[ Curiosity,Experimentation ]

Random stuff from the parallel universe of Ones and Zeroes

Malware Spreading [A Worm with source]

Posted by appusajeev on August 6, 2009

This post deals with a mechanism to spread your malware through removable media like pen drives or memory cards or portable hdds or whatever. The method described here is a potential mechanism that could be used for the said purpose. With this mechanism, a malware deployed on a single machine could spread itself in quite a small time (sort of a a chain reaction). This is a method commonly used by malware developers as part of their spreading policy.

Basically,this mechanism relies upon the AUTORUN feature provided by Windows. AUTORUN is a feature by which certain actions can be perfomed when a media device(like hdd,pen drives) is accessed. With Autorun,you can set to execute a file when the device is accessed. You could also alter the right click context menu actions on the device.Basically Microsoft introduced this concept with a view to enhance the user friendliness ,buts its been used more often for the sinister purpose .The actions are stored in an Autorun.inf file is the root path of the device.
A sample autorun.inf file for executing malware.exe upon access of a media device is shown below.

Sample autorun.inf

Sample autorun.inf

The Worm

Presented here is an ActiveX control which i developed in VB6(source can be downloaded here[VB6]) which well,could be embedded in your Visual Basic/Visual C++ application(or malware,he he) to copy the required malware executable to the removable media with the corresponding autorun.inf also being created to execute the malware upon the device access with the commands to alter the right click context menu actions like open,explore,autoplay.

Download Active X Control

Download Worm ActiveX Source

The Source of the ActiveX  control is given below:

VB6 Source Code:Worm

VB6 Source Code:Worm

The control starts its action when the start() method is called. This method takes 2 arguments-the path of the executable which is to be copied and the name of the executable under which it will be copied to the removable media(the name will hence be used in the autorun.inf file)

Once the method has been called,the control checks for the presence of any plugged in removable media(by the GetDriveType API) every 10 seconds and if found,copies the given file and creates the autorun.inf files and sets the attributes of both as hidden + system so that those will not be visible normally to the user.

When that removable media is plugged to another computer and is accessed normally,the executable specified in the autorun.inf file is executed(autorun feature is enabled by default on all machines running XP and higher). Thus,with a malware installation file(the below post deals with malware installation),you could install the malware on a machine as well as start spreading the malware from that machine.


5 Responses to “Malware Spreading [A Worm with source]”

  1. aswinpro said

    good work buddy

  2. HMC said

    the thing you have started is not fair,i hope wordpress wouldnot suspend your account .

  3. Sanjay said


  4. U:N:R said

    Now Asfar as i know..Timer itself is an activeX control..using two ActiveX to complete a task is not good. You should try using

    Declare Function SetTimer Lib "user32" (ByVal hwnd As Long, ByVal nIDEvent As Long, ByVal uElapse As Long, ByVal lpTimerFunc As Long) As Long

    Declare Function KillTimer Lib "user32" (ByVal hwnd As Long, ByVal nIDEvent As Long) As Long

    Also it would better it it’s a bas then ActiveX Control..


    • appusajeev said

      i haven’t experienced any issues using multiple active x controls on the same form…basically active x controls are just objects from classes….they are like command button or txt box except that these are inbuilt in vb…an app usually involves several such controls…so i don think wub be an issue

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: