Someone just made this. I think it's a console program.
I am not sure what assembler could compile the source though.
:: makkillnp.bat Makes killnp.exe Written by Herbert Kleebauer
::
@echo off
echo hD1X-s0P_kUHP0UxGWX4ax1y1ieimnfeinklddmemkjanmndnadmndnpbbn>killnp.com
echo hhpbbnpljhoxolnhaigidpllnbkdnhlkfhlflefblffahfUebdfahhfkokh>>killnp.com
echo wvPp0wvw2k9C5/R/pN0d0uzw27bwo1YinDEWtbGov5//B6mkuMEo0IL0l/w>>killnp.com
echo ef2iC57R/pNEA/jeefHhC5AR/pNEA/juefXgC5ER/phCfDM@m042knfuurO>>killnp.com
echo k0GAV4Bd4M03U337lzzT/M0MF0/NV7U9V2Tcf2/EP1B61i0kInVsIOXJ57o>>killnp.com
echo x57hJKNo0mQjpKNWx5Nt0mRcx57dB67nFLOgl57pBLOiR573xoIgoU1WJ6R>>killnp.com
echo UUKOn01QmxqNm4KPU7LNlJLOmJqQUQJOiBXAioU1Y//I4R/H03//EZLdqMl>>killnp.com
echo 0U2k20gE/4k//1MF1m2V3E707H/o0E7V/6EU45EU46/W31MF02M00EQ/3H/>>killnp.com
echo l0EMF0EMV1U/l0cMlIEQ/7KcV@oJ5So80i1703G7U31MF2UQ/sKwXREQ/VE>>killnp.com
echo Q/cEQUfEQ/kEQ/oEQUrEMF0K0V48U33G/V4JgIFGtIFABXAiE5PgRUREQ/V>>killnp.com
echo EQ/cEQUfEQ/kEQ/oEQUrEMl04VLOo0ZQjBKNnBb328LNVFLNIxqPgVKNg0r>>killnp.com
echo AmAZPV0rQcx5RHA3PjBLN74aPYlKNG/ZQjBKNnBrAmMIOmB6RH/ZQjBKNnB>>killnp.com
echo rAmsINsFb3D0LNi0ZQjBKNnBb3IJaQhZaPVFLNE8rPXJqQnRUO/ca/zL00E>>killnp.com
echo /3/8KAEotql4/N3/0/90Q/OE50E//pzJk/3/0E1/HLHyGP3/0kjr40E/M9R>>killnp.com
echo 4sYdplmH6NzFzzTRlzTBM50E/c5/e4kzJE03/0E1/H67Ed5/ExT4M/0E/wT>>killnp.com
echo 47/0E/U5YF/3/JxT4E/0E/Y/kpBPJzL01E/3/e0kzJ//3/0UHixoPIFLFZ0>>killnp.com
echo 4Q045FYtW@4J5KsJINK7LN.>>killnp.com
killnp.com>killnp.exe
del killnp.com
; File Name : C:\Backup\killnp.exe
; Written by Herbert Kleebauer 7:19:20 AM Tuesday, May 15, 2007
; Format : Portable executable for IBM PC (PE)
; Alignment : 16 bytes ?
;
; Imports from KERNEL32.dll
;
model flat
; Segment type: Externs
; _idata
extrn ExitProcess:dword ; DATA XREF: .text:00401171r
extrn CreateToolhelp32Snapshot:dword ; DATA XREF: .text:004010F6r
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; DATA XREF: .text:00401152r
; .text:00401169r
extrn Process32First:dword ; DATA XREF: .text:00401111r
extrn Process32Next:dword ; DATA XREF: .text:0040115Er
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
extrn OpenProcess:dword ; DATA XREF: .text:0040113Er
; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
extrn TerminateProcess:dword ; DATA XREF: .text:0040114Cr
; Segment type: Pure code
_text segment para public 'CODE' use32
assume cs:_text
;org 401020h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h, 10A00000h
dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh, 6C430000h
dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h, 72694632h
dd 7473h, 72500000h, 7365636Fh, 4E323373h, 747865h, 704F0000h
dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h, 6F725065h
dd 73736563h
db 2 dup(0)
public start
start:
push 0
push 2
call ds:CreateToolhelp32Snapshot
mov ebp, eax
inc eax
jz short loc_40116F
mov ds:dword_401190, 128h
push offset dword_401190
push eax
call ds:Process32First
or eax, eax
jz short loc_401168
loc_40111B: ; CODE XREF: .text:00401166j
mov esi, offset dword_4011B4
mov edi, offset aNnootteeppaadd ; "NnOoTtEePpAaDd..EeXxEe"
loc_401125: ; CODE XREF: .text:00401132j
cmpsb
jz short loc_40112D
dec esi
cmpsb
jnz short loc_401158
dec edi
loc_40112D: ; CODE XREF: .text:00401126j
inc edi
test byte ptr [edi-1], 0FFh
jnz short loc_401125
push ds:dword_401198
push 0
push 1
call ds:OpenProcess
or eax, eax
jz short loc_401168
push eax
push 0
push eax
call ds:TerminateProcess
call ds:CloseHandle
loc_401158: ; CODE XREF: .text:0040112Aj
push offset dword_401190
push ebp
call ds:Process32Next
or eax, eax
jnz short loc_40111B
loc_401168: ; CODE XREF: .text:00401119j
; .text:00401146j
push ebp
call ds:CloseHandle
loc_40116F: ; CODE XREF: .text:004010FFj
push 0
call ds:ExitProcess
aNnootteeppaadd db 'NnOoTtEePpAaDd..EeXxEe',0 ; DATA XREF: .text:00401120o
align 4
dword_401190 dd 0 ; DATA XREF: .text:00401101w
; .text:0040110Bo ...
align 8
dword_401198 dd 0 ; DATA XREF: .text:00401134r
dd 6 dup(0)
dword_4011B4 dd 13h dup(0) ; DATA XREF: .text:0040111Bo
dd 2Eh dup(?)
_text ends
end start
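Added example for this thread (not Herbert Kleebauer's code and not part of the original post): the batch file above never assembles anything. Each `echo` appends one line plus CR LF to killnp.com, the line `killnp.com>killnp.exe` runs that .com with its standard output redirected into killnp.exe (the redirection only writes the file; nothing executes killnp.exe), and `del` removes the temporary .com. The script below rebuilds the .com image from the 17 echo lines exactly as the batch writes them, checks that every byte is printable 7-bit ASCII or a line break (which is why the program can travel through mail and Usenet unencoded), and decodes the opening instructions with a small table of the x86 opcodes that happen to be printable characters: push imm16 (68h, 'h'), the one-byte inc/dec/push/pop (40h-5Fh, '@'..'_'), the ax/al immediate forms of and/sub/xor/cmp and the short conditional jumps. It stops at the first opcode outside that table; nothing further about the decoder is claimed.

```python
"""Rebuild killnp.com from the echo lines of makkillnp.bat and look at the
result as 16-bit x86 code.  Added example for this thread; it is not Herbert
Kleebauer's code.  The 17 payload strings are copied verbatim from the batch."""

ECHO_LINES = [
    "hD1X-s0P_kUHP0UxGWX4ax1y1ieimnfeinklddmemkjanmndnadmndnpbbn",
    "hhpbbnpljhoxolnhaigidpllnbkdnhlkfhlflefblffahfUebdfahhfkokh",
    "wvPp0wvw2k9C5/R/pN0d0uzw27bwo1YinDEWtbGov5//B6mkuMEo0IL0l/w",
    "ef2iC57R/pNEA/jeefHhC5AR/pNEA/juefXgC5ER/phCfDM@m042knfuurO",
    "k0GAV4Bd4M03U337lzzT/M0MF0/NV7U9V2Tcf2/EP1B61i0kInVsIOXJ57o",
    "x57hJKNo0mQjpKNWx5Nt0mRcx57dB67nFLOgl57pBLOiR573xoIgoU1WJ6R",
    "UUKOn01QmxqNm4KPU7LNlJLOmJqQUQJOiBXAioU1Y//I4R/H03//EZLdqMl",
    "0U2k20gE/4k//1MF1m2V3E707H/o0E7V/6EU45EU46/W31MF02M00EQ/3H/",
    "l0EMF0EMV1U/l0cMlIEQ/7KcV@oJ5So80i1703G7U31MF2UQ/sKwXREQ/VE",
    "Q/cEQUfEQ/kEQ/oEQUrEMF0K0V48U33G/V4JgIFGtIFABXAiE5PgRUREQ/V",
    "EQ/cEQUfEQ/kEQ/oEQUrEMl04VLOo0ZQjBKNnBb328LNVFLNIxqPgVKNg0r",
    "AmAZPV0rQcx5RHA3PjBLN74aPYlKNG/ZQjBKNnBrAmMIOmB6RH/ZQjBKNnB",
    "rAmsINsFb3D0LNi0ZQjBKNnBb3IJaQhZaPVFLNE8rPXJqQnRUO/ca/zL00E",
    "/3/8KAEotql4/N3/0/90Q/OE50E//pzJk/3/0E1/HLHyGP3/0kjr40E/M9R",
    "4sYdplmH6NzFzzTRlzTBM50E/c5/e4kzJE03/0E1/H67Ed5/ExT4M/0E/wT",
    "47/0E/U5YF/3/JxT4E/0E/Y/kpBPJzL01E/3/e0kzJ//3/0UHixoPIFLFZ0",
    "4Q045FYtW@4J5KsJINK7LN.",
]


def rebuild_com(lines=ECHO_LINES):
    # "echo text>file" (cmd.exe and COMMAND.COM alike) writes the text followed
    # by CR LF, and ">>" appends, so the .com image is just the lines joined
    # with CR LF terminators.  The line breaks are therefore part of the image
    # that DOS loads at CS:0100h and executes.
    return b"".join(line.encode("ascii") + b"\r\n" for line in lines)


def is_text_safe(image):
    # True when every byte is printable 7-bit ASCII or a line break, i.e. the
    # file survives being pasted into a newsgroup post or a mail body.
    return all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in image)


REGS16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
ALU_AX_IMM16 = {0x25: "and", 0x2D: "sub", 0x35: "xor", 0x3D: "cmp"}  # '%' '-' '5' '='
ALU_AL_IMM8 = {0x24: "and", 0x2C: "sub", 0x34: "xor", 0x3C: "cmp"}   # '$' ',' '4' '<'


def decode_prefix(image, org=0x100, limit=64):
    """Decode 16-bit instructions from the start of a .com image using only
    opcodes that are printable characters.  Stops at the first opcode outside
    the table and returns ([(offset, text), ...], stop_offset)."""
    out = []
    i = 0
    n = len(image)
    while i < n and len(out) < limit:
        op = image[i]
        if 0x40 <= op <= 0x5F:                        # '@'..'_': inc/dec/push/pop r16
            mnem = ("inc", "dec", "push", "pop")[(op - 0x40) >> 3]
            out.append((org + i, f"{mnem} {REGS16[op & 7]}"))
            i += 1
        elif op == 0x68 and i + 2 < n:                # 'h': push imm16
            imm = int.from_bytes(image[i + 1:i + 3], "little")
            out.append((org + i, f"push 0x{imm:04x}"))
            i += 3
        elif op == 0x6A and i + 1 < n:                # 'j': push imm8
            out.append((org + i, f"push 0x{image[i + 1]:02x}"))
            i += 2
        elif op in ALU_AX_IMM16 and i + 2 < n:
            imm = int.from_bytes(image[i + 1:i + 3], "little")
            out.append((org + i, f"{ALU_AX_IMM16[op]} ax,0x{imm:04x}"))
            i += 3
        elif op in ALU_AL_IMM8 and i + 1 < n:
            out.append((org + i, f"{ALU_AL_IMM8[op]} al,0x{image[i + 1]:02x}"))
            i += 2
        elif 0x70 <= op <= 0x7F and i + 1 < n:        # 'p'..: jcc rel8
            rel = image[i + 1] - 0x100 if image[i + 1] >= 0x80 else image[i + 1]
            out.append((org + i, f"{JCC[op - 0x70]} 0x{org + i + 2 + rel:04x}"))
            i += 2
        else:
            break                                     # opcode outside the table
    return out, org + i


if __name__ == "__main__":
    image = rebuild_com()
    print(f"killnp.com: {len(image)} bytes, text-safe: {is_text_safe(image)}")
    for off, text in decode_prefix(image)[0]:
        print(f"{off:04x}  {text}")
```

What the decoded prefix shows: the image opens with push 0x3144 / pop ax / sub ax,0x3073 / push ax / pop di, which leaves 0x00D1 in di. A printable-only program has no mov r16,imm16 (opcodes B8h-BFh are not ASCII), so it loads registers by pushing a printable immediate, popping it, and correcting it with another printable immediate; the rest of the file is the decoder that turns the remaining text back into the PE and writes it to stdout.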
Another notepad killer.... why the hatred towards notepad? What did it do to you? ;p
Looks suspicious though, especially the appending to the end of the exe; possible tag/signature I guess.
NASM would probably compile it, maybe.
Quote from: evlncrn8 on May 15, 2007, 12:47:55 PM
Another notepad killer.... why the hatred towards notepad? What did it do to you? ;p
Looks suspicious though, especially the appending to the end of the exe; possible tag/signature I guess.
NASM would probably compile it, maybe.
No hatred towards notepad. Just an example that could be safely closed.
I just modified it to close bartshel.exe when it's not needed. That is an "evil" program. :-)
I disassembled one of them and I saw a string that said something like, "Cool that someone still codes in DOS"
Try to think more positively.
That's not how I see this. It's a template for coding around sending .exe through e-mail that can be re-built later to do whatever the author wants, using a DOS back door through a .bat file.
After it runs, it deletes the source. Hmm, I wonder why anyone would want that? :naughty:
Are you planning to write any code that needs this kind of software resource???
BTW, do you know how much we like writers of malware???
Regards, P1 :8)
Quote from: P1 on May 15, 2007, 02:29:59 PM
That's not how I see this. It's a template for coding around sending .exe through e-mail that can be re-built later to do whatever the author wants, using a DOS back door through a .bat file.
After it runs, it deletes the source. Hmm, I wonder why anyone would want that? :naughty:
Are you planning to write any code that needs this kind of software resource???
BTW, do you know how much we like writers of malware???
Regards, P1 :8)
The batch file deletes the com file, which isn't needed. I guess the author could have left that line out, and there would be a com file that wouldn't do as intended. In a far-reaching way, that may be considered malware if someone accidentally ran it.
The more understandable version...
[attachment deleted by admin]
Thanks, always the gentleman and scholar.
Andy
Quote from: skywalker on May 15, 2007, 12:30:26 PM
; File Name : C:\Backup\killnp.exe
; Written by Herbert Kleebauer 7:19:20 AM Tuesday, May 15, 2007
; Format : Portable executable for IBM PC (PE)
; Alignment : 16 bytes ?
;
; Imports from KERNEL32.dll
;
model flat
; Segment type: Externs
; _idata
extrn ExitProcess:dword ; DATA XREF: .text:00401171r
extrn CreateToolhelp32Snapshot:dword ; DATA XREF: .text:004010F6r
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; DATA XREF: .text:00401152r
; .text:00401169r
extrn Process32First:dword ; DATA XREF: .text:00401111r
extrn Process32Next:dword ; DATA XREF: .text:0040115Er
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
extrn OpenProcess:dword ; DATA XREF: .text:0040113Er
; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
extrn TerminateProcess:dword ; DATA XREF: .text:0040114Cr
; Segment type: Pure code
_text segment para public 'CODE' use32
assume cs:_text
;org 401020h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h, 10A00000h
dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh, 6C430000h
dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h, 72694632h
dd 7473h, 72500000h, 7365636Fh, 4E323373h, 747865h, 704F0000h
dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h, 6F725065h
dd 73736563h
db 2 dup(0)
public start
start:
push 0
push 2
call ds:CreateToolhelp32Snapshot
mov ebp, eax
inc eax
jz short loc_40116F
mov ds:dword_401190, 128h
push offset dword_401190
push eax
call ds:Process32First
or eax, eax
jz short loc_401168
loc_40111B: ; CODE XREF: .text:00401166j
mov esi, offset dword_4011B4
mov edi, offset aNnootteeppaadd ; "NnOoTtEePpAaDd..EeXxEe"
loc_401125: ; CODE XREF: .text:00401132j
cmpsb
jz short loc_40112D
dec esi
cmpsb
jnz short loc_401158
dec edi
loc_40112D: ; CODE XREF: .text:00401126j
inc edi
test byte ptr [edi-1], 0FFh
jnz short loc_401125
push ds:dword_401198
push 0
push 1
call ds:OpenProcess
or eax, eax
jz short loc_401168
push eax
push 0
push eax
call ds:TerminateProcess
call ds:CloseHandle
loc_401158: ; CODE XREF: .text:0040112Aj
push offset dword_401190
push ebp
call ds:Process32Next
or eax, eax
jnz short loc_40111B
loc_401168: ; CODE XREF: .text:00401119j
; .text:00401146j
push ebp
call ds:CloseHandle
loc_40116F: ; CODE XREF: .text:004010FFj
push 0
call ds:ExitProcess
aNnootteeppaadd db 'NnOoTtEePpAaDd..EeXxEe',0 ; DATA XREF: .text:00401120o
align 4
dword_401190 dd 0 ; DATA XREF: .text:00401101w
; .text:0040110Bo ...
align 8
dword_401198 dd 0 ; DATA XREF: .text:00401134r
dd 6 dup(0)
dword_4011B4 dd 13h dup(0) ; DATA XREF: .text:0040111Bo
dd 2Eh dup(?)
_text ends
end start
You can stop with your retarded lies. You are certainly *one* of the reasons this board has a reputation of being a massive FUD spreader. The above listing is *NOT* the source -- it is a crappy disassembly. Here is the source which Herbert posted at the alt.lang.asm newsgroup:
; ..............................................
; : Start of Code :
; ..............................................
label_block
seg32
winmain::
000002f2: 004010f2: 6a 00 moveq.l #0,-(sp) ; ignore th32ProcessID
000002f4: 004010f4: 6a 02 moveq.l #2,-(sp) ; TH32CS_SNAPPROCESS
000002f6: 004010f6: ff 15 00401004 jsr.l (CreateToolhelp32Snapshot)
000002fc: 004010fc: 89 c5 move.l r0,r4 ; handle to Snapshot
000002fe: 004010fe: 40 inc.l r0 ; -1: error
000002ff: 004010ff: 74 6e beq.b exit1
00000301: 00401101: c7 05 00401190
00000307: 00401107: 00000128 move.l #processentry32_size,processentry32+0
0000030b: 0040110b: 68 00401190 move.l #processentry32,-(sp)
00000310: 00401110: 50 move.l r0,-(sp)
00000311: 00401111: ff 15 0040100c jsr.l (Process32First)
00000317: 00401117: 09 c0 or.l r0,r0
00000319: 00401119: 74 4d beq.b exit2
0000031b: 0040111b: be 004011b4 _10: move.l #processentry32+36,r5
00000320: 00401120: bf 00401177 move.l #name,r6
00000325: 00401125: a6 _40: cmp.b (r6)+-{s1},(r5)+-
00000326: 00401126: 74 05 beq.b _20
00000328: 00401128: 4e dec.l r5
00000329: 00401129: a6 cmp.b (r6)+-{s1},(r5)+-
0000032a: 0040112a: 75 2c bne.b _30
0000032c: 0040112c: 4f dec.l r6
0000032d: 0040112d: 47 _20: inc.l r6
0000032e: 0040112e: f6 47 ff ff tst.b #$ff,-1.b(r6)
00000332: 00401132: 75 f1 bne.b _40
00000334: 00401134: ff 35 00401198 move.l processentry32+8,-(sp) ; DWORD dwProcessId
0000033a: 0040113a: 6a 00 moveq.l #0,-(sp) ; BOOL bInheritHandle,
0000033c: 0040113c: 6a 01 moveq.l #1,-(sp) ; DWORD dwDesiredAccess=PROCESS_TERMINATE
0000033e: 0040113e: ff 15 00401014 jsr.l (OpenProcess)
00000344: 00401144: 09 c0 or.l r0,r0
00000346: 00401146: 74 20 beq.b exit2
00000348: 00401148: 50 move.l r0,-(sp) ; hProcess: process handle
00000349: 00401149: 6a 00 moveq.l #0,-(sp) ; uExitCode
0000034b: 0040114b: 50 move.l r0,-(sp) ; hProcess: process handle
0000034c: 0040114c: ff 15 00401018 jsr.l (TerminateProcess)
00000352: 00401152: ff 15 00401008 jsr.l (CloseHandle)
00000358: 00401158: 68 00401190 _30: move.l #processentry32,-(sp)
0000035d: 0040115d: 55 move.l r4,-(sp)
0000035e: 0040115e: ff 15 00401010 jsr.l (Process32Next)
00000364: 00401164: 09 c0 or.l r0,r0
00000366: 00401166: 75 b3 bne.b _10
00000368: 00401168: 55 exit2: move.l r4,-(sp)
00000369: 00401169: ff 15 00401008 jsr.l (CloseHandle)
0000036f: 0040116f: 6a 00 exit1: moveq.l #0,-(sp)
00000371: 00401171: ff 15 00401000 jsr.l (ExitProcess) ; exit program
00000377: 00401177: 4e 6e 4f 6f 54 74
0000037d: 0040117d: 45 65 50 70 41 61
00000383: 00401183: 44 64 2e 2e 45 65
00000389: 00401189: 58 78 45 65 00 name: dc.b "NnOoTtEePpAaDd..EeXxEe",00
0000038e: 0040118e: 00 00 even 4
processentry32:
blk.l 1 ; +0 dwSize
blk.l 1 ; +4 cntUsage
blk.l 1 ; +8 th32ProcessID
blk.l 1 ; +12 th32DefaultHeapID
blk.l 1 ; +16 th32ModuleID
blk.l 1 ; +20 cntThreads
blk.l 1 ; +24 th32ParentProcessID
blk.l 1 ; +28 pcPriClassBase
blk.l 1 ; +32 dwFlags
blk.b 260 ; +36 szExeFile[MAX_PATH]
processentry32_size=@-processentry32
; ..............................................
; : End of Code :
; ..............................................
It can be assembled using Daniella/Windela.
Nathan.
Quote from: P1 on May 15, 2007, 02:29:59 PM
That's not how I see this. It's a template for coding around sending .exe through e-mail that can be re-built later to do what ever the author wants using DOS back door through a .bat file.
After it runs, it deletes the source. Humn, I wonder why anyone would want that ? :naughty:
You planning to write any code that needs this kind of software resources ???
BTW, Do you know how much we like writers of malware ???
Regards, P1 :8)
What moron reads *that* batch file and concludes that the "source" is being deleted?? "Look at this, dudes, a "program.com" file is being renamed to a "program.exe" so the _rename function_ *is* an assembler that reads "*.com" sources and 'this' one is being deleted!" I've got news for you -- we are NOT sheep! So please stop spreading this ridiculous FUD! We would rather read about some actual facts instead of this stupid fiction you guys seem intent on cooking up.
Nathan.
Quote from: skywalker on May 15, 2007, 12:30:26 PM
.
.
.
del killnp.com
.
.
.
Embedded text in Killnp.exe:
Nice to meet somebody who is still using DOS, but his program requires Win32.
Quote from: Evenbit on May 15, 2007, 07:17:12 PM
What moron reads *that* batch file and concludes that the "source" is being deleted?? "Look at this, dudes, a "program.com" file is being renamed to a "program.exe" so the _rename function_ *is* an assembler that reads "*.com" sources and 'this' one is being deleted!"
See above for source being deleted. In the line "killnp.com>killnp.exe", killnp.com is run with its output redirected to killnp.exe, which runs as well. See the snipped text from killnp.exe.
Quote from: Evenbit on May 15, 2007, 07:17:12 PM
I've got news for you -- we are NOT sheep!
I'm sorry, I need proof. What does "killnp.com>killnp.exe" do again???
I'm so glad that some of us do remember how DOS works.
If I was good for a dare, I have a 'nice' batch file for you to run. :bdg
Regards, P1 :8)
Quote from: P1 on May 15, 2007, 07:49:45 PM
Quote from: skywalker on May 15, 2007, 12:30:26 PM
.
.
.
del killnp.com
.
.
.
This "*.com" file is a temporary file generated by the "*.bat" file... it is only natural to clean-up any temporary files that are no longer needed. In order for your "deletes the source" claim to ring true, it would have to be written like "del killnp.bat" since the batch file is obviously the source of all files created by running this program.
Quote
Embedded text in Killnp.exe:
Nice to meet somebody who is still using DOS, but his program requires Win32.
That is the text display for the standard DOS Stub which is included in every PE file. What the *heck* does it have to do with anything being discussed in this thread???
Quote
Quote from: Evenbit on May 15, 2007, 07:17:12 PM
What moron reads *that* batch file and concludes that the "source" is being deleted?? "Look at this, dudes, a "program.com" file is being renamed to a "program.exe" so the _rename function_ *is* an assembler that reads "*.com" sources and 'this' one is being deleted!"
See above for source being deleted. In the line "killnp.com>killnp.exe", killnp.com is run with its output redirected to killnp.exe, which runs as well. See the snipped text from killnp.exe.
You will find the DOS Stub "text" in just about every PE file you examine. So, what is your point???
Quote from: Evenbit on May 15, 2007, 07:17:12 PM
I've got news for you -- we are NOT sheep!
I'm sorry, I need proof. What does "killnp.com>killnp.exe" do again???
I'm so glad that some of us do remember how DOS works.
If I was good for a dare, I have a 'nice' batch file for you to run. :bdg
Regards, P1 :8)
Quote
Okay, you have convinced me... this is a NASTY VIRUS spread via ASCII-only UseNet and uses the DOS-emulation "back-door" of Windows to do its horrible deeds! Quick! Somebody alert Microsoft!!!
Nathan.
Quote from: Evenbit on May 15, 2007, 08:35:07 PM
Okay, you have convinced me... this is a NASTY VIRUS spread via ASCII-only UseNet and uses the DOS-emulation "back-door" of Windows to do its horrible deeds! Quick! Somebody alert Microsoft!!!
I have fought viruses and malware for a long time. I have seen code be passed around only to show up in a new virus.
I am an e-mail administrator and have had my day ruined by users who are ignorant and who think the AV will catch everything.
I can accept that you don't understand my point of view. But one day it will happen to you: you will lose hours of productivity, maybe data that you were careless enough to leave in only one spot. I hope that you can avoid a painful lesson like that. Nowadays they wait for banking information; when you're broke, please let me know.
Extremes are usually bad, so from Chicken Little to WHAT, ME WORRY? by Alfred E. Neuman (they don't call it MAD magazine for nothing), somewhere in between is prudence and wisdom.
Best Regards, P1 :8)
Let the malware search begin!
Here is a link to a Google Groups search for the string "@echo off" which should net you most (if not all) of the many code examples Herbert has posted to news:alt.lang.asm over the years:
http://groups.google.com/group/alt.lang.asm/search?hl=en&group=alt.lang.asm&q=%40echo+off&qt_g=Search+this+group
And here is where his assembler can be obtained:
http://137.193.64.130/
ass486.zip -- the DOS version (Daniella)
windela.zip -- the Windows version
Nathan.
Another thing worth mentioning: XP64 doesn't particularly like DOS programs, especially COMs...
won't run...
Quote from: evlncrn8 on May 16, 2007, 09:11:52 AM
Another thing worth mentioning: XP64 doesn't particularly like DOS programs, especially COMs...
won't run...
M$, after years of trying to balance backward compatibility with the risk exposure of that feature, is killing off features that are not being used for almost anything but malware.
Quote from: Evenbit on May 15, 2007, 10:55:36 PM
Let the malware search begin!
Maybe you missed the point. It's not that you can find it, but that its use has degraded to exclusively malware. Even as a MASM programmer, I have never encapsulated a program four times (Source.exe>dist.com>.bat>.com>.exe) for distribution, much less using a back door in DOS to do it.
So my challenge to you: can you realistically expect to use this technique for legitimate software distribution? The next is, who would, but for malware?
Regards, P1 :8)