I am interested in new viruses that are circulating around these days and I noticed it among them that are encrypted or coded to say they can bypass the antivirus.
So in order to make a cleaning tool
to put everything in order and cover their tracks, i must read its contents of course ie the original source code to see what are the keys in the registry that were changed or been added or deleted before being encrypted or encoded.
Yesterday I managed to decode a virus circulating on the USB key, it is because I saw at the end of the source a function that decodes the content by running it, so I took it and I have changed to finally get to decode the contents of this virus.
Here this function:
avira = "encrypted code of the virus ?" 'Of course it is not readable
For i = 1 To Len (avira) = PRGT PRGT & Chr (Asc (Mid (avira, i, 1)) - 1): Next: Execute (PRGT)
and here I tested the code to decode it, well I will not put the entire virus code but just so that I deciphered the first three lines
For i = 1 To Len (avira)
PRGT = PRGT & Chr (Asc (Mid (avira, i, 1)) - 1)
Set fso = CreateObject ("Scripting.FileSystemObject")
NomFichierLog = "Fichierdecode.txt"
Set Output = fso.OpenTextFile (NomFichierLog, 2, True)
and it will output this:
'by: @ MyLoveFaceBook.LiuYiFei Hotmail.CoM
on error resume next
MySource Sun, WinPath, flashdrive, fs, mf, atr, tf, rg, nt, check, sd
So my question is: knowing the function of decoding or deciphering how I can do the opposite ie determining the function of encoding or encryption?
Thank you for your eventual Help!