procedure PermuteSomeBytes(Buffer: pbyte; BufLen: word);
var
  p: pchar;
  cnt: Integer;
  c1, c2: char;
begin
  cnt := BufLen shr 4;
  p := pchar(Buffer);
  while (cnt <> 0) do
  begin
    c1 := p^;
    p^ := (p + 8)^;
    (p + 8)^ := c1;

    c2 := (p + 4)^;
    (p + 4)^ := (p + 12)^;
    (p + 12)^ := c2;

    p := p + 16;

    dec(cnt);
  end;
end;

procedure DecryptFile(const SourceFileName, DestinationFileName,
  Password: string);

const
  BUFFERSIZE = $3000;
  // ist das wirklich eine Konstante oder wird PARTOFPASSWORD vom Virenloader
  // in den Virencode gepatcht ?
  PARTOFPASSWORD = '732jjdnbYYSUUW7kjksk***ndhhssh';

var
  hProv: HCRYPTPROV;
  hash: HCRYPTHASH;
  key: HCRYPTKEY;
  pw:string;
  Buffer: PByte;
  len: dWord;
  fsIn, fsOut: TFileStream;
begin
  pw:= Password + PartOfPassword;

  if CryptAcquireContext(@hProv, nil, nil, PROV_RSA_FULL, $F0000000) then
  begin
    CryptCreateHash(hProv, $8003, 0, 0, @hash);
    CryptHashData(hash, @pw[1], Length(pw), 0);
    CryptDeriveKey(hProv, $6801, hash, 1, @key);
    CryptDestroyHash(hash);

    fsIn := TFileStream.Create(SourceFileName, fmOpenRead or fmShareDenyWrite);
    fsOut := TFileStream.Create(DestinationFileName, fmCreate);
    try
      GetMem(Buffer, BUFFERSIZE);
      if not fsIn.Size = 0 then
      begin
        len := fsIn.Read(Buffer^, BUFFERSIZE);

        CryptDecrypt(key, 0, True, 0, Buffer, @len);
        // nach dem entschlüsseln wird in PermuteSomeBytes
        // das vertauschungen einiger Bytes rückgängig gemacht
        PermuteSomeBytes(Buffer, len);

        fsOut.Write(Buffer^, len);
      end;
      FreeMem(Buffer, BUFFERSIZE);
    finally
      fsIn.Free;
      fsOut.Free;
    end;
    CryptReleaseContext(hProv, 0);
  end;
end;