» Worm sources http://www.megapanzer.com Fri, 23 Dec 2011 13:02:33 +0000 en hourly 1 http://wordpress.org/?v=3.3 PowerShell worm Skowor http://www.megapanzer.com/2009/12/11/powershell-worm-skowor/ http://www.megapanzer.com/2009/12/11/powershell-worm-skowor/#comments Fri, 11 Dec 2009 08:37:05 +0000 carrumba http://www.megapanzer.com/?p=3196       Name Worm.MSH.Skowor.A worm   Type Worm     Author sk0r/Czybik     Written in PowerShell     Description I was looking for PowerShell based malware and eventually found the POC Skowor worm. The only worm written in this language.
It attempts to propagate via the Kazaa P2P network by putting a copy of itself in the shared folders. As far as I see there is no typical malicious payload except it overwrites files with a specific file extension.

Good to know it exists and to see how it works.   Questions Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.   Downloads Source


]]> http://www.megapanzer.com/2009/12/11/powershell-worm-skowor/feed/ 0 W32.Blaster.Worm source code. http://www.megapanzer.com/2009/11/13/w32-blaster-worm-source-code/ http://www.megapanzer.com/2009/11/13/w32-blaster-worm-source-code/#comments Fri, 13 Nov 2009 20:15:14 +0000 carrumba http://www.megapanzer.com/?p=3093       Name Win32/Blaster/Worm (Lovsan, Lovesan) worm   Type Spreader, Worm     Author Unknown     Written in C     Description This worm was very active in 2003. It spreaded via an RPC vulnerability and executed a DoS attack on a specific date. It’s a well structured code, easy to read and understand. The intresting paragraphs are the spreader which attacks new victim system to learn and see how (easily) it is done and the usage of raw sockets in the payload which is in charge of the SYN flood attack.   Questions Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.   Downloads Source   Information Wikipedia


]]> http://www.megapanzer.com/2009/11/13/w32-blaster-worm-source-code/feed/ 0 Win32/ogw0rm source code. http://www.megapanzer.com/2009/11/08/ogw0rm-source-code/ http://www.megapanzer.com/2009/11/08/ogw0rm-source-code/#comments Sun, 08 Nov 2009 15:02:55 +0000 carrumba http://www.megapanzer.com/?p=3071       Name Win32/ogw0rm trojanhorse   Type Spreader, Worm     Author Unknown     Written in C     Description Ogw0rm is a good example how malware propagates itself via Instant Messaging apps. It checks the process list for running IM applications and propagates itself by sending messages to new victims.

It shows how to enumerate Windows, send key strokes to the OS, Registry stuff and a little networking stuff. A simple malware source to read on a rainy sunday afternoon.

  Questions Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.   Downloads Source


]]> http://www.megapanzer.com/2009/11/08/ogw0rm-source-code/feed/ 1 Win32/Rbot source code. http://www.megapanzer.com/2009/10/16/win32rbot-source-code/ http://www.megapanzer.com/2009/10/16/win32rbot-source-code/#comments Fri, 16 Oct 2009 21:13:31 +0000 carrumba http://www.megapanzer.com/?p=3007       Name Win32/Rbot trojanhorse   Malware type RAT, Worm     Author Unknown     Written in C     Description Rbot is an IRC controlled backdoor (or “bot”) that can be used to gain unauthorized access to a victim’s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants. Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers.

Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically. Not all variants support all propagation mechanisms.

Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.

Via Network Shares (TCP ports 139 and 445)
Via LSASS buffer overflow vuln. (TCP port 445)
Via WebDav vuln. (TCP port 80)
Via RPC msgbuffer overflow vuln. (TCP ports 135, 445, 1025)
Via RPCSS DCOM msg buffer overflow vuln. (TCP port 135)
Via Exploiting weak passwords on MS SQL servers
Via UPnP NOTIFY buffer overflow (TCP port 5000)

Rbot’s main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim’s computer can be controlled. The IRC server, port number, channel and password differ with each variant.

Rbot also listens on TCP port 113 to provide ident services, which are required by some IRC servers.

Once the victim’s computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit.

  Questions Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.   Downloads Source   Sources www.ca.com


]]> http://www.megapanzer.com/2009/10/16/win32rbot-source-code/feed/ 0