Re: Analysis/decompilation of main() of the msblast worm

From: Tim van Erven (tveat_private)
Date: Thu Aug 14 2003 - 09:18:17 PDT


    On Thu, 14/08/2003 22:44 +0200, Dennis wrote:
    > Here's a little analysis of the msblast worm.
    
    [snip]
    
    > Every year starting on August the 16th to December the 31st the payload() routine will be started.
    
    Judging from the disassembly quoted below this is not correct.
    
    > get_date:				; CODE XREF: main+26Ej
    > 		push	3		; cchDate
    > 		lea	eax, [ebp+day_of_month]
    > 		push	eax		; lpDateStr
    > 		push	offset dateformat_d ; Day of month as digits with no leading zero for single-digit days
    > 		push	0		; lpDate
    > 		push	0		; dwFlags
    > 		push	409h		; Locale
    > 		call	GetDateFormatA	; get day of month
    > 		push	3		; cchDate
    > 		lea	eax, [ebp+month]
    > 		push	eax		; lpDateStr
    > 		push	offset dateformat_M ; Month as digits with no leading zero for single-digit months.
    > 		push	0		; lpDate
    > 		push	0		; dwFlags
    > 		push	409h		; Locale
    > 		call	GetDateFormatA
    > 		lea	eax, [ebp+day_of_month]
    > 		push	eax
    > 		call	atoi		; convert daystring to integer
    > 		pop	ecx
    > 		cmp	eax, 15
    > 		jg	short payload	; if it	is the 16th day	of a month
    > 					; or above, start payload
    > 		lea	edi, [ebp+month]
    > 		push	edi
    > 		call	atoi		; convert monthstring to integer
    > 		pop	ecx
    > 		cmp	eax, 8		; else if month	= September, October, November,	December,
    > 					; start	payload
    > 		jle	short loc_401562
    > 
    > payload:				; CODE XREF: main+2EBj
    > 		lea	eax, [ebp+ThreadId]
    > 		push	eax		; lpThreadId
    > 		push	0		; dwCreationFlags
    > 		push	0		; lpParameter
    > 		push	offset payload?	; lpStartAddress
    > 		push	0		; dwStackSize
    > 		push	0		; lpThreadAttributes
    > 		call	CreateThread
    > 
    > loc_401562:				; CODE XREF: main+2FAj	main+317j
    
    If I read this correctly, the payload code will run either if the
    
    * current system day of the month > 15
    OR
    * the current system month is one of September, October, November, December
    
    So it will also run in the last half of each month from January through
    August.
    
    > 	// get date
    > 	GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3);
    > 	GetDateFormatA(0x409, 0, 0, &"M", &month, 3);
    > 
    > 	// start payload on 16th august until 31st december
    > 	if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
    > 		CreateThread(0, 0, payload, 0, 0, &ThreadId);
    > 
    > 	// start spreading the worm all over the windoze-world
    > 	while (1) spreadworm();
    
    There is also a minor error in the translation to C quoted above:
    
    if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
    
    should be
    
    if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) )
    
    (>= should be >.)
    
    Regards,
    
    -- 
    Tim van Erven <tveat_private>          Fingerprint: F6C9 61EE 242C C012
    OpenPGP Key ID: 712CB811                   36D5 BBF8 6310 D557 712C B811
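
To make the two readings of the trigger condition concrete, here is an added example (written for this archive page, not code from either poster or from the worm itself) that encodes the predicate as it appears in the quoted disassembly, beside the >= variant from the quoted C translation, and counts how many days of a non-leap year such as 2003 would start the payload under each; the day-per-month table is a constructed helper.

```c
#include <stdbool.h>
#include <stdio.h>

/* Trigger predicate as read from the quoted disassembly:
 *   cmp eax, 15 / jg  payload     -> day_of_month > 15
 *   cmp eax, 8  / jle loc_401562  -> month > 8 (September..December)
 * With as_in_c_translation set, the month test becomes >= 8 as in the
 * quoted C translation, which is the off-by-one the reply points out. */
bool msblast_trigger(int day_of_month, int month, bool as_in_c_translation)
{
    if (day_of_month > 15)
        return true;
    return as_in_c_translation ? (month >= 8) : (month > 8);
}

/* Days per month for a non-leap year (constructed helper, index 1..12). */
static const int days_in_month[13] = {0,31,28,31,30,31,30,31,31,30,31,30,31};

/* Count the calendar days on which the predicate fires over one year. */
int trigger_days_in_year(bool as_in_c_translation)
{
    int count = 0;
    for (int m = 1; m <= 12; m++)
        for (int d = 1; d <= days_in_month[m]; d++)
            if (msblast_trigger(d, m, as_in_c_translation))
                count++;
    return count;
}

int main(void)
{
    /* Jan 20 fires under both readings: day of month > 15 */
    printf("Jan 20           -> %d\n", msblast_trigger(20, 1, false));
    /* Aug 10 only fires under the >= 8 reading of the C translation */
    printf("Aug 10 (month>8) -> %d\n", msblast_trigger(10, 8, false));
    printf("Aug 10 (month>=8)-> %d\n", msblast_trigger(10, 8, true));
    printf("trigger days/year, disassembly:   %d\n", trigger_days_in_year(false));
    printf("trigger days/year, C translation: %d\n", trigger_days_in_year(true));
    return 0;
}
```

The difference between the two yearly counts is exactly the first fifteen days of August, which is the only window where the >= reading and the disassembly disagree.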
    



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 10:49:56 PDT