Sign in to follow this  
Followers 0
nhd1986

Virus: Backdoor.rbot

5 posts in this topic

#1 ·  Posted (edited)

i wrote:

#include <GUIConstants.au3>

Opt("GUIOnEventMode", 1); Change to OnEvent mode 
$mainwindow = GUICreate("Shui Hu Bot", 200, 100)
GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")
GUICtrlCreateLabel("click Start de bat dau", 30, 10)
$okbutton = GUICtrlCreateButton("Start", 70, 50, 60)
GUICtrlSetOnEvent($okbutton, "_attack")
GUISetState(@SW_SHOW)

While 1
  Sleep(1000); Idle around
WEnd
Func _check()
$coord = PixelSearch(146,132,179,135,0x5a555a)

if not @error Then;
            send("{F1}")
            sleep(30000)
        EndIf
    EndFunc
func _attack()
    Sleep(1000)
$i=0
$a=0
$b=0
while $i<1000
    $x = 460
$y = 150
$toado = PixelSearch(202,104,875,565,0x00FF00)
if not @error Then
    For $a=0 To 100
        for $b=0 to 30
            if hex(PixelGetColor($toado[0]+$a,$toado[1]+$b),6)="00FF00" and (hex(PixelGetColor($toado[0]+$a+1,$toado[1]+$b),6)="00FF00"or hex(PixelGetColor($toado[0]+$a,$toado[1]+$b+1),6)="00FF00")Then
                    _MouseMovePlus(($toado[0]+$a+20)*(65535/@DesktopWidth), ($toado[1]+$b+30)*(65535/@DesktopHeight),1)
                    MouseClick("left")
                send("{F2}")
                $i=$i+1
                sleep(1000)
                $c = PixelSearch(457,149,471,151,0xffffff)
                if not @error Then
                    if hex(PixelGetColor($c[0],$c[1]),6)="ffffff" then
                        while hex(PixelGetColor($x,$y),6)="ffffff"
                            $c = PixelSearch(457,149,471,151,0xffffff)
                            if not @error then 
                                $x = $c[0]
                                $y = $c[1]
                            EndIf
                        WEnd
                    EndIf
                EndIf
                _check()
            EndIf
        Next
    Next
EndIf
Send("{F3}")
sleep(1000)
WEnd
EndFunc

Func _MouseMovePlus($X, $Y,$absolute = 0)
        Local $MOUSEEVENTF_MOVE = 1
    Local $MOUSEEVENTF_ABSOLUTE = 32768
    DllCall("user32.dll", "none", "mouse_event", _
            "long",  $MOUSEEVENTF_MOVE + ($absolute*$MOUSEEVENTF_ABSOLUTE),  "long",  $X,   "long",  $Y,    "long", 0,  "long",  0)
        EndFunc
Func CLOSEClicked()
  Exit
EndFunc

and convert2exe,then check http://www.virustotal.com , then

Antivirus Version Update Result

AntiVir 6.34.0.24 04.20.2006 no virus found

Avast 4.6.695.0 05.02.2006 no virus found

AVG 386 05.02.2006 no virus found

Avira 6.34.1.58 05.03.2006 no virus found

BitDefender 7.2 05.03.2006 no virus found

CAT-QuickHeal 8.00 05.03.2006 no virus found

ClamAV devel-20060426 05.03.2006 no virus found

DrWeb 4.33 05.03.2006 no virus found

eTrust-InoculateIT 23.71.145 05.03.2006 no virus found

eTrust-Vet 12.4.2191 05.02.2006 no virus found

Ewido 3.5 05.03.2006 no virus found

Fortinet 2.71.0.0 05.03.2006 suspicious

F-Prot 3.16c 05.03.2006 no virus found

Ikarus 0.2.65.0 05.03.2006 no virus found

Kaspersky 4.0.2.24 05.03.2006 no virus found

McAfee 4753 05.02.2006 no virus found

Microsoft 1.1372 05.03.2006 no virus found

NOD32v2 1.1517 05.02.2006 no virus found

Norman 5.90.17 05.03.2006 no virus found

Panda 9.0.0.4 05.03.2006 Suspicious file

Sophos 4.05.0 05.03.2006 no virus found

Symantec 8.0 05.03.2006 no virus found

TheHacker 5.9.7.137 05.03.2006 no virus found

UNA 1.83 04.28.2006 Backdoor.Rbot

VBA32 3.11.0 05.03.2006 no virus found

what's this??????? why do my code have virus Edited by nhd1986

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

i wrote:

A) google "false positive" ....

:) get a better virus checker....

C) remember that the av people just write code too, problems can exist in things that are not your code :(

Edited by flyingboz

Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.

Share this post


Link to post
Share on other sites

hhahahahha its funny theres a few AV's that no matter what count autoit , in fact and macro script as a virus so it just means that that AV is a POS and just and doesn't understand how to detect viruses :)

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

...what's this???????

"This" is a moving target...

Code as simple as:

MsgBox(0, "", "")
Can show up as "bad" by some checks:

Antivirus Version Update Result

AntiVir 6.34.0.24 04.20.2006 no virus found

Avast 4.6.695.0 05.05.2006 no virus found

AVG 386 05.05.2006 no virus found

Avira 6.34.1.58 05.07.2006 no virus found

BitDefender 7.2 05.08.2006 no virus found

CAT-QuickHeal 8.00 05.05.2006 no virus found

ClamAV devel-20060426 05.07.2006 no virus found

DrWeb 4.33 05.07.2006 no virus found

eTrust-InoculateIT 23.72.2 05.07.2006 no virus found

eTrust-Vet 12.4.2194 05.04.2006 no virus found

Ewido 3.5 05.07.2006 no virus found

Fortin et 2.71.0.0 05.08.2006 suspicious

F-Prot 3.16c 05.05.2006 no virus found

Ikarus 0.2.65.0 05.05.2006 no virus found

Kaspersky 4.0.2.24 05.08.2006 no virus found

McAfee 4756 05.05.2006 no virus found

Microsoft 1.1372 05.08.2006 no virus found

NOD32v2 1.1523 05.05.2006 no virus found

Norman 5.90.17 05.05.2006 no virus found

Panda 9.0.0.4 05.07.2006 no virus found

Sophos 4.05.0 05.07.2006 no virus found

Symantec 8.0 05.07.2006 no virus found

TheHacker 5.9.7.140 05.08.2006 Adware/Maxifiles.f

UNA 1.83 05.06.2006 Backdoor.Rbot

VBA32 3.11.0 05.08.2006 no virus found

...but this is an improvement over past checks of that same one line of code compiled with the current "production" version of AutoIt... fewer false positives. :-)

You can read more about "false positives" in these forum threads:

http://www.autoitscript.com/forum/index.php?showtopic=20731

http://www.autoitscript.com/forum/index.php?showtopic=20511

http://www.autoitscript.com/forum/index.php?showtopic=13179

http://www.autoitscript.com/forum/index.php?showtopic=19142

http://www.autoitscript.com/forum/index.php?showtopic=17313

http://www.autoitscript.com/forum/index.php?showtopic=16906

http://www.autoitscript.com/forum/index.php?showtopic=16589

http://www.autoitscript.com/forum/index.php?showtopic=15288

http://www.autoitscript.com/forum/index.php?showtopic=7156

http://www.autoitscript.com/forum/index.php?showtopic=5766

http://www.autoitscript.com/forum/index.php?showtopic=4368

http://www.autoitscript.com/forum/index.php?showtopic=1456

http://www.autoitscript.com/forum/index.php?showtopic=2000

... there are more...

Edited by herewasplato

[size="1"][font="Arial"].[u].[/u][/font][/size]

Share this post


Link to post
Share on other sites

You should be able to send your compiled script into the AV and get it checked to see if...

Shui Hu Bot = Backdoor.Rbot

and confirm your Bot script validity.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0