BugTraq
Analysis/decompilation of main() of the msblast worm Aug 14 2003 08:44PM
Dennis (Dennis backtrace de) (1 replies)
Re: Analysis/decompilation of main() of the msblast worm Aug 14 2003 04:18PM
Tim van Erven (tve vormig net) (1 replies)
Re: Analysis/decompilation of main() of the msblast worm Aug 15 2003 03:26AM
Dennis (Dennis backtrace de)
Thanks,

Someone pointed this out already and I updated the paper.
You can grab it here:

http://www.backtrace.de/msblast_analysis.txt

greetings,

Dennis

-----Original Message-----
From: Tim van Erven [mailto:tve (at) vormig (dot) net [email concealed]]
Sent: Thursday, 14 August 2003 18:18
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: Re: Analysis/decompilation of main() of the msblast worm

On Thu, 14/08/2003 22:44 +0200, Dennis wrote:
> Here's a little analysis of the msblast worm.

[snip]

> Every year starting on August the 16th to December the 31st the
> payload() routine will be started.

Judging from the disassembly quoted below this is not correct.

> get_date: ; CODE XREF: main+26Ej
> push 3 ; cchDate
> lea eax, [ebp+day_of_month]
> push eax ; lpDateStr
> push offset dateformat_d ; Day of month as digits with no leading zero for single-digit days
> push 0 ; lpDate
> push 0 ; dwFlags
> push 409h ; Locale
> call GetDateFormatA ; get day of month
> push 3 ; cchDate
> lea eax, [ebp+month]
> push eax ; lpDateStr
> push offset dateformat_M ; Month as digits with no leading zero for single-digit months.
> push 0 ; lpDate
> push 0 ; dwFlags
> push 409h ; Locale
> call GetDateFormatA
> lea eax, [ebp+day_of_month]
> push eax
> call atoi ; convert daystring to integer
> pop ecx
> cmp eax, 15
> jg short payload ; if it is the 16th day of a month or above, start payload
> lea edi, [ebp+month]
> push edi
> call atoi ; convert monthstring to integer
> pop ecx
> cmp eax, 8 ; else if month = September, October, November, December, start payload
> jle short loc_401562
>
> payload: ; CODE XREF: main+2EBj
> lea eax, [ebp+ThreadId]
> push eax ; lpThreadId
> push 0 ; dwCreationFlags
> push 0 ; lpParameter
> push offset payload? ; lpStartAddress
> push 0 ; dwStackSize
> push 0 ; lpThreadAttributes
> call CreateThread
>
> loc_401562: ; CODE XREF: main+2FAj main+317j

If I read this correctly, the payload code will run either if the

* current system day of the month > 15
OR
* the current system month is one of September, October, November, December

So it will also run in the last half of each month from January through
August.

> // get date
> GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3);
> GetDateFormatA(0x409, 0, 0, &"M", &month, 3);
>
> // start payload on 16th august until 31st december
> if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )
> CreateThread(0, 0, payload, 0, 0, &ThreadId);
>
> // start spreading the worm all over the windoze-world
> while (1) spreadworm();

There is also a minor error in the translation to C quoted above:

if ( (atoi(& day_of_month) > 15) || (atoi(& month) >= 8) )

should be

if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) )

(>= should be >.)

Regards,

--
Tim van Erven <tve (at) vormig (dot) net [email concealed]>
OpenPGP Key ID: 712CB811
Fingerprint: F6C9 61EE 242C C012 36D5 BBF8 6310 D557 712C B811
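To make the two trigger conditions discussed in this thread concrete, here is an added example (not from the original posts or from the paper) that implements the date check as the disassembly performs it, beside the August 16th to December 31st window the paper describes and the `>= 8` variant from the C translation, and counts the calendar days on which they disagree. Function names are hypothetical, and a non-leap year is assumed.

```c
#include <stdio.h>

/* Trigger condition as the disassembly actually implements it:
 *   cmp eax, 15 / jg payload       -> day_of_month > 15
 *   cmp eax, 8  / jle loc_401562   -> month > 8
 */
int payload_triggers_disasm(int day, int month)
{
    return day > 15 || month > 8;
}

/* Trigger condition as the paper's prose describes it:
 * every year from August 16th through December 31st. */
int payload_triggers_described(int day, int month)
{
    return month > 8 || (month == 8 && day >= 16);
}

/* Condition as written in the quoted C translation (the ">= 8" slip);
 * it differs from the disassembly on August 1st through 15th. */
int payload_triggers_translation(int day, int month)
{
    return day > 15 || month >= 8;
}

/* Days per month in a non-leap year (assumption: 2003 was not a leap year). */
static const int days_in_month[13] = {0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};

/* Count the calendar days on which two trigger functions give different answers. */
int count_disagreements(int (*a)(int, int), int (*b)(int, int))
{
    int count = 0;
    for (int month = 1; month <= 12; month++)
        for (int day = 1; day <= days_in_month[month]; day++)
            if (a(day, month) != b(day, month))
                count++;
    return count;
}

int main(void)
{
    printf("disassembly vs described window: %d days differ\n",
           count_disagreements(payload_triggers_disasm, payload_triggers_described));
    printf("disassembly vs C translation:    %d days differ\n",
           count_disagreements(payload_triggers_disasm, payload_triggers_translation));
    return 0;
}
```

The 107 differing days are the 16th through the end of each month from January to July, which is exactly the range the reply above points out; the 15 extra days from the `>=` slip are August 1st to 15th.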
