Chip 2001 October

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2001 October / Chip_2001-10_cd1.bin / servis / viry.cz / 000605.txt < prev next >

Wrap

Text File | 2000-06-05 | 10KB | 219 lines

; ; ┌──════════──┌─────────────────────────────────────────────┐──════════──┐ ; : Prizzy/29A : Win32.Dream : Prizzy/29A : ; └──════════──└─────────────────────────────────────────────┘──════════──┘ ; ; Hello people, here is my third virus especially when it is designed for ; whole Win32 platform. It infects only EXE (PE - Portable Executable) ; files and also HLP (Windows Help File Format). ; ; When infected EXE file is started, EIP goes through my easy polymorphic ; engine, which isn't so important in this virus, then hooks CreateFileA ; function, installs itself into memory and only then it can put EIP to ; the host - there're two returns, one for EXE the other for HLP files. ; ; With might and mind I wanted to use only it the best from new high-tech ; vx methods we know. And I think is nothing worst than virus equipped of ; interprocess communication (IPC). I also changed my coding style and ; this source is most optimization as I could. ; ; ; Detailed Information ; ────────────────────── ; ; ; 1. Interprocess Communication (IPC) ; ─────────────────────────────────── ; You could see one IPC virus (Vulcano) by Benny/29A but I used this fea- ; ture other way than he. His IPC virus is only in one process and it can ; communicate with others viruses in another process. ; ; The parts of my Win32.Dream virus work in several processes and in fact ; it behades like one whole virus. After installing to memory, virus will ; remove itself from memory of the infected program. ; ; ; 1.1. Creating processes ; ─────────────────────── ; This virus is divided into seven 'independent' functions which have own ; process. To create new process I would build a dropper and via the Cre- ; ateProcessA I would run them. ; ; The dropper wait than new function for its process is ready, if yes, it ; shares two mapped blocks (OpenFileMappingA) for that process (it's Glo- ; bal memory and Function's body) and creates thread on the function. The ; process can't terminate it can only Sleep. All created processed are ; hiden in Windows 95, not in WinNT/2k (is't more complex). ; ; ; 1.2. IPC in action ; ────────────────── ; Hooked CreateFileA functions retrieves control, sets flag for certain ; process and awakes its. That process finishes own task and returns re- ; sults. ; ; ; 1.3. Global memory ; ────────────────── ; It's necessary to share some important information among all processes. ; There are: ; ; + [thandle] : When the dropper will create new thread here is re- ; turned handle. It indicates the thread's errorcode. ; + [th_mempos] : Here is stored the name of the Function's mapped ; object. The dropper will open that memory area. ; + [process] : hProcess, ProcessID values of the all created pro- ; cesses because of opening/runing them. ; + [apiz] : The addresses of the all APIz I call are on this ; place. ; + [active] : If other process wants to run me, sets certain flag ; here and the thread tests it. ; + [paramz] : This is place where the virus store some parameters ; among processes (see below). ; + [vbody] : Here is the copy of the virus, useful for changing ; values inside and for poly engine. ; + [filename] : The future infected filename. New CreateFileA func- ; tion stores the name here. ; + [cinfected] : Two FPU memory buffers, one for creating of the in- ; fection mark the other for checking. ; + [poly_vbody] : Output from polymorphic engine. ; ; ; 1.4. Parameters ; ─────────────── ; As I wrote above I have to get some parameters of the input processes. ; Here is the description of them: ; ; + [1st param] : Out of polymorhpic engine, the new size of the virus ; + [2nd param] : Filesize for checksum (+poly size yet). ; + [3rd param] : The name of the mapped file (for OpenFileMappingA). ; + [4th param] : a. Filesize for check_infected (without poly size). ; b. Out of checksum. ; + [5th param] : Input for check_infected, if '1', then it wants to ; get an angle for create_infected. ; + [6th param] : Terminate all processes ? (WinNT/2000 only) ; + [7th param] : Terminate all processes ? (Win95/98 only) ; (because of Win95/98 kernel bug) ; ; ; 1.5. Termination of the all processes ; ───────────────────────────────────── ; I remember it was a nut for me but of course I'd to solve it. At first ; I changed flags of the process (SetErrorMode, it means, the process 'll ; not show any message box if it will do bad instructions), then I had to ; check if the host lives yet. In Win95/98 I have discovered a kernel bug ; so that I couldn't use WinNT version (OpenProcess) to check if the host ; still exists because Win95/98 don't delete its process id handle. ; Win95 - you can only read some value the from allocated memory by host. ; WinNT - that allocated memory is opened by other process, you can't ; identify if the host still exists. ; ; ; 1.6. The scheme of the all processes ; ──────────────────────────────────── ; ; ; ╔═────────────────────────────────────────────────────────────────═╗ ; │ new CreateFileA API function │ ; ╚═────╤───────────────────────────────────────────────────────────═╝ ; │ ; ╔═────────────═╗ ; │ infect file │ ╔═──────────────═╗ ; ╚═─╤───────────═╝ ┌─── infect HLP │ ; ├────────────────┘ ╚═──────────────═╝ ; │ ; │ ╔═────────═╗ ; │ ║ ║ ┌── [check_infected] ; │ │ ├───────┘ ; │ │ infect ├────┼────── [poly_engine] ; └─── │ │ ; │ EXE ├────┼────── [create_infected] ; │ ├───────┐ ; ║ ║ └── [checksum] ; ╚═─────────╝ ; ; ; 2. Optimalization and comments ; ────────────────────────────── ; Sometimes I heard my last virus Win32.Crypto is too huge and also some ; people had a fun from me (benny, mort - gotcha bastards!) that my next ; virus will be bigger than one megabyte. I wanted to optimize next one ; and I've not told them it so I think it'll be surprise for them I pro- ; ved. Nevertheless I've a taste of the second side and now I can return ; myself without any major problems. But now I can say the virus is more ; optimization than benny's bits and pieces. The source code is not com- ; mented enough because I think no many people will taste something like ; IPC is. If yes, they can contact me. ; ; ; 3. Check infected routine ; ───────────────────────── ; Long ago in Win32.Crypto I tasted to use unique math technique how to ; check if the file is infected. Now I thought up new more complex way. ; At first from infected file I'll compile the equation, for example: ; y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x ; and I'll get two points on that curve, for example x1=4 and x2=7. Then ; I will calculate what angle is between the tangents to the curve from ; that two points, it means: I have to calculate derivation y' of that ; equation and if I know y=x1 and y=x2 then I will determine: ; & = arc tg | log(x1 - x2) - log(1 + x1*x2) | ; If the angle will be greater e.g. than 75 degree, file is infected. ; ; This algorithm has been coded only for fun so that I know we've easier ; methods but I couldn't call to remembrance on any. ; ; ; 4. Pearls behind the scene ; ────────────────────────── ; * Only two weeks before release I've think the virus name up at last. ; * At a time, during coding, I stopped writing and this virus I haven't ; coded for two months. Later when I started again I couldn't remember ; what that code does and so on. ; * In present exists over than fifty backup copies. ; * The worst part of the virus was the dropper, there were many changes ; because of Win9x and WinNT compatibility; many bugs were there. ; * After a hour of the coding I unwillingly deleted new version. So that ; I'd to save more than one gigabytes from FAT32 on another hard disk. ; Only there I found that lost version. ; * The best thing I like on the whole virus is main comment. ; * Working directory was 'E:\X_WIN\' and this file name was 'WIN.AS!'. ; * Last week I was looking for help on mirc ; <prizzy> i used also OpenFileMapping, but I think yes; if ... ; <Bumblebee> mmm ; <Bumblebee> OpenFileMapping? ; <prizzy> yes :) ; <Bumblebee> i've never used it [bumble~1.log, 18:59:17] ; ...but much help I haven't found there (although Bumblebee helped ; me with another bug). ; * During whole coding I've read five books and three film scripts. ; ; ; 5. List of greetings ; ──────────────────── ; Darkman The master of the good optimistic mood ; Bumblebee Thanks for your help during coding ; Billy Belcebu So, our communication has started yet ; GriYo All the time busy man ; Lord Julus Waiting for your new virus and its meta engine ; Mort So did you think this source will be bigger then ; one megabytes? Sorry, maybe later :). ; J.P. I look forward on future with you, dude. ; Ratter No, no. Stop reading and let you show us what you ; are hiding inside. ; VirusBuster Here is that secret bin with savage poly engine as ; you wrote on #virus. ; Benny It the best in the end, benny. Haha, at last this ; source is optimized and you will stop to worry me. ; Thanks for all you have e'er done for me. ; ...and for flush, asmodeus, mlapse, mgl, f0re and evul. ; ; ; 6. Contact me ; ───────────── ; prizzy@coderz.net ; http://********** ; ; ; (c)oded by Prizzy/29A, June 2000 ; ;