home *** CD-ROM | disk | FTP | other *** search
- ;
- ; ┌──════════──┌─────────────────────────────────────────────┐──════════──┐
- ; : Prizzy/29A : Win32.Dream : Prizzy/29A :
- ; └──════════──└─────────────────────────────────────────────┘──════════──┘
- ;
- ; Hello people, here is my third virus especially when it is designed for
- ; whole Win32 platform. It infects only EXE (PE - Portable Executable)
- ; files and also HLP (Windows Help File Format).
- ;
- ; When infected EXE file is started, EIP goes through my easy polymorphic
- ; engine, which isn't so important in this virus, then hooks CreateFileA
- ; function, installs itself into memory and only then it can put EIP to
- ; the host - there're two returns, one for EXE the other for HLP files.
- ;
- ; With might and mind I wanted to use only it the best from new high-tech
- ; vx methods we know. And I think is nothing worst than virus equipped of
- ; interprocess communication (IPC). I also changed my coding style and
- ; this source is most optimization as I could.
- ;
- ;
- ; Detailed Information
- ; ──────────────────────
- ;
- ;
- ; 1. Interprocess Communication (IPC)
- ; ───────────────────────────────────
- ; You could see one IPC virus (Vulcano) by Benny/29A but I used this fea-
- ; ture other way than he. His IPC virus is only in one process and it can
- ; communicate with others viruses in another process.
- ;
- ; The parts of my Win32.Dream virus work in several processes and in fact
- ; it behades like one whole virus. After installing to memory, virus will
- ; remove itself from memory of the infected program.
- ;
- ;
- ; 1.1. Creating processes
- ; ───────────────────────
- ; This virus is divided into seven 'independent' functions which have own
- ; process. To create new process I would build a dropper and via the Cre-
- ; ateProcessA I would run them.
- ;
- ; The dropper wait than new function for its process is ready, if yes, it
- ; shares two mapped blocks (OpenFileMappingA) for that process (it's Glo-
- ; bal memory and Function's body) and creates thread on the function. The
- ; process can't terminate it can only Sleep. All created processed are
- ; hiden in Windows 95, not in WinNT/2k (is't more complex).
- ;
- ;
- ; 1.2. IPC in action
- ; ──────────────────
- ; Hooked CreateFileA functions retrieves control, sets flag for certain
- ; process and awakes its. That process finishes own task and returns re-
- ; sults.
- ;
- ;
- ; 1.3. Global memory
- ; ──────────────────
- ; It's necessary to share some important information among all processes.
- ; There are:
- ;
- ; + [thandle] : When the dropper will create new thread here is re-
- ; turned handle. It indicates the thread's errorcode.
- ; + [th_mempos] : Here is stored the name of the Function's mapped
- ; object. The dropper will open that memory area.
- ; + [process] : hProcess, ProcessID values of the all created pro-
- ; cesses because of opening/runing them.
- ; + [apiz] : The addresses of the all APIz I call are on this
- ; place.
- ; + [active] : If other process wants to run me, sets certain flag
- ; here and the thread tests it.
- ; + [paramz] : This is place where the virus store some parameters
- ; among processes (see below).
- ; + [vbody] : Here is the copy of the virus, useful for changing
- ; values inside and for poly engine.
- ; + [filename] : The future infected filename. New CreateFileA func-
- ; tion stores the name here.
- ; + [cinfected] : Two FPU memory buffers, one for creating of the in-
- ; fection mark the other for checking.
- ; + [poly_vbody] : Output from polymorphic engine.
- ;
- ;
- ; 1.4. Parameters
- ; ───────────────
- ; As I wrote above I have to get some parameters of the input processes.
- ; Here is the description of them:
- ;
- ; + [1st param] : Out of polymorhpic engine, the new size of the virus
- ; + [2nd param] : Filesize for checksum (+poly size yet).
- ; + [3rd param] : The name of the mapped file (for OpenFileMappingA).
- ; + [4th param] : a. Filesize for check_infected (without poly size).
- ; b. Out of checksum.
- ; + [5th param] : Input for check_infected, if '1', then it wants to
- ; get an angle for create_infected.
- ; + [6th param] : Terminate all processes ? (WinNT/2000 only)
- ; + [7th param] : Terminate all processes ? (Win95/98 only)
- ; (because of Win95/98 kernel bug)
- ;
- ;
- ; 1.5. Termination of the all processes
- ; ─────────────────────────────────────
- ; I remember it was a nut for me but of course I'd to solve it. At first
- ; I changed flags of the process (SetErrorMode, it means, the process 'll
- ; not show any message box if it will do bad instructions), then I had to
- ; check if the host lives yet. In Win95/98 I have discovered a kernel bug
- ; so that I couldn't use WinNT version (OpenProcess) to check if the host
- ; still exists because Win95/98 don't delete its process id handle.
- ; Win95 - you can only read some value the from allocated memory by host.
- ; WinNT - that allocated memory is opened by other process, you can't
- ; identify if the host still exists.
- ;
- ;
- ; 1.6. The scheme of the all processes
- ; ────────────────────────────────────
- ;
- ;
- ; ╔═────────────────────────────────────────────────────────────────═╗
- ; │ new CreateFileA API function │
- ; ╚═────╤───────────────────────────────────────────────────────────═╝
- ; │
- ; ╔═────────────═╗
- ; │ infect file │ ╔═──────────────═╗
- ; ╚═─╤───────────═╝ ┌─── infect HLP │
- ; ├────────────────┘ ╚═──────────────═╝
- ; │
- ; │ ╔═────────═╗
- ; │ ║ ║ ┌── [check_infected]
- ; │ │ ├───────┘
- ; │ │ infect ├────┼────── [poly_engine]
- ; └─── │ │
- ; │ EXE ├────┼────── [create_infected]
- ; │ ├───────┐
- ; ║ ║ └── [checksum]
- ; ╚═─────────╝
- ;
- ;
- ; 2. Optimalization and comments
- ; ──────────────────────────────
- ; Sometimes I heard my last virus Win32.Crypto is too huge and also some
- ; people had a fun from me (benny, mort - gotcha bastards!) that my next
- ; virus will be bigger than one megabyte. I wanted to optimize next one
- ; and I've not told them it so I think it'll be surprise for them I pro-
- ; ved. Nevertheless I've a taste of the second side and now I can return
- ; myself without any major problems. But now I can say the virus is more
- ; optimization than benny's bits and pieces. The source code is not com-
- ; mented enough because I think no many people will taste something like
- ; IPC is. If yes, they can contact me.
- ;
- ;
- ; 3. Check infected routine
- ; ─────────────────────────
- ; Long ago in Win32.Crypto I tasted to use unique math technique how to
- ; check if the file is infected. Now I thought up new more complex way.
- ; At first from infected file I'll compile the equation, for example:
- ; y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x
- ; and I'll get two points on that curve, for example x1=4 and x2=7. Then
- ; I will calculate what angle is between the tangents to the curve from
- ; that two points, it means: I have to calculate derivation y' of that
- ; equation and if I know y=x1 and y=x2 then I will determine:
- ; & = arc tg | log(x1 - x2) - log(1 + x1*x2) |
- ; If the angle will be greater e.g. than 75 degree, file is infected.
- ;
- ; This algorithm has been coded only for fun so that I know we've easier
- ; methods but I couldn't call to remembrance on any.
- ;
- ;
- ; 4. Pearls behind the scene
- ; ──────────────────────────
- ; * Only two weeks before release I've think the virus name up at last.
- ; * At a time, during coding, I stopped writing and this virus I haven't
- ; coded for two months. Later when I started again I couldn't remember
- ; what that code does and so on.
- ; * In present exists over than fifty backup copies.
- ; * The worst part of the virus was the dropper, there were many changes
- ; because of Win9x and WinNT compatibility; many bugs were there.
- ; * After a hour of the coding I unwillingly deleted new version. So that
- ; I'd to save more than one gigabytes from FAT32 on another hard disk.
- ; Only there I found that lost version.
- ; * The best thing I like on the whole virus is main comment.
- ; * Working directory was 'E:\X_WIN\' and this file name was 'WIN.AS!'.
- ; * Last week I was looking for help on mirc
- ; <prizzy> i used also OpenFileMapping, but I think yes; if ...
- ; <Bumblebee> mmm
- ; <Bumblebee> OpenFileMapping?
- ; <prizzy> yes :)
- ; <Bumblebee> i've never used it [bumble~1.log, 18:59:17]
- ; ...but much help I haven't found there (although Bumblebee helped
- ; me with another bug).
- ; * During whole coding I've read five books and three film scripts.
- ;
- ;
- ; 5. List of greetings
- ; ────────────────────
- ; Darkman The master of the good optimistic mood
- ; Bumblebee Thanks for your help during coding
- ; Billy Belcebu So, our communication has started yet
- ; GriYo All the time busy man
- ; Lord Julus Waiting for your new virus and its meta engine
- ; Mort So did you think this source will be bigger then
- ; one megabytes? Sorry, maybe later :).
- ; J.P. I look forward on future with you, dude.
- ; Ratter No, no. Stop reading and let you show us what you
- ; are hiding inside.
- ; VirusBuster Here is that secret bin with savage poly engine as
- ; you wrote on #virus.
- ; Benny It the best in the end, benny. Haha, at last this
- ; source is optimized and you will stop to worry me.
- ; Thanks for all you have e'er done for me.
- ; ...and for flush, asmodeus, mlapse, mgl, f0re and evul.
- ;
- ;
- ; 6. Contact me
- ; ─────────────
- ; prizzy@coderz.net
- ; http://**********
- ;
- ;
- ; (c)oded by Prizzy/29A, June 2000
- ;
- ;