Sample code for the first malware module, Watcher.


The Watcher is a piece of malware that runs in the background and is able to detect or control processes running in the background of the system. This gives the malware some intelligence, because it can respond appropriately to the event-driven detection of defined processes.

The malware can detect processes by name or Process ID and shut them down recursively.
I implemented the module's password protection after x-many detections of security tools such as HijackThis, ComboFix, ... After a certain number of ESET Smart Security malware detections, it deletes the HDD contents.

Note that ComboFix includes x-many add-ons and programs that run on their own and can be detected. The more process names we define, the less chance this tool has of running.
Because it is a problematic tool, we not only achieve a program crash and the ability to reactivate repeatedly, but also "kick" the system itself, since its scan loads modules and performs operations that do not terminate properly, thereby internally damaging or shutting down part of the system.


Source code is available to members of the CyberSecurity Unit forum.