Kazme_Gheyz Analyzed & Killed
Post #1 by veyskarami (retired moderator)
Features:
Code:
Compiled in: Microsoft Visual Basic 5.0 / 6.0
Packed with: ASPack 2.12
Risk: Medium
Adware: Yes
Worm: Yes
Delete File: No
Injection: No
File Infection: No
AVS Killer: Yes
Running Mode: User & Admin & System & Safe Mode
Autorun: Yes
Hidden in Process: Yes
Hidden in TaskList: Yes
Thread Count: 4

Autorun:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\,"Winlogon", "%SYSTEMROOT%\explorer.exe, %SYSTEMROOT%\virus.exe"

Dropped Files:
Code:
"A..Z" :\kazme__gheyz.exe
"A..Z" :\autorun.inf
%WINDIR%\virus.exe   <- run in startup mode
%SysDir%\Service.exe <- run in startup mode
%SysDir%\FSP32.exe   <- run in service mode

Creates a service with these properties:
Code:
Service name: "Win32CM"
Display name: "File System Protection (FSP)"
Description: "Stores security information about file system options,
If you stop this service your computer can not be run properly."
Path to executable: C:\WINDOWS\system32\FSP32.exe

Other:
Code:
Closes a program's window if it finds "Process" in the window caption.
Can send PMs via Yahoo Messenger.

VB form picture:
[Image: 308z4af.png]

VB Modules:
Code:
cDeviceDriver.cls
cHideProcess.cls
clsCrypto.cls
cpProcessList.cls
cProcessInformation.cls
ProcessSecurity.cls
API_Module.bas
modSpecialStuff.bas
findwild.bas
General.bas
trayballoontip.bas

VB Declares:
Code:
Private Declare Function ExpandEnvironmentStrings Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function RegQueryInfoKey Lib "advapi32.dll" Alias "RegQueryInfoKeyA" (ByVal hKey As Long, ByVal lpClass As String, lpcbClass As Long, ByVal lpReserved As Long, lpcSubKeys As Long, lpcbMaxSubKeyLen As Long, lpcbMaxClassLen As Long, lpcValues As Long, lpcbMaxValueNameLen As Long, lpcbMaxValueLen As Long, lpcbSecurityDescriptor As Long, lpftLastWriteTime As FILETIME) As Long
Private Declare Function RegConnectRegistry Lib "advapi32.dll" Alias "RegConnectRegistryA" (ByVal lpMachineName As String, ByVal hKey As Long, phkResult As Long) As Long
Private Declare Function RegEnumValue Lib "advapi32.dll" Alias "RegEnumValueA" (ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpValueName As String, lpcbValueName As Long, ByVal lpReserved As Long, lpType As Long, lpData As Byte, lpcbData As Long) As Long
Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal Reserved As Long, ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, phkResult As Long, lpdwDisposition As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long         ' Note that if you the lpData parameter as String, you must pass it By Value.
Private Declare Function RegCloseKey Lib "advapi32.dll" Alias "RegCloseKey" (ByVal hKey As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long         ' Note that if you the lpData parameter as String, you must pass it By Value.
Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (ByVal hKey As Long, ByVal lpValueName As String) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long         ' Note that if you the lpData parameter as String, you must pass it By Value.
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long         ' Note that if you the lpData parameter as String, you must pass it By Value.
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" Alias "RegCloseKey" (ByVal hKey As Long) As Long
Private Declare Function RegQueryValue Lib "advapi32.dll" Alias "RegQueryValueA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal lpValue As String, lpcbValue As Long) As Long
Private Declare Function RegEnumKey Lib "advapi32.dll" Alias "RegEnumKeyA" (ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpName As String, ByVal cbName As Long) As Long
Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long
Private Declare Sub Process32Next Lib "kernel32"()
Private Declare Sub Process32First Lib "kernel32"()
Private Declare Sub CreateToolhelp32Snapshot Lib "kernel32"()
Private Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function GetClassName Lib "user32" Alias "GetClassNameA" (ByVal hwnd As Long, ByVal lpClassName As String, ByVal nMaxCount As Long) As Long
Private Declare Function ShowWindow Lib "user32" Alias "ShowWindow" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Private Declare Function EnableWindow Lib "user32" Alias "EnableWindow" (ByVal hwnd As Long, ByVal fEnable As Long) As Long
Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (ByVal hwnd As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" Alias "GetWindowThreadProcessId" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function WindowFromPoint Lib "user32" Alias "WindowFromPoint" (ByVal xPoint As Long, ByVal yPoint As Long) As Long
Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function BringWindowToTop Lib "user32" Alias "BringWindowToTop" (ByVal hwnd As Long) As Long
Private Declare Function GetParent Lib "user32" Alias "GetParent" (ByVal hwnd As Long) As Long
Private Declare Function IsWindowVisible Lib "user32" Alias "IsWindowVisible" (ByVal hwnd As Long) As Long
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
Private Declare Function EnumWindows Lib "user32" (ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long
Private Declare Sub BlockInput Lib "user32"()
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function Shell_NotifyIcon Lib "shell32.dll" Alias " Shell_NotifyIconA" (ByVal dwMessage As Long, lpData As NOTIFYICONDATA) As Long
Private Declare Function SetForegroundWindow Lib "user32" Alias "SetForegroundWindow" (ByVal hwnd As Long) As Long
Private Declare Sub SetLastError Lib "kernel32" Alias "SetLastError" (ByVal dwErrCode As Long)
Private Declare Function GetVersion Lib "kernel32" Alias "GetVersion" () As Long
Private Declare Function GetLastError Lib "kernel32" Alias "GetLastError" () As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" Alias "AdjustTokenPrivileges" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LARGE_INTEGER) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" Alias "OpenProcessToken" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" Alias "GetCurrentProcess" () As Long
Private Declare Function ExitWindowsEx Lib "user32" Alias "ExitWindowsEx" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Sub TerminateProcess Lib "kernel32"()
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LARGE_INTEGER) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" Alias "AdjustTokenPrivileges" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Sub Process32Next Lib "kernel32"()
Private Declare Sub Process32First Lib "kernel32"()
Private Declare Function OpenProcessToken Lib "advapi32.dll" Alias "OpenProcessToken" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Sub OpenProcess Lib "kernel32"()
Private Declare Sub lstrlenA Lib "kernel32"()
Private Declare Sub GetWindowsDirectoryA Lib "kernel32"()
Private Declare Sub GetQueueStatus Lib "user32"()
Private Declare Sub GetModuleFileNameExA Lib "psapi.dll"()
Private Declare Sub GetModuleBaseNameA Lib "psapi.dll"()
Private Declare Sub GetCurrentProcess Lib "kernel32"()
Private Declare Sub FormatMessageA Lib "kernel32"()
Private Declare Sub EnumProcessModules Lib "psapi.dll"()
Private Declare Sub EnumProcesses Lib "psapi.dll"()
Private Declare Sub CreateToolhelp32Snapshot Lib "kernel32"()
Private Declare Sub CryptGetHashParam Lib "advapi32"()
Private Declare Sub CryptDestroyHash Lib "advapi32"()
Private Declare Sub CryptHashData Lib "advapi32"()
Private Declare Sub CryptCreateHash Lib "advapi32"()
Private Declare Sub CryptDecrypt Lib "advapi32"()
Private Declare Sub CryptEncrypt Lib "advapi32"()
Private Declare Sub CryptDestroyKey Lib "advapi32"()
Private Declare Sub CryptDeriveKey Lib "advapi32"()
Private Declare Sub CryptReleaseContext Lib "advapi32"()
Private Declare Sub CryptAcquireContextA Lib "advapi32"()
Private Declare Sub RegisterServiceProcess Lib "kernel32"()
Private Declare Function GetCurrentProcessId Lib "kernel32" Alias "GetCurrentProcessId" () As Long
Private Declare Sub DeviceIoControl Lib "kernel32"()
Private Declare Function SystemParametersInfo Lib "user32" Alias "SystemParametersInfoA" (ByVal uAction As Long, ByVal uParam As Long, ByRef lpvParam As Any, ByVal fuWinIni As Long) As Long
Private Declare Function mciSendString Lib "winmm.dll" Alias "mciSendStringA" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long
Private Declare Function SetWindowPos Lib "user32" Alias "SetWindowPos" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Private Declare Function GetSystemMenu Lib "user32" Alias "GetSystemMenu" (ByVal hwnd As Long, ByVal bRevert As Long) As Long
Private Declare Function DeleteMenu Lib "user32" Alias "DeleteMenu" (ByVal hMenu As Long, ByVal nPosition As Long, ByVal wFlags As Long) As Long
Private Declare Sub RasGetConnectStatusA Lib "RasApi32.dll"()
Private Declare Sub RasEnumConnectionsA Lib "RasApi32.dll"()
Private Declare Function waveOutGetNumDevs Lib "winmm.dll" Alias "waveOutGetNumDevs" () As Long
Private Declare Function GetDeviceCaps Lib "gdi32" Alias "GetDeviceCaps" (ByVal hdc As Long, ByVal nIndex As Long) As Long
Private Declare Sub GlobalMemoryStatus Lib "kernel32" Alias "GlobalMemoryStatus" (lpBuffer As MEMORYSTATUS)
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long
Private Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
Private Declare Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" (ByVal lpBuffer As String, nSize As Long) As Long
Private Declare Function GetVolumeInformation Lib "kernel32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, ByVal nFileSystemNameSize As Long) As Long
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetDiskFreeSpace Lib "kernel32" Alias "GetDiskFreeSpaceA" (ByVal lpRootPathName As String, lpSectorsPerCluster As Long, lpBytesPerSector As Long, lpNumberOfFreeClusters As Long, lpTotalNumberOfClusters As Long) As Long
Private Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long
Private Declare Function GetLogicalDriveStrings Lib "kernel32" Alias "GetLogicalDriveStringsA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function GetCurrentTime Lib "kernel32" Alias "GetTickCount" () As Long
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function DeleteService Lib "advapi32.dll" Alias "DeleteService" (ByVal hService As Long) As Long
Private Declare Function ControlService Lib "advapi32.dll" Alias "ControlService" (ByVal hService As Long, ByVal dwControl As Long, lpServiceStatus As SERVICE_STATUS) As Long
Private Declare Function StartService Lib "advapi32.dll" Alias "StartServiceA" (ByVal hService As Long, ByVal dwNumServiceArgs As Long, ByVal lpServiceArgVectors As Long) As Long
Private Declare Function OpenService Lib "advapi32.dll" Alias "OpenServiceA" (ByVal hSCManager As Long, ByVal lpServiceName As String, ByVal dwDesiredAccess As Long) As Long
Private Declare Function CloseServiceHandle Lib "advapi32.dll" Alias "CloseServiceHandle" (ByVal hSCObject As Long) As Long
Private Declare Function CreateService Lib "advapi32.dll" Alias "CreateServiceA" (ByVal hSCManager As Long, ByVal lpServiceName As String, ByVal lpDisplayName As String, ByVal dwDesiredAccess As Long, ByVal dwServiceType As Long, ByVal dwStartType As Long, ByVal dwErrorControl As Long, ByVal lpBinaryPathName As String, ByVal lpLoadOrderGroup As String, lpdwTagId As Long, ByVal lpDependencies As String, ByVal lp As String, ByVal lpPassword As String) As Long
Private Declare Function OpenSCManager Lib "advapi32.dll" Alias "OpenSCManagerA" (ByVal lpMachineName As String, ByVal lpDatabaseName As String, ByVal dwDesiredAccess As Long) As Long
Private Declare Sub GetVersionExA Lib "kernel32"()
Private Declare Sub GetTempPathA Lib "kernel32"()
Private Declare Sub CloseHandle Lib "kernel32"()
Private Declare Sub CreateFileA Lib "kernel32"()
Private Declare Sub GetLastError Lib "kernel32"()
Private Declare Sub CopyFileA Lib "kernel32"()
Private Declare Sub GetSystemDirectoryA Lib "kernel32"()

Special thanks to Casit Virus Analyzer 1.0 by Arash Veyskarami


Attached file(s)
.zip   AntiKazme.zip (size: 12.49 KB / downloads: 160)
.zip   FormAndResources.zip (size: 6.34 KB / downloads: 145)

02-Shahrivar-1387, 10:56:14
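The persistence indicators in the post above (the Winlogon autorun entry, autorun.inf dropped on every drive root, the Win32CM service and the dropped executables) lend themselves to a simple defender-side triage check. The following is an added example, not code from the post or its author: it parses a constructed autorun.inf, splits a Winlogon shell-style value to find programs other than explorer.exe, and matches service and file names against the indicators listed above. The post does not name the Winlogon value; the assumption here is that it is the Shell value, since that is the value that normally holds explorer.exe. All inputs are constructed and nothing touches a live registry or file system.

```python
# Added example: offline triage of the persistence indicators listed in the analysis
# above. Not the post author's code; every input below is constructed.
import ntpath

# Indicators copied from the analysis. The Winlogon value name is not given there;
# "Shell" (the value that normally holds explorer.exe) is an assumption.
LEGIT_SHELL = "explorer.exe"
KNOWN_SERVICE = "win32cm"
KNOWN_DROPPED = {"kazme__gheyz.exe", "virus.exe", "service.exe", "fsp32.exe"}


def winlogon_shell_extras(value):
    """Return every program in a comma-separated Winlogon shell value other than
    explorer.exe. The post shows '%SYSTEMROOT%\\explorer.exe, %SYSTEMROOT%\\virus.exe'."""
    extras = []
    for item in value.split(","):
        item = item.strip().strip('"')
        if item and ntpath.basename(item).lower() != LEGIT_SHELL:
            extras.append(item)
    return extras


def parse_autorun_inf(text):
    """Tolerant INI-style parser for autorun.inf: [section] headers, key=value
    lines and ';' comments. Section and key names are lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def autorun_launch_targets(sections):
    """Programs an autorun.inf would run: open=, shellexecute= and
    shell\\<verb>\\command= entries under [autorun]. icon= and label= are ignored."""
    auto = sections.get("autorun", {})
    return [val for key, val in auto.items()
            if key in ("open", "shellexecute")
            or (key.startswith("shell\\") and key.endswith("\\command"))]


def triage(winlogon_value, autorun_text, service_names, file_paths):
    """Collect findings from the four indicator sources; each finding is a string."""
    findings = []
    for prog in winlogon_shell_extras(winlogon_value):
        findings.append("Winlogon shell launches extra program: " + prog)
    for target in autorun_launch_targets(parse_autorun_inf(autorun_text)):
        tag = "known dropper" if ntpath.basename(target).lower() in KNOWN_DROPPED else "unknown"
        findings.append("autorun.inf launches %s (%s)" % (target, tag))
    for name in service_names:
        if name.lower() == KNOWN_SERVICE:
            findings.append("service present: " + name)
    for path in file_paths:
        if ntpath.basename(path).lower() in KNOWN_DROPPED:
            findings.append("dropped file present: " + path)
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_WINLOGON = r"%SYSTEMROOT%\explorer.exe, %SYSTEMROOT%\virus.exe"
SAMPLE_AUTORUN_INF = """; constructed sample
[autorun]
open=kazme__gheyz.exe
shell\\open\\command=kazme__gheyz.exe
icon=kazme__gheyz.exe
"""
SAMPLE_SERVICES = ["Spooler", "Win32CM"]
SAMPLE_FILES = [r"C:\WINDOWS\virus.exe", r"C:\WINDOWS\system32\FSP32.exe",
                r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_WINLOGON, SAMPLE_AUTORUN_INF, SAMPLE_SERVICES, SAMPLE_FILES):
        print(finding)
```

On a real machine the four inputs would come from the Winlogon key, the autorun.inf on each drive root, the service control manager and a directory listing of %WINDIR% and %SysDir%; the matching logic stays the same.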
Post #2 by babyy (retired)
Hello

Thanks for your effort.
Sorry, but I had also seen a Dir object in the program.
Could you tell me whether I am mistaken, or you forgot to include it, or whether it exists at all?
Apologies again for my boldness.

The antivirus you wrote does not work, at least on my computer; it throws an error 3 or 4 times when closing the process. (The file will not upload, so I cannot send it to you.)
Ya Haq
(Last edited: 16-Shahrivar-1387, 03:04:03 by babyy.)
16-Shahrivar-1387, 02:06:18
Post #3 by veyskarami (retired moderator)
Hello
You're welcome.
The virus I mentioned above is unfortunately polymorphic and also comes in several different versions; I worked on one of them, and I think you are referring to a different version.
The one I analyzed has a white tab icon; I do not have it at hand to post.
16-Shahrivar-1387, 11:30:40
Post #4 by CRazYFULL (retired moderator)
How did it spread?
16-Shahrivar-1387, 15:50:12
Post #5 by HoseinVig (retired moderator)
(16-Shahrivar-1387, 15:50:12) crazyfull wrote: How did it spread?

Please post it if you have any information on this.

16-Shahrivar-1387, 16:09:36
Post #6 by veyskarami (retired moderator)
Through an internet site (I forget its name).
It also has the ability to send PMs in Yahoo Messenger, but I did not see it send anything.
16-Shahrivar-1387, 17:54:39
Post #7 by babyy (retired)
Hello

For me the icon is also a white tab; I think its icons are all white.
I dug up some information on it and posted it at
http://forum.iranled.com/showthread.php?tid=9909
.
The virus is strange, not normal; I still have not figured out the role of that DIR. I ran it about 10 or 20 times and scanned it, and dir plays no role at all.
By the way, in this version I could not find a file for running the service; I think I got hold of the most pathetic version of it!!!

Ya Haq
17-Shahrivar-1387, 01:26:42
Post #8 by mojtabamalaekeh (experienced user)
It is really bad that it has different versions. It gets on your nerves.
That DIR is probably for accessing the list of drives. First, it needs the hard disk drives so it can Autorun all of them; second, I think it refreshes Dir to see whether a Cool Disk (removable drives in general) has been added so it can infect it.
It is a nasty thing, because you get an anti for it and then find out it was for a different version.
Now two technical questions:
What does polymorphic mean? (Do you mean its having multiple versions?)
What about Task Manager and Registry Editor: why is it that if you rename them, they run?
Thanks


(Last edited: 17-Shahrivar-1387, 07:27:12 by mojtabamalaekeh.)
17-Shahrivar-1387, 07:25:32