mrbond007

Spyrus

20 posts in this topic

#1 ·  Posted (edited)

These scripts have been tested and worked well on many computers. You should use these to detect whether your PC has been infected by a new virus that your AntiVirus cannot detect yet, or because the AntiVirus has been corrupted. This way you can make sure whether your AV program is still working or not.

Virus Tester Version 1 :

Traps Weak Viruses (those made for Windows 95). This script traps about 10 kinds of stupid yet very weak viruses.

Opt("RunErrorsFatal", 0)          ; do not abort the script when the empty file fails to run
FileWrite("1.exe", "")            ; create an empty bait file with an .exe name
Run("1.exe")                      ; try to run it so a resident file infector gets a chance to attach to it
$size = FileGetSize("1.exe")      ; the bait was written empty, so any size above 0 means it was modified
FileDelete("1.exe")
If $size > 0 Then
    MsgBox(4096, "Result", "Weak Virus Detected")
Else
    MsgBox(4096, "Result", "No Weak Virus Detected")
EndIf

Virus Tester Version 2 :

Traps Strong Viruses. Has been tested and works well; I managed to trap around 22 kinds of dangerous viruses with this.

If FileExists("new.exe") Then FileDelete("new.exe")
If FileExists("new2.exe") Then FileDelete("new2.exe")

Global $pInititialized
Global $pTable[256]

Local $rip = "0x"
$rip &= "4D5A66736700000000000000504500004C010200465347210000000000000000E00007030B010000000C00000"
$rip &= "01400000002000054010000001000000C00000000004000001000000002000004000000010000000400000000"
$rip &= "00000000800000000200000000000003000000000020000010000000001000001000000000000010000000000"
$rip &= "0000000000000CC78000084000000000000000000000000000000000000000000000000000000000000000000"
$rip &= "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
$rip &= "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
$rip &= "0000600000001000000000000000000000000000000000000000000000E00000C000000000000000000010000"
$rip &= "0007000004D09000000020000000000000000000000000000E00000C0872510794000619455A4B680FF1373F9"
$rip &= "33C9FF13731633C0FF13731FB68041B010FF1312C073FA753AAAEBE0FF530802F683D901750EFF5304EB24ACD"
$rip &= "1E8742D13C9EB189148C1E008ACFF53043B43F8730A80FC05730683F87F77024141958BC5B600568BF72BF0F3"
$rip &= "A45EEB9F5EAD97AD50FF5310958B074078F37503FF630C5055FF5314ABEBEE33C941FF1313C9FF1372F8C302D"
$rip &= "275058A164612D2C34B45524E454C33322E646C6C0000550789E583EC18515DF88BE808317DDB3C75FC3B02BE"
$rip &= "F670383D91701DC07743D88D0F725B20BE01E0C7110424080731C089449F6FE8AC0A168303F801746C85C0A22"
$rip &= "A981BFFD073BBC30389D88B6F8FA40EEC86C2049444937477BD4594DDBB5A1C198D763E051175E891850B63F6"
$rip &= "897411BBA709883494CD1BD8BAEBA1A66852BB8F19895C537E1085F67479886EB59A157D14EB8130CDB94A0C1"
$rip &= "389644C555445E96205210D9039015200534001248D83707138104014E82ADA8CEC6462C3A7C745F8708D70B8"
$rip &= "6140328D55F487E9108B0D36201AA404FC54A38E37B90C73C4404C21C7A1681015B68658A3204D3B8B1531511"
$rip &= "FD20FCFD68D0683FAE0742043843E288B1D1CEC4B7D307D0C28E8D6D7862DD94A7A1BA23826445C0D86E850FA"
$rip &= "1481B017559B0A2B1D5E0F8918A68E03AF3CE4F0286615848DF1A18CAC229B2904A1953CD09CE82449022E9DC"
$rip &= "3DB3249FB1C111E5A0945810970D84210A124554B813DE9C9255599CCBC27A4FB91209508E3524F0CFF151845"
$rip &= "E820C8FE0A908DB4262079020E23A848C21130604C5DFFE18D2874261042249580DE9BE97E5352908381ECA81"
$rip &= "4738B45D07348AC8138C055EB840EA0D213229CACA80F98423045C5C17F3399406AE86801398CB26CB0BC1A23"
$rip &= "E70790C4A8DD8519B4AABCC2A55CA42207A830B801898DA9E22515C02D794866E019750C3494C222E986B1892"
$rip &= "CC2BBB33616281FBA8417532008081C770161182002324E660280535614093310350C2816CF2280C43040ACDA"
$rip &= "782085955779482A1945F4C61423BC681491444F3308321CD036940E63C9C2108290CCD2CB1C0C0342027491E"
$rip &= "B1158453286FAEB522844200C6D100F7BEA9352D4221D1B7E323DFCEB51E3D6B3D6E6B1A5A09EB8F429CC3564"
$rip &= "997A0C4C05B7E7ABDED312487767502BA88446150185DB7506E99F8063430FB60B80F976203294C00C0907C24"
$rip &= "0D0A8017561EA1822743E401795C03151D219E0C28505D0744C8DB61D7894BF060584C9743C643D3826752CE6"
$rip &= "EBB52450215995221C68581B45EB0A586846487570EB122989F6896FD0C8C0CA24506E068603F645D401BA0A3"
$rip &= "D2374850FB755D89589D71C6B19F30C48DF564CFDE2552761C9421BC38252EB98E55084B9F030C8DFEB561480"
$rip &= "4CBB505B011D83C1081B8218143081F91E0572EA5DC3CF801ADBE31ECD902AD22EA1303E4EEA85FD17267CB0F"
$rip &= "FBA818B1D1CB08D41D4A30B58601475E9874C90E5539B04FDD01B120201FF742962AD8E95CA13F926D0E1FF14"
$rip &= "9D401B4B75F6A8F49015F5015AFC43CC5B8D1983B0D48C3331C0EAEB780AFA14EFA21C5B7EF449BD90A462602"
$rip &= "0E6E82A753669B991AC953D52742125970F1E03A0857042EAFB3F92C19AA00BA17040982F8B485C043240C755"
$rip &= "26BA4280CA9913C0578342848D55A84B9ECC5AC4C082F05080BA1F9601EC460CA8A607EB7D4600C94A780E807"
$rip &= "C2AA86341C409CB031D79F2833B3C123489D830C5B93430C86FEAAED2A05689AF618E29B880B28CB0E85892BB"
$rip &= "8CAC1DBB50E42744895C01EBD727795C30B0575653B8C342CC290DBC2AC580A365F4145B5E5FF459BA314103A"
$rip &= "1108F8F8D759750D00F59DE41073075B835A1143394832216A830BCA1431823AC11B082C0A11C19B4480FC490"
$rip &= "9284A9FEC8F024A908CCE1280CD0F02C8648D4303C05E615661690D049342822ECA6444904AE734A441FF5BC9"
$rip &= "23B01881A3C845573EF8335C30F84593C2DFC95C78B2518B90F3BF3ABFC430904A01A4033643E180820167FA1"
$rip &= "ABEDE203813D8B1544410C432816F8EE14C836203C1A5318310109431CA1A0FA11FB93463089A2DD2C91364C1"
$rip &= "5A148292438C16C2C3490F0A0A021C89E0B0219C0242040B504410D88842A486342BEE7464481B96815363616"
$rip &= "426C21189070881C647422201978082486427C562223809084E0888D85A266465045E49234F82728D27542E26"
$rip &= "549A31E394711430152499A3DA14CE85FFD966BC3080970928D0522A3604F0808088049380389F832E8384F39"
$rip &= "4086FA7539B1EB7D691B911EF0175189E14E2E3D12836672A181E941088309C12D08EBFC2963C11989E092CCE"
$rip &= "31B9240C30FCE5EB9EE4BA4D310620C31082C8FD313AB8857C0E972B824CE57A110C4AE5D5C992982E2FF2572"
$rip &= "C3DC102901B2201C3E4710C844F9141F2328E40C7C3C8FBF47C82CF9341F2338E45C7C588F9164F2503E4768C"
$rip &= "860F9541F708F88E850F1F41F23FCE4F87CF08F91ECF2E4369E4041B7F6FFC63A644F14C01B402C9B03842ABF"
$rip &= "F057696E03646F777341708F0B9F341140E0E01B40856834CB157075D21F01D5FC973100202F70012D4C491C4"
$rip &= "2474347573332A34548EE0A1C534A4CBD1E4754DF52C74D494E8D2F9849770C5F730168617265647074D42D3E"
$rip &= "F6697A7A38203DF3A0086F666628495F76E653E64177523844290E25733A6E7560206661696CDD60FB7EFFD87"
$rip &= "274F66F7A6E65603227F863382EB12F076763C6AE04F8326669FBFF98333836F991CD2D9DF1CF2E639E5847FC"
$rip &= "3D41076F6D4E613F3E0E2028D9172CB9EAD6787A7129FC21A18630C2BF01D777ADF24E355C5308BF4D96A811F"
$rip &= "E24D05101E1C050C21FD65471D47DC8098D919922A944BDD189E513FF38027F44056652181509442535894912"
$rip &= "55245D48699175227D44899589A112A924B5514488C191D522E944F905405319C8092DAD79208E416432BDC67"
$rip &= "7A02E45787B693E50728E63657334AACF46EA6E1DE95CEE7B852310437D1EFF9B444C4C432714034D6F64756C"
$rip &= "FB48762FAE287253FE72EA750470496E666F62530755D5685C24F6E8DE4B70A583BFDA77FE72A9205FC567B64"
$rip &= "4B6B0DE7055731033700665F17669479C5E151086666DD67065A6304173D46170DD2C9D796B1434AE50CE0CD9"
$rip &= "BE6256087E8E15823330426162F272A316C75A345166C46C752973680C8A70728C1D74A90C3DAA6534819F6CC"
$rip &= "6422A102073695167ABFE910C43B4408FBA34C811DCF0824465669211925D1313834CF061644319757273F441"
$rip &= "5C1049976271070E50C073745175A18A4D2489615667D13E52796A692C2106436C612A8659345368A624594A2"
$rip &= "35004F40E4B45524E614C33322E21770CAC14575004A86D1273766310334A8528506A041A5553EA14728D0157"
$rip &= "5530000000247900000000000000000000F201000024790000000000000000000000000000000000000000000"
$rip &= "0001040000070400000504000000000001479400080000000007D0000F4784000E8014000DC014000DE014000"
$rip &= "201240002E7900003C790000000000004C6F61644C69627261727941000047657450726F634164647265737300"
;FileWrite("new.exe", BinaryString($rip)); version 3.2.2.0
;FileWrite("new2.exe", BinaryString($rip)); version 3.2.2.0
FileWrite("new.exe", Binary($rip)); version 3.2.4.0 and up
FileWrite("new2.exe", Binary($rip)); version 3.2.4.0 and up

; Baseline: modification time of the bait before it is run
$value1 = FileGetTime("new.exe", 0, 1)

; Run the bait so a resident file infector gets the chance to touch it
Run("new.exe", "", @SW_HIDE)

; Test 1: the packed bait is exactly 2893 bytes; any other size means it was modified
If FileGetSize("new.exe") <> 2893 Then
    $res1 = "Failed"
Else
    $res1 = "Was Successful"
EndIf

; Test 2: the modification time must not have changed
$value2 = FileGetTime("new.exe", 0, 1)

If $value1 <> $value2 Then
    $res2 = "Failed"
Else
    $res2 = "Was Successful"
EndIf

; Test 3: CRC32 of the bait must match one of the two known-good values
crcInit()
$check = crc32File("new.exe")

If $check <> "0C26B5B0" And $check <> "E5A659B8" Then
    $res3 = "Failed"
Else
    $res3 = "Was Successful"
EndIf

; Test 4: byte-for-byte comparison of the bait against the untouched copy new2.exe
$fop = FileOpen("new.exe", 16);old versions change to $fop = FileOpen("new.exe", 0)
$fip = FileOpen("new2.exe", 16);old versions change to $fip = FileOpen("new2.exe", 0)

$res4 = "Was Successful"
While 1
    $read = FileRead($fop, 1)
    If @error = -1 Then ExitLoop
    $read2 = FileRead($fip, 1)
    If @error = -1 Then ExitLoop
    If $read <> $read2 Then
        $res4 = "Failed"
        ExitLoop
    EndIf
WEnd
FileClose($fop)
FileClose($fip)

MsgBox(0, "Results", "Test 1 : " & Chr(9) & "File Size Test " & $res1 & @CRLF & _
         "Test 2 : " & Chr(9) & "Time Stamp Test " & $res2 & @CRLF & _
         "Test 3 : " & Chr(9) & "CRC32 Check " & $res3 & @CRLF & _
         "Test 4 : " & Chr(9) & "Bytes Compare Test " & $res4)

Func crcInit($Poly = 0xEDB88320)
    Local $crc
    Local $i
    Local $j
    For $i = 0 To 255
        $crc = $i
        For $j = 0 To 7
            If BitAND($crc, 0x1) Then
                $crc = BitXOR(BitAND(BitAND($crc, 0xFFFFFFFE) / 0x2, 0x7FFFFFFF), $Poly)
            Else
                $crc = BitAND(($crc / 0x2), 0x7FFFFFFF)
            EndIf
        Next
        $pTable[$i] = $crc
    Next
    $pInititialized = True
EndFunc

Func crc32File($Path)
    Local $BufferSize, $crc, $FileNr, $i, $hFRead, $ReadStruct
    If Not $pInititialized Then crcInit()
    $BufferSize = FileGetSize($Path)
    $ReadStruct = DllStructCreate("byte[" & $BufferSize & "]")
    $FileNr = FileOpen($Path, 0)
    $hFRead = FileRead($FileNr)
    $crc = 0xFFFFFFFF
    DllStructSetData($ReadStruct, 1, $hFRead)
    ; Table-driven CRC32: shift the running CRC right by 8 bits and XOR it with the
    ; table entry selected by (low byte of CRC XOR next input byte)
    For $i = 1 To $BufferSize
        $crc = BitXOR(BitAND((BitAND($crc, 0xFFFFFF00) / 0x100), 0xFFFFFF), $pTable[BitAND(BitXOR(DllStructGetData($ReadStruct, 1, $i), $crc), 0xFF)])
    Next
    $ReadStruct = 0
    FileClose($FileNr)
    Return Hex(BitNOT($crc), 8)
EndFunc

The above code creates a file called "new.exe"; it's a fake application created with C++ (just an empty window that appears then goes away), packed with "FSG version 2.0" to make its size smaller. It also creates a copy of "new.exe" named "new2.exe", runs "new.exe", then does the following tests :

* FileSize Test : tests whether the virus has altered the size of "new.exe" (almost all viruses do this, but some hide in the empty space of executables).

* FileTime Test : tests whether the virus has managed to alter "new.exe" using different methods, by checking if the file time was modified (some viruses manage to alter the file time to avoid detection).

* CRC32 check : if the virus managed to avoid the first 2 tests, the script performs a CRC32 checksum to see if "new.exe" has been altered. Some reverse engineering methods can bypass this, but it's very, very difficult to do. The CRC32 function belongs to eltorro.

* Bytes Compare Test : if all the above tests didn't detect the virus, the script compares "new.exe" and "new2.exe" byte by byte to see if the virus has indeed infected "new.exe".

If the results show that one or more tests have failed, that means your PC is infected. You can apply the above methods to different kinds of files, not only "EXE", e.g. pictures, MP3 (some nasty malware can hide dangerous scripts inside MP3s), WMV (Windows Media Video; scripts can hide inside them as well), DOC, Flash files and many more.

Edited by mrbond007

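The four checks from the script above (file size, time stamp, CRC32, byte compare), as an added Python example that is not part of the original post: the bait is a constructed byte string rather than the packed test executable, the CRC32 is the same table-driven algorithm as crcInit()/crc32File() cross-checked against zlib, and appending a few bytes to the bait stands in for a file infector touching it.

```python
import os
import tempfile
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the same constant crcInit() uses

def make_table(poly=POLY):
    """256-entry lookup table, computed the way crcInit() computes $pTable."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table

_TABLE = make_table()

def crc32_hex(data: bytes) -> str:
    """Table-driven CRC-32 as in crc32File(): 8 uppercase hex digits."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return "%08X" % (crc ^ 0xFFFFFFFF)

def crc32_matches_zlib(data: bytes) -> bool:  # cross-check against the standard library
    return crc32_hex(data) == "%08X" % zlib.crc32(data)

class Canary:
    """Bait file plus an untouched reference copy, with the script's four checks."""
    def __init__(self, directory: str, payload: bytes):
        self.path = os.path.join(directory, "new.bin")   # the bait (stands in for new.exe)
        self.copy = os.path.join(directory, "new2.bin")  # reference copy, never run
        for p in (self.path, self.copy):
            with open(p, "wb") as fh:
                fh.write(payload)
        st = os.stat(self.path)
        self.size, self.mtime = st.st_size, st.st_mtime_ns  # baseline, like $value1
        self.crc = crc32_hex(payload)

    def check(self) -> dict:
        """Test name -> True if unchanged, False if tampering was detected."""
        st = os.stat(self.path)
        with open(self.path, "rb") as fh:
            now = fh.read()
        with open(self.copy, "rb") as fh:
            ref = fh.read()
        return {
            "size": st.st_size == self.size,            # Test 1
            "timestamp": st.st_mtime_ns == self.mtime,  # Test 2 (weakest: mtime can be restored)
            "crc32": crc32_hex(now) == self.crc,        # Test 3
            "bytes": now == ref,                        # Test 4
        }

def demo() -> tuple:
    """Clean bait passes every test; appending 16 bytes (a simulated appender) fails size/CRC/bytes."""
    payload = b"MZ" + bytes(range(256)) * 4  # constructed stand-in for the packed test exe
    with tempfile.TemporaryDirectory() as d:
        c = Canary(d, payload)
        clean = c.check()
        with open(c.path, "ab") as fh:
            fh.write(b"\x90" * 16)
        dirty = c.check()
    return clean, dirty
```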



#2 ·  Posted (edited)

Fake Virus Generator :

Can be used as a test to see if your AntiVirus is working well or not.

If FileExists("Fake.txt") Then FileDelete("Fake.txt")
FileWrite("Fake.txt", "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

This generates a file called "Fake.txt"; inside it is a virus signature (the EICAR signature), meaning that it's not a real virus. When you run "Fake.txt" your AntiVirus will pop up and clean it, but only if your AV's real-time protection is enabled. Basic anti-virus scanners that only detect known viruses through signature identification may not detect "Fake.txt". The file should be detected by heuristic-analysis anti-virus programs and behavioural-analysis anti-virus software. If your AV didn't react to "Fake.txt", consider updating the AV signatures, or using a different AV.

You can still delete "Fake.txt" normally, in case your AV didn't remove it. Tested and worked well with "Norton AntiVirus" and "Panda AntiVirus".

More Info check : http://www.eicar.org/anti_virus_test_file.htm

Fake Spyware Generator :

Can be used as a test to see if your AntiSpyware is working well or not.

Sleep(10000) ; keep the process alive for 10 seconds so real-time protection has time to react

Compile the above code and rename the compiled file to "System32.exe" or "Services32.exe". Place the compiled file in your system directory (C:\windows\system or C:\windows\system32). Run it and your AntiSpyware will pop up and block it, but only if your AntiSpyware's real-time protection is enabled. The code can be anything: a MsgBox, GUICreate or even Ping. As long as you rename the compiled file to "System32.exe" or "Services32.exe" the test will be successful.

If the test failed, consider using a different AntiSpyware software. You can then delete "System32.exe" or "Services32.exe" from your system directory safely. Tested and worked well with "Super AntiSpyware Professional".

Edited by mrbond007


#3 ·  Posted (edited)

Cool :). Thumbs up.

i542

Edited by i542

I can do signature me.


Well, this is the only legal stuff that I can publish. If I include some nasty stuff I might get banned :)

Not if you just post a link to eicar.org.

i542

PS: I made "virus" from Eicar source code so it now shows "i542-TEST-VIRUS-FILE" :)


I can do signature me.


EICAR is one nasty little thing, hé :)

And kids, don't run EICAR at home :)

i542


I can do signature me.


"i542-TEST-VIRUS-FILE"

This reminds me of I-LOVE-YOU.txt.vbs


#9 ·  Posted (edited)

This reminds me of I-LOVE-YOU.txt.vbs

From my "About Viruses" book:

*Text translated from Croatian

ANALYSIS: VBS/LoveLetter

Love Bug is one of the worms that spread faster than any virus to date. The worm arrived in e-mail messages with the subject "I LOVE YOU".

The message contained a line of text ("Kindly check the attached LOVELETTER coming from me"), which told the user to open the attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. As said before in this manual, the method of "double extensions" was familiar to worm writers.

That kind of attachment tried to hide the VBS extension (...)

After running the attachment, the worm created a change in the registry, enabling it to run itself at every start of the PC.

The worm infected VBS, VBE, JS, JSE, CSS, WSH, JPG, JPEG, MP2 & MP3 files. Since picture files have no ability to be coded, the worm changed their extension to VBS.

A function inside the worm overwrote all files ending with those extensions, except MP3 files.

In the case of MP3 files, the worm marked the source file NAME.MP3 as hidden, then created in the same directory a NAME.MP3.VBS file (double extension) which contained only the worm. Other files were lost forever.

After the worm finished copying itself into local files, it would try to spread to other computers.

(...)

hehehe

i542

Edited by i542

I can do signature me.


Yeah, I've read about this bug!! Fortunately I didn't have e-mail back in 2000 (not even a PC of my own :) ). I know it caused 8 billion in damages (especially to e-mail servers and businesses); found some info Here and on metacafe


Seems to work great.

The Fake Virus generator works with McAfee as well.


"Its not about the 30 inch 1080p display, or the SLI 8800 ultras, or the DDR3 memory. It's about when you turn on your PC, does it return the favor?"

Math is like sex. Sure, it may give some practical results, but that is not why we do it


#12 ·  Posted (edited)

Yeah, Dethredic, I agree. My McAfee also caught it.

Not if you just post a link to eicar.org.

i542

PS: I made "virus" from Eicar source code so it now shows "i542-TEST-VIRUS-FILE" :)

What does it do exactly? (The Virus)

Edited by Firestorm

We're trapped in the belly of this horrible machine. And the machine is bleeding to death...


It doesn't work with AVAST! 4.7


[Not using this account any more. Using "iShafayet" instead]


... This way you can make sure that your AV program is still working or not, and if your PC is truly clean or not.

You compare your "virus-test-tool" to one of the worst AV scanners, "Norton", and make SUCH promises?!?

You're faster than all antivirus companies in detecting new unknown viruses, and you even know all unknown viruses immediately when they are written?

An infected system is compromised, and to be SURE to get it clean again, the ONLY way is to reformat and do a fresh install from only trustable sources.

... This way you can make sure ... your PC is truly clean.

oh ... my .... god .... :)


AutoIt-Syntaxsheme for Proton & Phase5 * Firefox Addons by me (resizable Textarea 0.1d) (docked JS-Console 0.1.1)


An infected system is compromised, and to be SURE to get it clean again, the ONLY way is to reformat and do a fresh install from only trustable sources.

Not really

... This way you can make sure ... your PC is truly clean.

oh ... my .... god .... :)

In some cases the antivirus says my PC is clean, but I used my scripts and managed to trap new viruses that had already damaged my antivirus. So you can never trust your antivirus 100%.


You compare your "virus-test-tool" to one of the worst AV scanners, "Norton", and make SUCH promises?!?

You're faster than all antivirus companies in detecting new unknown viruses, and you even know all unknown viruses immediately when they are written?

An infected system is compromised, and to be SURE to get it clean again, the ONLY way is to reformat and do a fresh install from only trustable sources.

oh ... my .... god .... :)

I just had to reply to this... Do you have any idea what you are talking about?

All you seem to have done is read what he claims his program will do without even trying to understand how his program functions...

Please do not go on the offensive against a reputed coder without a clear idea of how the program works...

And a fresh format and reinstall is not the only sure-fire way to clean up your system...


#18 ·  Posted (edited)

Works well with NOD32 SMART SECURITY v 3.0.621.0 - Business Edition

I think NOD32 is the most reliable antivirus on market today ... You should just try it to see how cool it is and how effective :D

Edited by LIMITER


I just had to reply to this... Do you have any idea what you are talking about?

Yes, I have.

All you seem to have done is read what he claims his program will do without even trying to understand how his program functions...

Yes, I have read "what he claims his program will do", and what he does not claim his program will do. It detects SOME changes, possibly made by a virus.

But SOME viruses make NONE of the changes his program will detect, and that's why he will not be able to promise a clean system for SURE.

Please do not go on the offensive against a reputed coder without a clear idea of how the program works...

A reputed AutoIt coder, maybe. An AutoIt professional, NOT a virus professional.

And a fresh format and reinstall is not the only sure-fire way to clean up your system...

OK. What else do you recommend? I'm curious about it.

AutoIt-Syntaxsheme for Proton & Phase5 * Firefox Addons by me (resizable Textarea 0.1d) (docked JS-Console 0.1.1)


Wow! That's just clever how you do that! You just run the top script and if the virus attaches itself to it, it will know! How clever!
