#+TITLE: Y2K GDI Malware
A fork of a [[https://github.com/LunzRh/Y2K.EXE][malware]] created by [[https://github.com/LunzRh][Jotaxisz]] with a reworked source structure (minor changes).
To run this malware you need a Windows XP machine with the date set to <2000-01-01> or <2000-01-02>, which changes the payload.
* Building
** On Linux
You will need *MinGW* and *Make*. You can pass the argument =CXX= to change the C++ compiler (the default is ~i686-w64-mingw-g++~) and =WINDRES= to change the default ~windres~ command (the default is ~i686-w64-mingw-windres~). Other arguments are =NASM= and =LD=, which change the nasm and ld commands.

You can set =CXX=, =WINDRES= and =LD= to ~x86_64-w64-mingw-g++~, ~x86_64-w64-mingw-windres~ and ~x86_64-w64-mingw32-ld~ respectively to build it natively for 64-bit environments.
*** Arch Linux
#+BEGIN_SRC shell
pacman -S make mingw-w64 nasm
make
#+END_SRC
*** Ubuntu
#+BEGIN_SRC shell
apt install make mingw-w64 nasm
make
#+END_SRC
You can also run ~make clean~ to clean the =bin/= folder, the =.o= files in =res/=, and the =.bin= and =.o= files in =mbr/=.
** On Windows
You will need to install [[https://sourceforge.net/projects/mingw/][MinGW]] or another C++ compiler, and [[https://nasm.us/][NASM]]. Then run the commands:
#+BEGIN_SRC batch
windres -o res\resource.o res\resource.rc
nasm -o mbr\bootloader.bin mbr\bootloader.asm
ld -r -b binary -o mbr\bootloader.o mbr\bootloader.bin
g++ src\* res\resource.o mbr\bootloader.o -static -l gdi32 -l winmm -o Y2K
#+END_SRC
* Bootloader
This project has a void function named byeByeBoot under the project's namespace; it loads the custom bootloader code and writes it to the EFI partition. The source code of that binary can be found [[src/mbr/][here]].
* Payloads
Whatever the date, executing the malware always disables the Task Manager, CMD, Execute and Power Options.
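A way to audit, and optionally undo, those restrictions on a machine suspected of having run the sample, as an added PowerShell example that is not part of this project. The README does not say how the sample disables them; the script assumes the standard Explorer/System policy registry values, which is the usual mechanism for these four lockouts.

```powershell
# Added defensive check, not project code. ASSUMPTION: the sample sets the
# standard Windows policy values below; its real code may use another method.
# Reports any restrictive value in HKCU/HKLM; removes them only with -Restore.
param([switch]$Restore)

# Policy value name -> registry subkey and what a non-zero value does.
$policies = @(
    @{ Name = 'DisableTaskMgr'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Effect = 'Task Manager blocked' },
    @{ Name = 'DisableCMD';     Key = 'Software\Policies\Microsoft\Windows\System';                   Effect = 'cmd.exe blocked' },
    @{ Name = 'NoRun';          Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Effect = 'Run dialog removed' },
    @{ Name = 'NoClose';        Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Effect = 'Shut Down / power options removed' }
)

$findings = @()
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($p in $policies) {
        $path = "${hive}:\$($p.Key)"
        if (-not (Test-Path $path)) { continue }
        $value = (Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($null -ne $value -and $value -ne 0) {
            $findings += New-Object PSObject -Property @{
                Hive = $hive; Path = $path; Value = $p.Name; Data = $value; Effect = $p.Effect
            }
            if ($Restore) {
                # Deleting the value returns the setting to its default (enabled).
                Remove-ItemProperty -Path $path -Name $p.Name
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No restrictive Explorer/System policy values found.'
} else {
    $findings | Format-Table Hive, Value, Data, Effect, Path -AutoSize
    if ($Restore) {
        Write-Output 'Listed values were removed; sign out or restart explorer.exe for the change to apply.'
    }
}
```

Run it without switches first to see what is set; the HKLM hive needs an elevated session to write, and remediation is only useful once the sample itself is no longer running, since the README states the other payloads (file replacement and the bootloader) are separate.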
** <2000-01-01>
This payload starts playing =res/alarm.wav=, then starts the GDI part and replaces multiple system files with copies of the Notepad executable. After the visual payload ends, the machine is forcibly reset and the bootloader payload starts.
** <2000-01-02>
This payload starts playing =res/jeff_syndicate_hip_hop.wav=.