AW: Analysis/decompilation of main() of the msblast worm

["Dennis" <Dennis () backtrace de>]

Thanks,

Someone pointed this out already and I updated the paper.
You can grab it here:

http://www.backtrace.de/msblast_analysis.txt


greetings,

Dennis

-----Ursprüngliche Nachricht-----
Von: Tim van Erven [mailto:tve () vormig net] 
Gesendet: Donnerstag, 14. August 2003 18:18
An: bugtraq () securityfocus com
Betreff: Re: Analysis/decompilation of main() of the msblast worm

On Thu, 14/08/2003 22:44 +0200, Dennis wrote:
> Here's a little analysis of the msblast worm.

[snip]

> Every year starting on August the 16th to December the 31st the
payload() routine will be started.

Judging from the disassembly quoted below this is not correct.

> get_date:                             ; CODE XREF: main+26Ej
>               push    3               ; cchDate
>               lea     eax, [ebp+day_of_month]
>               push    eax             ; lpDateStr
>               push    offset dateformat_d ; Day of month as digits
with no leading zero for single-digit days
>               push    0               ; lpDate
>               push    0               ; dwFlags
>               push    409h            ; Locale
>               call    GetDateFormatA  ; get day of month
>               push    3               ; cchDate
>               lea     eax, [ebp+month]
>               push    eax             ; lpDateStr
>               push    offset dateformat_M ; Month as digits with no
leading zero for single-digit months.
>               push    0               ; lpDate
>               push    0               ; dwFlags
>               push    409h            ; Locale
>               call    GetDateFormatA
>               lea     eax, [ebp+day_of_month]
>               push    eax
>               call    atoi            ; convert daystring to integer
>               pop     ecx
>               cmp     eax, 15
>               jg      short payload   ; if it is the 16th day of a
month
>                                       ; or above, start payload
>               lea     edi, [ebp+month]
>               push    edi
>               call    atoi            ; convert monthstring to integer
>               pop     ecx
>               cmp     eax, 8          ; else if month = September,
October, November,      December,
>                                       ; start payload
>               jle     short loc_401562
>
> payload:                              ; CODE XREF: main+2EBj
>               lea     eax, [ebp+ThreadId]
>               push    eax             ; lpThreadId
>               push    0               ; dwCreationFlags
>               push    0               ; lpParameter
>               push    offset payload? ; lpStartAddress
>               push    0               ; dwStackSize
>               push    0               ; lpThreadAttributes
>               call    CreateThread
>
> loc_401562:                           ; CODE XREF: main+2FAj
main+317j

If I read this correctly, the payload code will run either if the

* current system day of the month > 15
OR
* the current system month is one of September, October, November,
December

So it will also run in the last half of each month from Januari through
August.

>       // get date
>       GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3);
>       GetDateFormatA(0x409, 0, 0, &"M", &month, 3);
>
>       // start payload on 16th august until 31st december
>       if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
>               CreateThread(0, 0, payload, 0, 0, &ThreadId);
>
>       // start spreading the worm all over the windoze-world
>       while (1) spreadworm();

There is also a minor error in the translation to C quoted above:

if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )

should be

if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) )

(>= should be >.)

Regards,

-- 
Tim van Erven <tve () vormig net>          Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811                   36D5 BBF8 6310 D557 712C B811