
Virus: Backdoor.rbot



i wrote:

#include <GUIConstants.au3>

Opt("GUIOnEventMode", 1) ; Change to OnEvent mode
$mainwindow = GUICreate("Shui Hu Bot", 200, 100)
GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")
GUICtrlCreateLabel("click Start de bat dau", 30, 10)
$okbutton = GUICtrlCreateButton("Start", 70, 50, 60)
GUICtrlSetOnEvent($okbutton, "_attack")
GUISetState(@SW_SHOW)

While 1
    Sleep(1000) ; Idle around
WEnd

; If colour 0x5a555a is found in the watched region, press F1 and wait 30 s
Func _check()
    $coord = PixelSearch(146, 132, 179, 135, 0x5a555a)
    If Not @error Then
        Send("{F1}")
        Sleep(30000)
    EndIf
EndFunc

; Button handler: look for pure green (0x00FF00) pixels, click near them and press F2
Func _attack()
    Sleep(1000)
    $i = 0
    $a = 0
    $b = 0
    While $i < 1000
        $x = 460
        $y = 150
        $toado = PixelSearch(202, 104, 875, 565, 0x00FF00)
        If Not @error Then
            For $a = 0 To 100
                For $b = 0 To 30
                    If Hex(PixelGetColor($toado[0] + $a, $toado[1] + $b), 6) = "00FF00" And _
                            (Hex(PixelGetColor($toado[0] + $a + 1, $toado[1] + $b), 6) = "00FF00" Or _
                            Hex(PixelGetColor($toado[0] + $a, $toado[1] + $b + 1), 6) = "00FF00") Then
                        _MouseMovePlus(($toado[0] + $a + 20) * (65535 / @DesktopWidth), ($toado[1] + $b + 30) * (65535 / @DesktopHeight), 1)
                        MouseClick("left")
                        Send("{F2}")
                        $i = $i + 1
                        Sleep(1000)
                        $c = PixelSearch(457, 149, 471, 151, 0xffffff)
                        If Not @error Then
                            If Hex(PixelGetColor($c[0], $c[1]), 6) = "ffffff" Then
                                ; Loop while the pixel at ($x, $y) is still white, re-locating it in the strip each pass
                                While Hex(PixelGetColor($x, $y), 6) = "ffffff"
                                    $c = PixelSearch(457, 149, 471, 151, 0xffffff)
                                    If Not @error Then
                                        $x = $c[0]
                                        $y = $c[1]
                                    EndIf
                                WEnd
                            EndIf
                        EndIf
                        _check()
                    EndIf
                Next
            Next
        EndIf
        Send("{F3}")
        Sleep(1000)
    WEnd
EndFunc

; Move the mouse through user32's mouse_event; with $absolute = 1 the
; coordinates are on the normalised 0..65535 screen scale
Func _MouseMovePlus($X, $Y, $absolute = 0)
    Local $MOUSEEVENTF_MOVE = 1
    Local $MOUSEEVENTF_ABSOLUTE = 32768
    DllCall("user32.dll", "none", "mouse_event", _
            "long", $MOUSEEVENTF_MOVE + ($absolute * $MOUSEEVENTF_ABSOLUTE), "long", $X, "long", $Y, "long", 0, "long", 0)
EndFunc

Func CLOSEClicked()
    Exit
EndFunc

and convert2exe, then check http://www.virustotal.com, then

| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 6.34.0.24 | 04.20.2006 | no virus found |
| Avast | 4.6.695.0 | 05.02.2006 | no virus found |
| AVG | 386 | 05.02.2006 | no virus found |
| Avira | 6.34.1.58 | 05.03.2006 | no virus found |
| BitDefender | 7.2 | 05.03.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 05.03.2006 | no virus found |
| ClamAV | devel-20060426 | 05.03.2006 | no virus found |
| DrWeb | 4.33 | 05.03.2006 | no virus found |
| eTrust-InoculateIT | 23.71.145 | 05.03.2006 | no virus found |
| eTrust-Vet | 12.4.2191 | 05.02.2006 | no virus found |
| Ewido | 3.5 | 05.03.2006 | no virus found |
| Fortinet | 2.71.0.0 | 05.03.2006 | suspicious |
| F-Prot | 3.16c | 05.03.2006 | no virus found |
| Ikarus | 0.2.65.0 | 05.03.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 05.03.2006 | no virus found |
| McAfee | 4753 | 05.02.2006 | no virus found |
| Microsoft | 1.1372 | 05.03.2006 | no virus found |
| NOD32v2 | 1.1517 | 05.02.2006 | no virus found |
| Norman | 5.90.17 | 05.03.2006 | no virus found |
| Panda | 9.0.0.4 | 05.03.2006 | Suspicious file |
| Sophos | 4.05.0 | 05.03.2006 | no virus found |
| Symantec | 8.0 | 05.03.2006 | no virus found |
| TheHacker | 5.9.7.137 | 05.03.2006 | no virus found |
| UNA | 1.83 | 04.28.2006 | Backdoor.Rbot |
| VBA32 | 3.11.0 | 05.03.2006 | no virus found |

What's this??????? Why does my code have a virus?

Edited by nhd1986

i wrote:

A) google "false positive" ....

B) get a better virus checker....

C) remember that the av people just write code too, problems can exist in things that are not your code :(

Edited by flyingboz

Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.


...what's this???????

"This" is a moving target...

Code as simple as:

MsgBox(0, "", "")
Can show up as "bad" by some checks:

| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 6.34.0.24 | 04.20.2006 | no virus found |
| Avast | 4.6.695.0 | 05.05.2006 | no virus found |
| AVG | 386 | 05.05.2006 | no virus found |
| Avira | 6.34.1.58 | 05.07.2006 | no virus found |
| BitDefender | 7.2 | 05.08.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 05.05.2006 | no virus found |
| ClamAV | devel-20060426 | 05.07.2006 | no virus found |
| DrWeb | 4.33 | 05.07.2006 | no virus found |
| eTrust-InoculateIT | 23.72.2 | 05.07.2006 | no virus found |
| eTrust-Vet | 12.4.2194 | 05.04.2006 | no virus found |
| Ewido | 3.5 | 05.07.2006 | no virus found |
| Fortinet | 2.71.0.0 | 05.08.2006 | suspicious |
| F-Prot | 3.16c | 05.05.2006 | no virus found |
| Ikarus | 0.2.65.0 | 05.05.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 05.08.2006 | no virus found |
| McAfee | 4756 | 05.05.2006 | no virus found |
| Microsoft | 1.1372 | 05.08.2006 | no virus found |
| NOD32v2 | 1.1523 | 05.05.2006 | no virus found |
| Norman | 5.90.17 | 05.05.2006 | no virus found |
| Panda | 9.0.0.4 | 05.07.2006 | no virus found |
| Sophos | 4.05.0 | 05.07.2006 | no virus found |
| Symantec | 8.0 | 05.07.2006 | no virus found |
| TheHacker | 5.9.7.140 | 05.08.2006 | Adware/Maxifiles.f |
| UNA | 1.83 | 05.06.2006 | Backdoor.Rbot |
| VBA32 | 3.11.0 | 05.08.2006 | no virus found |

...but this is an improvement over past checks of that same one line of code compiled with the current "production" version of AutoIt... fewer false positives. :-)

You can read more about "false positives" in these forum threads:

http://www.autoitscript.com/forum/index.php?showtopic=20731

http://www.autoitscript.com/forum/index.php?showtopic=20511

http://www.autoitscript.com/forum/index.php?showtopic=13179

http://www.autoitscript.com/forum/index.php?showtopic=19142

http://www.autoitscript.com/forum/index.php?showtopic=17313

http://www.autoitscript.com/forum/index.php?showtopic=16906

http://www.autoitscript.com/forum/index.php?showtopic=16589

http://www.autoitscript.com/forum/index.php?showtopic=15288

http://www.autoitscript.com/forum/index.php?showtopic=7156

http://www.autoitscript.com/forum/index.php?showtopic=5766

http://www.autoitscript.com/forum/index.php?showtopic=4368

http://www.autoitscript.com/forum/index.php?showtopic=1456

http://www.autoitscript.com/forum/index.php?showtopic=2000

... there are more...

Edited by herewasplato

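The comparison made in the post above, as an added example that is not code from the thread: it parses rows excerpted from the two scan tables and sorts each engine's verdict by whether it also fires on the one-line MsgBox build. The function names, the "baseline build" framing and the treatment of a missing engine as clean are assumptions of this example.

```python
# Rows excerpted from the two scan tables in this thread, in the page's
# "engine version update result" layout; the omitted engines were all clean.
BOT_EXE = """\
Fortinet 2.71.0.0 05.03.2006 suspicious
Kaspersky 4.0.2.24 05.03.2006 no virus found
Panda 9.0.0.4 05.03.2006 Suspicious file
TheHacker 5.9.7.137 05.03.2006 no virus found
UNA 1.83 04.28.2006 Backdoor.Rbot
"""
MSGBOX_EXE = """\
Fortinet 2.71.0.0 05.08.2006 suspicious
Kaspersky 4.0.2.24 05.08.2006 no virus found
Panda 9.0.0.4 05.07.2006 no virus found
TheHacker 5.9.7.140 05.08.2006 Adware/Maxifiles.f
UNA 1.83 05.06.2006 Backdoor.Rbot
"""
CLEAN = "no virus found"


def parse_report(text):
    """Return {engine: verdict}; the verdict is everything after the date."""
    verdicts = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:  # skip blank or truncated rows
            verdicts[parts[0]] = parts[3].strip()
    return verdicts


def triage(sample, baseline):
    """Sort each engine's hit by whether the trivial baseline build gets one too."""
    out = {"shared": {}, "sample_only": {}, "baseline_only": {}}
    for engine in sorted(set(sample) | set(baseline)):
        # Assumption: an engine absent from one report is treated as clean.
        s = sample.get(engine, CLEAN)
        b = baseline.get(engine, CLEAN)
        s_hit, b_hit = s.lower() != CLEAN, b.lower() != CLEAN
        if s_hit and b_hit:
            out["shared"][engine] = (s, b)
        elif s_hit:
            out["sample_only"][engine] = s
        elif b_hit:
            out["baseline_only"][engine] = b
    return out


if __name__ == "__main__":
    result = triage(parse_report(BOT_EXE), parse_report(MSGBOX_EXE))
    for bucket, hits in result.items():
        print(bucket, hits)
```

Verdicts in `shared` also fire on a build whose script is a single MsgBox call, so they cannot be reacting to the bot script's logic; `sample_only` hits are the ones that merit a closer look.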
