Bugtraq mailing list archives
Re: Analysis/decompilation of main() of the msblast worm
From: Tim van Erven <tve () vormig net>
Date: Thu, 14 Aug 2003 18:18:17 +0200
On Thu, 14/08/2003 22:44 +0200, Dennis wrote:
Here's a little analysis of the msblast worm.
[snip]
Every year starting on August the 16th to December the 31st the payload() routine will be started.
Judging from the disassembly quoted below this is not correct.
get_date:                           ; CODE XREF: main+26Ej
    push    3                       ; cchDate
    lea     eax, [ebp+day_of_month]
    push    eax                     ; lpDateStr
    push    offset dateformat_d     ; Day of month as digits with no leading zero for single-digit days
    push    0                       ; lpDate
    push    0                       ; dwFlags
    push    409h                    ; Locale
    call    GetDateFormatA          ; get day of month
    push    3                       ; cchDate
    lea     eax, [ebp+month]
    push    eax                     ; lpDateStr
    push    offset dateformat_M     ; Month as digits with no leading zero for single-digit months.
    push    0                       ; lpDate
    push    0                       ; dwFlags
    push    409h                    ; Locale
    call    GetDateFormatA
    lea     eax, [ebp+day_of_month]
    push    eax
    call    atoi                    ; convert daystring to integer
    pop     ecx
    cmp     eax, 15
    jg      short payload           ; if it is the 16th day of a month
                                    ; or above, start payload
    lea     edi, [ebp+month]
    push    edi
    call    atoi                    ; convert monthstring to integer
    pop     ecx
    cmp     eax, 8                  ; else if month = September, October, November, December,
                                    ; start payload
    jle     short loc_401562
payload:                            ; CODE XREF: main+2EBj
    lea     eax, [ebp+ThreadId]
    push    eax                     ; lpThreadId
    push    0                       ; dwCreationFlags
    push    0                       ; lpParameter
    push    offset payload?         ; lpStartAddress
    push    0                       ; dwStackSize
    push    0                       ; lpThreadAttributes
    call    CreateThread
loc_401562:                         ; CODE XREF: main+2FAj main+317j
If I read this correctly, the payload code will run either if the
  * current system day of the month > 15 OR
  * the current system month is one of September, October, November, December
So it will also run in the last half of each month from January through August.
// get date
GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3);
GetDateFormatA(0x409, 0, 0, &"M", &month, 3);
// start payload on 16th august until 31st december
if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
    CreateThread(0, 0, payload, 0, 0, &ThreadId);
// start spreading the worm all over the windoze-world
while (1)
    spreadworm();
There is also a minor error in the translation to C quoted above:
  if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
should be
  if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) )
(>= should be >.)

Regards,

--
Tim van Erven <tve () vormig net>
Fingerprint: F6C9 61EE 242C C012     OpenPGP Key ID: 712CB811
             36D5 BBF8 6310 D557 712C B811
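As an added example (not code from either post, nor from the worm itself), the date condition from the disassembly above modelled in portable C so that the three readings in this thread can be compared over a whole year: the disassembly's `day > 15 || month > 8`, the quoted C translation's `>= 8`, and the "from 16 August to 31 December" description. The Win32 GetDateFormatA/atoi parsing is replaced by plain day and month integers, and a non-leap year (2003 was one) is assumed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from either post or from the worm: a portable
 * model of the date check as the disassembly reads it (cmp eax,15 / jg
 * and cmp eax,8 / jle), with GetDateFormatA + atoi replaced by plain
 * day/month integers. Assumption: a non-leap year (2003 was one). */

/* Days per month, index 1..12, non-leap year. */
static const int days_in_month[13] =
    {0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};

/* The check the disassembly actually performs. */
bool trigger_from_asm(int day, int month)
{
    return day > 15 || month > 8;
}

/* The check as the quoted C translation wrote it (>= 8 instead of > 8). */
bool trigger_from_c_translation(int day, int month)
{
    return day > 15 || month >= 8;
}

/* The behaviour the original analysis described: 16 August to 31 December. */
bool trigger_as_described(int day, int month)
{
    return month > 8 || (month == 8 && day >= 16);
}

/* Count the days in the year on which a trigger function returns true. */
int days_firing(bool (*trigger)(int, int))
{
    int n = 0;
    for (int m = 1; m <= 12; m++)
        for (int d = 1; d <= days_in_month[m]; d++)
            if (trigger(d, m))
                n++;
    return n;
}

/* Month in which a trigger first fires during the year (0 if it never does). */
int first_firing_month(bool (*trigger)(int, int))
{
    for (int m = 1; m <= 12; m++)
        for (int d = 1; d <= days_in_month[m]; d++)
            if (trigger(d, m))
                return m;
    return 0;
}

int main(void)
{
    struct { const char *name; bool (*fn)(int, int); } variants[] = {
        { "disassembly (day > 15 || month > 8)",    trigger_from_asm },
        { "C translation (day > 15 || month >= 8)", trigger_from_c_translation },
        { "as described (16 Aug .. 31 Dec)",        trigger_as_described },
    };
    for (size_t i = 0; i < sizeof variants / sizeof variants[0]; i++)
        printf("%-42s fires on %3d days, first in month %2d\n",
               variants[i].name, days_firing(variants[i].fn),
               first_firing_month(variants[i].fn));

    /* 14 August 2003, the day this thread was posted. */
    printf("14 Aug: disassembly=%d, C translation=%d\n",
           trigger_from_asm(14, 8), trigger_from_c_translation(14, 8));
    return 0;
}
```

Running it shows the point of the correction: the disassembly's condition is true on 245 days of the year, starting on 16 January, whereas the described window covers only 138 days starting in August, and the `>= 8` slip in the C translation adds the first half of August on top of that (260 days), so it would already be true on the day this message was written.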