原理很简单：先用一个固定名字的互斥量保证只运行一个实例；删除 Viking 病毒写在 HKCU\...\Windows NT\CurrentVersion\Windows 下的 Load 自启动项，并把自身路径写入 HKLM\...\CurrentVersion\Run 实现自启动；然后删除 %WINDIR%\Rundl132.exe 和 %WINDIR%\Logo1_.exe，用内容为 "Anti viking file." 的只读/隐藏/系统占位文件重建 Logo1_.exe，再以独占方式（ShareMode=0）一直打开它，使进程存活期间其他程序无法再打开或覆盖同名文件；如果 Logo1_.exe 无法重建，则提示病毒可能仍在运行，并用 MoveFileEx(DELAY_UNTIL_REBOOT) 安排重启时删除。
; ---------------------------------------------------------------------------
; Entry: single-instance guard keyed on a fixed, well-known mutex name.
; 1F0001 = MUTEX_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTEX_MODIFY_STATE).
; A non-NULL handle means some process already created "Anti-Viking v0.1":
; the handle is closed and the process exits via 0040123E (ExitProcess(0)).
; NOTE(review): the guard trusts the name only - any process (including the
; malware this tool targets) that pre-creates a mutex with this exact name makes
; the tool exit before it cleans anything, and the exit code is still 0, so the
; caller cannot tell "already running" from "nothing to do".
; OpenMutexA here followed by CreateMutexA at 00401026 is also a small TOCTOU
; window: two instances started together can both pass this check.
; ---------------------------------------------------------------------------
00401000 >/$>mov esi,00401246 ; ASCII "Anti-Viking v0.1"
00401005 |.>push esi ; /MutexName => "Anti-Viking v0.1"
00401006 |.>push 0 ; |Inheritable = FALSE
00401008 |.>push 1F0001 ; |Access = 1F0001
0040100D |.>call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
00401012 |.>or eax,eax
00401014 |.>je short 00401021
; Another instance exists: release our reference and exit (exit code 0).
00401016 |.>push eax ; /hObject
00401017 |.>call <jmp.&kernel32.CloseHandle> ; \CloseHandle
0040101C |.>jmp 0040123E
; ---------------------------------------------------------------------------
; First instance: take the mutex name, then fix up autorun registry entries.
; ---------------------------------------------------------------------------
; CreateMutexA(NULL security, not initially owned). The returned handle is never
; stored, checked or closed - it lives until ExitProcess, which is what keeps the
; name taken for later instances. GetLastError()==ERROR_ALREADY_EXISTS is not
; checked, so the race noted at the OpenMutexA above is not closed here.
00401021 |>>push esi ; /MutexName
00401022 |.>push 0 ; |InitialOwner = FALSE
00401024 |.>push 0 ; |pSecurity = NULL
00401026 |.>call <jmp.&kernel32.CreateMutexA> ; \CreateMutexA
; Remove the "Load" autostart value under HKCU\Software\Microsoft\Windows NT\
; CurrentVersion\Windows. Registry key names are case-insensitive, so the
; mixed-case "SoftWare\\microsoft" still resolves. Return value is ignored, and
; only the CURRENT user's HKCU hive is cleaned - other users' hives are not.
0040102B |.>push 00402085 ; /Value = "Load"
00401030 |.>push 00402050 ; |SubKey = "SoftWare\\microsoft\\Windows NT\\CurrentVersion\\Windows"
00401035 |.>push 80000001 ; |hKey = HKEY_CURRENT_USER
0040103A |.>call <jmp.&shlwapi.SHDeleteValueA> ; \SHDeleteValueA
; Persist THIS tool: full path of the running module (GetModuleHandleA(NULL) ->
; GetModuleFileNameA into the 256-byte buffer at 00403008) is written as
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AntiViking (REG_SZ).
; "inc eax" extends the returned character count to include the terminating NUL.
; NOTE(review): if the path is truncated (return == BufSize = 100h) the buffer is
; not guaranteed to be NUL-terminated and DataLength becomes 101h, i.e. one byte
; past 00403008+100h = 00403108, which is the next buffer (see 0040103F).
; Writing HKLM\...\Run needs administrative rights; the SHSetValueA result is
; ignored, so running without them silently skips this step. The stored path is
; wherever the exe was launched from; if that is a user-writable location, the
; machine-wide Run entry points into it.
0040103F |.>mov esi,00403008
00401044 |.>push 0 ; /pModule = NULL
00401046 |.>call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
0040104B |.>push 100 ; /BufSize = 100 (256.)
00401050 |.>push esi ; |PathBuffer => AntiViki.00403008
00401051 |.>push eax ; |hModule
00401052 |.>call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA
00401057 |.>inc eax
00401058 |.>push eax ; /DataLength
00401059 |.>push esi ; |Data => ""
0040105A |.>push 1 ; |ValueType = REG_SZ
0040105C |.>push 004020B8 ; |Value = "AntiViking"
00401061 |.>push 0040208A ; |Subkey = "software\\microsoft\\Windows\\currentversion\\run"
00401066 |.>push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040106B |.>call <jmp.&shlwapi.SHSetValueA> ; \SHSetValueA
; ---------------------------------------------------------------------------
; File cleanup in %WINDIR%: remove the worm's executables and replace them
; with files this tool controls.
; Register roles: esi = path buffer at 00403108 (512 bytes), ebx = length of the
; Windows directory string (no NUL) as returned by GetWindowsDirectoryA, used
; at 004010B6 to rewind the buffer. Both are callee-saved under stdcall, so
; they survive the API calls in between.
; ---------------------------------------------------------------------------
00401070 |.>mov esi,00403108
00401075 |.>push 200 ; /BufSize = 200 (512.)
0040107A |.>push esi ; |Buffer => AntiViki.00403108
0040107B |.>call <jmp.&kernel32.GetWindowsDirectoryA> ; \GetWindowsDirectoryA
00401080 |.>mov ebx,eax
; Target 1: %WINDIR%\Rundl132.exe. lstrcat is unbounded, but a Windows
; directory (<= MAX_PATH) plus 13 characters fits the 200h buffer.
; Attributes are reset to NORMAL first so a READONLY/HIDDEN/SYSTEM copy can be
; deleted. Neither result is checked: if the file is in use the delete fails
; silently and execution continues.
00401082 |.>push 004020C3 ; /String2 = "\\Rundl132.exe"
00401087 |.>push esi ; |String1 => ""
00401088 |.>call <jmp.&kernel32.lstrcat> ; \lstrcat
0040108D |.>push 80 ; /FileAttributes = NORMAL
00401092 |.>push esi ; |FileName => ""
00401093 |.>call <jmp.&kernel32.SetFileAttributesA> ; \SetFileAttributesA
00401098 |.>push esi ; /FileName => ""
00401099 |.>call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
; Recreate Rundl132.exe as an empty file (CREATE_ALWAYS, GENERIC_READ,
; ShareMode = 0). The handle is never checked (eax may be INVALID_HANDLE_VALUE)
; and never closed: it stays open until ExitProcess, and with ShareMode = 0 no
; other process can open that name while the tool runs - presumably the point,
; but unlike Logo1_.exe below there is no error path if the create fails.
0040109E |.>push 0 ; /hTemplateFile = NULL
004010A0 |.>push 80 ; |Attributes = NORMAL
004010A5 |.>push 2 ; |Mode = CREATE_ALWAYS
004010A7 |.>push 0 ; |pSecurity = NULL
004010A9 |.>push 0 ; |ShareMode = 0
004010AB |.>push 80000000 ; |Access = GENERIC_READ
004010B0 |.>push esi ; |FileName => ""
004010B1 |.>call <jmp.&kernel32.CreateFileA> ; \CreateFileA
; Rewind the path buffer to "%WINDIR%" by writing a NUL at the saved length.
004010B6 |.>mov byte ptr [ebx+esi],0
; Target 2: %WINDIR%\Logo1_.exe - same clear-attributes/delete sequence, then
; recreate it READONLY|HIDDEN|SYSTEM with read/write access so it can be filled
; with a marker string below. ShareMode = 0 again.
004010BA |.>push 004020D1 ; /String2 = "\\Logo1_.exe"
004010BF |.>push esi ; |String1 => ""
004010C0 |.>call <jmp.&kernel32.lstrcat> ; \lstrcat
004010C5 |.>push 80 ; /FileAttributes = NORMAL
004010CA |.>push esi ; |FileName => ""
004010CB |.>call <jmp.&kernel32.SetFileAttributesA> ; \SetFileAttributesA
004010D0 |.>push esi ; /FileName => ""
004010D1 |.>call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
004010D6 |.>push 0 ; /hTemplateFile = NULL
004010D8 |.>push 7 ; |Attributes = READONLY|HIDDEN|SYSTEM
004010DA |.>push 2 ; |Mode = CREATE_ALWAYS
004010DC |.>push 0 ; |pSecurity = NULL
004010DE |.>push 0 ; |ShareMode = 0
004010E0 |.>push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004010E5 |.>push esi ; |FileName => ""
004010E6 |.>call <jmp.&kernel32.CreateFileA> ; \CreateFileA
; Only this CreateFileA is error-checked. On INVALID_HANDLE_VALUE (-1):
; show a message box (Title "Notice", Text "The virus may be running, please
; restart your machine!"), schedule Logo1_.exe for deletion at next boot
; (MoveFileExA with NewName = NULL and MOVEFILE_DELAY_UNTIL_REBOOT writes
; PendingFileRenameOperations under HKLM, so it too needs admin rights), and
; exit with code 0 - the same exit code as success. The HKLM Run entry written
; at 0040106B means the tool itself runs again after that reboot, which is
; presumably the intended retry. Rundl132.exe's open handle is released by
; ExitProcess on this path.
004010EB |.>cmp eax,-1
004010EE |.>jnz short 00401112
004010F0 |.>push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004010F2 |.>push 00402103 ; |Title = "提示"
004010F7 |.>push 004020DD ; |Text = "病毒可能正在运行,请重新启动你的机器!"
004010FC |.>push 0 ; |hOwner = NULL
004010FE |.>call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401103 |.>push 4 ; /Flags = DELAY_UNTIL_REBOOT
00401105 |.>push 0 ; |NewName = NULL
00401107 |.>push esi ; |ExistingName => ""
00401108 |.>call <jmp.&kernel32.MoveFileExA> ; \MoveFileExA
0040110D |.>jmp 0040123E
; ---------------------------------------------------------------------------
; Logo1_.exe was created: write a marker, then hold the file exclusively
; for the lifetime of the process.
; ---------------------------------------------------------------------------
; [00403000] = file handle; [00403004] receives bytes written. 12h = 18 bytes
; from 00401257: "Anti viking file" + "." + NUL (see the data at 00401257).
; NOTE(review): WriteFile's return and the bytes-written count are never
; checked, so a short or failed write still proceeds.
00401112 |>>mov edi,00403000
00401117 |.>mov [edi],eax
00401119 |.>mov ebx,00401257 ; ASCII "Anti viking file."
0040111E |.>mov ecx,00403004
00401123 |.>push 0 ; /pOverlapped = NULL
00401125 |.>push ecx ; |pBytesWritten => AntiViki.00403004
00401126 |.>push 12 ; |nBytesToWrite = 12 (18.)
00401128 |.>push ebx ; |Buffer => AntiViki.00401257
00401129 |.>push eax ; |hFile
0040112A |.>call <jmp.&kernel32.WriteFile> ; \WriteFile
0040112F |.>push dword ptr [edi] ; /hObject
00401131 |.>call <jmp.&kernel32.CloseHandle> ; \CloseHandle
; Re-open the (now read-only) placeholder with GENERIC_READ and ShareMode = 0.
; The handle is intentionally never closed: while this process lives, nothing
; else can open, overwrite or delete %WINDIR%\Logo1_.exe. The attribute bits
; (7) have no effect on an OPEN_EXISTING open. NOTE(review): the return value
; is not checked - if this open fails, the tool still parks in the loop below
; with the placeholder unprotected.
00401136 |.>push 0 ; /hTemplateFile = NULL
00401138 |.>push 7 ; |Attributes = READONLY|HIDDEN|SYSTEM
0040113A |.>push 3 ; |Mode = OPEN_EXISTING
0040113C |.>push 0 ; |pSecurity = NULL
0040113E |.>push 0 ; |ShareMode = 0
00401140 |.>push 80000000 ; |Access = GENERIC_READ
00401145 |.>push esi ; |FileName
00401146 |.>call <jmp.&kernel32.CreateFileA> ; \CreateFileA
; Park forever: Sleep(4096 ms) in an unconditional loop. The "mov edi,edi"
; runs are 2-byte NOP padding (elided in the listing between 00401159 and
; 00401233). There is no exit condition - the process only ends when killed,
; which is also the only way the exclusive file handle is released.
0040114B |>>/push 1000 ; /Timeout = 4096. ms
00401150 |.>|call <jmp.&kernel32.Sleep> ; \Sleep
00401155 |.>|mov edi,edi
00401157 |.>|mov edi,edi
00401159 |.>|mov edi,edi
........ |.>|............... ; ... (elided: more mov edi,edi padding)
00401233 |.>|mov edi,edi
00401235 |.>|mov edi,edi
00401237 |.>|mov edi,edi
00401239 |.>\jmp 0040114B
; Common exit for both jmp sites (0040101C, 0040110D): always exit code 0,
; whether the tool did nothing, cleaned up, or scheduled a reboot-time delete.
; The retn after ExitProcess is unreachable.
0040123E |>>push 0 ; /ExitCode = 0
00401240 \.>call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00401245 .>retn
; Data referenced by the code above.
; 00401246: mutex name (16 chars), NUL-terminated by the byte at 00401256.
00401246 .>ascii "Anti-Viking v0.1"
00401256 .>ascii 0
; 00401257: marker written into Logo1_.exe - "Anti viking file" (16) + "." (1)
; + NUL (1) = 18 bytes, matching nBytesToWrite = 12h at 00401126.
00401257 .>ascii "Anti viking file"
00401267 .>ascii ".",0