Thanks,

Someone pointed this out already and I updated the paper. You can grab it here:
http://www.backtrace.de/msblast_analysis.txt

greetings,
Dennis

-----Original Message-----
From: Tim van Erven [mailto:tve@vormig.net]
Sent: Thursday, 14 August 2003 18:18
To: bugtraq@securityfocus.com
Subject: Re: Analysis/decompilation of main() of the msblast worm

On Thu, 14/08/2003 22:44 +0200, Dennis wrote:
> Here's a little analysis of the msblast worm.
[snip]
> Every year starting on August the 16th to December the 31st the payload()
> routine will be started.

Judging from the disassembly quoted below this is not correct.

> get_date:                               ; CODE XREF: main+26E↑j
>                 push    3               ; cchDate
>                 lea     eax, [ebp+day_of_month]
>                 push    eax             ; lpDateStr
>                 push    offset dateformat_d ; Day of month as digits with no leading zero for single-digit days
>                 push    0               ; lpDate
>                 push    0               ; dwFlags
>                 push    409h            ; Locale
>                 call    GetDateFormatA  ; get day of month
>                 push    3               ; cchDate
>                 lea     eax, [ebp+month]
>                 push    eax             ; lpDateStr
>                 push    offset dateformat_M ; Month as digits with no leading zero for single-digit months.
>                 push    0               ; lpDate
>                 push    0               ; dwFlags
>                 push    409h            ; Locale
>                 call    GetDateFormatA
>                 lea     eax, [ebp+day_of_month]
>                 push    eax
>                 call    atoi            ; convert daystring to integer
>                 pop     ecx
>                 cmp     eax, 15
>                 jg      short payload   ; if it is the 16th day of a month
>                                         ; or above, start payload
>                 lea     edi, [ebp+month]
>                 push    edi
>                 call    atoi            ; convert monthstring to integer
>                 pop     ecx
>                 cmp     eax, 8          ; else if month = September, October, November, December,
>                                         ; start payload
>                 jle     short loc_401562
>
> payload:                                ; CODE XREF: main+2EB↑j
>                 lea     eax, [ebp+ThreadId]
>                 push    eax             ; lpThreadId
>                 push    0               ; dwCreationFlags
>                 push    0               ; lpParameter
>                 push    offset payload? ; lpStartAddress
>                 push    0               ; dwStackSize
>                 push    0               ; lpThreadAttributes
>                 call    CreateThread
>
> loc_401562:                             ; CODE XREF: main+2FA↑j main+317↓j

If I read this correctly, the payload code will run either if the
  * current system day of the month > 15
OR
  * the current system month is one of September, October, November, December

So it will also run in the last half of each month from January through
August.

> // get date
> GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3);
> GetDateFormatA(0x409, 0, 0, &"M", &month, 3);
>
> // start payload on 16th august until 31st december
> if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
>     CreateThread(0, 0, payload, 0, 0, &ThreadId);
>
> // start spreading the worm all over the windoze-world
> while (1) spreadworm();

There is also a minor error in the translation to C quoted above:

  if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )

should be

  if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) )

(>= should be >.)

Regards,

--
Tim van Erven <tve@vormig.net>          Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811                             36D5 BBF8 6310 D557 712C B811
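The trigger condition under discussion, written out as an added example that is not part of the thread or of Dennis's paper. It mirrors the two compare-and-branch pairs in the disassembly (`cmp eax,15 / jg payload` and `cmp eax,8 / jle loc_401562`), places next to it the window the paper's comment claims (16 August through 31 December) and the `>= 8` variant from the paper's C translation, and counts on how many days of a year each one fires. The `GetDateFormatA`/`atoi` step is replaced by plain integer day/month parameters so the check can be exercised on any platform; the function names and the probe dates are mine, not identifiers from the worm.

```c
/*
 * Added example, not from the original post or paper: the msblast
 * payload trigger as read from the quoted disassembly, with day and
 * month already converted to integers (the worm obtains them through
 * GetDateFormatA + atoi; that Windows-only step is assumed away here).
 */
#include <stdio.h>

/* Mirrors the disassembly:
 *   cmp eax, 15 / jg  payload      -> day of month > 15 starts the payload
 *   cmp eax, 8  / jle loc_401562   -> otherwise month > 8 starts it
 * Returns 1 when the worm would reach CreateThread(payload). */
int msblast_payload_triggers(int day, int month)
{
    if (day > 15)
        return 1;
    if (month > 8)
        return 1;
    return 0;
}

/* The window the paper's comment claims: 16 August through 31 December. */
int claimed_window(int day, int month)
{
    if (month > 8)
        return 1;
    if (month == 8 && day >= 16)
        return 1;
    return 0;
}

/* The paper's C translation with ">= 8", which additionally fires on
 * 1-15 August, where the real code does not. */
int paper_c_translation(int day, int month)
{
    return (day > 15) || (month >= 8);
}

static const int days_in_month[13] =
    { 0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

/* Count the calendar days in one year on which a predicate fires;
 * leap != 0 gives February 29 days. */
int count_days(int (*pred)(int, int), int leap)
{
    int total = 0;
    for (int m = 1; m <= 12; m++) {
        int len = days_in_month[m] + (m == 2 && leap);
        for (int d = 1; d <= len; d++)
            total += pred(d, m);
    }
    return total;
}

int main(void)
{
    /* Constructed probe dates (day, month) chosen to expose the
     * differences between the three conditions. */
    struct { int day, month; } probes[] = {
        { 16, 1 }, { 1, 8 }, { 15, 8 }, { 16, 8 }, { 1, 9 }, { 14, 12 }
    };
    size_t n = sizeof probes / sizeof probes[0];

    printf("day/month  disasm  claimed  paper-C\n");
    for (size_t i = 0; i < n; i++)
        printf("  %02d/%02d       %d        %d        %d\n",
               probes[i].day, probes[i].month,
               msblast_payload_triggers(probes[i].day, probes[i].month),
               claimed_window(probes[i].day, probes[i].month),
               paper_c_translation(probes[i].day, probes[i].month));

    printf("trigger days per non-leap year: disasm=%d claimed=%d paper-C=%d\n",
           count_days(msblast_payload_triggers, 0),
           count_days(claimed_window, 0),
           count_days(paper_c_translation, 0));
    return 0;
}
```

Running it shows the point of Tim's correction in numbers: the condition as compiled fires on 245 days of a non-leap year (the 16th onward of every month, plus all of September through December), not on the 138 days of the claimed 16 August to 31 December window, and the `>= 8` translation would add a further 15 days in early August that the binary does not have.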