I was quite surprised when I realized that I have not posted a single code on my blog. Unfortunately I am not the programmer one expects to design complex algorithms or solve logical problems in a jiffy. Every semester break, I plan to code small application which involve new languages or something which has not been taught before. The first such attempt involved learning Visual Basic. Visual Basic 6 is very easy to learn and Windows GUI programs are very easy to build. It offers simple functions to manipulate and control external devices like CD-ROM drives and complex structures such as Regsitry Hives. I decided to write an application which is able to hide itself and write registries, basically imitating a malware. It is also able to make copies of it and store them in different locations and run these whenever the computer boots up. It is a very simple program and once you know how to write registries and run some system commands using VB,you are done!
I chose Visual Basic since it the easiest language to write in when doing Windows Programming.Also it was one of the first languages in which simple malware, worms like I love you worm were written in VBSscript(closely related to VB).
Why Visual Basic:
I chose Visual Basic since it the easiest language to write in when doing Windows Programming.Also it was one of the first languages in which simple malware, worms like I love you worm were written in VBSscript(closely related to VB).
I have used VB6 because of its smaller size but found out that it easier to use when writing these sorts of codes compared to VB.NET. This software writes and modifies registry entries a lot of times and is simpler unlike C which requires knowledge of complicated functions and Windows API( although it provides complete control over Windows Registry).
* Disables Task Manager
* Disables Regedit
* Disables UAC in Vista
* Enables Remote Desktop
* Disables command prompt
* Disable access to USB drives
* Enable/Disable Automatic Updates
* Disables Windows Installer
* Disable Control Panel
* Remove shutdown icon
* Remove logoff button
* Disable applications such as: firefox, notepad, wordpad, Avira antivirus etc
* Change file associations, eg. html pages will be opened in wordpad only
* Disable changing of file associations
* Disable folder options
After understanding how primitive malware works you can write applications which can reverse these effects. Many such malware do the above mentioned, like disable the Task Manager. After reading through the very simple source code you will be able to repair your system.
Also this application can be modified and deployed by computer admins who want to control the amount of access to provide to users.For example an admin might employ such methods to disable control panel and other features to prevent abuse. I have provided links to "regdigest.exe" which will infect your system. "regundigest.exe" on the other hand will disinfect/repair your system. I have also put up links to their source codes. I am not responsible for any damages caused nor do I encourage the use of this code for illegal purposes.
* CreateObject("WScript.Shell) returns an object which allows for registry key editing.
* [object].regwrite is used to write regsitry key
* [object].regdelete used to delete a registry key
* Copy file to different locations in hard drive
* add entries to "run" to ensure all the programs are run at startup
Here are a few things you may want to add:
Some features:
* Disables Task Manager
* Disables Regedit
* Disables UAC in Vista
* Enables Remote Desktop
* Disables command prompt
* Disable access to USB drives
* Enable/Disable Automatic Updates
* Disables Windows Installer
* Disable Control Panel
* Remove shutdown icon
* Remove logoff button
* Disable applications such as: firefox, notepad, wordpad, Avira antivirus etc
* Change file associations, eg. html pages will be opened in wordpad only
* Disable changing of file associations
* Disable folder options
After understanding how primitive malware works you can write applications which can reverse these effects. Many such malware do the above mentioned, like disable the Task Manager. After reading through the very simple source code you will be able to repair your system.
Also this application can be modified and deployed by computer admins who want to control the amount of access to provide to users.For example an admin might employ such methods to disable control panel and other features to prevent abuse. I have provided links to "regdigest.exe" which will infect your system. "regundigest.exe" on the other hand will disinfect/repair your system. I have also put up links to their source codes. I am not responsible for any damages caused nor do I encourage the use of this code for illegal purposes.
Basic flow of the program:
* CreateObject("WScript.Shell) returns an object which allows for registry key editing.
* [object].regwrite is used to write regsitry key
* [object].regdelete used to delete a registry key
* Copy file to different locations in hard drive
* add entries to "run" to ensure all the programs are run at startup
Food for thought:
Here are a few things you may want to add:
* Restrict running of major antivirus software.
* copy the application to network drives
* modify autorun.inf to execute it whenever the corresponding drive is opened.
* Disable firewall, ports.
NOTE: Some of the antiviruses might flag the exe as a trojan or virus. Disable it before downloading.
Changing Icons
You will notice that the exe has a typical Visual Basic styled icon. Malware and viruses generally carry icons which do not give away their identity. They usually have popular software icons like new firefox version etc. A great tool called ResourceTuner can be used to edit your application's icons.
Vista and UAC compatibility:
Vista users will be familiar with UAC and small shield which appers on executables requiring admin privileges. These are UAC compatible applications and make use of 'Application Manifest' which "inform the OS what resources an application needs". An Application Manifest basically carries information of privileges and resources required by the application. You can manually create an Appilcation Manifest file or Resource Tuner do the work.
Avoiding Antivirus:
There are tools known as crypter which can help in avoiding antivirus detection. Right now I do not have much clue about how they work but I do know that there are many posts available on the Internet which teach how to build your own crypters.
Important Links:
* copy the application to network drives
* modify autorun.inf to execute it whenever the corresponding drive is opened.
* Disable firewall, ports.
NOTE: Some of the antiviruses might flag the exe as a trojan or virus. Disable it before downloading.
A few issues to consider:
Changing Icons
You will notice that the exe has a typical Visual Basic styled icon. Malware and viruses generally carry icons which do not give away their identity. They usually have popular software icons like new firefox version etc. A great tool called ResourceTuner can be used to edit your application's icons.
Vista and UAC compatibility:
Vista users will be familiar with UAC and small shield which appers on executables requiring admin privileges. These are UAC compatible applications and make use of 'Application Manifest' which "inform the OS what resources an application needs". An Application Manifest basically carries information of privileges and resources required by the application. You can manually create an Appilcation Manifest file or Resource Tuner do the work.
Avoiding Antivirus:
There are tools known as crypter which can help in avoiding antivirus detection. Right now I do not have much clue about how they work but I do know that there are many posts available on the Internet which teach how to build your own crypters.
Important Links: