FlyFar
Feb 19th, 2023
PHP.Rainbow
by Second Part To Hell[rRlf]
www.spth.de.vu
spth@aonmail.at
written in October 2003
in Austria

Technique Information:

* Poly Engines

--> Adding Trash/Junk/Garbage
For one in two lines, the virus adds a junk line to the code.
This junk line could contain:
- // anything
- $anything='anything';
- $anything=number;
Because the code would be damn big after the 5th generation, I decided
to delete the trash after every generation and make a new one. Anyway,
the chance to get a trash-line will be bigger, because there are more
lines (more lines --> more chance). But I tested about 30 generations
and it's no big problem with the size.

--> Changing Variable/function names
The virus uses an array with all variable/function names of the virus;
every generation it changes every array entry (every name) to a new
name 5-15 characters long.

--> Number changing
The virus is able to change every number in the code. This is a real
successful way to fake AVs, I think! A number (for instance '10') could
also be one of the following things:
10=(8+2)
10=(19-9)
10=(130/13)
It's easy to understand, I think. I decided to change every 5th number I can
find, because it looks better than changing every number every generation.

* Infection Method

--> Prepender
This code is a prepender virus, which doesn't harm the victim file.
It reads the first PHP part (which is the whole virus code) of the current
file (__FILE__, as it's called in PHP). Then it searches for every PHP file
in the current directory, and adds the changed virus code at the beginning of
the victim file. Before infecting, the virus checks whether there's already an
infection mark of the virus, which is 'RainBow'.

Something else a little interesting is that it's hard to get many different generations from
the virus, because it only changes when it infects a file. And only the infected file has the
different form, not the old virus.
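
A defender's view of the techniques described above, as an added example that is not part of the original paste: a Python normalizer that undoes comment junk, variable renaming and number changing in the first PHP block, so two generations reduce to the same text, plus a check for the 'RainBow' mark. The function names, the sample sources and the placement of the mark in a comment are constructed assumptions; junk assignment lines are left in place, because telling them apart from real assignments needs data-flow analysis.

```python
import re

MARKER = "RainBow"  # infection mark named in the paste
_EXPR = re.compile(r"\((\d+)([+\-/])(\d+)\)")  # (a+b), (a-b), (a/b)
_VAR = re.compile(r"\$[A-Za-z_]\w*")

def first_php_block(source):
    """First <?php ... ?> part, where a prepender's code would sit."""
    m = re.search(r"<\?php(.*?)\?>", source, re.S)
    return m.group(1) if m else ""

def fold_numbers(code):
    """Collapse constant integer expressions back to the plain number."""
    def repl(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "+":
            return str(a + b)
        if op == "-":
            return str(a - b)
        if b == 0 or a % b:
            return m.group(0)  # inexact division: leave untouched
        return str(a // b)
    prev = None
    while prev != code:  # repeat so nested expressions fold too
        prev, code = code, _EXPR.sub(repl, code)
    return code

def normalize(source):
    """Form of the first PHP block that is stable across generations."""
    names, out = {}, []
    for line in first_php_block(source).splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue  # blank lines and comment-only junk
        line = fold_numbers(line)
        # rename variables by order of first appearance
        line = _VAR.sub(lambda m: names.setdefault(m.group(0), "$v%d" % len(names)), line)
        out.append(line)
    return "\n".join(out)

def has_marker(source):
    return MARKER in first_php_block(source)

# Constructed, harmless samples: same logic, two "generations".
GEN_A = "<?php\n// RainBow\n$count=10;\n$limit=$count+5;\necho $limit;\n?>\n<p>host</p>\n"
GEN_B = ("<?php\n// RainBow\n// kjsdf\n$qwmzxo=(8+2);\n"
         "$plkjh=$qwmzxo+(20/4);\necho $plkjh;\n?>\n<p>host</p>\n")
```

Hashing the output of normalize() gives one signature for variants that differ only in comments, variable names and number encoding; the regexes also rewrite matches inside string literals, which is acceptable for fingerprinting but not for code rewriting.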